eCPPTv2 Prep

Basic Assembly

CPU (Central Process Unit)

The device in charge of executing the machine code of the program, the machine code is the set of instructions that the CPU processes. The instructions are represented in HEX format, which then gets translated into mnemonic code which is the assembly language.

ISA

Each CPU has it's own instruction set architecture or ISA.

Which is a set of instructions that we or a compiler must understand and use to write a program correctly for that specific CPU and machine. This includes; memory, registers, etc. There are two main ISA's: x86 (32 bit) and x64 (64 bit).

Registers

• The number of bit 32, or 64 refers to the width of the CPU registers.

• Each CPU has a fixed set of registers that are accessed when needed.

• Registers can be thought as temporary variables used by the CPU to store data

• Some store data temporarily, while others have specific functions and some are for general storage.

• The one we'll be using is the GPRs General Purpose Registers

  • There are eight GPR's plus another called the EIP

  • The Instruction Pointer (EIP) controls program execution by stroring a pointer to the address of the next instruction that will be executed.

Process Memory

The process is divided into four regions:

• Text

  • Fixed by the program and contains the program code.

  • Marked read-only since the program should not change during execution

• Data

  • Divided into initialized and uninitialized data.

  • Initialized data includes items such a static and global declared vars, predefined and can me modified.

  • Uninitialized data, named Blocked Started by Symbol (BSS) also initializes vars that initialized to zero or do not have an explicit value.

• The Heap

  • Start after the BSS segment.

  • During execution, the program may request more space in memory via specific system calls.

• The Stack

The Stack

• Last-in-First-out (LIFO) block of memory.

• Located in the higher part of the memory.

• Like an array used for saving a function's return addresses

• Passing function arg and local vars.

The purpose of the ESP register (Stack Pointer) is to identify the top of the stack. It is modified each time a value is pushed in (PUSH) or popped out (POP). The stack does not grow upwards as it may sound but instead grows downward.

Both Push and Pop work like we'd expect in a more high-level programming language. Push adding the data to the top of the stack, while Pop retrieves the data from the top of the stack and stores it.

Endianness

A way of storing values in memory. There are three types: Big-endian, Little-endian and Endian conversion.

Important to note! ⚠️

Knowing the difference between the two types is important for writing the correct payloads for Buffer Overflow exploits.

The most significant bit (MSB) in a binary number is the largest value. Usually the first from the left. If we had 100 the MSB would be 1. The least significant bit (LSB) in a binary number is the lowest value. Usually first from the right. If we had 110 the LSB would be 0.

In big-endian, the LSB is stored at the highest memory address. While the MSB is at the lowest memory address.

No Operation Instruction (NOP)

NOP is an Assembly instruction that does nothing. When your program hits a NOP it will skip to the next instruction. In x86 CPU's, NOP's are represented by the hex value 0x90.

Assembler

When a source code file is assembled it is called an object file, a binary representation of the program. A linker is then needed to create the actual executable file. A linker takes one or more object files and combines to create the executable.

Compiler

Converts high-level source code like C into low-level code or into an object file. Once the file is created the previous process will be executed on the file, with the result been an executable file. We can this from the command line, on Linux for example:

g++ mytestscript.c -o mytestscript.exe

NASM

High-level functions likestrcpy()are made of multiple ASM instruction put together to perform the operation, copy two strings in this case. The simplest is MOV that moves data from one point in memory to another.

Example of summing two numbers in Assembly code

Each opcode is represented in one line and contains the instruction (MOV, ADD, PUSH, etc.) and the operands used. Depending on the architectural system instructions and rules may differ.

The CALL and RET are used for subroutines.

CALL pushes the current instruction pointer (EIP) to the stack and jumps to the function address specified.

RET pops the last element from the stack and the CPU jumps to the address.

Decompiling

Learning to reverse code and obtain the assembly code is a key skill for pentesting. If we run the below we will get a text file containing all the Assembly code.

objdump -d -Mintel > example.exe > disembled-example.txt

A debugger like Immunity Debugger will automatically do this for you too and allow you to interact with the code.

Buffer Overflow Attacks

A buffer overflow attack works by taking control of the execution flow of a piece of software. This means being able to force an application to behave differently to how it was designed can lead to:

• An app or OS crash, causing DOS

• Privilege Escalation

• Remote Code Execution (RCE)

• Security features bypass

Buffers

A buffer is an area in the computer of RAM reserved for temporary data storage.

• User input

• Parts of a video file

• Server banners

Buffers have a finite size, which means they can only hold a limited amount of data If a client-server app is designed to accept only 8-characters long username, the username buffer will be 8 bytes long.

Buffers are stored in a data structure in computer memory known as a stack To add data to the stack we can use the Last in First Out (LIFO) approach.

• Push: add an element to the stack

• Pop: removes the last inserted element

In Modern OS's they still use LIFO but an app can randomly access a positon on the stack to read-write data. To save space for later use, the app can reserve memory allocations on the stack to access them.

A raw overflow that overwrites memory will crash an app, while a well-engineered attack is able to execute code.

Radare2

A framework for reverse engineering and analysing binaries.

• To open a binary in debugging mode r2 -d <FILE_NAME>

• Then to analyze the program type aa

• Once complete run afl to see a list of the functions.

• Run: pdf @main

Immunity Debugger

The main application used for disassembling code from .exe into Assembly code. There are many plugins such as Mona that can be used to:

• Create a payload to find the EIP register: !mona pc <number of bytes>

• Find the size of junk bytes needed before reaching the EIP: !mona po <EIP crash value>

• Find the address of a CALL/JMP ESP: !mona jmp -r esp -m kernel

• Check modules properties: !mona modules

• Check to see if ASLR is enabled or not !mona noaslr

Bypass Techniques

There are many methods to use but most require an excellent understanding of reverse engineering and exploit writing. Here a couple:

Non-randomized modules

• AIms to find a module that does not have ASLR enabled.

• Uses a simple JMP/CALL ESP from that module.

• One of the easiest techniques to use.

Bruteforce

• ASLR can be forced by overwriting the return pointer with plausible addresses until we reach the shellcode.

• Success depends on these factors;

  • How much we can change the address space layout?

  • How many NOP's can be placed?

  • How many exploitation attempts can we perform?

NOP-Sled

• Create a big area of NOP's in order to increase the chances to jump to this area.

• Makes the execution "slide" down the NOP's to react the shellcode.

• An attacker can guess the jump location with a low degree of accuracy and still exploit the program.

• https://www.fireeye.com/blog/threat-research/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html - a useful ref from FireEye.

Preventing Buffer Overflow Attacks

• Address Space Layout Randomization (ASLR)

  • Used by all modern OS's.

  • Introduces randomness for executables, libs, and stacks in the memory address space.

  • Makes it harder for an attacker to predict memory address that may exploit or crash the process.

  • OS loads the same executable at different locations in memory each time.

  • ASLR is not enabled for all modules, which can lead to vulnerable processes that are open to the ASLR bypass attack.

• Data Execution Prevention (DEP)

  • Defensive hardware and software to prevent the execution of code from pages in memory that are not marked as executable.

  • Code injected into the memory cannot be run from that region.

  • Makes Buffer Overflow exploits hard to carry out.

• Stack Cookies (Canary)

• • A security implementation that places a value next to the return address on the stack.

  • The prologue function loads a value into this location

  • The epilogue function makes sure the value is intact.

  • When epilogue runs it checks value is present and unchanged.

• EMET (Enhanced Mitigation Experience Toolkit)

  • A utility that helps prevent vulnerabilities from being exploited.

  • Offer many mitigation technologies, such as DEP, ASLR, SEHOP and more.

  • Can also disable the security of the system for testing purposes.

Shellcode

Once an attacker has identified an exploit in the application the first task is to inject shellcode into the software. The shellcode can get sent through the network (remote buffer overflows) or through the local environment. As well as using the EIP to run the shellcode it's possible to execute it when an SEH (Structured Exception Handling) frame activates. The SEH stores an address to jump to upon encountering an exception like division by zero.

Local Shellcode

• Used to exploit local processes to get higher privileges on a machine.

• AKA Privilege Escaltion Shellcode

Remote Shellcode

• Sent through the network along with an exploit.

• AKA Remote Code Execution

• To provide access to machine by means of TCP/IP.

Remote shellcodes can be sub-divided based on how the connection is setup:

• Connect back

  • Initiates a connection back to the attacker's machine.

• Bind shell

  • Binds a shell to a certain port on which the attacker can connect.

• Socket Reuse

  • Establishes a connection to a vulnerable process that does not close before shellcode executes.

  • Can re-use this connection to communicate with the attacker

  • Very complex so not used often

Null-Free Shellcode

There are two main ways to do this:

Manually edit the shellcode to not have the string terminator, or use different instructions that perfrom the same operations.

Enode and Decode the shellcode.

We can also use a tool such as msfvenom to do this for us.

• First we have convert the shellcode to binary

  • echo -ne "x68\x63\x6d..." > binshellcode.bin

  • -n used to not output teh trailing newline

  • -e enables interpretation of backslash escapes

• The we can use msfvevom to encode it

  • -b <character(s) to avoid> : specify a list of bad character when generating shellcode, '\x00' in this case since we want null free.

  • -a x64: scpecify teh arhitecture to use

  • -p: instructs msfvenom to read the custom payload from stdin

  • --platform win: specify the platform to use

  • -e x86/shikata_ga_nai: specify enocoder to se

  • -f c: : sets the output format

  Final command:

cat binshellcode.bin | msfvenom -p -a x86 --platform win -e x86/shikata_ga_nai -f c -b '\x00'

To list payloads in msfvenom: msfvenom --list payloads

One of the easiest to use is the windows/messagebox payload: msfvenom -p windows/messagebox

Cryptography

There are four main issues:

• Authentication - claims made by or about subject are true

• Confidentiality - information is accessible onnly to authorized users or people

• Integrity - message hasw not been tampared/ altered in anyway during transfer

• Non-repudiation - ensuring that an idividual or party cannout refute the validity of a a statement

Classification

Based or how they keys are used there are 2 main divisions:

• Symmetric-key

  • Both the sender and reciever share the same key.

  • The plain text and the key are used to apply the encryption to ge the cipher text

  • Examples include: DES, AES, Blowfish.

• Public-key (Asymmetric-key)

  • There are two keys for each peer.

    • A public key and a private key.

  • The public key can be freely distrubuted and a the matching private key kept secure.

  • Typically used for encryption while the private key is used for decryption.

Public Key Infrastructure (PKI)

A set of hardware, software, people, policies and procedures needed to create, manage, store, distribute and revoke digitial certificates. The PKI must make sure that the identidity of a person or organization is certified correctly by means of a certificate authority (CA).

X.509 is the standard for public key certificates. They are widely used in protocols like SSL/TLS, SET, S/MIME, IPsec and others. A certificate binds a public key with an identitiy (a digital signature). The information includes the name of a person, organization and other relevent details. The CA acts a trusted third party, to verify the identity you need to trust the CA. Common filename extensions include:

• .DER - (Distinguished Encoding Rules) encoded cerftificate.

• .PEM - (Privacy Enhanced Mail) Base64 encoded DER certificate

• .PFX or .P12 - PKCS#12 may contain cerfticate(s) (public) and private keys (password protected)

SSL (Secure Sockets Layer)

A protocol which is used to communicate over the Internet securely. SSL uses both PKI and Symmetric encryption to create secure comminucation channel between two entities. SSL ensure that no third party can tamper with the communication.

Digital Signature

A mechanism much like a human signature on papaer that allow to authenticate a message. I proves the message is coming from the given sender. It cannot be reproduced so if tampered we will know.

Secure Shell (SSH)

A network protocol that allows data to be exchanged using a secure channel between two networked devices. Common on Unix-based systems and a replacement of Telent as it allows remote access to a computer/ server through a secure shell.

SSH Tunnels

An SSH tunnel is an encrypted tunnel created through an SSH connection. These tunnels can be used to tunnel unencrypted traffic over a network securely. SSH allow us to tunnel any protocol securely.

Creating a tunnel

1. An SSH client is configured to forward a specified local port to a port on a remote machine.

2. Traffic to the local port (SSH client) is forwarded to the remote host (SSH server).

3. The remote host will then forward this traffic to the intended host.

Tunnels provide means to bypass firewalls that prohibit certain Internet services provided that outgoing connections are allowed. This also can apply to corporate policies and filters too.

Legacy Windows (2000/ XP/ Vista/ 7/ 8) Passwords

Nearly all passwords in Windows are stored in a config database called SAM. The Security Accounts Manager or SAM is a database stored as a registry file in Windows NT, Window 200 and later versions of Windows. It stores users' passwords in a hashed format:

• LM hash

• NT hash

Stealing the hashes

To start we need at least an administrative account. If we already have a shell on our target system and it's meterpreter shell then all we have to run is one simple command hashdump. There are many other tools to name a few: Pwdump and fgdump. These work great with a running (remote) system but say we want to gather hashes offline?This assumes we have local access to the system, we can use tools like ophcrack to dump the hashed for later cracking.

Instead of stealing hashes you change the SAM fille content. A tool called chntpw allows us to:

• Clear passwords

• Change passwords

• Promote users to adminstrator

The login process can be bypassed entirely using a tool like Kon-Boot. It allow to log into a system as root without knowing the password - https://www.piotrbania.com/all/kon-boot/.

At this point we have hashes to crack and have to options, We can try and Crack the hash or Pass-the-hash.

Pass-the-hash is an authentication attack that allows us to use LM & NT hashes to gain access to a remote Windows host without having to know the actual password. More later...

Crack the hash is an attack using other tools such a John or Hashcat that have options to perform many attacks such as dictionary and bruteforce. Or we can use Ophcrack which uses rainbow tables.

Information Gathering

WHOIS Lookup

WHOIS can find the location, phone numbers, DNS provider, name server but it's worth noting sometimes we can not get this information as some webiste won't list this to keep their privacy. We can do this online or locally on our terminal: whois <DNS to query>

If we want more information we can use a specific whois server:whois -h <whois server DNS to query>

DNS Lookup

One of the simplest queries a DNS server can get. It asks the DNS to resolve a hostname to the matching IP. This can be done with nslookup <hostname>

It's also possible to do the reverse and from a given IP address lookup the Domain name: from the DNS pointer records (PTR): nslookup -type=PTR IPAddress or using tools like http://network-tools.com/nslook/.

Using the MX(Mail Exchange) lookup we retrieve a list of servers for delivering e-mails for the given domain: nslookup -type=MX domain or tools online such as http://www.dnsqueries.com/en/ and http://www.mxtoolbox.com/.

Zone transfers (a misconfig of the remote DNS server), if they are enabled we can enumerate the entire DNS record for the zone. We first have to find the organization's name server: nslookup -type=NS domain There are usually to name servers. Then we can issue a zone transfer request: nslookup server <Name server for domain> ls -d domain

All the following commands can be written in dig too.

dig target.com Standard DNS lookup

dig target.com PTR PTR lookup

dig target.com MX MX lookup

dig target.com NS NS lookup

dig target.com axfr @target.com target.com

It's helpful to know both tools!

We can use Bing and Google to find all websites hosted on a given IP using the ip filter.

ip:192.193.168.101

There are also other online tools that allow subdomain enumeration.

• http://www.tcpiputils.com/domain-neighbors

• http://reverseip.domaintools.com/

Netblocks

A range or set of IP addresses, usually assigned to someone and has both a starting and ending IP address. ie:

192.168.0.0 - 192.168.255.255 or in (CIDR notation) 192.168.0.0/16

Larger netblocks are given to larger organizations like Internet Service Providers (ISP) and Government agencies. It's the individual who buys one or more IP addresses from the ISP.

Autonomous Systems

Made from one or more netblocks under the same administrative control. Big corporations and ISP's have an autonomous system, while smaller companies will barely have a netblock.

ICMP is often disabled on perimeter routers and firewalls and on latest Windows clients via the Windows Firewall. ICMP scans are no longer reliable in determining whether a host is alive or not. Nmap's host discovery command: -sn is more than just a simple ICMP echo.

DNS

We can use Nmap to scan the entire network and find hosts that have port 53 open

TCP scan: nmap -sS -p53 [NETBLOCK]

UDP scan: nmap -sS -p53 [NETBLOCK]

Maltego

Maltego bills itself as a source intelligence and forensics application. It uses transformations to discover transformations about specific targets. You can begin with a server address and enumerate various information in relation to that server. It then uses the information to create a full map of the entities entire internet presence.

Other none intrusive tools

• https://dnsdumpster.com/

• https://github.com/fwaeytens/dnsenum

• https://github.com/makefu/dnsmap

Foca

Used to scan a domain for more information on the target. Using search engines it can find interesting files that are available, using Google, Bing and Exalead. By analysing metadata from files it's possible to find usernames and what machines were used to create the said file.

Shodan

shodan.io

Allows us to gather a lot of information such as services running on IP's and ports, banners and OS.

It's possible to query a particular service like ?query=SSH or ?query=FTP

Can be used to avoid running something like Nmap to gain a small amount of information quietly.

Scanning

Ports, Protocols and Services (PPS)

To effectively utilize PPS we need to know where to find information and services and apps running on a specific port. In order to ensure we have covered all bases, it's best to run multiple scans using different techniques.

The Three-Way Handshake (TWH)

All TCP based connections begin with a simple exchange of messages.

1. The client sends a TCP packet to the server. The packet has the SYN flag enabled and a random sequence number set.

2. The server replies by sending a packet with both the SYN and ACK flag set and another random sequence number (ACK number is always a simple increment of the SYN)

3. Finally, the client completes by sending an ACK packet.

Crafting packets

Using hping we can craft a very simple TCP SYN packet to send to an IP:

hping3 -S [IP] -p 80

This repeatedly sends SYN packets to the IP on port 80 until we stop the program. For example, our host sends a packet with the SYN flag and the target responds with an (SA) SYN-ACK flag meaning the port is open otherwise it will respond with an (RA) Reset-ACK flag meaning the port is closed.

hping3 -S [IP] -p 80 -c 4

Adding the -c <number of packets> flag tells hping to limit the packets sent to the number set then stop.

Hping has new scanning facilities which are called with -8or —scan flags:

hping3 -8 50-56 -S 4.2.2.1

With the scan flag, we have a much more flexible way to specify ports either by min-max or port1,port2,port3

Idle Scan

The idle scan is a stealth scan that uses a zombie in the target network. A zombie is a host that is not sending or receiving any packets. The pre-requisites are:

1. Find a zombie that assigns IP ID both incrementally and globally

2. Find an idle zombie meaning that there should be no other traffic on the zombie that will disturb the IP ID

To find a zombie the steps are:

1. Run Nmap to determine if the IP ID sequence generation is incremental - nmap -O -v [IP]

2. If we see the following: IP ID Sequence Generation: Incremental then we know we have a zombie

The steps required to mount it:

1. Probe the zombie's IP ID and record the value

2. Forge an SYN packet with the source address of the zombie and send it to the port of our target host

3. Probe the zombie's IP ID again and, pending upon the ID we can infer if the target port is open or closed

The steps for the actual attack:

We can do this in Nmap with the -sIoption, for example.

nmap -Pn -sI [ZOMBIE_IP:ZOMBIE_PORT] [TARGET_IP] -v

Other useful Nmap flags:

• -n: Never do DNS Resolution, we should use this whenever possible if we don't need to resolve our IP addresses to hostnames, It also will help reduce our scan times and generate less noise.

• -b: FTP Bounce Scan is another stealthy scan. This type of scan exploits an FTP server's PORT command. If the server is vulnerable it allows us to launch port scans from the FTP server to other machines on the internet. All scans using this method will appear to have come from the FTP server. Another way to hide our original source.

• -sA: Used to map out the rulesets of firewalls and determine if the devices are both stateful and which ports are filtered.

• -sO: IP Protocol Scan cannot be considered a port scanning technique as it only enumerates the types of IP protocols that the target system supports.

• -sA: Used to map out the rulesets of firewalls and determine if the devices are both stateful and which ports are filtered.

Nmap Scripting Engine (NSE)

To start with we need to update our NSE database

• --script-updatedb

During the information gathering phase

• --script whois-domain [target-domain] -sn

During the recon phase

• --script smb-os-discovery -p 445 [target-ip]

For finding a good Zombie

• --script ipidseq [target-ip] -p 135

These are just a select few but there are many more to use and it's even possible to write your own using LUA language.

Service and OS Detection

See https://app.gitbook.com/@tomhwarhurst/s/tc/pentesting-basics for active techniques

For Passive OS Fingerprinting a great tool can be used known as POf. It can be used to get the following without sending a single packet:

• Host Uptime

• OS/ Software

• Distance from our current host

• User-Agents

./pOf -i eth0

A simple service detection scan: nmap -sV -n [options] [targetIP]

Firewall/IDS Evasion

Most of the techniques covered could be detected and blocked by either Firewalls or ID's on the target network. This causes two issues:

• Becoming exposed

• Obtaining incorrect information

Fragmentation

The concept is simple, it's the process of splitting a single packet into smaller ones. This can disable the ability of some security system to either apply their packet fiiltering rules or to process all the fragments of data.

Modern ID's are able to rebuild fragmented packets meaning this technique can be ineffective. In Nmap we can run the fragmentation command like so:

-f obviously meaning fragment the packets.

nmap -sS -f [targetIP]

NB: Fragmentation does not work with -sT or -sV instead we can use --mtu with the an offset that must be a multiple of eight.

Decoys

The aim of decoys is to add noise to the IDS by sending scans from spoofed IP's. This means the real attacker IP will appear on the list of ID's along with all the spoofed ones confusing whoever is watching the system. The attack requires these three steps:

1. All decoys are up and running so it's not easy to determine the real attacker's IP.

2. The real IP should appear in random order to the ID's.

3. ISP's traversed by spoofed traffic let the traffic go through.

nmap -sS -D [DecoyIP#1],[DecoyIP#2],[DecoyIP#3],ME [targetIP]

Source Ports

Nmap allows us to add the source port during scans so we may bypass restrictions. To use this we can use:--source-port [portnumber]

nmap -sS --source-port 53 [target] All our scan will come from port 53

Enumeration

After scanning the next goal is gather as much detailed information about any devices and resources attached to the network. This includes account name, shares, misconfigured services etc.

NetBIOS (Network Basic Input Output System)

A service that allows windows systems to share files, folder and printers to other machines on a LAN network. If misconfogured it can lead to a large leak of information. NetBIOS can be helpful in finding out types of sys information.

PC's on a NetBIOS LAN can communicate by establishing a session or by using datagrams. NetBIOS uses the and UDP ports.

• UDP 137 for Name Services

  • Has the same purpose of a DNS record, tranlates and maps a NetBIOS name to an IP.

  • The name is a 6-byte address that indefntifies a NetBIOS resource on the network.

  • To find a resource, a NetBIOS Name Query can be used to resolve the Name to an IP.

  • To see this on Linux we can run: nbtscan -v or for Windows: nbtstat -A

• UDP 138 for Datagram Services

  • NetBIOS Datagram Service (NBDS)

  • It allows the sending and receiving of messages to and from:

  • A NetBIOS Name.

  • Broadcast the datagram to all NetBIOS Names.

  • Allows one computer to communicate with serveral others at the same time.

    • Limited in terms of message size.

• TCP 139 for Session Services

  • NetBIOS Session Service (NBSS).

  • Allows two names to establish a connection to then be able to exchange data.

  • Once a device creates a file sharing connection the session service is used.

    • Once established the two computers use the Server Message Block (SMB) protocol.

SNMP (Simple Network Management Protocol)

A protocol used to gather both information and configure network devices (printers, switches, servers). Runs on UDP port 161

SMB (Server Message Block)

SMB lets you share files, disks, directories and printers. Before Windows 2000, SMB only ran with NetBIOS over TCP/IP (port 139) therefore a NewBIOS Session was needed. Windows 2000 and higher now allow SMB to run directly over TCP/IP without NetBIOS sessions, TCP port 445.

Null Session

One of the olderst and most known attacks performed on Windows 2000 and NT environments. Malicious user are able to establish a connection to the victim in order to gather personal information such as shares, users, resgistrykeys and more. They rely on Common Internet File System (CIFS) and SMB API that will return information to even a unauthenticated user.

Community Strings

A tool called "onesixtyone" can be used to gather this information

onesixtyone -c [wordlist.txt] [TargetIP]

https://book.hacktricks.xyz/pentesting/pentesting-snmp

Enumerating SNMP

snmpwalk -v [SNMP-Version] -c [Community-String] [IP]

or

snmp-check [IP] -c [Community-String]

Sniffing & MITM (Man In The Middle)

Sniffing is a listening or eavesdropping network layer attack, consisting of capturing packets from other computers. These packets can contain valuable and sensitive data.

A MitM attack is where the attacker is able to intercept communication between two systems. In a safe network communication, the server and victim will talk to each other and the attacker is in another node in the network. This means they'll be unable to intercept messages.

In a MitM attack, the attacker can split the TCP connection into two new ones, one between the victim and attacker and the other between the attacker and the destination. Once intercepted, the attacker acts as a proxy to read, insert and modify data.

Types of sniffing

• Passive sniffing is when the attacker watches packets on the network to gather sensitive information such as user ids, passwords and emails. They are hard to detect due to them being hands-off. These attacks can be carried out with sniffer software such as Wireshark.

• Active sniffing is performed by malicious operations such as MAC flooding and ARP poisoning on the network. Packets are injected into the network to redirect traffic. There are two techniques for this.

  • MAC Flooding 🌊

    • Designed to stress the switch and fill it's CAM table.

    • A CAM table keeps all the information needed to forward frames to the correct port.

    • When the CAM table is full of fake MAC addresses the switch cannot learn new MAX addresses.

  • ARP Poisoning 🧪

    • Much stealthier than MAC Flooding.

    • Designed to exploit the concept of traffic redirection.

    • The attacker can redirect traffic of the selected victim(s) to their machine, doing so will allow the attacker to read and also modify the traffic.

Basics of ARP

• Arp is short for Address Resolution Protocol and is supported by all NIC's and OS's.

• ARP was created to be a quick way to match Layer 3 network address (IP address) with Layer 2 addresses (MAC addresses).

• The ARP protocol has two types of packets:

  • ARP requests

  • ARP replies

• Arp works with an ARP table which stores IP-MAC pairs and a TTL value related to each entry.

• To see your ARP table you can type:

  • arp -a on Windows.

  • arp on Linux

• When one computer (A) wants to send a packet to another (B), A checks the ARP table for B's IP address, if it's found the corresponding MAC address is inserted as the destination address.

• If the address is not found then an ARP request is sent on the LAN as a broadcast asking who has the IP address.

• The image below demonstrates how computers can send a packet to another host in the same network.

Simplified version

Gratuitous ARP request and response.

• The gratuitous ARP request a packet is where the source and destination IP are set with the IP of the machine that is issuing the packet and destination MAC is the broadcast address.

• The gratuitous ARP response is an ARP reply that has been sent without being requested.

Attacking Tools

Bettercap

• Perform reconnaissance and attack

  • WiFi networks,

  • Bluetooth Low Energy devices,

  • Wireless HID devices

  • IPv4/IPv6 networks.

Ettercap

• An open-source program that combines a packet sniffer for many protocols (POP/HTTPS/HTTPS).

• Also, offers password cracking.

• sudo ettercap -G.

• We can select between

  • Unified sniffing, sniffs all packets on the cable.

  • Bridged, uses two network interfaces and forwards traffic from one to the other.

• Now we need to scan the network to find live hosts.

  • Hosts -> Scan for Hosts

• Now we can add a host to target 1 and target 2.

• Then we can select which MitM attack we to carry out.

• Say we select Arp Poisoning we should now be intercepting traffic of our target machine.

Cain & Abel

• Once Cain & Abel is open we click the Configure button.

• Select the correct interface then start the sniffer.

• Right-click in the white space and select Scan MAC address.

• Now click OK and Cain starts scanning the network.

Macof

• macof [-s src] [-i interface] [-xsport] [-y dport]

Make sure IP forwarding is active!

echo 1 > /proc/sys/net/ipv4/ip_forward

• Now we can then start Wireshark to start capturing the data being sent.

Arpspoof

• sudo arpspoof -i tap0 -t [VICTIM_IP] [OUR_IP]

• Now we are sending ARP replies to the victim that them the gateway is our MAC address.

• To finish the attack we need run another arpspoof attack to change the ARP table on the gateway too.

• sudo arpspoof -i tap0 -t [OUR_IP] [VICTIM_IP]

Bettercap

• First, we need to find our targets in the network.

• bettercap -I tap0 --no-spoofing

• bettercap -I tap0 -T [TARGET_IP] -X -P "HTTPAUTH, URL, FTP, POST"

  • Runs ARP spoofing attack by default!

  • -X : Sniffer feature enabled.

  • -P: Parser feature enabled, lists the packet parsers to use.

Intercepting SSL Traffic