ARP Poisoning and Sniffing Traffic

 In this lab, I was connected directly to an internal network and had to use ARP requests to discover live hosts. I started by using arp-scan and then tried using an nmap scan. I got the same results from both scans. I then combined the IP addresses into a file which could be used to feed further nmap scans.






My next job was to try to find the DNS server, so I scanned for port 53 being open to TCP and / or UDP connections. I also tried scanning port 53 from the source port of 53 as sometimes DNS servers will only accept requests from this port.






Next, I did a more thorough scan of the DNS server and found it to be running SAMBA on ports 139 and 445, which suggested that it was a Linux box with connections to Windows machines using the SMB protocol.




I then used dig to query the DNS server to find out more about the domain it was serving and the host names for the other two machines on the network. I did this using a reverse DNS request as I was working from the IP addresses and trying to find the domain names.





To try and find out if there were any other machines on this domain, I created a custom .txt file which had lots of common names plus the ones I had already discovered. I then used a shell script to brute-force possible host names and discovered two new machines on a different subnet. The ARP scans did not find these machines as ARP is a level 2 protocol and therefore does not broadcast beyond the subnet it is used on.




I also wrote a shell script to do the same job but with a default wordlist. I then gave it executable rights and ran it. This time I found the two new machines.



The names of the new machines suggested to me that the newly discovered subnet was being used for serving services to machines within the organisation (ftp and an intranet). In order to find the default gateway to access this new subnet, I used the route command.




It was now time to launch an ARP spoofing attack against the hosts and the default gateway. I started with the machine at 172.16.5.5 I enabled port forwarding on my attacking machine first of all and then saved the sniffed data in a wireshark capture. As the attack was going on, I also used driftnet to view any images being fetched. After I had finished the attack, I looked at the data which had been captured. Lots of it used http which is not a secure protocol as it transmits in plain text. A better choice for the organisation would be to use https which uses SSL to encrypt the data. I filtered the wireshark capture to look at GET requests and then POST requests. I was able to find sensitive data (credentials). Some of these led to failed login pages, but the credentials might still be useful as the users might use them for different services within the network. By following http streams and filtering out the failed logins, I eventually found a set of credentials which led to a redirection (302) to a login_success.php page.












I then filtered the data to find FTP connections. This quickly led to further credentials. FTPS would be a better way for the organisation to implement file transfers as it encrypts the data.





I then launched an ARP spoofing attack against the machine @ 172.16.5.6 and quickly found new credentials by filtering on the http.location of /login_success.php I also exported the http objects and saw that most of the files being transferred were images related to sport.






I then had a look at the SMB data and searched for SMB files. I found that some had been fetched, so I exported the SMB objects and saw that two documents on the /finance share looked interesting. I therefore used cifs utilities to mount the shares on my Linux box and had a look at the data.










I then did the same thing for the share @ /technology




The next part of this lab was to try to get a remote shell on a machine. I had discovered valid credentials and knew that SAMBA was being used. I therefore tried the exploit/linux/samba/is_known_pipename exploit in msfconsole. I fed it the admin credentials and set the usual options before running it. This successfully established a reverse shell.






The lab was completed! I enjoyed learning how to use a different way to Cain and Abel (arpspoof along with wireshark) to launch a mitm attack.

Popular posts from this blog

Hacking Reset (thm)

Image
  NOTE: I am currently migrating my writeups and notes regarding hacking aka pentesting to  my github - my reset writeup can be found here     Reset is a fun active directory based box on thm   We start with an nmap scan which shows us that the target machine is probably a domain controller as it has port 88 open. Domain controllers typically have this port open since they are involved in kerberos based authentication. We also find some useful data regarding the domain and machine we are attacking. In addition, we find port 5985 is open - this is of interest as it is a port which is used by winrm which in turn is a service which could potentially give us a remote session on the target machine if we find valid credentials.    Since smb is being used, we start our enumeration of the haystack machine by taking a look at it - can we get a null session and thereby enumerate useful data? We find that we can. The IPC$ share has read access to non-authentica...
Read more

Hacking Year of the Owl (thm)

Image
NOTE: I am currently migrating my writeups and cybersecurity notes to  my github This writeup can be found in a new and shiny form at puzz00 year of the owl writeup  --- The Year of the Owl is a machine by MuirlandOracle on tryhackme   We start by using nmap to scan the TCP ports. The results show us that this appears to be a windows machine because we see netbios on port 139, SMB on 445 and winrm on its default port of 5985. We take a closer look but don't find much of interest. Since SMB is running, we can try a null session attack, but this does not work. We cannot connect using rpcclient without valid creds, either. Web app enumeration does not reveal anything of interest, so I have not included it in this post. We need to find another way to enumerate usernames and potential passwords. We can try common UDP ports using nmap. The results come back in the open|filtered state which is not very useful. We do not know if the ports are open or if the UDP datagrams are bei...
Read more

Simple CTF (tryhackme)

Image
  I started with a quick SYN scan of all ports on the target machine. The -T4 flag speeds up the scan from the default -T3 and the -p- flag specifies all ports to be scanned. As can be seen from the results, ports 21, 80 and 2222 had services listening on them. It was now time to take a closer look at those three ports, so I used the -A flag with nmap to find out more. The anonymous login allowed using FTP on port 21 seemed interesting, so I connected to it in passive mode using the username anonymous and no password ftp -p 10.10.179.144 The connection was successful, but I could not get any listing of the directories or files using ls so I turned my attention to port 80 by navigating to the home page in my browser. I was greeted with a default Apache "It Works!" page. I then checked the robots.txt file and fired up a directory buster. I used gobuster as it is fast, but dirb, dirbuster or a home-grown one would also do. The /simple directory stood out as interesting, so I na...
Read more