Privleged Network Insider Attacks Flashcards
What is the most common hacker tool used after gaining inital network access?
sniffers
Privileged network position
an attacker on the same LAN in an organization
How are many attacks discovered
only when a sniffer log consumes all available file space
what is promiscuous mode
when an Ethernet interface is gathering all traffic regardless of its destination hardware addresss.
What is a hardware address
MAC Address
What is a MAC Address
each Ethernet card is programmed with a unique Mac Address?
Traditional Ethernet
Implemented in a hub, is a broadcast medium, which broadcasts ALL data to ALL systems connected to the LAN segment.
Is Traditional Ethernet sniffable?
Yes.
Switched Ethernet
Does not broadcast all information to links of the LAN segment. It is more intelligent than the hub(traditional ethernet) by looking at the destination MAC address, only sending the data to the required port on the switch.
Traditional Ethernet VS Switched Ethernet
Tradtional is a hub, Switched is a switch. Traditional broadcasts to all systems connected on LAN. Switched looks at the destination MAC address and only sending data required for that address.
How does switch operate in Switched Ethernet?
observes the source MAC address of frames going from each physical port to learn which MAC addresses are connected on that port. The switch rememberes this mapping of MAC address(layer 2) to physical address (layer1) in memory on the switch.
Does the switch remember the mapping of MAC address (layer 2) to physical address (layer 1) in memory on the switch?
yes.
Content Table Addressable Memory (CAM) table
Used in Switch Ethernet when the switch remembers the mapping of MAC address(layer 2) to physical address (layer 1) in memory on the switch. When new frames arrive at the switch, the device can consult its CAM table to determine which physical interface to send this packet to so it arrives at its destination.
https://www.youtube.com/watch?v=TIHvWb-gruc
Ethernet frame?
is primarily responsible for the correct rule making & successful tranmission of Data Packets when transmitting data over the ethernet.
Ethernet?
Ethernet is a family of wired computer networking technologies commonly used in local area networks,
Using the CAM table the switch switches?
True.
two ways to sniff a switched environment?
redirect the flow of traffic on the LAN by 1. attacking th e switch directly 2. going after the machine sending the traffic
Sniffers?
Gather all information transmitted accross a line
Broadcast media
(non switched ethernet or Wi-Fi networks) allow an attacker to gather passwords and more
Wi-Fi networks are akin to hubs?
True. (Pre switch days.)
Wireshark
Sniffing tool.
Wireshark abilities?
- parse traffic from network or read, parse, display packet capture
- read files in TCPDumps/Libpcap native format
- convert dozens other popular sniffer file formats
- Parse over 500 different protocols
Should you install wireshark on a compromised system?
NO. use built in tools to take a packet capture.
Scenario. Need to take a packet capture of a compromised windows system. How do I do it?
Use built in tool netsh to take the packet capture, it will be propietary so transfer the .etl file to analysis workstation and use et12pcapng.exe to convert the .etl capture to a .pcapng to be compatible with Wireshark.
netsh
Built in tool on windows can create packet capture.
netsh trace start capture=yes maxsize=1000 tracefile-pcap.etl
netsh trace stop
.etl and .etl12pcapng.exe
.etl : is microsoft windows propitary packet capture format
.etl12pcapng.exe : is used to convert the etl file to a compatile packet capture type for wireshark such as .pcapng
what does etl stand for?
Event Trace Log (ETL) File
How to take a packet capture of compromised Linux system?
tcpdump
tcpdump
used to take packet capture of a UNIX/Linux system
Should you install tcpdump if not installed already on comrpomised system?
yes but be careful, download and run a STATIC binary (requires no additional libraries) to prevent log detection.
apt-get install tcpdump
will generate numerous logs and could disclose attackers presence on system. use STATIC binary.
Static Executable
is one where the external libraries needed for the binary to run are built into the executable directly.
Benefit of running a static executable
makes the binary independent, and will run on most Linux distributions without additional modifications to the system
Does tcpdump require root access?
Yes.
Where is tcpdump most valuable?
to obtain unencrypted passwords from weak protocols such as (FTP, HTTP, SNMP, Telnet)
tcpdump -n
turn off name resolution
tcpdump -i
listen on interface (eth0)
tcpdump - s 0
is the snap length set to 0 to capture the entire packet
creating a file with a leading .
makes the filename hidden from normal view on the system
./tcpdump -n -i eth0 -s 0 -w .packets.pcap
turn off name resolution
listen on interface eth0
capture entire packet with snap length set to 0
save capture to hidden file .packets.pcap
What is ARP used for?
Dynamic IP to MAC address resolution
is ARP essential?
Yes. because tells clients on the same LAN how to reach eachother
Scenario of ARP
client A wants to talk to client B on the LAN. Client A sends ARP request messsage “ hey 172.x.x.x who is this, who is responsible for this IP address?” Client B responds with MAC address & “thats me , send me your data”.
ARP Cache
when a corresponding system sends me their MAC address after when I first initially sent out the my ARP request message “who is responsible for IP x.x.x.x”. Their MAC address will be cached for up to 10 min
Data sent across a LAN must be directed to the ___?
hardware address (MAC address)
How many bits is the MAC address of the Ethernet card?
48-bits
What protocol is known for when a machine must determine the MAC address corresponding to a given IP address?
ARP mapping IP to MAC Address.
how long is ARP cached?
10 min
is ARP secure?
NO. no way to tell/veriify if the ARP response came from the proper machine.
Is ARP routed between LANS?
no. ARP messages are only sent across a single LAN.
are ARP messages sent across a single LAN.
Yes. only a single LAN.
Gratuitous ARP? layman
a client who thinks they are very important tells other people on the network. “At some point if you want to talk to me this is my ip 172.x.x.x and this is my MAC xxxx…” its a built in feature in ARP. A client will accept whatever the last ARP message was to its ARP cache w/ ip to mac address mappings. this poses a vulnerability known as ARP Cache poisining.
Gratuitous ARP?
Anyone can send ARP responses, even though no - one sends an ARP request. ( so sending a response of IP and MAC address)
how do systems respond to someone sending a gratuitous arp?
machines greedily take this data, devour it for their system caches (ARP cache) and even overwrite previous entries of IP to MAC mapping entries.
What is a vulnerability ARP faces with gratuitous ARP?
ARP Cache poising.
two things that happen if send an ARP response when noone asks a question (known as Gratuitous ARP)
- flood a switches memory
2. poisin the victims system ARP cache
If a machine wants to talk to another machine on a LAN what must first happen?
which hardware address to use for a specific ip address.
scenario. explain ARP Alice wants to talk to Bob.
- Allice sends an ARP request to determine which hardware address corresponds to Bobs IP address. “hey who is responsible for IP x.x.x.x” Bobs system responds with his MAC address. So now alice knows where to send the message. Alice stores bobs answer in her ARP cache.
“MAC address for IP address x.x.x. is AA.AA.AA.AA.AA.AA (48 bits long MAC) “ without a presceding query
Gratuitous ARP
ARP Cache Poisoning
an attack technique where an adversary can tell other people on the network to impersonate another persons ip address which facilitates a MITM attack
Bettercap
ARP cache poisoning tool. runs different parsers and interception tools to hijack traffic. must run as root.
remove noise from bettercap
sudo bettercap -eval “events.ignore endpoint”; set $»_space; {reset}”
net.show
bettercap : disclose hosts on the network. will passively identify network hosts by looking for broadcast and multicast traffic.
Better cap default runs actively or passively?
passively
repeating net.show?
could disclose additional hosts as they join/leave the network
Steps to bettercap MITM attack?
- choose victim 192.168.86.40 as target for ARP spoofing.
$set arp.spoof.targets 192.168.86.40 - record a packet capture
$net.sniff.output saving data to output packet capture .pcap - turn on network sniffer
$arp.spoof on - start to see evidence of victim system browsing thorugh the attacler, disclosing hostname of encrypted website theyre visiting thorugh the plaintext server name identification (SNI) field in the HTTPS request.
