Privleged Network Insider Attacks

Question 1

What is the most common hacker tool used after gaining inital network access?

Answer 1

sniffers

Question 2

Privileged network position

Answer 2

an attacker on the same LAN in an organization

Question 3

How are many attacks discovered

Answer 3

only when a sniffer log consumes all available file space

Question 4

what is promiscuous mode

Answer 4

when an Ethernet interface is gathering all traffic regardless of its destination hardware addresss.

Question 5

What is a hardware address

Answer 5

MAC Address

Question 6

What is a MAC Address

Answer 6

each Ethernet card is programmed with a unique Mac Address?

Question 7

Traditional Ethernet

Answer 7

Implemented in a hub, is a broadcast medium, which broadcasts ALL data to ALL systems connected to the LAN segment.

Question 8

Is Traditional Ethernet sniffable?

Answer 8

Yes.

Question 9

Switched Ethernet

Answer 9

Does not broadcast all information to links of the LAN segment. It is more intelligent than the hub(traditional ethernet) by looking at the destination MAC address, only sending the data to the required port on the switch.

Question 10

Traditional Ethernet VS Switched Ethernet

Answer 10

Tradtional is a hub, Switched is a switch. Traditional broadcasts to all systems connected on LAN. Switched looks at the destination MAC address and only sending data required for that address.

Question 11

How does switch operate in Switched Ethernet?

Answer 11

observes the source MAC address of frames going from each physical port to learn which MAC addresses are connected on that port. The switch rememberes this mapping of MAC address(layer 2) to physical address (layer1) in memory on the switch.

Question 12

Does the switch remember the mapping of MAC address (layer 2) to physical address (layer 1) in memory on the switch?

Answer 12

yes.

Question 13

Content Table Addressable Memory (CAM) table

Answer 13

Used in Switch Ethernet when the switch remembers the mapping of MAC address(layer 2) to physical address (layer 1) in memory on the switch. When new frames arrive at the switch, the device can consult its CAM table to determine which physical interface to send this packet to so it arrives at its destination.
https://www.youtube.com/watch?v=TIHvWb-gruc

Question 14

Ethernet frame?

Answer 14

is primarily responsible for the correct rule making & successful tranmission of Data Packets when transmitting data over the ethernet.

Question 15

Ethernet?

Answer 15

Ethernet is a family of wired computer networking technologies commonly used in local area networks,

Question 16

Using the CAM table the switch switches?

Answer 16

True.

Question 17

two ways to sniff a switched environment?

Answer 17

redirect the flow of traffic on the LAN by 1. attacking th e switch directly 2. going after the machine sending the traffic

Question 18

Sniffers?

Answer 18

Gather all information transmitted accross a line

Question 19

Broadcast media

Answer 19

(non switched ethernet or Wi-Fi networks) allow an attacker to gather passwords and more

Question 20

Wi-Fi networks are akin to hubs?

Answer 20

True. (Pre switch days.)

Question 21

Wireshark

Answer 21

Sniffing tool.

Question 22

Wireshark abilities?

Answer 22

• parse traffic from network or read, parse, display packet capture
• read files in TCPDumps/Libpcap native format
• convert dozens other popular sniffer file formats
• Parse over 500 different protocols

Question 23

Should you install wireshark on a compromised system?

Answer 23

NO. use built in tools to take a packet capture.

Question 24

Scenario. Need to take a packet capture of a compromised windows system. How do I do it?

Answer 24

Use built in tool netsh to take the packet capture, it will be propietary so transfer the .etl file to analysis workstation and use et12pcapng.exe to convert the .etl capture to a .pcapng to be compatible with Wireshark.

Question 25

netsh

Answer 25

Built in tool on windows can create packet capture.
netsh trace start capture=yes maxsize=1000 tracefile-pcap.etl
netsh trace stop

Question 26

.etl and .etl12pcapng.exe

Answer 26

.etl : is microsoft windows propitary packet capture format

.etl12pcapng.exe : is used to convert the etl file to a compatile packet capture type for wireshark such as .pcapng

Question 27

what does etl stand for?

Answer 27

Event Trace Log (ETL) File

Question 28

How to take a packet capture of compromised Linux system?

Answer 28

tcpdump

Question 29

tcpdump

Answer 29

used to take packet capture of a UNIX/Linux system

Question 30

Should you install tcpdump if not installed already on comrpomised system?

Answer 30

yes but be careful, download and run a STATIC binary (requires no additional libraries) to prevent log detection.

Question 31

apt-get install tcpdump

Answer 31

will generate numerous logs and could disclose attackers presence on system. use STATIC binary.

Question 32

Static Executable

Answer 32

is one where the external libraries needed for the binary to run are built into the executable directly.

Question 33

Benefit of running a static executable

Answer 33

makes the binary independent, and will run on most Linux distributions without additional modifications to the system

Question 34

Does tcpdump require root access?

Answer 34

Yes.

Question 35

Where is tcpdump most valuable?

Answer 35

to obtain unencrypted passwords from weak protocols such as (FTP, HTTP, SNMP, Telnet)

Question 36

tcpdump -n

Answer 36

turn off name resolution

Question 37

tcpdump -i

Answer 37

listen on interface (eth0)

Question 38

tcpdump - s 0

Answer 38

is the snap length set to 0 to capture the entire packet

Question 39

creating a file with a leading .

Answer 39

makes the filename hidden from normal view on the system

Question 40

./tcpdump -n -i eth0 -s 0 -w .packets.pcap

Answer 40

turn off name resolution
listen on interface eth0
capture entire packet with snap length set to 0
save capture to hidden file .packets.pcap

Question 41

What is ARP used for?

Answer 41

Dynamic IP to MAC address resolution

Question 42

is ARP essential?

Answer 42

Yes. because tells clients on the same LAN how to reach eachother

Question 43

Scenario of ARP

Answer 43

client A wants to talk to client B on the LAN. Client A sends ARP request messsage “ hey 172.x.x.x who is this, who is responsible for this IP address?” Client B responds with MAC address & “thats me , send me your data”.

Question 44

ARP Cache

Answer 44

when a corresponding system sends me their MAC address after when I first initially sent out the my ARP request message “who is responsible for IP x.x.x.x”. Their MAC address will be cached for up to 10 min

Question 45

Data sent across a LAN must be directed to the ___?

Answer 45

hardware address (MAC address)

Question 46

How many bits is the MAC address of the Ethernet card?

Answer 46

48-bits

Question 47

What protocol is known for when a machine must determine the MAC address corresponding to a given IP address?

Answer 47

ARP mapping IP to MAC Address.

Question 48

how long is ARP cached?

Answer 48

10 min

Question 49

is ARP secure?

Answer 49

NO. no way to tell/veriify if the ARP response came from the proper machine.

Question 50

Is ARP routed between LANS?

Answer 50

no. ARP messages are only sent across a single LAN.

Question 51

are ARP messages sent across a single LAN.

Answer 51

Yes. only a single LAN.

Question 52

Gratuitous ARP? layman

Answer 52

a client who thinks they are very important tells other people on the network. “At some point if you want to talk to me this is my ip 172.x.x.x and this is my MAC xxxx…” its a built in feature in ARP. A client will accept whatever the last ARP message was to its ARP cache w/ ip to mac address mappings. this poses a vulnerability known as ARP Cache poisining.

Question 53

Gratuitous ARP?

Answer 53

Anyone can send ARP responses, even though no - one sends an ARP request. ( so sending a response of IP and MAC address)

Question 54

how do systems respond to someone sending a gratuitous arp?

Answer 54

machines greedily take this data, devour it for their system caches (ARP cache) and even overwrite previous entries of IP to MAC mapping entries.

Question 55

What is a vulnerability ARP faces with gratuitous ARP?

Answer 55

ARP Cache poising.

Question 56

two things that happen if send an ARP response when noone asks a question (known as Gratuitous ARP)

Answer 56

1. flood a switches memory

2. poisin the victims system ARP cache

Question 57

If a machine wants to talk to another machine on a LAN what must first happen?

Answer 57

which hardware address to use for a specific ip address.

Question 58

scenario. explain ARP Alice wants to talk to Bob.

Answer 58

1. Allice sends an ARP request to determine which hardware address corresponds to Bobs IP address. “hey who is responsible for IP x.x.x.x” Bobs system responds with his MAC address. So now alice knows where to send the message. Alice stores bobs answer in her ARP cache.

Question 59

“MAC address for IP address x.x.x. is AA.AA.AA.AA.AA.AA (48 bits long MAC) “ without a presceding query

Answer 59

Gratuitous ARP

Question 60

ARP Cache Poisoning

Answer 60

an attack technique where an adversary can tell other people on the network to impersonate another persons ip address which facilitates a MITM attack

Question 61

Bettercap

Answer 61

ARP cache poisoning tool. runs different parsers and interception tools to hijack traffic. must run as root.

Question 62

remove noise from bettercap

Answer 62

sudo bettercap -eval “events.ignore endpoint”; set $&raquo_space; {reset}”

Question 63

net.show

Answer 63

bettercap : disclose hosts on the network. will passively identify network hosts by looking for broadcast and multicast traffic.

Question 64

Better cap default runs actively or passively?

Answer 64

passively

Question 65

repeating net.show?

Answer 65

could disclose additional hosts as they join/leave the network

Question 66

Steps to bettercap MITM attack?

Answer 66

1. choose victim 192.168.86.40 as target for ARP spoofing.
   $set arp.spoof.targets 192.168.86.40
2. record a packet capture
   $net.sniff.output saving data to output packet capture .pcap
3. turn on network sniffer
   $arp.spoof on
4. start to see evidence of victim system browsing thorugh the attacler, disclosing hostname of encrypted website theyre visiting thorugh the plaintext server name identification (SNI) field in the HTTPS request.