Exploitation

Physical Access

Many attacks depend on direct, physical access to a system; even Mr. Robot's Elliot repeatedly needs hands on the hardware before the rest of an attack can proceed. There are well-known tools for bypassing login passwords and disk encryption. Kon-Boot has been a long-time favorite of mine since middle school days: it hooks the Windows boot process and patches the authentication code in memory so that any password is accepted as correct. For encrypted drives, Inception abuses PCI-based direct memory access (over FireWire, Thunderbolt, ExpressCard and similar interfaces) to read and patch the physical memory of a running machine; it does not break the encryption itself, it attacks the keys and the login state held in RAM, which is why a fully powered-off machine with full-disk encryption is not exposed to it. The LAN Turtle is a malicious USB Ethernet adapter that gives an attacker a shell onto the network it is plugged into from a remote location and can capture authentication hashes and tamper with DNS. The USB Rubber Ducky looks like an innocent flash drive but enumerates as a keyboard and types a pre-scripted payload at machine speed; a Ducky payload can download and execute malware, steal files, and more.

Defending against Physical Access

  • Use full-disk encryption and power the device down completely when not in use (sleep leaves the keys in RAM, which is exactly what DMA attacks like Inception harvest).
  • Restrict USB access (device-control policy, or physically disable unused ports).
  • Password-protect the BIOS/UEFI setup and disable booting from USB and other removable media.
  • Disable LLMNR (and NetBIOS name service), so a planted device on the LAN cannot answer name lookups and collect hashes.

BGP Hijacking

These attacks are rare, but they are advanced and stealthy, and from the victim's side they are very hard to detect. The attacker, operating an autonomous system (AS), uses BGP to announce a prefix they do not own, typically a more specific one (for example a /25 carved out of the victim's /24), so that longest-prefix matching makes other networks prefer the attacker's route over the legitimate one. Traffic for those addresses is then routed through the attacker's network, where it can be used for man-in-the-middle attacks and traffic analysis, or simply blackholed.
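The route-selection rule that makes this work, as an added example that is not part of the original page: a small routing table where the most specific covering prefix wins, plus a baseline check that flags a sub-prefix originated by an unexpected AS. All prefixes (documentation range 203.0.113.0/24) and AS numbers are constructed for the example and do not refer to real networks.

```python
"""Added example (not from the original page): longest-prefix match chooses
the attacker's more specific announcement, and comparing the table against
an expected-origin baseline exposes it. Prefixes and ASNs are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: ipaddress.IPv4Network
    as_path: tuple                 # AS_PATH as we received it; last AS is the origin

    @property
    def origin_as(self):
        return self.as_path[-1]


def announce(prefix, as_path):
    return Announcement(ipaddress.ip_network(prefix), tuple(as_path))


def best_route(rib, dst):
    """Longest-prefix match: the most specific covering prefix wins no matter
    who announced it; ties go to the shorter AS_PATH. None if nothing covers dst."""
    dst = ipaddress.ip_address(dst)
    candidates = [a for a in rib if dst in a.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda a: (a.prefix.prefixlen, -len(a.as_path)))


def find_hijacks(rib, expected_origins):
    """Flag announcements that sit inside a baseline prefix but are originated
    by an AS other than the expected owner (the more-specific hijack pattern).
    expected_origins: {"prefix/len": owner_asn}. Returns (prefix, seen, expected)."""
    alerts = []
    for a in rib:
        for base, owner in expected_origins.items():
            if a.prefix.subnet_of(ipaddress.ip_network(base)) and a.origin_as != owner:
                alerts.append((str(a.prefix), a.origin_as, owner))
    return alerts


# Constructed baseline: AS 64500 legitimately originates 203.0.113.0/24.
EXPECTED = {"203.0.113.0/24": 64500}

# Constructed table: the legitimate /24, plus an attacker (AS 64666) announcing a /25.
RIB = [
    announce("203.0.113.0/24", [64501, 64500]),
    announce("203.0.113.0/25", [64502, 64666]),
]

if __name__ == "__main__":
    chosen = best_route(RIB, "203.0.113.10")
    print("traffic to 203.0.113.10 is delivered to AS", chosen.origin_as)   # 64666
    print("hijack alerts:", find_hijacks(RIB, EXPECTED))
```

Note that the attacker only needs to win for the addresses inside the /25; the upper half of the /24 still routes normally, which is part of why these hijacks go unnoticed. Real monitoring runs the same comparison against public route collectors rather than a local table, and the strongest preventive control is publishing RPKI ROAs for your prefixes so that providers can drop invalid origins.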

Defending against BGP Hijacking

  • Know what normal traceroute output to your key destinations looks like, so a changed path stands out.
  • Look for suspicious routes: unexpected ASes in the path, or a more specific prefix for your address space showing up in public route collectors and looking glasses.
  • Publish RPKI ROAs for your prefixes and ask your upstreams to drop RPKI-invalid announcements.
  • Watch for browser certificate errors, which appear when a hijacker terminates TLS without a valid certificate.
  • Dropped connections or sudden latency changes.
  • Contact your ISP; only networks that speak BGP can filter the bad route or counter-announce.

Netcat

I've dedicated an entire page to netcat because of how versatile and unique this tool is. Click the link to learn more about Netcat.

Passive & Active Sniffing

When an Ethernet interface accepts all frames regardless of their destination hardware address, it is said to be in "promiscuous mode". A shared-medium network, such as an Ethernet hub or a wireless network, delivers every frame to every station and is inherently sniffable (on Wi-Fi the equivalent is "monitor mode", and the attacker still needs the network key to read encrypted frames). A switched network, however, forwards a frame only to the port on which the destination MAC address was learned, so promiscuous mode alone sees little beyond broadcasts and the sniffing host's own traffic. To sniff on a switched network the attacker has to redirect the flow of traffic on the LAN, in one of two ways: by attacking the switch (for example flooding its MAC table until it falls back to hub-like forwarding) or by going after the systems sending the original data (for example ARP poisoning, covered below).

Wireshark is the standard sniffing and analysis tool. It runs cross-platform and can capture traffic, then read, parse, and display packet capture data. Its native capture formats are pcap (the libpcap/tcpdump format) and pcapng, and it can read and convert a dozen other popular capture formats. Wireshark's protocol dissectors regularly ship with memory-safety bugs (buffer overflows and the like) that a crafted packet can trigger, so stay on top of updates and do not run the GUI as root: capture with the privileged dumpcap helper (or tcpdump) and open the file as an unprivileged user.

ARP & Mac Analysis

To sniff traffic on a switched network you need a different vector: either attack the system sending the original data or attack the switch itself. To understand how this works you need to understand the MAC layer and the Address Resolution Protocol (ARP). Frames on a LAN are delivered by hardware (MAC) address, so before a host can send an IP packet to a neighbour it must learn the MAC address that corresponds to the destination IP. ARP does this: the host broadcasts a request ("who has 192.0.2.1?") and the owner replies with its MAC address. Systems cache the answer (for tens of seconds to several minutes, depending on the operating system) to avoid repeating the lookup. ARP has no authentication, and most stacks do not check whether a reply answers a request they actually sent: an unsolicited ("gratuitous") reply is simply accepted and overwrites the cached entry. ARP poisoning (ARP spoofing) is the act of sending such replies so that a victim's cache maps an IP address, typically the default gateway's, to the attacker's MAC address. The victim then sends its traffic to the attacker, which enables various attacks, including man in the middle (the attacker forwards the traffic on to the real gateway so nothing appears broken).
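The mechanics described above, as an added example that is not code from the original page: a builder and parser for ARP frames, and a model of a host's ARP cache that accepts any reply, next to the static-entry behaviour that resists it (the "hard-coded ARP table" defence discussed later on this page). The MAC and IP addresses are constructed for the demo and no frames are put on the wire.

```python
"""Added example, not code from the original page: build and parse an ARP
frame (RFC 826 body behind an Ethernet II header) and model a host ARP
cache, to show why an unsolicited reply overwrites the gateway entry and
why a static entry does not. MACs and IPs are constructed for the demo."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """14-byte Ethernet header + 28-byte ARP body (IPv4 over Ethernet).
    eth_dst defaults to target_mac; a request would pass the broadcast address."""
    eth = mac_bytes(eth_dst or target_mac) + mac_bytes(sender_mac)
    eth += struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, oper
    body += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    body += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + body


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class ArpCache:
    """Model of a host cache. Like most real stacks it never checks whether a
    reply answers a request it sent: any reply rewrites the dynamic entry for
    the sender IP. Static entries (the 'hard-coded ARP table' defence) win."""

    def __init__(self):
        self.table = {}                 # ip -> (mac, is_static)

    def add_static(self, ip, mac):
        self.table[ip] = (mac, True)

    def ingest(self, frame):
        """Returns True if the cache changed."""
        p = parse_arp(frame)
        if p["op"] != ARP_REPLY:
            return False
        current = self.table.get(p["sender_ip"])
        if current and current[1]:
            return False                # static entry: never overwritten
        self.table[p["sender_ip"]] = (p["sender_mac"], False)
        return True

    def lookup(self, ip):
        entry = self.table.get(ip)
        return entry[0] if entry else None


# Constructed LAN: victim 192.0.2.10, gateway 192.0.2.1, attacker 192.0.2.66.
VICTIM_IP, VICTIM_MAC = "192.0.2.10", "02:00:00:00:00:10"
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "02:00:00:00:00:01"
ATTACKER_MAC = "02:00:00:00:00:66"


def poisoning_demo(static_entry=False):
    """Return the MAC the victim uses for the gateway after one spoofed
    reply claiming '192.0.2.1 is at <attacker MAC>'."""
    cache = ArpCache()
    if static_entry:
        cache.add_static(GATEWAY_IP, GATEWAY_MAC)
    else:   # the genuine reply the victim would normally have cached
        cache.ingest(build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    spoofed = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    cache.ingest(spoofed)
    return cache.lookup(GATEWAY_IP)


if __name__ == "__main__":
    print("dynamic gateway entry after spoof:", poisoning_demo())      # attacker MAC
    print("static gateway entry after spoof: ", poisoning_demo(True))  # gateway MAC
```

Real attacks repeat the spoofed reply every second or two, because the poisoned entry would otherwise age out and the legitimate gateway's next reply would restore it; that steady stream of unsolicited replies is also what tools like arpwatch key on.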

Tools

Bettercap

Originally a Ruby framework (bettercap v1), now rewritten in Go (v2). It lets an attacker manipulate the ARP mappings on targeted systems and gateways, and it also supports a wide variety of other attacks (DNS spoofing, transparent HTTP/HTTPS proxying, Wi-Fi and Bluetooth LE modules).

Arpspoof

Part of the dsniff suite. Manipulates the IP-to-MAC mapping on a target (and usually on the gateway as well) so that traffic between them flows through the attacker's host and can be sniffed. IP forwarding must be enabled on the attacker's machine, otherwise the victim simply loses connectivity and the attack is noticed.

MITMf

A Python framework (no longer maintained) that supports ARP cache poisoning and multiple other injection and TCP stream modification attacks.

Hijacking

In addition to ARP poisoning there are other ways to hijack a session. Both alternatives discussed here (LLMNR spoofing and WPAD) work by redirecting users to a malicious endpoint. These attacks are used most often post-exploitation, to extend access from one compromised host to other systems, typically by capturing NTLM hashes that can be cracked or relayed.

LLMNR

Short for Link-Local Multicast Name Resolution. It is a Windows fallback name-resolution protocol (multicast on UDP port 5355) that is used when a name cannot be resolved through DNS; think of it as a local, serverless DNS. Its main use is in consumer-grade networks where no DNS server is available and hosts still need to resolve each other's names. Because any host on the segment can answer any query and nothing authenticates the answer, a mistyped hostname or a lookup for a name that no longer exists is enough to make the victim talk to whoever answers first. Enterprise environments should disable it (together with NetBIOS name service) via Group Policy.

Responder

Responder is a tool dedicated to answering stray LLMNR requests (and NBT-NS and mDNS ones as well). It also spins up a large number of rogue services (SMB, HTTP, FTP, MSSQL, LDAP and more), because once the victim believes the attacker's host is the machine it was looking for, it connects to that host and tries to do something: load a web page, mount a share, log into an FTP server. Whatever the request, Responder's services are built so that the victim authenticates to them, which yields NTLMv1/v2 challenge-response hashes that can be cracked offline or relayed. Executables can also be served to the victim.

WPAD

Web Proxy Auto-Discovery.
To understand how to exploit WPAD, you must understand how the Web Proxy Auto-Discovery protocol works. In simple terms, a WPAD-enabled client finds a web proxy automatically by looking for a host named "wpad" (via DHCP option 252, then DNS, and if those fail the link-local fallbacks such as LLMNR, which is why Responder can answer it) and downloading a proxy configuration (PAC) script from it, typically http://wpad/wpad.dat.

Microsoft's documentation describes it as follows: "Automatic proxy detection is a process by which a Web proxy server is identified by the system and used to send requests on behalf of the client. This feature is also known as Web Proxy Auto-Discovery (WPAD). When automatic proxy detection is enabled, the system attempts to locate a proxy configuration script that is responsible for returning the set of proxies that can be used for the request. If the proxy configuration script is found, the script is downloaded, compiled, and run on the local computer."
For more information check Microsoft's docs.

The issue with this design is that an attacker on the local network can effortlessly impersonate the WPAD host (by answering the LLMNR/NBT-NS query for "wpad", or by registering a wpad name that nobody has claimed in DNS) and serve a malicious PAC file. Once a browser has loaded the PAC file, it sends all of its traffic through whatever proxy the PAC returns, which can be the attacker's. PACDoor is the best-known tool for this job; because the PAC function FindProxyForURL(url, host) receives the URL being requested, a malicious PAC could historically determine the full URL, including path and query string, even for HTTPS pages. Modern versions of Chrome and Firefox strip the path and query from https URLs before calling the PAC function, so on an up-to-date browser the leak is limited to scheme and host; older browsers and other WPAD-aware clients may still leak the full URL.
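The exchange behind both the Responder and the WPAD sections, as an added example that is not part of the original page and not code from the Responder or PACDoor projects: LLMNR (RFC 4795) reuses the DNS wire format on UDP 5355, multicast to 224.0.0.252, so a rogue answer only has to echo the query's ID and question. The example encodes a victim's lookup for "wpad" (the name it falls back to after DNS fails), builds the response any host on the segment could send, and decodes it to show the address the victim would fetch wpad.dat from. Hostnames and addresses are constructed; no packets are sent.

```python
"""Added example, not from the original page or the Responder project: encode
and decode LLMNR messages (RFC 4795, DNS wire format on UDP 5355 to the
224.0.0.252 group) for the classic 'wpad' lookup. Names and addresses are
constructed for the demo; nothing is transmitted."""
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
TYPE_A, CLASS_IN = 1, 1
FLAG_QR = 0x8000                          # top bit of the flags word: response


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("LLMNR does not use DNS name compression")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags=0, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_message(data):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "questions": questions, "answers": answers}


def build_response(query, answer_ip, ttl=30):
    """What any host on the segment can send back: the query's ID and question,
    QR set, plus an A record. Nothing proves the sender owns the name."""
    q = parse_message(query)
    name, qtype, qclass = q["questions"][0]
    header = struct.pack("!HHHHHH", q["id"], FLAG_QR, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    rr = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
    rr += bytes(int(o) for o in answer_ip.split("."))
    return header + question + rr


def rogue_wpad_exchange(attacker_ip="192.0.2.66"):
    """Victim asks 'wpad' over LLMNR (DNS already failed); a rogue responder
    answers. Returns the IP the victim would now fetch /wpad.dat from."""
    query = build_query(0x1234, "wpad")
    response = build_response(query, attacker_ip)
    parsed = parse_message(response)
    if not parsed["is_response"] or parsed["id"] != 0x1234:
        raise ValueError("response does not match the query")
    return parsed["answers"][0][3]


if __name__ == "__main__":
    ip = rogue_wpad_exchange()
    print(f"victim will request http://{ip}/wpad.dat")   # 192.0.2.66
```

The only thing the victim checks is that the ID and question match, so whoever answers first wins; from there the rogue host serves the PAC file or, in Responder's case, answers the wpad.dat request with an HTTP 401 demanding NTLM authentication, which is where the hash capture happens.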

Defense against hijacking

Hard-coding ARP tables (static entries) provides a level of protection, because a static IP-to-MAC mapping is not overwritten by gratuitous ARP replies. The downside is management overhead: the static entries have to be updated on every system whenever a NIC or gateway changes, so in practice this is done only for a few critical entries such as the default gateway.

Activate port-level security on switches. At a minimum this means locking each physical port down to a single learned MAC address, which defeats MAC flooding; you can go a step further and allow only one specific MAC address per port. The stricter version makes moves and changes harder to manage, so it is recommended mainly for sensitive LANs or DMZs. Dynamic ARP Inspection, where the switch validates ARP packets against its DHCP snooping bindings, addresses ARP poisoning directly and is worth enabling where the switches support it.

Encryption: if sessions are encrypted and authenticated end to end (TLS, SSH), an attacker who redirects them can still drop them but cannot read or inject into them without the keys; a man in the middle then shows up as a certificate or host-key warning instead of succeeding silently.

Secure protocols: only use secure protocols to manage infrastructure. Do not use Telnet (it should be disabled by default); use SSH instead, or better, put management interfaces on a separate network that is reachable only over an encrypted VPN.

Hijacking identification

  • Users lose connections
  • Corrupted ARP entries (one MAC answering for two IPs, or a gateway whose MAC has changed)
  • Check the physical machine's ARP cache
    • Windows: arp -a
    • Unix/Linux: arp -a or arp -e (on modern Linux, ip neigh)
  • Use arpwatch to monitor IP-to-MAC changes across the network.
  • Check the DNS cache on Windows
    • ipconfig /displaydns
  • SSH clients receive host-key-changed warnings.
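What "corrupted ARP entries" look like in practice, as an added example that is not part of the original page: a parser for the text that arp -a prints on Windows and Linux (ip neigh output is matched too) and a check for the two symptoms of poisoning visible in it, one MAC claiming several IPs and a gateway whose MAC differs from the recorded good one. The command output embedded below is constructed sample text, not a real capture, and the known-good gateway MAC is an assumed baseline you would record on a clean network.

```python
"""Added example, not from the original page: parse `arp -a` output
(Windows and Linux layouts; `ip neigh` lines match too) and flag the
symptoms of ARP poisoning. The samples are constructed, not captured."""
import re
from collections import defaultdict

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
LINE_RE = re.compile(IPV4 + r".*?" + MAC)

# Constructed Windows `arp -a` output from a poisoned host: the gateway
# (192.0.2.1) and the attacker (192.0.2.66) share one MAC.
WINDOWS_SAMPLE = """\
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             02-00-00-00-00-66     dynamic
  192.0.2.66            02-00-00-00-00-66     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.252           01-00-5e-00-00-fc     static
"""

# Constructed Linux net-tools `arp -a` output from a clean host.
LINUX_SAMPLE = """\
gateway (192.0.2.1) at 02:00:00:00:00:01 [ether] on eth0
printer (192.0.2.20) at 02:00:00:00:00:20 [ether] on eth0
"""

# Assumed baseline recorded on a known-clean network (gateway, DNS, etc.).
KNOWN_GOOD = {"192.0.2.1": "02:00:00:00:00:01"}


def parse_arp_table(text):
    """Return {ip: mac}, MACs normalised to lower-case colon form. Rows whose
    MAC has the group bit set (broadcast/multicast) are skipped: those are
    expected to repeat and are not evidence of poisoning."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        if int(mac[:2], 16) & 1:
            continue
        table[ip] = mac
    return table


def find_anomalies(table, known_good):
    """List human-readable findings: duplicate MACs and baseline mismatches."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    findings = []
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims several IPs: {sorted(ips)}")
    for ip, expected in known_good.items():
        seen = table.get(ip)
        if seen and seen != expected.lower():
            findings.append(f"{ip} maps to {seen}, expected {expected.lower()}")
    return findings


if __name__ == "__main__":
    for label, sample in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        print(label, find_anomalies(parse_arp_table(sample), KNOWN_GOOD) or ["clean"])
```

A duplicate MAC on its own is not proof (a router with several addresses on one interface looks the same), which is why the baseline comparison for the gateway is the more reliable signal; arpwatch gives you the same comparison continuously, with history.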

Hijacking containment

  • Drop the hijacked session
    • Change passwords and restart affected services.
  • Carefully analyze the destination systems the session was connected to when it was hijacked.

Hijack Eradication and Recovery

  • Change passwords on hijacked accounts
  • Rebuild systems if root/admin accounts were compromised.

Continue reading if you are interested in overflow exploits, bypassing endpoint protection, and cracking passwords: Exploits continued