(For more resources related to this topic, see here.)

Man-in-the-middle attacks

Using ARP abuse, we can actually perform more elaborate man-in-the-middle (MITM)-style attacks building on the ability to abuse address resolution and host identification schemes. This section will focus on the methods you can use to do just that.

MITM attacks are aimed at fooling two entities on a given network into communicating by the proxy of an unauthorized third party, or allowing a third party to access information in transit, being communicated between two entities on a network. For instance, when a victim connects to a service on the local network or on a remote network, a man-in-the-middle attack will give you as an attacker the ability to eavesdrop on or even augment the communication happening between the victim and its service. By service, we could mean a web (HTTP), FTP, RDP service, or really anything that doesn’t have the inherent means to defend itself against MITM attacks, which turns out to be quite a lot of the services we use today!

Ettercap DNS spoofing

Ettercap is a tool that facilitates a simple command line and graphical interface to perform MITM attacks using a variety of techniques. In this section, we will be focusing on applications of ARP spoofing attacks, namely DNS spoofing.

You can set up a DNS spoofing attack with ettercap by performing the following steps:

1. Before we get ettercap up and running, we need to modify the file that holds the DNS records for our soon-to-be-spoofed DNS server. This file is found under /usr/share/ettercap/etter.dns. What you need to do is either add DNS name and IP addresses or modify the ones currently in the file by replacing all the IPs with yours, if you’d like to act as the intercepting host.
2. Now that our DNS server records are set up, we can invoke ettercap. Invoking ettercap is pretty straightforward; here’s the usage specification:

   ettercap [OPTIONS] [TARGET1] [TARGET2]
   
   

3. To perform a MITM attack using ettercap, you need to supply the –M switch and pass it an argument indicating the MITM method you’d like to use. In addition, you will also need to specify that you’d like to use the DNS spoofing plugin. Here’s what the invocation will look like:

   ettercap –M arp:remote –P dns_spoof [TARGET1] [TARGET2]

   Where TARGET1 and TARGET2 is the host you want to intercept and either the default gateway or DNS server, interchangeably.

4. To target the host at address 192.168.10.106 with a default gateway of 192.168.10.1, you will invoke the following command:

   ettercap –M arp:remote –P dns_spoof /192.168.10.107//192.168.10.1/

Once launched, ettercap will begin poisoning the ARP tables of the specified hosts and listen for any DNS requests to the domains it’s configured to resolve.

Interrogating servers

For any network device to participate in communication, certain information needs to be accessible to it, no device will be able to look up a domain name or find an IP address without the participation of devices in charge of certain information. In this section, we will detail some techniques you can use to interrogate common network components for sensitive information about your target network and the hosts on it.

SNMP interrogation

The Simple Network Management Protocol (SNMP) is used by routers and other network components in order to support remote monitoring of things such as bandwidth, CPU/Memory usage, hard disk space usage, logged on users, running processes, and a number of other incredibly sensitive collections of information. Naturally, any penetration tester with an exposed SNMP service on their target network will need to know how to proliferate any potentially useful information from it.

About SNMP Security

SNMP services before Version 3 are not designed with security in mind. Authentication to these services often comes in the form a simple string of characters called a community string. Another common implementation flaw that is inherent to SNMP Version 1 and 2 is the ability to brute-force and eavesdrop on communication.

To enumerate SNMP servers for information using the Kali Linux tools, you could resort to a number of techniques. The most obvious one will be snmpwalk, and you can use it by using the following command:

snmpwalk –v [1 | 2c | 3 ] –c [community string] [target host]

For example, let’s say we were targeting 192.168.10.103 with a community string of public, which is a common community string setting; you will then invoke the following command to get information from the SNMP service:

snmpwalk –v 1 –c public 192.168.10.103

Here, we opted to use SNMP Version 1, hence the –v 1 in the invocation for the preceding command. The output will look something like the following screenshot:

As you can see, this actually extracts some pretty detailed information about the targeted host. Whether this is a critical vulnerability or not will depend on which kind of information is exposed.

On Microsoft Windows machines and some popular router operating systems, SNMP services could expose user credentials and even allow remote attackers to augment them maliciously, should they have write access to the SNMP database. Exploiting SNMP successfully is often strongly depended on the device implementing the service. You could imagine that for routers, your target will probably be the routing table or the user accounts on the device. For other host types, the attack surface may be quite different. Try to assess the risk of SNMP-based flaws and information leaks with respect to its host and possibly the wider network it’s hosted on. Don’t forget that SNMP is all about sharing information, information that other hosts on your network probably trust. Think about the kind of information accessible and what you will be able to do with it should you have the ability to influence it. If you can attack the host, attack the hosts that trust it.

Another collection of tools is really great at collecting information from SNMP services: the snmp_enum, snmp_login, and similar scripts available in the Metasploit Framework. The snmp_enum script pretty much does exactly what snmpwalk does except it structures the extracted information in a friendlier format. This makes it easier to understand. Here’s an example:

msfcli auxiliary/scanner/snmp/snmp_enum [OPTIONS] [MODE]

The options available for this module are shown in the following screenshot:

Here’s an example invocation against the host in our running example:

msfcli auxiliary/scanner/snmp/snmp_enum RHOSTS=192.168.10.103

The preceding command produces the following output:

You will notice that we didn’t specify the community string in the invocation. This is because the module assumes a default of public. You can specify a different one using the COMMUNITY parameter.

In other situations, you may not always be lucky enough to preemptively know the community string being used. However, luckily SNMP Version 1, 2, 2c, and 3c do not inherently have any protection against brute-force attacks, nor do any of them use any form of network based encryption. In the case of SNMP Version 1 and 2c, you could use a nifty Metasploit module called snmp-login that will run through a list of possible community strings and determine the level of access the enumerated strings gives you. You can use it by running the following command:

msfcli auxiliary/scanner/snmp/snmp_login RHOSTS=192.168.10.103

The preceding command produces the following output:

As seen in the preceding screenshot, once the run is complete it will list the enumerated strings along with the level of access granted.

The snmp_login module uses a static list of possible strings to do its enumeration by default, but you could also run this module on some of the password lists that ship with Kali Linux, as follows:

msfcli auxiliary/scanner/snmp/snmp_login PASS_FILE=/usr/share/wordlists/
rockyou.txt RHOSTS=192.168.10.103

This will use the rockyou.txt wordlist to look for strings to guess with.

Because all of these Metasploit modules are command line-driven, you can of course combine them. For instance, if you’d like to brute-force a host for the SNMP community strings and then run the enumeration module on the strings it finds, you can do this by crafting a bash script as shown in the following example:

#!/bin/bash
if [ $# != 1 ]
then
echo "USAGE: . snmp [HOST]"
exit 1
fi
TARGET=$1
echo "[*] Running SNMP enumeration on '$TARGET'"
for comm_string in 
`msfcli auxiliary/scanner/snmp/snmp_login RHOSTS=$TARGET E 2> /dev/null
| awk -F' '/access with community/ { print $2 }'`;
do
echo "[*] found community string '$comm_string' ...running
enumeration";
msfcli auxiliary/scanner/snmp/snmp_enum RHOSTS=$TARGET
COMMUNITY=$comm_string E 2> /dev/null;
done

The following command shows you how to use it:

. snmp.sh [TAGRET]

In our running example, it is used as follows:

. snmp.sh 192.168.10.103

Other than guessing or brute-forcing SNMP community strings, you could also use TCPDump to filter out any packets that could contain unencrypted SNMP authentication information. Here’s a useful example:

tcpdump udp port 161 –i eth0 –vvv –A

The preceding command will produce the following output:

Without going too much into detail about the SNMP packet structure, looking through the printable strings captured, it’s usually pretty easy to see the community string. You may also want to look at building a more comprehensive packet-capturing tool using something such as Scapy, which is available in Kali Linux versions.