Penetration sniffing in Linux

In terms of attacks, Intranet penetration tends to be a combination of social engineering and conventional Vulnerability Detection. In order to understand the setting of protection measures within the network, it is achieved through step-by-step spying and experience accumulation, and sometimes judgment on errors, you can also enter the wrong zone. However, if you can perform sniffing within the network, you can get twice the result with half the effort and be completely transparent to the Intranet settings. This article will discuss with you the whole process from the breakthrough caused by a note point to the control of the entire intranet, the penetration sniffing and security protection of the Intranet.

When looking for breakthroughs, more is from the application service, and the most intuitive information collection of the application service, namely port scanning, different applications, open services are different. Therefore, when collecting network information, there are two steps: Port detection and program fingerprint analysis. In terms of port detection, I personally like to use SuperScan to quickly judge the application in the network segment. After understanding the port information, I need to analyze the fingerprint of the service application, it mainly includes the version number, known vulnerability information, general configuration information, and popular attack methods for this application. This article tries to submit a malformed request to a WEB service host in the network as a breakthrough,

You can read the following information:
System type: Fedora
Application: apache/2.2.4
The above is just a simple manual analysis of the program fingerprint, of course, there are many web application scanners, more common wvs, appscan and so on. Use the lightweight "wwwwscan" to scan:

The scan result is consistent with that of the manual test.

Through the above simple information collection, you can understand the website architecture is apache + mysql + php, directly request URL: http://61.67.xx. 116/htdocs/

It is found that this site is an EcShop architecture site, and its version information is V2.5.0. The EcShop version has many injection points. The user. php file has an injection vulnerability. The request URL is as follows:
Http://61.67.xx. 116/htdocs/user. php? Act = order_query & order_sn = 'Union select 1, 2, 4, 5, 6, concat (user_name, 0 × 7c, password, 0 × 7c, email), 8 from ecs_admin_user /*

Obtain the Administrator account and password. ECShop uses MD5 encryption for direct decryption. The original password is admin, a little unexpected. Access the management background, modify the template, and insert a Trojan to obtain WEBSEHLL,

After obtaining the WEBshell permission, you need to analyze the system and find the Exp. Run the following command:
# Uname-

The returned information is "Linux fedora 2.6.20-1.2962.fc6" and Linux kernel 2.6.20.
When raising the permission, you need to use gcc for compilation to check whether the system has been installed and run the command,
# Gcc-help

It is found that gcc can be run, and the system administrator does not restrict the use of shell and gcc, which is also a lack of security.

When looking for a local privilege escalation program, it is usually based on the system version, and the Local Privilege Escalation of the application is also the same. There are websites available for query on the Internet, such as http://www.milw0rm.com /.

There are many vulnerabilities that can be exploited.

Local Elevation of Privilege requires an interactive shell. The local listening port is as follows:

Use the bounce function provided by WebShell to directly connect to the local port 12345 and return the shell

After the connection is successful, an apache user's shell can be obtained.
But sometimes you can directly execute it if you cannot interact with each other,
# Python-c 'impotr pty; pty. spawn ("/bin/sh ");'
To obtain the interactive Shell. python is installed by default in general systems.

The prompt is successful. You can create a directory to store the elevation tool.

In Linux, Elevation of Privilege can be roughly divided into third-party software vulnerabilities, local trust features, kernel overflow, and so on. Common High overflow rates are considered as kernels. Download the overflow source code with Wget. The vulnerability used is Linux vmsplice Local Root Exploit.
, The success rate is quite high. gcc compilation, execution,

The root permission is obtained successfully. Sometimes multiple tests are required when the overflow exploitation program is selected.

What is Sniffer? sniffer is a tool used to capture sensitive information by analyzing intercepted data and intercept communication between computers. But how does it intercept data? Before that, you need to explain the arp (Address Rrsolution Protocol) Protocol, that is, the Address Resolution Protocol, which is located in the low-layer Protocol in the TCP/IP Protocol stack and is responsible for parsing an IP Address into a corresponding MAC Address. It enables the IP address to be responded by the target machine on the network by maintaining a table saved in the memory. During data transmission, the IP packet contains the source IP address, source MAC address, and target IP address. If there is a corresponding MAC location in the ARP table, access the IP directly based on the optimal selection method. If, if there is no corresponding address, it is necessary to broadcast it out and find the corresponding address in the network. If the IP address of the other party is the same as the destination IP address, the other party will send the MAC address to the source host ,, at this time, if the attacker hears the IP address sent, it will counterfeit the IP address of the target host and then return the MAC address of the host to the source host, because the IP packet sent from the source host does not contain the MAC address of the target host, and the ARP table does not contain the corresponding table of the target IP address and the target MAC address, the attacker's MAC will be accepted to choose to communicate with the attacker, so ARP spoofing is triggered. When the system is just started, you can enter the "arp-a" command under DOS to view the content of the local arp cache table,

We will communicate with IP192.168.0.5. After the communication, the arp cache table will have such a record corresponding to the MAC address and IP address.

Add the corresponding records of IP and MAC in the cache on the local machine.

Dsniff is a well-known network sniffer toolkit. Its developer is Dug Song. It is designed to reveal the insecure network communication and facilitate network administrator audit, of course, penetration testing is also included. A tool in its installation package fully discloses the uneasiness and completeness of the Protocol. As a tool set, Dsniff includes four types of tools:
1. purely passive tools for network activity monitoring, including dsniff, filesnscarf, mailsnf, msgsnscarf, urlsnscarf, and webspy
Ii. MITM attack tools for SSH and SSL, including sshmitm and webmitm
3. Tools that initiate active spoofing, including arpspoof, dnsspof, and macof
4. other tools, including tcpkill and tcpnice

Download Dsniff Official Website: www.monkey.org /~ Dugsong/dsniff/This is the source code package. After unzipping the package, you can check README. It prompts that the support of five software is required: openssl, Berkeley_db, libnet, libpca, and libnids.
As follows:
Berkeley_db: http://www.oracle.com/technology/software/products/berkeley-db/index.html
Libpcap: http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
Ftp://rpmfind.net/linux/epel/5/