2017-2018-2 20179202 "Network Attack and Defense Technology" Week 8 Homework

Sniffing, spoofing and man-in-the-middle attacks

1. Run the command echo 1 > /proc/sys/net/ipv4/ip_forward to enable IP forwarding on Kali.

2. Set up sslstrip

Execute the command iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8081 to redirect all requests for port 80 to port 8081.

3. Preparation of ettercap

The configuration file is /etc/ettercap/etter.conf. First, both ec_uid and ec_gid should be changed to 0.

Then, under the linux section, find the two lines that follow the "if you use iptables" comment and uncomment them so that ettercap can use iptables for redirection.

Run ettercap -G to open the graphical interface. Click Sniff -> Unified sniffing.

4. Ettercap usage

Hosts -> Scan for hosts to find hosts on the network.

Select the IP address you want to target in the window, then click Add to Target 1 at the bottom of the window, and then assign the gateway to Target 2. Select Mitm -> Arp poisoning -> Sniff remote connections.

Use the command arp -a on the target host to view the ARP table. The left and right sides of the figure below show the table before and after spoofing. After ARP spoofing takes effect, the MAC address that the target host's ARP table holds for 192.168.199.1 has become the MAC address of 192.168.199.162.

Select Start -> Start sniffing to begin monitoring; all traffic of the target host now passes through the attacker's host. When a victim on the same LAN logs in to a web page, the password can be recorded.
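The symptom just described (the gateway's entry in the victim's ARP table switching to another host's MAC) is also what a defender looks for. The following script is an added example, not part of the original homework: it parses two snapshots of arp -a output on the protected host and reports any IP whose MAC changed, plus any host that now shares its MAC with the gateway. The snapshots and MAC addresses are constructed placeholders.

```python
import re
from typing import Dict, List

# Matches one line of Linux "arp -a" output, e.g.
#   ? (192.168.199.1) at 00:11:22:33:44:01 [ether] on wlan0
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map each IP address in 'arp -a' output to its lower-cased MAC address."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def detect_arp_spoofing(before: Dict[str, str], after: Dict[str, str],
                        gateway_ip: str) -> List[str]:
    """Compare two ARP-table snapshots and report the symptoms of a poisoned table.

    Two checks are made:
      1. an IP whose MAC address changed between the snapshots, and
      2. the gateway IP resolving to the same MAC as another host on the LAN
         (the situation the homework observes on the target after poisoning).
    """
    findings: List[str] = []
    for ip, old_mac in before.items():
        new_mac = after.get(ip)
        if new_mac is not None and new_mac != old_mac:
            findings.append(f"MAC for {ip} changed from {old_mac} to {new_mac}")
    gw_mac = after.get(gateway_ip)
    if gw_mac is not None:
        for ip, mac in after.items():
            if ip != gateway_ip and mac == gw_mac:
                findings.append(f"gateway {gateway_ip} and host {ip} share MAC {gw_mac}")
    return findings


# Constructed sample snapshots (placeholder MAC addresses, not captured data):
# before poisoning the gateway has its own MAC; afterwards it shows the MAC of
# 192.168.199.162, the host the homework uses as the attacker.
ARP_BEFORE = """\
? (192.168.199.1) at 00:11:22:33:44:01 [ether] on wlan0
? (192.168.199.162) at 00:11:22:33:44:a2 [ether] on wlan0
"""
ARP_AFTER = """\
? (192.168.199.1) at 00:11:22:33:44:a2 [ether] on wlan0
? (192.168.199.162) at 00:11:22:33:44:a2 [ether] on wlan0
"""


def sample_findings() -> List[str]:
    """Run the detector over the constructed before/after snapshots."""
    before = parse_arp_table(ARP_BEFORE)
    after = parse_arp_table(ARP_AFTER)
    return detect_arp_spoofing(before, after, gateway_ip="192.168.199.1")


if __name__ == "__main__":
    for finding in sample_findings():
        print("ALERT:", finding)
```

On a real host the two snapshots would come from running arp -a periodically (or from a static ARP entry for the gateway, which removes the problem rather than just detecting it). Checking the shared-MAC condition alone is enough to catch the poisoning shown in the homework, but the changed-MAC check also catches a spoofer that impersonates a host other than the gateway.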

5. Introduction of Dsniff suit

The Dsniff suite mainly consists of arpspoof and dsniff; the former is used for ARP spoofing, the latter for sniffing.

dsniff options:

-c: open half-duplex TCP streams, allowing correct sniffing when used together with arpspoof
-d: enable debug mode
-f: load triggers (that is, the service types whose passwords are sniffed) from a file in /etc/services format
-I: use a specific network interface
-m: use the dsniff.magic file to try to determine the protocol automatically from the signatures defined in the magic file
-n: do not perform host lookups
-r: read the sniffed data from a previously saved session
-s: sniff at most the given number of leading bytes of each packet, for cases where the username and password lie beyond the default 1024-byte boundary
-t: load a comma-delimited set of triggers in the format port/proto=service

6. Session Hijacking

Here we mainly use cookies as an example to illustrate the usage of session hijacking.

Start ARP spoofing:
arpspoof -i wlan0 -t 192.168.1.1 192.168.1.102
Capture datagrams:
tcpdump -i wlan -w test.cap
Wait for a while; once the target has presumably logged in to the website, start processing the captured datagrams:
ferret -r test.cap
If the captured datagrams are fine and port forwarding is confirmed to be enabled, processing the datagrams automatically generates hamster.txt. Next, run hamster. Hamster prompts you to set the browser proxy to http://127.0.0.1:1234; then open hamster in the browser at http://hamster, select the target and the likely login authentication address, and click the link. The hijacking was found to be successful.

7. Picture interception

Using Driftnet, we can see the pictures that victims view while visiting websites.
First, start ARP spoofing with arpspoof as before, and then start driftnet with the -i option followed by the interface name:
driftnet -i
A small window pops up. When the target visits a website with pictures, the attacker can see them in this window.

8. DNS Spoofing

Using dnsspoof from the Dsniff package or the dnsspoof plugin of ettercap, we can carry out DNS spoofing against the victim.

9. URL monitoring

Using the urlsnarf tool in the Dsniff suite, we parse the HTTP traffic on TCP ports 80, 3128 and 8080 and can dump all sniffed HTTP requests in the Common Log Format (CLF). This format is used by many web servers, such as IIS and Apache, so it is very convenient to analyse the recorded results afterwards with common log analysis tools.
Usage: urlsnarf [-n] [-i interface | -p pcapfile] [[-v] pattern [expression]]
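Because urlsnarf writes CLF, the same parser a web administrator uses for Apache or IIS logs can be used to review what was observed, for instance to list which requests carried form data in the clear. The parser below is an added example, not part of the original homework or of Dsniff; it handles plain CLF as well as the "referer" "user-agent" tail and the "-" status/size fields that urlsnarf emits. The sample log lines are constructed (the hosts reuse the homework's lab addresses, the site name is a placeholder).

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Common Log Format with the optional "referer" "user-agent" tail that urlsnarf
# appends; status and size may be "-" when the response was not observed.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[0-9.]+))?" '
    r'(?P<status>\d{3}|-) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


def parse_clf(line: str) -> Optional[Dict[str, object]]:
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = None if m.group("status") == "-" else int(m.group("status"))
    rec["size"] = None if m.group("size") == "-" else int(m.group("size"))
    return rec


def requests_by_host(lines: List[str]) -> Dict[str, int]:
    """Count parsed requests per client host."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec:
            counts[str(rec["host"])] += 1
    return dict(counts)


def plaintext_posts(lines: List[str]) -> List[str]:
    """Targets of POST requests: the requests whose form data (such as
    credentials) travelled unencrypted over the sniffed ports."""
    return [str(rec["target"]) for rec in map(parse_clf, lines)
            if rec and rec["method"] == "POST"]


# Constructed sample log in urlsnarf/CLF style (placeholder site name).
SAMPLE_LOG = [
    '192.168.199.139 - - [12/Apr/2018:20:15:01 +0800] "GET http://example.test/login HTTP/1.1" - - "-" "Mozilla/5.0"',
    '192.168.199.139 - - [12/Apr/2018:20:15:03 +0800] "POST http://example.test/login HTTP/1.1" - - "http://example.test/login" "Mozilla/5.0"',
    '192.168.199.140 - - [12/Apr/2018:20:16:10 +0800] "GET /index.html HTTP/1.0" 200 2326',
    'this line is not in CLF and is skipped',
]


if __name__ == "__main__":
    print("requests per host:", requests_by_host(SAMPLE_LOG))
    print("plaintext POST targets:", plaintext_posts(SAMPLE_LOG))
```

The regular expression anchors every field, so a line that does not fit the format is rejected instead of being half-parsed; the "-" placeholders become None rather than zero so that "no response seen" is not confused with an empty response.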

10. Download software monitoring

Using the filesnarf tool in the Dsniff suite, we can pick a file out of sniffed NFS traffic and dump it into the local current working directory.
Usage: filesnarf [-i interface | -p pcapfile] [[-v] pattern [expression]]

Permission maintenance

1. WEB backdoor

(1) Weevely

Weevely is a webshell tool written in Python that integrates webshell generation and connection. The generated backdoor code is base64 encoded, and the backdoor only uses common string-processing functions, so functions such as eval and system, which detection rules look for, never appear directly in the code. This lets the backdoor file evade backdoor-scanning tools. Its modules are not available on Windows.

Through the command weevely generate test ~/1.php, a backdoor named 1.php and password test is generated.

Copy 1.php to the target machine 192.168.199.139 /var/www/ path, and upload the backdoor to the web.

Enter the command weevely http://192.168.199.139/1.php test to connect to the backdoor with weevely (the last argument is the password set earlier). This gives a webshell, after which the terminal can be used freely.

WeBaCoo (Web Backdoor Cookie) script-kit is a small, covert PHP backdoor that provides a terminal which connects to a remote web server and executes PHP code. WeBaCoo uses HTTP response headers to return command results. Shell commands are base64 encoded and hidden in cookies, that is, the communication is carried in cookie headers.

webacoo -g -o wbc.php

Copy the 2.php file to the web root directory (/var/www/) of the target machine 192.168.199.139 and enter the command webacoo -t -u http://192.168.199.139/2.php

2. System backdoor

(1) Cymothoa system backdoor

Cymothoa is a backdoor tool that can inject shellcode into existing processes. The backdoor program it injects should be able to coexist with the injected process and obtain the same permissions as the original process.

(2) Dbd

Dbd can be understood as an encrypted version of Netcat (or nc), which only supports TCP/IP connections. Sbd is very similar to Dbd and is also a clone of Netcat, using AES-CBC-128 and HMAC-SHA1 encryption.

(3) U3-Pwn

U3-Pwn is a tool used together with Metasploit payloads. Through a single menu it can target removable media such as optical-drive images and USB flash drives.

(4) Intersect

Enter 2 to list available modules

Enter 1 to create a backdoor script and add functional components freely (enter the name of a module to add it; here we take the bshell module as an example), then use :create to generate a shell. Next, set the Intersect script name, temp directory (location of temporary files), logging on or off, bind port, remote host, remote port, proxy port, and XOR cipher key. This generates shell.py under /usr/share/intersect/Scripts/.

Copy shell.py to the current directory; in one terminal, simulate the target host by executing ./shell.py -b, which starts a bind-shell backdoor. Then open another terminal to simulate the attacker and run nc -nvv 127.0.0.1 5555, which yields a working shell.

3. Tunnel toolset

The Tunnel toolset contains a series of tools for establishing communication tunnels and proxies:

1. CryptCat

Cryptcat is an encrypted version of Netcat, similar to Dbd and Sbd. Cryptcat supports two transport protocols, TCP and UDP. It establishes a connection between two computers and encrypts the transmitted data with a specified key; the tool lets users pick a custom key for each connection.

2. DNS2TCP

dns2tcp is a tool written in C that forwards TCP connections over a DNS tunnel and supports KEY and TXT type requests. It has two parts, a server and a client; after compilation the server executable is named dns2tcpd and the client dns2tcpc. Besides dns2tcp, other DNS-tunnel tools include OzymanDNS, tcp-over-dns, heyoka, and iodine.
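From the defender's side, tunnels of this kind leave a characteristic trace in resolver logs: many TXT/KEY/NULL queries with long, high-entropy subdomain labels under one domain. The script below is an added example, not part of the original homework or of any of the tools named above; it scores query names with a few such heuristics. The log format ("client qtype qname"), the thresholds and the sample queries are all constructed assumptions, and the constants should be tuned against real resolver logs.

```python
import math
from collections import Counter
from typing import List, Tuple

# Illustrative thresholds (assumptions; tune against your own resolver logs).
MAX_LABEL = 40            # a single label this long is rare in ordinary names
MAX_NAME = 100            # total query-name length
ENTROPY_THRESHOLD = 3.8   # bits per character over the data part of the name
TUNNEL_QTYPES = {"TXT", "KEY", "NULL"}   # record types tunnels favour for payload capacity


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def tunnel_indicators(qname: str, qtype: str) -> List[str]:
    """Return the reasons (possibly none) why a query looks like tunnel traffic."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    reasons: List[str] = []
    longest = max((len(l) for l in labels), default=0)
    if longest >= MAX_LABEL:
        reasons.append(f"label of {longest} chars")
    if len(qname) >= MAX_NAME:
        reasons.append(f"name of {len(qname)} chars")
    # The "data" part is everything in front of the registered domain, taken
    # here as the last two labels (a simplification; real code would use a
    # public-suffix list).
    data = "".join(labels[:-2])
    if len(data) >= 20:
        ent = shannon_entropy(data)
        if ent >= ENTROPY_THRESHOLD:
            reasons.append(f"high-entropy data part ({ent:.2f} bits/char)")
    if qtype.upper() in TUNNEL_QTYPES and len(labels) >= 4:
        reasons.append(f"{qtype.upper()} query with {len(labels)} labels")
    return reasons


def scan_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Each line is '<client> <qtype> <qname>' (constructed format).
    Return (client, qname, reasons) for every query that trips an indicator."""
    flagged: List[Tuple[str, str, List[str]]] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, qname = parts
        reasons = tunnel_indicators(qname, qtype)
        if reasons:
            flagged.append((client, qname, reasons))
    return flagged


# Constructed sample queries: three ordinary lookups and two tunnel-style ones
# (the encoded labels are made-up hex, the domain is a placeholder).
SAMPLE_QUERIES = [
    "192.168.199.139 A www.example.test",
    "192.168.199.139 TXT _dmarc.example.test",
    "192.168.199.139 AAAA mail.example.test",
    "192.168.199.140 TXT 3f9c2e7d1a5b8f0e4c6a9d2b7f1e3c5a8d0b4f6e2c9a1d7b3f5e8c0a4d6b2f7e.t.tun.example.test",
    "192.168.199.140 KEY a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6.t.tun.example.test",
]


if __name__ == "__main__":
    for client, qname, reasons in scan_log(SAMPLE_QUERIES):
        print(f"{client} {qname}: {'; '.join(reasons)}")
```

None of these indicators is proof on its own: DNS blocklist lookups, CDN hostnames and some anti-spam schemes also produce long or random-looking labels, so in practice the score is combined with volume per client and per domain before anyone acts on it.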

4. Miredo

Miredo is a network tool mainly used for IPv6 Teredo tunnelling on BSD and Linux. It lets network connections that do not support IPv6 reach IPv6. IPv6 and TUN tunnel support are required in the kernel.

5. Proxychains

Proxychains is a proxy tool often used in intranet penetration testing; it can force any application's TCP connections through a SOCKS4, SOCKS5 or HTTP(S) proxy.

The configuration file of ProxyChains is /etc/proxychains.conf. Open it and add the proxy IP and port at the end; any number of proxies can be added, one record per line. For example, if Meterpreter is used to open a Socks4a proxy service, adding the line socks4 127.0.0.1 8080 lets other tools such as sqlmap and nmap use that proxy directly to scan the intranet. Usage is very simple: prefix the application with proxychains, e.g. proxychains nmap -sT -Pn 10.0.0.1/24. Because proxychains only proxies TCP connections and ping uses ICMP, -Pn must be used.

6. Proxytunnel

Proxytunnel can connect to a remote server through a standard HTTPS proxy, i.e. it acts as a proxy that implements bridging, in particular for SSH over HTTP(S). Proxytunnel can be used to:

  • Create a communication channel through an HTTP(S) proxy (HTTP CONNECT command)
  • Act as a client driver for OpenSSH, creating SSH connections through an HTTP(S) proxy
  • Connect to a remote server as a standalone application

7. Ptunnel

In some network environments both TCP and UDP packets are blocked unless the user authenticates. But as long as you can ping the remote computer, you can establish an ICMP tunnel over the ICMP packets that ping sends, and carry TCP data through that tunnel to obtain unrestricted network access. Ptunnel uses ICMP packets to build such a tunnel. The user first starts Ptunnel as a proxy server outside the restricted network, then runs Ptunnel in client mode to establish the ICMP tunnel.

8. pwnat

pwnat is a NAT traversal tool that lets two machines behind NAT or a firewall communicate without any third-party server or port forwarding. A server is first started on a computer on the public network; the other computers behind NAT then run in client mode and reach each other by connecting to that server.

9. sslh

sslh is an SSL/SSH port multiplexer: it accepts HTTPS, SSH and OpenVPN connections on the same port. This makes it possible to reach an SSH server or an OpenVPN server through port 443 while still serving HTTPS on that port. sslh can be used as a case study of port multiplexing.
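The part of sslh worth studying is the probe that decides, from the first bytes a client sends, which backend a connection belongs to. The snippet below is an added example, not sslh's own code: it reproduces the idea with simplified checks for SSH, TLS, HTTP and OpenVPN, including the timeout case (an SSH client waits for the server banner, so a silent client is assumed to be SSH). The backend addresses, the OpenVPN length check and the default for unrecognised traffic are assumptions.

```python
from typing import Dict, Optional, Tuple

# Backends a multiplexer on port 443 might hand the connection to (placeholder
# addresses; sslh's real routing comes from its configuration file).
BACKENDS: Dict[str, Tuple[str, int]] = {
    "ssh":     ("127.0.0.1", 22),
    "tls":     ("127.0.0.1", 8443),
    "http":    ("127.0.0.1", 8080),
    "openvpn": ("127.0.0.1", 1194),
}
DEFAULT_PROTO = "tls"   # assumption: unrecognised traffic goes to the HTTPS backend

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ",
                b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_first_bytes(data: bytes, timed_out: bool = False) -> Optional[str]:
    """Guess the protocol from the first bytes a client sends on the shared port.

    Returns None when more data is needed; the caller keeps reading until
    the probe decides or its timer fires (timed_out=True).
    """
    if not data:
        # SSH clients wait for the server banner first, so a client that
        # has said nothing by the timeout is treated as SSH.
        return "ssh" if timed_out else None
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    # OpenVPN over TCP: 2-byte big-endian length, then an opcode byte whose
    # top 5 bits are 7 (P_CONTROL_HARD_RESET_CLIENT_V2) for a new session.
    # The minimum length of 14 is an assumption for this simplified probe.
    if len(data) >= 3 and (data[2] >> 3) == 7:
        if int.from_bytes(data[:2], "big") >= 14:
            return "openvpn"
    if len(data) < 8:
        return None   # too short to rule anything out yet
    return "unknown"


def choose_backend(data: bytes, timed_out: bool = False) -> Optional[Tuple[str, int]]:
    """Map the probe result to a backend; None means 'keep reading'."""
    proto = classify_first_bytes(data, timed_out)
    if proto is None:
        return None
    return BACKENDS.get(proto, BACKENDS[DEFAULT_PROTO])


if __name__ == "__main__":
    # Constructed client openings, one per protocol.
    for sample in (b"SSH-2.0-OpenSSH_7.4\r\n",
                   b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
                   b"GET / HTTP/1.1\r\nHost: x\r\n\r\n",
                   b"\x00\x2a\x38" + b"\x00" * 40):
        print(sample[:8], "->", classify_first_bytes(sample), choose_backend(sample))
```

Two properties matter for a multiplexer like this: the probe must not block forever on a client that speaks second (hence the timeout default), and it must never forward a half-read buffer, so the bytes consumed by the probe are replayed to the chosen backend before the rest of the stream is relayed.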

Kali reverse engineering tool

1. Computer debugger

EDB (Evan's Debugger) is a binary debugging tool built on Qt4 and intended as a Linux counterpart of OllyDbg. Its functionality can be extended through a plug-in system. Currently only Linux is supported.

2. OllyDbg is a classic Ring3-level debugger, a dynamic debugging tool that combines features of IDA and SoftICE. On Kali, OllyDbg runs under Wine.

3. jad is a Java decompiler.

4. Radare2 is an open source reverse engineering platform that can disassemble, debug, analyze and manipulate binary files.

6. APKTool is an APK compilation tool provided by Google. It can decompile and recompile APKs, install the framework-res framework needed to decompile system APKs, and clean up the folder from the previous decompilation.

7. Clang, Clang++

Clang is a lightweight compiler for the C, C++, Objective-C and Objective-C++ languages. Clang++ is the C++ front end of Clang and is used in the same way. clang corresponds to the gcc compiler, clang++ to the g++ compiler.

8. d2j-dex2jar converts dex files to jar files, after which other tools can be used to view the source code.

9. Flasm

Its main function is to modify the ActionScript in a SWF file directly.
Software that converts SWF to FLA files cannot guarantee 100% restoration. If only the AS script code needs to be modified, flasm is the best choice, because it modifies only the script and leaves the resource data untouched.

10. Javasnoop

A Java application security testing tool that lets you intercept and tamper with data and hack Java applications running on your computer. Without source code, testing the security of a Java client is unpredictable at best and impractical at worst.
