Sunday, October 15, 2017
COUNTING NETWORK TRAFFIC GENERATED BY NMAP OPTIONS
- Layout for this exercise:
1 - Introduction
- The goal of this exercise is to compare traffic sent by different NMAP options while scanning ports of a target.
- For that purpose the bash script TrafficCounter.sh uses Linux Iptables to measure incoming and outgoing traffic to the target 192.168.1.7.
- Every time the Nmap is used the script is run in order to clean the current status of the Iptables firewall, with options -Z (zero counters in all chains) and -F (deletes all rules in all chains).
- Giving execution permissions to the script:
- After Nmap has been run Iptables shows the traffic sent to the target, with options -vn ( verbose and numeric output) and -L (lists the rules):
2 - Nmap -sT
- nmap -sT establishes a full TCP handshake connection:
- The traffic originated is big, 122 Kbytes:
3 - Nmap -sS
- nmap -sS scan does not establish a full TCP handshake, just half connection:
- The traffic generated is 88 Kbytes:
4 - Nmap -sV
- nmap -sV detects versions of the the services running at the ports:
- Traffic generated is 98 Kbytes:
5 - Nmap -O
- nmap -O discovers the Operating System of the target:
- The traffic generated is 95 Kbytes:
6 - Nmap -sU
- nmap -sU scans UDP ports:
- Traffic generated is less than previous cases, 58 Kbytes:
7 - Nmap -sn
- nmap -sn discovers up/down targets of a given subnet:
- The traffic generated is almost nothing:
8 - Nmap -sP
- nmap -sP discovers whether the target is up/down:
- The traffic generated is negligible:
9 - Nmap -sT all ports
- nmap -sT -p 1-65535 scans all ports of the target:
- The traffic generated is huge, 7878 Kbytes:
10 - Nmap --top-ports
- nmap --to-ports scans only the most important or usual ports, up to a specified amount of them, in this case 10:
- The generated traffic is small, 852 bytes:
Monday, October 2, 2017
DNS TUNNELING WITH DNSCAT2
- Layout for this exercise:
1 - INTRODUCTION
- dnscat2 creates an encrypted command-and-control (C&C) channel over the DNS protocol, which is an effective tunnel out of almost every network.
- dnscat2 can be used as a communication channel between a target host and the C&C server, because even in the most restricted environments DNS traffic should be allowed to resolve internal or external domains.
- Commands and data are included inside DNS queries and responses therefore detection is difficult since arbitrary commands are hiding in legitimate traffic.
- dnscat2 comes in two parts: server and client
1.1 - dnscat2 server
- The server is designed to be run on an authoritative DNS server. It's written in Ruby, and depends on several different gems.
- It can tunnel any data, with no protocol attached, which means it can upload and download files, it can run a shell, etc ... it can also potentially tunnel TCP, but that's only going to be added in the context of a pen-testing tool (that is, tunneling TCP into a network), not as a general purpose tunneling tool.
- It's also encrypted by default.
1.2 - dnscat2 client
- The client is designed to be run on a compromised machine. It's written in C and has the minimum possible dependencies.
- The client needs to be executed on the target in order for the server to receive a connection. Traffic is transmitted in an encrypted form and also it supports authentication via pre-shared secrets.
- When running the client typically a domain name is specified. All requests will be sent to the local DNS server, which are then redirected to the authoritative DNS server for that domain.
- If there is no authoritative DNS server, it is possible to use direct connections on UDP/53. They'll be faster, and still look like DNS traffic to the casual viewer, but it's much more obvious in a packet log (all domains are prefixed with "dnscat.", unless you hack the source). This mode will frequently be blocked by firewalls.
- To sum it up, some advantages of dnscat2:
- Support of multiple sessions
- Traffic encryption
- Protection from MiTM attacks with secret key
- Run PowerShell scripts directly from memory
2 - SETTING UP DNSCAT2
2.1 - dnscat2 server
- To download the server (for Kali):
- Cloning and installing the dnscat2 server to Kali:
- Running the server it waits until a session is requested by the remote client:
2.2 - dnscat2 client
- To download the client (for Windows):
- Once downloaded dnscat2 client to Windows there is an executable:
3 - ESTABLISHING THE DNSCAT2 SESSION
- The session is initialized by the client, just calling to the server in this way:
- The server acknowledges the session, but it is very important to notice that the same string is shared between the two parties client and server:
- Connecting to the session (window) 1 we have a command session command (NYC) 1> indicating that the session is successfully established:
- Available options:
4 - REMOTE COMMAND EXECUTION
- One example of how to execute commands remotely from Kali to Windows would be just launching the Calculator with command exec calc.exe:
- The remote execution is successful, as we can checked at the Windows' side:
5 - REMOTE SHELL
- The most powerful option would be to spawn a remote shell, just calling the command shell:
- At the Windows' side the cmd.exe program is loaded:
- Going to the just created new session (window) 3 created we've got a remote shell:
- Running ipconfig and whoami at Kali to check that we are connected to the correct Windows NYC machine:
6 - CAPTURING ENCRYPTED TRAFFIC
- Both Tcpdump and Wireshark detect the traffic bewteen the two parties, but the traffic is encrypted and not readable in plain text:
- Wireshark with Follow UDP Stream: