CompTIA Pentest+ PT0-002 – Section 10: Network Attacks Part 2

87. ARP Poisoning (OBJ 3.1)

The Address Resolution Protocol or ARP, is a procedure that occurs automatically on a given local area network to identify which workstation is currently assigned a particular IP address at any given time. This is because most networks use dynamic IP addresses that are changing over time, but each workstation has a burned in fixed physical machine address known as it’s MAC or media access control address that will never change. So if you remember from your earlier networking studies, you’ll remember that as data enters a local area network and it reaches a network switch, the communications are going to change from using IP addresses for routing to determine which machine to send the data to and instead they’re going to start using the machines MAC address at the data link layer of the OSI model.

For this to work, each switch and each workstation on the network has to maintain an ARP cache that contains a list of all the IP addresses and it’s matching MAC addresses that it is identified by listening to the network traffic. Now, this is normally created automatically and update dynamically by the systems. But a malicious user or penetration tester can configure a static ARP table or a static singular entry to misdirect traffic in the local area network to their machine.

At its most basic form ARP spoofing occurs when an attacker or penetration tester sends falsified ARP messages over a local area network to get the ARP caches to dynamically update themselves with the new information. Remember, the purpose of ARP is to create a binding between an IP address and a MAC address inside of the local area network using layer 2 or the data link layer. This is different than the IP addresses that are being used at the network layer or layer 3 of the OSI model, which allows network data to travel from a computer to another computer across the internet. As data is transferring over the internet, it has to rely on the IP addresses to transfer packets from router to router as it goes across the different networks. But once the IP address is at the right local area network, it’s converted from a layer 3 IP address into a layer 2 MAC address, so its network data can be delivered to the final destination client using the network switching infrastructure.

This occurs by using the ARP table that’s being maintained by the routers and the switches on the local area network. So if a penetration tester or attacker wants to pretend to be a different client on the network, they might be able to intercept those frames that are destined for a different network client. They can do this by changing the IP address and MAC address bindings that are being stored in that ARP table by conducting ARP spoofing. If they wanted to do this, all they have to do is send out an ARP message and advertise their IP address as the correct one for the MAC address of the victimized client. As you can probably guess conducting ARP spoofing by itself is not the entire attack, but instead it’s going to be used to put the attacker in a position to do some other type of attack, like interception or the modification of frames using an on-path attack at layer 2 of the OSI model. ARP poisoning is an attack that exploits the IP address to MAC resolution in a network to steal, modify or redirect frames within that local area network. One way to do that, as I said is ARP spoofing. As a cyber security professional, if you want to prevent ARP poisoning from occurring in your network, you need to set up good VLAN segmentation within your network and set up DHCP snooping to ensure that IP addresses aren’t being stolen and taken over by an attacker.

Now let me give you a quick analogy to help solidify the concept of ARP spoofing and in turn ARP poisoning for you. I think the easiest way to think about this is to equate it to when you last wrote a letter. Let’s say you filled out the envelope and you put the destination address as your grandma’s name and address. Then in the upper left corner you filled in your name and address. This would be the normal way to send a letter here in the United States, where you put the sender’s name in the upper left corner and the receiver in the center of the envelope. But let’s say you wanted to conduct spoofing here. Instead of writing your own name and address in the upper left corner, you decided to write your name but use your friend’s address instead. Now, when grandma gets that letter from you, she’s going to think that you moved because this has a new address in it. So she pulls out her address book, scratches out your old address and adds this new address to her address book. Now, when she wants to send you a letter she’s actually going to send it to your friend’s house instead.

Why? Because she already updated her ARP table in this case her address book to reflect that new address that she believes is yours. Now, this is the same thing that happens in our local area networks all the time. Anytime a frame passes through a switch and claims to have a new IP address for a given MAC address, it’s going to update its ARP cache and start sending traffic destined for that IP address to the new MAC address that had just recorded into its ARP table. To conduct ARP poisoning to redirect traffic from a victimized computer to your own attacking workstation, you first need to identify its MAC address and its IP address. You can do this by using Wireshark to passively collect the ARP packets as they’re being broadcast on the network, or you could take a more active approach by using a tool like Nmap.

With Nmap you can run a scan by entering nmap -PR -sn and the target to conduct an ARP ping and disabling a port scan while you’re doing it. This will allow you to gather all the MAC addresses associated with the targets that you specify in your target list. Now, once you know the MAC address that you want to spoof and pretend to be, you’re going to use a spoofing tool like Arpspoof or the auxiliary ARP poisoning tool inside of Metasploit to conduct that ARP poisoning. To use the command line tool Arpspoof, you’re simply going to enter arpspoof -i the interface name like eth0 -t and the IP address of your target. Now eth0 is going to be the name of the network interface that’s connected to the local area network that you want to conduct your spoofing on. And then the target that you’re going to enter is going to be the IP address of the victim whose cache you want to poison, such as a domain controller or a switch or something like that. Now, if you want to do it to the entire network, you can do that by typing in arpspoof -i eth0 and pressing Enter without specifying any target IP addresses. And this will send out the ARP broadcast across the entire local area network. Now, if you’re going to use the Metasploit framework instead you first need to start up the tool by entering msfconsole at the shell prompt and pressing Enter.

Once you get into the Metasploit framework tool you’re going to be at the Metasploit shell. From there, you’re going to enter use auxiliary/spoof/arp/arp_poisoning. And then set all the options such as the name of the interface, the target IP addresses and the MAC addresses that you want to use in your spoofing. You’re going to learn how to use Metasploit in more depth later on, but for right now, I just wanted to introduce you to the idea that Metasploit has a lot of different tools including some for ARP poisoning that you can use. Most of the tools inside of Metasploit are run the same way. You use a command like use and the tool name, and then you’re going to use set and the options to set the options before running the exploit, and then you’ll run the exploit after you’ve set those options.

88. DNS Cache Poisoning (OBJ 3.1)

In this lesson we’re going to discuss how DNS cache poisoning works. But before we do that, I think it’s important for us to conduct a quick review of how DNS is designed to work. Remember, every time a user tries to go to a website or click a link, they’re telling their computer that they want to connect to some URL like diontraining.com. So, if you go to our homepage right now you might see a link that you want to click on like our exam vouchers page where we sell discounted CompTIA exam vouchers for the official certification exam. If you want to check out our prices, you’re going to click on that link and it takes you to diontraining.com/vouchers. But how does your computer know how to get to diontraining.com or diontraining.com/vouchers in the first place? Well, your computer needs to determine the IP address of my web server for it to be able to do that. And this is because your computer has no idea where diontraining.com is because computer networks are based on routing your request from one IP address to another using either IPv4, or IPv6. And as you know, computers like numbers better than names. So, diontraining.com isn’t easy for a computer to work with because it prefers an IP address like 66.23.47.12 or whatever my web servers IP is today.

Now humans though, like you and I, we prefer to remember names like diontraining.com instead of a long series of numbers. So, it’s easier for me to tell you to visit my website @diontraining.com than it is for me to give you a long series of numbers and it makes it easier for you to remember too. So, to make it easier for both humans and computers we rely on DNS or the Domain Name system. This converts domain names to IP addresses every time a user clicks on a link or enters a domain name into their browser. And this all happens in the background without us having to do anything ourselves. Unfortunately, DNS is not secure though because it was designed back in the early days of the internet in the 1980s when it was a much smaller place and was treated almost like a large local area network. This led to a lot of vulnerabilities that attackers or penetration testers can exploit to our own advantages. Now, when a person first enters the domain name of diontraining.com into their web browser, their computer is first going to ask its own operating system, if it knows what the IP address is for that particular server. Now, it does this by using what’s called a stub resolver and checking its DNS cache that the operating system is maintaining based on the previous lookups that it’s performed. Now, if the operating system doesn’t know the IP address for this particular domain name because it’s not already in its DNS cache it then has to use a recursive resolver to ask the next device upstream of it, in this case, it’s default gateway for that IP address for the domain name.

So, the user’s computer is now going to ask its router or default gateway. And if the router or default gateway doesn’t know, then it’s going to ask its DNS server to resolve it. And if that DNS server doesn’t know it, it’s then going to continue to resolve it recursively all the way up until it finds the right IP address as a response. Now, the problem with this is that these responses from the resolver, when they come back, there’s no way to verify the authenticity of those responses and that they’ve come from the authoritative name server for that particular domain which ultimately is where the other resolves should get their information from. Basically, if an attacker or a penetration tester can send a resolution to one of those resolvers and they accept it as truthful they’re going to place it in their own cache and then they’re going to be able to give that result back to end users who are asking for the IP address of diontraining.com or whatever their website is being poisoned in that cache. And because this might not be the authoritative source for that domain name, we really don’t want them going to that site because it could be an IP address that’s associated with an attacker server that’s pretending to be that particular website. So, what does an attacker do in DNS cache poisoning? Well, they’re going to attempt to change the IP address of a domain name that’s stored in the DNS cache of a given DNS server.

If they can do that, any client who requests to visit that website in the future is going to be redirected to a website that’s controlled by the attacker, and this allows them to conduct further exploitation of that client, and that client then becomes their victim. As we just discussed though, there’s multiple places that these caches exist, including on the client itself, the default gateway or router, the local DNS server, the ISPs DNS server and all the upstream DNS servers until you reach the root DNS server for the .com domain or the authoritative DNS server for that particular domain name like the name server for diontraining.com. So for example, when my kids were younger and they were doing school online I often found them goofing off and watching YouTube videos instead of doing their schoolwork. So, I used a little cache poisoning on them and cause youtube.com to be redirected to their school’s domain name instead. Every time they tried to go to YouTube to watch a video on their laptop, they would instantly be redirected to their school’s homepage. By performing this cache poisoning against their laptops, it only affected their laptops and not my wife’s or mines or anybody else’s in the house. So, we could still go to YouTube, but the kids couldn’t because we poisoned it in the cache of their windows laptops. Similarly, if I was conducting an engagement against a company, I could poison their DNS servers cache, because all of their works stations are going to be configured to check their local company’s DNS server before connecting to an upstream DNS server. So, if I knew from my reconnaissance that every morning their employees were going to facebook.com to scroll their news feeds, I could actually poison the company’s internal DNS servers to redirect all requests that were sent to facebook.com to instead go to a website that’s controlled by me, and it might be one that looks just like facebook.com.

So, I could try to trick the users using social engineering to enter their usernames and passwords as a form of a watering hole attack by using DNS cache poisoning. Now, if you want to conduct DNS cache poisoning against an organization during your engagement, you first need to check if there or server uses recursion and you do this by doing it Nmap scan. If you enter nmap-sU-P 53–script=dns-recursion and then the IP address of your target server, this is going to use the Nmap scripting engine to check if recursion is enabled on the DNS server whose IP you entered. Now, if recursion is enabled, you can then attempt to conduct a dynamic DNS update without authentication by entering the command nmap-SU-P 53–script=dns-update–scripts-orgs= dns-update.hostname= the domain you want to use, dns-update.IP= the IP you want to use and then the target IP of the DNS server. This will allow you to try to do an update in an unauthenticated manner to be able to give them the new addresses that you want to with associate with a particular IP address. Remember, there’s lots of different ways to conduct DNS poisoning. This can be done by poisoning either the workstation or the server’s DNS cache by hijacking their local DNS server or performing an unauthorized zone transfer to an unpatched DNS server where you can then change the IP address of a given web server a record.

To counteract DNS poisoning attacks, there is a secure version of DNS known as DNSSEC that was created. DNSSEC uses encrypted digital signatures when passing DNS information between servers to be able to help protect it from poisoning. You can also prevent your DNS servers from being poisoned by ensuring your server has the latest security patches and the latest updates to make sure they’re always properly protected. Now, DNS cache poisoning won’t work on every DNS server because lots of servers are now using DNSSEC, like I just mentioned. DNSSEC is the DNS Security Extensions. And this is used to strengthen authentication in DNS by using digital signatures based on public-key cryptography to ensure the DNS data is deemed authoritative and it is digitally signed by the owner of that data. And therefore it prevents spoofing of those DNS records. If the server is using DNSSEC, it will prevent most of our DNS cache poisoning attempts. In DNSSEC, there is a public and private key pair for every DNS zone. And the zone owner is going to use the zone’s private key to digitally sign the DNS data in that zone. Now, since only the zone owner has that private key, this ensures that the DNS data that signed with that private key must be authoritative and it has been approved by that zones owner. The other key, which is the public key is then going to be able to be used by anyone to decrypt the digital signature and validate the zones data as being authoritative and correct. So, anytime resolver gets some DNS data using DNSSEC, it’s going to validate it by looking at the digital signature before it accepts it and enters it into its own cache, and this prevents cache poisoning. Now, this provides also data origin authentication for the data because only the zone owner could have digitally signed it. It also provides data integrity protection for the data because the data cannot be you changed after it’s been digitally signed by that zone owner. So, for DNSSEC to work both the zone owner and the resolver need to configure their DNS servers to support it to be able to read these digital signatures. So now if you happen to run your own DNS server, you need to configure it to allow DNSSEC to prevent DNS cache poisoning from occurring and this can be one of the recommendations you make in your final report if you find that your target organization is not using DNSSEC. Remember, DNSSEC is used to protect the validity and authoritativeness of the DNS servers for the target organization. Now, one other thing that we need to cover here as we’re talking about DNS is the concept of DNS zone transfers. Now a DNS zone transfer is a method of replicating DNS database entries across a set of DNS servers.

Normally, this is used for legitimate purposes but it can also be used as part of your information gathering and exploitation phases. Now, there are two ways to do this depending on whether you’re using windows or Linux. If you’re using a windows machine as your attack machine, you can use the NsLookup Tool in interactive mode to attempt to do a zone transfer. To attempt the zone transfer, simply enter NsLookup and hit enter at the command prompt, and then inside of the NsLookup Tool, enter set type-any hit enter and then type in LS-D and the domain name for whatever domain name you want to do the zone transfer from. This will be able to say I want all of the records for any kind of DNS information you have on the server, and I want you to transfer them for this domain name to my system. If their DNS server is misconfigured you’re going to be able to download all of their information from their DNS server to your local machine and then go through it at your leisure. Now, if you’re using a Linux or a Mac system as your attacking machine, you’re instead going to use the dig command. To perform the transfer, enter dig axfr name server target name server attacker. This states that we want to use the dig tool to conduct a zone transfer from the name server of the target to the name server that I control as an attacker. So in this example I might want to go from nameserver.diontraining.com to name server.attacker.com. Now you may notice that this command that we use here with dig said, AXFR. And you may be wondering what does AXFR mean? Well, AXFR is an abbreviation for authoritative transfer which is just another name for DNS zone transfer. So, if you see AXFR now you know what it means.

Now, if I run this command and my server was vulnerable to the attack this command would then copy all of the DNS entries over to my attacker’s name server so they can then go through them manipulate them and use that information as they need to to be able to get IP addresses for your servers your sub domains, or other information like that. This is known as the DNS harvesting, that’s another form of open source intelligence that you can use to gather information about a domain name and it’s associated resources. In addition to using these built in tools like NSLookup and dig you can also use Nmap to conduct a zone transfer. To do this, you’ll use the Nmap script called dns-zone-transfer.domain to conduct the zone transfer if the server allows it.

89. LLMNR/NBT-NS Poisoning (OBJ 3.1)

The next network vulnerability that we’re going to discuss involves the link-local multicast name resolution protocol, known more commonly by the abbreviation LLMNR. The LLMNR protocol is based on the DNS packet format and it allows both IPv4 and IPv6 hosts to perform name resolution on the host if they’re on the same local link. This means that both hosts need to be on the same internal network to be able to use the link local multicast name resolution. If there is not a DNS server on the network, then your Windows machines can use LLMNR to determine the names and the IP addresses of the other and resources on that network. If the systems are running Linux, though, LLMNR is not going to work. Instead, Linux systems rely on ZeroConf, which uses the SystemD or system Damon, and the system resolve D Damon to accomplish the name resolutions on their local links. ZeroConf and LLMNR are useful for creating temporary networks like ad hoc wifi networks, Bluetooth networks, and things of that nature. Another type of name resolution protocol that we can exploit is known as the NetBIOS name service, also known as the wins service on a Windows system.

Now the NetBIOS name service, which is usually written as NBNS or NBT-NS, is part of the NetBIOS over TCP protocol suite that’s used as a type of name resolution inside of the internal network to translate internal names to IP addresses using a 16-character ASCII name. The NetBIOS name service is implemented in both the windows operating system, as well as the Linux operating system. Now, the NetBIOS name service is going to use the host name of a system, for example, Jason’s PC, and it’s going to use that to resolve it. This allows us to be able to connect to a resource using the server’s name instead of using its IP address. For example, if you’ve ever tried to connect to a network server and you entered something like //fileserver or //sharedrive, you were actually using the NetBIOS name service to identify the proper IP address behind the scenes and then connect to that resource. By default, Windows machines will first attempt to use the link local multicast name resolution, or LLMNR, but if that fails, then it’s going to attempt to use the NetBIOS name service, or NBT-NS instead.

Now, to exploit the link local multicast name resolution or the NetBIOS name service, a penetration tester can use a tool known as Responder. Responder is a command line tool in Kali Linux that’s you used to poison the NetBIOS, LLMNR and MDNS name resolution requests. This is considered a post exploitation tool because you first have to break into that local area network in order to use this tool. So, for example, let’s say you’ve broken into a Windows network. You can now use Responder to poison the link local multicast name resolution process for name resolution inside of that network. When you run Responder, it’s going to start listening for any time a system calls out for a certain machine, and then it’s going to poison the name resolution call by sending back incorrect information. So let’s say that a Windows machine is trying to find the file server, and it sends out a resolution request using the LLMNR protocol. Now Responder is going to see this request and then it’s going to respond to it with the IP address of a file server that’s controlled by that penetration tester.

When this IP address is returned to the Windows client, it’s then going to try to connect to the attacker’s controlled file server, instead of the company’s real file server. From this position we can perform other attacks and exploits or even use this LLMNR poisoning to conduct an on path attack by putting our attack machine in the center of all the communications between the client and the server that we want to victimize. Now, for this attack to work, though, the attacker has to be able to prevent the real file server from responding to the initial LLMNR request. In a real attacker hack, this can easily be done by temporarily kicking that server offline using a denial of service attack, but for our engagements that’s likely not going to be in your scope of allowed activities. So instead, you’re going to want to try to trick the victim into querying a non-existent name by using some kind of social engineering. For example, you might send a phishing email that has a link to the local share drive that //fileservers with an S instead of //fileserver without an S. If the victim tries to open that link to connect to the file server, they are now going to be rerouted and redirected to your attack server instead because you have poisoned that LLMNR using Responder.

• Category: Uncategorized