IN5290 Ethical Hacking: Lecture 12 - Internal Network Hacking Study Notes

Lecture Overview

  • Internal network hacking steps

  • Packet sniffing

  • ARP protocol, ARP/DNS poisoning

  • Internal network Windows protocols

Internal Network Description

  • Internal Network IP Ranges:

  1. 10.0.0.0/8

  2. 192.168.0.0/16

  3. 172.16.0.0/12

Gaining Access to the Internal Network

Methods of Accessing the Network
  1. Physical Access:

    • Walk into the building to locate an endpoint.

    • Tailgating: An attacker follows someone with legitimate access to enter a restricted area protected by an electronic access control (e.g., RFID card).

    • Asking for assistance while holding a large package to gain entry.

    • Entering under false pretenses (e.g., for a meeting or job interview).

    • Getting hired as an insider (insider attack).

  2. Logical Access:

    • Determine if access restrictions are in place and exploit vulnerabilities to gain access.

Types of Ethical Hacking Projects
  • From the attacker’s location perspective:

    • External penetration testing

    • Web hacking

    • Internal penetration testing

    • Wireless penetration testing

    • Social engineering

  • From the attacker’s access rights perspective:

    • Black box testing

    • Grey box testing

    • White box testing

Note: Internal penetration testing can also reveal potential insider threats by assessing employee capabilities.

Steps of Hacking Internal Network

  1. General Information Gathering: Collect all readily available information about the target.

  2. Technical Information Gathering: Gather network/system-specific vital information (requires access to the internal network).

  3. Identifying Available Hosts: Determine which computers can be attacked.

  4. Identifying Available Services: Determine which services on those hosts can be targeted.

  5. Manual Service Mapping: Review how services operate, system reactions, and mitigations involved.

Technical Access Requirements for TCP/IP Communication

  • A valid IP address

  • A netmask

  • A gateway

  • DNS servers (one or more)

Listening to Network Traffic Without a Valid IP

Even without a valid IP address, an attacker can listen to traffic; how much of it reaches the attacker's port depends on the network topology (e.g., ring, star, line). Frames not addressed to the attacker's own device can still be captured by putting the network interface into promiscuous mode.

Promiscuous Mode / Monitor Mode
  • Promiscuous Mode: The network interface card (NIC) receives all traffic instead of only packets addressed to its own MAC address. This mode is primarily used for packet sniffing.

  • Monitor Mode: Specifically for wireless network interface cards, allowing traffic capture without initial association with an access point.

Wireshark Overview

  • Wireshark: A packet sniffer that sets the NIC to promiscuous mode and displays all traffic.

  • Capabilities include:

    • Viewing detailed info about analyzed frames, including MAC addresses, IPs in use, traffic direction, possible subnets, and the presence of proxies.

    • Collecting clear text data from sniffed packets.

Gaining Logical Access to the Internal Network

Options After Connecting to an Endpoint
  1. Determine if the Link is Active: Check to see if the endpoint is functioning.

  2. Acquire an IP Address via DHCP:

    • Dynamic Host Configuration Protocol (DHCP): A network management protocol that automatically assigns IP addresses and other configurations to devices to facilitate communication.

  3. Port Security Enforcement: Cisco switches utilize port security to limit traffic based on specific MAC addresses.

Bypassing Port Security
  • Requirements: To bypass port security, one must use a valid MAC address, accomplished through:

    • Sniffing network traffic to obtain a valid MAC address.

    • Disconnecting an existing device (e.g., printer) and using its MAC address.

Steps if Endpoint Access is Unavailable

If access to the network cannot be obtained (e.g., no DHCP), the attacker may:

  • Ask a contractor for access, impersonating an employee for entry.

  • Commence a professional attack by securing an employment position to gain legitimate network access.

Internal Hacking Process after Gaining IP and Communication

  • Similar steps to external hacking:

    1. Identifying available hosts in the network.

    2. Identifying available services on those hosts.

    3. Manual mapping of identified services.

    4. Conducting automatic vulnerability scanning.

    5. Manually verifying findings.

    6. Exploitation of vulnerabilities.

    7. Lateral movement within the network.

    8. Ensuring persistent access.

    9. Collecting intelligence and removing evidence of the intrusion.

Internal Hacking - Port Scanning

  • The internal network typically includes many more devices, so traditional scanning approaches may be inadequate.

  • Efficiency in Scanning Large Internal Addresses:

    • Instead of pinging the entire range (e.g., 10.0.0.0/8 contains 256^3 = 16777216 hosts), focus on specific sub-ranges detected via previously captured traffic data.

    • Scanning for active devices using limited scans based on known address logic or diagrams of network topology.

Wireshark Advanced Usage

  • Traffic Filtering & Data Analysis: Wireshark can filter specific protocols (e.g., HTTP) and shows detailed statistics for the captured data. Examples of display filters:

    • ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 (traffic that stays inside the 192.168.0.0/16 range)

    • tcp.window_size == 0 && tcp.flags.reset != 1 (zero-window segments that are not resets)

    • Following a TCP stream with Follow TCP Stream, which applies a filter such as tcp.stream eq 4.
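The two display filters above, and the "scan only the sub-ranges you have actually seen" advice from the port scanning section, expressed in Python over a constructed packet list. This is an added example, not code from the lecture; the packet summaries are made up and only mimic the Wireshark fields ip.src, ip.dst, tcp.window_size and tcp.flags.reset.

```python
"""Added example: apply the page's Wireshark-style filters in Python and
summarise which /24 subnets a capture actually contains, so a host
discovery scan can be limited to ranges in use (a defender can use the
same summary as an asset inventory check)."""
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("192.168.0.0/16")

# Constructed packet summaries (not a real capture).
PACKETS = [
    {"src": "192.168.1.10", "dst": "192.168.1.1", "window": 65535, "rst": False},
    {"src": "192.168.1.10", "dst": "93.184.216.34", "window": 0, "rst": False},   # leaves the LAN
    {"src": "192.168.5.7", "dst": "192.168.1.10", "window": 0, "rst": False},     # zero window
    {"src": "192.168.5.7", "dst": "192.168.1.10", "window": 0, "rst": True},      # zero window, but RST
    {"src": "10.0.3.4", "dst": "192.168.1.10", "window": 1024, "rst": False},     # other private range
    {"src": "192.168.5.9", "dst": "192.168.5.7", "window": 512, "rst": False},
]


def both_internal(pkt, net=INTERNAL):
    """Equivalent of: ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16"""
    return (ipaddress.ip_address(pkt["src"]) in net
            and ipaddress.ip_address(pkt["dst"]) in net)


def zero_window_not_reset(pkt):
    """Equivalent of: tcp.window_size == 0 && tcp.flags.reset != 1"""
    return pkt["window"] == 0 and not pkt["rst"]


def apply_filter(packets, predicate):
    """Keep only the packets a display-filter predicate accepts."""
    return [p for p in packets if predicate(p)]


def observed_subnets(packets, prefix=24):
    """Collapse every private source/destination address seen into /prefix
    networks, most frequent first. Public addresses are ignored."""
    counts = Counter()
    for p in packets:
        for key in ("src", "dst"):
            addr = ipaddress.ip_address(p[key])
            if addr.is_private:
                net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
                counts[str(net)] += 1
    return counts.most_common()


def hosts_to_probe(subnets):
    """Number of addresses a scan restricted to the observed subnets touches,
    for comparison with the 2^24 addresses of a full 10.0.0.0/8 sweep."""
    return sum(ipaddress.ip_network(n).num_addresses for n, _ in subnets)


if __name__ == "__main__":
    print("internal-only packets:", len(apply_filter(PACKETS, both_internal)))
    print("zero-window, not RST :", len(apply_filter(PACKETS, zero_window_not_reset)))
    subnets = observed_subnets(PACKETS)
    print("subnets in use       :", subnets)
    print("addresses to probe   :", hosts_to_probe(subnets), "instead of", 256 ** 3)
```

With the constructed list, four packets stay inside 192.168.0.0/16, two are zero-window segments that are not resets, and the capture collapses to three /24 networks (768 addresses to probe instead of 16777216).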

Layer 2 and Layer 3 Communication

  • Layer 3 Communication Necessities: Hosts are addressed by IP at layer 3, but within the same subnet frames are actually delivered by MAC address at layer 2.

  • To communicate outside the subnet, both IP and MAC gateway addresses are needed.

Address Resolution Protocol (ARP)

  • ARP Definition: ARP is utilized to resolve the hardware (MAC) address from an IP address. It operates by broadcasting an ARP request on the local network segment and listening for an ARP reply from the device with the targeted IP address.

  • ARP Table Management: Each device maintains an ARP table that helps in efficiently mapping IP addresses to MACs.

ARP Poisoning Techniques
  • ARP Poisoning Definition: A method wherein an attacker sends spoofed ARP messages to associate their MAC address with the IP of another host (e.g., gateway), effectively redirecting traffic to the attacker.

Mitigation Methods against ARP Poisoning
  • Dynamic ARP Inspection (DAI): A security feature intercepting ARP requests/responses and verifying their validity based on a trusted binding table populated through DHCP snooping.
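The ARP request/reply exchange described under Address Resolution Protocol, and the Dynamic ARP Inspection check described just above, as an added example that is not part of the lecture notes. It builds the two frames of a normal exchange as raw bytes, parses them back, and validates replies against a binding table of the kind DHCP snooping would populate. All MAC addresses, IP addresses and the binding table are constructed for the example; the third frame is a constructed sample of a reply that claims the gateway's IP with a different MAC, used only to show that the check rejects it.

```python
"""Added example: ARP frame construction/parsing and a DAI-style validator.
Addresses and the binding table are constructed, not taken from any real
network."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header (14 bytes) + ARP body (28 bytes). A request is
    broadcast; a reply is sent straight to the asking host's MAC."""
    eth_dst = BROADCAST if oper == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame into a dict of readable fields."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "oper": oper,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


# Constructed DHCP-snooping binding table: IP -> MAC the DHCP server leased.
BINDINGS = {
    "192.168.1.1": "00:11:22:33:44:01",    # gateway
    "192.168.1.10": "00:11:22:33:44:0a",   # workstation
    "192.168.1.20": "00:11:22:33:44:14",   # another host on the segment
}


def dai_check(frame, bindings=BINDINGS):
    """Dynamic ARP Inspection style validation for an ARP packet arriving on
    an untrusted port: the ARP sender MAC must equal the Ethernet source MAC,
    and the sender IP/MAC pair must match the binding table. Returns (ok, reason)."""
    a = parse_arp(frame)
    if a["sender_mac"] != a["eth_src"]:
        return False, "ARP sender MAC differs from Ethernet source MAC"
    expected = bindings.get(a["sender_ip"])
    if expected is None:
        return False, f"no binding for {a['sender_ip']}"
    if expected != a["sender_mac"]:
        return False, f"{a['sender_ip']} is bound to {expected}, not {a['sender_mac']}"
    return True, "ok"


# Normal exchange: the workstation asks who has 192.168.1.1, the gateway answers.
REQUEST = build_arp(ARP_REQUEST, "00:11:22:33:44:0a", "192.168.1.10",
                    "00:00:00:00:00:00", "192.168.1.1")
REPLY = build_arp(ARP_REPLY, "00:11:22:33:44:01", "192.168.1.1",
                  "00:11:22:33:44:0a", "192.168.1.10")
# Constructed sample of a spoofed reply: host .20's MAC claims the gateway IP.
SPOOFED = build_arp(ARP_REPLY, "00:11:22:33:44:14", "192.168.1.1",
                    "00:11:22:33:44:0a", "192.168.1.10")

if __name__ == "__main__":
    for name, frame in (("request", REQUEST), ("reply", REPLY), ("spoofed", SPOOFED)):
        print(name, parse_arp(frame), dai_check(frame))
```

The validator accepts the gateway's genuine reply and rejects the spoofed one because the binding table says 192.168.1.1 belongs to a different MAC; a switch with DAI enabled drops such a packet on an untrusted port, which is why the feature depends on a trustworthy binding table.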

DNS Poisoning

  • DNS Poisoning Overview: An attack method involving manipulation of DNS records or responses to redirect legitimate traffic to malicious destinations. On internal networks it is often combined with ARP poisoning: once the attacker sits between the victim and its resolver, the attacker can answer the victim's DNS queries with forged responses.

  • Modified responses redirect the victim's traffic to an attacker-controlled IP.

NetBIOS Overview

  • NetBIOS Definition: Provides services at the session layer of the OSI model, facilitating communication among networked applications (e.g., name service, datagram service, session service).

  • NetBIOS Services Include:

    • NetBIOS Name Service: Name lookup and registration over TCP 137.

    • NetBIOS Datagram Service: Connectionless message sending over UDP 138.

    • NetBIOS Session Service: Connection establishment allowing larger messages and providing error handling over TCP 139.

NetBIOS Vulnerabilities as of 2023

  • A comprehensive list of CVEs relating to NetBIOS vulnerabilities, such as:

    • CVE-2023-0854: Linux kernel overflow leading to unexpected reads.

    • CVE-2020-10745: Excessive CPU consumption in Samba's NetBIOS processing, leading to denial of service in affected Samba versions.

Server Message Block (SMB)

  • SMB Definition: Protocol used for shared file access, printer sharing, and inter-node communications.

  • Operates directly over TCP (TCP/445) or through NetBIOS (TCP 137/139, UDP 138).

  • Versions of SMB have evolved through the introduction of newer Windows operating systems.

SMB Vulnerabilities

  • Key CVEs including:

    • CVE-2017-0143: An exploitation vector found within older SMB protocol versions allowing for remote code execution, known as “EternalBlue”.

Active Directory (AD) Descriptions

  • AD Defined: A directory service that provides critical identity-related services and policies management within Windows domain networks, utilizing protocols such as LDAP and Kerberos.

Active Directory Attacks
  • Common attack methods against AD include:

    • LDAP reconnaissance

    • Local admin mapping

    • Privilege escalations.