After reading @chemaalonso‘s post about DHCP Ack Inyector, I remembered my college years back in 2005 when you just needed to go to the library, plug-in your laptop to the network and voilà, just “listening” network traffic you saw all those vulnerable or misconfigured protocols such as STP, HSRP, DTP, etc..

Not only that. There wasn’t any type of control over the information the users could send, and using tools such as Gobbler, dsniff, ettercap, yersinia, etc., you could perform any man-in-the-middle attack. The most interesting part was that the networking devices used for traffic management were almost entirely Cisco. I.e. devices fully able to control and mitigate virtually most of these attacks, but that were configured to perform basic networking functions: routing, VLANS, ACL, QoS, etc. Either because of ignorance or carelessness, they were not being taken the performance that actually justified his acquisition.

Over time I have realized that this situation is quite common: it is really hard to find a company with strict configuration policies to secure the local network environment. I personally think that many organizations are unaware of the damage that a disgruntled employee could do in a network “poorly controlled”. Without using any sophisticated tools like Loki or Yersinia, it is possible to bring down an entire network with just a couple of packets. Using Scapy, you can perform MitM using ARP / DHCP / VRRP / HSRP or without much effort even more entertaining things like getting a pool of shells with Metasploit browser_autopwn and etterfilters.

[Read more…]

During the post-exploitation phase of an intrusion, after getting a shell on a computer, one of the steps to gain access to other computers or networking devices is thru traffic sniffing. Just listening to the traffic passing through the machine, even in a switched environment, can provide us with very useful information about the network topology or the potential vulnerabilities that can we exploit later: NetBIOS names, users / passwords in clear ARP, CDP, DHCP, HSRP, VRRP, etc..

To listen the traffic from a shell, however, we must make use of external tools that we need to download and run on the compromised computer. A good choice is rawcap which allows packet capturing without relying on packet capture drivers as WinPcap (libpcap library for Windows used by many traffic analysis tools).

Another option is to use Meterpreter from where we can rely on capture modules without using the compromised machine harddisk. To do so, Meterpreter sniffer has the sniffer extension o the packetrecorder module by @Carlos_Perez aka Darkoperator. Both can be used to generate and save the pcap file locally with the captured traffic.

As an alternative to these two options, I have created a small module (rpcapd_start) that activates the service rpcapd in order to capture traffic remotely. It is not uncommon to find user computers, even Windows servers, with WinPcap installed. So, what better way to get traffic than using this service remotely? As an additional benefit we won’t depend on the meterpreter session because once activated, we can capture traffic with any software that supports rpcap.

The WinPcap installation will create a new service called rpcapd disabled by default.

The module will just activate rpcapd, specifying the port and the operating mode (active or passive). We may also choose whether or not we want authentication.

Since it is likely that the computer will be NATed behind a router or firewall, in practice, the most useful will be the active mode, where the compromised machine will be the one connecting to us.

After starting the service and in the case of using a passive connection (as in the example) a new rule will be added in the Windows Firewall under the name “Windows Service” to allow incoming traffic.

Then we can connect to the machine from any tool that supports rpcap and start capturing traffic.

The module is already included in Metasploit so you just need to update it so simply for download.