Skip to content

Latest commit

 

History

History
125 lines (78 loc) · 2.84 KB

7.Network-Based Attacks.md

File metadata and controls

125 lines (78 loc) · 2.84 KB

BPM Circuits

eJPT-CheatSheets
Bartosz Pokrywka

Usefull info and commands for eJPT cert exam

Network Based Attacks

Network Services

  • ARP
  • DHCP
  • SMB
  • FTP
  • Telnet
  • SSH

Tshark

The CLI version of Wireshark is good for target specific use. Good for automation.

Protocol Hierarchy Statistic:

-z io,phs -q

Filtering Basics

Display filter:

  • -Y

Examples of filters names:

  • ip.src == IP && ip.dest == IP
  • http
  • http.request.method == GET

Set the format of the output when viewing decoded packet data:

  • -T

fields The values of fields specified with the -e option, in a form specified by the -E option:

Examples:

> -Y 'http.request.method == GET' -T fields -e frame.time -e ip.src -e http.request.full_uri

Plain text passwords in http:

> -Y 'http contains password'

If you want to find something specific to the site:

> -Y 'http.request.method == GET && http.host == www.nytimes.com' -T fields -e ip.dst

Http Cookie:

> -Y 'ip contains amazon.in && ip.src == IP' -T fields -e ip.src -e http.cookie

What browser user utilize:

> -Y 'ip.src == IP && http' -T fields -e http.user_agent

Arp Poisoning

Enable IP forwarding (your machine then works as a gateway):

> echo 1 > /proc/sys/net/ipv4/ip_forward

arpspoof:

arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host

  • -i interface

  • -t target

  • -r poison both hosts (in conjuntion with -t)

      > arpspoof -i interface -t targetIP -r hostIP

WiFi Traffic Analysis

Use wireshark...

Filtering WiFi

Wireshark filters:

  • wlan.fc.type_subtype == 0x0008 (beacon frame)
  • wlan.wfa.ie.wpa.version == 1 (WPA ver. 1)
  • wlan.tag.number==48 (enterprise network tag)
  • wlan.ta == macaddress (how many packets are transmitted)
  • wlan.ra == macaddress (how many packets are received)
  • wlan.bssid (mac address of device)
  • wlan.fc.type_subtype == 0x0020 (what mac addresses are talking with each other)
  • wlan.fc.type_subtype == 0x0001 (association response)

tshark:

> -Y 'wlan'

> -Y 'wlan.fc.type_subtype == 0x000c' (deauth packets)

> -Y 'eapol' (handshake packets)

> -Y 'wlan.fc.type_subtype == 8' -T fields -e wlan.ssid -e wlan.bssid (show only ssid and bssid)

> -Y 'wlan.ssid==WiFI_Name' -T fields -e wlan.bssid

> -Y 'wlan.ssid==WiFI_Name' -T fields -e wlan_radio.channel

> -Y 'wlan.ta==macaddress && http' -T fields -e http.user_agent (look for the user agent)