Network Exploitation and Monitoring

(For more resources related to this topic, see here.)

Man-in-the-middle attacks

Using ARP abuse, we can actually perform more elaborate man-in-the-middle (MITM)-style attacks building on the ability to abuse address resolution and host identification schemes. This section will focus on the methods you can use to do just that.

MITM attacks are aimed at fooling two entities on a given network into communicating by the proxy of an unauthorized third party, or allowing a third party to access information in transit, being communicated between two entities on a network. For instance, when a victim connects to a service on the local network or on a remote network, a man-in-the-middle attack will give you as an attacker the ability to eavesdrop on or even augment the communication happening between the victim and its service. By service, we could mean a web (HTTP), FTP, RDP service, or really anything that doesn't have the inherent means to defend itself against MITM attacks, which turns out to be quite a lot of the services we use today!

Ettercap DNS spoofing

Ettercap is a tool that facilitates a simple command line and graphical interface to perform MITM attacks using a variety of techniques. In this section, we will be focusing on applications of ARP spoofing attacks, namely DNS spoofing.

You can set up a DNS spoofing attack with ettercap by performing the following steps:

  1. Before we get ettercap up and running, we need to modify the file that holds the DNS records for our soon-to-be-spoofed DNS server. This file is found under /usr/share/ettercap/etter.dns. What you need to do is either add DNS name and IP addresses or modify the ones currently in the file by replacing all the IPs with yours, if you'd like to act as the intercepting host.
  2. Now that our DNS server records are set up, we can invoke ettercap. Invoking ettercap is pretty straightforward; here's the usage specification:

    ettercap [OPTIONS] [TARGET1] [TARGET2]

  3. To perform a MITM attack using ettercap, you need to supply the –M switch and pass it an argument indicating the MITM method you'd like to use. In addition, you will also need to specify that you'd like to use the DNS spoofing plugin. Here's what the invocation will look like:

    ettercap –M arp:remote –P dns_spoof [TARGET1] [TARGET2]

    Where TARGET1 and TARGET2 is the host you want to intercept and either the default gateway or DNS server, interchangeably.

  4. To target the host at address with a default gateway of, you will invoke the following command:

    ettercap –M arp:remote –P dns_spoof /

Once launched, ettercap will begin poisoning the ARP tables of the specified hosts and listen for any DNS requests to the domains it's configured to resolve.

Interrogating servers

For any network device to participate in communication, certain information needs to be accessible to it, no device will be able to look up a domain name or find an IP address without the participation of devices in charge of certain information. In this section, we will detail some techniques you can use to interrogate common network components for sensitive information about your target network and the hosts on it.

SNMP interrogation

The Simple Network Management Protocol (SNMP) is used by routers and other network components in order to support remote monitoring of things such as bandwidth, CPU/Memory usage, hard disk space usage, logged on users, running processes, and a number of other incredibly sensitive collections of information. Naturally, any penetration tester with an exposed SNMP service on their target network will need to know how to proliferate any potentially useful information from it.

About SNMP Security

SNMP services before Version 3 are not designed with security in mind. Authentication to these services often comes in the form a simple string of characters called a community string. Another common implementation flaw that is inherent to SNMP Version 1 and 2 is the ability to brute-force and eavesdrop on communication.

To enumerate SNMP servers for information using the Kali Linux tools, you could resort to a number of techniques. The most obvious one will be snmpwalk, and you can use it by using the following command:

snmpwalk –v [1 | 2c | 3 ] –c [community string] [target host]

For example, let's say we were targeting with a community string of public, which is a common community string setting; you will then invoke the following command to get information from the SNMP service:

snmpwalk –v 1 –c public

Here, we opted to use SNMP Version 1, hence the –v 1 in the invocation for the preceding command. The output will look something like the following screenshot:

As you can see, this actually extracts some pretty detailed information about the targeted host. Whether this is a critical vulnerability or not will depend on which kind of information is exposed.

On Microsoft Windows machines and some popular router operating systems, SNMP services could expose user credentials and even allow remote attackers to augment them maliciously, should they have write access to the SNMP database. Exploiting SNMP successfully is often strongly depended on the device implementing the service. You could imagine that for routers, your target will probably be the routing table or the user accounts on the device. For other host types, the attack surface may be quite different. Try to assess the risk of SNMP-based flaws and information leaks with respect to its host and possibly the wider network it's hosted on. Don't forget that SNMP is all about sharing information, information that other hosts on your network probably trust. Think about the kind of information accessible and what you will be able to do with it should you have the ability to influence it. If you can attack the host, attack the hosts that trust it.

Another collection of tools is really great at collecting information from SNMP services: the snmp_enum, snmp_login, and similar scripts available in the Metasploit Framework. The snmp_enum script pretty much does exactly what snmpwalk does except it structures the extracted information in a friendlier format. This makes it easier to understand. Here's an example:

msfcli auxiliary/scanner/snmp/snmp_enum [OPTIONS] [MODE]

The options available for this module are shown in the following screenshot:

Here's an example invocation against the host in our running example:

msfcli auxiliary/scanner/snmp/snmp_enum RHOSTS=

The preceding command produces the following output:

You will notice that we didn't specify the community string in the invocation. This is because the module assumes a default of public. You can specify a different one using the COMMUNITY parameter.

In other situations, you may not always be lucky enough to preemptively know the community string being used. However, luckily SNMP Version 1, 2, 2c, and 3c do not inherently have any protection against brute-force attacks, nor do any of them use any form of network based encryption. In the case of SNMP Version 1 and 2c, you could use a nifty Metasploit module called snmp-login that will run through a list of possible community strings and determine the level of access the enumerated strings gives you. You can use it by running the following command:

msfcli auxiliary/scanner/snmp/snmp_login RHOSTS=

The preceding command produces the following output:

As seen in the preceding screenshot, once the run is complete it will list the enumerated strings along with the level of access granted.

The snmp_login module uses a static list of possible strings to do its enumeration by default, but you could also run this module on some of the password lists that ship with Kali Linux, as follows:

msfcli auxiliary/scanner/snmp/snmp_login PASS_FILE=/usr/share/wordlists/ rockyou.txt RHOSTS=

This will use the rockyou.txt wordlist to look for strings to guess with.

Because all of these Metasploit modules are command line-driven, you can of course combine them. For instance, if you'd like to brute-force a host for the SNMP community strings and then run the enumeration module on the strings it finds, you can do this by crafting a bash script as shown in the following example:

#!/bin/bash if [ $# != 1 ] then echo "USAGE: . snmp [HOST]" exit 1 fi TARGET=$1 echo "[*] Running SNMP enumeration on '$TARGET'" for comm_string in \ `msfcli auxiliary/scanner/snmp/snmp_login RHOSTS=$TARGET E 2> /dev/null\ | awk -F\' '/access with community/ { print $2 }'`; do echo "[*] found community string '$comm_string' ...running enumeration"; msfcli auxiliary/scanner/snmp/snmp_enum RHOSTS=$TARGET COMMUNITY=$comm_string E 2> /dev/null; done

The following command shows you how to use it:


In our running example, it is used as follows:


Other than guessing or brute-forcing SNMP community strings, you could also use TCPDump to filter out any packets that could contain unencrypted SNMP authentication information. Here's a useful example:

tcpdump udp port 161 –i eth0 –vvv –A

The preceding command will produce the following output:

Without going too much into detail about the SNMP packet structure, looking through the printable strings captured, it's usually pretty easy to see the community string. You may also want to look at building a more comprehensive packet-capturing tool using something such as Scapy, which is available in Kali Linux versions.

SMTP server interrogation

SMTP servers are used to forward e-mail, and they operate a simple text-based protocol. Because these machines exist on operating systems with users accounts defined on them and due to the way some of them are configured to handle falsified e-mail recipients, you can often abuse the way e-mail address verification or look ups work to enumerate the list of user accounts on the host operating system. Kali has a great command-line tool called smtp-user-enum to do this. Here's how it works:

smtp-user-enum [-hvd] [-M EXPN | VRFY | RCPT] [-u username | -U USER_FILE]
[-t host | -T HOST_FILE] [-p PORT]

The components of the previous command line are explained as follows:

  • -M: This is the enumeration method. This is the command that will be used to determine whether a user actually exists on the targeted server.
  • -u: This is used to specify a single username to check for.
  • -U: This is used to specify a list of usernames to check for.
  • -t: This is used to specify a single host to target with the enumeration attack.
  • -T: This allows you to specify a HOST_FILE, which is a list of hosts to target with the attack.
  • -h: This specifies the help file of output.
  • –v: This specifies the verbosity of output.

To use smtp-user-enum effectively, you need a pretty comprehensive username list. There are tons of them on the web; for our purposes, we will simply grab the /etc/passwd, pull it through awk, and use the list of users on our host system to guess with. This is also a great way to fingerprint operating systems similar to your own. It is done by performing the following steps:

  1. Strip out the usernames as follows:

    cat /etc/passwd | awk –F\: '{ print $1}' > users_list.txt

  2. Target the smtp server with the enum attack:

    smtp-user-enum –t [HOST] –U ./users_list.txt

smtp-user-enum will then use the VRFY command to determine whether the users exist on your target. You could also specify other methods for enumeration as follows:

smtp-user-enum –t [HOST] –U ./users_list.txt –M EXPN smtp-user-enum –t [HOST] –U ./users_list.txt –M RCPT

That's about it as far as SMTP enumeration goes; from here on out, you should record the usernames you enumerate and replay them the next time you need to run an SMTP username enumeration attack.

Automated web application security assessment

Web applications are incredibly complex pieces of technology, and they become more complex every day. It's not hard to imagine that penetration testing these big, heavy, and often very sneaky applications can be quite a cumbersome task. Luckily, a considerable portion of the work that goes into web application security assessment can be automated. I say "portion" because there are attack surfaces for web applications that have not seen much successful automation, that is, XSS requiring user interaction, customized encryption flaws, and business logic flaws. It is never safe to assume you have a good grip of web application security if all you've done is run a scanner! That being said, tasks such as crawling, fuzzing headers, picking up authentication forms, and other simple repetitive tasks have been automated in web application scanners very well. In this section, we will look at a small selection of the command line-driven tools available in Kali Linux to automate web application security assessment.

Scanning with SkipFish

SkipFish is a tool both used and created by some of the folks who work at Google. SkipFish as with most of the tools in its field simply crawls a web application and passes each page it picks up through a detection engine in an effort to analyze the page for common flaws and wrong configurations. SkipFish reports its output in the form of an interactive web page. Let's get a look at how one uses SkipFish and some of the functionalities it supports.

To launch SkipFish, you will need two essential things: a word list and a directory to store its results. Perform the following steps to get it working:

  1. Prepare an output directory for SkipFish by using the following command:

    mkdir skipfish-ouput/

  2. Grab a sample word list for SkipFish to work with by using the following command:

    cp /usr/share/skipfish/dictionaries/medium.wl .

    Here, we are using the medium dictionary. This is merely a demonstration; feel free to try some of the other dictionaries in the mentioned folder.

  3. Make sure the directory is not marked as read-only; you'll need to remove the very first line of this file since it's shipped with SkipFish as read only. You'll need to remove the line that looks like the following:

    # ro

  4. You can now launch SkipFish by executing the following command:

    skipfish –W medium –o skipfish-out/

The whole process will look like the following screenshot when executed on the Kali Linux command line:

When it's done running, SkipFish will present you with the following screenshot:

If this is the very first time you're running SkipFish, you could abort it preemptively, since it will automatically report all the results collected this far. You can do this by pressing Ctrl + C.

When SkipFish is done running, it will present you with an index.html file in the directory you created for its output. This file contains the report. A SkipFish report looks like the following screenshot when opened in Iceweasel, the default browser for Kali Linux:

SkipFish supports a number of other invocation options, some of which control how word lists are treated; others control how aggressive SkipFish is during testing.

Scanning with Arachni

Arachni is another great command line-driven web application scanning tool available in Kali Linux. It comes with a range of modules and plugins allowing its users to assess a mosaic of web application security focus areas. To launch Arachni in its default mode, you have to invoke the following command:

arachni –u [URL]

For instance, if you'd like to target with an Arachni scan, you will issue the following command:

arachni –u

This will load all the scanning modules and have Arachni target all possible attack surfaces for the specified web application. You can also focus Arachni on a given type of scanning. For instance, to run detection for XSS vulnerabilities only, you will specify the following command:

arachni –u [URL] –mods=xss_*

To load all the audit modules, use the following command:

arachni –u [URL] –mods=audit*

You can list the available modules by using the –-lsmod command line option. This option takes a regular expression as an argument and looks up all the modules whose names produce a match, Arachni then displays some basic information about them. Arachni also supports a reporting framework that allows you to generate neatly formatted reports about the issues it finds. You can use it by typing the following command:

arahni –u [URL] –-report=[FORMAT]:[FILENAME]

Where [FORMAT] is the document format you'd like to report in and FILENAME is the filename the report is to be saved under. FORMAT could be either HTML, .txt, or many others.

Here's an example that generates an HTML report:

arachni –u –-report:html:privatebankloads.html

As with many of the command-line arguments, you can specify more than one report format. This will cause multiple reports to be generated, as specified in the following commands:

arachni –u –-report:html:privatebankloads.html –-report:json:privatebankloads.html

Arachni supports a range arguments that control other aspects of its operation.


In this article, we performed full MITM attacks that allow us to intercept traffic and spoof DNS servers. We covered techniques that target SMTP and SNMP services on a local network. We also saw the usage of a tool called snmpwalk as well as the Metasploit modules snmp-enum and snmp-login, which were used to brute-force SNMP authentication. In the end, we learned to use two very powerful web application scanning tools, namely SkipFish and Arachni.

Resources for Article:

Further resources on this subject:

You've been reading an excerpt of:

Penetration Testing with the Bash shell

Explore Title