Tuesday, April 14, 2020

Eavesarp - Analyze ARP Requests To Identify Intercommunicating Hosts And Stale Network Address Configurations (SNACs)


A reconnaissance tool that analyzes ARP requests to identify hosts that are likely communicating with one another, which is useful in those dreaded situations where LLMNR/NBNS aren't in use for name resolution.

Requirements/Installation
This is only gon' work on Kali or other Debian-based Linux distributions.
eavesarp requires Python 3.7 and Scapy. After installing Python, run the following to install Scapy:
python3.7 -m pip install -r requirements.txt

General Usage

Capturing ARP Requests
Notes:
  • eavesarp requires root privileges to sniff from the interface and craft ARP packets.
  • Captured output is automatically written to disk under the name eavesarp.db to prevent having to recapture ARP requests.

Passive Execution
The most basic form of execution is:
sudo ./eavesarp.py capture -i eth1
This starts eavesarp so that ARP requests are captured and analyzed, and the relevant output is presented to the user in a table. Use --help for additional information on non-standard arguments. Note that in this mode the Stale column shows [UNCONFIRMED] for a target until an ARP request originating from that target (as a sender) has been observed. Enable ARP resolution via the -ar flag to determine whether a given target address has gone stale.
 ___ ___ __  _____ ___ ___ ________
/ -_) _ `/ |/ / -_|_-</ _ `/ __/ _ \
\__/\_,_/|___/\__/___/\_,_/_/ / .__/
-----------------------------/ /---
[LISTEN CAREFULLY] /_/

Capture interface: eth1
ARP resolution: disabled
DNS resolution: disabled
Requests analyzed: 65

SNAC    Sender         Target            ARP#  Stale
------  -------------  --------------  ------  -------------
        192.168.86.5   192.168.86.101      29  [UNCONFIRMED]
                       192.168.86.3         1
        192.168.86.3   192.168.86.37       25  [UNCONFIRMED]
                       192.168.86.38        7  [UNCONFIRMED]
                       192.168.86.5         1
                       192.168.86.99        1
        192.168.86.99  192.168.86.3         1
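
The passive bookkeeping described above, as an added example (not eavesarp's own code): it parses raw Ethernet/ARP request frames, counts each sender-to-target pair, and marks a target [UNCONFIRMED] until that address has itself been seen as a sender. The helper names and the sample frames are constructed for illustration, and skipping gratuitous ARP is this example's choice.

```python
import socket
import struct
from collections import Counter

ARP_REQUEST = 1
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def make_arp_request(sender_ip, target_ip, mac=b"\x02\x00\x00\x00\x00\x01"):
    """Build a constructed Ethernet + ARP who-has frame (sample input only)."""
    eth = b"\xff" * 6 + mac + b"\x08\x06"
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST, mac,
                      socket.inet_aton(sender_ip), b"\x00" * 6,
                      socket.inet_aton(target_ip))
    return eth + arp

def parse_arp_request(frame):
    """Return (sender_ip, target_ip) for an IPv4 ARP request, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper, _sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    return socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def tally(frames):
    """Rows of (sender, target, count, stale), busiest pair first."""
    counts = Counter()
    for frame in frames:
        pair = parse_arp_request(frame)
        if pair and pair[0] != pair[1]:  # skip gratuitous ARP (sender == target)
            counts[pair] += 1
    senders = {sender for sender, _ in counts}
    return [(s, t, n, "" if t in senders else "[UNCONFIRMED]")
            for (s, t), n in sorted(counts.items(), key=lambda kv: -kv[1])]

# Constructed sample capture: .5 asks for .101 and .3, .3 asks for .37.
FRAMES = ([make_arp_request("192.168.86.5", "192.168.86.101")] * 3
          + [make_arp_request("192.168.86.5", "192.168.86.3")]
          + [make_arp_request("192.168.86.3", "192.168.86.37")] * 2)

if __name__ == "__main__":
    for row in tally(FRAMES):
        print("%-14s %-15s %4d  %s" % row)
```

As in the table above, 192.168.86.3 carries no [UNCONFIRMED] marker because it has been seen sending its own requests.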

Active Execution (ARP Resolution, DNS Resolution)
Enable ARP and DNS resolution by including the -ar and -dr flags. Keep in mind that this makes the tool non-passive, but the advantage is that DNS records, MAC addresses, and confirmation of SNAC status are returned.
sudo ./eavesarp.py capture -i eth1 -ar -dr --blacklist 192.168.86.5
The output below shows which senders are affected by one or more SNACs, along with the affected addresses. The final column indicates whether a potential MITM opportunity is present. eavesarp checks whether the FWD address of the PTR resolved for a given sender's stale target differs from the target IP (reported as T-IP != PTR-FWD). If so, it may be an indicator that the intended target has moved to the new FWD address. Applying an alias to the interface of our attacking host may allow us to forward the traffic to the intended target and capture information in transit.
 ___ ___ __  _____ ___ ___ ________
/ -_) _ `/ |/ / -_|_-</ _ `/ __/ _ \
\__/\_,_/|___/\__/___/\_,_/_/ / .__/
-----------------------------/ /---
[LISTEN CAREFULLY] /_/

Capture interface: eth1
ARP resolution: enabled
DNS resolution: enabled
Requests analyzed: 55

SNAC    Sender         Target            ARP#  Stale    Sender PTR      Target PTR        MITM
------  -------------  --------------  ------  -------  --------------  ----------------  ---------------------------------------------
True    192.168.86.2   192.168.86.101      21  True     iron.aa.local.  syslog.aa.local.  T-IP:192.168.86.101 != PTR-FWD:192.168.86.102
True    192.168.86.3   192.168.86.38       17  True     crux.aa.local.
                       192.168.86.37       15  True
                       192.168.86.99        1                           w10.aa.local.
        192.168.86.99  192.168.86.3         1           w10.aa.local.   crux.aa.local.

Analyzing PCAP Files and SQLite Databases (generated by eavesarp)
eavesarp can accept SQLite databases and PCAP files for analysis. It will output the extracted values to a new database file for further analysis. See the --help flag for more information on this process; basic execution is demonstrated below.
sudo ./eavesarp.py analyze -sfs eavesarp.db  -cp disable --blacklist 192.168.86.5 --csv-output-file eavesarp_analysis.db
SNAC    Sender         Target            ARP#  Stale    Sender PTR      Target PTR        MITM
------  -------------  --------------  ------  -------  --------------  ----------------  ---------------------------------------------
True    192.168.86.2   192.168.86.101      21  True     iron.aa.local.  syslog.aa.local.  T-IP:192.168.86.101 != PTR-FWD:192.168.86.102
True    192.168.86.3   192.168.86.38       17  True     crux.aa.local.
                       192.168.86.37       15  True
                       192.168.86.99        1                           w10.aa.local.
        192.168.86.99  192.168.86.3         1           w10.aa.local.   crux.aa.local.
- Writing csv output to eavesarp_analysis.db
...and the CSV output looks like...
arp_count,sender,sender_mac,target,target_mac,stale,sender_ptr,target_ptr,target_forward,mitm_op,snac
21,192.168.86.2,74:d4:35:1a:b5:fb,192.168.86.101,[STALE TARGET],True,iron.aa.local.,syslog.aa.local.,192.168.86.102,T-IP:192.168.86.101 != PTR-FWD:192.168.86.102,True
17,192.168.86.3,b8:27:eb:a9:5c:8f,192.168.86.38,[STALE TARGET],True,crux.aa.local.,,,False,True
15,192.168.86.3,b8:27:eb:a9:5c:8f,192.168.86.37,[STALE TARGET],True,crux.aa.local.,,,False,True
1,192.168.86.99,08:00:27:22:49:c5,192.168.86.3,b8:27:eb:a9:5c:8f,False,w10.aa.local.,crux.aa.local.,192.168.86.3,False,False
1,192.168.86.3,b8:27:eb:a9:5c:8f,192.168.86.99,08:00:27:22:49:c5,False,crux.aa.local.,w10.aa.local.,192.168.86.99,False,True
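
To turn that CSV into a cleanup list, here is an added example (not part of eavesarp) that reads the columns shown above and emits one finding per stale target, separating plain stale references from cases where the PTR name now resolves to a different address. The sample rows are copied from the output above; the issue labels and suggested actions are this example's own wording.

```python
import csv
import io

# Rows copied from the sample CSV output shown above.
SAMPLE_CSV = """\
arp_count,sender,sender_mac,target,target_mac,stale,sender_ptr,target_ptr,target_forward,mitm_op,snac
21,192.168.86.2,74:d4:35:1a:b5:fb,192.168.86.101,[STALE TARGET],True,iron.aa.local.,syslog.aa.local.,192.168.86.102,T-IP:192.168.86.101 != PTR-FWD:192.168.86.102,True
17,192.168.86.3,b8:27:eb:a9:5c:8f,192.168.86.38,[STALE TARGET],True,crux.aa.local.,,,False,True
15,192.168.86.3,b8:27:eb:a9:5c:8f,192.168.86.37,[STALE TARGET],True,crux.aa.local.,,,False,True
1,192.168.86.99,08:00:27:22:49:c5,192.168.86.3,b8:27:eb:a9:5c:8f,False,w10.aa.local.,crux.aa.local.,192.168.86.3,False,False
1,192.168.86.3,b8:27:eb:a9:5c:8f,192.168.86.99,08:00:27:22:49:c5,False,crux.aa.local.,w10.aa.local.,192.168.86.99,False,True
"""

REQUIRED = {"arp_count", "sender", "target", "stale", "target_forward"}

def triage(csv_text):
    """Return one cleanup finding per stale target, busiest first."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        raise ValueError("missing columns: %s" % ", ".join(sorted(missing)))
    findings = []
    for row in reader:
        if row["stale"] != "True":
            continue  # the target answered ARP, nothing to clean up
        fwd = row["target_forward"]
        drift = bool(fwd) and fwd != row["target"]
        findings.append({
            "sender": row["sender"],
            "target": row["target"],
            "arp_count": int(row["arp_count"]),
            "issue": "dns-drift" if drift else "stale-target",
            # Where the PTR name resolves now, i.e. the likely new address.
            "moved_to": fwd if drift else None,
            # Suggested action is this example's wording, not eavesarp output.
            "action": ("update %s to use %s and delete the PTR for %s"
                       % (row["sender"], fwd, row["target"]) if drift else
                       "remove references to %s on %s"
                       % (row["target"], row["sender"])),
        })
    return sorted(findings, key=lambda f: -f["arp_count"])

if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f["arp_count"], f["issue"], f["action"])
```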




via KitPloit
