fake_router6

Create a rogue IPv6 router in one simple step with fake_router6

fake_router6 is a tool from the THC-IPv6 toolkit bundled with Kali Linux, used to test exploitable weaknesses and protocol complexity in IPv6 and ICMPv6. As the name suggests, it’s from The Hacker’s Choice. Before we begin the attack, let’s get under the hood for a minute. In IPv4 you know “ARP”; in IPv6 it is replaced by ND, Neighbor Discovery. ND combines the functionality of ARP, ICMP, ICMP Redirect and router discovery found in IPv4. ND also has several other advantages and additional functions, such as discovering neighbouring devices and hosts, mapping them to their layer 2 (link layer) addresses, advertising the presence of a host or router, etc. There are basically 5 types of ND messages:

  • Router Solicitation (ICMPv6 type 133)
  • Router Advertisement (ICMPv6 type 134)
  • Neighbor Solicitation (ICMPv6 type 135)
  • Neighbor Advertisement (ICMPv6 type 136)
  • Redirect (ICMPv6 type 137)

Here we focus on the second one, Router Advertisement. An IPv6 router sends RA packets at irregular intervals to the multicast address, carrying link layer information: the link layer address of the router, the network prefix, the MTU etc. that a host needs. When a client host enters the network, it receives this RA packet, connects to the corresponding router and gets an IPv6 address within the advertised range.

fake_router6 sends out Router Advertisement packets with the highest router priority. So even if other IPv6 routers are present in the network, new clients attach to the rogue router that fake_router6 creates.
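To see what such an RA looks like on the wire, and how a defender would spot one, here is an added Python example written for this page (it is not part of THC-IPv6 or the original post). It parses the ICMPv6 Router Advertisement body: the Prf router-preference bits from RFC 4191 that a “highest priority” RA sets to high, the Source Link-Layer Address option and the Prefix Information option, and then checks each RA against an allow-list of known routers. The known-router table, the MAC addresses and the two sample RAs (one legitimate, one shaped like fake_router6’s output with the tutorial’s bad::/64 prefix) are constructed; build_ra only produces bytes for the parser and sends nothing.

```python
import ipaddress
import struct

# Router preference (Prf, RFC 4191) lives in bits 4-3 of the RA flags byte.
PRF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}


def parse_ra(icmpv6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134) message body.
    Returns the fixed fields plus the Source Link-Layer Address (option 1)
    and every Prefix Information option (option 3)."""
    if len(icmpv6) < 16 or icmpv6[0] != 134:
        raise ValueError("not a Router Advertisement")
    (_type, _code, _csum, hop_limit, flags,
     router_lifetime, _reach, _retrans) = struct.unpack("!BBHBBHII", icmpv6[:16])
    ra = {"hop_limit": hop_limit, "preference": PRF_NAMES[(flags >> 3) & 0b11],
          "router_lifetime": router_lifetime, "src_mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(icmpv6):
        otype, olen = icmpv6[off], icmpv6[off + 1]
        if olen == 0:                       # RFC 4861: zero-length options are invalid
            raise ValueError("zero-length ND option")
        end = off + olen * 8
        if end > len(icmpv6):
            raise ValueError("truncated ND option")
        body = icmpv6[off + 2:end]
        if otype == 1 and olen == 1:        # Source Link-Layer Address (6-byte MAC)
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == 3 and olen == 4:      # Prefix Information
            plen, pflags, valid, _pref = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "autonomous": bool(pflags & 0x40),
                                   "valid_lifetime": valid})
        off = end                           # unknown options are skipped, not rejected
    return ra


def assess_ra(src_ip: str, ra: dict, known_routers: dict) -> list:
    """Findings for one RA. known_routers maps a legitimate router's link-local
    address to the set of prefixes it may advertise (the allow-list)."""
    findings = []
    allowed = known_routers.get(src_ip)
    if allowed is None:
        findings.append(f"RA from unknown router {src_ip} (MAC {ra['src_mac']})")
        if ra["preference"] == "high":
            findings.append("high router preference: hosts will prefer it as default router")
    for p in ra["prefixes"]:
        if p["prefix"] not in (allowed or set()):
            findings.append(f"unexpected prefix {p['prefix']} from {src_ip}")
    return findings


def build_ra(mac: bytes, prefix: str, prf: int, lifetime: int = 1800) -> bytes:
    """Build a test RA body (checksum left 0; used only to feed the parser)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, (prf & 0b11) << 3, lifetime, 0, 0)
    sll = bytes([1, 1]) + mac
    pio = (bytes([3, 4, net.prefixlen, 0xC0])          # L and A flags set
           + struct.pack("!II", 86400, 14400) + b"\0" * 4
           + net.network_address.packed)
    return hdr + sll + pio


# Constructed allow-list: one legitimate router and the prefix it may announce.
KNOWN_ROUTERS = {"fe80::1": {"2001:db8:1::/64"}}

# Constructed sample traffic: the legitimate router, then an RA shaped like
# fake_router6's (high preference, the tutorial's bad::/64 prefix).
SAMPLES = [
    ("fe80::1", build_ra(bytes.fromhex("001122334455"), "2001:db8:1::/64", 0b00)),
    ("fe80::dead:beef", build_ra(bytes.fromhex("66778899aabb"), "bad::/64", 0b01)),
]


def scan(samples=SAMPLES, known=KNOWN_ROUTERS) -> dict:
    """Map each RA source to its list of findings (empty list = clean)."""
    return {src: assess_ra(src, parse_ra(pkt), known) for src, pkt in samples}


if __name__ == "__main__":
    for src, findings in scan().items():
        print(src, "OK" if not findings else "; ".join(findings))
```

On a real segment you would feed parse_ra the ICMPv6 payload captured from a raw socket or a pcap instead of the constructed samples. The network-level fix is RA Guard (RFC 6105) on access switch ports; monitoring of this kind is the backstop where RA Guard is not available.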

Home Page: https://www.thc.org/thc-ipv6/

References: http://tools.kali.org/information-gathering/thc-ipv6

http://computernetworkingnotes.com/ipv6-features-concepts-and-configurations/ipv6-neighbor-discovery.html

https://technet.microsoft.com/en-in/library/cc781672%28v=ws.10%29.aspx

Let’s see it in action

Note: This tutorial was written when Kali 1.0.9 was the latest release. In newer versions (Kali Sana and Kali Rolling) the commands have been renamed to atk6-<tool>. For example, fake_router6 becomes atk6-fake_router6 in the newer versions.

Options

Syntax: fake_router6 [-HFD] interface network-address/prefix-length [dns-server [router-ip-link-local [mtu [mac-address]]]]
-H adds a hop-by-hop header
-F adds a fragmentation header
-D adds a destination options header

Lab: Advertise a fake router in the network

NOTE: This can cause a DoS on the network, so use it wisely. Only use it with permission or on a test network.

Launch the attack with a single one-line command.

Command: fake_router6 eth0 bad::00/64 (replace eth0 with your interface and bad::00/64 with your fake network)
[Figure: Command]

Now I am going to turn on a Windows Server 2012 VM which I have. Instead, you can try with any machine that supports IPv6.

After that, open cmd & issue

Command: ipconfig
[Figure: New clients being affected]

Now let’s try on a RHEL 7 server.

After booting up the system, open a terminal and issue

Command: ifconfig

If it’s version 7 (CentOS/RHEL 7), you can also try

nmcli con show <name> | grep bad   (replace bad with your network prefix)
[Figure: Fake address on a Red Hat server on an interface with auto-configuration]


And amazingly, my live system running Windows 8.1 with all updates also got an address from the rogue network even though I didn’t restart the network.

[Figure: Real machines being affected]

Hope you liked this tutorial. Remember! Be a WhiteHat/GreyHat, don’t be a script kiddie. Also remember to subscribe, comment and follow.

Johnny

Lab 2: Test the password complexity of a Windows system, cracking Windows hashes using Johnny

When cracking Windows passwords, if LM hashing is not disabled, two hashes are stored in the SAM database. SAM is the Security Accounts Manager; it stores the LM and NTLM hashes in an encrypted form. So first we have to decrypt and dump the hashes into a file. The other Kali Linux tools for this are described elsewhere in the series; check out the tool “samdump2” for decrypting and dumping the SAM. For this lab we have a dumped file named “hashes” containing the LM and NTLM hashes.

The first is the LM hash (relatively easy to crack because of design flaws, but often stored for backwards compatibility).

The second is the NTLM hash, which can be more difficult to crack (when used with strong passwords).

Step 1: Load the hashes file into Johnny.

[Figure: Loading the LM hash]

Step 2: Select LM as format in the options tab.

[Figure: Selecting the format]

Step 3: Start the attack and look for results.

[Figure: Passwords shown]

This lab and the previous one on Johnny can be really time consuming and processor intensive. It could take up to a millennium to break a password by brute forcing it. So sometimes (in fact most of the time) we use a word-list attack, in which a word-list is supplied to crack the password.

If you want to know what is happening under the hood, read on.

Brute-forcing is simply a method of trying all combinations in a particular key space. Suppose we have a suitcase with a 3-digit number lock and you have forgotten the unlock code. You can’t figure out what it was, so what do you do? You simply try all 3-digit combinations from 000 to 999. Think about how much time that would take to crack the code. The same happens in brute-forcing: programs and scripts analyze the type of cryptographic algorithm used, calculate the keyspace and run through all values inside it.

There is also the word-list attack. In this, a wordlist containing commonly used passwords is supplied to the attack. The program (here, john) first finds out the hashing/encryption technique used for the supplied hash. Then it calculates the corresponding hash of each word in the supplied list and compares it with the hash that needs to be cracked. We will do a couple of wordlist attacks in later tutorials. This is also known as a “Dictionary Attack”.
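What john does under the hood, as an added Python example written for this page (it is not John the Ripper’s or Johnny’s own code): NT hashes are unsalted MD4 over the UTF-16LE password, so a wordlist attack is “hash each word and compare”, and exactly the same step serves a defender auditing a dump before an attacker does. The audit also flags accounts that still carry an LM hash, i.e. where LM hashing was not disabled. The dump lines and the banned-password list are constructed (the LM value for svc_backup is a placeholder, not a real LM hash); the empty-password LM hash constant is the well-known value, and MD4 follows RFC 1320 and is implemented inline because hashlib’s md4 is unavailable on many OpenSSL 3 builds.

```python
import struct


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib's md4 is missing on many
    OpenSSL 3 builds, which is why the algorithm is spelled out here."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4   # register updated this step cycles a, d, c, b
                v[j] = rotl((v[j] + fn(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                             + x[k] + const) & mask, shifts[i % 4])
        state = [(s + t) & mask for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


def audit(dump_lines, banned_passwords):
    """Audit pwdump-style lines (user:rid:lmhash:nthash:::). Flags accounts
    that still carry an LM hash (LM hashing not disabled) and accounts whose
    NT hash equals that of a banned password: the same hash-then-compare
    step a wordlist attack performs, possible because NT hashes are unsalted."""
    lookup = {nt_hash(p): p for p in banned_passwords}   # hash the list once
    findings = {}
    for line in dump_lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        issues = []
        if lm != EMPTY_LM:
            issues.append("LM hash stored")
        if nt in lookup:
            issues.append(f"NT hash matches banned password '{lookup[nt]}'")
        if issues:
            findings[user] = issues
    return findings


# Constructed sample dump (not a real SAM). The LM value for svc_backup is a
# placeholder; the NT values are computed from the passwords shown.
SAMPLE_DUMP = [
    f"Administrator:500:{EMPTY_LM}:{nt_hash('password')}:::",
    f"svc_backup:1001:0123456789abcdef0123456789abcdef:{nt_hash('Tr0ub4dor&3')}:::",
    f"alice:1002:{EMPTY_LM}:{nt_hash('correct horse battery staple')}:::",
]
BANNED = ["password", "123456", "Welcome1"]   # constructed banned-password list

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_DUMP, BANNED).items():
        print(user, "->", ", ".join(issues))
```

Run it and Administrator is reported for a banned password and svc_backup for still having an LM hash, while alice is clean. The lookup table is built once, so checking N accounts against M words costs M hash computations; that is why a wordlist run finishes in seconds while the “millennium” brute force above does not.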


http://en.wikipedia.org/wiki/Brute-force_attack

http://searchsecurity.techtarget.com/definition/dictionary-attack

Bluelog

Simple Bluetooth Discovery with Bluelog

Bluelog is a simple Bluetooth scanner designed to do essentially just one thing: log all the discoverable devices in the area. It is intended as a site survey tool, identifying how many possible Bluetooth targets there are in the surrounding environment. This tool only shows visible devices like PCs, phones, printers etc. It doesn’t show devices whose visibility is OFF.

Note: Make sure you are not testing this tool on a VM, or if you are, you need to plug in a USB Bluetooth device and attach it to your VM. Also make sure that the device is turned on. Read on for further guidelines.

Options

Syntax: bluelog -i <interface> <options>

Basic Options:

-i <interface>   Sets scanning device, default is “hci0”
-o <filename>    Sets output filename, default is “devices.log”
-v               Verbose, prints discovered devices to the terminal
-q               Quiet, turns off nonessential terminal output
-d               Enables daemon mode, Bluelog will run in background
-k               Kill an already running Bluelog process
-l               Start “Bluelog Live”, default is disabled

Logging Options:

-n               Write device names to log, default is disabled
-m               Write device manufacturer to log, default is disabled
-c               Write device class to log, default is disabled
-f               Use “friendly” device class, default is disabled
-t               Write timestamps to log, default is disabled
-x               Obfuscate discovered MACs, default is disabled
-e               Encode discovered MACs with CRC32, default disabled
-b               Enable BlueProPro log format, see README

Advanced Options:

-r <retries>     Name resolution retries, default is 3
-a <minutes>     Amnesia, Bluelog will forget device after given time
-w <seconds>     Scanning window in seconds, see README
-s               Syslog only mode, no log file. Default is disabled


Bluelog Homepage: http://www.digifail.com/software/bluelog.shtml


Lab1 : Scan all Bluetooth Devices and log them to a file.

In this lab we simply scan for all Bluetooth devices around and log them to a file. First we need to check our Bluetooth interfaces. As I said earlier, make sure to be on a physical machine with the Bluetooth device turned ON. In some laptops the hotkeys for turning devices ON/OFF don’t work well if you are running Kali Linux; then you might have to add additional kernel modules to solve the issue. For the following 2 labs I have used a Lenovo notebook, which had some issues in the beginning running Kali Linux. Anyway, let’s proceed.


Step 1: Ensure your Bluetooth device is working and get its MAC.

Command: hciconfig
[Figure: Bluetooth interface details]

From this we can see the Bluetooth device present in our machine. Here we have one interface, hci0.


Step 2: Start scanning

Command: bluelog -i hci0 -o /root/Desktop/btdevices.log -v
[Figure: Bluelog scanning, devices appearing]

Check the file btdevices.log after about 10 minutes. You can see all the devices which are near you/your working machine.

[Figure: Output file]



Lab 2 : Logging Additional Information

In this lab, we log additional information: manufacturer, broadcast names and device class.

Command: bluelog -i hci0 -mnc -o /root/Desktop/btdevices2.log -v
[Figure: Advanced options]

Then check the file btdevices2.log

[Figure: Output file]

Note: Remember that scanning is a time-consuming process; the more patience you have, the better the results. This procedure also resembles wardriving: if you have a portable device you can carry around, and add some of your social engineering skills, you get great results.