Update Nmap in Kali Linux

Install & Update Nmap in Kali Linux Rolling, Sana & earlier versions

This tutorial shows how to update Nmap in Kali Linux 2.0. Nmap 7.0 was released earlier this month; refer here to view what's new in Nmap 7.

Kali Rolling ships Nmap 7 by default, but the steps below still apply for updating Nmap or any other tool, and for editing sources.list.

To update, we first need to ensure that all repositories are in place.

You can verify this with the following command:

Command: cat /etc/apt/sources.list

Official list of repos for Kali Rolling:

deb http://http.kali.org/kali kali-rolling main contrib non-free
#Source Repo
deb-src http://http.kali.org/kali kali-rolling main contrib non-free

Official repositories for Kali 2.0 (Sana):

deb http://old.kali.org/kali sana main non-free contrib
deb-src http://old.kali.org/kali sana main non-free contrib

Older versions (Kali 1.0, Moto):

deb http://old.kali.org/kali moto main non-free contrib
deb-src http://old.kali.org/kali moto main non-free contrib

If your file does not contain all of the above, copy the lines for your release from the list and paste them into the "sources.list" file located in /etc/apt/.

Next, update the existing package database in the OS.

Command: apt-get update
Screenshot: Updating the database

This should take a couple of minutes; the time depends on your internet connection and the number of updates.

After this is finished, we are ready to install the newer version.

To do this, simply install nmap once again. Apt will update the existing version to the latest one.

Command: apt-get install nmap
Screenshot: Install Nmap

After this is complete, we can verify the version by executing the following:

Command: nmap -V
Screenshot: Checking Version

Remember that at the time of your install there may be a newer version available. These steps work for all such updates as long as the base version of Kali stays the same; once Kali Sana is upgraded, you may need to change the repositories. Also remember to use the Moto list of repos if you are using Kali Linux 1.x.

Optionally, the GUI package Zenmap also receives some minor updates. After updating Nmap you can update the Zenmap package as well. This is just as simple: open a terminal and execute the following:

Command: apt-get install zenmap

Hope this helps, and be on the lookout for the complete tutorial series on Nmap.
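As an added example (not part of the original tutorial), the following Python script does the two checks above without leaving the terminal: it reads a sources.list and reports which repository lines for a given Kali release are missing, and it pulls the version string out of `nmap -V` output so that the installed version can be compared with a newer one numerically rather than as text. The sample sources.list and the nmap output embedded in it are constructed; the release names and repository lines are the ones listed above.

```python
"""Check a Kali sources.list for the repo lines a release needs, and parse
`nmap -V` output. Added example; the sample data below is constructed."""
import re

# Repository lines for each Kali release, as listed in the tutorial above.
KALI_REPOS = {
    "kali-rolling": [
        "deb http://http.kali.org/kali kali-rolling main contrib non-free",
        "deb-src http://http.kali.org/kali kali-rolling main contrib non-free",
    ],
    "sana": [
        "deb http://old.kali.org/kali sana main non-free contrib",
        "deb-src http://old.kali.org/kali sana main non-free contrib",
    ],
    "moto": [
        "deb http://old.kali.org/kali moto main non-free contrib",
        "deb-src http://old.kali.org/kali moto main non-free contrib",
    ],
}

# Constructed sample: a Kali 2.0 (Sana) sources.list missing its deb-src line
SAMPLE_SOURCES = """# Kali 2.0 repos (constructed sample)
deb http://old.kali.org/kali sana main contrib non-free
"""

# Constructed sample of what `nmap -V` prints after the update
SAMPLE_NMAP_V = "Nmap version 7.01 ( https://nmap.org )"


def parse_sources(text):
    """Return (type, url, suite, components) for every active line.

    Comments and blank lines are ignored. Apt does not care about the order
    of the components, so they are stored as a frozenset.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("deb", "deb-src"):
            continue
        entries.append((parts[0], parts[1], parts[2], frozenset(parts[3:])))
    return entries


def missing_repo_lines(text, codename):
    """Expected repo lines for `codename` that are absent from `text`."""
    present = set(parse_sources(text))
    return [line for line in KALI_REPOS[codename]
            if parse_sources(line)[0] not in present]


def nmap_version(output):
    """Extract the version string from `nmap -V` output, e.g. '7.01'."""
    m = re.search(r"Nmap version (\S+)", output)
    return m.group(1) if m else None


def version_key(version):
    """'7.01' -> (7, 1), so that versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


if __name__ == "__main__":
    for line in missing_repo_lines(SAMPLE_SOURCES, "sana"):
        print("missing from sources.list:", line)
    installed = nmap_version(SAMPLE_NMAP_V)
    print("installed nmap:", installed,
          "newer than 6.49:", version_key(installed) > version_key("6.49"))
```

Component order is compared as a set on purpose: the Sana and Moto lines above write "main non-free contrib" while Rolling writes "main contrib non-free", and apt treats both the same.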

NMAP 7.0 Released

Nmap 7.0: What's New?

Nmap has always been the king of scanners for security professionals. Eighteen years after its first release, the 7th version has been released. This is the current major & stable release, containing about 330 significant improvements. Over this period the developers have managed to improve scan speed, add more functionality, include more scripts and so on. This time there are some major developments as well: according to the official documentation, there are major improvements in 7 areas. Nmap v7 with 7 major improvements – what a coincidence!

Let's look at them briefly.

Nmap Scripting Engine (NSE)

Image: Nmap Scripting Engine (original: Maserati)

The Nmap Scripting Engine allows users to write custom scripts in the Lua scripting language. It gives the user the power & flexibility to automate & enumerate various tasks & targets in an advanced environment. For those who are not aware, about 340 pre-written scripts were packed by default with the Nmap 6.xx series. In this major release the number has jumped to 515: 171 scripts were added & 4 deleted, and 35 of the new ones are exclusively for version detection (-sV) scans.

Refer here for a detailed description.

IPv6 Support

Image: IPv6

The Nmap project has supported IPv6 since 2002. Now that ARIN has run out of IPv4 addresses, they have moved to IPv6. Slowly the global trend is changing to IPv6, and so has Nmap. In this release some major changes have been made to the IPv6 modules. Here is a brief description of them:

1. Idle Scan Support

Idle scan had not been implemented for IPv6 networks because of the structure & characteristics of IPv6 packets. New techniques have now been developed and implemented in Nmap 7.0.

2. Unicast CIDR-range style scanning

Using Nmap, we can now scan IPv6 ranges just like in IPv4 scanning, for example: google.co.in/120.

3. Enhanced NSE Scripts

Many of the existing scripts now have IPv6 support. Also, 4 IPv6-exclusive scripts have been introduced for host discovery, DoS, traceroute etc.

4. Parallel Reverse DNS Resolver

The reverse DNS resolver now supports IPv6, and scans using the "-6" option are faster because of core-level changes in the code.

5. OS Detection

Using new techniques, OS detection over IPv6 has improved in this version.

6. Advanced Traceroute

Traceroute is now available for IPv6 scans as well. It is even capable of using UDP, SCTP etc., just like in IPv4 scanning.

Advanced SSL Scanning Features

Image: heartbleed

Nmap can now scan for security vulnerabilities affecting SSL/TLS, such as Heartbleed, POODLE, Logjam, FREAK etc. New scripts have been added to perform these checks. Various other services running over TLS, like LDAP, POP3, IMAP etc., are also supported.

Infrastructure Upgrades

Nmap officially announces some major upgrades in its development & maintenance infrastructure: nmap.org is now TLS-enabled, version control has been moved to Git, and so on.

Performance Advancements

The new Nsock engines give faster yet accurate scan results in the new version. There are quite a lot of improvements in the way Nmap scans; the developers have taken good care to improve both accuracy & speed.

Image: Netcat

Ncat Enhanced

The developers claim better support & fixes for bugs in the nc & netcat commands with the new ncat package. They attribute this to the official support for the Ncat package announced by the Red Hat/Fedora team, which allows a better understanding of such systems and eventually fixes for many bugs.

Portability Extreme

Although the tool already works on a wide variety of platforms, portability has been improved further: Nmap now works on Windows 10, Mac OS X 10.11 El Capitan, Solaris & AIX.

Conclusion

In addition to the changes listed above, there are more changes in this version which improve the functionality & efficiency of the tool. Many functional changes have also been introduced, like IPv6 idle scanning and newer scanning techniques. Putting it all together, the roughly 2 years of development from version 6 to 7 have paid off well. My opinion is that Nmap has evolved from a simple recon tool into a dedicated vulnerability scanner. The functionality of Nmap is ever-growing, and with this release many user-end features like IPv6 scanning & better NSE scripts have been implemented. So, to wrap this up, we can conclude that the number of blades in the pentester's Swiss Army knife, and their sharpness, has increased.

Do share this Article & Post your opinions as comments.

References

https://nmap.org/7/#7changes

SQLMAP – Introduction & Automation of SQLi

Basic Operation of SQLMAP & enumeration of Server through automatic SQL Injection.

SQLMAP is a database pentesting tool used to automate SQL injection. Practically speaking, using sqlmap we can dump a whole database from a vulnerable server. SQLMap is written in Python and has dynamic testing features. It can test various database backends very efficiently and offers a highly flexible & modular operation for a web pentester. It can act as anything from a basic fingerprinting tool up to a full database exploitation tool. Simply put, there is no web application testing without sqlmap. All in all, fully loaded!

Features of SQLMAP

  1. Supports
    • MySQL,
    • Oracle,
    • PostgreSQL,
    • Microsoft SQL Server, Microsoft Access,
    • IBM DB2,
    • SQLite, Firebird,
    • Sybase,
    • SAP MaxDB
    • HSQLDB
  2. Supports 6 types of Injection Techniques
    • boolean-based blind,
    • time-based blind,
    • error-based,
    • UNION query-based,
    • stacked queries
    • out-of-band
  3. Ability to perform operations on specific DBs, tables, columns or even dump the whole database. Also offers multiple-database capabilities.
  4. Supports execution of arbitrary queries and system commands
  5. Ability to inject backdoors.
  6. Specific attacker functions on databases.
  7. Multicolored output indicating different messages (Green = Info; Yellow = Warn; Red = Critical; Bold Green = Interesting, etc.)

Links:

Homepage

Source (GitHub)

A Bit About SQLi

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution – Wikipedia

SQL injection basically means making the backend database server execute unintended queries, to gain information, bypass authentication, execute a command on the remote host, or for various other malicious purposes. These unintended queries are usually executed by entering special operational characters (dependent on the backend DBMS) through input forms in web pages, like login forms. By performing SQLi an attacker can perform various types of tasks on the remote machine. SQLi is the most widely found vulnerability among websites. Click here to view some statistics.
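To make the "unintended queries" concrete, here is an added example (not part of the original article, and not sqlmap code) in Python using the standard sqlite3 module: a login check that builds its SQL by string concatenation next to the same check written as a parameterised query. The users table and the three inputs are constructed. The tautology input shows why the concatenated query ends up bypassing authentication while the parameterised one treats the same input as nothing more than a wrong password.

```python
"""A login check built by string concatenation beside the same check with a
parameterised query. Added example using the standard sqlite3 module; the
users table and the inputs are constructed."""
import sqlite3


def make_db():
    """In-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates the input into the SQL text, so a quote in the input
    ends the string literal and the rest of the input is run as SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Passes the values separately; the driver never splices them into the
    statement text, so they can only ever be compared as data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Constructed inputs: a correct login, a wrong password, and the classic
# tautology that turns the WHERE clause into "... OR '1'='1'".
INPUTS = [
    ("good", ("alice", "correct-horse")),
    ("wrong", ("alice", "wrong")),
    ("tautology", ("alice", "' OR '1'='1")),
]


def compare():
    """Run both checks against each input and return the outcomes."""
    conn = make_db()
    return {
        "vulnerable": {name: login_vulnerable(conn, *creds) for name, creds in INPUTS},
        "safe": {name: login_safe(conn, *creds) for name, creds in INPUTS},
    }


if __name__ == "__main__":
    for mode, results in compare().items():
        print(mode, results)
```

The fix is not input sanitising but keeping code and data separate: with placeholders the statement the database compiles is fixed before any user value arrives, so no value can change what the query does.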

Scenario

Attacker Machine: Kali Linux 2.0 (VM)

Target: OWASPBWA (VM), IP Addr: 192.168.0.104,  Application: Mutillidae

Target URL(Scope) : http://192.168.0.104/mutillidae/

Lab 1 : Banner Grabbing

In this lab we simply grab the banners from the remote machine. Details like the backend DBMS, web application technology, server OS, web server type & version etc. are retrieved by this operation. For this we need to specify either the exact URL or a file containing the request to the URL. In this tutorial we perform the operation with a file containing the request. We can capture this request with the help of Burp Suite: turn ON intercept & forward the request from the browser to Burp Suite, then copy the request & paste it into a file. Refer to the Burp Suite tutorial here to learn how to get started with it.

Step 1 : Take Request

Open the login page of Mutillidae (or whichever target you have).

Screenshot: Filling the form

Open Burp Suite & turn ON the intercepting proxy. Also configure the browser to send connections to Burp Suite as a proxy. Refer here to see how to do this.

Screenshot: Burp Suite intercepting the request

Come back to the browser, enter some data in the text boxes & submit.

See the request intercepted in Burp Suite. Copy the entire request to a new file; here I am using "mut-sqlmap-bypassauth-post.req". Then save the file.

Screenshot: Copying the request

Note: after turning ON intercepting in Burp, select the POST request only. The request should be the one you would make when performing a browser-based manual SQL injection.

Screenshot: Saving the file

Edit the file in any text editor and make the username & password values blank (give two single quotes).

Screenshot: Editing the request file

Step 2 : Run SQLMAP with the file

Command: sqlmap -r mut-sqlmap-bypassauth-post.req --threads=10 -b
(replace the file name with yours; --threads=10 is optional)
Screenshot: Executing sqlmap

Sqlmap asks a couple of questions during execution. You can answer yes ('y') to all of them, but do read them carefully.

Screenshot: Sqlmap prompts

You can get to see various messages & the actual operation done by sqlmap and finally the results are shown.

Screenshot: Operations displayed
Screenshot: Results

Here the web server, backend database, web technology & the system OS are displayed. All this information is also stored in a local directory; you can try reading it too.

References

Mutillidae download link: http://sourceforge.net/projects/mutillidae/

OWASP BWA download link: http://sourceforge.net/projects/owaspbwa/?source=directory

http://blog.checkpoint.com/2015/05/07/latest-sql-injection-trends/

http://www.darkreading.com/risk/sql-injections-top-attack-statistics/d/d-id/1132988

World Wide Live Attack Map & Analytics

Ever wanted to see live DoS attacks across the globe? There is a website from a security firm that shows live attacks from all over the globe, including protocol information, IP addresses and country. All this information is put together in a wonderful hacker-like map. Live attacks & traffic are shown once you start the live view. The website shows the source & target of attacks on a geographical map, with each attack drawn as a line starting from the source & ending at the destination.

Patience running out? Well, here it is, but do come back here:

Norse Attack Map

The website is made & maintained by Norse Corporation. The company offers a product called Norse Appliance. They claim they have a network of sensors, honeypots & IDSs which monitors over 1 billion nodes, including Tor & other anonymous proxies. The data from all of these & from each Norse Appliance, combined with regular SIEMs, are centralized into one big data rig. They claim up to 7 petabytes of threat intelligence data worldwide. This database is accessible to Norse customers and can be integrated into their regular security architecture. Norse claims that by doing so, the client company can interpret and predict security events & patterns, which allows the company to take appropriate countermeasures before the attack starts.

For ordinary people using the map, they can see the attack patterns emerging worldwide. It gives you a broad view of what is happening out there. Very interesting information like attack protocol, attacker & target IPs, geographical location etc. is arranged on the website – the hackers' way. You can sort or filter for a particular piece of info, change the interface & view country information.

I think the best use is that this live attack map can give an outline of the cyber warfare going on. By looking at the map for 5 minutes, you can understand the pattern of attacks at various times. You can even figure out whether your country is targeted by many, and by whom.

So here is a GIF of some 10 seconds:

Image: attack map animation

Using the interface you can pause the live preview, zoom in or out & see other information at the bottom. There is also another interface available; you can access it by clicking the middle button in the controls at the bottom right.

So don't wait: analyse who your enemies are quickly, & share this post on your social accounts.

macof

MAC Flooding with MACOF & some major countermeasures

Macof is a member of the dsniff suite of tools and is mainly used to flood the switch on a local network with MAC addresses. The reason this works is that the switch regulates the flow of data between its ports: it actively records (caches) the MAC address seen on each port, which lets it pass data only to its intended target. This is the main difference between a switch and a passive hub. A passive hub has no mapping, and thus broadcasts line data to every port on the device; the data is typically rejected by all network cards except the one it was intended for. In a hubbed network, sniffing data is therefore very easy: placing a network card into promiscuous mode lets that device simply collect all the data passing through the hub. While this is nice for a hacker, most networks use switches, which inherently restrict this activity. Macof can flood a switch with random MAC addresses; this is called MAC flooding. It fills up the switch's CAM table, so new MAC addresses cannot be saved, and the switch starts sending all packets to all ports. It thus starts to act as a hub, and we can monitor all traffic passing through it.

Homepage

Options

Syntax: macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]

-i interface   Specify the interface to send on.
-s src         Specify source IP address.
-d dst         Specify destination IP address.
-e tha         Specify target hardware address.
-x sport       Specify TCP source port.
-y dport       Specify TCP destination port.
-n times       Specify the number of packets to send.

LAB 1: Simple Flooding

This lab floods the switch with random MAC addresses; the -n option limits the number of packets sent (10 here).

command: macof -i eth1 -n 10
Screenshot: Random flooding

LAB 2: Targeted Flooding

Macof can also flood a switch with random MAC addresses destined for 192.168.1.1.

command: macof -i eth1 -d 192.168.1.1
Screenshot: Targeted flooding

While conducting a pentest, this tool comes in handy for sniffing. Some switches don't allow ARP packets to be spoofed; this tool can be used in such situations to check whether the switch can be overloaded. Some switches then behave like hubs, transmitting all source packets to all destinations, and sniffing becomes very easy. Some switches tend to crash & reboot as well. This kind of layer 2 stress testing can be done with this handy tool.

Countermeasures

Some of the major countermeasures against MAC Flooding are:

  1. Port Security: limits the number of MAC addresses that may connect to a single port on the switch.
  2. Implementation of 802.1X: allows packet filtering rules issued by a centralized AAA server, based on dynamic learning of clients.
  3. MAC Filtering: limits the number of MAC addresses to a certain extent.
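As an added example (not part of the original article), this Python simulation models a switch CAM table of limited size together with the port-security countermeasure from the list above. The table size, port numbers and traffic are constructed. Without a per-port limit, the flood arriving on one port exhausts the table, a legitimate host's MAC can no longer be learned, and frames to it are flooded out of every port (the hub behaviour described earlier); with a limit of two addresses per port the excess flooding frames are dropped as violations and the table stays usable.

```python
"""What MAC flooding does to a switch's CAM table, and how a port-security
limit stops it. Added example; the switch model, table size and traffic
are constructed for illustration."""
import random


class Switch:
    def __init__(self, cam_capacity, max_macs_per_port=None):
        self.cam_capacity = cam_capacity            # entries the CAM table can hold
        self.max_macs_per_port = max_macs_per_port  # port-security limit (None = off)
        self.cam = {}                               # mac -> port
        self.violations = {}                        # port -> dropped frames

    def learn(self, port, src_mac):
        """Learn src_mac on port; returns 'learned', 'known', 'full' or 'violation'."""
        if src_mac in self.cam:
            return "known"
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.violations[port] = self.violations.get(port, 0) + 1
                return "violation"      # frame dropped, nothing learned
        if len(self.cam) >= self.cam_capacity:
            return "full"               # table exhausted: MAC not learned
        self.cam[src_mac] = port
        return "learned"

    def forward(self, dst_mac):
        """Port for a known destination, or 'flood' (every port) for an unknown one."""
        return self.cam.get(dst_mac, "flood")


def random_mac(rng):
    return ":".join("%02x" % rng.randrange(256) for _ in range(6))


def simulate(max_macs_per_port=None, flood_frames=200, cam_capacity=64, seed=1):
    """Flood from port 1, then let a legitimate host on port 2 send a frame.

    Returns (cam_entries, learn_result_for_legit_host, forwarding_for_legit_host).
    """
    rng = random.Random(seed)
    sw = Switch(cam_capacity, max_macs_per_port)
    for _ in range(flood_frames):
        sw.learn(1, random_mac(rng))      # random source MACs, as macof sends
    legit = "00:11:22:33:44:55"           # constructed address of a real host
    learned = sw.learn(2, legit)
    return len(sw.cam), learned, sw.forward(legit)


if __name__ == "__main__":
    print("no port security :", simulate())
    print("port security (2):", simulate(max_macs_per_port=2))
```

The same model explains why the countermeasure belongs on the access port: the flood only needs to be larger than the table, so a limit enforced per port caps the damage a single attached host can do regardless of the table's size.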

Stagefright – All you need to know

Find out whether your device is vulnerable & Defend against Stagefright Vulnerability

Stagefright is one of the latest large-scale vulnerabilities, affecting up to a billion Android devices all over the world. Basically speaking, the Stagefright vulnerability is a flaw which allows an attacker to control your Android device by sending you an MMS message. It can come through your carrier's messaging service, Google Hangouts or any other service which has auto-download of MMS enabled. An attacker can gain access to your device by sending you a malicious MMS: if the malicious MMS gets downloaded to your device, the attacker gets access. You need not open the MMS at all. By doing so, the attacker can access your emails, Facebook, WhatsApp & many other services on your device. So first and foremost, switch off the auto-download media option right now in Messaging, Google Hangouts & other such services you have installed on your Android device.

More Specific Details for the IT Guys.

Stagefright is actually a collection of media format handlers bundled into a single library used for media playback in the Android OS. It was written in native C++ to improve media processing performance, but C++ is more prone to memory corruption & overflows. In August 2015 (i.e. the month this article was written), a company named Zimperium, providing enterprise mobile security solutions & services, disclosed a set of vulnerabilities in the Stagefright library. The company's R&D team, zLabs, officially presented the vulnerability at Black Hat USA on Aug 5 & DEF CON 23 on Aug 7. In April 2015 a zLabs security researcher named Joshua Drake had discovered this vulnerability in the Stagefright library. Though he reported it to Google & they have released patches, security researchers believe there are still 950 million Android devices that are vulnerable.

Technically Speaking

There is a set of seven remote code execution & privilege escalation vulnerabilities in the Stagefright library. In-depth technical details are not available, though they have been assigned the following CVE numbers. The type of vulnerability, impact & vulnerable object are listed respectively.

  • CVE-2015-1538 – Integer Overflow, Remote Code Execution, MP4 Atom
  • CVE-2015-1539 – Integer Overflow, Remote Code Execution, MP4 Atom
  • CVE-2015-3824 – Integer Overflow, Remote Code Execution, MP4 Atom
  • CVE-2015-3826 – Buffer Overread, 3GPP Metadata
  • CVE-2015-3827 – Integer Overflow, Remote Code Execution, MP4 Atom
  • CVE-2015-3828 – Integer Underflow, Remote Code Execution, 3GPP
  • CVE-2015-3829 – Integer Overflow, Remote Code Execution, MP4 Atom

See this video for a PoC.

For the common users & kids

This is nothing major; no need to turn off your smartphone or raise your blood pressure. This is simply a bad MMS/media message which arrives in your messaging, Google Hangouts or similar apps. What you need to do is just turn OFF automatic media download & make sure not to open any MMS, or even text messages, you receive from unknown senders. Also remember to update the apps on your phone & install new Android updates as soon as you see them. If you are still afraid, turn off Wi-Fi and mobile data; then nobody dares to touch your device. (:P)

How to detect whether your device is Affected

There are some apps in the Play Store that detect this vulnerability. You can install them directly on your device & check for yourself from within the device itself. Here I have described 2 apps which can be helpful:

  1. Stagefright Detector – Lookout Mobile Security
  2. Stagefright Detector – Zimperium INC.

Stagefright Detector – Lookout Mobile Security

Screenshot: Lookout Security

This one is intended for normal users who don't want the techie details. The app simply detects whether your device has the vulnerability & shows a result summary. Finding the app is simple; it will mostly be the 2nd result when you search for "Stagefright Detector" in the Play Store. However, here is the link:

Stagefright Detector – Lookout Mobile Security

Install it as you would install a normal app. After installation, just open the app & it starts detection. Once detection is finished, it displays the result. It also includes some interesting links.

This is as simple as unlocking your phone. Try it.

Here are some Screenshots.

Stagefright Detector – Zimperium INC.

Screenshot: Zimperium

This is the app from the security research firm that officially discovered this vulnerability. In addition to detecting whether you are vulnerable or not, it provides additional information on exactly which variant your device is vulnerable to, and gives more detailed output as red & green CVE numbers.

E.g.: if your device has the CVE-2015-3824 vulnerability, that entry turns red; the others, which are not present, turn green.

Finding & installing the app is simple. It will be the first one popping up when you search for "stagefright detector" in the Play Store. Following is the link to the app:

Stagefright Detector – Zimperium INC.

After installation, open the app & tap the "Begin Analysis" button to start analysing your device. After detection completes, the app displays the result in the manner described earlier.

Here are the screenshots:

How to defend against it?

1. Update Android

The best solution is to update Android when the update arrives. Google has officially released Android 5.1.1_r9, which patches this issue. It has been made available for Nexus, HTC & Samsung devices as of now (August 2015); patches for more devices are expected to arrive soon.

2. Disable Auto Downloads

In fact, the first & foremost thing to do is to block all text & MMS messages from unknown sources. Attackers can use these MMSs like a phishing link to gain access to your Android device. So here is a list of tasks to do:

Turn OFF the auto retrieve for multimedia messages.

On your Android device, go to Messaging > Settings > Auto-retrieve & uncheck the option.

Do the same for Hangouts also.

Screenshot: Disabling auto-retrieve

Conclusion

After the Heartbleed vulnerability, the most widespread vulnerability affecting a large range of devices is the Stagefright vulnerability. There are system-level & human-level patches for this flaw. In my opinion, the human-level patch & defence is more necessary, as a lot of end-user devices are affected. Creating basic awareness of what this flaw is & how to defend against it is critical for all Android device users equally. Helping someone protect their privacy is more like social work than just telling them their device is vulnerable. So do it by any means you can.

Of course, if you think this article will help in any way, sharing it will help somebody protect themselves. So what are you waiting for? Please like us, follow us, subscribe & give feedback.

More Core Changes in Kali Sana (V 2.0)

More Linux core changes in Kali Sana are worth noticing (this also applies to other recent Linux distros).

Recently, some core changes & tweaks were introduced to the Linux architecture & kernel itself. This article gives an introduction to some of them. Although it focuses on Kali Linux, people using other Linux distributions can use it as well. These updates have existed since 2014 but are only now being put to use, as they bring some major changes in the way the Linux system works.

Here in this article, 3 core level changes are discussed.

1. Systemd & Systemctl

2. New Network Manager

3. Journalctl

1. Systemd & Systemctl

Systemd is an abbreviation for System Management Daemon. It replaces the init process, which was the parent of all processes on a Unix system in older versions. Systemd starts processes in parallel, whereas init in older versions starts them serially. It was designed to overcome many limitations of init, such as kernel panics, and the intention was to make things as clean as possible. As a result, systemd boots much faster than init. There is also a new logging system called journald, which is described later in this article.

Practically, the core change is that run levels have been replaced by targets. Also, all objects are categorized as targets, sockets & services; starting a runlevel is ideologically changed into reaching a target.

Read More: http://www.tecmint.com/systemd-replaces-init-in-linux/

https://wiki.debian.org/Debate/initsystem/systemd

Tasks:

1. Check ssh with both methods

2. Some more interesting things using systemctl

Here is a table comparing init commands & systemd commands. On init-based systems we use the service command for control, whereas on systemd-based systems we use systemctl. Have a look at the following table & try it for yourself.

Image: comparison table of service and systemctl commands

Here are some screenshots.

Here is a list of other systemctl tricks:

systemctl list-units --type=target   # Shows all targets
systemctl list-units                 # Lists all units; pipe to grep to filter
systemctl list-unit-files            # Lists all unit files
systemctl list-dependencies          # Lists dependencies of all objects
systemctl get-default                # Shows the default target, graphical.target in Kali Sana
systemctl set-default <target>       # Sets the default target; try multi-user.target

2. New Network Manager – NMCLI

Nmcli & nmtui are the two new interfaces to NetworkManager on new Linux systems. In Kali Linux 2.0 this new manager for network connections is available. Nmcli is the command-line version & nmtui is the curses-like text interface. Other systems like CentOS/RHEL/Fedora etc. are also starting to use nmcli.

Using nmcli we can add, edit or remove network connections & every small detail of each connection we have. In addition, creating bridges & bond connections (team aggregation) is just a few keystrokes away.

Tasks

  1. View current State using nmcli
  2. Start & Stop a connection using nmcli
  3. Setup a connection with nmtui

1. View Current Status

nmcli connection show <connection name>   # press Tab twice to list all connections
nmcli con show eth0                       # replace eth0 with your connection name

Here are some screenshots.

2. Start & Stop Connections

nmcli con show eth0   # replace eth0 with your connection name
nmcli con down eth0
nmcli con up eth0

3. Setup a connection with nmtui

For this I have added a new adapter to the VM. Let's give a static address to the newly added NIC.

NMTUI is an interactive terminal UI; you can do it yourself.

Here are screenshots of nmtui.

Refs: Redhat, GNOME Wiki

3. Journalctl

The journal is a new system which collects log data, including metadata, from various sources within a Linux/Unix system. It uses a native API for collecting logs from various sources including systemd, other service daemons, the kernel etc. It indexes the collected data & restructures it efficiently, so seek times are shorter. In addition, the journal works in parallel with legacy systems like rsyslog, and logs are still available in the same locations (/var/log).

The journald service is responsible for collecting the logs & doing all the processing. Journalctl is an interactive console tool to view journals. Using journalctl, journals can be viewed & sorted very quickly as all the data is indexed, which helps solve problems a lot faster.

Tasks

View logs with journalctl.

journalctl
journalctl -xn

Here are the screenshots.

Refs: Redhat, DigitalOcean
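Because every journal entry carries indexed fields rather than just a text line, journalctl can also emit entries as JSON (`journalctl -o json`, one object per line), which makes them easy to process outside the tool. As an added example (not part of the original article), the Python script below parses such output and filters it by unit and priority the way `journalctl -u ssh.service -p warning` would; the three journal entries are constructed, not captured from a real system.

```python
"""Parse `journalctl -o json` output and filter by unit and priority.
Added example; the journal entries below are constructed."""
import json
from datetime import datetime, timezone

# Constructed sample of `journalctl -o json` output, one JSON object per line.
# __REALTIME_TIMESTAMP is microseconds since the epoch, PRIORITY a syslog level.
SAMPLE_JOURNAL = r'''
{"__REALTIME_TIMESTAMP": "1439280000000000", "PRIORITY": "6", "_SYSTEMD_UNIT": "ssh.service", "MESSAGE": "Server listening on 0.0.0.0 port 22."}
{"__REALTIME_TIMESTAMP": "1439280060000000", "PRIORITY": "4", "_SYSTEMD_UNIT": "ssh.service", "MESSAGE": "Failed password for invalid user admin from 192.0.2.10 port 51822 ssh2"}
{"__REALTIME_TIMESTAMP": "1439280120000000", "PRIORITY": "3", "_SYSTEMD_UNIT": "NetworkManager.service", "MESSAGE": "device (eth1): link down"}
'''

# syslog priority levels: a lower number means more severe
PRIORITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}
PRIORITY_BY_NAME = {name: level for level, name in PRIORITY_NAMES.items()}


def parse_journal(text):
    """One dict per non-empty line of journalctl -o json output."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def filter_entries(entries, unit=None, max_priority="debug"):
    """Keep entries of `unit` (if given) at severity `max_priority` or worse,
    like `journalctl -u UNIT -p LEVEL`."""
    level = PRIORITY_BY_NAME[max_priority]
    return [e for e in entries
            if (unit is None or e.get("_SYSTEMD_UNIT") == unit)
            and int(e.get("PRIORITY", 7)) <= level]


def format_entry(entry):
    """Render an entry as 'YYYY-mm-dd HH:MM:SS unit[level] message' (UTC)."""
    seconds = int(entry["__REALTIME_TIMESTAMP"]) / 1_000_000
    when = datetime.fromtimestamp(seconds, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    level = PRIORITY_NAMES.get(int(entry.get("PRIORITY", 7)), "?")
    return "%s %s[%s] %s" % (when, entry.get("_SYSTEMD_UNIT", "-"), level, entry["MESSAGE"])


if __name__ == "__main__":
    entries = parse_journal(SAMPLE_JOURNAL)
    # Equivalent of: journalctl -u ssh.service -p warning
    for e in filter_entries(entries, unit="ssh.service", max_priority="warning"):
        print(format_entry(e))
```

On a real system the same script can read `journalctl -o json --no-pager` from a pipe; the field names used here (MESSAGE, PRIORITY, _SYSTEMD_UNIT, __REALTIME_TIMESTAMP) are the ones journald itself attaches to every entry.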

Conclusion

Putting it all together, Kali Linux has had a complete core-level changeover. Maybe that's one of the reasons why the developers went straight from version 1.1 to 2.0. With an improved kernel, logging system & network manager, Kali Linux 2.0 has proved to be more stable & to emerge (or remain) as an industry-standard pentesting distro.

First Look at Kali Linux 2.0

A rebirth of a penetration testing distribution – Kali Linux 2.0 Codename: Kali Sana

On August 11th, Kali Linux version 2.0 was released, codenamed Sana. After rigorous changes & updates from Kali 1.0 to 1.1, the makers of Kali Linux, Offensive Security, decided to go for version 2.0, with the biggest changes since the first release of Kali Linux. Mainly these are end-user modifications like accessibility, newer tools and a more stable & updated kernel. The developers have made the new version more user friendly and interactive, with the latest desktop environments, and say it is highly customizable. Another notable thing is that Kali Linux now supports a variety of ARM devices, including some of the latest smartphones.

Here are the major updates

GNOME 3 Session

The most noticeable update in the new version of Kali Linux is the introduction of a full GNOME 3 session. In older versions it was a fallback session (with limited features). Many didn't want to switch from BackTrack to Kali because of the completely dark environment and pitch-black wallpaper. The new version comes with a bright new wallpaper, the GNOME 3 hot corner (apps overview), a highly customizable sidebar, a new, improved & customized GTK shell and many more visual tweaks.

Pros:

  1. More user friendly
  2. Highly Customizable
  3. Comes with Gnome-Tweak-Tool by default
  4. Brighter Experience.
  5. Additional features like multiple desktops, easy screen & sound recorder, apps corner etc.

Cons:

  1. Minimum requirements are higher.
  2. Consumes more resources.

Here are some screenshots.

Better Support for ARM & other robotic kits.

Image: Kali Linux on ARM devices

Officially, Kali Linux is now available for all major Google Chromebooks, Raspberry Pi, ODROIDs & some more robotic kits. In addition, Kali & the NetHunter images have more stable support for devices like the Nexus and the OnePlus One, which is a new addition. The developers also claim it will be easier to compile new drivers, since they have included all kernel source headers.

In addition, they have provided new VMware/VirtualBox images with improved guest-additions packages.

Image: Kali Linux on the OnePlus One

Pros:

  1. Complete kernel solves many driver issues found in earlier versions.
  2. Better for those with knowledge of embedded/robotic/electronic systems; can now be installed on Chromebooks and other ARM-based systems.
  3. NetHunter for Nexus 5 – 10 & for OnePlus One.

Cons: Probably none

Know More: https://www.offensive-security.com/kali-linux-nethunter-download/

A list of Images: https://www.offensive-security.com/kali-linux-vmware-arm-image-download/

Metasploit

This is one of the major cons of the new version. Kali Linux 2.0 comes with the open-source base package of Metasploit; the web UI & other Community/Pro services aren't available. Anyway, Metasploit Community can be downloaded, registered & installed from Rapid7's website.

Screenshot: Metasploit in Kali 2.0

Pros:

Just one: the developers claim a faster and smoother experience, because Metasploit is now built on native Ruby packages instead of a bundled Ruby.

Cons:

  1. The metasploit service is gone, so one has to start PostgreSQL, initialise the database (msfdb init) and connect msfconsole to it manually.
  2. The much more user-friendly web UI of Metasploit Community/Pro is not available.

Updated & Better Tools.

At first look the old menu system has undergone only minor changes, but some new tools have been added. One notable addition is pixiewps, which performs the offline Pixie Dust attack against WPS: on access points whose WPS nonces are weakly generated it recovers the PIN in seconds instead of the hours an online brute force takes. The kernel is now Linux 4.0. The developers are also sticking to Debian standards: packages are continuously pulled from the Debian Testing repository and newer packages are tested on Kali. This makes it a stable yet cutting-edge, Debian-compliant distribution.

Conclusion

All in all, Offensive Security, the makers of Kali Linux, took the release of Kali Linux 2.0 very seriously. They made some drastic changes, making the platform compatible with a wider range of devices and more stable. A new and improved toolset and interface have also been introduced in Kali Sana, making it the most powerful penetration testing distribution to date.

parasite6 – Redirect all IPv6 traffic through your attacker machine

Redirect all IPv6 traffic through your attacker machine with parasite6

Parasite6 is the arpspoof of IPv6 networks and part of the THC-IPv6 tool suite. As always, they have made it very simple and effective. IPv6 has no ARP; hosts learn each other’s MAC addresses through Neighbor Discovery (ICMPv6 Neighbor Solicitation and Neighbor Advertisement). Parasite6 listens for Neighbor Solicitations and answers every one of them with a Neighbor Advertisement that maps the solicited address to the attacker’s MAC, with the Override flag set so that neighbours replace cache entries they already hold. So every host on the link, whichever address it looks up (the router’s included), ends up with the attacker’s MAC in its neighbour cache and sends its packets to the attacker machine. We can either give a fake MAC address to advertise or run it without one, in which case the interface’s own MAC is used. Either way it works just as well as arpspoof.

Options

Syntax: parasite6 [-lRFHD] interface [fake-mac]

-l       loop: resend the packets per target every 5 seconds
-R       try to inject the destination of the solicitation

NS security bypass:

-F       add a fragment header
-H       add a hop-by-hop header
-D       add a large destination header

Homepage: https://www.thc.org/thc-ipv6/

Reference: Cisco

Note: This tutorial was written when Kali 1.0.9 was the latest release. In newer versions (Kali Sana and Kali Rolling) the THC-IPv6 tools are prefixed with atk6-, so parasite6 becomes atk6-parasite6.

Lab: Spoof the network and Route all packets through your system.

Scenario: I have an IPv6 network & some IPv6 hosts

IPv6 network: fc00::/64

Attacker : Kali Linux VM

It is as simple as it sounds: first turn on IPv6 forwarding, then run parasite6. Forwarding matters: with it off, the redirected traffic is dropped on the attacker machine and the spoof becomes a denial of service for the whole segment instead of a man in the middle.

Command: echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Command: parasite6 -l eth0   (replace eth0 with your interface; -l keeps re-sending the advertisements so the poisoned cache entries don’t expire)
Screenshot: packets being spoofed

Try the other options yourself, including a fake MAC address as the last argument (the square brackets in the syntax only mean it is optional; don’t type them).

To check that it is working, test with passive_discovery6 (see the tutorial on it on this site). You can also verify it with urlsnarf, driftnet or any other sniffer on the attacker machine.

Don’t forget to comment & Subscribe. It’s what keeps us alive.

smurf6

Perform a smurf attack, a reflected denial-of-service attack against a whole IPv6 network, using smurf6

Smurf6 performs a smurf attack on an IPv6 network. A smurf attack is a reflection DoS: the attacker pings the broadcast address with the victim’s address as the spoofed source, so every node on the network receives an ICMP echo request that appears to come from the victim, and all of them send their echo replies to the victim at once. Because many hosts reflect traffic at a single target it behaves like a distributed attack even though one machine launches it. In IPv4 this rarely works any more, since modern routers drop directed broadcasts and hosts usually ignore broadcast pings. IPv6 has no broadcast address, but the all-nodes multicast group ff02::1 reaches every host on the link and plays the same role, so IPv6 networks are still vulnerable. Take a look at the following image for a better understanding of the attack.

Schematic diagram of the smurf attack

Smurf6 sends a large number of ICMPv6 echo requests to a multicast address (by default ff02::1, all nodes on the link) with the victim’s IP address as the source. Every node that answers multicast echoes then sends its echo reply to the victim host, so the victim is flooded by its own neighbours. Note that RFC 4443 only says a host SHOULD answer an echo request sent to a multicast address; hosts configured not to answer them cannot be used as reflectors.
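What the two tools put on the wire, and how a passive sensor on the same link can spot it, as an added example that is not part of the original tutorials or of the THC-IPv6 suite. It covers both the parasite6 Neighbor Advertisements described above and the smurf6 echo requests described here: a minimal decoder for plain IPv6+ICMPv6 frames (no extension headers, so the -F/-H/-D bypass options of parasite6 would slip past it) compares every Neighbor Advertisement against a learned address-to-MAC baseline and a set of known routers, and counts echo requests to multicast groups per claimed source. All addresses, MACs, the baseline and the packets themselves are constructed for the example; ICMPv6 checksums are left at zero because the checks never verify them.

```python
import ipaddress
import struct
from collections import Counter

NEXT_HEADER_ICMPV6 = 58
ICMPV6_ECHO_REQUEST = 128
ICMPV6_NEIGHBOR_ADVERT = 136
OPT_TARGET_LLADDR = 2          # RFC 4861 option type 2: target link-layer address


def build_ipv6(src, dst, icmp):
    """Constructed IPv6 header (no extension headers) in front of an ICMPv6 message."""
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), NEXT_HEADER_ICMPV6, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp


def build_neighbor_advert(target, mac, router=True):
    """NA the way parasite6 answers a solicitation: Router/Solicited/Override flags set
    and the target link-layer option pointing at the attacker's (or the fake) MAC."""
    flags = (0x80 if router else 0) | 0x40 | 0x20
    hdr = struct.pack("!BBHB3x", ICMPV6_NEIGHBOR_ADVERT, 0, 0, flags)   # checksum left 0
    opt = bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return hdr + ipaddress.IPv6Address(target).packed + opt


def build_echo_request(seq=1):
    return struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, 1, seq) + b"smurf6"


def parse_packet(pkt):
    """Return (src, dst, icmp_type, icmp_body), or None if not plain IPv6 + ICMPv6."""
    if len(pkt) < 44:
        return None
    ver_tc_fl, plen, nxt, _hlim = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6 or nxt != NEXT_HEADER_ICMPV6:
        return None
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    icmp = pkt[40:40 + plen]
    return src, dst, icmp[0], icmp[4:]


def parse_neighbor_advert(body):
    """Decode the flags, the target address and the target link-layer address option."""
    flags, target, mac = body[0], ipaddress.IPv6Address(body[4:20]), None
    opts = body[20:]
    while len(opts) >= 8:
        otype, olen = opts[0], opts[1]
        if olen == 0:
            break                        # malformed option; RFC 4861 says discard the packet
        if otype == OPT_TARGET_LLADDR and olen == 1:
            mac = ":".join(f"{b:02x}" for b in opts[2:8])
        opts = opts[olen * 8:]
    return {"router": bool(flags & 0x80), "target": str(target), "mac": mac}


def check_neighbor_advert(pkt, known_macs, routers):
    """parasite6 pattern: an NA whose MAC disagrees with the baseline, or one that sets
    the Router flag for an address that is not a router. Returns a list of findings."""
    parsed = parse_packet(pkt)
    if parsed is None or parsed[2] != ICMPV6_NEIGHBOR_ADVERT:
        return []
    na = parse_neighbor_advert(parsed[3])
    findings = []
    expected = known_macs.get(na["target"])
    if na["mac"] and expected and na["mac"] != expected:
        findings.append(f"{na['target']} advertised as {na['mac']}, baseline says {expected}")
    if na["router"] and na["target"] not in routers:
        findings.append(f"{na['target']} advertised with Router flag but is not a known router")
    return findings


def check_smurf(pkts, local_prefix, threshold=10):
    """smurf6 pattern: many echo requests to a multicast group whose source claims to be
    a host of our own prefix. Returns {claimed_source: count} for sources over threshold."""
    net = ipaddress.IPv6Network(local_prefix)
    counts = Counter()
    for pkt in pkts:
        parsed = parse_packet(pkt)
        if parsed is None or parsed[2] != ICMPV6_ECHO_REQUEST:
            continue
        if parsed[1].is_multicast and parsed[0] in net:
            counts[str(parsed[0])] += 1
    return {s: n for s, n in counts.items() if n >= threshold}


# Constructed baseline (hypothetical values): router fc00::1, host fc00::3, attacker fc00::5.
KNOWN_MACS = {"fc00::1": "00:11:22:33:44:01", "fc00::3": "00:11:22:33:44:03"}
ROUTERS = {"fc00::1"}
ATTACKER_MAC = "de:ad:be:ef:00:05"


def demo_parasite6():
    """Two spoofed NAs from the attacker and one genuine NA from the router."""
    spoof_router = build_ipv6("fc00::5", "fc00::3", build_neighbor_advert("fc00::1", ATTACKER_MAC))
    spoof_host = build_ipv6("fc00::5", "fc00::1", build_neighbor_advert("fc00::3", ATTACKER_MAC))
    genuine = build_ipv6("fc00::1", "fc00::3", build_neighbor_advert("fc00::1", "00:11:22:33:44:01"))
    return [check_neighbor_advert(p, KNOWN_MACS, ROUTERS) for p in (spoof_router, spoof_host, genuine)]


def demo_smurf6():
    """Fifty echo requests to ff02::1 claiming to come from the victim fc00::3, plus one normal ping."""
    flood = [build_ipv6("fc00::3", "ff02::1", build_echo_request(seq=i)) for i in range(50)]
    normal = [build_ipv6("fc00::4", "fc00::3", build_echo_request())]
    return check_smurf(flood + normal, "fc00::/64")


if __name__ == "__main__":
    print("NA findings:", demo_parasite6())
    print("smurf sources:", demo_smurf6())
```

Run it with python3 on its own: the first spoofed NA is caught by the MAC mismatch alone (the router really is a router), the second by both the mismatch and the Router flag, the genuine one passes, and the smurf check reports fc00::3 with 50 multicast echoes. On a real link the same functions would be fed frames from a raw socket or a pcap, and the baseline would be learned from the first advertisements seen or taken from an inventory, which is the approach NDP-monitoring tools take.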

Reference : http://searchsecurity.techtarget.com/definition/smurfing

http://www.cisco.com/web/about/security/intelligence/guide_ddos_defense.html

Homepage: https://www.thc.org/thc-ipv6/

Note: This tutorial was written when Kali 1.0.9 was the latest release. In newer versions (Kali Sana and Kali Rolling) the THC-IPv6 tools are prefixed with atk6-, so smurf6 becomes atk6-smurf6.

Options

Syntax: smurf6 interface victim-ip [multicast-network-address]
Example: smurf6 eth0 8ea0::1a ff02::1

The third argument is optional (the square brackets are not typed) and defaults to ff02::1, the all-nodes multicast address; it must be a multicast address, not a network prefix.

Lab : Perform a Smurf attack on an IPv6 network.

This is pretty simple with smurf6. All you need is the IPv6 prefix of the network and a victim host. Even if you don’t find any hosts, smurf6 still floods the entire link with ICMPv6 requests. Check the post on passive_discovery6 to see how to discover IPv6 hosts and networks:

http://kalilinuxtutorials.com/ig/passive_discovery6/

Note: This is a destructive DoS attack. Neither the authors of this article nor the tool’s authors are responsible in any way for the consequences if it is misused. Use it only on a test network, or with a proper agreement if you have to run it in a live environment.

Scenario: To be frank with you, this is very destructive. It crashes all systems in the target network, not only the victim host. For this simple tutorial I had to prepare a lot, because carrying out this attack kills everything on the network. So I had to move onto a live machine in order to complete this tutorial. Let’s see how.

Coming to the point, I have 2 VMs and a network that supports both IPv4 and IPv6:

  • IPv4 network range: 192.168.0.0/24
  • IPv6 network range: fc00::/64
  • Attacker, Kali Linux (VM): 192.168.0.102/24, fc00::5/64
  • Victim, RHEL 7 (VM): 192.168.0.110/24, fc00::3/64
  • Windows 8.1 Pro (physical machine): 192.168.0.100/24, fc00::4/64

Let’s proceed.

command: smurf6 eth0 fc00::3 ff02::1   (replace eth0 with your interface and fc00::3 with your victim; ff02::1 is the all-nodes multicast group and is also the default if the third argument is left out)

Wait a minute and you can see everyone in the office going crazy…!

I was able to take only one screenshot. Also, I was performing the attack from an SSH session into the Kali box. Otherwise every VM would have crashed, including my real machine, and there would have been nothing I could do except pull the power cable. Et… voilà…

Take a good look at the following screenshot and observe my notes on each window. You can see the CPU spiking after the attack has been launched.

Screenshot: CPUs of the systems on the network spiking

I am not sure why Offsec included this under stress testing. Maybe we can check how much the network and the network equipment can take by observing how long it takes for every node on the network to crash. Or, if the network is large and contains many hosts and services such as Windows AD, we can test whether the gateway can handle everything at once, or whether something has been done to prevent pinging the all-nodes address. For now, the simplest countermeasure for this attack is to stick with IPv4 and disable IPv6 on internal networks. Where IPv6 is needed, hosts that ignore echo requests addressed to multicast groups (newer Linux kernels expose this as the net.ipv6.icmp.echo_ignore_multicast sysctl) cannot be used as reflectors, which takes the amplification out of the attack.

Well, enjoy IPv6 smurfing while it lasts, and don’t forget to subscribe and follow us.