Beginners Guide to TShark (Part 2)

In the previous article, we learned about the basic functionalities of this wonderful tool called TShark. If you haven’t read it until now. Click here.

TL; DR

In this part, we will the Statistical Functionalities of TShark. We will understand different ways in which we can sort our traffic capture so that we can analyse it faster and effectively.

Table of Content

  • Statistical Options
  • Protocol Hierarchy Statistics
  • Read Filter Analysis
  • Endpoints Analysis
  • Conversation Analysis
  • Expert Mode Analysis
  • Packet Distribution Tree
  • Packet Length Tree
  • Color Based Output Analysis
  • Ring Buffer Analysis
  • Auto-Stop
    • Duration
    • File Size
  • Data-Link Types

Statistical Options

TShark collects different types of Statistics and displays their result after finishing the reading of the captured file. To accomplish this, we will be using the “-z” parameter with TShark. Initially, to learn about all the different options inside the “-z” parameter, we will be running the TShark with the “-z” parameter followed by the help keyword. This gives us an exhaustive list of various supported formats as shown in the image given below.

Protocol Hierarchy Statistics

Using the TShark we can create a Protocol based Hierarchy Statistics listing the number of packets and bytes using the “io,phs” option in the “-z” parameter. In the case where no filter is given after the “io,phs” option, the statistics will be calculated for all the packets in the scope. But if a specific filter is provided than the TShark will calculate statistics for those packets that match the filter provided by the user. For our demonstration, we first captured some traffic and wrote the contents on a pcap file using the techniques that we learned in part 1 of this article series. Then we will be taking the traffic from the file, and then sort the data into a Protocol Hierarchy.  Here we can observe that we have the frames count, size of packets in bytes and the Protocol used for the transmission.

Read Filter Analysis

During the first pass analysis of the packet, the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) has to be applied. Packets which are not matching the filter are not considered for future passes. This parameter makes sense with multiple passes. Note that forward-looking fields such as ‘response in frame #’ cannot be used with this filter since they will not have been calculated when this filter is applied. The “-2” parameter performs a two-pass analysis. This causes TShark to buffer output until the entire first pass is done, but allows it to fill in fields that require future knowledge, it also permits reassembly frame dependencies to be calculated correctly. Here we can see two different analysis one of them is first-pass analysis and the latter is the two-pass analysis.

Endpoints Analysis

Our next option which helps us with the statistics is the “endpoints”. It will create a table that will list all endpoints that could be seen in the capture. The type function which can be used with the endpoint option will specify the endpoint type for which we want to generate the statistics.

The list of Endpoints that are supported by TShark is:

Sno. Filter Description
1 “bluetooth” Bluetooth Addresses
2 “eth” Ethernet Addresses
3 “fc” Fiber Channel Addresses
4 “fddi” FDDI Addresses
5 “ip” IPv4 Addresses
6 “ipv6” IPv6 Addresses
7 “ipx” IPX Addresses
8 “jxta” JXTS Addresses
9 “ncp” NCP Addresses
10 “rsvp” RSVP Addresses
11 “sctp” SCTP Addresses
12 “tcp” TCP/IP socket pairs Both IPv4 and IPv6 supported
13 “tr” Token Ring Addresses
14 “usb” USB Addresses
15 “udp” UDP/IP socket pairs Both IPv4 and IPv6 supported
16 “wlan” IEEE 802.11 addresses

In case that we have specified the filter option then the statistics calculations are done for that particular specified filter. The table like the one generated in the image shown below is generated by picking up single line form each conversation and displayed against the number of packets per byte in each direction as well as the total number of packets per byte. This table is by default sorted according to the total number of frames.

Conversation Analysis

Let’s move on to the next option which is quite similar to the previous option. It helps us with the statistics is the “conversation”. It will create a table that will list all conversation that could be seen in the capture. The type function which can be used with the conversation option will specify the conversation type for which we want to generate the statistics.

If we have specified the filter option then the statistics calculations are done for that particular specified filter. The table generated by picking up single line form each conversation and displayed against the number of packets per byte in each direction, the total number of packets per byte as well as the direction of the conversation travel. This table is by default sorted according to the total number of frames.

Expert Mode Analysis

The TShark Statistics Module have an Expert Mode. It collects a huge amount of data based on Expert Info and then prints this information in a specific order. All this data is grouped in the sets of severity like Errors, Warnings, etc., We can use the expert mode with a particular protocol as well. In that case, it will display all the expert items of that particular protocol.

Packet Distribution Tree

In this option, we take the traffic form a packet and then drive it through the “http,tree” option under the “-z” parameter to count the number of the HTTP requests, their mods as well as the status code. This is a rather modular approach that is very easy to understand and analyse. Here in our case, we took the packet that we captured earlier and then drove it through the tree option that gave us the Information that a total of 126 requests were generated out of which 14 gave back the “200 OK”. It means that the rest of them either gave back an error or were redirected to another server giving back a 3XX series status code.

Packet Length Tree

As long as we are talking about the Tree option, let’s explore it a bit. We have a large variety of ways in which we can use the tree option in combination with other option. To demonstrate that, we decided to use the packet length option with the tree option. This will sort the data on the basis of the size of the packets and then generate a table with it. Now, this table will not only consist of the length of the packets, but it will also have the count of the packet. The minimum value of the length in the range of the size of the packets. It will also calculate the size as well as the Percentage of the packets inside the range of packet length

Color Based Output Analysis

Note: Your terminal must support color output in order for this option to work correctly.

We can enable the coloring of packets according to standard Wireshark color filters. On Windows, colors are limited to the standard console character attribute colors. In this option, we can set up the colors according to the display filter. This helps in quickly locating a specific packet in the bunch of similar packets. It also helps in locating Handshakes in communication traffic. This can be enabled using the following command.

Ring Buffer Analysis

By default, the TShark to runs in the “multiple files” mode. In this mode, the TShark writes into several capture files. When the first capture file fills up to a certain capacity, the TShark switches to the next file and so on. The file names that we want to create can be stated using the -w parameter. The number of files, creation data and creation time will be concatenated with the name provided next to -w parameter to form the complete name of the file.

The files option will fill up new files until the number of files is specified. at that moment the TShark will discard data in the first file and start writing to that file and so on. If the files option is not set, new files filled up until one of the captures stops conditions matches or until the disk is full.

There are a lot of criteria upon which the ring buffer works but, in our demonstration, we used 2 of them. Files and the Filesize.

files: value begin again with the first file after value number of files were written (form a ring buffer). This value must be less than 100000.

filesize: value switches to the next file after it reaches a size of value kB. Note that the file size is limited to a maximum value of 2 GiB.

Auto-Stop

Under the huge array of the options, we have one option called auto-stop. As the name tells us that it will stop the traffic capture after the criteria are matched.

Duration

We have a couple of options, in our demonstration, we used the duration criteria. We specified the duration to 10. This value is in seconds. So, the capture tells us that in the time of 10 seconds, we captured 9 packets.

File Size

Now another criterion for the auto-stop option is the file size. The TShark will stop writing to the specified capture file after it reaches a size provided by the user. In our demonstration, we set the filesize to 1. This value is in kB. We used the directory listing command to show that the capture was terminated as soon as the file reached the size of 1 kB.

Data-Link Types

At last, we can also modify the statistics of the captured traffic data based on the Data-Link Types. For that we will have to use an independent parameter, “-L”. In our demonstration, we used the “-L” parameter to show that we have data links like EN10MB specified for the Ethernet Traffic and others.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Hack the Box: Networked Walkthrough

Today, we’re sharing another Hack Challenge Walkthrough box: Networked design by Guly and the machine is part of the retired lab, so you can connect to the machine using your HTB VPN and then start to solve the CTF.

The level of the Lab is set: Beginner to intermediate.

Task: Capture the user.txt and root.txt flags.

Penetration Methodologies

Network Scanning

  • Nmap

Enumeration

  • Dirbuster

Exploiting

  • Malicious file upload

Privilege Escalation

  • Abusing Exec function via nohup
  • Abusing Sudo Right

Network Scanning

As we know the victim’s machine IP thus, we can start with Nmap scanning to identify the open ports and services running across it.

From this scanning result, we found that port 80 is open for HTTP. besides, port 22 is also open for SSH.

Enumeration

As a result, we looked at the victim IP in the web browser and the welcomed web page is shown in the image below.

I read the text given on the web page, but I didn’t find the message was enough to guess next clue, so I decided to go with the listing of the web directory.

Thus, I choose dirbuster for the directory brute force attack and enter the target URL.

As a result I found some php files and directories like /uploads and /backup as shown in the given image.

So, first I explored the /backup directory and found a backup.tar file on the website.

Without wasting a lot of time, we downloaded the file backup.tar in our local machine and extracted the file to analyze what’s in it.

So, basically, it holds some php files like index.php, lib.php, photos.php, and upload.php. Then we explored upload.php file where this file has been linked to uploads directory to validate uploaded photo via extensions like jpg, png, gif & jpeg.

Then I explored photo.php in the web browser and note that it was the photo gallery where the uploaded photos are available.

And when I scanned the /upload.php file in the web browser, I found the upload parameter that allows any image file to be uploaded.

It could be exploited by uploading a backdoor by injecting a malicious payload into the image. So, we’ve got the image named “1.png” that I used to inject a malicious payload.

After injected the payload with the help of exfil tool, I saved the image as shell.php.png

When all things are set then I upload the file “shell.php.png” and as a result, the uploaded file is shown to refresh the gallery successfully.

So, again we browse the http://10.10.10.photos.php file and found the link for our malicious file that we have uploaded.

Now, it was time to execute the backdoor but before that, we need to start netcat listener in the background.

Then finally! We obtained the victim’s machine reverse connection via netcat session and a bash shell. I found three files inside the /guly folder as: “check attack.php” “user.txt” “crontab.guly” where I try to read the user.txt file but couldn’t read it due to the least permission. 😓

Privilege Escalation

Then I explored crontab.guly where I found a cronjob running in the background to run attack php file every three minutes after that, the attack.php file will check for the malicious content inside /var /www /html/uploads and report it by mail to guly. In addition, the “exec”  function here is used for “nohup”, which stands for No Hungup.

The nohup command runs another program defined as its argument and disregards all signals from SIGHUP (hangup). The given exec function along with nohup will delete the files from the get namechecks function under $path = /var/www/html/uploads/ and $value.

Therefore, I decided to use the exec function by passing two arguments separated by semi-colon (;) under /var/www/html / uploads, so I use the touch command to build a file that will be our first argument and then continue the second argument separated by; for netcat reverse connection wait for three to get the reverse connection via new netcat session. 😇

We got a reverse connection of the host machine after three minutes in a new terminal where we had our netcat in listening mode and catch the 1st flag by reading user.txt file.

Now it’s time to get the root flag too, but we need to raise the root privileges for these, so we search for the user’s sudo permission.

So, we found user guly can run a program changename.sh from inside /user/local/sbin as root and fill the input which will give a root shell. Just move inside the/root directory and capture the root flag.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information SecurityContact here

Tempus Fugit: 1: Vulnhub Walkthrough

In this article, we are going to crack the Tempus Fugit: 1 Capture the Flag Challenge and present a detailed walkthrough. The machine depicted in this Walkthrough is hosted on Vulnhub. Credit for making this machine goes to 4nqr34z and DCAU. Download this lab by clicking here.

Level: Hard/Insane

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover Scan
    • Nmap Scan
  • Enumeration
    • Browsing HTTP Service in Browser
    • User Enumeration using Command Injection
    • Getting netcat session using Command Injection
    • Enumerating Cgroup for Dockers
    • Enumerating FTP service for CMS Credentials
    • Installing Nmap On Target Machine
    • Nmap Scan
  • Exploitation
    • Crafting Payload using MSFvenom
    • Transferring Payload to Target Machine
    • Getting Meterpreter Session
  • Post Exploitation
    • Port Forwarding using portfwd
    • Enumeration of /etc/hosts on Target Machine
    • Installing Bind Tools
    • Enumerating using DiG
    • Adding CMS URL in attacker’s /etc/hosts
    • Accessing the CMS
    • Exploiting CMS using a Theme template
    • Getting Session for www-data
    • Getting Credentials using Responder
    • Enumerating the mails of the user
    • Getting credentials of another user
  • Privilege Escalation
    • Enumerating for Sudoers List
    • Escalating Privilege using nice
  • Reading Root Flag

Walkthrough

Network Scanning

We downloaded, imported and ran the virtual machine (.ova) on the VMWare Workstation, the machine will automatically be assigned an IP address from the network DHCP. To begin we will find the IP address of our target machine, for that use the following command as it helps to see all the IP’s in an internal network:

We found the target’s IP Address 192.168.43.100. The next step is to scan the target machine by using the Nmap tool. This is to find the open ports and services on the target machine and will help us to proceed further

Enumeration

Here, we performed an Aggressive scan to gather maximum information in a single step. The scan revealed that we only have the TCP port 80 opened. It was running the Nginx server which is hosting the HTTP service. As for the lack of better option let’s get on to enumerate the port 80.

We have a very nice site, which looked like it is made of some popular CMS but, all my hard work exploring the webpage didn’t yield any benefit. But we did find this message.

It was in the About section, it tells us the meaning of the word Tempus Fugit which really translates to “Time Flies”. The message also informs that this webpage was designed to upload some scripts onto an internal FTP server. Now all we need to find that upload option. It was on the menu of the webpage. After enumerating for a while, it was clear that this upload option was white-listed. Only .txt and .rtf extensions were allowed. After an exhaustive list of ways to upload any kind of shell but we were unsuccessful. Now it hit us that we could try command injection through this upload option. We tried the very basic injection with “;whoami”. For this we intercepted the request on the “Upload!” and added the injection text in the filename field as shown in the image given below. After this, we forwarded the request to the Target Machine Server.

It’s good news! The injection was successful. We get a reply “root”. Now the next logical step is to enumerate around the application.

For enumeration, we thought that Directory Listing is a good way. So, we replaced “;whoami” injection to “;ls”. After performing the ls command injection, we see that we have all the files in the directory listed. This was a pretty consolidated format. But we clearly saw that there was a file named main.py. This must be important.

We tried to read the main.py file using the cat command. We get an error “Only RTF and TXT files are allowed”. We deduced from this is that the filter is not allowing “.py” in the injection as well. So, to work around this filter, we thought to try the wildcard option (*).

It worked! We were able to read the main.py file. It was the internal FTP server that is working on the backend. On taking a closer look we see that we have a username and a hash which looks like MD5.

Now, we cannot proceed further without a proper shell to work. But as we figured out earlier that the dot (.) is also blacklisted. We went on to the internet to find the representation of IP Address without the dot. We came across Long IP. So, we thought of trying to gain the session using the Long IP format of our attacker IP. The conversion to Long IP was not difficult, there were many converters available online.

Now using the command injection, we found earlier, we entered a netcat invocation shell command. This command invoked a shell on port 6666 on our attacker machine.

We started a Listener before executing the command to invoke a shell. After execution, we get the shell. But to convert the improper shell into TTY shell, we used the python one-liner. Now that we have the TTY shell, we ran the whoami command which told us that we are the root user.

Now we knew that this was not that easy. So, we went straight up to the root directory. Here we see that we have a text file named message.txt. We read the contents of the message.  As expected, it tells us that we are not done yet.

Now we started to enumerate the other directories that are available for us in search of some hint to move forward. We used the ls command in the root directory which revealed a folder named .ncftp. We decided to take a look at it. Inside it, we found some files, in which trace.234 file revealed some information that was worth looking into. We saw that there was an IP Address that didn’t seem to be part of our subnet. There were attempts to connect to that particular IP Address.

At this moment it hit us that, as we are root and there are multiple IP Addresses involved. It is possible that we are in a docker environment. So, to confirm that we tried to read the proc cgroup file. As expected, we are indeed in a docker environment. As we know that we can run the netcat in this environment, and we found a new IP Address inside an NcFTP directory. We had a hunch that the IP Address we found must be running an NcFTP service. To confirm, we ran a port scan using the netcat on the IP Address we found as shown in the image given below.

Our port scan reveals that the IP Address we found is running an FTP service on port 21. We used the lftp command to login into the FTP service. We used the credentials that we found in the main.py earlier. Now, we found a hash in the main.py. We decoded it and it came out to be “mofo”. We tried that as a password. But it wasn’t a success. So, we tried the hash as a password. That worked and we were inside the FTP Server.  Now in the FTP server, we found a cmscreds.txt file. In this file, we have a set of credentials that would help us logging into a CMS but the location of CMS still remains a mystery.

We went back to the root directory where we found the .ncftp directory. Here we found a file named .python_history. Anything that is hidden, and is named history is worth looking into. So, we dig in to find a set of credentials. But wait there is more. We have an IP Address that is mentioned inside the code. We see that this seems to be out on a different subnet. But definitely requires investigation.

Now, although we have the standard netcat method to scan for active ports, we need something more powerful. Nmap. I checked if we have Nmap installed on this machine. But it wasn’t. Then it hit us, that we are root. So, if there is something that is not installed, we can install it. I tried apt install Nmap but that gave back an error. So, I investigated on the flavour of the Linux that we have here. Then while we were reviewing our steps, there we saw that when we read the file named trace.234. It tells us that our Target is running Alpine Linux 3.7. That’s quite helpful. This means that we will have to run the apk add command to get Nmap installed. Now as we are surrounded by multiple IP Address that is only accessible through the target machine. We went on the mission to find all the IP Address that is in question by scanning the whole subnet for available IP Addresses. This gave us a total of 4 IP Addresses.

We decided to start with the 172.19.0.1 and we saw that it has the port 22, 80 and 8080 open. And we have some sort of Proxy running on the system. Now whenever we come across a proxy, we know we have to use port forwarding to get through. There are multiple ways to do this. But we prefer using Metasploit. For this, we will have to gain a meterpreter session on the system.

Exploitation

To gain meterpreter, we first need to craft a payload. We used the msfvenom for this task. As the target machine was running Alpine Linux. We decided to craft the payload in .elf format. After creating the payload, we use the python one line to host the payload on the port 80 in order to transfer the payload from our attacker machine to target machine.

Now, onto the session that we have of the target machine. We used wget to download the payload file to the target machine. Now we need to give proper permissions to the payload so that it can be executed easily.

Post Exploitation

After giving proper permissions, we execute the elf file. After execution, we see that we have the meterpreter session on our attacker machine. Now, we used the portfwd command to forward the 8080 port of the internal IP to our attacker machine i.e., Kali Linux.

We tried to access the CMS but we were not successful. This means that some more enumeration is required. We went back to our shell on the target machine and started to look around. As the CMS was not accessible, we thought to take a look at the etc directory for any hosts. Here we found “sid” mapped to the IP Address of CMS. We looked inside the resolve.conf and found “mofo.pwn” written.

It was quite possible this might be the host that would lead us to the CMS. To confirm our suspicions, we decided to use the bind tools. As they were not installed, we used the apk add command to install those. After that, we ran the dig command and found the host that we were looking for. ourcms.mofo.pwn seems to be the host that would take us to the CMS that we need.

Since the Tempus Fugit original webpage is still running on the target IP Address, we need to kill that process in order to access this CMS. We ran the netstat command and found that Nginx running with the PID 9. So, we killed it.

Now to access the CMS, we need to add that host we found in our i.e., Kali’s /etc/hosts file.

Now, all that left is to access the CMS from our browser. As we forwarded the port. We will access the webpage on 8080.

Finding the admin login panel was quite easy and if we remember correctly, we have the credentials for this CMS.

After logging in the CMS, we went to the Themes Section. Themes are mostly designed in PHP format and those are easier to edit and gain a shell. We edited the Innovation Theme’s template file.

We replaced the contents of the template.php file with the PHP reverse shell payload and edited the IP Address and the port as shown in the image given below.

Now before saving and accessing the template from the URL provided. We ran a netcat listener to receive the session that would be generated by the reverse shell payload upon execution. The shell popped up. We ran the whoami command and found that we are www-data user. Now we need to escalate privilege from here.

Here we were stuck for a bit, there was almost no hint possible and we were left with enumeration. Here we contacted the author and got the hint that Wireshark would be helpful. If Wireshark is helpful it means that there must be some queries in the network. We ran the Wireshark to find some DNS queries in the network but to get some credentials we need the responder tool. We ran the responder and let it work for a while in the network. After a while, we got some credentials. It was for the user roxi.

We used the su command to login as roxi.

We started our enumeration for this user roxi. We see that this user has some mails.

Let’s dig into that. There was some elaborate story in those emails but in the end, these mails have some credentials. It was for the user dorelia.

Privilege Escalation

We again used the su command to login as the newly found user named dorelia. Let’s use the sudo -l command to enumerate if this user can run some application with root privileges.

Dorelia user can run the “nice” command as the Nancy user which we suppose have the root access. We need to find more about this “nice”. We used the help parameter to get some information about this command. At last, we checked the gtfobin for the nice command and found a way to escalate privileges using the nice command. So, we ran the nice command to invoke the sh shell with the sudo command. This gave us the root privileges.

Reading Root Flag

We traversed to the root directory to find the flag and we have a script here named proof.sh. We ran the script and it gave us the final flag.

This was a long tiring but learning experience, I would like to thank the lab authors for creating such a lab that helped me learn so much. Also, I would like to thank Erik for his help.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Evil SSDP: Spoofing the SSDP and UPnP Devices

TL; DR

Spoof SSDP replies and creates fake UPnP devices to phish for credentials and NetNTLM challenge/response.

Disclaimer

Table of Content

  • Introduction
    • What is SSDP?
    • What are UPnP devices?
  • Installation
  • Spoofing Scanner SSDP
    • Template Configuration
    • Manipulating User
    • Grabbing the Credentials
  • Spoofing Office365 SSDP
    • Template Configuration
    • Manipulating User
    • Grabbing the Credentials
  • Spoofing Password Vault SSDP
    • Template Configuration
    • Manipulating User
    • Grabbing the Credentials
  • Spoofing Microsoft Azure SSDP
    • Template Configuration
    • Manipulating User
  • Mitigation

Introduction

What is SSDP?

SSDP or Simple Service Discovery Protocol is a network protocol designed for advertisement and discovery of network services. It can work without any DHCP or DNS Configuration. It was designed to be used in residential or small office environments. It uses UDP as the underlying transport protocol on port 1900. It uses the HTTP method NOTIFY to announce the establishment or withdrawal of services to a multicast group. It is the basis of the discovery protocol UPnP.

What are UPnP devices?

UPnP or Universal Plug and Play is a set of networking protocols that allows networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points, and mobile devices to discover each other’s availability on the network and establish network services for communications, data sharing, and entertainment. The UPnP architecture supports zero-configuration networking. A UPnP compatible device from any vendor can dynamically join a network, obtain an IP address, announce its name, advertise or convey its capabilities upon request, and learn about the presence and capabilities of other devices.

Now that we understood the basic functions of SSDP or UPnP, let’s use it to manipulate the target user in order to steal their credentials.

Installation

The Evil SSDP too was developed by initstring. This tool is hosted on the GitHub. We will be using the git clone command to clone all the contents of the git onto our attacker machine. The git clone command will create a directory with the same name as on GitHub. Since the tool is developed in Python version 3, we will have to use the python3 followed by the name of the .py file in order to run the program. Here we can see a basic help screen of the tool.

In the cloned directory, we will find a directory named templates. It contains all the pre complied templates that can be used to phish the target user.

Spoofing Scanner SSDP

Now, that we ran the tool without any issues, let’s use it to gain some sweet credentials. In this first Practical, we will be spoofing a Scanner as a reliable UPnP device. To begin, we will have to configure the template.

Template Configuration

To use the tool, we will have to provide the network interface. Here, on our attacker machine, we have the “eth0” as our interface, you can find your interface using the “ifconfig” command.

After providing the interface, we will use the “–template” parameter to pass a template that we found earlier in the templates directory. To spoof a scanner, we will be running the following command. As we can see that the tool has done its job and hosted multiple template files on our attacker machine at port 8888. We also have the SMB pointer hosted as well.

Manipulating User

The next logical step is to manipulate the user to click on the application. Being on the same network as the target will show our fake scanner on its explorer. This is where the UPnP is in works. The Evil SSDP tool creates this genuine-looking scanner on the system on the target without any kind of forced interaction with the target.

Upon clicking the icon inside the Explorer, we will be redirected to the default Web Browser, opening our hosted link. The templates that we used are in play here. The user is now aware he/she is indeed connected to a genuine scanner or a fake UPnP device that we generated. Unaware target having no clue enters the valid credentials on this template as shown in the image given below.

Grabbing the Credentials

As soon as the target user enters the credentials, we check our terminal on the attacker machine to find that we have the credentials entered by the user. As there is no conversation required for each target device, our fake scanner is visible to each and every user in the network. This means the scope of this kind of attack is limitless.

Spoofing Office365 SSDP

In the previous practical, we spoofed the scanner to the target user. Now, ongoing through the template directory, we found the Office365 template. Let’s use it.

Template Configuration

As we did previously, let’s begin with the configuration of the template as well as the tool. We are going to use the python3 to run the tool followed by the name of the python file. Then providing the network interface which indeed will be followed by the template parameter with the office365.

As we can see that the tool has done its job and hosted multiple template files on our attacker machine at port 8888.

Manipulating User

As soon as we run the tool, we have a UPnP device named Office365 Backups. This was done by the tool without having to send any file, payload or any other type of interaction to the target user. All that’s left is the user to click on the icon.

Upon being clicked by the user, the target user is redirected to our fake template page through their default browser. This is a very genuine looking Microsoft webpage. The clueless user enters their valid credentials onto this page.

Grabbing the Credentials

As soon as the user enters the credentials and they get passed as the post request to the server, which is our target machine, we see that on our terminal, we have the credentials.

Diverting User to a Password Vault SSDP

Until now, we successfully spoofed the target user to gain some scanner credentials and some Office365 backup credentials. But now we go for the most important thing that is used as a UPnP, The Password Vault.

Template Configuration

As we did in our previous practices, we will have to set up the template for the password-vault. In no time, the tool hosts the password-vault template onto the port 8888.

Manipulating User

Moving onto the target machine, we see that the Password Vault UPnP is visible in the Explorer. Now lies that the user clicks on the device and gets trapped into our attack. Seeing something like Password Vault, the user will be tempted to click on the icon.

As the clueless user thinks that he/she has achieved far most important stuff with the fake keys and passwords. This works as a distraction for the user, as this will lead the user to try this exhaustive list of credentials with no success.

Spoofing Microsoft Azure SSDP

While working with Spoofing, one of the most important tasks is to not let the target user know that he/she has been a victim of Spoofing.  This can be achieved by redirecting the user after we grab the credentials or cookies or anything that the attacker wanted to acquire. The evil_ssdp tool has a parameter (-u) which redirects the targeted user to any URL of the attacker’s choice. Let’s take a look at the working of this parameter in action.

To start, we will use the python3 for loading the tool. Followed by we mention the Network Interface that should be used. Now for this practical, we will be using the Microsoft Azure Storage Template. After selecting the template, we put the (-u) parameter and then mention any URL where we want to redirect the user. Here we are using the Microsoft official Link. But this can be any malicious site.

Manipulating User

Now that we have started the tool, it will create a UPnP device on the Target Machine as shown in the image given below. For the attack to be successful, the target needs to click on the device.

After clicking the icon, we see that the user is redirected to the Microsoft Official Page. This can be whatever the attacker wants it to be.

This concludes our practical of this awesome spoofing tool.

Mitigation

  • Disable UPnP devices.
  • Educate Users to prevent phishing attacks
  • Monitor the network for the password travel in cleartext.

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here