old notes

aircrackng

#networking #dns #nslookup #dig #cname #aircrackng #UofTBootcamp

Follow-Up Questions from Homework9

Q2 – does it matter that we are getting non-authoritative answers from a recursive resolver (8.8.8.8) vs getting an authoritative one? – what is the difference between using this:

nslookup -type=cname www.theforce.net

and getting:

Non-authoritative answer:
www.theforce.net canonical name = theforce.net.

VS.

nslookup -type=cname theforce.net

and getting:

Non-authoritative answer:
*** Can't find theforce.net: No answer

Authoritative answers can be found from:
theforce.net
  origin = WebPublish_Othe
  mail addr = hostmaster
  serial = 2017110901
  refresh = 900
  retry = 600
  expire = 86400
  minimum = 3600

https://stackoverflow.com/questions/66014432/how-to-find-the-canonical-name-with-nslookup

Q3: – what does NX DOMAIN tell us for sure? https://bluecatnetworks.com/blog/what-you-can-learn-from-an-nxdomain-response/ – follow-up on conclusion


Networking Fundamentals: Homework 9

Your task is a crucial one: Restore the Resistance's core DNS infrastructure and verify that traffic is routing as expected.

Mission 1:

Network Issue:

The Resistance has taken down their primary DNS and email servers in order to build and deploy a new DNS and mail server, but they are not currently receiving emails because they have not configured MX records for the new email servers.

DNS record type found:

We want to check the MX records (mail exchanger records), which specify which mail servers accept email sent to our domain, with: nslookup -type=mx starwars.com

DNS records that can explain the reasons for existing network issue:

According to our nslookup results, the new mail servers are not listed. The primary mail server for starwars.com should be asltx.l.google.com and the secondary email should be asltx.2.google.com.

```
Server:   192.168.2.1
Address:  192.168.2.1#53

Non-authoritative answer:
starwars.com mail exchanger = 5 alt2.aspmx.l.google.com.
starwars.com mail exchanger = 1 aspmx.l.google.com.
starwars.com mail exchanger = 10 aspmx2.googlemail.com.
starwars.com mail exchanger = 10 aspmx3.googlemail.com.
starwars.com mail exchanger = 5 alt1.aspx.l.google.com.
```

Instead, the primary server (indicated by the preference value of 1 before the server address) is aspmx.l.google.com. The secondary server is either alt2.aspmx.l.google.com. or alt1.aspx.l.google.com., as both addresses have the next preference value of 5.

It's likely that these are the old servers and someone has forgotten to change the MX record configuration to the new servers at: asltx.l.google.com and asltx.2.google.com.

Recommended fixes to save the Galaxy!

The corrected MX record should be:

```
starwars.com mail exchanger = 1 asltx.l.google.com
starwars.com mail exchanger = 2 asltx.2.google.com
```
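A small parser for the nslookup MX output above, added here as an example (it is not part of the homework or of any tool's own code): it orders the records by preference, reports the primary and the equal-preference backups, and lists which of the expected new servers are missing. The sample output is the Mission 1 listing, embedded inline.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: the nslookup -type=mx output quoted in Mission 1,
# one record per line.
NSLOOKUP_MX_OUTPUT = """\
Server:   192.168.2.1
Address:  192.168.2.1#53

Non-authoritative answer:
starwars.com mail exchanger = 5 alt2.aspmx.l.google.com.
starwars.com mail exchanger = 1 aspmx.l.google.com.
starwars.com mail exchanger = 10 aspmx2.googlemail.com.
starwars.com mail exchanger = 10 aspmx3.googlemail.com.
starwars.com mail exchanger = 5 alt1.aspx.l.google.com.
"""

# The servers the assignment says should be in the MX set.
EXPECTED_NEW_SERVERS = ["asltx.l.google.com", "asltx.2.google.com"]

MX_LINE = re.compile(r"^(?P<domain>\S+)\s+mail exchanger = (?P<pref>\d+)\s+(?P<host>\S+)\s*$")


def parse_mx(output: str) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs sorted by preference; trailing dots stripped."""
    records = []
    for line in output.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group("pref")), m.group("host").rstrip(".").lower()))
    return sorted(records)


def primary_and_backups(records: List[Tuple[int, str]]) -> Tuple[Optional[List[str]], List[str]]:
    """Lowest preference value is tried first; equal values are tried in any order."""
    if not records:
        return None, []
    best = records[0][0]
    primary = [h for p, h in records if p == best]
    higher = sorted({p for p, _ in records if p > best})
    backups = [h for p, h in records if higher and p == higher[0]]
    return primary, backups


def missing_expected(records: List[Tuple[int, str]], expected: List[str]) -> List[str]:
    """Expected hosts that are absent from the MX set (the Mission 1 finding)."""
    present = {h for _, h in records}
    return [h for h in expected if h.rstrip(".").lower() not in present]


if __name__ == "__main__":
    recs = parse_mx(NSLOOKUP_MX_OUTPUT)
    prim, back = primary_and_backups(recs)
    print("primary:", prim, "next in line:", back)
    print("missing:", missing_expected(recs, EXPECTED_NEW_SERVERS))
```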

Mission 2:

Network Issue:

Official emails are going into spam or being blocked because the SPF record has not been updated to reflect the new IP address of their mail server. Since the SPF record indicates which mail servers are allowed to send emails on behalf of a domain, emails from the IP address of the new mail server (missing from the current SPF record) are likely to be filtered out as spam.

DNS record type found:

Looking up the SPF (Sender Policy Framework) record with nslookup -type=txt theforce.net | grep spf finds the following SPF record:

theforce.net text = "v=spf1 a mx mx:smtp.secureserver.net include:aspmx.googlemail.com ip4:104.156.250.80 ip4:45.63.15.159 ip4:45.63.4.215"

Alternatively, we can use the dig DNS lookup utility: dig theforce.net txt | grep spf, which confirms the same SPF record:

theforce.net. 3498 IN TXT "v=spf1 a mx mx:smtp.secureserver.net include:aspmx.googlemail.com ip4:104.156.250.80 ip4:45.63.15.159 ip4:45.63.4.215"

DNS records that can explain the reasons for existing network issues:

The servers currently allowed to send emails for the domain are the following IPv4 hosts: 104.156.250.80, 45.63.15.159, and 45.63.4.215. The new one (45.23.176.21) has not been added. It is likely that, as in Mission 1, someone forgot to update the record after the changes made while the network was down.

Recommended fixes to save the Galaxy!

We have not been given data regarding the other mail server IP addresses. If we assume that those are still correct and do not need to be removed, we only need to add the missing IP, so the corrected record should be:

theforce.net. 3498 IN TXT "v=spf1 a mx mx:smtp.secureserver.net include:aspmx.googlemail.com ip4:104.156.250.80 ip4:45.63.15.159 ip4:45.63.4.215 ip4:45.23.176.21"
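An offline check of the SPF records above, added here as an example (not the homework's or any SPF library's code): it splits the record into terms and tests whether a sender IP is covered by an ip4/ip6 term, showing that 45.23.176.21 passes only against the corrected record. The a, mx and include terms need DNS lookups, so the check just reports them as unresolved.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample input: the TXT record quoted in Mission 2 (current) and
# the proposed correction with the new server's address appended.
CURRENT_SPF = ("v=spf1 a mx mx:smtp.secureserver.net include:aspmx.googlemail.com "
               "ip4:104.156.250.80 ip4:45.63.15.159 ip4:45.63.4.215")
CORRECTED_SPF = CURRENT_SPF + " ip4:45.23.176.21"

# Mechanisms whose outcome depends on DNS and therefore cannot be decided offline.
DNS_DEPENDENT = ("a", "mx", "include", "exists", "ptr")


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Split an SPF record into (qualifier, mechanism, argument) terms.
    A missing qualifier means '+' (pass), as RFC 7208 specifies."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qual, name.lower(), arg))
    return parsed


def ip_authorized(record: str, sender_ip: str) -> Optional[Tuple[str, str]]:
    """Return (qualifier, term) of the first ip4/ip6 term matching sender_ip, or None.
    A bare address is treated as /32 (or /128), as SPF does."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, name, arg in parse_spf(record):
        if name in ("ip4", "ip6") and arg:
            if ip in ipaddress.ip_network(arg, strict=False):
                return qual, f"{name}:{arg}"
    return None


def unresolved_terms(record: str) -> List[str]:
    """Terms the offline check could not evaluate, so the reader knows its limits."""
    return [f"{n}:{a}" if a else n for _, n, a in parse_spf(record) if n in DNS_DEPENDENT]


if __name__ == "__main__":
    for label, rec in (("current", CURRENT_SPF), ("corrected", CORRECTED_SPF)):
        print(label, "->", ip_authorized(rec, "45.23.176.21"), "| unresolved:", unresolved_terms(rec))
```

Neither record ends in an `all` term, so a real evaluator that matches nothing falls through to a neutral result rather than a fail.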

Mission 3:

Network Issue:

DNS record type found:

We need to check the CNAME record of resistance.theforce.net to see why it is not redirecting to theforce.net. A CNAME record points one name at another, so if we want the resistance.theforce.net subdomain to point to theforce.net, we need a CNAME configured to do so.

DNS records that can explain the reasons for existing network issues:

Looking up the CNAME (Canonical Name) of www.theforce.net with nslookup in interactive mode, in order to examine a correct CNAME configuration where www.theforce.net is redirected to theforce.net:

```
nslookup                (enter interactive mode)
> set query=CNAME       (set the query type to CNAME)
> www.theforce.net      (the name to query)
```

This gives the following (relevant) output:

www.theforce.net canonical name = theforce.net.

Alternatively, we can use the single-line command nslookup -type=CNAME www.theforce.net, or dig www.theforce.net | grep CNAME if we would like to confirm things in multiple ways before moving forward:

www.theforce.net. 2321 IN CNAME theforce.net. is the output from dig, indicating the correct configuration.

Looking up why our resistance.theforce.net is not redirecting to theforce.net:

Using nslookup -type=CNAME resistance.theforce.net we get: ** server can't find resistance.theforce.net: NXDOMAIN, which is an error message indicating the DNS query failed because the queried name (resistance.theforce.net) does not exist, or the resolver could not determine that it exists.

This could mean (if we assume we have not made a user error in our query, i.e. mistyping the address):

  • the domain is currently offline or is having server issues
  • a security control is blocking the domain
  • the domain could be compromised, or malware exists

To follow up, we can first check whether the domain is offline using https://isitup.org/resistance.theforce.net, which indicates that the domain is down. This makes sense because we are supposed to be redirecting resistance.theforce.net to the CNAME target theforce.net, so the subdomain should not exist on its own.

Recommended fixes to save the Galaxy!

To fix this, we need to correct the CNAME record configuration to have this line:

resistance.theforce.net canonical name = theforce.net.

Mission 4:

Network Issue:

DNS record type found:

DNS records that can explain the reasons for existing network issues:

Recommended fixes to save the Galaxy!

Mission 5:

Network Issue:

Slow network traffic from the planet of Batuu to Jedha due to an attack on Planet N.

The routing protocol in use is OSPF Open Shortest Path First.

Recommended fixes to save the Galaxy!

The new path to use is:

Mission 6:

Your Mission:

  • Figure out the Dark Side's secret wireless key by using Aircrack-ng.

Results from running Aircrack-ng with the password list downloaded from: https://github.com/danielmiessler/SecLists/blob/master/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt

```
[00:00:00] 3432/4800 keys tested (10349.88 k/s)

Time left: 0 seconds                                      71.67%

                    KEY FOUND! [ dictionary ]

Master Key    : B3 52 50 D0 9F 8E AB BD 0D 9E 3D D3 A3 62 12 82
                9E FA 89 FC 19 1D A4 4A 3E 7A 40 9C D4 DF 68 DC

Transient Key : DF 26 D4 B0 47 58 E5 AB 33 66 35 14 87 70 7E 46
                9E 93 3F 48 3A AE BE F5 0A 58 81 82 B1 59 56 A4
                05 C4 04 F4 F0 E2 27 45 49 3D 51 9C A0 E0 AA 83
                5F 63 D5 35 A5 56 52 24 35 70 31 08 BE 99 F6 15

EAPOL HMAC    : 3E B9 D6 B8 63 69 A7 8B 83 EA 2A 3A 71 ED CF 59
```

The password is: dictionary. We use this password to decrypt the WPA traffic in Wireshark.

  • Once you have decrypted the traffic, figure out the following Dark Side information:

    • Host IP Addresses and MAC Addresses by looking at the decrypted ARP traffic.

Host:
  Sender MAC address: IntelCor_55:98:ef (00:13:ce:55:98:ef)
  Sender IP address: 172.16.0.101 (172.16.0.101)

Looking for:
  Sender MAC address: Cisco-Li_e3:e4:01 (00:0f:66:e3:e4:01)
  Sender IP address: 172.16.0.1 (172.16.0.1)

Mission 7:

Viewing the DNS record from Mission #4, specifically looking for a hidden message in the TXT record:

nslookup -type=txt princessleia.site to find this message:

princessleia.site text = "Run the following in a command line: telnet towel.blinkenlights.nl or as a backup access in a browser: www.asciimation.co.nz"

Take a screen shot of the results:

Note: This was the coolest last homework question ever! And thank you for reading.

#networking #dhcp #nat #bridgemode #tcpip #OSI #mask #subnet #gateway #definitions #wireshark #aircrackng #80211

Follow-Up Questions

  • the Wireless Toolbar no longer exists in view > it is now in Wireshark > Preferences > Protocols > IEEE 802.11
  • DHCP attack bonus question
  • Analyzing Wireless Security activity follow-up on beacon = WAP?
  • Final activity: no WPA version = no security? + meaning of all the 802.11 info terms

Self-Learning Notes

DHCP is an extension of BOOTP mechanism: DHCP uses BOOTP as its transport protocol

Activity 9.04 on DHCP Attacks

These employees are receiving error messages saying no local IP addresses are available, indicating a potential issue with DHCP:

  • no local IP addresses available = likely a starvation attack

  1. Create a filter to determine the count for each DHCP activity:
     • DHCP Discover: dhcp.option.dhcp == 1 – 150
     • DHCP Offer: dhcp.option.dhcp == 2 – 32
     • DHCP Request: dhcp.option.dhcp == 3 – 1

QUESTION: Why does the Request say *REF*?

  2. Based on these results, summarize what type of attack may have occurred, and why you believe Acme Corp's employees are having network issues.
     • There were 150 DHCP Discover requests and 32 DHCP Offer responses, so it is likely that most of these requests were fraudulent and made the DHCP server run out of IPs.

Bonus

  • Analyze the source MAC addresses of the DHCP activities and summarize what the attacker is doing.

QUESTION: What does this mean?

[Expert Info (Warning/Protocol): Source MAC must not be a group address: IEEE 802.3-2002, Section 3.2.3(b)]
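Detection logic for the pattern in this activity, added here as an example (it is not the activity's pcap or Wireshark's code): it counts Discover/Offer/Request messages over a constructed event list with the same 150/32/1 counts, flags a likely starvation pattern when Discovers from many distinct clients far outnumber Offers, and lists any source MAC with the IEEE 802 I/G bit set, which is what the "Source MAC must not be a group address" warning above refers to.

```python
from collections import Counter
from typing import Dict, List, Tuple

# DHCP message type codes carried in option 53 (Wireshark field dhcp.option.dhcp).
DISCOVER, OFFER, REQUEST, DECLINE, ACK = 1, 2, 3, 4, 5


def constructed_events() -> List[Tuple[int, str]]:
    """Constructed sample capture (not the activity's pcap): (message type, source MAC).
    150 Discovers from 150 different client MACs, 32 Offers from one server, 1 Request."""
    events = []
    for i in range(150):
        # An even first octet is an individual address; a few odd ones (group bit set)
        # are deliberately included to reproduce the Wireshark warning.
        first = 0x01 if i % 50 == 0 else 0x02
        events.append((DISCOVER, f"{first:02x}:00:5e:00:{i // 256:02x}:{i % 256:02x}"))
    events += [(OFFER, "00:11:22:33:44:55")] * 32   # the DHCP server's MAC (constructed)
    events.append((REQUEST, "02:00:5e:00:00:07"))   # one client actually accepts an offer
    return events


def is_group_address(mac: str) -> bool:
    """IEEE 802 I/G bit: the least significant bit of the first octet set means a
    group (multicast/broadcast) address, which is never valid as a frame's source."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def analyze(events: List[Tuple[int, str]], discover_per_offer_ratio: float = 3.0,
            min_clients: int = 20) -> Dict[str, object]:
    """Summarise message counts and flag the starvation pattern: many distinct
    clients sending Discovers while the server can only answer a fraction."""
    types = Counter(t for t, _ in events)
    clients = {mac for t, mac in events if t == DISCOVER}
    bad_src = sorted({mac for t, mac in events if t != OFFER and is_group_address(mac)})
    starvation = (types[DISCOVER] >= min_clients and len(clients) >= min_clients
                  and types[DISCOVER] > discover_per_offer_ratio * max(types[OFFER], 1))
    return {
        "discover": types[DISCOVER], "offer": types[OFFER],
        "request": types[REQUEST], "ack": types[ACK],
        "distinct_clients": len(clients),
        "starvation_suspected": starvation,
        "group_source_macs": bad_src,
    }


if __name__ == "__main__":
    for key, value in analyze(constructed_events()).items():
        print(f"{key}: {value}")
```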

Activity: Analyzing Wireless Security

  • all the beacons are wireless routers, yes? 45
  • 44 using WPA1, 1 using nothing?

Aircrack-ng Practice Activity:

  • KEY FOUND! [ 1F:1F:1F:1F:1F ]
  • ARP flood attack clearly happening
  • 802.11 has a lot of: Acknowledgement, Association Response, Authentication, Clear-to-Send, Disassociate
  • 1 x 802.11 Beacon frame from SSID Appart, BSS Id: Arcadyan_12:32:29 (00:12:bf:12:32:29), with no security???
  • There are IGMPv2 packets: IGMP (Internet Group Management Protocol) is a host-router multicast signalling protocol that provides dynamic registration of hosts to the desired multicast groups.


9.1 CLASS NOTES:

NAT Pathway:

(1) connecting to the internet:
  • outbound packet's destination port is standard, i.e. 80 or 443
  • source port is randomly generated and unique for each connection
  • when the website replies, it sends packets back to you with source/destination IPs reversed

In detail, loading Reddit:
  • client sends a packet to the router addressed to Reddit's IP + port 80/443, with its own source data (the TRANSPORT LAYER encapsulates this data)
  • computer checks its subnet mask and compares its own IP with the destination IP to determine whether the destination is behind the same router or will need routing services: ARP Resolution Request

Example:

[192.168.0.2] [255.255.255.255] [ Who has router IP 192.168.0.1? ]   (broadcast on the LAN)

[192.168.0.1] [192.168.0.2] [ I have the router IP, and you can reach me via MAC address ffff ]

Your computer now knows how to reach the router, so now it fires the porn browsing packet to the router:

[192.168.0.2] [1.2.3.4] [ open connection ]

The router, upon receiving this packet, is smart enough to know that it's a connection request, so first it adds the source, destination and port to something called a NAT table, which looks like this:

| Source Port | Destination Port | Local IP     | Remote IP |
|-------------|------------------|--------------|-----------|
| 96354       | 80               | 192.168.0.2  | 1.2.3.4   |
| 88965       | 22               | 192.168.0.3  | 4.5.6.7   |
| 12345       | 8888             | 192.168.0.99 | 9.9.3.9   |

  • router then forwards the packet out to the internet, changing the source IP from the internal address to its own unique public IP
  • can also change the source port in order to avoid conflict, since multiple machines could be attempting to reach reddit.com at the same time and could be using the same source port numbers
  • NAT table: the table that the router keeps, mapping the original internal IP/port to the translated IP/port that the router changed the packet to
  • when reddit replies, the router looks up the received destination port number (the destination IP will always be the router's IP)
  • translates the destination of incoming packets back to the original IP/port
  • since TCP has an explicit connection handshake/termination process, the router is able to see when connections are terminated and clear those from the table
  • UDP is trickier because it's "stateless", so the router basically has to use a timeout that resets every time a new packet is seen
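A small simulation of the NAT pathway above, added here as an example (not the course's code): translated ports are allocated per connection so two hosts using the same source port do not collide, replies are matched on the destination port and rewritten back to the original host, TCP entries are dropped on teardown and UDP entries by idle timeout. The public IP 203.0.113.5 and all ports are constructed values.

```python
from typing import Dict, Optional

Packet = Dict[str, object]   # keys: src_ip, src_port, dst_ip, dst_port, proto


class NatRouter:
    """Port-translating NAT: the table maps a translated port to the original
    5-tuple plus the time the mapping was last used."""

    def __init__(self, public_ip: str, first_port: int = 40000, udp_timeout: int = 60):
        self.public_ip = public_ip
        self.next_port = first_port
        self.udp_timeout = udp_timeout
        # translated port -> (local ip, local port, remote ip, remote port, proto, last seen)
        self.table: Dict[int, tuple] = {}

    def _find_port(self, key: tuple) -> Optional[int]:
        for port, entry in self.table.items():
            if entry[:5] == key:
                return port
        return None

    def outbound(self, pkt: Packet, now: int) -> Packet:
        """Rewrite an internal host's packet with the router's IP and a unique port."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"], pkt["proto"])
        port = self._find_port(key)
        if port is None:
            # Always hand out a fresh port: two hosts may have picked the same source port.
            port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = key + (now,)
        return {**pkt, "src_ip": self.public_ip, "src_port": port}

    def inbound(self, pkt: Packet, now: int) -> Optional[Packet]:
        """A reply arrives addressed to the router: translate it back, or drop it
        when no mapping exists or the sender is not the mapping's peer."""
        entry = self.table.get(pkt["dst_port"])
        if entry is None or pkt["dst_ip"] != self.public_ip:
            return None
        local_ip, local_port, remote_ip, remote_port, proto, _ = entry
        if (pkt["src_ip"], pkt["src_port"], pkt["proto"]) != (remote_ip, remote_port, proto):
            return None
        self.table[pkt["dst_port"]] = entry[:5] + (now,)
        return {**pkt, "dst_ip": local_ip, "dst_port": local_port}

    def tcp_closed(self, translated_port: int) -> None:
        """TCP has an explicit teardown, so the entry can be cleared immediately."""
        self.table.pop(translated_port, None)

    def expire_udp(self, now: int) -> int:
        """UDP is stateless: drop mappings idle for longer than the timeout."""
        stale = [p for p, e in self.table.items()
                 if e[4] == "udp" and now - e[5] > self.udp_timeout]
        for p in stale:
            del self.table[p]
        return len(stale)
```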

PUBLIC IP & NAT:

Every device on the internet has an IP address. This address must be unique, there can be no two devices with the same IP. The number of IP addresses is limited, and mostly used up. There is a group of addresses that have been reserved for use only in internal networks. This works because the devices sharing an address cannot see each other – they are on different networks with no route between them.

NAT is implemented by a device (a computer, a router, or a firewall) that has two network connections, one to the internal network, one to the internet. When a device on the internal network wants to connect outside, it sends its messages (packets) to the NAT device. The NAT device strips the address of the original device and substitutes its own, then sends it out to the internet.

When the reply comes back, the NAT device then strips its own address, substitutes the address of the original device, and sends it to the internal network.

In this way, many devices can share one IP address.

LAN: local area network

  • will have: a network address (unusable), a mask (defines how many IP addresses are usable, minus the network and broadcast), and a broadcast address (unusable)
  • default gateway/default route is usually network+1 or broadcast+1

Gateway:

  • in networking: the “default-gateway” on a single egress-point network (which is typically how a lot of networks are put together)
  • but “gateway address” or “gateway device” or “gateway” can mean different things
  • traffic needing to go from private to public networks and public to private networks or even private to private needs to go through gateway

Mask: defines how many IP addresses are usable, minus the network and broadcast addresses

  • how a device (computer, router, etc.) determines whether a destination IP is local to an interface or not.
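Worked calculation for the LAN, gateway and mask notes above, added here as an example (not the course's code): from a host address and its mask it derives the network and broadcast addresses, the usable host count, the network+1 gateway convention, and the same-subnet test a host performs before deciding whether a packet goes to the default gateway. Addresses are the 192.168.0.x example used earlier in these notes.

```python
import ipaddress
from typing import Dict, Optional


def lan_summary(host_ip: str, prefix_or_mask: str) -> Dict[str, Optional[object]]:
    """Derive the addresses the notes describe from a host address and its mask.
    prefix_or_mask may be a prefix length ("24") or a dotted mask ("255.255.255.0")."""
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix_or_mask}")
    net = iface.network
    usable = max(net.num_addresses - 2, 0)      # minus network and broadcast
    return {
        "network": str(net.network_address),     # unusable
        "broadcast": str(net.broadcast_address), # unusable
        "mask": str(net.netmask),
        "usable_hosts": usable,
        # network+1 is a common convention for the default gateway, not a rule
        "likely_gateway": str(net.network_address + 1) if usable else None,
    }


def needs_routing(host_ip: str, prefix_or_mask: str, dst_ip: str) -> bool:
    """The check a host makes before sending: if the destination is outside the
    host's own network, the packet must go to the default gateway."""
    net = ipaddress.ip_interface(f"{host_ip}/{prefix_or_mask}").network
    return ipaddress.ip_address(dst_ip) not in net


if __name__ == "__main__":
    print(lan_summary("192.168.0.2", "255.255.255.0"))
    print("1.2.3.4 needs routing:", needs_routing("192.168.0.2", "24", "1.2.3.4"))
    print("192.168.0.1 needs routing:", needs_routing("192.168.0.2", "24", "192.168.0.1"))
```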

NAT: Network Address Translation (PUBLIC IP)

  • “Speaking of IP, there aren't enough to go around so let me take that 1 public address your ISP gave you and “split it up” into many private ones for your devices”
  • router maintains address book where it maps all your devices internally
  • useful in IPV4 because you only get 1 external IP so to the outside world, your devices all appear to come from just 1 source
  • 1-to-many relationship like a company where there are many employees but you only see the company name

DHCP: Dynamic Host Configuration Protocol (PRIVATE IP)

  • "You don't have to manually assign IP addresses to your devices, let me do it for you"
  • probably running on the router at home
  • a device will ask the DHCP server "hey, can I get an IP?", DHCP says "ok, let me check for one not currently in use to give to you" -> automates the process of assigning IPs yourself
  • often run by default with NAT, but it's not a requirement; you can turn it off but will have to do IP assignments and avoid collisions yourself
  • DHCP is a Layer 7 (Application layer) protocol that uses two UDP ports:
    • Port 67 is used by the server
    • Port 68 is used by the client

Bridge Mode

  • whatever device you have is a middleman that doesn't care about traffic rules; it only hands things from one end to the other

DHCP (Dynamic Host Configuration Protocol)

Four-Step Process

  1. DHCP Discover: find the DHCP server
     • client sends out a message to everyone on the local network: "I need a DHCP server"
  2. DHCP Offer: find available IP addresses
     • DHCP server finds and selects an available IP address and sends it out to the network: "Here is your IP address, DHCP client"
  3. DHCP Request: DHCP client returns a message of receipt
     • "Thanks for the IP address, I will take it"
  4. DHCP ACK: DHCP server acknowledges that the IP is taken and issues a DHCP lease; upon expiry, the IP can be given to another device

To view specific DHCP steps:

DHCP Discover filter: dhcp.option.dhcp == 1
DHCP Offer filter: dhcp.option.dhcp == 2
DHCP Request filter: dhcp.option.dhcp == 3
DHCP ACK filter: dhcp.option.dhcp == 5

  • Clarify that dhcp.option.dhcp == 4 is used for DHCP Decline. This is why DHCP ACK is dhcp.option.dhcp == 5.

DHCP Attacks

DHCP Starvation: a type of DDoS

  • attacker accesses LAN, sends large volume of fraudulent DHCP messages over the network requesting IPs from server. If large enough, server may run out of IPs.

Mitigation of DHCP starvation:

  • set a maximum threshold aka number of DHCP requests per second that can be accepted by server

DHCP Spoofing: AFTER starvation

  • after DHCP Starvation attack, attacker can set up fraudulent DHCP server
  • send out spoof messages to DHCP clients, identifying malicious router that clients should direct traffic to
  • Once DHCP clients make this change, traffic is redirected

Mitigation of DHCP spoofing with DHCP Snooping:

  • process implemented on a network switch that inspects packets to confirm they're legitimate DHCP offers + block the unauthorized

Routing Schemes and Protocols

Routing: The act of choosing the path that traffic takes in or across networks

Routing Schemes:

  1. Unicast: a single device delivers a message to another single specific device, i.e. a phone call
  2. Broadcast: a single device broadcasts to all devices on the same network, i.e. DHCP broadcast, ARP broadcast
  3. Multicast: a single device sends a message to devices that have expressed interest in receiving it, i.e. a subscription

Static Routing Vs Dynamic Routing

Static: manual configuration of a network route, usually by the net admin
  • smaller networks or fewer changes
  • PRO: lower CPU on the router; net admin has full control of their net's routing behaviour
  • CON: fault tolerance; router can't adjust itself

Dynamic routing: network acts on its own to avoid network blockages
  • network is adaptive
  • primary routing technique
  • uses Routing Protocols

Dynamic Routing Protocols: 2 Primary Criteria

(1) Distance: number of devices/hops used to get data from source to destination -> chooses the fewest hops
  • "Distance-Vector Routing Protocols" include:
    • RIP: Routing Information Protocol: uses hop count as its main criterion
    • EIGRP: Enhanced Interior Gateway Routing Protocol: better than RIP because it only sends incremental updates, reducing workload on the router and the amount of data being transmitted
  • More on the comparison: https://community.fs.com/blog/eigrp-vs-ospf-differences.html

(2) Speed: route is determined by the time taken to move from source to destination; just because a path has more hops does not make it slower
  • "Link-State Routing Protocols" include:
    • OSPF: Open Shortest Path First:

Wireless Networking

  • Wifi Standard: 802.11

WAP: Wireless Access Point: networking hardware device that connects a wireless network to a wired network by broadcasting a wireless signal called a beacon.

  • must identify itself
  • uses BSSID: Basic Service Set Identifier to identify its MAC address in a beacon signal in six hexadecimal octets
  • also broadcasts SSID: Service Set Identifier using a more recognizable format that is easier to recognize for humans
  • Wifi Security: WPA2 replaced WPA replaced WEP

Wifi in Wireshark: Detect Security Protection Manually:

  • click “Wireless” in toolbar + “WLAN Traffic”
  • will show SSIDs, BSSID, and wireless security protection
  • If unable to detect security protection, the manual approach:

  • to add the different SSIDs as a column: [screenshot wireless5.png]

  • to add the security: IEEE 802.11 wireless LAN > Tagged parameters > Tag: Vendor Specific: Microsoft Corp.: WPA Information Element

  • Right-click on WPA Version: 1 then select Apply as Column.

Decrypting with Aircrack-NG

  • syntax is: Aircrack-ng [.pcap file name]
  • Aircrack-NG needs a certain amount of wireless packets to figure out key, typically min 10k
  • the Wireless Toolbar no longer exists in view > it is now in: Wireshark > Preferences > Protocols > IEEE 802.11

Wifi Security Vulnerabilities

  • Wardriving: driving/walking around with a wireless-enabled device looking for unsecured wireless LANs
  • Warchalking: using chalk markings to show the presence and vulnerabilities of wireless networks nearby
  • Warflying: using drones
  • Evil Twin: making a fake SSID to trick users into connecting to the attacker's WAP