
Lab 2 - SNMP, arpspoof, softflowd

links: SPA TOC - Lab - Index


Exercise find open SNMP ports

nmap -sU --script snmp-brute 147.87.80.0/24 --script-args snmp-brute.communitiesdb=public

Systems found with an open SNMP port:

  • ds01.bfh.ch (147.87.80.213)
  • hpr.netlab.bfh.ch (147.87.80.252)

Exercise snmpwalk

Results for snmpwalk -v2c -c public 147.87.80.252

What type of device is used?

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M) → Cisco 1800 Series Integrated Services Routers: Cisco 1841 Router

What's the internal system name?

hpr_netlab.netlab.bfh.ch

What's the firmware version used on the device?

Version 12.4(23), RELEASE SOFTWARE (fc1)

How many physical ports does the device have?

9 (snmpwalk -v2c -c public 147.87.80.252 1.3.6.1.2.1.2.1.0)

What routes does the device propagate?

This OID provides information about the IPv4 routing table: snmpwalk -v2c -c public 147.87.80.252 1.3.6.1.2.1.4.21

Example Output:

...
iso.3.6.1.2.1.4.21.1.8.147.87.86.32 = INTEGER: 4
iso.3.6.1.2.1.4.21.1.8.147.87.86.64 = INTEGER: 4
iso.3.6.1.2.1.4.21.1.8.147.87.86.96 = INTEGER: 4
iso.3.6.1.2.1.4.21.1.8.147.87.86.128 = INTEGER: 4
iso.3.6.1.2.1.4.21.1.8.147.87.86.160 = INTEGER: 4
iso.3.6.1.2.1.4.21.1.8.147.87.86.192 = INTEGER: 4
iso.3.6.1.2.1.4.21.1.8.147.87.86.224 = INTEGER: 4
...

In this case, the constant value 4 indicates that the route type for these routes is "Indirect". The OID 1.3.6.1.2.1.4.21 corresponds to the ipRouteTable, and the suffix 147.87.86.32 (etc.) is the destination address.

What routing protocols are in use?

To determine which routing protocols are in use on a Cisco router using SNMP, you can query the iso.3.6.1.2.1.4.21.1.8 OID: snmpwalk -v2c -c public 147.87.80.252 1.3.6.1.2.1.4.21.1.8. The output shows that presumably Netmgmt (value 3) and Indirect (dynamic routing protocols such as OSPF or EIGRP; value 4) are used as routing protocols.

What are the MAC/IP pairs the device has cached?

To retrieve the MAC/IP pairs that a device has cached using SNMP, you can query the ARP (Address Resolution Protocol) table: snmpwalk -v2c -c public 147.87.80.252 1.3.6.1.2.1.4.22.1. The hex string is the MAC address and the OID suffix is the corresponding IP address. Example output:

...
iso.3.6.1.2.1.4.22.1.2.9.147.87.80.2 = Hex-STRING: 00 50 56 BD 93 F0 
iso.3.6.1.2.1.4.22.1.2.9.147.87.80.3 = Hex-STRING: C6 18 84 84 9E E2 
iso.3.6.1.2.1.4.22.1.2.9.147.87.80.8 = Hex-STRING: 52 54 00 92 B3 F5 
iso.3.6.1.2.1.4.22.1.2.9.147.87.80.102 = Hex-STRING: 00 50 56 96 29 02 
iso.3.6.1.2.1.4.22.1.2.9.147.87.80.143 = Hex-STRING: 00 50 56 00 43 0B 
iso.3.6.1.2.1.4.22.1.2.9.147.87.80.145 = Hex-STRING: 00 50 56 00 45 0B 
...
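As an added example that is not part of the lab notes, the following Python script parses snmpwalk output of the kind shown in the two answers above. It decodes the ipRouteTable columns 7 (ipRouteNextHop), 8 (ipRouteType) and 9 (ipRouteProto) using the enumerations from RFC 1213, and turns the ipNetToMediaPhysAddress rows (1.3.6.1.2.1.4.22.1.2, indexed by ifIndex.ipAddress) into (ifIndex, IP, MAC) triples. The sample walk is constructed and modelled on the output above; the ipRouteProto and next-hop rows are invented for illustration, not taken from the router.

```python
import re
from collections import Counter

# Constructed snmpwalk excerpt modelled on the lab output (not a real capture).
# ipRouteTable (1.3.6.1.2.1.4.21.1) columns per RFC 1213: 7 = ipRouteNextHop,
# 8 = ipRouteType, 9 = ipRouteProto; the row index is the destination address.
# 1.3.6.1.2.1.4.22.1.2 is ipNetToMediaPhysAddress, indexed by ifIndex.ipAddress.
SAMPLE_WALK = """\
iso.3.6.1.2.1.4.21.1.7.147.87.80.0 = IpAddress: 0.0.0.0
iso.3.6.1.2.1.4.21.1.8.147.87.80.0 = INTEGER: 3
iso.3.6.1.2.1.4.21.1.9.147.87.80.0 = INTEGER: 2
iso.3.6.1.2.1.4.21.1.7.147.87.86.32 = IpAddress: 147.87.80.1
iso.3.6.1.2.1.4.21.1.8.147.87.86.32 = INTEGER: 4
iso.3.6.1.2.1.4.21.1.9.147.87.86.32 = INTEGER: 3
iso.3.6.1.2.1.4.22.1.2.9.147.87.80.2 = Hex-STRING: 00 50 56 BD 93 F0
iso.3.6.1.2.1.4.22.1.2.9.147.87.80.3 = Hex-STRING: C6 18 84 84 9E E2
"""

# Enumerations as defined in RFC 1213 (MIB-II).
ROUTE_TYPE = {1: "other", 2: "invalid", 3: "direct", 4: "indirect"}
ROUTE_PROTO = {1: "other", 2: "local", 3: "netmgmt", 4: "icmp", 5: "egp", 6: "ggp",
               7: "hello", 8: "rip", 9: "is-is", 10: "es-is", 11: "ciscoIgrp",
               12: "bbnSpfIgp", 13: "ospf", 14: "bgp"}

# iso.3.6.1.2.1.4.<table>.1.<column>.<index> = <type>: <value>
LINE_RE = re.compile(r"^iso\.3\.6\.1\.2\.1\.4\.(\d+)\.1\.(\d+)\.(\S+) = ([\w-]+): (.*)$")


def parse_walk(text):
    """Return (routes, arp): routes maps destination -> decoded columns,
    arp is a list of (ifIndex, ip, mac) from the ipNetToMediaTable."""
    routes = {}
    arp = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip "..." and anything that is not a table row
        table, column, index, _vtype, value = m.groups()
        table, column = int(table), int(column)
        if table == 21:  # ipRouteTable, index is ipRouteDest
            entry = routes.setdefault(index, {})
            if column == 7:
                entry["next_hop"] = value
            elif column == 8:
                entry["type"] = ROUTE_TYPE.get(int(value), "unknown(%s)" % value)
            elif column == 9:
                entry["proto"] = ROUTE_PROTO.get(int(value), "unknown(%s)" % value)
        elif table == 22 and column == 2:  # ipNetToMediaPhysAddress, index is ifIndex.ip
            ifindex, ip = index.split(".", 1)
            mac = ":".join(value.split()).lower()  # "00 50 56 BD 93 F0" -> "00:50:56:bd:93:f0"
            arp.append((int(ifindex), ip, mac))
    return routes, arp


def route_summary(routes):
    """Count routes per (ipRouteType, ipRouteProto) pair, e.g. how many are
    indirect routes learned via a dynamic protocol versus direct/local ones."""
    return Counter((r.get("type", "?"), r.get("proto", "?")) for r in routes.values())


if __name__ == "__main__":
    routes, arp = parse_walk(SAMPLE_WALK)
    for dest, cols in routes.items():
        print(dest, cols)
    for ifindex, ip, mac in arp:
        print("if%d %s -> %s" % (ifindex, ip, mac))
    print(route_summary(routes))
```

Running the script against real output is a matter of piping snmpwalk into it (the regex ignores the "..." lines and any non-table rows). Keeping ipRouteType (column 8) and ipRouteProto (column 9) apart matters when answering the two questions above: column 8 only says whether the next hop is the interface itself or another router, column 9 says where the route came from.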

Exercise arpspoof

Enable IP forwarding: echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Then run: sudo arpspoof -i ens160 -t 147.87.86.78 -r 147.87.86.65

Check if you see the traffic on the attacking machine

Second terminal: sudo tcpdump -i ens160 host 147.87.86.78 -n -s 0

Check your ARP cache.

arp -a

Use dsniff to sniff on the spoofing host and access an anonymous ftp server.

Second Terminal: sudo dsniff -i ens160

Try to detect the spoofing host using tracert on client02.

First hop always goes via the client01!

Exercise arpwatch

Configure e-mail notifications:

For example, if you want to send mails about arpwatch events on eth0 to arpwatch+eth0@example.com, you can generate the configuration file using the following command: echo 'IFACE_ARGS="-m arpwatch+eth0@example.com"' > /etc/arpwatch/eth0.iface

Detect the spoofing from the exercise above in syslog:

2024-01-20T17:21:44.531611+01:00 router arpwatch: reaper: pid 41288, exit status 1
2024-01-20T17:31:12.846210+01:00 router arpwatch: ethernet mismatch 147.87.86.78 00:50:56:00:45:00 (00:50:56:00:45:01) ens224
2024-01-20T17:31:14.893666+01:00 router arpwatch: ethernet mismatch 147.87.86.78 00:50:56:00:45:00 (00:50:56:00:45:01) ens224
2024-01-20T17:31:16.941860+01:00 router arpwatch: ethernet mismatch 147.87.86.78 00:50:56:00:45:00 (00:50:56:00:45:01) ens224
2024-01-20T17:31:18.989618+01:00 router arpwatch: ethernet mismatch 147.87.86.78 00:50:56:00:45:00 (00:50:56:00:45:01) ens224
2024-01-20T17:31:21.037759+01:00 router arpwatch: ethernet mismatch 147.87.86.78 00:50:56:00:45:00 (00:50:56:00:45:01) ens224
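As an added example that is not part of the lab notes, the Python below shows the two defender-side checks from this section in code: parsing arpwatch syslog lines like the excerpt above and flagging an IP that accumulates several conflicting-MAC reports inside a short window, and inspecting an ARP cache (ip -4 neigh output, rather than the arp -a format used above) for one MAC that answers for more than one IP, which is what a poisoned cache looks like from the target's side. The log lines and the neighbour table are constructed samples modelled on the excerpt; the assumption that arpwatch's "changed ethernet address" and "flip flop" messages use the same ip/mac/(mac)/interface layout as "ethernet mismatch" is mine, and the thresholds are arbitrary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog sample modelled on the arpwatch excerpt in the lab notes.
SAMPLE_SYSLOG = """\
2024-01-20T17:21:44.531611+01:00 router arpwatch: reaper: pid 41288, exit status 1
2024-01-20T17:31:12.846210+01:00 router arpwatch: ethernet mismatch 147.87.86.78 00:50:56:00:45:00 (00:50:56:00:45:01) ens224
2024-01-20T17:31:14.893666+01:00 router arpwatch: ethernet mismatch 147.87.86.78 00:50:56:00:45:00 (00:50:56:00:45:01) ens224
2024-01-20T17:31:16.941860+01:00 router arpwatch: ethernet mismatch 147.87.86.78 00:50:56:00:45:00 (00:50:56:00:45:01) ens224
2024-01-20T17:31:18.989618+01:00 router arpwatch: ethernet mismatch 147.87.86.78 00:50:56:00:45:00 (00:50:56:00:45:01) ens224
2024-01-20T17:31:21.037759+01:00 router arpwatch: ethernet mismatch 147.87.86.78 00:50:56:00:45:00 (00:50:56:00:45:01) ens224
2024-01-20T17:40:02.000000+01:00 router arpwatch: flip flop 147.87.86.65 00:50:56:00:45:01 (00:50:56:bd:93:f0) ens224
"""

# Constructed "ip -4 neigh" output as seen on a host whose cache has been poisoned:
# the gateway .65 and the host .78 both resolve to the same MAC.
SAMPLE_NEIGH = """\
147.87.86.65 dev ens160 lladdr 00:50:56:00:45:01 REACHABLE
147.87.86.78 dev ens160 lladdr 00:50:56:00:45:01 STALE
147.87.86.70 dev ens160 lladdr 00:50:56:bd:93:f0 REACHABLE
147.87.86.99 dev ens160  FAILED
"""

# Assumption: all three message kinds share the "<ip> <mac> (<mac>) <iface>" layout.
ARPWATCH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) arpwatch: "
    r"(?P<kind>ethernet mismatch|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac_a>[0-9a-f:]+) \((?P<mac_b>[0-9a-f:]+)\) (?P<iface>\S+)$",
    re.IGNORECASE)

NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]+)", re.IGNORECASE)


def parse_arpwatch(text):
    """Extract MAC-conflict events from arpwatch syslog lines; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = ARPWATCH_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["mac_a"], ev["mac_b"] = ev["mac_a"].lower(), ev["mac_b"].lower()
            events.append(ev)
    return events


def suspicious_ips(events, min_events=3, window=timedelta(minutes=5)):
    """IPs with at least min_events conflict reports inside `window` seconds of each other.
    Returns {ip: {"count": total events, "macs": sorted distinct MACs, "iface": iface}}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over the sorted timestamps
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_events:
                macs = sorted({m for e in evs for m in (e["mac_a"], e["mac_b"])})
                alerts[ip] = {"count": len(evs), "macs": macs, "iface": evs[0]["iface"]}
                break
    return alerts


def ips_sharing_mac(neigh_text):
    """From `ip -4 neigh` output, return {mac: [ip, ...]} for MACs bound to more than one IP."""
    by_mac = defaultdict(list)
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            by_mac[m["mac"].lower()].append(m["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    print(suspicious_ips(parse_arpwatch(SAMPLE_SYSLOG)))
    print(ips_sharing_mac(SAMPLE_NEIGH))
```

The single "flip flop" line for 147.87.86.65 stays below the threshold and is not reported, while the burst of mismatches for 147.87.86.78 is. The cache check is the programmatic version of "arp -a": on a host in the lab segment, a gateway entry whose MAC equals that of another host is the symptom to look for.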

Exercise flow export using softflowd

For softflowd-config: options='-v 9 -n 147.87.86.67:2055'. For the verify-command use sudo!

Exercise flow capture/analysis using nfcapd/nfdump

You have to add a rule to /etc/nftables.conf that accepts flow data on 2055/udp and then reload the ruleset.

#!/usr/sbin/nft -f

table inet nslab {
        chain INPUT {
                type filter hook input priority 0; policy drop;
                udp dport 2055 accept
                .....

Then:

sudo nft -f /etc/nftables.conf

Find out how to process multiple capture files, filter flows or generate top N flows/packets/bytes statistics using nfdump

Process Multiple Capture Files (-R reads a sequence of files in one directory, first:last; a directory path reads all files in it): nfdump -R file1.nfcap:file2.nfcap

Filter Flows (the filter is a free-form expression after the options): nfdump -r file.nfcap 'src ip 10.0.0.1'

To display the top N flow records ordered by packets, with a custom output format: nfdump -r file.nfcap -s record/packets -n 10 -o "fmt:%ts %te %td %pr %sa -> %da packets:%pkt"

Top N source addresses by packets: nfdump -r file.nfcap -s srcip/packets -n 10

Top N destination addresses by bytes (use dstport/bytes for ports): nfdump -r file.nfcap -s dstip/bytes -n 10

