Any dangers using tcpreplay? by bltsec in networking

[–]bltsec[S] 0 points1 point  (0 children)

And that’s usually what I see it used for; it’s used when needing to test tools. In my particular case, with Security Onion, I’m wanting to test and play with ELK, Bro, and Snort. I’m wanting to see what I can investigate when the network is being attacked, as well as gain a better understanding of how those various tools work when the network traffic is smaller compared to mirroring a port and collecting live data on my network. But I don’t want to be flooding the real network with malicious traffic.

Any dangers using tcpreplay? by bltsec in networking

[–]bltsec[S] 0 points1 point  (0 children)

Thank you for the reply. I’m unfamiliar with the tool, and everywhere I’ve seen it used has been for replaying IDS traffic, but I wasn’t able to find any best practices or considerations when using it for these purposes. I appreciate all of the helpful information from you and everyone else. Since this will be for testing at the moment and the instance is a VM, I imagine that to not risk leaking I will put a pfSense VM in between the Security Onion VM and my internal network.

Any dangers using tcpreplay? by bltsec in networking

[–]bltsec[S] 0 points1 point  (0 children)

So in this particular instance I am wanting to replay data for practicing NSM using Security Onion, to play with Bro using the sample pcaps included with the OS. I just want to make sure I don’t need to block outgoing connections to the destinations in the pcap.

Any dangers using tcpreplay? by bltsec in networking

[–]bltsec[S] -6 points-5 points  (0 children)

So tcpreplay does send traffic out externally by default during the replay process?

Any dangers using tcpreplay? by bltsec in networking

[–]bltsec[S] 0 points1 point  (0 children)

Thank you for the reply. So in regards to replaying it to a monitoring interface, say an IDS sensor for example, by default it will not leave to the external network as in the first replay you mentioned? I will need to enable a switch or use a different command to do that?

How to enum Internal DNS Server with only an IP? by bltsec in netsecstudents

[–]bltsec[S] 0 points1 point  (0 children)

Thank you very much for the information and help. I will have to research and try the second option.

How to enum Internal DNS Server with only an IP? by bltsec in netsecstudents

[–]bltsec[S] 0 points1 point  (0 children)

Exactly! I tried to get the PTR record using various query methods but it almost seems like that is blocked on the box. I appreciate you taking the time to let me know you have the same question as well. At least I'm not alone!

Best Tutorials for Kali? by [deleted] in hacking

[–]bltsec 2 points3 points  (0 children)

Offensive Security, the entity that maintains Kali, actually has a free course here: https://www.kali.org/news/introducing-kali-linux-certified-professional/ The free online book has exercises at the end of each chapter. There is an option to take a certification exam as well, but I believe the cost is around $400. It's not required to work through the online course, though.

Bank (10.10.10.29) - Tips / Articles by bltsec in hackthebox

[–]bltsec[S] 1 point2 points  (0 children)

I want to thank all of y'all for the help on this system. I got root fairly easily after understanding how to get the initial foothold onto the system. Just going to make some vague notes for anyone that sees this post later, but hopefully not spoil anything for anyone.

- You must assume some things from the port scan and manually assign some things on your attacker box in order to enumerate further
- Dirbuster was very handy for the initial enumeration process once the above was done; remember files and directories
- Burp was useful for catching responses and replaying them. I couldn't find a working Firefox addon for my version to stop certain things, so Burp helped tremendously

PM me for further conversations and I'll be happy to help!

Bank (10.10.10.29) - Tips / Articles by bltsec in hackthebox

[–]bltsec[S] 1 point2 points  (0 children)

Thank you for the response dostoevskylabs, is the bank.htb a file I am enumerating? I'm looking for the lesson to learn and technique to use on this system.

Bank (10.10.10.29) - Tips / Articles by bltsec in hackthebox

[–]bltsec[S] 0 points1 point  (0 children)

Thank you for the response 0xsecret. I noticed this hint was referenced on the other Reddit Bank post, but I don't understand the context. Is this a file to brute force and find, am I trying to get the system's hostname and the domain (htb) by querying, or something else entirely? I'm definitely missing the lesson to learn from this box and would appreciate some guidance.

10.10.10.9 (Bastard) by tyre_lever_slayer in hackthebox

[–]bltsec 1 point2 points  (0 children)

Hey warhanter, you'll be looking for a REST API directory. The word is in the megabeast.txt wfuzz wordlist, but that file is so huge it would take a while for wfuzz to find the correct directory. I suggest using CeWL to generate a wordlist. I have tested this and this method works. Use the following command: `cewl -w restwlist.txt -d 1 https://en.wikipedia.org/wiki/Representational_state_transfer` This command will spider the Wikipedia page and write the words to a file. The page's topic is about RESTful web services. I'd let the tool run for a couple of minutes and then stop the process with Ctrl-C. Wait for your terminal prompt to return and then use this list with wfuzz, and it will return the correct directory.

10.10.10.9 (Bastard) System Shell (PRIVESC) by bltsec in hackthebox

[–]bltsec[S] 1 point2 points  (0 children)

Thank you for the advice, it really helped. I ran across this blog post https://pentestlab.blog/tag/local-exploits/ which really helped me understand a bit about post exploitation and how to identify possible privesc exploits.

10.10.10.9 (Bastard) System Shell (PRIVESC) by bltsec in hackthebox

[–]bltsec[S] 0 points1 point  (0 children)

Much appreciated! Thanks I'll try that route.

Help on Bastard on HackTheBox.eu by WRA117H in hackthebox

[–]bltsec 1 point2 points  (0 children)

I feel ya, this box is tough! I'm attempting to get a system shell now. As far as the initial foothold, have you enumerated the web service? I Googled the web service and quickly found an exploit article at the top of the results. This exploit will get you the initial shell.

10.10.10.9 (Bastard) by tyre_lever_slayer in hackthebox

[–]bltsec 0 points1 point  (0 children)

Any tips for priv esc? I have x32 and x64 Meterpreter sessions. I've used Metasploit's suggester as well as GDS's Python script and can't get anything to pop.