netrunn3r/pytbull-ng

communication issue

juanmay1 opened this issue · 7 comments

Hi, I'm using pytbull-ng but I can't perform the attacks. I'm running pytbull on the victim and attacker sides, but I can't see the establishment of any session.
I'm performing a tcpdump on the "utm" device and I just see the SYN from the attacker, but I can't see any response from the victim; also the attacker side gets closed because the basic checks can't be performed.
I'm following the network topology that you shared and the commands that you specify.
Can you help me please?
Thank you so much.

adminjmy@ubuntu-pytbull-attacker:~$ sudo docker run -it --rm -p 80:80 --name=pytbull-ng_attacker efigo/pytbull-ng -m attacker -t 192.168.0.222 -l 10.0.0.100
FTP user: :
Mode: attacker
Host IP: 10.0.0.100
Victim IP: 192.168.0.222
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 29/httpd

                       __  __          ____
          ____  __  __/ /_/ /_  __  __/ / /     ____  ____ _
         / __ \/ / / / __/ __ \/ / / / / /_____/ __ \/ __ `/
        / /_/ / /_/ / /_/ /_/ / /_/ / / /_____/ / / / /_/ /
       / .___/\__, /\__/_.___/\__,_/_/_/     /_/ /_/\__, /
      /_/    /____/                                /____/
       creator of pytbull:    Sebastien Damaye, aldeid.com
       creator of pytbull-ng: Michal Chrobak,   efigo.pl

(standalone mode)
(offline)

+------------------------------------------------------------------------+
| pytbull will set off IDS/IPS alarms and/or other security devices |
| and security monitoring software. The user is aware that malicious |
| content will be downloaded and that the user should have been |
| authorized before running the tool. |
+------------------------------------------------------------------------+

BASIC CHECKS

Checking root privileges.........................................[ OK ]
Checking remote port 21/tcp (FTP)................................[ Failed ]

***ERROR: [Errno 110] Operation timed out
Port 21/tcp seems to be closed
Install FTP on the remote host: sudo apt-get install vsftpd
real 2m 11.14s
user 0m 1.09s
sys 0m 0.06s

Start: Sun May 30 21:25:35 UTC 2021
End: Sun May 30 21:29:57 UTC 2021

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
16:25:35.485594 IP 10.0.0.100.53020 > 192.168.0.222.http: Flags [S], seq 240687923, win 64240, options [mss 1460,sackOK,TS val 719866192 ecr 0,nop,wscale 7], length 0
16:25:36.497447 IP 10.0.0.100.53020 > 192.168.0.222.http: Flags [S], seq 240687923, win 64240, options [mss 1460,sackOK,TS val 719867204 ecr 0,nop,wscale 7], length 0
16:25:38.526652 IP 10.0.0.100.53020 > 192.168.0.222.http: Flags [S], seq 240687923, win 64240, options [mss 1460,sackOK,TS val 719869234 ecr 0,nop,wscale 7], length 0
16:25:42.606553 IP 10.0.0.100.53020 > 192.168.0.222.http: Flags [S], seq 240687923, win 64240, options [mss 1460,sackOK,TS val 719873316 ecr 0,nop,wscale 7], length 0
16:25:50.795168 IP 10.0.0.100.53020 > 192.168.0.222.http: Flags [S], seq 240687923, win 64240, options [mss 1460,sackOK,TS val 719881509 ecr 0,nop,wscale 7], length 0
16:26:06.915262 IP 10.0.0.100.53020 > 192.168.0.222.http: Flags [S], seq 240687923, win 64240, options [mss 1460,sackOK,TS val 719897637 ecr 0,nop,wscale 7], length 0
16:26:40.689411 IP 10.0.0.100.53020 > 192.168.0.222.http: Flags [S], seq 240687923, win 64240, options [mss 1460,sackOK,TS val 719931428 ecr 0,nop,wscale 7], length 0
16:27:47.285127 IP 10.0.0.100.48914 > 192.168.0.222.ftp: Flags [S], seq 613706125, win 64240, options [mss 1460,sackOK,TS val 719998057 ecr 0,nop,wscale 7], length 0
16:27:48.303756 IP 10.0.0.100.48914 > 192.168.0.222.ftp: Flags [S], seq 613706125, win 64240, options [mss 1460,sackOK,TS val 719999076 ecr 0,nop,wscale 7], length 0
16:27:50.319266 IP 10.0.0.100.48914 > 192.168.0.222.ftp: Flags [S], seq 613706125, win 64240, options [mss 1460,sackOK,TS val 720001093 ecr 0,nop,wscale 7], length 0
16:27:54.380615 IP 10.0.0.100.48914 > 192.168.0.222.ftp: Flags [S], seq 613706125, win 64240, options [mss 1460,sackOK,TS val 720005156 ecr 0,nop,wscale 7], length 0
16:28:02.568885 IP 10.0.0.100.48914 > 192.168.0.222.ftp: Flags [S], seq 613706125, win 64240, options [mss 1460,sackOK,TS val 720013349 ecr 0,nop,wscale 7], length 0
16:28:18.694681 IP 10.0.0.100.48914 > 192.168.0.222.ftp: Flags [S], seq 613706125, win 64240, options [mss 1460,sackOK,TS val 720029476 ecr 0,nop,wscale 7], length 0
16:28:51.718785 IP 10.0.0.100.48914 > 192.168.0.222.ftp: Flags [S], seq 613706125, win 64240, options [mss 1460,sackOK,TS val 720062500 ecr 0,nop,wscale 7], length 0
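
As an added example (not code from pytbull-ng or from anyone in this thread), here is a small parser for tcpdump's default one-line output that finds exactly the symptom in the capture above: flows in which one side keeps sending SYNs and nothing ever comes back. It works on constructed sample lines (`SAMPLE`, shaped like the capture in the report) and on a real capture piped in on stdin; the flow keys and the `describe` wording are the example's own choices.

```python
"""Spot TCP flows that never get an answer in a tcpdump capture.

Added example, not part of pytbull-ng or of this issue thread. It reads
tcpdump's default one-line text output and reports flows in which every
packet is a SYN from the same side and nothing ever travels back, which is
what the capture in the report shows. SAMPLE is constructed for the example.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Matches lines such as:
# 16:25:35.485594 IP 10.0.0.100.53020 > 192.168.0.222.http: Flags [S], seq 240687923, ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\w+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?"
)

Flow = Tuple[str, str, str, str]  # (src, sport, dst, dport)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one tcpdump line, or None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def one_way_syn_flows(lines: List[str]) -> Dict[Flow, Tuple[int, int]]:
    """Map each unanswered flow to (number of SYNs, number of distinct seq values).

    A flow is 'unanswered' when no packet at all was seen in the reverse
    direction (no SYN-ACK, no RST) and every packet seen was a bare SYN.
    A distinct-seq count of 1 with several SYNs means the kernel retransmitted
    the same SYN, i.e. the client kept retrying into silence.
    """
    packets: Dict[Flow, List[dict]] = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p:
            packets[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)

    result: Dict[Flow, Tuple[int, int]] = {}
    for flow, pkts in packets.items():
        src, sport, dst, dport = flow
        if (dst, dport, src, sport) in packets:
            continue  # the other side answered; not a one-way flow
        if all(p["flags"] == "S" for p in pkts):
            seqs = {p["seq"] for p in pkts}
            result[flow] = (len(pkts), len(seqs))
    return result


def describe(flows: Dict[Flow, Tuple[int, int]]) -> List[str]:
    """Turn the result of one_way_syn_flows into one line of text per flow."""
    out = []
    for (src, sport, dst, dport), (n, distinct) in sorted(flows.items()):
        kind = "retransmitted" if distinct == 1 and n > 1 else "sent"
        out.append(f"{src}:{sport} -> {dst}:{dport}: {n} SYN(s) {kind}, no reply seen")
    return out


# Constructed sample: two unanswered flows shaped like the report's capture,
# plus one flow that completes a handshake and therefore must not be reported.
SAMPLE = """\
16:25:35.485594 IP 10.0.0.100.53020 > 192.168.0.222.http: Flags [S], seq 240687923, win 64240, length 0
16:25:36.497447 IP 10.0.0.100.53020 > 192.168.0.222.http: Flags [S], seq 240687923, win 64240, length 0
16:25:38.526652 IP 10.0.0.100.53020 > 192.168.0.222.http: Flags [S], seq 240687923, win 64240, length 0
16:27:47.285127 IP 10.0.0.100.48914 > 192.168.0.222.ftp: Flags [S], seq 613706125, win 64240, length 0
16:27:48.303756 IP 10.0.0.100.48914 > 192.168.0.222.ftp: Flags [S], seq 613706125, win 64240, length 0
16:30:01.000000 IP 10.0.0.100.50000 > 192.168.0.222.ssh: Flags [S], seq 1000, win 64240, length 0
16:30:01.000500 IP 192.168.0.222.ssh > 10.0.0.100.50000: Flags [S.], seq 2000, ack 1001, win 65160, length 0
16:30:01.000700 IP 10.0.0.100.50000 > 192.168.0.222.ssh: Flags [.], ack 1, win 502, length 0
"""

if __name__ == "__main__":
    # Pipe a real capture in (tcpdump -n -l -i <iface> tcp | python3 this.py);
    # with no piped input the constructed sample is analysed instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for line in describe(one_way_syn_flows(text.splitlines())):
        print(line)
```

A flow that shows up here with one distinct sequence number and several SYNs is the kernel's own retransmission timer firing into silence, which is what the report's capture shows on both port 80 and port 21. Seeing the same on a capture taken at the victim's parent interface tells you whether the packet even arrived (it did not in this thread; the container behind macvlan never saw it), while seeing it only on an upstream device points at a return-path or policy problem instead.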

Hi juanmay1,
Ok, let's debug this problem. On the current version I can confirm that it should work. First, we check the network configuration: can you verify that ports 21, 22 or 12345 on 10.0.0.100 are open (e.g. nmap -p 21,22,12345 192.168.0.222 or nc -nv 192.168.0.222 12345) from some host other than 10.0.0.100? Maybe there is a problem on your "UTM" with the network access policy? Do you run tcpdump on the ingress or the egress interface? Or maybe there is some local firewall on the host where you have docker?

The victim needs a dedicated network from docker; how did you create it? Could you paste the output of docker network inspect <network_name>? And how do you run the victim? Could you paste these two commands, which in my example look like this:

  1. docker network create -d macvlan --subnet=10.0.233.0/24 --gateway=10.0.233.1 -o parent=ens19 net_233
  2. docker run --rm -it --network=net_233 --ip=10.0.233.6 --name=pytbull-ng_victim efigo/pytbull-ng -m victim
    Remember that macvlan doesn't work on Windows - you need a Linux host for this container.

My host which runs the victim container has IP 10.0.233.4, the host which runs the attacker has 10.0.222.3, so I run this command to start the attacker container:
docker run -it --rm -p 80:80 --name=pytbull-ng_attacker efigo/pytbull-ng -m attacker -t 10.0.233.6 -l 10.0.222.3

Hi netrunn3r, thank you for your answer.
First I want to tell you that I'm running pytbull on two Ubuntu 18.04 machines running on VirtualBox. Is there any issue working on virtual machines? Should I use a physical device instead? Should I use another distro?

[image: pytbull-ng-scenario]
The docker version that I'm using is:
adminjmy@pytbull-victim:~$ docker -v
Docker version 20.10.6, build 370c289

adminjmy@pytbull-attacker:~$ docker -v
Docker version 20.10.6, build 370c289

I have built another scenario where both machines, attacker and victim, are in the same network, 192.168.0.0/24, without any other device between them.
In this scenario, the attacker has 192.168.0.100/24 and the victim 192.168.0.222/24.

When I perform an nmap scan of the victim, it doesn't answer:
adminjmy@pytbull-attacker:~$ nmap -p 21,22,12345 192.168.0.222

Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-31 08:31 -05
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds

Also, from the attacker and from the victim host I can't see the victim machine (192.168.0.222) through ARP; I just see incomplete in the MAC address.

adminjmy@pytbull-victim:~$ arp -a
? (192.168.0.222) at on enp0s8
? (192.168.0.100) at 08:00:27:3f:dd:2c [ether] on enp0s8
_gateway (192.168.1.254) at c0:89:ab:dc:14:10 [ether] on enp0s3
? (192.168.1.100) at d4:d2:52:75:03:fa [ether] on enp0s3

adminjmy@pytbull-attacker:~$ arp -a
_gateway (192.168.1.254) at c0:89:ab:dc:14:10 [ether] on enp0s3
? (192.168.1.100) at d4:d2:52:75:03:fa [ether] on enp0s3
? (192.168.0.222) at on enp0s8
? (192.168.0.200) at 08:00:27:37:61:56 [ether] on enp0s8


This is the output of docker network inspect net_192_168_0_0-24:
adminjmy@pytbull-victim:~$ docker network inspect net_192_168_0_0-24
[
    {
        "Name": "net_192_168_0_0-24",
        "Id": "bafd43dba279c8437e48b38e1c269dbb173cd62f18b1b250bb8a2804a86abbfc",
        "Created": "2021-05-31T08:17:06.895888122-05:00",
        "Scope": "local",
        "Driver": "macvlan",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "192.168.0.0/24",
                    "Gateway": "192.168.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "104155bf186cfe23b0e6317bdb47e39d7cc3ca372126bb73fb1e5205826631a3": {
                "Name": "pytbull-ng_victim",
                "EndpointID": "295e90c69e7fd81e2b382bd52cf6a4f1275cdce779a97f159b3f29219666a821",
                "MacAddress": "02:42:c0:a8:00:de",
                "IPv4Address": "192.168.0.222/24",
                "IPv6Address": ""
            }
        },
        "Options": {
            "parent": "enp0s8"
        },
        "Labels": {}
    }
]


I run the victim machine like this:
adminjmy@pytbull-victim:~$ docker run --rm -it --network=net_192_168_0_0-24 --ip=192.168.0.222 --name=pytbull-ng_victim efigo/pytbull-ng -m victim
FTP user: lvMPbpAWSQzF:xuqbLw5Azig3PPrjIlX6
Mode: victim
Host IP: 192.168.0.222/24
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 51/httpd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 45/vsftpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 49/sshd [listener]
tcp 0 0 127.0.0.11:37881 0.0.0.0:* LISTEN -

                       __  __          ____
          ____  __  __/ /_/ /_  __  __/ / /     ____  ____ _
         / __ \/ / / / __/ __ \/ / / / / /_____/ __ \/ __ `/
        / /_/ / /_/ / /_/ /_/ / /_/ / / /_____/ / / / /_/ /
       / .___/\__, /\__/_.___/\__,_/_/_/     /_/ /_/\__, /
      /_/    /____/                                /____/
       creator of pytbull:    Sebastien Damaye, aldeid.com
       creator of pytbull-ng: Michal Chrobak,   efigo.pl

Checking root privileges.........................................[ OK ]
Checking port to use.............................................[ OK ]

Server started on port: 12345
Listening...


I run the attacker machine like this:

adminjmy@pytbull-attacker:~$ sudo docker run -it --rm -p 80:80 --name=pytbull-ng_attacker efigo/pytbull-ng -m attacker -t 192.168.0.222 -l 192.168.0.100
FTP user: :
Mode: attacker
Host IP: 192.168.0.100
Victim IP: 192.168.0.222
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 28/httpd

                       __  __          ____
          ____  __  __/ /_/ /_  __  __/ / /     ____  ____ _
         / __ \/ / / / __/ __ \/ / / / / /_____/ __ \/ __ `/
        / /_/ / /_/ / /_/ /_/ / /_/ / / /_____/ / / / /_/ /
       / .___/\__, /\__/_.___/\__,_/_/_/     /_/ /_/\__, /
      /_/    /____/                                /____/
       creator of pytbull:    Sebastien Damaye, aldeid.com
       creator of pytbull-ng: Michal Chrobak,   efigo.pl

(standalone mode)
(offline)

+------------------------------------------------------------------------+
| pytbull will set off IDS/IPS alarms and/or other security devices |
| and security monitoring software. The user is aware that malicious |
| content will be downloaded and that the user should have been |
| authorized before running the tool. |
+------------------------------------------------------------------------+

BASIC CHECKS

Checking root privileges.........................................[ OK ]
Checking remote port 21/tcp (FTP)................................[ Failed ]

***ERROR: [Errno 110] Operation timed out
Port 21/tcp seems to be closed
Install FTP on the remote host: sudo apt-get install vsftpd
real 2m 11.11s
user 0m 1.30s
sys 0m 0.11s

Start: Mon May 31 13:26:16 UTC 2021
End: Mon May 31 13:30:36 UTC 2021
adminjmy@pytbull-attacker:~$

Virtual machines as docker hosts are not a problem; I also have two VMs (on qemu/KVM). Maybe there is some problem with the VM configuration, especially with the network configuration. I took a look on Google and probably it is a case involving the network interface:

  1. https://superuser.com/questions/1343250/is-it-possible-to-attach-docker-containers-inside-ubuntu-virtualbox-to-phyical-n
  2. https://forums.docker.com/t/why-is-promiscuous-mode-needed-for-macvlan-driver/37416
    Could you verify it? If it is not this case, we continue debugging.

To test if ports on the victim are open, please use a different machine than the docker host of that container - in my environment it didn't work, but every other host can connect to the victim, just not the docker host of the victim. That is how macvlan works.

Hi netrunn3r, thank you so much for your answer and your time.
In the links that you shared with me I found the solution to my problem: I have to enable promiscuous mode in the VirtualBox network adapter and also in the OS.

Inside Ubuntu, we just have to execute the command sudo ip link set promisc on and that was all, it works.

Thank you so much for your help.

The problem got solved by executing sudo ip link set interface promisc on inside the OS.
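
The fix above (promiscuous mode on the macvlan parent) and the network setup netrunn3r describes earlier in the thread (docker network create -d macvlan ... -o parent=<iface>) can be checked before starting the victim container. The following is an added example, not code from pytbull-ng or from anyone in this thread: it reads the parent interface from docker network inspect output, looks that interface up in ip -o link show output, and reports whether the PROMISC flag is set. The JSON and ip output samples are constructed; the report keys, the net_example name and the live_report helper are the example's own.

```python
"""Pre-flight check for a docker macvlan parent interface.

Added example, not part of pytbull-ng or of this thread. It reads the parent
interface from `docker network inspect` output and checks `ip -o link show`
for the PROMISC flag that this thread identified as the missing piece on a
VirtualBox guest. The two sample outputs below are constructed for the example.
"""
import json
import re
import subprocess
from typing import Dict, Optional, Set

# Matches the first part of each `ip link` entry, e.g.
# 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP ...
# The optional "@parent" part covers child interfaces such as "macvlan0@enp0s8".
LINK_RE = re.compile(r"^\d+: (?P<name>[^:@\s]+)(?:@\S+)?: <(?P<flags>[^>]*)>")


def parent_interface(inspect_output: str) -> Optional[str]:
    """Return the macvlan parent named in `docker network inspect <net>` JSON."""
    for net in json.loads(inspect_output):
        if net.get("Driver") == "macvlan":
            return net.get("Options", {}).get("parent")
    return None


def link_flags(ip_link_output: str, iface: str) -> Optional[Set[str]]:
    """Return the flag set of `iface` from `ip link` text, or None if it is absent."""
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line)
        if m and m.group("name") == iface:
            return set(filter(None, m.group("flags").split(",")))
    return None


def macvlan_parent_report(inspect_output: str, ip_link_output: str) -> Dict[str, object]:
    """Combine both outputs into a verdict plus the command that would fix it."""
    parent = parent_interface(inspect_output)
    flags = link_flags(ip_link_output, parent) if parent else None
    report: Dict[str, object] = {
        "parent": parent,
        "found": flags is not None,
        "up": bool(flags and "UP" in flags),
        "promisc": bool(flags and "PROMISC" in flags),
        "remedy": None,
    }
    if parent and flags is not None and not report["promisc"]:
        # The same command the thread ended with, with the parent filled in.
        report["remedy"] = f"sudo ip link set {parent} promisc on"
    return report


def live_report(network: str) -> Dict[str, object]:
    """Run the two commands on this host (Linux with docker and iproute2 installed)."""
    inspect = subprocess.run(["docker", "network", "inspect", network],
                             capture_output=True, text=True, check=True).stdout
    links = subprocess.run(["ip", "-o", "link", "show"],
                           capture_output=True, text=True, check=True).stdout
    return macvlan_parent_report(inspect, links)


# Constructed sample: a macvlan network whose parent is enp0s8, trimmed to the
# fields the check reads.
SAMPLE_INSPECT = json.dumps([{
    "Name": "net_example",
    "Driver": "macvlan",
    "IPAM": {"Config": [{"Subnet": "192.168.0.0/24", "Gateway": "192.168.0.1"}]},
    "Options": {"parent": "enp0s8"},
}])

# Constructed `ip -o link show` output before and after enabling promiscuous mode.
SAMPLE_LINKS_BEFORE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 08:00:27:37:61:56 brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_LINKS_AFTER = SAMPLE_LINKS_BEFORE.replace("MULTICAST,UP", "MULTICAST,PROMISC,UP")

if __name__ == "__main__":
    for label, links in (("before", SAMPLE_LINKS_BEFORE), ("after", SAMPLE_LINKS_AFTER)):
        print(label, macvlan_parent_report(SAMPLE_INSPECT, links))
```

The guest-side flag is only half of the fix this thread arrived at: the hypervisor must also allow promiscuous mode on that adapter (the VirtualBox setting juanmay1 changed), and nothing inside the guest can observe that setting. A report with promisc set to True but ARP entries for the container still showing as incomplete from other hosts points at the hypervisor side. Also keep netrunn3r's caveat in mind when testing: the docker host itself cannot reach its own macvlan containers, so run the connectivity check from another machine.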

I am glad to hear that it resolved your problem. Cases like this are very important to me, because they identify problems in different environments, so other users can avoid problems like those. And if someone submits an issue it means that someone is using pytbull-ng, and I have more motivation to work on it :)

Thank you so much, pytbull is helping me with my Master's degree research; also, using this new approach of pytbull opened my mind to working with new technologies like docker. Thank you so much, I hope in the future to make new contributions to this tool.