LLDP Info

[rdub]

Not sure if this is the right place to discuss but I was able to get the shark to pull LLDP info from the device it is connected to and had it email me the results. It is taking about 64 seconds to go from plugging in to reading the email with the info I need to be able to find the switch a wall port is connected to. I am however bad at formatting the data, any tips or materials to help with formatting the data would be handy.

I had to install a few packages first, mailsend and lldpd. Anyone know of more light weight ways to do this I am all ears...

After those were installed I setup a payload to wait until it got an IP to run the commands for LLDP and email it to me. This includes the IP the shark pulled from DHCP, LLDP info like the switch port ID, switch management IP, switch model and version.

 

[Topknot]

You and I have similar ideas. Here is how to do the email side. Interested to see what you come up with on the LLDP side.
https://forum.openwrt.org/t/openwrt-how-to-send-mail-with-attachment-with-mutt-and-msmtp-gmail/45844

I have followed this guide and email is working for me.

[rdub]

Oh, I already have it all working! I installed lldpd with opkg. Then I run the command "lldpcli show neighbor detail" and out it to a txt file that gets sent along as the body of the email. 

[Topknot]

That's excellent! I'm going to add that to the nmap script from MonsieurMarc that I modified. (replaced pastebin exfiltration and with email.) Thanks for the info!

I would be interested to see what you payload looks like if you are alright with sharing. 🙂

[Darren Kitchen]

Likewise... 

I'm also keen on writing some payload snippets or extensions to ease exfiltration via email & http posts for sites like pastebin similar to how easy it is to exfil to Cloud C2 with a command like:

C2EXFIL STRING $log_file Payload-Name 

[rdub]

Here are the snippets from my payload for this task. This all assumes that you have installed LLDPD and MAILSEND already. I used the SSH server payload to get the shark online and installed them that way.

LED SETUP
NETMODE DHCP

#Enable SSH Server
/etc/init.d/sshd start

sleep 10
#Wait for an IP Address and Add this IP info to the loot file - stolen from other script by darren.
while ! ifconfig eth0| grep "inet addr" >> /root/loot/info.txt; do sleep 1;done

LED ATTACK
sleep 2

#Assign LLDPD to eth0 - found without this it would fail
lldpd -I eth0
sleep 2

#Restart the LLDPD service - found it would fail without this
/etc/init.d/lldpd restart
sleep 2

#Copy LLDP info to LOOT file - this is where I could use help formatting the data.
lldpcli show neighbor detail > /root/loot/info.txt
sleep 2
#Send email with the info from LOOT file to the EMAILADD 
mailsend -to toADDRESS -from fromADDRESS -starttls -port 587 -auth -smtp SMTPADDRESS -sub "SUBJECT LINE GOES HERE" -mime-type text/plain -msg-body /root/loot/info.txt -v -user fromADDRESSUSER -pass "fromADDRESSPASSWORD"
sleep 1
LED FINISH

 

In the end I get an email with this in the body. It needs some work to clean it up with only the data that is useful.

 inet addr:10.8.29.169  Bcast:10.8.31.255  Mask:255.255.252.0

-------------------------------------------------------------------------------
LLDP neighbors:
-------------------------------------------------------------------------------
Interface:    eth0, via: LLDP, RID: 1, Time: 0 day, 00:00:01
  Chassis:     
    ChassisID:    mac 50:65:f3:9a:3e:a0
    SysName:      017-156-12506
    SysDescr:     HP J9774A 2530-8G-PoEP Switch, revision YA.15.12.0015, ROM YA.15.12 (/ws/swbuildm/YA_rel_knoxville_qaoff/code/build/lakes(swbuildm_YA_rel_knoxville_qaoff_rel_knoxville))
    MgmtIP:       10.8.0.45
    Capability:   Bridge, on
  Port:       
    PortID:       local 6
    PortDescr:    6
    TTL:          120
    PMD autoneg:  supported: yes, enabled: yes
      Adv:          10Base-T, HD: yes, FD: yes
      Adv:          100Base-TX, HD: yes, FD: yes
      Adv:          1000Base-T, HD: no, FD: yes
      MAU oper type: 100BaseTXFD - 2 pair category 5 UTP, full duplex mode
    MDI Power:    supported: yes, enabled: yes, pair control: no
      Device type:  PSE
      Power pairs:  signal
      Class:        class 0
  VLAN:         17, pvid: yes
  LLDP-MED:   
    Device Type:  Network Connectivity Device
    Capability:   Capabilities, yes
    Capability:   Policy, yes
    Capability:   Location, yes
    Capability:   MDI/PSE, yes
-------------------------------------------------------------------------------

 

 

[Jason_Meredith]

This is exactly what I'm looking for!  We have been looking for a way to check ports around the school to see what VLANs are assigned easily.

Does anyone have a git for this yet?

the C2 option also looks like it could work!  

a BLE connection to a dashboard app that could be displayed on your mobile device would be  supa cool 🙂  

[Flatlinebb]

@Jason_Meredith

Like this? https://github.com/hak5/sharkjack-payloads/tree/master/payloads/library/recon/Network-Recon-With-Email-Exfil

[ktdt00]

This works really well for me after setting the interface and restarting the service per above BUT I usually have to wait 25-30 seconds after the restart before "show neighbors" will return anything. Has anyone else seen this? Thanks!