
The book "Security Audit Information Systems"

The book by Nikita Skabtsov (Master of CS, ten years of experience as an information security engineer, lecturer in computer networks and operating systems; certificates: CEH, CCSA, LPIC, MCITP) discusses methods of bypassing the security systems of network services and penetrating open information systems. Information security, like much in our world, is a coin with two sides. On the one hand, we conduct an audit, look for ways to penetrate and even apply them in practice; on the other, we work on protection. Penetration tests are part of the normal life cycle of any IT infrastructure, and they allow you to realistically assess potential risks and identify hidden problems.

Passive traffic interception


Passive interception is the easiest and safest way to capture data. This method works in networks that share a common transmission medium (ring topology, wireless networks), as well as in networks built on hubs.

Consider intercepting data using Wireshark. Wireshark is a free software product for Windows and Linux that allows you to intercept, filter, analyze and save network traffic. It is used not only by information security experts, but also by network administrators - for example, in order to identify and fix problems that arise during the operation of network services.

Now we will demonstrate the capabilities of Wireshark to intercept and analyze traffic. Let's start Wireshark and select the monitoring interface from the list, in our case it will be eth0.
image

After selecting the interface, data collection will begin. At the beginning of the chapter, we mentioned that monitoring traffic in wireless networks is quite simple. So it is - in order to view data from all computers of the wireless network, simply select the desired interface.

After you have collected the right amount of data, stop collecting the packets. Now you can save them for later analysis or start it immediately.

In a couple of minutes we collected almost 20,000 packets, and that with minimal traffic on the network. Of course, viewing such a number of packets manually is a very laborious task, and Wireshark provides various filters to make it easier.

image

Let's filter a user's requests to the site lenta.ru. We start with the DNS query, since it will always come first (dns.qry.name contains "lenta.ru").

image

After applying the filter, we see a complete, consistent history of the browser's requests and the DNS server's responses. Now, knowing the IP address with which further communication will take place, let's create the appropriate filter (ip.addr == 81.19.72.38).

image

So, we saw a complete, standard picture of communication: a DNS request and response, a three-way "handshake" and the start of data transfer. Moreover, we saw the contents of the packets.

As you can see in Fig. 8.5, the number of filtered packets is 2283. Each of them carries only a small piece of data, and it is quite difficult to understand what information they contain. To make this easier, Wireshark offers a convenient feature: following a particular stream of data. In the case of HTTP, select "Follow HTTP stream".

image

It should be noted that you will not always have access to a graphical interface, so we recommend that you familiarize yourself with another tool that appeared before Wireshark: tcpdump. If you simply run tcpdump, all the information is displayed in real time, which makes it practically unsuitable for later analysis:

    root@kali:~# tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    11:46:47.867683 IP kali.57728 > ec2-52-43-198-160.us-west-2.compute.amazonaws.com.https: Flags [.], ack 1406161060, win 40880, length 0
    11:46:47.868400 IP ec2-52-43-198-160.us-west-2.compute.amazonaws.com.https > kali.57728: Flags [.], ack 1, win 64240, length 0
    11:46:47.870762 IP kali.53588 > gateway.domain: 6423+ PTR? 160.198.43.52.in-addr.arpa. (44)
    11:46:47.942135 IP gateway.domain > kali.53588: 6423 1/0/0 PTR ec2-52-43-198-160.us-west-2.compute.amazonaws.com. (107)
    11:46:47.943079 IP kali.53170 > gateway.domain: 29504+ PTR? 129.126.168.192.in-addr.arpa. (46)
    11:46:48.005087 IP gateway.domain > kali.53170: 29504 NXDomain 0/0/0 (46)
    11:46:48.012487 IP kali.34133 > gateway.domain: 9564+ PTR? 2.126.168.192.in-addr.arpa. (44)
    11:46:48.073047 IP gateway.domain > kali.34133: 9564 NXDomain 0/0/0 (44)
    11:46:48.699462 IP kali.54070 > ec2-52-32-150-180.us-west-2.compute.amazonaws.com.https: Flags [.], ack 101222386, win 40880, length 0
    11:46:48.701314 IP kali.51078 > gateway.domain: 2872+ PTR? 180.150.32.52.in-addr.arpa. (44)
    ...

It is much better to save everything to a file: this simplifies data collection and makes it possible to analyze the traffic later, at any time convenient for you.

    root@kali:~# tcpdump -w /root/tcpump.cap
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C3821 packets captured
    3828 packets received by filter
    0 packets dropped by kernel

To analyze the data you can use Wireshark, but since we are working in the console, we will be consistent and give an example of data analysis in the console. Let's look at all the IP addresses and ports with which connections took place:

    root@kali:~# tcpdump -n -r /root/tcpump.cap | awk -F" " '{ print $3}' | sort -u | head
    reading from file /root/tcpump.cap, link-type EN10MB (Ethernet)
    136.243.75.5.80
    138.201.8.34.80
    138.201.8.95.80
    144.76.164.182.80
    144.76.28.230.80
    144.76.62.5.80
    173.194.122.218.80
    173.194.32.186.443
    178.250.0.80.80
    178.250.2.77.80

From this output we can see which addresses were contacted most often. Now let's filter the traffic based on this information.

    root@kali:~# tcpdump -n src host 138.201.8.34 -r /root/tcpump.cap
    reading from file /root/tcpump.cap, link-type EN10MB (Ethernet)
    11:59:01.590002 IP 138.201.8.34.80 > 192.168.126.129.44236: Flags [S.], seq 1793877133, ack 236733408, win 64240, options [mss 1460], length 0
    11:59:01.594853 IP 138.201.8.34.80 > 192.168.126.129.44238: Flags [S.], seq 1094285691, ack 3332638160, win 64240, options [mss 1460], length 0
    11:59:01.594994 IP 138.201.8.34.80 > 192.168.126.129.44236: Flags [.], ack 1461, win 64240, length 0
    11:59:01.595001 IP 138.201.8.34.80 > 192.168.126.129.44236: Flags [.], ack 1537, win 64240, length 0
    ...
    root@kali:~# tcpdump -n dst host 138.201.8.34 -r /root/tcpump.cap
    reading from file /root/tcpump.cap, link-type EN10MB (Ethernet)
    11:59:01.475932 IP 192.168.126.129.44236 > 138.201.8.34.80: Flags [S], seq 236733407, win 29200, options [mss 1460,sackOK,TS val 144778 ecr 0,nop,wscale 7], length 0
    11:59:01.476078 IP 192.168.126.129.44238 > 138.201.8.34.80: Flags [S], seq 3332638159, win 29200, options [mss 1460,sackOK,TS val 144778 ecr 0,nop,wscale 7], length 0
    11:59:01.590025 IP 192.168.126.129.44236 > 138.201.8.34.80: Flags [.], ack 1793877134, win 29200, length 0
    11:59:01.590665 IP 192.168.126.129.44236 > 138.201.8.34.80: Flags [.], seq 0:1460, ack 1, win 29200, length 1460: HTTP: GET /tag?event=otherPage&check=true&__location=http%3A%2F%2Fwww.tez-tour.com%2F&__referrer=&__title=%D0%9F%D1%83%D1%82%D0%B5%D0%B2%D0%BA%D0%B8%20%D0%B2%20%D0%93%D1%80%D0%B5%D1%86%D0%B8%D1%8E%2C%20%D0%9A%D0%B8%D0%BF%D1%80%2C%20%D0%9E%D0%90%D0%AD%2C%20%D0%A ...
    root@kali:~# tcpdump -n port 80 -r /root/tcpump.cap
    reading from file /root/tcpump.cap, link-type EN10MB (Ethernet)
    11:58:57.800214 IP 192.168.126.129.40306 > 93.184.220.29.80: Flags [S], seq 3231467275, win 29200, options [mss 1460,sackOK,TS val 143859 ecr 0,nop,wscale 7], length 0
    11:58:57.902747 IP 192.168.126.129.40308 > 93.184.220.29.80: Flags [S], seq 3445184571, win 29200, options [mss 1460,sackOK,TS val 143884 ecr 0,nop,wscale 7], length 0
    11:58:57.909838 IP 93.184.220.29.80 > 192.168.126.129.40306: Flags [S.], seq 3702388, ack 3231467276, win 64240, options [mss 1460], length 0
    11:58:57.909911 IP 192.168.126.129.40306 > 93.184.220.29.80: Flags [.], ack 1, win 29200, length 0
    11:58:57.910923 IP 192.168.126.129.40306 > 93.184.220.29.80: Flags [P.], seq 1:430, ack 1, win 29200, length 429: HTTP: POST / HTTP/1.1
    11:58:57.911421 IP 192.168.126.129.40310 > 93.184.220.29.80: Flags [S], seq 1472664795, win 29200, options [mss 1460,sackOK,TS val 143886 ecr 0,nop,wscale 7], length 0
    11:58:57.914620 IP 93.184.220.29.80 > 192.168.126.129.40306: Flags [.], ack 430, win 64240, length 0
    ...
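The same bookkeeping that the awk pipeline and the src host / dst host / port selections above perform can be done offline over tcpdump's one-line summaries. The following is an added example and not code from the book; its sample lines are constructed after the output format shown in this chapter, and the "192.168." prefix used to tell local from remote addresses is an assumption about the lab network.

```python
"""Offline analysis of `tcpdump -n` summary lines: the unique-source list the
awk pipeline produces, the src host / dst host / port selections, and a
per-peer packet count. SAMPLE is constructed after the chapter's output
format; it is not a real capture."""
import re
from collections import Counter

SAMPLE = """\
reading from file /root/tcpump.cap, link-type EN10MB (Ethernet)
11:58:57.026917 IP 192.168.126.129.60358 > 192.168.126.2.53: 61944+ A? self-repair.mozilla.org. (41)
11:58:57.800214 IP 192.168.126.129.40306 > 93.184.220.29.80: Flags [S], seq 3231467275, win 29200, length 0
11:59:01.475932 IP 192.168.126.129.44236 > 138.201.8.34.80: Flags [S], seq 236733407, win 29200, length 0
11:59:01.590002 IP 138.201.8.34.80 > 192.168.126.129.44236: Flags [S.], seq 1793877133, ack 236733408, win 64240, length 0
11:59:01.590665 IP 192.168.126.129.44236 > 138.201.8.34.80: Flags [P.], seq 1:1461, ack 1, win 29200, length 1460: HTTP: GET / HTTP/1.1
"""

# tcpdump joins address and port with a dot ("ip.port"), so the last dotted
# component of each endpoint is the port.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def parse_line(line):
    """Split one summary line into fields; None for non-packet lines such as
    'reading from file ...'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    fm = FLAGS_RE.search(rec["rest"])
    rec["flags"] = fm.group(1) if fm else None   # None for UDP/DNS lines
    return rec


def packets(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def unique_sources(text):
    """Equivalent of `awk '{print $3}' | sort -u`: every source ip.port once."""
    return sorted({f"{p['src']}.{p['sport']}" for p in packets(text)})


def select(text, src_host=None, dst_host=None, port=None):
    """Equivalent of the `src host X`, `dst host X` and `port N` filters."""
    out = []
    for p in packets(text):
        if src_host and p["src"] != src_host:
            continue
        if dst_host and p["dst"] != dst_host:
            continue
        if port and port not in (p["sport"], p["dport"]):
            continue
        out.append(p)
    return out


def remote_peers(text, local_prefix="192.168."):
    """Packets per remote endpoint regardless of direction: a quick
    'who did this host talk to, and how much' view of a capture."""
    counts = Counter()
    for p in packets(text):
        if p["src"].startswith(local_prefix):
            counts[f"{p['dst']}:{p['dport']}"] += 1
        else:
            counts[f"{p['src']}:{p['sport']}"] += 1
    return counts


if __name__ == "__main__":
    print(unique_sources(SAMPLE))
    print(remote_peers(SAMPLE).most_common(3))
```

Feed it `tcpdump -n -r capture.cap` output redirected to a file and remote_peers() gives the same "who was contacted most" answer as the sort/head pipeline, with counts attached.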

Next, let's look at the information that was transmitted over the network at the time of capture. Here we see it in hex form, but this does not prevent us from obtaining the data we need.

    root@kali:~# tcpdump -nX -r /root/tcpump.cap
    reading from file /root/tcpump.cap, link-type EN10MB (Ethernet)
    11:58:57.026917 IP 192.168.126.129.60358 > 192.168.126.2.53: 61944+ A? self-repair.mozilla.org. (41)
        0x0000:  4500 0045 7b58 4000 4011 417b c0a8 7e81  E..E{X@.@.A{..~.
        0x0010:  c0a8 7e02 ebc6 0035 0031 baef f1f8 0100  ..~....5.1......
        0x0020:  0001 0000 0000 0000 0b73 656c 662d 7265  .........self-re
        0x0030:  7061 6972 076d 6f7a 696c 6c61 036f 7267  pair.mozilla.org
    ...
    11:58:59.459884 IP 192.168.126.129.39468 > 194.165.24.241.80: Flags [P.], seq 1:873, ack 1, win 29200, length 872: HTTP: GET / HTTP/1.1
        0x0000:  4500 0390 3741 4000 4006 e566 c0a8 7e81  E...7A@.@..f..~.
        0x0010:  c2a5 18f1 9a2c 0050 f298 04bc 2c12 6d3b  .....,.P....,.m;
        0x0020:  5018 7210 e0d2 0000 4745 5420 2f20 4854  Pr....GET./.HT
        0x0030:  5450 2f31 2e31 0d0a 486f 7374 3a20 7777  TP/1.1..Host:.ww
        0x0040:  772e 7465 7a2d 746f 7572 2e63 6f6d 0d0a  w.tez-tour.com..
        0x0050:  5573 6572 2d41 6765 6e74 3a20 4d6f 7a69  User-Agent:.Mozi
        0x0060:  6c6c 612f 352e 3020 2858 3131 3b20 4c69  lla/5.0.(X11;.Li
        0x0070:  6e75 7820 6936 3836 3b20 7276 3a34 352e  nux.i686;.rv:45.
        0x0080:  3029 2047 6563 6b6f 2f32 3031 3030 3130  0).Gecko/2010010
        0x0090:  3120 4669 7265 666f 782f 3435 2e30 0d0a  1.Firefox/45.0..
        0x00a0:  4163 6365 7074 3a20 7465 7874 2f68 746d  Accept:.text/htm
        0x00b0:  6c2c 6170 706c 6963 6174 696f 6e2f 7868  l,application/xh
        0x00c0:  746d 6c2b 786d 6c2c 6170 706c 6963 6174  tml+xml,applicat
        0x00d0:  696f 6e2f 786d 6c3b 713d 302e 392c 2a2f  ion/xml;q=0.9,*/
        0x00e0:  2a3b 713d 302e 380d 0a41 6363 6570 742d  *;q=0.8..Accept-
        0x00f0:  4c61 6e67 7561 6765 3a20 656e 2d55 532c  Language:.en-US,
        0x0100:  656e 3b71 3d30 2e35 0d0a 4163 6365 7074  en;q=0.5..Accept
        0x0110:  2d45 6e63 6f64 696e 673a 2067 7a69 702c  -Encoding:.gzip,
        0x0120:  2064 6566 6c61 7465 0d0a 436f 6f6b 6965  .deflate..Cookie
    ...
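To show what those hex columns actually contain, here is an added example (not code from the book) that turns the `tcpdump -nX` dump of the DNS query above back into bytes and decodes the IPv4, UDP and DNS headers from it. The dump covers 64 of the packet's 69 bytes because the chapter elides the final line, so the decoder reports the query name as incomplete instead of failing on the missing terminator; everything else it prints (addresses, ports, DNS ID 61944) can be checked against the summary line.

```python
"""Decode a `tcpdump -X` hex dump back into IPv4 / UDP / DNS fields.
DNS_DUMP is the four dump lines shown in the chapter for the query to
self-repair.mozilla.org; the fifth line (with the name's 0 terminator,
QTYPE and QCLASS) is elided there, so the packet is truncated."""
import re
import struct

DNS_DUMP = """\
0x0000:  4500 0045 7b58 4000 4011 417b c0a8 7e81  E..E{X@.@.A{..~.
0x0010:  c0a8 7e02 ebc6 0035 0031 baef f1f8 0100  ..~....5.1......
0x0020:  0001 0000 0000 0000 0b73 656c 662d 7265  .........self-re
0x0030:  7061 6972 076d 6f7a 696c 6c61 036f 7267  pair.mozilla.org
"""

HEX_GROUP = re.compile(r"(?:[0-9a-f]{2}){1,2}")   # "4500" or a lone "45"


def hexdump_to_bytes(dump):
    """Collect the hex column of each 'offset:  hex...  ascii' line.
    tcpdump prints at most eight 16-bit groups per line, so only the first
    eight tokens after the offset are considered; the ASCII column never
    reaches them."""
    data = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        for tok in line.split(":", 1)[1].split()[:8]:
            if not HEX_GROUP.fullmatch(tok):
                break
            data += bytes.fromhex(tok)
    return bytes(data)


def parse_ipv4(pkt):
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (vihl & 0x0F) * 4                      # header length in bytes
    return {"version": vihl >> 4, "ihl": ihl, "total_len": total_len,
            "ttl": ttl, "proto": proto,
            "src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20]),
            "payload": pkt[ihl:]}


def parse_udp(seg):
    sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport, "length": length, "payload": seg[8:]}


def parse_dns_query(msg):
    """Header plus the first question name. Stops cleanly if the data ends
    before the name's terminating zero label."""
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    labels, pos, complete = [], 12, False
    while pos < len(msg):
        n = msg[pos]
        if n == 0:                       # end of name
            complete = True
            break
        if n & 0xC0:                     # compression pointer: not valid in a query name
            break
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return {"id": ident, "rd": bool(flags & 0x0100), "qdcount": qdcount,
            "qname": ".".join(labels), "name_complete": complete}


def decode(dump):
    pkt = hexdump_to_bytes(dump)
    ip = parse_ipv4(pkt)
    if ip["proto"] != 17:
        raise ValueError("example expects a UDP packet")
    udp = parse_udp(ip["payload"])
    dns = parse_dns_query(udp["payload"])
    return {"bytes_in_dump": len(pkt), "ip": ip, "udp": udp, "dns": dns}


if __name__ == "__main__":
    d = decode(DNS_DUMP)
    print(d["ip"]["src"], "->", d["ip"]["dst"], "udp", d["udp"]["sport"], "->", d["udp"]["dport"])
    print("DNS id", d["dns"]["id"], "qname", d["dns"]["qname"], "complete:", d["dns"]["name_complete"])
```

The same three parsers work on any `-X` dump of a UDP datagram; for the TCP request further down the page only parse_udp would need replacing with a TCP header parser (ports, sequence numbers and the flag byte at offset 13).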

And here we have found the connection we are interested in, with tez-tour.com. But there is still a lot of data. To simplify the task, we use tcpdump's built-in header filtering. We are interested only in packets with the PSH and ACK flags set.

image

The diagram above shows that the flags of interest, A and P, occupy the fourth and fifth bit positions, so in binary the flag byte looks like 00011000, which is 24 in decimal. Let's see what the filter looks like now:

    root@kali:~# tcpdump -A -n 'tcp[13] = 24' -r /root/tcpump.cap
    ...
    11:59:00.459252 IP 192.168.126.129.49290 > 144.76.62.5.80: Flags [P.], seq 2487328431:2487328798, ack 1891911515, win 29200, length 367: HTTP: GET /webim/button.php HTTP/1.1
    E.....@.@.."..~..L>....PA.pG[Pr:...GET /webim/button.php HTTP/1.1
    Host: teztourcom.webim.ru
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: image/png,image/*;q=0.8,*/*;q=0.5
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.tez-tour.com/
    Connection: keep-alive
    If-None-Match: "2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a"

    11:59:00.563800 IP 144.76.62.5.80 > 192.168.126.129.49290: Flags [P.], seq 1:276, ack 367, win 64240, length 275: HTTP: HTTP/1.1 200 OK
    E..;p........L>...~..P..pG[.A..P.......HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 10 Nov 2016 16:58:59 GMT
    Content-Type: image/gif
    Content-Length: 43
    Connection: keep-alive
    X-Webim-Version: 8.14.142
    Etag: "2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a"
    X-Time: 0.000

    GIF89a.............!.......,...........D..;
    11:59:00.839316 IP 192.168.126.129.54060 > 81.222.128.23.80: Flags [P.], seq 3867682114:3867682536, ack 387532615, win 29200, length 422: HTTP: GET /cgi-bin/erle.cgi?sid=204602&bt=62&custom=153%3Duser_id&ph=1&rnd=346920&tail256=unknown HTTP/1.1
    E.....@.@..q..~.Q....,.P..%B..GGP.r.-Y..GET /cgi-bin/erle.cgi?sid=204602&bt=62&custom=153%3Duser_id&ph=1&rnd=346920&tail256=unknown HTTP/1.1
    Host: ad.adriver.ru
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.tez-tour.com/
    Cookie: cid=AhKU-kniKHjQWpLwdDd1YpA; ar_g2=1; ar_go=1; 1d=1; ar_ord=1; ar_ya=1
    Connection: keep-alive
    ...
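The arithmetic behind `tcp[13] = 24`, as an added example that is not from the book: byte 13 of the TCP header holds the flag bits, so building that byte from flag names and decoding it back shows where the 24 comes from. It also makes visible a caveat the chapter's filter glosses over: an exact comparison selects only segments with PSH and ACK and nothing else, so a data segment that also carries ECE (ECN feedback) or FIN is skipped. The sample flag bytes at the end are constructed.

```python
"""TCP flag byte arithmetic for filters of the form tcp[13] = N."""

# Flag bits of TCP header byte 13, least significant bit first.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# Letters tcpdump prints in its "Flags [...]" column, in the order it prints them.
TCPDUMP_LETTERS = {"FIN": "F", "SYN": "S", "RST": "R", "PSH": "P",
                   "ACK": ".", "URG": "U", "ECE": "E", "CWR": "W"}


def flags_to_byte(*names):
    """flags_to_byte("PSH", "ACK") -> 0x18 == 24, the value in the filter."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name.upper()]
    return value


def byte_to_flags(value):
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def as_binary(value):
    """The 8-bit picture the chapter draws: 24 -> '00011000'."""
    return format(value, "08b")


def tcpdump_flag_string(value):
    """Render the byte the way tcpdump does, e.g. 24 -> 'P.', 18 -> 'S.'."""
    return "".join(TCPDUMP_LETTERS[n] for n in byte_to_flags(value))


def matches_exact(value, wanted):
    """tcp[13] = wanted: exactly these flags and no others."""
    return value == wanted


def matches_mask(value, wanted):
    """tcp[13] & wanted = wanted: at least these flags, others allowed."""
    return value & wanted == wanted


def classify(values, wanted=24):
    """For each flag byte: (selected by the exact filter, selected by the mask filter)."""
    return {tcpdump_flag_string(v): (matches_exact(v, wanted), matches_mask(v, wanted))
            for v in values}


# Constructed sample of flag bytes as they occur in an ordinary capture.
SAMPLE_FLAG_BYTES = [
    flags_to_byte("SYN"),                 # [S]   handshake start
    flags_to_byte("SYN", "ACK"),          # [S.]  handshake reply
    flags_to_byte("ACK"),                 # [.]   pure acknowledgement
    flags_to_byte("PSH", "ACK"),          # [P.]  data segment
    flags_to_byte("PSH", "ACK", "ECE"),   # [P.E] data segment with ECN feedback
    flags_to_byte("FIN", "PSH", "ACK"),   # [FP.] last data segment of a connection
]

if __name__ == "__main__":
    print(as_binary(24), tcpdump_flag_string(24))
    for flags, (exact, masked) in classify(SAMPLE_FLAG_BYTES).items():
        print(f"[{flags:4}] exact={exact!s:5} mask={masked}")
```

When the intent is "every segment carrying data", the mask form is the one to use; in pcap-filter syntax it can be written symbolically as `tcp[tcpflags] & (tcp-push|tcp-ack) = (tcp-push|tcp-ack)`, which selects the [P.E] and [FP.] segments that the exact comparison misses.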

Now the information is presented in a form that is much easier to read and analyze, isn't it?

Active interception


So far we have considered a network model in which all traffic goes not only from its origin to its destination but also arrives at our interface. Now consider the situation in which the attacker gets access to one of the ports of a switch. It does not matter whether this is physical access to the switch itself or a wall socket wired to network equipment in another room. What matters is that only the packets that are meant for it, and no others, arrive at the network interface.

One of the most popular ways to bypass this protection and make the switch behave like a hub, which lets us intercept all network traffic, is overflowing the CAM table.

Every CAM table has a finite size and holds the data that directs the right traffic to the right clients, namely MAC addresses, port numbers and VLAN membership information.

Overflowing this table means the switch can no longer process frames in its normal mode, and in order to provide clients with a minimum level of service it stops consulting the CAM table and starts working as a hub.

It should be noted that the table overflow is a continuous process: soon after it stops, the CAM table is cleared and the switch returns to normal operation.

To carry out an attack aimed at overflowing the CAM table with MAC addresses, one command is enough:

    root@kali:~# macof
    b2:f9:9e:6b:59:b4 69:69:f4:1:d:7d 0.0.0.0.17507 > 0.0.0.0.49697: S 1870663496:1870663496(0) win 512
    6b:df:e5:9:a8:1e c9:9c:3d:4b:21:d0 0.0.0.0.14408 > 0.0.0.0.45120: S 2106903632:2106903632(0) win 512
    8:80:82:19:60:ec d4:f7:fb:14:47:f5 0.0.0.0.13022 > 0.0.0.0.2854: S 708293972:708293972(0) win 512
    53:d4:80:73:dc:c4 d2:dd:5b:2d:32:b3 0.0.0.0.5752 > 0.0.0.0.1613: S 1815033319:1815033319(0) win 512
    c3:a0:33:5b:67:8b 58:d6:8f:5d:fd:63 0.0.0.0.975 > 0.0.0.0.37840: S 1285237419:1285237419(0) win 512
    81:86:99:13:d2:10 8f:37:86:2:ea:a6 0.0.0.0.30380 > 0.0.0.0.47351: S 447067260:447067260(0) win 512
    ee:df:dd:2f:f5:96 8b:62:89:38:fa:1a 0.0.0.0.31470 > 0.0.0.0.57504: S 1107960129:1107960129(0) win 512
    1f:d6:c1:1f:42:df 2d:ba:3e:6e:ca:29 0.0.0.0.28879 > 0.0.0.0.18191: S 753232608:753232608(0) win 512
    1a:93:a9:1:e1:31 2a:1a:bd:5e:d8:ce 0.0.0.0.4821 > 0.0.0.0.53112: S 437165546:437165546(0) win 512

Another way is to "poison" the ARP table. ARP tables on routers (and not only on routers) are used to map IP addresses to MAC addresses, which lets switches choose the most efficient path for traffic. What matters for us is that the broadcast packets used to build this table are not filtered in any way. Using this feature, an attacker can send fake data over the network and turn your computer into a hub.

Let's demonstrate this with Ettercap. Select the sniffing mode (Sniff → Unified sniffing...) and the interface we will work with (eth0) (Fig. 8.9).

image

We scan the network for available hosts (Hosts → Scan for hosts) (Fig. 8.10), then examine the list of discovered hosts (Hosts → Hosts list). Now there are two options: start an attack against every machine on the network, in which case nothing needs to be selected, or specify the targets of interest. In our case, we marked the router as target 1 and one of the computers as target 2 (Fig. 8.11).

Now let's start the attack by selecting Mitm → ARP poisoning from Ettercap's top menu (Fig. 8.12).
image

image
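The detection side of the ARP poisoning just described, as an added example that is not from the book: an arpwatch-style monitor that remembers which MAC has claimed each IP and alerts when a binding changes, when one MAC claims more than one IP (the signature of a single host impersonating both the router and a victim, as in the two-target setup above), or when a trusted binding for the gateway is contradicted. The ARP events and addresses are constructed for this example.

```python
"""ARP-poisoning detector: track IP -> MAC bindings seen in ARP replies and
flag suspicious changes. SAMPLE_ARP is a constructed sequence of
(time, sender_ip, sender_mac) tuples; the addresses are made up."""
from collections import defaultdict

GATEWAY_IP, GATEWAY_MAC = "192.168.126.2", "00:50:56:e3:7f:01"
VICTIM_IP, VICTIM_MAC = "192.168.126.130", "00:0c:29:ab:cd:ef"
ATTACKER_MAC = "00:0c:29:9a:54:a5"

SAMPLE_ARP = [
    (0, GATEWAY_IP, GATEWAY_MAC),    # genuine gateway reply
    (1, VICTIM_IP, VICTIM_MAC),      # genuine host reply
    (2, GATEWAY_IP, GATEWAY_MAC),
    (30, GATEWAY_IP, ATTACKER_MAC),  # attacker claims the gateway's IP ...
    (30, VICTIM_IP, ATTACKER_MAC),   # ... and the victim's IP at the same time
    (31, GATEWAY_IP, ATTACKER_MAC),  # poisoning is repeated to keep caches stale
]


class ArpWatch:
    def __init__(self, trusted=None):
        self.trusted = dict(trusted or {})   # ip -> mac that must never change
        self.ip_to_mac = {}                  # last MAC seen for each IP
        self.mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
        self.alerts = []

    def observe(self, t, ip, mac):
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            self.alerts.append((t, "changed", ip, prev, mac))
        self.ip_to_mac[ip] = mac
        # A trusted binding fires on every contradicting reply, including the
        # first one: without it an attacker who is seen first would be accepted.
        if self.trusted.get(ip, mac) != mac:
            self.alerts.append((t, "trusted-violation", ip, mac))
        claimed = self.mac_to_ips[mac]
        if claimed and ip not in claimed:
            self.alerts.append((t, "multi-ip", mac, tuple(sorted(claimed | {ip}))))
        claimed.add(ip)


def run(events, trusted=None):
    """Feed ARP events through the watcher and return the alerts raised."""
    watch = ArpWatch(trusted)
    for t, ip, mac in events:
        watch.observe(t, ip, mac)
    return watch.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_ARP, trusted={GATEWAY_IP: GATEWAY_MAC}):
        print(alert)
```

In practice the events come from a capture filter such as `arp` in tcpdump or Wireshark; the "trusted" dictionary corresponds to static ARP entries for the gateway, and a switch feature such as Dynamic ARP Inspection applies the same binding check on the wire.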


One more problem should be mentioned. Most likely, even if you gain access to one of the network ports, you will still not get into the network, since all modern switches can restrict access by MAC address. However, you can always change the MAC address of your computer as follows:

    root@kali:~# ifconfig eth0 down
    root@kali:~# macchanger -r eth0
    Current MAC:   00:0c:29:9a:54:a5 (VMware, Inc.)
    Permanent MAC: 00:0c:29:9a:54:a5 (VMware, Inc.)
    New MAC:       6a:66:b0:89:af:63 (unknown)
    root@kali:~# ifconfig eth0 up

Summary


In order to intercept information, or sniff, you need a network adapter, special drivers (with standard drivers you are unlikely to achieve much) and software such as Wireshark.

Remember that there are two types of networks. In some, all passing data is available to every user; in others, only to the addressee. The first type includes wireless networks and networks built on hubs; here intercepting data is not difficult. You need to install the necessary driver and run a sniffer, which will collect all passing traffic.

The second type includes networks built on switches. To intercept traffic on a switch, you need to gain access to all the data passing through it. One way to achieve this is to overflow the switch's CAM table with MAC addresses.

Using broadcast packets, you can change the ARP table of the victim's computer and of the switch. They will treat your device as part of the path, and all traffic will go through you; you only need to collect it!

Raw network data is very inconvenient to read, but Wireshark contains powerful filtering tools. Explore and use them to find the information you need in a vast array of data.

Remember that it is not enough just to plug a cable into the switch: it may refuse to let you into the network, and you will need to change the MAC address of your network card.

» More information about the book can be found on the publisher's website.
» Table of Contents
» Excerpt

For Habr readers: a 20% discount coupon, "Information Security".

Source: https://habr.com/ru/post/337714/

