Book "Security Audit of Information Systems"

    Nikita Skabtsov's book (master's degree in computer science, 10 years of experience as an information security engineer, teacher of computer networks and operating systems; certifications: CEH, CCSA, LPIC, MCITP) discusses methods of bypassing the security mechanisms of network services and penetrating open information systems. Information security, like much in our world, is a coin with two sides. On one side we audit: we look for ways in and even put them into practice; on the other, we work on defence. Penetration tests are part of the normal life cycle of any IT infrastructure: they let you assess the real risks and surface hidden problems.

    Passive traffic interception


    This is the easiest and safest way to intercept data: the sniffer only listens and transmits nothing, so there is nothing for the target to notice. It works in networks where all stations share the same transmission medium (ring topologies, wireless networks) and in networks built on hubs, because there every frame reaches every interface.

    Let us look at intercepting data with Wireshark. Wireshark is a free tool for Windows, Linux and macOS that captures, filters, analyses and saves network traffic. It is used not only by security specialists but also by network administrators, for example to find and fix problems in the operation of network services. On Linux, add your user to the wireshark group (which grants the capture privileges to the dumpcap helper) rather than running the whole GUI as root.

    Let us demonstrate how Wireshark captures and analyses traffic. Start Wireshark and pick the interface to monitor from the list; in our case it is eth0.

    [image: selecting the capture interface in Wireshark]

    Capture starts as soon as the interface is selected. At the beginning of the chapter we mentioned that monitoring traffic in wireless networks is simple. It is, with two caveats. To see frames addressed to other stations, the wireless adapter must be put into monitor mode (a normal managed-mode interface shows you only your own traffic); in Wireshark this is an option in the capture settings, provided the driver supports it. And on a network protected by WPA2-Personal you will only see decrypted payloads if you know the pre-shared key and have captured each client's four-way handshake (Wireshark decrypts with the keys entered under Edit > Preferences > Protocols > IEEE 802.11); on WPA2-Enterprise and WPA3 networks every client has its own session key, so other users' traffic cannot be read passively at all. On an open network, or once the key is entered, it really is enough to select the interface.

    Once you have collected enough data, stop the capture. You can then save the packets for later analysis or start analysing right away.

    In a couple of minutes we collected almost 20,000 packets, even though traffic on the network was minimal. Looking through that many packets by hand is obviously very time-consuming, and Wireshark has display filters to make it easier.

    [image: captured packets in the Wireshark packet list]

    Let us pick out the user's requests to the site lenta.ru. Start with the DNS query, since it always comes first: dns.qry.name contains "lenta.ru".

    [image: DNS display filter applied]

    With the filter applied we see the complete, ordered history of the browser's DNS queries and the server's responses. Now that we know the IP address the subsequent communication will go to, create the corresponding filter: ip.addr == 81.19.72.38.

    [image: ip.addr display filter applied]

    So we saw the complete, standard picture of a connection: the DNS query and response, the TCP three-way handshake and the start of data transfer. Moreover, we saw the contents of the packets.

    As you can see in fig. 8.5, the number of filtered packets is 2283. Each carries only a small piece of the data, so it is hard to tell what information they contain. To make this easier, Wireshark can reassemble a specific stream: right-click a packet and choose Follow > HTTP Stream (or TCP Stream) to see the whole request and response as text. Keep in mind that this only yields readable content for plaintext protocols; an HTTPS session reassembles into a TLS exchange whose application data stays encrypted unless you supply the session keys (for example from an SSLKEYLOGFILE written by a browser you control).

    [image: Follow HTTP Stream]

    Bear in mind that you will not always have a graphical interface, so we recommend getting familiar with an older tool that predates Wireshark: tcpdump. Run tcpdump with no arguments and everything is printed in real time, which makes the output practically unusable for analysis. Note also that the PTR queries in the listing below are generated by tcpdump itself, which resolves every address to a name by default; run it with -n to stop that and keep your own lookups out of the capture:

    root@kali:~# tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    11:46:47.867683 IP kali.57728 > ec2-52-43-198-160.us-west-2.compute.amazonaws.com.https: Flags [.], ack 1406161060, win 40880, length 0
    11:46:47.868400 IP ec2-52-43-198-160.us-west-2.compute.amazonaws.com.https > kali.57728: Flags [.], ack 1, win 64240, length 0
    11:46:47.870762 IP kali.53588 > gateway.domain: 6423+ PTR? 160.198.43.52.in-addr.arpa. (44)
    11:46:47.942135 IP gateway.domain > kali.53588: 6423 1/0/0 PTR ec2-52-43-198-160.us-west-2.compute.amazonaws.com. (107)
    11:46:47.943079 IP kali.53170 > gateway.domain: 29504+ PTR? 129.126.168.192.in-addr.arpa. (46)
    11:46:48.005087 IP gateway.domain > kali.53170: 29504 NXDomain 0/0/0 (46)
    11:46:48.012487 IP kali.34133 > gateway.domain: 9564+ PTR? 2.126.168.192.in-addr.arpa. (44)
    11:46:48.073047 IP gateway.domain > kali.34133: 9564 NXDomain 0/0/0 (44)
    11:46:48.699462 IP kali.54070 > ec2-52-32-150-180.us-west-2.compute.amazonaws.com.https: Flags [.], ack 101222386, win 40880, length 0
    11:46:48.701314 IP kali.51078 > gateway.domain: 2872+ PTR? 180.150.32.52.in-addr.arpa. (44)
    ...

    It is much better to write everything to a file: this simplifies collection and lets you analyse the traffic whenever it is convenient. The file is written in pcap format, so Wireshark can open it later. Adding -n here, as above, avoids polluting the capture with reverse lookups.

    root@kali:~# tcpdump -w /root/tcpump.cap
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C3821 packets captured
    3828 packets received by filter
    0 packets dropped by kernel

    You can use Wireshark to analyse the saved data, but since we are working in the console, let us be consistent and analyse it there too. First, list the addresses and ports involved. With -n the third field of each line is the source address and port of the packet, so servers show up here through their replies (note the .80 and .443 suffixes); the destination is the fifth field, which carries a trailing colon:

    root@kali:~# tcpdump -n -r /root/tcpump.cap | awk -F" " '{ print $3}' | sort -u | head
    reading from file /root/tcpump.cap, link-type EN10MB (Ethernet)
    136.243.75.5.80
    138.201.8.34.80
    138.201.8.95.80
    144.76.164.182.80
    144.76.28.230.80
    144.76.62.5.80
    173.194.122.218.80
    173.194.32.186.443
    178.250.0.80.80
    178.250.2.77.80

    From this output we can see which addresses the requests went to most often. Now we filter the traffic using what we know: first the packets sent by one server, then the packets sent to it, then all port 80 traffic.

    root@kali:~# tcpdump -n src host 138.201.8.34 -r /root/tcpump.cap
    reading from file /root/tcpump.cap, link-type EN10MB (Ethernet)
    11:59:01.590002 IP 138.201.8.34.80 > 192.168.126.129.44236: Flags [S.], seq 1793877133, ack 236733408, win 64240, options [mss 1460], length 0
    11:59:01.594853 IP 138.201.8.34.80 > 192.168.126.129.44238: Flags [S.], seq 1094285691, ack 3332638160, win 64240, options [mss 1460], length 0
    11:59:01.594994 IP 138.201.8.34.80 > 192.168.126.129.44236: Flags [.], ack 1461, win 64240, length 0
    11:59:01.595001 IP 138.201.8.34.80 > 192.168.126.129.44236: Flags [.], ack 1537, win 64240, length 0
    ...
    root@kali:~# tcpdump -n dst host 138.201.8.34 -r /root/tcpump.cap
    reading from file /root/tcpump.cap, link-type EN10MB (Ethernet)
    11:59:01.475932 IP 192.168.126.129.44236 > 138.201.8.34.80: Flags [S], seq 236733407, win 29200, options [mss 1460,sackOK,TS val 144778 ecr 0,nop,wscale 7], length 0
    11:59:01.476078 IP 192.168.126.129.44238 > 138.201.8.34.80: Flags [S], seq 3332638159, win 29200, options [mss 1460,sackOK,TS val 144778 ecr 0,nop,wscale 7], length 0
    11:59:01.590025 IP 192.168.126.129.44236 > 138.201.8.34.80: Flags [.], ack 1793877134, win 29200, length 0
    11:59:01.590665 IP 192.168.126.129.44236 > 138.201.8.34.80: Flags [.], seq 0:1460, ack 1, win 29200, length 1460: HTTP: GET /tag?event=otherPage&check=true&__location=http%3A%2F%2Fwww.tez-tour.com%2F&__referrer=&__title=%D0%9F%D1%83%D1%82%D0%B5%D0%B2%D0%BA%D0%B8%20%D0%B2%20%D0%93%D1%80%D0%B5%D1%86%D0%B8%D1%8E%2C%20%D0%9A%D0%B8%D0%BF%D1%80%2C%20%D0%9E%D0%90%D0%AD%2C%20%D0%A
    ...
    root@kali:~# tcpdump -n port 80 -r /root/tcpump.cap
    reading from file /root/tcpump.cap, link-type EN10MB (Ethernet)
    11:58:57.800214 IP 192.168.126.129.40306 > 93.184.220.29.80: Flags [S], seq 3231467275, win 29200, options [mss 1460,sackOK,TS val 143859 ecr 0,nop,wscale 7], length 0
    11:58:57.902747 IP 192.168.126.129.40308 > 93.184.220.29.80: Flags [S], seq 3445184571, win 29200, options [mss 1460,sackOK,TS val 143884 ecr 0,nop,wscale 7], length 0
    11:58:57.909838 IP 93.184.220.29.80 > 192.168.126.129.40306: Flags [S.], seq 3702388, ack 3231467276, win 64240, options [mss 1460], length 0
    11:58:57.909911 IP 192.168.126.129.40306 > 93.184.220.29.80: Flags [.], ack 1, win 29200, length 0
    11:58:57.910923 IP 192.168.126.129.40306 > 93.184.220.29.80: Flags [P.], seq 1:430, ack 1, win 29200, length 429: HTTP: POST / HTTP/1.1
    11:58:57.911421 IP 192.168.126.129.40310 > 93.184.220.29.80: Flags [S], seq 1472664795, win 29200, options [mss 1460,sackOK,TS val 143886 ecr 0,nop,wscale 7], length 0
    11:58:57.914620 IP 93.184.220.29.80 > 192.168.126.129.40306: Flags [.], ack 430, win 64240, length 0
    ...

    Next, look at the content that was transmitted at the moment of capture. With -X tcpdump prints each packet as hex with an ASCII column alongside; that does not stop us from reading the useful data, since HTTP headers are plain text:

    root@kali:~# tcpdump -nX -r /root/tcpump.cap
    reading from file /root/tcpump.cap, link-type EN10MB (Ethernet)
    11:58:57.026917 IP 192.168.126.129.60358 > 192.168.126.2.53: 61944+ A? self-repair.mozilla.org. (41)
            0x0000: 4500 0045 7b58 4000 4011 417b c0a8 7e81 E..E{X@.@.A{..~.
            0x0010: c0a8 7e02 ebc6 0035 0031 baef f1f8 0100 ..~....5.1......
            0x0020: 0001 0000 0000 0000 0b73 656c 662d 7265 .........self-re
            0x0030: 7061 6972 076d 6f7a 696c 6c61 036f 7267 pair.mozilla.org
    ...
    11:58:59.459884 IP 192.168.126.129.39468 > 194.165.24.241.80: Flags [P.], seq 1:873, ack 1, win 29200, length 872: HTTP: GET / HTTP/1.1
            0x0000: 4500 0390 3741 4000 4006 e566 c0a8 7e81 E...7A@.@..f..~.
            0x0010: c2a5 18f1 9a2c 0050 f298 04bc 2c12 6d3b .....,.P....,.m;
            0x0020: 5018 7210 e0d2 0000 4745 5420 2f20 4854 P.r.....GET./.HT
            0x0030: 5450 2f31 2e31 0d0a 486f 7374 3a20 7777 TP/1.1..Host:.ww
            0x0040: 772e 7465 7a2d 746f 7572 2e63 6f6d 0d0a w.tez-tour.com..
            0x0050: 5573 6572 2d41 6765 6e74 3a20 4d6f 7a69 User-Agent:.Mozi
            0x0060: 6c6c 612f 352e 3020 2858 3131 3b20 4c69 lla/5.0.(X11;.Li
            0x0070: 6e75 7820 6936 3836 3b20 7276 3a34 352e nux.i686;.rv:45.
            0x0080: 3029 2047 6563 6b6f 2f32 3031 3030 3130 0).Gecko/2010010
            0x0090: 3120 4669 7265 666f 782f 3435 2e30 0d0a 1.Firefox/45.0..
            0x00a0: 4163 6365 7074 3a20 7465 7874 2f68 746d Accept:.text/htm
            0x00b0: 6c2c 6170 706c 6963 6174 696f 6e2f 7868 l,application/xh
            0x00c0: 746d 6c2b 786d 6c2c 6170 706c 6963 6174 tml+xml,applicat
            0x00d0: 696f 6e2f 786d 6c3b 713d 302e 392c 2a2f ion/xml;q=0.9,*/
            0x00e0: 2a3b 713d 302e 380d 0a41 6363 6570 742d *;q=0.8..Accept-
            0x00f0: 4c61 6e67 7561 6765 3a20 656e 2d55 532c Language:.en-US,
            0x0100: 656e 3b71 3d30 2e35 0d0a 4163 6365 7074 en;q=0.5..Accept
            0x0110: 2d45 6e63 6f64 696e 673a 2067 7a69 702c -Encoding:.gzip,
            0x0120: 2064 6566 6c61 7465 0d0a 436f 6f6b 6965 .deflate..Cookie
    ...

    And so we have found the connection we were interested in, with tez-tour.com. But there is still a lot of data. To narrow it down, use tcpdump's byte-offset filter on the TCP header: we are only interested in segments with the PSH and ACK flags set, which is where the HTTP request and response data is carried.

    [image: TCP header layout with the flags byte]

    The diagram above shows that the flags of interest, ACK (A) and PSH (P), occupy the fourth and fifth positions of the flags byte (byte 13 of the TCP header, counting from 0; the bits are CWR, ECE, URG, ACK, PSH, RST, SYN, FIN). Together they are 00011000 in binary, 0x18 in hex and 24 in decimal. Note that tcp[13] = 24 matches only segments where exactly these two flags are set; a segment with PSH, ACK and, say, ECE set would be skipped. The inclusive form tcp[13] & 24 = 24 catches those too, and current tcpdump versions accept the readable equivalent tcp[tcpflags] & (tcp-push|tcp-ack) = (tcp-push|tcp-ack). Here is what the filter looks like:

    root@kali:~# tcpdump -A -n 'tcp[13] = 24' -r /root/tcpump.cap
    ...
    11:59:00.459252 IP 192.168.126.129.49290 > 144.76.62.5.80: Flags [P.], seq 2487328431:2487328798, ack 1891911515, win 29200, length 367: HTTP: GET /webim/button.php HTTP/1.1
    E.....@.@.."..~..L>....P.A..p.G[P.r.:...GET /webim/button.php HTTP/1.1
    Host: teztourcom.webim.ru
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: image/png,image/*;q=0.8,*/*;q=0.5
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.tez-tour.com/
    Connection: keep-alive
    If-None-Match: "2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a"
    11:59:00.563800 IP 144.76.62.5.80 > 192.168.126.129.49290: Flags [P.], seq 1:276, ack 367, win 64240, length 275: HTTP: HTTP/1.1 200 OK
    E..;p........L>...~..P..p.G[.A..P.......HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 10 Nov 2016 16:58:59 GMT
    Content-Type: image/gif
    Content-Length: 43
    Connection: keep-alive
    X-Webim-Version: 8.14.142
    Etag: "2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a"
    X-Time: 0.000
    GIF89a.............!.......,...........D..;
    11:59:00.839316 IP 192.168.126.129.54060 > 81.222.128.23.80: Flags [P.], seq 3867682114:3867682536, ack 387532615, win 29200, length 422: HTTP: GET /cgi-bin/erle.cgi?sid=204602&bt=62&custom=153%3Duser_id&ph=1&rnd=346920&tail256=unknown HTTP/1.1
    E.....@.@..q..~.Q....,.P..%B..GGP.r.-Y..GET /cgi-bin/erle.cgi?sid=204602&bt=62&custom=153%3Duser_id&ph=1&rnd=346920&tail256=unknown HTTP/1.1
    Host: ad.adriver.ru
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.tez-tour.com/
    Cookie: cid=AhKU-kniKHjQWpLwdDd1YpA; ar_g2=1; ar_go=1; 1d=1; ar_ord=1; ar_ya=1
    Connection: keep-alive
    ...

    Now the information is presented in a form that is far easier to read and analyse, isn't it?
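The two console steps above, listing the endpoints in a capture and selecting PSH+ACK segments with the tcp[13] filter, can be reproduced without tcpdump at all. The following is an added example, not code from the book: a pcap reader in standard-library Python that decodes Ethernet/IPv4/TCP, counts source and destination address.port pairs the way the awk pipeline does, and pulls request line, Host and Cookie out of segments whose flags byte matches. The capture it reads is constructed in memory, so the addresses, ports and cookie value are sample data rather than a real recording; the exact/inclusive switch shows the difference between tcp[13] = 24 and tcp[13] & 24 = 24.

```python
"""Added example: minimal pcap reader that mirrors the tcpdump/awk pipelines above."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic, microsecond timestamps
ETH_P_IP = 0x0800
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_ECE = 0x01, 0x02, 0x04, 0x08, 0x10, 0x40


def build_frame(src, sport, dst, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame for the constructed sample capture (checksums left at zero)."""
    eth = bytes.fromhex("0050 56e0 1234 000c 299a 54a5 0800")      # dst MAC, src MAC, type
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 29200, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Serialise frames as a libpcap file (link type 1 = Ethernet), one second apart."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1478778000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (timestamp, frame) records; handles both byte orders of the classic format."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Decode Ethernet/IPv4/TCP; return None for anything else (ARP, IPv6, UDP ...)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP or frame[23] != IPPROTO_TCP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + ip_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, frame[26:30])), "sport": sport,
            "dst": ".".join(map(str, frame[30:34])), "dport": dport,
            "flags": tcp[13],                      # the same byte that 'tcp[13]' addresses in BPF
            "payload": tcp[data_off:]}


def endpoints(data):
    """Counterpart of the awk pipeline: distinct source and destination addr.port pairs."""
    sources, destinations = Counter(), Counter()
    for _, frame in iter_pcap(data):
        pkt = parse_tcp(frame)
        if pkt:
            sources[f"{pkt['src']}.{pkt['sport']}"] += 1
            destinations[f"{pkt['dst']}.{pkt['dport']}"] += 1
    return sources, destinations


def http_requests(data, exact=True):
    """Select PSH+ACK segments and parse the HTTP request line and headers.
    exact=True behaves like 'tcp[13] = 24'; exact=False like 'tcp[13] & 24 = 24',
    which also accepts segments carrying ECE/CWR alongside PSH and ACK."""
    wanted = TCP_PSH | TCP_ACK
    found = []
    for _, frame in iter_pcap(data):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        flags_match = pkt["flags"] == wanted if exact else (pkt["flags"] & wanted) == wanted
        if not flags_match or not pkt["payload"].startswith((b"GET ", b"POST ")):
            continue
        head = pkt["payload"].split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        found.append({"to": f"{pkt['dst']}:{pkt['dport']}",
                      "request": head[0].decode("ascii", "replace"),
                      "host": headers.get(b"host", b"").decode("ascii", "replace"),
                      "cookie": headers.get(b"cookie", b"").decode("ascii", "replace")})
    return found


# Constructed sample capture: handshake plus an HTTP request, with a second copy of the
# request carrying ECE so the exact and inclusive flag filters give different answers.
CLIENT, SERVER = "192.168.126.129", "144.76.62.5"
REQUEST = (b"GET /webim/button.php HTTP/1.1\r\nHost: teztourcom.webim.ru\r\n"
           b"Cookie: cid=sample-value\r\nConnection: keep-alive\r\n\r\n")
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, 49290, SERVER, 80, TCP_SYN),
    build_frame(SERVER, 80, CLIENT, 49290, TCP_SYN | TCP_ACK),
    build_frame(CLIENT, 49290, SERVER, 80, TCP_ACK),
    build_frame(CLIENT, 49290, SERVER, 80, TCP_PSH | TCP_ACK, REQUEST),
    build_frame(CLIENT, 49290, SERVER, 80, TCP_PSH | TCP_ACK | TCP_ECE, REQUEST),
    build_frame(SERVER, 80, CLIENT, 49290, TCP_PSH | TCP_ACK, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
])

if __name__ == "__main__":
    srcs, dsts = endpoints(SAMPLE_PCAP)
    print("sources:", sorted(srcs), "destinations:", sorted(dsts))
    for req in http_requests(SAMPLE_PCAP):
        print(req["to"], req["request"], "Host:", req["host"], "Cookie:", req["cookie"])
```

To run it against a real file written by tcpdump -w, pass open(path, "rb").read() to endpoints() or http_requests(); the reader deliberately refuses pcapng, which is what recent Wireshark writes by default, so save as classic pcap or convert first.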

    Active interception


    So far we have looked at a network model in which all traffic not only travels from sender to destination but also reaches our interface. Now consider a situation in which the attacker gains access to one of the ports of a switch. It does not matter whether that is physical access to the switch itself or a wall socket wired to network equipment in another room. What matters is that a switch delivers to a port only the frames meant for the interface behind it, and nothing more.

    One of the most popular ways around this, which makes the switch behave like a hub and so lets us intercept all the traffic, is to overflow its CAM table.

    Every CAM table is finite in size and holds the data the switch uses to forward frames to the right clients: MAC addresses, the port each was learned on, and VLAN membership.

    Once the table is full the switch can no longer learn new addresses; to keep delivering frames it floods every frame whose destination MAC it does not know out of all ports in the VLAN, that is, it behaves like a hub for that traffic. Note that entries already in the table keep working, so traffic between hosts the switch already knows is not necessarily flooded.

    Note that the overflow has to be sustained: shortly after it stops, the bogus entries age out of the CAM table and the switch returns to normal operation.

    To carry out the attack and fill the CAM table with bogus MAC addresses, one command is enough (macof, from the dsniff package, sends frames with random source and destination MAC and IP addresses at high speed):

    root@kali:~# macof
    b2:f9:9e:6b:59:b4 69:69:f4:1:d:7d 0.0.0.0.17507 > 0.0.0.0.49697: S 1870663496:1870663496(0) win 512
    6b:df:e5:9:a8:1e c9:9c:3d:4b:21:d0 0.0.0.0.14408 > 0.0.0.0.45120: S 2106903632:2106903632(0) win 512
    8:80:82:19:60:ec d4:f7:fb:14:47:f5 0.0.0.0.13022 > 0.0.0.0.2854: S 708293972:708293972(0) win 512
    53:d4:80:73:dc:c4 d2:dd:5b:2d:32:b3 0.0.0.0.5752 > 0.0.0.0.1613: S 1815033319:1815033319(0) win 512
    c3:a0:33:5b:67:8b 58:d6:8f:5d:fd:63 0.0.0.0.975 > 0.0.0.0.37840: S 1285237419:1285237419(0) win 512
    81:86:99:13:d2:10 8f:37:86:2:ea:a6 0.0.0.0.30380 > 0.0.0.0.47351: S 447067260:447067260(0) win 512
    ee:df:dd:2f:f5:96 8b:62:89:38:fa:1a 0.0.0.0.31470 > 0.0.0.0.57504: S 1107960129:1107960129(0) win 512
    1f:d6:c1:1f:42:df 2d:ba:3e:6e:ca:29 0.0.0.0.28879 > 0.0.0.0.18191: S 753232608:753232608(0) win 512
    1a:93:a9:1:e1:31 2a:1a:bd:5e:d8:ce 0.0.0.0.4821 > 0.0.0.0.53112: S 437165546:437165546(0) win 512

    Another method is ARP poisoning. ARP tables, on routers and on every other IP host, map IP addresses to MAC addresses so that a host knows which MAC to put on a frame for a given neighbour. What matters for us is that ARP has no authentication: replies are accepted and cached without checking whether they answer a request, and ARP requests are broadcast to the whole segment. Exploiting this, an attacker sends forged replies that bind the gateway's IP address to the attacker's MAC in the victim's ARP cache, and the victim's IP address to the attacker's MAC in the gateway's cache. Both then send their traffic to the attacker's machine, which forwards it on to the real recipient and so sits in the middle, able to read or modify everything that passes.

    Let us demonstrate with Ettercap. Choose the sniffing mode (Sniff > Unified sniffing...) and the interface to work with (eth0) (Fig. 8.9).

    [image: Ettercap, choosing unified sniffing on eth0]

    Scan the network for available hosts (Hosts > Scan for hosts) (Fig. 8.10), then open the list of discovered hosts (Hosts > Hosts list). From here there are two ways to proceed: attack every machine in the network, in which case nothing needs to be selected, or specify the targets of interest. In our case we marked the router as target 1 and one of the computers as target 2 (Fig. 8.11).

    Now start the attack by choosing Mitm > ARP poisoning from the top menu (Fig. 8.12). Ettercap relays the intercepted traffic itself (it disables the kernel's IP forwarding and forwards the packets from user space). If you poison ARP with some other tool, enable IP forwarding on the attacking machine first; otherwise the victim's traffic is dropped instead of relayed and the attack turns into a denial of service that users notice immediately.
    [image: Ettercap hosts list and target selection]

    [image: Ettercap Mitm menu, ARP poisoning]
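Both active techniques leave a clear signature on the wire, and an auditor usually wants the detection as much as the attack. The following is an added example, not code from the book or from Ettercap or dsniff: a small link-layer monitor in standard-library Python that flags CAM-table flooding (an implausible number of distinct source MACs within a short window, the pattern macof produces) and ARP poisoning (an IP address whose sender MAC changes between ARP packets, and ARP packets whose sender MAC disagrees with the Ethernet source). The frames, addresses, threshold and window are constructed or assumed for the demonstration; in practice you would feed it frames from a SPAN port or a raw socket.

```python
"""Added example: detecting MAC flooding and ARP poisoning from a stream of Ethernet frames."""
import struct
from collections import deque

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=BROADCAST):
    """Ethernet/ARP frame; the Ethernet source is the ARP sender, as a real host sets it."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), bytes(map(int, sender_ip.split("."))),
                      mac_bytes(target_mac), bytes(map(int, target_ip.split("."))))
    return mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP) + arp


def build_noise(src_mac, dst_mac):
    """Non-ARP frame with an arbitrary source MAC: the shape of one macof flood frame."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800) + bytes(46)


def parse_arp(frame):
    """Sender/target fields of an ARP frame, or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])[4:]
    return {"op": op, "sender_mac": mac_str(smac), "sender_ip": ".".join(map(str, sip)),
            "target_mac": mac_str(tmac), "target_ip": ".".join(map(str, tip))}


class LinkMonitor:
    """Feed frames in time order; alerts are collected as (kind, message) tuples."""

    def __init__(self, flood_threshold=50, window=1.0):
        self.flood_threshold, self.window = flood_threshold, window   # assumed tuning values
        self.recent = deque()        # (timestamp, source MAC) for frames inside the window
        self.flooding = False
        self.ip_to_mac = {}          # IP -> MAC last claimed for it in an ARP sender field
        self.alerts = []

    def feed(self, ts, frame):
        src = mac_str(frame[6:12])
        self.recent.append((ts, src))
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        distinct = len({m for _, m in self.recent})
        flooding = distinct > self.flood_threshold
        if flooding and not self.flooding:          # one alert per burst, not per frame
            self.alerts.append(("mac_flood", f"{distinct} distinct source MACs within {self.window}s"))
        self.flooding = flooding

        arp = parse_arp(frame)
        if arp is None:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if mac != src:
            self.alerts.append(("arp_mac_mismatch", f"{ip}: ARP sender {mac} but Ethernet source {src}"))
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            self.alerts.append(("arp_conflict", f"{ip} moved from {known} to {mac}"))
        self.ip_to_mac[ip] = mac

    def alert_kinds(self):
        return sorted({kind for kind, _ in self.alerts})


def run_scenario():
    """Constructed timeline: a normal ARP exchange, Ettercap-style poisoning, then a macof burst."""
    gateway_ip, gateway_mac = "192.168.126.2", "00:50:56:e0:12:34"
    victim_ip, victim_mac = "192.168.126.129", "00:0c:29:9a:54:a5"
    attacker_mac = "6a:66:b0:89:af:63"
    mon = LinkMonitor()
    # legitimate resolution: the victim asks who has the gateway, the gateway answers
    mon.feed(0.00, build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gateway_ip))
    mon.feed(0.01, build_arp(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip, eth_dst=victim_mac))
    # poisoning: unsolicited replies binding each side's IP to the attacker's MAC
    mon.feed(5.00, build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip, eth_dst=victim_mac))
    mon.feed(5.00, build_arp(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip, eth_dst=gateway_mac))
    # CAM flooding: 200 frames with distinct source MACs inside 0.2 s
    for i in range(200):
        mon.feed(10.0 + i * 0.001, build_noise(f"02:00:00:00:{i // 256:02x}:{i % 256:02x}",
                                               f"02:ff:00:00:{i // 256:02x}:{i % 256:02x}"))
    return mon


if __name__ == "__main__":
    for kind, message in run_scenario().alerts:
        print(kind, message)
```

The IP-to-MAC conflict check is the same logic that Dynamic ARP Inspection applies on the switch side, and the source-MAC count is what port security enforces per port; on a network you control, those two switch features, together with a static ARP entry for the gateway on sensitive hosts, are the fixes for the attacks shown above.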


    One more thing should be mentioned. Bear in mind that even with access to a network port you may well still be kept out, since any modern switch can restrict which MAC addresses are allowed on a port (port security). You can, however, change the MAC address of your computer, for example to that of a device that was previously connected to the socket. Be aware that if you spoof the address of a host that is still connected, the switch will see the same MAC on two ports and port security may shut the port down; and where 802.1X authentication is enforced, changing the MAC alone is not enough. The change is made as follows:

    root@kali:~# ifconfig eth0 down
    root@kali:~# macchanger -r eth0
    Current MAC:      00:0c:29:9a:54:a5 (VMware, Inc.)
    Permanent MAC: 00:0c:29:9a:54:a5 (VMware, Inc.)
    New MAC:           6a:66:b0:89:af:63 (unknown)
    root@kali:~# ifconfig eth0 up

    Summary


    To intercept traffic, or sniff, you need a network adapter, suitable drivers (for wireless capture the driver must support monitor mode; with a standard driver you are unlikely to get anywhere) and software, for example Wireshark.

    Remember that there are two kinds of network. In one, everything transmitted is visible to every host; in the other, only to the addressee. The first kind includes wireless networks and networks built on hubs, where interception is not difficult: install the right driver and run the sniffer, which will collect all the passing traffic (on an encrypted wireless network you also need the key).

    The second kind is networks built on switches. To intercept traffic on a switch you need to get all the data passing through it delivered to your port. One way to achieve this is to overflow the switch's CAM table with MAC addresses.

    With forged ARP packets you can change the ARP caches of the victim computer and of the gateway so that each takes your device for the other party. All their traffic then flows through you; all that remains is to collect it.

    Raw captured network data is very inconvenient to read, but Wireshark contains powerful filtering tools. Study and use them to find the information you need in a huge volume of data.

    Remember that it is not enough just to connect a cable to the switch: it may not let you into the network, and you will need to change the MAC address of your network card.

    » More information on the book can be found on the publisher's website
    » Table of Contents
    » Excerpt

    For Habr readers: a 20% discount with the coupon code Information Security
