Secure Communications Over a Network
Course: MITS:5400G
Professor: Dr. Xiaodong Lin
By: Geoff Vaughan 100309160
March 20th 2012
Abstract

The purpose of this experiment is to transmit an encrypted message over a network so that it cannot be read by anyone sniffing the network. I will first demonstrate the message being transmitted without encryption, while sniffing the packets to prove that the communication could be intercepted. In the second situation I will set up a secure channel to pass my message through using Stunnel. Stunnel uses SSL encryption and routes the normal communication ports through its own communications first. The diagram below is a good demonstration of how the communication takes place.

Image Source: Secure Communication with Stunnel, 2010, Xiaodong Lin, UOIT
System Setup

To perform these experiments you need two computers that are accessible through a network. Although it is possible to run this experiment with any 2 computers connected to the Internet, it is certainly easier if you have two computers on a local area network. For my setup I used 2 virtual machines running on top of my Mac OS. One of the VMs was running Backtrack and the other was using SELinux. I chose these distributions of Linux as they were known to have many of the packages and libraries I needed already installed, and I already had these VMs set up on my machine. For anyone repeating this experiment I would recommend using 2 VMs running Backtrack, as it was just a little easier to set up Backtrack than SELinux. In SELinux I had to chmod a couple of file permissions or run as root in order to be allowed to bind to some of the ports I needed. Although my entire setup is running in a Linux environment, it is also possible to run this on a Windows system or between Windows and Linux machines. It just requires a slightly different system setup.

Libraries and Software needed

OpenSSL - to create your private key and public key certificates
Telnet - Installed on one machine (the client) to connect to the other computer
Netcat - Installed on the other machine (the server) to listen for the connection request from the first computer
Stunnel - Installed on both machines
Wireshark - Installed on at least one machine, or set up so that it can hear the whole network from a third machine
Procedures

Experiment 1: Establishing an Open Communication Line Between Two Computers

1. First ensure that both machines are properly connected to the local area network. In the virtual machines you need to make sure that the network connection is properly bridged or is using the host machine's network card properly.

On the Server (machine 1)

2. From a terminal window run ifconfig to get the local IP address and make note of it. The local IP of my server was 192.168.139.128.

3. Set up the server to listen on a particular port and wait for a connection using Netcat:

    netcat -l -p 3333    # sets up the server to listen on port 3333

   -l sets up Netcat in listening mode
   -p assigns Netcat to port 3333 to listen on

   While it is waiting you should just see a cursor flashing.
On the Client (machine 2)

4. From a terminal window connect to the server IP address and port that it is listening on:

    telnet 192.168.139.128 3333    # connects to the IP of the server on port 3333

5. Send a greeting message to the server and press enter:

    Hello server how are you today?

   When you press enter the text should appear on the server.

Now that this is set up we are free to send messages back and forth between the two computers. What we want to do next is prove that these communications are insecure and could be read by listening in on the line.
Setting up Wireshark to Capture the Communication

In a typical attack scenario an attacker would likely be listening in from a third computer. This is very easily done over an insecure wireless network; however, it can be a little more challenging over a wired network or secure wireless system. In these environments the attacker might first need to attack the router with some form of man-in-the-middle attack to convince the router to send the packets through to the attacker's machine. Although this isn't really that hard, it's not really the point of this exercise. For this reason I am simply going to set up Wireshark on one of the devices to listen to all the packets between it and the other computer. On my system I was running Wireshark on the server VM.

6. In another window launch Wireshark. From a terminal type:

    wireshark &

7. Set up Wireshark to start capturing on eth0 or whatever network device you are using. You may be prompted for an admin password on your host machine, as you are trying to operate the network adapter in promiscuous mode, which requires root privileges. Depending on your Internet traffic you may want to filter down to specific packets between the two computers.

When we inspect one of the communication packets we can very clearly see that the message is easy to read in plain text. This proves that the communication being transmitted across this network is insecure.
Experiment 2: Passing an Encrypted Message Through Stunnel

In this experiment we are going to encrypt the messages from the previous experiment and monitor the network to ensure that they cannot be intercepted.

On Server

1. Generate a private key and public key certificate on the server. Here we are going to use openssl to generate a certificate that we can pass to the client so that they can encrypt their messages and send them to us. Use the following openssl command to generate a certificate. You may need to change some of the directories around. You will also be prompted to input a bunch of information about your company and location. Just fill out the fields and the certificate will be generated.

    openssl req -new -x509 -days 365 -nodes -out /root/desktop/mykey.pem -keyout /root/desktop/mykey2.pem

   -out writes the certificate and -keyout writes the newly generated private key (-key would instead expect a key file that already exists). The Stunnel configuration in step 3 reads the private key and certificate from a single file, /root/desktop/stunnel.pem, so both need to end up in that file.

   My key and certificate look like this.

2. Continuing on the server, this step needs to be done in order. In a new terminal window set up Netcat to listen on port 8080 with the following command:

    netcat -l -p 8080

3. With Netcat running in the background we now need to set up Stunnel to take any data it reads off port 8080, encrypt it and transmit it through port 7777. Stunnel also needs to listen on port 7777 for any computers that are going to connect to it. If a computer is trying to connect to Stunnel it will reply with its certificate so that the client knows how to encrypt its communications. When the communications come through, Stunnel will then decrypt them and forward them to port 8080. In order for Stunnel to know how to do all this it needs to be configured properly. This is done in a configuration file. The Stunnel config file needs to know the location of the certificate, what service and port to listen for, and what port to accept traffic on. Below are all the lines I used in my config file. The comments are on their own lines because Stunnel only treats a line as a comment when it begins with # or ;.

    # location of private key and certificate
    cert = /root/desktop/stunnel.pem
    # so you can see more stunnel outputs
    debug = 7
    # so it runs in terminal
    foreground = yes

    # service name to pipe
    [netcat]
    # address where Netcat is listening; Stunnel forwards decrypted traffic here
    connect = 127.0.0.1:8080
    # port to listen on for communications
    accept = 7777

4. With the config file and OpenSSL certificate in place, and Netcat already listening on port 8080, it's time to launch Stunnel. Use the following command to launch Stunnel on the server from the directory where stunnelserver.conf is located:

    stunnel stunnelserver.conf

   In debug mode you get a lot of status information, but it can be really helpful for troubleshooting if you run into any problems. In the image below you can see I have Netcat listening with Stunnel running. I also have Wireshark capturing in the background but it's not visible in this image.
On Client

Similarly, on the client we also need to configure Stunnel to listen on a particular port, then encrypt and transmit its information to the server. The only thing that is different from the server is that we don't need to generate a certificate. In this situation, however, you are telling Stunnel which port to expect communications on from Telnet and where on the network to forward that communication, which in this case is the server machine.

5. Set up the Stunnel config file (stunnel.conf) for the client as follows:

    # specifies client mode
    client = yes
    # displays connection info for troubleshooting
    debug = 7
    # so you can see it running in current terminal
    foreground = yes

    # specifies the service name you will run
    [telnet]
    # the local port for telnet to connect to
    accept = 127.0.0.1:7070
    # specifies the socket that you want to connect to
    connect = 192.168.139.128:7777

6. Once you have set up a configuration file, this time you need to start Stunnel before you try to connect with telnet. Use:

    stunnel stunnel.conf

7. With Stunnel running you can now Telnet to Stunnel's listening port (7070) and it will forward the traffic to the server after encrypting it:

    telnet 127.0.0.1 7070

   In the image below you can see the client with Stunnel running and connected to the server via telnet.
Wireshark

Having captured all communications in Wireshark we can now have a look to see if we are able to read any of the messages that were passed. The following image is a screenshot from Wireshark showing the message being sent from the client to the server. Since you cannot read anything in the data, it is safe to conclude that the message is encrypted.

Conclusions

In the first experiment I was able to demonstrate that communicating over an unencrypted method leaves your messages vulnerable to interception. I should also mention that many email servers traditionally operate in an unencrypted environment, leaving your mail traffic open to interception. Using OpenSSL and Stunnel I was able to demonstrate how your communication can be protected using encryption and what an attacker might see if they tried to monitor your network activity.
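
The Wireshark check from both experiments can also be scripted. The following is an added example, not part of the original report: it labels a captured TCP payload as readable plaintext (as on port 3333) or as TLS records (as on Stunnel's port 7777) by parsing the 5-byte record header. The function names and the sample payloads are constructed for illustration, with random bytes standing in for ciphertext.

```python
import os
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_BODY = 2**14 + 2048  # largest ciphertext fragment TLS 1.2 allows


def parse_tls_records(payload):
    """Return the record type names if payload is a run of TLS records, else None.
    A final record cut short by the end of the TCP segment is still accepted."""
    records, offset = [], 0
    while len(payload) - offset >= 5:  # 5-byte header: type, version, length
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, offset)
        # SSL 3.0 through TLS 1.3 all put major version 3 on the wire
        if ctype not in CONTENT_TYPES or major != 3 or minor > 4:
            return None
        if length > MAX_RECORD_BODY:
            return None
        records.append(CONTENT_TYPES[ctype])
        offset += 5 + length
    return records or None


def classify_payload(payload):
    """Label one TCP payload: ('tls', types), ('plaintext', text) or ('unknown', None)."""
    records = parse_tls_records(payload)
    if records:
        return ("tls", records)
    if payload and all(32 <= b < 127 or b in (9, 10, 13) for b in payload):
        return ("plaintext", payload.decode("ascii").strip())
    return ("unknown", None)


def tls_record(ctype, body):
    """Build a constructed TLS 1.0 record (version bytes 3, 1) for the sample data."""
    return struct.pack("!BBBH", ctype, 3, 1, len(body)) + body


# Constructed samples, not captured traffic. Random bytes stand in for ciphertext.
PLAIN_3333 = b"Hello server how are you today?\r\n"  # Experiment 1 payload
TLS_7777 = tls_record(22, os.urandom(32)) + tls_record(23, os.urandom(48))  # Experiment 2

if __name__ == "__main__":
    for name, data in (("port 3333", PLAIN_3333), ("port 7777", TLS_7777)):
        print(name, classify_payload(data))
```

A "tls" result shows only that the payload is framed as TLS records; a segment that begins in the middle of a record is reported as "unknown".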