
Redirecting SSH and HTTP traffic. Traffic Redirection BeEF Hooking with Ettercap Filters

In this article we will look at Man-in-the-Middle attacks, or rather at one application of them: redirecting SSH and HTTP traffic through a host the attacker controls. Let's not beat around the bush and get down to business.

Man in the Middle (MitM for short; in Russian literally "attack of the mediator" or "man in the middle") is a class of attack in which the traffic between two machines is routed through a third one so that it can be intercepted: studied, dropped or modified.

The first thing we need is the dsniff package (a link to the package is given at the end of the article). Why dsniff? Because it contains all the necessary utilities, including sshmitm (for SSH traffic) and webmitm (for HTTP and HTTPS traffic; some write-ups call it httpmitm). These tools get around the following protection: as you know, encrypted protocols are reasonably secure (encryption helps), and they do not let an attacker sitting on the network path read or inject into the session. The attacker does not know the session key, so the data cannot be decrypted and commands cannot be inserted. Everything seems fine, but the MitM programs from dsniff sidestep this protection (almost anything can be sidestepped). The principle is simple: the intermediate host accepts the connection from the client, "telling" it that it is the server, and then opens its own connection to the real server. The client negotiates encryption with the attacker rather than with the server, so the attacker holds both session keys and sees everything in the clear. Note that the traffic has to be steered to the attacker's host first; dsniff ships arpspoof and dnsspoof for exactly that purpose.

The second thing we need is straight hands, the third, and most important, is desire, and of course we need a victim, that is, the computer we will attack.

SSH traffic redirection

With the toolkit prepared, you now understand what's what and why. Take sshmitm: we will redirect SSH traffic with it (for the theory, see above), exploiting the fact that SSH has no PKI (public key infrastructure, a key management scheme based on asymmetric cryptography) behind it: no third party vouches for the server's key, so the client has to accept it on faith on first contact and can only notice later that it has changed. Let's look at the syntax of sshmitm:

sshmitm [-d] [-I] [-p port] host [port]

-d
enable debug output (a more verbose mode)

-I
monitor and hijack interactive sessions

-p port
local port to listen on

host
address of the remote host whose sessions will be intercepted

port
port on the remote host (default 22)

Everything is simple enough, nothing complicated. Let's start implementing the attack!

# sshmitm server.target.gov // specify your SSH server
sshmitm: relaying to server server.target.gov

Since we do not have the real server's host key, the SSH client on the attacked machine will warn that the host key has changed. It looks roughly like this:

clientmachine$ ssh server.target.gov
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
Please contact your system administrator.

Then the user decides whether to connect or not. If they do, we have full control over the SSH session.
BUT! If the user has never connected to that machine before, a different message appears:

The authenticity of host 'server.target.gov' can't be established.
RSA key fingerprint is bla:bla:bla:bla:bla........
Are you sure you want to continue connecting (yes/no)?

Here, too, the user has two choices: connect or not. If yes, we have intercepted the session; if not, then alas.
In short, the attack succeeds if the user connects; sshmitm then logs all logins and passwords, in perfectly readable form.
Two caveats a practitioner should know: dsniff's sshmitm only speaks SSH protocol version 1, which modern clients and servers no longer enable, so against today's SSH-2 it is of historical interest; and a client configured with StrictHostKeyChecking=yes refuses to connect at all when the key changes, so there is no "yes" for the user to type.
Naturally, this is not the only SSH session interceptor, but having understood this one you will easily master another.
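The two client prompts above come from one check: the key the server presents is compared with what is pinned in known_hosts. The following is an added example (not dsniff's code and not from the article) of that check in pure Python: it builds an ssh-ed25519 public-key blob, computes the OpenSSH-style SHA256 fingerprint, parses plain known_hosts entries and classifies the presented key as "ok", "changed" (the REMOTE HOST IDENTIFICATION HAS CHANGED case an sshmitm relay produces) or "unknown" (the first-contact prompt). The hostname server.target.gov is the article's; the key bytes are constructed for illustration; hashed (|1|) known_hosts entries are skipped by assumption.

```python
"""Host-key pinning the way an OpenSSH client applies it against known_hosts.

Added example; not dsniff's code and not from the article. Key bytes are
constructed; only plain (unhashed) known_hosts entries are parsed.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_public_key: bytes) -> bytes:
    """Public-key blob as it appears (base64) in known_hosts for ssh-ed25519."""
    assert len(raw_public_key) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host: str, blob: bytes) -> str:
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def parse_known_hosts(text: str) -> dict:
    """Map (hostname, key type) -> key blob. Hashed '|1|' entries are skipped."""
    pinned = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        for host in fields[0].split(","):
            pinned[(host, fields[1])] = base64.b64decode(fields[2])
    return pinned


def check_host_key(pinned: dict, host: str, key_type: str, presented: bytes) -> str:
    """'ok': pinned key matches. 'changed': a different key for a known host,
    the MitM warning. 'unknown': first contact, the "can't be established" prompt."""
    expected = pinned.get((host, key_type))
    if expected is None:
        return "unknown"
    return "ok" if expected == presented else "changed"


# Constructed keys: the real server's key and the one an sshmitm relay presents.
REAL_KEY = ed25519_blob(bytes(range(32)))
MITM_KEY = ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = known_hosts_line("server.target.gov", REAL_KEY) + "\n"

if __name__ == "__main__":
    pinned = parse_known_hosts(KNOWN_HOSTS)
    print(fingerprint(REAL_KEY), fingerprint(MITM_KEY))
    print(check_host_key(pinned, "server.target.gov", "ssh-ed25519", MITM_KEY))
```

The only thing standing between the user and the relay is the "changed" branch; a deployment that distributes known_hosts in advance (or uses SSH certificates) never shows the "unknown" prompt, which removes the easy case for the attacker.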

Redirecting HTTP traffic

Now we will redirect HTTP traffic. Again we need a tool chosen earlier: webmitm, which listens on ports 80 (HTTP) and 443 (HTTPS), accepts the web requests redirected to it, connects to the real server and relays requests and responses between the server and the client. For HTTPS the program generates its own key and certificate with OpenSSL. When the victim connects to the site (target.gov), the browser checks the SSL certificate. Since it does not chain to a trusted CA and does not match the real one, the browser warns about an invalid SSL certificate; if the user clicks through, the session is decrypted on the attacker's host. From the attacker's side it looks something like this:

#webmitm -d
webmitm: relaying transparently
webmitm: new connection from
GET [link] /uzerz.php?user=hellknights&password=neskaju1qwerty HTTP / [version]
Connection: [type]
Host: www.target.gov
User-Agent: [information about the system, browser]
[etc., etc., etc.]
Cookie: [cookies]

This is how it looks from the outside: the SSL connection is terminated on the attacker's host and the plaintext, here a login and password passed in the query string, is captured.

Conclusion

In this article we looked at redirecting SSH and HTTP traffic with a Man in the Middle attack: clearly, in detail and briefly. Other MitM redirectors of HTTP and SSH traffic you will master quickly once you have mastered these. If something was not clear - then.

The next type of attack aims to direct the traffic of the attacked computer to a false address, which may belong either to the attacker or to a third party. An attacker can use the data stream that a user sends to, say, a corporate server or a bank server in two ways. The first: the attacker impersonates the recipient server, presenting the client with the "picture" and the messages it expects. For example, the attacker can simulate the login procedure and obtain the victim's user name and password, which can then be used for unauthorized access to the real server of the enterprise or bank, the actual target of the attack. The second: the attacker organizes transit of the traffic. Each intercepted packet is recorded and/or analyzed on the attacking node and then forwarded to the "real" server, so that all traffic between client and server passes through the attacker's computer.

Let's look at some techniques used now (or in the recent past) for attacks of this type. Countermeasures exist for most of them, and the descriptions given here are mostly educational.

The simplest way to redirect traffic on a local network is to send a false ARP reply (ARP spoofing). (We leave aside how often an attacker is interested in intercepting traffic on their own local network.) The scheme is obvious: when a broadcast ARP request for a certain IP address appears, the attacker sends a false ARP reply claiming that this IP address corresponds to the attacker's own MAC address. In practice the attacker does not even wait for a request: most IP stacks accept unsolicited replies, so the forged reply is simply sent over and over to keep the victim's ARP cache poisoned.

In theory, ICMP can also be used to intercept and redirect traffic on a local network. Under this protocol an ICMP Redirect message is sent by the default router to a host on the directly attached local network when it sees the host using a suboptimal route for some destination. In Fig. 1a the default router R1, having received a packet from host H1 addressed to host H2, determines that the better route to H2 goes through another router on the same LAN, R2. R1 forwards the packet as usual and, in addition, puts the header of that packet into an ICMP Redirect message that it sends to H1. The message contains the IP address of the alternate router R2, which the host should now use for H2. H1 updates its routing table and from that moment sends packets to H2 along the corrected route.

To intercept the traffic H1 sends to H2, the attacker forms and sends H1 a packet masquerading as an ICMP Redirect (Fig. 1b). The message asks H1 to update its routing table so that for all packets to the address IP_H2 the next hop becomes IP_HA, the address of the attacker's host HA. For the host to "believe" this message, the address of R1, the default router, must be placed in the source address field. When the misdirected packets begin to arrive at the attacker's node, the attacker can either capture them and not forward them, imitating the application they were meant for in order to keep the dialogue going, or forward them on to the real destination IP_H2. Reading all traffic between H1 and H2, the attacker obtains the information needed for unauthorized access to the H2 server.

A practical note: a host is supposed (RFC 1122) to accept a redirect only from its current first-hop gateway and only towards a gateway on the directly connected network, but a forged packet with R1's source address and the attacker's on-link address satisfies both conditions. That is why operating systems let you refuse redirects altogether (on Linux, net.ipv4.conf.all.accept_redirects=0), and why this attack is mostly of historical interest on hardened hosts.
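To make the message of Fig. 1 concrete, here is an added example (not from the article) that builds the ICMP Redirect R1 would send, parses it back, and applies the receiving-host checks just described. The addresses are constructed; the validator's accept_redirects flag stands in for the operating-system switch that refuses redirects, and the test shows that the RFC checks alone let the forged redirect of Fig. 1b through while that switch stops it.

```python
"""ICMP Redirect: the message R1 sends in Fig. 1a, and the checks a receiving
host can (and cannot) rely on against the forgery of Fig. 1b.

Added example, not from the article. All addresses are constructed.
"""
import ipaddress
import struct


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (version 4, IHL 5) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", rfc1071_checksum(hdr)) + hdr[12:]


def icmp_redirect(new_gateway: str, triggering_packet: bytes) -> bytes:
    """ICMP type 5, code 1 (redirect datagrams for the host): the gateway to use,
    then the IP header and first 8 payload bytes of the packet that triggered it."""
    body = ipaddress.IPv4Address(new_gateway).packed + triggering_packet[:28]
    msg = struct.pack("!BBH", 5, 1, 0) + body
    return msg[:2] + struct.pack("!H", rfc1071_checksum(msg)) + msg[4:]


def parse_redirect(msg: bytes) -> dict:
    typ, code = struct.unpack("!BB", msg[:2])
    inner_ip_header = msg[8:28]
    return {
        "type": typ,
        "code": code,
        "gateway": str(ipaddress.IPv4Address(msg[4:8])),
        "destination": str(ipaddress.IPv4Address(inner_ip_header[16:20])),
        # a correctly checksummed message sums to zero over all its 16-bit words
        "checksum_ok": rfc1071_checksum(msg) == 0,
    }


def accept_redirect(ip_src: str, msg: bytes, current_gateway: str, local_net: str,
                    accept_redirects: bool = True) -> bool:
    """Validation in the spirit of RFC 1122 3.2.2.2: the redirect must come from
    the first-hop gateway currently used for that destination and must name a
    gateway on the directly attached network. The attacker of Fig. 1b spoofs the
    source as R1 and is itself on the LAN, so both checks pass; what actually
    stops the attack is accept_redirects=False (the sysctl analogue)."""
    if not accept_redirects:
        return False
    r = parse_redirect(msg)
    if r["type"] != 5 or not r["checksum_ok"]:
        return False
    if ip_src != current_gateway:
        return False
    return ipaddress.IPv4Address(r["gateway"]) in ipaddress.IPv4Network(local_net)


if __name__ == "__main__":
    trigger = ipv4_header("10.0.0.5", "198.51.100.7", 6, 20) + bytes(20)  # H1 -> H2
    forged = icmp_redirect("10.0.0.66", trigger)                            # "use HA"
    print(parse_redirect(forged))
    print(accept_redirect("10.0.0.1", forged, "10.0.0.1", "10.0.0.0/24"))  # True
    print(accept_redirect("10.0.0.1", forged, "10.0.0.1", "10.0.0.0/24",
                          accept_redirects=False))                          # False
```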

Another way to intercept traffic is DNS spoofing (Fig. 2). The attacker's task is to gain access to a corporate server; for that he needs the name and password of an authorized user of the corporate network, and he decides to get them by diverting the data stream the corporate client sends to the server. The attacker knows that the client addresses the server by its symbolic DNS name www.example.com, and that before sending a packet the client's software queries a DNS server to learn which IP address this name maps to.

The attacker's goal is to beat the DNS server's response and impose his own, in which instead of the corporate server's IP address (193.25.34.125 in the example) he puts the address of the attacking host (203.13.1.123). There are several major obstacles to this plan.

Fig. 1. Route redirection using ICMP: a - a message about a better route to host H2 is sent to host H1 by the default router R1;
b - a message redirecting the route to itself is sent by the attacking host HA

Fig. 2. Traffic redirection using false DNS responses

First of all, the DNS server's response must be delayed; for example, the server can be subjected to a DoS attack. Another issue is determining the DNS client's port number, which must be given in the packet header for the datagram to reach the application. While the server side of DNS has the "well-known" port 53 permanently assigned, the client side gets its port dynamically at startup, and the operating system chooses it from a fairly wide range.

Note that DNS can carry its messages over both UDP and TCP (UDP is the normal case), depending on how the administrator has configured it. Since TCP establishes a logical connection that tracks the numbers of bytes sent and received, it is much harder to "wedge" into the dialogue between client and server than when the UDP datagram protocol is used.

In the latter case, the problem of determining the DNS client's UDP port remains. The attacker solves it by brute force, enumerating all possible numbers. Enumeration also overcomes the problem of the DNS message identifiers (transaction IDs), which are carried in DNS messages so that the client can match incoming responses to the requests it sent. So the attacker bombards the client machine with bogus DNS responses, enumerating all possible values of the identifying fields, until the client accepts one of them as a genuine response. Once that happens, the attacker's goal is achieved: the client's packets go to the attacking host, the attacker obtains the legitimate user's name and password, and with them access to the corporate server. The numbers matter here: the 16-bit transaction ID alone gives at most 65,536 guesses, which is why resolvers that used a fixed source port were easy prey (the 2008 Kaminsky attack relied on exactly that); with the source port also randomized the space grows to about 2^32 and the flood has to win a race for every query.
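The following is an added example (not from the article) that plays this race out in code: it builds DNS query and response datagrams, implements the checks a stub resolver applies before trusting a UDP answer (source address, destination port, transaction ID, question), and lets an attacker enumerate transaction IDs against one guessed port. The example goes slightly beyond the text by running the flood twice, against a resolver with a fixed client port and against one with a randomized port, to show why the second defence matters. www.example.com, 193.25.34.125 and 203.13.1.123 are the article's; the DNS server address and the seeds are constructed.

```python
"""DNS spoofing race: a stub resolver with its acceptance checks, and an
attacker enumerating transaction IDs against a guessed client port.

Added example, not from the article. Server address and seeds are constructed.
"""
import random
import struct


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """Standard query, recursion desired, one question of type A / class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid: int, name: str, ip: str) -> bytes:
    """Response (QR, RD, RA set) echoing the question and carrying one A record;
    the answer name is a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def txid_of(packet: bytes) -> int:
    return struct.unpack("!H", packet[:2])[0]


def parse_response(data: bytes) -> dict:
    txid, flags = struct.unpack("!HH", data[:4])
    i, labels = 12, []
    while data[i]:
        labels.append(data[i + 1:i + 1 + data[i]].decode())
        i += 1 + data[i]
    i += 1 + 4 + 2  # terminating zero, QTYPE/QCLASS, answer-name pointer
    rtype, _, _, rdlen = struct.unpack("!HHIH", data[i:i + 10])
    rdata = data[i + 10:i + 10 + rdlen]
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qname": ".".join(labels),
            "answer": ".".join(str(b) for b in rdata) if rtype == 1 else None}


class StubResolver:
    """Accepts a UDP answer only if it comes from the server it asked, on the
    port it asked from, with the transaction ID and question it sent."""

    def __init__(self, server_ip: str, seed: int, randomize_port: bool):
        self.server_ip, self.rng, self.randomize_port = server_ip, random.Random(seed), randomize_port
        self.pending, self.cache = None, {}

    def query(self, name: str):
        txid = self.rng.getrandbits(16)
        port = self.rng.randint(1024, 65535) if self.randomize_port else 1024  # old resolvers: fixed port
        self.pending = (txid, port, name)
        return port, build_query(txid, name)

    def receive(self, src_ip: str, dst_port: int, data: bytes) -> bool:
        if self.pending is None or src_ip != self.server_ip:
            return False
        txid, port, name = self.pending
        r = parse_response(data)
        if not (r["is_response"] and r["txid"] == txid and dst_port == port and r["qname"] == name):
            return False  # bogus datagram dropped
        self.cache[name], self.pending = r["answer"], None
        return True


def guess_space(randomize_port: bool) -> int:
    """Forged datagrams needed to be sure of a hit: 16-bit ID, times 16-bit port if randomized."""
    return 1 << 32 if randomize_port else 1 << 16


def spoof(victim: StubResolver, name: str, attacker_ip: str, guessed_port: int):
    """Bombard the victim with answers 'from' its DNS server, one per transaction
    ID, on one guessed port; assumes the genuine answer is delayed (DoS on the
    server). Returns how many datagrams it took, or None if none was accepted."""
    for txid in range(1 << 16):
        if victim.receive(victim.server_ip, guessed_port, build_response(txid, name, attacker_ip)):
            return txid + 1
    return None


if __name__ == "__main__":
    victim = StubResolver("198.51.100.53", 7, randomize_port=False)
    port, _ = victim.query("www.example.com")
    print("fixed port", port, "spoofed after", spoof(victim, "www.example.com", "203.13.1.123", port), victim.cache)
```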

No discussion of information security is complete without describing hackers and their methods. Here the term "hacker" is used in the sense of a person who breaks into computers.

Hackers are knowledgeable, technically literate people who understand how computers and networks operate and how protocols are used to perform system operations. Their motivation varies, from a desire to attract attention to plain greed.

Modern methods of hacker attacks

Many modern attacks are performed by so-called script kiddies: attackers simply search the Internet for exploit scripts and launch them against every system they can find. These simple attacks require no special knowledge or instructions.

However, there are other methods based on a deeper understanding of the operation of computers, networks, and attacked systems. In this article, we will describe such methods.

Listening to networks

Wiretapping, or sniffing, is a technique hackers/crackers use to collect passwords and other system information. The computer's network interface is put into promiscuous mode, in which the adapter captures every frame travelling on the segment, not only those addressed to it. Sniffers of this type work well in shared-medium networks built on hubs.

Finding a hub today is a real problem: networks are built on switches, and the effectiveness of plain sniffing has declined accordingly. In a switched environment frames are not repeated to every port; they are sent directly to the recipient's port. However, switches are not security devices. They are ordinary network equipment, and whatever protection they offer is a by-product of their function rather than a design goal. There are also sniffing tools designed specifically for switched environments.

To sniff traffic in a switched environment, one of the following must be achieved:
"convince" the switch that the traffic of interest should be sent to the sniffer's port;
force the switch to send all traffic to all ports.

Once either is achieved, the sniffer can read the traffic of interest and give the hacker the information he is looking for.

Traffic redirection

The switch forwards frames to ports based on the destination Media Access Control (MAC) address of the Ethernet frame. Each network interface has a unique MAC address, and the switch learns which addresses sit behind which port from the source addresses of the frames it sees. When a frame with a given destination MAC arrives, the switch forwards it only to the port on which that MAC was learned.

The following methods can be used to make the switch send network traffic to the sniffer:
ARP spoofing;
MAC address duplication;
domain name impersonation (DNS spoofing).

ARP spoofing. ARP (Address Resolution Protocol) is used to obtain the MAC address associated with an IP address. It works as follows: before sending traffic, the sending system broadcasts an ARP request for the recipient's IP address. The system that owns that address replies with its MAC address, which the sender then uses to address its frames.

If the sniffer wants that traffic, it answers the ARP request instead of the real destination and supplies its own MAC address. As a result, the sending system sends its traffic to the sniffer.

For this to work unnoticed, the traffic redirected to the sniffer must then be forwarded to the real destination (IP forwarding enabled on the sniffing host); otherwise the victim loses network access and the attack turns into a denial of service.

ARP spoofing works only within one subnet (a single network segment), because ARP messages are not routed. The sniffer must sit on the same LAN segment as the sender and the receiver.
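The forged reply described here, and earlier in the ARP paragraph of the redirection section, is a 42-byte frame; the following is an added example (not from the article, not dsniff's arpspoof) that builds it, shows both halves of a full-duplex poisoning, and runs a small arpwatch-style detector over a constructed capture. The MAC and IP addresses are invented for illustration.

```python
"""ARP spoofing: the forged replies that poison both ends of a conversation,
and a small arpwatch-style detector run over a constructed capture.

Added example, not from the article. MAC and IP addresses are constructed.
"""
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def arp_frame(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
              dst_mac=None) -> bytes:
    """Ethernet + ARP (RFC 826): hardware type 1, protocol 0x0800, op 1 = request,
    op 2 = reply. Unicast to target_mac unless dst_mac (e.g. BROADCAST) is given."""
    eth = mac_bytes(dst_mac or target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    a = frame[14:42]
    return {"op": struct.unpack("!H", a[6:8])[0],
            "sender_mac": ":".join(f"{b:02x}" for b in a[8:14]),
            "sender_ip": ".".join(str(b) for b in a[14:18]),
            "target_mac": ":".join(f"{b:02x}" for b in a[18:24]),
            "target_ip": ".".join(str(b) for b in a[24:28])}


def poison_frames(attacker_mac, victim_ip, victim_mac, gateway_ip, gateway_mac):
    """Both halves of the poisoning: the victim is told the gateway's IP lives at
    the attacker's MAC, the gateway is told the same about the victim. These are
    resent periodically so the caches never recover; without IP forwarding on
    the attacker the victim simply loses connectivity."""
    return [arp_frame(2, attacker_mac, gateway_ip, victim_mac, victim_ip),
            arp_frame(2, attacker_mac, victim_ip, gateway_mac, gateway_ip)]


class ArpWatch:
    """Tracks IP-to-MAC bindings and alerts on a binding change and on replies
    no request was seen for. Gratuitous ARP is legitimately unsolicited, so
    the 'changed' alert is the one worth acting on."""

    def __init__(self):
        self.table, self.outstanding, self.alerts = {}, set(), []

    def observe(self, frame: bytes):
        p = parse_arp(frame)
        if p is None:
            return
        if p["op"] == 1:
            self.outstanding.add(p["target_ip"])
        elif p["sender_ip"] in self.outstanding:
            self.outstanding.discard(p["sender_ip"])
        else:
            self.alerts.append(f"unsolicited reply: {p['sender_ip']} is-at {p['sender_mac']}")
        old = self.table.get(p["sender_ip"])
        if old is not None and old != p["sender_mac"]:
            self.alerts.append(f"changed: {p['sender_ip']} {old} -> {p['sender_mac']}")
        self.table[p["sender_ip"]] = p["sender_mac"]


if __name__ == "__main__":
    watch = ArpWatch()
    for f in poison_frames("de:ad:be:ef:00:01", "10.0.0.5", "00:11:22:33:44:01",
                           "10.0.0.1", "00:11:22:33:44:fe"):
        watch.observe(f)
    print(watch.table, watch.alerts)
```

On a real network the same "changed" condition is what arpwatch and switch features such as Dynamic ARP Inspection key on; static ARP entries for the gateway remove the victim's side of the problem entirely.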

MAC address duplication. Duplicating the destination system's MAC address is another way to "convince" the switch to send traffic to the sniffer. The hacker sets the MAC address of the sniffer's interface to that of the target; the switch then learns the duplicated address on the sniffer's port and, until the real system transmits again and the entry flaps back, delivers the target's traffic there.

To repeat: for both ARP spoofing and MAC duplication the sniffer must sit on the same local subnet as both the sender and the receiver.

Domain name impersonation. There is a third way to make the switch deliver the traffic to the sniffer: "trick" the sending system into addressing its data to the sniffer's own IP address, and therefore to its real MAC address. This is done by spoofing the domain name resolution.

In this attack the sniffer intercepts the DNS requests of the sending system and answers them itself. Instead of the IP address of the system it asked about, the sender receives the sniffer's IP address and sends all its traffic there. The sniffer must then forward this traffic to the real recipient, so the DNS spoofing attack turns into a hijacking (transit interception) attack.

For the attack to succeed, the sniffer has to see every DNS request and answer it before the real DNS server does. It should therefore sit on the path from the sending system to the DNS server, or better still on the same local subnet as the sender.

A sniffer could observe requests sent across the Internet, but the further it is from the sending system, the harder it is to guarantee that its answer arrives first.

Send all traffic to all ports

Instead of the above, the hacker can make the switch behave like a hub (MAC flooding). Every switch keeps its table of MAC-address-to-port mappings (the CAM table) in a limited amount of memory. If that table is flooded with frames carrying random source addresses until it overflows, many switches fail open: they can no longer learn or retain the addresses of real hosts, and a frame whose destination address is not in the table is flooded to every port. As a result the switch works like a hub and the sniffer sees everything.
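Below is an added example (a simulation, not from the article and not a real switch's firmware) of the mechanism: a learning switch with a bounded, ageing CAM table, an attacker on one port flooding it with random source addresses the way dsniff's macof does, and a gateway-to-victim frame that is unicast before the flood and flooded to every port, including the attacker's, afterwards. Capacities, ageing period and addresses are constructed; real switches age entries by time rather than by frame count.

```python
"""MAC flooding: a learning switch with a bounded, ageing CAM table. Once the
table is full of attacker-generated addresses, the victim's entry ages out and
cannot be relearned, so its traffic is flooded to every port (fail-open).

Added example (a simulation, not a real switch); addresses are constructed.
"""
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports: int, cam_capacity: int, age_limit: int):
        self.ports = list(range(ports))
        self.capacity = cam_capacity
        self.age_limit = age_limit  # frames after which an unrefreshed entry expires
        self.cam = {}               # mac -> (port, last_seen)
        self.clock = 0

    def receive(self, in_port: int, src_mac: str, dst_mac: str) -> list:
        """Age out stale entries, learn the source, return the output ports."""
        self.clock += 1
        for mac in [m for m, (_, seen) in self.cam.items() if self.clock - seen > self.age_limit]:
            del self.cam[mac]
        if src_mac in self.cam or len(self.cam) < self.capacity:
            self.cam[src_mac] = (in_port, self.clock)      # a full table learns nothing new
        if dst_mac == BROADCAST or dst_mac not in self.cam:
            return [p for p in self.ports if p != in_port]  # unknown unicast is flooded
        return [self.cam[dst_mac][0]]


def random_mac(rng: random.Random) -> str:
    """Locally administered, random MAC, like the sources macof generates."""
    return ":".join(f"{b:02x}" for b in [0x02] + [rng.randrange(256) for _ in range(5)])


def mac_flood(switch: Switch, attacker_port: int, count: int, seed: int = 1):
    """`count` frames, each from a fresh random source, keep the CAM table full."""
    rng = random.Random(seed)
    for _ in range(count):
        switch.receive(attacker_port, random_mac(rng), random_mac(rng))


def demo():
    """Victim on port 0, gateway on port 1, attacker (sniffer) on port 2. Returns
    the output ports of a gateway->victim frame before and after the flood."""
    victim, gateway = "00:11:22:33:44:01", "00:11:22:33:44:fe"
    sw = Switch(ports=3, cam_capacity=256, age_limit=1024)
    sw.receive(0, victim, gateway)
    sw.receive(1, gateway, victim)
    before = sw.receive(1, gateway, victim)   # [0]: only the victim's port
    mac_flood(sw, attacker_port=2, count=5000)
    after = sw.receive(1, gateway, victim)    # [0, 2]: flooded, the sniffer sees it
    return before, after


if __name__ == "__main__":
    print(demo())
```

The countermeasure on managed switches is port security (a limit on MAC addresses learned per port), which turns the flood into a shutdown of the attacker's port instead of a fail-open.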

Executing attacks

Now let's look at what is needed to carry out these attacks. For ARP spoofing, MAC address duplication and MAC flooding, the attacker needs a direct connection to the attacked switch. The same connection is needed for domain name impersonation.

Conclusion: the hacker must get a system onto the local switch. Either he breaks into a machine there through a known vulnerability and installs the sniffing software, or he is already inside the organization (an employee or contractor) and uses his legitimate access to the local network to reach the switch.

IP spoofing

As already mentioned, the source IP address of a packet is not verified by the network. A hacker can therefore set the source address so that the packet appears to come from anywhere. The difficulty is that the replies (the SYN-ACK of a TCP handshake) go to the spoofed address, not to the attacker. That is why using IP spoofing to establish a TCP connection is hard: the TCP header carries a sequence number that the other side must acknowledge, the initial sequence number (ISN) for each new connection is chosen by the server, and if it is chosen pseudo-randomly the attacker cannot guess the value he has to acknowledge.

IP spoofing attack details

The figure (not reproduced here) shows an IP spoofing attack in progress: 1 - identify the target; 2 - determine the increment of the initial sequence number (ISN). This can be done by making a series of legitimate connections to the target system and noting the ISNs returned (at the risk of exposing the hacker's real IP address).
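Step 2 is the whole game, so here is an added example (a simulation, not from the article) of it: an attacker samples ISNs from a few legitimate connections, estimates the per-connection increment, predicts the ISN the server will assign to the spoofed SYN, and sends the blind ACK. The predictable generator models the old BSD scheme of a fixed increment per connection (the additional per-second term is ignored here by assumption); the random generator stands for RFC 1948 / RFC 6528 style ISNs. Start value, step and seeds are constructed.

```python
"""TCP ISN prediction, step 2 of the blind IP-spoofing attack above.

Added example (a simulation, not from the article). The predictable generator
models a fixed increment per connection; the time-based component of the old
BSD scheme is ignored by assumption.
"""
import random

MASK32 = 0xFFFFFFFF


class PredictableIsn:
    """Old style: ISN grows by a fixed step with every connection."""

    def __init__(self, start: int, step: int):
        self.cur, self.step = start & MASK32, step

    def next(self) -> int:
        self.cur = (self.cur + self.step) & MASK32
        return self.cur


class RandomIsn:
    """What a modern generator gives an outside observer: no usable relation."""

    def __init__(self, seed: int):
        self.rng = random.Random(seed)

    def next(self) -> int:
        return self.rng.getrandbits(32)


def estimate_step(observed: list) -> int:
    """Most common difference between successive observed ISNs (mod 2^32)."""
    diffs = [(b - a) & MASK32 for a, b in zip(observed, observed[1:])]
    return max(set(diffs), key=diffs.count)


def predict_next(observed: list) -> int:
    return (observed[-1] + estimate_step(observed)) & MASK32


def blind_spoof(server, probes: int = 3) -> bool:
    """1) open `probes` real connections and note the ISNs (this exposes the
    attacker's address); 2) predict the next ISN; 3) send a SYN with the spoofed
    source, whose SYN-ACK the attacker never sees, and then an ACK carrying
    predicted + 1. The server completes the handshake only if that ACK equals
    its ISN + 1. The spoofed host must be silenced first (e.g. by DoS) so it
    does not answer the unexpected SYN-ACK with a RST."""
    seen = [server.next() for _ in range(probes)]
    ack_sent = (predict_next(seen) + 1) & MASK32
    actual_isn = server.next()  # ISN the server chose for the spoofed SYN
    return ack_sent == (actual_isn + 1) & MASK32


if __name__ == "__main__":
    print("fixed increment:", blind_spoof(PredictableIsn(0x1234, 64000)))  # True
    print("random ISN:     ", blind_spoof(RandomIsn(42)))                   # False
```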

In this article we will look at proxying the traffic of iOS applications that use native web sockets to talk to their server. It will be useful to pentesters who need to intercept sensitive information that iOS applications send in non-standard ways, because the standard proxy settings on the device are not always enough to capture an application's traffic.

Recently, during a pentest, I came across an application that was sending data to port 20xx on the web server. Its traffic could not be intercepted by changing the standard settings (Settings -> Wi-Fi -> HTTP Proxy -> Manual) and pointing them at the proxy. One reason this method does not work is that the application uses native web sockets instead of the UIWebView class, and the device's HTTP proxy setting only covers HTTP traffic sent through the system networking stack, not those sockets. For more information on configuring web sockets, see this article.

There is a workaround, however: DNS spoofing, plus forwarding the traffic on every port the application uses through a proxy such as Burp. This article is divided into three parts:

  1. Sniffing traffic with Wireshark to find the IP address and port of the server.
  2. DNS spoofing and forwarding all traffic to the machine where the proxy is installed.
  3. Interception of traffic using a proxy server after performing DNS spoofing.

Below is the step-by-step procedure for intercepting the traffic of an iOS application that uses native web sockets.

1. Create a wireless access point and connect the device to it. (Note: the machine must be connected to the Internet over Ethernet or in some other way, since its Wi-Fi interface will be used for the access point. This article explains how to set up an access point on a Windows machine.)

2. Launch a network sniffer (for example, Wireshark) and look for traffic passing through non-standard ports.

a. We filter traffic, leaving only the one that goes to the IP address we need (ip.dst == ip.ip.ip.ip)

b. Find the port number to which traffic is sent.

Figure 1: Finding the non-standard port to which the application is sending traffic

3. Launch the Metasploit console, load the fakedns module and enter the following commands:

a. set SRVHOST <IP of the wireless access point>

b. set SRVPORT 53, set TARGETACTION BYPASS, set TARGETDOMAIN www.apple.com (Note: with TARGETACTION BYPASS the domain named in TARGETDOMAIN is resolved normally and every other name is answered with TARGETHOST, so setting it to www.apple.com means we intercept all traffic except apple.com's.)

c. set TARGETHOST <IP of the wireless access point>

Figure 2: Configuring a DNS server using the fakedns module (inMetasploit)

4. Configure Burp to listen for incoming device traffic on specific ports and redirect it to the previously found port.

a. Go to Proxy-> Options-> Add; set the "bind port" to the port to which the application should forward traffic (note: this is one of those non-standard tcp ports that was found using Wireshark).

b. We listen to all interfaces.

c. In the Request Handling tab, set the server domain (the Redirect to host field).

d. In the same tab, set the corresponding port number (the Redirect to port field).

e. If the traffic is sent over HTTPS, enable "Force use of SSL" (the device must then trust Burp's CA certificate, otherwise the application will reject the connection).

f. Click ok and repeat all the above operations for all ports to which the application sends traffic. In other words, a separately configured Proxy listener is required for each port.

Figure 3: Configuring Listening and Traffic Redirection

5. Configuring the proxy settings on the device:

a. Go to the Wi-Fi-> DHCP section and set DNS = IP-address of the access point.

b. In the HTTP proxy settings, set the IP address of the access point and the corresponding port to which burp is configured (these settings are used to proxy standard HTTP traffic).

Figure 4: Configuring IP andDNS forwardingon device

6. Enter "exploit" in the Metasploit console and you will see all intercepted traffic from non-standard ports.

The described method can be used to work around the problems with intercepting traffic of iOS applications that transmit it in non-standard ways.
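What each Burp listener does in step 4 is, at its core, a TCP relay: accept on the port the application expects, connect to the real server's host and port, and record everything that passes in both directions. The following is an added example (not from the article and not Burp's code) of such a logging relay, run end to end on localhost against a small echo server that stands in for the real server on its non-standard port. The hostname in the sample request is constructed; TLS is not handled, which is exactly what "Force use of SSL" plus a device-trusted Burp CA adds in the real setup.

```python
"""A logging TCP relay: the Burp 'redirect to host/port' listener of step 4,
reduced to its essentials, plus an echo server standing in for the real
application server on its non-standard port.

Added example; not the article's tool and not Burp's code. TLS is not handled.
"""
import socket
import threading


class LoggingRelay:
    """Listens on a local port, forwards each accepted connection to
    (target_host, target_port) and records every byte in both directions."""

    def __init__(self, target_host: str, target_port: int, listen_host: str = "127.0.0.1",
                 listen_port: int = 0):
        self.target = (target_host, target_port)
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((listen_host, listen_port))   # port 0: let the OS pick one
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        self.log = []                                # (direction, bytes)
        self.lock = threading.Lock()
        self.thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self) -> int:
        self.thread.start()
        return self.port

    def close(self):
        self.sock.close()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return                               # listener closed
            upstream = socket.create_connection(self.target)
            threading.Thread(target=self._pump, args=(client, upstream, "c->s"), daemon=True).start()
            threading.Thread(target=self._pump, args=(upstream, client, "s->c"), daemon=True).start()

    def _pump(self, src: socket.socket, dst: socket.socket, direction: str):
        """Copy src -> dst until EOF, logging each chunk; then half-close dst."""
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    break
                with self.lock:
                    self.log.append((direction, data))
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass


def start_echo_server(host: str = "127.0.0.1"):
    """Stand-in for the application server: echoes whatever it receives."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(8)

    def handle(conn):
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                conn.sendall(chunk)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(payload: bytes = b"GET /ws HTTP/1.1\r\nHost: app.example\r\n\r\n"):
    """Whole chain on localhost: app -> relay -> 'server' on a non-standard port.
    Returns what the app got back and the relay's log of both directions."""
    srv, srv_port = start_echo_server()
    relay = LoggingRelay("127.0.0.1", srv_port)
    relay.start()
    with socket.create_connection(("127.0.0.1", relay.port)) as app:
        app.sendall(payload)
        app.shutdown(socket.SHUT_WR)
        echoed = b""
        while True:
            chunk = app.recv(4096)
            if not chunk:
                break
            echoed += chunk
    relay.close()
    srv.close()
    return echoed, list(relay.log)


if __name__ == "__main__":
    print(demo())
```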

Interception of data over the network means obtaining any information from a remote computing device: the user's personal information, messages, records of the websites visited. Data capture can be done with spyware or with network sniffers.

Spyware is special software that can record all information transmitted over a network from a specific workstation or device.

A sniffer is a program or a hardware/software device that intercepts and analyzes traffic passing over a network. With a sniffer an attacker can also join a web session and perform operations on behalf of the computer's owner.

If the information is not forwarded in real time, spyware generates reports that are convenient for viewing and analysis.

Network interception can be lawful or unlawful. The main document that defines the legality of capturing information is the Convention on Cybercrime, signed in Budapest, Hungary, in 2001. Legal requirements differ slightly from country to country, but the key message is the same everywhere.

Classification and methods of intercepting data over the network

In accordance with the above, interception of information over the network can be divided into two types: authorized and unauthorized.

Authorized data capture is carried out for a variety of purposes, from protecting corporate information to ensuring the security of the state. The grounds for such operations are set by legislation; they are carried out by special services, law enforcement, administrative bodies and corporate security departments.

There are international standards for performing data interception. The European Telecommunications Standards Institute has brought a number of technical processes to a unified norm (ETSI ES 201 158 "Telecommunications security; Lawful Interception (LI); Requirements for network functions") on which interception is based. The result is a system architecture that lets intelligence specialists and network administrators lawfully obtain data from the network. It is used for wired and wireless voice call systems, for e-mail, for voice messages over IP and for SMS exchange.

Unauthorized interception of data over the network is carried out by cybercriminals who want confidential data, passwords, corporate secrets, addresses of computers on the network and so on. To achieve this, hackers usually use a network traffic analyzer, a sniffer. This program or hardware/software device lets a fraudster intercept and analyze information within the network the victim is connected to, including SSL-encrypted traffic by substituting certificates (which only succeeds if the victim accepts the forged certificate or the attacker's CA is trusted by the victim's system). Traffic data can be acquired in different ways:

  • listening to the network interface,
  • connecting an interception device to the channel break,
  • creating a traffic branch and duplicating it on a sniffer,
  • by carrying out an attack.

There are also more sophisticated techniques for intercepting sensitive information that let an attacker intrude into a network conversation and change data. One is forged ARP replies (ARP spoofing), which bind the IP address of the victim or of the gateway to the attacker's MAC address so that frames between them pass through the attacker's device. Another is false routing: the attacker substitutes his own address for that of the network router, for example with forged ICMP redirects as described earlier; a criminal who knows how the victim's local network is laid out can easily arrange for the user's traffic to flow to his IP address. Hijacking a TCP connection is also effective: the attacker injects TCP segments with the right sequence numbers into the victim's session, breaks or desynchronizes it, and then continues the session in place of the client.

Object of influence

Objects of data interception over the network can be state institutions, industrial enterprises, commercial structures, ordinary users. Within an organization or a business company, information capture can be implemented to protect the network infrastructure. Intelligence agencies and law enforcement agencies can carry out a massive interception of information transmitted from different owners, depending on the task at hand.

As for cybercriminals, any user or organization can become a target for the sake of the data it sends over the network. With authorized interception the content of the information is what matters; an attacker is more interested in data that can be used to steal money or in valuable information that can be resold.

The most common victims of interception by cybercriminals are users connecting to a public network, for example a cafe Wi-Fi hotspot. The attacker joins the session with a sniffer, substitutes data and steals personal information. For more details on how this happens, see the article.

Source of threat

Public network operators take part in authorized interception in companies and organizations; their work is aimed at protecting personal data, trade secrets and other important information. On legal grounds, the transfer of messages and files may be monitored by special services, law enforcement and various government agencies to ensure the safety of citizens and the state.

Attackers are the ones engaged in illegal interception. To avoid becoming a cybercriminal's victim, follow a few expert recommendations. Do not perform operations that require authentication or the transfer of important data while connected to public networks. Prefer encrypted networks, or better still a personal 3G or LTE modem. When transferring personal data, use HTTPS or a personal VPN tunnel so that the data is encrypted end to end.

You can protect your computer from traffic interception with cryptography and anti-sniffer tools; a wired rather than a wireless connection to the network also reduces the risk.