EC Council CEH 312-50 – Networks – Sniffing, ARP Poisoning, and Breaking SSL Part 2
July 6, 2023

6. ARP Cache Poisoning Tools and Countermeasures

So let’s go ahead and finish up this section. We know that the tool Cain &amp; Abel, which is a free tool from oxid.it that you can download and use yourself, can be used to poison a pair of machines or even an entire subnet. So I can poison one person or an entire subnet and have everyone come through me, if you will. By default, Cain will send out the ARP packet every 30 seconds, and we know that Windows will only hold that entry for two minutes. So if we send it out every 30 seconds, it’s never going to expire, and the victim is always going to use our entry as opposed to the entry that was put in naturally by a typical ARP request.

I wanted to briefly touch on a couple of tools that you may see, and you may even see this on a test. There is a tool called dsniff, which is a collection of Linux or Unix based tools for auditing. dsniff is the tool collection, but it gives you the capability to collect files using filesnarf. mailsnarf collects email messages, msgsnarf collects messages from instant messaging clients like MSN Messenger, and urlsnarf collects all the URLs you went to. And webspy was a really great little tool in its day. When it worked well, and we didn’t encrypt everything like we do today, it would actually follow a person wherever he or she was going on the Internet. I tell you, it was really interesting.

A lot of times I’d spend a lot of nights in hotels when I’m out teaching classes all over the world, and I will try and ARP cache poison somebody in the hotel, because I know I can do it to them, and they can do it to me. And I tell you, some of these people that you follow where they’re going on the Internet, I can tell you there are lots of lonely guys in some of these hotel rooms, I tell you. It also consists of utilities like arpspoof, which is a command line version of the spoofing capabilities, or ARP cache poisoning capabilities, of Cain &amp; Abel. dnsspoof allows you to change the DNS request, because it will send back something else. In days gone by, I could type in www.americanairlines.com and an attacker could send me to delta.com, just as an example.

With certificates being much more commonplace now, that really takes away a lot of the trickery I used to be able to do in classes. You also remember the macof utility; that’s part of the dsniff suite as well. That’s what we used when we flooded the CAM table of the switch. And sshmitm and webmitm are active man in the middle, or monkey in the middle, type attacks, because they work against redirected SSH and HTTPS sessions by exploiting weak bindings in an ad hoc PKI. Now, what is DNS spoofing? DNS spoofing, which you’ll sometimes see referred to as DNS cache poisoning, is actually a computer hack where data is introduced into the domain name system (our DNS system, our telephone book for the Internet), into a DNS name server’s cache, causing the name server to return an incorrect IP address.

Now, if you recall, DNS uses UDP instead of TCP. And remember, UDP was the one that was easy to spoof. There was an old joke going around: somebody would say, I could tell you a UDP joke, but you may not get it. The idea is, if you just drop a letter in the mail and somebody changes it, there was no contacting them back, so you just assumed that was the right thing. But if you do TCP, where you have to send an ACK, it would ACK back to somebody else; it just simply wouldn’t work, or at least not work very well. This would divert the traffic to another computer, typically the attacker’s. A domain name system translates, of course, a human readable domain name like example.com into a numerical IP address that is used to route communication between nodes on the Internet.

Now, normally, if the server doesn’t know the requested translation, it will ask another server, which will ask another server, and this process continues recursively. This is known as a recursive query, because there is not one server on the Internet that contains the entire DNS. It’s spread out all throughout the Internet. And we have redundant servers: if one person attacks one, there are usually many others to take its place. So to increase performance, the server will typically remember, in other words cache, these translations for a certain amount of time, so that if it receives another request for the same translation, it can reply without asking the other server again, that is, without doing this recursive query again.

When a DNS server has received a false translation and caches it for performance optimization, it’s considered to be poisoned, and it supplies false data to the clients and sends you to another place. If a DNS server is poisoned, it may return the incorrect IP address, naturally diverting traffic to another computer, typically the attacker’s. So there are several tools, like I said before, that can do the DNS spoofing. Cain &amp; Abel has one; that was just one of the options in there, under DNS. Another one, part of Linux, part of the dsniff suite of tools we talked about earlier for Unix and Linux, is dnsspoof. There are also WinDNSSpoof and DNS Hijacker. There are a number of tools that you can use to do this. It’s really pretty easy to spoof DNS because it uses UDP.
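The flip side of “easy to spoof because it uses UDP” is what a resolver has to check before it believes a reply. The following is an added example, not part of the course and not code from Cain &amp; Abel, dsniff or any resolver it names: a toy stub resolver that builds real DNS wire-format queries, accepts a reply only if the transaction ID, the source port, the server address and the question section all match a query it actually sent, and forgets the query as soon as one answer is accepted, so a forged reply racing the genuine one has nothing left to poison. The `Resolver` class, `build_reply`, the scenario function and every IP address are my own constructed names and documentation values.

```python
"""Resolver-side checks that make DNS-over-UDP spoofing hard to pull off.

Added example, not from the course or from any tool it names. Because UDP
proves nothing about who sent a reply, the resolver itself must check that a
reply matches a query it really sent (txid, random source port, the server
and question it used) and stop listening once an answer is accepted.
All addresses below are constructed documentation values.
"""
import secrets
import struct

A_RECORD = 1


def encode_name(name):
    """Wire-format a name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(txid, qname):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", A_RECORD, 1)


def build_reply(txid, qname, ip, ttl=300):
    """Minimal A-record reply; used here only to construct the scenario input."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, one answer
    question = encode_name(qname) + struct.pack("!HH", A_RECORD, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, ttl, 4)  # name = pointer to offset 12
    return header + question + rr + bytes(int(o) for o in ip.split("."))


def parse_reply(pkt):
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", pkt[:8])
    pos, labels = 12, []
    while pkt[pos]:                                   # question name (one question assumed)
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 1
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    pos += 4                                          # qtype + qclass
    answers = []
    for _ in range(ancount):
        pos += 2                                      # RR name: compression pointer, as build_reply emits
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == A_RECORD and rdlen == 4:
            answers.append(".".join(str(b) for b in pkt[pos:pos + 4]))
        pos += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": ".".join(labels), "qtype": qtype, "answers": answers}


class Resolver:
    """Stub resolver that accepts only replies matching an outstanding query."""

    def __init__(self, server=("192.0.2.53", 53)):
        self.server = server
        self.pending = {}       # (txid, source_port) -> qname
        self.cache = {}         # qname -> list of IPs
        self.rejected = []      # (txid, reason) for every discarded reply

    def send(self, qname):
        # An unpredictable txid and source port are all a blind spoofer has to guess.
        txid = secrets.randbelow(1 << 16)
        sport = 1024 + secrets.randbelow(65536 - 1024)
        self.pending[(txid, sport)] = qname
        return (txid, sport), build_query(txid, qname)

    def receive(self, pkt, src, dport):
        r = parse_reply(pkt)
        key = (r["txid"], dport)
        if src != self.server:
            reason = "reply from a server we did not ask"
        elif not r["is_response"]:
            reason = "QR bit not set"
        elif key not in self.pending:
            reason = "no outstanding query with this txid and port"
        elif (self.pending[key], A_RECORD) != (r["qname"], r["qtype"]):
            reason = "question section does not match what we asked"
        else:
            self.cache[r["qname"]] = r["answers"]
            del self.pending[key]    # closes the race window: later copies are ignored
            return True
        self.rejected.append((r["txid"], reason))
        return False


def simulate_spoof_attempts():
    """Forged replies racing the genuine one, as in the lecture's description."""
    rs = Resolver()
    (txid, sport), _query = rs.send("example.com")
    forged_ip, real_ip = "198.51.100.66", "203.0.113.10"
    # 1. Right txid and port, but the sender is not the server we asked.
    rs.receive(build_reply(txid, "example.com", forged_ip), ("198.51.100.1", 53), sport)
    # 2. Server address spoofed, but the 16-bit txid is guessed wrong.
    rs.receive(build_reply((txid + 1) & 0xFFFF, "example.com", forged_ip), rs.server, sport)
    # 3. Everything matches except the question, which is for a name we never asked about.
    rs.receive(build_reply(txid, "bank.example", forged_ip), rs.server, sport)
    # 4. The genuine reply is accepted and the pending slot is cleared.
    rs.receive(build_reply(txid, "example.com", real_ip), rs.server, sport)
    # 5. A perfect forgery that arrives late finds nothing pending.
    rs.receive(build_reply(txid, "example.com", forged_ip), rs.server, sport)
    return rs
```

Run `simulate_spoof_attempts()` and inspect `.cache` and `.rejected`: only the genuine reply lands in the cache, and each forgery is logged with the check that stopped it. The scenario also shows why the lecture’s “it uses UDP” point matters: the only things standing between an off-path attacker and a poisoned cache are the 16 bits of transaction ID plus the randomised source port, which is exactly why resolvers randomise both and why DNSSEC exists for the cases where guessing is feasible.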

7. Breaking SSL Traffic, Intercepting VoIP, Routing Protocols, RDP, Passwords and M

Now, I hope this puts everything together for you, because this little animation really clears things up for a lot of people. We learned in a previous module what SSL is; here’s a recap, okay? The Secure Sockets Layer. In reality, it’s called TLS, but a lot of people still call it SSL. TLS is the newer version of SSL. Anyway, TLS is the most widely deployed security protocol used today. It is essentially a protocol that provides a secure channel between two machines operating over the Internet or an internal network. In today’s Internet focused world, the SSL protocol is typically used when a web browser needs to securely connect to a web server over an inherently insecure Internet.

As a matter of fact, approximately 90% of websites use SSL today. This is a huge shift from what it used to be, say, five years ago. Technically, SSL is a transparent protocol. It requires relatively little interaction from the end user when establishing a secure session, when things go right. In the case of a browser, for instance, users are alerted to the presence of SSL when the browser displays a padlock, or that green bar that we saw; it displays a padlock and a green bar if it’s extended validation. This is the key to the success of SSL: it’s an incredibly simple experience for end users. So the question is, how do we break it? All right, I think you’ll enjoy this.

So for a successful SSL attack, the hacker will be performing an ARP cache poison. So think of this right here as being the victim. This is the guy running Cain &amp; Abel, here’s the man in the middle, and this is, say, your bank server as an example. What happens is, the very first thing, the victim sends an SSL request. Since we are the man in the middle, we stop it. The attacker sends an SSL request of its own to the bank’s server. The bank server replies with a real certificate. We stop that real certificate as well, copy it, and alter it using the tools in Cain &amp; Abel, which use a copy of OpenSSL to create a whole new certificate that is not signed by a certificate authority. It then sends that certificate out to the end user.

Now, that end user is going to have some kind of message come up on their screen saying, hey, this is not a real certificate. What do you want to do? What’s standing in the way of that person getting to that website? If it’s my wife, what’s standing in the way of buying that purse or bag or shoes? If she says no, she’s not getting there. I can tell you right now what my wife is going to do. She’s going to say, do you want to proceed? Yes, I do. Of course we have an encrypted connection back to the man in the middle. I sent out the certificate, so of course I know what the key is. Now we decode and do what we want with that information. We then use the real certificate and encode it, send it back to the bank, no one being the wiser.

So a hacker can create fake certificates and pretend to be the real server. Two simultaneous SSL connections are established: between the victim and the hacker, and between the hacker and the real server. If you go into a hotel or a coffee shop and this certificate warning pops up, is it somebody ARP cache poisoning you? Or is it just that they didn’t want to purchase a real certificate and they are using a self signed one? Your guess is as good as mine. It’s not really known, and so you’re taking a huge chance if you say yes, I’ll go ahead and use that certificate. If a victim is misled to a hacker’s web server via DNS spoofing or even URL obfuscation, they may not know any better and accept that fake certificate that the hacker created.

The hacker could then play a man in the middle game against the victim, using all the different kinds of tools that we’ve already shown you. And Cain &amp; Abel is not only a fully automated SSL cracker, but it also cracks passwords. It’s a really wonderful little tool. Lastly, we want to talk about voice over IP. Now, voice over IP is not typically encrypted. That means that we could ARP cache poison a phone that is using voice over IP and pick up the information and listen to it, or eavesdrop on it, very, very easily. As things are getting more progressive, with newer and newer technology, they’re building encryption into the chipset on the phone.

This technique is not going to last a whole lot longer, especially if you’re using hardware based Cisco phones and things of that nature. So I guess the hackers can enjoy it while they can. But as soon as they upgrade the phone system, more than likely it will be with the new encryption chip in it. Right now it is very easy to intercept voice over IP: you just simply ARP cache poison between the phone and the codec it talks back and forth to, and the tool captures this as a WAV file that you can simply play back through your speakers. And we want to tie up one last thing for sniffing: use only encrypted protocols, OpenSSH, IPsec, VPNs, especially when traveling, for encryption and strong authentication.

90% of the attacks happen before the traffic even reaches the ISP. If you can jump out of your insecure area, past the ISP, to the VPN provider, more than likely you’re going to be safe. And then we also talked about monitoring for these common ARP cache poisoning attacks using arpwatch, and using higher level switches that have port security features like port security and dynamic ARP inspection. Then lastly, use strong authentication. Educate users not to accept certificates that have problems; have them call tech support. Use encrypted voice over IP systems; Skype is a good example that uses encryption.
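What arpwatch style monitoring actually looks for follows directly from the mechanics in section 6: a poisoner has to keep re-announcing the gateway’s address faster than the victim’s two-minute cache expires, and a trusted address such as the default gateway should only ever map to one MAC. The following is an added example, not part of the course and not code from arpwatch, Cain &amp; Abel or dsniff: a small monitor over a constructed trace of ARP replies that reports a trusted IP announced with the wrong MAC, any IP whose MAC flips, and an IP/MAC pair that is re-announced on a fixed timer shorter than the cache lifetime. The `ArpReply` type, `detect_arp_anomalies`, the MAC addresses and the 192.168.14.0/24 sample addresses are my own constructed values.

```python
"""arpwatch-style detection over a constructed trace of ARP replies.

Added example; not part of the course and not code from Cain & Abel,
dsniff or arpwatch. It applies two facts from the lecture: a poisoner must
re-announce itself faster than the victim's cache expires (every 30 seconds
against a two-minute Windows entry), and a trusted address such as the
default gateway should map to exactly one MAC. All addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

CACHE_LIFETIME_S = 120     # lecture: Windows keeps an ARP entry about two minutes
POISON_INTERVAL_S = 30     # lecture: Cain & Abel re-sends its ARP reply every 30 s


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since capture start
    ip: str     # sender protocol address: "ip ..."
    mac: str    # sender hardware address: "... is-at mac"


def detect_arp_anomalies(replies, trusted=None):
    """Return alert strings for (1) a trusted IP announced with the wrong MAC,
    (2) any IP whose MAC flips between replies, and (3) an IP/MAC pair that is
    re-announced on a fixed timer shorter than the victim's cache lifetime.
    `trusted` maps IPs (e.g. the gateway) to MACs learned out of band."""
    trusted = trusted or {}
    alerts = []
    last_mac = {}                 # ip -> MAC in the most recent reply
    seen_at = defaultdict(list)   # (ip, mac) -> timestamps of each announcement
    for r in sorted(replies, key=lambda x: x.ts):
        if r.ip in trusted and r.mac != trusted[r.ip]:
            alerts.append(f"{r.ts:6.1f}s trusted {r.ip} announced by {r.mac}, "
                          f"expected {trusted[r.ip]}")
        prev = last_mac.get(r.ip)
        if prev is not None and prev != r.mac:
            alerts.append(f"{r.ts:6.1f}s flip {r.ip}: {prev} -> {r.mac}")
        last_mac[r.ip] = r.mac
        seen_at[(r.ip, r.mac)].append(r.ts)
    # A legitimate host answers when asked; a poisoner re-announces on a timer
    # that must beat CACHE_LIFETIME_S, so look for evenly spaced repeats.
    for (ip, mac), stamps in seen_at.items():
        if len(stamps) < 3:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) < CACHE_LIFETIME_S and max(gaps) - min(gaps) < 2:
            alerts.append(f"periodic {ip} is-at {mac} every ~{gaps[0]:.0f}s "
                          f"(beats {CACHE_LIFETIME_S}s cache lifetime)")
    return alerts


# Constructed trace: the real gateway answers once, then a second MAC claims
# the gateway address every POISON_INTERVAL_S, and the victim answers once.
GATEWAY, GATEWAY_MAC = "192.168.14.2", "00:50:56:aa:bb:01"
ATTACKER_MAC = "00:0c:29:de:ad:01"
SAMPLE_REPLIES = [ArpReply(0.0, GATEWAY, GATEWAY_MAC),
                  ArpReply(40.0, "192.168.14.131", "00:0c:29:11:22:33")] + [
    ArpReply(5.0 + n * POISON_INTERVAL_S, GATEWAY, ATTACKER_MAC) for n in range(4)]


def run_sample():
    """Run the detector over the constructed trace with the gateway pinned."""
    return detect_arp_anomalies(SAMPLE_REPLIES, trusted={GATEWAY: GATEWAY_MAC})


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The trusted-MAC table is the same idea a switch’s dynamic ARP inspection applies in hardware (it learns the bindings from DHCP snooping instead of a hand-written dictionary); the cadence check is the one arpwatch cannot do on its own but is cheap to add once you keep timestamps per binding. On a real capture, feed `ArpReply` records built from the sender fields of ARP replies (opcode 2) and pin at least the gateway.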

8. Exercise/Assignment Breaking SSL – Preparation

Okay, folks, we’re going to do a little lab and exercise, and if this doesn’t scare the bejesus out of you, I just don’t know what else is going to. All right? So first off, what we’re going to do is we’re going to go into our Kali Linux machine and we’re going to go ahead and power it off, all right? So we’ll go ahead and shut down the guest, and at this point in time we’re going to change this into NAT mode. Now, I normally use NAT mode in this particular diagram, especially when I do it in a class, because we’re going to be doing some ARP cache poisoning and I don’t really want to be battling ARP caches with the default gateway and that kind of thing. And I’m also going to use the Windows 7 machine, and I want to go ahead and put it in that mode as well.

So I’m just simply going to double click on this and I’m going to put that in that mode as well, all right? Then I’m going to go ahead and power on both of those machines. Perfect. Now, while that’s booting up, go ahead and press Enter on that guy, and I’m going to go over to this one and press Enter on that guy, and we’re going to use one of my famous copy paste labs, all right? And what I’m going to do is I’m going to show you how I’m going to go into PayPal, and I can guarantee you, you will put your password into PayPal, I will steal it, and you will never know that I’ve done it. If you don’t believe me, just you watch.

So there are a couple of things that we’re going to need to do to get set up, and then I’m going to let you walk through this like we’ve done in the past, and I’m going to go back through and finish the rest of this out, all right? So let’s go ahead and let this thing boot up. Now, the copy paste actually works much better if I kind of walk you through everything, explaining each piece as we go through here. So I think I’ll probably just go ahead and do that. But I want you to follow along with me as we do this, all right? Because you’re going to paste each one of these commands in one at a time, and I want you to follow along with me, all right? You’ll have this exact same text file, so it’s going to be very important for you to do this, all right?

So the first thing we’re going to need to do is I’m going to go ahead and say ask me later on this. I explained to you before about that seven X thing, all right? And I’m going to go into Kali and I’ve got to put in the username. The username is always root, and a password of toor, which is root spelled backwards. Okay? And go into this there. Now I’m going to go back over to Kali Linux right here, and I’m going to open up a terminal. All right, I’ll make this kind of big right here, and I’m going to use this to fill out a little bit of information. All right, the first thing it’s asking me for is to issue the route -n command. All right? So I’m going to type in route -n.

All right, it wants to know what my default gateway is. All right, here is my default gateway. I’m going to press Ctrl+C right here, and on here it basically says the default gateway. All right? So I’m going to just, at the very end of this, paste that in. Okay? And the next thing I want to know is the victim, Windows 7. All right, so I need to find out what the Windows 7 IP address is. Okay? So I’m going to go over here, and the Windows 7 IP address is going to be 192.168.14.131. Okay, perfect. Now basically what I’m going to do is, wherever I need to have it in all of the commands, where it calls for the Windows 7 IP address, I’m going to replace it with this IP address, and where it calls for the default gateway, I’ll replace it with this.

Okay? Now the easiest way to do that is to just use search and replace. So I’m going to click on Replace, I’m going to grab this right here and click on Copy, I’m going to put this up here, and I’m going to grab this right here, Ctrl+C, and I’m going to put that right there. Okay? I need to make sure there’s no space before it or after it. And I’m going to do a Replace All. Perfect. The next thing I’m going to do is I’m going to grab this YY, Ctrl+C, put that right there, Ctrl+V, and for the replacement grab that one right there, Ctrl+C, put that there, Ctrl+V, and Replace All. Perfect. Now, as you’re going to see as I move down through here, it’s replaced all of those commands that I need to do all those nice things with.

Now basically, what it’s saying here: if your Kali Linux and Windows 7 machines are turned on, turn them off, put them in that mode, boot both machines and log in. We’ve already done that. Log into Kali with the username root and password toor. The Windows machine should log in automatically; if not, use console view. In the Kali Linux machine, open up a terminal and ping google.com. I want to make sure that I’m able to have network connectivity, so I’m going to ping google.com. It sure does look like she’s working fine there. And I’m going to come back over here, open up a command prompt, and do the same thing with that. So I’m going to type in ping google.com, and it looks like she’s working there, too. All right, perfect.

9. Exercise/Assignment Breaking SSL – Solution

So now the next thing we’re going to do, now that we know we have connectivity, is we’re going to issue the command in Kali Linux to tell it that we’re going to forward everything. So I’m going to just grab this command right here, Ctrl+C, right click and paste, press Enter, and bing, bang, boom, I’ve got that baby in there. Okay, the next thing I’m going to do is I’m going to do an ARP spoof, telling the Windows 7 machine that I’m the default gateway, and telling the default gateway that I am the Windows machine. So I’m going to issue this command right here.

Now, that command is going to just simply roll over and over, and I want you to just let that guy run. We’re not going to mess with it, because what happens is, on a Windows machine, the ARP cache entry will last for two minutes, and we’ve got to refresh that every two minutes or it’s going to time out, so it comes back and does that every 30 seconds. So I’m just going to go ahead and open up another terminal, and I’m going to come in here and issue another command, this one right here. I’m going to tell it that I’m going to redirect anything from port 80. So I’m going to go in here to this one, right click, click on Paste and press Enter.

Okay, perfect. I’m going to then go in, and now we’re going to issue the sslstrip command. So I’m going to issue this one right here. I’m going to click on Copy right here, click on Paste. Okay. Having issued sslstrip, I’m going to now open up a third terminal, and on this one I’m going to use the tail command and read the log. And I’m going to go over to my Windows 7 machine. I will then open up Mozilla, and I’m going to type in paypal.com. Now I want you to take a real close look at this. Do you see anything unusual here? Looks like PayPal. Well, let’s go ahead and log in. I’m going to log in, but I’m not going to use my regular login.

I’m going to log in with tim@tim.com and my secret password, and I’m going to log in. Now, it’s obviously going to fail because that’s not my password. But if you look over here, you’re going to see my login, tim@tim.com, and my password, my secret password. What? What happened? Oh, my gosh. If this doesn’t shake you up, it should, but here is what happened. I want you to look real close, up here. We are not in HTTPS mode. It’s stripped off the S. And if you’re not real careful and real consistent, you’ll miss that in a coffee shop or in a hotel, and give away your PayPal, your Facebook, your Amazon, your whatever password, and never know the difference.
