Sniffing and MitM Attacks

MAC Flooding

Filling a switch's CAM table (which holds the MAC-to-port mappings the switch uses to forward frames to their correct destinations) with bogus entries.

This causes the switch to enter a "fail open" state and act like a hub, forwarding the frames on all ports.

ARP Poisoning/Spoofing

Redirecting traffic to your attacking machine. Allows you to read/modify network traffic.


ARP Basics

Protocol used to link IP addresses to MAC addresses. The mappings are stored in each device's ARP table.

If an IP is not found in the ARP table, an ARP request is broadcast over the network asking which device owns that IP; the owner replies with its MAC address and the mapping is cached.

Gratuitous ARP: an ARP packet a host sends without being asked, announcing its own IP-to-MAC mapping (sender IP and target IP are the same). Receiving hosts update their ARP tables from it, which is what the poisoning attacks below abuse.
Request:

Reply:


Host Poisoning

The attacker forges gratuitous ARP reply packets and sends them to both target machines, so the attacker sits in the middle. Traffic to/from the two hosts will now pass through the attacking machine.

Gateway Poisoning

The attacking machine sends gratuitous ARP replies to some or all hosts in a network, announcing its own MAC address as the MAC of the default gateway.

This allows the attacker to sniff traffic destined for the default gateway. It requires the attacking machine to be able to process large amounts of data/packets per second; if the machine is too slow, it can cause a DoS for the whole network.


Sniffing Tools

dsniff
Provides active and passive sniffing and MitM attacks.

dsniff options:
-c = Half-duplex TCP stream reassembly to handle asymmetrically routed traffic.
-d = Debugging
-m = Automatic protocol detection
-n = No DNS resolution
-p = Process contents of PCAP files
-i = Interface to listen on

tcpdump
tcpdump -i <interface> -xxAXXSs 0 dst <IpToSniff>

tcpdump src <IP>
tcpdump dst <IP>
tcpdump net <Range/CIDR>
tcpdump port/src port <port>
tcpdump -q = Quiet output

tcpdump -i <interface> -w <Output_file>
tcpdump -r <PcapFileToRead>


MitM Attacks

Typically done on a LAN due to the lack of security around ARP and DHCP.

ARP poisoning
The attacker delivers fake IP-MAC pairs to the two targets' ARP tables, making the attacker's machine the man in the middle.

Local to Remote MitM

The attacker delivers a gratuitous ARP to the target machine, claiming the gateway's IP address with the attacker machine's MAC address. All of the target's outbound traffic will then route through the attacker's machine and then on to the gateway.
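Added example, not part of the original notes: a small Python monitor for the host and gateway poisoning described above. It parses raw Ethernet/ARP reply frames and alerts when a gratuitous (or ordinary) reply rebinds a known IP, such as the gateway's, to a different MAC. The baseline bindings, addresses and frames are all constructed here for the demonstration.

```python
import struct

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp_reply(sha, spa, tha, tpa):
    """Constructed ARP reply frame used as test input (not captured traffic)."""
    eth = ETH.pack(mac_bytes(tha), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(sha), ip_bytes(spa),
                   mac_bytes(tha), ip_bytes(tpa))
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    # A gratuitous reply announces the sender's own binding: sender IP == target IP.
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tpa": ip_str(tpa), "gratuitous": spa == tpa}

class ArpMonitor:
    """Tracks IP->MAC bindings seen in ARP replies and alerts when a known
    binding (e.g. the gateway's) is claimed by a different MAC."""
    def __init__(self, baseline):
        self.table = dict(baseline)   # trusted bindings, e.g. {gateway_ip: gateway_mac}
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; returns an alert string or None."""
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["spa"], arp["sha"]
        known = self.table.get(ip)
        if known is not None and known != mac:
            kind = "gratuitous " if arp["gratuitous"] else ""
            alert = f"{ip}: {kind}ARP reply claims {mac}, baseline is {known}"
            self.alerts.append(alert)
            return alert          # never overwrite the trusted binding
        self.table[ip] = mac      # first sighting of a new host: learn it
        return None
```

On a real network the same logic is what static ARP entries or switch Dynamic ARP Inspection enforce: a reply that contradicts the trusted binding is the signal.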

DHCP Spoofing

The attacker spoofs the DHCP messages issued to devices on a network.

The attacker machine responds to DHCP requests on the network with a DHCPOFFER packet carrying a large lease time; this tricks the requesting machine into choosing this DHCPOFFER over other offers with shorter lease times.

The DHCPOFFER contains the increased lease time, and the source MAC is the attacker machine's MAC address. Now all traffic first routes to the attacker machine and then to the real gateway.
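Added example, not part of the original notes: a Python check for the rogue offers described above. It parses the fixed DHCP header and the option area, then flags a DHCPOFFER whose server identifier is not one of the known DHCP servers, or whose lease time is unusually long. The trusted server list, addresses and offer packets are constructed for the demonstration.

```python
import struct

DHCP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # the fixed 236-byte header
MAGIC = b"\x63\x82\x53\x63"
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END, DHCPOFFER = 51, 53, 54, 255, 2

def ip_str(b): return ".".join(str(x) for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_dhcp(payload):
    """Return (yiaddr, {option_code: raw_value}) or None if the message is malformed."""
    body = DHCP_HDR.size
    if len(payload) < body + 4 or payload[body:body + 4] != MAGIC:
        return None
    yiaddr = ip_str(DHCP_HDR.unpack_from(payload)[8])   # field 8 = offered client IP
    opts, i = {}, body + 4
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                   # pad byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return yiaddr, opts

def check_offer(payload, trusted_servers, max_lease=7 * 86400):
    """'ok', or a reason string explaining why this DHCPOFFER looks rogue."""
    parsed = parse_dhcp(payload)
    if parsed is None:
        return "malformed"
    yiaddr, opts = parsed
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return "not an offer"
    server = ip_str(opts.get(OPT_SERVER_ID, b"\0\0\0\0"))
    if server not in trusted_servers:
        return f"rogue: offer of {yiaddr} from untrusted server {server}"
    lease = opts.get(OPT_LEASE, b"")
    if len(lease) == 4 and struct.unpack("!I", lease)[0] > max_lease:
        return f"suspicious: offer of {yiaddr} from {server} has an unusually long lease"
    return "ok"

def build_offer(yiaddr, server, lease):
    """Constructed DHCPOFFER used as test input (not captured traffic)."""
    hdr = DHCP_HDR.pack(2, 1, 6, 0, 0x1234, 0, 0, b"\0" * 4, ip_bytes(yiaddr),
                        ip_bytes(server), b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_LEASE, 4]) + struct.pack("!I", lease)
            + bytes([OPT_SERVER_ID, 4]) + ip_bytes(server) + bytes([OPT_END]))
    return hdr + MAGIC + opts
```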

MitM in Public Key Exchange

The attacker machine recognizes queries to a key server; once the key server returns the public key, the attacker intercepts it and replaces it with the attacker's own public key.

After Alice encrypts data with the attacker's public key, the attacker intercepts the data and decrypts it with his private key. After decrypting the data, the attacker re-encrypts it with the original public key and forwards the message to the intended user.

LLMNR and NBT-NS Spoofing/Poisoning

Link-Local Multicast Name Resolution and NetBIOS Name Service

A host requests an SMB share with a misspelled name. DNS cannot resolve the unknown host, so an LLMNR or NBT-NS broadcast message is sent. The attacker machine responds to the LLMNR or NBT-NS message, posing as a legitimate system. The host then provides its credentials directly to the attacker machine.
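Added example, not part of the original notes: a Python detector for the LLMNR poisoning described above. A legitimate host only answers LLMNR for its own name, whereas a poisoner answers for every name it hears, so the detector parses LLMNR responses (DNS wire format on UDP 5355) and alerts when one responder has claimed more than a few distinct names. The responder IPs, names and packets are constructed for the demonstration.

```python
import struct

DNS_HDR = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
QR_RESPONSE = 0x8000

def read_name(data, off):
    """Decode the label sequence at `off` (question names are never compressed)."""
    labels = []
    while data[off] != 0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_llmnr(payload):
    """Return (is_response, queried_name, answer_count), or None if malformed."""
    if len(payload) < DNS_HDR.size:
        return None
    _id, flags, qdcount, ancount, _ns, _ar = DNS_HDR.unpack_from(payload)
    if qdcount < 1:
        return None
    try:
        name, _ = read_name(payload, DNS_HDR.size)
    except (IndexError, UnicodeDecodeError):
        return None
    return bool(flags & QR_RESPONSE), name.lower(), ancount

class LlmnrPoisonDetector:
    """A real host answers LLMNR only for its own name; a poisoner answers for
    every name it hears (typos, wpad, ...). Track distinct names per responder."""
    def __init__(self, max_names=2):
        self.max_names = max_names
        self.claims = {}          # responder IP -> set of names it answered for

    def observe(self, src_ip, payload):
        """Feed one UDP/5355 payload sent by src_ip; returns an alert string or None."""
        parsed = parse_llmnr(payload)
        if parsed is None or not parsed[0] or parsed[2] == 0:
            return None           # ignore queries and empty responses
        names = self.claims.setdefault(src_ip, set())
        names.add(parsed[1])
        if len(names) > self.max_names:
            return f"{src_ip} answered LLMNR for {len(names)} names: {sorted(names)}"
        return None

def build_llmnr_response(name, ip):
    """Constructed LLMNR A-record response used as test input (not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    header = DNS_HDR.pack(0x1234, QR_RESPONSE, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(x) for x in ip.split("."))
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

Disabling LLMNR and NBT-NS on the clients removes this attack surface entirely; the detector covers the interval until that is rolled out.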

Responder/MultiRelay
Responder

MultiRelay:

IN ORDER FOR THIS TO WORK, SMB SIGNING MUST BE DISABLED ON WORKSTATIONS

Launching Responder

https://github.com/lgandx/Responder

  1. edit the Responder.conf file and disable both SMB and HTTP server options.

  2. python Responder.py -I <interface> --lm

    • Launches Responder and downgrades NTLMv1/2 hashes to LM hashes with --lm
  3. Launch MultiRelay.py in another window with the following command:

    1. python MultiRelay.py -t <TargetIP> -u ALL

Tools

Ettercap

ettercap -G = Start GUI

Sniffing Options:

  1. Unified - Sniffs all packets on a single NIC
  2. Bridged - Uses two NICs and forwards the traffic from one to the other

View -> Connections = See intercepted connections

Scan for hosts
Hosts -> Scan for Hosts
Choose targets and select "Add to Target 1/2"

Select type of Attack
MitM tab -> Choose (ARP poisoning/ICMP redirect/Port Stealing/DHCP spoofing)

Viewing Sniffed Traffic
View -> Connections
You can also view the traffic with Wireshark on the same interface

Cain & Abel

Starting the attack

  1. Configure tab
    1. Select network adapter and ensure it's in promiscuous mode
  2. Select Sniffer tab
    1. Click Start/Stop sniffer icon (to the left)
  3. Right click in the white space and select "Scan MAC Addresses"
    1. Provide Cain with your IP range
    2. Cain will provide you with discovered hosts
  4. Click APR tab on bottom of window
  5. Click in top white space
    1. Click the blue plus sign in the tabs bar
  6. Select the router/gateway of your target on the left and then select the target IP on the right
    1. Hold CTRL key and select multiple hosts on the right
  7. From main menu, select the APR button (Nuclear symbol) to start ARP poisoning
    1. If successful, "Poisoning" will appear in the Status column
  8. If it's working, packets will appear in the bottom windows
    1. Statuses:
      1. Broadcasting: Received a packet from a host you aren't poisoning; Cain will broadcast the packet to all hosts on the LAN so it doesn't drop.
      2. Half-Routing: ARP poisoning isn't successful due to asymmetric routing or a target is not vulnerable. The traffic is only being routed one way, either server to host or host to server.
      3. Full-Routing: ARP poisoning is working as intended
  9. View what was intercepted in the left panel

Cain can intercept encrypted traffic and also gather NTLM SHA1 hashed passwords by spoofing the NTLM challenge/response mechanism.

Macof

Floods a switch's CAM table with fake MAC addresses, putting the switch into a "fail open" state in which it acts as a hub (broadcasting traffic to all hosts).

Can generate 155,000 MAC entries per minute. Generally takes less than 70 seconds to fill a CAM table.

IP FORWARDING NEEDS TO BE ENABLED

echo 1 > /proc/sys/net/ipv4/ip_forward

Macof Options:
macof -s <SourceIP> -d <DestinationIP> -e <TargetMACAddress> -x <SourcePort> -y <DestinationPort> -i <Interface> -n <#PacketsToSend>

macof -i <Interface> = Begin flooding from <Interface> with macof (this sends packets until you stop it; use -n <#> to send a specific amount)
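Added example, not part of the original notes: a Python sliding-window detector for the CAM-table flooding described in the MAC Flooding and Macof sections. Normal access ports learn a handful of source MACs; a flood adds thousands of never-before-seen MACs per second, which is the signal a switch's port-security limit or a monitoring tap should raise. The traffic records are constructed here, with the flood rate taken from the 155,000-per-minute figure above.

```python
from collections import deque

class MacFloodDetector:
    """Alerts when more than `threshold` never-before-seen source MACs arrive within
    a sliding window of `window_s` seconds."""
    def __init__(self, window_s=1.0, threshold=100):
        self.window_s, self.threshold = window_s, threshold
        self.seen = set()
        self.first_seen = deque()   # timestamps of new MACs inside the window

    def observe(self, ts, src_mac):
        """Feed one frame (timestamp in seconds, source MAC). True when an alert fires."""
        if src_mac in self.seen:
            return False
        self.seen.add(src_mac)
        self.first_seen.append(ts)
        while self.first_seen and ts - self.first_seen[0] > self.window_s:
            self.first_seen.popleft()
        return len(self.first_seen) > self.threshold

def first_alert(frames, **kwargs):
    """Run the detector over (ts, src_mac) records; timestamp of the first alert or None."""
    det = MacFloodDetector(**kwargs)
    for ts, mac in frames:
        if det.observe(ts, mac):
            return ts
    return None

def constructed_normal():
    """Five hosts each sending a frame every 100 ms for 10 s (constructed data)."""
    return [(t / 10, f"00:11:22:33:44:{h:02x}") for t in range(100) for h in range(5)]

def constructed_flood(start=10.0, rate=2500, count=5000):
    """A flood of unique source MACs at `rate` per second from `start` (constructed data;
    macof's ~155,000 per minute is about 2,500 per second)."""
    return [(start + i / rate, f"02:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}:00:00:01")
            for i in range(count)]
```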

Arpspoof

Part of the dsniff suite. Constantly sends ARP answers to the targets in order to poison their ARP tables.

IP FORWARDING NEEDS TO BE ENABLED

echo 1 > /proc/sys/net/ipv4/ip_forward

arpspoof -i <Interface> -t <TargetIP> <TargetGateway>

Rerun the previous command with the TargetIP and TargetGateway swapped. This updates the gateway's ARP table as well, setting the TargetIP's MAC address to the attacking machine's MAC.

Open wireshark to view the traffic

Bettercap

ARP Spoofing with Bettercap

https://www.cyberpunk.rs/bettercap-usage-examples-overview-custom-setup-caplets

Identify targets w/ discovery mode
bettercap -I <Interface> --no-spoofing

Run ARP spoofing against a specific target
bettercap -I <Interface> -T <TargetIP>

Specifying a gateway for the target (If bettercap fails to do it automatically)
bettercap -I <Interface> -G <GatewayIP> -T <TargetIP>

Parsing for HTTP authentication, URLs visited, FTP, and HTTP POST data
bettercap -I tap0 -T <TargetIP> -X -P "HTTPAUTH,URL,FTP,POST"


Intercepting SSL Traffic

WARNING: When using tools, most have self-signed certificates which will prompt a user to allow a security exception.

Ettercap

  1. Edit the /etc/ettercap/etter.conf file
    1. Change both the UID and the GID to 0
    2. Uncomment the redir_command_on and redir_command_off lines (Different depending on OS)
  2. Run ettercap like previously described

sslstrip

Performs a MitM attack on the HTTPS connection between victim and server. Replaces the HTTPS links with HTTP clones and communicates with the victim over HTTP while communicating with the legitimate server over HTTPS. The victim-to-server traffic is proxied through the attacker's machine, which logs data as it passes.

sslstrip uses port 10000 by default but can be changed


Using ettercap and sslstrip to capture encrypted traffic

  1. Enable IP forwarding
    1. echo 1 > /proc/sys/net/ipv4/ip_forward
  2. Set up port redirection with iptables
    1. iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080
  3. Start sslstrip on port 8080 and output logs to a file
    1. sslstrip -a -f -l 8080 -w <logfile>
  4. Configure ettercap to mount an ARP MitM attack between the target and gateway

Using bettercap to strip ssl

  1. Bettercap does everything for you.
    1. bettercap -G <TargetGateway> -T <TargetIP> --proxy-https

HTTP Strict Transport Security (HSTS) forces HTTP to use HTTPS, rendering the previous methods useless. Bettercap can bypass this.


sslstrip+

Utilized to bypass HSTS and implemented in MITMf

MITMf
Intercepts the traffic and changes the webpage name to something incorrect, causing the victim to make a DNS request for an invalid domain.
The attacker then intercepts the DNS request, forwards the real request, and responds to the victim with a fake domain and IP.
The victim's browser then checks the HSTS preload list to see if HTTPS is required. Since the domain is different, the browser will allow HTTP connections.

BlackHat Talk
https://www.youtube.com/watch?v=Q3siIqS9LVA