Information Security Training. Assignment 1 Networking

Transcription

1 Information Security Training Assignment 1 Networking By Justin C. Klein Keane <[email protected]> September 28, 2012

2 Assignment 1 For this assignment you will utilize several networking utilities to get comfortable using them and expand your exposure to networking protocols. In the last lecture we discussed TCP/IP networking, the OSI model, and several related protocols. Learning More Many of the tools described in this document have extensive documentation that is installed when the tool is installed. These documentations are known as man pages for manual pages and can be accessed using the 'man' command. For instance, if you were interested in the documentation for nmap you could type: $ man nmap and read the documentation at the command line. Man pages cover options for the command, such as command line switches, general uses, and examples. It is highly recommended that you read the man pages for each of the tools covered in this document to learn more about their usage. ARP Exercises The first protocol we'll discuss is APP, or Address Resolution Protocol. Recall that ARP is used on LAN segments to quickly identify hosts and determine the network segment upon which they run. In VirtualBox, look at the 'Settings' in your Fedora 17 virtual machine. In the 'Network' section, choose the 'Adapter 1' tab and set the 'Attached to:' section to Bridged Adapter mode. To understand more about VirtualBox networking read Chapter 6 of the Documentation (under the Help menu). Bridged mode allows your virtual machine to use your real ethernet adapter, so that when your machine boots it will probe your LAN for a DHCP server. Be sure your 'Promiscous Mode' drop down is set to 'Allow All'. Save the settings and start the virtual machine. In your virtual machine ensure that tcpdump is installed. You can do this using: $ rpm q tcpdump in a terminal window. If you need to install it you can do so using: $ sudo yum install y tcpdump You will need sudo access, or you can perform this command as root. To give a local user sudo access simply edit the /etc/sudoers file.

3 Once tcpdump is installed you can start it up at the command line. Unless you tell it, tcpdump will look at all traffic on all devices. To limit this inspection to just your ethernet use the ifconfig command to determine the name of your active device: In the above example the primary ethernet card is 'p2p1' the secondary one, 'p7p1' is actually the VirtualBox Network 2 adapter (host-only) that can only communicate with the hardware host. Now that we have the name of the ethernet adapter we can limit sniffing. To start tcpdump to examine ARP traffic use: $ sudo tcpdump i [ethdev] apr where you substitute the name of your ethernet device for [ethdev].

4 In my case I use 'p2p1' and the following output begins to stream onto my console: Looking at the ARP traffic you can clearly see host querying the local network to see who is around. This is extremely interesting because you can passively determine the occupants of the network by simply looking at ARP. In traditional network discovery the easiest way to determine if a host is online is to send an ICMP ECHO-REQUEST packet to the host and see if you get a response. This is an ICMP ping. Most hosts, however, have ICMP blocked at their host firewall. Start up your CentOS virtual machine, making sure that the networking is set to 'Bridged' in the same way as your Fedora machine. Alternatively you can start both machines with two adapters, one set to 'Host-only' and one set to 'NAT'. This will allow the two virtual machines to communicate over the NAT connection while also being visible to the hardware host using the 'Host-only' connection. Once your CentOS machine is started determine the IP address of that host using the ifconfig command as before. Next, let's adjust the firewall rules so the CentOS machine rejects all ICMP packets. The firewall configuration script is found at /etc/sysconfig/iptables. You can edit this file as root. Find the line that reads: A INPUT p icmp j ACCEPT And change it to the following A INPUT p icmp j REJECT Now, restart the firewall using the command: # service iptables restart

5 Finally, on your Fedora machine, ping the CentOS host, using the '-c' flag to limit the number of ICMP packets that are sent to 2 (otherwise ping will just keep sending packets until you stop it with something like Ctrl+c), and observe the response. In this example my CentOS box is as : Now, given that there is definitely a host on the network, how would we discover it? Well, using ARP would be a good way to do just that. In fact, looking at the output of your tcpdump should reveal a request to (or whatever is the IP address of your CentOS machine) and a response. You can also force this type of behavior using the extremely handy network mapping tool NMAP. If you don't have NMAP installed install it using: $ sudo yum install y nmap you can use NMAP at the command line by typing 'nmap'. NMAP is an extremely useful tool designed to find machines and fingerprint them. Normally this is done by sending ping style ICMP echo requests, but NMAP also tries to connect to ports on remote machines to discover what services are available. NMAP can also use ARP for discovery, which is much faster and more reliable, but as discussed during the lecture, only works on the local network segment. To discover all the hosts on your Fedora machines network using nmap type the following (note that you have root privileges to use layer 2 protocols): $ sudo nmap -PR substitute the network range of your virtual machines instead of the above Two things should be immediately obvious. The first is the speed of the scan. You can watch your tcpdump session and observe the ARP broadcast queries and replies:

6 The second thing you will notice is that NMAP will show you what ports are open on machines it identifies (if any) as well as the manufacturer of the MAC address for any addresses that respond. Network Abuse Now that you've seen how network traffic can be observed and how remote hosts can be mapped let's examine how the network can be abused by attackers. Be aware that our exercises are going to be somewhat contrived. In a real network a DHCP server and a malicious actor may work against each other, and race conditions are going to be determined by copper wire between them and the target, and the arbitration of signals by the LAN router. Using virtual machines we can simulate a network, but with a virtual network, the DHCP server is often the host, meaning the router and the DHCP server are the same machine. Furthermore there is not copper to introduce latency in network transmission. All network communication in a completely virtualized environment is actually just controlled by software that emulates the network. For this reason it is difficult to do things like cause a denial of service, or otherwise dupe the router (which is just a the virtualization software). The software is still useful, however, but your experience will be slightly removed from actual practice. As mentioned before, please be extremely careful if you choose to use tools like Ettercap in a live network. A misconfiguration, mistake, or uninformed use of these tools could cause portions of your network or your LAN networking equipment, to cease functioning. This can be a costly and time consuming issue to resolve, so if you're going to try these tools out on a real network be sure you know what you're doing first. For this task let's try and snoop, from our Fedora virtual machine, on the traffic generated by the CentOS virtual machine. For this operation it will be important to configure the networking on your two virtual machines so that VirtualBox mimics a real network and segregates traffic. Set up two network adapters on each of your virtual machines. Set the first to be NAT, which allows the VM to communicate to the internet (to do things like download updates). Set the second adapter to 'Host-only' mode, which creates an internal LAN shared by the virtual machines. In the 'advanced' options set 'Promiscuous Mode' to 'Allow VMs' so we can carry out the exercise. Once the network is configured and both machines are booted go ahead and start a packet capture on the Fedora machine using tcpdump. Note that your network interface may have changed. For example: $ sudo tcpdump i p7p1 tcp

7 This should capture all TCP traffic that the network adapter can observe. Next, in your CentOS machine, at the command line type the following, which will download a copy of the Google home page (note that you may have to install 'wget' using the 'yum install' command first): $ wget Notice that there is no output from the Fedora box showing that the download has happened. This is because the machines are in a 'switched' environment so traffic is only sent to and from intended recipient machines. To show the difference, from the CentOS machine try to SSH to the Fedora machine, substituting the proper IP of the Fedora machine in the following exampe: $ ssh Note the output on each machine. From the CentOS machine we see the connection is refused: However, from the Fedora machine we can clearly observe the output in tcpdump: Now, let's install Ettercap, a man-in-the-middle (mitm) tool that we can use to do ARP poisoining to redirect traffic from the CentOS machine to the Fedora machine as a gateway. Although an RPM exists for Ettercap that we can install via yum, installing the latest version from source is recommended since it tends to be less buggy. Download the latest version of Ettercap from Once you've downloaded the file (which should be in the form ettercap tar.gz) you can upack it using: $ tar xvzf ettercap tar.gz This will unpack the zipped tar (Tape ARchive) into a directory. Move into this directory using: $ cd ettercap Next you'll need to install some dependencies to make sure you can compile the source. Do this using: $ sudo yum install y gcc make gtk2 devel pango pango devel atd atkdevel libnet libnet devel bison bison devel flex

8 Next start the installer using: $ sudo./configure Be sure to look at any error messages. It is possible you may need to install other libraries on your Fedora system. To search for packages in yum use: $ sudo yum search packagename Once the configure script finishes you can start the install using: $ sudo make Then once that is complete: $ sudo make install After the install script completes you should find the ettercap executable in /usr/local/bin/ettercap. Once installed start up ettercap using: $ sudo /usr/local/bin/ettercap G m This will start the graphical installer.

9 To start your session choose Sniff -> Unified sniffing from the menu, and select the network adapter that is shared between your CentOS and Fedora machine. Once complete this will change the menu options at the top of Ettercap. Next you'll want to set up the targets list. To do this click Hosts -> Scan for hosts. Click the Hosts -> Host list to view all the hosts detected on the LAN. In the above screenshot you can see three hosts, the Fedora machine, the CentOS machine, and the VirtualBox host (at ). Next, click View -> Connections to open the Connections tab to see what is sniffed.

10 To start sniffing click Start->Start sniffing, then click View -> Connections to see the sniffed connections. To start the ARP attack first select Mitm->ARP poisoning and select the 'Sniff remote connection.' checkbox. To begin DHCP attacks simply go to the Mitm->DHCP menu and input the Netmask and the DNS server of your choosing ( is Google's public DNS server and a good choice in absence of others). Once started you should be able to view DHCP requests and responses. Unfortunately, in a VirtualBox environment it's nearly impossible to beat the VirtualBox DHCP without major backflips, and because the machines actually only use the host-only network to communicate with one another (they use the NAT connection for external communication) you'll only be able to see connections between the machines. This is further confused by the fact that promiscuous mode for the host-only network is set to all VM's, all VM's and the host, or deny, so there is no way to truly simulate a switched network. If you set up your hardware host behind a gateway router, such as a cheap Netgear box, you can set your VM to have only one 'bridged' adapter and attempt to use Ettercap against other machines on the LAN. Beware of using Ettercap in live environments though, as it can be extremely destructive to networking configurations. Packet Captures One of the primary purposes for ARP poisoning or DHCP abuse is to get access to traffic that would otherwise not be visible to an attacker. However, once this traffic is visible, tcpdump may not be sufficient to examine the traffic. Wireshark is an extremely useful graphical tool that can be used to view, manipulate, and analyze network traffic. Wireshark can perform active captures or it can be used to load up files that contain previously captured packet traffic (PCAP files). Wireshark can be installed on your Fedora machine using: $ sudo yum install y wireshark wireshark gnome Once installed you can find wireshark in your 'Activities' menu. Wireshark needs to be started using superuser privileges to put the network card into promiscuous mode, however. The simplest way to do this is at the command line using:

11 $ sudo /sbin/wireshark Once opened you can start a new capture by first specifying which interface to capture on then starting a new live capture. Alternatively you can load a.pcap file from the File -> Open options. Open the packet capture file that you can find at in wireshark and examine the contents. Can you find any information that would be useful to an attacker in the file?