Sniffing & MitM
Last updated
Last updated
Sniffing can be used defensively, as well as offensively:
Defensive: Snort / Zeek / Suricata - Detect suspicious packet patterns / content
Offensive: Look for sensitive information like password / session token / ...
There are two types of sniffing - Passive & Active:
Passive: Typical example: Wireshark / Zeek / ...
Active: MAC flooding / ARP poisoning
Therefore to defense, we have to ensure that data in motion should be encrypted!
Man-in-the-Middle is the attacker whose interface sitting between two parties, and acts as proxy to read, insert and modify the data in the intercepted communication.
In a switch environment, the switch can be configured with mirror port to mirror some traffic to a destination. The host connecting to the mirror port can be configured with promiscuous mode to sniff the mirrored traffic.
MAC flooding: Intentionally flood a switch CAM table, leading to eliminating the switch's ability to learn new MAC addresses. As a result, all traffic will be then forwarded to the attacker.
ARP poisoning: Most used technique in MitM attack. ARP poisoning redirects the traffic of the selected victims to a specific machine.
ARP = Translate between IP Address (L3) and MAC address (L2)
Every host has an ARP table to store IP-MAC pairs and their TTL. To view the ARP table:
In real life sceanario, when A wants to send data to B, but A does not know B's MAC address, A will perform a ARP broadcast (destination MAC address = FF:FF:FF:FF:FF:FF). Then B will send back an ARP reply with its MAC address.
Gratuitous ARP request is a request packer with identical source and destination IP address, while setting the destination MAC address to be broadcast (FF:FF:FF:FF:FF:FF). While Gratuitous ARP reply is an ARP reply that has been sent without being requested. These are made to detect IP conflict.
Attack forges Gratuitous ARP replies (with fake IP to MAC correspondence) to both the communication peers, making the traffic from B to A and from A to B will pass through the attacker.
Attacker forges Gratuitous ARP replies (with fake IP to MAC correspondence) to some / all the hosts in a network, announcing his MAC address as the MAC address of the default gateway.
Out of support
Monitor network for data such as passwords, emails, files, ...
---
Syntax:
To see all traffic:
Windows version Tcpdump.
Flood the victim with Gratuitous ARP, replacing the MAC address of the default gateway to be the attacker's MAC address in the victim's ARP table
DHCP clients choose the best offer according to the lease time attribute - the longer the better
A rogue DHCP server simply sends DHCPOFFER with a greater lease time and Rouge MAC address.
Also DHCP also determines the default gateway of the client!
LLMNR and NBT-NS spoofing are 2 very effective methods for capturing users' NTLMv1 / NTLMv2 / LM hashes.
They allow machines within a Windows network to find each other, and are essentially a fallback protocol for the resolution of hostnames within a network when DNS cannot resolve the IP.
When LLMNR / NBT-NS broadcasts for host discovery, there is a chance that NTLMv1/v2 hashes being sent over the network.
Example: \\<somehost>\
The host does not know somehost and go on broadcast LLMNR / NBT-NS message
The somehost turns out to be the attacker and responds to this broadcast
A sign-in prompt appears in the victim machine, and when entered, the username and NTLM hashes will be sent to the attacker.
(LLMNR) Multicast Name Resolution has not been turned off in
Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client
(NBT-NS) NetBIOS over TCP/IP is not disabled in
Network Connections / Network Adapter Properties / TCP/IPv4 Properties > Advanced Tab > WINS tab
Responder is a tool which perform LLMNR poisoning
Typically when in red team / pen testing situation, this tool is run in the morning. Since it is common that LLMNR is not disable, there will be at least some hashes we can collect.
Steps:
[1] Run Responder in the target network
[2] An event occurs (e.g. someone typed in a wrong network drive)
[3] Get Dem Hashes and save as hashes.txt
[4] Offline crack the Dem Hashes
[5] Alternatively, instead of cracking, we can relay the hashes to specific machines (SMB signing should be disabled on the targets)
Instead of cracking hashes gathered with Responder, we can instead relay those hashes to specific machines and potentially gain access.
The requirements are:
SMB signing must be disabled on the target
Relayed user credentials must be admin on the targets
Network Discovery is turned on in the targets
To verify if the target has SMB signing disabled, we can use RunFinger.py in the Responder package:
The steps on launching the attack:
[1] Run Responder with configurations (/etc/responder/Responder.conf):
[2] Run Responder.py
[3] Run ntlmrelayx.py:
[4] A LLMNR / NBT-NS event occurs (e.g. wrong network drive)
[5] ntlmrelayx.py authenticates against the victim machines, getting the hashes in the local SAM database
We can also configure ntlmrelayx.py to give us interactive shell:
If authenticated successfully, the sessions will be shown on the console. We can then use nc to connect.
To run an executable (e.g. msfvenom generated payload) upon connection, use the -f flag:
Sniff POP/HTPPS/HTTPS/SFTP with password cracking feature
-G stands for graphical interface
GUI ...
Perform MAC flooding on switch, attempt to cause fail-open state - Switch acts as Hub.
After running this, we can use Wireshark / dsniff / tcpdump to capture traffic from the switch.
Before doing, make sure you have IP forwarding enabled on the attack machine:
You have to execute both of the following:
After running this, we can use Wireshark / dsniff / tcpdump to capture traffic between these 2 hosts.
To intercept SSL traffic, we can use Ettercap and configure it to use SSL certificate. Edit /etc/ettercap/etter.conf:
Also uncomment the following:
However, each time the user browses a HTTPS page, certificate error will show.
[1] Enable IP forwarding:
[2] Set port redirection using iptables
[3] Start Sslstrip
Note that this does not work anymore (likely) since browsers have implemented HSTS!
Requirements:
Use sslstrip+
Run a DNS server to intercept and edit the victim's DNS requests
High-level:
The victim goes to google.com (not in the HSTS preload list)
Attacker intercepts the traffic and change the links in the web page. (e.g. a.google.com --> aaa.google.com)
The victim makes a DNS request for aaa.google.com
Attacker intercepts the request, forward the real DNS request and respond to the victim with a fake domain and the IP address
