Saturday, 27 July 2013

Sniffing HTTP On A LAN, MITM Attack


Have you ever wondered why you are always recommended https connection instead of http? This article will demonstrate how one can hijack your session easily if you are using an http connection to log into a website. I saw my friend on my LAN using http connection to browse facebook, the secure browsing in the facebook privacy settings wasnt enabled , and i wanted to show him his session can be hijacked. Since facebook home page is available only in https his login credentials cannot be captured, but after logging in, the connection changes into an http connection and one can hijack his session by capturing the session cookies.

Basically the problem with http connection is that data is sent and received in plain text. As this data has to pass through a number of routers if somebody want to manipulate it, they can do. Or they can simply do a Man-in-the-middle attack and capture your cookies to hijack your session. This tutorial will show you the ease with which one sitting on your LAN can hijack any of your account if you are using http an connection.
Here we will use an Ubuntu machine loaded with arpspoof and tcpdump. Tcpdump is present in ubuntu by default. A firefox plugin tamperdata will be used to edit the cookies.  Arpspoof comes with the package dsniff. You can install it using the command below
sudo apt-get install dsniff
 
In the previous post we have seen how to cut somebody's internet connection on a LAN. There we have poisoned the arp-cache of the victim and gateway with mac addresses which does not exist on the network. But here we will poison it with our mac address. Here we send packets to gateway saying that the victim's mac address is that of ours. And also to the victim saying that the mac address of gateway is that of ours. And now all the packets sent by both the gateway and victim will pass through us. And we can examine these packets by using tcpdump.

Before starting the attack you need to take note of a few things, they can be found using the the command ifconfig. Press ctrl+atl+t, this will launch you a terminal there use the command ifconfig

Here you need to note your interface, (mine is 'eth0'). And your network ip, (mine is 192.168.11). These values are used later replace them with yours. 
To do a mitm attack you can find all the alive hosts in your network and choose one(or all), here is a small bash script for that using the ping utility
If you dont know how to execute it go here and learn. After executing it you will see the ip addresses of the machines who are currently alive.

You need to enable ip forwarding in your machine, it can be done using the command
sudo sysctl -w net.ipv4.ip_forward=1
 Then you need to poison the victims arp-cache, for that we can use the command sudo arpspoof -t 192.168.11.200 192.168.11.1
Here 192.168.11. is the ip address of my network and 200 is the ip of the host i am going to attack.  192.168.11.1 is the ip of my default gateway, usually it ends with a 1 after your network's ip. After executing this command with proper values you need to open another terminal. And monitor the traffic going through your machine, this can be done using tcpdump. You can always filter out cookies using the grep.
So if i want get the facebook cookies then i will issue the command
  sudo tcpdump -i eth0 -A|grep "Cookie: datr="
Since 'datr' is a facebook cookie i will get the output filtered and will only contain facebook cookies. You can drop the datr to get cookies of all the sites or replace it with the cookie of some other site.  Note that here eth0 is my interface, you should replace it with yours. So i managed to get my friends cookies.

To use it i copied it and opened firefox and used a firefox-addon tamperdata.  Tamperdata can moniter the http traffic between firefox and server and also it can be used to edit cookies on the fly. So i visited www.facebook.com and used tamperdata to replace the cookies with the captured one.
And on the fly i got his home page, and my friend was amazed and could'nt believe it.

Here if we want to browse the victims account. We need to edit his cookies for each request. Instead if the attacker used some cookie editor add-on which is easily available online he can really browse it just like his own account. If this sort of mitm attack is combines with a Dos attack, the victim cannot really log out of his machine, he may clear his cookies from the browser thinking it is safe but this makes it worse his account is "permenantly hijacked" as he cannot log out and the attacker can use the same cookies. 




 

Friday, 12 July 2013

DOS Attack By ARP Poisoning



In the previous post we have been discussing the arp protocol (if you havent read it go here and read it) we saw theoretically how one can poison other's arp table on his LAN and disconnect him from the Internet. Here, you will see how one can cut others internet connection on a LAN.
We will use a tool called nemesis on a linux machine, the download link is given at the bottom. Nemesis is a packet injection tool, means you can create forged packets using it.
Usually the OS automatically replies for arp requests, the kernel usually fills the header with the correct values and automatically sends it. But with the help of nemesis we can create packets with manipulated contents, not only the body of packets but also the header. So if we want to send a spoofed arp reply, we can.
So you should find your target's ip address, this is not the public ip which is same for both of you. To find the active computers on your network you can use the ping command in a loop.
Here is a bash script for it, refer towards the end of the post if you dont know how to execute the code.

The ip 192.168.11 is that of the network which i am using. Replace it with that of your network.
The command ifconfig will help you to find the ip address of your network.


Now execute it. Now wait a few seconds to get the list of hosts who are alive at the moment. Now you should choose a host to perform the attack. Ignore the '1' which is usually the gateway.
And here is another bash script to perform the attack.
Here 'eth0' is my ethernet interface, you can find your by using the ifconfig command. '192.168.11.' is the ip address of my network and 20 is the ip of the host which i want attack. You should replace these values with apropriate ones.
What the script does is, it sends arp reply to 192.168.11.20 saying the mac address of the gateway(192.168.11.1) is '0:1:2:3:4:5' but it is not the actual one but something rubbish(use the command arp on the terminal to see your arp table) and his arp table becomes poisoned, similarly it poisons the arp table of the gateway, these steps are executed in a loop. Since the packets destined for them are having false mac address as destination, adapters at both the systems ignore the packets and both of them cannot communicate with each other, hence  '192.168.11.20' looses his internet connection. After executing it, on success you will get messages saying this


ctrl+z can be used when you want to stop the execution of the script.

To execute the bash script, copy it and paste it in plain text editor and name it as "anyname.sh". Now use cd command to browse to the location of the file, and use the following command to make it executable
sudo chmod +x anyname.sh
Now simply use the command
./anyname.sh

For installing nemesis, you can download the binaries from here
If  "libnet-1.0.2a" is not installed in your system you should install it before  nemesis. Click here to download it.
If you don't how to compile and install these binaries then use google.


tags:-arp, poisoning, DOS, nemesis, ping, host, scan, ping, mitm