Sniffing Compromised LANs
By Click Death Squad (C.D.S.)
Revision 1.1

LAN networks that have been compromised are subject to internal attacks that can seriously expose critical information. This attack method includes (but is not limited to) capturing live URL traffic, passwords, images and more. Some individuals choose to enable MAC address filtering on their network, which in some cases can add an additional layer of protection. Using information collected from sniffing, you can spoof the MAC address of another client, which defeats MAC filtering altogether. Once a network has been compromised, data collection can yield some stunning results. By exercising the techniques described in this tutorial, you can test your own network and see just how dangerous your situation might be. This attack works by poisoning the network with ARP packets, effectively tricking any clients that may be connected. The ARP request will make other clients think that your computer is in fact the wireless router, and let you capture data that was never intended to be seen. This is how ARP normally works: the wireless router associates each computer's MAC address with an IP address, so that packets only go to the computer they were destined to reach, instead of to all clients on the LAN.

In this example, we used an Atheros card. All the commands issued are given in quotes, with the result of each command listed in grey. After each step, a screenshot is given so you may compare your output to what should be happening. Please note that not all the screenshots contain exactly the same data given in the example; they are merely for reference purposes.

Tools you will need to accomplish this task:
  • System with dsniff installed or a Backtrack 3 CD
  • Wireless network that you have access to and can test
  • The dsniff toolkit by Dug Song (Comes with Backtrack 3)
  • Driftnet by Chris Lightfoot (Comes with Backtrack 3)
  • Basic Linux networking skills and command line capabilities
  • A cold beer

Step 1: Tell the kernel to enable IP forwarding.
Boot up Backtrack and connect to your wireless network. Before you start sniffing anything, you need to enable IP forwarding on your computer. This is a critical step in the process because it will allow you to intercept data that is intended for other clients, inspect it, then pass it on to the destination. Basically, you will be tricking the wireless router into showing you the packets first, then your computer will pass them on to their intended destination (a man-in-the-middle attack).

"echo 1 > /proc/sys/net/ipv4/ip_forward" ### enable IP forwarding in the Linux kernel.
Once you have changed the value to enable IP forwarding, you can cat the file to ensure you did it correctly. The value should read 1.

Step 2: Spoof some ARP requests to trick other clients that may be connected to the target access point.
Now that your computer is configured to forward any traffic, you can send ARP requests and trick other clients into divulging their data. Normally an access point would only pass traffic intended for you to the MAC address assigned to your own card. The goal is to trick the other clients into thinking that your computer is actually the access point, so that they send you all their traffic. You can use the "arpspoof" tool that comes with the dsniff toolkit to accomplish this. Be sure to leave this terminal window open, so the spoofed ARP requests are constantly broadcast.

"arpspoof -i ath0 192.168.1.1" ### where ath0 is your network interface and 192.168.1.1 is the IP address of the access point.
Once arpspoof is running, be sure to leave the terminal window open. As the network is flooded with fake requests claiming that the MAC address of your computer is actually the wifi access point, you will be able to intercept data.

Step 3: Start sniffing. Let's try inspecting some URLs being viewed first.
Using additional tools that come with the dsniff toolkit, you can start inspecting HTTP traffic that is flying by. You have many options available to you, one of them being the urlsnarf tool. Start running urlsnarf and watch traffic being browsed in real time. Each time a user on the network requests a website, urlsnarf can capture that request and display which site is being requested.

"urlsnarf -i ath0" ### where ath0 is your network interface.
In the example screenshot, you can see the ARP spoofs being broadcast in the background, while urlsnarf captures data. It would appear that one of the "victims" on the network is going to check out Hotmail. The target computer that is being watched probably has no idea its traffic is being redirected, unless it is using a tool to detect fake ARP requests, or actively running a packet sniffer.

Step 4: Continue sniffing. Let's try inspecting some images that are being pulled up by clients.
Backtrack comes pre-equipped with driftnet, a tool that can grab a copy of images which are being requested by clients. This is particularly fun, because you can visually see the things that the "target" is seeing. In the given example, myspace.com and tmz.com were loaded, and the resulting images are picked up and displayed in the window.

"driftnet -i ath0" ### where ath0 is your network interface.
You can see the result: images being picked up from clients that are browsing the web. Our ARP spoof packets are still being broadcast in the background, while driftnet picks up interesting data. As the "target" loads up their MySpace page and tmz.com, you can see the pictures embedded in the web page being served up in real time. Amuse your friends and roommates to no end with this fun.

Step 5: Continue sniffing. See if you can capture a password.
The primary tool that comes with the dsniff kit is dsniff itself. This tool is capable of capturing passwords for a multitude of different protocols as they are entered into various services such as web forms, IRC, instant messenger clients and more. For obvious reasons, no passwords are shown in the example screenshot, but as you sniff the traffic on your own LAN, try logging into some of your favorite services and watch the passwords come rolling in.

"dsniff -c -m -i ath0" ### where "-c" tells dsniff to handle the traffic it sees as a result of ARP spoofing, "-m" tells dsniff to automatically detect the protocol being sniffed, and ath0 is your network interface.
Another option available to you besides urlsnarf and dsniff is msgsnarf, a tool designed specifically to capture chat conversations from your favorite instant messaging tools. If you have roommates or friends that use your network, imagine the fun when you snoop on their conversations and mess with them.

Conclusions:
As you can see, sniffing traffic on internal LANs could be used for some potentially dangerous attacks. The question arises: how does one prevent these types of attacks from happening? There are inherent flaws in TCP/IP that mean you ultimately cannot defend against everything. A router merely uses ARP requests to have each computer volunteer its MAC address so it may be associated with an IP address. Because anyone can claim to be any MAC address, there is really no limit to the amount of havoc that can be caused. You CAN, however, monitor traffic on your own network using a variety of methods, such as a packet sniffer or a tool like arpalert. Tools like arpalert keep a table of which MAC address is associated with which IP address, and can alert you if there is a change in the ARP table, which may mean that an attacker is doing something nasty. If you were running a packet sniffer such as Wireshark, you might notice ARP requests being broadcast, which probably looks something like the screenshot below.
As you can see in the example, a rogue client is flooding the network with ARP requests, claiming to be the IP address of the access point. This looks pretty suspicious, and is a solid indicator that something may be going wrong. Protect yourself and your network by checking your log files, securing your wireless access point and using tools that can effectively protect you and your data.
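The conclusion describes the arpalert approach: keep a table of which MAC answers for which IP and alert when an entry changes. The script below is an added example (not part of the original tutorial and not arpalert's own code) that does the same thing with two snapshots of the Linux neighbour table. The two snapshots are constructed sample output in the format of "ip neigh show" (hypothetical addresses); the second one shows what the table looks like after a host at 192.168.1.21 has started answering for the gateway's IP, and a separate check flags any MAC that claims more than one address, which is the classic signature of the attack described in Step 2. The gateway IP and interface name are assumptions for the example.

```python
"""ARP-table watchdog in the spirit of arpalert (added example, not arpalert's code).

Parses "ip neigh show" output, diffs two snapshots, and reports:
  * an IP whose MAC changed (CRITICAL when it is the gateway, WARNING otherwise)
  * a MAC that answers for more than one IP address
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample snapshots of `ip neigh show`, a few seconds apart.
# All addresses are hypothetical. The gateway (192.168.1.1) is legitimately
# 00:11:22:33:44:55 in the first snapshot; in the second, the host that owns
# 192.168.1.21 has started claiming the gateway's IP as well.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev wlan0 lladdr 00:aa:bb:cc:dd:20 STALE
192.168.1.21 dev wlan0 lladdr 00:aa:bb:cc:dd:21 REACHABLE
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev wlan0 lladdr 00:aa:bb:cc:dd:21 REACHABLE
192.168.1.20 dev wlan0 lladdr 00:aa:bb:cc:dd:20 STALE
192.168.1.21 dev wlan0 lladdr 00:aa:bb:cc:dd:21 REACHABLE
192.168.1.30 dev wlan0 FAILED
"""

GATEWAY_IP = "192.168.1.1"  # assumed gateway address for the example

# "<ip> dev <iface> lladdr <mac> ..." ; entries without an lladdr (FAILED,
# INCOMPLETE) carry no MAC and are skipped by the parser.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)


def parse_ip_neigh(text):
    """Return {ip: mac} (MACs lower-cased) from `ip neigh show` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def diff_tables(before, after, gateway=None):
    """Alert on every IP whose MAC differs between the two snapshots."""
    alerts = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old is not None and old != mac:
            severity = "CRITICAL" if ip == gateway else "WARNING"
            alerts.append(f"{severity}: {ip} changed from {old} to {mac}")
    return alerts


def duplicate_macs(table):
    """Return {mac: [ips]} for MACs that answer for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check(before_text, after_text, gateway):
    """Run both checks over two raw snapshots and return the alert lines."""
    before = parse_ip_neigh(before_text)
    after = parse_ip_neigh(after_text)
    alerts = diff_tables(before, after, gateway)
    for mac, ips in duplicate_macs(after).items():
        alerts.append(f"WARNING: {mac} claims {len(ips)} addresses: {', '.join(ips)}")
    return alerts


def live_snapshot():
    """Read the running host's neighbour table (Linux with iproute2)."""
    out = subprocess.run(["ip", "neigh", "show"], capture_output=True,
                         text=True, check=True).stdout
    return out


if __name__ == "__main__":
    for alert in check(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, GATEWAY_IP):
        print(alert)
```

To watch a real machine, take a baseline with live_snapshot() once the network is known to be clean, then call check(baseline, live_snapshot(), GATEWAY_IP) on a timer; a CRITICAL line for the gateway is the same event the Wireshark screenshot shows from the wire side. The duplicate-MAC check is worth keeping even when the gateway entry has not changed yet, because a MAC that suddenly answers for several addresses is suspicious on its own.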