In previous posts we have discussed different man-in-the-middle attacks with various tools using a laptop. In this post, a good buddy of mine describes similar attacks with Android as the attack platform.
For this example I went down to a local community college cafeteria where there was an open wireless network and a bunch of college students studying and working on their computers... or just Facebooking. To start hijacking sessions you simply connect to the wireless network, launch FaceNiff or DroidSheep and sit back and watch the sessions come rolling in. I literally had 20+ in under 1 minute. What is so scary about this is how easy it is! It makes script kiddies look like 1337 h4x0rs... errr... something. I have been able to hijack sessions for Facebook, Twitter, Google and Amazon so far. What is even more frightening is that you can log in to the account with one click. Luckily neither app provides the user with clear text login information.
You can get both Android apps for free from the links above. The free version of FaceNiff only allows you to hijack 3 sessions before needing to upgrade to the paid version. The free version of DroidSheep is unlimited. Having used both, I have to say that I find DroidSheep to be more stable, though both are pretty good at what they do.
In this post I am going to cover how to detect when an attacker is ARP poisoning your network with Wireshark.
Fortunately, detecting ARP poisoning is fairly straightforward and simple to do.
Process
1. Launch Wireshark and set the filter to “arp.duplicate-address-frame”
2. Examine the packets for the IP address of the gateway coming from different MAC addresses. Under normal circumstances this would not happen, and indicates spoofing via ARP poisoning.
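The same check can be automated over ARP replies exported from a capture. The Python below is an added example, not from the original post; it assumes tab-separated tshark field output in the layout shown in its docstring and a gateway address of 192.168.1.1 (both constructed for the demonstration), and flags any IP answered for by more than one MAC, which is exactly what the Wireshark filter above surfaces.

```python
"""Flag IP addresses that appear with more than one MAC in ARP replies.

Added example, not from the original post. Input lines mimic the output of
  tshark -r capture.pcap -Y arp.opcode==2 -T fields \
    -e frame.time_relative -e arp.src.proto_ipv4 -e arp.src.hw_mac
(tab-separated). The sample below is constructed for the demonstration.
"""
from collections import defaultdict

GATEWAY = "192.168.1.1"  # assumed gateway address for the sample network

SAMPLE_ARP_REPLIES = """\
0.000\t192.168.1.1\t00:11:22:33:44:55
1.250\t192.168.1.20\taa:bb:cc:dd:ee:01
2.500\t192.168.1.1\t00:11:22:33:44:55
3.100\t192.168.1.1\tde:ad:be:ef:00:01
3.110\t192.168.1.1\tde:ad:be:ef:00:01
4.000\t192.168.1.30\taa:bb:cc:dd:ee:02
"""

def parse_replies(text):
    """Yield (time, ip, mac) tuples from tab-separated tshark field output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        t, ip, mac = line.split("\t")
        yield float(t), ip, mac.lower()

def find_duplicate_claims(text):
    """Return {ip: {mac: first_seen_time}} for IPs claimed by 2+ MACs.

    This is the condition Wireshark's arp.duplicate-address-frame filter
    highlights: one IP answered for by different hardware addresses.
    """
    first_seen = defaultdict(dict)
    for t, ip, mac in parse_replies(text):
        first_seen[ip].setdefault(mac, t)  # remember when each MAC first claimed the IP
    return {ip: macs for ip, macs in first_seen.items() if len(macs) > 1}

def gateway_is_spoofed(text, gateway=GATEWAY):
    """True when the gateway IP is being claimed by more than one MAC."""
    return gateway in find_duplicate_claims(text)

if __name__ == "__main__":
    for ip, macs in find_duplicate_claims(SAMPLE_ARP_REPLIES).items():
        tag = " (GATEWAY)" if ip == GATEWAY else ""
        print(f"{ip}{tag} claimed by {len(macs)} MACs:")
        for mac, t in sorted(macs.items(), key=lambda kv: kv[1]):
            print(f"  {mac} first seen at t={t:.3f}s")
```

The first MAC seen for the gateway is usually the legitimate one; a second MAC appearing later is the poisoner.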
In a previous post I mentioned that I bought a Nokia N900 from craigslist as an additional tool for my pen testing efforts. For wireless assessments, one tool included on my pwnphone is GrimWepa. Although it's no longer maintained, it works great on the Nokia N900.
From their page, “GRIM WEPA’s cracking methods are archaic and have been around for years. It simply uses the existing cracking methods in aireplay-ng (for WEP) and aircrack-ng (for WPA). Grim Wepa is similar in style and functionality to shamanvirtuel’s Spoon series (SpoonWEP, SpoonWPA, and SpoonDRV). The Spoon suite is still available, though it is not kept updated.”
aircrack-ng is able to crack just about any WEP password after about 20,000 IV (Initialization Vector) data packets have been captured. The capture usually takes about 2 minutes, and the crack another 2-3 minutes.
Attacks for WPA-encrypted Access Points
Basic deauthorization attack to get handshake.
Cracking:
GRIM WEPA includes a 2MB default password list containing approximately 250,000 commonly-used passwords.
Wordlist / Dictionary / Brute-force attack: Currently, there is only one consistent method of cracking WPA, and that is by brute force. aircrack-ng can crack hundreds of passwords per second, so this method is not nearly as arbitrary as has been proposed.
Process
1. Enable monitor mode by the icon on desktop
2. Enable injection with blue syringe icon on desktop
3. Open Grimwepa, by shortcut on desktop
4. Click ‘refresh targets’, which automatically spawns airodump to start sniffing. Once you have found a WEP network you wish to crack, switch back to the Grimwepa interface and click ‘stop scanning’.
5. Select the target network to crack from the list, click ‘use client in attack’, and under ‘attack method’ select ‘arp-replay’.
6. Click ‘start attack’. If everything goes well, you are close enough to the access point, and there are clients connected, it should attack and crack everything automatically. If this does not work you can try opening a separate root shell terminal and running aireplay-ng fake auth and deauth attacks to generate more data packets. Grimwepa automatically starts cracking once it has collected 10,000 data packets.
Secure Sockets Layer (SSL) is a transport-layer cryptographic protocol implemented by most websites today. Many sites use it to protect their users' online credentials. While SSL prevents information being sent in cleartext and is generally thought to be secure, there are ways to perform man-in-the-middle attacks and obtain these credentials.
Address Resolution Protocol (ARP) poisoning is a layer 2 attack in which the attacker sends forged ARP replies so that victims associate the attacker's Media Access Control (MAC) address with another host's IP address, typically the gateway's. Also called ARP spoofing, it is effective against both wired and wireless local networks. These attacks can be used to eavesdrop on network traffic, steal and/or modify data, and even prevent a user from accessing the internet.
In this tutorial, I will cover how to perform the attack using a tool called Ettercap on Ubuntu, in which we will combine SSLstrip and Ettercap to capture the SSL credentials from a victim.
Process
Enable packet forwarding in the kernel. This is necessary for your Ubuntu machine to act as the “man-in-the-middle” and forward packets; if this isn't enabled you could cause a denial of service condition.
echo 1 > /proc/sys/net/ipv4/ip_forward
1. Open a terminal and start ettercap as root : sudo ettercap -G
2. Select ‘Sniff’ and click ‘Unified sniffing’
3. Select the interface that you want to sniff on and click ‘OK’
4. Click ‘Start’ and then ‘Start Sniffing’
5. Go to ‘Hosts’ and click ‘Scan for Hosts’
6. Go to ‘Hosts’ and click ‘Host list’
Hosts list in ettercap
7. Select the IP address of the target computer to MITM and click ‘Add to Target 1’
8. Select the router IP and click ‘Add to Target 2’
9. Go to ‘Mitm’, click ‘Arp Poisoning’ and select the checkbox for ‘Sniff remote connections’
10. Click ‘OK’ (to stop ARP cache poisoning, click on ‘Mitm’ and select ‘Stop mitm’)
11. From a terminal, launch sslstrip as root: sslstrip
12. Open a new shell and run tail -f /home/user/sslstrip.log. SSL credentials can show up both in Ettercap and in /home/user/sslstrip.log.
I recently picked up a Nokia N900 off of craigslist for dirt cheap. While in my opinion it's about as unsexy and ugly as a smartphone can get these days, that was not my reason for buying it. The reason I bought it is that the folks at Pwnie Express have ported a full penetration testing and hacking tool set to the N900. The N900 comes with wifi drivers that support packet injection, along with tools like Metasploit, aircrack-ng, nmap, hping, wireshark, the Social Engineering Toolkit, and much more. They sell them preloaded with this tool set for $900.00 here: http://pwnieexpress.com/pwn_phone.html . I picked mine up for way less than that. Overall, it took me about an hour to get this up and running with the new operating system.
LEGAL:
——
PwnPhone Image is for legal use only; Pwnie Express is not liable or responsible for what you do with this image.
**************************WARNING**************************
NOTE BEFORE STARTING – THIS WILL OVERWRITE ANYTHING YOU HAVE ON THE ROOTFS AND OPTFS
The MyDocs partition will not be overwritten, but Pwnie Express is not responsible for any data loss, so if you want anything of yours on the phone previous to the image install, back your stuff up! This image will overwrite your rootfs and optfs, leaving the MyDocs partition intact. That doesn’t mean something can’t go wrong by accident.
PRE-INSTALL:
————
We recommend doing a fresh flash of the latest Maemo5 image provided by Nokia, or you can install the image on top of your existing installation and risk possibly bricking or messing up your device. You can usually get it back with a fresh re-imaging from the standard maemo 5 image.
The Maemo wiki provides an excellent easy to follow step by step instruction on how to flash your device to the latest Maemo image.
Instructions on how to flash the N900 and where to download the flasher utility with the latest Maemo5 image can be found here:
HOW TO INSTALL PWNIE EXPRESS IMAGE AFTER FRESH MAEMO 5 FLASH:
————————————————————-
Extract pwnphone_image-7.5.2011.tar.gz to a micro SD card; make sure the folders “pwnimage” and “systemBackups” are placed in the root directory of the microSD card or the install script will not work.
tar -zxvf pwnphone_image-7.4.2011.tar.gz
(on the N900, extract to the microSD card with: tar -zxvf pwnphone_image-7.4.2011.tar.gz -C /media/mmc1/)
(or just use winrar to extract the files to your microSD card if in Windows)
ON THE N900:
————
1. Insert microsd card with files into your N900.
2. Use the file manager to browse to the microSD card (the file manager is located in the programs menu, accessed by tapping the upper left hand corner of the screen)
3. Scroll down until you see rootsh_1.8_all and tap it; this will bring up the application manager. Tap ‘I accept’ and ‘continue’ (sometimes you may have to wait a little while for it to come up in the app manager)
4. Once rootsh is installed EXIT Application Manager and File Manager
5. Tap upper left hand corner until apps are shown, scroll down and tap Xterminal, then enter the following commands:
sudo gainroot
cd /media/mmc1/pwnimage/
chmod 777 install.sh
sh install.sh
Once install.sh is running, be prepared to click ‘I accept’ and ‘continue’ to install different packages that require interactive authorization to install. This should only happen twice: once at the beginning of the script and once at the very end.
The main pwnphone folder will take a while to copy, over an hour, so just let it go and come back or wait patiently, it is working.
When the script is done, it will announce that it is rebooting shortly after the last GUI install interaction. When it reboots, it is CRUCIAL that the keyboard is slid out to trigger the backup menu utility for restoring the pwnphone image. When the backup menu utility starts, hit any key twice, and you will be in the backup menu – once there hit the keys below in the following order:
r
t
q
b
a
p
Now wait until the utility says:
Restore completed, press any key to continue
hit q
Close the keyboard when rebooting or you will end up back in the backup menu.
So, I am excited as in a few hours I will be buying a Nokia N900. I am an Android fanboy, so my intent is not to get this to replace my phone, but to have another tool for my job as a pen tester.
Nokia N900
The PWN Phone is a full pentesting suite for the Nokia N900. It includes Aircrack, Metasploit, Kismet, GrimWEPa, SET, Fasttrack, Ettercap, nmap, and more. Custom pentesting screen with shortcuts to macchanger, injection on/off, etc. Built-in wireless card supports packet injection, monitor mode, and promiscuous mode.
I am going to work on getting this setup and configured tonight, with future blog posts and tutorials planned. For now, here is a video of a guy performing a man-in-the-middle attack with the N900:
Often during a penetration test, I go up against a client network with an Intrusion Prevention System (IPS) in place and my addresses not whitelisted. If an IPS is configured correctly it will not only detect your attempts at performing recon on the targets it is designed to protect, it will also drop or block your traffic.
Luckily for me, nmap, the king of port scanners, has many built-in features to help evade and bypass these perimeter defenses.
Process
Here is a typical “stealth” port scanning technique I would use:
-sS is a half-open or SYN scan. These scans do not complete all three steps of the TCP handshake and therefore have a chance of not being logged or picked up by an IPS.
-f fragments packets. The idea here is to split the TCP header across several packets in order to make it harder for a firewall or IPS to detect what you are doing.
--mtu specifies the MTU size.
--data-length specifies the length of data appended to each packet.
--source-port specifies the source port, to bypass a poor firewall configuration.
--randomize-hosts: a typical IDS or IPS signature might trigger if you scan multiple target hosts in order. Randomizing the order in which you scan helps avoid this.
-T2 is the timing setting; T1 is the slowest. When done with a full port range (-p1-65535) on four IPs it takes 1000 seconds to complete.
While these changes do not guarantee that your port scans will go undetected, if you are up against a poorly configured IPS or one with default-like settings you have a much better chance.
We have all been told time and time again to use strong, complex, hard to guess passwords right? Well in this demonstration you will see why you should not use a password that is in a dictionary.
I am a big proponent of two factor authentication when possible to avoid brute-force password attacks. Many times this is just not possible. In these instances it is highly advisable to use passphrases with special characters.
Hydra is a tool that takes a dictionary or password list, combines it with a user list, and makes thousands of login attempts in a very short amount of time. Hydra can be used against HTTP, FTP, SSH, RDP, Telnet, SMTP, and many other protocols.
In a penetration test, a brute-force attack is often a last resort, but many times when the conditions are right, such as no password lockout policy combined with dictionary-based passwords, it's an easy ticket in.
Process
Hydra can be launched from the command line or from a GUI. I prefer the command line for Hydra, though many will find the GUI easier.
In this example we will attempt to brute force an Ubuntu SSH server:
Syntax for attacking an SSH server
The syntax here is:
-L specifies the user list
-P specifies the password list
ssh is the protocol (service name, given without a leading dash) we are attacking. If this were an FTP server you would obviously use ftp; for a web login, http, etc.
Hydra begins the attack on the SSH Server
As Hydra is attempting the brute force attack on the SSH server, you can see the failed login attempts in the SSH server auth logs:
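Those auth log entries are also the simplest place to detect such an attack. The Python below is an added example, not from the original post: it parses constructed OpenSSH auth.log lines, flags a source with five or more failed password attempts inside a 60-second window (both values are assumed tuning knobs), and records any subsequent successful login from that source, which is the dictionary-password-plus-no-lockout outcome shown above.

```python
"""Spot a Hydra-style SSH brute force in sshd auth log lines. Added example,
not from the original post; log lines are constructed, thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$")

SAMPLE_AUTH_LOG = """\
Mar  3 14:02:11 ubuntu sshd[2001]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Mar  3 14:02:11 ubuntu sshd[2002]: Failed password for root from 10.0.0.5 port 51235 ssh2
Mar  3 14:02:12 ubuntu sshd[2003]: Failed password for root from 10.0.0.5 port 51236 ssh2
Mar  3 14:02:12 ubuntu sshd[2004]: Failed password for user from 10.0.0.5 port 51237 ssh2
Mar  3 14:02:13 ubuntu sshd[2005]: Failed password for user from 10.0.0.5 port 51238 ssh2
Mar  3 14:02:14 ubuntu sshd[2006]: Accepted password for user from 10.0.0.5 port 51239 ssh2
Mar  3 14:30:00 ubuntu sshd[2100]: Failed password for alice from 10.0.0.9 port 40001 ssh2
Mar  3 14:30:20 ubuntu sshd[2101]: Accepted password for alice from 10.0.0.9 port 40002 ssh2
"""

def parse(text, year=2024):
    """Yield (datetime, result, user, ip) for each sshd password event."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window_s=60):
    """Return {ip: report} for sources with >= threshold failures in window_s;
    report["compromised"] lists users whose Accepted login followed the burst."""
    fails, alerts = defaultdict(list), {}
    for ts, result, user, ip in parse(text):
        if result == "Failed":
            # keep only failures inside the sliding window ending at this event
            fails[ip] = [t for t in fails[ip] if (ts - t).total_seconds() <= window_s]
            fails[ip].append(ts)
            if len(fails[ip]) >= threshold:
                rep = alerts.setdefault(ip, {"failures": 0, "compromised": []})
                rep["failures"] = max(rep["failures"], len(fails[ip]))
        elif ip in alerts:  # a success from a source already flagged
            alerts[ip]["compromised"].append(user)
    return alerts

if __name__ == "__main__":
    for ip, rep in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {rep['failures']} failures, then logged in as {rep['compromised']}")
```

The single failure followed by a success from 10.0.0.9 stays below the threshold, so an ordinary mistyped password does not raise an alert.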
Description: From the website: Nmap (“Network Mapper”) is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).