Attacking Tools

4.6. Attacking Tools

4.6.1. Ettercap: Sniffing and MitM Attack

Ettercap is an open source program that combines a packet sniffer for different protocols (POP/HTTP/HTTPS/SFTP) with password cracking features.

Steps:

  1. In order to start Ettercap, let us run the following command in our terminal:

sudo ettercap -G

The -G option instructs Ettercap to use the GTK+ GUI, in other words, it instructs Ettercap to start the graphical interface.

  2. Select the interface to use and the sniffing option. We can choose between:

  • Unified: it sniffs all the packets on the cable

  • Bridged: it uses 2 network interfaces and forwards the traffic from one to the other

  3. Once we select the sniffing option (unified in our case), a new window appears. Here we have to select the interface to use. In our case we will select the tap0 interface and click OK. Once we confirm, the options and the interface will change.

  4. Right now Ettercap is sniffing the traffic on the network. You can see the connections intercepted by clicking on View and then selecting Connections.

  5. The first step once we run Ettercap is to scan the network in order to find alive hosts.

This is the easiest step, but may take a while depending on how your network is set up. To do this let us click on Hosts and then Scan for hosts.

It will go through its automatic scanning steps while showing you its progress.

  6. Once it is done, we can see the results by clicking on Host list in the Hosts menu.

From here we can select which of these hosts will be the targets of our attack. We just need to select them and then click on Add to target 1 and Add to target 2.

While you can pick as many hosts as you like, remember that your system will be processing the traffic from the hosts you select. In other words, be sure not to select too many hosts or everything will come to a standstill.

Try 2 or 3 targets at the beginning and add more from there if you wish.

Supposing we want to intercept only the traffic of a specific host, we will add the target host and the router in the list.

Therefore, if we want to run our attack on the host with IP address 172.16.5.15, we will select the targets as follows (either order works):

    Add to target 1: 172.16.5.15
    Add to target 2: 172.16.5.1

or

    Add to target 1: 172.16.5.1
    Add to target 2: 172.16.5.15

Important: Please note that if you do not select a target, Ettercap will automatically set ANY (all the hosts) in the target list.

As you can imagine, this will force your system to process a lot of traffic. Be sure your network and your machine can handle this amount of traffic, otherwise you may DoS your network.

Once we set the targets, we can select the type of attack to run. To do so let us click on the MitM in the top bar and choose among one of the following attacks:

  • ARP poisoning

  • ICMP redirect

  • Port stealing

  • DHCP spoofing

For our first test we will select ARP Poisoning. Once we click on it, a pop-up window appears and we can select some options for the attack. For now let us enable the Sniff remote connections option and click OK.

The ARP poisoning attack automatically starts and we should now be able to intercept the traffic of our target machine.

To verify that the attack is working, let us first check our (the attacker's) physical address.

Then check the ARP table of the target machine (by running `arp -a`). It will show the MAC address difference before and after the attack.

Now that we know that the attack is working, let us click on View->Connections in order to inspect the traffic intercepted. As we can see, here is all the traffic generated from the target machine.

In order to inspect the packets, we can double click on a connection listed in the previous view. A new tab appears, showing the details and the data transmitted.

Ettercap also automatically tries to intercept credentials sent over the network. Indeed, we can see it was able to automatically gather the username and the password sent by the target host to the FTP server.

It is important to know that with the current configuration we can use other sniffing tools at the same time. For example, we can start Wireshark to sniff the tap0 traffic.

You also need to know that some traffic is encrypted (e.g. SSL). Later on we will see how to configure Ettercap in order to intercept and decrypt this traffic, as well as the pitfalls and limits we may face.

4.6.2. Cain & Abel: Sniffing and MitM Attacks

Another very powerful and infamous tool that we can use to mount MitM attacks is Cain & Abel.

To demonstrate how Cain works, we will use the same target used with Ettercap.

Steps (Image available):

  1. The first thing to do once Cain starts is to click the Configure button in the top menu. Ensure that you select the correct network adapter, and that you are sniffing in promiscuous mode. Also notice that some older wireless cards may not be able to sniff in promiscuous mode.

  2. Once we are sure we have selected the correct interface to use, we have to select the Sniffer tab and start the sniffer by clicking on the Start/Stop Sniffer icon.

  3. Now that we are in the correct window, let us right-click in the white space and select Scan MAC address. We need to provide the address range to scan and Cain will automatically resolve IP to MAC based on ARP Request/Reply packets.

As soon as we click `OK`, Cain starts scanning the network. After a few seconds we should see the hosts found listed in the main window. Similarly to Ettercap, we will run an ARP poisoning attack and use the hosts 172.16.5.15 and 172.16.5.1 (gateway) as targets.

  4. To intercept the data between these devices, we must now perform the ARP poisoning attack.

ARP Poisoning steps:
1. Let us click the ARP tab down at the bottom of the screen.
2. Now that we are in the ARP tab, we have to click in the top white box and then click on the blue plus icon in the top menu.
  This will open a new window where we can select the targets of our test.
3. In the new window we will see a list of hosts on the left. Once we select the router (172.16.5.1) on the left, the other hosts will show up on the right. With the router still selected on the left, let us then select our target (172.16.5.15) on the right.

  Notice that if you want to capture traffic from multiple hosts, you can hold down the CTRL key and click the other systems.

  In the next steps we will use only one victim (172.16.5.15).

4. Now we are ready to activate the ARP poisoning by clicking on the ARP button in the main toolbar (the nuclear symbol).
  If everything is set correctly, we should now see the word `Poisoning` in the `Status` column.

  If the attack is working, we will start seeing packets in the bottom section of the window, as follows:
  |   Status   |IP Address | MAC Address |Packets->|<-Packets| MAC Address | IP Address|
  |------------|-----------|-------------|---------|---------|-------------|------------------|
  |Full-routing|172.16.5.15|005056513404 |   40    |   40    |005056B139AF | 10.10.10.6 |
  |Full-routing|172.16.5.15|005056513404 |  17068  |  28096  |005056B139AF | 10.10.10.6 |

  We need to make a couple of notes here regarding the `ARP WAN Status` column in the bottom section of the window:
  - Broadcasting
    APR received a packet from a host on a different network directed to a host we are not poisoning. In order to ensure that the packet gets back to the host, APR broadcasts the packet to all hosts on the LAN.
  - Half-Routing
    Means that APR is only routing traffic on one side of the connection (either client to server, or server to client), but not both.

    There are a couple of reasons this can happen:
    - One of the two hosts cannot be poisoned
    - Asymmetric routing is used on the LAN

    In this state, APR is limited in that it cannot grab any authentications that use a challenge-response mechanism. More than likely, the poisoned system is still using the correct destination MAC address, so the traffic is bypassing the attacker system.

  - Full-Routing
    This state means that APR is routing traffic successfully both ways, and all authentications will be captured accordingly.

On the left panel we can see what Cain was able to intercept. If we inspect the entries by opening the `Password` tab, we will see the credentials sent by the target machine (see image).

  You can continue to look at captured sessions by clicking on any of the items in the list on the left.

Notice that Cain can be used to capture encrypted traffic too.

  In this case, it provides the target its own certificate, therefore it will be able to encrypt/decrypt the whole communication. (We will see this later on in this module)

One of the other powerful uses for Cain is NTLM (NT LAN Manager) challenge spoofing. If a network utilizes Active Directory for authentication, Cain will be able to get the NTLM SHA1 hashed credentials from the network by spoofing the NTLM challenge-response mechanism.

Moreover, any encrypted passwords can be sent to Cain's built-in Cracker by right-clicking on the line that contains the password you need to decrypt and then clicking Send to Cracker.

4.6.3. Macof

As we already know, switches keep a translation table, known as the Content Addressable Memory (CAM) table. This table maps MAC addresses to the physical ports on the switch.

In other words, the CAM table allows a switch to intelligently route packets from one host to another, but it has a limited memory for this function.

This is how a CAM table looks:

  |PORT| MAC | TTL |
  |----|-----|-----|
  | 1  |MAC_A|1600 |
  | 1  |MAC_B|  90 |
  | 1  |MAC_C|1000 |
  | 2  |MAC_D|  36 |

MAC flooding makes use of this memory limitation of the CAM table. It floods the switch with fake MAC addresses until the switch cannot keep up. This causes the switch to enter what is known as fail-open mode, in which the switch begins acting as a network hub, broadcasting packets to all the machines on the network.
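To make the fail-open behaviour concrete, here is a toy CAM table model (an added illustration, not code from the module or from the dsniff project): the capacity, port numbers and fake source MACs are constructed, while the victim and gateway MACs are the ones from the lab diagram. It also shows the defensive counterpart, a per-port MAC limit (port security) that err-disables the flooding port before legitimate entries are pushed out.

```python
"""Toy model of a switch CAM table, showing why MAC flooding forces fail-open
(hub-like) forwarding and how a per-port MAC limit (port security) stops it.
Added illustration, not part of the original module; the capacity, ports and
fake MACs are constructed values, the victim/gateway MACs come from the lab."""
from collections import OrderedDict

FLOOD = "FLOOD"   # destination unknown: frame is sent out of every port

class Switch:
    def __init__(self, capacity, max_macs_per_port=None):
        self.capacity = capacity                 # CAM table size (tiny, for the demo)
        self.max_macs_per_port = max_macs_per_port
        self.cam = OrderedDict()                 # mac -> port, oldest entry first
        self.disabled_ports = set()              # ports err-disabled by port security

    def learn(self, src_mac, port):
        """Source-address learning on ingress; returns False if the frame was dropped."""
        if port in self.disabled_ports:
            return False
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)        # refresh the entry's age (TTL)
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.disabled_ports.add(port)    # violation: shut the offending port
                return False
        if len(self.cam) >= self.capacity:
            # Table full. Real switches stop learning until entries age out; evicting
            # the oldest entry models the same outcome: legitimate hosts fall out.
            self.cam.popitem(last=False)
        self.cam[src_mac] = port
        return True

    def forward(self, dst_mac):
        """Egress decision: known destination -> its port, otherwise flood."""
        return self.cam.get(dst_mac, FLOOD)

def mac_flood_demo(n_fake, max_macs_per_port=None):
    """Attacker on port 3 sends n_fake frames with distinct source MACs.
    Returns (victim port before, victim port after, attacker port disabled?)."""
    sw = Switch(capacity=8, max_macs_per_port=max_macs_per_port)
    sw.learn("00:50:56:b1:34:04", port=1)       # victim  172.16.5.15
    sw.learn("00:50:56:b1:39:af", port=2)       # gateway 172.16.5.1
    before = sw.forward("00:50:56:b1:34:04")
    for i in range(n_fake):
        sw.learn(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", port=3)
    after = sw.forward("00:50:56:b1:34:04")
    return before, after, 3 in sw.disabled_ports
```

Without a limit, frames for the victim are flooded to every port once the table fills; with `max_macs_per_port=2` the attacker's port is disabled after the third new MAC and the victim's entry survives.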

MAC flooding can be performed with both Ettercap and Cain, but we will see how to run the attack with Macof, a utility which comes with the dsniff suite.

Macof can generate 155,000 MAC entries per minute, and generally takes less than 70 seconds to fill the CAM table on an average switch.

Macof is a C version of the Perl module Net::RawIP macof program, originally written by Ian Vitek.

Like many other tools, best results will come from running the tool as an administrator or root-level user, or a user that has the same privileges on the system.

Basic Macof usage:

macof [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-i interface ] [-n times]

Description:

  • -i interface: Specify the interface to send on

  • -s src: Specify source IP address

  • -d dst: Specify destination IP address

  • -e tha: Specify target hardware address

  • -x sport: Specify TCP source port

  • -y dport: Specify TCP destination port

  • -n times: Specify the number of packets to send

Please note that using macof may cause degradation of network services, so be aware when running it in your network.

Also ensure that IP forwarding is active on the attacking machine, as described earlier in the module. To do so, you can run the following command (as root):

echo 1 > /proc/sys/net/ipv4/ip_forward

For example, let us run the command and set the interface to tap0 with the -i option:

    root@els: $ sudo macof -i tap0

At this point we can start a network sniffer, such as Wireshark or dsniff, to start capturing data from the switch.

  If you are not seeing any data from other systems, then the router or switch you are trying to flood probably has protection against MAC flooding.

Since the previous command will keep sending traffic indefinitely, we can specify the number of packets to send. For example, let us set it to 32 with the -n option. Once the 32 packets have been sent, Macof will automatically stop.

This shortened command would only replace the first 32 entries in the table. Therefore, we would only get data from those ports until the switch times out the entries in the table and rediscovers the IP address of the device attached to the port.

4.6.4. Arpspoof

Now we will take a look at ARPspoof, which executes the MitM attack that will allow us to sniff traffic.

This tool is part of the dsniff package. It constantly sends ARP replies to our targets in order to poison their ARP tables.

We will use the following test environment, the same as in the previous tests (see image):

Target (Gateway)----------------Switch----------Victim    
  MAC : 00:50:56:B1:39:AF         |               MAC : 00:50:56:B1:34:04
  IP  : 172.16.5.1                |               IP  : 172.16.5.15
                                  |
                                  --------------Attacker
                                                  MAC : EA:75:03:7F:07:EB
                                                  IP  : 172.16.5.152

Steps:

  1. Before running the tool, let us take a look at our victim machine and pull up the current ARP table on the system. To do this, we run the `arp -a` command from the prompt (see image).

In the output we can see that the victim IP address is 172.16.5.15, and that the router (172.16.5.1) MAC address is 00:50:56:B1:31:04.

Moreover, the attacker (172.16.5.152) has the following MAC address: EA:75:03:7F:07:EB

  2. Now that we know this information, we can go to our attacker machine and start the attack by running sudo arpspoof -i tap0 -t 172.16.5.15 172.16.5.1:

    stduser@els:~$ sudo arpspoof -i tap0 -t 172.16.5.15 172.16.5.1
    ea:75:3:7f:7:eb 0:50:56:b1:31:4 0806 42: arp reply 172.16.5.1 is-at ea:75:3:7f:7:eb
    ea:75:3:7f:7:eb 0:50:56:b1:31:4 0806 42: arp reply 172.16.5.1 is-at ea:75:3:7f:7:eb
    ea:75:3:7f:7:eb 0:50:56:b1:31:4 0806 42: arp reply 172.16.5.1 is-at ea:75:3:7f:7:eb
    ea:75:3:7f:7:eb 0:50:56:b1:31:4 0806 42: arp reply 172.16.5.1 is-at ea:75:3:7f:7:eb
    ea:75:3:7f:7:eb 0:50:56:b1:31:4 0806 42: arp reply 172.16.5.1 is-at ea:75:3:7f:7:eb
    ea:75:3:7f:7:eb 0:50:56:b1:31:4 0806 42: arp reply 172.16.5.1 is-at ea:75:3:7f:7:eb

With this command we are sending ARP replies to the victim host (-t 172.16.5.15), telling it that the MAC address of the host 172.16.5.1 (gateway) is our MAC address.

Indeed, if we inspect the victim ARP table (using `arp -a`), we will see that the MAC address associated with the IP address *172.16.5.1* has changed and is now the same as our (attacker) machine's (see image).

**Notice that this is just half of the attack: the victim thinks we are the gateway, but the gateway still sends the packets to the correct victim MAC address.**
  3. To complete the attack we have to run a new arpspoof command, similar to the previous one, but with the 2 IP addresses in the reverse order. This allows us to change the ARP table on the gateway too and be able to intercept the full communication between the victim and the gateway:

    sudo arpspoof -i tap0 -t 172.16.5.1 172.16.5.15

    Once we run the previous command, the MitM attack is complete and we will be able to intercept the victim traffic with an external tool such as Wireshark or tcpdump.

Important: Before running the arpspoof commands, be sure you have enabled IP forwarding on your attacker machine, so that the traffic goes through your host.

You can do this with the following command (the redirection must itself run as root, so sudo is applied to a shell rather than to echo alone):

    sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
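The module verifies the poisoning by comparing the victim's `arp -a` output before and after (Ettercap section) and by reading the replies arpspoof prints. The same observations are what a defender monitors for. Below is an arpwatch-style check, added here as an example and not part of the module or the dsniff tools: it replays ARP replies in the text form tcpdump and arpspoof print, keeps the IP-to-MAC binding each reply asserts, and alerts on a binding change or on one MAC claiming several IPs (the attacker posing as both gateway and victim, which is exactly the two-command sequence above). The sample lines are constructed from the lab addresses.

```python
"""Arpwatch-style check for the ARP poisoning used by Ettercap and arpspoof.
Added example, not part of the original module. It reads ARP replies in the
text form tcpdump and arpspoof print ("... reply <ip> is-at <mac>"), tracks
the IP -> MAC binding each reply asserts, and alerts when a binding changes
or when a single MAC claims several IPs (the attacker posing as gateway and
victim at once). Sample lines are constructed from the lab addresses above."""
import re
from collections import defaultdict

REPLY_RE = re.compile(r"(?:arp )?reply (\S+) is-at ([0-9a-f:]+)", re.I)

# Trusted binding recorded before the test (the gateway MAC from the diagram).
KNOWN = {"172.16.5.1": "00:50:56:B1:39:AF"}

# Constructed feed: one legitimate reply, then poison replies exactly as
# arpspoof prints them (octets without leading zeros), in both directions.
SAMPLE = [
    "00:50:56:b1:39:af > ff:ff:ff:ff:ff:ff, ARP, Reply 172.16.5.1 is-at 00:50:56:b1:39:af",
    "ea:75:3:7f:7:eb 0:50:56:b1:34:4 0806 42: arp reply 172.16.5.1 is-at ea:75:3:7f:7:eb",
    "ea:75:3:7f:7:eb 0:50:56:b1:34:4 0806 42: arp reply 172.16.5.1 is-at ea:75:3:7f:7:eb",
    "ea:75:3:7f:7:eb 0:50:56:b1:39:af 0806 42: arp reply 172.16.5.15 is-at ea:75:3:7f:7:eb",
]

def norm_mac(mac):
    """Zero-pad each octet so 'ea:75:3:7f:7:eb' equals 'EA:75:03:7F:07:EB'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def detect_poisoning(lines, known=None):
    """Return the list of alerts raised while replaying `lines`.
    `known` seeds the trusted IP -> MAC bindings (e.g. an arp -a snapshot
    taken before the test, as the module suggests)."""
    bindings = {ip: norm_mac(mac) for ip, mac in (known or {}).items()}
    claims = defaultdict(set)   # mac -> IPs that MAC has claimed to own
    alerts = []
    for line in lines:
        m = REPLY_RE.search(line)
        if not m:
            continue            # not an ARP reply, ignore
        ip, mac = m.group(1), norm_mac(m.group(2))
        old = bindings.get(ip)
        if old is not None and old != mac:
            alerts.append(f"binding change: {ip} was {old}, now claimed by {mac}")
        bindings[ip] = mac
        if ip not in claims[mac]:
            claims[mac].add(ip)
            if len(claims[mac]) > 1:
                alerts.append(f"{mac} claims multiple IPs: {sorted(claims[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE, KNOWN):
        print(alert)
```

On a real network the same logic can be fed from `tcpdump -l -n arp`, and the mitigation on managed switches is Dynamic ARP Inspection, which drops replies whose binding does not match the DHCP snooping table.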

4.6.5. Bettercap

Bettercap is an open-source, modular, multi-platform tool that offers a great number of options and features that allow us to configure our MitM attacks in detail.

Once again we will use the same testing environment used so far and the same target machines. Like the tools we've seen so far, Bettercap implements an ARP spoofer feature that allows us to target both the whole network or a single known address.

Basic commands:

  • -h --help Show help

  • -G --gateway ADDRESS Manually specify the gateway address

  • -I --interface IFACE Network interface name

  • -S --spoofer NAME Spoofer module to use

  • -T --target ADDRESS1,ADDRESS2 Target IP address(es)

  • --ignore ADDRESS1,ADDRESS2 Ignore addresses if found

  • -O --log LOG_FILE Log all messages into a file

  • -D --debug Enable debug logging

  • -L --local Parse packets from/to the address of this PC

  • -X --sniffer Enable sniffer

  • -P --parser Enable parser

  • And others

Steps:

  1. First, we need to find our targets in the network. To do so we can simply run Bettercap on a specific interface with the --no-spoofing option:

    bettercap -I tap0 --no-spoofing

As we can see, only the discovery mode is enabled and the output shows that Bettercap is able to automatically identify the gateway (172.16.5.1), the other hosts in the network and their MAC addresses.

Notice that by default it also attempts to perform a NBNS hostname resolution for each host, but we can disable this feature by adding the --no-target-nbns option to our command.

Now that we know the alive hosts in our network, let us start configuring Bettercap. Notice that if we run it without any options, Bettercap by default will run a spoofing attack against all the hosts in the network.

  2. Since we want to run the ARP spoofing attack on a specific target (172.16.5.15), we will use the -T option:

    bettercap -I tap0 -T 172.16.5.15

It is important to check whether Bettercap has identified the correct gateway. If it has not, or if we want to manually specify a different gateway address, we can use the -G option followed by the IP address of the gateway.

In our case, our command will look like the following:

    bettercap -I tap0 -G 172.16.5.1 -T 172.16.5.15

Before running the previous command let us also enable the sniffer feature with the -X option. As stated in the documentation, the credentials sniffer is able to dissect and print information such as: URLs visited, HTTP POST data, HTTP authentications, FTP credentials, and many more.

We can decide what information to analyze, and we can also use a regex to capture the sniffed data.

For now we will only enable the following: HTTPAUTH, FTP, URL, POST.

Our final command will look like the following:

    bettercap -I tap0 -T 172.16.5.15 -X -P "HTTPAUTH,URL,FTP,POST"

Once we run the command, Bettercap starts collecting URLs and data sent via POST/GET parameters.
