Performing this task and all subsequent tasks requires you to successfully perform an ARP Spoofing attack against the other nodes in your network using Ettercap. Other tools that might be useful for this task include tcpdump and chaosreader.
If you don’t have an account, follow the instructions in the introduction to DETER document.
Log into DETER.
Create an instance of this exercise by following the instructions here, using /share/education/MITM_UCLA/mitm.ns as your NS File.
In the “Idle-Swap” field, enter “1”. This tells DETER to swap your experiment out if it is idle for more than one hour.
In the “Max. Duration” field, enter “6”. This tells DETER to swap the experiment out after six hours.
After the experiment has finished swapping in, log in to the node via ssh.
For this lab, you will only have console access to the host eve.mitm.UCLAClass.deterlab.net; the hosts alice and bob will be configured so that you can’t log into them (at least to start!).
It is very possible that actions you take in the course of this lab could kill important processes, erase files, or generally cause other havoc in the system. If you think that you have “broken” your lab nodes, you can always reboot the nodes, or if things are really screwed up, swap out the experiment and swap it back in to start fresh. As always, anything you save in your group directory on DETER will stay there — make sure you save any important work somewhere safe.
Your first task is to eavesdrop on all cleartext network traffic and document what the different traffic streams are communicating.
Do not ARP Poison any interface from /var/emulab/boot/controlif or starting with 192.168.*.* — that is DETER’s control network!
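As an added defender-side check (not part of the lab materials), the following script reads ARP reply lines in the format `tcpdump -n arp` prints and flags the two signatures that cache poisoning leaves on the wire: one IP answered by two different MACs, and one MAC answering for several IPs. The addresses and MACs in the sample capture are constructed.

```python
import re
from collections import defaultdict

# Matches ARP reply lines as printed by `tcpdump -n arp` (requests are ignored).
ARP_REPLY = re.compile(
    r"^\S+ ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_arp_replies(lines):
    """Yield (ip, mac) for every ARP reply line; other lines are skipped."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m.group("ip"), m.group("mac").lower()

def detect_arp_spoofing(lines):
    """Return (kind, key, sorted values) findings: 'ip-conflict' when one IP is
    answered by more than one MAC, 'mac-multi-ip' when one MAC claims several
    IPs (a poisoner impersonating both ends of a conversation)."""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for ip, mac in parse_arp_replies(lines):
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    findings = []
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            findings.append(("ip-conflict", ip, sorted(macs)))
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            findings.append(("mac-multi-ip", mac, sorted(ips)))
    return findings

# Constructed sample capture: 10.1.1.2 and 10.1.1.3 are the genuine hosts;
# 00:0e:ee:ee:ee:ee is a third station answering for both of them.
SAMPLE_CAPTURE = """\
12:00:00.000100 ARP, Request who-has 10.1.1.3 tell 10.1.1.2, length 28
12:00:00.000200 ARP, Reply 10.1.1.3 is-at 00:0b:22:22:22:03, length 28
12:00:00.000300 ARP, Reply 10.1.1.2 is-at 00:0a:11:11:11:02, length 28
12:00:01.000400 ARP, Reply 10.1.1.2 is-at 00:0e:ee:ee:ee:ee, length 28
12:00:01.000500 ARP, Reply 10.1.1.3 is-at 00:0e:ee:ee:ee:ee, length 28
"""

if __name__ == "__main__":
    for kind, key, values in detect_arp_spoofing(SAMPLE_CAPTURE.splitlines()):
        print(f"{kind}: {key} -> {', '.join(values)}")
```

Run it against a file saved from `tcpdump -n arp` on the 10.x.x.x interface; a clean network produces no findings.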
Answer these questions as completely as you can:
What kind of data is being transmitted in cleartext?
What ports, what protocols?
Can you extract or identify any meaningful information from the data?
e.g., if a telnet session is active, what is happening in the session? If a file is being transferred, can you identify the data in the file?
Make sure you eavesdrop for at least 30 seconds to make sure you get a representative sample of the communication.
Is any authentication information being sent over the wire? e.g., usernames and passwords.
If so, what are they? What usernames and passwords can you discover?
Note: the username and password decoding in ettercap is not perfect — how else could you view plain text authentication?
Is any communication encrypted? What ports?
Replay Attack against the Stock Ticker
You know that stock information is communicated over your network and logged on an internal server. It takes a feed from New York that updates the current price. The local server shows the current price and all previous prices since the last reload. This local server is the information that all internal company brass use for their reports and personal stock purchases. You also know that the stock program uses some kind of encryption, but you think it may be vulnerable to replay attacks because it was written by the CTO’s 13-year-old nephew who doesn’t have the greatest
Can you perform a replay attack against the stock ticker in order to make FrobozzCo’s stock look bad and Zembor Corp’s stock look good? You like imagining the internal chaos this would cause.
To do this, you will need to:
set up ARP spoofing with Ettercap
capture traffic with tcpdump
analyze the captured traffic
generate new requests to the stock quote service by “replaying” old requests.
You will probably find it easiest to create URL-based replay attacks using elinks, wget, or curl (all text-based web clients). Likewise, you’ll probably want to set up port forwarding so you can play with the application in your desktop web browser.
In this way, you are “replaying” the remote procedure call (RPC), but not the actual TCP packets. In reality, there is software that can be used to actually replay real TCP sessions back on to the network, but it is too complicated for this lab. (What about TCP packets makes replaying difficult?)
Once you figure out how to create the replay attack, include the following information in a report:
Explain exactly how to execute the attack, including the specific RPCs you replayed.
Explain how you determined that this strategy would work.
Execute your replay attack and show the results of your attack with a screen capture, text dump, etc. showing that you are controlling the prices on the stock ticker.
Ettercap has the ability to execute regular-expression-like filters on cleartext traffic. This allows you to change the contents of packets as you sniff them. To do this, you need to create ettercap filter modules and load them into a running ettercap that is performing ARP spoofing.
For this part of the lab, you’ll write some etterfilters, compile them, and load them into ettercap so you can use them on the network stream.
etterfilters can be used to intercept and change traffic in either or both directions, but only between bob and alice. This means that you can change a request going to the server, and/or you can change the results that ticker users see when they view the ticker (by changing outgoing results). However, changing requests to the server is hard because of the nonce in the stock ticker request. This nonce hinders replay attacks and thus makes it difficult to correctly modify requests that are inbound to the ticker. However, since the ticker replies in cleartext, it’s easy to change outgoing results! Again, remember that requests from eve will not be modified — so “testing” from eve with elinks or a tunneled connection will not see the changes.
For these filters, you won’t change the data that’s on the stock server — just what it looks like to someone viewing the page.
You can change the symbols a viewer of the ticker sees by intercepting the HTML bound for their browser. Write a filter to change the symbol FZCO to OWND.
Write a filter to affect the prices a user of the stock ticker sees.
Include your filter sources with your submission materials.
Make sure you comment your code (use the # character) to explain what the filter does and how.
Warning! It’s hard to test whether your filtering setup is working, because ettercap is only filtering traffic to and from alice and bob. If you run elinks on eve, or forward a port through eve with ssh tunneling, the traffic you see as a viewer will not be modified! You can run tcpdump on eve to see the modified packets leaving eve, but only the outgoing packets will be modified.
For these questions, you don’t need to write filters, just write short answers or pseudocode explaining how you would do it.
Given the power of etterfilter and the kinds of traffic on this network, you can actually make significant changes to a machine or machines that you’re not even logged in to. How?
Of the cleartext protocols in use, can you perform any other dirty tricks using insertion attacks? The more nasty and clever they are, the better.
Hint: There is a sample etterfilter source file in /root/ on the host eve. You can use this filter as a starting point for your own filters. See man etterfilter and irongeek’s etterfilter tutorial in the “starting points”
4. MITM vs. Encryption
There is at least one encrypted network stream in use on your network subnet. Lucky for you, your coworkers blindly click OK any time a certificate error pops up on their screen — you know this because they complain loudly every time it happens — so you are hopeful that a man-in-the-middle attack against the certificates would be successful. What’s so important about that encrypted stream — what is the data being transferred?
Ettercap will not perform SSL decryption automatically — you have to uncomment a few configuration items in /usr/local/etc/etter.conf in order to properly forward the data. Examine that file, use any available documentation and make the necessary changes so that you can man-in-the-middle their SSL connection.
When you quit using Ettercap after having made these changes, it will make some complaints — don’t worry about them.
What configuration elements did you have to change?
Copy and paste some of this data into a text file and include it in your submission materials.
Why doesn’t it work to use tcpdump to capture this “decrypted” data?
For this exploit to work, it is necessary for users to blindly “click OK” without investigating the certificate issues. Why is this necessary?
What is the encrypted data they’re hiding?
What can go wrong
Make sure you swap out your nodes when you are done working.
If Ettercap doesn’t seem to be working, make sure you are poisoning the correct interface.
You should be poisoning the 10.x.x.x interface.
If Ettercap still won’t work, try rebooting your nodes (you don’t have to swap out yet). If it’s still not working, try swapping the nodes out and back in. (Save your work.)
Keep your etterfilters simple — the etterfilter scripting language can be difficult to work with.
This assignment is left intentionally open-ended — rather than going into great depth about how to use tools like Ettercap, tcpdump, chaosreader, and others, we’re leaving it up to you to do the external reading and experimentation required. We’ve also provided a challenge problem if the regular assignment is too easy.
You should take notes on everything that you do, including taking terminal logs or copying character data from the terminal. In a very real sense, this activity is the opposite of computer forensics, and both require lots of notes in order to ensure repeatability. In a real Red Team exercise, complete and thorough documentation is a must.
A few starting points:
SANS Institute Ettercap Tutorial — this is for an older version of Ettercap so don’t be confused.
Extra Credit Questions
Answer one or more of the following to receive extra credit points.
You have a powerful suspicion that the encryption token used in the stock ticker application is not particularly strong.
What observable software behavior might lead you to believe this?
Can you reverse engineer the token? How is the token created?
If you can reverse engineer it, can you write a script in your favorite language to post data of your choice?
Hint: all the necessary pieces are available on the servers for both Perl and bash.
What would be a better token? How would you implement it on both the client and server side?
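A replay-resistant design for a ticker update, added here as an illustration for the last extra-credit question and for the nonce discussion in the etterfilter section; this is example code, not the lab’s stock ticker application. The shared secret, the request field names and the 30-second window are assumptions. The server accepts an update only if its HMAC verifies, its timestamp is fresh, and its nonce has not been seen within the window, which is what defeats the kind of replay the earlier task asks you to perform.

```python
import hashlib
import hmac
import os
import time

# Constructed shared secret; a real deployment provisions it out of band per client.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

def make_request(secret, symbol, price, now=None, nonce=None):
    """Client side: bind the update to a timestamp and a fresh random nonce,
    then authenticate all of it with an HMAC keyed by the shared secret."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16).hex() if nonce is None else nonce
    msg = f"{symbol}|{price}|{ts}|{nonce}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"symbol": symbol, "price": price, "ts": ts, "nonce": nonce, "tag": tag}

class TickerServer:
    """Server side: accept an update only if its MAC verifies, its timestamp is
    within `window` seconds, and its nonce has not been seen inside that window."""

    def __init__(self, secret, window=30):
        self.secret = secret
        self.window = window
        self.seen = {}  # nonce -> timestamp, pruned as entries age out

    def verify(self, req, now=None):
        now = int(time.time() if now is None else now)
        msg = f"{req['symbol']}|{req['price']}|{req['ts']}|{req['nonce']}".encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison first: nothing below trusts an unauthenticated request.
        if not hmac.compare_digest(expected, req["tag"]):
            return "bad-mac"
        # The timestamp window bounds how long the nonce cache must remember anything.
        if abs(now - req["ts"]) > self.window:
            return "stale"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if req["nonce"] in self.seen:
            return "replay"
        self.seen[req["nonce"]] = req["ts"]
        return "ok"

if __name__ == "__main__":
    server = TickerServer(SHARED_SECRET)
    update = make_request(SHARED_SECRET, "FZCO", "12.50", now=1000)
    print(server.verify(update, now=1000))   # ok
    print(server.verify(update, now=1005))   # replay
    forged = dict(update, price="0.01")
    print(server.verify(forged, now=1005))   # bad-mac
```

Because the symbol and price are under the MAC, an in-path filter that rewrites either field produces a "bad-mac" rejection rather than a changed quote; only the cleartext HTML the ticker renders afterwards would still be exposed, which is the separate problem TLS addresses.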
Create a single .pdf, .doc, or .txt with all your answers, your etterfilter source files, and anything else you think should be included, and submit it to your instructor. Make sure to double check that you have answered all the questions.