18.1 The Basic Concept of Packet Sniffing
Password cracking repeatedly submits username and password guesses until the authentication information is found. Its disadvantage is that it takes a lot of time to obtain the password, and if no entry in the data dictionary matches, the attack fails. On the other hand, data that is transmitted over a TCP/IP network can be captured in transit. Let's assume that you have been able to turn a PC in an enterprise's internal network into a zombie through successful penetration testing. The TCP/IP layer-2 protocol relies heavily on broadcast delivery, and therefore, once the intranet has been accessed, it is possible to see all packets that are sent on the internal network.
Figure 18-1 Packet Sniffing Area
In particular, the username and password that are sent and received during an FTP login are transmitted in plain text, so they can easily be captured through a packet sniffing attack. To interpret the network data, the headers from the physical layer up to the transport layer must be decoded. However, the FTP data in the application layer can be read directly without any additional work. Since it is easy to read, it is easy to hack. Note, however, that a packet sniffing attack of this kind is not possible from the Internet (an external network), because the traffic is only visible on the local segment.
Figure 18-2 TCP/IP Layer-2 Protocol Behavior
In the TCP/IP protocol stack, layer 2 operates on the MAC (Media Access Control) address. The MAC address is also called the physical address; each NIC (Network Interface Card) is assigned a unique 48-bit value. On Windows you can find the MAC address by typing “ipconfig /all” at the command prompt. The packets generated by the origin are broadcast to all nodes in the same network. Since the network may be divided by a router, only the nodes connected on the same side of the router can exchange packets with each other this way. The NIC checks whether the destination address of a received packet matches its own address, and only if it does is the packet passed to the operating system. The basic concept of packet sniffing is to analyze all packets without discarding any.
Figure 18-3 Packet Sniffing Procedure
You should run the Python GUI with administrator privileges to execute the packet sniffing program. Administrator privileges are needed to create a raw socket, which is a socket that accepts all packets without filtering any. After creating the raw socket, bind it to the NIC (Network Interface Card) and change the mode of the NIC. By default the NIC accepts only the packets addressed to it as the destination. If you switch it into promiscuous mode, the NIC receives all incoming packets. In Python, only a few lines of code are needed to set this up.
Figure 18-4 Setting Run as Administrator
Right-click the “IDLE” icon and click on “Properties”; the screen above is displayed. In the “Privilege Level” field at the bottom of the “Compatibility” tab, check the “Run this program as an administrator” option. As a result, each time you click on the “IDLE” icon, the program starts with administrator privileges.
18.2 Packet Sniffing Execution
The client PC sends packets to log in to the FTP service on the server PC. The hacker PC can then capture these packets via packet sniffing. The purpose of this example is not to analyze the packets at every network layer. To obtain the username and password via packet sniffing, you only have to analyze the data in the application layer.
import socket
import string

# Windows only: SIO_RCVALL and RCVALL_ON exist only in the Windows socket module.
# The program must run with administrator privileges to open a raw socket.
HOST = socket.gethostbyname(socket.gethostname())

s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)  # (1)
s.bind((HOST, 0))                                                      # (2)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)                  # (3)
s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)                           # (4)

printable = set(string.printable)  # (6) characters that are safe to print

while True:
    data = s.recvfrom(65565)  # (5) returns a (bytes, address) tuple
    # (6) replace every non-printable byte with '.' so the packet can be printed
    parsedData = ''.join(chr(b) if chr(b) in printable else '.' for b in data[0])
    if parsedData.find("USER") > 0:  # (7)
        print(parsedData)
    elif parsedData.find("PASS") > 0:
        print(parsedData)
    elif parsedData.find("530 User cannot log in") > 0:
        print(parsedData)
    elif parsedData.find("230 User logged in") > 0:
        print(parsedData)
The arguments given when creating the socket object determine the type of data that the socket can process. As previously mentioned, a program that uses a raw socket must always be started with administrator privileges. The execution procedure is as follows.
(1) Creating the socket: define the socket's functions with three arguments and create the object.
⦁ AF_INET: the address family that specifies the IPv4 protocol, supporting TCP/UDP.
⦁ SOCK_RAW: raw socket support. A raw socket sends and receives data directly above the IP stack, without a TCP/UDP header being added.
⦁ IPPROTO_IP: specifies IP as the protocol used by the socket.
(2) Binding the socket: binds the socket to the NIC. Enter the address of the local PC and assign port “0”, which is unused.
(3) Changing the socket option: changes the option so that raw packets, including their IP header, are passed between the socket and the kernel.
⦁ IPPROTO_IP: the socket exchanges network-layer packets with the kernel.
⦁ IP_HDRINCL and 1: the socket includes the IP header in the packet.
(4) Setting promiscuous mode: the NIC forwards all received packets to the socket.
⦁ SIO_RCVALL: the NIC forwards the received IPv4/IPv6 packets to the socket.
⦁ RCVALL_ON: the NIC forwards all received packets to the socket.
(5) Receiving a packet: reads up to 65,565 bytes from the buffer; recvfrom returns a tuple containing the data and the sender address.
(6) Setting the output type: if NULL bytes are present in the data, an error occurs when the tuple's data is printed. Therefore, convert the data into a form that can be output.
(7) Printing authentication information: prints the authentication information contained in the data. “USER” and “PASS” correspond to the username and password. If authentication fails, a 530 message is output, and a 230 message is output if it succeeds, so the 230 message confirms that the captured credentials are correct.
Run the hacking program on the hacker PC, then try to establish an FTP connection from the client PC to the server PC. Although the correct credentials are “server/server”, first enter “server/server1” to see the result of an incorrect authentication attempt. Second, observe a normal authentication by entering “server/server”. The results of the FTP login attempts from the client PC are as follows.
Figure 18-5 Client PC FTP Connection Screen
The hacking program running on the hacker PC monitors the packets generated by the client PC. When traffic is generated, the following results are shown. Since the first login attempt failed, the error message “530 User cannot log in” is displayed. Since the second login attempt was successful, the “230 User logged in” message is displayed. From this you can determine that “server/server” are the username and password.
Figure 18-6 Hacker PC Packet Sniffing Result
Once a hacker has penetrated the internal network, he can easily steal credentials via packet sniffing. Therefore, internal security measures should be implemented to guard against such an attack. When transmitting data, you must use encrypting protocols such as SSL (Secure Sockets Layer) or IPsec (IP Security Protocol). When connecting to a remote server, you must use SSH (Secure Shell). This protects the transmitted data from sniffing attacks. A more active response uses a specialized sniffing detection tool that can detect interfaces placed into promiscuous mode.
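The sniffer in this chapter works only because the NIC has been switched into promiscuous mode, and that state is visible to the operating system. As an added example that is not part of the book, the following Linux check reads the interface flags that the kernel exposes under /sys/class/net/<iface>/flags and reports every interface with the IFF_PROMISC bit (0x100, from <linux/if.h>) set. The function names and the sysfs path argument are this example's own; the flag values are the kernel's. It is a host-local check: it sees promiscuous interfaces on the machine it runs on, not on other hosts in the segment, so it belongs in an endpoint audit or agent rather than on the network.

```python
import os

# Interface flag bits as defined in <linux/if.h>; /sys/class/net/<iface>/flags
# reports the combined value in hexadecimal (e.g. "0x1103").
IFF_FLAGS = {
    0x1: "UP",
    0x2: "BROADCAST",
    0x8: "LOOPBACK",
    0x40: "RUNNING",
    0x100: "PROMISC",
    0x1000: "MULTICAST",
}
IFF_PROMISC = 0x100


def decode_flags(text: str) -> set:
    """Turn the hexadecimal flags string from sysfs into a set of flag names."""
    value = int(text.strip(), 16)
    return {name for bit, name in IFF_FLAGS.items() if value & bit}


def is_promiscuous(text: str) -> bool:
    """True if the PROMISC bit is set in a sysfs flags string."""
    return bool(int(text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Return the sorted names of all interfaces currently in promiscuous mode.
    sysfs_root is a parameter so the function can be pointed at a copied tree."""
    found = []
    if not os.path.isdir(sysfs_root):
        return found                      # not Linux, or sysfs not mounted
    for iface in sorted(os.listdir(sysfs_root)):
        flags_path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(flags_path) as fh:
                if is_promiscuous(fh.read()):
                    found.append(iface)
        except OSError:
            continue                      # interface vanished or no flags file
    return found


if __name__ == "__main__":
    sniffing = promiscuous_interfaces()
    if sniffing:
        print("promiscuous interfaces:", ", ".join(sniffing))
    else:
        print("no interface is in promiscuous mode")
```

The loopback interface is always UP and LOOPBACK but never PROMISC in normal operation, so a clean host returns an empty list; a host running a capture tool returns the capturing interface.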