Attack Vector 1 – Wireshark

Wireshark has become a universal tool for network administrators and engineers diagnosing network issues. It is also a powerful tool in the hands of both White Hat and Black Hat professionals. One of the elementary exercises is capturing plain-text information as it passes over the wire. This attack steps a user through capturing the plain-text log-in credentials of a user who logs in to an unencrypted WordPress site. It is a great tutorial for learning how to use Wireshark and for understanding how vulnerable some websites can be.

Wireshark Attack Process

The following sections cover each part of the attack in chronological order as you read through this page. A video tutorial and a commands-only summary follow at the end.


IP Forwarding

IP forwarding tells the Linux system to send packets on to their proper destination. It must be enabled before we attempt ARP cache poisoning: once we have inserted ourselves as a man-in-the-middle (MitM), it ensures that packets still reach their proper destination. In essence, after we grab the network packets from the target system we have to pass them on to their destination, or we simply create a denial of service (DoS).

Step 1: Setup IP forwarding

root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Check that the command took effect; the file should now contain 1:

root@kali:~# cat /proc/sys/net/ipv4/ip_forward

[Screenshot: IPForward]

Find Default Gateway

Step 2: Discover your current default gateway

root@kali:~# netstat -nr

[Screenshot: DefaultGateway]

Locate Target IP

To execute an attack against a target we must first know which IP address to target. One of the most popular network enumeration programs is Nmap. This free and open-source program can scan networks using a multitude of methods. There are different ways to use Nmap, and some are stealthier than others. For the sake of this demonstration we are going to use the program's default settings. Please note that this method may alert a security administrator to your presence; however, a full description and implementation of Nmap is out of scope for this project. For more information on the stealth features please visit the Nmap website.

The syntax for Nmap follows: nmap [arguments] [network to scan]

We are going to use the following two arguments: “-R” to perform a reverse DNS lookup on every host, and “-sn” to skip port scanning. From the gateway information above we can deduce that the attached network is a Class C (/24), so we limit our scan to the local network.

Step 3: Locate target IP address

root@kali:~# nmap -Rsn 192.168.2.0/24

[Screenshot: nmap_scan]

The host ceolaptop.bahansen.info, which resolves to 192.168.2.88, is a prime target. With both the target system and the default gateway known, we can now execute our attack.

MitM with ARPSpoof

ARPSpoof repeatedly sends forged ARP replies so that the local network associates the CEO’s laptop (and, with the -r option, the gateway) with the Raspberry Pi’s network card. The network then sends those packets to Kali Linux for us to intercept, and the IP forwarding enabled in Step 1 passes them back and forth between the CEO’s laptop and their real destination.

The syntax for ARPSpoof follows: arpspoof -i <interface> -t <target IP> -r <gateway IP>

Step 4: Issue the ARP cache poisoning command using ARPSpoof

root@kali:~# arpspoof -i eth0 -t 192.168.2.88 -r 192.168.2.1

This command occupies the current terminal window. Leave ARPSpoof running and open a second connection to the Raspberry Pi to issue the remaining commands.
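The poisoning described above has a distinctive footprint on the wire: one MAC address starts answering for both the gateway and the target, and each of those IPs suddenly “moves” to a new MAC. The following detector is an added example, not part of this tutorial; it runs over a constructed sample of ARP replies in the tab-separated shape that tshark -T fields produces (the field names arp.src.proto_ipv4 and arp.src.hw_mac are assumed), and all MAC addresses and timings are made up.

```python
from collections import defaultdict

# Constructed sample in the tab-separated shape of (assumed field names)
#   tshark -Y "arp.opcode == 2" -T fields -e frame.time_relative -e arp.src.proto_ipv4 -e arp.src.hw_mac
# The gateway and a host answer normally, then a third MAC starts claiming both of
# their addresses: the pattern arpspoof -t <target> -r <gateway> produces.
SAMPLE_ARP_REPLIES = """\
0.000\t192.168.2.1\taa:aa:aa:aa:aa:01
0.500\t192.168.2.88\tbb:bb:bb:bb:bb:88
10.000\t192.168.2.1\tcc:cc:cc:cc:cc:cc
10.100\t192.168.2.88\tcc:cc:cc:cc:cc:cc
12.000\t192.168.2.1\tcc:cc:cc:cc:cc:cc
"""

def parse_arp_replies(text):
    """Yield (seconds, sender_ip, sender_mac) from tab-separated lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 3:
            continue
        ts, ip, mac = parts
        yield float(ts), ip, mac.lower()

def detect_arp_spoofing(replies, trusted=None):
    """Return de-duplicated alerts as tuples.

    ("ip-moved", ts, ip, old_mac, new_mac): an IP is now answered for by a different MAC.
    ("mac-multi-ip", ts, mac, ips): one MAC claims several IPs (gateway + host is the MitM signature).
    `trusted` pins known IP->MAC pairs (e.g. the gateway) so the first reply seen is not blindly trusted.
    """
    expected = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    claims = defaultdict(set)          # mac -> every IP it has claimed so far
    alerts, reported = [], set()
    for ts, ip, mac in replies:
        claims[mac].add(ip)
        old = expected.setdefault(ip, mac)   # first answer wins unless pinned via `trusted`
        if mac != old and ("ip-moved", ip, mac) not in reported:
            reported.add(("ip-moved", ip, mac))
            alerts.append(("ip-moved", ts, ip, old, mac))
        ips = tuple(sorted(claims[mac]))
        if len(ips) > 1 and ("mac-multi-ip", mac, ips) not in reported:
            reported.add(("mac-multi-ip", mac, ips))
            alerts.append(("mac-multi-ip", ts, mac, ips))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_replies(SAMPLE_ARP_REPLIES)):
        print(alert)
```

On a real network, pinning the gateway's MAC in `trusted` (or enabling switch-side dynamic ARP inspection) is what turns this from a lab check into a usable control.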

Running Wireshark Remotely

Linux lets you run X Window System (X11) programs remotely, which means we can access the Graphical User Interface (GUI) of Wireshark through our SSH session. The only additional requirement is to pass the “-X” (X11 forwarding) argument to the ssh command.

Step 5: Open an SSH session with X forwarding enabled

root@kali:~# ssh -X 192.168.11.15


Step 6: Launch Wireshark

root@kali:~# wireshark

[Screenshot: Wireshark_Main]

Wireshark will launch and you will see the options shown above. To verify that you are indeed running Wireshark from the Raspberry Pi, click on “Interface List” and check that the IP address listed is on the same network as the one scanned above and different from the laptop’s.

[Screenshot: Wireshark_IPAddress]

Capturing Packets

Step 7: Start capturing packets with Wireshark

[Screenshot: Wireshark_Start]

[Screenshot: Wireshark_Stop]

  1. Select the check box next to the “eth0” interface; this is the built-in network card on the Raspberry Pi.
  2. Click “Start” and wait until you feel confident you have captured enough data.
  3. Click the “Stop” button to stop capturing packets.


Step 8: Filter the captured data based on the source IP address

Enter the following into the Filter box in Wireshark: ip.src == 192.168.2.88 and http.request.full_uri contains login

[Screenshot: Wireshark_IPSrc]


Step 9: Use Wireshark to view the raw data being sent between the target computer and the server.

[Screenshot: Wireshark_POST]

[Screenshot: Wireshark_FollowTCP]

[Screenshot: Wireshark_Password]

  1. Select the packet that carries the HTTP “POST” for the log-in page.
  2. Right-click and select “Follow TCP Stream”.
  3. Locate the log-in name and password in the raw stream.

The “%21” is URL encoding for “!”; after decoding you get:

User Name: IA590
Password: SecurityRocks!

The credentials are readable here only because the site is served over plain HTTP; over HTTPS (TLS) the same “Follow TCP Stream” view shows only encrypted records, which is why log-in pages should be served exclusively over HTTPS.

Video Instructions


Commands Only


echo 1 > /proc/sys/net/ipv4/ip_forward
netstat -nr
nmap -Rsn 192.168.2.0/24
arpspoof -i eth0 -t 192.168.2.88 -r 192.168.2.1
ssh -X 192.168.11.15
wireshark