1 of 19

Insecure Protocols

Conversations about the Network

James Feister openjaf@gmail.com

2 of 19

Computer Security

  • Misconfigurations
  • Software exploitation
  • Hardware exploitation
  • Physical attacks
  • Social Engineering
  • Computer Network Defense
  • Pick a team? Red Team, Blue Team, CSIRT

3 of 19

Reconnaissance

  • Social networks
    • 3 Questions
    • Friends and Family
  • Public Web Pages
  • shodan (ref 7)
  • Message Boards
  • Chat rooms
  • Passive Observance
  • maltego (ref 6)

4 of 19

“Tap all the Things” (Liam Randall : BRO IDS)

  • Passive Taps
  • Handmade - 10BASE-T 100BASE-T
  • Commercial - Gigabit and beyond
  • Span port - Someone is just being nice
  • Wireless is awesome for this but tricky
  • Active: Man in the Middle

5 of 19

Tools and Viz

  • RTFM! - Always a fine reference
  • /etc/services - If you forget a port number
  • tcpdump - Capture traffic to screen or file
  • ettercap - Sniffing and MITM attacks
  • ngrep - grep for network data
  • pcap-filter - packet filter syntax
  • wireshark - Awesome analyst tool and more
  • dsniff - live capture of credentials
  • ntop - Passive fingerprinting of network traffic

6 of 19

What to look for

  • NFS
  • SYSLOG
  • HTTP under HTTPS
  • Netbios
  • SMB
  • FTP
  • TELNET
  • SMTP
  • IGMP
  • SNMP

7 of 19

Preparing the interface

  • For each interface use ethtool to disable segmentation offloading (ref 1).

$ for i in rx tx sg tso ufo gso gro lro; do ethtool -K interface_name $i off; done

  • Set the -s0 flag when using tcpdump. By default tcpdump only captures the first 64 bytes of each packet; -s0 makes sure it captures the full packet.
  • Wireless cards require monitor mode to capture everyone's traffic. Remember aircrack-ng.
  • Crack the wireless key and obtain the various pairwise keys on WPA/WPA2 networks. (ref 5) *needs explanation of these steps

8 of 19

tcpdump, used to capture data

  • Show live capture with some verbosity

$> tcpdump -s0 -i interface -vvv

  • Write to a file file.pcap

$> tcpdump -s0 -i interface -w file.pcap

  • Use a pcap filter, port 21

$> tcpdump -s0 -i interface port 21

  • Use monitor mode to capture all wireless traffic

$> tcpdump -s0 -I -i interface

9 of 19

ngrep

  • Print out usernames and passwords, may be in base64== (ref 8)
  • For TELNET

$> ngrep -I telnet.pcap -W byline port 23

  • Now for SMTP

$> ngrep -I smtp.pcap -W byline port 25

  • Now for FTP

$> ngrep -I ftp.pcap -W byline port 21

$> ngrep -I ftp.pcap -W byline port 20

10 of 19

ettercap

  • Dump ftp username and password from the ftp.pcap capture file.

$> ettercap -r ftp.pcap -Tzq //21

  • Poke around the user console

$> ettercap -Tzq -i interface_name

Type ‘h’ for help menu

11 of 19

FTP - What does this get us?

  • Possible logins used on other services
  • Firmware being pulled to update network devices. Now I know what version you use.
  • Anonymous access company sites.
    • Q: It's only up there for X hours? A: My script can pull files every Y minutes.
    • Q: It's encrypted, I don't have to worry, right? A: I can send it to my brute force farm.
    • I have identified an exfiltration point.

12 of 19

FTP - examples

$ ettercap -r ctp.pcap -Tzq //21

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Reading from ftp.pcap... (Ethernet)
28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Starting Unified sniffing...

FTP : 192.168.9.1:21 -> USER: thickeners PASS: ennobling
FTP : 192.168.9.3:21 -> USER: cabbage PASS: hydrodynamic
FTP : 192.168.9.4:21 -> USER: housetops PASS: statements
FTP : 192.168.9.5:21 -> USER: worrying PASS: cottoned

End of dump file...
Terminating ettercap...

$ ngrep -I ctp.pcap -W byline port 21

input: ctp.pcap
filter: (ip or ip6) and ( port 21 )
###
#
T 192.168.9.1:21 -> 192.168.9.3:49433 [AP]
220 This is the system banner Do not login..
#
.. Username and Password exchange Cut out ..
T 192.168.9.3:49433 -> 192.168.9.1:21 [AP]
STOR qrcode170.png.
#
T 192.168.9.1:21 -> 192.168.9.3:49433 [AP]
150 Connection accepted.
......

exit

file operation

got creds?

13 of 19

TELNET

  • Possible logins used on other services
  • Was used to access network device management consoles. Hopefully they now use ssh.
  • Status info from servers: mail, proxies
  • SCADA systems: Hey, let's make that device IP accessible!! (ref 7)

14 of 19

TELNET - example

$ ngrep -I ctp.pcap -W byline port 23

input: ctp.pcap
filter: (ip or ip6) and ( port 23 )
#
T 192.168.9.1:23 -> 192.168.9.2:49265 [AP]
Linux 2.6.31 (rox) (1).
rox login:
#
T 192.168.9.2:49265 -> 192.168.9.1:23 [AP]
roger
#
T 143.84.99.216:23 -> 192.168.9.2:49265 [AP]
Password:
#
T 192.168.9.2:49265 -> 192.168.9.1:23 [AP]
nothing
#
T 192.168.9.2:49265 -> 192.168.9.1:23 [AP]
export TERM=vt220
ls
exit

Commands Executed

Login Section
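An added detection-side example, not from the slides: it parses output in the `ngrep -W byline` layout used in the FTP and TELNET examples above and raises an alert, without reproducing the secret, whenever a USER/PASS command goes to port 21 or a reply to a telnet "Password:" prompt goes to port 23. The sample capture text is constructed.

```python
import re
# Constructed sample (not the slide's capture) in the layout of ngrep -W byline output.
SAMPLE = """\
T 192.168.9.3:49433 -> 192.168.9.1:21 [AP]
USER alice.
#
T 192.168.9.3:49433 -> 192.168.9.1:21 [AP]
PASS hunter2.
#
T 192.168.9.1:23 -> 192.168.9.2:49265 [AP]
Password:
#
T 192.168.9.2:49265 -> 192.168.9.1:23 [AP]
nothing
#
"""
HEADER = re.compile(r"^T (\S+):(\d+) -> (\S+):(\d+) \[(\w+)\]$")
CLEARTEXT_PORTS = {21: "FTP", 23: "TELNET"}

def parse_segments(text):
    # One dict per "T src -> dst [flags]" header; '#' lines separate segments.
    segments, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"src": m[1], "sport": int(m[2]), "dst": m[3],
                       "dport": int(m[4]), "payload": []}
            segments.append(current)
        elif line.startswith("#"):
            current = None
        elif current is not None:
            current["payload"].append(line.rstrip("."))  # byline shows CR/LF as '.'
    return segments

def find_cleartext_creds(text):
    """Return alerts (never the secrets) for credentials sent over FTP or TELNET."""
    alerts, awaiting = [], set()  # client flows just shown a telnet Password: prompt
    for seg in parse_segments(text):
        if seg["dport"] in CLEARTEXT_PORTS:  # client -> server direction
            proto, flow = CLEARTEXT_PORTS[seg["dport"]], (seg["src"], seg["sport"])
            for line in seg["payload"]:
                verb = line.split(" ", 1)[0].upper()
                if proto == "FTP" and verb in ("USER", "PASS"):
                    alerts.append(f"FTP {verb} in clear to {seg['dst']}:{seg['dport']}")
                elif proto == "TELNET" and flow in awaiting:
                    alerts.append(f"TELNET password in clear to {seg['dst']}:{seg['dport']}")
                    awaiting.discard(flow)
        elif CLEARTEXT_PORTS.get(seg["sport"]) == "TELNET" and any(
                l.endswith("Password:") for l in seg["payload"]):  # server prompt
            awaiting.add((seg["dst"], seg["dport"]))
    return alerts
```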

15 of 19

SMTP

  • Usernames and passwords for accounts
  • Target the executives' email
  • Blackmail
  • Trade secrets
  • Meetings and appointments - I can follow you

16 of 19

SMTP example

$ tcpdump -tnAK -s0 -r ctp.pcap port 25

IP 192.168.1.3.smtp > 192.168.1.2.50289: Flags [P.], seq 1:17, ack 1, win 256, length 16
E..8,<@......Tc..Tc....q..\L....P...}@..220 MAIL ESMTP
IP 192.168.1.2.50289 > 192.168.1.3.smtp: Flags [P.], seq 1:21, ack 17, win 256, length 20
E..<.'@......Tc..Tc..q........\\P.......ehlo [143.84.99.2]
IP 192.168.1.3.smtp > 192.168.1.2.50289: Flags [P.], seq 17:62, ack 21, win 256, length 45
E..U,=@......Tc..Tc....q..\\....P...cO..250-MAIL
250-SIZE 20480000
250 AUTH LOGIN
IP 192.168.1.2.50289 > 192.168.1.3.smtp: Flags [P.], seq 21:46, ack 62, win 256, length 25
E..A.(@......Tc..Tc..q........\.P.......AUTH LOGIN YmlydGhkYXlz
IP 192.168.13.smtp > 192.168.1.2.50289: Flags [P.], seq 62:80, ack 46, win 256, length 18
E..:,>@......Tc..Tc....q..\.....P....4..334 UGFzc3dvcmQ6
IP 192.168.1.2.50289 > 192.168.1.3.smtp: Flags [P.], seq 46:60, ack 80, win 256, length 14
E..6.)@......Tc..Tc..q........\.P.......cGFyb2xpbmc=
IP 192.168.1.3.smtp > 192.168.1.2.50289: Flags [P.], seq 80:100, ack 60, win 256, length 20
E..<,?@......Tc..Tc....q..\.....P....v..235 authenticated.

Username, Base64 encoded
$ echo "YmlydGhkYXlz" | base64 -d
birthdays

Password Request, Base64 encoded
$ echo "UGFzc3dvcmQ6" | base64 -d
Password:

Password, Base64 encoded
$ echo "cGFyb2xpbmc=" | base64 -d
paroling
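An added defender-side example, not from the slides: it replays an SMTP dialogue shaped like the capture above, decodes the AUTH LOGIN challenge the same way the base64 commands do, and reports whether the login crossed the wire readable. Both sessions are constructed; the second shows the STARTTLS-first exchange in which the AUTH step is no longer visible to a sniffer.

```python
import base64

def b64(s):
    return base64.b64decode(s).decode(errors="replace")

# Two constructed dialogues shaped like the slide's capture ("S" server, "C" client),
# not its actual packets. A authenticates in the clear; B negotiates STARTTLS first,
# so its AUTH exchange never appears on the wire as readable text.
SESSION_A = [
    ("S", "220 MAIL ESMTP"), ("C", "ehlo [192.0.2.10]"),
    ("S", "250-MAIL"), ("S", "250-SIZE 20480000"), ("S", "250 AUTH LOGIN"),
    ("C", "AUTH LOGIN " + base64.b64encode(b"birthdays").decode()),
    ("S", "334 " + base64.b64encode(b"Password:").decode()),
    ("C", base64.b64encode(b"paroling").decode()),
    ("S", "235 authenticated."),
]
SESSION_B = [
    ("S", "220 MAIL ESMTP"), ("C", "ehlo [192.0.2.10]"),
    ("S", "250-MAIL"), ("S", "250-STARTTLS"), ("S", "250 AUTH LOGIN"),
    ("C", "STARTTLS"), ("S", "220 Ready to start TLS"),
    ("C", "AUTH LOGIN ..."),  # from here a sniffer sees only TLS records
]

def audit_smtp_auth(session):
    """Replay the dialogue and report whether AUTH LOGIN ran outside TLS."""
    report = {"starttls": False, "auth_in_clear": False,
              "username": None, "password_exposed": False}
    pending = None  # what the next line answers: "tls", "username" or "password"
    for who, line in session:
        if who == "C" and line.upper() == "STARTTLS":
            pending = "tls"
        elif who == "S" and pending == "tls" and line.startswith("220"):
            report["starttls"], pending = True, None
        elif who == "C" and line.upper().startswith("AUTH LOGIN"):
            if report["starttls"]:
                break  # credentials travel inside TLS; nothing readable to recover
            report["auth_in_clear"] = True
            parts = line.split(" ", 2)
            if len(parts) == 3:  # initial response carries the base64 username
                report["username"] = b64(parts[2])
        elif who == "S" and line.startswith("334 ") and report["auth_in_clear"]:
            pending = b64(line[4:]).rstrip(":").lower()  # "Username:" / "Password:"
        elif who == "C" and pending in ("username", "password"):
            if pending == "username":
                report["username"] = b64(line)
            else:
                report["password_exposed"] = True  # decodable; deliberately not kept
            pending = None
    return report
```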

17 of 19

SNMP

  • Identify network infrastructure assets
  • V1 and V2: insecure communication
  • V3: more security, but still breakable and still not as widely used.
  • Identify all command and control points to use

18 of 19

References

19 of 19

todo

IGMP, SMB, NFS: discussion and examples

SNMP: examples