
Lab-6: Sniffing

Sniffing is an essential method of collecting information. If an attacker gains access to a network somehow, one of the first actions will be to sniff the network to capture sensitive data such as usernames and passwords. Internal threats such as disgruntled employees may also sniff their company networks to collect sensitive information.

The most effective countermeasure against sniffing is encryption. Today, most web traffic is encrypted with TLS, so your webmail and social media passwords cannot be read by a sniffer even if the packets are captured.

However, legacy protocols such as FTP and Telnet are still in use. Because these protocols have no encryption, both the credentials and the data they carry can be read directly from captured packets.

Section-1: Sniffing FTP Credentials by Using Wireshark

  • Enter the Netlab environment and open the Kali Linux computer.
  • Type toor as the password
  • Click on the Kali icon on the bottom left corner, and type wireshark on the search box to open Wireshark sniffer
  • Ensure that the eth0 network interface has been selected (1) and then click the capture icon (2).
  • Open a terminal window
  • Type in ftp 192.168.2.14 to open a connection to FTP server hosted on 192.168.2.14 (Metasploitable)
  • Type anonymous as the user name and anything you want as the password. You will see that Wireshark is capturing the FTP traffic you are creating.
  • Stop the packet capture by clicking the stop button, type ftp in the display filter bar and press Enter.

 

  • Wireshark's Info column shows the USER command (anonymous) and the PASS command with the password you typed, in cleartext.

Take a screenshot of Wireshark windows showing the password you typed.

Section-2: Sniffing Telnet Credentials by Using Wireshark

In this section, you will sniff the telnet password.

  • Click the capture icon once again on the top left corner of the Wireshark window.
  • When prompted to save the previous capture, click Continue without Saving

Note that if you closed the Wireshark window, follow the steps from the previous section to open Wireshark again.

  • Open a new terminal window or use the previous terminal windows you opened in Section-1.
  • Type in telnet 192.168.2.13 to open a Telnet connection to the Windows 7 machine.
  • Type in admin as the username and admin as the password
  • Stop the packet capture by clicking the stop button, type telnet in the display filter bar and press Enter.
  • Select one of the captured packets (1), right-click it (2) and choose Follow > TCP Stream (3). You will see the reassembled session, including the credentials, in cleartext (4). Note that the Telnet client sends one keystroke per packet and the server does not echo the password, so the password is only visible in the client-to-server direction of the stream, which is why following the stream is easier than reading individual packets.

Take a screen capture of the TCP stream window.
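The following Python script is an added example for Sections 1 and 2; it is not part of the lab handout and is not Wireshark code. It does by hand what the ftp filter and "Follow > TCP Stream" do for you: it reads the client side of an FTP control connection for USER/PASS, and reassembles a Telnet session (stripping the IAC option negotiation and attributing each client line to the server prompt before it). The FTP bytes, the Telnet banner and the password secret123 are constructed sample data, not a capture from the Netlab machines.

```python
"""Pull cleartext credentials out of FTP and Telnet TCP streams.

Added example for this lab; it is not part of the handout and is not
Wireshark code. The byte strings below are constructed to resemble what
"Follow > TCP Stream" shows for Sections 1 and 2 (banner text and the
secret123 password are assumed).
"""
IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}          # WILL, WONT, DO, DONT


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove Telnet option negotiation (RFC 854 IAC sequences), keep user data."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):                    # truncated IAC at end of segment
            break
        cmd = data[i + 1]
        if cmd == IAC:                            # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                           # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in OPTION_CMDS:                  # three bytes: IAC <cmd> <option>
            i += 3
        else:                                     # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


def ftp_credentials(client_to_server: bytes) -> dict:
    """USER/PASS from the client side of an FTP control connection (port 21)."""
    creds = {}
    for line in client_to_server.decode("ascii", "replace").splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            creds["user"] = arg
        elif verb.upper() == "PASS":
            creds["password"] = arg
    return creds


def telnet_credentials(segments) -> dict:
    """Reassemble a Telnet session from (direction, payload) segments.

    direction is "C" (client->server) or "S" (server->client). The client
    usually sends one keystroke per segment and the server never echoes the
    password, so the password only exists in the client direction; each
    completed client line is attributed to the server prompt that preceded it.
    """
    creds, prompt, line = {}, "", bytearray()
    for direction, payload in segments:
        data = strip_telnet_iac(payload)
        if direction == "S":
            prompt += data.decode("ascii", "replace")
            continue
        for b in data:
            if b in (0x0D, 0x0A, 0x00):           # CR LF or CR NUL ends a line
                if line:
                    text = line.decode("ascii", "replace")
                    if "password" in prompt.lower():
                        creds["password"] = text
                    elif "login" in prompt.lower() or "username" in prompt.lower():
                        creds["user"] = text
                    line, prompt = bytearray(), ""
            else:
                line.append(b)
    return creds


# Constructed sample data (not captured from the Netlab machines).
FTP_CLIENT_STREAM = b"USER anonymous\r\nPASS secret123\r\nSYST\r\nQUIT\r\n"

TELNET_SEGMENTS = (
    [("S", b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),   # DO TTYPE/NAWS/...
     ("C", b"\xff\xfc\x18\xff\xfc\x20\xff\xfc\x23\xff\xfc\x27"),   # WONT ...
     ("S", b"Welcome to Microsoft Telnet Service \r\n\r\nlogin: ")]
    + [("C", c.encode()) for c in "admin"] + [("C", b"\r\n")]
    + [("S", b"admin\r\npassword: ")]
    + [("C", c.encode()) for c in "admin"] + [("C", b"\r\n")]
)

if __name__ == "__main__":
    print("FTP:   ", ftp_credentials(FTP_CLIENT_STREAM))
    print("Telnet:", telnet_credentials(TELNET_SEGMENTS))
```

The point of the example is how little work the attacker has to do: there is no decryption step anywhere, only byte reassembly. Running the script prints the anonymous/secret123 FTP pair and the admin/admin Telnet pair from the constructed streams.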

Section-3: Sniffing RDP Credentials by Using Cain

In Section-1 and Section-2, you ran the sniffer on the same computer that opened the connection to the remote computer, so the traffic passed through your own network interface and you could capture it.

In a switched network like the one you are using in the Netlab, you cannot passively sniff traffic between two other computers: a switch forwards each frame only to the port where it has learned the destination MAC address, so frames exchanged between two other hosts never reach your interface.

A man-in-the-middle (MITM) attack gets around this by placing the attacker's machine in the path between the two hosts. The technique used in this lab is ARP cache poisoning (also called ARP spoofing): the attacker sends forged ARP replies so that each victim associates the other victim's IP address with the attacker's MAC address, and the switch then delivers their frames to the attacker's port. In this lab, you will launch the attack and capture the credentials typed into an RDP (Remote Desktop Protocol) session. The visualization of the attack is given below.

After launching the MITM attack using the Cain tool, RDP traffic between Windows 7 Target and Windows 2008 will be directed to Windows 7 Attacker; and Windows 7 Attacker will relay this traffic.

  • Open Windows 7 Attacker on Netlab environment
  • Run the Cain tool by clicking the Cain icon on the desktop, start Sniffer (1) and click the Sniffer tab (2). You will be on the hosts section by default (3).
  • Open the MAC address scan menu by right-clicking anywhere on the spreadsheet and clicking on the Scan MAC Addresses
  • Choose the range as shown below and click the OK button. (This is the range for IP addresses for 192.168.2.0/24 network.)
  • You will see a result screen like below.
  • Now, it is time to launch the MITM attack. To do this, Cain will poison the ARP caches of the Windows 7 Target and Windows 2008 machines so that their traffic passes through the Windows 7 Attacker machine. Complete the steps below to get everything ready for ARP cache poisoning.
    1. Click the APR tab (1)
    2. Click APR icon (2)
    3. Click on the empty spreadsheet on the workspace (3)
    4. Click on the “+” icon to add hosts for ARP cache poisoning (4)
    5. Select IP Address 192.168.2.13 from the left section (5)
    6. Select IP Address 192.168.2.11 from the right section (6)
    7. Click OK

 

  • Start poisoning by clicking the poisoning button (1)
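The following Python script is an added example that is not part of the lab handout and is not how Cain is implemented. It builds a small constructed ARP capture that mirrors what the poisoning step above does on the wire (the attacker answering for 192.168.2.11 toward the target and for 192.168.2.13 toward the server) and runs an arpwatch-style monitor over it, which is the kind of detection that would have exposed this attack. The MAC addresses are assumed; the IP addresses are the lab's.

```python
"""Detect ARP cache poisoning from a sequence of Ethernet/ARP frames.

Added example for this lab (not part of the handout and not Cain's code).
The MAC addresses are assumed; the IPs match the lab topology, where the
attacker relays traffic between 192.168.2.13 (target) and 192.168.2.11
(Windows 2008 server).
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, src_mac, src_ip, dst_mac, dst_ip, eth_dst=None) -> bytes:
    """Ethernet II frame carrying an ARP packet (RFC 826 layout, 42 bytes)."""
    eth = (eth_dst or dst_mac) + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + src_mac + src_ip + dst_mac + dst_ip
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28], frame[28:32], frame[32:38], frame[38:42]


class ArpWatch:
    """arpwatch-style monitor: remember IP->MAC bindings, flag changes and unsolicited replies."""

    def __init__(self):
        self.table = {}        # ip bytes -> mac bytes
        self.pending = set()   # ips a request was seen for, so a reply is expected
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, smac, sip, tmac, tip = parsed
        if op == ARP_REQUEST:
            self.pending.add(tip)
            self._learn(sip, smac)   # requests also advertise the sender's binding
        elif op == ARP_REPLY:
            if sip not in self.pending:
                self.alerts.append(f"unsolicited reply: {fmt_ip(sip)} is-at {fmt_mac(smac)}")
            self.pending.discard(sip)
            self._learn(sip, smac)

    def _learn(self, ip_: bytes, mac_: bytes) -> None:
        old = self.table.get(ip_)
        if old is not None and old != mac_:
            self.alerts.append(f"flip-flop: {fmt_ip(ip_)} changed {fmt_mac(old)} -> {fmt_mac(mac_)}")
        self.table[ip_] = mac_


# Constructed capture (assumed MACs). Frames 1-2: legitimate resolution.
# Frames 3-4: the poisoning replies, one toward each victim.
TARGET_MAC, SERVER_MAC, ATTACKER_MAC = (mac("00:50:56:aa:00:13"),
                                        mac("00:50:56:aa:00:11"),
                                        mac("00:50:56:aa:00:99"))
TARGET_IP, SERVER_IP = ip("192.168.2.13"), ip("192.168.2.11")
CAPTURE = [
    build_arp(ARP_REQUEST, TARGET_MAC, TARGET_IP, mac("00:00:00:00:00:00"), SERVER_IP, eth_dst=BROADCAST),
    build_arp(ARP_REPLY, SERVER_MAC, SERVER_IP, TARGET_MAC, TARGET_IP),
    build_arp(ARP_REPLY, ATTACKER_MAC, SERVER_IP, TARGET_MAC, TARGET_IP),
    build_arp(ARP_REPLY, ATTACKER_MAC, TARGET_IP, SERVER_MAC, SERVER_IP),
]


def run(capture=CAPTURE) -> list:
    watch = ArpWatch()
    for frame in capture:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Both signals the monitor raises are exactly what the attack relies on: a victim's cache accepts a reply it never asked for, and an IP address silently changes owner. Static ARP entries on the two servers, or Dynamic ARP Inspection on the switch, would have dropped the forged replies outright; the monitor here only detects them after the fact.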

Now, it is time to create RDP traffic between Windows 7 Target and Windows 2008. Because of the poisoned ARP caches, this traffic will no longer flow directly between the two computers; it will pass through Windows 7 Attacker.

  • Switch to Windows 7 Target on the Netlab environment.
  • Click the Start button and click on the Remote Desktop Connection icon.
  • Type 192.168.2.11 in the computer section, which is the IP address of Windows 2008. Click connect.

 

  • Type administrator as username and aA12345 as password. Click OK.

 

  • Click Yes at the certificate warning window. The warning appears because the attacker machine, not Windows 2008, is now answering the RDP connection; a user who refuses the unexpected certificate here stops the attack.

 

  • You will log into Windows 2008 over the RDP connection.
  • Switch to Windows 7 Attacker. Open the captured traffic by clicking APR-RDP on the tree (1), right-clicking the second row and clicking View.
  • The captured traffic opens in Notepad. Search within Notepad for the keyword "keypressed". You will see every key the user pressed while connecting to the remote computer over RDP.

Take a screen capture of the Notepad showing the first two characters of the password.

Weekly Learning and Reflection

In two to three paragraphs (i.e., sentences, not bullet lists), using APA style citations if needed, summarize and interact with the content covered in this lab. Summarize what you did as an attacker, what kinds of vulnerabilities you exploited, and what might have prevented these attacks. Mention the attacker and all of the targets in your summary. You can provide topologies, sketches or graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also about what you have learned through the session. You can ask questions about the things you are confused about. Questions asked here will be summarized and answered anonymously in the next class.
