Sniffing gives the attacker a way to capture data and intercept passwords. These may be clear-text FTP or Telnet passwords or even encrypted NTLM passwords. Man-in-the-middle attacks can be used to literally steal someone else's authenticated session. The attacker is then logged in with the same rights and privileges as the user the session was stolen from, and is free to erase, change, or modify information at that point. Sniffing, session hijack, and man-in-the-middle attacks all represent powerful tools for hackers.
Session Hijack with Ettercap
Ettercap is an open source tool written by Alberto Ornaghi and Marco Valleri. Available from http://ettercap.sourceforge.net/, ettercap will compile on most major operating systems. Ettercap is not strictly an attack tool; it includes many plugins for attempting to detect other systems engaging in potentially malicious activity on the network. Connecting to the attacking server via SSH, we start ettercap with the -T and -q options. The -T option forces ettercap to use a text interface, and the -q option suppresses ettercap listing every packet that it sniffs. From within this interface, we can press p to view the list of plugins available in ettercap, a number of which are listed below.
1. autoadd 1.2 Automatically add new victims in the target range
2. chk_poison 1.1 Check if the poisoning had success
3. dos_attack 1.0 Run a d.o.s. attack against an IP address
4. find_conn 1.0 Search connections on a switched LAN
5. find_ip 1.0 Search an unused IP address in the subnet
6. gw_discover 1.0 Try to find the LAN gateway
7. isolate 1.0 Isolate an host from the lan
8. link_type 1.0 Check the link type (hub/switch)
9. pptp_chapms1 1.0 PPTP: Forces chapms-v1 from chapms-v2
10. pptp_clear 1.0 PPTP: Tries to force cleartext tunnel
11. pptp_pap 1.0 PPTP: Forces PAP authentication
12. pptp_reneg 1.0 PPTP: Forces tunnel re-negotiation
13. rand_flood 1.0 Flood the LAN with random MAC addresses
14. repoison_arp 1.0 Repoison after broadcast ARP
15. smb_clear 1.0 Tries to force SMB cleartext auth
16. smb_down 1.0 Tries to force SMB to not use NTLM2 key auth
17. stp_mangler 1.0 Become root of a switches spanning tree
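Several of the plugins above (chk_poison, repoison_arp, autoadd) revolve around ARP poisoning, which is what lets a switched-LAN sniffer see traffic that was not addressed to it. The following is an added example, not code from the book or from the ettercap project, showing how a defender can spot the symptom from the host side: it diffs two snapshots of the neighbour table and flags an IP whose MAC changed (most serious when it is the gateway) or a single MAC that now answers for several IPs. The two snapshots are constructed sample text in the format of `ip -4 neigh show`; the gateway address is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample: two snapshots of `ip -4 neigh show` output, in the
# form "<ip> dev <iface> lladdr <mac> <state>". In the second snapshot the
# gateway's MAC has changed and one MAC is answering for three addresses.
BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:aa:bb:10 STALE
192.168.1.20 dev eth0 lladdr 00:11:22:aa:bb:20 REACHABLE
"""
AFTER = """\
192.168.1.1 dev eth0 lladdr 00:11:22:aa:bb:20 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:aa:bb:10 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:aa:bb:20 REACHABLE
192.168.1.30 dev eth0 lladdr 00:11:22:aa:bb:20 DELAY
"""

# Entries without a link-layer address (FAILED / INCOMPLETE) carry no
# "lladdr" token and are deliberately skipped by this pattern.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.I)


def parse_neigh(text):
    """Return {ip: mac} from `ip -4 neigh show` style lines."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def detect_poisoning(before, after, gateway):
    """Compare two {ip: mac} snapshots and return (severity, message) findings."""
    findings = []
    # 1. An IP whose MAC changed between snapshots. A change on the
    #    gateway address is the classic sign that traffic is being relayed.
    for ip, mac in after.items():
        old = before.get(ip)
        if old and old != mac:
            severity = "high" if ip == gateway else "medium"
            findings.append((severity, f"{ip} changed from {old} to {mac}"))
    # 2. One MAC claiming several IPs: a poisoner answering for many hosts.
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("medium", f"{mac} answers for {len(ips)} addresses: "
                                       + ", ".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    # Assumed gateway for the constructed sample.
    for severity, msg in detect_poisoning(parse_neigh(BEFORE), parse_neigh(AFTER), "192.168.1.1"):
        print(f"[{severity}] {msg}")
```

On a live host the two snapshots would come from running `ip -4 neigh show` some seconds apart; a static ARP entry for the gateway, or dynamic ARP inspection on the switch, is the usual mitigation once the symptom is confirmed.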
Sidejacking with Firesheep
Many social networking domains maintain user access by means of a cookie. Cookies are used to validate users to Facebook, Twitter, and others through an unencrypted channel. Firesheep allows anyone to steal a user's cookie. With this cookie, a malicious person can have full access to the victim's profile.
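What makes the cookie stealable is that the browser sends it on plain-HTTP requests, where a sniffer can read it. The following is an added example, not from the book or from Firesheep, that audits a Set-Cookie header for the attributes that close this hole (Secure stops the cookie being sent over HTTP at all; HttpOnly and SameSite limit other routes to it) and rewrites a weak header into its hardened form. The cookie names and values are constructed; the list of "session-like" names is an assumption used only to rank severity.

```python
# Constructed sample headers: the first is how a site that authenticates
# over an unencrypted channel typically sets its session cookie; the
# second is the same cookie with the protective attributes added.
LEAKY = "sessionid=7c1f3e9a; Path=/; Domain=.example.com"
HARDENED = "sessionid=7c1f3e9a; Path=/; Domain=.example.com; Secure; HttpOnly; SameSite=Lax"

# Assumed names that usually carry an authenticated session.
SESSION_NAMES = {"sessionid", "sid", "phpsessid", "auth_token"}


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")          # flag attrs have no '='
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def sent_over(header, scheme):
    """Would a browser attach this cookie to a request using `scheme`?"""
    _, _, attrs = parse_set_cookie(header)
    return scheme == "https" or "secure" not in attrs


def audit_cookie(header):
    """Return (severity, message) findings for a Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    severity = "high" if name.lower() in SESSION_NAMES else "low"
    findings = []
    if "secure" not in attrs:
        findings.append((severity, "missing Secure: sent over plain HTTP, "
                                   "where a passive sniffer can copy it"))
    if "httponly" not in attrs:
        findings.append((severity, "missing HttpOnly: readable by page scripts"))
    if "samesite" not in attrs:
        findings.append(("low", "missing SameSite: attached to cross-site requests"))
    return findings


def harden(header):
    """Append whichever protective attributes the header lacks."""
    _, _, attrs = parse_set_cookie(header)
    out = header.rstrip("; ")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    if "samesite" not in attrs:
        out += "; SameSite=Lax"
    return out


if __name__ == "__main__":
    for sev, msg in audit_cookie(LEAKY):
        print(f"[{sev}] {msg}")
    print("hardened:", harden(LEAKY))
```

Secure alone is the attribute that defeats sidejacking; serving the whole site over HTTPS with HSTS is what keeps a browser from ever making the plain-HTTP request in the first place.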
FAQ
Is there a way to tell the status of a NIC in Linux? The Linux ifconfig -a command can be used to detect promiscuous mode, as it displays the interface's set flags (i.e., PROMISC).
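As an added example (not from the book), the check described in this answer in script form: it parses ifconfig -a output for the PROMISC flag, and for a live host also reads /sys/class/net/<iface>/flags and tests the IFF_PROMISC bit (0x100 in the kernel's if.h). The ifconfig text below is constructed sample output; the sysfs path is the real Linux location.

```python
import os
import re

IFF_PROMISC = 0x100  # bit value of PROMISC in the kernel's interface flags

# Constructed sample of `ifconfig -a` output (net-tools 2.x format).
# 4419 = 0x1143 = UP|BROADCAST|RUNNING|PROMISC|MULTICAST.
SAMPLE_IFCONFIG = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.1.10  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 00:11:22:aa:bb:10  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""

HEADER_RE = re.compile(r"^(\S+?):\s+flags=(\d+)<([^>]*)>")


def parse_ifconfig(text):
    """Return {iface: (numeric_flags, set_of_flag_names)} from ifconfig -a text."""
    result = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            names = {n for n in m.group(3).split(",") if n}
            result[m.group(1)] = (int(m.group(2)), names)
    return result


def is_promisc(flags):
    """True if the numeric flag word has IFF_PROMISC set."""
    return bool(flags & IFF_PROMISC)


def promiscuous_from_ifconfig(text):
    """Interfaces whose flags (by name or by bit) show promiscuous mode."""
    return sorted(iface for iface, (num, names) in parse_ifconfig(text).items()
                  if "PROMISC" in names or is_promisc(num))


def promiscuous_from_sysfs(root="/sys/class/net"):
    """Live check: each interface's flags file holds a hex word such as 0x1003."""
    found = []
    if not os.path.isdir(root):
        return found
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                flags = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue
        if is_promisc(flags):
            found.append(iface)
    return found


if __name__ == "__main__":
    print("sample:", promiscuous_from_ifconfig(SAMPLE_IFCONFIG))
    print("this host:", promiscuous_from_sysfs())
```

Two caveats for a real investigation: the kernel also logs "device eth0 entered promiscuous mode" when the mode is switched on, which survives after a sniffer has exited, and `ip -d link show` reports a promiscuity count that catches cases the ifconfig flag display misses.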
Do IPIDs increment? Multiple packets sent from the same system should not have the same sequence number.
What are some of the things that make session hijack possible? One is plain-text communication protocols which perform authentication only at the initiation of a session.
Why is SSL vulnerable to MitM attacks? One-way identity verification (i.e., server to client), which is not truly verified due to an implementation error in the client.
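The "implementation error in the client" this answer refers to is a client that accepts the server certificate without verifying it or without matching its name. As an added example (not from the book), the following Python shows the weak client configuration beside the correct one using the standard ssl module, with an audit function that reports what each context would let through. The connect helper is shown for context only; the host name it would take is an assumed parameter and nothing here opens a network connection.

```python
import socket
import ssl


def make_client_context(verify_peer=True):
    """Correct client context by default; verify_peer=False reproduces the weak client."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_peer:
        # The weak configuration: any certificate, for any name, is accepted,
        # which is exactly what an active MitM needs. check_hostname has to
        # be cleared before verify_mode can be set to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx):
    """List the ways a context fails to verify the server's identity."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not verified: a forged certificate is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a valid certificate for another name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed")
    return findings


def connect(host, port=443, verify_peer=True):
    """Open a TLS connection; server_hostname drives both SNI and the name check."""
    ctx = make_client_context(verify_peer)
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, ctx in (("secure", make_client_context(True)),
                       ("weak", make_client_context(False))):
        print(label, audit_client_context(ctx) or ["ok"])
```

The same audit is worth running against any code base that builds its own SSLContext: a single `verify_mode = CERT_NONE` left over from development is enough to make every connection interceptable.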