rwsps-post-exploiting-the-network-sniffing-ettercap-nmap-aireplay-ng-logo

So far in the WiFi Security and Pentesting Series we have learned to

  1. Crack WEP Using aircrack-ng suite of tools
  2. Crack the WPA/2 passphrase using Aircrack-NG
  3. Speed Up WPA/2 Cracking with Hashcat
  4. Automate WiFi Cracking

Now considering that we are into a network it is important to learn a few thing that we can do to start our penetration testing within the scope of a network.

This chapter will put some light on

  • What is Subnet ?
  • Installation of tools used
  • Scanning the Subnet
  • Sniffing using automated tools
  • Jamming the network
  • Dissecting wireless client

This article is an excerpt from my WiFi Penetration testing and Security eBook for aspiring WiFi hackers and Wireless security enthusiasts. Click here to learn more

Before beginning you need to know What is a subnet, if you already know you can slide down.

What is a SubNet ?

A SubNet (short for “subnetwork“) is an identifiably separate part of an organization’s network. It is a logical, visible subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting. Computers that belong to a subnet are addressed with a common, identical, most-significant bit-group in their IP address. see wikipedia

Typically, a subnet may represent all the machines on the same local area network (LAN)

Check your subnet by typing in cmd/Terminal:

ipconfig, in Windows and ifconfig in *nix systems

If you are connected to a network then you will see something like

ifconfig

In the above picture, My IP is 192.168.0.100 and Mask is 255.255.255.0.

This is the subnet mast of the network you are connected to. As you can notice that only last part of the mask is ‘0’. It describes that Your IP range will vary in the last place only from 1-254. As .0 and .255 are the network nodes reserved by the router itself.

For example,

Our IP Address is 192.168.0.100, Having a Subnet mask 255.255.255.0 says that our network will only contain IP addresses(devices) with IP starting from 192.168.0.1 to 192.168.0.254.

If the subnet is 255.255.0.0, Then dynamic range will be last 2 columns of IP address i.e 192.168.*.*

Here ‘*’ is the variable part. Which can go from 1-254.

NOTE: There are some more concepts acc. to which subnet can go like 255.255.255.192 instead, and Concept of Classes in subnetting which changes acc. to the IP range. I would like you to read upon those concepts to get a bit clear about the networking. see here

We will understand one concept that will be used in this tutorial. If you write you subnet mask in Binary

The common subnet mask 255.255.255.0 will be 11111111.11111111.11111111.00000000 in binary. Here 255 is written as 11111111 and of you count the total no. of 1’s they are 24 for this specific Subnet mask.

If mask is 255.255.0.0, Binary value will be 11111111.11111111.00000000.00000000. so the CIDR-style notation will be /16. Simple! isn’t it ?

So what’s the use of this 24 ? This is used to make it easy for network scanners to tell the range of IP addresses we are interested in scanning just by passing ‘/24’ along with IP address to the scanner. Scanners like nmap or sniffers like Ettercap. Which we are going to use in this tutorial.

Tools used

nMapNetwork MAPper. As the name suggests it maps the network according to the commands provided. It is used to discover hosts and services on a computer network, thus creating a “map” of the network.

nmap comes pre-installed in Kali Linux and other Pentesting distributions. You can download nmap source code from its official site.

Install nmap from Source code

Download the source code and Type in Terminal:

Install nmap via apt-get on Debian/Ubuntu

 

EttercapEttercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.

Install ettercap from source code:

You need to install a tool called cmake to compile the source code, Open Terminal and type

Now to extract and install type in Terminal

Install Ettercap using apt-get on Debian/Ubuntu

Simply Open terminal and type:

 

Scanning the Subnet

I will use 2 tools to demonstrate the concept of scanning the Network and further Pentesting.

  1. nmap – To scan Subnet and further Pentest on Devices
  2. Ettercap – To scan Subnet and Sniff thenetwork

We will only cover a small part using nmap as only scanning part lies in the scope of the chapter, but you will learn along how the system pentesting begins.

We will learn Ettercap a bit more in detail as it will show you how to scan and sniff the network to gather the credentials passed across the router, How to do it and countermeasures.

Lets begin,

Scan the Subnet using nmap

Open terminal and Type:

  • nmap <IP address>/24

IMPORTANT NOTE: 192.168.0.100 is the Kali Linux’s IP address and /24 is used as the mask which is 255.255.255.0. Check your network configuration, it may differ.

This command will simply scan the range 192.168.0.1-192.168.0.254 and dump the output showing the IP addresses and corresponding services running on the devices.

nmap offers timing options to reduce scan time or network stress, and/or evading IDS(Intrusion Detection Systems) according to need.

Output is shown only when the scan is completed, although you can press <TAB> to check the scan progress but it is not always handy to press <TAB> all the time. So we use some nmap arguments to speed up the scan and display the realtime output.

  • nmap <IP-address>/24 -T <argument> -v

Here, -T tells nmap to use timing option and -v stands for verbose output

nmap offers 6 Timing options. 0: Paranoid, 1: Sneaky, 2: Polite, 3: Normal, 4: Aggressive, 5: Insane. By default nmap uses option 3 i.e Normal scan



The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so –T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.

Output:

rwsps-nmap-scan-output-ch6

As you can see in the above output nmap displayed the open ports and corresponding services of all the alive hosts. You will see the difference when you will run it Live. Do it now!

you might be thinking now what ?

As you can see in the above image we will not go for 192.168.0.1, as it is the router itself, we will cover it in next section. But we see that 2 ports(SSH and HTTP) are open for host 192.168.0.100.

We can now perform various attacks on this specific host. Attacks like bruteforcing on SSH port 22, try opening 192.168.0.100 in browser and check whether any service is running so that we can exploit it from there only or not.

note that, different systems tend to have different services running and accordingly the penetration tests differ. I have disabled all the unnecessary ports so nmap isn’t showing any service/port.

I penetrated into My college’s Library server from my Hostel room just using a service running on remote server via browser. I was able to access the complete system with/without Metasploit. So from here you know the power of scanning(reconnaissance) using nmap.

Vulnerability was reported and fixed by the college authorities 🙂

I will surely cover all other techniques of penetration on this blog after this series. So, stay Tuned! 😉

Moving on to Ettercap. We have now installed ettercap. Now run ettercap from Terminal.

We will first learn using the GUI of Ettercap to keep it Simple and easy at the beginning.

Open Terminal and type:

using -G will start Ettercap Graphical Interface.

Now go to Sniff > Unified Sniffing and select the Wireless Interface. Mine is wlan1 and click Ok.

ettercap-unified-sniffing-wlan1

Now, as we want to sniff the network we first need to understand how this can be possible ? let’s Think!

We know all the data of a device is transferred through the router and router distinguishes between devices using their MAC addresses. So, if somehow we could pretend to be the router, wouldn’t the devices start sending me(192.168.0.100) all their traffic ? sounds legitimate, right ?

Yes it is. This is what is called MiTM, or Man-in-The-Middle Attack which we perform by poisoning the ARP(Address Resolution Protocol) tables of the device.

In which the attacker comes in between the router and device(s) and act like router to the devices. then devices send all their data to the attacker and attacker then records the data and forward it to the router.

How Does ARP Poisoning Work?

ARP poisoning is a method used for manipulating the flow of traffic between arbitrary hosts on a local area network. Exploiting a network with an ARP poisoning attack allows an attacker to reroute traffic passing between workstations and servers on the LAN through a malicious node, where the traffic can be monitored, modified, or DoSed by the attacker.At the highest level, ARP poisoning works by modifying the ARP tables

Unsolicited ARP replies are ARP reply packets received by a machine that the machine never asked for – AKA, an ARP request was never sent to the node the ARP reply is coming from.

This allows a hacker to forge an ARP reply in which the IP address and MAC address fields can be set to any values. The victim receiving this forged packet will accept the reply, and load the MAC/IP pair contained in the packet into the victim’s ARP table.

Let’s perform the ARP Poisoning attack.

Press CTRL+S to scan the hosts in the subnet

ettercap-scan-hosts-in-subnet

Now press CTRL+H to display the Hosts list

ettercap-hosts-list

Here 192.168.0.1 is the Router and 192.168.0.102 is the remote Windows machine. Note the Router MAC, it is going to be changed.

Click on Mitm > Arp poisoning… Then select the Sniff remote connections checkbox and click OK

ettercap-ARP-poisoning-sniff-remote-connections

From here on Ettercap will manage the attack you just need to monitor the output displayed in the lower column.

When I started sniffing I opened the browser on the Windows machine i.e Victim (192.168.0.102), connected via WiFi and opened the router web interface(192.168.0.1) and tried 3 different Username:Password combinations, first 2 incorrect and 3rd one correct and as soon I logged in with the correct credentials This was the output in Ettercap window

ettercap-sniff

admin:adminf and testuser:testpass are the incorrect router login credentials that the Victim was trying to log into the router. Whereas when rootsh3ll:iamrootsh3ll was entered all the accessible pages were accessible via victim’s browser whose traffic was passing through the attacker(We) system in unencrypted Plain text(HTTP) format.

Ettercap won’t capture credentials of websites running over SSL. Sniffing over SSL enabled websites requires many issues like signed certificates, SSL, HSTS, to be fixed. We’ll learn that in a separate post later.

So we were able to retrieve router’s web login credentials without even getting physical access to the victim.

Cool isn’t it ? well that’s just the beginning. You can use the router credentials for various operations like:

  1. Filter other MACs to access Internet or router web interface.
  2. Limit internet speed to all the users except you.
  3. Remove internet limit, if applied on you or other users.
  4. Change DNS address, to sniff across the globe.
  5. And many other. Just explore!

Sniffing the router is just one thing that you can explore, there are numerous other techniques we can learn to test the strength of the network or devices.

We will cover one by one in detail. Just let me know your views to keep me going and ever improve the quality of every post 🙂

See what the router interface looks like from attacker’s system

web-interface

That’s all for now on sniffing the Subnet. Let’s see

How to check whether you are being sniffed

There is only one way for the victim to confirm that s/he is being sniffed over the W/LAN.

check the arp tables and see whether no Device’s MAC matches the Router MAC.

Have a look:

check-arp-tables-for-sniffing

If you notice the MAC address of the router(0.1) in the first execution is different than the MAC of the attacker in this case i.e 0.100

When I executed command again after starting MiTM attack, from the point-of-view of victim the router is now 192.168.0.100.

How ?

As within a network the data is transferred using the MAC addresses of the connected devices. so as the MAC of the router(for victim) is spoofed, the victim starts sending traffic to the attacker MAC, which is in this case pretending to be the router.

Hope it is clear till now, as we are going to cover a different aspect being out of the network.

let’s move ahead.

Jamming the network

Note that for jamming a network i.e disallowing every user on a network to access Internet/Intranet you do not need to connect to the network or know the network passphrase.

You just need to craft some unencrypted packets and broadcast in the air including the AP’s MAC and SSID and a deauthentication packet included to tell all the connected/connecting users to disconnect.

How this works ?

We craft a packet using aireplay-ng from aircrack-ng suite of tools and broadcast it in the air which is then received by the users as they check the packet for the Source from which it is coming. There is only one way for user to check for that. The packet header, where the device put it’s MAC address, and that can be modified. We will do it using aireplay-ng. Later we will study in detail on how to do it using programming.

Packet-Filter

Make sure Aircrack-ng is installed and your card is operating on monitor mode

Open Terminal and type:

  • aireplay-ng -0 <no. of requests> -a <BSSID> -e <ESSID> <Monitor-mode-interface>

Note that ‘zero’ can be used in place of –deauth and put the SSID in quotes to avoid conflicts. -0 is the code for deauth request 1 for Fake-ARP request and so on.

aireplay-ng-options

-0 0, or –deauth 0 stands for unlimited deauth requests, –deauth  5 will send 5 requests and exit.

This was to broadcast the deauth packets to jam the network, what if attacker wants to jam network access for only one or selected users(retrieved from airodump-ng output) ?

Just use -c option to tell aireplay-ng which client you want to DoS.

Dissecting wireless client using aireplay-ng

This is request called Unicast, as we are sending packets to single/specific client. You can also call it a DoS(Denial of Service) attack.

You might remember this technique in the earlier tutorials where we tried to disconnect client by sending 5 deauth packets to capture the WPA/2 Handshake. Yes it is the same. If you just use 0 in place of 5 aireplay-ng will endlessly send packets to the client resulting in no network access/disconnection to the client.

 

That’s all for this chapter hope you learned a lot and it was also useful at the same time.

Would you like to have this tutorial in a PDF file ? One for short version i.e just commands and other complete tutorial. Let me know in the comments

See you with the next chapter on setting up rogue access point for even easier WPA/2 password retrieval. No cracking included.

Keep Learning.

 

Useful Links:

Router:

TP-LINK TL-MR3420 300 MB/s Wireless Router 2x 5dBi antennas

Network Adapters:

Alfa AWUSO36NH High Gain B/G/N USB / Alfa AWUS036NHA B/G/N USB

High Gain Antenna:

Alfa 9dBi WiFi Omni-Directional High-Gain Antenna