*Book Review, Penetration Testing with BackBox: Stefan Umit Uygur (Author)

Chapter 5 : Eavesdropping and Privilege Escalation

Eavesdropping is overhearing the network flow between two devices by intercepting the traffic and capturing sensitive data. Merely listening to the network flow is a passive technique (sniffing), whereas interfering with or intercepting the data is an active attack (spoofing). The MITM (man-in-the-middle) attack is the most popular of the active techniques. Privilege escalation is the act of gaining extra access by exploiting a bug, design flaw, etc. Vertical privilege escalation means gaining higher privileges; horizontal privilege escalation means accessing another account that has the same level of privileges as the account already compromised.

*FYI: The difference between HTTP and HTTPS is 'SSL'. SSL (Secure Sockets Layer) is the security protocol that establishes an encrypted link between the web server and the browser.

As an example, the book shows a MITM attack with the sslstrip tool, which automates the exploitation process: HTTPS URLs are rewritten into HTTP URLs, so the traffic can be captured as clear text. I practiced this sslstrip attack with Kali Linux rather than BackBox.

Environment
1. Victim: VM, Windows XP, 192.168.247.133
a. Default gateway: 192.168.247.2
2. Attacker: VM, Kali Linux, 192.168.247.131

1. On Kali Linux (the attacker), turn on packet forwarding; packet forwarding sends a packet on to its destination based on its header information. After that, initialize the NAT table with an iptables command and redirect to port 10000, the port sslstrip listens on. The rule matches --dport 80 because the victim's web traffic goes out on port 80 (HTTP).

After setting up packet forwarding, start sslstrip with the 'sslstrip -a' command and check whether it is running with the netstat command.

By typing arpspoof -t [Victim's IP] [Gateway IP], the attacker sends ARP-reply packets to the victim that present the attacker's MAC address as the gateway's MAC address (the attacker is claiming 'I am the gateway'). This changes the victim's ARP cache table.

By typing another arpspoof -t [Gateway IP] [Attacker's IP], the attacker claims 'I am the victim PC' by sending ARP-reply packets that change the gateway's ARP cache table.

You can check the victim's ARP table with the 'arp -a' command and see the attacker's MAC address there. After confirming that the ARP spoofing is working, the victim goes to the website (Gmail) and signs in.

Once the victim signs in, you can see 'http' rather than 'https' in the URL, because sslstrip forces HTTPS down to HTTP (this is why the password is visible in clear text rather than encrypted). You can see the packet destinations in the Kali attacker's packet-forwarding terminal (the fragrouter -B1 command), and sslstrip.log in the root directory. You can find the password with a '| grep' command, or open the file in a text editor and search for Passwd.

You can protect your device by checking the URL (https vs. http) and watching for certificate or cookie errors. You can also pin the gateway's MAC address with a static ARP entry (arp -s), so that forged ARP replies no longer overwrite it.
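The ARP-cache change described in the steps above is also the simplest thing a defender can check for. The following added example (not code from the book or from the author of this review) parses Windows-style 'arp -a' output, as seen on the XP victim, and reports two symptoms of the spoofing in this chapter: the gateway entry no longer carrying the MAC address it had before, and one MAC address being claimed by several IPs. The two ARP dumps and all MAC addresses are constructed for the example; the IP addresses are the ones from the environment section.

```python
import re
from typing import Dict, List

# Constructed sample of "arp -a" output on the victim (192.168.247.133)
# before any spoofing. The MAC addresses are made up for this example.
ARP_BEFORE = """\
Interface: 192.168.247.133 --- 0x2
  Internet Address      Physical Address      Type
  192.168.247.2         00-50-56-e1-aa-01     dynamic
  192.168.247.131       00-0c-29-3b-cd-ef     dynamic
  192.168.247.255       ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample after the forged ARP replies: the gateway entry now
# carries the attacker VM's MAC address (also made up).
ARP_AFTER = """\
Interface: 192.168.247.133 --- 0x2
  Internet Address      Physical Address      Type
  192.168.247.2         00-0c-29-3b-cd-ef     dynamic
  192.168.247.131       00-0c-29-3b-cd-ef     dynamic
  192.168.247.255       ff-ff-ff-ff-ff-ff     static
"""

# One ARP entry: IPv4 address, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map each IP in an 'arp -a' dump to its MAC, skipping broadcast/multicast."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # interface header, column header, blank line
        ip, mac, _entry_type = m.groups()
        mac = mac.lower()
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue  # broadcast and IPv4 multicast entries are expected
        table[ip] = mac
    return table


def detect_arp_spoof(table: Dict[str, str], gateway_ip: str,
                     expected_gateway_mac: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    expected = expected_gateway_mac.lower()

    # Symptom 1: the gateway's MAC differs from the known-good value.
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        findings.append(f"gateway {gateway_ip} is missing from the ARP cache")
    elif gw_mac != expected:
        findings.append(
            f"gateway {gateway_ip} MAC changed: expected {expected}, cache has {gw_mac}"
        )

    # Symptom 2: one MAC answering for several IPs. Legitimate on hosts with
    # multiple addresses or VRRP-style failover, so treat it as a lead, not proof.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claimed by multiple IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    known_good = parse_arp_table(ARP_BEFORE)["192.168.247.2"]
    for label, dump in (("before", ARP_BEFORE), ("after", ARP_AFTER)):
        results = detect_arp_spoof(parse_arp_table(dump), "192.168.247.2", known_good)
        print(label, "->", results or "no findings")
```

The known-good gateway MAC has to come from somewhere the attacker cannot influence (a baseline recorded on a clean network, or the value you pinned with arp -s), otherwise the first check is comparing the cache against itself.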

For horizontal privilege escalation, the book describes the 'password cracking' technique, using the offline password-cracking tool 'John the Ripper'. John has three cracking modes: 'Wordlist' (trying words from a wordlist file), 'Single crack' mode (using login/GECOS information for cracking), and 'Incremental' mode. 'Incremental' mode is the most effective one, since it tries many complicated passwords with symbols, lower/uppercase letters, and numbers.

By typing this unshadow command, I can chain the password and shadow file contents into the 'crack.password.db' database for the John program. A command like #john /tmp/crack.password.db requires a lot of CPU processing (it is CPU-time consuming) because it is a brute-force attack. John the Ripper is actually used for password security checks. There are lots of tools for gaining root other than John the Ripper; if you use John the Ripper, it is easy to get caught by monitoring tools (NMS) because it consumes a lot of CPU power.
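The shadow file that unshadow feeds into John is also what an administrator should audit before an attacker does: an empty password field or a legacy hash (md5crypt, traditional DES crypt) is what makes the brute force cheap, whereas slow hashes such as yescrypt or bcrypt raise the CPU cost per guess. The following added example (not code from the book or from this review's author) classifies the hash algorithm of each /etc/shadow entry and lists the accounts worth fixing. The shadow lines, usernames and hash bodies are constructed placeholders; the prefix-to-algorithm mapping follows the standard crypt(3) identifiers.

```python
import re
from typing import Dict, List, Tuple

# Constructed /etc/shadow excerpt for this example. The salt/hash bodies are
# placeholders, not real hashes, and the usernames are made up.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERSHA512HASH:19500:0:99999:7:::
alice:$y$j9T$saltsalt$PLACEHOLDERYESCRYPTHASH:19500:0:99999:7:::
bob:$1$saltsalt$PLACEHOLDERMD5HASH:19500:0:99999:7:::
carol:abPLACEDES13x:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
svc:!$6$saltsalt$PLACEHOLDERLOCKEDHASH:19500:0:99999:7:::
guest::19500:0:99999:7:::
"""

# Standard crypt(3) prefixes -> (algorithm name, rating used by this audit).
HASH_PREFIXES: Dict[str, Tuple[str, str]] = {
    "$y$": ("yescrypt", "strong"),
    "$7$": ("scrypt", "strong"),
    "$2a$": ("bcrypt", "strong"),
    "$2b$": ("bcrypt", "strong"),
    "$2y$": ("bcrypt", "strong"),
    "$6$": ("sha512crypt", "acceptable"),
    "$5$": ("sha256crypt", "acceptable"),
    "$1$": ("md5crypt", "weak"),
}

# Traditional DES crypt: exactly 13 characters from the crypt alphabet, no prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Ratings that should be acted on (reset the password or rehash on next login).
FLAGGED_RATINGS = ("empty", "weak", "review")


def classify_hash(field: str) -> Tuple[str, str]:
    """Return (algorithm, rating) for the second field of a shadow entry."""
    if field == "":
        return ("none", "empty")          # login possible with no password at all
    if field.startswith("!") or field.startswith("*"):
        return ("locked", "locked")       # password login disabled
    for prefix, result in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return result
    if DES_RE.match(field):
        return ("descrypt", "weak")       # 8-char limit, fast to brute-force
    return ("unknown", "review")          # unrecognised format, inspect by hand


def audit_shadow(text: str) -> List[Dict[str, str]]:
    """Classify every entry in a shadow-format text; comments and blanks are skipped."""
    results: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # malformed line, not a shadow entry
        algorithm, rating = classify_hash(parts[1])
        results.append({"user": parts[0], "algorithm": algorithm, "rating": rating})
    return results


def flagged_accounts(text: str) -> List[str]:
    """Usernames whose password field is empty, weakly hashed, or unrecognised."""
    return [r["user"] for r in audit_shadow(text) if r["rating"] in FLAGGED_RATINGS]


if __name__ == "__main__":
    for entry in audit_shadow(SAMPLE_SHADOW):
        print(f"{entry['user']:<8} {entry['algorithm']:<12} {entry['rating']}")
    print("needs action:", flagged_accounts(SAMPLE_SHADOW))
```

On a real system read /etc/shadow as root and pass its contents to audit_shadow; the sha512crypt rating is deliberately only 'acceptable' because its cost depends on the rounds parameter, which this check does not inspect.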
