Many sysadmins understand how to set up and maintain a network, but the concept of auditing is an entirely different world. In the first part of a series on auditing and penetration testing (pentesting), we introduce the concepts and tools for putting all that security to the test. We’ll also talk about our pentest platform of choice, the Pwn Plug.
The tool of choice for basic network reconnaissance has been and continues to be (and will likely be until the end of time) the port scanner, NMap. Port scanning tells you everything you can learn about a target before you start taking shots at it – it tells you what’s open, what’s closed, what’s filtered, what (likely) services and even what OS the target may be running. That immediately gives you an idea of which machines are likely to yield some fruit and which are likely hardened off against your attacks.
Though its basic premise is simple, using NMap properly can be a tricky thing. Incorrectly performed port scanning is one of the fastest ways to alert the world to your presence on a network. Fortunately, NMap comes with a variety of features to help it “blend in” to regular network traffic in order to avoid being picked up by an IDS, and can be quite stealthy indeed if used right. We will be covering NMap usage in-depth (along with other network topography tools) in Part 2 of this series.
If using NMap to find active systems is likely to alert the authorities, there is the (less powerful) Netdiscover. What’s brilliant about Netdiscover is that it can be completely passive, meaning that it will do nothing but sit and watch a network’s traffic for a certain behavior (the ARP request by default). From these requests, it builds a table of IPs, MAC addresses, and adapter types. This has the added bonus of helping you quickly sort out which machines might be Wi-Fi connected vs. wired, static IPs that don’t utilize DHCP, or network appliances like copiers/printers. Netdiscover can also be run in active mode, where it sends out ARP requests and functions much like NMap’s ARP scan, but for the most part I’d rather use NMap in that case.
Ettercap is the beautifully malicious packet sniffer. It is designed through-and-through to function in the role of Man-in-the-Middle (MITM), examining the packets and subsequently forwarding them on to their original destination. Before sending it on, it can manipulate the packets in any way that you tell it to, including (but certainly not limited to): appending malicious links to HTML or email, changing the content of HTML, e-mail or IM content, stripping SSL off of encrypted communications (if the handshake was captured), snooping through SSH1 connections, blocking a host, hijacking DNS to send a user to unintended targets, and myriad other little nasty tricks.
It accomplishes this through ARP spoofing/poisoning, thus telling the router that this machine is the target system and telling the target system that it is the router. The very, very important and handy byproduct of this technique is that Ettercap can be made to sniff all traffic on switched networks, making it invaluable in an attacker’s toolbox.
If you don’t need all of the ridiculous power/complexity of Ettercap, there is the much more individualized toolset of the dSniff suite. Ettercap can be set to do many things at once, but can be unwieldy and is often overkill. On the other hand, the dSniff suite comes with a bunch of specific tools to accomplish many of the same goals – think of it as the “All I really am looking for is “. Its specialty is grabbing passwords for a variety of services (both plaintext and SSL-encrypted, under certain conditions), but it can also track a user’s browsing history (and show you the same thing they are on your screen), log IM conversations, hijack new browsing sessions or restart existing sessions, and spoof DNS responses.
We will be looking at Ettercap and dSniff in detail in Part 3 of this series, as well as how to detect and defend against them. ARP poisoning leaves a particular signature on the network which can be picked up by a properly configured IDS or even prevented by specific tools, but be warned – that’s about the only opportunity you get to detect it.
As mentioned in my seven F-ups article, providing Wi-Fi creates an extra degree of vulnerability to any network. If configured properly, Wi-Fi simply creates an extra method for harvesting a bunch of junky encrypted data for an attacker. If configured incorrectly, it opens the door for an entirely malicious system as if it was always supposed to be there.
The crux of the Aircrack-ng suite is Airodump-ng, which kicks the wireless card into passive mode and grabs every bit of traffic sent between all access points and all attached devices, saving it as a capture file. This file can then be analyzed by Aircrack-ng, which uses a dictionary attack on the handshake packets (in the case of WPA/WPA2) or IVs (if you’re foolish enough to use WEP). If you’ve captured the handshake for a client and cracked the pre-shared key (in the case of WPA/WPA2) you can decrypt the entire session afterwards using Airdecap-ng or Wireshark. No handshake or not enough IVs? Don’t worry about it, just start using Aireplay-ng to deauthorize current clients or inject yourself onto the network (depending on the protection).
Though Airodump is a beautiful quick-and-dirty capture, some people would like a little more “full-service” software – and that’s where Kismet comes in. Kismet is part packet sniffer, part analyzer, and part IDS for wireless networks. Best of all, Kismet functions in a server/client/drone aspect, allowing captured traffic to be streamed to a waiting server rather than remaining on the drone device. This is extremely important for devices with limited space like the Pwn Plug, as it prevents the need to store and analyze the capture file locally. The file can then be analyzed on a more powerful machine to attack WPA/WPA2 keys using more effective software (oclHashcat, for instance) and decrypt the sessions.