Traffic redirection. Methods of hacker attacks. Introduction of malicious programs. Worms

Interception of data over the network means obtaining any information from a remote computer device: the user's personal information, his messages, records of the websites he visited. Data can be captured by spyware or by network sniffers.

Spyware is special software capable of recording all information transmitted over the network from a specific workstation or device.

A sniffer is a program or a hardware device that intercepts and analyzes the traffic passing through the network. A sniffer lets its operator attach to a web session and perform various operations on behalf of the computer's owner.

If the information is not transmitted in real time, spyware generates reports that are convenient for viewing and analyzing the collected information.

Network eavesdropping may be organized lawfully or performed unlawfully. The main document establishing the legality of acquiring information is the Convention on Cybercrime, adopted in Hungary in 2001. The legal requirements of different states vary somewhat, but the key meaning is the same for all countries.

Classification and methods of intercepting data over the network

In accordance with the above, interception of information over the network can be divided into two types: authorized and unauthorized.

Authorized data capture is carried out for various purposes, ranging from protecting corporate information to ensuring the security of the state. The grounds for such an operation are defined by legislation; it is performed by special services, law enforcement officers, specialists from administrative organizations and company security services.

There are international standards for performing data interception. The European Telecommunications Standards Institute has unified a number of the technical processes on which interception is based into a single standard (ETSI ES 201 158 "Telecommunications security; Lawful Interception (LI); Requirements for network functions"). As a result, a system architecture was developed that helps intelligence specialists and network administrators legally obtain data from the network. The resulting structure for implementing data interception applies to wired and wireless voice calling systems, as well as to mail correspondence, voice transmission over IP, and information exchange via SMS.

Unauthorized interception of data over the network is carried out by intruders who want to take possession of confidential data, passwords, corporate secrets, addresses of computers on the network, etc. To achieve their goals, hackers usually use a network traffic analyzer, a sniffer. This program or hardware-software device gives a fraudster the ability to intercept and analyze information within the network to which the victim is connected, including encrypted SSL traffic through the substitution of certificates. Traffic can be captured in different ways:

  • listening on the network interface,
  • connecting an interceptor to a channel break,
  • creating a traffic branch and duplicating it on a sniffer,
  • conducting an attack.

There are also more sophisticated techniques for intercepting sensitive information that allow an intruder to insert himself into the network interaction and alter data. One such technique is bogus ARP requests: the essence of the method is to spoof the IP addresses between the victim's computer and the attacker's device. Another method is decoy routing, which consists in substituting the attacker's own address for the IP address of the network router. If a cybercriminal knows how the local network the victim is on is organized, he can easily arrange for information from the user's machine to be sent to his IP address. Hijacking a TCP connection is also an effective way to intercept data: the attacker breaks the communication session by generating and sending TCP packets to the victim's computer, after which the session is restored, intercepted and continued by the criminal instead of the client.

Object of influence

The objects of data interception over the network can be government agencies, industrial enterprises, commercial structures, ordinary users. Inside an organization or business company, information capture can be implemented in order to protect the network infrastructure. Special services and law enforcement agencies can carry out mass interception of information transmitted from different owners, depending on the task.

As for cybercriminals, any user or organization can become a target in order to obtain the data they transmit over the network. With authorized access, the informational content of what is obtained is what matters; an attacker is more interested in data that can be turned into cash, or in valuable information that can later be sold.

Most often, the victims of information interception by cybercriminals are users connecting to a public network, for example a Wi-Fi hotspot in a cafe. An attacker attaches to a web session using a sniffer, substitutes data and steals personal information. More details on how this happens are described in the article.

Threat Source

Authorized interception of information in companies and organizations is carried out by public network infrastructure operators. Their activities are aimed at protecting personal data, trade secrets and other important information. On legal grounds, the transfer of messages and files can be monitored by special services, law enforcement agencies and various government agencies to ensure the safety of citizens and the state.

Attackers are engaged in illegal interception of data. In order not to become a victim of a cybercriminal, you need to follow some recommendations from experts. For example, you should not perform operations that require authorization or the transfer of sensitive data in places where the connection goes through a public network. It is safer to choose encrypted networks, and better still, to use a personal 3G or LTE modem. When transferring personal data, it is advised to encrypt it using the HTTPS protocol or a personal VPN tunnel.

You can protect your computer from interception of network traffic using cryptography and anti-sniffers; dial-up rather than wireless network access will also mitigate the risk.

In this article, we'll look at proxying the traffic of iOS applications that use native web sockets to interact with the server. The article will be useful to those pentesters who, in their work, need to intercept confidential information that iOS applications send in non-standard ways. These methods are relevant because using the default proxy settings on the device may not be sufficient to intercept the traffic of some applications.

Recently, during another pentest, I came across an application that sent information to port 20xx of a web server. The traffic of this application could not be intercepted by changing the default settings (Settings -> Wi-Fi -> HTTP Proxy -> Manual) and redirecting traffic to a proxy. One of the reasons this method doesn't work is that native web sockets are used to communicate with the server instead of the UIWebView class. For more information on how web sockets are configured, see this article.

However, there is a workaround to solve this problem. We can implement DNS spoofing and redirect all HTTP traffic from all ports through a proxy like Burp. This article is divided into parts:

  1. Sniffing traffic with Wireshark to find the IP address and port of the server.
  2. DNS spoofing and forwarding all traffic to the machine where the proxy is installed.
  3. Interception of traffic using a proxy server after performing DNS spoofing.

Below is a step-by-step procedure for intercepting the traffic of iOS applications that use native web sockets.

1. Create a wireless access point and connect the device to it. [Note: The machine must be connected to Ethernet or otherwise connected to the Internet, since the Wi-Fi interface will be used for the hotspot. This article talks about how to set up a hotspot on a Windows machine]

2. Launch a network sniffer (for example, Wireshark) and look for traffic passing through non-standard ports.

a. Filter the traffic, leaving only what goes to the IP address of interest (ip.dst == ip.ip.ip.ip).

b. Find the port number to which the traffic is sent.

Figure 1: Finding the non-standard port to which the application sends traffic

3. Launch the Metasploit console, select the DNS spoofing module (fakedns) and enter the following commands:

a. set SRVHOST <wireless access point IP>

b. set SRVPORT 53, set TARGETACTION BYPASS, set TARGETDOMAIN www.apple.com (Note: setting TARGETDOMAIN to www.apple.com will intercept all traffic except that destined for apple.com).

c. set TARGETHOST <wireless hotspot IP>

Figure 2: Setting up a DNS server using the fakedns module (in Metasploit)

4. Configure Burp to listen for incoming device traffic on specific ports and redirect it to the port found earlier.

a. Go to Proxy->Options->Add; set "bind port" to the port to which the application should forward traffic (note: this is one of those non-standard tcp ports that was found using Wireshark).

b. Listen on all interfaces.

c. In the Request Handling tab, set the server domain (the Redirect to host field).

d. In the same tab, set the corresponding port number (the Redirect to port field).

e. If the traffic is sent over HTTPS, enable forced use of SSL.

f. Click OK and repeat all of the above operations for all ports to which the application sends traffic. In other words, each port needs a separately configured proxy listener.

Figure 3: Configuring listening and redirecting traffic

5. Configure the proxy settings on the device:

a. Go to the Wi-Fi -> DHCP section and set DNS to the IP address of the access point.

b. In the HTTP proxy settings, set the IP address of the access point and the port on which Burp is listening (these settings are used to proxy standard HTTP traffic).

Figure 4: IP configuration and DNS forwarding on the device

6. Type "exploit" in the Metasploit console, and you will see all the intercepted traffic from non-standard ports.

The described method can be used to circumvent problems with traffic interception of iOS applications that transmit it in non-standard ways.

Types of attacks. Interception and redirection of traffic

Denial of Service (DoS) attacks. They are usually directed at the enterprise's information servers, whose functioning is critical to the operation of the entire enterprise. Most often the targets of DoS attacks are the main web servers, the file and mail servers of the enterprise, and the root servers of the DNS system.

Interception and redirection of traffic. The goal is to direct the traffic of the attacked computer to a false address, which can be the address of either the attacker or a third party.

False DNS responses. The attacker's task is to gain access to the corporate server. To do this, he needs to obtain the name and password of an authorized user of the corporate network. He decides to get this information by branching off the data stream that the corporate client sends to the corporate server.

Introduction of malware. Trojans

Trojans, or Trojan horses, are a type of malware that damages a system while disguising itself as some kind of useful application.

Trojans can use as cover applications familiar to the user, ones he worked with before the "Trojan horse" appeared on the computer.

Introduction of malware. Worms

Network worms are programs capable of propagating copies of themselves among the nodes of a local network and across global connections, moving from one computer to another without any participation of network users.

The worm consists of two main functional components: an attack block and a target search block.

An attack block consists of several modules (attack vectors), each of which is designed to defeat a specific type of vulnerability. This block opens the "front door" of the attacked host and transmits a copy of itself through it.

The target search block (locator) collects information about the network nodes, and then, based on this information, determines which of the studied nodes have those vulnerabilities for which the hacker has the means of attack.

Introduction of malware. Viruses

A virus is a piece of malicious software that can infect other files.

Unlike worms, viruses (as well as Trojans) do not contain a built-in mechanism for active propagation over the network; they are able to multiply on their own only within one computer. As a rule, the transfer of a copy of the virus to another computer occurs with the participation of the user.

No discussion of information security is complete without a description of hackers and their methods of work. The term "hacker" is used here to mean a person who breaks into computers.

Hackers are knowledgeable, technically savvy people who have a clear understanding of how computers and networks work, and understand how protocols are used to perform system operations. Their motivation varies, from the desire to attract attention to plain greed.

Modern methods of hacker attacks

Many modern attacks are performed by the so-called "script kiddies" method. The attackers simply search the Internet for exploit scripts and run them against every system they can find. These simple attack methods do not require special knowledge or instructions.

However, there are other methods based on a deeper understanding of the operation of computers, networks and systems under attack. In this article, we will describe such methods.

Listening to networks

Listening, or sniffing, is a method used by hackers/crackers to collect passwords and other system information. The computer's network interface is set to promiscuous mode, i.e., the network adapter intercepts all packets moving over the network, not just packets addressed to it. This type of sniffer works well on shared-bandwidth networks built with network concentrators (hubs).

Finding a hub is now quite difficult; switches are mainly used, so sniffing has become less effective. In a switched environment, the broadcast mode is not used; instead, packets are sent directly to the receiving system. However, switches are not security devices. They are ordinary network devices, so the security they provide is more a by-product of their networking purpose than a design element. There is also a sniffer specially designed for a switched environment.

To listen to traffic in a switched environment, one of the following conditions must be met:

  • "convince" the switch that the traffic of interest should be routed to the sniffer;
  • force the switch to send all traffic to all ports.

If one of the conditions is met, the sniffer will be able to read the traffic of interest and, thus, provide the hacker with the required information.

Traffic redirection

The switch directs traffic to the ports based on the Media Access Control (MAC) address for the frame on the Ethernet network. Each network interface has a unique MAC address, and the switch "knows" which addresses are on which port. Therefore, when transmitting a frame with a specific destination MAC address, the switch forwards the frame to the port to which the given MAC address is assigned.

The following are methods by which you can force the switch to direct network traffic to the sniffer:

  • ARP spoofing;
  • duplication of MAC addresses;
  • domain name imitation.

ARP spoofing. ARP is the Address Resolution Protocol, used to obtain the MAC address associated with a specific IP address. It works as follows: when transmitting traffic, the sending system sends an ARP request for the recipient's IP address. The receiving system responds to this request with its MAC address, which the sending system then uses to forward the traffic.

If the sniffer captures traffic of interest to it, it will respond to the ARP request instead of the real receiving system and provide its own MAC address. As a result, the sending system will send traffic to the sniffer.

For this process to be effective, all traffic must be forwarded to the sniffer instead of the actual destination. If this is not done, there is a possibility of denial of access to the network.

I will add: ARP spoofing only works within a single subnet (one network segment) because ARP messages are not routed. The sniffer must be located on the same LAN segment as the sender and receiver systems.

Duplicate MAC addresses. Duplicating the MAC address of the destination system is another way to "convince" the switch to send traffic to the sniffer. To do this, the hacker needs to change the MAC address on the sniffer and be located on the same local network segment.

I will add again: to perform ARP spoofing, the sniffer must be located on the same local subnet as both systems (sender and receiver) in order to be able to duplicate MAC addresses.

Domain name imitation. There is a third way to force the switch to send all traffic to the sniffer: you need to "trick" the sending system into using the sniffer's real MAC address for data transmission. This is done by imitating a domain name.

In this attack, the sniffer intercepts DNS requests from the sending system and responds to them. Instead of the IP address of the system the request asked about, the sending system receives the IP address of the sniffer and sends all traffic to it. The sniffer must then redirect this traffic to the real recipient. We see that in this case the domain name spoofing attack turns into a hijacking attack.

To ensure the success of this attack, the sniffer needs to look at all DNS queries and respond to them before the real recipient does. Therefore, the sniffer must be located on the route of traffic from the sender system to the DNS server, or even better, on the same local subnet as the sender.

A sniffer could view requests sent over the Internet, but the farther it is from the sending system, the more difficult it is to ensure that it is the first to respond to them.

Sending all traffic to all ports

Instead of all of the above, a hacker can make the switch work as a hub (concentrator). Each switch uses a certain amount of memory to store a table mapping MAC addresses to the switch's physical ports. This memory is limited. If it overflows, some switches erroneously go into an "open" state: the switch stops sending traffic only to the ports of specific MAC addresses and starts forwarding all traffic to all ports. As a result, the switch works like a hub.
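To make this concrete, here is a model of the switch's MAC table and of the fail-open behaviour just described, with port security (a per-port limit on learned MACs) as the mitigation. This is an added example, not code from the page or from any switch vendor; the switch, hosts, MAC addresses, table size and timings are constructed.

```python
from typing import Dict, List, Optional, Set, Tuple


class Switch:
    """Minimal learning switch: a bounded MAC table with entry aging.

    Once the table is full, new source MACs cannot be learned, and frames to
    destinations not in the table are flooded out of every other port, which
    is the fail-open behaviour that turns the switch into a hub.
    """

    def __init__(self, ports: int, table_size: int, age_time: float = 300.0,
                 max_macs_per_port: Optional[int] = None):
        self.ports, self.table_size, self.age_time = ports, table_size, age_time
        self.max_macs_per_port = max_macs_per_port      # None = no port security
        self.table: Dict[str, Tuple[int, float]] = {}   # MAC -> (port, last seen)
        self.shutdown: Set[int] = set()                 # ports disabled by port security

    def _purge(self, now: float) -> None:
        """Drop entries that have not been refreshed within age_time."""
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > self.age_time]:
            del self.table[mac]

    def forward(self, now: float, in_port: int, src: str, dst: str) -> List[int]:
        """Process one frame and return the ports it is transmitted on."""
        if in_port in self.shutdown:
            return []
        self._purge(now)
        if src not in self.table and self.max_macs_per_port is not None:
            learned_here = sum(1 for p, _ in self.table.values() if p == in_port)
            if learned_here >= self.max_macs_per_port:
                self.shutdown.add(in_port)  # port security violation: disable the port
                return []
        if src in self.table or len(self.table) < self.table_size:
            self.table[src] = (in_port, now)  # learn a new MAC or refresh a known one
        if dst in self.table:
            out = self.table[dst][0]
            return [] if out == in_port else [out]
        return [p for p in range(self.ports) if p != in_port and p not in self.shutdown]


A_MAC, B_MAC, ATTACKER_PORT = "aa:aa:aa:aa:aa:0a", "bb:bb:bb:bb:bb:0b", 2


def scenario(port_security: bool) -> dict:
    """Constructed scenario: host A on port 0, host B on port 1, flooder on port 2.

    Returns the ports that carry A's frame to B after the flood, whether the
    flooder's port is among them, and which ports port security shut down.
    """
    sw = Switch(ports=4, table_size=8, max_macs_per_port=2 if port_security else None)
    sw.forward(0.0, 0, A_MAC, B_MAC)
    sw.forward(0.1, 1, B_MAC, A_MAC)
    # The flooder keeps sending frames with eight bogus source MACs, so its
    # entries stay fresh while A's and B's entries age out of the table.
    for t in range(1, 400, 10):
        for i in range(8):
            sw.forward(float(t), ATTACKER_PORT, f"de:ad:be:ef:00:{i:02x}", "00:00:00:00:00:01")
    sw.forward(400.5, 1, B_MAC, A_MAC)          # B tries to re-register; table may be full
    out = sw.forward(401.0, 0, A_MAC, B_MAC)    # does A's frame to B reach port 2?
    return {"out_ports": out, "attacker_sees": ATTACKER_PORT in out,
            "shutdown": sorted(sw.shutdown), "table_size": len(sw.table)}


if __name__ == "__main__":
    print("no port security :", scenario(False))   # A->B is flooded, port 2 sees it
    print("port security    :", scenario(True))    # port 2 shut, A->B unicast to port 1
```

Without port security the table ends up holding only the flooder's addresses and A's frame to B is flooded to every port; with a limit of two MACs per port the flooder's port is disabled at its third address and A's frame goes to port 1 alone.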

Performing attacks

Now let's look at what is required to perform the above attacks. In the case of ARP spoofing, MAC address duplication, or MAC flooding, you must connect directly to the attacked switch. Such a connection is also required to imitate a domain name.

Conclusion: the hacker must have a system on the local switch. To get one, he breaks into a system through a known vulnerability and installs the software needed for sniffing. Alternatively, the hacker is already inside the organization (as an employee or contractor); in that case he uses his legitimate access to the local network, which lets him reach the switch.

IP address spoofing

As already mentioned, the correctness of IP addresses in packets transmitted over the network is not checked. Therefore, a hacker can change the sender address so that it looks like the packet is coming from any address. The difficulty is that the returned packets (SYN ACK packets on a TCP connection) will not be able to return to the sending system. Therefore, attempting to spoof an IP address (IP spoofing) to establish a TCP connection is very difficult. In addition, the TCP header contains a sequence number used to acknowledge receipt of the packet. The initial sequence number (ISN) for each new connection is chosen pseudo-randomly.

IP Spoof Attack Details

The figure shows the execution of an IP address spoofing attack: 1) target identification; 2) determination of the increment of the initial sequence number (ISN). The latter can be done by making a series of legitimate connections to the target system and noting the returned ISNs (in doing so, the hacker risks exposing his real IP address). I'm sorry, it doesn't work with the drawing, however I turn it this way and that! It is stronger than me...

Listening to switched networks

Learning Modern Methods

Many modern attacks are carried out by so-called "script kiddies". These are users who look up exploit scripts on the Internet and run them against every system they can find. These simple attack methods do not require special knowledge or instructions.

However, there are other methods based on a deeper understanding of the operation of computers, networks and systems under attack. In this section, we will get acquainted with such methods - with listening (sniffing, from the English sniffing) of switched networks and imitation of an IP address (IP-spoofing).

Listening, or sniffing, is used by hackers/crackers after hacking into a system to collect passwords and other system information. To do this, the sniffer sets the network interface card to listen for mixed traffic (promiscuous mode), i.e., the network adapter will intercept all packets moving through the network, and not just packets addressed to this adapter or system. This type of sniffer works well in shared bandwidth networks with network hubs.

As network switches are used more now, the efficiency of sniffing has begun to decline. In a switched environment, the broadcast mode is not used; instead, packets are sent directly to the receiving system. However, switches are not safety devices. These are common network devices, so the security they provide is more of a by-product of their networking purpose than a design element. Therefore, the emergence of a sniffer capable of working in a switched environment is quite possible. And it has already happened. A sniffer specifically designed for a switched environment can be found at http://ettercap.sourceforge.net/.

To listen to traffic in a switched environment, a hacker must fulfill one of the following conditions:

  • "convince" the switch that the traffic of interest should be routed to the sniffer;
  • force the switch to send all traffic to all ports.

If one of the conditions is met, the sniffer will be able to read the traffic of interest and, thus, provide the hacker with the required information.

The switch directs traffic to the ports based on the Media Access Control (MAC) address for the frame on the Ethernet network. Each network interface card has a unique MAC address, and the switch "knows" which addresses are assigned to which port. Therefore, when transmitting a frame with a specific destination MAC address, the switch forwards the frame to the port to which the given MAC address is assigned.



The following are methods by which you can force the switch to direct network traffic to the sniffer:

  • ARP spoofing
  • duplication of MAC addresses;
  • domain name imitation.

ARP spoofing. ARP is the Address Resolution Protocol, used to obtain the MAC address associated with a specific IP address. When transmitting traffic, the sending system sends an ARP request for the destination IP address. The receiving system responds to this request with its MAC address, which the sending system then uses to forward the traffic.

If the sniffer captures traffic of interest to it, it will respond to the ARP request instead of the real receiving system and provide its own MAC address. As a result, the sending system will send traffic to the sniffer.

For this process to be effective, all traffic must be forwarded to the sniffer instead of the actual destination. If this is not done, then there will be a possibility of a denial of access to the network.

Note

ARP spoofing only works on local subnets because ARP messages are only sent within the local subnet. The sniffer must be located on the same LAN segment as the sender and receiver systems.

Duplicate MAC addresses. Duplicating the MAC address of the destination system is another way to "convince" the switch to send traffic to the sniffer. To do this, the hacker needs to change the MAC address on the sniffer and be located on a system that is on the same LAN segment.

Note

It is commonly believed that MAC addresses cannot be changed. That is not the case at all: on Unix systems this can be done with the ifconfig command, and similar utilities are available on Windows.

To perform ARP spoofing, the sniffer must be located on the same local subnet as both systems (sender and receiver) in order to be able to duplicate MAC addresses.
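The defender's counterpart to the ARP spoofing and MAC duplication passages above (both here and in the earlier copy of this section) is a monitor that watches ARP replies on a segment for the two symptoms those attacks leave behind. This is an added example, not code from the page; the capture, addresses and timings are constructed, and a real deployment would feed it frames from a capture library instead of the inline list.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class ArpReply(NamedTuple):
    t: float          # seconds since capture start (constructed)
    sender_ip: str    # IP the sender claims to own
    sender_mac: str   # hardware address the sender announces for it


class ArpMonitor:
    """Keeps the IP -> MAC bindings seen on a segment and raises alerts on
    two symptoms: an IP whose MAC changes (a spoofed reply or a duplicated
    MAC winning the race), and one MAC that claims several IPs at once
    (typical when a sniffer poisons both the gateway and the victim so it
    can forward between them)."""

    def __init__(self, max_ips_per_mac: int = 1):
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
        self.max_ips_per_mac = max_ips_per_mac

    def observe(self, r: ArpReply) -> List[str]:
        alerts: List[str] = []
        old_mac = self.ip_to_mac.get(r.sender_ip)
        if old_mac is not None and old_mac != r.sender_mac:
            alerts.append(f"t={r.t:.1f}: {r.sender_ip} moved from {old_mac} to {r.sender_mac} "
                          "(possible ARP spoofing or duplicated MAC)")
        self.ip_to_mac[r.sender_ip] = r.sender_mac
        claimed = self.mac_to_ips[r.sender_mac]
        if r.sender_ip not in claimed:          # only alert when the set actually grows
            claimed.add(r.sender_ip)
            if len(claimed) > self.max_ips_per_mac:
                alerts.append(f"t={r.t:.1f}: {r.sender_mac} now claims {len(claimed)} IPs "
                              f"{sorted(claimed)} (man-in-the-middle pattern)")
        return alerts


def detect(replies: List[ArpReply]) -> List[str]:
    """Run the monitor over a capture and return all alerts in order."""
    mon = ArpMonitor()
    out: List[str] = []
    for r in replies:
        out.extend(mon.observe(r))
    return out


# Constructed capture: gateway .1 and host .10 answer normally, then a third
# station announces its own MAC for both of them.
GATEWAY_MAC, HOST_MAC, ROGUE_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", "de:ad:be:ef:00:01"
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", GATEWAY_MAC),
    ArpReply(0.1, "192.168.1.10", HOST_MAC),
    ArpReply(1.0, "192.168.1.1", GATEWAY_MAC),   # a repeat with the same MAC is normal
    ArpReply(5.0, "192.168.1.1", ROGUE_MAC),     # gateway's IP now answered by the rogue
    ArpReply(5.5, "192.168.1.10", ROGUE_MAC),    # and the host's IP too
]

if __name__ == "__main__":
    for line in detect(SAMPLE_REPLIES):
        print(line)
```

A legitimate DHCP reassignment or a replaced network card also moves an IP to a new MAC, so the first alert type needs a whitelist or a confirmation step in practice; the second type (one MAC holding the gateway and a host at once) is rarely benign.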

Domain name imitation. There is a third way to force the switch to send all traffic to the sniffer: you need to "trick" the sending system into using the sniffer's real MAC address for data transmission. This is done by imitating a domain name.

In this attack, the sniffer intercepts DNS requests from the sending system and responds to them. Instead of the IP address of the systems to which the request was sent, the sending system receives the IP address of the sniffer and sends all traffic to it. Next, the sniffer must redirect this traffic to the real recipient. We see that in this case the domain name spoofing attack turns into a hijacking attack.

To ensure the success of this attack, the sniffer needs to look at all DNS queries and respond to them before the real recipient does. Therefore, the sniffer must be located on the route of traffic from the sending system to the DNS server, and even better, on the same local subnet as the sender.

Note

A sniffer could view requests sent over the Internet, but the farther it is from the sending system, the more difficult it is to ensure that it is the first to respond to them.
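The defender's side of the two "domain name imitation" passages on this page (this one and the earlier copy) is a monitor that correlates each DNS query with the responses it receives and flags what a racing responder cannot hide: the real resolver still answers, so one query gets two responses with different addresses, and unless the responder also forges the source address the response does not come from the resolver the client asked. This is an added example, not code from the page; the addresses, transaction IDs and timings are constructed.

```python
from typing import Dict, List, NamedTuple, Tuple


class DnsMsg(NamedTuple):
    t: float                    # seconds since capture start (constructed)
    src: str                    # IP the packet claims to come from
    dst: str
    txid: int                   # DNS transaction ID
    qname: str
    answers: Tuple[str, ...]    # A records in a response; empty for a query
    is_response: bool


class DnsSpoofDetector:
    """Correlates DNS queries with the responses that follow them and
    flags (a) responses from a source other than the resolver the client
    queried and (b) a second response to the same query carrying different
    answers than an earlier one."""

    def __init__(self) -> None:
        self.asked: Dict[Tuple[str, int, str], str] = {}          # query key -> resolver
        self.answered: Dict[Tuple[str, int, str], List[DnsMsg]] = {}

    @staticmethod
    def _key(m: DnsMsg) -> Tuple[str, int, str]:
        client = m.dst if m.is_response else m.src
        return (client, m.txid, m.qname.lower().rstrip("."))

    def observe(self, m: DnsMsg) -> List[str]:
        key = self._key(m)
        if not m.is_response:
            self.asked[key] = m.dst
            return []
        alerts: List[str] = []
        resolver = self.asked.get(key)
        if resolver is None:
            return [f"t={m.t:.3f}: unsolicited response for {m.qname} sent to {key[0]} from {m.src}"]
        if m.src != resolver:
            alerts.append(f"t={m.t:.3f}: response for {m.qname} came from {m.src}, "
                          f"but {key[0]} asked {resolver}")
        for earlier in self.answered.get(key, []):
            if earlier.answers != m.answers:
                alerts.append(f"t={m.t:.3f}: conflicting answers for {m.qname}: "
                              f"{earlier.answers} from {earlier.src} at t={earlier.t:.3f} "
                              f"vs {m.answers} from {m.src}")
                break
        self.answered.setdefault(key, []).append(m)
        return alerts


def detect(msgs: List[DnsMsg]) -> List[str]:
    """Replay a capture in time order and return all alerts."""
    det = DnsSpoofDetector()
    out: List[str] = []
    for m in sorted(msgs, key=lambda x: x.t):
        out.extend(det.observe(m))
    return out


CLIENT, RESOLVER, ROGUE = "192.168.1.10", "192.168.1.1", "192.168.1.66"
SAMPLE = [
    # 1) the rogue answers from its own address, then the real resolver answers
    DnsMsg(0.000, CLIENT, RESOLVER, 0x1A2B, "mail.example.com", (), False),
    DnsMsg(0.002, ROGUE, CLIENT, 0x1A2B, "mail.example.com", (ROGUE,), True),
    DnsMsg(0.020, RESOLVER, CLIENT, 0x1A2B, "mail.example.com", ("203.0.113.5",), True),
    # 2) the rogue forges the resolver's source address; only the conflict gives it away
    DnsMsg(1.000, CLIENT, RESOLVER, 0x1A2C, "www.example.com", (), False),
    DnsMsg(1.001, RESOLVER, CLIENT, 0x1A2C, "www.example.com", (ROGUE,), True),
    DnsMsg(1.020, RESOLVER, CLIENT, 0x1A2C, "www.example.com", ("203.0.113.7",), True),
    # 3) a normal lookup: one query, one answer from the resolver
    DnsMsg(2.000, CLIENT, RESOLVER, 0x1A2D, "ntp.example.com", (), False),
    DnsMsg(2.015, RESOLVER, CLIENT, 0x1A2D, "ntp.example.com", ("203.0.113.9",), True),
]

if __name__ == "__main__":
    for line in detect(SAMPLE):
        print(line)
```

The monitor has to sit where it sees both the query and every response, i.e. on the client's segment, for the same reason the text gives for the attacker's placement.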