Sunday, January 08, 2006

Arp Spoofing, Network Scans and Beyond

When it comes to network security, my philosophy is: "You can't afford to know less than the hacker." To protect ourselves effectively, we need to understand and experience the same tools and techniques that are used against us.

NOTE: ARP spoofing could cause damage to your network!


Ettercap 0.6.b - A multipurpose sniffer over switched LANs
http://ettercap.sourceforge.net.

Ettercap was born as a sniffer for switched LAN (and obviously even
"hubbed" one), but during the development process it has gained more
and more features that have changed it to a powerful and flexible tool
for man-in-the-middle attacks. It supports active and passive dissection
of many protocols (even ciphered ones) and includes many features
for network and host analysis (such as OS fingerprint).

It has five sniffing methods:
+ IPBASED, the packets are filtered matching IP:PORT source and IP:PORT dest
+ MACBASED, packets filtered matching the source and dest MAC address. (useful to sniff connections through gateway)
+ ARPBASED, uses arp poisoning to sniff in switched LAN between two hosts (full-duplex m-i-t-m).
+ SMARTARP, uses arp poisoning to sniff in switched LAN from a victim host to all other hosts knowing the entire list of the hosts (full-duplex m-i-t-m).
+ PUBLICARP, uses arp poison to sniff in switched LAN from a victim host to all other hosts (half-duplex).
  With this method the ARP replies are sent in broadcast, but if ettercap has the complete host list (on start up it has scanned the LAN) SMARTARP method is automatically selected, and the arp replies are sent to all the hosts but the victim, avoiding conflicting MAC addresses as reported by win2K.

The most relevant ettercap features are:

Characters injection in an established connection : you can inject
character to server (emulating commands) or to client (emulating
replies) maintaining the connection alive !!

SSH1 support : you can sniff User and Pass, and even the data of an
SSH1 connection. ettercap is the first software capable to sniff an SSH
connection in FULL-DUPLEX

HTTPS support : you can sniff http SSL secured data... and even if the
connection is made through a PROXY

Remote traffic sniffing through GRE tunnel: you can sniff remote traffic
through a GRE tunnel from a remote cisco router and make mitm
attack on it

Plug-ins support : You can create your own plugin using the ettercap's
API.

Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB,
MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC,
LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming
soon...)

Packet filtering/dropping: You can set up a filter chain that search
for a particular string (even hex) in the TCP or UDP payload and
replace it with yours or drop the entire packet.

Passive OS fingerprint: you scan passively the lan (without sending any
packet) and gather detailed info about the hosts in the LAN: Operating
System, running services, open ports, IP, mac address and network
adapter vendor.

OS fingerprint: you can fingerprint the OS of the victim host and even
its network adapter (it uses the nmap (c) Fyodor database)

Kill a connection: from the connections list you can kill all the
connections you want

Packet factory: You can create and sent packet forged on the fly. The
factory let you to forge from Ethernet header to application level.

Bind sniffed data to a local port: You can connect to that port with a
client and decode unknown protocols or inject data to it (only in arp
based mode)


For more information, see man ettercap.

Also look at Nmap for network scans and tcpdump for inspecting TCP traffic.

I have pasted examples of both below.


Using Nmap to find hosts that are up in your network

[root@mybox sriram]# nmap -sP 10.10.93.0/24

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2006-01-08 03:25 EST
Host 10.10.93.0 seems to be a subnet broadcast address (returned 1 extra pings).
Host 10.10.93.94 appears to be up.
Host 10.10.93.118 appears to be up.
Host mybox.sriram.com (10.10.93.220) appears to be up.
Host 10.10.93.250 appears to be up.
Host 10.10.93.252 appears to be up.
Host 10.10.93.255 seems to be a subnet broadcast address (returned 1 extra pings).
Nmap run completed -- 256 IP addresses (5 hosts up) scanned in 75.751 seconds


Using tcpdump to listen on a particular port

[root@mybox sriram]# tcpdump -n -ieth0:1 tcp port ssh and host 192.168.0.20
tcpdump: listening on eth0:1
03:32:20.704268 192.168.0.20.1044 > 192.168.0.10.22: . ack 87532615 win 62952 (DF)
03:32:20.704316 192.168.0.10.22 > 192.168.0.20.1044: P 1:69(68) ack 0 win 16080 (DF) [tos 0x10]

For more options check

- man nmap
- man tcpdump
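
On the defensive side, the ARP poisoning methods described above leave a visible trace: an IP address suddenly answers from a different MAC, and one MAC starts answering for several IPs. The following is an added example (not part of the original post or of ettercap) that checks ARP reply lines, such as those printed by `tcpdump -n arp`, for both signs; the sample capture and MAC addresses are constructed.

```python
import re
from collections import defaultdict

# Matches both "ARP, Reply 10.0.0.1 is-at 00:11:..." and the older
# "arp reply 10.0.0.1 is-at 0:11:..." tcpdump renderings.
ARP_REPLY = re.compile(r"reply\s+(\d+\.\d+\.\d+\.\d+)\s+is-at\s+([0-9a-f:]+)", re.I)

def normalize_mac(mac):
    """Zero-pad each octet so 0:c:29:... and 00:0c:29:... compare equal."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def find_arp_anomalies(lines):
    """Return (ip_changes, shared_macs) from tcpdump ARP reply lines.

    ip_changes:  list of (ip, old_mac, new_mac) where an IP moved to a new MAC.
    shared_macs: dict mac -> sorted list of IPs, for MACs answering for >1 IP.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    ip_changes = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue  # requests and non-ARP lines are ignored
        ip, mac = m.group(1), normalize_mac(m.group(2))
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            ip_changes.append((ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    shared = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return ip_changes, shared

# Constructed sample capture (not from the original post).
SAMPLE = """\
03:40:01.100000 ARP, Reply 10.10.93.250 is-at 00:0c:29:aa:bb:01, length 46
03:40:01.200000 ARP, Reply 10.10.93.94 is-at 00:0c:29:aa:bb:02, length 46
03:40:09.300000 ARP, Reply 10.10.93.250 is-at 00:0c:29:de:ad:99, length 46
03:40:09.400000 arp reply 10.10.93.94 is-at 0:c:29:de:ad:99
03:40:10.500000 ARP, Request who-has 10.10.93.118 tell 10.10.93.220, length 28
""".splitlines()

if __name__ == "__main__":
    changes, shared = find_arp_anomalies(SAMPLE)
    for ip, old, new in changes:
        print(f"ALERT {ip} moved from {old} to {new}")
    for mac, ips in shared.items():
        print(f"ALERT {mac} answers for {', '.join(ips)}")
```

A MAC answering for several IPs is also normal on hosts with alias interfaces such as the eth0:1 used above, so treat that signal as a lead to verify against known hosts.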