Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Ethical Hacking Workshop

You're reading from   Ethical Hacking Workshop Explore a practical approach to learning and applying ethical hacking techniques for effective cybersecurity

Arrow left icon
Product type Paperback
Published in Oct 2023
Publisher Packt
ISBN-13 9781804612590
Length 220 pages
Edition 1st Edition
Arrow right icon
Authors (2):
Arrow left icon
Rishalin Pillay Rishalin Pillay
Author Profile Icon Rishalin Pillay
Rishalin Pillay
Mohammed Abutheraa Mohammed Abutheraa
Author Profile Icon Mohammed Abutheraa
Mohammed Abutheraa
Arrow right icon
View More author details
Toc

Table of Contents (13) Chapters Close

Preface 1. Part 1:Network Fundamentals
2. Chapter 1: Networking Primer FREE CHAPTER 3. Chapter 2: Capturing and Analyzing Network Traffic 4. Chapter 3: Cryptography Primer 5. Part 2: Breaking and Entering
6. Chapter 4: Reconnaissance 7. Chapter 5: Scanning 8. Chapter 6: Gaining Access 9. Part 3: Total Immersion
10. Chapter 7: Post-Exploitation 11. Index 12. Other Books You May Enjoy

Networking tools and attacks

In this section, we will start to cover some of the attacks that exist and the tools that you can use to carry them out. As traffic traverses a network, you can perform various attacks, such as capturing the traffic and looking at what it contains, intercepting traffic and misdirecting it, acting as a man in the middle, poisoning results, and more. Let’s begin with capturing packets as they traverse the network.

Packet capturing

Packet capturing is also known as sniffing. This is the process of capturing packets as they traverse the network to look inside and discover any valuable information. By performing packet capturing, you can see all sorts of traffic. This can be both protected and unprotected traffic. Various tools exist that can perform packet capturing. The most common tool that you will hear people talking about is Wireshark. There are more tools, including native tools, within routers and switches that allow you to capture packets. The key is not to understand how each tool works, but rather how packet capturing works and what the benefits are. We will cover packet capturing in more depth in Chapter 2, Capturing and Analyzing Network Traffic.

Wireshark can be downloaded from https://www.wireshark.org/download.html and supports almost all operating systems, but best of all, it’s free! Installing Wireshark is straightforward; let’s focus more on the tool itself and how to use it. If you are using Kali Linux, Wireshark will already be installed. The following figure shows the main dashboard of Wireshark:

Figure 1.3 – Wireshark dashboard

Figure 1.3 – Wireshark dashboard

The dashboard may seem a bit daunting but let me explain all the components. We will begin with the toolbar, where I will highlight the icons and their functions in the following tables.

In the first table, we will cover the functions that you will interact with when starting a packet capture:

Icon

Name

Description

Start Icon

Start

This starts a capturing session, using either the defaults or the last set of options from a previous session

Stop Icon

Stop

This will stop a currently active capture session

Restart Icon

Restart

This can be used to restart the packet capturing session

Options Icon

Options

This button will open Capture Options

Open Icon

Open

This can be used to open a saved capture for analysis

Save As Icon

Save As

This button can be used to save your current capture to a file

Close Icon

Close

Use this button to close the currently open capture file

Table 1.1 – Wireshark icons used for packet captures

The next set of functions enables you to work within the packet capture file:

Icon

Name

Description

Find Packet

Find Packet

This button can be used to find specific packets based on various criteria that you define

Go Back

Go Back

This button allows you to go one step back in the packet history

Go Forward

Go Forward

This button allows you to jump one step forward in the packet history

Go To Packet

Go To Packet

This will enable you to move to a specific packet

Go to First Packet

Go to First Packet

Jumps to the first packet in the capture file

Go to Last Packet

Go to Last Packet

Jumps to the last packet in the capture file

Table 1.2 – Wireshark icons for working with the capture file

Next, you have the main interface view, as per the following figure. This will show you which interfaces have active traffic on them, and which ones are not seeing any traffic. This is depicted by a line next to the interface number. In the following figure, you can see that the Ethernet0 and Adapter for loopback traffic capture interfaces are seeing traffic:

Figure 1.4 – Wireshark interfaces that have traffic

Figure 1.4 – Wireshark interfaces that have traffic

Starting a packet capture with Wireshark is simple. First, you need to select the interface that you would like to capture traffic on. Next, you must click on the Start button to start capturing packets. You will then see results appear in the main display window. The following figure is an example of ARP requests on the network:

Pro tip

ARP stands for Address Resolution Protocol. It is used to discover the local MAC address of the endpoint by using its IPv4 address.

Figure 1.5 – ARP requests

Figure 1.5 – ARP requests

When you perform packet captures, you need to filter the output to look for your specific results. The display filter within Wireshark does just that. You can see it when you look at Figure 1.5 – specifically the text in the green bar, stating eth.dst == ff:ff:ff:ff:ff:ff:ff:ff. When you type text in the display filter, Wireshark will offer a list of suggestions based on what you have typed in. It also provides a way for you to see if the filter will work or not – for example, if the bar turns yellow, this means that the display filter was accepted but may not work as you expected. If it turns red, it means that the filter was not accepted and will not work. If it turns green, then the filter has been accepted

The following table defines a few useful filters:

Filter Syntax

Description

ip.addr == 192.168.1.1

Filter by IP address

ip.dst == or ip.src = =

Filter by either source or destination IP address

tcp.port == 80

Filter by a specific TCP port

tcp.dstport == 80

Filter by a specific destination port

frame.time >= “april 28, 2022 13:00:00”

Filter by a specific timestamp

Tcp.flags.syn == 1

Filter to look for a SYN flag

Table 1.3 – List of useful filters to use

There is an extensive list of filters that are well documented on Wireshark’s documentation page. You can find the complete list here: https://www.wireshark.org/docs/dfref/.

Now that we have an idea of how to capture packets with Wireshark, let’s move on to spoofing. We will focus on MAC address and ARP spoofing techniques.

MAC address spoofing

As we have identified, every network interface has a unique MAC address. MAC address spoofing is a type of computer identity theft that involves altering the MAC address on the NIC. MAC address spoofing techniques are commonly used when attempting to break into a LAN environment by assuming the identity of an authorized computer. For example, some networks may whitelist MAC addresses. If you can discover that whitelisted MAC address, you can assume its identity. You can spoof your MAC address to masquerade as a different device on the network.

Let’s look at how to perform MAC address spoofing. For this, we will use Kali Linux and the macchanger tool.

From a Terminal window, issue the macchanger --help command. This will show you all the options that are available to use with the tool, as shown in the following screenshot:

Figure 1.6 – macchanger usage options

Figure 1.6 – macchanger usage options

Before we use the tool, let’s verify our current MAC address. You can do this by using the ifconfig command, followed by your interface. In my case, this is eth0, as per the following figure:

Figure 1.7 – Current allocated MAC address

Figure 1.7 – Current allocated MAC address

Currently, my MAC address (called ether in Linux) is 00:0c:29:77:2c:99. Now, let’s modify this to some random value. This can be done in one easy step:

We will issue the sudo macchanger -r eth0 command. I am using the sudo command since my current user does not have root permissions. You can also make use of the sudo -i command, which will move you to the root user, after which you won’t need to prepend the commands with sudo. -r is used to generate a random MAC address; I could use other options if required. For example, I could set a random MAC address of the same kind using the -a switch, though keep in mind that this switch will keep the same vendor OUI as your current vendor. Lastly, I define my interface, which is eth0.

Tip

If you experience an ERROR: Can’t change MAC: message, then you will need to execute the ifconfig eth0 down command before running the macchanger command (this will switch your network interface OFF).

Once you run the macchanger command, remember to turn the interface back ON by using the ifconfig eth0 up command.

The results presented in the following figure show that the interface now has a new MAC address of 06:1d:9f:2f:db:f6:

Figure 1.8 – Using macchanger to set a random MAC address

Figure 1.8 – Using macchanger to set a random MAC address

If you want to define your own MAC address, you can use the following command:

$ sudo macchanger  --mac XX:XX:XX:XX:XX:XX Set the MAC XX:XX:XX:XX:XX:XX

Note

If you are using a Windows environment, some network cards provide the functionality to change your MAC address within the interface properties.

As you have seen, randomizing your MAC address is a simple yet very effective task when it comes to either stealing an identity or masquerading on a network. Now, let’s move on to ARP spoofing.

ARP spoofing

Before we dive into ARP spoofing, let’s put the ARP into perspective. Think of MAC addresses that identify who you are; these are physical identifications. IP addresses are used to identify where you are. ARP tables are used to manage the relationship of who and where you are.

The ARP is used to discover the MAC address related to an IP address. For example, if a router needs to send data to a computer that holds the IP address of 192.168.1.20, it needs to know the MAC address and to discover this, it will send an ARP query. ARP queries are not limited to routers; other devices, such as wireless routers, switches, and computers, all work with the ARP protocol.

In an ARP spoofing attack, the attacker sends fake ARP responses to a victim. These responses essentially tell the victim that the attacker’s MAC address maps to something else, such as a router’s IP. This means that the victim would send packets that were originally destined for the router to the attacker as the router’s MAC address would be replaced with the attacker’s MAC address. ARP spoofing is a typical example of a man-in-the-middle (MITM) attack.

Note

An MITM attack occurs when an attacker listens in on the communication between a user and an application. The intent could be to either spy on the conversation with the intent to gain valuable information or to modify the conversation and redirect the communication to devices that the attacker controls.

The following diagram shows how an MITM attack works:

Figure 1.9 – Man-in-the-middle attack (Source: https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/)

Figure 1.9 – Man-in-the-middle attack (Source: https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/)

Pro tip

Remember that for Kali Linux to forward packets on behalf of other machines, you need to enable IP forwarding. This needs to be done by issuing the echo 1 > /proc/sys/net/ipv4/ip_forward command as root.

To perform an ARP spoofing attack, you need to leverage additional tools within Kali Linux. The tool suite that we will need to use is called dSniff. dSniff contains several tools that can be used to listen to and create network traffic.

The tool can be installed using the following commands:

  1. First, we must switch to the root user using the following command:
    sudo -i
  2. Next, we must ensure that we have the latest package updates by issuing the following command:
    apt-get update
  3. Finally, we must install the tool suite using the following command:
    apt-get install dsniff

Within the toolset, we will make use of arpspoof, a tool that will execute the ARP spoofing attack.

Let’s break down this command. The -i flag represents the interface that you want to use to spoof ARP requests, while the -t flag specifies the target that you would like to poison. You can leave this option out but then arpspoof will poison all targets on the network.

When you run the command, the output would look like what’s shown in Figure 1.10. Within the output, you will find the first MAC address (0:c:29:77:2c:99), which belongs to the Kali Linux machine. The second MAC address (0:c:29:ec:1e:7b) belongs to the target machine. You then have the type field (0806), which indicates that an ARP packet is contained inside the Ethernet frame. Next, you have the byte size (42) of the Ethernet frame. The ARP reply section shows what the ARP message looks like when it is seen by the target. Essentially, it forces the victim to update its ARP table so that the IP address of the router (192.168.111.2) is now at the MAC address of the Kali Linux machine:

Figure 1.10 – Results of using the arpspoof command

Figure 1.10 – Results of using the arpspoof command

When you perform an ARP spoofing attack, you need to also trick the router into believing that you are the target. To do that, you need to issue the same command but this time, reverse [ROUTER_IP] and [TARGET_IP]. The command would be as follows:

$ sudo arpspoof -i [INTERFACE] -t [ROUTER_IP] [TARGET_IP]

You will get a chance to perform an ARP spoofing attack in the upcoming section. But first, we need to build a working lab environment that we will use throughout this book. As we progress through this book’s chapters, we will add additional components to the lab; these components will be introduced at the start of each chapter.

You have been reading a chapter from
Ethical Hacking Workshop
Published in: Oct 2023
Publisher: Packt
ISBN-13: 9781804612590
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime