The Quest for passwords

posted onMay 16, 2001
by hitbsecnews

By: Shaft

Original article first published by SecurityNewsPortal. This article is also available with
screen shots @ www.netflood.net

Introduction:

Obtaining other peoples passwords can
sometimes be extremely difficult, but with the tools available today... it is
usually trivial. This paper will cover various tools and techniques for getting
those passwords. While passwords can be obtained by brute force using software
such as L0phtcrack, John the Ripper, Guess, Merlin, etc. this paper documents a
less intrusive style of obtaining passwords. The reason for this paper is not to
teach script-kiddies how to obtain the passwords of others, but to teach network
admin just how insecure a network can be...

Disclaimer:

The standard disclaimer applies. You
do what you will and I am not responsible. If you can read this, you obviously
have some form of intellect, and as such; your actions are controlled by you.
Not me. This document was written under the influence of many many Corona's
(with lime), as such, please do not flame me for not covering enough details,
poor grammar, etc.

Concepts:

This paper mainly deals with the
Data-Link layer of the OSI Model.

Data-Link Important
terms and information:

MAC address (Hardware address):
a 48-bit number which is supposed to be unique to each network adapter (ex.
John's 3com network adapter does not have the same MAC address as Dave's 3com
adapter).

Note: In Linux, you can change your
adapters MAC address with the ifconfig
hw class address command.

ARP (Address Resolution Protocol):
Ethernet IP uses ARP to locate the hardware address of a given IP address (RFC
826). For example, a router would use an ARP request to determine the MAC
address of a host with the IP address of 69.69.69.69. This would be a
broadcast (sent to all hosts on the network) and only the NIC with the IP
address of 69.69.69.69 would respond by sending an ARP reply to the
aforementioned router. The router would then pass all traffic destined to
69.69.69.69 to that MAC address.

Example:

Router- "Who is
69.69.69.69?"

69.69.69.69 Host- "That would be
me and my hardware (MAC) address is 00:XX:DB:27:XX:10"

Router- "Ok. I will add you to
my ARP table and send all traffic destined to 69.69.69.69 to MAC address
00:XX:DB:27:XX:10"

ARP Table/cache: Internal
database containing IP address to MAC address mappings (dynamic or static).
To view ARP tables, enter the following commands:

Cisco IOS: show arp

Linux: arp

Windows: arp -a

Switch: Works at the data-link
layer (layer 2). Switches listen to network traffic and learn which MAC
address/addresses reside off which ports, the switch then adds the entries to
its ARP table. If a switch does not have the MAC address in it's ARP table, it
will send the traffic (frame) to all ports (ie. broadcast).

Network Layer
Important Terms and Information:

IP address: I'm going to
assume you know what it is.

Important General
terms and Information:

Man-in-the-middle (MiM): When
a third-party or host relays or observes information not intended for it. By
placing a computer in between communication endpoints, we see all data that
passes between those endpoints. This is useful for not only observing and
relaying traffic, but also for injecting commands or information into the
communication channel, and for session hijacking. For example, if I installed a
proxy server on a network and configured every client web browser to direct HTTP
traffic to me, I could observe you trading on-line and get your username and
password, etc. I may also be able to wait for you to log in and then steal that
connection from you and sell off your Cisco stock to buy shares of netflood.net

While that's not likely because your
not going to allow me to come in and set up a proxy server on your network and
because netflood isn't a publicly traded company, all it takes is someone with
the correct tools to logically (if not physically) do that on your network. This
is referred to as a man-in-the-middle attack.

Details:

There are numerous man-in-the-middle
attack tools, this article will only focus on tools capable of ARP
spoofing/poisoning with the sole intention of obtaining passwords. ARP
spoofing/poisoning is the act of pretending to be someone else by falsely
sending non-requested ARP replies or by answering ARP requests regardless of
what host (IP address) the communication is intended for, strictly for observing
or relaying* the data that passes between the two hosts. ARP is stateless (or
unreliable). It doesn't matter if a host sent an ARP request or not, it will
usually accept your reply ARP (with the bogus information) regardless. ARP
spoofing/poisoning can only be done on local area networks (even switched
LAN's). Obviously you cannot spoof a MAC address of a host on a different
network because that traffic would never be routed to you.

Note: ARP requests/replies, RARP
requests/replies, etc are simply indicators in the Operation portion of
an ARP packet, all we need to spoof MAC addresses is a tool which can modify the
Operation portion. 1 = ARP Request, 2 = ARP Reply, 4 = RARP Request, etc.

* make sure you are forwarding the
traffic if you are going to spoof the gateway. Otherwise you could hose your
entire network segment (subnet).

The Tools:

Ettercap (v0.4.3) -download
RPM here or TAR
here

An Excellent tool for sniffing
networks (and password discovery). Collects passwords for the following
protocols: TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11,
Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC (other protocols coming soon...).

That means that if I am on a
non-switched network and I have ettercap installed, I will get almost every
password from every user on my segment (network), including MS share passwords..
A scary proposition for administrators with Linux/*BSD boxes on their network.
If I am on a switched network I can poison the switch's ARP table, so that I
will receive all traffic destined for the victim.

Using Ettercap:

Ettercap is relatively easy to use,
in fact; I don't know how they could have made it any easier.

Synopsis:

ettercap [Option] [host:port] [host:port]
[MAC] [MAC]

See man page for available
options/variables

#ettercap -
If you just start ettercap with no variables (options), ettercap will build a
list of all hosts on your network via an ARP storm.

Choose a source and destination.

You will then be able to select the
following options by typing the h key:

ARP poison for man-in-the-middle
attack

IP based sniffing for sniffing
traffic between IP addresses

MAC based sniffing for
sniffing traffic between hardware addresses

Run a plugin to enhance
ettercap functionality

check for other (ARP) Poisoner

Fingerprint an OS which is
actually pretty powerful and usually correct.

Running ettercap with
variables/options such as -za will cause ettercap to start in silent
mode (no ARP storms) = z, ARP sniff = a and allow you to perform MiM attacks,
sniffing through gateways and switches.

Dsniff: Download RPM
here or Tar here

Written by Dug Song

dsniff is a collection of tools for
network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf,
urlsnarf, and webspy passively monitor a network for interesting data
(passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the
interception of network traffic normally unavailable to an attacker (e.g, due to
layer-2 switching). sshmitm and webmitm implement active "monkey-in-the-middle
attacks" against redirected SSH and HTTPS sessions by exploiting weak
bindings in ad-hoc PKI.

As mentioned in a previous netflood
article:

dsniff -w Filename.txt will
write all sniffed passwords to Filename.txt

dsniff -r Filename.txt
will read the file and list sniffed passwords

To arp poison, after installing
dsniff:

#arpspoof -i [interface] -t [target]
host

Choose interface, if necessary.
Choose target, for example if I wanted to poison the ARP table on just the
switch I would enter the IP address of the switch using the -t variable (it's my
target). If I do not use the -t variable, I will attempt to poison all hosts on
the LAN. The host is whose traffic you want to see.

Detecting ARP
spoofing/poisoning:

Use the Ettercap "Detect
Poisoner" option

Use Arpwatch: Download it here.

Arpwatch is a tool that monitors
ethernet activity and keeps a database of ethernet/ip address pairings. It also
reports certain changes via email. Arpwatch requires tcpdump and libpcap.
Includes FDDI support, updated ethercodes, uses autoconf.

RARP a MAC address and watch for a
return of multiple IP addresses.

1.) Remote Host Discovery with Portscanning - adept
2.) Script Kiddies and Screenwhores - Grifter
3.) Intro to Packet Sniffers - Grifter
4.) Quantum Mechanics (Part 2) - Josette
5.) SWATing Samba - socrates
6.) The Quest for Passwords - Shaft
7.) Windows or Linux? - Sebastian
8.) Getting Started with MySQL - L33tdawg

Good luck.

Source

Tags

Intel

You May Also Like

Other Articles In This Section

Recent News

Friday, November 29th

North Korean hackers posing as IT workers steal over $1B in cyberattack
OpenAI is at war with its own Sora video testers following brief public leak
Found on VirusTotal: The world’s first UEFI bootkit for Linux

Tuesday, November 19th

CISA Director Jen Easterly, in Place Since 2021, to Step Down
Korea extradites Russian, Vietnamese suspects linked to $16M ransomware scheme
WhatsApp: NSO Group Operates Pegasus Spyware for Customers

Friday, November 8th

North Korean hackers target cryptocurrency with malware
Man sick of crashes sues Intel for allegedly hiding CPU defects
Law enforcement operation takes down 22,000 malicious IP addresses worldwide

Friday, November 1st

Youth of today say passwords are old news, passkeys are the future
Chinese attackers accessed Canadian government networks – for five years
OpenAI launches ChatGPT with Search, taking Google head-on
Here’s the paper no one read before declaring the demise of modern cryptography
Not just ChatGPT anymore: Perplexity and Anthropic’s Claude get desktop apps

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes