Monday, July 1, 2013

MITM ATTACK - Configuration To Exploitation

DO YOU KNOW WHAT IS THE ADVANCE WEB ATTACK NOW A DAYS?
Can I ask you something?
Is there anyone who refuses to accept that you have used or you are using a public WI-FI for internet access in your mobile, laptop or an IPAD. I am sure, no one will refuse to accept this. Let me ask you another question.
Do you know your ID and Password are open to all ? Do you know anyone can see your ID password?

Yes, this is true, you might not aware of this but it is fact. When we use public or open Wi-Fi and we login into our Facebook, Twitter or email account, our credentials can be hijacked by an attacker via MITM attack which stands for Man-in-the-Middle attack.


WHAT WILL YOU LEARN TODAY?
Today, we are giving you demonstration of MITM attack, that how an attacker can perform MITM attack to see your credentials in plain text in order to gain access to your account. You will also learn that how http configuration can be done at server side and how attacker actually comes in between scenario and performs this attack.

INTRODUCTION
This report will demonstrate how to use .htaccess and .htpasswd files to protect directories and Web Pages with a username/password. The  password protected webpage will be implemented using Apache HTTP Server. This will help provide authentication, authorization and  access control capabilities. Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be while authorization is process of giving someone permission to do or have something. This will ensure that the people who access the Web Pages have the right and privilege.

Actually, this is network vulnerability but now a days professional hackers use this for web attacks. As we all know that there are so many places where we are given free public Wi-Fi. So hackers actually use those to intercept the traffic in order to gain the access of user’s different accounts.

CONFIGURATION
HTTP INSTALLATION
To begin the process, httpd will need to be installed on the Linux machine. Here I am configuring http on CentOS(Alice) and I will be using backtrack as an attacker machine (EVE) and XP(BOB) machine as a client.

#yum install httpd


As shown in the figure screenshot above, ‘httpd’ was successfully installed. Now we need to run httpd service each time the system boots up. For that gives following command in terminal.
# chkconfig httpd on
Now we can start, stop and restart the  httpd service  using the commands shown in  as in  the screenshot below figure:

EDITING httpd.conf CONFIGURATION FILE
After the successful  installation,   the next step is to edit the  httpd.conf file which is an Apache web server configuration file. This  file is located in: /etc/httpd/conf/httpd.conf and  will be edited using text editor.

Once in the text editor, The second appearance of AllowOverride None should be changed to AllowOverride AuthConfig. Actually this controls the files which we will put in the directory. It we do not change this then it will not read the files lying in our directory.

It controls .htaccess file, which we will put in our directory for the authentication purpose.


Next, a folder will be created in /html/ folder. This folder will be used to setup the password protected page. The full directory link is /var/www/html. Go to the mentioned directory and create a folder of your desired name. Here we are going to create folder named ‘adcpractical’ by making use of the ‘mkdir adcpractical’ command.

ADDING USERS
Next , we need to configure the server to request a password  and tell the servers which users are allowed to access. To do this, two files will be created, they are: .htaccess and .htpasswd. The .htaccess file will show the access login information for users and also includes the list of specific users who can login, and .htpasswd file includes the individual users and their passwords. .htaccess will be created in that folder (adcpractical)  by the use of any text editor and the file will include the following:

# touch .htaccess
# touch .htpasswd

Two files have been created within adcpractical folder. First, give below command in order to write configuration in .htaccess file.
# nano .htaccess
It will open an editor in which we need to write below lines to enable authentication.
 

We won’t write line into .htpasswd file from editor. We will use terminal to do so by using passwd command. This command is used to add encrypted passwords to desired files.
Now as we told, password will be assigned to those users assigned are listed
in : Require User  but not with a text editor  but with this command line
(Terminal)

htpasswd –md .htpasswd prithak 1234qwer
adding passwd for user prithak

htpasswd –md .htpasswd chintan password
adding passwd for user chintan

htpasswd –md .htpasswd dami password123
adding passwd for user dami

Now let’s check the .htpasswd file by giving cat .htpasswd command.


This MD5 encryption is displayed  due to the command which we have used. In our command htpasswd we have used –m option which stands for md5 encryption. It will force it to do encryption of those plain text passwords which we have given through terminal for all users. Not only md5 encryption was used but also the  –d option does crypting functionality by using MD5 in order to encrypting passwords. The screenshot below shows the option and it’s descriptions which we have used to give password for each users.

Now we can  test our password protected page to ensure it functions properly. Two screenshot are presented below -  the 1st one screenshot will show the result of a false authentication and 2nd will show the result of an authentication from an authentic user.

The welcome page files of centos were placed in our adc practical folder so if the authentication is successful,  these files will be called and  a welcome message in the browser will come up. Else it will continuously ask for the  right credentials in order to be successfully authenticated by the server. The figure below shows the welcome message files that were earlier placed  in adcpractical folder.


Now we are in a stage to check our whole configuration. In this example, the server is a centos and attacker machine is backtrack so from backtrack we will give Centos’ eth0 IP address or Local host which is running httpd service and after that,  we will add  /adcpractical/ in order to display authentication dialogue box as shown in figure.


To ensure that our server is properly configured to deny unauthorized users and give access to authorized users, we will give a wrong username and password. After doing this, no message was displayed and the dialogue box remained there continuously asking for the right credentials.  We now gave a correct username and password and clicked on the OK button to login.
 



This shows that our password protected webpage is generated through .htaccess file and .htpasswd file and the server has been configured properly to deny access to unauthorized users and give access to genuine users. Now it is time to attack page.

MITM ATTACK – ( MAN IN THE MIDDLE ) 

This attack is also known as “Bucket Brigade”. This attack is a  form of active “eavesdropping”. For this demonstration, 3 machines will be used which are the Server, Client and the attacking machine. Generally, the attacking machine makes independent connections and impersonates both the server and client.
 


The attacker convinces the  server that it's the client and  the client that it's the server then relays messages between them. Client and server think that they both are talking with each other over a private connection, when in fact the entire conversation is controlled by the attacker.

The attacker is able to trace all the packets exchanged between client and server. If any authentication is carried out by client, then attacker will find those authentication credentials by using any packet analyzing software such as “Wireshark”.


     ARPSPOOF
In this demonstration, we are going to use Arpspoof tool which is already installed in Backtrack 5 R3 distribution. This tool is able to intercept the messages between 2 machines that are interacting with each other. It has many features and supports IPv4 and Ipv6 address network resolution. It is also platform independent.
    Preparation of Attack
Here is the syntax of arpspoof tool which tells us that we need to the give interface for the target and host machine. Below is the data which we should know prior to attacking.
Machine
IP Address
CentOS – Server
192.168.41.130
Windows XP – Client
192.168.41.132
Backtrack 5 R3 – Attacker
192.168.41.131

The first step is to convince the server that our(attacking machine) is the client and our client that we are the server. We will be doing that by opening 2 different terminal and executing the following 2 commands respectively. Back track’s network interface is eth3.
 
# arpspoof –i eth3 –t 192.168.41.130 192.168.41.132
  

# arpspoof –i eth3 –t 192.168.41.132 192.168.41.130



In both process only one thing is common that is eth3. Communication is done via eth3 network interface which is back track’s network interface. So arpspoof will be able to intercept every traffic going in between the server and client. Now arpspoof is ready and intercepting traffic of network. 

We will need to have “Wireshark” tool to analyze all single packet. To do this, open the software by typing Wireshark in another terminal. In Wireshark, we will need to select eth3 interface in order to display all the packet exchange process. After clicking on the start button it will start capturing each and every single packet in that tool. Next step will be for  the  client Windows XP to login into the server using Centos’ network interface eth0’s IP address and /adcpractical/ following it. The user will provide the server the right credentials and the server will give credentials in plain text to do successful authentication. Once the user is logged in into the server, the attacking machine can now stop the capturing in Wireshark tool. Before analyzing each and every packet lets save it as any name e.g.  *.pcap file.



By analyzing each and every packet, we have found the credentials which were used by the windows XP client for authentication. The packet was normal ICMP packet in which credentials were passed in plain text to the server from client. The figure below f illustrates the concept  showing how arpspoof attack is carried out. However, It is difficult setting up this configuration and attacking targeted machines
  

CONCLUSION

This report has demonstrated how to perform MITM attack on local host for learning purpose. It clearly demonstrates how a password protect  a web page can be configured using  .Htaccess /. htpasswd on an APACHE sever and  has shown the implementation of  MITM attack namely man-in the middle attack using Backtrack as an attacker machine and XP as a client machine.

REFERENCES

1.   Anon (2008). Ettercap  Mitm attacks. Available at: http://openmaniak.com/ettercap.php. (Accessed on: 21st April 2013).
2.   Petersen, R. (2010). Fedora 14 Networking and Servers. Edition. Surfing turtle press.
3.   ArpSpoof2005/03/14, . Available at: http://arpspoof.sourceforge.net/.
4.   RALPHANGENENDT, 2010 10 10, 2010-last update, HowTos/Https - CentOS Wiki. Available: http://wiki.centos.org/HowTos/Https.
5.   Main_the_Middle.JPEG. (n.d.). Retrieved from OWASP: https://www.owasp.org/images/2/21/Main_the_middle.JPG


No comments: