Chapter 2: Discover What Your Boss is Looking At

Addison-Wesley Professional

Phoenix clenches his fists as he reads the memo on his desk. This is the last straw, Phoenix thinks to himself as he crumples the memo up and throws it away. It is a memo from his boss, Mr. Minutia, explaining that it has come to his attention that several employees are using their computers to send out personal e-mails. Phoenix’s boss would monitor all e-mail. Should he discover an e-mail that is not work related, human resources would reprimand the employee who sent it.

The memo does not stop there, however. It goes on to state that employees have been surfing the Internet for personal use during work hours, which is against company policy. As a result Phoenix is no longer allowed to delete his Web browser’s history so that his boss can come by and periodically check it.

Phoenix knows that Mr. Minutia has been spying on him for some time now. Phoenix sees Mr. Minutia at his desk, shuffling through papers, whenever he leaves his desk to go to the copy machine. Phoenix notices Mr. Minutia walk over to his desk whenever he is on the phone to eavesdrop on his conversations. Now Mr. Minutia has taken it to the next step by reading all of Phoenix’s e-mails and reviewing the Web sites Phoenix views.

The word hypocrite echoes in Phoenix’s mind. He knows his boss spends the majority of his time at work surfing the Internet. Phoenix is not sure what his boss is looking at, but Phoenix is determined to find out because he suspects it might not be work related. Then Phoenix can approach Mr. Minutia with a taste of his own medicine and expose his Internet-surfing habits. Phoenix begins to plot how he is going to spy on his boss.

Figure 2.1 illustrates Phoenix’s office scenario.

Figure 2.1

Figure 2.1

Topology diagram for scenario

The Approach

Like most of the attacks in the book, there is more than one method to launch Phoenix’s attack. Phoenix’s goal is essentially to monitor traffic to and from Mr. Minutia's machine. When deciding on a method, Phoenix needs to factor in how “loud” that method is going to be on your network. Attacks easily detected by intrusion detection or prevention systems (IDS/IPS) are "noisy" or "loud" because they trigger alarms and notify administrators of their existence. There are times when an attacker wants to be noisy, such as when launching a diversion attack to distract administrators while launching a stealthier attack, but the majority of the time an attacker wants to perform an attack that is not easily spotted by IDS/IPS software. Phoenix wants his attack to be precisely targeted and quiet.

When Is a Loud Approach Useful? - A loud method will most likely sound alarms on intrusion detection or intrusion prevention devices, but sometimes it is the only option to view traffic on a network. A loud approach is useful when an attacker wants to view all traffic on a network. To learn more about loud options an attacker has to view switched traffic, see the "For More Information" section later in this chapter.

Most networks use switches, but switches send traffic to and from only the devices that need to communicate with each other. Other devices would not necessarily be privy to communication between other computers, so Phoenix will not be able to see this traffic without a planned attack.

To understand Phoenix's attack method, you need to understand how switches work. In Figure 2.2, when UserA sends a frame to UserB, the switch records the source MAC (Media Access Control) address of UserA in its MAC address table. It then looks up the destination MAC address (UserB) in its table. If it does not have the destination MAC address in its table, the switch forwards the frame out all ports (Fa0/2 and Fa0/3, in this example).

Figure 2.2

Figure 2.2

Switch operations, part 1

Now examine Figure 2.3. In this figure, UserB is sending traffic back to UserA. The switch will record the source MAC address (UserB) in its MAC address table and look up the destination MAC address (UserA). Because it already has an entry for UserA, it forwards the frame only out Fa0/1 to UserA. UserC, connected to Fa0/3, will not receive any of the traffic between UserA and UserB. If Phoenix is UserC, he will not be seeing Mr. Minutia's traffic. But he is going to change this.

Figure 2.3

Figure 2.3

Switch operations, part 2

If you are UserC and you want to see the traffic between UserA and UserB, there are several loud methods you can undertake:

  • Gratuitous address resolution protocol (ARP) messages for individual hosts (ARP poisoning)

  • MAC spoofing

  • MAC flooding

You can learn more about these loud methods in the next section, but Phoenix's approach is different.

As an alternative to the loud approach, Phoenix can take a quieter approach to avoid detection. Because Phoenix wants to capture the traffic of only a single user (his boss), Phoenix does not need to perform ARP poisoning, MAC spoofing, or MAC flooding.

Instead, Phoenix needs to chain several exploits to get Mr. Minutia inadvertently to install packet capturing software on his computer. His boss will not blindly install software he does not recognize, so Phoenix will first set up a phishing scam to trick his boss into installing software he thinks is legitimate. A phishing scam is when a user is tricked to go to a Web site that looks like a legitimate Web site, but in fact is run by a malicious hacker. Phishing scams are often used to capture login information because the user logs to the Web site thinking it is a trusted site, but Phoenix’s will use the scam to have his manager download software that appears legitimate.

The software Mr. Minutia downloads from the phishing site will be bound with a Trojan horse application that Phoenix will use to establish a backdoor into his manager’s computer. His boss will have no idea that the Trojan is installed. After connecting, Phoenix will use the Trivial File Transfer Protocol (TFTP) to download a command-line packet-capturing tool. This tool will capture traffic to a log file that Phoenix will transfer back to his computer. Back on his computer, Phoenix will open up the log file and see what his boss is doing. Because his boss will have transferred images as well as text across the network, Phoenix will reassemble the image file using a hex editor so that he can see the pictures his boss is viewing.

In summary, the steps Phoenix will take are

  1. Copy a Web site and host it on Phoenix’s server.

  2. Bind a backdoor Trojan (Netcat) with legitimate executable.

  3. Send e-mail to his boss, Mr. Minutia, requesting that he download the free executable. His manager will install the executable and, subsequently, install Netcat.

  4. Use Netcat to connect to his manager’s machine.

  5. Use TFTP to download WinDump onto his manager’s machine.

  6. Capture traffic as his manager goes to a Web site.

  7. Analyze traffic sent to and from his manager’s computer using Wireshark.

  8. Use a hex editor to rebuild a graphic (.JPG) captured by WinDump.

For More Information

Even though they are not the approach Phoenix is taking, this section provides some more information on three loud options an attacker has to view switched traffic:

  • Gratuitous ARP messages for individual hosts (ARP poisoning)

  • MAC spoofing

  • MAC flooding

This list is by no means exhaustive. There are other techniques including variations of ARP poisoning and port mirroring (SPAN [switched port analyzer]). For more information on those, you can see Chapter 10, "Attacking the Network," in the book Penetration Testing and Network Defense by Andrew Whitaker and Daniel P. Newman (Cisco Press, 2006).

Figure 2.4 illustrates the first method, ARP poisoning. Here Phoenix sends out a gratuitous ARP message for each of the hosts that he wants to monitor. A gratuitous ARP is an unsolicited ARP message. Normally if UserA wanted to communicate to UserB (, it would first send out an ARP request to the network asking for the MAC address of Upon hearing the ARP request, UserB would send out an ARP reply with its MAC address. Phoenix can intercept all traffic sent to UserB by sending out an unsolicited ARP response announcing Phoenix’s MAC address for Phoenix can view the traffic going to other hosts by sending gratuitous ARP messages for each of the hosts on the network.

Figure 2.4

Figure 2.4

Gratuitous ARP messages

The second method—a variation of ARP poisoning—is to spoof the MAC address of a host (see Figure 2.5). This is commonly done for the default gateway, or router, on a network. In this example, Phoenix (UserC) spoofs the MAC address of the router. Whenever Phoenix hears an ARP request for, he replies with the same MAC address of the router. When a frame is sent from UserA to the Internet, it will go to the MAC address 0040:5B50:387E. The switch, seeing the router’s MAC address go out both Fa0/3 and Fa0/4, sends the frame to both the router and Phoenix’s computer. This approach will not show Phoenix all the traffic on your network, but it will show him the traffic destined out of your network.

Figure 2.5

Figure 2.5

MAC spoofing

The third technique is MAC flooding. As you’ve already learned, switches maintain a MAC address table. The MAC table reduces flooding by sending traffic out only the appropriate ports. By flooding the MAC table with thousands of bogus MAC addresses, it will no longer have entries for legitimate hosts. Subsequently, it will cause the switch to operate like a hub and forward all traffic out all ports. This makes it easy for Phoenix, the attacker, to spy on all traffic—even if it was not intended for his machine. Figure 2.6 shows a screen shot of MACOF (, which is one of many tools you can use to flood a switched network.

Figure 2.6

Figure 2.6

MAC flooding

Although these three methods are too loud for Phoenix's purposes, but they do serve to highlight some fundamentals of switched traffic that attackers can exploit. The next section begins the detailed discussion of Phoenix's chained exploit.

The Chained Exploit

This section includes the details of each step in Phoenix's chained exploit, including

  • Phishing scam

  • Installing executables

  • Setting up the phishing site

  • Sending Mr. Minutia an E-mail

  • Finding the boss’s computer

  • Connecting to the boss’s computer

  • WinPcap

  • Analyzing the packet capture

  • Reassembling the graphic

  • Other possibilities

The section ends with a summary of this chained exploit.

Phishing Scam

Phoenix's first step is to perform the phishing scam to trick Mr. Minutia into downloading software wrapped with Netcat. Netcat is a backdoor Trojan horse application Phoenix will use to connect to his manager’s computer.

Copying a Legitimate Web Site

First Phoenix needs to find a Web site that he knows will interest his boss. Phoenix has heard his boss talk about how he wants to attempt the Cisco CCNA certification exam, so Phoenix decides to use a Web site called that is offering free CCNA practice exam software for a limited time as part of a promotional offer (see Figure 2.7). is not a real Web site at the time of this writing. It is simply used for illustration purposes in this chapter.

Figure 2.7

Figure 2.7 Web site

To begin, Phoenix needs to copy down the Web site to his own Web server. One of the more popular utilities for doing this is Wget ( Wget is a command-line utility with many powerful options (see for a list of options). In Phoenix’s case, he chooses the following syntax:

wget -m -r -l 12

The switches do the following:

  • -m—Mirror the Web site.

  • -r—Recursively pull down any pages linked to the first page.

  • -l 12—Pull down pages only within 12 hyperlinks of the first page. If Phoenix does not set this to a reasonable boundary, he can end up downloading a significant amount of Web pages. If it is too small, he will not copy enough of the site to replicate it on his server.

This command results in copying the Web site to a directory called on his local hard drive. This also saves a copy of the ccna.exe executable (see Figure 2.8), which he will bind with a Trojan.

Figure 2.8

Figure 2.8


Like many install executables, this software is a zipped executable. Instead of double-clicking the executable, Phoenix unzips it using WinZip. Figure 2.9 shows an example of right-clicking the executable, which brings up a menu with an option to extract the files. Phoenix needs to extract them because he will be using the files contained in the zipped executable to create a new executable wrapped with the backdoor utility.

Figure 2.9

Figure 2.9

Extracting the executable

After extracting the files, Phoenix renames setup.exe file to another name, such as backup.exe. Phoenix will be creating a new setup.exe later.

Installing Executables

Many install executables contain both a setup.exe file and a setup.lst file that the setup.exe file references. If you rename the setup.exe file to something else, be sure to make a copy of the setup.lst file with the same name. For example, if you rename setup.exe to backup.exe, make a copy of setup.lst called backup.lst.

Binding the Back Door Trojan with the Executable

1 2 3 Page 1
Page 1 of 3
Now read: Getting grounded in IoT