any other information security business bog http://aob.kunis.nl about pentesting, information security and other Sun, 28 Feb 2010 17:51:15 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 howto do a man-in-the middle attack with APR on RDP using Cain & Abel http://aob.kunis.nl/2009/03/howto-do-a-man-in-the-middle-attack-with-apr-on-rdp-using-cain-abel/ http://aob.kunis.nl/2009/03/howto-do-a-man-in-the-middle-attack-with-apr-on-rdp-using-cain-abel/#comments Sun, 08 Mar 2009 16:03:09 +0000 Niels http://aob.kunis.nl/?p=183 Method

Warning: only try this on a network and on computers which you own or have permission to do this. In most countries it is illegal to do this on a network you do not own without permission of the owner.

The RDP protocol prior to version 6 is vulnerable for man in the middle (mitm) attacks. A man in the middle attack can be done one several ways, for example with arp poisoning routing (APR), an eval twin access point, DNS spoofing. Today, we’ll choose APR. APR only works on the local subnet, so the attacker must be somewhere in between the victim and the RDP server. The RDP server can be a any Windows host with terminal services or remote control enabled. In most cases the attacker is on the same subnet as the victim.

More information about arp-spoofing can be found on the wikipedia:

http://en.wikipedia.org/wiki/ARP_spoofing

Tooling

Man in the middle attacks can be done by for example Ettercap, Dsniff, Yersina or Cain & Abel. For this howto we’ll use the excellent password recovery tool called Cain & Abel.

Cain & Abel combines can combines a middle attack and a RDP weakness: It splits up the encrypted channel between the rdp client and server. Then there are two encrypted channels, one between the client and the attacker, and one between the attacker and the server. Now we can sniff every keystroke between the victim and the rdp-server.

The attack using arp poisoning routing and Cain & Abel

1) stop your anti-virus software because some anti-virus programs marks it as a unwanted software.

1) Start Cain & Abel

2) Start the sniffer:

cainabel-start-stop-sniffer

3) select the “Sniffer” tab and select the big plus (add to list):

cainabel-add-to-list

4) a dialog window appear. Just select “Ok” to use the defaults:

cainabel-mac-address-scanner

Now Cain & Abel looks likes this:

cainabel-sniffer-overview

Explanation:

192.168.2.1 is my Fritz!box 7170 router
192.168.2.22 is the XP workstation of my kids.
192.168.2.24 is my Linux Dreambox 7205 satellite reciever / nas / harddisk recorder
192.168.2.27 is a Windows 2003 terminal server on VMWare. Settings: high security, but without using client certifactes.
192.168.2.110 is  my Wii.

The plan is to do a ARP poisoning attack between when the Windows XP workstation (192.168.2.22) creates a RDP session to the Windows 2003 terminal server.

5) Now: use the APR tab click somewhere in the this area:

cainabel-apr

6) now press the bug plus (add to list). the following diaglog box will apear:

cainabel-new-apr

Now, select the two host which you want to sit in between. In this case we first choose the terminal server (192.68.2.27) and after that in the right pane the Windows XP workstation (192.168.2.22).

It is also possible to choose the default router (192.168.2.1 in my case) to do the attack on a terminal server which is located on another subnet.

7) After pressing “Ok”, you can start the apr poisoning routing attack with the APR button:

cainabel-start-apr

Now, the APR attack is running and we can wait till one of my kids  on the Windows XP workstation logins to the terminal server. Notice the Status “Poisoning”.

8) As soon as a RDP session is set-up, we see the session in our APR overview:

cainabel-apr-rdp-screen

Note the details: RDP v4, high level encryption, a 128 bit key. Looks secure but….

9) now, select the APR line and press the right mouse-button. A menu appears an choose “view”. A notepad window will open with the unencrypted log of the session.

This is my log:

rdp-200938153120273

Now search for the phrase “Key pressed client-side” to reveal the password:

Key pressed client-side: 0x1f – ‘s’
Key pressed client-side: 0×12 – ‘e’
Key pressed client-side: 0x2e – ‘c’
Key pressed client-side: 0×13 – ‘r’
Key pressed client-side: 0×12 – ‘e’
Key pressed client-side: 0×14 – ‘t’

countermeasures

To prevent this attack, the only way is to implement a server certificate so the client can verify it is connected to the real server intead of the attacker. See this microsoft page:

http://technet.microsoft.com/en-us/library/cc782610.aspx

references

The Cain & Abel page about APR RDP

]]> http://aob.kunis.nl/2009/03/howto-do-a-man-in-the-middle-attack-with-apr-on-rdp-using-cain-abel/feed/ 8 Kismet / airodump using a Intel PRO/Wireless 4965 http://aob.kunis.nl/2009/02/howto-start-kismet-using-a-intel-prowireless-4965/ http://aob.kunis.nl/2009/02/howto-start-kismet-using-a-intel-prowireless-4965/#comments Sun, 15 Feb 2009 22:45:47 +0000 Niels http://aob.kunis.nl/?p=121 <<< Backtrack 4 pre-release is out now which has an newer version of Kismet. For BT 4 pre-final this page is not applicable >>>

Kismet

The Intel PRO/Wireless 4965 wireless adapter, which is build-in in my laptop is now supported by Backtrack 4 using the iwlagn drivers.

Warning: only use this tooling on a network and on computers which you own or have permission to do this. In most countries it is illegal to use it on a network you do not own without permission of the owner.

The source-name for kismet is iwl4965, so you can start kismet using the following command:

kismet -c iwl4965,wlan0,wlan0

as an alternative you can edit the kismet.conf file and change the source parameter.

airodump-ng

For airodump-ng it is necessary to first create a monitoring VAP interface:

airmon-ng wlan0

now, a mon0 interface is created, which can be used by airodump-ng:

airodump-ng mon0
]]> http://aob.kunis.nl/2009/02/howto-start-kismet-using-a-intel-prowireless-4965/feed/ 0