Monthly Archives: December 2014


Sniffing the Network

This article is intended to provide a simple demonstration of how easy it is to sniff/intercept traffic on various types of networks, and serve as a warning to utilize secure methods of communication on a) untrusted networks and b) known networks with the potential for untrusted clients or administrators. The first consideration is the topology of the network we’re connected to. To consider 5 common scenarios: Wired ethernet hub network: Hubs are becoming more and more obsolete as they are changed to switches. Multiple devices can be connected to a hub, and any data received by the hub from one device is broadcast out to all other devices. This means that all devices receive all network traffic. Not only is this an inefficient use of bandwidth, but each device is trusted to accept traffic destined for itself and to ignore traffic destined for another node. To sniff such a network, a node simply needs to switch it’s network interface card to “promiscuous mode”, meaning that it accepts all traffic received. Wired ethernet switched network: Multiple devices can be connected to a switch, however a switch has greater intelligence than a hub. The switch will inspect the traffic sent on each port, and learn the hardware (MAC) address of the client connected to a particular port. Once learned, the switch will inspect any frames it receives on a port, and forward that frame to the known recipient’s port alone. Other devices connected to the switch will not receive traffic that is not destined for them. This offers enhanced bandwidth usage over a hub. Switches rely on ARP packets which are easily forged in order to learn which devices are on which ports. Wireless open networks: Multiple devices can connect to an open wireless network. All data is broadcast across the network in plain text, and any attacker can sniff/intercept traffic being broadcast across the network. An open wireless network may present the user with a form of hotspot login page before granting internet access, however this does not detract from the network itself being open. WEP encrypted wireless network: A WEP encrypted network requires a WEP key to encrypt and decrypt network traffic. WEP has long been an outdated and insecure method of wireless network protection, and cracking a wireless network’s WEP key is fast and requires low skill. WEP is not secure. In addition, all clients connected to the network use the same WEP key to connect. That results in any user on the network with the WEP key being table to view any traffic transmitted to and from other nodes on the network. WPA/WPA2 encrypted network: A WPA/WPA2 encrypted network is significantly more secure than a WEP network. Whilst attacks exist on parts of the protocol, and extensions such as WPS, no known attack is able to recover a complex WPA/WPA2 password within an acceptable period of time. Whilst all clients connect to the network with the same password, the protocol is engineered to create different keystreams between each connected client and the access point. This means that simple sniffing in the traditional sense is not possible on the network. […]

By | December 14th, 2014|Linux, Security Consultant, Wireless|0 Comments

Linux: You may have been Compromised when..

There are a number of warning signs that a system has been compromised. The cases below warrant further investigation. Of course, they aren’t all guarantees that your system has been compromised, however they can be strong indicators. 1. Your welcome banner shows the last log in from an unknown/foreign IP address: Last login: Tue Dec 2 16:08:41 2014 from root@mt:~# 2. The load on a usually idle system is suspiciously high: root@mt:~# w 17:06:39 up 62 days, 22:37, 1 user, load average: 8.12, 8.14, 8.11 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/0 pwn 17:03 7.00s 0.00s 0.00s w This could indicate that unknown processes are running. […]

By | December 9th, 2014|Linux, Security Consultant|0 Comments

Reset Linux Root Password

There are a couple of reasons why you might want to reset a Linux root password. If the current password is known to you, just log in as root and issue the passwd command. What if you’ve forgotten the password and can’t log in? Resetting a Linux root password is simple if you have access to the machine. There are 2 main methods. Method #1 First, we boot the machine up. If LILO is in use, enter linux init=/bin/bash at the ‘LILO:’ prompt. If GRUB is in use, then press key ‘e’. We’ll need to edit the kernel line, beginning ‘linux’, and append init=/bin/sh:   […]

By | December 6th, 2014|Linux|4 Comments

Burp Suite: Intercepting & Modifying HTTP Requests & Responses

Burp Suite is a powerful web application auditor with a huge range of features, from simple to advanced. One of its core features is an intercepting proxy server. This allows us to pass our web traffic through burp suite, allowing us to view and modify both our browsers request before it goes to the remote web server, and the web server’s response before it returns to our browser. A couple common request modifications: Add data to form submissions, modify hidden fields. View and modify browser AJAX data View and edit headers including cookies And a couple of common response modifications: Remove client side JavaScript (usually validations or other limitations) Add or remove cookies sent to the browser First, fire up Burp Suite, and browse to Proxy –> Options: […]

By | December 3rd, 2014|Linux, Security Consultant|0 Comments