Sniffing and identity authentication

purpose

• Master the use of Sniffer tools by using Wireshark software to capture data packets of protocols such as HTTP, to understand the data structure of multiple protocols in TCP/IP, and to understand the characteristics of plaintext transmission of protocols such as HTTP through experiments
• Research the implementation and prevention methods of network sniffing in the switching environment, research and use the security loopholes of the ARP protocol, implement ARP spoofing through Arpspoof to capture other user data in the intranet.
• Can use BrupSuite to achieve website login brute force cracking to obtain login password
• Able to crack ZIP passwords, understand the concept and settings of secure passwords

surroundings

• System environment: Kali Linux 2, Windows
• Network environment: switching network structure

tool

Arpspoof, WireShark, BurpSuite, fcrackzip (for zip password cracking)

Network Sniffing content

Please see my other article for the principle
https://blog.csdn.net/Woolemon/article/details/109556164

Wireshark monitors network traffic and captures packets.

A (window) host is on the external network, and B (kaili) runs sinffer (Wireshark) and selects only to capture data from A).

1. First of all, we need to confirm that Kali and Windows are in the same network segment (the state that can ping each other)
2. process

• Next, open wireshark in kali, use A (window) to ping B (kali), and observe the response
  filtering statement of wireshark : ip.scr==192.168.222.129(B's ip address) It is
  
  found that the communication between A and the external network cannot be seen (the account A just entered) And password)
• Then use A (window) to ping Baidu website (www.baidu.com), observe the wireshark response,
  and observe three DNS packets (2 domain name resolutions), 12 ICMP packets (6 pings), and two DHCP The corresponding information can be obtained through message analysis. For
  example, when you open the DNS package, you can see:
  DNS is found to be an application layer protocol, the lower transport layer uses UDP, and the lower network layer is IP protocol, and then the data link layer Ethernet frame .
  can obtain the necessary information from the lower layer:
  UDP (the User Datagram Protocol) packet: the destination port for DNS (Dst port)
  IPv4 (Internet Protocol Version 4) packet destination IP

ARP spoofing: ArpSpoof, implement ARP spoofing

In order to deceive B, let B send all the messages to A here. A needs to impersonate the role of a switch in the LAN . (At this time, B is the Window host)

1. Install arpspoof

In the process of installing this package, you may encounter some pits, solutions:

• It is recommended to replace the kali source, otherwise it may not be found
  1.kali中输入sudo vim /etc/apt/sources.list 2.输入 O,进入文件 3.按i键进入编辑模式 4.将所换源代替原来的 5.按ESC键退出编辑模式 6.shift+;进入外部编辑，再按输入qw保存并退出

• sudo apt-get install dsniffCommands used in the installation process
  Here we use a one-way attack (the attacked host sends data to the attacking host, and the attacking host forwards it to the gateway, the gateway sends the data to the server, the server returns the data to the gateway, and the gateway returns the data to the attacked host)

• First confirm the gateway address route -nand ip address of kali ifconfig.
  It can be seen that the Kali gateway address is: 192.168.222.2 ip address: 192.168.222.129
  

• Check another ip on the same local area network to
  namp -v -sn 192.168.222.2(网关地址）/24
  
  find an ip, then go to Window to check its own ip, and find that it is the same, that is, success

• Enable port forwarding, allowing the machine to forward data packets like a routerecho 1 > /proc/sys/net/ipv4/ip_forward

• ARP poisoning, claiming to host B that he (the attacker) is the gateway
  arpspoof -i eth0 -t IP1 IP2(IP1 is my attack target ip, IP2 is the gateway IP address)
  ps : if not found, reinstall arpspoof and continue the above steps

• Enter at the Window command prompt arp -a: you can see that the ip has been changed, that is, the deception is successful
  .
  

2. Find any website on the Internet that transmits the user account and password in plain text, and screenshot the plain text information displayed in Wireshark

It is known that the educational administration system of a school transmits the user account in clear text
1. Open wireshark
in Kali 2. Open the browser on Window and enter the educational administration system
3. Enter the account, password and verification code in the educational administration system
4. Observe that wireshark contains POST Packets

3. Can B see the communication between A and the external network

-No, use Window to visit a certain website and log in. I found that wireshark cannot capture the account and password just entered

FTP data restore

Use WireShark to open the experimental data data.pcapng.
1. Put data in the virtual machine
2. Pause WireShark and then pull Data in

1. Check the IP address of the FTP server

Enter ftp in wireshark, and you can see
ip: 192.168.182.1 in the Source column

2. Check the account and password of the client to log in to the FTP server

Click any one to track (right-follow-TCP stream)
as shown in the figure:
Account: anonymous
Password: [email protected]

3. The client downloaded or viewed 2 files from FTP, one is a ZIP file and the other is a TXT file. What are the file names?

Tip: The file name may be Chinese.
1. Wireshark input ftp-data
tcp.stream eq <> : display all data packets generated by both parties of the conversation from establishment to termination of a TCP connection (for example: tcp.stream eq 0)
2. Trace TCP stream
ps : when displayed as When tcp.stream eq is 0, click tracking may not be found. At this time, you can manually change the following parameters and then track!
3. The title gives the information: Chinese, so when it is tracked, you need to convert the ACSLL value to UTF-8: convert the data string to UTF-8 encoding to
get the following figure:

4. Restore the ZIP file and open it (ZIP has a decompression password, try to crack, prompt: the password is all numbers and 6 digits).

1. Wireshark precise input (convenient):
the file header of ftp-data and zip (504B0304) is shown in the figure:

2. Tracking
Save the file as raw data: change ACSII to Raw

3. Use fcrakzip password cracking under kali Tool to crack zip
PS : zip is a very popular compression format, and it provides a password protection function, only input the correct password to decompress.

• First enter sudo apt-get install fcrackzipthe tool to install fcrackzip in kali
  

• Cracking command:
  1. Enter the path of cd and saved zip
  2. Enter fcrackzip -b -c1 -l 6 -u b.zip(b.zip is the name of my zip file)
  
  b: Use brute force mode
  c1: Use pure numbers to crack
  l: Specify the length/range of the cracked password
  u: Use The unzip
  visible password is: 123456, you can see it by typing it in
  

5. View the contents of the TXT file

1. On the basis of the previous content, change the following parameters, such as: tcp.stream eq 4, you can find the txt file
2. Tracking can be directly obtained

MD5 crack

SqlMap gets the user table information of a certain database. The MD5 value of the user password is 7282C5050CFE7DF5E09A33CA456B94AE

Password plaintext

The plaintext can be obtained directly through the MD5 encryption and decryption website or software:

The role of John the Ripper

John the Ripper's free open source software is a fast password cracking tool that is used to crack the plaintext when the ciphertext is known. It supports most encryption algorithms, such as DES, MD4, MD5, etc. It supports many different types of system architectures, including Unix, Linux, Windows, DOS mode, BeOS and OpenVMS, and the main purpose is to crack the Unix/Linux system passwords that are not strong enough. The latest version is John the Ripper 1.8.0, and the latest free version for the Windows platform is John the Ripper 1.7.9.
Features :

• Users can start, pause and continue cracking
• Support all input file formats
• You can continue to crack from the session history
• Support each type of hash
• Lucky guessing function
• The configuration file exists in the .conf file (~/.john/johnny.conf),
• Support English and French

How to prevent ARP attacks

1. Do local protection

• Do not browse unsafe URLs.
  Many websites are linked to horses, and there is a risk of "winning the bid" when browsing the website. Therefore, try not to browse unfamiliar and informal websites!
• Patch system vulnerabilities in time.
  There are both good and bad sides for Microsoft to fix system vulnerabilities. Every time Microsoft releases a vulnerability patch, it tells people what insecure factors exist in the system. If you do not fix the vulnerabilities in time, then you may become the victim!
• Install firewall and anti-virus software.
  Many people's computers are "streaking" without installing anti-virus software or firewalls. This situation is the easiest to successfully invade. Therefore, it is recommended to install all anti-virus software and firewall and update anti-virus regularly.

2. Use routers to implement IP and MAC binding to prevent ARP attacks

3. Use network management software to bind IP and MAC

Principles that a secure password (password) should follow

It is strictly forbidden to use an empty password and the same password as the user name;
do not choose a password that can be found in any dictionary or language;
do not choose a password composed of simple letters;
do not choose any password related to personal information;
do not choose less than 6 characters Or contain only letters or numbers;
do not choose a password that is published as a password example;
adopt a mix of numbers and easy to remember.

Importance of dictionary in dictionary attack

When cracking the password or key, try the possible password (word or phrase) attack methods in the user-defined dictionary one by one. The difference with brute force cracking is that brute force cracking will try all possible combinations of passwords one by one, while dictionary attack will use a predefined list of words (possible passwords).

to sum up

• You must have a good and active learning awareness and learn to understand the basic concepts of network sniffing and identity authentication through the Internet
• I usually need to accumulate some basic operations about kali and wireshark, such as: what are the steps for kali to change to a new source, what key to press to enter the edit mode, etc.
• While self-study, learn to ask more and communicate with some classmates and predecessors. Perhaps her (their) ideas and methods are more accessible and refreshing
• Finally, you still need to write questions regularly to consolidate and increase your knowledge base