Attack is the best defense: ARP spoofing, sniffing unencrypted traffic and Dictionary attack




I am a software engineering student with Alx-Africa, and as part of my curriculum I come across very taxing projects. The most recent of these covered DevOps, scripting and hacking. I had a lot of fun working out the requirements of this project, and as my introductory write-up I want to share how I successfully completed the required tasks.


Overview

The project requires using tcpdump, hydra, telnet and docker to test network security. It is divided into two tasks: the first involved ARP spoofing and sniffing unencrypted traffic.

ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network.
This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network.
Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address.
ARP spoofing can enable malicious parties to intercept, modify or even stop data in transit.
ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol.

We were provided with a user_authenticating_into_server bash script that performs the authentication steps shown below. Our mission was to execute user_authenticating_into_server locally on our machine and, using tcpdump, sniff the network to find the password.

sylvain@ubuntu$ telnet smtp.sendgrid.net 587
Trying 167.89.121.145...
Connected to smtp.sendgrid.net.
Escape character is '^]'.
220 SG ESMTP service ready at ismtpd0013p1las1.sendgrid.net
EHLO ismtpd0013p1las1.sendgrid.net
250-smtp.sendgrid.net
250-8BITMIME
250-PIPELINING
250-SIZE 31457280
250-STARTTLS
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN
auth login           
334 VXNlcm5hbWU6
VGhpcyBpcyBteSBsb2dpbg==
334 UGFzc3dvcmQ6
WW91IHJlYWxseSB0aG91Z2h0IEkgd291bGQgbGV0IG15IHBhc3N3b3JkIGhlcmU/ISA6RA==
235 Authentication successful
mail from: sylvain@kalache.fr
250 Sender address accepted
rcpt to: julien@google.com
250 Recipient address accepted
data
354 Continue
To: Julien
From: Sylvain
Subject: Hello from the insecure world

I am sending you this email from a Terminal.
.
250 Ok: queued as Aq1zhMM3QYeEprixUiFYNg
quit
221 See you later
Connection closed by foreign host.
sylvain@ubuntu$ 

The second task involved using a dictionary attack to break into a password-based authentication system on an SSH account.

A dictionary attack is a method of guessing a password (or in some cases a username and password) in an attempt to break into a password-protected computer,
network or other IT resource by systematically trying every word in a dictionary (a prepared wordlist) as the password.
A dictionary attack can also be used in an attempt to find the key necessary to decrypt an encrypted message or document.

This involved using hydra together with a password dictionary to try to brute force an account via SSH on the Docker container.


Task 0 Solution:

For sniffing the network:

1. Launch your Linux terminal

2. Run the command:

sudo tcpdump -i eth0 -w dump.pcap 'not port 22'
-i specifies the network interface to capture packets from.
-w specifies that raw packets are written to the file dump.pcap rather than parsing and printing them on the terminal.
'not port 22' is a capture filter telling tcpdump not to capture any packets on port 22 (SSH), so an SSH session to the machine does not flood the capture.

3. You should see:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

4. Launch a second Linux terminal

5. On the second terminal, navigate to the location of the user_authenticating_into_server bash script and execute it.

6. Once the script has finished running, stop the tcpdump process with Ctrl + C

7. Install the Wireshark network analyzer by following the steps outlined here

8. After the install, run the command:

sudo wireshark dump.pcap

9. That should open the Wireshark window. Filter for the SMTP protocol and check the Info column of each packet. There should be one with info in the following format:

C: Pass: alphanumeric_characters

10. Right-click on that packet; select Protocol Preferences; select Simple Mail Transfer Protocol; tick Decode Base64 encoded AUTH parameters

11. The password should be revealed in all its glory
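As an added example (not part of the original write-up), the following Python script does offline what step 10 does in Wireshark: it walks a cleartext SMTP session, decodes the AUTH LOGIN prompts and answers, and also checks whether STARTTLS was offered but never issued, which is the condition a defender should alert on. The transcript is constructed from the exchange shown above; the AUTH PLAIN handling goes beyond what the page shows.

```python
import base64

# Constructed transcript of the exchange shown above; the base64 values
# are the ones printed on the page, not a real credential.
SESSION = """\
220 SG ESMTP service ready at ismtpd0013p1las1.sendgrid.net
EHLO ismtpd0013p1las1.sendgrid.net
250-smtp.sendgrid.net
250-STARTTLS
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN
auth login
334 VXNlcm5hbWU6
VGhpcyBpcyBteSBsb2dpbg==
334 UGFzc3dvcmQ6
WW91IHJlYWxseSB0aG91Z2h0IEkgd291bGQgbGV0IG15IHBhc3N3b3JkIGhlcmU/ISA6RA==
235 Authentication successful
"""


def _b64(s):
    return base64.b64decode(s.strip()).decode("utf-8", "replace")


def audit_smtp_session(text):
    """Report AUTH credentials that crossed the wire before STARTTLS."""
    r = {"starttls_offered": False, "starttls_used": False,
         "username": None, "password": None}
    expecting = None  # which AUTH LOGIN prompt the client is answering
    for line in text.splitlines():
        line = line.rstrip("\r")
        upper = line.upper()
        if upper in ("250-STARTTLS", "250 STARTTLS"):
            r["starttls_offered"] = True
        elif upper == "STARTTLS":
            r["starttls_used"] = True
        elif upper.startswith("AUTH PLAIN "):
            # AUTH PLAIN sends "[authzid]\0user\0password" as one base64 blob
            _, r["username"], r["password"] = _b64(line[11:]).split("\0")
        elif upper == "AUTH LOGIN":
            expecting = "prompt"
        elif expecting == "prompt" and line.startswith("334 "):
            # the server prompt is the base64 of "Username:" or "Password:"
            expecting = _b64(line[4:]).rstrip(":").lower()
        elif expecting in ("username", "password"):
            r[expecting] = _b64(line)  # the client's base64 answer
            expecting = "prompt"
    # credentials seen without a prior STARTTLS were readable on the LAN
    r["plaintext_auth"] = r["username"] is not None and not r["starttls_used"]
    return r
```

For a real capture, the session text is the TCP stream of the SMTP conversation; the same check applied to a session that issues STARTTLS before AUTH reports no plaintext credentials.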


Task 1 Solution:

1. Install Docker using:

sudo apt update
sudo apt install docker.io

2. Install Hydra using:

sudo apt install hydra

3. Pull and run the Docker image sylvainkalache/264-1 with the command:

sudo docker run -p 2222:22 -d -ti sylvainkalache/264-1

4. Since we will be using the rockyou password list, download it from here

5. Run the command below:

sudo hydra -l sylvain -P /directory_to_downloaded_rockyou_txt_file ssh://127.0.0.1:2222 -t 4

NB: remember to replace /directory_to_downloaded_rockyou_txt_file with the path to the downloaded rockyou.txt file.
-l specifies the username for the brute force attack.
-P specifies the password wordlist to use for the brute force attack.
-t 4 sets the number of parallel tasks (threads) to run.

6. Now, depending on the processing power of your computer and your network speed, the password will be displayed in a few minutes or several hours.
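As an added example (not from the original write-up) of the defensive side of Task 1, this Python script runs over constructed sshd log lines in the default auth.log format and flags a source that fails a password a threshold number of times within a time window, noting a success that follows. That burst of failures followed by a success is the trace a wordlist run like the one above leaves on the target. The IPs, ports and timestamps are made up.

```python
import re
from collections import defaultdict, deque

# Constructed sshd log lines (default syslog format): a wordlist attack with
# hydra -t 4 against one account produces this kind of burst of failures.
LOG = """\
Mar  3 10:15:01 ubuntu sshd[2210]: Failed password for sylvain from 10.0.0.5 port 40122 ssh2
Mar  3 10:15:01 ubuntu sshd[2211]: Failed password for sylvain from 10.0.0.5 port 40123 ssh2
Mar  3 10:15:02 ubuntu sshd[2212]: Failed password for sylvain from 10.0.0.5 port 40124 ssh2
Mar  3 10:15:02 ubuntu sshd[2213]: Failed password for sylvain from 10.0.0.5 port 40125 ssh2
Mar  3 10:15:03 ubuntu sshd[2214]: Failed password for sylvain from 10.0.0.5 port 40126 ssh2
Mar  3 10:15:04 ubuntu sshd[2230]: Failed password for alice from 10.0.0.9 port 51000 ssh2
Mar  3 10:15:06 ubuntu sshd[2231]: Accepted password for alice from 10.0.0.9 port 51000 ssh2
Mar  3 10:15:07 ubuntu sshd[2215]: Failed password for sylvain from 10.0.0.5 port 40127 ssh2
Mar  3 10:15:08 ubuntu sshd[2216]: Accepted password for sylvain from 10.0.0.5 port 40128 ssh2
"""

LINE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) "
    r"password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2$")


def detect_bruteforce(log, threshold=5, window=60):
    """Flag sources with >= threshold failed passwords inside `window` seconds."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = {}                  # src -> alert details
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        h, mi, s, outcome, user, src = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + int(s)  # seconds into the day
        if outcome == "Failed":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if src in alerts:
                alerts[src]["failures"] += 1
            elif len(q) >= threshold:
                alerts[src] = {"user": user, "failures": len(q),
                               "first_alert": ts, "success_after": None}
        elif src in alerts:
            # a success right after a burst of failures: a guess landed
            alerts[src]["success_after"] = user
    return alerts
```

The timestamp is reduced to seconds into the day, so a window that spans midnight is not handled; on a real host the same logic is what tools such as fail2ban apply to auth.log before banning the source.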

Conclusion

This project teaches the impact that transfer protocols and authentication systems have on the security of a network. As software engineers, it is expedient that we know and understand the pros and cons of the various transfer protocols and authentication systems in order to design truly robust and secure systems.
