Is there anyone who can deny having used, or still using, public Wi-Fi for internet access on a mobile phone, laptop or iPad? I am sure no one can. Let me ask you another question.
Do you know that your ID and password are open to all? Do you know that anyone can see your ID and password?
Yes, this is true; you might not be aware of it, but it is a fact. When we use public or open Wi-Fi and log in to our Facebook, Twitter or email account, our credentials can be hijacked by an attacker via a MITM (Man-in-the-Middle) attack.
WHAT WILL YOU LEARN TODAY?
Today we are giving you a demonstration of a MITM attack: how an attacker can perform a MITM attack to see your credentials in plain text in order to gain access to your account. You will also learn how HTTP authentication can be configured on the server side and how the attacker actually comes in between the two parties and performs this attack.
INTRODUCTION
This report will demonstrate how to use .htaccess and .htpasswd files to protect directories and web pages with a username and password. The password protected web page will be implemented using Apache HTTP Server. This provides authentication, authorization and access control capabilities. Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be, while authorization is the process of giving someone permission to do or have something. Together they ensure that only people with the right privileges can access the web pages.
Strictly speaking, this is a network-level vulnerability, but nowadays professional attackers use it for web attacks. As we all know, there are many places where free public Wi-Fi is offered, and attackers use those networks to intercept traffic in order to gain access to users’ various accounts.
CONFIGURATION
HTTP INSTALLATION
To begin, httpd needs to be installed on the Linux machine. Here I am configuring httpd on CentOS (Alice); I will be using Backtrack as the attacker machine (Eve) and a Windows XP machine (Bob) as the client.
# yum install httpd
As shown in the screenshot above, httpd was successfully installed. Now we need the httpd service to start each time the system boots up. For that, give the following command in the terminal.
# chkconfig httpd on
Now we can start, stop and restart the httpd service using the commands shown in the screenshot below:
EDITING httpd.conf CONFIGURATION FILE
After the successful installation, the next step is to edit the httpd.conf file, which is the Apache web server configuration file. This file is located at /etc/httpd/conf/httpd.conf and will be edited using a text editor.
Once in the text editor, the second occurrence of AllowOverride None should be changed to AllowOverride AuthConfig. This directive controls whether Apache honours the .htaccess file that we will put in our directory for authentication purposes; if we do not change it, the server will ignore the files lying in our directory.
Next, a folder will be created inside the html folder; its full path is /var/www/html. This folder will be used to set up the password protected page. Go to that directory and create a folder with a name of your choice. Here we create a folder named ‘adcpractical’ using the ‘mkdir adcpractical’ command.
ADDING USERS
Next, we need to configure the server to request a password and tell it which users are allowed access. To do this, two files will be created: .htaccess and .htpasswd. The .htaccess file tells the server how to authenticate users and lists the specific users who may log in, and the .htpasswd file holds the individual users and their passwords. Both files are created inside the adcpractical folder with the following commands:
# touch .htaccess
# touch .htpasswd
Two files have now been created within the adcpractical folder. First, give the following command to write the configuration into the .htaccess file.
# nano .htaccess
This opens an editor in which we need to write the lines shown below to enable authentication.
We won’t write lines into the .htpasswd file with an editor. Instead we will use the terminal and the htpasswd command, which adds encrypted passwords to the file.
As mentioned, passwords will be assigned to the users listed in the Require User line, not with a text editor but from the command line (terminal):
htpasswd -md .htpasswd prithak 1234qwer
adding passwd for user prithak
htpasswd -md .htpasswd chintan password
adding passwd for user chintan
htpasswd -md .htpasswd dami password123
adding passwd for user dami
Now let’s check the .htpasswd file by giving the cat .htpasswd command.
The MD5 form is displayed because of the options we used in the htpasswd command. The -m option stands for MD5 encryption: it forces encryption of the plain-text passwords we supplied through the terminal for all users. Not only was MD5 used, but the -d option also provides crypt functionality, using MD5 to encrypt the passwords. The screenshot below shows the options and their descriptions that we used to give each user a password.
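As an added example (not part of the original post), here is a small Python audit of the two files described above: it classifies each .htpasswd entry by the storage scheme the htpasswd option produced (-m writes a salted MD5 hash prefixed $apr1$, which can be verified but not decrypted; -d writes legacy crypt output) and checks that every user named in Require user actually has an entry. The .htaccess directives and the hash values are constructed placeholders, not the post’s files.

```python
import re
# Constructed sample .htaccess (assumed directives, not from the post's screenshot).
HTACCESS = """\
AuthType Basic
AuthUserFile /var/www/html/adcpractical/.htpasswd
Require user prithak chintan dami
"""
# Constructed sample .htpasswd: placeholder hash fields in each scheme's format,
# not real digests of the post's passwords.
HTPASSWD = """\
prithak:$apr1$K0ikyg2H$placeholderMd5Value12
chintan:{SHA}placeholderSha1Digest000000=
dami:abJnggxhB/yWI
guest:password123
"""

def hash_scheme(value):
    """Classify an .htpasswd hash field by the format htpasswd writes."""
    if value.startswith("$apr1$"):
        return "apr1-md5"   # htpasswd -m: salted, iterated MD5 (the post's case)
    if value.startswith("$2y$"):
        return "bcrypt"     # htpasswd -B
    if value.startswith("{SHA}"):
        return "sha1"       # htpasswd -s: unsalted SHA-1
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return "crypt"      # htpasswd -d: legacy crypt(), 8 significant chars
    return "plaintext"      # htpasswd -p, or a hand-edited file

def parse_htpasswd(text):
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, value = line.partition(":")
            entries[user] = hash_scheme(value.strip())
    return entries

def required_users(htaccess):
    users = set()
    for m in re.finditer(r"^\s*Require\s+user\s+(.+)$", htaccess, re.I | re.M):
        users.update(m.group(1).split())
    return users

def audit(htaccess, htpasswd):
    """Report required users lacking an entry and entries with weak hashing."""
    entries = parse_htpasswd(htpasswd)
    findings = [f"{u}: named in Require user but absent from .htpasswd"
                for u in sorted(required_users(htaccess) - set(entries))]
    findings += [f"{u}: weak password storage scheme '{s}'"
                 for u, s in entries.items() if s in ("crypt", "sha1", "plaintext")]
    return entries, findings
```

Run audit(HTACCESS, HTPASSWD) to see the guest plaintext entry and the crypt and SHA-1 entries flagged, while the $apr1$ entry passes.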
Now we can test our password protected page to ensure it functions properly. Two screenshots are presented below: the first shows the result of a failed authentication and the second shows the result of a successful authentication by a genuine user. The CentOS welcome page files were placed in our adcpractical folder, so if authentication succeeds these files are served and a welcome message appears in the browser. Otherwise the browser keeps asking for the right credentials until the server accepts them. The figure below shows the welcome message files that were placed earlier in the adcpractical folder.
Now we are at the stage of checking the whole configuration. In this example the server is CentOS and the attacker machine is Backtrack, so from Backtrack we browse to the CentOS eth0 IP address (the host running the httpd service) followed by /adcpractical/, which displays the authentication dialogue box shown in the figure.
To ensure that the server is properly configured to deny unauthorized users and admit authorized ones, we first give a wrong username and password. No page was displayed and the dialogue box remained, continuously asking for the right credentials. We then gave a correct username and password and clicked the OK button to log in.
This shows that our password protected webpage is generated through the .htaccess and .htpasswd files and that the server has been configured properly to deny access to unauthorized users and grant it to genuine users. Now it is time to attack the page.
MITM ATTACK (MAN IN THE MIDDLE)
This attack is also known as “Bucket Brigade”.
This attack is a form of active “eavesdropping”.
For this demonstration, three machines will be used: the server, the client and the attacking machine. The attacking machine makes independent connections to each side and impersonates both the server and the client. The attacker convinces the server that it is the client and the client that it is the server, then relays messages between them. Client and server believe they are talking to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
The attacker is able to observe all the packets exchanged between client and server. If the client performs any authentication, the attacker can find those credentials using packet-analysis software such as “Wireshark”.
ARPSPOOF
In this demonstration we are going to use the Arpspoof tool, which comes pre-installed in the Backtrack 5 R3 distribution. This tool is able to intercept the messages between two machines that are communicating with each other. It has many features and supports IPv4 and IPv6 address network resolution. It is also platform independent.
Preparation of Attack
Here is the syntax of the arpspoof tool, which tells us that we need to give the interface, the target and the host machine. Below is the data we need to know prior to attacking.
Machine                    | IP Address
CentOS – Server            | 192.168.41.130
Windows XP – Client        | 192.168.41.132
Backtrack 5 R3 – Attacker  | 192.168.41.131
The first step is to convince the server that our attacking machine is the client, and the client that we are the server. We do that by opening two different terminals and executing the following two commands respectively. Backtrack’s network interface is eth3.
# arpspoof -i eth3 -t 192.168.41.130 192.168.41.132
# arpspoof -i eth3 -t 192.168.41.132 192.168.41.130
The one thing both processes have in common is eth3: communication goes through eth3, Backtrack’s network interface, so arpspoof is able to intercept every packet going between the server and client. Arpspoof is now ready and intercepting the network traffic.
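As an added example (not from the original post), the following Python is the defender’s counterpart of the two arpspoof commands above: it replays constructed ARP replies modelled on what those commands put on the wire (each tells one victim that the other’s IP lives at the attacker’s MAC) and flags an IP whose MAC changes or one MAC answering for several IPs. The IPs follow the table above; the MAC addresses are placeholders.

```python
from collections import defaultdict

# Constructed ARP replies as a passive monitor on the lab segment would see them,
# in arrival order: (sender IP, sender MAC). IPs follow the post's table; the
# MACs are placeholders, not real hardware addresses.
SAMPLE_ARP_REPLIES = [
    ("192.168.41.130", "00:0c:29:aa:aa:01"),  # CentOS server, genuine reply
    ("192.168.41.132", "00:0c:29:bb:bb:02"),  # Windows XP client, genuine reply
    ("192.168.41.131", "00:0c:29:cc:cc:03"),  # Backtrack host's own address
    ("192.168.41.132", "00:0c:29:cc:cc:03"),  # forged: "client is-at attacker MAC"
    ("192.168.41.130", "00:0c:29:cc:cc:03"),  # forged: "server is-at attacker MAC"
]

def detect_arp_spoofing(replies, known=None):
    """Return alerts for the two signals arpspoof leaves on the wire:
    1. an IP whose MAC differs from the mapping learned earlier (or from the
       trusted inventory passed in `known`);
    2. one MAC claiming several IPs, i.e. a single host posing as both ends.
    Caveats: if poisoning began before monitoring, the first mapping seen may
    already be forged, so seed `known` from inventory; and a router or a host
    with IP aliases legitimately answers for several IPs, so check signal 2
    against inventory before acting on it."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"IP {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```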
We will need the Wireshark tool to analyze every single packet. To open it, type wireshark in another terminal. In Wireshark, select the eth3 interface in order to display the whole packet exchange; after clicking the start button it begins capturing each and every packet. The next step is for the Windows XP client to log in to the server using the IP address of CentOS’ eth0 interface followed by /adcpractical/. The user provides the server with the right credentials, which travel in plain text, and the authentication succeeds. Once the user is logged in to the server, the attacking machine can stop the capture in Wireshark. Before analyzing each and every packet, save the capture under any name as a *.pcap file.
By analyzing each and every packet, we found the credentials the Windows XP client used for authentication. The packet was a normal ICMP packet in which the credentials were passed in plain text from the client to the server. The figure below illustrates the concept, showing how the arpspoof attack is carried out.
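As an added example (not part of the original post), here is the detection view of the capture step: a Python check that scans cleartext HTTP requests for an Authorization: Basic header, which carries the username and password merely base64-encoded, and reports the exposed username with the password redacted. The sample requests are constructed; the mitigation is to serve the protected directory over HTTPS only, so the header never crosses the network in the clear.

```python
import base64
import binascii

# Constructed cleartext HTTP requests, as a capture of the client's login to
# /adcpractical/ would reassemble them: (src_ip, dst_ip, dst_port, request).
# Sample data, not taken from the post's pcap; the encoded value is the post's
# demo user prithak with password 1234qwer.
SAMPLE_REQUESTS = [
    ("192.168.41.132", "192.168.41.130", 80,                        # first try, gets 401
     "GET /adcpractical/ HTTP/1.1\r\nHost: 192.168.41.130\r\n\r\n"),
    ("192.168.41.132", "192.168.41.130", 80,                        # retry with credentials
     "GET /adcpractical/ HTTP/1.1\r\nHost: 192.168.41.130\r\n"
     "Authorization: Basic cHJpdGhhazoxMjM0cXdlcg==\r\n\r\n"),
]

def find_cleartext_basic_auth(requests):
    """Flag requests carrying an HTTP Basic Authorization header in cleartext.
    Basic credentials are only base64-encoded, so anyone on the path can read
    them; the report keeps the username and redacts the password."""
    findings = []
    for src, dst, port, raw in requests:
        head = raw.split("\r\n\r\n", 1)[0]
        for line in head.split("\r\n")[1:]:            # skip the request line
            name, _, value = line.partition(":")
            if name.strip().lower() != "authorization":
                continue
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() != "basic":
                continue
            try:
                creds = base64.b64decode(token, validate=True).decode("utf-8")
                user = creds.split(":", 1)[0]
            except (binascii.Error, UnicodeDecodeError):
                user = "<undecodable>"
            findings.append({"src": src, "dst": f"{dst}:{port}", "user": user,
                             "password": "<redacted>"})
    return findings

if __name__ == "__main__":
    for f in find_cleartext_basic_auth(SAMPLE_REQUESTS):
        print(f"{f['src']} sent Basic credentials for '{f['user']}' to {f['dst']} in the clear")
```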
However, it is difficult to set up this configuration and attack targeted machines.
CONCLUSION