Good morning. How's DEF CON going for you guys? Yeah. Still waking up. How many of you are here with a hangover? How many of you are here still drunk? Right on. All right, we're going to go ahead and get started. My name is Andrew Whitaker. This is Dave Williams. It's Donald Hackers. So let's just start off with some brief introductions. If you got the program guide, you can read the bios. I'm not going to spend a whole lot of time on the introductions. I'm just going to say a bit about myself. I'm the director of Enterprise InfoSec for the Training Camp and InfoSec Academy. We offer courses in licensed penetration testing, so you can actually get an international license to be a professional hacker all over the world. So that's pretty cool, because as long as you have a license, it's okay to hack, right? And we also offer the certified ethical hacking course as well. I also do a lot of writing. I'm the author of the book Penetration Testing and Network Defense. It's one of mine. It was for sale over at the EFF table in the vendor area. Last time I checked yesterday, they were all sold out, but I will be doing some book signings immediately after this over in the vendor area. Dave Williams started out as a security intern for the Training Camp and then we hired him on full time. He now supports our information security for our U.S. operations. We have about 10 sites in the United States and several over in Europe.

With that, let's go ahead and get started. So what is this talk about? This talk is corporate network spying, how to spy on corporate networks. What this is, essentially, is a training on corporate network spying. This is designed for those with beginner to intermediate skills. Now what you find when you come to a conference like DEF CON is that there are going to be some talks that are really designed more for the intermediate to advanced crowd.
They're really, really cool, but only about 5% of the people that attend can fully understand the talk. This is designed more for the beginner to intermediate crowd, because what I find is that everybody has to start somewhere. Everybody has to learn about packet capturing and corporate spying. This is designed for that crowd. And I really appreciate talks like the one Atlas gave that really deal with, okay, where do we start and how do we get to become more skilled. What this is not: this is not a discussion of some hot new exploit which may only be theoretical and only work in a lab environment. We're going to be talking about things that have been tried and true. They work. This is also not going to be an overly technical discussion that only 1% of the tech world will understand. My goal is that everybody here will be able to grasp it no matter what your background is. In fact, I was reading on the DEF CON forum that roughly 39% of the people that come this year are new to DEF CON, so this will be a good introduction for you.

So what are we going to be talking about? We're going to be discussing corporate network spying. What is corporate network spying? We're also going to do a rehash of how you get around the issue of switches when you're spying on local area networks. Now for a lot of you that might be review, but for some of you that might be brand new. A lot of the techniques I'll be talking about have been spoken about at previous DEF CON conferences. Then I'll be demonstrating, or showing you snapshots of, several tools that are designed to capture specific types of traffic on corporate networks. For example, we'll get into things like mailsnarf, which is specifically designed to capture email traffic on a network. We'll also demonstrate things like an MSN protocol analyzer, which is designed to capture MSN Messenger traffic. Then we're going to get into a demo. Now half of this is going to be our presentation.
The other half is going to be our demo. In our demo, we're going to be able to show you one of the most challenging parts of corporate network spying, which is how you get onto a remote network and start capturing the traffic. It's easier to do if you're trying to spy on your own corporate network. It's harder to do if you're trying to spy on somebody else's network. By the way, everything I'm talking about is all theoretical, hypothetical. I don't endorse it. With that aside, my lawyers are happy now. But when we talk about spying on remote corporate networks, it gets much more challenging. So in the demo we're going to show you, we're actually going to set up a phishing scam. We're going to set up a phishing scam to get a user to click on a link and download what looks like a legitimate executable file. We're actually going to have them install a practice test software. While the practice test software is being installed off of a website, we're going to be installing a netcat backdoor trojan at the same time without the user knowing. Once the netcat backdoor trojan is installed, we'll then get into that remote system and then we will download a command line packet capturing software. We will capture some software, we will upload that back to our attacker machine and then we will reassemble it. So, for the sake of our demo, we'll be reassembling a JPEG. If you ever look at a packet capture of a JPEG, it's just a bunch of garbage. So I'll actually show you how to reassemble it, and we'll be using a hex editor for that. So definitely stick around for the demo because it should be pretty cool.

Let's go ahead and get started. I've already talked about what network spying is. Network spying is basically wiretapping into a network, targeted packet capturing. Now you can do it one of two ways.
You can either just try to capture all traffic and then analyze it, which, if you're trying to do it remotely onto another network, a lot of times means you're just trying to capture everything and then sift through it to see if you have anything meaningful. The other way is just to try to capture traffic that is meaningful to you, such as passwords or emails or what websites people are going to. So some of the tools we'll be demonstrating are only for specific types of traffic.

Who does corporate network spying? Well, legitimate would be law enforcement as well as corporate networks: FBI, NSA. They do a lot of corporate network spying. You also have corporations that have consent. So chances are your boss is probably spying on you, or more likely you're spying on them. And then you also have hacker hobbyists and some corporate espionage going on as well. Just to give you an idea of some of the things the FBI and NSA have been doing in the past: they have been using Semantic Forests. What Semantic Forests does, and it's actually been in the news, they haven't mentioned this particular name, but we've been hearing a lot about this in the news. What Semantic Forests does is automatic capturing of all voice conversations, and then it does automatic transcription of all those voice conversations and indexes them so that they're easy to search. We've been hearing a lot in the news the past year about how the FBI and NSA have been capturing voice conversations. This is what they're generally using, a tool called Semantic Forests. Carnivore, also known as DCS-1000: they got rid of that in 2005. The FBI actually started moving away from it about 2001, 2002, to go to some commercial solutions. But what Carnivore did is it allowed you to tap into an ISP and be able to capture traffic.
It involved packet capturing software, a tool called Packeteer, which allowed you to reassemble packets, and CoolMiner, which allowed you to search for certain phrases such as passwords. You also have things like Echelon. Echelon is a cooperation between both the UK and the United States that allows the FBI, or really the NSA, to be able to capture communication that crosses borders. And you have Magic Lantern, which is another capturing software.

Corporations do a lot of spying. For corporations, PC Magazine said that 77% of companies are spying on their employees. I've even seen statistics higher than that. The American Management Association reported 81% of corporations are spying on their employees' email. Okay. You have 42%, according to that survey, that said they were spying on what their employees were doing with instant messaging. So chances are corporations are going to be monitoring what you're doing. Some of the justifications for that are to ensure employee productivity, to ensure the company is void of illegal activity, and to protect trade secrets. If you're a sysadmin, you're probably spying more to see what your boss is up to.

So you also have hacker hobbyists, people that just go around to look for wireless networks. Look for wireless networks or, I don't know, let's just say hypothetically, maybe you're at a hotel in Vegas. And you start looking for networks, like the one in your room. And you start plugging in, seeing what you can find. Maybe you can find some MAC addresses. Maybe you can duplicate a MAC address. And apparently, some of the hotels even shut down your port if you start duplicating your MAC address. Who knew? Other examples: you also have corporate espionage. With corporate espionage, a great example of that is Oracle and Microsoft. Some of you may remember this story.
Back, I think it was 2000 or 2001, Larry Ellison came out and confessed that he was hiring people to dig through the dumpsters of Microsoft to see what Microsoft was up to. And so a lot of companies, big and small, are doing corporate network spying. Legal and ethical considerations: I'm not going to spend a lot of time on this. Basically, if you don't have consent and you don't have authorization, it's going to get you in trouble if you get caught. So let's move on to the good stuff.

There are a number of commercial solutions. So if you're in a commercial environment and you need to start doing corporate spying, there are tools called network forensics analysis tools. Just punch it into a search engine. You'll find a number of tools out there. They tend to be very pricey. The tools I'm going to show you are either open source or they are relatively inexpensive. And by inexpensive, I mean under $100.

All right, so what I want to move into now is sniffing on switched networks. Now again, for some of you, this is going to be a review. But some of you may know one or two methods and not all of the methods. What you're going to find is that when you start sniffing, or start trying to capture traffic, on a switched network, it becomes much more difficult. I'm not going to be introducing anything new. I just want to spend some time so we're all on the same page knowing what some of the methods are that you can use to get around switched environments. First off, what about hub environments? Now most places are not using hubs anymore. But with a hub environment, if a user, say user A, wants to send traffic to user B in that slide, user C would be able to see it as well. It's called a shared Ethernet environment. Everybody's able to see the traffic. That's an ideal world for a malicious hacker trying to spy on a corporate network: everybody's using hubs. In the real world, however, people are going to be using switches.
What happens with a switch is when user A sends traffic to user B, the switch is going to record the source MAC address in its MAC table. So the switch will see that we've got a source MAC coming in on FastEthernet0/1 and it's going to plug that into its MAC table. It's then going to look up the destination address, which is going to be user B's MAC address, and it's going to see if it has that in its MAC table. At this point, it does not have user B in its MAC table, so it's going to end up flooding it out both ports, FastEthernet0/2 and FastEthernet0/3. At this point, if a malicious hacker was at user C, user C would be able to see that traffic. What happens, though, when we have user B sending traffic back to user A? When user B sends traffic back to user A, the switch will record the source MAC address of user B and it will look up the destination MAC address. Now at this point, it has the destination MAC address of user A in its MAC table. As a result, it will only send that traffic out FastEthernet0/1, and user C, our malicious hacker, would not be able to see any of that traffic. That's the problem we're talking about when we mention the challenges of sniffing on a switched network.

So there are several solutions. We have ARP poisoning solutions; I'm going to talk about two methods for ARP poisoning. We have MAC duplicating, MAC flooding, and port mirroring. For ARP poisoning, the first method is that you're going to be crafting ARP replies. Here's what happens. When user A wants to send traffic to user B, one of the first things user A will do is send out an ARP request, saying, what is the MAC address of user B? Then user B is going to reply to that, saying, here is my MAC address. Well, when that ARP request is sent out, it is sent out broadcast, which means user C will see that broadcast. It'll see that ARP request. All we're doing in this method is that user C is sending back the same ARP reply saying, hey, I have that same MAC address.
Why don't you send all traffic for user B to me as well? That's the first method of ARP poisoning. There are several tools out there that will do that. Some of the tools also use what's called gratuitous ARP. What gratuitous ARP means is we don't even wait for a request, we just go ahead and start sending out replies. A lot of times what they may do is scan a network for all the IP addresses and then just start sending out replies for every single IP address. At that point, our malicious hacker would be able to read all traffic for the entire network. This is the first method for getting around the issue of switches.

We'll jump down here to poisoning method number two. With our poisoning method number two, what we're mainly concerned about is traffic being sent out to the internet or through a router. Here we see a request, what is the MAC address for the router, and our malicious hacker is going to reply and say, I am also the router. At this point, all traffic sent to and from through the router, it's going to be able to capture that traffic. This is a good way to be able to see, maybe if people are going through a router to log into an email server or go to a website, to be able to capture that traffic.

Another method is MAC duplicating. MAC duplicating is a much simpler method. Here, all you're doing is finding out what another host on the network is, and you're going to duplicate that same MAC address. At this point, the switch can have two entries for the same MAC address. Now, this really does depend on the switch. Some switches will allow the same MAC address to be associated with more than one port. Other switches may alternate. As soon as they see the MAC address on one port, they'll only send traffic out that port. If they see it on another port, they'll switch over and only send it out that port. So, spoofing a MAC address is not the most efficient method, but it is a method that you can use.
Another method that I find pretty successful is MAC flooding. What MAC flooding does is it floods the switch with a number of MAC addresses. Your switch has a limited amount of memory, called content addressable memory, for the number of MAC addresses it can hold. As soon as you fill that up, at that point you're going to flush out all the MAC addresses it knows about. And now you have all these bogus MAC addresses and essentially you're going to end up turning your switch into a hub. It's just going to send traffic out all ports. The one thing about MAC flooding is, with some lower end switches, it ends up essentially doing a denial of service and it can actually end up crashing the switch. An example of MAC flooding is a tool called macof. Here you see the output of macof. It's very simple to run: from a Linux prompt you just type macof, press enter, and it will begin flooding with, I forget the statistics, but it's something like 100,000 MAC addresses per second. It will begin flooding the switch.

Another method you could use for getting around the issue of switched networks is port mirroring. Now port mirroring is actually a very legitimate method that a lot of people use if you have to set up an intrusion detection system, or maybe you want to legitimately sniff traffic on your network. With port mirroring, which Cisco calls SPAN, Switched Port Analyzer, you're basically setting up your switch so that all traffic on your network will be sent out this port. So it's almost as if one port on your switch is like a hub. It's able to see all traffic. Now if you're a malicious hacker, what you're going to have to do first is compromise the switch to be able to configure Switched Port Analyzer or port mirroring. I have the output here for you Cisco people in the audience. This is how you configure port mirroring on a Cisco switch. Just monitor session, you give it a number, you specify the source, and then you specify what the destination is.
With Cisco you can not only specify individual ports that you want to capture, but you can even specify entire VLANs that you want to capture. So here I see the example configuration, and all this is on the CD as well. So if you're trying to write it down, it is on your CDs.

So let's move on to talk about some specific packet capturing software. Now I'm going to use the term sniffer a lot. Sniffer is a registered trademark, but it's become just a common term. So forgive me if I use the term sniffer a lot. There's a number of packet capturing software. When I went out to Packet Storm Security there were over 200 tools, or actually I think it was 198 tools, just used for packet capturing. I'm going to be demonstrating some of the more popular tools, some of the open source and free tools, including WinDump and tcpdump. WinDump and tcpdump are command line tools. WinDump is Windows and tcpdump is Unix and Linux. And Ethereal, which is now called Wireshark. So WinDump was developed by Loris Degioanni, Gianluca Varenni and some other Italian people; forgive me if I pronounce your names wrong. This is tcpdump. It requires the WinPcap or libpcap library, so you have to get that installed first. There's a number of options for this. Now why am I talking about a command line tool? Well, the benefit of a command line tool is when you want to get access to a system remotely. If I want to get access to a system remotely I'm probably not going to have a GUI that I can work with. I'm going to want to try to get some type of command line tool on the remote system, because it's easier to get a command line than it is to get a GUI. Some examples of what you can do with WinDump: WinDump -D will list off all of your interfaces. WinDump -i will allow you to select which interface you want to start capturing on.
You have some other options there, including -w, which will write to a log file, and -r, which will read from a log file, and we'll be demonstrating this later on in our demo. Here you see the output of WinDump. It's not the prettiest output to analyze, but one of the nice things about WinDump and tcpdump is that their output can also be read by Ethereal, which is now Wireshark. So we're actually not going to be analyzing WinDump output directly. We're going to open it up within Wireshark and show you that, because it's easier to read within Wireshark.

So Wireshark, I think it was, was it last month when it switched over to Wireshark? Yeah, about two months ago Ethereal became Wireshark. It's supported by a number of programmers, over a hundred programmers. It recognizes over 759 protocols. How many of you have ever used Ethereal or Wireshark? It's an awesome, awesome tool, so you're familiar with it. We'll be showing you some output here. Just to kind of walk through it, you've got three main panes. The top pane is going to show just the overall traffic. The middle pane is going to show you the various headers, and then the bottom pane is going to be all of the hex output. So I don't think you guys can see on the screen here, but what we've got here is we're doing a DNS lookup, we've got an A lookup for defcon.org. You can then see that we got a response. You then see that we're going out to Netcraft. When I did this I had the Netcraft toolbar. So we see a little Netcraft lookup to make sure that defcon.org is not part of a phishing scam, and then you go through and we see the three-way TCP handshake, SYN, SYN-ACK and ACK, and then the GET request. Now what a lot of people may not be familiar with is the fact that you can reassemble your TCP streams. If you right-click on any of your TCP traffic you can go down to Follow TCP Stream. When you do that, you pull up on your screen the red and the blue.
The red is information that was sent out by the sender; the blue is the receiver. So here we see we have a GET request in the red and then a response in the blue. You can use Wireshark to do a lot of password sniffing. There are a number of protocols that send their traffic in clear text: telnet and POP and SMTP, just to name a few. But in addition, even those software applications that do try to encode or encrypt their passwords, oftentimes it's very easy to reverse, such as LAN Manager hashes, which are kind of old now, but LAN Manager hashes are very easy to reverse: just take the password, split it into two seven-character halves, convert to uppercase and then run DES against it. It's very, very easy to compare hashes with that. You also have things like VNC and some others that are very easy to crack. So if you're able to just capture some of the passwords, even if they are encoded or encrypted, a lot of times you can use that to, not necessarily reverse the hash, but compare hashes.

So one of my most popular tools is Cain & Abel. Cain & Abel can capture just passwords. It will just look for passwords. It's not going to do a lot of other things, but I'm just going to be showing you what it can do for passwords. Here we see an example where Cain & Abel is sniffing and it's able to capture POP passwords. It's able to see somebody logging into a POP account, victim14, with a password of defcon14. Here we're able to see the output of what looks like an NTLM session; somebody was logging into a Windows box. Now here we have the hash, and the hash is not the password, but then we can either do a rainbow table crack against it or we can maybe pull it into a tool like what @stake provides, or some of the other tools that will crack your LAN Manager hash. You can even right-click on your LAN Manager hash and choose Send to Cracker to begin cracking the password. You can even do telnet conversations.
Okay, telnet is sent clear text, so Cain & Abel will capture telnet conversations. Again, if you right-click you can go straight to View, and it will pull up all of that telnet conversation in a text file. In this case we're logging into a router, so it's able to show you that we're logging into a router, and the password in this case is "let me in". Here we see an example of going out to a website, logging into two different websites. One is hotpop.com and another is excite.com. By the way, hotpop.com, if you've never been out to it, is one of my favorite sites. It's basically anonymous free email. So you know how when you register for an email account a lot of times you've got to put in another email account or some other information to verify you? Hotpop does not require that. So it's completely anonymous. So here we're logging into hotpop. Now it did do some encoding of the username, but we were able to get the password. Now in comparison, for Excite email we were able to get the username but not the password. However, it's fairly weak, because if you count the number of characters here, it's the same as defcon14. So you can see how many characters the password is when you go to Excite. Here we also see an example. This is FTP, and we're able to capture FTP traffic. So here we have anonymous and then a password that was sent through FTP.

Now another tool you can use is dsniff. Question? Yes, it can do wireless as well. Yes. His question was, can Cain & Abel sniff wireless traffic as well? The answer is yes. Yes. So another tool you can use is dsniff. dsniff is cool. It can work on Linux and it can work on Mac. I've seen a lot of people with Macs here. So you can use dsniff, but it can be used only to listen for passwords. So here we see we just ran it for a while and we were able to see that here we've got a user, defcon, and there's a password. Here we've got DC Williams, Dave Williams, logging in.
So it will capture your password. So if you can get this onto a system, just run it on a network and you can begin capturing passwords. In this case it's capturing POP passwords. It's also not difficult to write your own packet capturing software to do this. All you do is capture the traffic and then write a filter to only look for the phrase "pass" or the phrase "user", and begin looking for it.

Ettercap is another great tool to be able to sniff passwords. It has both active and passive capturing capabilities. Now what do I mean by active and passive? Well, passive is like in a hub or a wireless environment. It's a shared environment. You just want to capture all of the traffic. Active means it's going to use one of those five techniques I told you about: the ARP poisoning, the MAC duplicating, the MAC flooding, the port mirroring, one of those active attacks. Here we see the output of Ettercap, and I'll kind of zoom in here. With Ettercap you can see it was able to grab a user, quick siller, and pass. You can also get people's email traffic. Here we see an example with email traffic. We're able to see again a username, victim14, and we jump down here to the password, defcon14. Now the neat thing about this is a lot of times what people use for their email password is the exact same password used to log into their Windows machine. So if you're hypothetically at a hotel and you're able to capture somebody's email password, and you have their IP address, you may then try to connect into the C$ share, the admin share, on that machine using that exact same username and password, because a lot of times people will reuse that password. Again you can right-click and go to Follow TCP Stream. When you right-click and follow the TCP stream, we have shown here the user and the password. You can also use it to read email messages, and again right-click and go to Follow TCP Stream.
We can see here we have an email message, and this particular email message says, hey, the DEF CON conference is coming up. Can we send some Feds to it? So there's our email message, sincerely, victim14 at punkass.com. Here's an analysis of an email message, but this time using Ettercap. Here we've got the username and password as well. mailsnarf is another great one. mailsnarf is probably one of the easiest ones to use. You just type mailsnarf and it will sit back and start capturing all mail messages that it sees. Here we see the output of that, and to run it all you do is type mailsnarf and then it will start listening. Now it listens by default on eth0, so there are some switches you can use if you want to specify a different interface. But we can see here the output of the email message, just saying "testing mailsnarf".

Analysis of FTP traffic; I'll walk you through this. Here we have username defcon14. Another output here, we've got "password required for defcon14", so this will be the response from the FTP server. Then it tells us it's a Microsoft FTP service. There is the password, and again it tells us that we're logged in. Again we can always right-click and go to Follow TCP Stream. And here we can see username, password; it even does a little Mac B, which tells me that when this user logged in they were probably using a Mac going into a Microsoft FTP server. Ettercap can do the same thing, but what Ettercap will also do is show you the FTP traffic once a person is logged in, and it makes it a little bit easier to see than, say, Wireshark. So here we see it's just sniffing and it's able to see we're doing a directory listing within the FTP server. It makes it really easy to monitor somebody's FTP server. Of course, once you have the username and password you can just get in yourself and see what you can find. There are also tools for MSN Messenger traffic. Now you can always use Wireshark. Here we're using Wireshark to capture MSN Messenger traffic.
So here we've got a message saying, hey, we need to send Feds to the DEF CON conference. Hackers are bad, very bad. And we've got a response from attacker14 at punkass.com, and attacker14 tells us, no, there's no need to send a Fed. I'm sure nobody will do anything illegal there. But an even easier tool for capturing your MSN Messenger traffic is MSN Sniffer. And there are a number of other tools out there, MSN Protocol Analyzer and some others, but MSN Sniffer works pretty well. With MSN Sniffer you just start running it, and down in the bottom window it will show you all messages, just for MSN Messenger. Now the way to read it is you actually have to start at the bottom, because it adds messages up to the top. So here we have it: Is it okay to leave my wireless open? You don't think anyone will use it, do you? And the response: nah, you have nothing to worry about. Where do you live again?

You can also use it to capture web traffic. urlsnarf is a great tool for that. urlsnarf, run from a command line, is also part of the dsniff suite of tools. Just run it from a command line and it will sit back and capture all of the URLs that a person is viewing. Ettercap will also allow you to watch in real time what a person is viewing on the web. I should pull up those web pages. What's that? Oh, instant messaging as well.

You can also capture voice conversations. This is really cool. You can capture voice conversations. Cain & Abel is a great tool to do that. With Cain & Abel, it will capture your voice conversations. Now in the real world it's not always quite as simple. For example, with Cisco voice over IP, a lot of times people will encrypt all of their voice traffic. Most environments, hopefully, are doing that. Then you have voice traffic like Skype. If you're a Skype user, Skype uses AES encryption, so it's very difficult to be able to read your Skype conversations. But I've got some voice traffic here.
I used a softphone application and it just records it as a WAV file. It records the voice conversation as a WAV file, and you just right-click and hit play. Then it will play back the entire voice conversation. Now if you're going to begin doing this, you want to make sure you have a large enough hard drive, because if it's a long conversation that will end up being a very large WAV file.

Well, now for the fun part of the talk. We're going to get into our demo. Let me check our time here. Let me kind of introduce what our demo is going to be. What we have here is two attacker machines and a victim machine, and then we've got a server hosting a website. It's one minute, it's just one minute. What we're going to be doing here is our attacker is going to try to capture traffic on the victim's machine. We're trying to capture traffic being sent to and from the victim machine. But in this environment we're going to pretend the victim machine is on a different network. So how are we going to get onto that remote host? I do a lot of pen testing, and I also teach our licensed pen testing courses, and people are always like, you know, these tools are great, but when you're actually doing a pen test how do you get onto that remote host? How do you get that packet capturing software on there? You can't really use Wireshark because you can't get on there and install it. It's much harder to do. So that's what we're going to walk you through, kind of start to finish. We're going to set up a phishing scam. So what the attacker will do here is copy down the trustme.com website, a legitimate website. We're going to copy down that website, and on that website is an executable, a legitimate executable. It happens to be some practice test software. What the attacker is going to do is take that software and bind it with a netcat trojan.
Then we're going to send an email to the victim saying hey go to trust me.com and download this practice test software. The victim will then do that but while they're downloading the software they're not going to trust me.com they're actually be going to the attacker machine. So then the victim is going to be installing the practice test software but they're really be installing a netcat trojan in the background. Once they got the netcat trojan on the attacker can connect into that box and then use TFTP to download a command line sniffer. Once we have a command line sniffer on we could then begin capturing traffic. We then have to upload that same traffic back to the attacker machine and then analyze it. We're going to be reassembling a JPEG using a hex editor so that we can reassemble the original file. Just to recap the steps we're going to do the attacker is going to copy down the trust me.com website and it's going to begin hosting it. The attacker is going to bind a backdoor trojan netcat with a legitimate executable. The attacker will then send an email to the victim requesting that they download the executable. The victim will install the executable and subsequently without knowing it will also install netcat. The attacker is going to use netcat to connect into the victim machine. The attacker will then use TFTP to download wind-dump onto the victim's machine. The attacker will then capture traffic as victim goes to a website. The attacker will then analyze the traffic sent to and from the victim machine. The attacker will rebuild the graphic, in this case a JPEG, captured by wind-dump using a hex editor. Now what I want to show you here is that being able to spy on a corporate network or remote network there's a lot more steps involved. It's not just about running a packet capturing software. You really do have a lot more steps involved to get onto the host, capture it, send it back and then analyze it. 
If we have time and I think we will if we can get it working we'll also demonstrate driftnet. Driftnet will do a will reassemble those JPEGs in real time rather than have to use a hex editor. So this point we're going to switch off we're going to go to two monitors. We're going to try to get an attacker machine on one side and we're going to try to get a victim machine on the other. All right so I know we have a lot of steps here. I'm going to walk through it. I'm going to go through it very slowly but what I want to show you is that in the real world it's a lot more challenging if you want to be able to sniff traffic on a remote network. There's a lot more steps involved. So that's what that's what we're going to be walking you through. So the first thing we need to do is on the attacker machine Dave if you could go to a web browser and pull up the trustme.com website. Now this will show you that trustme.com is a website that we have hosted on the server here. You can see it says certified ethical hacking, practice exam, training camp we create our own practice exams. So the website is very simple just click this link to download the training camp ethical hacker practice exam you can click on the link and it will download the the executable. But what we need to be able to do for our phishing attack is copy down this whole website and then host it locally. So at this point Dave if you could go out to a command prompt window and it's going to go back to the root of the C drive and we have a utility called Wget. Now Wget if you've never worked with it it's a great utility to have will mirror entire websites for you. So he's going to do Wget dash M for mirror then he's going to do dash R which is to do a recursive lookup of and pull out all websites that are linked from this page. He's going to do a dash L which is the number of links you want to do a recursive lookup for. 
We're just going to say 2 but you can really make it whatever you want in this case and then the website www.trustme.com. At this point just copy down our website and if you can highlight it there Dave you see we'd also copy down ceh.exe that's executable. We're going to use that practice test software to bind to bind it with a Trojan netcat. So this point if we could pull up and I'll show you here that at the root of our C drive we want to pull yeah there you go. We got www.trustme.com there's a website that we copy down. Now if you go inside it if you want to launch the index.html we'll see sure enough there's our website that we copy down. Now if you want to close out of that we'll just run the ceh.exe so that you guys can see this is a legitimate program. It's going to run through the practice test installation. We can even launch it if you want. There it is. So there's our practice test. So close out of that. So that's the that's the executable that's a legitimate executable that we want to bind with netcat. So one of the first things we need to do is we need to go back into our trustme.com and we need to edit the HTML so that the location for the executable is not going to trustme.com but it's rather going to our local machine. So it's going to edit the HTML here and just put in the this machine so that when we host it the executable is going to be people will be downloading it from the attacker machine. We'll save that and we're going to close out of that. Now at this point I want to do the this point what we're going to have to do is bind the trojan. Now the trojan that we're going to be using actually first what do you want to go in there and rename the files first? Okay. First thing that Dave's going to do here is he needs to rename a couple of files. What we're going to be doing when we bind the trojan is we're going to be creating a new setup.exe. So we're going to bind netcat to a brand new setup.exe for this for this practice test software. 
So what we need to do first is make a backup of the original setup.exe. So the original setup.exe we'll just call it z.exe. Now setup.exe makes a call to setup.lst so we're just going to make a copy of that and name it z.lst. That's just so that when we do our binding it will work. We're going to create a brand new setup.exe. At this point we're going to pull up our binding application. We're going to use yet another binder or YAB. YAB you can get it at areyoufearless.com. So what Dave's going to do is going to click on the plus sign to select his file that he wants to bind. He's going to go ahead and browse and he's going to choose the netcat utility which we have at the root of our C drive there. There it is. And as you go down we have a the target path we're just going to keep it in the same folder. We also have some certain attributes you can set like you can set a read-only attribute or hidden attribute. We're just going to leave that as is. We also have execution methods. We're going to choose asynchronously. What asynchronously says it's going to go through and run the setup of the practice test and then run netcat. Sometimes you have problems if you try to do it synchronously and try to do it at the same time. So now we got netcat setup. Did we add the switches? And then for execution parameters we're going to add a dash p for the port number that we're going to use to connect to our victim machine. We'll just choose 50 random number here. We're going to choose dash e to execute cmd.exe. This way when we connect into our victim host we'll get a command shell and then we'll do the dash capital L. Dash capital L will set it up to listen for when we connect into it. I think we're good there. Now we're going to add the second file. The second file we're going to be adding is that z.exe. Remember that? That was the setup that we renamed. So now we're going to add that. Put in the path there for CEH practice test and then we'll call it z.exe. 
And hold on Dave we'll just show there is an option there for registry startup methods. We're not going to use it but what's nice about that is if a person restarts their computer you can have netcat startup every single time by putting it into the registry. It's kind of a nice option there. We'll just go ahead and hit OK there. So the next thing we need to do is we're going to go to the options menu. We're going to deselect, melt the stub after execution. We're just going to keep netcat running there. We're just going to keep it. We're not going to erase it afterwards. We're also going to change the icon of our new setup.exe so it looks like a legitimate setup.exe file. And now we're going to go ahead and click the build button. We're going to put it into CEH practice test. We're just going to call it setup.exe. We have till 1150. Yeah. Thank you though. So we're going to go ahead and build the CEH or build the setup.exe. So now we have a new setup.exe that when ran it's going to actually call z.exe and do the original installation of the practice test and it's also going to load netcat. Now in order to get this ready we need to repackage this so that it looks like one self-extracting executable. So what Dave's going to do now is going to do it kind of quickly but he's going to be going through and he's going to go into WinZip, create a zip file, then we're going to create a self-extracting archive using WinZip. We're using an evaluation version. We're still evaluating it. Love to hear your input. If it's a good software to get, eventually we'll make a decision there. So he's just going through and just creating a new calling setup.exe. He's going through this kind of quickly but there we go. Cancel out of that. All right so now we got our self-extracting archive. He's then going to put that back in the folder for www.trustme.com and we're going to rename it. We're going to get rid of the old CEH and rename this one to CEH.exe. 
So now what we need to do is take these files and host it. We're already running IIS on this box. So now we're just going to copy these into the CINETPUB www.root folder so we can begin hosting this website. All right. So just to recap, what we've done so far is we've copied down trustme.com, we've copied down the practice test software, we then created a new setup.exe that would bind netcat with this with with the practice test software. We then put it into the INETPUB directory so we're going to begin hosting this website. I'm now going to draw your attention over to the victim machine over on your left. Now over on the victim machine we've already sent an email to the victim so Dave if you want to open up Outlook Express, check a look at our email here. Now the email message is from Bill Gates and the email message says congratulations on winning the new certified ethical hacker practice test from the training camp. Now one of the key signs that you're under a phishing scam is grammatical errors. So if you can spot some grammatical errors in there, we are the pleas to H-E-R-E. It's usually a sign that you're under a phishing scam. So they are getting better. They're learning about the new thing called spellcheck. It's a great new technology. But what you'll see is that it says go ahead and click on this at TrustMe.com. Now we did a very simple phishing scam. If you take one of our classes we show you much more advanced ways to be able to hide what the real website is that you're going to. But here at TrustMe.com and I don't know if you can see it down the lower left but it does show you what the real IP address is that you're going to. And Dave if you want to go in and pull up the source of that email. I'm going to properties, I'm going to message source. And here we can look at the HTML source for the file. And you'll see that while it says TrustMe.com what you're really doing is going to in this case ten one one three is it? 
Yeah three which is the attacker machine. So the user things are going to TrustMe.com but they're really going to the attacker machine. Let's close out of that. Well if I'm the victim I say hey cool I got some free practice test software. Let me go ahead and click on it. Pull up the web page and there is our website. Now this is actually on the attacker machine but the user will think they're on TrustMe.com. Now in this case it's just showing an IP address but a lot of unsuspecting users will see an IP address and not really think twice about it. So this point Dave go ahead and let's just go ahead and run our new executable. You solve it very quickly you saw that it was extracting the archive. It's now going through it looks like it's installing the practice test. Pretty cool we got a new practice test. I like that. Now it works. Now Dave if you would go out to a command prompt and run netstat-a what netstat-a will do is tell you what ports are listening and sure enough we have port 50 listening which is used by netcat. So this point I just installed a practice test software but in the background I installed netcat. So now we're going to go back to the attacker machine so draw your eyes over here to your right and on the attacker machine we can now use netcat to get into the victim machine and download a some packet capturing software and begin capturing traffic. So he's using putty you can use really whatever telnet application that you want to use. Dave just happens to be using putty over here and he's already got a pre-configured to go to the victim machine. So we'll connect. Now at this point even though he's on the attacker machine he's telnetted into the victim machine and just to verify that if you want to type the word host name and by typing host name sure enough we are now on the victim machine. Question? Yeah yeah exactly. 
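The lure Dave just opened shows the text TrustMe.com while the link itself goes to the attacker's 10.1.1.3. The following check is an added example, not a tool from the talk: a small Python routine a mail filter or an analyst could run over an HTML message to flag anchors whose visible text names one host while the href points at a different host, or at a bare IP address. The message body is constructed to mirror the demo email; only the TrustMe.com name and the 10.1.1.3 address come from the talk.

```python
"""Flag phishing-style links in an HTML e-mail: visible text that names a host
while the href goes somewhere else, or an href whose host is a bare IP address.

Added example for this talk, not a tool used in it. SAMPLE_EMAIL is constructed
to mirror the demo lure; 10.1.1.3 is the attacker address from the demo."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that reads like a hostname or URL, e.g. "TrustMe.com" or "http://www.x.org/"
HOSTLIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return one finding per anchor whose text and destination disagree."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if _is_ip(host):
            reasons.append("link host is a bare IP address")
        match = HOSTLIKE.match(text)
        if match:
            shown = match.group(1).lower()
            # A subdomain of the shown name (www.trustme.com for "trustme.com") is fine.
            if host and host != shown and not host.endswith("." + shown):
                reasons.append(f"text names {shown!r} but link goes to {host!r}")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample: the visible text says TrustMe.com, the href does not.
SAMPLE_EMAIL = """<html><body>
<p>Congratulations on winning the new Certified Ethical Hacker practice test
from the Training Camp!</p>
<p>Download it at <a href="http://10.1.1.3/index.html">TrustMe.com</a>.</p>
<p>Questions? See <a href="http://www.trustme.com/faq.html">www.trustme.com</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {f['text']!r} -> {f['href']}: " + "; ".join(f["reasons"]))
```

Run against the constructed message, only the first link is reported, with both reasons: the shown name does not match the destination host, and the destination is a raw IP address. The second link, whose text names trustme.com and whose href goes to www.trustme.com, passes, which is the kind of legitimate mismatch a naive string comparison would wrongly flag.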
Let me just mention their comments there. One of the comments was, how do you get the victim's IP address? Well, you can always look in the web logs; that's one method. And then the gentleman in the center mentioned, well, you can also do netcat the reverse way, which would also be, and might even be, a more efficient way, so that you get a reverse shell. There are many, many ways to do it. Yeah, yeah, yeah. Now, also, we chose port 50; chances are a lot of firewalls are going to block incoming traffic on port 50. A much more common port might be TCP port 53 inbound, because a lot of firewalls do have that open to be able to do zone transfers. So, a lot of different ways to do this. We're keeping it relatively simple for the demo; what we really want to show is more of the packet capturing.

All right, so here we're on the remote machine, and at this point we're going to do the TFTP. So we're launching a TFTP server. It's Trivial File Transfer Protocol; we're going to use that to be able to download the remote trojan. What Dave's going to do is a TFTP; actually, yeah, we'll go to the root. tftp -i to get a binary file, then a get request for windump.exe. Of course, this is expecting that the firewall will allow you to TFTP outbound. So we're going to get WinDump, and sure enough, the transfer was successful; we see it both in our telnet window as well as up top in our telnet server. We were able to transfer WinDump. Now that we have WinDump transferred, we can do windump -D; that will show us what interfaces we have on our victim machine. If you can pull that up a little bit there, Dave, there you go. So windump -D shows us our interfaces: we have a dial-up adapter and we have our network adapter. We're going to use the second one, so we're going to do windump -i 2, for interface 2, the network adapter. We're going to do -s 0. Now, what -s 0 is going to do is specify what length, or how much, of the packet we want to capture. It's somewhat counterintuitive, because with zero you would think you don't want to capture any of the packet, but actually, whenever you specify zero as your length, it's going to end up capturing the entire packet. We want to capture the entire packet because we want to reassemble it later. We're going to say -c, and we'll just say 200; -c is how many packets you want to capture. So you could really play around with this; in a basic example here we'll just say 200 packets. And then we're going to do -w so we can write this to a log file; we'll call it log.txt. Go ahead and run that.

Now we need to generate some traffic. So over on the victim machine, over on your left, Dave's going to pull up a web browser. We're just going to go to another website, say victim14.com; a very simple page here. What we're going to be reassembling is a graphic; it's just a page with a graphic on it. He'll refresh a few times to try to get to 200 packets, and sure enough, after he refreshed a few times, we've got 200 packets captured, so WinDump has now stopped. Now that WinDump has stopped, we can send that log file back to the attacker machine. So we'll do a tftp, we're going to specify the IP address of our TFTP server, and then we're going to put that file. So we're actually controlling the victim machine right now, and we're putting our log file back on the attacker machine. Now we see the transfer was successful. Actually, let's first show that the log.txt file is there. And it's there. So what we're going to do is open it up within Wireshark, or Ethereal, to show you the traffic that we were able to capture, and we're going to go ahead and reassemble the graphic. I'm actually going to ask Dave to take over from here; he's really good at reassembling various binaries and graphics. So Dave will take it from here and walk through what he's doing.

Now, I have the log file there, so I'm going to open that up. I'm going to go to "all files", because it's a text file, and scroll over to the log file. So now we have the full traffic that was captured on the other machine. You can see Windows Update was trying to run over there. I'm just going to search for HTTP traffic, since we just want to see what they were checking out on the web. So we're going to put in "http" for the filter and hit enter. Now it pops up all the HTTP; you can see a lot of the same copy, because I refreshed the same image multiple times. Here we go to Follow TCP Stream. You're going to see the GET headers and then the received headers. If we start scrolling down here, this is the JPEG; this is what a JPEG looks like in binary form. It doesn't look like much right now; unless you're really geeky, you won't be able to see what that image is. So what we want to do is reconstruct that. First, we're just going to check out the conversation that we captured. We don't care what was sent from this machine to the server; we just want to get the other direction. Now, with FTP this is really easy. Doing an FTP, you don't have any of this stuff here, these HTTP headers; this will mess up reconstructing the JPEG. So normally, with FTP, we just do Save As, select Raw, name it test.jpeg, and then you'll be able to open it up, no problem. But since they're using the web, and that's usually what most users that you're going to want to spy on are going to be using, we're going to go to Raw, Save As, and save it to the desktop as test.jpeg. So now we're going to leave this open; it'll help us reconstruct the binary in a minute here. I'm going to go over to the desktop. Now we have test.jpeg. Now, this won't open, because all the headers are messed up; there are HTTP headers in there, and then it can't see what the actual image is. So what we're going to do is open this up with a hex editor.

We're going to use WinHex. So now you can see here the HTTP headers. Well, we want to find out where the JPEG starts. You can see here we have "JFIF"; that's the first recognizable character that's printed out there, but you can see that there are another couple of characters here that aren't printable. So what we're going to do is come here and count over: one, two, three, four, five, six. So we know we're six over from the first JPEG readable characters. So here's the J: one, two, three, four, five, six. So this is the very start of the JPEG header. Once you start doing some of these reassemblies, you'll see that they're always the same; all JPEGs are going to have that as the header, all EXEs, all of them. So we're going to get rid of all this other junk in front of it. We're going to go up, highlight all of it, and make sure you get everything; if you forget a bit, it's not going to reconstruct. So we want to get rid of it: right-click, go to Edit, go to Remove. It's going to ask if I want to remove it; I'm going to say yes. So now the top of our JPEG header is okay, but we'll notice that since I refreshed a bunch of times, in that Follow TCP Stream there are also a couple of other HTTP headers that got thrown in there, so we're going to want to clean them out as well. Sometimes the scroll doesn't work, so we'll use the mouse. We just want to make sure we go all the way to the end and get every bit in there: Edit, Remove, yes. So now this should be a full JPEG. Now we're just going to save it; we're going to resave it as test.jpeg, head back down to the desktop, open it up, and there's the JPEG the user was using. Now, we just did it with a JPEG; that's fairly easy. But the main thing is, if a user is downloading a program, an EXE, or anything else like that from their intranet, we're going to be able to capture that and then reassemble it. Because a JPEG is fairly easy to do using driftnet or other programs, but the EXE is really where it gets kind of cool.

Awesome. Hey, Dave, if you want
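Dave's walkthrough finds the start of the JPEG by counting six bytes back from the readable "JFIF" text, then deletes the HTTP headers that the repeated refreshes left in the stream. The Python below is an added example, not part of the talk: it does the same job programmatically, the way an analyst reconstructing what was transferred to a host from a capture would. It splits a reassembled server-to-client byte stream into HTTP responses using Content-Length, drops the headers, and keeps every body that begins with a known file signature, trimming JPEGs to their end-of-image marker. It generalizes what the talk does by hand to EXEs, PDFs and zip archives, which is the point the speakers make about EXEs. The stream is constructed: a 22-byte JPEG skeleton and a stub MZ header stand in for real payloads, and the input is assumed to be already reassembled, which is what Follow TCP Stream gives you.

```python
"""Reassemble files served over HTTP from a captured server->client byte stream.

Added example, not part of the talk. SAMPLE_STREAM is constructed: a tiny but
structurally valid JPEG (SOI, APP0/JFIF, EOI) and a stub MZ header stand in for
real payloads. The stream is assumed to be already reassembled (no TCP gaps)."""

MAGIC = {
    b"\xff\xd8\xff": "jpeg",  # JPEG start-of-image; the readable "JFIF" text sits 6 bytes in
    b"MZ": "exe",             # DOS/PE executable header
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",     # zip container (also the payload of self-extracting archives)
}


def split_http_responses(stream: bytes):
    """Return a list of (headers, body) for each HTTP response in the stream.

    Bodies are delimited by Content-Length when the server sent one; otherwise
    we fall back to the next status line, which is only safe for text bodies."""
    responses, pos = [], 0
    while True:
        start = stream.find(b"HTTP/1.", pos)
        if start < 0:
            break
        hdr_end = stream.find(b"\r\n\r\n", start)
        if hdr_end < 0:
            break
        headers = {}
        for line in stream[start:hdr_end].decode("latin-1").split("\r\n")[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = hdr_end + 4
        if "content-length" in headers:
            body_end = body_start + int(headers["content-length"])
        else:
            nxt = stream.find(b"HTTP/1.", body_start)
            body_end = nxt if nxt >= 0 else len(stream)
        responses.append((headers, stream[body_start:body_end]))
        pos = body_end
    return responses


def carve_files(stream: bytes):
    """Strip HTTP headers from each response and keep bodies with a known file magic.

    Returns a list of (kind, data). JPEGs are trimmed to their end-of-image
    marker so trailing junk or a truncated capture does not break the decoder."""
    carved = []
    for _headers, body in split_http_responses(stream):
        for magic, kind in MAGIC.items():
            if not body.startswith(magic):
                continue
            if kind == "jpeg":
                eoi = body.rfind(b"\xff\xd9")
                body = body[:eoi + 2] if eoi >= 0 else b""
            if body:
                carved.append((kind, body))
            break
    return carved


def _http_response(content_type: bytes, body: bytes) -> bytes:
    """Build one constructed HTTP/1.1 response with a correct Content-Length."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Smallest JPEG skeleton: SOI, a 16-byte APP0 "JFIF" segment, EOI (22 bytes total).
TINY_JPEG = (b"\xff\xd8"
             b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             b"\xff\xd9")
STUB_EXE = b"MZ" + b"\x00" * 62  # constructed: just a DOS header stub, not a real program

SAMPLE_STREAM = (
    _http_response(b"text/html", b'<html><body><img src="/logo.jpg"></body></html>')
    + _http_response(b"image/jpeg", TINY_JPEG)
    + _http_response(b"image/jpeg", TINY_JPEG)  # same image again: the browser was refreshed
    + _http_response(b"application/octet-stream", STUB_EXE)
)

if __name__ == "__main__":
    for kind, data in carve_files(SAMPLE_STREAM):
        print(f"{kind}: {len(data)} bytes, starts {data[:4].hex()}")
```

On the constructed stream this yields two identical JPEGs (one per refresh, exactly the duplicate headers Dave had to delete by hand) and the EXE stub, while the HTML page is skipped because it carries no file signature. The six-byte distance from the SOI marker to "JFIF" that the walkthrough counts out is the APP0 segment header, which is why it is the same for every JFIF image. Real captures add complications the code flags rather than hides: a response without Content-Length (chunked transfer, or a connection closed to end the body) falls back to a heuristic boundary, and a JPEG with no end-of-image marker is dropped as incomplete.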
to try to get the Linux box showing up there, we can actually show you driftnet, if we can get that up and working. But just to reiterate what he was mentioning there: this works not just with JPEGs; it works with EXEs, it works with Word documents, anything that somebody might be transferring across a network. You just have to capture it, figure out where the headers start, figure out if there are any footers, delete those within a hex editor, and then you have the reassembled file.

So here we have a Linux box that's actually running a security auditor, just one of several CDs that we give out for the Certified Ethical Hacking class; we have over a thousand software tools that we give you in that class. We've got it running. All right, so what Dave's going to do now is show you driftnet. driftnet does the exact same thing as far as the JPEG reconstruction, but it does it as you're browsing the web. So it's just one other tool to show that you can do this in real time without having to reassemble. So Dave's going to go on our Linux box and just type driftnet. I'll see if we can get this demo to work here. driftnet is now running. You've got to admit, for a Linux tool, that's probably one of the easiest commands to enter: just driftnet. And then over on the victim machine he just went to that same web page, pulled up that graphic, and driftnet in real time was able to reconstruct the graphic. Okay, it is open source, so you can take a look at the source code and see how the author did it, but it shows you that it is possible to do all of this in real time without having to use a hex editor. The real cool thing about this: you sit on someone else's wireless network and you see bits going by, big deal, but you actually want to see where they're going. So now you can actually see what images, what web pages they're hitting, and it gets a little closer to their experience, hypothetically speaking.

So I know we're actually a little bit ahead of time. I don't mind actually ending a little bit early, because that gives you time to go and check out booze, check out some other things. So I don't think anybody's going to get real upset if we do end early, because that does give you a chance to go experience more of DEF CON. But just kind of a rehash of what we did here: we talked about our packet capturing software... as everybody stands up, all right, let me conclude real quick. The point I want to show you is that packet capturing, yes, it's an older thing, but yes, it's still really, really cool. The biggest challenge, if you want to spy on a remote network, is finding out ways to get onto that remote host, and I hope I just showed you one way, albeit a relatively simple way, but it shows you that you do have to find a way to get onto a remote host. In about an hour I'll be out at the vendor booth, at the EFF vendor booth, to sign any books or answer any questions.

By the way, just one last point I want to make: how many of you saw our t-shirts? When you saw our t-shirts, how many of you saw the business cards? Training Camp is sponsoring a hacker challenge. The challenge is still going on; the prize is $1,000. You guys like money, so $1,000 for the prize. We gave out 1,000 shirts; the shirts are gone, but we still have business cards with the challenge on them, and if you follow the challenges, the first person to the end gets $1,000. So the challenge is still going on. I talked to some people last night; they were getting pretty close, but not there yet. So if you want one of those business cards, just grab me or grab Dave and I'll be happy to give you one of those cards.

Questions? I see a question in the back. You have to find that out, man, how far the rabbit hole goes. So, question? Yes, yes, absolutely. The question is, is there a way to poison a hosts file? Absolutely. There's actually a great book, a Microsoft Press Windows command line tools book; I forget the exact title, but if you get into this kind of stuff, you definitely want to grab a hold of that book, because Windows 2000 and 2003 have like hundreds of command line options, and one thing you can do from a command line is actually poison someone's hosts file, or you can even change what their DNS server is. So you don't need access to the GUI; you can do it straight from a command line, which is really cool, and redirect them to you. So, well, I'm going to go ahead and end early, give you a chance to see some other talks, check out the vendor booth, and check out some of the things going on. Thank you for your time.