08 February 2010

Ettercap & Authenticated Proxies

If ever you find yourself on a penetration test and the scope allows for it, man-in-the-middle attacks are a fantastic way to gain further access.  For instance, if the organization uses an authenticated proxy server, a man-in-the-middle attack can usually recover some authentication credentials.

Clearly, you need to be certain that these attacks are in scope for your testing.  But if things converge just right, you'll be sniffing credentials right off the wire, with no password guessing needed and not even a failed login record on a server.  Forcing the disclosure of plaintext passwords, man-in-the-middle attacks, and targeted user attacks are all items that may be disallowed in a penetration test.

For this attack to work, you need a desktop network that requires users to go through an authenticated proxy server, and that network must permit some form of man-in-the-middle attack.  When those conditions line up, this can be a great way to gain more access into an environment.

Most proxy servers that support authentication support NTLM, but many also come configured by default to accept Basic authentication as well.  Most websites that use Basic authentication must use SSL in order to prevent the credentials from passing in plain text.  For proxy servers, however, SSL is not an option.  I don't know of a single proxy software package that secures communication between the proxy and end-user.  They all support SSL to the final destination, but when authenticating to the proxy server, there is no encryption.  This makes Basic authentication with proxy servers very dangerous.

For this experiment, we'll be using ettercap, dsniff, and a custom ettercap filter.  We use dsniff to capture the authentication credentials and ettercap to launch the man-in-the-middle attack.  The beauty of ettercap is the filters you can create to take action on packets.  The filter we'll be using does two things.

First, we'll stomp on the proxy's authentication challenge.  When a browser sends a request to a proxy server, the proxy denies the request, telling the browser it must authenticate, and headers in that reply list the authentication methods the proxy supports.  Using the ettercap filter below, you can stomp on the methods the proxy server advertises and replace them with Basic authentication:

# Replies from the proxy (source port 8080): rewrite the NTLM challenge
# header so the browser is only offered Basic authentication.
if (ip.proto == TCP) {
   if (tcp.src == 8080) {
      if (search(DATA.data, "Proxy-Authenticate: NTLM")) {
         replace("Proxy-Authenticate: NTLM", "Proxy-Authenticate: BASIC realm=\"Company\"");
         msg("Proxy NTLM killed");
      }
   }
}
This replaces the proxy's reply saying it supports NTLM with one saying it supports Basic.  The browser will then prompt the user to type in credentials, and if the user authenticates, the credentials pass in plain text.

Next, we'll make sure that requests carrying the Basic credentials don't travel beyond the system performing the man-in-the-middle attack:

# Requests to the proxy (destination port 8080): once the browser answers with
# Basic credentials, kill the connection so the request never reaches the proxy.
if (ip.proto == TCP) {
   if (tcp.dst == 8080) {
      if (search(DATA.data, "Proxy-Authorization: Basic")) {
         kill();
      }
   }
}

Just remember that this filter blocks the user from reaching the proxy for as long as it is loaded, so unload it once you have captured credentials to avoid causing a sustained outage for the user.
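As an added, defence-side example that is not part of the original post, here is a small Python checker for captured proxy traffic that flags what the two filters above leave on the wire: a 407 challenge that offers Basic or no longer offers the NTLM/Negotiate schemes the real proxy is known to use, and a client request carrying Proxy-Authorization: Basic in cleartext.  The expected-scheme set and the sample exchange are constructed assumptions for the example.

```python
import re

# Schemes the organisation's proxy is known to advertise (constructed assumption);
# a 407 that offers none of them is a downgrade indicator.
EXPECTED_SCHEMES = {"ntlm", "negotiate"}

def parse_message(raw):
    """Return (start_line, headers) for a raw HTTP message; header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers

def scheme_of(value):
    """First token of an auth header value, lower-cased ('' if the value is empty)."""
    parts = value.split(None, 1)
    return parts[0].lower() if parts else ""

def audit_message(direction, raw):
    """Findings for one message; direction is 'to_client' (proxy reply) or 'to_proxy'."""
    start, hdrs = parse_message(raw)
    findings = []
    if direction == "to_client" and re.match(r"HTTP/\d\.\d 407\b", start):
        offered = {scheme_of(v) for v in hdrs.get("proxy-authenticate", [])}
        if "basic" in offered:
            findings.append("407 offers Basic: credentials would cross the wire in cleartext")
        if not offered & EXPECTED_SCHEMES:
            findings.append("407 lacks the expected schemes: possible downgrade")
    if direction == "to_proxy":
        if any(scheme_of(v) == "basic" for v in hdrs.get("proxy-authorization", [])):
            findings.append("client sent Proxy-Authorization: Basic in cleartext")
    return findings

def audit_capture(messages):
    """Audit a list of (direction, raw_message) pairs; returns (index, finding) tuples."""
    return [(i, f) for i, (d, raw) in enumerate(messages) for f in audit_message(d, raw)]

# Constructed sample exchange: a legitimate NTLM challenge, the same challenge
# rewritten to Basic, and the browser's cleartext answer (placeholder credentials).
SAMPLE = [
    ("to_proxy", "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("to_client", "HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: NTLM\r\n\r\n"),
    ("to_client", "HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: BASIC realm=\"Company\"\r\n\r\n"),
    ("to_proxy", "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nProxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n"),
]
if __name__ == "__main__":
    for idx, finding in audit_capture(SAMPLE):
        print("message %d: %s" % (idx, finding))
```

The same checks applied to proxy access logs or per-connection captures alert on the downgrade without decoding any credentials.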