Section 8
Creative Advanced Attacks
On the downhill slide of our journey with the Wireless LAN Security Assessment Toolkit, we'll show you
some of the cutting-edge and exciting tools and techniques that exist in the WLAN ecosystem.
Your kit includes a professional honeypot to trap would-be attackers on your Wireless LANs. Plus we've
included some unique 'tools' on a USB 'Attack Stick' – remember, only WITH PERMISSION.
Product Information: KFSensor Professional – Commercial License, $999.00
Source: Key Focus – http://www.keyfocus.net/kfsensor/index.php
It is easy to update the rulebase with new rules from different sources and to
create new rules directly from an event.
Requirements / Dependencies
• Windows NT, Windows 2000, Windows XP, Windows 2003 Server
• 500 MB hard disk space
• 512 MB RAM
• 1 NIC and/or a direct internet connection
In this lab exercise you configure KFSensor using the Wizard and the individual
settings windows.
Step 1. Launch KFSensor (it may already be started on your system. Look for the
KFSensor icon in the system tray - it may be a different color).
Step 2. Select Settings > Set Up Wizard. The Set Up Wizard guides you
through the configuration of:
- Port Classes
- Domain Name Selection
- Email Alerts
- Systems Service
Step 3. Click the Next button to begin configuring KFSensor. By default, all port
classes are selected.
Step 4. Now you need to give your system a name. Use a fictitious name that may be
attractive to someone who is doing discovery for “juicy” targets. For example,
using the following words somewhere in your domain name may get you more
hits:
- credit
- bank
- financial
- investment
- accounting
- private
- internal
Enter your domain name (don't forget to include the .com, .org, .net or
whatever extension you are going to use). Click Next.
Step 5. If you would like to receive email alerts of events, enter your target
email address and the source email address in this window.
Click Next.
Step 6. Now you can configure the system services. Click the Wizard Help
button for more details on each option.
Denial of Service
- Normal/Cautious
Port Activity
- 1-12 Hours
Proxy Emulation
- Allow banner grabs and loop backs
- No external connections
Click Next.
Step 7. Now you are on the system service set up window. A system service allows
KFSensor to run like a daemon on your system regardless of who is logged into it.
You can change between users without affecting the system service. You must be
logged in as the administrator to install the system service.
Click Next.
Step 8. KFSensor should now be ready to configure your system. Click Finish.
We definitely want to disable the audible alarm and we want to increase the
number of events that are displayed when KFSensor starts up.
Step 10. Now you are ready to review the DOS Attack Settings and decide whether to stay
with Normal, use Cautious, or define a customized setting. Select Settings >
DOS Attack Settings.
Step 11. To compare the two default settings – Normal and Cautious – click on each
separately and review the settings. You can select either
setting or define a customized setting for this lab exercise. Click OK when you
are finished.
Step 12. Now we are ready to configure the network analyzer function of KFSensor. We
enabled this feature in the Set Up Wizard.
In this area you can select to monitor specific interfaces and define the types of
packets that you want to capture.
Step 13. Configure your KFSensor network protocol analyzer as shown below.
NOTE: This system has a dial-up adapter loaded. On your systems, choose all
adapters that are displayed in the list (which include your wired and wireless
adapter and the generic Microsoft adapter).
Note: Your analyzer trace files are stored in the c:\kfsensor\dumps directory.
Step 14. Select Settings > Email Alerts and review the configuration. You
may want to select a Message Title or rethink the sender’s address so you can
easily apply email filters for your KFSensor alerts. In this area you also define the
email alert interval and the message severity level. Click OK when you are
finished.
Step 15. Now select Settings > Local Sensor Configuration. Here you
will see the Sensor ID of your KFSensor server. If you install more than one
KFSensor, assign a unique ID to each, since this number is kept in the logs to enable
you to determine which KFSensor server was hit.
Change your KFSensor ID value to kfsensor-zzz where zzz are your first,
middle and last initials.
We’ll keep this default port and the log level setting at this time. Click OK to
accept this setting.
Note: KFSensor may warn that it needs to be restarted in the 'normal' way and then
shut down. Just restart it to return.
Step 16. Look through the other options under the Settings menu. If you
need to know more about any setting, click the Help button on the setting
window.
In this lab exercise you continue to configure KFSensor by viewing the Main
Scenario, creating a new scenario and defining the Listens and KFSensor
behavior for those Listens.
Step 17. In the KFSensor window, select Scenario > Edit Scenarios. You
should have only one scenario defined on your system – the Main Scenario. This is
the active scenario at this time.
NOTE: First we are going to look at the Main Scenario – we are not going to edit
that scenario, however. We are going to back out and make a new scenario
called WLSAT Scenario.
Step 18. Click Edit. At this time you might see a KF Warning box appear. This is not
unusual – it indicates that certain ports were in use already when KFSensor
started. You can select “Convert to Native” on those ports to have KFSensor listen
to activity on them. For example, on Windows systems the NBT (NetBIOS) ports
are enabled by default and will generate errors.
Click OK.
We don’t want to edit this scenario – we only want to look at it. This window is
showing you “Listens” or defined ports that we are listening on using this
scenario.
Step 19. Double-click on FTP Guild (see previous graphic) to get more detail
on the configuration of the FTP Listen.
Here you can get an idea of how a Listen is defined – you define the port number
and protocol and address to bind the Listen to. This is also where you define the
KFSensor action when that Listen is hit as well as the severity level. Finally you
can define the DOS attack limits to protect KFSensor from being overwhelmed by
Step 20. Click Cancel to close the Edit Listen window and Cancel to close the Edit
Scenario Window. You should now be viewing the Edit Scenarios window as shown
below.
Step 21. Click Add to create a new scenario. You may receive the warning about ports in
use. Click OK to close the warning window.
Step 22. Enter the scenario name WLSAT Scenario. Enter the domain name that
you defined in the Set Up Wizard. Click the Add/Remove Classes…
button.
Step 23. Check off all the classes listed except Linux and click OK.
Step 24. Now you will see all the Listens for these classes show up in your new scenario.
We are going to add a Listen to this group. Click Add.
You are going to add a Listen for Laura's Attack. Enter the information as
shown in the configuration below. Click OK when you are done.
Step 25. Your new Listen should show up in the list now. Click OK to save this scenario and
close the New Scenario window. Now your WLSAT Scenario should be listed in the
Edit Scenario window. Click OK to close the Edit Scenario window.
Step 26. Select Scenario > Switch Scenario. Select your WLSAT
Scenario from the drop-down list and click OK.
In this lab exercise you view and edit rules related to visitors that hit
KFSensor. You will work with your WLSAT Scenario only.
NOTE: If you are going to connect to the KFSensor system using a Listen port
(perhaps one that has been converted to native, such as the FTP port) and you
don’t want your communication to be logged, enter a Visitor Rule to exclude
your connection on that port. Visitor rules are only used to close connections
with, or ignore visitors. They are NOT a “lockout” feature. Use signatures to do
lockouts based on ports or payload.
Protocol: Any
Actions: Ignore
Step 4. Your new rule is visible when you edit the active scenario and click the Rules
button.
In this lab exercise you create a signature rule based on traffic received and
review how signatures are created and imported.
Step 6. Maximize the window so you can see the Received column information.
This column shows the data related to the event (if any).
Step 7. Double-click one of the events that show data was transferred.
The Event Detail window appears.
Step 8. Click the Signature tab. If no signature is associated with this event,
click the Create button. The Edit Signature window appears showing the signature
data definition.
Step 9. The Add Signature window is now displayed. You can provide a message with your
signature and include a Source Reference (such as a website that contains
additional information on this signature).
Note: Unless you are actively working with a ‘partner’ to see live traffic, you’ll
only see your own little network’s Windows traffic.
The official Snort and community rules sets can be obtained at:
http://www.snort.org/rules/
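The Listen definition from Step 19 (port, protocol, bind address, action, severity and DoS limits), the Visitor Rule note above (rules only ignore or close a visitor, never lock one out) and the signature exercise fit together in one small model. The following is an added example written for this section, not KFSensor's own code; the class names, field names, the Listen named after the lab's "Laura's Attack" entry and the constructed traffic in demo() are all assumptions:

```python
"""Honeypot Listen with a DoS limit, Visitor Rules and payload signatures.

Added example for this lab, not KFSensor code: class names, field names and
the constructed traffic in demo() are assumptions used to illustrate the
Listen, Visitor Rule and signature concepts from the exercises.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Listen:                       # a port the sensor listens on
    name: str
    port: int
    protocol: str = "TCP"
    bind_address: str = "0.0.0.0"
    action: str = "close"           # sensor action when the Listen is hit
    severity: str = "medium"
    max_hits_per_window: int = 5    # DoS limit: hits per visitor per window
    window_seconds: int = 60

@dataclass
class VisitorRule:                  # "ignore" (do not log) or "close"; never a lockout
    ip: str
    port: Optional[int]             # None matches any port
    action: str

@dataclass
class Signature:                    # substring looked for in the received payload
    name: str
    pattern: bytes
    severity: str

@dataclass
class Event:
    timestamp: float
    visitor_ip: str
    port: int
    received: bytes
    severity: str
    action: str
    signature: Optional[str] = None
    dos_limited: bool = False

class Sensor:
    def __init__(self, listens, rules, signatures):
        self.listens = {l.port: l for l in listens}
        self.rules, self.signatures = rules, signatures
        self.hits: Dict[Tuple[str, int], List[float]] = defaultdict(list)
        self.log: List[Event] = []

    def _visitor_rule(self, ip, port):
        return next((r for r in self.rules if r.ip == ip and r.port in (None, port)), None)

    def _over_dos_limit(self, listen, ip, now):
        # Sliding window of this visitor's hits on this Listen.
        key = (ip, listen.port)
        window = [t for t in self.hits[key] if now - t < listen.window_seconds] + [now]
        self.hits[key] = window
        return len(window) > listen.max_hits_per_window

    def handle(self, ip, port, received, now) -> Optional[Event]:
        """Process one connection; return the logged Event, or None if not recorded."""
        listen = self.listens.get(port)
        if listen is None:
            return None                      # no Listen on this port
        rule = self._visitor_rule(ip, port)
        if rule is not None and rule.action == "ignore":
            return None                      # excluded visitor, e.g. the operator's own box
        event = Event(now, ip, port, received, listen.severity,
                      rule.action if rule is not None else listen.action)
        for sig in self.signatures:          # first matching signature tags the event
            if sig.pattern in received:
                event.signature = sig.name
                if SEVERITY_RANK[sig.severity] > SEVERITY_RANK[event.severity]:
                    event.severity = sig.severity
                break
        if self._over_dos_limit(listen, ip, now):
            event.dos_limited, event.action = True, "close"   # protect the sensor
        self.log.append(event)
        return event

def demo():
    """Run constructed traffic (not captured data) through a two-Listen sensor."""
    sensor = Sensor(
        listens=[Listen("FTP Guild", 21),
                 Listen("Laura's Attack", 4444, severity="high", max_hits_per_window=3)],
        rules=[VisitorRule("10.0.0.5", None, "ignore")],      # the operator's own machine
        signatures=[Signature("ftp-anon-login", b"USER anonymous", "high")],
    )
    traffic = [
        (0.0, "10.0.0.5", 21, b"USER admin\r\n"),          # ignored by the Visitor Rule
        (1.0, "192.0.2.10", 21, b"USER anonymous\r\n"),    # tagged by the signature
        (2.0, "192.0.2.10", 8080, b"GET / HTTP/1.0\r\n"),  # no Listen on 8080: not recorded
    ] + [(3.0 + i, "192.0.2.44", 4444, b"\x00") for i in range(4)]  # 4th hit trips the limit
    results = [sensor.handle(ip, port, data, ts) for ts, ip, port, data in traffic]
    return sensor, results
```

Run demo() to see which connections end up in the log: the operator's own visitor is dropped without a record, a payload containing the signature string raises the event's severity to the signature's level, and the fourth hit on the 4444 Listen inside the window is closed as DoS protection. A Visitor Rule whose action is "close" still produces an event, which is exactly why the lab says rules are not a lockout feature; lockouts belong to signatures on ports or payloads.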
Product Information: NirSoft utilities – Freeware
Source: NirSoft – www.nirsoft.net
• SniffPass – Listen on the network for POP3, IMAP4, SMTP, FTP and
HTTP passwords
• Network Password Recovery – Recover network passwords
stored by Windows XP
• WirelessKeyView – View Wireless LAN WEP and WPA keys
• IE PassView – View Internet Explorer passwords
• IECookiesView – View and Modify cookies stored on your computer
• IEHistoryView – View and Delete URLs you've visited in the last
few days
• WinUpdatesList – Display all the Windows updates on the target
machine
• ProduKey – Recover Microsoft Office/Windows Product CD-Keys
Requirements / Dependencies
• Any Windows operating system
This is the 'manual' way of running these… in the next lab we will use an
'Attack Stick' to automate the process.
Step 2. Note the wealth of information this quickly provides – web sites, passwords, etc.
These items are clearly and easily available to anyone who has access to your
computers!
What was discovered on *your* computer? _____________________________
How does this make you feel about the security of your private information?
____________________________________________________
Step 3. Like the other NirSoft products, this too can export to an HTML file.
Step 2. Open the window that contains the asterisk text-box you want to reveal. The
password will be instantly revealed inside the password box, and in addition, a
record containing the password and other information will be added to the main
window of Asterisk Logger utility.
Step 3. After you reveal all the passwords you need, you can select the desired passwords
in the main window of Asterisk Logger, and save them into a text or HTML file.
Step 3. A Capture Options window opens. Highlight the adapter you are using
for packet captures and select either RAW Sockets or WinPcap Packet
Capture Driver.
Note: Choose RAW Sockets if you don’t have WinPcap loaded already on your
target machine.
Step 4. Click OK.
Step 5. Generate some traffic by using the browser to login to a site where you must
enter your name and password.
Step 2. Did it find any of your Windows Network accounts and passwords? _______
Step 2. Did it find any of your Wireless accounts and passwords? ____________
Note: The keys are shown as both hex and ASCII values.
Step 2. Did it find any of your Internet Explorer accounts and passwords?
Step 2. Did you know your surfing history was this easy to see?
Step 3. Now using the options in Microsoft IE, clear out your history and cache and try
running this utility again. Did it clear your data?
Step 2. How many times has the target machine been ‘patched’ or updated by Microsoft
for the Windows OS? _______
Step 2. Cut and paste these keys into a text file and save as part of your backup. When
it’s time to restore, you’ll have your CD-Keys all ready to go.
While the USB Switchblade does require a system running Windows 2000, XP,
or 2003 logged in with Administrative privileges and physical access, the
beauty lies in the fact that the payload can run silently and without modifying
the system or sending network traffic, making it near invisible.
Product Information: USB Switchblade – combination of freeware
Source: Hak.5 Team
Step 3. Insert the 'Attack Stick' in the target computer. If Autorun does not launch, you
will need to launch USB Switchblade manually. Start the GO.BAT
file in the \WIP\CMD\ directory – or at your USB
drive prompt, type:
\WIP\CMD\go.bat
Step 4. You might have tripped an Anti-Virus alarm by running this Attack. Try turning
off Anti-Virus for a period of time.
Step 6. On a different computer (or the same as the target – it doesn’t matter) retrieve
the ‘found’ information by opening the \WIP\DUMP folder and finding a
folder with a name of the target computer. Inside you’ll find a set of files
containing massive amounts of personal information.
Step 8. Did you find passwords? For what programs? Did it find ALL passwords?
Why or why not? _________________________________________________
Step 9. There are other sets of tools that can use this same method for good and not
for evil – for example, running scripts to update A/V packages.