Transcription
Sec601 Lab 7 – Password SniffingAim: To become familiar with a packet capture application called a password sniffer. A password snifferlooks for packets on a network and decrypts them.General themes of exercises: Look at KeyloggersUtilise Cain and AbelCrack Windows passwordsExercise 1: KeyloggersAim: To run keylogging spyware and capture passwords as a user types.Method: Run keylogging software called actualspy on CLIENTResults:Started by navigating to c:\GTSLABS in CLIENT, with the intention of running the application.Unfortunately, the app had been deleted by Windows Defender in a previous lab, so was unable toperform the exercise. However, just gist of the exercise is clear. When keylogging software is installedon your computer, any logons that you may do will be recorded by the software and made available tothe hacker.Exercise 2: Cain and AbelAim: To play with a Windows password sniffer called Cain and Abel. In this situation, Abel is a server thatredirects traffic to Cain, the password sniffer.Method: Use Cain and Abel to sniff passwords entered in the CLIENT when authenticating access toServerResults:Started by signing into Server as CLASSROOM\Administrator and starting Server Manager. In ServerManager I ran IIS (select Tools IIS). After expanding the Server node (and closing the dialog box), Iexpand Sites and selected the Default Website node. The double-clicked Authentication in the “Home”pane and alt-clicked Anonymous Authentication and selected Disable. The enabled Basic Authentication.
The Default Web Site node:After alt-clicking Authentication:
I then disabled Authentication:And enabled Basic Authentication:Following this, I then logged into CLIENT as CLASSROOM\Administrator and set a static IP on theEthernet adapter of 10.1.0.10/24, default G/W of 10.1.0.1 and DNS of 10.1.0.1:
I then browsed to c:\GTSLABS and ran ca setup, installing with the defaults (didn’t install WinPcap):
I then started Cain and clicked OK on the following warning:After closing Cain, I then turned off the firewall (start button type firewall see below):I then ran Cain again and clicked the Start Sniffer icon to start sniffing for passwords:
With Cain working successfully - adapter and ip address has been identified, see below:I then went through the Options that Cain covers/can be used for (ARP poisoning for MitM attacks,digital certificate spoofing, etc.):Traceroute (host name info, etc.):
Challenge spoofing:Targets selected ports/protocols:
ARP poisoning:Different ARP-SSL options
Certificate spoofing:Various http fields:
Collecting certificates:Then clicked the Start Sniffing icon again (ignored following warning):
Opened http://server.classroom.local in the browser and logged on. Then opened the Internet Optionsdialog and deleted the browsing history (checking all the checkboxes):
Exercise 3: Cracking Windows PasswordsAim: To crack an encrypted password using Cain.Method: Change Authentication options on Server to Window Authentication and use CLIENT to accessthe Server, while running CainResults:Started by logging into Server and changing the authentication options to Windows Authentication:Then opened http://server.classroom.local on CLIENT and logged on. Then closed the browser. Switchedto Cain and clicked the Sniffer tab, then the Passwords tab, then selected HTTP. Found the passwordsusing basic authentication had been decoded. Scary:
The credentials captured when Windows Authentication was activated appear under theMSKerb5PrePath node (see below). As can be seen, the passwords have not been decoded:After alt-clicking one of the MSKerb5PrePath records and selecting “send to cracker”, then clicking onthe Cracker tab (see below) and selecting Kerbs PrePath Hashes, I then alt-clicked the Administratoraccount (the username) and selected Brute-Force Attack:
Leaving the options as they appeared, I then clicked the Start button:And discovered the time it would take for such an attack to be rather long (1.27e 012 years), makingthis attack strategy useless (see below):
I then stopped the aatack:I then attempted an attack with a custom character set (narrowing the possibilities):
The custom character set substantially lowered the time it would take for a brute force attack, but it wasstill 16 hours:I then tried a different hash by selecting LM & NLTM Hashes in the Cracker tab. Then I clicked Add toList on the tool bar and selected Import Hashes from local system at the prompting:
Following this I alt-clicked the Admin account (see below) and selected Brute-Force Attack, NLTMHashes, and then clicked start:
I then alt-clicked Admin and selected Cryptanalysis, NLTM Hashes, via Rainbow Tables (Rainbow Crack):If a rainbow table had been available to add to the above dialog (by click the Add Table button), thiswould potentially have reduced the time taken to crack the password, as rainbow tables are a list ofhashes and passwords that a script with the password hash to be cracked can quickly run through andfind the corresponding hash/password pair.
Aim: To play with a Windows password sniffer called Cain and Abel. In this situation, Abel is a server that redirects traffic to Cain, the password sniffer. Method: Use Cain and Abel to sniff passwords entered in the CLIENT when authenticating access to Server Results: Started by signing into Server as CLASSROOM\Administrator and starting Server Manager. In Server Manager I ran IIS (select .
