Activity narrative and attack identification

Attacker IP: 192.168.1.200

I was looking into the attacks in the Wireshark capture file which was given for an assignment; there are many exploits in the file, so I narrowed down to a single attack on the TCP protocol for finding the passwords in it. I was going through different packets in the Wireshark capture file and different filters. I tried using the ssh filter in order to check the vulnerability in SSH, but I found nothing there except the encryption of the SSH keys, which was of version 2, and the encryption was aes128-ctr. Basically, telnet is exploitable for getting passwords from Wireshark as it does not use any kind of encryption while sending the passwords, but in the file I didn't see any telnet packets or passwords under that filter.

After trying many filters like udp, ftp and ssh in the capture file, I moved on to the tcp and http filters in order to find the packets which have malicious information. I started looking into the http filter, as there were many packets, and then started searching for the keyword 'pass' in the Find Packet dialog in Wireshark. In the above figure I was looking for the form string in the packets, so that there might be any usernames and passwords in the packets. In order to retrieve the information from the packets, the word 'pass' will be used by many developers in their forms, so I was guessing that searching for it would help us find the information in the packets; the search was moving on from packet to packet until I finally found packet 2906 with the form and its values. We found the credentials in a packet: the username is root and the password is tslinux.

The result was not satisfying, so I was searching for the other attacks which were done by the attacker. I started searching for the new attacks made by the attacker by filtering the search with the following display filter in Wireshark: "ip.addr==192.168.1.200". The attacks made by the attacker were displayed; I was looking for other strings to enter in the string search box, i.e. 'post'.

The POST keyword is used by web developers in order to check credentials, add data to a database, check queries in a database, etc. Then I found out that packet 3901 contains information. The following packet 3901 contains the login credentials of the user. This is how I identified and analyzed the attacker.
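The same check the write-up performed by hand in Wireshark (filter on the attacker address, then look for POST forms carrying a 'pass'-like field) can be run over captured TCP payloads as detection logic. This is an added example, not part of the assignment write-up; the payloads are constructed, only the 192.168.1.200 address is taken from the report, and the script masks password values so the finding can be reported without re-exposing the secret.

```python
# Added example (not from the original write-up): scan captured TCP payloads for
# HTTP POST form submissions that carry credential-looking fields in cleartext,
# the condition the Wireshark 'pass' / 'post' string searches surfaced above.
from urllib.parse import parse_qs

CRED_FIELDS = ("pass", "pwd", "user", "login")   # names that suggest a credential
MASK_FIELDS = ("pass", "pwd")                    # values never written to a report

# Constructed sample streams (src_ip, dst_ip, reassembled TCP payload). Only the
# attacker address 192.168.1.200 comes from the write-up; everything else is made up.
SAMPLE_STREAMS = [
    ("192.168.1.200", "192.168.1.10",
     b"POST /login.php HTTP/1.1\r\nHost: 192.168.1.10\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"username=root&password=s3cret"),
    ("192.168.1.200", "192.168.1.10",
     b"GET /index.html HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n"),
    ("192.168.1.50", "192.168.1.10",
     b"POST /search HTTP/1.1\r\nHost: 192.168.1.10\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\nq=wireshark"),
]

def parse_post_form(payload: bytes):
    """Return the fields of a urlencoded HTTP POST as a dict, or None if the
    payload is not such a request (GET, missing body, other content type)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return None
    if b"application/x-www-form-urlencoded" not in head.lower():
        return None
    return {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}

def find_cleartext_credentials(streams, suspect_ip=None):
    """Flag POSTs whose field names look like credentials. suspect_ip plays the
    role of the ip.addr== display filter; password-like values are masked."""
    findings = []
    for src, dst, payload in streams:
        if suspect_ip and suspect_ip not in (src, dst):
            continue
        form = parse_post_form(payload)
        if not form:
            continue
        hits = {k: ("*" * len(v) if any(m in k.lower() for m in MASK_FIELDS) else v)
                for k, v in form.items() if any(t in k.lower() for t in CRED_FIELDS)}
        if hits:
            findings.append({"src": src, "dst": dst, "fields": hits})
    return findings

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_STREAMS, "192.168.1.200"):
        print(finding)
```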
Attack explanation

The attack is called a man-in-the-middle attack (MITM); it is also called a Janus attack. A man-in-the-middle attack is a type of cyber attack where the attacker secretly places him/herself into a conversation between two parties who believe they are directly communicating with each other. The goal of the attacker is to steal personal information, account details and credit card numbers. In the above image, you will notice that the attacker has placed him/herself in between the client and the server.

Now that the attacker sits between them, the attacker can intercept the data transferred between them and read the information it carries.

MITM ATTACK PROGRESSION

In order to successfully perform a MITM attack, there are two phases: interception and decryption.

INTERCEPTION

The first step is to intercept user traffic through the attacker's network before it reaches its intended destination. The simplest way of doing this is a passive attack in which an attacker makes free and malicious WiFi hotspots available to the public. Once a victim connects to this free and malicious hotspot, the attacker gains visibility into any online data exchange.

DECRYPTION

After interception, two-way SSL traffic needs to be decrypted without alerting the user or the application. The above explains how a man-in-the-middle attack can be dangerous.

MAN IN THE MIDDLE ATTACK PREVENTION

• Avoid free WiFi connections which aren't password protected.
• Do not use public networks (e.g., coffee shops, hotels) when performing sensitive transactions.

It is considered best practice for applications to use SSL/TLS to secure every page of their site and not just the pages that require users to log in. Doing so helps decrease the chance of an attacker stealing session cookies from a user browsing on an unsecured section of a website while logged in. In this capture the login form was submitted over plain HTTP, which is why the username and password were readable in packets 2906 and 3901; had the site used TLS for the login page, the credentials would not have been visible in the capture.