Results 1 to 10 of 13

Thread: [Video] Playing With Traffic (Squid)

Threaded View

  1. #1
    Moderator g0tmi1k's Avatar
    Join Date
    Feb 2010
    Posts
    1,771

    Lightbulb [Video] Playing With Traffic (Squid)

    Message from the author
    Playing with traffic. Actually, it’s more along the lines of “URL Manipulation”; however that didn’t sound as “catchy”. I do plan to do another video on “Altering (web) content”, which would be more actuate in regards to “Playing with traffic”. This would be done using Squid (instead of using Ettercap) - and I’ve had some ideas for when I do this too.

    This was posted on “April Fools” (The time for pranks and “gotchas”) and what seems to be a (harmless) “prank” is still an attack. This means you need permission to do it (just like everything else on this site!) - as you may capture/discover more than you planned. Like always, make sure you have permission, and, due to the content of one of these attacks, you need to make sure you don’t expose “minors”. On that note: you're on your own. What you do, is your doing. What you make happen is your responsibility. You have been warned.

    And with all of that out-of-the-way…



    Links
    Download scripts: http://www.mediafire.com/?fp9a1j9mxtr1xx8
    Download video: [I]http://www.mediafire.com/?a3umn4jyxh8fcgl
    Watch video on-line: http://g0tmi1k.blip.tv/file/4960204
    *If you wish to view only the effects of the attack or know how to setup Squid from before [1], skip to 03:40 in the video*

    Brief Overview
    There is more to “Man in the Middle” attacks than just getting/collecting/harvesting emails/passwords/cookies. For example, the attacker could manipulate & alter the target’s traffic to have some “malicious fun” (even though some scripts are “borderline childish”), to highlight the dangers of a “Man In The Middle” attack and what other abilities/options are available to the attacker. Below is a breakdown of the scripts demonstrated:

    Requirements
    * Nmap – Can be found in BackTrack 4-R2
    * Squid Can be found in the BackTrack repository
    * Apache Can be found in BackTrack 4-R2
    * DansGuardian Can be installed via allPornInternet.sh
    * ARPSpoof Part of the DSniff suite which can be found in the BackTrack 4-R2
    * A Text Editor – Kate can be found in BackTrack 4-R2
    * The collection of scripts – See “Links”



    Method
    * Start network services and obtain an IP address
    * Download, install and configure Squid proxy
    * Check the configuration and dependence for the script
    * Set file & folder permissions
    * Configure and perform a man in the middle attack
    * Game Over
    * Edit Squid configuration and restart service
    * Game Over ...again
    * Download & “configureDansGuardian
    * Restart Squid
    * Game Over ...once more!



    Walk-through
    The attacker installs Squid3 cache proxy via the Operating System (Backtrack 4 R2) repository. Squid is the “backbone” to this attack and after configuring it to work on the Local Area Network (LAN) and to be transparent (the proxy “works” without any configuration to the browser), the attacker chooses which script to first try out (asciiImages.pl is the first one) and adds it to the configuration file.

    The attacker then opens the script up to verify its location as well as any requirements, which in this case is ImageMagick, Ghostscript and jp2a. At the same time, the attacker checks the variables to match their local machine's configuration. For example, the attacker checks if:

    • "$debug" mode is needed for any diagnostics reasons. ("1" = enabled, "0" = disabled. The log file is placed in /tmp/[scriptname]_debug.log)
    • "$ourIP" matches the attacker's IP address. (ifconfig [interface])
    • "$baseDir" is a local path for a folder that is accessible to the webserver and is writeable by "nobody" - as Squid is running at this user level and it executes the perl scripts. (Apache default web path is /var/www/. However the attacker creates a subfolder, "tmp/" to use)
    • "$baseURL" would be the visible path for "$baseDir". (http://[ip]/anysubfolders)
    • "$convert" , "$convert" and "$jp2a" are the paths to the necessarily programs (whereis [programsname])

    Note: The variables depend on each script. The example above was taken from "asciiImages.pl".

    After this, the attacker moves on to configure the files and folder permissions to allow the necessary daemons to be able to interact correctly. The daemons are then restarted to re-load the configuration files in the new environment. The last stage in preparing the attacker’s machine is to manage the ports, as the standard HTTP port for web traffic is on port 80, however Squid is running on 3128 on the attacker’s machine (and their web server, which is needed, is also on port 80). The attacker redirects the traffic into the proxy, therefore squid is used. This is achieved with iptables.

    The attacker does a quick sweep of the network using nmap to check that the target is online. After they have been located, the attacker performs a MITM attack via ARP cache poisoning via arpspoof

    Everything is now in place… Game over.
    Last edited by g0tmi1k; 04-04-2011 at 06:20 PM.
    Have you...g0tmi1k?

Similar Threads

  1. [Video] Owning Windows (XP SP3 vs. Squid)
    By g0tmi1k in forum BackTrack Videos
    Replies: 4
    Last Post: 03-24-2011, 03:08 PM
  2. help with squid and sslstrip
    By roonie in forum Beginners Forum
    Replies: 1
    Last Post: 10-18-2010, 05:56 PM
  3. disable encryption in squid
    By bl0tch in forum Beginners Forum
    Replies: 2
    Last Post: 10-13-2010, 05:16 AM
  4. Replies: 20
    Last Post: 07-22-2010, 10:38 AM
  5. Anybody setup a Transparent Squid server?
    By imported_spankdidly in forum OLD General IT Discussion
    Replies: 3
    Last Post: 09-17-2007, 05:01 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •