Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers (21 page)

BOOK: Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers
13.12Mb size Format: txt, pdf, ePub
Chapter Wrap Up

Congratulations! We wrote quite a few tools in this chapter to analyze network traffic. We started by writing a rudimentary tool capable of detecting the Operation Aurora attack. Next, we wrote some scripts to detect the hacker group Anonymous’ LOIC toolkit in action. Following that, we replicated a program that seventeen-year-old H. D. Moore used to detect decoy network scans at the Pentagon. Next, we created some scripts to detect attacks that utilized DNS as a vector, including the Storm and Conficker worms. With the ability to analyze traffic, we replicated a two-decade old attack used by Kevin Mitnick. Finally, we utilized our network analysis skills to craft packets to overwhelm an IDS.

Hopefully this chapter has provided you with excellent skillsets to analyze network traffic. This study will prove useful in the next chapter as we write tools to audit wireless networks and mobile devices.

References

1. Binde, B., McRee, R., & O’Connor, T. (2011). Assessing outbound traffic to uncover advanced persistent threat. Retrieved from SANS Technology Institute website: <
www.sans.edu/student-files/projects/JWP-Binde-McRee-OConnor.pdf
>, May 22.

2. CIO Institute bulletin on computer security (1999). Retrieved February from <
nmap.org/press/cio-advanced-scanners.txt
>, March 8.

3. Higgins, K. J. (2007). Attackers hide in fast flux.
Dark Reading
. Retrieved from <
http://www.darkreading.com/security/perimeter-security/208804630/index.html
>, July 17.

4. Lemos, R. (2007). Fast flux foils bot-net takedown.
SecurityFocus
. Retrieved from <
http://www.securityfocus.com/news/11473
>, July 9.

5. Markoff, J. (1995). A most-wanted cyberthief is caught in his own web.
New York Times
(online edition). Retrieved from <
www.nytimes.com/1995/02/16/us/a-most-wanted-cyberthief-is-caught-in-his-own-web.html?src=pm
>, February 16.

6. Nazario, J. (2008). As the net churns: Fast-flux botnet observations.
HoneyBlog
. Retrieved from <
honeyblog.org/junkyard/paper/fastflux-malware08.pdf
>, November 5.

7. Shimomura, T. (1994). Tsutomu’s January 25 post to Usenet (online forum comment). Retrieved from <
http://www.takedown.com/coverage/tsu-post.html
>, December 25.

8. Shimomura, T. (1996). Wired 4.02: Catching Kevin.
Wired.com
. Retrieved from <
http://www.wired.com/wired/archive/4.02/catching.html
>, February 1.

9. Verton D.
The hacker diaries: Confessions of teenage hackers
. New York: McGraw-Hill/Osborne; 2002.

10. Zetter, K. (2010). Google hack attack was ultra-sophisticated, new details show.
Wired.com
. Retrieved from <
http://www.wired.com/threatlevel/2010/01/operation-aurora/
>, January 14.

Chapter 5
Wireless Mayhem with Python
Information in this chapter:

 
Sniffing Wireless Networks for Personal Information

 
Listening for Preferred Networks and Identifying Hidden Wireless Networks

 
Taking Control of Wireless Unmanned Aerial Vehicles

 
Identifying Firesheep in Use

 
Stalking Bluetooth Radios

 
Exploiting Bluetooth Vulnerabilities

Knowledge does not grow like a tree where you dig a hole, plant your feet, cover them with dirt, and pour water on them daily. Knowledge grows with time, work, and dedicated effort. It cannot come by any other means.

—Ed Parker, Senior Grand Master of American Kenpo

Introduction: Wireless (IN)Security and the Iceman

On September 5, 2007, the US Secret Service arrested a wireless hacker named Max Ray Butler (
Secret Service, 2007
). Also known as the Iceman, Mr. Butler sold tens of thousands of credit card accounts through a Website. But how did he collect this private information? Sniffing unencrypted wireless Internet connections proved to be one of the methods he used to gain access to credit card information. The Iceman rented hotel rooms and apartments using false identities. He then used high-power antennae to intercept communications to the hotel’s and nearby apartments’ wireless access points to capture the personal
information of its guests (
Peretti, 2009
). All too often, media experts classify this type of attack “sophisticated and complex.” Such a statement proves dangerous, as we can execute several of these attacks in short Python scripts. As you’ll see in the following sections, we can sniff for credit card information in less than 25 lines of code. But before we begin, let’s ensure we have our environment setup correctly.

Setting up Your Wireless Attack Environment

In the following sections, we will write code to sniff wireless traffic and send raw 802.11 frames. We will use a Hawking Hi-Gain USB Wireless-150N Network Adapter with Range Amplifier (HAWNU1) to create and test the scripts in this chapter. The default drivers for this card on Backtrack 5 allow a user to place it into monitor mode as well as transmit raw frames. Additionally, it contains an external antenna connection that allows us to attach a high-powered antenna to the card.

Our scripts require the ability to place the card into a monitor in order to passively listen for all wireless traffic. Monitor mode allows you to receive raw wireless frames rather than 802.11 Ethernet frames you typically get in Managed mode. This allows you to see beacons and the wireless management frames even if you are not associated with a network.

Testing Wireless Capture with Scapy

To place the card into monitor mode, we use the aircrack-ng suite of tools written by Thomas d’Otreppe. Iwconfig lists our wireless adapter as wlan0. Next, we run the command
airmon-ng start wlan0
to start it into monitor mode. This creates a new adapter known as
mon0.

 attacker# iwconfig wlan0

 wlan0 IEEE 802.11bgn ESSID:off/any

   Mode:Managed Access Point: Not-Associated

   Retry long limit:7 RTS thr:off Fragment thr:off

   Encryption key:off

   Power Management:on

 attacker# airmon-ng start wlan0

 Interface Chipset  Driver

 wlan0   Ralink   RT2870/3070  rt2800usb - [phy0]

      (monitor mode enabled on mon0)

Let’s quickly test that we can capture wireless traffic after placing the card into monitor mode. Notice that we set our conf.iface to the newly created
monitoring interface, mon0. Upon hearing each packet, the script runs the procedure pktPrint(). This procedure prints a message if the packet contains an 802.11 Beacon, an 802.11 Probe Response, a TCP Packet, or DNS traffic.

 from scapy.all import ∗

 def pktPrint(pkt):

  if pkt.haslayer(Dot11Beacon):

   print ‘[+] Detected 802.11 Beacon Frame’

  elif pkt.haslayer(Dot11ProbeReq):

   print ‘[+] Detected 802.11 Probe Request Frame’

  elif pkt.haslayer(TCP):

   print ‘[+] Detected a TCP Packet’

  elif pkt.haslayer(DNS):

   print ‘[+] Detected a DNS Packet’

 conf.iface = ‘mon0’

 sniff(prn=pktPrint)

After firing up the script we see quite a bit of traffic. Notice that the traffic includes the 802.11 Probe Requests looking for networks, 802.11 Beacon Frames indicating traffic, and a DNS and TCP packet. At this point we know that our card works.

 attacker# python test-sniff.py

 [+] Detected 802.11 Beacon Frame

 [+] Detected 802.11 Beacon Frame

 [+] Detected 802.11 Beacon Frame

 [+] Detected 802.11 Probe Request Frame

 [+] Detected 802.11 Beacon Frame

 [+] Detected 802.11 Beacon Frame

 [+] Detected a DNS Packet

 [+] Detected a TCP Packet

Installing Python Bluetooth Packages

We will cover some Bluetooth attacks in this chapter. To write Python Bluetooth scripts, we will utilize the Python bindings to the Linux Bluez Application Programming Interface (API) and the obexftp API. Use apt-get to install both bindings on Backtrack 5.

 attacker# sudo apt-get install python-bluez bluetooth python-obexftp

 Reading package lists... Done

 Building dependency tree

 Reading state information... Done

 <..SNIPPED..>

 Unpacking bluetooth (from .../bluetooth_4.60-0ubuntu8_all.deb)

 Selecting previously deselected package python-bluez.

 Unpacking python-bluez (from .../python-bluez_0.18-1_amd64.deb)

 Setting up bluetooth (4.60-0ubuntu8) ...

 Setting up python-bluez (0.18-1) ...

 Processing triggers for python-central .

Additionally, you will need access to a Bluetooth device. Most Cambridge Silicon Radio (CSR) chipsets work fine under Linux. For the scripts in this chapter, we will use a SENA Parani UD100 Bluetooth USB Adapter. To test if this operating system recognizes the device, run the
hciconfig
config command. This prints out the configuration details for our Bluetooth device.

 attacker# hciconfig

 hci0: Type: BR/EDR Bus: USB

   BD Address: 00:40:12:01:01:00 ACL MTU: 8192:128

   UP RUNNING PSCAN

   RX bytes:801 acl:0 sco:0 events:32 errors:0

   TX bytes:400 acl:0 sco:0 commands:32 errors:0

In this chapter, we will both intercept and forge Bluetooth frames. I’ll mention this again later in the chapter, but it is important to know that Backtrack 5 r1 comes with a glitch—it lacks the necessary kernel modules to send raw Bluetooth packets in the compiled kernel. For this reason, you need to either update your kernel or use Backtrack 5 r2.

The following sections will prove exciting. We will sniff credit cards, user credentials, takeover a UAV remotely, identify wireless hackers, and stalk and exploit Bluetooth devices. Please always check the applicable laws concerning the passive and active interception of wireless and Bluetooth transmissions.

Other books

Dreamwalker by Oswald, J.D.
Elvis Has Left the Building by Charity Tahmaseb
The Titan's Curse by Rick Riordan
Not Just a Friend by Laura Jardine
The Kremlin Device by Chris Ryan
Cellular by Ellen Schwartz
To Hell in a Handbasket by Beth Groundwater
Fibles by M. R. Everette
The fire and the gold by Phyllis A. Whitney