Start Your Free Trial

Man-in-the-middle Network Security Testing on enterprise environment replicas in AWS & Google Cloud

Author:
Clarence Chio
Clarence is a Security Research Engineer at Shape Security, working on the system that tackles malicious bot intrusion from the angle of big data analysis. Clarence has presented independent research on Machine Learning and Security at Information Security conferences in several countries, and is also the organizer of the “Data Mining for Cyber Security” meetup group in the SF Bay Area.

Have you ever used an unsecured public wifi connection and wondered if someone could be hacking you? Who could possibly be interested in monitoring your browsing activity on the web? In this post, we focus on a particularly active and common type of network hacking – man-in-the-middle (MITM) attacks. Network security testing is essential to discover these attacks, and Ravello cybersecurity labs provide an easy way to replicate enterprise environments on AWS and Google cloud and carry out MITM security testing.

Man-in-the-middle attacks refer to a class of situations where a machine’s communications with another machine is intercepted and potentially mutated by malicious actor. Because of the complexity of network protocols, attackers can often make use of commonly known loopholes that allow them to step between you and the service that you’re communicating with, and gain knowledge on private information about you. You might think: if these attacks are so ubiquitous, surely there must be lots of network security precautions in place by default to protect you against them! The truth is, even though security conscious web services indeed do have such measures in place, the vast majority of the web is still theoretically vulnerable to MITM attacks. Figuring out the vulnerabilities in your network infrastructure is crucial in ensuring that you do not become a victim.

For enterprises that manage large networks, it is almost always impossible to ensure all doors to the internal network remain securely locked. System administrators need to design systems and protections under the assumption that there are unknown and malicious entities within the internal network. (If you aren’t yet convinced of this point, check out my last blog post) Internal corporate network policy is often designed with efficiency in mind, and make the erroneous assumption that any entity within the internal network can be trusted. This is why MiTM attacks still flourish today, and is also why it is so important to understand which parts of your system are vulnerable to such attacks. With Ravello’s nested virtualization environment, you are able to create a cyber range to understand exactly how MITM attacks work and see how an attacker within your internal network can extract information to the outside world.

Section I: The Set Up

In this post, we will use the Man-in-the-middle Security Playground published in the Ravello Repo to see exactly how easy it is to execute an MITM attack.

Get it on Repo

REPO by Ravello Systems, is a library of public blueprints shared by experts in the infrastructure community.

After selecting the ‘Library’ → ‘Blueprints’ tab on the dashboard sidebar, you can then select the blueprint you just added to your library and click the orange ‘Create Application’ button.
This will take you to the ‘Applications’ section of the dashboard, where you can launch the application by publishing it to the cloud. This application is a very simple 3 node setup, consisting of a web server, a database, and our starting point for mischief – Kali Linux.

image01

Throughout this exercise, assume that you are the attacker, and you have gained access to the Kali Linux node that lies within a corporation’s internal network. We are trying to perform a MITM attack on a user that is trying to access the web server from the MySQL host.

After starting the application, enter the Kali Linux console. (login username: “root”, password: “ravellosystems”) The main tool that we will be using today is Ettercap, a suite of tools for carrying out MITM attacks that include a wide arsenal of software used to defeat most common network communication protocols and perform analysis on the target environment. This version of Kali Linux included in the blueprint application includes a graphical version of Ettercap, “ettercap-graphical”. Let’s launch it from the Kali application menu, under the “09 – Sniffing & Spoofing” folder.

image18

When you first start the Ettercap application, you have to configure and start live connection sniffing before you can carry out any more sophisticated attacks. Click on the “Sniff” dropdown menu option and select “Unified sniffing…”.

image16

You will be asked to select the network interface to sniff on, which should be “eth-0”. Ettercap is now in sniffing mode, and the game has begun. First of all, Ettercap has to gain knowledge on hosts within the internal network. The typical way that this is done is through the built-in “Hosts” → “Scan for hosts” option, which does an IP range scan, and may take some time. To speed things up, let’s say that we know that all hosts of interest are in the “10.0.0.*” IP range. With Ettercap still active, let’s open a terminal window in Kali and perform an “nmap”, just like we did in the last blog post.

image00

Enter the command:

$ nmap 10.0.0.*

image10

This triggers a scan of a narrower IP range, and allows us to more quickly get the results we want. Within seconds, you should see the results of the scan. The two hosts of interest, “webserver.localdomain (10.0.0.4)” and “mysql.localdomain (10.0.0.6)”, have been found.

image03

In scanning mode, Ettercap listens in on any network traffic that the local machine is involved in. There is therefore no need for any manual entering of IP addresses. After the nmap scan, just go back to the Ettercap window and select the “Hosts” → “Hosts list” option.

image17

You will see that 3 hosts have been found.

image07

If you dig through the nmap results in greater detail, you will see that the “10.0.0.1” host is in fact the internal DNS (Domain Name System) server of this network. At this point, let’s consider what we can do to mislead the mysql host using Ettercap’s arsenal. DNS resolution is a common target for MITM attacks. We can guess that the mysql host communicates with the webserver host through DNS names, which is a fair guess, since there is an internal DNS server which presumably has the DNS entries for “webserver” and “mysql”. Whenever the mysql host wants to communicate with the webserver host, it issues a DNS query to the DNS server (10.0.0.1), which then replies with the IP address of the webserver host that will be used as the network address.

Section II: DNS Interception

If we are able to somehow intercept the mysql host’s DNS query, and make all traffic from mysql come to the Kali box instead, then we would have succeeded in the most crucial step of MITM attacks. Ettercap has all the tools required to do this. Let’s launch a console into the mysql box just to see what effects our attacks will have. (login username: “ravello”, password: “ravellosystems”)

image22

Open a browser and navigate to “webserver”. You should see a pretty plain-looking example website served by the authentic “webserver” host with IP address 10.0.0.4.

image08

How can we make sure of that? Launch a terminal in the mysql host, and let’s use the standard Unix tool “dig” to examine a DNS query for “webserver” by doing:

$ dig webserver

image06

Only the “ANSWER SECTION” of the response is the important one. See that the “webserver.” question was given the answer “10.0.0.4”. Note also that the “SERVER” (which refers to the DNS server used to serve this response) is 10.0.0.1, which lines up with our earlier assumption that the internal DNS server does indeed contain the entry for “webserver”. All is working well from the point of view of a user on the mysql host!

Let’s switch back to the dark side and return to the Kali console. Before doing anything further with Ettercap, let’s start a web server to serve some content on the Kali host. This is the content that we want to serve the clueless user on the mysql host, assuming our MITM attack is successful. There should already be an “index.html” file in the Kali home directory.

image20

The simplest way to serve this content is probably to start a SimpleHTTPServer with Python by entering:

$ python -m SimpleHTTPServer 80

image12

Next up, we have to configure the “dns_spoof” plugin within Ettercap. Open another terminal window and edit the “etter.dns” file on the system.

We first locate the file by doing this:

$ locate etter.dns

After we know the location of this file, we open it, and see that the line

webserver                 A                 10.0.0.3

is already there. This file is used by Ettercap’s “dns_spoof” tool, and the line above simply means that if the target host makes a DNS query for “webserver”, we will return with (DNS A-record) 10.0.0.3, which is the IP address of the Kali host.

image19

Go to the “Host List” tab, select our victim server, mysql, i.e. 10.0.0.6, and select “Add to Target 1”.

image21

Then, by selecting “Targets” → “Current targets”, double check that 10.0.0.6 is indeed in the “Target 1” list.

image04

image14

To start the “dns_spoof” tool, we have to first select “Plugins” → “Manage the plugins”, then in the “Plugins” tab that appears, double-click on “dns_spoof” and ensure that the asterisk appears in the first column. This is an indication that the dns_spoof tool is running.

image02

image13

However, this is not all. The “dns_spoof” tool sends spoofed DNS replies for any DNS queries that comes our way. However, DNS queries that originate from the mysql host do not come through the Kali host. It goes straight to 10.0.0.1. How can we make DNS requests come through us? The answer is ARP poisoning. (Address Resolution Protocol)

Section III: ARP Spoofing

ARP poisoning is performed by sending spoofed ARP messages into the network with the aim of associating the MAC (hardware) address of the attacker’s host with the IP of another host. The ARP network protocol makes use of ARP caches to determine how to route network traffic. Therefore, if we associate the Kali host with the 10.0.0.1 IP address within the mysql hosts’s ARP table, any DNS queries that the mysql host makes will be routed through the Kali host. Then, “dns_spoof” will be able to work it’s magic.

Select “Mitm” → “ARP poisoning…” in Ettercap, and then check “Only poison one-way” in the selection box that pops up.

image15

image05

In just a few simple steps, (without writing a single line of code) we have launched a DNS/ARP poisoning attack within an internal network. Checking back on the mysql host console, see that all browser requests to “webserver” now instead return the content served by our Python webserver on Kali, and the “dig webserver” command now shows that the IP address returned is 10.0.0.3 – the IP address of the Kali box.

image11

image09

Section IV: Fin

The attack illustration above shows just how easy it is for an attacker within your internal network to mislead network users. A common technique for eavesdropping would be for the attacker to serve an exact copy of the original site, (instead of the “You’ve been pwned” page) and act as a literal middle-man in all transactions between the user and the server. If the site accepts login credentials or sensitive information, they would easily end up in the hands of the attacker.

Because there are so many different ways to carry out a MITM attack, it is difficult to ensure that there are no unintended eavesdroppers on the network. A good way to get around that fact is to have cryptographically secure communications, so even when traffic is intercepted, the attacker will not be able to make sense of the content. This is a large motivation for the move to SSL and HTTPS. Furthermore, many modern DNS servers implement protections against MITM attacks. To be sure that you are protected, you need to perform penetration testing on your environment. A good way of doing that is to make use of Ravello’s nested virtualization technology to spin up a copy of your network infrastructure which you can use as a cyber range. In-network detection tools such as “arpwatch” can also help network administrators to keep a close watch on the wire to make sure that any attack attempts are detected as early as possible.

The next time you connect to a public wifi network in your neighborhood coffee shop, do consider that the person sitting next to you might be using Ettercap to steal your login credentials. Always make sure that you are using the latest browsers with the newest security protections and updates, and use a VPN connection if you have one. The best way to know your vulnerabilities is to try to exploit them as an attacker would. I strongly encourage you to use the lab to build an environment that allows you to perform vulnerability assessments on your own systems. Ravello’s flexibility allows you to create a close replica of system and network infrastructures within a sandbox that can be repeatedly spun up and destroyed with a few clicks.

Once again, keep in mind that breaking into computer systems is illegal. Most system administrators, government agencies, and companies don’t have any sense of humor when it comes to security, and you don’t have to do any real damage to get into a considerable amount of trouble. Stealing credentials in your neighborhood coffeeshop with a WiFi Pineapple is not cool.

About Ravello Systems

Ravello is the industry’s leading nested virtualization and software-defined networking SaaS. It enables enterprises to create cloud-based development, test, UAT, integration and staging environments by automatically cloning their VMware-based applications in AWS. Ravello is built by the same team that developed the KVM hypervisor in Linux.

Check our product demo video

Man-in-the-middle Network Security Testing on enterprise environment replicas in AWS & Google Cloud