#but it only passes through http imap and smtp traffic
Text
why's it so hard to set up a custom minecraft server...
#like cmon I have a public facing server already#I know it works since the logs dont show any errors#and like ive tried running the exact same hardware+software setup on my local network#but like unfortunately the public facing server only has IPv6#and I cant connect cause my ISP only issues IPv4#and the other people I want to play with probably only have v4 as well#I guess the hosting provider I have technically has a v4->v6 proxy to allow ppl with v4 only to connect to their servers#but it only passes through http imap and smtp traffic#so its pretty much useless for what I want to do#and like so far finding a proxy service that actually does what i want it to do seems impossible#like PLEASE I WANNA PLAY MINECRAFT WITH SOMEONE ELSE#I DONT WANNA SPEND TIME TRYING TO FIGURE OUT HOW TO GET THE SERVER RUNNING
3 notes
Text
Everything You Need To Know About Sniffing - Part 1
What is a sniffer in hacking? This section describes network sniffing and its threats: how a sniffer works, active and passive sniffing, how an attacker uses sniffers to compromise a network, the protocols susceptible to sniffing, sniffing at the data link layer of the OSI model, hardware protocol analyzers, SPAN ports, wiretapping, and lawful interception.
Network Sniffing
Packet sniffing is the process of monitoring and capturing the data packets passing through a network segment, using a software application or a hardware device. Sniffing is simple in hub-based networks, because a hub repeats every frame to every port, so every host on the segment sees all of the traffic.
However, most networks today are built on switches. A switch is a more sophisticated networking device. The main difference between a hub and a switch is that a hub transmits every frame to every port and keeps no port mapping, whereas a switch looks at the Media Access Control (MAC) address of each frame passing through it and forwards the frame only to the port where that address was learned. A MAC address is a hardware address that uniquely identifies each node on a network. On a switched network an attacker therefore has to manipulate the switch (for example by flooding its MAC table or poisoning ARP caches, the classic forms of active sniffing) in order to see traffic that is not addressed to the attacker's own port.
A packet sniffer (also called a protocol analyzer or IP sniffer) can capture packets only from the subnet it is attached to; it cannot see packets on another network segment. Physical access is often enough to get there: many enterprise switch ports are left enabled, so any laptop plugged into a wall jack joins the network.
A packet sniffer whose interface is in promiscuous mode can capture and analyze all of the traffic that reaches that interface. Promiscuous mode turns off the filter by which an Ethernet network interface card (NIC) normally discards frames addressed to other stations, so the sniffing program sees everyone's frames, not only those destined for its own host.
Although most networks today are switched, packet sniffing remains useful, because an attacker who compromises a network component that already carries heavy traffic, such as a server or a router, can install a remote sniffer there and observe a large part of the network's traffic from a single point.
Packet sniffers can capture packets containing sensitive information: passwords, account information, syslog traffic, router configuration, DNS queries, email, web traffic, chat sessions, FTP passwords and so on. Any protocol that carries credentials or content without encryption is exposed: SMTP, POP and IMAP (including their plaintext logins), HTTP Basic authentication, Telnet, SQL database protocols, SMB, NFS and FTP. The attacker reads passwords in clear text, the actual email messages, credit card numbers, financial transactions and the like.
An attacker who reads the captured packets gains a great deal of information and then uses it to break into the network. Combining passive capture with active sniffing techniques that redirect traffic to the attacker makes these attacks more effective still. You can get hands-on practice with network sniffing by becoming an EC-Council Certified Ethical Hacker at Infosavvy, Mumbai.
Read the full article:- https://www.info-savvy.com/everything-you-need-to-know-about-sniffing-part-1/
This blog article is posted by Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092 visit:- https://www.info-savvy.com/
#cyber Security Training#cyber security training institute#cyber security certification#IT management course#professional certification courses
0 notes
Link
Interception of passwords with Wireshark
Many users do not realize that when they type a login and password into a registration or sign-in form on a closed web resource and press ENTER, that data can easily be intercepted. Very often it is transmitted over the network without any protection. If the site you are logging in to uses plain HTTP, it is easy to capture the traffic, analyze it in Wireshark, and then use display filters and a few tools to find the password and, if it is hashed, crack it.
The best place to intercept passwords is the core of the network, where all users' traffic to internal resources (for example, mail) passes, or just in front of the router to the Internet for logins to external resources. Configure a mirror (SPAN) port there and we are ready to play hacker.
Contents
Step 1. Install and run Wireshark to capture traffic
Step 2. Filtering captured POST traffic
Step 3. Find the username and password
Step 4. Identifying the hash type of the captured password
Step 5. Cracking the user's password hash
Step 6. What if the traffic is encrypted and using HTTPS?
Step 1. Install and run Wireshark to capture traffic
For this it is usually enough to select the interface on which we plan to capture traffic and click the Start button. In our case, we capture on the wireless interface.
Traffic capture has begun.
Step 2. Filtering captured POST traffic
Open the browser and log in to some resource with a login and password. When the authorization completes and the site opens, stop the capture in Wireshark. The protocol analyzer now shows a large number of packets. This is the stage at which many IT professionals give up, because they do not know what to do next. We, however, are interested in specific packets: those containing the POST data generated on our local machine when the form was filled in and sent to the remote server when we clicked "Login" or "Sign in" in the browser. Enter the following display filter:
http.request.method == "POST"
Instead of thousands of packets, only the one with the data we are looking for remains.
Step 3. Find the username and password
Right-click the packet and choose Follow TCP Stream from the menu.
A new window shows the reassembled text of the exchange. Look for the "password" and "user" fields, which hold the password and the user name. In some cases both fields are readable as they are, not even encoded; but if we capture traffic to well-known resources like Mail.ru, Facebook, Vkontakte and so on, the password will at least be hashed:
HTTP/1.1 302 Found
Date: Mon, 10 Nov 2014 23:52:21 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: non=non; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Set-Cookie: password=e4b7c855be6e3d4307b8d6ba4cd4ab91; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Set-Cookie: scifuser=networkguru; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Note that this part of the stream is the server's response: this application puts the user name and the password hash into cookies, so they travel in every later request as well. Thus, in our case: Username: networkguru, Password (hash): e4b7c855be6e3d4307b8d6ba4cd4ab91
Step 4. Identifying the hash type of the captured password
Go, for example, to http://www.onlinehashcrack.com/hash-identification.php#res and paste the value into the identification field. I was given a list of candidate hash types in order of likelihood (all four produce a 32-character hex string, so the length alone cannot tell them apart, and you may have to try more than one hashcat mode; also think twice before pasting hashes captured from a real target into a third-party web service):
MD5
NTLM
MD4
LM
Step 5. Cracking the user's password hash
At this stage we can use the hashcat utility (-m 0 selects MD5, -a 0 is a straight wordlist attack, /root/wireshark-hash.lf holds the captured hash and rockyou.txt is the wordlist):
~ # hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
The output gives us the cracked password: simplepassword
Thus, with Wireshark we can not only troubleshoot applications and services but also try ourselves as a hacker, intercepting the passwords users type into web forms. You can also pick up passwords to user mailboxes with simple display filters, because POP, IMAP and SMTP send credentials in the clear unless the session is wrapped in TLS:
POP: pop.request.command == "USER" || pop.request.command == "PASS"
IMAP: imap.request contains "login"
SMTP: smtp.req.command == "AUTH"
If the captured credentials turn out to be encoded or hashed, the same identification and cracking tools as above apply; note that SMTP AUTH PLAIN and AUTH LOGIN only Base64-encode the user name and password, which is trivially reversible.
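The following is an added example and is not part of the original post or of the Infosavvy sniffing article above. It does in Python what the display filters and the Follow TCP Stream step do by hand: it pulls cleartext credentials out of captured client payloads for HTTP POST, POP3, IMAP and SMTP AUTH PLAIN (the protocols the sniffing article lists as exposed), then runs a straight wordlist attack on an MD5 hash the way hashcat -m 0 -a 0 does. The payloads, host names, user names, passwords and the mini-wordlist are all constructed for the example; nothing here was captured from a real network.

```python
"""Credential extraction from captured payloads and MD5 wordlist cracking.

Added example: not code from the original post. All payloads below are
constructed; the field names (user/password, USER/PASS, LOGIN, AUTH PLAIN)
are the ones the protocols actually use.
"""
import base64
import hashlib
import re
from urllib.parse import parse_qs

# Constructed client-side payloads, as "Follow TCP Stream" would show them.
SAMPLE_STREAMS = {
    "http": (
        "POST /login.php HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 33\r\n"
        "\r\n"
        "user=networkguru&password=hunter2"
    ),
    "pop3": "USER alice@example.test\r\nPASS s3cret\r\nSTAT\r\n",
    "imap": 'a001 LOGIN bob "p4ssw0rd"\r\na002 LIST "" *\r\n',
    # AUTH PLAIN carries base64("\0" + user + "\0" + password); this is carol/letmein
    "smtp": "EHLO client.example.test\r\nAUTH PLAIN AGNhcm9sAGxldG1laW4=\r\n",
}

USER_FIELDS = ("user", "username", "login", "email")
PASS_FIELDS = ("password", "pass", "passwd", "pwd")


def parse_http_post(stream):
    """Equivalent of http.request.method == "POST": return the (user, password)
    pair from a form-encoded request body, or None."""
    head, _, body = stream.partition("\r\n\r\n")
    if not head.startswith("POST "):
        return None
    form = parse_qs(body)
    user = next((form[f][0] for f in USER_FIELDS if f in form), None)
    password = next((form[f][0] for f in PASS_FIELDS if f in form), None)
    return (user, password) if user or password else None


def parse_pop3(stream):
    """pop.request.command == "USER" || pop.request.command == "PASS"."""
    user = re.search(r"^USER\s+(\S+)", stream, re.M)
    password = re.search(r"^PASS\s+(\S+)", stream, re.M)
    if not (user and password):
        return None
    return (user.group(1), password.group(1))


def parse_imap(stream):
    """imap.request contains "login": <tag> LOGIN <user> <password>, quotes optional."""
    m = re.search(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\r\n]+)"?', stream, re.M | re.I)
    return (m.group(1), m.group(2)) if m else None


def parse_smtp_auth_plain(stream):
    """smtp.req.command == "AUTH": AUTH PLAIN is only Base64, not encryption."""
    m = re.search(r"^AUTH\s+PLAIN\s+(\S+)", stream, re.M | re.I)
    if not m:
        return None
    parts = base64.b64decode(m.group(1)).split(b"\x00")  # [authzid, authcid, passwd]
    if len(parts) < 3:
        return None
    return (parts[-2].decode(), parts[-1].decode())


PARSERS = {"http": parse_http_post, "pop3": parse_pop3,
           "imap": parse_imap, "smtp": parse_smtp_auth_plain}


def extract_credentials(streams):
    """Map protocol name -> (user, password) for every stream that leaks one."""
    found = {}
    for proto, stream in streams.items():
        creds = PARSERS[proto](stream)
        if creds:
            found[proto] = creds
    return found


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def identify_by_length(hex_digest):
    """Step 4 by hand: the digest length narrows the algorithm down but cannot
    separate MD5 from MD4/NTLM/LM, which is why the identifier lists all four."""
    return {32: ["MD5", "NTLM", "MD4", "LM"], 40: ["SHA-1"], 64: ["SHA-256"]}.get(len(hex_digest), [])


def crack_md5(target_hex, wordlist):
    """Straight wordlist attack (hashcat -m 0 -a 0): hash every candidate and
    compare. Returns the matching word or None."""
    target = target_hex.lower()
    for candidate in wordlist:
        if md5_hex(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    for proto, (user, password) in extract_credentials(SAMPLE_STREAMS).items():
        print(f"{proto:5} user={user!r} password={password!r}")
    wordlist = ["123456", "password", "qwerty", "simplepassword", "letmein"]  # stands in for rockyou.txt
    target = md5_hex("simplepassword")
    print(identify_by_length(target), "->", crack_md5(target, wordlist))
```

The parsers operate on the reassembled client side of a stream, which is what you get from Wireshark's Follow TCP Stream (or, in bulk, from tshark with the same display filters); the only hashing-specific part is crack_md5, so switching the digest function is all that is needed for the other 32-character candidates the identifier lists.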
Step 6. What if the traffic is encrypted and using HTTPS?
There are several answers to this question.
Option 1: Position yourself between the user and the server (a man-in-the-middle) and terminate the TLS connection yourself, so that the session key is negotiated with you. You cannot recover the session key simply by watching a genuine handshake; the client has to accept your certificate, which only happens if it trusts a CA you control or the user clicks through the certificate warning.
Option 2: Decrypt HTTPS traffic using the session-key log file that Firefox or Chrome can write. The browser must be configured to log its TLS keys (it does so when the SSLKEYLOGFILE environment variable points to a file; the linked example is for Firefox), and you must obtain that file. In practice that means stealing the key log from another user's disk (which is illegal). Then capture the traffic and use the logged keys to decrypt it.
Clarification: the browser in question is that of the person whose password is being stolen. If you want to decrypt your own HTTPS traffic in order to practise, this approach works. If you are trying to decrypt other users' HTTPS traffic without access to their computers, it will not work; that is exactly what the encryption and the locally kept key log are there to prevent.
After obtaining keys through option 1 or 2 (or the server's private key through option 3 below), register them in Wireshark:
Go to Edit - Preferences - Protocols - TLS (called SSL in older Wireshark versions).
Set the flag "Reassemble TLS records spanning multiple TCP segments" ("SSL records" in older versions).
For a key log file, set "(Pre)-Master-Secret log filename" to the path of the log.
For a server private key, click Edit next to "RSA keys list", fill in all fields and set the path to the key file.
Wireshark can use a server private key only when the cipher suite uses RSA key exchange. If the connection negotiated forward-secret key exchange (DHE/ECDHE), the server's private key does not decrypt the captured traffic and only the key log file from option 2 helps.
Option 3. Get access to the web server the user connects to and take its private key. This is even harder. In corporate networks this is done legitimately for debugging applications or content filtering, but not in order to intercept user passwords.
0 notes
Text
Security measures to protect an unmanaged VPS.
Virtual private servers have long been thought of as a next-generation shared hosting solution.
They use virtualization "tricks" to let you build your own hosting environment and be the master of your server at a fairly affordable price.
If you are well-versed in server administration, an unmanaged VPS will help you make the most of your virtual machine's capabilities.
However, are you well-versed enough in security as well?
Here is a Linux VPS security checklist, which comes courtesy of our Admin Department.
What exactly is an unmanaged VPS?
Before we move to the security checklist, letâs find out exactly what an unmanaged VPS is and what benefits it can bring to you.
With an unmanaged VPS, pretty much everything will be your responsibility.
Once the initial setup is complete, you will have to take care of server maintenance procedures, OS updates, software installations, etc. Data backups should be within your circle of competence as well.
This means that you will need to have a thorough knowledge of the Linux OS. What's more, you will have to handle any and all resource usage, software configuration and server performance issues.
Your host will only look into network- and hardware-related problems.
Why an unmanaged VPS?
The key advantages of unmanaged VPSs over managed VPSs are as follows:
- you will have full administrative power and no one else will be able to access your information;
- you will have full control over the bandwidth, storage space and memory usage;
- you will be able to customize the server to your needs specifically;
- you will be able to install any software you want;
- you will save some money on server management: it really isn't that hard to set up and secure a server if you apply yourself, and updating packages is very easy;
- you will be able to manage your server in a cost-efficient way without the need to buy the physical machine itself (you would have to if you had a dedicated server).
Unmanaged VPS: security checklist
With an unmanaged VPS, you will need to take care of your sensitive personal data.
Here is a list of the security measures that our administrators think are key to ensuring your server's and your data's health:
1. Use a strong password
Choosing a strong password is critical to securing your server. With a good password, you minimize your exposure to brute-force attacks. Security specialists recommend that your password be at least 10 characters long, and longer is better.
It should contain a mix of lower- and uppercase letters, numbers and special characters, and it should not include common words or personally identifiable information. Use a password that you use nowhere else, so that a breach at some other service does not hand an attacker the key to your server.
A strong password may be built from phrases, acronyms, nicknames, shortcuts and even emoticons. Examples of the pattern:
1tsrAIn1NGcts&DGS!:-) (It's raining cats and dogs!)
humTdumt$@t0nAwa11:-0 (Humpty Dumpty sat on a wall)
p@$$GOandCLCt$500 :-> (Pass Go and collect $500)
Treat these as patterns to imitate, not as passwords to copy: anything that has been published, including these examples, ends up in cracking wordlists.
2. Change the default SSH port
Modifying the default SSH port is a must-do security measure.
You can do that in a few quick steps:
- Connect to your server using SSH.
- Switch to the root user.
- Run the following command: vi /etc/ssh/sshd_config
- Locate the following line: # Port 22
- Remove the # and replace 22 with another port number (one not already in use; if you already run a firewall, open the new port in it first).
- Restart the sshd service: service sshd restart
Keep your current session open and test a fresh connection on the new port before logging out, so that a typo does not lock you out. Moving the port cuts down on automated scanning noise; it is not a substitute for the steps that follow.
3. Disable the root user login
The root user has unlimited privileges and can execute any command, including one that accidentally opens a backdoor for unwanted activity.
To prevent unauthorized root-level access to your server, disable direct root login over SSH and use a limited admin account that escalates to root only when needed.
Here is how you can add a new admin user that logs in over SSH and can then gain root privileges:
- Create the user, replacing admin with your desired username: adduser admin
- Set the password for the admin user account: passwd admin
- Grant it admin (sudo) privileges: echo 'admin ALL=(ALL) ALL' >> /etc/sudoers (safer: run visudo and add that line there, because visudo checks the syntax before saving and a broken sudoers file locks everyone out of sudo)
- Disconnect and log back in as the new user: ssh admin@<your server's IP address>
- Once logged in, confirm that you can become root: su - (enter the root password) or sudo -i (enter the admin user's password); whoami should then print root
- Only then disable the root login: edit /etc/ssh/sshd_config and change the line #PermitRootLogin yes to: PermitRootLogin no, then restart sshd as in step 2.
You will now be able to connect to your server via SSH using your new admin user account, and root can no longer be brute-forced directly.
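As an added example (not from the original post), the audit below checks an sshd_config for steps 2 and 3 and produces the hardened version the steps describe. It looks at top-level directives only (Match blocks are ignored), assumes the OpenSSH defaults listed in DEFAULTS when a directive is absent or commented out, and the PasswordAuthentication check goes beyond the checklist and is the editor's addition. The sample configuration is constructed, not copied from any real server.

```python
"""Audit and harden sshd_config for checklist steps 2 and 3.

Added example, not from the original post. Top-level directives only;
DEFAULTS are OpenSSH 7.0+ defaults (assumption); the PasswordAuthentication
check is an editor's addition beyond the checklist.
"""

# Constructed sample. Commented lines show defaults, as in the stock file.
SAMPLE_SSHD_CONFIG = """\
# Port 22
#AddressFamily any
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# Values sshd uses when the directive is absent (OpenSSH 7.0 or later).
DEFAULTS = {
    "Port": "22",
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
}

HARDENED = {
    "PermitRootLogin": "no",          # step 3
    "PasswordAuthentication": "no",   # keys only (editor's addition)
}


def parse_sshd_config(text):
    """Return the active (uncommented) top-level directives. sshd honours the
    first occurrence of a directive, so later duplicates are ignored here too."""
    active = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, _, value = stripped.partition(" ")
        active.setdefault(key, value.strip())
    return active


def audit_sshd_config(text):
    """List the settings that fail steps 2 and 3 (plus the keys-only check)."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["Port"] == "22":
        findings.append("Port 22: sshd still listens on the default port (step 2)")
    if cfg["PermitRootLogin"].lower() != "no":
        findings.append(f"PermitRootLogin {cfg['PermitRootLogin']}: direct root login allowed (step 3)")
    if cfg["PasswordAuthentication"].lower() != "no":
        findings.append("PasswordAuthentication yes: password logins can be brute-forced")
    return findings


def harden_sshd_config(text, new_port):
    """Rewrite the file: the first line for each directive (commented or not)
    becomes the hardened value, duplicates are dropped, missing ones are
    appended. This mirrors 'remove the # and replace 22' from step 2."""
    wanted = {"Port": str(new_port), **HARDENED}
    seen = set()
    out = []
    for line in text.splitlines():
        # First word after any leading '#' and spaces, so '# Port 22' is matched.
        key = line.lstrip("# ").split(" ", 1)[0] if line.strip() else ""
        if key in wanted:
            if key not in seen:
                out.append(f"{key} {wanted[key]}")
                seen.add(key)
            continue
        out.append(line)
    for key, value in wanted.items():
        if key not in seen:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("FAIL:", finding)
    hardened = harden_sshd_config(SAMPLE_SSHD_CONFIG, 2222)
    print(hardened)
    print("remaining findings:", audit_sshd_config(hardened))
```

After writing the hardened file, validate it with sshd -t, open the new port in your firewall, and only then restart sshd, keeping the existing session open until a new connection on the new port succeeds.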
4. Use a rootkit scanner
Use a tool like rkhunter (Rootkit Hunter) to scan the whole server daily for rootkits, backdoors and possible local exploits; you will receive the reports by email.
5. Disable compilers for non-root users (for cPanel users)
Disabling compilers for unprivileged users takes away a tool that many exploits need in order to be built on the target, and so adds an extra layer of security (it is not a substitute for patching).
From the WebHost Manager, you can deny compiler access to unprivileged (non-root) users with a click.
Just go to Security Center ->Compiler Access and then click on the Disable Compilers link:
Alternatively, you can keep compilers for selected users only.
6. Set up a server firewall
An iptables-based firewall front end like CSF (ConfigServer Firewall) lets you block public access to a given service.
You can permit connections only on the ports used by the services you actually run, for example FTP, IMAP, POP3 and SMTP (and, of course, the SSH port you chose in step 2).
CSF offers an advanced, yet easy-to-use interface for managing your firewall settings.
Here is a good tutorial on how you can install and set up CSF.
Once you've got CSF up and running, make sure you consult the community forums for advice on which rules or ready-made firewall configurations you should implement.
Keep in mind that most OSs come with a default firewall solution. You will need to disable it if you wish to take advantage of CSF.
7. Set up intrusion prevention
An intrusion prevention framework like Fail2Ban protects your server from brute-force attacks: it scans log files and temporarily bans IP addresses that have failed to log in too many times within a given time window.
Here's a good article on how to install and set up Fail2Ban on different Linux distributions.
You can also keep an eye on the Google+ Fail2Ban Users Community.
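As an added example (not from the original post and not Fail2Ban's own code), here is the core of what Fail2Ban's sshd jail does, in Python, replayed over a few constructed auth.log lines: count failed logins per source address inside a time window (findtime) and ban the address for bantime once it reaches maxretry. The thresholds are Fail2Ban's traditional defaults (5 failures within 600 seconds, 600-second ban); the log lines, host name, process IDs and the addresses (taken from the RFC 5737 documentation ranges) are all constructed.

```python
"""Fail2Ban-style brute-force detection over sshd log lines.

Added example, not Fail2Ban's own code. Log lines are constructed; the
addresses come from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 5                        # fail2ban default maxretry
FINDTIME = timedelta(seconds=600)   # failures must fall inside this window
BANTIME = timedelta(seconds=600)    # how long a ban lasts

# Matches sshd's failure line for both existing and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

SAMPLE_AUTH_LOG = [
    # A slow guesser: five failures, but four minutes apart (16 minutes in all)
    "Nov 10 22:50:00 vps sshd[1901]: Failed password for root from 203.0.113.9 port 4101 ssh2",
    "Nov 10 22:54:00 vps sshd[1905]: Failed password for root from 203.0.113.9 port 4110 ssh2",
    "Nov 10 22:58:00 vps sshd[1910]: Failed password for root from 203.0.113.9 port 4122 ssh2",
    "Nov 10 23:02:00 vps sshd[1916]: Failed password for root from 203.0.113.9 port 4131 ssh2",
    "Nov 10 23:06:00 vps sshd[1921]: Failed password for root from 203.0.113.9 port 4140 ssh2",
    # A burst from one address, interleaved with a legitimate admin
    "Nov 10 23:50:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 5222 ssh2",
    "Nov 10 23:50:05 vps sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 5230 ssh2",
    "Nov 10 23:50:12 vps sshd[2107]: Accepted publickey for admin from 198.51.100.7 port 50122 ssh2: ED25519 SHA256:constructed",
    "Nov 10 23:50:20 vps sshd[2110]: Failed password for root from 203.0.113.5 port 5241 ssh2",
    "Nov 10 23:50:33 vps sshd[2115]: Failed password for root from 203.0.113.5 port 5250 ssh2",
    "Nov 10 23:51:02 vps sshd[2120]: Failed password for admin from 198.51.100.7 port 50130 ssh2",
    "Nov 10 23:51:10 vps sshd[2122]: Failed password for invalid user test from 203.0.113.5 port 5260 ssh2",
    "Nov 10 23:51:15 vps sshd[2125]: Failed password for invalid user guest from 203.0.113.5 port 5266 ssh2",
]


def parse_failure(line, year):
    """Return (timestamp, ip) for a failed-login line, else None.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def detect_bans(lines, year=2014):
    """Replay the log and return [(ip, ban_time)] in the order bans occur."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside FINDTIME
    banned_until = {}
    bans = []
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned_until and ts < banned_until[ip]:
            continue   # the firewall rule would already be dropping this client
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > FINDTIME:
            window.popleft()   # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts))
            window.clear()
    return bans


def iptables_rules(bans):
    """A direct iptables rule per ban (Fail2Ban uses its own f2b-<jail> chain,
    but the effect on the client is the same)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip, _ in bans]


if __name__ == "__main__":
    bans = detect_bans(SAMPLE_AUTH_LOG)
    for ip, when in bans:
        print(f"{when:%b %d %H:%M:%S} ban {ip} for {int(BANTIME.total_seconds())}s")
    print("\n".join(iptables_rules(bans)))
```

The slow guesser never accumulates five failures inside the window and is not banned, which is the trade-off findtime makes: lower it and you ban faster but lose such attackers; raise it and a user who mistypes a few times over a day gets locked out. Fail2Ban's recidive jail exists for exactly the slow case.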
8. Enable real-time application security monitoring
ModSecurity, one of the most widely used real-time web application monitoring and access control solutions, gives you visibility into HTTP(S) traffic and lets you implement advanced protections.
ModSecurity is available from your Linux distribution's repository, so installing it is easy (Debian/Ubuntu with Apache):
apt-get install libapache2-modsecurity
Here's a quick guide on how to install and configure ModSecurity.
Once you've got ModSecurity up and running, you can download a rule set like CRS (OWASP ModSecurity Core Rule Set). This way you won't have to write the rules yourself.
9. Set up anti-virus protection
One of the most widely used anti-virus engines is ClamAV, an open-source solution for detecting Trojans, viruses, malware and other malicious threats. The scan reports will be sent to your email address.
ClamAV is available as a free cPanel plugin.
You can enable it from the Manage Plugins section of your WHM:
Just tick the "Install ClamAV and keep updated" checkbox and press the "Save" button.
10. Enable server monitoring
Install a log file scanner such as logcheck or logwatch. It parses your system logs and reports unusual events, such as unauthorized access to your server, so you notice an intrusion early. (A log scanner detects and reports; on its own it does not protect against DDoS attacks.)
Use software like Nagios or Monitis to run automatic service checks to make sure that you do not run out of disk space or bandwidth or that your certificates do not expire.
With a service like Uptime Doctor or Pingdom, you can get real-time notifications when your sites go down and thus minimize accidental downtime.
11. Run data backups
Make regular off-site backups to avoid the risk of losing data through accidental deletion.
You can place your trust in a third-party service like R1Soft or Acronis, or you can build your own simple backup solution using Google Cloud Storage and the gsutil tool.
If you are on a tight budget, you can keep your backups on your local computer; what matters is that they are off the server itself.
12. Keep your software up to date
Keeping your software up to date is the single biggest security precaution you can take.
Software updates range from minor bug fixes to critical vulnerability patches. You can enable automatic updates to save time.
However, keep in mind that automatic updates do not cover self-compiled applications. It's advisable to install an update in a test environment first to see its effect before deploying it to your live production environment.
Depending on your OS, you can use:
- yum-cron (CentOS)
- unattended-upgrades (Debian and Ubuntu)
- dnf-automatic (Fedora)
If you have not obtained an unmanaged VPS yet, you could consider our solutions:
- OpenVZ VPS packages: all setups from 4 to 10 are unmanaged and come with SSH/full root access (for cPanel setups only) and with a CentOS/Debian/Ubuntu OS installation;
- KVM VPS setups: all four setups are unmanaged and offer SSH/full root access; OS options include CentOS/Debian/Ubuntu as well as a few OS ISO alternatives like Fedora and FreeBSD.
via Blogger http://ift.tt/2AIEre3
0 notes