Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers

Chapter Wrap Up

Congratulations! We wrote quite a few tools in this chapter to analyze network traffic. We started by writing a rudimentary tool capable of detecting the Operation Aurora attack. Next, we wrote some scripts to detect the hacker group Anonymous’ LOIC toolkit in action. Following that, we replicated a program that seventeen-year-old H. D. Moore used to detect decoy network scans at the Pentagon. Next, we created some scripts to detect attacks that used DNS as a vector, including the Storm and Conficker worms. With the ability to analyze traffic, we replicated a two-decade-old attack used by Kevin Mitnick. Finally, we used our network analysis skills to craft packets that overwhelm an IDS.

Hopefully this chapter has provided you with excellent skillsets to analyze network traffic. This study will prove useful in the next chapter as we write tools to audit wireless networks and mobile devices.


Chapter 5
Wireless Mayhem with Python
Information in this chapter:

Sniffing Wireless Networks for Personal Information
Listening for Preferred Networks and Identifying Hidden Wireless Networks
Taking Control of Wireless Unmanned Aerial Vehicles
Identifying Firesheep in Use
Stalking Bluetooth Radios
Exploiting Bluetooth Vulnerabilities

Knowledge does not grow like a tree where you dig a hole, plant your feet, cover them with dirt, and pour water on them daily. Knowledge grows with time, work, and dedicated effort. It cannot come by any other means.

—Ed Parker, Senior Grand Master of American Kenpo

Introduction: Wireless (IN)Security and the Iceman

On September 5, 2007, the US Secret Service arrested a wireless hacker named Max Ray Butler (Secret Service, 2007). Also known as the Iceman, Mr. Butler sold tens of thousands of credit card accounts through a Website. But how did he collect this private information? Sniffing unencrypted wireless Internet connections proved to be one of the methods he used to gain access to credit card information. The Iceman rented hotel rooms and apartments using false identities. He then used high-power antennas to intercept communications to the hotel’s and nearby apartments’ wireless access points and capture the personal information of their guests (Peretti, 2009). All too often, media experts classify this type of attack as “sophisticated and complex.” Such a statement proves dangerous, as we can execute several of these attacks in short Python scripts. As you’ll see in the following sections, we can sniff for credit card information in less than 25 lines of code. But before we begin, let’s ensure we have our environment set up correctly.

Setting up Your Wireless Attack Environment

In the following sections, we will write code to sniff wireless traffic and send raw 802.11 frames. We will use a Hawking Hi-Gain USB Wireless-150N Network Adapter with Range Amplifier (HAWNU1) to create and test the scripts in this chapter. The default drivers for this card on Backtrack 5 allow a user to place it into monitor mode as well as transmit raw frames. Additionally, it contains an external antenna connection that allows us to attach a high-powered antenna to the card.

Our scripts require the ability to place the card into monitor mode in order to passively listen for all wireless traffic. Monitor mode delivers raw 802.11 frames rather than the Ethernet-style frames the driver hands you in Managed mode. This allows you to see beacons and the other 802.11 management frames even if you are not associated with a network.

Testing Wireless Capture with Scapy

To place the card into monitor mode, we use the aircrack-ng suite of tools written by Thomas d’Otreppe. iwconfig lists our wireless adapter as wlan0. Next, we run the command airmon-ng start wlan0 to start it in monitor mode. This creates a new adapter known as mon0.

 attacker# iwconfig wlan0
 wlan0 IEEE 802.11bgn ESSID:off/any
   Mode:Managed Access Point: Not-Associated
   Retry long limit:7 RTS thr:off Fragment thr:off
   Encryption key:off
   Power Management:on
 attacker# airmon-ng start wlan0
 Interface Chipset  Driver
 wlan0   Ralink   RT2870/3070  rt2800usb - [phy0]
       (monitor mode enabled on mon0)

Let’s quickly test that we can capture wireless traffic after placing the card into monitor mode. Notice that we set our conf.iface to the newly created monitoring interface, mon0. Upon hearing each packet, the script runs the procedure pktPrint(). This procedure prints a message if the packet contains an 802.11 Beacon, an 802.11 Probe Request, a TCP packet, or DNS traffic.

 from scapy.all import *

 def pktPrint(pkt):
     # Classify each captured frame by the first layer of interest it carries
     if pkt.haslayer(Dot11Beacon):
         print('[+] Detected 802.11 Beacon Frame')
     elif pkt.haslayer(Dot11ProbeReq):
         print('[+] Detected 802.11 Probe Request Frame')
     elif pkt.haslayer(TCP):
         print('[+] Detected a TCP Packet')
     elif pkt.haslayer(DNS):
         print('[+] Detected a DNS Packet')

 # Sniff on the monitor-mode interface created by airmon-ng
 conf.iface = 'mon0'
 sniff(prn=pktPrint)

After firing up the script we see quite a bit of traffic. Notice that the traffic includes 802.11 Probe Requests from clients looking for networks, 802.11 Beacon Frames from access points advertising themselves, and a DNS and a TCP packet. At this point we know that our card works.

 attacker# python test-sniff.py
 [+] Detected 802.11 Beacon Frame
 [+] Detected 802.11 Beacon Frame
 [+] Detected 802.11 Beacon Frame
 [+] Detected 802.11 Probe Request Frame
 [+] Detected 802.11 Beacon Frame
 [+] Detected 802.11 Beacon Frame
 [+] Detected a DNS Packet
 [+] Detected a TCP Packet
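The scapy test script above tells you which layer it matched, but not how Dot11Beacon and Dot11ProbeReq are told apart. The following added example (written for this page, not code from the book) does that dispatch by hand in pure Python, with no scapy and no wireless card: it parses the radiotap header and the 802.11 Frame Control field, extracts the SSID tagged parameter, and flags beacons whose SSID is empty, which is what a hidden network looks like in a capture (a topic this chapter lists). The frames are constructed inline for the example, the MAC addresses are made up, and the parser assumes the 3-address 802.11 header (4-address and QoS data frames have a longer header).

```python
import struct

# Constructed sample frames (not real captures): a minimal radiotap header
# followed by an 802.11 frame, the layout a monitor-mode interface such as
# mon0 hands to a sniffer. Addresses are made-up, locally administered values.
RADIOTAP = b"\x00\x00\x08\x00\x00\x00\x00\x00"  # version 0, header length 8, no fields
BROADCAST = b"\xff" * 6
AP_MAC = bytes.fromhex("02aabbccddee")
HIDDEN_AP_MAC = bytes.fromhex("020f0e0d0c0b")
CLIENT_MAC = bytes.fromhex("021122334455")
RATES = b"\x82\x84\x8b\x96"  # supported rates 1, 2, 5.5, 11 Mbit/s

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 4, 5, 8


def _dot11_header(fc0, addr1, addr2, addr3):
    """24-byte 802.11 header: frame control, duration, three addresses, sequence."""
    return struct.pack("<BBH", fc0, 0x00, 0) + addr1 + addr2 + addr3 + struct.pack("<H", 0)


def _tag(tag_id, payload):
    """One tagged parameter (information element): id, length, value."""
    return struct.pack("BB", tag_id, len(payload)) + payload


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


# fc0 = subtype << 4 | type << 2: beacon 0x80, probe request 0x40, data 0x08
BEACON = RADIOTAP + _dot11_header(0x80, BROADCAST, AP_MAC, AP_MAC) \
    + struct.pack("<QHH", 0, 100, 0x0411) + _tag(0, b"CoffeeShop") + _tag(1, RATES)
HIDDEN_BEACON = RADIOTAP + _dot11_header(0x80, BROADCAST, HIDDEN_AP_MAC, HIDDEN_AP_MAC) \
    + struct.pack("<QHH", 0, 100, 0x0411) + _tag(0, b"") + _tag(1, RATES)
PROBE_REQ = RADIOTAP + _dot11_header(0x40, BROADCAST, CLIENT_MAC, BROADCAST) \
    + _tag(0, b"HomeNet") + _tag(1, RATES)
DATA_FRAME = RADIOTAP + _dot11_header(0x08, AP_MAC, CLIENT_MAC, AP_MAC) \
    + b"\xaa\xaa\x03" + b"\x00" * 13  # LLC/SNAP header plus padding
SAMPLE_FRAMES = [BEACON, HIDDEN_BEACON, PROBE_REQ, DATA_FRAME, b"\x00\x00"]


def _ssid_from_tags(tags):
    """Walk the tagged parameters; return (ssid, hidden). Stops at a truncated element."""
    off = 0
    while off + 2 <= len(tags):
        tag_id, tag_len = tags[off], tags[off + 1]
        value = tags[off + 2: off + 2 + tag_len]
        if len(value) < tag_len:
            break  # element claims more bytes than remain; do not read past the buffer
        if tag_id == 0:
            # Hidden networks advertise a zero-length or all-NUL SSID element
            if value.strip(b"\x00") == b"":
                return "", True
            return value.decode("utf-8", "replace"), False
        off += 2 + tag_len
    return None, False


def parse_frame(buf):
    """Classify one radiotap+802.11 frame. Returns None for truncated input."""
    if len(buf) < 4:
        return None
    rt_len = struct.unpack_from("<H", buf, 2)[0]  # radiotap length, little-endian
    if rt_len < 8 or len(buf) < rt_len + 24:
        return None
    fc0 = buf[rt_len]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {"type": ftype, "subtype": subtype,
            "source": _mac(buf[rt_len + 10: rt_len + 16]),
            "kind": "other", "ssid": None, "hidden": False}
    body = buf[rt_len + 24:]  # assumes the 3-address header
    if ftype == TYPE_MGMT and subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        info["kind"] = "beacon" if subtype == SUBTYPE_BEACON else "probe_response"
        # 12 fixed bytes (timestamp, interval, capabilities) precede the tags
        info["ssid"], info["hidden"] = _ssid_from_tags(body[12:])
    elif ftype == TYPE_MGMT and subtype == SUBTYPE_PROBE_REQ:
        info["kind"] = "probe_request"
        info["ssid"], _ = _ssid_from_tags(body)  # empty SSID here is a wildcard probe
    elif ftype == TYPE_DATA:
        info["kind"] = "data"
    return info


def summarize(frames):
    """Count frames by kind and collect the source MACs of hidden-SSID beacons."""
    counts, hidden_aps = {}, set()
    for frame in frames:
        info = parse_frame(frame)
        kind = info["kind"] if info else "malformed"
        counts[kind] = counts.get(kind, 0) + 1
        if info and info["hidden"]:
            hidden_aps.add(info["source"])
    return counts, hidden_aps


if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        info = parse_frame(frame)
        if info:
            print("[+] %s from %s ssid=%r" % (info["kind"], info["source"], info["ssid"]))
        else:
            print("[-] malformed frame")
    print(summarize(SAMPLE_FRAMES))
```

The bit layout in parse_frame is the same test scapy performs when you call pkt.haslayer(Dot11Beacon): type 0 (management) with subtype 8, versus subtype 4 for a probe request. Feeding real frames through it only needs a source of radiotap-framed bytes, for example the raw bytes of each packet scapy's sniff() returns on mon0.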

Installing Python Bluetooth Packages

We will cover some Bluetooth attacks in this chapter. To write Python Bluetooth scripts, we will use the Python bindings to the Linux BlueZ Application Programming Interface (API) and the obexftp API. Use apt-get to install both bindings on Backtrack 5.

 attacker# sudo apt-get install python-bluez bluetooth python-obexftp
 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
 <..SNIPPED..>
 Unpacking bluetooth (from .../bluetooth_4.60-0ubuntu8_all.deb)
 Selecting previously deselected package python-bluez.
 Unpacking python-bluez (from .../python-bluez_0.18-1_amd64.deb)
 Setting up bluetooth (4.60-0ubuntu8) ...
 Setting up python-bluez (0.18-1) ...
 Processing triggers for python-central .

Additionally, you will need access to a Bluetooth device. Most Cambridge Silicon Radio (CSR) chipsets work fine under Linux. For the scripts in this chapter, we will use a SENA Parani UD100 Bluetooth USB Adapter. To test whether the operating system recognizes the device, run the hciconfig command. This prints out the configuration details for our Bluetooth device.

 attacker# hciconfig
 hci0: Type: BR/EDR Bus: USB
   BD Address: 00:40:12:01:01:00 ACL MTU: 8192:128
   UP RUNNING PSCAN
   RX bytes:801 acl:0 sco:0 events:32 errors:0
   TX bytes:400 acl:0 sco:0 commands:32 errors:0

In this chapter, we will both intercept and forge Bluetooth frames. I’ll mention this again later in the chapter, but it is important to know that Backtrack 5 r1 comes with a glitch—it lacks the necessary kernel modules to send raw Bluetooth packets in the compiled kernel. For this reason, you need to either update your kernel or use Backtrack 5 r2.

The following sections will prove exciting. We will sniff credit cards and user credentials, take over a UAV remotely, identify wireless hackers, and stalk and exploit Bluetooth devices. Please always check the applicable laws concerning the passive and active interception of wireless and Bluetooth transmissions.
