Tuesday, March 12, 2013

Sniffing Traffic on the Wire with a Hardware Tap

By JP Dunning.

Capturing network traffic is a great way to learn more about a target network, harvest credentials, and even monitor user habits. In the Wi-Fi world, it’s easy: simply specify a channel and set the wireless card to monitor mode (assuming driver support). However, capturing traffic on a wired network is a little trickier. In this article we’ll walk through setting up a LAN tap and capturing traffic with it.

Software Taps

There are a variety of options for sniffing traffic via software on a wired network - Wireshark is probably the most common choice for a free and powerful network sniffer. If you are logged onto the computer, install Wireshark and select a capture interface.

If the target has been exploited remotely with Metasploit, Meterpreter can capture local traffic with the sniffer script. Though, there is a chance it may be picked up by Anti-Virus and it will most likely also be capturing Meterpreter’s traffic. In addition, sniffing network traffic on most Operating Systems requires Administrative privileges. So, how else can the network traffic be captured?

Hardware Taps

How about instead of using the host computers software, we tap directly into hardware. A Network Tap is hardware which taps into the physical connection between devices on a network. Taps are sometimes used by network engineers when debugging network issues. Some professional Port Mirroring TAPs can be fairly expensive.

Thowing Star LAN Tap

A cheaper alternative is to use a basic LAN tap, like the Throwing Star LAN Tap. When in place on the network, the LAN tap passively allows traffic to pass though unaltered. Think of it as a standard Ethernet coupler. What differentiates the LAN tap from a normal coupler are the two additional ports which tap the inbound and outbound traffic on the network cable.

NOTE: This hardware is designed to be used on 10BASET and 100BASET networks (which are still in use in the vast majority of networks).

Setting up Hardware

The setup requires the following:

  • 1 LAN tap
  • 1 computer to sniff the traffic
  • 4 network cables (including the one is already connected to the target computer)
  • 2 network interfaces (for sniffing)

The LAN tap is not a complex machine, in fact it is essential just a few wires and jacks. A computer needs to be in place to capture from the LAN tap. (I recommend something small like a plug computer, UMPC, or ultabook). Since most laptops do not come with more than one Ethernet interface, pick up a few USB Ethernet adapters to use for capturing.

There are four ports on the LAN tap. Two ports (J1 and J2) pass traffic unaltered two devices on the network. The other two ports (J3 and J4) are the monitoring ports. These ports physically connect to the inbound and outbound traffic wires of the network cable, but do not allow traffic to be transmitted on the network. Tapping passively keeps a misconfiguring interface on the sniffing computer from accidentally sending traffic on the network.

Connecting Components

Setting up the LAN tap should only take a few minutes once all the equipment is on hand. If you move quickly, the target computer should only have a few seconds of interruption from the network. Most operating systems and services should handle a temporary network outage with little issue. (Though it may cause issues with some real time network services).

For a quick installation:
  1. Connect an Ethernet cable to each of the 2 monitoring ports (J3 and J4) and 1 LAN port (J1). This leaves one port (J2) open.
  2. Connect the network cables from J3 and J4 to Ethernet jacks on the sniffing computer. These will be the Ethernet USB adapters (or any space Ethernet jacks) mentioned earlier.
  3. Disconnect the network cable from the target computer. (It does not really matter at which end of the network cable the tap is placed. If it is more convenient to place the tap closer to the router, then unplug the cable from the router instead.)
  4. Connect the cable plugged into J1 to the now open port on the target computer (or router). Then, connect the network cable (previously connected to the target computer) to J2.

Now all the hardware is in place to start capturing. The connection to the network should be restored. (If the connection is still down, make sure all the cables are plugged into the correct ports.) From this point on, the presence of the LAN tap will not be detectable by the target computer or network (other than a slight loss in power).

Unlike monitoring traffic on local network ports, the LAN tap requires capturing inbound and outbound traffic on two separate ports. Sniffing this traffic will create two separate capture file, one for each interface.

Capturing Traffic

After you are done sniffing, the two captures can be combined into one network flow. mergecap is a tool which can combine two captures according to the frame timestamps of each packet. This means that packets from both capture files will be placed in order according to the time at which they appeared on the network. mergecap is a part of Wireshark, but may need to be manually installed from a repository.

 root@bt:~# sudo apt-get install mergecap

I put together the lantapcap.sh script to automate the capture and merging process. It configures two interfaces to capture passive traffic from the LAN tap, and then combine the two captures into a single net flow. Copy and paste the following into your favorite text editor and save as lantapcap.sh.

I've also uploaded a copy here:

# lantapcap.sh


printf "\nUse LanTapCap for capturing network traffic with a LAN Tap\n"
printf "\nInterfaces:\n\n"
ifconfig -a | grep "Link encap:" | awk '{print $1}'

printf "\nSpecify interfaces for sniffing."
printf "\nInterface 1 of 2 [eth0]: "
read NET0

printf "Interface 2 of 2 [eth1]: "
read NET1

printf "Packet capture name [Capture]: "

printf "\nDisable interfaces ...\n\n"
ifconfig $NET0 down
ifconfig $NET1 down                                                                                                                                                                             

printf "Enable interfaces ...\n\n"
ifconfig $NET0 up
ifconfig $NET1 up

printf "Set interfaces to promiscuous mode ...\n\n"
ifconfig $NET0 promisc
ifconfig $NET1 promisc

sleep 1

printf "Starting capturing ...\n\n"

sleep 1

xterm -bg blue -fg white -geometry 90x10-0+0 -T "Capturing on $NET0" -e tcpdump -i $NET0 -w $CAPNAME-$NET0.pcap -v &

sleep 2

xterm -bg blue -fg white -geometry 90x10-0+120 -T "Capturing on $NET1" -e tcpdump -i $NET1 -w $CAPNAME-$NET1.pcap -v &

sleep 2

printf "\n\nPress ANY KEY to end capturing.\n\n"

printf "Produced capture file $CAPNAME-$NET0.pcap from $NET0\n\n"
printf "Produced capture file $CAPNAME-$NET1.pcap from $NET1\n\n"

printf "Halting captures ...\n\n"

if [[ ! -z $(pidof tcpdump) ]]; then kill $(pidof tcpdump); fi

printf "Merging captures ...\n\n"
mergecap $CAPNAME-$NET0.pcap $CAPNAME-$NET1.pcap -w $CAPNAME-Full.pcap

printf "Disable interfaces ...\n\n"
ifconfig $NET0 down
ifconfig $NET1 down

printf "Produced capture file $CAPNAME-$NET0.pcap from $NET0\n\n"
printf "Produced capture file $CAPNAME-$NET1.pcap from $NET1\n\n"
printf "Produced capture file $CAPNAME-Full.pcap from merging captures\n\n"
printf "... done\n"

Run the script with root privileges. Provide the two sniffing Ethernet interfaces when prompted.
 root@bt:~# ./lantapcap.sh

Click back into the main terminal.

When you are done capturing traffic, hit any key in the original terminal. This will stop the capturing and merge the capture files.

Unplug cables from the LAN tap and plug the original network cable back into the target computer. Again, this will cause a momentary drop in network connectivity.

Now, feel free to examine the traffic any way you like. All three capture files can be parsed by network analysis tools like Wireshark.


Tuesday, March 5, 2013

Unreal Tournament 99 Server On Ubuntu 12.04 (AWS)

By Brad Antoniewicz.

We do a lot of "team building" at Foundstone - it comes in all varieties. This week's activity was an Unreal Tournament LAN Party, and I figured I'd share the setup in case anyone else wanted to do the same - not particularly security related but still fun :)

Initially I created a dedicated Ubuntu VM however it didn't scale well over our internal VPN with various users, so instead I opt'ed for an Amazon Web Services based system.

Keep in mind this configuration is intended to use on a temporary, as needed, basis. Also this is a non-critical server on an open network. If your situation is different or you intend to host a game for not so trusted people, you might want to check out some UT99 Admin forums for additional anti-cheating and general security protections for dedicated UT servers.

Creating the Instance

The EC2 instance configuration is pretty straightforward. Use the Classic Wizard:

Select "Ubuntu Server 12.04.1 (LTS)", be sure to select 32-bit or you'll run into some problems later on.

I selected "No preference" for the geographic region in which the instance resides since we'll be having users join globally.

Also set any advanced preferences, which I left default.

The storage configuration doesn't really matter since it's just a temporary use server.

Set tags if you wish, since I dont have many AWS instances, I don't have much use for them so I left blank:

Create your SSH keys so you can remotely connect or use existing ones. I created a special key pair for this server:

Firewall Rules

The next thing you'll need to do is set up firewall rules. The default requirement is UDP 7777, which may work for you. In the end, I used a different port to help us get around any outbound filtering that might be in place on the various networks our players would be originating from. You'll also need to allow TCP22 for management.

Elastic IP

Finally, reserve and associate an Elastic IP to the instance so that your users don't have to use a long hostname when defining your server (within "Open Location" in the game).

Ubuntu Configuration

For the most part will be following the configuration detailed on the Ubuntu help pages. With the instance created, you'll need to SSH into it to perform additional configuration. Using you SSH key (I named mine utt9.pem) connect the provided in the details of your newly created instance:

 user@somehost:~$ mv ut99.pem ~/.ssh/
 user@somehost:~$ chmod 400 ~/.ssh/ut99.pem
 user@somehost:~$ ssh -i ~/.ssh/ut99.pem ubuntu@your.amazon.instance.host.com

Once connected, you'll need to install some packages so that everything runs smoothly:

 ubuntu@aws:~$ sudo apt-get update
 ubuntu@aws:~$ sudo apt-get install unrar-free libsm-dev libxi6

Also the installation requires libgtk-1.2 which is long outdated. You can use older binary packages to get things working:

 ubuntu@aws:~$ wget https://launchpad.net/ubuntu/+source/glib1.2/1.2.10-19build1/+build/462715/+files/libglib1.2ldbl_1.2.10-19build1_i386.deb
 ubuntu@aws:~$ wget https://launchpad.net/ubuntu/+source/gtk+1.2/1.2.10-18.1build2/+build/484191/+files/libgtk1.2_1.2.10-18.1build2_i386.deb
 ubuntu@aws:~$ wget https://launchpad.net/ubuntu/+source/gtk+1.2/1.2.10-18.1build2/+build/484191/+files/libgtk1.2-common_1.2.10-18.1build2_all.deb
 ubuntu@aws:~$ sudo dpkg -i libglib1.2ldbl_1.2.10-19build1_i386.deb
 ubuntu@aws:~$ sudo dpkg -i libgtk1.2-common_1.2.10-18.1build2_all.deb
 ubuntu@aws:~$ sudo dpkg -i libgtk1.2_1.2.10-18.1build2_i386.deb
 ubuntu@aws:~$ sudo ldconfig

Installation CDs

If you don't have your original installation ISOs, life will be painful until you find them. However once you do, mount them both at the same time (the installation will automatically detect them or prompt you to mount):

 ubuntu@aws:~$ mkdir m1 m2
 ubuntu@aws:~$ sudo mount -o loop UT-GOTY-CD1.iso m1
 ubuntu@aws:~$ sudo mount -o loop UT-GOTY-CD2.iso m2

The Linux Installers for Linux Gamers project offers tons of ways to play older OpenGL based games on Linux. They have a specific page dedicated to UT99. Go there and download the multilanguage installer and the bonus pack. Even if you're using the GOTY (Game of the Year) edition, don't use the GOTY specific installer because it doesn't ever seem to work. Download the following:

With your ISOs mounted and the installers downloaded, start the installation. You can take all of the default options and be fine:

 ubuntu@aws:~$ chmod +x unreal.tournament_436-multilanguage.run
 ubuntu@aws:~$ sudo ./unreal.tournament_436-multilanguage.run

Also install the bonus pack and use its default options:

 ubuntu@aws:~$ chmod +x unreal.tournament.official.bonus.pack.collection.run
 ubuntu@aws:~$ sudo ./unreal.tournament.official.bonus.pack.collection.run

For whatever reason the maps are all compressed and won't work until you decompress them. To do so just:
 ubuntu@aws:~$ cd /usr/local/games/ut/System
 ubuntu@aws:/usr/local/games/ut/System$ for i in ../Maps/*.uz ; do sudo ./ucc-bin decompress $i -nohomedir ; done
 ubuntu@aws:/usr/local/games/ut/System$ sudo mv *.unr ../Maps

You're Done! Now you can start the game:

 ubuntu@aws:~$ cd /usr/local/games/ut/System
 ubuntu@aws:/usr/local/games/ut/System$ ./ucc-bin server DM-Turbine

Alternatively, you can use the ucc binary that gets installed as part of the Loki installer.

 ubuntu@aws:~/$ ucc server


The /usr/local/games/ut/System/UnrealTournament.ini file contains all of the server configuration. When you run it as a non-root user (preferred) it'll use the one within ~/.loki/ut/System/UnrealTournament.ini. The easy items you'll want to set are:

ServerName=Foundstone Server
MOTDLine1=Your Mom is So Hawt!

I've also set the following to hopefully speed up connections:


And finally, i set up some initial bots to keep the game interesting plus some frag/time limits:



What settings do you like to use in your UnrealTournament.ini? Let us know in the comments below!