Exercise 4: Performing Man-in-the-Middle Attack using Cain & Abel
Scenario
Unlike a hub-based network, a switch-based network does not deliver every frame to every port, so passively sniffing from one host does not capture traffic flowing between two other hosts. Most networks today are switch-based.
At this point, attackers implement techniques such as ARP poisoning/MITM to capture clear-text traffic flowing between two machines in a network.
MITM is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
MITM attacks come in many variations and can be carried out on a switched LAN.
As a penetration tester, you need to know how to capture plain-text traffic in a switch-based network.
In this lab, you will learn how to:
- Perform ARP Poisoning
- Launch a Man-in-the-Middle attack
- Sniff a network for passwords
Lab Duration: 25 Minutes
- Select Windows Server 2012 (Internal Network) from the Resources pane. Go to Commands and click Ctrl+Alt+Delete.
- In the logon box enter the following credentials and press Enter:
User Name: Administrator
Password: Pa$$w0rd
You can use the Type Password option from the Commands menu to enter the password.
- Navigate to E:\ECSAv10 Module 06 Network Penetration Testing Methodology-Internal\Cain & Abel and double-click ca_setup.exe.
Follow the steps to install Cain & Abel.
- The WinPcap Installation pop-up appears during the Cain & Abel installation. Click Don’t install.
- Once the installation is completed, launch the Cain & Abel application by double-clicking its shortcut icon on the desktop.
- The main window of Cain & Abel appears as shown in the screenshot.
- To configure the Ethernet card, click Configure from the menu bar.
- The Configuration Dialog window appears.
The window consists of several tabs. Click the Sniffer tab to select the sniffing adapter.
Select the Adapter associated with the IP address 172.20.20.123, click Apply and OK.
- Click Start/Stop Sniffer (second icon from left) on the toolbar to begin sniffing.
If a Cain Warning pop-up appears, click OK.
- Now click the Sniffer tab, then click the Plus (+) icon (or right-click in the window and select Scan MAC Addresses) to scan the network for hosts.
- The MAC Address Scanner window appears. Click on the Range radio button, enter the range (172.20.20.2 - 172.20.20.20) and click OK.
Cain & Abel starts scanning for MAC addresses and lists all those found.
- After scanning is completed, a list of detected MAC addresses is displayed as shown in the screenshot.
- Click the APR tab at the lower end of the window.
- Click anywhere in the topmost section of the right pane to activate the + icon.
- Click the Plus (+) icon; the New ARP Poison Routing window opens, from which we can add the IP addresses whose traffic we want to listen to.
- To monitor the traffic between two computers, select 172.20.20.12 (FTP Server Subnet D) and 172.20.20.9 (Advertisement Dept. Subnet D). Click OK.
In this lab, we are going to log in to the FTP server from the Advertisement Dept. Subnet D machine.
- Select the added IP address in the Configuration/Routed packets, and click the Start/Stop APR (third icon from left) icon.
Cain begins ARP poisoning between these machines.
- Log on to Advertisement Dept. Subnet D and sign in as Administrator.
To do this, select the Advertisement Dept. Subnet D machine from the Resources pane. Go to Commands and click Ctrl+Alt+Delete.
- Select Administrator user in the login window.
- In the logon box, enter the password Pa$$w0rd and press Enter.
- Click on the Close button at the top right corner of the Server Manager window.
- Now launch a command prompt in the machine, type ftp 172.20.20.12 (IP address of FTP Server Subnet D machine) and press Enter.
When prompted for the Username, type "Martin" and press Enter.
When prompted for the password, type "mystery" and press Enter.
- Switch back to the Windows Server 2012 (Internal Network) machine by selecting it from the Resources pane. You will observe that Cain & Abel has captured some packets, which are counted under the Packets field.
- Click the Passwords tab in the Cain & Abel GUI.
Select FTP from the left pane under the Passwords section.
You will observe the credentials being captured by Cain & Abel as shown in the screenshot.
- This way, you have successfully captured user credentials traversing the network in clear text.
In this lab, you have learned how to capture user credentials in a switch-based network.
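Seen from the defender's side, the APR step in this lab leaves a trace in the victim's ARP cache: the FTP server's IP (172.20.20.12) starts resolving to the same MAC as the Cain & Abel host (172.20.20.123). The following is an added example, not part of the original lab: it parses two Windows `arp -a` snapshots taken on 172.20.20.9 and reports changed bindings and MACs shared by several IPs. The MAC addresses, the snapshots and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# One data row of Windows `arp -a` output: IP, dash-separated MAC, entry type.
ARP_ROW = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})"
    r"[ \t]+(?:dynamic|static)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

def parse_arp_table(text):
    """Return {ip: mac} for the unicast entries in `arp -a` output."""
    table = {}
    for ip, mac in ARP_ROW.findall(text):
        mac = mac.lower()
        if int(mac[:2], 16) & 1:   # group bit set: broadcast or multicast
            continue
        table[ip] = mac
    return table

def find_poisoning(baseline, current):
    """Compare two {ip: mac} tables and report ARP-poisoning indicators."""
    findings = []
    for ip, mac in sorted(current.items()):
        known = baseline.get(ip)
        if known and known != mac:             # IP now answers from a new MAC
            findings.append(("binding-changed", ip, known, mac))
    owners = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:                       # one NIC claims several IPs
            findings.append(("mac-shared", mac, sorted(ips)))
    return findings

# Constructed `arp -a` snapshots from 172.20.20.9; MAC addresses are made up.
BASELINE = """Interface: 172.20.20.9 --- 0xc
  Internet Address      Physical Address      Type
  172.20.20.12          02-00-00-00-00-0c     dynamic
  172.20.20.123         02-00-00-00-00-7b     dynamic
  172.20.20.255         ff-ff-ff-ff-ff-ff     static
"""
# After APR starts, the FTP server's IP resolves to the Cain host's MAC.
POISONED = BASELINE.replace("02-00-00-00-00-0c", "02-00-00-00-00-7b")

if __name__ == "__main__":
    for finding in find_poisoning(parse_arp_table(BASELINE),
                                  parse_arp_table(POISONED)):
        print(finding)
```

The "mac-shared" check only fires when the poisoning host's own IP is also in the cache; the "binding-changed" check needs a baseline captured before the poisoning began.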