Sniffjoke Antisniffing Framework & Tool For Session Scrambling

What is sniffjoke?

SniffJoke is an application for Linux that handle transparently your TCP connection, delaying, modifying and injecting fake packets inside your transmission, make them almost impossible to be correctly read by a passive wiretapping technology (IDS or sniffer).

An Internet client running SniffJoke injects in the transmission flow some packets able to seriously disturb passive analysis like sniffing, interception and low level information theft. No server support is needed!

The internet protocols have been developed to allow two elements to communicate, not some third-parts to intercept their communication. This will happen, but the communication system has been not developed with this objective. SniffJoke uses the network protocol in a permitted way, exploiting the implicit difference of network stack present in an operating system respect the sniffers dissector.

How Does It Work?

It works only under Linux (at the moment), creates a fake default gateway in your OS (the client or a default gateway) using a TUN interface check every traffic passing thru it, tracks every session and
applyies two concepts: the scramble and the hack.

The scramble is the technology to bring:

A sniffer to accept as true a packet who will be discarded by the server, or
A sniffer to drop a packet who will be accepted by the server.

The scramble technology brings in desynchronisation between the sniffer flow and the real flow.

The bogus packet accepted by the sniffer is generated by the “plugin” is a C++ simple class, which in a pseudo statefull tracking will forge the packet to be injected inside the flow. is pretty easy to develop

anew one, and if someone wants to make research on sniffers attack (or fuzzing the flow searching for bugs) need to make the hand inside its.

The configuration permits to define blacklist/whitelist ip address to scramble, a degree of aggressivity for each port, which plugin will be used.

Download SniffJoke here: sniffjoke-0.4.1.tar.bz2

Introduction to Penetration Testing

This article is just to give you the Basic knowledge and making you understand the Fundamentals of Penetration Testing


Goal of this Article 

q 

• An overview of how Vulnerability Assessment (VA) & Penetration Testing (PT) is done
• qDefining scope of the assessment
• qTypes of Penetration Testing
• qA brief understanding on how Buffer Overflow works
• qHow vulnerabilities are scanned and exploited
• qWhat are the end results
• qWhat a Penetration Testing Report should contain  

                                           Differentiating VA and PT

Vulnerability Assessment (VA)

In this case the security auditor has to only scan for the vulnerabilities in the server or application and filter out the false positives from the scan output by mapping them with the actual vulnerabilities associated with the target host.

VA Scope Includes:

• The VA test can be done both internally and externally

• No vulnerabilities are exploited

• No dangerous attacks like DOS and Buffer Overflow attacks are used

• Automated vulnerability scanning tools line Nessus, Retina or ISS are used 

Penetration Testing (PT)

In this case the security auditor or the penetration tester not only has to scan for the vulnerabilities in the server or application but also has to exploit them to gain access to the remote server.

PT Scope Includes:

• The PT test is done both internally and externally

• Vulnerabilities are exploited

• Dangerous attacks like DOS and Buffer Overflow attacks are used depending upon 

  the customer’s willingness to do so

• Automated vulnerability scanning tools and as well as exploits are used 

                                 

             Types Of Penetration Testing

Black Box Penetration Testing

• Pen tester has no previous knowledge of the remote network

• • Simulating  a real world hacking by a hacker who has no knowledge 

         (E.g. Operating System running,  application running, device type and

          network topology etc..) of the remote network environment 

White Box Penetration Testing

• • Have the   knowledge of the remote network
• •Type of Pen tester network devices (i.e. Cisco gear, TCP/IP),
• •WebServer details (i.e., Apache/*nix or Apache/Win2k),
• •Operating System type (i.e., Windows/*nix),
• •Database platform (i.e., Oracle or MS SQL),
• •Load balancers (i.e. Alteon),
• Firewalls (i.e. Cisco PIX).. etc
• •Simulating  a attack by a hacker who is having a detailed knowledge of the remote network environment  

 

                  Scope Of Penetration Testing

Non-Destructive Test

• •Scans the remote hosts for possible vulnerabilities
• •Analyze and confirm the findings
• •Map the vulnerabilities with proper exploits
• •Exploit the remote system with proper care to avoid disruption of service
• •No highly critical Denial of Service (DoS) attack is tried

Destructive Test

• •Scans the remote hosts for possible vulnerabilities
• • Analyze and confirm the findings
• • Map the vulnerabilities with proper exploits
• •All highly critical Denial of Service (DoS) attacks (e,g like buffer overflows are tried

                                           ~~~ Moving On To Penetration Testing ~~~

Penetration testing includes some steps ... 

• qFingerprinting or Footprinting
• qNetwork Information Gathering
• qSurveying / Network Mapping
• qPorts Scanning and Services Identification
• qEvading Firewall Rules
• qAutomated Vulnerability Scanning
• qExploiting Services for Known Vulnerabilities
• qExploiting Web-Based Authorization
• qPassword Cracking / Brute Forcing
• qDenial of Services (DoS) Testing
• qEscalation of Privileges

                                   FLOW CHART

 

 

1. Information Gathering

This is the first step for any remote host Penetration Testing. Here the pen-tester try to gather maximum information on the remote host to precise the attack.

 

Expected Results:

• qZone Transfer Information
• q Domain Registration Information
• q Email IDs
• q IP Addresses Range

 

Sample Screenshot (Server queried for Zone-Transfer Info):

 

(Information Gathered from Zone-Transfer Info)

 

2. Footprinting / Fingerprinting

In this step, information like WebServer and OS type running on remote host are gathered to further precise the attack.

 

Expected Results:

• qRemote server OS type
• q Remote server web-server type
• q Applications running on remote server

Sample Screenshot (Banner displaying OS, application & WebServer details):

 
3. Network Surveying / Network Mapping 

A network survey serves often as an introduction to the systems to be tested. It is best defined as a combination of data collection, information gathering, and policy control. 

Expected Results:

• qFirewall / Routers / IDS Discovery
• qPossible Local Network / Subnet Discovery
• qIP Addresses Range
• qNetwork Topology Mapping
• qISP information

Sample Screenshot (Local address of the remote network discovered):

 

  4. Port Scanning & Services Identification

Port scanning is the invasive probing of system ports on the transport and network level. This module is to enumerate live or accessible Internet services as well as penetrating the firewall to find additional live systems.

 

Expected Results:

• qOpen, closed or filtered ports
• qServices Identification

Sample Screenshot (NMAP port scan output):

 

 

5. Evading Firewall Rules

In this phase, firewall evasion techniques are used to bypass firewall rules. This can further help in port scanning, remote host detection and remote network discovery.

Expected Results:

• q Mapping of firewall configuration rules
• q Partial Access to devices behind the firewall

Sample Screenshot : (Trace Route using UDP packets)

 

 

It is clear from the two screenshots  that the packet filtering device (i.e. Firewall / Router) is not configured to block UDP packets. 

6. Automated Vulnerability Scanning

The focus of this module is identifying, understanding, and verifying the weaknesses, misconfigurations and vulnerabilities associated with remote host. The scanning is done using automated tools or scripts to make the process faster. 

Expected Results:

• qList of vulnerabilities associated with each remote services
• qList of possible denial of service vulnerabilities
• qPossible misconfiguration on the remote server

Sample Screenshot 

What is MVS ?

MVS is an automated Internet Vulnerability Scanner which can scans for web based vulnerabilities (Ex: CGI/IIS Unicode) associated with a remote host running a web server. The scanner displayed, shows that the target host is vulnerable to IIS Unicode. The vulnerable string has been highlighted in the below screen shot

7. Exploiting Services For Known Vulnerabilities 

This is the most important phase of penetration testing. Here the weaknesses found in the remote services are exploited using openly available exploits or self developed or customized exploits. 

Expected Results:

• q Gaining Access to the system
• q Retrieving hidden information
• q Domain Hijacking
• q Spamming Mail Servers

Sample Screenshot (FrontPage fp30reg.dll Overflow Exploit):

 

 

Here the web application flaws are exploited to gain access to restricted information. The Web-Based authentication is exploited by using XSS (Cross-Site Scripting) or SQL injection or MITM (Man-in-the-middle) attacks etc... 

Expected Results: qAccess to restricted / confidential information q Control over web configuration q Can also leads to gaining access over other servers Sample Screenshot (SQL injection used for gaining access to admin page):

  8. Password Cracking or Brute Forcing 

Password cracking is the process of validating password strength through the use of automated password recovery tools that expose either the application of weak  passwords due to human factors. 

Password Lists and Words List are use for validating the password in this process

Expected Results: qList of user login IDs or passwords q List of authentication PINs or Password Sample Screenshot (Brute Forcing using Brutus):

 

9. Denial of Service (DoS) Testing 

 

Denial of Service (DoS) is a situation where the applications or services running over the remote system stops functioning and prevents authenticated network users or devices to access it. 

Expected Results: Disruption of Services q List of other possible DoS vulnerable associated with the systems qSabotage of remote network Sample Screenshot (DOS attack for CISCO):   10. Escalation of Privileges    Escalation of Privileges is the type of rights the attacker gains over the remote system. It is the final stage of the remote host hacking where the attacker gains complete control over the remote system.

 

Expected Results: q Gain administrator / super user rights q Gain privilege to retrieve or modify confidential data q Gain control over server configuration q Gain Control over other servers attached to it   Sample Screenshot    ============================================================= It took me around two days to reproduce the entire paper from the ppt into a webpage.  This paper was written by Debasis Mohanty but was not published in webpage form till now so i tried my best to convert it into a webpage. Download the original PPT by him and learn the basics of Buffer Overflow written for beginners only - GO HERE