CIS 76 Telnet Session Hijack - simms-teach.com


Admonition


Unauthorized hacking is a crime.

The hacking methods and activities learned in this course can result in prison terms, large fines and lawsuits if used in an unethical manner. They may only be used in a lawful manner on equipment you own or where you have explicit permission from the owner.

Students that engage in any unethical, unauthorized or illegal hacking may be dropped from the course and will receive no legal protection or help from the instructor or the college.


Last updated 9/12/2016

[Figure: network topology diagram showing the Internet, the "EH-Pod-05 Network" 10.76.5.0/24, the "Microlab Network" 172.30.10.0/24 and the "Server Network" 172.30.5.0/24.]


Requirements

1. EH-Centos VM running with telnet service on Microlab network.

2. pfSense VM (baseline snapshot or greater).

3. Install Putty on pod WinXP VM (baseline snapshot or greater).
   • Google putty download
   • Download putty.exe to desktop.

4. Install Shijack on pod Kali VM (baseline snapshot or greater).
   • Download shijack.tgz file from https://packetstormsecurity.com/
   • Use tar xvf shijack.tgz to extract files.

[Figure: CIS 76 Network Topology Map. Networks: "EH-Pod-05 Network" 10.76.5.0/24, "Microlab Network" 172.30.10.0/24, "Server Network" 172.30.5.0/24. Hosts shown: EH-pfSense-05 (gateway and firewall), EH-Kali-05, EH-WinXP-05, EH-OWASP-05, EH-TBD-05, EH-Centos, Opus, NoSweat (gateway and firewall).]

[Figure: scenario diagram. EH-Pod-05 network 10.76.5.0/24 with EH-Kali-05 (attacker), EH-WinXP-05 (victim) and EH-pfSense-05; Microlab network 172.30.10.0/24 with EH-Centos (telnet server). Host addresses shown: .150, .1, .201, .205, .160.]

Scenario: The victim on EH-WinXP will be using telnet to log into the EH-Centos server.

The attacker on EH-Kali will do a MITM attack by ARP poisoning EH-pfSense and EH-WinXP using Ettercap. The attacker will then intercept all traffic between them including capturing the telnet session username and password.

Rather than making use of the username and password to login from EH-Kali, the attacker instead hijacks the telnet session. This leaves the attacker in control and the victim's connection is broken.

The attacker leaves a new file in the victim's home directory on EH-Centos.
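A defender's view of the ARP poisoning step in the scenario, as an added example that is not part of the original slides: it flags an IP whose MAC changes and a single MAC that answers for several IPs. The host addresses are assumed for illustration and the MAC addresses and ARP replies are constructed.

```python
from collections import defaultdict

# Assumed lab addresses and constructed MACs (not the real hosts' values).
GATEWAY, VICTIM, ATTACKER = "10.76.5.1", "10.76.5.201", "10.76.5.150"
GW_MAC, VIC_MAC, ATK_MAC = "02:00:00:00:00:01", "02:00:00:00:00:c9", "02:00:00:00:00:96"

# Constructed ARP replies: (seconds, sender IP, sender MAC).
SAMPLE_ARP = [
    (0.0, GATEWAY, GW_MAC),
    (0.4, VICTIM, VIC_MAC),
    (0.9, ATTACKER, ATK_MAC),
    (5.0, GATEWAY, ATK_MAC),   # attacker's MAC now answers for the gateway
    (5.1, VICTIM, ATK_MAC),    # ... and for the victim
    (6.0, GATEWAY, ATK_MAC),   # poisoned replies are re-sent periodically
]

def detect_arp_poisoning(replies, pinned=None):
    """Return alerts for IP->MAC rebinding and for one MAC claiming several IPs.

    pinned: optional {ip: mac} of known-good bindings (e.g. the gateway);
    without it, the first binding seen for an IP is trusted.
    """
    bindings = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    claimed = defaultdict(set)      # MAC -> set of IPs it has answered for
    alerts, seen = [], set()
    for ts, ip, mac in replies:
        mac = mac.lower()
        claimed[mac].add(ip)
        expected = bindings.setdefault(ip, mac)
        if expected != mac and ("rebind", ip, mac) not in seen:
            seen.add(("rebind", ip, mac))
            alerts.append({"time": ts, "type": "rebind", "ip": ip,
                           "expected": expected, "observed": mac})
        key = ("multi", mac, len(claimed[mac]))
        if len(claimed[mac]) > 1 and key not in seen:
            seen.add(key)
            alerts.append({"time": ts, "type": "multi_ip", "mac": mac,
                           "ips": sorted(claimed[mac])})
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP):
        print(alert)
```

A rebind on its own can also come from a replaced NIC or a failover; the stronger signal is one MAC answering for both the gateway and a client.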

Run Ettercap on EH-Kali

Perform Unified sniffing on eth0

EH-Kali

Scan subnet to discover all online hosts

EH-Kali


EH-Kali

Show the list of discovered hosts

Hosts discovered on the Pod 5 LAN: pfSense, OWASP, WinXP

EH-Kali

Select pfSense router and add to Target 1

EH-Kali

Select the WinXP VM and add to Target 2

EH-Kali

Under the Mitm menu select ARP poisoning...

EH-Kali

Then check Sniff remote connections

On the WinXP VM download the putty.exe file to your WinXP desktop

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

EH-WinXP

Run Putty and Telnet (port 23) into eh-centos.cis.cabrillo.edu

EH-WinXP

Log into EH-Centos as the cis76 user

EH-WinXP

Back on the Kali VM notice the attacker can see your username and password (blurred here)

EH-Kali

Shijack

https://packetstormsecurity.com/search/?q=shijack

Download shijack.tgz to eh-kali and extract the files

EH-Kali

Run Wireshark on EH-Kali to capture Telnet traffic between EH-WinXP and EH-Centos

EH-Kali

Record source port for the next step

Run shijack-lnx using the IP addresses and ports for EH-WinXP and EH-Centos

EH-Kali

Make your mark by changing into the visitors directory and creating a file using your own name.

Get port from Wireshark

Notice the victim on WinXP gets rudely disconnected by the hijack

EH-WinXP

Victim logs back in and sees the attacker added a file to his visitors directory!

EH-WinXP

Credits

Ethical Hacking: Session Hijacking by Malcolm Shore (Lynda.com)