Pi Hacking

The aims of this exercise are to explore a small LAN looking at:

  • the sort of information we can collect.
  • some of the command line tools that are available.
  • how we can communicate across the network

This fun practical exercise assumes that your RPi is working and has the required packages installed:

  • dnsutils – a collection of programs related to DNS such as dig and nsupdate.
  • netcat – a program that allows you to send and receive data across networks.
  • steghide – a program that will allow you to hide various information inside image and audio files.
  • tcpdump – a program that allows us to capture packets on the network.
  • iperf – a program for end-to-end performance testing.
  • nethogs – to find out what else is on the network.
  • iptraf – which will show us what traffic is on the network.

Missing packages can easily be installed with sudo apt-get install … Additionally, some of the tasks require the network to be based around a hub and not a switch, so that we can take advantage of one of the inherent weaknesses of a hub: it repeats every frame to every port (broadcasting). This means one Raspberry Pi will have to be designated the DHCP server and issue IP addresses. To do this you will need to install isc-dhcp-server, and I recommend reading the attached rpi_raspbianwheezy_dhcp_server. By the way, this is what it looks like when you are testing this theory in your front room!

TASK 1

Open a terminal and type ifconfig to discover the IP address of your Raspberry Pi. The answer is on the second line of output after the words inet addr:. Make a note of it for later. You should also be able to record the MAC address. Question: In terms of the OSI Model, what is the difference between the IP address and the MAC address?

TASK 2

Using nano open the /etc/hostname file and change the hostname of your machine to a unique name.

sudo nano /etc/hostname

Exit nano and check that the name has changed with the cat command.  Do you see what you expect?

cat /etc/hostname

It’s much easier for us to identify our computer by its new name rather than its IP address, so we will add an entry to the hosts file. Use nano to open the /etc/hosts file and add a line in the format shown below:

xxx.xxx.xxx.xxx   MyRaspberryPiName

You will need to reboot the Pi for these changes to take place so type:

sudo reboot

You can check everything has gone ok once it has rebooted using the command:

hostname

Question:  Why do we give a computer a hostname on the network?

TASK 3

You can identify the other computers on the network using nmap, where ip-address is the first three parts of your IP address (the xxx.xxx.xxx of xxx.xxx.xxx.xxx):

sudo nmap -sP ip-address.*

This command might take a while to run but will show you all the other computers on this LAN. Now we know where they are we can start to communicate with them, or attack! Experimental: pick one of the IP addresses and use nslookup <ipaddress> to find out its hostname. If that doesn’t work you can always try host <ipaddress> or dig -x <ipaddress>. These commands query the IP address to find the hostname (and vice versa), demonstrating DNS (Domain Name System). Question: Which service manages the relationship between IP address and hostname?

TASK 4

We used nmap earlier to find the IP addresses of the other computers on the network. We can also use nmap to discover open ports on one of them:

nmap <ipaddress> or nmap <hostname>

Question:  Can you explain ports and how they fit into network communications?  What are some of the common ports found on a computer?

TASK 5

The netcat program will allow us to communicate across the network, for example sending simple messages or files. To do this task you will need to work in pairs (i.e. with another Raspberry Pi).

A: Basic Chat

Follow these instructions:

  1. Designate one of you the listener and one as the sender.
  2. Make sure you know the address of each Raspberry Pi.
  3. On the listener type nc -l -p 1234 where 1234 is an arbitrary port number.
  4. On the sender type nc <listener ip address> 1234
  5. Now whatever you type on the sender is repeated on the listener.
  6. This works both ways, so try it from the listener to the sender.

Top Tip: If you do not know the port number, try typing nc -zv <listener ip address> 1-1024 to scan that range for potential listening ports (nc needs a port or port range after the address).

B: Advanced Chat

Sometimes we want to send more than just a few lines. For example we might have a text file containing some sensitive information. Follow these instructions:

  1. Using nano, create a new text file on the sender and save it as secret.txt
  2. Set the listener up to receive the file with nc -l -p 1234 > input.txt
  3. Send the file by redirecting it into netcat on the sender using nc <listener ip address> 1234 < secret.txt
  4. The file should be received by the listener and you can view the contents using more input.txt

Question: What type of communication is this? Evidence: Take a photo of the screens to show the communication, to use as evidence later.

TASK 6

What if we were a bad person listening in on their conversation? Could we capture network traffic and decode it? You will need to work in groups of three for this task so that we can have a sender, a receiver and a man in the middle who will undertake the attack. Set up a simple chat as described above and then tell tcpdump to capture packets:

sudo tcpdump -n

Question: Can you identify the level of the OSI framework that we would be looking at here? However, this is a little bit crazy and you are probably seeing a lot of traffic, but what if we knew the IP address of a computer we were interested in attacking? Try the following command and ask one of the computers to send a message.

sudo tcpdump -n 'src <senders ip address>' -A

Can you spot the messages on the screen? Don’t forget you could have two terminal windows open and listen for traffic to the destination at the same time.

sudo tcpdump -n 'dst <senders ip address>' -A

If you don’t know the IP address of the computer you can just carry on listening to all traffic, but try to pick out specific words like password (the -l makes tcpdump flush each line so grep sees it straight away):

sudo tcpdump -n -l -A | grep -e 'password'
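To show what that grep is really picking out of the capture, here is a small POSIX shell script (added here, not part of the original exercise) that reads a saved tcpdump -n -A capture and reports, for every packet whose payload contains a keyword, which source address sent it to which destination. The capture text and the 192.0.2.x addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original exercise.
# Scans a saved `tcpdump -n -A` capture for packets whose printable
# payload contains a keyword and prints the packet's source and
# destination from the tcpdump header line above the payload.

# Usage: find_keyword_packets <capture-file> <keyword>
# Prints one line per hit as "<src> -> <dst>: <payload line>".
# Returns 0 if at least one packet matched, 1 otherwise.
find_keyword_packets() {
    awk -v kw="$2" '
        # A packet header looks like: "12:00:01.000001 IP src > dst: Flags ..."
        # so $3 is the source and $5 the destination (with a trailing colon).
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ IP / {
            src = $3; dst = $5; sub(/:$/, "", dst); next
        }
        # Every other line is the -A payload dump; look for the keyword.
        index($0, kw) > 0 {
            print src " -> " dst ": " $0; hits++
        }
        END { exit (hits > 0 ? 0 : 1) }
    ' "$1"
}

# Writes a constructed sample of what tcpdump -n -A shows for the
# Task 5 chat: two packets from the sender, one reply from the listener.
write_sample_capture() {
    cat > "$1" <<'EOF'
12:00:01.000001 IP 192.0.2.10.45678 > 192.0.2.20.1234: Flags [P.], seq 1:7, ack 1, win 502, length 6
E..:..@.@.x...
hello
12:00:02.000002 IP 192.0.2.10.45678 > 192.0.2.20.1234: Flags [P.], seq 7:25, ack 1, win 502, length 18
E..F..@.@.x...
password: hunter2
12:00:03.000003 IP 192.0.2.20.1234 > 192.0.2.10.45678: Flags [P.], seq 1:4, ack 25, win 510, length 3
E..7..@.@.x...
ok
EOF
}
```

On the Pi, save a live capture first with sudo tcpdump -n -l -A > capture.txt, then run find_keyword_packets capture.txt password; the sample function only exists so the script can be tried without a second machine.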

If we move to a switch and stop using the hub, what would happen to our packets? Question: Write up a short report on what you have found out. Which particular network communication type is susceptible to this type of attack?

TASK 7

If we knew that someone might be listening, maybe we would decide to encrypt our messages or hide them inside another file. Steganography is the science of hiding data inside other data. Follow these instructions:

  1. Copy a JPEG image onto your Raspberry Pi using a USB stick.
  2. Hide the message in the image using steghide embed -cf picture.jpg -ef secret.txt
  3. Transfer the file using the method in Task 5B, but make sure to change the receiver’s output file name to picture.jpg
  4. Now extract the hidden message with steghide extract -sf picture.jpg
  5. You can find out more about what steghide can do using the man steghide command to open the manual.

Question: How do we typically encrypt traffic on the internet? How would we know if we were viewing a web page over a secure connection?

TASK 8

*Requires an internet connection. Use the nslookup tool to find out the IP address of a favourite website, e.g. this one! We can use traceroute (followed by the IP address or domain name) to display the route that a packet takes across the web, along with other information such as the time/delays between hops. If the details are starred out, your firewall could be blocking this information: type man traceroute to open the traceroute manual and see all the options the program has; -U might be helpful in this instance. There are online versions of this program which you could try from home. Question: What type of switching does this show?

WHAT NEXT?

If you have finished why not explore the PythonNetworkTasks and see what else you can do?
