Web hacks

the web pages it sees. First, create a data directory. In this example, it’ll be in the author’s home directory, but it could be anywhere (on a separate drive is a good idea if you plan to leave it running for a while).

mkdir /home/ben/data

sudo justniffer-grab-http-traffic -d /home/ben/data -U ben -i wlan0

In both cases, you’ll need to change ben to the username that you want to have. The -U option tells it which user to save the files as.

If you connect to the hotspot using a computer, tablet or phone, and surf the web, you should see the data directory filling up with files for every unencrypted web page viewed. This will include the contents of any web-based email they read that’s not transmitted using HTTPS (Gmail does, so won’t be readable; most others do not).

Of course, not everything you may want to intercept goes over HTTP, and many other protocols are unencrypted (such as FTP and Telnet). Fortunately, there are other tools to help you attack them. For example, dsniff (http://monkey.org/~dugsong/dsniff and in the HackWeb folder) will pull all unencrypted passwords out of network traffic.

Both of these tools are passive. That means they make a copy of the data, but otherwise let it through untouched. We can step things up a notch, but to do this we need to use an active attack, specifically sslstrip (see HackWeb folder).

This exploits the nature of web links, and the fact that the web has some pages encrypted and others not. Basically, it watches all the unencrypted web traffic and waits for links or redirects to HTTPS sites. It then starts an MITM attack, where it (sslstrip) requests the secure version of the website, and then serves it as plain HTTP to the browser.

It is possible for a site to block this kind of attack, but it’s beyond the scope of this article to go through how. However, we found that several major websites (including Facebook and Yahoo) were vulnerable. We reported the issues to their security teams. Facebook replied that they recommend enabling the secure browsing setting. However, this failed to stop the attack, and they didn’t respond to us when we pointed this out to them. Yahoo didn’t respond at all.
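One standard way for a site to block this kind of stripping is HTTP Strict Transport Security (HSTS, RFC 6797), which tells a browser that has visited once to refuse plain HTTP for that host afterwards. The following Python is an added example, not part of the original article: it audits response headers for an HSTS policy and for cookies that lack the Secure flag. The sample responses, host names and finding codes are constructed, and the 180-day threshold is an assumption.

```python
MIN_MAX_AGE = 15552000  # 180 days; threshold assumed for this example


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def audit_response(url, headers):
    """Return sorted finding codes for one response.

    headers is a list of (name, value) pairs, because a header may repeat.
    """
    findings = set()
    fields = [(name.lower(), value) for name, value in headers]
    hsts = [v for n, v in fields if n == "strict-transport-security"]

    if url.lower().startswith("http://"):
        # Browsers ignore HSTS received over plain HTTP, and the redirect
        # itself travels unencrypted, so it can be rewritten in transit.
        if hsts:
            findings.add("hsts-over-http-is-ignored")
        if any(n == "location" and v.lower().startswith("https://")
               for n, v in fields):
            findings.add("redirect-to-https-sent-in-clear")
    elif not hsts:
        findings.add("hsts-missing")
    else:
        policy = parse_hsts(hsts[0])  # only the first header is processed
        if policy["max_age"] is None:
            findings.add("hsts-max-age-invalid")
        elif policy["max_age"] == 0:
            findings.add("hsts-max-age-zero-clears-policy")
        elif policy["max_age"] < MIN_MAX_AGE:
            findings.add("hsts-max-age-short")
        if not policy["include_subdomains"]:
            findings.add("hsts-no-includesubdomains")

    for name, value in fields:
        if name == "set-cookie":
            attributes = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attributes:
                findings.add("cookie-without-secure")
    return sorted(findings)


# Constructed sample responses (invented hosts), not captured traffic.
SAMPLES = [
    ("http://shop.example/login",
     [("Location", "https://shop.example/login"),
      ("Strict-Transport-Security", "max-age=31536000")]),
    ("https://shop.example/login",
     [("Set-Cookie", "sid=abc; Path=/; HttpOnly")]),
    ("https://mail.example/",
     [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
      ("Set-Cookie", "sid=abc; Secure; HttpOnly")]),
    ("https://old.example/",
     [("strict-transport-security", 'max-age="300"')]),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, audit_response(url, headers) or "ok")
```

HSTS only protects a browser after its first successful HTTPS visit to the host, so the very first request over an open network is still exposed.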

Get encrypted

You can view the internet a bit like the postal service. Data is normally sent unencrypted, which is like sending it on a postcard. Any number of people could read this between when you send it and when it arrives, and the same is true of information sent as HTTP, FTP, Telnet or any of the other unencrypted postcards. There are times when this doesn’t matter – you may not care that your granny’s postman knows that the weather in Spain is lovely – and there are times when it does – you probably don’t want your postman to know your bank account details. The same is true online. If you don’t want your information to be publicly readable, make sure you use an encrypted protocol (HTTPS, SFTP, SSH, SCP and so on).

Using justniffer, we were able to grab emails that had been sent to a phone attached to the hotspot.

To help make this a little easier, the Electronic Frontier Foundation (EFF) has produced a browser extension for Firefox and Chrome called HTTPS Everywhere. This makes sure you use the encrypted version of a site by default if it exists. If the site doesn’t have an encrypted version, it will still serve the unencrypted version, so you still need to be vigilant.

As we saw with sslstrip, you need to be particularly careful when using an open network, even if the site’s normally encrypted. Remember to check that you’re really using HTTPS before entering any information.

The encrypted protocols keep the data private, but they don’t disguise which servers you’re using. For example, an intruder may be able to discover you’re using gmail.com, but they can’t find out your username or what emails you’re sending or receiving. If you need anonymisation as well as encryption, you’ll need to use a VPN or Tor (http://torproject.org) to obfuscate or add misdirection to all of your traffic. Note that you still need to use an encrypted protocol with these to provide protection.

Certificate attacks

All forms of encryption are based around keys. These are a bit like passwords in that they let you decrypt a document. There is always a challenge in making sure both parties to an encrypted communication know the keys to decrypt it. On the web, certificates are used. These certificates are generated by trusted authorities, and guarantee that the data you’re getting (and the keys used) really come from the site they claim to. This process of certifying sites is open to attack. For example, if you can load a certificate into a browser as a trusted authority, you can then generate your own fake certificates that the browser will then trust. Doing this, you can then set up a Man In The Middle attack using a fake certificate.

To help penetration testers check encrypted sites, ZAP has the ability to create these trusted authorities and run attacks using them. There are also a number of commercial proxies designed to do this on a grand scale to allow, for example, companies to check what their employees are doing online.

The bottom line is this: if someone else controls the computer, they can spy on everything you send over the web, regardless of HTTPS encryption.


The Hacker’s Manual 2015 | 171

“A DDOS attack stops a server performing its normal function”


DDOS

Overwhelming servers with information.

Distributed Denial of Service (DDOS) is perhaps the most highly publicised style of attack in recent years. Anonymous, and other high profile hacktivist collectives, have used such attacks to good effect against governments, financial institutions and any other organisations that have irked them. It’s been publicised less, but DDOS has also become a weapon used by criminal gangs. But before we talk about why, let’s review what DDOS attacks are and how they work.

Basically, a DDOS attack is one that stops a server being able to perform its normal function, and thereby denying its service to the users. Typically, this is a web server, but it doesn’t have to be. A DDOS attack does this not by compromising the computer, or gaining access, but by overloading some aspect of it.

For example, an attacker could saturate a server’s network connection with dummy data so that no legitimate data can get through, or it could use all of the CPU’s cycles, so that it can’t process any other requests.

Because most modern servers have high-bandwidth connections, powerful CPUs and lots of memory, you can’t usually overpower them using just a home broadband connection. To get by this, attackers often use multiple computers to attack a target simultaneously. In the case of hacktivists, this is generally done by a group of people sympathetic to the cause; with criminals, it’s often done by a botnet.

There are a lot of tools available to help you run a DDOS test. The favoured tool of Anonymous is the High Orbit Ion Cannon, because it’s easy for unskilled users. However, we’re going to take a look at hulk. It’s available from http://packetstormsecurity.com/files/112856/HULK-Http-Unbearable-Load-King.html.

To run hulk, simply unzip it, and run with:

unzip hulk.zip

python hulk.py http://<site>

To test it, you can set up an HTTP server quickly with:

python -m SimpleHTTPServer

and then attack it with:

python hulk.py http://<ip address>:8000

We found this took down the site quite effectively. However, there is obviously a big difference between taking down a small Python web server and knocking a dedicated Apache system offline. Hulk simply tries to flood the machine with requests. Next, we’ll take a look at one that’s a little cleverer. Slowloris (from http://ha.ckers.org/slowloris) works by trying to hold as many open connections as possible, with the intention of maxing out the server. Doing this uses far less bandwidth than a hulk-style brute force attack, but not all web server software is vulnerable. To run, you just need to make the file executable, then start it with:

chmod a+x slowloris.pl

./slowloris.pl -dns <site>

Again, this took out our little Python server instantly.

Slow lorises are a type of primate found in south and south-east Asia. If you want to know what one looks like, just open the Perl file in a text editor.

We were able to run a modified version of hulk on a Nexus 7. It wasn’t as effective as it was on a desktop machine, but still brought our web server to its knees. As tablets and phones become more powerful, they could become potent attackers when attached to open Wi-Fi hotspots.

Protect yourself

Protecting yourself from a DDOS attack is simply a case of minimising the hit you take from each malicious packet. This means stopping as many of them as possible as soon as they enter your network. To do this, you need a firewall, and you need to know how to configure it to identify and drop the relevant packets.

Exactly how to do this depends on your firewall, and the rules you need change in a constant game of cat and mouse as the attackers change their packets to get around firewall rules. However, we will say this: make sure you know how to protect yourself before you get attacked. Try out the various DDOS tools on offer, and practise blocking them out, because you don’t want to have to learn this after your site’s already gone down. Running DDOS tools is also an excellent way to check how your site will perform under a heavy load.

Alternatively, you can put your server on a network that can take care of this for you. Services such as CloudFlare put your server behind their firewall (virtually, you don’t have to reconnect your server). This means that you don’t need to worry about the intricacies of firewall configuration.
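Before writing a firewall rule, it helps to see which sources are holding connections open, since that is the signature of a Slowloris-style attack as described above. The following Python is an added example, not part of the original article: it counts open connections per source address from `netstat -nt` style output and flags sources above a ceiling. The sample output, addresses, ceiling and worker limit are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# States that occupy a server connection slot.
COUNTED_STATES = {"ESTABLISHED", "SYN_RECV"}


def build_sample_netstat():
    """Constructed netstat-style output: one source holds 60 sockets open."""
    rows = [
        "Active Internet connections (w/o servers)",
        "Proto Recv-Q Send-Q Local Address    Foreign Address    State",
    ]
    for i in range(60):
        rows.append(f"tcp  0  0 192.0.2.10:80  203.0.113.50:{40000 + i}  ESTABLISHED")
    for i in range(3):
        rows.append(f"tcp  0  0 192.0.2.10:80  198.51.100.7:{51000 + i}  ESTABLISHED")
    rows.append("tcp  0  0 192.0.2.10:80  198.51.100.7:51999  TIME_WAIT")
    rows.append("tcp  0  0 192.0.2.10:22  198.51.100.7:50022  ESTABLISHED")
    for i in range(2):
        rows.append(f"tcp6 0  0 ::ffff:192.0.2.10:80  ::ffff:198.51.100.9:{42000 + i}  ESTABLISHED")
    return "\n".join(rows)


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 hosts survive intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def normalise(host):
    """Fold IPv4-mapped IPv6 addresses onto their IPv4 form."""
    try:
        address = ipaddress.ip_address(host)
    except ValueError:
        return host
    mapped = getattr(address, "ipv4_mapped", None)
    return str(mapped) if mapped else str(address)


def connections_per_source(netstat_text, server_port):
    """Count slot-holding connections to server_port for each remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue  # headers and anything that is not a TCP row
        _, local_port = split_endpoint(fields[3])
        remote_host, _ = split_endpoint(fields[4])
        if local_port == str(server_port) and fields[5] in COUNTED_STATES:
            counts[normalise(remote_host)] += 1
    return counts


def flag_sources(netstat_text, server_port, max_per_source):
    """Return the sources holding more than max_per_source connections."""
    counts = connections_per_source(netstat_text, server_port)
    return {ip: n for ip, n in counts.items() if n > max_per_source}


def pool_usage(netstat_text, server_port, worker_limit):
    """Fraction of the server's worker slots occupied by open connections."""
    counts = connections_per_source(netstat_text, server_port)
    return sum(counts.values()) / worker_limit


if __name__ == "__main__":
    sample = build_sample_netstat()
    print("flagged:", flag_sources(sample, 80, max_per_source=20))
    print("pool usage:", pool_usage(sample, 80, worker_limit=130))
```

The same per-source ceiling is what a firewall connection-limit rule enforces; the script only shows where to set it for your own traffic.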


WebMail: Take back control

We show you how to build your own webmail service from the ground up, by installing and configuring the versatile SquirrelMail.

Quick tip

If your ISP will not allow your email server to send email through Port 25, you can always ask them to change that, or you can relay your outgoing email through a provider like Gmail.

Whether for greater security or just greater control, you might want to set up your own email server. We’ll show you how to install SquirrelMail so that you can send and receive email from your own web server through a browser, no matter where you happen to be.

If you have a complete LAMP setup, you can move straight on to ‘The email server’ just below. If not, here’s how to set up Apache, PHP and MySQL in a minute or two:

sudo apt-get install apache2

sudo apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql

sudo apt-get install php5 libapache2-mod-php5 php5-mcrypt

The email server

To get started with email, you need to install an email server. There are several available, including Exim, but we’ll use Postfix. To install Postfix, run the following command.

root@Joe-VirtualBox:~# apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql dovecot-pop3d

As you work through the easy instructions, you can create a self-signed certificate or opt out and not create SSL. When it comes to the hostname, you can leave it as the default localhost. If you plan to use a domain name, add it now under ‘System Mail Name’. Thus, if a mail address on the local host is foo@example.org, the correct value would be example.org.

Once your email server is set up, the next step is to install your webmail package. SquirrelMail is lightweight, has been around a long time and is often used by major hosting companies. To install it, run the following command as root:

apt-get install squirrelmail squirrelmail-locales

When you want to configure SquirrelMail, you can simply use the command squirrelmail-configure. First, though, we need to do some more in order to make things work properly. The next step is to make a soft link:

root@Joe-VirtualBox:~# ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf-enabled/squirrelmail.conf

(Note that just a few months ago, in order to make a soft link with your LAMP server, you would have used a slightly different command. But as time moves on, the names of folders and files can change slightly for various Linux packages, so that in this case yesterday’s conf.d directory is this year’s conf-enabled.)

Moving on, restart apache2. Now you should be able to open your browser, type http://localhost/squirrelmail/src/login.php and see the login page. Although you cannot actually log in yet, being able to see this page indicates that the setup is working correctly.

The next critical page to open is http://localhost/squirrelmail/src/configtest.php. You will see an IMAP error:

ERROR: Error connecting to IMAP server "localhost:143". Server error: (111) Connection refused

Don’t panic, this error happens and is easily fixed. To solve this problem, first run this command:

apt-get install nmap

Then, run the following as root, to scan ports:

nmap localhost

This will give you a list of ports and you can see if one is missing. For example, if 143 or 25 is not there, you should be thinking of fixing things and making sure the proper services are running. With SquirrelMail, Dovecot is usually the main hangup, and you can reload it with the following.

service dovecot reload

Another handy way to troubleshoot IMAP is the command:

sudo netstat -a | fgrep imap

If this command returns a line with LISTEN in it, you know that the IMAP server is up and running.

Another alternative is to run the command netstat -nl4. Now, to test if you can telnet port 143, run the command:

telnet localhost 143

(If you don’t have telnet, install the client first with apt-get install telnet, then run the command above. The telnetd package is the Telnet server daemon and is not needed for this test.)

If telnet is successful, you’ll see the line ‘Connected to Localhost’ and we can move on.

Reload Dovecot with the command we used above, and after this, SquirrelMail should be usable. If you now open the page http://localhost/squirrelmail/src/configtest.php in your browser, you should see a line at the bottom that reads ‘Congratulations, your SquirrelMail setup looks fine to me!’

Setting up SquirrelMail

Try logging in at http://localhost/squirrelmail/src/login.php with your Ubuntu username and password. If successful, you may see the webmail.php page and likely an error about the INBOX. However, the other links – namely INBOX.Drafts, INBOX.Sent and INBOX.Trash – should work fine.

If anything fails, you can find the errors in the /var/log/mail.log file. A common error is that the user does not have the INBOX file set up in the proper location. The error log will explain that it cannot select the inbox:

Nov 17 12:30:26 Joe-VirtualBox dovecot: imap(Joe): Error: Opening INBOX failed: Mailbox isn't selectable

You need to create the INBOX file at /var/mail/username. The file where you can change this setting is /etc/dovecot/conf.d/10-mail.conf and the mail_location sets the location for the INBOX. Ownership can be for that user (by default ‘username’) and permissions of 777. This is an empty file and not a directory. Note that mode 777 leaves the mailbox readable and writable by every local account on the machine.

Using nmap

Using nmap will help you conveniently scan your ports on your localhost. However, you can use it to scan any website as it is a valuable tool to aid with network security.

If you just use the nmap command followed by the target host (localhost, ip, url) it will scan 1,000 ports, which is ample for this exercise.

root@Joe-VirtualBox:~# nmap localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2014-11-20 13:35 PST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000068s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
631/tcp  open  ipp
783/tcp  open  spamassassin
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql

Aside from the exercise, nmap is a valuable port scanning tool that can be used to get the nitty gritty about hosts on the web, such as open ports, technology that is used and version, operating system and traceroute.

The next three lines can be used to scan ports with version detection. The second command would scan only port 4000 while the last command would scan the range of ports.

sudo nmap -sV <sitename/ip>
sudo nmap -sV -p 4000 <sitename/ip>
sudo nmap -sV -p 4500-5000 <sitename/ip>

For a long list of nmap options visit http://linuxcommand.org/man_pages/nmap1.html.

A couple of other modifications could be needed to make SquirrelMail work. Mail location is critical to knowing where your mailbox and inbox are located. You can always find mail location using the command below.

root# grep -r "mail_location" /etc/dovecot

In this case, it points to /etc/dovecot/conf.d/10-mail.conf.

The two main files where modifications need to be implemented are /etc/postfix/main.cf and /etc/dovecot/conf.d/10-mail.conf.

At this point, it should look like everything works fine. But if you send an email it is unlikely to reach its destination yet. The basic server is set up, but to get the email working we need to forward port 25 on the router to the local IP. If the port is not forwarded, you will be able to send but not receive email. This is simple: log in to the router and forward port 25 to the local IP.

SquirrelMail should now work. You can go to Options > Personal Information to set up your name and email address.

Now fire up a terminal and switch to the root user. Then, add a new user and set its password.

useradd test
passwd test

Now create a new folder for the user within the home directory and add a mail folder as well. The instructions are below and include setting up ownership and file permissions.

mkdir /home/test
mkdir /home/test/mail
chown test:test /home/test/mail
chmod -R 777 /home/test/mail

Don’t worry about the INBOX.Drafts, INBOX.Sent and INBOX.Trash that we had discussed earlier – they will be created automatically. At this point, you should be able to send email from one user to another.

At this point, you should consider the fact that you have two options. One option is sending email from your email server and the other is to use a relay like Gmail to send the email. The relay option is good if your IP is blacklisted or your ISP blocks port 25.

To make things easier, two template main.cf files (one with a relay and one without) are provided and will work for whichever option you take. With either file, you change your myhostname and myorigin parameters so that the values match your domain name. The examples use example.org as the domain, so look for this and replace as appropriate. In addition, you would add your network IP to the mynetworks parameter. The placeholder is 192.168.0.109 and this is written at the end of the line with preceding whitespace.

If port 25 is not blocked by your ISP, you can send and receive email without a relay. If you go down this route, the code block below can be used. It comes from your Postfix configuration file /etc/postfix/main.cf. All of the comments are removed so it looks less cluttered.

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = example.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = example.org
mydestination = example.org, Joe-VirtualBox, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.109
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

Quick tip

MXToolbox is a fantastic resource to decipher long email headers and check against spam lists. You’ll find it at http://mxtoolbox.com/EmailHeaders.aspx

Sending to foreign servers

Sending email to another user with your domain name is one thing; sending mail over the net is another. The main hangup is usually good old port 25. It may be blocked by your Internet Service Provider, in which case the ISP should be able to help you with this issue. In some cases, they could even unblock it for you. You could also use Telnet to see if it is blocked or not. In the odd case, your IP could be blacklisted, which would render your email server on the problematic side of things.

Some routers offer a free DNS service so you can use a home IP as your hosting or email server needs.

Running nmap localhost can supply vital info about the ports you are using. You will want to see port 25 and port 143.

If you cannot send email other than to another email address on your new email server, then you can send email through a relay using SMTP. For this, you need to make the following three alterations in your /etc/postfix/main.cf file – just slot these in on new lines:

relayhost = [smtp.gmail.com]:587
smtp_use_tls=yes

and

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

If you’re a novice at this kind of thing, see /usr/share/postfix/main.cf.dist for a commented, complete version of the necessary code. (While you’re at it, see /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for information on enabling SSL in the SMTP client.)

Once you’ve made changes to the main.cf and /etc/postfix/sasl_passwd files, run the next command.

sudo postmap /etc/postfix/sasl_passwd

This command is necessary so that Postfix will know how to find the file with your Gmail username and password. The code in the sasl_passwd file will look like the line below except that you need to use your real password for your Gmail account. Because the password is stored in clear text, keep sasl_passwd and the sasl_passwd.db file that postmap generates readable by root only.

[smtp.gmail.com]:587 example@gmail.com:my_secret_password_here

Now, you need to reload Postfix and you are good to go.

sudo service postfix reload

Now, when you send an email, your home email server will relay and authenticate to your Gmail account and the message will finally travel to the desired recipient. (Take note, however, that incoming messages will not be relayed through Gmail or whichever service you set up for relaying: email sent to your inbox will go straight there from the sender.)

Once you send email on a relay, the email headers will contain information from both the original sender and the Gmail account. An easy site to translate long headers is http://mxtoolbox.com/EmailHeaders.aspx.

A recipient will see in the Return-Path field that the relay came from a Gmail account, but this is not a way to conceal the sender: after you run the headers through MX Toolbox or analyse the headers manually when checking your email, you will be able to track back and find that the email started from (in this case) Joe@example.org – the X-Google-Original-From header tells you that Google received it from there. The Received fields will also disclose the organisations and servers that handled the message in transit, and include the IP of the originating email server.
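The manual header analysis described above can be scripted. The following Python is an added example, not part of the original article: it reads Return-Path, X-Google-Original-From and the Received chain from a message and reports the hops in transit order with the originating IP. The sample message, its host names and its documentation-range IP addresses are constructed for illustration.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample message (invented hosts, documentation IP ranges),
# shaped like mail relayed through Gmail as the article describes.
SAMPLE_MESSAGE = """\
Return-Path: <example@gmail.com>
Received: from mail-relay.google.example (mail-relay.google.example [198.51.100.20])
    by mx.recipient.example with ESMTPS id r2; Mon, 17 Nov 2014 12:30:29 -0800
Received: from example.org (home.isp.example [203.0.113.25])
    by smtp.gmail.com with ESMTPSA id r1; Mon, 17 Nov 2014 12:30:27 -0800
X-Google-Original-From: Joe@example.org
From: Joe@example.org
To: friend@recipient.example
Subject: relay test

Hello.
"""


def parse_received(value):
    """Extract sending host, its IP and receiving host from one Received field."""
    flat = " ".join(value.split())  # unfold continuation lines
    sender = re.search(r"\bfrom\s+(\S+)", flat)
    receiver = re.search(r"\bby\s+(\S+)", flat)
    ip = None
    bracketed = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", flat)
    if bracketed:
        try:
            ip = str(ipaddress.ip_address(bracketed.group(1)))
        except ValueError:
            ip = None  # bracketed text that is not an address
    return {
        "from": sender.group(1) if sender else None,
        "by": receiver.group(1) if receiver else None,
        "ip": ip,
    }


def trace(raw_message):
    """Summarise who relayed a message and where it entered the mail system."""
    msg = email.message_from_string(raw_message)
    # Each relay prepends its Received field, so the list is newest first.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # oldest hop first, i.e. transit order
    return {
        "return_path": parseaddr(msg.get("Return-Path", ""))[1] or None,
        "original_from": parseaddr(msg.get("X-Google-Original-From", ""))[1] or None,
        "hops": hops,
        "origin_ip": next((h["ip"] for h in hops if h["ip"]), None),
    }


if __name__ == "__main__":
    result = trace(SAMPLE_MESSAGE)
    print("Return-Path:  ", result["return_path"])
    print("Original from:", result["original_from"])
    for number, hop in enumerate(result["hops"], 1):
        print(f"hop {number}: {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("Origin IP:    ", result["origin_ip"])
```

Received fields below the first server you trust are written by the sending side and can be forged, so treat the lowest hops as claims rather than proof.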

Attachments, DNS and SSH

Now that you can successfully send and receive email, you may want to upgrade your SquirrelMail and provide a means of sending and receiving email attachments.

It’s actually very straightforward. To get started, navigate to the folder /var/lib/squirrelmail. Now that you are here, you can make a folder for the attachments that has the permission of 777 and the group and user are www-data. The simple instructions are as follows.

root:/var/lib/squirrelmail# mkdir attachments
root:/var/lib/squirrelmail# chmod -R 777 attachments
root:/var/lib/squirrelmail# chown www-data:www-data attachments

Using a mail client

Although webmail is convenient and accessible from anywhere, you might wish to use your favourite email client such as Thunderbird Mail to access your webmail on your Linux box.

By default, Thunderbird Mail will set up your account with IMAP. Therefore, you will always have a copy of old and new messages. However, you could use POP and add port forwarding on your router to receive email through port 110.

Attachments Received

By default, an attachment will be a base64 encoded chunk of text and stored in the inbox at /var/mail/username. If you send yourself an attachment, go to the end of the file and read it. To get to the end of the file with the Vi editor type G and hit Enter on your keyboard.

If you want to save your attachments, you can transfer them to your /var/lib/squirrelmail/attachments folder or simply download them to your PC.

The block below shows details about an attachment that had been received:

Content-Type: application/vnd.oasis.opendocument.text;
 name=myfilename.odt
Content-Disposition: attachment;
 filename=myfilename.odt
Content-Transfer-Encoding: base64

If, for whatever reason, you want to empty your inbox file, you can apply the next command.

sudo truncate -s 0 /var/mail/username

What about attachments you’ve sent? Again, like a received attachment, each of these will be base64 encoded and stored in the /home/username/INBOX.Sent file. To see for yourself, send an email with an attached file. Then, open the /home/username/INBOX.Sent file with an editor like Vi and go to the end of the file. You will see the base64 encoded attachment here.

If you’re using a Raspberry Pi, a USB stick, a Linux partition, or a PC with only Linux installed, then you can set the IP to be static so that you don’t have to change anything as computers reboot or a router gets reset. Let’s take a look at how to make this work.

Your new email service can be accessed locally at localhost/squirrelmail/src/login.php. If you want it Internet based, you can access it on any machine with http://51.68.8.248/squirrelmail/src/login.php. (Of course, if you plan to use your IP from your ISP, it would be your own IP address in place of 51.68.8.248.)

If you want to use a domain name, you will need to complete a few extra steps in order to access SquirrelMail at a URL like http://example.org/squirrelmail/src/login.php.

There are many free DNS services where you can set the nameservers to point to your home IP. In fact, your router may even have a free service to complete the task.

In addition to free DNS service, you can install the Linux package called Bind. However, this is likely to be overkill unless you have a couple of static IPs from your ISP and a good business plan from them. This can get costly and become prohibitive for a small website. Therefore, you can just use a free DNS service and point to your IP of your home machine or set it from a VPS or dedicated server.

Once that happens, it all comes down to what Linux box on your home network is used for the Port Forwarding settings of your router. Whatever machine has port 80 will automatically be the host PC for the domain name.

If you want to keep a static IP for your Linux box, you can edit your /etc/network/interfaces file and set a static IP. You can even go a step further by logging into your router and reserving the IP to that device.

The simple code below shows the original lines two and three with new commenting, while the lines under them are new and make the network IP stick to that box. With these changes, when you boot the system it will use the local network address of 192.168.0.109. The gateway is the IP address used by your router.

# interfaces(5) file used by ifup(8) and ifdown(8)
#auto lo
#iface lo inet loopback
auto lo eth0
iface lo inet loopback
iface eth0 inet static
    address 192.168.0.109
    netmask 255.255.255.0
    gateway 192.168.0.1

To make the new changes take place, run the command:

/etc/init.d/networking restart

Now that you are set up and running, you may also want to install the ssh server so that you can connect and manage this system from any desired location where an Internet connection exists. The simple single line of code to install the server is as follows:

sudo apt-get install openssh-server

In order for this to work, make sure to allow port forwarding in your router for this network IP. From all the examples thus far, the IP is 192.168.0.109. Essentially, you could end up port forwarding for multiple ports that have been mentioned throughout the article. If you have SSH access at all times, then you can work with any of your files whenever and wherever you want. For remote users, it’s almost impossible to imagine life without it.

Dealing with spam

That’s about all you need for a fully-functional email server that enables you to send and receive email as you wish. However, there’s one additional consideration in the modern world, and that’s spam. Although there are packages like SpamAssassin that you can install to filter spam, you can begin by trying to keep it simple and eliminate a lot of spam with Postfix.

A helpful file that came with Postfix is /usr/share/postfix/main.cf.dist. This file can help you choose and acquire help on various parameters. One fantastic parameter is smtpd_recipient_restrictions, which can even check against spam lists. A very good web page that helps tremendously is http://www.postfix.org/postconf.5.html.

As this page will explain, you can make a custom whitelist, a blacklist and even a list for which users can send email from your server. The updates take place in the /etc/postfix/main.cf file. Alternatively, try SpamAssassin as below.

Quick tip

Using a static IP and reserving it with your router can save you a lot of headaches compared to changing local area network IPs. If your IP switches, you have to alter the port forwarding in the router and change configuration files to contain the proper IP.

Using SpamAssassin

SpamAssassin is a free package that can be installed to filter spam. Many web hosting companies use SpamAssassin with an email server like Postfix or Exim.

Below is a list of commands that can be used to install, enable and make SpamAssassin work with Postfix.

This setup tutorial is very brief since it will use many default settings. If you want to get down and dirty with its configuration, your potential options and explanations are plentiful enough to fill a book.

sudo -s
apt-get install spamassassin spamc
groupadd spamd
useradd -g spamd spamd
mkdir /var/log/spamd
chown spamd:spamd /var/log/spamd
vi /etc/default/spamassassin

Change

ENABLED=0

to

ENABLED=1

The /etc/default/spamassassin file is where you can configure many options. As you can see below, -s /var/log/spamd/spamd.log was added to the default configuration in order to write to the spamd.log file.

OPTIONS="--create-prefs --max-children 5 --helper-home-dir -s /var/log/spamd/spamd.log"

A complete list of options can be found at the website at http://spamassassin.apache.org/full/3.0.x/dist/doc/spamd.html

To start the SpamAssassin service, run the following command:

sudo service spamassassin start

That takes care of SpamAssassin. Now you need to make a minor alteration to the /etc/postfix/master.cf file, as shown below.

As you can see, the line beginning with submission is uncommented and the new line with -o content_filter=spamassassin is added with whitespace to its left. If you do not allow for whitespace before this line, you will receive an error when you reload Postfix.

submission inet n - - - - smtpd
  -o content_filter=spamassassin
# -o syslog_name=postfix/submission

Once these changes are completed, you can run the service postfix reload command and you are good to go.
