Hacking by Solis Tech: How to Hack Computers, Basic Security and Penetration Testing (2014)
Chapter 24: Going Undercover in Your Own Network
You are aware that there are a number of attacks launched using the network, which means that hackers do consider access points to be among the most vulnerable aspects of any information technology fortress. If you remember the Heartbleed incident, you would realize that even top corporations can be easily exploited over the network, even causing their more advanced systems to suddenly spit out confidential and encrypted information about their clients. If they are vulnerable, then so are you.
If you suspect that your system has been attacked over your network, or someone has announced that they are going to hack you, then you have every reason to monitor what is going on in your network and try to find out who your attacker might be. In this chapter, you will also learn what a forensic investigator can gather about an attacker during a network investigation.
Example Problem Scenario
Your browser is behaving badly and your homepage keeps redirecting to a page that tells you that your computer is infected with a virus, and then prompts you to purchase a specific antivirus program. In addition, your computer starts lagging and you see too many ads popping up. Not only does this disrupt your work, but it also eats up the resources of your computer.
At this point, you are certain that your computer has been infected. You want to know what it is, and where the infection came from.
If you already have Kali Linux (yes, the tool suite that can also be used to launch a network attack), then you already have the tool for this job: Wireshark. You can find it in the Network Traffic Analysis dropdown menu. This interface can create a live capture of your network’s traffic and then analyze the information that is being sent and received on your access points.
Launch Wireshark and start a live capture. You can do that by clicking Capture (in the menu at the top) and then selecting the active interface.
You will see three panes on your screen. The pane in the upper portion lists the packets that you are receiving, along with some information about each of them. The middle pane shows you all the bits in your traffic and the packet header’s bytes. The lower pane shows you the packet contents both in ASCII and in hexadecimal.
If you look at the contents of the packets, you will probably see a messenger packet coming from a device somewhere on the Internet. You can have a closer look at this packet by clicking on it and then inspecting the details that appear in the white middle pane.
If you know that messenger services on your network are disabled, then no such activity should be happening at all. You may also notice an ICMP packet in the list saying that the destination of your request is unreachable. This is most likely suspicious activity.
Scan the Traffic then Filter It
If you are online, you will see that your computer is receiving a lot of traffic. With a tool like Wireshark, however, you can select just the traffic that you are interested in and verify the data that you are receiving. At the same time, you can inspect packets and separate the safe ones from the suspicious ones. For example, you may see that you are receiving traffic from your reliable antivirus program. When that happens, you can remove it from all the other packets in the window, since you already know that this specific traffic is coming from a reliable device. To hide the ones that you have already inspected, use this display filter syntax, wrapping the comparison in parentheses so that the negation applies to the whole test:
!(ip.addr == <IP address of traffic>)
After doing that, you can focus your attention on the other traffic that could potentially be harmful to your computer.
Start Looking at DNS Queries
Check the other traffic that you see in the window. You will probably see that your computer (look for your own IP address) is making standard queries over the DNS protocol to a site that you do not remember accessing while you were using your computer. If you know that you are not currently viewing any site and your computer still behaves this way, you can treat that as suspicious activity.
Now check the other packets. If your computer’s host appears to be requesting downloads from an unknown site, then it is very likely that your computer has a rootkit and the malware is reporting back to its source! The good thing is that you already know where the rootkit is coming from, and you can run a malware scan to remove it from your system. If you think the rootkit is causing you serious damage, save the capture results to serve as evidence against the culprit when you report them to the authorities.
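As an added example that is not part of the book, here is a small Python script that applies the checks from this and the previous section (hide traffic involving a trusted address, then list the DNS queries, download requests and ICMP unreachable replies you did not expect) to a packet summary shaped like Wireshark’s packet list. The IP addresses, domain names and packet records are constructed for the example, as are the trusted and expected lists you would fill in yourself.

```python
from collections import Counter

# Constructed packet summary, shaped like Wireshark's packet list:
# (time_s, src_ip, dst_ip, protocol, info). Not a real capture.
PACKETS = [
    (0.10, "203.0.113.5", "192.168.1.20", "TCP", "443 -> 51000 [PSH, ACK]"),   # antivirus update server
    (0.25, "192.168.1.20", "192.168.1.1", "DNS", "Standard query A updates.example-av.test"),
    (0.40, "192.168.1.20", "192.168.1.1", "DNS", "Standard query A news.example.test"),
    (0.55, "192.168.1.20", "192.168.1.1", "DNS", "Standard query A cdn7-update.bad-example.test"),
    (0.70, "192.168.1.20", "198.51.100.9", "HTTP", "GET /dl/update.exe HTTP/1.1"),
    (0.90, "198.51.100.9", "192.168.1.20", "ICMP", "Destination unreachable (Port unreachable)"),
]

MY_IP = "192.168.1.20"                 # the host under investigation (constructed)
TRUSTED_IPS = {"203.0.113.5"}          # e.g. your antivirus vendor (constructed)
EXPECTED_DOMAINS = {"updates.example-av.test", "news.example.test"}  # sites you knowingly use

def drop_trusted(packets, trusted=TRUSTED_IPS):
    """Same effect as the display filter !(ip.addr == x): hide packets to or from trusted hosts."""
    return [p for p in packets if p[1] not in trusted and p[2] not in trusted]

def unexpected_dns_queries(packets, expected=EXPECTED_DOMAINS, me=MY_IP):
    """Domains our host looked up that are not on the list of sites we knowingly visit."""
    return [info.split()[-1]
            for _, src, _, proto, info in packets
            if src == me and proto == "DNS" and info.startswith("Standard query")
            and info.split()[-1] not in expected]

def downloads_from_unknown_hosts(packets, me=MY_IP, trusted=TRUSTED_IPS):
    """HTTP download requests our host sent to servers that are not on the trusted list."""
    return [(dst, info) for _, src, dst, proto, info in packets
            if src == me and proto == "HTTP" and info.startswith("GET ") and dst not in trusted]

def unreachable_replies(packets, me=MY_IP):
    """ICMP 'unreachable' replies to our host, counted per sender: odd when we are idle."""
    return Counter(src for _, src, dst, proto, info in packets
                   if dst == me and proto == "ICMP" and "unreachable" in info.lower())

if __name__ == "__main__":
    remaining = drop_trusted(PACKETS)
    print("packets left after hiding trusted hosts:", len(remaining))
    print("unexpected DNS queries:", unexpected_dns_queries(remaining))
    print("downloads from unknown hosts:", downloads_from_unknown_hosts(remaining))
    print("ICMP unreachable replies by sender:", dict(unreachable_replies(remaining)))
```

On a real capture, export the packet list from Wireshark (File > Export Packet Dissections > As CSV) and load those rows into the same tuple shape before running the checks.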
Detecting Possible DoS Flood Signatures
Since you read about DoS attacks in an earlier chapter, you might also be very interested in how you can tell whether your ports are being flooded by a hacker attempting to deny your service. With Wireshark, you can detect the signs of waves of packets being sent to you by a criminal hacker.
Here’s a typical scenario for packet floods such as DoS attacks: if a criminal hacker wants to flood you, he will want to conceal his identity by spoofing the IP address of each packet that he sends you. Criminal hackers do this because they know very well that many commercial firewalls find it easy to detect flooding from a single source and then blacklist that IP. Of course, if a huge wave of traffic looks like it is coming from a single source in a short amount of time, then you can simply stop the connection coming from that address.
When looking for a DoS attack, run a Wireshark capture and look at the ports that are receiving traffic. If you see that too many IPs are sending traffic to a single port, and that their packets are arriving at suspiciously short intervals, then you know that someone is trying to take down (or at the very least, bog down) your network.
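As an added example that is not part of the book, here is the flood heuristic described above written out in Python: a sliding window that reports any port hit by many distinct source IPs with tiny gaps between packets. The capture records, the spoofed-source burst and the thresholds are all constructed; on a real capture you would export the packet list from Wireshark and tune the thresholds to your own traffic baseline.

```python
from collections import defaultdict

def build_sample():
    """Constructed capture: 20 s of normal traffic to port 443 from five LAN hosts,
    plus a 0.6 s burst of 300 packets to port 80 from 250 spoofed source addresses."""
    pkts = [(t * 0.5, "192.168.1.%d" % (10 + t % 5), 443) for t in range(40)]
    pkts += [(5.0 + i * 0.002, "203.0.113.%d" % (i % 250 + 1), 80) for i in range(300)]
    return sorted(pkts)   # records are (time_s, src_ip, dst_port)

def flood_signatures(packets, window_s=1.0, min_sources=50, max_mean_gap_s=0.01):
    """Slide a window over each port's traffic and report, per port, the window with the
    most distinct sources that also shows a mean inter-arrival gap below the threshold.
    Returns a list of (port, window_start_s, distinct_sources, mean_gap_s)."""
    by_port = defaultdict(list)
    for t, src, port in packets:
        by_port[port].append((t, src))
    hits = []
    for port, recs in by_port.items():
        recs.sort()
        best, start = None, 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window_s:   # shrink window from the left
                start += 1
            win = recs[start:end + 1]
            if len(win) < 2:
                continue
            sources = len({s for _, s in win})
            mean_gap = (win[-1][0] - win[0][0]) / (len(win) - 1)
            if sources >= min_sources and mean_gap <= max_mean_gap_s:
                if best is None or sources > best[2]:
                    best = (port, win[0][0], sources, round(mean_gap, 4))
        if best:
            hits.append(best)
    return hits

if __name__ == "__main__":
    for port, start, sources, gap in flood_signatures(build_sample()):
        print("possible flood on port %d from t=%.1fs: %d distinct sources, mean gap %.4fs"
              % (port, start, sources, gap))
```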
Making Sure that Your Network is Safe
By making sure that you notice whenever someone sends you a port scan, you can secure your network and prevent network-related attacks. The only proven way to do this is to have a person monitoring the traffic coming into your system and making sure that all data requests arriving from the Internet are legitimate. Once there is suspicious activity going on, it is time for you, the ethical hacker, to carry out the next step in thwarting a possible attack.
What can you do during a possible attack? You can simply try to find all the suspicious incoming connections and then block them from connecting to you. This way, you do not have to deny service to anyone who should really be accessing your network, which matters if your business depends on being able to offer access. In other words, always consider the possible repercussions of every step you take against possible attacks.