Like most of the attacks in the book, there is more than one method to launch Phoenix’s attack. Phoenix’s goal is essentially to monitor traffic to and from Mr. Minutia’s machine. When deciding on a method, Phoenix needs to factor in how “loud” that method is going to be on the network. Attacks easily detected by intrusion detection or prevention systems (IDS/IPS) are “noisy” or “loud” because they trigger alarms and notify administrators of their existence. There are times when an attacker wants to be noisy, such as when launching a diversion attack to distract administrators while launching a stealthier attack, but the majority of the time an attacker wants to perform an attack that is not easily spotted by IDS/IPS software. Phoenix wants his attack to be precisely targeted and quiet.
Most networks use switches, but switches send traffic to and from only the devices that need to communicate with each other. Other devices would not necessarily be privy to communication between other computers, so Phoenix will not be able to see this traffic without a planned attack.
To understand Phoenix’s attack method, you need to understand how switches work. In Figure 2.2, when User A sends a frame to User B, the switch records the source MAC (Media Access Control) address of User A in its MAC address table. It then looks up the destination MAC address (User B) in its table. If it does not have the destination MAC address in its table, the switch forwards the frame out all ports (Fa0/2 and Fa0/3, in this example).
Figure 2.2 Switch operations, part 1
Now examine Figure 2.3. In this figure, User B is sending traffic back to User A. The switch will record the source MAC address (User B) in its MAC address table and look up the destination MAC address (User A). Because it already has an entry for UserA, it forwards the frame only out Fa0/1 to User A. User C, connected to Fa0/3, will not receive any of the traffic between User A and User B. If Phoenix is User C, he will not be seeing Mr. Minutia’s traffic. But he is going to change this.
Figure 2.3 Switch operations, part 2
If you are User C and you want to see the traffic between User A and User B, there are several loud methods you can undertake:
- Gratuitous address resolution protocol (ARP) messages for individual hosts (ARP poisoning)
- MAC spoofing
- MAC flooding
You can learn more about these loud methods in the next section, but Phoenix’s approach is different.
As an alternative to the loud approach, Phoenix can take a quieter approach to avoid detection. Because Phoenix wants to capture the traffic of only a single user (his boss), Phoenix does not need to perform ARP poisoning, MAC spoofing, or MAC flooding.
Instead, Phoenix needs to chain several exploits to get Mr. Minutia inadvertently to install packet capturing software on his computer. His boss will not blindly install software he does not recognize, so Phoenix will first set up a phishing scam to trick his boss into installing software he thinks is legitimate. A phishing scam is when a user is tricked to go to a Web site that looks like a legitimate Web site, but in fact is run by a malicious hacker. Phishing scams are often used to capture login information because the user logs in to the Web site thinking it is a trusted site, but Phoenix’s will use the scam to have his manager download software that appears legitimate.
The software Mr. Minutia downloads from the phishing site will be bound with a Trojan horse application that Phoenix will use to establish a backdoor into his manager’s computer. His boss will have no idea that the Trojan is installed. After connecting, Phoenix will use the Trivial File Transfer Protocol (TFTP) to download a command-line packet-capturing tool. This tool will capture traffic to a log file that Phoenix will transfer back to his computer. Back on his computer, Phoenix will open up the log file and see what his boss is doing. Because his boss will have transferred images as well as text across the network, Phoenix will reassemble the image file using a hex editor so that he can see the pictures his boss is viewing.
In summary, the steps Phoenix will take are
- Copy a Web site and host it on Phoenix’s server.
- Bind a backdoor Trojan (Netcat) with legitimate executable.
- Send e-mail to his boss, Mr. Minutia, requesting that he download the free executable. His manager will install the executable and, subsequently, install Netcat.
- Use Netcat to connect to his manager’s machine.
- Use TFTP to download WinDump onto his manager’s machine.
- Capture traffic as his manager goes to a Web site.
- Analyze traffic sent to and from his manager’s computer using Wireshark.
- Use a hex editor to rebuild a graphic (.JPG) captured by WinDump.