Pakkestjeling over Telnet
Det er alment kjent at Telnet er en gammeldags og usikker protokoll. Men hvor usikker er den; stemmer det at passordet virkelig sendes i klartekst? Jeg gjorde en liten test.
Serversiden (10.0.0.2)
- Start Telnet-serveren:
sudo service telnet start - Åpne Telnet-porten i brannmuren, port 23 (UDP og TCP)
- Opprett en dummybruker, dummy:passord
Klientsiden (10.0.0.7)
- Start X11
/Applications/Utilitiesog deretter Wireshark:sudo /sw/bin/wireshark - Deretter må riktig «interface» velges. Er du usikker, kjør
ifconfigi Terminalen og se hvilke som er aktive. Dette er sannsynligvis interface «en0». Trykk deretter på Capture -> Start i Wireshark.
NB: Wireshark skal virke med trådløse forbindelser (812.11), men jeg klarte ikke å få den til å samarbeide med AirPort.
- Kjør
telnet 10.0.0.2(adressen vist her må selvsagt byttes ut slik at den passer ditt oppsett), og logg inn med riktig brukernavn og passord. - Kjør en eller annen kommando (jeg valgte «who») og logg av med «exit».
- Stopp Wireshark, Capture -> Stop
- For å eksportere pakkeinfoen velg File -> Export.
Serversiden (10.0.0.7)
- Stopp telnet-serveren:
sudo service telnet stop - Lukk porten i brannmuren og slett dummybrukeren.
Nå, la oss se på noen av pakkene Wireshark sniffet seg gjennom.
No. Time Source Destination Protocol Info
42 3.062669 10.0.0.2 10.0.0.7 TELNET Telnet Data ...
Frame 42 (67 bytes on wire, 67 bytes captured)
Ethernet II, Src: AppleCom_73:-- (--), Dst: AppleCom_37:-- (--)
Internet Protocol, Src: 10.0.0.2 (10.0.0.2), Dst: 10.0.0.7 (10.0.0.7)
Transmission Control Protocol, Src Port: telnet (23), Dst Port: 49178 (49178), Seq: 136, Ack: 168, Len: 1
Telnet
Data: d
No. Time Source Destination Protocol Info
46 3.214600 10.0.0.2 10.0.0.7 TELNET Telnet Data ...
Frame 46 (67 bytes on wire, 67 bytes captured)
Ethernet II, Src: AppleCom_73:-- (--), Dst: AppleCom_37:-- (--)
Internet Protocol, Src: 10.0.0.2 (10.0.0.2), Dst: 10.0.0.7 (10.0.0.7)
Transmission Control Protocol, Src Port: telnet (23), Dst Port: 49178 (49178), Seq: 137, Ack: 169, Len: 1
Telnet
Data: u
Her kan vi kanskje ane et mønster (se nederste linje i hver pakke)? Når jeg blir spurt om brukernavn blir hele brukernavnet mitt, «dummy», sendt pakke for pakke (med ekko). Deretter blir jeg spurt om passord, noe jeg sender. Her er et lite utdrag av de sniffede pakkene vist.
No. Time Source Destination Protocol Info
64 4.689017 10.0.0.2 10.0.0.7 TELNET Telnet Data ...
Frame 64 (75 bytes on wire, 75 bytes captured)
Ethernet II, Src: AppleCom_73:-- (--), Dst: AppleCom_37:-- (--)
Internet Protocol, Src: 10.0.0.2 (10.0.0.2), Dst: 10.0.0.7 (10.0.0.7)
Transmission Control Protocol, Src Port: telnet (23), Dst Port: 49178 (49178), Seq: 143, Ack: 174, Len: 9
Telnet
Data: Password:
No. Time Source Destination Protocol Info
65 4.689043 10.0.0.7 10.0.0.2 TCP 49178 > telnet [ACK] Seq=174 Ack=152 Win=65535 [TCP CHECKSUM INCORRECT] Len=0 TSV=1045912861 TSER=9043538
Frame 65 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: AppleCom_37:-- (--), Dst: AppleCom_73:-- (--)
Internet Protocol, Src: 10.0.0.7 (10.0.0.7), Dst: 10.0.0.2 (10.0.0.2)
Transmission Control Protocol, Src Port: 49178 (49178), Dst Port: telnet (23), Seq: 174, Ack: 152, Len: 0
No. Time Source Destination Protocol Info
66 5.664389 10.0.0.7 10.0.0.2 TELNET Telnet Data ...
Frame 66 (67 bytes on wire, 67 bytes captured)
Ethernet II, Src: AppleCom_37:-- (--), Dst: AppleCom_73:-- (--)
Internet Protocol, Src: 10.0.0.7 (10.0.0.7), Dst: 10.0.0.2 (10.0.0.2)
Transmission Control Protocol, Src Port: 49178 (49178), Dst Port: telnet (23), Seq: 174, Ack: 152, Len: 1
Telnet
Data: p
No. Time Source Destination Protocol Info
67 5.670993 10.0.0.2 10.0.0.7 TCP telnet > 49178 [ACK] Seq=152 Ack=175 Win=65535 Len=0 TSV=9043540 TSER=1045912863
Frame 67 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: AppleCom_73:-- (--), Dst: AppleCom_37:-- (--)
Internet Protocol, Src: 10.0.0.2 (10.0.0.2), Dst: 10.0.0.7 (10.0.0.7)
Transmission Control Protocol, Src Port: telnet (23), Dst Port: 49178 (49178), Seq: 152, Ack: 175, Len: 0
No. Time Source Destination Protocol Info
68 5.838076 10.0.0.7 10.0.0.2 TELNET Telnet Data ...
Frame 68 (67 bytes on wire, 67 bytes captured)
Ethernet II, Src: AppleCom_37:-- (--), Dst: AppleCom_73:--(--)
Internet Protocol, Src: 10.0.0.7 (10.0.0.7), Dst: 10.0.0.2 (10.0.0.2)
Transmission Control Protocol, Src Port: 49178 (49178), Dst Port: telnet (23), Seq: 175, Ack: 152, Len: 1
Telnet
Data: a
Frame 84 viser at jeg nå er logget inn på serveren «neptun» som brukeren «dummy».
No. Time Source Destination Protocol Info
84 7.765168 10.0.0.2 10.0.0.7 TELNET Telnet Data ...
Frame 84 (96 bytes on wire, 96 bytes captured)
Ethernet II, Src: AppleCom_73:-- (--), Dst: AppleCom_37:-- (--)
Internet Protocol, Src: 10.0.0.2 (10.0.0.2), Dst: 10.0.0.7 (10.0.0.7)
Transmission Control Protocol, Src Port: telnet (23), Dst Port: 49178 (49178), Seq: 293, Ack: 183, Len: 30
Telnet
Data: neptun:~ dummy$
NB: — symboliserer en ethernet-adressen, som jeg har valgt å skjule.
Det er helt klart at Telnet ikke er en protokoll man benytter seg av. Den krypterer ikke dataene, som jeg nettopp har vist, og i de fleste implementasjoner er det ingen måte å sjekke om pakkene blir sendt direkte mellom de to kommuniserende maskinene og ikke via en mellomstasjon. SSH er derfor et mye bedre alternativ. I eksempelet vist her har jeg i praksis sniffet mine egne pakker, altså pakker som skulle til den maskinen jeg satt på. Dette er den enkleste måten å teste pakkesniffing på, for man slipper å sørge for at man videresender pakkene, noe man må gjøre om man sniffer en annen maskins pakker.
Mer info:
- Wireshark (offisiell side)
- Wireshark (Wikipedia)
- Data frame (Wikipedia)
- Telnet (Wikipedia)
kristy's blog 
Hey Kristy,
very interesting test! I knew Telnet was unsafe but I hadn’t looked into the details before. Well, it doesn’t make me feel better about my University still using Telnet for mailbox administration.
Do you work with computers, or are you just interested in the topic? I study computer science myself and do server administration in my «free time». I’m particularly interested in IT security, therefore I couldn’t resist reading your post when I saw it in the WP dashboard. ;-)
Sorry I’m writing all this in English, but I’m from Germany and my Norwegian isn’t good enough yet. I understand almost everything, and I get along in everyday situations, but I lack the vocabulary to write something this complex and not make too many mistakes.
Ha det bra,
Annika
Hi Annika,
No, I don’t work with computers. I’m still in college and finishing my degree in electronics engineering, but I’ve always loved computers. Ever since there was a computer in the house I was glued to it, every day. :-)
I’ve looked into a little of everything related to compuers, including security, though not so much. Some password cracking and hashing (like this or this), but this was actually my first time sniffing packets. I’ll definitely look into it more!
I have to say thank you for reading my post, and I must admit I’m very impressed that you know some Norwegian! I’d take it you live here? Don’t be afraid to drop me an e-mail or post here, if you want to discuss computers or think I can help you out with something. :-)
-kristy
Hi Kristy,
yeah, I’ve also been addicted since my parents got their first PC (I must have been around 8). They weren’t so happy at first, but when I got older they were glad someone could help them out if there was trouble ;-)
Yes, this is definitely a fascinating topic. Apart from the PW and hashing stuff and everything having to do with Linux server administration I’ve played around a bit with «wardriving» software (like cracking WEP access) but I have to be careful now since «hacker tools» have recently been made illegal in Germany. Not only using them for illegitimate means, but even possession or distribution of the tools themselves. I hope our government is going to see reason on that!
It was certainly a pleasure reading your post :-) and I’ll certainly visit again. No, I don’t live in Norway. Friends of mine moved there and i love visiting them in the holidays (I was there only last August) so I decided to learn some Norwegian at the «Volkshochschule» (that would be «friundervisning» in Norwegian I think). I hate coming to a country not knowing the language. Luckily, learning languages is not that difficult for me, and I really enjoyed being able to use my Norwegian over the summer. But unfortunately I’m not yet as good as I’d like to be ;-)
Annika
Hi again,
If you’ve done Linux server adminitration, you’ve done a lot more than I have! :-) When I was in high school I had hours and hours free to learn new stuff, but now, in college, it’s definitely not like that anymore. I’ve thought about looking into WEP encryption for a while, but of course I haven’t found any time to yet. Maybe you can give me some pointers?
Do you do programming too? I love programming, but again, I haven’t had much time to program lately. :-/
Its clear, by the way, that the people that banned hacking software in Germany have no idea what they’re talking about. Luckily the Norwegian government haven’t made any such statements yet, but if the EU follows Germany, they’re probably going to follow (even though we’re not a member) too. Luckily we got DVD-jon to se the standards. ;-)
-kristy
Hiho,
if you want to experiment with WEP encryption, I recommend the Aircrack Suite. There you have everything you need and there are good tutorials out there. You might want to try the BackTrack live CD, it’s a really nice Linux (Slax-based) live CD which comes with lots of useful and interesting tools, including said Aircrack. It only works well with certain wireless cards, though. Best would be a Ralink or Atheros chipset since they have much functionality in the firmware.
Studying computer science, I naturally have to do programming at Uni. I enjoy it most of the time, but I don’t want to do software development for a living ;-) I think administration/security suits me more.
I hope you don’t get any such laws in Norway. It’s ridiculous. Admins and IT pros got punished, just like students and hobby-hackers, and the real cyber criminals probably don’t give a damn. Half the German IT pros I know consider moving away… I have no idea what you mean by DVD-jon, could you give me a hint?
Annika
Hi,
I took a brief look at AirCrack today, but it seems it doesn’t support OS X (which is my OS) or any BSDs. Linux source can, but not always, be successfully compiled under Mac OS X. But I’m guessing it doesn’t support Apple’s AirPort card, which is kinda troublesome. Except from beeing damn unstable (I got a kernel panic today due to it), it seems it’s not very supported in open source apps. I better google around some more.. :-)
And, probably a stupid question, do you have to be online with a wireless card to steal the WEP-key? What about a wired connection, as long as you’re connected to a wireless router? And how does the key stealing work?
It’s very important companies can test their security, so banning all those apps I believe will be a huge disadvantage for Germany. Why whould an IT-company want to settle down there now?
DVD-jon is a guy, from Norway, who participated in creating the DeCSS app, opened up the iPhone and removed Apple’s DRM protection from purchased music from the iTunes Music Store. He was also in court against Økokrim (Norway’s central unit for fighting economic crime) – and won! Since he won, ripping a DVD you own is legal in Norway, and the format of CDs and DVDs etc. can be changed – legally. More info here. DVD-jon is always working on something new, which I believe is good for us geeks and our rights. ;-)
-kristy
Edit: I found an app called KisMAC, which looks promising. :-)
Hi,
sorry, but I don’t have much of a clue about Macs. Closest I ever came to one was borrowing a fellow student’s for ten minutes ;-) I’ve only ever worked with Windows and Linux (well, and on Unix servers now and then but I’m far from a Unix expert yet). But I’ve picked up that KisMAC is supposed to be quite good, so you should be okay with that.
The WEP key is only used for wireless connections, so plugging a cable into the router won’t help. You steal the key by capturing the packets sent out by the AP (therefore it won’t work when there is no traffic; beacon packets DON’T work) then decrypting them.
I 100% agree with that statement. As I said, many IT guys here in Germany even consider leaving (who wants to go to jail or get fined for doing a job he or she loves and has worked hard to be good in?) so I don’t think many foreigners would come here voluntarily atm. Soon we’ll be a developing country or sth when it comes to IT security…
Thanks for the info about DVD-jon. We weren’t as lucky here. In Germany, you are not even allowed to make a backup copy of your music CDs if they are copy-protected (which they technically all are, of course you could circumvent that but simply the fact the protection is there makes burning illegal).
Annika
Aircrack-ng kjører på *BSD, så det skulle finnes håp for OS X også.
Det er en stor skam at folk fremdeles bruker WEP, og det verste er at det finnes _bedrifter_ som gjør det. WEP-standarden skulle aldri ha blitt tatt i bruk i utgangspunktet, når skal bransjen forstå at man ikke kan sette vanlige IT-folk til å utvikle slike ting? Kryptografi bør overlates til folk med doktorgrad i matematikk og mange års erfaring med krypto. Ikke en vilkårlig utvikler som tenker «siden jeg jobber som IT-profesjonell er jeg selvfølgelig skikket til å utvikle kryptografiske implementasjoner».
Interesting point Kristian(sorry, but I still don’t trust my Norwegian enough for an answer, nor an average German laptop keyboard which misses half the letters I’d need)! But the other side of it is (as for example Bruce Schneier often mentions) that people who are very good at cryptography and math often tend to develop stuff that is very good in theory but not practical at all. So people make stupid mistakes using it, or the implementation is all wrong and causes security breaches. So imho crypto guys and IT (security) experts have to work together more closely in order to make it work.
Regarding the lack of the letters:
In Linux it is super-easy to add letters.
Use «US International» as keyboard, then ALTGR + key will give you the different ones.
E.g
ALTGR+Z = æ
ALTGR+L = ø
ALTGR+W = å
(For Norwegian users, or for communicating with Norwegians and Danes)
ALTGR+P = ö
ALTGR+Q = ä
ALTGR+W = å
(for Swedish users, or for communicating with Swedes)
Regarding Telnet:
There is telnet-ssl , which works over ssl.
(I might jump in on the WEP / WPA / WPA2 later)