Introduction
We covered the basic foundations of Internet protocols such as Telnet, HTTP, FTP, IMAP, POP3, SMTP and SSH. We also discussed protocol encryption with TLS as a way to protect data from sniffing and MITM attacks. This was part of the TryHackMe Jr Penetration Tester pathway.
The Telnet protocol is an application layer protocol used to connect to a virtual terminal of another computer. Using Telnet, a user can log into another computer and access its terminal (console) to run programs, start batch processes, and perform system administration tasks remotely.
The Telnet protocol is relatively simple. When a user connects, they are asked for a username and password. Upon correct authentication, the user gets the remote system's terminal. Unfortunately, none of the communication between the Telnet client and the Telnet server is encrypted: the credentials and every keystroke and response cross the network in cleartext, making it an easy target for anyone who can capture the traffic.
Hypertext Transfer Protocol (HTTP) is the protocol used to transfer web pages. Your web browser connects to the web server and uses HTTP to request HTML pages, images and other files, to submit forms and to upload files. Any time you browse the World Wide Web (WWW), you are using HTTP, either directly or wrapped in TLS as HTTPS.
HTTP sends and receives data as cleartext (not encrypted); therefore, you can use a simple tool, such as Telnet (or Netcat), to communicate with a web server and act as a “web browser”. The key difference is that you need to input the HTTP-related commands instead of the web browser doing that for you.
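The exchange described above, as an added example that is not part of the original post: a Python client opens a plain TCP socket and sends exactly the bytes you would type after `telnet MACHINE_IP 80`, then parses the status line, headers and body that come back. To keep the example runnable offline it starts a constructed stand-in web server on a loopback port; the page contents and the path `/flag.thm` are illustrative assumptions, not the THM machine's data.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed page served by the stand-in server (not the real flag).
PAGE = b"<html><body>this is where the flag would be</body></html>"


class _Handler(BaseHTTPRequestHandler):
    """Stand-in web server: answers every GET with PAGE and closes the connection."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Bind the stand-in server to a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def build_request(host, path="/"):
    """The bytes a browser (or you, at a telnet prompt) sends: request line, headers,
    then an empty line. Line ends are CRLF; the blank line ends the header block."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def raw_get(host, port, path="/"):
    """Talk HTTP over a bare socket and return (status_line, headers, body)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_request(host, path))
        chunks = []
        while True:                      # server closes the socket when it is done
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")   # headers end at the first blank line
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


if __name__ == "__main__":
    srv, port = start_server()
    status, hdrs, body = raw_get("127.0.0.1", port, "/flag.thm")
    print(status)
    print(body.decode())
    srv.shutdown()
```

Everything `raw_get` sends and receives is visible to anyone capturing the connection, which is the point of the sniffing discussion later on; HTTPS wraps the same request and response in TLS so only the endpoint addresses and sizes remain visible.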
File Transfer Protocol (FTP) was developed to make the transfer of files between computers running different systems efficient. Like Telnet, plain FTP authenticates with a USER and PASS exchange over an unencrypted control connection (port 21 by default) and moves file contents over separate data connections, so both credentials and files can be read off the wire.
Email is one of the most used services on the Internet. There are various configurations for email servers; for instance, you may set up an email system to allow local users to exchange emails with each other with no access to the Internet. However, we will consider the more general setup where different email servers connect over the Internet.
Email delivery over the Internet requires the following components:
- Mail Submission Agent (MSA)
- Mail Transfer Agent (MTA)
- Mail Delivery Agent (MDA)
- Mail User Agent (MUA)
Internet Message Access Protocol (IMAP) is more sophisticated than POP3. POP3 downloads messages to one client and, by default, removes them from the server, whereas IMAP keeps the mailbox on the server. This makes it possible to keep your email synchronized across multiple devices (and mail clients). In other words, if you mark an email message as read when checking your email on your smartphone, the change is saved on the IMAP server (MDA) and replicated on your laptop when you synchronize your inbox.
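A POP3 login and mailbox listing, as an added example that is not part of the original post: a small client drives the USER/PASS, STAT, LIST, RETR and QUIT commands against a constructed stand-in POP3 server started on a loopback port, and records both sides of the dialogue the way you would see it when typing the commands into telnet. The mailbox contents are constructed; the only credential the stand-in server accepts is the frank/D2xc9CgD pair from the challenge questions, used here purely as illustrative data.

```python
import socket
import threading

# Constructed mailbox and credential store for the stand-in server (not the THM VM's data).
MAILBOX = [
    b"From: alice@example.test\r\nSubject: first\r\n\r\nHello Frank\r\n",
    b"From: bob@example.test\r\nSubject: second\r\n\r\nLunch?\r\n",
]
ACCOUNTS = {"frank": "D2xc9CgD"}


def _handle_pop3(conn):
    """Scripted POP3 server: just enough of RFC 1939 to show the dialogue."""
    rfile = conn.makefile("rb")
    user, authed = None, False
    conn.sendall(b"+OK POP3 server ready\r\n")
    for raw in rfile:
        cmd, _, arg = raw.rstrip(b"\r\n").decode(errors="replace").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
            conn.sendall(b"+OK\r\n")
        elif cmd == "PASS":
            authed = ACCOUNTS.get(user) == arg
            conn.sendall(b"+OK Logged in.\r\n" if authed else b"-ERR [AUTH] Authentication failed.\r\n")
        elif cmd == "QUIT":
            conn.sendall(b"+OK Bye\r\n")
            break
        elif not authed:
            conn.sendall(b"-ERR Not logged in\r\n")
        elif cmd == "STAT":          # reply is "+OK <message count> <total octets>"
            conn.sendall(f"+OK {len(MAILBOX)} {sum(map(len, MAILBOX))}\r\n".encode())
        elif cmd == "LIST":          # multi-line reply, terminated by a line holding only "."
            lines = [f"+OK {len(MAILBOX)} messages:"] + [f"{i} {len(m)}" for i, m in enumerate(MAILBOX, 1)] + ["."]
            conn.sendall(("\r\n".join(lines) + "\r\n").encode())
        elif cmd == "RETR" and arg.isdigit() and 1 <= int(arg) <= len(MAILBOX):
            conn.sendall(b"+OK message follows\r\n" + MAILBOX[int(arg) - 1] + b".\r\n")
        else:
            conn.sendall(b"-ERR Unknown command\r\n")
    conn.close()


def start_pop3_server():
    """Listen on a free loopback port; returns (listening socket, port)."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen()

    def loop():
        while True:
            try:
                conn, _ = ls.accept()
            except OSError:          # listening socket closed: stop serving
                return
            threading.Thread(target=_handle_pop3, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return ls, ls.getsockname()[1]


class Pop3Client:
    def __init__(self, host, port):
        self.sock = socket.create_connection((host, port), timeout=5)
        self.rfile = self.sock.makefile("rb")
        self.transcript = []         # both sides of the conversation, as telnet would show it
        self._recv()                 # server greeting

    def _recv(self):
        line = self.rfile.readline().rstrip(b"\r\n").decode(errors="replace")
        self.transcript.append("S: " + line)
        return line

    def cmd(self, line, multiline=False):
        """Send one command; returns (status line, extra lines of a multi-line reply)."""
        self.transcript.append("C: " + line)
        self.sock.sendall(line.encode() + b"\r\n")
        status, extra = self._recv(), []
        if multiline and status.startswith("+OK"):
            while (l := self._recv()) != ".":
                extra.append(l)
        return status, extra


def pop3_session(host, port, user, password):
    """Log in, count messages with STAT, list them and fetch the first one."""
    c = Pop3Client(host, port)
    c.cmd(f"USER {user}")
    status, _ = c.cmd(f"PASS {password}")    # the password crosses the wire in cleartext
    result = {"login": status, "stat": None, "count": None, "first_message": None}
    if status.startswith("+OK"):
        stat, _ = c.cmd("STAT")
        _, listing = c.cmd("LIST", multiline=True)
        _, first = c.cmd("RETR 1", multiline=True)
        result.update(stat=stat, count=len(listing), first_message="\r\n".join(first))
    c.cmd("QUIT")
    c.sock.close()
    result["transcript"] = c.transcript
    return result
```

The STAT reply format (`+OK <count> <octets>`) is what the POP3 challenge question asks you to read off; on a real server the same commands work unchanged, which is also why a capture of this session hands an attacker the password.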
Servers implementing these protocols are subject to different kinds of attacks. To name a few, consider:
- Sniffing Attack (Network Packet Capture)
- Man-in-the-Middle (MITM) Attack
- Password Attack (Authentication Attack)
- Vulnerabilities
From a security perspective, we always need to think about what we aim to protect; consider the security triad: Confidentiality, Integrity, and Availability (CIA). Confidentiality refers to keeping the contents of the communications accessible to the intended parties. Integrity is the idea of assuring any data sent is accurate, consistent, and complete when reaching its destination. Finally, availability refers to being able to access the service when we need it. Different parties will put varying emphasis on these three. For instance, confidentiality would be the highest priority for an intelligence agency. Online banking will put most emphasis on the integrity of transactions. Availability is of the highest importance for any platform making money by serving ads.
Since we are protecting Confidentiality, Integrity, and Availability (CIA), an attacker aims to cause Disclosure, Alteration, and Destruction (DAD).
A sniffing attack refers to using a network packet capture tool to collect information about the target. When a protocol communicates in cleartext, the data exchanged can be captured and analysed by a third party. A simple packet capture can reveal information such as the content of private messages and login credentials if the data isn't encrypted in transit.
A sniffing attack can be conducted with an ordinary Ethernet (802.3) network card, provided that the user has the required privileges (root on Linux, administrator on MS Windows). On a switched network you only see traffic to and from your own host plus broadcasts, so capturing other hosts' sessions needs a mirror port or an active technique such as ARP spoofing. There are many programs available to capture network packets. We consider the following:
- Tcpdump is a free open source command-line interface (CLI) program that has been ported to work on many operating systems.
- Wireshark is a free open source graphical user interface (GUI) program available for several operating systems, including Linux, macOS and MS Windows.
- Tshark is a CLI alternative to Wireshark.
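What a capture of the cleartext protocols above actually gives away, as an added example that is not part of the original post: two small Python parsers pull the login credentials out of the client-to-server payload of a Telnet session and of a POP3/FTP/IMAP session, the way you would after following the TCP stream in Wireshark or saving it from tcpdump with `-w`. Telnet has no login command, so the parser first strips option negotiation (IAC sequences), reassembles the keystrokes the client sent and labels each typed line by the prompt the server printed last. The captures are constructed for the example (the frank/D2xc9CgD pair is the one from the questions, the IMAP account is made up), not traffic from the THM machine.

```python
import re

TELNET_IAC = 0xFF


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop Telnet option negotiation (IAC ...) so only typed or printed text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != TELNET_IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):
            break
        elif data[i + 1] == TELNET_IAC:       # IAC IAC escapes a literal 0xFF data byte
            out.append(TELNET_IAC)
            i += 2
        elif data[i + 1] == 0xFA:             # IAC SB ... IAC SE (subnegotiation)
            end = data.find(b"\xff\xf0", i + 2)
            i = len(data) if end < 0 else end + 2
        elif 0xFB <= data[i + 1] <= 0xFE:     # IAC WILL/WONT/DO/DONT <option>
            i += 3
        else:                                 # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)


def extract_telnet_login(segments):
    """segments: (direction, payload) pairs in capture order, 'C' client->server, 'S' server->client.
    The client sends keystrokes one at a time and the server echoes them, so typed lines are
    reassembled and classified by the last prompt (a server chunk ending in ':')."""
    creds, typed, last_prompt = {}, bytearray(), b""
    for direction, payload in segments:
        text = strip_telnet_iac(payload)
        if direction == "S":
            shown = text.rstrip()
            if shown.endswith(b":"):          # a prompt; plain echo of keystrokes is ignored
                last_prompt = shown.lower()
            continue
        for ch in text:
            if ch in (0x0D, 0x0A):            # end of a typed line
                if typed:
                    value = typed.decode(errors="replace")
                    if last_prompt.endswith((b"login:", b"username:")):
                        creds["username"] = value
                    elif last_prompt.endswith(b"password:"):
                        creds["password"] = value
                    typed.clear()
            elif ch != 0x00:                  # Telnet sends CR NUL for a bare carriage return
                typed.append(ch)
    return creds


def extract_line_login(client_payload: bytes):
    """FTP and POP3 send USER/PASS lines, IMAP sends '<tag> LOGIN user pass': all cleartext."""
    creds = {}
    for line in client_payload.split(b"\r\n"):
        if m := re.match(rb"(?i)^USER\s+(\S+)$", line):
            creds["username"] = m.group(1).decode()
        elif m := re.match(rb"(?i)^PASS\s+(.+)$", line):
            creds["password"] = m.group(1).decode()
        elif m := re.match(rb'(?i)^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?$', line):
            creds["username"], creds["password"] = m.group(1).decode(), m.group(2).decode()
    return creds


# Constructed captures (not from the THM machine), split the way a TCP stream follow shows them.
TELNET_CAPTURE = [
    ("S", b"\xff\xfd\x18\xff\xfd\x20"),                   # server: DO TERMINAL-TYPE, DO NAWS
    ("C", b"\xff\xfb\x18\xff\xfc\x20"),                   # client: WILL TERMINAL-TYPE, WONT NAWS
    ("S", b"Ubuntu 18.04 LTS\r\nlogin: "),
    ("C", b"f"), ("S", b"f"), ("C", b"r"), ("S", b"r"),   # keystrokes and their echo
    ("C", b"ank\r\x00"), ("S", b"ank\r\n"),
    ("S", b"Password: "),
    ("C", b"D2xc9CgD\r\x00"),                              # typed but not echoed by the server
    ("S", b"\r\nWelcome to Ubuntu\r\n$ "),
]
POP3_CAPTURE = b"USER frank\r\nPASS D2xc9CgD\r\nSTAT\r\nQUIT\r\n"
IMAP_CAPTURE = b'a1 LOGIN "alice" "wonderland"\r\na2 LIST "" "*"\r\n'

if __name__ == "__main__":
    print("telnet:", extract_telnet_login(TELNET_CAPTURE))
    print("pop3:  ", extract_line_login(POP3_CAPTURE))
    print("imap:  ", extract_line_login(IMAP_CAPTURE))
```

The same parsers find nothing in an SSH or TLS-wrapped session, because the login exchange is inside the encrypted payload; that is the practical difference between the cleartext protocols and their secured equivalents.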
A Man-in-the-Middle (MITM) attack occurs when a victim (A) believes they are communicating with a legitimate destination (B) but is unknowingly communicating with an attacker (E). In the figure below, A requests the transfer of $20 to M; however, E altered this message and replaced the original value with a new one. B received the modified message and acted on it. Without encryption and integrity protection, neither A nor B has any way to notice the change.
Secure Shell (SSH) was created to provide a secure way for remote system administration. In other words, it lets you securely connect to another system over the network and execute commands on the remote system. Put simply, the “S” in SSH stands for secure, which can be summarized simply as:
- You can confirm the identity of the remote server
- Exchanged messages are encrypted and can only be decrypted by the intended recipient
- Both sides can detect any modification in the messages
The above three points are ensured by cryptography. The first is server authentication: the client checks the server's host key (the ssh client stores it in known_hosts and warns loudly if it later changes). The second is confidentiality, provided by encrypting the session. The third is integrity, provided by a message authentication code on every packet. A key exchange at the start of the connection establishes the session keys that the encryption and MAC algorithms then use.
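The $20 transfer from the MITM figure, replayed with and without integrity protection, as an added example that is not part of the original post. A's message is delivered once over a cleartext channel, where E's edit reaches B undetected, and once with an HMAC-SHA256 tag attached, the same idea as the MAC SSH puts on each packet; E can still rewrite the message but, lacking the key, must forward the old tag, and B's verification fails. The session key is a constructed literal; in SSH the equivalent keys come out of the key exchange.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example; never a hard-coded literal in a real protocol.
SESSION_KEY = b"example-session-key-not-for-real-use"


def make_message(amount: int, payee: str) -> bytes:
    """A's transfer request, encoded the way B will parse it."""
    return json.dumps({"transfer": amount, "to": payee}, sort_keys=True).encode()


def protect(key: bytes, msg: bytes) -> bytes:
    """Append an HMAC-SHA256 tag over the message."""
    return msg + b"." + hmac.new(key, msg, hashlib.sha256).hexdigest().encode()


def verify(key: bytes, packet: bytes):
    """Return the message if its tag checks out, else None (B must refuse to act on it)."""
    msg, _, tag = packet.rpartition(b".")
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest().encode()
    return msg if hmac.compare_digest(tag, expected) else None


def attacker_rewrite(msg: bytes) -> bytes:
    """E, sitting between A and B, changes the amount and the payee."""
    doc = json.loads(msg)
    doc["transfer"], doc["to"] = 2000, "E"
    return json.dumps(doc, sort_keys=True).encode()


def attacker_rewrite_packet(packet: bytes) -> bytes:
    """E can edit the message but cannot recompute the tag without the key."""
    msg, _, tag = packet.rpartition(b".")
    return attacker_rewrite(msg) + b"." + tag


def run_scenario(mitm_present: bool):
    """Deliver A's $20 transfer to B over a cleartext channel and over a MAC-protected one.
    Returns (what B acts on without integrity protection, what B acts on with it)."""
    original = make_message(20, "M")

    cleartext = attacker_rewrite(original) if mitm_present else original
    b_acts_on_plain = json.loads(cleartext)            # B cannot tell it was changed

    packet = protect(SESSION_KEY, original)
    if mitm_present:
        packet = attacker_rewrite_packet(packet)
    checked = verify(SESSION_KEY, packet)
    b_acts_on_authenticated = None if checked is None else json.loads(checked)
    return b_acts_on_plain, b_acts_on_authenticated


if __name__ == "__main__":
    print("no attacker:", run_scenario(False))
    print("attacker:   ", run_scenario(True))
```

The tag gives integrity only: E can still read the amount, so confidentiality needs encryption on top, and a MAC alone does not tell A that the party holding the key is really B, which is why SSH also verifies the server's host key before any of this starts.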
Challenge Answers
- Which port does the telnet command with the default parameters try to connect to?
- Use telnet to connect to MACHINE_IP 80 and retrieve the file flag.thm. What does it contain?
- Using an FTP client, connect to the VM and try to recover the flag file. What is the flag?
  - Username: frank
  - Password: D2xc9CgD
- Connect to MACHINE_IP at the POP3 port. Authenticate using the username frank and password D2xc9CgD. What is the response you get to STAT?
- How many email messages are available to download via POP3 on MACHINE_IP?
- What would you use with sudo tcpdump to capture only Telnet traffic?
- What is the simplest display filter you can use with Wireshark to show only IMAP traffic?
- In how many ways can you invoke Bettercap?
- Connect over SSH as the user mark with the password XBtc49AB. Using uname -r, find the kernel release.
- Use SSH to download the file book.txt from the remote system. How many KBs did scp display as download size?
- Using the username lazie, what is the password used to access the IMAP service on MACHINE_IP?