Notes on my research into topics involving Linux, network security, pentesting, network/computer forensics and more. My intention is to use the knowledge for good and to raise awareness of cyber security threats and other vulnerabilities. Therefore, as I learn, you can learn too.
Wednesday, December 16, 2009
Replaying captured web traffic using ncat
If you are not familiar with the whole idea of replaying a packet, then you should get to googling. The basic idea behind this methodology is to sniff and capture interesting information from either the client or the server, then replay it. By doing this you can mimic a certain client's request or a server's response and vice versa. In my demo, I will demonstrate how I was able to capture a user's 'GET' request for a website (in my demo, www.ask.com) and the server's response, and then use the captured response to replay the same data that www.ask.com responds with to the client's request. This has the effect of mimicking a site and in some ways tricking a user into believing they are at the website www.ask.com when they are actually connected to your machine. Not as fun as gaining a shell, but with your imagination you can come up with ideas for interesting packets to replay that can form the basis for some more fun stuff.
Steps:
Use Wireshark to capture packets of a user making a request for www.ask.com in their web browser.
Use a display filter for that TCP stream and follow the stream so that only the server's response is shown. Save the data of the server's response to a file.
Start up ncat to replay the saved response data: "# ncat --send-only -l 80 < response"
Use a web browser to connect to your 'fake' ncat web server.
If you practice this on a few websites, you will notice that not all of the page's content is displayed. If you have written HTML before, you should already know why: the captured stream holds only the one response, and the images, scripts and stylesheets the page references have to be fetched separately, which the replay cannot answer. If you wanted to get crafty and edit the packets to change some directory paths, that would get things up and running, but to me it is not worth the effort since I am no criminal. YES, if you actually take the time to modify the response so that all of the original website's content shows, then you more than likely have some evil intentions in mind.
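Seen from the receiving side, a replayed response is a frozen snapshot, and that is what gives it away. The following is an added example, not code from the original post: it parses a raw HTTP response the way it would be saved from a capture and flags two cheap replay indicators, a Date header that has not advanced (the server stamped it when the capture was taken, not now) and a Content-Length that no longer matches the body (a stream cut short when it was saved). The sample response is constructed for illustration; only the host name and date come from the post, and the five-minute staleness threshold and the two observation times are assumptions.

```python
"""Inspect a captured HTTP response for signs that it is being replayed.

Added example; not code from the original post. The sample response below is
constructed: the host name and date follow the post, the HTML is made up.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

# Constructed sample standing in for a response exported from a packet capture.
SAMPLE_BODY = (
    b"<html><head><title>Ask.com</title></head>"
    b'<body><img src="/images/logo.gif"><p>Search</p></body></html>'
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 16 Dec 2009 15:04:05 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(SAMPLE_BODY)
) + SAMPLE_BODY

# Two assumed observation times for the sample: two minutes after the capture
# (looks live) and a month later (a replay of a stale snapshot).
SEEN_LIVE = datetime(2009, 12, 16, 15, 6, 5, tzinfo=timezone.utc)
SEEN_MONTH_LATER = datetime(2010, 1, 16, 15, 6, 5, tzinfo=timezone.utc)


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status line, lower-cased headers, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_replay(raw: bytes, now: datetime,
                 max_age: timedelta = timedelta(minutes=5)) -> Dict[str, object]:
    """Return replay indicators for one response as observed at time `now`."""
    status, headers, body = parse_response(raw)
    age_seconds: Optional[float] = None
    stale_date = False
    if "date" in headers:
        sent = parsedate_to_datetime(headers["date"])
        if sent.tzinfo is None:  # a "-0000" zone parses as a naive datetime
            sent = sent.replace(tzinfo=timezone.utc)
        age_seconds = (now - sent).total_seconds()
        stale_date = age_seconds > max_age.total_seconds()
    declared = headers.get("content-length")
    declared_len = int(declared) if declared is not None and declared.isdigit() else None
    # A saved stream that was truncated carries fewer body bytes than it declares.
    length_mismatch = declared_len is not None and declared_len != len(body)
    return {
        "status": status,
        "date_age_seconds": age_seconds,
        "stale_date": stale_date,
        "declared_length": declared_len,
        "actual_length": len(body),
        "length_mismatch": length_mismatch,
        "suspect_replay": stale_date or length_mismatch,
    }


if __name__ == "__main__":
    # Anyone fetching the replayed sample today sees a Date header years old.
    for key, value in check_replay(SAMPLE_RESPONSE, datetime.now(timezone.utc)).items():
        print(f"{key}: {value}")
```

The Date check is the one that matters in practice: a real server stamps each response with the current time, whereas a listener feeding a saved file repeats the same stamp on every connection, so a proxy or IDS comparing Date against its own clock will flag the replay on the first response it sees. The length check catches the other common artifact of saving a stream from a capture, a body that ends early.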