This article continues the series of publications describing practical hacking and attacking techniques involving makeshift devices that can be easily assembled at home. You will learn how to gain unauthorized access to protected information and how to protect your own data from such attacks. The previous article in this series was Cold boot attack. Dumping RAM with a memory stick.
The attack described below is truly of genius in its simplicity and originality. It involves half-duplex sniffing of traffic transmitted via an RJ45 twisted pair cable (i.e. only half of the traffic is intercepted: either incoming or outgoing one).
The idea to sniff twisted pair cables isn’t new, but it’s still relevant today due to their widespread occurrence. Even though optic cables became increasingly popular nowadays, an oldie-goodie twisted pair can still be found in almost every lobby or corridor of a residential or office building. In residential buildings, you can see such wires stretching to almost every apartment. Sometimes it looks like this.
As you can see, your home traffic can be easily intercepted. Also, you can find a twisted pair cable in any modern office.
In other words, such an attack can be delivered from any place where you have unobstructed access to twisted-pair wires: a corridor in an office building or a lobby in residential premises.
In most cases, twisted pairs occur within the ‘last mile’, right next to customer devices. Optic cables are used to transmit data over long distances between houses or territorial offices of companies; this means that you won’t be able to sniff an entire residential building or a company.
The RJ45 cable consist of four pairs of wires that differ in color. Each pair represents two wires twisted together.
Each pair performs its own function:
- green – data receiving;
- orange – data transfer;
- brown – PoE-, data transfer back and forth at 1000 Mbps; and
- blue – PoE+, data transfer at 1000 Mbps.
Incoming and outgoing network traffic goes via a certain pair of wires, while bytes are encoded by simply changing the electrical signal characteristics in them.
To deliver this attack, you’ll need an Ethernet network card and a twisted pair segment consisting of only two wires. You can either craft such a cable yourself, or buy it in a specialized store, or modify a standard patch cord.
You will only need the RX pair (the first and second wires), implemented in the form of an RJ45 connector as shown below.
On the other side of the cable, you connect the first and second wires to regular crocodile clips. As a result, you get the cable shown below.
In this particular case, the white crocodile represents the positive contact; while the black one, the negative contact. This modified cable should be connected directly to the attacker’s network card.
Traffic sniffing is implemented by connecting these crocodiles to either the orange or green pair as shown below.
The external insulation of the target cable should be gently cut with a utility knife. To ensure that wires aren’t damaged, cut along them. There is no need to remove the insulation from the wires: just slightly squeeze the crocodiles, and they will penetrate the insulation at connection points.
Push the clips until packets appear on the sniffer of the network card connected to the other end of your cable as shown below.
The attack shown above is delivered from an Android smartphone. Some external network cards are automatically identified by Android; so, all you need are root privileges. The picture below shows how such an attack can look on a test system.
The phone successfully dumps traffic going from one laptop to another (only in one direction). Concurrently, the fact of sniffing cannot be detected in any way since no additional hops (traceroute) appear between the laptops. Now let’s use utilities that extract accounts and downloaded files from traffic:
#!/bin/bashsudo ethtool -s eth0 speed 100 duplex half autoneg off
sudo ethtool eth0 | grep Speed
sudo tcpdump -i eth0 -nn -w $dumpfile &
tcpdump=$!tmux new-session -d -s rj45 'sudo tcpdump -i eth0 -nn'tmux split-window -v -t rj45 'sudo /opt/net-creds/net-creds.py -i eth0'tmux split-window -v -t rj45 'sudo tcpxtract -d eth0'tmux a -t rj45
sudo kill $tcpdumpls -lh $dumpfile
This script not only saves traffic to a file for subsequent analysis, but also conveniently divides the phone screen into three areas displaying outputs of different utilities (see below).
The upper part of the screen represents tcpdump and shows half of the sniffed traffic. The central section represents the net-creds utility that extracts credentials from traffic. Important: using crocodiles, the NetNTLM hash has been extracted at the moment the computer was connected to the network drive! The lower portion of the screen represents tcpxtract that extracts files by their signatures regardless of the data transmission protocol. As you can see, the phone has successfully saved a picture downloaded via FTP.
No home or corporate networks were harmed in the course of the above demonstration. But you understand how easily the test components can be replaced by real-life targets.
It must be noted that sniffing is only possible when the connection speed is 10 or 100 Mbps, and four wires (orange and green pairs) are used (a four-wire cable). Eight-wire cables transmit data at a speed of 1000 Mbps. However, even if the cable consists of eight wires, network cards often cannot communicate at 1000 Mbps. For instance, in the figure above, the cable is only a few meters long and all eight wires are available; however, the network cards continue to operate in the 100-Mbps mode that is vulnerable to sniffing.
If you encounter a twisted pair with an active connection at 1000 Mbps, you won’t be able to intercept traffic with two crocodiles. However, it was established experimentally that if you cut one of the additional pairs of wires required to provide a speed of 1000 Mbps (blue or brown), then, after a few seconds, the system will automatically downgrade to 100 Mbps, thus, enabling you to connect crocodiles and sniff traffic.
Some companies use PoE to power IP phones over a twisted pair in their networks, and the additional (blue and brown) wires are used for this purpose. Accordingly, such networks don’t support the 1000-Mbps mode.
The demonstrated attack involves passive traffic sniffing ‘on the fly’ and doesn’t modify traffic. Of course, you can actively intervene in the transmitted traffic and deliver, for instance, an SSLsplit (certificate substitution) attack – but this requires sufficient skills: you must cut the wire very quickly, crimp it from both sides, and then ‘jump’ into the middle. But since this technique is ‘dirty’ and primitive, it’s beyond the scope of this article.
Of course, the above-described method involving crocodiles cannot be considered perfectly ‘clean’: you have to cut, albeit slightly, the external insulation of the twisted pair. However, this doesn’t affect the cable operation in any way, and the connection isn’t disrupted.
The widespread use of SSL/TLS nowadays has significantly reduced risks associated with such passive sniffing. However, some protocols still use open authentication, including well-known network drives, FTP, HTTP-Basic proxy authentication, etc. And corporate networks often have such security holes.
Therefore, it’s extremely important to pay due attention to cable security. Network cables must never be located in uncontrolled places. To prevent their exposure to hackers, use boxes, cable ducts, or buried cable laying. Good luck!