Having recently joined a large security company, we'd been discussing TOR during training, and then I spoke to a friend about TOR being in the news a lot lately. So I've decided to do some ongoing investigative research into TOR. Before we get deeply involved with the networking, I'm going to make sure all my readers have a basic understanding of protocols. For this post, we'll be taking a quick look at an unencrypted protocol: Telnet.
The first step is to go to 'Programs and Features' and turn on the Windows feature 'Telnet Server'. It was at this point that I actually learned something very interesting during the course of this post: "Local Users and Groups" has been taken out of non-Pro versions of Windows 8/8.1. This is rather annoying, because when you try to Telnet INTO Windows 8, the user you're telnetting in as needs to be a member of the "TelnetClients" group. As you cannot seem to do this via the GUI, we'll have to do it from the command line; Rich Baldry over at SuperUser.com posted the command you'll need if you wish to replicate this post.
So in my case, I had to open a command prompt and type in: net localgroup TelnetClients Simon /add
Use the command 'net localgroup' as follows. This works on non-Pro Win 8 as well.
- Open a privileged command prompt: Open Explorer and search for 'cmd.exe'. When it appears in the file list, right-click and select 'Run as Administrator'.
- Run the command: In the privileged command prompt window, enter the command as follows:
  net localgroup [groupname] [username] /add
To see a list of local groups available, just type: net localgroup
To see other options, type: net help localgroup
After making sure the Telnet server service was turned on in Windows 8, I started up Kali Linux so I could telnet from Kali over to Windows 8. I should mention that both Windows 8 and Kali were virtual machines. On my local computer, I had Wireshark running, capturing the packets that were flying around the network.
The first Telnet packet in the capture shows that the following TCP flags were set: PSH and ACK. PSH is short for PUSH, and all you need to know is that TCP buffers data, and without a PSH flag the data won't be pushed up to the application immediately. If you want a more in-depth look at PSH, click here.
A quick look at Wireshark's Protocol Hierarchy Statistics shows that the traffic was carried over IPv4 and that a significant amount of it was TCP and Telnet. As we know, Telnet uses TCP and operates on port 23.
Just to make the point, Kali's port 57600 was sending traffic to Windows 8's port 23. Port 57600 is being used with the Transmission Control Protocol, aka TCP. TCP is a connection-oriented protocol, and it requires what is known as a 'handshake' to set up end-to-end communication. Only once the connection is set up can a user's data be sent bi-directionally over it.
It's important to note that TCP guarantees that the data sent on port 57600 is delivered in the same order in which it was sent, whereas UDP does NOT: UDP on port 57600 would give no such guarantee, whereas TCP on port 57600 does.
Security
So now, as an attacker, let's see what I've just picked up:
Oh dear. If this was a real scenario, the attacker would have just got my username AND password. They can also see the commands I ran whilst I was using Telnet. This is why Telnet isn't really used anymore (or shouldn't be, although I have seen it running in an IT environment before!).
So in my next post we'll move on to SSH, and then we'll begin working out how TOR works. This wasn't even the tip of the iceberg. SSH sniffing will be posted here around 30th June.
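To make the Wireshark observations above concrete (the PSH/ACK flags, the IPv4 > TCP > Telnet hierarchy, and the fact that the login shows up in cleartext), here is an added example written for this post; it is not code from the original article or from Wireshark. It constructs a handful of raw IPv4+TCP packets inline (no pcap file, no Ethernet frame), decodes the TCP flags, tallies the protocol hierarchy, strips Telnet's IAC option negotiation, and reports any session where a password prompt was answered in the clear, which is the alert a network monitor would raise on Telnet traffic. The addresses 10.0.0.5:57600 and 10.0.0.8:23, the username Simon and the password hunter2 are constructed sample values, not from the post.

```python
"""Decode constructed Telnet-over-TCP packets and flag cleartext logins.

Added example (not from the original post). Packets are built inline as raw
IPv4+TCP bytes with zeroed checksums; endpoints and credentials are assumed.
"""
import struct
from collections import Counter

TELNET_PORT = 23
IAC, SB, SE = 255, 250, 240                 # Telnet command bytes (RFC 854)
WILL, WONT, DO, DONT = 251, 252, 253, 254   # option negotiation commands
SYN, ACK, PSH = 0x02, 0x10, 0x08
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def build_packet(src, sport, dst, dport, flags, payload=b""):
    """Build a minimal IPv4+TCP packet (constructed sample data, no checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def parse_packet(raw):
    """Return addresses, ports, flag names and payload of an IPv4/TCP packet."""
    ihl = (raw[0] & 0x0F) * 4              # IPv4 header length in bytes
    if raw[9] != 6:                        # protocol field: 6 is TCP
        return None
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    tcp = raw[ihl:]
    sport, dport, _seq, _ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off_res >> 4) * 4          # TCP header length in bytes
    names = [n for bit, n in sorted(TCP_FLAG_NAMES.items()) if flags & bit]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": names, "payload": tcp[data_off:]}


def strip_telnet_negotiation(data):
    """Remove IAC command/option sequences, leaving only user-visible text."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        cmd = data[i + 1] if i + 1 < len(data) else None
        if cmd == IAC:                     # escaped literal 0xFF byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                    # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (WILL, WONT, DO, DONT):  # three bytes: IAC cmd option
            i += 3
        else:                              # any other two-byte command
            i += 2
    return bytes(out)


def analyse(packets):
    """Tally the protocol hierarchy and reconstruct cleartext Telnet sessions."""
    hierarchy = Counter()
    sessions = {}
    for raw in packets:
        pkt = parse_packet(raw)
        if pkt is None:
            continue
        hierarchy["IPv4"] += 1
        hierarchy["TCP"] += 1
        if TELNET_PORT not in (pkt["sport"], pkt["dport"]):
            continue
        hierarchy["Telnet"] += 1
        to_server = pkt["dport"] == TELNET_PORT
        client = (pkt["src"], pkt["sport"]) if to_server else (pkt["dst"], pkt["dport"])
        sess = sessions.setdefault(client, {"client": client, "prompts": b"", "typed": b""})
        sess["typed" if to_server else "prompts"] += strip_telnet_negotiation(pkt["payload"])
    findings = []
    for sess in sessions.values():
        prompts = sess["prompts"].decode("ascii", "replace")
        typed = sess["typed"].decode("ascii", "replace")
        if "password" in prompts.lower():  # a password prompt answered in the clear
            findings.append({"client": sess["client"], "prompts": prompts,
                             "typed": typed.splitlines()})
    return hierarchy, findings


# Constructed sample session: three-way handshake, then the login exchange.
CLIENT, SERVER = ("10.0.0.5", 57600), ("10.0.0.8", 23)
SAMPLE_PACKETS = [
    build_packet(*CLIENT, *SERVER, SYN),
    build_packet(*SERVER, *CLIENT, SYN | ACK),
    build_packet(*CLIENT, *SERVER, ACK),
    build_packet(*SERVER, *CLIENT, PSH | ACK, bytes([IAC, DO, 24]) + b"login: "),
    build_packet(*CLIENT, *SERVER, PSH | ACK, bytes([IAC, WONT, 24]) + b"Simon\r\n"),
    build_packet(*SERVER, *CLIENT, PSH | ACK, b"Password: "),
    build_packet(*CLIENT, *SERVER, PSH | ACK, b"hunter2\r\n"),
]

if __name__ == "__main__":
    hier, found = analyse(SAMPLE_PACKETS)
    print("Protocol hierarchy:", dict(hier))
    for f in found:
        print(f"cleartext login from {f['client'][0]}:{f['client'][1]}, typed: {f['typed']}")
```

The detection rule is deliberately simple: any TCP session on port 23 whose server side sends a password prompt is reported, because Telnet has no encryption layer that could hide the answer. The same parsing approach applied to a real capture (for example packets exported from Wireshark) would need the Ethernet header removed first and checksum validation added.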