How do you configure port mirroring? How do you intercept the traffic going to one machine on another machine? How do you deploy port mirroring in a Hyper-V environment? In this tutorial, you will find the answers to all of these questions.
It can be used for a good or a bad purpose; which one is up to you.
Sniffing the traffic with Wireshark
As you can see, I have three virtual machines here. The first one has Wireshark running (the sniffing machine), the second one is the machine we will steal the traffic from (the sniffed machine), and the third is the “third party” machine involved in the communication. If I ping 10.10.10.10 from the sniffed machine, of course nothing appears in Wireshark, because the sniffing machine is not a party to that communication. Packets are exchanged between the sniffed host and the third party only, and nothing reaches the sniffing machine. Of course, I can easily send any kind of broadcast, for example ping 10.255.255.255, and now I see a broadcast. Another way of forcing a broadcast or multicast is to resolve a name through NetBIOS: ping test123, or whatever name you like, and my workstation tries to find such a host. In those cases I do get some traffic.
As you can see in Wireshark, only multicast and broadcast frames show up, because the virtual switch delivers no unicast traffic to this machine when it is not part of the communication. I will clear the Wireshark display and configure the sniffed virtual machine so that its network port is mirrored to the sniffing machine.
To do this, I have to:
- open the settings of the sniffed virtual machine in Hyper-V Manager and select its network adapter,
- expand Advanced Features,
- under Port mirroring, set Mirroring mode to Source (the traffic of this adapter is copied),
- click OK,
- open the settings of the sniffing machine and select its network adapter,
- expand Advanced Features,
- under Port mirroring, set Mirroring mode to Destination (this adapter receives the copies).
Both adapters must be connected to the same virtual switch on the same host; Hyper-V mirrors ports only within one virtual switch.
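The same configuration done from PowerShell instead of the GUI, as an added example that is not part of the original tutorial. It assumes a VM named "Sniffed" (the source) and a VM named "Sniffer" (the destination), each with a single virtual network adapter; both names are placeholders. Run it on the Hyper-V host with Hyper-V administrator rights.

```powershell
# Added example (not from the original tutorial): configure Hyper-V port
# mirroring with the Hyper-V PowerShell module, then verify the result.
# Assumed VM names: "Sniffed" (source) and "Sniffer" (destination).
# Both adapters must sit on the same virtual switch on the same host;
# the script checks that before changing anything.

$SourceVM      = 'Sniffed'   # assumed name of the VM whose port is copied
$DestinationVM = 'Sniffer'   # assumed name of the VM running Wireshark

# Take the first adapter of each VM (the example assumes one adapter per VM).
$src = @(Get-VMNetworkAdapter -VMName $SourceVM)[0]
$dst = @(Get-VMNetworkAdapter -VMName $DestinationVM)[0]

if ($src.SwitchName -ne $dst.SwitchName) {
    throw "Source is on switch '$($src.SwitchName)', destination on '$($dst.SwitchName)'. Mirroring only works within one virtual switch."
}

# Source: frames sent and received on this port are copied to the mirror.
Set-VMNetworkAdapter -VMNetworkAdapter $src -PortMirroring Source

# Destination: this port receives the copied frames in addition to its own traffic.
Set-VMNetworkAdapter -VMNetworkAdapter $dst -PortMirroring Destination

# Verify: PortMirroringMode should now read Source and Destination respectively.
Get-VMNetworkAdapter -VMName $SourceVM, $DestinationVM |
    Select-Object VMName, Name, SwitchName, MacAddress, PortMirroringMode
```

The mirrored frames carry the MAC addresses of the sniffed and third-party machines, not the sniffer's, so the capture in Wireshark on the destination VM has to run in promiscuous mode (Wireshark's default) to see them.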
Searching for sensitive information…
Right now Wireshark is up and running, and I switch that machine to the background. I ping 10.10.10.10 again, as before, and now the traffic shows up here: packets between 10.10.10.10 and 10.10.10.100. The sniffing machine has a different IP address of its own, yet it receives all the traffic from both sides of the communication, because everything passing through the mirrored port of the sniffed virtual machine is copied to it.
Ping is not very exciting, but let's do something more advanced: browse to 10.10.10.10/logon.htm, the login page of my very advanced application. I type a user name and a password, submit the form, and I am logged in. Now I can stop the capture in Wireshark, find the HTTP conversation (for example with the display filter http.request.method == "POST", or with Follow TCP Stream on the connection), and read the sensitive data I sent to the website, passwords included.
Port Mirroring on Hyper-V
In practice, once someone can set up mirroring on the port, the only thing that protects the traffic is encryption applied by the protocol itself. If the login used HTTPS, which is not an unusual setting, the mirrored packets would be useless for recovering passwords and the like. Here, over plain HTTP, if I dig deep enough I can easily see my password being sent over the network; with the port mirrored I intercept it and read it: “secretpassword”.
Communication going through the virtual machine is not safe at all
This is the bad-purpose scenario. Please remember: whoever manages your virtual environment can set this on your virtual machine at any time, so communication going through a virtual machine is not safe at all from that administrator. We have another scenario, because this one was about the bad guys. I would like to demonstrate one where we play the white-hat guys, trying to find unusual situations in the traffic itself.
I will leave such demonstrations for one of the next episodes of our CQURE Hacks Weekly. In the meantime, I will do my favorite thing related to the administrator of the virtual platform, and I will issue one of my favorite commands, which is: “Thank you, and goodbye.”
Remember: trust the admin of the virtualization platform
So, as you can see, the topic is not that hard, and it is not hard to configure. But there is one thing you have to think about: trust in the admin of the virtualization platform. If the Hyper-V admin can do this himself, your policy and risk analysis should somehow reflect that possibility. On the technical side, I hope it was interesting to you.
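One concrete way to turn that risk into a check is to audit the host for mirrored ports, since a mirroring destination that nobody remembers configuring is exactly the setting an abusive administrator would leave behind. The function below is an added example, not code from the original tutorial; the function name, parameter names and output layout are my own. It assumes the Hyper-V PowerShell module and administrator rights on the host(s) named in -ComputerName.

```powershell
# Added example (not from the original tutorial): find every virtual network
# adapter on a Hyper-V host whose port mirroring mode is not None, and
# optionally reset it. Function name and parameters are assumptions.
function Find-MirroredAdapter {
    [CmdletBinding()]
    param(
        # Hyper-V host(s) to query; defaults to the local machine.
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # When set, every mirrored adapter found is switched back to None.
        [switch]$Reset
    )

    # -All covers the adapters of every VM plus the management OS adapters,
    # so a mirror configured on the host's own vNIC is reported as well.
    $mirrored = Get-VMNetworkAdapter -All -ComputerName $ComputerName |
        Where-Object { $_.PortMirroringMode -ne 'None' }

    foreach ($nic in $mirrored) {
        # Emit one record per finding so the output can be filtered or exported.
        [PSCustomObject]@{
            Host       = $nic.ComputerName
            VMName     = $nic.VMName        # empty for management OS adapters
            Adapter    = $nic.Name
            Switch     = $nic.SwitchName
            MacAddress = $nic.MacAddress
            Mirroring  = $nic.PortMirroringMode   # Source or Destination
        }
        if ($Reset) {
            Set-VMNetworkAdapter -VMNetworkAdapter $nic -PortMirroring None
        }
    }
}

# Report only; add -Reset to clear the mirrors, or -ComputerName for remote hosts.
Find-MirroredAdapter | Format-Table -AutoSize
```

A Source adapter without any Destination on the same switch copies frames to nobody, but it is still worth reporting: it means somebody prepared the mirror and only needs to flip one more adapter to start capturing.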
You’re very welcome to comment on the tutorial!
*author Grzegorz Tworek