When you use your browser to connect to a web page (or a client program to connect to a web service), your browser (or the client) and the server must exchange a series of network messages. Behind the scenes, the messages do not travel directly between your computer and the remote server. Instead, to make their way across the Internet the messages often travel through myriad computers, as shown in Figure 9.1.
Figure 9.1: To make their way across the Internet, messages often move from one computer to the next.
At any stage along the message’s path, a hacker can intercept the message, as shown in Figure 9.2.
Figure 9.2: Hackers can intercept messages as the messages make their way across the Internet.
To better understand how messages travel (or hop) from one computer to the next, consider the following tracert command, which examines the path messages travel to reach the Jamsa Media Group website:
C:\>tracert www.jamsamediagroup.com <Enter>

Tracing route to jamsamediagroup.com [209.51.153.242]
over a maximum of 30 hops:

  1    10 ms    10 ms    20 ms  ip68-98-84-1.cox.net [68.98.84.1]
  2    10 ms    20 ms    10 ms  ip68-2-5-65.cox.net [68.2.5.65]
  3    10 ms    10 ms    20 ms  ip68-2-0-33.cox.net [68.2.0.33]
  4    20 ms    20 ms    10 ms  ip68-2-0-189.cox.net [68.2.0.189]
  5    10 ms    20 ms    20 ms  chnd-gew0303.rd.cox.net [68.2.14.13]
  6    10 ms    20 ms    10 ms  chnd-pos0101.rd.ph.cox.net [68.1.0.168]
  7    40 ms    30 ms    40 ms  dlls-pos0102.rd.dl.cox.net [68.1.0.146]
  8    30 ms    30 ms    40 ms  12.119.145.125
  9    30 ms    30 ms    30 ms  gbr5-p30.dlstx.net [12.123.17.50]
 10    41 ms    40 ms    30 ms  tbr1-p012401.dlstx.net [12.122.12.65]
 11    50 ms    50 ms    50 ms  tbr1-p012501.la2ca.net [12.122.9.145]
 12    70 ms    70 ms    50 ms  tbr2-p012ip.att.net [12.122.10.37]
 13    60 ms    50 ms    50 ms  ggr1-p3100.ip.att.net [12.122.11.230]
 14    60 ms    60 ms    50 ms  nr1-p350.paix.ip.att.net [12.123.221.2]
 15    60 ms    60 ms    50 ms  205.215.1.169
 16    60 ms    60 ms    60 ms  205.215.12.1
 17   141 ms   140 ms   140 ms  66.28.28.202
 18   120 ms   120 ms   120 ms  205.215.2.6
 19   120 ms   120 ms   121 ms  209.51.131.2
 20   130 ms   111 ms   120 ms  209.51.153.242

Trace complete.
In this case, the tracert messages passed through 20 hops before reaching the Jamsa Media Group website.
HTTP is a plain-text protocol, which means a hacker can intercept and easily view the messages that a client and server exchange. If the message contains credit-card data, or a username and password combination, the hacker can easily read the sensitive data. Further, after intercepting a message, a hacker can change the message contents before he or she forwards the message to the recipient.
Assume, for example, that you place an order with an online store, and that a hacker intercepts your order. The hacker could change your order to have the product sent to himself instead of to you, as shown in Figure 9.3. Later, when the server sends back the order confirmation message, the hacker can intercept and change that message, so you remain unaware of the change to your order. Network programmers refer to this type of hacker attack as a man-in-the-middle attack.
Figure 9.3: By intercepting messages between a client and server, a hacker can change the message contents without the client and server being aware of the attack.
HTTP messages are plain-text messages that are very easy for a hacker who is monitoring messages to view as the messages make their way across the Net. Using the Distinct Network Monitor application, for example, you can view TCP/IP and HTTP messages. To begin, download and install a trial version of the Distinct Network Monitor software from www.distinct.com. Next, create the following LoginDemo web service that supports the Login method shown here, which requires a username and password parameter:
string Login(string Username, string Password)
The Login method will not actually use the username and password in any way. Instead, after the method receives the values, it will return a string containing a message that states that your login information was received.
To create the LoginDemo web service, perform these steps:
Within Visual Studio .NET, select the File menu New Project option. Visual Studio .NET will display the New Project dialog box.
Within the New Project dialog box Project Types list, click C# Projects. Then, within the Templates field, click ASP.NET Web Service. Finally, within the Location field, specify the folder within which you want to store the program and the program name LoginDemo. Select OK. Visual Studio .NET will display a page onto which you can drag and drop the service’s components.
Select the View menu Code option. Visual Studio .NET will display the program’s source code. Within the source code add the LoginDemo.asmx.cs program statements shown below.
[WebMethod]
public string Login(string Username, string Password)
{
    // The service does not validate the credentials; it only echoes them back
    return "Your login information was received: " + Username + " " + Password;
}
Select the Build menu Build Solution option to build the web service.
Next, create the Visual Basic .NET program in the code below, SendUsernameInfo.vb, which creates an ASP.NET page that uses the service. When you view the page, your browser will display a form similar to that shown in Figure 9.4 that prompts you to enter username and password information. After you enter the information and click Submit, the program will call the web service and display the service’s result within a text box.
Figure 9.4: Submitting username and password data to a web service
To create the program, perform these steps:
Within Visual Studio .NET, select the File menu New Project option. Visual Studio .NET will display the New Project dialog box.
Within the New Project dialog box Project Types list, click on Visual Basic Projects. Then, within the Templates field, click on ASP.NET Application. Within the Location field, type SendUsernameInfo. Select OK. Visual Studio .NET will display a form onto which you can drag and drop the program’s controls.
Using the Toolbox, drag and drop the labels, text boxes, and button previously shown in Figure 9.4 onto the form.
Select the Project menu Add Web Reference option. Visual Studio .NET will display the Add Web Reference dialog box.
Within the Address field, type http://localhost/LoginDemo/Service1.asmx?WSDL and press Enter. The dialog box will load the file’s contents. Click the Add Reference button.
Select the View menu Code option. Visual Studio .NET will display the program’s source code. Within the source code add the SendUsernameInfo.aspx.vb program statements shown below.
Private Sub Button1_Click(ByVal sender As System.Object, _
    ByVal e As System.EventArgs) Handles Button1.Click

    ' Proxy class generated by the Add Web Reference step
    Dim LoginObj As New localhost.Service1()

    ' Only call the service when both the username and password fields contain text
    If (TextBox1.Text.Length > 0) And (TextBox2.Text.Length > 0) Then
        Try
            TextBox3.Text = LoginObj.Login(TextBox1.Text, TextBox2.Text)
        Catch Ex As Exception
            TextBox3.Text = Ex.Message
        End Try
    End If
End Sub
The Distinct Network Monitor will only detect messages that come from outside of your network. If you run a program that uses a web service on your system (a web service you define using localhost), the network messages will never leave your system (and go out and return through the network card whose packets the monitor captures). To use the monitor to intercept messages to a web service, you must run the ASP.NET page that uses the service from a different computer. You can build the program on the same computer that you used to create the web service, but you must run the program from a different computer so the program’s requests enter through the network interface card.
When you create the program, you will not use the localhost name to reference the web service’s WSDL file as you have in the past. Instead, you will type in the IP address of the system that contains the service. To determine your IP address, you can run the ipconfig command as shown here:
C:\> ipconfig <Enter>

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . : nv.cox.net
        IP Address. . . . . . . . . . . . : 182.118.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 182.118.1.1

C:\>
After you build the program and display the page, connect to the page from a remote computer. To do so, in this case, you would enter a URL on the remote system in the format http://182.118.1.100/SendUsernameInfo/Webform1.aspx. Then, on the PC that contains the web service, start the Distinct Network Monitor program, select the Capture menu Settings option, and select no filtering. Then, select the Capture menu Start option to begin capturing packets. As the program begins to display entries for captured packets, scroll through the list of network messages that correspond to the PC from which you are running the program. If you open the network messages that have arrived from the remote system, you will eventually find an HTTP message that contains the username and password that your program passed to the web service, as shown in Figure 9.5.
Figure 9.5: Using a network-monitoring program to display username and password data sent by a program to a remote service (note the text highlighted in black)
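The network monitor shows the credentials because nothing in the HTTP exchange hides them. The following Python script, added here as an example and not part of the book or of the LoginDemo project, makes the same point without a capture tool: it takes the raw bytes of one HTTP request, as a monitor would record it, and reports every credential-like parameter that is readable in clear text. The sample request embedded in the script is constructed to resemble the SOAP message an ASP.NET web-service proxy sends to the Login method (the tempuri.org namespace is the default ASP.NET placeholder; the host, user name and password values are made up). The script also handles the HTTP GET and form-encoded bindings that an .asmx service accepts, so it generalizes beyond the single SOAP request the chapter captures.

```python
"""Find credentials sent in clear text inside one captured HTTP request.

Added example, not code from the book. Given the raw bytes of a request,
collect the parameters visible in the query string, a form-encoded body,
or the leaf elements of a SOAP body, and report those whose names look
like user names, passwords or tokens.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Parameter names a reviewer would treat as sensitive (case-insensitive)
SENSITIVE = re.compile(r"user(name)?|login|pass(word|wd)?|pwd|secret|token", re.I)

# Constructed sample: what the SendUsernameInfo page sends to LoginDemo.
# Host, namespace, user name and password are placeholders, not captured data.
SAMPLE_REQUEST = (
    b"POST /LoginDemo/Service1.asmx HTTP/1.1\r\n"
    b"Host: 182.118.1.100\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b'SOAPAction: "http://tempuri.org/Login"\r\n'
    b"\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><Login xmlns="http://tempuri.org/">'
    b"<Username>alice</Username><Password>s3cret</Password>"
    b"</Login></soap:Body></soap:Envelope>"
)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_fields(target: str, headers: dict, body: bytes) -> dict:
    """Return {name: value} for every parameter readable in the request."""
    fields = {}
    # HTTP GET binding: parameters travel in the query string
    for key, values in parse_qs(urlsplit(target).query).items():
        fields[key] = values[0]
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        # HTTP POST binding: parameters travel as a form body
        for key, values in parse_qs(body.decode("iso-8859-1")).items():
            fields[key] = values[0]
    elif ctype.startswith(("text/xml", "application/soap+xml")):
        # SOAP binding: each leaf element under the Body is one method parameter
        root = ET.fromstring(body)
        for elem in root.iter():
            if len(elem) == 0 and elem.text and elem.text.strip():
                local_name = elem.tag.split("}")[-1]  # drop the namespace prefix
                fields[local_name] = elem.text.strip()
    return fields


def find_cleartext_credentials(raw: bytes) -> dict:
    """Report credential-like parameters that are readable in a captured request."""
    _method, target, headers, body = parse_http_request(raw)
    fields = extract_fields(target, headers, body)
    return {name: value for name, value in fields.items() if SENSITIVE.search(name)}


if __name__ == "__main__":
    # Anyone on the path between the page and the service can read these values
    for name, value in find_cleartext_credentials(SAMPLE_REQUEST).items():
        print(f"clear-text {name}: {value}")
```

Run the script as-is to see the two parameters recovered from the sample SOAP request; to use it on a real capture, save one request from the monitor to a file and pass its bytes to find_cleartext_credentials. The regular expression is deliberately broad: a false positive costs a moment of review, whereas a password field under an unexpected name costs the same exposure the chapter demonstrates.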