Use the OpenStack CDCI template to start a new VM. To access the VM, log in to cloud.grid.pub.ro using your UPB credentials, and from there ssh into the VM's private IP (shown in OpenStack) using “ubuntu” as the username and your ssh key.
root@cdci:/$ ssh mihai.chiroiu@fep.grid.pub.ro
[mihai.chiroiu@fep8 ~]$ ssh -vv ubuntu@<IP>
First, make sure that your virtual machine is updated (run the provided update.sh script, or create one).
root@cdci:/# vim ~/containernet/mininet/node.py (line 828, privileged = True)
Next, in one terminal start the provided Mininet topology.
root@cdci:/# cd cdci/lab04
root@cdci:/# /usr/bin/python3 topology.py
If there are any problems starting the topology (if all is well you should see the Mininet prompt ">"), use the given cleanup script and try to restart the topology.
Before you begin, make sure that you have Internet connectivity on both nodes (Attacker and Victim). R1 should be the gateway for the Attacker and the Victim. Write down the MAC and IP addresses of all 3 nodes (including the gateway). Use the provided scripts to access the nodes.
root@ip-172-30-0-165:/# ./attacker_bash.sh
root@attacker:/#
root@ip-172-30-0-165:/# ./victim_bash.sh
root@victim:/#
The goal of this exercise is to pass all the Victim's traffic through the Attacker's machine. From the Attacker node, start an ARP poisoning MITM attack against the Victim machine using the ettercap tool. Use the ping tool from the Victim and make sure that all traffic (including traffic to the outside) goes through the Attacker's node (use ettercap's extra verbose option).
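As an added defender-side example (not part of this lab sheet), the script below implements the check an ARP monitor such as arpwatch performs on the Victim's link: it records which MAC first answered for each IP and alerts when a later ARP reply maps the same IP to a different MAC, and separately lists any MAC that answers for more than one IP, which is what a host poisoning both the Victim and the gateway looks like. The ARP records, MACs and IPs are constructed placeholders; substitute the values you wrote down for R1, the Attacker and the Victim.

```python
"""Added example (not part of the lab handout): flag ARP poisoning from a
stream of ARP replies by tracking which MAC claims each IP.

The ARP records below are constructed; the MAC/IP values are placeholders
for the R1 gateway, Attacker and Victim addresses noted earlier."""
from collections import defaultdict

# Constructed sample: (sender_ip, sender_mac) as seen in ARP replies on the
# Victim's link. The first records are legitimate; later a second MAC starts
# claiming the gateway's and the Victim's IPs (gateway poisoning pattern).
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "00:00:00:00:00:01"),   # R1 gateway (placeholder)
    ("10.0.0.3", "00:00:00:00:00:03"),   # Victim (placeholder)
    ("10.0.0.1", "00:00:00:00:00:01"),   # legitimate refresh
    ("10.0.0.1", "00:00:00:00:00:02"),   # another MAC claims the gateway IP
    ("10.0.0.3", "00:00:00:00:00:02"),   # same MAC claims the Victim IP
    ("10.0.0.1", "00:00:00:00:00:02"),   # repeated re-poisoning
]


def detect_arp_conflicts(replies, baseline=None):
    """Return a list of (ip, known_mac, claimed_mac) alerts.

    The first MAC seen for an IP (or the given baseline mapping) is trusted;
    every later reply that maps the same IP to a different MAC raises an
    alert. Repeats of the same (ip, mac) conflict are reported only once.
    """
    known = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    alerts = []
    seen_conflicts = set()
    for ip, mac in replies:
        mac = mac.lower()
        if ip not in known:
            known[ip] = mac          # first claim wins, as in a plain ARP cache
            continue
        if known[ip] != mac and (ip, mac) not in seen_conflicts:
            seen_conflicts.add((ip, mac))
            alerts.append((ip, known[ip], mac))
    return alerts


def macs_claiming_multiple_ips(replies):
    """Return {mac: [ips]} for MACs that answer for more than one IP."""
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for ip, old, new in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(f"ALERT: {ip} moved from {old} to {new}")
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES).items():
        print(f"ALERT: {mac} answers for {ips}")
```

In the lab, the same two checks can be run by hand: compare the Victim's `ip neigh` output before and after the attack against the MAC/IP table you wrote down, and look for ARP replies in the tcpdump capture where one MAC answers for two different IPs.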
Use tcpdump to save all the traffic from the victim and analyze it using Wireshark. Try to answer the following questions:
Investigate the following traffic as it is generated by the Victim node:
Ettercap filters can also be used to modify packets as they pass through the Attacker's node. Use the provided filter to change the ICMP type from echo request to echo reply (Hint: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml).
cat icmp.filter
if (ip.proto == ICMP) {
    msg("Changing ICMP type!\n");
    replace("8.8.8.8", "8.8.4.4");
}
etterfilter icmp.filter -o icmp.ef
Another interesting Ettercap plugin is DNS spoofing. Configure it so that any queries for the “facebook.com” domain name resolve to “127.0.0.1”.
Unfortunately, HTTPS traffic cannot be inspected, or can it :). We will try to use ettercap and observe the changes in the certificate chain when the MITM attack is active.
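As an added example (not part of the handout), here is the check a Victim-side monitor can run over the DNS answers it receives: a public name that resolves to a loopback, unspecified, link-local or private address cannot be a genuine Internet-facing answer, and the facebook.com to 127.0.0.1 mapping above produces exactly that symptom. The answer records, the names and the addresses are constructed placeholders, and the internal-name suffix list is an assumption you would replace with your own.

```python
"""Added example (not part of the lab handout): spot DNS answers that point
public names at non-routable addresses, the symptom of the dns_spoof
configuration described above.

All answer records are constructed; names and addresses are placeholders."""
import ipaddress

# Constructed: (query name, record type, answer) as a resolver log or a
# per-response summary of the Victim's capture would record them.
SAMPLE_ANSWERS = [
    ("facebook.com", "A", "127.0.0.1"),        # spoofed to loopback
    ("www.google.com", "A", "93.184.216.34"),  # placeholder public address
    ("printer.lab.local", "A", "10.0.0.50"),   # legitimately internal
    ("facebook.com", "AAAA", "::1"),           # spoofed to IPv6 loopback
    ("bank.example", "A", "0.0.0.0"),          # blackholed
    ("mail.example", "MX", "mx.example"),      # not an address record
]

# Assumed suffixes of names that may legitimately resolve to internal space.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal")


def is_internal_name(qname):
    """True for names expected to resolve to private addresses."""
    return qname.lower().rstrip(".").endswith(INTERNAL_SUFFIXES)


def classify_answer(addr):
    """Return why an answer cannot be a public address, or None if it can."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return None


def find_suspicious_answers(answers, internal_ok=is_internal_name):
    """Return (qname, rtype, answer, reason) for public names whose A/AAAA
    answer is an address that cannot be their real Internet-facing one."""
    findings = []
    for qname, rtype, addr in answers:
        if rtype not in ("A", "AAAA"):
            continue
        reason = classify_answer(addr)
        if reason and not internal_ok(qname):
            findings.append((qname, rtype, addr, reason))
    return findings


if __name__ == "__main__":
    for qname, rtype, addr, reason in find_suspicious_answers(SAMPLE_ANSWERS):
        print(f"SUSPICIOUS: {qname} {rtype} -> {addr} ({reason})")
```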
root@victim:~# openssl s_client -showcerts www.google.com:443
CONNECTED(00000005)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
root@attacker:~# openssl genrsa -out hacker.pem 2048
root@attacker:~# openssl req -x509 -new -key hacker.pem -sha256 -days 365 -out hacker.crt
ec_uid = 0
ec_gid = 0
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir6_command_on = "ip6tables -t nat -A PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport"
redir6_command_off = "ip6tables -t nat -D PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport"
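To make the "observe changes in the certificate chain" step concrete from the Victim's side, here is an added example (not part of the lab sheet) that parses `openssl s_client -showcerts` output, compares the chain seen now against the chain recorded before the attack, and hashes the leaf certificate so a swapped leaf is caught even if its subject was copied. BASELINE_OUTPUT reproduces the chain lines shown above; MITM_OUTPUT is a constructed illustration of a self-signed certificate presented in place of the real chain, and both PEM bodies are placeholder base64, not real certificates.

```python
"""Added example (not part of the lab handout): diff the certificate chain
reported by `openssl s_client -showcerts` against a recorded baseline and
fingerprint the leaf certificate.

BASELINE_OUTPUT copies the chain lines from the handout; MITM_OUTPUT and
both PEM bodies are constructed placeholders, not real certificates."""
import base64
import hashlib
import re

BASELINE_OUTPUT = """\
CONNECTED(00000005)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
-----BEGIN CERTIFICATE-----
QkFTRUxJTkUtTEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
"""

# Constructed: a one-element chain with a self-signed leaf, which s_client
# reports as verify error 18 (placeholder PEM body).
MITM_OUTPUT = """\
CONNECTED(00000005)
depth=0 CN = www.google.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = www.google.com
verify return:1
-----BEGIN CERTIFICATE-----
TUlUTS1MRUFGLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
"""

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_RE = re.compile(r"^verify error:(.*)$")
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def parse_s_client(output):
    """Return ({depth: subject}, [verify errors]) from s_client output."""
    chain, errors = {}, []
    for line in output.splitlines():
        line = line.strip()
        m = DEPTH_RE.match(line)
        if m:
            chain[int(m.group(1))] = m.group(2).strip()
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append(m.group(1).strip())
    return chain, errors


def leaf_fingerprint(output):
    """SHA-256 hex digest over the DER bytes of the first PEM block (the
    leaf certificate), or None when the output carries no PEM block."""
    m = PEM_RE.search(output)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def compare_chains(baseline_output, observed_output):
    """Return human-readable findings; an empty list means nothing changed."""
    base_chain, _ = parse_s_client(baseline_output)
    obs_chain, obs_errors = parse_s_client(observed_output)
    findings = [f"verify error: {e}" for e in obs_errors]
    if len(obs_chain) != len(base_chain):
        findings.append(
            f"chain length changed: {len(base_chain)} -> {len(obs_chain)}"
        )
    for depth in sorted(set(base_chain) | set(obs_chain)):
        b, o = base_chain.get(depth), obs_chain.get(depth)
        if b != o:
            findings.append(f"depth {depth}: expected {b!r}, got {o!r}")
    bf, of = leaf_fingerprint(baseline_output), leaf_fingerprint(observed_output)
    if bf != of:
        findings.append(f"leaf fingerprint changed: {bf} -> {of}")
    return findings


if __name__ == "__main__":
    for finding in compare_chains(BASELINE_OUTPUT, MITM_OUTPUT):
        print("CHANGED:", finding)
```

Record the baseline before starting the attack (redirect the s_client output to a file), then run the comparison on a fresh capture while the attack is active; the verify error and the shorter chain are the two signals a client would normally refuse to accept, and the fingerprint line is the one that survives a forged certificate that copies the real subject.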