Differences
This shows you the differences between two versions of the page.
|
cdci:labs:4 [2020/03/15 13:35] mihai.chiroiu [02. [5p] Internet connectivity] |
cdci:labs:4 [2021/03/26 18:29] (current) mihai.chiroiu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Lab04. Man-in-the-middle attack ====== | ====== Lab04. Man-in-the-middle attack ====== | ||
| + | |||
| + | <note warning> | ||
| + | Important read to be graded! | ||
| + | {{page>:cdci:rec&nofooter&noeditbutton&noheader}} | ||
| + | </note> | ||
| ===== Objectives ===== | ===== Objectives ===== | ||
| Line 16: | Line 21: | ||
| First, make sure that your virtual machine is updated (run the provided update.sh script, or create one). | First, make sure that your virtual machine is updated (run the provided update.sh script, or create one). | ||
| - | <code> | ||
| - | root@cdci:/# cat update.sh | ||
| - | #!/bin/bash | ||
| - | # (c) Mihai Chiroiu - CDCI | ||
| - | |||
| - | git clone -b labs --single-branch https://github.com/mihai-chiroiu/cdci.git | ||
| - | git config user.email "student@upb.ro" | ||
| - | </code> | ||
| Next, in one terminal start the provided Mininet topology. | Next, in one terminal start the provided Mininet topology. | ||
| Line 44: | Line 41: | ||
| </code> | </code> | ||
| - | ==== 03. [20p] Virtual machine setup ==== | + | ==== 03. [30p] ARP poisoning MITM attack ==== |
| The goal of this exercise is to pass all the victim's traffic through the attacker's machine. From the Attacker node start an ARP poisoning mitm attack against the Victim machine using ettercap tool. Use “ping” tool from Victim and make sure that all traffic (including to outside) goes through the Attacker’s node (use extra verbose option for ettercap). | The goal of this exercise is to pass all the victim's traffic through the attacker's machine. From the Attacker node start an ARP poisoning mitm attack against the Victim machine using ettercap tool. Use “ping” tool from Victim and make sure that all traffic (including to outside) goes through the Attacker’s node (use extra verbose option for ettercap). | ||
| Line 87: | Line 84: | ||
| </note> | </note> | ||
| - | ==== 05. [10p] Raw packets altering ==== | + | ==== 05. [20p] Raw packets altering ==== |
| Ettercap filters can also be used to modify packets as they pass through the attacker’s node. Use the provided filter to change icmp type from echo to reply (Hint: [[https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml]]). | Ettercap filters can also be used to modify packets as they pass through the attacker’s node. Use the provided filter to change icmp type from echo to reply (Hint: [[https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml]]). | ||
| Line 100: | Line 97: | ||
| cat icmp.filter | cat icmp.filter | ||
| if (ip.proto == ICMP) { | if (ip.proto == ICMP) { | ||
| - | msg("Changing address!\n"); | + | msg("Changing ICMP type!\n"); |
| replace("8.8.8.8", "8.8.4.4"); | replace("8.8.8.8", "8.8.4.4"); | ||
| } | } | ||
| + | etterfilter icmp.filter -o icmp.ef | ||
| </code> | </code> | ||
| Line 108: | Line 106: | ||
| <code> | <code> | ||
| cat icmp.filter | cat icmp.filter | ||
| - | if (ip.proto == ICMP) { | + | if (ip.proto == ICMP && icmp.type == 0) { |
| - | msg("Changing ICMP type!\n"); | + | msg("Changing address!\n"); |
| - | replace("8.8.8.8", "8.8.4.4"); | + | icmp.type = 8; |
| } | } | ||
| etterfilter icmp.filter -o icmp.ef | etterfilter icmp.filter -o icmp.ef | ||
| Line 156: | Line 154: | ||
| </code> | </code> | ||
| </solution> | </solution> | ||
| - | ==== 07. [10p] HTTPS traffic inspection ==== | + | ==== 07. [20p] HTTPS traffic inspection ==== |
| Unfortunately, HTTPS traffic cannot be inspected, or can it :). We will try to use ettercap and observe changes in the certificate chain when MITM attack is active. | Unfortunately, HTTPS traffic cannot be inspected, or can it :). We will try to use ettercap and observe changes in the certificate chain when MITM attack is active. | ||
| Line 176: | Line 174: | ||
| root@attacker:~# openssl genrsa -out hacker.pem 2048 | root@attacker:~# openssl genrsa -out hacker.pem 2048 | ||
| root@attacker:~# openssl req -x509 -new -key hacker.pem -sha256 -days 365 -out hacker.crt | root@attacker:~# openssl req -x509 -new -key hacker.pem -sha256 -days 365 -out hacker.crt | ||
| + | </code> | ||
| + | </note> | ||
| + | |||
| + | <note tip> | ||
| + | For the MITM TLS attack we have to allow ettercap to run as root user and enable iptables configurations. This is required to allow ettercap SSL filter to receive and decode the TLS traffic. Modify the configuration file, “/etc/ettercap/etter.conf”, with the following. | ||
| + | <code> | ||
| + | ec_uid = 0 | ||
| + | ec_gid = 0 | ||
| + | # if you use iptables: | ||
| + | redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" | ||
| + | redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" | ||
| + | redir6_command_on = "ip6tables -t nat -A PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport" | ||
| + | redir6_command_off = "ip6tables -t nat -D PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport" | ||
| </code> | </code> | ||
| </note> | </note> | ||
