Differences
This shows you the differences between two versions of the page.
|
isc:labs:08 [2024/11/25 04:14] ebru.resul [[30p] 2. Iptables] |
isc:labs:08 [2024/11/27 09:47] (current) ebru.resul [[30p] 1. Port Scanning] |
||
|---|---|---|---|
| Line 80: | Line 80: | ||
| === [10p] Discover Devices on the Network === | === [10p] Discover Devices on the Network === | ||
| - | //**STEP 1: Scan the network with nmap - ping scan**// | + | //**STEP 1: Scan the network with nmap (using ping scan)**// |
| - | * __What It Does:__ Sends ICMP Echo Requests (pings) or TCP/UDP probes to detect devices on the network. | + | * __What It Does:__ Sends ICMP Echo Requests (pings) or TCP/UDP requests to detect devices on the network. |
| * __Strengths:__ Works across subnets and can identify devices beyond the local network. | * __Strengths:__ Works across subnets and can identify devices beyond the local network. | ||
| - | * __Limitations:__ May miss devices that block ICMP or TCP probes. | + | * __Limitations:__ May miss devices that block ICMP or TCP requests. |
| - | <note> **TASK:** Run a ping scan to discover active hosts in your network using nmap (you can use CIDR notation! Remember OpenStack's network prefix?).</note> | + | <note> **TASK:** Run a nmap with ping scan to discover active hosts in your network using nmap (you can use CIDR notation! Remember OpenStack's network prefix?). Hint: Search on google how to run a "nmap with ping scan option"</note> |
| <solution -hidden> | <solution -hidden> | ||
| <code> | <code> | ||
| Line 166: | Line 166: | ||
| * __Purpose:__ Helps test UDP scanning, which is slower and behaves differently than TCP due to the lack of acknowledgments. | * __Purpose:__ Helps test UDP scanning, which is slower and behaves differently than TCP due to the lack of acknowledgments. | ||
| - | <note> **TASK:** Work in pairs. One person opens an UDP server on their VM using netcat, while the other scans for it. Choose a non-standard port (e.g., 10002). </note> | + | <note> **TASK:** Work in pairs. One person opens an UDP server on their VM using netcat, while the other scans for it. Choose a non-standard port (e.g., 10002). Hint: use -k when opening the server to allow multiple connections </note> |
| <solution -hidden> | <solution -hidden> | ||
| Line 264: | Line 264: | ||
| //**STEP 1: Access Your Colleague’s VM and Observe Traffic**// | //**STEP 1: Access Your Colleague’s VM and Observe Traffic**// | ||
| - | * **Purpose:** Learn how to interact with a remote machine, analyze incoming SSH and HTTP traffic, and apply appropriate filtering rules to manage access. | + | * __Purpose:__ Learn how to interact with a remote machine, analyze incoming SSH and HTTP traffic, and apply appropriate filtering rules to manage access. |
| <note>**TASK:** Work in pairs. Follow these steps: | <note>**TASK:** Work in pairs. Follow these steps: | ||
| Line 284: | Line 284: | ||
| //**STEP 2: Monitor Incoming Traffic with tcpdump**// | //**STEP 2: Monitor Incoming Traffic with tcpdump**// | ||
| - | * **Purpose:** Analyzing network traffic is essential for troubleshooting, identifying unauthorized access, and auditing security. You can identify which machines are connecting to your services and how they interact with your system. | + | * __Purpose:__ Analyzing network traffic is essential for troubleshooting, identifying unauthorized access, and auditing security. You can identify which machines are connecting to your services and how they interact with your system. |
| Line 304: | Line 304: | ||
| //**STEP 3: Block Unwanted SSH and HTTP Traffic**// | //**STEP 3: Block Unwanted SSH and HTTP Traffic**// | ||
| - | * **Purpose:** Controlling access to services is critical for securing systems against spam, unauthorized users, and brute-force attacks. Blocking unnecessary SSH and HTTP traffic helps prevent abuse and protects sensitive data. | + | * __Purpose:__ Controlling access to services is critical for securing systems against spam, unauthorized users, and brute-force attacks. Blocking unnecessary SSH and HTTP traffic helps prevent abuse and protects sensitive data. |
| <note> **TASK:** Use `iptables` to block SSH and HTTP connections from unauthorized machines: | <note> **TASK:** Use `iptables` to block SSH and HTTP connections from unauthorized machines: | ||
| Line 322: | Line 322: | ||
| //**STEP 4: Allow Trusted Colleagues to Access Your VM**// | //**STEP 4: Allow Trusted Colleagues to Access Your VM**// | ||
| - | * **Purpose:** While blocking unwanted access is critical, allowing trusted colleagues or team members to connect to your system ensures collaboration and prevents unintentional disruptions in a shared environment. | + | * __Purpose:__ While blocking unwanted access is critical, allowing trusted colleagues or team members to connect to your system ensures collaboration and prevents unintentional disruptions in a shared environment. |
| <note> | <note> | ||
| Line 345: | Line 345: | ||
| </note> | </note> | ||
| - | --- | ||
| - | === [5p] Task C: Workstation Firewall === | ||
| - | * Any security-conscious user should secure his/her workstation. The recommended way is to block all traffic and whitelist only the required connections. | + | === [5p] Workstation Firewall === |
| - | * **Note:** this task is for reference only! But check it out: it is a very good policy if you had it on a laptop that you use with public wifi hotspots (such as the ones offered by coffee shops or hotels), and you would not want anybody to compromise it. The policy would do a good job because it allows very few things in and out. If it doesn’t know what to do with a packet, the packet gets dropped automatically, because you set that up at the very beginning in the policy (''iptables ... -P DROP''): | + | |
| + | * __Purpose:__ Everyone should take proactive measures to secure their workstation, especially when connecting to public Wi-Fi hotspots such as those found in coffee shops or hotels. By blocking all traffic and only allowing specific connections, you significantly reduce the risk of unauthorized access or compromise. This policy ensures only essential traffic is permitted, while unknown packets are automatically dropped, maintaining robust security. | ||
| + | |||
| + | * **Note:** While this task is for reference, implementing such a policy is highly effective for laptops used in insecure or high-risk environments. It minimizes exposure to threats by defaulting to a "deny-all" approach unless explicitly allowed. | ||
| <spoiler Workstation Firewall Script> | <spoiler Workstation Firewall Script> | ||
| Line 392: | Line 393: | ||
| </spoiler> | </spoiler> | ||
| - | === [10p] Task D: DNS blocking === | + | === [10p] DNS Blocking === |
| - | * Block access to Facebook by using iptables to block all [[https://routley.io/posts/hand-writing-dns-messages#question|DNS queries]] containing "facebook.com". | + | * __Purpose:__ DNS blocking is a practical way to restrict access to unwanted websites or domains, such as blocking social media on a corporate network. By intercepting and dropping DNS queries for specific domains, you can prevent users from accessing restricted content without interfering with the broader network's functionality. |
| - | * **Hint**: The ''string'' iptables module can do packet contents matching (''sudo iptables -m string -help''). But what does a DNS query look like? | + | |
| + | <note>**Task:** Block access to Facebook by dropping all DNS queries containing "facebook.com."</note> | ||
| + | |||
| + | * **Hint:** The `string` iptables module allows packet content matching, including DNS queries. Use the `--hex-string` option to specify binary contents, and choose an appropriate string matching algorithm for efficient filtering. | ||
| * **Note**: you can supply a hex string parameter with the syntax ''|HH HH HH ...|<plaintext>'' (e.g., ''hello|20 57 6F|rld'') to match binary contents of a packet! Also choose a string matching algorithm! | * **Note**: you can supply a hex string parameter with the syntax ''|HH HH HH ...|<plaintext>'' (e.g., ''hello|20 57 6F|rld'') to match binary contents of a packet! Also choose a string matching algorithm! | ||
| Line 404: | Line 408: | ||
| </solution> | </solution> | ||
| - | === [0p] Task E: Port knocking (bonus) === | ||
| - | * Start a netcat TCP server on 31337 and implement a port knocking scheme to open it! | + | === [0p] Task E: Port Knocking (Bonus) === |
| - | * Ask a colleague to scan your port. It should be seen as closed / filtered. | + | |
| - | * Then ask that colleague to knock the correct port sequence and connect to your netcat server. | + | * __Purpose:__ Port knocking is a powerful security technique used to obscure access to sensitive network services. By requiring a specific sequence of connection attempts (knocks) before opening a port, this method prevents unauthorized users from detecting or accessing the service. It’s particularly useful for protecting services on machines that need to remain hidden until needed, such as administrative tools or diagnostic servers. |
| + | |||
| + | <note>**Task:** | ||
| + | - Start a `netcat` TCP server on port `31337`. | ||
| + | - Configure a port knocking scheme so the server remains invisible (closed/filtered) until the correct sequence of port "knocks" is performed. | ||
| + | - Ask a colleague to scan your port. It should appear closed or filtered. | ||
| + | - Provide your colleague with the correct knock sequence and confirm they can access the `netcat` server after performing it. | ||
| + | </note> | ||
| + | |||
| + | * **Why It's Helpful:** | ||
| + | - Protects services from being discovered by malicious scans. | ||
| + | - Adds an extra layer of security for sensitive applications or servers. | ||
| + | - Enables stealthy and controlled access without leaving ports exposed. | ||
| + | |||
| + | * **Hint:** Use the `recent` iptables module to track and validate the knock sequence. | ||
| + | |||
| + | * **Reference:** [Arch Wiki: Port Knocking](https://wiki.archlinux.org/index.php/Port_knocking) | ||
| - | * Check out the ''recent'' iptables module! | ||
| - | * **Reference:** https://wiki.archlinux.org/index.php/Port_knocking | ||
| ==== [30p] 3. Man in the Middle ==== | ==== [30p] 3. Man in the Middle ==== | ||
| - | The ARP protocol is widely used for translating L3 (IP) addresses into L2 (data-link) addresses. | + | The Address Resolution Protocol (ARP) is used to map IP addresses (Layer 3) to MAC addresses (Layer 2) on local networks. However, ARP is inherently vulnerable because it lacks authentication. Attackers can exploit this weakness by forging ARP responses, tricking a victim into associating a legitimate IP (e.g., the router) with the attacker’s MAC address. This allows the attacker to intercept and manipulate network traffic, a classic example of a Man in the Middle (MitM) attack. |
| - | Unfortunately, it suffers from a critical security vulnerability: due to its unauthenticated nature, a destination machine has no way of determining whether a ARP reply is valid, so an attacker can forge ARP packets and tell a victim PC to associate the router's IP address to the attacker's MAC address, such that it will send all traffic through the victim's machine. | + | Think of this as you’re mailing a letter to your bank. A middleman secretly intercepts the letter, opens it, reads all your private information, and replaces it with their own fake letter before sending it to the bank. You never realize your communication was tampered with, but the middleman now has all your sensitive details. This is essentially what a Man-in-the-Middle attack does in a digital network. |
| - | === [20p] Task A: ARP Cache Poisoning === | ||
| - | * We will use two Docker containers to simulate a vulnerable local network (OpenStack filters ARP packets, so you won't be able to do this there). | + | * **Why would you do this as an attacker?** |
| - | <code bash> | + | - To intercept sensitive information like credentials or financial data being transmitted over the network. |
| - | # turn on IP Forwarding -- for the attacker (inherited from host) | + | - To disrupt communications, redirect traffic, or inject malicious content into a victim's browsing session. |
| - | # containers don't have permission for this and we don't want to bother with capabilities | + | - To gather intelligence on a target network or exploit vulnerabilities in intercepted traffic. |
| - | sudo sysctl -w net.ipv4.ip_forward=1 | + | |
| - | # Open a "Victim" terminal (on your VM): | ||
| - | docker run --rm -ti --entrypoint /bin/bash --name victim ubuntu:22.04 | ||
| - | # Open an "Attacker" terminal (also on the same VM): | ||
| - | docker run --rm -ti --entrypoint /bin/bash --name attacker --sysctl net.ipv4.ip_forward=1 ubuntu:22.04 | ||
| - | # we need two terminals for the attacker (for the tcpdump later) | + | **Real-World Example:** |
| - | # so... in a third terminal, spawn a Docker exec shell: | + | The 2015 Superfish Visual Discovery vulnerability in Lenovo laptops exposed millions of users to Man-in-the-Middle attacks by allowing attackers to intercept and decrypt HTTPS traffic, highlighting the dangers of pre-installed software and weak security practices. |
| - | docker exec -ti attacker /bin/bash | + | |
| - | </code> | + | |
| - | * **Victim terminal** (note: we're inside a container): install prerequisites & find out the IP address given by Docker: | + | **Is MitM Still Used?** Yes, Man-in-the-Middle attacks are still used today and remain a serious threat. Their methods, however, have evolved with the advance in technology |
| - | <code bash> | + | |
| - | apt update && apt install -y iproute2 iputils-ping netcat-openbsd | + | |
| - | ip a sh | + | |
| - | </code> | + | |
| - | * **Attacker terminal:** install prerequisites & establish yourself as the Man in the Middle using ARP Spoofing: | + | * Public Wi-Fi Networks: Attackers exploit insecure hotspots to intercept traffic. |
| - | <code bash> | + | * IoT Devices: Poorly secured devices provide new opportunities for interception. |
| - | # install prerequisites for this task | + | * Advanced Techniques: Attacks like SSL/TLS downgrades and HTTPS spoofing target encrypted connections. |
| - | apt update && apt install -y dsniff tcpdump iproute2 iputils-ping | + | |
| - | # start poisoning the host's ARP cache | + | **Mitigation Today:** |
| + | |||
| + | * Strict SSL/TLS protocols and certificate validation. | ||
| + | * Secure DNS implementations like DNSSEC and DNS over HTTPS. | ||
| + | * Use of Virtual Private Networks (VPNs) for secure communication on public networks. | ||
| + | |||
| + | ---- | ||
| + | For the following exercises, we will use Docker containers to simulate a local network vulnerable to ARP spoofing attacks. | ||
| + | |||
| + | === [20p] ARP Cache Poisoning === | ||
| + | |||
| + | //**STEP 1: Set up the environment**// | ||
| + | |||
| + | <note>Create a simulated network with Docker containers to demonstrate how ARP cache poisoning works in a controlled environment.</note> | ||
| + | |||
| + | |||
| + | * Ensure the host system forwards packets between devices. This is crucial for traffic to flow through the attacker container. | ||
| + | <code>sudo sysctl -w net.ipv4.ip_forward=1</code> | ||
| + | |||
| + | * Open a "Victim" terminal (inside your VM): | ||
| + | <code>docker run --rm -ti --entrypoint /bin/bash --name victim ubuntu:22.04</code> | ||
| + | |||
| + | * Open an "Attacker" terminal with IP forwarding enabled: | ||
| + | <code>docker run --rm -ti --entrypoint /bin/bash --name attacker --sysctl net.ipv4.ip_forward=1 ubuntu:22.04</code> | ||
| + | |||
| + | * Open a third terminal for an additional attacker session: | ||
| + | <code>docker exec -ti attacker /bin/bash</code> | ||
| + | |||
| + | //**STEP 2: Configure the victim container**// | ||
| + | |||
| + | <note> Prepare the victim machine to simulate a normal user in the network. | ||
| + | </note> | ||
| + | |||
| + | * Inside the "Victim" terminal | ||
| + | <code>apt update && apt install -y iproute2 iputils-ping netcat-openbsd</code> | ||
| + | |||
| + | * Find the IP address of the victim container | ||
| + | <code>ip a sh</code> | ||
| + | |||
| + | //**STEP 3: Launch the ARP spoofing attack**// | ||
| + | |||
| + | <note> Perform ARP cache poisoning from the attacker container to impersonate the gateway (router) for the victim.</note> | ||
| + | |||
| + | * Inside the "Attacker" terminal | ||
| + | <code> | ||
| + | apt update && apt install -y dsniff tcpdump iproute2 iputils-ping</code> | ||
| + | |||
| + | |||
| + | * Start ARP poisoning | ||
| + | <code> | ||
| arpspoof -i <INTERFACE> -t <VICTIM_IP> <GATEWAY_IP> -r | arpspoof -i <INTERFACE> -t <VICTIM_IP> <GATEWAY_IP> -r | ||
| </code> | </code> | ||
| - | === [10p] Task B: Test Implementation === | + | //**STEP 4: Verify the Setup**// |
| - | * **Attacker terminal:** Listen for DNS traffic from the victim: | + | <note> Observe the impact of ARP poisoning and verify the attack's success. |
| - | <code bash> | + | </note> |
| - | tcpdump udp port 53 -nvvX | + | |
| + | * Open a second session on the attacker container | ||
| + | <code> tcpdump -i <INTERFACE> -nvvX | ||
| </code> | </code> | ||
| - | * **Victim terminal:** Open a netcat server and listen for content | + | <note> Check the victim’s ARP table to confirm the gateway MAC address has been replaced with the attacker’s MAC. The victim’s traffic should now flow through the attacker. </note> |
| - | <code bash> | + | <code> ip nei sh |
| - | # check ARP table (your gateway's MAC should be the attacker's) | + | |
| - | ip nei sh | + | |
| - | # ping your favorite website | + | |
| - | ping my.secretwebsite.com | + | |
| - | # Unfortunately, IP forwarding inside container doesn't work :( | + | |
| </code> | </code> | ||
| - | The ''tcpdump'' capture on the Attacker terminal should show the intercepted DNS requests ;) | + | === [10p] Test Implementation === |
| + | |||
| + | //**STEP 1: Monitor DNS traffic from the victim**// | ||
| + | |||
| + | <note> Capture DNS traffic intercepted during the MitM attack to demonstrate how attackers can steal sensitive information.</note> | ||
| + | |||
| + | * In the attacker terminal | ||
| + | <code> | ||
| + | tcpdump udp port 53 -nvvX | ||
| + | </code> | ||
| + | |||
| + | |||
| + | //**STEP 2: Simulate victim activity**// | ||
| + | |||
| + | <note> Generate network traffic from the victim to verify interception. Observe DNS traffic in the tcpdump output to confirm interception. </note> | ||
| + | |||
| + | |||
| + | * In the victim terminal, check the ARP table | ||
| + | <code> ip nei sh</code> | ||
| + | |||
| + | * Ping a website to generate traffic | ||
| + | <code> ping my.secretwebsite.com </code> | ||
| + | |||
| + | * Unfortunately, IP forwarding inside containers doesn't work in this simulation, but the tcpdump on the attacker should still show intercepted ARP or DNS traffic. | ||
| + | |||
| + | |||
| + | === Mitigation and Defense === | ||
| + | |||
| + | * __Why Mitigation is Necessary:__ ARP spoofing is a common attack on local networks, especially public Wi-Fi. Implementing defenses can prevent unauthorized access and secure sensitive data. | ||
| + | |||
| + | * **Mitigation Techniques:** | ||
| + | - Use static ARP tables to bind specific IP-MAC pairs. | ||
| + | - Enable dynamic ARP inspection (DAI) if supported by your network hardware. | ||
| + | - Use encryption protocols (e.g., HTTPS, VPNs) to secure communications even in the presence of MitM attacks. | ||
| + | - Deploy intrusion detection systems (IDS) to monitor for unusual ARP activity. | ||
| ==== [10p] 4. Feedback ==== | ==== [10p] 4. Feedback ==== | ||
