Differences
This shows you the differences between two versions of the page.
|
isc:labs:08 [2024/11/25 04:58] ebru.resul [[30p] 3. Man in the Middle] |
isc:labs:08 [2025/11/24 12:18] (current) florin.stancu |
||
|---|---|---|---|
| Line 29: | Line 29: | ||
| # let the h4x0rs in (enables the account): | # let the h4x0rs in (enables the account): | ||
| sudo usermod -e -1 -U hacker | sudo usermod -e -1 -U hacker | ||
| + | # make all tty writable by hacker | ||
| + | sudo usermod -aG tty hacker | ||
| </code> | </code> | ||
| Line 80: | Line 82: | ||
| === [10p] Discover Devices on the Network === | === [10p] Discover Devices on the Network === | ||
| - | //**STEP 1: Scan the network with nmap - ping scan**// | + | //**STEP 1: Scan the network with nmap (using ping scan)**// |
| - | * __What It Does:__ Sends ICMP Echo Requests (pings) or TCP/UDP probes to detect devices on the network. | + | * __What It Does:__ Sends ICMP Echo Requests (pings) or TCP/UDP requests to detect devices on the network. |
| * __Strengths:__ Works across subnets and can identify devices beyond the local network. | * __Strengths:__ Works across subnets and can identify devices beyond the local network. | ||
| - | * __Limitations:__ May miss devices that block ICMP or TCP probes. | + | * __Limitations:__ May miss devices that block ICMP or TCP requests. |
| - | <note> **TASK:** Run a ping scan to discover active hosts in your network using nmap (you can use CIDR notation! Remember OpenStack's network prefix?).</note> | + | <note> **TASK:** Run a nmap with ping scan to discover active hosts in your network using nmap (you can use CIDR notation! Remember OpenStack's network prefix?). Hint: Search on google how to run a "nmap with ping scan option"</note> |
| <solution -hidden> | <solution -hidden> | ||
| <code> | <code> | ||
| Line 166: | Line 168: | ||
| * __Purpose:__ Helps test UDP scanning, which is slower and behaves differently than TCP due to the lack of acknowledgments. | * __Purpose:__ Helps test UDP scanning, which is slower and behaves differently than TCP due to the lack of acknowledgments. | ||
| - | <note> **TASK:** Work in pairs. One person opens an UDP server on their VM using netcat, while the other scans for it. Choose a non-standard port (e.g., 10002). </note> | + | <note> **TASK:** Work in pairs. One person opens an UDP server on their VM using netcat, while the other scans for it. Choose a non-standard port (e.g., 10002). Hint: use -k when opening the server to allow multiple connections </note> |
| <solution -hidden> | <solution -hidden> | ||
| Line 269: | Line 271: | ||
| - Ask your colleague for their VM IP address. | - Ask your colleague for their VM IP address. | ||
| - Use `curl` to connect to their HTTP server and display the server’s response | - Use `curl` to connect to their HTTP server and display the server’s response | ||
| - | - Attempt to SSH into their VM using the credentials `hacker:student` | + | - Attempt to SSH into their VM using the credentials `hacker:student31337` |
| - If successful, send a broadcast message to your colleague’s system <code>hacker@<colleague-VM>$ wall "Wazzaap?" </code> | - If successful, send a broadcast message to your colleague’s system <code>hacker@<colleague-VM>$ wall "Wazzaap?" </code> | ||
| </note> | </note> | ||
| + | |||
| + | <note warning> | ||
| + | Unfortunately, ''wall'' [[https://sources.debian.org/src/util-linux/2.41-5/debian/NEWS#L1-L9|was removed from modern Debian systems]] :(( | ||
| + | But we gave ''hacker'' write permissions to all ''tty'', so we could do this instead: <code> | ||
| + | # check for the TTY's address | ||
| + | who # usually, the first one is the owner of the VM, coming from FEP | ||
| + | # then write your message! | ||
| + | echo "Wazzaaa" | tee /dev/pts/0 | ||
| + | </code> | ||
| + | </note> | ||
| <solution -hidden> | <solution -hidden> | ||
| Line 278: | Line 290: | ||
| curl http://<colleague-VM-IP> | curl http://<colleague-VM-IP> | ||
| ssh hacker@<colleague-VM-IP> | ssh hacker@<colleague-VM-IP> | ||
| - | wall "Wazzaap?" | + | echo "wazzzaaaaap" | tee /dev/pts/0 |
| </code> | </code> | ||
| </solution> | </solution> | ||
| Line 459: | Line 471: | ||
| ---- | ---- | ||
| - | For the following exercises, we will use Docker containers to simulate a local network vulnerable to ARP spoofing attacks. (OpenStack filters ARP packets, so you won't be able to do this there). | + | For the following exercises, we will use Docker containers to simulate a local network vulnerable to ARP spoofing attacks. |
| === [20p] ARP Cache Poisoning === | === [20p] ARP Cache Poisoning === | ||
| Line 468: | Line 480: | ||
| - | * Enable IP forwarding on the host system to allow traffic relay | + | * Ensure the host system forwards packets between devices. This is crucial for traffic to flow through the attacker container. |
| <code>sudo sysctl -w net.ipv4.ip_forward=1</code> | <code>sudo sysctl -w net.ipv4.ip_forward=1</code> | ||
| Line 474: | Line 486: | ||
| <code>docker run --rm -ti --entrypoint /bin/bash --name victim ubuntu:22.04</code> | <code>docker run --rm -ti --entrypoint /bin/bash --name victim ubuntu:22.04</code> | ||
| - | * Open an "Attacker" terminal (on the same VM): | + | * Open an "Attacker" terminal with IP forwarding enabled: |
| <code>docker run --rm -ti --entrypoint /bin/bash --name attacker --sysctl net.ipv4.ip_forward=1 ubuntu:22.04</code> | <code>docker run --rm -ti --entrypoint /bin/bash --name attacker --sysctl net.ipv4.ip_forward=1 ubuntu:22.04</code> | ||
| Line 505: | Line 517: | ||
| </code> | </code> | ||
| + | //**STEP 4: Verify the Setup**// | ||
| + | |||
| + | <note> Observe the impact of ARP poisoning and verify the attack's success. | ||
| + | </note> | ||
| + | |||
| + | * Open a second session on the attacker container | ||
| + | <code> tcpdump -i <INTERFACE> -nvvX | ||
| + | </code> | ||
| + | |||
| + | <note> Check the victim’s ARP table to confirm the gateway MAC address has been replaced with the attacker’s MAC. The victim’s traffic should now flow through the attacker. </note> | ||
| + | <code> ip nei sh | ||
| + | </code> | ||
| === [10p] Test Implementation === | === [10p] Test Implementation === | ||
