Differences
This shows you the differences between two versions of the page.
|
isc:labs:08 [2024/11/25 04:58] ebru.resul [[30p] 3. Man in the Middle] |
isc:labs:08 [2024/11/27 09:47] (current) ebru.resul [[30p] 1. Port Scanning] |
||
|---|---|---|---|
| Line 80: | Line 80: | ||
| === [10p] Discover Devices on the Network === | === [10p] Discover Devices on the Network === | ||
| - | //**STEP 1: Scan the network with nmap - ping scan**// | + | //**STEP 1: Scan the network with nmap (using ping scan)**// |
| - | * __What It Does:__ Sends ICMP Echo Requests (pings) or TCP/UDP probes to detect devices on the network. | + | * __What It Does:__ Sends ICMP Echo Requests (pings) or TCP/UDP requests to detect devices on the network. |
| * __Strengths:__ Works across subnets and can identify devices beyond the local network. | * __Strengths:__ Works across subnets and can identify devices beyond the local network. | ||
| - | * __Limitations:__ May miss devices that block ICMP or TCP probes. | + | * __Limitations:__ May miss devices that block ICMP or TCP requests. |
| - | <note> **TASK:** Run a ping scan to discover active hosts in your network using nmap (you can use CIDR notation! Remember OpenStack's network prefix?).</note> | + | <note> **TASK:** Run a nmap with ping scan to discover active hosts in your network using nmap (you can use CIDR notation! Remember OpenStack's network prefix?). Hint: Search on google how to run a "nmap with ping scan option"</note> |
| <solution -hidden> | <solution -hidden> | ||
| <code> | <code> | ||
| Line 166: | Line 166: | ||
| * __Purpose:__ Helps test UDP scanning, which is slower and behaves differently than TCP due to the lack of acknowledgments. | * __Purpose:__ Helps test UDP scanning, which is slower and behaves differently than TCP due to the lack of acknowledgments. | ||
| - | <note> **TASK:** Work in pairs. One person opens an UDP server on their VM using netcat, while the other scans for it. Choose a non-standard port (e.g., 10002). </note> | + | <note> **TASK:** Work in pairs. One person opens an UDP server on their VM using netcat, while the other scans for it. Choose a non-standard port (e.g., 10002). Hint: use -k when opening the server to allow multiple connections </note> |
| <solution -hidden> | <solution -hidden> | ||
| Line 459: | Line 459: | ||
| ---- | ---- | ||
| - | For the following exercises, we will use Docker containers to simulate a local network vulnerable to ARP spoofing attacks. (OpenStack filters ARP packets, so you won't be able to do this there). | + | For the following exercises, we will use Docker containers to simulate a local network vulnerable to ARP spoofing attacks. |
| === [20p] ARP Cache Poisoning === | === [20p] ARP Cache Poisoning === | ||
| Line 468: | Line 468: | ||
| - | * Enable IP forwarding on the host system to allow traffic relay | + | * Ensure the host system forwards packets between devices. This is crucial for traffic to flow through the attacker container. |
| <code>sudo sysctl -w net.ipv4.ip_forward=1</code> | <code>sudo sysctl -w net.ipv4.ip_forward=1</code> | ||
| Line 474: | Line 474: | ||
| <code>docker run --rm -ti --entrypoint /bin/bash --name victim ubuntu:22.04</code> | <code>docker run --rm -ti --entrypoint /bin/bash --name victim ubuntu:22.04</code> | ||
| - | * Open an "Attacker" terminal (on the same VM): | + | * Open an "Attacker" terminal with IP forwarding enabled: |
| <code>docker run --rm -ti --entrypoint /bin/bash --name attacker --sysctl net.ipv4.ip_forward=1 ubuntu:22.04</code> | <code>docker run --rm -ti --entrypoint /bin/bash --name attacker --sysctl net.ipv4.ip_forward=1 ubuntu:22.04</code> | ||
| Line 505: | Line 505: | ||
| </code> | </code> | ||
| + | //**STEP 4: Verify the Setup**// | ||
| + | |||
| + | <note> Observe the impact of ARP poisoning and verify the attack's success. | ||
| + | </note> | ||
| + | |||
| + | * Open a second session on the attacker container | ||
| + | <code> tcpdump -i <INTERFACE> -nvvX | ||
| + | </code> | ||
| + | |||
| + | <note> Check the victim’s ARP table to confirm the gateway MAC address has been replaced with the attacker’s MAC. The victim’s traffic should now flow through the attacker. </note> | ||
| + | <code> ip nei sh | ||
| + | </code> | ||
| === [10p] Test Implementation === | === [10p] Test Implementation === | ||
