2009.06.03 17:29

EtterCap - Sniffing in a switched environment

Download: http://ettercap.sourceforge.net

Demo video: http://milw0rm.com/video/watch.php?id=49


Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

- ARP Spoofing -

#ettercap -o -T -P repoison_arp -M arp:remote /switch ip/ /target ip/

#ettercap -Tq -M arp:remote /gateway address/ /target/

#ettercap -T -q -M arp:remote -P dns_spoof //

-q - quiet; suppresses output of packets you do not need to see
-T - text mode
-M - man-in-the-middle attack

The attacker sends ARP replies to the target's IP address so that the target's entry for the gateway carries the attacker's MAC address instead of the gateway's.




EtterCap - ARP Spoofing And Beyond

When it comes to Network Security, my philosophy is - "You can't afford to know less than the Hacker." This means that in order to protect ourselves effectively, we need to understand and experience the same tools and techniques that are used against us.

The following article is a short introduction to EtterCap 0.6a, described by its authors simply as "a multipurpose sniffer / interceptor / logger for switched LANs".

Ettercap heavily relies on ARP spoofing, and if this concept is new to you, you might want to read more about it (at www.mutsonline.com for example) before attempting this tutorial.

NOTE: ARP spoofing could cause damage to your network!

Be sure to try this in a separate lab environment! Ettercap can be found at http://ettercap.sourceforge.net/.

(from the README file):
EtterCap is a multipurpose sniffer / interceptor / logger for a switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis. These features include

  1. Character injection in an established connection: you can inject characters to the server (emulating commands) or to the client (emulating replies) while keeping the connection alive!

  2. SSH1 support: you can sniff User and Pass, and even the data of an SSH1 connection.

  3. HTTPS support: you can sniff http SSL secured data... and even if the connection is made through a PROXY

  4. Remote traffic through GRE tunnel: you can sniff remote traffic through a GRE tunnel from a remote Cisco router and make mitm attack on it

  5. PPTP broker: you can perform man in the middle attack against PPTP tunnels

  6. Password collector for: TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG.

  7. Packet filtering/dropping: you can set up a filter that searches for a particular string (even hex) in the TCP or UDP payload and replaces it with yours, or drops the entire packet.

  8. OS fingerprint: you can fingerprint the OS of the victim host and even its network adapter

  9. Kill a connection: from the connections list you can kill all the connections you want

  10. Passive scanning of the LAN: you can retrieve info about hosts in the LAN, open ports, service versions, type of host (gateway, router or simple host) and estimated distance in hops.

  11. Check for other poisoners: EtterCap has the ability to actively or passively find other poisoners on the LAN.

We will examine only a few of EtterCap's features - the rest is up to you.
  1. The lab network consists of the following computers. 192.168.1.138 is the default Gateway. I'm using a Cisco Catalyst 2900XL Switch (switched environment). 

     

  2. A quick IPConfig on the 192.168.1.1 machine (our victim) to show the IP and ARP cache. Notice the MAC addresses listed in the ARP Cache - this is the "Before" shot. 

     

  3. I start EtterCap on my attacking machine (192.168.1.10) and choose my correct network adapter: 

     

  4. Once this is done, a quick ARP scan is performed in order to map out the network, and then the following screen is shown: 

     

    This is the main screen. From here you can perform most of EtterCap's functions. You may press "H" on every screen to get a help menu, as shown in the next picture. 

     

  5. EtterCap knows how to "FingerPrint" machines. This is done by selecting a machine in the main screen, and pressing the "F" button. 

     

  6. Now for the hectic part… In order to start an ARP spoofing attack, we need to select a source and destination computer. I chose a client in my network (192.168.1.1) and my default gateway. This will effectively sniff all Internet traffic going to and coming from 192.168.1.1. We now choose our source and destination as shown in the next picture, and press "A" in order to start the spoofing. 

     

  7. Once "A" is pressed, the attacked machine gets ARP poisoned, as we can see from the following picture. Notice that the MAC addresses in its ARP cache for 192.168.1.10 (attacking machine) and 192.168.1.138 (default gateway) are now the same! 

 

  8. We will now open an FTP session from the attacked computer (just as an example) and see what is logged. 

     

  9. We can see that the FTP session was captured and logged, including the cleartext username and password. 

     

    If we choose the specific session and enter it, we will see the actual data that passed on the network (see next picture). 

     

    We have successfully managed to sniff a machine on a switched network. However, EtterCap can go beyond sniffing, and even intervene in existing sessions. It's definitely one of those tools worth investigating.

  10. Don't forget that by pressing "H" on each screen you'll get a "Help" menu, to guide you as you go along. 

     

    So we've ARP spoofed a few connections…weeeha. Where's the "Beyond" you promised?

    Well, the beyond bit lies in the fact that EtterCap can intervene in the traffic stream and modify strings at our will! The implications of this are endless, but I'll give a short demonstration of this capability.
    Say you wanted to alter the TCP stream of a WWW session so that every request for www.google.com would redirect you to www.mutsonline.com.

    1. Choose the spoofed source and destination computers, as shown before, and start the spoofing process. 

       

    2. Press "F" to edit your filters: 

       

    3. We want to edit the "Filters on source" to replace www.google.com with www.mutsonline.com on destination port 80. To do this, we press "W" to enter the source filters. We then press "A" to add a filter. Choose the specified filter (in case we have a few) and press Enter to edit it. Add the required input to create your filter. 

       

    4. Pressing "Q" will exit this screen and ask us if we want to save our filter. Choose "yes".

    5. We are now back at the filter screen. Notice that we just made the filter; we still have not ACTIVATED it (both filters are "OFF"). 

       

    6. To activate the filter we need to press "S", and then we should see the filter status turn to "ON".

    7. We now try to surf to www.google.com on the attacked machine: 

       

      ouch…

      When I tried this tutorial in class, I noticed that the example did not work perfectly - perhaps because Google has different sitenames that are redirected according to geographical location, so I followed this with another example.

      In this example we will manipulate text from a financial article on cnn.com, as seen by an attacked computer. This is the page before we intervene: 

       

      "Investors cash in" because of a weakness in something or other… We will now manipulate the data in such a way that the content of the site changes - only on the victim's computer though. Let's reverse the meaning of the article. Let's make the heading "Investors cash out".

      Basically, what this means in Ettercap terms is that we will replace the string "in" with "out" in the HTTP session. 

       

      Please note - this is not a Web server defacement - it's manipulation of the data stream that reaches a specific host in our network, in conjunction with ARP spoofing.

      Conclusion

      So how do we protect our Organization from this evil, evil type of network activity? Well, you're not going to like the answer - There's no simple way. We could use Arpwatch, which is a small daemon that runs on Linux. Arpwatch monitors Ethernet activity and keeps a database of Ethernet / IP address pairings, and can alert on any unexpected changes. Or, we could occasionally use Ettercap to check for the presence of other poisoners. 

       

      I've heard of other solutions, concerning switch port security, however I haven't had the opportunity to test this - I'd be glad to hear your experiences. By the way, the Linux version of Ettercap has many more features and plugins (such as DNS spoofing plugins), but you have to start somewhere right?
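As an added defensive example (not from the article, and not Arpwatch's or Ettercap's own code), the following Python script applies the Arpwatch idea the conclusion describes to two constructed ARP-cache snapshots: it alerts when the gateway's IP/MAC pairing changes between snapshots and when the gateway and another host share one MAC, which is exactly the symptom visible in step 7 of the walkthrough. The IP addresses are those of the article's lab network; the MAC values and the `arp -a` style layout are constructed.

```python
"""Flag ARP-cache changes that look like gateway poisoning (added example)."""
GATEWAY = "192.168.1.138"   # default gateway of the article's lab network

# Constructed snapshots in Windows `arp -a` layout; MAC values are made up.
BEFORE = """\
  Internet Address      Physical Address      Type
  192.168.1.10          00-aa-bb-cc-dd-10     dynamic
  192.168.1.138         00-aa-bb-cc-dd-38     dynamic
"""
AFTER = """\
  Internet Address      Physical Address      Type
  192.168.1.10          00-aa-bb-cc-dd-10     dynamic
  192.168.1.138         00-aa-bb-cc-dd-10     dynamic
"""


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` style text; non-IP lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not all(p.isdigit() for p in parts[0].split(".")):
            continue
        table[parts[0]] = parts[1].lower().replace("-", ":")
    return table


def find_poisoning(before, after, gateway):
    """Compare two snapshots and return human-readable alerts (Arpwatch-style)."""
    alerts = []
    # Rule 1: the gateway's IP/MAC pairing changed between snapshots.
    if gateway in before and gateway in after and before[gateway] != after[gateway]:
        alerts.append(f"gateway {gateway} MAC changed "
                      f"{before[gateway]} -> {after[gateway]}")
    # Rule 2: another host now carries the gateway's MAC (the step 7 symptom).
    gw_mac = after.get(gateway)
    for ip, mac in after.items():
        if ip != gateway and mac == gw_mac:
            alerts.append(f"gateway {gateway} and host {ip} share MAC {mac}")
    # Rule 3: any other host whose pairing changed is also worth a look.
    for ip, mac in before.items():
        if ip != gateway and ip in after and after[ip] != mac:
            alerts.append(f"host {ip} MAC changed {mac} -> {after[ip]}")
    return alerts


if __name__ == "__main__":
    for alert in find_poisoning(parse_arp_table(BEFORE), parse_arp_table(AFTER), GATEWAY):
        print("ALERT:", alert)
```

In practice the "before" snapshot would be the pairings learned on a known-good day and "after" a periodic re-read of the cache on each host.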

      A FEW EXAMPLES from the EtterCap Readme PDF:

      ettercap -b
      Use a broadcast ping to scan the LAN instead of sending ARP requests to all the subnet IPs.

      ettercap -s 192.168.0.1 192.168.0.2
      Enter the interactive mode and sniff only the connections between 192.168.0.1 and 192.168.0.2.

      ettercap -zs -e etter.conf
      Use the IP-based sniffing mode and load the other options from the config file (etter.conf). Note that options in the file override the command line.

      ettercap -Nzs victim.my.net ANY:80
      Sniffs in console mode (non-interactive) only the connections to and from "victim.my.net" that start or end at any other host, but only on port 80 (www). Data is dumped in ASCII mode. To dump in HEX mode add the -x option.

      ettercap -NRzs remote.host.net:23 my.local.host.com
      Useful for sniffing, in console mode (non-interactive), all the connections on a remote LAN on which you are running ettercap. This example keeps your own telnet (:23) connection from "my.local.host.com" to "remote.host.net" from being shown.

      ettercap -Nclg
      This will provide you the entire list of hosts in the LAN. Will check if someone is poisoning you and will report its IP. Will tell you if you are on a switched LAN or not.

      ettercap -NCLzs --quiet
      This will detach ettercap from the console and log all the collected passwords to a file. Only works if the LAN is hubbed, or if the collected passwords are directed to your host.

      ettercap -Np ooze victim.mynet.org
      Launch the plugin "ooze", which will portscan the host "victim.mynet.org" after resolving it to the right IP.

      About the Author:
      Mati Aharoni, MCSES, MCT, CCNA, CCSA, CISSP
      Visit the Security through Hacking Web site at http://www.secureit.co.il/ for additional information.


Original article: http://www.securitypronews.com/securitypronews-24-20030623EtterCapARPSpoofingandBeyond.html


2009.06.03 16:49

Man-in-the-Middle Attack (video)

Man-in-the-Middle Attack

Synonyms:
Web site spoofing, spoofed or faked web sites, pharming

Description:
The term "man-in-the-middle attack" is used to describe a computer attack in which a cybercriminal intercepts the communication between a consumer and a legitimate organization through a fake web site. In such an attack, neither the consumer nor the organization is aware that their communication is being illegally monitored. The criminal is effectively sitting in the middle of the transaction between the consumer and the consumer's bank, credit company or retailer.

The man-in-the-middle server electronically "eavesdrops" on every keystroke, handing the criminal usernames, passwords and account information. Criminals carry out this fraud in several ways. They trick consumers into clicking links to fake web sites in phishing and pharming e-mail messages. They also use spyware and other malware that, once on the consumer's computer, redirects the web browser to fake sites. The most technically skilled manipulate real web sites so that visitors are sent on to fake sites.

How to recognize the threat:
Be especially wary of any e-mail or text message claiming to come from a public institution that asks you to click a link and log in to a web site to resolve an important problem. Scare tactics are used to lure unsuspecting users into man-in-the-middle traps.

What to do:
Never click links or open attachments in spam e-mail or text messages. Delete such e-mails and messages. If you are concerned, call the organization or open a web browser and type the address yourself. If the site has changed since your last visit, be careful. Install up-to-date anti-virus and anti-spyware programs on your computer, and install a firewall. These precautions will reduce the chance that a virus directs you to a criminal's web site. Also, when entering a site whose security you doubt, look for the padlock or key icon at the bottom of the browser.

Source: http://www.b4usurf.org/


SSL MITM (Man-in-the-Middle) attack video link (2007)
 : http://www.gilgil.co.kr/bbs/view.php?id=lecture&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=614


Related security news link (2007)
 : http://www.boannews.com/media/view.asp?idx=7371


