Hacking with Backtrack Lecture-3
0 likes188 views
This document discusses techniques for man-in-the-middle attacks using Backtrack 5 R3. It begins with a caution that the information is for educational purposes only. It then outlines different attack scenarios like ARP poisoning and DNS spoofing that can be used locally or through a gateway. The bulk of the document provides step-by-step instructions for setting up an ARP poisoning man-in-the-middle attack on a local area network using tools like Ettercap on Backtrack 5 R3. It concludes with reminders not to use the techniques for illegal purposes and to learn more about how ports and IP addressing work.
Hacking with Backtrack Lecture-3
- 1. HACKING WITH BACKTRACK 5 R3 Zia Ush Shamszaman ANLAB, ICE, HUFS Date: 20130305 1
- 2. !!Caution!! This material is for educational purpose only. We don't intend to ha ck, crack or anything related to cyber crime 2
- 4. 4 MITM attack scenarios Different attacks in different scenarios: LOCAL AREA NETWORK: - ARP poisoning - DNS spoofing - STP mangling - Port stealing FROM LOCAL TO REMOTE (through a gateway): - ARP poisoning - DNS spoofing - DHCP spoofing - ICMP redirection - IRDP spoofing - route mangling REMOTE: - DNS poisoning - traffic tunneling - route mangling
- 5. 5 MITM ATTACK TECHNIQUES THE LOCAL SCENARIO
- 6. 6 Local attacks (1) ARP poisoning • ARP is stateless (we all knows how it works and what the problems are) • Some operating systems do not update an entry if it i s not already in the cache, others accept only the first received reply (e.g. Solaris) • The attacker can forge spoofed ICMP packets to forc e the host to make an ARP request. Immediately after the ICMP it sends the fake ARP reply
- 7. 7 The scenario Gateway Victim Attacker Gratuitous ARP (forged) Gratuitous ARP (forged)
- 8. 8 Local attacks (1) ARP poisoning - Tools • ettercap (http://ettercap.sf.net) • Poisoning • Sniffing • Hijacking • Filtering • SSH v.1 sniffing (transparent attack) • dsniff (http://www.monkey.org/~dugsong/dsniff) • Poisoning • Sniffing • SSH v.1 sniffing (proxy attack)
- 9. 9 Local attacks (1) ARP poisoning - countermeasures • YES - passive monitoring (arpwatch) • YES - active monitoring (ettercap) • YES - IDS (detect but not avoid) • YES - Static ARP entries (avoid it) • YES - Secure-ARP (public key authentication)
- 10. 10 Local attacks (2) DNS spoofing HOST DNSserverX.localdomain.in 10.1.1.50 MITM 10.1.1.1 If the attacker is able to sniff the ID of the DNS request, he/she can reply before the real DNS server
- 11. • ettercap (http://ettercap.sf.net) • Phantom plugin • dsniff (http://www.monkey.org/~dugsong/dsniff) • Dnsspoof • zodiac (http://www.packetfactory.com/Projects/zodiac) 11 Local attacks (2) DNS spoofing - tools
- 12. Man in the Middle Attack Before we going to start ettercap we have to configure the /etc/etter.conf file at /etc.etter.conf Remove two # from here 12
- 13. Man in the Middle Attack in BT 13
- 14. Step-1 14
- 15. Step-2 15
- 16. Step-3 16
- 17. Step-4 17
- 18. Step-5 18
- 21. Step-8 21
- 22. Step-9 22
- 23. Step-10 23
- 24. Step-11 24
- 25. Step-12 25
- 26. Step-13 26
- 27. Step-14 27
- 28. Step-15 28
- 29. Step-16 29
- 30. Don’t do anything harmful Thank You J 30
- 31. How Port and IP works ! 31
- 32. HOW DNS Query Works 32