Man in the Middle lab #1
Aharon Brodie
Introduction to Applied Network Security
By Prof. Herzberg
MAC Address
• Briefly:
  • Unique ID for network cards
  • Relevant for the link layer, layer 2 of the OSI model
  • Used to find IP addresses of nodes on the same network
• Looking up a MAC address:
  • Our local one: ifconfig (HWaddr)
  • Others' are listed in the ARP table: arp
ARP Spoofing
• Briefly:
  • What can be attacked?
    • ARP table of HostA
    • ARP cache of switch
  • How do we attack?
    • Send Attacker's MAC address as belonging to HostB
  • What we accomplish:
    • HostA is communicating with Attacker thinking it is HostB
    • Attacker forwards data to HostB and has access to the communication (a.k.a. Man in the Middle attack)
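To see what the poisoned ARP table of HostA looks like from the defender's side, the following added example (not part of the original slides) compares two snapshots of Linux `arp -n` output and reports an IP whose MAC changed and a MAC that answers for more than one IP. The addresses, the sample tables and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed `arp -n` snapshots taken on HostA (all addresses are made up).
BEFORE = """\
Address          HWtype  HWaddress           Flags Mask  Iface
192.168.1.1      ether   00:0c:29:aa:bb:01   C           eth0
192.168.1.12     ether   00:0c:29:aa:bb:02   C           eth0
192.168.1.66     ether   00:0c:29:de:ad:66   C           eth0
192.168.1.30             (incomplete)                    eth0
"""
# Same table after HostB's entry (192.168.1.12) was overwritten.
AFTER = BEFORE.replace("192.168.1.12     ether   00:0c:29:aa:bb:02",
                       "192.168.1.12     ether   00:0c:29:de:ad:66")

def parse_arp_table(text):
    """Return {ip: mac}; the header and incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and MAC_RE.match(fields[2].lower()):
            table[fields[0]] = fields[2].lower()
    return table

def find_spoofing(before, after):
    """Return (kind, detail) findings between two {ip: mac} snapshots."""
    findings = []
    for ip, mac in sorted(after.items()):
        old = before.get(ip)
        if old and old != mac:          # an existing mapping was rewritten
            findings.append(("changed", f"{ip}: {old} -> {mac}"))
    owners = defaultdict(list)
    for ip, mac in after.items():
        owners[mac].append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:                # can also be proxy ARP or IP aliases
            findings.append(("shared", f"{mac} claims {', '.join(sorted(ips))}"))
    return findings

if __name__ == "__main__":
    for kind, detail in find_spoofing(parse_arp_table(BEFORE),
                                      parse_arp_table(AFTER)):
        print(kind, detail)
```

A "shared" finding alone is not proof of spoofing, since proxy ARP and hosts with several addresses on one NIC produce it too; a "changed" entry for a host that did not swap its network card is the stronger signal.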
VMWare
• VMWare allows us to run a virtual OS on one computer.
• Download VMPlayer (it's free) from: www.vmware.com/download/player/
• Download a virtual OS from: http://www.vmware.com/vmtn/appliances/directory/
• I recommend the Red Hat 6.2 image (it contains a telnet service which is easy to attack via MitM)
• A direct URL for it is: http://www.vmware.com/vmtn/appliances/directory/490
Installing VMPlayer
• During the installation pay attention to the following:
• There are three types of network configurations available:
  • Bridged: The virtual OS will have a virtual NIC on the same subnet as your real NIC (and an IP on the same subnet)
  • NAT: The virtual OS will be on a virtual network behind your real OS and connect outside through it
  • Host-Only: A virtual network only connecting your real OS and the virtual ones
Running a virtual OS
• Unzip the file
• Check the README for default passwords
• Run 'vmplayer'
• Browse to the directory where you extracted the virtual OS and select the file there (should be with a .vmx extension)
• You might get a dialog about creating a new configuration file. Select 'Create'
• Now your virtual OS should boot
Linux Network configuration
• To check your IP address:
  • ifconfig (usually the interface you are interested in is eth0)
• To change your IP address: (Basic)
  • ifconfig [interface] [ip] netmask [netmask] up
    route add -net [network addr.] netmask [netmask] [interface]
  • Example:
    ifconfig eth0 192.168.1.12 netmask 255.255.255.0 up
    route add -net 192.168.1.0 netmask 255.255.255.0 eth0
• To add a default gateway:
  • Example: route add default gw 192.168.1.1 eth0
By default VMware gives your virtual OS an IP
Nubuntu
• Nubuntu is a live CD with many security tools.
• You might be getting a copy in class; if not, you can download and burn it: www.nubuntu.org
• Booting from this live CD loads a fully featured Linux OS running purely in RAM
Testing Environment
• In order to perform a MitM attack we will need three computers.
• If you have 1GB of RAM you can run two virtual OSes from within the live CD (the virtual OSes will be hostA and hostB, while nubuntu will be the attacker)
• You will need to copy vmplayer and the virtual OS files after booting up nubuntu (you can mount your HD or memory stick and copy from there, or download off the 'net)
Other options
• The tool we will be using to perform the attack is called ettercap
• If you have Linux at home you can avoid the live CD. Just install ettercap
• You can also run two virtual OS from within Windows ...BUT...
• Ettercap exists for Windows but has no official binaries or support.
Ettercap on Windows
• Unofficial and unsupported binary: http://sourceforge.net/projects/ettercap/
• Quoted from the forums: This applies to Win2K and WinNT and maybe other Windows: It appears that you may need to make a copy of libnet.dll and packet.dll to libnet and packet (i.e. without the file extension) to make it work. Does not apply to WinXP and Win2K3.
You can just run ettercapNG from Start->All Programs->Ettercap NG->ettercap.
• Alternatively, you can start a command prompt and navigate to the ettercapNG directory and then use:
  • ettercap -G to run the GTK+ GUI
  • ettercap -C to run the Cursed GUI (assuming it has been compiled in).
• To run in Text mode, you first need to list the network interfaces:
  • ettercap -I
• and then tell ettercap which network interface to use:
  • ettercap -i "\Device\NPF_{C5...9E}" -Tq //