Title: Intranet penetration of man-in-the-middle deception attack

ARP Attack

Introduction to the Agreement

The full name of ARP is Address Resolution Protocol, which is an address resolution protocol. It is a TCP/IP protocol that obtains physical addresses based on IP addresses. When the host sends information, it broadcasts the ARP request containing the target IP address to all hosts on the network and receives a return message to determine the target's physical address. After receiving the return message, the IP address and physical address are stored in the native ARP cache and reserved for a certain period of time. The ARP cache is directly queried the next time you request it to save resources.

The ARP address resolution protocol is based on the mutual trust between various hosts in the network. The host on the network can send ARP reply messages independently. When other hosts receive the reply message, they will not detect the authenticity of the message and will record it into the native ARP cache. Therefore, the attacker can send a pseudo ARP reply message to a certain host, so that the information it sends cannot reach the expected host or the wrong host, which constitutes an ARP spoof.

Working Principle

Environmental Assumption

Host A:

IP address: 192.168.1.1MAC address: 0A-11-22-33-44-01Host B:

IP address: 192.168.1.2MAC address: 0A-11-22-33-44-02

Workflow

Step 1: According to the routing table content on Host A, determine that the forwarding IP address used to access Host B is 192.168.1.2, and then host A checks the matching MAC address of Host B in its local ARP cache. Step 2: If Host A does not find the mapping in the ARP cache, it will ask the hardware address of 192.168.1.2, thereby widening the ARP request frames. Play to all hosts on the local network, and the IP address and MAC address of the source host A are included in the ARP request. Each host on the local network receives the ARP request and checks whether it matches its own IP address. If the host finds that the requested IP address does not match its own IP address, it will discard the ARP request. Step 3: Host B determines that the IP address in the ARP request matches its own IP address, then the IP address and MAC location of the host A are Address mapping is added to the local ARP cache. Step 4: Host B sends the ARP reply message containing its MAC address directly back to Host A. Step 5: When Host A receives the ARP reply message sent from Host B, it will update the ARP cache with the IP and MAC address mapping of Host B. The local cache has a lifetime. After the lifetime ends, the above process will be repeated again. Once the MAC address of Host B is determined, Host A can send IP communication to Host B.

Cache Mechanism

ARP cache is a buffer used to store IP addresses and MAC addresses. Its essence is a corresponding table of IP addresses-MAC addresses. Each entry in the table records the IP addresses and corresponding MAC addresses of other hosts on the network. Each Ethernet or token ring network adapter has its own separate table. When the address resolution protocol is asked about the MAC address of a known IP address node, it is first viewed in the ARP cache. If it exists, it will directly return the corresponding MAC address. If it does not exist, it will send an ARP request to query the LAN. In order to minimize the broadcast volume, ARP maintains the cache of IP addresses to MAC address mapping for future use.

ARP cache can contain dynamic and static projects. Dynamic projects are automatically added and deleted over time. The potential life cycle of each dynamic ARP cache item is 10 minutes. The newly added items are timestamped. If a project is not used within 2 minutes after it is added, the project expires and is deleted from the ARP cache. If a project is already in use, another 2 minutes of life cycle will be received. If a project is always in use, another 2 minutes of life cycle will be received until the longest life cycle of 10 minutes. The static project remains in the cache until the computer is restarted.

ARP spoofing

The ARP address resolution protocol is based on the mutual trust between various hosts in the network. Its birth makes the network run more efficiently, but it also has flaws. The ARP address translation table depends on the dynamic update of cache memory in the computer, and the update of cache memory is limited by the update cycle, and only the mapping relationship table entry of the recently used address is saved. This gives an opportunity for attackers to modify the address translation table before the cache memory updates the table entry to achieve an attack.

ARP request is sent in a broadcast form. The host on the network can send ARP reply messages independently. When other hosts receive the reply message, they will not detect the authenticity of the message and record it in the local MAC address translation table. In this way, the attacker can send a pseudo ARP reply message to the target host, thereby tampering with the local MAC address table. ARP spoofing can cause the target computer to fail to communicate with the gateway, and will also lead to communication redirection. All data will be passed through the attacker's machine. The attacker forwards the data between the target and the gateway. This can be used as an 'intermediary' to achieve the purpose of listening to the target without affecting the target's normal Internet access.

Deception Practice

Basic Environment

Attack host: 192.168.174.129 00:0c:29:39:be:eb Normal host: 192.168.174.170 00:0c:29:08:ad:eb Gateway address: 192.168.174.2

Disconnection attack

Step 1: Close port forwarding on attack host

#termination

echo 0 /proc/sys/net/ipv4/ip_forward

#allow

echo 1 /proc/sys/net/ipv4/ip_forward

Step 2: View the current ARP resolution list on a normal host

Step 3: Pin to Baidu on a normal host

ping www.baidu.com -t

You can access Baidu normally:

Step 4: Then, the network is cut off by aprspoof on the attack host

Usage: arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host

# Parameter explanation:

-i Specify the interface to use

-c Specifies the MAC address used when restoring the arp configuration. The default is to use the original MAC (that is, after stopping the arpspoof command, it will be desalted by default)

-t Specify the host to be poisoned. If not specified, it defaults to all hosts under the LAN

-r Two-way poisoning (host and target), thus bidirectional capture of data (only valid if -t is specified at the same time)

#Execution Example:

arpspoof -i eth0 -t 192.168.174.170 192.168.174.2

Step 5: You can see that the ping request timed out, and the browser cannot open www.baidu.com. At the same time, checking the ARP resolution table, you will find that the gateway's MAC address was successfully spoofed and set to the attacker's MAC address.

Step 6: Afterwards the attack was interrupted (because we did not specify the -c parameter before, the original MAC address will be restored)

You can see that the ping returns to normal, and the page and ARP table also return to normal

Image Data

Step 1: Turn on port forwarding, allowing the machine to forward data information like a router

echo 1 /proc/sys/net/ipv4/ip_forward

Step 2: View the current ARP resolution list on a normal host

Step 3: Access the web page on a normal host

Usage: arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host

# Parameter explanation:

-i Specify the interface to use

-c Specifies the MAC address used when restoring the arp configuration. The default is to use the original MAC (that is, after stopping the arpspoof command, it will be desalted by default)

-t Specify the host to be poisoned. If not specified, it defaults to all hosts under the LAN

-r Two-way poisoning (host and target), thus bidirectional capture of data (only valid if -t is specified at the same time)

#Execution Example:

arpspoof -i eth0 -t 192.168.174.170 192.168.174.2

Step 5: Afterwards, driftnet obtains the residual image data information of the victim user when visiting the website

Login credentials

Step 1: Here we continue to expand the above image data part, we use ettercap to capture communication data on the attack host

ettercap -Tq -i eth0

Step 2: Simulate a third-party FTP service

Step 3: Users access third-party FTP services and authenticate

Step 4: The attacker successfully captures the user's account password information

Spoofing Extensions

Here we add a few commonly used ARP spoofing methods and the use of ARP spoofing tools in Windows~

NetFuke

Test environment

Target host: 192.168.174.170 (Win 7) Attack host: 192.168.174.169 (Windows Server 2003) Gateway address: 192.168.174.2

Deception Process

Step 1: Run NetFuke software on the attack host and sniff configuration (the network card here must recognize the IP address, otherwise ARP spoofing cannot be performed)

Step 2: Configuring ARP spoofing

Step 3: Plugin command parameter settings

Step 4: Turn on ARP spoofing

Attack Detection

Introduction to XArp Tools

XArp is a popular ARP firewall software abroad. It can help users establish a special detection system and use advanced technology to detect and deal with various ARP attacks on the network. For example, using ARP spoofing, an attacker can eavesdrop on all your network traffic, including emails and passwords. All of this has not been discovered at all. XArp performs active and passive methods to detect such attacks.

Attack Detection

Step 1: Turn on NetFuke to implement ARP spoofing attack

Step 2: Then, the XARP side can see the alarm information and related record information

PS: I personally feel that this tool is not that good~

Defense measures

The defense methods of ARP fraud mainly start from the following two aspects:

a. Block the propagation of forged data packets:

This method mainly starts from the perspective of network devices such as switches or routers. Taking the switch as an example, it binds the switch's port, MAC address, and IP address to generate a DAI (Dynamic ARP Inspection) detection table. If the host of a certain port sends a data packet that does not match its entry in the DAI table, you can choose to disconnect the network or discard the data packet it sends.

b. The victim does not accept fake data packets

This method mainly starts from the user's perspective. First of all, it is certain not to access unfamiliar networks. Secondly, users can install an ARP firewall on the device. If they are technical personnel, they can choose to establish static ARP entries (suitable for network environments that do not change frequently and have a small number). Windonwde users use the command 'arp -s ip' address mac address to perform static binding

DNS Attack

Domain Name System

DNS (Domain Name System), that is, the domain name resolution protocol. The domain name system maps the domain name and IP addresses to each other in the form of a distributed database. Simply put, DNS is used to resolve domain names. With DNS, we no longer need to remember the annoying IP addresses. Use relatively easy-to-remember domain names to access the server. Even if the server changes its IP address, we can still access the server through the domain name, which can make us more convenient to access the Internet.

When we enter www.baidu.com into our browser, we will go through the following query process:

The client queryes the local DNS server for www.baidu.com local DNS server to check the local database. Since there is no record of the baidu.com domain, it passes the query information to the root domain DNS server and requests the resolution host name. The root domain DNS server returns the IP address of the DNS server responsible for resolving the 'com' domain to the local DNS server. The local DNS server sends the request to the DNS server responsible for the 'com' domain server responsible for the 'com' domain server. According to the request, the IP address of the DNS server responsible for the 'baidu.com' domain will be returned to the local DNS server responsible for the 'baidu.com' domain. The local DNS server sends a request to the DNS server responsible for the 'baidu.com' domain. Since this server has a record of www.baidu.com, it will www.baidu.com. The IP address is returned to the local DNS server. The local DNS server sends the IP address of www.baidu.com to the client. After the domain name is resolved successfully, the client sends the http request to the web server. The web server responds to the client's access request. The client can access the target host.

DNS spoofing

DNS plays such an important role in the Internet, but when designing the DNS protocol, the designer did not consider some security issues, which led to the security risks and defects of DNS. DNS spoofing is a very serious security defect when designing the DNS protocol.

First, the spoofer sends a constructed ARP reply packet to the target machine. After the ARP spoofing is successful, it sniffs the DNS request packet sent by the other party, analyzes the packet to obtain the ID and port number, and sends a DNS return packet constructed by the target. After receiving the DNS reply packet, it finds that the ID and port number are all correct, that is, the domain name and corresponding IP address in the return packet are saved into the DNS cache table, and the real DNS reply packet will be discarded when the later real DNS reply packet is returned.

Deception Practice

Test environment

Attack host: 192.168.174.129 Target host: 192.168.174.170

Simple Test

Step 1: Test the network connectivity of the attack host

Step 2: Then start the Apache service on the attacker's host and construct a phishing page. This is simplified into a normal HTML page. The local test effect is as follows

Step 3: Find the etter.dns file, modify the configuration file, point www.al1ex.com to the local IP address

locate etter.dns

leafpad /etc/ettercap/etter.dns

Step 4: Start spoofing with ettercap

ettercap -G

Then enable DNS spoofing