8/3/2019 BTQLMang_Ettercap_
Ettercap network management software, Group 2, H09VT9
A STUDY OF THE NETWORK MANAGEMENT SOFTWARE ETTERCAP
PREFACE
It can be said that in computer science today no field is more important than networking. A computer network is two or more computers connected in some way so that they can exchange information with one another and share data, rather than passing it around by printing it or by copying it onto floppy disks and CD-ROMs.

Network infrastructure is therefore an indispensable part of any organisation or company. In today's economy, most organisations and companies whose premises are limited in area and floor space deploy a LAN so that managing their internal data is convenient and the safety and confidentiality of that data is assured; a LAN also lets the staff of the organisation or company access data conveniently and at high speed. A further advantage is that a LAN lets the network administrator assign rights to resources per user clearly and conveniently, which helps those responsible for leading the company manage staff and run the company easily. At the same time, the network administrator also needs methods that put data security first and fend off attacks by hackers. Doing this requires exploring, studying and testing a number of software tools that support network management. Our Group 2 set out to study and test the network management software Ettercap for Windows XP. For students with our level of knowledge, researching and testing it was a hard problem in itself. Because our knowledge and time were limited, this report cannot avoid certain mistakes. We very much hope to receive comments and discussion from our teachers and classmates so that the report can be improved.

Sincere thanks!

Hanoi, 20 June 2011
Prepared by
Group 2
1. OVERVIEW OF THE SOFTWARE
1.1 General information about the software
Ettercap is a tool for man-in-the-middle attacks on a LAN. It can sniff live connections, filter content passing over the network on the fly, and perform many other interesting tricks. It supports active and passive dissection of many protocols (even encrypted ones) and includes many features for network and host analysis.
1.2 Purpose
- With Ettercap you can monitor the traffic flowing on your network, capture information, display and intervene in connections, and watch the hosts communicating on that network.
- It supports the Address Resolution Protocol (ARP) spoofing attack technique, also called ARP flooding, ARP poisoning or ARP Poison Routing (APR). This is an attack launched from one computer on the LAN which, by abusing the ARP protocol and MAC and IP addresses, aims to cut one or more computers off from the modem, leaving those computers unable to reach the Internet.
- It is also used in another kind of MITM attack, DNS spoofing.
1.3 Main functions
- SSH1 support: you can capture the username and password, and even the data, of an SSH1 connection.
- HTTP support: you can capture data from HTTP over SSL, even when the connection is made through a proxy.
- Remote traffic through a GRE tunnel: you can sniff remote traffic through a GRE tunnel from a Cisco router and perform MITM attacks on it.
- PPTP broker: you can act as a man in the middle against PPTP tunnels.
- Password collection for: Telnet, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, Quake 3, MSN, YMSG.
- Packet filtering/dropping: you can set up a filter that searches for a string (even hex) in the TCP or UDP payload and replaces it with your own or drops the whole packet.
- OS fingerprinting: you can fingerprint the operating system of the victim hosts and even of the network router.
- Kill a connection: from the connection list, you can kill any connection you want.
- Passive LAN scanning: you can gather information on the hosts in the LAN, their open ports, service versions, the type of host (gateway, router or simply a host) and an estimate of its distance in network hops.
- Check for other poisoners: Ettercap can actively or passively find other poisoners on the network.
2. ANALYSIS OF SOME FEATURES OF ETTERCAP
2.1 The Ettercap interface on Windows XP
Ettercap can run in DOS and on Windows and Linux. Below we describe Ettercap installed on Windows XP. The figure below shows the program's interface while it is monitoring the computers on the same LAN:
Ettercap is a network sniffer/interceptor/logger for LANs. The tool also supports many different protocols. It can be deployed at several levels, which makes sniffing highly effective, and many plugins are available. It works on switched LANs and can fingerprint operating systems (guess the OS of the computers online on the network).
What is a sniffer?
- It is a form of eavesdropping on a network, based on the characteristics of the TCP/IP mechanism.
- Sniffing is a security technique developed to help network administrators operate their networks more effectively and inspect the data entering and leaving the network. Functions:
+ Collect packets on the system.
+ Help the administrator check the system for faults or unusual packets.
From the image above we can see that important information and private files can be stolen quite easily. To prevent such cases, we should not authenticate with usernames and passwords sent as plain text (unencrypted); they should be encrypted with IPsec or SSL.
Ettercap is a powerful sniffer: it captures insecure packets in the clear. We should therefore replace insecure protocols (FTP, Telnet, SMB) with more secure ones, or harden them (SSL, VPN + IPsec).
Network model using Ettercap
Ettercap (a program nicknamed Lord of the Token Ring) has an effective sniffer for switched LAN environments. Ettercap can impersonate the MAC address of the attacked computer's network card: instead of a packet going straight to its intended computer, it is first delivered to the computer running Ettercap and only then forwarded to the destination. This is a very dangerous form of attack called Man in the Middle (MITM); the session between sender and receiver proceeds normally, so the user has no idea they are under attack, much like the wiretaps we often see in films. Programs of this kind are usually called sniffers.
Figure: Unified mode (network card 1) and Bridged mode (network card 1, network card 2)
Ettercap has a powerful password sniffer and can find and display passwords in the following protocols: TELNET, FTP, POP, IMAP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, LDAP, VNC, NFS, SNMP, Half-Life, Quake 3, MSN, YMSG.
Darn, that is a LOT of protocols to steal passwords from!
DNS tampering and spoofing
Ettercap can intercept DNS requests, check them against its own configuration, and reply with a bogus IP.
The fake reply arrives before the real reply can reach the target, so the victim computer ignores the real one.
This can easily be done in "unified" mode; no bridging is needed.
Figure (two diagrams): Victim Computer, Ettercap, The Interwebz
Ettercap plug-ins
You can use Ettercap itself to detect other copies of Ettercap and other sniffers on the network, fighting fire with fire. Ettercap has two very useful plug-ins: one finds computers running Ettercap on the network and the other detects other suspicious sniffers. For example, if you suspect someone is eavesdropping on the network, start Ettercap and press P, then choose the first plug-in, which finds the hosts running Ettercap. When the other side uses a different program such as dsniff, you can detect it with the 15th plug-in, arpcop, which opens a new window listing the computers running ARP spoofing programs on the network.
Once the culprit is identified, you can isolate that computer from the network immediately by pressing P, choosing the plug-in named leech, then choosing Yes and pressing Enter. Some system administrators also use Ettercap to detect virus-infected machines spreading on the network, isolate them with leech, and then clean them with anti-virus programs, which is very effective.
2. Test setup
- Three computers:
- Attacking computer C (attacker): IP 192.168.15.3; MAC 00:18:9A:8E:3F:DE
- Computer A: IP 192.168.15.1; MAC 00:17:9A:8E:2F:DE
- Victim computer B: IP 192.168.15.2; MAC 00:16:36:2E:D2:2E
- One switch connecting the three computers.
- Ettercap is installed on the attacking computer C.
On computer C (attacker): steps to perform ARP spoofing
Figure: computers A, B (victim) and C (attacker) connected through a switch
Computer C, the attacker, wants to carry out an ARP attack against victim computer B. The attacker wants to capture every packet computer A sends to victim B so it can read them. How can the attacker achieve this?
First, computer A wants to send data to the victim. A needs to know the MAC address of the victim (B) to communicate with it, so A broadcasts an ARP Request to all machines on the LAN asking which MAC address belongs to IP 192.168.15.2 (the victim's IP).
- Both attacker C and victim B receive the ARP Request, but only victim B sends an ARP Reply back to host A. The ARP Reply carries victim B's IP, the victim's MAC and computer A's MAC.
After receiving the ARP Reply from the victim, computer A knows victim B's MAC address. A begins communicating and sending data to the victim. Attacker C cannot see the content of the data exchanged between the two machines (A and victim B).
1. Open Ettercap in graphical mode: #ettercap -G
2. Choose the sniffing mode: Sniff/Unified sniffing
3. Scan for hosts: Hosts/Scan for hosts
4. View the MAC and IP addresses of the machines on the network: Hosts/Hosts list. Two machines are shown: computer A: IP 192.168.15.1; MAC 00:17:9A:8E:2F:DE; computer B: IP 192.168.15.2; MAC 00:16:36:2E:D2:2E
5. Choose computer B to poison: select the row containing 192.168.15.2 and press the Target 1 button
6-7. Check the targets: Targets/Current Targets
8. Start ARP poisoning: Mitm/Arp poisoning
9. Start sniffing: Start/Sniffing
Attacker C wants to see the data exchanged between computer A and victim B, so C uses an ARP spoofing attack. Attacker C continuously sends ARP Replies carrying the victim's IP, attacker C's MAC and computer A's MAC: in place of victim B's MAC, the attacker substitutes its own MAC address.
Computer A receives the ARP Reply and believes that the victim's IP 192.168.15.2 has MAC address 00:18:9A:8E:3F:DE (attacker C's MAC). A stores this in its ARP cache.
Now every piece of information and data that A sends to 192.168.15.2 (the victim) is received by the attacker, who can read the entire content A sends to victim B.
Attacker C can also control the whole exchange between computer A and victim B through the ARP attack. Attacker C regularly sends ARP Replies carrying the IP addresses of computer A and victim B but with attacker C's MAC address.
When computer A receives this packet it believes victim B's MAC address is 00:18:9A:8E:3F:DE (attacker C's MAC).
When the victim receives this packet it believes computer A's MAC address is 00:18:9A:8E:3F:DE (the attacker's MAC).
Attacker C receives all traffic exchanged between computer A and victim B, and so can read the content of their exchange.
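What the poisoning described above leaves behind in computer A's ARP cache is also what a defender can check for. The following script is an added example, not code from the original report or from Ettercap: it parses two snapshots of arp -a output (constructed here from the report's own addresses for A, B and C, not real captures) and flags the three indicators of ARP cache poisoning: an IP whose MAC changed between snapshots, one MAC answering for several IPs, and a disagreement with a known-good inventory, which is assumed to be kept by the administrator.

```python
"""Detect ARP cache poisoning indicators from `arp -a` snapshots.

Added example, not part of the original report. The `arp -a` text below is
constructed from the addresses the report uses for machines A, B and C; it
is not real captured output.
"""
import re
from collections import defaultdict

# One row of Windows `arp -a` output, e.g.
# "  192.168.15.2          00-16-36-2e-d2-2e     dynamic"
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)

# Constructed: computer A's cache before the attack (B and C have their real MACs).
ARP_BEFORE = """
Interface: 192.168.15.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.15.2          00-16-36-2e-d2-2e     dynamic
  192.168.15.3          00-18-9a-8e-3f-de     dynamic
"""

# Constructed: the same cache after C has poisoned it; 192.168.15.2 now maps to C's MAC.
ARP_AFTER = """
Interface: 192.168.15.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.15.2          00-18-9a-8e-3f-de     dynamic
  192.168.15.3          00-18-9a-8e-3f-de     dynamic
"""

# Assumed: a known-good inventory the administrator keeps (values from the report's test setup).
INVENTORY = {
    "192.168.15.1": "00:17:9a:8e:2f:de",
    "192.168.15.2": "00:16:36:2e:d2:2e",
    "192.168.15.3": "00:18:9a:8e:3f:de",
}


def normalize_mac(mac):
    """Windows prints 00-16-36-..., Linux prints 00:16:36:...; compare in one form."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Return {ip: mac} for every IP/MAC row in `arp -a` style output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def find_duplicate_macs(table):
    """A MAC that answers for several IPs is the classic poisoning signature."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_changed_mappings(before, after):
    """IPs whose MAC differs between two snapshots of the same host's cache."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}


def check_against_inventory(table, inventory):
    """IPs whose cached MAC disagrees with the known-good inventory."""
    return {ip: (inventory[ip], mac)
            for ip, mac in table.items() if ip in inventory and inventory[ip] != mac}


def report(before_text, after_text, inventory=INVENTORY):
    """Run all three checks and return the findings keyed by check name."""
    before, after = parse_arp(before_text), parse_arp(after_text)
    return {
        "changed": find_changed_mappings(before, after),
        "duplicates": find_duplicate_macs(after),
        "inventory_mismatch": check_against_inventory(after, inventory),
    }


if __name__ == "__main__":
    for kind, findings in report(ARP_BEFORE, ARP_AFTER).items():
        print(kind, findings or "none")
```

In practice the two snapshots come from running arp -a on the monitored host at intervals (this is the same command the lab section types into the Command Prompt); the inventory check is the one that works from a single snapshot, which is why keeping a list of expected MACs for the gateway and other fixed hosts is worthwhile.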
1. Installation and test run
(test run on 2 PCs)
After installing Ettercap, the screen looks like this:
On the toolbar, choose Sniff/Unified sniffing.
The screen shows a dialog box asking for input.
In the Network interface field, enter eth0.
The toolbar now offers more functions: choose Targets/Current Targets. Here we can see how many computers are on the LAN (based on the address range, shown in detail below).
The interface shows Target 1 and Target 2. On the toolbar choose Hosts/Hosts List; the screen shows the parameters of the two computers:
IP address / MAC address
The attacker machine can be understood as the hacker's machine; the victim machine is the one being attacked.
Here IP 192.168.15.1 is the attacker machine
and IP 192.168.15.2 is the victim machine.
Click the victim's address and press Add to Target 1; click the hacker's address and press Add to Target 2.
Go to Mitm/MITM attack ARP Poisoning. In the dialog box, tick Sniff remote connections and press OK.
In the panel at the bottom of the program, the groups are shown; press Start sniffing.
Choose Plugins/Manage the plugins.
The Plugins section lists the available plugins.
Double-click the repoison_arp entry.
In the Command Prompt, type arp -a.
Click repoison_wtg; the pane below shows the victim machine's username and password entered when logging in to youtube.com.
III. Practical application on a large network
DNS spoofing attack using DNS ID spoofing
Ettercap also has an excellent DNS spoofing feature and can be used to carry out many kinds of MITM attack. It is a tool that works on both Windows and Linux.
If you install Ettercap on a Windows computer you will find it has a rather nice graphical user interface (GUI); in this example, however, we use the command-line interface.
Before running Ettercap you need to do a little configuration. At its core Ettercap is a data sniffer; it uses plug-ins to perform the various attacks. The dns_spoof plug-in is what we use in this example, so we must edit the configuration file associated with that plug-in. On Windows this file is found at C:\Program Files (x86)\EttercapNG\share\etter.dns, and on Linux at /usr/share/ettercap/etter.dns. It is a fairly simple file containing the DNS records you want to spoof. For our test we want any user trying to reach yahoo.com to be directed to a host on the internal network, so add the entry highlighted in Figure 5.
Figure 5: Adding a spoofed DNS record to etter.dns
These entries tell the dns_spoof plug-in that when it sees a DNS query for yahoo.com or www.yahoo.com (with a type A resource record) it should answer with the IP address 172.16.16.100. In a real scenario the device at 172.16.16.100 would run web server software and show the user a fake website.
Once the file is configured and saved, we can run the command string that launches the attack. The command uses the following options:
-T Use the text interface
-q Run in quiet mode, so that captured packets are not printed to the screen
-P dns_spoof Use the dns_spoof plug-in
-M arp Start the ARP spoofing MITM attack to intercept packets between hosts
// // Target the whole network
The final command for our purpose is:
ettercap.exe -T -q -P dns_spoof -M arp // //
Running this command starts a two-stage attack: first poisoning the ARP caches of the devices on the network, then broadcasting the spoofed DNS query replies.
Figure 6: Ettercap actively listening for DNS queries
Once launched, anyone trying to reach www.yahoo.com will be redirected to our malicious website.
Figure 7: Result of the DNS spoofing attempt from the user's perspective
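Two things the preceding sections describe are visible from the victim's side: the forged reply racing the real one (the "DNS tampering and spoofing" section) and a public name being answered with an internal address, as the etter.dns entry in Figure 5 configures. The script below is an added example, not code from the original report or from Ettercap; it audits a list of observed DNS answers for both signs and cross-checks them against answers obtained over an independent path. All records, transaction ids and the independent resolver's answers are constructed; 172.16.16.100 is the address from the report's etter.dns example, and the other addresses are taken from the RFC 5737 documentation ranges.

```python
"""Flag DNS answers that look spoofed.

Added example, written for this page; not code from the original report or
from Ettercap. All records below are constructed. 172.16.16.100 is the
address the report's etter.dns example returns for yahoo.com; the other
addresses come from the RFC 5737 documentation ranges.
"""
import ipaddress
from collections import defaultdict

# Address ranges that should never be the answer for an Internet host name.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private ranges
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this network"
)]

# Assumed local policy: names under these suffixes legitimately resolve to internal addresses.
INTERNAL_SUFFIXES = (".lan", ".local", ".internal")

# Constructed responses as seen by a victim: (transaction id, queried name, A answer).
# The first two records show the race the report describes: the forged reply for
# txid 0x1A2B arrives first, then the real reply to the same query arrives.
OBSERVED = [
    (0x1A2B, "www.yahoo.com", "172.16.16.100"),
    (0x1A2B, "www.yahoo.com", "198.51.100.7"),
    (0x3C4D, "yahoo.com", "172.16.16.100"),
    (0x5E6F, "intranet.corp.lan", "10.0.0.5"),
    (0x7081, "www.example.com", "203.0.113.10"),
]

# Constructed answers obtained over an independent path (for example a resolver
# reached through a VPN), used as a second opinion.
TRUSTED = {
    "www.yahoo.com": "198.51.100.7",
    "yahoo.com": "198.51.100.7",
    "www.example.com": "203.0.113.10",
}


def is_internal_name(name):
    """True for names that local policy allows to map to internal addresses."""
    return name.lower().rstrip(".").endswith(INTERNAL_SUFFIXES)


def is_non_routable(ip):
    """True if the answer lies in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def check_answer(name, ip, trusted=TRUSTED):
    """Reasons a single (name, answer) pair is suspicious; empty list if it looks fine."""
    reasons = []
    if is_non_routable(ip) and not is_internal_name(name):
        reasons.append("non-routable address returned for an Internet name")
    expected = trusted.get(name)
    if expected is not None and expected != ip:
        reasons.append(f"differs from independent resolver ({expected})")
    return reasons


def find_conflicting_responses(records):
    """Transaction ids that received more than one distinct answer: a forged
    reply racing the real one leaves exactly this trace on the wire."""
    answers = defaultdict(set)
    for txid, name, ip in records:
        answers[(txid, name)].add(ip)
    return {key: sorted(ips) for key, ips in answers.items() if len(ips) > 1}


def audit(records, trusted=TRUSTED):
    """Per-answer findings under 'answers', racing replies under 'conflicts'."""
    answers = {}
    for _, name, ip in records:
        reasons = check_answer(name, ip, trusted)
        if reasons:
            answers[f"{name} -> {ip}"] = reasons
    return {"answers": answers, "conflicts": find_conflicting_responses(records)}


if __name__ == "__main__":
    for key, value in audit(OBSERVED).items():
        print(key, value)
```

The conflict check needs nothing but the victim's own view of the traffic, which is why an IDS placed on the segment can raise it; the independent-resolver check is the practical form of the "do not rely on DNS" advice in the defence section, since it only helps when the second path does not pass through the same poisoned switch segment.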
Defending against DNS spoofing
DNS spoofing is quite hard to defend against because there are few signs of an attack. Normally you do not know your DNS has been spoofed until it has happened. What you get is a web page completely different from the one you expected. In highly targeted attacks you may well not know that you were tricked into entering sensitive information on a fake website until you get a call from the bank asking why you withdrew so much money.
Although it is difficult, there are measures that can defend against this kind of attack. Here are some things you should do:
- Protect your internal machines: attacks like this are usually launched from inside your network. If your network devices are secure, you reduce the chance that hosts are compromised and used to launch a spoofing attack.
- Do not rely on DNS for secure systems: on secure, highly sensitive systems, not browsing the Internet from them is the best way to avoid using DNS. If you have software that uses hostnames for some of its work, it should be adjusted as needed in the device's configuration file.
- Use an IDS: an intrusion detection system, when placed and deployed correctly, can expose ARP cache spoofing and DNS spoofing.
- Use DNSSEC: DNSSEC is a new replacement for DNS that uses signed DNS records to guarantee the validity of query responses. DNSSEC is not yet widely deployed, but it has been accepted as the future of DNS.
Conclusion
DNS spoofing is a fairly dangerous form of MITM attack when paired with malicious intent. Using this technique, attackers can exploit spoofing to steal users' sensitive information, install malware via an exploited drive, or cause a denial of service. In the next part of this series we will introduce pass-the-hash attacks and how they can be used to log in to Windows computers without needing users' passwords.