Network Attacks Lab


-------------------------------------------------------------------------------------------------------


Many of these attacks will work on both WIRED and WIRELESS targets.

You can use any of:


1) Ubuntu Desktop WIRED, or

2) Boot BackTrack Desktop WIRED, or

3) Boot BackTrack on your Notebook WIRELESS


The three tools we will try are: 


dsniff tools, ettercap, and aircrack


-------------------------------------------------------------------------------------------------------


DSNIFF


1 -- % dsniff


Let's run %dsniff, and see if we sniff any passwords or password hashes during this lab.


a) open a Terminal window in your secondary Workspace

b) in that Terminal just type:


dsniff


Just leave it running in that window.

We'll come back and look at this window at the end of the lab.


2 -- % macof


("macof" stands for "MAC OverFlow...").

Let's flood the lookup table of the switch and see if we start to see more traffic.  First we want to launch a traffic analysis tool, such as %iptraf, to see what the normal traffic rate is.


a) run iptraf, select monitor mode for your main interface


iptraf


b) leave that running in a window

c) open another window and run


macof


d) did you start seeing a lot more TCP connections in the iptraf window? __________________________________


3 -- % arpspoof


a) Pick 2 machines in your group for this exercise.

Machine #1 is the VICTIM

Write Down the IP Address of Machine #1 ___________________

Visit the Website http://www.cnn.com/

Look at your ARP Cache.  ( arp -a, or ip neighbor show )

What is the MAC Address of the Gateway? ___________________


b) Machine #2 is the Attacker

-- Install/Start APACHE on Machine #2

-- Change the Default Webpage on Machine #2 to Say: "Owned by Group #<Your Group>"

  This is probably in the directory /var/www/html/index.html

-- Check your webpage with a browser so you know it is working.


c) figure out what the IP Address of the Default Gateway is on your network.  Example: netstat -r -n

The default route should start with 0.0.0.0, followed by the Gateway IP address.


d) Attack Machine #1 from Machine #2

arpspoof -t <VICTIM-IP-ADDRESS> <GW-IP-ADDRESS>


e) now have the VICTIM connect to http://www.cnn.com/


Did they see your webpage? _____________________________


f) Have the VICTIM look at the ARP Cache.

What is the MAC Address of the Gateway?____________________


If this attack does not work, try it one more time.
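
The before/after ARP cache comparison from steps a) and f) can be automated on the VICTIM side. The script below is an added example, not part of the original lab: it parses saved `arp -a` or `ip neighbor show` output, reports a gateway whose MAC changed, and reports any MAC that answers for more than one IP. The addresses and MACs in the sample are constructed.

```python
import re

MAC = r"(?:[0-9a-fA-F]{1,2}[:-]){5}[0-9a-fA-F]{1,2}"
# `ip neighbor show`:  192.0.2.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
# `arp -a`:            ? (192.0.2.1) at 00:11:22:33:44:55 [ether] on eth0
PATTERNS = [
    re.compile(rf"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s.*\blladdr\s+(?P<mac>{MAC})"),
    re.compile(rf"\((?P<ip>\d+\.\d+\.\d+\.\d+)\)\s+at\s+(?P<mac>{MAC})"),
]

def normalize(mac):
    return ":".join(p.zfill(2) for p in re.split("[:-]", mac.lower()))

def parse_neighbors(text):
    """Return {ip: mac}; unresolved entries (FAILED, <incomplete>) are skipped."""
    table = {}
    for line in text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line.strip())
            if m:
                table[m["ip"]] = normalize(m["mac"])
                break
    return table

def check_arp(before, after, gateway_ip):
    findings = []
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    if old and new and old != new:
        findings.append(f"gateway {gateway_ip} moved {old} -> {new}")
    owners = {}
    for ip, mac in after.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(f"{mac} answers for {', '.join(sorted(ips))}")
    return findings

# Constructed sample output: documentation addresses and made-up MACs.
BEFORE = """\
192.0.2.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.0.2.30 dev eth0  FAILED
"""
AFTER = """\
? (192.0.2.1) at 0:AA:bb:cc:dd:2 [ether] on eth0
? (192.0.2.20) at 00:aa:bb:cc:dd:02 [ether] on eth0
? (192.0.2.30) at <incomplete> on eth0
"""

if __name__ == "__main__":
    print("\n".join(check_arp(parse_neighbors(BEFORE), parse_neighbors(AFTER), "192.0.2.1")))
```

A shared MAC is not always hostile (a router with several addresses on one interface looks the same), so treat that finding as a prompt to check, and pin the gateway with a static ARP entry where the cache must not change.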


-------------------------------------------------------------------------------------------------------


ETTERCAP


1 -- % ettercap MITM #1


Let's see if we can run a Man-In-The-Middle Attack.

For this exercise, we need three machines: 2 Victims and 1 Attacker.  Write down the IP Addresses:


a) IP of VICTIM #1 _________________________________________

b) IP of VICTIM #2 _________________________________________

c) IP of ATTACKER ________________________________________


Run A Sniffer On the ATTACKER Machine to Watch For Traffic

ex. tshark -n -i eth0

or 

wireshark


d) try the attack


ettercap -T -M arp  /victim1/    /victim2/


e) now have VICTIM1 send traffic to VICTIM2, for example, on VICTIM1 say:


telnet <IP-OF-VICTIM2>


f) Did you see the traffic on the ATTACKER machine?________________


2 -- % ettercap MITM #2


Keep your traffic sniffer running on the attack machine.

Let's try another attack with ettercap.


a) IP of VICTIM_________________________________

b) IP of GATEWAY______________________________


ettercap -T -M arp:remote /VICTIM-IP/ /GATEWAY-IP/ 


c) Try some Remote Traffic on the VICTIM, ex. http://www.cnn.com/


d) Do you see the traffic on the ATTACKER machine?____________________


e) Add the plugin option


ettercap -T -P repoison_arp -M arp:remote /VICTIM-IP/ /GATEWAY-IP/


Try it again.


-------------------------------------------------------------------------------------------------------


AIRCRACK


Let's try and knock someone off of their AP connection.

We'll send management frames to disassociate them from their AP.


a) select a wireless VICTIM

b) what is the wireless MAC Address of VICTIM ____________________

c) what is the wireless MAC Address of the AP_____________________

(Just have the victim look at %iwconfig output)

d) Launch the attack:


aireplay -0 1  -a AP-MAC  -c VICTIM-MAC [interface]


NOTE: the MAC notation is: 00:11:22:33:44:55


e) did the VICTIM lose connection during the attack???_________________



--- END