0.00 Class 3 On Path Attack - cloudsecuritylabs/ethicalhackingclass GitHub Wiki
Class 3 - MITM
Python ARP spoof detector:
- https://www.online-python.com/ZdONk3qLFj
- HSTS Preload: hstspreload.org
HSTS
- https://https.cio.gov/hsts/
- https://www.youtube.com/watch?v=-MWqSD2_37E
ARP Poisoning
MAC addresses identify who you are, IP addresses identify where you are.
- the attacker sends a fake ARP response to the victim, stating that the attacker’s MAC address maps to the GW IP address
- the attacker must also trick the GW into sending it the victim’s traffic
- attacker must create a fake ARP packet showing that the victim’s IP address maps to the attacker’s MAC address
- arpspoof
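A small Python ARP spoof detector in the spirit of the one linked at the top of the page, added here as an example (not the class's own code). It decodes raw ARP replies and flags the two symptoms of the poisoning described above: an IP whose MAC suddenly changes, and one MAC claiming both the gateway and the victim IP. All MAC and IP values below are constructed sample data.

```python
import struct
from collections import defaultdict

# Ethernet/IPv4 ARP payload (Ethernet header already stripped): 28 bytes
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(packet):
    """Decode one ARP payload into a dict of printable fields; rejects non Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp(sha, spa, tha, tpa, op=ARP_REPLY):
    """Constructed test input: pack an ARP packet exactly as a NIC would put it on the wire."""
    to_mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    to_ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, to_mac(sha), to_ip(spa), to_mac(tha), to_ip(tpa))


class ArpSpoofDetector:
    """Learns IP->MAC bindings from ARP replies (first answer wins) and raises alerts when
    a binding changes or one MAC answers for several IPs. Heuristic: a router with several
    addresses on one interface would also trip the second rule, so treat alerts as leads."""

    def __init__(self):
        self.ip_to_mac = {}                   # ip -> first MAC seen answering for it
        self.mac_to_ips = defaultdict(set)    # mac -> every ip it has claimed

    def observe(self, packet):
        arp = parse_arp(packet)
        if arp["op"] != ARP_REPLY:            # only replies carry a binding claim
            return []
        ip, mac, alerts = arp["spa"], arp["sha"], []
        known = self.ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"{ip} changed from {known} to {mac}")
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims multiple IPs: {', '.join(sorted(self.mac_to_ips[mac]))}")
        return alerts
```

Feed it the ARP payloads captured on the victim (for example from a pcap with the Ethernet header removed); a gateway entry flipping to a new MAC followed by that MAC also answering for the victim is the pattern the arpspoof steps above produce.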
DNS Poisoning
Host files
- Windows 95/98/Me -> c:\windows\hosts
- Windows NT/2000/XP Pro -> c:\winnt\system32\drivers\etc\hosts
- Windows XP Home/Vista/Windows 7 -> c:\windows\system32\drivers\etc\hosts
- Windows 7 -> c:\windows\system32\drivers\etc\hosts
- Windows 8 -> c:\windows\system32\drivers\etc\hosts
- Windows 10 -> c:\windows\system32\drivers\etc\hosts
- Most Linux -> /etc/hosts
tool bettercap
- set arp.spoof.targets [IP of target machine]
- arp.spoof on
- set dns.spoof.domains [domain to spoof, e.g. yahoo.com]
- set dns.spoof.address [attacker IP]
- dns.spoof on
Port Stealing
- the attacker relies on the speed at which forged ARP packets can be sent
- in this attack, the attacker only interacts with the switch and does not perform any ARP spoofing against the machine under attack.
- however, the switch's CAM table is manipulated and a spoofed entry is added, redirecting the victim's traffic to the attacker.
SSL Stripping
- SSL stripping, or SSL downgrade, is an attack vector that downgrades an HTTPS connection to HTTP
- an attacker sits between the victim and the web server and acts as a transparent proxy.
- the attacker maintains an HTTP-based downstream connection with the victim and a proper HTTPS upstream connection with the destination server.
Steps:
- ARP poisoning
- SSL stripping
- set up a transparent proxy between the attacker and the victim
Process
- user -> cnn.com [ clear text --> this is the step exploited by the attacker ]
- CNN -> 302 redirects the client to https://cnn.com
- user -> https://cnn.com
Protection: HTTP Strict Transport Security (HSTS): the browser (client) remembers that the site is HTTPS-only.
LAB 1
- https://github.com/cloudsecuritylabs/ethicalhackingclass/wiki/0.00-Class1-Lab1
- arpspoof -i eth0 -t [Windows machine IP] [Default Gateway IP]