---
tags: Network Security, arp spoofing, Nmap, Ettercap, MITM, Password cracking
---
<style>
img{
width:70%;
height: auto;
display: block;
margin-left: auto;
margin-right: auto;
}
</style>
# Network Security Final Project: Full ARP Spoofing Attack/Defense (Password Cracking)
## Introduction
### Scenario
> Remote work surged during the pandemic, and many people connect remotely to company devices. If a user's security awareness and habits are poor, an attacker can use that device as a pivot into the company LAN and eavesdrop on it.
### Method
> Use an IT employee's remotely accessible machine as a pivot into the company's Linux system, then run ARP spoofing (man in the middle) against that LAN.
### Preconditions:
>1. Weak passwords (the Windows remote-desktop password and the Linux sudo password)
>2. No habit of logging out after using remote access (TeamViewer)
>3. The IT employee's Windows remote-desktop IP address is known.
### Attack Flow:

:::info
[**1. VPN**: Log in to the IT employee's computer over Windows Remote Desktop, then use TeamViewer to reach the company's poorly secured Linux system.](#1-VPN-and-Login-Password-📖)
>**password**
>RDP brute force/dictionary attack/rainbow table
[**2. IP scan and get information**: Use nmap to enumerate the LAN hosts and their services, then choose the attack target.](#2-IP-scan-and-get-information-📖)
[**3. Man in the middle**: Use ettercap to carry out an ARP spoofing man-in-the-middle attack.](#3-Man-in-the-middle-📖)
[**4. clean log**: Remove the remote-connection records.](#4-Clean-log-📖)
:::
### Defence:
:::info
**1. Avoid being used as a pivot**: Do not save account names and passwords on machines at highly confidential work sites.
**2. Man in the middle**: Use DHCP snooping; binding the correct IP-to-MAC mappings prevents the attack.
:::
## ARP spoofing Attack
### 1. VPN and Login Password [📖](#Attack-Flow:)
> **reference:**
>- [Microsoft: RDP brute-force attacks last 2-3 days on average and have a fair success rate](https://ithome.com.tw/news/135234)
>- [Week 11 Information Security: Hashed Passwords (hash) | Yakim shu](https://yakimhsu.com/project/project_w11_Info_Security-Hash.html)
>- [Kali Linux - Password Cracking Tools](https://www.tutorialspoint.com/kali_linux/kali_linux_password_cracking_tools.htm?fbclid=IwAR2ENVqLcNUROEx0B_5mU1YEvX2PWS9_FkL6Ayd469CKCgj1UYrS04nGmB8)
>- [how to HACK a password // password cracking with Kali Linux and HashCat](https://www.youtube.com/watch?v=z4_oqTZJqCo&t=245s)
>- [1] [Crack Shadow Hashes After Getting Root on a Linux System](https://null-byte.wonderhowto.com/how-to/crack-shadow-hashes-after-getting-root-linux-system-0186386/)
>- [How to identify hash types](https://miloserdov.org/?p=1254)
>- [2] [Hashcat - Example hashes](https://hashcat.net/wiki/doku.php?id=example_hashes)
Since no Windows remote host was available for practice, this part was not carried out. Search for keywords such as "RDP brute force"; Kali tools such as Hydra and Johnny can be used.
Even after obtaining remote access, we still need the sudo password to get root. To crack the password offline (on the attacker's own machine), we extract the hash and take it back to the local machine for cracking.

```SHELL=1
cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
www-data:*:14684:0:99999:7:::
backup:*:14684:0:99999:7:::
list:*:14684:0:99999:7:::
irc:*:14684:0:99999:7:::
gnats:*:14684:0:99999:7:::
nobody:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
dhcp:*:14684:0:99999:7:::
syslog:*:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
sshd:*:14684:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
bind:*:14685:0:99999:7:::
postfix:*:14685:0:99999:7:::
ftp:*:14685:0:99999:7:::
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::
statd:*:15474:0:99999:7:::
# [1]
```
Linux stores hashed passwords in /etc/shadow; copy the output and save it locally. Note this line in particular:
```SHELL=1
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
```
```SHELL=1
$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0
# This is the hashed password; create hashes.txt and save it there
# $1 = ID (the hash scheme; $1$ is md5crypt)
# $HESu9xrH = salt
# $k.o3G93DGoXIiQKkPmUgZ0 = password hash
```
Use hashid to look up the hash type first. Common Unix types are 500 and 1800; see [2] for details.
```SHELL=1
sudo hashid -m '$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0'
```
Obtain a dictionary for cracking and run hashcat.
```SHELL=1
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
sudo hashcat -a 0 -m 500 -o crackedpassword.txt hashes.txt /usr/share/wordlists/rockyou.txt
# -m must match the scheme reported by hashid: the $1$ (md5crypt) hash above is mode 500;
# mode 1800 is sha512crypt ($6$) and does not match this hash
# sudo hashcat -a <mode> -m <hash type> -o <save dest.> <hash source.> <dictionary>
```
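From the defender's side, the same `$id$salt$hash` layout tells you which accounts would be exposed to this kind of offline attack if `/etc/shadow` ever leaked. The script below is an added example written for this write-up, not code from the original project: it maps the `$id$` prefix to its scheme (and the hashcat mode the text refers to) and lists the accounts still on md5crypt (`$1$`), which are the first to migrate to sha512crypt or yescrypt. The sample file is constructed (the `$1$` entries are the ones shown above; the `$6$`/`$y$` values are placeholders), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit the password field of
# a shadow-format file. The $id$ prefix identifies the hashing scheme; md5crypt
# ($1$) entries fall to a dictionary attack far faster than sha512crypt ($6$)
# or yescrypt ($y$), so they are the ones a defender migrates first.

# Map one shadow password field to its scheme (hashcat mode numbers as in [2]).
hash_scheme() {
    case "$1" in
        ''|'*'|'!'|'!!'|'!*'|'*LK*') echo "locked-or-no-password" ;;
        '$1$'*)  echo "md5crypt (hashcat -m 500, weak)" ;;
        '$5$'*)  echo "sha256crypt (hashcat -m 7400)" ;;
        '$6$'*)  echo "sha512crypt (hashcat -m 1800)" ;;
        '$y$'*)  echo "yescrypt" ;;
        *)       echo "unknown" ;;
    esac
}

# Constructed sample in shadow format (user:hash:lastchg:min:max:warn:inactive:expire:flag).
# The $1$ hashes are the ones shown on this page; the $6$/$y$ values are placeholders.
SAMPLE_SHADOW='root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
mysql:!:14685:0:99999:7:::
bob:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
carol:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::'

# Print "user<TAB>scheme" for every account that actually holds a password hash.
audit_shadow() {
    while IFS=: read -r user pw _rest; do
        scheme=$(hash_scheme "$pw")
        [ "$scheme" = "locked-or-no-password" ] || printf '%s\t%s\n' "$user" "$scheme"
    done < "$1"
}

# List only the accounts still on md5crypt: the offline-cracking exposure.
weak_md5crypt_users() {
    awk -F: 'index($2, "$1$") == 1 { print $1 }' "$1"
}

# Write the constructed sample to a temp file and print its path.
sample_shadow_file() {
    f="${TMPDIR:-/tmp}/shadow_sample.$$"
    printf '%s\n' "$SAMPLE_SHADOW" > "$f"
    printf '%s\n' "$f"
}

# On a real host (as root): audit_shadow /etc/shadow; weak_md5crypt_users /etc/shadow
```

Run it against the constructed sample with `f=$(sample_shadow_file); audit_shadow "$f"`; on a real system point both functions at `/etc/shadow` as root.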
### 2. IP scan and get information [📖](#Attack-Flow:)
> **reference:**
>- [Nmap Tutorial to find Network Vulnerabilities](https://www.youtube.com/watch?v=4t4kBkMsDbQ&list=WL&index=37)
We use nmap for the IP scan.
```SHELL=1
sudo apt install nmap
```
Scan for hosts that have open ports (running services).
```SHELL=1
sudo nmap -sn -D 192.168.0.5 192.168.0.0/24   # list the live hosts in this LAN (ping scan)
sudo nmap -sS -D 192.168.0.5 192.168.0.0/24   # TCP SYN (half-open) scan
# -D stands for decoy: the scan also appears to come from the fake source IP 192.168.0.5
```
A host with open ports is assumed to provide a network service, e.g. a router or a web server.
In this example, **192.168.0.1** is the router.
<img src="https://i.imgur.com/5cyGkIz.png">
```SHELL=1
sudo nmap -A -D 192.168.0.5 192.168.0.1
# Gather more information on 192.168.0.1 (-A: OS and version detection, default scripts, traceroute)
```

The router's IP can serve as the spoofed target, since it sits between the other connected hosts.
### 3. Man in the middle [📖](#Attack-Flow:)
> **reference:**
>- [ARP Spoofing - Man-in-the-middle attack](https://www.youtube.com/watch?v=hI9J_tnNDCc&list=WL&index=29)
>- [how Hackers SNiFF (capture) network traffic // MiTM attack](https://www.youtube.com/watch?v=-rSqbgI7oZM&list=WL&index=35)
>- [Pentest+: Using Ettercap to perform a MITM Attack](https://www.youtube.com/watch?v=ogtWS6MfiWM&list=WL&index=36)
We use ettercap for ARP poisoning and the MITM, and Wireshark for packet analysis.
```SHELL=1
sudo apt install ettercap-graphical
sudo apt install wireshark
```
The version used is **Ettercap 0.8.3.1**.

Scan for hosts and list them.

Set the targets for the MITM and start the attack.
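The poisoning ettercap performs leaves a telltale in every victim's neighbour table: the attacker's MAC shows up for the router's IP as well as for its own, so one MAC claims several IPs, and the router's entry no longer matches the binding the router actually has. The script below is an added example for this write-up, not part of the original project or of ettercap: it flags MACs bound to more than one IP and compares the table against an expected IP-to-MAC baseline. The neighbour-table sample (in `ip neigh show` format) and the baseline are constructed; the addresses and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original write-up: detect the classic ARP-poisoning
# symptom in a Linux neighbour table. Input is the text of `ip neigh show`.

# Constructed sample: 192.168.0.1 is the router, de:ad:be:ef:00:99 is the poisoner at .99.
NEIGH_SAMPLE='192.168.0.1 dev eth0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.0.20 dev eth0 lladdr aa:bb:cc:00:00:20 STALE
192.168.0.99 dev eth0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.0.30 dev eth0 FAILED'

# Expected bindings (constructed). In practice take them from the router's
# DHCP reservation / IP-MAC binding table described in the defense section.
BASELINE='192.168.0.1 aa:bb:cc:00:00:01
192.168.0.20 aa:bb:cc:00:00:20'

# Print "mac: ip ip ..." for every MAC that is bound to more than one IP.
# Entries without an lladdr (e.g. FAILED) are ignored.
duplicate_macs() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++)
                if ($i == "lladdr") { mac = $(i + 1); ips[mac] = ips[mac] " " $1; count[mac]++ }
        }
        END { for (m in count) if (count[m] > 1) print m ":" ips[m] }'
}

# Print "IP expected MAC got MAC" for every baseline entry whose live MAC differs.
baseline_mismatches() {
    neigh="$1"; base="$2"
    printf '%s\n' "$base" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        seen=$(printf '%s\n' "$neigh" | awk -v ip="$ip" '
            $1 == ip { for (i = 1; i <= NF; i++) if ($i == "lladdr") print $(i + 1) }')
        if [ -n "$seen" ] && [ "$seen" != "$mac" ]; then
            printf '%s expected %s got %s\n' "$ip" "$mac" "$seen"
        fi
    done
}

# On a real host: duplicate_macs "$(ip neigh show)"; baseline_mismatches "$(ip neigh show)" "$BASELINE"
```

On the sample, `duplicate_macs "$NEIGH_SAMPLE"` reports the poisoner's MAC claiming both 192.168.0.1 and 192.168.0.99, and `baseline_mismatches "$NEIGH_SAMPLE" "$BASELINE"` reports that the router's entry no longer carries the expected MAC; either finding alone is enough to investigate.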

### 4. Clean log [📖](#Attack-Flow:)
> **reference:**
> - [Checking whether Windows has been logged into remotely: event auditing](https://blog.xuite.net/tolarku/blog/544578900)
Clear the remote-logon records left on the Windows remote host:
:::info
Win+R -> Event Viewer -> Windows Logs -> Security
:::

Delete the entries related to remote logon.
## ARP spoofing Defense
### 1. Configure the router

>Log in with the account and password; the details depend on the router model in use.

>Page options after login


>Fill in the IP-to-MAC bindings so the assignments are not lost after a power outage or other unusual event.
### 2. Set static ARP entries in Linux

>Here we take a scripted approach: create a shell script and run it.

```SHELL=1
sudo chmod 777 test.sh
# note: 777 also makes the script world-writable; chmod u+x test.sh is enough to run it
```
>Change the mode so the file is executable

```SHELL=1
ls -al
```
>Check that the file mode was changed

```SHELL=1
./test.sh
```
>Run the script

```SHELL=1
arp -a
```
>Static ARP entries are now in place
### 3. Follow-up use
If other machines are added, update the list in the .sh file and run the steps above again.
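The write-up does not reproduce the contents of `test.sh`, so the script below is an added example of what such a file can look like; it is not the project's own script. It keeps the trusted IP-to-MAC list in one place (step 3 above only requires editing that list) and installs each entry as a permanent neighbour entry with iproute2's `ip neigh` (the net-tools equivalent of each line is `arp -s IP MAC`). The interface name `eth0` and the two list entries are constructed placeholders; take the real values from the router's binding table set up in step 1.

```shell
#!/bin/sh
# Added example, not the original project's test.sh: pin each trusted host's IP to
# its MAC with a permanent neighbour entry, so a spoofed ARP reply cannot overwrite
# the router's mapping. Requires iproute2 (`ip`); run apply_static_arp as root.

IFACE="${IFACE:-eth0}"   # assumption: the LAN interface to pin entries on

# Trusted IP -> MAC list (constructed placeholders). Lines starting with # are ignored;
# anything after the MAC on a line is treated as a comment.
STATIC_ARP_LIST='# ip             mac
192.168.0.1      aa:bb:cc:00:00:01   # router
192.168.0.20     aa:bb:cc:00:00:20   # file server'

# Emit one `ip neigh replace` command per list entry without running it.
# Entries whose MAC does not have six colon-separated groups are skipped with a warning.
static_arp_cmds() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        split($2, a, ":") != 6 { print "skip: bad MAC for " $1 > "/dev/stderr"; next }
        { print "ip neigh replace " $1 " lladdr " $2 " dev " dev " nud permanent" }'
}

# Apply the entries (needs root), then show what the kernel now holds.
apply_static_arp() {
    static_arp_cmds "$STATIC_ARP_LIST" "$IFACE" | while read -r cmd; do
        sh -c "$cmd" || echo "failed: $cmd" >&2
    done
    ip neigh show dev "$IFACE" nud permanent
}

# Preview the commands without touching the kernel:
static_arp_cmds "$STATIC_ARP_LIST" "$IFACE"

# Uncomment to apply for real (as root):
# apply_static_arp
```

`ip neigh replace ... nud permanent` both creates and updates the entry, so re-running the script after editing the list is safe; `ip neigh show nud permanent` (or `arp -a`, as in the write-up) confirms the pinned entries.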