Network Attacks. Blossom Hands-on exercises for computer forensics and security

Size: px

Start display at page:

Download "Network Attacks. Blossom Hands-on exercises for computer forensics and security"

Coleen Miles
8 years ago
Views:

1 Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit Network Attacks BLOSSOM Manchester Metropolitan University (Funded by Higher Education Academy) l.han@mmu.ac.uk

Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.

2 1. Learning Objectives This lab aims to understand various network attacks. 2. Preparation 1) Under Linux environment 2) Some documents that you may need to refer to: 3. Tasks 'Virtual-MachineGuide.pdf' Linux-Guide.pdf BLOSSOM-UserGuide.pdf Setup & Installation: Start two virtual machines as you have done with previous exercises (see Virtual Machine Guide) # kvm -cdrom /var/tmp/blossomfiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one # kvm -cdrom /var/tmp/blossomfiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:58 -net vde -name node-two

3 Task 1 DNS Spoofing Attack 1.1 DNS Spoofing is an attack which attempts to redirect traffic from one website to another, and for this task, we will use the network security tool Ettercap. This task also requires a local webserver to be active, such as Apache On one of the virtual machines, install apache2 and ettercap, and then take note of the IP address of the machine. Apache2 will set up a local webpage on the local host IP address ( ) which can also be accessed via the IP address of the machine from any of the virtual machines on the virtual network. 1.3 Now with the web server up and running, ettercap has a dns file that must be edited using the following command: #gedit /usr/share/ettercap/etter.dns In this file, delete everything and save the following into the file: * <TAB> A <TAB> <IP ADDRESS> The wildcard (*) states that any website address entered into a browser will be redirected to the IP address supplied. 1.4 With the spoofed DNS entry now present, the ettercap tool can be started to initiate the DNS spoofing attack, which is performed using the following command: #ettercap T q P dns_spoof M arp // // -T specifies the use of the text based interface, -q runs the command in quiet mode so that captured packets are not output to the screen, -P dns_spoof specifies the use of the dns_spoof plugin, -M arp initiates a MITM ARP poisoning attack to intercept packets between hosts, and // // specifies the entire network as the target of the attack. 1.5 After the command has been successfully initiated, we can now use the other virtual machine to attempt to access a web site. Try typing in any web address into the browser and it should redirect to the Apache2 local host default web page. 1.6 Whilst the script is running, access a web site from the victim virtual machine, and the website should redirect from the intended web page, to the impersonated host. Question: How would you go about only spoofing to redirect to the Apache2 local host that we created?

Apache2 will set up a local webpage on the local host IP address (127.0.0.1) which can also be accessed via the IP address of the machine from any of the virtual machines on the virtual network. 1.

4 Task 2 Spoofing 2.1 We can now take a look into a way in which spoofing can be performed. spoofing is when an is sent where the send address and other parts of the header are altered to appear as though the originated from a different source. 2.2 Following the installations, create two users on the virtual machine that will function as the sending and receiving parties respectively #adduser alice #adduser bob 2.3 After creating both users, we can now send a legitimate from one user to the other. Log in to alice and then open alpine. #su alice #alpine 2.4 In the main window, press E to bypass the first screen, then press C to access the Compose Message option. Send an to bob@localhost with a subject title and some message text. After you finish writing a basic , press CTRL+X to send the message and then Q to quit the client. 2.5 Now log in to bob s account and open alpine so that we can read the legitimate in his inbox: #su bob #alpine Again, press E to skip the first screen and then press Enter twice to view the inbox and read the first message. There should be an from alice@localhost.localdomain. Exit alpine as before by pressing Q. 2.6 Open another terminal window and type the following command: #telnet localhost 25 This will connect us to the sendmail server which runs on the default smtp port 25. Type in the following commands after executing the telnet connection: #HELO localdomain #MAIL FROM: alice@localhost #RCPT TO: bob@localhost #DATA #SUBJECT: Spoofed #Random Content

2 Following the installations, create two users on the virtual machine that will function as the sending and receiving parties respectively #adduser alice #adduser bob 2.

5 #. #QUIT Now go back to bob s mailbox and compare the addresses that the s are sent from, and they should be identical. Task 3 Netwag / Netwox 3.1 Netwox is a command line network toolbox that provides multiple different possibilities for network attacks; Netwag is the graphical front end to Netwox. doc_html/html/examples.html The above document contains some useful information and examples regarding Netwox. 3.2 In order to perform a SYN Flood using Netwox, the following command can be used: #Netwox 76 i p is the netwox tool for a SYN Flood attack, -i is the destination IP address, and p is the port number. Netwox has a significant amount of network attack capabilities at its disposal. Question/Task: Using Netwox, perform an ARP Poisoning attack on the 2 nd virtual machine.

edu/~wedu/teaching/cis758/netw522/netwox- doc_html/html/examples.html The above document contains some useful information and examples regarding Netwox. 3.

Network Forensics Network Traffic Analysis

Network Forensics Network Traffic Analysis Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative