
Understanding Man-in-the-Middle Attacks: ARP Cache Poisoning


Updated at 11:20 on 27/03/2010



Network Administration: In the first part of this series on the most commonly used forms of MITM attack, we introduce ARP cache poisoning, DNS spoofing, HTTP session hijacking and more.

Introduction

One of the most common network attacks used against both individuals and large organisations is the MITM (Man in the Middle) attack. Put simply, this kind of attack behaves like an eavesdropper. MITM works by establishing connections to the victim machines and relaying messages between them. When attacked, a victim believes it is communicating directly with the other victim, while in reality all of the traffic flows through the attacker's host. As a result, that host can not only read sensitive data but can also inject into and modify the data stream in order to gain further control over its victims.

In this series we explain some of the most frequently used MITM attacks, such as ARP cache poisoning, DNS spoofing and HTTP session hijacking. As in the real world, most of the victim machines are Windows machines, so this series focuses entirely on MITM exploits against machines running Windows. The attacks can also be carried out from Windows machines; however, in a few cases where no suitable tool is available, we use Backtrack Linux 4, which can be downloaded as a live CD or a virtual machine here.

ARP Cache Poisoning

In this first part of the series we introduce ARP cache poisoning. This is the oldest of the modern MITM attacks (sometimes also known as ARP Poison Routing); it lets an attacker (on the same subnet as the victims) eavesdrop on all of the network traffic between the victim machines. We chose it as the first attack to present because it is one of the simplest forms of attack and yet one of the most effective when carried out by an attacker.

Normal ARP Communication

The ARP protocol was designed to translate addresses between the second and third layers of the OSI model. The second layer (the data-link layer) uses MAC addresses so that hardware devices can communicate with each other directly. The third layer (the network layer) uses IP addresses to create networks that can scale globally. The data-link layer deals with devices connected directly to each other, while the network layer deals with devices that are connected both directly and indirectly. Each layer has its own addressing scheme, and the two must work together to form a communicating network. For that reason ARP was created in RFC 826, the Ethernet Address Resolution Protocol.

Figure 1: The ARP communication process

In essence, ARP operation is centred on two packets: an ARP request and an ARP reply. The purpose of the request and reply is to find the hardware MAC address associated with a given IP address so that traffic can reach its destination on the network. The request is sent to every device on the network segment and, to personify it in the simplest terms, says: "Hey, my IP address is XX.XX.XX.XX and my MAC address is XX:XX:XX:XX:XX:XX. I need to send something to whoever has the IP address XX.XX.XX.XX, but I don't know where this hardware address is on my segment. If you have this IP address, please reply with your MAC address!" The answer comes back in an ARP reply: "Hey, transmitting device. I am the one you are looking for with IP address XX.XX.XX.XX. My MAC address is XX:XX:XX:XX:XX:XX." Once this process completes, the transmitting device updates its ARP cache table and the two devices can communicate with each other.
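The request and reply described above in working form: an added example (not from the article) that packs and parses the RFC 826 ARP packet and simulates one resolution on a constructed segment. The addresses and the `lan` dictionary standing in for the wire are made-up sample values.

```python
import struct

ARP_FORMAT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
OP_REQUEST, OP_REPLY = 1, 2

def mac_bytes(mac):                # "aa:bb:cc:dd:ee:ff" -> 6 raw bytes
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):                  # "10.0.0.1" -> 4 raw bytes
    return bytes(int(octet) for octet in ip.split("."))

def build_arp(oper, sha, spa, tha, tpa):
    # htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4 (RFC 826 layout)
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))

def parse_arp(pkt):
    fields = struct.unpack(ARP_FORMAT, pkt[:28])
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = fields
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": oper, "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}

def resolve(requester_mac, requester_ip, target_ip, lan):
    """One request/reply exchange on a constructed segment.
    `lan` maps ip -> mac for the hosts on the segment (stands in for the wire)."""
    # Request: the target hardware address is unknown, so it is sent as zeros and
    # the Ethernet frame carrying it would be broadcast to every host on the segment.
    req = parse_arp(build_arp(OP_REQUEST, requester_mac, requester_ip,
                              "00:00:00:00:00:00", target_ip))
    if req["tpa"] not in lan:
        return None                # nobody owns that IP: the request goes unanswered
    # Reply: the owner answers the requester directly with its own MAC address.
    rep = parse_arp(build_arp(OP_REPLY, lan[req["tpa"]], req["tpa"],
                              req["sha"], req["spa"]))
    if rep["op"] == OP_REPLY and rep["spa"] == target_ip:
        return rep["sha"]          # this is what the requester writes into its ARP cache
    return None

if __name__ == "__main__":
    lan = {"192.168.1.10": "00:11:22:33:44:55", "192.168.1.20": "66:77:88:99:aa:bb"}
    print(resolve("00:11:22:33:44:55", "192.168.1.10", "192.168.1.20", lan))
```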
Cache Poisoning

Poisoning the ARP table exploits the inherently insecure nature of the ARP protocol. Unlike other protocols such as DNS (which can be configured to accept only fairly secure dynamic updates), devices using the Address Resolution Protocol accept updates at any time. This means that any device can send an ARP reply packet to another machine and that machine will immediately update its ARP cache table with the new value. Sending an ARP reply when no request has been generated is called sending a gratuitous ARP. When these gratuitous ARP replies reach the machines that sent requests, the requesting machine believes it is talking to the peer it was looking for, while in fact it is communicating with an attacker.

Figure 2: Intercepting communication by poisoning the ARP cache

Using Cain & Abel

Let us set up a scenario and follow it from theory to practice. There are several tools that can perform the steps needed to poison the ARP cache of the victim machines. We will use the fairly popular security tool Cain & Abel from Oxid.it. Cain & Abel does a great deal beyond ARP cache poisoning and is a very useful tool to have in your arsenal. Installing it is quite straightforward.

Before you begin, you need to gather some additional information: specifically, the network interface you want to use for the attack and the IP addresses of the two victim machines. When you first open Cain & Abel, you will see a row of tabs along the top of the window. For the purposes of this article we work in the Sniffer tab. When you click this tab you will see an empty table. To fill it, you need to enable the program's built-in sniffer and scan for the hosts on your network.

Figure 3: The Sniffer tab in Cain & Abel

Click the second icon on the toolbar, which looks like a network card. The first time you do this you will be asked to select the interface you want to sniff on. The interface must be connected to the network on which you will perform your ARP cache poisoning. Once you have chosen the interface, click OK to enable Cain & Abel's built-in sniffer. At this point the network-card toolbar icon should appear pressed down; if it does not, press it. To build a list of the hosts currently on your network, click the icon that looks like a plus sign (+) on the main toolbar and click OK.

Figure 4: Scanning for devices on the network

The previously empty grid is now filled with a list of all the devices on your network, together with their MAC addresses, IP addresses and vendor identification information. This is the list you will work from when setting up ARP cache poisoning. At the bottom of the program window you will see a row of tabs that take you to other windows under the Sniffer heading. Now that you have built your device list, your next task is to work with the APR tab. Switch to the APR window by clicking the tab. In the APR window you will see two empty tables: one at the top and one at the bottom. Once set up, the upper table shows the devices involved in the ARP cache poisoning and the lower table shows all of the communication between the poisoned machines. Continue setting up the ARP poisoning by clicking the icon that looks like a plus sign (+) on the program's standard toolbar. A window with two side-by-side columns appears. On the left you will see a list of all the available devices on the network. Click the IP address of one of the victims, and the right-hand window will show a list of all the hosts on the network except the IP address you just selected. In the right-hand window, click the IP address of the other victim and click OK.

Figure 5: Selecting the victim devices for poisoning

The IP addresses of both devices are now listed in the upper table of the main application window. To complete the process, click the yellow-and-black radiation symbol on the standard toolbar. This activates Cain & Abel's ARP cache poisoning features and lets your analysis system become the eavesdropper on all communication between the two victims. If you want to see what is going on behind the scenes, install Wireshark and listen on the interface while you activate the poisoning. You will see ARP traffic to the two devices and immediately afterwards the communication between them.

Figure 6: Intercepting ARP traffic

When you are finished, click the yellow-and-black radiation symbol again to stop the ARP cache poisoning.

Countermeasures

Looking at ARP cache poisoning from the defender's point of view, we are at a slight disadvantage. The ARP process happens in the background, so there is very little ability to control it directly. There is no single concrete solution, but there are proactive and reactive positions to take if you are worried about ARP cache poisoning on your network.

Securing the LAN

ARP cache poisoning is an attack technique that only works when trying to intercept traffic between two devices on the same LAN. The only reasons to fear it are if an internal device on your network has been compromised, a trusted user has malicious intent, or someone plugs an untrusted device into the network. Although we usually concentrate all of our security efforts on the network perimeter, defending against threats from the inside and maintaining a good internal security posture can help you eliminate the fear of the attack discussed here.

Hardcoding the ARP Cache

One way to protect against the inherent insecurity of ARP requests and replies is to make the process less dynamic. This is an option because Windows machines allow you to add static entries to the ARP cache. You can view the ARP cache of a Windows machine by opening a command prompt and typing the command arp -a.

Figure 7: Viewing the ARP cache

Entries can be added to this list with the command arp -s <IP ADDRESS> <MAC ADDRESS>. In cases where your network configuration rarely changes, you can create a list of static ARP entries and deploy them to clients through an automated script. This ensures that the devices always rely on their local ARP cache rather than on ARP requests and replies.

Monitoring ARP Traffic with Third-Party Programs

The final option for defending against ARP cache poisoning is a reactive approach that involves monitoring the network traffic of your devices. You can do this with some intrusion detection systems (such as Snort) or with utilities designed specifically for this purpose (such as xARP). This may be feasible when you are concerned about only one device, but it is still rather cumbersome and awkward when dealing with an entire network segment.

Conclusion

ARP cache poisoning is an effective trick in the world of passive man-in-the-middle attackers because it is very simple yet effective. It remains a very real threat on modern networks, both hard to detect and hard to counter. In the next part of this series we focus on name resolution and the concept of DNS spoofing.
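The monitoring approach described in this section, as an added example rather than anything from the article, Snort or xARP: a small arpwatch-style checker that replays constructed ARP events and flags the three signs of poisoning a defender looks for, a binding change, a reply nobody requested, and one MAC answering for several IPs. All addresses and events are constructed sample data.

```python
from collections import defaultdict

def monitor_arp(events, reply_window=2.0):
    """events: (time, op, sha, spa, tha, tpa) tuples with op "request" or "reply".
    Returns the list of alert strings a defender would want to see."""
    bindings = {}                  # ip -> mac learned so far
    pending = {}                   # (requester_ip, asked_ip) -> time of the request
    claims = defaultdict(set)      # mac -> set of IPs that MAC has spoken for
    alerts = []

    def record(t, ip, mac):
        old = bindings.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{t}: binding change {ip}: {old} -> {mac}")
        bindings[ip] = mac
        claims[mac].add(ip)
        if len(claims[mac]) > 1:
            alerts.append(f"{t}: {mac} now claims {sorted(claims[mac])}")

    for t, op, sha, spa, tha, tpa in events:
        if op == "request":
            pending[(spa, tpa)] = t          # remember who asked about what
        else:
            # A reply says "spa is-at sha" and is addressed to tpa, so the
            # matching request is the one in which tpa asked about spa.
            asked_at = pending.pop((tpa, spa), None)
            if asked_at is None or t - asked_at > reply_window:
                alerts.append(f"{t}: unsolicited reply {spa} is-at {sha} to {tpa}")
        # Both packet types announce the sender's own ip/mac pair, so learn from both.
        record(t, spa, sha)
    return alerts

# Constructed sample: two hosts resolve each other normally, then a third MAC
# answers for both of them without being asked, which is the poisoning pattern
# the article describes (every address here is made up).
SAMPLE_EVENTS = [
    (0.0, "request", "00:11:22:33:44:55", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.20"),
    (0.1, "reply",   "66:77:88:99:aa:bb", "192.168.1.20", "00:11:22:33:44:55", "192.168.1.10"),
    (5.0, "reply",   "de:ad:be:ef:00:01", "192.168.1.20", "00:11:22:33:44:55", "192.168.1.10"),
    (5.1, "reply",   "de:ad:be:ef:00:01", "192.168.1.10", "66:77:88:99:aa:bb", "192.168.1.20"),
]

if __name__ == "__main__":
    for alert in monitor_arp(SAMPLE_EVENTS):
        print(alert)
```

The `reply_window` is an assumed threshold: a reply arriving long after its request is treated like one that was never requested.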

ARP and How It Works on a LAN

As we know, at the Network layer of the OSI model we usually use conventional (logical) addresses such as IP, IPX, etc. These addresses are split into two separate parts: the network part (NetID) and the host part (HostID). Numbering addresses this way makes it easier to find the paths from one network to another. These addresses can be changed at the user's discretion. In reality, however, network cards (NICs) can only connect to each other by MAC address, the fixed and unique address of the hardware. We therefore need a mechanism for converting between these two kinds of address, and that is the Address Resolution Protocol (ARP).

How ARP Works on a LAN

When a network device wants to know the MAC address of another device whose network-layer address (IP, IPX, etc.) it already knows, it sends an ARP request, containing its own MAC address and the IP address of the device whose MAC address it needs, across the entire broadcast domain. Every device that receives this request compares the IP address in the request with its own network-layer address. If the addresses match, that device must send back to the sender of the ARP request a packet containing its own MAC address. In a simple network, for example, PC A wants to send a packet to PC B and knows only PC B's IP address. PC A then has to send an ARP broadcast to the whole network asking "what is the MAC address of the PC with this IP address?" When PC B receives this broadcast, it compares the IP address in the packet with its own IP address. Seeing that it is its own address, PC B sends a packet back to PC A containing B's MAC address. Only then does PC A begin transmitting packets to B.

Figure: How ARP works in a network environment

ARP in a more complex environment: two networks joined by a Router C. Host A on network A wants to send a packet to host B on network B. Because broadcasts cannot pass through the router, host A treats Router C as a bridge, or intermediary (agent), for transmitting the data. Beforehand, host A knows the IP address of Router C (the gateway address) and knows that to send a packet to B it must go through C. All of this information is kept in a table called the routing table. Under this mechanism the routing table is stored on every host. The routing table holds information about the gateways used to reach a given network. In the example above, the table indicates that to reach LAN B the packet must pass through port X of Router C, so the routing table contains the IP address of port X. The data is transmitted in the following steps:

- Host A sends an ARP request (broadcast) to find the MAC address of port X.
- The router replies, giving host A the MAC address of port X.
- Host A sends the packet to port X of the router.
- The router receives the packet from host A and forwards it out of its port Y. The packet contains host B's IP address, so the router sends an ARP request to find host B's MAC address.
- Host B replies to the router with its MAC address. Having received host B's MAC address, Router C delivers A's packet to B.

In practice, besides this routing-table approach, the proxy ARP method is also used, in which one device takes on the task of address resolution for all the other devices. The workstations then no longer need to keep a routing table; Router C takes on the job of answering all ARP requests from all hosts.

ARP cache

The ARP cache can be thought of as a table holding a set of mappings between hardware addresses and Internet Protocol (IP) addresses. Every device on a network has its own cache. There are two ways of keeping entries in the cache so that address resolution happens quickly:

* Static ARP cache entries. Here the address mapping must be added to the cache table manually and is kept permanently.
* Dynamic ARP cache entries. Here the IP and hardware addresses are kept in the cache by software after the result of an earlier, completed resolution is received. The addresses are kept temporarily and later removed.

The ARP cache turns a potentially time-wasting process into an efficient one. It can, however, run into some problems. The cache table has to be maintained. In addition, cache entries can become stale over time, so cache entries have to be expired after some period of time.
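The two kinds of cache entry and the expiry problem, modelled in an added example (not from the article); addresses, TTL and timestamps are constructed. It also shows why the static-entry defence from the earlier section works: a static entry is never replaced by a received reply, while a dynamic one is both overwritable and subject to ageing out.

```python
class ArpCache:
    def __init__(self, ttl=60.0):
        self.ttl = ttl
        self.entries = {}                  # ip -> (mac, static, learned_at)

    def add_static(self, ip, mac):
        # Equivalent of a manual `arp -s` entry: permanent and not updatable
        self.entries[ip] = (mac, True, None)

    def learn(self, ip, mac, now):
        """Called when an ARP reply for `ip` arrives. Returns True if accepted."""
        current = self.entries.get(ip)
        if current is not None and current[1]:
            return False                   # static entry wins over any reply
        self.entries[ip] = (mac, False, now)
        return True

    def expire(self, now):
        # Drop dynamic entries older than ttl; static ones never age out
        stale = [ip for ip, (_, static, t) in self.entries.items()
                 if not static and now - t > self.ttl]
        for ip in stale:
            del self.entries[ip]
        return stale

    def lookup(self, ip, now):
        self.expire(now)
        entry = self.entries.get(ip)
        return entry[0] if entry else None  # None means an ARP request is needed

def demo():
    # Constructed scenario: the gateway is pinned statically, a peer is learned
    # dynamically; a later reply tries to rebind both to another MAC.
    cache = ArpCache(ttl=60.0)
    cache.add_static("192.168.1.1", "00:aa:aa:aa:aa:01")
    cache.learn("192.168.1.20", "66:77:88:99:aa:bb", now=0.0)
    changed = [cache.learn("192.168.1.1", "de:ad:be:ef:00:01", now=5.0),
               cache.learn("192.168.1.20", "de:ad:be:ef:00:01", now=5.0)]
    # At t=100 the dynamic entry (learned at t=5) is older than the TTL and is gone
    return (changed, cache.lookup("192.168.1.1", now=100.0),
            cache.lookup("192.168.1.20", now=100.0))

if __name__ == "__main__":
    print(demo())
```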
