
Understanding Man-in-the-Middle Attacks: DNS Spoofing


Updated at 09:00 on 14/04/2010. Previous part: Understanding Man-in-the-Middle Attacks: ARP Cache Poisoning


In this article we continue our look at Man-in-the-Middle attacks, this time focusing on another kind of MITM attack called DNS spoofing. In the first part of this series we introduced ARP communication and showed how a device's ARP cache can be poisoned in order to redirect the network traffic of other computers through another machine for malicious purposes. In this article we introduce a different MITM attack, DNS spoofing. If you have not yet read the ARP cache poisoning part, you should go back and read it first, because this article uses some of the techniques introduced there.

DNS Spoofing

DNS spoofing is an MITM technique used to supply false DNS information to a host, so that when the user browses to some address, for example www.bankofamerica.com at IP XXX.XX.XX.XX, the attempt is instead sent to a fake www.bankofamerica.com residing at IP YYY.YY.YY.YY, an address the attacker has prepared in advance to steal the user's online banking credentials. This attack is fairly easy to carry out, and in this article we will look at how DNS works, how the attack is performed, and finally how to defend against it.

DNS Communication

The Domain Name System (DNS) protocol, as defined in RFC 1034/1035, can be considered one of the most important protocols in use on the Internet. Put simply, whenever you type a web address such as http://www.google.com into a browser, a DNS request is sent to a DNS server to find the IP address that corresponds to the name you entered. Routers and the devices that make up the Internet have no idea what google.com is; they only understand addresses such as 74.125.95.103. A DNS server works by storing a database of entries (called resource records) that map DNS names to IP addresses, and by communicating those resource records to clients and to other DNS servers. The architecture of DNS servers across an enterprise and across the Internet is fairly complex; in fact, entire books have been devoted to DNS architecture. We will not cover the architectural aspects or even the different kinds of DNS traffic here, only a basic DNS transaction, which you can see in Figure 1.

Figure 1: DNS query and response

DNS works in a query/response fashion. A client that needs to resolve a DNS name to an IP address sends a query to a DNS server, and the server returns the requested information in its response packet. From the client's perspective, only two packets appear at this point: the query and the response.

Figure 2: DNS query and response packets

The scenario becomes a little more complex when DNS recursion is considered. Because of the hierarchical nature of DNS on the Internet, DNS servers need to be able to communicate with one another in order to answer the queries submitted by clients. If everything goes as expected, our internal DNS server will know the name-to-IP mappings for servers on the local network, but it cannot be expected to know the addresses of Google or Dell. This is where recursion comes into play. Recursion occurs when one DNS server queries another DNS server on behalf of the client that made the request. In effect, this turns a DNS server into a client, as shown in Figure 3.

Figure 3: DNS query and response using recursion


Spoofing DNS

There are several ways to perform DNS spoofing. We will use a technique called DNS ID spoofing. Every DNS query sent across the network contains a unique identification number, whose purpose is to match queries with their responses. This means that if our attacking machine can intercept a DNS query sent from a particular device, all we need to do is craft a fake packet containing that identification number so that the packet is accepted by the target. We complete the process in two steps with a single tool. First, we poison the ARP cache of the target device to reroute its traffic through our attacking host, so that we can intercept the DNS request and send the forged packet. The goal of this scenario is to make users on the target network visit a malicious website instead of the one they were trying to reach. The attack diagram below makes this clearer.
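The transaction ID matching described above, seen from the resolver's side, as an added example (this code is not from the article and is not part of Ettercap): a minimal RFC 1035 message builder and parser in Python, plus the checks a stub resolver applies before it trusts a reply. The names and addresses used (www.example.com, 192.0.2.10, and the page's 172.16.16.100) are constructed test values. The check relies on the 16-bit ID and the question section only, which is why modern resolvers added UDP source-port randomization and why the article's defence section points to DNSSEC.

```python
import secrets
import struct

# Added example, not code from the article. Minimal RFC 1035 wire-format
# handling for a stub resolver: build a query, parse a reply, and decide
# whether the reply belongs to the query that was sent.


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, offset):
    """Decode a name, following RFC 1035 4.1.4 compression pointers.
    Returns (name, offset just after the name at its original position)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid=None, qtype=1):
    """Header (id, flags=RD, qdcount=1, an/ns/arcount=0) followed by one question."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)              # unpredictable 16-bit ID
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name, txid, ip, ttl=300):
    """Constructed A-record reply (demonstration only): QR|RD|RA flags,
    the question copied from the query, answer name as a pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_message(data):
    """Parse the header, the (single) question and any A-record answers."""
    txid, flags, _qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    offset = 12
    qname, offset = decode_name(data, offset)          # assumes one question, as real queries have
    qtype, _qclass = struct.unpack_from("!HH", data, offset)
    offset += 4
    answers = []
    for _ in range(ancount):
        aname, offset = decode_name(data, offset)
        atype, _aclass, ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if atype == 1 and rdlen == 4:
            answers.append((aname, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}


def accept_response(query, response):
    """The checks a resolver applies before trusting a reply. A reply that
    fails any of them is silently dropped, so a forged reply has to carry
    the right ID (and, on modern resolvers, hit the randomized source port)."""
    q, r = parse_message(query), parse_message(response)
    if not r["flags"] & 0x8000:
        return False, "QR bit not set: this is a query, not a response"
    if r["id"] != q["id"]:
        return False, "transaction ID mismatch"
    if (r["qname"].lower(), r["qtype"]) != (q["qname"].lower(), q["qtype"]):
        return False, "question section does not match the query"
    return True, "accepted"


if __name__ == "__main__":
    query = build_query("www.example.com")
    txid = parse_message(query)["id"]
    genuine = build_response("www.example.com", txid, "192.0.2.10")              # constructed
    stale = build_response("www.example.com", (txid + 1) & 0xFFFF, "172.16.16.100")
    print(accept_response(query, genuine), accept_response(query, stale))
```

The parser handles compressed names because real replies almost always point the answer name back at the question; a parser that skips that case misreads every answer that follows.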

Figure 4: DNS spoofing using the DNS ID spoofing method

There are a number of tools that can be used to perform DNS spoofing. We will use one of them, Ettercap, which runs on both Windows and Linux. You can download Ettercap here. If you explore the website a little, you will find that Ettercap has many other great features besides DNS spoofing and can be used for several kinds of MITM attack. If you install Ettercap on a Windows machine you will find it has a rather nice graphical user interface (GUI), but in this example we will use the command-line interface. Before running Ettercap, a little configuration is required. At its core Ettercap is a packet sniffer, and it uses plug-ins to perform the various attacks. The dns_spoof plug-in is what we will use in this example, so we must modify the configuration file associated with that plug-in. On Windows this file is found at C:\Program Files (x86)\EttercapNG\share\etter.dns, and on Linux at /usr/share/ettercap/etter.dns. It is a fairly simple file containing the DNS records you wish to spoof. For the purposes of this test, we want anyone trying to reach yahoo.com to be directed to a host on the local network, so we add the entry highlighted in Figure 5.

Figure 5: Adding a spoofed DNS record to etter.dns

These entries tell the dns_spoof plug-in that when it sees a DNS query for yahoo.com or www.yahoo.com (with a type A resource record), it should respond with the IP address 172.16.16.100. In a real scenario the device at 172.16.16.100 would be running web server software and presenting the fake website to the user. Once this file is configured and saved, we can run the command string that launches the attack. The command string uses the following options:

-T: use the text interface
-q: run in quiet mode, so that captured packets are not printed to the screen
-P dns_spoof: use the dns_spoof plug-in
-M arp: initiate the ARP poisoning MITM attack to intercept packets between hosts
// //: specify the whole network as the target

The final command string for our purposes is:

Ettercap.exe -T -q -P dns_spoof -M arp // //

Running this command starts a two-phase attack: first the ARP caches of the devices on the network are poisoned, then the forged DNS query responses are sent.

Figure 6: Ettercap actively listening for DNS queries

Once started, anyone trying to reach www.yahoo.com will be redirected to our malicious website.

Figure 7: The result of the DNS spoofing attempt from the user's perspective

Defending against DNS Spoofing

DNS spoofing is hard to defend against because there are so few signs of the attack. Typically you have no idea your DNS is being spoofed until it happens: what you get is a completely different web page from the one you expected. In highly targeted attacks, you may well not know you have been tricked into entering your sensitive information into a fake site until you get a call from your bank asking why you have withdrawn so much money. Although difficult, it is not impossible to defend against these attacks; here are some things you should do:

Secure your internal machines: Attacks like this one are usually executed from inside your network. If your network devices are secure, there is less chance that hosts will be compromised and used to launch a spoofing attack.

Do not rely on DNS for secure systems: On highly sensitive and secure systems, not browsing the Internet on them is the best way to avoid using DNS at all. If you have software that uses hostnames to do some of its work, the necessary entries can be placed in the device's configuration file instead.

Use an IDS: An intrusion detection system, when placed and deployed correctly, can typically expose both ARP cache poisoning and DNS spoofing.

Use DNSSEC: DNSSEC is a newer alternative to DNS that uses digitally signed DNS records to ensure the validity of query responses. DNSSEC is not yet widely deployed, but it has been accepted as the future of DNS.

Conclusion

DNS spoofing is a fairly dangerous form of MITM attack when paired with malicious intent. Using this technique, attackers can leverage spoofing to steal users' sensitive information, install malware via a drive-by exploit, or cause a denial-of-service attack. In the next part of this series we will introduce pass-the-hash attacks and how they can be used to log in to Windows machines without needing the users' passwords.
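What the "use an IDS" advice above looks like in practice, as an added example that is not from the article: detection logic for DNS ID spoofing run over a tshark field export. The input lines are constructed for the demonstration (the column names are real tshark fields: frame.time_relative, ip.src, ip.dst, dns.id, dns.flags.response, dns.qry.name, dns.a); 192.168.1.1 is the assumed legitimate resolver, 172.16.16.100 is the address from the article's scenario, and the 203.0.113.x addresses are placeholder genuine answers. The detector raises three kinds of alert: a reply with no matching query, a reply from a server the client never asked, and two replies to the same transaction with different answers inside a short window, which is the trace left when a forged reply races the real one.

```python
# Added example, not from the article: DNS spoofing detection over a tshark
# export produced with
#   tshark -r capture.pcap -Y dns -T fields -e frame.time_relative -e ip.src \
#          -e ip.dst -e dns.id -e dns.flags.response -e dns.qry.name -e dns.a
# The lines below are constructed, not a real capture.
SAMPLE = (
    "0.000000\t192.168.1.20\t192.168.1.1\t0x1a2b\t0\twww.yahoo.com\t\n"
    "0.001900\t192.168.1.1\t192.168.1.20\t0x1a2b\t1\twww.yahoo.com\t172.16.16.100\n"
    "0.038000\t192.168.1.1\t192.168.1.20\t0x1a2b\t1\twww.yahoo.com\t203.0.113.5\n"
    "0.100000\t192.168.1.21\t192.168.1.1\t0x3c4d\t0\tmail.example.net\t\n"
    "0.121000\t192.168.1.1\t192.168.1.21\t0x3c4d\t1\tmail.example.net\t203.0.113.25\n"
    "0.200000\t192.168.1.22\t192.168.1.1\t0x5e6f\t0\twww.example.org\t\n"
    "0.203000\t10.0.0.99\t192.168.1.22\t0x5e6f\t1\twww.example.org\t172.16.16.100\n"
    "0.300000\t192.168.1.1\t192.168.1.23\t0x7081\t1\tlogin.example.com\t172.16.16.100\n"
)


def parse_line(line):
    """One tshark record -> dict. dns.a may hold several comma-separated addresses."""
    t, src, dst, dns_id, is_response, qname, answers = line.split("\t")
    return {"time": float(t), "src": src, "dst": dst, "id": int(dns_id, 16),
            "response": is_response == "1", "qname": qname.lower(),
            "answers": frozenset(a for a in answers.split(",") if a)}


def detect_spoofing(export, window=1.0):
    """Return a list of (kind, client, qname, detail) alerts.

    unsolicited-response   reply for which no query was seen
    unexpected-source      reply from an IP other than the server that was queried
    conflicting-duplicate  second reply for the same (client, id, name) with
                           different answers within `window` seconds; a client
                           retransmitting a query reuses its ID, so the window
                           keeps legitimate late answers from triggering it
    """
    pending, first_answer, alerts = {}, {}, []
    for line in export.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not rec["response"]:
            pending[(rec["src"], rec["id"], rec["qname"])] = (rec["dst"], rec["time"])
            continue
        key = (rec["dst"], rec["id"], rec["qname"])
        if key not in pending:
            alerts.append(("unsolicited-response", rec["dst"], rec["qname"], rec["src"]))
            continue
        server, t_query = pending[key]
        if rec["src"] != server:
            alerts.append(("unexpected-source", rec["dst"], rec["qname"], rec["src"]))
        if (key in first_answer and first_answer[key] != rec["answers"]
                and rec["time"] - t_query <= window):
            alerts.append(("conflicting-duplicate", rec["dst"], rec["qname"],
                           (sorted(first_answer[key]), sorted(rec["answers"]))))
        first_answer.setdefault(key, rec["answers"])
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofing(SAMPLE):
        print(*alert)
```

Note that a spoofing tool sitting in the path after ARP poisoning will normally forge the resolver's source address, so the "unexpected-source" check alone is not enough; the duplicate-answer check is the one that catches the scenario this article describes, and an ARP-level check (a MAC address answering for two IPs) complements it.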

Packet Analysis with WIRESHARK


A brief introduction to Wireshark

- Wireshark has a rich history. Gerald Combs was the first to develop the software; the first version, called Ethereal, was released in 1998. Eight years after that first release, Combs left his job to pursue another career opportunity. Unfortunately, at that time he could not reach an agreement with the company that had employed him over the rights to the Ethereal trademark, so Combs and the rest of the development team built a new brand for the Ethereal product in 2006, naming the project Wireshark.
- Wireshark has grown strongly, and its development team now numbers up to 500 contributors. The product named Ethereal is no longer developed.
- The benefits Wireshark offers have made it as popular as it is today. It meets the needs of both professional and amateur analysts, and it offers many features that appeal to each of these audiences.

Protocols supported by Wireshark:

Wireshark excels in the number of protocols it supports (around 850), from common ones such as TCP and IP to more exotic ones such as AppleTalk and BitTorrent. And because Wireshark is developed under an open-source model, new protocols keep being added; broadly speaking, there is no protocol that Wireshark cannot support.

User friendly: Wireshark's interface is one of the easiest to use among packet analysis tools. It is a graphical application with a very clear and well-organized menu system. Unlike some command-line products such as tcpdump, Wireshark's graphical interface is great for anyone starting to explore the world of protocol analysis.

Price: Wireshark is free software released under the GPL. You can download and use Wireshark for any purpose, including commercial use.

Support: The Wireshark community is one of the best and most active of any open-source project.

Supported operating systems: Wireshark supports most operating systems in use today.

1. Some basic scenarios

In this section we address more specific problems: using Wireshark and packet analysis to solve a concrete issue. We present a few typical scenarios.

A Lost TCP Connection

One of the most common problems is a lost network connection. We will ignore why the connection was lost and look at it at the packet level. Example: a file transfer that loses its connection. It begins with four TCP ACK packets sent from 10.3.71.7 to 10.3.30.1.

Figure 3.1-1: This capture begins simply enough with a few ACK packets.

The trouble begins at packet 5, where we see TCP retransmissions appear.

Figure 3.1-2: These TCP retransmissions are a sign of a weak or dropped connection.

By design, TCP sends a packet to its destination and, if no reply is received within a certain time, retransmits the original packet. If it still gets no reply, the source doubles the waiting time before the next retransmission.

As the figure above shows, TCP retransmits five times; if five consecutive attempts get no reply, the connection is considered terminated. This can be seen in Wireshark as follows:

Figure 3.1-4: Windows will retransmit up to five times by default.

Being able to identify the failing packets sometimes lets us discover exactly where the connection was lost.
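The retransmission behaviour just described, as an added example that is not from the book: a small Python analyser that finds retransmitted data segments in a packet list, measures the gap between attempts, checks that the gaps double (the RTO back-off), and applies the five-retransmission limit the text gives for Windows. The packet list is constructed to mirror the 10.3.71.7 to 10.3.30.1 transfer; the sequence numbers, payload size and timings are assumed.

```python
# Added example, not from the book. Detects TCP retransmissions and the
# exponential back-off between them. Each packet is (time in seconds, src,
# dst, sequence number, payload length, flags); the list is constructed.
SAMPLE_PACKETS = [
    {"time": 0.000, "src": "10.3.71.7", "dst": "10.3.30.1", "seq": 1, "len": 0, "flags": "ACK"},
    {"time": 0.010, "src": "10.3.71.7", "dst": "10.3.30.1", "seq": 1, "len": 0, "flags": "ACK"},
    {"time": 0.020, "src": "10.3.71.7", "dst": "10.3.30.1", "seq": 1, "len": 0, "flags": "ACK"},
    {"time": 0.030, "src": "10.3.71.7", "dst": "10.3.30.1", "seq": 1, "len": 0, "flags": "ACK"},
    {"time": 1.000, "src": "10.3.71.7", "dst": "10.3.30.1", "seq": 1, "len": 1460, "flags": "PSH,ACK"},
    {"time": 1.300, "src": "10.3.71.7", "dst": "10.3.30.1", "seq": 1, "len": 1460, "flags": "PSH,ACK"},  # retry 1
    {"time": 1.900, "src": "10.3.71.7", "dst": "10.3.30.1", "seq": 1, "len": 1460, "flags": "PSH,ACK"},  # retry 2
    {"time": 3.100, "src": "10.3.71.7", "dst": "10.3.30.1", "seq": 1, "len": 1460, "flags": "PSH,ACK"},  # retry 3
    {"time": 5.500, "src": "10.3.71.7", "dst": "10.3.30.1", "seq": 1, "len": 1460, "flags": "PSH,ACK"},  # retry 4
    {"time": 10.300, "src": "10.3.71.7", "dst": "10.3.30.1", "seq": 1, "len": 1460, "flags": "PSH,ACK"}, # retry 5
]


def find_retransmissions(packets):
    """Return [(retry_number, time, gap_since_previous_send)] for every data
    segment that is sent again. Pure ACKs (no payload) reuse the sequence
    number legitimately, so they are never counted."""
    last_sent, counts, retries = {}, {}, []
    for p in sorted(packets, key=lambda p: p["time"]):
        if p["len"] == 0:
            continue
        key = (p["src"], p["dst"], p["seq"], p["len"])
        if key in last_sent:
            counts[key] = counts.get(key, 0) + 1
            retries.append((counts[key], p["time"], round(p["time"] - last_sent[key], 3)))
        last_sent[key] = p["time"]
    return retries


def backoff_is_exponential(retries, tolerance=0.25):
    """True when each gap is roughly double the previous one (RTO doubling)."""
    gaps = [gap for _, _, gap in retries]
    return len(gaps) >= 2 and all(abs(b / a - 2.0) <= tolerance for a, b in zip(gaps, gaps[1:]))


def diagnose(packets, max_retries=5):
    """Read the capture the way the text reads Figure 3.1-4: the Windows
    default of five unanswered retransmissions means the sender gave up."""
    retries = find_retransmissions(packets)
    return {
        "retransmissions": len(retries),
        "gaps": [gap for _, _, gap in retries],
        "exponential_backoff": backoff_is_exponential(retries),
        "connection_lost": len(retries) >= max_retries,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_PACKETS))
```

The same doubling pattern with no reply at all, applied to SYN segments instead of data, is what the FTP case later on this page shows: the handshake never completes because nothing answers, not because the server is slow.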

Unreachable Destinations and ICMP Codes

One of the tools for testing network connectivity is ICMP ping. If you are lucky the target replies, which means success; otherwise you get a message that the host cannot be reached. Using a packet capture tool here gives far more information than a plain ICMP ping: we can see the ICMP errors clearly.

Figure 3.1-5: A standard ping request from 10.2.10.2 to 10.4.88.88

The figure below shows the notification that 10.4.88.88 cannot be pinged from 10.2.99.99.

So, compared with an ordinary ping, we can see that the connection is broken at 10.2.99.99. There are also the ICMP error codes, for example Destination Unreachable.

Figure 3.1-6: This ICMP type 3 packet is not what we expected.

Unreachable Port

Another common task is checking connectivity to a port on a server. This check shows whether the port is open and ready to accept incoming requests.

For example, to check whether the FTP service is running on a server (by default FTP works over port 21), simply send a probe to port 21 of the server; if the server replies with an ICMP packet of that type carrying error code 2, the port cannot be reached.

Fragmented Packets: Determining Whether a Packet Is Fragmented

Figure 3.1-7: This ping request requires three packets rather than one because the data being transmitted is above average size.

Here we can see that the recorded packet size is larger than the default 32 bytes that ping sends to a computer; the packet size here is 3,072 bytes.

No Connectivity
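The two sections above (ICMP unreachable codes and fragmentation) share the same IPv4 header parsing, so one added example covers both; this code is not from the book. It parses an IPv4 header and an ICMP Destination Unreachable message the way Wireshark displays them, including the original header embedded in the ICMP body that tells you which connection attempt was refused, and computes how many fragments a large ping needs. All packets are constructed here (the addresses 10.2.10.2 and 10.4.88.88 and port 21 follow the text; the source port and IP IDs are assumed). The code table is RFC 792 / RFC 1122, in which code 3 is Port Unreachable and code 2 is Protocol Unreachable.

```python
import math
import struct

# Added example, not from the book: IPv4 and ICMP type 3 decoding plus
# fragment arithmetic. Every packet below is constructed in code.

ICMP_UNREACHABLE_CODES = {        # RFC 792 / RFC 1122 Destination Unreachable codes
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed", 6: "destination network unknown",
    7: "destination host unknown", 9: "network administratively prohibited",
    10: "host administratively prohibited", 13: "communication administratively prohibited",
}


def checksum(data):
    """Internet checksum (RFC 1071); evaluates to 0 over a correctly checksummed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src, dst, proto, payload_len, ident=1, flags=0, frag_offset=0, ttl=64):
    """20-byte IPv4 header. flags bit 1 = DF, bit 0 = MF; frag_offset in 8-byte units."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      (flags << 13) | frag_offset, ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(data):
    v_ihl, _tos, total, ident, ff, _ttl, proto, _csum, src, dst = struct.unpack_from("!BBHHHBBH4s4s", data, 0)
    flags, offset = ff >> 13, (ff & 0x1FFF) * 8
    return {"ihl": (v_ihl & 0x0F) * 4, "total_length": total, "id": ident, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "df": bool(flags & 2), "mf": bool(flags & 1), "frag_offset": offset,
            "is_fragment": bool(flags & 1) or offset != 0}   # MF set, or not the first piece


def parse_icmp_error(packet):
    """Decode an ICMP packet; for type 3 also decode the embedded original
    IP header and the first 8 bytes of its transport header (the ports)."""
    ip = parse_ipv4(packet)
    icmp = packet[ip["ihl"]:ip["total_length"]]
    itype, code, _ = struct.unpack_from("!BBH", icmp, 0)
    info = {"type": itype, "code": code, "from": ip["src"], "checksum_ok": checksum(icmp) == 0,
            "description": ICMP_UNREACHABLE_CODES.get(code, "unknown") if itype == 3 else "not an unreachable message"}
    if itype == 3:
        inner = icmp[8:]
        orig = parse_ipv4(inner)
        sport, dport = struct.unpack_from("!HH", inner, orig["ihl"])
        info["original"] = {"src": orig["src"], "dst": orig["dst"], "proto": orig["proto"],
                            "src_port": sport, "dst_port": dport}
    return info


def expected_fragments(icmp_payload_len, mtu=1500):
    """IP packets needed for a ping with this payload: 8-byte ICMP header plus
    payload, split into (mtu - 20) rounded down to a multiple of 8 per fragment.
    A 3072-byte ping on Ethernet therefore needs three packets."""
    per_fragment = (mtu - 20) // 8 * 8
    return math.ceil((8 + icmp_payload_len) / per_fragment)


def build_sample_unreachable():
    """Constructed: 10.4.88.88 rejecting a TCP SYN from 10.2.10.2 to port 21 with
    ICMP type 3 code 3, which is what an iptables REJECT rule emits by default."""
    orig_ip = ipv4_header("10.2.10.2", "10.4.88.88", 6, 20, ident=0x1F3B)
    orig_tcp8 = struct.pack("!HHI", 51234, 21, 0)            # src port, dst port, seq (assumed)
    body = struct.pack("!BBHI", 3, 3, 0, 0) + orig_ip + orig_tcp8
    icmp = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header("10.4.88.88", "10.2.10.2", 1, len(icmp), ident=0x2A01) + icmp


if __name__ == "__main__":
    print(parse_icmp_error(build_sample_unreachable()))
    print(expected_fragments(3072), expected_fragments(32))
```

Reading the embedded header matters in practice: the outer packet only says "unreachable", while the inner one names the destination and port that were refused, so you can tell a blocked FTP port apart from a dead host without re-running the test.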

Problem: we have two new employees, Hai and Thanh, seated next to each other and naturally each equipped with a computer. After the two machines were set up and joined to the network, a problem appeared: Hai's computer works fine with normal network connectivity, but Thanh's computer cannot access the Internet.

Goal: find out why Thanh's computer cannot connect to the Internet and fix it.

What we know:

- both computers are new
- both have IP addresses set and can ping other machines on the network

In short, there is no difference between the two machines' configuration.

Procedure: install Wireshark directly on both machines.

Analysis

First, on Hai's machine we see a normal HTTP session. There is first an ARP broadcast to find the layer-2 address of the gateway, here 192.168.0.10. Once Hai's computer receives that information it completes a handshake with the gateway and establishes a session with the outside.

Figure 3.1-8: His computer completes a handshake, and then HTTP data transfer begins.

Thanh's computer

Figure 3.1-9: Thanh's computer appears to be sending an ARP request to a different IP address.

The figure shows an ARP request unlike the previous case: the gateway address being requested is 192.168.0.11. From this we can see NetBIOS traffic appearing, which is a sign of a problem.

NetBIOS is an older protocol that is fallen back on in place of TCP/IP when TCP/IP is not working. So Thanh's machine cannot connect over TCP/IP. Details of the ARP requests on the two machines:

Hai's machine

Thanh's machine

Conclusion: Thanh's machine has the wrong gateway address set and therefore cannot reach the Internet; it needs to be set back to 192.168.0.10.

The Ghost in Internet Explorer

Symptom: A's computer behaves as follows. When Internet Explorer is used, the browser automatically goes to a large number of advertising pages; changing the home page by hand does not stop it, and even restarting the machine does not help.

What we know:
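The reading of the two ARP captures above, as an added example that is not from the book: a Python audit that decodes ARP frames, records which address each host asked for and whether anyone answered, and compares that against the gateway the network actually uses. The frames are constructed here; the host addresses 192.168.0.20 (Hai) and 192.168.0.21 (Thanh) and all MAC addresses are assumed, while the real gateway 192.168.0.10 and the wrong setting 192.168.0.11 follow the text.

```python
import struct

# Added example, not from the book: ARP-request audit. Frames are constructed;
# host and MAC addresses are assumed, gateway addresses follow the text.
BROADCAST = b"\xff\xff\xff\xff\xff\xff"
GW_MAC = bytes.fromhex("0200000000aa")
HAI_MAC = bytes.fromhex("0200000000bb")
THANH_MAC = bytes.fromhex("0200000000cc")


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_arp(op, sha, spa, tha, tpa):
    """Ethernet II frame carrying a 28-byte ARP packet
    (htype 1, ptype 0x0800, hlen 6, plen 4; op 1 = request, 2 = reply)."""
    eth = (BROADCAST if op == 1 else tha) + sha + b"\x08\x06"
    return eth + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, ip_bytes(spa), tha, ip_bytes(tpa))


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if frame[12:14] != b"\x08\x06":
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack_from("!HHBBH6s4s6s4s", frame, 14)
    return {"op": op, "sender_mac": sha.hex(":"), "sender_ip": ".".join(map(str, spa)),
            "target_mac": tha.hex(":"), "target_ip": ".".join(map(str, tpa))}


def audit_gateway_arp(frames, expected_gateway):
    """For every (host, address asked for) pair: was the request answered, and
    is the address the gateway this network really uses? An unanswered request
    for something other than the real gateway is the misconfiguration seen on
    Thanh's machine."""
    answered = {}
    for rec in filter(None, map(parse_arp, frames)):
        if rec["op"] == 1:
            answered.setdefault((rec["sender_ip"], rec["target_ip"]), False)
        elif rec["op"] == 2:
            # in a reply the sender is the address that was asked for and
            # the target is the host that asked
            answered[(rec["target_ip"], rec["sender_ip"])] = True
    return [{"host": host, "asked_for": target, "answered": ok, "is_gateway": target == expected_gateway}
            for (host, target), ok in answered.items()]


def suspects(frames, expected_gateway):
    """Hosts whose ARP requests went unanswered: either the address does not
    exist on this segment (a wrong gateway setting) or the host is isolated."""
    return [f for f in audit_gateway_arp(frames, expected_gateway) if not f["answered"]]


SAMPLE_FRAMES = [
    build_arp(1, HAI_MAC, "192.168.0.20", b"\x00" * 6, "192.168.0.10"),     # Hai asks for the gateway
    build_arp(2, GW_MAC, "192.168.0.10", HAI_MAC, "192.168.0.20"),          # the gateway answers
    build_arp(1, THANH_MAC, "192.168.0.21", b"\x00" * 6, "192.168.0.20"),   # Thanh can reach Hai
    build_arp(2, HAI_MAC, "192.168.0.20", THANH_MAC, "192.168.0.21"),
    build_arp(1, THANH_MAC, "192.168.0.21", b"\x00" * 6, "192.168.0.11"),   # wrong gateway: no reply
    build_arp(1, THANH_MAC, "192.168.0.21", b"\x00" * 6, "192.168.0.11"),   # retry, still no reply
]

if __name__ == "__main__":
    for finding in audit_gateway_arp(SAMPLE_FRAMES, "192.168.0.10"):
        print(finding)
```

The same table is also the place to notice the opposite problem from the first half of this page: if two different MAC addresses answer for the gateway IP, or one MAC answers for several IPs, the ARP cache is being poisoned rather than misconfigured.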

- A is not very skilled with computers
- A's computer runs Windows XP with IE 6

Procedure

Because this happens only on A's machine and A's home page is changed whenever IE is opened, we will capture packets. We do not necessarily have to install Wireshark directly on A's machine; we can use the hubbing-out technique.

Analysis

Figure 3.1-13: Since there is no user interaction happening on A's computer at the time of this capture, all of these packets going across should set off some alarms.

Details of packet 5:

Figure 3.1-14: Looking more closely at packet 5, we see it is trying to download data from the Internet.

The computer sends an HTTP GET request to the address shown in the figure.

Figure 3.1-15: A DNS query to the weatherbug.com domain gives a clue to the culprit.

The reply packets start to show problems: the order of the segments is changed, and several of the following packets carry duplicate ACKs.

Figure 3.1-16: A DNS query to the weatherbug.com domain gives a clue to the culprit.

After that series of changes there is a DNS query for deskwx.weatherbug.com, an address A does not know and had no intention of visiting.

So it is likely that some process changes the home page address every time IE is opened. Using an inspection tool such as Process Explorer, we find a process named weatherbug.exe running. After terminating this process the symptom disappears. Processes like weatherbug are often viruses or spyware.

Process Explorer interface

FTP Connection Failure

Scenario: we have an FTP account on a Windows Server 2003 machine on which service packs have just been installed; the FTP server software runs normally and the login credentials are correct, but we cannot connect.

What we know:

- FTP works on port 21

Procedure: install Wireshark on both machines.

Analysis

Client:

Figure 3.1-19: The client tries to establish connection with SYN packets but gets no response; then it sends a few more.

The client sends SYN packets to handshake with the server, but there is no reply from the server.

Server:

Figure 3.1-20: The client and server trace files are almost identical.

There are three possible reasons for this behaviour:

- The FTP server is not running. This is not the case, since our FTP server was verified to be running at the start.
- The server is overloaded or has too much traffic to answer the request. This is not right either, since the server was just set up.
- Port 21 is blocked on the client side, the server side, or both. On checking, we find that the server blocks both incoming and outgoing traffic in the Local Security Policy.

Conclusion

Sometimes a packet capture does not tell us the problem directly, but it rules out a great many cases and helps us make an accurate guess about what the problem is.
