A multipurpose Hacking Tool for MITM - PowerPoint PPT Presentation

About This Presentation

Title:

A multipurpose Hacking Tool for MITM

Description:

ettercap A multipurpose Hacking Tool for MITM , 2006-12-02 (ARP , DNS Recursion, sniffing ... – PowerPoint PPT presentation

Number of Views:116

Avg rating:3.0/5.0

Slides: 45

Provided by: 4518

Category:

more less

Transcript and Presenter's Notes

Title: A multipurpose Hacking Tool for MITM

1
A multipurpose Hacking Tool for MITM
ettercap
ettercap

??? ???, ?? ???

2006-12-02
2
??

???? (ARP ????, DNS Recursion, sniffing)
ettercap ??
??? ?? ??
Man in the middle redirect (?? ???)
Plugins - ???? ?? ??
??
?? ???

3
????(ARP ????, Sniffing)
4
TCP/IP ? OSI ??
5
ARP ????(1)

ARP
Address Resolution Protocol
IP ?? ??? MAC ?? ?? ???? ????
ARP cache
IP?? ? ?? ???? MAC??? ?? ?? ????
???? ??? ??.
ARP ?? ??? ???? ?? 4??.

6
ARP ????(2)

ARP Request

ARP Response
7
ARP ????(3)

ARP ???? ??
Hard type ???? ?? ???, FDDI,
????
Proto type ???? ?? ARP ????? ?? 0806
Hard size ???? ??? ??
Proto size ???? ??? ??
OP ARP ??? ?? ? 1 ARP ?? 2
ARP ??
Sender Ethernet Addr ??? MAC
Sender IP Addr ??? IP Addr
Target Ethernet Addr ??? MAC
Target IP Addr ??? IP Addr

8
ARP ????(4)

ARP ?? ??
???? ?? ????? A ??? ????? ??? ???
???? ARP cache ? A ??? ?? IP MAC ? ?????? ARP
??? Broadcast (ARP Request) ??.
B??, C??? ??? IP? ???? ??? drop
A??? ??? MAC? ?? ??? Unicast(ARP Response)??.
???? A??? ??? MAC?? ??
??? ??? ??? ?

9
DNS Recursion(1)
www.yahoo.co.kr
kr
co
yahoo
10
DNS Recursion(2)

DNS Recursion
?? ????? www.yahoo.co.kr ??
?? ???? ??? DNS SERVER (DNS Client ? ??)? IP ??
??? ???? ?? ??? ??? ROOT DNS ??? ??
ROOT DNS ??? .kr ? ???? DNS ??? ????? ?? ?
DNS Client ? ?? .kr ? ???? DNS ??? ??
?? ?? ??? RECURSION ?? ?? ???? IP? ???? DNS
Client? ?? ??? PC?? IP? ????.
PC ? ??? Gateway (Router)? ? ??? ????
www.yahoo.co.kr? ??? ???

11
???(Sniffing)

?????? ???? ?? ???? ??
??? ?? Ethereal, ettercap
Promiscuous mode ??? ?? ?? ?? ??
?? ???? ????

12
???(Sniffer)
192.168.0.1
192.168.0.2
Packet??? 192.168.0.3
ltSniffergt NIC? Promiscuous mode ? ??
192.168.0.3
13
??? ??(1)

MAC Flooding ?? (switch ????? sniffing)
??? MAC? ????? ???? ???? ARP????Flooding
Dummy ??? ?? ?? port? Broadcasting (Fail open)
ARP Spoofing ??
?? ?????? Spoofing ??? Hosts ? arp cache ??
??? B -gt Host A (IP10.0.0.3 ? MAC(???) ?? CC)
??? B -gt Host C (IP10.0.0.2 ? MAC(???) ?? CC)

14
??? ??(2)

ARP Redirect ??
???? ?????? ??? ??? MAC? ??? ??Broadcast??.
LAN ?? ?? ????? ???? ARP Cashe ??? ??
?????? ?? ?? ??? ???? ???? ??.

15
??? ??(4)

ICMP
??? ?? ??? ? ??? ??? ???? ?? ????
ICMP Redirect
??? ???? ?? ?? ???? ?? ?? ???? ??? ????? ???
????? ???? ???? ??
ICMP Redirect ??
?? ????? ?? ????? ??? ICMP Redirect ?????? ????
???? ??? ???? ?? ??? ????? ??

16
??? ?? ??

???
SSL, SSH, VPN
??? ??? ???? ??
?? ???? ???? ??

17
ettercap ??
18
ettercap ??
ettercap.sourceforge.net

Man in the middle attack ??? ?? ?? ???? ?
MITM ARP poisoning, icmp redirection, dhcp
poisoning,
port stealing
SSH1, SSL ??? sniffing.
??? ??? data, character injection.
Packet filtering ?? dropping.
Password ??
Passive OS fingerprint
Sniffing ?? ?? ?? ? ?????? Connection ? kill ??
????, ?? ??

19
Ettercap ?? ???? ??
etter.conf ? ?? ??
etterlog
???? ????
ettercap
Text editor ???? ??
??? ??????
???? ??????
??? ?? ???????
etterfilter
??? ??????
20
?? ?????

???/????? ??? ? ?? ?? ??
?? libpcap gt 0.8.1, libnet gt 1.1.2.1,
Libpthread, zlib
??libltdl (plugin ??), libpcre (perl regexp ??),
openssl 0.9.7 (SSH, SSL ??), ncurses 5.3 ??
(cursed GUI)GTK GUI pkgconfig 0.15.0 ??,
Glib 2.4.x ??, Gtk 2.4.x ??, Atk 1.6.x ??,
Pango 1.4.x ??
????? ?? ?? ??
?? winpcap
?? ?? ettercap-NG-0.7.3-win32.exe

21
UI

-T Text only
-C Ncurses ?? GUI
-G GTK2?? GUI

22
??? ?? - Unified, Bridged
Unified - ?? NIC?? ???
Bridged - Inline ???? ?? ? ??
23
?? ? ?? ??
24
?? ??
25
Unified ??? -gt ??
26
????? ? ??? ??
?? Start ??? ??/??
?? Targets IP, MAC, ??? ?? ?? ?? ? ?? ??
??? Hosts ?? ??? ??/??
?? View ?? - ?? ??, ?? ???? - ??? ??? IP, MAC, OS, ???, ?? ?? - ??? ? ??/?? ??? ?? ??
?? MITM ARP ???, ICMP ???, ?? ???, DHCP ??
?? Filters ?? ?? ??, ??? ???
?? Logging ??? ??? ??, ??? ???? ?? ? ? (???? ?? ??, ??? ?? ?? ?? ??)
???? Plugins ARP_COP, Finger, link_type, DNS_spoof, dos_attack, isolate, rand_flood, remote_browser, reply_arp
27
GUI ??
28
??? - ?? ??? ??
?? ?? ??
29
???? - ??? ??? ??
?? ?? ??? ??? IP, MAC, OS, ???, ?? (??? X ??)
30
??? ?? ??
?? ?? ??? ??? IP, MAC, OS, ???, ?? (??? ??)
31
?? ??? ???
??? ?? ??, ???? ?? ????? ??
32
??
33
MITM - ???? Redirect (?? ???)
Target - ???? ??

ARP poisoning
?? ??? ARP cache? ??ettercap?? ???? redirect
????
ICMP redirect
? ?? ??? ???? ??
ettercap?? ???? redirect ????
Port stealing lt- ???? ??
??? ???? ARP ????? ?? ?? ?? ???? ??
ARP ?? ?? ?? ??
DHCP spoofing
????? ?? ???? IP ?? ?? ??

34
???? - Search, Detection
Find_ip Subnet ??? ???? ?? ip ??? ????.
Finger ????? ??? ??? ?????
gre_relay GRE redirected ??? ??? ??
gw_discover Gateway ????.
scan_poisoner ?? ??? ARP poisoner ? ????.
search_promisc ? ?? ?? ?? ARP request? ??? ?? ??? ?? ??? ?? ?? ARP request? ??? ???? ?? ? ?? ?? ??
Link_type hub/switch ???? ????.
arp_cop ????? ARP ??? ??? - ARP ????, IP ??, IP ?? ??? ??? ??? ? ? ???? ?? ??
find_conn LAN(??? ??) ??? ??? ??? ????.
find_ettercap Ettercap? ???? ?? ?? ??
remote_browser ??? ? ??? ??? ?? ?
35
???? - Attack
chk_poison ARP ???? ??? ????? ??
DNS_spoof DNS ??? ???? ??? ??, ?? ??? etter.dns ??
dos_attack ?? ???? ?? ?? ??? ???? SYN flooding ?? ?? ??? ?? IP ??? ??, ?? ???? ??
isolate ?? ???? LAN?? ??, ARP cache? ???? ????? ???? ???? ??? ??? ??
rand_flood ??? MAC ??? LAN? ?? ??
reply_arp ???? MAC ??? ??
SMB_clear ???? ?? ?? ?? ?????? smb ??? clear-text ??? ???? ?, ??? ????? ?? ? ? ??
SMB_Down SMB ?? ??? ?????? NTLM2 ?? ??? ?? ? ??? ??. LC4? ??? ?? ?? ???
stp_mangler ?? ?? ??? ???? ???? Spanning tree BPDUs? ?? Ettercap? unmanaged ???? ???? ??? ?
PPTP PPTP_chapms1, PPTP_clear, PPTP_pap, PPTP_reneg
36
?? ? etterfilter, etterlog