Understanding Man-in-the-Middle Attacks - DNS Cache


7/30/2019 Understanding Man-in-the-Middle Attacks - DNS cache

Understanding Man-in-the-Middle Attacks: DNS Spoofing

Updated at 09:00 on 14/04/2010

Quản Trị Mạng: In this article we continue our introduction to Man-in-the-Middle attacks, focusing this time on another type of MITM attack, known as DNS spoofing.

In the first part of this series we introduced ARP communication and showed how a device's ARP cache can be spoofed in order to redirect the network traffic of other computers through another machine for malicious purposes. In this article we introduce another kind of MITM attack, DNS spoofing. If you have not yet read the ARP cache spoofing part, you should go back and read it first, because this article uses several of the techniques introduced there.

DNS spoofing

DNS spoofing is an MITM technique used to supply false DNS information to a host so that, when the user browses to some address, for example www.bankofamerica.com at IP address XXX.XX.XX.XX, the attempt is instead sent to a fake www.bankofamerica.com residing at IP address YYY.YY.YY.YY, an address the attacker has prepared in advance in order to steal the user's online banking credentials. This attack is quite easy to carry out, and in this article we will study how it works, how it is executed, and finally how to defend against it.

DNS communication

The Domain Name System (DNS) protocol, as defined in RFC 1034/1035, can be regarded as one of the most important protocols in use on the Internet. Put simply, whenever you type a web address such as http://www.google.com into your browser, a DNS request is sent to a DNS server to find the IP address corresponding to the domain name you entered. Routers and the devices connected to the Internet do not understand what google.com is; they only understand addresses such as 74.125.95.103.

DNS servers work by storing a database of entries (called resource records) mapping IP addresses to DNS names, and by communicating those resource records to clients and to other DNS servers. The DNS server architecture across an enterprise and across the Internet is rather complex. In fact, entire books are dedicated to DNS architecture. We will not go into the architectural aspects, or even the different kinds of DNS traffic, but only introduce a basic DNS transaction, which you can see in Figure 1.


Figure 1: DNS query and response

DNS operates in a query/response fashion. A client that needs a DNS resolution for some IP address sends a query to the DNS server, and the DNS server returns the requested information in its response packet. From the client's perspective, only two packets appear at this point: the query and the response.

Figure 2: DNS query and response packets

This scenario becomes a little more complicated when DNS recursion is considered. Because of the hierarchical structure of the Internet's DNS, DNS servers need to be able to communicate with each other in order to provide answers to the queries submitted by clients. If all goes as expected, our internal DNS server will know the name-to-IP-address mapping for the hosts on the internal network, but it cannot be expected to know the corresponding address for Google or Dell. This is where recursion plays an important role. Recursion occurs when one DNS server queries another DNS server in the role of a client making a request. In essence, this turns a DNS server into a DNS client, as shown in Figure 3.

Figure 3: DNS query and response using recursion

DNS spoofing

There are several ways to carry out DNS spoofing. We will use a technique called DNS ID spoofing.

Every DNS query sent over the network contains a unique identification number, whose purpose is to distinguish queries from one another and to match responses to them. This means that if our attacking machine can intercept a DNS query sent from a particular device, all we need to do is create a forged packet containing that identification number for the packet to be accepted by the target.

We will complete this process in two steps using a single tool. First, we spoof the ARP cache of the target device to reroute its traffic through our attacking host, so that we can intercept the DNS request and send the forged packet. The aim of this scenario is to trick users on the target network into visiting a malicious website instead of the website they were trying to reach. For more detail, refer to the attack diagram below.


Figure 4: DNS spoofing attack using the DNS ID spoofing method

There are several tools that can be used to perform DNS spoofing. We will use one of them, Ettercap, a tool that runs on both Windows and Linux. You can download Ettercap from its website (http://ettercap.sourceforge.net/). If you look around that website a little, you will certainly see that Ettercap has many other great features besides DNS spoofing and can be used to carry out many kinds of MITM attacks.

If you install Ettercap on a Windows computer, you will find that it has a very nice graphical user interface (GUI); in this example, however, we will use the command-line interface.

Before running Ettercap, you need to do a little configuration. At its core Ettercap is a packet sniffer; it uses plug-ins to perform the various attacks. The dns_spoof plug-in is what we will use in this example, so we have to adjust the configuration file associated with that plug-in. On Windows this file is found at C:\Program Files (x86)\EttercapNG\share\etter.dns, and on Linux at /usr/share/ettercap/etter.dns. It is a fairly simple file containing the DNS records you want to spoof. For testing purposes, we want any user trying to reach yahoo.com to be redirected to a host on the local network, so we add the entry highlighted in Figure 5.


Figure 5: Adding a spoofed DNS record to etter.dns

These entries tell the dns_spoof plug-in that whenever it sees a DNS query for yahoo.com or www.yahoo.com (with an A-type resource record), it should answer with the IP address 172.16.16.100. In a real scenario, the device at 172.16.16.100 would be running web server software and presenting the user with a fake website.

Once this file has been configured and saved, we can run the command string that launches the attack. The command string uses the options below:

-T    Specifies use of the text interface


Figure 7: Result of the DNS spoofing attempt from the user's perspective

Preventing DNS spoofing

DNS spoofing is hard to defend against because there are very few signs of the attack. Typically, you do not know your DNS has been spoofed until it has already happened. What you receive is a web page completely different from what you expected. In highly targeted attacks, it is quite possible you will not know you were tricked into entering your sensitive information into a fake website until you receive a call from your bank asking why you withdrew so much money. Although difficult, it is not impossible to defend against these kinds of attacks; here are some things you should do:

Protect your internal machines: Attacks like the one above are usually carried out from inside your network. If your network devices are secure, the chance of compromised hosts being used to launch a spoofing attack is reduced.

Do not rely on DNS for secure systems: On highly secure and sensitive systems, not browsing the Internet on them at all is the best way to avoid using DNS. If you have software that uses hostnames to do some of its work, it should be adjusted as needed in the device's configuration file.

Use an IDS: An intrusion detection system, when placed and deployed properly, can expose ARP cache spoofing and DNS spoofing.

Use DNSSEC: DNSSEC is a new alternative to DNS that uses digitally signed DNS records to ensure the validity of query responses. DNSSEC is not yet widely deployed, but it has been accepted as the future of DNS.
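The detection idea behind the IDS recommendation above, applied to the DNS ID spoofing mechanism described earlier, as an added example (not code from the original article or from Ettercap): a small Python monitor that parses DNS messages, remembers what each transaction ID and name were answered with, and alerts when the same ID gets a second, different answer or when a name resolves into a private range such as the 172.16.16.100 entry from etter.dns. The packets, the transaction ID 0x1A2B and the "real" answer address are all constructed for the example.

```python
import ipaddress
import struct

def build(txid, name, answer_ip=None):
    """Constructed DNS message: a query for name, or a response carrying one A record."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    question = qname + b"\x00\x01\x00\x01"                     # type A, class IN
    if answer_ip is None:
        return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(answer_ip).packed
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr

def parse_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                                    # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [parse_name(msg, ptr)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def parse(msg):
    txid, flags, _, ancount = struct.unpack("!HHHH", msg[:8])
    qname, off = parse_name(msg, 12)
    off, answers = off + 4, []                                  # skip qtype/qclass
    for _ in range(ancount):
        _, off = parse_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1:                                          # A record
            answers.append(str(ipaddress.IPv4Address(msg[off + 10:off + 14])))
        off += 10 + rdlen
    return {"id": txid, "qr": flags >> 15, "qname": qname, "answers": answers}

def monitor(packets):
    seen, alerts = {}, []
    for raw in packets:
        m = parse(raw)
        if m["qr"] == 0:                                        # queries carry nothing to check
            continue
        key = (m["id"], m["qname"])
        if key in seen and seen[key] != m["answers"]:
            alerts.append(f"conflicting answers for {key[1]} id={key[0]:#06x}: {seen[key]} vs {m['answers']}")
        alerts += [f"{key[1]} resolved to private address {ip}"
                   for ip in m["answers"] if ipaddress.IPv4Address(ip).is_private]
        seen.setdefault(key, m["answers"])
    return alerts

# Constructed capture: the query, the forged etter.dns-style answer (arrives first), then the real answer
SAMPLE = [build(0x1A2B, "www.yahoo.com"),
          build(0x1A2B, "www.yahoo.com", "172.16.16.100"),
          build(0x1A2B, "www.yahoo.com", "74.125.95.103")]
```

Running monitor(SAMPLE) yields two alerts: the private-range answer, then the conflicting second answer for the same transaction ID.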

Conclusion

DNS spoofing is a rather dangerous form of MITM attack when paired with malicious intent. Using this technique, attackers can leverage spoofing to steal users' sensitive information, install malware by means of an exploit, or cause a denial-of-service attack. In the next part of this series we will introduce pass-the-hash attacks and how they can be used to log in to Windows computers without needing users' passwords.

Packet analysis with WIRESHARK

A brief introduction to Wireshark

- Wireshark has a long history. Gerald Combs was the first to develop this software. The first version … was released in 1998. Eight years after that first version appeared, Combs left his job to pursue a … Unfortunately, at that time he could not reach an agreement with the company that employed him over the rights to the … trademark. Combs and the rest of the development team built a new brand for the Ethereal product in 2006.
- Wireshark has grown strongly, and today its development team numbers up to 500 contributors. The Ethereal product is no longer developed.
- The benefits Wireshark brings have made it as popular as it is today. It can meet the needs of … and amateurs alike, and it offers many features that attract each of these audiences.

Protocols supported by Wireshark:

Wireshark excels in its protocol support (around 850 protocols), from common ones such as TCP and IP to … AppleTalk and BitTorrent. And because Wireshark is developed under an open-source model, new protocols … broadly speaking, there is no protocol that Wireshark cannot support.

User friendly: Wireshark's interface is one of the … packet analysis software interfaces, a graphical application with a very clear menu system laid out so that it is easy to understand. Unlike some products that use … such as TCPdump, Wireshark's graphical interface is great for anyone who has studied the world of packet analysis …

Price: Wireshark is a free, GPL-licensed product. You can download and use Wireshark for any purpose, … commercial.

Support: The Wireshark community is one of the best and most active communities among open-source projects …

Operating systems supported by Wireshark: Wireshark supports most of today's operating systems.

1. Some basic scenarios

In this section we get into more concrete matters: using Wireshark and packet analysis to solve a problem …

We present a number of typical scenarios.

A Lost TCP Connection

One of the most common problems is a lost network connection. We will ignore the reason why the connection was lost; …

Example:

A file transfer that loses its connection:

It begins with the sending of 4 TCP ACK packets from 10.3.71.7 to 10.3.30.1.

Figure 3.1-1: This capture begins simply enough with a few ACK packets.


The problem begins at packet 5, where we see TCP retransmissions appearing.

Figure 3.1-2: These TCP retransmissions are a sign of a weak or dropped connection.

By design, TCP sends a packet to its destination and, if no reply is received within a certain time, it resends the packet. … if it still receives no reply, the sender doubles the wait time before the next retransmission.

As seen in the figure above, TCP retransmits 5 times; if 5 consecutive retransmissions receive no response, the connection is considered ended.

This behaviour can be seen in Wireshark as follows:

Figure 3.1-4: Windows will retransmit up to five times by default.

The ability to identify failing packets can sometimes help us discover where a lost network connection originates.
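The retransmission pattern described above, turned into an automated check as an added example (not code from the original text): the script below parses constructed Wireshark-style summary lines, groups every data segment by flow and sequence number, measures the gap between successive sends, verifies that each gap doubles, and reports a lost connection once five retransmissions have gone unanswered by the peer. The packet numbers, ports, timestamps and the 10.3.71.7 / 10.3.30.1 exchange are constructed to match the scenario, not taken from a real capture.

```python
import re
from collections import defaultdict

# Constructed Wireshark-style summary lines (No., Time, Source, Destination, Protocol, Info) for the
# transfer above: four ACKs from 10.3.71.7 to 10.3.30.1, then one data segment that is retransmitted
# five times with the wait doubling each time, and nothing ever coming back from 10.3.30.1.
CAPTURE = """\
1   0.000000  10.3.71.7  10.3.30.1  TCP  1026 > 21 [ACK] Seq=1 Ack=1 Len=0
2   0.000420  10.3.71.7  10.3.30.1  TCP  1026 > 21 [ACK] Seq=1 Ack=1 Len=0
3   0.000810  10.3.71.7  10.3.30.1  TCP  1026 > 21 [ACK] Seq=1 Ack=1 Len=0
4   0.001200  10.3.71.7  10.3.30.1  TCP  1026 > 21 [ACK] Seq=1 Ack=1 Len=0
5   0.500000  10.3.71.7  10.3.30.1  TCP  1026 > 21 [PSH, ACK] Seq=1 Ack=1 Len=100
6   0.800000  10.3.71.7  10.3.30.1  TCP  1026 > 21 [PSH, ACK] Seq=1 Ack=1 Len=100
7   1.400000  10.3.71.7  10.3.30.1  TCP  1026 > 21 [PSH, ACK] Seq=1 Ack=1 Len=100
8   2.600000  10.3.71.7  10.3.30.1  TCP  1026 > 21 [PSH, ACK] Seq=1 Ack=1 Len=100
9   5.000000  10.3.71.7  10.3.30.1  TCP  1026 > 21 [PSH, ACK] Seq=1 Ack=1 Len=100
10  9.800000  10.3.71.7  10.3.30.1  TCP  1026 > 21 [PSH, ACK] Seq=1 Ack=1 Len=100
"""

LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+TCP\s+(\d+) > (\d+)\s+"
                  r"\[([^\]]+)\]\s+Seq=(\d+)\s+Ack=(\d+)\s+Len=(\d+)")

def parse_capture(text):
    """Turn summary lines into dicts; lines that do not match the TCP pattern are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rows.append({"no": int(m[1]), "t": float(m[2]), "src": m[3], "dst": m[4],
                         "sport": int(m[5]), "dport": int(m[6]), "flags": m[7],
                         "seq": int(m[8]), "ack": int(m[9]), "len": int(m[10])})
    return rows

def sends_per_segment(rows):
    """Group the send times of every data-carrying segment by flow and sequence number."""
    sends = defaultdict(list)
    for r in rows:
        if r["len"] > 0:                      # pure ACKs carry no data and are never retransmitted
            sends[(r["src"], r["sport"], r["dst"], r["dport"], r["seq"])].append(r["t"])
    return sends

def diagnose(rows, max_retries=5):
    """Per retransmitted segment: retry count, the gaps between tries, whether they double,
    and whether the sender gave up (max_retries tries and no ACK from the peer)."""
    report = []
    for (src, sport, dst, dport, seq), times in sends_per_segment(rows).items():
        if len(times) < 2:
            continue
        gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
        acked = any(r["src"] == dst and r["dst"] == src and r["ack"] > seq for r in rows)
        report.append({"seq": seq, "retransmissions": len(times) - 1, "gaps": gaps,
                       "backoff_doubles": all(abs(b - 2 * a) < 0.05 for a, b in zip(gaps, gaps[1:])),
                       "connection_lost": len(times) - 1 >= max_retries and not acked})
    return report
```

For the constructed capture, diagnose(parse_capture(CAPTURE)) reports five retransmissions with gaps 0.3, 0.6, 1.2, 2.4 and 4.8 seconds and marks the connection as lost.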


Unreachable Destinations and ICMP Codes

One of the tools used when checking network connectivity is the ICMP ping utility. If we are lucky, the target replies and the test succeeds; if not, we receive a message that the host cannot be reached. Using a packet capture tool … gives far more information than plain ICMP ping alone. We will see the ICMP errors more clearly.

Figure 3.1-5: A standard ping request from 10.2.10.2 to 10.4.88.88

The figure below shows the message that 10.4.88.88 cannot be pinged from the machine 10.2.99.99.

So, compared with a normal ping, we can see that the connection is broken from 10.2.99.99. In addition there are the ICMP error codes … unreachable).

Figure 3.1-6: This ICMP type 3 packet is not what we expected.

Unreachable Port


Another of the usual tasks is checking connectivity to a port on a server. This check tells us whether … exists or not, and whether it is ready to accept incoming requests.

For example, to check whether the FTP service is running on a server (by default FTP works over port 21), … an ICMP packet to port 21 of the server; if the server replies with an ICMP type 3 packet with code 2, it means that no connection can be made to …

Fragmented

Figure 3.1-7: This ping request requires three packets rather than one because the data being transmitted is above average size.

Here we can see that the recorded packet size is larger than the default size ping sends, which is 32 bytes, to a … The packet size here is 3,072 bytes.
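The arithmetic behind the three-packet ping above, generalised to any payload and MTU as an added example (not from the original text), together with the completeness check a receiver performs when deciding whether it has every fragment of a packet. A 1500-byte MTU, a 20-byte IPv4 header and the 8-byte ICMP header are assumed.

```python
def fragment_ipv4(payload_len, mtu=1500, header_len=20):
    """Split an IPv4 payload into fragments that fit the MTU.

    Returns one (offset_in_8_byte_units, more_fragments, payload_bytes) tuple per
    fragment. Every fragment except the last carries a multiple of 8 bytes, because
    the fragment offset field counts 8-byte units."""
    if payload_len <= mtu - header_len:
        return [(0, False, payload_len)]          # fits in one packet: not fragmented
    chunk = (mtu - header_len) // 8 * 8
    frags, sent = [], 0
    while sent < payload_len:
        size = min(chunk, payload_len - sent)
        frags.append((sent // 8, sent + size < payload_len, size))
        sent += size
    return frags

def ping_fragments(data_len, mtu=1500):
    """Fragments for an ICMP echo request carrying data_len bytes of data (8-byte ICMP header)."""
    return fragment_ipv4(8 + data_len, mtu)

def reassembled_length(frags):
    """Check fragments the way a receiver must: contiguous offsets, and exactly one
    fragment with the MF flag clear, which must be the last one. Returns the total
    payload length, or None when a piece is missing or out of place."""
    frags = sorted(frags)
    expected = 0
    for i, (offset, more, size) in enumerate(frags):
        if offset * 8 != expected:
            return None                           # gap or overlap between fragments
        if more == (i == len(frags) - 1):
            return None                           # MF set on the last, or clear on a middle one
        expected += size
    return expected if frags else None
```

A 32-byte ping fits in one packet; the 3,072-byte ping becomes 3,080 bytes of IP payload and splits into fragments of 1480, 1480 and 120 bytes at offsets 0, 185 and 370, which reassemble only when all three are present.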

Determining Whether a Packet Is Fragmented

No Connectivity

Problem: we have 2 new employees, Hải and Thanh, who are seated next to each other and are of course provided with 2 computers … and the steps to put the 2 computers on the network are carried out. A problem arises: Hải's computer works fine and its network connection is normal, … Thanh's cannot access the Internet.


Goal: find out why Thanh's computer cannot connect to the Internet and fix the problem.

Information we have

Both computers are new.

Both machines have IP addresses set and can ping other machines on the network. In short, there is no difference between the configurations of the two machines.

Procedure

Install Wireshark directly on both machines.

Analysis

First, on Hải's machine we see a normal HTTP session. To begin with there is an ARP broadcast … at layer 2, here 192.168.0.10. When Hải's computer receives that information it performs a handshake with the gateway and reaches the … outside.

Figure 3.1-8: His computer completes a handshake, and then HTTP data transfer begins.

Thanh's computer:

Figure 3.1-9: Thanh's computer appears to be sending an ARP request to a different IP address.

The figure above shows an ARP request unlike the one in the previous case. The gateway address being requested is 192.168.0.11.

So we can see that NetBIOS has a problem.


NetBIOS is an old protocol; it takes the place of TCP/IP when TCP/IP is not working. So Thanh's machine is not … TCP/IP.

Details of the ARP requests on the 2 machines:

Hải's machine

Thanh's machine


Conclusion: Thanh's machine has the wrong gateway address set, so it cannot connect to the Internet; it needs to be set back to 192.168.0.10.

The Ghost in Internet Explorer

Symptom: A's computer behaves as follows: when the IE browser is used, the browser automatically goes to a great many … even after setting it back by hand the symptom persists, and even restarting the machine does not help.

Information we have: A is not very knowledgeable about computers.

A's computer runs Windows XP with IE 6.

Procedure

Since this symptom only occurs on A's machine and A's home page is changed whenever IE is opened, we will proceed … We do not necessarily have to install Wireshark directly on A's machine; we can use the Hubbing Out technique.

Analysis


Figure 3.1-13: Since there is no user interaction happening on A's computer at the time of this capture, all of these packets should set off some alarms.

Details of packet 5:

Figure 3.1-14: Looking more closely at packet 5, we see it is trying to download data from the Internet.

The computer sends an HTTP GET request to the address shown in the figure.

Figure 3.1-15: A DNS query to the weatherbug.com domain gives a clue to the culprit.

The reply packets begin to show problems: the order of the segments has changed.

Several of the following packets show duplicate ACKs.

Figure 3.1-16: A DNS query to the weatherbug.com domain gives a clue to the culprit.

After the series of changes above, there is a DNS query to deskwx.weatherbug.com.

This is an address A does not know and had no intention of visiting.


So it may be that some process changes the home page address every time IE is opened. Using another tool, Process Explorer, we see that a process called weatherbug.exe is running. After killing this process the symptom no longer …

Usually, processes like weatherbug may be viruses or spyware.

The Process Explorer interface


FTP connection error

Scenario: there is an FTP account on a Windows Server 2003 machine on which update service packs have just been installed; the FTP software … normally, the account is correct but cannot be accessed.

Information we have


FTP works on port 21

Procedure

Install Wireshark on both machines.

Analysis

Client:

Figure 3.1-19: The client tries to establish connection with SYN packets but gets no response; then it sends a few more.

The client sends SYN packets to handshake with the server, but there is no response from the server.

Server:


Figure 3.1-20: The client and server trace files are almost identical.

There are 3 possible reasons for this behaviour:

The FTP server is not running. This is not the case, because our FTP server is running, as checked at the start.

The server is overloaded or has too much traffic to respond to requests. This is also incorrect, because …

Port 21 is blocked on the client side, the server side, or both. After checking, it was found that on the server side … Incoming and Outgoing in Local Security Policy.


Conclusion

Sometimes a packet capture does not tell us the problem directly, but it rules out a great many possibilities and helps us to … what the problem is.