2017-2018-2 "Network Countermeasure Technology" Exp7: Internet Fraud Prevention
————————CONTENTS————————
- 1. Principles and Practice Description
- 2. Record of practice process
- 3. Practice summary and experience
- Attached: References
1. Principles and Practice Description
1. Practical goals
- The goal of this practice is to understand the principles behind common online frauds, to raise awareness of prevention, and to propose specific prevention methods.
2. Overview of practice content
- Simple application of SET tools to build a fake website (1 point)
- ettercap DNS spoof (1 point)
- Combining the application of two technologies, using DNS spoof to guide specific visits to impostor websites (1.5 points)
3. Answers to basic questions
- Q: In what scenarios are you usually vulnerable to DNS spoof attacks?
- A: Under the same local area network, as well as various public networks.
- Q: How to prevent the above two attack methods in daily work?
- A: DNS spoofing attacks are difficult to defend against because most of them are passive in nature. Normally you have no way of telling that your DNS answers have been spoofed; the only visible sign is that the pages you open differ from the ones you intended to visit. Some measures that help:
- Use the latest version of DNS server software and install patches in time;
- Turn off recursion on the DNS server. A DNS server either answers a query from the records in its cache, or obtains the answer by querying other servers and passes it on to the client. Both of these are recursive queries, and they make DNS spoofing easier.
- Don't rely on DNS: on highly sensitive, privacy-critical systems, avoid browsing the web and preferably avoid DNS altogether. If some software needs a hostname to run, the mapping can be specified manually in the device's hosts file.
- Use an intrusion detection system: When properly deployed and configured, an intrusion detection system can detect most forms of ARP cache poisoning and DNS spoofing attacks.
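The answer above says an intrusion detection system can catch most DNS spoofing; the Python below, an added example that is not part of this report, shows what such a check looks like over parsed DNS responses. It flags the three symptoms the experiment itself produces: two different answers racing in for the same transaction, a public site name resolving to an RFC 1918 LAN address, and disagreement with a locally pinned (hosts-file style) address. The sample answers, the 192.168.1.105 attacker address and the 203.0.113.10 pinned address are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# RFC 1918 ranges: a public site name resolving into one of these on a campus or
# home LAN is a classic DNS-spoof symptom (the lab's etter.dns points the name at kali).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class DnsAnswer:
    txid: int   # DNS transaction id copied from the query
    qname: str  # name that was queried
    rdata: str  # A-record address carried in the response

# Constructed sample, not from a real capture: one genuine reply for the lab's domain,
# a forged reply reusing the same txid (192.168.1.105 stands in for the attacker's
# LAN address), and one unrelated clean reply.
SAMPLE = [
    DnsAnswer(0x1A2B, "www.mosoteach.cn", "203.0.113.10"),
    DnsAnswer(0x1A2B, "www.mosoteach.cn", "192.168.1.105"),
    DnsAnswer(0x3C4D, "example.net", "198.51.100.7"),
]
# Locally pinned name -> address pairs (the hosts-file idea above); constructed value.
PINNED = {"www.mosoteach.cn": "203.0.113.10"}

def conflicting_answers(answers):
    """Same txid and name answered with different addresses: two replies raced in."""
    seen = defaultdict(set)
    for a in answers:
        seen[(a.txid, a.qname.lower())].add(a.rdata)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def private_answers(answers):
    """Names resolving into RFC 1918 space. Split-horizon DNS does this legitimately,
    so this is a signal to correlate, not proof on its own."""
    return [a for a in answers if any(ipaddress.ip_address(a.rdata) in n for n in RFC1918)]

def pinned_mismatches(answers, pinned=PINNED):
    """Answers that disagree with a locally pinned address."""
    return [a for a in answers if a.rdata != pinned.get(a.qname.lower(), a.rdata)]

def detect(answers, pinned=PINNED):
    """Return one human-readable alert per indicator that fired."""
    alerts = [f"conflicting answers for {q} (txid {t:#06x}): {v}"
              for (t, q), v in conflicting_answers(answers).items()]
    alerts += [f"{a.qname} -> private address {a.rdata}" for a in private_answers(answers)]
    alerts += [f"{a.qname} -> {a.rdata} differs from pinned {pinned[a.qname.lower()]}"
               for a in pinned_mismatches(answers, pinned)]
    return alerts
```

Running detect(SAMPLE) raises three alerts for the forged reply and none for the clean one; in practice the answers would be parsed from a packet capture or resolver log rather than constructed inline.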
2. Record of practice process
Attacker: kali Target: windows XP SP3 (English)
1. Simple application of SET tool to build a fake website
1. Since the phishing website has to be served by this machine's HTTP service, the port SET uses must be changed to the default port 80. Use the command sudo vi /etc/apache2/ports.conf to edit the Apache port file and change the port to 80, as shown in the following figure:
2. In kali, use the command netstat -tupln | grep 80 to check whether port 80 is already occupied. If it is, terminate the process with kill followed by its process ID. As shown in the figure below, nothing else is using the port:
3. Use apachectl start to start the Apache service:
4. Enter setoolkit to open the SET tool:
Choose 1 to perform a social engineering attack:
Choose 2, the phishing attack vector:
Choose 3, the login password interception attack:
Choose 2 to clone the website:
Then enter the attacker's IP address, which is the IP address of kali:
Enter the URL to be cloned:
5. To confuse the target machine, we disguise the address it will visit as a long string of address text:
6. Enter this address in the address bar of the target machine browser, press Enter, and the attack machine will receive a connection prompt:
7. Enter a (possibly wrong) user name and password on the target machine; the attacking machine obtains all of them:
2. ettercap DNS spoof
1. Use the command ifconfig eth0 promisc to switch the kali network card into promiscuous mode;
2. Enter the command vi /etc/ettercap/etter.dns to edit ettercap's DNS table. As shown in the figure, several DNS records mapping website names to IP addresses can be added. The IP address in the figure is the IP of my kali host:
3. Enter the command ettercap -G to start ettercap; its graphical interface pops up automatically. In the toolbar click Sniff -> Unified sniffing, then select eth0 -> OK in the pop-up dialog, i.e. monitor the eth0 network card:
4. Click Hosts -> Scan for hosts in the toolbar to scan the subnet, then click Hosts list to view the live hosts; add the IP of the kali gateway to Target 1 and the IP of the target machine to Target 2:
5. Select Plugins -> Manage the plugins and double-click dns_spoof to select the DNS spoofing plugin:
6. Then click the Start option in the upper left corner to begin sniffing. Now, when you run ping www.mosoteach.cn from the target machine's command line, you will find that the resolved address is the IP address of the attacking machine:
At this time, an access record is also successfully captured on ettercap:
3. Combining the two technologies, use DNS spoof to guide specific visits to impostor websites
Combining the above two techniques, first clone a login page following the steps of Experiment 1, then carry out DNS spoofing following Experiment 2.
Now, entering the URL www.mosoteach.cn on the target machine successfully reaches our impostor website:
To distinguish this from the previous task, try logging in with a different username and password; the attacker obtains these as well:
If we clone the real login page of www.mosoteach.cn, it will be hard for users to notice that they are visiting a phishing website. When a user enters a user name and password, they have no idea that it has been quietly captured by the attacking machine...
3. Practice summary and experience
So stealing passwords is this easy! In the past I thought everything would be fine as long as we didn't click on suspicious links at random, but DNS spoofing is really too hard to defend against. Even if we enter a normal link, the page we land on may already have been hijacked. Therefore we must not only avoid clicking links carelessly, but also pay attention to whether the website we are visiting is a clone. To reduce the chance of being attacked this way, the first step is to stop connecting to public WiFi...