20155201 Network Attack and Defense Technology Experiment Seven Network Fraud Prevention
1. Practical content
- Simple application of SET tool to create a fake website.
- ettercap DNS spoof.
- Combining the two technologies, use DNS spoof to guide specific visits to impostor websites.
2. Contents of the report:
1. Answers to basic questions
1) What scenarios are usually vulnerable to DNS spoof attacks?
When your computer and the attacking machine are in the same network segment, for example connected to the same wireless network.
2) How to prevent the above two attack methods in daily work?
After opening a web page, look at the URL in the address bar. I remember seeing a fake Taobao address in the news before: it only changed the order of the characters in the original Taobao URL, yet it could obtain the user's username and password and steal money... Also clear the DNS cache regularly.
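As an added example (not part of the original report), a small Python check for the address-bar advice above: it accepts a URL only when its host is the expected site itself or a subdomain of it, and rejects bare IP addresses such as the one the cloned page lives at, `user@host` disguises, and look-alike names. The expected domain `example.edu` and all URLs below are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

def normalized_host(url):
    """Return the lowercase hostname of url without userinfo, port or trailing dot."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""   # .hostname drops user:pass@, :port and lowercases
    return host.rstrip(".")

def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def url_matches_site(url, expected_domain):
    """True only if the URL's host is expected_domain or a subdomain of it.

    Bare IP hosts and look-alike names (reordered letters, the real domain used
    as a prefix of an attacker-controlled one) return False.
    """
    host = normalized_host(url)
    expected = expected_domain.lower()
    if not host or is_ip_literal(host):
        return False
    return host == expected or host.endswith("." + expected)

if __name__ == "__main__":
    # Constructed URLs: the first is the lab's cloned login page at a bare IP.
    for u in ("http://192.168.200.83/cas/login",
              "https://cas.example.edu/cas/login",
              "http://example.edu@10.211.55.5/cas/login",
              "https://example.edu.evil.test/login"):
        print(f"{u:45} -> {'ok' if url_matches_site(u, 'example.edu') else 'SUSPICIOUS'}")
```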
2. Practice summary and experience
This experiment was done by following the blogs of seniors and classmates, but I ran into a lot of problems and tried many things, which can be regarded as accumulating experience and building psychological resilience... Every experiment seems to tell me which loopholes to pay attention to so as not to be attacked by others. Now I feel very vigilant, haha, but I still need to learn more.
3. Record of practice process
- Simple application of SET tool to build a fake website
- ettercap DNS spoof
- Combining the two technologies, use DNS spoof to guide specific visits to impostor websites.
Simple application of SET tool to build a fake website
- Change the port that the SET tool uses to the default port 80, and use the command `sudo vi /etc/apache2/ports.conf` to edit the Apache port file, making sure the port is 80.
- Open a terminal and check whether any process is occupying port 80: `netstat -tupln | grep 80`. If a process shows up, end it with `kill <PID>`, then check again; once port 80 is confirmed free, go to the next step.
- Start the Apache service with `service apache2 start`.
- Open another terminal and enter `setoolkit` to start the SET tool.
- Select
1 Social-Engineering Attacks
->2 Website Attack Vectors
->3 Credential Harvester Attack Method
->2 Site Cloner
- Enter the attacker's IP address: 10.211.55.5
- Enter the URL of the website to clone. I tried Baidu first; it could be reached, but it was frustrating that no keystrokes were recorded.
- If the prompt `Do you want to attempt to disable Apache?` appears, enter y, and Apache is shut down.
- Enter the URL of the Academic Affairs Office website instead: http://192.168.200.83/cas/login. Note that this page has a login form where a student number can be entered, which makes the keystroke recording work.
- The Url Shortener tool can be used to disguise Kali's IP as a URL that does not look like an IP address at first sight...
- Enter the disguised address in the target machine's browser address bar; the attacking machine shows a prompt that a connection was received.
- Enter the username and password on the target machine; the attacking machine obtains all the records.
ettercap DNS spoof
- Use the command `ifconfig eth0 promisc` to switch the Kali network card to promiscuous mode; running `ifconfig` again shows whether `[PROMISC]` appears in the eth0 entry.
- Enter the command `vi /etc/ettercap/etter.dns` to modify the DNS cache table. As shown in the figure, add several DNS records mapping the website names to an IP; the IP address in the figure is my Kali host's IP: 10.211.55.5.
- Use the command `service apache2 start` to start Apache. It had not been started before, and sniffing kept failing: the resolved address was still cnblogs' own IP.
- Enter the command `ettercap -G` to start ettercap; its graphical interface pops up automatically.
- In the toolbar click Sniff -> unified sniffing, then select eth0 in the pop-up window, i.e. monitor the eth0 network card.
- In the toolbar click Hosts -> Scan for hosts to scan the subnet, then click Hosts list to view the active hosts. Add the IP of the Kali gateway (GW) to target1 and the target machine's IP to target2.
- Select Plugins -> Manage the plugins and double-click dns_spoof to select the DNS spoofing plugin; it is marked with * when enabled.
- On the XP command line, `ping www.cnblogs.com` shows that the resolved address has become Kali's address, 10.211.55.5.
- At the same time, ettercap successfully captured an access record.
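As an added example (not part of the original report), a Python check for the indicators this practice leaves on the victim's side: an external name such as www.cnblogs.com answering with a LAN address, an answer that differs from a trusted resolver, and several unrelated external names pinned to one LAN address, which is what an etter.dns table produces. The baseline addresses, the internal zone `example.edu` and the honestly answered entries are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the original report). OBSERVED is what the
# victim's resolver answered after the lab's dns_spoof run; BASELINE is what a
# trusted resolver, queried out of band, answers for the same names.
OBSERVED = {
    "www.cnblogs.com": "10.211.55.5",     # spoofed to the Kali host, as in the report
    "www.baidu.com": "10.211.55.5",       # second name pinned to the same host
    "cas.example.edu": "192.168.200.83",  # constructed: internal login service
    "www.example.net": "23.45.67.89",     # constructed: answered honestly
}
BASELINE = {
    "www.cnblogs.com": "45.67.89.10",     # constructed placeholder addresses
    "www.baidu.com": "77.88.99.100",
    "www.example.net": "23.45.67.89",
}
INTERNAL_ZONES = ("example.edu",)  # zones that may legitimately answer with LAN addresses

def in_zone(name, zones):
    """True if name is one of the zones or a label-boundary subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def non_routable(ip):
    """Private (RFC 1918), loopback or link-local address."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local

def check_answers(observed, baseline, internal_zones=INTERNAL_ZONES):
    """Return (name, ip, reason) findings; an empty list means no indicator fired."""
    findings = []
    names_by_ip = defaultdict(set)
    for name, ip in observed.items():
        if non_routable(ip) and not in_zone(name, internal_zones):
            findings.append((name, ip, "external name resolved to a LAN address"))
        if name in baseline and baseline[name] != ip:
            findings.append((name, ip, f"differs from trusted resolver ({baseline[name]})"))
        names_by_ip[ip].add(name)
    # An etter.dns table pins every listed name to one attacker address; several external
    # names on one LAN address is the tell (shared public addresses are normal for CDNs).
    for ip, names in names_by_ip.items():
        external = sorted(n for n in names if not in_zone(n, internal_zones))
        if len(external) > 1 and non_routable(ip):
            findings.append((",".join(external), ip, "several external names pinned to one LAN address"))
    return findings

if __name__ == "__main__":
    for name, ip, reason in check_answers(OBSERVED, BASELINE):
        print(f"{name:32} {ip:16} {reason}")
```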
Combining the two technologies, using DNS spoof to guide specific visits to impostor websites
- Combining the two techniques above: first clone a login page following the steps of practice 1, then implement DNS spoofing as in practice 2, and enter the URL www.baidu.com on the target machine (Windows XP). It turns out we have successfully reached our impostor website:
- As you can see, the username and password are captured.
- In this experiment, to tell them apart, the spoofed domain name and the phishing website are two different URLs. If the domain name used were the URL of the Academic Affairs Office, I don't know how many students' passwords would be recorded, and the student status information would be compromised.
PS: Practice 2 kept having problems before, which was quite embarrassing. When doing practice 3, I first tried the order practice 1 then practice 2, but the result was not good, because one step in practice 1 shuts down the Apache service, after which DNS spoofing and sniffing do not succeed. Changing the order to practice 2 first and then practice 1 succeeded.