Network Attacks Lab

-------------------------------------------------------------------------------------------------------

Many of these attacks will work on both WIRED and WIRELESS targets.
You can use any of:

1) Ubuntu Desktop WIRED, or
2) Boot BackTrack Desktop WIRED, or
3) Boot BackTrack on your Notebook WIRELESS

The three tools we will try are:

dsniff tools, ettercap, and aircrack

-------------------------------------------------------------------------------------------------------

DSNIFF

1 -- % dsniff

Let's run %dsniff, and see if we sniff any passwords
or password hashes during this lab.

a) open a Terminal window in your secondary Workspace
b) in that Terminal just type:

dsniff

Just leave it running in that window.
We'll come back and look at this window at the end of the lab.

2 -- % macof

("macof" stands for "MAC OverFlow...").
Let's flood the lookup table of the switch and see if we start
to see more traffic. First we want to launch a traffic analysis
tool, such as %iptraf, to see what the normal traffic rate is.

a) run iptraf, select monitor mode for your main interface

iptraf

b) leave that running in a window
c) open another window and run

macof

d) did you start seeing a lot more TCP connections
in the iptraf window? __________________________________

3 -- % arpspoof

a) Pick 2 machines in your group for this exercise.
Machine #1 is the VICTIM
Write down the IP Address of Machine #1 ___________________
Visit the Website http://www.cnn.com/
Look at your ARP Cache. ( arp -a, or ip neigh show )
What is the MAC Address of the Gateway? ___________________

b) Machine #2 is the Attacker
-- Install/Start APACHE on Machine #2
-- Change the Default Webpage on Machine #2 to say: "Owned by Group #"
This is probably the file /var/www/html/index.html
-- Check your webpage with a browser so you know it is working.

c) figure out what the IP Address of the Default Gateway
is on your network. Example: netstat -r -n
The default route should start with 0.0.0.0, followed by the Gateway IP address.

d) Attack Machine #1 from Machine #2
(arpspoof takes the target to poison with -t, then the host whose address to claim)

arpspoof -t VICTIM-IP GW-IP-Address

e) now have the VICTIM connect to http://www.cnn.com/

Did they see your webpage? _____________________________

f) Have the VICTIM look at the ARP Cache.
What is the MAC Address of the Gateway now? ____________________

If this attack does not work, try it one more time.

-------------------------------------------------------------------------------------------------------

ETTERCAP

1 -- % ettercap MITM #1

Let's see if we can run a Man-In-The-Middle Attack.
For this exercise, we need three machines: 2 Victims
and 1 Attacker. Write down the IP Addresses:

a) IP of VICTIM #1 _________________________________________
b) IP of VICTIM #2 _________________________________________
c) IP of ATTACKER ________________________________________

Run a sniffer on the ATTACKER machine to watch for traffic,
ex.

tshark -n -i eth0
or
wireshark

d) try the attack

ettercap -T -M arp /victim1/ /victim2/

e) now have VICTIM1 send traffic to VICTIM2,
for example, on VICTIM1 say:

telnet

f) Did you see the traffic on the ATTACKER machine? ________________

2 -- % ettercap MITM #2

Keep your traffic sniffer running on the attack machine.
Let's try another attack with ettercap.

a) IP of VICTIM _________________________________
b) IP of GATEWAY ______________________________

ettercap -T -M arp:remote /VICTIM-IP/ /GATEWAY-IP/

c) Try some remote traffic on the VICTIM, ex. http://www.cnn.com/

d) Do you see the traffic on the ATTACKER machine? ____________________

e) Add the plugin option (the -M switch is still required to run the MITM)

ettercap -T -P repoison_arp -M arp:remote /VICTIM-IP/ /GATEWAY-IP/

Try it again.

-------------------------------------------------------------------------------------------------------

AIRCRACK

Let's try and knock someone off of their AP connection.
We'll send deauthentication management frames to disassociate them from their AP.

a) select a wireless VICTIM
b) what is the wireless MAC Address of the VICTIM ____________________
c) what is the wireless MAC Address of the AP _____________________
(Just have the victim look at %iwconfig output)
d) Launch the attack (-a is the AP's BSSID, -c is the client to deauthenticate):

aireplay-ng -0 1 -a AP-MAC -c VICTIM-MAC [interface]

NOTE: the MAC notation is: 00:11:22:33:44:55

e) did the VICTIM lose connection during the attack??? _________________


--- END
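The DSNIFF and ETTERCAP sections have the victim watch the iptraf window and check the ARP cache by hand to see whether the flood and the poisoning worked. As an added example (not part of the lab handout, and not code from the dsniff or ettercap projects), here is the same check done by a monitor sitting on the switch segment: it parses raw Ethernet frames with the standard library only, counts distinct source MACs in a sliding window to catch a macof-style table flood, and learns IP-to-MAC bindings from ARP replies so that a reply rebinding the gateway IP (what arpspoof and ettercap -M arp send) raises an alert. Every MAC and IP address in it is constructed, and the class names, thresholds and the demo() traffic are assumptions of this example.

```python
"""Wired-segment monitor for the macof / arpspoof / ettercap exercises (added example).

Standard library only; all addresses and the traffic in demo() are constructed.
"""
import struct
from collections import deque

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_OP_REPLY = 2


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))


def parse_ethernet(frame):
    """Split a raw Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype, frame[14:]


def parse_arp(payload):
    """Parse an Ethernet/IPv4 ARP packet (hardware length 6, protocol length 4)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet II + ARP reply, the shape both a real host and a poisoner send."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, ARP_OP_REPLY,
                      mac_bytes(sender_mac), ip_bytes(sender_ip), mac_bytes(target_mac), ip_bytes(target_ip))
    return struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP) + arp


class SegmentMonitor:
    """Flags MAC-table flooding and ARP rebinding of known IPs (the gateway especially)."""

    def __init__(self, gateway_ip, flood_window=2.0, flood_threshold=50):
        self.gateway_ip = gateway_ip
        self.flood_window = flood_window        # seconds of history kept for the flood check
        self.flood_threshold = flood_threshold  # distinct source MACs that count as a flood
        self.recent = deque()                   # (timestamp, src_mac) for frames in the window
        self.bindings = {}                      # ip -> mac learned from ARP replies
        self.flooding = False                   # fire once per flood episode, not once per frame

    def observe(self, ts, frame):
        """Feed one frame with its capture timestamp; returns a list of alert strings."""
        _dst, src, ethertype, payload = parse_ethernet(frame)
        alerts = self._check_flood(ts, src)
        if ethertype == ETHERTYPE_ARP:
            alerts += self._check_arp(parse_arp(payload), src)
        return alerts

    def _check_flood(self, ts, src):
        self.recent.append((ts, src))
        while self.recent and ts - self.recent[0][0] > self.flood_window:
            self.recent.popleft()
        distinct = len({mac for _, mac in self.recent})
        if distinct > self.flood_threshold and not self.flooding:
            self.flooding = True
            return ["MAC flood: %d distinct source MACs in %.0fs" % (distinct, self.flood_window)]
        if distinct <= self.flood_threshold:
            self.flooding = False
        return []

    def _check_arp(self, arp, eth_src):
        alerts = []
        if arp["op"] != ARP_OP_REPLY:
            return alerts
        if arp["sha"] != eth_src:  # malformed reply: ARP sender disagrees with the frame source
            alerts.append("ARP sender %s differs from Ethernet source %s" % (arp["sha"], eth_src))
        known = self.bindings.get(arp["spa"])
        if known is None:
            self.bindings[arp["spa"]] = arp["sha"]  # first sighting: learn it (trust on first use)
        elif known != arp["sha"]:
            label = "GATEWAY " if arp["spa"] == self.gateway_ip else ""
            alerts.append("%sARP rebinding: %s was %s, now claimed by %s" % (label, arp["spa"], known, arp["sha"]))
        return alerts


def demo():
    """Constructed traffic: a genuine gateway reply, a poisoned one, then a macof-style burst."""
    mon = SegmentMonitor(gateway_ip="10.0.0.1")
    victim_mac, victim_ip = "00:11:22:33:44:55", "10.0.0.20"
    gateway_mac, attacker_mac = "00:aa:bb:cc:dd:01", "00:de:ad:be:ef:02"
    alerts = mon.observe(0.0, build_arp_reply(gateway_mac, "10.0.0.1", victim_mac, victim_ip))
    alerts += mon.observe(0.5, build_arp_reply(attacker_mac, "10.0.0.1", victim_mac, victim_ip))
    for i in range(60):  # 60 IPv4 frames from 60 different source MACs inside one second
        src = "02:00:00:00:%02x:%02x" % (i // 256, i % 256)
        frame = struct.pack("!6s6sH", mac_bytes(victim_mac), mac_bytes(src), ETHERTYPE_IPV4) + b"\x00" * 46
        alerts += mon.observe(1.0 + i / 100.0, frame)
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real host you would replace demo() with frames read from a pcap file or an AF_PACKET socket and tune the two flood parameters to the segment's normal population; the binding table is trust-on-first-use, so start the monitor before the exercise, which is also why the lab has the victim record the gateway MAC before the attack. Port security (a per-port MAC limit) on the switch and static ARP entries or dynamic ARP inspection are the corresponding mitigations for the two attacks.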
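The AIRCRACK exercise ends with the victim noticing a dropped connection. As an added example (not from the aircrack-ng project or the lab handout), this monitor does what a wireless IDS does on the air: it decodes the 802.11 management header of captured frames, counts deauthentication and disassociation frames per BSSID in a sliding window, and alerts on a burst, which is how the aireplay-ng -0 flood above looks from the defender's side. The frames in demo() are constructed 802.11 frames without a radiotap header; the addresses, window and threshold are assumptions of this example.

```python
"""Deauthentication-burst monitor for the AIRCRACK exercise (added example).

Standard library only; the frames in demo() are constructed 802.11 frames, no radiotap header.
"""
import struct
from collections import defaultdict, deque

TYPE_MGMT = 0
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def parse_80211_header(frame):
    """Decode the 24-byte 802.11 MAC header; fields are little-endian per the standard."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, _fc1, _duration, a1, a2, a3, _seq = struct.unpack("<BBH6s6s6sH", frame[:24])
    return {
        "type": (fc0 >> 2) & 0x3,      # frame control bits 2-3
        "subtype": (fc0 >> 4) & 0xF,   # frame control bits 4-7
        "addr1": mac_str(a1),          # receiver
        "addr2": mac_str(a2),          # transmitter
        "addr3": mac_str(a3),          # BSSID for management frames
        "body": frame[24:],
    }


def build_mgmt_frame(subtype, receiver, transmitter, bssid, reason):
    """Constructed deauth/disassoc frame: header plus the 2-byte reason code body."""
    fc0 = (subtype << 4) | (TYPE_MGMT << 2)
    header = struct.pack("<BBH6s6s6sH", fc0, 0, 0,
                         mac_bytes(receiver), mac_bytes(transmitter), mac_bytes(bssid), 0)
    return header + struct.pack("<H", reason)


class DeauthMonitor:
    """Counts deauth/disassoc frames per BSSID in a sliding window and alerts on a burst."""

    def __init__(self, window=1.0, threshold=10):
        self.window = window              # seconds
        self.threshold = threshold        # frames per BSSID per window still considered normal
        self.events = defaultdict(deque)  # bssid -> deque of (ts, receiver, reason)
        self.alerted = set()              # BSSIDs already reported for the current burst

    def observe(self, ts, frame):
        """Feed one captured frame with its timestamp; returns an alert string or None."""
        hdr = parse_80211_header(frame)
        if hdr["type"] != TYPE_MGMT or hdr["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            return None
        if len(hdr["body"]) < 2:
            return None
        reason = struct.unpack("<H", hdr["body"][:2])[0]
        bssid = hdr["addr3"]
        q = self.events[bssid]
        q.append((ts, hdr["addr1"], reason))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len(q) > self.threshold and bssid not in self.alerted:
            self.alerted.add(bssid)
            receivers = ", ".join(sorted({r for _, r, _ in q}))
            return "deauth storm on BSSID %s: %d frames in %.1fs, receivers %s, last reason %d" % (
                bssid, len(q), self.window, receivers, reason)
        if len(q) <= self.threshold:
            self.alerted.discard(bssid)
        return None


def demo():
    """Constructed capture: one ordinary station-leaving deauth, then a two-way flood."""
    ap, client = "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55"
    mon = DeauthMonitor(window=1.0, threshold=10)
    # reason 3: station is leaving; a single frame like this is normal roaming, not an alert
    alerts = [mon.observe(0.0, build_mgmt_frame(SUBTYPE_DEAUTH, ap, client, ap, reason=3))]
    for i in range(32):  # flood: frames to the client in the AP's name and to the AP in the client's name
        ts = 5.0 + i / 128.0
        alerts.append(mon.observe(ts, build_mgmt_frame(SUBTYPE_DEAUTH, client, ap, ap, reason=7)))
        alerts.append(mon.observe(ts, build_mgmt_frame(SUBTYPE_DEAUTH, ap, client, ap, reason=7)))
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

To run it on a real capture, feed it the 802.11 frames from a monitor-mode interface with the radiotap header stripped; grouping on addr3 catches both directions of the flood because the forged frames carry the AP's BSSID either way. The mitigation on the network side is 802.11w management frame protection, under which an AP and client that both support it discard unauthenticated deauthentication frames.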