
CRAZYKID CEH.

VN PHNG GIO LUYN D

------------oOo---------

Written by Crazykid, using material from whitehat.vn, wikipedia, ispace.

I. Introduction
Today we return to the training program with the topic ARP: attack and defense. This set of materials consists of 2 PDF files and 2 videos.
- PDF: ARP overview and attack forms. This document gives you a clear picture of the ARP packet: its structure, how it works, its strengths and weaknesses, and the 3 attack forms related to this packet. Please read through it. And if you are someone who likes to think things through in depth, study it really carefully :D
- PDF: Introduction, sniffing attacks, phishing. That is this PDF. It briefly summarizes ARP, then presents the sniffer and phishing attack forms.
- 3 videos:
+ windows-sniff
+ Linux-sniff_SSLtrip
+ Phishing

I hope you will pick up a lot of knowledge from this set of materials :D Kid himself, when reading the PDF "ARP overview and attack forms" a while back, got a few good ideas from it :3

II. ARP
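ARP is a protocol found in almost every TCP/IP network. If you read the material from the previous lesson carefully, you will have seen ARP present in both the OSI and the TCP/IP models :D
An entity on the network is identified by its network address alone, without needing a physical address. Data is carried across the network based only on the network address. Only when the data reaches the LAN is the physical address needed to deliver the data to its destination.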

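Example:
The sending machine has the address 128.1.6.7 -> its network address is 128.1
The receiving machine has the address 132.5.8.12 -> its network address is 132.5
The Internet is responsible for using these 2 network addresses to bring the data to network 132.5. Once it reaches network 132.5, the address 8.12 is used to find the actual physical address so the data can be delivered to its destination. This raises a question: since there is already a physical address, why is a network address needed as well?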

The two kinds of address exist for these reasons:

* The 2 addressing systems were developed independently by different organizations.

* A network address is only 32 bits, which saves bandwidth compared with a 48-bit physical address.

* When the machine's network card fails, the physical address is lost with it.

* From the network designer's point of view, it is very efficient for the IP layer to be independent of the layers below it.

As said above, the physical address can be found from the network address. This lookup is performed by the ARP protocol (Address Resolution Protocol). ARP works by maintaining a table that maps IP addresses to physical addresses (this IP-to-MAC table is called the ARP cache). When it is given an IP address, ARP uses this table to find the physical address. If no entry is found, it sends a packet, called an ARP request, containing the IP address onto the LAN. Any machine that receives the ARP request and recognizes the IP address as its own sends back a packet containing its physical address.

In the figure you can see:
- The MAC address of this computer is: 60-36-DD-3E-F2-97
- The IPv4 address of this computer is: 192.168.1.109
- The IPv6 address

These are the elements that let computers recognize each other and exchange information with each other on the network :D

III. Man in the Middle (MITM) attacks

To diagnose a network, administrators can use tools called sniffers, which capture, monitor and analyze the packets on the network. Because of exactly these capabilities, hackers use them to eavesdrop on packets in the network. An attack that eavesdrops on packets inside an internal network in this way is called Man in the Middle (MITM). It is effective on a LAN or an internal wifi network. It cannot be deployed across a WAN, because it is hard to get past the broadcast packet filtering done by the routers at the network nodes.
Today, MITM attacks can take many forms, such as: ARP cache spoofing (which people commonly just call sniffing :D), DNS spoofing, DNS hijacking, phishing combined with a DNS attack, ...
Today I will mainly introduce the sniffing attack (ARP cache spoofing) and phishing combined with DNS poisoning: 2 dangerous and typical attack forms.
1. ARP cache spoofing attack
This is the modern MITM attack form with the oldest origins (sometimes also known as ARP Poison Routing). It allows an attacker (located on the same subnet as the victims) to eavesdrop on all network traffic between the victim machines.
a) Principle
In essence, ARP operation revolves around two packets: an ARP request and an ARP reply. The purpose of the request and the reply is to find the hardware MAC address associated with a given IP address, so that traffic can reach its destination on the network. The request is sent to the devices on the network segment, and in sending it the device says (this is only a personification, to explain it in the easiest way to understand): "Hey, my IP address is XX.XX.XX.XX, my MAC address is XX:XX:XX:XX:XX:XX. I need to send something to someone with the address XX.XX.XX.XX, but I don't know where this hardware address is on my network segment. If anyone has this IP address, please reply with your MAC address!" The response is sent in an ARP reply packet and provides the answer: "Hey, sending device. I am the one you are looking for, with IP address XX.XX.XX.XX. My MAC address is XX:XX:XX:XX:XX:XX."
When this process completes, the sending device updates its ARP cache table and the two devices can communicate with each other.

ARP table spoofing takes advantage of the insecure nature of the ARP protocol. Unlike other protocols, such as DNS (which can be configured to accept only reasonably secure dynamic updates), devices using the Address Resolution Protocol (ARP) accept updates at any time. This means that any device can send an ARP reply packet to another computer, and that computer will immediately update its ARP cache table with the new value. Sending an ARP reply when no request has been made is called sending a gratuitous ARP. When these gratuitous ARP replies reach the computers that sent a request, the requesting computer believes it has found the party it was looking for to communicate with, when in reality it is communicating with an attacker.
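The behaviour described above can be watched for passively. The following is an added example, not part of the original material: it parses Ethernet/ARP frames, remembers which requests are outstanding, and flags replies that nobody asked for as well as changes in an IP-to-MAC binding. The gateway address 192.168.1.1 and every MAC except the one shown in the figure are constructed sample values.

```python
import socket
import struct

REQUEST, REPLY = 1, 2

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (oper, frame[22:28].hex(":"),
            socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42]))

class ArpMonitor:
    """Passive watcher: flags replies nobody asked for and IP-to-MAC changes."""
    def __init__(self):
        self.bindings = {}    # sender IP -> MAC last seen
        self.pending = set()  # (requester IP, requested IP) awaiting a reply

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        oper, mac, ip, target_ip = parsed
        alerts = []
        if oper == REQUEST:
            self.pending.add((ip, target_ip))
        elif oper == REPLY:
            if (target_ip, ip) in self.pending:
                self.pending.discard((target_ip, ip))
            else:
                alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        known = self.bindings.get(ip)
        if known is not None and known != mac:
            alerts.append(f"binding changed: {ip} {known} -> {mac}")
        self.bindings[ip] = mac
        return alerts

# Constructed sample frames (not a real capture). Fields: dst, src, ethertype,
# ARP header, sender MAC, sender IP, target MAC, target IP.
HOST, GW_IP, HOST_IP = "6036dd3ef297", "c0a80101", "c0a8016d"
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    f"ffffffffffff {HOST} 0806 0001080006040001 {HOST} {HOST_IP} 000000000000 {GW_IP}",
    f"{HOST} 001122334455 0806 0001080006040002 001122334455 {GW_IP} {HOST} {HOST_IP}",
    f"{HOST} 02aabbccddee 0806 0001080006040002 02aabbccddee {GW_IP} {HOST} {HOST_IP}",
)]

def run_sample():
    monitor = ArpMonitor()
    return [monitor.observe(f) for f in SAMPLE_FRAMES]
```

A legitimate gratuitous ARP (a host announcing itself after boot or an address failover) also triggers the first alert, so the binding-change alert is the stronger signal.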

b) Attack tools (sniffers)

On Windows: Cain & Abel, ettercap, Network Associates Sniffer ...
On Linux: ettercap, driftnet, Dsniff ...
c) Attack
- On Windows and Linux: please watch the video on sniffing on Windows and the video on sniffing on Linux.

d) Defense
- Regularly monitor the network (not feasible, because nobody has the patience to do that for a personal network).
This approach includes the following techniques: using ping, using ARP, using DNS, using source-route, setting a trap (decoy), and checking packet latency. Contact kid if you want to learn more.
- Hard-code the ARP cache by setting static MAC entries (more feasible, but somewhat inconvenient).
One way to protect against the insecurity inherent in ARP requests and ARP replies is to make the process less dynamic. This is an option because Windows computers allow you to add static entries to the ARP cache. You can view the ARP cache of a Windows computer by opening a command prompt and typing the command arp -a.

You can add entries to this list with the command arp -s <IP ADDRESS> <MAC ADDRESS>.
In cases where your network configuration rarely changes, you can create a list of static ARP entries and deploy them to the clients through an automated script. This ensures that the devices always rely on their local ARP cache instead of on ARP requests and ARP replies.
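One way to build the automated script mentioned above, as an added example that is not part of the original material: it parses the output of arp -a, compares it with an inventory of verified addresses, reports mismatches, and generates the arp -s commands to pin the verified entries. The inventory and the arp -a sample are constructed values.

```python
import re

# Inventory verified out of band (constructed values): IP -> MAC.
TRUSTED = {"192.168.1.1": "00-11-22-33-44-55", "192.168.1.20": "00-11-22-33-44-66"}

# Constructed sample of Windows `arp -a` output, not taken from a real host.
SAMPLE_ARP_A = """\
Interface: 192.168.1.109 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-aa-bb-cc-dd-ee     dynamic
  192.168.1.20          00-11-22-33-44-66     dynamic
  192.168.1.77          02-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$", re.I)

def parse_arp_table(text):
    """Return [(ip, mac, type)] rows from `arp -a` output, skipping header lines."""
    matches = (ROW.match(line) for line in text.splitlines())
    return [(m[1], m[2].lower(), m[3].lower()) for m in matches if m]

def audit(rows, trusted):
    """Compare the live cache with the inventory; return (findings, fix_commands)."""
    findings, fixes, owners = [], [], {}
    for ip, mac, kind in rows:
        if mac == "ff-ff-ff-ff-ff-ff":      # broadcast entry, not a host
            continue
        owners.setdefault(mac, []).append(ip)
        want = trusted.get(ip, "").lower()
        if not want:
            continue                         # host not in the inventory
        if mac != want:
            findings.append(f"{ip}: cache has {mac}, inventory says {want}")
        if mac != want or kind != "static":
            fixes.append(f"arp -s {ip} {want}")   # pin the verified MAC
    for mac, ips in owners.items():
        if len(ips) > 1:                     # one MAC answering for several IPs
            findings.append(f"{mac} claims several IPs: {', '.join(ips)}")
    return findings, fixes

def run_sample():
    return audit(parse_arp_table(SAMPLE_ARP_A), TRUSTED)
```

In the sample, the gateway address resolving to the same MAC as another host is the pattern a poisoned cache shows.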
Note: a few classic questions:
1. I often play games at the internet café and see my friends use netcut to cut my connection. What kind of attack is this? Is it related to ARP?
Yes. This is a form of flooding that uses ARP. Please read the file "ARP overview and attack forms".
2. So what should I do when they cut me off, and how do I get back to playing?
Please read the Netcut appendix.
3. Sniffing in practice yields no results, because nowadays people access the web over HTTPS.
We have a tool called SSLstrip. We use it to turn HTTPS into HTTP and attack.

2. Phishing
The phishing technique was described in detail in 1987, and the first records with the term "Phishing". The word Phishing is a combination of 2 words: Fish/Fishing and Phreaking. Fishing originally means catching fish, but here it is understood as fishing for users' information. On the other hand, its nature is also close to the Phreaking style of attack (hackers replaced the letter F with Ph to form "phishing" because the pronunciation is similar). Phreaking was first made known by the hacker John Draper (alias Captain Crunch), who used the Blue Box to attack the telephone system in the US in the early 1970s in order to make free long-distance calls or to use other people's phone lines for illegal calls. It is also called Phone Phreaking.

a) Nature
In a phishing attack we create a fake web page whose interface and everything else look like the web site holding the information we want to obtain, for example facebook.com. We create a website that resembles the facebook.com login page as closely as possible. Then, by some means, the user is tricked into visiting this page and logging in. The user is then still redirected to the real Facebook, without knowing that their password has been sent to, or stored for, the attacker.
A phishing attack can take place on a LAN, a WAN, or even out on the internet. :D
Whether a phishing attack succeeds depends above all on: the victim's lack of awareness, and the attacker's skill at deception.
For a phishing attack to succeed, several techniques have to be combined.
b) Combining phishing with DNS poisoning
DNS cache poisoning, also called DNS spoofing, is a type of attack that exploits vulnerabilities in the Domain Name System (DNS) to redirect Internet traffic away from legitimate servers and toward fake ones. One of the reasons DNS poisoning is so dangerous is that it can spread from DNS server to DNS server.
A DNS cache poisoning attack can be deployed on a LAN, a WAN or the internet.
Combining phishing with DNS poisoning means that DNS poisoning is used to redirect the user's access from the normal site to the phishing site prepared in advance.
c) Attack
Please watch the Phishing video :D
The video shows an attack combining phishing with DNS poisoning in a LAN environment :D The S.E.T toolkit is used to create the phishing page. The video was made by Danny from CEH việt. It is the video intended for use in a presentation at TT University :D Kid may add a few details to it later ;)

Besides the video, you can also read Danny's Phishing appendix to learn more :D

For any questions, or if your practice does not succeed, please contact KID :D
After this article, when he has free time, kid will show you some videos of sniffing and phishing attacks at a slightly higher level, made by kid, for everyone's reference :D
