
Student(s) Name and ID:____________

Please highlight your answer with a different color.

Lab – SSH
Part 1
In this part you will learn how to use Wireshark to view the Application Layer (Layer 7) traffic between your
targets. Please set up one machine as a telnet server and log in to it from the client machine, sniffing the
traffic with Wireshark on the ettercap attacker. Find the username and password.

Now have the client log in using ssh. Can you find the username and password now?

Show the telnet username and password in the Wireshark pcap, and show the equivalent pcap for the ssh
login.

Check Point 1:
CP1a: telnet username and password in pcap:

CP1b: ssh pcap:

Part 2
Resource 1: SSH downgrade attack using a pre-defined filter

Resource 2: SSH MitM downgrade

Common error in this part of the lab: "Protocol major versions differ: 1 vs. 2" (the ssh client prints this when it does not support the protocol version being offered to it, so the connection is refused rather than downgraded).

Obviously, it is dangerous to use cleartext authentication over the network. Because of this, telnet is
being replaced by ssh as a remote login service. As you should know, ssh encrypts traffic over the
network. However, some ssh servers are vulnerable to man-in-the-middle attacks if they support the ssh-1
protocol, which has been broken. When a client and server attempt to use encryption, they first perform a
negotiation to agree on which protocol version and encryption algorithms to use, because they may not have
the same updates. Ettercap tries to force the connection down to ssh-1, which succeeds if ssh-1 is enabled on
the server. We will try that next.
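As an added example (not part of the original lab handout, and not ettercap's or OpenSSH's code), the following Python script audits the SSH version exchange that opens every SSH session, the negotiation you are asked to locate in your pcap. Each side sends an identification string of the form "SSH-protoversion-softwareversion SP comments CR LF" (RFC 4253); a server that advertises "1.99" accepts both SSH-1 and SSH-2, and a negotiated major version below 2 means the broken SSH-1 protocol is in use. The session pairs and software names below are constructed, not captured from the lab network.

```python
"""Audit the SSH version exchange (RFC 4253 section 4.2) for SSH-1 exposure.

Each SSH session opens with both sides sending an identification string:
    SSH-protoversion-softwareversion SP comments CR LF
"1.99" is the RFC's way of advertising support for both SSH-1 and SSH-2.
All banners and sessions in this file are constructed sample data.
"""
import re

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

VERDICT_OK = "ok"
VERDICT_WARN = "WARN: server still offers SSH-1; disable protocol 1 on the server"
VERDICT_ALERT = "ALERT: session negotiated SSH-1; treat the credentials as exposed"
VERDICT_REFUSED = "refused: protocol major versions differ"


def parse_banner(line):
    """Return (protoversion, software, comments), or None if not an SSH banner."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return m.group("proto"), m.group("software"), m.group("comments") or ""


def negotiated_major(client_proto, server_proto):
    """Major protocol version the two sides settle on, or None if incompatible.

    A side advertising "1.99" speaks both versions and follows its peer;
    otherwise the two majors must simply agree.
    """
    c_major = int(client_proto.split(".")[0])
    s_major = int(server_proto.split(".")[0])
    if server_proto == "1.99":
        return c_major
    if client_proto == "1.99":
        return s_major
    return c_major if c_major == s_major else None


def audit_session(client_banner, server_banner):
    """Classify one TCP session from the two banners seen on the wire."""
    client = parse_banner(client_banner)
    server = parse_banner(server_banner)
    if client is None or server is None:
        return {"verdict": "not-ssh"}
    major = negotiated_major(client[0], server[0])
    if major is None:
        verdict = VERDICT_REFUSED   # the "Protocol major versions differ" case
    elif major < 2:
        verdict = VERDICT_ALERT     # SSH-1 actually in use on this session
    elif server[0] == "1.99":
        verdict = VERDICT_WARN      # SSH-2 this time, but SSH-1 is still on offer
    else:
        verdict = VERDICT_OK
    return {"client": client[0], "server": server[0],
            "server_software": server[1], "verdict": verdict}


# Constructed (client banner, server banner) pairs, one per session.
SAMPLE_SESSIONS = [
    ("SSH-2.0-OpenSSH_9.3", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3"),
    ("SSH-2.0-PuTTY_Release_0.78", "SSH-1.99-OpenSSH_5.3"),
    ("SSH-1.5-OpenSSH_3.9p1", "SSH-1.99-OpenSSH_5.3"),
    ("SSH-2.0-OpenSSH_9.3", "SSH-1.5-OpenSSH_3.9p1"),
]


def audit_all(sessions=SAMPLE_SESSIONS):
    """Audit every (client, server) banner pair and return the verdicts."""
    return [audit_session(c, s) for c, s in sessions]


if __name__ == "__main__":
    for result in audit_all():
        print(result)
```

The banners are the first line each side sends after the TCP handshake, so you can read them straight out of a Wireshark "Follow TCP Stream" view and feed them to audit_session. On the defending side, a server that never advertises "1.99" (SSH-1 disabled, which is the default on every current sshd) cannot be downgraded no matter what an attacker rewrites in transit; the WARN verdict is the finding to chase.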

Perform a MITM attack between the server we are logging in to and our client machine. 

Log in to the ssh server with your client, capturing the traffic with Wireshark. Take a look and make sure that it
is indeed encrypted. Try to figure out where in the exchange the negotiation of the encryption method occurs.

Ettercap has a predefined configuration file for creating a filter for the SSH downgrade attack: 

/usr/share/ettercap/etter.filter.ssh 

Take a look at it. 

On the command line, cd into the directory in which this file resides. Compile the file to create the filter
with the following command:  
#etterfilter etter.filter.ssh -o etter_filter_ssh_co

Start a MITM attack on your target host and the server. 

Refer to Appendix A and the website www.openmaniak.com for the following topics:

what is ettercap?
ARP poisoning
Man in the Middle (MITM) attack
statistics
countermeasures

Load the filter from the menu: 

Filters -> Load a filter...


Select the compiled file you created:  

etter_filter_ssh_co

Use PuTTY to log in to the ssh server from a Windows machine, using this configuration.

Look at the message window in ettercap. Behold the username and password. Take a look at the
Wireshark pcap. Find out where ettercap downgraded the encryption.

Please show the ssh username and password in the ettercap message window, and the ssh downgrade
portion of your pcap.

Check Point 2:
CP2a: username and password in ettercap message window:

CP2b: show ssh downgrade in wireshark:

APPENDIX A

NOTE: If you cannot generate ARP traffic to view in Wireshark because the ARP cache is already fully populated,
you have a couple of options:

1. Use arp-scan, a tool for generating and manipulating ARP traffic.
   syntax: arp-scan --interface=eth0 target-machine
2. Clear the ARP cache of your Kali machine and then create traffic between Kali and other hosts on the LAN.
   syntax: ip -s -s neigh flush all

If you need help with wireshark, take a look at the wireshark wiki.

Look at the ARP table of the client:

#arp -n (use the man page for arp to see what the -n option does)

Write the output, which shows the contents of the ARP table, to a file for later study:

#arp -n > arp.txt

Start ettercap on the attacking machine (Backtrack):

#ettercap -G

Choose sniff mode, selecting the correct interface when offered a choice:

Sniff -> Unified sniffing 

Next we want to do a scan to find out which hosts are on our LAN:

Hosts -> Scan for hosts 


You will see the MAC and IP addresses of the hosts on your LAN.

Next we will perform ARP poisoning. If you do not choose targets, the default is to poison all the ARP
caches on the LAN. This is overkill, easier to trace, and will cause performance degradation if there are
more than a few hosts on the LAN, so we don't want to do that. Choose two targets by selecting each and
clicking on an "Add to Target" button. Go to the menu and check that the targets are correct.

Targets -> Current Targets 

Start the ARP poisoning:

Mitm -> Arp poisoning 

Choose "sniff remote connections"

Start the sniffer:

Start -> Start sniffing
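The appendix has you save the client's ARP table with "arp -n > arp.txt" before the attack. As an added example (not part of the original handout and not code from ettercap or arpwatch), the Python script below compares such a saved snapshot against a later one and reports the two signatures of ARP cache poisoning: an IP whose hardware address changed, and one MAC answering for several IPs. It assumes the Linux net-tools "arp -n" column layout (Address, HWtype, HWaddress, Flags Mask, Iface); both snapshots below are constructed sample text, not output from the lab network.

```python
"""Compare two `arp -n` snapshots and flag signs of ARP cache poisoning.

Assumes the Linux net-tools output format:
    Address   HWtype   HWaddress   Flags Mask   Iface
Entries without a resolved MAC ("(incomplete)") are skipped.
Both snapshots below are constructed sample data.
"""
import re

ARP_LINE_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<hwtype>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?=\s|$)",
    re.IGNORECASE,
)

# Constructed: the client's table before the lab (what arp.txt would hold).
BASELINE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   00:11:22:33:44:01   C                     eth0
10.0.0.20                ether   00:11:22:33:44:20   C                     eth0
10.0.0.66                ether   00:11:22:33:44:66   C                     eth0
"""

# Constructed: the same table while a third host's MAC answers for everyone.
CURRENT_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   00:11:22:33:44:66   C                     eth0
10.0.0.20                ether   00:11:22:33:44:66   C                     eth0
10.0.0.66                ether   00:11:22:33:44:66   C                     eth0
10.0.0.99                        (incomplete)                              eth0
"""


def parse_arp_table(text):
    """Return {ip: mac} from `arp -n` output, MACs normalised to lower case."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE_RE.match(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_poisoning(baseline, current):
    """Return IPs whose MAC changed and MACs that now claim more than one IP."""
    changed = {
        ip: (baseline[ip], current[ip])
        for ip in baseline
        if ip in current and baseline[ip] != current[ip]
    }
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    duplicate_macs = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return {"changed": changed, "duplicate_macs": duplicate_macs}


def report(baseline_text=BASELINE_ARP, current_text=CURRENT_ARP):
    """Parse both snapshots and return the findings as one dict."""
    return find_poisoning(parse_arp_table(baseline_text), parse_arp_table(current_text))


if __name__ == "__main__":
    findings = report()
    for ip, (old, new) in findings["changed"].items():
        print(f"MAC for {ip} changed: {old} -> {new}")
    for mac, ips in findings["duplicate_macs"].items():
        print(f"{mac} claims {len(ips)} addresses: {', '.join(ips)}")
```

In the lab, take the baseline on the client before starting ettercap, take a second snapshot while the attack runs, and pass both files' contents to report(). A gateway whose MAC changes, or one MAC answering for several IPs, is exactly what ARP monitors such as arpwatch alarm on; the usual countermeasures are static entries for critical hosts (arp -s) and DHCP snooping with dynamic ARP inspection on managed switches.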
