15-laboratoriya ishi arp poisoning tarmoq xujumi tahlili

Laboratoriya ishining bajarilish tartibi

Download 390,24 Kb.

bet	2/3
Sana	15.06.2023
Hajmi	390,24 Kb.
	#951556

1 2 3

Bog'liq
15-Laboratoriya ishi

15.3. Laboratoriya ishining bajarilish tartibi

15.3.1. Biz hujum uchun Cain&Abel dasturidan foydalaniladi, lekin avval H1 xostidagi va ATTACKER dagi ARP jadvallari ko'rib chiqiladi:

H1 ARP-jadvali

15.2-rasm
ATTACKER ARP-jadvali

15.3-rasm
15.3.2. Cain&Abel-ni ishga tushirib, sniffer yoqiladi va translyatsiya domenidagi barcha xostlar qo'shiladi:

15.4-rasm

15.3.3. ARP yorlig'iga o'tib, + ni bosiladi va biz trafik ushlab turadigan shlyuz manzili va xost tanlanadi:

15.5-rasm
15.3.4. Biz ARP-Snooping tugmasi bosiladi va H1 xostidagi ARP jadvali o'zgartirish jarayoni boshlandi:

15.6-rasm

15.3.5. H1 xostidagi ARP jadvali qanday o'zgargani ko'rib chiqiladi:

15.7-rasm
MAC manzili o`zgargani IP 192.168.1.1 o'rniga ko'rinadi.
15.3.6. H1 xostida putty dasturi ishga tushiriladi va GATEWAY ga xavfsiz telnet protokoli orqali kirishga harakat qilinadi. Telnet protokoli ma'lumotlarni oddiy matnda uzatganligi sababli, snifferdagi tajovuzkor (attacker) barcha kerakli ma'lumotlarni, ya'ni login va parol ni ko'rishi kerak. Bunda kiriladi va login/parol ni kiritiladi va parol yoqiladi:

15.8-rasm
15.3.7. ATTACKER snifferda parollar sahifasida ba'zi ma'lumotlar qo'lga olinganga o'xshap ko`rinadi:

15.9-rasm
15.3.8. Ushbu yozuv ko'rib chiqiladi va quyidagi tarkibning matni ko'riladi:
============================================
=== Cain's Telnet sniffer generated file ===
============================================
яы яы яэ яэ
User Access Verification
Username: яы яы яы яы'яэ яы яэ яъ P яряю яъ яряю'яэ яъ XTERMяряы$яю$admin
Password: cisco
Router>eennaa
Password: Cisco
Telnet paroli ushlandi.
15.3.9. Tarmoqni bunday hujumlardan qanday himoya qilish kerak. Bunda yordamga Dynamic ARP Inspection (DAI) vositasi keladi.
Dynamic ARP Inspection (DAI) ARP so'rovlarini tartibga solish uchun mo'ljallangan, ya'ni qaysilarini o'tkazib yuborishni va qaysilarini bekor qilishni hal qiladi. Dynamic ARP Inspection (DAI) tarmoqni ARP protokolining ishonchsizligi tufayli bog'lanish darajasida yuzaga keladigan ARP-spoofing hujumidan to'liq himoya qiladi.
Dynamic ARP Inspection (DAI) mexanizm ishlashi uchun tarmoqda DHCP dan foydalanish kerak va kalitda DHCP Snooping yoqilgan bo'lishi kerak. Agar tarmoq statik manzillashdan foydalansa, dynamic ARP Inspection (DAI) ishlamaydi.
DHCP snooping qanday ishlaydi. Aytaylik, bizda DHCP serveri GATEWAY ga o'rnatilgan. Buzg'unchi (ATTACKER) DHCP serverini o'rnatishga va uning ba'zi manzillarini tarqatishga qaror qildi. Ishonchsiz va ishonchli portlar mavjud. GATEWAY ga olib boradigan portga ishonchli port tayinlaymiz, chunki u biz bilan vakolatli DHCP server bo'ladi. Boshqa barcha portlar ishonchsiz bo'ladi va ulardan server so'rovlari o'chiriladi:
15.3.10. Bu DCHP snooping ma'lumotlar bazasi manzillarini xaritalash jadvalini yaratadi. SW kalitida DHCP snooping funksiyasi yoqiladi:
ip dhcp snooping vlan 1
ip dhcp snooping database flash:/dhcp-snoop.db
ip dhcp snooping

15.10-rasm

15.3.11. Portda GATEWAY tomon qarab port sozlamasi:

SW(config-if)# ip dhcp snooping trust

15.3.12. Nima bo'lgani ko'rib chiqiladi:

SW#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs: 1
DHCP snooping is configured on the following Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface Trusted Rate limit (pps)
— — — FastEthernet1/0/47 yes unlimited

15.3.13. Yozishmalar jadvalida nima paydo bo'lgani ko'rib chiqiladi:

SW#sh ip dhcp snooping ulanishi
MacAddress IpAddress Lease(sek) VLAN interfeysi turi
— — — E8:03:9A:BE:0C:D8 192.168.1.50 26268 dhcp-snooping 1 FastEthernet1/0/13
50:B7:C3:78:B4:1A 192.168.1.10 69421 dhcp-snooping 1 FastEthernet1/0/1
Bog'lanishlarning umumiy soni: 2

15.3.14. Agar tajovuzkor DHCP serveriga aylanishni xohlasa, uning kaliti so'rovlarni rad etadi.

Barcha MAC va IP manzillarining yozishmalarini o'z ichiga olgan DHCP snooping ma'lumotlar bazasiga asoslanib, Dynamic ARP Inspection mexanizmi ishlaydi.
1.3.15. Cisco kalitida ushbu vosita har bir VLAN uchun alohida yoqilgan. Bu holatda, SW kalitiga buyruq berish kifoya:
SW(config)#ip arp inspection vlan 1
15.3.16. Ikkala xost ham, shlyuz ham VLAN 1 da joylashgan. DAI da kommutator portlari uchun ikkita sozlama mavjud: Ishonchli va Ishonchsiz. Odatiy bo'lib, barcha portlarni Ishonchsiz qilib almashtiriladi. Shlyuzga boradigan port yoki magistralga boshqa kalit ulangan port ishonchli bo'lishi mumkin, keyin u orqali kelgan ARP so'rovlari ishonchli hisoblanadi.
SW(config-if)#ip arp inspection trust
15.3.17. Endi hujumni boshidan takrorlanadi. Cain&Abel orqali ARP-Snoopingni amalga oshirishga uriniladi. Hujum muvaffaqiyatsiz tugadi va almashtirish jurnallarida quyidagi yozuvlar paydo bo'ladi:
18:11:19: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 1.([50b7.c378.b41a/192.168.1.10/0000.0000.0000/192.168.1.1/18:11:19 UTC Mon Mar 1 1993])
18:11:19: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 1.([50b7.c378.b41a/192.168.1.10/001d.4641.02b4/192.168.1.1/18:11:19 UTC Mon Mar 1 1993])
18:11:19: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/13, vlan 1.([e803.9abe.0cd8/192.168.1.1/50b7.c378.b41a/192.168.1.10/18:11:19 UTC Mon Mar 1 1993])
18:11:19: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/13, vlan 1.([e803.9abe.0cd8/192.168.1.10/001d.4641.02b4/192.168.1.1/18:11:19 UTC Mon Mar 1 1993])
18:11:21: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 1.([50b7.c378.b41a/192.168.1.10/001d.4641.02b4/192.168.1.1/18:11:21 UTC Mon Mar 1 1993])
18:11:21: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/13, vlan 1.([e803.9abe.0cd8/192.168.1.1/50b7.c378.b41a/192.168.1.10/18:11:21 UTC Mon Mar 1 1993])
18:11:21: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/13, vlan 1.([e803.9abe.0cd8/192.168.1.10/001d.4641.02b4/192.168.1.1/18:11:21 UTC Mon Mar 1 1993])
18:11:24: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 1.([50b7.c378.b41a/192.168.1.10/001d.4641.02b4/192.168.1.1/18:11:24 UTC Mon Mar 1 1993])
18:11:25: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 1.([50b7.c378.b41a/192.168.1.10/001d.4641.02b4/192.168.1.1/18:11:25 UTC Mon Mar 1 1993])

15.3.18. Kalit "yomon" arp so'rovlarini bekor qiladi. Endi hujumchi hech narsani ushlab tura olmaydi.

Qo'shimcha DAI tekshiruvi yoqiladi:
SW(config)#errdisable recovery cause arp-inspection
Ushbu parametr 300 soniyadan so'ng port va xato bo'lgan holatlarni tiklaydi. Agar, albatta, ushbu portda MAC-IP nomuvofiqligi davom etsa, u holda port tiklanmaydi.
15.3.19. Buyruq yordamida ishonchli va ishonchsiz portlar va statistikani ko'rish mumkin:
SW#show ip arp inspection interfaces

Download 390,24 Kb.

Do'stlaringiz bilan baham:

1 2 3