
CONFIGURATIONS

ipv4.forwarding 1 (ON)

arp_cache_poisoning between VICTIM & D.G. (192.168.1.100 & 192.168.1.1)

**LAN**
   VICTIM:                           192.168.1.100
   ATTACKER:                         192.168.1.105
   DEFAULT GATEWAY:                  192.168.1.1
**WAN**
   NTP SERVERS:                      17.253.52.125
                                     17.253.52.253
                                     17.253.34.125
                                     17.253.34.125

NORMAL BEHAVIOUR OF NTPv4 PROTOCOL

The Mac machine sends an NTPv4 request to one of Apple's NTP servers (NTP pool). As a reply it gets an NTPv4 response with the updated time. The interval between time updates is 15 minutes. Since there are no security checks by default in NTPv4, it is vulnerable to a replay attack.

MALICIOUS BEHAVIOR

The attacker runs a MITM and eavesdrops on the traffic until it gets an NTPv4 request from the VICTIM. Once the request is received, it has to be redirected to the FAKE NTP SERVER running on the ATTACKER's machine, which then replies with a fake time to the VICTIM so that it will update its time.

ISSUES

It could be achieved by using iptables. I am stating this as I have done it before and it was working for me. However, I lost my configurations. Now the situation is that I have tried a few different iptables settings, such as:

iptables -t nat -A PREROUTING -s 192.168.1.100 -p udp --dport 123 -j DNAT --to-destination 192.168.1.105:123

iptables -t nat -A POSTROUTING -j MASQUERADE

FINDINGS

My logging NTP server shows the following log entries:

Sent to 192.168.1.100:55321
Sent to 192.168.1.199:54623

which indicates that NTP requests are being redirected to the FAKE NTP server. However, the FAKE NTP replies are not delivered to the VICTIM as expected.

Another capture is from the Wireshark sniffer.

It shows that the VICTIM sends an NTPv4 request to Apple's NTP server via the ATTACKER's machine, and gets an NTPv4 response back from the same Apple NTP server via the ATTACKER's host.

MY ATTEMPTS

Attempt 1.

iptables -t nat -A PREROUTING -s 192.168.1.100 -p udp --dport 123 -j DNAT --to-destination 192.168.1.105:123

iptables -t nat -A POSTROUTING -p udp -j MASQUERADE

iptables -A OUTPUT -p udp --dport 123 -j DNAT --to-destination 192.168.1.105:123

Notes: It didn't work in the first hour (15 mins + 15 + 15 + 15), and I decided to leave it for the night. When I came back after 7 hours, it appeared to have updated the time as expected. It is very unusual, and definitely something is going wrong. To me, it seems like the FAKE NTP SERVER won a race with the NTP response from Apple's NTP server.

Attempt 2.

I have tried to run the following:

iptables -t nat -A PREROUTING -s 192.168.1.100 -p udp --dport 123 -j DNAT --to-destination 192.168.1.105:123
iptables -t nat -A POSTROUTING -p udp -j MASQUERADE

iptables -A INPUT -s 17.253.0.0/16 -p udp -j DROP

Notes: It didn't work at all, and even the incoming NTP responses from Apple's NTP server weren't blocked.

In the end, I have tried many different scenarios with iptables, and I am seeking your help to feed the VICTIM's machine with my FAKE NTP response packet using iptables, so that it gets its time updates from my FAKE NTP SERVER and not from Apple's NTP pool.

Thank you in advance!

mhibert
  • Lol, why do you want to attack a time update? – Tim_Stewart Jun 11 '18 at 19:32
  • (Think of the certificates, or mechanisms depending on time.) – mhibert Jun 11 '18 at 19:38
  • I don't think certs will be useful to you. (Unless of course you have somehow acquired Apple's old public and private certs.) – Tim_Stewart Jun 11 '18 at 19:43
  • You *mentioned* that you are doing a MITM attack, but, without any explanation, you leave us unsure that you know what you're talking about. What do you expect to happen? Do you expect the victim to send NTP requests to your (attacker) machine? Why? Or do you expect the attacker machine to eavesdrop on the request and send a response that will get back to the victim machine before the response from the real server? Does Wireshark show the attacker machine sending an NTP response? … (Cont'd) – G-Man Says 'Reinstate Monica' Jun 12 '18 at 01:54
  • (Cont'd) … Do you have any evidence that the NTP server on the attacker (MITM) machine is seeing the requests from the victim? (Can you enable logging on the NTP server? Can you run `strace` on it?) Please do not respond in comments; edit your question to make it clearer and more complete. – G-Man Says 'Reinstate Monica' Jun 12 '18 at 01:54
  • It seems to me that the router is intercepting and rewriting the outbound request destination but not the from address, and as the from address is likely in the same subnet as the dest address the answer is being served directly without going through the router. I guess changing this behaviour requires rewriting the from address or modifying the network architecture. – davidgo Dec 31 '18 at 20:04

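The question states that NTPv4 has "no security checks by default" and is therefore open to replay. As an added, defender-side example (not part of the original question or its comments), the script below builds an NTPv4 client request, then validates constructed replies the way a careful client should: the reply's Origin Timestamp must echo the Transmit Timestamp the client sent (the RFC 5905 origin check, which rejects a replayed capture), and the implied clock offset must stay inside a plausibility bound. The packets, the "current" time and the `MAX_ABS_OFFSET` policy value are all constructed assumptions for the demo; nothing is sent on the wire.

```python
"""NTPv4 reply validation (added example, not the original poster's code).

Checks demonstrated on constructed packets:
1. Origin Timestamp must equal the Transmit Timestamp the client sent
   (RFC 5905 origin check): a replayed reply carries a stale value.
2. The computed clock offset must be within MAX_ABS_OFFSET (assumed
   local policy): a reply with the right nonce but a bogus clock is refused.
"""
import os
import struct

NTP_EPOCH_OFFSET = 2208988800     # seconds between 1900-01-01 and 1970-01-01
MAX_ABS_OFFSET = 300.0            # seconds; assumed policy value, not from the RFC
NTP_FMT = "!BBBbII4sQQQQ"         # 48-byte NTPv4 header, no extensions


def to_ntp_ts(unix_time: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp_ts(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(now: float) -> tuple:
    """Client request: LI=0, VN=4, Mode=3. Returns (packet, transmit_ts).

    The Transmit Timestamp doubles as a nonce; randomising its fraction bits
    makes it unguessable to anyone who did not see the request itself.
    """
    xmt = (to_ntp_ts(now) & ~0xFFFFFFFF) | int.from_bytes(os.urandom(4), "big")
    pkt = struct.pack(NTP_FMT, 0x23, 0, 0, 0, 0, 0, b"", 0, 0, 0, xmt)
    return pkt, xmt


def build_response(origin_ts: int, server_time: float, stratum: int = 1) -> bytes:
    """Constructed server reply (Mode=4) used only to exercise the validator."""
    st = to_ntp_ts(server_time)
    return struct.pack(NTP_FMT, 0x24, stratum, 6, -20, 0, 0, b"GPS\0",
                       st, origin_ts, st, st)


def validate_response(pkt: bytes, expected_origin: int,
                      sent_at: float, received_at: float) -> tuple:
    """Return (accepted, reason, offset_seconds_or_None)."""
    if len(pkt) < 48:
        return False, "short packet", None
    flags, stratum, _poll, _prec, _rd, _rdisp, _refid, _ref, org, rec, xmt = \
        struct.unpack(NTP_FMT, pkt[:48])
    if (flags & 0x07) != 4:
        return False, "not a server-mode reply", None
    if stratum == 0:
        return False, "stratum 0 (kiss-o'-death or unsynchronised)", None
    if org != expected_origin:
        # The reply does not answer the request we sent: replayed or blindly spoofed.
        return False, "origin timestamp mismatch (replayed or spoofed reply)", None
    # Standard four-timestamp offset: ((T2 - T1) + (T3 - T4)) / 2
    t1, t2, t3, t4 = sent_at, from_ntp_ts(rec), from_ntp_ts(xmt), received_at
    offset = ((t2 - t1) + (t3 - t4)) / 2
    if abs(offset) > MAX_ABS_OFFSET:
        return False, f"implausible offset {offset:.1f}s", offset
    return True, "ok", offset


def demo() -> dict:
    """Run a genuine exchange, a replayed reply and a bogus-time reply."""
    now = 1_700_000_000.0                       # constructed "current" time
    _req, nonce = build_request(now)
    results = {}
    genuine = build_response(nonce, now + 0.010)
    results["genuine"] = validate_response(genuine, nonce, now, now + 0.020)
    stale_nonce = nonce - (900 << 32)           # reply captured 15 minutes ago
    replay = build_response(stale_nonce, now - 900 + 0.010)
    results["replayed"] = validate_response(replay, nonce, now, now + 0.020)
    bogus = build_response(nonce, now + 86400)  # correct nonce, clock a day ahead
    results["bogus_time"] = validate_response(bogus, nonce, now, now + 0.020)
    return results


if __name__ == "__main__":
    for name, (ok, reason, off) in demo().items():
        print(f"{name:10s} accepted={ok} reason={reason!r} offset={off}")
```

The origin check is what a real client such as the one on the Mac uses to ignore a reply that does not match the request it sent, so a blind replay of an old capture fails. It does not help against an on-path MITM that sees the request and echoes the nonce, which is the situation the question describes; there, only an offset sanity bound as above or cryptographic authentication of the reply (the symmetric-key MAC of RFC 5905, or Network Time Security per RFC 8915) lets the client tell a forged reply from a genuine one.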