MITM redirecting to my own NTP server, blocking traffic to Apple NTP pool
CONFIGURATIONS
ipv4.forwarding 1 (ON)
arp_cache_poisoning between VICTIM & D.G. (192.168.1.100 & 192.168.1.1)
**LAN**
VICTIM: 192.168.1.100
ATTACKER: 192.168.1.105
DEFAULT GATEWAY: 192.168.1.1
**WAN**
NTP SERVERS: 17.253.52.125
17.253.52.253
17.253.34.125
17.253.34.125
NORMAL BEHAVIOUR OF NTPv4 PROTOCOL
A Mac machine sends an NTPv4 request to one of Apple's NTP servers (NTP pool). As a reply it gets an NTPv4 response with the updated time. The interval between time updates is 15 minutes. Since there are no security checks by default in NTPv4, it is vulnerable to a replay attack.
MALICIOUS BEHAVIOR
The attacker runs a MITM and eavesdrops on the traffic until it sees an NTPv4 request from the VICTIM. Once the request is received, it has to be redirected to the FAKE NTP SERVER running on the ATTACKER's machine, which then replies with a fake time to the VICTIM so that it will update its time.
ISSUES
It could be achieved by using iptables. I am stating this as I have done it before and it was working for me. However, I lost my configuration. Now the situation is that I have tried a few different iptables settings such as:
```
iptables -t nat -A PREROUTING -s 192.168.1.100 -p udp --dport 123 -j DNAT --to-destination 192.168.1.105:123
iptables -t nat -A POSTROUTING -j MASQUERADE
```
FINDINGS
My logging NTP server shows the following log:
```
Sent to 192.168.1.100:55321
Sent to 192.168.1.199:54623
```
which indicates that NTP requests are being redirected to the FAKE NTP server. However, the FAKE NTP replies are not delivered to the VICTIM as expected.
Another capture is from Wireshark sniffer.
It shows that the VICTIM sends an NTPv4 request to Apple's NTP server via the ATTACKER's machine, and gets an NTPv4 response back from the same Apple NTP server via the ATTACKER's host.
MY ATTEMPTS
Attempt 1.
```
iptables -t nat -A PREROUTING -s 192.168.1.100 -p udp --dport 123 -j DNAT --to-destination 192.168.1.105:123
iptables -t nat -A POSTROUTING -p udp -j MASQUERADE
iptables -A OUTPUT -p udp --dport 123 -j DNAT --to-destination 192.168.1.105:123
```
***notes
It didn't work in the first hour (15 min + 15 + 15 + 15), so I decided to leave it for the night. When I came back after 7 hours, it appeared to have updated the time as expected. It is very unusual, and something is definitely going wrong. To me, it seems like the FAKE NTP SERVER won a race against the NTP response from Apple's NTP server.
Attempt 2.
I have tried to run the following:
```
iptables -t nat -A PREROUTING -s 192.168.1.100 -p udp --dport 123 -j DNAT --to-destination 192.168.1.105:123
iptables -t nat -A POSTROUTING -p udp -j MASQUERADE
iptables -A INPUT -s 17.253.0.0/16 -p udp -j DROP
```
***notes
It didn't work at all, and even the incoming NTP responses from Apple's NTP servers weren't blocked.
In the end, I have tried many different scenarios with iptables, and I am seeking your help, guys, to feed the VICTIM's machine with my FAKE NTP response packet so that it gets its time updates from my FAKE NTP SERVER, not Apple's NTP pool, using iptables.
Thank you in advance!
networking firewall iptables ntp man-in-the-middle
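The question's "normal behaviour" section states that NTPv4 has no security checks by default and is open to replay, and the Wireshark finding shows the victim still accepting the genuine reply. The block below is an added example, not code from the question, from Apple, or from any NTP implementation: a minimal NTPv4 header parser plus the client-side sanity checks described in RFC 5905 (the "bogus packet" origin-timestamp test and a panic threshold on the claimed time step) that a client such as ntpd applies before trusting a reply. The pool addresses are taken from the question; the packets, the attacker source address and the "current" clock value are constructed inline, so it runs offline.

```python
"""Added example (not from the question): parse NTPv4 packets and apply the
client-side sanity checks from RFC 5905 that reject the replayed or forged
replies the question describes.  All packets and the 'current time' below
are constructed; only the pool addresses are taken from the question."""
import struct

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 to 1970-01-01
NTP_FMT = "!BBbbII4sQQQQ"          # 48-byte NTPv4 header (RFC 5905, figure 8)
MODE_CLIENT, MODE_SERVER = 3, 4
PANIC_THRESHOLD = 1000.0           # ntpd's default: refuse clock steps larger than this


def to_ntp(unix_seconds):
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds . 32-bit fraction)."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def parse(packet):
    """Decode the fixed NTPv4 header into a dict (extension fields/MAC ignored)."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    f = struct.unpack(NTP_FMT, packet[:48])
    return {
        "li": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": f[1], "poll": f[2], "precision": f[3],
        "root_delay": f[4], "root_disp": f[5], "ref_id": f[6],
        "ref": f[7], "org": f[8], "rec": f[9], "xmt": f[10],
    }


def build(mode, xmt, org=0, rec=0, stratum=0, version=4):
    """Construct a minimal NTPv4 packet; poll/precision/root fields are nominal."""
    li_vn_mode = (version << 3) | mode
    return struct.pack(NTP_FMT, li_vn_mode, stratum, 6, -20, 0, 0,
                       b"\x00\x00\x00\x00", 0, org, rec, xmt)


def vet_response(request, response, src_ip, allowed_servers, now):
    """Return the reasons a client should discard `response` (empty == accept).

    `request` is the packet the client itself sent; `now` is the client's clock.
    """
    req, rsp = parse(request), parse(response)
    problems = []
    # The source address is only a weak check: an on-path attacker can spoof it.
    if src_ip not in allowed_servers:
        problems.append(f"unexpected source {src_ip}")
    if rsp["mode"] != MODE_SERVER:
        problems.append(f"mode {rsp['mode']} is not a server reply")
    if rsp["stratum"] == 0:
        problems.append("stratum 0 (kiss-o'-death, not a usable time source)")
    # RFC 5905 'bogus packet' test: the reply's origin timestamp must echo the
    # transmit timestamp of the request we just sent.  A replayed reply (or one
    # forged before our request went out) carries a stale or wrong value here.
    if rsp["org"] != req["xmt"]:
        problems.append("origin timestamp does not match our request (replay/bogus)")
    # Sanity check on the claimed time: a jump beyond the panic threshold is
    # refused rather than applied, which blunts a 'fake time' reply.
    offset = from_ntp(rsp["xmt"]) - now
    if abs(offset) > PANIC_THRESHOLD:
        problems.append(f"claimed time is {offset:+.0f}s from local clock, beyond panic threshold")
    return problems


def demo():
    """Constructed exchange: one genuine reply, one replayed reply, one forged reply."""
    now = 1_528_800_000.0   # constructed client clock (mid-June 2018)
    pool = {"17.253.52.125", "17.253.52.253", "17.253.34.125"}  # addresses from the question
    request = build(MODE_CLIENT, xmt=to_ntp(now))

    genuine = build(MODE_SERVER, stratum=1, org=to_ntp(now),
                    rec=to_ntp(now + 0.010), xmt=to_ntp(now + 0.011))
    # A reply captured 15 minutes earlier and re-sent: its origin field echoes
    # the old request, so the bogus test catches it even though the time it
    # carries is well inside the panic threshold.
    replayed = build(MODE_SERVER, stratum=1, org=to_ntp(now - 900),
                     rec=to_ntp(now - 899.99), xmt=to_ntp(now - 899.98))
    # A reply forged by an on-path host: it echoes our transmit timestamp, so the
    # bogus test passes, but it claims a clock two days ahead and (here) arrives
    # from the attacker address in the question rather than a pool address.
    forged = build(MODE_SERVER, stratum=1, org=to_ntp(now),
                   rec=to_ntp(now + 172_800), xmt=to_ntp(now + 172_800))

    return {
        "genuine": vet_response(request, genuine, "17.253.52.125", pool, now),
        "replayed": vet_response(request, replayed, "17.253.52.125", pool, now),
        "forged": vet_response(request, forged, "192.168.1.105", pool, now),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:9s}: {'accepted' if not problems else '; '.join(problems)}")
```

The origin-timestamp test is the reason a straight replay of an earlier Apple reply is rejected by a conforming client even though NTPv4 carries no authentication: the reply must echo the 64-bit transmit timestamp of the request that is currently outstanding. The panic threshold is the second line of defence against a forged reply that does echo it. Neither check helps against an on-path host that answers the live request with a plausible time, which is why the real mitigation for that case is authenticated time (symmetric-key NTP or NTS), not address filtering.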
Lol, why do you want to attack a time update?
– Tim_Stewart
Jun 11 '18 at 19:32
(Think of the certificates, or mechanisms depending on time.)
– mhibert
Jun 11 '18 at 19:38
I don't think certs will be useful to you. (Unless of course you have somehow acquired Apple's old public and private certs.)
– Tim_Stewart
Jun 11 '18 at 19:43
You mentioned that you are doing a MITM attack, but, without any explanation, you leave us unsure that you know what you're talking about. What do you expect to happen? Do you expect the victim to send NTP requests to your (attacker) machine? Why? Or do you expect the attacker machine to eavesdrop on the request and send a response that will get back to the victim machine before the response from the real server? Does Wireshark show the attacker machine sending an NTP response? … (Cont'd)
– G-Man
Jun 12 '18 at 1:54
(Cont'd) … Do you have any evidence that the NTP server on the attacker (MITM) machine is seeing the requests from the victim? (Can you enable logging on the NTP server? Can you run `strace` on it?) Please do not respond in comments; edit your question to make it clearer and more complete.
– G-Man
Jun 12 '18 at 1:54
edited Jun 12 '18 at 4:30 by mhibert
asked Jun 11 '18 at 19:22 by mhibert