Lab 11 - MFA Bypass via AiTM

📝 Problem Overview

Containerized Hosts

user-browser (victim workstation): The legitimate client system used by the operator to access the industrial web interface. This workstation is the target for credential harvesting and session compromise.
phishing-proxy (AiTM phishing proxy): A malicious service that transparently relays communications between the victim workstation and the legitimate HMI server while capturing authentication credentials and session cookies.
legit-hmi (authorized HMI server): The legitimate HMI system that provides operational control and monitoring services within the industrial environment.
attacker (adversary): The threat actor who deploys and manages the phishing infrastructure in order to conduct credential theft, session hijacking, and access persistence.

📝 Tasks

1️⃣ Access the victim container (user-browser) and open the text-based web browser using the following command: elinks http://phishing.test. The user assumes they are accessing the legitimate HMI system; however, in reality, they are connecting to a spoofed malicious domain engineered to closely resemble the authentic HMI address.
2️⃣ Authenticate using the following credentials: operator (username), otlab123 (password), 000111 (MFA code). After successful authentication, explore the HMI web interface. Do not log out at this stage.
3️⃣ In a separate terminal session, access the attacker container and execute this command: tail -f /loot/cookies.log. The phishing proxy will intercept and log the victim’s session cookie, enabling MFA bypass and session takeover.
4️⃣ Assign the captured session cookie to a variable named COOKIE on the attacker system. Then reuse the cookie to access the application through the phishing proxy: curl -H "Cookie: ihhmsession=$COOKIE" -H "Host: phishing.test" http://172.30.0.20/home -L. Successful access without MFA confirmation is expected.
5️⃣ On the attacker system, test direct access to the authorized HMI server using the stolen cookie: curl -H "Cookie: ihhmsession=$COOKIE" http://legit-hhm:8000/home or curl -H "Cookie: ihhmsession=$COOKIE" -H "Host: legit.test" http://172.30.10.40:8000/home. This step simulates an attack scenario in which an adversary reuses a valid session token directly against the legitimate infrastructure. This technique mirrors attacks commonly observed against SaaS platforms (e.g., Office 365), VPN gateways, and, in this exercise, an OT-ICS system.
6️⃣ Perform a global logout by clicking Log out in the user-browser session. Afterward, attempt to reuse the cookie again from the attacker system: curl -i -H "Cookie: ihhmsession=$COOKIE" -H "Host: phishing.test" http://172.30.0.20/home. The request should be redirected to the login page, indicating the session is invalid. This demonstrates the effectiveness of global logout mechanisms as a defensive control. The attacker would now be required to capture a new session cookie to regain access.

🛠️ Tools

The following tools are available for completing OTLab 11: curl, elinks, and tail.

🔖 Nomenclature

AiTM: Adversary-in-the-middle.
HMI: Human-machine interface.
ICS: Industrial control system.
MFA: Multi-factor authentication.
OT: Operational technology.
SaaS: Software as a service.
VPN: Virtual private network.

📝 RESOLUTION (view content) ▼


      
#!/bin/bash

lab_name="OTLab11"
compose_file="${lab_name}.yml"

# Containers
victim_name="user-browser"
proxy_name="phishing-proxy"
legit_name="legit-hmi"
attacker_name="attacker"

# Images
attacker_image="ubuntu:22.04"

# Networks
flat_net="corp-net" # 172.30.0.0/24
ot_net="ot_net" # 172.30.10.0/26

# ----------------------------------------
# Function to display the banner
show_banner() {                       
    printf "\033[1;33m" # Yellow and bold
    echo " _____ _____ __        _   "
    echo "|     |_   _|  |   ___| |_ "
    echo "|  |  | | | |  |__| .'| . |"
    echo "|_____| |_| |_____|__,|___|"
    printf "\033[1;37m" # White and bold
    printf "Exercise:  11-AiTM MFA Bypass\n"
    printf "Version:   1.0\n"
    printf "Author:    substationworm\n"
    printf "Contact:   in/lffreitas-gutierres\n"
    printf "\033[0m" # Reset all styles
    echo ""
}

# ----------------------------------------
# Function to generate Docker Compose file
generate_compose_file() {
cat > "$compose_file" <<EOF
services:
  $victim_name:
    build: ./UserBrowser
    container_name: $victim_name
    hostname: $victim_name
    networks:
      $flat_net:
        ipv4_address: 172.30.0.10
    extra_hosts:
      - "phishing.test:172.30.0.20"
    command: bash -c "tail -f /dev/null"
  
  $proxy_name:
    build: ./PhishingProxy
    container_name: $proxy_name
    hostname: $proxy_name
    volumes:
      - loot:/loot
    networks:
      $flat_net:
        ipv4_address: 172.30.0.20
      $ot_net:
        ipv4_address: 172.30.10.20
    depends_on:
      - $legit_name
    ports:
      - "8081:80"
  
  $legit_name:
    build: ./LegitHMI
    container_name: $legit_name
    hostname: $legit_name
    networks:
      $ot_net:
        ipv4_address: 172.30.10.40
    environment:
      - FLASK_SECRET=otlab-secret
    ports:
      - "8000:8000"
  
  $attacker_name:
    image: $attacker_image
    container_name: $attacker_name
    hostname: $attacker_name
    networks:
      $flat_net:
        ipv4_address: 172.30.0.30
      $ot_net:
        ipv4_address: 172.30.10.30
    extra_hosts:
      - "phishing.test:172.30.0.20"
      - "legit.test:172.30.10.40"
    volumes:
      - loot:/loot
    stdin_open: true
    tty: true
    command: bash -c "apt update && apt install -y curl && tail -f /dev/null"

networks:
  $flat_net:
    name: $flat_net
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.0.0/24
  $ot_net:
    name: $ot_net
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.10.0/26

volumes:
  loot:
    name: otlab-loot
EOF
}

# ----------------------------------------
# System requirements check
check_requirements() {
    error_flag=0

    if ! command -v docker >/dev/null 2>&1; then
        printf "\033[31m[Error]\033[0m Docker is not installed on this system.\n"
        error_flag=1
    elif ! docker info >/dev/null 2>&1; then
        printf "\033[31m[Error]\033[0m Docker is installed, but not accessible.\n"
        error_flag=1
    fi

    if command -v docker-compose >/dev/null 2>&1; then
        DOCKER_COMPOSE_CMD="docker-compose"
    elif docker compose version >/dev/null 2>&1; then
        DOCKER_COMPOSE_CMD="docker compose"
    else
        printf "\033[31m[Error]\033[0m Docker Compose is not installed.\n"
        error_flag=1
    fi

    if [ "$error_flag" -eq 1 ]; then
        printf "\033[31m✘ The $lab_name system requirements check failed.\033[0m\n"
        exit 1
    fi
}

# ----------------------------------------
# Function to check if a container exists
container_exists() {
    docker ps -a --format '{{.Names}}' | grep -q "^$1$"
}

# ----------------------------------------
# Command handling
case "$1" in
    -start)
        show_banner
        check_requirements
        printf "\033[1;33m[Working]\033[0m Starting $lab_name. . .\n"
        generate_compose_file
        $DOCKER_COMPOSE_CMD -f "$compose_file" up -d --build
        if [ $? -eq 0 ]; then
            printf "\033[32m✔ $lab_name started.\033[0m\n"
        else
            printf "\033[31m✘ $lab_name failed to start.\033[0m\n"
            exit 1
        fi
        ;;
    -stop)
        show_banner
        if container_exists "$victim_name" || container_exists "$proxy_name" || \
           container_exists "$legit_name" || container_exists "$attacker_name"; then
            check_requirements
            printf "\033[1;33m[Working]\033[0m Stopping $lab_name. . .\n"
            $DOCKER_COMPOSE_CMD -f "$compose_file" stop
            printf "\033[32m✔ $lab_name stopped.\033[0m\n"
        else
            printf "\033[34m[Information]\033[0m No containers to stop.\n"
            exit 1
        fi
        ;;
    -clean)
        show_banner
        check_requirements
        printf "\033[1;33m[Working]\033[0m Cleaning up all $lab_name resources. . .\n"
        $DOCKER_COMPOSE_CMD -f "$compose_file" down -v 2>/dev/null
        docker network rm "$flat_net" "$ot_net" 2>/dev/null
        rm -f "$compose_file"
        printf "\033[32m✔ All $lab_name resources removed.\033[0m\n"
        ;;
    -run)
        show_banner
        # Standard: user
        target="${2:-user}"
        case "$target" in
            user) target_name="$victim_name" ;;
            proxy) target_name="$proxy_name" ;;
            hmi) target_name="$legit_name" ;;
            attacker) target_name="$attacker_name" ;;
            *)
                printf "\033[31m[Error]\033[0m Invalid target. Use one of: user|proxy|hmi|attacker\n"
                exit 1
                ;;
        esac

        if container_exists "$target_name"; then
            check_requirements
            printf "\033[1;33m[Working]\033[0m Accessing $target_name terminal. . .\n"
            docker exec -it "$target_name" bash
        else
            printf "\033[31m[Error]\033[0m Container $target_name not found.\n"
            exit 1
        fi
        ;;
    -restart)
        show_banner
        check_requirements
        if [ ! -f "$compose_file" ]; then
            printf "\033[31m[Error]\033[0m Cannot restart: $compose_file not found.\n"
            exit 1
        fi

        printf "\033[1;33m[Working]\033[0m Restarting $lab_name. . .\n"
        $DOCKER_COMPOSE_CMD -f "$compose_file" up -d
        if [ $? -eq 0 ]; then
            printf "\033[32m✔ $lab_name restarted.\033[0m\n"
        else
            printf "\033[31m✘ $lab_name failed to restart.\033[0m\n"
            exit 1
        fi
        ;;
    -status)
        show_banner
        check_requirements
        $DOCKER_COMPOSE_CMD -f "$compose_file" ps
        ;;
    *)
        show_banner
        echo "Usage: $0 -start | -stop | -clean | -run [user|proxy|hmi|attacker] | -restart | -status"
        echo ""
        echo "  -start     Start the $lab_name environment"
        echo "  -run       Open a terminal inside one container (user|proxy|hmi|attacker)"
        echo "  -clean     Remove containers, volumes, and networks"
        echo "  -stop      Stop all containers"
        echo "  -restart   Restart previously stopped containers"
        echo "  -status    Show current containers status"
        exit 1
        ;;
esac

📝 RESOLUTION OFFLINE (view content) ▼


      
#!/bin/bash

lab_name="OTLab11"
compose_file="${lab_name}.yml"

# Containers
victim_name="user-browser"
proxy_name="phishing-proxy"
legit_name="legit-hmi"
attacker_name="attacker"

# Images
victim_image="ews-image-otlab11-user-browser"
proxy_image="ews-image-otlab11-proxy"
legit_image="ews-image-otlab11-legit-hmi"
attacker_image="ews-image-ubuntu04"

# Networks
flat_net="corp-net" # 172.30.0.0/24
ot_net="ot_net" # 172.30.10.0/26

# ----------------------------------------
# Function to display the banner
show_banner() {                       
    printf "\033[1;33m" # Yellow and bold
    echo " _____ _____ __        _   "
    echo "|     |_   _|  |   ___| |_ "
    echo "|  |  | | | |  |__| .'| . |"
    echo "|_____| |_| |_____|__,|___|"
    printf "\033[1;37m" # White and bold
    printf "Exercise:  11-AiTM MFA Bypass\n"
    printf "Version:   1.0-Offline\n"
    printf "Author:    substationworm\n"
    printf "Contact:   in/lffreitas-gutierres\n"
    printf "\033[0m" # Reset all styles
    echo ""
}

# ----------------------------------------
# Function to generate Docker Compose file
generate_compose_file() {
cat > "$compose_file" <<EOF
services:
  $victim_name:
    image: $victim_image
    container_name: $victim_name
    hostname: $victim_name
    networks:
      $flat_net:
        ipv4_address: 172.30.0.10
    extra_hosts:
      - "phishing.test:172.30.0.20"
    command: bash -c "tail -f /dev/null"
  
  $proxy_name:
    image: $proxy_image
    container_name: $proxy_name
    hostname: $proxy_name
    volumes:
      - loot:/loot
    networks:
      $flat_net:
        ipv4_address: 172.30.0.20
      $ot_net:
        ipv4_address: 172.30.10.20
    depends_on:
      - $legit_name
    ports:
      - "8081:80"
  
  $legit_name:
    image: $legit_image
    container_name: $legit_name
    hostname: $legit_name
    networks:
      $ot_net:
        ipv4_address: 172.30.10.40
    environment:
      - FLASK_SECRET=otlab-secret
    ports:
      - "8000:8000"
  
  $attacker_name:
    image: $attacker_image
    container_name: $attacker_name
    hostname: $attacker_name
    networks:
      $flat_net:
        ipv4_address: 172.30.0.30
      $ot_net:
        ipv4_address: 172.30.10.30
    extra_hosts:
      - "phishing.test:172.30.0.20"
      - "legit.test:172.30.10.40"
    volumes:
      - loot:/loot
    stdin_open: true
    tty: true

networks:
  $flat_net:
    name: $flat_net
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.0.0/24
  $ot_net:
    name: $ot_net
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.10.0/26

volumes:
  loot:
    name: otlab-loot
EOF
}

# ----------------------------------------
# System requirements check
check_requirements() {
    error_flag=0

    if ! command -v docker >/dev/null 2>&1; then
        printf "\033[31m[Error]\033[0m Docker is not installed on this system.\n"
        error_flag=1
    elif ! docker info >/dev/null 2>&1; then
        printf "\033[31m[Error]\033[0m Docker is installed, but not accessible.\n"
        error_flag=1
    fi

    if command -v docker-compose >/dev/null 2>&1; then
        DOCKER_COMPOSE_CMD="docker-compose"
    elif docker compose version >/dev/null 2>&1; then
        DOCKER_COMPOSE_CMD="docker compose"
    else
        printf "\033[31m[Error]\033[0m Docker Compose is not installed.\n"
        error_flag=1
    fi

    if [ "$error_flag" -eq 1 ]; then
        printf "\033[31m✘ The $lab_name system requirements check failed.\033[0m\n"
        exit 1
    fi
}

# ----------------------------------------
# Function to check if a container exists
container_exists() {
    docker ps -a --format '{{.Names}}' | grep -q "^$1$"
}

# ----------------------------------------
# Command handling
case "$1" in
    -start)
        show_banner
        check_requirements
        printf "\033[1;33m[Working]\033[0m Starting $lab_name. . .\n"
        generate_compose_file
        $DOCKER_COMPOSE_CMD -f "$compose_file" up -d
        if [ $? -eq 0 ]; then
            printf "\033[32m✔ $lab_name started.\033[0m\n"
        else
            printf "\033[31m✘ $lab_name failed to start.\033[0m\n"
            exit 1
        fi
        ;;
    -stop)
        show_banner
        if container_exists "$victim_name" || container_exists "$proxy_name" || \
           container_exists "$legit_name" || container_exists "$attacker_name"; then
            check_requirements
            printf "\033[1;33m[Working]\033[0m Stopping $lab_name. . .\n"
            $DOCKER_COMPOSE_CMD -f "$compose_file" stop
            printf "\033[32m✔ $lab_name stopped.\033[0m\n"
        else
            printf "\033[34m[Information]\033[0m No containers to stop.\n"
            exit 1
        fi
        ;;
    -clean)
        show_banner
        check_requirements
        printf "\033[1;33m[Working]\033[0m Cleaning up all $lab_name resources. . .\n"
        $DOCKER_COMPOSE_CMD -f "$compose_file" down -v 2>/dev/null
        docker network rm "$flat_net" "$ot_net" 2>/dev/null
        rm -f "$compose_file"
        printf "\033[32m✔ All $lab_name resources removed.\033[0m\n"
        ;;
    -run)
        show_banner
        # Standard: user
        target="${2:-user}"
        case "$target" in
            user) target_name="$victim_name" ;;
            proxy) target_name="$proxy_name" ;;
            hmi) target_name="$legit_name" ;;
            attacker) target_name="$attacker_name" ;;
            *)
                printf "\033[31m[Error]\033[0m Invalid target. Use one of: user|proxy|hmi|attacker\n"
                exit 1
                ;;
        esac

        if container_exists "$target_name"; then
            check_requirements
            printf "\033[1;33m[Working]\033[0m Accessing $target_name terminal. . .\n"
            docker exec -it "$target_name" bash
        else
            printf "\033[31m[Error]\033[0m Container $target_name not found.\n"
            exit 1
        fi
        ;;
    -restart)
        show_banner
        check_requirements
        if [ ! -f "$compose_file" ]; then
            printf "\033[31m[Error]\033[0m Cannot restart: $compose_file not found.\n"
            exit 1
        fi

        printf "\033[1;33m[Working]\033[0m Restarting $lab_name. . .\n"
        $DOCKER_COMPOSE_CMD -f "$compose_file" up -d
        if [ $? -eq 0 ]; then
            printf "\033[32m✔ $lab_name restarted.\033[0m\n"
        else
            printf "\033[31m✘ $lab_name failed to restart.\033[0m\n"
            exit 1
        fi
        ;;
    -status)
        show_banner
        check_requirements
        $DOCKER_COMPOSE_CMD -f "$compose_file" ps
        ;;
    *)
        show_banner
        echo "Usage: $0 -start | -stop | -clean | -run [user|proxy|hmi|attacker] | -restart | -status"
        echo ""
        echo "  -start     Start the $lab_name environment"
        echo "  -run       Open a terminal inside one container (user|proxy|hmi|attacker)"
        echo "  -clean     Remove containers, volumes, and networks"
        echo "  -stop      Stop all containers"
        echo "  -restart   Restart previously stopped containers"
        echo "  -status    Show current containers status"
        echo ""
        echo "[i] Local images required: ews-image-otlab11-user-browser, ews-image-otlab11-proxy, ews-image-otlab11-legit-hmi, and ews-image-ubuntu04"
        exit 1
        ;;
esac

📝 Problem Overview

Containerized Hosts

📝 Tasks

🛠️ Tools

🔖 Nomenclature

Related Content

Lab 01 - Basic OT-ICS Device Detection

Lab 02 - Siemens S7 PLC Emulation

Lab 03 - Service Station Control System Emulation