Circumventing Security Lecture 14 November 15, 2000


Page 1: Circumventing Security

Circumventing Security

Lecture 14, November 15, 2000

Page 2: Circumventing Security

Some Terms

Spoofing - an active security attack where one machine masquerades as another.

Sniffing - use of the network interface to receive data not intended for the host machine in which the interface resides.

Exploit - a documented bug/hole in the software that usually allows a user to remotely or locally gain access to the machine.

Page 3: Circumventing Security

Types of Attacks

The different types of attacks can be divided into two categories:

– Local (physical) attacks: less common; more difficult to determine if compromised.

– Remote attacks: more common; generally easier to determine if compromised.

Many attacks are a combination of both a local and a remote attack!

Page 4: Circumventing Security

Simple Local Attacks

Removing a computer from service:
– Turning off the power
– Unplugging a computer
– Cutting or unplugging a network connection

Attacking a computer from the terminal:
– Using known exploits at the keyboard to access the machine.
– Removing a screensaver password: reboot and change it before the screensaver turns on.

Page 5: Circumventing Security

Common Remote Attacks

Most remote exploits have a common “path”:
1. Use a known exploit to gain remote access to the machine (BIND, FTPD).
2. Download a copy of the /etc/passwd file.
3. Run a password cracking program on the local machine until the root password is compromised.
4. Gain access to the machine (telnet, ssh, exploit, etc).
5. Change to the root user with the cracked password.

Page 6: Circumventing Security

Spoofing Attacks

Spoofing attacks are a combination of both local and remote attacks.

– Hardware address spoofing
– ARP spoofing
– IP route spoofing
  – ICMP spoofing
  – RIP spoofing
  – Other protocol spoofing
– DNS spoofing
– TCP/IP datagram spoofing

Page 7: Circumventing Security

Hardware Address Spoofing

Most software does not modify the source field in an Ethernet frame leaving the interface.

When a packet is received on Ethernet, the source address is assumed to be valid.

However, most NICs have the ability to use software-controlled hardware addresses, so an address can be faked.

– 01-01-01-01-01-01 or 12-34-56-78-90-AB, for example.

Consider the possibility of one machine trusting a secure connection based on the hardware address!

Page 8: Circumventing Security

Hardware Spoofing (cont.)

Consider the functionality of a bridge:
1. A packet from machine A on segment 1 arrives at the bridge, destined for machine B on segment 2.
2. The bridge will modify the source address of the packet to C and then send it to machine B on segment 2.

The A/B combination is transformed to C/B.

Page 9: Circumventing Security

Hardware Spoofing (cont.)

Since a bridge is basically a PC, all PCs have the ability to modify Ethernet frames.

Trusting a machine based only on the hardware address is NOT recommended!

Page 10: Circumventing Security

ARP Spoofing

Most ARP spoofing incidents are accidental rather than intentional!

If two machines have the same IP address, they will both respond to the same ARP request!

Depending on the operating system, one of two things could happen:

– The slowest (last) ARP reply to arrive will be cached until the ARP entry expires.

– The first ARP reply to arrive will be cached, and any further ARP replies will be ignored (until the ARP entry expires).

Page 11: Circumventing Security

ARP Spoofing (cont.)

The attacker's ARP reply will therefore have to arrive either first or last, depending on which target system they are trying to compromise.

Page 12: Circumventing Security

ARP Spoofing (cont.)

An attacker has a few options to ARP spoof:
– Turn off the legitimate machine and use its IP address:
  – Power it down locally
  – Shut it down remotely (in Unix, halt)
  – Throw the circuit breaker for that machine, etc.
– Reconfigure the target machine with a new IP address, and hijack the old one for the attacker's machine.

Page 13: Circumventing Security

Preventing ARP Spoofing

The true target of an ARP spoof is the machine one is attempting to deceive, not the machine whose address is hijacked!

1. Stop using ARP! All shares based on IP addresses should use permanent entries in the ARP cache.

2. Use an ARP server (but the server can still be deceived!)
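The two cache behaviours on slide 10 and the "one IP, two answers" symptom behind them can be made concrete with a small detector. The following is an added example, not part of the lecture: it replays constructed ARP-reply log lines (the `<time> <ip> is-at <mac>` format, the addresses, and the pinned `STATIC_ARP` table are all made up for the demonstration) through a first-wins and a last-wins cache, reports IP addresses answered by more than one hardware address, and flags replies that contradict a permanent entry of the kind slide 13 recommends.

```python
from collections import defaultdict

# Constructed ARP-reply log ('<time> <ip> is-at <mac>'), not real traffic.
# 192.168.1.10 is answered by two different MACs, the duplicate-address
# situation from slide 10; 192.168.1.30 contradicts a pinned entry.
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.10 is-at 00:11:22:33:44:55
10:00:02 192.168.1.20 is-at 00:11:22:33:44:66
10:00:03 192.168.1.10 is-at 00:11:22:33:44:55
10:00:04 192.168.1.10 is-at de:ad:be:ef:00:01
10:00:05 192.168.1.30 is-at 00:11:22:33:44:77
10:00:06 192.168.1.30 is-at de:ad:be:ef:00:02
"""

# Constructed permanent (static) ARP entries, as slide 13 recommends.
STATIC_ARP = {"192.168.1.30": "00:11:22:33:44:77"}


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) for each well-formed reply line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "is-at":
            yield parts[0], parts[1], parts[3].lower()


def cache_after(text, policy):
    """Simulate the two cache behaviours on slide 10.

    policy 'first': the first reply is cached and later ones are ignored;
    policy 'last':  every later reply overwrites the entry.
    """
    cache = {}
    for _, ip, mac in parse_arp_log(text):
        if policy == "last" or ip not in cache:
            cache[ip] = mac
    return cache


def find_conflicts(text):
    """Return {ip: [macs]} for every IP answered by more than one MAC."""
    seen = defaultdict(list)
    for _, ip, mac in parse_arp_log(text):
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def static_violations(text, static=STATIC_ARP):
    """Return (timestamp, ip, mac) for replies that contradict a pinned entry.

    A host with a permanent entry never acts on these replies, but logging
    them still reveals that something else is answering for that IP.
    """
    return [(ts, ip, mac) for ts, ip, mac in parse_arp_log(text)
            if ip in static and static[ip] != mac]


if __name__ == "__main__":
    print("first-wins cache:", cache_after(SAMPLE_ARP_LOG, "first"))
    print("last-wins cache: ", cache_after(SAMPLE_ARP_LOG, "last"))
    print("conflicts:", find_conflicts(SAMPLE_ARP_LOG))
    print("static violations:", static_violations(SAMPLE_ARP_LOG))
```

Run against the sample, the two policies end up with different MACs for 192.168.1.10, which is exactly why slide 11 says the attacker's reply must arrive first on one kind of system and last on the other; a monitor that watches for an IP changing hardware address catches both cases regardless of which policy the host uses.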

Page 14: Circumventing Security

Route Spoofing

Route spoofing is where one attempts to redirect IP datagrams to a location that is not the true destination.

Route spoofing, like ARP spoofing, can lead to a Denial of Service (DoS) attack.

Denial of Service - some action taken to prevent a target machine from properly communicating (sending, receiving, or both) with the network.

Page 15: Circumventing Security

Route Spoofing (cont.)

With sophisticated software, one can use route spoofing and ARP spoofing together to give the illusion that the network is functioning properly, while removing the target machine from the communication!

If two routers exist on a network, only one can be the default router.

Page 16: Circumventing Security

Route Spoofing (cont.)

Here’s how a route spoof can occur:
1. A machine always sends a transmission to the default router first.
2. If the default router is not the best choice for the transmission, it sends an ICMP redirect message back to the host on the same network segment, and forwards the datagram to the appropriate router.
3. The redirect message basically says “it would be best to send datagrams to a router with IP address A.B.C.D for network W.X.Y.Z”.
4. The host machine updates its routing table so it doesn’t make the mistake again.

Page 17: Circumventing Security

ICMP-Based Route Spoofing

A machine can create ICMP redirect messages and send them to any other machine in the network!

– The routing table could be made unusable: a DoS attack.
– A machine could send an ICMP redirect with its own IP address and pose as a router, thereby filtering ALL traffic!

The simplest way to avoid ICMP redirect spoofing is to disable ICMP redirect messages, in both the hosts and the routers! But if you keep ICMP redirects, one could validate the redirect source address as another level of security.
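On a Linux host the two pieces of advice on this slide map onto a handful of sysctl keys, so the setting can be audited rather than assumed. The following is an added example, not part of the lecture: it parses text in `sysctl -a` format and reports every redirect-related key that is enabled or missing. The key names are real Linux sysctls (`accept_redirects`, `send_redirects`, and `secure_redirects`, the last of which accepts redirects only from gateways already in the routing table and so corresponds to the slide's "validate the redirect source"); the `WEAK` and `HARDENED` outputs are constructed samples.

```python
# Linux sysctl keys that govern ICMP redirect handling. A value of 1 enables
# the behaviour; the text gives the slide-17 risk it corresponds to.
REDIRECT_KEYS = {
    "net.ipv4.conf.all.accept_redirects": "host rewrites its routing table on any redirect",
    "net.ipv4.conf.default.accept_redirects": "new interfaces will accept redirects",
    "net.ipv4.conf.all.send_redirects": "host emits redirects (only routers should)",
    "net.ipv4.conf.default.send_redirects": "new interfaces will emit redirects",
}

# secure_redirects=1 is the 'validate the redirect source' option from the
# slide: accept redirects only from gateways already in the routing table.
SECURE_KEY = "net.ipv4.conf.all.secure_redirects"

# Constructed 'sysctl -a' style output for a weak and a hardened host.
WEAK = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.secure_redirects = 0
"""

HARDENED = """\
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
"""


def parse_sysctl(text):
    """Parse 'key = value' lines into a dict; blank or malformed lines are skipped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def redirect_findings(text):
    """Return a sorted list of (key, reason) for every redirect setting that
    is enabled or absent. An empty list means the host follows slide 17."""
    settings = parse_sysctl(text)
    findings = []
    for key, reason in REDIRECT_KEYS.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, "not present in output; kernel default applies"))
        elif value != "0":
            findings.append((key, reason))
    # Accepting redirects is worse still when their source is not validated.
    if (settings.get("net.ipv4.conf.all.accept_redirects") == "1"
            and settings.get(SECURE_KEY) == "0"):
        findings.append((SECURE_KEY, "redirects accepted from any source address"))
    return sorted(findings)


if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, redirect_findings(sample) or "OK")
```

To audit a live host, feed it the real output (`sysctl -a 2>/dev/null | grep redirects`) instead of the constructed strings; per-interface keys under `net.ipv4.conf.<if>.` can be added to `REDIRECT_KEYS` in the same way.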

Page 18: Circumventing Security

Domain Name System Spoofing

Overview: A machine (nameserver) holds a mapping between IP addresses and names (www.cnn.com, for example).

A client sends a request to the nameserver for the IP address of www.cnn.com, and the nameserver replies with the address.

Page 19: Circumventing Security

Domain Name Spoofing (cont.)

Hosts commonly trust other machines based on their names.

If the nameserver is compromised, then the domain names are subsequently compromised.

Security-oriented TCP programs do a two-way lookup to authorize machines:

– Forward lookup (name to IP address)
– Reverse lookup (IP address to name)
– If both match, then the machine is authorized.

Page 20: Circumventing Security

Domain Name Spoofing (cont.)

In order to make attackers’ lives more difficult, administrators commonly put the “forward zone” and the “reverse zone” on two separate machines, so BOTH must be compromised.

DNS records also commonly exist on two separate authoritative nameservers, so querying multiple, differing nameservers is another level of authentication.
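The two-way lookup from slide 19 and the cross-check against a second nameserver from slide 20 fit in a few lines once the resolver is abstracted. The following is an added example, not part of the lecture; the nameserver answer tables `NS1` and `NS2` are constructed stand-ins for real DNS responses (using documentation address ranges and the `example` domain) so the check runs offline. `NS1` plays a server on which both the forward and the reverse zone were altered, which is the situation the slide's split-zone advice is meant to make harder.

```python
# Constructed answers from two authoritative nameservers (no network needed).
# NS1 stands in for a compromised server on which BOTH zones were altered so
# that 198.51.100.5 looks like trusted.example; 203.0.113.7 has only a forged
# PTR record. NS2 is the untouched second server from slide 20.
NS1 = {
    "forward": {
        "trusted.example.": ["192.0.2.10", "198.51.100.5"],
        "other.example.": ["192.0.2.20"],
    },
    "reverse": {
        "192.0.2.10": ["trusted.example."],
        "192.0.2.20": ["other.example."],
        "198.51.100.5": ["trusted.example."],
        "203.0.113.7": ["trusted.example."],
    },
}
NS2 = {
    "forward": {"trusted.example.": ["192.0.2.10"], "other.example.": ["192.0.2.20"]},
    "reverse": {"192.0.2.10": ["trusted.example."], "192.0.2.20": ["other.example."]},
}


def lookup(ns, kind, key):
    """Answer from one nameserver; an unknown name or IP yields an empty answer."""
    return ns[kind].get(key, [])


def two_way_authorized(ip, ns):
    """Slide 19 check: reverse-lookup the IP, forward-lookup each name that
    comes back, and accept a name only if its forward answer contains the
    original IP. Returns the confirmed name, or None."""
    for name in lookup(ns, "reverse", ip):
        if ip in lookup(ns, "forward", name):
            return name
    return None


def cross_checked(ip, servers):
    """Slide 20 check: run the two-way check against every server and accept
    only if all of them confirm the same name. Returns that name, or None."""
    names = {two_way_authorized(ip, ns) for ns in servers}
    return names.pop() if len(names) == 1 else None


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "203.0.113.7"):
        print(ip, "NS1:", two_way_authorized(ip, NS1),
              "NS2:", two_way_authorized(ip, NS2),
              "both:", cross_checked(ip, [NS1, NS2]))
```

The forged PTR alone (203.0.113.7) already fails the two-way check on `NS1`, because nothing in the forward zone points back at it. Altering both zones on `NS1` (198.51.100.5) defeats the two-way check on that one server, which is the slide's point: the check is only as strong as the independence of the servers answering it, and the cross-check against the untouched `NS2` is what finally rejects the address.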

Page 21: Circumventing Security

TCP Spoofing

An attacker only needs to estimate the sequence number to be assigned to the next data byte to be sent by the legitimate user.

If the correct next-sequence number is guessed, the attacker can send a forged datagram containing the tainted data that will be processed as valid data by the receiver.

If the attacker sends tainted data after the legitimate data, the target machine may completely discard the forged datagram if it contains less data than the legitimate datagram.

Page 22: Circumventing Security

TCP Spoofing (cont.)

If the tainted datagram contains more data than the legitimate datagram, only the length of the legitimate datagram is rejected. The rest of the tainted transmission would be accepted as being valid.

On the other hand, if the forged datagram arrives before the legitimate datagram, the forgery will be discarded.

Page 23: Circumventing Security

TCP Spoofing (cont.)

If the attacker guesses a number that’s a bit too high, the receiver will take the datagram and put it in the buffer.

Some of the bytes at the end of the datagram may be discarded because they may not fit in the space allocated by the window advertisement.

Later, the legitimate datagram will arrive and fill the holes in the entire transmission.
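Slides 21 to 23 describe the receiver's behaviour case by case; a small model of the receive window shows the same cases in one place and makes clear why the mitigations on slide 26 matter (an encrypted session removes the value of any accepted bytes, and logging out removes the idle window). The following is an added example, not part of the lecture: a simplified version of the RFC 793 receive test (no sequence-number wraparound, no urgent data), written here to classify one segment and to replay a short arrival sequence. All sequence numbers, window sizes and segment lengths are constructed.

```python
def classify_segment(rcv_nxt, rcv_wnd, seq, length):
    """Classify one incoming segment against the receiver's window.

    rcv_nxt: next sequence number the receiver expects
    rcv_wnd: bytes of buffer the receiver advertised
    seq, length: first sequence number and payload size of the segment

    Returns (verdict, bytes_kept), where verdict is:
      'accepted' - starts exactly at rcv_nxt
      'trimmed'  - starts before rcv_nxt (slides 21/22): the overlapping
                   prefix is rejected and only the new tail is kept
      'buffered' - starts inside the window but after rcv_nxt (slide 23):
                   held until the missing bytes arrive
      'dropped'  - entirely old, or entirely beyond the window
    Bytes past the window edge are discarded in every case (slide 23).
    Sequence-number wraparound is ignored in this simplified model.
    """
    end = seq + length
    win_end = rcv_nxt + rcv_wnd
    if end <= rcv_nxt or seq >= win_end:
        return "dropped", 0
    start = max(seq, rcv_nxt)
    kept = min(end, win_end) - start
    if seq < rcv_nxt:
        return "trimmed", kept
    if seq == rcv_nxt:
        return "accepted", kept
    return "buffered", kept


def deliver(rcv_nxt, rcv_wnd, segments):
    """Feed (seq, length) segments in arrival order through a receiver.

    Returns (final rcv_nxt, list of verdicts, start sequence numbers of
    buffered data still waiting behind a hole).
    """
    pending = {}  # start of buffered out-of-order data -> end of that data
    verdicts = []
    for seq, length in segments:
        verdict, kept = classify_segment(rcv_nxt, rcv_wnd, seq, length)
        verdicts.append(verdict)
        if verdict == "dropped":
            continue
        start = max(seq, rcv_nxt)
        pending[start] = max(pending.get(start, 0), start + kept)
        # Advance rcv_nxt across every buffered run that is now contiguous,
        # i.e. the "fill the holes" step from slide 23.
        while any(s <= rcv_nxt for s in pending):
            s = min(s for s in pending if s <= rcv_nxt)
            rcv_nxt = max(rcv_nxt, pending.pop(s))
    return rcv_nxt, verdicts, sorted(pending)


if __name__ == "__main__":
    # Receiver expects byte 1020 after 20 legitimate bytes; window is 4096.
    for seq, length in ((1000, 10), (1000, 50), (1100, 50), (5100, 50), (9000, 10)):
        print(seq, length, classify_segment(1020, 4096, seq, length))
    print(deliver(1000, 4096, [(1100, 50), (1000, 100)]))
```

The `deliver` replay with a segment at 1100 followed by the legitimate segment at 1000 shows the slide-23 sequence: the early segment sits behind a hole, then the later arrival fills the hole and the receiver advances over both. The width of `rcv_wnd` is the reason slide 24's "within 100 bytes" estimate is enough; nothing in the window check itself distinguishes a legitimate sender from any other source, which is what the mitigations on slide 26 address.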

Page 24: Circumventing Security

A TCP Spoofing Example

Consider a user logging into a timesharing machine and leaving the session idle.

An attacker merely has to guess the total data bytes that the user sent to the server. Usually, the username, password, and a few commands are sent before the connection lies idle.

If the attacker estimates within 100 bytes, they are usually close enough to hit the advertisement window.

All the attacker has to do is send a forged datagram with a sequence of bytes that correspond to a command, and it will be executed as if the logged in user typed it!

Page 25: Circumventing Security

TCP Spoofing Example (cont.)

Since the TCP forgery occurs as the regular user, only user commands can be executed.

rm -rf *, for example.

Page 26: Circumventing Security

Reducing TCP Spoofing Risks

1. Log out of unused terminals and open new ones only when necessary.

2. Use an interactive protocol (telnet, rlogin) that adds overhead to make guessing the sequence number more difficult.

3. Use encrypted terminal sessions (ssh).

Page 27: Circumventing Security

Common Vulnerabilities

– IP spoofing
– Weak passwords
– Default/guest accounts
– Network snooping/sniffing
– Viruses/Trojan horses

Page 28: Circumventing Security

Common Exploits

Most common exploits involve buffer overruns. If the target software runs as a privileged user, then the attacker can run commands as a privileged user!

Exploits vary from operating system to operating system:
– Windows NT 4.0: 71 vul.
– Windows NT 2000: 58 vul.
– RedHat Linux 6.2 i386: 34 vul.
– Windows 98: 31 vul.
– Windows 95: 28 vul.

Page 29: Circumventing Security

Common Exploits (cont.)

Buffer overflow exploits:
– CERT CA-99-03: FTP buffer overflow
– CERT CA-99-08: qpopper (mail)
– CERT CA-99-09: IMAPD (mail)
– CERT CA-99-12: mountd (partition mounting)
– POP3 USER buffer overflow
– POP3 PASS buffer overflow

Finger services

BIND NXT vulnerability (DNS)

And many, many more!

Page 30: Circumventing Security

Discovering Vulnerabilities

Disclaimer: This sort of unauthorized activity may go against your AUP. Do this at your own risk!

riggs:wages> telnet mail.eece.maine.edu 21
Trying 130.111.113.34...
Connected to rainier.eece.maine.edu.
Escape character is '^]'.
220 rainier FTP server (Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999) ready.

Page 31: Circumventing Security

Discovering (cont.)

Then, you take the information that the server is running wu-2.6.0(1) and you then look on the common bug tracking sites to see if there are any vulnerabilities.

No common bugs exist for this FTP server. Let’s look at another possibility, the SMTP server software on port 25.

Page 32: Circumventing Security

Discovering (cont.)

riggs:wages> telnet mail.eece.maine.edu 25
Trying 130.111.113.34...
Connected to rainier.eece.maine.edu.
Escape character is '^]'.
220 rainier.eece.maine.edu ESMTP Sendmail 8.9.3/8.9.3/Marc v3.1 (09/04/98); Tue, 14 Nov 2000 23:48:19 -0500

No known exploits for Sendmail 8.9.3. Let’s look at the POP server next.

Page 33: Circumventing Security

Discovering (cont.)

riggs:wages> telnet mail.eece.maine.edu 110
Trying 130.111.113.34...
Connected to rainier.eece.maine.edu.
Escape character is '^]'.
+OK POP3 rainier v7.52 server ready

No known exploits for this server.
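Slides 30 to 33 read the software version off each greeting by hand; the same extraction is what an administrator's own service inventory does, so that versions can be compared against vendor advisories and so that banners which reveal more than necessary can be identified. The following is an added example, not part of the lecture: the three banner strings are copied from the slides, while the regular expressions, the port-to-banner table and the `identify`/`inventory` helpers are mine and only cover the banner formats shown.

```python
import re

# The three greetings quoted on slides 30-33, keyed by port.
BANNERS = {
    21: "220 rainier FTP server (Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999) ready.",
    25: "220 rainier.eece.maine.edu ESMTP Sendmail 8.9.3/8.9.3/Marc v3.1 (09/04/98); "
        "Tue, 14 Nov 2000 23:48:19 -0500",
    110: "+OK POP3 rainier v7.52 server ready",
}

# One pattern per banner format seen on the slides; group 1 is the version.
PATTERNS = [
    ("ftp", re.compile(r"FTP server \(Version (\S+) ")),
    ("smtp", re.compile(r"ESMTP (Sendmail \d+(?:\.\d+)*)")),
    ("pop3", re.compile(r"\+OK POP3 \S+ (v[\d.]+)")),
]


def identify(banner):
    """Return (service, version) for a recognised banner, else (None, None)."""
    for service, pattern in PATTERNS:
        match = pattern.search(banner)
        if match:
            return service, match.group(1)
    return None, None


def inventory(banners):
    """Map each port to the (service, version) its greeting discloses."""
    return {port: identify(text) for port, text in banners.items()}


def disclosing_ports(banners):
    """Ports whose greeting hands out an exact version string, which is the
    information the slides use to look up known bugs; these are the banners
    an administrator would consider trimming or replacing."""
    return sorted(port for port, (_, version) in inventory(banners).items()
                  if version is not None)


if __name__ == "__main__":
    for port, (service, version) in sorted(inventory(BANNERS).items()):
        print(f"port {port}: {service} {version}")
    print("ports disclosing a version:", disclosing_ports(BANNERS))
```

The output is the same table the slides build by hand (wu-2.6.0(1), Sendmail 8.9.3, v7.52); keeping it under version control and diffing it after each change is a simple way to notice when a service on one of these ports is upgraded, downgraded or replaced.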

– Port scanners
– IP scanners