Network Attacks
Bharatha Yajaman
ISQS 6342
Outline
- Sniffing: passive sniffing, active sniffing
- IP address spoofing: changing the IP address, undermining UNIX r-commands, spoofing with source routing
- Session hijacking
- Netcat
Sniffing
- Sniffers are the most common tools used by attackers
- The data link layer of the protocol stack is targeted
- A sniffer is a program that gathers traffic from the local network; it is useful to attackers, who get to see all the information passing by, and equally to network administrators trying to troubleshoot problems
- An attacker can read data passing by a given machine in real time, or store the data in a file

What type of data can a sniffer capture?
- User IDs and passwords
- DNS queries and responses
- Email messages
- FTP passwords
- Files shared using the Network File System or Windows shares
An Island Hopping Attack
- A user telnets to another system
- A sniffer gathers the password, which is sent in clear text
- The attacker now has a user ID and password on a new victim
(Diagram: the user, the sniffer and the new victim on a LAN)
Various Sniffing Tools
- tcpdump, freeware for the UNIX platform, www.tcpdump.org
- windump, the freeware version of tcpdump for Windows 9x, NT and 2000
- Snort, freeware sniffer and network-based intrusion detection system, www.snort.org
- Ethereal, freeware for UNIX and Windows NT with a nice user interface, www.ethereal.com/
- Sniffit, widely used in the attacker community, reptile.rug.ac.be/~coder/sniffit/sniffit.html
Sniffing through a Hub – Passive Sniffing
- Transmitting data across a hub-based LAN is just like shouting in a crowded room
- A hub implements a broadcast medium shared by all systems on the LAN
- Any data sent across the LAN is actually sent to each and every machine connected to the LAN
(Diagram: broadcast Ethernet, a LAN implemented with a hub)
Sniffing through a Hub – Passive Sniffing
- If an attacker runs a sniffer on one system on the LAN, he can gather data sent to and from any other system on the LAN
- The majority of sniffer tools are well suited to sniffing data in a hub environment
- These tools are called passive sniffers: they passively wait for the data to be sent to them, silently gathering it from the LAN
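The following is an added example and not part of the slides: a minimal Python dissector for the Ethernet, IPv4 and TCP headers of a frame, showing exactly which fields a passive sniffer extracts and why a telnet password is readable. The frame is constructed inside the code (checksums are left at zero, which a sniffer does not need), and the list of cleartext ports in cleartext_credential_hint is an assumption for illustration.

```python
import struct

# Added example, not from the slides: a minimal dissector for what a passive
# sniffer sees on a hub: Ethernet II -> IPv4 -> TCP, including the cleartext payload.

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_str(raw):
    return ".".join(str(b) for b in raw)


def parse_frame(frame):
    """Dissect an Ethernet frame; returns a dict of the fields a sniffer would log."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update(src_ip=ipv4_str(ip[12:16]), dst_ip=ipv4_str(ip[16:20]), proto=ip[9])
    if ip[9] != IPPROTO_TCP:
        return info
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, offset_byte = struct.unpack("!HHIIB", tcp[:13])
    data_offset = (offset_byte >> 4) * 4         # TCP header length in bytes
    info.update(src_port=sport, dst_port=dport, seq=seq, ack=ack, payload=tcp[data_offset:])
    return info


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, seq=1, ack=1):
    """Construct a test frame (checksums zero; a sniffer does not verify them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split("."))) + tcp
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ETHERTYPE_IPV4) + ip)


# Constructed sample: one segment of a telnet session carrying a password in the clear.
SAMPLE_FRAME = build_tcp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                               "10.0.0.5", "10.0.0.9", 40000, 23, b"Password: hunter2\r\n")

# Assumed list of cleartext protocols for the hint below (FTP, telnet, POP3).
CLEARTEXT_PORTS = (21, 23, 110)


def cleartext_credential_hint(frame):
    """True when a TCP frame to a cleartext service carries a password prompt."""
    info = parse_frame(frame)
    return info.get("dst_port") in CLEARTEXT_PORTS and b"Password:" in info.get("payload", b"")


if __name__ == "__main__":
    fields = parse_frame(SAMPLE_FRAME)
    print({k: v for k, v in fields.items() if k != "payload"})
    print("cleartext credential seen:", cleartext_credential_hint(SAMPLE_FRAME))
```

The same parse_frame function works on frames read from a raw socket or a pcap file; the point of the example is that nothing in the headers hides the payload, so any host receiving the broadcast can read it.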
Active Sniffing: Sniffing through a Switch
- Switched Ethernet does not broadcast all information to all systems on the LAN
- A switch, which is more intelligent than a hub, looks at the MAC address associated with each frame passing through it and sends the data only to the required port on the switch
(Diagram: switched Ethernet, a LAN implemented with a switch)
Active Sniffing: Sniffing through a Switch
- The switch limits the data that a passive sniffer can gather
- If a passive sniffer is activated on a switched LAN, it will only be able to see data going to and from one machine – the system the sniffer is installed on
- So how do attackers overcome this difficulty of sniffing a switched LAN?
- Attackers have created a variety of tools that support sniffing a switched environment
- These tools actively inject traffic into the LAN in order to sniff it
- Dsniff is an active sniffing tool, www.monkey.org/~dugsong/dsniff
Foiling Switches with Floods (MAC flooding)
- MAC addresses are physical hardware addresses unique to every Ethernet card
- LAN switches hold the MAC addresses in the switch memory
- What happens if the LAN is flooded with traffic carrying random MAC addresses?
- As the number of different MAC addresses in use increases, the switch dutifully stores the MAC addresses used by each link on the switch
- Eventually the switch's memory is exhausted with bogus MAC addresses
- Some switch implementations start forwarding data to all links once their memory is exhausted
- The attacker can take advantage of this flaw and use any passive sniffing tool to sniff the switched LAN
Foiling Switches with Spoofed ARP Messages
- Some switches are immune to MAC flooding: these switches stop storing new MAC addresses once their memory reaches a given limit
- To sniff in a switched environment where MAC flooding doesn't work, an attacker can use Dsniff's tool called arpspoof
- arpspoof allows an attacker to manipulate ARP traffic on the LAN
(Diagram: victim and attacker on a switch, with the default router for the LAN leading to the outside world; before the attack, the victim's traffic isn't sent to the attacker)
Foiling Switches with Spoofed ARP Messages
To use arpspoof the attacker:
1. First consults a map of the network, likely generated during the scanning phase of the attack
2. Looking at the network topology, observes the IP address of the default router for the LAN
3. Sets up the attack by configuring the IP layer of the attacker's machine to forward any packet it receives from the LAN to the IP address of the default router (IP forwarding)
4. Sends fake ARP replies to the victim's machine
5. These ARP replies change the victim's ARP table by remapping the default router's IP address (layer 3) to the attacker's own MAC address (layer 2)
6. The victim sends its data, forwarding it to what it thinks is the default router (but using the attacker's MAC address)
7. The attacker sniffs the information using any kind of sniffing tool
8. The attacker's machine promptly forwards the victim's traffic to the real default router on the LAN
9. Upon reaching the default router, the traffic is transmitted to the outside world
10. The attacker is now sniffing in a switched environment
(Diagram: victim, attacker, switch and default router for the LAN, with the outside world beyond. 1. Configure IP forwarding. 2. Send a fake ARP response to re-map the default router's IP to the attacker's MAC. 3. The victim sends traffic destined for the outside world based on the poisoned ARP table entry. 4. Sniff the traffic from the link. 5. Packets are forwarded from the attacker's machine to the actual default router for delivery to the outside world.)
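As an added example (not part of the slides) covering both the MAC-flooding and the ARP-spoofing slides above, here are the two switch-side checks a defender would run to catch them: one that alerts when an ARP reply re-maps the default router's IP address to a different MAC, and one that counts distinct source MACs per switch port in a sliding window. The ARP events, frame records, the gateway address 10.0.0.1 and the thresholds are all constructed for the example, not taken from a capture.

```python
from collections import defaultdict

# Added example, not from the slides: two detections for the switch attacks described
# above. All records below are constructed, not captured traffic.

ARP_REPLY = 2   # ARP opcode for "reply"


def detect_gateway_remap(arp_events, gateway_ip):
    """Alert when an ARP reply changes the MAC associated with the default router's IP."""
    seen = {}          # IP -> MAC last claimed for it
    alerts = []
    for ev in arp_events:
        if ev["op"] != ARP_REPLY:
            continue
        ip, mac = ev["sender_ip"], ev["sender_mac"]
        prev = seen.get(ip)
        if ip == gateway_ip and prev is not None and prev != mac:
            alerts.append(f"t={ev['t']}: gateway {ip} moved from {prev} to {mac}")
        seen[ip] = mac
    return alerts


def detect_mac_flood(frames, window, threshold):
    """Report switch ports that sourced more than `threshold` distinct MACs in `window` seconds."""
    by_port = defaultdict(list)   # port -> [(t, src_mac), ...] in arrival order
    flooded = set()
    for f in frames:
        hist = by_port[f["port"]]
        hist.append((f["t"], f["src_mac"]))
        while hist and hist[0][0] < f["t"] - window:
            hist.pop(0)
        if len({mac for _, mac in hist}) > threshold:
            flooded.add(f["port"])
    return sorted(flooded)


# Constructed ARP traffic: the gateway answers from its own MAC, then a later reply
# re-maps the gateway's IP to a different MAC, which is the pattern arpspoof produces.
ARP_SAMPLE = [
    {"t": 0.0, "op": 2, "sender_ip": "10.0.0.1", "sender_mac": "aa:aa:aa:aa:aa:01"},
    {"t": 1.0, "op": 2, "sender_ip": "10.0.0.7", "sender_mac": "aa:aa:aa:aa:aa:07"},
    {"t": 2.0, "op": 2, "sender_ip": "10.0.0.1", "sender_mac": "de:ad:be:ef:00:99"},
]

# Constructed frames: port 3 sources 50 made-up MACs within one second; port 1 is normal.
FLOOD_SAMPLE = [{"t": 0.5, "port": 1, "src_mac": "aa:aa:aa:aa:aa:07"}] + [
    {"t": i / 50, "port": 3, "src_mac": f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"}
    for i in range(50)
]

if __name__ == "__main__":
    for alert in detect_gateway_remap(ARP_SAMPLE, "10.0.0.1"):
        print("ARP:", alert)
    print("flooded ports:", detect_mac_flood(FLOOD_SAMPLE, window=1.0, threshold=10))
```

The ARP check is what a static ARP entry for the gateway or a dynamic-ARP-inspection feature enforces; the MAC count is the logic behind port-security limits on the number of addresses a port may learn.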
Sniffing and Spoofing DNS
- The attacker fires up the dnsspoof program (part of Dsniff), which sniffs the LAN for DNS queries for specific hosts (www.bank.com)
- Some time later the victim tries to resolve the name www.bank.com using DNS when trying to surf the website
- The attacker sniffs the DNS query and immediately sends a fake DNS response
- This response contains a lie, claiming that www.bank.com resolves to the IP address of the attacker's machine (say 10.1.1.56)
- The victim's machine caches this incorrect DNS entry
- The victim's machine ignores the real response from the real DNS server, as it already has a mapping for www.bank.com
- Finally the victim's browser makes a connection to the attacker's machine
(Diagram: victim and attacker on a switch, default router for the LAN, outside world; the attacker's machine is at 10.10.1.56 and the desired destination is www.bank.com. 1. Attacker activates the dnsspoof program. 2. Victim tries to resolve a name using DNS. 3. Attacker sniffs the DNS request from the line. 4. Attacker quickly sends a fake DNS response with any IP the attacker wants the victim to use. 5. Victim now surfs the attacker's site instead of the desired location.)
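The race just described has a visible signature: one transaction ID receives two answers with different A records, the forged one first. As an added example that is not part of the slides, the following Python parses DNS response messages off the wire (including label compression) and reports such conflicts, which is what a monitoring sensor on the LAN would look for. The three responses are constructed in the code; the transaction IDs, the 10.1.1.56 address from the slide and the documentation addresses 198.51.100.20 and 203.0.113.7 are sample values.

```python
import struct

# Added example, not from the slides: parse DNS responses and flag a transaction that
# received two answers with different A records, the signature of a dnsspoof race.


def read_name(msg, offset):
    """Decode a possibly compressed DNS name; returns (name, offset just after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg):
    """Return (txid, queried name, set of A-record IPs) from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset, qname = 12, None
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qname = qname or name
        offset += 4                          # skip QTYPE and QCLASS
    ips = set()
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:        # A record
            ips.add(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return txid, qname, ips


def find_conflicting_answers(responses):
    """Group responses by (txid, name); report those answered with different IP sets."""
    first_seen = {}
    conflicts = []
    for msg in responses:
        txid, qname, ips = parse_response(msg)
        key = (txid, qname)
        if key in first_seen and first_seen[key] != ips:
            conflicts.append((qname, sorted(first_seen[key]), sorted(ips)))
        first_seen.setdefault(key, ips)
    return conflicts


def build_response(txid, qname, ip):
    """Construct a minimal DNS A-record response (for the sample data only)."""
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + answer


# Constructed sample: the forged answer (10.1.1.56, as on the slide) arrives first,
# then the genuine resolver's answer for the same transaction; a third query is clean.
SAMPLE = [
    build_response(0x1234, "www.bank.com", "10.1.1.56"),
    build_response(0x1234, "www.bank.com", "198.51.100.20"),
    build_response(0x4321, "www.example.net", "203.0.113.7"),
]

if __name__ == "__main__":
    for qname, first, later in find_conflicting_answers(SAMPLE):
        print(f"conflicting answers for {qname}: first {first}, later {later}")
```

On a real sensor the second, genuine answer is the one the victim discards, so the detector must keep seeing responses after the client has stopped listening; the cache entry itself gives no hint that anything went wrong.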
Sniffing HTTPS and SSH
- Even though the S's in HTTPS, SSL and SSH stand for secure, their security is built on a trust model for the underlying public keys
- When an HTTPS connection is established, the server sends a certificate which the browser verifies
- If the certificate was signed by a trusted Certificate Authority, an SSL connection will be established
- The SSL connection uses a session key to encrypt all data sent by server and client
- SSH does not support digital certificates but is based on the same public key encryption idea
- The SSL and SSH protocols are sound from a security perspective; the problem that gets exploited lies in how certificates and public keys are trusted
- For SSL, if a web server sends a browser a certificate whose signer the browser does not recognize, the browser asks the user whether or not to accept this untrusted certificate
- For SSH, the user is warned that the server's public key has changed but is still permitted to establish the connection

How does Dsniff exploit the problem?
- Dsniff uses the webmitm and sshmitm tools for attacking HTTPS or SSH
- mitm stands for "monkey in the middle", a reference to the classic person-in-the-middle attack
- Attackers position themselves between two systems and actively participate in the connection to gather data
Sniffing HTTPS and SSH – Person-in-the-middle attack
(Diagram: the attacker sits between two networks)
To conduct a person-in-the-middle attack:
1. The attacker runs the dnsspoof program, configured to send false DNS information so that a DNS query for a given website resolves to the attacker's IP address
2. The attacker also activates the webmitm program, which transparently proxies all HTTP and HTTPS traffic it receives
3. dnsspoof detects the DNS request for www.bank.com and redirects the client to the attacker's machine
4. The victim's browser starts to establish a secure connection
5. All messages for establishing the SSL connection are sent to webmitm on the attacker's machine
6. webmitm acts as an SSL proxy, establishing two SSL connections: one from the victim to the attacker's machine and the other from the attacker's machine to the actual web server
7. When establishing the SSL session between the victim machine and the attacker, webmitm sends the attacker's own certificate
8. The victim's browser notices that the certificate is not signed by a trusted Certificate Authority and shows a message asking the user whether or not to accept this untrusted certificate
(Diagram: victim and attacker on a switch, default router for the LAN, outside world; the desired destination is at 10.22.12.41 and the machine running webmitm is at 10.1.2.3. 1. Attacker activates the dnsspoof and webmitm programs. 2. dnsspoof sends a fake DNS response with the IP address of the machine running webmitm (10.1.2.3). 3. Victim establishes an SSL connection, not knowing the attacker is proxying it. 4. webmitm proxies the HTTPS connection, establishing an HTTPS connection to the server and sending the attacker's own certificate to the victim. 5. Victim now accesses the desired server, but all the traffic is viewable by the attacker using webmitm as a proxy.)
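Both the browser warning and the SSH "host key has changed" warning come down to the same check: does the key the peer presents match the one we already trust for that name? As an added example that is not part of the slides, the following Python implements the SSH side of that check against a known_hosts-style file and applies the policy a defender wants, which is stricter than the slide describes: a changed key is refused outright rather than merely warned about, and an unknown key is refused under strict checking or trusted on first use otherwise. The host names, the address 203.0.113.10 and the two key blobs are constructed sample values; the fingerprint format (SHA256 of the decoded key, base64 without padding) is the one OpenSSH displays.

```python
import base64
import hashlib

# Added example, not from the slides: the known_hosts check an SSH client performs,
# with a refuse-on-change policy. Keys below are constructed blobs, not real host keys.


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Map (host, key type) -> key blob from lines of the form 'host[,host] keytype key'."""
    known = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        for host in parts[0].split(","):
            known[(host, parts[1])] = parts[2]
    return known


def check_host_key(known, host, keytype, presented_b64):
    """Return ('ok' | 'new' | 'changed', fingerprint to show the user)."""
    stored = known.get((host, keytype))
    fp = fingerprint(presented_b64)
    if stored is None:
        return "new", fp
    return ("ok" if stored == presented_b64 else "changed"), fp


def decide(known, host, keytype, presented_b64, strict=True):
    """Connection policy: refuse a changed key; refuse an unknown key unless trust-on-first-use is allowed."""
    status, fp = check_host_key(known, host, keytype, presented_b64)
    if status == "ok":
        return True, f"{host}: host key matches ({fp})"
    if status == "changed":
        return False, f"{host}: HOST KEY CHANGED ({fp}); possible person-in-the-middle, refusing"
    verdict = "refused" if strict else "trusted on first use"
    return (not strict), f"{host}: unknown host key ({fp}); {verdict}"


# Constructed keys: an ed25519-shaped blob and a different one an interposer might present.
REAL_KEY = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + bytes(range(32))).decode()
OTHER_KEY = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + bytes(range(32, 64))).decode()
KNOWN_HOSTS = f"bank.example.com,203.0.113.10 ssh-ed25519 {REAL_KEY}\n"

if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    for key in (REAL_KEY, OTHER_KEY):
        print(decide(known, "bank.example.com", "ssh-ed25519", key))
    print(decide(known, "new.example.com", "ssh-ed25519", REAL_KEY, strict=False))
```

The browser equivalent is to leave certificate validation on and not offer the user a click-through for an untrusted signer; in both cases the defense is the same decision made without asking the user.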
IP address spoofing – Simply changing the IP address
- The simplest way of spoofing another system's IP address is to change the IP address of the attacker's system to the other system's address
- This can be done with the ifconfig command in UNIX, or the Windows NT network control panel
- This method is adequate for limited goals, if the attacker wants to:
  - Send packets that look like they come from somewhere else
  - Obscure the source of a packet flood or other denial-of-service attack
(Diagram: the TCP three-way handshake between A and B. A → B: SYN (A, ISNA). B → A: ACK (A, ISNA), SYN (B, ISNB). A RESET follows when the real A receives a SYN/ACK it did not ask for, as the next slides explain. The TCP three-way handshake inhibits simple spoofing.)
IP address spoofing - Undermining UNIX r-commands
(Diagram: Alice, Bob and Eve)
- Eve interacts with Bob by sending TCP SYN packets to one or more of his open ports, again without spoofing
- This connection initiation allows Eve to approximate the rate at which the initial TCP sequence numbers in Bob's SYN-ACK responses change with time
- Eve launches a denial-of-service attack against Alice (a SYN flood or smurf attack)
- Alice is dead for a period of time; this prevents Alice from sending a RESET packet and dropping the spoofed TCP connection
- Eve initiates a connection to Bob using Alice's IP address
- The first part of the three-way handshake is complete; Bob responds with the second part of the handshake to Alice, but Alice is dead and cannot respond with a RESET
- Using the information gathered, Eve sends an ACK to Bob, spoofing Alice's IP address and including a guess at the sequence number ISNB
- If the sequence number is incorrect, a connection will not be established; if the sequence number is correct, Eve will open a TCP connection with Bob, pretending to be Alice
(Diagram: Eve opens several connections to Bob to observe the initial sequence number in his responses; Eve takes Alice down ("DIE"); Eve → Bob: SYN (A, ISNA); Bob → Alice: ACK (A, ISNA), SYN (B, ISNB); Eve → Bob: ACK (B, ISNB).)
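The attack above only works if Bob's initial sequence numbers can be extrapolated from a few observed connections, which is also the first item on the defense slide later on. As an added example that is not part of the slides, the following Python scores a list of sampled ISNs for that kind of predictability: it predicts each ISN as the previous one plus the median increment seen so far and counts how often the prediction lands within a guessable window. The two sample series are constructed in the code (one imitating a fixed-increment stack, one drawn from a seeded pseudo-random generator); the 2^16 window and the 50% threshold are assumptions chosen for illustration.

```python
import random

# Added example, not from the slides: score how predictable a TCP stack's initial
# sequence numbers (ISNs) are. The ISN samples are constructed, not observed.

MOD = 1 << 32


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def circular_distance(a, b):
    """Distance between two 32-bit sequence numbers, allowing for wrap-around."""
    return min((a - b) % MOD, (b - a) % MOD)


def predictability_report(isns, guess_window=1 << 16):
    """Predict each ISN from the earlier samples and score how often the guess lands close.

    The prediction is previous ISN + median of the increments seen so far (the classic
    constant-increment model). The stack is called predictable when the prediction is
    within `guess_window` of the real ISN at least half the time.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 3:
        raise ValueError("need at least four ISN samples")
    hits = 0
    for i in range(2, len(deltas)):
        history = sorted(deltas[:i])
        median = history[len(history) // 2]
        predicted = (isns[i] + median) % MOD
        if circular_distance(predicted, isns[i + 1]) <= guess_window:
            hits += 1
    hit_rate = hits / (len(deltas) - 2)
    return {
        "samples": len(isns),
        "distinct_deltas": len(set(deltas)),
        "hit_rate": round(hit_rate, 2),
        "predictable": hit_rate >= 0.5,
    }


# Constructed samples. OLD_BSD_STYLE imitates a stack that bumps the ISN by a fixed
# 64000 per connection; RANDOM_STYLE imitates a stack drawing each ISN at random.
OLD_BSD_STYLE = [(123456 + 64000 * i) % MOD for i in range(12)]
_rng = random.Random(7)
RANDOM_STYLE = [_rng.getrandbits(32) for _ in range(12)]

if __name__ == "__main__":
    print("fixed increment:", predictability_report(OLD_BSD_STYLE))
    print("random         :", predictability_report(RANDOM_STYLE))
```

To test a real stack, collect the ISNs from a series of connections to one of your own hosts and feed them to predictability_report; a high hit rate means the spoofing attack above needs no more than a handful of probes.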
IP address spoofing - Spoofing with Source Routing
- A far easier method of IP address spoofing is based on source routing
- This technique lets the attacker get responses in interactive sessions, and even avoids having to conduct a denial-of-service attack
- Source routing is an option in IP that allows the source machine sending packets to specify the path they will take through the network
(Diagram: Alice, Bob and Eve. A packet whose source route is 1. Alice 2. Eve 3. Bob travels to Bob; the response, with source route 1. Bob 2. Eve 3. Alice, comes back through Eve.)
- Eve generates packets with a fake source route
- The packets claim to come from Alice
- The source route includes Eve's address, making Eve look like a router
- The packets include Bob as the destination
IP address spoofing - Spoofing with Source Routing
- Eve injects these spoofed packets into the network
- Bob acts on the packets and responds
- When Bob responds, the packets are transmitted to Eve, who is part of the source route
- Eve intercepts the packets but does not forward them on to Alice
IP Spoofing Defense
- The initial sequence numbers generated by TCP stacks must be difficult to predict
- For UNIX machines in particular, use of the weak r-commands must be avoided
- Implement anti-spoof packet filters at the border routers and firewalls connecting the organization to the Internet and to business partners
- The filtering device drops all packets coming in on one interface that have a source address belonging to the network on another interface
- Such packets indicate a possible spoofing attack
(Diagram: a filtering device between Network A and Network B; a packet arriving from the Network B side with an IP source address on Network A is dropped)
- Source-routed packets must not be allowed through the network gateways. This can be done by configuring routers to drop all source-routed packets at the gateways, using no ip source-route (this works for Cisco routers)
- Be careful with trust relationships throughout the environment
- Avoid extending UNIX and Windows NT trust relationships to systems across an unprotected network
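The filtering rule on the defense slide is short enough to state as code. As an added example that is not part of the slides, the following Python models a border device with an inside, a partner and an Internet interface and applies two of the slide's rules: drop a packet whose source address belongs to a network behind a different interface, and drop any source-routed packet. It goes one step beyond the slide by also dropping outbound packets from the inside interface that carry a non-internal source (egress filtering), so the organization cannot be the origin of the same spoofing. The interface names, address ranges and sample packets are constructed for the example.

```python
import ipaddress

# Added example, not from the slides: the anti-spoof ingress rule from the defense
# slide plus the source-route drop, with an added egress rule. All values constructed.


class AntiSpoofFilter:
    def __init__(self, interface_networks):
        # interface name -> networks that legitimately live behind that interface
        self.nets = {iface: [ipaddress.ip_network(n) for n in nets]
                     for iface, nets in interface_networks.items()}

    def owner_of(self, src_ip):
        """The interface whose networks contain this source address, or None if unknown."""
        addr = ipaddress.ip_address(src_ip)
        for iface, nets in self.nets.items():
            if any(addr in n for n in nets):
                return iface
        return None

    def decide(self, ingress_iface, src_ip, source_routed=False):
        """Return ('drop' | 'accept', reason) for a packet arriving on ingress_iface."""
        if source_routed:
            return "drop", "source-routed packet"
        owner = self.owner_of(src_ip)
        if owner is not None and owner != ingress_iface:
            return "drop", f"source {src_ip} belongs to {owner} but arrived on {ingress_iface}"
        if ingress_iface == "inside" and owner != "inside":
            return "drop", f"egress: source {src_ip} is not an internal address"
        return "accept", "source consistent with ingress interface"


# Constructed topology: private space inside, a partner range, and the Internet (no
# address claim of its own, so anything not owned elsewhere is acceptable there).
FILTER = AntiSpoofFilter({
    "inside": ["10.0.0.0/8"],
    "partner": ["172.16.0.0/12"],
    "internet": [],
})

# Constructed packets: (ingress interface, source IP, source-routed?)
PACKETS = [
    ("internet", "203.0.113.9", False),   # ordinary inbound traffic
    ("internet", "10.1.2.3", False),      # claims an internal source from outside
    ("partner", "10.1.2.3", False),       # partner link claiming our address
    ("inside", "10.1.2.3", False),        # legitimate outbound
    ("inside", "198.51.100.4", False),    # outbound with a foreign source (egress rule)
    ("internet", "203.0.113.9", True),    # source routed
]


def run(filter_, packets):
    """Verdicts for a list of packets, in order."""
    return [filter_.decide(*p)[0] for p in packets]


if __name__ == "__main__":
    for p in PACKETS:
        print(p, "->", FILTER.decide(*p))
```

A real router expresses the same rule as an access list on each interface or as a reverse-path check; the logic a defender should be able to read off either configuration is the owner_of comparison above.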
Session Hijacking
- The marriage of sniffing and spoofing is called session hijacking
- An attacker can hijack a session even if strong authentication is used, assuming the conversation following the initial authentication is not cryptographically protected
- As the session is sent in clear text after the initial authentication, an attacker can hijack it at any point after authentication

Network-based Session Hijacking
- A has established a telnet connection across the network to B
- The attacker sits on a segment in the network where traffic is passing from A to B
- The attacker can see the session using sniffing techniques
(Diagram: Alice's telnet session to Bob crosses a network segment where Eve is listening)
- The attacker can also monitor the TCP sequence numbers of these packets while observing the session
- At some point the attacker decides to hijack the connection
- Now he starts injecting spoofed traffic with A's source IP into the network, using the proper TCP sequence numbers on all packets
- If successful, Bob will accept the commands sent by the attacker, thinking they came from A
(Diagram: Eve injects "Hi I'm Alice" into the telnet session to Bob)
Session Hijacking – ACK storm
- When a system receives a packet in a TCP connection that is out of order, it resends its last ACK packet
- Retransmission of the ACK is supposed to help the systems resynchronize their sequence numbers
- What happens if the attacker is injecting traffic into the TCP connection? The sequence numbers between the attacker and B keep increasing
- As traffic gets routed back to A, it sees the sequence numbers increasing even though A has not sent any packets
- The TCP stacks of A and B get confused as the attacker sends traffic with increasing sequence numbers
- To resynchronize the connection, A resends ACK messages again and again, consuming a good amount of bandwidth in what is known as an ACK storm
- During an ACK storm performance quickly starts to suffer; the attacker will be able to get one or two commands executed on B before the ACK storm causes the connection to be dropped
(Diagram: Eve injects packets with increasing sequence numbers into the session to Bob, and ACK after ACK flows back across the network)
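The ACK storm is loud, which makes it the easiest part of a hijack to detect. As an added example that is not part of the slides, the following Python runs over flow records (timestamp, endpoints, flags, sequence and acknowledgement numbers, payload length) and flags any direction of a connection that sends more than a threshold of payload-free ACKs with the same acknowledgement number inside a short window, which is exactly the repeat-my-last-ACK behaviour described above. The records, the addresses 10.0.0.5 and 10.0.0.9, and the window and threshold are constructed for the example.

```python
from collections import defaultdict, deque

# Added example, not from the slides: detect the repeated-ACK signature of an ACK storm
# in a stream of flow records. The records are constructed, not captured traffic.


def ack_storm_flows(records, window=1.0, threshold=20):
    """Return (src, dst) pairs that sent more than `threshold` payload-free ACKs carrying
    the same acknowledgement number within any `window` seconds."""
    recent = defaultdict(deque)          # (src, dst, ack number) -> recent timestamps
    flagged = set()
    for r in records:
        if r["flags"] != "A" or r["len"] != 0:
            continue                     # only pure ACKs count; data segments are normal
        key = (r["src"], r["dst"], r["ack"])
        stamps = recent[key]
        stamps.append(r["t"])
        while stamps and stamps[0] < r["t"] - window:
            stamps.popleft()
        if len(stamps) > threshold:
            flagged.add((r["src"], r["dst"]))
    return sorted(flagged)


def make_record(t, src, dst, flags, seq, ack, length):
    return {"t": t, "src": src, "dst": dst, "flags": flags, "seq": seq, "ack": ack, "len": length}


ALICE, BOB = "10.0.0.5", "10.0.0.9"

# Constructed healthy telnet exchange: Alice types a character, Bob echoes it back.
HEALTHY = []
for i in range(10):
    HEALTHY.append(make_record(i * 0.2, ALICE, BOB, "PA", 1000 + i, 5000 + i, 1))
    HEALTHY.append(make_record(i * 0.2 + 0.05, BOB, ALICE, "PA", 5000 + i, 1001 + i, 1))

# Constructed storm: after injected segments desynchronize the ends, both keep
# repeating their last ACK many times per second.
STORM = []
for i in range(60):
    STORM.append(make_record(3 + i * 0.01, ALICE, BOB, "A", 1010, 5010, 0))
    STORM.append(make_record(3 + i * 0.01 + 0.005, BOB, ALICE, "A", 5010, 1010, 0))

if __name__ == "__main__":
    print("healthy:", ack_storm_flows(HEALTHY))
    print("with storm:", ack_storm_flows(HEALTHY + STORM))
```

Ordinary duplicate ACKs from loss recovery come in threes or fours; dozens per second with no data in either direction is the storm, and the flagged endpoint pair tells you which session to investigate.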
Session Hijacking Defenses
- Utilize all the defense techniques used against spoofing attacks
- Use encryption tools like SSH or a VPN to secure sessions
- Encrypted sessions prevent session hijacking, as attackers will not have the keys to encrypt or decrypt
Netcat: General purpose network tool
- Netcat is one of the most useful tools available for interacting with systems across a network
- Netcat is often referred to as the "Swiss Army knife of network tools"
- The idea behind Netcat is that it allows a user to move data across a network while functioning much like the UNIX cat command
- Instead of dumping data on the local system, Netcat moves arbitrary data over any TCP or UDP port
- The Netcat executable operates in one of two modes: client mode and listen mode
- In client mode, Netcat can be used to initiate a connection to any TCP or UDP port on another machine
- In listen mode, Netcat opens any TCP or UDP port on the local system
- Netcat supports source routing
- Using these basic building blocks, people have devised many different scenarios based on Netcat: file transfer, port scanning, making connections to open ports, vulnerability scanning, creating a passive backdoor command shell, actively pushing a backdoor command shell, and relaying traffic

Netcat: Defense
- Preventing Netcat file transfers
- Securing against port scanning
- Blocking arbitrary connections to a port
- Protecting against vulnerability scanning
- Stopping backdoors
- Preventing relay attacks
Thank You