type of attacks - ridhanegara.staff.telkomuniversity.ac.id · a quote from kevin mitnick “you...

TYPE OF ATTACKS

OUTLINE

• Social Engineering

• Network Attack

SOCIAL ENGINEERING

A Quote from Kevin Mitnick

“You could spend a fortune purchasingtechnology and services from every exhibitor,speaker and sponsor at the RSA Conference,and your network infrastructure could stillremain vulnerable to old-fashionedmanipulation.”

Types of Attacks

• Phishing

• Impersonation on help desk calls

• Physical access (such as tailgating)

• Shoulder surfing

• Dumpster diving

• Stealing important documents

Phishing

• Use of deceptive mass mailing

• Can target specific entities (“spear phishing”)

Impersonation on help desk calls

• Calling the help desk pretending to be someone else

• Usually an employee or someone with authority

• Prevention:• Assign pins for calling the help desk

• Don’t do anything on someone’s order

• Stick to the scope of the help desk

Physical access

• Tailgating

• Ultimately obtains unauthorize building access

• Prevention• Require badges

• Employee training

• Security officers

• No exceptions!

Shoulder surfing

• Someone can watch the keys you press when entering your password

• Probably less common

• Prevention:

• Be aware of who’s around when entering your password

Dumpster diving

• Looking through the trash for sensitive information

• Doesn’t have to be dumpsters: any trashcan will do

• Prevention:• Easy secure document destruction

• Lock dumpsters

• Erase magnetic media

Stealing important documents

• Can take documents off someone’s desk

• Prevention:• Lock your office

• If you don’t have an office: lock your files securely

• Don’t leave important information in the open

Attack Model

NETWORK ATTACKS

• Datalink layer : ARP poisoning, MAC flooding

• Network Layer : Attack against IP

• Transport layer : Attack against TCP and UDP

• Application layer : cookie protocol problem, session hijacking

DATALINK ATTACK

ARP CACHE POISONING

• there is no way to authenticate the IP to MAC address mapping in the ARP reply

• if computer ‘A’ has sent and ARP request and it gets an ARP reply, then ARP protocol by no means can check whether the information or the IP to MAC mapping in the ARP reply is correct or not

• even if a host did not send an ARP request and gets an ARP reply, then also it trusts the information in reply and updates its ARP cache.

• An evil hacker can craft a valid ARP reply in which any IP is mapped to any MAC address of the hackers choice and can send this message to the complete network

How ARP Works?

ARP Request is Broadcast to all the hosts in LAN

10.0.0.1

10.0.0.3

10.0.0.2

00:00:00:00:00:01

00:00:00:00:00:03

00:00:00:00:00:02

Who has IP 10.0.0.2?

Tell your MAC address

IIT Indore © Neminath Hubballi

How ARP Works?

10.0.0.1

10.0.0.3

10.0.0.2

00:00:00:00:00:01

00:00:00:00:00:03

00:00:00:00:00:02

I have IP 10.0.0.2

My MAC is 00:00:00:00:00:02

Unicast Reply from concerned host


ARP Cache Stores IP-MAC Pairs

10.0.0.1

10.0.0.3

10.0.0.2

00:00:00:00:00:01

00:00:00:00:00:03

00:00:00:00:00:02

ARP cache : updated

IP MAC TYPE

10.0.0.2 00:00:00:00:00:02 dynamic


Why is ARP Vulnerable?

ARP is a stateless protocol

Hosts cache all ARP replies sent to them even if they

had not sent an explicit ARP request for it.

No mechanism to authenticate their peer


Known Attacks Against ARP

ARP Spoofing

Man-in-the-Middle Attack

Denial-of-Service Attack

MAC Flooding ( on Switch )

DoS by spurious ARP packets


ARP Spoofing Attack

Attacker sends forged ARP packets to the victim

10.0.0.1 10.0.0.200:00:00:00:00:01 00:00:00:00:00:02

I have IP 10.0.0.3

My MAC is 00:00:00:00:00:02

ARP Reply

IP MAC TYPE

10.0.0.3 00:00:00:00:00:02 dynamic

Attacker

Target

Victim

10.0.0.3

00:00:00:00:00:03


Spoofing Results in Redirection of

Traffic

10.0.0.1

00:00:00:00:00:01

10.0.0.2

00:00:00:00:00:02

Packets for 10.0.0.3

10.0.0.3

00:00:00:00:00:03


Man-in-the-Middle Attack Allows

Third Party to Read Private Data

10.0.0.1

10.0.0.3

10.0.0.2

00:00:00:00:00:03

00:00:00:00:00:02

Attacker

IP MAC TYPE

10.0.0.3 00:00:00:00:00:01 dynamic

IP MAC TYPE

10.0.0.2 00:00:00:00:00:01 dynamic

00:00:00:00:00:01

23IIT Indore © Neminath Hubballi

Denial of Service Stops Legitimate

Communication

A malicious entry with a non-existent MAC address can lead to a

DOS attack

10.0.0.1 10.0.0.2

00:00:00:00:00:02

I have IP 10.0.0.3

My MAC is XX:XX:XX:XX:XX:XX

ARP Reply

IP MAC TYPE

10.0.0.3 XX:XX:XX:XX:XX:XX dynamic

Attacker

Victim

00:00:00:00:00:01

Target

10.0.0.300:00:00:00:00:03


Denial of Service Stops Legitimate

Communication

00:00:00:00:00:01

Victim unable to reach the IP for which the forged packet was

sent by the attacker

10.0.0.110.0.0.2

00:00:00:00:00:02

IP MAC TYPE

10.0.0.3 XX:XX:XX:XX:XX:XX dynamic

Attacker

Victim

PING 10.0.0.3 Request timed out.


MAC Flooding Degrades Network

Performance

Attacker bombards the switch with numerous forged ARP packets

at an extremely rapid rate such that its CAM table overflows

PORT MAC

1 00:00:01:01:01:01

2 00:00:02:02:02:02

…. ……

….. …….

10.0.0.1

00:00:00:00:00:01

Attacker


DoS by Spurious ARP Packets

Attacker sends numerous spurious ARP packets at the victim

such that it gets engaged in processing these packets

Makes the Victim busy and might lead to Denial of Service

10.0.0.1

00:00:00:00:00:01

Attacker

Victim

Spurious ARP Packets

Busy

ProcessingIIT Indore © Neminath Hubballi

LAB’S TIME

Objectives

• Scan, detect, protect and attack computer on LANs

What you need :

• PC with windows server 2012 as host machine

• Windows2008 running on virtual maschine as target machine

• Installed-version of WinPcap driver

• Double click WinArpAttacker.exe

What to do

1. Launch Windows server 8 Virtual Machine

2. Launch WinArpAttacker in the host machine

3. Click the scan option from toolbar menu, select Scan LAN. The scan the active host on the LAN.

4. Select a victim host (window server 2008) from the display list. Select attack -> flood. Scanning acts as another gateway or IP-forwarder without other user recognition on the LAN, while spoofingARP tables.

• 5. All data sniffed by spoofing andforwarded by WinArpAttackerIP-forward functions are counted, as shown in the main interface. The BanGateway option tells the gatewaywrong MACaddresses of target computer, so the target can’t receivepackets from the internet.

6. Click save to save the report

QUESTION

• Analize and document the scanned, attacked IP address.

NETWORK LAYER

• IP doesn’t has an authentication mechanism.

• A packet simply claims to originated from a given address, andthere is no a way to be sure that the host that sent the packet istelling the truth.

• The fitur of authentication must be provided by higher layer.

IP Spoofing

• There is one host that claims to have an IP address of another.

IP Session Hijacking

• Is an attack whereby a user’s session is taking over, being in thecontrol of an attacker.

TRANSPORT LAYER

• TCP ATTACK • TCP SYN or TCP ACK Flood attack

• TCP sequence number attack

• TCP/IP hijacking

• UDP attack• ICMP attack

• Smurf attack

• ICMP tunneling

TCP SYN

TCP Sequenced number attack

• Each time a TCP message is sent the client or the server generates a sequence number. The attacker intercepts and then responds with a sequence number similar to the one used in the original session. This attack can then hijack or disrupt a session. If a valid sequence number is guessed the attacker can place himself between the client and the server. The attacker gains the connection and the data from the legitimate system.

TCP Hijacking

• This is also called active sniffing, it involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system.

ICMP Attacks

• Ping for instance, that uses the ICMP protocol. sPing is a good example of this type of attack, it overloads te server with more bytes than it can handle, larger connections. Its ping flood.

SMURF ATTACK

• This attack uses IP spoofing and broadcasting to send a ping to a group of hosts on a network. When a host is pinged it send back ICMP message traffic information indicating status to the originator. If a broadcast is sent to network, all hosts will answer back to the ping. The result is an overload of network and the target system. The only way to prevent this attack is to prohibit ICMP traffic on the router.

ICMP Tunneling

• ICMP can contain data about timing and routes. A packet can be used to hold information that is different from the intended information. This allows an ICMP packet to be used as a communications channel between two systems. The channel can be used to send a Trojan horse or other malicious packet. The counter measure is to deny ICMP traffic on your network.

APPLICATION LAYER

Cookie protocol problems

Server is blind:• Does not see cookie attributes (e.g. secure, HttpOnly)

• Does not see which domain set the cookie

Server only sees: Cookie: NAME=VALUE

Example 1: login server problems

1. Alice logs in at login.site.com

login.site.com sets session-id cookie for .site.com

2. Alice visits evil.site.com

overwrites .site.com session-id cookiewith session-id of user “badguy”

3. Alice visits course.site.com to submit homework

course.site.com thinks it is talking to “badguy”

Problem: course.site.com expects session-id from login.site.com;

cannot tell that session-id cookie was overwritten

Example 2: “secure” cookies are not secure

Alice logs in at https://accounts.google.com

Alice visits http://www.google.com (cleartext)

• Network attacker can inject into responseSet-Cookie: SSID=badguy; secure

and overwrite secure cookie

Problem: network attacker can re-write HTTPS cookies !• HTTPS cookie value cannot be trusted

set-cookie: SSID=A7_ESAgDpKYk5TGnf; Domain=.google.com; Path=/ ;

Expires=Wed, 09-Mar-2026 18:35:11 GMT; Secure; HttpOnly

set-cookie: SAPISID=wj1gYKLFy-RmWybP/ANtKMtPIHNambvdI4; Domain=.google.com;Path=/ ;

Expires=Wed, 09-Mar-2026 18:35:11 GMT; Secure

Interaction with the DOM SOPCookie SOP path separation:

x.com/A does not see cookies of x.com/B

Not a security measure: x.com/A has access to DOM of x.com/B

<iframe src=“x.com/B"></iframe>

alert(frames[0].document.cookie);

Path separation is done for efficiency not security:

x.com/A is only sent the cookies it needs

Cookies have no integrity

User can change and delete cookie values

• Edit cookie database (FF: cookies.sqlite)

• Modify Cookie header (FF: TamperData extension)

Silly example: shopping cart software

Set-cookie: shopping-cart-total = 150 ($)

User edits cookie file (cookie poisoning):

Cookie: shopping-cart-total = 15 ($)

Similar problem with hidden fields

<INPUT TYPE=“hidden” NAME=price VALUE=“150”>

53

Session hijacking

Attacker waits for user to login

then attacker steals user’s Session Token and “hijacks” session

⇒ attacker can issue arbitrary requests on behalf of user

Example: FireSheep [2010]

Firefox extension that hijacks Facebook session tokens over WiFi. Solution: HTTPS after login

Beware: Predictable tokensExample 1: counter

⇒ user logs in, gets counter value,

can view sessions of other users

Example 2: weak MAC. token = { userid, MACk(userid) }• Weak MAC exposes k from few cookies.

Apache Tomcat: generateSessionId()

• Returns random session ID [server retrieves client state based on sess-id]

Session tokens must be unpredictable to attacker

To generate: use underlying framework (e.g. ASP, Tomcat, Rails)

Rails: token = MD5( current time, random nonce )

Beware: Session token theftExample 1: login over HTTPS, but subsequent HTTP

• Enables cookie theft at wireless Café (e.g. Firesheep)

• Other ways network attacker can steal token:• Site has mixed HTTPS/HTTP pages ⇒ token sent over HTTP

• Man-in-the-middle attacks on SSL

Example 2: Cross Site Scripting (XSS) exploits

Amplified by poor logout procedures:• Logout must invalidate token on server

Mitigating SessionToken theft by binding

SessionToken to client’s computer

Client IP addr: makes it harder to use token at another machine• But honest client may change IP addr during session

• client will be logged out for no reason.

Client user agent: weak defense against theft, but doesn’t hurt.

SSL session id: same problem as IP address (and even worse)

A common idea: embed machine specific data in SID

Session fixation attacks

Suppose attacker can set the user’s session token:

• For URL tokens, trick user into clicking on URL

• For cookie tokens, set using XSS exploits

Attack: (say, using URL tokens)

1.Attacker gets anonymous session token for site.com

2.Sends URL to user with attacker’s session token

3.User clicks on URL and logs into site.com• this elevates attacker’s token to logged-in token

4.Attacker uses elevated token to hijack user’s session.

Session fixation: lessonWhen elevating user from anonymous to logged-in:

always issue a new session token

After login, token changes to value unknown to attacker

⇒ Attacker’s token is not elevated.

LAB’S TIME

Objectives

• Sniffing password using wireshark

What to do

1. Launch Wireshark

2. From the wireshark menu bar, select capture interfaces(Ctrl+I)

3. In the Wireshark capture interfaces dialog box, find and selectthe Ethernet Driver Interface that is connected to the system, andthen click start.

4. Switch to virtual machine and login to your email.

5. You may save the captured packets from file save as.

6. In Find by...

QUESTION

1. Evaluate the protocols that are involved in the activity thatcaptured by wireshark

2. Evaluate the result of the activity

REFERENCES

1. CEH Modul “SOCIAL ENGINEERING”

2. https://www.petri.com/social-engineering-security-plus

3. Matt Curtin.”Introduction to network security”, 1997

4. “Network Security”, www.tutorialspoint.com

5. Network Security, course slide, http://ece.duke.edu

6. Certified Ethical Hacker ver 8 (Sniffing) Modul

http://ece.duke.edu/

type of attacks - ridhanegara.staff.telkomuniversity.ac.id · a quote from kevin mitnick “you...

Documents