Lab 2: SSL Security Attack
June 17, 2008
Hyun Jin Kim
Objective
• Configure DNS such that https://www.paypal.com gets resolved to our own IP address of the “attack” server
– Paypal uses SSL protocol.
Normal DNS Query Processing
[Diagram: the client asks the DNS Server for www.paypal.com and receives 64.4.241.33, the address of Paypal’s Server]
Attacking DNS Request
[Diagram: the client asks the DNS Server for www.paypal.com; the attacker’s Filter sees the query and answers 128.222.11.3, the Fake Paypal Server, instead of the real Paypal Server]
What We Will Do
• Write a program that injects a spoofed DNS Response when the source queries the IP address of www.paypal.com
• C programming
• A basic code skeleton is provided.
• The attacker’s fake server is also provided.
Libraries
• Libpcap
– To capture DNS requests
– /usr/include/pcap.h
• Libnet
– To inject fake DNS replies
– /usr/include/libnet.h
Procedures
• Setup for packet sniffing
• Grab packets
• Check if packets are DNS queries
• If the query is for www.paypal.com, inject a spoofed DNS response back
• Web browser will direct to attacker’s fake paypal website!
Step 1: Packet Sniffing Setup
• Find the network interface for sniffing
– device = pcap_lookupdev(errbuf);
• eth0 in our case
• Set up for sniffing
– capdev = set_cap_dev(device, filter);
• filter specifies some properties of DNS Requests
– UDP packets
– Destination port = 53
Step 2: Grab a DNS Query Packet
• Grab a packet (first fill-in)
– packet = (u_char *) pcap_next(capdev, &pcap_hdr);
• Check if the packet is a DNS Query
– i.e., Destination port = 53?
• Check if the DNS Query is for www.paypal.com
Step 3: Create Spoofed DNS Response
• Create a new DNS Response with Attacker’s IP address
• Send it back to the source
• void spoof_dns(char *device)
– Open a raw socket
– Start creating the header for the spoofed response
Step 3: Create Spoofed DNS Response
• Header Construction
– Build DNS Header (fill in)
– dns = libnet_build_dnsv4(LIBNET_DNS_H,            /* header size */
                           ntohs(spoofpacket.dns_id), /* dns id, copied from the captured query */
                           0x8100,                   /* control flags: QR and RD set */
                           1,                        /* number of questions */
                           1,                        /* number of answer RR's */
                           0,                        /* number of authority RR's */
                           0,                        /* number of additional RR's */
                           spoofpacket.payload,      /* payload */
                           spoofpacket.payload_size, /* payload length */
                           handler,                  /* libnet handler */
                           0);                       /* ptag */
– Build UDP Header
– Build IP Header
– Calculate Checksum (fill in)
• libnet_toggle_checksum(handler, udp, 1);
• libnet_toggle_checksum(handler, ip, 1);
Step 4: Inject DNS Response
• Inject the packet (fill in)
– inject_size = libnet_write(handler);
• Destroy the packet (fill in)
– libnet_destroy(handler);
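The injector built in Steps 1–4 races the real resolver: the client receives the spoofed answer first and the genuine one a moment later, both carrying the transaction id it sent. That race is what a network monitor can look for. The following is an added example, not part of the lab skeleton or the attacker code it hands out: it parses DNS messages in RFC 1035 wire format, remembers each outstanding query by (client, id, qname), and raises an alert when two answers to the same query disagree on the A record. The key deliberately ignores the responder's address, because the injector can forge the resolver's source IP; only the answer content is compared. All packets and addresses are constructed here; 128.222.11.3 and 64.4.241.33 are the two addresses from the slides.

```python
import struct
from typing import Dict, List, Optional, Tuple

QTYPE_A = 1

def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (used only to build the constructed sample traffic)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split("."))
    return out + b"\x00"

def build_message(txid: int, qname: str, answer_ip: Optional[str] = None) -> bytes:
    """Constructed sample packet: a query, or a response carrying a single A record."""
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)
    if answer_ip is None:
        return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    # Owner name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer

def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset after it)."""
    labels: List[str] = []
    end: Optional[int] = None
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels).lower(), end if end is not None else off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_dns(msg: bytes) -> dict:
    """Parse the header, the question section and the A records of the answer section."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    questions: List[Tuple[str, int]] = []
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((qname, qtype))
    a_records: List[str] = []
    for _ in range(ancount):
        _owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            a_records.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "response": bool(flags & 0x8000), "questions": questions, "a_records": a_records}

class DnsRaceDetector:
    """Track outstanding queries; alert when two answers to one query disagree."""

    def __init__(self) -> None:
        # (client, txid, qname) -> None while unanswered, else (claimed responder, A records)
        self.first_answer: Dict[Tuple[str, int, str], Optional[Tuple[str, List[str]]]] = {}

    def observe(self, src: str, dst: str, msg: bytes) -> Optional[str]:
        pkt = parse_dns(msg)
        if not pkt["questions"]:
            return None
        qname = pkt["questions"][0][0]
        if not pkt["response"]:
            self.first_answer[(src, pkt["id"], qname)] = None  # query seen, no answer yet
            return None
        key = (dst, pkt["id"], qname)
        if key not in self.first_answer:
            return f"ALERT unsolicited response for {qname} id={pkt['id']:#06x} from {src}"
        seen = self.first_answer[key]
        if seen is None:
            self.first_answer[key] = (src, pkt["a_records"])
            return None
        if seen[1] != pkt["a_records"]:
            return (f"ALERT conflicting answers for {qname} id={pkt['id']:#06x}: "
                    f"{seen[0]} gave {seen[1]}, {src} gave {pkt['a_records']}")
        return None

def run_demo() -> List[str]:
    """Replay the lab scenario on constructed traffic: query, injected answer, genuine answer."""
    client, resolver = "10.0.0.5", "10.0.0.1"  # constructed addresses
    det = DnsRaceDetector()
    traffic = [
        (client, resolver, build_message(0x1A2B, "www.paypal.com")),
        (resolver, client, build_message(0x1A2B, "www.paypal.com", "128.222.11.3")),  # injected, source forged
        (resolver, client, build_message(0x1A2B, "www.paypal.com", "64.4.241.33")),   # genuine, arrives later
        (client, resolver, build_message(0x3C4D, "www.naver.com")),
        (resolver, client, build_message(0x3C4D, "www.naver.com", "203.0.113.9")),     # constructed, one answer only
    ]
    return [alert for alert in (det.observe(s, d, m) for s, d, m in traffic) if alert]
```

Running run_demo() yields a single alert, for www.paypal.com, naming both 128.222.11.3 and 64.4.241.33; the www.naver.com lookup, which the Test slide uses as the unaffected control, produces none. In a real deployment the table needs expiry (a query that is never answered should age out) and the monitor must sit where it sees both the client's queries and every response, which in the lab topology is the same vantage point the Filter uses.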
Test
• Compile
– Type make
• Run
– Type ./sslattack
• Open a web browser
• Type http://www.naver.com
– No attack
• Type https://www.paypal.com
– Certificate Warning Sign
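The certificate warning in the last test step is the point of the lab: DNS decides which address the browser connects to, but TLS checks the certificate against the name the user typed, and the fake server cannot present a CA-issued certificate for www.paypal.com. The name-matching step is shown below as an added example, written for this page rather than taken from the lab or from any browser; it applies the RFC 6125 rules that clients commonly use (case-insensitive comparison, a wildcard only as the whole leftmost label, never matching more than one label or a bare domain). The certificate names are constructed; real validation also checks the chain signature, validity period and revocation, which this example leaves out.

```python
from typing import List

def _pattern_matches(pattern: str, hostname: str) -> bool:
    """One certificate name against the requested host, RFC 6125 style."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be an entire leftmost label, and "*.com" style names are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # "*" covers exactly one label, so label counts must agree and the rest must be identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def hostname_matches(hostname: str, san_dns_names: List[str]) -> bool:
    """True if any subjectAltName DNS entry of the certificate covers the host."""
    return any(_pattern_matches(name, hostname) for name in san_dns_names)

def browser_verdict(url_host: str, resolved_ip: str, cert_san: List[str]) -> str:
    """Verdict for one connection; note the resolved IP takes no part in the name check."""
    if hostname_matches(url_host, cert_san):
        return f"OK: certificate names {cert_san} cover {url_host} (served from {resolved_ip})"
    return (f"WARNING: {url_host} resolved to {resolved_ip}, but the certificate names "
            f"{cert_san} do not cover it")

def lab_walkthrough() -> List[str]:
    """Both outcomes from the Test slide, with constructed certificate name lists."""
    genuine_san = ["www.paypal.com", "paypal.com"]          # constructed stand-in for the real cert
    fake_san = ["attack-server.example"]                     # constructed: what the fake server can actually get
    return [
        browser_verdict("www.paypal.com", "64.4.241.33", genuine_san),
        browser_verdict("www.paypal.com", "128.222.11.3", fake_san),
    ]
```

The first verdict is OK and the second is a WARNING, which is exactly the difference between the "Actual paypal.com" and "Spoofed paypal.com" screens. The only way the spoofed server avoids the warning is if the user clicks through it, which is why the certificate dialog, not the DNS layer, is the control that holds here.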
Certificate
Spoofed paypal.com
Actual paypal.com