Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael,...
-
Upload
frederick-hodges -
Category
Documents
-
view
216 -
download
0
Transcript of Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael,...
Sniffing, Spoofing, Hijacking
This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis.
I have edited and added material.
Dr. Stephen C. Hayne
Sniffing Targets Data Link layer of protocol stack Sniffer – gathers traffic off network
This data can include userIDs passwords transmitted by telnet, DNS queries and responses, sensitive emails, FTP passwords, etc.
Allows attacker to read data passing a given machine in real time.
Two types of sniffing: Active Passive
Sniffing
Passive Attacker must have
account on LAN Done over a hub Usually once access
is gained on one computer attacker uses passwords to get in other computers
Active Attacker still needs an
account Several different
attacks: - Parsing Packets - Flooding - Spoofed ARP Messages - DNS Spoofing - HTTPS and SSH spoofing
Passive Sniffinguser1
Server
user2
Bad guy
HUBBLAH
BLAH
BLAHBLAH
- Message gets sent to all computers on hub
Active Sniffinguser1
Server
user2
Bad guy
SwitchBLAH
BLAH
- Message gets sent to only requesting computer by looking at MAC address
Dsniff
Offers several ways around a switch Available for OpenBSD, Linux, Solaris,
and there is a version for Windows Very popular and versatile In conjunction with sshmitm and
webmitm, conducts all the above attacks
Wireshark
Much better than dsniff, for packet capture, IMHO
Flooding Switches
The switch stores MAC addresses locally
Dsniff keeps sending the switch bogus MAC address
Eventually the switches memory fills and it turns into a hub
Then, just run any sniffer you want to get data from the network
Spoofing ARP Messages Some switches are immune to MAC flooding ARP maps IP to MAC address Attacker looks at network topology to find the IP for
the default router Then enables IP forwarding on their machine, so
machine forwards packets to default router Attacker runs Dsniff and poisons the ARP table on
the victim’s computer, matching his MAC with the default routers IP
Victim sends the data to “default router” Attacker sniffs data then forwards the information to
the real default router
ARP Floodinguser1
Scary place (outside world)
Bad guy
Switch
1
1
21) Fake ARP
2) Innocent Message
3) Sniffing
4) On its way3
4
DNS Spoofing Similar to ARP Spoofing Instead of mapping a MAC to an IP,
Dsniff maps the IP of an attacker’s machine to a domain name the user is trying to access
The new IP is a machine outside the network that is running a fake web page that mimics the actual web page
The user may enter a username and password thinking that the site is legit
Man/Monkey In The Middle!
User Attacker target
MITM - Getting around HTTPS and SSH
Both HTTPS and SSH use encryption while talking to each other
Sniffing the data would be useless The way HTTPS is based on certificates that are sent
to the computers This certificate is digitally signed by a trusted
Certification Authority Your browser verifies this signature to make sure the
server is trusted An SSL connection is then established SSH doesn’t use certificates but employs similar
techniques
It sounds secure, right? The connection is secure, but Dsniff exploits what
happens before the connection Attacker runs an DNS spoof along with webmitm. Webmitm proxies the connection:
establishes a https connection with the victim sending the attackers certificate to the user
establishes a https connection with the real server The victim gets a error message on the screen
stating that the certificate is unrecognizable or not properly configured. The victim can then click continue to establish a connection.
Victim then access the information they want, but the attacker sees everything that they type (HOWTO)
Anti-Sniffing Encrypt all crucial data that you are sending
across a network Never telnet to firewall, routers, sensitive
servers, or Public Key Infrastructure If you get a error message from your SSH or
browser, investigate it If feasible, replace hubs with switches For very sensitive data, enable Port-level
security on your switches by configuring each switch port with a specific MAC of the computer using that switch port
Defenses against DSniff
Hardcode MAC address of Gateway into servers
Use a gateway switch that will not “fail-open” (protect against MAC-flood)
Use ARPWATCH to monitor MAC address mismatches
IP Address Spoofing
Three main flavors- Simple Spoofing- Undermining Unix r-Commands- Spoofing with source routing
Doesn’t allow actions to be traced back to an IP
Undermine applications that rely on IP addresses for authentication or filtering
Simple Spoofing
Simply change the IP of your computer Can be done with ipconfig in UNIX or
under network control panel in Windows Use a tool that generates packets with
fake IP addresses
The only problem is attacker can’t establish a three-way-handshake with victim
Undermining UNIX r-Command
This targets UNIX trust relationships Trust relationships allow users to log onto one machine
and then log into trusting machines with out a password Use the:
rlogin (remote login) rsh (remote shell) rcp (remote copy)
A computer can also be added to the trust relationship by editing the /etc/host/equiv or ~/rhosts file
A machine is trust relies on the system’s IP address The administrator can establish a hub and spoke
relationship, logging onto one computer and then sending commands to multiple systems that trust it using rsh tool.
Hub and Spoke
Admin
Trust Trust
Trust
Trust Trust
trust
Trust
Exploiting Hub and Spoke Relationships
1. Attacker sends multiple TCP SYN packets to computer to be attacked, allows attacker to guess future sequence numbers
2. Attacker launches a DoS attack on trusted computer, so computer is dead to network
3. Attacker launches a connection with victim using trusted computer’s IP address
4. The victim returns an SYN-ACK to trusted computer, but no reply is sent because it was hit with a DoS attack
5. Using the sequence numbers gathered from step 1 the attacker sends ACK packets to the victim with a guessed sequence number again spoofing the trusted machine’s IP
Exploiting Hub and Spoke Relationships
The attacker now has a connect with the victim’s computer and can feed it commands The attacker can’t see the responses The attacker can make the computer trust
the attacker’s computer or any computer on the network
The attacker can then log on directly to the victim, no spoofing required
Spoofing with Source Routing
Source routing allows the attacker to specify a certain path the packet will take on the network
“loose source routing” allows the attacker to tell the computer some hops but not all
The attacker sets source routed packets from a fake source IP to the victim
These packets claim to be from a trusted computer They include the attackers IP address as one of the hops When the victim’s computer tries to establish a three-
way-handshake the attacker intercepts the SYN-ACK and submits its own ACK
An open connection has been established between the attacker and victim, the attacker can view the responses from the victim
Defenses against IP Spoofing
Make your initial sequence numbers generated by your TCP stack difficult to guess
apply latest security patches test predictability by scanning and trying to guess them
yourself (Nmap can be helpful with this) Avoid using r-commands
Use SSH instead or other secure programs Avoid setting up trust relationships on a network Avoid applications that validate based on IP address
authentication should be based on passwords and cryptography
use other techniques that tie the session to the user Use filters at DMZ and gateways that drop source
routed packets (both incoming and out going)