Download Presentation

Weakening Online Security Measures
with ARP Cache Poisoning
Presentation by Rob Bobek
Content

















Abstract
Presentation Focus
Routing in Ethernet
Address Resolution Protocol
Exploiting Ethernet through ARP Cache Poisoning
How ARP Cache Poisoning Works
Secure Socket Layer
SSL Handshake Process
dsniff tools
Attack Experiment
Network Topology and Configurations
Additional Tools
Attack Methodology
Mounting the Attack
Observations and Conclusions
References
Questions
Abstract

Ethernet is the most popular LAN technology
utilized in today’s computing environments.
However, it was originally designed with no
security in mind and therefore it suffers from
malicious attacks that can severely compromise
user security

Since the advent of online banking, shopping
and auctioning, putting you credit card number
or other confidential information through the
Internet has been a major concern.
Abstract

Since 1994, cryptography technologies have
emerged to mitigate the security problems that
Ethernet or the Internet in general was exposed
too


Example: SSL/TLS was introduced to provided secureend-to-end web transaction
Although we have these security measures in
place, unfortunately, because the way Ethernet
was designed, it is still possible to break this
security.
Presentation Focus
To use Arp Cache Poisoning to provide the
Attacker a man-in-the-middle platform in order to
launch further Attacks on the Victim. Ultimately, I
am demonstrating how we can use simple open
source tools in order to capture a Victim’s login
Credentials to an SSL protected Web Service.
Routing in Ethernet


Data exchanged within an Ethernet network is accomplished through Link
Layer Routing (therefore, based on MAC addresses).
An Ethernet switch will forward Ethernet frames to the corresponding Node on
the network based on the ARP and Port Mapping table.
ARP Table
IP:192.168.0.2
MAC: AA--AA-AA-AA-AA-AA
IP:192.168.0.4
MAC: DD-DD-DD-DD-DD-DD
IP:192.168.0.3
MAC: BB-BB-BB-BB-BB-BB

IP Address
MAC Address
192.168.0.2
AA-AA-AA-AA-AA-AA
192.168.0.3
BB-BB-BB-BB-BB-B
192.168.0.4
DD-DD-DD-DD-DD-DD
Port Mapping Table
MAC Address
Interface
AA-AA-AA-AA-AA-AA
1
BB-BB-BB-BB-BB-BB
2
DD-DD-DD-DD-DD-DD
3
The ARP table within an Ethernet switch contains a relational mapping of each
nodes IP address and its corresponding MAC address as well as the port they
are associated to on the switch.
Address Resolution Protocol

ARP is a protocol that resolves network layers addresses
into link layer addresses

When an IP Datagram comes to an Ethernet network and
the ARP table does not have a mapping for that specific IP
Address, ARP used is to search for it on the network
ARP Table
ARP Request: Who has IP
192.168.0.3?
ARP Request: Who has
IP 192.168.0.3?
IP Address
MAC Address
192.168.0.2
AA-AA-AA-AA-AA-AA
192.168.0.4
DD-DD-DD-DD-DD-DD
ARP Reply: I do. My MAC is:
BB-BB-BB-BB-BB-BB
and my IP is 192.168.0.3
ARP Request: Who has
IP 192.168.0.3?
IP:192.168.0.2
MAC: AA-AA-AA-AA-AA-AA
IP:192.168.0.4
MAC: DD-DD-DD-DD-DD-DD
Port Mapping Table
MAC Address
IP:192.168.0.3
MAC: BB-BB-BB-BB-BB-BB
Interface
AA-AA-AA-AA-AA-AA
1
DD-DD-DD-DD-DD-DD
3
Exploiting Ethernet through
ARP Cache Poisoning

Ethernet by design does not use any form of ARP
Request/Reply authentication which is primarily the reason
why Ethernet has become vulnerable to attacks like Man-inthe-Middle

Man-in-the-Middle Attacks can be accomplished by
manipulating the Ethernet switch ARP table and a Victim’s
ARP cache by sending these Nodes spoof ARP replies,
otherwise the process known as ARP Cache Poisoning.

Other then Authentication being the problem of Ethernet’s
design, ARP reply’s do not have to be paired with ARP
requests. The Attacker can continuously send spoof ARP
reply’s to two victim nodes to maintain its position in the
middle without waiting for ARP requests.
How ARP Cache
Poisoning Works
IP Address
MAC Address
192.168.0.2
AA-AA-AA-AA-AA-AA
192.168.0.4
BB-BB-BB-BB-BB-BB
MAC Address
Before:
Gateway:
IP:192.168.0.1
MAC: CC-CC-CC-CC-CC-CC
Interface
AA-AA-AA-AA-AA-AA
1
BB-BB-BB-BB-BB-BB
2
Victim’s ARP Cache
Victim:
IP:192.168.0.2
MAC: AA-AA-AA-AA-AA-AA
Attacker:
IP:192.168.0.4
MAC: BB-BB-BB-BB-BB-BB
After:
ARP Reply to Victim:
My MAC: BB-BB-BB-BB-BB-BB
My IP: 192.168.0.1
Gateway:
IP:192.168.0.1
MAC: CC-CC-CC-CC-CC-CC
IP Address
MAC Address
192.168.0.1
CC-CC-CC-CC-CC-CC
192.168.0.4
BB-BB-BB-BB-BB-BB
IP Address
MAC Address
192.168.0.2
BB-BB-BB-BB-BB-BB
192.168.0.4
BB-BB-BB-BB-BB-BB
MAC Address
ARP Reply to Switch:
My MAC: BB-BB-BB-BB-BB-BB
My IP: 192.168.0.2
Interface
AA-AA-AA-AA-AA-AA
1
BB-BB-BB-BB-BB-BB
2
Victim’s ARP Cache
Victim:
IP:192.168.0.2
MAC: AA-AA-AA-AA-AA-AA
Attacker:
IP:192.168.0.4
MAC: BB-BB-BB-BB-BB-BB
IP Address
MAC Address
192.168.0.1
BB-BB-BB-BB-BB-BB
192.168.0.4
BB-BB-BB-BB-BB-BB
Secure Socket Layer

The Internet has become a popular source for
banking, shopping, auctioning and other services
like this. Therefore it has become necessary to
have our banking or other confidential information
protected during transit through the public
network.

Secure Socket Layer has become a standard
technology used in the industry to achieve
confidentially, integrity and authentication while
transmitting data from one computer to another
through the Internet.
Secure Socket Layer

SSL can be paired with a variety of unsecured
protocols like POP, SMTP, LDAP but commonly it
used for HTTP.

SSL in it simplest form works by using an
encryption key to encrypt all communication data
before it is sent off to the public network and then
the corresponding recipient uses a decryption key
to decrypt and process the data.
Secure Socket Layer

SSL uses the following cryptographic technologies




Asymmetrical Encryption
Symmetrical Encryption
Digital Signatures
Certificates

Digital certificates will confirm the identity of the owner
that you are trying to establish a connection with and
also to attest that the public key you are to use in fact
belongs to the domain owner as well.

Digital certificates prevent Servers from impersonating
false entities. A valid certificate will give the customer
reassurance that they are sending their personal
information to the intended destination securely.

Issued from a Certifying Authority (CA)

Must submit CSR
SSL Handshake Process
Client makes a request to a secured website 
https://webmail1.uwindsor.ca
Server presents Client with X.509 Certificate.
Certificate contains Servers public key
Client’s browser validates Certificate
-------------------------------------Client’s browser generates a random symmetric key and
encrypts is using the Server’s public key
Server decrypts message using its private key. Both the
Client and Server now know the Symmetric key and
Communication can begin
DSNIFF tools

dsniff is a collection of security tools directed at layer 2
switching. Each tool can perform a unique attack at layer 2,
some of which include ARP Cache Poisoning, DSN Spoofing
and password sniffing.

arpspoof
 arpspoof is a tool that easily aids the process of
conducting a Man-in-the-Middle Attack. It usage only
requires two parameters. For example;
arpspoof –t 192.168.1.1 192.168.1.103

Using this command, arpspoof will tell 192.168.1.1 (the
gateway) that our MAC address belongs to IP Address
192.168.1.103 (which in fact does not).
DSNIFF tools

dsniff


dsniff is an advanced password sniffing tool. What makes
this tool interesting is that it will only filter out passwords
to the screen as apposed to other sniffing tools that will
also output other packet info. Note, this tool will only
sniff out passwords from protocols that don’t encrypt the
communication stream, such as POP, IMAP and FTP.
webspy

webspy is capable of listening for HTTP connections and
reconstructing all HTML data on the Attackers browser.
This allows you to visually see where the victims are
navigating to on the Internet.
DSNIFF tools

dnsspoof
 dnsspoof forges DNS replies. An attacker can create a file
that will list IP Address to DNS name relationships in
which dnsspoof can then use to make corresponding
forged DNS replies.

webmitm
 Primarily used to sniff out SSL traffic between two
Nodes. When webmitm is executed, it runs an HTTP and
HTTPS proxy. It also goes through the process of
creating a fake SSL certificate. Using webmitm in
conjunction with dnsspoof, we can re-direct our Victim to
our HTTPS proxy and relay his/her traffic from our proxy
to the intended destination.
Attack Experiment
Goal

The attack will demonstrate how a man-in-the-middle
attack in combination with dsniff tools can be mounted
together to retrieve the Victim’s login credentials from a
Secure Socket Layered Connection.
Network Topology and
Configurations
- Gateway IP: 192.168.1.1
MAC: 00-1A-70-F9-3E-3D
Internet
Linksys WRT54GS-CA Wireless - G
10/100 Mbps Router/Switch
RCA
Modem
54Mbps
100Mbps
-Victim IP: 192.168.1.103
MAC: 00-50-8D-FB-0E-A7
Athlon XP 2400+
Windows XP with SP2
- Attacker IP: 192.168.1.102
MAC: 00-0E-35-D7-AD-2C
Intel Centrino 1.6GHz
Ubuntu 7.04
Additional Tools
Software:
Version:
Source:
Description:
SSL Dump
0.9 Beta 3
http://www.rtfm.com/ssldump/
An SSLv3/TLS analyzer.
Software:
Version:
Source:
Wireshark
0.99.6a
http://www.wireshark.org/
Software:
Version:
Source:
grep
2.5.1
Installed with Ubuntu
Description: A UNIX utility that performs a search on given text
and will output the lines matching a specific search
pattern or regular expression.
Attack Methodology

What are we doing?
https://webmail1.uwindsor.ca
Attacker
Victim
Mounting the Attack –
Perform Man-in-the-Middle Attack

Before we start, we need to enable IP Forwarding on the
Attacker’s machine. This is to ensure that the attacker does
not disrupt the existing communication between the
Gateway and the Victim while acting as the man-in-themiddle
echo "1" > /proc/sys/net/ipv4/ip_forward

Using arpspoof;
sudo arpspoof -i eth1 -t 192.168.1.1 192.168.1.103
sudo arpspoof -i eth1 -t 192.168.1.103 192.168.1.1
Mounting the Attack –
Man-in-the-Middle Results
Before ARP Cache Poisoning
After ARP Cache Poisoning
Mounting the Attack –
Generating Fake Certificate

We will now use the webmitm tool. This tool can be executed
using the command;
webmitm –d
Mounting the Attack –
Setup dnsspoof

The next stage in the attack is to setup dnsspoofing so that when
the Victim connects to https://webmail1.uwindsor.ca, the Victim is
redirected to our HTTPS proxy.

Hosts File:

The Attacker will then execute dnsspoof like so;
sudo dnsspoof -i eth1 -f hosts
Mounting the Attack –
Setup Wireshark


At this point, the Attacker will execute Wireshark to capture
all traffic between the Victim and *.uwindsor.ca. In the
'Capture Options', the Attacker will select to listen on the
eth1 interface and under 'Capture File', the Attacker will
specify 'ciphered.pcap' as the filename to capture all
packets.
That’s it!
Victim’s Machine

When the Victim navigates to https://webmail1.uwindsor.ca,
he or she is prompted with this;
Victim’s Machine –
Certificate Details
Mounting the Attack –
Decrypting ciphered dump file

At this point, the Attacker shuts down Wireshark and begins to
analyze the packets. However, because the packets are
encrypted, SSLdump can be used in combination with the
ciphered pcap file and keyfile to decrypt the data.
ssldump -r ciphered -k webmitm.crt -d > deciphered

This tells SSLdump to take the capture packets (-r) and use
the webmitm.crt as the keyfile (-k) and decrypt (-d) the
contents into 'deciphered' file.
Mounting the Attack –
Parsing through dump file

'deciphered' will contains a large amount of plaintext data.
That Attacker will use the unix utility grep to conveniently
search for typical words that would likely output something
important. The Attacker will execute;
cat deciphered | grep -A 5 -B 5 Pass

The result is…
Mounting the Attack –
Parsing through dump file
Observation and Conclusions

SSL is actually a very secured protocol

Not a problem with SSL, but with Ethernet

Use tools like ArpWatch

Arpwatch will monitor MAC/IP associations and can send
alerts if it notices suspicious activity
References
[1] Burkholder, Peter. “SSL Man-in-the-Middle Attacks”. Sans Institute 2002.
February 1, 2002 (v. 2.0)
URL: http://www.sans.org/reading_room/whitepapers/threats/480.php
[2] M.S. Bhiogade. “Secure Socket Layer”. June 2002.
URL: http://www.informingscience.org/proceedings/IS2002Proceedings/papers/Bhiog05
8Secur.pdf
[3] “Network Security – Authenticating through SSL”. IBM.
URL: http://publib.boulder.ibm.com/infocenter/cicstg/v6r1m0/index.jsp?topic=/com.ibm
.cics.tg.doc/cclai/cclaim0008.htm
[4] “What is SSL”
URL: http://info.ssl.com/article.aspx?id=10241
[5] “Introduction to Secure Sockets Layer”. Cisco.
URL: http://www.cisco.com/en/US/netsol/ns340/ns394/ns50/ns140/networking_solution
s_white_paper09186a0080136858.shtml
[6] “Arp Message Format”
URL: http://www.h3c.com/portal/Products___Solutions/Technology/IPv4___IPv6_Servi
ces/ARP/200701/195560_57_0.htm
References
[7] ”Arp Cache Poisoning”
URL: http://www.grc.com/nat/arp.htm
[8] “DSNIFF”
URL: http://codeidol.com/security/anti-hacker-tool-kit/Sniffers/DSNIFF/
Questions?