Download 13-ARPPoisoning

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
Document related concepts
no text concepts found
Transcript 
Network Sniffing
• Sometimes it is possible observe/record traffic
traveling on a network
• Network traffic may contain valuable information:
– Usernames and passwords
• Encrypted
• Unencrypted
– E-mail, web requests (and replies), data files
– Etc.
• A sniffer is a piece of software that captures
network traffic
Analogy - Wiretapping
• The FBI conducts wiretaps
– Go to a judge and get a court order authorizing the
wiretap
•
•
•
•
Who?
What?
When?
Why?
– With the help of the phone company, can listen
to/record a suspect’s phone conversations to obtain
evidence
Analogy – Wiretapping (cont)
• Sniffer allows an administrator (or attacker) to
record/listen in on conversations between
computers
– May need authorization to monitor network traffic
– Electronic Communications Privacy Act
– https://www.cdt.org/issue/wiretap-ecpa
– May not need authorization to monitor network traffic
– “Trap and Trace”/”Pen register”
– Consent
– May not care - attackers
Sniffing - Environment
• Some networks use shared media so passive
sniffing is very easy
– Network interface cards can be placed in
“promiscuous” mode so that they do not ignore
traffic to other hosts
• Wireless network traffic can also be
captured (but may be encrypted)
• Sniffing is more difficult (but not
impossible) in switched environments
Protocol Analysis
• Captured network packets contain binary
data which is difficult to interpret
• Most sniffers include a protocol analysis
component which organizes and displays
the (human-readable) contents of the traffic
– Example: Wireshark
Example – An Nmap Port Scan
• Target host: 10.0.0.207
– Start Wireshark
• Source host: 10.0.0.204
– Perform a TCP-connect scan
• nmap –sT <target host>
• View results
Example – A Web Connection
• Target host: 10.0.0.207
– Start Wireshark
• Source host: 10.0.0.204
– Open a text-based web browser
• Get default web page on the target host
• View results
Example – An FTP Connection
• Target host: 10.0.0.207
– Start Wireshark
• Source host: 10.0.0.204
– Use the ftp client
• ftp <target host>
• View results
Example – An SFTP Connection
• Target host 10.0.0.204
• Source host 10.0.0.207
– Use the sftp client
• sftp guest@<target host>
• View results
Man-in-the-Middle
• In a switched environment a host only
receives:
– Traffic destine for itself
– Broadcast traffic
• Cannot see traffic between other hosts
• Man-in-the-middle = insert yourself as an
(undetected) intermediary between
communicating hosts
Man-in-the-middle (cont)
• Normal:
I
Alice
Bob
• Man-in-the-middle:
I
Alice
Bob
Man-in-the-middle (cont)
• How to achieve man-in-the-middle in a
switched environment?
• Exploit address resolution protocols
Address Resolution
• All network communications must be carried out
over physical networks
– Each machine has a unique physical address
• Programs (and humans) use IP addresses to
specify the machine to which a message is sent
• The address resolution problem – need to map IP
address to physical address
The Address Resolution Problem
Hosts A and B are on the same physical
network
B wants to communicate with A but only
knows A’s IP address
A
B
C
D
E
The Address Resolution Protocol (ARP)
Host A wants to resolve the IP address IB
Host A broadcasts a special (ARP) packet that
asks the host with IP address IB to respond
with its physical address
All hosts receive the request
Host B recognizes its IP address
Host B sends a reply containing its physical
address
ARP
• Phase 1:
A
X
B
Y
X
B
Y
• Phase 2:
A
ARP Caches
• Each host maintains a cache of recentlyused mappings
– Information in the cache expires after a set time
has elapsed
• When sending an ARP request a host
includes its IP-to-physical address binding
• All machines on a physical network
“snoop” ARP packets for mappings
Demo – ARP Cache
• Host 10.0.0.207 has not communicated with
10.0.0.205
– 207’s ARP cache probably doesn’t contain an
entry for 205
• Host 207 makes a web request to 205
– ARP for 205’s physical address
• Added to 207’s cache
– Web request sent and reply received
ARP Cache Poisoning
• Broadcast ARP replies associating your
physical address with a given IP address
– Other hosts receive this message and put the
mapping into their ARP cache
– When a machine wants to communicate with
the given IP address it sends the frame to your
physical address
– You read the frame and then forward it on to
the real destination host
Cain and Abel
• A man-in-the-middle LAN attack tool
– Sniffer
– Protocol analyzer
• URL: http://www.oxid.it/cain.html
• Can be used to poison hosts ARP caches
Demo – ARP Cache Poisoning
• Hosts 10.0.0.204 and 10.00.205 may or may
not have communicated
– ARP caches may or may not contain entries for
each other
• Start Cain (on .207) and poison both 204
and 205’s ARP caches:
– 207’s HW address associated with .204’s IP
– 207’s HW address associated with .205’s IP
ARP Cache Poisoning - Result
• 204 and 205 will communicate with each other
– May not realize that their communications are flowing through a
third-party
• All communications will flow through 207
– 207 can read/store traffic
– 207 forwards between the two hosts
Example – An FTP Connection
• Switched Environment
– Source host: .204
– Destination host: .205
– Attacker: .207
• Using:
– Cain and Abel
ARP Poisoning
• Can:
• Read traffic
• Modify traffic
Example – DNS Spoofing
• Switched Environment
– Source host: .203
– Destination host: Google
– Attacker: .207
• Using:
– Cain and Abel
Example – SSH Downgrade
• Switched Environment
– Source host: my laptop
– Destination host: 10.0.0205
– Attacker: .207
• Using:
– Cain and Abel
ARP Poisoning
• What attackers look for:
– Sensitive, unencrypted communications
• Web requests/replies, e-mail, FTP
– Weakly-encrypted communications
• Old versions of SSH, RDC
ARP Poisoning - Countermeasures
• Static ARP tables/smart switch
• ARPwatch
• IDS
Summary
• Network traffic may contain valuable information:
– Usernames and passwords
• Encrypted
• Unencrypted
– E-mail, web requests (and replies), data files
– Etc.
• ARP poisoning can allow an attacker to capture and
modify network traffic as a man-in-the-middle:
– Cain and Abel
Related documents
Security Lab
Security Lab
Chapter 5: ARP
Chapter 5: ARP
ARP Poisoning Attacks
ARP Poisoning Attacks
Chapter 5
Chapter 5
ch-3-FIT-pt2
ch-3-FIT-pt2
MIMAttack_Assignment
MIMAttack_Assignment
Scaling the Network: The Internet Protocol Networking CS 3470, Section 1
Scaling the Network: The Internet Protocol Networking CS 3470, Section 1
aas_scott - Arecibo Observatory
aas_scott - Arecibo Observatory
Ben A & Matt
Ben A & Matt
CS412 Computer Networks - Winona State University
CS412 Computer Networks - Winona State University
Sample Solution for Exercise Communication Networks I
Sample Solution for Exercise Communication Networks I
Chapter 5
Chapter 5