Download 13-ARPPoisoning

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts
no text concepts found
Transcript
Network Sniffing
• Sometimes it is possible observe/record traffic
traveling on a network
• Network traffic may contain valuable information:
– Usernames and passwords
• Encrypted
• Unencrypted
– E-mail, web requests (and replies), data files
– Etc.
• A sniffer is a piece of software that captures
network traffic
Analogy - Wiretapping
• The FBI conducts wiretaps
– Go to a judge and get a court order authorizing the
wiretap
•
•
•
•
Who?
What?
When?
Why?
– With the help of the phone company, can listen
to/record a suspect’s phone conversations to obtain
evidence
Analogy – Wiretapping (cont)
• Sniffer allows an administrator (or attacker) to
record/listen in on conversations between
computers
– May need authorization to monitor network traffic
– Electronic Communications Privacy Act
– https://www.cdt.org/issue/wiretap-ecpa
– May not need authorization to monitor network traffic
– “Trap and Trace”/”Pen register”
– Consent
– May not care - attackers
Sniffing - Environment
• Some networks use shared media so passive
sniffing is very easy
– Network interface cards can be placed in
“promiscuous” mode so that they do not ignore
traffic to other hosts
• Wireless network traffic can also be
captured (but may be encrypted)
• Sniffing is more difficult (but not
impossible) in switched environments
Protocol Analysis
• Captured network packets contain binary
data which is difficult to interpret
• Most sniffers include a protocol analysis
component which organizes and displays
the (human-readable) contents of the traffic
– Example: Wireshark
Example – An Nmap Port Scan
• Target host: 10.0.0.207
– Start Wireshark
• Source host: 10.0.0.204
– Perform a TCP-connect scan
• nmap –sT <target host>
• View results
Example – A Web Connection
• Target host: 10.0.0.207
– Start Wireshark
• Source host: 10.0.0.204
– Open a text-based web browser
• Get default web page on the target host
• View results
Example – An FTP Connection
• Target host: 10.0.0.207
– Start Wireshark
• Source host: 10.0.0.204
– Use the ftp client
• ftp <target host>
• View results
Example – An SFTP Connection
• Target host 10.0.0.204
• Source host 10.0.0.207
– Use the sftp client
• sftp guest@<target host>
• View results
Man-in-the-Middle
• In a switched environment a host only
receives:
– Traffic destine for itself
– Broadcast traffic
• Cannot see traffic between other hosts
• Man-in-the-middle = insert yourself as an
(undetected) intermediary between
communicating hosts
Man-in-the-middle (cont)
• Normal:
I
Alice
Bob
• Man-in-the-middle:
I
Alice
Bob
Man-in-the-middle (cont)
• How to achieve man-in-the-middle in a
switched environment?
• Exploit address resolution protocols
Address Resolution
• All network communications must be carried out
over physical networks
– Each machine has a unique physical address
• Programs (and humans) use IP addresses to
specify the machine to which a message is sent
• The address resolution problem – need to map IP
address to physical address
The Address Resolution Problem
Hosts A and B are on the same physical
network
B wants to communicate with A but only
knows A’s IP address
A
B
C
D
E
The Address Resolution Protocol (ARP)
Host A wants to resolve the IP address IB
Host A broadcasts a special (ARP) packet that
asks the host with IP address IB to respond
with its physical address
All hosts receive the request
Host B recognizes its IP address
Host B sends a reply containing its physical
address
ARP
• Phase 1:
A
X
B
Y
X
B
Y
• Phase 2:
A
ARP Caches
• Each host maintains a cache of recentlyused mappings
– Information in the cache expires after a set time
has elapsed
• When sending an ARP request a host
includes its IP-to-physical address binding
• All machines on a physical network
“snoop” ARP packets for mappings
Demo – ARP Cache
• Host 10.0.0.207 has not communicated with
10.0.0.205
– 207’s ARP cache probably doesn’t contain an
entry for 205
• Host 207 makes a web request to 205
– ARP for 205’s physical address
• Added to 207’s cache
– Web request sent and reply received
ARP Cache Poisoning
• Broadcast ARP replies associating your
physical address with a given IP address
– Other hosts receive this message and put the
mapping into their ARP cache
– When a machine wants to communicate with
the given IP address it sends the frame to your
physical address
– You read the frame and then forward it on to
the real destination host
Cain and Abel
• A man-in-the-middle LAN attack tool
– Sniffer
– Protocol analyzer
• URL: http://www.oxid.it/cain.html
• Can be used to poison hosts ARP caches
Demo – ARP Cache Poisoning
• Hosts 10.0.0.204 and 10.00.205 may or may
not have communicated
– ARP caches may or may not contain entries for
each other
• Start Cain (on .207) and poison both 204
and 205’s ARP caches:
– 207’s HW address associated with .204’s IP
– 207’s HW address associated with .205’s IP
ARP Cache Poisoning - Result
• 204 and 205 will communicate with each other
– May not realize that their communications are flowing through a
third-party
• All communications will flow through 207
– 207 can read/store traffic
– 207 forwards between the two hosts
Example – An FTP Connection
• Switched Environment
– Source host: .204
– Destination host: .205
– Attacker: .207
• Using:
– Cain and Abel
ARP Poisoning
• Can:
• Read traffic
• Modify traffic
Example – DNS Spoofing
• Switched Environment
– Source host: .203
– Destination host: Google
– Attacker: .207
• Using:
– Cain and Abel
Example – SSH Downgrade
• Switched Environment
– Source host: my laptop
– Destination host: 10.0.0205
– Attacker: .207
• Using:
– Cain and Abel
ARP Poisoning
• What attackers look for:
– Sensitive, unencrypted communications
• Web requests/replies, e-mail, FTP
– Weakly-encrypted communications
• Old versions of SSH, RDC
ARP Poisoning - Countermeasures
• Static ARP tables/smart switch
• ARPwatch
• IDS
Summary
• Network traffic may contain valuable information:
– Usernames and passwords
• Encrypted
• Unencrypted
– E-mail, web requests (and replies), data files
– Etc.
• ARP poisoning can allow an attacker to capture and
modify network traffic as a man-in-the-middle:
– Cain and Abel