Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Weakening Online Security Measures with ARP Cache Poisoning Presentation by Rob Bobek Content Abstract Presentation Focus Routing in Ethernet Address Resolution Protocol Exploiting Ethernet through ARP Cache Poisoning How ARP Cache Poisoning Works Secure Socket Layer SSL Handshake Process dsniff tools Attack Experiment Network Topology and Configurations Additional Tools Attack Methodology Mounting the Attack Observations and Conclusions References Questions Abstract Ethernet is the most popular LAN technology utilized in today’s computing environments. However, it was originally designed with no security in mind and therefore it suffers from malicious attacks that can severely compromise user security Since the advent of online banking, shopping and auctioning, putting you credit card number or other confidential information through the Internet has been a major concern. Abstract Since 1994, cryptography technologies have emerged to mitigate the security problems that Ethernet or the Internet in general was exposed too Example: SSL/TLS was introduced to provided secureend-to-end web transaction Although we have these security measures in place, unfortunately, because the way Ethernet was designed, it is still possible to break this security. Presentation Focus To use Arp Cache Poisoning to provide the Attacker a man-in-the-middle platform in order to launch further Attacks on the Victim. Ultimately, I am demonstrating how we can use simple open source tools in order to capture a Victim’s login Credentials to an SSL protected Web Service. Routing in Ethernet Data exchanged within an Ethernet network is accomplished through Link Layer Routing (therefore, based on MAC addresses). An Ethernet switch will forward Ethernet frames to the corresponding Node on the network based on the ARP and Port Mapping table. ARP Table IP:192.168.0.2 MAC: AA--AA-AA-AA-AA-AA IP:192.168.0.4 MAC: DD-DD-DD-DD-DD-DD IP:192.168.0.3 MAC: BB-BB-BB-BB-BB-BB IP Address MAC Address 192.168.0.2 AA-AA-AA-AA-AA-AA 192.168.0.3 BB-BB-BB-BB-BB-B 192.168.0.4 DD-DD-DD-DD-DD-DD Port Mapping Table MAC Address Interface AA-AA-AA-AA-AA-AA 1 BB-BB-BB-BB-BB-BB 2 DD-DD-DD-DD-DD-DD 3 The ARP table within an Ethernet switch contains a relational mapping of each nodes IP address and its corresponding MAC address as well as the port they are associated to on the switch. Address Resolution Protocol ARP is a protocol that resolves network layers addresses into link layer addresses When an IP Datagram comes to an Ethernet network and the ARP table does not have a mapping for that specific IP Address, ARP used is to search for it on the network ARP Table ARP Request: Who has IP 192.168.0.3? ARP Request: Who has IP 192.168.0.3? IP Address MAC Address 192.168.0.2 AA-AA-AA-AA-AA-AA 192.168.0.4 DD-DD-DD-DD-DD-DD ARP Reply: I do. My MAC is: BB-BB-BB-BB-BB-BB and my IP is 192.168.0.3 ARP Request: Who has IP 192.168.0.3? IP:192.168.0.2 MAC: AA-AA-AA-AA-AA-AA IP:192.168.0.4 MAC: DD-DD-DD-DD-DD-DD Port Mapping Table MAC Address IP:192.168.0.3 MAC: BB-BB-BB-BB-BB-BB Interface AA-AA-AA-AA-AA-AA 1 DD-DD-DD-DD-DD-DD 3 Exploiting Ethernet through ARP Cache Poisoning Ethernet by design does not use any form of ARP Request/Reply authentication which is primarily the reason why Ethernet has become vulnerable to attacks like Man-inthe-Middle Man-in-the-Middle Attacks can be accomplished by manipulating the Ethernet switch ARP table and a Victim’s ARP cache by sending these Nodes spoof ARP replies, otherwise the process known as ARP Cache Poisoning. Other then Authentication being the problem of Ethernet’s design, ARP reply’s do not have to be paired with ARP requests. The Attacker can continuously send spoof ARP reply’s to two victim nodes to maintain its position in the middle without waiting for ARP requests. How ARP Cache Poisoning Works IP Address MAC Address 192.168.0.2 AA-AA-AA-AA-AA-AA 192.168.0.4 BB-BB-BB-BB-BB-BB MAC Address Before: Gateway: IP:192.168.0.1 MAC: CC-CC-CC-CC-CC-CC Interface AA-AA-AA-AA-AA-AA 1 BB-BB-BB-BB-BB-BB 2 Victim’s ARP Cache Victim: IP:192.168.0.2 MAC: AA-AA-AA-AA-AA-AA Attacker: IP:192.168.0.4 MAC: BB-BB-BB-BB-BB-BB After: ARP Reply to Victim: My MAC: BB-BB-BB-BB-BB-BB My IP: 192.168.0.1 Gateway: IP:192.168.0.1 MAC: CC-CC-CC-CC-CC-CC IP Address MAC Address 192.168.0.1 CC-CC-CC-CC-CC-CC 192.168.0.4 BB-BB-BB-BB-BB-BB IP Address MAC Address 192.168.0.2 BB-BB-BB-BB-BB-BB 192.168.0.4 BB-BB-BB-BB-BB-BB MAC Address ARP Reply to Switch: My MAC: BB-BB-BB-BB-BB-BB My IP: 192.168.0.2 Interface AA-AA-AA-AA-AA-AA 1 BB-BB-BB-BB-BB-BB 2 Victim’s ARP Cache Victim: IP:192.168.0.2 MAC: AA-AA-AA-AA-AA-AA Attacker: IP:192.168.0.4 MAC: BB-BB-BB-BB-BB-BB IP Address MAC Address 192.168.0.1 BB-BB-BB-BB-BB-BB 192.168.0.4 BB-BB-BB-BB-BB-BB Secure Socket Layer The Internet has become a popular source for banking, shopping, auctioning and other services like this. Therefore it has become necessary to have our banking or other confidential information protected during transit through the public network. Secure Socket Layer has become a standard technology used in the industry to achieve confidentially, integrity and authentication while transmitting data from one computer to another through the Internet. Secure Socket Layer SSL can be paired with a variety of unsecured protocols like POP, SMTP, LDAP but commonly it used for HTTP. SSL in it simplest form works by using an encryption key to encrypt all communication data before it is sent off to the public network and then the corresponding recipient uses a decryption key to decrypt and process the data. Secure Socket Layer SSL uses the following cryptographic technologies Asymmetrical Encryption Symmetrical Encryption Digital Signatures Certificates Digital certificates will confirm the identity of the owner that you are trying to establish a connection with and also to attest that the public key you are to use in fact belongs to the domain owner as well. Digital certificates prevent Servers from impersonating false entities. A valid certificate will give the customer reassurance that they are sending their personal information to the intended destination securely. Issued from a Certifying Authority (CA) Must submit CSR SSL Handshake Process Client makes a request to a secured website https://webmail1.uwindsor.ca Server presents Client with X.509 Certificate. Certificate contains Servers public key Client’s browser validates Certificate -------------------------------------Client’s browser generates a random symmetric key and encrypts is using the Server’s public key Server decrypts message using its private key. Both the Client and Server now know the Symmetric key and Communication can begin DSNIFF tools dsniff is a collection of security tools directed at layer 2 switching. Each tool can perform a unique attack at layer 2, some of which include ARP Cache Poisoning, DSN Spoofing and password sniffing. arpspoof arpspoof is a tool that easily aids the process of conducting a Man-in-the-Middle Attack. It usage only requires two parameters. For example; arpspoof –t 192.168.1.1 192.168.1.103 Using this command, arpspoof will tell 192.168.1.1 (the gateway) that our MAC address belongs to IP Address 192.168.1.103 (which in fact does not). DSNIFF tools dsniff dsniff is an advanced password sniffing tool. What makes this tool interesting is that it will only filter out passwords to the screen as apposed to other sniffing tools that will also output other packet info. Note, this tool will only sniff out passwords from protocols that don’t encrypt the communication stream, such as POP, IMAP and FTP. webspy webspy is capable of listening for HTTP connections and reconstructing all HTML data on the Attackers browser. This allows you to visually see where the victims are navigating to on the Internet. DSNIFF tools dnsspoof dnsspoof forges DNS replies. An attacker can create a file that will list IP Address to DNS name relationships in which dnsspoof can then use to make corresponding forged DNS replies. webmitm Primarily used to sniff out SSL traffic between two Nodes. When webmitm is executed, it runs an HTTP and HTTPS proxy. It also goes through the process of creating a fake SSL certificate. Using webmitm in conjunction with dnsspoof, we can re-direct our Victim to our HTTPS proxy and relay his/her traffic from our proxy to the intended destination. Attack Experiment Goal The attack will demonstrate how a man-in-the-middle attack in combination with dsniff tools can be mounted together to retrieve the Victim’s login credentials from a Secure Socket Layered Connection. Network Topology and Configurations - Gateway IP: 192.168.1.1 MAC: 00-1A-70-F9-3E-3D Internet Linksys WRT54GS-CA Wireless - G 10/100 Mbps Router/Switch RCA Modem 54Mbps 100Mbps -Victim IP: 192.168.1.103 MAC: 00-50-8D-FB-0E-A7 Athlon XP 2400+ Windows XP with SP2 - Attacker IP: 192.168.1.102 MAC: 00-0E-35-D7-AD-2C Intel Centrino 1.6GHz Ubuntu 7.04 Additional Tools Software: Version: Source: Description: SSL Dump 0.9 Beta 3 http://www.rtfm.com/ssldump/ An SSLv3/TLS analyzer. Software: Version: Source: Wireshark 0.99.6a http://www.wireshark.org/ Software: Version: Source: grep 2.5.1 Installed with Ubuntu Description: A UNIX utility that performs a search on given text and will output the lines matching a specific search pattern or regular expression. Attack Methodology What are we doing? https://webmail1.uwindsor.ca Attacker Victim Mounting the Attack – Perform Man-in-the-Middle Attack Before we start, we need to enable IP Forwarding on the Attacker’s machine. This is to ensure that the attacker does not disrupt the existing communication between the Gateway and the Victim while acting as the man-in-themiddle echo "1" > /proc/sys/net/ipv4/ip_forward Using arpspoof; sudo arpspoof -i eth1 -t 192.168.1.1 192.168.1.103 sudo arpspoof -i eth1 -t 192.168.1.103 192.168.1.1 Mounting the Attack – Man-in-the-Middle Results Before ARP Cache Poisoning After ARP Cache Poisoning Mounting the Attack – Generating Fake Certificate We will now use the webmitm tool. This tool can be executed using the command; webmitm –d Mounting the Attack – Setup dnsspoof The next stage in the attack is to setup dnsspoofing so that when the Victim connects to https://webmail1.uwindsor.ca, the Victim is redirected to our HTTPS proxy. Hosts File: The Attacker will then execute dnsspoof like so; sudo dnsspoof -i eth1 -f hosts Mounting the Attack – Setup Wireshark At this point, the Attacker will execute Wireshark to capture all traffic between the Victim and *.uwindsor.ca. In the 'Capture Options', the Attacker will select to listen on the eth1 interface and under 'Capture File', the Attacker will specify 'ciphered.pcap' as the filename to capture all packets. That’s it! Victim’s Machine When the Victim navigates to https://webmail1.uwindsor.ca, he or she is prompted with this; Victim’s Machine – Certificate Details Mounting the Attack – Decrypting ciphered dump file At this point, the Attacker shuts down Wireshark and begins to analyze the packets. However, because the packets are encrypted, SSLdump can be used in combination with the ciphered pcap file and keyfile to decrypt the data. ssldump -r ciphered -k webmitm.crt -d > deciphered This tells SSLdump to take the capture packets (-r) and use the webmitm.crt as the keyfile (-k) and decrypt (-d) the contents into 'deciphered' file. Mounting the Attack – Parsing through dump file 'deciphered' will contains a large amount of plaintext data. That Attacker will use the unix utility grep to conveniently search for typical words that would likely output something important. The Attacker will execute; cat deciphered | grep -A 5 -B 5 Pass The result is… Mounting the Attack – Parsing through dump file Observation and Conclusions SSL is actually a very secured protocol Not a problem with SSL, but with Ethernet Use tools like ArpWatch Arpwatch will monitor MAC/IP associations and can send alerts if it notices suspicious activity References [1] Burkholder, Peter. “SSL Man-in-the-Middle Attacks”. Sans Institute 2002. February 1, 2002 (v. 2.0) URL: http://www.sans.org/reading_room/whitepapers/threats/480.php [2] M.S. Bhiogade. “Secure Socket Layer”. June 2002. URL: http://www.informingscience.org/proceedings/IS2002Proceedings/papers/Bhiog05 8Secur.pdf [3] “Network Security – Authenticating through SSL”. IBM. URL: http://publib.boulder.ibm.com/infocenter/cicstg/v6r1m0/index.jsp?topic=/com.ibm .cics.tg.doc/cclai/cclaim0008.htm [4] “What is SSL” URL: http://info.ssl.com/article.aspx?id=10241 [5] “Introduction to Secure Sockets Layer”. Cisco. URL: http://www.cisco.com/en/US/netsol/ns340/ns394/ns50/ns140/networking_solution s_white_paper09186a0080136858.shtml [6] “Arp Message Format” URL: http://www.h3c.com/portal/Products___Solutions/Technology/IPv4___IPv6_Servi ces/ARP/200701/195560_57_0.htm References [7] ”Arp Cache Poisoning” URL: http://www.grc.com/nat/arp.htm [8] “DSNIFF” URL: http://codeidol.com/security/anti-hacker-tool-kit/Sniffers/DSNIFF/ Questions?