Sniffing/Spoofing - Dr. Stephen C. Hayne
Sniffing, Spoofing, Hijacking
This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material.
Dr. Stephen C. Hayne
Sniffing
- Targets the Data Link layer of the protocol stack
- A sniffer gathers traffic off the network
- This data can include user IDs and passwords transmitted by telnet, DNS queries and responses, sensitive emails, FTP passwords, etc.
- Allows an attacker to read data passing a given machine in real time
- Two types of sniffing:
  - Active
  - Passive
Sniffing
Passive
- Attacker must have an account on the LAN
- Done over a hub
- Usually, once access is gained on one computer, the attacker uses passwords to get into other computers
Active
- Attacker still needs an account
- Several different attacks:
  - Parsing Packets
  - Flooding
  - Spoofed ARP Messages
  - DNS Spoofing
  - HTTPS and SSH spoofing
Passive Sniffing
(Diagram: user1 sends a message to the Server through a HUB; user2 and the bad guy are on the same hub.)
- Message gets sent to all computers on the hub
Active Sniffing
(Diagram: user1 sends a message to the Server through a Switch; user2 and the bad guy are on the same switch.)
- Message gets sent only to the requesting computer, by looking at the MAC address
Dsniff
- Offers several ways around a switch
- Available for OpenBSD, Linux, Solaris, and there is a version for Windows
- Very popular and versatile
- In conjunction with sshmitm and webmitm, conducts all the above attacks
Wireshark
- Much better than dsniff for packet capture, IMHO
Flooding Switches
- The switch stores MAC addresses locally
- Dsniff keeps sending the switch bogus MAC addresses
- Eventually the switch's memory fills and it turns into a hub
- Then, just run any sniffer you want to get data from the network
Spoofing ARP Messages
- Some switches are immune to MAC flooding
- ARP maps IP addresses to MAC addresses
- The attacker looks at the network topology to find the IP of the default router
- Then enables IP forwarding on their machine, so the machine forwards packets to the default router
- The attacker runs Dsniff and poisons the ARP table on the victim's computer, matching his MAC with the default router's IP
- The victim sends the data to the "default router"
- The attacker sniffs the data, then forwards the information to the real default router
ARP Flooding
(Diagram: user1, a Switch, the bad guy, and the "scary place" (outside world); 1) Fake ARP, 2) Innocent Message, 3) Sniffing, 4) On its way.)
DNS Spoofing
- Similar to ARP Spoofing
- Instead of mapping a MAC to an IP, Dsniff maps the IP of an attacker's machine to a domain name the user is trying to access
- The new IP is a machine outside the network that is running a fake web page that mimics the actual web page
- The user may enter a username and password thinking that the site is legit
Man/Monkey In The Middle!
(Diagram: User - Attacker - target)
MITM - Getting around HTTPS and SSH
- Both HTTPS and SSH use encryption while talking to each other
- Sniffing the data would be useless
- HTTPS is based on certificates that are sent to the computers
- This certificate is digitally signed by a trusted Certification Authority
- Your browser verifies this signature to make sure the server is trusted
- An SSL connection is then established
- SSH doesn't use certificates but employs similar techniques
It sounds secure, right?
- The connection is secure, but Dsniff exploits what happens before the connection
- The attacker runs a DNS spoof along with webmitm
- Webmitm proxies the connection:
  - establishes an HTTPS connection with the victim, sending the attacker's certificate to the user
  - establishes an HTTPS connection with the real server
- The victim gets an error message on the screen stating that the certificate is unrecognizable or not properly configured
- The victim can then click continue to establish a connection
- The victim then accesses the information they want, but the attacker sees everything that they type (HOWTO)
Anti-Sniffing
- Encrypt all crucial data that you are sending across a network
- Never telnet to firewalls, routers, sensitive servers, or Public Key Infrastructure
- If you get an error message from your SSH client or browser, investigate it
- If feasible, replace hubs with switches
- For very sensitive data, enable port-level security on your switches by configuring each switch port with the specific MAC of the computer using that switch port
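The fail-open behaviour described under Flooding Switches and the port-level security recommended in the last bullet, modelled in a small simulation. This is an added example, not code from the presentation or from dsniff; the Switch class, its capacity of 100 entries and the three-port scenario in simulate() are assumptions made for illustration.

```python
from collections import OrderedDict

class Switch:
    """Toy learning switch with a fixed-size CAM table (illustrative model, not any
    vendor's code). A full table evicts its oldest entry ("fails open"), which is
    what MAC flooding exploits; max_macs_per_port models port-level security."""

    def __init__(self, ports, capacity, max_macs_per_port=None):
        self.ports = set(ports)
        self.capacity = capacity
        self.max_macs_per_port = max_macs_per_port
        self.cam = OrderedDict()                   # mac -> port, oldest entry first
        self.macs_on_port = {p: set() for p in ports}
        self.disabled = set()                      # ports shut down by port security

    def _learn(self, mac, port):
        seen = self.macs_on_port[port]
        limit = self.max_macs_per_port
        if limit is not None and mac not in seen and len(seen) >= limit:
            self.disabled.add(port)                # violation: err-disable the port
            return
        if mac in self.cam:
            self.cam.move_to_end(mac)              # refresh an existing entry
            return
        if len(self.cam) >= self.capacity:         # table full: evict the oldest
            old_mac, old_port = self.cam.popitem(last=False)
            self.macs_on_port[old_port].discard(old_mac)
        self.cam[mac] = port
        seen.add(mac)

    def frame(self, src_mac, src_port, dst_mac):
        """Return the set of ports a frame is sent out of."""
        if src_port in self.disabled:
            return set()
        self._learn(src_mac, src_port)
        if src_port in self.disabled:              # this very frame tripped security
            return set()
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}             # known destination: unicast only
        return self.ports - {src_port}             # unknown: flooded like a hub

def simulate(max_macs_per_port=None, bogus=200):
    """Constructed scenario: user1 on port 1, server on port 2, attacker on port 3."""
    sw = Switch(ports=[1, 2, 3], capacity=100, max_macs_per_port=max_macs_per_port)
    sw.frame("user1", 1, "server")                 # both legitimate MACs get learned
    sw.frame("server", 2, "user1")
    for i in range(bogus):                         # flood of bogus source MACs
        sw.frame(f"bogus{i}", 3, "nobody")
    return sw.frame("user1", 1, "server")          # where does user1's data go now?
```

Without a per-port limit the flood evicts the server's entry and user1's frame is sent to the attacker's port as well; with a limit of one MAC per port the flooding port is shut down and the frame stays unicast.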
Defenses against DSniff
- Hardcode the MAC address of the gateway into servers
- Use a gateway switch that will not "fail open" (protects against MAC flooding)
- Use ARPWATCH to monitor MAC address mismatches
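An ARPWATCH-style check, added here as an example (not the arpwatch tool's own code and not from the presentation): it parses raw ARP frames and reports when an IP address that was bound to one MAC is suddenly claimed by another, which is what the gateway poisoning described above looks like on the wire. The frames and addresses in demo() are constructed sample data.

```python
import struct

ETH = struct.Struct("!6s6sH")          # Ethernet header: dst, src, ethertype (14 bytes)
ARP = struct.Struct("!HHBBH6s4s6s4s")  # IPv4-over-Ethernet ARP packet (28 bytes)
ETHERTYPE_ARP = 0x0806

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an IPv4 ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa)

class ArpWatch:
    """Remember the MAC each IP last claimed and report when that MAC changes."""
    def __init__(self):
        self.table = {}

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, mac, ip = parsed
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is not None and old != mac:
            return f"{ip} changed from {old} to {mac} (arp op {op})"
        return None

def build_arp(sha, spa, op=2, tha=b"\xff" * 6, tpa=b"\0" * 4):
    """Construct a test frame (sample data for this example, not captured traffic)."""
    return ETH.pack(tha, sha, ETHERTYPE_ARP) + ARP.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def demo():
    """Constructed scenario: the gateway 192.168.1.1 is claimed by a second MAC."""
    gw_ip = bytes([192, 168, 1, 1])
    real_gw, rogue = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    watch = ArpWatch()
    frames = [build_arp(real_gw, gw_ip), build_arp(real_gw, gw_ip), build_arp(rogue, gw_ip)]
    return [alert for alert in map(watch.observe, frames) if alert]
```

A real deployment would feed observe() from a capture socket and pair it with the hardcoded gateway MAC from the first bullet so the change is judged against a known-good value rather than just the previous one.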
IP Address Spoofing
- Three main flavors:
  - Simple Spoofing
  - Undermining Unix r-Commands
  - Spoofing with source routing
- Doesn't allow actions to be traced back to an IP
- Undermines applications that rely on IP addresses for authentication or filtering
Simple Spoofing
- Simply change the IP of your computer
  - Can be done with ifconfig in UNIX or under the network control panel in Windows
- Use a tool that generates packets with fake IP addresses
- The only problem is that the attacker can't establish a three-way handshake with the victim
Undermining UNIX r-Commands
- This targets UNIX trust relationships
- Trust relationships allow users to log onto one machine and then log into trusting machines without a password
- Use the:
  - rlogin (remote login)
  - rsh (remote shell)
  - rcp (remote copy)
- A computer can also be added to the trust relationship by editing the /etc/hosts.equiv or ~/.rhosts file
- Machine trust relies on the system's IP address
- The administrator can establish a hub and spoke relationship, logging onto one computer and then sending commands to multiple systems that trust it using the rsh tool
Hub and Spoke
(Diagram: Admin at the hub)
Exploiting Hub and Spoke Relationships
1. The attacker sends multiple TCP SYN packets to the computer to be attacked; this allows the attacker to guess future sequence numbers
2. The attacker launches a DoS attack on the trusted computer, so the computer is dead to the network
3. The attacker launches a connection with the victim using the trusted computer's IP address
4. The victim returns a SYN-ACK to the trusted computer, but no reply is sent because it was hit with a DoS attack
5. Using the sequence numbers gathered from step 1, the attacker sends ACK packets to the victim with a guessed sequence number, again spoofing the trusted machine's IP
Exploiting Hub and Spoke Relationships
- The attacker now has a connection with the victim's computer and can feed it commands
  - The attacker can't see the responses
  - The attacker can make the computer trust the attacker's computer or any computer on the network
  - The attacker can then log on directly to the victim, no spoofing required
Spoofing with Source Routing
- Source routing allows the attacker to specify a certain path the packet will take on the network
- "Loose source routing" allows the attacker to tell the computer some hops but not all
- The attacker sends source routed packets from a fake source IP to the victim
- These packets claim to be from a trusted computer
- They include the attacker's IP address as one of the hops
- When the victim's computer tries to establish a three-way handshake, the attacker intercepts the SYN-ACK and submits its own ACK
- An open connection has been established between the attacker and the victim; the attacker can view the responses from the victim
Defenses against IP Spoofing
- Make the initial sequence numbers generated by your TCP stack difficult to guess
  - apply the latest security patches
  - test predictability by scanning and trying to guess them yourself (Nmap can be helpful with this)
- Avoid using r-commands
  - Use SSH instead, or other secure programs
- Avoid setting up trust relationships on a network
- Avoid applications that validate based on IP address
  - authentication should be based on passwords and cryptography
  - use other techniques that tie the session to the user
- Use filters at the DMZ and gateways that drop source routed packets (both incoming and outgoing)
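One way to do the self-test suggested in the first bullet, added as an example (not nmap's algorithm and not code from the presentation): it scores a list of ISNs collected from your own server by the spread of their increments, so a fixed-step or clock-driven generator of the kind step 1 of the hub-and-spoke attack relies on stands out from a random one. The three sample sequences are constructed, and the 4-bit and 16-bit thresholds are assumptions chosen for illustration.

```python
import math
import random
from functools import reduce
from statistics import pstdev

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

def isn_deltas(isns):
    """Increments between consecutive ISNs, modulo the 32-bit sequence space."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]

def isn_uncertainty_bits(isns):
    """Rough 'bits of uncertainty' in the next ISN: log2 of the spread of the
    increments after dividing out any common step. A simplified heuristic in the
    spirit of nmap's sequence test, not nmap's exact index."""
    d = isn_deltas(isns)
    if len(d) < 2:
        raise ValueError("need at least three ISN samples")
    step = reduce(math.gcd, d)
    if step == 0:
        return 0.0  # every sample identical: fully predictable
    spread = pstdev([x // step for x in d])
    return math.log2(spread) if spread >= 1 else 0.0

def classify_isn(isns):
    bits = isn_uncertainty_bits(isns)
    if bits < 4:
        return "trivial"  # constant or fixed-step (e.g. +64000): the classic weak case
    if bits < 16:
        return "weak"     # e.g. clock-driven with jitter: narrows after sampling
    return "random"       # what a patched stack should look like

# Constructed sample sequences, not ISNs captured from real hosts.
def sample_fixed_step(n=20):
    return [(1000 + 64000 * i) % MOD for i in range(n)]

def sample_time_based(n=20, seed=1):
    rng = random.Random(seed)
    return [(128000 * i + rng.randrange(2000)) % MOD for i in range(n)]

def sample_random(n=20, seed=1):
    rng = random.Random(seed)
    return [rng.randrange(MOD) for _ in range(n)]
```

Feed classify_isn() the ISNs from a few dozen connections opened to the server under test; anything short of "random" is a reason to patch or reconfigure the stack before relying on any IP-based trust.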