820 likes | 830 Views
Explore network attacks such as sniffing, session hijacking, and IP address spoofing. Learn about tools like Wireshark, Snort, and Dsniff used by both attackers and administrators. Understand passive and active sniffing methods and how to detect and prevent these attacks.
E N D
Network Attacks Network Attacks 1
Topics • Sniffing • IP address spoofing • Session hijacking • Netcat • General-purpose network tool Network Attacks 2
Sniffing • Sniffer gathers traffic from LAN • Can see packets in real time • Usually, interface put in promiscuous mode • Gathers everything, regardless of IP address • Sniffer is useful for attacker • And useful for administrator • Sniffer can collect data such as … • ID/password sent over telnet, DNS, email messages, files sent over NFS, etc. Network Attacks 3
Sniffing • Attacker who has access to LAN can sniff packets • Usually requires admin/root privilege • Typically, use sniffer to gather pwds • Sniffing can be used in “island hopping” attack • Next slide Network Attacks 4
Island Hopping Attack Network Attacks 5
Sniffers • Freeware sniffers include • windump --- port of tcpdump • Snort --- sniffer/IDS • Wireshark (formerly, Ethereal) --- able to decode lots of protocols • Sniffit --- popular with attackers • Dsniff --- perhaps most powerful Network Attacks 6
Passive Sniffing Thru a Hub • Recall that hub broadcasts everything • Passive sniffer sees everything Network Attacks 7
Snort • Snort: open source, UNIX-based IDS • Started out as a sniffer • Still can serve as a capable sniffer • Why does sniffer-to-IDS make sense? • Snort not often used by attackers • Has more features than attacker needs Network Attacks 8
Sniffit • Sniffit popular with attackers • UNIX-based • Sniffit has “interactive mode” • Keeps track of individual sessions • Can view these as separate conversations Network Attacks 9
Sniffit Interactive Mode Network Attacks 10
Wireshark • Wireshark (formerly Ethereal) • Available for many platforms • Probably easiest sniffer to use, great UI, etc. • Wireshark is a “protocol genius” • Decodes every bit of packet • “Follow TCP stream” function • Select a TCP packet, view entire connection Network Attacks 11
Wireshark Network Attacks 12
Sniffer as Scanning Tool • Nmap, Nessus, etc., may be detected • Active • Sniffer is passive, so no such risk • What can be determined by sniffing? • May be able to ID OS (maybe even version of OS) • E.g., based on way connections are made Network Attacks 13
P0f2 • Tool to passively ID OS • Available for most platforms • To “fingerprint” OS’s network stack • Can also ID firewall, NAT, etc. • What info does it use? • TTL, IP ID, other? Network Attacks 14
P0f2 Network Attacks 15
Switch • Recall that switch does not broadcast Network Attacks 16
Active Sniffing • Sniffing thru a switch? • Switch limits what you see with sniffers such as Wireshark • May be able to “sniff” thru switch by inserting traffic • Dsniff and Ettercap Network Attacks 17
Dsniff • Developed by developer of FragRouter • Dsniff decodes lots application level protocols • FTP, telnet, POP,…, Napster, pcAnywhere • Makes it easy to find passwords • Dsniff also has active operations Network Attacks 18
Dsniff • Switch remembers MAC addresses • MAC address flooding • Dsniff sends packets with random spoofed MAC addresses • Switches address memory eventually exhausted • Then what does switch do? • It depends…, but some start acting like hubs • If so, then passive sniffing works Network Attacks 19
Dsniff • What to do if flooding fails? • ARP spoofing (ARP cache poisoning) • Attacker sets “IP forwarding” on his machine to default gateway (router) • Attacker poisons ARP cache so that he appears to be default gateway • Attacker see all traffic destined for outside world, and traffic still sent to default gateway Network Attacks 20
Default Router Network Attacks 21
Spoofed “Default Router” Network Attacks 22
Dsniff ARP Spoofing • How could this be detected? • What happens when packet sent from attacker to default gateway? • IP forwarding is “really simple routing” • So, TTL is decremented • Could be detected by, say, traceroute • How can attacker avoid this? Network Attacks 23
Ettercap • Ettercap uses method known as “port stealing” to sniff switched LAN • Sometimes, hard-coded MAC addresses • In such case, ARP poisoning not possible • Port stealing may be an option Network Attacks 24
Ettercap • Switch associates MAC addresses to each of its physical ports • Mapping created by examining packets • Ettercap floods LAN with frames • Attacker’s MAC address is destination • Source MAC address is victim machine (e.g., default gateway) • What does this accomplish? • Switch associates default gateway with its physical port on which attacker resides Network Attacks 25
Ettercap • Port stealing • So far… switch thinks default gateway on same physical port as attacker • Note: ARP tables on hosts not affected • Then attacker can sniff data intended for victim • How does attacker then get these packets to the default gateway? Network Attacks 26
Ettercap • So far… packets intended for gateway can be sniffed by attacker • How to get these packets to gateway? • Forward packets to switch with gateway’s MAC address? • That won’t work! Network Attacks 27
Ettercap • Attacker sends ARP request for IP address of gateway • When attacker sees response • Knows switch has also seen response • So what? • Now switch send data intended for gateway to the gateway • Attacker can then send buffered data • Brilliant! Network Attacks 28
Port Stealing Network Attacks 29
DNS Spoofing • Dsniff can send false DNS info • Used to redirect traffic • Victim tries to resolve name via DNS • Attacker sniffs DNS request • Attacker responds quickly with bogus IP • Victim goes to bogus address • Works provided bogus reply arrives first Network Attacks 30
DNS Spoofing Network Attacks 31
Sniffing SSL and SSH • Dsniff webmitm enables man-in-the-middle (MIM) attack • Send certificate signed by bogus “CA” • In SSL, browser warns use, and … • …warning is ignored • In SSH user is warned, and … • …warning is ignored Network Attacks 32
Sniffing SSL and SSH • Man-in-the-middle • Politically correct: “monkey-in-the-middle” Network Attacks 33
Simplified SSL Protocol Can we talk?, cipher list, RA • S is pre-master secret • K = h(S,RA,RB) • msgs = all previous messages • CLNT and SRVR are constants certificate, cipher, RB {S}Bob, E(h(msgs,CLNT,K),K) h(msgs,SRVR,K) Data protected with key K Bob Alice Network Attacks 34
SSL MiM Attack RA RA • Q: What prevents this MiM attack? • A: Bob’s certificate must be signed by a certificate authority (such as Verisign) • What does browser do if signature not valid? • What does user do if signature is not valid? certificateT, RB certificateB, RB {S1}Trudy,E(X1,K1) {S2}Bob,E(X2,K2) h(Y1,K1) h(Y2,K2) Trudy E(data,K1) E(data,K2) Alice Bob Network Attacks 35
Sniffing SSL Network Attacks 36
Firefox Certificate Warning Network Attacks 37
IE Certificate Warning Network Attacks 38
Webmitm Output Network Attacks 39
SSH Sniffing • SSH gives a warning too • Specifically mentions MiM attack • Still, it’s easy to ignore • Ettercap also does SSH MiM • But Ettercap is not really in the “middle” • It establishes key with client, then connects client to server using same key Network Attacks 40
Other Dsniff Features • Tcpkill --- kill active TCP connection • Tcpnice --- “shape traffic” using, e.g., ICMP source quench • Filesnarf --- grab NFS files • Mailsnarf --- grab email • Msgsnarf --- grab IM traffic • Urlsnarf --- grab URLs from HTTP traffic • Webspy --- view web pages victim views Network Attacks 41
Sniffing Defenses • Use secure protocols • SSL, SSH, SMIME, PGP, IPSec • Do not use telnet for sensitive info • Take certificate warnings seriously • Prefer switches to hubs • Hard code MAC addresses, if possible • Static ARP tables, where possible Network Attacks 42
Sniffing Defenses • Use tools to detect promiscuous mode • Ipconfig (UNIX), PromiscDetect (Windows) • Sentinel looks for anomalies on LAN that indicate sniffing • Send packet (ping, for example) with bogus destination MAC address • Any reply indicates sniffing • Also, some Windows-specific tools Network Attacks 43
IP Address Spoofing • IP Address Spoofing • Changing source IP address • Enables Trudy to… • Cover her tracks • Break applications that use IP address for authentication • Previous examples: Nmap, Dsniff, … Network Attacks 44
Simple Spoofing • Simply change the IP address • Ipconfig or Windows network Control Panel • Works when Trudy does not need response • DoS, for example • Tools for packet crafting • Hping2 • Nemesis • NetDude Network Attacks 45
Simple Spoofing • Limitations of simple spoofing • Trudy cannot easily interact with target • Spoofing TCP especially difficult • Interactive simple spoofing works if Trudy on same LAN as spoofed address Network Attacks 46
Simple Spoofing Network Attacks 47
Predicting Sequence Numbers • Not-so-simple spoofing… • Trusted machines often require no authentication beyond TCP connection • Trudy can pretend to be trusted machine by spoofing IP address • To establish connection, Trudy must predict initial sequence number Network Attacks 48
Not-So-Simple Spoofing Network Attacks 49
Not-So-Simple Spoofing • Note that… • Trudy must correctly guess ISNB • Trudy does not see responses (not a true interactive session) • Bob thinks packets came from Alice • Good attack for r-commands Network Attacks 50