
Sniffing, Spoofing, Hijacking


Presentation Transcript


  1. Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne

  2. Sniffing
  • Targets the Data Link layer of the protocol stack
  • Sniffer: gathers traffic off the network
  • This data can include user IDs and passwords transmitted by telnet, DNS queries and responses, sensitive emails, FTP passwords, etc.
  • Allows the attacker to read data passing a given machine in real time
  • Two types of sniffing: passive and active

  3. Sniffing
  Passive
  • Attacker must have an account (a foothold) on a machine on the LAN
  • Done over a hub, which repeats every frame out of every port
  • Usually, once access is gained on one computer, the attacker uses the sniffed passwords to get into other computers
  Active
  • Attacker still needs a foothold on the LAN, but the LAN is switched, so the traffic has to be redirected first
  • Several different attacks:
    - Parsing packets
    - Flooding (the switch's MAC table)
    - Spoofed ARP messages
    - DNS spoofing
    - HTTPS and SSH spoofing (man-in-the-middle)

  4. Passive Sniffing (diagram: user1, user2, Server and Bad guy all plugged into a HUB; the message "BLAH" appears on every port)
  • Message gets sent to all computers on the hub

  5. Active Sniffing (diagram: user1, user2, Server and Bad guy plugged into a Switch; the message "BLAH" reaches only user2)
  • Message gets sent only to the computer it is addressed to (the one that requested it); the switch decides by looking at the destination MAC address

  6. Dsniff
  • Offers several ways around a switch (its macof, arpspoof and dnsspoof tools)
  • Available for OpenBSD, Linux, Solaris, and there is a version for Windows
  • Very popular and versatile
  • In conjunction with sshmitm and webmitm, conducts all the attacks listed above

  7. Wireshark • Much better than dsniff, for packet capture, IMHO

  8. Flooding Switches
  • The switch stores MAC-address-to-port mappings locally (its CAM table) and forwards each frame only to the port where the destination MAC was learned
  • macof (part of dsniff) keeps sending the switch frames with bogus source MAC addresses
  • Eventually the switch's table fills; a switch that "fails open" loses the legitimate entries, can no longer look up where a destination lives, and floods frames out of every port, so it behaves like a hub
  • Then, just run any sniffer you want to get data from the network
  • Caveat: not every switch fails open; some stop learning once the table is full, or shut down a port that presents too many MACs, and the flood then buys the attacker nothing
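To make the fail-open behaviour concrete, here is an added example (not code from the slides or from dsniff) that models a learning switch with a bounded MAC table: a macof-style flood from one port evicts the legitimate entries, so a later server-to-user1 frame is flooded to every port, including the attacker's. The same model shows the two hardening options mentioned later in the deck, a switch that refuses to learn once its table is full and a per-port MAC limit that err-disables the offending port. The table size, port numbers and MAC addresses are assumptions.

```python
"""Model of a learning switch under a macof-style MAC flood.

Added example, not taken from the slides or from dsniff. Frames are
constructed in-line; the table size, port numbers and MAC addresses are
assumptions chosen for illustration.
"""
import os
from collections import OrderedDict
from typing import Optional, Union

FLOOD = "FLOOD"   # frame copied out of every port except the one it arrived on
DROP = "DROP"


def random_mac() -> str:
    """Random locally-administered unicast MAC, the kind a flooder generates."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE          # set the local bit, clear the multicast bit
    return ":".join(f"{x:02x}" for x in b)


class Switch:
    """Learning switch with a bounded CAM table (MAC -> port).

    fail_open=True   : when full, evict the oldest entry and keep learning
                       (legitimate hosts get evicted, their traffic floods)
    fail_open=False  : when full, stop learning; existing entries stay
    max_macs_per_port: port-security limit; exceeding it err-disables the port
    """

    def __init__(self, table_size: int, fail_open: bool = True,
                 max_macs_per_port: Optional[int] = None) -> None:
        self.table_size = table_size
        self.fail_open = fail_open
        self.max_macs_per_port = max_macs_per_port
        self.cam: "OrderedDict[str, int]" = OrderedDict()
        self.disabled_ports: set = set()

    def _learn(self, src: str, port: int) -> bool:
        if src in self.cam:
            self.cam.move_to_end(src)      # refresh the entry (aging not modelled further)
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.disabled_ports.add(port)   # port-security violation: shut the port
                return False
        if len(self.cam) < self.table_size:
            self.cam[src] = port
        elif self.fail_open:
            self.cam.popitem(last=False)   # evict the oldest entry (a legitimate host)
            self.cam[src] = port
        # fail-closed and full: the new MAC is simply not learned
        return True

    def forward(self, src: str, dst: str, in_port: int) -> Union[int, str]:
        """Return the egress port for a frame, FLOOD, or DROP."""
        if in_port in self.disabled_ports or not self._learn(src, in_port):
            return DROP
        out = self.cam.get(dst)
        return FLOOD if out is None else out


def mac_flood_demo(fail_open: bool = True,
                   max_macs_per_port: Optional[int] = None) -> Union[int, str]:
    """Where does a server->user1 frame go after the attacker floods the switch?"""
    user1, server = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed MACs
    user1_port, server_port, attacker_port = 1, 2, 3
    sw = Switch(table_size=8, fail_open=fail_open, max_macs_per_port=max_macs_per_port)
    # normal traffic: the switch learns user1 on port 1 and the server on port 2
    sw.forward(user1, server, user1_port)
    sw.forward(server, user1, server_port)
    # attacker on port 3 blasts frames with random source MACs (macof-style)
    for _ in range(1000):
        sw.forward(random_mac(), random_mac(), attacker_port)
    # the next frame from the server to user1: unicast to port 1, or flooded?
    return sw.forward(server, user1, server_port)


if __name__ == "__main__":
    print("fail-open switch         :", mac_flood_demo())                      # FLOOD
    print("fail-closed switch       :", mac_flood_demo(fail_open=False))       # 1
    print("port security, 1 MAC/port:", mac_flood_demo(max_macs_per_port=1))  # 1
```

Only the fail-open switch turns into a hub; the fail-closed one keeps its existing entries, and port security stops the flood at the first extra MAC on port 3.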

  9. Spoofing ARP Messages
  • Some switches are immune to MAC flooding
  • ARP maps an IP address to a MAC address; hosts fill their ARP cache from the replies they see on the LAN
  • Attacker looks at the network topology to find the IP of the default router
  • Attacker enables IP forwarding on their machine, so it passes packets on to the real default router instead of dropping them (otherwise the victim loses connectivity and notices)
  • Attacker runs dsniff (arpspoof) and poisons the ARP cache on the victim's computer, matching the attacker's MAC with the default router's IP
  • Victim sends its data to the "default router" (really the attacker)
  • Attacker sniffs the data, then forwards it to the real default router

  10. ARP Flooding (diagram of the ARP spoofing walk-through: user1, Bad guy and the Switch, with the outside world labelled "Scary place"; numbered steps)
  1. Fake ARP
  2. Innocent message
  3. Sniffing
  4. On its way

  11. DNS Spoofing
  • Similar to ARP spoofing
  • Instead of mapping a MAC to an IP, dsniff (dnsspoof) answers the victim's DNS query with the IP of an attacker's machine for the domain name the user is trying to access; the forged reply copies the query's transaction ID and question, so the victim accepts whichever answer arrives first
  • The new IP is a machine outside the network running a fake web page that mimics the actual web page
  • The user may enter a username and password, thinking the site is legitimate
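Added example (not from the slides or dsniff) showing what a dnsspoof-style reply has to look like: it carries the sniffed query's transaction ID and question, so the stub resolver's own checks pass and the forged answer wins if it arrives before the real one. The same checks reject a blind (off-path) forgery with a guessed ID. Domain, transaction ID and the attacker address 203.0.113.5 are constructed; the UDP-layer source address/port check is not modelled, and an on-path attacker spoofs those just as easily.

```python
"""dnsspoof-style forged DNS reply and the resolver-side checks it has to pass.

Added example, not from the slides or dsniff. The query, transaction ID and
the address 203.0.113.5 (the attacker's fake site) are constructed.
"""
import struct


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Return (name, offset after the name); follows compression pointers."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            ptr = ((length & 0x3F) << 8) | buf[off]
            off += 1
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            break
        labels.append(buf[off:off + length].decode())
        off += length
    return ".".join(labels), off


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query (flags 0x0100 = RD), one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes) -> dict:
    txid, flags = struct.unpack("!HH", pkt[:4])
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"txid": txid, "flags": flags, "name": name, "qtype": qtype, "qclass": qclass}


def forge_response(query_pkt: bytes, spoofed_ip: str, ttl: int = 60) -> bytes:
    """What an on-path attacker sends: same txid and question, answer = attacker's IP."""
    q = parse_query(query_pkt)
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = encode_name(q["name"]) + struct.pack("!HH", q["qtype"], q["qclass"])
    rdata = bytes(int(o) for o in spoofed_ip.split("."))
    # answer name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(pkt: bytes) -> dict:
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off, question, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        question.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                  # A record
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "flags": flags, "question": question, "answers": answers}


def accept_response(query_pkt: bytes, resp_pkt: bytes) -> str:
    """Checks a stub resolver applies before trusting a reply (RFC 5452 style)."""
    q, r = parse_query(query_pkt), parse_response(resp_pkt)
    if r["txid"] != q["txid"]:
        return "reject: transaction ID mismatch"
    if not r["flags"] & 0x8000:
        return "reject: QR bit not set"
    if r["question"] != [(q["name"], q["qtype"], q["qclass"])]:
        return "reject: question section does not match"
    return "accept"


def demo():
    query = build_query(0x1A2B, "www.example.com")
    on_path = forge_response(query, "203.0.113.5")     # attacker sniffed the real query
    blind = forge_response(build_query(0x0001, "www.example.com"), "203.0.113.5")  # guessed ID
    return accept_response(query, on_path), accept_response(query, blind), parse_response(on_path)["answers"]
```

The on-path forgery is accepted outright; the only thing dnsspoof still has to win is the race against the genuine server's answer.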

  12. Man/Monkey In The Middle! (diagram: User/target on one side, Attacker relaying traffic in the middle)

  13. MITM: Getting around HTTPS and SSH
  • Both HTTPS and SSH encrypt the traffic between client and server
  • Sniffing the encrypted data would be useless
  • HTTPS is based on certificates that the server sends to the client
  • The certificate is digitally signed by a trusted Certification Authority
  • Your browser verifies this signature (and that the name in the certificate matches the site) to make sure the server is trusted
  • An SSL connection is then established
  • SSH doesn't use certificates but employs a similar technique: the server presents its host key, and the client compares it with the key remembered from earlier connections (known_hosts)

  14. It sounds secure, right?
  • The connection is secure, but dsniff exploits what happens before the connection is established
  • Attacker runs a DNS spoof along with webmitm
  • webmitm proxies the connection:
    - establishes an HTTPS connection with the victim, sending the attacker's certificate to the user
    - establishes an HTTPS connection with the real server
  • The victim gets an error message on the screen stating that the certificate is unrecognized or not properly configured. The victim can then click "continue" to establish the connection
  • The victim then accesses the information they want, but the attacker sees everything they type (HOWTO)
  • The whole attack hinges on that click: the same holds for sshmitm, which only works if the user accepts an unknown or changed host key
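Added example (not from the slides or dsniff) modelling the SSH side of this: a trust-on-first-use known_hosts store with OpenSSH-style SHA256 fingerprints and hashed host entries. On a first contact the client can only warn, so an sshmitm key is accepted and remembered; on a later contact the changed key triggers the host-identification warning the next slide tells you to investigate. The host name and key blobs are constructed.

```python
"""Why sshmitm works on a first connection and trips a warning afterwards.

Added example, not from the slides or dsniff. The host name and host-key
blobs are constructed; the fingerprint and hashed-known_hosts formats
follow OpenSSH.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Tuple


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the wire-format key, base64 without '='."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_entry(host: str, salt: bytes) -> str:
    """HashKnownHosts format: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(entry: str, host: str) -> bool:
    if entry.startswith("|1|"):
        _, _, salt_b64, _ = entry.split("|", 3)
        return hmac.compare_digest(entry, hashed_host_entry(host, base64.b64decode(salt_b64)))
    return entry == host


class KnownHosts:
    """Trust-on-first-use host key store: one (host entry, fingerprint) per line."""

    def __init__(self) -> None:
        self.lines: List[Tuple[str, str]] = []

    def check(self, host: str, key_blob: bytes) -> str:
        fp = fingerprint(key_blob)
        known = [stored for entry, stored in self.lines if host_matches(entry, host)]
        if not known:
            # First contact: the client can only ask "Are you sure you want to continue?".
            # If a MITM is in place now, its key is the one that gets remembered.
            self.lines.append((hashed_host_entry(host, os.urandom(20)), fp))
            return "NEW_HOST"
        if fp in known:
            return "OK"
        return "CHANGED"   # "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!"


def ed25519_blob(public_key: bytes) -> bytes:
    """Wire format of an ssh-ed25519 public key: string "ssh-ed25519", string key."""
    return b"\x00\x00\x00\x0bssh-ed25519" + len(public_key).to_bytes(4, "big") + public_key


REAL_KEY = ed25519_blob(bytes(range(32)))        # constructed, not a real server key
MITM_KEY = ed25519_blob(bytes(range(32, 64)))    # constructed attacker key


def sshmitm_scenario() -> Tuple[str, str, str, str]:
    kh = KnownHosts()
    first = kh.check("server.example.edu", REAL_KEY)   # NEW_HOST: user says yes, key stored
    again = kh.check("server.example.edu", REAL_KEY)   # OK
    mitm = kh.check("server.example.edu", MITM_KEY)    # CHANGED: the warning to investigate
    fresh = KnownHosts().check("server.example.edu", MITM_KEY)  # NEW_HOST: sshmitm wins
    return first, again, mitm, fresh
```

The last case is the dangerous one: a client with no stored key for the host gets the same "new host" prompt whether it is talking to the real server or to sshmitm, and only an out-of-band fingerprint check tells them apart.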

  15. Anti-Sniffing
  • Encrypt all crucial data that you send across a network
  • Never telnet to firewalls, routers, sensitive servers, or Public Key Infrastructure
  • If you get an error message from your SSH client or browser, investigate it rather than clicking through; that warning is the only visible sign of the MITM attacks above
  • If feasible, replace hubs with switches (this stops passive sniffing only; the active attacks above work against switches)
  • For very sensitive data, enable port-level security on your switches by configuring each switch port with the specific MAC of the computer using that port

  16. Defenses against dsniff
  • Hard-code the MAC address of the gateway into servers (a static ARP entry that spoofed replies cannot overwrite)
  • Use a gateway switch that will not "fail open" when its MAC table fills (protects against MAC flooding)
  • Use arpwatch to monitor for IP-to-MAC mapping changes
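Added example (not from the slides, dsniff or arpwatch) covering both the ARP spoofing slides and the static-ARP and arpwatch defenses above: it builds real-format Ethernet/ARP frames, shows a victim cache that accepts the unsolicited "10.0.0.1 is-at attacker" reply and starts sending gateway-bound traffic to the attacker's MAC, and an arpwatch-style monitor that reports the changed mapping. All addresses are constructed; the victim model accepts any reply it sees (the behaviour arpspoof relies on; modern stacks are stricter about unsolicited replies), and the matching poison sent toward the gateway for the return path is not modelled.

```python
"""ARP cache poisoning as arpspoof does it, and an arpwatch-style detector.

Added example, not from the slides, dsniff or arpwatch. All addresses and
frames are constructed. The victim model accepts any ARP reply it sees,
which is the classic behaviour the attack relies on.
"""
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
              dst_mac: Optional[str] = None) -> bytes:
    """Ethernet II frame carrying an ARP request (op=1) or reply (op=2)."""
    eth = mac_bytes(dst_mac or target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet/IPv4, hlen 6, plen 4
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class VictimArpCache:
    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.static: set = set()

    def add_static(self, ip: str, mac: str) -> None:
        """The 'hard-code the gateway MAC' defense: a static entry can't be overwritten."""
        self.table[ip] = mac
        self.static.add(ip)

    def receive(self, frame: bytes) -> None:
        p = parse_arp(frame)
        if p and p["op"] == 2 and p["sender_ip"] not in self.static:
            self.table[p["sender_ip"]] = p["sender_mac"]   # trusts any reply, solicited or not

    def next_hop_mac(self, ip: str) -> Optional[str]:
        return self.table.get(ip)


class ArpWatcher:
    """Remembers ip -> mac for every ARP it sees and reports changes, like arpwatch."""

    def __init__(self) -> None:
        self.seen: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        p = parse_arp(frame)
        if not p:
            return
        ip, mac = p["sender_ip"], p["sender_mac"]
        old = self.seen.get(ip)
        if old is None:
            self.alerts.append(f"new station {ip} {mac}")
        elif old != mac:
            self.alerts.append(f"changed ethernet address {ip} {old} -> {mac}")
        self.seen[ip] = mac


GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:00:5e:00:53:01"     # constructed addresses
VICTIM_IP, VICTIM_MAC = "10.0.0.10", "00:00:5e:00:53:10"
ATTACKER_IP, ATTACKER_MAC = "10.0.0.66", "00:00:5e:00:53:66"


def arpspoof_scenario(static_gateway: bool = False):
    victim, watcher = VictimArpCache(), ArpWatcher()
    if static_gateway:
        victim.add_static(GATEWAY_IP, GATEWAY_MAC)
    # victim asks who has the gateway; the gateway answers honestly
    wire = [build_arp(1, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP, dst_mac=BROADCAST),
            build_arp(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)]
    for f in wire:
        victim.receive(f)
        watcher.observe(f)
    before = victim.next_hop_mac(GATEWAY_IP)
    # arpspoof: unsolicited reply "10.0.0.1 is-at <attacker MAC>" addressed to the victim
    poison = build_arp(2, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    victim.receive(poison)
    watcher.observe(poison)
    return before, victim.next_hop_mac(GATEWAY_IP), watcher.alerts
```

With the default cache the victim's next hop for the gateway flips to the attacker's MAC and the watcher's last alert records the change; with the static entry the cache is unchanged but the watcher still sees the spoofed reply on the wire.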

  17. IP Address Spoofing
  • Three main flavors:
    - Simple spoofing
    - Undermining UNIX r-commands
    - Spoofing with source routing
  • Prevents actions from being traced back to the attacker's real IP address
  • Undermines applications that rely on IP addresses for authentication or filtering

  18. Simple Spoofing
  • Simply change the IP address of your computer
  • Can be done with ifconfig in UNIX or under the network control panel in Windows
  • Or use a tool that generates packets with fake source IP addresses
  • The only problem: the attacker can't complete a three-way handshake with the victim, because the SYN-ACK goes to the spoofed address, not to the attacker

  19. Undermining UNIX r-Commands
  • This targets UNIX trust relationships
  • Trust relationships allow users to log onto one machine and then log into trusting machines without a password
  • Using:
    - rlogin (remote login)
    - rsh (remote shell)
    - rcp (remote copy)
  • A computer can be added to the trust relationship by editing /etc/hosts.equiv or ~/.rhosts
  • Whether a machine is trusted relies on the system's IP address (and the hostname resolved from it)
  • The administrator can establish a hub-and-spoke relationship, logging onto one computer and then sending commands to multiple systems that trust it using the rsh tool

  20. Hub and Spoke Trust (diagram: an Admin machine at the hub, with a Trust arrow out to each spoke system)

  21. Exploiting Hub-and-Spoke Relationships
  • Attacker sends multiple TCP SYN packets to the computer to be attacked; the initial sequence numbers in the returned SYN-ACKs let the attacker guess future sequence numbers
  • Attacker launches a DoS attack on the trusted computer, so that computer is dead to the network
  • Attacker opens a connection with the victim using the trusted computer's IP address as the source
  • The victim returns a SYN-ACK to the trusted computer, but no reply is sent because it was hit with the DoS attack (a live trusted host would answer the unexpected SYN-ACK with a RST and kill the spoofed connection)
  • Using the sequence numbers gathered in step 1, the attacker sends an ACK to the victim with the guessed sequence number, again spoofing the trusted machine's IP

  22. Exploiting Hub-and-Spoke Relationships
  • The attacker now has a connection with the victim's computer and can feed it commands (blindly: every packet still has to carry the right sequence number)
  • The attacker can't see the responses
  • The attacker can make the computer trust the attacker's computer or any computer on the network (e.g. by having the command append to ~/.rhosts)
  • The attacker can then log on directly to the victim, no spoofing required

  23. Defenses against IP Spoofing
  • Make the initial sequence numbers generated by your TCP stack difficult to guess
    - Apply the latest security patches
    - Test predictability by scanning and trying to guess them yourself (Nmap can be helpful with this: its OS detection reports a TCP sequence prediction difficulty)
  • Avoid using r-commands
    - Use SSH or other secure programs instead
  • Avoid setting up trust relationships on a network
  • Avoid applications that validate based on IP address
    - Authentication should be based on passwords and cryptography
    - Use other techniques that tie the session to the user
  • Use filters at the DMZ and gateways that drop source-routed packets (both incoming and outgoing)
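Added example (not from the slides) that runs the sequence-number attack from the two previous slides against two ISN generators: a constructed fixed-step generator standing in for the old predictable stacks (the step size is an assumption, not any vendor's constant), and one built the way RFC 6528 recommends (a 4 µs clock plus a keyed hash of the connection 4-tuple). The attacker samples ISNs with a few probe connections, extrapolates, spoofs a SYN from the trusted host and checks whether its blind ACK would carry the right number. Addresses, ports and the secret are assumptions.

```python
"""Blind TCP spoofing against predictable vs. randomised initial sequence numbers.

Added example, not from the slides. FixedStepISN is a constructed stand-in for
the old predictable stacks; RFC6528ISN follows the construction
ISN = M + F(localip, localport, remoteip, remoteport, secret). Addresses,
ports, the step size and the secret are constructed.
"""
import hashlib
import os
import struct
import time
from typing import Callable, List, Optional

MASK32 = 0xFFFFFFFF


class FixedStepISN:
    """Predictable: every new connection gets the previous ISN plus a constant."""

    def __init__(self, start: int = 0x1000, step: int = 64000) -> None:
        self.cur, self.step = start, step

    def next_isn(self, lip: str, lport: int, rip: str, rport: int) -> int:
        self.cur = (self.cur + self.step) & MASK32
        return self.cur


class RFC6528ISN:
    """ISN = M + F(4-tuple, secret): M is a 4 us clock, F a keyed hash (MD5 as the RFC suggests)."""

    def __init__(self, secret: Optional[bytes] = None,
                 clock: Optional[Callable[[], int]] = None) -> None:
        self.secret = secret or os.urandom(16)
        self.clock = clock or (lambda: int(time.monotonic() * 250_000) & MASK32)

    def next_isn(self, lip: str, lport: int, rip: str, rport: int) -> int:
        digest = hashlib.md5(self.secret + f"{lip}:{lport}>{rip}:{rport}".encode()).digest()
        f = struct.unpack("!I", digest[:4])[0]
        return (self.clock() + f) & MASK32


def predict_next(samples: List[int]) -> Optional[int]:
    """Attacker's guess: if consecutive ISNs differ by a constant, extrapolate once more."""
    deltas = {(b - a) & MASK32 for a, b in zip(samples, samples[1:])}
    if len(deltas) != 1:
        return None
    return (samples[-1] + deltas.pop()) & MASK32


def blind_spoof_attempt(gen, victim_ip: str = "10.0.0.5", trusted_ip: str = "10.0.0.9",
                        attacker_ip: str = "10.0.0.66", probes: int = 4) -> bool:
    """The steps from the slides, with the victim's rsh port (514) as the target service."""
    # 1. Probe connections from the attacker's own address: each SYN-ACK reveals an ISN.
    samples = [gen.next_isn(victim_ip, 514, attacker_ip, 40000 + i) for i in range(probes)]
    guess = predict_next(samples)
    # 2. The trusted host is knocked off the network (not modelled) so it can't RST.
    # 3. Spoofed SYN from trusted_ip: the SYN-ACK, and the real ISN, go to the trusted host.
    actual = gen.next_isn(victim_ip, 514, trusted_ip, 1023)
    # 4. The attacker's ACK must acknowledge actual+1; it only can if the guess was right.
    return guess is not None and ((guess + 1) & MASK32) == ((actual + 1) & MASK32)


def demo():
    predictable = blind_spoof_attempt(FixedStepISN())                                  # True
    hardened = blind_spoof_attempt(RFC6528ISN(secret=b"k" * 16, clock=lambda: 12345))  # False
    return predictable, hardened
```

Against the fixed-step generator four probes are enough; against the RFC 6528 generator the probes come from a different 4-tuple, so the hash term differs for every connection and the extrapolation has nothing to work with, which is what "make your initial sequence numbers difficult to guess" buys you.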
