330 likes | 513 Views
Address Spoofing and Denial of Service. Agenda Mac Modification Address Resolution Protocol Trickery IP address spoofing TCP session Hijacking Domain Name Spoofing Email Spoofing (not in lab) Denial of Service. IP Spoofing and Denial of Service Lab Exercises.
E N D
Address Spoofing and Denial of Service • Agenda • Mac Modification • Address Resolution Protocol Trickery • IP address spoofing • TCP session Hijacking • Domain Name Spoofing • Email Spoofing (not in lab) • Denial of Service ECE 4112 - Internetwork Security
IP Spoofing and Denial of Service Lab Exercises Medium Access Control Address Spoofing Windows XP MAC modification Linux MAC modification IP Spoofing From Windows wINJECT From Linux fraggle.c Domain Name System Spoofing dsniff tool Denial of Service datapool tool synful teardrop udpflood ECE 4112 - Internetwork Security
The Ethernet Frame - IEEE 802.3 • Destination and Source MAC Addresses are modified for spoofing. ECE 4112 - Internetwork Security
MAC modification/Spoofing • Change the MAC on a Host (Cloning) • Linux (ifconfig) • Windows Network Settings • Creating Link Layer Packets (Spoofing) • libnet (API) • Linkcat (tool – netcat for link layer) ECE 4112 - Internetwork Security
Modifying Windows XP Network Interface ECE 4112 - Internetwork Security
Modifying Windows XP Network Interface (continued) ECE 4112 - Internetwork Security
Modifying Linux Network Interface ECE 4112 - Internetwork Security
Address Resolution Protocol (ARP) • Method to finding a host's Ethernet address • Broadcast message looking for the IP address • Hosts maintain a cache to avoid frequent requests ECE 4112 - Internetwork Security
ARP Cache Poisoning • Man in the Middle (MiM) Attack • Session Stealing • Packet/Data Injection • Beat the Switch • Making a Switch into a Hub ECE 4112 - Internetwork Security
Arpspoof Example ECE 4112 - Internetwork Security
Network and Transport Layers • Internet Protocol (IP) • Internet Control Message Protocol (ICMP) • Transmission Control Protocol (TCP) • User Data Protocol • TCP Session Hijacking ECE 4112 - Internetwork Security
version IHL Type of Service Total length Identification DF DF MF Fragment offset Time to live Protocol Header checksum Source address Destination address Options (0 or more words) Internet Protocol (IP) • IP provides a best-effort way to route datagrams from source to destination • Source address, destination address: network number and host number • IP spoofing: change or disguise source address ECE 4112 - Internetwork Security
IP Spoofing • Non-blind attacks • Attacker and target on same subnet • Reply traffic can be sniffed • Blind attacks • Attacker and target on different subnets • Reply traffic cannot be seen by attacker • Attacker must be able to predict replies ECE 4112 - Internetwork Security
IP Spoofing • Attacks made possible by IP spoofing include • Denial of Service (DOS) • Session Hijacking • Man in the Middle • To take over a TCP stream, sequence and acknowledgement numbers must be sniffed or predicted. ECE 4112 - Internetwork Security
Source port Destination port Sequence number Acknowledgement number TCP HL URG ACK PSH RST SYN FIN Window size Checksum Urgent pointer Options (0 or more 32-bit words) Data (Optional) Transmission Control Protocol (TCP) • Source and Destination Ports • Sequence and Acknowledgement number • Reliability Checksum (not tamperproof) ECE 4112 - Internetwork Security
Transmission Control Protocol (TCP) • Packet Types • URG - Urgent • ACK - Acknowledge • PSH - Push • RST - Reset • SYN - Synchronize can flood a server • FIN - Finish ECE 4112 - Internetwork Security
Host 1 Host 2 SYN (SEQ=x) SYN (SEQ=y, ACK=x+1) (SEQ=x+1, ACK=y+1) Transmission Control Protocol (TCP) (4) • TCP connection initiation • Three-way handshake ECE 4112 - Internetwork Security
Session Hijacking • Session hijacking attacks: based on sniffing and IP spoofing • Attacker monitors packets between Alice and Bob • Attacker injects spoofed traffic with a source IP address of Alice Alice telnet Alice Bob network “Hi, I am Alice” Attacker ECE 4112 - Internetwork Security
DNS Spoofing • Causes name resolution to result in an • incorrect IP address • In our lab, use tool dsniff to accomplish ECE 4112 - Internetwork Security
DSniff • Collection of tools for network auditing and penetration testing. • Tools included • ArpSpoof • DNSspoof • Dsniff • Filesnarf • Macof ECE 4112 - Internetwork Security
DSniff • Mailsnarf • Msgsnarf • TCPKill • TCPnice • URLSnarf • WebSpy • SSHMITM • WebMITM ECE 4112 - Internetwork Security
DSniff • All kinds of attacks can be run. E.g. – • Password Sniffing • Message and File Capture • URL Capture • Man-In-The-Middle • Lab exercises • DNS Spoofing ECE 4112 - Internetwork Security
Email Spoofing • Email spoofing is effective because most people don’t have time to double check their headers all the time. • An email’s true origin can be further obfuscated by forging extra “Received:” lines. • To force a verification, email can be cryptographically signed. ECE 4112 - Internetwork Security
Email Spoofing • Email spoofing is a form of social engineering. • Email spoofing is also used by spammers to make it more difficult to track them. • A forged email can be detected by close inspection of its headers. • Login to SMTP (port 25) is unauthenticated, so anyone can log in and send mail. ECE 4112 - Internetwork Security
Email Spoofing (Not in Lab Assignment) • telnet mail.xyz.gatech.edu 25 • 220 sark.xyz.gatech.edu ESMTP Sendmail 8.12.10/8.12.8; • Mon, 1 Dec 2003 040500 (EST) • HELO abc4883.com • 250 sark.xyz.gatech.edu Hello ece-237-37.abc.gatech.edu • [130.207.237.37], pleased to meet you • MAIL FROM: <fake@abc4883.com> • 250 2.1.0 <fake@abc4883.com>... Sender ok • RCPT TO: <gotcha@abc.gatech.edu> • 250 2.1.5 <gotcha@abc.gatech.edu>... Recipient ok • DATA • 354 Enter mail, end with "." on a line by itself • Greetings from abc4883! • . • 250 2.0.0 hAUMOh6c005386 Message accepted for delivery • QUIT • 221 2.0.0 sark.xyz.gatech.edu closing connection ECE 4112 - Internetwork Security
Raw Sockets • Allows the application to directly access the Network Access Layer (TCP/IP model) • Develop new or build upon existing protocols • Programming difference: • socket( sockfd, SOCK_RAW, IPPROTO_TCP); • Manually build the necessary headers • Requires super user access • Not implemented the same across all platforms ECE 4112 - Internetwork Security
libnet • Raw Sockets and Link Layer facilities • Simplifies packet injection programming • libnet_build_ipv4( packet_length, type_of_service, identity, fragment, time-to-live, protocol, checksum, source_port, destination_port, payload, payload_size, libnet, ptag) • libnet_autobuild_ipv4( packet_length, protocol, destination_port, libnet); • Allows for prebuilding streams of packets • Efficient mechanism for packet injection • Portable solution for packet injection ECE 4112 - Internetwork Security
Denial of Service • Denial of Service • Easy to mount – script kiddies • Requires few computing resources • Most common attack – deadly results • Comes in various forms. E.g. – • Buffer Overflow Attack • Teardrop Attack • Syn Flood • Smurf Attack ECE 4112 - Internetwork Security
Internet Control Message Protocol (ICMP) • ICMP is used to test the Internet. • Each ICMP message type is encapsulated in an IP packet. ECE 4112 - Internetwork Security
Denial of Service • Buffer Overflow • Send more data than allotted buffer space. E.g. – More than 256 chars in email from field. • Tear Drop • Takes advantage of IP Fragmentation. • Syn Flood • Flood target with connection requests. • Smurf • ICMP echo requests with spoofed IP. ECE 4112 - Internetwork Security
Denial of Service • Tool to be used in lab – Datapool • Customizable script with capabilities to run 106 different DoS attacks (including ones discussed)! • Can run attacks against multiple IPs and learns about vulnerabilities of each. • IPSpoofing used to disguise source of attack. ECE 4112 - Internetwork Security
References WWW • OSI Model: RAD Data Communications • libnet (packetfactory.net) • Raw Socket Programming (mixter.void.ru) • Paketto (www.doxpara.com/paketto) • Dsniff (naughty.monkey.org/~dugsong/dsniff) ECE 4112 - Internetwork Security
References Books • Computer Networks Third Edition, Andrew Tanenbaum, Prentice-Hall1996. • Counter Hack. Ed Skoudis, Prentice-Hall 2002. • TCP/IP Illustrated, Volume 1. W. Richard Stevens, Addison-Wesley1994. ECE 4112 - Internetwork Security