Network Attacks. Topics: sniffing, IP address spoofing, session hijacking, Netcat (general-purpose network tool). Sniffing: sniffer gathers traffic from LAN; can see packets in real time; usually, interface put in promiscuous mode; gathers everything, regardless of IP address.
Network Attacks Network Attacks 1
Topics • Sniffing • IP address spoofing • Session hijacking • Netcat • General-purpose network tool
Sniffing • Sniffer gathers traffic from LAN • Can see packets in real time • Usually, interface put in promiscuous mode • Gathers everything, regardless of IP address • Sniffer is useful for attacker • And useful for administrator • Sniffer can collect data such as … • ID/password sent over telnet, DNS, email messages, files sent over NFS, etc.
Sniffing • Attacker who has access to LAN can sniff packets • Usually requires admin/root privilege • Typically, use sniffer to gather pwds • Sniffing can be used in “island hopping” attack • Next slide
Island Hopping Attack
Sniffers • Freeware sniffers include • windump --- port of tcpdump • Snort --- sniffer/IDS • Wireshark (formerly, Ethereal) --- able to decode lots of protocols • Sniffit --- popular with attackers • Dsniff --- perhaps most powerful
Passive Sniffing Thru a Hub • Recall that hub broadcasts everything • Passive sniffer sees everything
Snort • Snort: open source, UNIX-based IDS • Started out as a sniffer • Still can serve as a capable sniffer • Why does sniffer-to-IDS make sense? • Snort not often used by attackers • Has more features than attacker needs
Sniffit • Sniffit popular with attackers • UNIX-based • Sniffit has “interactive mode” • Keeps track of individual sessions • Can view these as separate conversations
Sniffit Interactive Mode
Wireshark • Wireshark (formerly Ethereal) • Available for many platforms • Probably easiest sniffer to use, great UI, etc. • Wireshark is a “protocol genius” • Decodes every bit of packet • “Follow TCP stream” function • Select a TCP packet, view entire connection
Wireshark
Sniffer as Scanning Tool • Nmap, Nessus, etc., may be detected • Active • Sniffer is passive, so no such risk • What can be determined by sniffing? • May be able to ID OS (maybe even version of OS) • E.g., based on way connections are made
P0f2 • Tool to passively ID OS • Available for most platforms • To “fingerprint” OS’s network stack • Can also ID firewall, NAT, etc. • What info does it use? • TTL, IP ID, other?
P0f2
Switch • Recall that switch does not broadcast
Active Sniffing • Sniffing thru a switch? • Switch limits what you see with sniffers such as Wireshark • May be able to “sniff” thru switch by inserting traffic • Dsniff and Ettercap
Dsniff • Developed by developer of FragRouter • Dsniff decodes lots of application-level protocols • FTP, telnet, POP,…, Napster, pcAnywhere • Makes it easy to find passwords • Dsniff also has active operations
Dsniff • Switch remembers MAC addresses • MAC address flooding • Dsniff sends packets with random spoofed MAC addresses • Switch’s address memory eventually exhausted • Then what does switch do? • It depends…, but some start acting like hubs • If so, then passive sniffing works
Dsniff • What to do if flooding fails? • ARP spoofing (ARP cache poisoning) • Attacker sets “IP forwarding” on his machine to default gateway (router) • Attacker poisons ARP cache so that he appears to be default gateway • Attacker sees all traffic destined for outside world, and traffic still sent to default gateway
Default Router
Spoofed “Default Router”
Dsniff ARP Spoofing • How could this be detected? • What happens when packet sent from attacker to default gateway? • IP forwarding is “really simple routing” • So, TTL is decremented • Could be detected by, say, traceroute • How can attacker avoid this?
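A complementary check to the traceroute idea on the slide above, written as an added example that is not part of the original slides: parse ARP payloads and flag an IP address whose MAC changes, or a MAC that claims several IP addresses. The addresses, packets and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_arp(payload: bytes):
    """Parse a 28-byte Ethernet/IPv4 ARP payload into (op, sender_mac, sender_ip)."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, payload[8:14].hex(":"), ".".join(map(str, payload[14:18]))

def watch(payloads, trusted=None):
    """Flag ARP claims that contradict a trusted or first-seen IP-to-MAC binding."""
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for payload in payloads:
        parsed = parse_arp(payload)
        if parsed is None:
            continue
        _op, mac, ip = parsed
        known = ip_to_mac.setdefault(ip, mac)   # first binding wins
        if known != mac:
            alerts.append(("ip-moved", ip, known, mac))
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(("mac-claims-many", mac, sorted(mac_to_ips[mac])))
    return alerts

def arp_reply(mac: str, ip: str) -> bytes:
    """Build a constructed ARP reply (op=2) for the sample data below."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + bytes.fromhex(mac.replace(":", ""))
            + bytes(map(int, ip.split("."))) + bytes(10))

# Constructed traffic: the gateway announces itself, then another host claims its IP.
SAMPLE = [
    arp_reply("00:11:22:33:44:01", "192.168.1.1"),
    arp_reply("00:11:22:33:44:50", "192.168.1.50"),
    arp_reply("00:11:22:33:44:50", "192.168.1.1"),
]

if __name__ == "__main__":
    for alert in watch(SAMPLE):
        print(alert)
```

Legitimate events such as a replaced network card or gateway failover also change a binding, so an alert is a lead to investigate; passing the static ARP entries as `trusted` removes the dependence on which claim was seen first.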
Ettercap • Ettercap uses method known as “port stealing” to sniff switched LAN • Sometimes, hard-coded MAC addresses • In such case, ARP poisoning not possible • Port stealing may be an option
Ettercap • Switch associates MAC addresses to each of its physical ports • Mapping created by examining packets • Ettercap floods LAN with frames • Attacker’s MAC address is destination • Source MAC address is victim machine (e.g., default gateway) • What does this accomplish? • Switch associates default gateway with its physical port on which attacker resides
Ettercap • Port stealing • So far… switch thinks default gateway on same physical port as attacker • Note: ARP tables on hosts not affected • Then attacker can sniff data intended for victim • How does attacker then get these packets to the default gateway?
Ettercap • So far… packets intended for gateway can be sniffed by attacker • How to get these packets to gateway? • Forward packets to switch with gateway’s MAC address? • That won’t work!
Ettercap • Attacker sends ARP request for IP address of gateway • When attacker sees response • Knows switch has also seen response • So what? • Now switch sends data intended for gateway to the gateway • Attacker can then send buffered data • Brilliant!
Port Stealing
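Both switch attacks described above (MAC address flooding and port stealing) leave a trace in what the switch learns. The following added example, which is not part of the original slides, scans MAC-learning events for a port that suddenly sources many addresses and for an address that keeps moving between ports. The event format, thresholds and sample data are assumptions made for illustration.

```python
from collections import defaultdict, deque

def analyze(events, max_macs_per_port=3, window=10.0, flap_limit=2):
    """events: (ts, port, src_mac) tuples in time order. Returns a list of alerts."""
    seen_on_port = defaultdict(dict)   # port -> {mac: last time seen as source}
    location = {}                      # mac -> port where it was last learned
    moves = defaultdict(deque)         # mac -> timestamps of recent port changes
    alerts, flagged = [], set()
    for ts, port, mac in events:
        macs = seen_on_port[port]
        macs[mac] = ts
        for old in [m for m, t in macs.items() if ts - t > window]:
            del macs[old]              # age out entries, as a switch table does
        # Flooding: one port sources more addresses than any real host would.
        if len(macs) > max_macs_per_port and ("flood", port) not in flagged:
            flagged.add(("flood", port))
            alerts.append(("mac-flood", port, len(macs)))
        # Port stealing: the same address alternates between two ports.
        prev = location.get(mac)
        if prev is not None and prev != port:
            q = moves[mac]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= flap_limit and ("flap", mac) not in flagged:
                flagged.add(("flap", mac))
                alerts.append(("mac-flap", mac, sorted({prev, port})))
        location[mac] = port
    return alerts

GATEWAY = "aa:00:00:00:00:01"          # constructed address
# Constructed events: the gateway's MAC alternates between port 1 (its real port)
# and port 7, then port 5 sources five new addresses within 50 ms.
SAMPLE = [
    (0.0, 1, GATEWAY),
    (0.1, 2, "aa:00:00:00:00:02"),
    (1.0, 7, GATEWAY),
    (1.2, 1, GATEWAY),
    (1.4, 7, GATEWAY),
] + [(2.0 + i * 0.01, 5, f"02:00:00:00:00:{i:02x}") for i in range(5)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

The per-port limit corresponds to the defense of restricting how many addresses a switch will learn on an access port; a host that legitimately moves between ports produces a single move, which stays under `flap_limit`.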
DNS Spoofing • Dsniff can send false DNS info • Used to redirect traffic • Victim tries to resolve name via DNS • Attacker sniffs DNS request • Attacker responds quickly with bogus IP • Victim goes to bogus address • Works provided bogus reply arrives first
DNS Spoofing
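Because the bogus reply only has to arrive first, the genuine reply usually still shows up a moment later. The following added example (not part of the original slides) looks for that signature: two responses to the same client, transaction ID and name that carry different answers. Packet contents, addresses and function names are constructed, and the parser assumes an uncompressed question name.

```python
import struct

def parse_response(pkt: bytes):
    """Return (txid, qname, answer_bytes) for a single-question DNS response, else None."""
    try:
        txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
        if not flags & 0x8000 or qdcount != 1:       # QR bit clear means a query
            return None
        labels, i = [], 12
        while pkt[i]:
            labels.append(pkt[i + 1:i + 1 + pkt[i]].decode("ascii").lower())
            i += 1 + pkt[i]
        return txid, ".".join(labels), pkt[i + 5:]   # skip root label, QTYPE, QCLASS
    except (struct.error, IndexError, UnicodeDecodeError):
        return None

def find_conflicts(responses, window_ms=2000):
    """responses: (ts_ms, client_ip, raw_dns). Flag differing answers to one query."""
    first, alerts = {}, []
    for ts, client, raw in responses:
        parsed = parse_response(raw)
        if parsed is None:
            continue
        txid, qname, answer = parsed
        key = (client, txid, qname)
        seen = first.get(key)
        if seen is None or ts - seen[0] > window_ms:
            first[key] = (ts, answer)                # remember the first reply
        elif seen[1] != answer:
            alerts.append((client, qname, txid, ts - seen[0]))
    return alerts

def response(txid, name, ip):
    """Build a constructed A-record response for the sample data."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    q += struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, ip.split(".")))
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + q + rr

# Constructed capture: two different answers to one query arrive 30 ms apart.
SAMPLE = [
    (10000, "10.0.0.5", response(0x1A2B, "www.example.com", "203.0.113.66")),
    (10030, "10.0.0.5", response(0x1A2B, "www.example.com", "192.0.2.10")),
    (11000, "10.0.0.6", response(0x0001, "mail.example.com", "192.0.2.25")),
]

if __name__ == "__main__":
    print(find_conflicts(SAMPLE))
```

The check does not say which of the two answers is genuine, and it only works where the monitor sees both replies.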
Sniffing SSL and SSH • Dsniff webmitm enables man-in-the-middle (MIM) attack • Send certificate signed by bogus “CA” • In SSL, browser warns user, and … • …warning is ignored • In SSH user is warned, and … • …warning is ignored
Sniffing SSL and SSH • Man-in-the-middle • Politically correct: “monkey-in-the-middle”
Simplified SSL Protocol • Alice → Bob: Can we talk?, cipher list, RA • Bob → Alice: certificate, cipher, RB • Alice → Bob: {S}Bob, E(h(msgs,CLNT,K),K) • Bob → Alice: h(msgs,SRVR,K) • Alice ↔ Bob: Data protected with key K • S is pre-master secret • K = h(S,RA,RB) • msgs = all previous messages • CLNT and SRVR are constants
SSL MiM Attack • Alice → Trudy: RA • Trudy → Bob: RA • Bob → Trudy: certificateB, RB • Trudy → Alice: certificateT, RB • Alice → Trudy: {S1}Trudy, E(X1,K1) • Trudy → Bob: {S2}Bob, E(X2,K2) • Trudy → Alice: h(Y1,K1) • Bob → Trudy: h(Y2,K2) • Alice ↔ Trudy: E(data,K1) • Trudy ↔ Bob: E(data,K2) • Q: What prevents this MiM attack? • A: Bob’s certificate must be signed by a certificate authority (such as Verisign) • What does browser do if signature not valid? • What does user do if signature is not valid?
Sniffing SSL
Firefox Certificate Warning
IE Certificate Warning
Webmitm Output
SSH Sniffing • SSH gives a warning too • Specifically mentions MiM attack • Still, it’s easy to ignore • Ettercap also does SSH MiM • But Ettercap is not really in the “middle” • It establishes key with client, then connects client to server using same key
Other Dsniff Features • Tcpkill --- kill active TCP connection • Tcpnice --- “shape traffic” using, e.g., ICMP source quench • Filesnarf --- grab NFS files • Mailsnarf --- grab email • Msgsnarf --- grab IM traffic • Urlsnarf --- grab URLs from HTTP traffic • Webspy --- view web pages victim views
Sniffing Defenses • Use secure protocols • SSL, SSH, SMIME, PGP, IPSec • Do not use telnet for sensitive info • Take certificate warnings seriously • Prefer switches to hubs • Hard code MAC addresses, if possible • Static ARP tables, where possible
Sniffing Defenses • Use tools to detect promiscuous mode • Ifconfig (UNIX), PromiscDetect (Windows) • Sentinel looks for anomalies on LAN that indicate sniffing • Send packet (ping, for example) with bogus destination MAC address • Any reply indicates sniffing • Also, some Windows-specific tools
IP Address Spoofing • IP Address Spoofing • Changing source IP address • Enables Trudy to… • Cover her tracks • Break applications that use IP address for authentication • Previous examples: Nmap, Dsniff, …
Simple Spoofing • Simply change the IP address • Ifconfig or Windows network Control Panel • Works when Trudy does not need response • DoS, for example • Tools for packet crafting • Hping2 • Nemesis • NetDude
Simple Spoofing • Limitations of simple spoofing • Trudy cannot easily interact with target • Spoofing TCP especially difficult • Interactive simple spoofing works if Trudy on same LAN as spoofed address
Simple Spoofing
Predicting Sequence Numbers • Not-so-simple spoofing… • Trusted machines often require no authentication beyond TCP connection • Trudy can pretend to be trusted machine by spoofing IP address • To establish connection, Trudy must predict initial sequence number
Not-So-Simple Spoofing
Not-So-Simple Spoofing • Note that… • Trudy must correctly guess ISNB • Trudy does not see responses (not a true interactive session) • Bob thinks packets came from Alice • Good attack for r-commands
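Whether ISNB can be guessed depends on how Bob generates it. The following added example (not part of the original slides) compares a constructed fixed-increment generator with the per-connection scheme of RFC 6528, ISN = M + F(connection 4-tuple, secret), and checks whether the ISNs one peer observes reveal the ISN issued to another peer. Class names, addresses and the use of HMAC-SHA-256 as F are choices made for this illustration.

```python
import hashlib
import hmac
import os
import struct

class LegacyISN:
    """Constructed legacy-style generator: one global counter, fixed step per connection."""
    def __init__(self, start=1000, step=64000):
        self.next, self.step = start, step

    def isn(self, four_tuple, now_us):
        value, self.next = self.next, (self.next + self.step) % 2**32
        return value

class KeyedISN:
    """RFC 6528 style: ISN = M + F(4-tuple, secret), with M a 4-microsecond clock."""
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)

    def isn(self, four_tuple, now_us):
        mac = hmac.new(self.secret, repr(four_tuple).encode(), hashlib.sha256).digest()
        offset = struct.unpack("!I", mac[:4])[0]     # F truncated to 32 bits
        return (now_us // 4 + offset) % 2**32

def predictable_across_peers(gen):
    """True if two ISNs seen by one peer reveal the ISN handed to a different peer."""
    # 4-tuples are (remote ip, remote port, local ip, local port); all values constructed.
    observer = ("198.51.100.7", 40000, "192.0.2.10", 514)
    trusted = ("192.0.2.20", 1023, "192.0.2.10", 514)
    a = gen.isn(observer, 1_000_000)
    b = gen.isn(observer, 1_000_400)
    guess = (b + (b - a)) % 2**32                    # extrapolate the observed step
    return guess == gen.isn(trusted, 1_000_800)

if __name__ == "__main__":
    print("legacy counter predictable:", predictable_across_peers(LegacyISN()))
    print("keyed per-tuple predictable:", predictable_across_peers(KeyedISN()))
```

With the keyed scheme the clock term still advances predictably, so the protection comes entirely from the secret offset being different for every 4-tuple.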