Network Attacks.
Network Attacks

Topics
- Sniffing
- IP address spoofing
- Session hijacking
- Netcat: general-purpose network tool

Sniffing
- Sniffer gathers traffic from LAN
  - Can see packets in real time
- Usually, interface put in promiscuous mode
  - Gathers everything, regardless of IP address
- Sniffer is useful for attacker, and useful for administrator
- Sniffer can collect data such as ID/password sent over telnet, DNS, email messages, files sent over NFS, etc.

Sniffing
- Attacker who has access to LAN can sniff packets
  - Usually requires admin/root privilege
- Typically, use sniffer to gather passwords
- Sniffing can be used in "island hopping" attack (next slide)

Island Hopping Attack (figure-only slide)

Sniffers
- Freeware sniffers include:
  - windump --- port of tcpdump
  - Snort --- sniffer/IDS
  - Wireshark (formerly Ethereal) --- able to decode lots of protocols
  - Sniffit --- popular with attackers
  - Dsniff --- perhaps most powerful

Passive Sniffing Thru a Hub
- Recall that hub broadcasts everything
- Passive sniffer sees everything

Snort
- Snort: open source, UNIX-based IDS
- Started out as a sniffer
  - Still can serve as a capable sniffer
- Why does sniffer-to-IDS make sense?
- Snort not often used by attackers
  - Has more features than attacker needs

Sniffit
- Sniffit popular with attackers
- UNIX-based
- Sniffit has "interactive mode"
  - Keeps track of individual sessions
  - Can view these as separate conversations

Sniffit Interactive Mode (figure-only slide)

Wireshark
- Wireshark (formerly Ethereal)
- Available for many platforms
- Probably easiest sniffer to use, great UI, etc.
- Wireshark is a "protocol genius"
  - Decodes every bit of packet
- "Follow TCP stream" function
  - Select a TCP packet, view entire connection

Wireshark (figure-only slide)

Sniffer as Scanning Tool
- Active scanners such as Nmap, Nessus, etc., may be detected
- Sniffer is passive, so no such risk
- What can be determined by sniffing?
  - May be able to ID OS (maybe even version of OS)
  - E.g., based on way connections are made

P0f2
- Tool to passively ID OS
- Available for most platforms
- To "fingerprint" OS's network stack
  - Can also ID firewall, NAT, etc.
- What info does it use?
  - TTL, IP ID, other?

P0f2 (figure-only slide)

Switch
- Recall that switch does not broadcast

Active Sniffing
- Sniffing thru a switch?
- Switch limits what you see with sniffers such as Wireshark
- May be able to "sniff" thru switch by inserting traffic
  - Dsniff and Ettercap

Dsniff
- Developed by developer of FragRouter
- Dsniff decodes lots of application-level protocols
  - FTP, telnet, POP, ..., Napster, pcAnywhere
  - Makes it easy to find passwords
- Dsniff also has active operations

Dsniff
- Switch remembers MAC addresses
- MAC address flooding
  - Dsniff sends packets with random spoofed MAC addresses
  - Switch's address memory eventually exhausted
- Then what does switch do?
  - It depends..., but some start acting like hubs
  - If so, then passive sniffing works

Dsniff
- What to do if flooding fails?
- ARP spoofing (ARP cache poisoning)
  - Attacker sets "IP forwarding" on his machine to default gateway (router)
  - Attacker poisons ARP cache so that he appears to be default gateway
  - Attacker sees all traffic destined for outside world, and traffic is still sent on to default gateway

Default Router (figure-only slide)

Spoofed "Default Router" (figure-only slide)

Dsniff ARP Spoofing
- How could this be detected?
- What happens when packet sent from attacker to default gateway?
  - IP forwarding is "really simple routing"
  - So, TTL is decremented
  - Could be detected by, say, traceroute
- How can attacker avoid this?
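The two detection angles on these slides are the extra hop that traceroute reveals and a host-side check of who is claiming to be the gateway. The second is easy to automate. The script below is an added example (not from the slides, and not part of Dsniff or any other tool named here): it reads tcpdump-style ARP reply lines and raises an alert when an IP address starts answering from a different MAC, when a reply contradicts a static entry you trust (the "static ARP tables" defense from later in the deck), or when one MAC claims more than one IP. The capture lines are constructed for the example.

```python
"""Added example (not from the slides): detect ARP cache poisoning from
tcpdump-style ARP reply lines."""
import re
from collections import defaultdict

# Matches tcpdump's "ARP, Reply <ip> is-at <mac>" output.
ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

# Constructed sample capture: in the last line the gateway (192.168.1.1)
# suddenly answers from the MAC that 192.168.1.50 used a moment earlier.
SAMPLE_LINES = [
    "12:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28",
    "12:00:02.000000 ARP, Reply 192.168.1.50 is-at 00:11:22:33:44:50, length 28",
    "12:00:02.500000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28",
    "12:00:03.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:50, length 28",
]


def parse_arp_replies(lines):
    """Yield (ip, mac) for every ARP reply line; other lines are ignored."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def detect_arp_poisoning(lines, static_entries=None):
    """Return a list of (kind, ip, mac) alerts.

    static_entries: optional {ip: mac} known to be correct (e.g. the gateway);
    a reply contradicting it is reported as 'static-mismatch'.
    A learned mapping that changes is reported as 'mac-changed', and a MAC
    that claims a second IP is reported once as 'multi-ip-mac'.
    """
    static_entries = {ip: mac.lower() for ip, mac in (static_entries or {}).items()}
    ip_to_mac = dict(static_entries)          # current IP -> MAC view
    mac_to_ips = defaultdict(set)             # reverse view, MAC -> {IPs}
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    reported_macs = set()
    alerts = []
    for ip, mac in parse_arp_replies(lines):
        if ip in static_entries and static_entries[ip] != mac:
            alerts.append(("static-mismatch", ip, mac))
        elif ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append(("mac-changed", ip, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in reported_macs:
            reported_macs.add(mac)
            alerts.append(("multi-ip-mac", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_LINES):
        print(*alert)
```

The third sample line is a benign re-announcement of the same mapping and produces nothing; only the change in the fourth line fires. Passing `static_entries={"192.168.1.1": "00:11:22:33:44:01"}` turns that same event into a `static-mismatch`, which is the signal a pinned gateway entry gives you. A sensor that sees both the forwarded copy and the original will also notice the TTL one lower than expected, which is the traceroute observation on the slide.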

Ettercap
- Ettercap uses method known as "port stealing" to sniff switched LAN
- Sometimes, hard-coded MAC addresses
  - In such case, ARP poisoning not possible
  - Port stealing may be an option

Ettercap
- Switch associates MAC addresses to each of its physical ports
  - Mapping created by examining packets
- Ettercap floods LAN with frames
  - Attacker's MAC address is destination
  - Source MAC address is victim machine (e.g., default gateway)
- What does this accomplish?
  - Switch associates default gateway with the physical port on which attacker resides

Ettercap
- Port stealing
- So far... switch thinks default gateway on same physical port as attacker
  - Note: ARP tables on hosts not affected
- Then attacker can sniff data intended for victim
- How does attacker then get these packets to the default gateway?

Ettercap
- So far... packets intended for gateway can be sniffed by attacker
- How to get these packets to gateway?
  - Forward packets to switch with gateway's MAC address?
  - That won't work!

Ettercap
- Attacker sends ARP request for IP address of gateway
- When attacker sees response
  - Knows switch has also seen response
- So what?
  - Now switch sends data intended for gateway to the gateway
  - Attacker can then send buffered data
- Brilliant!

Port Stealing (figure-only slide)

DNS Spoofing
- Dsniff can send false DNS info
  - Used to redirect traffic
- Victim tries to resolve name via DNS
- Attacker sniffs DNS request
- Attacker responds quickly with bogus IP
- Victim goes to bogus address
- Works provided bogus reply arrives first
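Because the attack only works if the bogus reply arrives first, the legitimate reply still shows up a moment later, so a sensor that sees the victim's traffic observes two answers for one DNS transaction. The following added example (not from the slides or Dsniff) parses tcpdump-style DNS reply lines and reports every (client, port, transaction ID) that received conflicting A records, listing the answers in arrival order so the first entry is the one the victim's resolver accepted. The capture lines are constructed.

```python
"""Added example (not from the slides): flag DNS answer races, where two
different replies arrive for the same transaction."""
import re
from collections import defaultdict

# tcpdump prints an A-record reply roughly as
#   IP <server>.53 > <client>.<port>: <txid> 1/0/0 A <address> (<len>)
DNS_REPLY = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.53 > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(\d+)\S* \d+/\d+/\d+ A (\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample: transaction 4321 gets a fast answer (192.0.2.99) and,
# 30 ms later, a different one from the real resolver. Transaction 4322 is a
# harmless retransmit of the same answer and must not be reported.
SAMPLE_LINES = [
    "12:00:00.100000 IP 192.168.1.1.53 > 192.168.1.50.51234: 4321 1/0/0 A 192.0.2.99 (48)",
    "12:00:00.130000 IP 192.168.1.1.53 > 192.168.1.50.51234: 4321 1/0/0 A 198.51.100.20 (48)",
    "12:00:01.000000 IP 192.168.1.1.53 > 192.168.1.50.51235: 4322 1/0/0 A 198.51.100.21 (48)",
    "12:00:01.050000 IP 192.168.1.1.53 > 192.168.1.50.51235: 4322 1/0/0 A 198.51.100.21 (48)",
]


def parse_dns_replies(lines):
    """Yield ((client, port, txid), answer) for each reply line."""
    for line in lines:
        m = DNS_REPLY.search(line)
        if m:
            _server, client, port, txid, answer = m.groups()
            yield (client, int(port), int(txid)), answer


def detect_answer_races(lines):
    """Return {(client, port, txid): [distinct answers in arrival order]}
    for every transaction that received more than one distinct answer."""
    seen = defaultdict(list)
    for key, answer in parse_dns_replies(lines):
        if answer not in seen[key]:
            seen[key].append(answer)
    return {key: answers for key, answers in seen.items() if len(answers) > 1}


if __name__ == "__main__":
    for (client, port, txid), answers in detect_answer_races(SAMPLE_LINES).items():
        print(f"{client}:{port} txid {txid}: accepted {answers[0]}, later saw {answers[1:]}")
```

The check is keyed on client address, source port and transaction ID, which is exactly what a spoofed reply has to match, so it catches the race without needing to know which answer is genuine. Note that it only works from a vantage point that sees both replies (a span port or tap), not from the victim host, whose resolver discards the late one.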

DNS Spoofing (figure-only slide)

Sniffing SSL and SSH
- Dsniff webmitm enables man-in-the-middle (MIM) attack
- Send certificate signed by bogus "CA"
- In SSL, browser warns user, and ...
  - ...warning is ignored
- In SSH user is warned, and ...

Sniffing SSL and SSH
- Man-in-the-middle
- Politically correct: "monkey-in-the-middle"

Simplified SSL Protocol
- Alice -> Bob: Can we talk?, cipher list, RA
- Bob -> Alice: certificate, cipher, RB
- Alice -> Bob: {S}Bob, E(h(msgs,CLNT,K),K)
- Bob -> Alice: h(msgs,SRVR,K)
- Then: data protected with key K
- S is pre-master secret
- K = h(S,RA,RB)
- msgs = all previous messages
- CLNT and SRVR are constants

SSL MiM Attack
- Alice -> Trudy: RA
- Trudy -> Bob: RA
- Bob -> Trudy: certificateB, RB
- Trudy -> Alice: certificateT, RB
- Alice -> Trudy: {S1}Trudy, E(X1,K1)
- Trudy -> Bob: {S2}Bob, E(X2,K2)
- Bob -> Trudy: h(Y2,K2)
- Trudy -> Alice: h(Y1,K1)
- Then: Alice and Trudy exchange E(data,K1); Trudy and Bob exchange E(data,K2)
- Q: What prevents this MiM attack?
- A: Bob's certificate must be signed by a certificate authority (such as Verisign)
- What does browser do if signature not valid?
- What does user do if signature is not valid?

Sniffing SSL (figure-only slide)

Firefox Certificate Warning (figure-only slide)

IE Certificate Warning (figure-only slide)

Webmitm Output (figure-only slide)

SSH Sniffing
- SSH gives a warning too
  - Specifically mentions MiM attack
  - Still, it's easy to ignore
- Ettercap also does SSH MiM
  - But Ettercap is not really in the "middle"
  - It establishes key with client, then connects client to server using same key

Other Dsniff Features
- Tcpkill --- kill active TCP connection
- Tcpnice --- "shape traffic" using, e.g., ICMP source quench
- Filesnarf --- grab NFS files
- Mailsnarf --- grab email
- Msgsnarf --- grab IM traffic
- Urlsnarf --- grab URLs from HTTP traffic
- Webspy --- view web pages victim views

Sniffing Defenses
- Use secure protocols
  - SSL, SSH, S/MIME, PGP, IPSec
  - Do not use telnet for sensitive info
- Take certificate warnings seriously
- Prefer switches to hubs
- Hard code MAC addresses, if possible
- Static ARP tables, where possible

Sniffing Defenses
- Use tools to detect promiscuous mode
  - ifconfig (UNIX), PromiscDetect (Windows)
- Sentinel looks for anomalies on LAN that indicate sniffing
  - Send packet (ping, for example) with bogus destination MAC address
  - Any reply indicates sniffing
- Also, some Windows-specific tools
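On Linux the promiscuous flag that ifconfig shows is also exported by the kernel in /sys/class/net/<iface>/flags and in `ip link show` output, so the check can be scripted and run periodically. The script below is an added example (not from the slides, and not PromiscDetect or Sentinel): it tests the IFF_PROMISC bit from the sysfs flags file and, for captured `ip link show` text, looks for the PROMISC keyword. The `ip link` sample is constructed; the sysfs path and the 0x100 bit value come from the Linux headers.

```python
"""Added example (not from the slides): host-side check for Linux interfaces
in promiscuous mode, the state a sniffer normally puts the NIC into."""
import os
import re

IFF_PROMISC = 0x100           # bit value from <linux/if.h>
SYSFS_NET = "/sys/class/net"  # kernel exports per-interface flags here


def is_promiscuous(flags_hex):
    """flags_hex is the text of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root=SYSFS_NET):
    """Interfaces currently flagged IFF_PROMISC (empty list on non-Linux)."""
    found = []
    if not os.path.isdir(sysfs_root):
        return found
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                if is_promiscuous(fh.read()):
                    found.append(iface)
        except OSError:
            continue  # virtual devices without a flags file, permission issues
    return found


# "ip link show" prints one line per device such as
#   2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ...
IP_LINK_LINE = re.compile(r"^\d+: ([^:@]+)[^<]*<([^>]*)>", re.M)


def promiscuous_from_ip_link(text):
    """Same check applied to captured 'ip link show' output."""
    return [name for name, flags in IP_LINK_LINE.findall(text)
            if "PROMISC" in flags.split(",")]


# Constructed sample of 'ip link show' output with eth0 in promiscuous mode.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP
"""

if __name__ == "__main__":
    print("from sample ip link output:", promiscuous_from_ip_link(SAMPLE_IP_LINK))
    print("on this host:", promiscuous_interfaces())
```

This is a local check, so it only tells you about the host it runs on and an attacker with root there could defeat it; the Sentinel-style probe on the slide (a ping with a bogus destination MAC, answered only by a host whose card accepts frames not addressed to it) complements it from the network side. Some legitimate software (bridges, monitoring agents) also sets the flag, so treat a hit as something to explain, not proof of an attacker.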

IP Address Spoofing
- Changing source IP address
- Enables Trudy to...
  - Cover her tracks
  - Break applications that use IP address for authentication
- Previous examples: Nmap, Dsniff, ...

Simple Spoofing
- Simply change the IP address
  - ifconfig (UNIX) or Windows network Control Panel
- Works when Trudy does not need response
  - DoS, for example
- Tools for packet crafting
  - Hping2
  - Nemesis
  - NetDude

Simple Spoofing
- Limitations of simple spoofing
  - Trudy cannot easily interact with target
  - Spoofing TCP especially difficult
- Interactive simple spoofing works if Trudy on same LAN as spoofed address

Simple Spoofing (figure-only slide)

Predicting Sequence Numbers
- Not-so-simple spoofing...
- Trusted machines often require no authentication beyond TCP connection
- Trudy can pretend to be trusted machine by spoofing IP address
- To establish connection, Trudy must predict initial sequence number

Not-So-Simple Spoofing (figure-only slide)

Not-So-Simple Spoofing
- Note that...
  - Trudy must correctly guess ISN_B (Bob's initial sequence number)
  - Trudy does not see responses (not a true interactive session)
  - Bob thinks packets came from Alice
- Good attack for r-commands

Spoofing via Source Routing
- Specify path packet will take
- Loose source routing
  - Specify some hops
- Source routing makes Trudy's life much easier (next slide)

Spoofing via Source Routing (figure-only slide)

Spoofing via Source Routing
- Seldom works across Internet
  - Source routing blocked by gateway
- May work on internal network
  - Makes insider attacks easy

IP Spoofing Defenses
- Be sure ISNs are reasonably random
- Avoid using r-commands
  - Or use only with SSH or VPN
- IP address for authentication ... NOT!
- Do not allow source routing
- Be careful with trust relationships
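The "Predicting Sequence Numbers" slides and the first defense here both turn on the same property: whether ISN_B can be guessed from earlier ISNs. The added example below (not from the slides) takes a sample of ISNs observed from a host you administer (for instance, the sequence numbers in its SYN-ACKs in a packet capture) and classifies the generator as a fixed increment, a narrow band of increments, or spread with no linear pattern, and shows what a guess would look like in the predictable case. The ISN samples are constructed; the first imitates the fixed-increment scheme of early BSD stacks (64,000 per new connection).

```python
"""Added example (not from the slides): judge how predictable a host's TCP
initial sequence numbers are from a sample of observed ISNs."""

MODULUS = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) % MODULUS for a, b in zip(isns, isns[1:])]


def classify_isns(isns, band=1 << 16):
    """'constant' if every delta is identical, 'narrow' if all deltas lie
    within a window of `band`, otherwise 'spread' (no linear pattern)."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISNs to say anything")
    if len(set(deltas)) == 1:
        return "constant"
    if max(deltas) - min(deltas) < band:
        return "narrow"
    return "spread"


def predicted_next(isns):
    """Best guess for the next ISN when the generator is a fixed increment;
    None when the sample shows no such pattern."""
    if classify_isns(isns) != "constant":
        return None
    return (isns[-1] + isn_deltas(isns)[0]) % MODULUS


# Constructed samples (not real captures).
COUNTER_ISNS = [1_000_000 + 64_000 * i for i in range(5)]   # fixed increment
NARROW_ISNS = [0, 128_003, 256_001, 384_010]                 # clock-driven with jitter
SPREAD_ISNS = [0x3A7F1C2B, 0x9E0D4410, 0x1B66F0A3, 0xC4D2E87F, 0x57A3B1E9]

if __name__ == "__main__":
    for name, sample in [("counter", COUNTER_ISNS), ("narrow", NARROW_ISNS),
                         ("spread", SPREAD_ISNS)]:
        print(f"{name}: {classify_isns(sample)}, next guess {predicted_next(sample)}")
```

A "narrow" verdict is nearly as bad as "constant": the attacker does not need the exact ISN, only a guess within the receiver's window, and a band of a few thousand is trivially covered by sending several spoofed segments. Modern stacks derive the ISN from a keyed hash of the connection 4-tuple plus a clock, which shows up here as "spread".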

IP Spoofing Defense
- Employ anti-spoof packet filters

Session Hijacking
- Trudy "steals" an existing session
- Network-based session hijacking
  - Combines spoofing and sniffing
- Alice and Bob have existing connection
- Trudy is sniffing packets (on LAN)
- Trudy starts injecting packets
  - Bob thinks packets came from Alice
- This works even if strong authentication used, provided there is no encryption

Session Hijacking
- Also, host-based session hijacking
- Tools for session hijacking
  - Hunt
  - Dsniff --- sshmitm
  - Ettercap
  - Juggernaut
  - IP Watcher, TTYWatcher, TTYSnoop

ACK Storm
- If Alice is alive during session hijack...
  - Alice's and Bob's sequence numbers fall out of sync, and each side's ACKs provoke more ACKs from the other
  - Limits the attack

Ettercap
- Ettercap can prevent ACK storm
  - ARP cache poisoning
  - Ettercap makes Trudy MiM

Ettercap (figure-only slide)

Hunt
- Hunt offers similar feature as Ettercap
- Includes a "resync" feature that may allow Trudy out of MiM
  - And allow Alice and Bob to continue
- Ettercap and Hunt attacks can work even if Trudy not on same LAN
  - Trudy must be on network between Alice & Bob

MiM Attack (figure-only slide)

Wireless Access Points
- All attacks so far also work on wireless networks
- But wireless has unique attack...
- Access point hijacking
  - Given SSID, pretend to be access point
  - Then need to get victims to associate with fake access point
- Tool for this: AirJack

Session Hijacking Defenses
- Use defenses against spoofing and sniffing
- Use SSH version 2
  - Dsniff and Ettercap MiM work against SSH version 1
- Pay careful attention to certificate warnings

Netcat
- General-purpose networking tool
- "...single most useful tool ... for interacting with a system across a network"
- "Swiss army knife of network tools"
- If you were stranded on a desert island, your one attack tool would be Netcat
- You get the idea...

Netcat
- Send or receive data from any TCP or UDP port to any TCP or UDP port

Netcat For File Transfer
- File transfer: any port, push or pull

Netcat For Port Scanning
- Plain vanilla port scanning
- Unlike Nmap, which has many options

Netcat: Connect to Open Ports
- Send data and see what comes back
- Better than telnet because
  - Easier to redirect output to file
  - Easier to drop a connection
  - No telnet control data/characters
  - No telnet error messages
  - telnet cannot make UDP connections

Netcat: Vulnerability Scanning
- Netcat as "vulnerability engine"
  - I.e., attacker writes scripts that use Netcat's capabilities
- Netcat comes with scripts to check for vulnerabilities in RPC, NFS, trust, FTP, and really weak passwords (very limited compared to Nessus)

Netcat Backdoors
- With access to a machine, Trudy can
  - Start a Netcat listener for future access
  - Create an active backdoor (i.e., push data)
- These are most common uses of Netcat by bad guys

Netcat to Relay Traffic
- Can use Netcat to relay traffic
- Trudy can hide her true location
  - 10 or more "hops" sometimes seen
  - Across political/language boundaries

Evade Packet Filter (figure-only slide)

How to Create Netcat Relay?
- Three popular techniques
  - Modify inetd in UNIX/Linux: add a line to the inetd.conf file
  - "backpipe" on UNIX/Linux: use mknod; pipes data in FIFO order
  - Relay bat file in Windows

Backpipe (figure-only slide)

Netcat Listeners
- By default, Netcat listener is nonpersistent
- In Windows version, can create persistent listeners
- In UNIX, requires a little more work from Trudy to get same effect (see book for details)

Netcat Honeypots
- Good guys can create Netcat (persistent) listeners
- These can be used as honeypots

Netcat Defenses
- Prevent Netcat file transfers
  - Firewall configuration issue
- Secure against port scanning
  - Minimal number of listening ports
  - Block arbitrary connections to ports
  - Close unused ports
- Protect against vulnerability scanning
  - Apply patches

Netcat Defenses
- Stop backdoors
  - Need to know what processes are running so you can detect rogue processes
- Prevent relay attacks
  - No single point that attacker can relay around
- Stop persistent listeners
  - Periodically check for unexpected listening ports
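The last defense on both slides (a minimal, known set of listening ports, checked periodically) is a short script. The one below is an added example (not from the slides or the book they cite): it parses the Linux /proc/net/tcp table, keeps the sockets in LISTEN state, decodes their little-endian hex addresses, and reports any port outside an allowlist together with the owning UID, which is the first clue to the process behind a rogue Netcat listener. The /proc/net/tcp sample is constructed; the allowlist is an assumption you would replace with your host's real baseline.

```python
"""Added example (not from the slides): find listening TCP ports that are
not on a host's allowlist, using the Linux /proc/net/tcp table."""
import os

LISTEN_STATE = "0A"  # st column value for LISTEN in /proc/net/tcp
PROC_TCP = "/proc/net/tcp"


def decode_address(hex_addr):
    """'0100007F:0016' -> ('127.0.0.1', 22); the IPv4 bytes are little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def listening_sockets(proc_tcp_text):
    """Parse /proc/net/tcp text into a list of (ip, port, uid) for LISTEN
    sockets, sorted by port. The first line of the table is a header."""
    sockets = []
    for line in proc_tcp_text.splitlines()[1:]:
        fields = line.split()
        # columns: sl, local_address, rem_address, st, tx:rx, tr:when, retrnsmt, uid, ...
        if len(fields) < 8 or fields[3] != LISTEN_STATE:
            continue
        ip, port = decode_address(fields[1])
        sockets.append((ip, port, int(fields[7])))
    return sorted(sockets, key=lambda s: s[1])


def unexpected_listeners(proc_tcp_text, allowed_ports):
    """Listening sockets whose port is not in the allowlist."""
    return [s for s in listening_sockets(proc_tcp_text) if s[1] not in allowed_ports]


# Constructed /proc/net/tcp excerpt: sshd on 22, a web server on 127.0.0.1:80,
# an unexplained listener on 4444 owned by uid 1000, and one established
# connection (state 01) that must be ignored.
SAMPLE_PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0A00000F:0016 0A000001:C3F2 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1
"""

ALLOWED_PORTS = {22, 80}  # assumed baseline for this example

if __name__ == "__main__":
    text = SAMPLE_PROC_TCP
    if os.path.exists(PROC_TCP):
        with open(PROC_TCP) as fh:
            text = fh.read()
    for ip, port, uid in unexpected_listeners(text, ALLOWED_PORTS):
        print(f"unexpected listener {ip}:{port} (uid {uid})")
```

Run from cron with the host's real baseline, the script turns the slide's "periodically check" into an alert. For IPv6 listeners read /proc/net/tcp6 as well (same columns, 32 hex digits per address), and to map the socket back to a process, look the inode column up under /proc/<pid>/fd, which is what `ss -ltnp` does for you.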