Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne

Sniffing
- Targets the Data Link layer of the protocol stack
- A sniffer gathers traffic off the network as it passes the attacker's machine
- This data can include user IDs and passwords transmitted by telnet, DNS queries and responses, sensitive e-mail, FTP passwords, etc.
- Lets the attacker read data passing a given machine in real time
- Two types of sniffing: passive and active

Sniffing
Passive
- Attacker needs a foothold (an account or a compromised host) on the LAN segment
- Done over a hub, which repeats every frame out of every port
- Usually, once access is gained on one computer, the attacker uses the sniffed passwords to get into other computers
Active
- Attacker still needs a foothold on the LAN, but the network is switched, so the attacker has to force traffic to flow past his machine
- Several different attacks:
  - Parsing packets
  - Flooding the switch's MAC table
  - Spoofed ARP messages
  - DNS spoofing
  - HTTPS and SSH spoofing (man in the middle)

Passive Sniffing (diagram): user1, user2, the Server and the Bad guy all hang off a HUB. A message ("BLAH") sent by one host is repeated to every port, so the bad guy sees it.

Active Sniffing (diagram): the same hosts on a Switch. The switch looks at the destination MAC address and sends the message ("BLAH") only to the port of the requesting computer, so the bad guy sees nothing unless he intervenes.

Dsniff
- Offers several ways around a switch
- Available for OpenBSD, Linux and Solaris, and there is a Windows port
- Very popular and versatile
- In conjunction with sshmitm and webmitm (tools from the same suite), conducts all the attacks above

Wireshark
- Much better than dsniff for packet capture and protocol analysis, IMHO; dsniff's strength is its credential-parsing and man-in-the-middle tools, not capture

Flooding Switches
- The switch stores the MAC addresses it has learned in a local table (the CAM table) of fixed capacity
- Dsniff (its macof tool) keeps sending the switch frames with bogus, random source MAC addresses
- Eventually the switch's table fills; unable to learn where hosts are, many switches "fail open" and flood frames out of every port, effectively turning into a hub
- Then just run any sniffer you want to get data from the network
- Caveat: the flood is noisy (thousands of frames per second with new source MACs from one port), which port security or MAC-count monitoring will catch
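The mechanism above, as an added simulation that is not part of the original slides: a learning switch with a fixed-capacity CAM table that floods unknown destinations out of every port (fail open), an attacker on port 3 sending frames with random source MACs the way macof does, and the port-security limit from the Anti-Sniffing slide applied to the same scenario. The switch model is a simplification (eviction of the oldest entry stands in for the aging real switches do); MAC addresses, port numbers and capacities are constructed.

```python
"""MAC flooding against a learning switch, as a CAM-table simulation.

Added example, not part of the original slides. The Switch model is a
simplification: a fixed-capacity forwarding table keyed by source MAC
that evicts its oldest entry when full (standing in for the aging that
real switches do), and a fail-open policy that floods frames for unknown
destinations out of every port. Optional per-port MAC limits model the
port-security defense. All MAC addresses and port numbers are constructed.
"""
import os
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str    # source MAC, e.g. "aa:aa:aa:aa:aa:01"
    dst: str    # destination MAC
    port: int   # ingress port


@dataclass
class Switch:
    ports: int
    cam_capacity: int
    port_security: dict = field(default_factory=dict)        # port -> max MACs allowed
    cam: OrderedDict = field(default_factory=OrderedDict)    # MAC -> port
    macs_per_port: dict = field(default_factory=dict)        # port -> set of MACs seen
    violations: list = field(default_factory=list)           # (port, MAC) frames dropped

    def _learn(self, frame):
        """Bind src MAC to the ingress port. Returns False if port security drops the frame."""
        seen = self.macs_per_port.setdefault(frame.port, set())
        limit = self.port_security.get(frame.port)
        if limit is not None and frame.src not in seen and len(seen) >= limit:
            self.violations.append((frame.port, frame.src))
            return False
        if frame.src not in self.cam and len(self.cam) >= self.cam_capacity:
            # table full: the oldest binding is lost, which is what macof counts on
            evicted, _ = self.cam.popitem(last=False)
            for macs in self.macs_per_port.values():
                macs.discard(evicted)
        self.cam[frame.src] = frame.port
        self.cam.move_to_end(frame.src)
        seen.add(frame.src)
        return True

    def forward(self, frame):
        """Return the set of egress ports the frame is delivered to."""
        if not self._learn(frame):
            return set()
        out = self.cam.get(frame.dst)
        if out is None or out == frame.port:
            # fail open: an unknown destination is flooded to every other port
            return {p for p in range(self.ports) if p != frame.port}
        return {out}


def random_mac():
    return ":".join(f"{b:02x}" for b in os.urandom(6))


def mac_flood_scenario(port_security_limit=None, flood_frames=2000):
    """user1 (port 0) and user2 (port 1) talk; the attacker on port 3 floods the switch.

    Returns (ports that afterwards receive user2 -> user1 traffic, number of
    port-security violations). Without port security the attacker's port 3 is
    among them; with a limit of one MAC per port it is not.
    """
    sw = Switch(ports=4, cam_capacity=1024)
    if port_security_limit is not None:
        sw.port_security = {p: port_security_limit for p in range(sw.ports)}
    user1, user2 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    sw.forward(Frame(user1, user2, 0))   # switch learns user1 on port 0
    sw.forward(Frame(user2, user1, 1))   # ... and user2 on port 1
    for _ in range(flood_frames):        # macof-style flood from port 3
        sw.forward(Frame(random_mac(), random_mac(), 3))
    delivered = sw.forward(Frame(user2, user1, 1))
    return delivered, len(sw.violations)


if __name__ == "__main__":
    print("no port security :", mac_flood_scenario())
    print("port security = 1:", mac_flood_scenario(port_security_limit=1))
```

With the default settings the second run reports 1999 violations: the attacker's first random MAC is learned, every later one is refused, the legitimate bindings survive, and user2's frame reaches only port 0.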

Spoofing ARP Messages
- Some switches are immune to MAC flooding (for example, those with port security, or those that simply stop learning when the table is full)
- ARP maps an IP address to a MAC address, and hosts accept ARP replies without any authentication
- The attacker looks at the network topology to find the IP of the default router
- Then enables IP forwarding on his machine, so that it forwards packets on to the default router
- The attacker runs Dsniff (arpspoof) and poisons the ARP cache on the victim's computer, matching his own MAC with the default router's IP
- The victim sends its data to the "default router", which is really the attacker
- The attacker sniffs the data and then forwards it to the real default router, so the victim notices nothing

ARP Flooding (diagram of the ARP spoof above): user1 and the Bad guy on a Switch, with the scary place (outside world) beyond it. 1) Fake ARP reply from the bad guy to user1; 2) user1's innocent message goes to the bad guy; 3) sniffing; 4) the message continues on its way to the outside world.

DNS Spoofing
- Similar to ARP spoofing, one layer up
- Instead of mapping a MAC to an IP, Dsniff (dnsspoof) answers the user's DNS query with the IP of the attacker's machine for the domain name the user is trying to access
- Because the attacker is sniffing the LAN he sees the query, including its transaction ID, and can reply before the real DNS server does; the first matching answer wins
- The new IP is a machine outside the network running a fake web page that mimics the real one
- The user may enter a username and password thinking that the site is legitimate
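The race described above, as an added example that is not part of the original slides: a query and a forged answer in real DNS wire format, a stub resolver that accepts the first answer whose transaction ID and question section match, and two attackers, one who sniffed the query (as dnsspoof does) and one who has to guess the ID. The names, IDs and addresses are constructed.

```python
"""DNS spoofing from a sniffing position, and the stub resolver's check.

Added example, not part of the original slides. build_query() and
forge_response() produce DNS wire format; StubResolver accepts an answer
only if its transaction ID and question match an outstanding query and no
answer has arrived yet. An attacker who sniffs the LAN copies the ID from
the query and wins the race; one who cannot see the query has to guess.
Names and addresses are constructed.
"""
import struct


def encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_query(txid, name, qtype=1):
    """Standard query, recursion desired, one question (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_message(data):
    """Return header fields, the question (name/type/class) and the first A record, if any."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    labels, pos = [], 12
    while data[pos] != 0:
        ln = data[pos]
        labels.append(data[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    pos += 1
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    msg = {"txid": txid, "flags": flags, "name": ".".join(labels), "qtype": qtype,
           "qclass": qclass, "question": data[12:pos], "answer": None}
    if an:
        # the answer name is a compression pointer (0xC00C) back to the question
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos + 2:pos + 12])
        rdata = data[pos + 12:pos + 12 + rdlen]
        if rtype == 1 and rdlen == 4:
            msg["answer"] = ".".join(str(b) for b in rdata)
    return msg


def forge_response(query, answer_ip, ttl=300):
    """Answer the given query with answer_ip, copying its ID and question section."""
    q = parse_message(query)
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)  # response, RD, RA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ip_bytes(answer_ip)
    return header + q["question"] + answer


class StubResolver:
    """Tracks outstanding queries; the first response with matching ID and question wins."""

    def __init__(self):
        self.pending = {}   # txid -> question bytes
        self.cache = {}     # name -> ip

    def send(self, txid, name):
        query = build_query(txid, name)
        self.pending[txid] = parse_message(query)["question"]
        return query

    def receive(self, response):
        r = parse_message(response)
        if self.pending.get(r["txid"]) != r["question"]:
            return None                     # wrong ID or question: ignored
        del self.pending[r["txid"]]         # the later (genuine) answer is now ignored too
        self.cache[r["name"]] = r["answer"]
        return r["answer"]


def race(attacker_sees_query, attacker_guess=0x0001):
    """One lookup of www.example.com: the attacker's forged answer arrives before the real one."""
    resolver = StubResolver()
    query = resolver.send(0x1A2B, "www.example.com")   # a real resolver picks a random ID
    txid = parse_message(query)["txid"] if attacker_sees_query else attacker_guess
    forged = forge_response(build_query(txid, "www.example.com"), "192.0.2.66")
    genuine = forge_response(query, "198.51.100.10")   # same wire format, the real server's answer
    resolver.receive(forged)       # attacker is on the LAN, so his packet arrives first
    resolver.receive(genuine)
    return resolver.cache.get("www.example.com")
```

race(True) returns the attacker's 192.0.2.66; race(False) returns the genuine 198.51.100.10 because the guessed ID does not match and the forged packet is silently dropped.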

Man/Monkey In The Middle! (diagram): User <-> Attacker <-> target

MITM - Getting around HTTPS and SSH
- Both HTTPS and SSH encrypt the traffic between the two ends
- Sniffing the data itself would be useless
- HTTPS relies on certificates: the server sends its certificate to the client
- This certificate is digitally signed by a trusted Certification Authority
- Your browser verifies this signature to make sure the server is who it claims to be
- An SSL connection is then established
- SSH doesn't use certificates but employs a similar idea: the client checks the server's host key against the one it saved on the first connection, and warns if it has changed

It sounds secure, right?
- The connection is secure, but Dsniff exploits what happens before the connection is established
- The attacker runs dnsspoof along with webmitm
- webmitm proxies the connection:
  - establishes an HTTPS connection with the victim, sending the attacker's certificate to the user
  - establishes a separate HTTPS connection with the real server
- The victim gets an error message stating that the certificate is unrecognized or not properly configured
- The victim can then click continue to establish the connection
- The victim then accesses the information they want, but the attacker sees everything they type
- The whole attack hinges on that one click: if the user treats the warning as a stop sign, webmitm gets nothing (sshmitm plays the same trick against SSH, relying on the user accepting a changed host key)

Anti-Sniffing
- Encrypt all crucial data that you send across a network
- Never telnet to firewalls, routers, sensitive servers, or Public Key Infrastructure hosts
- If you get an error message from your SSH client or browser, investigate it; do not click through
- If feasible, replace hubs with switches (this raises the bar, but as the previous slides show a switch alone does not stop an active sniffer)
- For very sensitive data, enable port-level security on your switches by configuring each switch port with the specific MAC address of the computer plugged into it

Defenses against Dsniff
- Hardcode the MAC address of the gateway into servers (a static ARP entry, which the kernel will not overwrite with a spoofed reply)
- Use a gateway switch that will not "fail open" when its MAC table fills (protects against MAC flooding)
- Use arpwatch to monitor IP-to-MAC mappings and alert on changes
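The ARP spoof from the Spoofing ARP Messages slide and two of the defenses above, as an added example that is not part of the original slides: a raw Ethernet+ARP reply packed the way arpspoof sends it ("the gateway's IP is at MY MAC"), a victim ARP cache that shows why a hardcoded (static) gateway entry defeats it, and an arpwatch-style detector that remembers the first MAC seen for each IP and reports a change. The ARP cache and detector are minimal models, not arpwatch's code; all addresses are constructed.

```python
"""A forged ARP reply, a victim ARP cache with and without a static gateway
entry, and an arpwatch-style change detector.

Added example, not part of the original slides. build_arp_reply() packs a
raw Ethernet + ARP frame as a poisoning tool would; VictimCache models a
host whose dynamic entries any reply can overwrite but whose static entry
(the "hardcoded gateway MAC") cannot be; ArpWatch flags a later reply that
disagrees with the first binding it saw. All addresses are constructed.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header + ARP reply claiming 'sender_ip is at sender_mac'."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class VictimCache:
    """Minimal ARP cache: dynamic entries are overwritten by any reply, static ones never."""

    def __init__(self, static=None):
        self.static = dict(static or {})   # ip -> mac, the hardcoded gateway entry
        self.dynamic = {}

    def on_frame(self, frame):
        arp = parse_arp(frame)
        if arp and arp["op"] == ARP_REPLY and arp["sender_ip"] not in self.static:
            self.dynamic[arp["sender_ip"]] = arp["sender_mac"]

    def lookup(self, ip):
        return self.static.get(ip) or self.dynamic.get(ip)


class ArpWatch:
    """Remember the first MAC seen for each IP and report any later change."""

    def __init__(self):
        self.bindings = {}   # ip -> mac

    def observe(self, frame):
        """Return an alert string if the IP->MAC binding changed, else None."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        old = self.bindings.setdefault(ip, mac)
        if old != mac:
            self.bindings[ip] = mac
            return f"changed ethernet address: {ip} was {old}, now {mac}"
        return None


def poisoning_scenario(static_gateway_entry):
    """The gateway answers normally, then the attacker poisons; return (victim's MAC for the gateway, alerts)."""
    gateway_ip, gateway_mac = "10.0.0.1", "22:22:22:22:22:22"
    victim_mac, attacker_mac = "11:11:11:11:11:11", "66:66:66:66:66:66"
    victim = VictimCache(static={gateway_ip: gateway_mac} if static_gateway_entry else None)
    watch, alerts = ArpWatch(), []
    for frame in (build_arp_reply(gateway_mac, gateway_ip, victim_mac, "10.0.0.5"),    # legitimate
                  build_arp_reply(attacker_mac, gateway_ip, victim_mac, "10.0.0.5")):  # arpspoof
        victim.on_frame(frame)
        alert = watch.observe(frame)
        if alert:
            alerts.append(alert)
    return victim.lookup(gateway_ip), alerts
```

Without the static entry the victim ends up sending gateway traffic to 66:66:66:66:66:66; with it the cache still says 22:22:22:22:22:22. The detector raises one alert either way, which is the point of running it on a monitoring port rather than relying on the victims to notice.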

IP Address Spoofing
- Three main flavors:
  - Simple spoofing
  - Undermining Unix r-commands
  - Spoofing with source routing
- Hides the attacker's real address, so actions cannot be traced back to it
- Undermines applications that rely on IP addresses for authentication or filtering

Simple Spoofing
- Simply change the IP address of your computer
- Can be done with ifconfig in UNIX or in the network control panel in Windows
- Or use a tool that generates raw packets with fake source IP addresses
- The only problem: the attacker cannot complete a three-way handshake with the victim, because the SYN-ACK goes back to the spoofed address, not to the attacker (this is "blind" spoofing)

Undermining UNIX r-Commands
- This targets UNIX trust relationships
- Trust relationships allow users to log onto one machine and then log into trusting machines without a password
- Using the r-commands: rlogin (remote login), rsh (remote shell), rcp (remote copy)
- A computer can be added to the trust relationship by editing the /etc/hosts.equiv or ~/.rhosts file
- Whether a machine is trusted depends on the source IP address of the connection (or the host name resolved from it), which is exactly what an attacker can spoof
- The administrator can establish a hub-and-spoke relationship, logging onto one computer and then sending commands to multiple systems that trust it using the rsh tool

Hub and Spoke (diagram): the Admin machine at the center, with Trust arrows out to several spoke systems.

Exploiting Hub and Spoke Relationships
1. The attacker sends multiple TCP SYN packets to the computer to be attacked and records the initial sequence numbers in the SYN-ACKs; if they follow a pattern this lets the attacker guess future sequence numbers
2. The attacker launches a DoS attack on the trusted computer, so that computer is dead to the network (otherwise it would answer the unexpected SYN-ACK with a RST and kill the spoofed connection)
3. The attacker sends a SYN to the victim using the trusted computer's IP address as the source
4. The victim returns a SYN-ACK to the trusted computer, but no reply is sent because that computer was hit with the DoS attack
5. Using the sequence numbers gathered in step 1, the attacker sends an ACK to the victim with the guessed sequence number, again spoofing the trusted machine's IP

Exploiting Hub and Spoke Relationships
- The attacker now has a connection with the victim's computer and can feed it commands (blindly)
- The attacker can't see the responses
- The attacker can make the victim trust the attacker's computer, or any computer on the network, for example by appending an entry to ~/.rhosts
- The attacker can then log on directly to the victim, no spoofing required
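Step 1 of the attack above, and the "test predictability yourself" defense from the last slide, as an added example that is not part of the original slides. Two toy stacks hand out the ISN that goes into a SYN-ACK: one increases by a fixed step per connection, in the spirit of old BSD stacks (the step value is illustrative), the other draws 32-bit random values as modern stacks do. The attacker opens a few real connections, looks at the ISNs, and predicts the one the victim will use for the spoofed connection. The difficulty measure is a crude stand-in for the statistic Nmap's OS detection reports as "TCP Sequence Prediction: Difficulty", not Nmap's algorithm.

```python
"""Sampling and predicting TCP initial sequence numbers.

Added example, not part of the original slides. PredictableIsn and
RandomIsn are toy stacks (the fixed step is illustrative); blind_spoof()
plays the attacker of the hub-and-spoke slides; isn_difficulty() is a
crude version of Nmap's ISN predictability measure.
"""
import os
import statistics
from collections import Counter

MASK32 = 0xFFFFFFFF


class PredictableIsn:
    """ISN grows by a constant per connection, like old BSD stacks."""

    def __init__(self, start=0x00001000, step=64000):
        self.next, self.step = start, step

    def syn_ack(self):
        isn = self.next
        self.next = (self.next + self.step) & MASK32
        return isn


class RandomIsn:
    """ISN drawn from a CSPRNG, as modern stacks do."""

    def syn_ack(self):
        return int.from_bytes(os.urandom(4), "big")


def deltas(samples):
    """Differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) & MASK32 for a, b in zip(samples, samples[1:])]


def probe(stack, n=5):
    """Attacker completes n ordinary handshakes with the victim and records each ISN."""
    return [stack.syn_ack() for _ in range(n)]


def predict_next(samples):
    """Assume a constant per-connection increment: the most common delta, added to the last ISN."""
    step = Counter(deltas(samples)).most_common(1)[0][0]
    return (samples[-1] + step) & MASK32


def isn_difficulty(samples):
    """Standard deviation of the deltas: 0 means trivially predictable."""
    return statistics.pstdev(deltas(samples))


def blind_spoof(stack):
    """Return (prediction was right, difficulty) for one spoofed SYN after probing."""
    samples = probe(stack)
    guess = predict_next(samples)
    # The SYN-ACK the victim now sends to the silenced trusted host carries this
    # ISN; the attacker never sees it and must send ACK = guess + 1 blindly.
    actual = stack.syn_ack()
    return guess == actual, isn_difficulty(samples)


if __name__ == "__main__":
    for stack in (PredictableIsn(), RandomIsn()):
        ok, diff = blind_spoof(stack)
        print(f"{type(stack).__name__:15s} prediction {'hit' if ok else 'miss'}, difficulty {diff:.0f}")
```

Against the predictable stack the guess is exact and the difficulty is 0; against the random stack the deltas scatter across the whole 32-bit range and the guess fails, which is the property the patches in the defenses slide are meant to give you.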

Spoofing with Source Routing
- Source routing is an IP option that lets the sender specify the path a packet will take through the network
- "Loose source routing" lets the sender name some of the hops but not all
- The attacker sends source-routed packets with a fake source IP to the victim
- These packets claim to be from a trusted computer
- They include the attacker's IP address as one of the hops
- Hosts that honor source routes send their replies back along the reversed route, so when the victim's computer tries to complete the three-way handshake its SYN-ACK passes through the attacker, who intercepts it and sends his own ACK
- An open connection has been established between the attacker and the victim, and unlike the blind attack the attacker can see the victim's responses

Defenses against IP Spoofing
- Make the initial sequence numbers generated by your TCP stack difficult to guess
  - apply the latest security patches
  - test predictability by scanning and trying to guess them yourself (Nmap's OS detection reports a "TCP Sequence Prediction" difficulty)
- Avoid using r-commands
  - use SSH or other secure programs instead
- Avoid setting up trust relationships on a network
- Avoid applications that validate based on IP address
  - authentication should be based on passwords and cryptography
  - use other techniques that tie the session to the user
- Use filters at the DMZ and gateways that drop source-routed packets (both incoming and outgoing)
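The packet from the Simple Spoofing and Source Routing slides and the last defense above, as an added example that is not part of the original slides: a raw IPv4 header with whatever source address the sender chooses (the sender's own stack never checks it), an optional Loose Source and Record Route option that names the attacker as a hop, and the check a DMZ or gateway filter applies to drop such packets. The addresses, payload and IP ID are constructed.

```python
"""A source-spoofed, loose-source-routed IPv4 packet and the gateway filter
that drops it.

Added example, not part of the original slides. build_ipv4() packs a raw
IPv4 header with an arbitrary source address plus an optional LSRR option;
drop_source_routed() is the gateway-side rule from the defenses slide.
Addresses and the IP ID are constructed.
"""
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # 0x83 loose, 0x89 strict source route


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def lsrr_option(hops):
    """LSRR option: type, length, pointer (4 = first address), the hop list, padded to 32 bits."""
    body = b"".join(ip_bytes(h) for h in hops)
    opt = bytes([IPOPT_LSRR, 3 + len(body), 4]) + body
    return opt + b"\x00" * (-len(opt) % 4)


def build_ipv4(src, dst, payload, options=b"", proto=6, ttl=64):
    """Raw IPv4 packet; src is whatever the caller says, which is all 'simple spoofing' is."""
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234, 0,
                         ttl, proto, 0, ip_bytes(src), ip_bytes(dst)) + options
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def parse_options(pkt):
    """Return a list of (type, data) for each option in the header; ValueError if malformed."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, i, found = pkt[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IP option")
        found.append((t, opts[i + 2:i + opts[i + 1]]))
        i += opts[i + 1]
    return found


def source_route_hops(pkt):
    """The hop list of an LSRR/SSRR option, or None if the packet carries no source route."""
    for t, data in parse_options(pkt):
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            addrs = data[1:]   # data[0] is the pointer
            return [ip_str(addrs[k:k + 4]) for k in range(0, len(addrs), 4)]
    return None


def drop_source_routed(pkt):
    """Gateway rule: True means drop. Malformed option fields are dropped as well."""
    try:
        return source_route_hops(pkt) is not None
    except ValueError:
        return True


if __name__ == "__main__":
    spoofed = build_ipv4("10.0.0.7", "10.0.0.9", b"SYN", options=lsrr_option(["192.0.2.66"]))
    print("claims source", ip_str(spoofed[12:16]), "via", source_route_hops(spoofed),
          "-> drop:", drop_source_routed(spoofed))
```

Here 10.0.0.7 plays the trusted host whose address is forged and 192.0.2.66 the attacker inserted as a hop; the filter drops the packet on the presence of the option alone, without needing to know which address is lying.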