1 Mike Beekey- Black Hat Briefings ‘01 ARP Vulnerabilities Indefensible Local Network Attacks? Mike Beekey.

Slides:



Advertisements
Similar presentations
Security Lab 2 MAN IN THE MIDDLE ATTACK
Advertisements

ARP Spoofing.
ARP Caching Christopher Avilla. What is ARP all about? Background Packet Structure Probe Announcement Inverse and Reverse Proxy Tools Poisoning MAC Flooding.
1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.
CISCO NETWORKING ACADEMY Chabot College ELEC Address Resolution Protocol.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
Guide to Network Defense and Countermeasures Second Edition
CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Network Attacks Mark Shtern.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
CSEE W4140 Networking Laboratory
ITIS 6167/8167: Network and Information Security Weichao Wang.
CSEE W4140 Networking Laboratory Lecture 2: ARP Jong Yul Kim
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
COEN 252: Computer Forensics Router Investigation.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.0 Module 9 TCP/IP Protocol Suite and IP Addressing.
TELE202 Lecture 10 Internet Protocols (2) 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »Internet Protocols (1) »Source: chapter 15 ¥This Lecture »Internet.
Managing Network connections. Network Cabling Ethernet Topology Bus topology – Connects each node in a line – Has no central connection point Star topology.
Computer Security and Penetration Testing
Connecting Networks © 2004 Cisco Systems, Inc. All rights reserved. Exploring How IP Address Protocols Work INTRO v2.0—4-1.
CCNA 1 v3.0 Module 9 TCP/IP Protocol Suite and IP Addressing
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
Chapter 13 – Network Security
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
Address Resolution Protocol(ARP) By:Protogenius. Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP.
This courseware is copyrighted © 2015 gtslearning. No part of this courseware or any training material supplied by gtslearning International Limited to.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Sniffing and Spoofing. Spoofing  Fraudulent authentication one machine as another  ARP spoofing  IP spoofing  DNS spoofing  Web spoofing.
FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
--Harish Reddy Vemula Distributed Denial of Service.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
Mahindra-British Telecom Ltd. Exploiting Layer 2 By Balwant Rathore.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
1 Network Administration Module 3 ARP/RARP. 2 Address Resolution The problem Physical networks use physical addresses, not IP addresses Need the physical.
1 Chapter 8 – TCP/IP Fundamentals TCP/IP Protocols IP Addressing.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 8 City College.
CCNA 1 v3.0 Module 9 TCP/IP Protocol Suite and IP Addressing
Lesson 7: Network Security and Attacks. Computer Security Operational Model Protection = Prevention+ (Detection + Response) Access Controls Encryption.
1 Bus topology network. 2 Data is sent to all computers, but only the destination computer accepts 02608c
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
© 2002, Cisco Systems, Inc. All rights reserved..
Lab #2 NET332 By Asma AlOsaimi. "Security has been a major concern in today’s computer networks. There has been various exploits of attacks against companies,
TCP/IP Protocol Suite and IP Addressing Presented By : Dupien AMS.
Regan Little. Definition Methods of Screening Types of Firewall Network-Level Firewalls Circuit-Level Firewalls Application-Level Firewalls Stateful Multi-Level.
Address Resolution Protocol Yasir Jan 20 th March 2008 Future Internet.
1 K. Salah Module 5.1: Internet Protocol TCP/IP Suite IP Addressing ARP RARP DHCP.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Chapter 8.  Upon completion of this chapter, you should be able to:  Understand the purpose of a firewall  Name two types of firewalls  Identify common.
SESSION HIJACKING It is a method of taking over a secure/unsecure Web user session by secretly obtaining the session ID and masquerading as an authorized.
TCP Sliding Windows For each TCP connection each hosts keep two Sliding Windows, send sliding window, and receive sliding window to make sure the correct.
1 Address Resolution Protocol (ARP). 2 Overview 3 Need for Address Translation Note: –The Internet is based on IP addresses –Local area networks use.
An Introduction To ARP Spoofing & Other Attacks
CSCE 548 Student Presentation By Manasa Suthram
IP: Addressing, ARP, Routing
Intro to Networks (part 1)
Address Resolution Protocol (ARP)
Computer Networks 9/17/2018 Computer Networks.
Address Resolution Protocol (ARP)
Networking Essentials For Firewall-1 Administrators
Presentation transcript:

1 Mike Beekey- Black Hat Briefings ‘01 ARP Vulnerabilities Indefensible Local Network Attacks? Mike Beekey

2 Mike Beekey- Black Hat Briefings ‘01 Overview ARP Refresher ARP Vulnerabilities Types of Attacks Vulnerable Systems Countermeasures Detection Tools and Utilities Demonstrations

3 Mike Beekey- Black Hat Briefings ‘01 ARP Refresher

4 Mike Beekey- Black Hat Briefings ‘01 ARP Message Formats ARP packets provide mapping between hardware layer and protocol layer addresses 28 byte header for IPv4 ethernet network –8 bytes of ARP data –20 bytes of ethernet/IP address data 6 ARP messages –ARP request and reply –ARP reverse request and reply –ARP inverse request and reply

5 Mike Beekey- Black Hat Briefings ‘01 ARP Request Message Source contains initiating system’s MAC address and IP address Destination contains broadcast MAC address ff.ff.ff.ff.ff.ff

6 Mike Beekey- Black Hat Briefings ‘01 ARP Reply Message Source contains replying system’s MAC address and IP address Destination contains requestor’s MAC address and IP address

7 Mike Beekey- Black Hat Briefings ‘01 ARP Vulnerabilities

8 Mike Beekey- Black Hat Briefings ‘01 Unsolicited ARP Reply Any system can spoof a reply to an ARP request Receiving system will cache the reply –Overwrites existing entry –Adds entry if one does not exist Usually called ARP poisoning

9 Mike Beekey- Black Hat Briefings ‘01 Types of Attacks

10 Mike Beekey- Black Hat Briefings ‘01 Types of Attack Sniffing Attacks Session Hijacking/MiM Denial of Service

11 Mike Beekey- Black Hat Briefings ‘01 Sniffing on a Hub

12 Mike Beekey- Black Hat Briefings ‘01 Switch Sniffing Normal switched networks –Switches relay traffic between two stations based on MAC addresses –Stations only see broadcast or multicast traffic Compromised switched networks –Attacker spoofs destination and source addresses –Forces all traffic between two stations through its system

13 Mike Beekey- Black Hat Briefings ‘01 Host to Host Exploit

14 Mike Beekey- Black Hat Briefings ‘01 Host to Router Exploit

15 Mike Beekey- Black Hat Briefings ‘01 Relay Configuration

16 Mike Beekey- Black Hat Briefings ‘01 Relay Configuration (cont.)

17 Mike Beekey- Black Hat Briefings ‘01 Sniffing Comments Depending on traffic content, attacker does NOT have to successively corrupt cache of both endpoints Useful when “true” permanent ARP entries are used or OS is not vulnerable to corruption

18 Mike Beekey- Black Hat Briefings ‘01 Session Hijacking/MiM Natural extension of sniffing capability “Easier” than standard hijacking –Don’t have to deal with duplicate/un-sync’d packets arriving at destination and source –Avoids packet storms

19 Mike Beekey- Black Hat Briefings ‘01 Denial of Service Spoofing the destination MAC address of a connection will prevent the intended source from receiving/accepting it Benefits –No protocol limitation –Eliminates synchronization issues Examples –UDP DoS –TCP connection killing instead of using RST’s

20 Mike Beekey- Black Hat Briefings ‘01 DoS MAC Entries

21 Mike Beekey- Black Hat Briefings ‘01 Denial of Service Examples

22 Mike Beekey- Black Hat Briefings ‘01 Web Surfing Web surfers require gateway router to reach Internet Method –Identify surfer’s MAC address –Change their cached gateway MAC address (or DNS MAC address if local) to “something else”

23 Mike Beekey- Black Hat Briefings ‘01 Network-based IDS Poorly constructed (single homed) IDS network systems relay auditing data/alerts to management/admin consoles Method –Identify local IDS network engine –Modify gateway MAC address –Modify console/management station address

24 Mike Beekey- Black Hat Briefings ‘01 Hostile Users Attacker continuously probing/scanning either your system or other target Method –Scanning you –Scanning a system under your protection

25 Mike Beekey- Black Hat Briefings ‘01 Switch Attacks Certain attacks may overflow switch’s ARP tables Method –A MAC address is composed of six bytes which is equivalent to 2^48 possible addresses –See how many randomly generated ARP- replies or ARP requests it takes before the switch “fails”

26 Mike Beekey- Black Hat Briefings ‘01 Switch Attacks (cont.) Switches may –Fail open- switch actually becomes a hub –Fail- no traffic passes through the switch, requiring a hard or soft reboot

27 Mike Beekey- Black Hat Briefings ‘01 Network “Bombs” “Hidden” application installed on a compromised system Method –Passively or actively collects ARP entries –Attacker specifies timeout or future time –Application transmits false ARP entries to its list

28 Mike Beekey- Black Hat Briefings ‘01 Vulnerable Systems

29 Mike Beekey- Black Hat Briefings ‘01 Operating Systems Windows 95 Windows 98 Windows NT Windows 2000 AIX 4.3 HP 10.2 Linux RedHat 7.0 FreeBSD 4.2 Cisco IOS 11.1 Netgear

30 Mike Beekey- Black Hat Briefings ‘01 Not Vulnerable Sun Solaris 2.8 –Appears to resist cache poisoning

31 Mike Beekey- Black Hat Briefings ‘01 Countermeasures

32 Mike Beekey- Black Hat Briefings ‘01 Firewalls Most “personal” firewalls are not capable of defending against or correctly identifying attacks below IP level UNIX –ipfw –ipf (IP Filter) Windows environments –Network Ice/Black Ice ©

33 Mike Beekey- Black Hat Briefings ‘01 Session Encryption Examples –Establishing VPNs between networks or systems –Using application-level encryption Effects –Prevents against disclosure attacks –Will not prevent against DoS attacks

34 Mike Beekey- Black Hat Briefings ‘01 Strong Authentication Examples –One-time passwords –Certificates Effects –None on disclosure attacks –None on DoS attacks

35 Mike Beekey- Black Hat Briefings ‘01 Port Security Cisco switches –set port security ?/? enable –Restricts source MAC addresses Hard coded ones “Learned” ones –Ability to set timeouts –Ability to generate traps –Ability to “shutdown” violating port

36 Mike Beekey- Black Hat Briefings ‘01 Port Security (Cont.) Issues –Only restricts source MAC addresses –Will not prevent against ARP relay attacks –Will only prevent against ARP source spoofing attacks

37 Mike Beekey- Black Hat Briefings ‘01 Hard Coding Addresses Example –Individual systems can hard code the corresponding MAC address of another system/address Issues –Management nightmare –Not scalable –Not supported by some OS vendors

38 Mike Beekey- Black Hat Briefings ‘01 Hard Coding Results Operating SystemResults Windows 95FAIL Windows 98FAIL Windows NTFAIL Windows 2000FAIL Linux RedHat 7.0YES FreeBSD 4.2YES Solaris 2.8YES

39 Mike Beekey- Black Hat Briefings ‘01 Countermeasure Summary Sniffing Session Hijacking Denial of Service Firewalls Session Encryption Strong Authentication Port Security Hard Coding

40 Mike Beekey- Black Hat Briefings ‘01 Detection

41 Mike Beekey- Black Hat Briefings ‘01 IDS Architecture Issues

42 Mike Beekey- Black Hat Briefings ‘01 OS Level Detection Operating System Detection Windows 95NO Windows 98NO Windows NTNO Windows 2000NO Linux RedHat 7.0NO FreeBSD 4.2YES

43 Mike Beekey- Black Hat Briefings ‘01 Hypothetical Detection Application Purpose –Track and maintain ARP/IP pairings –Identify non-standard ARP-replies versus acceptable ones Timeout issues –OS must withstand corruption itself –Fix broken ARP entries of systems Transmission of correct ARP replies

44 Mike Beekey- Black Hat Briefings ‘01 Tools and Utilities

45 Mike Beekey- Black Hat Briefings ‘01 Public Domain Tools Manipulation –Dsniff 2.3 –Hunt 1.5 –Growing number of others Local monitoring –Arpwatch 1.11

46 Mike Beekey- Black Hat Briefings ‘01 Bibliography Finlayson, Mann, Mogul, Theimer, RFC 903 “A Reverse Address Resolution Protocol,” June 1984 Kra, Hunt 1.5, Copyright 2000http:// Lawrence Berkeley National Laboratory, Network Research Group, Arpwatch 1.11, ftp://ftp.ee.lbl.gov/arpwatch.tar.Z, Copyright 1996ftp://ftp.ee.lbl.gov/arpwatch.tar.Z Plummer, David C., RFC 826 “An Ethernet Address Resolution Protocol,” November 1982 Russel, Ryan and Cunningham, Stace, “Hack Proofing Your Network,”, Syngress Publishing Inc, Copyright 2000 Song, Dug, Dsniff 2.3, Copyright 2000http://

47 Mike Beekey- Black Hat Briefings ‘01 Demonstrations

48 Mike Beekey- Black Hat Briefings ‘01 Demo Environment

49 Mike Beekey- Black Hat Briefings ‘01 Demonstration Tools rfarp 1.1 –Provides ARP relay capability and packet dump for two selected stations –Corrects MAC entries upon exiting farp 1.1b –Passive and active collection of ARP messages –DoS Attacks on single hosts –DoS Attacks on entire collection –Arbitrary and manual input of spoofed MAC addresses

50 Mike Beekey- Black Hat Briefings ‘01 ARP Attacks Disclosure attacks –ARP relaying for a single target –Sniffing attacks DoS related –Port scan defense –DoS attacks on a single host, group, or subnet

51 Mike Beekey- Black Hat Briefings ‘01 Questions Mike Beekey

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.