Sniffing and Spoofing

Spoofing
- Fraudulent authentication of one machine as another
- ARP spoofing
- IP spoofing
- DNS spoofing
- Web spoofing

ARP spoofing
- Address Resolution Protocol (ARP): maps an IP address to a hardware (Ethernet) address
- A host sends an ARP packet: "who has IP address X, and what is your hardware address?"
- ARP cache: table of recent responses
- ARP spoofing:
  1. Assume IP address "a" of a trusted host
  2. Respond to ARP packets for address "a"
  3. Send a false hardware address (i.e. the fraud's address)
  4. Solution: make ARP cache entries static (manual updates!?!)

ARP Message Formats
- ARP packets provide the mapping between hardware-layer and protocol-layer addresses
- 28-byte header for an IPv4 Ethernet network: 8 bytes of ARP data + 20 bytes of Ethernet/IP address data
- 6 ARP messages: ARP request and reply; ARP reverse request and reply; ARP inverse request and reply

ARP Request Message
- Source contains the initiating system's MAC address and IP address
- Destination contains the broadcast MAC address ff:ff:ff:ff:ff:ff

ARP Reply Message
- Source contains the replying system's MAC address and IP address
- Destination contains the requester's MAC address and IP address
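The ARP format slides above describe a 14-byte Ethernet header followed by 8 bytes of ARP data and 20 bytes of address data. The decoder below is an added example (not code from the deck or from any tool it names) that parses exactly that layout and checks the two expectations the request/reply slides state: requests go to the broadcast MAC, replies go to the requester's MAC. It also compares the ARP sender MAC with the Ethernet source MAC, a cheap consistency check a monitor can apply. The three frames are constructed test vectors with private addresses; the opcode table follows RFC 826, RFC 903 and RFC 2390, which define the six message types the slide lists.

```python
import struct

# Opcodes for the six message types on the slide (RFC 826 ARP, RFC 903 RARP,
# RFC 2390 Inverse ARP).
ARP_OPCODES = {1: "request", 2: "reply", 3: "rarp-request", 4: "rarp-reply",
               8: "inarp-request", 9: "inarp-reply"}
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> dict:
    """Decode a 14-byte Ethernet header plus the 28-byte IPv4/Ethernet ARP body.
    ARP body layout: htype(2) ptype(2) hlen(1) plen(1) oper(2) = 8 bytes of
    ARP data, then sha(6) spa(4) tha(6) tpa(4) = 20 bytes of address data."""
    if len(frame) < 42:
        raise ValueError("frame shorter than Ethernet + ARP header")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype {ethertype:#06x})")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    if oper not in ARP_OPCODES:
        raise ValueError(f"unknown ARP opcode {oper}")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
            "op": ARP_OPCODES[oper],
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def frame_anomalies(frame: bytes) -> list:
    """Apply the slide's expectations to one frame and return what deviates:
    requests should be broadcast, replies should be unicast to the requester,
    and the ARP sender MAC should equal the Ethernet source MAC."""
    p = parse_arp_frame(frame)
    issues = []
    if p["op"] == "request" and p["eth_dst"] != BROADCAST:
        issues.append("request not sent to broadcast MAC")
    if p["op"] == "reply" and p["eth_dst"] != p["target_mac"]:
        issues.append("reply not addressed to the requester's MAC")
    if p["sender_mac"] != p["eth_src"]:
        issues.append("ARP sender MAC differs from Ethernet source MAC")
    return issues


# Constructed frames: 192.168.1.10 (00:11:22:33:44:55) asks for 192.168.1.1,
# which answers from 00:aa:bb:cc:dd:ee.
REQUEST_FRAME = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"          # Ethernet: broadcast dst
    "0001" "0800" "06" "04" "0001"                # ARP data, opcode 1
    "001122334455" "c0a8010a"                     # sender MAC / IP
    "000000000000" "c0a80101")                    # target MAC unknown / IP
REPLY_FRAME = bytes.fromhex(
    "001122334455" "00aabbccddee" "0806"          # Ethernet: unicast to requester
    "0001" "0800" "06" "04" "0002"                # ARP data, opcode 2
    "00aabbccddee" "c0a80101"
    "001122334455" "c0a8010a")
# Constructed reply whose Ethernet source and ARP sender MAC disagree.
MISMATCHED_REPLY = bytes.fromhex(
    "001122334455" "00deadbeef00" "0806"
    "0001" "0800" "06" "04" "0002"
    "00aabbccddee" "c0a80101"
    "001122334455" "c0a8010a")

if __name__ == "__main__":
    for name, frame in [("request", REQUEST_FRAME), ("reply", REPLY_FRAME),
                        ("mismatched", MISMATCHED_REPLY)]:
        print(name, parse_arp_frame(frame)["op"], frame_anomalies(frame))
```

A gratuitous ARP announcement is a reply sent to the broadcast address with the sender as its own target, so the "reply not addressed to the requester's MAC" check fires on it; whether that is noise or signal depends on the segment, which is why the next slides track pairings over time rather than judging single frames.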
Types of Attack
- Sniffing attacks
- Session hijacking / man-in-the-middle (MiM)
- Denial of service

Sniffing on a Hub
(diagram)

Switch Sniffing
- Normal switched networks
  - Switches relay traffic between two stations based on MAC addresses
  - Stations only see broadcast or multicast traffic
- Compromised switched networks
  - Attacker spoofs destination and source addresses
  - Forces all traffic between two stations through its system

Unsolicited ARP Reply
- Any system can spoof a reply to an ARP request
- The receiving system will cache the reply
  - Overwrites an existing entry
  - Adds an entry if one does not exist
- Usually called ARP poisoning

Host to Host Exploit
(diagram)

Host to Router Exploit
(diagram)

Relay Configuration
(diagram)

Relay Configuration (cont.)
(diagram)

Session Hijacking/MiM
- Natural extension of the sniffing capability
- "Easier" than standard hijacking
  - Don't have to deal with duplicate/un-sync'd packets arriving at destination and source
  - Avoids packet storms

Denial of Service
- Spoofing the destination MAC address of a connection will prevent the intended source from receiving/accepting it
- Benefits
  - No protocol limitation
  - Eliminates synchronization issues
- Examples
  - UDP DoS
  - TCP connection killing instead of using RSTs

DoS MAC Entries
(diagram)

Denial of Service Examples
(diagram)

ARP Attack on Web Surfing
- Web surfers require the gateway router to reach the Internet
- Method
  - Identify the surfer's MAC address
  - Change their cached gateway MAC address (or DNS MAC address, if local) to "something else"

ARP Attack on Network-based IDS
- Poorly constructed (single-homed) IDS network systems relay auditing data/alerts to management/admin consoles
- Method
  - Identify the local IDS network engine
  - Modify the gateway MAC address
  - Modify the console/management station address

Switch Attacks
- Certain attacks may overflow a switch's ARP tables
- Method
  - A MAC address is composed of six bytes, which is equivalent to 2^48 possible addresses
  - See how many randomly generated ARP replies or ARP requests it takes before the switch "fails"

Switch Attacks (cont.)
- Switches may
  - Fail open: the switch actually becomes a hub
  - Fail (closed): no traffic passes through the switch, requiring a hard or soft reboot

Network "Bombs"
- "Hidden" application installed on a compromised system
- Method
  - Passively or actively collects ARP entries
  - Attacker specifies a timeout or future time
  - Application transmits false ARP entries to its list

Vulnerable Systems
- Windows 95, Windows 98, Windows NT, Windows 2000
- AIX 4.3, HP 10.2
- Linux RedHat 7.0, FreeBSD 4.2
- Cisco IOS 11.1, Netgear

Not Vulnerable
- Sun Solaris 2.8: appears to resist cache poisoning
Countermeasures

Firewalls
- Most "personal" firewalls are not capable of defending against, or correctly identifying, attacks below the IP level
- UNIX: ipfw, ipf (IP Filter)
- Windows environments: Network Ice / Black Ice

Session Encryption
- Examples
  - Establishing VPNs between networks or systems
  - Using application-level encryption
- Effects
  - Protects against disclosure attacks
  - Will not prevent DoS attacks

Strong Authentication
- Examples
  - One-time passwords
  - Certificates
- Effects
  - None on disclosure attacks
  - None on DoS attacks

Port Security
- Cisco switches: set port security ?/? enable
- Restricts source MAC addresses
  - Hard-coded ones
  - "Learned" ones
- Ability to set timeouts
- Ability to generate traps
- Ability to "shut down" a violating port

Port Security (cont.)
- Issues
  - Only restricts source MAC addresses
  - Will not prevent ARP relay attacks
  - Will only prevent ARP source spoofing attacks

Hard Coding Addresses
- Example
  - Individual systems can hard-code the corresponding MAC address of another system/address
- Issues
  - Management nightmare
  - Not scalable
  - Not supported by some OS vendors

Hard Coding Results
Operating System    Result
Windows 95          FAIL
Windows 98          FAIL
Windows NT          FAIL
Windows 2000        FAIL
Linux RedHat 7.0    YES
FreeBSD 4.2         YES
Solaris 2.8         YES

Countermeasure Summary
(matrix slide: rows Firewalls, Session Encryption, Strong Authentication, Port Security, Hard Coding; columns Sniffing, Session Hijacking, Denial of Service; the cell values were not recovered from the extracted text)
Detection

IDS Architecture Issues
(diagram)

OS Level Detection
Operating System    Detection
Windows 95          NO
Windows 98          NO
Windows NT          NO
Windows 2000        NO
Linux RedHat 7.0    NO
FreeBSD 4.2         YES

Hypothetical Detection Application
- Purpose
  - Track and maintain ARP/IP pairings
  - Identify non-standard ARP replies versus acceptable ones
  - Timeout issues
- The OS must withstand corruption itself
- Fix broken ARP entries of systems
  - Transmission of correct ARP replies
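The "Unsolicited ARP Reply" slide and the "Hypothetical Detection Application" slide together describe what a passive monitor must do: remember which requests are outstanding, learn IP/MAC pairings only from answers to them, and report replies that arrive unasked or contradict the cache. The class below is an added example of that logic (it is not arpwatch, farp or any tool the deck names) working on already-decoded ARP records; the record dictionaries, timestamps and timeouts are constructed for the demonstration. Answers to a seen request update the cache; unsolicited replies never do, they only raise alerts, which is the behaviour the slide asks for when the OS's own cache cannot withstand corruption.

```python
from dataclasses import dataclass, field


@dataclass
class ArpMonitor:
    """Passive IP->MAC tracker. Timeouts are in seconds (constructed values)."""
    request_timeout: float = 2.0       # how long a reply may lag its request
    entry_timeout: float = 600.0       # how long a confirmed pairing stays trusted
    pairings: dict = field(default_factory=dict)   # ip -> (mac, time confirmed)
    pending: dict = field(default_factory=dict)    # (target_ip, requester_mac) -> time asked

    def observe(self, pkt: dict, now: float) -> list:
        """Feed one decoded ARP record; return the alerts it produced."""
        alerts = []
        if pkt["op"] == "request":
            self.pending[(pkt["target_ip"], pkt["sender_mac"])] = now
            return alerts
        if pkt["op"] != "reply":
            return alerts
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        asked = self.pending.pop((ip, pkt["target_mac"]), None)
        solicited = asked is not None and now - asked <= self.request_timeout
        known = self.pairings.get(ip)
        if known is not None and now - known[1] > self.entry_timeout:
            known = None                           # stale pairing, re-learn it
        if solicited:
            if known is not None and known[0] != mac:
                alerts.append(f"changed MAC for {ip}: {known[0]} -> {mac} (answer to a request; updated)")
            self.pairings[ip] = (mac, now)         # only answers to requests are trusted
        elif known is None:
            alerts.append(f"unsolicited reply from unknown station: {ip} is-at {mac} (not learned)")
        elif known[0] != mac:
            alerts.append(f"unsolicited reply contradicts cache: {ip} is-at {mac}, expected {known[0]} (kept)")
        else:
            self.pairings[ip] = (mac, now)         # gratuitous refresh that matches the cache
        return alerts

    def expected_mac(self, ip: str):
        """The MAC a corrective ARP reply for `ip` would carry, or None."""
        entry = self.pairings.get(ip)
        return entry[0] if entry else None


# Constructed traffic: a legitimate request/reply for the gateway 192.168.1.1,
# then an unsolicited reply claiming the gateway, then a reply for an IP nobody asked about.
TRAFFIC = [
    (0.0, {"op": "request", "sender_mac": "00:11:22:33:44:55", "sender_ip": "192.168.1.10",
           "target_mac": "00:00:00:00:00:00", "target_ip": "192.168.1.1"}),
    (0.1, {"op": "reply", "sender_mac": "00:aa:bb:cc:dd:ee", "sender_ip": "192.168.1.1",
           "target_mac": "00:11:22:33:44:55", "target_ip": "192.168.1.10"}),
    (5.0, {"op": "reply", "sender_mac": "00:de:ad:be:ef:00", "sender_ip": "192.168.1.1",
           "target_mac": "00:11:22:33:44:55", "target_ip": "192.168.1.10"}),
    (6.0, {"op": "reply", "sender_mac": "00:de:ad:be:ef:00", "sender_ip": "192.168.1.77",
           "target_mac": "ff:ff:ff:ff:ff:ff", "target_ip": "192.168.1.77"}),
]


def replay(traffic):
    """Run a list of (timestamp, record) pairs through a fresh monitor."""
    monitor = ArpMonitor()
    alerts = []
    for t, pkt in traffic:
        alerts.extend(monitor.observe(pkt, t))
    return monitor, alerts


if __name__ == "__main__":
    mon, alerts = replay(TRAFFIC)
    print("\n".join(alerts))
    print("gateway MAC still trusted:", mon.expected_mac("192.168.1.1"))
```

The "fix broken entries" step on the slide would take `expected_mac()` as the value to re-announce; it is deliberately left out here because re-announcing is itself an unsolicited reply and should only be done by an operator-controlled host.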
Public Domain Tools
- Manipulation
  - Dsniff 2.3
  - Hunt 1.5
  - Growing number of others
- Local monitoring
  - Arpwatch 1.11

Demo Environment
(diagram)

Demonstration Tools
- rfarp 1.1
  - Provides ARP relay capability and packet dump for two selected stations
  - Corrects MAC entries upon exiting
- farp 1.1b
  - Passive and active collection of ARP messages
  - DoS attacks on single hosts
  - DoS attacks on the entire collection
  - Arbitrary and manual input of spoofed MAC addresses

Bibliography
- Finlayson, Mann, Mogul, Theimer, RFC 903, "A Reverse Address Resolution Protocol," June 1984
- Kra, Hunt 1.5, Copyright 2000, http://
- Lawrence Berkeley National Laboratory, Network Research Group, Arpwatch 1.11, ftp://ftp.ee.lbl.gov/arpwatch.tar.Z, Copyright 1996
- Plummer, David C., RFC 826, "An Ethernet Address Resolution Protocol," November 1982
- Russell, Ryan and Cunningham, Stace, "Hack Proofing Your Network," Syngress Publishing Inc, Copyright 2000
- Song, Dug, Dsniff 2.3, Copyright
IP Spoofing

Definitions
- An open connection between two computers communicating by TCP/IP is called a socket and is defined by:
  - Source IP number
  - Source port number
  - Destination IP number
  - Destination port number
  - Initial source SEQ number
  - Initial destination SEQ number
  - An ID # that is increased for each packet

TCP packet header
16-bit source port number | 16-bit destination port number
32-bit sequence number
32-bit acknowledgement number
header length | unused | flags | 16-bit window size
16-bit TCP checksum | 16-bit urgent offset
Options (if any)
Data (if any)

Traditional TCP/IP handshake (1): SYN
- attacker -> target: SYN
  - Src IP, Dst IP; Src port, Dst port
  - Syn = src seq# (initial), Ack = NULL, Flags = S
  - Src ID = src ID + 1

Traditional TCP/IP handshake (2): SYN/ACK
- target -> attacker: SYN/ACK
  - Src IP, Dst IP; Src port, Dst port
  - Syn = dst seq#, Ack = src seq# + 1, Flags = S+A
  - Dst ID = dst ID + 1

Traditional TCP/IP handshake (3): ACK
- attacker -> target: ACK
  - Src IP, Dst IP; Src port, Dst port
  - Syn = src seq#, Ack = dst seq# + 1, Flags = A
  - Src ID = src ID + 1

Establishing a socket
- A -> B: SYN (seq_a)
- B -> A: SYN/ACK (seq_b, ack = seq_a + 1)
- A -> B: ACK (ack = seq_b + 1)
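The header slide and the three handshake slides give enough to write a connection tracker's handshake check. The code below is an added example (not from the deck) that decodes the fixed 20-byte TCP header with the field order shown on the slide and then verifies that three segments form a valid SYN, SYN/ACK, ACK exchange under the slide's rules: the SYN/ACK acknowledges seq_a + 1, the ACK acknowledges seq_b + 1 and carries seq_a + 1, and the ports are mirrored. This is the check a stateful filter or IDS applies; a third segment whose acknowledgement number does not match the real seq_b (the situation the later "Spoofing TCP connection" slide describes) is rejected. Segments are constructed test vectors with a zero checksum and no options; seq_a is chosen at 2^32 - 1 so the wrap-around case is exercised.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
MOD32 = 1 << 32


def parse_tcp_header(data: bytes) -> dict:
    """Decode the fixed 20-byte TCP header laid out on the slide."""
    if len(data) < 20:
        raise ValueError("TCP header too short")
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", data[:20])
    hlen = (off_res >> 4) * 4             # header length is counted in 32-bit words
    if hlen < 20 or hlen > len(data):
        raise ValueError("bad header length")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "checksum": csum, "urgent": urg,
            "options": data[20:hlen]}


def tcp_header(sport, dport, seq, ack, flags, window=65535) -> bytes:
    """Constructed test vectors only: checksum left zero, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def check_handshake(syn: bytes, synack: bytes, ack: bytes) -> list:
    """Return every reason the three segments do NOT form a valid
    A->B SYN, B->A SYN/ACK, A->B ACK exchange (empty list = valid)."""
    s, sa, a = parse_tcp_header(syn), parse_tcp_header(synack), parse_tcp_header(ack)
    problems = []
    if s["flags"] & (SYN | ACK) != SYN:
        problems.append("first segment is not a bare SYN")
    if sa["flags"] & (SYN | ACK) != SYN | ACK:
        problems.append("second segment is not SYN/ACK")
    if a["flags"] & (SYN | ACK) != ACK:
        problems.append("third segment is not a bare ACK")
    if (sa["sport"], sa["dport"]) != (s["dport"], s["sport"]):
        problems.append("SYN/ACK ports are not the reverse of the SYN's")
    if (a["sport"], a["dport"]) != (s["sport"], s["dport"]):
        problems.append("ACK ports differ from the SYN's")
    if sa["ack"] != (s["seq"] + 1) % MOD32:
        problems.append("SYN/ACK does not acknowledge seq_a + 1")
    if a["ack"] != (sa["seq"] + 1) % MOD32:
        problems.append("ACK does not acknowledge seq_b + 1")
    if a["seq"] != (s["seq"] + 1) % MOD32:
        problems.append("ACK sequence number is not seq_a + 1")
    return problems


# Constructed vectors: client port 40000 -> server port 80.
SEQ_A, SEQ_B = 0xFFFFFFFF, 1000        # seq_a + 1 wraps to 0
GOOD = (tcp_header(40000, 80, SEQ_A, 0, SYN),
        tcp_header(80, 40000, SEQ_B, (SEQ_A + 1) % MOD32, SYN | ACK),
        tcp_header(40000, 80, (SEQ_A + 1) % MOD32, SEQ_B + 1, ACK))
# Same exchange, but the final ACK carries an acknowledgement number that does
# not match the real seq_b (what a blind third party would have to guess).
BAD_ACK = GOOD[:2] + (tcp_header(40000, 80, (SEQ_A + 1) % MOD32, 5000, ACK),)

if __name__ == "__main__":
    print("good:", check_handshake(*GOOD))
    print("bad :", check_handshake(*BAD_ACK))
```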
Traditional port scanning
- attacker -> target: SYN
- target -> attacker: SYN/ACK
- attacker -> target: ACK

Traditional stealth scanning 1
- attacker -> target: SYN
- target -> attacker: SYN/ACK
- (no ACK sent)

Traditional stealth scanning 2
- attacker -> target: SYN
- target -> attacker: SYN/ACK
- attacker -> target: RST

Sequence numbers
- Are in place to provide easy packet reassembly
- Increment each time a packet is sent
- Various incrementation schemes exist

ID flag
- Is in place to identify each TCP session
- Is also in some cases used for packet reassembly
- The ID counter is increased every time a packet is sent
- This is valid for all packets, including reset packets

ID flag prediction
- Most Unix boxes increment the ID by a random or pseudo-random number
- Up till today, ID numbers have not been known to be security critical
- Some Windows versions tend to increment the ID# by 1, while some seem to increment the ID# by 254
  - This is due to reversed byte ordering of the ID# in these operating systems

IP spoofing
- 3 computers: A, B, C
- C sends a packet to A, but makes A believe that the packet comes from B
- How to do it? Easy?
  - Set the source IP address of the IP header to the IP address of B
  - This can be done easily using "raw" IP packets
  - You can make IP packets on your own, so you can also set the source IP address to any value you want
Spoofed scanning in theory (1)
- By constantly polling a decoy host for ID number increments, we can see if the scanned target host has sent it SYN/ACK or reset packets
- By analyzing this we will know whether a port on the scanned host is open or not
- This is done totally blind from the scanned host

Spoofed scanning in theory (2)
- Since we know a machine will increase the ID# by sending a packet, we can, by constantly probing the host, see how many packets it has sent between our polls
- This is done by monitoring the ID# increment

Spoofed scanning in theory (3)
- If a port is open on the scanned host, the server will respond with a SYN/ACK
- If a port is closed on the scanned host, it will respond with a RST

Spoofed scanning in theory (4)
- If a host receives a SYN/ACK from an unknown source, it will send a RST packet back
- If a host receives a RST packet from an unknown source, it will NOT send a packet back
Internet security threats
- IP spoofing: can generate "raw" IP packets directly from an application, putting any value into the IP source address field
- The receiver can't tell if the source is spoofed
- E.g.: C pretends to be B
  (diagram: hosts A, B, C; C sends a packet with src:B, dest:A, payload)

Why IP spoofing?
- IP address as authentication method
  - Not as safe as username/password authentication, but used in many cases
  - E.g. rlogin host: a network of workstations that share the same user database
  - The host detects the IP address of the client; if it is in the trusted list, login is granted without asking for a username and password
- Consequence: the attacker can get access to all the information of the spoofed computer on the server

How to do IP spoofing?
- IP spoofing is a blind attack
  - Why? Where does the victim send the reply to?
- It is extremely hard to carry out successful IP spoofing
  - Must create a successful TCP connection with the victim. How?

TCP Connection Establishment
- Active participant (client) -> passive participant (server): SYN, SequenceNum = x
- Server -> client: SYN + ACK, SequenceNum = y, Acknowledgment = x + 1
- Client -> server: ACK, Acknowledgment = y + 1

Spoofing TCP connection
- A SYN request is sent by C to A; C is impersonating B
- A will reply to B (not C) by sending a SYN/ACK packet
- Case 1: B receives the SYN/ACK and gets confused; it replies with NACK. Spoofing fails
- Case 2: B doesn't reply to A (hopefully)
  - C sends ACK to A
  - Has to guess the SYN SEQ# number A sent to B and reply with SEQ# + 1
  - Hard but possible

TCP SYN attack
- In Berkeley implementations, the ISN is incremented by a constant amount (64000) once per 0.5 second, and each time a connection is initiated
- It is not hopeless to guess the next ISN to be used by a server
- An attacker can impersonate a trusted host (e.g., in the case of r-commands, authentication is based solely on the source IP address)
- Exchange (attacker, server, trusted host T):
  - attacker -> server: SYN = ISN_X, SRC_IP = T
  - server -> T: SYN = ISN_S, ACK(ISN_X)
  - attacker -> server: ACK(ISN_S), SRC_IP = T
  - attacker -> server: SRC_IP = T, nasty_data

Steps of IP spoofing attack
1. Detecting the trusted system: C wants to access A and finds that A trusts B
2. Blocking the trusted system (B), so that it does not respond to the SYN request from A. How? DoS attack on B
3. Guessing the SEQ# of B
   - Must know how TCP generates the SEQ#
   - Try to connect to open ports of B right before the attack; check the SEQ#
   - Predict the next SEQ# according to the TCP algorithm, given the last SEQ# and the elapsed time
4. Making the TCP connection
5. Doing damage

Counter Measures
- Avoid using IP as an authentication method
  - Username/password is better
- Install a firewall
  - Trusted IPs are usually on the same network; spoofed IPs come from the outside network
  - The firewall blocks IP packets from outside the network, especially those with a source IP inside the network
  - Also, the attacker's firewall should block packets with a source IP different from the internal network
- IPsec
  - Secure IP using encryption
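The "TCP SYN attack" slide says the Berkeley ISN advances by 64000 every 0.5 s and by 64000 per connection, which is why it can be extrapolated from a few legitimate connections, and the "Steps" slide turns that into the guessing step. The code below is an added example (not from the deck) that audits a server's ISN generator the way a defender would: open a few connections, extrapolate the slide's linear model, and measure how far the next ISN lands from the prediction. It models the slide's Berkeley generator and, for contrast, an RFC 6528-style generator (4 microsecond clock plus a keyed hash of the connection 4-tuple), which is the mitigation modern stacks use and is not listed on the countermeasures slide. The base value, secret key, addresses and probe timing are constructed; the rlogin port 513 is the one the "Why IP spoofing?" slide alludes to.

```python
import hashlib
import hmac
import statistics

MOD32 = 1 << 32


def berkeley_isn(base: int, elapsed_s: float, connections: int) -> int:
    """ISN generator as the slide describes the Berkeley implementation:
    +64000 once per 0.5 s and +64000 for every connection initiated."""
    return (base + 64000 * int(elapsed_s // 0.5) + 64000 * connections) % MOD32


def rfc6528_isn(secret: bytes, src: tuple, dst: tuple, elapsed_s: float) -> int:
    """ISN = 4-microsecond clock + keyed hash of the 4-tuple (RFC 6528 scheme;
    added here as the contrast, not on the slide)."""
    clock = int(elapsed_s * 250_000) % MOD32
    msg = f"{src[0]}:{src[1]}>{dst[0]}:{dst[1]}".encode()
    f = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (clock + f) % MOD32


def predict_next(observed: list) -> int:
    """Extrapolate the slide's linear model from ISNs seen on consecutive
    connections: next = last + median per-connection increment (mod 2^32)."""
    deltas = [(b - a) % MOD32 for a, b in zip(observed, observed[1:])]
    return (observed[-1] + int(statistics.median(deltas))) % MOD32


def prediction_error(predicted: int, actual: int) -> int:
    """Circular distance between two 32-bit sequence numbers."""
    d = (actual - predicted) % MOD32
    return min(d, MOD32 - d)


def audit(generator, probes: int = 4) -> int:
    """Open `probes` connections 0.1 s apart, predict the ISN of one more and
    return the prediction error. generator(elapsed_s, n) returns the ISN the
    server hands out for its n-th connection at time elapsed_s (a modelling
    assumption of this example; a real audit would record live ISNs)."""
    observed = [generator(0.1 * n, n) for n in range(probes)]
    actual = generator(0.1 * probes, probes)
    return prediction_error(predict_next(observed), actual)


# Constructed server models.
def berkeley_server(elapsed_s, n):
    return berkeley_isn(123456, elapsed_s, n)


def randomized_server(elapsed_s, n):
    return rfc6528_isn(b"constructed-secret", ("10.0.0.5", 40000 + n), ("10.0.0.1", 513), elapsed_s)


if __name__ == "__main__":
    print("Berkeley-style generator, prediction error:", audit(berkeley_server))
    print("RFC 6528-style generator, prediction error:", audit(randomized_server))
```

An error of 0 means the next ISN is known exactly before the SYN/ACK is ever seen; that is the property the slide's "not hopeless to guess" remark refers to, and the property the keyed-hash generator removes because each 4-tuple gets an unrelated offset.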
SYN Floods
- Simple to execute
- Send many SYNs to the target host in quick succession, with spoofed IPs
- The target allocates a buffer in kernel space, which stays allocated until time-out

Reconnaissance with Spoofed IPs
- 3 basic recon methods
  - Spoofed IPs as misinformation
  - Port scanning by IP sequence number observation
  - Port scanning by indirect observation

Spoofed IP Addresses As Background Noise
- An attacker can use spoofed IP addresses to create suspicious traffic that cannot easily be tracked down to the actual attacker. The intent here is not to leverage data from the actual spoofed packets, but to allow the attacker's real activity, or identity, to be hidden among the false packets.
- Nmap, perhaps the most common network scanner at the moment, allows the use of numerous "decoy" addresses. Using the -D option in Nmap, such as nmap -O -D <decoy1>,<decoy2>,actual.attacker.ip.address,<decoy3> <target>, will allow an attacker to determine the operating system of the host at <target> while making it appear that the system is being scanned by four simultaneous hosts, only one of which (the 3rd sequentially) is the attacker.

Spoofed IPs as Background Noise
- Scan from 100 random (used) IPs and your own
- All must be checked to determine the actual scanner
- Ex: the -D option in nmap

Indirect Reconnaissance of a Target
1. Hosts reply SYN|ACK to a SYN if the TCP target port is open, and reply RST|ACK if the TCP target port is closed
2. You can know the number of packets that hosts are sending using the ID field of the IP header
3. Hosts reply RST to a SYN|ACK, and reply nothing to a RST
- The significance of this is that, due to predictable IP IDs, it is possible to remotely determine whether a particular host is sending traffic to a third party. Using another of the described tendencies, it is also possible to predict how a host will react to a port scan. If a host is listening on a port, a probe (SYN) to that port will result in a SYN/ACK.

Indirect Reconnaissance of a Target
(diagram)

IP Sequence Number Observation
(diagram: Step 1, A -> Z echo, echo response; Step 2, spoofed SYN from Z to T, unknown traffic; Step 3, A -> Z echo, echo response)

Indirect Reconnaissance of a Target
(diagram)
Introducing our players
(diagram: target, attacker, spoof host)

Why do we need three of them
(diagram: target, attacker, spoof host; the hosts are labelled unknowing.com and 3vil.org)

Phase one (sync the ID# of spoof)
- attacker -> spoof host: SYN:80
- spoof host -> attacker: SYN/ACK

Why did we do that
- The attacker now knows the spoof host's initial ID#

Phase 2 (spoofing the source)
- attacker -> target: SYN, src = ..., dst = ... (addresses on the slide not recovered)

Phase 3 (fooling the response)
- target -> spoof host: SYN/ACK, src = ..., dst = ...
- spoof host -> target: RST, src = ..., dst = ...

Phase 4 (probing the spoof host)
- attacker -> spoof host: SYN:80
- spoof host -> attacker: SYN/ACK

Case port open: adding the ID counters
- Phase one: attacker -> spoof host SYN:80; spoof host -> attacker SYN/ACK (spoof host ID = ...)
- Phase 2: attacker -> target SYN, src = ..., dst = ... (spoof host ID = ...)
- Phase 3: target -> spoof host SYN/ACK; spoof host -> target RST (spoof host ID = ...)
- Phase 4: attacker -> spoof host SYN:80; spoof host -> attacker SYN/ACK (spoof host ID = ...)
(the ID values on these slides were not recovered from the extracted text)

Case port closed: adding the ID counters
- Phase one: attacker -> spoof host SYN:80; spoof host -> attacker SYN/ACK (spoof host ID = ...)
- Phase 2: attacker -> target SYN, src = ..., dst = ... (spoof host ID = ...)
- Phase 3: target -> spoof host RST, src = ..., dst = ...; no reply from the spoof host (spoof host ID = ...)
- Phase 4: attacker -> spoof host SYN:80; spoof host -> attacker SYN/ACK (spoof host ID = ...)
The basic technique and its flaws
- If the poll host is active, it will increase the ID# for each connection; this will result in false positives
- These false positives can be minimized by sending multiple packets for each port, then calculating the increase
- The port will only show up as true if the increase is > (#packets_sent * 255) / 2

Phase 2 (spoofing the source), with multiple packets
- attacker -> target: (SYN, src = ..., dst = ...) * 20 (spoof host ID = ...)

Phase 3 (fooling the response)
- target -> spoof host: SYN/ACK, src = ..., dst = ... (spoof host ID = ...)

Summary
- By constantly polling a decoy host for ID number increments, we can see if the scanned target host has sent it SYN/ACK or reset packets
- By analysing this, we will know whether a port on the scanned host is open or not
- This is done totally blind from the scanned host
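Everything from the "ID flag prediction" slide through "The basic technique and its flaws" rests on one observable: how a host's IP ID field changes between consecutive replies. The code below is an added example (not from the deck or from nmap) of the defender's side of that observation: given IP ID values collected from a host's replies to a few probes, classify its generator as incremental, byte-swapped incremental (a constant step of 256 when the counter is read in network byte order), busy incremental (monotonic but irregular because the host is talking to others), or random. Hosts in the first two classes are the ones the slides can use as a "decoy" or "spoof host", so an inventory of them tells you which systems need a randomized or per-destination IP ID. The last function applies the slide's own false-positive threshold so the effect of a busy host can be seen on constructed numbers; all samples are constructed.

```python
MOD16 = 1 << 16


def ip_id_deltas(samples: list) -> list:
    """Per-packet IP ID increments between consecutive replies (mod 2^16)."""
    return [(b - a) % MOD16 for a, b in zip(samples, samples[1:])]


def classify_ip_id(samples: list) -> str:
    """Classify a host's IP ID generator from the IDs of its replies to
    consecutive probes sent back-to-back.
      incremental             : +1 per packet (counter in network byte order)
      byte-swapped incremental: +256 per packet (counter stored in host order)
      busy incremental        : small positive but irregular steps (other traffic)
      random                  : no usable pattern"""
    deltas = ip_id_deltas(samples)
    if len(deltas) < 3:
        raise ValueError("need at least 4 samples")
    if all(d == 1 for d in deltas):
        return "incremental"
    if all(d == 256 for d in deltas):
        return "byte-swapped incremental"
    if all(0 < d < 5 * 256 for d in deltas):
        return "busy incremental"
    return "random"


def port_open_by_slide_rule(id_before: int, id_after: int, packets_sent: int) -> bool:
    """The slide's decision rule: count the port as open only if the decoy
    host's ID advanced by more than (packets_sent * 255) / 2."""
    return (id_after - id_before) % MOD16 > (packets_sent * 255) / 2


def exposure_report(hosts: dict) -> dict:
    """Map host name -> generator class for an inventory of sampled hosts;
    anything other than 'random' is worth fixing."""
    return {name: classify_ip_id(samples) for name, samples in hosts.items()}


# Constructed samples (values a monitor might collect, not real hosts).
SAMPLES = {
    "ws-1": [100, 101, 102, 103, 104],                    # +1 counter
    "ws-2": [0x1000, 0x1100, 0x1200, 0x1300],             # +256, byte-swapped counter
    "fileserver": [5000, 5003, 5004, 5010],               # counter, but busy
    "unix-gw": [100, 40000, 7, 65000],                    # random-looking
    "wrap": [65535, 0, 1, 2],                             # +1 counter across the 16-bit wrap
}

if __name__ == "__main__":
    for host, cls in exposure_report(SAMPLES).items():
        print(f"{host:12s} {cls}")
    # 20 probes; an idle byte-swapped host that answered each with a RST
    # advances by 20*256, an idle host whose port was closed barely moves.
    print("idle, port open  :", port_open_by_slide_rule(1000, 1000 + 20 * 256, 20))
    print("idle, port closed:", port_open_by_slide_rule(1000, 1003, 20))
```

The threshold on the slide is tuned for a 256-per-packet host; on a host whose own traffic adds several hundred IDs between polls the rule can cross the threshold with no port open at all, which is exactly the false positive the slide warns about and one more reason a busy, non-incrementing host is the safe configuration.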
DoS/DDoS
- DoS attacks are as old as the Internet itself
- Year 2000 was when a completely new quality of DoS attack started (DDoS)
- DDoS struck a huge number of prominent web sites, including Yahoo, eBay, Amazon and Buy.com
- DDoS concepts:
  - Distributing the attack across several hosts
  - Coordinating the attack among many machines
  - Using the distribution system to thwart all attempts at discovering the origin of the attack

DoS/DDoS Flood Attack Methods
- Smurf attack
- TCP SYN attack
- UDP attack
- TCP attack
- ICMP attack

DoS/DDoS TCP SYN Attack
- Exploits the three-way handshake

"Smurf"
(diagram)
DNS Spoofing
- Someone else's domain name -> your computer
- Possible damages:
  - Redirected e-mail: mail sent from A to B goes to C instead; C spoofed B's domain name
  - Redirected web server
  - Possible attack by exploiting a browser vulnerability

How to do DNS spoofing?
- C: the attacker wants to spoof B; A communicates with B
- Method 1
  - Modify C's name server ns.C; let it respond to "C=?" with "B=C.ip"
  - This is replying with something that was not asked for
  - Send the DNS request "C=?" to ns.A; ns.A asks ns.C; ns.C replies "B=C.ip"
- Method 2
  - C sends the DNS request "B=?" to ns.A
  - C replies "B=C.ip" to ns.A
  - UDP makes it easier; still need to guess the request ID

Countermeasures
- Paranoid DNS checking
  - The resolved IP address is sent to DNS for reverse resolution to get the hostname
  - Send the hostname to DNS again to get the IP address
  - If the two IP addresses match = OK
- Secure name server
  - DNSsec: digitally signed answers
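The "Paranoid DNS checking" bullet is a three-step procedure: forward-resolve the name, reverse-resolve the address, forward-resolve the returned name, and compare the two addresses. The code below is an added example (not from the deck) that implements those steps with the resolver calls injected, so it runs offline against constructed zone data in the RFC 5737 documentation ranges. One point the steps do not spell out: the address-only comparison is satisfied whenever the attacker's address has a PTR record that forward-resolves back to it, which is the normal state of any properly registered host. The `strict` flag therefore also requires the PTR name to match the name that was asked for; that stricter variant is an addition of this example, and the test data shows both outcomes on a resolver whose "B" answer has been replaced by C.ip as the slide's Method 1 and 2 describe.

```python
# Constructed zone data (RFC 5737 documentation addresses), not real hosts.
FORWARD = {"b.example": "192.0.2.10",
           "c.example": "198.51.100.7",
           "orphan.example": "203.0.113.9"}       # has an A record but no PTR
REVERSE = {"192.0.2.10": "b.example",
           "198.51.100.7": "c.example"}
# What A's resolver holds after accepting C's "B=C.ip" answer.
FORWARD_POISONED = dict(FORWARD, **{"b.example": "198.51.100.7"})


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def resolve_a(name: str):
    """Forward lookup against the clean constructed zone."""
    return FORWARD.get(_norm(name))


def resolve_a_poisoned(name: str):
    """Forward lookup against the resolver that accepted the spoofed answer."""
    return FORWARD_POISONED.get(_norm(name))


def resolve_ptr(ip: str):
    """Reverse lookup; the reverse zone is not under the spoofer's control here."""
    return REVERSE.get(ip)


def paranoid_check(hostname: str, forward, reverse, strict: bool = False) -> tuple:
    """The slide's procedure: name -> IP, IP -> PTR name, PTR name -> IP2,
    accept if IP == IP2. With strict=True the PTR name must also equal the
    name asked for (added stricter variant). Returns (ok, reason)."""
    ip = forward(hostname)
    if ip is None:
        return False, f"no A record for {hostname}"
    ptr = reverse(ip)
    if ptr is None:
        return False, f"no PTR record for {ip}"
    ip2 = forward(ptr)
    if ip2 != ip:
        return False, f"PTR name {ptr} resolves to {ip2}, not {ip}"
    if strict and _norm(ptr) != _norm(hostname):
        return False, f"PTR name {ptr} differs from requested name {hostname}"
    return True, "consistent"


if __name__ == "__main__":
    print("clean resolver      :", paranoid_check("b.example", resolve_a, resolve_ptr))
    print("poisoned, IP-only   :", paranoid_check("b.example", resolve_a_poisoned, resolve_ptr))
    print("poisoned, strict    :", paranoid_check("b.example", resolve_a_poisoned, resolve_ptr, strict=True))
    print("no PTR              :", paranoid_check("orphan.example", resolve_a, resolve_ptr))
```

To run the same check against live DNS, pass `socket.gethostbyname` as `forward` and a small wrapper that returns `socket.gethostbyaddr(ip)[0]` (and None on `socket.herror`) as `reverse`; the comparison logic does not change.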
Web Spoofing
- Web spoofing, or phishing, or carding: the use of spoofed e-mails and fraudulent websites that trick innocent users into divulging private information such as usernames and passwords, credit card numbers, social security numbers, etc.

A typical web spoofing attack
(diagram)

Web Spoofing
- Web browsing goes through an intermediate attacker
  - The attacker goes to the server, fetches the data and sends it back to the victim
- The attacker is able to monitor all traffic between the victim and the server
  - Including forms
  - Even secure connections!
- Lost privacy
- Hard for an ordinary victim to notice anything wrong

How it works
- JavaScript and plug-ins
- Redirect all web traffic to the attacker's machine, including the links on the pages
- Initiated by visiting a malicious website

Countermeasures
- Check the "lock" button for a secure connection
- Check that it is indeed the website you are visiting
- Check the status bar: does it go somewhere strange?