Network Attacks Bharatha Yajaman ISQS 6342
Outline Sniffing Passive Sniffing Active Sniffing IP Address Spoofing Changing the IP address Undermining UNIX r – commands With source routing Session Hijacking NetCat
Sniffing Sniffers are among the most common tools used by attackers. They target the data link layer of the protocol stack. A sniffer is a program that gathers traffic from the local network; it is useful to attackers, who want every piece of information passing by, and to network administrators trying to troubleshoot problems. An attacker can read the data passing a given machine in real time, or store it in a file for later analysis.
Type of data a sniffer can capture: user IDs and passwords; DNS queries and responses; messages; FTP passwords; files shared using the Network File System (NFS) or Windows shares
An Island Hopping Attack: a user telnets from the compromised LAN to another system; the sniffer gathers the password, which telnet sends in clear text; the attacker now has a user ID and password on the new victim LAN.
Various sniffing tools: tcpdump, freeware for UNIX platforms; windump, a freeware port of tcpdump for Windows 9x, NT and 2000; Snort, a freeware sniffer and network-based intrusion detection system; Ethereal, freeware for UNIX and Windows NT with a nice user interface; Sniffit, widely used in the attacker community, reptile.rug.ac.be/~coder/sniffit/sniffit.html
Sniffing through a Hub – Passive Sniffing Transmitting data across a Hub based LAN just like shouting in a crowded room A hub implements a broadcast medium shared by all systems on the LAN Any data sent across the LAN is actually sent to each and every machine connected to the LAN
Sniffing through a Hub – Passive Sniffing [Diagram: a LAN implemented with a hub (broadcast Ethernet)]
Sniffing through a Hub – Passive Sniffing If an attacker runs a sniffer on one system on the LAN, he can gather data sent to and from any other system on the LAN. The majority of sniffer tools are well suited to sniffing in a hub environment. They are called passive sniffers because they passively wait for data to be sent to them, silently gathering it from the LAN.
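The following is an added example, not part of the original slides: a minimal passive sniffer decoder written in Python that parses raw Ethernet/IPv4/TCP frames and pulls cleartext FTP credentials out of the payload, the kind of data a sniffer sees on a hub LAN. The frames, MAC addresses and IP addresses are constructed for the example; a real sniffer would read frames from a promiscuous-mode interface or a capture file instead.

```python
"""Added example (not from the original slides): a minimal passive sniffer
decoder.  It parses raw Ethernet/IPv4/TCP frames and pulls cleartext FTP
credentials out of the payload, which is what a sniffer on a hub LAN sees.
All frames, MAC and IP addresses below are constructed for the example."""
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, payload):
    """Construct a raw Ethernet/IPv4/TCP frame (checksums left at zero: a sniffer
    does not verify them, so they do not matter for the decoder)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | 0x18,        # data offset 5 words, flags PSH|ACK
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ETH_HDR.pack(_mac(dst_mac), _mac(src_mac), ETHERTYPE_IPV4) + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet, IPv4 and TCP headers and return the fields plus TCP payload."""
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR.size:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length (IHL is in 32-bit words)
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    data_off = (off_flags >> 12) * 4         # TCP header length, also in 32-bit words
    return {
        "src_mac": src.hex(":"), "dst_mac": dst.hex(":"),
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "payload": tcp[data_off:],
    }


def extract_ftp_credentials(frames) -> dict:
    """Collect USER/PASS lines sent to FTP control connections (port 21),
    keyed by (client IP, server IP) so credentials are matched per session."""
    creds = {}
    for f in map(parse_frame, frames):
        if f["dport"] != 21 or not f["payload"]:
            continue
        line = f["payload"].decode("ascii", "replace").strip()
        session = creds.setdefault((f["src"], f["dst"]), {})
        if line.upper().startswith("USER "):
            session["user"] = line[5:]
        elif line.upper().startswith("PASS "):
            session["password"] = line[5:]
    return creds


# Constructed capture: an FTP login plus an unrelated HTTP request the decoder ignores.
CAPTURE = [
    build_frame("00:0c:29:11:11:11", "00:1b:21:aa:aa:aa", "10.0.0.5", "10.0.0.9",
                40001, 21, 1000, 1, b"USER alice\r\n"),
    build_frame("00:0c:29:11:11:11", "00:1b:21:aa:aa:aa", "10.0.0.5", "10.0.0.9",
                40001, 21, 1012, 60, b"PASS s3cret!\r\n"),
    build_frame("00:0c:29:22:22:22", "00:1b:21:aa:aa:aa", "10.0.0.7", "10.0.0.9",
                40002, 80, 500, 1, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for key, c in extract_ftp_credentials(CAPTURE).items():
        print(f"{key[0]} -> {key[1]}: user={c.get('user')} password={c.get('password')}")
```

The decoder deliberately ignores checksums and TCP stream reassembly; real tools such as tcpdump or Ethereal reassemble streams, which is what makes multi-segment protocol sessions readable.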
Active Sniffing: Sniffing through a Switch Switched Ethernet does not broadcast all frames to all systems on the LAN. A switch, which is more intelligent than a hub, looks at the destination MAC address of each frame passing through it and sends the frame only out of the port where that address was learned.
Active Sniffing: Sniffing through a Switch [Diagram: a LAN implemented with a switch (switched Ethernet)]
Active Sniffing: Sniffing through a Switch The switch limits what a passive sniffer can gather. A passive sniffer on a switched LAN sees only the traffic going to and from one machine, the system the sniffer is installed on.
Active Sniffing: Sniffing through a Switch So how does an attacker overcome the difficulty of sniffing a switched LAN? Attackers have created a variety of tools that support sniffing in a switched environment. These tools actively inject traffic into the LAN in order to sniff it. Dsniff is an active sniffing tool.
Foiling Switches with Floods (MAC flooding) MAC addresses are physical hardware addresses, unique to each Ethernet card. A LAN switch holds the MAC addresses it has learned in switch memory. What happens if the LAN is flooded with frames carrying random source MAC addresses? As the number of different MAC addresses in use increases, the switch dutifully stores each one along with the port it arrived on.
Foiling Switches with Floods (MAC flooding) Eventually the switch's memory is exhausted by bogus MAC addresses. Some switch implementations then start forwarding frames out of every port, behaving like a hub, once their memory is exhausted. The attacker can take advantage of this flaw and use any passive sniffing tool to sniff the switched LAN.
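The following is an added example, not part of the original slides: a toy model of a learning switch's MAC address table, written to show why MAC flooding works against a switch that "fails open" when its table is full, and why it fails against a switch that simply stops learning new addresses once full (the immune switches mentioned next). The table capacity, port numbers and MAC addresses are constructed; real switches hold thousands of entries and age them out, which is why flooding tools keep sending.

```python
"""Added example (not from the original slides): a toy model of a learning
switch's MAC address table.  It shows why MAC flooding turns a switch that
"fails open" into a hub, and why it fails against a switch that simply stops
learning once its table is full.  Ports, capacity and addresses are constructed."""
import os
from collections import OrderedDict


class Switch:
    def __init__(self, capacity: int, fail_open: bool):
        self.capacity = capacity
        self.fail_open = fail_open
        self.table = OrderedDict()   # MAC -> port, oldest entry first
        self.ports = set()

    def learn(self, src_mac: str, port: int) -> None:
        """Record which port a source MAC was seen on."""
        self.ports.add(port)
        if src_mac in self.table:
            self.table.move_to_end(src_mac)
            self.table[src_mac] = port
            return
        if len(self.table) >= self.capacity:
            if not self.fail_open:
                return                      # immune switch: ignore new MACs once full
            self.table.popitem(last=False)  # fail-open switch: evict the oldest entry
        self.table[src_mac] = port

    def forward(self, src_mac: str, dst_mac: str, in_port: int) -> set:
        """Return the set of ports a frame is sent out of."""
        self.learn(src_mac, in_port)
        if dst_mac in self.table:
            return {self.table[dst_mac]}       # known destination: one port only
        return self.ports - {in_port}          # unknown destination: flood like a hub


VICTIM, SERVER, ATTACKER = "00:0c:29:11:11:11", "00:1b:21:aa:aa:aa", "00:0c:29:66:66:66"


def mac_flood_demo(fail_open: bool, bogus_frames: int = 1000) -> set:
    """Victim on port 1 talks to server on port 2; attacker on port 3 floods the
    switch with frames from random source MACs, then we see where the victim's
    next frame to the server goes."""
    sw = Switch(capacity=8, fail_open=fail_open)
    sw.forward(VICTIM, SERVER, in_port=1)      # normal traffic populates the table
    sw.forward(SERVER, VICTIM, in_port=2)
    sw.forward(ATTACKER, SERVER, in_port=3)
    for _ in range(bogus_frames):
        bogus_src = os.urandom(6).hex(":")     # random MAC, as a flooding tool generates
        sw.forward(bogus_src, "ff:ff:ff:ff:ff:ff", in_port=3)
    return sw.forward(VICTIM, SERVER, in_port=1)


if __name__ == "__main__":
    print("fail-open switch, victim->server goes to ports:", mac_flood_demo(True))
    print("fail-closed switch, victim->server goes to ports:", mac_flood_demo(False))
```

With the fail-open switch the victim's frame is flooded out of port 3 as well, so the attacker's passive sniffer sees it; with the fail-closed switch the legitimate entries survive and only port 2 receives the frame.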
Foiling Switches with Spoofed ARP Messages Some switches are immune to MAC flooding: they stop storing new MAC addresses once their memory reaches a given limit. To sniff in a switched environment where MAC flooding does not work, the attacker can use Dsniff's arpspoof tool, which allows the attacker to manipulate ARP traffic on the LAN.
Foiling Switches with Spoofed ARP Messages [Diagram: attacker, victim and the default router for the LAN connected to a switch, with the outside world beyond the router; before the attack, the victim's traffic is not sent to the attacker]
Foiling Switches with Spoofed ARP Messages To use arpspoof, the attacker first consults a map of the network, likely generated during the scanning phase of the attack. Looking at the network topology, the attacker notes the IP address of the default router for the LAN. The attacker sets up the attack by configuring the IP layer of the attacker's machine to forward any packet it receives from the LAN to the IP address of the default router (IP forwarding).
Foiling Switches with Spoofed ARP Messages The attacker then sends fake ARP replies to the victim's machine. These replies change the victim's ARP table by remapping the default router's IP address (layer 3) to the attacker's own MAC address (layer 2). The victim sends its data to what it thinks is the default router, but addresses the frames to the attacker's MAC address.
Foiling Switches with Spoofed ARP Messages The attacker sniffs the traffic using any kind of sniffing tool. The attacker's machine promptly forwards the victim's traffic to the real default router on the LAN, which transmits it to the outside world. The attacker is now sniffing in a switched environment.
Foiling Switches with Spoofed ARP Messages [Diagram: arpspoof on a switched LAN] 1. Configure IP forwarding on the attacker's machine. 2. Send a fake ARP response to remap the default router's IP to the attacker's MAC. 3. The victim sends traffic destined for the outside world based on the poisoned ARP table entry. 4. Sniff the traffic from the link. 5. Packets are forwarded from the attacker's machine to the actual default router for delivery to the outside world.
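The following is an added example, not part of the original slides: an ARP reply encoder and decoder (RFC 826 over Ethernet) together with a model of a victim host's ARP cache, showing how a single unsolicited "is-at" reply redirects the victim's Internet-bound frames to the attacker's MAC (steps 2 and 3 above). All addresses are constructed. The hardened host variant, which ignores replies it never asked for, is an assumption about a sensible defence and not something the slides describe.

```python
"""Added example (not from the original slides): an ARP reply encoder/decoder
(RFC 826 over Ethernet) and a model of a victim host's ARP cache, showing how
one unsolicited "is-at" reply redirects the victim's Internet-bound frames to
the attacker's MAC.  All addresses are constructed for the example; the
hardened host variant (ignore replies we never asked for) is an assumption
about a sensible defence, not something the slides describe."""
import ipaddress
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
ARP_FMT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying the ARP reply 'sender_ip is-at sender_mac'."""
    arp = ARP_FMT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       _mac(sender_mac), socket.inet_aton(sender_ip),
                       _mac(target_mac), socket.inet_aton(target_ip))
    return _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame: bytes) -> dict:
    etype, = struct.unpack_from("!H", frame, 12)
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = ARP_FMT.unpack_from(frame, 14)
    return {"op": op, "sender_mac": sha.hex(":"), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": tha.hex(":"), "target_ip": socket.inet_ntoa(tpa)}


class Host:
    def __init__(self, ip, mac, gateway_ip, lan="10.0.0.0/24", accept_unsolicited=True):
        self.ip, self.mac, self.gateway_ip = ip, mac, gateway_ip
        self.lan = ipaddress.ip_network(lan)
        self.accept_unsolicited = accept_unsolicited   # classic stacks: True
        self.arp_cache = {}                             # IP -> MAC
        self.pending = set()                            # IPs we have sent requests for

    def receive_arp(self, frame: bytes) -> None:
        a = parse_arp(frame)
        if a["op"] != ARP_REPLY:
            return
        if not self.accept_unsolicited and a["sender_ip"] not in self.pending:
            return                                      # hardened: drop replies we never asked for
        self.pending.discard(a["sender_ip"])
        self.arp_cache[a["sender_ip"]] = a["sender_mac"]

    def next_hop_mac(self, dst_ip: str):
        """MAC the host will put in the Ethernet header for a packet to dst_ip."""
        on_link = ipaddress.ip_address(dst_ip) in self.lan
        return self.arp_cache.get(dst_ip if on_link else self.gateway_ip)


ROUTER_IP, ROUTER_MAC = "10.0.0.1", "00:1b:21:aa:aa:aa"
ATTACKER_MAC = "00:0c:29:66:66:66"


def arpspoof_demo(hardened: bool = False):
    """Return the victim's next-hop MAC for an Internet address before and after
    the attacker's forged reply."""
    victim = Host("10.0.0.5", "00:0c:29:11:11:11", ROUTER_IP, accept_unsolicited=not hardened)
    victim.arp_cache[ROUTER_IP] = ROUTER_MAC              # learned legitimately earlier
    before = victim.next_hop_mac("198.51.100.10")
    forged = build_arp_reply(ATTACKER_MAC, ROUTER_IP, victim.mac, victim.ip)  # step 2 of the attack
    victim.receive_arp(forged)
    after = victim.next_hop_mac("198.51.100.10")           # step 3: where the traffic now goes
    return before, after


if __name__ == "__main__":
    print("classic host :", arpspoof_demo())
    print("hardened host:", arpspoof_demo(hardened=True))
```

Note that arpspoof keeps re-sending the forged reply, because the victim's cache entry expires and the real router's ARP traffic would otherwise restore the correct mapping; the model shows a single poisoning step.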
Sniffing and Spoofing DNS The attacker fires up the dnsspoof program (part of Dsniff), which sniffs the LAN for DNS queries for specific hosts (www.bank.com). Some time later the victim tries to resolve the name www.bank.com using DNS, for example by trying to surf the website. The attacker sniffs the DNS query and immediately sends a fake DNS response.
Sniffing and Spoofing DNS This response lies, claiming that www.bank.com resolves to the IP address of the attacker's machine. The victim's machine caches this incorrect DNS entry and ignores the real response from the real DNS server, since it already has a mapping for the name. Finally the victim's browser makes a connection to the attacker's machine.
Sniffing and Spoofing DNS [Diagram: dnsspoof on a switched LAN] 1. Attacker activates the dnsspoof program. 2. Victim tries to resolve a name using DNS. 3. Attacker sniffs the DNS request from the line. 4. Attacker quickly sends a fake DNS response with whatever IP address the attacker wants the victim to use (the attacker's machine instead of the desired destination). The victim now surfs the attacker's site instead of the desired location.
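The following is an added example, not part of the original slides: a small DNS wire-format encoder/decoder and a stub-resolver model, showing why a forged response that copies the transaction ID and question of a sniffed query is accepted first and the genuine answer is then discarded. The hostname www.bank.com comes from the slides; the transaction ID and both IP addresses are constructed.

```python
"""Added example (not from the original slides): a small DNS wire-format
encoder/decoder and a stub-resolver model.  It shows how a forged response that
copies the transaction ID and question of a sniffed query is accepted first and
the genuine answer is then discarded.  IPs and the transaction ID are constructed."""
import socket
import struct

DNS_HDR = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                              # compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n


def build_query(txid: int, name: str) -> bytes:
    return DNS_HDR.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_query(msg: bytes) -> dict:
    txid = DNS_HDR.unpack_from(msg, 0)[0]
    name, off = decode_name(msg, DNS_HDR.size)
    qtype, _ = struct.unpack_from("!HH", msg, off)
    return {"id": txid, "name": name, "qtype": qtype}


def build_answer(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Build an A-record response matching the query's ID and question section.
    dnsspoof does the same thing with the attacker's address as rdata."""
    q = parse_query(query)
    header = DNS_HDR.pack(q["id"], 0x8180, 1, 1, 0, 0)      # response, RD+RA, one answer
    question = query[DNS_HDR.size:]                          # copy the question verbatim
    answer = b"\xc0\x0c" + struct.pack("!HHIH4s", TYPE_A, CLASS_IN, ttl, 4, socket.inet_aton(ip))
    return header + question + answer


def parse_answer(msg: bytes) -> dict:
    txid, _, _, ancount, _, _ = DNS_HDR.unpack_from(msg, 0)
    name, off = decode_name(msg, DNS_HDR.size)
    off += 4                                                 # skip qtype/qclass
    ips = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_A:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "name": name, "ips": ips}


class StubResolver:
    """Victim resolver: accepts the first response whose ID and question match
    an outstanding query, caches it, and ignores later responses."""
    def __init__(self):
        self.pending = {}   # txid -> name
        self.cache = {}     # name -> [ips]

    def query(self, txid: int, name: str) -> bytes:
        self.pending[txid] = name
        return build_query(txid, name)

    def receive(self, msg: bytes) -> bool:
        a = parse_answer(msg)
        if self.pending.get(a["id"]) != a["name"]:
            return False                                     # no matching outstanding query
        del self.pending[a["id"]]
        self.cache[a["name"]] = a["ips"]
        return True


def dnsspoof_demo():
    victim = StubResolver()
    query = victim.query(0x1A2B, "www.bank.com")            # step 2: victim sends the query
    forged = build_answer(query, "10.0.0.66")               # step 4: attacker answers first (constructed IP)
    genuine = build_answer(query, "203.0.113.10")           # the real server's answer arrives later
    took_forged = victim.receive(forged)
    took_genuine = victim.receive(genuine)
    return victim.cache["www.bank.com"], took_forged, took_genuine


if __name__ == "__main__":
    print(dnsspoof_demo())
```

The attack works because the sniffer hands the attacker the transaction ID and source port that an off-path attacker would have to guess; being on the LAN removes that guesswork and the race is only about who answers first.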
Sniffing HTTPS and SSH Even though the S in HTTPS, SSL and SSH stands for secure, these protocols are built on a trust model for the underlying public keys. When an HTTPS connection is established, the server sends a certificate, which the browser verifies. If the certificate was signed by a trusted Certificate Authority, an SSL connection is established.
Sniffing HTTPS and SSH The SSL connection uses a session key to encrypt all data sent by the server and the client. SSH does not use digital certificates but is based on the same public-key idea. The SSL and SSH protocols are sound from a security perspective; the problem that gets exploited is the trust placed in certificates and public keys.
Sniffing HTTPS and SSH For SSL, if a web server sends the browser a certificate that the browser does not recognize (one not signed by a trusted Certificate Authority), the browser asks the user whether to accept the untrusted certificate. For SSH, the user is warned that the server's public key has changed but is still permitted to establish the connection.
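The following is an added example, not part of the original slides: the host-key check an SSH client performs against its known_hosts file, written in Python. It shows the two behaviours the slide contrasts: with strict checking a changed key (the sshmitm case) refuses the connection, while in permissive mode the client only warns and connects. Both key blobs are constructed and are not real keys.

```python
"""Added example (not from the original slides): the host-key check an SSH
client performs against its known_hosts file.  With strict checking a changed
key (the sshmitm case) aborts the connection; in the permissive mode the
slides describe, the client only warns.  Both key blobs are constructed, not
real keys."""
import base64
import hashlib
import struct


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyChanged(Exception):
    pass


class KnownHosts:
    def __init__(self, lines, strict=True):
        self.strict = strict
        self.entries = {}                        # (host, keytype) -> base64 key
        for line in lines:
            if line.strip() and not line.startswith("#"):
                host, keytype, key = line.split()[:3]
                self.entries[(host, keytype)] = key

    def check(self, host: str, keytype: str, offered: str) -> str:
        known = self.entries.get((host, keytype))
        if known is None:                        # trust on first use: remember the key
            self.entries[(host, keytype)] = offered
            return "new"
        if known == offered:
            return "ok"
        msg = (f"REMOTE HOST IDENTIFICATION HAS CHANGED for {host}: "
               f"expected {fingerprint(known)}, got {fingerprint(offered)}")
        if self.strict:
            raise HostKeyChanged(msg)            # StrictHostKeyChecking=yes behaviour
        return "changed"                         # warn, but still connect


def _fake_key(seed: bytes) -> str:
    """Constructed ssh-ed25519-shaped blob (not a real key): type string + 32 bytes."""
    blob = struct.pack("!I", 11) + b"ssh-ed25519" + struct.pack("!I", 32) + seed
    return base64.b64encode(blob).decode()


SERVER_KEY = _fake_key(bytes(range(32)))          # the genuine server's key
MITM_KEY = _fake_key(bytes(range(32, 64)))        # the key sshmitm would present
KNOWN_HOSTS = [f"bank.example ssh-ed25519 {SERVER_KEY}"]   # constructed known_hosts line


def connect_outcome(strict: bool, offered: str) -> str:
    try:
        return KnownHosts(KNOWN_HOSTS, strict=strict).check("bank.example", "ssh-ed25519", offered)
    except HostKeyChanged:
        return "refused"
```

The "new" path is the weak spot the slides are getting at: on the very first connection there is nothing to compare against, so a person in the middle who is present at that moment is accepted as the real host unless the fingerprint is verified out of band.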
Sniffing HTTPS and SSH How does Dsniff exploit the problem? Dsniff includes the webmitm and sshmitm tools for attacking HTTPS and SSH. mitm stands for "monkey in the middle", a reference to the classic person-in-the-middle attack: the attacker sits between two systems and actively participates in the connection to gather data.
Sniffing HTTPS and SSH Person-in-the-middle attack [Diagram: the attacker positioned between the victim and the network]
Sniffing HTTPS and SSH Person-in-the-middle attack To conduct a person-in-the-middle attack, the attacker runs the dnsspoof program, configured to send false DNS information so that a DNS query for a given website resolves to the attacker's IP address. The attacker also activates the webmitm program, which transparently proxies all HTTP and HTTPS traffic it receives. dnsspoof detects the DNS request for the targeted website and redirects the client to the attacker's machine.
Sniffing HTTPS and SSH Person-in-the-middle attack The victim's browser starts to establish a secure connection. All messages for establishing the SSL connection are sent to webmitm on the attacker's machine. webmitm acts as an SSL proxy, establishing two SSL connections: one from the victim to the attacker's machine and the other from the attacker's machine to the actual web server.
Sniffing HTTPS and SSH Person-in-the-middle attack When establishing the SSL session between the victim's machine and the attacker's, webmitm sends the attacker's own certificate. The victim's browser notices that the certificate is not signed by a trusted Certificate Authority and shows a message asking the user whether to accept the untrusted certificate. If the user accepts, the session is encrypted to the attacker, not to the real server.
Sniffing HTTPS and SSH [Diagram: webmitm on a switched LAN] 1. Attacker activates the dnsspoof and webmitm programs. 2. dnsspoof sends a fake DNS response with the IP address of the machine running webmitm. 3. Victim establishes an SSL connection, not knowing the attacker is proxying it. 4. webmitm proxies the HTTPS connection, establishing its own HTTPS connection to the real server and sending the attacker's own certificate to the victim. The victim now accesses the desired server, but all the traffic is viewable by the attacker using webmitm as the proxy.
IP address spoofing Simply changing the IP address The simplest way of spoofing another system's IP address is to change the IP address of your own system to the other system's address. This can be done with the ifconfig command on UNIX or the network control panel on Windows NT. This method is remarkably effective for limited goals: if the attacker wants to send packets that look like they come from somewhere else, or to obscure the source of a packet flood or other denial-of-service attack.
IP address spoofing [Diagram: TCP three-way handshake between A and B] A → B: SYN (A, ISN_A). B → A: ACK (A, ISN_A), SYN (B, ISN_B). If A never sent the SYN because its address was spoofed, A answers B's SYN-ACK with a RESET. The TCP three-way handshake therefore inhibits simple spoofing.
IP address spoofing - Undermining UNIX r-commands [Diagram: Alice, Bob and Eve]
IP address spoofing - Undermining UNIX r-commands Eve interacts with Bob by sending TCP SYN packets to one or more of his open ports, without spoofing. These connection initiations let Eve approximate the rate at which the initial sequence numbers in Bob's SYN-ACK responses change with time. Eve then launches a denial-of-service attack against Alice (a SYN flood or smurf attack).
IP address spoofing - Undermining UNIX r-commands Alice is dead for a period of time. This prevents Alice from sending a RESET and dropping the spoofed TCP connection. Eve initiates a connection to Bob using Alice's IP address; the first part of the three-way handshake is complete. Bob responds with the second part of the handshake (his SYN-ACK) to Alice, but Alice is dead and cannot respond with a RESET.
IP address spoofing - Undermining UNIX r-commands Using the information gathered, Eve sends an ACK to Bob, spoofing Alice's IP address and including a guess at the sequence number ISN_B. If the guess is incorrect, no connection is established; if it is correct, Eve has opened a TCP connection with Bob while pretending to be Alice.
IP address spoofing - Undermining UNIX r-commands [Diagram: sequence-number guessing] Eve opens several connections to Bob to observe the initial sequence numbers in his responses. Eve → Alice: DIE (denial of service). Eve (as Alice) → Bob: SYN (A, ISN_A). Bob → Alice: ACK (A, ISN_A), SYN (B, ISN_B), which Alice cannot answer. Eve (as Alice) → Bob: ACK (B, ISN_B), using the guessed value.
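The following is an added example, not part of the original slides: a Python model of the sequence-number guessing attack just described. Bob's stack is simulated two ways, as a constructed "old style" stack whose ISN grows by a fixed amount per second and per connection, and as a stack that picks random ISNs. Eve probes, Alice is assumed silenced (represented here only by the absence of a RESET), and Eve then completes the spoofed handshake with a guessed ISN. The timing values and increment constants are constructed and are not the values of any particular operating system.

```python
"""Added example (not from the original slides): a model of the sequence-number
guessing attack.  Bob's stack is simulated two ways: a constructed "old style"
stack whose ISN grows by a fixed amount per second and per connection, and a
stack with random ISNs.  Eve probes, silences Alice (represented here only by
the fact that no RST is sent), then completes a spoofed handshake with a
guessed ISN.  Times and constants are constructed."""
import random

MASK = 0xFFFFFFFF


class PredictableStack:
    """ISN = base + rate*seconds + step*connections (constructed model)."""
    def __init__(self, base=123456, rate=128, step=64):
        self.base, self.rate, self.step = base, rate, step
        self.conns = 0
        self.half_open = {}                    # client -> ISN_B sent in the SYN-ACK

    def isn(self, now):
        return (self.base + self.rate * now + self.step * self.conns) & MASK

    def syn(self, now, client="eve"):
        """Handle a SYN: pick ISN_B and send SYN-ACK(ISN_B) to the claimed source."""
        isn_b = self.isn(now)
        self.conns += 1
        self.half_open[client] = isn_b
        return isn_b                           # what the claimed source would see

    def ack(self, client, ack_num):
        """Third handshake step: accept only if the ACK number is ISN_B + 1."""
        isn_b = self.half_open.pop(client, None)
        return isn_b is not None and ack_num == (isn_b + 1) & MASK


class RandomStack(PredictableStack):
    """A stack with unpredictable ISNs, the defence the slides recommend."""
    def isn(self, now):
        return random.getrandbits(32)


def spoofed_handshake(bob, now=1000):
    """Eve's attack against Bob; returns True if Bob accepts the spoofed connection."""
    # Probe 1: two SYNs at the same instant reveal the per-connection step.
    a = bob.syn(now)
    b = bob.syn(now)
    step = (b - a) & MASK
    # Probe 2: one more SYN a second later; the delta minus the step is the per-second rate.
    c = bob.syn(now + 1)
    rate = ((c - b) & MASK) - step
    # Alice is SYN-flooded here, so she cannot RST the half-open connection.
    bob.syn(now + 2, client="alice")           # spoofed SYN; the SYN-ACK goes to Alice, Eve never sees it
    guess = (c + step + rate) & MASK           # Eve's prediction of that unseen ISN_B
    return bob.ack("alice", (guess + 1) & MASK)


if __name__ == "__main__":
    print("predictable ISNs:", spoofed_handshake(PredictableStack()))
    print("random ISNs     :", spoofed_handshake(RandomStack()))
```

Against the random stack the guess is right only with probability 2^-32 per attempt, which is why unpredictable ISNs are listed first among the defences below.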
IP address spoofing - Spoofing with Source Routing A far easier method of IP address spoofing is based on source routing. This technique lets the attacker receive responses in interactive sessions and even avoids the need for a denial-of-service attack. Source routing is an option in IP that allows the source machine to specify the path its packets will take across the network.
IP address spoofing - Spoofing with Source Routing [Diagram: Eve's packet carries the source route 1. Alice 2. Eve 3. Bob; Bob's reply carries the reversed route 1. Bob 2. Eve 3. Alice] Eve generates packets with a fake source route. The packets claim to come from Alice, and the source route includes Eve's address, making Eve look like a router on the path. The packets are addressed to Bob.
IP address spoofing - Spoofing with Source Routing Eve injects these spoofed packets onto the network. Bob acts on the packets and responds. Because Eve is part of the source route, Bob's responses are transmitted back through Eve, who intercepts them and does not forward them on to Alice.
IP Spoofing Defense The initial sequence numbers generated by TCP stacks must be difficult to predict. On UNIX machines in particular, use of the weak r-commands must be avoided. Implement anti-spoof packet filters at the border routers and firewalls connecting the organization to the Internet and to business partners.
IP Spoofing Defense The filtering device drops any packet arriving on one interface that has a source address belonging to the network on another interface; such packets indicate a possible spoofing attack. [Diagram: a filtering device between Network A and Network B drops a packet arriving from Network B with an IP source address on Network A]
IP Spoofing Defense Source-routed packets must not be allowed through the network gateways. On Cisco routers this is done with the global configuration command no ip source-route, which drops all source-routed packets at the gateway. Be careful with trust relationships throughout the environment; avoid extending UNIX and Windows NT trust relationships to systems across an unprotected network.
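The following is an added example, not part of the original slides, serving both the source-routing attack above and the two filtering defences: a Python IPv4 packet builder that can attach a Loose Source Route option (RFC 791), an option parser, and a border filter that drops source-routed packets and drops packets whose source address belongs to the network on the other interface. The addresses, the inside network and the two-interface layout are constructed.

```python
"""Added example (not from the original slides): an IPv4 packet builder that can
attach a Loose Source Route option (RFC 791), an option parser, and a border
filter that applies the two defences from the slides: drop source-routed
packets, and drop packets whose source address belongs to the network on the
other interface.  Addresses and interface layout are constructed."""
import ipaddress
import socket
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137


def build_packet(src, dst, route=None, payload=b"") -> bytes:
    """IPv4 header (+ LSRR option listing the hops the packet must visit)."""
    opts = b""
    if route:
        opts = bytes([IPOPT_LSRR, 3 + 4 * len(route), 4])          # type, length, pointer
        opts += b"".join(socket.inet_aton(h) for h in route)
        opts += bytes(-len(opts) % 4)                                # pad to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + opts + payload


def parse_source_route(pkt: bytes):
    """Return {'type', 'pointer', 'route'} for an LSRR/SSRR option, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, i = pkt[20:ihl], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            body = opts[i + 2:i + length]                                # pointer + addresses
            hops = [socket.inet_ntoa(body[1 + 4 * k:5 + 4 * k]) for k in range((length - 3) // 4)]
            return {"type": "LSRR" if t == IPOPT_LSRR else "SSRR", "pointer": body[0], "route": hops}
        i += length
    return None


class BorderFilter:
    """Two interfaces: 'inside' faces the listed networks, 'outside' faces the Internet."""
    def __init__(self, inside_nets):
        self.inside = [ipaddress.ip_network(n) for n in inside_nets]

    def decide(self, iface: str, pkt: bytes) -> str:
        src = ipaddress.ip_address(socket.inet_ntoa(pkt[12:16]))
        internal = any(src in n for n in self.inside)
        if parse_source_route(pkt):
            return "drop: source-routed packet"                       # what 'no ip source-route' does
        if iface == "outside" and internal:
            return "drop: internal source arriving from outside (spoofed)"
        if iface == "inside" and not internal:
            return "drop: external source leaving from inside (spoofed)"
        return "accept"


ALICE, BOB, EVE = "10.0.0.5", "203.0.113.7", "198.51.100.9"   # constructed addresses
FILTER = BorderFilter(["10.0.0.0/8"])                         # Alice's site is inside


def source_route_spoof_demo() -> dict:
    # Eve's packet claims to be from Alice and lists herself on the route to Bob.
    spoofed = build_packet(ALICE, BOB, route=[EVE, BOB])
    plain_spoof = build_packet(ALICE, BOB)          # same claim, no option
    legit_reply = build_packet(BOB, ALICE)          # ordinary traffic from outside
    return {
        "parsed_route": parse_source_route(spoofed)["route"],
        "spoofed_from_outside": FILTER.decide("outside", spoofed),
        "plain_spoof_from_outside": FILTER.decide("outside", plain_spoof),
        "legit_from_outside": FILTER.decide("outside", legit_reply),
        "alice_from_inside": FILTER.decide("inside", plain_spoof),
    }
```

Both checks are needed: the ingress rule catches the forged source address at the border, and the source-route rule catches the case where the attacker is itself on a path the filter would otherwise consider plausible.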
Session Hijacking Session hijacking is the marriage of sniffing and spoofing. An attacker can hijack a session even if strong authentication is used, provided the conversation following the initial authentication is not cryptographically protected. Because the session is sent in clear text after the initial authentication, an attacker can hijack it at any point after authentication.
Network-based Session Hijacking Alice (A) has established a telnet connection across the network to Bob (B). The attacker sits on a segment of the network where traffic is passing from A to B and can see the session using sniffing techniques. [Diagram: Alice's telnet session to Bob crosses a network segment where Eve is sniffing]
Network-based Session Hijacking While observing the session, the attacker also monitors the TCP sequence numbers of its packets. At some point the attacker decides to hijack the connection.
Network-based Session Hijacking The attacker now starts injecting spoofed traffic with A's source IP address into the network, using the proper TCP sequence numbers on every packet. If successful, Bob executes the commands sent by the attacker, thinking they came from A. [Diagram: Eve injects "Hi, I'm Alice" into the session]
Session Hijacking – ACK storm When a system receives a segment on a TCP connection whose sequence number is out of order, it resends its last ACK. This retransmitted ACK is supposed to help the two systems resynchronize their sequence numbers.
Session Hijacking – ACK storm What happens if the attacker is injecting traffic into the TCP connection? The sequence numbers between the attacker and B keep increasing. As traffic is routed back to A, A sees sequence numbers increasing even though A has not sent any packets. [Diagram: Eve sends Bob packets with increasing sequence numbers while ACKs fly back and forth between Alice and Bob]
Session Hijacking – ACK storm The TCP stacks of A and B get confused as the attacker sends traffic with increasing sequence numbers. To resynchronize the connection, A resends ACK messages again and again, consuming a good amount of bandwidth, in what is known as an ACK storm.
Session Hijacking – ACK storm During an ACK storm, performance quickly starts to suffer; the attacker is typically able to get one or two commands executed on B before the ACK storm causes the connection to be dropped.
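The following is an added example, not part of the original slides: a Python simulation of the hijack and the ACK storm. Two endpoints track sequence numbers and respond to an out-of-order segment, or one that acknowledges data never sent, by resending their current ACK; Eve sniffs one exchange, injects a command with the right numbers, and the storm follows. A wrong guess is included for contrast. The sequence numbers and the injected command are constructed.

```python
"""Added example (not from the original slides): a simulation of TCP session
hijacking and the resulting ACK storm.  Two endpoints track sequence numbers;
a segment that is out of order or acknowledges data never sent gets the
endpoint's current ACK resent.  Eve sniffs one exchange, injects a command
with the right numbers, and the storm follows.  Numbers and command constructed."""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    seq: int
    ack: int
    data: bytes = b""


class Endpoint:
    def __init__(self, name, snd_nxt, rcv_nxt):
        self.name, self.snd_nxt, self.rcv_nxt = name, snd_nxt, rcv_nxt
        self.received = b""

    def send(self, data: bytes) -> Segment:
        seg = Segment(self.name, self.snd_nxt, self.rcv_nxt, data)
        self.snd_nxt += len(data)
        return seg

    def receive(self, seg: Segment):
        """Return the segment sent in response, or None if nothing is sent."""
        if seg.seq != self.rcv_nxt or seg.ack > self.snd_nxt:
            # Out of order, or it acknowledges data we never sent: resend our ACK.
            return Segment(self.name, self.snd_nxt, self.rcv_nxt)
        self.rcv_nxt += len(seg.data)
        self.received += seg.data
        return Segment(self.name, self.snd_nxt, self.rcv_nxt) if seg.data else None


def hijack_demo(seq_error: int = 0, max_acks: int = 50) -> dict:
    """Eve injects 'echo pwned' as Alice; seq_error models a wrong sequence guess."""
    alice = Endpoint("alice", snd_nxt=1000, rcv_nxt=5000)
    bob = Endpoint("bob", snd_nxt=5000, rcv_nxt=1000)

    wire = []                                   # everything Eve's sniffer sees
    seg = alice.send(b"ls\n")
    wire.append(seg)
    reply = bob.receive(seg)
    wire.append(reply)
    alice.receive(reply)

    # Eve derives the next numbers from the last segment seen in each direction.
    last_a = [s for s in wire if s.src == "alice"][-1]
    last_b = [s for s in wire if s.src == "bob"][-1]
    inject = Segment("alice", last_a.seq + len(last_a.data) + seq_error, last_b.seq, b"echo pwned\n")

    reply = bob.receive(inject)
    storm = 0
    while reply is not None and storm < max_acks:
        storm += 1                              # each loop delivers one retransmitted ACK
        reply = (alice if reply.src == "bob" else bob).receive(reply)
    return {"bob_executed": bob.received, "acks_exchanged": storm}


if __name__ == "__main__":
    print("correct seq:", hijack_demo())
    print("wrong seq  :", hijack_demo(seq_error=10))
```

With the correct numbers Bob executes the injected command and the two real endpoints then bounce ACKs at each other until the cap; with a wrong guess Bob discards the segment, sends one ACK, and the connection carries on undisturbed.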
Session Hijacking Defenses Use all the defense techniques that apply to spoofing attacks. Use encryption tools such as SSH or a VPN to secure sessions. Encrypted sessions prevent session hijacking because the attacker does not have the session keys needed to encrypt, decrypt or authenticate the traffic.
Netcat : General purpose network tool Netcat is one of the most useful tools available for interacting with systems across a network, and is often referred to as the "Swiss Army knife" of network tools. The idea behind Netcat is that it lets a user move data across a network while functioning much like the UNIX cat command: instead of dumping data on the local system, Netcat moves arbitrary data over any TCP or UDP port.
Netcat : General purpose network tool The Netcat executable operates in one of two modes: client mode or listen mode. In client mode Netcat initiates a connection to any TCP or UDP port on another machine. In listen mode Netcat opens any TCP or UDP port on the local system and waits for connections. Netcat also supports source routing.
Netcat : General purpose network tool Using these basic building blocks, people have devised many different scenarios based on Netcat: file transfer; port scanning; making connections to open ports; vulnerability scanning; creating a passive backdoor command shell; actively pushing a backdoor command shell; relaying traffic.
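The following is an added example, not part of the original slides and not Netcat's own code: Netcat's two modes re-implemented with raw sockets in Python and exercised over the loopback interface, covering the file-transfer and port-scanning scenarios listed above. The listener receives a file and answers with a short reply; the client pushes the file and reads the reply; a connect-scan then checks the listening port. Ports are chosen by the operating system at run time and the file contents are constructed.

```python
"""Added example (not from the original slides): Netcat's two modes written
with raw sockets in Python, exercised over the loopback interface: a listener
that receives a file and a client that pushes one, plus a connect-scan of a
port.  Ports are chosen by the OS at run time; the file contents are
constructed.  This is a teaching re-implementation, not Netcat's own code."""
import socket
import threading


def nc_listen(port: int = 0):
    """Listen mode: open a TCP port on the local system (0 = any free port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def nc_accept_once(srv: socket.socket, reply: bytes = b"") -> bytes:
    """Accept one connection, read until the peer closes its side, then send reply."""
    conn, _ = srv.accept()
    with conn:
        chunks = []
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
        conn.sendall(reply)
    return b"".join(chunks)


def nc_connect(host: str, port: int, data: bytes) -> bytes:
    """Client mode: connect, push data, half-close, and read whatever comes back."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)                 # EOF on stdin in Netcat terms
        out = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            out.append(chunk)
    return b"".join(out)


def tcp_connect_scan(host: str, ports) -> list:
    """Crude port scan: a completed TCP connect means the port is open."""
    open_ports = []
    for p in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(1)
            if s.connect_ex((host, p)) == 0:
                open_ports.append(p)
    return open_ports


def file_transfer_demo() -> dict:
    """The 'nc -l -p PORT > file' / 'nc host PORT < file' pattern over loopback."""
    payload = b"constructed file contents line\n" * 200
    srv, port = nc_listen()
    result = {}
    t = threading.Thread(target=lambda: result.update(received=nc_accept_once(srv, b"ok\n")))
    t.start()
    reply = nc_connect("127.0.0.1", port, payload)
    t.join()
    open_while_listening = tcp_connect_scan("127.0.0.1", [port])
    srv.close()
    return {"intact": result["received"] == payload, "reply": reply,
            "open_while_listening": open_while_listening}


if __name__ == "__main__":
    print(file_transfer_demo())
```

The same listener, with its received bytes handed to a shell instead of a file, is the passive backdoor shell in the list above, which is why the defences on the next slide treat listeners and outbound connections from unexpected processes as the thing to watch.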
Netcat : Defence Preventing Netcat file transfers; securing against port scanning; blocking arbitrary connections to a port; protecting against vulnerability scanning; stopping backdoors; preventing relay attacks.
References Counter Hack Hacking Exposed
Thank You