Presentation is loading. Please wait.

Presentation is loading. Please wait.

University Hacking & Security Frontier Spoofing & Scanning 2008. 2. 25. 서 승 현 1.

Published byElmer Terry Modified over 9 years ago

Similar presentations

Presentation on theme: "University Hacking & Security Frontier Spoofing & Scanning 2008. 2. 25. 서 승 현 1."— Presentation transcript:

1 University Hacking & Security Frontier http://www.padocon.org Spoofing & Scanning 2008. 2. 25. 서 승 현 (tgnice@Nchovy.kr) 1

2 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 발표자 소개 홍익대학교 컴공과 2 학년 Nchovy.kr 네트워크 담당 Nchovy.kr 웹개발 RSS Reader 개발 관련 자격증 - CCNP - LPIC

3 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 목 차 ARP Packet 분석 - Header 의 내용 ARP Spoofing MAC Flooding DNS Spoofing IDLE Scan 3 PAraDOx CONference 2008

4 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Test 환경 VMware 상 PC3(4) 대 - Server, XP, Whoppix(or BackTrack) 필요한 상황에서는 GNS 를 이용 - 가상 Emulator 사용 원격환경 설정 Packet Analyzer - WireShark Cisco Simulator 사용 4

5 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Test 구성 Test 환경 - 좌측 Local 은 192.168.10.0/24 - 우측 Local 은 192.168.20.0/24 - Routing protocol 은 Rip 을 사용 - Cisco 2xxx 장비를 사용 - Ethernet 환경

6 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 ARP Packet Test Cisco Emulator 환경

7 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Test 1 10.1 -> 20.1 Ping Test ( 외부 Network)

8 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Test 2 Router –ARP Request Packet 받음 BB,CC,DD –ARP Request Packet 드랍

9 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Test 3 PC -> Router : Arp Request Router -> Pc : Arp Reponse

10 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Packet Analyze 환경 VMware 환경구축 - NAT 환경 192.168.8.0/24 Network - PC 8.1, VMware 8.100, GW 8.2 Flooding Attack : MAC Flooding - Packet Analyzer 로 확인 Sniffing Attack : Analyzer 로 확인

11 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Packet Analyze 1 VMware -> PC Ping Test

12 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Packet Analyze 2 ARP 요청 -> ICMP 패킷의 교환 - Request -> Reply 로 이루어져 있음 - Packet Forwarding 시 Ethernet 헤더 (MAC) 이 필요함을 알수 있음 - ARP Packet 에는 인증이 없음.

13 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 ARP Request Header ARP Request Packet 내용

14 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 ARP Request Header 분석 Ethernet Header - DM : FF:FF:FF:FF:FF:FF(Broad Cast) - SM : ARP Request 요청 PC MAC ARP Header - Target MAC : 00:00:00:00:00:00 - Target IP : 수신자측 (192.168.8.1) ※ ARP 는 상대의 MAC 만 알아올때 쓰인다 !

15 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 ARP Reply Header ARP Reply Header 내용

16 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 ARP Reply Header 분석 Ethernet Header - DM : ARP Request 요청 PC MAC - SM : Reply 측 PC MAC ARP Header - Target MAC : Reply 측 PC MAC - Target IP : 수신자측 (192.168.8.100) ※ ARP Request 의 DM & TM 내용만 바뀐다.

17 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 공 격 방 법공 격 방 법 ARP 를 이용한 ARP Spoofing - 결국 Sniffing 을 위한 사전공격 - MITM 공격을 위한 사전공격 Analyzer 를 이용한 Sniffing - Data 를 빼내기 위한 공격 TCP 취약점을 이용한 Scanning - Idle Scanning - Syn Scanning, Fin Scanning - X-mas Scanning, Y-mas Scanning

18 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 ARP Spoofing Ethernet 통신의 취약점 이용한 공격 ARP 프로토콜 취약점 – 인증이 없다 ! Local 에서 일어나는 공격 PC 가 Routing 이 가능해야 한다.

19 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 MAC Flooding Switch 의 MAC Table 학습 취약점 이용 DoS 공격의 일종 - Local DoS 공격 - Rip Flooding, (BPDU, HSRP) Attack

20 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Sniffing Sniffing : 훔쳐듣다 - ARP Spoofing 이 선행되어야한다 - Hub 환경에서는 기본적으로 가능 MITM 공격의 일종 Data 를 빼내는 공격.

21 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Scanning Scanning : 검색 - 원격에서 Attacker 가 공격을 위한 사전조사 단계에서 실행 - TCP 의 성질을 이용함 - Three-way Handshaking 을 이용

22 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 ARP Spoofing 방법론 ARP 취약점을 이용한 ARP Spoofing - Local 통신시 Ethernet(MAC) 통신임을 노린 공격 - ARP Reply 를 피해자에게 변조공격 - Sniffing 공격을 시도하기 위한 사전공격

23 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 ARP Spoofing 공격 환경설정 - XP *.1.100, Server *.1.101, Whoppix *.1.102 - 외부 환경과 단절된 네트워크 구성 - XP 와 Server 의 통신 간 패킷이 공격자를 거쳐가는 경로 확인.

24 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 ARP Spoofing 정상경로와 Spoofing 후의 경로

25 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 정상적인 통신 MAC

26 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 정상적인 ARP Table

27 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 공격 Packet Forwarding

28 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 WireShark Analyze

29 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 공격 후 ARP Table

30 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 ARP Spoofing 검토 ARP Spoofing 만으로 할 수 있는 일은 없다. 공격자의 NIC 이 Promiscuous mode 로 되어있어 야 한다. - /proc/sys/net/ipv4/ip_forward File 0 -> 1 - FragRouter Tool 사용 Sniffing 을 위한 사전단계 공격

31 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 MAC Flooding 방법론 MAC & IP Random 변조 공격 Switch 의 MAC Table 학습 취약점 - Table 에 없는 Mac Address 일 경우 All Port Flooding 48 Bit Random MAC 생성할수 있음 - 거의 무한으로 Flooding 할수 있다.

32 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 MAC Flooding 정상적인 Packet 들

33 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 MAC Flooding MAC Address, IP 랜덤 생성 무한루프

34 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 MAC Flooding 공격중인 화면

35 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 MAC Flooding 공격 중 패킷 캡처

36 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 MAC Flooding 랜덤 MAC 확인

37 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 MAC Flooding 사후검토 DoS Attack 의 일종 - Smurf, Syn Flooding, Land Attack - BPDU Attack, Rip Flooding,HSRP Attack Switch 의 MAC 학습 취약점 이용 Network 점유율 대폭 증가 - Local Network 속도 저하

38 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 DNS Spoofing 방법론 MITM 공격의 일종 DNS 프로토콜의 인증이 없는 취약점 공격 Phishing 에 이용될 수 있음. ARP Spoofing 이 선행되어야 함.

39 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 DNS Spoofing 정상 DNS 쿼리 경로와 Spoofing 후 경로

40 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 DNS Spoofing XP 의 통신확인

41 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 DNS Spoofing 사전 ARP Spoofing

42 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 DNS Spoofing DNS Spoofing 정보 파일 작성

43 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 DNS Spoofing ARP Spoofing 후 통신불능 상태 해제 DNS Spoofing 공격

44 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 DNS Spoofing DNS Spoofing 공격 성공

45 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 DNS Spoofing 사후 검토 MITM 공격의 일종 ARP Spoofing 으로 Packet Sniffing DNS 의 통신 취약점 - DNS 쿼리는 먼저 온 패킷을 받아들인다. - 나중에 온 패킷은 Drop

46 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Idle Scanning 방법론 조용한 윈도우 서버를 이용한 Scanning Linux 와 Windows 의 패킷 ID 값 관리 차이를 이용한 Scanning 윈도우는 모든 세션에 대하여 ID 를 공유 리눅스는 세션별로 ID 가 다르다.

47 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Idle Scanning Idle Scan Packet 흐름

48 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Idle Scanning IP Spoofing 을 이용한 Scanning Server 가 Victim 에게 ICMP 패킷을 보내는 것으로 위장 Windows 는 패킷 ID 를 공유하므로 ID 값의 변화를 관찰하여 포트를 스캐닝

49 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Idle Scanning Hping 으로 조용한 Server 에 지속적인 ICMP Packet Forwarding

50 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Idle Scanning IP Spoofing 을 통한 Syn Scan

51 University Hacking & Security Frontier http://www.padocon.org PAraDOx CONference 2008 Idle Scanning 검토 조용한 서버를 찾기만 한다면 Attacker 가 드러나지 않는다. 가능한 이유 - Victim 의 Port 가 닫힌 경우 RST 를 보내므로 Server 가 응답하지 않음. - Victim 의 Port 가 열린 경우 ACK/SYN 을 보내므로 서버가 RST 를 보낸다.

Download ppt "University Hacking & Security Frontier Spoofing & Scanning 2008. 2. 25. 서 승 현 1."

Similar presentations

Security Lab 2 MAN IN THE MIDDLE ATTACK

Security Lab 2 MAN IN THE MIDDLE ATTACK
Sniffing in a Switched Network -With A Recipe To Hack A Switch Using Ettercap and Ethereal -Manu GargManu Garg manugarg at gmail.

Sniffing in a Switched Network -With A Recipe To Hack A Switch Using Ettercap and Ethereal -Manu GargManu Garg manugarg at gmail.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.

Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Dr. Igor Santos.  Denial of Service  Man in the middle  ICMP attacks 2.

Dr. Igor Santos.  Denial of Service  Man in the middle  ICMP attacks 2.
Precept 3 Host Configuration 1 Peng Sun. What TCP conn. running? Commands netstat [-n] [-p] [-c] (Linux) lsof -i -P (Mac) ss (newer version of netstat)

Precept 3 Host Configuration 1 Peng Sun. What TCP conn. running? Commands netstat [-n] [-p] [-c] (Linux) lsof -i -P (Mac) ss (newer version of netstat)
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.

Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
ITIS 6167/8167: Network and Information Security Weichao Wang.

ITIS 6167/8167: Network and Information Security Weichao Wang.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
1 Reminding - ARP Two machines on a given network can communicate only if they know each other’s physical network address ARP (Address Resolution Protocol)

1 Reminding - ARP Two machines on a given network can communicate only if they know each other’s physical network address ARP (Address Resolution Protocol)
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
ECE-6612 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office: Klaus 3362.

ECE Prof. John A. Copeland fax Office: Klaus 3362.

Similar presentations

Ads by Google