Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Attacks Bharatha Yajaman ISQS 6342. Outline Sniffing  Passive Sniffing  Active Sniffing IP Address Spoofing  Changing the IP address  Undermining.

Published byCecily Montgomery Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Attacks Bharatha Yajaman ISQS 6342. Outline Sniffing  Passive Sniffing  Active Sniffing IP Address Spoofing  Changing the IP address  Undermining."— Presentation transcript:

1 Network Attacks Bharatha Yajaman ISQS 6342

2 Outline Sniffing  Passive Sniffing  Active Sniffing IP Address Spoofing  Changing the IP address  Undermining UNIX r – commands  With source routing Session Hijacking NetCat

3 Sniffing Sniffers are most common tools used by attackers Data link layer of the protocol stack is targeted Sniffer is a program that gathers traffic from local network & is useful for attackers for attackers to get all information as well as network administrators trying to trouble shoot problems An attacker can read data passing by a given machine in real time or can even store the data in a file

4 Type of Data Sniffer can capture? User IDs and Passwords DNS queries and responses email messages FTP passwords Files shared using Network File System or Windows Shares

5 An Island Hopping Attack User telnets to another system Sniffer gathers passwords sent in clear text Attacker now has UserID and Password on new victim LAN

6 Various Sniffing tools tcpdump, freeware for UNIX platform, www.tcpdump.org www.tcpdump.org windump, freeware of tcpdump for Windows 9x, NT and 2000 Snort, freeware sniffer and network-based intrusion detection system, www.snort.orgwww.snort.org Ethereal, freeware for UNIX and WinNT with nice User Interface, www.ethereal.com/www.ethereal.com/ Sniffit, widely used in attacker community, reptile.rug.ac.be/ ~coder/sniffit/sniffit.html reptile.rug.ac.be/ ~coder/sniffit/sniffit.html

7 Sniffing through a Hub – Passive Sniffing Transmitting data across a Hub based LAN just like shouting in a crowded room A hub implements a broadcast medium shared by all systems on the LAN Any data sent across the LAN is actually sent to each and every machine connected to the LAN

8 Sniffing through a Hub – Passive Sniffing BROADCAST ETHERNET A LAN implemented with a hub HUB

9 Sniffing through a Hub – Passive Sniffing If an attacker runs a Sniffer on one system on LAN, he can gather data sent to and from any other system on the LAN Majority of the Sniffer tools are well suited to sniff data in a hub environment These tools are called passive sniffers as they passively wait for the data to be sent to them, silently gathering the data from the LAN

10 Active Sniffing: Sniffing through a Switch Switched Ethernet does not broadcast all information to all systems on the LAN A switch which is more intelligent than the hub looks at the MAC address associated with each frame passing through it and sends the data to the required connection on the switch

11 Active Sniffing: Sniffing through a Switch SWITCHED ETHERNET A LAN implemented with a switch SWITCH

12 Active Sniffing: Sniffing through a Switch The switch limits the data that a passive Sniffer can gather If there is a passive Sniffer activated on a switched LAN the sniffer will only be able to see data going to and from one machine – the system with sniffer installed

13 Active Sniffing: Sniffing through a Switch So how do attacker over come this difficulty of sniffing a switched LAN?  Attackers have created a variety of tools that support sniffing a switched environment  These tools actively inject traffic into LAN to sniff a switched LAN  Dsniff is an active sniffing tool, www.monkey.org/~dugsong/dsniff www.monkey.org/~dugsong/dsniff

14 Foiling Switches with Floods ( MAC flooding ) MAC address are physical hardware addresses unique to every Ethernet Card LAN switches hold the MAC addresses in the switch memory What happens if the traffic is flooded with random MAC address on LAN ?  As number of different MAC addresses in use increases the switch dutifully stores the MAC addresses used by each link on the switch

15 Foiling Switches with Floods ( MAC flooding ) What happens if the traffic is flooded with random MAC address on LAN ?  Eventually, the switches memory is exhausted with bogus MAC addresses  Some switch implementations start forwarding data to all links connected to all the links if their memory links are exhausted The attacker can take advantage of this flaw and use any passive switching tool to sniff the switched LAN

16 Foiling Switches with Spoofed ARP Messages Some switches are immune to MAC flooding These switches stops storing new MAC addresses once their memory reaches a given limit To sniff in a switched environment where MAC flooding doesn't work  Attacker can use DSniff’s tool called arpspoof  arpspoof allows an attacker to manipulate ARP traffic on LAN

17 OUTSID E WORLD OUTSID E WORLD Foiling Switches with Spoofed ARP Messages SWITCH DEFAULT ROUTER FOR LAN Victim’s traffic isn’t sent to attacker

18 Foiling Switches with Spoofed ARP Messages To use arpspoof the attacker  First consults a map of the network likely generated during the scanning phase of the attack  Looking at the network topology the attacker observes the IP address of the default router for the LAN  Sets up the attack by configuring the IP layer of the attacker’s machine to forward any packet it receives from the LAN to the IP address of the default router (IP forwarding)

19 Foiling Switches with Spoofed ARP Messages To use arpspoof the attacker  Sends the fake ARP replies to the victims machine  This ARP changes the victims ARP table by remapping the default router’s IP (layer 3) to attacker own MAC address (layer2)  The victims sends the data, forwarding it to what it thinks is the default router (but using the attackers MAC address)

20 Foiling Switches with Spoofed ARP Messages To use arpspoof the attacker  The attacker sniffs the information using any kind of sniffing tool  The attacker’s machine will promptly forward the victim’s traffic to default router on the LAN  Upon reaching the default router the traffic is transmitted to the outside world  The attacker is now sniffing in a switched environment

21 OUTSID E WORLD OUTSID E WORLD Foiling Switches with Spoofed ARP Messages SWITCH DEFAULT ROUTER FOR LAN 1. Configure IP Forwarding 4. Sniff the traffic from the link 2. Send fake ARP response to re-map default router IP to attacker’s MAC 3. Victim sends traffic destined for outside world based on poisoned ARP table entry 5. Packets are forwarded from attacker’s machine to the actual default router for delivery to the outside world

22 Sniffing and Spoofing DNS The attacker fires up the dnsspoof program which sniffs the LAN for DNS queries for specific hosts ( www.bank.com ) - using Dsniffwww.bank.com At sometime later victim tries to resolve the name www.bank.com using DNS by trying to surf the websitewww.bank.com Now the attacker sniffs the DNS query and immediately sends a fake DNS response

23 Sniffing and Spoofing DNS This response will have a lie claiming that www.bank.com should resolve to IP address of the attackers machine (say 10.1.1.56) www.bank.com The victim machine will cache this incorrect DNS entry The victims machine will ignore the real response from the real DNS server as it has the mapping for www.bank.comwww.bank.com Finally the victims browser makes a connection with the attackers machine

24 OUTSID E WORLD OUTSID E WORLD Sniffing and Spoofing DNS SWITCH DEFAULT ROUTER FOR LAN 1. Attacker activates dnsspoof program 3. Sniff the DNS request from the line 4. Attacker quickly sends fake DNS response with any IP attacker wants the victim to use 2. Victim tries to resolve a name using DNS Attacker’s machine at 10.10.1.56 Desired destination www.bank.com www.bank.com 5. Victim now surfs the attackers site instead of desired location

25 Sniffing HTTPS and SSH Even though the S’s in HTTPS, SSL and SSH stand for secure, it is built on a trust model of underlying public keys When an HTTPS connection is established the server sends a certificate which the browser verifies If the certificate was signed by a trusted Certificate Authority, an SSL connection will be established

26 Sniffing HTTPS and SSH SSL connection uses a session key to encrypt all data sent by server and client SSH does not support digital certificates but is based on same public key encryption idea SSL and SSH protocols are sound from a security perspective but the problem is exploited in the trust certificates and public keys

27 Sniffing HTTPS and SSH For SSL if a web server sends a browser a certificate and if the browser does not recognize the browser will ask the user whether to accept this untrusted certificate or not For SSH the user will be warned that server’s public key has changed but will still be permitted to establish connection

28 Sniffing HTTPS and SSH How Dsniff exploits the problem ?  Dsniff uses webmitm and sshmitm tools for attacking HTTPS or SSH  mitm stands for “monkey in the middle” a reference to a classic person-in-the-middle attack  Attackers position themselves between two systems and actively participate in the connection to gather data

29 Sniffing HTTPS and SSH Person–in–the–middle attack ATTACKER NETWORK

30 Sniffing HTTPS and SSH Person–in–the–middle attack To conduct a person in the middle attack  The attacker runs the dnsspoof program configured to send false DNS information so that a DNS query for a given website will resolve to the attacker’s IP address  The attacker will also activate webmitm program that will transparently proxy all HTTP and HTTPS traffic it receives  The DNS spoof program detects DNS request for www.bank.com and redirects the client to attacker’s machine www.bank.com

31 Sniffing HTTPS and SSH Person–in–the–middle attack To conduct a person in the middle attack  Victim’s browser starts to establish a secure connection  All messages for establishing SSL connection are sent to webmitm on attacker’s machine  webmitm acts as a SSL proxy, establishing 2 SSL connections one from victim to the attacker's machine and the other from attacker’s machine to the actual web server

32 Sniffing HTTPS and SSH Person–in–the–middle attack To conduct a person in the middle attack  webmitm when establishing the SSL session between victim machine to the attacker will send the attacker’s own certificate  Victim’s browser will notice that the certificate is not signed by a trusted Certificate Authority and show a message to the user asking the user whether to accept this un-trusted certificate or not

33 OUTSID E WORLD OUTSID E WORLD Sniffing HTTPS and SSH (Modify) 1. Attacker activates dnsspoof and webmitm program Desired destination 10.22.12.41 2. Dnsspoof sends fake DNS response with IP address of the machine running webmitm (10.1.2.3) 3. Victim establishes SSL connection not knowing attacker is proxying the connection 4. Webmitm proxies the https connection establishing an https connection to server and sending attacker’s own certificate 10.1.2.3 5. Victim now accesses the desired server, but all the traffic is viewable by attacker using webmitm as proxy SWITCH DEFAULT ROUTER FOR LAN

34 IP address spoofing Simply changing the IP address  Simplest way of spoofing another system’s IP address can be achieved by simply changing the IP of system to the other’s system address  This can be done by using ifcommand in UNIX, or the Windows NT network control panel  This method is remarcable in achieving limited goals if the attacker wants To send packets that look like they look like they come from some where else Obscure the source of packet flood or other Denial-of- service attack

35 IP address spoofing (3 way handshake diagram) RESET ACK (A, ISN A ), SYN ( B, ISN B ) SYN (A, ISN A ) TCP three way handshake inhibits simple spoofing AB

36 IP address spoofing - Undermining UNIX r-commands ALICEBOB EVE

37 IP address spoofing - Undermining UNIX r-commands  Eve interacts with Bob by sending TCP SYN packets to one or more of his open ports again without spoofing  This connection initiation allows Eve to approximate rate at which the initial TCP sequence numbers in Bob’s SYN-ACK response are changing with time  Eve launches a denial-of-service against Alice (SYN flood or smurf attack)

38 IP address spoofing - Undermining UNIX r-commands  Alice is dead for a period of time. This prevents Alice from sending RESET packet and dropping our spoofed TCP connection  Eve initiates a connection to Bob using Alice’s IP address  The first part of the 3 way handshake is complete  Bob responds to 2 nd part of 3 way handshake to Alice but Alice is dead and cannot respond with a RESET

39 IP address spoofing - Undermining UNIX r-commands  Using the information gathered, Eve sends a ACK to Bob including a guess at sequence number, ISB B, spoofing Alice’s IP.  If the sequence number is incorrect a connection will not be established but if the sequence number is correct, Eve will open a TCP connection with Bob, pretending to be Alice

40 IP address spoofing - Undermining UNIX r-commands ACK (A, ISN A ), SYN ( B, ISN B ) SYN (A, ISN A ) ALICE BOB EVE DIE Open several connections to Bob to observe the initial sequence number in response ACK (B, ISN B )

41 IP address spoofing - Spoofing with Source Routing A far easier method for IP address spoofing is based on source routing This technique will let the attacker get responses in interactive sessions and even avoid to conduct Denial-of-service attack Source routing is an option in IP that allows the source machine sending packets to specify path it will take on the network

42 IP address spoofing - Spoofing with Source Routing ALICE BOB EVE Route 1.Alice 2.Eve 3.Bob Packet Contents PACKET Route 1.Bob 2.Eve 3.Alice Packet Contents PACKET Eve generates packets with fake source route Packets claim to come from Alice Source route includes Eves address making Eve look like a router Packets include destination Bob

43 IP address spoofing - Spoofing with Source Routing ALICE BOB EVE Route 1.Alice 2.Eve 3.Bob Packet Contents PACKET Route 1.Bob 2.Eve 3.Alice Packet Contents PACKET Eve injects these spoofed packets on the network Bob will take action on packets and responds When Bob responds packets will be transmitted to Eve who is a part of the source route Eve will intercept the packet but will not forward packet to Alice

44 IP Spoofing Defense The initial set of sequence numbers generated by TCP stacks must be difficult to predict For UNIX machines in particular, using of weak r-commands must be avoided Implementation of anti-spoof packet filters at border routers and firewalls connecting organization to the Internet and business partners

45 IP Spoofing Defense The filtering devise drops all packets coming in on one interface that have a source address of network on another interface These packets indicate a possible spoofing attack NETWORK B NETWORK A FILTERIN G DEVICE Packet with IP source address on Network A Dropped

46 IP Spoofing Defense Source routed packets through the network gateways must not be allowed  This can be done by configuring routers using no ip sourceroute (this woks for Cisco routers) to drop all source routed packets at gateways Careful with trust relationships throughout the environment Avoid extending UNIX and Win NT trust relationship to systems across an unprotected network

47 Session Hijacking Marriage of sniffing and spoofing is called session hijacking An attacker can hijack a session even if strong authentication is used assuming the conversation following the initial authentication is not cryptographically protected  As the session is sent in clear text after initial authentication and a attacker can hijack the it at any point after authentication

48 Network-based Session Hijacking A has established a telnet connection across n/w to B Attacker sits on a segment in the network where traffic is passing from A to B Attacker can see the session using sniffing techniques NETWO RK EVE ALICE BOB Alice Telnet

49 Network-based Session Hijacking Attacker can also monitor TCP sequence numbers of these packets while observing the session At some point the attacker will decide to hijack the connection NETWO RK EVE BOB Alice Telnet

50 Network-based Session Hijacking Now he will start injecting spoofed traffic source with A’s IP into the network using proper TCP sequence numbers on all packets If successful Bob will listen the commands sent by attacker thinking it came from A NETWO RK EVE BOB Alice Telnet Hi I’m Alice

51 Session Hijacking – ACK storm When a system receives a packet with TCP connection that is out of order it resends its last ACK packet Retransmission of ACK is supposed to help the systems resynchronize their sequence numbers

52 Session Hijacking – ACK storm What happens if the attacker is injecting traffic in the TCP connection ?  The sequence number between attacker and B will go on increasing  As traffic gets routed back to A it will see sequence numbers increasing even though A has not sent any packets NETWO RK EVE BOB ACK ACK ACK ACK ACK Packets with increasing sequence number

53 Session Hijacking – ACK storm  TCP stacks of A and B get confused as attacker sends the traffic in increasing sequence number  To resynchronize connection A will resend ACK messages again and again consuming a good amount of bandwidth in what is know an ACK storm NETWO RK EVE BOB ACK ACK ACK ACK ACK Packets with increasing sequence number

54 Session Hijacking – ACK storm  During an ACK storm the performance quickly starts to suffer the attacker will be able to get one or two commands executed on B before the ACK storm causes the connection to be dropped NETWO RK EVE BOB ACK ACK ACK ACK ACK Packets with increasing sequence number

55 Session Hijacking Defenses Utilizing all defense techniques used for spoof attacks Using encryption tools like SSH or VPN for securing sessions Encrypted sessions will prevent session hijacking as attackers will not have keys to encrypt or decrypt

56 Netcat : General purpose network tool Netcat is one of the most useful tools available for interacting with systems across network Netcat is often referred as “Swiss Army knife of network tools” The idea behind Netcat is it allows a user to move data across a network while functioning much like the UNIX cat command Instead of dumping data on the local system Netcat moves arbitrary data over any TCP or UDP port

57 Netcat : General purpose network tool Netcat executable operates in one of two modes  Client mode  Listen mode In client mode Netcat can be used to initiate connection to any TCP or UDP port on another machine In listen mode Netcat opens any TCP or UDP port on the local system Netcat supports source routing

58 Netcat : General purpose network tool Using these basic building blocks people have devices many different scenarios based on Netcat  File Transfer  Port Scanning  Making connections to open ports  Vulnerability scanning  To create a passive backdoor command shell  To actively push a backdoor command shell  Relaying traffic

59 Netcat : Defence Preventing Netcat file transfers Securing against port scanning Blocking arbitrary connections to a port Protecting against vulnerability scanning Stopping backdoors Preventing relay attacks

60 References Counter Hack Hacking Exposed http://www.cert.org/advisories/CA-1995-01.html http://ciac.llnl.gov/ciac/bulletins/f-08.shtml http://www.iss.net/security_center/advice/Undergrou nd/Hacking/Methods/Technical/default.htm http://www.iss.net/security_center/advice/Undergrou nd/Hacking/Methods/Technical/default.htm http://www.althes.fr/ressources/avis/smartspoof- en.pdf http://www.althes.fr/ressources/avis/smartspoof- en.pdf

61 Thank You

Download ppt "Network Attacks Bharatha Yajaman ISQS 6342. Outline Sniffing  Passive Sniffing  Active Sniffing IP Address Spoofing  Changing the IP address  Undermining."

Similar presentations

Module X Session Hijacking

Module X Session Hijacking
Ethical Hacking Module VII Sniffers.

Ethical Hacking Module VII Sniffers.
Security Lab 2 MAN IN THE MIDDLE ATTACK

Security Lab 2 MAN IN THE MIDDLE ATTACK
Man in the Middle Attack

Man in the Middle Attack
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.

Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.

Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.

Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.
SYSTEM ADMINISTRATION Chapter 19

SYSTEM ADMINISTRATION Chapter 19
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.

Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Similar presentations

Ads by Google