Sniffing and Spoofing (slide deck transcript, posted 30-Dec-2015, category: Documents)
Sniffing and Spoofing
Spoofing
- Fraudulent authentication of one machine as another
- Kinds: ARP spoofing, IP spoofing, DNS spoofing, Web spoofing
ARP spoofing
- Address Resolution Protocol (ARP): maps IP addresses to hardware (Ethernet) addresses
  - A host sends an ARP packet asking "who has IP address X, and what is your hardware address?"
  - ARP cache: a table of recent responses
- ARP spoofing: assume IP address a of a trusted host
  - Respond to ARP packets for address a, sending a false hardware address (i.e. the fraud's address)
- Solution: make the ARP cache static (manual updates!?!)
ARP Message Formats
- ARP packets provide the mapping between hardware-layer and protocol-layer addresses
- 28-byte header for an IPv4 Ethernet network: 8 bytes of ARP data plus 20 bytes of Ethernet/IP address data
- 6 ARP messages: ARP request and reply; ARP reverse request and reply; ARP inverse request and reply
ARP Request Message
- Source contains the initiating system's MAC address and IP address
- Destination contains the broadcast MAC address ff:ff:ff:ff:ff:ff
ARP Reply Message
- Source contains the replying system's MAC address and IP address
- Destination contains the requestor's MAC address and IP address
Types of Attack
- Sniffing attacks
- Session hijacking / MiM (man in the middle)
- Denial of service
Sniffing on a Hub
Switch Sniffing
- Normal switched networks
  - Switches relay traffic between two stations based on MAC addresses
  - Stations only see broadcast or multicast traffic
- Compromised switched networks
  - Attacker spoofs destination and source addresses
  - Forces all traffic between two stations through its system
Unsolicited ARP Reply
- Any system can spoof a reply to an ARP request
- The receiving system will cache the reply: it overwrites an existing entry, or adds an entry if one does not exist
- Usually called ARP poisoning
Host to Host Exploit
Host to Router Exploit
Relay Configuration
Relay Configuration (cont.)
Session Hijacking / MiM
- A natural extension of the sniffing capability
- Easier than standard hijacking: no need to deal with duplicate or un-synced packets arriving at destination and source
- Avoids packet storms
Denial of Service
- Spoofing the destination MAC address of a connection will prevent the intended source from receiving/accepting it
- Benefits: no protocol limitation; eliminates synchronization issues
- Examples: UDP DoS; TCP connection killing instead of using RSTs
DoS MAC Entries
Denial of Service Examples
ARP Attack on Web Surfing
- Web surfers require the gateway router to reach the Internet
- Method: identify the surfer's MAC address; change their cached gateway MAC address (or DNS MAC address, if local) to something else
ARP Attack on Network-based IDS
- Poorly constructed (single-homed) IDS network systems relay auditing data/alerts to management/admin consoles
- Method: identify the local IDS network engine; modify the gateway MAC address; modify the console/management station address
Switch Attacks
- Certain attacks may overflow a switch's ARP tables
- Method: a MAC address is composed of six bytes, which is equivalent to 2^48 possible addresses; see how many randomly generated ARP replies or ARP requests it takes before the switch fails
Switch Attacks (cont.)
- Switches may:
  - Fail open: the switch actually becomes a hub
  - Fail: no traffic passes through the switch, requiring a hard or soft reboot
Network Bombs
- A hidden application installed on a compromised system
- Method: passively or actively collects ARP entries; the attacker specifies a timeout or a future time; the application then transmits false ARP entries to its list
Vulnerable Systems
- Windows 95
- Windows 98
- Windows NT
- Windows 2000
- AIX 4.3
- HP 10.2
- Linux RedHat 7.0
- FreeBSD 4.2
- Cisco IOS 11.1
- Netgear
Not Vulnerable
- Sun Solaris 2.8: appears to resist cache poisoning
Countermeasures
Firewalls
- Most personal firewalls are not capable of defending against, or correctly identifying, attacks below the IP level
- UNIX: ipfw, ipf (IP Filter)
- Windows environments: Network Ice / Black Ice
Session Encryption
- Examples: establishing VPNs between networks or systems; using application-level encryption
- Effects: protects against disclosure attacks; will not protect against DoS attacks
Strong Authentication
- Examples: one-time passwords; certificates
- Effects: none on disclosure attacks; none on DoS attacks
Port Security
- Cisco switches: set port security ?/? enable
- Restricts source MAC addresses: hard-coded ones, learned ones
- Ability to set timeouts
- Ability to generate traps
- Ability to shut down the violating port
Port Security (cont.)
- Issues: only restricts source MAC addresses
- Will not protect against ARP relay attacks
- Will only protect against ARP source-spoofing attacks
Hard Coding Addresses
- Example: individual systems can hard-code the corresponding MAC address of another system/address
- Issues: management nightmare; not scalable; not supported by some OS vendors
Hard Coding Results
Operating System     Result
Windows 95           FAIL
Windows 98           FAIL
Windows NT           FAIL
Windows 2000         FAIL
Linux RedHat 7.0     YES
FreeBSD 4.2          YES
Solaris 2.8          YES
Countermeasure Summary
Attack types (columns): Sniffing, Session Hijacking, Denial of Service
Countermeasures (rows): Firewalls, Session Encryption, Strong Authentication, Port Security, Hard Coding
Detection
IDS Architecture Issues
OS Level Detection
Operating System     Detection
Windows 95           NO
Windows 98           NO
Windows NT           NO
Windows 2000         NO
Linux RedHat 7.0     NO
FreeBSD 4.2          YES
Hypothetical Detection Application
- Purpose: track and maintain ARP/IP pairings; identify non-standard ARP replies versus acceptable ones
- Timeout issues
- The OS must withstand corruption itself
- Fix broken ARP entries of systems by transmitting correct ARP replies
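As an added example (not part of the slide deck), a small Python monitor in the spirit of the detection application described above: it parses the 28-byte Ethernet/IPv4 ARP message from the "ARP Message Formats" slide, tracks IP-to-MAC pairings, and flags the unsolicited-reply and overwritten-entry pattern from the "Unsolicited ARP Reply" slide. The MAC and IP addresses in the sample trace are constructed.

```python
import struct
from collections import namedtuple

# 28-byte ARP body for Ethernet/IPv4 (RFC 826): htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2
Arp = namedtuple("Arp", "op sha spa tha tpa")  # sender/target MAC and IP, as strings

def parse_arp(buf: bytes) -> Arp:
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, buf[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return Arp(op, mac(sha), ip(spa), mac(tha), ip(tpa))

def build_arp(op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Builds the constructed ARP messages used in the sample trace below."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha, ip(spa), tha, ip(tpa))

class ArpWatch:
    """Tracks IP->MAC pairings; flags replies nobody asked for and replies
    that overwrite a known pairing (the cache-poisoning pattern)."""
    def __init__(self):
        self.table, self.pending, self.alerts = {}, set(), []
    def observe(self, pkt: Arp):
        if pkt.op == ARP_REQUEST:
            self.pending.add(pkt.tpa)        # someone asked "who has tpa?"
            return
        if pkt.spa in self.pending:
            self.pending.discard(pkt.spa)    # answers an outstanding request
        else:
            self.alerts.append(f"unsolicited reply for {pkt.spa} from {pkt.sha}")
        old = self.table.get(pkt.spa)
        if old is not None and old != pkt.sha:
            self.alerts.append(f"{pkt.spa} moved from {old} to {pkt.sha}")
        self.table[pkt.spa] = pkt.sha       # a victim's cache would do the same

def run_sample_trace() -> ArpWatch:
    """Constructed trace: a legitimate request/reply, then a poisoning reply."""
    host, gw, rogue = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccdd01"), bytes.fromhex("00deadbeef02")
    trace = [build_arp(ARP_REQUEST, host, "10.0.0.5", bytes(6), "10.0.0.1"),
             build_arp(ARP_REPLY, gw, "10.0.0.1", host, "10.0.0.5"),
             build_arp(ARP_REPLY, rogue, "10.0.0.1", host, "10.0.0.5")]  # no request preceded it
    watch = ArpWatch()
    for raw in trace:
        watch.observe(parse_arp(raw))
    return watch
```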
Public Domain Tools
- Manipulation: Dsniff 2.3; Hunt 1.5; a growing number of others
- Local monitoring: Arpwatch 1.11
Demo Environment
Demonstration Tools
- rfarp 1.1: provides ARP relay capability and a packet dump for two selected stations; corrects MAC entries upon exiting
- farp 1.1b: passive and active collection of ARP messages; DoS attacks on single hosts; DoS attacks on the entire collection; arbitrary and manual input of spoofed MAC addresses
Bibliography
- Finlayson, Mann, Mogul, Theimer. RFC 903, "A Reverse Address Resolution Protocol", June 1984.
- Kra. Hunt 1.5, http://www.gncz.cz/kra/index.html, Copyright 2000.
- Lawrence Berkeley National Laboratory, Network Research Group. Arpwatch 1.11, ftp://ftp.ee.lbl.gov/arpwatch.tar.Z, Copyright 1996.
- Plummer, David C. RFC 826, "An Ethernet Address Resolution Protocol", November 1982.
- Russell, Ryan and Cunningham, Stace. Hack Proofing Your Network, Syngress Publishing Inc., Copyright 2000.
- Song, Dug. Dsniff 2.3, http://www.monkey.org/~dugsong/, Copyright 2000.
IP Spoofing
Definitions
- An open connection between two computers communicating by TCP/IP is called a socket and is defined by:
  - Source IP number
  - Source port number
  - Destination IP number
  - Destination port number
  - Initial source SEQ number
  - Initial destination SEQ number
  - An ID # that is increased for each packet
TCP packet header
- 16-bit source port number; 16-bit destination port number
- 32-bit sequence number
- 32-bit acknowledgement number
- Header length; unused bits; flags; 16-bit window size
- 16-bit TCP checksum; 16-bit urgent offset
- Options (if any)
- Data (if any)
Traditional TCP/IP handshake (attacker and target)
1. SYN, attacker -> target: Src IP, Dst IP; Src port, Dst port; Syn = src seq#; Ack = NULL; Flags = S; Src ID = src ID + 1
2. SYN/ACK, target -> attacker: Src IP, Dst IP; Src port, Dst port; Syn = dst seq#; Ack = src seq# + 1; Flags = S+A; Dst ID = dst ID + 1
3. ACK, attacker -> target: Src IP, Dst IP; Src port, Dst port; Syn = src seq#; Ack = dst seq# + 1; Flags = A; Src ID = src ID + 1
Establishing a socket (A and B)
- A -> B: SYN (seq = seqa)
- B -> A: SYN/ACK (seq = seqb, ack = seqa + 1)
- A -> B: ACK (ack = seqb + 1)
Traditional port scanning (attacker and target)
- attacker -> target: SYN
- target -> attacker: SYN/ACK
- attacker -> target: ACK

Traditional stealth scanning 1
- attacker -> target: SYN
- target -> attacker: SYN/ACK

Traditional stealth scanning 2
- attacker -> target: SYN
- target -> attacker: SYN/ACK
- attacker -> target: RST
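As an added example (not from the original slides), Python that parses the 20-byte TCP header listed above and classifies each connection in a packet trace by the handshake pattern it shows: completed, half-open, torn down with RST, or refused, checking the seq/ack arithmetic from the "Establishing a socket" slide as it goes. This is the flow classification a detector needs to tell the scan patterns above from normal connects; the trace and its addresses are constructed.

```python
import struct
from collections import defaultdict

TCP_FMT = "!HHIIBBHHH"   # 20-byte TCP header without options, network byte order
SYN, RST, ACK = 0x02, 0x04, 0x10
MASK = 0xffffffff        # sequence/acknowledgement numbers wrap at 2^32

def parse_tcp(buf: bytes) -> dict:
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_FMT, buf[:20])
    return dict(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags & 0x3f)

def classify_flow(pkts) -> str:
    """pkts: parsed segments of one connection in order, client SYN first; checks flags and seq/ack arithmetic."""
    if len(pkts) < 2 or pkts[0]["flags"] != SYN:
        return "no SYN seen, or SYN unanswered"
    synack = pkts[1]
    if synack["flags"] & RST:
        return "closed port"
    if synack["flags"] != SYN | ACK or synack["ack"] != (pkts[0]["seq"] + 1) & MASK:
        return "bad SYN/ACK"
    if len(pkts) < 3:
        return "half-open: SYN/ACK never acknowledged"
    if pkts[2]["flags"] & RST:
        return "half-open: torn down with RST"
    if pkts[2]["flags"] == ACK and pkts[2]["ack"] == (synack["seq"] + 1) & MASK:
        return "established"
    return "bad ACK"

def classify_trace(trace) -> dict:
    """trace: (src_ip, dst_ip, raw_tcp) tuples; returns {(client, cport, server, sport): verdict}."""
    flows = defaultdict(list)
    for src, dst, raw in trace:
        seg = parse_tcp(raw)
        key = (src, seg["sport"], dst, seg["dport"])
        rkey = (dst, seg["dport"], src, seg["sport"])   # same connection, reply direction
        flows[rkey if rkey in flows else key].append(seg)
    return {k: classify_flow(v) for k, v in flows.items()}

def sample_trace():
    """Constructed: a completed connect, a half-open probe ended with RST, a closed port."""
    hdr = lambda sp, dp, seq, ack, fl: struct.pack(TCP_FMT, sp, dp, seq, ack, 5 << 4, fl, 8192, 0, 0)
    c, s = "10.0.0.9", "10.0.0.1"
    return [(c, s, hdr(40000, 80, 1000, 0, SYN)),
            (s, c, hdr(80, 40000, 5000, 1001, SYN | ACK)),
            (c, s, hdr(40000, 80, 1001, 5001, ACK)),
            (c, s, hdr(40001, 22, 2000, 0, SYN)),
            (s, c, hdr(22, 40001, 6000, 2001, SYN | ACK)),
            (c, s, hdr(40001, 22, 2001, 0, RST)),
            (c, s, hdr(40002, 23, 3000, 0, SYN)),
            (s, c, hdr(23, 40002, 0, 3001, RST | ACK))]
```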
Sequence numbers
- Are in place to provide easy packet reassembly
- Increment each time a packet is sent
- Various incrementation schemes exist
ID flag
- Is in place to identify each TCP session
- Is also in some cases used for packet reassembly
- The ID counter is increased every time a packet is sent
- This is valid for all packets, including reset packets
ID flag prediction
- Most Unix boxes increment the ID by a random or pseudo-random number
- Up until today, ID numbers have not been known to be security critical
- Some Windows versions tend to increment the ID # by 1, while some seem to increment it by 254; this is due to reversed byte ordering of the ID # in these operating systems
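An added example, not from the slide deck: Python that audits the IP ID values observed from one host for the increment patterns described above (a constant step, a +1 counter hidden by reversed byte order, a counter with a little other traffic mixed in, or random), so a defender can find which of their own hosts expose a predictable counter. The ID sequences are constructed.

```python
def ip_id_deltas(ids, swap=False):
    """Differences between consecutive 16-bit IP IDs, modulo 2^16. With swap=True
    each ID's two bytes are exchanged first, which undoes the reversed byte order
    some stacks use and so reveals a +1 counter that looks like +256 on the wire."""
    vals = [((i & 0xff) << 8) | (i >> 8) if swap else i for i in ids]
    return [(b - a) & 0xffff for a, b in zip(vals, vals[1:])]

def classify_ip_id(ids, max_noise=8):
    """Returns (verdict, step). A host whose next ID follows from its last one
    ('incremental') is the kind of decoy the spoofed-scanning technique relies on;
    auditing your own hosts for this tells you which ones to fix or isolate.
    max_noise: largest delta still treated as 'counter plus a few other packets'."""
    if len(ids) < 3:
        return ("insufficient samples", None)
    for swap in (False, True):
        d = ip_id_deltas(ids, swap)
        if all(x == d[0] for x in d) and d[0] != 0:
            return (("incremental, byte-swapped" if swap else "incremental"), d[0])
        if all(1 <= x <= max_noise for x in d):
            return (("incremental with noise, byte-swapped" if swap else "incremental with noise"), min(d))
    if len(set(ids)) == 1:
        return ("constant", 0)
    return ("random", None)

# Constructed sample sequences, as they would be read (network order) from probe replies:
SAMPLES = {
    "counter_by_1":   [0x1000, 0x1001, 0x1002, 0x1003, 0x1004],
    "counter_by_256": [0x0100, 0x0200, 0x0300, 0x0400, 0x0500],
    "swapped_carry":  [0xfe00, 0xff00, 0x0001, 0x0101, 0x0201],  # +1 counter, bytes reversed
    "busy_counter":   [0x2000, 0x2003, 0x2004, 0x2009, 0x200a],
    "randomised":     [0x8a1f, 0x03b7, 0xd44e, 0x6a02, 0x1f90],
}

def audit(samples=SAMPLES):
    """Verdict per host sample; anything but 'random' deserves a closer look."""
    return {name: classify_ip_id(ids)[0] for name, ids in samples.items()}
```

Note that a plain +256 step passes as incremental without the byte swap; the swap only matters when the low byte carries into the high byte, as in the swapped_carry sample.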
IP spoofing
- 3 computers: A, B, C
- C sends a packet to A, but makes A believe that the packet comes from B
- How to do it? Easy: set the source IP address of the IP header to the IP address of B
- This can be done easily using raw IP packets: you can make IP packets on your own, so you can also set the source IP address to any value you want
Spoofed scanning in theory
- By constantly polling a decoy host for ID number increments we can see whether the scanned target host has sent it SYN/ACK or reset packets
- By analyzing this we will know whether a port on the scanned host is open or not
- This is done totally blind from the scanned host

Spoofed scanning in theory (cont.)
- Since we know a machine will increase the ID # by sending a packet, we can constantly probe the host to see how many packets it has sent between our polls
- This is done by monitoring the ID # increment

Spoofed scanning in theory (cont.)
- If a port is open on the scanned host, the server will respond with a SYN/ACK
- If a port is closed on the scanned host, it will respond wit