Sniffing and Spoofing. Spoofing: Fraudulent authentication, one machine as another. ARP...

  • Sniffing and Spoofing

  • Spoofing
    Fraudulent authentication: one machine posing as another
    ARP spoofing, IP spoofing, DNS spoofing, Web spoofing

  • ARP spoofing
    Address Resolution Protocol (ARP): maps an IP address to a hardware (Ethernet) address
    Send an ARP packet: "who has this IP address, and what is your hardware address?"
    ARP cache: table of recent responses
    ARP spoofing:
      Assume IP address a of a trusted host
      Respond to ARP packets for address a, sending a false hardware address (i.e. the fraud's address)
    Solution: make the ARP cache static (manual updates!?!)

  • ARP Message Formats
    ARP packets provide the mapping between hardware-layer and protocol-layer addresses
    28-byte header for an IPv4 Ethernet network: 8 bytes of ARP data plus 20 bytes of Ethernet/IP address data
    6 ARP messages: ARP request and reply, ARP reverse request and reply, ARP inverse request and reply

  • ARP Request Message
    Source contains the initiating system's MAC address and IP address
    Destination contains the broadcast MAC address ff.ff.ff.ff.ff.ff

  • ARP Reply Message
    Source contains the replying system's MAC address and IP address
    Destination contains the requestor's MAC address and IP address

  • Types of Attack
    Sniffing attacks
    Session hijacking/MiM
    Denial of service

  • Sniffing on a Hub

  • Switch Sniffing
    Normal switched networks: switches relay traffic between two stations based on MAC addresses; stations only see broadcast or multicast traffic
    Compromised switched networks: the attacker spoofs destination and source addresses, forcing all traffic between two stations through its system

  • Unsolicited ARP Reply
    Any system can spoof a reply to an ARP request
    The receiving system will cache the reply: it overwrites an existing entry, or adds an entry if one does not exist
    Usually called ARP poisoning

  • Host to Host Exploit

  • Host to Router Exploit

  • Relay Configuration

  • Relay Configuration (cont.)

  • Session Hijacking/MiM
    Natural extension of the sniffing capability
    Easier than standard hijacking: don't have to deal with duplicate/un-synced packets arriving at destination and source; avoids packet storms

  • Denial of Service
    Spoofing the destination MAC address of a connection will prevent the intended source from receiving/accepting it
    Benefits: no protocol limitation; eliminates synchronization issues
    Examples: UDP DoS; TCP connection killing instead of using RSTs

  • DoS MAC Entries

  • Denial of Service Examples

  • ARP Attack on Web Surfing
    Web surfers require the gateway router to reach the Internet
    Method: identify the surfer's MAC address; change their cached gateway MAC address (or DNS MAC address, if local) to something else

  • ARP Attack on Network-based IDS
    Poorly constructed (single-homed) IDS network systems relay auditing data/alerts to management/admin consoles
    Method: identify the local IDS network engine; modify the gateway MAC address; modify the console/management station address

  • Switch Attacks
    Certain attacks may overflow a switch's ARP tables
    Method: a MAC address is composed of six bytes, which is equivalent to 2^48 possible addresses; see how many randomly generated ARP replies or ARP requests it takes before the switch fails

  • Switch Attacks (cont.)
    Switches may:
      Fail open: the switch actually becomes a hub
      Fail: no traffic passes through the switch, requiring a hard or soft reboot

  • Network Bombs
    Hidden application installed on a compromised system
    Method: passively or actively collects ARP entries; the attacker specifies a timeout or future time; the application transmits false ARP entries to its list

  • Vulnerable Systems
    Windows 95, Windows 98, Windows NT, Windows 2000, AIX 4.3, HP 10.2, Linux RedHat 7.0, FreeBSD 4.2, Cisco IOS 11.1, Netgear

  • Not Vulnerable
    Sun Solaris 2.8: appears to resist cache poisoning

  • Countermeasures

  • Firewalls
    Most personal firewalls are not capable of defending against or correctly identifying attacks below the IP level
    UNIX: ipfw, ipf (IP Filter)
    Windows environments: Network Ice/Black Ice

  • Session Encryption
    Examples: establishing VPNs between networks or systems; using application-level encryption
    Effects: protects against disclosure attacks; will not prevent DoS attacks

  • Strong Authentication
    Examples: one-time passwords; certificates
    Effects: none on disclosure attacks; none on DoS attacks

  • Port Security
    Cisco switches: set port security ?/? enable
    Restricts source MAC addresses: hard-coded ones, learned ones
    Ability to set timeouts, generate traps, and shut down the violating port

  • Port Security (cont.)
    Issues: only restricts source MAC addresses; will not prevent ARP relay attacks; will only prevent ARP source spoofing attacks

  • Hard Coding Addresses
    Example: individual systems can hard code the corresponding MAC address of another system/address
    Issues: management nightmare; not scalable; not supported by some OS vendors

  • Hard Coding Results

    Operating System     Results
    Windows 95           FAIL
    Windows 98           FAIL
    Windows NT           FAIL
    Windows 2000         FAIL
    Linux RedHat 7.0     YES
    FreeBSD 4.2          YES
    Solaris 2.8          YES

  • Countermeasure Summary

    [table: countermeasures (Firewalls, Session Encryption, Strong Authentication, Port Security, Hard Coding) versus attack types (Sniffing, Session Hijacking, Denial of Service); cell values not preserved]

  • Detection

  • IDS Architecture Issues

  • OS Level Detection

    Operating System     Detection
    Windows 95           NO
    Windows 98           NO
    Windows NT           NO
    Windows 2000         NO
    Linux RedHat 7.0     NO
    FreeBSD 4.2          YES

  • Hypothetical Detection Application
    Purpose: track and maintain ARP/IP pairings; identify non-standard ARP replies versus acceptable ones
    Timeout issues
    OS must withstand corruption itself
    Fix broken ARP entries of systems: transmission of correct ARP replies
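As an added example (not part of the slides or of any tool they name), a Python sketch of the tracker this slide describes, built on the 28-byte Ethernet/IPv4 ARP format from the ARP Message Formats slides: it decodes request and reply messages, records the IP/MAC pairings learned from replies, and flags a reply nobody asked for and a pairing that changes. The frames, addresses and helper names (`parse_arp`, `ArpWatcher`, `build_arp`, `run_demo`) are constructed for the demo.

```python
import struct

# Ethernet/IPv4 ARP message: 8 bytes of ARP data + 20 bytes of address data = 28 bytes
ARP_FMT, ARP_REQUEST, ARP_REPLY = "!HHBBH6s4s6s4s", 1, 2

def parse_arp(payload):
    """Parse the 28-byte ARP header; reject anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}

class ArpWatcher:
    """Keep IP->MAC pairings from replies; flag unsolicited replies and changed MACs."""
    def __init__(self):
        self.table = {}        # ip -> mac learned from replies
        self.pending = set()   # ips a request was seen for, so a reply is expected

    def observe(self, payload):
        msg, alerts = parse_arp(payload), []
        if msg["op"] == ARP_REQUEST:
            self.pending.add(msg["tpa"])
        elif msg["op"] == ARP_REPLY:
            ip, mac = msg["spa"], msg["sha"]
            if ip in self.pending:
                self.pending.discard(ip)
            else:                          # reply nobody asked for: poisoning sign
                alerts.append(f"unsolicited reply: {ip} is-at {mac}")
            old = self.table.get(ip)
            if old is not None and old != mac:
                alerts.append(f"pairing changed: {ip} {old} -> {mac}")
            self.table[ip] = mac
        return alerts

def build_arp(op, sha, spa, tha, tpa):
    """Constructed test frames only: hex MAC strings and dotted IPv4 strings."""
    b = lambda ip: bytes(map(int, ip.split(".")))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sha), b(spa), bytes.fromhex(tha), b(tpa))

def run_demo():
    """Host 10.0.0.5 asks for the gateway; a legitimate reply, then a poisoned one."""
    w = ArpWatcher()
    frames = [build_arp(ARP_REQUEST, "0200aabbcc05", "10.0.0.5", "000000000000", "10.0.0.1"),
              build_arp(ARP_REPLY, "001122334401", "10.0.0.1", "0200aabbcc05", "10.0.0.5"),
              build_arp(ARP_REPLY, "666666666666", "10.0.0.1", "0200aabbcc05", "10.0.0.5")]
    return [a for f in frames for a in w.observe(f)]
```

The watcher only sees what is on its segment, so on a switched network it must sit where the replies pass, and a request it never saw (or one that timed out) will make a legitimate reply look unsolicited, which is the timeout issue the slide raises.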

  • Public Domain Tools
    Manipulation: Dsniff 2.3, Hunt 1.5, and a growing number of others
    Local monitoring: Arpwatch 1.11

  • Demo Environment

  • Demonstration Tools
    rfarp 1.1: provides ARP relay capability and packet dump for two selected stations; corrects MAC entries upon exiting
    farp 1.1b: passive and active collection of ARP messages; DoS attacks on single hosts; DoS attacks on the entire collection; arbitrary and manual input of spoofed MAC addresses

  • Bibliography
    Finlayson, Mann, Mogul, Theimer, RFC 903, A Reverse Address Resolution Protocol, June 1984
    Kra, Hunt 1.5, Copyright 2000
    Lawrence Berkeley National Laboratory, Network Research Group, Arpwatch 1.11, Copyright 1996
    Plummer, David C., RFC 826, An Ethernet Address Resolution Protocol, November 1982
    Russell, Ryan and Cunningham, Stace, Hack Proofing Your Network, Syngress Publishing Inc, Copyright 2000
    Song, Dug, Dsniff 2.3, Copyright 2000

  • IP Spoofing

  • Definitions
    An open connection between two computers communicating by TCP/IP is called a socket and is defined by:
      Source IP number
      Source port number
      Destination IP number
      Destination port number
      Initial source SEQ number
      Initial destination SEQ number
      An ID # that is increased for each packet

  • TCP packet header
    16-bit source port number
    16-bit destination port number
    32-bit sequence number
    32-bit acknowledgement number
    length, unused, flags
    16-bit window size
    16-bit TCP checksum
    16-bit urgent offset
    Options (if any)
    Data (if any)

  • Traditional TCP/IP handshake (target, attacker): SYN
    Src IP, Dst IP; Src port, Dst port
    Syn = src seq#; Ack = NULL; Flags = S
    Src ID = src ID + 1

  • Traditional TCP/IP handshake (target, attacker): SYN, then SYN/ACK
    SYN: Src IP, Dst IP; Src port, Dst port; Syn = src seq#; Ack = NULL; Flags = S
    SYN/ACK: Src IP, Dst IP; Src port, Dst port; Syn = dst seq#; Ack = src seq# + 1; Flags = S+A
    Dst ID = dst ID + 1

  • Traditional TCP/IP handshake (target, attacker): SYN, SYN/ACK, then ACK
    ACK: Src IP, Dst IP; Src port, Dst port; Syn = src seq#; Ack = dst seq# + 1; Flags = A
    Src ID = src ID + 1

  • Establishing a socket
    A → B: SYN (seqa)
    B → A: SYN/ACK (seqb, ack = seqa+1)
    A → B: ACK (ack = seqb+1)

  • Traditional port scanning (target, attacker)
    SYN; SYN/ACK; ACK

  • Traditional stealth scanning 1 (target, attacker)
    SYN; SYN/ACK

  • Traditional stealth scanning 2 (target, attacker)
    SYN; SYN/ACK; RST

  • Sequence numbers
    Are in place to provide easy packet reassembly
    Increment each time a packet is sent
    Various incrementation schemes exist

  • ID flag
    Is in place to identify each TCP session
    Is also in some cases used for packet reassembly
    The ID counter is increased every time a packet is sent
    This is valid for all packets, including reset packets

  • ID flag prediction
    Most Unix boxes increment the ID by a random or pseudo-random number
    Up till today, ID numbers have not been known to be security critical
    Some Windows versions tend to increment the ID# by 1, while some seem to increment the ID# by 254; this is due to reversed byte ordering of the ID# in these operating systems

  • IP spoofing
    3 computers: A, B, C
    C sends a packet to A, making A believe that the packet comes from B
    How to do it? Easy: set the source IP address of the IP header to the IP address of B
    This can be done easily using raw IP packets: you can make IP packets on your own, so you can also set the source IP address to any value you want

  • Spoofed scanning in theory
    By constantly polling a decoy host for ID number increments we can see if the scanned target host has sent it SYN/ACK or reset packets
    By analyzing this we will know whether a port on the scanned host is open or not
    This is done totally blind from the scanned host

  • Spoofed scanning in theory
    Since we know a machine will increase the ID# by sending a packet, we can constantly probe the host to see how many packets it has sent between our polls
    This is done by monitoring the ID# increment

  • Spoofed scanning in theory
    If a port is open on the scanned host, the server will respond with a SYN/ACK
    If a port is closed on the scanned host, it will respond wit