Sniffing and Spoofing

Spoofing

Fraudulent authentication of one machine as another:

ARP spoofing
IP spoofing
DNS spoofing
Web spoofing

ARP spoofing

Address Resolution Protocol (ARP): maps an IP address to a hardware (Ethernet) address.

To resolve an address, a host sends an ARP packet asking "who has this IP address, and what is your hardware address?"

ARP cache: table of recent responses.

ARP spoofing:
1. Assume IP address "a" of a trusted host.
2. Respond to ARP packets for address "a".
3. Send a false hardware address (i.e. the fraud's address).
4. Solution: make the ARP cache static (manual updates!?!).

ARP Message Formats

ARP packets provide the mapping between hardware-layer and protocol-layer addresses.

28-byte header for an IPv4 Ethernet network: 8 bytes of ARP data and 20 bytes of Ethernet/IP address data.

6 ARP messages: ARP request and reply, ARP reverse request and reply, ARP inverse request and reply.

ARP Request Message

Source contains the initiating system's MAC address and IP address.

Destination contains the broadcast MAC address ff:ff:ff:ff:ff:ff.


ARP Reply Message

Source contains replying system’s MAC address and IP address

Destination contains requestor’s MAC address and IP address

Types of Attack

Sniffing attacks
Session hijacking / MiM
Denial of service

Sniffing on a Hub

[Figure: Sniffer, Source and Destination stations attached to a hub]

Switch Sniffing

Normal switched networks:
Switches relay traffic between two stations based on MAC addresses.
Stations only see broadcast or multicast traffic.

Compromised switched networks:
Attacker spoofs destination and source addresses.
Forces all traffic between two stations through its system.

Unsolicited ARP Reply

Any system can spoof a reply to an ARP request.

The receiving system will cache the reply: it overwrites an existing entry, or adds an entry if one does not exist.

Usually called ARP poisoning.

Host to Host Exploit

[Figure: Client (C), Server (S) and Hostile host. C sends a Broadcast ARP Request; S sends the Real ARP Reply; the Hostile host sends a Spoofed ARP Reply to C and a Spoofed ARP Reply to S]

Host to Router Exploit

[Figure: Client (C), Gateway Router (R) and Hostile host. C sends a Broadcast ARP Request; R sends the Real ARP Reply; the Hostile host sends a Spoofed ARP Reply to C and a Spoofed ARP Reply to R]

Relay Configuration

[Figure: Alice (0:c:3b:9:4d:8, 10.1.1.7), Bob (0:c:3b:1c:2f:1b, 10.1.1.2) and the Attacker (0:c:3b:1a:7c:ef, 10.1.1.10). Poisoned ARP entries: 10.1.1.7 -> 0:c:3b:1a:7c:ef and 10.1.1.2 -> 0:c:3b:1a:7c:ef, both resolving to the attacker's MAC]

Relay Configuration (cont.)

[Figure: Sniffer, Source and Destination stations attached to a switch]

Session Hijacking/MiM

Natural extension of the sniffing capability.

"Easier" than standard hijacking: no need to deal with duplicate/unsynchronised packets arriving at destination and source.

Avoids packet storms.

Denial of Service

Spoofing the destination MAC address of a connection will prevent the intended source from receiving/accepting it.

Benefits:
No protocol limitation.
Eliminates synchronization issues.

Examples:
UDP DoS.
TCP connection killing instead of using RSTs.

DoS MAC Entries

[Figure: Alice (0:c:3b:9:4d:8, 10.1.1.7), Bob (0:c:3b:1c:2f:1b, 10.1.1.2) and the Attacker (0:c:3b:1a:7c:ef, 10.1.1.10). Poisoned entry: 10.1.1.7 -> a:b:c:1:2:3, while 10.1.1.2 -> 0:c:3b:1c:2f:1b is unchanged]


Denial of Service Examples

ARP Attack on Web Surfing

Web surfers require the gateway router to reach the Internet.

Method:
Identify the surfer's MAC address.
Change their cached gateway MAC address (or DNS MAC address if local) to "something else".

ARP Attack on Network-based IDS

Poorly constructed (single-homed) IDS network systems relay auditing data/alerts to management/admin consoles.

Method:
Identify the local IDS network engine.
Modify the gateway MAC address.
Modify the console/management station address.

Switch Attacks

Certain attacks may overflow a switch's ARP tables.

Method: a MAC address is composed of six bytes, which is equivalent to 2^48 possible addresses. See how many randomly generated ARP replies or ARP requests it takes before the switch "fails".

Switch Attacks (cont.)

Switches may:
Fail open: the switch actually becomes a hub.
Fail: no traffic passes through the switch, requiring a hard or soft reboot.

Network "Bombs"

"Hidden" application installed on a compromised system.

Method:
Passively or actively collects ARP entries.
Attacker specifies a timeout or future time.
Application transmits false ARP entries to its list.

Vulnerable Systems

Windows 95
Windows 98
Windows NT
Windows 2000
AIX 4.3
HP 10.2
Linux RedHat 7.0
FreeBSD 4.2
Cisco IOS 11.1
Netgear

Not Vulnerable

Sun Solaris 2.8: appears to resist cache poisoning.


Countermeasures

Firewalls

Most "personal" firewalls are not capable of defending against or correctly identifying attacks below the IP level.

UNIX: ipfw, ipf (IP Filter).
Windows environments: Network Ice/Black Ice©.

Session Encryption

Examples: establishing VPNs between networks or systems; using application-level encryption.

Effects: protects against disclosure attacks; will not protect against DoS attacks.

Strong Authentication

Examples: one-time passwords; certificates.

Effects: none on disclosure attacks; none on DoS attacks.

Port Security

Cisco switches: set port security ?/? enable <MAC address>

Restricts source MAC addresses: hard-coded ones and "learned" ones.

Ability to set timeouts.
Ability to generate traps.
Ability to "shutdown" a violating port.

Port Security (cont.)

Issues: only restricts source MAC addresses; will not prevent ARP relay attacks; will only prevent ARP source spoofing attacks.

Hard Coding Addresses

Example: individual systems can hard code the corresponding MAC address of another system/address.

Issues: management nightmare; not scalable; not supported by some OS vendors.

Hard Coding Results

Operating System    Results
Windows 95          FAIL
Windows 98          FAIL
Windows NT          FAIL
Windows 2000        FAIL
Linux RedHat 7.0    YES
FreeBSD 4.2         YES
Solaris 2.8         YES

Countermeasure Summary

[Table: countermeasures (Firewalls, Session Encryption, Strong Authentication, Port Security, Hard Coding) versus attack types (Sniffing, Session Hijacking, Denial of Service)]


Detection

IDS Architecture Issues

[Figure: Monitored Network containing a Hostile System and a Critical Server, with a Network Monitor and a Management Console]

OS Level Detection

Operating System    Detection
Windows 95          NO
Windows 98          NO
Windows NT          NO
Windows 2000        NO
Linux RedHat 7.0    NO
FreeBSD 4.2         YES

Hypothetical Detection Application

Purpose:
Track and maintain ARP/IP pairings.
Identify non-standard ARP replies versus acceptable ones.
Timeout issues.
The OS must withstand corruption itself.
Fix broken ARP entries of systems: transmission of correct ARP replies.
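A small monitor along the lines of the detection application sketched above, combined with a parser for the 28-byte ARP message format described earlier; this is an added example, not code from the slides or from arpwatch. It tracks IP/MAC pairings, treats a reply as acceptable only when a matching request was seen, and flags replies that overwrite an existing entry. The frames it processes are constructed from the addresses in the Relay Configuration slide.

```python
import struct

ARP_OPCODES = {1: "request", 2: "reply", 3: "rarp-request", 4: "rarp-reply",
               8: "inarp-request", 9: "inarp-reply"}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))

def parse_arp(payload):
    """Parse the 28-byte ARP packet used on IPv4 Ethernet (RFC 826):
    8 bytes of ARP data (hardware/protocol type, address lengths, opcode)
    followed by 20 bytes of sender/target hardware and protocol addresses."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": ARP_OPCODES.get(oper, oper),
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

def build_arp(oper, sha, spa, tha, tpa):
    """Build an ARP packet (used here only to construct the sample frames)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))

class ArpMonitor:
    """Pairing table in the spirit of arpwatch: remembers which MAC answered
    for each IP and which requests are outstanding, so that each reply can be
    classified as solicited (acceptable) or unsolicited (suspect)."""

    def __init__(self):
        self.table = {}     # ip -> mac last seen for it
        self.pending = {}   # ip being asked for -> set of requesting ips
        self.alerts = []

    def observe(self, payload):
        p = parse_arp(payload)
        if p["op"] == "request":
            self.pending.setdefault(p["tpa"], set()).add(p["spa"])
            self._learn(p["spa"], p["sha"])
        elif p["op"] == "reply":
            asked = self.pending.get(p["spa"], set())
            if p["tpa"] in asked:
                asked.discard(p["tpa"])
            else:
                # Nobody asked: the 'Unsolicited ARP Reply' (poisoning) case.
                self.alerts.append(("unsolicited reply", p["spa"], p["sha"]))
            self._learn(p["spa"], p["sha"])
        return p

    def _learn(self, ip_addr, mac_addr):
        old = self.table.get(ip_addr)
        if old is not None and old != mac_addr:
            # A legitimate NIC swap looks the same; the aging/timeout policy
            # decides how long the old pairing is still treated as authoritative.
            self.alerts.append(("changed mapping", ip_addr, old, mac_addr))
        self.table[ip_addr] = mac_addr

# Addresses from the Relay Configuration slide.
ALICE = ("0:c:3b:9:4d:8", "10.1.1.7")
BOB = ("0:c:3b:1c:2f:1b", "10.1.1.2")
ATTACKER_MAC = "0:c:3b:1a:7c:ef"

def run_scenario():
    """Constructed frames: Alice asks for Bob, Bob answers, then the attacker
    sends an unsolicited reply claiming Bob's address.  Returns table, alerts."""
    mon = ArpMonitor()
    mon.observe(build_arp(1, ALICE[0], ALICE[1], "0:0:0:0:0:0", BOB[1]))
    mon.observe(build_arp(2, BOB[0], BOB[1], ALICE[0], ALICE[1]))
    mon.observe(build_arp(2, ATTACKER_MAC, BOB[1], ALICE[0], ALICE[1]))
    return mon.table, mon.alerts
```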

Public Domain Tools

Manipulation: Dsniff 2.3, Hunt 1.5, and a growing number of others.
Local monitoring: Arpwatch 1.11.

Demo Environment

[Figure: Cisco switch and an 802.11b segment with hosts 172.16.10.133 (Win2k), 172.16.10.25 (FreeBSD 4.2), 172.16.10.30 (Linux Redhat) and 172.16.10.40 (FreeBSD/Win2k)]

Demonstration Tools

rfarp 1.1: provides ARP relay capability and packet dump for two selected stations; corrects MAC entries upon exiting.

farp 1.1b: passive and active collection of ARP messages; DoS attacks on single hosts; DoS attacks on the entire collection; arbitrary and manual input of spoofed MAC addresses.

Bibliography

Finlayson, Mann, Mogul, Theimer, RFC 903, "A Reverse Address Resolution Protocol," June 1984.

Kra, Hunt 1.5, http://www.gncz.cz/kra/index.html, Copyright 2000.

Lawrence Berkeley National Laboratory, Network Research Group, Arpwatch 1.11, ftp://ftp.ee.lbl.gov/arpwatch.tar.Z, Copyright 1996.

Plummer, David C., RFC 826, "An Ethernet Address Resolution Protocol," November 1982.

Russell, Ryan and Cunningham, Stace, "Hack Proofing Your Network," Syngress Publishing Inc, Copyright 2000.

Song, Dug, Dsniff 2.3, http://www.monkey.org/~dugsong/, Copyright 2000.


IP Spoofing

Definitions

An open connection between two computers communicating by TCP/IP is called a socket and is defined by:

Source IP number
Source port number
Destination IP number
Destination port number
Initial source SEQ number
Initial destination SEQ number
An ID # that is increased for each packet

TCP packet header

16-bit source port number | 16-bit destination port number
32-bit sequence number
32-bit acknowledgement number
header length | unused | flags | 16-bit window size
16-bit TCP checksum | 16-bit urgent offset
Options (if any)
Data (if any)

Traditional TCP/IP handshake

Step 1, attacker -> target: SYN
Src IP, Dst IP
Src port, Dst port
Syn = initial seq#
Ack = NULL
Flags = S
Src ID = Src ID + 1

Step 2, target -> attacker: SYN/ACK
Src IP, Dst IP
Src port, Dst port
Syn = Dst seq#
Ack = Src seq# + 1
Flags = S+A
Dst ID = Dst ID + 1

Step 3, attacker -> target: ACK
Src IP, Dst IP
Src port, Dst port
Syn = Src seq#
Ack = Dst seq# + 1
Flags = A
Src ID = Src ID + 1

Establishing a socket

A -> B: SYN (seqa)
B -> A: SYN/ACK (seqb, ack = seqa+1)
A -> B: ACK (ack = seqb+1)

Traditional port scanning

attacker -> target: SYN
target -> attacker: SYN/ACK
attacker -> target: ACK

Traditional stealth scanning 1

attacker -> target: SYN
target -> attacker: SYN/ACK
(no ACK is sent)

Traditional stealth scanning 2

attacker -> target: SYN
target -> attacker: SYN/ACK
attacker -> target: RST

Sequence numbers

In place to provide easy packet reassembly.
Incremented each time a packet is sent.
Various incrementation schemes exist.

ID flag

In place to identify each TCP session.
Also used in some cases for packet reassembly.
The ID counter is increased every time a packet is sent.
This is valid for all packets, including reset packets.

ID flag prediction

Most Unix boxes increment the ID by a random or pseudo-random number.

Up until today, ID numbers have not been known to be security critical.

Some Windows versions tend to increment the ID# by 1, while some seem to increment the ID# by 254. This is due to reversed byte ordering of the ID# in these operating systems.

IP spoofing

3 computers: A, B, C. C sends a packet to A, but makes A believe that the packet comes from B. How to do it?

Easy? Set the source IP address of the IP header to the IP address of B.

This can be done easily using "raw" IP packets: you can make IP packets on your own, so you can also set the source IP address to any value you want.

Spoofed scanning in theory

By constantly polling a decoy host for ID number increments we can see whether the scanned target host has sent it SYN/ACK or reset packets. By analyzing this we will know whether a port on the scanned host is open or not. This is done totally blind from the scanned host.

Since we know a machine will increase the ID# by sending a packet, we can, by constantly probing the host, see how many packets it has sent between our polls. This is done by monitoring the ID# increment.

If a port is open on the scanned host, the server will respond with a SYN/ACK. If a port is closed on the scanned host, it will respond with a RST.

If a host receives a SYN/ACK from an unknown source, it will send a RST packet back. If a host receives a RST packet from an unknown source, it will NOT send a packet back.

Internet security threats

IP Spoofing: an application can generate "raw" IP packets directly, putting any value into the IP source address field; the receiver can't tell if the source is spoofed. E.g.: C pretends to be B.

[Figure: hosts A, B and C; C sends a packet "src: B, dest: A, payload" to A]

Why IP spoofing?

IP address as an authentication method: it is not as safe as username/password authentication, but it is used in many cases. E.g. rlogin host.

Network of workstations: they have the same user database. The host detects the IP address of the client; if it is in the trusted list, login is granted without asking for username and password.

Consequence: the attacker can get access to all the information of the spoofed computer on the server.

How to do IP spoofing?

IP spoofing is a blind attack. Why? Where does the victim send the reply to?

It is extremely hard to carry out successful IP spoofing: you must create a successful TCP connection with the victim. How?

TCP Connection Establishment

Active participant (client) -> passive participant (server): SYN, SequenceNum = x
Server -> client: SYN + ACK, SequenceNum = y, Acknowledgment = x + 1
Client -> server: ACK, Acknowledgment = y + 1

Spoofing TCP connection

A SYN request is sent by C to A; C is impersonating B.

A will reply to B (not C) by sending a SYN/ACK packet.
Case 1: B receives the SYN/ACK and gets confused. It replies with a NACK; spoofing fails.
Case 2: B doesn't reply to A (hopefully).

C sends ACK to A: C has to guess the SYN SEQ# that A sent to B and reply with SEQ#+1. Hard but possible.

TCP SYN attack

In Berkeley implementations, the ISN is incremented by a constant amount (64000) once per 0.5 second, and each time a connection is initiated.

It is not hopeless to guess the next ISN to be used by a server.

An attacker can impersonate a trusted host (e.g., in the case of r commands, authentication is based on the source IP address solely).

attacker -> server: SYN = ISN_X, SRC_IP = T
server -> trusted host (T): SYN = ISN_S, ACK(ISN_X)
attacker -> server: ACK(ISN_S), SRC_IP = T
attacker -> server: SRC_IP = T, nasty_data
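The predictability claim above (and the ID# increments on the ID flag prediction slide) can be checked from the defender's side by sampling a host's own generator over a few connections; this is an added example, not code from the slides. It takes a series of (time, value) samples, decides whether the increments are constant, time-plus-per-connection (the Berkeley ISN pattern) or unstructured, and predicts the next value where prediction is possible. The sample series are constructed.

```python
SEQ_MOD = 1 << 32   # TCP sequence numbers are 32-bit
ID_MOD = 1 << 16    # IP ID values are 16-bit

def deltas(values, mod):
    """Increment between consecutive samples, taking wrap-around into account."""
    return [(b - a) % mod for a, b in zip(values, values[1:])]

def classify(samples, mod=SEQ_MOD, tolerance=0.02):
    """samples: list of (seconds, value) read from successive connections.
    Returns (kind, params):
      'constant'   same increment on every connection (e.g. IP ID + 1)
      'time-based' increment = rate * elapsed + fixed step per connection,
                   the Berkeley ISN scheme (64000 per 0.5 s plus 64000 per
                   connection, i.e. rate 128000/s and step 64000)
      'random'     no usable structure found"""
    times = [t for t, _ in samples]
    vals = [v for _, v in samples]
    d = deltas(vals, mod)
    dt = [b - a for a, b in zip(times, times[1:])]
    if len(d) < 2:
        raise ValueError("need at least three samples")
    if len(set(d)) == 1:
        return "constant", {"step": d[0]}
    # Solve d = rate*dt + step from two intervals of different length, then
    # insist that the fit holds (within tolerance) on every interval.
    for i in range(len(d)):
        for j in range(i + 1, len(d)):
            if dt[i] == dt[j]:
                continue
            rate = (d[i] - d[j]) / (dt[i] - dt[j])
            step = d[i] - rate * dt[i]
            if all(abs(rate * dt[k] + step - d[k]) <= tolerance * max(d[k], 1)
                   for k in range(len(d))):
                return "time-based", {"rate_per_second": rate, "step": step}
    return "random", {}

def predict_next(kind, params, last_sample, t_next, mod=SEQ_MOD):
    """Value expected on the next connection at time t_next, or None when the
    generator gave no structure to extrapolate from."""
    t_last, v_last = last_sample
    if kind == "constant":
        return (v_last + params["step"]) % mod
    if kind == "time-based":
        inc = params["rate_per_second"] * (t_next - t_last) + params["step"]
        return (v_last + round(inc)) % mod
    return None

# Constructed sample series: (seconds since the first probe, observed value).
BERKELEY_ISN = [(0.0, 1000), (1.0, 193000), (1.5, 321000), (3.0, 577000)]
SEQUENTIAL_IPID = [(0.0, 4000), (1.0, 4001), (2.5, 4002), (3.0, 4003)]
RANDOM_ISN = [(0.0, 0x1a2b3c4d), (1.0, 0x9f00e411), (2.5, 0x03c8a1be), (3.0, 0x7b55d0c2)]

def assess(samples, mod=SEQ_MOD, t_next=None):
    """Classification plus the predicted next value, as one report line."""
    kind, params = classify(samples, mod)
    t_next = samples[-1][0] + 1.0 if t_next is None else t_next
    return kind, params, predict_next(kind, params, samples[-1], t_next, mod)
```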

Steps of IP spoofing attack

Detecting the trusted system: C wants to access A and finds that A trusts B.

Blocking the trusted system (B): to keep it from responding to the SYN request from A. How? DoS attack on B.

Guessing the SEQ# of B: must know how TCP generates SEQ#. Try to connect to open ports of B right before the attack and check the SEQ#. Predict the next SEQ# according to the TCP algorithm, given the last SEQ# and elapsed time.

Making the TCP connection.

Doing damage.

Counter Measures

Avoid using IP as an authentication method: username/password is better.

Install a firewall: the trusted IP is usually on the same network and a spoofed IP comes from the outside network, so the firewall prevents IP packets from outside the network, especially those with a source IP inside the network.

Also the attacker's firewall should prevent packets with a source IP different from the internal network.

IPsec: secure IP using encryption.
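The two firewall rules just listed (drop outside packets claiming an inside source, and drop outbound packets with a foreign source) as a packet-filter decision function, placed next to the address-based login the rlogin slides criticise; this is an added example, not code from the slides. The site prefix 10.1.1.0/24, the trusted host B at 10.1.1.2 and the packets are constructed.

```python
import ipaddress

# Constructed example site: server A and trusted host B live in 10.1.1.0/24;
# C is an outside machine at 192.0.2.66 that tries to pass as B.
INSIDE_NETS = [ipaddress.ip_network("10.1.1.0/24")]
TRUSTED_HOSTS = {"10.1.1.2"}      # B, trusted by A on its address alone

def is_inside(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INSIDE_NETS)

def border_filter(iface, src):
    """Anti-spoofing decision at the site border.
    iface 'outside': packet arriving from the Internet; it must not claim an
                     inside source (the slide's 'source IP inside network').
    iface 'inside':  packet leaving the site; it must carry an inside source,
                     so this site cannot be used to spoof others."""
    if iface == "outside" and is_inside(src):
        return "drop"
    if iface == "inside" and not is_inside(src):
        return "drop"
    return "accept"

def address_based_login(src):
    """The r-command model the slides warn about: trust decided by source IP."""
    return "granted" if src in TRUSTED_HOSTS else "refused"

def login_outcome(packet, border_filtering=True):
    """What happens to one inbound login attempt, with or without the filter."""
    if border_filtering and border_filter(packet["iface"], packet["src"]) == "drop":
        return "dropped at border"
    return address_based_login(packet["src"])

# Constructed packets as seen by the border router.
INBOUND = [
    {"iface": "outside", "src": "10.1.1.2",   "dst": "10.1.1.7"},   # C spoofing B
    {"iface": "outside", "src": "192.0.2.66", "dst": "10.1.1.7"},   # C as itself
]
OUTBOUND = [
    {"iface": "inside", "src": "10.1.1.9",     "dst": "203.0.113.5"},  # normal
    {"iface": "inside", "src": "198.51.100.3", "dst": "203.0.113.5"},  # spoofing out
]

def audit(packets):
    """Filter verdict for each packet, in order."""
    return [border_filter(p["iface"], p["src"]) for p in packets]
```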

SYN Floods

Simple to execute.
Send many SYNs to the target host in quick succession with spoofed IPs.
The target allocates a buffer in kernel space, which stays allocated until timeout.

Reconnaissance with Spoofed IPs

3 basic recon methods:
Spoofed IPs as misinformation
Port scanning by IP seq number observation
Port scanning by indirect observation

Spoofed IP Addresses As Background Noise

An attacker can use spoofed IP addresses to create suspicious traffic that cannot easily be tracked down to the actual attacker. The intent here is not to leverage data from the actual spoofed packets, but to allow the attacker's real activity, or identity, to be hidden among the false packets.

Nmap, perhaps the most common network scanner at the moment, allows the use of numerous 'decoy' addresses. Using the -D option in Nmap, such as nmap -O -D 10.1.1.1,10.1.1.2,actual.attacker.ip.address,10.1.1.3 10.2.2.1, will allow an attacker to determine the operating system of the host at 10.2.2.1 while making it appear that the system is being scanned by four simultaneous hosts, only one of which (the 3rd sequentially) is the attacker.

Spoofed IPs as Background Noise

Scan from 100 random used IPs and your own.
All must be checked to determine the actual scanner.
Ex: the -D option in nmap.

Indirect Reconnaissance of a Target

1) Hosts reply SYN|ACK to a SYN if the TCP target port is open, and reply RST|ACK if the TCP target port is closed.
2) You can know the number of packets that hosts are sending using the ID field of the IP header.
3) Hosts reply RST to a SYN|ACK, and reply nothing to a RST.

The significance of this is that due to predictable IP IDs, it is possible to remotely determine if a particular host is sending traffic to a third party. Using another of the described tendencies, it is also possible to predict how a host will react to a port scan. If a host is listening on a port, a probe (SYN) to that port will result in a SYN/ACK.

[Figure: Indirect Reconnaissance of a Target]

IP Sequence Number Observation

[Figure, three steps: Step 1, A sends an echo to Z and gets a response. Step 2, A sends T a spoofed SYN from Z; T's answer to Z is unknown traffic. Step 3, A sends an echo to Z and gets a response.]

[Figure: Indirect Reconnaissance of a Target]

Introducing our players

[Figure: attacker (10.0.0.1, 3vil.org), target (192.0.0.1, www.anycompany.com:80) and spoof host (172.0.0.1, unknowing.com)]

Why do we need three of them?

Phase one (sync the id# of spoof)

attacker (3vil.org) -> spoof host (unknowing.com): Syn:80
spoof host -> attacker: Syn/ack

Why did we do that?

The attacker now knows the spoof host's initial ID#.

Phase 2 (spoofing the source)

attacker -> target: Syn, src = 172.0.0.1, dst = 192.0.0.1

Phase 3 (fooling the response)

target -> spoof host: Syn/Ack, src = 192.0.0.1, dst = 172.0.0.1
spoof host -> target: Rst, src = 172.0.0.1, dst = 192.0.0.1

Phase 4 (probing the spoof host)

attacker -> spoof host: Syn:80
spoof host -> attacker: Syn/ack

Case port open: adding the ID counters

Phase one (sync the id# of spoof)
attacker -> spoof host: Syn:80 (spoof host ID = 0)
spoof host -> attacker: Syn/ack (spoof host ID = 1)

Phase 2 (spoofing the source)
attacker -> target: Syn, src = 172.0.0.1, dst = 192.0.0.1 (spoof host ID = 1)

Phase 3 (fooling the response)
target -> spoof host: Syn/Ack, src = 192.0.0.1, dst = 172.0.0.1 (spoof host ID = 1)
spoof host -> target: Rst, src = 172.0.0.1, dst = 192.0.0.1 (spoof host ID = 2)

Phase 4 (probing the spoof host)
attacker -> spoof host: Syn:80 (spoof host ID = 2)
spoof host -> attacker: Syn/ack (spoof host ID = 3)

Page 96:

Case port closed

Adding the ID counters

Page 97:

Phase one (sync the id# of spoof)

[Diagram: target unknowing.com (192.0.0.1), attacker 3vil.org (10.0.0.1), spoof host 172.0.0.1. The attacker sends Syn:80 to the spoof host. Spoof host ID = 0.]

Page 98:

Phase one (sync the id# of spoof)

[Diagram: the spoof host answers the attacker with Syn/ack. Spoof host ID = 1.]

Page 99:

Phase 2 (spoofing the source)

[Diagram: the attacker sends the target a Syn with src = 172.0.0.1, Dst = 192.0.0.1. Spoof host ID = 1.]

Page 100:

Phase 3 (fooling the response)

[Diagram: the port is closed, so the target answers the spoof host with Rst src = 192.0.0.1, Dst = 172.0.0.1. The spoof host sends nothing in reply. Spoof host ID = 1.]

Page 101:

Phase 4 (probing the spoof host)

[Diagram: the attacker sends Syn:80 to the spoof host again. Spoof host ID = 1.]

Page 102:

Phase 4 (probing the spoof host)

[Diagram: the spoof host answers Syn/ack. Spoof host ID = 2: only one increment since phase one, the probe reply itself.]

Page 103:

The basic technique and its flaws

If the polled host is active it will increase the id# for each connection of its own. This will result in false positives. These false positives can be minimized by sending multiple packets for each port and then calculating the increase. The port will only show up as open if the increase is > (#packets_sent*255)/2

Page 104:

Phase 2 (spoofing the source)

[Diagram: target 192.0.0.1, attacker 10.0.0.1, spoof host 172.0.0.1. The attacker sends (Syn src = 172.0.0.1 Dst = 192.0.0.1) * 20, i.e. twenty spoofed Syns for the same port. Spoof host ID = 1.]

Page 105:

Phase 3 (fooling the response)

[Diagram: the target answers each one: Syn/Ack src = 192.0.0.1, Dst = 172.0.0.1. The spoof host answers every Syn/Ack with a Rst. Spoof host ID = 1+20.]

Page 106:

Summary

By constantly polling a decoy host for id number increments we can see if the scanned target host has sent it syn/ack or reset packets.

By analysing this we will know whether a port on the scanned host is open or not.

This is done totally blind from the scanned host.
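The counter arithmetic of phases 1 to 4, the false positives of page 103 and the multi-packet variant of pages 104-105 can be modelled without sending anything. The following is an added example, not code from the slides: it simulates the decoy ("spoof") host's IP ID counter, classifies a port from the observed increase, and shows the two things a defender cares about, that a decoy host with its own traffic produces false positives and that a host which randomises its IP ID per datagram leaks nothing and cannot be used as a decoy at all. The `DecoyHost` class, its `background_per_probe` and `randomise` parameters, and the decision rule "increase greater than half the packets sent" are assumptions of this example (the slide states its own threshold expression; the rule here is only chosen so that the slide's 20-packet case classifies as open).

```python
"""Model of the IP ID counter the blind scan polls on the decoy ("spoof") host.

Added example, not from the slides; it sends no packets.
"""
import random
from dataclasses import dataclass, field


@dataclass
class DecoyHost:
    """The polled host (172.0.0.1 on the slides).

    Its IP ID counter goes up by one for every datagram it sends.  Constructed
    parameters: background_per_probe models a busy host sending traffic of its
    own between the attacker's two probes; randomise models the mitigation of
    choosing a random IP ID for every datagram.
    """
    ip_id: int = 0
    background_per_probe: int = 0
    randomise: bool = False
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def send(self) -> int:
        """Send one datagram and return the IP ID it carried."""
        if self.randomise:
            self.ip_id = self.rng.randrange(1 << 16)
        else:
            self.ip_id = (self.ip_id + 1) & 0xFFFF
        return self.ip_id

    def answer_probe(self) -> int:
        """Phases 1 and 4: a Syn:80 from the attacker is answered with Syn/ack."""
        for _ in range(self.background_per_probe):
            self.send()
        return self.send()

    def receive_from_target(self, flags: str) -> None:
        """Phase 3: the target's reply to the Syn sent in the decoy's name."""
        if flags == "Syn/Ack":
            self.send()  # unsolicited Syn/Ack: the decoy answers Rst, counter +1
        # "Rst": a reset is silently dropped and the counter does not move


def observed_increase(decoy: DecoyHost, port_open: bool, packets_sent: int = 1) -> int:
    """One port's worth of the scan against the model.

    Returns the counter increase beyond the probe reply itself, the "increase"
    page 103 talks about.
    """
    before = decoy.answer_probe()
    for _ in range(packets_sent):
        decoy.receive_from_target("Syn/Ack" if port_open else "Rst")
    after = decoy.answer_probe()
    return (after - before - 1) & 0xFFFF  # -1 for the phase 4 reply


def classify(increase: int, packets_sent: int) -> str:
    """Decision rule assumed by this example: open when the increase exceeds
    half of the packets sent for that port."""
    return "open" if increase > packets_sent / 2 else "closed"


def ip_id_is_predictable(decoy: DecoyHost, samples: int = 5) -> bool:
    """The property a decoy must have: consecutive probes return consecutive IDs.

    A busy host fails it (its own traffic moves the counter) and so does a host
    that randomises its IP ID, which is the mitigation: such a host reveals
    nothing about packets other hosts send it.
    """
    ids = [decoy.answer_probe() for _ in range(samples)]
    return all(((b - a) & 0xFFFF) == 1 for a, b in zip(ids, ids[1:]))


if __name__ == "__main__":
    for label, decoy in [("idle", DecoyHost()),
                         ("busy", DecoyHost(background_per_probe=5)),
                         ("randomised", DecoyHost(randomise=True))]:
        print(label, "usable as decoy:", ip_id_is_predictable(decoy))
    print("idle decoy, closed port, 1 packet:", classify(observed_increase(DecoyHost(), False), 1))
    print("busy decoy, closed port, 1 packet:",
          classify(observed_increase(DecoyHost(background_per_probe=5), False), 1))
    print("busy decoy, closed port, 20 packets:",
          classify(observed_increase(DecoyHost(background_per_probe=5), False, 20), 20))
```

With an idle decoy the model reproduces the slides exactly (ID 3 after an open port, ID 2 after a closed one, 1+20 after twenty spoofed Syns). With a decoy that sends five datagrams of its own between probes, a single-packet scan reports every closed port as open, and twenty packets per port are needed before the rule separates the two cases; with randomised IP IDs no number of packets helps.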

Page 107:

DoS/DDoS

DoS attacks are as old as the Internet itself. In the year 2000 a completely new quality of DoS attack started (DDoS). DDoS struck a huge number of prominent web sites including Yahoo, Ebay, Amazon and Buy.com.

DDoS Concepts: Distributing the attack across several hosts. Coordinating the attack among many machines. Using the distribution system to thwart all attempts at discovering the origin of the attack.

Page 108:

DoS/DDoS Flood Attack Methods

Smurf Attack, TCP SYN Attack, UDP Attack, TCP Attack, ICMP Attack

Page 109:

DoS/DDoS TCP SYN Attack

Exploits the three-way handshake

Figure 1. Three-way Handshake
[S -> D: SYN x (D is in LISTEN). D -> S: SYN y, ACK x+1 (D moves to SYN_RECEIVED). S -> D: ACK y+1 (CONNECTED).]

Figure 2. SYN Flooding Attack
[S, a nonexistent (spoofed) source, sends SYN, SYN, SYN, ... to D (LISTEN). D answers each with SYN+ACK and stays in SYN_RECEIVED, because the final ACK never arrives from a source that does not exist.]

Page 110:

"Smurf"

[Diagram: Perpetrator -> Internet -> Victim. ICMP echo (spoofed source address of victim) sent to an IP broadcast address; the ICMP echo replies go to the victim.]
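Both flood patterns of pages 109 and 110 leave a recognisable trace on the wire: SYNs whose handshake never completes, and ICMP echo requests addressed to a broadcast address. The following is an added example, not from the slides, that runs two detections over a constructed packet trace: listeners with more half-open connections than a threshold (SYN flood), and echo requests to directed-broadcast addresses grouped by the claimed source, which in a Smurf is the victim rather than the sender. The `Pkt` record, the trace, the `broadcast_addrs` set and the threshold of five are all assumptions of the example; addresses come from the RFC 5737 documentation ranges.

```python
"""Detecting SYN flood and Smurf traffic in a packet trace.

Added example, not from the slides.  The trace below is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float       # seconds since start of capture
    proto: str     # "tcp" or "icmp"
    src: str
    dst: str
    info: str      # tcp flags ("S", "SA", "A", "R") or icmp type ("echo-request", ...)
    dport: int = 0


def half_open_connections(packets):
    """Connections left in SYN_RECEIVED: a client SYN with no later ACK or RST
    from the same client for the same listener.  Returns {(src, dst, dport): t_syn}."""
    pending = {}
    for p in packets:
        if p.proto != "tcp":
            continue
        key = (p.src, p.dst, p.dport)
        if p.info == "S":
            pending.setdefault(key, p.t)
        elif p.info in ("A", "R"):
            pending.pop(key, None)
    return pending


def detect_syn_flood(packets, threshold=5):
    """Listeners (dst, dport) holding more than `threshold` half-open connections.

    Spoofed, nonexistent sources never send the handshake's third ACK, so their
    SYNs accumulate; a normal client's SYN disappears once its ACK arrives.
    """
    counts = Counter((dst, dport) for (_, dst, dport) in half_open_connections(packets))
    return {listener: n for listener, n in counts.items() if n > threshold}


def detect_smurf(packets, broadcast_addrs):
    """ICMP echo requests sent to a directed-broadcast address, counted by the
    source they claim.  That source is the victim: every host on the broadcast
    segment will answer it, not the perpetrator."""
    hits = Counter(p.src for p in packets
                   if p.proto == "icmp" and p.info == "echo-request"
                   and p.dst in broadcast_addrs)
    return dict(hits)


SERVER = "192.0.2.10"
BROADCAST_ADDRS = {"198.51.100.255"}   # constructed: broadcast of a /24 we monitor

TRACE = [
    # a normal handshake: the client's ACK completes it
    Pkt(0.0, "tcp", "198.51.100.7", SERVER, "S", 80),
    Pkt(0.1, "tcp", SERVER, "198.51.100.7", "SA", 51000),
    Pkt(0.2, "tcp", "198.51.100.7", SERVER, "A", 80),
] + [
    # eight SYNs from spoofed, nonexistent sources; the SYN+ACKs stay unanswered
    Pkt(1.0 + i / 10, "tcp", f"203.0.113.{i}", SERVER, "S", 80) for i in range(1, 9)
] + [
    # Smurf: echo requests carrying the server's address as source, sent to broadcast
    Pkt(2.0 + i / 10, "icmp", SERVER, "198.51.100.255", "echo-request") for i in range(3)
]


if __name__ == "__main__":
    print("SYN flood on listeners:", detect_syn_flood(TRACE))
    print("Smurf victims:", detect_smurf(TRACE, BROADCAST_ADDRS))
```

On the constructed trace the legitimate client's connection is not counted because its ACK removes it from the pending table, while the eight spoofed SYNs stay and trip the threshold for port 80; the three echo requests are attributed to 192.0.2.10 as the victim, which is also the address to protect (or to stop forwarding directed broadcasts for) rather than to block.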

Page 111:

DNS Spoofing

Someone else's domain name -> your computer

Possible damages:

Redirected email: email sent from A to B goes to C instead. C spoofed B's domain name.

Redirected web server: possible attack by exploiting a browser vulnerability.

Page 112:

How to do DNS spoofing? C: the attacker wants to spoof B. A communicates with B.

Method 1: Modify C's name server ns.C. Let it respond to "C=?" with "B=C.ip". This is replying with something that was not asked for. Send the DNS request "C=?" to ns.A; ns.A asks ns.C; ns.C replies "B=C.ip".

Method 2: C sends the DNS request "B=?" to ns.A, then C replies "B=C.ip" to ns.A. UDP makes it easier, but C still needs to guess the request ID.

Page 113:

Countermeasures

Paranoid DNS checking: the resolved IP address is sent to DNS for reverse resolution to get the hostname. Send the hostname to DNS again to get the IP address. If the two IP addresses match = OK.

Secure name server: DNSsec, digitally signed answers.
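The two methods of page 112 are defeated on the resolver side by two different checks, and the "paranoid DNS checking" of page 113 has a caveat worth seeing. The following is an added example, not from the slides: `accept_answers` accepts a reply only if its transaction ID, source address, destination port and question match the query still outstanding (the guess Method 2 must get right), and then keeps only records inside the zone the answering server was consulted for, so ns.C's unsolicited "B=C.ip" is dropped (Method 1). `paranoid_check` implements the slide's reverse-then-forward comparison and, with `strict=True`, additionally requires the reverse name to equal the hostname being checked. The `Query` and `Response` records, the dict lookup tables standing in for real DNS and all names and addresses are constructed assumptions of the example.

```python
"""Resolver-side checks against the two DNS spoofing methods, and the
"paranoid DNS checking" countermeasure with a stricter variant.

Added example, not from the slides.  Names, addresses and lookup tables are
constructed; no real DNS traffic is involved.
"""
from dataclasses import dataclass


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` lies inside `zone`, the zone the answering server is consulted for."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


@dataclass(frozen=True)
class Query:
    txid: int
    qname: str
    server: str      # address the query was sent to
    src_port: int    # the resolver's ephemeral source port
    zone: str        # zone the resolver consulted that server for


@dataclass(frozen=True)
class Response:
    txid: int
    qname: str
    from_addr: str
    dst_port: int
    answers: dict    # name -> ip, as carried in the reply


def accept_answers(q: Query, r: Response) -> dict:
    """Records the resolver may cache from `r`, or {} if the reply is rejected.

    Method 2 defence: the reply must carry the outstanding query's transaction
    ID and question, come from the server asked and hit the port used; a forged
    reply has to guess the ID (and the port) correctly.
    Method 1 defence: a record about B from the server for C's zone is out of
    bailiwick and is discarded, whatever the question was.
    """
    if (r.txid, r.from_addr, r.dst_port, r.qname.lower()) != \
            (q.txid, q.server, q.src_port, q.qname.lower()):
        return {}
    return {name: ip for name, ip in r.answers.items() if in_bailiwick(name, q.zone)}


def paranoid_check(hostname: str, ip: str, forward: dict, reverse: dict,
                   strict: bool = False) -> bool:
    """The slide's check: reverse-resolve `ip`, forward-resolve the result,
    and accept if the forward answer equals `ip`.

    strict=True also requires the reverse name to be `hostname` itself.  The
    IP-only comparison is satisfied by any address whose reverse and forward
    records simply agree with each other, which is the normal state of the
    attacker's own host; the name comparison is what catches that.
    """
    rname = reverse.get(ip)
    if rname is None:
        return False
    if strict and rname.lower() != hostname.lower():
        return False
    return forward.get(rname) == ip


# Constructed tables: b.example is the legitimate host, 203.0.113.9 is C's host,
# whose reverse record is maintained by its provider.
FORWARD = {"b.example": "198.51.100.5", "c.example": "203.0.113.9",
           "host9.isp.example": "203.0.113.9"}
REVERSE = {"198.51.100.5": "b.example", "203.0.113.9": "host9.isp.example"}

# Method 1: ns.C answers the question about C but appends a record about B.
Q_C = Query(txid=0x1234, qname="c.example", server="192.0.2.53", src_port=40001, zone="c.example")
R_C = Response(txid=0x1234, qname="c.example", from_addr="192.0.2.53", dst_port=40001,
               answers={"c.example": "203.0.113.9", "b.example": "203.0.113.9"})

# Method 2: a forged reply to "B=?" with a wrong guess of the transaction ID.
Q_B = Query(txid=0x1234, qname="b.example", server="192.0.2.53", src_port=40001, zone="b.example")
R_FORGED = Response(txid=0x1235, qname="b.example", from_addr="192.0.2.53", dst_port=40001,
                    answers={"b.example": "203.0.113.9"})


if __name__ == "__main__":
    print("method 1, cached:", accept_answers(Q_C, R_C))
    print("method 2, cached:", accept_answers(Q_B, R_FORGED))
    print("paranoid, spoofed ip:", paranoid_check("b.example", "203.0.113.9", FORWARD, REVERSE))
    print("strict, spoofed ip:", paranoid_check("b.example", "203.0.113.9", FORWARD, REVERSE, strict=True))
```

The interesting case is the last two lines: if a client was given 203.0.113.9 for b.example, the slide's IP-only rule passes it (reverse gives host9.isp.example, whose forward record is 203.0.113.9 again), while the strict variant rejects it because the reverse name is not b.example. DNSSEC removes the need for either heuristic by letting the resolver verify the signature on the answer itself.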

Page 114:

Web Spoofing

Web spoofing, phishing or carding uses spoofed emails and fraudulent websites that trick innocent users into divulging private information such as usernames and passwords, credit card numbers, social security numbers, etc.

Page 115:

A typical web spoofing attack

[Diagram slide; no text recovered.]

Page 116:

Web Spoofing

Web browsing goes through an intermediate attacker.

The attacker goes to the server, fetches the data and sends it back to the victim.

The attacker is able to monitor all traffic between the victim and the server, including forms, even secure connections! Lost privacy.

Hard for an ordinary victim to notice anything wrong.

Page 117:

How it works

Javascript and plug-ins redirect all web traffic to the attacker's machine, including the links on the pages.

Initiated by visiting a malicious website.

Page 118:

Countermeasures

Check the "lock" button for a secure connection. Check if it is indeed the website you are visiting.

Check the status bar: does it go somewhere strange?
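The status-bar check above can be made mechanical: a rewritten link, as page 117 describes, points at the attacker's host and usually carries the real site's URL inside its path, and it often drops the secure scheme. The following is an added example, not from the slides, that reports those three signs for a link on a page the user believes belongs to a given host. The `link_warnings` function and the hostnames are assumptions of the example; it inspects URLs only and makes no connection.

```python
"""Mechanical version of "check the status bar": why a link looks strange.

Added example, not from the slides.  Hostnames are constructed.
"""
from urllib.parse import unquote, urlsplit


def link_warnings(href: str, visiting_host: str) -> list:
    """Reasons a careful user would distrust `href` while visiting `visiting_host`.

    Returns an empty list for links that stay on the visited site over https
    (relative links included).  Three checks, in this order:
    1. the link's host is not the host being visited;
    2. the visited host's name appears inside the link's path or query, the
       shape of a link rewritten to pass through an intermediate attacker;
    3. the link is not an https link, so there will be no "lock" to check.
    """
    parts = urlsplit(href)
    expected = visiting_host.lower()
    host = (parts.hostname or "").lower()
    warnings = []
    if host and host != expected:
        warnings.append(f"goes to {host}, not {expected}")
    rest = unquote(parts.path + "?" + parts.query).lower()
    if expected in rest:
        warnings.append(f"{expected} appears inside the path: looks like a rewritten link")
    if parts.scheme and parts.scheme != "https":
        warnings.append("no secure connection")
    return warnings


if __name__ == "__main__":
    visiting = "bank.example"   # the site the user believes they are on
    for href in ["https://bank.example/login",
                 "/accounts",
                 "https://attacker.example/login",
                 "http://attacker.example/https://bank.example/login"]:
        print(href, "->", link_warnings(href, visiting) or "ok")
```

The last sample link is the classic shape of a spoofed page: every sign fires at once. The first check is the one the slide's "is it indeed the website you are visiting" maps to; the second catches the rewriting even when the attacker serves the page over https with a certificate for their own host, which is why the lock alone is not enough and the host name in the certificate has to be read.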