Page 1:

Sniffing, Spoofing, Hijacking

This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis.

I have edited and added material.

Dr. Stephen C. Hayne

Page 2:

Sniffing

- Targets the Data Link layer of the protocol stack
- Sniffer: gathers traffic off the network
- This data can include user IDs and passwords transmitted by telnet, DNS queries and responses, sensitive emails, FTP passwords, etc.
- Allows an attacker to read data passing a given machine in real time.
- Two types of sniffing: Active and Passive

Page 3:

Sniffing

Passive
- Attacker must have an account on the LAN
- Done over a hub
- Usually, once access is gained on one computer, the attacker uses the captured passwords to get into other computers

Active
- Attacker still needs an account
- Several different attacks:
  - Parsing Packets
  - Flooding
  - Spoofed ARP Messages
  - DNS Spoofing
  - HTTPS and SSH spoofing

Page 4:

Passive Sniffing

[Diagram: user1, user2, Server and Bad guy all connected to a HUB; the "BLAH" message is repeated out of every port]

- Message gets sent to all computers on the hub

Page 5:

Active Sniffing

[Diagram: user1, user2, Server and Bad guy connected to a Switch; the "BLAH" message reaches only its destination]

- Message gets sent only to the requesting computer, by looking at the MAC address

Page 6:

Dsniff

- Offers several ways around a switch
- Available for OpenBSD, Linux, Solaris, and there is a version for Windows
- Very popular and versatile
- In conjunction with sshmitm and webmitm, conducts all the above attacks

Page 7:

Wireshark

Much better than dsniff, for packet capture, IMHO

Page 8:

Flooding Switches

- The switch stores MAC addresses locally
- Dsniff keeps sending the switch bogus MAC addresses
- Eventually the switch's memory fills and it turns into a hub
- Then, just run any sniffer you want to get data from the network
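The fail-open behaviour this slide describes, and the fail-closed and port-security defences the later slides recommend, in a toy switch model (an added example, not code from the slides; the port numbers, table size and MAC names are constructed):

```python
from collections import OrderedDict


class Switch:
    """Toy switch: a bounded MAC (CAM) table plus optional port security."""

    def __init__(self, capacity, ports, fail_open=True, max_macs_per_port=None):
        self.capacity = capacity                    # CAM table size
        self.ports = set(ports)
        self.fail_open = fail_open                  # True: keep learning by evicting old entries
        self.max_macs_per_port = max_macs_per_port  # port-security limit (None = off)
        self.cam = OrderedDict()                    # mac -> port, oldest entry first
        self.disabled = set()                       # ports shut down by a security violation

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of ports the frame is sent out of (empty if dropped)."""
        if in_port in self.disabled:
            return set()
        self._learn(src_mac, in_port)
        if in_port in self.disabled:                # the violation just fired on this frame
            return set()
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        return self.ports - {in_port}               # unknown destination: flood like a hub

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)
            self.cam[mac] = port
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.disabled.add(port)             # violation action: shut the port
                return
        if len(self.cam) >= self.capacity:
            if not self.fail_open:
                return                              # fail closed: table is frozen, no leak
            self.cam.popitem(last=False)            # evict the oldest entry (user1/user2 go first)
        self.cam[mac] = port


def demo(fail_open=True, max_macs_per_port=None):
    """Flood bogus MACs from port 3, then see which ports user1's frame to user2 reaches."""
    sw = Switch(4, ports=[1, 2, 3], fail_open=fail_open, max_macs_per_port=max_macs_per_port)
    sw.forward("user1", "ff:ff:ff:ff:ff:ff", 1)     # user1 learned on port 1
    sw.forward("user2", "ff:ff:ff:ff:ff:ff", 2)     # user2 learned on port 2
    for i in range(100):                            # attacker on port 3 sends 100 bogus source MACs
        sw.forward(f"bogus-{i}", "user2", 3)
    return sw.forward("user1", "user2", 1)          # {2, 3}: the attacker's port gets a copy
```

With `fail_open=False` the frame stays unicast to port 2 (at the cost of never learning new hosts once full), and with `max_macs_per_port=1` the flooding port is shut down after its second source MAC.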

Page 9:

Spoofing ARP Messages

- Some switches are immune to MAC flooding
- ARP maps an IP address to a MAC address
- Attacker looks at the network topology to find the IP of the default router
- Then enables IP forwarding on their machine, so the machine forwards packets to the default router
- Attacker runs Dsniff and poisons the ARP table on the victim's computer, matching his MAC with the default router's IP
- Victim sends the data to the "default router"
- Attacker sniffs the data, then forwards the information to the real default router

Page 10:

ARP Flooding

[Diagram: user1 and Bad guy on a Switch that leads to the "scary place" (outside world)]

1) Fake ARP
2) Innocent Message
3) Sniffing
4) On its way

Page 11:

DNS Spoofing

- Similar to ARP Spoofing
- Instead of mapping a MAC to an IP, Dsniff maps the IP of an attacker's machine to a domain name the user is trying to access
- The new IP is a machine outside the network that is running a fake web page that mimics the actual web page
- The user may enter a username and password thinking that the site is legit

Page 12:

Man/Monkey In The Middle!

[Diagram: User <-> Attacker <-> target]

Page 13:

MITM - Getting around HTTPS and SSH

- Both HTTPS and SSH use encryption while talking to each other
- Sniffing the data would be useless
- HTTPS is based on certificates that are sent to the computers
- This certificate is digitally signed by a trusted Certification Authority
- Your browser verifies this signature to make sure the server is trusted
- An SSL connection is then established
- SSH doesn't use certificates but employs similar techniques

Page 14:

It sounds secure, right?

- The connection is secure, but Dsniff exploits what happens before the connection
- Attacker runs a DNS spoof along with webmitm. Webmitm proxies the connection:
  - establishes an HTTPS connection with the victim, sending the attacker's certificate to the user
  - establishes an HTTPS connection with the real server
- The victim gets an error message on the screen stating that the certificate is unrecognizable or not properly configured. The victim can then click continue to establish a connection.
- The victim then accesses the information they want, but the attacker sees everything that they type (HOWTO)

Page 15:

Anti-Sniffing

- Encrypt all crucial data that you are sending across a network
- Never telnet to firewalls, routers, sensitive servers, or Public Key Infrastructure
- If you get an error message from your SSH client or browser, investigate it
- If feasible, replace hubs with switches
- For very sensitive data, enable port-level security on your switches by configuring each switch port with the specific MAC of the computer using that switch port

Page 16:

Defenses against Dsniff

- Hardcode the MAC address of the gateway into servers
- Use a gateway switch that will not "fail-open" (protects against MAC flooding)
- Use ARPWATCH to monitor MAC address mismatches
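An arpwatch-style check for the MAC mismatches this slide mentions, replayed against the poisoning of the default router's ARP entry described on the "Spoofing ARP Messages" slide (added example, not the presentation's or arpwatch's own code; the IPs, MACs and the pinned gateway MAC are constructed sample values):

```python
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"
PINNED_GATEWAY_MAC = "00:11:22:33:44:01"   # the "hardcoded" gateway MAC (assumed value)

# Constructed ARP replies: (timestamp, sender IP, sender MAC), in arrival order.
ARP_REPLIES = [
    (1, "10.0.0.1", "00:11:22:33:44:01"),    # genuine default router
    (2, "10.0.0.20", "00:11:22:33:44:20"),   # user1
    (3, "10.0.0.21", "00:11:22:33:44:21"),   # user2
    (4, "10.0.0.1", "00:11:22:33:44:99"),    # a third MAC claims the router's IP
    (5, "10.0.0.20", "00:11:22:33:44:99"),   # ... and user1's IP as well (both directions)
    (6, "10.0.0.1", "00:11:22:33:44:99"),    # repeated to keep the victim's cache poisoned
]


def monitor(replies, gateway_ip=GATEWAY_IP, pinned_gateway_mac=PINNED_GATEWAY_MAC, max_ips_per_mac=1):
    """Return alerts as (timestamp, kind, detail); an empty list means nothing suspicious."""
    ip_to_mac = {}                     # last MAC seen for each IP (what a host's cache would hold)
    mac_to_ips = defaultdict(set)      # every IP each MAC has ever answered for
    alerts = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "flip-flop", f"{ip} moved from {previous} to {mac}"))
        if ip == gateway_ip and mac != pinned_gateway_mac:
            alerts.append((ts, "gateway", f"{ip} claimed by {mac}, pinned MAC is {pinned_gateway_mac}"))
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > max_ips_per_mac:
                alerts.append((ts, "multi-ip", f"{mac} now answers for {sorted(mac_to_ips[mac])}"))
        ip_to_mac[ip] = mac
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in monitor(ARP_REPLIES):
        print(f"t={ts} {kind:9} {detail}")
```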

Page 17:

IP Address Spoofing

- Three main flavors:
  - Simple Spoofing
  - Undermining Unix r-Commands
  - Spoofing with source routing
- Doesn't allow actions to be traced back to an IP
- Undermines applications that rely on IP addresses for authentication or filtering

Page 18:

Simple Spoofing

- Simply change the IP of your computer
- Can be done with ifconfig in UNIX or under the network control panel in Windows
- Use a tool that generates packets with fake IP addresses
- The only problem is that the attacker can't establish a three-way handshake with the victim

Page 19:

Undermining UNIX r-Commands

- This targets UNIX trust relationships
- Trust relationships allow users to log onto one machine and then log into trusting machines without a password
- Uses the r-commands:
  - rlogin (remote login)
  - rsh (remote shell)
  - rcp (remote copy)
- A computer can also be added to the trust relationship by editing the /etc/hosts.equiv or ~/.rhosts file
- A machine's trust relies on the system's IP address
- The administrator can establish a hub and spoke relationship, logging onto one computer and then sending commands to multiple systems that trust it using the rsh tool.

Page 20:

Hub and Spoke

[Diagram: an Admin machine at the hub, with Trust relationships radiating out to several spoke machines]

Page 21:

Exploiting Hub and Spoke Relationships

1. Attacker sends multiple TCP SYN packets to the computer to be attacked, which allows the attacker to guess future sequence numbers

2. Attacker launches a DoS attack on the trusted computer, so that computer is dead to the network

3. Attacker launches a connection with the victim using the trusted computer's IP address

4. The victim returns a SYN-ACK to the trusted computer, but no reply is sent because it was hit with a DoS attack

5. Using the sequence numbers gathered in step 1, the attacker sends ACK packets to the victim with a guessed sequence number, again spoofing the trusted machine's IP

Page 22:

Exploiting Hub and Spoke Relationships

- The attacker now has a connection with the victim's computer and can feed it commands
- The attacker can't see the responses
- The attacker can make the computer trust the attacker's computer or any computer on the network
- The attacker can then log on directly to the victim, no spoofing required

Page 23:

Spoofing with Source Routing

- Source routing allows the attacker to specify a certain path the packet will take on the network
- "Loose source routing" allows the attacker to tell the computer some hops but not all
- The attacker sends source-routed packets from a fake source IP to the victim
- These packets claim to be from a trusted computer
- They include the attacker's IP address as one of the hops
- When the victim's computer tries to establish a three-way handshake, the attacker intercepts the SYN-ACK and submits its own ACK
- An open connection has been established between the attacker and victim; the attacker can view the responses from the victim

Page 24:

Defenses against IP Spoofing

- Make the initial sequence numbers generated by your TCP stack difficult to guess
  - apply the latest security patches
  - test predictability by scanning and trying to guess them yourself (Nmap can be helpful with this)
- Avoid using r-commands
  - use SSH instead, or other secure programs
- Avoid setting up trust relationships on a network
- Avoid applications that validate based on IP address
  - authentication should be based on passwords and cryptography
  - use other techniques that tie the session to the user
- Use filters at the DMZ and gateways that drop source-routed packets (both incoming and outgoing)
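A check a DMZ or gateway filter could apply to implement the last bullet: walk the IPv4 option list and flag the loose (LSRR, type 131) and strict (SSRR, type 137) source-route options (added example, not from the slides; the addresses and test packets are constructed here, and the header checksum is not validated):

```python
import socket
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137
SOURCE_ROUTE_NAMES = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def source_route(packet):
    """Return (kind, [hop IPs]) if the IPv4 header carries LSRR/SSRR, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                  # header length in bytes
    if ihl < 20 or ihl > len(packet):
        return None                               # malformed: a real filter drops it too
    i = 20                                        # options start after the fixed header
    while i < ihl:
        opt = packet[i]
        if opt == IPOPT_EOL:
            break
        if opt == IPOPT_NOP:                      # single-byte padding option
            i += 1
            continue
        if i + 1 >= ihl or packet[i + 1] < 2 or i + packet[i + 1] > ihl:
            return None                           # truncated option or bad length
        length = packet[i + 1]
        if opt in SOURCE_ROUTE_NAMES:
            route = packet[i + 3:i + length]      # skip the type, length and pointer bytes
            hops = [socket.inet_ntoa(route[j:j + 4]) for j in range(0, len(route) // 4 * 4, 4)]
            return SOURCE_ROUTE_NAMES[opt], hops
        i += length
    return None


def should_drop(packet):
    return source_route(packet) is not None       # policy from the slide: drop in and out


def build_ipv4(src, dst, options=b""):
    """Constructed test packet: minimal IPv4 header + options (checksum left as 0)."""
    options += b"\x00" * (-len(options) % 4)      # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                         64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options


def source_route_option(hops, strict=False):
    """Constructed LSRR/SSRR option: type, length, pointer (4 = first hop), hop list."""
    data = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([IPOPT_SSRR if strict else IPOPT_LSRR, 3 + len(data), 4]) + data
```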