Sniffing and Spoofing
Spoofing
Fraudulently authenticating one machine as another
ARP spoofing, IP spoofing, DNS spoofing, Web spoofing
ARP spoofing
Address Resolution Protocol (ARP): maps IP addresses to hardware (Ethernet) addresses
A host sends an ARP packet asking "who has this IP address, and what is your hardware address?"
ARP cache: table of recent responses
ARP Spoofing
1. Assume IP address "a" of a trusted host
2. Respond to ARP packets for address "a"
3. Send a false hardware address (i.e. the fraud's address)
4. Solution: make the ARP cache static (manual updates!?!)
ARP Message Formats
ARP packets provide the mapping between hardware-layer and protocol-layer addresses
28-byte header for an IPv4 Ethernet network: 8 bytes of ARP data, 20 bytes of Ethernet/IP address data
6 ARP messages: ARP request and reply; ARP reverse request and reply; ARP inverse request and reply
ARP Request Message
Source contains initiating system’s MAC address and IP address
Destination contains the broadcast MAC address ff:ff:ff:ff:ff:ff
ARP Reply Message
Source contains replying system’s MAC address and IP address
Destination contains requestor’s MAC address and IP address
Types of Attack
Sniffing attacks; Session hijacking/MiM; Denial of service
Sniffing on a Hub
[Figure: sniffer, source and destination stations all attached to a hub]
Switch Sniffing
Normal switched networks: switches relay traffic between two stations based on MAC addresses; stations only see broadcast or multicast traffic
Compromised switched networks: the attacker spoofs destination and source addresses and forces all traffic between two stations through its system
Unsolicited ARP Reply
Any system can spoof a reply to an ARP request
Receiving system will cache the reply: overwrites an existing entry, adds an entry if one does not exist
Usually called ARP poisoning
Host to Host Exploit
[Figure: Client (C), Server (S) and Hostile host. C broadcasts an ARP request; S sends the real ARP reply; the hostile host sends a spoofed ARP reply to C and a spoofed ARP reply to S]
Host to Router Exploit
[Figure: Client (C), Gateway Router (R) and Hostile host. C broadcasts an ARP request; R sends the real ARP reply; the hostile host sends a spoofed ARP reply to C and a spoofed ARP reply to R]
Relay Configuration
[Figure: ARP entries with the attacker relaying between Alice and Bob]
Alice (real):          0:c:3b:9:4d:8 - 10.1.1.7
Bob (real):            0:c:3b:1c:2f:1b - 10.1.1.2
Poisoned entry for Alice: 0:c:3b:1a:7c:ef - 10.1.1.7
Poisoned entry for Bob:   0:c:3b:1a:7c:ef - 10.1.1.2
Attacker:              0:c:3b:1a:7c:ef - 10.1.1.10
Relay Configuration (cont.)
[Figure: sniffer, source and destination stations attached to a switch; traffic between source and destination is relayed through the sniffer]
Session Hijacking/MiM
Natural extension of the sniffing capability
"Easier" than standard hijacking: no need to deal with duplicate/un-sync'd packets arriving at destination and source
Avoids packet storms
Denial of Service
Spoofing the destination MAC address of a connection will prevent the intended source from receiving/accepting it
Benefits: no protocol limitation; eliminates synchronization issues
Examples: UDP DoS; TCP connection killing instead of using RSTs
DoS MAC Entries
[Figure: ARP entries after a DoS poisoning]
Alice (real):          0:c:3b:9:4d:8 - 10.1.1.7
Bob (real):            0:c:3b:1c:2f:1b - 10.1.1.2
Poisoned entry for Alice: a:b:c:1:2:3 - 10.1.1.7
Entry for Bob (unchanged): 0:c:3b:1c:2f:1b - 10.1.1.2
Attacker:              0:c:3b:1a:7c:ef - 10.1.1.10
Denial of Service Examples
ARP Attack on Web Surfing
Web surfers require the gateway router to reach the Internet
Method: identify the surfer's MAC address; change their cached gateway MAC address (or DNS MAC address if local) to "something else"
ARP Attack on Network-based IDS
Poorly constructed (single-homed) IDS network systems relay auditing data/alerts to management/admin consoles
Method: identify the local IDS network engine; modify the gateway MAC address; modify the console/management station address
Switch Attacks
Certain attacks may overflow the switch's ARP tables
Method: a MAC address is composed of six bytes, which is equivalent to 2^48 possible addresses; see how many randomly generated ARP replies or ARP requests it takes before the switch "fails"
Switch Attacks (cont.)
Switches may:
Fail open: the switch actually becomes a hub
Fail: no traffic passes through the switch, requiring a hard or soft reboot
Network "Bombs"
"Hidden" application installed on a compromised system
Method: passively or actively collects ARP entries; the attacker specifies a timeout or a future time; the application transmits false ARP entries to its list
Vulnerable Systems
Windows 95, Windows 98, Windows NT, Windows 2000, AIX 4.3, HP 10.2, Linux RedHat 7.0, FreeBSD 4.2, Cisco IOS 11.1, Netgear
Not Vulnerable
Sun Solaris 2.8: appears to resist cache poisoning
Countermeasures
Firewalls
Most "personal" firewalls are not capable of defending against or correctly identifying attacks below the IP level
UNIX: ipfw, ipf (IP Filter)
Windows environments: Network Ice/Black Ice
Session Encryption
Examples: establishing VPNs between networks or systems; using application-level encryption
Effects: prevents disclosure attacks; will not prevent DoS attacks
Strong Authentication
Examples: one-time passwords; certificates
Effects: none on disclosure attacks; none on DoS attacks
Port Security
Cisco switches: set port security ?/? enable <MAC address>
Restricts source MAC addresses: hard-coded ones, "learned" ones
Ability to set timeouts; ability to generate traps; ability to "shutdown" the violating port
Port Security (cont.)
Issues: only restricts source MAC addresses; will not prevent ARP relay attacks; will only prevent ARP source spoofing attacks
Hard Coding Addresses
Example: individual systems can hard-code the corresponding MAC address of another system/address
Issues: management nightmare; not scalable; not supported by some OS vendors
Hard Coding Results
Operating System     Results
Windows 95           FAIL
Windows 98           FAIL
Windows NT           FAIL
Windows 2000         FAIL
Linux RedHat 7.0     YES
FreeBSD 4.2          YES
Solaris 2.8          YES
Countermeasure Summary
[Table: rows Firewalls, Session Encryption, Strong Authentication, Port Security, Hard Coding; columns Sniffing, Session Hijacking, Denial of Service; the cell marks are not recoverable]
Detection
[Figure: monitored network with a critical server, a hostile system, a network monitor and a management console]
IDS Architecture Issues
[Figure: the same monitored network with critical server, hostile system, network monitor and management console]
OS Level Detection
Operating System     Detection
Windows 95           NO
Windows 98           NO
Windows NT           NO
Windows 2000         NO
Linux RedHat 7.0     NO
FreeBSD 4.2          YES
Hypothetical Detection Application
Purpose: track and maintain ARP/IP pairings; identify non-standard ARP replies versus acceptable ones; timeout issues
The OS must withstand corruption itself
Fix broken ARP entries of systems: transmission of correct ARP replies
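As an added example (not code from the original slides), the following Python decodes the 28-byte ARP body described in the message-format slides and implements the tracking and identification part of the hypothetical detection application: it keeps IP-to-MAC pairings, flags a reply that answers no outstanding request, and flags a pairing that changes. The frames are constructed from the relay-configuration addresses (written with two-digit hex bytes); the class and function names are this example's own.

```python
import struct
from collections import namedtuple

ARP_REQUEST, ARP_REPLY = 1, 2
ArpMsg = namedtuple("ArpMsg", "op sender_mac sender_ip target_mac target_ip")

def parse_arp(body: bytes) -> ArpMsg:
    """Decode the 28-byte IPv4-over-Ethernet ARP body: 8 bytes of fixed fields,
    then sender MAC/IP and target MAC/IP (6 + 4 + 6 + 4 bytes)."""
    if len(body) < 28:
        raise ValueError("ARP body shorter than 28 bytes")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", body[8:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return ArpMsg(op, mac(sha), ip(spa), mac(tha), ip(tpa))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed test data only: assemble an ARP body from text addresses."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))

class ArpMonitor:
    """Arpwatch-style tracker (name is this example's own): remembers the first
    MAC seen for each IP and raises alerts on unsolicited or conflicting replies."""
    def __init__(self):
        self.pairings = {}     # ip -> first MAC seen for it
        self.pending = set()   # IPs asked for in a request and not yet answered
        self.alerts = []

    def observe(self, msg: ArpMsg):
        if msg.op == ARP_REQUEST:
            self.pending.add(msg.target_ip)
            self._learn(msg.sender_ip, msg.sender_mac, unsolicited=False)
        elif msg.op == ARP_REPLY:
            # A reply nobody asked for is the "unsolicited ARP reply" of the slides.
            unsolicited = msg.sender_ip not in self.pending
            self.pending.discard(msg.sender_ip)
            self._learn(msg.sender_ip, msg.sender_mac, unsolicited)

    def _learn(self, ip, mac, unsolicited):
        if unsolicited:
            self.alerts.append(("unsolicited-reply", ip, mac))
        old = self.pairings.setdefault(ip, mac)   # keep the first-seen pairing
        if old != mac:
            self.alerts.append(("changed-mapping", ip, old, mac))

def demo_alerts():
    """Replay the relay scenario: Alice asks for Bob, Bob answers, then the
    attacker's MAC (0:c:3b:1a:7c:ef on the slides) claims Bob's IP unasked."""
    alice, bob, evil = "00:0c:3b:09:4d:08", "00:0c:3b:1c:2f:1b", "00:0c:3b:1a:7c:ef"
    frames = [
        build_arp(ARP_REQUEST, alice, "10.1.1.7", "00:00:00:00:00:00", "10.1.1.2"),
        build_arp(ARP_REPLY, bob, "10.1.1.2", alice, "10.1.1.7"),
        build_arp(ARP_REPLY, evil, "10.1.1.2", alice, "10.1.1.7"),
    ]
    mon = ArpMonitor()
    for frame in frames:
        mon.observe(parse_arp(frame))
    return mon.alerts
```

The monitor deliberately keeps the first-seen pairing rather than the newest one, so a poisoned entry shows up as a conflict instead of silently replacing the real one.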
Public Domain Tools
Manipulation: Dsniff 2.3, Hunt 1.5, a growing number of others
Local monitoring: Arpwatch 1.11
Demo Environment
[Figure: Cisco switch with an 802.11b segment; hosts 172.16.10.133 (Win2k), 172.16.10.25 (FreeBSD 4.2), 172.16.10.30 (Linux Redhat), 172.16.10.40 (FreeBSD/Win2k)]
Demonstration Tools
rfarp 1.1: provides ARP relay capability and packet dump for two selected stations; corrects MAC entries upon exiting
farp 1.1b: passive and active collection of ARP messages; DoS attacks on single hosts; DoS attacks on the entire collection; arbitrary and manual input of spoofed MAC addresses
Bibliography
Finlayson, Mann, Mogul, Theimer, RFC 903 “A Reverse Address Resolution Protocol,” June 1984
Kra, Hunt 1.5, http://www.gncz.cz/kra/index.html, Copyright 2000
Lawrence Berkeley National Laboratory, Network Research Group, Arpwatch 1.11, ftp://ftp.ee.lbl.gov/arpwatch.tar.Z, Copyright 1996
Plummer, David C., RFC 826 “An Ethernet Address Resolution Protocol,” November 1982
Russel, Ryan and Cunningham, Stace, “Hack Proofing Your Network,” Syngress Publishing Inc, Copyright 2000
Song, Dug, Dsniff 2.3, http://www.monkey.org/~dugsong/, Copyright 2000
IP Spoofing
Definitions: an open connection between two computers communicating by TCP/IP is called a socket and is defined by:
Source IP number, Source port number, Destination IP number, Destination port number, Initial source SEQ number, Initial destination SEQ number, an ID # that is increased for each packet
TCP packet header
16-bit source port number | 16-bit destination port number
32-bit sequence number
32-bit acknowledgement number
length | unused | flags | 16-bit window size
16-bit TCP checksum | 16-bit urgent offset
Options (if any)
Data (if any)
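An added example (not from the original slides) that decodes the header layout above with Python's struct module and names a segment SYN, SYN/ACK, ACK or RST the way the handshake and scanning slides do; the builder, which leaves the checksum zero because computing it needs the IP pseudo-header, only constructs test segments.

```python
import struct

# Flag bits in the low byte of the "length / unused / flags" word.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the 20-byte fixed header laid out above, then split options and data."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte fixed header")
    (sport, dport, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4       # the length field counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad header length")
    flags = [name for name, bit in TCP_FLAGS.items() if off_flags & bit]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags, "window": window,
            "checksum": checksum, "urgent": urgent,
            "options": segment[20:header_len], "data": segment[header_len:]}

def build_tcp_header(sport, dport, seq, ack, flags, window=65535, options=b"") -> bytes:
    """Constructed test data: assemble a header; the checksum is left zero because
    computing it needs the IP pseudo-header, which is outside this example."""
    options += b"\x00" * (-len(options) % 4)  # options are padded to a 32-bit boundary
    header_len = 20 + len(options)
    off_flags = ((header_len // 4) << 12) | sum(TCP_FLAGS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0) + options

def handshake_role(hdr: dict) -> str:
    """Name a segment the way the handshake and scanning slides do."""
    f = set(hdr["flags"])
    if "RST" in f:
        return "RST"
    if "SYN" in f:
        return "SYN/ACK" if "ACK" in f else "SYN"
    return "ACK" if "ACK" in f else "OTHER"

def acks_our_syn(syn: dict, reply: dict) -> bool:
    """The SYN/ACK pairing rule of the handshake slides: ack = our seq + 1
    (mod 2^32) and the ports are mirrored."""
    return (handshake_role(reply) == "SYN/ACK"
            and reply["ack"] == (syn["seq"] + 1) % (1 << 32)
            and (reply["src_port"], reply["dst_port"]) == (syn["dst_port"], syn["src_port"]))
```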
Traditional TCP/IP handshake
[Figure: attacker and target, built up over three slides]
1. SYN, attacker -> target: Src ip, Dst ip; Src prt, Dst prt; Syn = src seq#; Ack = NULL; Flags = S; Src ID = src ID + 1
2. SYN/ACK, target -> attacker: Src ip, Dst ip; Src prt, Dst prt; Syn = Dst seq#; Ack = src seq# + 1; Flags = S+A; Dst ID = Dst ID + 1
3. ACK, attacker -> target: Src ip, Dst ip; Src prt, Dst prt; Syn = src seq#; Ack = dst seq# + 1; Flags = A; Src ID = src ID + 1
Establishing a socket
A -> B: SYN (seqa)
B -> A: SYN/ACK (seqb, ack = seqa+1)
A -> B: ACK (ack = seqb+1)
Traditional port scanning
attacker -> target: SYN; target -> attacker: SYN/ACK; attacker -> target: ACK
Traditional stealth scanning 1
attacker -> target: SYN; target -> attacker: SYN/ACK (no final ACK is sent)
Traditional stealth scanning 2
attacker -> target: SYN; target -> attacker: SYN/ACK; attacker -> target: RST
Sequence numbers
Are in place to provide easy packet reassembly
Incremented each time a packet is sent
Various incrementation schemes exist
ID flag
Is in place to identify each TCP session
Is also in some cases used for packet reassembly
The ID counter is increased every time a packet is sent
This is valid for all packets, including reset packets
ID flag prediction
Most Unix boxes increment the ID by a random or pseudo-random number
Up till today ID numbers have not been known to be security critical
Some Windows versions tend to increment the ID# by 1
While some seem to increment the ID# by 254
This is due to reversed byte ordering of the ID# in these operating systems
IP spoofing
3 computers: A, B, C. C sends a packet to A, but makes A believe that the packet comes from B. How to do it?
Easy? Set the source IP address of the IP header to the IP address of B
This can be done easily using "raw" IP packets: you can make IP packets on your own, so you can also set the source IP address to any value you want
Spoofed scanning in theory
By constantly polling a decoy host for ID number increments we can see if the scanned target host has sent it SYN/ACK or reset packets
By analyzing this we will know whether a port on the scanned host is open or not
This is done totally blind from the scanned host
Since we know a machine will increase the ID# by sending a packet, we can constantly probe the host to see how many packets it has sent between our polls; this is done by monitoring the ID# increment
If a port is open on the scanned host, the server will respond with a SYN/ACK
If a port is closed on the scanned host, it will respond with a RST
If a host receives a SYN/ACK from an unknown source it will send a RST packet back
If a host receives a RST packet from an unknown source it will NOT send a packet back
Internet security threats
IP Spoofing: can generate "raw" IP packets directly from the application, putting any value into the IP source address field; the receiver can't tell if the source is spoofed, e.g. C pretends to be B
[Figure: hosts A, B and C; C sends A a packet marked "src:B dest:A payload"]
Why IP spoofing?
IP address as authentication method: it is not as safe as username/password authentication, but it is used in many cases, e.g. rlogin host
Network of workstations: they share the same user database; the host detects the IP address of the client, and if it is in the trusted list, login is granted without asking for username and password
Consequence: the attacker can get access to all the information of the spoofed computer on the server
How to do IP spoofing?
IP spoofing is a blind attack. Why? Where does the victim send the reply to?
It is extremely hard to carry out successful IP spoofing: one must create a successful TCP connection with the victim. How?
TCP Connection Establishment
Active participant (client) -> Passive participant (server): SYN, SequenceNum = x
Server -> client: SYN + ACK, SequenceNum = y, Acknowledgment = x + 1
Client -> server: ACK, Acknowledgment = y + 1
Spoofing TCP connection
A SYN request is sent by C to A; C is impersonating B
A will reply to B (not C) by sending a SYN/ACK packet
Case 1: B receives the SYN/ACK and gets confused; it replies with NACK; spoofing fails
Case 2: B doesn't reply to A (hopefully)
C sends ACK to A: it has to guess the SYN SEQ# that A sent to B and reply with SEQ#+1; hard but possible
TCP SYN attack
In Berkeley implementations, the ISN is incremented by a constant amount (64000) once per 0.5 second, and each time a connection is initiated
It is not hopeless to guess the next ISN to be used by a server
An attacker can impersonate a trusted host (e.g., in case of r commands, authentication is based on the source IP address solely)
[Figure: attacker, server, trusted host (T)]
attacker -> server: SYN = ISNX, SRC_IP = T
server -> T: SYN = ISNS, ACK(ISNX)
attacker -> server: ACK(ISNS), SRC_IP = T
attacker -> server: SRC_IP = T, nasty_data
Steps of IP spoofing attack
Detecting the trusted system: C wants to access A and finds that A trusts B
Blocking the trusted system (B): so that it does not respond to the SYN request from A. How? DoS attack on B
Guessing the SEQ# of B: must know how TCP generates SEQ#; try to connect to open ports of B right before the attack and check the SEQ#; predict the next SEQ# according to the TCP algorithm, given the last SEQ# and the elapsed time
Making the TCP connection
Doing damage
Countermeasures
Avoid using IP as an authentication method; username/password is better
Install a firewall: trusted IPs are usually on the same network, and spoofed IPs come from the outside network; the firewall blocks IP packets from outside the network, especially those with a source IP inside the network
Also the attacker's firewall should block packets with a source IP different from the internal network
IPsec: secure IP using encryption
SYN Floods
Simple to execute.
Send many SYNs to target host in quick succession with spoofed IPs.
Target allocates a buffer in kernel space, which stays allocated until timeout.
Reconnaissance with Spoofed IPs
3 basic recon methods:
Spoofed IPs as misinformation
Port scanning by IP seq number observation
Port scanning by indirect observation
Spoofed IP Addresses As Background Noise
An attacker can use spoofed IP addresses to create suspicious traffic that cannot easily be tracked down to the actual attacker. The intent here is not to leverage data from the actual spoofed packets, but to allow the attacker’s real activity, or identity, to be hidden among the false packets.
Nmap, perhaps the most common network scanner at the moment, allows the use of numerous "decoy" addresses. Using the -D option in Nmap, for example nmap -O -D 10.1.1.1,10.1.1.2,actual.attacker.ip.address,10.1.1.3 10.2.2.1, will allow an attacker to determine the operating system of the host at 10.2.2.1 while making it appear that the system is being scanned by four simultaneous hosts, only one of which (the 3rd sequentially) is the attacker.
Spoofed IPs as Background Noise
Scan from 100 random used IPs and your own
All must be checked to determine the actual scanner
Ex: -D option in nmap
Indirect Reconnaissance of a Target
1) Hosts reply SYN|ACK to a SYN if the TCP target port is open, and reply RST|ACK if the TCP target port is closed.
2) You can know the number of packets that hosts are sending using the IP header id field.
3) Hosts reply RST to SYN|ACK, and reply nothing to RST.
The significance of this is that due to predictable IP IDs, it is possible to remotely determine if a particular host is sending traffic to a third party. Using another of the described tendencies, it is also possible to predict how a host will react to a port scan. If a host is listening on a port, a probe (SYN) to that port will result in a SYN/ACK.
Indirect Reconnaissance of a Target
IP Sequence Number Observation
[Figure, three steps with hosts A, Z and T. Step 1: A sends an echo to Z and gets an echo response. Step 2: A sends T a spoofed SYN from Z; Z receives unknown traffic. Step 3: A sends another echo to Z and gets an echo response]
Indirect Reconnaissance of a Target
Introducing our players
attacker: 3vil.org, 10.0.0.1 in the diagrams
target: www.anycompany.com:80, 192.0.0.1 in the diagrams
spoof host: unknowing.com, 172.0.0.1 in the diagrams
Why do we need three of them?
Phase one (sync the ID# of the spoof host)
attacker -> spoof host: SYN:80
spoof host -> attacker: SYN/ACK
Why did we do that? The attacker now knows the spoof host's initial ID#
Phase 2 (spoofing the source)
attacker -> target: SYN, src = 172.0.0.1, dst = 192.0.0.1
Phase 3 (fooling the response)
target -> spoof host: SYN/ACK, src = 192.0.0.1, dst = 172.0.0.1
spoof host -> target: RST, src = 172.0.0.1, dst = 192.0.0.1
Phase 4 (probing the spoof host)
attacker -> spoof host: SYN:80
spoof host -> attacker: SYN/ACK
Case port open
Adding the ID counters
Phase one (sync the ID# of the spoof host): attacker -> spoof host (172.0.0.1): SYN:80; spoof host ID = 0
spoof host -> attacker: SYN/ACK; spoof host ID = 1
Phase 2 (spoofing the source): attacker -> target: SYN, src = 172.0.0.1, dst = 192.0.0.1; spoof host ID = 1
Phase 3 (fooling the response): target -> spoof host: SYN/ACK, src = 192.0.0.1, dst = 172.0.0.1; spoof host ID = 1
spoof host -> target: RST, src = 172.0.0.1, dst = 192.0.0.1; spoof host ID = 2
Phase 4 (probing the spoof host): attacker -> spoof host: SYN:80; spoof host ID = 2
spoof host -> attacker: SYN/ACK; spoof host ID = 3
Case port closed
Adding the ID counters
Phase one (sync the ID# of the spoof host): attacker -> spoof host (172.0.0.1): SYN:80; spoof host ID = 0
spoof host -> attacker: SYN/ACK; spoof host ID = 1
Phase 2 (spoofing the source): attacker -> target: SYN, src = 172.0.0.1, dst = 192.0.0.1; spoof host ID = 1
Phase 3 (fooling the response): target -> spoof host: RST, src = 192.0.0.1, dst = 172.0.0.1; spoof host sends nothing back, ID = 1
Phase 4 (probing the spoof host): attacker -> spoof host: SYN:80; spoof host ID = 1
spoof host -> attacker: SYN/ACK; spoof host ID = 2
The basic technique and its flaws
If the poll host is active it will increase the ID# for each connection. This will result in false positives.
These false positives can be minimized by sending multiple packets for each port, then calculating the increase. The port will only show up as open if the increase is > (#packets_sent*255)/2
Phase 2 (spoofing the source), with multiple packets
attacker -> target: (SYN, src = 172.0.0.1, dst = 192.0.0.1) * 20; spoof host ID = 1
Phase 3 (fooling the response)
target -> spoof host: SYN/ACK, src = 192.0.0.1, dst = 172.0.0.1 (one per spoofed SYN); spoof host ID = 1 + 20
Summary
By constantly polling a decoy host for ID number increments we can see if the scanned target host has sent it SYN/ACK or reset packets
By analysing this we will know whether a port on the scanned host is open or not
This is done totally blind from the scanned host
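Added example (not from the original slides), written from the decoy host's side: one function reports whether a host's IP ID increments are constant, and therefore let a remote party count the packets it sends between two polls as the technique above requires, and another flags SYN/ACKs arriving for connections the host never opened, which is what the decoy sees in phase 3. The packet records are constructed tuples using the diagram's addresses and the function names are this example's own.

```python
IPID_MODULUS = 1 << 16

def ipid_step(ids):
    """Constant increment between consecutive observed IP IDs (mod 2^16),
    or None when the increments vary, i.e. the host randomizes its IDs."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    steps = {(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])}
    return steps.pop() if len(steps) == 1 else None

def decoy_risk(ids):
    """Is this host usable as the 'spoof host' of the diagrams? Any fixed step
    (1 on some stacks, a larger constant where the counter is byte-swapped, as the
    ID flag prediction slide notes) lets a remote party count the packets sent
    between two probes; random increments do not."""
    step = ipid_step(ids)
    return "random" if step is None else f"predictable+{step}"

def unsolicited_synacks(records, my_ip):
    """records: (src_ip, dst_ip, flags) in arrival order at my_ip. Returns the
    peers that sent a SYN/ACK although this host never sent them a SYN, which is
    what the decoy sees in phase 3 when someone spoofs its address."""
    opened = set()          # peers this host itself sent a SYN to
    suspects = []
    for src, dst, flags in records:
        if src == my_ip and flags == "SYN":
            opened.add(dst)
        elif dst == my_ip and flags == "SYN/ACK" and src not in opened:
            suspects.append(src)
    return suspects

# Constructed trace from the spoof host's (172.0.0.1) point of view:
SAMPLE_RECORDS = [
    ("10.0.0.1", "172.0.0.1", "SYN"),          # attacker's phase 1/4 probe to port 80
    ("172.0.0.1", "10.0.0.1", "SYN/ACK"),      # our normal answer to it
    ("172.0.0.1", "198.51.100.5", "SYN"),      # a connection we opened ourselves
    ("198.51.100.5", "172.0.0.1", "SYN/ACK"),  # expected answer, not suspicious
    ("192.0.0.1", "172.0.0.1", "SYN/ACK"),     # phase 3: target answers a SYN we never sent
    ("172.0.0.1", "192.0.0.1", "RST"),         # our stack's reaction, as the slides say
]
```

A host that reports "random" from decoy_risk, or that logs unsolicited SYN/ACKs, tells its owner whether it can be, or is being, used as the third party in this technique.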
DoS/DDoS
DoS attacks are as old as the Internet itself
The year 2000 was when a completely new quality of DoS attack started (DDoS); DDoS struck a huge number of prominent web sites including Yahoo, eBay, Amazon and Buy.com
DDoS concepts: distributing the attack across several hosts; coordinating the attack among many machines; using the distribution system to thwart all attempts to discover the origin of the attack
DoS/DDoS Flood Attack Methods
Smurf attack; TCP SYN attack; UDP attack; TCP attack; ICMP attack
DoS/DDoS TCP SYN Attack
Exploits the three-way handshake
Figure 1. Three-way Handshake
S -> D: SYNx              (D: LISTEN)
D -> S: SYNy, ACKx+1      (D: SYN_RECEIVED)
S -> D: ACKy+1            (CONNECTED)
Figure 2. SYN Flooding Attack
S (nonexistent, spoofed source) -> D: SYN, SYN, SYN ...   (D: LISTEN -> SYN_RECEIVED)
D -> S: SYN+ACK, which the nonexistent source never answers
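The half-open state of Figure 2 (and of the SYN Floods slide earlier) as an added example, not from the original slides: a server-side tracker that keeps the SYN_RECEIVED entries the kernel would hold, frees them on the completing ACK, an RST or the timeout, and reports a flood when the backlog reaches a limit. The records are constructed tuples and the class name is this example's own.

```python
# Constructed records: (time_seconds, src_ip, dst_ip, src_port, dst_port, flags)
# as the server D sees them; D's own SYN+ACKs are not recorded.

class SynFloodMonitor:
    """Tracks the SYN_RECEIVED entries of Figures 1 and 2 (name is this example's own)."""

    def __init__(self, timeout=30.0, backlog_limit=5):
        self.timeout = timeout            # how long a half-open entry stays allocated
        self.backlog_limit = backlog_limit
        self.half_open = {}               # (src, dst, sport, dport) -> time SYN arrived

    def observe(self, t, src, dst, sport, dport, flags):
        key = (src, dst, sport, dport)
        if flags == "SYN":
            self.half_open.setdefault(key, t)       # LISTEN -> SYN_RECEIVED
        elif flags == "ACK" and key in self.half_open:
            del self.half_open[key]                 # third packet: CONNECTED
        elif flags == "RST":
            self.half_open.pop(key, None)           # peer aborted the attempt
        self._expire(t)

    def _expire(self, now):
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self.timeout]
        for k in stale:
            del self.half_open[k]                   # buffer released on timeout

    def report(self, now):
        """Backlog size, distinct sources holding it, and whether it looks like a
        flood: many half-open entries, from many sources, that never send the ACK."""
        self._expire(now)
        sources = {src for (src, _, _, _) in self.half_open}
        return {"half_open": len(self.half_open), "sources": len(sources),
                "flood": len(self.half_open) >= self.backlog_limit}

def demo():
    """A real client completes its handshake; six spoofed sources never do."""
    mon = SynFloodMonitor(timeout=30.0, backlog_limit=5)
    mon.observe(0.0, "10.1.1.7", "10.1.1.2", 40000, 80, "SYN")
    mon.observe(0.1, "10.1.1.7", "10.1.1.2", 40000, 80, "ACK")
    after_handshake = mon.report(0.2)
    for i in range(6):                              # 203.0.113.0/24 is documentation space
        mon.observe(1.0 + i, f"203.0.113.{i}", "10.1.1.2", 1000 + i, 80, "SYN")
    during_flood = mon.report(10.0)
    after_timeout = mon.report(50.0)                # all six entries have timed out
    return after_handshake, during_flood, after_timeout
```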
"Smurf"
[Figure: the perpetrator sends, across the Internet, an ICMP echo with the spoofed source address of the victim to an IP broadcast address; the ICMP echo replies go to the victim]
DNS Spoofing
Someone else's domain name -> your computer
Possible damages:
Redirected email: email sent from A to B goes to C instead; C spoofed B's domain name
Redirected web server: possible attack by exploiting a browser vulnerability
How to do DNS spoofing? C: the attacker wants to spoof B; A communicates with B
Method 1: modify C's name server ns.C; let it respond to "C=?" with "B=C.ip" (this is replying with something that was not asked for); send DNS request "C=?" to ns.A; ns.A asks ns.C; ns.C replies "B=C.ip"
Method 2: C sends DNS request "B=?" to ns.A; C replies "B=C.ip" to ns.A; UDP makes it easier, but one still needs to guess the request ID
Countermeasures
Paranoid DNS checking: the resolved IP address is sent to DNS for reverse resolution to get the hostname; send the hostname to DNS again to get the IP address; if the two IP addresses match = OK
Secure name server: DNSsec, digitally signed answers
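The paranoid DNS check above as an added example (not from the original slides), with the resolver functions injected so it runs offline against a constructed table; in production they would wrap socket.gethostbyaddr and socket.gethostbyname_ex. It also compares the PTR name with the name that was queried, a step the slides do not include.

```python
# Constructed resolver tables (documentation address space, not real hosts):
FORWARD = {"mail.b.example": ["192.0.2.10"], "www.c.example": ["198.51.100.7"]}
REVERSE = {"192.0.2.10": "mail.b.example", "198.51.100.7": "www.c.example"}

def table_reverse(ip):
    """Stand-in for socket.gethostbyaddr(ip)[0]."""
    if ip not in REVERSE:
        raise LookupError("no PTR record")
    return REVERSE[ip]

def table_forward(host):
    """Stand-in for socket.gethostbyname_ex(host)[2]."""
    if host not in FORWARD:
        raise LookupError("no A record")
    return FORWARD[host]

def paranoid_check(name, resolved_ip, reverse=table_reverse, forward=table_forward):
    """Round-trip resolved_ip -> PTR name -> addresses as the slides describe.
    Returns (status, ptr_name); status is 'ok' only when the addresses agree
    and the PTR name is the name originally asked for."""
    try:
        ptr = reverse(resolved_ip)
    except LookupError:
        return "no-ptr", None
    try:
        ips = forward(ptr)
    except LookupError:
        return "no-forward", ptr
    if resolved_ip not in ips:
        return "ip-mismatch", ptr
    # The slides stop here ("if two IP addresses match = OK"). Comparing the PTR
    # name with the queried name additionally catches a spoofed answer that points
    # at an attacker-controlled host whose own forward and reverse records agree.
    if ptr != name:
        return "name-mismatch", ptr
    return "ok", ptr

def demo_checks():
    """A genuine answer, a spoofed answer pointing at C's web server, and an
    address with no reverse record at all."""
    return [paranoid_check("mail.b.example", "192.0.2.10"),
            paranoid_check("mail.b.example", "198.51.100.7"),
            paranoid_check("mail.b.example", "203.0.113.9")]
```

Note that the second case passes the slides' address-only test, since C's records are self-consistent, and is only caught by the name comparison.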
Web spoofing, phishing or carding use spoofed emails and fraudulent websites that trick innocent users into divulging private information such as usernames and passwords, credit card numbers, social security numbers, etc.
Web Spoofing
A typical web spoofing attack
Web browsing goes through an intermediate attacker
The attacker goes to the server, fetches the data and sends it back to the victim
The attacker is able to monitor all traffic between the victim and the server, including forms, even secure connections! Lost privacy
Hard for an ordinary victim to notice anything wrong
How it works
JavaScript and plug-ins redirect all web traffic to the attacker's machine, including the links on the pages
Initiated by visiting a malicious website
Countermeasures
Check the "lock" button for a secure connection; check that it is indeed the website you intended to visit
Check the status bar: does it go somewhere strange?