Network Attacks (slide transcript, posted 19-Dec-2015)

Network Attacks 1

Network Attacks

Network Attacks 2

Topics
• Sniffing
• IP address spoofing
• Session hijacking
• Netcat
  o General-purpose network tool

Network Attacks 3

Sniffing
• Sniffer gathers traffic from LAN
  o Can see packets in real time
  o Usually, interface put in promiscuous mode
  o Gathers everything, regardless of IP address
• Sniffer is useful for attacker
  o And useful for administrator
• Sniffer can collect data such as …
  o ID/password sent over telnet, DNS, email messages, files sent over NFS, etc.

Network Attacks 4

Sniffing
• Attacker who has access to LAN can sniff packets
  o Usually requires admin/root privilege
  o Typically, use sniffer to gather pwds
• Sniffing can be used in “island hopping” attack
  o Next slide

Network Attacks 5

Island Hopping Attack

Network Attacks 6

Sniffers
• Freeware sniffers include
  o windump --- port of tcpdump
  o Snort --- sniffer/IDS
  o Wireshark (formerly, Ethereal) --- able to decode lots of protocols
  o Sniffit --- popular with attackers
  o Dsniff --- perhaps most powerful

Network Attacks 7

Passive Sniffing Thru a Hub
• Recall that hub broadcasts everything
• Passive sniffer sees everything

Network Attacks 8

Snort
• Snort: open source, UNIX-based IDS
• Started out as a sniffer
  o Still can serve as a capable sniffer
  o Why does sniffer-to-IDS make sense?
• Snort not often used by attackers
  o Has more features than attacker needs

Network Attacks 9

Sniffit
• Sniffit popular with attackers
  o UNIX-based
• Sniffit has “interactive mode”
  o Keeps track of individual sessions
  o Can view these as separate conversations

Network Attacks 10

Sniffit Interactive Mode

Network Attacks 11

Wireshark
• Wireshark (formerly Ethereal)
  o Available for many platforms
  o Probably easiest sniffer to use, great UI, etc.
• Wireshark is a “protocol genius”
  o Decodes every bit of packet
• “Follow TCP stream” function
  o Select a TCP packet, view entire connection

Network Attacks 12

Wireshark

Network Attacks 13

Sniffer as Scanning Tool
• Nmap, Nessus, etc., may be detected
  o Active
• Sniffer is passive, so no such risk
  o What can be determined by sniffing?
• May be able to ID OS (maybe even version of OS)
  o E.g., based on way connections are made

Network Attacks 14

P0f2
• Tool to passively ID OS
• Available for most platforms
• To “fingerprint” OS’s network stack
  o Can also ID firewall, NAT, etc.
• What info does it use? TTL, IP ID, other?

Network Attacks 15

P0f2

Network Attacks 16

Switch
• Recall that switch does not broadcast

Network Attacks 17

Active Sniffing
• Sniffing thru a switch?
• Switch limits what you see with sniffers such as Wireshark
• May be able to “sniff” thru switch by inserting traffic
  o Dsniff and Ettercap

Network Attacks 18

Dsniff
• Developed by developer of FragRouter
• Dsniff decodes lots of application-level protocols
  o FTP, telnet, POP, …, Napster, pcAnywhere
  o Makes it easy to find passwords
• Dsniff also has active operations

Network Attacks 19

Dsniff
• Switch remembers MAC addresses
• MAC address flooding
  o Dsniff sends packets with random spoofed MAC addresses
  o Switch’s address memory eventually exhausted
• Then what does switch do?
  o It depends…, but some start acting like hubs
  o If so, then passive sniffing works

Network Attacks 20

Dsniff
• What to do if flooding fails?
• ARP spoofing (ARP cache poisoning)
  o Attacker sets “IP forwarding” on his machine to default gateway (router)
  o Attacker poisons ARP cache so that he appears to be default gateway
  o Attacker sees all traffic destined for outside world, and traffic still sent to default gateway

Network Attacks 21

Default Router

Network Attacks 22

Spoofed “Default Router”

Network Attacks 23

Dsniff ARP Spoofing
• How could this be detected?
• What happens when packet sent from attacker to default gateway?
  o IP forwarding is “really simple routing”
  o So, TTL is decremented
  o Could be detected by, say, traceroute
• How can attacker avoid this?
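The detection question on this slide, worked as an added example (not from the slides or from Dsniff): a passive monitor that flags both tricks from slides 19 and 20, a burst of distinct source MACs (flooding) and a known IP, especially the gateway, suddenly claiming a new MAC (cache poisoning). The gateway address, the thresholds and the replayed frames are constructed.

```python
GATEWAY_IP = "192.168.1.1"    # assumed address of the default gateway on the monitored LAN

class ArpMonitor:
    """Passive detector for the two Dsniff tricks: MAC flooding and ARP cache poisoning."""

    def __init__(self, flood_threshold=50, window=1.0):
        self.ip_to_mac = {}                       # MAC learned for each IP from ARP replies
        self.recent = []                          # (timestamp, source MAC) of frames in the window
        self.flood_threshold = flood_threshold    # distinct source MACs per window that is "too many"
        self.window = window                      # seconds
        self.alerts = []

    def frame(self, ts, src_mac, arp=None):
        """Feed one frame; arp = (sender_ip, sender_mac) for ARP replies, else None."""
        # MAC flooding: a burst of many distinct source MACs in a short window
        self.recent = [(t, m) for t, m in self.recent if ts - t <= self.window]
        self.recent.append((ts, src_mac))
        distinct = len({m for _, m in self.recent})
        if distinct >= self.flood_threshold:
            self.alerts.append(("mac_flood", ts, distinct))
            self.recent.clear()                   # report a burst once
        # ARP cache poisoning: an IP we already know suddenly claims a different MAC
        if arp is not None:
            ip, mac = arp
            known = self.ip_to_mac.get(ip)
            if known is not None and known != mac:
                kind = "gateway_mac_changed" if ip == GATEWAY_IP else "ip_mac_changed"
                self.alerts.append((kind, ts, ip, known, mac))
            self.ip_to_mac[ip] = mac
        return self.alerts

def run_demo():
    """Replays constructed traffic: learn the real gateway, a flood burst, then a poisoned reply."""
    mon = ArpMonitor()
    mon.frame(0.0, "aa:aa:aa:00:00:01", arp=(GATEWAY_IP, "aa:aa:aa:00:00:01"))
    for i in range(60):                           # 60 frames from 60 made-up source MACs in 60 ms
        mon.frame(1.0 + i * 0.001, f"de:ad:be:ef:00:{i:02x}")
    mon.frame(5.0, "bb:bb:bb:00:00:02", arp=(GATEWAY_IP, "bb:bb:bb:00:00:02"))
    return mon.alerts
```

A static ARP entry for the gateway (slide 42) stops the second alert from ever being needed on that host; the monitor still catches poisoning aimed at other hosts on the segment.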

Network Attacks 24

Ettercap
• Ettercap uses method known as “port stealing” to sniff switched LAN
  o Sometimes, hard-coded MAC addresses
  o In such case, ARP poisoning not possible
• Port stealing may be an option

Network Attacks 25

Ettercap
• Switch associates MAC addresses to each of its physical ports
  o Mapping created by examining packets
• Ettercap floods LAN with frames
  o Attacker’s MAC address is destination
  o Source MAC address is victim machine (e.g., default gateway)
• What does this accomplish?
  o Switch associates default gateway with its physical port on which attacker resides

Network Attacks 26

Ettercap
• Port stealing
• So far… switch thinks default gateway on same physical port as attacker
  o Note: ARP tables on hosts not affected
• Then attacker can sniff data intended for victim
• How does attacker then get these packets to the default gateway?

Network Attacks 27

Ettercap
• So far… packets intended for gateway can be sniffed by attacker
• How to get these packets to gateway?
  o Forward packets to switch with gateway’s MAC address?
  o That won’t work!

Network Attacks 28

Ettercap
• Attacker sends ARP request for IP address of gateway
• When attacker sees response
  o Knows switch has also seen response
• So what?
  o Now switch sends data intended for gateway to the gateway
  o Attacker can then send buffered data
• Brilliant!

Network Attacks 29

Port Stealing

Network Attacks 30

DNS Spoofing
• Dsniff can send false DNS info
  o Used to redirect traffic
• Victim tries to resolve name via DNS
  o Attacker sniffs DNS request
  o Attacker responds quickly with bogus IP
  o Victim goes to bogus address
• Works provided bogus reply arrives first
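The race on this slide has a detectable side effect: the real server's answer usually still arrives, a little after the bogus one, so two replies to one query ID with different addresses is the tell. Added example (not from the slides): a monitor over a constructed capture; the packet records, names and the two-second window are assumptions.

```python
def detect_dns_spoof(packets, window=2.0):
    """packets: dicts with kind ('query'|'response'), ts, txid, qname and, for responses, answer.
    Returns (qname, txid, answer_the_victim_used, later_conflicting_answer) for each race seen."""
    pending = {}           # (txid, qname) -> ts of the query we saw go out
    first_reply = {}       # (txid, qname) -> (ts, answer) of the first response, which wins
    alerts = []
    for p in packets:
        key = (p["txid"], p["qname"])
        if p["kind"] == "query":
            pending[key] = p["ts"]
            first_reply.pop(key, None)
            continue
        if key not in pending:
            continue       # response with no matching query on this wire: out of scope here
        first = first_reply.get(key)
        if first is None:
            first_reply[key] = (p["ts"], p["answer"])     # this is the reply the victim acts on
        elif first[1] != p["answer"] and p["ts"] - first[0] <= window:
            alerts.append((p["qname"], p["txid"], first[1], p["answer"]))
    return alerts

# Constructed capture: the victim resolves bank.example; a fast bogus reply beats the real one.
SAMPLE = [
    {"kind": "query",    "ts": 0.000, "txid": 0x1a2b, "qname": "bank.example"},
    {"kind": "response", "ts": 0.002, "txid": 0x1a2b, "qname": "bank.example", "answer": "203.0.113.66"},
    {"kind": "response", "ts": 0.041, "txid": 0x1a2b, "qname": "bank.example", "answer": "198.51.100.20"},
    {"kind": "query",    "ts": 1.000, "txid": 0x3c4d, "qname": "www.example"},
    {"kind": "response", "ts": 1.030, "txid": 0x3c4d, "qname": "www.example",  "answer": "198.51.100.7"},
]
```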

Network Attacks 31

DNS Spoofing

Network Attacks 32

Sniffing SSL and SSH
• Dsniff webmitm enables man-in-the-middle (MiM) attack
• Send certificate signed by bogus “CA”
  o In SSL, browser warns user, and …
  o …warning is ignored
  o In SSH user is warned, and …
  o …warning is ignored

Network Attacks 33

Sniffing SSL and SSH
• Man-in-the-middle
  o Politically correct: “monkey-in-the-middle”

Network Attacks 34

Simplified SSL Protocol

Alice                                              Bob
  ----- Can we talk?, cipher list, RA ------------>
  <---- certificate, cipher, RB -------------------
  ----- {S}Bob, E(h(msgs,CLNT,K),K) -------------->
  <---- h(msgs,SRVR,K) ----------------------------
  <==== Data protected with key K ================>

• S is pre-master secret
• K = h(S,RA,RB)
• msgs = all previous messages
• CLNT and SRVR are constants

Network Attacks 35

SSL MiM Attack

Alice                        Trudy                        Bob
  ---- RA ----------------->   ---- RA ----------------->
  <--- certificateT, RB ----   <--- certificateB, RB ----
  ---- {S1}Trudy, E(X1,K1) ->  ---- {S2}Bob, E(X2,K2) -->
  <--- h(Y1,K1) ------------   <--- h(Y2,K2) ------------
  <=== E(data,K1) =========>   <=== E(data,K2) =========>

• Q: What prevents this MiM attack?
• A: Bob’s certificate must be signed by a certificate authority (such as Verisign)
• What does browser do if signature not valid?
• What does user do if signature is not valid?
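The simplified protocol of slide 34 and the answer on slide 35, as an added example (not from the slides): K = h(S,RA,RB) and the two finished-message hashes are computed on both sides, and the only step that tells Bob apart from Trudy-with-a-bogus-certificate is the certificate check. Two stand-ins are assumed to keep it self-contained: the CA "signature" is an HMAC with a CA secret, and {S}Bob is modelled as S simply being handed to whoever answered the handshake.

```python
import hashlib, hmac, os

CA_SECRET = b"constructed-trusted-CA-secret"   # stand-in for the one CA Alice's browser trusts

def h(*parts):
    # the slides' hash h(...) over the concatenation of its arguments
    return hashlib.sha256(b"|".join(parts)).digest()

def issue_cert(subject, ca_secret):
    # stand-in "CA signature": HMAC over the subject name with the issuing CA's secret
    return {"subject": subject, "sig": hmac.new(ca_secret, subject.encode(), "sha256").digest()}

def cert_ok(cert, expected_subject):
    """Browser check: signed by the trusted CA, and naming the server Alice asked for."""
    good = hmac.new(CA_SECRET, cert["subject"].encode(), "sha256").digest()
    return hmac.compare_digest(cert["sig"], good) and cert["subject"] == expected_subject

class Server:
    """Bob, or Trudy posing as Bob: whoever answers the handshake with a certificate."""
    def __init__(self, cert):
        self.cert = cert
    def hello(self, RA):                      # replies "certificate, cipher, RB"
        self.RA, self.RB = RA, os.urandom(16)
        return self.cert, self.RB
    def finish(self, S, client_mac):          # receives {S}Bob, E(h(msgs,CLNT,K),K)
        K = h(S, self.RA, self.RB)
        msgs = h(self.RA, self.cert["subject"].encode(), self.RB)   # "all previous messages"
        if client_mac != h(msgs, b"CLNT", K):
            return None
        return h(msgs, b"SRVR", K)

def client_handshake(server, expected_subject, verify_cert=True):
    """Alice's side. Returns the session key K, or None if the handshake is refused."""
    RA = os.urandom(16)                       # "Can we talk?, cipher list, RA"
    cert, RB = server.hello(RA)
    if verify_cert and not cert_ok(cert, expected_subject):
        return None                           # the warning the slides say users click through
    S = os.urandom(32)                        # pre-master secret, modelled as {S}Bob
    K = h(S, RA, RB)
    msgs = h(RA, cert["subject"].encode(), RB)
    server_mac = server.finish(S, h(msgs, b"CLNT", K))
    return K if server_mac == h(msgs, b"SRVR", K) else None

def demo():
    bob = Server(issue_cert("bob.example", CA_SECRET))
    trudy = Server(issue_cert("bob.example", b"trudy-bogus-CA"))   # same name, bogus "CA"
    return {
        "bob_verified": client_handshake(bob, "bob.example") is not None,
        "trudy_verified": client_handshake(trudy, "bob.example") is not None,
        "trudy_warning_ignored": client_handshake(trudy, "bob.example", verify_cert=False) is not None,
    }
```

With the check skipped, Trudy completes a perfectly valid handshake and holds K1; the finished hashes cannot help, because she derived K1 honestly from values she exchanged with Alice.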

Network Attacks 36

Sniffing SSL

Network Attacks 37

Firefox Certificate Warning

Network Attacks 38

IE Certificate Warning

Network Attacks 39

Webmitm Output

Network Attacks 40

SSH Sniffing
• SSH gives a warning too
  o Specifically mentions MiM attack
  o Still, it’s easy to ignore
• Ettercap also does SSH MiM
  o But Ettercap is not really in the “middle”
  o It establishes key with client, then connects client to server using same key

Network Attacks 41

Other Dsniff Features
• Tcpkill --- kill active TCP connection
• Tcpnice --- “shape traffic” using, e.g., ICMP source quench
• Filesnarf --- grab NFS files
• Mailsnarf --- grab email
• Msgsnarf --- grab IM traffic
• Urlsnarf --- grab URLs from HTTP traffic
• Webspy --- view web pages victim views

Network Attacks 42

Sniffing Defenses
• Use secure protocols
  o SSL, SSH, S/MIME, PGP, IPSec
• Do not use telnet for sensitive info
• Take certificate warnings seriously
• Prefer switches to hubs
• Hard code MAC addresses, if possible
• Static ARP tables, where possible

Network Attacks 43

Sniffing Defenses
• Use tools to detect promiscuous mode
  o ifconfig (UNIX), PromiscDetect (Windows)
• Sentinel looks for anomalies on LAN that indicate sniffing
  o Send packet (ping, for example) with bogus destination MAC address
  o Any reply indicates sniffing
• Also, some Windows-specific tools

Network Attacks 44

IP Address Spoofing
• IP Address Spoofing
  o Changing source IP address
• Enables Trudy to…
  o Cover her tracks
  o Break applications that use IP address for authentication
• Previous examples: Nmap, Dsniff, ...

Network Attacks 45

Simple Spoofing
• Simply change the IP address
  o ifconfig (UNIX) or Windows network Control Panel
• Works when Trudy does not need response
  o DoS, for example
• Tools for packet crafting
  o Hping2
  o Nemesis
  o NetDude

Network Attacks 46

Simple Spoofing
• Limitations of simple spoofing
  o Trudy cannot easily interact with target
  o Spoofing TCP especially difficult
• Interactive simple spoofing works if Trudy on same LAN as spoofed address

Network Attacks 47

Simple Spoofing

Network Attacks 48

Predicting Sequence Numbers
• Not-so-simple spoofing…
  o Trusted machines often require no authentication beyond TCP connection
• Trudy can pretend to be trusted machine by spoofing IP address
  o To establish connection, Trudy must predict initial sequence number

Network Attacks 49

Not-So-Simple Spoofing

Network Attacks 50

Not-So-Simple Spoofing
• Note that…
  o Trudy must correctly guess ISNB
  o Trudy does not see responses (not a true interactive session)
  o Bob thinks packets came from Alice
  o Good attack for r-commands

Network Attacks 51

Spoofing via Source Routing
• Source routing
  o Specify path packet will take
• Loose source routing
  o Specify some hops
• Source routing makes Trudy’s life much easier
  o Next slide

Network Attacks 52

Spoofing via Source Routing

Network Attacks 53

Spoofing via Source Routing
• Seldom works across Internet
  o Source routing blocked by gateway
• May work on internal network
  o Makes insider attacks easy

Network Attacks 54

IP Spoofing Defenses
• Be sure ISNs are reasonably random
• Avoid using r-commands
  o Or use only with SSH or VPN
• IP address for authentication … NOT!
• Do not allow source routing
• Be careful with trust relationships

Network Attacks 55

IP Spoofing Defense
• Employ anti-spoof packet filters

Network Attacks 56

Session Hijacking
• Trudy “steals” an existing session
• Network-based session hijacking
  o Combines spoofing and sniffing
  o Alice and Bob have existing connection
  o Trudy is sniffing packets (on LAN)
  o Trudy starts injecting packets
  o Bob thinks packets came from Alice
• This works even if strong authentication used, provided there is no encryption

Network Attacks 57

Session Hijacking
• Also, host-based session hijacking
• Tools for session hijacking
  o Hunt
  o Dsniff --- sshmitm
  o Ettercap
  o Juggernaut
  o IP Watcher, TTYWatcher, TTYSnoop

Network Attacks 58

ACK Storm
• If Alice is alive during session hijack…
  o Limits the attack

Network Attacks 59

Ettercap
• Ettercap can prevent ACK storm
• ARP cache poisoning
  o Ettercap makes Trudy MiM

Network Attacks 60

Ettercap

Network Attacks 61

Hunt
• Hunt offers similar feature as Ettercap
• Includes a “resync” feature that may allow Trudy out of MiM
  o And allow Alice and Bob to continue
• Ettercap and Hunt attacks can work even if Trudy not on same LAN
  o Trudy must be on network between Alice & Bob

Network Attacks 62

MiM Attack

Network Attacks 63

Wireless Access Points
• All attacks so far also work on wireless networks
• But wireless has unique attack…
• Access point hijacking
  o Given SSID, pretend to be access point
  o Then need to get victims to associate with fake access point
  o Tool for this: AirJack

Network Attacks 64

Session Hijacking Defenses
• Use defenses against spoofing and sniffing
• Use SSH version 2
  o Dsniff and Ettercap MiM work against SSH version 1
• Pay careful attention to certificate warnings

Network Attacks 65

Netcat
• General-purpose networking tool
  o “…single most useful tool … for interacting with a system across a network”
  o “Swiss army knife of network tools”
  o If you were stranded on a desert island, your one attack tool would be Netcat
• You get the idea…

Network Attacks 66

Netcat
• Send or receive data from any TCP or UDP port to any TCP or UDP port

Network Attacks 67

Netcat For File Transfer
• File transfer: any port, push or pull

Network Attacks 68

Netcat For Port Scanning
• Plain vanilla port scanning
  o Unlike Nmap, which has many options

Network Attacks 69

Netcat: Connect to Open Ports
• Connect to open port
  o Send data and see what comes back
• Better than telnet because
  o Easier to redirect output to file
  o Easier to drop a connection
  o No telnet control data/characters
  o No telnet error messages
  o telnet cannot make UDP connections

Network Attacks 70

Netcat: Vulnerability Scanning
• Netcat as “vulnerability engine”
  o I.e., attacker writes scripts that use Netcat’s capabilities
  o Netcat comes with scripts to check for vulnerabilities in RPC, NFS, trust, FTP, really weak passwords (very limited compared to Nessus)

Network Attacks 71

Netcat Backdoors
• With access to a machine, Trudy can
  o Start a Netcat listener for future access
  o Create an active backdoor (i.e., push data)
• These are most common uses of Netcat by bad guys

Network Attacks 72

Netcat to Relay Traffic
• Can use Netcat to relay traffic
  o Trudy can hide her true location
• 10 or more “hops” sometimes seen
  o Across political/language boundaries

Network Attacks 73

Evade Packet Filter

Network Attacks 74

How to Create Netcat Relay?
• Three popular techniques
• Modify inetd in UNIX/Linux
  o Add a line to inetd.conf file
• “backpipe” on UNIX/Linux
  o Use mknod: pipes data in FIFO order
• Relay bat file in Windows

Network Attacks 75

Backpipe

Network Attacks 76

Netcat Listeners
• By default, Netcat listener is nonpersistent
• In Windows version, can create persistent listeners
• In UNIX, requires a little more work from Trudy to get same effect
  o see book for details

Network Attacks 77

Netcat Honeypots
• Good guys can create Netcat (persistent) listeners
  o These can be used as honeypots

Network Attacks 78

Netcat Defenses
• Prevent Netcat file transfers
  o Firewall configuration issue
• Secure against port scanning
  o Minimal number of listening ports
• Block arbitrary connections to ports
  o Close unused ports
• Protect against vulnerability scanning
  o Apply patches

Network Attacks 79

Netcat Defenses
• Stop backdoors
  o Need to know what processes are running so you can detect rogue processes
• Prevent relay attacks
  o No single point that attacker can relay around
• Stop persistent listeners
  o Periodically check for unexpected listening ports
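The last defense on this slide, the periodic listener check, as an added example (not from the slides): it parses `ss -ltn`-style output against a per-host allow-list and reports any listening socket the baseline does not cover, which is how a leftover Netcat listener (slides 71 and 76) or a service that should be loopback-only but is bound to every interface shows up. The sample output and the baseline are constructed.

```python
def parse_listeners(ss_output):
    """Parse `ss -ltn`-style text into (bind_address, port) tuples; the header line is skipped."""
    listeners = []
    for line in ss_output.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)          # "[::]:22" -> "[::]", "22"
        listeners.append((addr.strip("[]"), int(port)))
    return listeners

def unexpected_listeners(ss_output, baseline):
    """baseline: set of (bind_address, port); "*" as the address allows any bind address.
    Returns, sorted, every listener the baseline does not cover."""
    def allowed(addr, port):
        return (addr, port) in baseline or ("*", port) in baseline
    return sorted(l for l in parse_listeners(ss_output) if not allowed(*l))

# Constructed allow-list: SSH on any address, the cache only on loopback.
BASELINE = {("*", 22), ("127.0.0.1", 6379)}

# Constructed `ss -ltn` output: the cache is exposed on all interfaces, and port 4444 is new.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       511     0.0.0.0:6379         0.0.0.0:*
LISTEN  0       1       0.0.0.0:4444         0.0.0.0:*
"""
```

On a live host, feed the function the output of `ss -ltn` (and `ss -lun` for UDP listeners) from a scheduled job, and alert on a non-empty result.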

Network Attacks 80

Conclusions

Network Attacks 81

Summary

Network Attacks 82

Netcat