Network Attacks 1
Network Attacks
Date posted: 19-Dec-2015
Category: Documents
Network Attacks 2
Topics
Sniffing
IP address spoofing
Session hijacking
Netcat
  o General-purpose network tool
Network Attacks 3
Sniffing
Sniffer gathers traffic from LAN
  o Can see packets in real time
  o Usually, interface put in promiscuous mode
  o Gathers everything, regardless of IP address
Sniffer is useful for attacker
  o And useful for administrator
Sniffer can collect data such as …
  o ID/password sent over telnet, DNS, email messages, files sent over NFS, etc.
Network Attacks 4
Sniffing
Attacker who has access to LAN can sniff packets
  o Usually requires admin/root privilege
  o Typically, use sniffer to gather pwds
Sniffing can be used in “island hopping” attack
  o Next slide
Network Attacks 6
Sniffers
Freeware sniffers include
  o windump --- port of tcpdump
  o Snort --- sniffer/IDS
  o Wireshark (formerly, Ethereal) --- able to decode lots of protocols
  o Sniffit --- popular with attackers
  o Dsniff --- perhaps most powerful
Network Attacks 7
Passive Sniffing Thru a Hub
Recall that hub broadcasts everything
Passive sniffer sees everything
Network Attacks 8
Snort
Snort: open source, UNIX-based IDS
Started out as a sniffer
  o Still can serve as a capable sniffer
  o Why does sniffer-to-IDS make sense?
Snort not often used by attackers
  o Has more features than attacker needs
Network Attacks 9
Sniffit
Sniffit popular with attackers
  o UNIX-based
Sniffit has “interactive mode”
  o Keeps track of individual sessions
  o Can view these as separate conversations
Network Attacks 11
Wireshark
Wireshark (formerly Ethereal)
  o Available for many platforms
  o Probably easiest sniffer to use, great UI, etc.
Wireshark is a “protocol genius”
  o Decodes every bit of packet
“Follow TCP stream” function
  o Select a TCP packet, view entire connection
Network Attacks 13
Sniffer as Scanning Tool
Nmap, Nessus, etc., may be detected
  o Active
Sniffer is passive, so no such risk
  o What can be determined by sniffing?
May be able to ID OS (maybe even version of OS)
  o E.g., based on way connections are made
Network Attacks 14
P0f2
Tool to passively ID OS
Available for most platforms
To “fingerprint” OS’s network stack
  o Can also ID firewall, NAT, etc.
What info does it use? TTL, IP ID, other?
Network Attacks 17
Active Sniffing
Sniffing thru a switch?
Switch limits what you see with sniffers such as Wireshark
May be able to “sniff” thru switch by inserting traffic
  o Dsniff and Ettercap
Network Attacks 18
Dsniff
Developed by developer of FragRouter
Dsniff decodes lots of application-level protocols
  o FTP, telnet, POP, …, Napster, pcAnywhere
  o Makes it easy to find passwords
Dsniff also has active operations
Network Attacks 19
Dsniff
Switch remembers MAC addresses
MAC address flooding
  o Dsniff sends packets with random spoofed MAC addresses
  o Switch’s address memory eventually exhausted
Then what does switch do?
  o It depends…, but some start acting like hubs
  o If so, then passive sniffing works
Network Attacks 20
Dsniff
What to do if flooding fails?
ARP spoofing (ARP cache poisoning)
  o Attacker sets “IP forwarding” on his machine to default gateway (router)
  o Attacker poisons ARP cache so that he appears to be default gateway
  o Attacker sees all traffic destined for outside world, and traffic still sent to default gateway
Network Attacks 23
Dsniff ARP Spoofing
How could this be detected?
What happens when packet sent from attacker to default gateway?
  o IP forwarding is “really simple routing”
  o So, TTL is decremented
  o Could be detected by, say, traceroute
How can attacker avoid this?
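Another way to detect the ARP cache poisoning described above, complementing the TTL check: a passive monitor that watches ARP replies on the LAN. This is an added example, not code from the slides; the gateway address, hosts and MAC addresses are constructed for it.

```python
# Added example: passive ARP-poisoning detector. It learns an IP-to-MAC table from
# ARP replies (as a host's ARP cache would) and alerts when the gateway's MAC
# changes or when a single MAC claims more than one IP address. On a live LAN the
# replies would come from a sniffer or an ARP-watching tool; here they are constructed.
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed default gateway for this example

# Constructed ARP replies (timestamp, sender IP, sender MAC). The attacker MAC
# de:ad:be:ef:00:01 first claims the gateway's IP, then the victim's IP as well,
# which is exactly what a man-in-the-middle between the two needs.
ARP_REPLIES = [
    (1.0, "192.168.1.1",  "00:11:22:33:44:01"),   # real gateway
    (1.5, "192.168.1.10", "00:11:22:33:44:10"),   # victim host
    (2.0, "192.168.1.20", "00:11:22:33:44:20"),
    (9.0, "192.168.1.1",  "de:ad:be:ef:00:01"),   # gateway IP, different MAC
    (9.2, "192.168.1.10", "de:ad:be:ef:00:01"),   # victim IP, same MAC
]

def analyze_arp(replies, gateway_ip=GATEWAY_IP):
    """Return a list of alert strings for the given ARP reply records."""
    ip_to_mac = {}                   # learned table, like a host's ARP cache
    mac_to_ips = defaultdict(set)    # reverse view, to spot one MAC claiming many IPs
    alerts = []
    for ts, ip, mac in replies:
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            # A legitimate change (NIC swap, DHCP reuse) is rare for a gateway,
            # so a changed gateway MAC gets the highest severity.
            sev = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{sev} t={ts}: {ip} changed from {old} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"WARNING t={ts}: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in analyze_arp(ARP_REPLIES):
        print(alert)
```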
Network Attacks 24
Ettercap
Ettercap uses method known as “port stealing” to sniff switched LAN
  o Sometimes, hard-coded MAC addresses
  o In such case, ARP poisoning not possible
Port stealing may be an option
Network Attacks 25
Ettercap
Switch associates MAC addresses to each of its physical ports
  o Mapping created by examining packets
Ettercap floods LAN with frames
  o Attacker’s MAC address is destination
  o Source MAC address is victim machine (e.g., default gateway)
What does this accomplish?
  o Switch associates default gateway with the physical port on which attacker resides
Network Attacks 26
Ettercap
Port stealing
So far… switch thinks default gateway on same physical port as attacker
  o Note: ARP tables on hosts not affected
Then attacker can sniff data intended for victim
How does attacker then get these packets to the default gateway?
Network Attacks 27
Ettercap
So far… packets intended for gateway can be sniffed by attacker
How to get these packets to gateway?
  o Forward packets to switch with gateway’s MAC address?
  o That won’t work!
Network Attacks 28
Ettercap
Attacker sends ARP request for IP address of gateway
When attacker sees response
  o Knows switch has also seen response
So what?
  o Now switch sends data intended for gateway to the gateway
  o Attacker can then send buffered data
Brilliant!
Network Attacks 30
DNS Spoofing
Dsniff can send false DNS info
  o Used to redirect traffic
Victim tries to resolve name via DNS
  o Attacker sniffs DNS request
  o Attacker responds quickly with bogus IP
  o Victim goes to bogus address
Works provided bogus reply arrives first
Network Attacks 32
Sniffing SSL and SSH
Dsniff webmitm enables man-in-the-middle (MiM) attack
Send certificate signed by bogus “CA”
  o In SSL, browser warns user, and …
  o …warning is ignored
  o In SSH user is warned, and …
  o …warning is ignored
Network Attacks 33
Sniffing SSL and SSH
Man-in-the-middle
  o Politically correct: “monkey-in-the-middle”
Network Attacks 34
Simplified SSL Protocol
Alice → Bob: Can we talk?, cipher list, RA
Bob → Alice: certificate, cipher, RB
Alice → Bob: {S}Bob, E(h(msgs,CLNT,K),K)
Bob → Alice: h(msgs,SRVR,K)
Alice ↔ Bob: Data protected with key K
S is pre-master secret
K = h(S,RA,RB)
msgs = all previous messages
CLNT and SRVR are constants
Network Attacks 35
SSL MiM Attack
Alice ↔ Trudy (Trudy poses as Bob):
  Alice → Trudy: RA
  Trudy → Alice: certificateT, RB
  Alice → Trudy: {S1}Trudy, E(X1,K1)
  Trudy → Alice: h(Y1,K1)
  Alice ↔ Trudy: E(data,K1)
Trudy ↔ Bob (Trudy poses as Alice):
  Trudy → Bob: RA
  Bob → Trudy: certificateB, RB
  Trudy → Bob: {S2}Bob, E(X2,K2)
  Bob → Trudy: h(Y2,K2)
  Trudy ↔ Bob: E(data,K2)
Q: What prevents this MiM attack?
A: Bob’s certificate must be signed by a certificate authority (such as Verisign)
What does browser do if signature not valid?
What does user do if signature is not valid?
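The check that stops the MiM above, the client's validation of the certificate before it sends {S}, modelled in Python. This is an added example, not code from the slides: the CA "signature" is a stand-in (an HMAC under a key only that CA holds, where a real CA uses a public-key signature), and the trust store, names and keys are constructed. It shows that with the check honoured Trudy's certificateT yields no session key, and that only by ignoring the warning does Alice hand S1 to Trudy.

```python
# Added example: simplified SSL client side with certificate validation.
import hashlib, hmac, os

TRUSTED_CAS = {"GoodCA": b"goodca-secret-key"}   # Alice's trust store (constructed)
CLNT = b"CLNT"                                   # the protocol's client constant

def cert_body(ca, subject, pubkey):
    return f"{ca}|{subject}|{pubkey}".encode()

def issue_cert(ca, ca_key, subject, pubkey):
    # Stand-in for the CA's signature: an HMAC under a key only that CA holds.
    sig = hmac.new(ca_key, cert_body(ca, subject, pubkey), "sha256").hexdigest()
    return {"ca": ca, "subject": subject, "pubkey": pubkey, "sig": sig}

def cert_ok(cert, expected_subject, trusted=TRUSTED_CAS):
    """Alice's check: issued by a CA she trusts, and naming the server she asked for."""
    key = trusted.get(cert["ca"])
    if key is None or cert["subject"] != expected_subject:
        return False
    body = cert_body(cert["ca"], cert["subject"], cert["pubkey"])
    expected_sig = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected_sig, cert["sig"])

def h(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

def client_handshake(server_cert, expected_subject, RA, RB, ignore_warning=False):
    """Alice's side of message 3: returns (holder of {S}, K, h(msgs,CLNT,K)) or None."""
    if not cert_ok(server_cert, expected_subject) and not ignore_warning:
        return None                      # warning honoured: no S, no K, no data sent
    S = os.urandom(32)                   # pre-master secret
    K = h(S, RA, RB)                     # K = h(S, RA, RB)
    msgs = RA + RB + server_cert["sig"].encode()        # all previous messages
    return server_cert["pubkey"], K, h(msgs, CLNT, K)   # {S} readable by pubkey holder

def run(server_cert, ignore_warning=False):
    """Who ends up able to decrypt {S} and derive K: 'pk-bob', 'pk-trudy', or None."""
    RA, RB = os.urandom(16), os.urandom(16)
    result = client_handshake(server_cert, "bob.example", RA, RB, ignore_warning)
    return None if result is None else result[0]

CERT_B = issue_cert("GoodCA", TRUSTED_CAS["GoodCA"], "bob.example", "pk-bob")
CERT_T = issue_cert("BogusCA", b"trudy-made-this-up", "bob.example", "pk-trudy")
```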
Network Attacks 40
SSH Sniffing
SSH gives a warning too
  o Specifically mentions MiM attack
  o Still, it’s easy to ignore
Ettercap also does SSH MiM
  o But Ettercap is not really in the “middle”
  o It establishes key with client, then connects client to server using same key
Network Attacks 41
Other Dsniff Features
Tcpkill --- kill active TCP connection
Tcpnice --- “shape traffic” using, e.g., ICMP source quench
Filesnarf --- grab NFS files
Mailsnarf --- grab email
Msgsnarf --- grab IM traffic
Urlsnarf --- grab URLs from HTTP traffic
Webspy --- view web pages victim views
Network Attacks 42
Sniffing Defenses
Use secure protocols
  o SSL, SSH, S/MIME, PGP, IPSec
Do not use telnet for sensitive info
Take certificate warnings seriously
Prefer switches to hubs
Hard code MAC addresses, if possible
Static ARP tables, where possible
Network Attacks 43
Sniffing Defenses
Use tools to detect promiscuous mode
  o ifconfig (UNIX), PromiscDetect (Windows)
Sentinel looks for anomalies on LAN that indicate sniffing
  o Send packet (ping, for example) with bogus destination MAC address
  o Any reply indicates sniffing
Also, some Windows-specific tools
Network Attacks 44
IP Address Spoofing
IP Address Spoofing
  o Changing source IP address
Enables Trudy to…
  o Cover her tracks
  o Break applications that use IP address for authentication
Previous examples: Nmap, Dsniff, …
Network Attacks 45
Simple Spoofing
Simply change the IP address
  o Ipconfig or Windows network Control Panel
Works when Trudy does not need response
  o DoS, for example
Tools for packet crafting
  o Hping2
  o Nemesis
  o NetDude
Network Attacks 46
Simple Spoofing
Limitations of simple spoofing
  o Trudy cannot easily interact with target
  o Spoofing TCP especially difficult
Interactive simple spoofing works if Trudy on same LAN as spoofed address
Network Attacks 48
Predicting Sequence Numbers
Not-so-simple spoofing…
  o Trusted machines often require no authentication beyond TCP connection
Trudy can pretend to be trusted machine by spoofing IP address
  o To establish connection, Trudy must predict initial sequence number
Network Attacks 50
Not-So-Simple Spoofing
Note that…
  o Trudy must correctly guess ISN_B
  o Trudy does not see responses (not a true interactive session)
  o Bob thinks packets came from Alice
  o Good attack for r-commands
Network Attacks 51
Spoofing via Source Routing
Source routing
  o Specify path packet will take
Loose source routing
  o Specify some hops
Source routing makes Trudy’s life much easier
  o Next slide
Network Attacks 53
Spoofing via Source Routing
Seldom works across Internet
  o Source routing blocked by gateway
May work on internal network
  o Makes insider attacks easy
Network Attacks 54
IP Spoofing Defenses
Be sure ISNs are reasonably random
Avoid using r-commands
  o Or use only with SSH or VPN
IP address for authentication … NOT!
Do not allow source routing
Be careful with trust relationships
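A way to test the first defense, "be sure ISNs are reasonably random", on a host you administer. This is an added example, not from the slides: it takes the initial sequence numbers observed on successive connections and measures how often the next ISN can be guessed by extrapolating the last difference; the two ISN samples are constructed (a fixed stride per connection, as the old 4.4BSD stack did with 64000, versus random values).

```python
# Added example: assess ISN predictability from a list of observed ISNs.
import os

MOD = 1 << 32   # ISNs are 32-bit, so all arithmetic wraps modulo 2^32

def stride_predictions(isns):
    """Predict each ISN from the previous two by repeating their difference."""
    preds = []
    for i in range(2, len(isns)):
        delta = (isns[i - 1] - isns[i - 2]) % MOD
        preds.append((isns[i - 1] + delta) % MOD)
    return preds

def predictability(isns, window=1 << 12):
    """Fraction of ISNs landing within `window` of the stride prediction.

    An attacker who must guess the ISN can try a small window of values, so a
    near miss counts as a hit; a random generator makes a hit vanishingly rare.
    """
    if len(isns) < 3:
        return 0.0
    preds = stride_predictions(isns)
    hits = sum(1 for p, actual in zip(preds, isns[2:])
               if min((actual - p) % MOD, (p - actual) % MOD) <= window)
    return hits / len(preds)

def isn_assessment(isns):
    """Verdict for a host: 'PREDICTABLE' if half or more of the ISNs were guessable."""
    return "PREDICTABLE" if predictability(isns) >= 0.5 else "OK"

# Constructed samples: a stack that adds 64000 per connection, and random ISNs.
# On a real host these would be the SYN/ACK sequence numbers of repeated connects.
PREDICTABLE_ISNS = [(1_000_000 + 64_000 * n) % MOD for n in range(12)]
RANDOM_ISNS = [int.from_bytes(os.urandom(4), "big") for _ in range(12)]

if __name__ == "__main__":
    print("fixed stride:", isn_assessment(PREDICTABLE_ISNS))
    print("random      :", isn_assessment(RANDOM_ISNS))
```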
Network Attacks 56
Session Hijacking
Trudy “steals” an existing session
Network-based session hijacking
  o Combines spoofing and sniffing
  o Alice and Bob have existing connection
  o Trudy is sniffing packets (on LAN)
  o Trudy starts injecting packets
  o Bob thinks packets came from Alice
This works even if strong authentication used, provided there is no encryption
Network Attacks 57
Session Hijacking
Also, host-based session hijacking
Tools for session hijacking
  o Hunt
  o Dsniff --- sshmitm
  o Ettercap
  o Juggernaut
  o IP Watcher, TTYWatcher, TTYSnoop
Network Attacks 59
Ettercap
Ettercap can prevent ACK storm
ARP cache poisoning
  o Ettercap makes Trudy MiM
Network Attacks 61
Hunt
Hunt offers similar feature as Ettercap
Includes a “resync” feature that may allow Trudy out of MiM
  o And allow Alice and Bob to continue
Ettercap and Hunt attacks can work even if Trudy not on same LAN
  o Trudy must be on network between Alice & Bob
Network Attacks 63
Wireless Access Points
All attacks so far also work on wireless networks
But wireless has unique attack…
Access point hijacking
  o Given SSID, pretend to be access point
  o Then need to get victims to associate with fake access point
  o Tool for this: AirJack
Network Attacks 64
Session Hijacking Defenses
Use defenses against spoofing and sniffing
Use SSH version 2
  o Dsniff and Ettercap MiM work against SSH version 1
Pay careful attention to certificate warnings
Network Attacks 65
Netcat
General-purpose networking tool
  o “…single most useful tool … for interacting with a system across a network”
  o “Swiss army knife of network tools”
  o If you were stranded on a desert island, your one attack tool would be Netcat
You get the idea…
Network Attacks 68
Netcat For Port Scanning
Plain vanilla port scanning
  o Unlike Nmap, which has many options
Network Attacks 69
Netcat: Connect to Open Ports
Connect to open port
  o Send data and see what comes back
Better than telnet because
  o Easier to redirect output to file
  o Easier to drop a connection
  o No telnet control data/characters
  o No telnet error messages
  o telnet cannot make UDP connections
Network Attacks 70
Netcat: Vulnerability Scanning
Netcat as “vulnerability engine”
  o I.e., attacker writes scripts that use Netcat’s capabilities
  o Netcat comes with scripts to check for vulnerabilities in RPC, NFS, trust, FTP, and really weak passwords (very limited compared to Nessus)
Network Attacks 71
Netcat Backdoors
With access to a machine, Trudy can
  o Start a Netcat listener for future access
  o Create an active backdoor (i.e., push data)
These are most common uses of Netcat by bad guys
Network Attacks 72
Netcat to Relay Traffic
Can use Netcat to relay traffic
  o Trudy can hide her true location
10 or more “hops” sometimes seen
  o Across political/language boundaries
Network Attacks 74
How to Create Netcat Relay?
Three popular techniques
Modify inetd in UNIX/Linux
  o Add a line to inetd.conf file
“backpipe” on UNIX/Linux
  o Use mknod: pipes data in FIFO order
Relay bat file in Windows
Network Attacks 76
Netcat Listeners
By default, Netcat listener is nonpersistent
In Windows version, can create persistent listeners
In UNIX, requires a little more work from Trudy to get same effect
  o see book for details
Network Attacks 77
Netcat Honeypots
Good guys can create Netcat (persistent) listeners
  o These can be used as honeypots
Network Attacks 78
Netcat Defenses
Prevent Netcat file transfers
  o Firewall configuration issue
Secure against port scanning
  o Minimal number of listening ports
Block arbitrary connections to ports
  o Close unused ports
Protect against vulnerability scanning
  o Apply patches
Network Attacks 79
Netcat Defenses
Stop backdoors
  o Need to know what processes are running so you can detect rogue processes
Prevent relay attacks
  o No single point that attacker can relay around
Stop persistent listeners
  o Periodically check for unexpected listening ports
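One way to do the periodic check for unexpected listening ports and rogue Netcat listeners above, as an added example that is not part of the slides: it parses `ss -ltnp` output on Linux and compares it with a baseline of which process is expected on each port. The `ss` output and the baseline below are constructed for the example; on a real host you would feed in the live output and your own baseline.

```python
# Added example: listening-port audit against a baseline, flagging Netcat-style processes.
import re

# Constructed `ss -ltnp` output (not a real capture). The nc listener on 4444
# plays the role of a Netcat backdoor left behind on the host.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=901,fd=6))
LISTEN 0      1            0.0.0.0:4444      0.0.0.0:*     users:(("nc",pid=2231,fd=3))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))
"""

ALLOWED = {22: "sshd", 80: "nginx"}        # assumed baseline: port -> expected process
SUSPECT_NAMES = {"nc", "ncat", "netcat"}   # names a Netcat listener commonly shows as
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def parse_ss(text):
    """Turn `ss -ltnp` lines into dicts of port, local address, process name and pid."""
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                                   # header or non-listening row
        port = int(cols[3].rsplit(":", 1)[1])          # handles 0.0.0.0:22 and [::]:22
        m = PROC_RE.search(line)
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        listeners.append({"port": port, "addr": cols[3], "proc": name, "pid": pid})
    return listeners

def audit(listeners, allowed=ALLOWED):
    """Report listeners not in the baseline, baseline ports served by the wrong
    process (a backdoor sitting on an expected port), and Netcat-style processes."""
    findings = []
    for l in listeners:
        expected = allowed.get(l["port"])
        if expected is None:
            findings.append(f"unexpected listener {l['addr']} ({l['proc']}, pid {l['pid']})")
        elif expected != l["proc"]:
            findings.append(f"port {l['port']} served by {l['proc']}, expected {expected}")
        if l["proc"] in SUSPECT_NAMES:
            findings.append(f"netcat-style listener {l['addr']} (pid {l['pid']})")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ss(SS_OUTPUT)):
        print(finding)
```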