Scanning, Sniffing, Spoofing and Man-in-the-middle Attacks Lesson 13.
Lesson 13
Scanning
– Ping Sweeps
– Port Scanners
– Application Scanning
– Operating System Scanning
– SNMP scanning
– Vulnerability Scanning
Ping Sweep
PING (Packet INternet Groper): a utility designed to determine whether or not a remote system is accessible.
Using PING, attackers can send an ICMP echo request to every address within a range to determine which systems are “up and running”
Every system that is up will respond with an echo reply, providing a list of potential targets
PING Sweeps (diagram)
The attacker sends an Echo Request to each address in the range: 10.1.1.9 (unused address), 10.1.1.10 and 10.1.1.11 (unused address). Only 10.1.1.10 answers with an Echo Reply, so 10.1.1.10 is added to the attacker's Target List.
PING Sweeps
Less effective today than in the past.
The recent rise in DoS attacks which also use ICMP has resulted in administrators setting their systems to drop inbound ICMP echo requests.
Can still be effective for insiders or attackers who have been able to penetrate at least one system.
There are a number of different packages that can be downloaded that accomplish this type of scan.
Port Scanning
A Port Scanner is a program that checks a computer’s TCP/IP stack for ports that are in the LISTEN state.
There are 65,535 possible ports
– 1-1023 are considered “well known”
– 1024-49151 are called “registered ports”
– 49152-65,535 are dynamic or private ports
RFC 793 defines how TCP will react to FIN, ACK, and SYN packets.
RFC 793
If the state is CLOSED (that is, Transmission Control Block does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RESET (RST) is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.
If the state is LISTEN then first check for an RST. An incoming RST should be ignored. Second check for an ACK. Any acknowledgment is bad if it arrives on a connection still in the LISTEN state. An acceptable reset segment should be formed for any arriving ACK-bearing segment. Third check for a SYN. If the SYN bit is set, check the security. If the security/compartment on the incoming segment does not exactly match the security/compartment in the TCB then send a reset and return.
Some Well-known ports
Port Number   Network Service
20            File Transfer Protocol (FTP) Data
21            File Transfer Protocol (FTP) Control
23            Telnet
25            Simple Mail Transfer Protocol (SMTP)
53            Domain Name Server (DNS)
79            Finger
80            World Wide Web (HTTP)
110           Post Office Protocol – Version 3
443           HTTPS
Port Scanning
In a Port Scan, the system will attempt to connect to specific (or all) ports on the remote system to see which respond.
Responding ports are considered “open” and the attacker can then attempt to exploit them (especially known services on well-known ports).
A large number of tools are available to perform port scanning. nmap is one of the most popular tools that can perform a port scan.
Port Scanning (diagram)
The attacker sends connection attempts to ports 79, 80, 81 and 82 on the web server. Only port 80 responds, so the attacker's Services List records port 80: HTTP.
Types of Port Scanning
– TCP SYN Scanning – “half open” scanning. Sends a SYN packet to each remote port. Open ports respond with a SYN/ACK packet. Closed ports usually respond with an RST packet.
– TCP FIN Scanning – Sends a FIN packet (normally sent to clear a connection when the conversation is finished). Closed ports usually respond with an RST packet. Open ports usually ignore FIN packets.
– UDP Scanning – often more difficult than TCP since UDP services may not respond. If an ICMP “port unreachable” message is received, however, it is an indication the service is NOT running.
– Fragmentation Scanning – break the scan up into several smaller packets. This may result in being able to hide the scan from firewalls and IDS.
– Relay or bounce scanning – send the scan through another system (proxy or forwarding gateway); may confuse/hide the origin of the attack.
– Decoy scanning – send a large number of spoofed packets along with your real one so they hide the real scan.
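Added illustration for the RFC 793 excerpt and the SYN/FIN scan types above (example code written for this transcript, not part of the original slides): it models how a port in the CLOSED or LISTEN state answers an unsolicited segment and how a scanner reads that answer. State names and flag sets are constructed; nothing is sent on a network.

```python
"""RFC 793 reply rules for CLOSED and LISTEN ports, and the scanner-side
reading of those replies. Constructed model; no sockets involved."""

def tcp_reply(port_state, flags):
    """Flags a host sends back for an unsolicited segment (RFC 793 rules).

    port_state: "CLOSED" (no TCB exists) or "LISTEN" (a service is bound)
    flags: set of incoming flags, e.g. {"SYN"} or {"FIN"}
    """
    if port_state == "CLOSED":
        # Closed port: an incoming RST is discarded, anything else draws a RST.
        return set() if "RST" in flags else {"RST"}
    if port_state == "LISTEN":
        if "RST" in flags:
            return set()               # first check: incoming RST is ignored
        if "ACK" in flags:
            return {"RST"}             # second check: any ACK is bad in LISTEN
        if "SYN" in flags:
            return {"SYN", "ACK"}      # third check: SYN starts the handshake
        # Anything else (a lone FIN) is dropped silently by the RFC text;
        # real stacks vary, which is why the slide says "usually".
        return set()
    raise ValueError(f"unknown port state {port_state!r}")

def infer_state(scan_type, reply):
    """Scanner side: what a reply (or silence) says about the probed port."""
    if scan_type == "SYN":
        if reply == {"SYN", "ACK"}:
            return "open"
        if reply == {"RST"}:
            return "closed"
        return "filtered"              # no answer: dropped by a firewall, or host down
    if scan_type == "FIN":
        if reply == {"RST"}:
            return "closed"
        return "open|filtered"         # silence is ambiguous for a FIN probe
    raise ValueError(f"unknown scan type {scan_type!r}")

PROBE = {"SYN": {"SYN"}, "FIN": {"FIN"}}

def classify(scan_type, port_state, firewalled=False):
    """Run one probe against a modelled port; firewalled=True drops the probe."""
    reply = set() if firewalled else tcp_reply(port_state, PROBE[scan_type])
    return infer_state(scan_type, reply)
```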
nmap
nmap ping sweep
nmap host scan
Super Scan
Vulnerability Scanning
One approach to vulnerability scanning is to use a port-scanning tool such as nmap to identify the OS and to log all listening ports.
– May return something like: Linux Kernel 2.2 with ports 21, 25, 53, 80 listening
– What the ports are and what vulnerabilities may exist in them is an exercise left up to the user.
The purpose of a vulnerability scanner is to detect the presence of specific vulnerabilities.
Common components for vulnerability scanners:
– Vulnerability data – information about known vulnerabilities; how knowledgeable is the tool?
– Scanning mechanism – the “guts” of the scanner; how accurate is the tool?
– Reporting mechanism – interface with the user
Types of vulnerability scanners
– Commercial scanners: developed and sold by companies (e.g. ISS and Cisco). Due to development time, often lag freeware scanners.
– Freeware scanners: developed and released “in the community”
– General-purpose scanners: look for a wide range of vulnerabilities on a large number of operating systems and applications. Often used in a security audit.
– Application scanners: written to examine a specific application for vulnerabilities associated with it.
– Service scanners: scanning tool used to examine a specific network service, such as WWW, for common vulnerabilities associated with that service.
– Specific vulnerability scanners: written to only check for a specific vulnerability.
Whisker
SNMP
Share Sniffer
Possible information from scanning
– Which systems are active
– What services are available/listening
– What operating system is in use
– Which version of an application is running
– Which users have an account on the system and which are active
– What the security configuration/settings are
– Whether certain patches have been installed
– Information about specific vulnerabilities
– Possibly whether a specific exploit will be successful
Ways to recognize scanning
System log file analysis – look for multiple, short duration connections or connection attempts.
Network traffic – monitor the volume of inbound and outbound network traffic. If you have established a profile of what is normal activity you will be able to recognize spikes in the activity level which may indicate scanning activity.
Firewall and router logs – look for multiple rejections or access violations coming from the same source or group of sources.
Intrusion detection systems – most IDS contain built-in methods for examining traffic to detect scanning attempts.
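The firewall/router log check described above, as an added example for this transcript (not the lesson's own code): it flags a source whose rejected connections hit many distinct destination ports within a short window. The iptables-style DROP line format and the sample lines are constructed.

```python
"""Scan recognition from firewall drop logs: many rejections from one source
against many distinct ports in a short window. Constructed log format."""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")

def parse(line, year=2024):
    """Return (timestamp, src, dst, dport) for a DROP line, else None."""
    m = LINE.match(line)
    if not m:
        return None                    # ACCEPT lines and other noise are ignored
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])

def find_scanners(lines, window_s=60, min_ports=5):
    """{src: sorted distinct ports} for sources whose drops reach min_ports
    distinct destination ports within any window_s-second window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, _dst, dpt = rec
            events[src].append((ts, dpt))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits

# Constructed sample: 10.1.1.50 walks five ports of the web server in 4 s;
# 10.1.1.77 is one user retrying a single blocked port a minute apart.
SAMPLE = [
    "Mar 10 12:00:01 fw kernel: DROP SRC=10.1.1.50 DST=10.1.1.10 PROTO=TCP DPT=79",
    "Mar 10 12:00:02 fw kernel: DROP SRC=10.1.1.50 DST=10.1.1.10 PROTO=TCP DPT=81",
    "Mar 10 12:00:02 fw kernel: DROP SRC=10.1.1.50 DST=10.1.1.10 PROTO=TCP DPT=82",
    "Mar 10 12:00:03 fw kernel: DROP SRC=10.1.1.50 DST=10.1.1.10 PROTO=TCP DPT=83",
    "Mar 10 12:00:05 fw kernel: DROP SRC=10.1.1.50 DST=10.1.1.10 PROTO=TCP DPT=8080",
    "Mar 10 12:00:09 fw kernel: DROP SRC=10.1.1.77 DST=10.1.1.10 PROTO=TCP DPT=23",
    "Mar 10 12:01:09 fw kernel: DROP SRC=10.1.1.77 DST=10.1.1.10 PROTO=TCP DPT=23",
    "Mar 10 12:00:10 fw kernel: ACCEPT SRC=10.1.1.77 DST=10.1.1.10 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE).items():
        print(f"possible scan from {src}: ports {ports}")
```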
Defending against Scanning and its effects
– Block ports at your router/firewall
– Block ICMP, including echo
– Create a DMZ
– Use bastion hosts/proxy servers
– Use NAT to hide private, internal IP addresses
– Remove default/sample materials
– Remove unnecessary services
– Restrict permissions
– Change default headers associated with services
– Keep applications and operating systems patched
– Establish a “Honeypot” to trap attackers
Scanning Your Own Network
– Will provide you with a “hacker’s view” into your network
– Will illustrate the most visible vulnerabilities
– Scan from both “internal” and “external” vantage points
New Target – Wireless Ethernet
802.11b WEP (Wired Equivalent Privacy)
– 40-bit encryption key and 24-bit Initialization Vector (64-bit encryption)
– 104-bit key plus the 24-bit Initialization Vector (128-bit encryption)
Most Access Points are deployed with no encryption, or with default keys.
Sniffing
Sniffers are programs or HW devices that monitor (“listen in to”) traffic flowing across a network. They can pull in all packets or be selective and only grab packets destined for certain addresses or that carry a certain type of traffic.
For a sniffer to work correctly, it needs to view all of the traffic going across a network. Thus, it must be on an internal network or on a main connection into/out of a network.
Computer Network Monitoring
– Port Scanning
– Keystroke Monitoring
– Packet sniffers: take advantage of the “friendly” nature of the net; grab packets not destined for the system. Used by hackers, sysadmins and law enforcement agencies.
IP Packet (header fields; bit boundaries at 4, 8, 16, 19 and 32)
Version | Header Length | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options
Data
SnifferPro
NetXray
TCP Packet (header fields; bit boundaries at 4, 8, 16 and 32)
Source Port | Destination Port
Sequence Number
Acknowledgement Number
Data Offset | Unused | Flags: URG ACK PSH RST SYN FIN | Window
Checksum | Urgent Pointer
Options | Padding
Data
NetXray
Van Eck reception
Relies on the fact that electronic equipment radiates electromagnetic signals which can be intercepted
With the proper equipment signals can be recreated up to 1 kilometer away
Seizing the Signals
– Eavesdropping on conversations: “listening in”, the content
– Traffic analysis: data about the signals themselves
Eavesdropping
– Cellular Intercepts: extremely vulnerable to interception
– Pager Intercepts: also fairly simple
– Law Enforcement Wiretaps: generally require a court order with probable cause
– Foreign Intelligence Intercepts: the US and others have a VERY active program in this arena
Defeating Sniffer Attacks
Detecting and Eliminating Sniffers
– Possible on a single box if you have control of the system
– Difficult (depending on OS) to impossible (if somebody splices the network and adds hardware) from a network perspective
Safer Topologies
– Sniffers capture data from the network segment they are attached to, so create segments
Encryption
– If you sniff encrypted packets, who cares? (outside of traffic analysis, of course)
Traffic Analysis
Looks at activity, not contents.
– Pen Registers and Trap & Trace: pen registers provide access to the numbers that are dialed from a phone; trap & trace provides incoming numbers
– Location Tracking: possible with cellular phones; can work even when the phone is not in use
Spoofing
“a sophisticated technique of authenticating one machine to another by forging packets from a trusted source address.”
IP Spoofing
– This may simply consist of forging the from address in an IP packet so it appears to have come from somewhere else.
– Often used to trick the target machine into believing the packet is coming from a host it trusts, thus getting the target machine to perform some task.
– Done properly, it may involve sniffing, spoofing and a DoS attack.
Two themes present in these definitions
– Trust: “the relationship between machines that are authorized to connect to one another.”
– Authentication: “the process those machines use to identify each other.”
Generally these two have an inverse relationship: if a high degree of trust exists between two machines, the amount of authentication is low; if little trust exists between the machines, a great deal of authentication is required.
Authentication and Trust
The most common method of authentication is the userid/password combination. If a user on a local network wants to access another system on the local network, having to supply the password to log on is a nuisance. Consequently, a trusted relationship may be established where one local system will trust the other to have authenticated the user originally and will thus not require additional authentication.
An example of this is the UNIX .rhosts and hosts.equiv files.
Trusted relationships in UNIX
The .rhosts file is used to establish a trusted relationship between machines. It is used by rlogin (remote login), rsh (remote shell) and rcp (remote copy) to determine which remote hosts and users are considered “trusted” and are allowed to access the host without supplying a password.
The file consists of lines with either
– a host name, indicating that this user is trusted when accessing the system from the specified host, or
– a host name followed by a login name, which indicates that the listed login name is trusted when accessing the system from the specified host
.rhosts example
If user1 had the following .rhosts file in their home directory (/home/user1/.rhosts):
system2
system4
system5 user2
system2 user5
It would mean:
– user1 could log in from system2 as user1
– user1 could log in from system4 as user1
– user1 could log in from system5 as user2
– user1 could also log in from system2 as user5
/etc/hosts.equiv file example
/etc/hosts.equiv is essentially equivalent to a system-wide .rhosts file and contains lines with hostnames. If system1 contained the /etc/hosts.equiv file:
system2
system4
system5
It would indicate that any user on system2, system4 or system5 could log into system1 without having to supply a password.
This assumes that an equivalent username exists on system1 as the one being used on the accessing system (i.e. system2, system4 or system5).
A + in the /etc/hosts.equiv file means all systems are trusted.
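The trust decision the two files encode, as an added example for this transcript (not the lesson's code): it evaluates hosts.equiv and a user's .rhosts the way the C library's ruserok() does (a bare host trusts same-named users from that host; "host user" trusts that remote user; "+" matches every host), using the file contents from the slides. The audit_wildcards() helper is added here to surface the "+" entries a defender wants removed.

```python
"""Model of the r-command trust decision from /etc/hosts.equiv and ~/.rhosts.
File contents below are taken from the slides; the audit is an addition."""

def parse_trust_file(text):
    """Yield (host, user) pairs; user is None when a line names only a host."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        yield parts[0], (parts[1] if len(parts) > 1 else None)

def is_trusted(remote_host, remote_user, local_user, hosts_equiv="", rhosts=""):
    """True if remote_user@remote_host may use local_user's account with no password.

    hosts.equiv:  "host" trusts any same-named user coming from host;
                  "host user" trusts that remote user as any local user.
    ~/.rhosts (local_user's own file): "host" trusts local_user coming from
                  host; "host user" trusts that remote user to use this account.
    "+" in the host field matches every host.
    """
    for host, user in parse_trust_file(hosts_equiv):
        if host in ("+", remote_host):
            if user is None and remote_user == local_user:
                return True
            if user == remote_user:
                return True
    for host, user in parse_trust_file(rhosts):
        if host in ("+", remote_host) and (user or local_user) == remote_user:
            return True
    return False

def audit_wildcards(hosts_equiv="", rhosts=""):
    """List entries whose host field is '+': they trust the whole world."""
    bad = []
    for name, text in (("/etc/hosts.equiv", hosts_equiv), ("~/.rhosts", rhosts)):
        bad += [f"{name}: {h} {u or ''}".rstrip()
                for h, u in parse_trust_file(text) if h == "+"]
    return bad

# From the slides: user1's .rhosts on the target and system1's hosts.equiv.
USER1_RHOSTS = "system2\nsystem4\nsystem5 user2\nsystem2 user5\n"
SYSTEM1_HOSTS_EQUIV = "system2\nsystem4\nsystem5\n"
```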
Authentication and UNIX Trusted relationships
UNIX will base its trust decision, using the .rhosts or hosts.equiv files, on the IP address of the connecting system.
But…. The IP address (and most other fields) of an IP header can be forged!!!
IP Spoofing on LAN (diagram)
The attacker sends Trusted System 2 a packet carrying Trusted System 1's source address: “This is System 1, please send file A”. System 2 answers “OK, here it is...” to System 1's address, and System 1 replies “Huh? I didn’t ask for that...”.
IP Spoofing on LAN (diagram, second version)
The same request, but a DoS attack is launched against Trusted System 1 first so it cannot object. Trusted System 2 sends file A to System 1's address (“OK, here it is...”) and the attacker uses a sniffer to grab the file.
IP Spoofing across the Internet (diagram)
A DoS attack is launched against Trusted System 1. The attacker, posing as System 1, asks Trusted System 2 “This is System 1, please add user X to your password file”; System 2 answers “OK, I’ve done it”, and the attacker then logs in as user X.
Spoofing
In the preceding slides, the actions represented by the “OK, I’ve done it” or the “OK, here it is” lines may actually consist of a series of messages with appropriate responses.
The attacker knows what the responses should be, so the attacker can send them, timed appropriately, to ensure the connection is maintained.
Blind spoofing
– In non-blind spoofing the response sent by the target machine can be observed (sniffed).
– In blind spoofing, the target’s responses cannot be observed.
The steps of a spoofing attack
– Identify the target of the attack (a system with a trusted relationship with another).
– “Eliminate” (DoS attack) the host you wish to spoof.
– Forge the address of the host being spoofed in the packet to be sent to the target.
– Send the spoofed packet to the target.
– Keep the connection active by guessing the correct sequence number used by the target machine.
Sequence numbers
Used to acknowledge receipt of data. Remember the 3-way handshake process:
– Client sends a TCP packet with an initial sequence number.
– Server responds with its own sequence number and an acknowledgement (ACK).
– The client acknowledges receipt by sending a packet with the server’s number plus one.
Guessing the sequence number
– For non-blind spoofing, no problem as you can see the responses.
– For blind spoofing: contact the target and attempt several connections; the target will respond with a sequence number for each; analyze the responses to determine the pattern the target uses for incrementing.
Once you’ve succeeded…
– Attempt to secure a better connection: modify the password file, modify the hosts.equiv or .rhosts file.
– Shut down the spoofed connection (stop the DoS attack). Now log into the target host using the new account or based on the trusted relationship.
Spoofing Prevention Tips
General rule of thumb: Don’t have any trusted relationships if you can help it.
Don’t accept packets from outside of your network that claim to be originating from inside of your network.
Man-in-the-Middle Attacks
Name given to a type of spoofing attack where the intruder assumes a position between the two legitimate users and
– simply listens in (thus really just sniffing), or
– relays information, and thus can substitute an appropriate public key to convince the legitimate users that their communication is secret, when it isn’t.
Man-in-the-middle attack (diagram, normal exchange)
System A asks the Public Key Repository “What is System B’s Public Key?”; the repository answers “Here it is”, and System A sends its message using System B’s public key.
Man-in-the-middle attack (diagram, with the attacker in place)
– The attacker launches a quick DoS on System B and tells the Public Key Repository “Hi, I’m System B, here is my new Public key”; likewise a quick DoS on System A and “Hi, I’m System A, here is my new Public key”.
– System A asks the repository “What is System B’s Public Key?” and System B asks “What is System A’s Public Key?”; both get “Here it is”, but receive the attacker’s keys.
– System A’s message is sent using the new “System B” public key and System B’s using the new “System A” public key; the attacker reads each message and re-sends it using the real System B’s / System A’s public key, so both systems see an ordinary exchange.
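The key-substitution flow from the diagrams, as an added example for this transcript (not the lesson's code): an unauthenticated repository lets the attacker publish a key in System B's name, so System A encrypts to the attacker, who reads the message and re-encrypts it to B. Keys are constructed labels and “encryption” only tags a message with the key it was made for, enough to show who can read what; verified_lookup() is the defender's added check, comparing the fetched key with a fingerprint learned out of band.

```python
"""Toy model of the public-key man-in-the-middle: poisoned repository,
attacker relay, and an out-of-band fingerprint check that catches it."""
import hashlib

def fingerprint(pubkey):
    """Short SHA-256 fingerprint of a (constructed, string-valued) public key."""
    return hashlib.sha256(pubkey.encode()).hexdigest()[:16]

class Repository:
    def __init__(self):
        self.keys = {}

    def publish(self, claimed_owner, pubkey):
        # Nobody checks who is publishing: the weakness the attack relies on.
        self.keys[claimed_owner] = pubkey

    def lookup(self, owner):
        return self.keys[owner]

def encrypt(pubkey, text):
    return (pubkey, text)              # readable only by the holder of pubkey

def decrypt(own_pubkey, box):
    key, text = box
    return text if key == own_pubkey else None

def run_mitm():
    """Return (what the attacker read, what System B finally received)."""
    repo = Repository()
    repo.publish("B", "B-real-pubkey")          # B's genuine key (constructed)
    repo.publish("B", "mallory-pubkey")         # attacker re-publishes in B's name
    msg_from_a = encrypt(repo.lookup("B"), "contents of file A")
    stolen = decrypt("mallory-pubkey", msg_from_a)   # A thought only B could read it
    assert decrypt("B-real-pubkey", msg_from_a) is None
    relayed = encrypt("B-real-pubkey", stolen)       # re-encrypted so B notices nothing
    return stolen, decrypt("B-real-pubkey", relayed)

def verified_lookup(repo, owner, pinned):
    """Use the repository's key only if its fingerprint matches one obtained
    out of band (phone call, printed card); otherwise refuse to encrypt."""
    key = repo.lookup(owner)
    return key if fingerprint(key) == pinned.get(owner) else None
```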
Summary
What is the Importance and Significance of this material?
How does this topic fit into the subject of “Voice and Data Security”?