Sniffing, Spoofing, Hijacking - PowerPoint PPT Presentation

Title: Sniffing, Spoofing, Hijacking
Slides: 25
Provided by: DrSte83

Transcript and Presenter's Notes

1
Sniffing, Spoofing, Hijacking
  • This presentation is an amalgam of presentations
    by Mark Michael, Randy Marchany and Ed Skoudis.
  • I have edited and added material.
  • Dr. Stephen C. Hayne

2
Sniffing
  • Captures frames at the Data Link layer of the protocol stack
  • A sniffer gathers traffic off the network
  • This data can include user IDs and passwords
    transmitted by telnet, DNS queries and responses,
    sensitive emails, FTP passwords, etc.
  • Allows the attacker to read data passing a given
    machine in real time.
  • Two types of sniffing
  • - Active
  • - Passive

3
Sniffing
  • Active
  • Attacker injects traffic (MAC floods, forged ARP or DNS
    replies) to defeat a switch; still needs a foothold on a
    machine on the LAN
  • Several different attacks
  • - Parsing packets (decoding the captured protocols to
    pull out credentials)
  • - Flooding
  • - Spoofed ARP messages
  • - DNS spoofing
  • - HTTPS and SSH spoofing
  • Passive
  • Attacker only listens; needs a foothold on a machine on the LAN
  • Done over a hub, where every station's traffic reaches the
    attacker's interface
  • Usually, once access is gained on one computer, the
    attacker uses the captured passwords to get into other computers

4
Passive Sniffing
[Diagram: user1, user2, Server and Bad guy are all plugged into a HUB; a message ("BLAH") from user1 to Server is repeated out of every port]
- Message gets sent to all computers on the hub, so the bad guy's interface in promiscuous mode reads it
5
Active Sniffing
[Diagram: user1, user2, Server and Bad guy are plugged into a Switch; the message ("BLAH") from user1 reaches only Server]
- Message gets sent only to the intended computer: the switch looks at the destination MAC address and forwards the frame out the one port it has learned for that address, so the bad guy sees nothing until he defeats the switch
6
Dsniff
  • Offers several ways around a switch
  • Available for OpenBSD, Linux, Solaris, and there
    is a version for Windows
  • Very popular and versatile
  • The suite (dsniff, macof, arpspoof, dnsspoof, sshmitm,
    webmitm) conducts all the above attacks

7
Wireshark
  • Much better than dsniff, for packet capture,
    IMHO

8
Flooding Switches
  • The switch stores MAC-address-to-port mappings in a
    table (the CAM table) of fixed size
  • macof, from the dsniff suite, keeps sending the switch
    frames with bogus source MAC addresses
  • Eventually the table fills, the switch can no longer
    learn where the real hosts are, and it floods frames out
    of every port like a hub (it "fails open")
  • Then just run any sniffer you want to get data
    from the network
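
The fill-the-table-and-fail-open behaviour above, as an added example that is not part of the original slides and is not macof's code: a toy learning switch with a 64-entry table. The attacker on port 3 floods it with random source MACs, after which the server's reply to user1 is flooded to the attacker's port as well. The same model with a one-MAC-per-port limit (the port-security defence from the anti-sniffing slide) shuts the attacker's port instead. Port numbers, table size and host MACs are constructed.

```python
"""Toy learning switch under a macof-style MAC flood (added example, not from
the slides).  Table size, ports and addresses below are made up."""
import random

USER1 = "00:11:22:33:44:01"    # constructed host addresses
SERVER = "00:11:22:33:44:02"


class Switch:
    """Learning switch with a bounded CAM table (MAC -> port).

    Real switches differ in what they do when the table is full (stop learning
    or evict entries); either way a MAC that is not in the table gets flooded,
    which is the fail-open behaviour the slide describes.  This model stops
    learning.
    """

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port   # port-security limit, None = off
        self.cam = {}                                # MAC -> port
        self.shutdown = set()                        # ports err-disabled by port security
        self.flooded = 0                             # frames sent out of every port

    def _learn(self, src, in_port):
        if src in self.cam:
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if on_port >= self.max_macs_per_port:
                self.shutdown.add(in_port)           # violation: shut the port
                return
        if len(self.cam) < self.table_size:
            self.cam[src] = in_port

    def forward(self, src, dst, in_port):
        """Deliver one frame; return the list of egress ports it reaches."""
        if in_port in self.shutdown:
            return []
        self._learn(src, in_port)
        if in_port in self.shutdown:                 # this frame triggered the shutdown
            return []
        if dst in self.cam:
            return [self.cam[dst]]
        self.flooded += 1                            # unknown destination: act like a hub
        return [p for p in self.ports if p != in_port and p not in self.shutdown]


def mac_flood(switch, attacker_port, n_frames, seed=1):
    """macof-style flood: frames with random source MACs from the attacker's port."""
    rng = random.Random(seed)
    for _ in range(n_frames):
        fake = ":".join("%02x" % rng.randrange(256) for _ in range(6))
        switch.forward(fake, "ff:ff:ff:ff:ff:ff", attacker_port)


def demo(port_security):
    """Ports: 1 = user1, 2 = server, 3 = attacker.  Returns the ports that
    receive the server's reply to user1 after the flood."""
    sw = Switch(ports=[1, 2, 3], table_size=64,
                max_macs_per_port=1 if port_security else None)
    mac_flood(sw, attacker_port=3, n_frames=200)
    sw.forward(USER1, SERVER, in_port=1)     # user1's entry had aged out before the flood
    return sw.forward(SERVER, USER1, in_port=2)


if __name__ == "__main__":
    print("no port security:", demo(False))   # [1, 3]: the attacker's port sees the reply
    print("port security   :", demo(True))    # [1]: the attacker's port was shut down
```

The flood only pays off for traffic the switch has not learned, which is why macof runs continuously: entries age out or get evicted, and every relearning attempt fails while the table is full.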

9
Spoofing ARP Messages
  • Some switches are immune to MAC flooding
  • ARP maps an IP address to a MAC address, and hosts cache
    the answers they receive
  • Attacker looks at the network topology to find the IP
    of the default router (gateway)
  • Then enables IP forwarding on his machine, so the
    machine passes packets on to the default router
  • Attacker runs arpspoof (part of dsniff) and poisons the
    ARP cache on the victim's computer, pairing his MAC
    with the default router's IP (and usually the router's
    cache too, so the return traffic is also seen)
  • Victim sends data meant for the default router to the attacker
  • Attacker sniffs the data, then forwards it to the real
    default router, so the victim notices nothing

10
ARP Spoofing
[Diagram: user1 and Bad guy on a Switch that connects to the Scary place (outside world)]
  1. Fake ARP: the bad guy tells user1 that the gateway's IP lives at his MAC
  2. Innocent message: user1 sends traffic for the outside world to the bad guy's MAC
  3. Sniffing: the bad guy reads it
  4. On its way: the bad guy forwards it to the real gateway so nothing looks broken
11
DNS Spoofing
  • Similar to ARP spoofing
  • Instead of mapping a MAC to an IP, dnsspoof (part of dsniff)
    watches for the victim's DNS query and answers it with the
    IP of the attacker's machine for the domain name the user
    is trying to reach, racing the real DNS server's reply
  • The new IP is a machine (inside or outside the network)
    running a fake web page that mimics the actual
    web page
  • The user may enter a username and password,
    thinking that the site is legitimate
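
The race the slide describes, as an added example that is not part of the original slides or of dsniff: the attacker's forged answer arrives first and the victim's resolver accepts it, but a sniffer that sees both answers can notice that one transaction got two different A records. The block builds and parses minimal DNS responses itself (no captured traffic; the name bank.example and the addresses are constructed) and keys the comparison on transaction ID and query name only; a production detector would also key on source port and query type.

```python
"""DNS-spoof race detector (added example; packets are constructed, not
captured).  dnsspoof wins by answering a query before the real server; a
sniffer that sees both answers can spot the conflict."""
import ipaddress
import struct


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, ips, ttl=300):
    """Constructed DNS answer: standard-response flags, one A record per IP."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)        # type A, class IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return hdr + question + answers


def decode_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                       # bound on labels/pointers: no loops
        length = pkt[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    else:
        raise ValueError("name too long or compression loop")
    return ".".join(labels).lower(), (end if jumped else off)


def parse_response(pkt):
    """Return (txid, qname, [A-record IPs]) from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question response")
    qname, off = decode_name(pkt, 12)
    off += 4                                   # skip qtype and qclass
    ips = []
    for _ in range(ancount):
        _, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return txid, qname, ips


class DnsSpoofWatcher:
    """Remember the first answer per (txid, qname); flag a later, different one."""

    def __init__(self):
        self.first = {}
        self.alerts = []

    def observe(self, pkt):
        txid, qname, ips = parse_response(pkt)
        key = (txid, qname)
        if key not in self.first:
            self.first[key] = set(ips)
            return None
        if self.first[key] != set(ips):
            alert = (f"conflicting answers for {qname} (id {txid:#06x}): "
                     f"{sorted(self.first[key])} then {sorted(ips)}")
            self.alerts.append(alert)
            return alert
        return None


def demo():
    """Constructed race: the forged reply (attacker's host) beats the real one."""
    w = DnsSpoofWatcher()
    forged = build_response(0x1234, "bank.example", ["203.0.113.66"])
    real = build_response(0x1234, "bank.example", ["198.51.100.10"])
    w.observe(forged)
    return w.observe(real)
```

The victim's stub resolver has already cached the forged record by the time the second answer arrives, so this check belongs on a sniffer or IDS, not in the resolver.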

12
Man/Monkey In The Middle!
[Diagram: User <-> Attacker <-> target; the attacker sits between the two and relays both directions]
13
MITM - Getting around HTTPS and SSH
  • Both HTTPS and SSH encrypt the traffic between the two
    endpoints
  • Sniffing the data would be useless
  • HTTPS is based on a certificate the server sends to the
    client
  • This certificate is digitally signed by a trusted
    Certification Authority
  • Your browser verifies this signature (and that the name
    in the certificate matches the site) to make sure the
    server is the one it claims to be
  • An SSL connection is then established
  • SSH doesn't use certificates but employs a similar
    technique: the client remembers the server's host key
    and warns if it changes

14
It sounds secure, right?
  • The connection is secure, but dsniff exploits
    what happens before the connection
  • Attacker runs dnsspoof along with webmitm
  • webmitm proxies the connection:
  • establishes an HTTPS connection with the victim,
    presenting the attacker's own (self-signed) certificate
  • establishes a separate HTTPS connection with the real
    server
  • The victim gets a warning on screen stating that the
    certificate is not trusted or does not match the site.
    The victim can then click "continue" and the connection
    is established anyway.
  • The victim then accesses the information he wants, but
    the attacker sees everything he types, in the clear
  • sshmitm does the same for SSH: the victim sees a
    changed-host-key warning (or nothing at all on a first
    connection to that server)
  • Caveat: browsers do not allow clicking through
    certificate errors for sites that use HTTP Strict
    Transport Security (HSTS), which closes this hole for
    those sites

15
Anti-Sniffing
  • Encrypt all crucial data that you send
    across a network
  • Never telnet to firewalls, routers, sensitive
    servers, or Public Key Infrastructure systems
  • If you get an error message from your SSH client or
    browser, investigate it rather than clicking through
  • If feasible, replace hubs with switches (this raises the
    bar but does not stop the active attacks above)
  • For very sensitive data, enable port-level
    security on your switches by configuring each
    switch port with the specific MAC address of the
    computer using that port, so a flood or a strange
    MAC shuts the port down

16
Defenses against dsniff
  • Hardcode the gateway's MAC address into servers
    (a static ARP entry, which a forged reply cannot overwrite)
  • Use a gateway switch that will not fail open when its
    MAC table is full (protects against MAC flooding)
  • Use arpwatch to monitor IP-to-MAC mappings and report
    when an address changes
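
The arpspoof attack from the "Spoofing ARP Messages" slide and the last two defences above, as one added example that is not part of the original slides and is not arpwatch's or dsniff's code: it parses Ethernet/ARP frames it builds itself, keeps an IP-to-MAC table seeded with a hard-coded gateway entry, and alerts when a reply claims a different MAC for a known IP. All addresses are constructed.

```python
"""arpwatch-style monitor for ARP cache poisoning (added example, not from the
slides; frames and addresses are constructed).  It keeps an IP -> MAC table,
seeds it with a hard-coded gateway entry, and alerts when a reply claims a
different MAC for a known IP."""
import struct

ETH_P_ARP = 0x0806


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet + ARP frame (op 1 = request, 2 = reply)."""
    dst = b"\xff" * 6 if op == 1 else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet, IPv4, 6, 4, opcode
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields we care about, or None if not an Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(frame[6:12]),
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32])}


class ArpWatcher:
    def __init__(self, static=None):
        self.table = dict(static or {})     # IP -> MAC; seeded entries are the "hardcoded" ones
        self.static = set(self.table)
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac            # arpwatch's "new station"
            return None
        if known == mac:
            return None
        kind = "static entry spoofed" if ip in self.static else "changed ethernet address"
        alert = (f"{kind}: {ip} was {known}, now {mac} "
                 f"(op {arp['op']}, frame from {arp['eth_src']})")
        self.alerts.append(alert)
        if ip not in self.static:
            self.table[ip] = mac            # follow the change so a flip back is reported too
        return alert


def demo():
    gateway_ip, gateway_mac = "10.0.0.1", "00:11:22:33:44:01"   # constructed
    victim_ip, victim_mac = "10.0.0.2", "00:11:22:33:44:02"
    attacker_mac = "de:ad:be:ef:00:01"
    w = ArpWatcher(static={gateway_ip: gateway_mac})
    frames = [
        build_arp(1, victim_mac, victim_ip, "00:00:00:00:00:00", gateway_ip),  # who-has gateway
        build_arp(2, gateway_mac, gateway_ip, victim_mac, victim_ip),          # real reply
        build_arp(2, attacker_mac, gateway_ip, victim_mac, victim_ip),         # arpspoof-style reply
    ]
    return [w.observe(f) for f in frames]
```

The third frame is exactly what arpspoof keeps sending: an unsolicited reply that pairs the gateway's IP with the attacker's MAC. A host with a static entry for the gateway ignores it; a monitor that sees it reports the mismatch.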

17
IP Address Spoofing
  • Three main flavors
  • - Simple spoofing
  • - Undermining Unix r-commands
  • - Spoofing with source routing
  • Doesn't allow actions to be traced back to the attacker's IP
  • Undermines applications that rely on IP addresses
    for authentication or filtering

18
Simple Spoofing
  • Simply change the IP address of your computer
  • Can be done with ifconfig in UNIX or under the
    network control panel in Windows
  • Or use a tool that generates packets with fake source IP
    addresses
  • The only problem is the attacker can't complete a
    three-way handshake with the victim: the SYN-ACK goes
    to the spoofed address, not to the attacker

19
Undermining UNIX r-Commands
  • This targets UNIX trust relationships
  • Trust relationships allow users to log onto one
    machine and then log into trusting machines without
    a password
  • Using the
  • rlogin (remote login)
  • rsh (remote shell)
  • rcp (remote copy)
  • A computer can also be added to the trust
    relationship by editing /etc/hosts.equiv or a
    user's ~/.rhosts file
  • Whether a machine is trusted relies on the system's IP
    address (the hostname in those files is resolved to an
    address, and nothing stronger is checked)
  • The administrator can establish a hub and spoke
    relationship, logging onto one computer and then
    sending commands to multiple systems that trust
    it using the rsh tool.

20
Hub and Spoke
[Diagram: an Admin machine at the center, with a Trust relationship out to each of several spoke systems]
21
Exploiting Hub and Spoke Relationships
  • Attacker sends several TCP SYN packets to the
    computer to be attacked and records the initial
    sequence numbers in the SYN-ACKs, which allows him
    to guess future sequence numbers
  • Attacker launches a DoS attack on the trusted
    computer, so that computer is dead to the network
  • Attacker sends a SYN to the victim using the
    trusted computer's IP address
  • The victim returns a SYN-ACK to the trusted
    computer, but no reply (and no RST, which would kill
    the connection) is sent because it was hit
    with the DoS attack
  • Using the sequence numbers gathered in step 1,
    the attacker sends an ACK packet to the victim with
    the guessed sequence number, again spoofing the
    trusted machine's IP

22
Exploiting Hub and Spoke Relationships
  • The attacker now has a connection with the victim's
    computer and can feed it commands
  • The attacker can't see the responses (they go to the
    trusted host), so the commands are sent blind
  • The attacker can make the computer trust the
    attacker's computer or any computer on the
    network
  • The attacker can then log on directly to the
    victim, no spoofing required
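
The five steps on the previous slide and the blind command on this one, as an added example that is not part of the original slides: a toy TCP listener plays the victim and accepts a connection only when the third packet's acknowledgement number equals its ISN + 1. Against an ISN generator that adds a fixed step per connection (the pattern of old BSD-derived stacks, with the per-second increment left out), three probes from the attacker's own address are enough to predict the number the spoofed connection will get; against a random generator the same script fails, which is the point of the first defence on the last slide. Addresses, ports and the step size are constructed; the command string stands in for an rsh payload.

```python
"""Blind TCP spoofing against a predictable-ISN stack (added example, not from
the slides).  A toy listener plays the victim; the attacker never sees the
SYN-ACK and must guess the victim's ISN.  Addresses, ports and the ISN step are
constructed; the +64000-per-connection pattern mirrors old BSD-derived stacks."""
import random

MASK = 0xFFFFFFFF


class Victim:
    """Accepts a connection only if the third packet's ACK equals our ISN + 1,
    and runs the payload only when it arrives from the trusted host
    (r-command style, IP-based trust)."""

    def __init__(self, isn_source, trusted_ip):
        self.isn_source = isn_source
        self.trusted_ip = trusted_ip
        self.half_open = {}          # (src_ip, src_port) -> our ISN
        self.executed = []

    def syn(self, src_ip, src_port):
        isn = self.isn_source()
        self.half_open[(src_ip, src_port)] = isn
        return ("SYN-ACK", isn)      # sent to src_ip; a spoofing attacker never sees it

    def ack(self, src_ip, src_port, ack_no, payload=None):
        isn = self.half_open.pop((src_ip, src_port), None)
        if isn is None or ack_no != (isn + 1) & MASK:
            return False             # wrong guess: no connection
        if payload and src_ip == self.trusted_ip:
            self.executed.append(payload)
        return True


def bsd_style_isn(start=1000, step=64000):
    """Predictable generator: each new connection gets the previous ISN + step."""
    state = [start]

    def gen():
        state[0] = (state[0] + step) & MASK
        return state[0]
    return gen


def random_isn(seed=7):
    """An ISN the attacker cannot extrapolate (seeded only so the demo repeats)."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(32)


def blind_spoof(victim, trusted_ip, attacker_ip="203.0.113.9", samples=3):
    """The slide's steps as a script.  The trusted host is assumed to be DoS'd,
    so it never answers the SYN-ACK with a RST."""
    # Step 1: probe from the attacker's real address and record the ISNs.
    seen = [victim.syn(attacker_ip, 40000 + i)[1] for i in range(samples)]
    step = (seen[-1] - seen[-2]) & MASK
    predicted = (seen[-1] + step) & MASK            # the ISN the next connection will get
    # Step 3: SYN with the trusted host's address; its SYN-ACK goes to that host.
    victim.syn(trusted_ip, 1023)
    # Step 5: ACK with the guessed number, carrying the blind command.
    return victim.ack(trusted_ip, 1023, (predicted + 1) & MASK,
                      payload="append '+ +' to ~/.rhosts (trust everyone)")


def demo(predictable):
    gen = bsd_style_isn() if predictable else random_isn()
    v = Victim(gen, trusted_ip="10.0.0.5")
    return blind_spoof(v, trusted_ip="10.0.0.5"), v.executed


if __name__ == "__main__":
    print("predictable ISN:", demo(True))    # (True, [the payload]): command ran blind
    print("random ISN:     ", demo(False))   # (False, []): the guess misses
```

With the predictable generator the probes return 65000, 129000 and 193000, the step is 64000, and the spoofed connection is assigned 257000, so an ACK of 257001 completes the handshake. Real stacks of that era also added 128000 per second, which is why the original attack had to be fast and why the deltas Nmap reports are what you examine when testing your own hosts.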

23
Spoofing with Source Routing
  • Source routing (an IP header option) allows the sender
    to specify the path a packet will take through the network
  • Loose source routing allows the attacker to
    name some of the hops but not all of them
  • The attacker sends source-routed packets from a
    fake source IP to the victim
  • These packets claim to be from a trusted computer
  • They include the attacker's IP address as one of
    the hops
  • When the victim's computer tries to complete the
    three-way handshake, its SYN-ACK follows the reversed
    route, so the attacker intercepts it and sends his own ACK
  • An open connection has been established between
    the attacker and the victim, and the attacker can view
    the responses from the victim
  • Caveat: most modern hosts and routers drop source-routed
    packets by default, so this only works where that
    protection has been turned off

24
Defenses against IP Spoofing
  • Make the initial sequence numbers generated by
    your TCP stack difficult to guess
  • - apply the latest security patches
  • - test predictability by scanning and trying to
    guess them yourself (Nmap can be helpful with
    this)
  • Avoid using r-commands
  • - use SSH or other secure programs instead
  • Avoid setting up trust relationships on a network
  • Avoid applications that validate based on IP
    address
  • - authentication should be based on passwords and
    cryptography
  • - use other techniques that tie the session to the
    user
  • Use filters at the DMZ and gateways that drop source-routed
    packets (both incoming and outgoing)
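
The source-routed packet from the previous slide and the last defence above, as one added example that is not part of the original slides: a minimal IPv4 option walker that recognises the loose (LSRR, type 131) and strict (SSRR, type 137) source route options and a gateway policy that drops any packet carrying one. The packets are constructed in the block (checksums left at zero), and the hop address 203.0.113.9 is an assumed attacker address.

```python
"""Gateway filter that drops IPv4 source-routed packets (added example, not from
the slides).  Packets here are constructed; checksums are left at zero."""
import struct

IPOPT_END, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137        # loose / strict source route option types


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def lsrr_option(hops):
    """Loose source route option: type, length, pointer (4 = first hop), hops."""
    body = b"".join(ip_bytes(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body


def build_ipv4(src, dst, options=b"", payload=b""):
    """Constructed IPv4 header (protocol 6 = TCP) with an optional options field."""
    while len(options) % 4:
        options += bytes([IPOPT_END])        # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0x1234, 0, 64, 6, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + options + payload


def source_route(pkt):
    """Walk the IPv4 options; return (kind, [hops]) for LSRR/SSRR, else None.
    Raises ValueError on a malformed header, which the filter treats as drop."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header")
    off = 20
    while off < ihl:
        kind = pkt[off]
        if kind == IPOPT_END:
            break
        if kind == IPOPT_NOP:
            off += 1
            continue
        if off + 1 >= ihl:
            raise ValueError("truncated option")
        length = pkt[off + 1]
        if length < 2 or off + length > ihl:
            raise ValueError("bad option length")
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            data = pkt[off + 3:off + length]          # hop list after type, length, pointer
            hops = [ip_str(data[i:i + 4]) for i in range(0, len(data) - len(data) % 4, 4)]
            return ("LSRR" if kind == IPOPT_LSRR else "SSRR", hops)
        off += length
    return None


def filter_packet(pkt):
    """The slide's policy: drop any source-routed packet, in either direction."""
    try:
        route = source_route(pkt)
    except ValueError as err:
        return "drop", f"malformed: {err}"
    if route is not None:
        return "drop", f"{route[0]} via {route[1]}"
    return "pass", ""


def demo():
    normal = build_ipv4("10.0.0.5", "10.0.0.7")
    # Spoofed packet claiming to be the trusted host 10.0.0.5, with the
    # attacker's address as a hop so the replies loop back through the attacker.
    spoofed = build_ipv4("10.0.0.5", "10.0.0.7", lsrr_option(["203.0.113.9"]))
    return filter_packet(normal), filter_packet(spoofed)
```

Dropping malformed option lists as well as source-routed ones matters: a filter that gives up on a bad length and passes the packet is a filter an attacker can walk around.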