Types of Attacks
Attacks
Physical
Dialog
Penetration
Social Engineering
Wiretapping
Eavesdropping
Scanning
Opening Attachment
Server Hacking
Impersonation
Break-in
Password Theft
Vandalism
Message Alteration
DoS
Information Theft
Malware
Major Problems with Sniffing
Any mischievous machine can examine any packet on a BROADCAST medium
Ethernet is BROADCAST, at least on the segments over which a packet travels
Getting passwords is the first step in exploiting a machine
Email is plaintext and vulnerable
What does one sniff?
passwords
email
financial account information
confidential information
low-level protocol info to attack:
hardware addresses
IP addresses
routing, etc.
Spoofing
In spoofing (fooling, deceiving), an
attacker impersonates someone else.
[Diagram: three hosts, Faishal, Kevin and Sonny. Faishal asks "Sonny, are you still alive?" and receives the reply "Yes, I'm here!" from a host impersonating Sonny.]
Types of Spoofing
ARP Spoofing / MAC Spoofing
The attacker substitutes the attacker's MAC address for the client's MAC address
IP spoofing
The attacker uses the IP address of another computer to acquire information or gain access
Email spoofing
The attacker sends email but makes it appear to come from someone else
Web spoofing
The attacker tricks the web browser into communicating with a different web server than the user intended
Non-network (social engineering)
MAC level Spoofing
Focus on Ethernet (widespread use)
Cards have unique addresses assigned by the manufacturer
Many cards CAN be reconfigured by the user
A bridge has no MAC address of its own but forwards frames with the source address of the originator
Faking an address creates opportunities for mischief
Finding the Owner of a MAC Address
ARP Table Modifications
However, Host A doesn't know that Host B really did send the ARP reply.
In the previous example, attackers could spoof an ARP reply to Host A
before Host B responded, indicating that the hardware address
E0:E0:E0:E0:E0:E0 corresponds to Host B's IP address.
Host A would then send any traffic intended for Host B to the attacker, and the
attacker could choose to forward that data (probably after some tampering)
to Host B.
[Diagram: spoofed ARP reply.]
ARP spoofing
What is ARP? The IP -> MAC mapping
Make some machine think that the IP address it is searching for is you.
How it works:
Broadcast and ask if anyone knows the mapping
The response typically comes from the machine that holds that IP
ARP spoofing (more)
If 2 machines (real and fake) respond, the effect depends on the OS:
some OSes overwrite the earlier response
other OSes ignore the new response unless the current entry expires
The original machine can be disconnected by:
Power
Wiring (connectivity)
IP Spoofing
IP spoofing is the creation of TCP/IP packets with
somebody else's IP address in the header.
Routers use the destination IP address to forward
packets, but ignore the source IP address.
The source IP address is used only by the
destination machine, when it responds back to
the source.
When an attacker spoofs someone's IP address,
the victim's reply goes back to that address.
Since the attacker does not receive packets back,
this is called a one-way attack or blind spoofing.
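The slide's point is that ordinary forwarding looks only at the destination address. The added example below (not from the slides) shows the extra source-address check that an ingress/egress filter on a border router performs: a packet's source address must be consistent with the interface it arrived on. The prefixes, the interface names "inside"/"outside" and the sample packets are constructed for illustration.

```python
"""Anti-spoofing (ingress/egress) filter check for a border router.

Added example, not from the lecture slides. The network ranges, interface
names and sample packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: prefixes that legitimately live behind the "inside" interface.
# A real deployment would take these from the routing table or an access list.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Source addresses that should never cross the border in either direction.
BOGON_PREFIXES = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # "inside" or "outside": the interface the packet arrived on
    src: str
    dst: str


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def filter_decision(pkt):
    """Return ("accept" | "drop", reason) for one packet.

    Forwarding itself only consults pkt.dst; this is the additional check on
    pkt.src that turns a router into an anti-spoofing filter.
    """
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, BOGON_PREFIXES):
        return "drop", "bogon source"
    src_is_internal = _in_any(src, INTERNAL_PREFIXES)
    if pkt.ingress_if == "outside" and src_is_internal:
        # Ingress filtering: the outside world must not claim our addresses.
        return "drop", "spoofed internal source from outside"
    if pkt.ingress_if == "inside" and not src_is_internal:
        # Egress filtering: our hosts must not launch packets carrying someone
        # else's source address; this stops blind spoofing at its origin.
        return "drop", "spoofed external source from inside"
    return "accept", "source consistent with ingress interface"


def apply_filter(packets):
    return [filter_decision(p) for p in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("outside", "203.0.113.5", "10.0.0.7"),     # normal inbound
    Packet("outside", "10.0.0.9", "10.0.0.7"),        # outsider claiming one of our addresses
    Packet("inside", "10.0.0.7", "203.0.113.5"),      # normal outbound
    Packet("inside", "198.51.100.2", "203.0.113.5"),  # internal host using a foreign source
    Packet("outside", "127.0.0.1", "10.0.0.7"),       # bogon
]

if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE_PACKETS, apply_filter(SAMPLE_PACKETS)):
        print(f"{pkt.ingress_if:8} {pkt.src:>14} -> {pkt.dst:<14} {verdict:6} ({why})")
```

The egress rule is the one the later "Countermeasure" slide means by keeping your machines from launching spoofed packets; the ingress rule is the router filter that protects the inside from spoofed traffic arriving from outside.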
Email Spoofing
3 basic ways to perform it:
Aliasing
Modify the mail client
Telnet to port 25
Email Spoofing
One simple form of email spoofing is to
create a valid email account (on Yahoo or
Hotmail) and put someone else's name in the
alias field.
In mail relaying, an attacker uses a mail
server to send mail to someone in a different
domain.
When email is sent by a user, the From:
address is not validated.
Web Spoofing
One way to lure people to a malicious site is to
give it a URL that is similar to that of a legitimate
site, e.g.,
www.paypai.com
wwwFirstNationalBank.com
Another way is for the attacker to provide HTML
with a mislabeled link to another page, e.g., in an
email. Example:
<a HREF="http://www.badhack.org">American Red Cross</a>
Fake URLs
That is, sites claiming to be a particular Web site but, when clicked on, actually linking to a
hacker's Web site. The URL is the Web address of any Web site, and
there are some clues in it that may indicate it will lead you to a fake or a phishing site.
Defence :
One of the first rules of online security is to exercise caution at all times. Try to avoid clicking on links
in pop-up ads or links in emails that seem to be phony or suspicious. A good general rule is to type
the Web site address in your address bar directly, rather than use a link in an email message,
especially if you are going to a financial site.
You can check the URL in any email or on another Web site by simply holding your mouse above the
link. The URL will appear in your browser or status bar (the bar that is usually at the bottom of your
screen) and you can see what the name of the site is before you actually click on it.
A fairly sure sign that a URL is fake is if the URL contains the "@" sign in the middle of the address. If
a URL contains the "@" sign, the browser ignores everything to the left of the "@" sign. For example, if
you go to a Web site that is [email protected], you are not going to the Paypal site at all.
Legitimate sites and companies use a domain name as part of their name rather than the "@" sign.
A dead giveaway for a fake URL or a fake Web site is basic spelling mistakes in the Web address itself.
Some URLs look very much like the name of a well-known company, but there may be letters
transposed or left out. An example might be "mircosoft.com" instead of "microsoft.com." These
slight differences can be easy to miss, and that's what phishers are counting on.
The popular Paypal site is a common target for phishers and scammers. Even if a URL contains the
word "paypal," it may not be the authentic Paypal site. Some common URLs that will NOT lead you
to the real Paypal site are: www.paypalsecure.com and [email protected].
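The clues listed above (an "@" in the address, a brand name inside a domain that is not the brand's, and transposed or missing letters) can be checked mechanically. The added example below is not from the slides; it is a small URL inspector of the kind a mail gateway or browser extension might run. The brand list, the sample URLs and the edit-distance threshold of 2 are constructed for illustration, and the registered-domain extraction is a crude "last two labels" rule with no public-suffix list.

```python
"""Heuristic detector for the fake-URL clues described on the slide.

Added example, not from the slides. KNOWN_BRANDS, SAMPLE_URLS and the
thresholds are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed: brands we care about and the registered domains that are theirs.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
    "firstnationalbank": {"firstnationalbank.com"},
}


def registered_domain(host):
    """Crude 'last two labels' rule; adequate for the .com names on the slide."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch transposed or omitted letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_url(url):
    """Return a list of human-readable warnings; an empty list means no clue fired."""
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    # Clue 1: userinfo trick. Everything before '@' is credentials, not the host.
    if "@" in parts.netloc:
        decoy, real_host = parts.netloc.rsplit("@", 1)
        warnings.append(f"'@' in address: browser goes to {real_host!r}, not {decoy!r}")
    else:
        real_host = parts.netloc
    host = real_host.split(":")[0].lower()
    domain = registered_domain(host)
    sld = domain.split(".")[0]            # second-level label, e.g. 'paypai'
    for brand, genuine in KNOWN_BRANDS.items():
        if domain in genuine:
            continue                      # the real site
        # Clue 2: brand name embedded in a domain the brand does not own.
        if brand in host:
            warnings.append(f"contains brand {brand!r} but registered domain is {domain!r}")
        # Clue 3: near-miss spelling of the brand (paypai, mircosoft).
        elif 0 < edit_distance(sld, brand) <= 2:
            warnings.append(f"{sld!r} is a near-miss spelling of brand {brand!r}")
    return warnings


# Constructed sample URLs; the IP address is a documentation address.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://www.paypai.com/",
    "http://wwwFirstNationalBank.com",
    "http://www.paypal.com@203.0.113.9/login",
    "http://www.paypalsecure.com/",
    "http://mircosoft.com/update",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", analyse_url(u) or ["looks genuine"])
```

Hovering over a link, as the slide advises, shows the user the same string this function inspects; the function merely applies the slide's rules consistently instead of relying on the reader to spot a missing dot or a swapped letter.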
TCP Session Hijacking
TCP session hijacking is when a hacker takes
over a TCP session between two machines.
Since most authentication only occurs at the
start of a TCP session, this allows the hacker to
gain access to a machine.
Categories of TCP Session Hijacking
Based on the anticipation of sequence
numbers there are two types of TCP hijacking:
Man-in-the-middle (MITM)
Blind Hijack
Passive Sniffers
Passive sniffers monitor and sniff packets
on a network that shares the same collision domain
(i.e. a network with a hub, as all packets are
broadcast on each port of the hub).
Active Sniffers
One way of doing so is to change the default gateway of the client's
machine so that it will route its packets via the hijacker's machine.
This can be done by ARP spoofing (i.e. by sending malicious ARP packets
mapping the hijacker's MAC address to the default gateway's IP address so as to
update the ARP cache on the client and redirect the traffic to the hijacker).
Typical Session
[Diagram: Client (Browser), Server and a Session Data store. 1: Request connection; 2: Create session; 3: Session Id returned to the client; 4: Subsequent requests (session id passed); 5: Validate session; 6: Retrieve session data; 7: Successful response.]
Attack Methods
Guessing Session Id
shorter length, predictable
Session Fixing
predictable, session created before authenticated
Security Vulnerabilities in Hops
trusting private networks, vulnerabilities in web servers, etc.
Session Sniffing (typical on non-SSL sessions)
same subnet as client or server
Man in the Middle Attack (SSL)
ARP Poisoning, DNS Spoofing
Cross Site Scripting (XSS)
User trusting source, application vulnerability
Session Sniffing
[Diagram: the same Client (Browser) / Server / Session Data flow as the typical session (1: Request connection; 2: Create session; 3: Session Id; 4: Subsequent requests with session id; 5: Validate session; 6: Retrieve session data; 7: Successful response), with a Hacker on the path sniffing the request (session-id) and the successful response.]
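The "Attack Methods" list and the session-sniffing diagram above describe three weaknesses in how a session id is issued and carried: a short or predictable id can be guessed, an id created before authentication can be fixed by the attacker, and an id sent over non-SSL hops can be sniffed. The added example below (not from the slides) shows the server-side handling that closes each of them; the SessionStore class, its method names and the demo flow are constructed for illustration.

```python
"""Session-id handling that counters guessing, fixation and sniffing.

Added example, not from the slides. SessionStore and demo() are constructed.
"""
import hmac
import math
import secrets


class SessionStore:
    ID_BYTES = 32  # 256 bits of randomness per id

    def __init__(self):
        self._sessions = {}  # session_id -> session data

    def create(self):
        """Unpredictable id from the OS CSPRNG (counters guessing)."""
        sid = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[sid] = {"authenticated": False, "user": None}
        return sid

    def login(self, old_sid, user):
        """On authentication, issue a fresh id and discard the old one.

        This is the standard session-fixation defence: an id the attacker
        planted before login stops working once the victim logs in.
        """
        data = self._sessions.pop(old_sid, {"authenticated": False, "user": None})
        new_sid = secrets.token_urlsafe(self.ID_BYTES)
        data.update(authenticated=True, user=user)
        self._sessions[new_sid] = data
        return new_sid

    def lookup(self, sid):
        """Constant-time comparison, so response timing does not reveal how
        many leading characters of a guessed id were correct."""
        wanted = sid.encode()
        for stored, data in self._sessions.items():
            if hmac.compare_digest(stored.encode(), wanted):
                return data
        return None


def set_cookie_header(sid):
    """Cookie attributes that keep the id off non-SSL hops (Secure) and away
    from injected script (HttpOnly)."""
    return f"Set-Cookie: SESSIONID={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def guess_work_bits(id_space):
    """log2 of the number of ids an attacker must try on average (worst case)."""
    return math.log2(id_space)


def demo():
    """Walk the slide's flow: create before login, regenerate at login."""
    store = SessionStore()
    pre_login = store.create()                # step 2/3: session created, id issued
    post_login = store.login(pre_login, "alice")
    return {
        "fixation_defeated": pre_login != post_login and store.lookup(pre_login) is None,
        "logged_in_user": store.lookup(post_login)["user"],
        "weak_bits": guess_work_bits(10 ** 4),                          # 4-digit counter id
        "strong_bits": guess_work_bits(2 ** (8 * SessionStore.ID_BYTES)),  # random id
        "cookie": set_cookie_header(post_login),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two guess_work_bits values make the "shorter length, predictable" bullet concrete: a four-digit id is exhausted in about 13 bits of effort, a 32-byte random id needs 256.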
Man-in-the-middle (MITM)
A hacker can also be "inline" between B and C,
using a sniffing program to watch the
sequence numbers and acknowledgement numbers
in the IP packets transmitted between B and C,
and then hijack the connection.
This is known as a "man-in-the-middle attack".
Man in the Middle Attack Using Packet Sniffers
This technique involves using a packet sniffer
to intercept the communication between
client and the server.
Packet sniffers come in two categories:
Active sniffers
Passive sniffers
Blind Hijacking [Shray Kapoor]
If you are NOT able to sniff the packets and
guess the correct sequence number expected
by the server, you have to implement Blind
Session Hijacking.
You have to brute force 4 billion combinations
of sequence number, which is an
unreliable task.
Ways to Suppress a Hijacked Host from Sending Packets
A common way is to execute a Denial-of-Service (DoS) attack against one
end-point to stop it from responding.
This attack can be either
against the machine, to force it to crash,
or
against the network connection, to force heavy packet loss.
Send packets with commands that request the recipient not to send back a
response.
Man in the Middle Attack
[Diagram: Client (Browser), Hacker Machine 1, Hacker Machine 2 and Server. 1: Request HTTPS connection (client to hacker); 2: Request HTTPS connection (hacker to server); 3: Server provides its certificate with public key; 4: Hacker provides an HTTP response to the client; 5: Subsequent requests (session-id) from the client; 6: Hacker forwards the request, waits for the session to be created, passes the session id and relays the successful response.]
MitM Attacks
Man-in-the-Middle refers to a machine that is set up so that traffic between two
other machines must pass through the MitM machine.
Difficult to set up, especially over the Internet. Not so difficult in a LAN
environment.
Provides no additional advantages over a sniffer; it is actually just a way to
implement a sniffer.
Defense:
Encryption; however, a MitM can also act as an intermediate encrypter
Strong perimeter security for Internet MitM attacks.
Only as secure as the weakest link: the MitM can attack from either end. So, even if you
have strong security, but your partner does not, the MitM is possible from the other
end.
Prevention of Sniffing
Segmentation into trustworthy segments
bridges
better yet, switches (switched hubs)
Not enough to disallow sniffing:
easy to add a machine on the net
may try using X-terminals instead of workstations
Prevention of Sniffing (more)
Avoid password transmission
one solution is the r-family:
rlogin, rcp, rsh, etc.
put trusted hosts in .rhosts
many system administrators (SAs) don't want users to use them
Using encrypted passwords
Kerberos
PGP public keys
Prevention of MAC spoofing
VERY difficult
Intelligent hubs
can be made to expect certain MACs on ports
but machines can still be swapped
physical measures
Prevention of ARP spoofing
Basic Premise: ARP TRUSTS THE RESPONSE
If the machine is one you need to trust:
make a PERMANENT entry in the ARP cache
arp -p ...
Use an ARP server
Don't let the machine respond for itself
makes administration a little more cumbersome
but is probably worth it!
but.. the server can be spoofed
Countermeasures
IP Spoofing
Protect against it with good firewall rules
Keep your machines from launching spoofed IP packets (router filters)
Limit configuration access on machines
Programs like arpwatch that keep track of IP/MAC pairings
The best way to protect against source routing spoofing is to simply disable source routing at your routers.
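The ARP-spoofing slides (two machines answering for one IP, the spoofed reply overwriting a cache entry) and the prevention slides (permanent entries for trusted machines, arpwatch keeping track of IP/MAC pairings) are both served by one monitor. The added example below is not from the slides and is not arpwatch's code: it is a watcher in the same spirit, written against a constructed record format. The PINNED table, the flap window and the sample replies are constructed; on a real host the records would come from a packet capture.

```python
"""ARP-cache watcher in the spirit of arpwatch.

Added example, not from the slides. Keeps the IP->MAC pairings seen in ARP
replies, honours administrator-pinned entries, and raises alerts when a
pairing changes or two MACs answer for one IP within a short window.
Record format, PINNED and SAMPLE are constructed for illustration.
"""
from collections import defaultdict

# Constructed: the slide's "permanent entry in the ARP cache" for machines
# you need to trust, here the default gateway.
PINNED = {
    "10.0.0.1": "00:11:22:33:44:01",
}


class ArpWatcher:
    def __init__(self, pinned=None, flap_window=5.0):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.flap_window = flap_window        # seconds; competing replies inside it are suspicious
        self.table = {}                       # ip -> (mac, last_seen)
        self.history = defaultdict(list)      # ip -> [(ts, mac), ...]
        self.alerts = []                      # (ts, kind, ip, detail)

    def observe(self, ts, sender_ip, sender_mac, is_reply):
        """Feed one ARP packet. Only replies assert an IP->MAC mapping."""
        mac = sender_mac.lower()
        if not is_reply:
            return
        if sender_ip in self.pinned and self.pinned[sender_ip] != mac:
            self.alerts.append((ts, "PINNED_MISMATCH", sender_ip, mac))
        prev = self.table.get(sender_ip)
        if prev and prev[0] != mac:
            self.alerts.append((ts, "CHANGED", sender_ip, f"{prev[0]} -> {mac}"))
        # The slide's "2 machines (real and fake) respond" case.
        recent = [m for t, m in self.history[sender_ip] if ts - t <= self.flap_window]
        if any(m != mac for m in recent):
            self.alerts.append((ts, "COMPETING_REPLIES", sender_ip, mac))
        self.history[sender_ip].append((ts, mac))
        self.table[sender_ip] = (mac, ts)

    def resolve(self, ip):
        """What a host should use: the pinned MAC wins over anything learned."""
        if ip in self.pinned:
            return self.pinned[ip]
        entry = self.table.get(ip)
        return entry[0] if entry else None

    def run(self, records):
        for rec in records:
            self.observe(*rec)
        return self.alerts


# Constructed ARP packets: (timestamp, sender_ip, sender_mac, is_reply).
SAMPLE = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01", True),    # gateway answers normally
    (1.0, "10.0.0.5", "00:11:22:33:44:05", True),    # host B answers
    (1.5, "10.0.0.5", "00:11:22:33:44:05", False),   # a request; carries no mapping claim
    (2.0, "10.0.0.5", "E0:E0:E0:E0:E0:E0", True),    # second, competing answer for B's IP
    (30.0, "10.0.0.1", "E0:E0:E0:E0:E0:E0", True),   # gateway's IP later claimed by another MAC
]

if __name__ == "__main__":
    watcher = ArpWatcher(PINNED)
    for ts, kind, ip, detail in watcher.run(SAMPLE):
        print(f"t={ts:5.1f} {kind:18} {ip:10} {detail}")
    print("gateway resolves to", watcher.resolve("10.0.0.1"))
```

The resolve() method is the defensive half of the slide: because the pinned entry is consulted first, the spoofed reply at t=30 raises an alert but never displaces the gateway's real address.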
Email Spoofing
Most email servers today do not allow email relaying. They only allow emails to be sent to/from their range of IP addresses. They ensure that the
recipient's domain is the same domain as the mail server. The attacker can run his own email server, but then he is easier to trace.
Defense - Do not allow email relaying on your SMTP servers
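The relay policy the slide describes (accept mail from your own address range, or mail for a domain you host, and nothing else) can be expressed as a small decision function. The added example below is not from the slides and not from any real mail server; it walks a constructed SMTP envelope the way a minimal MTA would answer it. LOCAL_DOMAINS, INTERNAL_NETS and the sample sessions are constructed. The extra check on MAIL FROM, refusing an outside client that claims one of our own domains as sender, is an additional spoofing guard beyond what the slide states.

```python
"""Open-relay refusal and sender-domain check for a small SMTP server.

Added example, not from the slides or any real MTA. LOCAL_DOMAINS,
INTERNAL_NETS and the sessions in SAMPLE_SESSIONS are constructed.
"""
import ipaddress

LOCAL_DOMAINS = {"example.org", "mail.example.org"}        # domains we host (constructed)
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]     # our clients (constructed)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _is_internal(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def relay_decision(client_ip, rcpt_to):
    """(smtp_code, text) for one RCPT TO.

    internal client      -> may send anywhere (our users' outbound mail)
    local recipient      -> accept (inbound mail for us)
    anything else        -> 554, the open-relay case the slide warns about
    """
    if _is_internal(client_ip):
        return 250, "OK (internal client)"
    if _domain(rcpt_to) in LOCAL_DOMAINS:
        return 250, "OK (local recipient)"
    return 554, "Relay access denied"


def sender_decision(client_ip, mail_from):
    """Outside client claiming one of OUR domains as envelope sender is refused.
    SMTP itself never validates the From: line, so this check is explicit."""
    if _domain(mail_from) in LOCAL_DOMAINS and not _is_internal(client_ip):
        return 550, f"Sender domain {_domain(mail_from)} is local but client is external"
    return 250, "OK"


def process_session(client_ip, commands):
    """Answer MAIL FROM / RCPT TO lines as a minimal server would; other lines ignored."""
    replies = []
    for line in commands:
        verb, _, arg = line.partition(":")
        addr = arg.strip().strip("<>")
        verb = verb.strip().upper()
        if verb == "MAIL FROM":
            replies.append(sender_decision(client_ip, addr))
        elif verb == "RCPT TO":
            replies.append(relay_decision(client_ip, addr))
    return replies


# Constructed sessions: (client_ip, envelope commands)
SAMPLE_SESSIONS = [
    ("203.0.113.7", ["MAIL FROM:<someone@remote.example>",
                     "RCPT TO:<bob@example.org>",          # inbound for us: accept
                     "RCPT TO:<carol@other.example>"]),    # third-party relay: refuse
    ("192.0.2.10", ["MAIL FROM:<alice@example.org>",
                    "RCPT TO:<carol@other.example>"]),     # our user sending out: accept
    ("203.0.113.7", ["MAIL FROM:<ceo@example.org>"]),      # outsider posing as our domain
]

if __name__ == "__main__":
    for ip, cmds in SAMPLE_SESSIONS:
        for cmd, (code, text) in zip(cmds, process_session(ip, cmds)):
            print(f"{ip:12} {cmd:40} -> {code} {text}")
```

The 554 on the third RCPT TO of the first session is the whole of the slide's defense: an outside client may deliver to us but may not use us to reach a third domain.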
Web Spoofing
Use a server-side certificate. Still, users should:
Examine the browser location/status line
Examine links in the HTML source code
Disable active content (Java, JavaScript, ActiveX) in the browser
Ensure that the browser starts on a secure page (a local HTML page)
Countermeasures - Encryption
The most effective is encryption such as IPSec.
Internet Protocol Security has the ability to encrypt your IP packets based on a Pre-Shared Key (PSK) or with more complex systems like a Public Key Infrastructure (PKI).
This will also defend against many other attack vectors such as sniffing.
The attacker may be able to passively monitor your connection, but they will not be
able to read any data as it is all encrypted.
There might be actions an attacker could take against an IPSec-enabled network,
depending on whether it uses IKE-PSK or PKI to manage the encryption keys, but this
would require an experienced hacker.
Don't think that IPSec is the panacea for all your ills; there are IPSec cracking
tools available on the internet that will attempt to guess the PSK and decrypt
packets.
Countermeasures - Encrypted Applications
Other countermeasures include encrypted applications like ssh (Secure SHell, an
encrypted telnet) or SSL (Secure Sockets Layer, HTTPS traffic).
Again this reflects back to using encryption, but with the subtle difference that you are using
the encryption within an application.
Be aware though that there are known attacks against ssh and SSL.
OWA, Outlook Web Access, uses SSL to encrypt data between an internet client browser
and the Exchange mail server, but tools like Cain & Abel can spoof the SSL
certificate and mount a Man-In-The-Middle (MITM) attack and decrypt everything!