Sniffing and Spoofing
[Diagram: attack taxonomy. Items shown: Physical, Dialog, Penetration, Social Engineering, Wiretapping, Eavesdropping, Scanning, Opening Attachment, Server Hacking, Impersonation, Break-in, Password Theft, Vandalism, Message Alteration, DoS, Information Theft, Malware]
Sniffing: what an attacker can capture from the wire
- passwords
- email
- financial account information
- confidential information
- low-level protocol information used to mount further attacks:
  hardware addresses, IP addresses, routing, etc.
Spoofing
In spoofing (fooling, deceiving), an attacker impersonates someone else.
[Diagram: "Sonny, are you still alive?" / "Yes I'm here!"; participants: Faishal, Kevin, Sonny]
Types of Spoofing
- ARP spoofing / MAC spoofing: the attacker replaces the MAC address the client has recorded for a host with the attacker's own MAC address
- IP spoofing
- Email spoofing
- Web spoofing
- Spoofed reply
ARP spoofing
What is ARP? The protocol that maps IP addresses to MAC addresses on the local network.
Goal: make some machine think that the IP address it is searching for is you.
How it works:
- A host broadcasts an ARP request asking whether anyone knows the MAC address for an IP.
- The response typically comes from the machine that owns that IP; a spoofer answers with its own MAC address instead, and the victim caches the wrong mapping.
IP Spoofing
IP spoofing is the creation of TCP/IP packets with
somebody else's IP address in the header.
Routers use the destination IP address to forward
packets, but ignore the source IP address.
The source IP address is used only by the
destination machine, when it responds back to
the source.
When an attacker spoofs someone's IP address, the victim's reply goes back to that address.
Since the attacker does not receive the packets back, this is called a one-way attack or blind spoofing.
Email Spoofing
Three basic ways to perform it:
- Aliasing
- Modifying the mail client
- Telnet to port 25
Email Spoofing
One simple form of email spoofing is to create a valid email account (on Yahoo or Hotmail) and put someone else's name in the alias field.
In mail relaying, an attacker uses a mail server to send mail to someone in a different domain.
When email is sent by a user, the From: address is not validated.
Web Spoofing
One way to lure people to a malicious site is to
give it a URL that is similar to that of a legitimate
site, e.g.,
www.paypai.com
wwwFirstNationalBank.com
Fake URLs: sites that claim to be a particular Web site but, when clicked, actually link to an attacker's Web site. The URL is the Web address of a site, and there are clues in it that may indicate it will lead you to a fake or phishing site.
Defence:
One of the first rules of online security is to exercise caution at all times. Try to avoid clicking on links
in pop-up ads or links in emails that seem to be phony or suspicious. A good general rule is to type
the Web site address in your address bar directly, rather than use a link in an email message,
especially if you are going to a financial site.
You can check the URL in any email or on another Web site by simply holding your mouse above the
link. The URL will appear in your browser or status bar (the bar that is usually at the bottom of your
screen) and you can see what the name of the site is before you actually click on it.
A fairly sure sign that a URL is fake is an "@" sign in the middle of the address. If a URL contains "@", the browser ignores everything to the left of it when deciding which host to connect to. For example, www.paypal@150.44.134.189 does not take you to the PayPal site at all. Legitimate sites and companies use a domain name as part of their address rather than the "@" sign.
A dead giveaway for a fake URL or a fake Web site is basic spelling mistakes in the Web address itself.
Some URLs look very much like the name of a well-known company, but there may be letters
transposed or left out. An example might be "mircosoft.com" instead of "microsoft.com." These
slight differences can be easy to miss, and that's what phishers are counting on.
The popular Paypal site is a common target for phishers and scammers. Even if a URL contains the
word "paypal," it may not be the authentic Paypal site. Some common URLs that will NOT lead you
to the real Paypal site are: www.paypalsecure.com and www.paypal@accounts.com.
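The two URL clues above (an "@" in the address and a misspelt or padded brand name) as a small checker. This is an added example, not code from the original slides; the trusted brand list is a constructed assumption.

```python
"""Phishing-URL heuristics: '@' in the authority and look-alike domain labels.
Added example, not from the lecture slides."""
from urllib.parse import urlsplit

# Constructed list of brands treated as legitimate (assumption for the demo).
TRUSTED_BRANDS = {"paypal", "microsoft", "firstnationalbank"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches transposed or dropped letters (mircosoft)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> dict:
    """Return the host the browser would really connect to, plus warnings."""
    if "://" not in url:
        url = "http://" + url              # bare 'www.paypai.com' as typed in mail
    parts = urlsplit(url)
    host = parts.hostname or ""            # hostname is lower-cased by urlsplit
    warnings = []
    if parts.username is not None:
        # Everything before '@' is userinfo, not the site: www.paypal@150.44.134.189
        warnings.append(f"'@' in address: real host is {host}, not {parts.username}")
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else host   # second-level label
    for brand in TRUSTED_BRANDS:
        if label == brand:
            continue                       # exact match, nothing to flag
        if brand in label or edit_distance(label, brand) <= 2:
            warnings.append(f"look-alike domain: '{label}' resembles '{brand}'")
    return {"host": host, "warnings": warnings}
```

Real brand names are often short, so in production the distance threshold should scale with label length to limit false positives.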
Passive Sniffers
Passive sniffers monitor and capture packets on a network that shares one collision domain (i.e. a hubbed network, where every packet is repeated on every port of the hub).
Active Sniffers
One way of sniffing actively is to change the default gateway of the client machine so that it routes its packets via the hijacker's machine.
This can be done by ARP spoofing (sending forged ARP packets that map the hijacker's MAC address to the default gateway's IP address, which updates the ARP cache on the client and redirects its traffic to the hijacker).
Typical Session (client browser, server, session data store)
1: Request connection
2: Create session
3: Session id returned to the client
4: Subsequent requests (session id passed)
5: Validate session
6: Retrieve session data
7: Successful response
Attack Methods
- Guessing the session id: shorter length, predictable
- Session fixing: predictable, session created before the user is authenticated
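A session store that addresses both attack methods: ids come from a cryptographic random source so they cannot be guessed, and the id is rotated at login so an id fixed before authentication is worthless. This is an added example, not code from the slides; the in-memory dictionary store is an assumption.

```python
"""Session ids that resist guessing and fixation. Added example, not from the
slides; the in-memory store stands in for a real session backend."""
import hmac
import secrets
from typing import Dict, Optional

SESSION_ID_BYTES = 32            # 256 bits of entropy: not guessable


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        """Steps 2-3 of the typical session: anonymous session, random id."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate and rotate the id, so a pre-set (fixed) id is useless."""
        data = self._sessions.pop(sid, None)
        if data is None:
            raise KeyError("unknown session")
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        data["user"] = user
        self._sessions[new_sid] = data   # old id no longer validates
        return new_sid

    def lookup(self, sid: str) -> Optional[dict]:
        """Step 5: validate the presented id with a constant-time comparison,
        so response timing does not leak how many leading characters matched."""
        for known, data in self._sessions.items():
            if hmac.compare_digest(known, sid):
                return data
        return None
```

The linear scan in lookup is only there to show constant-time comparison; a real backend keys the store by an HMAC of the id instead.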
Session Sniffing
[Diagram: the typical session flow, steps 1 to 7, with a hacker sniffing the client's request that carries the session id and the successful response; the hacker then sends a request with the captured session id and receives a successful response from the server.]
Man-in-the-middle (MITM)
A hacker can also sit "inline" between B and C, using a sniffing program to watch the sequence numbers and acknowledgement numbers in the IP packets transmitted between B and C, and then hijack the connection.
This is known as a "man-in-the-middle attack".
The hijacker can send packets with commands that ask the recipient not to send back a response.
[Diagram: MitM against an HTTPS session. The client's HTTPS connection request (2) reaches hacker machine 1, which provides a server certificate with its own public key (3); the client's subsequent requests (5) are forwarded to the server (6). Hacker machine 1 waits for the session to be created and passes the session id to hacker machine 2, which sends a request with that session id and receives a successful response.]
MitM Attacks
Prevention of Sniffing
- Segmentation into trustworthy segments
- Bridges
- Better yet, switches instead of hubs
- Physical measures
Countermeasures
IP Spoofing
- Protect against it with good firewall rules; keep your own machines from launching packets with a spoofed source IP; apply router filters
- Limit configuration access on machines
- Run programs like arpwatch that keep track of IP/MAC pairings
- The best way to protect against source-routing spoofing is simply to disable source routing at your routers.
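An arpwatch-style monitor, as an added example covering both the ARP spoofing section and the arpwatch countermeasure above (it is neither arpwatch's code nor code from the slides): it records which MAC each IP last answered from and raises an alert when the pairing changes. The ARP replies are constructed sample data.

```python
"""arpwatch-style IP/MAC pairing monitor. Added example, not arpwatch's code
and not from the slides; the ARP replies below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ArpMonitor:
    """Remembers which MAC each IP last answered from and flags changes."""
    table: Dict[str, str] = field(default_factory=dict)   # ip -> mac
    alerts: List[str] = field(default_factory=list)

    def observe(self, ip: str, mac: str) -> Optional[str]:
        mac = mac.lower()
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return None                      # first sighting, nothing to compare
        if known != mac:
            alert = f"changed ethernet address: {ip} was {known}, now {mac}"
            self.alerts.append(alert)
            self.table[ip] = mac             # keep tracking the new claimant
            return alert
        return None

    def duplicates(self) -> Dict[str, List[str]]:
        """MACs that currently claim more than one IP (e.g. gateway + attacker)."""
        by_mac: Dict[str, List[str]] = {}
        for ip, mac in self.table.items():
            by_mac.setdefault(mac, []).append(ip)
        return {m: ips for m, ips in by_mac.items() if len(ips) > 1}


# Constructed ARP replies: (sender IP, sender MAC). The gateway 192.168.1.1 is
# first seen from the router's MAC; later another host answers for it.
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),
    ("192.168.1.10", "aa:bb:cc:dd:ee:01"),
    ("192.168.1.1", "00:11:22:33:44:55"),
    ("192.168.1.1", "AA:BB:CC:DD:EE:01"),   # spoofed: host .10's MAC claims the gateway IP
]


def run(replies=SAMPLE_REPLIES) -> ArpMonitor:
    mon = ArpMonitor()
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon
```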
Email Spoofing
Most email servers today do not allow email relaying. They only allow emails to be sent to/from their own range of IP addresses, and they ensure that the recipient's domain is the same domain as the mail server. The attacker can run his own email server, but then he is easier to trace.
Defense: do not allow email relaying on your SMTP servers.
Web Spoofing
Use a server-side certificate. Still, users should:
- Examine the browser location/status line
- Examine links in the HTML source code
- Disable active content (Java, JavaScript, ActiveX) in the browser
- Ensure that the browser starts on a secure page (a local HTML page)
Countermeasures - Encryption