Tim Maletic Security Consultant. Goal of this talk To convince you that: Layer 2 must be included in the scope of your security assessments Thou shalt.


1 Tim Maletic Security Consultant

2 Goal of this talk To convince you that: Layer 2 must be included in the scope of your security assessments Thou shalt test Layer 2

3 Why might someone object to this?
– The “why bother” objection
– The “sniffing isn’t that bad” objection
– The “theoretical attack” objection: too rocket science, too improbable
– The “untestable” objection

4 Thou shalt test Layer 2
Or to rephrase, Layer 2 attacks are:
1. devastating
2. being actively exploited
3. simple
4. testable

5 Road map: Part I: Devastation; Part II: Active exploitation; Part III: Simplicity; Part IV: Testability

6 Devastation: OSI model subverted. Handy mnemonic: All Pretty Serious Teenagers Never Do Physics (Application, Presentation, Session, Transport, Network, Data link, Physical)

7 Devastation: realistic attack scenarios [Diagram: DMZ / Internal Network]

8 Devastation: we’re talking CVSS ≥ 8

9 Devastation
Recall these famous words: “In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.”
Well, now we get that for free! Our slogan is: “Don’t send the user to the malicious web site, send the malicious web site to the user!” or “Why convince when you can force?”

10 Road map: Part I: Devastation; Part II: Active exploitation; Part III: Simplicity; Part IV: Testability

11 Active exploitation

12 Active exploitation: timeline
– 2006/02 NAI’s documentation of W32/Snow.a
– 2006/06 Freenode hack
– 2006/12 NAI’s documentation of NetSniff malware
– 2007/06 MSRC blogs on ARP cache poisoning in the wild
– 2008/06 Metasploit.com “defacement”
– 2009/03 SANS ISC reports mass exploitation
[Others? Let me know.]

13 zxarps

14 Road map: Part I: Devastation; Part II: Active exploitation; Part III: Simplicity; Part IV: Testability

15 Simplicity: ARP review
“The world is a jungle in general, and the networking game contributes many animals.” – David C. Plummer, RFC 826, “An Ethernet Address Resolution Protocol”
[Diagram: two hosts, IP (not captured) / MAC 00:0c:41:76:32:d4 and IP (not captured) / MAC 00:97:27:34:48:bc, exchanging “Who has ?” and “I’m at 00:97:27:34:48:bc”]
– ARP replies are cached
– New ARP replies overwrite existing entries in the cache

16 Simplicity: ARP viewed through tcpdump [Screenshot: Normal ARP traffic]

17 Simplicity: ARP cache poisoning
[Diagram: host with MAC 00:0c:41:76:32:d4, ARP cache: “...5 is at ...48:bc”; host with MAC 00:97:27:34:48:bc, ARP cache: “...1 is at ...32:d4”; third host with MAC 00:16:76:cf:e8:04 sending “... is at ...e8:04” replies to both]

18 Simplicity: ARP cache poisoned
[Diagram: host with MAC 00:0c:41:76:32:d4, ARP cache: “...5 is at ...e8:04”; host with MAC 00:97:27:34:48:bc, ARP cache: “...1 is at ...e8:04”; third host with MAC 00:16:76:cf:e8:04 now receives both sides’ traffic]

19 Simplicity: ARP viewed through tcpdump [Screenshots: Normal ARP traffic; Suspicious ARP traffic]
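An added example (not from the talk) that replays tcpdump-style ARP lines through a host-like cache, so the overwrite described on slides 15–18 and the “suspicious” traffic of slide 19 can be seen in code, and flags it the way the ARPwatch detection listed under Mitigation would. The IP addresses in the sample capture are constructed; the MACs are the three from the slides.

```python
import re

# Constructed sample in "tcpdump -n arp" style: the IP addresses are made up,
# the MACs are the three from the slides (two hosts, then the impersonating one).
SAMPLE_CAPTURE = """\
10:00:00.000100 ARP, Request who-has 192.168.1.5 tell 192.168.1.1, length 28
10:00:00.000250 ARP, Reply 192.168.1.5 is-at 00:97:27:34:48:bc, length 28
10:00:00.000400 ARP, Request who-has 192.168.1.1 tell 192.168.1.5, length 28
10:00:00.000550 ARP, Reply 192.168.1.1 is-at 00:0c:41:76:32:d4, length 28
10:00:05.100000 ARP, Reply 192.168.1.5 is-at 00:16:76:cf:e8:04, length 28
10:00:05.100100 ARP, Reply 192.168.1.1 is-at 00:16:76:cf:e8:04, length 28
"""

REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")

def audit_arp(lines):
    """Replay ARP lines through a host-style cache; return (cache, alerts).

    Replies are stored and a newer reply overwrites the existing entry, exactly
    as the slides describe. Alerts are (kind, ip, mac) tuples:
      "unsolicited": reply nobody asked for (weak on its own; gratuitous ARP
                     is normal after DHCP or failover),
      "changed":     cached MAC for this IP differs (ARPwatch's "changed
                     ethernet address"),
      "duplicate":   one MAC now answering for more than one IP.
    """
    cache, pending, ips_by_mac, alerts = {}, set(), {}, []
    for line in lines:
        req = REQUEST_RE.search(line)
        if req:
            pending.add(req.group(1))        # remember who-has targets
            continue
        rep = REPLY_RE.search(line)
        if not rep:
            continue                         # not an ARP line we understand
        ip, mac = rep.group(1), rep.group(2).lower()
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append(("unsolicited", ip, mac))
        old = cache.get(ip)
        if old is not None and old != mac:
            alerts.append(("changed", ip, mac))
        cache[ip] = mac                      # overwrite, like a real cache
        ips_by_mac.setdefault(mac, set()).add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(("duplicate", ip, mac))
    return cache, alerts
```

Run on the first four sample lines the cache matches slide 17 and there are no alerts; on all six it ends in the slide 18 state, with a “changed” alert for each overwritten entry.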

20 Simplicity: The Toolbox
arpspoof
– Part of Dug Song’s dsniff suite
– First released 12/17/1999
ettercap
– Written by Alberto Ornaghi (ALoR) and Marco Valleri (NaGA)
– First released 01/25/2001
Cain
– Written by Mao (Massimiliano Montoro)
– First released in 2001(?)
– ARP spoofing first integrated in 2003(?)

21 Simplicity: The Toolbox: ettercap

22 Simplicity: The Toolbox: Cain

23 Simplicity: The Toolbox NG
Scapy
– Written by Philippe Biondi
– First released <2003?
The Middler
– Written by Jay Beale, Matt Carpenter and Justin Searle
– First released in 2008?

24 Road map: Part I: Devastation; Part II: Active exploitation; Part III: Simplicity; Part IV: Testability

25 Testability: You don’t want to be that guy
– The guy using arpspoof who forgot to enable ip_forwarding
– The guy who used the ettercap command line syntax he found on some web tutorial: “ettercap -T -q -F ig.ef -M ARP // //”
– The guy who was man-in-the-middling the network when his laptop died

26 Testability: Ettercap safety manual (1)
1. Read this list in its entirety before you begin.
2. Play in your sandbox.
3. Don’t mess with kernel IP Forwarding. Unlike arpspoof, ettercap handles this internally.
4. Don’t target infrastructure. (yet :)
5. Choose precise targets.

27 Testability: Ettercap safety manual (2)
6. Be familiar with the in-line commands for the Text interface.

28 Testability: Ettercap safety manual (3)
7. Always exit using the “q” in-line command.

29 Testability: From chainsaw to scalpel
– Recon targets
– Specify precise targets
– Perform multi-staged attacks
– Stitch the network back together

30 Testability: Enhancing the Middler
Problem #1: The Middler doesn’t clean up after itself
Why is this a problem? From the Middler’s code: “TODO: If we used scapy, send out three ARP replies with the impersonated_host’s real MAC address. For now, don't worry about it. ARP caches recover quickly.” But reality is more complicated than that.
Problem #2: The Middler targets the entire local subnet

31 Testability+Devastation=Scalpel Massacre
Own domain credentials
– deliver UNC path to attacker’s malicious SMB share
– crack hashes via HALFLMCHALL Rainbow Tables
Own browsers
– deliver Metasploit’s BrowserAutopwn
– to specific targets
– exactly one time
Own SSL
– deliver SSLstrip
– to particular victims, against particular web servers, for a fixed number of requests
Own 2-factor auth
– while modifying victim’s valid PIN+Tokencode value
– you use it

32 Testability+Devastation=Scalpel Massacre
Downgrade attacks
– NTLM
– SSL
– SSH
Subvert software update processes
– a la evilgrade
The only limit is your imagination! :)

33 Mitigation
Detection
– ARPwatch
– snort rules(?)
Prevention
– Cisco Switch port security
– Cisco Dynamic ARP Inspection?
– NAC

34 Recap
Layer 2 attacks are:
1. devastating
2. simple
3. being actively exploited
4. testable
Ergo... Thou shalt test layer 2

35 Discussion: Questions? I’m interested in your feedback:

