IIT Kanpur Hackers Workshop, 24 Feb
A current analysis of man-in-the-middle (MITM) attacks
Sachin Deodhar
The scenario
(diagram: server, client, attacker)
MITM attack scenarios (TOC)
Different attacks in different scenarios:
LOCAL AREA NETWORK:
- ARP poisoning
- DNS spoofing
- STP mangling
- Port stealing
FROM LOCAL TO REMOTE (through a gateway):
- ARP poisoning
- DNS spoofing
- DHCP spoofing
- ICMP redirection
- IRDP spoofing
- route mangling
REMOTE:
- DNS poisoning
- traffic tunneling
- route mangling
MITM attack techniques: the local scenario
Local attacks (1) ARP poisoning
ARP is stateless (we all know how it works and what the problems are).
Some operating systems do not update an entry if it is not already in the cache; others accept only the first received reply (e.g. Solaris).
The attacker can forge spoofed ICMP packets to force the host to make an ARP request, and immediately after the ICMP sends the fake ARP reply.
The scenario
(diagram: server, client, attacker; gratuitous ARP (forged))
Local attacks (1) ARP poisoning - tools
ettercap:
- poisoning
- sniffing
- hijacking
- filtering
- SSH v.1 sniffing (transparent attack)
dsniff:
- poisoning
- sniffing
- SSH v.1 sniffing (proxy attack)
Local attacks (1) ARP poisoning - countermeasures
YES - passive monitoring (arpwatch)
YES - active monitoring (ettercap)
YES - IDS (detects but does not avoid)
YES - static ARP entries (avoids it)
YES - Secure-ARP (public key authentication)
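The passive-monitoring countermeasure above, as an added example that is not part of the slides and is not arpwatch's own code: a small arpwatch-style monitor that keeps an IP-to-MAC table from observed ARP replies and reports the same three events arpwatch reports (new station, changed hardware address, and a "flip flop" where an IP returns to a MAC it was bound to earlier). The flip flop is the trace ARP poisoning leaves when the real host and the poisoner keep re-announcing the same IP. The ARP events, addresses and timestamps are constructed sample data.

```python
"""arpwatch-style passive ARP monitor over constructed sample traffic.

Added example (not from the slides or from arpwatch). Keeps an IP -> MAC
table and reports new stations, changed hardware addresses and flip flops.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ArpEvent:
    ts: float          # capture time in seconds
    sender_ip: str     # ARP sender protocol address
    sender_mac: str    # ARP sender hardware address
    gratuitous: bool   # True for an unsolicited announce (sender IP == target IP)


@dataclass
class ArpMonitor:
    table: Dict[str, str] = field(default_factory=dict)          # current IP -> MAC
    history: Dict[str, List[str]] = field(default_factory=dict)  # every MAC seen per IP
    alerts: List[Tuple[float, str, str]] = field(default_factory=list)

    def observe(self, ev: ArpEvent) -> None:
        old = self.table.get(ev.sender_ip)
        seen = self.history.setdefault(ev.sender_ip, [])
        if old is None:
            kind = "new station"
        elif old == ev.sender_mac:
            kind = None                      # binding unchanged, nothing to report
        elif ev.sender_mac in seen:
            kind = "flip flop"               # IP went back to a MAC it had before
        else:
            kind = "changed ethernet address"
        if kind is not None:
            detail = f"{ev.sender_ip}: {old or '-'} -> {ev.sender_mac}"
            if ev.gratuitous:
                detail += " (gratuitous)"
            self.alerts.append((ev.ts, kind, detail))
        if ev.sender_mac not in seen:
            seen.append(ev.sender_mac)
        self.table[ev.sender_ip] = ev.sender_mac


# Constructed sample: the gateway 192.168.1.1 is legitimately at
# 00:11:22:33:44:01; a second station later announces the gateway's IP with
# its own MAC, and the two announcements keep overwriting each other.
SAMPLE_EVENTS = [
    ArpEvent(0.0, "192.168.1.1",  "00:11:22:33:44:01", False),
    ArpEvent(0.5, "192.168.1.10", "00:11:22:33:44:0a", False),
    ArpEvent(5.0, "192.168.1.1",  "de:ad:be:ef:00:01", True),
    ArpEvent(5.4, "192.168.1.1",  "00:11:22:33:44:01", False),
    ArpEvent(6.0, "192.168.1.1",  "de:ad:be:ef:00:01", True),
]


def run_sample(events=SAMPLE_EVENTS) -> List[str]:
    """Feed the events through a fresh monitor and return the alert kinds in order."""
    mon = ArpMonitor()
    for ev in events:
        mon.observe(ev)
    return [kind for _, kind, _ in mon.alerts]


if __name__ == "__main__":
    mon = ArpMonitor()
    for ev in SAMPLE_EVENTS:
        mon.observe(ev)
    for ts, kind, detail in mon.alerts:
        print(f"{ts:6.1f}  {kind:24s} {detail}")
```

A single "changed ethernet address" can be a legitimate NIC replacement; a run of flip flops on the gateway's IP within seconds is what deserves a page. On a real network the events come from a capture filter on ARP replies rather than from the constructed list.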
Local attacks (2) DNS spoofing
(diagram: host, DNS server, X.localdomain.in, MITM)
If the attacker is able to sniff the ID of the DNS request, he/she can reply before the real DNS server.
Local attacks (2) DNS spoofing - tools
- ettercap (Phantom plugin)
- dsniff (dnsspoof)
- zodiac
Local attacks (2) DNS spoofing - countermeasures
YES - detect multiple replies (IDS)
YES - use the lmhosts or hosts file for static resolution of critical hosts
YES - DNSSEC
Local attacks (3) STP mangling
It is not a real MITM attack, since the attacker is able to receive only unmanaged traffic.
The attacker can forge BPDUs with high priority, pretending to be the new root of the spanning tree.
Local attacks (3) STP mangling - tools
- ettercap (with the Lamia plugin)
Local attacks (3) STP mangling - countermeasures
YES - Disable STP on VLANs without loops
YES - Root Guard, BPDU Guard
Local attacks (4) Port stealing
The attacker floods the switch with forged gratuitous ARP packets whose source MAC address is that of the target host and whose destination MAC address is that of the attacker. Since the destination MAC address of each flooding packet is the attacker's own MAC address, the switch will not forward these packets to other ports, so they will not be seen by other hosts on the network.
This is a race condition, because the target host will send packets too. The switch will see packets with the same source MAC address on two different ports and will constantly change the binding of the MAC address to the port (remember that the switch binds a MAC address to a single port). If the attacker is fast enough, packets intended for the target host will be sent to the attacker's switch port and not to the target host.
When a packet arrives, the attacker performs an ARP request asking for the target host's IP address, then stops the flooding and waits for the ARP reply. When the attacker receives the reply, it means that the target host's switch port has been restored to its original binding. The attacker now sniffs the packet, forwards it to the target host and restarts the attack ad nauseam…
Local attacks (5) Port stealing how-to
(diagram: ports 1, 2, 3 of a layer 2 switch with A, the attacker and B; gratuitous ARP (forged))
Local attacks (4) Port stealing - tools
- ettercap (with the Confusion plugin)
Local attacks (4) Port stealing - countermeasures
YES - port security on the switch
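Port security stops the switch from re-learning a MAC on a second port, but even without it the attack leaves a visible trace: the target's MAC address flaps between the attacker's port and its own many times a second. The following detector is an added example, not from the slides or any vendor tool; it slides a time window over "MAC learned on port" events (constructed sample data here; on real switches they come from MAC-move notification syslogs or from polling the forwarding table) and alerts on a MAC that moves more than a few times inside the window, while a single legitimate move (a laptop re-plugged elsewhere) stays quiet.

```python
"""Detect MAC-to-port flapping, the trace port stealing leaves in a switch.

Added example (not from the slides or any vendor tool). Events are
(timestamp, mac, port) tuples, constructed below for the demonstration.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

MacEvent = Tuple[float, str, int]   # (timestamp in seconds, mac, switch port)


def detect_mac_flapping(events: List[MacEvent], window: float = 10.0,
                        max_moves: int = 3) -> List[Tuple[float, str, List[int]]]:
    """Return (ts, mac, ports) for every MAC that changed port more than
    max_moves times within `window` seconds; one alert per MAC."""
    last_port: Dict[str, int] = {}
    moves: Dict[str, Deque[Tuple[float, int, int]]] = defaultdict(deque)
    alerts: List[Tuple[float, str, List[int]]] = []
    alerted: Set[str] = set()
    for ts, mac, port in events:
        prev = last_port.get(mac)
        last_port[mac] = port
        if prev is None or prev == port:
            continue                          # first sighting or same port: not a move
        q = moves[mac]
        q.append((ts, prev, port))
        while q and ts - q[0][0] > window:    # forget moves older than the window
            q.popleft()
        if len(q) > max_moves and mac not in alerted:
            ports = sorted({p for _, a, b in q for p in (a, b)})
            alerts.append((ts, mac, ports))
            alerted.add(mac)
    return alerts


# Constructed switch log: host B (port 3) is the target; its MAC is
# re-learned on port 1 and back on port 3 five times in under two seconds.
# Host A never moves, and host C moves once, legitimately, a minute later.
SAMPLE_EVENTS: List[MacEvent] = [
    (0.0, "00:11:22:33:44:0b", 3),
    (0.1, "00:11:22:33:44:0a", 2),
    (1.0, "00:11:22:33:44:0b", 1),
    (1.2, "00:11:22:33:44:0b", 3),
    (1.4, "00:11:22:33:44:0b", 1),
    (1.6, "00:11:22:33:44:0b", 3),
    (1.8, "00:11:22:33:44:0b", 1),
    (5.0, "00:11:22:33:44:0c", 5),
    (60.0, "00:11:22:33:44:0c", 6),
]


def run_sample() -> List[Tuple[float, str, List[int]]]:
    return detect_mac_flapping(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ts, mac, ports in run_sample():
        print(f"{ts:6.1f}  {mac} flapping between ports {ports}")
```

The threshold of three moves in ten seconds is deliberately loose; a host that is physically moved produces one move, and the stealing loop produces a move for every packet it intercepts.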
Attack techniques: from local to remote
Local to remote attacks (1) DHCP spoofing
DHCP requests are made in broadcast mode. If the attacker replies before the real DHCP server, it can manipulate:
- the IP address of the victim
- the GW address assigned to the victim
- the DNS address
Local to remote attacks (1) DHCP spoofing - countermeasures
YES - detection of multiple DHCP replies
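The "detect multiple replies" countermeasure listed for DNS spoofing and the "detection of multiple DHCP replies" countermeasure above are the same check on two transaction identifiers (the DNS header ID and the DHCP xid). The detector below is an added example, not from the slides or from any IDS product: it pairs requests with replies and alerts on a reply that has no outstanding request and on two replies for one transaction that disagree about the answer or come from different sources. The records are constructed sample data; a real sensor would fill them from captured packets.

```python
"""Detect unsolicited or conflicting replies to one request (DNS ID, DHCP xid).

Added example (not from the slides or any IDS product). Works on a list of
constructed records rather than on live packets.
"""
from collections import defaultdict
from typing import Dict, List, Tuple


def detect_duplicate_replies(records: List[Dict]) -> List[str]:
    """records: dicts with keys proto ('dns'|'dhcp'), id (int transaction id),
    kind ('request'|'reply'), src (IP of the sender) and answer (summary).
    Returns human-readable alerts in the order they were triggered."""
    pending: Dict[Tuple[str, int], Dict] = {}
    replies: Dict[Tuple[str, int], List[Dict]] = defaultdict(list)
    alerts: List[str] = []
    for r in records:
        key = (r["proto"], r["id"])
        if r["kind"] == "request":
            pending[key] = r          # a fresh request opens a new transaction
            replies[key] = []
            continue
        if key not in pending:
            alerts.append(f"{r['proto']}: reply id={r['id']:#x} from {r['src']} "
                          "without a matching request")
            continue
        for earlier in replies[key]:
            if earlier["src"] != r["src"] or earlier["answer"] != r["answer"]:
                alerts.append(f"{r['proto']}: conflicting replies for id={r['id']:#x}: "
                              f"{earlier['src']} said {earlier['answer']!r}, "
                              f"{r['src']} said {r['answer']!r}")
                break
        replies[key].append(r)
    return alerts


# Constructed traffic: 10.0.0.53 is the real resolver and 10.0.0.1 the real
# DHCP server; 10.0.0.66 is a second station answering both kinds of request.
SAMPLE_RECORDS = [
    {"proto": "dns", "id": 0x1a2b, "kind": "request", "src": "10.0.0.10",
     "answer": "www.example.com A?"},
    {"proto": "dns", "id": 0x1a2b, "kind": "reply", "src": "10.0.0.53",
     "answer": "www.example.com A 192.0.2.80"},
    {"proto": "dns", "id": 0x1a2b, "kind": "reply", "src": "10.0.0.66",
     "answer": "www.example.com A 10.0.0.66"},
    {"proto": "dhcp", "id": 0x3f3f3f3f, "kind": "request", "src": "0.0.0.0",
     "answer": "DISCOVER"},
    {"proto": "dhcp", "id": 0x3f3f3f3f, "kind": "reply", "src": "10.0.0.1",
     "answer": "OFFER 10.0.0.50 gw 10.0.0.1 dns 10.0.0.53"},
    {"proto": "dhcp", "id": 0x3f3f3f3f, "kind": "reply", "src": "10.0.0.66",
     "answer": "OFFER 10.0.0.50 gw 10.0.0.66 dns 10.0.0.66"},
    {"proto": "dns", "id": 0x7777, "kind": "reply", "src": "10.0.0.66",
     "answer": "mail.example.com A 10.0.0.66"},
]


def run_sample(records=SAMPLE_RECORDS) -> List[str]:
    return detect_duplicate_replies(records)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The sensor cannot tell which of the two conflicting replies the victim accepted (the host takes the first one), so the alert names both sources and leaves the decision to the analyst; the unsolicited-reply case is the one a blind remote poisoner produces.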
Local to remote attacks (2) ICMP redirect
(diagram: G1, AT, H and T on the LAN; ICMP redirect to AT)
The attacker can forge an ICMP redirect packet in order to redirect traffic to himself.
Local to remote attacks (2) ICMP redirect - tools
- IRPAS icmp_redirect (Phenoelit)
- icmp_redir (Yuri Volobuev)
Local to remote attacks (2) ICMP redirect - countermeasures
YES - Disable ICMP REDIRECT
NO - Linux has the secure redirect option, but it seems to be ineffective against this attack
Local to remote attacks (3) IRDP spoofing
The attacker can forge advertisement packets pretending to be the router for the LAN. He/she can set the preference level and the lifetime to high values to be sure the hosts will choose it as the preferred router.
The attack can be improved by sending spoofed ICMP Host Unreachable messages pretending to be the real router.
Local to remote attacks (3) IRDP spoofing - tools
- IRPAS by Phenoelit
Local to remote attacks (3) IRDP spoofing - countermeasures
YES - Disable IRDP on hosts if the operating system permits it.
Local to remote attacks (4) ROUTE mangling
The attacker can forge packets for the gateway (GW) pretending to be a router with a good metric for a specified host on the Internet.
(diagram: INTERNET, GW, AT, H)
Local to remote attacks (4) ROUTE mangling
Now the problem for the attacker is to send packets to the real destination. He/she cannot send them through GW, since it is convinced that the best route is AT.
(diagram: INTERNET, GW, AT, H, D, AT2; tunnel)
Local to remote attacks (4) ROUTE mangling - tools
- IRPAS (Phenoelit)
- Nemesis
Local to remote attacks (4) ROUTE mangling - countermeasures
YES - Disable dynamic routing protocols in this type of scenario
YES - Enable ACLs to block unexpected updates
YES - Enable authentication on the protocols that support it
Attack techniques: remote scenarios
Remote attacks (1) DNS poisoning: type 1 attack
- The attacker sends a request to the victim DNS asking for one host
- The attacker spoofs the reply which is expected to come from the real DNS
- The spoofed reply must contain the correct ID (brute force or semi-blind guessing)
Remote attacks (1) DNS poisoning: type 2 attack
- The attacker can send a dynamic update to the victim DNS
- If the DNS processes it, it is even worse, because it will be authoritative for those entries
Remote attacks (1) DNS poisoning - tools
- ADMIdPack
- Zodiac
Remote attacks (1) DNS poisoning - countermeasures
YES - Use a DNS with random transaction IDs (Bind v9)
YES - DNSSEC (Bind v9) allows the digital signature of the replies
NO - Restrict dynamic updates to a range of IPs (they can be spoofed)
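The type 1 attack stands or falls on guessing the 16-bit transaction ID of an outstanding query, which is why random IDs are listed first among the countermeasures: a resolver that increments its IDs hands the attacker the next ID from a single observed query, while a random ID forces one guess in 65536 per spoofed packet. The audit below is an added example, not from the slides or from BIND: it takes a list of transaction IDs observed leaving a resolver and flags sequential IDs or IDs confined to a small window. Both ID sequences are constructed (one counter, one PRNG).

```python
"""Audit a resolver's DNS transaction IDs for predictability.

Added example (not from the slides or from BIND). The ID sequences are
constructed: SEQUENTIAL_IDS models an incrementing counter, RANDOM_IDS a
resolver drawing IDs from a PRNG.
"""
import random
from typing import Dict, List


def assess_transaction_ids(ids: List[int]) -> Dict[str, float]:
    """Return simple predictability statistics for a sequence of observed IDs."""
    if len(ids) < 2:
        raise ValueError("need at least two observed IDs")
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    sequential = sum(1 for d in deltas if d == 1) / len(deltas)
    span = (max(ids) - min(ids) + 1) / 65536    # share of the 16-bit space in use
    return {
        "sequential_fraction": sequential,
        "distinct_fraction": len(set(ids)) / len(ids),
        "range_fraction": span,
    }


def is_predictable(ids: List[int]) -> bool:
    """Flag resolvers whose IDs mostly increment or stay inside a tiny window."""
    stats = assess_transaction_ids(ids)
    return stats["sequential_fraction"] > 0.5 or stats["range_fraction"] < 0.05


def guesses_per_packet(ids: List[int]) -> int:
    """How many IDs a spoofer must cover to hit the next query, under this audit's model:
    a sequential resolver needs one guess, a random one the whole 16-bit space."""
    return 1 if is_predictable(ids) else 65536


SEQUENTIAL_IDS = [0x1000 + i for i in range(200)]
_rng = random.Random(7)                       # fixed seed so the sample is reproducible
RANDOM_IDS = [_rng.randrange(65536) for _ in range(200)]


if __name__ == "__main__":
    for name, ids in [("sequential", SEQUENTIAL_IDS), ("random", RANDOM_IDS)]:
        print(name, assess_transaction_ids(ids), "predictable" if is_predictable(ids) else "ok")
```

Random IDs alone still leave the attacker a brute-force window while a query is outstanding; the later countermeasure on the slide, DNSSEC, closes that window by signing the answer instead of hiding the ID.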
Remote attacks (2) Traffic tunneling
(diagram: Router 1, Gateway, INTERNET, server, client, fake host, attacker; GRE tunnel)
Remote attacks (2) Traffic tunneling - tools
- ettercap (Zaratan plugin)
- tunnelX
Remote attacks (2) Traffic tunneling - countermeasures
YES - Strong passwords and community strings on routers
Remote attacks (3) ROUTE mangling revisited
The attacker aims to hijack the traffic between the two victims A and B. The attack will collect sensitive information through:
- traceroute
- port scanning
- protoscanning
Quite impossible against link-state protocols.
Remote attacks (3) ROUTE mangling revisited: scenario 1a (IGRP inside the AS)
(diagram: A, B, R1, R2) The attacker pretends to be the GW.
Remote attacks (3) ROUTE mangling revisited: scenario 1b (IGRP inside the AS)
(diagram: A, B, R1, R2, R3)
Remote attacks (3) ROUTE mangling revisited: scenario 2a (the traffic does not pass through the AS)
(diagram: AS 1, AS 2, AS 3; BG 1, BG 2, BG 3; BGP, RIP)
Remote attacks (3) ROUTE mangling revisited - tools
- IRPAS by Phenoelit
- Nemesis
Remote attacks (3) ROUTE mangling revisited - countermeasures
YES - Use routing protocol authentication
Conclusions
The security of a connection relies on:
- proper configuration of the client (avoiding ICMP redirect, ARP poisoning etc.)
- the other endpoint's infrastructure (e.g. DNS dynamic update)
- the strength of third-party appliances to which we don't have access (e.g. tunneling and route mangling).
The best way to ensure secure communication is the correct and conscious use of cryptographic systems:
- both client and server side
- at the network layer (i.e. IPSec)
- at the transport layer (i.e. SSLv3)
- at the application layer (i.e. PGP).
Once in the middle…
- Injection attacks
- Key manipulation attacks
- Downgrade attacks
- Filtering attacks
Injection attacks
Add packets to an already established connection (only possible in a full-duplex MITM). The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets.
If the MITM attack is a proxy attack it is even easier to inject (there are two distinct connections).
Injection attack examples: command injection
Useful in scenarios where one-time authentication is used (e.g. RSA token). In such scenarios sniffing the password is useless, but hijacking an already authenticated session is critical.
- Injection of commands to the server
- Emulation of fake replies to the client
Key manipulation in the case of popular VPN/crypto systems
- SSH v1
- IPSEC
- HTTPS
Key manipulation attack example: SSH v1
Modification of the public key exchanged by server and client.
(diagram: server, client, MITM; start; KEY(rsa); E_key[S-Key]; S-KEY; M; E_skey(M); D(E(M)))
Key manipulation attack example: IPSEC
If two or more clients share the same secret, each of them can impersonate the server with another client.
(diagram: client, MITM, server; Diffie-Hellman exchange 1 - authenticated by pre-shared secret; Diffie-Hellman exchange 2 - authenticated by pre-shared secret; decrypt packet, re-encrypt packet)
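The sentence "if two or more clients share the same secret, each of them can impersonate the server" is a statement about the verifier's key table, and the check that defeats it is a key table with one secret per peer. The model below is an added example, not from the slides and not an IKE implementation: the Diffie-Hellman exchange is reduced to an opaque transcript, "authenticated by pre-shared secret" is modelled as an HMAC over the transcript and the claimed identity, and the verifier looks the key up by the identity the peer claims (an assumption of this model; IKEv1 main mode can only select the key by peer address, which is exactly why group keys were common). All secrets, identities and the transcript are constructed values.

```python
"""Why a pre-shared key shared by several peers lets one peer pose as the server.

Added example (not from the slides, not IKE). Compares a verifier whose key
table holds one group secret with one that holds a secret per peer identity.
"""
import hashlib
import hmac
from typing import Dict


def auth_tag(psk: bytes, transcript: bytes, identity: str) -> bytes:
    """Authenticator a peer sends: keyed hash over the exchange and its claimed name."""
    return hmac.new(psk, transcript + b"|" + identity.encode(), hashlib.sha256).digest()


class Verifier:
    """A peer's local key table and the check it applies to an incoming authenticator."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self.secrets = secrets            # identity -> pre-shared key

    def accepts(self, claimed_identity: str, transcript: bytes, tag: bytes) -> bool:
        psk = self.secrets.get(claimed_identity)
        if psk is None:
            return False                  # unknown identity: nothing to verify against
        expected = auth_tag(psk, transcript, claimed_identity)
        return hmac.compare_digest(expected, tag)


TRANSCRIPT = b"constructed-dh-transcript"       # stands in for the DH public values
GROUP_PSK = b"constructed-group-secret"

# Key table 1: the gateway and every client share one secret.
group_policy = Verifier({"vpn-gateway": GROUP_PSK, "alice": GROUP_PSK, "bob": GROUP_PSK})
# Key table 2: each peer has its own secret; holding bob's key says nothing about the gateway's.
per_peer_policy = Verifier({"vpn-gateway": b"constructed-gateway-secret",
                            "alice": b"constructed-alice-secret",
                            "bob": b"constructed-bob-secret"})


def tag_verifies_as_gateway(verifier: Verifier, key_in_hand: bytes) -> bool:
    """Does an authenticator computed with key_in_hand pass the check for 'vpn-gateway'?"""
    return verifier.accepts("vpn-gateway", TRANSCRIPT,
                            auth_tag(key_in_hand, TRANSCRIPT, "vpn-gateway"))


if __name__ == "__main__":
    print("group key, holder of any client key passes as gateway:",
          tag_verifies_as_gateway(group_policy, GROUP_PSK))
    print("per-peer keys, holder of bob's key passes as gateway:",
          tag_verifies_as_gateway(per_peer_policy, b"constructed-bob-secret"))
```

The per-peer table is the property certificate-based authentication gives for free: the gateway's credential is something no client holds, so a client's own credential never verifies under the gateway's name.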
Key manipulation attack example: HTTPS
We can create a fake certificate (e.g. issued by VerySign), relying on browser misconfiguration or user dumbness.
(diagram: client, MiM, server; fake cert.; real connection to the server)
Filtering attacks
The attacker can modify the payload of the packets by recalculating the checksum. He/she can create filters on the fly.
The length of the payload can also be changed, but only in full-duplex (in this case the seq has to be adjusted).
Filtering attack examples: code filtering / injection
- Insertion of malicious code into web pages or mail (JavaScript, trojans, viruses, etc.)
- Modification on the fly of binary files during the download phase (virus, backdoor, etc.)
Filtering attack examples: HTTPS redirection
Let's see an example:
- HTTP main page with HTTPS login form
- change form destination to HTTP
- HTTP POST (login\password)
- auto-submitting hidden form with the right authentication data
- real HTTPS authentication POST
- authenticated connection
(diagram: client, MiM, server; login, password)
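The step that makes this attack possible is the first one: the page carrying the login form is itself delivered over HTTP, so the attacker can change the form destination and the browser shows no warning. The checker below is an added example, not from the slides and not a browser feature; it parses a page with the standard library and reports any form containing a password field when the page URL or the form's resolved action is not HTTPS. The pages, URLs and form fields are constructed samples.

```python
"""Flag login forms an on-path attacker could rewrite or read.

Added example (not from the slides). Parses constructed sample pages with
html.parser and checks the scheme of the page and of each login form's action.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and whether it holds a password field."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if a.get("type", "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_login_forms(html: str, page_url: str) -> List[str]:
    """Return one finding per way a login form on this page is exposed."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    page_scheme = urlsplit(page_url).scheme
    findings: List[str] = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])   # relative actions inherit the page scheme
        if page_scheme != "https":
            findings.append(f"login form delivered over {page_scheme} ({page_url}) "
                            "can be rewritten in transit")
        if urlsplit(action).scheme != "https":
            findings.append(f"login form posts credentials in clear text to {action}")
    return findings


# Constructed sample pages. PAGE_AS_SERVED is the HTTP main page with an HTTPS
# login form; PAGE_AS_REWRITTEN is what the client receives after the form
# destination has been changed to HTTP; PAGE_SAFE is the same markup served over HTTPS.
LOGIN_PAGE = """<html><body>
<form action="/search" method="get"><input name="q" type="text"></form>
<form action="{action}" method="post">
  <input name="login" type="text">
  <input name="password" type="password">
  <input type="submit" value="Login">
</form></body></html>"""
PAGE_AS_SERVED = LOGIN_PAGE.format(action="https://www.example.com/login")
PAGE_AS_REWRITTEN = LOGIN_PAGE.format(action="http://www.example.com/login")
PAGE_SAFE = PAGE_AS_SERVED

if __name__ == "__main__":
    for url, page in [("http://www.example.com/", PAGE_AS_SERVED),
                      ("http://www.example.com/", PAGE_AS_REWRITTEN),
                      ("https://www.example.com/", PAGE_SAFE)]:
        print(url, insecure_login_forms(page, url) or ["ok"])
```

Note that the page as the server sent it already produces a finding: the server-side fix is to serve the page carrying the form over HTTPS, not only the form's target, since a form served in clear text is whatever the attacker makes it.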
Downgrade attacks for typical VPN/crypto systems
- SSH v2
- IPSEC
- PPTP
Downgrade attack examples: SSH v2 -> v1
Parameters exchanged by server and client at the beginning of a connection (the algorithms to be used later) can be substituted. The attacker can force the client to initialize an SSH1 connection instead of SSH2.
The server replies in this way:
- SSH-1.99: the server supports ssh1 and ssh2
- SSH-1.51: the server supports ONLY ssh1
The attacker makes a filter to replace 1.99 with 1.51.
Possibility to circumvent known_hosts.
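The downgrade only works against a client that is willing to fall back when the server's identification string advertises protocol 1 alone; a client that requires protocol 2 aborts instead (OpenSSH clients of that era had the `Protocol 2` option in ssh_config for this). The code below is an added example, not from the slides and not OpenSSH code: it parses the "SSH-protoversion-softwareversion" line, maps "1.99" to "both protocols" and "1.5x" to "protocol 1 only" as the slide describes, and applies a client policy to it. The banners are constructed samples.

```python
"""Client-side SSH protocol policy applied to the server identification string.

Added example (not from the slides, not OpenSSH). "1.99" means the server
speaks both protocol 1 and 2; "1.5x" means protocol 1 only.
"""
import re
from typing import Set, Tuple

BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-([^\s]+)(?: (.*))?$")


class PolicyError(Exception):
    """Raised when the server does not offer a protocol the client policy allows."""


def parse_banner(line: str) -> Tuple[int, int, str]:
    """Split 'SSH-1.99-OpenSSH_3.4p1' into (major, minor, software)."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)


def offered_protocols(major: int, minor: int) -> Set[int]:
    """Map the protoversion field to the set of protocol generations offered."""
    if major == 2:
        return {2}
    if major == 1 and minor == 99:      # "1.99": compatible with both generations
        return {1, 2}
    if major == 1:
        return {1}
    raise ValueError(f"unknown protocol version {major}.{minor}")


def choose_protocol(server_banner: str, require_v2: bool = True) -> int:
    """Pick the protocol a client with the given policy would start, or refuse."""
    major, minor, _software = parse_banner(server_banner)
    offered = offered_protocols(major, minor)
    if 2 in offered:
        return 2
    if require_v2:
        raise PolicyError("server offers protocol 1 only; refusing to fall back")
    return 1


def downgrade_rejected(server_banner: str) -> bool:
    """True when a protocol-2-only client aborts on this banner instead of connecting."""
    try:
        choose_protocol(server_banner, require_v2=True)
    except PolicyError:
        return True
    return False


# Constructed banners: the genuine one and the one after the 1.99 -> 1.51 rewrite.
GENUINE_BANNER = "SSH-1.99-OpenSSH_3.4p1\r\n"
REWRITTEN_BANNER = "SSH-1.51-OpenSSH_3.4p1\r\n"

if __name__ == "__main__":
    for banner in (GENUINE_BANNER, REWRITTEN_BANNER):
        print(banner.strip(), "->", "protocol 2" if not downgrade_rejected(banner)
              else "refused (protocol 1 only)")
```

The known_hosts point on the slide follows from the same policy: protocol 1 and protocol 2 host keys are different keys, so a client that falls back to protocol 1 is also comparing against a host key it may never have pinned.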
Downgrade attack examples: IPSEC failure
Block the key material exchanged on UDP port 500. The endpoints think that the other cannot start an IPSEC connection.
If the client is configured in rollback mode, there is a good chance that the user will not notice that the connection is in clear text.
Downgrade attack examples: PPTP attack (1)
During the negotiation phase:
- Force PAP authentication (almost fails)
- Force MS-CHAPv1 instead of MS-CHAPv2 (easier to crack)
- Force no encryption
Force re-negotiation (clear text terminate-ack):
- Retrieve passwords from existing tunnels
- Perform the previous attacks
Force a password change to obtain password hashes:
- Hashes can be used directly by a modified SMB or PPTP client
- MS-CHAPv2 hashes are not useful (you can force v1)
Downgrade attack examples: PPTP attack (2)
Force PAP from CHAP
(diagram: server, client, MITM; LCP exchange: req|auth|chap, nak|auth|pap, req|auth|pap, ack|auth|pap, req|auth|fake, nak|auth|chap, req|auth|pap, ack|auth|pap)
We don't have to mess with GRE sequences...
Downgrade attack examples: L2TP rollback
L2TP can use IPSec ESP as the transport layer (stronger than PPTP). By default L2TP is tried before PPTP.
Blocking ISAKMP packets results in an IPSec failure; the client then starts a request for a PPTP tunnel (rollback). Now you can perform the previous PPTP attacks.