Presentation is loading. Please wait.

Presentation is loading. Please wait.

Man in the middle attacks

Published byCornelius Chapman Modified over 6 years ago

Similar presentations

Presentation on theme: "Man in the middle attacks"— Presentation transcript:

1 Man in the middle attacks
Alberto Ornaghi Marco Valleri Man in the middle attacks What they are How to achieve them How to use them How to prevent them Blackhats Italia 2003 Blackhats italia 2002

2 Table of contents Different attacks in different scenarios:
LOCAL AREA NETWORK: - ARP poisoning - DNS spoofing - STP mangling FROM LOCAL TO REMOTE (through a gateway): - ARP poisoning - DNS spoofing - DHCP spoofing - ICMP redirection - IRDP spoofing - route mangling REMOTE: - DNS poisoning - traffic tunneling - route mangling Blackhats Italia 2003 Blackhats italia 2002

3 Once in the middle... Blackhats Italia 2003 Blackhats italia 2002

4 Sniffing It is the easiest attack to launch since all the packets transit through the attacker. All the “plain text” protocols are compromised (the attacker can sniff user and password of many widely used protocol such as telnet, ftp, http) Blackhats Italia 2003 Blackhats italia 2002

5 Hijacking Easy to launch
It isn’t blind (the attacker knows exactly the sequence numbers of the TCP connection) Blackhats Italia 2003 Blackhats italia 2002

6 Injecting Possibility to add packets to an already established connection (only possible in full-duplex mitm) The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets. If the mitm attack is a “proxy attack” it is even easier to inject (there are two distinct connections) Blackhats Italia 2003 Blackhats italia 2002

7 Filtering The attacker can modify the payload of the packets by recalculating the checksum He/she can create filters on the fly The length of the payload can also be changed but only in full-duplex (in this case the seq has to be adjusted) Blackhats Italia 2003 Blackhats italia 2002

8 Attacks examples Blackhats Italia 2003 Blackhats italia 2002

9 Attacks examples (1) Command injection
Useful in scenarios where a one time authentication is used (e.g. RSA token). In such scenarios sniffing the password is useless, but hijacking an already authenticated session is critical Injection of commands to the server Emulation of fake replies to the client Blackhats Italia 2003 Blackhats italia 2002

10 Attacks examples (2) Malicious code injection
Insertion of malicious code into web pages or mail (javascript, trojans, virus, ecc) Modification on the fly of binary files during the download phase (virus, backdoor, ecc) Blackhats Italia 2003 Blackhats italia 2002

11 Attacks examples (3) Key exchanging
Modification of the public key exchanged by server and client. (eg SSH1) start Server Client KEY(rsa) KEY(rsa) MITM Ekey[S-Key] Ekey[S-Key] S-KEY S-KEY S-KEY Eskey(M) D(E(M)) M Blackhats Italia 2003 Blackhats italia 2002

12 Attacks examples (4) Parameters and banners substitution
Parameters exchanged by server and client can be substituted in the beginning of a connection. (algorithms to be used later) Example: the attacker can force the client to initialize a SSH1 connection instead of SSH2. The server replies in this way: SSH the server supports ssh1 and ssh2 SSH the server supports ONLY ssh1 The attacker makes a filter to replace “1.99” with “1.51” Possibility to circumvent known_hosts Blackhats Italia 2003 Blackhats italia 2002

13 Attacks examples (5) IPSEC Failure
Block the keymaterial exchanged on the port 500 UDP End points think that the other cannot start an IPSEC connection If the client is configured in rollback mode, there is a good chance that the user will not notice that the connection is in clear text Blackhats Italia 2003 Blackhats italia 2002

14 Attacks examples (6) PPTP (1) - description
Uses GRE as transport layer (no encryption, no authentication) Uses the same negotiation scheme as PPP (req, ack, nak, rej) Negotiation phases are not authenticated MS-CHAPv2 mutual authentication can’t prevent this kind of mitm Blackhats Italia 2003 Blackhats italia 2002

15 Attacks examples (6) PPTP (2) - attacks
During negotiation phase Force PAP authentication (almost fails) Force MS-CHAPv1 from MS-CHAPv2 (easier to crack) Force no encryption Force re-negotiation (clear text terminate-ack) Retrieve passwords from existing tunnels Perform previous attacks Force “password change” to obtain password hashes Hashes can be used directly by a modified SMB or PPTP client MS-CHAPv2 hashes are not usefull (you can force v1) Blackhats Italia 2003 Blackhats italia 2002

16 Attacks examples (6) PPTP (3) - attack example
Force PAP from CHAP start Server Client MITM req | auth | chap req | auth | fake nak | auth | pap nak| auth | chap req | auth | pap req | auth | pap ack | auth | pap ack | auth | pap We don’t have to mess with GRE sequences... Blackhats Italia 2003 Blackhats italia 2002

17 Attacks examples (6) PPTP (4) - L2TP rollback
L2TP can use IPSec ESP as transport layer (stronger than PPTP) By default L2TP is tried before PPTP Blocking ISAKMP packets results in an IPSec failure Client starts a request for a PPTP tunnel (rollback) Now you can perform PPTP previous attacks Blackhats Italia 2003 Blackhats italia 2002

18 Attacks examples (6) PPTP (5) - tools
Ettercap ( Hydra plugins suite Anger ( Blackhats Italia 2003 Blackhats italia 2002

19 Attack techniques LOCAL SCENARIO
Blackhats Italia 2003 Blackhats italia 2002

20 Local Attacks (1) ARP poisoning
ARP is stateless (we all knows how it works and what the problems are) Some operating systems do not update an entry if it is not already in the cache, others accept only the first received reply (e.g solaris) The attacker can forge a spoofed ICMP packets to force the host to make an ARP request. Immediately after the ICMP it sends the fake ARP replay Request attack against linux (IDS evasion) Blackhats Italia 2003 Blackhats italia 2002

21 Local Attacks (1) ARP poisoning
Useful to sniff on switched LANs The switch works at layer 2 and it is not aware of the poisoning in the hosts’ ARP cache (unless some ARP inspection) Blackhats Italia 2003 Blackhats italia 2002

22 Local Attacks (1) ARP poisoning - tools
Ettercap ( Poisoning Sniffing Hijacking Filtering SSH sniffing (transparent attack) Dsniff ( SSH sniffing (proxy attack) Blackhats Italia 2003 Blackhats italia 2002

23 Local Attacks (1) ARP poison - countermeasures
YES - passive monitoring (arpwatch) YES - active monitoring (ettercap) YES - IDS (detect but not avoid) YES - Static ARP entries (avoid it) YES - Secure-ARP (public key auth) NO - Port security on the switch NO - anticap, antidote, middleware approach Blackhats Italia 2003 Blackhats italia 2002

24 Local Attacks (2) DNS spoofing
If the attacker is able to sniff the ID of the DNS request, he/she can reply before the real DNS server MITM HOST serverX.localdomain.it DNS Blackhats Italia 2003 Blackhats italia 2002

25 Local Attacks (2) DNS spoofing - tools
Ettercap ( Phantom plugin Dsniff ( Dnsspoof Zodiac ( Blackhats Italia 2003 Blackhats italia 2002

26 Local Attacks (2) DNS spoofing - countermeasures
YES - detect multiple replies (IDS) YES - use lmhost or host file for static resolution of critical hosts YES - DNSSEC Blackhats Italia 2003 Blackhats italia 2002

27 Local Attacks (3) STP mangling
It is not a real MITM attack since the attacker is able to receive only “unmanaged” traffic The attacker can forge BPDU with high priority pretending to be the new root of the spanning tree Blackhats Italia 2003 Blackhats italia 2002

28 Local Attacks (3) STP mangling - tools
Ettercap ( Lamia plugin Blackhats Italia 2003 Blackhats italia 2002

29 Local Attacks (3) STP mangling - countermeasures
YES - Disable STP on VLAN without loops YES - Root Guard, BPDU Guard. Blackhats Italia 2003 Blackhats italia 2002

30 Attack techniques FROM LOCAL TO REMOTE
Blackhats Italia 2003 Blackhats italia 2002

31 Local to remote attacks (1) DHCP spoofing
The DHCP request are made in broadcast. If the attacker replies before the real DHCP server it can manipulate: IP address of the victim GW address assigned to the victim DNS address Blackhats Italia 2003 Blackhats italia 2002

32 Local to remote attacks (1) DHCP spoofing - countermeasures
YES - detection of multiple DHCP replies Blackhats Italia 2003 Blackhats italia 2002

33 Local to remote attacks (2) ICMP redirect
The attacker can forge ICMP redirect packet in order to Redirect traffic to himself T AT G1 ICMP redirect to AT LAN H Blackhats Italia 2003 Blackhats italia 2002

34 Local to remote attacks (2) ICMP redirect - tools
IRPAS icmp_redirect (Phenoelit) ( icmp_redir (Yuri Volobuev) Blackhats Italia 2003 Blackhats italia 2002

35 Local to remote attacks (2) ICMP redirect - countermeasures
YES - Disable the ICMP REDIRECT NO - Linux has the “secure redirect” options but it seems to be ineffective against this attack Blackhats Italia 2003 Blackhats italia 2002

36 Local to remote attacks (3) IRDP spoofing
The attacker can forge some advertisement packet pretending to be the router for the LAN. He/she can set the “preference level” and the “lifetime” at high values to be sure the hosts will choose it as the preferred router. The attack can be improved by sending some spoofed ICMP Host Unreachable pretending to be the real router Blackhats Italia 2003 Blackhats italia 2002

37 Local to remote attacks (3) IRDP spoofing - tools
IRPAS by Phenoelit ( Blackhats Italia 2003 Blackhats italia 2002

38 Local to remote attacks (3) IRDP spoofing - countermeasures
YES - Disable IRDP on hosts if the operating system permit it. Blackhats Italia 2003 Blackhats italia 2002

39 Local to remote attacks (4) ROUTE mangling
INTERNET GW AT H The attacker can forge packets for the gateway (GW) pretending to be a router with a good metric for a specified host on the internet The netmask should be big enough to win against other routes Blackhats Italia 2003 Blackhats italia 2002

40 Local to remote attacks (4) ROUTE mangling
Now the problem for the attacker is to send packets to the real destination. He/she cannot send it through GW since it is convinced that the best route is AT. AT2 Tunnel GW AT D INTERNET H Blackhats Italia 2003 Blackhats italia 2002

41 Local to remote attacks (4) ROUTE mangling - tools
IRPAS (Phenoelit) ( Nemesis ( Blackhats Italia 2003 Blackhats italia 2002

42 Local to remote attacks (4) ROUTE mangling - countermeasures
YES - Disable dynamic routing protocols on this type of scenarios YES - Enable some ACL to block unexpected update YES - Enable authentications on the protocols that support them Blackhats Italia 2003 Blackhats italia 2002

43 Attacks techniques REMOTE SCENARIOS
Blackhats Italia 2003 Blackhats italia 2002

44 Remote attacks (1) DNS poisoning
Type 1 attack The attacker sends a request to the victim DNS asking for one host The attacker spoofs the reply which is expected to come from the real DNS The spoofed reply must contain the correct ID (brute force or semi-blind guessing) Blackhats Italia 2003 Blackhats italia 2002

45 Remote attacks (1) DNS poisoning
Type 2 attack The attacker can send a “dynamic update” to the victim DNS If the DNS processes it, it is even worst because it will be authoritative for those entries Blackhats Italia 2003 Blackhats italia 2002

46 Remote attacks (1) DNS poisoning - tools
ADMIdPack Zodiac ( Blackhats Italia 2003 Blackhats italia 2002

47 Remote attacks (1) DNS poisoning - countermeasures
YES - Use DNS with random transaction ID (Bind v9) YES - DNSSec (Bind v9) allows the digital signature of the replies. NO - restrict the dynamic update to a range of IP (they can be spoofed) Blackhats Italia 2003 Blackhats italia 2002

48 Remote attacks (2) Traffic Tunneling
Server Router 1 Tunnel GRE INTERNET Client Fake host Gateway Attacker Blackhats Italia 2003 Blackhats italia 2002

49 Remote attacks (2) Traffic Tunneling - tools
Ettercap ( Zaratan plugin TunnelX ( Blackhats Italia 2003 Blackhats italia 2002

50 Remote attacks (2) Traffic Tunneling - countermeasure
YES - Strong passwords and community on routers Blackhats Italia 2003 Blackhats italia 2002

51 Remote attacks (3) ROUTE mangling
The attacker aims to hijack the traffic between the two victims A and B The attack will collect sensitive information through: traceroute portscanning protoscanning Quite impossible against link state protocols Blackhats Italia 2003 Blackhats italia 2002

52 Remote attacks (3) ROUTE mangling
Scenario 1 a (IGRP inside the AS) A R1 B R2 The attacker pretends to be the GW Blackhats Italia 2003 Blackhats italia 2002

53 Remote attacks (3) ROUTE mangling
Scenario 1 b (IGRP inside the AS) A R1 R3 B R2 Blackhats Italia 2003 Blackhats italia 2002

54 Remote attacks (3) ROUTE mangling
Scenario 2 a (the traffic does not pass thru the AS) AS 1 AS 2 BGP BG 1 BG 2 BG 3 RIP AS 3 Blackhats Italia 2003 Blackhats italia 2002

55 Remote attacks (3) ROUTE mangling
IRPAS di Phenoelit ( Nemesis ( Blackhats Italia 2003 Blackhats italia 2002

56 Remote attacks (3) ROUTE mangling - countermeasure
YES - Use routing protocol authentications Blackhats Italia 2003 Blackhats italia 2002

57 Conclusions The security of a connection relies on:
a proper configuration of the client (avoiding ICMP Redirect, ARP Poisoning etc.) the other endpoint infrastructure (es. DNS dynamic update), the strongness of a third party appliances on which we don’t have access (es. Tunnelling and Route Mangling). The best to protect a communication is the correct and conscious use of criptographic suites both client and server side at the network layer (ie. IPSec) at transport layer (ie. SSLv3) at application layer (ie. PGP). Blackhats Italia 2003 Blackhats italia 2002

58 Marco Valleri <naga@blackhats.it>
Alberto Ornaghi Blackhats Italia 2003 Blackhats italia 2002

Download ppt "Man in the middle attacks"

Similar presentations

IIT Kanpur Hackers Workshop 2004 23, 24 Feb 2004 1 A current analysis of man in the middle (mitm) attacks Sachin Deodhar.

IIT Kanpur Hackers Workshop , 24 Feb A current analysis of man in the middle (mitm) attacks Sachin Deodhar.
Blackhats Italia 2003 1 Man in the middle attacks What they are What they are How to achieve them How to achieve them How to use them How to use them How.

Blackhats Italia Man in the middle attacks What they are What they are How to achieve them How to achieve them How to use them How to use them How.
Security Lab 2 MAN IN THE MIDDLE ATTACK

Security Lab 2 MAN IN THE MIDDLE ATTACK
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.

Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Security - Systems Design Considerations. Layer 2 Design L2 Control protocols - 802.1q, STP and ARP 802.1q for Ethernet switches to exchange VLAN info.

Security - Systems Design Considerations. Layer 2 Design L2 Control protocols q, STP and ARP 802.1q for Ethernet switches to exchange VLAN info.
Man in the Middle Paul Box Beatrice Wilds Will Lefevers.

Man in the Middle Paul Box Beatrice Wilds Will Lefevers.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
ITIS 6167/8167: Network and Information Security Weichao Wang.

ITIS 6167/8167: Network and Information Security Weichao Wang.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
Switch Concepts and Configuration and Configuration Part II Advanced Computer Networks.

Switch Concepts and Configuration and Configuration Part II Advanced Computer Networks.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
ECE 4112 - Internetwork Security 1 Password Cracking, Sniffing and Man-in-the Middle Agenda  Storing Passwords on the system  Password Cracking on Windows.

ECE Internetwork Security 1 Password Cracking, Sniffing and Man-in-the Middle Agenda  Storing Passwords on the system  Password Cracking on Windows.
Address Resolution Protocol(ARP) By:Protogenius. Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP.

Address Resolution Protocol(ARP) By:Protogenius. Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP.
OV 12 - 1 Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Similar presentations

Ads by Google