Presentation is loading. Please wait.

Presentation is loading. Please wait.

Blackhats Italia 2003 1 Man in the middle attacks What they are What they are How to achieve them How to achieve them How to use them How to use them How.

Published byAmira Dark Modified over 10 years ago

Similar presentations

Presentation on theme: "Blackhats Italia 2003 1 Man in the middle attacks What they are What they are How to achieve them How to achieve them How to use them How to use them How."— Presentation transcript:

1 Blackhats Italia 2003 1 Man in the middle attacks What they are What they are How to achieve them How to achieve them How to use them How to use them How to prevent them How to prevent them Alberto Ornaghi Marco Valleri

2 Blackhats Italia 20032 Table of contents Different attacks in different scenarios: LOCAL AREA NETWORK: - ARP poisoning- DNS spoofing- STP mangling ARP poisoningDNS spoofingSTP manglingARP poisoningDNS spoofingSTP mangling FROM LOCAL TO REMOTE (through a gateway): FROM LOCAL TO REMOTE (through a gateway): - ARP poisoning- DNS spoofing- DHCP spoofing ARP poisoningDNS spoofingDHCP spoofingARP poisoningDNS spoofingDHCP spoofing - ICMP redirection- IRDP spoofing- route mangling ICMP redirectionIRDP spoofingroute manglingICMP redirectionIRDP spoofingroute mangling REMOTE: REMOTE: - DNS poisoning- traffic tunneling- route mangling DNS poisoningtraffic tunnelingroute manglingDNS poisoningtraffic tunnelingroute mangling

3 Blackhats Italia 2003 3 Once in the middle...

4 Blackhats Italia 20034 Sniffing It is the easiest attack to launch since all the packets transit through the attacker. All the plain text protocols are compromised (the attacker can sniff user and password of many widely used protocol such as telnet, ftp, http)

5 Blackhats Italia 20035 Hijacking Easy to launch Easy to launch It isnt blind (the attacker knows exactly the sequence numbers of the TCP connection) It isnt blind (the attacker knows exactly the sequence numbers of the TCP connection)

6 Blackhats Italia 20036 Injecting Possibility to add packets to an already established connection (only possible in full-duplex mitm) Possibility to add packets to an already established connection (only possible in full-duplex mitm) The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets. The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets. If the mitm attack is a proxy attack it is even easier to inject (there are two distinct connections) If the mitm attack is a proxy attack it is even easier to inject (there are two distinct connections)

7 Blackhats Italia 20037 Filtering The attacker can modify the payload of the packets by recalculating the checksum The attacker can modify the payload of the packets by recalculating the checksum He/she can create filters on the fly He/she can create filters on the fly The length of the payload can also be changed but only in full-duplex (in this case the seq has to be adjusted) The length of the payload can also be changed but only in full-duplex (in this case the seq has to be adjusted)

8 Blackhats Italia 2003 8 Attacks examples

9 Blackhats Italia 20039 Attacks examples (1) Command injection Useful in scenarios where a one time authentication is used (e.g. RSA token). In such scenarios sniffing the password is useless, but hijacking an already authenticated session is critical Useful in scenarios where a one time authentication is used (e.g. RSA token). In such scenarios sniffing the password is useless, but hijacking an already authenticated session is critical Injection of commands to the server Injection of commands to the server Emulation of fake replies to the client Emulation of fake replies to the client

10 Blackhats Italia 200310 Attacks examples (2) Malicious code injection Insertion of malicious code into web pages or mail (javascript, trojans, virus, ecc) Insertion of malicious code into web pages or mail (javascript, trojans, virus, ecc) Modification on the fly of binary files during the download phase (virus, backdoor, ecc) Modification on the fly of binary files during the download phase (virus, backdoor, ecc)

11 Blackhats Italia 200311 Attacks examples (3) Key exchanging Modification of the public key exchanged by server and client. (eg SSH1) Modification of the public key exchanged by server and client. (eg SSH1) ServerClient MITM start KEY(rsa) E key [S-Key] S-KEY M E skey (M) D(E(M))

12 Blackhats Italia 200312 Attacks examples (4) Parameters and banners substitution Parameters exchanged by server and client can be substituted in the beginning of a connection. (algorithms to be used later) Parameters exchanged by server and client can be substituted in the beginning of a connection. (algorithms to be used later) Example: the attacker can force the client to initialize a SSH1 connection instead of SSH2. Example: the attacker can force the client to initialize a SSH1 connection instead of SSH2. –The server replies in this way: SSH-1.99 -- the server supports ssh1 and ssh2 SSH-1.99 -- the server supports ssh1 and ssh2 SSH-1.51 -- the server supports ONLY ssh1 SSH-1.51 -- the server supports ONLY ssh1 –The attacker makes a filter to replace 1.99 with 1.51 Possibility to circumvent known_hosts Possibility to circumvent known_hosts

13 Blackhats Italia 200313 Attacks examples (5) IPSEC Failure Block the keymaterial exchanged on the port 500 UDP Block the keymaterial exchanged on the port 500 UDP End points think that the other cannot start an IPSEC connection End points think that the other cannot start an IPSEC connection If the client is configured in rollback mode, there is a good chance that the user will not notice that the connection is in clear text If the client is configured in rollback mode, there is a good chance that the user will not notice that the connection is in clear text

14 Blackhats Italia 200314 Attacks examples (6) PPTP (1) - description Uses GRE as transport layer (no encryption, no authentication) Uses GRE as transport layer (no encryption, no authentication) Uses the same negotiation scheme as PPP (req, ack, nak, rej) Uses the same negotiation scheme as PPP (req, ack, nak, rej) Negotiation phases are not authenticated Negotiation phases are not authenticated MS-CHAPv2 mutual authentication cant prevent this kind of mitm MS-CHAPv2 mutual authentication cant prevent this kind of mitm

15 Blackhats Italia 200315 Attacks examples (6) PPTP (2) - attacks During negotiation phase During negotiation phase –Force PAP authentication (almost fails) –Force MS-CHAPv1 from MS-CHAPv2 (easier to crack) –Force no encryption Force re-negotiation (clear text terminate-ack) Force re-negotiation (clear text terminate-ack) –Retrieve passwords from existing tunnels –Perform previous attacks Force password change to obtain password hashes Force password change to obtain password hashes –Hashes can be used directly by a modified SMB or PPTP client –MS-CHAPv2 hashes are not usefull (you can force v1)

16 Blackhats Italia 200316 Attacks examples (6) PPTP (3) - attack example ServerClient MITM start req | auth | chap nak | auth | pap req | auth | pap ack | auth | pap req | auth | fake nak| auth | chap req | auth | pap ack | auth | pap Force PAP from CHAP We dont have to mess with GRE sequences...

17 Blackhats Italia 200317 Attacks examples (6) PPTP (4) - L2TP rollback L2TP can use IPSec ESP as transport layer (stronger than PPTP) L2TP can use IPSec ESP as transport layer (stronger than PPTP) By default L2TP is tried before PPTP By default L2TP is tried before PPTP Blocking ISAKMP packets results in an IPSec failure Blocking ISAKMP packets results in an IPSec failure Client starts a request for a PPTP tunnel (rollback) Client starts a request for a PPTP tunnel (rollback) Now you can perform PPTP previous attacks Now you can perform PPTP previous attacks

18 Blackhats Italia 200318 Attacks examples (6) PPTP (5) - tools Ettercap (http://ettercap.sf.net) Ettercap (http://ettercap.sf.net)http://ettercap.sf.net –Hydra plugins suite Anger ( http://packetstormsecurity.org/sniffers/anger.tar.gz) Anger ( http://packetstormsecurity.org/sniffers/anger.tar.gz)

19 Blackhats Italia 2003 19 Attack techniques LOCAL SCENARIO

20 Blackhats Italia 200320 Local Attacks (1) ARP poisoning ARP is stateless (we all knows how it works and what the problems are) ARP is stateless (we all knows how it works and what the problems are) Some operating systems do not update an entry if it is not already in the cache, others accept only the first received reply (e.g solaris) Some operating systems do not update an entry if it is not already in the cache, others accept only the first received reply (e.g solaris) The attacker can forge a spoofed ICMP packets to force the host to make an ARP request. Immediately after the ICMP it sends the fake ARP replay The attacker can forge a spoofed ICMP packets to force the host to make an ARP request. Immediately after the ICMP it sends the fake ARP replay Request attack against linux (IDS evasion) Request attack against linux (IDS evasion)

21 Blackhats Italia 200321 Local Attacks (1) ARP poisoning Useful to sniff on switched LANs Useful to sniff on switched LANs The switch works at layer 2 and it is not aware of the poisoning in the hosts ARP cache (unless some ARP inspection) The switch works at layer 2 and it is not aware of the poisoning in the hosts ARP cache (unless some ARP inspection)

22 Blackhats Italia 200322 Local Attacks (1) ARP poisoning - tools Ettercap (http://ettercap.sf.net) Ettercap (http://ettercap.sf.net)http://ettercap.sf.net –Poisoning –Sniffing –Hijacking –Filtering –SSH sniffing (transparent attack) Dsniff (http://www.monkey.org/~dugsong/dsniff) Dsniff (http://www.monkey.org/~dugsong/dsniff)http://www.monkey.org/~dugsong/dsniff –Poisoning –Sniffing –SSH sniffing (proxy attack)

23 Blackhats Italia 200323 Local Attacks (1) ARP poison - countermeasures YES - passive monitoring (arpwatch) YES - passive monitoring (arpwatch) YES - active monitoring (ettercap) YES - active monitoring (ettercap) YES - IDS (detect but not avoid) YES - IDS (detect but not avoid) YES - Static ARP entries (avoid it) YES - Static ARP entries (avoid it) YES - Secure-ARP (public key auth) YES - Secure-ARP (public key auth) NO - Port security on the switch NO - Port security on the switch NO - anticap, antidote, middleware approach NO - anticap, antidote, middleware approach

24 Blackhats Italia 200324 Local Attacks (2) DNS spoofing HOST DNS serverX.localdomain.it 10.1.1.50 MITM 10.1.1.1 If the attacker is able to sniff the ID of the DNS request, he/she can reply before the real DNS server

25 Blackhats Italia 200325 Local Attacks (2) DNS spoofing - tools Ettercap (http://ettercap.sf.net) Ettercap (http://ettercap.sf.net)http://ettercap.sf.net –Phantom plugin Dsniff (http://www.monkey.org/~dugsong/dsniff) Dsniff (http://www.monkey.org/~dugsong/dsniff)http://www.monkey.org/~dugsong/dsniff –Dnsspoof Zodiac (http://www.packetfactory.com/Projects/zodiac) Zodiac (http://www.packetfactory.com/Projects/zodiac)http://www.packetfactory.com/Projects/zodiac

26 Blackhats Italia 200326 Local Attacks (2) DNS spoofing - countermeasures YES - detect multiple replies (IDS) YES - detect multiple replies (IDS) YES - use lmhost or host file for static resolution of critical hosts YES - use lmhost or host file for static resolution of critical hosts YES - DNSSEC YES - DNSSEC

27 Blackhats Italia 200327 Local Attacks (3) STP mangling It is not a real MITM attack since the attacker is able to receive only unmanaged traffic It is not a real MITM attack since the attacker is able to receive only unmanaged traffic The attacker can forge BPDU with high priority pretending to be the new root of the spanning tree The attacker can forge BPDU with high priority pretending to be the new root of the spanning tree

28 Blackhats Italia 200328 Local Attacks (3) STP mangling - tools Ettercap (http://ettercap.sf.net) Ettercap (http://ettercap.sf.net)http://ettercap.sf.net –Lamia plugin

29 Blackhats Italia 200329 Local Attacks (3) STP mangling - countermeasures YES - Disable STP on VLAN without loops YES - Disable STP on VLAN without loops YES - Root Guard, BPDU Guard. YES - Root Guard, BPDU Guard.

30 Blackhats Italia 2003 30 Attack techniques FROM LOCAL TO REMOTE

31 Blackhats Italia 200331 Local to remote attacks (1) DHCP spoofing The DHCP request are made in broadcast. The DHCP request are made in broadcast. If the attacker replies before the real DHCP server it can manipulate: If the attacker replies before the real DHCP server it can manipulate: –IP address of the victim –GW address assigned to the victim –DNS address

32 Blackhats Italia 200332 Local to remote attacks (1) DHCP spoofing - countermeasures YES - detection of multiple DHCP replies YES - detection of multiple DHCP replies

33 Blackhats Italia 200333 Local to remote attacks (2) ICMP redirect G1 AT H T LAN The attacker can forge ICMP redirect packet in order to Redirect traffic to himself ICMP redirect to AT

34 Blackhats Italia 200334 Local to remote attacks (2) ICMP redirect - tools IRPAS icmp_redirect (Phenoelit) (http://www.phenoelit.de/irpas/) IRPAS icmp_redirect (Phenoelit) (http://www.phenoelit.de/irpas/)http://www.phenoelit.de/irpas/ icmp_redir (Yuri Volobuev) icmp_redir (Yuri Volobuev)

35 Blackhats Italia 200335 Local to remote attacks (2) ICMP redirect - countermeasures YES - Disable the ICMP REDIRECT YES - Disable the ICMP REDIRECT NO - Linux has the secure redirect options but it seems to be ineffective against this attack NO - Linux has the secure redirect options but it seems to be ineffective against this attack

36 Blackhats Italia 200336 Local to remote attacks (3) IRDP spoofing The attacker can forge some advertisement packet pretending to be the router for the LAN. He/she can set the preference level and the lifetime at high values to be sure the hosts will choose it as the preferred router. The attacker can forge some advertisement packet pretending to be the router for the LAN. He/she can set the preference level and the lifetime at high values to be sure the hosts will choose it as the preferred router. The attack can be improved by sending some spoofed ICMP Host Unreachable pretending to be the real router The attack can be improved by sending some spoofed ICMP Host Unreachable pretending to be the real router

37 Blackhats Italia 200337 Local to remote attacks (3) IRDP spoofing - tools IRPAS by Phenoelit (http://www.phenoelit.de/irpas/) IRPAS by Phenoelit (http://www.phenoelit.de/irpas/)http://www.phenoelit.de/irpas/

38 Blackhats Italia 200338 Local to remote attacks (3) IRDP spoofing - countermeasures YES - Disable IRDP on hosts if the operating system permit it. YES - Disable IRDP on hosts if the operating system permit it.

39 Blackhats Italia 200339 Local to remote attacks (4) ROUTE mangling The attacker can forge packets for the gateway (GW) pretending to be a router with a good metric for a specified host on the internet The netmask should be big enough to win against other routes INTERNETGWAT H

40 Blackhats Italia 200340 Local to remote attacks (4) ROUTE mangling Now the problem for the attacker is to send packets to the real destination. He/she cannot send it through GW since it is convinced that the best route is AT. Now the problem for the attacker is to send packets to the real destination. He/she cannot send it through GW since it is convinced that the best route is AT. INTERNET GWAT H D AT2 Tunnel

41 Blackhats Italia 200341 Local to remote attacks (4) ROUTE mangling - tools IRPAS (Phenoelit) (http://www.phenoelit.de/irpas/) IRPAS (Phenoelit) (http://www.phenoelit.de/irpas/)http://www.phenoelit.de/irpas/ Nemesis (http://www.packetfactory.net/Projects/nemesis/) Nemesis (http://www.packetfactory.net/Projects/nemesis/)http://www.packetfactory.net/Projects/nemesis/

42 Blackhats Italia 200342 Local to remote attacks (4) ROUTE mangling - countermeasures YES - Disable dynamic routing protocols on this type of scenarios YES - Disable dynamic routing protocols on this type of scenarios YES - Enable some ACL to block unexpected update YES - Enable some ACL to block unexpected update YES - Enable authentications on the protocols that support them YES - Enable authentications on the protocols that support them

43 Blackhats Italia 2003 43 Attacks techniques REMOTE SCENARIOS

44 Blackhats Italia 200344 Remote attacks (1) DNS poisoning Type 1 attack Type 1 attack –The attacker sends a request to the victim DNS asking for one host –The attacker spoofs the reply which is expected to come from the real DNS –The spoofed reply must contain the correct ID (brute force or semi-blind guessing)

45 Blackhats Italia 200345 Remote attacks (1) DNS poisoning Type 2 attack Type 2 attack –The attacker can send a dynamic update to the victim DNS –If the DNS processes it, it is even worst because it will be authoritative for those entries

46 Blackhats Italia 200346 Remote attacks (1) DNS poisoning - tools ADMIdPack ADMIdPack Zodiac (http://www.packetfactory.com/Projects/zodiac) Zodiac (http://www.packetfactory.com/Projects/zodiac)http://www.packetfactory.com/Projects/zodiac

47 Blackhats Italia 200347 Remote attacks (1) DNS poisoning - countermeasures YES - Use DNS with random transaction ID (Bind v9) YES - Use DNS with random transaction ID (Bind v9) YES - DNSSec (Bind v9) allows the digital signature of the replies. YES - DNSSec (Bind v9) allows the digital signature of the replies. NO - restrict the dynamic update to a range of IP (they can be spoofed) NO - restrict the dynamic update to a range of IP (they can be spoofed)

48 Blackhats Italia 200348 Remote attacks (2) Traffic Tunneling Router 1 Gateway INTERNET Server Client Fake host Attacker Tunnel GRE

49 Blackhats Italia 200349 Remote attacks (2) Traffic Tunneling - tools Ettercap (http://ettercap.sf.net) Ettercap (http://ettercap.sf.net)http://ettercap.sf.net –Zaratan plugin TunnelX (http://www.phrack.com) TunnelX (http://www.phrack.com)http://www.phrack.com

50 Blackhats Italia 200350 Remote attacks (2) Traffic Tunneling - countermeasure YES - Strong passwords and community on routers YES - Strong passwords and community on routers

51 Blackhats Italia 200351 Remote attacks (3) ROUTE mangling The attacker aims to hijack the traffic between the two victims A and B The attacker aims to hijack the traffic between the two victims A and B The attack will collect sensitive information through: The attack will collect sensitive information through: –traceroute –portscanning –protoscanning Quite impossible against link state protocols Quite impossible against link state protocols

52 Blackhats Italia 200352 Remote attacks (3) ROUTE mangling Scenario 1 a (IGRP inside the AS) Scenario 1 a (IGRP inside the AS) AB The attacker pretends to be the GW R1 R2

53 Blackhats Italia 200353 Remote attacks (3) ROUTE mangling Scenario 1 b (IGRP inside the AS) Scenario 1 b (IGRP inside the AS) ABR1 R2 R3

54 Blackhats Italia 200354 Remote attacks (3) ROUTE mangling Scenario 2 a (the traffic does not pass thru the AS) Scenario 2 a (the traffic does not pass thru the AS) AS 1AS 2 BG 1BG 2 BG 3 AS 3 BGP RIP

55 Blackhats Italia 200355 Remote attacks (3) ROUTE mangling IRPAS di Phenoelit ( http://www.phenoelit.de/irpas/) IRPAS di Phenoelit ( http://www.phenoelit.de/irpas/) http://www.phenoelit.de/irpas/ Nemesis ( http://www.packetfactory.net/Projects/nemesis/) Nemesis ( http://www.packetfactory.net/Projects/nemesis/) http://www.packetfactory.net/Projects/nemesis/

56 Blackhats Italia 200356 Remote attacks (3) ROUTE mangling - countermeasure YES - Use routing protocol authentications YES - Use routing protocol authentications

57 Blackhats Italia 200357 Conclusions The security of a connection relies on: The security of a connection relies on: –a proper configuration of the client (avoiding ICMP Redirect, ARP Poisoning etc.) –the other endpoint infrastructure (es. DNS dynamic update), –the strongness of a third party appliances on which we dont have access (es. Tunnelling and Route Mangling). The best to protect a communication is the correct and conscious use of criptographic suites The best to protect a communication is the correct and conscious use of criptographic suites –both client and server side –at the network layer (ie. IPSec) –at transport layer (ie. SSLv3) –at application layer (ie. PGP).

58 Blackhats Italia 200358 –Marco Valleri –Marco Valleri –Alberto Ornaghi –Alberto Ornaghi

Download ppt "Blackhats Italia 2003 1 Man in the middle attacks What they are What they are How to achieve them How to achieve them How to use them How to use them How."

Similar presentations

Ethical Hacking Module VII Sniffers.

Ethical Hacking Module VII Sniffers.
TinyOS Tutorial, Part I Phil Levis et al. MobiSys 2003.

TinyOS Tutorial, Part I Phil Levis et al. MobiSys 2003.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
IIT Kanpur Hackers Workshop 2004 23, 24 Feb 2004 1 A current analysis of man in the middle (mitm) attacks Sachin Deodhar.

IIT Kanpur Hackers Workshop , 24 Feb A current analysis of man in the middle (mitm) attacks Sachin Deodhar.
Password Cracking, Network Sniffing, Man-in-the-Middle attacks, and Virtual Private Networks Lab 2 – Class Discussion Group 3 Ruhull Alam Bhuiyan Keon.

Password Cracking, Network Sniffing, Man-in-the-Middle attacks, and Virtual Private Networks Lab 2 – Class Discussion Group 3 Ruhull Alam Bhuiyan Keon.
Security Lab 2 MAN IN THE MIDDLE ATTACK

Security Lab 2 MAN IN THE MIDDLE ATTACK
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
ARP Spoofing.

ARP Spoofing.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.

Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Security - Systems Design Considerations. Layer 2 Design L2 Control protocols - 802.1q, STP and ARP 802.1q for Ethernet switches to exchange VLAN info.

Security - Systems Design Considerations. Layer 2 Design L2 Control protocols q, STP and ARP 802.1q for Ethernet switches to exchange VLAN info.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Man in the Middle Paul Box Beatrice Wilds Will Lefevers.

Man in the Middle Paul Box Beatrice Wilds Will Lefevers.

Similar presentations

Ads by Google