Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Attacks Network Attacks 1.

Published byHillary Campbell Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Attacks Network Attacks 1."— Presentation transcript:

1 Network Attacks Network Attacks

2 Topics Sniffing IP address spoofing Session hijacking Netcat
General-purpose network tool Network Attacks

3 Sniffing Sniffer gathers traffic from LAN
Can see packets in real time Usually, interface put in promiscuous mode Gathers everything, regardless of IP address Sniffer is useful for attacker And useful for administrator Sniffer can collect data such as … ID/password sent over telnet, DNS, messages, files sent over NFS, etc. Network Attacks

4 Sniffing Attacker who has access to LAN can sniff packets
Usually requires admin/root privilege Typically, use sniffer to gather pwds Sniffing can be used in “island hopping” attack Next slide Network Attacks

5 Island Hopping Attack Network Attacks

6 Sniffers Freeware sniffers include windump --- port of tcpdump
Snort --- sniffer/IDS Wireshark (formerly, Ethereal) --- able to decode lots of protocols Sniffit --- popular with attackers Dsniff --- perhaps most powerful Network Attacks

7 Passive Sniffing Thru a Hub
Recall that hub broadcasts everything Passive sniffer sees everything Network Attacks

8 Snort Snort: open source, UNIX-based IDS Started out as a sniffer
Still can serve as a capable sniffer Why does sniffer-to-IDS make sense? Snort not often used by attackers Has more features than attacker needs Network Attacks

9 Sniffit Sniffit popular with attackers Sniffit has “interactive mode”
UNIX-based Sniffit has “interactive mode” Keeps track of individual sessions Can view these as separate conversations Network Attacks

10 Sniffit Interactive Mode
Network Attacks

11 Wireshark Wireshark (formerly Ethereal)
Available for many platforms Probably easiest sniffer to use, great UI, etc. Wireshark is a “protocol genius” Decodes every bit of packet “Follow TCP stream” function Select a TCP packet, view entire connection Network Attacks

12 Wireshark Network Attacks

13 Sniffer as Scanning Tool
Nmap, Nessus, etc., may be detected Active Sniffer is passive, so no such risk What can be determined by sniffing? May be able to ID OS (maybe even version of OS) E.g., based on way connections are made Network Attacks

14 P0f2 Tool to passively ID OS Available for most platforms
To “fingerprint” OS’s network stack Can also ID firewall, NAT, etc. What info does it use? TTL, IP ID, other? Network Attacks

15 P0f2 Network Attacks

16 Switch Recall that switch does not broadcast Network Attacks

17 Active Sniffing Sniffing thru a switch?
Switch limits what you see with sniffers such as Wireshark May be able to “sniff” thru switch by inserting traffic Dsniff and Ettercap Network Attacks

18 Dsniff Developed by developer of FragRouter
Dsniff decodes lots application level protocols FTP, telnet, POP,…, Napster, pcAnywhere Makes it easy to find passwords Dsniff also has active operations Network Attacks

19 Dsniff Switch remembers MAC addresses MAC address flooding
Dsniff sends packets with random spoofed MAC addresses Switches address memory eventually exhausted Then what does switch do? It depends…, but some start acting like hubs If so, then passive sniffing works Network Attacks

20 Dsniff What to do if flooding fails?
ARP spoofing (ARP cache poisoning) Attacker sets “IP forwarding” on his machine to default gateway (router) Attacker poisons ARP cache so that he appears to be default gateway Attacker see all traffic destined for outside world, and traffic still sent to default gateway Network Attacks

21 Default Router Network Attacks

22 Spoofed “Default Router”
Network Attacks

23 Dsniff ARP Spoofing How could this be detected?
What happens when packet sent from attacker to default gateway? IP forwarding is “really simple routing” So, TTL is decremented Could be detected by, say, traceroute How can attacker avoid this? Network Attacks

24 Ettercap Ettercap uses method known as “port stealing” to sniff switched LAN Sometimes, hard-coded MAC addresses In such case, ARP poisoning not possible Port stealing may be an option Network Attacks

25 Ettercap Switch associates MAC addresses to each of its physical ports
Mapping created by examining packets Ettercap floods LAN with frames Attacker’s MAC address is destination Source MAC address is victim machine (e.g., default gateway) What does this accomplish? Switch associates default gateway with its physical port on which attacker resides Network Attacks

26 Ettercap Port stealing
So far… switch thinks default gateway on same physical port as attacker Note: ARP tables on hosts not affected Then attacker can sniff data intended for victim How does attacker then get these packets to the default gateway? Network Attacks

27 Ettercap So far… packets intended for gateway can be sniffed by attacker How to get these packets to gateway? Forward packets to switch with gateway’s MAC address? That won’t work! Network Attacks

28 Ettercap Attacker sends ARP request for IP address of gateway
When attacker sees response Knows switch has also seen response So what? Now switch send data intended for gateway to the gateway Attacker can then send buffered data Brilliant! Network Attacks

29 Port Stealing Network Attacks

30 DNS Spoofing Dsniff can send false DNS info
Used to redirect traffic Victim tries to resolve name via DNS Attacker sniffs DNS request Attacker responds quickly with bogus IP Victim goes to bogus address Works provided bogus reply arrives first Network Attacks

31 DNS Spoofing Network Attacks

32 Sniffing SSL and SSH Dsniff webmitm enables man-in-the-middle (MIM) attack Send certificate signed by bogus “CA” In SSL, browser warns use, and … …warning is ignored In SSH user is warned, and … Network Attacks

33 Sniffing SSL and SSH Man-in-the-middle
Politically correct: “monkey-in-the-middle” Network Attacks

34 Simplified SSL Protocol
Can we talk?, cipher list, RA certificate, cipher, RB {S}Bob, E(h(msgs,CLNT,K),K) h(msgs,SRVR,K) Data protected with key K Bob Alice S is pre-master secret K = h(S,RA,RB) msgs = all previous messages CLNT and SRVR are constants Network Attacks

35 SSL MiM Attack RA RA certificateT, RB certificateB, RB
{S1}Trudy,E(X1,K1) {S2}Bob,E(X2,K2) h(Y1,K1) h(Y2,K2) Trudy E(data,K1) E(data,K2) Alice Bob Q: What prevents this MiM attack? A: Bob’s certificate must be signed by a certificate authority (such as Verisign) What does browser do if signature not valid? What does user do if signature is not valid? Network Attacks

36 Sniffing SSL Network Attacks

37 Firefox Certificate Warning
Network Attacks

38 IE Certificate Warning
Network Attacks

39 Webmitm Output Network Attacks

40 SSH Sniffing SSH gives a warning too Ettercap also does SSH MiM
Specifically mentions MiM attack Still, it’s easy to ignore Ettercap also does SSH MiM But Ettercap is not really in the “middle” It establishes key with client, then connects client to server using same key Network Attacks

41 Other Dsniff Features Tcpkill --- kill active TCP connection
Tcpnice --- “shape traffic” using, e.g., ICMP source quench Filesnarf --- grab NFS files Mailsnarf --- grab Msgsnarf --- grab IM traffic Urlsnarf --- grab URLs from HTTP traffic Webspy --- view web pages victim views Network Attacks

42 Sniffing Defenses Use secure protocols
SSL, SSH, SMIME, PGP, IPSec Do not use telnet for sensitive info Take certificate warnings seriously Prefer switches to hubs Hard code MAC addresses, if possible Static ARP tables, where possible Network Attacks

43 Sniffing Defenses Use tools to detect promiscuous mode
Ipconfig (UNIX), PromiscDetect (Windows) Sentinel looks for anomalies on LAN that indicate sniffing Send packet (ping, for example) with bogus destination MAC address Any reply indicates sniffing Also, some Windows-specific tools Network Attacks

44 IP Address Spoofing IP Address Spoofing Enables Trudy to…
Changing source IP address Enables Trudy to… Cover her tracks Break applications that use IP address for authentication Previous examples: Nmap, Dsniff, … Network Attacks

45 Simple Spoofing Simply change the IP address
Ipconfig or Windows network Control Panel Works when Trudy does not need response DoS, for example Tools for packet crafting Hping2 Nemesis NetDude Network Attacks

46 Simple Spoofing Limitations of simple spoofing
Trudy cannot easily interact with target Spoofing TCP especially difficult Interactive simple spoofing works if Trudy on same LAN as spoofed address Network Attacks

47 Simple Spoofing Network Attacks

48 Predicting Sequence Numbers
Not-so-simple spoofing… Trusted machines often require no authentication beyond TCP connection Trudy can pretend to be trusted machine by spoofing IP address To establish connection, Trudy must predict initial sequence number Network Attacks

49 Not-So-Simple Spoofing
Network Attacks

50 Not-So-Simple Spoofing
Note that… Trudy must correctly guess ISNB Trudy does not see responses (not a true interactive session) Bob thinks packets came from Alice Good attack for r-commands Network Attacks

51 Spoofing via Source Routing
Specify path packet will take Loose source routing Specify some hops Source routing makes Trudy’s life much easier Next slide Network Attacks

52 Spoofing via Source Routing
Network Attacks

53 Spoofing via Source Routing
Seldom works across Internet Source routing blocked by gateway May work on internal network Makes insider attacks easy Network Attacks

54 IP Spoofing Defenses Be sure ISNs are reasonably random
Avoid using r-commands Or use only with SSH or VPN IP address for authentication … NOT! Do not allow source routing Be careful with trust relationships Network Attacks

55 IP Spoofing Defense Employ anti-spoof packet filters
Network Attacks

56 Session Hijacking Trudy “steals” an existing session
Network-based session hijacking Combines spoofing and sniffing Alice and Bob have existing connection Trudy is sniffing packets (on LAN) Trudy starts injecting packets Bob thinks packets came from Alice This works even if strong authentication used, provided there is no encryption Network Attacks

57 Session Hijacking Also, host-based session hijacking
Tools for session hijacking Hunt Dsniff --- sshmitm Ettercap Juggernaut IP Watcher, TTYWatcher, TTYSnoop Network Attacks

58 ACK Storm If Alice is alive during session hijack… Limits the attack
Network Attacks

59 Ettercap Ettercap can prevent ACK storm ARP cache poisoning
Ettercap makes Trudy MiM Network Attacks

60 Ettercap Network Attacks

61 Hunt Hunt offers similar feature as Ettercap
Includes a “resync” feature that may allow Trudy out of MiM And allow Alice and Bob to continue Ettercap and Hunt attacks can work even if Trudy not on same LAN Trudy must be on network between Alice & Bob Network Attacks

62 MiM Attack Network Attacks

63 Wireless Access Points
All attacks so far also work on wireless networks But wireless has unique attack… Access point hijacking Given SSID, pretend to be access point Then need to get victims to associate with fake access point Tool for this: AirJack Network Attacks

64 Session Hijacking Defenses
Use defenses against spoofing and sniffing Use SSH version 2 Dsniff and Ettercap MiM work against SSH version 1 Pay careful attention to certificate warnings Network Attacks

65 Netcat General-purpose networking tool You get the idea…
“…single most useful tool … for interacting with a system across a network” “Swiss army knife of network tools” If you were stranded on a desert island, your one attack tool would be Netcat You get the idea… Network Attacks

66 Netcat Send or receive data from any TCP or UDP port to any TCP or UDP port Network Attacks

67 Netcat For File Transfer
File transfer: any port, push or pull Network Attacks

68 Netcat For Port Scanning
Plain vanilla port scanning Unlike Nmap, which has many options Network Attacks

69 Netcat: Connect to Open Ports
Send data and see what comes back Better than telnet because Easier to redirect output to file Easier to drop a connection No telnet control data/characters No telnet error messages telnet cannot make UDP connections Network Attacks

70 Netcat: Vulnerability Scanning
Netcat as “vulnerability engine” I.e., attacker writes scripts that use Netcat’s capabilities Netcat comes with scripts to check for vulnerabilites in RPC, NFS, trust, FTP, a really weak passwords (very limited compared to Nessus) Network Attacks

71 Netcat Backdoors With access to a machine, Trudy can
Start a Netcat listener for future access Create an active backdoor (i.e., push data) These are most common uses of Netcat by bad guys Network Attacks

72 Netcat to Relay Traffic
Can use Netcat to relay traffic Trudy can hide her true location 10 or more “hops” sometimes seen Across political/language boundaries Network Attacks

73 Evade Packet Filter Network Attacks

74 How to Create Netcat Relay?
Three popular techniques Modify inted in UNIX/Linux Add a line to inted.conf file “backpipe” on UNIX/Linux Use mknod: pipes data in FIFO order Relay bat file in Windows Network Attacks

75 Backpipe Network Attacks

76 Netcat Listeners By default, Netcat listener is nonpersistent
In Windows version, can create persistent listeners In UNIX, requires a little more work from Trudy to get same effect see book for details Network Attacks

77 Netcat Honeypots Good guys can create Netcat (persistent) listeners
These can be used as honeypots Network Attacks

78 Netcat Defenses Prevent Netcat file transfers
Firewall configuration issue Secure against port scanning Minimal number of listening ports Block arbitrary connections to ports Close unused ports Protect against vulnerability scanning Apply patches Network Attacks

79 Netcat Defenses Stop backdoors Prevent relay attacks
Need to know what processes are running so you can detect rogue processes Prevent relay attacks No single point that attacker can relay around Stop persistent listeners Periodically check for unexpected listening ports Network Attacks

80 Conclusions Network Attacks

81 Summary Network Attacks

82 Netcat Network Attacks

Download ppt "Network Attacks Network Attacks 1."

Similar presentations

Ethical Hacking Module VII Sniffers.

Ethical Hacking Module VII Sniffers.
Password Cracking, Network Sniffing, Man-in-the-Middle attacks, and Virtual Private Networks Lab 2 – Class Discussion Group 3 Ruhull Alam Bhuiyan Keon.

Password Cracking, Network Sniffing, Man-in-the-Middle attacks, and Virtual Private Networks Lab 2 – Class Discussion Group 3 Ruhull Alam Bhuiyan Keon.
Man in the Middle Attack

Man in the Middle Attack
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.

Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.

Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Man in the Middle Paul Box Beatrice Wilds Will Lefevers.

Man in the Middle Paul Box Beatrice Wilds Will Lefevers.
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
ITIS 6167/8167: Network and Information Security Weichao Wang.

ITIS 6167/8167: Network and Information Security Weichao Wang.

Similar presentations

Ads by Google