ARP cache Poisoning For the Detection of Sniffers in an Ethernet

Download Report

Transcript ARP cache Poisoning For the Detection of Sniffers in an Ethernet

ARP cache Poisoning
For the Detection of Sniffers in an
Ethernet Network
Raoudha KHCHERIF
Assistant Professor
National School of Computer Science University of
Mannouba TUNISIA
[email protected]
Network and computer
• Are you secure?
I Don’t Know
NO
NO
NO
I Don’t Know
NO
NO
NO
I Don’t Know
NO
NO
YES
NO
NO
I Don’t Know
I Don’t Know
YES
YES
YES
I Don’t Know
YES
YES
I Don’t Know
I Don’t Know
NO
YES
NO
YES
NO
I Don’t Know
Network Intrusions
• Intrusions can be achieved in a matter of seconds
using automated intruder tools
• Gain access to computing resources (to launch
attacks) as well as to private data
• Compromise series of remote systems, making it
difficult to trace their activities
• Network intrusions originating outside of your
jurisdiction may be difficult (or impossible) to
prosecute
Number of Intruders able to execute attacks
http://www.cert.org/present/cert-overview-trends/module-2.pdf
External ?
95% of computer crime are from internal employees
Internal ?
Security Issues in Networking
Normal Flow
Host A
Host A
Host B
Interruption
Attack on the Availability
Host B
Interception
Host A
Host B
Attack on the confidentiality
Modification
Host A
Host B
Attack on the integrity
Fabrication
Host A
Host B
Attack on the authenticity
Active Attacks
Intruder
Host A
Host B
Passive Attacks
Intruder
Host A
Host B
Outline
•
•
•
•
•
Basics
ARP Poisoning Attack
Sniffers
Promiscuous Node detection
ARP Cache Poisoning for Promiscuous
Node Detection
• Conclusion
What is ARP?
- Protocol Which maps IP address to MAC address
- Operates in Network and Datalink Layer
- ARP is designed to work for protocols other than IP
Purpose of ARP
32-bit Internet address
ARP
RARP
48-bit Ethernet address
Basics and working of ARP
HP Laser jet printer
129.119.103.2
My Computer 129.119.10.42
Who has 129.119.103.2
ARP Request
Check ARP cache
IP address Broadcast
HP Laser jet printer
129.119.103.2
My Computer 129.119.10.42
I have 129.119.103.2
My MAC is [??-??-??-??-??-??]
ARP Reply
MAC return
Basics and working of ARP (cont)
ARP table of Source host
IP Address
Physical Address
Type
129.119.103.1
00-E0-2B-13-68-00
dynamic
129.119.103.2
??-??-??-??-??-??
dynamic
ARP Spoofing/ ARP Poisoning
•
ARP Spoofing is a kind of Spoofing
in which a forged ARP reply is sent
to the original ARP request
•
Updation of target computer‘s cache
with a forged entry.
Vulnerable & Non Vulnerable OS
OS Vulnerable to ARP Spoofing
1. Windows 95/98/2000
2. Windows NT
3. Linux
4. Netgear
5. AIX 4.3
OS Not Vulnerable to ARP Spoofing
• SUN SOLARIS
ARP Poisoning
• Introducing a spurious IP Ethernet
address mapping in another host’s ARP
cache.
• Many techniques are used…
ARP Poisoning --Broadcast request
Host A
10.10.0.1
10.10.0.2
10.10.0.2
Host B
10.10.0.2
00-E0-2B-13-68-00
??-??-??-??-??-??
Who has 10.10.0.1
My IP is 10.10.0.2
Host C (Hacker)
10.10.0.11
ARP Poisoning--Response to a request
Who has 10.10.0.2
My IP is 10.10.0.1
Host A
10.10.0.1
10.10.0.2
??-??-??-??-??-??
Host B
10.10.0.2
I have 10.10.0.2
My MAC is [00-E0-2B-13-68-00]
I have 10.10.0.2
My MAC is [??-??-??-??-??-??]
Host C (Hacker)
10.10.0.2
ARP Poisoning -- Unsolicited Responses
Host A
10.10.0.1
10.10.0.2
10.10.0.2
10.10.0.29
Host B
10.10.0.2
00-E0-2B-13-68-00
00-E0-2B-13-68-00
??-??-??-??-??-??
I have 10.10.0.29
My MAC is [??-??-??-??-??-??]
Host C (Hacker)
10.10.0.11
Passive Protocol Analysis: Sniffing
• A packet sniffer is a tool that plugs into
a computer network and monitors all
network traffic.
• It monitors traffic destined to itself as
well as to all other hosts on the
network.
Ingredients for successful sniffing
1. Shared Media : usually an Ethernet card
2. Promiscuous Mode Operations
To this machine
NIC Normal
Hardware Filter
To Other
All Packet
NIC Promiscuous
NIC’s Hardware addresses
• The NIC can set up different filters called
hardware filter in order to receive different
kinds of packets.
– Broadcast: FF:FF:FF:FF:FF:FF
– Promiscuous
– Others
• Packets are filterd differently when the NIC
is set to promiscuous mode and that to
normal mode
Anatomy of a sniffer
Logging/Editing
Packet
Decode
Buffer
Capture Driver
Media
Logging: permanent storage of packets
for offline analysis
Decode: packets must be decoded
to human readable form.
Buffer: packets must temporarily buffered
prior to storage or processing.
Capture driver: software driver
to capture and filter network traffic.
Media: usually an Ethernet card but
could also be a wireless card or anything else.
Uses of a sniffer
•
•
•
•
Traffic Analysis
Fault analysis of networks
Intrusion detection Systems are built on sniffers
Performance analysis to identify bottlenecks
•
Stealing clear-text content
–
–
–
•
Passwords
Credit card numbers
“Secret” email conversations
Gaining unauthorized access to remote hosts.
Are sniffers bad?
YES & NO
Example
FTP
Packet
FTP
Packet
FTP Packet
FTP
Packet
FTP
Packet
http://www.ethereal.com/download.html
Example
Email
Packets
Great! He is
sending some
interesting
information to his
boss
Email
Packets
Email
Email
Packets
Email
Packets
Prevention vs Detection ?
• Sniffing is a passive activity, hence
done properly it is impossible to detect
a sniffer!
• Difficult to prevent it.
Why is so difficult to detect
sniffers?
• The attack is essentially passive
– They don’t generate unusual traffic
– They are normally linked to active
intrusion attacks
• Only requires a standard machine
• Threat is always seen as external
– 80% to 95% are internal!
Winpcap, Libpcap
http://winpcap.polito.it/
http://www.cet.nau.edu/~mc8/Socket/Tutorials/section1.html
Prevention ?
Switched Network
Host A
Host B
Switch
CISCOS YSTEMS
Sniffer
Switch Sniffing -- ARP spoofing
Switch
CISCOS YSTEMS
Forwarded Packet
Packet destined for IP B
Host A
ARP Reply: IP of B
Has MAC C
Host B
Host C
Hacker
ARP Reply: IP of A
Has MAC C
Traffic from the Switch to target machines
Switch
CISCOS YSTEMS
ARP Poisoning
Host A
Host B
Hacker
Traffic from Target machine to the switch
Switch
CISCOS YSTEMS
Host A
ARP Reply: IP of the switch
Has MAC FF:FF:FF:FF:FF:FF
Host B
Hacker
ARP Reply: IP of the switch
Has MAC FF:FF:FF:FF:FF
Switch sniffing -- MAC Spoofing
• Keep a translation table that maps various MAC
addresses to the physical ports on the switch
• Has a limited memory for this work.
• Bombard the switch with fake MAC addresses
till the switch can’t keep up.
• It enters into what is known as “failopen mode”
wherein it starts acting as a hub by broadcasting
packets to all the machines on the network.
Detection?
• There are some practical solutions:
–
–
–
–
–
Local detection of promiscuous mode
The RTT detection technique
The DNS detection technique
The ARP detection technique
Employing a honeypot
RTT detection technique
• The RTT ( Round Trip Time), time taken by
a packet to reach destination + time that the
response took to reach the source.
• The simples of the collected RTT
measurements represents tow different
populations, normal mode population and the
promiscuous mode population
• Measurements are statistically different
enough and therefore represent two different
populations.
DNS detection technique
Good GUY
IP: 192.168.0.62
BINGO! You must be in
promiscuous mode!
Decoding fake traffic!
Listening for DNS lookup 10.10.10.10
Hey! Who is 10.10.10.10?
DNS Lookup: <CNAME, IP 10.10.10.10>
TCP Packet: <SYN, IP 10.10.10.10, Port 23>
TCP Packet: <SYN:ACK, IP 192.168.0.62, Port 23>
TCP Packet: <ACK, IP 10.10.10.10, Port 23>
TCP Packet: <ACK, IP 10.10.10.10, Port 23>
TCP Packet: <RST, IP 10.10.10.10, Port 23>
SNIFFER
ARP detection technique
BINGO! You must be in
promiscuous mode!
Good GUY
IP: 192.168.0.62
Eth.Mode: Normal
Eh.MAC: 00:b8:66:15:9a:11
Dest MAC:FF:00:00:00:00:00
Src.IP :192.168.0.62
Dst IP: 192.168.0.63
Type ARP Request
Dest. MAC: 00:b8:66:15:9a:11
Src. IP: 192.168.0.63
Dst. IP: 192.168.0.62
Type: ARP Reply
NIC: In promiscuous mode,
picks it up and gives to OS IP
Stack: Hmm…, ARP Request
to me, send reply back
SNIFFER
IP: 192.168.0.63
Eth.Mode: Promiscous
Eh.MAC: 00:88:c9:22:14:8c
Limits
• ARP detection technique
– If a host does not generate any ARP reply
• RTT detection technique: Probabilistic
technique,
– Many known and unknown factors, OS,
Traffic, may affect the results
• DNS detection technique
– Sniffers can easily be changed to not
perform the reverse lookup
Detection using ARP cache
Poisoning
Idea
Telnet 10.10.10.2
Host A
10.10.10.1
ARP request
Host B
10.10.10.2
ARP cache
10.10.10.2 00:00:00:00:00:01
TCP Packet
Check it’s ARP cache
If there is no entries
ICMP Packet
If the port 23 is open
If not
ARP cache poisoning attack based detection technique
• 3 different phases
– Phase 1: Corrupt ARP cache of each
sniffing host in the LAN with fake entries
– Phase 2: Establish a TCP connection
– Phase 3: Sniff the LAN in order to capture
any packet containing the fake entry.
How can I poison only the Sniffing hosts?
•
Send ARP Reply with hardware destination is set to an address that does not exist.
•
NIC is in normal mode: the packet is refused by the hardware filter of the NIC.
•
NIC is in promiscuous mode, the NIC does not perform any filter operation. Then this
packet is able to pass to the system kernel.
•
The system kernel assumes that this ARP reply packet arrives because it contains the same
IP address as that machine, so it should respond to the packet.
•
Software Filter: The packet is actually filtered again by the system kernel. The software
filter depends on the operating system kernel.
•
It is unnecessary to sent ARP packet with MAC addresses that do not exist, since the
software filter will block such packets.
•
We need to send ARP packets with MAC addresses that may pass the software filter.
Software filtering
Windows9x/ME
Windows2k/NT
Linux
Hardware Addresses
Norm
Promis
Norm
Promis
Norm
Promis
FF:FF:FF:FF:FF:FF






FF:FF:FF:FF:FF:FE
-

-

-

FF:FF:00:00:00:00
-

-

-

FF:00:00:00:00:00
-

-
-
-

01:00:00:00:00:00
-
-
-
-
-

01:00:5E:00:00:00
-
-
-
-
-

01:00:5E:00:00:01






First Phase: ARP Poisoning
• We Configure an ARP Reply packet such that it has fake
broadcast address as the destination address
Ethernet address of destination
FF:FF:FF:FF:FF:FE
Ethernet address of sender
Fake address
Protocol type (ARP =0806)
08 06
Hardware address space (Ethernet =01)
00 01
Protocol address space (Ipv4= 0800)
08 00
Byte length of hardware address
06
Byte Leth of protocol address
04
Opcode (ARP request =01, ARP reply =02)
00 02
Hardware address of sender of this packet
Protocol address of sender of this packet
Hardware address of target of this packet
Protocol address of Target
Fake Address
ARP Poisoning
NIC normal
ARP Reply with fake sender address
NIC Promiscuous
ARP cache Poisoned
2nd Phase : Establishing TCP
connection
• We configure now an TCP packet (with
the bit SYN set) with source address is
the fake one.
• Send this packet on Broadcast.
Establishing TCP connection
NIC normal
TCP packet with fake sender address
NIC Promiscuous
3th Phase: Detection of the sniffing
hosts
• Machines with ARP cache poisoned reply
with an ICMP error message or TCP ( the
connection can be done)
• Machines with NIC on normal mode will
reply with an ARP request.
• We use a sniffer to capture and analyze the
packets on the net and the machines who
send ICMP or TCP that has fake IP and
MAC addresses as the destination addresses,
are the machine who are running a sniffer.
Detection of the sniffing hosts
BINGO! You must be in
promiscuous mode!
ARP Request
ICMP or TCP
NIC normal
NIC Promiscuous
Evaluation
• We tested this Method with simple sniffer
and advanced one,
• According to our experimentations,
compared to other anti-sniffers (PromiScan,
PMD, L0pht Antisniff ), only this method can
detect both advanced and simple sniffers in
the LAN.
http://www.securityfriday.com
http://webteca.port5.com
http://www.l0pht.com/antisniff
How to avoid Sniffers?
• Switched Network
• Never send clear-text messages on the
Net
– SSH for telnet
– SFTP for FTP
– VPN for clear-text traffic
Kiddie:
A friend of mine told me that it is possible to sniff on a LAN...
so I bought a switch ;)
NaGoR:
mmhhh....
Kiddie:
Now my LAN is SECURE ! you can't sniff my packets... ah ah ah
NaGoR:
are you sure ? look at ettercap doing its work...
Kiddie:
Oh my god... it sniffs all my traffic !!
I will use only ciphered connections on my LAN, so ettercap can't
sniff them ! ah ah ah
NaGoR:
mmhhh....
Kiddie:
Now I'm using SSH. My LAN is SECURE !
NaGoR: are you sure ? look at ettercap doing its work...
Kiddie:
shit !! grrrr...
Tools
• ettercap (http://ettercap.sf.net)
• dsniff (http://www.monkey.org/~dugsong/dsniff)
“A false sense of security, is
worse than insecurity”
Steve Gibson
Thank You
[email protected]