History - ECE Users Pages
Address Spoofing and Denial of Service
Agenda
• MAC Modification
• Address Resolution Protocol Trickery
• IP Address Spoofing
• TCP Session Hijacking
• Domain Name Spoofing
• Email Spoofing (not in lab)
• Denial of Service
ECE 4112 - Internetwork Security
IP Spoofing and Denial of Service Lab Exercises
• Medium Access Control Address Spoofing
 Windows XP MAC modification
 Linux MAC modification
• IP Spoofing
 From Windows wINJECT
 From Linux fraggle.c
• Domain Name System Spoofing
 dsniff tool
• Denial of Service
 datapool tool
 synful
 teardrop
 udpflood
The Ethernet Frame - IEEE 802.3
• Destination and Source MAC Addresses are modified for spoofing.
MAC modification/Spoofing
• Change the MAC on a Host (Cloning)
 Linux (ifconfig)
 Windows Network Settings
• Creating Link Layer Packets (Spoofing)
 libnet (API)
 Linkcat (tool – netcat for link layer)
Modifying Windows XP Network Interface
Modifying Windows XP Network Interface (continued)
Modifying Linux Network Interface
Address Resolution Protocol (ARP)
• Method for finding a host's Ethernet address
• Broadcast message looking for the IP address
• Hosts maintain a cache to avoid frequent requests
ARP Cache Poisoning
• Man in the Middle (MiM) Attack
 Session Stealing
 Packet/Data Injection
• Beat the Switch
 Making a Switch into a Hub
Arpspoof Example
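The poisoning that arpspoof performs can be recognised from the ARP replies themselves. The following detector is an added example, not code from the lecture or from dsniff: it constructs a few Ethernet/ARP reply frames as sample input, parses them, and reports any IP that more than one MAC has claimed (the sample MACs and addresses are made up).

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2          # ARP opcode 2 = reply

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet + ARP reply frame, used here only as test input."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet / IPv4
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an ARP reply, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return spa, sha

def find_arp_conflicts(frames):
    """Map each IP claimed by more than one MAC to the sorted MACs seen for it."""
    # Poisoning announces a victim's IP (often the gateway) with the attacker's
    # MAC, so the same IP turns up bound to two different hardware addresses.
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed:
            ip, mac = parsed
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

# Constructed sample: gateway reply, workstation reply, then a second reply
# binding the gateway IP 192.168.1.1 to a different MAC.
SAMPLE_FRAMES = [
    build_arp_reply("00:11:22:33:44:01", "192.168.1.1", "00:11:22:33:44:0a", "192.168.1.10"),
    build_arp_reply("00:11:22:33:44:0a", "192.168.1.10", "00:11:22:33:44:01", "192.168.1.1"),
    build_arp_reply("de:ad:be:ef:00:01", "192.168.1.1", "00:11:22:33:44:0a", "192.168.1.10"),
]
```

Running `find_arp_conflicts(SAMPLE_FRAMES)` flags 192.168.1.1 with both MACs; a static ARP entry for the gateway, or switch-side dynamic ARP inspection, is the usual mitigation once a conflict is confirmed.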
Network and Transport Layers
• Internet Protocol (IP)
• Internet Control Message Protocol (ICMP)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• TCP Session Hijacking
Internet Protocol (IP)
• IP provides a best-effort way to route datagrams from source to destination
• Source address, destination address: network number and host number
• IP spoofing: change or disguise source address
IP header fields:
 Version
 IHL
 Type of Service
 Total length
 Identification
 Flags (DF, MF)
 Fragment offset
 Time to live
 Protocol
 Header checksum
 Source address
 Destination address
 Options (0 or more words)
IP Spoofing
• Non-blind attacks
 Attacker and target on same subnet
 Reply traffic can be sniffed
• Blind attacks
 Attacker and target on different subnets
 Reply traffic cannot be seen by attacker
 Attacker must be able to predict replies
IP Spoofing
• Attacks made possible by IP spoofing include
 Denial of Service (DOS)
 Session Hijacking
 Man in the Middle
• To take over a TCP stream, sequence and acknowledgement numbers must be sniffed or predicted.
Transmission Control Protocol (TCP)
• Source and Destination Ports
• Sequence and Acknowledgement number
• Reliability Checksum (not tamperproof)
TCP header fields:
 Source port
 Destination port
 Sequence number
 Acknowledgement number
 TCP HL (header length)
 Flags: URG, ACK, PSH, RST, SYN, FIN
 Window size
 Checksum
 Urgent pointer
 Options (0 or more 32-bit words)
 Data (Optional)
Transmission Control Protocol (TCP)
• Packet Types
 URG – Urgent
 ACK – Acknowledge
 PSH – Push
 RST – Reset
 SYN – Synchronize (can flood a server)
 FIN – Finish
Transmission Control Protocol (TCP) (4)
• TCP connection initiation
 Three-way handshake
[Diagram: three-way handshake between Host 1 and Host 2, beginning with SYN (SEQ=x)]
Session Hijacking
• Session hijacking attacks: based on sniffing and IP spoofing
 Attacker monitors packets between Alice and Bob
 Attacker injects spoofed traffic with a source IP address of Alice
[Diagram: Alice telnets to Bob across the network; the attacker's packet claims “Hi, I am Alice”]
DNS Spoofing
• Causes name resolution to result in an incorrect IP address
• In our lab, the dsniff tool is used to accomplish this
DSniff
• Collection of tools for network auditing and penetration testing.
• Tools included
 ArpSpoof
 DNSspoof
 Dsniff
 Filesnarf
 Macof
DSniff (continued)
 Mailsnarf
 Msgsnarf
 TCPKill
 TCPnice
 URLSnarf
 WebSpy
 SSHMITM
 WebMITM
DSniff
• All kinds of attacks can be run. E.g. –
 Password Sniffing
 Message and File Capture
 URL Capture
 Man-In-The-Middle
• Lab exercises
 DNS Spoofing
Email Spoofing
• Email spoofing is effective because most people don’t have time to double check their headers all the time.
• An email’s true origin can be further obfuscated by forging extra “Received:” lines.
• To force a verification, email can be cryptographically signed.
Email Spoofing
• Email spoofing is a form of social engineering.
• Email spoofing is also used by spammers to make it more difficult to track them.
• A forged email can be detected by close inspection of its headers.
• Login to SMTP (port 25) is unauthenticated, so anyone can log in and send mail.
Email Spoofing (Not in Lab Assignment)
telnet mail.xyz.gatech.edu 25
220 sark.xyz.gatech.edu ESMTP Sendmail 8.12.10/8.12.8; Mon, 1 Dec 2003 040500 (EST)
HELO abc4883.com
250 sark.xyz.gatech.edu Hello ece-237-37.abc.gatech.edu [130.207.237.37], pleased to meet you
MAIL FROM: <[email protected]>
250 2.1.0 <[email protected]>... Sender ok
RCPT TO: <[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Greetings from abc4883!
.
250 2.0.0 hAUMOh6c005386 Message accepted for delivery
QUIT
221 2.0.0 sark.xyz.gatech.edu closing connection
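The "close inspection of headers" from the previous slide can be automated. This is an added example, not code from the lecture: it unfolds the Received: lines of a constructed message, compares the HELO name each relay announced with the host and address the receiving MTA recorded (in the transcript above, HELO abc4883.com versus ece-237-37.abc.gatech.edu [130.207.237.37]), and checks that each hop's "from" host is the "by" host of the hop below it, which is where forged extra Received: lines usually fail to line up. Hostnames other than those in the transcript, all IPs except 130.207.237.37, and the message ids are made up.

```python
import re

# Sendmail-style trace clause: "from <HELO> (<reverse DNS> [<IP>]) by <MTA> ..."
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+"
                         r"\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)", re.I)

def unfold_headers(raw):
    """Return [name, value] pairs with RFC 822 continuation lines joined."""
    headers, current = [], None
    for line in raw.split("\n"):
        if line == "":                       # blank line ends the header block
            break
        if line[0] in " \t" and current:     # folded continuation of previous header
            current[1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            current = [name.strip(), value.strip()]
            headers.append(current)
    return headers

def received_hops(raw):
    """Parse each Received: header (newest first) into helo/rdns/ip/by fields."""
    matches = (RECEIVED_RE.search(v) for n, v in unfold_headers(raw)
               if n.lower() == "received")
    return [m.groupdict() for m in matches if m]

def suspicious_hops(raw):
    """HELO/reverse-DNS mismatches (a weak signal on their own) and chain breaks."""
    hops, findings = received_hops(raw), []
    for i, hop in enumerate(hops):
        if hop["helo"].lower() != hop["rdns"].lower():
            findings.append(f"hop {i}: HELO {hop['helo']} but the MTA saw "
                            f"{hop['rdns']} [{hop['ip']}]")
        # The host this hop received from must be the relay the older hop names.
        if i + 1 < len(hops) and hop["rdns"].lower() != hops[i + 1]["by"].lower():
            findings.append(f"hop {i}: received from {hop['rdns']} but the hop "
                            f"below claims relay by {hops[i + 1]['by']}")
    return findings

# Constructed message: a genuine campus relay hop, the forged HELO seen in the
# SMTP transcript, and a fabricated earlier hop that does not line up with it.
SAMPLE_MESSAGE = "\n".join([
    "Received: from sark.xyz.gatech.edu (sark.xyz.gatech.edu [192.0.2.20])",
    "\tby mail.example.edu (Postfix) with ESMTP id AAA111; Mon, 1 Dec 2003 04:05:10 -0500",
    "Received: from abc4883.com (ece-237-37.abc.gatech.edu [130.207.237.37])",
    "\tby sark.xyz.gatech.edu (8.12.10/8.12.8) with SMTP id BBB222; Mon, 1 Dec 2003 04:05:00 -0500",
    "Received: from mail.trusted.example (mail.trusted.example [203.0.113.5])",
    "\tby abc4883.com with ESMTP id CCC333; Mon, 1 Dec 2003 04:04:00 -0500",
    "From: someone@abc4883.com", "Subject: Greetings", "", "Greetings from abc4883!"])
```

Both findings land on hop 1, the one the forging client produced; the hops above it, added by relays the recipient trusts, are the only ones worth believing.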
Raw Sockets
• Allows the application to directly access the Network Access Layer (TCP/IP model)
• Develop new or build upon existing protocols
• Programming difference:
 sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
 Manually build the necessary headers
• Requires super user access
• Not implemented the same across all platforms
libnet
• Raw Sockets and Link Layer facilities
• Simplifies packet injection programming
 libnet_build_ipv4( packet_length, type_of_service, identification, fragment, time_to_live, protocol, checksum, source_address, destination_address, payload, payload_size, libnet, ptag)
 libnet_autobuild_ipv4( packet_length, protocol, destination_address, libnet)
 (the address arguments are IPv4 addresses, not ports; a checksum of 0 tells libnet to compute it)
• Allows for prebuilding streams of packets
• Efficient mechanism for packet injection
• Portable solution for packet injection
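To make the IP slide's field list and the raw-socket point about building headers by hand concrete, here is an added example that is not from the lecture, libnet, or any lab tool: it decodes the IPv4 header fields listed on the IP slide, verifies the header checksum the way a receiving stack does, and builds one constructed header to show what filling the checksum field involves. The addresses and identification value are made up.

```python
import struct

def ipv4_checksum(header):
    """One's-complement sum of 16-bit words (RFC 791); result 0 means it verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(packet):
    """Decode the fields from the IP slide out of the first IHL*4 bytes.

    checksum_ok is False for a hand-built header whose checksum field was left
    at zero, and for one modified after the checksum was computed.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "version": 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident,
        "DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl, "protocol": proto, "header_checksum": csum,
        "source": ".".join(str(b) for b in src),
        "destination": ".".join(str(b) for b in dst),
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }

def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0x1234):
    """Constructed 20-byte header (no options) with the checksum filled in."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000, ttl, proto, 0, ip(src), ip(dst))   # DF set, sum 0
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

# Constructed sample: a valid header, then the same header with one source
# address byte flipped, which the checksum check catches.
GOOD = build_ipv4_header("10.0.0.1", "10.0.0.2", payload_len=20)
TAMPERED = GOOD[:12] + bytes([GOOD[12] ^ 0xFF]) + GOOD[13:]
```

The checksum only detects accidental corruption: a spoofed packet whose sender recomputed it verifies perfectly, which is why the slide calls the field "not tamperproof" and why source-address filtering at the network edge is the actual defence.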
Denial of Service
• Denial of Service
 Easy to mount – script kiddies
 Requires few computing resources
 Most common attack – deadly results
• Comes in various forms. E.g. –
 Buffer Overflow Attack
 Teardrop Attack
 Syn Flood
 Smurf Attack
Internet Control Message Protocol (ICMP)
• ICMP is used to test the Internet.
• Each ICMP message type is encapsulated in an IP packet.
Message type – Description
 Destination unreachable – Packet could not be delivered
 Time exceeded – Time to live field hit 0
 Parameter problem – Invalid header field
 Redirect – Teach a router about geography
 Echo request – Ask a machine if it is alive
 Echo reply – Yes, I am alive
Denial of Service
• Buffer Overflow
 Send more data than allotted buffer space. E.g. – More than 256 chars in email from field.
• Tear Drop
 Takes advantage of IP Fragmentation.
• Syn Flood
 Flood target with connection requests.
• Smurf
 ICMP echo requests with spoofed IP.
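The SYN flood above, and the three-way handshake from the TCP slides, can be checked for from a packet trace. As an added example, not the lecture's code or any lab tool, the following tracks which handshakes completed in a constructed trace and reports sources that left many connections half-open; because a flood with spoofed source addresses spreads the per-source count thin, the total is reported as well, for comparison against the server's listen backlog. All addresses and ports are made up.

```python
from collections import defaultdict

SYN, SYN_ACK, ACK, RST = (frozenset({"SYN"}), frozenset({"SYN", "ACK"}),
                          frozenset({"ACK"}), frozenset({"RST"}))

def half_open_connections(packets):
    """Return the set of (client, cport, server, sport) whose handshake never finished.

    packets: constructed trace of (time, src_ip, src_port, dst_ip, dst_port, flags).
    A client SYN opens an entry; the client's completing ACK (or a RST) closes it.
    The server's SYN/ACK does not change state: the point of a flood is that it
    is sent and never answered, so the server keeps the entry in its backlog.
    """
    pending = {}
    for t, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        key = (src, sport, dst, dport)
        if flags == SYN:
            pending.setdefault(key, t)
        elif flags in (ACK, RST):
            pending.pop(key, None)
    return set(pending)

def half_open_per_source(packets):
    """Half-open count per client IP, plus the total under the key 'TOTAL'."""
    counts = defaultdict(int)
    for client, _, _, _ in half_open_connections(packets):
        counts[client] += 1
    counts["TOTAL"] = sum(counts.values())
    return dict(counts)

def syn_flood_sources(packets, threshold):
    """Client IPs with at least `threshold` half-open connections in the trace."""
    per_source = half_open_per_source(packets)
    return sorted(ip for ip, n in per_source.items() if ip != "TOTAL" and n >= threshold)

SERVER = "10.0.0.80"
SAMPLE_TRACE = [
    # a legitimate client completes the handshake
    (0.00, "10.0.0.5", 40000, SERVER, 80, SYN),
    (0.01, SERVER, 80, "10.0.0.5", 40000, SYN_ACK),
    (0.02, "10.0.0.5", 40000, SERVER, 80, ACK),
] + [
    # one source opens five connections and never answers the SYN/ACKs
    (0.10 + i / 1000, "203.0.113.9", 50000 + i, SERVER, 80, SYN) for i in range(5)
] + [
    (0.20 + i / 1000, SERVER, 80, "203.0.113.9", 50000 + i, SYN_ACK) for i in range(5)
]
```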
Denial of Service
• Tool to be used in lab – Datapool
• Customizable script with capabilities to run 106 different DoS attacks (including ones discussed)!
• Can run attacks against multiple IPs and learns about vulnerabilities of each.
• IP spoofing used to disguise source of attack.
References WWW
• OSI Model: RAD Data Communications
• libnet (packetfactory.net)
• Raw Socket Programming (mixter.void.ru)
• Paketto (www.doxpara.com/paketto)
• Dsniff (naughty.monkey.org/~dugsong/dsniff)
References Books
• Computer Networks, Third Edition. Andrew Tanenbaum, Prentice-Hall, 1996.
• Counter Hack. Ed Skoudis, Prentice-Hall, 2002.
• TCP/IP Illustrated, Volume 1. W. Richard Stevens, Addison-Wesley, 1994.