1. Man in the middle attacks
What they are, how to achieve them, how to use them, how to prevent them
Alberto Ornaghi <alor@blackhats.it>, Marco Valleri <naga@blackhats.it>
Blackhats Italia 2003

2. Table of contents
Different attacks in different scenarios:
LOCAL AREA NETWORK:
- ARP poisoning
- DNS spoofing
- STP mangling
FROM LOCAL TO REMOTE (through a gateway):
- ARP poisoning
- DNS spoofing
- DHCP spoofing
- ICMP redirection
- IRDP spoofing
- route mangling
REMOTE:
- DNS poisoning
- traffic tunneling
- route mangling

3. Once in the middle...

4. Sniffing
- It is the easiest attack to launch since all the packets transit through the attacker.
- All the “plain text” protocols are compromised (the attacker can sniff user and password of many widely used protocols such as telnet, ftp, http).

5. Hijacking
- Easy to launch
- It isn’t blind (the attacker knows exactly the sequence numbers of the TCP connection)

6. Injecting
- Possibility to add packets to an already established connection (only possible in full-duplex mitm)
- The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets.
- If the mitm attack is a “proxy attack” it is even easier to inject (there are two distinct connections)

7. Filtering
- The attacker can modify the payload of the packets by recalculating the checksum
- He/she can create filters on the fly
- The length of the payload can also be changed, but only in full-duplex (in this case the seq has to be adjusted)

8. Attacks examples

9. Attacks examples (1) - Command injection
- Useful in scenarios where a one time authentication is used (e.g. RSA token). In such scenarios sniffing the password is useless, but hijacking an already authenticated session is critical
- Injection of commands to the server
- Emulation of fake replies to the client

10. Attacks examples (2) - Malicious code injection
- Insertion of malicious code into web pages or mail (javascript, trojans, viruses, etc.)
- Modification on the fly of binary files during the download phase (viruses, backdoors, etc.)

11. Attacks examples (3) - Key exchanging
- Modification of the public key exchanged by server and client (e.g. SSH1)
[Diagram: Client, MITM and Server; labels KEY(rsa) on both sides, Ekey[S-Key] on both sides, S-KEY held by Client, MITM and Server, then M, Eskey(M), D(E(M))]

12. Attacks examples (4) - Parameters and banners substitution
- Parameters exchanged by server and client can be substituted in the beginning of a connection (algorithms to be used later)
- Example: the attacker can force the client to initialize a SSH1 connection instead of SSH2.
  – The server replies in this way:
    SSH-1.99 -- the server supports ssh1 and ssh2
    SSH-1.51 -- the server supports ONLY ssh1
  – The attacker makes a filter to replace “1.99” with “1.51”
- Possibility to circumvent known_hosts
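A client-side check for the banner trick on this slide, as an added example that is not from the slides or from any tool they list: it parses the RFC 4253 identification string, refuses an SSH1-only banner when protocol 2 is required, and reports a host that previously offered SSH2 but now sends “1.51” as a possible substitution. Hostnames and banners are constructed.

```python
"""Client-side check against the SSH banner substitution described above.
Added example, not code from the Blackhats Italia 2003 slides. The client
parses the server identification string (RFC 4253: "SSH-protoversion-
softwareversion[ comments]"), refuses SSH1-only banners when protocol 2 is
required, and remembers per host whether SSH2 was ever offered so that a
sudden "1.51" from a known SSH2 host is reported as a possible downgrade.
Hostnames and banners below are constructed.
"""
import re

BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>\S+)(?: (?P<comment>.*))?$")

def parse_banner(line: bytes) -> dict:
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    m = BANNER_RE.match(text)
    if not m:
        raise ValueError(f"not an SSH identification string: {text!r}")
    return m.groupdict()

def offers_ssh2(proto: str) -> bool:
    # "2.0" is SSH2 only; "1.99" means the server speaks both protocol 1 and 2;
    # anything else ("1.5", "1.51", ...) is an SSH1-only server.
    return proto in ("2.0", "1.99")

class BannerPolicy:
    """Decides whether to proceed with a server, keeping a per-host memory of SSH2 support."""
    def __init__(self, require_ssh2: bool = True):
        self.require_ssh2 = require_ssh2
        self.ssh2_seen = {}        # host -> True once the host has offered SSH2

    def check(self, host: str, line: bytes):
        info = parse_banner(line)
        ssh2_now = offers_ssh2(info["proto"])
        ssh2_before = self.ssh2_seen.get(host, False)
        self.ssh2_seen[host] = ssh2_before or ssh2_now
        if ssh2_now:
            return True, f"ok: {host} offers SSH2 ({info['soft']})"
        if ssh2_before:
            return False, (f"refused: {host} offered SSH2 before but now sends "
                           f"SSH-{info['proto']}; possible banner substitution")
        if self.require_ssh2:
            return False, f"refused: {host} is SSH1 only and protocol 2 is required"
        return True, f"warning: connecting to {host} with SSH1"

def demo():
    policy = BannerPolicy(require_ssh2=False)   # even a permissive client catches the downgrade
    first = policy.check("srv.example", b"SSH-1.99-OpenSSH_3.5\r\n")
    later = policy.check("srv.example", b"SSH-1.51-OpenSSH_3.5\r\n")
    return first, later
```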
13. Attacks examples (5) - IPSEC failure
- Block the key material exchanged on the port 500 UDP
- End points think that the other cannot start an IPSEC connection
- If the client is configured in rollback mode, there is a good chance that the user will not notice that the connection is in clear text

14. Attacks examples (6) - PPTP (1) - description
- Uses GRE as transport layer (no encryption, no authentication)
- Uses the same negotiation scheme as PPP (req, ack, nak, rej)
- Negotiation phases are not authenticated
- MS-CHAPv2 mutual authentication can’t prevent this kind of mitm

15. Attacks examples (6) - PPTP (2) - attacks
- During negotiation phase
  – Force PAP authentication (almost fails)
  – Force MS-CHAPv1 from MS-CHAPv2 (easier to crack)
  – Force no encryption
- Force re-negotiation (clear text terminate-ack)
  – Retrieve passwords from existing tunnels
  – Perform previous attacks
- Force “password change” to obtain password hashes
  – Hashes can be used directly by a modified SMB or PPTP client
  – MS-CHAPv2 hashes are not useful (you can force v1)

16. Attacks examples (6) - PPTP (3) - attack example: force PAP from CHAP
[Diagram: message sequence between Server, MITM and Client: req|auth|chap, req|auth|fake, nak|auth|pap, nak|auth|chap, req|auth|pap, req|auth|pap, ack|auth|pap, ack|auth|pap]
- We don’t have to mess with GRE sequences...

17. Attacks examples (6) - PPTP (4) - L2TP rollback
- L2TP can use IPSec ESP as transport layer (stronger than PPTP)
- By default L2TP is tried before PPTP
- Blocking ISAKMP packets results in an IPSec failure
- Client starts a request for a PPTP tunnel (rollback)
- Now you can perform the previous PPTP attacks

18. Attacks examples (6) - PPTP (5) - tools
- Ettercap (http://ettercap.sf.net)
  – Hydra plugins suite
- Anger (http://packetstormsecurity.org/sniffers/anger.tar.gz)

19. Attack techniques - LOCAL SCENARIO

20. Local Attacks (1) - ARP poisoning
- ARP is stateless (we all know how it works and what the problems are)
- Some operating systems do not update an entry if it is not already in the cache, others accept only the first received reply (e.g. Solaris)
- The attacker can forge a spoofed ICMP packet to force the host to make an ARP request. Immediately after the ICMP it sends the fake ARP reply
- Request attack against linux (IDS evasion)

21. Local Attacks (1) - ARP poisoning
- Useful to sniff on switched LANs
- The switch works at layer 2 and it is not aware of the poisoning in the hosts’ ARP cache (unless some ARP inspection)

22. Local Attacks (1) - ARP poisoning - tools
- Ettercap (http://ettercap.sf.net)
  – Poisoning
  – Sniffing
  – Hijacking
  – Filtering
  – SSH sniffing (transparent attack)
- Dsniff (http://www.monkey.org/~dugsong/dsniff)
  – Poisoning
  – Sniffing
  – SSH sniffing (proxy attack)

23. Local Attacks (1) - ARP poison - countermeasures
- YES - passive monitoring (arpwatch)
- YES - active monitoring (ettercap)
- YES - IDS (detect but not avoid)
- YES - Static ARP entries (avoid it)
- YES - Secure-ARP (public key auth)
- NO - Port security on the switch
- NO - anticap, antidote, middleware approach
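The passive-monitoring countermeasure worked through in code, as an added example that is not from the slides, from arpwatch or from ettercap: a parser for raw Ethernet/ARP frames and a monitor that reports a binding change for a known IP (the “flip-flop” arpwatch logs) and a frame whose Ethernet source differs from its ARP sender address, as in the request attack of slide 20. MAC addresses and frames are constructed; the IPs reuse the deck’s 10.1.1.x lab addresses.

```python
"""arpwatch-style passive ARP monitor over raw Ethernet frames.
Added example, not code from the Blackhats Italia 2003 slides: it learns
IP -> MAC bindings and reports a binding change ("flip-flop") and a frame
whose Ethernet source differs from the ARP sender address. Frames are constructed.
"""
import struct
from ipaddress import IPv4Address

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype ptype hlen plen op sha spa tha tpa
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(src), "op": op, "sha": _mac(sha), "spa": str(IPv4Address(spa)),
            "tha": _mac(tha), "tpa": str(IPv4Address(tpa))}

class ArpMonitor:
    """Learns IP -> MAC bindings and reports when a binding changes."""
    def __init__(self):
        self.table = {}   # ip -> mac, learned from the first sighting

    def observe(self, frame: bytes) -> list:
        alerts = []
        a = parse_arp(frame)
        if a is None:
            return alerts
        if a["eth_src"] != a["sha"]:   # sender field forged inside a frame from another NIC
            alerts.append(f"{a['spa']}: ethernet source {a['eth_src']} != ARP sender {a['sha']}")
        known = self.table.get(a["spa"])
        if known is None:
            self.table[a["spa"]] = a["sha"]
        elif known != a["sha"]:
            alerts.append(f"flip-flop: {a['spa']} moved from {known} to {a['sha']}")
            self.table[a["spa"]] = a["sha"]
        return alerts

def make_arp(eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Build a constructed ARP frame for the demo (not captured traffic)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    eth_dst = b"\xff" * 6 if op == OP_REQUEST else h(tha)
    return ETH.pack(eth_dst, h(eth_src), ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, op, h(sha), IPv4Address(spa).packed, h(tha), IPv4Address(tpa).packed)

def demo() -> list:
    gw, host, atk = "00:11:22:33:44:01", "00:11:22:33:44:50", "de:ad:be:ef:00:01"
    mon = ArpMonitor()
    frames = [make_arp(gw, OP_REPLY, gw, "10.1.1.1", host, "10.1.1.50"),    # real gateway reply
              make_arp(atk, OP_REPLY, atk, "10.1.1.1", host, "10.1.1.50"),  # poisoned reply
              make_arp(atk, OP_REQUEST, gw, "10.1.1.1", "00:00:00:00:00:00", "10.1.1.50")]  # forged sender
    return [mon.observe(f) for f in frames]
```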
24. Local Attacks (2) - DNS spoofing
- If the attacker is able to sniff the ID of the DNS request, he/she can reply before the real DNS server
[Diagram: MITM, HOST and DNS; labels serverX.localdomain.it, 10.1.1.1, 10.1.1.50]

25. Local Attacks (2) - DNS spoofing - tools
- Ettercap (http://ettercap.sf.net)
  – Phantom plugin
- Dsniff (http://www.monkey.org/~dugsong/dsniff)
  – Dnsspoof
- Zodiac (http://www.packetfactory.com/Projects/zodiac)

26. Local Attacks (2) - DNS spoofing - countermeasures
- YES - detect multiple replies (IDS)
- YES - use lmhosts or hosts file for static resolution of critical hosts
- YES - DNSSEC
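The “detect multiple replies” countermeasure as an added example that is not from the slides or from any listed tool: a small DNS response parser (header, question, A answers, name compression) and a watcher that reports a second reply reusing a client’s transaction ID with a different answer, which is what a spoofed reply racing the real server looks like on the wire. Messages, names and addresses are constructed.

```python
"""IDS-style detector for the "multiple replies" symptom of DNS spoofing.
Added example, not code from the Blackhats Italia 2003 slides: it parses DNS
responses (header, question, A answers, with name compression) and flags a
second reply reusing a client's transaction ID but resolving differently. Constructed input.
"""
import struct
from ipaddress import IPv4Address

def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = off + 2                      # resume after the pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_reply(msg: bytes):
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:                         # QR bit clear: a query, not a response
        return None
    qname, off = _read_name(msg, 12)
    off += 4                                       # skip QTYPE, QCLASS
    answers = []
    for _ in range(ancount):
        _name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:              # A record
            answers.append(str(IPv4Address(msg[off:off + 4])))
        off += rdlen
    return {"id": txid, "qname": qname, "answers": answers}

class DnsReplyWatcher:
    def __init__(self):
        self.seen = {}   # (client, txid, qname) -> answers of the first reply observed

    def observe(self, client: str, msg: bytes):
        r = parse_reply(msg)
        if r is None:
            return None
        key = (client, r["id"], r["qname"])
        first = self.seen.setdefault(key, r["answers"])
        if first != r["answers"]:
            return f"conflicting replies to {client} for {r['qname']} id={r['id']:#06x}: {first} vs {r['answers']}"
        return None

def build_reply(txid: int, qname: str, ip: str) -> bytes:
    """Constructed DNS response with one A record (demo input only)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + q + struct.pack("!HH", 1, 1) + ans

def demo():
    w = DnsReplyWatcher()
    spoofed = w.observe("10.1.1.50", build_reply(0x1234, "serverX.localdomain.it", "10.1.1.66"))
    real = w.observe("10.1.1.50", build_reply(0x1234, "serverX.localdomain.it", "10.1.1.1"))
    return spoofed, real
```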
27. Local Attacks (3) - STP mangling
- It is not a real MITM attack since the attacker is able to receive only “unmanaged” traffic
- The attacker can forge BPDU with high priority pretending to be the new root of the spanning tree

28. Local Attacks (3) - STP mangling - tools
- Ettercap (http://ettercap.sf.net)
  – Lamia plugin

29. Local Attacks (3) - STP mangling - countermeasures
- YES - Disable STP on VLANs without loops
- YES - Root Guard, BPDU Guard

30. Attack techniques - FROM LOCAL TO REMOTE

31. Local to remote attacks (1) - DHCP spoofing
- DHCP requests are sent in broadcast.
- If the attacker replies before the real DHCP server it can manipulate:
  – IP address of the victim
  – GW address assigned to the victim
  – DNS address

32. Local to remote attacks (1) - DHCP spoofing - countermeasures
- YES - detection of multiple DHCP replies

33. Local to remote attacks (2) - ICMP redirect
- The attacker can forge ICMP redirect packets in order to redirect traffic to himself
[Diagram: T, G, AT and H on a LAN; step 1 “ICMP redirect to AT”]

34. Local to remote attacks (2) - ICMP redirect - tools
- IRPAS icmp_redirect (Phenoelit) (http://www.phenoelit.de/irpas/)
- icmp_redir (Yuri Volobuev)

35. Local to remote attacks (2) - ICMP redirect - countermeasures
- YES - Disable the ICMP REDIRECT
- NO - Linux has the “secure redirect” option but it seems to be ineffective against this attack

36. Local to remote attacks (3) - IRDP spoofing
- The attacker can forge some advertisement packet pretending to be the router for the LAN.
- He/she can set the “preference level” and the “lifetime” at high values to be sure the hosts will choose it as the preferred router.
- The attack can be improved by sending some spoofed ICMP Host Unreachable pretending to be the real router

37. Local to remote attacks (3) - IRDP spoofing - tools
- IRPAS by Phenoelit (http://www.phenoelit.de/irpas/)

38. Local to remote attacks (3) - IRDP spoofing - countermeasures
- YES - Disable IRDP on hosts if the operating system permits it.

39. Local to remote attacks (4) - ROUTE mangling
[Diagram: INTERNET, GW, AT, H]
- The attacker can forge packets for the gateway (GW) pretending to be a router with a good metric for a specified host on the internet
- The netmask should be big enough to win against other routes

40. Local to remote attacks (4) - ROUTE mangling
- Now the problem for the attacker is to send packets to the real destination. He/she cannot send it through GW since it is convinced that the best route is AT.
[Diagram: Tunnel, AT2, D, INTERNET, GW, AT, H]

41. Local to remote attacks (4) - ROUTE mangling - tools
- IRPAS (Phenoelit) (http://www.phenoelit.de/irpas/)
- Nemesis (http://www.packetfactory.net/Projects/nemesis/)

42. Local to remote attacks (4) - ROUTE mangling - countermeasures
- YES - Disable dynamic routing protocols in this type of scenario
- YES - Enable some ACL to block unexpected updates
- YES - Enable authentication on the protocols that support it

43. Attacks techniques - REMOTE SCENARIOS

44. Remote attacks (1) - DNS poisoning
- Type 1 attack
  – The attacker sends a request to the victim DNS asking for one host
  – The attacker spoofs the reply which is expected to come from the real DNS
  – The spoofed reply must contain the correct ID (brute force or semi-blind guessing)

45. Remote attacks (1) - DNS poisoning
- Type 2 attack
  – The attacker can send a “dynamic update” to the victim DNS
  – If the DNS processes it, it is even worse because it will be authoritative for those entries

46. Remote attacks (1) - DNS poisoning - tools
- ADMIdPack
- Zodiac (http://www.packetfactory.com/Projects/zodiac)

47. Remote attacks (1) - DNS poisoning - countermeasures
- YES - Use DNS with random transaction ID (Bind v9)
- YES - DNSSec (Bind v9) allows the digital signature of the replies.
- NO - restrict the dynamic update to a range of IP (they can be spoofed)

48. Remote attacks (2) - Traffic Tunneling
[Diagram: Server, Router 1, GRE tunnel, INTERNET, Client, Fake host, Gateway, Attacker]

49. Remote attacks (2) - Traffic Tunneling - tools
- Ettercap (http://ettercap.sf.net)
  – Zaratan plugin
- TunnelX (http://www.phrack.com)

50. Remote attacks (2) - Traffic Tunneling - countermeasure
- YES - Strong passwords and community on routers

51. Remote attacks (3) - ROUTE mangling
- The attacker aims to hijack the traffic between the two victims A and B
- The attack will collect sensitive information through:
  – traceroute
  – portscanning
  – protoscanning
- Quite impossible against link state protocols

52. Remote attacks (3) - ROUTE mangling - Scenario 1 a (IGRP inside the AS)
[Diagram: A, R1, B, R2]
- The attacker pretends to be the GW

53. Remote attacks (3) - ROUTE mangling - Scenario 1 b (IGRP inside the AS)
[Diagram: A, R1, R3, B, R2]

54. Remote attacks (3) - ROUTE mangling - Scenario 2 a (the traffic does not pass through the AS)
[Diagram: AS 1, AS 2, BGP, BG 1, BG 2, BG 3, RIP, AS 3]

55. Remote attacks (3) - ROUTE mangling - tools
- IRPAS by Phenoelit (http://www.phenoelit.de/irpas/)
- Nemesis (http://www.packetfactory.net/Projects/nemesis/)

56. Remote attacks (3) - ROUTE mangling - countermeasure
- YES - Use routing protocol authentication

57. Conclusions
- The security of a connection relies on:
  – a proper configuration of the client (avoiding ICMP Redirect, ARP Poisoning etc.)
  – the other endpoint’s infrastructure (e.g. DNS dynamic update),
  – the strength of third party appliances to which we don’t have access (e.g. Tunnelling and Route Mangling).
- The best way to protect a communication is the correct and conscious use of cryptographic suites
  – both client and server side
  – at the network layer (i.e. IPSec)
  – at transport layer (i.e. SSLv3)
  – at application layer (i.e. PGP).

58. Marco Valleri <naga@blackhats.it>, Alberto Ornaghi <alor@blackhats.it>