2. Overview
• Reconnaissance Attacks
– Passive Sniffing
– Ping Sweeps
– Port Scans (TCP and UDP)
• Active Attacks
– Password attacks
– Trust exploitation
– Port redirection
• External Attacks
– IP Spoofing
– DoS, DDoS Attacks
• Internal Attacks
– DHCP and ARP Attacks
3. Reconnaissance Attacks
• Reconnaissance refers to the overall act of learning information about a target network by using readily available information and applications.
• Reconnaissance attacks include these attacks:
– Packet sniffers
– Port scans
– Ping sweeps
– Internet information queries
4. Packet Sniffers
• A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. Packet sniffers have these features:
– Packet sniffers exploit information passed in clear text. Protocols that pass information in clear text are Telnet, FTP, SNMP, Post Office Protocol (POP), and HTTP.
– Packet sniffers must be on the same collision domain as the machine that they are targeting.
– Packet sniffers can be used legitimately or can be designed specifically for attack.
6. Packet Sniffer Attack Mitigation
• Here are some packet sniffer mitigation techniques and tools:
– Authentication
– Switched infrastructure
– Antisniffer tools
– Cryptography
7. Port Scans and Ping Sweeps
• Port scan and ping sweep attacks:
– Identify all services on the network
– Identify all hosts and devices on the network
– Identify the operating systems on the network
– Identify vulnerabilities on the network
10. Blocking Ping Sweeps
access-list 102 deny icmp any any echo
access-list 102 permit ip any any
interface FastEthernet0/0
ip address 10.1.1.254 255.255.255.0
ip access-group 102 in
13. To block messages originating from the blocking router…
access-list 103 permit icmp any any unreachable
class-map match-all STOPSHARING
match access-group 103
!
policy-map STOPSHARING
class STOPSHARING
drop
class class-default
!
control-plane
service-policy output STOPSHARING
18. How to block…
access-list 101 deny icmp any any unreachable
access-list 101 permit ip any any
interface FastEthernet0/0
ip address 10.1.1.254 255.255.255.0
ip access-group 101 out
21. Port Scan and Ping Sweep Attack Mitigation
• Port scans and ping sweeps cannot be prevented without compromising network capabilities. However, damage can be mitigated using IPS at the network and host levels.
[Figure: a workstation and a laptop running HIPS sit behind network IDS and IPS; a port scan arrives over the shared connection.]
23. Access Attacks
• Intruders use access attacks on networks or systems for these reasons:
– Retrieve data
– Gain access
– Escalate their access privileges
• Access attacks include:
– Password attacks
– Trust exploitation
– Port redirection
25. Password Attack Example
– The bgp_md5crack tool is used for cracking a secret used for RFC 2385 based packet signing and authentication. It is designed for offline cracking, meaning it works on a sniffed, correctly signed packet. This packet can either be sniffed directly off the wire or be provided in a pcap file.
28. Trust Exploitation
– A hacker leverages existing trust relationships.
– Several trust models exist:
• Microsoft Windows:
– Domains
– Active Directory
• Linux and UNIX:
– NIS
– NIS+
[Figure: System A (user psmith, Pat Smith) trusts System B, and System B trusts everyone. System B is compromised by a hacker who presents the same user name (psmith, Pat Smithson) and thereby gains access to System A. Trust relationships shown: System A trusts System B; System B trusts everyone; System A trusts everyone.]
29. Port Redirection
[Figure: the attacker connects to compromised Host A (source: Attacker, destination: A, port 22). Host A redirects the connection to Host B (source: A, destination: B, port 23). The effective connection is from the attacker to Host B on port 23 (source: Attacker, destination: B, port 23).]
30. Port Redirection Configuration
On HOSTA we create a named pipe using the mkfifo command:
# pipe will be the name of our named pipe
mkfifo pipe
We then create our two-way tunnel using Netcat on HOSTA (listening on port 25 and relaying to 10.1.2.253 port 23):
nc -lvp 25 <pipe | nc -t 10.1.2.253 23 >pipe
Then telnet from the Attacker machine to the port the relay listens on:
telnet 10.1.2.1 25
32. IP Spoofing
– IP spoofing occurs when a hacker inside or outside a network impersonates a trusted source.
– IP spoofing uses trusted internal IP addresses or trusted external IP addresses.
– Attackers use IP spoofing for many reasons:
• To gain root access
• To inject malicious data or commands into an existing data stream
• To divert network packets to the hacker who can then reply as a trusted user by changing the routing tables
• To crash servers by overloading memory (DoS)
• As a step in a larger attack
33. IP Spoofing—Types of Attack
• IP spoofing attacks are either:
– Nonblind spoofing
• The attacker sniffs sequence numbers (i.e., from inside the subnet of the victim).
– Blind spoofing
• The attacker calculates sequence numbers.
• IP spoofing can lead to these types of attacks:
– Man-in-the-middle attack
– DoS attack
– Distributed DoS (DDoS) attack
36. Man-in-the-Middle Attacks
– A man-in-the-middle attack requires that the hacker has access to network packets that come across a network.
– A man-in-the-middle attack is implemented using the following:
• Network packet sniffers (nonblind attack)
• Routing and transport protocols (blind attack)
[Figure: data passes in clear text between Host A and Host B through Router A and Router B.]
37. IP Spoofing Attack Mitigation
• The threat of IP spoofing can be reduced, but not eliminated, using these measures:
– Strong access control at the router
• ACLs on outbound interface
• ACLs on inbound interface
– Data encryption
– Additional authentication requirements
[Figure: an IPsec tunnel between Router A and Router B across the ISP carries the traffic between Host A and Host B.]
38. DoS Attacks
• A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services.
• DoS attack techniques almost always use IP spoofing.
39. TCP SYN Flooding DoS Attack
[Figure, left: the normal TCP three-way handshake between a TCP client (client ports 1024–65535) and a TCP server (service ports 1–1024, here port 80): 1 SYN, 2 SYN and ACK, 3 ACK.]
[Figure, right: the attacker sends a SYN packet with a spoofed source address to the victim TCP server (port 80). The server answers with 2 SYN and ACK to the spoofed address; the third step (?) never arrives, so the connection stays half-open.]
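The missing third step in the figure is what a SYN flood exploits: the victim holds a half-open connection for an ACK that never comes from the spoofed address. SYN cookies are the standard server-side mitigation, and the following added example (not part of the original slides; the secret, MSS table and 64-second tick are constructed, loosely following the Linux layout) shows how a server encodes the handshake in its initial sequence number instead of storing state, then verifies the returning ACK.

```python
import hashlib
import hmac
import struct

# Constructed per-boot secret; a real stack draws this from its CSPRNG at boot.
SECRET = b"constructed-demo-secret-not-for-production"
# Only a 3-bit index of the client's MSS fits in the cookie, so MSS is quantised.
MSS_TABLE = (536, 1300, 1440, 1460)

def _mac24(saddr, daddr, sport, dport, client_isn, counter):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time counter."""
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: 5-bit time counter | 3-bit MSS index | 24-bit MAC.
    Nothing is stored for the half-open connection, so a flood of SYNs from
    spoofed sources costs the server no memory."""
    counter = (int(now) >> 6) & 0x1F                       # ticks of 64 seconds
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(saddr, daddr, sport, dport, client_isn, counter)
    return (counter << 27) | (idx << 24) | mac

def check_cookie(saddr, daddr, sport, dport, seq, ack, now, max_age=2):
    """Validate the final ACK of the handshake. seq/ack are the ACK segment's
    sequence and acknowledgement numbers (client_isn + 1 and server_isn + 1).
    Returns the negotiated MSS if the cookie is genuine and fresh, else None."""
    client_isn = (seq - 1) & 0xFFFFFFFF
    server_isn = (ack - 1) & 0xFFFFFFFF
    counter = server_isn >> 27
    idx = (server_isn >> 24) & 0x7
    mac = server_isn & 0xFFFFFF
    age = (((int(now) >> 6) & 0x1F) - counter) & 0x1F
    if age > max_age:                                      # stale cookie (replay)
        return None
    if mac != _mac24(saddr, daddr, sport, dport, client_isn, counter):
        return None                                        # forged, or wrong 4-tuple
    return MSS_TABLE[idx]
```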
40. DDoS Attacks
• DoS and DDoS attacks have these characteristics:
– They are not generally targeted to gain access.
– They aim at making a service unavailable.
– They require very little effort to execute.
– They are difficult to eliminate.
[Figure: DoS attack: a single attacker targets the victim. DDoS attack: the attacker drives an attack control mechanism that directs many zombies against the victim.]
41. DDoS Example
1. The cracker looks for targets.
2. The cracker installs software to scan, compromise, and infect agents with zombies.
3. Agents are loaded with remote control attack software.
4. The client issues commands to handlers that control agents in a mass attack.
[Figure: client system, handler systems, agent systems.]
46. DoS and DDoS Attack Mitigation
• Reduce DoS and DDoS attacks by:
– Protecting yourself against IP spoofing with ingress- and
egress-filtering ACLs
– Using antivirus software to find zombie agents
– Using anti-DoS features on routers and firewalls
• ip verify unicast reverse-path interface command
• ACLs to filter all private Internet address space (RFC 1918)
– Using traffic rate limiting at the ISP level
• Use class-based traffic policing on ICMP packets
• Use SYN rate limiting
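The two anti-spoofing measures listed above, uRPF and RFC 1918 source filtering, can be modelled in a few lines. Added example, not from the slides: a constructed routing table stands in for the router's FIB, and strict uRPF checks a packet's source address against the interface it arrived on, in both the ingress and the egress direction.

```python
import ipaddress

# Constructed routing table for an edge router: prefix -> interface it is reached through.
ROUTES = {
    ipaddress.ip_network("10.1.1.0/24"):  "FastEthernet0/0",  # inside LAN
    ipaddress.ip_network("192.0.2.0/24"): "FastEthernet0/1",  # second inside segment (constructed)
    ipaddress.ip_network("0.0.0.0/0"):    "Serial0/0",        # default route towards the ISP
}
INTERNET_IFACE = "Serial0/0"

# RFC 1918 space: never a legitimate source on the Internet-facing interface.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def best_route(addr):
    """Longest-prefix match, as the router's FIB would resolve it."""
    matches = [n for n in ROUTES if addr in n]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)] if matches else None

def urpf_strict(addr, ingress_iface):
    """Strict uRPF (ip verify unicast reverse-path): the route back to the source
    must point out the interface the packet came in on. Assumes symmetric routing;
    multihomed links need loose mode instead."""
    return best_route(addr) == ingress_iface

def ingress_filter(src, ingress_iface):
    """Decision for a packet with source 'src' arriving on 'ingress_iface'."""
    addr = ipaddress.ip_address(src)
    if ingress_iface == INTERNET_IFACE and any(addr in n for n in RFC1918):
        return ("drop", "rfc1918-source-from-internet")   # ingress ACL
    if not urpf_strict(addr, ingress_iface):
        return ("drop", "urpf-fail")   # spoofed source, ingress or egress direction
    return ("permit", "ok")
```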
47. Rate Limiting
What rate limiting does:
• Allows network managers to set bandwidth thresholds for users and by traffic type
Benefits:
• Prevents the deliberate or accidental flooding of the network
• Keeps traffic flowing smoothly
Otherwise, there can be a deliberate or accidental slowdown or freezing of the network.
[Figure: rate limiting for different classes of users (network manager, teachers, students) with thresholds of 2 Mbps, 10 Mbps and 50 Mbps.]
48. Example: ICMP rate limiting
access-list 170 permit icmp any any
Interface f0/0
rate-limit input access-group 170 128000 16000 24000
conform-action transmit exceed-action drop
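To see what the numbers in the rate-limit statement mean, the following added example (not from the slides) models it as a token bucket: 128000 bit/s refills 16 bytes per millisecond into a bucket holding the 16000-byte normal burst. The 24000-byte extended burst and CAR's compounded-debt borrowing are left out, so it is a simplification of IOS behaviour.

```python
class CarPolicer:
    """Simplified token-bucket model of the slide's CAR statement:
       rate-limit input access-group 170 128000 16000 24000 conform-action transmit exceed-action drop
    Tokens are bytes: 128000 bit/s refills 16 bytes per millisecond into a bucket that
    holds the 16000-byte normal burst. The 24000-byte extended burst and CAR's
    compounded-debt borrowing are omitted, so this is not an exact IOS model."""

    def __init__(self, rate_bps=128000, normal_burst=16000):
        self.rate = rate_bps / 8000.0        # bytes per millisecond (16.0 here)
        self.capacity = float(normal_burst)
        self.tokens = float(normal_burst)    # bucket starts full
        self.last_ms = 0

    def police(self, size, now_ms):
        """Return 'transmit' or 'drop' for a packet of `size` bytes arriving at `now_ms`."""
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if size <= self.tokens:              # conform-action transmit
            self.tokens -= size
            return "transmit"
        return "drop"                        # exceed-action drop; no tokens consumed

def run(policer, packets):
    """packets: (arrival_ms, size_bytes) pairs; returns counts of each decision."""
    counts = {"transmit": 0, "drop": 0}
    for t, size in packets:
        counts[policer.police(size, t)] += 1
    return counts

def ping_flood():
    """Constructed flood: 1000 ICMP packets of 1500 bytes, one per millisecond.
    Roughly the normal burst plus one second of refill (about 32000 bytes) gets
    through, i.e. 21 packets; the remaining 979 are dropped."""
    return run(CarPolicer(), [(ms, 1500) for ms in range(1000)])

def normal_pings():
    """Constructed benign traffic: ten 100-byte echo requests, one per second."""
    return run(CarPolicer(), [(s * 1000, 100) for s in range(10)])
```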
49. Spoofing the DHCP Server
1. An attacker activates a DHCP server on a network segment.
2. The client broadcasts a request for DHCP configuration information.
3. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information.
4. Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the client.
[Figure: client, rogue DHCP server (attacker) and legitimate DHCP server on one segment.]
51. Storm control can help…
interface FastEthernet0/1
storm-control broadcast level 10.00 8.00
52. DHCP Snooping
– DHCP snooping allows the configuration of ports as trusted or untrusted.
• Trusted ports can send DHCP requests and acknowledgements.
• Untrusted ports can forward only DHCP requests.
– DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID.
– Use the ip dhcp snooping command.
53. DHCP Snooping Configuration
ip dhcp snooping
ip dhcp snooping vlan 20
interface FastEthernet0/13
switchport access vlan 20
ip dhcp snooping trust
Switch#sh ip dhcp snooping binding
MacAddress         IpAddress       Lease(sec) Type          VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:14:A8:96:2C:40  10.1.2.12       86371      dhcp-snooping 20   FastEthernet0/24
00:14:6A:1D:B8:00  10.1.2.13       86371      dhcp-snooping 20   FastEthernet0/23
Total number of bindings: 2
54. ARP Spoofing: Man-in-the-Middle Attacks
[Figure: Host A (IP 10.1.1.2, MAC A.A.A.A), Host B (IP 10.1.1.1, MAC B.B.B.B) and the attacker, Host C (IP 10.1.1.3, MAC C.C.C.C), share one segment.]
1. Host A (IP 10.1.1.2) asks: MAC for 10.1.1.1?
2. Legitimate ARP reply: 10.1.1.1 = MAC B.B.B.B
3. Subsequent gratuitous ARP replies from the attacker overwrite the legitimate replies:
• 10.1.1.1 bound to C.C.C.C
• 10.1.1.2 bound to C.C.C.C
Resulting ARP tables:
• ARP table in Host A: 10.1.1.1 = MAC C.C.C.C
• ARP table in Host B: 10.1.1.2 = MAC C.C.C.C
• ARP table in Host C: 10.1.1.1 = MAC B.B.B.B; 10.1.1.2 = MAC A.A.A.A
55. Mitigating Man-in-the-Middle Attacks with DAI
• MAC or IP tracking built on DHCP snooping
DAI provides protection against attacks such as ARP poisoning using spoofing tools such as ettercap, dsniff, and arpspoof.
DAI function:
• Track DHCP Discovery (broadcast)
• Track DHCP Offer (unicast) MAC or IP
• Track subsequent ARPs for MAC or IP
[Figure: DHCP Discovery (broadcast) and DHCP Offer (unicast) exchanged between a client and the DHCP server, with addresses 10.1.1.1 and 10.1.1.2; the switch records the MAC or IP from both.]
56. DAI in Action
• A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping.
[Figure: a GARP ("I am your gateway: 10.1.1.1") is sent to attempt to change the IP address to MAC bindings. The switch knows the gateway is 10.1.1.1 and that the attacker is not the gateway according to this binding table, so the GARP is rejected.]
57. DAI Configuration…
ip arp inspection vlan 20
ip arp inspection vlan 20 logging dhcp-bindings all
ip arp inspection validate src-mac
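The binding table from the show output above is exactly what DAI consults. Added example (not the switch's code, and a simplified model of IOS behaviour): it parses that table and applies the DAI checks the configuration enables, including validate src-mac, to ARP packets arriving on untrusted ports; the attacker scenario is constructed.

```python
from dataclasses import dataclass

# Constructed copy of the slide's 'show ip dhcp snooping binding' output.
SHOW_BINDING = """\
MacAddress         IpAddress       Lease(sec) Type          VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:14:A8:96:2C:40  10.1.2.12       86371      dhcp-snooping 20   FastEthernet0/24
00:14:6A:1D:B8:00  10.1.2.13       86371      dhcp-snooping 20   FastEthernet0/23
"""

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

def parse_bindings(text):
    """Turn the binding table into {(vlan, ip): Binding}."""
    table = {}
    for line in text.splitlines()[2:]:           # skip header and ruler
        f = line.split()
        if len(f) >= 6 and f[3] == "dhcp-snooping":
            table[(int(f[4]), f[1])] = Binding(f[0].upper(), f[1], int(f[4]), f[5])
    return table

class Dai:
    """Dynamic ARP Inspection on untrusted ports: the ARP sender IP/MAC must match a
    DHCP snooping binding for that VLAN, and with 'validate src-mac' the Ethernet
    source MAC must equal the ARP sender MAC. Hosts with static addresses (e.g. the
    gateway) have no DHCP binding and need ARP ACLs (ip arp inspection filter)."""
    def __init__(self, bindings, trusted_ports, validate_src_mac=True):
        self.bindings = bindings
        self.trusted = set(trusted_ports)
        self.validate_src_mac = validate_src_mac

    def inspect(self, port, vlan, eth_src, sender_mac, sender_ip):
        if port in self.trusted:
            return "permit"                      # trusted ports are not inspected
        if self.validate_src_mac and eth_src.upper() != sender_mac.upper():
            return "drop-src-mac-mismatch"
        b = self.bindings.get((vlan, sender_ip))
        if b is None or b.mac != sender_mac.upper():
            return "drop-invalid-binding"        # e.g. gratuitous ARP claiming another host's IP
        return "permit"
```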
Windows Domain Models - http://is-it-true.org/nt/atips/atips307.shtml
Linux/UNIX Trusts - http://nim.cit.cornell.edu/usr/share/man/info/en_US/a_doc_lib/files/aixfiles/hosts.equiv.htm
Allows traffic entering a compromised machine on a particular port (for example, TCP/22, SSH) to be redirected to a different machine on a different port (TCP/23, Telnet).
Allows an attacker to exploit trust relationships to circumvent the firewall for all hosts once he controls one host.
Rootkit-based installation allows the redirection process, files, and connections to be hidden.
IP Spoofing – an attacker sends a message to a target host with an IP address indicating that the message is coming from a trusted host. The attacker must know the IP address of a trusted host in order to modify the packet headers so that it appears that the packets are coming from that host.
TCP Session Hijacking – an attacker sniffs for packets being sent from a client to a server in order to identify the two hosts' IP addresses and relative port numbers. Using this information an attacker modifies his packet headers to spoof TCP/IP packets from the client. The attacker then waits to receive an ACK packet from the client communicating with the server (which contains the sequence number of the next packet the client is expecting). The attacker replies to the client using a modified packet with the source address of the server and the destination address of the client. This results in a RST which disconnects the legitimate client. The attacker takes over communications with the server, spoofing the expected sequence number from the ACK that was previously sent from the legitimate client to the server.
IP Fragmentation – Firewalls that support stateful inspection of established connections analyze packets to see if they are being received in the proper sequence. In the case of IP fragments, the firewall attempts to reassemble all fragments prior to forwarding them on to the final destination. If an attacker sends repeated incomplete or out-of-order fragmented packets to the firewall, it will log and wait for all remaining fragments to be received before handling the connection. As a result, system resources are exhausted due to logging and the firewall is subject to a denial of service. Also, some Intrusion Detection Systems (IDS) do not handle IP fragmentation, out-of-order fragmentation, TCP segment overlap, and out-of-order TCP segments properly, which results in packets slipping through because the IDS failed to alarm.