ARP Spoofing A computer connected to an IP/Ethernet network has two addresses. Address of the network card (MAC address): a 48-bit address stored on the network card and intended to be globally unique. It is not truly unchangeable: the burned-in value can be overridden by software, which is what makes the attacks described below possible. Every Ethernet header contains the MAC address of the source and of the destination computer. IP address: each computer on a network must have a unique IP address to communicate. It is a logical (virtual) address, assigned by software, manually or by DHCP.
Slide 3
ARP Spoofing IP communicates by constructing packets. Packets are delivered by Ethernet: the sending host adds an Ethernet header to each IP packet (that is the frame; splitting oversized packets is done by IP fragmentation, not by Ethernet) and sends the frame down the cable to the switch. The switch then decides which port to send the frame to by comparing the destination MAC address of the frame with an internal table that maps MAC addresses to port numbers, a table it learns from the source addresses of the frames it has seen.
Slide 4
ARP Spoofing When an Ethernet frame is constructed from an IP packet, the sender has no idea what the MAC address of the destination machine is. The only information available is the destination IP address. There must be a way for the Ethernet layer to find the MAC address of the destination machine given a destination IP. This is where ARP, the Address Resolution Protocol, comes in.
Slide 5
Address Resolution & Reverse Address Resolution (figure slides showing the ARP and RARP exchanges, not reproduced here)
Encapsulation of ARP (figure slide, not reproduced here: the ARP message travels as the payload of an Ethernet frame whose type field is 0x0806)
Slide 9
How ARP Works Get the IP address of the target. Create an ARP request message: fill in the sender's physical (MAC) address, fill in the sender's IP address, fill in the target IP address, and fill the target physical address with zeros (it is what we are asking for). The message is passed to the data link layer, where it is encapsulated in a frame. Source address: the physical address of the sender. Destination address: the broadcast address (ff:ff:ff:ff:ff:ff).
Slide 10
How ARP Works (cont) Every host or router on the LAN receives the frame. All stations pass it to ARP. All machines except the one targeted drop the packet. The target machine replies with an ARP message that contains its physical address, sent as a unicast frame straight back to the requester. The sender receives the reply and now knows the physical address of the target machine.
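The request/reply exchange above, as bytes on the wire. This is an added example, not code from the slides: it builds and parses Ethernet/ARP frames with the standard layout (EtherType 0x0806, hardware type 1, protocol type 0x0800, 6-byte MAC, 4-byte IP). The addresses are the ones in the slides' diagram, written as full six-octet MACs; the third frame in the demo is the spoofed reply used later in the slides, built with exactly the same function as an honest one.

```python
"""Build and parse ARP messages as they appear on the wire (Ethernet + ARP)."""
import struct

ETH_P_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Return a complete Ethernet frame carrying one ARP message.

    A request is broadcast and carries an all-zero target MAC; a reply is
    unicast to the requester.  The Ethernet source is always the sender's
    MAC, so a spoofed reply lies in the Ethernet header as well.
    """
    if dst_mac is None:
        dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth_header = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp_header = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp_body = (mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
                + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return eth_header + arp_header + arp_body      # 14 + 28 = 42 bytes


def arp_request(sender_mac, sender_ip, target_ip):
    return build_arp_frame(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    return build_arp_frame(ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip)


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame.  Trailing bytes are ignored, because a
    42-byte frame is padded to the 60-byte Ethernet minimum on the wire."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {
        "eth_dst": bytes_to_mac(eth_dst), "eth_src": bytes_to_mac(eth_src),
        "op": "request" if op == ARP_REQUEST else "reply" if op == ARP_REPLY else op,
        "sender_mac": bytes_to_mac(frame[22:28]), "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]), "target_ip": bytes_to_ip(frame[38:42]),
    }


if __name__ == "__main__":
    # A asks who has 10.0.0.2; B answers; the hacker sends the same kind of
    # reply with his own MAC in the sender hardware address field.
    req = arp_request("aa:aa:aa:aa:aa:aa", "10.0.0.1", "10.0.0.2")
    rep = arp_reply("bb:bb:bb:bb:bb:bb", "10.0.0.2", "aa:aa:aa:aa:aa:aa", "10.0.0.1")
    spoof = arp_reply("cc:cc:cc:cc:cc:cc", "10.0.0.2", "aa:aa:aa:aa:aa:aa", "10.0.0.1")
    for frame in (req, rep, spoof):
        print(parse_arp_frame(frame))
```

Nothing in the reply ties it to a request: the requester cannot tell the honest reply from the spoofed one except by the sender MAC it claims, which is the whole point of the attack that follows.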
Slide 11
How ARP Works (cont) (figure slides showing the request/reply exchange and the message layout, not reproduced here)
To avoid having to send an ARP request each time, a host caches IP addresses and the corresponding hardware addresses in its ARP table (ARP cache). Each entry in the ARP table is usually aged, so that it is erased if no activity occurs within a certain period. When a computer receives an ARP reply, it updates its ARP cache. ARP is a stateless protocol: most operating systems update their cache when a reply arrives regardless of whether they ever sent a request. (Implementations differ in detail: some will only overwrite an entry that already exists and refuse to create a new one from an unsolicited reply, but an existing entry is exactly what an attacker wants to overwrite.)
Slide 18
ARP Spoofing Construct spoofed ARP replies. A target computer can be convinced to send frames destined for computer A to computer B instead. Neither the target nor computer A will have any idea that this redirection took place. This process of updating a target computer's ARP cache with a false entry is referred to as ARP poisoning.
ARP Spoofing (figure) Three hosts on one switch: A (IP 10.0.0.1, MAC aa:aa:aa:aa), B (IP 10.0.0.2, MAC bb:bb:bb:bb) and the hacker (IP 10.0.0.3, MAC cc:cc:cc:cc). As A's cache is poisoned, its entry for 10.0.0.2 becomes cc:cc:cc:cc (the hacker's MAC), while B's cache still holds the correct entry 10.0.0.1 = aa:aa:aa:aa.
Slide 21
ARP Spoofing Now all the packets that A intends to send to B go to the hacker's machine. The cache entry would expire, so it has to be refreshed by sending the spoofed ARP reply again. How often depends on the particular system; usually every 40 s is sufficient. In addition the hacker may not want his own Ethernet driver to talk too much, since its genuine ARP traffic would advertise the real mapping for his address. On Unix this is accomplished with ifconfig -arp, which disables ARP on the interface.
Slide 22
ARP Spoofing Complication Some systems try to refresh or verify their cache entries by sending a unicast ARP request themselves, like your wife calling just to make sure you are there. Such a request can wreck the attack: a computer also caches the sender MAC address that appears in an ARP request it receives, so a request from B reaching A carries B's real MAC and overwrites the entry the hacker just faked.
Slide 23
ARP Spoofing Prevention is better than cure. It is accomplished by feeding the checking system with replies so that it never has to ask: the packets that would really go from B to A are sent by the hacker's machine on B's behalf, so B's cache stays fresh and B never broadcasts a request of its own. How often? Again every 40 s is usually OK.
Slide 24
ARP Spoofing (figure) The switch's own table can be poisoned the same way. The hacker sends a spoofed ARP reply (sender IP 1.2.3.4, sender MAC aa:aa:aa:aa) addressed to his own MAC cc:cc:cc:cc. The switch learns addresses from the source field of every frame, so it will then think that aa:aa:aa:aa is connected at the hacker's port, and frames for A are delivered there.
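The whole attack sequence from the preceding slides (poisoning A's cache, refreshing it before it expires, the complication that a request from the real B undoes the poisoning, the "prevention" of keeping B fed, and the switch-table trick of the figure above) in one simulation. This is an added example, not code from the slides. It runs on a logical clock in seconds; the 60 s cache TTL, the 40 s refresh interval and the switch port numbers are assumptions of the simulation (the refresh interval is the slides' figure, the rest is made up), and the cache model deliberately copies the stateless behaviour the slides describe.

```python
"""Simulation of the ARP poisoning attack on the three hosts in the slides."""

A_IP, A_MAC = "10.0.0.1", "aa:aa:aa:aa:aa:aa"
B_IP, B_MAC = "10.0.0.2", "bb:bb:bb:bb:bb:bb"
H_IP, H_MAC = "10.0.0.3", "cc:cc:cc:cc:cc:cc"


class ArpCache:
    """ARP cache of one host, modelled on the stateless behaviour in the
    slides: a reply updates the cache whether or not a request was sent,
    and the sender fields of a received request are cached as well."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = {}          # ip -> (mac, expiry time)
        self.requests_sent = []    # times at which this host had to broadcast a request

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now + self.ttl)

    def on_reply(self, sender_ip, sender_mac, now):
        self.learn(sender_ip, sender_mac, now)   # no check for a pending request

    def on_request(self, sender_ip, sender_mac, now):
        self.learn(sender_ip, sender_mac, now)   # a request leaks the real mapping

    def resolve(self, ip, now):
        """Cached MAC, or None after the entry aged out and a request went out."""
        entry = self.entries.get(ip)
        if entry is not None and entry[1] > now:
            return entry[0]
        self.entries.pop(ip, None)
        self.requests_sent.append(now)
        return None


class Switch:
    """Forwarding table learned from the source address of every frame."""

    def __init__(self):
        self.table = {}            # mac -> port

    def frame_from(self, src_mac, port):
        self.table[src_mac] = port

    def port_for(self, mac):
        return self.table.get(mac)


def run_attack(duration=300, refresh=40, ttl=60, feed_b=True):
    """Return (A's view of B's MAC per second, number of requests B sent).

    feed_b=True is the slides' "prevention": the hacker also keeps B's
    entry for A fresh so that B never broadcasts a request of its own.
    """
    a, b = ArpCache(ttl), ArpCache(ttl)
    a.learn(B_IP, B_MAC, 0)        # honest starting state
    b.learn(A_IP, A_MAC, 0)
    a_view = {}
    for now in range(duration):
        if now % refresh == 0:
            a.on_reply(B_IP, H_MAC, now)       # spoofed reply: "10.0.0.2 is at cc:cc:..."
            if feed_b:
                b.on_reply(A_IP, A_MAC, now)   # keep B quiet
        if b.resolve(A_IP, now) is None:
            # B's entry aged out: B broadcasts "who has 10.0.0.1?", which
            # carries B's real MAC, and A caches that sender mapping.
            a.on_request(B_IP, B_MAC, now)
            b.on_reply(A_IP, A_MAC, now)       # A answers honestly
        a_view[now] = a.resolve(B_IP, now)
    return a_view, len(b.requests_sent)


def poison_switch():
    """The switch figure: a frame with a forged source MAC moves that MAC
    to the hacker's port in the switch's table."""
    sw = Switch()
    sw.frame_from(A_MAC, 1)
    sw.frame_from(B_MAC, 2)
    sw.frame_from(H_MAC, 3)
    sw.frame_from(A_MAC, 3)        # hacker sends a frame with source aa:aa:... on port 3
    return sw.port_for(A_MAC)


if __name__ == "__main__":
    for feed in (False, True):
        view, asks = run_attack(duration=200, feed_b=feed)
        poisoned = sum(1 for mac in view.values() if mac == H_MAC)
        print(f"feed_b={feed}: A saw B at the hacker's MAC for {poisoned}/200 s, B asked {asks} times")
    print("switch now believes aa:aa:... is on port", poison_switch())
```

Without feeding B, A's entry flips back to the real MAC every time B's own entry ages out and B asks; with the 40 s feed the 60 s entry never expires, B never asks, and A stays poisoned for the whole run.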
Slide 25
Port Scanning Attackers wish to discover services they can break into. For a security audit the question is the same from the other side: why are certain ports open? A scan sends a packet to each port, one at a time. Based on the type of response, the scanner knows whether the port is in use. The ports found in use can then be probed further for weaknesses.
Slide 26
Port Scanning Port numbers are an abstraction provided by the OS and the network standards. They are part of the UDP and TCP headers. UDP and TCP port numbers are disjoint name spaces, but it is typical to register the same number for a service's UDP and TCP variants, e.g. 80/TCP and 80/UDP for www. A port number is a 16-bit unsigned integer: Well Known Ports (0..1023), Registered Ports (1024..49151), Dynamic and/or Private Ports (49152..65535).
Slide 27
Sockets
Socket calls for connection-oriented communication (figure slide, not reproduced here)
Socket calls for connectionless communication. Server: socket(), bind(), recvfrom() (blocks until data arrives from the client), sendto(), close(). Client: socket(), bind(), sendto(), recvfrom(), close().
Slide 30
Well Known Ports On Unix-like systems only root-privileged programs are allowed to bind these ports. Examples: ftp-data 20/tcp, ftp 21/tcp, ssh 22/tcp, telnet 23/tcp, time 37/tcp, time 37/udp, whois 43/tcp, imap 143/tcp.
Slide 31
Registered Ports Ordinary programs/users can use these. Examples: shockwave2 1257/tcp and 1257/udp (Shockwave 2), x11 6000-6063/tcp and 6000-6063/udp (X Window System).
Slide 32
Dynamic/Private Ports Ordinary programs can use these; it is also the range IANA sets aside for the ephemeral source ports the OS picks for outgoing connections.
Slide 33
State of a Port Open: a service process is listening at the port. The OS accepts packets arriving at this port and hands the messages to the service process. If the OS receives a SYN at an open port, it treats it as the first packet of the three-way handshake and answers with SYN/ACK. Closed: no process is listening at the port. If the OS receives a SYN at a closed port, an RST is sent. Filtered: a packet filter (firewall) between the scanner and the port drops the probe, so no answer comes back at all and the scanner cannot tell whether anything listens.
Slide 34
TCP connect() scanning Try connect()-ing to every port. If the port is listening, connect() succeeds; otherwise it fails with connection refused (the target sent an RST) or times out (filtered). No special privileges are needed: any user can do it. Speed: slow, since a full handshake is completed per port. The scanner is easily identified, because the service sees (and may log) a connection that sends no data.
Slide 35
TCP SYN scanning Often referred to as half-open scanning. Send a SYN packet and wait for a response. A SYN/ACK indicates the port is listening; an RST indicates it is closed. If a SYN/ACK is received, send an RST to tear the connection down immediately, so the handshake never completes and the service never sees it. Most sites do not log these. Root privileges are needed to build raw SYN packets.
Slide 36
TCP FIN scanning Send a FIN packet without a preceding SYN. FIN packets may pass through firewalls that only watch for SYNs. Closed ports reply with an RST; open ports ignore the stray FIN. Some hosts violate the RFC and reply with an RST regardless of the port state (Windows is the usual example), and are therefore not vulnerable to this scan; silence from a compliant host means either open or filtered.
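The three TCP techniques above, as working code. This is an added example, not code from the slides: classify() implements the decision tables for SYN and FIN scans on raw TCP header bytes (None standing for "no reply"), so the probe responses are constructed in memory with make_tcp_header(); connect_scan() is the unprivileged connect() scan and really connects to the host you name. demo_on_loopback() sets up one listening and one closed port on 127.0.0.1 for a self-test; those ports are constructed for the demo.

```python
"""What each kind of reply tells a TCP port scanner, plus a connect() scan."""
import errno
import socket
import struct
from typing import Optional

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def make_tcp_header(src_port, dst_port, flags, seq=0, ack=0) -> bytes:
    """Constructed 20-byte TCP header (checksum left as 0), used as sample input."""
    data_offset_and_flags = (5 << 12) | flags    # 5 x 32-bit words, no options
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       data_offset_and_flags, 65535, 0, 0)


def tcp_flags(tcp_header: bytes) -> int:
    """The flag bits are the low 9 bits of the 16-bit word at offset 12."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack("!H", tcp_header[12:14])[0] & 0x1FF


def classify(scan_type: str, reply: Optional[bytes]) -> str:
    """Port state inferred from (probe type, reply).

    syn: SYN/ACK -> open, RST -> closed, silence -> filtered
    fin: RST -> closed, silence -> open or filtered (cannot be told apart);
         a host that answers RST for every port defeats the FIN scan.
    """
    if scan_type not in ("syn", "fin"):
        raise ValueError("scan_type must be 'syn' or 'fin'")
    if reply is None:
        return "filtered" if scan_type == "syn" else "open|filtered"
    flags = tcp_flags(reply)
    if flags & RST:
        return "closed"
    if scan_type == "syn" and (flags & SYN) and (flags & ACK):
        return "open"
    return "unexpected"


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Full three-way handshake per port; needs no privileges, but the
    service sees a connection with no data and may log it."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                err = s.connect_ex((host, port))
            except socket.timeout:
                err = errno.ETIMEDOUT
        if err == 0:
            results[port] = "open"
        elif err == errno.ECONNREFUSED:
            results[port] = "closed"        # the target answered with RST
        else:
            results[port] = "filtered"      # timeout or unreachable: the SYN was dropped
    return results


def demo_on_loopback():
    """Constructed test bed: a listening socket plays an open port and a port
    that was bound and released plays a closed one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        result = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return result[open_port], result[closed_port]


if __name__ == "__main__":
    print("SYN scan, SYN/ACK reply :", classify("syn", make_tcp_header(80, 40000, SYN | ACK)))
    print("SYN scan, RST reply     :", classify("syn", make_tcp_header(81, 40000, RST | ACK)))
    print("FIN scan, no reply      :", classify("fin", None))
    print("connect() scan on loopback (open, closed):", demo_on_loopback())
```

Note that the listener in the demo never calls accept(), yet the port reads as open: the kernel completes the handshake on its own, which is also why a connect() scan leaves a visible, loggable connection on the target.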
Slide 37
TCP reverse identd scanning The identd protocol (RFC 1413) discloses the username of the owner of any process connected via TCP, even if that process did not initiate the connection. Example: connect to the http port (80), then ask identd which user owns the server side of that connection, to find out whether the server is running as root. This requires a full TCP connection to the port.
Slide 38
Fragmentation scanning Not a new scanning method in and of itself, but a modification of the other techniques. Split the probe packet into IP fragments. By spreading the TCP header over several fragments, it is harder for packet filters that inspect only the first fragment to detect a probe.
Slide 39
FTP Bounce Scan A port scanner can exploit proxy FTP to scan TCP ports from an FTP server. Connect to an FTP server behind a firewall, and use it to scan ports that are more likely to be blocked from the outside. If the FTP server allows reading from and writing to a directory (such as /incoming), you can also send arbitrary data to the ports you find open.
Slide 40
FTP Bounce Scan It takes advantage of a weakness in the FTP protocol and requires the server to support proxy FTP connections. For example, evil.com establishes a control connection to the server-PI (protocol interpreter) of target.com. It can then ask the server-PI to have the server-DTP (data transfer process) open an active data connection and send a file anywhere on the Internet.
Slide 41
FTP Bounce Scan Use the PORT command of FTP to declare that our (supposedly passive) user-DTP is listening on the target box at a certain port number. Then LIST the current directory; the result is sent over the server-DTP data connection. If the target host is listening on that port, the transfer succeeds (150/226 replies). Otherwise the connection is refused (425 Can't build data connection). Then issue another PORT command to try the next port on the target.
Slide 42
FTP Bounce Scan Advantages: harder to trace, since the probes come from the FTP server; potential to bypass firewalls. Disadvantages: slow, and many FTP servers have (finally) disabled the proxy feature or refuse PORT addresses that differ from the control connection's.
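The PORT/LIST exchange of the bounce scan, driven through an injectable command channel. This is an added example, not code from the slides. scan_via_ftp_bounce() issues the commands the slides describe; the send_command callable is an assumption of this example so that the logic can be exercised offline against FakeBounceServer, a constructed stand-in for a server-PI with proxy FTP enabled (a real run would wrap a line-based control connection to an FTP server that still allows it). The reply codes are the RFC 959 ones.

```python
"""FTP bounce scan logic with a constructed FTP server-PI for offline use."""
import re
from typing import Callable


def port_command(ip: str, port: int) -> str:
    """PORT h1,h2,h3,h4,p1,p2 (RFC 959): the target's IP and port, high byte first."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def parse_port_command(cmd: str):
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", cmd.strip())
    if not m:
        raise ValueError("malformed PORT")
    h = list(map(int, m.groups()))
    return ".".join(map(str, h[:4])), (h[4] << 8) | h[5]


def state_from_list_reply(reply: str) -> str:
    """150/125 (transfer starting) or 226/250 (done) mean the server opened
    the data connection to the target: the port is open.  425 means the
    connection was refused: closed."""
    code = reply[:3]
    if code in ("150", "125", "226", "250"):
        return "open"
    if code == "425":
        return "closed"
    return "unknown"


def scan_via_ftp_bounce(send_command: Callable[[str], str], target_ip: str, ports):
    """For each port: PORT <target>, then LIST.  The server's attempt to
    open the data connection does the probing; its reply reveals the result."""
    results = {}
    for port in ports:
        if not send_command(port_command(target_ip, port)).startswith("200"):
            results[port] = "server refused PORT (proxy disabled)"
            continue
        results[port] = state_from_list_reply(send_command("LIST"))
    return results


class FakeBounceServer:
    """Constructed stand-in for an FTP server-PI with proxy FTP enabled: the
    target's open ports are given up front instead of really connecting."""

    def __init__(self, open_ports, allow_proxy=True):
        self.open_ports, self.allow_proxy = set(open_ports), allow_proxy
        self.data_target = None
        self.log = []                      # every command the "scanner" sent

    def __call__(self, cmd: str) -> str:
        self.log.append(cmd)
        if cmd.startswith("PORT"):
            if not self.allow_proxy:
                return "500 Illegal PORT command"
            self.data_target = parse_port_command(cmd)
            return "200 PORT command successful"
        if cmd == "LIST":
            _, port = self.data_target
            if port in self.open_ports:
                return "150 Opening ASCII mode data connection for file list"
            return "425 Can't build data connection: Connection refused"
        return "502 Command not implemented"


if __name__ == "__main__":
    server = FakeBounceServer(open_ports={22, 80})
    print(scan_via_ftp_bounce(server, "10.0.0.5", [22, 23, 80]))
    print(server.log)
```

Everything the target sees comes from the FTP server's address, which is the "harder to trace" advantage; the server's log, on the other hand, records every PORT command with the target address in it.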
Slide 43
UDP Scans UDP is simpler, but scanning it is more difficult. Open ports do not have to answer at all, and closed ports are not required to send an error packet. Most hosts do send an ICMP port unreachable error when you send a datagram to a closed UDP port, so you can find out that a port is NOT open; silence means open or filtered.
Slide 44
UDP Scans Neither the UDP datagrams nor the ICMP errors are guaranteed to arrive. It is slow, because hosts rate-limit ICMP error messages. Root is needed to read the ICMP errors from a raw ICMP socket; non-root users cannot read port unreachable errors directly.
Slide 45
UDP Scans But users can learn it indirectly. For example, a second write() to a closed port will usually fail. recvfrom() on a non-blocking UDP socket usually returns EAGAIN (try again) if the ICMP error has not been received yet, and ECONNREFUSED (connection refused) once the ICMP error has been received.
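The indirect, unprivileged detection just described, as runnable code. This is an added example, not code from the slides. It uses a connected UDP socket: when the ICMP port unreachable for a datagram sent from that socket arrives, the kernel records the error on the socket and the next recv() (or send()) fails with ECONNREFUSED; a timeout cannot separate "open" from "filtered". demo_on_loopback() constructs three ports on 127.0.0.1 for a self-test (an echoing service, a bound-but-silent port, and a closed port); the echo service and the 0.5 s timeout are assumptions of the demo.

```python
"""UDP port probing without raw sockets, using the ICMP error delivered to a
connected UDP socket."""
import socket
import threading


def udp_probe(host: str, port: int, timeout: float = 1.0, payload: bytes = b"\x00") -> str:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))          # connected, so ICMP errors are matched to this socket
        try:
            s.send(payload)
            s.recv(1024)                 # a datagram came back: a service answered
            return "open"
        except ConnectionRefusedError:   # ICMP port unreachable was received
            return "closed"
        except socket.timeout:           # no datagram and no ICMP error within the timeout
            return "open|filtered"


def udp_scan(host: str, ports, timeout: float = 1.0) -> dict:
    return {port: udp_probe(host, port, timeout) for port in ports}


def _echo_once(sock: socket.socket) -> None:
    """Minimal UDP service for the demo: answer one datagram, then stop."""
    data, peer = sock.recvfrom(1024)
    sock.sendto(data, peer)


def demo_on_loopback() -> tuple:
    """Probe results for (echoing port, silent bound port, closed port)."""
    echo = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    echo.bind(("127.0.0.1", 0))
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))        # bound, so no ICMP error, but nobody answers
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # nobody listens here any more
    threading.Thread(target=_echo_once, args=(echo,), daemon=True).start()
    ports = [echo.getsockname()[1], silent.getsockname()[1], closed_port]
    try:
        return tuple(udp_scan("127.0.0.1", ports, timeout=0.5).values())
    finally:
        echo.close()
        silent.close()


if __name__ == "__main__":
    print("echo / silent / closed ->", demo_on_loopback())
```

Against a remote host the "closed" verdict also depends on the ICMP error getting back through any filter in between and on the target's ICMP rate limit, which is why a real UDP scan retries and paces its probes.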
Slide 46
Stealth Scan Simple port scanning is easily logged by the services listening at the ports. E.g. they see an incoming connection with no data, so they log an error. Stealth scan refers to scanning techniques that avoid being logged in this way. These techniques include fragmented packets, SYN scanning, FIN scanning etc.
Slide 47
Stealth Scan Scan slowly A port scanner typically scans a host too rapidly, and some detectors recognize that signature. So scanning very slowly (e.g., over several days) is a stealth technique. Firing packets with fake IPs: flood the target with spoofed scans and embed a single scan from the real source (network) address among them.
Slide 48
Signatures of a port scan Several packets to different destination ports from the same source within a short period of time. A SYN to a port on which nothing is listening.
Slide 49
Detection of Port Scanning Open a socket in SOCK_RAW mode with protocol type IPPROTO_IP and use recvfrom() to capture the packets. Discovering stealth scans requires kernel-level work. A detector can inform us that we have been port-scanned, but the source address may have been spoofed.
Slide 50
Scanner Leaks If the packets we received have an IP TTL of 255, we can conclude that they were sent from our local network, regardless of what the source address field says. If the TTL is 250, we can only tell that the attacker was no more than 5 hops away.
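The two signatures and the TTL reasoning from the last three slides, applied to a capture. This is an added example, not code from the slides. Each packet is a constructed tuple (time, src_ip, dst_port, tcp_flags, ttl) of the kind a SOCK_RAW capture loop would yield after decoding the IP and TCP headers; the 5 s window, the threshold of 10 ports and the set of listening ports are assumptions to tune for a real host, and sample_capture() is made-up traffic (a normal client, a fast local scanner, and a slow remote scanner that paces itself to beat the window). likely_hops_from_ttl() goes beyond the slide's bound by assuming one of the usual initial TTLs (64 on Linux/BSD, 128 on Windows, 255 on much network gear).

```python
"""Port-scan signature detection over decoded packet summaries, plus the
TTL hop bound of the "Scanner Leaks" slide."""
from collections import defaultdict, deque

SYN, RST, ACK = 0x02, 0x04, 0x10


def max_hops_from_ttl(ttl: int) -> int:
    """The TTL starts at 255 at most and every router decrements it, so the
    sender is at most 255 - ttl hops away whatever the source field says;
    a TTL of 255 can only have come from our own segment."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL out of range")
    return 255 - ttl


def likely_hops_from_ttl(ttl: int, initial_ttls=(64, 128, 255)) -> int:
    """Narrower estimate assuming the sender used one of the common initial TTLs."""
    return min(initial - ttl for initial in initial_ttls if initial >= ttl)


def detect_port_scans(packets, listening_ports, window=5.0, threshold=10):
    """Alerts for the two signatures in the slides: a SYN to a port nothing
    listens on, and >= threshold distinct destination ports from one source
    inside `window` seconds.  A source that spreads its probes over hours
    stays below the threshold, which is the "scan slowly" evasion."""
    recent = defaultdict(deque)         # src -> (time, dst_port) within the window
    alerts, already_flagged = [], set()
    for t, src, dport, flags, ttl in sorted(packets):
        if (flags & SYN) and not (flags & ACK) and dport not in listening_ports:
            alerts.append(("syn-to-closed-port", src, dport, t))
        q = recent[src]
        q.append((t, dport))
        while q and q[0][0] < t - window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and src not in already_flagged:
            already_flagged.add(src)
            alerts.append(("port-sweep", src, len(distinct), t))
    return alerts


def sample_capture():
    """Constructed traffic: a normal client, a fast scanner on the local
    segment, and a slow remote scanner probing one port per minute."""
    packets = [(1.0, "10.0.0.1", 80, SYN, 64), (1.1, "10.0.0.1", 22, SYN, 64)]
    packets += [(2.0 + i * 0.1, "10.0.0.3", 20 + i, SYN, 64) for i in range(21)]
    packets += [(10.0 + i * 60.0, "198.51.100.7", 8000 + i, SYN, 113) for i in range(10)]
    return packets


if __name__ == "__main__":
    for alert in detect_port_scans(sample_capture(), listening_ports={22, 80}):
        print(alert)
    for ttl in (255, 250, 113, 58):
        print(f"TTL {ttl}: at most {max_hops_from_ttl(ttl)} hops, likely {likely_hops_from_ttl(ttl)}")
```

The slow scanner never trips the sweep threshold, but every one of its SYNs to a non-listening port still produces an alert, so the per-packet signature is what catches it; and as the slide warns, the src field in any of these alerts may be spoofed, with the TTL the only hint that survives spoofing.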
Slide 51
Wireshark - Network Protocol Analyzer Software (or hardware) that intercepts and logs traffic passing over the network. It captures packets and decodes and analyzes their contents. A network analyzer is used for troubleshooting problems on the network, analyzing the performance of a network to discover bottlenecks, network intrusion detection, and analyzing the operation of applications.
Slide 52
About Wireshark It is a packet sniffer. A computer application whose functionality is very similar to tcpdump, with a GUI front-end and many more options for sorting and filtering information. eWeek Labs named Wireshark one of "The Most Important Open-Source Apps of All Time" as of May 2, 2007.
Slide 53
Graphical Interpretation (figure slide, not reproduced here)
Slide 54
Stream Analysis (RTP streams) Select the problematic stream, click the Find Reverse button, then click Analyze for a packet-by-packet look at the stream. Lost packets show up as having the wrong sequence number. The analysis also displays the current bandwidth, latency (delay) and jitter.
Slide 55
What Wireshark Can't Do It cannot be used to map out a network: it does not generate network data, it is a passive tool. It only shows detailed information about protocols it understands. It can only capture data to the extent that the OS, the interface and the interface driver support it; capturing over wireless networks is the usual example.
Slide 56
Conclusion Wireshark's wireless analysis features have grown into a very powerful tool for troubleshooting and analyzing wireless networks. With Wireshark's display filters and powerful protocol dissectors you can sift through large quantities of wireless traffic. Without a doubt, Wireshark is a powerful assessment and analysis tool for wireless networks that should be part of every auditor's, engineer's and consultant's toolkit.