Beruflich Dokumente
Kultur Dokumente
The scenario
Server
Attacker
Client
- STP mangling
- traffic tunneling
- route mangling
The scenario
Gratuitous ARP (forged)
Server
Client
Attacker
(http://ettercap.sf.net)
Poisoning
Sniffing
Hijacking
Filtering
SSH v.1 sniffing (transparent attack)
dsniff (http://www.monkey.org/~dugsong/dsniff)
Poisoning
Sniffing
SSH v.1 sniffing (proxy attack)
HOST
serverX.localdomain.in
DNS
10.1.1.1
10.1.1.50
Phantom plugin
dsniff (http://www.monkey.org/~dugsong/dsniff)
Dnsspoof
zodiac (http://www.packetfactory.com/Projects/zodiac)
10
11
12
13
14
15
Layer 2 switch
Attacker
16
17
18
Attack techniques
From local to remote
19
20
21
G1
AT
ICMP redirect to AT
LAN
22
23
24
25
IRPAS by Phenoelit
(http://www.phenoelit.de/irpas/)
26
27
INTERNET
GW
AT
H
The attacker can forge packets for the gateway (GW)
pretending to be a router with a good metric for a
specified host on the internet
28
AT2
INTERNET
Tunnel
GW
AT
H
29
IRPAS (Phenoelit)
(http://www.phenoelit.de/irpas/)
Nemesis
(http://www.packetfactory.net/Projects/nemesis/)
30
31
Attacks techniques
Remote scenarios
32
33
34
Zodiac
(http://www.packetfactory.com/Projects/zodiac)
35
36
Server
Router 1
Tunnel GRE
INTERNET
Client
Fake host
Attacker
Gateway
37
ettercap (http://ettercap.sf.net)
Zaratan plugin
tunnelX
(http://www.phrack.com)
38
39
Traceroute
port scanning
protoscanning
40
R1
R2
The attacker pretends to be the GW
IIT Kanpur Hackers Workshop 2004
23, 24 Feb 2004
41
R1
R3
R2
42
BGP
BG 1
AS 2
BG 2
BG 3
AS 3
RIP
43
44
45
Conclusions
The security of a connection relies on:
Proper configuration of the client (avoiding ICMP Redirect,
ARP Poisoning etc.)
the other endpoint infrastructure (e.g.. DNS dynamic
update),
the strength of a third party appliances on which we dont
have access (e.g.. Tunneling and Route Mangling).
The best way to ensure secure communication is the correct
and conscious use of cryptographic systems
both client and server side
at the network layer (i.e.. IPSec)
at transport layer (i.e.. SSLv3)
at application layer (i.e.. PGP).
IIT Kanpur Hackers Workshop 2004
23, 24 Feb 2004
46
47
Injection attacks
Add packets to an already established connection (only
possible in full-duplex mitm)
The attacker can modify the sequence numbers and
keep the connection synchronized while injecting
packets.
If the mitm attack is a proxy attack it is even easier to
inject (there are two distinct connections)
48
49
50
Server
KEY(rsa)
S-KEY
Ekey[S-Key]
Eskey(M)
MITM
S-KEY
Client
KEY(rsa)
Ekey[S-Key]
S-KEY
D(E(M))
D(E(M))
51
Client
Diffie-Hellman
exchange 2
Authenticated by
pre-shared secret
mitm
De-Crypt
Packet
Server
Re-Crypt
Packet
52
Fake cert.
MiM
Real
Connection
to the server
Server
53
Filtering attacks
The attacker can modify the payload of the
packets by recalculating the checksum
He/she can create filters on the fly
The length of the payload can also be changed
but only in full-duplex (in this case the seq has to
be adjusted)
IIT Kanpur Hackers Workshop 2004
23, 24 Feb 2004
54
55
Client
Auto-submitting hidden
form with right
authentication data
MiM
login
password
Server
56
57
58
59
60
Server
req | auth | chap
MITM
Client
req | auth | fake
61
62