
TYPE OF ATTACKS

OUTLINE

Social Engineering
Network Attack
SOCIAL ENGINEERING
A Quote from Kevin Mitnick

"You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation."
Types of Attacks

Phishing
Impersonation on help desk calls
Physical access (such as tailgating)
Shoulder surfing
Dumpster diving
Stealing important documents
Phishing

Use of deceptive mass mailing
Can target specific entities (spear phishing)
Impersonation on help desk calls

Calling the help desk pretending to be someone else, usually an employee or someone with authority
Prevention:
Assign PINs for calling the help desk
Don't do anything on someone's say-so until their identity has been verified
Stick to the scope of the help desk
Physical access

Tailgating: following an authorized person through a controlled door
Ultimately obtains unauthorized building access
Prevention:
Require badges
Employee training
Security officers
No exceptions!
Shoulder surfing

Someone can watch the keys you press when entering your password
Probably less common
Prevention:
Be aware of who's around when entering your password
Dumpster diving

Looking through the trash for sensitive information
Doesn't have to be dumpsters: any trashcan will do
Prevention:
Make secure document destruction easy (shredders where the paper is discarded)
Lock dumpsters
Erase or physically destroy magnetic media before disposal
Stealing important documents

Can take documents off someone's desk
Prevention:
Lock your office
If you don't have an office: lock your files securely
Don't leave important information in the open
Attack Model
NETWORK ATTACKS
Data link layer: ARP poisoning, MAC flooding
Network layer: attacks against IP
Transport layer: attacks against TCP and UDP
Application layer: cookie protocol problems, session hijacking
DATALINK ATTACK
ARP CACHE POISONING

There is no way to authenticate the IP-to-MAC address mapping in an ARP reply.
If computer A has sent an ARP request and gets an ARP reply, the ARP protocol has no means of checking whether the IP-to-MAC mapping in the reply is correct.
Even if a host did not send an ARP request and receives an ARP reply, it still trusts the information in the reply and updates its ARP cache.
An attacker can craft a valid-looking ARP reply in which any IP is mapped to any MAC address of the attacker's choice and send this message to the whole network.
How ARP Works

[Figure: the ARP request is broadcast to all hosts in the LAN. 10.0.0.1 (00:00:00:00:00:01) asks "Who has IP 10.0.0.2? Tell your MAC address"; 10.0.0.2 (00:00:00:00:00:02) and 10.0.0.3 (00:00:00:00:00:03) both receive it.]

[Figure: unicast reply from the concerned host. 10.0.0.2 answers "I have IP 10.0.0.2, my MAC is 00:00:00:00:00:02".]

ARP Cache Stores IP-MAC Pairs

ARP cache of 10.0.0.1 after the exchange (updated):

IP        MAC                TYPE
10.0.0.2  00:00:00:00:00:02  dynamic

IIT Indore Neminath Hubballi
Why is ARP Vulnerable?

ARP is a stateless protocol
Hosts cache all ARP replies sent to them even if they had not sent an explicit ARP request for it
No mechanism to authenticate their peer

Known Attacks Against ARP

ARP Spoofing
Man-in-the-Middle Attack
Denial-of-Service Attack
MAC Flooding (on switch)
DoS by spurious ARP packets

ARP Spoofing Attack

Attacker sends forged ARP packets to the victim

[Figure: the attacker 10.0.0.2 (00:00:00:00:00:02) sends the victim 10.0.0.1 (00:00:00:00:00:01) an unsolicited ARP reply "I have IP 10.0.0.3, my MAC is 00:00:00:00:00:02". The target is 10.0.0.3 (00:00:00:00:00:03).]

Victim's ARP cache after the forged reply:

IP        MAC                TYPE
10.0.0.3  00:00:00:00:00:02  dynamic
Spoofing Results in Redirection of Traffic

[Figure: packets from 10.0.0.1 (00:00:00:00:00:01) addressed to 10.0.0.3 are now delivered to the attacker 10.0.0.2 (00:00:00:00:00:02) instead of to 10.0.0.3 (00:00:00:00:00:03).]


Man-in-the-Middle Attack Allows Third Party to Read Private Data

[Figure: the attacker (MAC 00:00:00:00:00:01) has poisoned both hosts. The ARP cache of 10.0.0.2 (00:00:00:00:00:02) maps 10.0.0.3 to 00:00:00:00:00:01 (dynamic) and the ARP cache of 10.0.0.3 (00:00:00:00:00:03) maps 10.0.0.2 to 00:00:00:00:00:01 (dynamic), so all traffic between 10.0.0.2 and 10.0.0.3 passes through the attacker, who reads it and forwards it on.]
Denial of Service Stops Legitimate Communication

A malicious entry with a non-existent MAC address can lead to a DoS attack

[Figure: the attacker 10.0.0.2 (00:00:00:00:00:02) sends the victim 10.0.0.1 (00:00:00:00:00:01) a forged ARP reply "I have IP 10.0.0.3, my MAC is XX:XX:XX:XX:XX:XX". The target is 10.0.0.3 (00:00:00:00:00:03).]

Victim's ARP cache after the forged reply:

IP        MAC                TYPE
10.0.0.3  XX:XX:XX:XX:XX:XX  dynamic

The victim is unable to reach the IP for which the forged packet was sent by the attacker:

[Figure: on the victim 10.0.0.1, "PING 10.0.0.3" reports "Request timed out." while its cache still holds 10.0.0.3 -> XX:XX:XX:XX:XX:XX (dynamic).]
MAC Flooding Degrades Network Performance

The attacker bombards the switch with numerous frames carrying forged source MAC addresses (commonly bogus ARP packets) at an extremely rapid rate, such that its CAM table overflows. Once the table is full, many switches fall back to hub-like behaviour and flood frames out of every port, so besides degrading performance the attack lets the attacker sniff traffic the switch would otherwise have delivered only to its destination port.

[Figure: the attacker 10.0.0.1 (00:00:00:00:00:01) fills the switch's PORT/MAC table with entries such as port 1 -> 00:00:01:01:01:01, port 2 -> 00:00:02:02:02:02, ...]
DoS by Spurious ARP Packets

The attacker sends numerous spurious ARP packets at the victim, such that it stays busy processing these packets.
This keeps the victim busy and might lead to denial of service.

[Figure: the attacker floods the victim 10.0.0.1 (00:00:00:00:00:01) with spurious ARP packets; the victim is shown "busy processing".]
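The following is an added example, not code from the original slides: it builds raw ARP packets with Python's struct module, replays the slides' scenario (10.0.0.1 victim, 10.0.0.2 attacker, 10.0.0.3 target) against a cache that trusts every reply the way the slides describe, and runs the same packets through a small detector that flags an IP whose MAC changes, which is the check arpwatch-style tools perform. The addresses and packets are constructed for the example; nothing is sent on a real network.

```python
"""Added example: craft/parse ARP, show naive cache poisoning, detect the flip."""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """28-byte Ethernet/IPv4 ARP body (RFC 826): htype=1, ptype=0x0800, hlen=6, plen=4."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac_bytes(sender_mac)
            + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip))


def parse_arp(pkt: bytes) -> dict:
    if len(pkt) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": fmt_mac(pkt[8:14]), "sender_ip": fmt_ip(pkt[14:18]),
            "target_mac": fmt_mac(pkt[18:24]), "target_ip": fmt_ip(pkt[24:28])}


class NaiveArpCache:
    """The behaviour the slides describe: every reply is trusted, solicited or
    not, so a forged reply simply overwrites the existing entry."""
    def __init__(self):
        self.table = {}

    def process(self, pkt: bytes) -> dict:
        arp = parse_arp(pkt)
        if arp["op"] == ARP_REPLY:
            self.table[arp["sender_ip"]] = arp["sender_mac"]
        return arp


class ArpWatcher:
    """Detection side: remember the first MAC seen for each IP and report any
    reply that claims a different one (a 'flip-flop' in arpwatch's terms)."""
    def __init__(self):
        self.seen = {}
        self.alerts = []

    def observe(self, pkt: bytes) -> None:
        arp = parse_arp(pkt)
        if arp["op"] != ARP_REPLY:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        old = self.seen.setdefault(ip, mac)
        if old != mac:
            self.alerts.append(f"{ip} changed from {old} to {mac}")


def run_scenario():
    """Replays the slides' LAN. Returns (victim's cache, watcher alerts)."""
    victim, attacker, target = "10.0.0.1", "10.0.0.2", "10.0.0.3"
    m1, m2, m3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    cache, watcher = NaiveArpCache(), ArpWatcher()
    # Legitimate exchange: the victim asks for 10.0.0.3, which answers truthfully.
    legit = [build_arp(ARP_REQUEST, m1, victim, "00:00:00:00:00:00", target),
             build_arp(ARP_REPLY, m3, target, m1, victim)]
    # Poisoning: an unsolicited reply binding 10.0.0.3 to the attacker's MAC.
    forged = build_arp(ARP_REPLY, m2, target, m1, victim)
    for pkt in legit + [forged]:
        cache.process(pkt)
        watcher.observe(pkt)
    return cache.table, watcher.alerts


if __name__ == "__main__":
    table, alerts = run_scenario()
    print("victim cache:", table)
    print("alerts:", alerts)
```

The watcher is deliberately simple: a first-seen baseline plus change alerts. In production you would also whitelist known DHCP churn and use static ARP entries or Dynamic ARP Inspection on the switch, which drops replies that do not match the DHCP snooping binding table.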
LABS TIME
Objectives

Scan, detect, protect and attack computers on LANs

What you need:

PC with Windows Server 2012 as host machine
Windows Server 2008 running on a virtual machine as target machine
Installed version of the WinPcap driver
Double-click WinArpAttacker.exe

What to do

1. Launch the Windows Server 2008 virtual machine.
2. Launch WinArpAttacker on the host machine.
3. Click the Scan option from the toolbar menu and select Scan LAN. This scans for the active hosts on the LAN.
4. Select a victim host (the Windows Server 2008 VM) from the displayed list. Select Attack -> Flood. The spoofing attacks make the host machine act as another gateway or IP forwarder, unnoticed by the other users on the LAN, by poisoning their ARP tables.
5. All data sniffed by spoofing and forwarded by WinArpAttacker's IP-forward function is counted, as shown in the main interface. The BanGateway option tells the gateway a wrong MAC address for the target computer, so the target can't receive packets from the internet.
6. Click Save to save the report.

QUESTION

Analyze and document the scanned and attacked IP addresses.
NETWORK LAYER
IP does not have an authentication mechanism.
A packet simply claims to have originated from a given address, and there is no way to be sure that the host that sent the packet is telling the truth.
Authentication must be provided by a higher layer (or by an extension such as IPsec).

IP Spoofing

One host claims to have the IP address of another.

IP Session Hijacking

An attack whereby a user's session is taken over and brought under the control of an attacker.
TRANSPORT LAYER
TCP ATTACK
TCP SYN or TCP ACK flood attack
TCP sequence number attack
TCP/IP hijacking
UDP attack
ICMP attack
Smurf attack
ICMP tunneling

TCP SYN flood

The attacker sends a stream of SYN segments, usually from spoofed source addresses, and never completes the three-way handshake, so the server's queue of half-open connections fills up and legitimate clients cannot connect.

TCP sequence number attack

Every TCP segment carries a sequence number, and the receiver accepts only segments whose numbers fall within its current window. An attacker who can observe or guess the sequence numbers in use can inject segments that look like part of the original session and so hijack or disrupt it. With a correctly guessed sequence number the attacker can place himself between the client and the server, taking over the connection and the data from the legitimate system. This is why modern TCP stacks randomize their initial sequence numbers.
TCP Hijacking

Also called active sniffing: the attacker gains access to a host in the network and logically disconnects it from the network (for example with the ARP denial of service above), then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system.
ICMP Attacks

Ping, for instance, uses the ICMP protocol. sPing is a good example of this type of attack: it overloads the server with more bytes than it can handle, using oversized packets sent at a high rate (a ping flood).
SMURF ATTACK

This attack uses IP spoofing and broadcasting to send a ping to a group of hosts on a network. When a host is pinged it sends back an ICMP message indicating its status to the originator. If the echo request is sent to a network's broadcast address with the victim's address spoofed as the source, every host answers back to the victim. The result is an overload of the network and of the target system; the amplification factor is the number of hosts that respond.
Prevention: configure routers not to forward directed broadcasts (on Cisco IOS, "no ip directed-broadcast", which is the default on modern releases), configure hosts to ignore echo requests sent to broadcast addresses (on Linux, net.ipv4.icmp_echo_ignore_broadcasts=1), and apply egress filtering so packets with spoofed source addresses cannot leave your network. Prohibiting all ICMP on the router also stops the attack but is a blunter instrument: it breaks path MTU discovery and troubleshooting as well.
ICMP Tunneling

ICMP messages can carry data about timing and routes, and the payload of an echo request or reply can hold arbitrary bytes. A packet can therefore carry information different from the intended information, which allows ICMP to be used as a covert communications channel between two systems. The channel can be used to deliver a Trojan horse or other malicious payload, or to exfiltrate data past a firewall that permits ping. Countermeasures: deny ICMP at the network boundary where it is not needed; where it must be allowed, restrict echo payload sizes, rate-limit it and inspect payloads for non-standard content (large or high-entropy echo data is a strong indicator).
APPLICATION LAYER
Cookie protocol problems

Server is blind:
Does not see cookie attributes (e.g. secure, HttpOnly)
Does not see which domain set the cookie
Server only sees: Cookie: NAME=VALUE

Example 1: login server problems
1. Alice logs in at login.site.com
login.site.com sets session-id cookie for .site.com
2. Alice visits evil.site.com
evil.site.com overwrites the .site.com session-id cookie with the session-id of user badguy
3. Alice visits course.site.com to submit homework
course.site.com thinks it is talking to badguy

Problem: course.site.com expects the session-id from login.site.com; it cannot tell that the session-id cookie was overwritten
Example 2: secure cookies are not secure
Alice logs in at https://accounts.google.com
set-cookie: SSID=A7_ESAgDpKYk5TGnf; Domain=.google.com; Path=/; Expires=Wed, 09-Mar-2026 18:35:11 GMT; Secure; HttpOnly
set-cookie: SAPISID=wj1gYKLFy-RmWybP/ANtKMtPIHNambvdI4; Domain=.google.com; Path=/; Expires=Wed, 09-Mar-2026 18:35:11 GMT; Secure

Alice visits http://www.google.com (cleartext)
A network attacker can inject into the response
Set-Cookie: SSID=badguy; secure
and overwrite the secure cookie

Problem: a network attacker can re-write HTTPS cookies!
The HTTPS cookie value cannot be trusted
Caveat: browsers that implement the "Leave Secure Cookies Alone" rule of RFC 6265bis (Chrome 52 and Firefox 52 onward) refuse to let a non-secure origin set a Secure cookie or overwrite an existing one, which closes this particular hole; older browsers and non-browser HTTP clients do not.
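Both cookie problems above (the sibling-subdomain overwrite of Example 1 and the cleartext overwrite of the Secure cookie in Example 2) come from the same storage rules, so here is one added example, not part of the original slides, that implements a toy browser cookie jar with RFC 6265 domain and path matching and replays both scenarios. The hosts, cookie names and the SSID value are the slides' own; the jar, the cookie value "alice-session" and the strict_secure switch (which models the "Leave Secure Cookies Alone" rule) are this example's assumptions, and the injected cookie is given Domain=.google.com so that it collides with the legitimate one.

```python
"""Added example: a toy cookie jar reproducing the two overwrite problems."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # request host for host-only cookies, else Domain attr without the dot
    host_only: bool
    path: str
    secure: bool
    http_only: bool


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse 'NAME=VALUE; Domain=...; Path=...; Secure; HttpOnly'."""
    parts = [p.strip() for p in header.split(";")]
    name, value = (s.strip() for s in parts[0].split("=", 1))
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    if "domain" in attrs:
        domain, host_only = attrs["domain"].lower().lstrip("."), False
    else:
        domain, host_only = request_host.lower(), True
    return Cookie(name, value, domain, host_only, attrs.get("path") or "/",
                  "secure" in attrs, "httponly" in attrs)


def domain_matches(host: str, c: Cookie) -> bool:
    host = host.lower()
    if c.host_only:
        return host == c.domain
    return host == c.domain or host.endswith("." + c.domain)


def path_matches(req_path: str, cookie_path: str) -> bool:
    if req_path == cookie_path:
        return True
    if not req_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"


class CookieJar:
    """strict_secure=False is the legacy behaviour the slide shows;
    True applies the 'Leave Secure Cookies Alone' rule (RFC 6265bis, approximated)."""
    def __init__(self, strict_secure: bool = False):
        self.strict_secure = strict_secure
        self.cookies = []

    def receive(self, scheme: str, host: str, set_cookie: str) -> bool:
        c = parse_set_cookie(set_cookie, host)
        if self.strict_secure and scheme != "https":
            shadowed = any(o.secure and o.name == c.name and domain_matches(host, o)
                           and path_matches(c.path, o.path) for o in self.cookies)
            if c.secure or shadowed:
                return False      # rejected: a cleartext origin may not touch Secure cookies
        key = (c.name, c.domain, c.host_only, c.path)
        # Same name+domain+path: the new cookie silently replaces the old one,
        # whoever set it. This is the overwrite both slides rely on.
        self.cookies = [o for o in self.cookies
                        if (o.name, o.domain, o.host_only, o.path) != key]
        self.cookies.append(c)
        return True

    def cookie_header(self, scheme: str, host: str, path: str = "/") -> str:
        sent = [c for c in self.cookies if domain_matches(host, c)
                and path_matches(path, c.path) and (scheme == "https" or not c.secure)]
        # All the server ever sees: no Domain, Path, Secure, HttpOnly, no setter.
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def example1_login_server() -> str:
    jar = CookieJar()
    jar.receive("https", "login.site.com", "session-id=alice-session; Domain=.site.com; Path=/")
    jar.receive("https", "evil.site.com", "session-id=badguy; Domain=.site.com; Path=/")
    return jar.cookie_header("https", "course.site.com")      # what course.site.com receives


def example2_secure_overwrite(strict_secure: bool) -> str:
    jar = CookieJar(strict_secure=strict_secure)
    jar.receive("https", "accounts.google.com",
                "SSID=A7_ESAgDpKYk5TGnf; Domain=.google.com; Path=/; Secure; HttpOnly")
    # Network attacker injects this into the cleartext http://www.google.com response.
    jar.receive("http", "www.google.com", "SSID=badguy; Domain=.google.com; Path=/; Secure")
    return jar.cookie_header("https", "accounts.google.com")


if __name__ == "__main__":
    print("course.site.com sees:", example1_login_server())
    print("legacy browser, accounts.google.com sees:", example2_secure_overwrite(False))
    print("strict browser, accounts.google.com sees:", example2_secure_overwrite(True))
```

The server-side fix for Example 1 does not live in the jar: a sensitive cookie should be host-only (no Domain attribute, or the __Host- prefix) so sibling subdomains cannot set it, and its value should be integrity-protected, as in the next example.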
Interaction with the DOM SOP
Cookie SOP path separation:
x.com/A does not see cookies of x.com/B

Not a security measure: x.com/A has access to the DOM of x.com/B

<iframe src="x.com/B"></iframe>
alert(frames[0].document.cookie);

Path separation is done for efficiency, not security:
x.com/A is only sent the cookies it needs
Cookies have no integrity
User can change and delete cookie values
Edit the cookie database (Firefox: cookies.sqlite)
Modify the Cookie header (Firefox: TamperData extension, or any intercepting proxy)

Silly example: shopping cart software
Set-cookie: shopping-cart-total = 150 ($)

User edits the cookie file (cookie poisoning):
Cookie: shopping-cart-total = 15 ($)

Similar problem with hidden fields
<INPUT TYPE=hidden NAME=price VALUE=150>
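Since the client can edit any cookie, a server that must store state client-side has to add the integrity the protocol lacks. The block below is an added example, not code from the slides: it signs the shopping-cart-total value with an HMAC (SHA-256) keyed with a server secret, binds the cookie name into the MAC so one cookie's tag cannot be reused for another, and rejects the slide's edited "15" because the tag no longer verifies. The key, helper names and the tamper scenario are constructed for the example.

```python
"""Added example: HMAC-signed cookie values, so client-side edits are detected."""
import base64
import hashlib
import hmac
import secrets

# Assumption: in a real deployment this comes from configuration and is shared
# by all app servers; generating it per process only serves this demo.
SECRET_KEY = secrets.token_bytes(32)


def sign_value(name: str, value: str, key: bytes = SECRET_KEY) -> str:
    """Return 'value.tag'. The name is mixed in so that the tag for
    shopping-cart-total=150 cannot be replayed as, say, discount=150."""
    mac = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return f"{value}.{tag}"


def verify_value(name: str, signed: str, key: bytes = SECRET_KEY):
    """Return the original value, or None if the tag is missing or wrong."""
    value, sep, tag = signed.rpartition(".")      # the tag never contains '.'
    if not sep:
        return None
    expected = sign_value(name, value, key).rpartition(".")[2]
    # Constant-time comparison: a plain == would leak how much of the tag matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return value


def parse_cookie_header(header: str) -> dict:
    """The server only ever sees NAME=VALUE pairs."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def cart_total_from_cookie(header: str):
    """Server-side handler: trust the total only if its signature verifies."""
    raw = parse_cookie_header(header).get("shopping-cart-total")
    if raw is None:
        return None
    value = verify_value("shopping-cart-total", raw)
    return int(value) if value is not None else None


def demo():
    """Honest cookie versus the slide's cookie-poisoning edit (150 -> 15)."""
    honest_header = "shopping-cart-total=" + sign_value("shopping-cart-total", "150")
    tag = honest_header.rpartition(".")[2]
    tampered_header = "shopping-cart-total=15." + tag   # digits edited, tag unchanged
    return cart_total_from_cookie(honest_header), cart_total_from_cookie(tampered_header)


if __name__ == "__main__":
    print("honest total, tampered total:", demo())
```

A MAC gives integrity only: the user can still read the value and replay an older signed cookie (a cheaper total from last week), so add an expiry or nonce inside the signed data, or simply keep the cart server-side and put only an opaque session ID in the cookie.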
Session hijacking
Attacker waits for the user to log in
then the attacker steals the user's session token
and hijacks the session
the attacker can issue arbitrary requests on behalf of the user

Example: Firesheep [2010]
Firefox extension that hijacks Facebook session tokens over WiFi. Solution: HTTPS after login, for every request that carries the token
Beware: Predictable tokens
Example 1: counter
user logs in, gets a counter value, and can view the sessions of other users by trying neighbouring values

Example 2: weak MAC. token = { userid, MACk(userid) }
A weak MAC exposes k from a few cookies.

Apache Tomcat: generateSessionId()
Returns a random session ID [server retrieves client state based on the session ID]
Session tokens must be unpredictable to the attacker
To generate: use the underlying framework (e.g. ASP, Tomcat, Rails)
Rails (older versions): token = MD5( current time, random nonce )
Beware: Session token theft
Example 1: login over HTTPS, but subsequent HTTP
Enables cookie theft at a wireless cafe (e.g. Firesheep)
Other ways a network attacker can steal the token:
Site has mixed HTTPS/HTTP pages: token sent over HTTP
Man-in-the-middle attacks on SSL

Example 2: Cross Site Scripting (XSS) exploits

Amplified by poor logout procedures:
Logout must invalidate the token on the server

Mitigating session token theft by binding the session token to the client's computer
A common idea: embed machine-specific data in the SID
Client IP address: makes it harder to use the token at another machine
But an honest client may change IP address during a session, and the client will then be logged out for no reason.
Client user agent: weak defense against theft, but doesn't hurt.
SSL session id: same problem as the IP address (and even worse)
Session fixation attacks
Suppose the attacker can set the user's session token:
For URL tokens, trick the user into clicking on a URL
For cookie tokens, set it using XSS exploits
Attack (say, using URL tokens):
1. Attacker gets an anonymous session token for site.com
2. Sends a URL to the user with the attacker's session token
3. User clicks on the URL and logs into site.com
this elevates the attacker's token to a logged-in token
4. Attacker uses the elevated token to hijack the user's session.

Session fixation: lesson
When elevating a user from anonymous to logged-in:
always issue a new session token
After login, the token changes to a value unknown to the attacker
Attacker's token is not elevated.
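To make the fixation lesson, the token-generation advice and the logout rule concrete, here is an added example that is not part of the original slides: a minimal server-side session store with a rotate_on_login switch. With rotation off, the four-step attack above elevates the attacker's token; with it on, the victim receives a fresh token and the attacker's stays anonymous. Tokens come from Python's secrets module (CSPRNG-backed), in place of the counter and weak-MAC schemes the slides warn about. The store, the user name and the flow are constructed for the example.

```python
"""Added example: session fixation against a naive store, and the rotate-on-login fix."""
import secrets


class SessionStore:
    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}          # token -> {"user": str or None}

    @staticmethod
    def new_token() -> str:
        # 32 random bytes -> 43 url-safe chars; unguessable, unlike a counter.
        return secrets.token_urlsafe(32)

    def anonymous(self) -> str:
        tok = self.new_token()
        self.sessions[tok] = {"user": None}
        return tok

    def login(self, token: str, user: str) -> str:
        """Elevate the session to logged-in. Returns the token the client must
        use from now on (the browser stores it as the new cookie / URL token)."""
        if token not in self.sessions:
            token = self.anonymous()
        if self.rotate_on_login:
            # The fix: discard the pre-login token, so a token the attacker
            # planted never becomes a logged-in token.
            del self.sessions[token]
            token = self.new_token()
        self.sessions[token] = {"user": user}
        return token

    def logout(self, token: str) -> None:
        # Logout must invalidate the token server-side, not just clear the cookie.
        self.sessions.pop(token, None)

    def whoami(self, token: str):
        return self.sessions.get(token, {"user": None})["user"]


def fixation_attack(rotate_on_login: bool):
    """Slides' steps: 1. attacker gets an anonymous token; 2. sends it to the
    user; 3. user logs in with it; 4. attacker tries the token.
    Returns (who the attacker's token maps to, who the victim's token maps to)."""
    store = SessionStore(rotate_on_login)
    attacker_token = store.anonymous()                     # step 1 (and 2: delivered via URL)
    victim_token = store.login(attacker_token, "alice")    # step 3
    return store.whoami(attacker_token), store.whoami(victim_token)   # step 4


def logout_invalidates():
    store = SessionStore(rotate_on_login=True)
    tok = store.login(store.anonymous(), "alice")
    store.logout(tok)
    return store.whoami(tok)       # a stolen token is useless once logged out


if __name__ == "__main__":
    print("naive store, attacker sees:", fixation_attack(False)[0])
    print("rotating store, attacker sees:", fixation_attack(True)[0])
    print("after logout:", logout_invalidates())
```

Rotation on login is what frameworks expose as "session regenerate" (e.g. PHP's session_regenerate_id, Rails' reset_session); the same rotation is worth doing on any privilege change, not only at login.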


LABS TIME
Objectives

Sniffing a password using Wireshark

What to do

1. Launch Wireshark.
2. From the Wireshark menu bar, select Capture > Interfaces (Ctrl+I).
3. In the Wireshark Capture Interfaces dialog box, find and select the Ethernet driver interface that is connected to the system, and then click Start.
4. Switch to the virtual machine and log in to your email.
5. You may save the captured packets from File > Save As.
6. In Find by...

QUESTION

1. Evaluate the protocols involved in the activity captured by Wireshark.
2. Evaluate the result of the activity.