Section 8 Phase3: Gaining Access Using Network Attacks

0
0
1794 days ago, 633 views
PowerPoint PPT Presentation
Apparatuses utilized as a part of Network Attacks. SniffingSpoofingSession hijackingNetcat. Sniffer. Permits assailant to see everything sent over the system, including userIDs and passwordsNIC put in wanton modeTcpdump http://www.tcpdump.orgWindump http://netgroup-serv.polito.it/windumpSnort http://www.snort.orgEthereal http://www.ethereal.comSniffit http://reptile.rug.ac.be/~coder/sniffit/sniffit.htmlDsni

Presentation Transcript

Slide 1

´╗┐Section 8 Phase3: Gaining Access Using Network Attacks

Slide 2

Tools utilized as a part of Network Attacks Sniffing Spoofing Session seizing Netcat

Slide 3

Sniffer Allows aggressor to see everything sent over the system, including userIDs and passwords NIC set in wanton mode Tcpdump http://www.tcpdump.org Windump http://netgroup-serv.polito.it/windump Snort http://www.snort.org Ethereal http://www.ethereal.com Sniffit http://reptile.rug.ac.be/~coder/sniffit/sniffit.html Dsniff http://www.monkey.org/~dugsong/dsniff

Slide 4

Island Hopping Attack Attacker at first assumes control over a machine by means of some endeavor Attacker introduces a sniffer to catch userIDs and passwords to assume control different machines

Slide 5

Figure 8.1 An island bouncing assault

Slide 6

Passive Sniffers that latently sit tight for movement to be sent to them Well suited for center point condition Snort Sniffit

Slide 7

Figure 8.2 A LAN executed with a center point

Slide 8

Sniffit in Interactive Mode Useful for checking session-situated applications, for example, telnet, rlogin, and ftp Activated by beginning sniffit with "- i" alternative Sorts bundles into sessions in view of IP addresses and port numbers Identifies userIDs and passwords Allows assailant to watch keystrokes of casualty progressively. http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

Slide 9

Figure 8.3 Using Sniffit in intelligent mode to sniff a userID and secret word

Slide 10

Switched Ethernet LANs Forwards arrange parcels in view of the goal MAC address in the Ethernet header Renders uninvolved sniffers ineffectual

Slide 11

Figure 8.4 A LAN actualized with a switch

Slide 12

Figure 8.5 An exchanged LAN keeps an assailant from inactively sniffing movement

Slide 13

Active Sniffers Effective in sniffing exchanged LANs Injects activity into the LAN to divert casualty's activity to aggressor

Slide 14

Dsniff Active sniffer http://www.monkey.org/~dugsong/dsniff Runs on Linux, Solaris, OpenBSD Excels at interpreting an expansive number of Application level conventions FTP, telnet, SMTP, HTTP, POP, NTTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, NFS, NIS, SOCKS, X11, IRC, ICQ, Napster, MS SMB, and SQL Performs dynamic sniffing utilizing MAC flooding or arpspoof

Slide 15

Dsniff's MAC Flooding Initiated by means of Dsniff's Macof program Foul up changes by conveying a surge of bundles with irregular MAC addresses When switch's memory turns out to be full, the switch will begin sending information to all connections on the switch At this point, Dsniff or any aloof sniffer can catch sought bundles

Slide 16

Dsniff's Arpspoof Used in exchanged condition where MAC flooding does not work massacres switches by means of caricature ARP messages Attacker's machine at first designed with "IP sending" to forward approaching system activity to a default switch Dsniff's arpspoof program enacted to send fake ARP answers to the casualty's machine to toxin its ARP table Attacker can now sniff all activity on the LAN

Slide 17

Figure 8.6 Arpspoof diverts movement, permitting the assailant to sniff an exchanged LAN

Slide 18

Dsniff's DNSspoof diverts activity by sending false DNS data to casualty Attacker at first actuates arpspoof and dnsspoof When casualty tries to peruse a site, a DNS inquiry is sent yet the assailant sends a harmed DNS reaction Victim unwittingly speaks with another web server

Slide 19

Figure 8.7 A DNS assault utilizing Dsniff

Slide 20

Sniffing HTTPS and SSH Security is based on a trust model of fundamental open keys HTTPS server sends to program an endorsement containing server's open key marked by a Certificate Authority SSL association utilizes a session scratch haphazardly produced by server to encode information amongst server and customer With SSH, a session key is transmitted in a scrambled manner utilizing a private key put away on the server Dsniff exploits poor trust choices made by a confused client through man-in-the center assault Web program client may believe a declaration that is not marked by a trusted gathering SSH client can even now interface with a server whose open key has changed

Slide 21

Attacking HTTPS and SSH by means of Dsniff Webmitm Sshmitm

Slide 22

Figure 8.8 In a man in-the-center assault, the assailant can snatch or adjust movement amongst Alice and Bob

Slide 23

Dsniff's Webmitm Program used to intermediary all HTTP and HTTPS movement going about as a SSL intermediary, webmitm can build up two separate SSL associations One association amongst casualty and aggressor One association amongst assailant and web server Webmitm sends assailant's authentication to casualty

Slide 24

Figure 8.9 Sniffing a HTTPS association utilizing dsniff's individual in-the-center assault

Slide 25

Figure 8.10 Netscape's notice messages for SSL associations utilizing testaments that aren't put stock in

Slide 26

Figure 8.11 Internet Explorer's notice messages are better, however not by much

Slide 27

Figure 8.12 Webmitm's yield demonstrates whole substance of SSL-encoded session, including the userID and watchword

Slide 28

Dsniff's sshmitm Allows aggressor to view information sent over a SSH session Supports sniffing of SSH convention rendition 1

Slide 29

Dsniff's different Tools Tcpkill Kills a dynamic TCP association. Permits assailant to sniff the UserID and watchword on resulting session Tcpnice Slows down movement by infusing little TCP window notices and ICMP source extinguish parcels so sniffer can stay aware of the information Filesnarf Grabs documents transmitted utilizing NFS

Slide 30

Dsniff's different Tools (cont.) Mailsnarf Grabs email sent utilizing SMTP and POP Msgsnarf Grabs messages sent utilizing AOL Instant Messenger, ICQ, IRC, and Yahoo Messenger URLsnarf Grabs a rundown of all URLs from HTTP activity Webspy Allows aggressor to view all site pages saw by casualty

Slide 31

Sniffing Defenses Use HTTPS for scrambled web movement Use SSH for encoded login sessions Avoid utilizing Telnet Use S/MIME or PGP for scrambled email Pay regard for notice messages on your program and SSH customer Configuring Ethernet switch with MAC address of machine utilizing that port to anticipate MAC flooding and arpspoofing Use static ARP tables on the end frameworks

Slide 32

IP Address Spoofing Changing or masking the source IP address utilized by Nmap in fake mode Used by Dsniff in dnsspoof assault DNS reaction sent by Dsniff contains source address of the DNS server Used trying to claim ignorance of-administration assaults Used in undermining Unix r-summons Used with source steering assaults

Slide 33

Simple IP Address Spoofing Pros Works well secluded from everything wellspring of a bundle surge or other dissent of-administration assault Cons Difficult for aggressor to screen reaction bundles Any reaction bundle will be sent to satirize IP deliver Difficult to IP address parody against any TCP-construct benefit unless machines are in light of same LAN and ARP farce is utilized

Slide 34

Figure 8.13 The TCP three-way handshake restrains straightforward caricaturing

Slide 35

Undermining Unix r-orders by means of IP Address Spoofing When one Unix framework puts stock in another, a client can sign into the trusted machine and after that get to the confiding in machine without providing a secret key by utilizing rlogin, rsh, and rcp hosts.equiv or .rhosts records used to actualize trusts IP address of trusted framework utilized as frail type of confirmation Attacker mocking IP address of trusted framework can interface with trusting framework without giving secret word "Rbone" instrument http://packetstorm.security.com

Slide 36

Figure 8.14 Bob puts stock in Alice

Slide 37

Figure 8.15 Everyone puts stock in Alice, the overseer's fundamental administration framework

Slide 38

Spoofing Attack against Unix Trust Relationships Attacker collaborates with focused trusting server to decide consistency of beginning succession number Attacker dispatches a refusal of-administration assault (eg. SYN surge or smurf assault) against trusted framework to constrain it not to react to a satirize TCP association Attacker rsh to focused trusting server utilizing ridiculed IP address of trusted server Trusting server sends a SYN-ACK parcel to the lethargic trusted server Attacker sends an ACK bundle to trusting server with a speculate the succession number. On the off chance that ISN is right, an association is made. Despite the fact that aggressor can't at first observe answer parcels from confiding in server, assailant can issue charge to add "++" to hosts.equiv or .rhosts record. Trusting server will now confide in all machines. IP caricaturing is did not require anymore

Slide 39

Figure 8.16 Spoofing assault against Unix confide seeing someone

Slide 40

Spoofing with Source Routing Works if switches bolster source steering Attacker creates TCP SYN bundle bound for trusting server containing satirize IP address of trusted machine and fake source course in IP header Trusting server will answer with a SYN-ACK parcel containing a source course from putting stock in server to aggressor to put stock in machine. Assailant gets the answer however does not forward it to the put stock in machine. Assailant can act like confided in machine and have intelligent sessions with putting stock in machine

Slide 41

Figure 8.17 Spoofing assault utilizing source steering

Slide 42

IP Spoofing Defenses Make beyond any doubt that underlying succession numbers created by TCP stacks are hard to anticipate Apply most recent arrangement of security patches from OS seller Used Nmap to confirm consistency of ISN Use ssh rather than r-orders Avoid applications that utilization IP addresses for confirmation Authentication ought to utilize passwords, PKI, or Kerberos or different techniques that attach a session back to a client. Utilize "hostile to parody" bundle channels at outskirt switches and firewalls entrance (approaching) and departure (active) channels Block source-steered parcels on switches "no ip sourceroute"

Slide 43

Figure 8.18 Anti-parody channels

Slide 44

Session Hijacking

Slide 45

Figure 8.19 A system based session seizing situation

Slide 46

Figure 8.20 An ACK storm activated by session capturing

Slide 47

Figure 8.21 Avoiding the ACK storm

SPONSORS