
Address Spoofing and Denial of Service

  • Agenda

    • MAC Modification

    • Address Resolution Protocol Trickery

    • IP Address Spoofing

    • TCP Session Hijacking

    • Domain Name Spoofing

    • Email Spoofing (not in lab)

    • Denial of Service

ECE 4112 - Internetwork Security



IP Spoofing and Denial of Service Lab Exercises

  • Medium Access Control Address Spoofing

    • Windows XP MAC modification

    • Linux MAC modification

  • IP Spoofing

    • From Windows wINJECT

    • From Linux fraggle.c

  • Domain Name System Spoofing

    • dsniff tool

  • Denial of Service

    • datapool tool

    • synful

    • teardrop

    • udpflood


The Ethernet Frame - IEEE 802.3

  • Destination and Source MAC Addresses are modified for spoofing.


MAC modification/Spoofing

  • Change the MAC on a Host (Cloning)

    • Linux (ifconfig)

    • Windows Network Settings

  • Creating Link Layer Packets (Spoofing)

    • libnet (API)

    • Linkcat (tool – netcat for link layer)


Modifying Windows XP Network Interface


Modifying Windows XP Network Interface (continued)


Modifying Linux Network Interface


Address Resolution Protocol (ARP)

  • Method for finding a host's Ethernet address

  • Broadcast message looking for the IP address

  • Hosts maintain a cache to avoid frequent requests


ARP Cache Poisoning

  • Man in the Middle (MiM) Attack

    • Session Stealing

    • Packet/Data Injection

  • Beat the Switch

    • Making a Switch into a Hub
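
A defender-side check for the poisoning described above, as an added example that is not part of the original slides: it parses Ethernet/ARP frames and reports when an IP address is claimed by a second MAC, or when the frame's source MAC disagrees with the ARP sender field. The sample frames, addresses and the names `ArpWatch` and `sample_reply` are constructed for illustration.

```python
import struct

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):     # Ethernet + IPv4 only
        return None
    sender_ip = ".".join(str(x) for x in frame[28:32])
    return _mac(frame[6:12]), _mac(frame[22:28]), sender_ip

class ArpWatch:
    """Remembers the first MAC seen for each IP and reports later contradictions."""
    def __init__(self):
        self.seen = {}

    def check(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        eth_src, sender_mac, sender_ip = parsed
        alerts = []
        if eth_src != sender_mac:
            alerts.append(f"{sender_ip}: frame source {eth_src} != ARP sender {sender_mac}")
        first = self.seen.setdefault(sender_ip, sender_mac)
        if first != sender_mac:
            alerts.append(f"{sender_ip}: was {first}, now claimed by {sender_mac}")
        return alerts

def sample_reply(eth_src, sender_mac, sender_ip="c0a80101"):
    """Constructed ARP reply (hex fields) addressed to host aa:bb:cc:dd:ee:01 / 192.168.1.10."""
    return bytes.fromhex("aabbccddee01" + eth_src + "0806" + "0001080006040002"
                         + sender_mac + sender_ip + "aabbccddee01" + "c0a8010a")

def run_demo():
    watch = ArpWatch()
    frames = [
        sample_reply("001122334455", "001122334455"),   # gateway 192.168.1.1 announces itself
        sample_reply("deadbeef0002", "deadbeef0002"),   # another MAC claims the same IP
        sample_reply("deadbeef0002", "001122334455"),   # header and ARP payload disagree
    ]
    return [watch.check(f) for f in frames]

if __name__ == "__main__":
    for alerts in run_demo():
        print(alerts or "ok")
```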


Arpspoof Example


Network and Transport Layers

  • Internet Protocol (IP)

  • Internet Control Message Protocol (ICMP)

  • Transmission Control Protocol (TCP)

  • User Datagram Protocol (UDP)

  • TCP Session Hijacking


Internet Protocol (IP)

IP header fields (figure): Version, IHL, Type of Service, Total length, Identification, DF, MF, Fragment offset, Time to live, Protocol, Header checksum, Source address, Destination address, Options (0 or more words)

  • IP provides a best-effort way to route datagrams from source to destination

  • Source address, destination address: network number and host number

  • IP spoofing: change or disguise source address


IP Spoofing

  • Non-blind attacks

    • Attacker and target on same subnet

    • Reply traffic can be sniffed

  • Blind attacks

    • Attacker and target on different subnets

    • Reply traffic cannot be seen by attacker

    • Attacker must be able to predict replies


IP Spoofing

  • Attacks made possible by IP spoofing include

    • Denial of Service (DoS)

    • Session Hijacking

    • Man in the Middle

  • To take over a TCP stream, sequence and acknowledgement numbers must be sniffed or predicted.


Transmission Control Protocol (TCP)

TCP header fields (figure): Source port, Destination port, Sequence number, Acknowledgement number, TCP HL, URG, ACK, PSH, RST, SYN, FIN, Window size, Checksum, Urgent pointer, Options (0 or more 32-bit words), Data (optional)

  • Source and Destination Ports

  • Sequence and Acknowledgement number

  • Reliability Checksum (not tamperproof)


Transmission Control Protocol (TCP)

  • Packet Types

    • URG: Urgent

    • ACK: Acknowledge

    • PSH: Push

    • RST: Reset

    • SYN: Synchronize (can flood a server)

    • FIN: Finish


Transmission Control Protocol (TCP) (4)

  • TCP connection initiation

    • Three-way handshake

Figure (three-way handshake between Host 1 and Host 2):

  • Host 1 → Host 2: SYN (SEQ=x)

  • Host 2 → Host 1: SYN (SEQ=y, ACK=x+1)

  • Host 1 → Host 2: (SEQ=x+1, ACK=y+1)


Session Hijacking

  • Session hijacking attacks: based on sniffing and IP spoofing

    • Attacker monitors packets between Alice and Bob

    • Attacker injects spoofed traffic with a source IP address of Alice

Figure: Alice has a telnet session with Bob across the network; the attacker sends Bob traffic saying “Hi, I am Alice”.


DNS Spoofing

  • Causes name resolution to result in an incorrect IP address

  • In our lab, the dsniff tool is used to accomplish this


DSniff

  • Collection of tools for network auditing and penetration testing.

  • Tools included

    • ArpSpoof

    • DNSspoof

    • Dsniff

    • Filesnarf

    • Macof


DSniff

  • Mailsnarf

  • Msgsnarf

  • TCPKill

  • TCPnice

  • URLSnarf

  • WebSpy

  • SSHMITM

  • WebMITM


DSniff

  • All kinds of attacks can be run. E.g. –

    • Password Sniffing

    • Message and File Capture

    • URL Capture

    • Man-In-The-Middle

  • Lab exercises

    • DNS Spoofing


Email Spoofing

  • Email spoofing is effective because most people don’t have time to double check their headers all the time.

  • An email’s true origin can be further obfuscated by forging extra “Received:” lines.

  • To force a verification, email can be cryptographically signed.


Email Spoofing

  • Email spoofing is a form of social engineering.

  • Email spoofing is also used by spammers to make it more difficult to track them.

  • A forged email can be detected by close inspection of its headers.

  • Login to SMTP (port 25) is unauthenticated, so anyone can log in and send mail.


Email Spoofing (Not in Lab Assignment)

  • telnet mail.xyz.gatech.edu 25

  • 220 sark.xyz.gatech.edu ESMTP Sendmail 8.12.10/8.12.8; Mon, 1 Dec 2003 040500 (EST)

  • HELO abc4883.com

  • 250 sark.xyz.gatech.edu Hello ece-237-37.abc.gatech.edu [130.207.237.37], pleased to meet you

  • MAIL FROM: <[email protected]>

  • 250 2.1.0 <[email protected]>... Sender ok

  • RCPT TO: <[email protected]>

  • 250 2.1.5 <[email protected]>... Recipient ok

  • DATA

  • 354 Enter mail, end with "." on a line by itself

  • Greetings from abc4883!

  • .

  • 250 2.0.0 hAUMOh6c005386 Message accepted for delivery

  • QUIT

  • 221 2.0.0 sark.xyz.gatech.edu closing connection
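
The header inspection mentioned on the previous slides, as an added example that is not part of the original deck: it reads only the `Received:` line written by the recipient's own server and compares the client-supplied HELO name with the reverse-DNS name and IP the server recorded, ignoring any trace lines below it. The message is constructed from the session above; the From address, the dates, the second `Received:` line and the name `inspect_origin` are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sendmail-style trace line: from <HELO name> (<reverse DNS> [<peer IP>]) by <server>
RECEIVED = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

# Constructed message modelled on the session above. The From address, the dates and
# the whole second Received line (a forged one) are placeholders, not from the page.
SAMPLE = (
    "Received: from abc4883.com (ece-237-37.abc.gatech.edu [130.207.237.37])\n"
    "\tby sark.xyz.gatech.edu (8.12.10/8.12.8) with ESMTP id hAUMOh6c005386;\n"
    "\tMon, 1 Dec 2003 04:05:00 -0500 (EST)\n"
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "\tby relay.example.org with ESMTP; Mon, 1 Dec 2003 04:04:00 -0500 (EST)\n"
    "From: someone@example.org\n"
    "Subject: Greetings\n"
    "\n"
    "Greetings from abc4883!\n"
)

def inspect_origin(raw, our_server):
    """Report what our own server recorded about the peer that handed it the message."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    for index, hop in enumerate(hops):              # newest trace line comes first
        m = RECEIVED.search(hop)
        if m and m.group(4).lower() == our_server.lower():
            break
    else:
        return None                                 # no line written by our server
    helo, rdns, peer_ip, _ = m.groups()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rdns_l = (rdns or "").lower()
    return {
        "peer_ip": peer_ip,
        "helo": helo,
        "rdns": rdns,
        # HELO is typed by the client; the name in parentheses was looked up by the server.
        "helo_mismatch": helo.lower() != rdns_l,
        # Heuristic only: legitimate mail is often relayed by a host in another domain.
        "from_mismatch": not (rdns_l == from_domain or rdns_l.endswith("." + from_domain)),
        # Lines below ours were supplied by the sender and prove nothing.
        "unverified_hops": len(hops) - index - 1,
    }
```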


Raw Sockets

  • Allows the application to directly access the Network Access Layer (TCP/IP model)

  • Develop new or build upon existing protocols

  • Programming difference:

    • sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);

    • Manually build the necessary headers

  • Requires super user access

  • Not implemented the same across all platforms


libnet

  • Raw Sockets and Link Layer facilities

  • Simplifies packet injection programming

    • libnet_build_ipv4( packet_length, type_of_service, identity, fragment, time_to_live, protocol, checksum, source_address, destination_address, payload, payload_size, libnet, ptag)

    • libnet_autobuild_ipv4( packet_length, protocol, destination_address, libnet);

  • Allows for prebuilding streams of packets

  • Efficient mechanism for packet injection

  • Portable solution for packet injection


Denial of Service

  • Denial of Service

    • Easy to mount – script kiddies

    • Requires few computing resources

    • Most common attack – deadly results

  • Comes in various forms. E.g. –

    • Buffer Overflow Attack

    • Teardrop Attack

    • Syn Flood

    • Smurf Attack


Internet Control Message Protocol (ICMP)

  • ICMP is used to test the Internet.

  • Each ICMP message type is encapsulated in an IP packet.


Denial of Service

  • Buffer Overflow

    • Send more data than allotted buffer space. E.g. – More than 256 chars in email from field.

  • Tear Drop

    • Takes advantage of IP Fragmentation.

  • Syn Flood

    • Flood target with connection requests.

  • Smurf

    • ICMP echo requests with spoofed IP.
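
How a SYN flood looks from the monitoring side, tying the three-way handshake slide to the Syn Flood bullet above (an added example, not part of the original slides): the tracker follows each handshake step and counts, per server, the connections that never receive the final ACK. The class name, the threshold and all traffic in `run_demo` are constructed for illustration.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10                     # TCP flag bits

class HalfOpenTracker:
    """Counts handshakes per server that stopped after step 2 (no final ACK).
    Simplification: entries never time out; a real monitor would age them."""
    def __init__(self, limit):
        self.limit = limit
        self.pending = defaultdict(dict)  # server -> {client: ACK value expected in step 3}

    def observe(self, src, dst, flags, seq, ack=0):
        if flags & SYN and not flags & ACK:        # step 1: SYN (SEQ=x)
            self.pending[dst].setdefault(src, None)
        elif flags & SYN:                          # step 2: SYN (SEQ=y, ACK=x+1)
            if dst in self.pending[src]:
                self.pending[src][dst] = (seq + 1) % 2**32
        elif flags & ACK:                          # step 3: (SEQ=x+1, ACK=y+1)
            if self.pending[dst].get(src, -1) == ack:
                del self.pending[dst][src]

    def half_open(self, server):
        return len(self.pending[server])

    def flooded(self):
        return [s for s, c in self.pending.items() if len(c) > self.limit]

def run_demo():
    """Constructed traffic: one complete handshake, then five SYNs that are never completed."""
    server = ("10.0.0.5", 80)
    t = HalfOpenTracker(limit=3)
    client = ("10.0.0.20", 40000)
    t.observe(client, server, SYN, seq=1000)
    t.observe(server, client, SYN | ACK, seq=5000, ack=1001)
    t.observe(client, server, ACK, seq=1001, ack=5001)
    for i in range(5):                              # sources that never answer the SYN-ACK
        src = (f"198.51.100.{i + 1}", 1024 + i)
        t.observe(src, server, SYN, seq=7000 + i)
        t.observe(server, src, SYN | ACK, seq=9000 + i, ack=7001 + i)
    return t.half_open(server), t.flooded()

if __name__ == "__main__":
    print(run_demo())
```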


Denial of Service

  • Tool to be used in lab – Datapool

  • Customizable script with capabilities to run 106 different DoS attacks (including ones discussed)!

  • Can run attacks against multiple IPs and learns about vulnerabilities of each.

  • IP spoofing is used to disguise the source of the attack.
