Network attacks
This presentation is the property of its rightful owner.
Sponsored Links
1 / 82

Network Attacks PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Network Attacks. Topics. Sniffing IP address spoofing Session hijacking Netcat General-purpose network tool. Sniffing. Sniffer gathers traffic from LAN Can see packets in real time Usually, interface put in promiscuous mode Gathers everything, regardless of IP address

Download Presentation

Network Attacks

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Network attacks

Network Attacks

Network Attacks 1



  • Sniffing

  • IP address spoofing

  • Session hijacking

  • Netcat

    • General-purpose network tool

Network Attacks 2



  • Sniffer gathers traffic from LAN

    • Can see packets in real time

    • Usually, interface put in promiscuous mode

    • Gathers everything, regardless of IP address

  • Sniffer is useful for attacker

    • And useful for administrator

  • Sniffer can collect data such as …

    • ID/password sent over telnet, DNS, email messages, files sent over NFS, etc.

Network Attacks 3



  • Attacker who has access to LAN can sniff packets

    • Usually requires admin/root privilege

    • Typically, use sniffer to gather pwds

  • Sniffing can be used in “island hopping” attack

    • Next slide

Network Attacks 4

Island hopping attack

Island Hopping Attack

Network Attacks 5



  • Freeware sniffers include

    • windump --- port of tcpdump

    • Snort --- sniffer/IDS

    • Wireshark (formerly, Ethereal) --- able to decode lots of protocols

    • Sniffit --- popular with attackers

    • Dsniff --- perhaps most powerful

Network Attacks 6

Passive sniffing thru a hub

Passive Sniffing Thru a Hub

  • Recall that hub broadcasts everything

  • Passive sniffer sees everything

Network Attacks 7



  • Snort: open source, UNIX-based IDS

  • Started out as a sniffer

    • Still can serve as a capable sniffer

    • Why does sniffer-to-IDS make sense?

  • Snort not often used by attackers

    • Has more features than attacker needs

Network Attacks 8



  • Sniffit popular with attackers

    • UNIX-based

  • Sniffit has “interactive mode”

    • Keeps track of individual sessions

    • Can view these as separate conversations

Network Attacks 9

Sniffit interactive mode

Sniffit Interactive Mode

Network Attacks 10



  • Wireshark (formerly Ethereal)

    • Available for many platforms

    • Probably easiest sniffer to use, great UI, etc.

  • Wireshark is a “protocol genius”

    • Decodes every bit of packet

  • “Follow TCP stream” function

    • Select a TCP packet, view entire connection

Network Attacks 11



Network Attacks 12

Sniffer as scanning tool

Sniffer as Scanning Tool

  • Nmap, Nessus, etc., may be detected

    • Active

  • Sniffer is passive, so no such risk

    • What can be determined by sniffing?

  • May be able to ID OS (maybe even version of OS)

    • E.g., based on way connections are made

Network Attacks 13

Network attacks


  • Tool to passively ID OS

  • Available for most platforms

  • To “fingerprint” OS’s network stack

    • Can also ID firewall, NAT, etc.

  • What info does it use?

  • TTL, IP ID, other?

Network Attacks 14

Network attacks


Network Attacks 15



  • Recall that switch does not broadcast

Network Attacks 16

Active sniffing

Active Sniffing

  • Sniffing thru a switch?

  • Switch limits what you see with sniffers such as Wireshark

  • May be able to “sniff” thru switch by inserting traffic

    • Dsniff and Ettercap

Network Attacks 17



  • Developed by developer of FragRouter

  • Dsniff decodes lots application level protocols

    • FTP, telnet, POP,…, Napster, pcAnywhere

    • Makes it easy to find passwords

  • Dsniff also has active operations

Network Attacks 18



  • Switch remembers MAC addresses

  • MAC address flooding

    • Dsniff sends packets with random spoofed MAC addresses

    • Switches address memory eventually exhausted

  • Then what does switch do?

    • It depends…, but some start acting like hubs

    • If so, then passive sniffing works

Network Attacks 19



  • What to do if flooding fails?

  • ARP spoofing (ARP cache poisoning)

    • Attacker sets “IP forwarding” on his machine to default gateway (router)

    • Attacker poisons ARP cache so that he appears to be default gateway

    • Attacker see all traffic destined for outside world, and traffic still sent to default gateway

Network Attacks 20

Default router

Default Router

Network Attacks 21

Spoofed default router

Spoofed “Default Router”

Network Attacks 22

Dsniff arp spoofing

Dsniff ARP Spoofing

  • How could this be detected?

  • What happens when packet sent from attacker to default gateway?

    • IP forwarding is “really simple routing”

    • So, TTL is decremented

    • Could be detected by, say, traceroute

  • How can attacker avoid this?

Network Attacks 23



  • Ettercap uses method known as “port stealing” to sniff switched LAN

    • Sometimes, hard-coded MAC addresses

    • In such case, ARP poisoning not possible

  • Port stealing may be an option

Network Attacks 24



  • Switch associates MAC addresses to each of its physical ports

    • Mapping created by examining packets

  • Ettercap floods LAN with frames

    • Attacker’s MAC address is destination

    • Source MAC address is victim machine (e.g., default gateway)

  • What does this accomplish?

    • Switch associates default gateway with its physical port on which attacker resides

Network Attacks 25



  • Port stealing

  • So far… switch thinks default gateway on same physical port as attacker

    • Note: ARP tables on hosts not affected

  • Then attacker can sniff data intended for victim

  • How does attacker then get these packets to the default gateway?

Network Attacks 26



  • So far… packets intended for gateway can be sniffed by attacker

  • How to get these packets to gateway?

    • Forward packets to switch with gateway’s MAC address?

    • That won’t work!

Network Attacks 27



  • Attacker sends ARP request for IP address of gateway

  • When attacker sees response

    • Knows switch has also seen response

  • So what?

    • Now switch send data intended for gateway to the gateway

    • Attacker can then send buffered data

  • Brilliant!

Network Attacks 28

Port stealing

Port Stealing

Network Attacks 29

Dns spoofing

DNS Spoofing

  • Dsniff can send false DNS info

    • Used to redirect traffic

  • Victim tries to resolve name via DNS

    • Attacker sniffs DNS request

    • Attacker responds quickly with bogus IP

    • Victim goes to bogus address

  • Works provided bogus reply arrives first

Network Attacks 30

Dns spoofing1

DNS Spoofing

Network Attacks 31

Sniffing ssl and ssh

Sniffing SSL and SSH

  • Dsniff webmitm enables man-in-the-middle (MIM) attack

  • Send certificate signed by bogus “CA”

    • In SSL, browser warns use, and …

    • …warning is ignored

    • In SSH user is warned, and …

    • …warning is ignored

Network Attacks 32

Sniffing ssl and ssh1

Sniffing SSL and SSH

  • Man-in-the-middle

    • Politically correct: “monkey-in-the-middle”

Network Attacks 33

Simplified ssl protocol

Simplified SSL Protocol

Can we talk?, cipher list, RA

  • S is pre-master secret

  • K = h(S,RA,RB)

  • msgs = all previous messages

  • CLNT and SRVR are constants

certificate, cipher, RB

{S}Bob, E(h(msgs,CLNT,K),K)


Data protected with key K



Network Attacks 34

Ssl mim attack

SSL MiM Attack



  • Q: What prevents this MiM attack?

  • A: Bob’s certificate must be signed by a certificate authority (such as Verisign)

  • What does browser do if signature not valid?

  • What does user do if signature is not valid?

certificateT, RB

certificateB, RB










Network Attacks 35

Sniffing ssl

Sniffing SSL

Network Attacks 36

Firefox certificate warning

Firefox Certificate Warning

Network Attacks 37

Ie certificate warning

IE Certificate Warning

Network Attacks 38

Webmitm output

Webmitm Output

Network Attacks 39

Ssh sniffing

SSH Sniffing

  • SSH gives a warning too

    • Specifically mentions MiM attack

    • Still, it’s easy to ignore

  • Ettercap also does SSH MiM

    • But Ettercap is not really in the “middle”

    • It establishes key with client, then connects client to server using same key

Network Attacks 40

Other dsniff features

Other Dsniff Features

  • Tcpkill --- kill active TCP connection

  • Tcpnice --- “shape traffic” using, e.g., ICMP source quench

  • Filesnarf --- grab NFS files

  • Mailsnarf --- grab email

  • Msgsnarf --- grab IM traffic

  • Urlsnarf --- grab URLs from HTTP traffic

  • Webspy --- view web pages victim views

Network Attacks 41

Sniffing defenses

Sniffing Defenses

  • Use secure protocols


  • Do not use telnet for sensitive info

  • Take certificate warnings seriously

  • Prefer switches to hubs

  • Hard code MAC addresses, if possible

  • Static ARP tables, where possible

Network Attacks 42

Sniffing defenses1

Sniffing Defenses

  • Use tools to detect promiscuous mode

  • Ipconfig (UNIX), PromiscDetect (Windows)

  • Sentinel looks for anomalies on LAN that indicate sniffing

    • Send packet (ping, for example) with bogus destination MAC address

    • Any reply indicates sniffing

  • Also, some Windows-specific tools

Network Attacks 43

Ip address spoofing

IP Address Spoofing

  • IP Address Spoofing

    • Changing source IP address

  • Enables Trudy to…

    • Cover her tracks

    • Break applications that use IP address for authentication

  • Previous examples: Nmap, Dsniff, …

Network Attacks 44

Simple spoofing

Simple Spoofing

  • Simply change the IP address

    • Ipconfig or Windows network Control Panel

  • Works when Trudy does not need response

    • DoS, for example

  • Tools for packet crafting

    • Hping2

    • Nemesis

    • NetDude

Network Attacks 45

Simple spoofing1

Simple Spoofing

  • Limitations of simple spoofing

    • Trudy cannot easily interact with target

    • Spoofing TCP especially difficult

  • Interactive simple spoofing works if Trudy on same LAN as spoofed address

Network Attacks 46

Simple spoofing2

Simple Spoofing

Network Attacks 47

Predicting sequence numbers

Predicting Sequence Numbers

  • Not-so-simple spoofing…

    • Trusted machines often require no authentication beyond TCP connection

  • Trudy can pretend to be trusted machine by spoofing IP address

    • To establish connection, Trudy must predict initial sequence number

Network Attacks 48

Not so simple spoofing

Not-So-Simple Spoofing

Network Attacks 49

Not so simple spoofing1

Not-So-Simple Spoofing

  • Note that…

    • Trudy must correctly guess ISNB

    • Trudy does not see responses (not a true interactive session)

    • Bob thinks packets came from Alice

    • Good attack for r-commands

Network Attacks 50

Spoofing via source routing

Spoofing via Source Routing

  • Source routing

    • Specify path packet will take

  • Loose source routing

    • Specify some hops

  • Source routing makes Trudy’s life much easier

    • Next slide

Network Attacks 51

Spoofing via source routing1

Spoofing via Source Routing

Network Attacks 52

Spoofing via source routing2

Spoofing via Source Routing

  • Seldom works across Internet

    • Source routing blocked by gateway

  • May work on internal network

    • Makes insider attacks easy

Network Attacks 53

Ip spoofing defenses

IP Spoofing Defenses

  • Be sure ISNs are reasonably random

  • Avoid using r-commands

    • Or use only with SSH or VPN

  • IP address for authentication … NOT!

  • Do not allow source routing

  • Be careful with trust relationships

Network Attacks 54

Ip spoofing defense

IP Spoofing Defense

  • Employ anti-spoof packet filters

Network Attacks 55

Session hijacking

Session Hijacking

  • Trudy “steals” an existing session

  • Network-based session hijacking

    • Combines spoofing and sniffing

    • Alice and Bob have existing connection

    • Trudy is sniffing packets (on LAN)

    • Trudy starts injecting packets

    • Bob thinks packets came from Alice

  • This works even if strong authentication used, provided there is no encryption

Network Attacks 56

Session hijacking1

Session Hijacking

  • Also, host-based session hijacking

  • Tools for session hijacking

    • Hunt

    • Dsniff --- sshmitm

    • Ettercap

    • Juggernaut

    • IP Watcher, TTYWatcher, TTYSnoop

Network Attacks 57

Ack storm

ACK Storm

  • If Alice is alive during session hijack…

    • Limits the attack

Network Attacks 58



  • Ettercap can prevent ACK storm

  • ARP cache poisoning

    • Ettercap makes Trudy MiM

Network Attacks 59



Network Attacks 60

Network attacks


  • Hunt offers similar feature as Ettercap

  • Includes a “resync” feature that may allow Trudy out of MiM

    • And allow Alice and Bob to continue

  • Ettercap and Hunt attacks can work even if Trudy not on same LAN

    • Trudy must be on network between Alice & Bob

Network Attacks 61

Mim attack

MiM Attack

Network Attacks 62

Wireless access points

Wireless Access Points

  • All attacks so far also work on wireless networks

  • But wireless has unique attack…

  • Access point hijacking

    • Given SSID, pretend to be access point

    • Then need to get victims to associate with fake access point

    • Tool for this: AirJack

Network Attacks 63

Session hijacking defenses

Session Hijacking Defenses

  • Use defenses against spoofing and sniffing

  • Use SSH version 2

    • Dsniff and Ettercap MiM work against SSH version 1

  • Pay careful attention to certificate warnings

Network Attacks 64



  • General-purpose networking tool

    • “…single most useful tool … for interacting with a system across a network”

    • “Swiss army knife of network tools”

    • If you were stranded on a desert island, your one attack tool would be Netcat

  • You get the idea…

Network Attacks 65



  • Send or receive data from any TCP or UDP port to any TCP or UDP port

Network Attacks 66

Netcat for file transfer

Netcat For File Transfer

  • File transfer: any port, push or pull

Network Attacks 67

Netcat for port scanning

Netcat For Port Scanning

  • Plain vanilla port scanning

    • Unlike Nmap, which has many options

Network Attacks 68

Netcat connect to open ports

Netcat: Connect to Open Ports

  • Connect to open port

    • Send data and see what comes back

  • Better than telnet because

    • Easier to redirect output to file

    • Easier to drop a connection

    • No telnet control data/characters

    • No telnet error messages

    • telnet cannot make UDP connections

Network Attacks 69

Netcat vulnerability scanning

Netcat: Vulnerability Scanning

  • Netcat as “vulnerability engine”

    • I.e., attacker writes scripts that use Netcat’s capabilities

    • Netcat comes with scripts to check for vulnerabilites in RPC, NFS, trust, FTP, a really weak passwords (very limited compared to Nessus)

Network Attacks 70

Netcat backdoors

Netcat Backdoors

  • With access to a machine, Trudy can

    • Start a Netcat listener for future access

    • Create an active backdoor (i.e., push data)

  • These are most common uses of Netcat by bad guys

Network Attacks 71

Netcat to relay traffic

Netcat to Relay Traffic

  • Can use Netcat to relay traffic

    • Trudy can hide her true location

  • 10 or more “hops” sometimes seen

    • Across political/language boundaries

Network Attacks 72

Evade packet filter

Evade Packet Filter

Network Attacks 73

How to create netcat relay

How to Create Netcat Relay?

  • Three popular techniques

  • Modify inted in UNIX/Linux

    • Add a line to inted.conf file

  • “backpipe” on UNIX/Linux

    • Use mknod: pipes data in FIFO order

  • Relay bat file in Windows

Network Attacks 74



Network Attacks 75

Netcat listeners

Netcat Listeners

  • By default, Netcat listener is nonpersistent

  • In Windows version, can create persistent listeners

  • In UNIX, requires a little more work from Trudy to get same effect

    • see book for details

Network Attacks 76

Netcat honeypots

Netcat Honeypots

  • Good guys can create Netcat (persistent) listeners

    • These can be used as honeypots

Network Attacks 77

Netcat defenses

Netcat Defenses

  • Prevent Netcat file transfers

    • Firewall configuration issue

  • Secure against port scanning

    • Minimal number of listening ports

  • Block arbitrary connections to ports

    • Close unused ports

  • Protect against vulnerability scanning

    • Apply patches

Network Attacks 78

Netcat defenses1

Netcat Defenses

  • Stop backdoors

    • Need to know what processes are running so you can detect rogue processes

  • Prevent relay attacks

    • No single point that attacker can relay around

  • Stop persistent listeners

    • Periodically check for unexpected listening ports

Network Attacks 79



Network Attacks 80



Network Attacks 81



Network Attacks 82

  • Login