
Blackhat Conference - USA 2003

Man in the middle attacks
Demos

Alberto Ornaghi <alor@antifork.org>
Marco Valleri <naga@antifork.org>

The scenario

[Diagram: Client, Attacker (in the middle), Server]

Once in the middle

- Injection
- Key Manipulation
- Downgrade attack
- Filtering

Injecting

Possibility to add packets to an already established connection (only possible in full-duplex mitm).
The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets.
If the mitm attack is a proxy attack it is even easier to inject (there are two distinct connections).

Injecting - Command injection

Useful in scenarios where a one-time authentication is used (e.g. RSA token).
In such scenarios sniffing the password is useless, but hijacking an already authenticated session is critical.
- Injection of commands to the server
- Emulation of fake replies to the client

Command Injection - DEMO

Key Manipulation

- SSH v1
- IPSEC
- HTTPS

Key Manipulation - SSH v1

Modification of the public key exchanged by server and client.

[Diagram, Server / MITM / Client: after start the server sends its public key KEY(rsa); the MITM forwards its own KEY(rsa) to the client. The client answers with the session key encrypted under that key, E_key[S-Key]; the MITM decrypts it and re-encrypts it for the server, so all three parties now hold S-KEY. Every later message M travels as E_skey(M) and the MITM computes D(E(M)) on both sides.]

SSH v1 Attack - DEMO

Key Manipulation - IPSEC

If two or more clients share the same secret, each of them can impersonate the server with another client.

[Diagram, Client / MiM / Server: Diffie-Hellman exchange 1 between client and MiM, authenticated by the pre-shared secret; Diffie-Hellman exchange 2 between MiM and server, authenticated by the pre-shared secret; the MiM decrypts each packet from one side and re-encrypts it for the other.]

Key Manipulation - HTTPS

We can create a fake certificate (e.g. issued by VerySign) relying on browser misconfiguration or user dumbness.

[Diagram, Client / MiM / Server: fake cert. between client and MiM; real connection to the server between MiM and server.]

HTTPS Attack - DEMO

Filtering

The attacker can modify the payload of the packets by recalculating the checksum.
He/she can create filters on the fly.
The length of the payload can also be changed, but only in full-duplex (in this case the seq has to be adjusted).

Filtering - Code Filtering / Injection

- Insertion of malicious code into web pages or mail (javascript, trojans, virus, etc.)
- Modification on the fly of binary files during the download phase (virus, backdoor, etc.)

Binary Modification - DEMO

Filtering - HTTPS redirection

Let's see an example.

[Diagram, Client / MiM / Server, in order:
- The server sends the http main page with an https login form.
- The MiM changes the form destination to http://attacker.
- The client sends an http post (login\password) to the MiM.
- The MiM answers with an auto-submitting hidden form carrying the right authentication data.
- The client performs the real https authentication post to the server.
- Authenticated connection.]
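Audit of login forms against the rewrite shown above. This is an added example, not code from the deck: a page fetched over plain http is parsed and every form that carries a password field is checked, because the form action must be https and must point at the host that served the page. The page URL and the HTML samples are constructed for the example.

```python
"""Audit login forms of a page fetched over plain http: a form with a
password field whose action is not https, or not on the serving host,
is what the MiM filter above produces. Added example, not from the deck."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _FormScanner(HTMLParser):
    """Collect (action, has_password) for each <form> in the document."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._cur is not None and (a.get("type") or "").lower() == "password":
            self._cur["has_password"] = True
    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def audit_login_forms(page_url, html):
    """Return (action, verdict) for each form with a password field.
    verdict: 'ok', 'plaintext' (credentials would go over http) or
    'foreign-host' (https, but not to the site that served the page)."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_host = urlparse(page_url).hostname
    results = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        # a relative action inherits the scheme of the page, so an http page
        # with a relative login form also sends the credentials in clear
        target = urlparse(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            results.append((form["action"], "plaintext"))
        elif target.hostname != page_host:
            results.append((form["action"], "foreign-host"))
        else:
            results.append((form["action"], "ok"))
    return results

# Constructed samples: the page as the server sent it, and as the client
# sees it after the MiM changed the form destination.
PAGE_URL = "http://www.example.com/"
ORIGINAL = ('<form action="https://www.example.com/login" method="post">'
            '<input name="login"><input type="password" name="password"></form>')
REWRITTEN = ORIGINAL.replace("https://www.example.com/login", "http://attacker/login")
```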

HTTPS Redirection Attack - DEMO

Downgrade Attacks

- SSH v2
- IPSEC
- PPTP

Downgrade Attacks - SSH v2 -> v1

Parameters exchanged by server and client can be substituted in the beginning of a connection (algorithms to be used later).
The attacker can force the client to initialize an SSH1 connection instead of SSH2.
The server replies in this way:
- SSH-1.99 -- the server supports ssh1 and ssh2
- SSH-1.51 -- the server supports ONLY ssh1
The attacker makes a filter to replace 1.99 with 1.51.
Possibility to circumvent known_hosts.
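The client-side policy that defeats the banner rewrite, as an added example (not code from the deck or from any SSH implementation): parse the server's version line, accept only protocol 2 unless the operator explicitly allows protocol 1, and compare the banner with one recorded earlier for the same host. The banner cache next to known_hosts and the software version strings are assumptions of the example.

```python
"""SSH version-banner policy check. Added example, not from the deck.
The server's first line is 'SSH-protoversion-softwareversion[ SP comments]'
(RFC 4253 sec. 4.2). protoversion 1.99 means the server speaks protocol 1
and 2; 1.51 (as written on the slide) means protocol 1 only. A client that
never falls back to protocol 1 is not downgraded by a 1.99 -> 1.51 rewrite:
the connection simply fails, and the mismatch can be reported."""
import re

BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>\S+)(?: (?P<comment>.*))?$")

def parse_banner(line):
    """Return (protoversion, softwareversion); raise ValueError otherwise."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH banner: {line!r}")
    return m.group("proto"), m.group("soft")

def choose_protocol(banner, allow_v1=False):
    """Which protocol a client should speak to this server: 2, 1, or None
    to refuse. allow_v1=False mirrors a 'protocol 2 only' client setting."""
    proto, _ = parse_banner(banner)
    if proto in ("2.0", "1.99"):
        return 2
    if proto.startswith("1.") and allow_v1:
        return 1
    return None

def downgrade_suspected(previous_banner, current_banner):
    """True when a host that earlier advertised protocol 2 support now
    advertises protocol 1 only. Keeping the last banner per host (assumed
    here, e.g. in a file beside known_hosts) is what makes this possible."""
    prev_proto, _ = parse_banner(previous_banner)
    cur_proto, _ = parse_banner(current_banner)
    return prev_proto in ("2.0", "1.99") and cur_proto.startswith("1.") and cur_proto != "1.99"

# Constructed sample banners (software version string is made up)
GENUINE = "SSH-1.99-OpenSSH_3.6"
REWRITTEN = "SSH-1.51-OpenSSH_3.6"   # what the client sees after the filter
```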

SSH v2 Downgrade - DEMO

Downgrade Attacks - IPSEC Failure

Block the key material exchanged on UDP port 500.
End points think that the other cannot start an IPSEC connection.
If the client is configured in rollback mode, there is a good chance that the user will not notice that the connection is in clear text.

Downgrade Attacks - PPTP attack (1)

During negotiation phase:
- Force PAP authentication (almost fails)
- Force MS-CHAPv1 from MS-CHAPv2 (easier to crack)
- Force no encryption
- Force re-negotiation (clear text terminate-ack)
Retrieve passwords from existing tunnels:
- Perform previous attacks
- Force password change to obtain password hashes
- Hashes can be used directly by a modified SMB or PPTP client
- MS-CHAPv2 hashes are not useful (you can force v1)

Downgrade Attacks - PPTP attack (2)

Force PAP from CHAP. We don't have to mess with GRE sequences...

[Diagram, Server / MITM / Client, LCP messages after start. Exchange on the server side: req | auth | chap; nak | auth | pap; req | auth | pap; ack | auth | pap. Exchange on the client side: req | auth | fake; nak | auth | chap; req | auth | pap; ack | auth | pap.]

Downgrade Attacks - L2TP rollback

L2TP can use IPSec ESP as transport layer (stronger than PPTP).
By default L2TP is tried before PPTP.
Blocking ISAKMP packets results in an IPSec failure.
Client starts a request for a PPTP tunnel (rollback).
Now you can perform the previous PPTP attacks.

PPTP Attack - DEMO

MITM attacks

Different attacks in different scenarios:
LOCAL AREA NETWORK:
- ARP poisoning
- DNS spoofing
- STP mangling
- Port stealing
FROM LOCAL TO REMOTE (through a gateway):
- ARP poisoning
- DNS spoofing
- DHCP spoofing
- ICMP redirection
- IRDP spoofing
- route mangling
REMOTE:
- DNS poisoning
- traffic tunneling
- route mangling
WIRELESS:
- Access Point Reassociation

MITM attacks - ARP poisoning

ARP is stateless (we all know how it works and what the problems are).
Some operating systems do not update an entry if it is not already in the cache, others accept only the first received reply (e.g. Solaris).
The attacker can forge spoofed ICMP packets to force the host to make an ARP request. Immediately after the ICMP it sends the fake ARP reply.
Useful on a switched LAN (the switch will not notice the attack).

MITM attacks - ARP poisoning - countermeasures

YES - passive monitoring (arpwatch)
YES - active monitoring (ettercap)
YES - IDS (detect but not avoid)
YES - Static ARP entries (avoid it)
YES - Secure-ARP (public key auth)
NO - Port security on the switch
NO - anticap, antidote, middleware approach
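The passive monitoring listed as a countermeasure, written out as an added example (not the authors' code and not arpwatch itself) for the ARP poisoning described on the previous slide: ARP replies are watched, the IP -> MAC binding of every host is learned, and an IP that starts answering from a second MAC is reported. The reply records and addresses are constructed sample data.

```python
"""Passive ARP monitor in the spirit of arpwatch. Added example, not the
authors' tool: it consumes a stream of ARP replies, learns the IP -> MAC
binding of each host and reports when an IP suddenly answers from another
MAC, which is what a poisoning attack looks like on the wire."""
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) from sniffed ARP
# replies. The gateway 10.0.0.1 lives at aa:...:01; from t=31 a second
# station at cc:...:99 starts answering for it.
SAMPLE_REPLIES = [
    (0.0,  "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    (1.0,  "10.0.0.22", "bb:bb:bb:bb:bb:22"),
    (30.0, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    (31.0, "10.0.0.1",  "cc:cc:cc:cc:cc:99"),   # poisoned reply
    (32.0, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),   # real gateway answers again
    (33.0, "10.0.0.1",  "cc:cc:cc:cc:cc:99"),
]

def monitor(replies, window=60.0):
    """Return alert strings, one per binding change. Two different MACs
    for one IP within `window` seconds is a "flip flop" (two stations are
    fighting for the address); a change after a longer silence is reported
    as a plain address change, which may just be a replaced NIC."""
    learned = {}                      # ip -> (mac, time last seen)
    alerts = []
    for t, ip, mac in replies:
        prev = learned.get(ip)
        if prev is not None and prev[0] != mac:
            old_mac, last_seen = prev
            kind = "flip flop" if t - last_seen <= window else "changed ethernet address"
            alerts.append(f"{t:.0f}s {kind} {ip}: {old_mac} -> {mac}")
        learned[ip] = (mac, t)
    return alerts

def ips_with_multiple_macs(replies):
    """IPs that answered from more than one MAC anywhere in the capture."""
    macs = defaultdict(set)
    for _, ip, mac in replies:
        macs[ip].add(mac)
    return sorted(ip for ip, seen in macs.items() if len(seen) > 1)

if __name__ == "__main__":
    for alert in monitor(SAMPLE_REPLIES):
        print(alert)
```

Static ARP entries, the other "YES" above, stop the poisoning rather than report it; the monitor is what tells you it was attempted.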

ARP Poisoning - DEMO
(all we have done until now...)

ARP Poisoning - Antidote

Kernel Patch: http://www.securityfocus.com/archive/1/299929
The kernel will send an ARP request to test if there is a host at the old MAC address. If such a response is received it lets us know that one IP pretends to have several MAC addresses at one moment, which is probably caused by an ARP spoof attack.
We can fake this protection if the ARP entry is not in the cache, and the real MAC address will be banned.

Antidote Attack - DEMO

MITM attack - Port stealing

The attacker sends many layer 2 packets with:
- Source address equal to the victim host's address
- Destination address equal to its own MAC address
The attacker has now stolen the victim host's ports.
When the attacker receives a packet for one of the victims it generates a broadcast ARP request for the victim's IP address.
When the attacker receives the ARP reply from the victim, the victim's port has been restored to the original binding state.
The attacker can now forward the packet and restart the stealing process.
Possibility to circumvent static-mapped ARP entries.

MITM attack - Port stealing - countermeasures

YES - port security on the switch
NO - static ARP

Port Stealing - DEMO

Q & A

Alberto Ornaghi <alor@antifork.org>
Marco Valleri <naga@antifork.org>
