Professional Documents
Culture Documents
ARP attacks
Session hijacking TCP session stealing
Source routing
ignore source routes secure routing protocols ssh/ secure connection ? Publish ARP tables ssh/ secure connection
X
C
2. replies
Open a TCP connection to rshd spoofing the address of a trusted host, but include yourself in the source route.
SESSION HIJACKING
Normal TCP operation from client, C, to server, S C->S: SYN(ISNC) S->C: SYN(ISNS), ACK(ISNC+1) C->S: ACK(ISNS +1) Client and Server exchange data ISN number generation 4.2BSD: increments 128/sec 4.3BSD: increments 125000/sec
Client C
SYN(ISNC)
SYN(ISNS), ACK(ISNC+1 )
Server S
ACK(ISNS+1)
SESSION HIJACKING
Session hijacking: Find a machine, C, thats down, guess the ISN. Usually in regular increments. X->S: SYN(ISNX) [spoofs C] S: rshd server S->C: SYN(ISNS), ACK(ISNX +1) X->S: ACK(ISNS +1) [spoofs C; estimates ISNS] X->S: [ echo * * >> ~/.rhosts] [spoofs C] X->S: RESET [spoofs C] X rlogins from anywhere in the world.
1. ISN estimation:
1: Disables C
X
2. SYN(1000)
3. SYN(5000), ACK(1001)
Trusted relationship
SESSION HIJACKING
2. Session hijacking:
X
4: SYN(ISNX) (spoofs C)
5: SYN(ISNS), ACK(ISNX+1)
X C
8: RESET (spoofs C)
10
ICMP ATTACK
ICMP redirect: forces a machine to route through you. Requires an existing connection Open a spoofed connection to the host you want to attack. Then send a spoofed ICMP redirect to the victim redirecting it to the gateway youve compromised. Others ICMP destination unreachable Frequent ICMP source quenches
11
ARP ATTACKS
When a machines sends an ARP request out, you could answer that you own the address. But in a race condition with the real machine. Unfortunately, ARP will just accept replies without requests! Just send a spoofed reply message saying your MAC address owns a certain IP address. Repeat frequently so that cache doesnt timeout Messages are routed through you to sniff or modify.
12
Publish MAC address of router/default gateway and trusted hosts to prevent ARP spoof Statically defining the IP to Ethernet address mapping Example: arp -s hostname 00:01:02:03:04:ab pub
13
14
In both cases, the ACK(S_ACK) is sent (ACK packet with S_SEQ, S_ACK)
15
X
1: C->S: C_SEQ, C_ACK
C
C_SEQ, C_ACK
(dropped)
S
S_SEQ, S_ACK
16
DESYNCHRONIZATION
X
Early desynchronization 3,4, 6 2
1. C->S(Syn): C_Seq0 ; C: Syn_Sent 2. S->C(Syn/Ack): S_Seq0, C_Seq0+1 ; S: Syn_Rcvd ; C: Established (C_Seq0+1, S_Seq0+1) (before the packet C->S(Ack): S_Seq0+1) 3. X->S(spoofing C, Rst) 4. X->S(spoofing C, Syn): X_Seq0 ; the same port # used in (1) 5. S->C(Syn/Ack): S_Seq1, X_Seq0+1 6. X->S(spoofing C, Ack): S_Seq1+1 ; S: Established (S_Seq1+1, X_Seq0+1)
17
THE ATTACK
Null data desynchronization 1. The attacker watches the session without interfering. 2. During a quiet period, the attacker sends a large amount of null data (IAC, NOP for telnet): nothing happens, server only changes the TCP Ack number 3. Now, when the client sends data, it is dropped by the server because its lower than the servers window. 4. The attacker does the same with the client. Defense: ssh connection, or IPsec
18