Man-In-the-Middle Attack - A Brief
Transcription
Man-In-the-Middle Attack - A Brief
Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission. Interested in learning more? Check out the list of upcoming events offering "Security Essentials Bootcamp Style (Security 401)" at http://www.giac.org/registration/gsec tai ns f -A Brief ull rig ht s. Man-In-the-Middle Attack Au th or re Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Bhavin Bharat Bhansali February 16, 2001 © SA NS In sti tu te 20 00 -2 00 2, Author: Submitted on: Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2000 - 2002 As part of GIAC practical repository. 1 Author retains full rights. ull rig ht s. Objective: The Objective of this document is to understand the Execution of "Man-In-the-Middle" attack. tai ns f Overview: The "Man In The Middle" or "TCP Hijacking" attack is a well known attack where an attacker sniffs packets from network, modifies them and inserts them back into the network. There are few programs/source codes available for doing a TCP hijack. Juggernaut, TSight and Hunt are some these programs. In this paper we shall explore Hunt for understanding how TCP Hijacking is deployed on an Ethernet segment. Hunt is designed by kra [email protected]. The Hunt source code is available at the following URL:fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key re ftp://ftp.gncz.cz/pub/linux/hunt/hunt-1.5.tgz 2, Au th or Relevance: TCP Hijacking is an exploit that targets the victims TCP based applications like Telnet, rlogin, ftp, mail application, web browser etc. An attacker can grab unenrcypted confidential information from a victim's network based TCP application. He can further tamper the Authenticity and Integrity of the data. 20 00 -2 00 Definition of Important Terms: • IP spoofing - IP spoofing involves forging one's source IP address. It is the act of using one machine to impersonate another. Many applications and tools in UNIX systems rely on source IP address authentication. ARP spoofing - ARP spoofing involves forging packet source hardware address (MAC address) to the address of the host you pretend to be. • Simple Active Attack against TCP connections - An attack in which the attacker does not merely eavesdrop but takes action to change, delete, reroute, add, forge or divert data. Perhaps the best-known active attack is Man-In-the-Middle. © SA NS In sti tu te • Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2000 - 2002 As part of GIAC practical repository. 2 Author retains full rights. tai ns f ull rig ht s. The Attack: 20 00 -2 00 2, Au th or re Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SA NS In sti tu te Attack Scenario involves three hosts: Attacker, Victim, and Target. • Attacker is the system used by the attacker for the hijack. • Victim is the system used by the victim for Telnet client connections to the target system. • Target is the target system that the intruder wants to compromise. It is where the telnetd daemon is running. A simple diagram of the network shows the Attacker and Victim hosts are on the same network (which can be Ethernet switched and the attack will still work), while the target system can be anywhere. (Actually, either victim or target can be on the same network as attacker: it doesn't matter.) For the attack to succeed, the victim must use Telnet, rlogin, ftp, or any other non-encrypted TCP/IP utility. Use of SecurID card, or other token-based two-factor authentication is useless as protection against hijacking, as the attacker can simply wait until after the user authenticates, then hijack the session. Key fingerprint = AF19 FA27 2F94 as: 998D FDB5 DE3D F8B5 06E4 A169 4E46 The attack scenario can be as simple 1. Attacker: Spends some time determining the IP addresses of target and victim systems. Determining trust relationships can be easily done with utilities like © SANS Institute 2000 - 2002 As part of GIAC practical repository. 3 Author retains full rights. © SA NS In sti tu te 20 00 -2 00 2, Au th or re tai ns f ull rig ht s. SATAN, finger, systat, rwho or running who, ps, or last from previously stolen (or wide open "guest" style) accounts. 2. Attacker: Runs hunt as root on attacking host. Waits for hunt to indicate a session has been detected. 3. Attacker: Starts ARP relay daemon1, prepares RST daemon2 entry for use later, sets option to enable host name resolution (for convenience). 4. Victim: Logs in to target using Telnet. Runs pine to read/compose email. 5. Attacker: Sees new connection3; lists active connections to see if this one is potentially "interesting." If it is, attacker can either watch the session (packet sniffing) or hijack the session. Decides to hijack. 6. Victim: Sees strange new prompt. Tries pressing RETURN and doesn't know what to think. Tries web browser and notices that it still works fine (not a network problem). Not sure what to think. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 7. Attacker: Finds this is a user session and decides to give it back (resynchronizes TCP/IP stream). 8. Victim: Sees prompt for keystroke, follows request, gets session back. Puzzled, decides to log in to root account to take a closer look. 9. Attacker: Turns on RST daemon to prevent new connections, waits to hijack root session. 10. Victim: Runs ssu to get SecurID protected root shell. 11. Attacker: Completes hijack after seeing root login. 12. Victim: Sees strange prompt. Tries pressing RETURN again. Same result as before. Tries web browser again. Same thing. Tries getting a new Telnet session. Fails. Tries ftp. Fails. 13. Attacker: Sets up backdoor, disables command history, resets session, turns off RST daemon. 14. Victim: Finally gets a new session. Original session is now gone. Assumes network outage or Windows TCP/IP stack corruption. Reboots system and everything is back to "normal". 15. Attacker: Waits for admin's sessions to all disappear (gone home for the night), then logs in using new backdoor. Installs rootkit (more backdoors, sniffer), cleans log files. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 1 Pls. refer to th e "ARP Daemon" paragrap h of th e "Brief Overview of the Daemon s / threads that ar e used by the exploi t" topic Pls. refer to the "Res et Daemo n" p aragraph of th e "Brief Overview of th e D aemons / threads that are us ed b y the exploit" to pic 3 Pls. refer to the "Sniff Daemo n" p aragraph of the "Brief Ov erview of th e D aem ons / threads that are us ed b y the exploit" topi c 2 © SANS Institute 2000 - 2002 As part of GIAC practical repository. 4 Author retains full rights. ull rig ht s. Design Overview: The development model is based on a packet engine (hunt.c) which runs in its own thread and captures packets from the network. The packet engine collects information of TCP connections/starting/termination, sequence numbers and MAC addresses. It collects the MAC addresses and sequence numbers from the server point of view and separate MAC addresses and sequence numbers from the client point of view. So it is prepared for hijacking. This information (seq. num., MAC, etc.) is available to modules so they don't have to analyze and collect it. th or re tai ns f Modules can register functions with the packet engine, which are then invoked when new packets are received. A module function determines if the module is interested in a packet or not and can place the packet in a module specific list of packets. A module function can also Key = AF19 2F94 FDB5 DE3D A169 4E46 (usually in send fingerprint some packet to theFA27 network if 998D it is desirable to do itF8B5 very06E4 fast. The module some other thread so it needs to be scheduled to be run) then gets packets from the list and analyzes them. In this way, you can easily develop modules, which perform various activities. Refer to the appendix section for learning the features offered by hunt. -2 00 2, Au Brief Overview of the Daemons / threads that are used by the exploit: • Reset daemon Reset daemon is used to perform automatic resets of ongoing connections that hunt can see. You can describe which connections should be terminated by giving src/dst host/mask and src/dst ports. ARP daemon ARP daemon is used to do ARP spoofing of hosts. You enter src and dst addresses and desired src MAC. The dst is then forced to think that src has srcMAC. You can use some fake MAC or better MAC of host that is currently down. • Sniff daemon Sniff daemon can log specified packets. The sniff daemon can also search for a simple pattern (string) in the data stream (see the bugs section). You can specify which connection you are interested in, where to search (src, dst, both), what do you want to search, how many bytes you want to log, from what direction (src, dst, both) and to what file should the daemon write. • MAC discovery daemon MAC discovery daemon is used to collect MAC addresses corresponding to the specified IP range. © SA NS In sti tu te 20 00 • Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2000 - 2002 As part of GIAC practical repository. 5 Author retains full rights. References: Krauz's, Pavel. "HUNT Project." 1.5 - bug fix release. 30th May 2000. URL: http://lin.fsid.cvut.cz/~kra/index.html#HUNT(9th February, 2001) • Dave, Dittrich. "Session hijack script". 9th Dec 1999. URL: http://staff.washington.edu/dittrich/talks/agora/script.html • Dave, Paras. "TCP Connection Hijacking". URL: http://cs.baylor.edu/~donahoo/NIUNet/hijack.html (12th February, 2001) tai ns f ull rig ht s. • th or re Key fingerprinttechnical = AF19support. FA27 2F94 998D FDB5 DE3D F8B5Microsoft 06E4 A169 4E46 Bulletin • Microsoft "Microsoft Security Program: Security (MS99-046) "December 23, 1999. URL:http://www.microsoft.com/TechNet/security/bulletin/ms99-046.asp(12th February 2001) Stevens, Richard. "TCP Connection Establishment and Termination". October 1993. Book Name: TCP/IP illustrated Volume I - The Protocols (7th February 2001). • Kurtz, George. "Session Hijacking". July 28th, 1999. Book Name: HACKING EXPOSED - Network Security Secrets and Solutions (8th February, 2001) © SA NS In sti tu te 20 00 -2 00 2, Au • Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2000 - 2002 As part of GIAC practical repository. 6 Author retains full rights. Appendix Connection sniffing/watching - You can watch hunt output for any connection which you choose from the list that hunt displays on the console. tai ns f • ull rig ht s. Features of the hunt exploit: • Connection Reset - With a single properly constructed packet you can reset the connection (RST flag in TCP header). You can reset server, client, or both. When you reset only one end the other end is reset when it tries to send data to the first host which will response with RST because of the connection reset on it. or re Key fingerprint- = AF19 998D FDB5 DE3D F8B5 06E4 A169 • ARP-relay You can FA27 insert2F94 packets to the network (rerouting) of all data4E46 it receives from ARP spoofed hosts. Connection Synchronization - This is one of the main features of hunt. If you put some data to the TCP stream (through simple active attack or ARP spoofing), you desynchronize the stream from the server/original client point of view. After some work done on that connection you can just reset it or you can try to synchronize both original ends again. The main goal behind this is to synchronize the sequence numbers on both client and server again. • Switch/Segment traffic rerouting - With ARP spoofing you can force the Switch to send you the traffic for hosts on another segment/switched port. This may not work if the Switch has some security policy and MACs have been explicitly set up on a per port basis but in reality this configuration is hardly done on an "ordinary" network. • ACK Storm - The ACK storm is caused by majority of TCP stacks Let's imagine that you send some data to an ongoing connection to the server (as if sent by the client - with expected seq. numbers, etc.). The server responds with the acknowledgment of the data you sent but the original client receives this acknowledgment too. But from the original client point of view, the server has acknowledged data that doesn't exist on the client. So something strange occurred and the original client sends the "right" sequence number with ACK to the server. But the TCP rules say that it is required to generate an immediate acknowledgment when an out-of-order segment is received. This ACK should not be delayed. So the server sends the acknowledgment of non-existent data to the client again and the client responds. - Bhavin Bharat Bhansali - February 16, 2001 © SA NS In sti tu te 20 00 -2 00 2, Au th • Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2000 - 2002 As part of GIAC practical repository. 7 Author retains full rights. Last Updated: September 29th, 2016 Upcoming Training SANS Seattle 2016 Seattle, WA Oct 03, 2016 - Oct 08, 2016 Live Event Mentor AW Session - SEC401 Toronto, ON Oct 07, 2016 - Dec 09, 2016 Mentor SANS Baltimore 2016 Baltimore, MD Oct 10, 2016 - Oct 15, 2016 Live Event Mentor Session - SEC401 Riverside, CA Oct 12, 2016 - Dec 14, 2016 Mentor SANS Tysons Corner 2016 Tysons Corner, VA Oct 22, 2016 - Oct 29, 2016 Live Event SANS San Diego 2016 San Diego, CA Oct 23, 2016 - Oct 28, 2016 Live Event Community SANS Ottawa SEC401 Ottawa, ON Oct 24, 2016 - Oct 29, 2016 Community SANS Community SANS Colorado Springs SEC401 - USO-Academy Colorado Springs, CO Oct 24, 2016 - Oct 29, 2016 Community SANS Community SANS Paris SEC401 (in French) Paris, France Oct 24, 2016 - Oct 29, 2016 Community SANS SOS SANS October Singapore 2016 Singapore, Singapore Oct 24, 2016 - Nov 06, 2016 Live Event SANS Sydney 2016 Sydney, Australia Nov 03, 2016 - Nov 19, 2016 Live Event SANS Gulf Region 2016 Nov 05, 2016 - Nov 17, 2016 Live Event Community SANS Detroit SEC401 Dubai, United Arab Emirates Detroit, MI SANS Miami 2016 Miami, FL Nov 07, 2016 - Nov 12, 2016 Live Event SANS London 2016 Nov 12, 2016 - Nov 21, 2016 Live Event Healthcare CyberSecurity Summit & Training London, United Kingdom Houston, TX Nov 14, 2016 - Nov 21, 2016 Live Event SANS San Francisco 2016 San Francisco, CA Nov 27, 2016 - Dec 02, 2016 Live Event Community SANS Richmond SEC401 Richmond, VA Dec 05, 2016 - Dec 10, 2016 Community SANS SANS Dublin Dublin, Ireland Dec 05, 2016 - Dec 10, 2016 Community SANS San Diego SEC401 San Diego, CA Dec 05, 2016 - Dec 10, 2016 Community SANS Community SANS St Louis SEC401 St Louis, MO Dec 05, 2016 - Dec 10, 2016 Community SANS SANS Cologne Cologne, Germany Dec 05, 2016 - Dec 10, 2016 Live Event SANS Cyber Defense Initiative 2016 Washington, DC Dec 10, 2016 - Dec 17, 2016 Live Event SANS vLive - SEC401: Security Essentials Bootcamp Style SEC401 - 201612, Dec 13, 2016 - Feb 02, 2017 vLive SANS Security East 2017 New Orleans, LA Jan 09, 2017 - Jan 14, 2017 Live Event Community SANS Virginia Beach SEC401 Virginia Beach, VA Jan 09, 2017 - Jan 14, 2017 Community SANS Community SANS Marina del Rey SEC401 Marina del Rey, CA Jan 09, 2017 - Jan 14, 2017 Community SANS Mentor Session - SEC401 Philadelphia, PA Jan 10, 2017 - Feb 21, 2017 Mentor Community SANS New York SEC401 New York, NY Jan 16, 2017 - Jan 21, 2017 Community SANS SANS Las Vegas 2017 Las Vegas, NV Jan 23, 2017 - Jan 30, 2017 Live Event Community SANS Chantilly SEC401 Chantilly, VA Jan 23, 2017 - Jan 28, 2017 Community SANS Nov 07, 2016 - Nov 12, 2016 Community SANS Live Event
Documents pareils
SEPTEMBER 2016
The following SANS Mentor sessions will begin in September: MGT512: SANS Security Leadership Essentials For Managers with Knowledge Compression™ Minneapolis, MN | Sep 8-Nov 10 SEC504: Hacker Tools,...
Plus en détail