Man in the middle. Bởi: Hung Tran

Transcription

1 Man in the middle Bởi: Hung Tran INTRODUCTION In today society people rely a lot on the Internet for studying, doing research and doing business. Internet becomes an integral part of modern life and many efforts were put to make it secure for example the series of cryptography techniques and secure protocols like SSL. Unfortunately not all the computers are equipped with the necessary protection, in the network environment, when a packet travels from the source host to the destination host, it can be recorded, extracted, or altered by the third party host which we call man in the middle or MITM. In the man in the middle attack, the attacker tries to locate his host between two victim hosts so he can intercept the data transmitted between the victims as they are not aware of the man in the middle. Man In The Middle Illustration 1/19

2 Figure 1 illustrates the MITM context, the man in the middle impersonate both Alice and Bob by relaying the messages between them. Alice believes that she is directly talking to Bob and so does Bob; however, the attacker now can control the whole communication. In this project, I will present the techniques to implement the MITM attacks in the LAN environment, the most common type of MITM attacks. In these attacks, the attacker will have the ability to: capture the sensitive data like username and password of hosts in LAN during the authentication phase tamper the data transmitted between victim hosts Then I will present some solutions provided by the security experts to prevent MITM attacks as well as reduce the risks that they can cause. SYSTEM DESCRIPTION The key factor to ensure the success of MITM attacks is that the attacker must have the ability to place his host at the position that he can intercept the communication between his victims. Unfortunately, the weakness of Address Resolution Protocol (ARP) in Local Area Network (LAN) environment which translates the IP addresses into MAC addresses totally allows the attacker spoof the MAC addresses of other hosts. Hence, he can capture all the traffic to those spoofed hosts. In this section I will present a technique called ARP Spoofing or ARP Redirect that is commonly used to redirect the traffic between two hosts through the third host which is owned by the attacker. Then, I will describe the network configuration of the lab that will be used to implement the MITM attacks. ARP Spoofing Assume that Alice and Bob s hosts are connected into a LAN and Alice wants to send a packet to Bob. Although Alice knows Bob s IP address, the Data Link Layer in Alice still needs to know the MAC address of Bob to transmit the packet via LAN. To get Bob s MAC address, Alice first checks if she store Bob s MAC address in her ARP cache. If it exists, she can use Bob s MAC address, else, she sends the ARP request to ask for the MAC address corresponding to Bob s IP address. All the hosts on LAN will receive the ARP request from Alice but only Bob has the IP address described in the ARP request, so Bob will return his MAC address to Alice. When Alice has Bob s MAC address, the data transmission begins. 2/19

3 ARP Spoofing Now we assume that there is one more host, Charlie, is connected to LAN with Alice and Bob. Charlie will send Alice the ARP reply message saying that the MAC corresponding to Bob s IP is Charlie s MAC and at the same time Charlie sends Bob the ARP reply saying that the MAC corresponding to Alice s IP is Charlie s MAC. Both Alice and Bob update their ARP cache and use that information to transmit packet. As the result, the entire conversation between Alice and Bob flows through Charlie (as shown in the Figure 2.) Lab Network Configuration As mentioned above, in this project, I will implement the MITM attacks on LAN environment to demonstrate how the attacker can launch the MITM attacks and what he can do with the data of his victim. I setup the simple network for the lab as shown in the Figure 3. 3/19

4 Lab Network Configuration Linux server: is used to provide some common Internet services. This machine also plays the roles of the attacker s host in some scenes and as the victim host in the other scene OS: Ubuntu Linux 7.10 Services: HTTP (Apache), FTP (ProFTPD), SMTP/POP3 (Postfix), MySQL MITM Tools: ettercap, dsniff, ethereal Windows XP desktop: plays the roles as a attacker s host in some scenes and as the victim host in the other scenes OS: Windows XP Professional MITM Tools: ettercap, CAIN, Wireshark Windows Vista laptop: plays the roles as the victim host All these machines are connected into switched LAN network and have access to the Internet via router. The router here also plays the roles of victim host since there will be the attack to the communication between a host inside LAN and the router. 4/19

5 MITM ATTACK AND DEFENSE Capture Sensitive Data Attack #1 Scenario: Windows Vista laptop accesses to Linux server for services like HTTP, FTP, , and Database. Windows XP desktop launches the MITM attack to reveal username and password that the laptop uses as shown in Figure 4. MITM attack inside LAN Method: To launch this attack, Windows XP machine first has to poison the ARP caches of Linux machine and Windows Vista machine. There are many software tools available to do ARP poisoning, however I use ettercap in this attack since it is all-in-one tool which can do both ARP poisoning and network 5/19

6 sniffing. In addition, I can use ettercap in both Windows and Linux platforms. The attack is described in the following steps Step 1: Launch ettercap in Windows XP then choose working mode as Promisc mode Ettercap working mode and choose Sniff mode as Unified sniffing then select the network card that has connection to lab s LAN Ettercap sniffing mode Step 2: Add Windows Vista machine and Linux machine to the target of ettercap. This can be done by select menu Hosts Scan for hosts and then select menu Hosts Host list then select for Target 1 and select for Target 2. Verify the targets by choosing menu Targets Current Targets 6/19

7 Targets of the attack Step 3: Poison the ARP caches of Windows Vista and Linux machines by select menu Mitm Arp poisoning then choose Sniff remote connections Poisoning the ARP caches of targets 7/19

8 To verify that the ARP poisoning is successful, I check the ARP caches at both targets by using command: arp a ARP cache of Windows Vista machine ARP cache of Linux machine We can easily see that both ARP caches are poisoned, in Windows Vista machine, the entry (Linux machine) has the MAC address 00-1D (Windows XP machine) and in Linux machine the entry (Windows Vista machine) has the MAC address 00:1D:09:82:22:95 (Windows XP machine) Step 4: Sniff the traffic between Windows Vista machine and Linux machine and capture the sensitive information by choosing menu Start Start Sniffing Sniffing traffic between two targets 8/19

9 The connections can be seen by choosing menu View Connections. For each connection, we can see the data by select it and choose View Details Connections between two targets Result: After successfully capturing the data transmitted between two targets, we can now examine it to reveal the sensitive information. In this attack, Windows Vista machine will access the following services which require authentication from Linux machine: Online music via web FTP via SMTP/POP3 By viewing the details of each connection between two targets, I can easily see all the usernames and passwords. Furthermore, ettercap automatically records the usernames and passwords transmitted in clear text form. 9/19

10 FTP username and password username and password 10/19

11 Usernames and passwords detected by ettercap Attack #2 Scenario: Windows XP desktop accesses to an Internet site that uses SSL, Gmail, for example. Linux server launches the MITM attack to capture the username and password of the desktop as shown in Figure /19

12 MITM attack between a host inside LAN and the router Method: In this attack, I am trying to mislead the Gmail user to accept the fake certificate that is issued by me, not by Google. If the user has some knowledge about computer security and s/he examines the certificate before accepting it. The attack would not be successful. 12/19

13 Fake certificate To launch this attack, I use the following tools: ettercap: to do ARP poisoning dsniff software suite:dnsspoof to answer the DNS requests from Windows XP machine with Linux machine as the DNS server and webmitm to relay all the HTTP and HTTPS request from Linux machine to the real servers. ssldump: to decrypt the encrypted data with fake certificate Wireshark: to capture traffic between Windows XP machine and the router. Firstly, I need to do the ARP poisoning the ARP caches of Windows XP machine and the router using tool ettercap like the attack presented in section And then I do the DNS spoofing by using tool dnsspoof. At this stage I launch the webmitm -d tool which is the used to relay the traffic from Windows XP machine to Gmail. Then I use Winshark to capture the traffic and save as gmail.log file. All the packets captured in gmail.log can be decrypted by using the tool ssldump: ssldump r gmail.log k webmitm.cert d > out Result: The username and password of Gmail user can be obtain from the out file by using the command: cat out grep Passwd 13/19

14 Gmail username and password Using the same attack method I also get the account information from the SSL connections to my bank s server: Bank account information and also, my HawkID and password in ICON Iowa Courses Online. : 14/19

15 HawkID and password in ICON the same result with ISIS Iowa Student Information Services. : Tamper the Data HawkID and password in ISIS Scenario: Windows XP desktop accesses to an Internet site via the router. Linux server launches the MITM attack between the desktop and the router to deface the website that the desktop are surfing as shown in Figure /19

16 Method: The preparation for this attack is similar to the attack mentioned in section with two targets: Windows XP machine and the router of the lab. In this case, ettercap will modify the data from the router before forwarding to Windows XP machine. To automate this task, I will create the filter, which is a method to extend the ability of ettercap, to automatically alter the incoming data. The filter is developed based on the original one from [4] as follow: # Change the Accept-Encoding of the client so server will send data to # client in the text plain format. if (ip.proto == TCP && tcp.dst == 80) { if (search(data.data, "Accept-Encoding")) { replace("accept-encoding", "Accept- Rubbish!"); msg("zapped Accept-Encoding!\n"); } } # Replace google s logo with other image and change Google text into Hacker if (ip.proto == TCP && tcp.src == 80) { replace("/intl/en_all/images/logo.gif", " replace("google", "Hacker"); msg("filter Ran.\n"); } I save the filter source code as img.filter and then use the command etterfilter img.filter o img.ef to compile it. After doing ARP poisoning to Windows XP and Linux s ARP cache like in the section 3.1.1, I apply the filter by choosing menu Filters Load a filter and select img.ef. Result: After applying the filter, the Windows XP machine gets the modified Google page: 16/19

17 Modified Google page Prevent MITM Attacks As we already saw in the previous sections, the MITM attacks could be prevented if: attacker does not have the ability to poison the ARP cache of victim hosts even if the attacker can poison the ARP cache of the victim hosts and capture data, he cannot learn anything from that if the data is strongly encrypted If we encrypt all the data passing over the network, MITM attacks can be avoided however, this is difficult to implement because of the complexity and the overhead processing. There are some methods to help prevent ARP poisoning suggested by the security experts [15]: For small network: Using static ARP table. In addition, in Windows machines, I installed the software called Symantec Endpoint Protection and enable the option Enable anti-mac spoofing and this helps prevent ARP poisoning of your ARP cache. 17/19

18 For large network: Using switch with Port Security feature which allows only one MAC address for each port For all network: Monitoring ARP caches by using the ARP monitoring tools like ARPwatch [16] to detect the changes in ARP cache. From my experience, when we detect some change in ARP cache of the machine, we may find the MAC address of the attacker in that machine and we can use this information to identify the attacker. RELATED WORK There are some groups conducting MITM attacks against the Secure Shell (SSH) version 1 [12], and Radio-frequency identification (RFID) Cards [13] and Universal Mobile Telecommunication Standard (UMTS) [14] which the different methods of attacking in comparison with the attacks in this project. CONCLUSION After successfully conducted the attacks above I fully understood how the Man-In-The- Middle attack works in switched LAN environment. With the ability of capturing and modifying data, the risk that the attacker can cause by using MITM attack is huge. As we discussed earlier, the key factor of MITM is ARP poisoning based on the weakness of ARP protocol. Unfortunately, the attack to it is very easy and there are numerous of freely available tools to help launch the attack. There are some solutions to prevent this kind of attack for example using personal firewall in the Windows computers, using static ARP caches in small network or using ARPwatch for the large net work as well as using the encrypted connections. In addition, by doing this project, I have an opportunity to setup an Internet server in Linux with all the basic services. REFERENCES [1] Wikipedia. Man In The Middle Attack. Man_in_the_middle. March 2008 [2] Wikipedia. ARP Spoofing. March 2008 [3] Ettercap. February 2008 [4] Fun with Ettercap Filters. ettercapfilter. March 2008 [5] ETTERCAP - The Easy Tutorial. February /19

19 [6] Crimemachine. How to decrypt SSL encrypted traffic using a man in the middle attack. April 2008 [7] Ethereal. April 2008 [8] dsniff. April 2008 [9] Haidong Xia and Jose' C. Brustoloni. Hardening Web Browsers Against Man-in-the- Middle and Eavesdropping Attacks. March 2008 [10] Ross Anderson and Mike Bond. The Man-in-the-Middle Defence. Computer Laboratory, University of Cambridge, Mar research/man-in-the-middle-defence.pdf [11] Serpanos, D.N., Lipton, R.J. Defense against man-in-the-middle attack in clientserver systems. Computers and Communications, Proceedings. Sixth IEEE Symposium on, vol., no., pp.9-14, 2001 [12] Threats Addressed by Secure Shell. ssh_overview/ssh_overview_threats.html. April 2008 [13] RFID Cards and Man-in-the-Middle Attacks. archives/2006/04/rfid_cards_and.html. April 2008 [14] A Man-in-the-Middle Attack on UMTS. abstract.aspx?&docid=141953&promo= April 2008 [15] Anatomy of an ARP Poisoning Attack. editorial/ asp. April 2008 [16] Arpwatch. April /19