Switched environments security... A fairy tale.

Similar documents
AN INTRODUCTION TO ARP SPOOFING

1 TABLE OF CONTENTS UNCLASSIFIED//LES

CIT 380: Securing Computer Systems. Network Security Concepts

Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. June 18, 2015

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

Muhammad Farooq-i-Azam CHASE-2006 Lahore

Network Security. The Art of War in The LAN Land. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018

Switching & ARP Week 3

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

ICS 451: Today's plan

Chapter 2. Switch Concepts and Configuration. Part II

CSE 565 Computer Security Fall 2018

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

ARP Inspection and the MAC Address Table for Transparent Firewall Mode

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Summary of MAC protocols

Lecture 9: Switched Ethernet Features: STP and VLANs

VLAN Hopping, ARP Poisoning, and Man-In-TheMiddle Attacks in Virtualized Environments

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

GenCyber Networking. ARP Poisoning

A Framework for Optimizing IP over Ethernet Naming System

ARP Inspection and the MAC Address Table

Session Overview. ! Introduction! Layer 2 and 3 attack scenarios! CDP, STP & IEEE 802.1q! ARP attacks & ICMP abuse! Discovering & attacking IGPs

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Man in the middle. Bởi: Hung Tran

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Top-Down Network Design

Post Connection Attacks

Computer Network Routing Challenges Associated to Tackle Resolution Protocol

ARP SPOOFING Attack in Real Time Environment

Ethical Hacking and Prevention

20-CS Cyber Defense Overview Fall, Network Basics

::/Topics/Configur...

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Ruijie Anti-ARP Spoofing

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

CS 161 Computer Security

CSc 466/566. Computer Security. 18 : Network Security Introduction

Medium Access Protocols

Introduction to Security. Computer Networks Term A15

Operation Manual DHCP. Table of Contents

Principles behind data link layer services:

Principles behind data link layer services:

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

Data Link Layer. Our goals: understand principles behind data link layer services: instantiation and implementation of various link layer technologies

On the Internet, nobody knows you re a dog.

ECCouncil Certified Ethical Hacker. Download Full Version :

Network Design First Hop

Basic L2 and L3 security in Campus networks. Matěj Grégr CNMS 2016

CSC 401 Data and Computer Communications Networks

CS 457 Lecture 11 More IP Networking. Fall 2011

History Page. Barracuda NextGen Firewall F

Francisco Amato evilgrade, "You have pending upgrades..."

Principles behind data link layer services

2. Network Infrastructure Security -- Switching

Foundations of Network and Computer Security

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

Chapter 3 Part 2 Switching and Bridging. Networking CS 3470, Section 1

Detecting Sniffers on Your Network

Chapter 5 Reading Organizer After completion of this chapter, you should be able to:

4. Basic IP Support Protocols

Networking for Data Acquisition Systems. Fabrice Le Goff - 14/02/ ISOTDAQ

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

Network Security. Thierry Sans

in-the-middle attack

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

DDoS Testing with XM-2G. Step by Step Guide

Application Firewalls

CTS2134 Introduction to Networking. Module 08: Network Security

Network Security Fundamentals. Network Security Fundamentals. Roadmap. Security Training Course. Module 2 Network Fundamentals

CIS 5373 Systems Security

CCNP Switch Questions/Answers Securing Campus Infrastructure

Wireless LAN Security (RM12/2002)

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

Selected Network Security Technologies

Towards Layer 2 Authentication: Preventing Attacks based on Address Resolution Protocol Spoofing

Protocol Layers, Security Sec: Application Layer: Sec 2.1 Prof Lina Battestilli Fall 2017

Man In The Middle Project completed by: John Ouimet and Kyle Newman

Top-Down Network Design, Ch. 7: Selecting Switching and Routing Protocols. Top-Down Network Design. Selecting Switching and Routing Protocols

Computer Networks Security: intro. CS Computer Systems Security

Introduction to Computer Security

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

Defeating All Man-in-the-Middle Attacks

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

3. What could you use if you wanted to reduce unnecessary broadcast, multicast, and flooded unicast packets?

Chapter 5: Ethernet. Introduction to Networks - R&S 6.0. Cisco Networking Academy. Mind Wide Open

NETWORK SECURITY. Ch. 3: Network Attacks

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

1.4 VPN Processing Principle and Communication Method

Control Plane Protection

The Anatomy of a Man in the Middle Attack

IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC

Massimiliano Sbaraglia

Hands-On Network Security: Practical Tools & Methods

How Insecure is Wireless LAN?

Transcription:

Switched environments security... A fairy tale. Cédric Blancher <blancher@cartel-securite.fr> 10 july 2002

Outline 1 Network basics Ethernet basics ARP protocol Attacking LAN Several ways to redirect network streams on a LAN. ARP cache poisoning, how and why... ARP cache poisoning study Exploiting How to protect yourself? Defending against LAN attacks

Outline Network basics 2 Network basics Ethernet basics ARP protocol Attacking LAN Several ways to redirect network streams on a LAN. ARP cache poisoning, how and why... ARP cache poisoning study Exploiting How to protect yourself? Defending against LAN attacks

Network basics 3 Ethernet : Layer 1 and layer 2 protocol Different media : 10base2, 10base5, 10baseT, 100baseTX, 100baseFX, etc. Focus on star bus media such as 100baseTX or 100baseFX.

Network basics 4 Ethernet as layer 1 protocol : Relies on CSMA/CD Layer 1 network using hubs Constitutes a collision domain Electrical signal is sent to whole collision domain Within a collision domain, frames are sent to everyone

Network basics 5 Ethernet as layer 2 protocol : Ethernet frame : Destination MAC Source MAC Type Payload Checksum Ethernet frame Layer 2 addressing : MAC addresses Layer 2 networks using switches

Network basics 6 Switches : designed for bandwidth improvement Is able to read ethernet adresses in frames Associates a port to a MAC addresses list Reads source MAC address to keep list up to date Reads destination MAC address to switch frame

Network basics 7 Consequences : Network is split into collision domains Frames are only sent to the concerned port Bandwidth is improved Urban legend : can t sniff a switched network

Network basics 8 Communicating with upper layers Layer 2 addressing : ethernet Layer 3 addressing : IP Need to associate IP addresses to MAC addresses ARP : Address Resolution Protocol (RFC 826)

Network basics 9 Hardware type Protocol type HW addr lth P addr lth Source hardware address Source protocol address Destination hardware address Destination protocol address ARP message Opcode

Network basics 10 HW type : ethernet (0x1) Proto type : IP (0x800) HW address length : 48 bits Proto address length : 32 bits ARP request : Opcode=1 ARP reply : Opcode=2

Network basics 11 An ARP request : who has 192.168.1.11 tells 192.168.1.10 From 00:10:A4:9B:6D:81 To FF:FF:FF:FF:FF:FF (broadcast) 0x1 0x800 0x30 0x20 0x1 00:10:A4:9B:6D:81 192.168.1.10 00:00:00:00:00:00 192.168.1.11 ARP request

Network basics 12 An ARP reply : 192.168.1.11 is at 00:04:76:40:65:5E From 00:04:76:40:65:5E To 00:10:A4:9B:6D:81 0x1 0x800 0x30 0x20 0x2 00:04:76:40:65:5E 192.168.1.11 00:10:A4:9B:6D:81 192.168.1.10 ARP reply

Network basics 13 ARP cache Need to cache ARP informations Need for a mecanism to keep cache up to date Aging timers Update processes Keep alive stuff According to RFC, we are very opportunist when gathering informations

Network basics 14 We gather informations wherever they are to keep cache up to date ARP requests source informations ARP replies informations (even unasked for!) ARP cache is a good target for attackers ;)

Network basics 15 OK... We re done with the basics, let s move on to attacks now.

Outline Attacking LAN 16 Network basics Ethernet basics ARP protocol Attacking LAN Several ways to redirect network streams on a LAN. ARP cache poisoning, how and why... ARP cache poisoning study Exploiting How to protect yourself? Defending against LAN attacks

Attacking LAN 17 LAN attacks Layer 1 : sniffing Layer 2 : MAC spoofing and disturbing switches ARP level : ARP spoofing ARP level : ARP cache poisoning Other attacks

Attacking LAN 18 Ethernet frames sniffing You can sniff all frames within your collision domain using promiscuous mode Pros Cons Passive if done the right way Passive Acting on traffic is tricky (ACK storm) Useless in full switched environments

Attacking LAN 19 MAC spoofing Use a spoofed MAC address as ethernet source Relies on MAC/port association table update Promiscuous mode to get interesting frames Pros Cons Redirects traffic : we can act on it Spoofed host is no longer reachable by anyone Creates port/mac association conflicts Easily detectable behaviour Often leads to port shutdown

Attacking LAN 20 Disturbing switches Associations table can be flooded Too much conflicts can lead to strange behaviour When disturbed, some switches falls into repeater mode (hub-like) Pros Cons Hub-like behaviours Relies on flooding Easily detected Works on equipements with old firmware Often leads to port shutdown

Attacking LAN 21 ARP spoofing ARP request are sent to broadcast It is possible to reply to arbitrary requests, with arbitrary replies Pros Cons No need to attack switch Allows traffic redirection Leads to conflicts

Attacking LAN 22 ARP cache poisoning We force changes into victim ARP cache See next part ;) Pros Cons Allows traffic redirection Quite difficult to prevent Not much...

Attacking LAN 23 Other protocols Spanning tree protocol (STP) Discovery protocols (CDP) Automatic VLAN exportation protocols (VTP, DTP) Failover protocols (HSRP, VRRP) Can lead to traffic redirection and DoS

Attacking LAN 24 Let s focus on ARP cache poisoning...

Outline ARP cache poisoning, how and why 25 Network basics Ethernet basics ARP protocol Attacking LAN Several ways to redirect network streams on a LAN. ARP cache poisoning, how and why... ARP cache poisoning study Exploiting How to protect yourself? Defending against LAN attacks

ARP cache poisoning, how and why 26 ARP cache updates Opportunistic behaviour Entry insertion Entry update Entry deletion Let s see how we can fool this...

ARP cache poisoning, how and why 27 Available parameters Ethernet source MAC address Ethernet destination MAC address ARP HW source address ARP Proto source address ARP HW destination address ARP Proto destination address

ARP cache poisoning, how and why 28 ARP cache entry creation When communicationg with unkown IP (ARP request is sent) When unknown IP wants to talk to us (ARP request is received) Acting on first case is ARP spoofing Acting on second case is OK if sent directly to target

ARP cache poisoning, how and why 29 ARP cache entry creation forcing using spoofed request Ethernet destination MAC is target address instead of broadcast arp-sk -w -d Target -S Spoofed -D Target 0x1 0x800 0x30 0x20 0x1 Spoofing MAC Spoofed IP 00:00:00:00:00:00 Target IP Fooled ARP request

ARP cache poisoning, how and why 30 ARP cache entry creation forcing using spoofed reply Does not work on all OS (can t fool Linux 2.4, Windows XP) arp-sk -r -d Target -S Spoofed -D Target 0x1 0x800 0x30 0x20 0x2 Spoofing MAC address Spoofed IP Target MAC address Target IP Fooled ARP reply We prefer use spoofed requests to create entries

ARP cache poisoning, how and why 31 ARP cache entry update forcing Can be done using spoofed ARP requests Can be done using spoofed ARP replies Must be sent regularly to avoid legitimate cache update! Interesting entries are always cached : gateways, DNS servers, etc.

ARP cache poisoning, how and why 32 ARP cache entry deletion forcing Entries can expire Entries number is limited (typically 20) By creating enough entries, we force older entries deletion

ARP cache poisoning, how and why 33 ARP cache poisoning applications Spying : you can read data without using promiscuous mode Interception : you can transparently proxy connections Decrypting : you can decrypt connections using Man in the Middle attack Hijacking : you can steal proxied connections Tampering : you can inject traffic into proxied connections Firewall bypassing : you can bypass firewalling rulesets using IP spoofing DoS : packets are redirect to a dead MAC

ARP cache poisoning, how and why 34 ARP MitM for spying, decrypting connections!! " "# Batman Batcave gw 2. ARP attack 4.. Robin< >batman traffic 1. ARP attack Joker 3. Routing Robin

ARP cache poisoning, how and why 35 %$ * * ARP proxying for traffic tampering and connection hijacking ()( ' ()( '& & Batman Batcave gw 2. ARP attack 4. External data gathering Robin< >Internet traffic 1. ARP attack Joker Robin 3. Data interception and modification

ARP cache poisoning, how and why 36,+ One way ARP cache poisoning for IP spoofing and firewall bypassing -./0/ /0/ 101 101 Batman Batcave gw 1. ARP attack 4. Robin traffic 2. Joker s traffic and returning packets 3. Traffic sorting 6. Robin traffic Joker Robin 5. Robin traffic redirection Can be done using MitM between robin and batcave-gw ;)

ARP cache poisoning, how and why 37 32 DoS using ARP cache poisoning 6 4 45 67 6 7 67 7 Batman Batcave gw 3. ARP attack 2. ARP attack Dropped 1. ARP attack Joker Robin DoSed hosts are likely to check their entries when things go wrong

ARP cache poisoning, how and why 38 Consequence Once an attacker is root on a network, the whole ethernet segment is no more secure

Outline Protections 39 8 8 8 8 Network basics Ethernet basics ARP protocol Attacking LAN Several ways to redirect network streams on a LAN. ARP cache poisoning, how and why... ARP cache poisoning study Exploiting How to protect yourself? Defending against LAN attacks

Protections 40 9 9 9 9 9 9 Protections Maximum segmentation Switches security features Static ARP caches NIDS stuff Layer 2 and ARP filtering Strong authentication Theses protections are not easy to maintain, but are needed

Protections 41 : : : Switches security features Use recent firmware to avoid strange behaviours Use static MAC/port associations when available Use administrative port shutdown when conflict occurs Prevents MAC spoofing or flooding, but not ARP attacks Some layer 3 switches feature IP/MAC/port associations

Protections 42 ; ; ; Static ARP caches ARP entries can be added manually using arp -s /etc/ethers like files can be loaded using arp -f Such entries are permanent : cannot be nor deleted nor updated Prevents ARP attacks Beware of the Windows world, in which permanent entries can be updated (except in XP) You can sometimes set ARP entries expiration time (Solaris, Linux) A lot of commercial products do not feature ARP cache tuning

Protections 43 < < NIDS stuff ARPWatch (and WinARPWatch) allows you to track IP/MAC associations through ARP messages Some NIDS feature an ARP plugin that monitors ARP messages (Prelude IDS) Allows detection, but reaction is tricky : fooled messages don t violate RFC NIDS lack ARP support : you can t specify specific rules for ARP

Protections 44 = = Layer 2 and ARP filtering Linux Netfilter has a MAC source address match Linux Netfilter will soon provide an ARP table for ARP messages filtering Lack of products that allow this kind of filtering

Protections 45 > > Strong authentication Relies on cryptographic authentication Use public keys, certificates or secure authentication protocols Reliable but quite painful to deploy Users can be fooled by well crafted false certificates

Protections 46??? Check physical accesses to your network Social engineering Foreign computers, such as laptops Wireless access points (802.11b) Do not let anybody plug himself onto your network!

Conclusion 47 ARP is a weak protocol, easy to fool : it was not designed for security. We need a more secure way to authenticate hosts. Whatever, it is obvious that switches are not security tools.

Links 48 http: //www.networksorcery.com/enp/default0402.htm http://www.arp-sk.org/ http://www.monkey.org/~dugsong/dsniff/ http://www.bitland.net/taranis/ http://www.off.net/~jme/ols2000/html/img0.htm http://www.netfilter.org/ http: //letanou.linuxfr.org/arpwatch/arpwatch.html http://jota.sm.luth.se/~andver-8/warp/ http://www.prelude-ids.org/ http://www.cartel-securite.fr/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback