Intrusion Techniques (Czech title: Metody síťových útoků)
Mgr. Rudolf B. Blažek, Ph.D.
Department of Computer Systems, Faculty of Information Technology, Czech Technical University in Prague
Network Security (MI-SIB), winter semester (ZS) 2011/12, Lecture 3
Rudolf Blažek 2010-2011
European Social Fund, Prague & EU: We Invest in Your Future
Hubs and Switches: Security in a LAN With a Hub (slides 3-4)
[Figure: five desktop PCs on a LAN (Local Area Network), all connected to one network hub.]
- All hosts see all traffic.
- This is not secure at all.
Hubs and Switches: LAN Hubs and Switches (slide 5)
OSI layer            Group           LAN component
7. Application     |
6. Presentation    |  Host layers   Web-switch, Content-switch (e.g. load balancing)
5. Session         |
4. Transport       |
3. Network            Media layers  Multi-Layer Switch
2. Data Link          Media layers  Switch
1. Physical           Media layers  Hub
Hubs and Switches: Security in a LAN With a Switch (slides 6-7)
[Figure: desktop PCs connected to a network switch; on slide 7 one of the PCs is the Attacker.]
- Hosts only see traffic intended for them.
- This is more secure, but not by much.
- ARP attacks can be used to capture traffic in switched networks.
MiM Attacks: Man-in-the-Middle Attack on Two Hosts (slide 8)
Compromising traffic between two hosts.
MiM Attacks: ARP Man-in-the-Middle Attack on two hosts (slides 9-14)
Hosts: A 192.168.1.3, B 192.168.1.8, Attacker 192.168.1.11.
1. A broadcasts an ARP Request: "Who has IP 192.168.1.8?"
2. B answers with an ARP Reply carrying the MAC address of B: "I have IP 192.168.1.8". A updates its IP/MAC cache.
3. A and B establish a connection.
4. The Attacker sends A a forged ARP Reply carrying the MAC address of the Attacker: "My IP address is 192.168.1.8". A updates its IP/MAC cache.
5. The Attacker sends B a forged ARP Reply carrying the MAC address of the Attacker: "My IP address is 192.168.1.3". B updates its IP/MAC cache.
6. The connection between A and B is compromised: both hosts now send their traffic to the Attacker.
MiM Attacks: MiM Attack on a Router (slides 15-20)
Compromising traffic between all hosts in a local network and the outside world (e.g. Internet).
[Figure: a LAN with hosts A and B and the Attacker, connected through a Router to the Internet (or a remote LAN).]
Stage 1: The Attacker sends the Router many forged ARP Requests carrying the MAC address of the Attacker, who pretends to be all the computers in the LAN ("My IP is that of all A, B, C"). The Router's IP/MAC cache is updated and updating is disabled by the attacker. Inbound traffic is now compromised.
Stage 2: The Attacker sends many forged ARP Requests carrying the MAC address of the Attacker, who pretends to be the Router ("My IP is that of the Router"). The IP/MAC cache of all computers in the LAN is updated by the attacker.
Result: ALL traffic between the LAN and the outside world is compromised.
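Both ARP attacks above leave a trace that a passive monitor on the segment can see: the two-host attack (slides 9-14) and stage 2 of the router attack make an already known IP address suddenly appear with a different MAC, and stage 1 makes a single MAC claim many IP addresses in a short time. The following detector is an added example written for these notes, not code from the lecture; the IP addresses follow the slides, while the MAC addresses, timestamps and the ARP messages in the sample capture are constructed.

```python
"""Passive detector for the two ARP cache-poisoning patterns shown in the slides.

Added example, not from the lecture. All MAC addresses, timestamps and the
ARP messages below are constructed sample data; only the IP addresses follow
the slides (A 192.168.1.3, B 192.168.1.8, Attacker 192.168.1.11).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpMessage:
    """The fields of one ARP packet that a host would cache (request or reply)."""
    t: float           # seconds since the start of the capture (constructed)
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str    # the MAC the sender asserts for sender_ip
    target_ip: str


class ArpPoisonMonitor:
    """Learns IP -> MAC bindings from ARP traffic and raises two kinds of alert.

    1. rebind: an IP that was bound to one MAC is asserted by a different MAC
       (the forged replies sent to A and B in the two-host attack, and the
       attacker posing as the router in stage 2).
    2. fan-out: one MAC asserts several distinct IPs within a short window
       (stage 1, where the attacker claims "all of A, B, C" to the router).
    """

    def __init__(self, fanout_threshold: int = 3, window: float = 10.0) -> None:
        self.binding: Dict[str, str] = {}                 # ip -> first MAC seen
        self.claims: Dict[str, List] = defaultdict(list)  # mac -> [(t, ip), ...]
        self.flagged: Set[str] = set()                    # MACs already reported for fan-out
        self.fanout_threshold = fanout_threshold
        self.window = window

    def observe(self, m: ArpMessage) -> List[str]:
        alerts: List[str] = []

        # Check 1: does this message contradict the binding learned earlier?
        known = self.binding.get(m.sender_ip)
        if known is None:
            self.binding[m.sender_ip] = m.sender_mac
        elif known != m.sender_mac:
            alerts.append(
                f"t={m.t:.1f} rebind: {m.sender_ip} was {known}, now asserted by "
                f"{m.sender_mac} ({m.op} towards {m.target_ip})"
            )

        # Check 2: how many different IPs has this MAC asserted within the window?
        self.claims[m.sender_mac].append((m.t, m.sender_ip))
        recent = {ip for t, ip in self.claims[m.sender_mac] if m.t - t <= self.window}
        if len(recent) >= self.fanout_threshold and m.sender_mac not in self.flagged:
            self.flagged.add(m.sender_mac)
            alerts.append(
                f"t={m.t:.1f} fan-out: {m.sender_mac} asserts {len(recent)} IPs within "
                f"{self.window:.0f}s: {sorted(recent)}"
            )
        return alerts


# Constructed sample capture (locally administered MACs; not real hosts).
MAC_A, MAC_B, MAC_ROUTER, MAC_ATTACKER = (
    "02:00:00:00:00:03", "02:00:00:00:00:08", "02:00:00:00:00:01", "02:00:00:00:00:11")

SAMPLE = [
    # Legitimate resolution between A and B, and the router answering A.
    ArpMessage(0.0, "reply", "192.168.1.8", MAC_B, "192.168.1.3"),
    ArpMessage(0.1, "reply", "192.168.1.3", MAC_A, "192.168.1.8"),
    ArpMessage(0.2, "reply", "192.168.1.1", MAC_ROUTER, "192.168.1.3"),
    # Two-host attack: forged replies to A ("I am .8") and to B ("I am .3").
    ArpMessage(5.0, "reply", "192.168.1.8", MAC_ATTACKER, "192.168.1.3"),
    ArpMessage(5.1, "reply", "192.168.1.3", MAC_ATTACKER, "192.168.1.8"),
    # Router attack, stage 1: attacker claims a further LAN address to the router.
    ArpMessage(5.2, "request", "192.168.1.9", MAC_ATTACKER, "192.168.1.1"),
    # Stage 2: attacker claims the router's address towards A.
    ArpMessage(5.3, "request", "192.168.1.1", MAC_ATTACKER, "192.168.1.3"),
]


def run_sample() -> List[str]:
    """Feed the constructed capture through the monitor and return all alerts."""
    monitor = ArpPoisonMonitor()
    alerts: List[str] = []
    for message in SAMPLE:
        alerts.extend(monitor.observe(message))
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On the constructed capture the monitor raises four alerts: two rebinds for 192.168.1.8 and 192.168.1.3 (the two-host attack), one fan-out when the attacker's MAC has claimed three addresses (stage 1), and a rebind of the router address 192.168.1.1 (stage 2). This is the same idea that tools such as arpwatch implement; on managed switches the equivalent preventive control is to validate ARP against the DHCP binding table (Dynamic ARP Inspection) or to use static ARP entries for the gateway.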
WLAN Security: 802.11 Deauthentication Attack (slides 21-23)
The link layer of wireless networks is open to intrusions.
Normal 802.11 handshake between an 802.11 Client and an 802.11 Access Point:
Client -> AP: Probe Request
AP -> Client: Probe Response
Client -> AP: Authentication Request
AP -> Client: Authentication Challenge
Client -> AP: Authentication Response
AP -> Client: Authentication Success
Client -> AP: Association Request
AP -> Client: Association Response
Client <-> AP: Data
Client -> AP or AP -> Client: Deauthentication (either side ends the session)
Deauthentication attack: while the Client and the AP are exchanging Data, the Intruder sends forged Deauthentication frames to the Client and to the Access Point, and the session is torn down.
WLAN Security: Goals of the 802.11 Deauthentication Attack (slides 24-25)
- DoS attack: a flood of forged deauthentication frames causes some or all clients to disconnect from the AP, even if they reconnect again. The WLAN is then essentially disabled.
- WEP cracking: in order to break the WEP encryption, the intruder forces the clients to deauthenticate so that it can observe the authentication initialization vectors exchanged during reauthentication.
- MiM attack: the Man-in-the-Middle attack is performed by first forcing the clients to disconnect from an AP, and then using a fake WLAN with the same SSID. The traffic of clients that connected to the fake AP is then channeled through the intruder to steal data and credentials.
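What distinguishes the flood on slides 23-25 from a client that simply leaves is rate: one deauthentication frame per departing client is normal, a burst of them to several clients (or to the broadcast address) is not, and because the transmitter address in the forged frames is not trustworthy the count is best kept per BSSID rather than per sender. The detector below is an added example for these notes, not code from the lecture; the frame records, MAC addresses and timestamps are constructed, standing in for the management-frame metadata a monitor-mode capture provides.

```python
"""Detector for the deauthentication flood described in the slides.

Added example, not from the lecture. The frame records below are constructed
(locally administered MAC addresses, made-up timestamps); they stand in for the
802.11 management-frame metadata a monitor-mode capture would provide.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """Header fields of one captured 802.11 frame."""
    t: float            # capture time in seconds (constructed)
    subtype: str        # "data", "deauth" or "disassoc"
    src: str            # transmitter address as written in the frame (forgeable)
    dst: str            # receiver address, or BROADCAST
    bssid: str          # the AP the frame claims to belong to
    reason: Optional[int] = None   # 802.11 reason code on deauth/disassoc frames


class DeauthFloodDetector:
    """Counts deauth/disassoc frames per BSSID over a sliding time window.

    A client leaving normally produces a single deauthentication frame. A forged
    flood produces many in a burst, often addressed to broadcast or to several
    clients in turn, so a per-BSSID rate over a short window separates the two
    without needing to trust the (forgeable) source address.
    """

    def __init__(self, window: float = 2.0, threshold: int = 5) -> None:
        self.window = window
        self.threshold = threshold
        self.recent: Dict[str, Deque[Tuple[float, str, Optional[int]]]] = defaultdict(deque)
        self.reported: Set[str] = set()

    def observe(self, f: Frame) -> Optional[str]:
        if f.subtype not in ("deauth", "disassoc"):
            return None
        q = self.recent[f.bssid]
        q.append((f.t, f.dst, f.reason))
        # Drop entries that have fallen out of the window.
        while q and f.t - q[0][0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and f.bssid not in self.reported:
            self.reported.add(f.bssid)
            targets = sorted({dst for _, dst, _ in q})
            reasons = sorted({r for _, _, r in q if r is not None})
            return (f"t={f.t:.1f} deauth flood on BSSID {f.bssid}: {len(q)} frames in "
                    f"{self.window:.0f}s, targets {targets}, reason codes {reasons}")
        return None


# Constructed sample capture.
AP = "02:00:00:00:aa:01"
CLIENT_1 = "02:00:00:00:cc:01"
CLIENT_2 = "02:00:00:00:cc:02"

SAMPLE: List[Frame] = [
    Frame(0.0, "data", CLIENT_1, AP, AP),
    Frame(0.5, "data", AP, CLIENT_1, AP),
    # Benign: CLIENT_1 leaves; reason 3 = "deauthenticated because sending STA is leaving".
    Frame(1.0, "deauth", CLIENT_1, AP, AP, reason=3),
    Frame(30.0, "data", CLIENT_2, AP, AP),
    # Burst of frames carrying the AP's address as transmitter (forged) with
    # reason 7 = "class 3 frame received from nonassociated STA".
    Frame(60.0, "deauth", AP, BROADCAST, AP, reason=7),
    Frame(60.1, "deauth", AP, CLIENT_1, AP, reason=7),
    Frame(60.2, "deauth", AP, CLIENT_2, AP, reason=7),
    Frame(60.3, "deauth", AP, BROADCAST, AP, reason=7),
    Frame(60.4, "deauth", AP, CLIENT_1, AP, reason=7),
    Frame(60.5, "deauth", AP, CLIENT_2, AP, reason=7),
]


def run_sample() -> List[str]:
    """Return the alerts the detector produces for the constructed capture."""
    detector = DeauthFloodDetector()
    return [a for a in (detector.observe(f) for f in SAMPLE) if a is not None]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The single benign deauthentication at t=1.0 never reaches the threshold, while the burst at t=60 is reported once, on the fifth frame, with the set of targets and reason codes seen. The preventive counterpart is 802.11w Protected Management Frames, which lets the receiver integrity-check deauthentication and disassociation frames and discard forged ones; where it is not deployed, rate-based detection of this kind is what a wireless IDS relies on.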
Man-in-the-Middle Attacks (slides 26-27)
- Can use ARP, DNS, WiFi or other protocols.
- Encrypted connections like SSH or HTTPS are hijacked via fake public keys (fake identity).
Goals of MiM attacks:
- Capture login names and passwords.
- Record or hijack connections, both in a LAN and to the outside world.
False feeling of security:
- Encrypted communication channels
- Switched networks
Encrypted communications and switched networks do not protect us completely from MiM attacks!
New: quantum computers may soon decrypt secure connections that are captured now.
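The "fake public key" hijack on slide 26 works because a client that only checks that the channel is encrypted will happily encrypt to the intruder's key. The intruder cannot sign with the server's private key, so the public key it presents, and therefore its fingerprint, differs from the genuine one; a client that compares the fingerprint against one obtained out of band (the idea behind SSH known_hosts and HTTPS key pinning) turns the attack into a hard failure. The snippet below is an added example for these notes, not code from the lecture; the hostnames and the key blobs are constructed stand-ins for a real host key or certificate public key.

```python
"""Pinned-fingerprint check against the "fake public key" MiM on SSH/HTTPS.

Added example, not from the lecture. The key blobs below are constructed byte
strings standing in for a server's public key (for SSH, the raw host-key blob;
for HTTPS, the certificate's SubjectPublicKeyInfo); the hostnames are made up.
"""
import base64
import hashlib
import hmac
from typing import Dict, List


def fingerprint(pubkey_blob: bytes) -> str:
    """SHA-256 fingerprint in the OpenSSH display form: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class PinnedKeyStore:
    """A known_hosts-style store with one pinned fingerprint per host.

    A MiM that terminates the encrypted connection must present its own public
    key, so the fingerprint the client sees changes. Comparing against a pin
    makes that a hard failure rather than a warning the user can click through.
    """

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def pin(self, host: str, pubkey_blob: bytes) -> str:
        """Record a fingerprint obtained out of band (e.g. from the administrator)."""
        fp = fingerprint(pubkey_blob)
        self.pins[host] = fp
        return fp

    def verify(self, host: str, presented_blob: bytes, trust_on_first_use: bool = False) -> str:
        """Return 'match', 'MISMATCH', 'unknown-host' or 'pinned-first-use'."""
        presented = fingerprint(presented_blob)
        pinned = self.pins.get(host)
        if pinned is None:
            if trust_on_first_use:
                # TOFU protects every later session, but not this first one.
                self.pins[host] = presented
                return "pinned-first-use"
            return "unknown-host"
        if hmac.compare_digest(pinned.encode("ascii"), presented.encode("ascii")):
            return "match"
        return "MISMATCH"


# Constructed sample keys: arbitrary bytes, not real keys.
SERVER_KEY = b"constructed-server-public-key-blob"
ATTACKER_KEY = b"constructed-attacker-public-key-blob"


def run_sample() -> List[str]:
    """Walk through first contact, a normal reconnect, a MiM reconnect and an unpinned host."""
    store = PinnedKeyStore()
    results = [
        store.verify("shell.example.test", SERVER_KEY, trust_on_first_use=True),
        store.verify("shell.example.test", SERVER_KEY),    # genuine server again
        store.verify("shell.example.test", ATTACKER_KEY),  # intruder presents its own key
        store.verify("other.example.test", ATTACKER_KEY),  # never pinned, TOFU off
    ]
    return results


if __name__ == "__main__":
    print(run_sample())
```

The walk-through yields pinned-first-use, match, MISMATCH, unknown-host. The MISMATCH case is exactly the situation the slide warns about, and it is also why a trust-on-first-use client is only as safe as its first connection: a pin supplied by the administrator (the pin method) closes that window.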
Intrusion Detection Methods: Detecting Network Intrusions (slide 28)
Common detection methods:
- Data mining
- Statistical modeling
- Neural networks
- Genetic algorithms
- Signature-based approaches ...