Man in the middle. By: Hung Tran


INTRODUCTION

In today's society people rely heavily on the Internet for studying, research and business. The Internet has become an integral part of modern life, and much effort has gone into making it secure, for example cryptographic techniques and secure protocols such as SSL. Unfortunately, not all computers are equipped with the necessary protection. In a network, when a packet travels from the source host to the destination host, it can be recorded, extracted or altered by a third host, which we call the man in the middle (MITM). In a man-in-the-middle attack, the attacker tries to place his host between two victim hosts so that he can intercept the data transmitted between them, while the victims are unaware of the man in the middle.

(Figure 1: Man in the middle illustration)

Figure 1 illustrates the MITM context: the man in the middle impersonates both Alice and Bob by relaying the messages between them. Alice believes that she is talking directly to Bob, and so does Bob; however, the attacker now controls the whole communication.

In this project, I present techniques for implementing MITM attacks in a LAN environment, the most common type of MITM attack. In these attacks, the attacker has the ability to:
- capture sensitive data such as the usernames and passwords of hosts in the LAN during the authentication phase
- tamper with the data transmitted between the victim hosts

Then I present some solutions proposed by security experts to prevent MITM attacks and to reduce the damage they can cause.

SYSTEM DESCRIPTION

The key factor in the success of a MITM attack is that the attacker must be able to place his host where it can intercept the communication between his victims. Unfortunately, a weakness of the Address Resolution Protocol (ARP), which translates IP addresses into MAC addresses in a Local Area Network (LAN), allows the attacker to spoof the MAC addresses of other hosts and thereby capture all traffic to those hosts. In this section I present a technique called ARP Spoofing (or ARP Redirect) that is commonly used to redirect the traffic between two hosts through a third host owned by the attacker. Then I describe the network configuration of the lab used to implement the MITM attacks.

ARP Spoofing

Assume that Alice's and Bob's hosts are connected to a LAN and Alice wants to send a packet to Bob. Although Alice knows Bob's IP address, the Data Link Layer on Alice's host still needs Bob's MAC address to transmit the packet over the LAN. To get it, Alice first checks whether Bob's MAC address is stored in her ARP cache. If it is, she uses it; otherwise she broadcasts an ARP request asking for the MAC address corresponding to Bob's IP address. All hosts on the LAN receive Alice's ARP request, but only Bob has the IP address named in it, so only Bob returns his MAC address to Alice. Once Alice has Bob's MAC address, data transmission begins.

(Figure 2: ARP spoofing)

Now assume that one more host, Charlie, is connected to the LAN with Alice and Bob. Charlie sends Alice an ARP reply saying that the MAC address corresponding to Bob's IP is Charlie's MAC, and at the same time sends Bob an ARP reply saying that the MAC address corresponding to Alice's IP is Charlie's MAC. Both Alice and Bob update their ARP caches and use that information to transmit packets. As a result, the entire conversation between Alice and Bob flows through Charlie (as shown in Figure 2).

Lab Network Configuration

As mentioned above, in this project I implement the MITM attacks in a LAN environment to demonstrate how an attacker can launch them and what he can do with his victims' data. I set up a simple network for the lab, as shown in Figure 3.
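To make the cache behaviour behind Figure 2 concrete, here is an added Python model of one host's ARP cache. It is an illustration written for this page, not code from the project, and it sends no packets: it only replays the sequence of cache updates the text describes. Alice's and Bob's MAC addresses are constructed; Charlie's is the attacker MAC reported later on this page. The model also shows the effect of a static ARP entry (the small-network defence the page recommends at the end); the accept_unsolicited switch is a modelling assumption, not a documented setting of any particular operating system.

```python
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    sender_ip: str    # the IP address the reply claims to speak for
    sender_mac: str   # the MAC address it says that IP lives at


@dataclass
class Host:
    """Minimal model of one LAN host's ARP cache (illustration, not a real stack)."""
    name: str
    ip: str
    mac: str
    cache: dict = field(default_factory=dict)   # ip -> mac (dynamic and static)
    static: set = field(default_factory=set)    # ips pinned by a static entry
    pending: set = field(default_factory=set)   # ips we have broadcast a request for

    def add_static(self, ip, mac):
        """Static ARP table entry: never overwritten by any reply."""
        self.cache[ip] = mac
        self.static.add(ip)

    def lookup(self, ip):
        """Return the cached MAC, or None after (notionally) broadcasting a request."""
        if ip in self.cache:
            return self.cache[ip]
        self.pending.add(ip)
        return None

    def on_reply(self, reply, accept_unsolicited=True):
        """Cache update as the text describes it: a reply we asked for creates or
        updates the entry, and an unsolicited reply overwrites an existing dynamic
        entry unless the host is set to ignore such replies (modelling assumption).
        Returns True if the cache changed."""
        if reply.sender_ip in self.static:
            return False
        solicited = reply.sender_ip in self.pending
        if not solicited and (not accept_unsolicited or reply.sender_ip not in self.cache):
            return False
        changed = self.cache.get(reply.sender_ip) != reply.sender_mac
        self.cache[reply.sender_ip] = reply.sender_mac
        self.pending.discard(reply.sender_ip)
        return changed


def run_scenario(static_entries=False, accept_unsolicited=True):
    """Figure 2 as a sequence of cache updates. Returns the MAC each victim will
    address its frames for the other to, after Charlie's two replies."""
    alice = Host("Alice", "192.168.5.100", "aa:aa:aa:00:00:01")   # constructed MAC
    bob = Host("Bob", "192.168.5.250", "bb:bb:bb:00:00:02")       # constructed MAC
    charlie_mac = "00:1d:09:82:22:95"   # attacker MAC as reported on this page

    if static_entries:
        alice.add_static(bob.ip, bob.mac)
        bob.add_static(alice.ip, alice.mac)

    # Normal resolution: Alice asks for Bob's MAC and Bob answers, and vice versa.
    if alice.lookup(bob.ip) is None:
        alice.on_reply(ArpReply(bob.ip, bob.mac), accept_unsolicited)
    if bob.lookup(alice.ip) is None:
        bob.on_reply(ArpReply(alice.ip, alice.mac), accept_unsolicited)

    # Charlie's two unsolicited replies from the text.
    alice_changed = alice.on_reply(ArpReply(bob.ip, charlie_mac), accept_unsolicited)
    bob_changed = bob.on_reply(ArpReply(alice.ip, charlie_mac), accept_unsolicited)

    return {
        "alice_sends_to_bob_via": alice.cache[bob.ip],
        "bob_sends_to_alice_via": bob.cache[alice.ip],
        "poisoned": alice_changed or bob_changed,
    }


if __name__ == "__main__":
    print("default stack      :", run_scenario())
    print("static ARP entries :", run_scenario(static_entries=True))
    print("ignore unsolicited :", run_scenario(accept_unsolicited=False))
```

With default behaviour both victims end up addressing each other's frames to Charlie's MAC, which is exactly the state the arp -a check later on this page reveals; with static entries for the peer, or with unsolicited replies ignored, the caches keep the genuine MACs.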

(Figure 3: Lab network configuration)

Linux server: provides some common Internet services. This machine also plays the role of the attacker's host in some scenarios and of the victim host in others.
    OS: Ubuntu Linux 7.10
    Services: HTTP (Apache), FTP (ProFTPD), SMTP/POP3 (Postfix), MySQL
    MITM tools: ettercap, dsniff, ethereal

Windows XP desktop: plays the role of the attacker's host in some scenarios and of the victim host in others.
    OS: Windows XP Professional
    MITM tools: ettercap, CAIN, Wireshark

Windows Vista laptop: plays the role of the victim host.

All these machines are connected to a switched LAN and have access to the Internet via a router. The router also plays the role of a victim host, since one attack targets the communication between a host inside the LAN and the router.

MITM ATTACK AND DEFENSE

Capture Sensitive Data

Attack #1

Scenario: The Windows Vista laptop accesses the Linux server for services such as HTTP, FTP, email and database. The Windows XP desktop launches a MITM attack to reveal the username and password that the laptop uses, as shown in Figure 4.

(Figure 4: MITM attack inside the LAN)

Method: To launch this attack, the Windows XP machine first has to poison the ARP caches of the Linux machine and the Windows Vista machine. There are many software tools available for ARP poisoning; I use ettercap in this attack because it is an all-in-one tool that can do both ARP poisoning and network sniffing, and it runs on both Windows and Linux. The attack proceeds in the following steps.

Step 1: Launch ettercap on Windows XP, choose the working mode Promisc mode (Figure: Ettercap working mode), choose the sniff mode Unified sniffing, and select the network card connected to the lab LAN (Figure: Ettercap sniffing mode).

Step 2: Add the Windows Vista machine and the Linux machine as targets of ettercap. This is done by selecting the menu Hosts > Scan for hosts, then Hosts > Host list, and selecting 192.168.5.100 for Target 1 and 192.168.5.250 for Target 2. Verify the targets by choosing the menu Targets > Current Targets.

(Figure: Targets of the attack)

Step 3: Poison the ARP caches of the Windows Vista and Linux machines by selecting the menu Mitm > Arp poisoning and choosing Sniff remote connections.

(Figure: Poisoning the ARP caches of the targets)

To verify that the ARP poisoning succeeded, I check the ARP caches on both targets with the command:

    arp -a

(Figure: ARP cache of the Windows Vista machine)
(Figure: ARP cache of the Linux machine)

We can easily see that both ARP caches are poisoned: on the Windows Vista machine the entry 192.168.5.250 (Linux machine) has the MAC address 00-1D-09-82-22-95 (Windows XP machine), and on the Linux machine the entry 192.168.5.100 (Windows Vista machine) has the MAC address 00:1D:09:82:22:95 (Windows XP machine).

Step 4: Sniff the traffic between the Windows Vista machine and the Linux machine and capture the sensitive information by choosing the menu Start > Start Sniffing.

(Figure: Sniffing traffic between the two targets)
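The arp -a check above, automated: an added Python script (not part of the project) that parses both the Windows and the Linux net-tools output formats shown in the two figures, flags any MAC address claimed by more than one IP, and compares the cache against a known-good snapshot. The sample output and the baseline are constructed for this example: the attacker's own address 192.168.5.20, the router's MAC and the Linux server's true MAC are placeholders, while the two target IPs and the MAC 00-1D-09-82-22-95 come from the text. The snapshot comparison is the same monitoring that ARPwatch performs, which the page recommends in the section on preventing MITM attacks.

```python
import re
from collections import defaultdict

# Constructed sample (not copied from the page's screenshots) of `arp -a` on the
# Windows Vista laptop (192.168.5.100) after the poisoning. The router's MAC and
# the attacker's address 192.168.5.20 are placeholders.
WINDOWS_ARP_A = """\
Interface: 192.168.5.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.5.1           00-11-22-33-44-55     dynamic
  192.168.5.20          00-1d-09-82-22-95     dynamic
  192.168.5.250         00-1d-09-82-22-95     dynamic
"""

# Constructed sample of net-tools `arp -a` on the Linux server (192.168.5.250).
LINUX_ARP_A = """\
? (192.168.5.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.5.20) at 00:1d:09:82:22:95 [ether] on eth0
? (192.168.5.100) at 00:1d:09:82:22:95 [ether] on eth0
"""

# Constructed baseline: the Vista cache before the attack. The Linux server's
# real MAC (00:0c:29:aa:bb:cc) is a placeholder.
BASELINE_VISTA = {
    "192.168.5.1": "00:11:22:33:44:55",
    "192.168.5.20": "00:1d:09:82:22:95",
    "192.168.5.250": "00:0c:29:aa:bb:cc",
}

# One IPv4 address followed (after non-digit text) by a MAC in either notation.
_ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\b"
)


def parse_arp_a(text):
    """Parse `arp -a` output (Windows or Linux net-tools format) into {ip: mac},
    with MACs normalised to lower-case colon notation."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY_RE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table


def shared_macs(table):
    """MACs that answer for more than one IP: {mac: [ips]}. This is the signature
    visible on both victims above, but it can also be legitimate (a router doing
    proxy ARP, a host with several IP aliases), so treat it as an alert to
    investigate rather than as proof of poisoning."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_entries(baseline, current):
    """Entries whose MAC differs from a known-good snapshot: {ip: (old, new)}.
    This is the comparison an ARP monitor such as ARPwatch runs continuously."""
    return {ip: (baseline[ip], mac)
            for ip, mac in current.items()
            if ip in baseline and baseline[ip] != mac}


def report(name, text, baseline=None):
    """Human-readable summary; one ALERT line per finding."""
    table = parse_arp_a(text)
    lines = [f"{name}: {len(table)} entries"]
    for mac, ips in shared_macs(table).items():
        lines.append(f"  ALERT {mac} is claimed by {', '.join(ips)}")
    if baseline:
        for ip, (old, new) in changed_entries(baseline, table).items():
            lines.append(f"  ALERT {ip} moved from {old} to {new}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("Windows Vista laptop", WINDOWS_ARP_A, BASELINE_VISTA))
    print(report("Linux server", LINUX_ARP_A))
```

On the constructed Vista output the script reports that 00:1d:09:82:22:95 is claimed by both 192.168.5.20 and 192.168.5.250 and that 192.168.5.250 moved away from its baseline MAC; the new MAC of a moved entry is the attacker candidate the page's defence section suggests looking for.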

The connections can be seen by choosing the menu View > Connections. For each connection, we can see the data by selecting it and choosing View > Details.

(Figure: Connections between the two targets)

Result: After successfully capturing the data transmitted between the two targets, we can examine it to reveal the sensitive information. In this attack, the Windows Vista machine accesses the following services, which require authentication from the Linux machine:
- Online music via the web
- FTP
- Email via SMTP/POP3

By viewing the details of each connection between the two targets, I can easily see all the usernames and passwords. Furthermore, ettercap automatically records the usernames and passwords transmitted in clear text.

(Figure: FTP username and password)
(Figure: Email username and password)

(Figure: Usernames and passwords detected by ettercap)

Attack #2

Scenario: The Windows XP desktop accesses an Internet site that uses SSL, for example Gmail. The Linux server launches a MITM attack to capture the username and password of the desktop, as shown in Figure 16.

(Figure 16: MITM attack between a host inside the LAN and the router)

Method: In this attack, I try to mislead the Gmail user into accepting a fake certificate issued by me rather than by Google. If the user has some knowledge of computer security and examines the certificate before accepting it, the attack will not succeed.

(Figure: Fake certificate)

To launch this attack, I use the following tools:
- ettercap: to do the ARP poisoning
- dsniff software suite: dnsspoof to answer the DNS requests from the Windows XP machine with the Linux machine as the DNS server, and webmitm to relay all the HTTP and HTTPS requests from the Linux machine to the real servers
- ssldump: to decrypt the encrypted data using the fake certificate
- Wireshark: to capture the traffic between the Windows XP machine and the router

First, I poison the ARP caches of the Windows XP machine and the router using ettercap, as in the attack presented in section 3.1.1. Then I do the DNS spoofing with dnsspoof. At this stage I launch webmitm, which relays the traffic from the Windows XP machine to Gmail:

    webmitm -d

Then I use Wireshark to capture the traffic and save it as the file gmail.log. All the packets captured in gmail.log can be decrypted with ssldump:

    ssldump -r gmail.log -k webmitm.cert -d > out

Result: The username and password of the Gmail user can be obtained from the out file with the command:

    cat out | grep Passwd

(Figure: Gmail username and password)

Using the same attack method I also get the account information from the SSL connections to my bank's server:

(Figure: Bank account information)

and also my HawkID and password in ICON (Iowa Courses Online, http://icon.uiowa.edu):

(Figure: HawkID and password in ICON)

The same result with ISIS (Iowa Student Information Services, http://isis.uiowa.edu):

(Figure: HawkID and password in ISIS)

Tamper the Data

Scenario: The Windows XP desktop accesses an Internet site via the router. The Linux server launches a MITM attack between the desktop and the router to deface the website that the desktop is browsing, as shown in Figure 16.

Method: The preparation for this attack is similar to the attack described in section 3.1.1, with two targets: the Windows XP machine and the router of the lab. In this case, ettercap modifies the data from the router before forwarding it to the Windows XP machine. To automate this task, I create a filter, which is a method of extending the abilities of ettercap, to alter the incoming data automatically. The filter is developed from the original one in [4] as follows:

    # Change the Accept-Encoding header of the client so that the server will
    # send data to the client in plain text format.
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          # the replacement string has the same length as the original
          replace("Accept-Encoding", "Accept-Rubbish!");
          msg("zapped Accept-Encoding!\n");
       }
    }

    # Replace Google's logo with another image and change the text "google" into "Hacker"
    if (ip.proto == TCP && tcp.src == 80) {
       replace("/intl/en_all/images/logo.gif", "http://hawksec.net/shrek.jpg");
       replace("google", "Hacker");
       msg("Filter Ran.\n");
    }

I save the filter source code as img.filter and compile it with the command:

    etterfilter img.filter -o img.ef

After poisoning the ARP caches of the Windows XP machine and the router as in section 3.1.1, I apply the filter by choosing the menu Filters > Load a filter and selecting img.ef.

Result: After the filter is applied, the Windows XP machine gets the modified Google page:

(Figure: Modified Google page)

Prevent MITM Attacks

As we saw in the previous sections, MITM attacks can be prevented if:
- the attacker does not have the ability to poison the ARP caches of the victim hosts
- even if the attacker can poison the ARP caches of the victim hosts and capture data, he cannot learn anything from it because the data is strongly encrypted

If we encrypt all data passing over the network, MITM attacks can be avoided; however, this is difficult to implement because of the complexity and the processing overhead. There are some methods to help prevent ARP poisoning suggested by security experts [15]:
- For small networks: use a static ARP table. In addition, on the Windows machines I installed Symantec Endpoint Protection and enabled the option "Enable anti-MAC spoofing", which helps prevent poisoning of the ARP cache.

- For large networks: use switches with the Port Security feature, which allows only one MAC address per port.
- For all networks: monitor ARP caches with an ARP monitoring tool such as ARPwatch [16] to detect changes in the ARP cache. From my experience, when we detect a change in a machine's ARP cache, we may find the attacker's MAC address in that cache and can use this information to identify the attacker.

RELATED WORK

Some groups have conducted MITM attacks against Secure Shell (SSH) version 1 [12], Radio-frequency identification (RFID) cards [13] and the Universal Mobile Telecommunication Standard (UMTS) [14], using attack methods that differ from the ones in this project.

CONCLUSION

After successfully conducting the attacks above, I fully understand how the Man-In-The-Middle attack works in a switched LAN environment. With the ability to capture and modify data, the risk an attacker can cause with a MITM attack is huge. As discussed earlier, the key factor of MITM is ARP poisoning, which exploits the weakness of the ARP protocol. Unfortunately, the attack is very easy and there are numerous freely available tools to help launch it. There are some solutions to prevent this kind of attack, for example using a personal firewall on Windows computers, using static ARP caches in small networks or ARPwatch in large networks, as well as using encrypted connections. In addition, this project gave me the opportunity to set up an Internet server on Linux with all the basic services.

REFERENCES

[1] Wikipedia. Man In The Middle Attack. http://en.wikipedia.org/wiki/Man_in_the_middle. March 2008
[2] Wikipedia. ARP Spoofing. http://en.wikipedia.org/wiki/arp_spoofing. March 2008
[3] Ettercap. http://ettercap.sourceforge.net/. February 2008
[4] Fun with Ettercap Filters. http://www.irongeek.com/i.php?page=security/ettercapfilter. March 2008
[5] ETTERCAP - The Easy Tutorial. http://www.openmaniak.com/ettercap.php. February 2008

[6] Crimemachine. How to decrypt SSL encrypted traffic using a man in the middle attack. http://www.crimemachine.com/tuts/flash/sslmitm.swf. April 2008
[7] Ethereal. http://www.ethereal.com/. April 2008
[8] dsniff. http://www.monkey.org/~dugsong/dsniff/. April 2008
[9] Haidong Xia and José C. Brustoloni. Hardening Web Browsers Against Man-in-the-Middle and Eavesdropping Attacks. March 2008
[10] Ross Anderson and Mike Bond. The Man-in-the-Middle Defence. Computer Laboratory, University of Cambridge, Mar 2006. http://www.cl.cam.ac.uk/~mkb23/research/man-in-the-middle-defence.pdf
[11] Serpanos, D.N., Lipton, R.J. Defense against man-in-the-middle attack in client-server systems. Computers and Communications, 2001. Proceedings. Sixth IEEE Symposium on, pp. 9-14, 2001
[12] Threats Addressed by Secure Shell. http://www.vandyke.com/solutions/ssh_overview/ssh_overview_threats.html. April 2008
[13] RFID Cards and Man-in-the-Middle Attacks. http://www.schneier.com/blog/archives/2006/04/rfid_cards_and.html. April 2008
[14] A Man-in-the-Middle Attack on UMTS. http://whitepapers.techrepublic.com.com/abstract.aspx?&docid=141953&promo=100511. April 2008
[15] Anatomy of an ARP Poisoning Attack. http://www.watchguard.com/infocenter/editorial/135324.asp. April 2008
[16] Arpwatch. http://www.securityfocus.com/tools/142. April 2008