
Blackhats Italia 2003, slide 1

Man in the middle attacks

What they are
How to achieve them
How to use them
How to prevent them

Alberto Ornaghi <[email protected]>
Marco Valleri <[email protected]>

Blackhats Italia 2003, slide 2

Table of contents

Different attacks in different scenarios:

LOCAL AREA NETWORK:
- ARP poisoning
- DNS spoofing
- STP mangling

FROM LOCAL TO REMOTE (through a gateway):
- ARP poisoning
- DNS spoofing
- DHCP spoofing
- ICMP redirection
- IRDP spoofing
- route mangling

REMOTE:
- DNS poisoning
- traffic tunneling
- route mangling

Blackhats Italia 2003, slide 3

Once in the middle...

Blackhats Italia 2003, slide 4

Sniffing

It is the easiest attack to launch since all the packets transit through the attacker.

All the “plain text” protocols are compromised (the attacker can sniff the username and password of many widely used protocols such as telnet, ftp, http).

Blackhats Italia 2003, slide 5

Hijacking

Easy to launch

It isn’t blind (the attacker knows exactly the sequence numbers of the TCP connection)

Blackhats Italia 2003, slide 6

Injecting

Possibility to add packets to an already established connection (only possible in full-duplex mitm)

The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets.

If the mitm attack is a “proxy attack” it is even easier to inject (there are two distinct connections)

Blackhats Italia 2003, slide 7

Filtering

The attacker can modify the payload of the packets by recalculating the checksum

He/she can create filters on the fly

The length of the payload can also be changed, but only in full-duplex (in this case the seq has to be adjusted)

Blackhats Italia 2003, slide 8

Attack examples

Blackhats Italia 2003, slide 9

Attack examples (1) - Command injection

Useful in scenarios where a one-time authentication is used (e.g. RSA token). In such scenarios sniffing the password is useless, but hijacking an already authenticated session is critical

Injection of commands to the server

Emulation of fake replies to the client

Blackhats Italia 2003, slide 10

Attack examples (2) - Malicious code injection

Insertion of malicious code into web pages or mail (javascript, trojans, virus, etc.)

Modification on the fly of binary files during the download phase (virus, backdoor, etc.)

Blackhats Italia 2003, slide 11

Attack examples (3) - Key exchanging

Modification of the public key exchanged by server and client (e.g. SSH1)

[Diagram: Server, MITM and Client. Each endpoint sends its RSA public key, KEY(rsa), through the MITM, which substitutes its own; the session key travels as Ekey[S-Key], so S-KEY ends up known to all three parties; the message M, sent as Eskey(M), is decrypted, D(E(M)), both by the MITM and by the receiving endpoint.]

Blackhats Italia 2003, slide 12

Attack examples (4) - Parameters and banners substitution

Parameters exchanged by server and client can be substituted at the beginning of a connection (algorithms to be used later)

Example: the attacker can force the client to initialize a SSH1 connection instead of SSH2.

– The server replies in this way:
  SSH-1.99 -- the server supports ssh1 and ssh2
  SSH-1.51 -- the server supports ONLY ssh1

– The attacker makes a filter to replace “1.99” with “1.51”

Possibility to circumvent known_hosts
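The banner check a client should make, as an added example that is not part of the original slides or of any SSH implementation: it parses the "SSH-protoversion-softwareversion" identification string, applies a protocol-2-only policy, and keeps a per-host memory of what the server offered last time so that a "1.99" host suddenly offering only "1.51" is reported as a downgrade. The regex, the banner strings and the host name "srv" are this example's own assumptions.

```python
import re

# Identification string format "SSH-protoversion-softwareversion [comments]".
# The regex is this example's own, not taken from any SSH implementation.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)


def parse_banner(line: str) -> dict:
    """Split a server identification string into proto / software / comment."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return m.groupdict()


def server_offers_v2(proto: str) -> bool:
    # "1.99" is the compatibility value advertising both 1.x and 2.0;
    # "2.0" is SSH2 only. Anything else (e.g. "1.51", "1.5") is SSH1 only.
    return proto in ("1.99", "2.0")


def choose_protocol(banner: str, allow_ssh1: bool) -> str:
    """Client decision: 'ssh2', 'ssh1' or 'refuse' for this banner and policy."""
    info = parse_banner(banner)
    if server_offers_v2(info["proto"]):
        return "ssh2"
    return "ssh1" if allow_ssh1 else "refuse"


def check_downgrade(history: dict, host: str, banner: str) -> bool:
    """Remember the protocol each host offered; True when a host that used to
    offer SSH2 now offers SSH1 only (the symptom of the 1.99 -> 1.51 filter)."""
    proto = parse_banner(banner)["proto"]
    previous = history.get(host)
    history[host] = proto
    return previous is not None and server_offers_v2(previous) and not server_offers_v2(proto)


# Constructed banners: the genuine one and what a "1.99 -> 1.51" filter produces.
GENUINE = "SSH-1.99-OpenSSH_3.5p1"
REWRITTEN = "SSH-1.51-OpenSSH_3.5p1"


def demo() -> dict:
    """Run the three policy cases the slide implies and a downgrade check."""
    history = {}
    first = check_downgrade(history, "srv", GENUINE)      # baseline visit
    second = check_downgrade(history, "srv", REWRITTEN)   # filtered visit
    return {
        "permissive-genuine": choose_protocol(GENUINE, allow_ssh1=True),
        "permissive-rewritten": choose_protocol(REWRITTEN, allow_ssh1=True),
        "strict-rewritten": choose_protocol(REWRITTEN, allow_ssh1=False),
        "downgrade-flagged": (first, second),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With a permissive client the rewritten banner silently yields an SSH1 session; with the strict policy (the equivalent of refusing protocol 1 in the client configuration) the rewrite only produces a refused connection, and the per-host memory gives the user a reason for it.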

Blackhats Italia 2003, slide 13

Attack examples (5) - IPSEC failure

Block the key material exchanged on UDP port 500

End points think that the other cannot start an IPSEC connection

If the client is configured in rollback mode, there is a good chance that the user will not notice that the connection is in clear text

Blackhats Italia 2003, slide 14

Attack examples (6) - PPTP (1) - description

Uses GRE as transport layer (no encryption, no authentication)

Uses the same negotiation scheme as PPP (req, ack, nak, rej)

Negotiation phases are not authenticated

MS-CHAPv2 mutual authentication can’t prevent this kind of mitm

Blackhats Italia 2003, slide 15

Attack examples (6) - PPTP (2) - attacks

During negotiation phase
– Force PAP authentication (almost fails)
– Force MS-CHAPv1 from MS-CHAPv2 (easier to crack)
– Force no encryption

Force re-negotiation (clear text terminate-ack)
– Retrieve passwords from existing tunnels
– Perform previous attacks

Force “password change” to obtain password hashes
– Hashes can be used directly by a modified SMB or PPTP client
– MS-CHAPv2 hashes are not useful (you can force v1)

Blackhats Italia 2003, slide 16

Attack examples (6) - PPTP (3) - attack example

[Diagram: Server, MITM and Client; the two LCP exchanges are shown side by side]

Server side (Server <-> MITM):      Client side (MITM <-> Client):
  req | auth | chap                   req | auth | fake
  nak | auth | pap                    nak | auth | chap
  req | auth | pap                    req | auth | pap
  ack | auth | pap                    ack | auth | pap

Force PAP from CHAP

We don’t have to mess with GRE sequences...
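The client-side policy that defeats the negotiation shown on this slide and on slide 15 ("force PAP", "force MS-CHAPv1"), as an added example that is not the authors' code and not part of any PPTP client: it decodes the PPP LCP Authentication-Protocol option (type 3; PAP is protocol 0xC023, CHAP is 0xC223 with an algorithm byte, where 0x80 is MS-CHAP and 0x81 is MS-CHAPv2) and refuses to bring the link up when the offered protocol is below a configured floor. The strength ranking and the verdict names are this example's own assumptions; the option bytes are constructed. It models only the client's decision, not the GRE transport.

```python
# PPP LCP "Authentication-Protocol" option (type 3): Type, Length, Protocol (2 bytes), Data.
LCP_OPT_AUTH = 3
PAP = 0xC023
CHAP = 0xC223
CHAP_MD5, CHAP_MSV1, CHAP_MSV2 = 0x05, 0x80, 0x81   # CHAP algorithm codes (RFC 1994, 2433, 2759)

# Ranking used by this example's policy (higher is stronger). The ranks are the
# example's own assumption; PPP itself has no notion of authentication strength.
STRENGTH = {
    ("pap", None): 0,
    ("chap", CHAP_MD5): 1,
    ("chap", CHAP_MSV1): 2,
    ("chap", CHAP_MSV2): 3,
}


def parse_auth_option(opt: bytes):
    """Decode one LCP Authentication-Protocol option into ('pap', None) or ('chap', algorithm)."""
    # The Length field counts the Type and Length bytes themselves.
    if len(opt) < 4 or opt[0] != LCP_OPT_AUTH or opt[1] != len(opt):
        raise ValueError("malformed LCP option")
    proto = int.from_bytes(opt[2:4], "big")
    if proto == PAP:
        return ("pap", None)
    if proto == CHAP:
        if len(opt) != 5:
            raise ValueError("CHAP option must carry exactly one algorithm byte")
        return ("chap", opt[4])
    raise ValueError(f"unknown authentication protocol 0x{proto:04x}")


def evaluate_request(opt: bytes, minimum=("chap", CHAP_MSV2)) -> str:
    """Client-side verdict on an incoming Configure-Request: 'ack' if the offered
    protocol meets the floor, 'refuse' (tear the link down) otherwise. Unknown
    protocols or algorithms are refused rather than negotiated downwards."""
    offered = parse_auth_option(opt)
    return "ack" if STRENGTH.get(offered, -1) >= STRENGTH[minimum] else "refuse"


# Constructed option bytes: what the server really sent, and what the client sees
# after the MITM has rewritten the negotiation (the "force PAP from CHAP" path).
SERVER_MSCHAPV2 = bytes([LCP_OPT_AUTH, 5, 0xC2, 0x23, CHAP_MSV2])
REWRITTEN_PAP = bytes([LCP_OPT_AUTH, 4, 0xC0, 0x23])
REWRITTEN_MSV1 = bytes([LCP_OPT_AUTH, 5, 0xC2, 0x23, CHAP_MSV1])


def demo() -> dict:
    return {
        "genuine": evaluate_request(SERVER_MSCHAPV2),
        "forced-pap": evaluate_request(REWRITTEN_PAP),
        "forced-mschapv1": evaluate_request(REWRITTEN_MSV1),
        "forced-mschapv1-lax-policy": evaluate_request(REWRITTEN_MSV1, minimum=("chap", CHAP_MSV1)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Because the LCP phase is unauthenticated (slide 14), the floor has to be enforced locally on each peer; a client that is willing to "fall back" to whatever the peer proposes is exactly what the rewritten NAK exploits. The same floor should be applied to the CCP negotiation so that "force no encryption" is refused as well.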

Blackhats Italia 2003, slide 17

Attack examples (6) - PPTP (4) - L2TP rollback

L2TP can use IPSec ESP as transport layer (stronger than PPTP)

By default L2TP is tried before PPTP

Blocking ISAKMP packets results in an IPSec failure

Client starts a request for a PPTP tunnel (rollback)

Now you can perform the previous PPTP attacks

Blackhats Italia 2003, slide 18

Attack examples (6) - PPTP (5) - tools

Ettercap (http://ettercap.sf.net)
– Hydra plugins suite

Anger (http://packetstormsecurity.org/sniffers/anger.tar.gz)

Blackhats Italia 2003, slide 19

Attack techniques - LOCAL SCENARIO

Blackhats Italia 2003, slide 20

Local Attacks (1) - ARP poisoning

ARP is stateless (we all know how it works and what the problems are)

Some operating systems do not update an entry if it is not already in the cache, others accept only the first received reply (e.g. Solaris)

The attacker can forge spoofed ICMP packets to force the host to make an ARP request. Immediately after the ICMP it sends the fake ARP reply

Request attack against linux (IDS evasion)

Blackhats Italia 2003, slide 21

Local Attacks (1) - ARP poisoning

Useful to sniff on switched LANs

The switch works at layer 2 and it is not aware of the poisoning in the hosts’ ARP cache (unless some ARP inspection)

Blackhats Italia 2003, slide 22

Local Attacks (1) - ARP poisoning - tools

Ettercap (http://ettercap.sf.net)
– Poisoning
– Sniffing
– Hijacking
– Filtering
– SSH sniffing (transparent attack)

Dsniff (http://www.monkey.org/~dugsong/dsniff)
– Poisoning
– Sniffing
– SSH sniffing (proxy attack)

Blackhats Italia 2003, slide 23

Local Attacks (1) - ARP poisoning - countermeasures

YES - passive monitoring (arpwatch)
YES - active monitoring (ettercap)
YES - IDS (detect but not avoid)

YES - Static ARP entries (avoid it)
YES - Secure-ARP (public key auth)

NO - Port security on the switch
NO - anticap, antidote, middleware approach
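What the "passive monitoring" countermeasure actually looks for, as an added example that is not the slides' own material and not arpwatch's code: a sensor that learns IP-to-MAC bindings from the ARP replies it sees on the segment and reports (a) a binding that changes to a different MAC, (b) a binding first learnt from an unsolicited reply (the forced-request trick on slide 20 is designed to avoid this one) and (c) one MAC claiming several IPs, which is what a full-duplex poisoning of a host and its gateway produces. The record type, the addresses and the event stream are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ArpReply:
    """One ARP reply as a passive sensor would log it (constructed record type)."""
    ts: float
    sender_ip: str
    sender_mac: str
    solicited: bool   # True if a matching ARP request was seen shortly before


class ArpWatch:
    """Learns IP -> MAC bindings from replies and reports anomalies (arpwatch-style)."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, r: ArpReply) -> None:
        known = self.ip_to_mac.get(r.sender_ip)
        if known is None:
            self.ip_to_mac[r.sender_ip] = r.sender_mac
            if not r.solicited:
                # A binding learnt from a reply nobody asked for deserves a look.
                self.alerts.append(("unsolicited-new", r.sender_ip, r.sender_mac))
        elif known != r.sender_mac:
            # The classic poisoning symptom: an IP flips to a different MAC.
            self.alerts.append(("changed", r.sender_ip, known, r.sender_mac))
            self.ip_to_mac[r.sender_ip] = r.sender_mac   # track the current claim so flip-flops are seen too
        before = len(self.mac_to_ips[r.sender_mac])
        self.mac_to_ips[r.sender_mac].add(r.sender_ip)
        ips = self.mac_to_ips[r.sender_mac]
        if len(ips) > 1 and len(ips) > before:
            # Report only when the set grows, not on every further reply.
            self.alerts.append(("mac-claims-multiple-ips", r.sender_mac, tuple(sorted(ips))))


# Constructed event stream: two legitimate solicited replies, then a third MAC
# claiming the gateway's address and the host's address without being asked.
SAMPLE = [
    ArpReply(1.0, "10.0.0.1", "00:aa:aa:aa:aa:01", True),
    ArpReply(2.0, "10.0.0.20", "00:bb:bb:bb:bb:20", True),
    ArpReply(5.0, "10.0.0.1", "00:cc:cc:cc:cc:cc", False),
    ArpReply(5.1, "10.0.0.20", "00:cc:cc:cc:cc:cc", False),
]


def run(events=SAMPLE) -> list:
    w = ArpWatch()
    for e in events:
        w.observe(e)
    return w.alerts


if __name__ == "__main__":
    for a in run():
        print(a)
```

As the slide says, this detects but does not avoid: by the time the "changed" alert fires the victim's cache is already poisoned, so the monitor belongs next to static entries on the hosts that matter. The multiple-IP heuristic also needs a whitelist in practice, since routers with several addresses and proxy-ARP setups trigger it legitimately.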

Blackhats Italia 2003, slide 24

Local Attacks (2) - DNS spoofing

[Diagram: HOST, DNS server and MITM on the same LAN; the request is for X.localdomain.it; the addresses 10.1.1.50 and 10.1.1.1 appear in the figure.]

If the attacker is able to sniff the ID of the DNS request, he/she can reply before the real DNS server

Blackhats Italia 2003, slide 25

Local Attacks (2) - DNS spoofing - tools

Ettercap (http://ettercap.sf.net)
– Phantom plugin

Dsniff (http://www.monkey.org/~dugsong/dsniff)
– Dnsspoof

Zodiac (http://www.packetfactory.com/Projects/zodiac)

Blackhats Italia 2003, slide 26

Local Attacks (2) - DNS spoofing - countermeasures

YES - detect multiple replies (IDS)

YES - use the lmhosts or hosts file for static resolution of critical hosts

YES - DNSSEC
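The "detect multiple replies" countermeasure as detection logic, added here as an example that is not part of the original slides and not the code of any IDS: it groups the DNS responses seen on the wire by transaction ID and name, and flags pairs that arrive close together but disagree on the answer or the source, while ignoring plain retransmissions. Since a resolver keeps the first reply it gets, the alert records which one won. The record type, the addresses and the capture are constructed; the forged reply is given the real server's source address, which is why the answer comparison (not the source) is the reliable signal.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DnsReply:
    """One DNS response as a passive sensor would log it (constructed record type)."""
    ts: float       # seconds
    src_ip: str     # source address of the UDP reply (may be forged)
    txid: int       # 16-bit transaction ID
    qname: str
    answer: str     # first A record in the answer section


def find_spoof_candidates(replies, trusted_servers, window=2.0) -> list:
    """Flag pairs of replies sharing (txid, qname) that disagree on source or answer."""
    seen = defaultdict(list)
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        key = (r.txid, r.qname.lower())
        for prev in seen[key]:
            if r.ts - prev.ts > window:
                continue                      # too far apart to be a race for one query
            if prev.src_ip == r.src_ip and prev.answer == r.answer:
                continue                      # plain retransmission, not suspicious
            alerts.append({
                "qname": r.qname,
                "txid": r.txid,
                "first": prev,                # the reply the resolver will have used
                "second": r,
                "sources_agree": prev.src_ip == r.src_ip,
                "first_src_trusted": prev.src_ip in trusted_servers,
            })
        seen[key].append(r)
    return alerts


TRUSTED = {"192.0.2.53"}   # constructed: the LAN's real DNS server

# Constructed capture: a forged reply (source address copied from the real
# server) wins the race for txid 0x1A2B; txid 0x1A2C is a harmless retransmit.
SAMPLE = [
    DnsReply(0.010, "192.0.2.53", 0x1A2B, "x.localdomain.it", "192.0.2.99"),
    DnsReply(0.025, "192.0.2.53", 0x1A2B, "x.localdomain.it", "203.0.113.10"),
    DnsReply(1.000, "192.0.2.53", 0x1A2C, "mail.example.net", "203.0.113.25"),
    DnsReply(1.500, "192.0.2.53", 0x1A2C, "mail.example.net", "203.0.113.25"),
]


def run(replies=SAMPLE, trusted=TRUSTED) -> list:
    return find_spoof_candidates(replies, trusted)


if __name__ == "__main__":
    for a in run():
        print(f"{a['qname']} txid={a['txid']:#06x}: first answer {a['first'].answer} "
              f"from {a['first'].src_ip}, then {a['second'].answer} from {a['second'].src_ip}; "
              f"sources agree: {a['sources_agree']}")
```

The detection is after the fact, like the IDS entry on the slide: the client has already used the first answer. Static entries for the critical hosts, or DNSSEC validation at the resolver, are what actually removes the race.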

Blackhats Italia 2003, slide 27

Local Attacks (3) - STP mangling

It is not a real MITM attack since the attacker is able to receive only “unmanaged” traffic

The attacker can forge BPDUs with high priority pretending to be the new root of the spanning tree

Blackhats Italia 2003, slide 28

Local Attacks (3) - STP mangling - tools

Ettercap (http://ettercap.sf.net)
– Lamia plugin

Blackhats Italia 2003, slide 29

Local Attacks (3) - STP mangling - countermeasures

YES - Disable STP on VLANs without loops

YES - Root Guard, BPDU Guard.

Blackhats Italia 2003, slide 30

Attack techniques - FROM LOCAL TO REMOTE

Blackhats Italia 2003, slide 31

Local to remote attacks (1) - DHCP spoofing

DHCP requests are made in broadcast.

If the attacker replies before the real DHCP server, he/she can manipulate:
– IP address of the victim
– GW address assigned to the victim
– DNS address

Blackhats Italia 2003, slide 32

Local to remote attacks (1) - DHCP spoofing - countermeasures

YES - detection of multiple DHCP replies

Blackhats Italia 2003, slide 33

Local to remote attacks (2) - ICMP redirect

[Diagram: host H, gateway G1 and the attacker AT on the LAN, with a further host T; the attacker sends H an "ICMP redirect to AT".]

The attacker can forge ICMP redirect packets in order to redirect traffic to himself

Blackhats Italia 2003, slide 34

Local to remote attacks (2) - ICMP redirect - tools

IRPAS icmp_redirect (Phenoelit) (http://www.phenoelit.de/irpas/)

icmp_redir (Yuri Volobuev)

Blackhats Italia 2003, slide 35

Local to remote attacks (2) - ICMP redirect - countermeasures

YES - Disable the ICMP REDIRECT

NO - Linux has the “secure redirect” option but it seems to be ineffective against this attack
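A hardening check for the "disable ICMP redirect" countermeasure on a Linux host, added here as an example that is not part of the slides: it parses a `sysctl -a`-style dump, reports every `accept_redirects` and `send_redirects` key that is still enabled, and computes the effective setting for an interface using the rule from the kernel's ip-sysctl documentation (with forwarding disabled, redirects are accepted if either `conf.all` or `conf.<iface>` is set; with forwarding enabled, only if both are). In line with the slide, `secure_redirects` is not treated as a mitigation. The dump and the interface name `eth0` are constructed for the example.

```python
def parse_sysctl(text: str) -> dict:
    """Parse 'key = value' lines such as those printed by sysctl -a."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def accept_redirects_effective(settings: dict, iface: str, forwarding: bool = False) -> bool:
    """Effective IPv4 accept_redirects for one interface (kernel ip-sysctl rule):
    host (forwarding off): all OR interface; router (forwarding on): all AND interface."""
    glob = settings.get("net.ipv4.conf.all.accept_redirects", "0") != "0"
    local = settings.get(f"net.ipv4.conf.{iface}.accept_redirects", "0") != "0"
    return (glob and local) if forwarding else (glob or local)


def audit(settings: dict) -> list:
    """Every accept_redirects / send_redirects key (IPv4 or IPv6, any interface)
    that is not 0, as (key, current, wanted) tuples."""
    findings = []
    for key, value in sorted(settings.items()):
        if key.endswith((".accept_redirects", ".send_redirects")) and value != "0":
            findings.append((key, value, "0"))
    return findings


def hardened(settings: dict) -> dict:
    """The same settings with every finding corrected (what to put in sysctl.conf)."""
    fixed = dict(settings)
    for key, _, wanted in audit(settings):
        fixed[key] = wanted
    return fixed


def render(settings: dict) -> str:
    return "\n".join(f"{k} = {v}" for k, v in sorted(settings.items()))


# Constructed dump of a stock host that still accepts and emits redirects.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
"""

if __name__ == "__main__":
    current = parse_sysctl(SAMPLE_SYSCTL)
    for key, value, wanted in audit(current):
        print(f"{key}: {value} (want {wanted})")
    print("eth0 accepts redirects:", accept_redirects_effective(current, "eth0"))
    print("--- hardened ---")
    print(render(hardened(current)))
```

The edge case worth knowing is the effective-value rule: on a host that does not forward, setting only `net.ipv4.conf.all.accept_redirects = 0` is not enough if the per-interface key is still 1, which is why the audit insists on every key, `default` included so that new interfaces inherit the safe value.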

Blackhats Italia 2003, slide 36

Local to remote attacks (3) - IRDP spoofing

The attacker can forge some advertisement packets pretending to be the router for the LAN. He/she can set the “preference level” and the “lifetime” to high values to be sure the hosts will choose it as the preferred router.

The attack can be improved by sending some spoofed ICMP Host Unreachable pretending to be the real router

Blackhats Italia 2003, slide 37

Local to remote attacks (3) - IRDP spoofing - tools

IRPAS by Phenoelit (http://www.phenoelit.de/irpas/)

Blackhats Italia 2003, slide 38

Local to remote attacks (3) - IRDP spoofing - countermeasures

YES - Disable IRDP on hosts if the operating system permits it.

Blackhats Italia 2003, slide 39

Local to remote attacks (4) - ROUTE mangling

The attacker can forge packets for the gateway (GW) pretending to be a router with a good metric for a specified host on the internet

The netmask should be big enough to win against other routes

[Diagram: INTERNET, the gateway GW, the attacker AT and the host H.]

Blackhats Italia 2003, slide 40

Local to remote attacks (4) - ROUTE mangling

Now the problem for the attacker is to send packets to the real destination. He/she cannot send them through GW since it is convinced that the best route is AT.

[Diagram: INTERNET, GW, AT and H as before, plus the destination D and a second attacker host AT2 joined to AT by a tunnel.]

Blackhats Italia 2003, slide 41

Local to remote attacks (4) - ROUTE mangling - tools

IRPAS (Phenoelit) (http://www.phenoelit.de/irpas/)

Nemesis (http://www.packetfactory.net/Projects/nemesis/)

Blackhats Italia 2003, slide 42

Local to remote attacks (4) - ROUTE mangling - countermeasures

YES - Disable dynamic routing protocols in this type of scenario

YES - Enable some ACLs to block unexpected updates

YES - Enable authentication on the protocols that support it

Blackhats Italia 2003, slide 43

Attack techniques - REMOTE SCENARIOS

Blackhats Italia 2003, slide 44

Remote attacks (1) - DNS poisoning

Type 1 attack
– The attacker sends a request to the victim DNS asking for one host
– The attacker spoofs the reply which is expected to come from the real DNS
– The spoofed reply must contain the correct ID (brute force or semi-blind guessing)

Blackhats Italia 2003, slide 45

Remote attacks (1) - DNS poisoning

Type 2 attack
– The attacker can send a “dynamic update” to the victim DNS
– If the DNS processes it, it is even worse because it will be authoritative for those entries

Blackhats Italia 2003, slide 46

Remote attacks (1) - DNS poisoning - tools

ADMIdPack

Zodiac (http://www.packetfactory.com/Projects/zodiac)

Blackhats Italia 2003, slide 47

Remote attacks (1) - DNS poisoning - countermeasures

YES - Use a DNS with random transaction IDs (Bind v9)

YES - DNSSec (Bind v9) allows the digital signature of the replies.

NO - restrict the dynamic update to a range of IPs (they can be spoofed)
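How to check that a resolver really uses random transaction IDs, the first countermeasure on this slide and the property the Type 1 attack of slide 44 ("brute force or semi-blind guessing") depends on: an added example that is not part of the slides and not the code of any DNS server. Given the IDs of a run of outgoing queries, it measures how often the same increment repeats (a sequential resolver scores 1.0, a random one close to 0), what a constant-increment guesser would predict next, and the work factor the attacker faces in each case. The scoring threshold, the work-factor model and the two ID sequences are this example's own assumptions.

```python
from collections import Counter
import secrets

ID_SPACE = 1 << 16   # DNS transaction IDs are 16 bits


def _deltas(ids) -> list:
    return [(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])]


def delta_predictability(ids) -> float:
    """Fraction of consecutive deltas equal to the single most common delta."""
    deltas = _deltas(ids)
    if not deltas:
        return 0.0
    _, count = Counter(deltas).most_common(1)[0]
    return count / len(deltas)


def predict_next(ids) -> int:
    """What a constant-increment guesser would expect the next ID to be."""
    step, _ = Counter(_deltas(ids)).most_common(1)[0]
    return (ids[-1] + step) % ID_SPACE


def classify(ids, threshold: float = 0.5) -> str:
    # Threshold is an assumption of this example: half the deltas repeating is
    # already enough for "semi-blind" guessing.
    return "predictable" if delta_predictability(ids) >= threshold else "random-looking"


def expected_guesses(ids) -> int:
    """Rough attacker work factor per spoofing attempt under this example's model:
    one forged reply if the next ID is predictable, half the ID space otherwise."""
    return 1 if classify(ids) == "predictable" else ID_SPACE // 2


# Constructed observations: a resolver counting up (and wrapping past 0xFFFF),
# and one drawing IDs from a CSPRNG as the Bind v9 countermeasure implies.
SEQUENTIAL = [(0xFF80 + i) % ID_SPACE for i in range(200)]
RANDOM = [secrets.randbelow(ID_SPACE) for _ in range(200)]


def report(ids) -> dict:
    return {
        "predictability": round(delta_predictability(ids), 3),
        "class": classify(ids),
        "next_guess": predict_next(ids),
        "guesses_per_attempt": expected_guesses(ids),
    }


if __name__ == "__main__":
    print("sequential:", report(SEQUENTIAL))
    print("random:    ", report(RANDOM))
```

The 16-bit space is small enough that even random IDs only raise the cost to tens of thousands of forged replies per attempt rather than removing the attack, which is why the slide lists DNSSEC signatures next to it.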

Blackhats Italia 2003, slide 48

Remote attacks (2) - Traffic tunneling

[Diagram: Client, Gateway, Router 1, the INTERNET and Server; the Attacker and a Fake host are linked to the path by a GRE tunnel ("Tunnel GRE").]

Blackhats Italia 2003, slide 49

Remote attacks (2) - Traffic tunneling - tools

Ettercap (http://ettercap.sf.net)
– Zaratan plugin

TunnelX (http://www.phrack.com)

Blackhats Italia 2003, slide 50

Remote attacks (2) - Traffic tunneling - countermeasure

YES - Strong passwords and community strings on routers

Blackhats Italia 2003, slide 51

Remote attacks (3) - ROUTE mangling

The attacker aims to hijack the traffic between the two victims A and B

The attacker will collect sensitive information through:
– traceroute
– port scanning
– protocol scanning

Quite impossible against link state protocols

Blackhats Italia 2003, slide 52

Remote attacks (3) - ROUTE mangling

Scenario 1 a (IGRP inside the AS)

[Diagram: victims A and B, routers R1 and R2; the attacker pretends to be the GW.]

Blackhats Italia 2003, slide 53

Remote attacks (3) - ROUTE mangling

Scenario 1 b (IGRP inside the AS)

[Diagram: victims A and B, routers R1, R2 and R3.]

Blackhats Italia 2003, slide 54

Remote attacks (3) - ROUTE mangling

Scenario 2 a (the traffic does not pass through the AS)

[Diagram: AS 1, AS 2 and AS 3 with border gateways BG 1, BG 2 and BG 3; the labels BGP and RIP mark the routing protocols in use.]

Blackhats Italia 2003, slide 55

Remote attacks (3) - ROUTE mangling - tools

IRPAS by Phenoelit (http://www.phenoelit.de/irpas/)

Nemesis (http://www.packetfactory.net/Projects/nemesis/)

Blackhats Italia 2003, slide 56

Remote attacks (3) - ROUTE mangling - countermeasure

YES - Use routing protocol authentication

Blackhats Italia 2003, slide 57

Conclusions

The security of a connection relies on:
– a proper configuration of the client (avoiding ICMP Redirect, ARP Poisoning etc.)
– the other endpoint's infrastructure (e.g. DNS dynamic update),
– the strength of third-party appliances to which we don’t have access (e.g. Tunnelling and Route Mangling).

The best way to protect a communication is the correct and conscious use of cryptographic suites
– both client and server side
– at the network layer (e.g. IPSec)
– at the transport layer (e.g. SSLv3)
– at the application layer (e.g. PGP).

Blackhats Italia 2003, slide 58

– Marco Valleri <[email protected]>
– Alberto Ornaghi <[email protected]>