Global Information Assurance Certification Paper - GIAC Certifications
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Interested in learning more?
Check out the list of upcoming events offering
"Security Essentials Bootcamp Style (Security 401)"
at http://www.giac.org/registration/gsecs.
Man-In-the-Middle Attack
ht
rig
-A Brief
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
Author: Bhavin Bharat Bhansali
2,
Submitted on: February 16, 2001
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
1
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Objective:
The Objective of this document is to understand the Execution of
"Man-In-the-Middle" attack.
s.
Overview:
ht
The "Man In The Middle" or "TCP Hijacking" attack is a well known attack where an
rig
attacker sniffs packets from network, modifies them and inserts them back into the network.
There are few programs/source codes available for doing a TCP hijack. Juggernaut, T-
Sight and Hunt are some these programs. In this paper we shall explore Hunt for
ull
understanding how TCP Hijacking is deployed on an Ethernet segment.
f
Hunt is designed by kra kra@gncz.cz. The Hunt source code is available at the following
ns
URL:fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key
tai
ftp://ftp.gncz.cz/pub/linux/hunt/hunt-1.5.tgz
re
Relevance:
or
TCP Hijacking is an exploit that targets the victims TCP based applications like Telnet,
th
rlogin, ftp, mail application, web browser etc. An attacker can grab unenrcypted confidential
Au
information from a victim's network based TCP application. He can further tamper the
Authenticity and Integrity of the data.
2,
Definition of Important Terms:
00
• IP spoofing - IP spoofing involves forging one's source IP address. It is the act of using
-2
one machine to impersonate another. Many applications and tools in UNIX systems rely
on source IP address authentication.
00
20
• ARP spoofing - ARP spoofing involves forging packet source hardware address (MAC
address) to the address of the host you pretend to be.
te
Simple Active Attack against TCP connections - An attack in which the attacker does
tu
•
not merely eavesdrop but takes action to change, delete, reroute, add, forge or divert
sti
data. Perhaps the best-known active attack is Man-In-the-Middle.
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
2
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.The Attack:
s.
ht
rig
f ull
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
Attack Scenario involves three hosts: Attacker, Victim, and Target.
te
• Attacker is the system used by the attacker for the hijack.
tu
• Victim is the system used by the victim for Telnet client connections to the target
sti
system.
• Target is the target system that the intruder wants to compromise. It is where the
In
telnetd daemon is running.
NS
A simple diagram of the network shows the Attacker and Victim hosts are on the same
network (which can be Ethernet switched and the attack will still work), while the target system can
SA
be anywhere. (Actually, either victim or target can be on the same network as attacker: it
doesn't matter.)
©
For the attack to succeed, the victim must use Telnet, rlogin, ftp, or any other non-encrypted
TCP/IP utility. Use of SecurID card, or other token-based two-factor authentication is
useless as protection against hijacking, as the attacker can simply wait until after the user
authenticates, then hijack the session.
Key fingerprint
The attack = AF19
scenario can beFA27 2F94 as:
as simple 998D FDB5 DE3D F8B5 06E4 A169 4E46
1. Attacker: Spends some time determining the IP addresses of target and victim
systems. Determining trust relationships can be easily done with utilities like
3
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.SATAN, finger, systat, rwho or running who, ps, or last from previously stolen (or
wide open "guest" style) accounts.
2. Attacker: Runs hunt as root on attacking host. Waits for hunt to indicate a session
has been detected.
3. Attacker: Starts ARP relay daemon1, prepares RST daemon2 entry for use later, sets
s.
option to enable host name resolution (for convenience).
ht
4. Victim: Logs in to target using Telnet. Runs pine to read/compose email.
rig
5. Attacker: Sees new connection3; lists active connections to see if this one is
potentially "interesting." If it is, attacker can either watch the session (packet sniffing)
ull
or hijack the session. Decides to hijack.
6. Victim: Sees strange new prompt. Tries pressing RETURN and doesn't know what
f
to think. Tries web browser and notices that it still works fine (not a network
ns
problem).
Key fingerprint Not sure
= AF19 FA27what to think.
2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
7. Attacker: Finds this is a user session and decides to give it back (resynchronizes
TCP/IP stream).
re
8. Victim: Sees prompt for keystroke, follows request, gets session back. Puzzled,
or
decides to log in to root account to take a closer look.
9. Attacker: Turns on RST daemon to prevent new connections, waits to hijack root
th
session.
10. Victim: Runs ssu to get SecurID protected root shell. Au
11. Attacker: Completes hijack after seeing root login.
2,
12. Victim: Sees strange prompt. Tries pressing RETURN again. Same result as before.
00
Tries web browser again. Same thing. Tries getting a new Telnet session. Fails. Tries
ftp. Fails.
-2
13. Attacker: Sets up backdoor, disables command history, resets session, turns off RST
daemon.
00
14. Victim: Finally gets a new session. Original session is now gone. Assumes network
20
outage or Windows TCP/IP stack corruption. Reboots system and everything is
back to "normal".
te
15. Attacker: Waits for admin's sessions to all disappear (gone home for the night), then
tu
logs in using new backdoor. Installs rootkit (more backdoors, sniffer), cleans log
sti
files.
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
1
Pls. refer to th e "ARP Daemon" paragrap h of th e "Brief Overview of the Daemon s / threads that ar e used by the exploi t" topic
2
Pls. refer to the "Res et Daemo n" p aragraph of th e "Brief Overview of th e D aemons / threads that are us ed b y the exploit" to pic
3
Pls. refer to the "Sniff Daemo n" p aragraph of the "Brief Ov erview of th e D aem ons / threads that are us ed b y the exploit" topi c
4
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Design Overview:
The development model is based on a packet engine (hunt.c) which runs in its own thread
and captures packets from the network. The packet engine collects information of TCP
connections/starting/termination, sequence numbers and MAC addresses. It collects the
s.
MAC addresses and sequence numbers from the server point of view and separate MAC
ht
addresses and sequence numbers from the client point of view. So it is prepared for
hijacking. This information (seq. num., MAC, etc.) is available to modules so they don't have
rig
to analyze and collect it.
ull
Modules can register functions with the packet engine, which are then invoked when new
f
packets are received. A module function determines if the module is interested in a packet or
ns
not and can place the packet in a module specific list of packets. A module function can also
Key
send fingerprint
some packet= AF19
to theFA27 2F94
network if 998D FDB5 DE3D
it is desirable to do itF8B5
very06E4 A169
fast. The 4E46 (usually in
module
tai
some other thread so it needs to be scheduled to be run) then gets packets from the list and
re
analyzes them. In this way, you can easily develop modules, which perform various activities.
Refer to the appendix section for learning the features offered by hunt.
or
th
Brief Overview of the Daemons / threads that are used by the exploit:
• Reset daemon Au
Reset daemon is used to perform automatic resets of ongoing connections that hunt can
see. You can describe which connections should be terminated by giving src/dst
2,
host/mask and src/dst ports.
00
-2
• ARP daemon
ARP daemon is used to do ARP spoofing of hosts. You enter src and dst addresses and
00
desired src MAC. The dst is then forced to think that src has srcMAC. You can use
20
some fake MAC or better MAC of host that is currently down.
te
• Sniff daemon
tu
Sniff daemon can log specified packets. The sniff daemon can also search for a simple
sti
pattern (string) in the data stream (see the bugs section). You can specify which
connection you are interested in, where to search (src, dst, both), what do you want to
In
search, how many bytes you want to log, from what direction (src, dst, both) and to what
NS
file should the daemon write.
SA
• MAC discovery daemon
MAC discovery daemon is used to collect MAC addresses corresponding to the specified
©
IP range.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
5
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.References:
• Krauz's, Pavel. "HUNT Project." 1.5 - bug fix release. 30th May 2000.
URL: http://lin.fsid.cvut.cz/~kra/index.html#HUNT(9th February, 2001)
s.
ht
• Dave, Dittrich. "Session hijack script". 9th Dec 1999.
rig
URL: http://staff.washington.edu/dittrich/talks/agora/script.html
ull
• Dave, Paras. "TCP Connection Hijacking".
URL: http://cs.baylor.edu/~donahoo/NIUNet/hijack.html (12th February, 2001)
f
ns
• Microsoft
Key fingerprinttechnical
= AF19support.
FA27 2F94 998D FDB5
"Microsoft DE3D
Security F8B5Microsoft
Program: 06E4 A169 4E46 Bulletin
Security
tai
(MS99-046) "December 23, 1999.
re
URL:http://www.microsoft.com/TechNet/security/bulletin/ms99-046.asp(12th
February 2001)
or
th
• Stevens, Richard. "TCP Connection Establishment and Termination". October 1993.
Au
Book Name: TCP/IP illustrated Volume I - The Protocols (7th February 2001).
• Kurtz, George. "Session Hijacking". July 28th, 1999.
2,
Book Name: HACKING EXPOSED - Network Security Secrets and Solutions (8th
00
February, 2001)
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
6
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Appendix
Features of the hunt exploit:
• Connection Reset - With a single properly constructed packet you can reset the
s.
connection (RST flag in TCP header). You can reset server, client, or both. When you
ht
reset only one end the other end is reset when it tries to send data to the first host which
rig
will response with RST because of the connection reset on it.
ull
• Connection sniffing/watching - You can watch hunt output for any connection which
you choose from the list that hunt displays on the console.
f
ns
• ARP-relay
Key fingerprint- =
You can FA27
AF19 insert2F94
packets to the
998D network
FDB5 DE3D (rerouting)
F8B5 06E4 of all
A169data4E46
it receives from
tai
ARP spoofed hosts.
re
or
• Connection Synchronization - This is one of the main features of hunt. If you put some
th
data to the TCP stream (through simple active attack or ARP spoofing), you
desynchronize the stream from the server/original client point of view. After some work
Au
done on that connection you can just reset it or you can try to synchronize both original
ends again. The main goal behind this is to synchronize the sequence numbers on both
2,
client and server again.
00
-2
• Switch/Segment traffic rerouting - With ARP spoofing you can force the Switch to send
you the traffic for hosts on another segment/switched port. This may not work if the
00
Switch has some security policy and MACs have been explicitly set up on a per port basis
but in reality this configuration is hardly done on an "ordinary" network.
20
te
• ACK Storm - The ACK storm is caused by majority of TCP stacks Let's imagine that
tu
you send some data to an ongoing connection to the server (as if sent by the client - with
expected seq. numbers, etc.). The server responds with the acknowledgment of the data
sti
you sent but the original client receives this acknowledgment too. But from the original
In
client point of view, the server has acknowledged data that doesn't exist on the client. So
something strange occurred and the original client sends the "right" sequence number
NS
with ACK to the server. But the TCP rules say that it is required to generate an
immediate acknowledgment when an out-of-order segment is received. This ACK
SA
should not be delayed. So the server sends the acknowledgment of non-existent data to
the client again and the client responds.
©
- Bhavin Bharat Bhansali
- February 16, 2001
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
7
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Last Updated: May 23rd, 2019
Upcoming Training
SANS San Antonio 2019 San Antonio, TX May 28, 2019 - Jun 02, 2019 Live Event
San Antonio 2019 - SEC401: Security Essentials Bootcamp Style San Antonio, TX May 28, 2019 - Jun 02, 2019 vLive
SANS Atlanta 2019 Atlanta, GA May 28, 2019 - Jun 02, 2019 Live Event
Mentor Session @work - SEC401 Birmingham, AL Jun 03, 2019 - Jul 08, 2019 Mentor
Mentor Session - SEC401 Tysons, VA Jun 08, 2019 - Jul 13, 2019 Mentor
SANS Kansas City 2019 Kansas City, MO Jun 10, 2019 - Jun 15, 2019 Live Event
SANSFIRE 2019 Washington, DC Jun 15, 2019 - Jun 22, 2019 Live Event
Community SANS Raymondville SEC401 Raymondville, TX Jun 17, 2019 - Jun 22, 2019 Community SANS
SANSFIRE 2019 - SEC401: Security Essentials Bootcamp Style Washington, DC Jun 17, 2019 - Jun 22, 2019 vLive
SANS Cyber Defence Canberra 2019 Canberra, Australia Jun 24, 2019 - Jul 13, 2019 Live Event
SANS Cyber Defence Japan 2019 Tokyo, Japan Jul 01, 2019 - Jul 13, 2019 Live Event
SANS Charlotte 2019 Charlotte, NC Jul 08, 2019 - Jul 13, 2019 Live Event
Community SANS Philadelphia SEC401 Philadelphia, PA Jul 08, 2019 - Jul 13, 2019 Community SANS
Community SANS Ottawa SEC401 Ottawa, ON Jul 08, 2019 - Jul 13, 2019 Community SANS
SANS London July 2019 London, United Jul 08, 2019 - Jul 13, 2019 Live Event
Kingdom
SANS Cyber Defence Singapore 2019 Singapore, Singapore Jul 08, 2019 - Jul 20, 2019 Live Event
Pittsburgh 2019 - SEC401: Security Essentials Bootcamp Style Pittsburgh, PA Jul 08, 2019 - Jul 13, 2019 vLive
SANS Pittsburgh 2019 Pittsburgh, PA Jul 08, 2019 - Jul 13, 2019 Live Event
SANS Rocky Mountain 2019 Denver, CO Jul 15, 2019 - Jul 20, 2019 Live Event
SANS Columbia 2019 Columbia, MD Jul 15, 2019 - Jul 20, 2019 Live Event
SANS San Francisco Summer 2019 San Francisco, CA Jul 22, 2019 - Jul 27, 2019 Live Event
Mentor Session - SEC401 Seattle, WA Jul 25, 2019 - Aug 29, 2019 Mentor
SANS Boston Summer 2019 Boston, MA Jul 29, 2019 - Aug 03, 2019 Live Event
SANS Crystal City 2019 Arlington, VA Aug 05, 2019 - Aug 10, 2019 Live Event
SANS Melbourne 2019 Melbourne, Australia Aug 05, 2019 - Aug 10, 2019 Live Event
SANS London August 2019 London, United Aug 05, 2019 - Aug 10, 2019 Live Event
Kingdom
Community SANS Raleigh SEC401 Raleigh, NC Aug 12, 2019 - Aug 17, 2019 Community SANS
SANS San Jose 2019 San Jose, CA Aug 12, 2019 - Aug 17, 2019 Live Event
SANS Minneapolis 2019 Minneapolis, MN Aug 12, 2019 - Aug 17, 2019 Live Event
Minneapolis 2019 - SEC401: Security Essentials Bootcamp Style Minneapolis, MN Aug 12, 2019 - Aug 17, 2019 vLive
SANS Virginia Beach 2019 Virginia Beach, VA Aug 19, 2019 - Aug 30, 2019 Live EventYou can also read
