TYPE OF ATTACKS
OUTLINE
• Social Engineering
• Network Attack
SOCIAL ENGINEERING
A Quote from Kevin Mitnick
“You could spend a fortune purchasingtechnology and services from every exhibitor,speaker and sponsor at the RSA Conference,and your network infrastructure could stillremain vulnerable to old-fashionedmanipulation.”
Types of Attacks
• Phishing
• Impersonation on help desk calls
• Physical access (such as tailgating)
• Shoulder surfing
• Dumpster diving
• Stealing important documents
Phishing
• Use of deceptive mass mailing
• Can target specific entities (“spear phishing”)
Impersonation on help desk calls
• Calling the help desk pretending to be someone else
• Usually an employee or someone with authority
• Prevention:• Assign pins for calling the help desk
• Don’t do anything on someone’s order
• Stick to the scope of the help desk
Physical access
• Tailgating
• Ultimately obtains unauthorize building access
• Prevention• Require badges
• Employee training
• Security officers
• No exceptions!
Shoulder surfing
• Someone can watch the keys you press when entering your password
• Probably less common
• Prevention:
• Be aware of who’s around when entering your password
Dumpster diving
• Looking through the trash for sensitive information
• Doesn’t have to be dumpsters: any trashcan will do
• Prevention:• Easy secure document destruction
• Lock dumpsters
• Erase magnetic media
Stealing important documents
• Can take documents off someone’s desk
• Prevention:• Lock your office
• If you don’t have an office: lock your files securely
• Don’t leave important information in the open
Attack Model
NETWORK ATTACKS
• Datalink layer : ARP poisoning, MAC flooding
• Network Layer : Attack against IP
• Transport layer : Attack against TCP and UDP
• Application layer : cookie protocol problem, session hijacking
DATALINK ATTACK
ARP CACHE POISONING
• there is no way to authenticate the IP to MAC address mapping in the ARP reply
• if computer ‘A’ has sent and ARP request and it gets an ARP reply, then ARP protocol by no means can check whether the information or the IP to MAC mapping in the ARP reply is correct or not
• even if a host did not send an ARP request and gets an ARP reply, then also it trusts the information in reply and updates its ARP cache.
• An evil hacker can craft a valid ARP reply in which any IP is mapped to any MAC address of the hackers choice and can send this message to the complete network
How ARP Works?
ARP Request is Broadcast to all the hosts in LAN
10.0.0.1
10.0.0.3
10.0.0.2
00:00:00:00:00:01
00:00:00:00:00:03
00:00:00:00:00:02
Who has IP 10.0.0.2?
Tell your MAC address
IIT Indore © Neminath Hubballi
How ARP Works?
10.0.0.1
10.0.0.3
10.0.0.2
00:00:00:00:00:01
00:00:00:00:00:03
00:00:00:00:00:02
I have IP 10.0.0.2
My MAC is 00:00:00:00:00:02
Unicast Reply from concerned host
IIT Indore © Neminath Hubballi
ARP Cache Stores IP-MAC Pairs
10.0.0.1
10.0.0.3
10.0.0.2
00:00:00:00:00:01
00:00:00:00:00:03
00:00:00:00:00:02
ARP cache : updated
IP MAC TYPE
10.0.0.2 00:00:00:00:00:02 dynamic
IIT Indore © Neminath Hubballi
Why is ARP Vulnerable?
ARP is a stateless protocol
Hosts cache all ARP replies sent to them even if they
had not sent an explicit ARP request for it.
No mechanism to authenticate their peer
IIT Indore © Neminath Hubballi
Known Attacks Against ARP
ARP Spoofing
Man-in-the-Middle Attack
Denial-of-Service Attack
MAC Flooding ( on Switch )
DoS by spurious ARP packets
IIT Indore © Neminath Hubballi
ARP Spoofing Attack
Attacker sends forged ARP packets to the victim
10.0.0.1 10.0.0.200:00:00:00:00:01 00:00:00:00:00:02
I have IP 10.0.0.3
My MAC is 00:00:00:00:00:02
ARP Reply
IP MAC TYPE
10.0.0.3 00:00:00:00:00:02 dynamic
Attacker
Target
Victim
10.0.0.3
00:00:00:00:00:03
IIT Indore © Neminath Hubballi
Spoofing Results in Redirection of
Traffic
10.0.0.1
00:00:00:00:00:01
10.0.0.2
00:00:00:00:00:02
Packets for 10.0.0.3
10.0.0.3
00:00:00:00:00:03
IIT Indore © Neminath Hubballi
Man-in-the-Middle Attack Allows
Third Party to Read Private Data
10.0.0.1
10.0.0.3
10.0.0.2
00:00:00:00:00:03
00:00:00:00:00:02
Attacker
IP MAC TYPE
10.0.0.3 00:00:00:00:00:01 dynamic
IP MAC TYPE
10.0.0.2 00:00:00:00:00:01 dynamic
00:00:00:00:00:01
23IIT Indore © Neminath Hubballi
Denial of Service Stops Legitimate
Communication
A malicious entry with a non-existent MAC address can lead to a
DOS attack
10.0.0.1 10.0.0.2
00:00:00:00:00:02
I have IP 10.0.0.3
My MAC is XX:XX:XX:XX:XX:XX
ARP Reply
IP MAC TYPE
10.0.0.3 XX:XX:XX:XX:XX:XX dynamic
Attacker
Victim
00:00:00:00:00:01
Target
10.0.0.300:00:00:00:00:03
24IIT Indore © Neminath Hubballi
Denial of Service Stops Legitimate
Communication
00:00:00:00:00:01
Victim unable to reach the IP for which the forged packet was
sent by the attacker
10.0.0.110.0.0.2
00:00:00:00:00:02
IP MAC TYPE
10.0.0.3 XX:XX:XX:XX:XX:XX dynamic
Attacker
Victim
PING 10.0.0.3 Request timed out.
IIT Indore © Neminath Hubballi
MAC Flooding Degrades Network
Performance
Attacker bombards the switch with numerous forged ARP packets
at an extremely rapid rate such that its CAM table overflows
PORT MAC
1 00:00:01:01:01:01
2 00:00:02:02:02:02
…. ……
….. …….
10.0.0.1
00:00:00:00:00:01
Attacker
26IIT Indore © Neminath Hubballi
DoS by Spurious ARP Packets
Attacker sends numerous spurious ARP packets at the victim
such that it gets engaged in processing these packets
Makes the Victim busy and might lead to Denial of Service
10.0.0.1
00:00:00:00:00:01
Attacker
Victim
Spurious ARP Packets
Busy
ProcessingIIT Indore © Neminath Hubballi
LAB’S TIME
Objectives
• Scan, detect, protect and attack computer on LANs
What you need :
• PC with windows server 2012 as host machine
• Windows2008 running on virtual maschine as target machine
• Installed-version of WinPcap driver
• Double click WinArpAttacker.exe
What to do
1. Launch Windows server 8 Virtual Machine
2. Launch WinArpAttacker in the host machine
3. Click the scan option from toolbar menu, select Scan LAN. The scan the active host on the LAN.
4. Select a victim host (window server 2008) from the display list. Select attack -> flood. Scanning acts as another gateway or IP-forwarder without other user recognition on the LAN, while spoofingARP tables.
• 5. All data sniffed by spoofing andforwarded by WinArpAttackerIP-forward functions are counted, as shown in the main interface. The BanGateway option tells the gatewaywrong MACaddresses of target computer, so the target can’t receivepackets from the internet.
6. Click save to save the report
QUESTION
• Analize and document the scanned, attacked IP address.
NETWORK LAYER
• IP doesn’t has an authentication mechanism.
• A packet simply claims to originated from a given address, andthere is no a way to be sure that the host that sent the packet istelling the truth.
• The fitur of authentication must be provided by higher layer.
IP Spoofing
• There is one host that claims to have an IP address of another.
IP Session Hijacking
• Is an attack whereby a user’s session is taking over, being in thecontrol of an attacker.
TRANSPORT LAYER
• TCP ATTACK • TCP SYN or TCP ACK Flood attack
• TCP sequence number attack
• TCP/IP hijacking
• UDP attack• ICMP attack
• Smurf attack
• ICMP tunneling
TCP SYN
TCP Sequenced number attack
• Each time a TCP message is sent the client or the server generates a sequence number. The attacker intercepts and then responds with a sequence number similar to the one used in the original session. This attack can then hijack or disrupt a session. If a valid sequence number is guessed the attacker can place himself between the client and the server. The attacker gains the connection and the data from the legitimate system.
TCP Hijacking
• This is also called active sniffing, it involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system.
ICMP Attacks
• Ping for instance, that uses the ICMP protocol. sPing is a good example of this type of attack, it overloads te server with more bytes than it can handle, larger connections. Its ping flood.
SMURF ATTACK
• This attack uses IP spoofing and broadcasting to send a ping to a group of hosts on a network. When a host is pinged it send back ICMP message traffic information indicating status to the originator. If a broadcast is sent to network, all hosts will answer back to the ping. The result is an overload of network and the target system. The only way to prevent this attack is to prohibit ICMP traffic on the router.
ICMP Tunneling
• ICMP can contain data about timing and routes. A packet can be used to hold information that is different from the intended information. This allows an ICMP packet to be used as a communications channel between two systems. The channel can be used to send a Trojan horse or other malicious packet. The counter measure is to deny ICMP traffic on your network.
APPLICATION LAYER
Cookie protocol problems
Server is blind:• Does not see cookie attributes (e.g. secure, HttpOnly)
• Does not see which domain set the cookie
Server only sees: Cookie: NAME=VALUE
Example 1: login server problems
1. Alice logs in at login.site.com
login.site.com sets session-id cookie for .site.com
2. Alice visits evil.site.com
overwrites .site.com session-id cookiewith session-id of user “badguy”
3. Alice visits course.site.com to submit homework
course.site.com thinks it is talking to “badguy”
Problem: course.site.com expects session-id from login.site.com;
cannot tell that session-id cookie was overwritten
Example 2: “secure” cookies are not secure
Alice logs in at https://accounts.google.com
Alice visits http://www.google.com (cleartext)
• Network attacker can inject into responseSet-Cookie: SSID=badguy; secure
and overwrite secure cookie
Problem: network attacker can re-write HTTPS cookies !• HTTPS cookie value cannot be trusted
set-cookie: SSID=A7_ESAgDpKYk5TGnf; Domain=.google.com; Path=/ ;
Expires=Wed, 09-Mar-2026 18:35:11 GMT; Secure; HttpOnly
set-cookie: SAPISID=wj1gYKLFy-RmWybP/ANtKMtPIHNambvdI4; Domain=.google.com;Path=/ ;
Expires=Wed, 09-Mar-2026 18:35:11 GMT; Secure
Interaction with the DOM SOPCookie SOP path separation:
x.com/A does not see cookies of x.com/B
Not a security measure: x.com/A has access to DOM of x.com/B
<iframe src=“x.com/B"></iframe>
alert(frames[0].document.cookie);
Path separation is done for efficiency not security:
x.com/A is only sent the cookies it needs
Cookies have no integrity
User can change and delete cookie values
• Edit cookie database (FF: cookies.sqlite)
• Modify Cookie header (FF: TamperData extension)
Silly example: shopping cart software
Set-cookie: shopping-cart-total = 150 ($)
User edits cookie file (cookie poisoning):
Cookie: shopping-cart-total = 15 ($)
Similar problem with hidden fields
<INPUT TYPE=“hidden” NAME=price VALUE=“150”>
53
Session hijacking
Attacker waits for user to login
then attacker steals user’s Session Token and “hijacks” session
⇒ attacker can issue arbitrary requests on behalf of user
Example: FireSheep [2010]
Firefox extension that hijacks Facebook session tokens over WiFi. Solution: HTTPS after login
Beware: Predictable tokensExample 1: counter
⇒ user logs in, gets counter value,
can view sessions of other users
Example 2: weak MAC. token = { userid, MACk(userid) }• Weak MAC exposes k from few cookies.
Apache Tomcat: generateSessionId()
• Returns random session ID [server retrieves client state based on sess-id]
Session tokens must be unpredictable to attacker
To generate: use underlying framework (e.g. ASP, Tomcat, Rails)
Rails: token = MD5( current time, random nonce )
Beware: Session token theftExample 1: login over HTTPS, but subsequent HTTP
• Enables cookie theft at wireless Café (e.g. Firesheep)
• Other ways network attacker can steal token:• Site has mixed HTTPS/HTTP pages ⇒ token sent over HTTP
• Man-in-the-middle attacks on SSL
Example 2: Cross Site Scripting (XSS) exploits
Amplified by poor logout procedures:• Logout must invalidate token on server
Mitigating SessionToken theft by binding
SessionToken to client’s computer
Client IP addr: makes it harder to use token at another machine• But honest client may change IP addr during session
• client will be logged out for no reason.
Client user agent: weak defense against theft, but doesn’t hurt.
SSL session id: same problem as IP address (and even worse)
A common idea: embed machine specific data in SID
Session fixation attacks
Suppose attacker can set the user’s session token:
• For URL tokens, trick user into clicking on URL
• For cookie tokens, set using XSS exploits
Attack: (say, using URL tokens)
1.Attacker gets anonymous session token for site.com
2.Sends URL to user with attacker’s session token
3.User clicks on URL and logs into site.com• this elevates attacker’s token to logged-in token
4.Attacker uses elevated token to hijack user’s session.
Session fixation: lessonWhen elevating user from anonymous to logged-in:
always issue a new session token
After login, token changes to value unknown to attacker
⇒ Attacker’s token is not elevated.
LAB’S TIME
Objectives
• Sniffing password using wireshark
What to do
1. Launch Wireshark
2. From the wireshark menu bar, select capture interfaces(Ctrl+I)
3. In the Wireshark capture interfaces dialog box, find and selectthe Ethernet Driver Interface that is connected to the system, andthen click start.
4. Switch to virtual machine and login to your email.
5. You may save the captured packets from file save as.
6. In Find by...
QUESTION
1. Evaluate the protocols that are involved in the activity thatcaptured by wireshark
2. Evaluate the result of the activity
REFERENCES
1. CEH Modul “SOCIAL ENGINEERING”
2. https://www.petri.com/social-engineering-security-plus
3. Matt Curtin.”Introduction to network security”, 1997
4. “Network Security”, www.tutorialspoint.com
5. Network Security, course slide, http://ece.duke.edu
6. Certified Ethical Hacker ver 8 (Sniffing) Modul