ece 4112 - internetwork security 1 password cracking, sniffing and man-in-the middle agenda storing...

ECE 4112 - Internetwork Security 1

Password Cracking, Sniffing and Man-in-the Middle

• Agenda Storing Passwords on the system Password Cracking on Windows and Linux Defenses against Password cracking Address Resolution Protocol (ARP) Sniffing Defenses against Sniffing Man in the Middle


Cracking Passwords

• Passwords that can be guessed easily are a problem

• Lots of tools available to figure out passwords

• L0phtcrack windows password cracker• “John the Ripper” Unix password

cracker• Default passwords remaining on a

system are a typical vulnerability


Password storage

• Password files have passwords stored in a hashed or encrypted form

• Hash algorithm example is message digest 4 (MD4)

• Encrypted algorithm example is Data Encryption Standard (DES)

• When you use your password, it is hashed or encrypted and then compared to the stored value

• Crackers use a downloaded local copy of password file on their own machine


Storing Passwords

• Systems have a file with all hashed/encrypted passwords Windows – SAM (Security Accounts Manager) database UNIX - /etc/passwd or /etc/shadow

• Access to these files can make it easy for a hacker to break in


Windows Passwords

• Security Accounts Manager (SAM) has two versions for each password

• LanMan (LM) password version for backward compatibility with windows workgroups

• NT Hash – cryptographic hash for windows NT/2000 (Uses MD4)

• SAM file is in \WINNT\system32\config\ directory which is a binary file that is hard to read

• Back up copy stored in \WINNT\repair


Using Passwords

• System has a hashed/encrypted version of the password stored in a file

• On login attempt– system hashes/encrypts the password typed in by using for

example crypt() function in linux Compares hashed/encrypted value to stored

hashed/encrypted value Idea behind password cracking is to get a copy of the

hashed/encrypted passwords and then make guesses, hash/encrypt the guess and compare


Password Cracking

• Dictionary Attack Hackers steal a copy of the stored password file Guess a password (may use a dictionary) Find hash/encrypted value of the guess Compare hash to entries from stored file Continue this until success or out of options for

password guesses.• Brute Force – Guess every possible combination of

characters• Hybrid – Use dictionary but add characters to dictionary

entries


Password retrieval on Windows

• Sniff the network for passwords being transmitted

• From Administrator’s emergency repair disk

• From back-up directory


Password Cracking on Windows

• L0phtCrack – lc4 (Windows) Available at [email protected]/research/lc/ Password Auditing and Recovery Application Default English dictionary 50,000 words Does “hybrid” attacks Our free trial version does not allow brute force (for $350 can

purchase with that capability) Works on weaker LanMan (LM) as well as NT hashes Can sniff a network for LanMan hashed passwords Can download from a local machine or remote computer the hashed

password file


L0phtCrack (lc4)

• Some statistics (from the website) L0phtCrack obtained 18% of the passwords in 10

minutes 90% of the passwords were recovered within 48

hours on a Pentium II/300 The Administrator and most Domain Admin

passwords were cracked


Password Cracking on UNIX

• John the Ripper

• Available at http://www.openwall.com/john/

• Supports six hashing schemes including XP

• Old Unix used /etc/passwd to store passwords

• Password is stored after cryptographically altered

• Various algorithms (hash/encrypted) used by various Unix platforms

• /etc/password is readable by everyone

• Some Unix store in a shadow password file thus /etc/passwd does not contain the passwords since they are instead in /etc/shadow or /etc/secure, only root can access these files

• If shadow file used, must have root to copy

http://www.openwall.com/john/


Password retrieval on Linux

• List of login names and usernames in /etc/passwd

• List of encrypted passwords in /etc/shadow

• Only /etc/shadow is enough to crack the passwords.

• Having both files makes it easier


John the Ripper

• Combine information from /etc/passwd and /etc/shadow into one file

• Use this file as input for John the Ripper

• John can create guesses by Using built-in dictionary Using account information Using brute-force guessing algorithm


John the Ripper

• Scrambling used for each guess

• When a password is cracked, result displayed on screen

• During execution of this tool, hitting any key will give current guess and status

• Password complexity determines time needed for cracking them


Defenses against Password Cracking

• Select good passwords (not dictionary based)• Change regularly• Use tools to prevent easy passwords• Use password cracking tests against own systems• Protect system back ups that have password files• Unix: activate password shadowing• Windows: disable weaker LM authentication if no

windows 95/98 machines on network


Agenda

Storing Passwords on the systemPassword Cracking on Windows and LinuxDefenses against Password cracking

• Address Resolution Protocol (ARP)

• Sniffing

• Defenses against Sniffing

• Man in the Middle


What is ARP?

• Address Resolution Protocol Used to convert IP addresses to MAC

addresses Low-Level Protocol Essential for inter-network

communication Used in networks with broadcast

capabilities; usually Ethernet


How does ARP work?

• Internetwork Example A forwards packet to Gateway Gateway checks to see if it

has the IP address in the cache

If so, change the address and format packet appropriately and forward on the network

Otherwise broadcast a request on the network. B will respond with MAC address. Format packet and forward to B.


How does ARP work?

• LAN Example A sends ARP request

packet on LAN Only the machine with

matching IP responds with MAC

B caches the IP & MAC pair

Forwards all packets for same IP to the cached MAC


Example of ARP in Use

The figure shows the use of ARP when a computer is trying to contact another computer on the same LAN using ping:


Four Types of ARP Messages

ARP request ARP reply RARP requestRARP reply


Reverse Address Resolution Protocol (RARP)

• Physical address of host machine is able to request its IP from a gateway server’s ARP table

• A router maps the MAC address to corresponding Internet Protocol addresses

• RARP client program requests from the RARP server on the router to be sent its IP address

• RARP then returns the IP address to the machine which can store it for future use


Format of ARP Message

The ARP request includes: -target machine (TARGET IP) -IP address of the sender

machine (SENDER IP) -physical address of the sender (SENDER HA) -physical address of target

machine (TARGET HA)


ARP Poisoning

Note: ARP is stateless

The malicious computer (Machine C) can send an ARP Reply to A and cause A to associate B’s IP with C’s MAC address.

This will cause all messages from A to B to go to C

Do the same to B


ARP Poisoning

C can now act as middle man for all communications between A and B.

C can decide which packets are forwarded and which are discarded.

C can also alter communications packets between A and B.

This attack can act as a doorway.


Agenda

Storing Passwords on the systemPassword Cracking on Windows and LinuxDefenses against Password crackingAddress Resolution Protocol (ARP)

• Sniffing

• Defenses against Sniffing



Sniffing

• Collect information being transmitted on the network

• Attacker must be either on source, destination or intermediate network

• Sniffed information can be stored/logged


Sniffing traditional LANS

• Traditional networks Broadcast medium – easy to sniff

HUB

attacker

Data A

Data A

Data A

Data A


Sniffing Switched LANS

• Switched LANS Difficult to do, but possible Address Resolution Protocol Cache Poisoning -

Attacker must inject packets into the network to redirect traffic

Attacker lies about the MAC address intercepts traffic– ARP tells which MAC address corresponds to which IP

address


Sniffing Switched LANS

SWITCH

attacker

Data A Data A


Sniffit

• Easy to use sniffer• Available at:

http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

• Can be run in interactive mode

• Can be used to sniff traditional LANS

• For Switched LANS, must be used with ARP Cache Poisoning tools

http://reptile.rug.ac.be/~coder/sniffit/sniffit.html


Sniffit

• Conditions (from the Sniffit web page): You should be ROOT on your machine The machine has to be connected to a network You have to be allowed to sniff (ethical condition)


Sniffit – Interactive mode

• All TCP traffic can be viewed in main screen

• Traffic from each system and port to each system and port can be seen

• Has option to see data in a particular stream flow


ethereal

• From http://www.ethereal.com/• Ethereal is a free network protocol analyzer for

Unix and Windows. • It allows you to examine data from a live network

or from a capture file on disk. • You can interactively browse the capture data,

viewing summary and detail information for each packet.

• Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.

Source: www.ethereal.com


Source: www.ethereal.com


Defense against Sniffing

• Transmit encrypted data across a network

• Don’t use telnet, rsh,rlogin

• Use Secure Shell

• Use VPNs to encrypt data between systems

• Use switches instead of hubs – makes sniffing more difficult


Defense against Sniffing

• For critical systems MAC address filtering on switches Restrict MAC addresses that can send and receive

data on specific switch connectors (plugs) Hard code ARP tables on critical systems


Agenda

Storing Passwords on the systemPassword Cracking on Windows and LinuxDefenses against Password crackingAddress Resolution Protocol (ARP)SniffingDefenses against Sniffing



Man in the Middle:Sniffing

• It is the easiest attack to launch since all the packets transit through the attacker.

• All the “plain text” protocols are compromised (the attacker can sniff user and password of many widely used protocol such as telnet, ftp, http)


Man in the Middle: Hijacking

• Easy to launch

• It isn’t blind (the attacker knows exactly the sequence numbers of the TCP connection)


Man in the Middle: Injecting

• Possibility to add packets to an already established connection (only possible in full-duplex MITM)

• The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets.

• If the MITM attack is a “proxy attack” it is even easier to inject (there are two distinct connections)


Attacks examples (1)Command injection

• Useful in scenarios where a one time authentication is used (e.g. RSA token). In such scenarios sniffing the password is useless, but hijacking an already authenticated session is possible

• Injection of commands to the server

• Emulation of fake replies to the client


Attacks examples (2)Malicious code injection

• Insertion of malicious code into web pages or mail (javascript, trojans, virus, etc)

• Modification on the fly of binary files during the download phase (virus, backdoor, etc)


Attacks examples (3)Payload modification

• The attacker can modify the payload of the packets by recalculating the checksum

• The length of the payload can also be changed but only in full-duplex (in this case the seq number has to be adjusted)


The Lab Exercise – Set up


The Exercise - Tools

• Address Resolution Protocol• Ettercap to passively sniff a

connection• Ettercap to actively disrupt a

connection• Hunt to hijack a connection


Exercise – Investigating ARP

• Check ARP Table on all machines• Observe changes to the ARP table using

Ethereal as unknown IP addresses are pinged• Get a better feel for ARP by making manual

changes to the ARP table• Observe effects of making incorrect entries

into the ARP table


Exercise – Using Ettercap


The Lab - Introduce Ettercap


Exercise – Using Ettercap

• Use Ettercap passively for sniffing Use Redhat 8.0 machine to ARP poison both 7.2

machines Start an FTP communication between the two 7.2

machines Observe traffic between the two 7.2 machines

• Use Ettercap actively for disruption Start a telnet connection between the two 7.2

machines Use filters to disrupt the connection between the

two machines


Exercise – Using Hunt

• Hijack a connection between the two 7.2 machines ARP poison the 7.2 machines Start an active connection between the two

7.2 machines Use Hunt to hijack the connections


This demonstration involves three hosts: attacker, victim, and target. •attacker is the system used by the attacker for the hijack. •victim is the system used by the victim for telnet client connections to the target system. •target is the target system that the intruder wants to compromise. It is where the telnetd daemon is running.

A simple diagram of the network shows the attacker and victim hosts are on the same network (which may use an ethernet switch and the attack will still work), while the target system can be anywhere. (Actually, either victim or target can be on the same network as attacker: it doesn't matter.)

For the attack to succeed, the victim must use telnet, rlogin, ftp, or any other non-encrypted TCP/IP utility. Use of SecurID card, or other token based secondary authentication is useless as protection against hijacking, as the attacker can simply wait until after the user authenticates, then hijack the session.

Session hijack example From http://staff.washington.edu/dittrich/talks/qsm-sec/


The attack scenario can be as simple as:

1. Attacker: Spends some time determining the IP addresses of target and victim systems. Determining trust relationships can be easily done with utilities like SATAN, finger, systat, rwho or running who, ps, or last from previously stolen (or wide open "guest" style) accounts.

2. Attacker: Runs hunt as root on attacking host. Waits for hunt to indicate a session has been detected (hunt will note a new session by changing its prompt from "->" to "*>").

3. Attacker: Starts ARP relay daemon, prepares RST daemon entry for use later, sets option to enable host name resolution (for convenience).

4. Victim: Logs in to target using telnet. Runs pine to read/compose email.



5. Attacker: Sees new connection; lists active connections to see if this one is potentially "interesting." If it is, attacker can either watch the session (packet sniffing) or hijack the session. Decides to hijack.

6. Victim: Sees strange new prompt. Tries pressing RETURN and doesn't know what to think. Tries web browser and notices that it still works fine (not a network problem). Not sure what to think.

7. Attacker: Finds this is a user session and decides to give it back (resynchronizes TCP/IP stream).

8. Victim: Sees prompt for keystrokes, follows request, gets session back. Puzzled, decides to log in to root account to take a closer look.

9. Attacker: Turns on RST daemon to prevent new connections, waits to hijack root session.

10. Victim: Runs ssu to get SecurID protected root shell.



11. Attacker: Completes hijack after seeing root login.

12. Victim: Sees strange prompt. Tries pressing RETURN again. Same result as before. Tries web browser again. Same thing. Tries getting a new telnet session. Fails. Tries ftp. Fails.

13. Attacker: Sets up backdoor, disables command history, resets session, turns off RST daemon.

14. Victim: Finally gets a new session. Original session is now gone. Assumes network outage or Windows TCP/IP stack corruption. Reboots system and everything is back to "normal").

15. Attacker: Waits for admin's sessions to all disappear (gone home for the night), then logs in using new backdoor. Installs rootkit (more backdoors, sniffer), cleans log files.



References

• http://alor.antifork.org/talks/MITM-BHeu03.ppt

• http://www.csc.vill.edu/~fsalandr/netclass/cassel.ppt

• http://staff.washington.edu/dittrich/talks/qsm-sec/script.html

http://www.csc.vill.edu/~fsalandr/netclass/cassel.ppt

http://www.csc.vill.edu/~fsalandr/netclass/cassel.ppt

ece 4112 - internetwork security 1 password cracking, sniffing and man-in-the middle agenda storing...

Documents

password guesses

stored password fileguess

middleagendastoring

stored filecontinue

stored valuecrackers

hashedencrypted version

domain admin passwords

hashedencrypted valueidea