Circumventing Security

1
Circumventing Security

• Lecture 14
• November 15, 2000

2
Some Terms

• Spoofing- an active security attack where one
  machine masquerades as another.
• Sniffing- use of the network interface to receive
  data not intended for the host machine in which
  the interface resides.
• Exploit- a documented bug/hole in the software
  that usually allows for a user to remotely or
  locally gain access to the machine.

3
Types of Attacks

• The different types of attacks can be divided
  into two categories.
• Local (Physical) attacks
• Less common
• More difficult to determine if compromised
• Remote attacks
• More common
• Generally easier to determine if compromised
• Many attacks are a combination of both a local
  and remote attack!

4
Simple Local Attacks

• Removing a computer from service
• Turning off the power
• Unplugging a computer
• Cutting or unplugging a network connection
• Attacking a computer from the terminal
• Using known exploits at the keyboard to access
  the machine.
• Removing a screensaver password Reboot and
  change it before screensaver turns on.

5
Common Remote Attacks

• Most remote exploits have a common path
• Use a known exploit to gain remote access to the
  machine (BIND, FTPD).
• Download a copy of the /etc/passwd file.
• Run a password cracking program on the local
  machine until the root password is compromised.
• Gain access to the machine (telnet, ssh, exploit,
  etc).
• Change to the root user with the cracked password.

6
Spoofing Attacks

• Spoofing attacks are a combination of both local
  and remote attacks.
• Hardware address spoofing
• ARP spoofing
• IP route spoofing
• ICMP spoofing
• RIP spoofing
• Other protocol spoofing
• DNS spoofing
• TCP/IP datagram spoofing

7
Hardware Address Spoofing

• Most software does not modify the source field in
  an Ethernet frame leaving the interface.
• When a packet is received on Ethernet, the source
  address is assumed to be valid.
• However, most NICs have the ability to use
  software-controlled hardware addresses, so an
  address can be faked.
• 01-01-01-01-01-01 or 12-34-56-78-90-AB
• Consider the possibility of one machine trusting
  a secure connection based on the hardware address!

8
Hardware Spoofing (cont.)

• Consider the functionality of a bridge
• A packet from machine A on segment 1 arrives at
  the bridge, destined for machine B on segment 2.
• The bridge will modify the source address of the
  packet to C and then send to machine B on segment
  2.
• A/B combination is transformed to C/B.

9
Hardware Spoofing (cont.)

• Since a bridge is basically a PC, all PCs have
  the ability to modify Ethernet frames.
• Trusting a machine based only on the hardware
  address is NOT recommended!

10
ARP Spoofing

• Most ARP spoofing attacks are accidental than
  intentional!
• If two machines have the same IP address, they
  will both respond to the same ARP request!
• Depending on the operating system, one of two
  things could happen
• The slowest (last) ARP reply to arrive will be
  cached until the ARP entry expires.
• The first ARP reply to arrive will be cached, and
  any further ARP replies will be ignored (until
  ARP entry expires).

11
ARP Spoofing (cont.)

• Depending on the situation, the attacker will
  have to have the ARP request arrive first or last
  depending on what target system they are trying
  to compromise.

12
ARP Spoofing (cont.)

• An attacker has a few options to ARP spoof
• Turn off the legitimate machine use its IP
  address
• Power it down locally
• Shut it down remotely (in Unix, halt)
• Throw the circuit breaker for that machine, etc
• Reconfigure target machine with a new IP address,
  and hijack the old for the attackers machine.

13
Preventing ARP Spoofing

• A true target of an ARP spoof is the machine
  attempting to deceive, not the machine that one
  hijacks!
• Stop using ARP! All shares based on IP addresses
  should use permanent entries in the ARP cache
• Use an ARP server (but the server can still be
  deceived!)

14
Route Spoofing

• Route spoofing is where one attempts to redirect
  IP datagrams to a location that is not the true
  destination.
• Route spoofing, like ARP spoofing, can lead to a
  Denial of Service (DoS) attack.
• Denial of Service- some action taken to prevent a
  target machine from properly communicating
  (sending, receiving, both) with the network.

15
Route Spoofing (cont.)

• With sophisticated software, one use both route
  spoofing and ARP spoofing to give the illusion
  that the network is functioning properly, while
  removing the target machine from the
  communication!
• If two routers exist on a network, only one can
  be the default router.

16
Route Spoofing (cont.)

• Heres how a route spoof can occur
• A machine always sends a transmission to the
  default router first.
• If the default router is not the best choice for
  the transmission, it sends an ICMP redirect
  message back to the host on the same network
  segment, and forwards the datagram to the
  appropriate router.
• The redirect message basically says it would be
  best to send datagrams to a router with IP
  address A.B.C.D for network W.X.Y.Z
• Host machine updates its routing table so it
  doesnt make the mistake again.

17
ICMP-Based Route Spoofing

• A machine can create ICMP redirect messages and
  send them to any other machine in the network!
• The routing table could be unusable. DoS attack.
• A machine could send an ICMP redirect with its
  own IP address, and pose as a router, therefore
  filtering ALL traffic!
• Simplest way to avoid ICMP spoofing is disable
  ICMP redirect messages, in both the hosts and the
  routers!
• But if you kept ICMP redirects, one could
  validate the redirect source address as another
  level of security.

18
Domain Name System Spoofing

• Overview A machine (nameserver) holds a mapping
  between IP addresses and names (www.cnn.com, for
  example).
• A client sends a request to the nameserver for
  the IP address of www.cnn.com, and the nameserver
  replies with the address.

19
Domain Name Spoofing (cont.)

• Hosts commonly trust other machines based on
  their names.
• If the nameserver is compromised, then the domain
  names are subsequently compromised.
• Security-oriented TCP programs do a two-way
  lookup to authorize machines
• Forward lookup (name to IP address)
• Reverse lookup (IP address to name)
• If both match, then machine is authorized.

20
Domain Name Spoofing (cont.)

• In order to make attackers lives more difficult,
  administrators commonly put the forward zone
  and the reverse zone on two separate machines,
  so BOTH must be compromised.
• Also DNS records commonly exist on two separate
  authoritative nameservers, so multiple queries to
  differing nameservers is also another level of
  authentication.

21
TCP Spoofing

• An attacker only needs to estimate the sequence
  number to be assigned to the next data byte to be
  sent by the legitimate user.
• If the correct next-sequence number is guessed,
  the attacker can send a forged datagram
  containing the tainted data that will be
  processed as valid data by the receiver.
• If the attacker sends tainted data after the
  legitimate data, the target machine may
  completely discard the forged datagram if it
  contains less data than the legitimate datagram.

22
TCP Spoofing (cont.)

• If the tainted datagram contains more data than
  the legitimate datagram, only the length of the
  legitimate datagram is rejected. The rest of the
  tainted transmission would be accepted as being
  valid.
• On the other hand, if the forged datagram arrives
  before the legitimate datagram, the forgery will
  be discarded.

23
TCP Spoofing (cont.)

• If the attacker guesses a number thats a bit too
  high, the receiver will take the datagram and put
  in in the buffer.
• Some of the bytes at the end of the datagram may
  be discarded because they may not fit in the
  space allocated by the window advertisement.
• Later, the legitimate datagram will arrive and
  fill the wholes in the entire transmission.

24
A TCP Spoofing Example

• Consider a user logging into a timesharing
  machine and leaving the session idle.
• An attacker merely has to guess the total data
  bytes that the user sent to the server. Usually,
  the username, password, and a few commands are
  sent before the connection lies idle.
• If the attacker estimates within 100 bytes, they
  are usually close enough to hit the advertisement
  window.
• All the attacker has to do is send a forged
  datagram with a sequence of bytes that correspond
  to a command, and it will be executed as if the
  logged in user typed it!

25
TCP Spoofing Example (cont.)

• Since the TCP forgery occurs as the regular user,
  only user commands can be executed.
• rm rf for example

26
Reducing TCP Spoofing Risks

• Log out of unused terminals and open new ones
  only when necessary.
• Use a interactive protocol (telnet, rlogin) that
  adds overhead to make guessing the sequence
  number more difficult.
• Use encrypted-based terminal sessions (ssh).

27
Common Vulnerabilities

• IP Spoofing
• Weak passwords
• Default/Guest accounts
• Network snooping/sniffing
• Viruses/Trojan Horses

28
Common Exploits

• Most common exploits involve buffer overruns.
• If the target software runs as a privileged user,
  then the attacker can run commands as a
  privileged user!
• Exploits vary from operating system to operating
  system.
• Windows NT 4.0 71 vul.
• Windows NT 2000 58 vul.
• RedHat Linux 6.2 i386 34 vul.
• Windows 98 31 vul.
• Windows 95 28 vul.

29
Common Exploits (cont.)

• Buffer Overflow Exploits
• CERT CA-99-03 FTP buffer overflow
• CERT CA-99-08 qpopper (mail)
• CERT CA-99-09 IMAPD (mail)
• CERT CA-99-12 mountd (partition mounting)
• POP3 USER buffer overflow
• POP3 PASS buffer overflow
• Finger services
• BIND NXT vulnerability (DNS)
• And many, many more!

30
Discovering Vulnerabilities

• Disclaimer This sort of unauthorized activity
  may go against your AUP. Do this at your own
  risk!
• riggswages telnet mail.eece.maine.edu 21
• Trying 130.111.113.34...
• Connected to rainier.eece.maine.edu.
• Escape character is ''.
• 220 rainier FTP server (Version wu-2.6.0(1) Thu
  Oct 21 122700 EDT 1999) ready.

31
Discovering (cont.)

• Then, you take the information that the server is
  running wu-2.6.0(1) and you then look on the
  common bug tracking sites to see if there are any
  vulnerabilities.
• No common bugs exist for this FTP server.
• Lets look at another possibility, the SMTP
  server software on port 25.

32
Discovering (cont.)

• riggswages telnet mail.eece.maine.edu 25
  
• Trying 130.111.113.34...
• Connected to rainier.eece.maine.edu.
• Escape character is ''.
• 220 rainier.eece.maine.edu ESMTP Sendmail
  8.9.3/8.9.3/Marc v3.1 (09/04/98) Tue, 14 Nov
  2000 234819 0500
• No known exploits for Sendmail 8.9.3
• Lets look at the POP server next

33
Discovering (cont.)

• riggswages telnet mail.eece.maine.edu 110
  
• Trying 130.111.113.34...
• Connected to rainier.eece.maine.edu.
• Escape character is ''.
• OK POP3 rainier v7.52 server ready
• No known exploits for this server.
• Port scanners
• IP scanners