IP-Spoofing and Source Routing Connections - PowerPoint PPT Presentation

About This Presentation
Title:

IP-Spoofing and Source Routing Connections

Description:

IP-Spoofing and Source Routing Connections Spoofing Internet protocol (IP) spoofing: 1. The creation of IP packets with counterfeit (spoofed) IP source addresses. – PowerPoint PPT presentation

Number of Views:364
Avg rating:3.0/5.0
Slides: 11
Provided by: bestitdoc
Category:

less

Transcript and Presenter's Notes

Title: IP-Spoofing and Source Routing Connections


1
IP-Spoofing and Source Routing Connections
2
Spoofing
  • Internet protocol (IP) spoofing 1. The creation
    of IP packets with counterfeit (spoofed) IP
    source addresses. 2. A method of attack used by
    network intruders to defeat network security
    measures such as authentication based on IP
    addresses. Note 1 An attack using IP spoofing
    may lead to unauthorized user access, and
    possibly root access, on the targeted system Note
    2 A packet-filtering-router firewall may not
    provide adequate protection against IP spoofing
    attacks. It is possible to route packets through
    this type of firewall if the router is not
    configured to filter incoming packets having
    source addresses on the local domain Note 3 IP
    spoofing is possible even if no reply packets can
    reach the attacker. Note 4 A method for
    preventing IP spoofing problems is to install a
    filtering router that does not allow incoming
    packets to have a source address different from
    the local domain In addition, outgoing packets
    should not be allowed to contain a source address
    different from the local domain, in order to
    prevent an IP spoofing attack from originating
    from the local network.

3
Full Connection IP-Spoof with Source Route
net E gt net B deny
B.2
B.1
A.1
C.1
A.2
C.2
E.2
D.1
E.1
  • ifconfig eth00 A.2
  • route add -net A eth00
  • ifconfig eth0 down
  • ifconfig eth0 hw ether a
  • route add -net U eth0
  • route add default gw U.2

nc -n -v -s A.2 -g E.2 E.2 23 nc -n -v -s A.2 -g
E.2 E.1 23 nc -n -v -s A.2 -g E.2 -g E.1 C.1
23 nc -n -v -s A.2 -g E.2 -g E.1 -g C.1 B.2 23
4
Ending
  • Solution
  • Disable Source Routing (part of
    IP-options)(Default on firewalls, not default on
    routers)
  • Implement spoofing protection(Not default on all
    firewalls)
  • Do not use filter rules over an untrusted network
    use VPN

5
Enumerate NT Information
  • Null Session
  • net use \\172.16.1.50\ipc /user
  • NetUserEnum (local, global, DumpACL)
  • NetWkstaTransportEnum (Getmac)
  • RpcMgmt Query (EPDump)

6
Privilege Escalation
  • Plant sechole on NT Server
  • Execute sechole via http
  • IUSR account becomes admin
  • Add new user account (via http)
  • Add new user account to Administrator group (via
    http)

7
IIS Buffer Overflow
  • Determine if Server is vulnerable
  • nc 172.16.1.200 80
  • GET /.htr HTTP/1.0
  • Evaluate response
  • Crash IIS and Send Payload
  • Target server contacts our web server and
    downloads payload
  • payload executes on server and contacts our
    attack host

8
Network Countermeasures
  • Block ALL ports at the border routers
  • Open only those ports that support your security
    policy
  • Review Logs
  • Implement Network and Host Intrusion Detection

9
Unix Countermeasures
  • TTDB
  • Kill the "rpc.ttdbserverd" process
  • Apply vendor specific patches
  • Block low and high numbered RPC locator services
    at the border router
  • Xterm
  • Remove trusted relationships with xhost -
  • If sending sessions to another terminal, restrict
    to a specific terminal
  • Block ports 6000-6063 if necessary

10
NT Countermeasures
  • Block tcp and udp ports 135, 137, 138 and 139 at
    the router.
  • Prevent Information leakage
  • Utilize the Restrict anonymous registry
    keyHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Control\Lsa\ RestrictAnonymous DWORD 1
  • Unbind WINS Client (TCP/IP) from the
    Internet-connected NIC
Write a Comment
User Comments (0)
About PowerShow.com