Hackers Beware

120

TCP Sequence Prediction: Class=trivial time dependency Difficulty=2 (Trivial joke)

Remote operating system guess: Windows NT4 / Win95 / Win98 Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )

Interesting ports on (10.4.0.5):

(The 1514 ports scanned but not shown below are in state: closed)

TCP Sequence Prediction: Class=trivial time dependency Difficulty=2 (Trivial joke)

Remote operating system guess: Windows NT4 / Win95 / Win98

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds

Now we can see that we have two Cisco devices, one Netware and two Windows machines.

Protection

Once again, the best means of protection is a firewall that properly blocks traffic and only allows traffic on specific ports to specific machines. This way, the attacker only gets a limited view of what is going on. Remember the less information an attacker has the better.

Exploiting the System

At this point, we have a really clear map of the network, active machines, type of machines, and potential vulnerabilities. Now it is just a matter of exploiting those machines. The way this is usually done is after you know

the operating system, version, and open ports, you look up known vulnerabilities in a database or on the Internet and go after those first. Exploiting systems is what this book is about. So as we go through this book, covering each exploit and how they work, remember this section and how it fits into the big picture

Summary

This chapter laid the groundwork for the steps an attacker would take to plan an attack. It also gave a roadmap for the rest of this book. Everything else that we cover fits into this picture. It is always important to remember that the sooner you can stop someone by limiting the information they gain or the sooner you can detect someone trying to get into your system, the more secure your network will be. The other key point is that even though what we covered in this chapter seems very straightforward, if you run it against another network without permission, it could be perceived as an offensive action against the site, and it could get you in a lot of trouble. From a security perspective, you should definitely run these steps against your own site, so you can better understand what information an attacker could gather. After you know this information, you will have a better idea of what things in your company need to be fixed and their priority.

Chapter 4. Spoofing

As I watch the opening scene of the movie Mission: Impossible 2 (M:I2), I am amazed as a person who I think is Tom Cruise gases everyone in the airplane and takes the test tubes from the scientist who is sitting next to him. How could this be? I thought Ethan (the character Tom Cruise plays) was a good guy. Then, as he walks through the plane, much to everyone’s astonishment, he peels off the fake face he is wearing and reveals the true person. It’s not really Ethan, but someone who is impersonating him. This has nothing to do with computers, but this is a form of spoofing.

By wearing a mask, the person I thought was Tom Cruise was able to deceive or spoof the scientist into believing that he was someone else. From a hacking standpoint, there are many reasons someone would want to do this.

As we will cover in this chapter, there are various types of spoofing, each with various levels of difficulty. In its most basic form, an attacker alters his identity so that someone thinks he is someone else. This can be as easy as changing his IP address or as deceptive as impersonating the president of your company with email. The bottom line is he is altering his identity to be someone or something that he is not.

Most of this chapter will cover computer-based spoofing attacks such as IP spoofing, but because non-computer-based techniques can be just as effective, they are also covered at the end of the chapter. Remember that it does not matter how an attacker can compromise your network, just whether he can be successful. This chapter will make sure that your company is prepared to defend against any type of spoofing attack

Why Spoof?

As in the preceding example, if an attacker can convince a computer or a network that he is someone else (a trusted party), he can probably access information he normally could not get. For example, if you trust John but you do not trust Joe, and Joe can spoof his identity to appear to be John, you will trust Joe (because you think he is John); and Joe can get the access he wants.

When engineers design networks, they often set up access permissions and trusts based on information like IP addresses. It is critical that you understand how easy it is to spoof such information, so that you can design better security models for your computer networks. Only by understanding the current limitations can you move forward and build networks that are less prone to attacks.

Types of Spoofing

There are four types of spoofing that will be covered in this chapter. Here is a brief explanation of each:

•IP spoofing. An attacker uses an IP address of another computer to acquire information or gain access.

•Email spoofing. Involves spoofing from the address of an email. In essence, the email looks like it came from Eric, but in reality, Eric did not send the email. Someone who was impersonating Eric sent it.

•Web spoofing. The World Wide Web is being used for more and more e-commerce. To use the web for e-commerce, people have to be identified and authenticated so that they can be trusted. Whenever an entity has to be trusted, the opportunity for spoofing arises.

•Non-technical spoofing. These types of attacks concentrate on compromising the human element of a company. This is done through social engineering techniques.

IP Spoofing

When most analysts think of spoofing, they think of IP spoofing, where an attacker changes his IP address so that he appears to be someone else. The key to remember is that because an attacker is spoofing someone’s IP address, when the victim replies back to the address, it goes back to the spoofed address, not the attacker’s real address.

Figure 4.1 is an example of an attacker sending a packet with a spoofed IP address to John. John receives the packet but then replies to the IP address listed as the recipient and not the attacker’s address. Therefore, the attacker can send packets to a machine with a spoofed address but does not receive any packets back. This is referred to as a flying blind attack, or a one-way attack, because you only can send packets to the victim. You cannot receive any packets back.

Figure 4.1. Attacker sending a spoofed packet.

The attacker does not see any replies from the victim. Depending on where the attacker is located, if he inserts himself in the path between the victim’s machine and the machine whose address he is spoofing, he might be able to pull off the replies shown in Figure 4.2.

Figure 4.2. Attacker injecting himself in the path so that he can observe all traffic.

There are three basic flavors of IP spoofing attacks, as follows:

•Basic address change

•Use of source routing to intercept packets

•Exploitation of a trust relationship on UNIX machines

More active attacks, where you take over an existing session by spoofing an address, are covered in Chapter 5, “Session Hijacking.” Session hijacking is similar to IP spoofing but requires taking over an active session by knocking a machine offline. Therefore, it is covered in a separate chapter.

Basic Address Change

Because IP address spoofing involves changing one machine’s IP address to look like someone else’s, the most basic form of IP spoofing is to go into a network configuration and change the IP address. By doing that, all packets that are sent out have an IP address of the address the attacker wants to spoof. This is very low tech, because all replies go back to the address he is spoofing and not his machine. Also, because TCP requires a three-way handshake to get initialized, this cannot be completed, because the replies go back to a machine that knows nothing about the session, because its IP address was spoofed.

This has several limitations, but in terms of certain types of denial of service attacks, it only takes one packet to crash the machine. And spoofing the address makes it much harder to trace back to the attacker. With certain attacks, if a system receives an unexpected packet, it could still crash the system. Also, because UDP is connectionless, a single UDP packet could be sent to a victim system. For additional details on how TCP and the three-way handshake work, see Chapter 5.

To change the IP address on a Windows machine, an attacker would perform the following steps:

1.From the Start menu, select Settings, Control Panel.

2.Double-click the Network icon (see Figure 4.3).

Figure 4.3. Network information for a Windows 98 machine.

3.Select the TCP/IP protocol for the network card you are using, and the IP Address screen appears (see Figure 4.4).

Figure 4.4. TCP/IP properties for a Windows 98 machine.

The attacker enters the IP address he wants to spoof and reboots the machine. Now, any packets that are sent will have a spoofed source address.

On UNIX machines, an attacker uses the ifconfig command from a terminal window or runs Control Panel from X-Windows to change the IP

information. By typing ifconfig, the following results appear, which display information on the network interfaces for the system:

frame:1

TX packets:25087 errors:0 dropped:0 overruns:0

carrier:0

collisions:1185 txqueuelen:100 Interrupt:17 Base address:0x8000

RX packets:6588 errors:0 dropped:0 overruns:0

frame:0

TX packets:6588 errors:0 dropped:0 overruns:0

carrier:0

collisions:0 txqueuelen:0

The following command changes the address:

ifconfig <interface> x.x.x.x

where <interface> is the name of the interface—for example, eth0. If the attacker uses Control Panel under X-windows, he gets similar screens to those that are shown for Windows.

To illustrate how basic IP spoofing works, let’s look at some sample sniffer data from a machine 208.246.68.46 attempting a connection:

11:17:09.145118 eth0 < 208.246.68.46.2231 > 208.246.68.48.ftp: R

1850475754:1850475754(0) win 0 (DF)

11:17:10.915599 eth0 < 208.246.68.46.2232 > 208.246.68.48.ftp: S

1850495970:1850495970(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)

11:17:10.915633 eth0 > 208.246.68.48.ftp > 208.246.68.46.2232: S

352591502:352591502(0) ack 1850495971 win 32120 <mss 1460,nop,nop,sackOK> (DF)

11:17:10.915771 eth0 < 208.246.68.46.2232 > 208.246.68.48.ftp:

. 1:1(0) ack 1 win

8760 (DF)

11:17:13.952415 eth0 > 208.246.68.48.ftp > 208.246.68.46.2232: P 1:97(96) ack 1

win 32120 (DF) [tos 0x10]

11:17:14.125905 eth0 < 208.246.68.46.2232 > 208.246.68.48.ftp:

. 1:1(0) ack 97 win 8664 (DF)

11:17:14.530384 eth0 < 208.246.68.46.2232 > 208.246.68.48.ftp: R

1850495971:1850495971(0) win 0 (DF)

As you can see, the machine could perform a three-way handshake with the machine it is connecting to. The attacker then changes his address to spoof the connection. The new address is 218.246.68.46, and the following is the data he receives:

11:17:10.915599 eth0 < 218.246.68.46.2232 > 208.246.68.48.ftp: S

1850495970:1850495970(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)

11:17:10.915633 eth0 > 208.246.68.48.ftp > 218.246.68.46.2232: S

352591502:352591502(0) ack 1850495971 win 32120 <mss 1460,nop,nop,sackOK> (DF)

Notice that, because the address is spoofed, when the target machine replies, the packet goes back to the IP address of the machine the attacker is spoofing. Because the machine is not expecting the packet, the connection is dropped. Just by changing the IP address, a machine cannot complete the three-way handshake and open a TCP connection.

Protection Against Address Changes

There are some steps a company can take to protect against this basic form of spoofing. It is important to note that you can protect your machines from being used to launch a spoofing attack, but there is little you can do to prevent an attacker from spoofing your address. Think about it this way: Is there any way for you to protect against an attacker spoofing your address on a letter he sends out? There is nothing you can do to prevent someone from mailing a letter to another party and writing in your return address instead of his. This is the same problem that occurs with spoofing.

To prevent an attacker from using a machine to launch a spoofing attack, first, limit who has access to configuration information on a machine. By doing this, you can stop an employee from performing spoofing. For example, with NT workstation, you can limit access so that a normal user is not allowed to make any changes to the network configuration.

To protect your company from being the victim of a basic IP spoofing attack, you can apply basic filters at your routers. Most routers have builtin spoofing filters. The most basic form of filter is to not allow any packets that are entering your network from the outside to have a source address from your internal network. For example, a packet that originates from inside your network and is going to an internal host never has to go outside your company’s network. Therefore, if a packet is coming from the Internet, claiming to originate from your internal network, you can have a high level of confidence that it is a spoofed packet and can be dropped. This type of filtering is referred to as ingress filtering and protects a company’s network from being the victim of a spoofing attack.

Egress filtering prevents someone from using a company’s computers to launch an attack against another site. To perform egress filtering, your router examines any packet leaving your network and makes sure that the source address is an address from your local network. If it is not, the packet should be dropped because this indicates that someone is using a spoofed address to launch an attack against another network. Any legitimate packet that is leaving your company’s network must have a source address, where the network portion matches your internal network.

There are also packages like arpwatch that keep track of Ethernet/IP address pairings to reduce the likelihood of a spoofing attack. For additional information on arpwatch, go to http://www.appwatch.com/.

Source Routing

Remember that one of the big problems with spoofing is that the return traffic goes back to the spoofed address and the attacker never gets to see it. Flying blind is effective if you are really good or are launching a small attack. But for more advanced attacks, the attacker would like to see both sides of the conversation.

One way is for an attacker to inject himself into the path that the traffic would normally take, to get from the destination machine back to the source. This is very difficult because an attacker has to compromise a machine on the victim’s network, and there is no guarantee that the traffic will continue to go through the attacker’s machine. The Internet is dynamic in terms of how it routes. There are a lot of cases where traffic takes the same route through the Internet, but it is not guaranteed. It could change every day, every hour, or even every minute. There is a way to guarantee that a packet takes a set path through the Internet, and as a spoof, to make sure it goes through the attacker’s machine. You do this with source routing, which is built into the TCP/IP protocol suite. Source routing lets you specify the path a packet will take through the Internet. There are two types of source routing, as follows: