Chapter 2 - 03 - Understand Network-level Attacks - 04_ocred.pdf
2021
EC-Council
Certified Cybersecurity Technician - Information Security Attacks - Exam 212-82

- Domain Name Server (DNS) poisoning is the unauthorized manipulation of IP addresses in the DNS cache
- A corrupted DNS redirects a user request to a malicious website to perform illegal activities

DNS Poisoning

DNS is the protocol that translates a domain name (e.g., www.eccouncil.org) into an IP address (e.g., 208.66.172.56). The protocol uses DNS tables that contain the domain name and its equivalent IP address, stored in a large distributed database.

In DNS poisoning, also known as DNS spoofing, the attacker tricks a DNS server into believing that it has received authentic information when, in reality, it has not. The attacker tries to redirect the victim to a malicious server instead of the legitimate server. The attacker does this by manipulating the DNS table entries in the DNS. This results in the substitution of a false IP address at the DNS level, where web addresses are converted into numeric IP addresses, so that the victim is directed to a server (containing malicious content) with the same name as that of the target server. Thus, the victim connects to the attacker's server without realizing it. For example, if a victim types www.google.com, the request is redirected to the fake website www.goggle.com. Once the victim connects to the attacker's server, the attacker can compromise the victim's system and

Module 02 Page 190. Certified Cybersecurity Technician. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Figure 2.12: Illustration of a normal DNS request (client request resolved through the DNS servers to sites such as Bing, Google and Yahoo)
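The poisoning described above works because a resolver caches whatever answer arrives. The following is an added example (not EC-Council's code) of the acceptance checks a caching resolver applies before writing a response into its table: the transaction ID must match an outstanding query, the question must match, and every record must be for the name that was asked, so a reply cannot smuggle in an entry for another name. DNS messages are plain dicts standing in for packets; the `Resolver` class, its fields and the addresses in `demo()` are constructed for the example.

```python
"""Simulated caching resolver that validates each DNS response before
caching it. Added example for this section; it is not EC-Council's code.
DNS messages are plain dicts standing in for packets, and the Resolver
class, its fields and the addresses used in demo() are constructed here."""
import secrets


class Resolver:
    def __init__(self):
        self.cache = {}       # name -> IP address: the "DNS table" a poisoner targets
        self.pending = {}     # transaction ID -> name we asked about
        self.rejected = []    # (reason, response) pairs kept for alerting

    def send_query(self, name):
        """Issue a query with a random 16-bit transaction ID and remember it."""
        txid = secrets.randbelow(1 << 16)
        self.pending[txid] = name
        return txid

    def receive_response(self, resp):
        """Cache the answers only if the response matches an outstanding
        query and carries records solely for the name that was asked.
        Returns True when the response was accepted."""
        asked = self.pending.get(resp["txid"])
        if asked is None:
            # A reply we never asked for, or a guessed transaction ID
            self.rejected.append(("unsolicited or txid mismatch", resp))
            return False
        if resp["question"] != asked:
            self.rejected.append(("question does not match query", resp))
            return False
        for rr_name, _ in resp["answers"]:
            if rr_name != asked:
                # A record for some other name slipped into the response;
                # caching it would overwrite that name's entry
                self.rejected.append((f"out-of-scope record for {rr_name}", resp))
                return False
        for rr_name, ip in resp["answers"]:
            self.cache[rr_name] = ip
        del self.pending[resp["txid"]]
        return True


def demo():
    """Feed one forged, one smuggled and one genuine response (all constructed)."""
    r = Resolver()
    txid = r.send_query("www.eccouncil.org")
    # Forged reply that guessed the wrong transaction ID
    r.receive_response({"txid": (txid + 1) % (1 << 16),
                        "question": "www.eccouncil.org",
                        "answers": [("www.eccouncil.org", "198.51.100.66")]})
    # Reply with the right ID that also tries to plant a record for another name
    r.receive_response({"txid": txid,
                        "question": "www.eccouncil.org",
                        "answers": [("www.eccouncil.org", "208.66.172.56"),
                                    ("www.google.com", "198.51.100.66")]})
    # Genuine reply
    r.receive_response({"txid": txid,
                        "question": "www.eccouncil.org",
                        "answers": [("www.eccouncil.org", "208.66.172.56")]})
    return r


if __name__ == "__main__":
    res = demo()
    print("cache:", res.cache)
    for reason, _ in res.rejected:
        print("rejected:", reason)
```

Running `demo()` leaves only the genuine record in the cache and two entries in the rejection log, which is what a monitoring hook on a real resolver would alert on; a rejected response does not consume the pending query, so the legitimate answer is still accepted when it arrives.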
Figure 2.13: Illustration of a poisoned DNS request (client request answered by a poisoned DNS server that points to malicious servers instead of the legitimate ones)

- Domain hijacking is an attack in which the domain ownership is changed to the attacker's server without the consent of the actual owner
- The attacker attempts to infiltrate the domain registrar account using techniques such as phishing or social engineering

Domain Hijacking

Domain hijacking is an attack in which the domain ownership is changed to the attacker's server without the consent of the actual owner. In this attack, the attacker attempts to infiltrate the domain registrar account using techniques such as phishing or social engineering. After obtaining the registrar account credentials, the attacker masquerades as the legitimate owner of the account, exploits some identified vulnerabilities, and changes the ownership of the original registered domain to the attacker's domain name. Later, when a client or user sends a request to the original website, the DNS server sends a response with the malicious domain name that belongs to the attacker. As the response webpage appears similar to the original webpage, it lures the user into entering sensitive information such as usernames, passwords, and bank credentials.
Through domain hijacking, attackers even install malware on their website, which, when accessed by a victim, automatically downloads and installs malware such as viruses, worms, or Trojans in the victim's system and starts executing covertly in the background.

Working of Domain Hijacking

Figure 2.14: Domain hijacking (entities shown: Attacker, Registrar, Registrant, Registry, Legitimate website, DNS server, Malicious website, Malicious DNS server)

- Step 1: The attacker compromises the registrar account using techniques such as phishing or social engineering and logs in to the registrar account.
- Step 2: After successful login, the attacker modifies the registration details of the actual owner of the domain. The attacker changes the actual IP (178.15.10.43) to a malicious IP address (99.99.99.99).
- Step 3: When the legitimate user requests the website www.realwebsite.com, the request reaches the DNS name server for the domain name to be resolved.
- Step 4: As the domain name record has already been updated, the DNS response contains the attacker's malicious IP address, i.e., 99.99.99.99.
- Step 5: The user unknowingly logs in to the malicious website www.fakewebsite.com.
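The change made in Step 2 is visible from outside the registrar: the domain's A record, delegation and lock status all drift from what the owner expects. Below is an added example (not EC-Council's code) of a baseline check that compares a current registration/DNS snapshot with a recorded baseline and raises alerts for each change, using the addresses from the steps above. The snapshot dicts, the field names, the nameserver hostnames and the registrant contact are constructed; in practice the current snapshot would be populated from RDAP/WHOIS and DNS lookups.

```python
"""Baseline check for a domain's registration and DNS details, the kind of
monitor that catches Step 2 of the hijack above. Added example; not EC-Council's
code. The snapshot dicts, field names and nameserver hostnames are constructed;
in practice the current snapshot would come from RDAP/WHOIS and DNS lookups."""

# Constructed baseline for the domain used in the walkthrough
BASELINE = {
    "domain": "www.realwebsite.com",
    "a_records": {"178.15.10.43"},
    "nameservers": {"ns1.registrar.example", "ns2.registrar.example"},
    "registrant_email": "admin@realwebsite.com",
    "transfer_lock": True,
}


def check_domain(baseline, current):
    """Return (severity, message) alerts for every monitored field that drifted
    from the baseline. An empty list means the registration looks unchanged."""
    if current["domain"] != baseline["domain"]:
        raise ValueError("snapshots are for different domains")
    alerts = []
    if current["a_records"] != baseline["a_records"]:
        alerts.append(("high", "A records changed: "
                       f"{sorted(baseline['a_records'])} -> {sorted(current['a_records'])}"))
    if current["nameservers"] != baseline["nameservers"]:
        alerts.append(("high", "delegation changed: "
                       f"{sorted(baseline['nameservers'])} -> {sorted(current['nameservers'])}"))
    if baseline["transfer_lock"] and not current["transfer_lock"]:
        # Unlocking is the usual prelude to moving the domain to another registrar
        alerts.append(("high", "registrar transfer lock was removed"))
    if current["registrant_email"] != baseline["registrant_email"]:
        alerts.append(("medium", f"registrant contact changed to {current['registrant_email']}"))
    return alerts


def demo():
    """Constructed snapshot mirroring Step 2: the A record now points at 99.99.99.99,
    the delegation has moved and the transfer lock is gone."""
    hijacked = dict(BASELINE,
                    a_records={"99.99.99.99"},
                    nameservers={"ns1.attacker.example"},
                    transfer_lock=False)
    return check_domain(BASELINE, hijacked)


if __name__ == "__main__":
    for severity, message in demo():
        print(f"[{severity}] {message}")
```

Run on a schedule, `check_domain()` reports the redirect before users reach www.fakewebsite.com; an unchanged snapshot yields no alerts, so the output is quiet until something at the registrar actually moves.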
ARP Spoofing Attack

- Address Resolution Protocol (ARP) is a protocol used for mapping an IP address to a physical machine address which is recognized in the local network
- ARP spoofing/poisoning involves sending a large number of forged entries

Address Resolution Protocol (ARP) is a protocol used for mapping an IP address to a physical machine address which is recognized in the local network. ARP packets can be forged to send data to the attacker's machine. ARP spoofing involves constructing a large number of forged ARP request and reply packets to overload a switch. When a machine sends an ARP request, it assumes that the ARP reply will come from the right machine. ARP provides no means of verifying the authenticity of the responding device. Even systems that have not made an ARP request can accept the ARP replies coming from other devices. Attackers use this flaw in ARP to create malformed ARP replies containing spoofed IP and MAC addresses. Assuming it to be the legitimate ARP reply, the victim's computer blindly accepts the ARP entry into its ARP table. Once the ARP table is flooded with spoofed ARP replies, the switch is set in forwarding mode, and the attacker intercepts all the data that flows from the victim's machine without the victim being aware of the attack. Attackers flood a target computer's ARP cache with forged entries, which is also known as poisoning.
ARP spoofing is an intermediary for performing attacks such as DoS, MITM, and session hijacking.

How Does ARP Spoofing Work?

ARP spoofing is a method of attacking an Ethernet LAN. When a legitimate user initiates a session with another user in the same layer 2 broadcast domain, the switch broadcasts an ARP request using the recipient's IP address, while the sender waits for the recipient to respond with a MAC address. An attacker eavesdropping on this unprotected layer 2 broadcast domain can respond to the broadcast ARP request and reply to the sender by spoofing the intended recipient's IP address. The attacker runs a sniffer and turns the machine's NIC adapter to promiscuous mode.

ARP spoofing succeeds by changing the IP address of the attacker's computer to that of the target computer. A forged ARP request and reply packet can find a place in the target ARP cache in this process. As the ARP reply has been forged, the destination computer (target) sends frames to the attacker's computer, where the attacker can modify the frames before sending them to the source machine (User A) in an MITM attack. The attacker can also launch a DoS attack by associating a non-existent MAC address with the IP address of the gateway; alternatively, the attacker may sniff the traffic passively and then forward it to the target destination.

Figure 2.15: Working of an ARP spoofing attack (User A at 10.1.1.0 wants to connect to 10.1.1.1; the switch broadcasts the ARP request onto the wire; User C, the actual legitimate user, responds "This is 10.1.1.1 and my MAC address is A1-B1-C1-D1-E1-F1"; the attacker, User D, eavesdrops on the ARP request and responses and sends a spoofed reply with MAC address 11-22-33-44-55-66, so User A's poisoned ARP cache now sends information for IP address 10.1.1.1 to the attacker's MAC address 11-22-33-44-55-66)
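Because ARP has no authentication, the practical defence is to watch the replies themselves: a reply nobody asked for, an IP whose MAC suddenly changes, or one MAC claiming several IPs are the symptoms of the attack in Figure 2.15. The following is an added example (not EC-Council's code) of a passive ARP monitor that raises those three alerts. The packet stream in `demo()` is constructed from the addresses in the figure; the `ArpMonitor` class and its packet dict format are assumptions for the example, and a real deployment would feed `observe()` from a capture tool on a mirror port.

```python
"""Passive ARP monitor that flags the binding changes and unsolicited replies an
ARP spoofing attack produces. Added example; not EC-Council's code. The packet
stream in demo() is constructed from the addresses in Figure 2.15; a real
deployment would feed observe() from a capture tool on a SPAN/mirror port."""
from collections import defaultdict


def normalize_mac(mac):
    """Compare MACs case- and separator-insensitively."""
    return mac.lower().replace(":", "-")


class ArpMonitor:
    def __init__(self):
        self.bindings = {}                   # ip -> mac currently claimed for it
        self.ips_by_mac = defaultdict(set)   # mac -> every ip it has claimed
        self.outstanding = set()             # ips with an unanswered who-has
        self.alerts = []

    def observe(self, pkt):
        """pkt is a dict with 'op' ('request' or 'reply'), 'sender_ip',
        'sender_mac' and, for requests, 'target_ip'."""
        if pkt["op"] == "request":
            self.outstanding.add(pkt["target_ip"])
            return
        ip, mac = pkt["sender_ip"], normalize_mac(pkt["sender_mac"])
        # Heuristic: a reply no one asked for is how poisoning usually arrives.
        # Gratuitous ARP on a legitimate address change also trips this, so
        # tune or allow-list it on networks that rely on it.
        if ip not in self.outstanding:
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"binding change for {ip}: {old} -> {mac}")
        self.bindings[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            self.alerts.append(f"{mac} claims multiple IPs: {sorted(self.ips_by_mac[mac])}")
        self.outstanding.discard(ip)


def demo():
    """Replay the exchange from Figure 2.15 (constructed packets)."""
    packets = [
        # User A (10.1.1.0) asks who has 10.1.1.1; the switch broadcasts it
        {"op": "request", "sender_ip": "10.1.1.0", "sender_mac": "21-56-88-99-55-66",
         "target_ip": "10.1.1.1"},
        # User C, the legitimate host, answers
        {"op": "reply", "sender_ip": "10.1.1.1", "sender_mac": "A1-B1-C1-D1-E1-F1"},
        # User D, the attacker, answers for the same IP with its own MAC
        {"op": "reply", "sender_ip": "10.1.1.1", "sender_mac": "11-22-33-44-55-66"},
        # The same MAC then claims 10.1.1.2 as well
        {"op": "reply", "sender_ip": "10.1.1.2", "sender_mac": "11-22-33-44-55-66"},
    ]
    mon = ArpMonitor()
    for pkt in packets:
        mon.observe(pkt)
    return mon


if __name__ == "__main__":
    for alert in demo().alerts:
        print("ALERT:", alert)
```

The monitor's `bindings` table ends up in the same state as User A's poisoned cache (10.1.1.1 mapped to the attacker's MAC), which is exactly why the alerts matter: a host with static ARP entries, or a switch with dynamic ARP inspection, would have refused the change that this script can only report.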