Chapter 2 - 03 - Understand Network-level Attacks - 05_ocred.pdf


Certified Cybersecurity Technician Exam 212-82 Information Security Attacks

DHCP Starvation Attack

DHCP is a configuration protocol that assigns valid IP addresses to host systems out of a pre-assigned DHCP pool.

A DHCP starvation attack is a process of inundating DHCP servers with fake DHCP requests and using all the available IP addresses. The server runs out of IP addresses to allocate to valid users, and the user will be unable to get a valid IP address.

This results in a denial-of-service attack, where the DHCP server cannot issue new IP addresses to genuine host requests.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

DHCP is a configuration protocol that assigns valid IP addresses to host systems from a preassigned DHCP pool. In a DHCP starvation attack, an attacker floods the DHCP server by sending numerous DHCP requests and uses all of the available IP addresses that the DHCP server can issue. As a result, the server cannot issue any more IP addresses, leading to a DoS attack. Because of this issue, valid users cannot obtain or renew their IP addresses; thus, they fail to access their network. An attacker broadcasts DHCP requests with spoofed MAC addresses with the help of tools such as Yersinia, Hyenae, and Gobbler.

Figure 2.16: DHCP starvation attack (the attacker sends many different DHCP requests with many source MACs; the DHCP server, with scope 10.10.10.1 to 10.10.10.254, runs out of IP addresses to allocate to valid users, and the user is unable to get a valid IP address).

Module 02 Page 196 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
DHCP Spoofing Attack

The attacker sets up a rogue DHCP server on the network and responds to DHCP requests with bogus IP addresses, resulting in compromised network access.

This attack works in conjunction with the DHCP starvation attack; the attacker sends a forged DHCP response to the user after knocking him/her off the genuine DHCP server.

By running a rogue DHCP server, an attacker can send incorrect TCP/IP settings:
    Wrong default gateway => the attacker is the gateway
    Wrong DNS server => the attacker is the DNS server
    Wrong IP address => DoS with a spoofed IP

In addition to DHCP starvation attacks, an attacker can perform MITM attacks such as sniffing. An attacker who succeeds in exhausting the DHCP server's IP address space can set up a rogue DHCP server on the network, which is not under the control of the network administrator. The rogue DHCP server impersonates a legitimate server and offers IP addresses and other network information to other clients in the network, acting as a default gateway. Clients connected to the network with the addresses assigned by the rogue server will now become victims of MITM and other attacks, whereby packets forwarded from a client's machine will reach the rogue server first.

In a DHCP spoofing attack, an attacker will introduce a rogue server into the network. This rogue server can respond to clients' DHCP discovery requests. Although both the rogue and actual DHCP servers respond to the request, the client accepts the response that comes first. In the case where the rogue server responds earlier than the actual DHCP server, the client takes the response of the rogue server. The information provided to the clients by this rogue server can disrupt their network access, causing a DoS attack.

The DHCP response from the attacker's rogue DHCP server may assign the attacker's IP address as the client's default gateway. As a result, the attacker's IP address receives all the traffic from the client. The attacker then captures all the traffic and forwards it to the appropriate default gateway, so the client thinks that everything is functioning correctly. This type of attack is difficult for the client to detect for long periods. Sometimes, the client uses a rogue DHCP server instead of the standard one, and the rogue server directs the client to visit fake websites in an attempt to gain their credentials.

To mitigate a rogue DHCP server attack, configure the switch interface to which the rogue server is connected as untrusted. The switch will then block all incoming DHCP server messages arriving on that interface.

Figure 2.17: DHCP spoofing attack (exchange shown: DHCPDISCOVER (IPv4) / SOLICIT (IPv6) broadcast from the user; DHCPOFFER (IPv4) / ADVERTISE (IPv6) unicast from the rogue server; DHCPREQUEST (IPv4) / REQUEST (IPv6) broadcast. Settings supplied by the rogue server: IP address 10.0.0.20, subnet mask 255.255.255.0, default router 10.0.0.1, DNS servers 192.168.168.2 and 192.168.168.3, lease time 2 days).
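The two switch-side defences the passages above describe, dropping DHCP server messages that arrive on untrusted interfaces (against the rogue server) and limiting the flood of client requests with many source MACs (against starvation), as an added example that is not part of the EC-Council material: a small Python model of the checks a Layer 2 switch performs under DHCP snooping. The message layout, the port names (Gi0/1, Gi0/2, Gi0/3, Gi0/24), the MAC addresses and every sample message are constructed for the example. Server-type messages (OFFER, ACK, NAK) are dropped on untrusted ports, so the rogue server's offer never reaches the client no matter which server answers first; client messages on untrusted ports are checked for a matching chaddr and rate-limited per port.

```python
"""Model of DHCP snooping on a Layer 2 switch, run over constructed sample
messages (not captured traffic). Added example; not EC-Council's code."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Message types only a DHCP server may originate.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class DhcpMessage:
    t: float        # arrival time in seconds (constructed)
    port: str       # switch port the frame arrived on (constructed names)
    src_mac: str    # Ethernet source address of the frame
    chaddr: str     # client hardware address field inside the DHCP payload
    mtype: str      # DISCOVER / OFFER / REQUEST / ACK / NAK


class DhcpSnooping:
    def __init__(self, trusted_ports, rate_limit=5, window=1.0):
        self.trusted = set(trusted_ports)   # ports where the real server lives
        self.rate_limit = rate_limit        # client messages per port per window
        self.window = window                # seconds
        self.recent = defaultdict(deque)    # port -> arrival times of client messages
        self.alerts = []                    # (port, reason) for every dropped message

    def inspect(self, msg):
        """Return 'forward' or 'drop' for one DHCP message."""
        if msg.port in self.trusted:
            return "forward"
        # Spoofing defence: a rogue server's OFFER/ACK arrives on an untrusted port.
        if msg.mtype in SERVER_MESSAGES:
            self.alerts.append((msg.port, "server message on untrusted port"))
            return "drop"
        # MAC verification: the client's chaddr must match the frame's source MAC.
        if msg.src_mac != msg.chaddr:
            self.alerts.append((msg.port, "chaddr does not match source MAC"))
            return "drop"
        # Starvation defence: rate-limit client messages on each untrusted port.
        times = self.recent[msg.port]
        times.append(msg.t)
        while times and msg.t - times[0] > self.window:
            times.popleft()
        if len(times) > self.rate_limit:
            self.alerts.append((msg.port, "DHCP rate limit exceeded"))
            return "drop"
        return "forward"


def run_sample():
    """Feed a legitimate exchange, a rogue OFFER and a starvation burst through the model."""
    snoop = DhcpSnooping(trusted_ports={"Gi0/24"}, rate_limit=5, window=1.0)
    client = "00:11:22:33:44:01"
    msgs = [
        DhcpMessage(0.0, "Gi0/1", client, client, "DISCOVER"),             # real client
        DhcpMessage(0.1, "Gi0/24", "00:aa:bb:cc:dd:ee", client, "OFFER"),  # real server, trusted port
        DhcpMessage(0.2, "Gi0/3", "00:de:ad:be:ef:01", client, "OFFER"),   # rogue server, untrusted port
    ]
    # Starvation burst: eight DISCOVERs with different source MACs on one port within 0.35 s.
    for i in range(8):
        mac = f"02:00:00:00:00:{i:02x}"
        msgs.append(DhcpMessage(0.3 + 0.05 * i, "Gi0/2", mac, mac, "DISCOVER"))
    decisions = [snoop.inspect(m) for m in msgs]
    return {
        "forwarded": decisions.count("forward"),
        "dropped": decisions.count("drop"),
        "alerts": snoop.alerts,
    }


if __name__ == "__main__":
    result = run_sample()
    print(f"forwarded={result['forwarded']} dropped={result['dropped']}")
    for port, reason in result["alerts"]:
        print(f"  {port}: {reason}")
```

Running it forwards the real client's DISCOVER, the real server's OFFER and the first five DISCOVERs of the burst, and drops the rogue OFFER plus the last three DISCOVERs. The order of the checks matters: the trusted-port test comes first so the legitimate server is never rate-limited, and the server-message test comes before the chaddr check so a rogue OFFER is reported as such rather than as a MAC mismatch.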
Switch Port Stealing

The switch port stealing sniffing technique uses MAC flooding to sniff the packets.
    The attacker floods the switch with forged gratuitous ARP packets with the target MAC address as the source and his/her own MAC address as the destination.
    A race condition between the attacker's flooded packets and the target host's packets occurs; thus the switch must constantly change its MAC address binding between two different ports.
    In such a case, if the attacker is fast enough, he/she will be able to direct the packets intended for the target host toward his/her switch port.
    The attacker now manages to steal the target host's switch port and sends ARP requests to the stolen switch port to discover the target host's IP address.
    When the attacker gets an ARP reply, this indicates that the target host's switch port binding has been restored, and the attacker can now sniff the packets sent toward the targeted host.

The switch port stealing sniffing technique uses MAC flooding to sniff the packets. The attacker floods the switch with forged gratuitous ARP packets with the target MAC address as the source and his/her own MAC address as the destination. A race condition between the attacker's flooded packets and the target host's packets will occur, and thus the switch has to constantly change its MAC address binding between two different ports. In this case, if the attacker is fast enough, he/she will be able to direct the packets intended for the target host toward his/her switch port. Here, the attacker manages to steal the target host's switch port and sends an ARP request to this switch port to discover the target host's IP address. When the attacker gets an ARP reply, this indicates that the target host's switch port binding has been restored and the attacker can now sniff the packets sent towards the targeted host.

Figure 2.18: Switch port stealing (Layer 2 switch; dashed line = logical connection, dotted line = real connection).

Assume that there are three machines in a network: Host A, the target's Host B, and the attacker's Host C.

    Machine   MAC Address         IP Address   Port
    Host A    aa-bb-cc-dd-ee-ff   10.0.0.1     Port A
    Host B    bb-cc-dd-ee-ff-gg   10.0.0.2     Port B
    Host C    cc-dd-ee-ff-gg-hh   10.0.0.3     Port C
Table 2.2: Details of three hosts in a network

The switch's ARP cache and MAC table contain the following values:

    VLAN   Machine   MAC Address         IP Address   Age   Port
    5      Host A    aa-bb-cc-dd-ee-ff   10.0.0.1     0     Port A
    5      Host B    bb-cc-dd-ee-ff-gg   10.0.0.2     0     Port B
    5      Host C    cc-dd-ee-ff-gg-hh   10.0.0.3     0     Port C
Table 2.3: MAC table

    IP         MAC
    10.0.0.1   aa-bb-cc-dd-ee-ff
    10.0.0.2   bb-cc-dd-ee-ff-gg
    10.0.0.3   cc-dd-ee-ff-gg-hh
Table 2.4: ARP cache table

1. Switch port stealing is a sniffing technique used by an attacker who spoofs both the IP address and the MAC address of the target machine (Host B).

    Machine   MAC Address         IP Address   Port
    Host A    aa-bb-cc-dd-ee-ff   10.0.0.1     Port A
    Host B    bb-cc-dd-ee-ff-gg   10.0.0.2     Port B
    Host C    bb-cc-dd-ee-ff-gg   10.0.0.2     Port C
Table 2.5: Switch updated with a spoofed entry

2. The attacker's machine runs a sniffer that turns the machine's NIC adapter to promiscuous mode.

3. Host A, associated with the IP address 10.0.0.1, wants to communicate with Host B, associated with the IP address 10.0.0.2. Therefore, Host A sends an ARP request ("I want to communicate with 10.0.0.2. What is the MAC address of 10.0.0.2?").

4. The switch broadcasts this ARP request to all the machines in the network.

5. Before Host B (the target machine) can respond to the ARP request, the attacker responds to it by sending an ARP reply containing the spoofed MAC and IP addresses ("I am 10.0.0.2, and my MAC address is bb-cc-dd-ee-ff-gg"). The attacker can achieve this by launching an attack such as denial of service (DoS) on Host B, which slows down its response.

6. Now the ARP cache in the switch records the spoofed MAC and IP addresses.

    IP         MAC
    10.0.0.1   aa-bb-cc-dd-ee-ff
    10.0.0.2   bb-cc-dd-ee-ff-gg
    10.0.0.2   bb-cc-dd-ee-ff-gg
Table 2.6: ARP cache updated with a spoofed entry

7. The spoofed MAC address of target Host B (bb-cc-dd-ee-ff-gg) and the port connected to the attacker's machine (Port C) are written into the switch's CAM table. Now, a connection is established between Host A and the attacker's machine (Host C).

    VLAN   Machine   MAC Address         IP Address   Age   Port
    5      Host A    aa-bb-cc-dd-ee-ff   10.0.0.1     0     Port A
    5      Host B    bb-cc-dd-ee-ff-gg   10.0.0.2     0     Port B
    5      Host C    bb-cc-dd-ee-ff-gg   10.0.0.2     0     Port C
Table 2.7: MAC table updated with a spoofed entry

8. Now, the switch will forward all the packets directed towards Host B to Host C through Port C, i.e., the attacker's machine. Thus, an attacker can sniff the packets sent to Host B.
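The symptom a defender can watch for in the race condition described above, where the target's MAC binding keeps moving between Port B and Port C, as an added example that is not part of the EC-Council material: a Python shadow of the switch's CAM table that records every port move for a MAC and raises an alert when one MAC changes ports repeatedly inside a short window (the "MAC flapping" condition that switches and monitoring tools report). The hosts, MAC addresses and port names come from Tables 2.2 to 2.7; the timings, the flap threshold and the sample frame sequence are constructed for the example.

```python
"""Detecting the MAC-flapping symptom of switch port stealing from a stream of
source-MAC learning events. Constructed frames, not captured traffic.
Added example; not EC-Council's code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    t: float       # arrival time in seconds (constructed)
    port: str      # ingress switch port
    src_mac: str   # Ethernet source address the switch learns from


class CamMonitor:
    """Shadow of a switch's CAM table that records every MAC-to-port move."""

    def __init__(self, flap_threshold=3, window=2.0):
        self.flap_threshold = flap_threshold   # moves within `window` that count as flapping
        self.window = window                   # seconds
        self.cam = {}                          # mac -> port currently learned
        self.ports_seen = defaultdict(set)     # mac -> every port it was ever learned on
        self.moves = defaultdict(list)         # mac -> timestamps of port changes
        self.alerts = []

    def learn(self, frame):
        """Apply source-MAC learning for one frame; return True if it raised an alert."""
        mac, port = frame.src_mac, frame.port
        prev = self.cam.get(mac)
        self.cam[mac] = port
        self.ports_seen[mac].add(port)
        if prev is None or prev == port:
            return False                       # first sighting or same port: normal
        moves = self.moves[mac]
        moves.append(frame.t)
        # Keep only the moves that fall inside the sliding window.
        moves[:] = [m for m in moves if frame.t - m <= self.window]
        if len(moves) >= self.flap_threshold:
            self.alerts.append(
                f"t={frame.t:.1f}s MAC {mac} flapping: moved {prev} -> {port} "
                f"({len(moves)} moves in {self.window}s)")
            return True
        return False


def flapping_macs(monitor):
    """MACs that were learned on more than one port: candidates for a stolen port."""
    return sorted(mac for mac, ports in monitor.ports_seen.items() if len(ports) > 1)


def run_sample():
    """Normal learning for Hosts A, B and C, then Host B's MAC contested between ports."""
    mon = CamMonitor(flap_threshold=3, window=2.0)
    hosts = {"Port A": "aa-bb-cc-dd-ee-ff",
             "Port B": "bb-cc-dd-ee-ff-gg",
             "Port C": "cc-dd-ee-ff-gg-hh"}
    frames = [Frame(0.1 * i, port, mac) for i, (port, mac) in enumerate(hosts.items())]
    # Frames carrying Host B's MAC now arrive alternately on Port C and Port B, so the
    # CAM entry for bb-cc-dd-ee-ff-gg is rewritten on every frame (Tables 2.3 and 2.7).
    for i in range(6):
        port = "Port C" if i % 2 == 0 else "Port B"
        frames.append(Frame(1.0 + 0.2 * i, port, "bb-cc-dd-ee-ff-gg"))
    triggered = sum(mon.learn(f) for f in frames)
    return {"triggered": triggered, "flapping": flapping_macs(mon), "alerts": mon.alerts}


if __name__ == "__main__":
    result = run_sample()
    print("flapping MACs:", result["flapping"])
    for line in result["alerts"]:
        print(" ", line)
```

The first two moves stay below the threshold, so a single legitimate move (a host re-patched to another port) is not reported; from the third move inside the two-second window onward every further move raises an alert, and `flapping_macs` lists only Host B's MAC, which is exactly the entry that Table 2.7 shows bound to both Port B and Port C.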
