Chapter 2 - 03 - Understand Network-level Attacks - 06_ocred.pdf

Full Transcript


Certified Cybersecurity Technician Information Security Attacks Exam 212-82

MAC Spoofing/Duplicating/Cloning

- A MAC duplicating/cloning attack is launched by sniffing a network for MAC addresses of clients who are actively associated with a switch port and re-using one of those addresses
- By listening to the traffic on the network, a malicious user can intercept and use a legitimate user's MAC address to receive all the traffic destined for the user
- This attack allows an attacker to gain access to the network and take over someone's identity on the network

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

MAC duplicating or cloning refers to spoofing a MAC address with the MAC address of a legitimate user on the network. A MAC duplicating attack involves sniffing a network for MAC addresses of legitimate clients connected to the network. In this attack, the attacker first retrieves the MAC addresses of clients who are actively associated with the switch port. Then, the attacker replaces their own MAC address with the MAC address of the legitimate client. If the spoofing is successful, the attacker can receive all the traffic destined for the client. Thus, an attacker can gain access to the network and take over the identity of someone on the network. Attackers perform this attack by changing the vendor-assigned MAC address of the NIC using OS commands or software such as packet crafting tools. The diagram shows how an attacker performs a MAC spoofing/duplicating/cloning attack.

[Figure 2.19: MAC spoofing/duplicating/cloning attack. Legitimate user: "My MAC address is aa:bb:cc:dd:ee:ff". Switch rule: "Allow access to the network only if your MAC address is aa:bb:cc:dd:ee:ff". Attacker: "No! My MAC address is aa:bb:cc:dd:ee:ff". The attacker sniffs the network for MAC addresses of the currently associated users and then uses that MAC address to attack other users associated to the same switch port.]

MAC Flooding

- MAC flooding involves the flooding of the CAM table with fake MAC address and IP pairs until it is full
- The switch then acts as a hub by broadcasting packets to all machines on the network, and therefore, the attackers can sniff the traffic easily

MAC Flooding Switches with macof

- macof is a Unix/Linux tool that floods the switch CAM tables (131,000 per min) by sending bogus MAC entries

https://www.monkey.org

MAC flooding is a technique used to compromise the security of network switches that connect network segments or devices. Attackers use the MAC flooding technique to force a switch to act as a hub so that they can easily sniff the traffic. In a switched network, an Ethernet switch contains a CAM table that stores all the MAC addresses of devices connected in the network. A switch acts as an intermediate device between one or more computers in a network. It reads the destination MAC address carried in each Ethernet frame, looks this address up in its CAM table, and forwards the traffic to the destination machine. Unlike a hub, which broadcasts data across the network, a switch sends data only to the intended recipient.
Thus, a switched network is more secure compared to a hub network. However, the size of the CAM table is fixed, and as it can store only a limited number of MAC addresses, an attacker may send numerous fake MAC addresses to the switch. No problem occurs until the MAC address table is full. Once the MAC address table is full, any further requests may force the switch to enter fail-open mode. In fail-open mode, the switch starts behaving like a hub and broadcasts incoming traffic through all the ports in the network. The attacker then changes his/her machine's NIC to promiscuous mode to enable the machine to accept all the traffic entering it. Thus, attackers can sniff the traffic easily and steal sensitive information.

[Figure 2.20: MAC flooding. The attacker sends a MAC address flood to the switch to which User 1 is connected.]

MAC Flooding Switches with macof

Source: https://www.monkey.org

macof is a Unix/Linux tool that is a part of the dsniff collection. It floods the local network with random MAC and IP addresses, thereby causing some switches to fail and open in repeating mode, facilitating sniffing. This tool floods the switch's CAM tables (131,000 per min) by sending forged MAC entries. When the MAC table fills up and the switch converts to hub-like operation, an attacker can monitor the data being broadcast.

[Figure 2.21: MAC flooding using macof. Parrot Terminal screenshot of the command macof -i eth0; the output is a stream of random MAC address pairs, each followed by a TCP SYN between 0.0.0.0 addresses on random ports with win 512.]
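
Both Layer 2 attacks described above (a cloned MAC address and a flooded CAM table) leave a trace in the order in which a switch learns source addresses. The following is an added example, not part of the course material, that checks a stream of MAC-learning events for both symptoms; the event format, port names, sample data and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, switch port, source MAC) as a switch learns them.
EVENTS = [
    (0.0, "Gi0/1", "aa:bb:cc:dd:ee:ff"),   # legitimate user (MAC from Figure 2.19)
    (1.0, "Gi0/2", "00:11:22:33:44:55"),
    (5.0, "Gi0/7", "aa:bb:cc:dd:ee:ff"),   # same MAC appears on another port
    (5.5, "Gi0/1", "aa:bb:cc:dd:ee:ff"),   # and flaps back to the original port
]
# Constructed burst: 200 distinct source MACs on one port within about one second.
EVENTS += [(10.0 + i * 0.005, "Gi0/9", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF))
           for i in range(200)]


def analyze(events, max_macs_per_port=8, window=10.0):
    """Return (moves, flooded_ports) from MAC-learning events.

    moves: (mac, old_port, new_port, time) whenever a known MAC shows up on a
           different port, the symptom of a cloned address.
    flooded_ports: ports that sourced more than max_macs_per_port distinct
           MACs inside `window` seconds, the symptom of CAM-table flooding.
    The limit of 8 and the 10 s window are assumed values, not vendor defaults.
    """
    last_port = {}                  # mac -> port where it was last learned
    recent = defaultdict(dict)      # port -> {mac: time last seen}
    moves, flooded = [], set()
    for ts, port, mac in sorted(events):
        mac = mac.lower()
        if mac in last_port and last_port[mac] != port:
            moves.append((mac, last_port[mac], port, ts))
        last_port[mac] = port
        seen = recent[port]
        seen[mac] = ts
        # Age out entries older than the window before counting.
        for old in [m for m, t in seen.items() if ts - t > window]:
            del seen[old]
        if len(seen) > max_macs_per_port:
            flooded.add(port)
    return moves, flooded


if __name__ == "__main__":
    moves, flooded = analyze(EVENTS)
    for mac, old, new, ts in moves:
        print(f"t={ts}: {mac} moved {old} -> {new}")
    print("ports exceeding the MAC limit:", sorted(flooded))
```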

IP Address Spoofing

- IP spoofing refers to changing the source IP addresses so that the attack appears to be coming from someone else
- When the victim replies to the address, it goes back to the spoofed address rather than the attacker's real address
- Attackers modify the address information in the IP packet header and the source address bits field in order to bypass the IDS or firewall

Most firewalls filter packets based on the source IP address. These firewalls examine the source IP address and determine whether the packet is coming from a legitimate source or an illegitimate source. The IDS filters packets from illegitimate sources. Attackers use the IP spoofing technique to bypass such IDS/firewalls. IP address spoofing is a hijacking technique in which an attacker obtains a computer's IP address, alters the packet headers, and sends request packets to a target machine, pretending to be a legitimate host. The packets appear to be sent from a legitimate machine but are actually sent from the attacker's machine, while his/her machine's IP address is concealed. When the victim replies to the address, it goes back to the spoofed address and not to the attacker's real address. Attackers mostly use IP address spoofing to perform DoS attacks. When the attacker sends a connection request to the target host, the target host replies to the spoofed IP address.
When spoofing a nonexistent address, the target replies to a nonexistent system and then hangs until the session times out, thus consuming a significant amount of its own resources.

[Figure 2.22: IP Spoofing using Hping3. Labels: attacker sending a packet with a spoofed address 7.7.7.7; victim IP address 5.5.5.5; real address.]

IP spoofing using Hping3:

hping3 www.certifiedhacker.com -a 7.7.7.7

You can use Hping3 to perform IP spoofing. The above command helps you to send arbitrary TCP/IP packets to network hosts.

Note: You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses.
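
The note above is also what a defender can look for: connection requests from a spoofed source never receive the final ACK of the three-way handshake, so they sit half-open on the target until they time out. The following is an added example, not part of the course material, that counts such handshakes per claimed source; the packet summary format, the 30-second timeout and the sample records are assumptions.

```python
from collections import Counter

# Constructed packet summaries seen at the victim (5.5.5.5 in Figure 2.22):
# (seconds, source IP, source port, TCP flag sent by that source).
PACKETS = [
    (0.0, "192.0.2.10", 40000, "S"),   # ordinary client opens a connection...
    (0.1, "192.0.2.10", 40000, "A"),   # ...and completes the handshake
    (1.0, "7.7.7.7", 1025, "S"),       # SYNs claiming the spoofed source 7.7.7.7;
    (1.1, "7.7.7.7", 1026, "S"),       # the SYN-ACKs go to 7.7.7.7, so the final
    (1.2, "7.7.7.7", 1027, "S"),       # ACK never reaches the victim
]


def half_open_by_source(packets, now, timeout=30.0):
    """Count handshakes per claimed source that got a SYN but no final ACK.

    Returns (expired, pending): expired entries have waited longer than
    `timeout` seconds (an assumed value), pending ones are still inside it.
    """
    waiting = {}                                  # (src, sport) -> time of first SYN
    for ts, src, sport, flag in sorted(packets):
        key = (src, sport)
        if flag == "S":
            waiting.setdefault(key, ts)           # a retransmitted SYN keeps the first time
        elif flag == "A" and key in waiting:
            del waiting[key]                      # handshake completed
        elif flag == "R":
            waiting.pop(key, None)                # a reset frees the slot
    expired, pending = Counter(), Counter()
    for (src, _), ts in waiting.items():
        (expired if now - ts > timeout else pending)[src] += 1
    return expired, pending


if __name__ == "__main__":
    expired, pending = half_open_by_source(PACKETS, now=60.0)
    print("timed out without ACK:", dict(expired))
    print("still waiting:", dict(pending))
```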
