Man in the Middle attacks and ARP poisoning explained Why you shouldn’t ignore invalid certificates CrashCourseSecurity.com

Upload: barbara-paul

Post on 23-Dec-2015


TRANSCRIPT

Page 1: Man in the Middle attacks and ARP poisoning explained Why you shouldn’t ignore invalid certificates CrashCourseSecurity.com

CrashCourseSecurity.com

Man in the Middle attacks and ARP poisoning explained

Why you shouldn’t ignore invalid certificates

Page 2:

A review of ARP

In order for host A to communicate with host B on the same local network, host A needs to know both host B's IP address (its logical address on the network) and its MAC address (the hardware address of B's network adapter, which is where the Ethernet frame is actually delivered). ARP, the Address Resolution Protocol, is how A turns the IP address into the MAC address.

Page 3:

1. Host A broadcasts an ARP request asking who has host B's IP address.
2. Host B responds with an ARP reply that carries its MAC address, sent to host A.
3. Host A stores the response in its ARP table (also known as an ARP cache) so it can look it up for future reference.
4. Host A and B can now communicate freely.

Page 4:

ARP Review (diagram)

Host 192.168.1.1 (MAC AA:AA:AA:AA:AA:AA) and host 192.168.1.5 (MAC BB:BB:BB:BB:BB:BB), each with its own ARP table. After the exchange both tables hold the entries 192.168.1.1 = AA:AA:AA:AA:AA:AA and 192.168.1.5 = BB:BB:BB:BB:BB:BB.

1. Host 192.168.1.5 wants to know the MAC address of 192.168.1.1.
2. 192.168.1.5 broadcasts an ARP request: "Who has 192.168.1.1?"
3. 192.168.1.1 responds with an ARP reply and sends its MAC address to 192.168.1.5.
4. 192.168.1.5 stores the response in its ARP table (also known as an ARP cache) so it can look it up for future reference.
5. The two hosts can now communicate freely.

Page 5:

Man in the Middle

Fool two hosts into thinking you are a legitimate one by sending false ARP replies.

This allows you to intercept all traffic between the two hosts.

Page 6:

• Send fake ARP replies in order to impersonate target hosts.

• All legitimate traffic goes to the attacking machine and is then forwarded to the other victim, so the connection keeps working.

• Targets are unaware they are being attacked.

• Attacker can listen to data or inject fake data.

• Attacker must be on the same local network segment (the same broadcast domain or VLAN) as the victims, because ARP is not routed.

Page 7:

Man in the Middle (diagram)

Victims: 192.168.1.1 (MAC AA:AA:AA:AA:AA:AA) and 192.168.1.5 (MAC BB:BB:BB:BB:BB:BB). Before the attack their ARP tables hold 192.168.1.1 = AA:AA:AA:AA:AA:AA and 192.168.1.5 = BB:BB:BB:BB:BB:BB.

Attacker: 192.168.1.10 (MAC CC:CC:CC:CC:CC:CC). After the attack, the table on 192.168.1.1 says 192.168.1.5 = CC:CC:CC:CC:CC:CC and the table on 192.168.1.5 says 192.168.1.1 = CC:CC:CC:CC:CC:CC.

1. Send fake ARP replies.
2. The ARP packets say that both 192.168.1.5 and 192.168.1.1 are located at the attacker's MAC address of CC:CC:CC:CC:CC:CC.
3. All traffic between the two victims is sent through the attacker.
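The two-sided poisoning on this slide, as an added example that is not code from the slides or from CrashCourseSecurity.com: a Go program that builds real 28-byte ARP reply payloads (the bytes that follow the Ethernet header), feeds them to a simplified model of a host's ARP cache that believes any reply addressed to it (the behaviour the attack relies on; a real stack also learns from requests and ages entries, which this model leaves out), and shows both victims resolving each other to CC:CC:CC:CC:CC:CC. The addresses are the slide's; the Host model and the function names are my own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const ARPReply uint16 = 2 // ARP opcode (RFC 826); a request is 1

// ARPPacket is the 28-byte ARP payload for Ethernet/IPv4.
type ARPPacket struct {
	Op        uint16
	SenderMAC net.HardwareAddr
	SenderIP  net.IP
	TargetMAC net.HardwareAddr
	TargetIP  net.IP
}

// Marshal serialises the packet as it appears on the wire:
// htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op, then the four addresses.
func (p ARPPacket) Marshal() []byte {
	b := make([]byte, 28)
	binary.BigEndian.PutUint16(b[0:2], 1)
	binary.BigEndian.PutUint16(b[2:4], 0x0800)
	b[4], b[5] = 6, 4
	binary.BigEndian.PutUint16(b[6:8], p.Op)
	copy(b[8:14], p.SenderMAC)
	copy(b[14:18], p.SenderIP.To4())
	copy(b[18:24], p.TargetMAC)
	copy(b[24:28], p.TargetIP.To4())
	return b
}

// ParseARP decodes a raw ARP payload, rejecting anything that is not Ethernet/IPv4.
func ParseARP(b []byte) (ARPPacket, error) {
	if len(b) < 28 || binary.BigEndian.Uint16(b[0:2]) != 1 || binary.BigEndian.Uint16(b[2:4]) != 0x0800 || b[4] != 6 || b[5] != 4 {
		return ARPPacket{}, errors.New("arp: short packet or not Ethernet/IPv4")
	}
	return ARPPacket{Op: binary.BigEndian.Uint16(b[6:8]), SenderMAC: net.HardwareAddr(b[8:14]), SenderIP: net.IP(b[14:18]),
		TargetMAC: net.HardwareAddr(b[18:24]), TargetIP: net.IP(b[24:28])}, nil
}

// Host is a simplified model of one machine's ARP cache: like a typical stack in
// its default configuration it believes any reply addressed to it, solicited or not.
type Host struct {
	IP    net.IP
	Cache map[string]net.HardwareAddr // IP string -> MAC used as the Ethernet destination
}

func NewHost(ip string) *Host {
	return &Host{IP: net.ParseIP(ip), Cache: map[string]net.HardwareAddr{}}
}

// Receive handles one ARP payload heard on the wire.
func (h *Host) Receive(raw []byte) error {
	p, err := ParseARP(raw)
	if err != nil {
		return err
	}
	if p.Op == ARPReply && p.TargetIP.Equal(h.IP) {
		h.Cache[p.SenderIP.String()] = p.SenderMAC // overwrites silently; no check against the old entry
	}
	return nil
}

// BuildReply encodes "senderIP is at senderMAC", addressed to targetIP/targetMAC.
func BuildReply(senderIP string, senderMAC net.HardwareAddr, targetIP string, targetMAC net.HardwareAddr) []byte {
	return ARPPacket{Op: ARPReply, SenderMAC: senderMAC, SenderIP: net.ParseIP(senderIP),
		TargetMAC: targetMAC, TargetIP: net.ParseIP(targetIP)}.Marshal()
}

// RunMITM replays the slide: legitimate replies first, then the attacker at
// CC:CC:CC:CC:CC:CC claims both addresses. Returns the MAC each victim now
// uses to reach the other.
func RunMITM() (routerSees, clientSees string) {
	macA, _ := net.ParseMAC("AA:AA:AA:AA:AA:AA")
	macB, _ := net.ParseMAC("BB:BB:BB:BB:BB:BB")
	macC, _ := net.ParseMAC("CC:CC:CC:CC:CC:CC")
	router, client := NewHost("192.168.1.1"), NewHost("192.168.1.5")
	router.Receive(BuildReply("192.168.1.5", macB, "192.168.1.1", macA)) // genuine
	client.Receive(BuildReply("192.168.1.1", macA, "192.168.1.5", macB)) // genuine
	router.Receive(BuildReply("192.168.1.5", macC, "192.168.1.1", macA)) // fake reply to the router
	client.Receive(BuildReply("192.168.1.1", macC, "192.168.1.5", macB)) // fake reply to the client
	return router.Cache["192.168.1.5"].String(), client.Cache["192.168.1.1"].String()
}

func main() {
	r, c := RunMITM()
	fmt.Println("router now sends frames for 192.168.1.5 to", r)
	fmt.Println("client now sends frames for 192.168.1.1 to", c)
}
```

Everything here stays in memory; on a real segment the same payload would go out through a raw socket behind the attacker's own Ethernet header, and the attacker would also have to enable IP forwarding so the victims' traffic keeps flowing through it, which is what keeps them unaware.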

Page 8:

SSL Certificate

Traffic between the two hosts is encrypted, and the server proves who it is with a certificate: its public key, bound to the server's name and signed by a certificate authority the client trusts. The client uses that key to set up the encrypted session, so third parties cannot eavesdrop.

Page 9:

SSL Certificates (diagram)

Client 192.168.1.5 (MAC BB:BB:BB:BB:BB:BB), server 192.168.1.1 (MAC AA:AA:AA:AA:AA:AA), attacker 192.168.1.10 (MAC CC:CC:CC:CC:CC:CC) sitting in the middle. The client sends GET https://www.onlinebanking.com; the credentials "username = johnDoe, password = password1" leave the client only as ciphertext, and the attacker sees nothing but unreadable bytes.

1. Client requests a secure web page.
2. Client requests the certificate from the server.
3. Client checks the certificate and uses the server's public key from it to set up the encrypted session, so only the server can read the data.
4. Attacker is unable to read the encrypted traffic.

Page 10:

SSL Certificate Forging

Page 11:

• An attacker in the middle intercepts the client's certificate request and hands the client a forged certificate for the site, made with a key the attacker controls.

• The attacker can then decrypt the data the client sent (it holds the forged key), read it, and re-encrypt it with the server's real certificate when forwarding it to the server, so the session appears to work normally.

• Often this causes a certificate warning in the browser (see the picture on the previous slide), because the forged certificate is not signed by a certificate authority the browser trusts.

Page 12:

SSL Certificate Forging (diagram)

Client 192.168.1.5 (MAC BB:BB:BB:BB:BB:BB), server 192.168.1.1 (MAC AA:AA:AA:AA:AA:AA), attacker 192.168.1.10 (MAC CC:CC:CC:CC:CC:CC) sitting in the middle. The client sends GET https://www.onlinebanking.com. The credentials "username = johnDoe, password = password1" are encrypted on the client-to-attacker leg, decrypted and read by the attacker, then re-encrypted on the attacker-to-server leg.

1. Client requests the certificate.
2. Certificate is intercepted by the attacker.
3. Attacker forges a copy of the certificate with a new key.
4. Victim encrypts data using the fake key.
5. Attacker decrypts the data with its own key, then re-encrypts it using the original certificate's key and forwards it to the server.
6. Attacker records the bank account information and books a trip to the Bahamas.
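What the browser's check on pages 9 and 11-12 actually decides, as an added example that is not from the slides: a Go program using only the standard library's crypto/x509 that creates a trusted root CA, the bank's genuine certificate for www.onlinebanking.com signed by that CA, and an attacker's forged certificate for the same name under a key the attacker controls, then verifies both against the client's trusted roots the way a client does before showing the padlock. The CA name, the P-256 key type and the validity periods are arbitrary choices for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hostname from the slides.
const host = "www.onlinebanking.com"

// newCert generates a fresh key, signs template with signer (the parent's key)
// and returns the parsed certificate plus the new key. With parent == nil the
// certificate is self-signed with its own key.
func newCert(template, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// leafTemplate is a server certificate for the bank's name. The forged copy on
// the slide uses the same template; only the key and the signer differ.
func leafTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Scenario holds the client's trust store plus the genuine and forged certificates.
type Scenario struct {
	Roots   *x509.CertPool
	Genuine *x509.Certificate // signed by the trusted CA
	Forged  *x509.Certificate // same name, attacker's key, self-signed
}

func NewScenario() Scenario {
	ca, caKey := newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // arbitrary demo name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	genuine, _ := newCert(leafTemplate(2), ca, caKey)
	forged, _ := newCert(leafTemplate(3), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return Scenario{Roots: roots, Genuine: genuine, Forged: forged}
}

// Verify is the check a client runs before trusting the padlock: build a chain
// from cert to a trusted root and confirm the name matches. nil means accepted.
func Verify(cert *x509.Certificate, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether err is the "issuer not trusted" failure
// that browsers surface as the certificate warning.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	s := NewScenario()
	fmt.Println("genuine certificate:", Verify(s.Genuine, s.Roots))
	fmt.Println("forged certificate: ", Verify(s.Forged, s.Roots))
}
```

The forged certificate fails with x509.UnknownAuthorityError, which is the condition behind the warning on slide 11: the name is right, the crypto is fine, but nobody the client trusts vouches for the key. A Go client configured with tls.Config{InsecureSkipVerify: true} skips this check entirely, which is the programmatic equivalent of clicking through the warning and hands the session to whoever won the ARP race on the local segment.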

Page 13:

ARP poisoning: Denial of Service

The attacker tells the victim that the default router is at a MAC address that does not exist on the network, so the victim's frames to the router are never delivered. No data can be sent outside the network.

Page 14:

ARP poisoning - DoS (diagram)

Router 192.168.1.1 (MAC AA:AA:AA:AA:AA:AA), victim 192.168.1.5 (MAC BB:BB:BB:BB:BB:BB), attacker 192.168.1.10 (MAC CC:CC:CC:CC:CC:CC). Correct ARP tables: 192.168.1.1 = AA:AA:AA:AA:AA:AA and 192.168.1.5 = BB:BB:BB:BB:BB:BB. After the attack the victim's table says 192.168.1.1 = DB:9F:39:1F:92:11.

1. Attacker tells the victim the router is at a non-existent MAC address.
2. No data packets reach the router.
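The defender's view of pages 6-7 and 13-14, added here as an example and not part of the slides: a passive monitor in the style of arpwatch that records every "IP is at MAC" reply heard on the segment and alerts when a binding changes or when one MAC answers for more than one address. The list of observations is constructed to replay the slides' three phases (normal traffic, the attacker claiming both hosts, the bogus-router DoS); the "never-seen MAC" heuristic used to separate the DoS case is my own and would need tuning on a real network.

```go
package main

import (
	"fmt"
	"sort"
)

// Observation is one ARP reply heard by a passive listener on the segment:
// "SenderIP is at SenderMAC". A real monitor would take these from a capture.
type Observation struct {
	SenderIP  string
	SenderMAC string
}

// Monitor tracks IP->MAC bindings the way arpwatch does and raises an alert
// when a binding changes or one station claims several addresses.
type Monitor struct {
	ipToMAC  map[string]string
	macToIPs map[string]map[string]bool
	seenMACs map[string]bool // every MAC that has ever sent a reply on this segment
	Alerts   []string
}

func NewMonitor() *Monitor {
	return &Monitor{ipToMAC: map[string]string{}, macToIPs: map[string]map[string]bool{}, seenMACs: map[string]bool{}}
}

func (m *Monitor) alert(format string, a ...interface{}) {
	m.Alerts = append(m.Alerts, fmt.Sprintf(format, a...))
}

// Binding returns the MAC currently recorded for ip ("" if unknown).
func (m *Monitor) Binding(ip string) string { return m.ipToMAC[ip] }

// Observe records one reply and returns the alerts it triggered.
func (m *Monitor) Observe(o Observation) []string {
	before := len(m.Alerts)
	if old, known := m.ipToMAC[o.SenderIP]; known && old != o.SenderMAC {
		// Heuristic (my own, not from the slides): a MAC that has never spoken on
		// the segment is more likely a made-up address than a host that moved.
		reason := "possible spoofing"
		if !m.seenMACs[o.SenderMAC] {
			reason = "MAC never seen on this segment, possible bogus entry (DoS)"
		}
		m.alert("binding for %s changed %s -> %s: %s", o.SenderIP, old, o.SenderMAC, reason)
	}
	m.ipToMAC[o.SenderIP] = o.SenderMAC
	m.seenMACs[o.SenderMAC] = true
	if m.macToIPs[o.SenderMAC] == nil {
		m.macToIPs[o.SenderMAC] = map[string]bool{}
	}
	m.macToIPs[o.SenderMAC][o.SenderIP] = true
	if ips := m.macToIPs[o.SenderMAC]; len(ips) > 1 {
		// One station answering for two or more addresses is the MITM pattern
		// from the slides: the attacker "is" both the router and the client.
		m.alert("%s claims %d addresses %v: possible man-in-the-middle", o.SenderMAC, len(ips), sortedKeys(ips))
	}
	return m.Alerts[before:]
}

func sortedKeys(set map[string]bool) []string {
	out := make([]string, 0, len(set))
	for k := range set {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// Replay feeds the monitor a constructed sequence that mirrors the slides:
// normal replies, the attacker claiming both victims, then the bogus-router DoS.
func Replay() *Monitor {
	m := NewMonitor()
	for _, o := range []Observation{
		{"192.168.1.1", "aa:aa:aa:aa:aa:aa"},  // router answers for itself
		{"192.168.1.5", "bb:bb:bb:bb:bb:bb"},  // client answers for itself
		{"192.168.1.10", "cc:cc:cc:cc:cc:cc"}, // attacker answers for its own address
		{"192.168.1.5", "cc:cc:cc:cc:cc:cc"},  // poison: attacker claims the client
		{"192.168.1.1", "cc:cc:cc:cc:cc:cc"},  // poison: attacker claims the router
		{"192.168.1.1", "db:9f:39:1f:92:11"},  // DoS: router "moves" to a non-existent MAC
	} {
		m.Observe(o)
	}
	return m
}

func main() {
	for _, a := range Replay().Alerts {
		fmt.Println("ALERT:", a)
	}
}
```

Detection is the second line; the first is to stop trusting unsolicited replies for the addresses that matter. On a Linux host a static entry for the gateway (for example `ip neigh add 192.168.1.1 lladdr aa:aa:aa:aa:aa:aa dev eth0 nud permanent`) is never overwritten by a reply, and managed switches can enforce the same binding for every port with Dynamic ARP Inspection tied to DHCP snooping.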

Page 15:

CrashCourseSecurity.com