IIT Kanpur Hacker’s Workshop 2004, 23-24 Feb 2004

A current analysis of man in the middle (mitm) attacks
Sachin Deodhar <[email protected]>
The scenario

(diagram: Server, Client, Attacker)
MITM attack scenarios (TOC)

Different attacks in different scenarios:

LOCAL AREA NETWORK:
- ARP poisoning
- DNS spoofing
- STP mangling
- Port stealing

FROM LOCAL TO REMOTE (through a gateway):
- ARP poisoning
- DNS spoofing
- DHCP spoofing
- ICMP redirection
- IRDP spoofing
- route mangling

REMOTE:
- DNS poisoning
- traffic tunneling
- route mangling
MITM attack techniques: the local scenario
Local attacks (1): ARP poisoning

- ARP is stateless (we all know how it works and what the problems are)
- Some operating systems do not update an entry if it is not already in the cache; others accept only the first received reply (e.g. Solaris)
- The attacker can forge spoofed ICMP packets to force the host to make an ARP request. Immediately after the ICMP it sends the fake ARP reply
The scenario

(diagram: Server, Client, Attacker; the attacker's arrows to each side are labelled "Gratuitous ARP (forged)")
Local attacks (1): ARP poisoning - tools

ettercap (http://ettercap.sf.net)
- Poisoning
- Sniffing
- Hijacking
- Filtering
- SSH v.1 sniffing (transparent attack)

dsniff (http://www.monkey.org/~dugsong/dsniff)
- Poisoning
- Sniffing
- SSH v.1 sniffing (proxy attack)
Local attacks (1): ARP poisoning - countermeasures

YES - passive monitoring (arpwatch)
YES - active monitoring (ettercap)
YES - IDS (detect but not avoid)
YES - static ARP entries (avoid it)
YES - Secure-ARP (public key authentication)
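The passive-monitoring countermeasure in the spirit of arpwatch, as an added example that is not part of the slides or of arpwatch itself: it learns IP-to-MAC bindings from observed ARP replies and raises an alert when a known IP suddenly claims a different MAC, which is exactly what a forged gratuitous reply produces. The frame records and addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2  # ARP opcode values
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class ArpFrame:
    opcode: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str

    @property
    def gratuitous(self) -> bool:
        # A gratuitous reply announces the sender's own IP, usually to everyone
        return self.sender_ip == self.target_ip or self.target_mac == BROADCAST

class ArpMonitor:
    def __init__(self) -> None:
        self.table: Dict[str, str] = {}  # IP -> MAC, as a victim's cache would see it
        self.alerts: List[Tuple[str, str, str, str]] = []

    def observe(self, frame: ArpFrame) -> bool:
        if frame.opcode != ARP_REPLY:
            return False  # requests make no claim worth recording
        known = self.table.setdefault(frame.sender_ip, frame.sender_mac)
        if known == frame.sender_mac:
            return False  # first sighting, or consistent with what we learned
        kind = "gratuitous-flip" if frame.gratuitous else "flip"
        self.alerts.append((kind, frame.sender_ip, known, frame.sender_mac))
        self.table[frame.sender_ip] = frame.sender_mac  # follow the change to spot flip-flops
        return True

def scan(frames: List[ArpFrame]) -> List[Tuple[str, str, str, str]]:
    mon = ArpMonitor()
    for f in frames:
        mon.observe(f)
    return mon.alerts

# Constructed sample traffic (not a capture): a normal request/reply pair, then a
# forged gratuitous reply that claims the gateway's IP with a different MAC.
SAMPLE_FRAMES = [
    ArpFrame(ARP_REQUEST, "192.0.2.50", "02:00:00:00:00:50", "192.0.2.1", "00:00:00:00:00:00"),
    ArpFrame(ARP_REPLY, "192.0.2.1", "02:00:00:00:00:01", "192.0.2.50", "02:00:00:00:00:50"),
    ArpFrame(ARP_REPLY, "192.0.2.1", "02:00:00:00:00:99", "192.0.2.1", BROADCAST),
    ArpFrame(ARP_REPLY, "192.0.2.1", "02:00:00:00:00:99", "192.0.2.50", "02:00:00:00:00:50"),
]
```

Like arpwatch, this can only detect the change after the fact; the slides' "avoid" options (static entries, Secure-ARP) are what stop the cache from being altered.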
Local attacks (2): DNS spoofing

(diagram: HOST, DNS server, MITM; query for serverX.localdomain.in; addresses 10.1.1.50 and 10.1.1.1)

If the attacker is able to sniff the ID of the DNS request, he/she can reply before the real DNS server
Local attacks (2): DNS spoofing - tools

ettercap (http://ettercap.sf.net)
- Phantom plugin

dsniff (http://www.monkey.org/~dugsong/dsniff)
- dnsspoof

zodiac (http://www.packetfactory.com/Projects/zodiac)
Local attacks (2): DNS spoofing - countermeasures

YES - detect multiple replies (IDS)
YES - use the lmhosts or hosts file for static resolution of critical hosts
YES - DNSSEC
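The "detect multiple replies" countermeasure as an added example, not code from the slides or from any IDS: a query is identified by its transaction ID and name, and any query that receives two replies carrying different answers is reported. Because the forged reply arrives first and wins the resolver's race, the monitor cannot tell which reply is genuine, so it reports both. The reply records and addresses are constructed; only the name serverX.localdomain.in comes from the slide.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class DnsReply:
    src_ip: str   # source IP of the reply (a spoofer forges the real server's address)
    txid: int     # 16-bit transaction ID copied from the query
    qname: str    # name that was queried
    answer: str   # A record returned

Conflict = Tuple[int, str, str, str]  # (txid, qname, first answer, later answer)

def find_conflicting_replies(replies: List[DnsReply]) -> List[Conflict]:
    """Flag any query (txid + name) that receives replies with different answers.
    A repeated reply with the same answer (retransmission) is not a conflict."""
    first: Dict[Tuple[int, str], DnsReply] = {}
    conflicts: List[Conflict] = []
    for r in replies:
        key = (r.txid, r.qname)
        seen = first.setdefault(key, r)  # remembers the first reply per query
        if seen is not r and seen.answer != r.answer:
            conflicts.append((r.txid, r.qname, seen.answer, r.answer))
    return conflicts

# Constructed sample (not a capture): the query for serverX.localdomain.in gets a
# forged reply first and the real server's reply second; a second query is simply
# answered twice with the same record, which is not flagged.
SAMPLE_REPLIES = [
    DnsReply("192.0.2.53", 0x1A2B, "serverX.localdomain.in", "198.51.100.99"),  # forged
    DnsReply("192.0.2.53", 0x1A2B, "serverX.localdomain.in", "192.0.2.50"),     # genuine
    DnsReply("192.0.2.53", 0x3C4D, "other.localdomain.in", "192.0.2.60"),
    DnsReply("192.0.2.53", 0x3C4D, "other.localdomain.in", "192.0.2.60"),       # retransmit
]
```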
Local attacks (3): STP mangling

- It is not a real MITM attack, since the attacker is able to receive only “unmanaged” traffic
- The attacker can forge BPDUs with high priority, pretending to be the new root of the spanning tree
Local attacks (3): STP mangling - tools

ettercap (http://ettercap.sf.net)
- with the Lamia plugin
Local attacks (3): STP mangling - countermeasures

YES - disable STP on VLANs without loops
YES - Root Guard, BPDU Guard