IIT Kanpur Hacker's Workshop 2004, 23-24 Feb 2004

Slide 1: A current analysis of man in the middle (mitm) attacks
Sachin Deodhar <[email protected]>

Slide 2: The scenario
(diagram: Server, Client, Attacker)

Slide 3: MITM attack scenarios (TOC)
Different attacks in different scenarios:

LOCAL AREA NETWORK:
- ARP poisoning
- DNS spoofing
- STP mangling
- Port stealing

FROM LOCAL TO REMOTE (through a gateway):
- ARP poisoning
- DNS spoofing
- DHCP spoofing
- ICMP redirection
- IRDP spoofing
- Route mangling

REMOTE:
- DNS poisoning
- Traffic tunneling
- Route mangling

Slide 4: MITM attack techniques - the local scenario

Slide 5: Local attacks (1) - ARP poisoning

ARP is stateless: a host accepts a reply without having sent a matching request and updates its cache with whatever the reply claims (we all know how it works and what the problems are). Some operating systems do not update an entry that is not already in the cache, and others accept only the first reply received (e.g. Solaris). Against these, the attacker first forges a spoofed ICMP packet (for example an echo request whose source is the address to be poisoned) to force the host to issue an ARP request for that address, and immediately after the ICMP sends the fake ARP reply so that it arrives before the genuine one.

Slide 6: The scenario
(diagram: the Attacker sends a forged gratuitous ARP to the Client and another forged gratuitous ARP to the Server)

Slide 7: Local attacks (1) - ARP poisoning - tools

ettercap (http://ettercap.sf.net):
- Poisoning
- Sniffing
- Hijacking
- Filtering
- SSH v.1 sniffing (transparent attack)

dsniff (http://www.monkey.org/~dugsong/dsniff):
- Poisoning
- Sniffing
- SSH v.1 sniffing (proxy attack)

Slide 8: Local attacks (1) - ARP poisoning - countermeasures

- YES: passive monitoring (arpwatch) - records the IP-to-MAC mapping seen on the wire and reports when it changes
- YES: active monitoring (ettercap)
- YES: IDS (detects, but does not prevent)
- YES: static ARP entries (prevent it, since the cache is never updated from the wire)
- YES: Secure-ARP (public-key authentication of ARP replies)

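The following is an added example, not code from the original slides, ettercap or arpwatch: it builds the two forged gratuitous ARP replies of the Client/Server/Attacker scenario on slides 5 and 6 using only the Python standard library, and then runs an arpwatch-style passive monitor (the first countermeasure above) over the same frames. All MAC and IP addresses are assumed for the demonstration.

```python
# Added example, not from the original slides: forge the two gratuitous ARP
# replies of the Client/Server/Attacker scenario with the standard library
# only, then run an arpwatch-style passive monitor over the same frames.
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Ethernet II header followed by an RFC 826 ARP packet (42 bytes).
    The Ethernet destination defaults to the ARP target; requests go to broadcast."""
    eth_dst = target_mac if eth_dst is None else eth_dst
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # Ethernet/IPv4, 6/4-byte addresses
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": mac_str(frame[22:28]), "spa": ".".join(map(str, frame[28:32])),
            "tha": mac_str(frame[32:38]), "tpa": ".".join(map(str, frame[38:42]))}


def poison_pair(attacker_mac, client_mac, client_ip, server_mac, server_ip):
    """The two forged replies of slide 6: the client is told the server's IP is
    at the attacker's MAC, and the server is told the same about the client."""
    to_client = arp_frame(ARP_REPLY, attacker_mac, server_ip, client_mac, client_ip)
    to_server = arp_frame(ARP_REPLY, attacker_mac, client_ip, server_mac, server_ip)
    return to_client, to_server


class ArpWatch:
    """Passive monitor in the spirit of arpwatch: remember the first MAC seen
    for every sender IP and report each later frame that claims another one.
    It detects the poisoning but does not stop it."""

    def __init__(self):
        self.table = {}   # sender IP -> MAC first seen
        self.alerts = []  # (ip, old_mac, new_mac)

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None or a["spa"] == "0.0.0.0":   # ignore non-ARP frames and ARP probes
            return None
        known = self.table.get(a["spa"])
        if known is None:
            self.table[a["spa"]] = a["sha"]
            return None
        if known != a["sha"]:
            self.alerts.append((a["spa"], known, a["sha"]))
            return self.alerts[-1]
        return None


def demo():
    """Constructed traffic (assumed addresses): a genuine request/reply between
    client and server, then the attacker's two forged replies."""
    client_mac, client_ip = "00:11:22:33:44:01", "10.1.1.50"
    server_mac, server_ip = "00:11:22:33:44:02", "10.1.1.1"
    attacker_mac = "de:ad:be:ef:00:01"
    genuine = [
        arp_frame(ARP_REQUEST, client_mac, client_ip, "00:00:00:00:00:00", server_ip, BROADCAST),
        arp_frame(ARP_REPLY, server_mac, server_ip, client_mac, client_ip),
    ]
    forged = poison_pair(attacker_mac, client_mac, client_ip, server_mac, server_ip)
    watch = ArpWatch()
    for frame in genuine + list(forged):
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for ip, old, new in demo():
        print(f"ALERT {ip} changed from {old} to {new}")
```

Running the demo yields one alert per poisoned victim, because each forged reply claims an IP that the monitor has already associated with a different MAC. A monitor of this kind is only as good as its first observation: if the attacker is already poisoning when it starts, the forged mapping is the one it learns as "known", which is why static entries or authenticated ARP are the only items on the slide that actually prevent the attack.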
Slide 9: Local attacks (2) - DNS spoofing
(diagram: HOST, DNS server and MITM; labels serverX.localdomain.in, 10.1.1.50, 10.1.1.1)

If the attacker is able to sniff the ID of the DNS request, he/she can reply before the real DNS server does. The forged reply must carry the same transaction ID (and match the question and destination port the resolver is waiting on) and simply arrive first; the resolver accepts it and discards the genuine answer that arrives later.

Slide 10: Local attacks (2) - DNS spoofing - tools

ettercap (http://ettercap.sf.net):
- Phantom plugin

dsniff (http://www.monkey.org/~dugsong/dsniff):
- dnsspoof

zodiac (http://www.packetfactory.com/Projects/zodiac)

Slide 11: Local attacks (2) - DNS spoofing - countermeasures

- YES: detect multiple replies to the same request (IDS)
- YES: use the lmhosts or hosts file for static resolution of critical hosts
- YES: DNSSEC

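The following is an added example, not code from the original slides or from dnsspoof/ettercap: a minimal DNS A-query builder and parser using only the Python standard library, the forged answer an attacker sends once the transaction ID has been sniffed (slide 9), and the "multiple replies" detector from the countermeasures above. The transaction ID, the roles of 10.1.1.1 (MITM) and 10.1.1.50 (genuine answer) and the query name are assumptions for the demonstration.

```python
# Added example, not from the original slides: a minimal DNS A-query builder
# and parser (standard library only), the forged answer an attacker sends once
# the transaction ID is sniffed, and the "multiple replies" detector from the
# countermeasures slide.
import struct

DNS_HDR = "!HHHHHH"   # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode labels at msg[off:], following a compression pointer (RFC 1035 4.1.4)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def dns_query(txid, qname):
    """Recursive A/IN query as a stub resolver would send it."""
    return struct.pack(DNS_HDR, txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def parse_query(msg):
    txid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, qname, qtype, qclass


def a_response(query, ip, ttl=300):
    """Positive answer that copies the query's ID and question. The real server
    builds the same thing; the attacker builds it with its own IP and sends it
    first, which is what dnsspoof and ettercap's phantom plugin do."""
    txid, qname, qtype, qclass = parse_query(query)
    hdr = struct.pack(DNS_HDR, txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, NOERROR
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)         # name = pointer to offset 12
    return hdr + question + rr + bytes(int(x) for x in ip.split("."))


def parse_response(msg):
    txid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    qname, off = decode_name(msg, 12)
    off += 4                                                 # skip qtype/qclass
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(map(str, rdata)))
    return txid, qname, answers


class DnsReplyWatch:
    """IDS heuristic: a second reply for the same (ID, name) carrying a
    different answer means someone raced the real server. The resolver has
    already trusted the first one, so this detects rather than prevents."""

    def __init__(self):
        self.seen = {}
        self.alerts = []   # (qname, first_answers, later_answers)

    def observe(self, response):
        txid, qname, answers = parse_response(response)
        key = (txid, qname)
        if key not in self.seen:
            self.seen[key] = answers
            return None
        if self.seen[key] != answers:
            self.alerts.append((qname, self.seen[key], answers))
            return self.alerts[-1]
        return None


def demo():
    """Constructed exchange (roles and ID assumed): the host asks for
    serverX.localdomain.in, the MITM answers with 10.1.1.1 before the real
    server's 10.1.1.50 reply arrives."""
    query = dns_query(0x1A2B, "serverX.localdomain.in")
    forged = a_response(query, "10.1.1.1")
    genuine = a_response(query, "10.1.1.50")
    watch = DnsReplyWatch()
    for reply in (forged, genuine):
        watch.observe(reply)
    return watch.alerts
```

The detector fires exactly once, on the genuine reply, since by then the forged one has already been recorded for that ID and name. Note that the attacker's packet is indistinguishable from a legitimate one on its own; only the presence of two conflicting answers gives it away, which is why the slide lists this under detection and leaves prevention to static hosts entries and DNSSEC.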
Slide 12: Local attacks (3) - STP mangling

It is not a real MITM attack, since the attacker is able to receive only "unmanaged" traffic: after the spanning tree re-converges it sees the traffic that the new tree happens to forward across its links, not a chosen client/server conversation. The attacker forges BPDUs with a high priority (in STP terms, a numerically low bridge ID, which wins the root election), pretending to be the new root of the spanning tree.

Slide 13: Local attacks (3) - STP mangling - tools

ettercap (http://ettercap.sf.net):
- with the Lamia plugin

Slide 14: Local attacks (3) - STP mangling - countermeasures

- YES: disable STP on VLANs without loops
- YES: Root Guard and BPDU Guard on the ports where end hosts connect

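The following is an added example, not code from the original slides or from ettercap's Lamia plugin: it builds an IEEE 802.1D configuration BPDU with the Python standard library, the "superior" BPDU an attacker sends to claim the root role (slide 12), and the Root Guard and BPDU Guard decisions listed above. The bridge MACs are assumptions for the demonstration.

```python
# Added example, not from the original slides: build an IEEE 802.1D
# configuration BPDU (standard library only), the "superior" one an attacker
# sends to claim the root role, and the Root Guard / BPDU Guard checks that
# the countermeasures slide recommends.
import struct

STP_MCAST = "01:80:c2:00:00:00"   # bridge group address
LLC_STP = b"\x42\x42\x03"          # DSAP/SSAP 0x42, UI control field


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bridge_id(priority, mac):
    """8-byte bridge ID: 2-byte priority then the bridge MAC. The root is the
    bridge with the numerically LOWEST ID, so "high priority" on the slide
    means a low priority value (0 is the best possible)."""
    return struct.pack("!H", priority) + mac_bytes(mac)


def config_bpdu(src_mac, root_id, own_id, root_cost=0, port_id=0x8001,
                max_age=20, hello=2, fwd_delay=15):
    """802.3 frame with LLC and a 35-byte configuration BPDU; timers are in 1/256 s."""
    body = struct.pack("!HBBB", 0, 0, 0, 0)            # protocol 0, version 0, type config, flags 0
    body += root_id + struct.pack("!I", root_cost) + own_id
    body += struct.pack("!HHHHH", port_id, 0, max_age * 256, hello * 256, fwd_delay * 256)
    payload = LLC_STP + body
    return mac_bytes(STP_MCAST) + mac_bytes(src_mac) + struct.pack("!H", len(payload)) + payload


def parse_bpdu(frame):
    """Return root/bridge IDs of a configuration BPDU, or None for any other frame."""
    if len(frame) < 52 or frame[:6] != mac_bytes(STP_MCAST) or frame[14:17] != LLC_STP:
        return None
    proto, version, btype, flags = struct.unpack("!HBBB", frame[17:22])
    if proto != 0 or btype != 0:
        return None
    return {"root_id": frame[22:30],
            "root_cost": struct.unpack("!I", frame[30:34])[0],
            "bridge_id": frame[34:42]}


def bpdu_guard(frame):
    """BPDU Guard: an edge (portfast) port must never see a BPDU at all;
    receiving one err-disables the port regardless of its contents."""
    return "err-disabled" if parse_bpdu(frame) is not None else "ok"


def root_guard(frame, current_root_id):
    """Root Guard: a BPDU advertising a root ID better (lower) than the known
    root is "superior"; the port goes root-inconsistent instead of re-electing.
    Big-endian bytes compare in the same order as the numeric IDs."""
    b = parse_bpdu(frame)
    if b is not None and b["root_id"] < current_root_id:
        return "root-inconsistent"
    return "ok"


def demo():
    """Constructed frames (assumed MACs): the legitimate root's own BPDU and
    the attacker's forgery with priority 0 and a low MAC, run through both guards."""
    legit_root = bridge_id(32768, "00:1b:2a:00:00:01")
    legit = config_bpdu("00:1b:2a:00:00:01", legit_root, legit_root)
    evil_id = bridge_id(0, "00:00:00:00:00:01")
    evil = config_bpdu("de:ad:be:ef:00:01", evil_id, evil_id)
    return (root_guard(legit, legit_root), root_guard(evil, legit_root), bpdu_guard(evil))
```

The legitimate BPDU passes Root Guard, the forged one is flagged because its root ID sorts below the known root, and BPDU Guard rejects it without looking at the contents at all. The two guards are complementary: BPDU Guard belongs on ports that should never carry STP, Root Guard on inter-switch ports that may legitimately carry BPDUs but must never learn a new root from that side.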