Man in the Middle Attacks, Engineering Secure Software (PowerPoint PPT Presentation)


SLIDE 1

SWEN-331: Engineering Secure Software Benjamin S Meyers

Man in the Middle Attacks

Engineering Secure Software

Last Revised: September 1, 2020

SLIDE 2

High Level View

  • Allows the hacker to sit in between all communication between client and server
  • They sniff packets and manipulate/change/insert new data/commands without either client or server being aware

[Diagram: User <-> Hacker <-> Target App/Server]

SLIDE 3

How Can This Happen?

  • One of the most common methods is called “ARP Cache Poisoning”
    ○ ARP: Address Resolution Protocol (Data Link Layer)
  • ARP is used by computers to find ‘who has a particular IP address’ and learn that computer’s MAC address; the IP-to-MAC binding is then cached so frames for that IP can be delivered
  • ARP is a broadcast protocol (a cry for help) with no authentication: any host on the segment can answer
  • Attackers can send false replies to an ARP request, inserting their own computer as a fake network citizen
    ○ Many stacks also update an existing cache entry from an unsolicited (“gratuitous”) reply, so the attacker does not even have to wait for a request
    ○ Once this happens, they can impersonate either the end-point or the gateway (which allows snooping/inserting into all traffic)

SLIDE 4

ARP Spoofing

[Diagram, step 1 of 3: User (IP 200.21.22.20), Hacker (IP 200.21.22.21, MAC cc:cc:cc:cc:cc:cc) and Target App/Server (IP 200.21.22.23, MAC aa:aa:aa:aa:aa:aa) share a switch. The User broadcasts “Who has 200.21.22.23?”, and both the Target App/Server and the Hacker receive it.]

SLIDE 5

ARP Spoofing

[Diagram, step 2 of 3: the Hacker answers the broadcast with a forged reply claiming that 200.21.22.23 is at cc:cc:cc:cc:cc:cc.]

SLIDE 6

ARP Spoofing

[Diagram, step 3 of 3: the same hosts after the forged reply, with the User’s traffic for the Target App/Server now passing through the Hacker.]

SLIDE 7

ARP Example

  • Command: arp -a
    ○ The permanent entry is the host’s own address; every other entry expires (Expire column) and is re-learned from whatever reply arrives next, which is exactly what poisoning exploits

nitron$ arp -a
Host                               Ethernet Address    Netif  Expire     Flags
nitron.se.rit.edu                  00:50:56:99:72:ec   em0    permanent  1
gleep.se.rit.edu                   00:a0:98:31:30:58   em0    10m6s
control.se.rit.edu                 00:50:56:8c:00:36   em0    17m12s
potamus.se.rit.edu                 00:50:56:8c:00:1e   em0    19m46s
norville.se.rit.edu                00:c0:9f:3f:4a:1e   em0    12m31s
freezoid.se.rit.edu                00:25:90:6c:38:82   em0    19m39s
zin.se.rit.edu                     00:0d:b9:42:d6:60   em0    19m39s
grapeape.se.rit.edu                00:50:56:99:6c:19   em0    13m26s
dynomutt.se.rit.edu                00:0d:b9:4c:ab:3c   em0    19m39s
rit-west3-gw-070-vlan208.rit.edu   f4:cc:55:de:3a:92   em0    20m0s

SLIDE 8

Notes

  • The attack can only be used on networks that use ARP, and the attacker must have direct access to the local network segment being targeted
    ○ Just about everyone uses ARP! (IPv4 over Ethernet and Wi-Fi; IPv6 uses Neighbor Discovery instead, which can be spoofed the same way)
    ○ Since you need to have your attacking software on the local network segment for this to work, hackers are always looking for ways to infiltrate your environment
      ■ Thus, all of the network discovery port scans

SLIDE 9

How Can This Be Prevented?

  • ARP cache poisoning is one of the hardest hacks to prevent, but some tools do exist
    ○ Static IP/MAC lists (difficult to manage on large networks)
    ○ ARP spoofing detection software
      ■ Can be integrated into the DHCP server (the switch checks ARP replies against the DHCP lease table, as in Dynamic ARP Inspection)
      ■ Can be part of the switch/router
      ■ Can be on the local PC
      ■ Can be within the OS
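The following is an added example, not code from the slides or the course. It builds the frames from the slide 4 to 6 sequence by hand (Ethernet II plus RFC 826 ARP, no scapy) and runs them through a small passive detector of the kind slide 9 calls “ARP spoofing detection software”: it honours a static IP/MAC list, learns the rest from traffic like a real cache, and alerts when a reply contradicts a known binding or when one MAC claims several IPs. The User’s MAC (bb:bb:bb:bb:bb:bb), the gateway address 200.21.22.1 and the detector’s rules are assumptions made for the example; the other addresses are the ones on the slide.

```python
import struct

# Addresses from the slide diagram. The user's MAC and the gateway IP are not on
# the slide and are assumed here for the example.
USER_IP, USER_MAC = "200.21.22.20", "bb:bb:bb:bb:bb:bb"
HACKER_IP, HACKER_MAC = "200.21.22.21", "cc:cc:cc:cc:cc:cc"
SERVER_IP, SERVER_MAC = "200.21.22.23", "aa:aa:aa:aa:aa:aa"
GATEWAY_IP = "200.21.22.1"

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join("%02x" % x for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP message (RFC 826).
    A request is broadcast ("Who has target_ip?"); a reply goes straight to the
    asker ("sender_ip is-at sender_mac")."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype=Ethernet, ptype=IPv4, hlen, plen, opcode
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode the fields a detector needs from a raw frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    return {"op": op,
            "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
            "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20])}


class ArpWatch:
    """Passive detector (hypothetical design for this example). It never overwrites a
    binding it already holds, so a reply that disagrees with the table is reported as
    a change rather than accepted; a MAC that answers for several IPs is reported too
    (this second rule gives false positives on segments using proxy ARP)."""

    def __init__(self, static=None):
        self.table = dict(static or {})   # trusted static IP->MAC list plus learned entries
        self.claims = {}                  # MAC -> set of IPs it has claimed in replies

    def observe(self, frame):
        p = parse_arp(frame)
        ip, mac = p["sender_ip"], p["sender_mac"]
        if p["op"] == ARP_REPLY:
            self.claims.setdefault(mac, set()).add(ip)
        known = self.table.get(ip)
        if known is not None and known != mac:
            return ("mac-changed", ip, known, mac)          # a real cache would now be poisoned
        if known is None:
            self.table[ip] = mac                            # learn from the sender, as a cache does
        if p["op"] == ARP_REPLY and len(self.claims[mac]) > 1:
            return ("multi-claim", mac, sorted(self.claims[mac]))
        return None


def demo():
    """Replay the slide's sequence: broadcast request, real reply, forged replies for
    both ends of the conversation and finally for the gateway."""
    watch = ArpWatch(static={SERVER_IP: SERVER_MAC})
    frames = [
        build_arp(ARP_REQUEST, USER_MAC, USER_IP, ZERO_MAC, SERVER_IP),    # "Who has 200.21.22.23?"
        build_arp(ARP_REPLY, SERVER_MAC, SERVER_IP, USER_MAC, USER_IP),    # "200.21.22.23 is-at aa:..."
        build_arp(ARP_REPLY, HACKER_MAC, SERVER_IP, USER_MAC, USER_IP),    # forged: server is-at cc:...
        build_arp(ARP_REPLY, HACKER_MAC, USER_IP, SERVER_MAC, SERVER_IP),  # forged: user is-at cc:...
        build_arp(ARP_REPLY, HACKER_MAC, GATEWAY_IP, USER_MAC, USER_IP),   # forged: gateway is-at cc:...
    ]
    return [watch.observe(f) for f in frames]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The first forged reply is caught by the static entry for the server, the second by the binding learned from the User’s own request, and the third only by the multi-claim rule, because nothing in the table knew the gateway’s MAC beforehand: a detector with no prior knowledge of a host accepts the first answer it sees, which is why static lists or a DHCP-backed binding table matter.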

SLIDE 10

DNS Cache Poisoning

  • Cache poisoning affects more than just ARP
  • Domain Name System (DNS)
    ○ DNS nameservers keep track of which IP addresses map to which hostnames (e.g. www.google.com)
    ○ There are multiple authoritative DNS nameservers, and recursive resolvers cache what they learn from them
    ○ When your resolver asks for the IP address of www.google.com, an attacker can race the real answer with a forged response carrying a malicious IP address; if the forgery is accepted first, it is cached and served to every later client
    ○ CVE-2008-1447 and CVE-2008-4392
    ○ CAPEC-141

SLIDE 11

DNS Cache Poisoning

[Figure, 1 of 3: the resolver forwards the client’s lookup to the nameserver as a query carrying a query_id. Source: https://www.cloudflare.com/learning/dns/dns-cache-poisoning/]

SLIDE 12

DNS Cache Poisoning

[Figure, 2 of 3: a response is only accepted if it carries the same query_id as the outstanding query. Source: https://www.cloudflare.com/learning/dns/dns-cache-poisoning/]

SLIDE 13

DNS Cache Poisoning

[Figure, 3 of 3: the attacker sends many forged responses with different query_id guesses, racing the legitimate answer. Source: https://www.cloudflare.com/learning/dns/dns-cache-poisoning/]

SLIDE 14

DNS Cache Poisoning

  • Why does this happen?
    ○ DNS uses UDP by default, not TCP
      ■ No handshake, so the source address of a response proves nothing; the resolver accepts whichever packet arrives first with the right query_id, destination port and question
      ■ The attacker does not need to see the query, only to guess those values before the real answer arrives

Source: https://www.cloudflare.com/learning/dns/dns-cache-poisoning/

SLIDE 15

How Can This Be Prevented?

  • DNS cache expires
    ○ Time-to-Live (TTL)
    ○ BUT: the attacker sets the TTL when they poison the DNS cache, so a forged record can be made to live for days
  • Admins can flush DNS caches, but they usually don’t (and a flush only helps until the next successful race)
  • Randomizing query_ids
    ○ Attackers can still guess the query_id: it is only 16 bits (65,536 values), so flooding forged responses succeeds quickly, and weak random number generators make it worse (CVE-2008-1447)
  • Also randomize the source port for the DNS query
    ○ Adds roughly 16 more bits the attacker has to guess; this was the emergency fix rolled out in 2008
  • DNSSEC: zone owners sign their records and resolvers validate the signatures along a chain of trust from the root, so a forged answer fails validation however it was delivered
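The following is an added example, not code from the slides or the course. It covers the point of slide 14 (a UDP response is accepted on nothing more than query_id, destination port and question) and of slide 15 (why query_id randomization alone is not enough and what source-port randomization adds). It builds real DNS wire-format queries and responses with struct, models a caching resolver whose acceptance rule is exactly those three checks, and runs a Kaminsky-style race against it: each round the attacker makes the resolver look up a fresh name so the cache cannot short-circuit, floods forged answers guessing the query_id, and only then lets the real answer arrive. Assumptions for the example: the resolver either uses sequential IDs starting at 0x1000 or random ones, either a single fixed source port 53 or a random ephemeral port; the attacker runs the authoritative server for attacker.example and so learns the ID and port of one probe query; the addresses are RFC 5737 documentation ranges. The real 2008 attack placed its payload in the authority/additional section to hijack a whole zone; this model only shows the race mechanics for a single A record.

```python
import random
import struct

# Constructed addresses (RFC 5737 documentation ranges), not from the slides.
ATTACKER_IP, LEGIT_IP = "203.0.113.66", "192.0.2.10"
EPHEMERAL_PORTS = 65536 - 1024          # 1024..65535


def encode_name(name):
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(txid, name):
    # header: ID, flags (RD), QDCOUNT=1, AN/NS/AR=0; question: QNAME, QTYPE=A, QCLASS=IN
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip, ttl):
    """Response with one A record. The responder picks the TTL, which is why a poisoned
    entry can be made to outlive the real one."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)        # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata      # 0xC00C = pointer to QNAME at offset 12
    return header + question + answer


def parse_response(pkt):
    """Return (txid, question bytes, ttl, ip) of a single-answer response."""
    txid = struct.unpack("!H", pkt[:2])[0]
    i = 12
    while pkt[i]:                       # walk the labels of QNAME
        i += pkt[i] + 1
    i += 1 + 4                          # terminating zero byte + QTYPE/QCLASS
    question = pkt[12:i]
    _, _, _, ttl, rdlen = struct.unpack("!HHHIH", pkt[i:i + 12])
    return txid, question, ttl, ".".join(str(b) for b in pkt[i + 12:i + 12 + rdlen])


class Resolver:
    """Caching resolver model. A response is accepted if it reaches the port the query
    left from, carries the query's 16-bit ID and repeats the question. UDP offers no
    other proof of where it came from; the first matching packet wins."""

    def __init__(self, random_txid, random_port, rng):
        self.random_txid, self.random_port, self.rng = random_txid, random_port, rng
        self.next_txid = 0x1000         # sequential IDs (assumed starting point for the example)
        self.fixed_port = 53            # assumption: one source port reused for every query
        self.outstanding = {}           # (port, txid) -> (question bytes, name)
        self.cache = {}                 # name -> (ip, ttl)

    def send_query(self, name):
        if self.random_txid:
            txid = self.rng.randrange(65536)
        else:
            txid, self.next_txid = self.next_txid, (self.next_txid + 1) & 0xFFFF
        port = self.rng.randrange(1024, 65536) if self.random_port else self.fixed_port
        self.outstanding[(port, txid)] = (build_query(txid, name)[12:], name)
        return port, txid

    def receive(self, pkt, dst_port):
        txid = struct.unpack("!H", pkt[:2])[0]
        if (dst_port, txid) not in self.outstanding:    # wrong port or ID: silently dropped
            return False
        _, question, ttl, ip = parse_response(pkt)
        expected_question, name = self.outstanding[(dst_port, txid)]
        if question != expected_question:
            return False
        del self.outstanding[(dst_port, txid)]
        self.cache[name] = (ip, ttl)
        return True


def race(resolver, forged_per_query, max_queries, rng):
    """Return the round in which a forged answer was cached, or None."""
    # The attacker serves attacker.example, so one probe lookup shows them the ID and
    # source port the resolver is currently using (model assumption).
    port_seen, txid_seen = resolver.send_query("probe.attacker.example")
    resolver.receive(build_response(txid_seen, "probe.attacker.example", ATTACKER_IP, 60), port_seen)
    for n in range(1, max_queries + 1):
        name = "%08x.victim.example" % rng.randrange(1 << 32)   # fresh name: never already cached
        port, txid = resolver.send_query(name)                  # the attacker cannot observe these
        template = build_response(0, name, ATTACKER_IP, 86400)  # attacker-chosen TTL: one day
        for k in range(forged_per_query):                       # guesses following the last ID seen
            guess = (txid_seen + 1 + k) & 0xFFFF
            if resolver.receive(struct.pack("!H", guess) + template[2:], port_seen):
                return n
        resolver.receive(build_response(txid, name, LEGIT_IP, 300), port)   # real answer arrives last
    return None


def search_space(random_txid, random_port):
    """Number of (query_id, port) combinations an attacker must guess blind."""
    return (65536 if random_txid else 1) * (EPHEMERAL_PORTS if random_port else 1)


def demo(random_txid, random_port, forged_per_query=4096, max_queries=200, seed=1):
    rng = random.Random(seed)
    resolver = Resolver(random_txid, random_port, rng)
    rounds = race(resolver, forged_per_query, max_queries, rng)
    poisoned = {n: e for n, e in resolver.cache.items() if e[0] == ATTACKER_IP and n.endswith("victim.example")}
    return rounds, poisoned


if __name__ == "__main__":
    for cfg in [(False, False), (True, False), (True, True)]:
        rounds, poisoned = demo(*cfg)
        print("random_txid=%s random_port=%s space=%d poisoned in round %s %s"
              % (cfg[0], cfg[1], search_space(*cfg), rounds, poisoned))
```

With sequential IDs the first forged packet of the first round is cached, carrying the attacker’s one-day TTL. With random IDs but a fixed port, 4096 guesses per round give a 1-in-16 chance per round, so the poisoning still lands within a few dozen lookups. With a random port as well, the same flood has to hit one of roughly 4.2 billion (query_id, port) pairs and the run ends with the cache clean, which is the gain slide 15 describes; DNSSEC removes the race altogether rather than making it longer.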