Ismael Briones talk

ENGLISH

Start of #qc buffer: Tue Dec 04 23:50:23 2001

ENGLISH TRANSLATION HERE: "The new web programmation: web and PHP"'

dani our next lecture runs by Ismael Briones Vilar

dani is an activ developer working on PHP, a system

administrator, an a long list of jobs..

dani by now works at I+D departament on the spanish newspaper "El

Mundo"

has

dani We whant to thanks to Ismael for his presence here today and

for

his lecture

dani and to all you for your interest

dani the lecture's title is "Arp Spoofing: sniffing segmented

networks"

dani Mr. Briones: good night all

dani i'll start developing this lecture

dani you can ask questions, better in private query, to avoit

duplicated questions

dani first of all, you can find the lecture at

http://www.inkatel.com/

html/Articulos/Arroba/arp-spoofing.doc.html

(irvine.us.uninet.edu irc.br.uninet.edu)

irc.br.uninet.edu)

irc.br.uninet.edu)

(irvine.us.uninet.edu

irc.br.uninet.edu)

irc.br.uninet.edu)

FloodeR First

has

FloodeR In ethernet lan

FloodeR All the computers share the same medium

FloodeR All the computers get "all the traffic"

unizar.es.uninet.edu)

FloodeR But only take the message to that be destain

FloodeR An sniffer eliminate this filter in the ethernet card

FloodeR And put it in promiscue mode (Taken as himself all the

traffic)

FloodeR With it, the ethernet card (ecard) is capable to see all

the

traffic that flow on the net

FloodeR you only need to put the appropiate filter

FloodeR And begin to capture the packet in that we're interested

(login/pass, telne, pop3)

FloodeR The use of switch resolve this problem

FloodeR By the lan segmentation, we only can "see" the traffic that

belong to us

FloodeR Because the switch only route to our lan segment the

packets

destined to our MAC address

FloodeR What's a MAC address?

(Signed

off)

FloodeR All the computers in the same LAN share de media. For this,

there must be a unique identificator for each machine

FloodeR Or best, for each ethernet card (ecard)

FloodeR This not happen in a RTC conexion

FloodeR Because all the data are destinated to the machine that be

FloodeR At other point of the telefon line

FloodeR But when we send data to a LAN (Local area network)

FloodeR Me must specify exactily who are the destination machine

FloodeR We can do it by the MAC address

FloodeR A numbre composed by 12 hexadecimal digit

FloodeR That identify each ecard

FloodeR The mac address has 48 bit

FloodeR First 24 bit identify the crafter

FloodeR This guarantied that can't exist two ecard with the same

MAC

address

FloodeR Duplicated MAC cause problems in the net

dani the restant 24 bits identify the serial number asigned by the

manucacturer, what guarantees that there are not 2 cards with the same MAC

FloodeR In unix

FloodeR We can know the mac addres

FloodeR Typing ifconfig -g

FloodeR The output seems like:

FloodeR ifconfig -a. La salida de este comando se asemejará al

siguiente:

FloodeR <ismak> eth0   Link encap:Ethernet  HWaddr

00:C0:4F:68:BA:50

FloodeR <ismak>           inet addr:192.168.0.1

Bcast:192.168.0.255

FloodeR                   Mask:255.255.255.0

FloodeR <ismak>           UP BROADCAST RUNNING MULTICAST  MTU:1500

Metric:1

FloodeR <ismak>           RX packets:31658 errors:0 dropped:0

overruns:0 frame:0

FloodeR <ismak>           TX packets:20940 errors:0 dropped:0

overruns:0 carrier:0

FloodeR <ismak>           collisions:0 txqueuelen:100

FloodeR <ismak>           Interrupt:19 Base address:0xdc00

dani where the MAC address is 00:C0:4F:68:BA:50.

dani if we whant to know other computer addresses, we'll use our's

computer arp cache

dani with the command:     arp -a

dani this command will show us the computers IP/MAC table stored on

that cache at that momment

dani (if we wont to get a computer's MAC address, wi'll fist ping.

This way wi save the MAC on the cache, and with "arp -a" we obtain this MAC

address)

dani Each time we whant to communicate with another computer on the

network we need to know it's MAC address

dani to get this we use the arp-request function on the broadcast

address ff:ff:ff:ff:ff:ff

dani asking for the MAC from the IP of the computer we neet to

access

to

dani that will reply with arp-reply giving us it's MAC

dani this MAC will be cached for a few minutes, to be used on

future

communications

dani here is where the problem starts

dani ARP's working way

dani the protocol arp (Address resolution protocol) have the

mission

of "translate" 32bit addresses to it's corresponding hardware addresses

dani when the computer needs to resolve an IP address to a MAC one,

sends a broadcast Arp Request to the network segment FF:FF:FF:FF:FF:FF

dani asking to this IP's owner replay with it's ethernet (MAC)

address.

dani you can watch to the first page on the document to see this

process

josh[shine.cmw.sld.cu]: Connection reset by peer)

dani with the goal of shrinking the network flow, each arp-reply

recived by the ecard is cached, anyway if we have not requested this.

dani that is, every arp-reply we recive is cached.

dani this factor is used to make arp-spoofing.

dani Solaris have a timeout and doesn't refresh the cache until

this

timeout is reached

dani limit expiration time

dani that's why solaris is not a wall to make arp spoofing

dani Arp-Spoofing:

dani this method doesn't put the network interface on promiscuous

mode.

dani this is not needed because packets are for us and the switch

will route it to our computer.

dani Let's see wether it is possible..

dani this method consists on "corrupt" arp caceh of two machines we

wanto to sniff

dani once caches are corrupted, both hosts will start

communication,

but all packets will be destinated to us

dani then we sniff it and re-route to the correct host

FloodeR One time the cache are poisoned

FloodeR Looking at the cache of the machines

FloodeR And see that there be 2 machines with the same mac

FloodeR In the second figure in the document you can see the

comunication diagram

FloodeR From our machine, we send bogus arp-reply packets to the

hosts that we want to sniff

FloodeR In this replies, we must tell to the host 1

FloodeR That the arp address of the second host is our address

FloodeR This information remain in his arp cache

FloodeR This machine send now the packet to host 2 but with our MAC

addres

FloodeR The packet are now in our machine

FloodeR The switch route the data to our lan segment

(irvine.us.uninet.edu irc.br.uninet.edu)

(irvine.us.uninet.edu

irc.br.uninet.edu)

FloodeR We send a constan flow of arp-reply (the cache of the

machines can't take real arp information)

<FloodeR>

http://www.inkatel.com/html/Articulos/Arroba/arp-spoofing.doc.

html

FloodeR (This is the url of the document)

FloodeR HOST 1 : arp-reply informando que 192.168.0.2 tiene

dirección

MAC

FloodeR           03:03:03:03:03:03

FloodeR HOST 2 : arp-reply informando que 192.168.0.1 tiene

dirección

MAC

FloodeR           03:03:03:03:03:03

FloodeR The MAC 03:03:03:03:03:03 is of the machine who realiases

the

arp-spoofing

FloodeR With this, we poisoned the arp cache

FloodeR From this point, the traffic inter host 1 and 2, reach our

computer

FloodeR But we must make that the sniffed host don't see any

extrange

FloodeR For this, we must treat the packet that arrives our machine

http://www.inkatel.com/htm

l/Articulos/Arroba/arp-spoofing.doc.html'

FloodeR With this, the communication from host 1 to 2, don't be

interrupted

FloodeR And we can see all the traffic

FloodeR We must configure now a sniffer to captuer all the traffic

(login/passwf, telnet, ftp, pop3, etc..)

FloodeR Perhaps the full session

FloodeR As we can see, the proccess be easy

FloodeR but

FloodeR What tools can we use to refuse arp-spoofing?

FloodeR Excuse

FloodeR tools to send arp-packet

FloodeR Not to refuse :)

FloodeR arptool, arp-fun, ettercap

FloodeR ARPoison

dani ettercap is a complet one, it allows may sniffing types: by

IP,

MAC, Arp-Spoofing

dani sorry.. 4 methods: IP, MAC, ARP and Public ARP

dani it can be executed from a shell or from graphical mode

dani and behind other isues:

dani insert chars on a conection, sniff SSH1 enchripted sessions,

catch passwords, kill connections, dettect Operating Systems, ..

dani on the graphical environment we'll get shown at start a list

of

found hosts on the lan.

dani to realize this search the proggram sends ARP-REQUEST of IPs

having in count the own IP and the netmask

FloodeR Obtainig the arp-replys we can compose the list of the host

alive in the LAN. We must be too much carefully with the lan mask,

because if

milisecond of time inter each request :)

dani an other effect we can get with arp spoofing is a DoS

(Denial of

Service)

ub.es.uninet.edu)

dani Updating ARP caches with unexistant MAC addresses

dani it will couse all packets to be droped

dani if we repeat it on all network clients we get a DoS attack on

all network computers (but don't do it.. ;-))

dani there exist a proggram called Parasite that listens on the

network for ARP Request packets and automatically send a spoofed ARP Reply

dani this puts the attacker machine like a MiM (Man in the Middle)

dani on all the network, and can catch all switches network flow

dani we must think about, after we used one of theese proggrams,

ettercap.., we must restore IP/MAC real values

dani if not, we will cause a DoS on the spoofed machines

dani ARP-SPOOFING PROTECTION:

dani there's no universal way to avoid theese attacks

dani indeed, the only one proper way is ussing statical MAC

addresses

dani if MAC are statical, can't be updatet, so.. ARP Replies are

ignored

dani to avoid it, ARP addresses table should have a IP/MAC entry

for

each box on the network

bio.hgy.es)

dani but.. how not.. windows doen't will not work this way

dani it's seen that Windows boxes, using or not statical MACs,

updates the cache when recived an ARP Reply

dani about Windows, I don't know whether exists any configuration

parameter (I haven't make enough tests on it) but some one comments to me

that it seems to exist something

dani to avoid this update when using statical ARP

dani The most efficient method is to dettect it early

dani with ARPwatch we can dettect it

dani ARPwatch listens all arp-replies on the network

dani and build a table with all pairs IP/MAC whichs is stored in a

file

dani when a MAC address assigned to an IP changes, a mail is sent

to

the network admin

dani until now we have seen the way we can use ARP protocol

vulneravilities to sniff on our network.

dani but there are many possibilities

dani Any switches can be mangled using ARP packets to reach that it

will act as a REPEATING mode insted of BRIDGING mode

dani it means, insted of sending packets by the correct switch's

"port", it will be send by all them, so all machines recives all network

packets

dani it will be reached by filling the addresses table with a big

amount of fake MACs

MAC will sent all computers

dani waiting for a response from the destination to cache this MAC.

dani but.. we are overloading the network with false MACs, so, it

will never happend

dani whell, that's all for this lecture

dani ^Bclap clap clap clap clap clap clap clap clap clap

dani ^Bclap clap clap clap clap clap clap clap clap clap

FloodeR XDD

> ^C8,12 ¡FELIZ NAVIDAD!.

#qc Cannot send to channel

FloodeR splas splas splas splas splas

FloodeR splas splas splas splas splas

FloodeR splas splas splas splas splas

FloodeR splas splas splas splas splas

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> ^C4 bravooooooooooooooooooooooooooooo

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

candelita[ahao.ijv.sld.cu]: Connection reset by peer)

End of #qc buffer Tue Dec 04 23:50:23 2001

Generated by irclog2html.pl by Jeff Waugh - find it at freshmeat.net!

Mas información: