Sunteți pe pagina 1din 66



Social Engineering
Network Attack
A Quote from Kevin Mitnick

You could spend a fortune purchasing

technology and services from every exhibitor,
speaker and sponsor at the RSA Conference,
and your network infrastructure could still
remain vulnerable to old-fashioned
Types of Attacks

Impersonation on help desk calls
Physical access (such as tailgating)
Shoulder surfing
Dumpster diving
Stealing important documents

Use of deceptive mass mailing

Can target specific entities (spear phishing)
Impersonation on help desk calls

Calling the help desk pretending to be someone else

Usually an employee or someone with authority
Assign pins for calling the help desk
Dont do anything on someones order
Stick to the scope of the help desk
Physical access

Ultimately obtains unauthorize building access
Require badges
Employee training
Security officers
No exceptions!
Shoulder surfing

Someone can watch the

keys you press when
entering your password
Probably less common
Be aware of whos
around when entering
your password
Dumpster diving

Looking through the trash for

sensitive information
Doesnt have to be dumpsters: any
trashcan will do
Easy secure document destruction
Lock dumpsters
Erase magnetic media
Stealing important documents

Can take documents off someones desk

Lock your office
If you dont have an office: lock your files securely
Dont leave important information in the open
Attack Model
Datalink layer : ARP poisoning, MAC flooding
Network Layer : Attack against IP
Transport layer : Attack against TCP and UDP
Application layer : cookie protocol problem, session hijacking

there is no way to authenticate the IP to MAC address mapping in the

ARP reply
if computer A has sent and ARP request and it gets an ARP reply, then
ARP protocol by no means can check whether the information or the IP
to MAC mapping in the ARP reply is correct or not
even if a host did not send an ARP request and gets an ARP reply, then
also it trusts the information in reply and updates its ARP cache.
An evil hacker can craft a valid ARP reply in which any IP is mapped to
any MAC address of the hackers choice and can send this message to the
complete network
How ARP Works?
ARP Request is Broadcast to all the hosts in LAN

Who has IP

Tell your MAC address
IIT Indore Neminath Hubballi
How ARP Works?

Unicast Reply from concerned host

I have IP
My MAC is 00:00:00:00:00:02
IIT Indore Neminath Hubballi
ARP Cache Stores IP-MAC Pairs

ARP cache : updated

IP MAC TYPE 00:00:00:00:00:02 dynamic 00:00:00:00:00:03

IIT Indore Neminath Hubballi

Why is ARP Vulnerable?

ARP is a stateless protocol

Hosts cache all ARP replies sent to them even if they

had not sent an explicit ARP request for it.

No mechanism to authenticate their peer

IIT Indore Neminath Hubballi

Known Attacks Against ARP

ARP Spoofing

Man-in-the-Middle Attack

Denial-of-Service Attack

MAC Flooding ( on Switch )

DoS by spurious ARP packets

IIT Indore Neminath Hubballi

ARP Spoofing Attack

Attacker sends forged ARP packets to the victim
00:00:00:00:00:03 I have IP
My MAC is 00:00:00:00:00:02

Target ARP Reply

00:00:00:00:00:01 00:00:00:00:00:02

IP MAC TYPE Attacker 00:00:00:00:00:02 dynamic
IIT Indore Neminath Hubballi
Spoofing Results in Redirection of

Packets for
00:00:00:00:00:01 00:00:00:00:00:02

IIT Indore Neminath Hubballi

Man-in-the-Middle Attack Allows
Third Party to Read Private Data
IP MAC TYPE 00:00:00:00:00:01 dynamic


IIT Indore
Neminath Hubballi 00:00:00:00:00:01 dynamic
Denial of Service Stops Legitimate
A malicious entry with a non-existent MAC address can lead to a
DOS attack
Victim I have IP
00:00:00:00:00:03 My MAC is XX:XX:XX:XX:XX:XX

Target ARP Reply
00:00:00:00:00:01 00:00:00:00:00:02

IIT Indore Neminath Hubballi 24
Denial of Service Stops Legitimate
Victim unable to reach the IP for which the forged packet was
sent by the attacker

PING Request timed out.


IP MAC TYPE XX:XX:XX:XX:XX:XX dynamic IIT Indore Neminath Hubballi
MAC Flooding Degrades Network
Attacker bombards the switch with numerous forged ARP packets
at an extremely rapid rate such that its CAM table overflows

Attacker 1 00:00:01:01:01:01

2 00:00:02:02:02:02

.. .
IIT Indore Neminath Hubballi 26
DoS by Spurious ARP Packets
Attacker sends numerous spurious ARP packets at the victim
such that it gets engaged in processing these packets

Makes the Victim busy and might lead to Denial of Service

Spurious ARP Packets

IIT Indore Neminath Hubballi

Scan, detect, protect and attack computer on LANs

What you need :

PC with windows server 2012 as host machine

Windows2008 running on virtual maschine as target machine
Installed-version of WinPcap driver
Double click WinArpAttacker.exe
What to do

1. Launch Windows server 8 Virtual Machine

2. Launch WinArpAttacker in the host machine
3. Click the scan option from toolbar menu, select Scan LAN. The
scan the active host on the LAN.
4. Select a victim host (window server 2008) from the display list.
Select attack -> flood. Scanning acts as another gateway or IP-
forwarder without other user recognition on the LAN, while spoofing
ARP tables.
5. All data sniffed by spoofing and
forwarded by WinArpAttackerIP-
forward functions are counted, as
shown in the main interface. The
BanGateway option tells the gateway
wrong MACaddresses of target
computer, so the target cant receive
packets from the internet.
6. Click save to save the report

Analize and document the scanned, attacked IP address.

IP doesnt has an authentication mechanism.
A packet simply claims to originated from a given address, and
there is no a way to be sure that the host that sent the packet is
telling the truth.
The fitur of authentication must be provided by higher layer.
IP Spoofing

There is one host that claims to have an IP address of another.

IP Session Hijacking

Is an attack whereby a users session is taking over, being in the

control of an attacker.
TCP SYN or TCP ACK Flood attack
TCP sequence number attack
TCP/IP hijacking
UDP attack
ICMP attack
Smurf attack
ICMP tunneling
TCP Sequenced number attack

Each time a TCP message is sent the client or the server generates
a sequence number. The attacker intercepts and then responds
with a sequence number similar to the one used in the original
session. This attack can then hijack or disrupt a session. If a valid
sequence number is guessed the attacker can place himself
between the client and the server. The attacker gains the
connection and the data from the legitimate system.
TCP Hijacking

This is also called active sniffing, it involves the attacker gaining

access to a host in the network and logically disconnecting it from
the network. The attacker then inserts another machine with the
same IP address. This happens quickly and gives the attacker
access to the session and to all the information on the original
ICMP Attacks

Ping for instance, that uses the ICMP protocol. sPing is a good
example of this type of attack, it overloads te server with more
bytes than it can handle, larger connections. Its ping flood.

This attack uses IP spoofing and broadcasting to

send a ping to a group of hosts on a network.
When a host is pinged it send back ICMP message
traffic information indicating status to the
originator. If a broadcast is sent to network, all
hosts will answer back to the ping. The result is
an overload of network and the target system.
The only way to prevent this attack is to prohibit
ICMP traffic on the router.
ICMP Tunneling

ICMP can contain data about timing and routes. A packet can be
used to hold information that is different from the intended
information. This allows an ICMP packet to be used as a
communications channel between two systems. The channel can
be used to send a Trojan horse or other malicious packet. The
counter measure is to deny ICMP traffic on your network.
Cookie protocol problems

Server is blind:
Does not see cookie attributes (e.g. secure, HttpOnly)
Does not see which domain set the cookie

Server only sees: Cookie: NAME=VALUE

Example 1: login server problems
1. Alice logs in at sets session-id cookie for

2. Alice visits

overwrites session-id cookie
with session-id of user badguy

3. Alice visits to submit homework thinks it is talking to badguy

Problem: expects session-id from;

cannot tell that session-id cookie was overwritten
Example 2: secure cookies are not secure
Alice logs in at
set-cookie: SSID=A7_ESAgDpKYk5TGnf;; Path=/ ;
Expires=Wed, 09-Mar-2026 18:35:11 GMT; Secure; HttpOnly
set-cookie: SAPISID=wj1gYKLFy-RmWybP/ANtKMtPIHNambvdI4;;Path=/ ;
Expires=Wed, 09-Mar-2026 18:35:11 GMT; Secure

Alice visits (cleartext)

Network attacker can inject into response
Set-Cookie: SSID=badguy; secure
and overwrite secure cookie

Problem: network attacker can re-write HTTPS cookies !

HTTPS cookie value cannot be trusted
Interaction with the DOM SOP
Cookie SOP path separation: does not see cookies of

Not a security measure: has access to DOM of


Path separation is done for efficiency not security: is only sent the cookies it needs
Cookies have no integrity
User can change and delete cookie values
Edit cookie database (FF: cookies.sqlite)
Modify Cookie header (FF: TamperData extension)

Silly example: shopping cart software

Set-cookie: shopping-cart-total = 150 ($)

User edits cookie file (cookie poisoning):

Cookie: shopping-cart-total = 15 ($)

Similar problem with hidden fields

<INPUT TYPE=hidden NAME=price VALUE=150>

Session hijacking
Attacker waits for user to login

then attacker steals users Session Token

and hijacks session

attacker can issue arbitrary requests on behalf of user

Example: FireSheep [2010]

Firefox extension that hijacks Facebook
session tokens over WiFi. Solution: HTTPS after login
Beware: Predictable tokens
Example 1: counter
user logs in, gets counter value,
can view sessions of other users

Example 2: weak MAC. token = { userid, MACk(userid) }

Weak MAC exposes k from few cookies.

Apache Tomcat: generateSessionId()

Returns random session ID [server retrieves client state based on sess-id]
Session tokens must be unpredictable to attacker

To generate: use underlying framework (e.g. ASP, Tomcat, Rails)

Rails: token = MD5( current time, random nonce )

Beware: Session token theft
Example 1: login over HTTPS, but subsequent HTTP
Enables cookie theft at wireless Caf (e.g. Firesheep)
Other ways network attacker can steal token:
Site has mixed HTTPS/HTTP pages token sent over HTTP
Man-in-the-middle attacks on SSL

Example 2: Cross Site Scripting (XSS) exploits

Amplified by poor logout procedures:

Logout must invalidate token on server
Mitigating SessionToken theft by binding
SessionToken to clients computer
A common idea: embed machine specific data in SID
Client IP addr: makes it harder to use token at another machine
But honest client may change IP addr during session
client will be logged out for no reason.

Client user agent: weak defense against theft, but doesnt hurt.

SSL session id: same problem as IP address (and even worse)

Session fixation attacks
Suppose attacker can set the users session token:
For URL tokens, trick user into clicking on URL
For cookie tokens, set using XSS exploits
Attack: (say, using URL tokens)
1.Attacker gets anonymous session token for
2.Sends URL to user with attackers session token
3.User clicks on URL and logs into
this elevates attackers token to logged-in token

4.Attacker uses elevated token to hijack users session.

Session fixation: lesson
When elevating user from anonymous to logged-in:

always issue a new session token

After login, token changes to value unknown to attacker

Attackers token is not elevated.


Sniffing password using wireshark

What to do

1. Launch Wireshark
2. From the wireshark menu bar,
select capture interfaces
3. In the Wireshark capture interfaces dialog box, find and select
the Ethernet Driver Interface that is connected to the system, and
then click start.
4. Switch to virtual machine and login to your email.
5. You may save the captured packets from file save as.
6. In Find by...

1. Evaluate the protocols that are involved in the activity that

captured by wireshark
2. Evaluate the result of the activity


3. Matt Curtin.Introduction to network security, 1997
4. Network Security,
5. Network Security, course slide,
6. Certified Ethical Hacker ver 8 (Sniffing) Modul