2-1 spoofing and sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters...

Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018

13

2-1 Spoofing and Sniffing

Spoofing, in general, is a fraudulent مريب or malicious practice in which

communication is sent from an unknown source disguised (متنكر) as a source

known to the receiver. Spoofing is most prevalent )منتشر( or popular in

communication mechanisms that lack a high level of security.

On the other hand, a packet sniffer is a utility that has been used since the

original release of Ethernet. Packet sniffing allows individuals to capture

data as it is transmitted over a network. This technique is used by

network professionals to diagnose network issues, and by malicious

users to capture unencrypted data, like passwords and usernames. If

this information is captured in transit, a user can gain access to a system or

network.

https://www.computerhope.com/jargon/s/sniffing.htm

2-2 Spoofing attack Examples

1- Content Spoofing

Content spoofing is a hacking technique used to lure اغراء a user to interact

on a website that looks legitimate, but is actually an perfect copy of it.

Hackers looking to spoof content use dynamic HTML and frames to

create a website with the expected URL and a similar appearance, and

then prompts the user for personal information. Content spoofing is also

common with email alerts, account notifications and so on.

Q: what are the characterstics of wev site used to spoof content?

https://www.computerhope.com/jargon/s/sniffing.htm


14

2- Email Spoofing

Email spoofing is a fraudulent email activity hiding email origins. The act of

e-mail spoofing occurs when imposters are able to deliver emails by

altering emails' sender information. Although this is usually done by

spammers and through phishing emails for advertising purposes, email

spoofing can have malicious motives such as virus spreading or attempts to

gain personal banking information. Simple Mail Transfer Protocol (SMTP)

does not provide any type of authentication process for persons

sending emails. Yet, it is the primary email system for most people,

facilitating email spoofing. Now a days, most email servers can provide

further security. Also many digital software vendors have created products

remedying تعالج this problem.

3- Spoof Website مهمة A spoof website is a site that uses dishonest آمن رغي designs to trick users into

thinking that it represents some other uninvolved party. Spoof websites

commonly imitate )تقلد( the sites of banks and other official businesses or

government agencies, often in order to fraudulently collect sensitive financial

or personal information from users.

4- Trojan مهمة A Trojan horse is a seemingly benign ()حميد او غير ضار program that when activated, causes

harm to a computer system.

The following are types of trojan horses:


15

Backdoor Trojan: opens a back door for a user to access a victim’s

system at a later time

Downloader: This Trojan downloads malicious software and causes

harm to the victim’s computer system.

Infostealer: This Trojan attempts to steal information from the victim’s

computer.

Remote Access Trojan (RAT): This can be hidden in games or other

programs of a smaller variety and give the attacker control of the

victim’s computer.

Data Sending Trojan: This gives the perpetrator sensitive information

like passwords or other information programmed to be hijacked.

Destructive Trojan: This destroys the victim’s files.

Proxy Trojan: As a proxy server, this allows the attacker to hijack a

victim’s computer and conduct illegal activities from the victim’s

computer.

5- IP Spoofing مهمة جدا

IP spoofing refers to connection hijacking through a fake Internet

Protocol (IP) address. IP spoofing is the action of masking a computer

IP address so that it looks like it is authentic. During this masking

process, the fake IP address sends what appears to be a malevolent

message رسالة مسيئة coupled with an IP address that appears to be authentic

and trusted. In IP spoofing, IP headers are masked through a form of

Transmission Control Protocol (TCP) in which spoofers discover and then

manipulate vital information contained in the IP header such as IP address

and source and destination information.


16

IP spoofing aims to hijack computer sessions through denial-of-

service attacks, which aim to overwhelm the victim with traffic.

https://www.techopedia.com/definition/5398/spoofing

Q: hoe the IP spoofing works?

2-3 Spoof Packet IP IP packets are composed of a header and payload. The IPv4 packet header

consists of:

To engage in IP spoofing, a hacker must first use a variety of techniques to find

an IP address of a trusted host and then modify the packet headers so that it

appears that the packets are coming from that host.

Newer routers and firewall arrangements can offer protection against IP spoofing

http://www.webopedia.com/TERM/I/IP_spoofing.html

2-3-1 History

The concept of IP spoofing, was initially discussed in academic circles in the 1980's.

It was primarily theoretical until Robert Morris, whose son wrote the first Internet

https://www.techopedia.com/definition/5398/spoofing

http://www.webopedia.com/TERM/I/IP_spoofing.html


17

Worm (see http://en.wikipedia.org/wiki/Robert_Tappan_Morris ) discovered a

security weakness in the TCP protocol known as sequence prediction. Stephen

Bellovin discussed the problem in-depth in Security Problems in the TCP/IP

Protocol Suite, a paper that addressed design problems with the TCP/IP protocol

suite. Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu

Shimomura's machine, employed the IP spoofing and TCP sequence prediction

techniques. While the popularity of such cracks has decreased due to the demise of

the services they exploited, spoofing can still be used and needs to be addressed by

all security administrators.

2-3-2 Background The basic protocol for sending data over the Internet network and many other

computer networks is the Internet Protocol ("IP"). The header of each IP packet

contains numerical source and destination address of the packet. The source

address is normally the address that the packet was sent from. By forging تحريف

the header, it will look came from different address, an attacker can make يبدو

it appear that the packet was sent by a different machine. The machine that

receives spoofed packets will send a response back to the forged source address,

which means that this technique is mainly used when the attacker does not care

about the response.

Q: Why IP spoofing technique used when no care about response for victim machine?

IP spoofing, also known as IP address forgery. When IP spoofing is used to hijack

a browser, a visitor who types in the URL (Uniform Resource Locator) of a

legitimate site is taken to a fraudulent Web page created by the hijacker. For

http://en.wikipedia.org/wiki/Robert_Tappan_Morris


18

example, if the hijacker spoofed the Library of Congress Web site, then any Internet

user who typed in the URL www.loc.gov would see spoofed content created by the

hijacker.

If a user interacts with dynamic content on a spoofed page, the hijacker can

gain access to sensitive information or computer or network resources. He

could steal or alter sensitive data, such as a credit card number or password, or

install malware. The hijacker would also be able to take control of a

compromised computer to use it as part of a zombie غير واعي army in order to

send out spam.

2-3-3 Where to be used

IP spoofing is most frequently used in denial-of-service attacks. In such attacks,

the goal is to flood the victim with overwhelming الحد الذي ال يمكن تحمله amounts of

traffic, and the attacker does not care about receiving responses to the attack

packets. Packets with spoofed addresses are thus suitable for such attacks.

IP spoof technique has additional advantages for this purpose, they are more

difficult to filter since each spoofed packet appears to come from a different

address, and they hide the true source of the attack. Denial of service attacks

that use spoofing typically randomly choose addresses from the entire IP

address space. The increase number of large botnets makes spoofing less

important in denial of service attacks, but attackers typically have spoofing

available as a tool, if they want to use it.

Q: What is Botnet?


19

IP spoofing can also be a method of attack used by network

intruders to defeat يكسر network security measures, such as

authentication based on IP addresses. This type of attack is most

effective where trust relationships exist between machines. For example, it is

common on some corporate networks to have internal systems trust each other, so

that users can log in without a username or password provided they are connecting

from another machine on the internal network (and so must already be logged in).

By spoofing a connection from a trusted machine, an attacker may be able to access

the target machine without authentication.

Q: How spoofing used for security measure and when that possible?

2-3-5 How the Technique works

To completely understand how these attacks can take place, one must examine the

structure of the TCP/IP protocol suite

A- Internet Protocol – IP Internet protocol (IP) is a network protocol operating at layer 3 (network) of the OSI

model. It is a connectionless model, meaning there is no information regarding

transaction state, which is used to route packets on a network. Additionally,

there is no method in place to ensure that a packet is properly delivered to the

destination.

Q: what is the mean of connectionless protocol model?


20

IP diagram

Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the

header) contain various information about the packet. The next 8 bytes (the next 2

rows), however, contains the source and destination IP addresses. Using one of

several tools, an attacker can easily modify these addresses – specifically the

“source address” field. It's important to note that each datagram is sent

independent of all others due to the stateless nature of IP.

B- Transmission Control Protocol – TCP جدا مهمة Unlike IP, TCP uses a connection-oriented design. This means that the

participants in a TCP session must first build a connection - via the 3-way

handshake (SYN-SYN/ACK-ACK) –


21

Then update one another on progress - via sequences and acknowledgements.

This “conversation”, ensures data reliability, since the sender receives an OK

from the recipient after each packet exchange.


22

TCP

diagram

IP diagram

As you can see above, a TCP header is very different from an IP header. We are

concerned with the first 12 bytes of the TCP packet, which contain port and

sequencing information. Much like an IP datagram, TCP packets can be

manipulated using software. The source and destination ports normally depend on

the network application in use (for example, HTTP via port 80). What's important

for our understanding of spoofing are the sequence &

acknowledgement numbers. The data contained in these fields

ensures packet delivery by determining whether or not a packet needs to be

resent. The sequence number is the number of the first byte in the current

packet, which is relevant to the data stream. The acknowledgement number, in

turn, contains the value of the next expected sequence number in the stream.


23

This relationship confirms, on both ends, that the proper packets were received.

It’s quite different than IP, since transaction state is closely monitored.

Q: What are the benefits from the data in the sequence and acknowledge fields

in the TCP header?

Obviously, it's very easy to mask a source address by manipulating an IP

header. Another consequence, specific to TCP, is sequence number prediction,

which can lead to session hijacking or host impersonating.

H. W

Q: What is "connection-oriented design" protocol?

Q: Explain with the diagram of 3-way handshake connection?

Q: What are the values for the packet headers of (IP and TCP) protocols, what

each value means? See answers in "Practical analysis packet" 2nd edition, by

CHRIS SANDERS, 201

2-4 Types of Spoofing Attacks مهمه جدا There are a few variations on the types of attacks that successfully employ IP

spoofing such as:

1- Non-Blind Spoofing

This type of attack takes place when the attacker is on the same subnet as the victim.

The sequence and acknowledgement numbers can be sniffed تكتشف, eliminating

the potential difficulty of calculating them accurately. The biggest threat ofازالة

spoofing in this instance would be session hijacking. This is accomplished by


24

corrupting the DataStream of an established connection, then re-establishing it based

on correct sequence and acknowledgement numbers with the attack machine. Using

this technique, an attacker could effectively bypass any authentication measures

taken place to build the connection.

2- Blind Spoofing

This is a more sophisticated تطور attack, because the sequence and

acknowledgement numbers are unreachable. In order to circumvent يراوغthis,

several packets are sent to the target machine (so as to) لكي sample sequence

numbers. While not the case today, machines in the past used basic techniques for

generating sequence numbers. It was relatively easy to discover the exact formula

by studying packets and TCP sessions. Today, most OSs implement random

sequence number generation, making it difficult to predict them accurately. If,

however, the sequence number was compromised, data could be sent to the target.

Several years ago, many machines used host-based authentication services. A

properly crafted attack could add the requisite data to a system (i.e. a new user

account), blindly, enabling full access for the attacker who was impersonating a

trusted host .ماذا يعني هذا الكالم

2-4-1 Man in the Middle Attack Both types of spoofing are forms of a common security violation known as a man in

the middle (MITM) attack. In this attacks, a malicious party intercepts يعترض a

legitimate communication between two friendly parties . The malicious host

then controls the flow of communication and can eliminate or alter the

information sent by one of the original participants المشاركين without the

knowledge of either the original sender or the recipient المستلم.


25

2-4-2 Legitimate uses of IP spoofing

Spoofed IP packets are not always evidence of malicious intent الغراض االيذاء, in

performance testing of websites, hundreds or even thousands of "users"

(virtual users) may be created, each executing a test script خطوات برمجية against

the Web Site under test, in order to simulate الجراء محاكاة what will happen when

the system goes "live" and a large number of users log on at once.

Since each user will normally have its own IP address, commercial testing products

(such as HP's Loadrunner software) can use IP spoofing, allowing each user its own

"return address" as well.

Q: What is HP's Loadrunner software?

2-4-3 How do you detect spoofed IPs?

It depends on what part of the network path you're talking about.

1- Near the final host, it is very difficult: you more or less have to have a way

to do the vet يدقق for each and every packet that arrives.

2- At or near the source of the traffic: it is much easier, you simply drop

every packet that has a source address that isn't part of the networks that

you connected to it.

3- In between, you could filter traffic using in/egress دخول والخروج rules

In computer networking, egress filtering is the practice of monitoring and

potentially restricting the flow of information outbound from one network to

another.

TCP/IP packets that are being sent out of the internal network are examined

via a router, firewall, or similar edge device. Packets that do not meet security

policies are not allowed to leave - they are denied.


26

Egress filtering helps ensure that unauthorized or malicious traffic never leaves

the internal network.

Q Why egrees used in security?

2-5 Defending Against Spoofing مهمة جدا

There are a few precautions تحوطات that can be taken to limit لتحديد IP spoofing risks

on your network, such as:

1- Filtering at the Router - Implementing ingress ولوج دخول and egress

filtering on your border routers is a great place to start your spoofingخروج

defense. You will need to implement تنفيذan ACL (access control list) that

blocks private IP addresses on your downstream interface واجهة قدوم البيانات.

Additionally, this interface should not accept addresses with your internal range as

the source, as this is a common شائع spoofing technique used to circumvent

اجهة خروج البياناتو firewalls. On the upstream interfaceتجنب , you should restrict تحديد

source addresses outside of your valid range, which will prevent someone on your

network from sending spoofed traffic to the Internet.

2- Consider an ISP; from the ISP point of view, there are two sorts of IP

addresses: its addresses (i.e. the one it grants to its customers), and the rest of

the World. In the ISP routers, packets with a "external" source address should

be seen as incoming packets (coming from the outside), not as outgoing

packets; and vice versa for packets with an "internal" source address. If one

of the ISP customer sends a packet with a spoofed external address, this will

show up as an outgoing packet, coming from the inside, but with an external

source address; the ISP routers will find such an occurrence anomalous شاذة

and may report it. The ISP can then further track down such packets down its

infrastructure and thus pinpoint يحدد بدققه the culprit (causer, intiator المسبب).


27

3- Encryption and Authentication - Implementing encryption and

authentication will also reduce spoofing threats. Both of these features are

included in Ipv6, which will eliminate current spoofing threats.

4- Eliminate all host-based authentication measures, which are sometimes

common for machines on the same subnet. Ensure that the proper

authentication measures are in place and carried out over a secure (encrypted)

channel.

5- Upper layers - تم شرحها وتوضيحها سابقا

some upper layer protocols provide their own defense against IP spoofing

attacks. For example, Transmission Control Protocol (TCP) uses sequence

numbers negotiated يتناقش او يتفاوض with the remote machine to ensure

that arriving packets are part of an established connection. Since the

attacker normally can't see any reply packets, the sequence number must

be guessed in order to hijack the connection. The poor implementation in

many older operating systems and network devices, however, means that

TCP sequence numbers can be predicted.

References Tanase, M. (2003). IP Spoofing: An Introduction. http://www.symantec.com/connect/articles/ip-spoofing-

introduction.

2-1 spoofing and sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters...

Documents