2-1 spoofing and sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters...
TRANSCRIPT
![Page 1: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/1.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
13
2-1 Spoofing and Sniffing
Spoofing, in general, is a fraudulent مريب or malicious practice in which
communication is sent from an unknown source disguised (متنكر) as a source
known to the receiver. Spoofing is most prevalent )منتشر( or popular in
communication mechanisms that lack a high level of security.
On the other hand, a packet sniffer is a utility that has been used since the
original release of Ethernet. Packet sniffing allows individuals to capture
data as it is transmitted over a network. This technique is used by
network professionals to diagnose network issues, and by malicious
users to capture unencrypted data, like passwords and usernames. If
this information is captured in transit, a user can gain access to a system or
network.
https://www.computerhope.com/jargon/s/sniffing.htm
2-2 Spoofing attack Examples
1- Content Spoofing
Content spoofing is a hacking technique used to lure اغراء a user to interact
on a website that looks legitimate, but is actually an perfect copy of it.
Hackers looking to spoof content use dynamic HTML and frames to
create a website with the expected URL and a similar appearance, and
then prompts the user for personal information. Content spoofing is also
common with email alerts, account notifications and so on.
Q: what are the characterstics of wev site used to spoof content?
![Page 2: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/2.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
14
2- Email Spoofing
Email spoofing is a fraudulent email activity hiding email origins. The act of
e-mail spoofing occurs when imposters are able to deliver emails by
altering emails' sender information. Although this is usually done by
spammers and through phishing emails for advertising purposes, email
spoofing can have malicious motives such as virus spreading or attempts to
gain personal banking information. Simple Mail Transfer Protocol (SMTP)
does not provide any type of authentication process for persons
sending emails. Yet, it is the primary email system for most people,
facilitating email spoofing. Now a days, most email servers can provide
further security. Also many digital software vendors have created products
remedying تعالج this problem.
3- Spoof Website مهمة A spoof website is a site that uses dishonest آمن رغي designs to trick users into
thinking that it represents some other uninvolved party. Spoof websites
commonly imitate )تقلد( the sites of banks and other official businesses or
government agencies, often in order to fraudulently collect sensitive financial
or personal information from users.
4- Trojan مهمة A Trojan horse is a seemingly benign ()حميد او غير ضار program that when activated, causes
harm to a computer system.
The following are types of trojan horses:
![Page 3: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/3.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
15
Backdoor Trojan: opens a back door for a user to access a victim’s
system at a later time
Downloader: This Trojan downloads malicious software and causes
harm to the victim’s computer system.
Infostealer: This Trojan attempts to steal information from the victim’s
computer.
Remote Access Trojan (RAT): This can be hidden in games or other
programs of a smaller variety and give the attacker control of the
victim’s computer.
Data Sending Trojan: This gives the perpetrator sensitive information
like passwords or other information programmed to be hijacked.
Destructive Trojan: This destroys the victim’s files.
Proxy Trojan: As a proxy server, this allows the attacker to hijack a
victim’s computer and conduct illegal activities from the victim’s
computer.
5- IP Spoofing مهمة جدا
IP spoofing refers to connection hijacking through a fake Internet
Protocol (IP) address. IP spoofing is the action of masking a computer
IP address so that it looks like it is authentic. During this masking
process, the fake IP address sends what appears to be a malevolent
message رسالة مسيئة coupled with an IP address that appears to be authentic
and trusted. In IP spoofing, IP headers are masked through a form of
Transmission Control Protocol (TCP) in which spoofers discover and then
manipulate vital information contained in the IP header such as IP address
and source and destination information.
![Page 4: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/4.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
16
IP spoofing aims to hijack computer sessions through denial-of-
service attacks, which aim to overwhelm the victim with traffic.
https://www.techopedia.com/definition/5398/spoofing
Q: hoe the IP spoofing works?
2-3 Spoof Packet IP IP packets are composed of a header and payload. The IPv4 packet header
consists of:
To engage in IP spoofing, a hacker must first use a variety of techniques to find
an IP address of a trusted host and then modify the packet headers so that it
appears that the packets are coming from that host.
Newer routers and firewall arrangements can offer protection against IP spoofing
http://www.webopedia.com/TERM/I/IP_spoofing.html
2-3-1 History
The concept of IP spoofing, was initially discussed in academic circles in the 1980's.
It was primarily theoretical until Robert Morris, whose son wrote the first Internet
![Page 5: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/5.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
17
Worm (see http://en.wikipedia.org/wiki/Robert_Tappan_Morris ) discovered a
security weakness in the TCP protocol known as sequence prediction. Stephen
Bellovin discussed the problem in-depth in Security Problems in the TCP/IP
Protocol Suite, a paper that addressed design problems with the TCP/IP protocol
suite. Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu
Shimomura's machine, employed the IP spoofing and TCP sequence prediction
techniques. While the popularity of such cracks has decreased due to the demise of
the services they exploited, spoofing can still be used and needs to be addressed by
all security administrators.
2-3-2 Background The basic protocol for sending data over the Internet network and many other
computer networks is the Internet Protocol ("IP"). The header of each IP packet
contains numerical source and destination address of the packet. The source
address is normally the address that the packet was sent from. By forging تحريف
the header, it will look came from different address, an attacker can make يبدو
it appear that the packet was sent by a different machine. The machine that
receives spoofed packets will send a response back to the forged source address,
which means that this technique is mainly used when the attacker does not care
about the response.
Q: Why IP spoofing technique used when no care about response for victim machine?
IP spoofing, also known as IP address forgery. When IP spoofing is used to hijack
a browser, a visitor who types in the URL (Uniform Resource Locator) of a
legitimate site is taken to a fraudulent Web page created by the hijacker. For
![Page 6: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/6.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
18
example, if the hijacker spoofed the Library of Congress Web site, then any Internet
user who typed in the URL www.loc.gov would see spoofed content created by the
hijacker.
If a user interacts with dynamic content on a spoofed page, the hijacker can
gain access to sensitive information or computer or network resources. He
could steal or alter sensitive data, such as a credit card number or password, or
install malware. The hijacker would also be able to take control of a
compromised computer to use it as part of a zombie غير واعي army in order to
send out spam.
2-3-3 Where to be used
IP spoofing is most frequently used in denial-of-service attacks. In such attacks,
the goal is to flood the victim with overwhelming الحد الذي ال يمكن تحمله amounts of
traffic, and the attacker does not care about receiving responses to the attack
packets. Packets with spoofed addresses are thus suitable for such attacks.
IP spoof technique has additional advantages for this purpose, they are more
difficult to filter since each spoofed packet appears to come from a different
address, and they hide the true source of the attack. Denial of service attacks
that use spoofing typically randomly choose addresses from the entire IP
address space. The increase number of large botnets makes spoofing less
important in denial of service attacks, but attackers typically have spoofing
available as a tool, if they want to use it.
Q: What is Botnet?
![Page 7: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/7.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
19
IP spoofing can also be a method of attack used by network
intruders to defeat يكسر network security measures, such as
authentication based on IP addresses. This type of attack is most
effective where trust relationships exist between machines. For example, it is
common on some corporate networks to have internal systems trust each other, so
that users can log in without a username or password provided they are connecting
from another machine on the internal network (and so must already be logged in).
By spoofing a connection from a trusted machine, an attacker may be able to access
the target machine without authentication.
Q: How spoofing used for security measure and when that possible?
2-3-5 How the Technique works
To completely understand how these attacks can take place, one must examine the
structure of the TCP/IP protocol suite
A- Internet Protocol – IP Internet protocol (IP) is a network protocol operating at layer 3 (network) of the OSI
model. It is a connectionless model, meaning there is no information regarding
transaction state, which is used to route packets on a network. Additionally,
there is no method in place to ensure that a packet is properly delivered to the
destination.
Q: what is the mean of connectionless protocol model?
![Page 8: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/8.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
20
IP diagram
Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the
header) contain various information about the packet. The next 8 bytes (the next 2
rows), however, contains the source and destination IP addresses. Using one of
several tools, an attacker can easily modify these addresses – specifically the
“source address” field. It's important to note that each datagram is sent
independent of all others due to the stateless nature of IP.
B- Transmission Control Protocol – TCP جدا مهمة Unlike IP, TCP uses a connection-oriented design. This means that the
participants in a TCP session must first build a connection - via the 3-way
handshake (SYN-SYN/ACK-ACK) –
![Page 9: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/9.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
21
Then update one another on progress - via sequences and acknowledgements.
This “conversation”, ensures data reliability, since the sender receives an OK
from the recipient after each packet exchange.
![Page 10: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/10.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
22
TCP
diagram
IP diagram
As you can see above, a TCP header is very different from an IP header. We are
concerned with the first 12 bytes of the TCP packet, which contain port and
sequencing information. Much like an IP datagram, TCP packets can be
manipulated using software. The source and destination ports normally depend on
the network application in use (for example, HTTP via port 80). What's important
for our understanding of spoofing are the sequence &
acknowledgement numbers. The data contained in these fields
ensures packet delivery by determining whether or not a packet needs to be
resent. The sequence number is the number of the first byte in the current
packet, which is relevant to the data stream. The acknowledgement number, in
turn, contains the value of the next expected sequence number in the stream.
![Page 11: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/11.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
23
This relationship confirms, on both ends, that the proper packets were received.
It’s quite different than IP, since transaction state is closely monitored.
Q: What are the benefits from the data in the sequence and acknowledge fields
in the TCP header?
Obviously, it's very easy to mask a source address by manipulating an IP
header. Another consequence, specific to TCP, is sequence number prediction,
which can lead to session hijacking or host impersonating.
H. W
Q: What is "connection-oriented design" protocol?
Q: Explain with the diagram of 3-way handshake connection?
Q: What are the values for the packet headers of (IP and TCP) protocols, what
each value means? See answers in "Practical analysis packet" 2nd edition, by
CHRIS SANDERS, 201
2-4 Types of Spoofing Attacks مهمه جدا There are a few variations on the types of attacks that successfully employ IP
spoofing such as:
1- Non-Blind Spoofing
This type of attack takes place when the attacker is on the same subnet as the victim.
The sequence and acknowledgement numbers can be sniffed تكتشف, eliminating
the potential difficulty of calculating them accurately. The biggest threat ofازالة
spoofing in this instance would be session hijacking. This is accomplished by
![Page 12: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/12.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
24
corrupting the DataStream of an established connection, then re-establishing it based
on correct sequence and acknowledgement numbers with the attack machine. Using
this technique, an attacker could effectively bypass any authentication measures
taken place to build the connection.
2- Blind Spoofing
This is a more sophisticated تطور attack, because the sequence and
acknowledgement numbers are unreachable. In order to circumvent يراوغthis,
several packets are sent to the target machine (so as to) لكي sample sequence
numbers. While not the case today, machines in the past used basic techniques for
generating sequence numbers. It was relatively easy to discover the exact formula
by studying packets and TCP sessions. Today, most OSs implement random
sequence number generation, making it difficult to predict them accurately. If,
however, the sequence number was compromised, data could be sent to the target.
Several years ago, many machines used host-based authentication services. A
properly crafted attack could add the requisite data to a system (i.e. a new user
account), blindly, enabling full access for the attacker who was impersonating a
trusted host .ماذا يعني هذا الكالم
2-4-1 Man in the Middle Attack Both types of spoofing are forms of a common security violation known as a man in
the middle (MITM) attack. In this attacks, a malicious party intercepts يعترض a
legitimate communication between two friendly parties . The malicious host
then controls the flow of communication and can eliminate or alter the
information sent by one of the original participants المشاركين without the
knowledge of either the original sender or the recipient المستلم.
![Page 13: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/13.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
25
2-4-2 Legitimate uses of IP spoofing
Spoofed IP packets are not always evidence of malicious intent الغراض االيذاء, in
performance testing of websites, hundreds or even thousands of "users"
(virtual users) may be created, each executing a test script خطوات برمجية against
the Web Site under test, in order to simulate الجراء محاكاة what will happen when
the system goes "live" and a large number of users log on at once.
Since each user will normally have its own IP address, commercial testing products
(such as HP's Loadrunner software) can use IP spoofing, allowing each user its own
"return address" as well.
Q: What is HP's Loadrunner software?
2-4-3 How do you detect spoofed IPs?
It depends on what part of the network path you're talking about.
1- Near the final host, it is very difficult: you more or less have to have a way
to do the vet يدقق for each and every packet that arrives.
2- At or near the source of the traffic: it is much easier, you simply drop
every packet that has a source address that isn't part of the networks that
you connected to it.
3- In between, you could filter traffic using in/egress دخول والخروج rules
In computer networking, egress filtering is the practice of monitoring and
potentially restricting the flow of information outbound from one network to
another.
TCP/IP packets that are being sent out of the internal network are examined
via a router, firewall, or similar edge device. Packets that do not meet security
policies are not allowed to leave - they are denied.
![Page 14: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/14.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
26
Egress filtering helps ensure that unauthorized or malicious traffic never leaves
the internal network.
Q Why egrees used in security?
2-5 Defending Against Spoofing مهمة جدا
There are a few precautions تحوطات that can be taken to limit لتحديد IP spoofing risks
on your network, such as:
1- Filtering at the Router - Implementing ingress ولوج دخول and egress
filtering on your border routers is a great place to start your spoofingخروج
defense. You will need to implement تنفيذan ACL (access control list) that
blocks private IP addresses on your downstream interface واجهة قدوم البيانات.
Additionally, this interface should not accept addresses with your internal range as
the source, as this is a common شائع spoofing technique used to circumvent
اجهة خروج البياناتو firewalls. On the upstream interfaceتجنب , you should restrict تحديد
source addresses outside of your valid range, which will prevent someone on your
network from sending spoofed traffic to the Internet.
2- Consider an ISP; from the ISP point of view, there are two sorts of IP
addresses: its addresses (i.e. the one it grants to its customers), and the rest of
the World. In the ISP routers, packets with a "external" source address should
be seen as incoming packets (coming from the outside), not as outgoing
packets; and vice versa for packets with an "internal" source address. If one
of the ISP customer sends a packet with a spoofed external address, this will
show up as an outgoing packet, coming from the inside, but with an external
source address; the ISP routers will find such an occurrence anomalous شاذة
and may report it. The ISP can then further track down such packets down its
infrastructure and thus pinpoint يحدد بدققه the culprit (causer, intiator المسبب).
![Page 15: 2-1 Spoofing and Sniffing - uomustansiriyah.edu.iq11_40... · e-mail spoofing occurs when imposters are able to deliver emails by altering emails' sender information. Although this](https://reader031.vdocuments.pub/reader031/viewer/2022020215/5b5d83427f8b9aa1428e4fb9/html5/thumbnails/15.jpg)
Topic 2 Spoofing & Sniffing Fourth Stage 2017-2018
27
3- Encryption and Authentication - Implementing encryption and
authentication will also reduce spoofing threats. Both of these features are
included in Ipv6, which will eliminate current spoofing threats.
4- Eliminate all host-based authentication measures, which are sometimes
common for machines on the same subnet. Ensure that the proper
authentication measures are in place and carried out over a secure (encrypted)
channel.
5- Upper layers - تم شرحها وتوضيحها سابقا
some upper layer protocols provide their own defense against IP spoofing
attacks. For example, Transmission Control Protocol (TCP) uses sequence
numbers negotiated يتناقش او يتفاوض with the remote machine to ensure
that arriving packets are part of an established connection. Since the
attacker normally can't see any reply packets, the sequence number must
be guessed in order to hijack the connection. The poor implementation in
many older operating systems and network devices, however, means that
TCP sequence numbers can be predicted.
References Tanase, M. (2003). IP Spoofing: An Introduction. http://www.symantec.com/connect/articles/ip-spoofing-
introduction.