ARP Vulnerabilities: Indefensible Local Network Attacks?
Mike Beekey, Black Hat Briefings '01
(transcript of a 51-slide deck; slide 1 is the title slide)

Slide 2: Overview
• ARP Refresher
• ARP Vulnerabilities
• Types of Attacks
• Vulnerable Systems
• Countermeasures
• Detection
• Tools and Utilities
• Demonstrations

Slide 3: ARP Refresher (section title)

Slide 4: ARP Message Formats
• ARP packets provide the mapping between hardware-layer and protocol-layer addresses
• 28-byte header for an IPv4 Ethernet network
  – 8 bytes of ARP data
  – 20 bytes of Ethernet/IP address data
• 6 ARP messages
  – ARP request and reply
  – ARP reverse request and reply
  – ARP inverse request and reply

Slide 5: ARP Request Message
• Source contains the initiating system's MAC address and IP address
• Destination contains the broadcast MAC address ff.ff.ff.ff.ff.ff

Slide 6: ARP Reply Message
• Source contains the replying system's MAC address and IP address
• Destination contains the requestor's MAC address and IP address

Slide 7: ARP Vulnerabilities (section title)

Slide 8: Unsolicited ARP Reply
• Any system can spoof a reply to an ARP request
• The receiving system will cache the reply
  – Overwrites the existing entry
  – Adds an entry if one does not exist
• Usually called ARP poisoning

Slide 9: Types of Attacks (section title)

Slide 10: Types of Attack
• Sniffing attacks
• Session hijacking / MiM (man-in-the-middle)
• Denial of service

Slide 11: Sniffing on a Hub
[Diagram: sniffer, source and destination all connected to a Cisco hub]

Slide 12: Switch Sniffing
• Normal switched networks
  – Switches relay traffic between two stations based on MAC addresses
  – Stations only see broadcast or multicast traffic
• Compromised switched networks
  – Attacker spoofs destination and source addresses
  – Forces all traffic between two stations through its system
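Added illustration, not code from the talk or its tools: a parser for the 28-byte Ethernet/IPv4 ARP header on slide 4, plus a small model of a receiver's cache that shows the overwrite-or-add behaviour from slide 8 next to a receiver that only accepts replies to requests it actually sent. The sample packets are constructed from the Relay Configuration addresses; the field names and the strict/pending mechanism are my own.

```python
import struct

# ARP opcodes for the six message types the slides list (RFC 826, RFC 903, RFC 2390)
OPCODES = {1: "request", 2: "reply", 3: "rarp-request", 4: "rarp-reply",
           8: "inarp-request", 9: "inarp-reply"}
# 8 bytes of ARP data + 20 bytes of Ethernet/IP addresses = the 28-byte header on slide 4
ARP_FMT = "!HHBBH6s4s6s4s"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP header (the bytes after the Ethernet frame header)."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in OPCODES:
        raise ValueError(f"unknown ARP opcode {op}")
    return {"op": OPCODES[op], "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def update_cache(cache, pkt, pending, strict):
    """Model a receiver's ARP cache. strict=False is the behaviour of the vulnerable
    OSes on slide 29: any reply is cached, overwriting or adding an entry.
    strict=True only accepts a reply for an IP this host has an outstanding request
    for; pending is the set of IPs the host has asked about. Returns True on change."""
    if pkt["op"] != "reply":
        return False
    ip, mac = pkt["sender_ip"], pkt["sender_mac"]
    if strict and ip not in pending:
        return False          # unsolicited reply: ignore it
    pending.discard(ip)
    changed = cache.get(ip) != mac
    cache[ip] = mac
    return changed

# Constructed sample packets using the Relay Configuration addresses
# (Alice 0:c:3b:1c:2f:1b/10.1.1.2, Bob 0:c:3b:9:4d:8/10.1.1.7, attacker 0:c:3b:1a:7c:ef).
REQUEST = bytes.fromhex("0001080006040001" "000c3b1c2f1b0a010102" "0000000000000a010107")
REAL_REPLY = bytes.fromhex("0001080006040002" "000c3b094d080a010107" "000c3b1c2f1b0a010102")
SPOOFED_REPLY = bytes.fromhex("0001080006040002" "000c3b1a7cef0a010107" "000c3b1c2f1b0a010102")
```

The strict check only rejects replies that answer no request; a spoofed reply that races the real one (slides 13 and 14) still passes it, which is why the deck turns to port security, hard-coded entries and detection.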
Slide 13: Host to Host Exploit
[Diagram: client (C) broadcasts an ARP request; server (S) sends the real ARP reply; the hostile host sends a spoofed ARP reply to C and a spoofed ARP reply to S]

Slide 14: Host to Router Exploit
[Diagram: client (C) broadcasts an ARP request; the gateway router (R, Cisco) sends the real ARP reply; the hostile host sends a spoofed ARP reply to C and a spoofed ARP reply to R]

Slide 15: Relay Configuration
[Diagram]
Attacker: 0:c:3b:1a:7c:ef - 10.1.1.10
Alice:    0:c:3b:1c:2f:1b - 10.1.1.2
Bob:      0:c:3b:9:4d:8 - 10.1.1.7
Poisoned cache entries: at Alice, 10.1.1.7 maps to 0:c:3b:1a:7c:ef; at Bob, 10.1.1.2 maps to 0:c:3b:1a:7c:ef

Slide 16: Relay Configuration (cont.)
[Diagram: sniffer, source and destination connected to a Cisco switch]

Slide 17: Sniffing Comments
• Depending on traffic content, the attacker does NOT have to successively corrupt the cache of both endpoints
• Useful when "true" permanent ARP entries are used or the OS is not vulnerable to corruption

Slide 18: Session Hijacking/MiM
• Natural extension of the sniffing capability
• "Easier" than standard hijacking
  – Don't have to deal with duplicate/un-sync'd packets arriving at destination and source
  – Avoids packet storms

Slide 19: Denial of Service
• Spoofing the destination MAC address of a connection will prevent the intended source from receiving/accepting it
• Benefits
  – No protocol limitation
  – Eliminates synchronization issues
• Examples
  – UDP DoS
  – TCP connection killing instead of using RSTs

Slide 20: DoS MAC Entries
[Diagram]
Attacker: 0:c:3b:1a:7c:ef - 10.1.1.10
Alice:    0:c:3b:1c:2f:1b - 10.1.1.2
Bob:      0:c:3b:9:4d:8 - 10.1.1.7
Cache entries: at Alice, 10.1.1.7 maps to the bogus a:b:c:1:2:3; at Bob, 10.1.1.2 still maps to the correct 0:c:3b:1c:2f:1b

Slide 21: Denial of Service Examples (section title)

Slide 22: Web Surfing
• Web surfers require the gateway router to reach the Internet
• Method
  – Identify the surfer's MAC address
  – Change their cached gateway MAC address (or DNS MAC address if local) to "something else"

Slide 23: Network-based IDS
• Poorly constructed (single-homed) IDS network systems relay auditing data/alerts to management/admin consoles
• Method
  – Identify the local IDS network engine
  – Modify the gateway MAC address
  – Modify the console/management station address

Slide 24: Hostile Users
• An attacker continuously probing/scanning either your system or another target
• Method
  – Scanning you
  – Scanning a system under your protection

Slide 25: Switch Attacks
• Certain attacks may overflow the switch's ARP tables
• Method
  – A MAC address is composed of six bytes, which is equivalent to 2^48 possible addresses
  – See how many randomly generated ARP replies or ARP requests it takes before the switch "fails"

Slide 26: Switch Attacks (cont.)
• Switches may
  – Fail open: the switch actually becomes a hub
  – Fail: no traffic passes through the switch, requiring a hard or soft reboot

Slide 27: Network "Bombs"
• "Hidden" application installed on a compromised system
• Method
  – Passively or actively collects ARP entries
  – Attacker specifies a timeout or future time
  – Application transmits false ARP entries to its list

Slide 28: Vulnerable Systems (section title)

Slide 29: Operating Systems
• Windows 95
• Windows 98
• Windows NT
• Windows 2000
• AIX 4.3
• HP 10.2
• Linux RedHat 7.0
• FreeBSD 4.2
• Cisco IOS 11.1
• Netgear

Slide 30: Not Vulnerable
• Sun Solaris 2.8
  – Appears to resist cache poisoning

Slide 31: Countermeasures (section title)

Slide 32: Firewalls
• Most "personal" firewalls are not capable of defending against or correctly identifying attacks below the IP level
• UNIX
  – ipfw
  – ipf (IP Filter)
• Windows environments
  – Network Ice/Black Ice

Slide 33: Session Encryption
• Examples
  – Establishing VPNs between networks or systems
  – Using application-level encryption
• Effects
  – Prevents disclosure attacks
  – Will not prevent DoS attacks

Slide 34: Strong Authentication
• Examples
  – One-time passwords
  – Certificates
• Effects
  – None on disclosure attacks
  – None on DoS attacks

Slide 35: Port Security
• Cisco switches
  – set port security ?/? enable <MAC address>
  – Restricts source MAC addresses
    • Hard-coded ones
    • "Learned" ones
  – Ability to set timeouts
  – Ability to generate traps
  – Ability to "shutdown" the violating port

Slide 36: Port Security (cont.)
• Issues
  – Only restricts source MAC addresses
  – Will not prevent ARP relay attacks
  – Will only prevent ARP source spoofing attacks

Slide 37: Hard Coding Addresses
• Example
  – Individual systems can hard code the corresponding MAC address of another system/address
• Issues
  – Management nightmare
  – Not scalable
  – Not supported by some OS vendors

Slide 38: Hard Coding Results
Operating System    Results
Windows 95          FAIL
Windows 98          FAIL
Windows NT          FAIL
Windows 2000        FAIL
Linux RedHat 7.0    YES
FreeBSD 4.2         YES
Solaris 2.8         YES

Slide 39: Countermeasure Summary
Matrix of attack types (columns: Sniffing, Session Hijacking, Denial of Service) against countermeasures (rows: Firewalls, Session Encryption, Strong Authentication, Port Security, Hard Coding); the cell marks are not present in the transcript.

Slide 40: Detection (section title)

Slide 41: IDS Architecture Issues
[Two diagrams: a management console and a network monitor on the monitored network alongside a critical server; then the same layout with a hostile system present on the monitored network]

Slide 42: OS Level Detection
Operating System    Detection
Windows 95          NO
Windows 98          NO
Windows NT          NO
Windows 2000        NO
Linux RedHat 7.0    NO
FreeBSD 4.2         YES

Slide 43: Hypothetical Detection Application
• Purpose
  – Track and maintain ARP/IP pairings
  – Identify non-standard ARP replies versus acceptable ones
• Timeout issues
  – The OS must withstand corruption itself
  – Fix broken ARP entries of systems
    • Transmission of correct ARP replies

Slide 44: Tools and Utilities (section title)

Slide 45: Public Domain Tools
• Manipulation
  – Dsniff 2.3
  – Hunt 1.5
  – Growing number of others
• Local monitoring
  – Arpwatch 1.11

Slide 46: Bibliography
• Finlayson, Mann, Mogul, Theimer, RFC 903, "A Reverse Address Resolution Protocol," June 1984
• Kra, Hunt 1.5, http://www.gncz.cz/kra/index.html, Copyright 2000
• Lawrence Berkeley National Laboratory, Network Research Group, Arpwatch 1.11, ftp://ftp.ee.lbl.gov/arpwatch.tar.Z, Copyright 1996
• Plummer, David C., RFC 826, "An Ethernet Address Resolution Protocol," November 1982
• Russell, Ryan and Cunningham, Stace, "Hack Proofing Your Network," Syngress Publishing Inc, Copyright 2000
• Song, Dug, Dsniff 2.3, http://www.monkey.org/~dugsong/, Copyright 2000

Slide 47: Demonstrations (section title)

Slide 48: Demo Environment
[Diagram: Cisco switch with an 802.11b segment; hosts 172.16.10.40 (FreeBSD/Win2k), 172.16.10.30 (Linux Redhat), 172.16.10.25 (FreeBSD 4.2) and 172.16.10.133 (Win2k)]

Slide 49: Demonstration Tools
• rfarp 1.1
  – Provides ARP relay capability and packet dump for two selected stations
  – Corrects MAC entries upon exiting
• farp 1.1b
  – Passive and active collection of ARP messages
  – DoS attacks on single hosts
  – DoS attacks on the entire collection
  – Arbitrary and manual input of spoofed MAC addresses

Slide 50: ARP Attacks
• Disclosure attacks
  – ARP relaying for a single target
  – Sniffing attacks
• DoS related
  – Port scan defense
  – DoS attacks on a single host, group, or subnet

Slide 51: Questions
Mike Beekey
[email protected]
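A sketch, added here and not part of the talk or of farp, rfarp or arpwatch, of the monitor that slide 43 describes: it keeps the IP/MAC pairings it sees, matches each reply to a request that preceded it, and flags unsolicited replies, changed pairings and one MAC answering for several IPs, run over a constructed message stream built from the slide 15 addresses. It assumes the monitor sees the unicast replies (it runs on the host itself or behind a mirror port); the message tuple layout and alert texts are my own.

```python
from collections import defaultdict

# A parsed ARP message is (opcode, sender_mac, sender_ip, target_mac, target_ip).

class ArpMonitor:
    """Track IP/MAC pairings seen on the segment and flag replies that do not fit,
    in the spirit of slide 43 and of arpwatch (slide 45)."""

    def __init__(self):
        self.pairings = {}                   # ip -> mac most recently claimed in a reply
        self.pending = set()                 # (asking ip, asked-for ip) awaiting a reply
        self.ips_per_mac = defaultdict(set)  # mac -> set of IPs it has claimed
        self.alerts = []

    def observe(self, msg):
        op, smac, sip, tmac, tip = msg
        if op == "request":
            self.pending.add((sip, tip))
            return
        if op != "reply":
            return
        # A reply should answer a request we saw: the target asked for the sender's IP.
        if (tip, sip) in self.pending:
            self.pending.discard((tip, sip))
        else:
            self.alerts.append(f"unsolicited reply: {sip} is-at {smac}, sent to {tip}")
        old = self.pairings.get(sip)
        if old is not None and old != smac:
            self.alerts.append(f"changed pairing: {sip} was {old}, now {smac}")
        self.pairings[sip] = smac
        self.ips_per_mac[smac].add(sip)
        if len(self.ips_per_mac[smac]) > 1:
            # Relay pattern from slide 15: one station answering for two IPs.
            # Proxy ARP and failover setups do this legitimately, so baseline first.
            self.alerts.append(f"{smac} claims {sorted(self.ips_per_mac[smac])}")

def run_monitor(messages):
    mon = ArpMonitor()
    for msg in messages:
        mon.observe(msg)
    return mon

# Constructed sample stream using the slide 15 addresses: a legitimate exchange
# between Alice and Bob, then the two spoofed replies that set up the relay.
SAMPLE = [
    ("request", "0:c:3b:1c:2f:1b", "10.1.1.2", "0:0:0:0:0:0", "10.1.1.7"),
    ("reply", "0:c:3b:9:4d:8", "10.1.1.7", "0:c:3b:1c:2f:1b", "10.1.1.2"),
    ("reply", "0:c:3b:1a:7c:ef", "10.1.1.7", "0:c:3b:1c:2f:1b", "10.1.1.2"),
    ("reply", "0:c:3b:1a:7c:ef", "10.1.1.2", "0:c:3b:9:4d:8", "10.1.1.7"),
]
```

As slide 41 points out, a monitor that is itself on the monitored segment can be cut off from its console by the same attack, so its alerts need an out-of-band path or a second interface.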