Network security: Man-in-the-middle (MITM) attacks
Ravi Kumar Purbey (@TheRavikr)

Page 2

Why Network Security?

Computers play a dominant role in today's world. Whether you are at work, studying at college or school, or relaxing at home, you will almost certainly switch on a computer or some related device, and the spread of the Internet makes computers more important still. Everything that runs over a network can be read or altered on the way, which is why network security matters.

Page 3

Different types of attack

• Denial of service
• Man in the middle
• SQL injection
• Script attacks
• Buffer overflows
• Logic bombs
• etc.


Page 5

What is MITM?

A man-in-the-middle (MITM) attack is a form of eavesdropping in which the communication between two parties is relayed through, read and possibly modified by an unauthorized third party, while each party believes it is talking directly to the other. The classic example targets an unauthenticated key exchange: the attacker intercepts the public keys the two parties send each other and forwards his own key in place of each, so that he can decrypt, read and re-encrypt everything that follows.

Page 6

MITM attack is also known as:

• Bucket-brigade attack
• Fire brigade attack
• Monkey-in-the-middle attack
• Session hijacking
• TCP hijacking
• TCP session hijacking

Strictly, session hijacking and TCP hijacking are related attacks in which the attacker takes over an existing connection rather than relaying it; the slides use the names interchangeably.

Page 7

Name Origin:

The name "Man-in-the-Middle" comes from the ball game in which two players try to pass a ball to each other while a third player standing between them tries to grab it (hence also "monkey-in-the-middle"). MITM attacks are sometimes called "bucket brigade attacks" or "fire brigade attacks"; those names come from the fire brigade practice of dousing a fire by passing buckets from person to person between the water source and the fire, with every bucket going through the hands in the middle.

Page 8

How Does It Work?

Man in the middle is known to most practitioners as "session hijacking" and to the general public simply as "hijacking". The attackers target specific data about transactions carried out on computers: anything from an e-mail to a bank transaction. With that target chosen, they begin investigating the party of interest.

Page 9

How Does It Work? (diagram)

Page 10

A BASIC ILLUSTRATION

An attacker puts up a fake bank website and entices the user to it. The user types in his password, and the attacker uses it to log in to the bank's real website. Done right, the user never realizes he isn't at the bank's site. The attacker then either disconnects the user and makes whatever fraudulent transactions he wants, or relays the user's own banking transactions while making his own at the same time. This works only while the user cannot tell the fake site from the real one, which is why checking the site's TLS certificate and hostname matters.

Page 11

A BASIC ILLUSTRATION (diagram)

Page 12

MITM TECHNIQUES

The techniques used for MITM attacks can be classified by the network environment in which they apply:

• Local Area Network
• From Local to Remote (through a gateway)
• Remote

Page 13

Local Area Network Attack

ARP poisoning, also known as ARP spoofing or ARP Poison Routing: ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a LAN and has no authentication, so any host can answer for any IP. The attacker sends forged ARP replies so that directly connected hosts cache the attacker's MAC address for the victim's (or the gateway's) IP address. Frames meant for the victim then arrive at the attacker, who can sniff them, modify them and forward them on; in effect the attacker has taken over the victim's IP address on the LAN.
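Below is an added example (not from the slides) showing what a forged ARP reply looks like on the wire and how an arpwatch-style monitor spots the poisoning. The frame builder, the parser and the ArpWatch class are this example's own; the MAC and IP addresses (10.1.1.1, 10.1.1.50, 00:11:22:33:44:01, de:ad:be:ef:00:01) are made up.

```python
"""Forged ARP reply construction and an arpwatch-style detector.

Added example, not from the original slides. MAC and IP addresses are
made up. Frames are built with struct, so no scapy or raw sockets are
needed and the code runs offline.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + 28-byte ARP body (42 bytes total).

    A poisoner sends a reply with sender_ip = the gateway's IP and
    sender_mac = its own MAC; the target caches the bogus binding and
    starts sending its outbound traffic to the attacker.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # hw=Ethernet, proto=IPv4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _hrd, _pro, hln, pln, op = struct.unpack("!HHBBH", frame[14:22])
    if hln != 6 or pln != 4:
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip


class ArpWatch:
    """Keep the first MAC seen for each IP and alert when a later frame disagrees.

    Requests are tracked too: the sender fields of a request also carry an
    IP/MAC binding, and gratuitous ARP is often sent as a request.
    """

    def __init__(self):
        self.bindings = {}   # ip -> mac
        self.alerts = []

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _op, mac, ip = parsed
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
            return None
        if known != mac:
            alert = f"ARP binding change for {ip}: {known} -> {mac}"
            self.alerts.append(alert)
            return alert
        return None


GATEWAY_IP, GATEWAY_MAC = "10.1.1.1", "00:11:22:33:44:01"     # made up
VICTIM_IP, VICTIM_MAC = "10.1.1.50", "00:11:22:33:44:50"      # made up
ATTACKER_MAC = "de:ad:be:ef:00:01"                            # made up


def demo():
    """Legitimate reply first, then the poisoner's forged reply for the same IP."""
    watch = ArpWatch()
    legit = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    forged = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    first = watch.observe(legit)    # learned silently
    second = watch.observe(forged)  # same IP, different MAC: alert
    return first, second


if __name__ == "__main__":
    print(demo())
```

The first reply for 10.1.1.1 is learned, the second one from a different MAC is flagged. This is the check arpwatch performs passively; static ARP entries for the gateway, or dynamic ARP inspection on the switch, stop the poisoned entry from being accepted in the first place.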

Page 14

Local Area Network Attack

DNS spoofing: on a LAN the attacker can sniff the transaction ID of any DNS request the victim sends, then send a forged reply carrying that ID before the real DNS server answers. The client accepts the first reply whose ID matches and discards the genuine one when it arrives later.

Page 15

MITM TECHNIQUES (diagram: DNS spoofing on the LAN, with the host at 10.1.1.50, the DNS server X.localdomain.in, and the MITM at 10.1.1.1)

Page 16

Local Area Network Attack

IP address spoofing: the attacker creates IP packets with a forged source IP address in order to conceal the identity of the sender or to impersonate another computer system. (Against a remote system this is difficult, because the attacker never sees the replies to the forged packets and has to predict, for example, the TCP sequence numbers the victim will use. The attack is most effective where the endpoints trust each other on the basis of source IP address alone.)

Page 17

Local Area Network Attack

Port stealing: the MITM technique used to corrupt the switch forwarding database (FDB) and usurp the victim host's switch port for packet sniffing on Layer 2 switched networks. The attacker floods the switch with forged frames (the slides use ARP packets) whose source MAC address is the victim's and whose destination MAC address is the attacker's own, so the switch re-learns the victim's MAC on the attacker's port and delivers the victim's frames there. To keep the victim's connection alive the attacker then sends an ARP request for the victim's IP, which makes the victim answer and the switch re-learn its real port, and forwards the stolen frame.
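Added example, not from the slides: a model of the switch's MAC learning that reproduces the theft and shows why port security stops it. The LearningSwitch class, the MAC addresses and the port numbers are this example's own assumptions; a real attacker forges Ethernet frames, but the model only needs the source MAC and the ingress port, which is all a switch looks at when it learns.

```python
"""Learning-switch model showing port stealing and port security.

Added example, not from the original slides; MAC addresses and port
numbers are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str
    dst: str
    ingress_port: int


@dataclass
class LearningSwitch:
    port_security: bool = False
    fdb: dict = field(default_factory=dict)      # mac -> port (forwarding database)
    sticky: dict = field(default_factory=dict)   # port -> first MAC learned (port security)
    dropped: list = field(default_factory=list)

    def learn(self, frame: Frame) -> bool:
        """Update the FDB from the frame's source MAC.

        With port security a MAC may only live on the port that first learned
        it, and each port accepts only its first MAC; violations are dropped.
        """
        if self.port_security:
            owner = next((p for p, m in self.sticky.items() if m == frame.src), None)
            if owner is not None and owner != frame.ingress_port:
                self.dropped.append(frame)
                return False
            pinned = self.sticky.setdefault(frame.ingress_port, frame.src)
            if pinned != frame.src:
                self.dropped.append(frame)
                return False
        self.fdb[frame.src] = frame.ingress_port
        return True

    def forward(self, frame: Frame):
        """Return the egress port, "flood" for an unknown destination,
        or "drop" when port security rejects the frame."""
        if not self.learn(frame):
            return "drop"
        return self.fdb.get(frame.dst, "flood")


HOST_A, HOST_B, ATTACKER = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"


def port_stealing(port_security: bool = False):
    """A on port 1, B on port 2, attacker on port 3. Returns where the switch
    sends A's next frame for B after the attacker forges frames from B's MAC."""
    sw = LearningSwitch(port_security=port_security)
    sw.forward(Frame(HOST_A, HOST_B, 1))
    sw.forward(Frame(HOST_B, HOST_A, 2))
    sw.forward(Frame(ATTACKER, HOST_A, 3))
    # The theft: frames with B's MAC as source arriving on the attacker's port,
    # addressed to the attacker itself so they do not reach anyone else.
    for _ in range(3):
        sw.forward(Frame(HOST_B, ATTACKER, 3))
    return sw.forward(Frame(HOST_A, HOST_B, 1))


if __name__ == "__main__":
    print("without port security, A->B goes to port", port_stealing(False))
    print("with port security, A->B goes to port", port_stealing(True))
```

Without port security the FDB entry for B moves to port 3 and A's frames for B are delivered to the attacker; with the sticky-MAC rule the forged frames are dropped and the entry stays on port 2. Real switches implement this as port security with a per-port MAC limit.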

Page 18

Local Area Network Attack (diagram: hosts A and B and the attacker on ports 1, 2 and 3 of a Layer 2 switch; the attacker sends forged gratuitous ARP frames)

Page 19

From Local to Remote (through a gateway)

DHCP spoofing: DHCP requests are broadcast. If the attacker's rogue DHCP server replies before the real DHCP server, it can dictate:

• the IP address of the victim
• the gateway (GW) address assigned to the victim
• the DNS server address

Page 20

From Local to Remote (through a gateway)

IRDP spoofing: IRDP (ICMP Router Discovery Protocol) lets hosts learn their default router from router advertisements. The attacker forges advertisements pretending to be the LAN's router, setting the "preference level" and the "lifetime" to high values to be sure the hosts choose it as their preferred router.

Page 21

From Local to Remote (through a gateway)

Route mangling: the attacker forges routing-protocol packets for the gateway (GW), pretending to be a router with a better metric for a specified host on the Internet, so the gateway sends that host's traffic through the attacker.

(diagram: host H, gateway GW, attacker AT, Internet)

Page 22

REMOTE ATTACK

DNS poisoning

Type 1 attack
• The attacker sends a request to the victim DNS server asking for one host.
• The attacker spoofs the reply that is expected to come from the real (authoritative) DNS server.
• The spoofed reply must carry the correct transaction ID (brute force or semi-blind guessing).

Type 2 attack
• The attacker sends a "dynamic update" to the victim DNS server.
• If the server processes it, the result is even worse, because the server is then authoritative for those entries.
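Added example covering both the LAN DNS spoofing slide (Page 14) and the remote Type 1 attack above; it is not from the slides. It builds wire-format DNS queries and A-record answers and shows that a forged answer gets through only when the attacker reproduces every field the resolver checks: the transaction ID (sniffable on a LAN, a 1-in-65536 guess remotely), the question, and the source address and destination port of the outstanding query. The Resolver class, bank.example, 10.1.1.2 and 10.1.1.66 are this example's own assumptions.

```python
"""DNS answer forgery and the checks a resolver applies before accepting one.

Added example, not from the original slides. Names, addresses and ports
are made up; everything is built with struct and runs offline.
"""
import random
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(msg, pointer)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode())
        offset += length


def build_query(txid: int, qname: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_answer(txid: int, qname: str, ip: str, ttl: int = 3600) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; one answer
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)  # name -> offset 12
    rr += bytes(int(x) for x in ip.split("."))
    return header + question + rr


def parse_answer(msg: bytes):
    """Return (txid, qname, answer_ip) for a single-A-record response."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                              # qtype, qclass
    if an < 1:
        return txid, qname, None
    _name, off = decode_name(msg, off)
    _t, _c, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    return txid, qname, ".".join(str(b) for b in msg[off:off + rdlen])


class Resolver:
    """Tracks one outstanding query and accepts a reply only if the server
    address, ports, transaction ID and question all match it."""

    def __init__(self, server_ip: str, seed: int = 0):
        self.server_ip = server_ip
        self.rng = random.Random(seed)   # seeded only so the example is reproducible
        self.pending = None

    def send_query(self, qname: str):
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 65536)           # randomised source port
        self.pending = (txid, qname.lower(), port)
        return build_query(txid, qname), port

    def accept(self, reply: bytes, from_ip: str, from_port: int, to_port: int):
        txid, qname, ip = parse_answer(reply)
        expect_txid, expect_name, expect_port = self.pending
        ok = (from_ip == self.server_ip and from_port == 53 and to_port == expect_port
              and txid == expect_txid and qname.lower() == expect_name)
        return ip if ok else None


def spoof_attempts():
    """LAN attacker who sniffed the query versus a remote attacker who must guess."""
    r = Resolver("10.1.1.2")
    query, port = r.send_query("bank.example")
    txid = struct.unpack("!H", query[:2])[0]
    evil = "10.1.1.66"
    sniffed = r.accept(build_answer(txid, "bank.example", evil), "10.1.1.2", 53, port)
    guessed = r.accept(build_answer((txid + 1) & 0xFFFF, "bank.example", evil), "10.1.1.2", 53, port)
    wrong_port = r.accept(build_answer(txid, "bank.example", evil), "10.1.1.2", 53, (port + 1) & 0xFFFF)
    return sniffed, guessed, wrong_port


if __name__ == "__main__":
    print(spoof_attempts())
```

The sniffed reply is accepted (the LAN case), a reply with a wrong ID or a wrong destination port is not. A remote attacker who cannot sniff must also spoof the server's source address, which is where the IP spoofing technique from Page 16 comes in, and must hit both the 16-bit ID and the randomised port; fixed source ports and sequential IDs collapse that search to the ID alone, which is why resolvers randomise both, and DNSSEC removes the guessing game entirely.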

Page 23

REMOTE: Traffic tunneling (diagram: client, gateway, Router 1, Internet and server; the attacker's fake host pulls the traffic through a GRE tunnel)

Page 24

REMOTE: Traffic tunneling

Route mangling revisited: the attacker aims to hijack the traffic between two victims A and B. First the attacker collects information about the path between them through:

• traceroute
• port scanning
• protocol scanning

Page 25

REMOTE: Traffic tunneling

Scenario 1a (IGRP inside the AS): the attacker pretends to be the gateway between A and B, with routers R1 and R2 on the path (diagram)

Page 26

REMOTE: Traffic tunneling

Scenario 1b (IGRP inside the AS): A and B with routers R1, R2 and R3 on the path (diagram)

Page 27

MITM Tools For Hacking

• dsniff: a tool for SSH and SSL MITM attacks
• Cain: a Windows GUI tool which can perform MITM attacks, along with sniffing and ARP poisoning
• Ettercap: a tool for LAN-based MITM attacks
• Karma: a tool that uses 802.11 Evil Twin attacks to perform MITM attacks
• AirJack: a tool that demonstrates 802.11-based MITM attacks
• wsniff: a tool for 802.11 HTTP/HTTPS-based MITM attacks
• Hardware: an additional card reader and a method to intercept key presses on an automated teller machine

Page 28

Conclusions

The security of a connection relies on:
• proper configuration of the client (ignoring ICMP Redirects, guarding against ARP poisoning, etc.);
• the infrastructure at the other endpoint (e.g. whether its DNS accepts dynamic updates);
• the strength of third-party appliances to which we have no access (e.g. against tunneling and route mangling).

The best way to ensure secure communication is the correct and conscious use of cryptographic systems:
• on both the client and the server side;
• at the network layer (e.g. IPsec);
• at the transport layer (e.g. TLS, the successor of SSLv3, which is now obsolete);
• at the application layer (e.g. PGP).

Cryptography defeats a man in the middle only if the endpoints authenticate each other; a client that accepts any certificate or key is still exposed.

Page 29

Thanks

Ravi Kumar Purbey

@TheRavikr
Fb.com/[email protected]

www.ravikumarpurbey.com
