Security Vulnerabilities
Security Problems in the TCP/IP Protocol Suite
Attacks on Different Layers
IP Attacks
ICMP Attacks
Routing Attacks
TCP Attacks
Hijacking
Trojans
routing, etc
Prevention of Sniffing
Avoid unencrypted password transmission
Kerberos
PGP public keys
Eavesdropping tools
Network intruders can use Internet tools, such as the nslookup and whois utilities, to easily determine the IP address space assigned to a given organization or network.
Simple tools like Wireshark and CommView can be used to sniff network traffic; this is especially handy in Wi-Fi networks.
There are automated ping sweep tools an attacker can use, such as fping, pinger or hping; these tools methodically ping all network addresses in a given range or subnet.
The intruder or attacker then uses a port scanner (Nmap or SuperScan, software designed to search a network host for open ports) to determine which network services or ports are active on the live IP addresses.
Screenshots: nslookup/whois lookups for bci.edu.pk and google.com; CommView; Wireshark; ping sweep; port scan …
Network Attacks
Reconnaissance
Sniffing / Eavesdropping / Mapping
Access Control
Spoofing
Hijacking
Trojans
IP route spoofing
ICMP spoofing
DNS spoofing
TCP/IP datagram spoofing
Spoofing & OSI
Penetration techniques exploit any and all levels of the model; attacks vary based upon the vulnerability at that level.
Layer diagram (top to bottom): TCP socket; IP; DNS; IP, ARP; Physical Ethernet.
Hardware Address Spoofing
When a packet is received on Ethernet, the source address is assumed to be valid.
However, most NICs have the ability to use software-controlled hardware addresses, so an address can be faked, e.g., 01-01-01-01-01-01 or 12-34-56-78-90-AB.
Tools: SMAC (freeware); Technitium MAC Address Changer 5.0 R3; changing the MAC via the system registry (Windows XP).
ARP Introduction
ARP is a low-level network protocol that operates at Layer 2 of the OSI model and is usually implemented in the device drivers of network operating systems.
It is used by the Internet Protocol (IP), specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol.
ARP packets are one of the most frequent packets found on a local area network.
When ARP is Used
For two hosts on the same network and one host
desires to send a packet to the other
For two hosts on different networks while using a
gateway/router
ARP OPERATION
1. Get IP address of target.
2. Create a request ARP message
– Fill sender physical address
– Fill sender IP address
– Fill target IP address
– Target physical address is filled with 0
3. The message is passed to the data link layer where it
is encapsulated in a frame.
– Source address: physical address of the sender.
– Destination address: broadcast address.
4. Every host or router on the LAN receives the frame.
– All stations pass it to ARP.
– All machines except the one targeted drop the packet.
5. The target machine replies with an ARP message that
contains its physical address.
– A unicast message.
6. The sender receives the reply message and knows
the physical address of the target machine.
ARP Packet Format
Format of an ARP request or reply packet when used on Ethernet (field: size in bytes), following the Ethernet header:
hard type: 2
prot type: 2
hard size: 1
prot size: 1
op: 2
sender Ethernet addr: 6
sender IP addr: 4
target Ethernet addr: 6
target IP addr: 4
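As an added example (not part of the original slides), the request/reply steps above and the field layout just listed, built and decoded with Python's struct module; MAC and IP values are constructed, and the six-byte MACs are assumed where the slides abbreviate them:

```python
import struct

ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"   # target hardware address in a request (step 2)
# Slide layout: hard type(2) prot type(2) hard size(1) prot size(1) op(2)
# sender eth(6) sender IP(4) target eth(6) target IP(4) = 28 bytes
ARP_FMT = "!HHBBH6s4s6s4s"
ETH_FMT = "!6s6sH"               # dst MAC, src MAC, ethertype = 14 bytes

def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def arp_body(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))

def arp_request_frame(sender_mac, sender_ip, target_ip):
    """Steps 2-3: target MAC is all zeros and the frame goes to the broadcast address."""
    eth = struct.pack(ETH_FMT, mac_to_bytes(BROADCAST_MAC), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    return eth + arp_body(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)

def arp_reply_frame(sender_mac, sender_ip, target_mac, target_ip):
    """Step 5: the reply is unicast to the requester's MAC."""
    eth = struct.pack(ETH_FMT, mac_to_bytes(target_mac), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    return eth + arp_body(ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip)

def parse_arp_frame(frame):
    """Decode a 42-byte Ethernet+ARP frame into named fields; rejects anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, etype = struct.unpack(ETH_FMT, frame[:14])
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {"eth_dst": bytes_to_mac(dst), "eth_src": bytes_to_mac(src), "op": op,
            "sender_mac": bytes_to_mac(smac), "sender_ip": bytes_to_ip(sip),
            "target_mac": bytes_to_mac(tmac), "target_ip": bytes_to_ip(tip)}
```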
Figure: Host A (204.240.18.10), Host B (204.240.18.20) and a router (204.240.18.1) on one network, with Host C (36.14.0.200) reached across the Internet.
Direct Routing: packets between hosts on the same network are sent directly using the MAC address of A.
Indirect Routing: packets for C are sent to the MAC address of the router. At the IP level, B is the source and C is the destination.
Some Facts about ARP
To avoid having to send an ARP request packet each
time, a host can cache the IP and the corresponding
host addresses in its ARP table (ARP cache).
Each entry in the ARP table is usually "aged" so that the contents are erased if no activity occurs within a certain period (on Windows XP the aging time is 2 to 10 min).
When a computer receives an ARP reply, it will update its ARP cache.
ARP is a stateless protocol: most operating systems will update their cache if a reply is received, regardless of whether they have sent out an actual request.
arp …
ARP Spoofing
Construct spoofed ARP replies.
By sending false ARP reply packets, the target computer can be convinced to send frames destined for computer A to computer B instead.
Computer A will have no idea that this redirection took place.
This process of updating a target computer's ARP cache is referred to as "ARP poisoning".
Figure: ARP spoofing on a switched LAN. Hosts A/T1 (IP 10.0.0.1, MAC aa:aa:aa:aa), B/T2 (IP 10.0.0.2, MAC bb:bb:bb:bb) and the Hacker (IP 10.0.0.3, MAC cc:cc:cc:cc) share one switch.
The hacker sends spoofed ARP replies claiming "IP 10.0.0.2 is at MAC cc:cc:cc:cc". A message intended for T1 now reaches the hacker, who relays the message on.
Figure: host A (10.10.10.1) browsing http://www.carleton.ca (134.117.1.60), with a spoofed sender posing as the partner. The victim observes: "Oops, a lot of replies without any request…"
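The stateless-cache fact above and the "replies without any request" observation are exactly what a passive monitor can key on. As an added example (not from the original slides), a small detector run over a constructed trace mirroring the T1 / T2 / Hacker scenario; the full six-byte MACs and the first-seen-binding heuristic are assumptions:

```python
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2

class ArpMonitor:
    """Passive ARP watcher: remembers outstanding requests, learns the IP->MAC
    binding each host announces about itself, and flags what a stateless ARP
    cache would silently accept: unrequested replies and changed bindings."""

    def __init__(self):
        self.pending = set()                 # (requester_ip, target_ip) awaiting a reply
        self.bindings = {}                   # ip -> mac first seen announcing it (heuristic)
        self.unsolicited = defaultdict(int)  # sender mac -> count of unrequested replies

    def observe(self, pkt):
        op, smac, sip, tip = pkt["op"], pkt["sender_mac"], pkt["sender_ip"], pkt["target_ip"]
        alerts = []
        if op == ARP_REQUEST:
            self.pending.add((sip, tip))
        elif op == ARP_REPLY:
            if (tip, sip) in self.pending:   # the target really asked for this IP
                self.pending.discard((tip, sip))
            else:
                self.unsolicited[smac] += 1
                alerts.append(f"unsolicited ARP reply from {smac} claiming {sip}")
        known = self.bindings.setdefault(sip, smac)   # requests and replies both announce sender
        if known != smac:
            alerts.append(f"binding change for {sip}: {known} -> {smac}")
        return alerts

def run_trace(packets):
    mon, alerts = ArpMonitor(), []
    for pkt in packets:
        alerts.extend(mon.observe(pkt))
    return mon, alerts

def arp(op, smac, sip, tmac, tip):
    return {"op": op, "sender_mac": smac, "sender_ip": sip, "target_mac": tmac, "target_ip": tip}

T1, T2, HACKER = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
ZERO = "00:00:00:00:00:00"
SAMPLE_TRACE = [  # constructed trace, not captured traffic
    arp(ARP_REQUEST, T1, "10.0.0.1", ZERO, "10.0.0.2"),  # T1 asks who has 10.0.0.2
    arp(ARP_REPLY, T2, "10.0.0.2", T1, "10.0.0.1"),      # T2 answers: legitimate, no alert
    arp(ARP_REPLY, HACKER, "10.0.0.2", T1, "10.0.0.1"),  # spoofed: nobody asked, MAC differs
    arp(ARP_REPLY, HACKER, "10.0.0.1", T2, "10.0.0.2"),  # spoofed in the other direction
]
```

Running the trace yields two alerts for each spoofed reply (unsolicited, then binding change) and none for the legitimate exchange.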
Prevention of IP Spoofing:
To prevent IP spoofing in your network, the following are some common
practices: