Monday, November 17, 2008

Social engineering


Social engineering is a scheme that uses social techniques to attempt to gain information or access. An attacker may claim to be someone authorized to access the system, such as a help desk technician, vendor or contractor, and attempt to get the victim to reveal their user ID or password, or even request the setup of a new account for the attacker. An attacker may also call the organisation's help desk impersonating an authorized user to gain information about the system (e.g. requesting that the help desk change the original system password to one designated by the attacker).

Wednesday, November 12, 2008

LAN Security and local attacks-part 1



Traffic Eavesdropping
• Easy on shared media LANs
• Still possible on switched LANs
• e.g. flood or trick the bridge address table
• Easy on wireless LANs
• Possible to install physical splitter/tap/hub/bridge
• Would you see a physical something?
• Does the link bounce? Would you notice that?


LAN Bridge/Switch Attacks
• Overflow MAC address tables to cause flooding
• Typical gear can hold a few thousand addresses
• MAC addresses = 48 bits or >> a few thousand
• Spoof spanning tree BPDU messages
• Take over as root/designated bridge
• Cause continuous topology recomputations
• Forge VLAN, priority or aggregation tags
• Spoof PAUSE (flow control) frames (gig only)
• DDoS/floods, broadcast storms


Preventing LAN Bridge Attacks
• Monitor MAC address tables
• Manually set root bridge and monitor
• Use knobs like Cisco's BPDU and Root Guard
• Manually set and prune trunked switch ports
• Use 802.1x port authentication


ARP-based Attacks
• ARP request spoofing
• Responders to a request cache the sender's info
• As do others who already have the sender's info
• ARP update spoofing (gratuitous ARP)
• Thinking out loud:
• Is UNARP widely used? No.
• Can we poison ARP entries to = group address?


Preventing ARP-based Attacks
• Use LAN switches with one port per end host
• Enable port security to limit source MAC addresses
• Use 802.1x port authentication
• Enable (get) knobs on end hosts to validate ARPs
• How to best do this?
• Monitor LAN bridge/switch address tables
• Monitor router ARP tables
• Keep history of address/ARP tables
• FYI... vendors must support knobs (at line rate)

Tuesday, November 11, 2008

An Introduction to ARP Spoofing Attacks


ARP spoofing is a method of exploiting the interaction between the IP and Ethernet protocols. It is only applicable to Ethernet networks running IP.


A computer connected to an IP/Ethernet LAN has two addresses. One is the address of the network card, called the MAC address. The MAC, in theory, is a globally unique and unchangeable address which is stored on the network card itself. MAC addresses are necessary so that the Ethernet protocol can send data back and forth, independent of whatever application protocols are used on top of it. Ethernet builds "frames" of data, consisting of 1500-byte blocks. Each frame has an Ethernet header, containing the MAC address of the source and the destination computer.


When an Ethernet frame is constructed, it must be built from an IP packet. However, at the time of construction, Ethernet has no idea what the MAC address of the destination machine is, which it needs to create an Ethernet header. The only information it has available is the destination IP from the packet's header. There must be a way for the Ethernet protocol to find the MAC address of the destination machine, given a destination IP. This is where ARP, the Address Resolution Protocol, comes in.


ARP operates by sending out "ARP request" packets. An ARP request asks the question, "Is your IP address x.x.x.x? If so, send your MAC back to me." These packets are broadcast to all computers on the LAN, even on a switched network. Each computer examines the ARP request, checks if it is currently assigned the specified IP, and sends an ARP reply containing its MAC address. To minimize the number of ARP packets being broadcast, operating systems keep a cache of ARP replies. When a computer receives an ARP reply, it will update its ARP cache with the new IP/MAC association.


ARP spoofing involves constructing forged ARP request and reply packets. By sending forged ARP replies, a target computer could be convinced to send frames destined for computer A to the Attacker instead. When done properly, the target will have no idea that this redirection took place. The process of updating a target computer's ARP cache with a forged entry is referred to as "ARP poisoning".
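The detection side of the two posts above (the "monitor ARP tables / keep a history" bullets from part 1 and the cache-update behaviour described here), as an added example that is not part of the original posts: a small Python ARP frame parser that replays frames against an IP-to-MAC history and flags the two signs of poisoning, an IP that suddenly maps to a different MAC and a frame whose Ethernet source disagrees with its ARP sender address. All MACs, IPs and the sample frames are constructed for the demo.

```python
import struct

ETH_HDR = "!6s6sH"          # dst MAC, src MAC, EtherType
ARP_HDR = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def _mac(s):  # "aa:bb:cc:dd:ee:ff" -> 6 bytes
    return bytes(int(x, 16) for x in s.split(":"))

def _ip(s):   # "10.0.0.1" -> 4 bytes
    return bytes(int(x) for x in s.split("."))

def make_arp_frame(eth_src, eth_dst, oper, sha, spa, tha, tpa):
    """Serialize an Ethernet+ARP frame; used here only to construct sample input."""
    return (struct.pack(ETH_HDR, _mac(eth_dst), _mac(eth_src), ETHERTYPE_ARP)
            + struct.pack(ARP_HDR, 1, 0x0800, 6, 4, oper,
                          _mac(sha), _ip(spa), _mac(tha), _ip(tpa)))

def parse_arp_frame(frame):
    """Return the ARP fields of a frame as a dict, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack_from(ETH_HDR, frame)[2] != ETHERTYPE_ARP:
        return None
    src = struct.unpack_from(ETH_HDR, frame)[1]
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack_from(ARP_HDR, frame, 14)
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"eth_src": mac(src), "oper": oper, "sha": mac(sha),
            "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}

def audit_arp(frames, cache):
    """Replay frames against an IP->MAC history dict; return a list of alerts."""
    alerts = []
    for arp in filter(None, map(parse_arp_frame, frames)):
        # The Ethernet source and the ARP sender hardware address should agree.
        if arp["sha"] != arp["eth_src"]:
            alerts.append(f"sender mismatch: {arp['eth_src']} claims {arp['sha']} for {arp['spa']}")
        known = cache.get(arp["spa"])
        if known is None:
            cache[arp["spa"]] = arp["sha"]  # first sighting: learn it
        elif known != arp["sha"]:
            # An IP that suddenly maps to a new MAC is the classic poisoning sign.
            alerts.append(f"{arp['spa']} moved from {known} to {arp['sha']}")
    return alerts

# Constructed sample traffic: a legitimate reply from the gateway, then an
# unsolicited reply that re-maps the gateway's IP to another host's MAC.
GATEWAY, HOST_A, HOST_B = "00:11:22:33:44:01", "00:11:22:33:44:0a", "00:11:22:33:44:0b"
SAMPLE_FRAMES = [
    make_arp_frame(GATEWAY, HOST_A, ARP_REPLY, GATEWAY, "10.0.0.1", HOST_A, "10.0.0.10"),
    make_arp_frame(HOST_B, HOST_A, ARP_REPLY, HOST_B, "10.0.0.1", HOST_A, "10.0.0.10"),
]
```

Running `audit_arp(SAMPLE_FRAMES, {})` reports the second frame as the gateway IP moving to HOST_B's MAC; on a real LAN the same check would run over frames from a capture, with the cache dict persisted as the address history.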


Using ARP spoofing, the Attacker can mount two further kinds of attack: 1. Sniffing attacks 2. Session hijacking attacks.



ARPoison is a command-line tool for UNIX which creates spoofed ARP packets. Users can specify the source and destination IP/MAC addresses.



following procedures:

- Injecting characters into connections
- Sniffing encrypted SSH sessions
- Password collection
- OS fingerprinting
- Connection killing