Lab2 Lecture


  • 7/27/2019 Lab2 Lecture

    1/57

    ECE 4883 - Internetwork Security 1

Password Cracking and Sniffing

Agenda

- Storing Passwords on the system
- Password Cracking on Windows and Linux
- Defenses against Password cracking
- Sniffing
- Defenses against Sniffing
- Address Resolution Protocol (ARP)
- Man in the Middle


Cracking Passwords

Passwords that can be guessed easily are a problem.

Lots of tools are available to figure out passwords:
- L0phtcrack: Windows password cracker
- John the Ripper: Unix password cracker

Default passwords remaining on a system are a typical vulnerability.


Password storage

Password files have passwords stored in a hashed or encrypted form.
- Hash algorithm example: Message Digest 4 (MD4)
- Encryption algorithm example: Data Encryption Standard (DES)

When you use your password, it is hashed or encrypted and then compared to the stored value.

Crackers use a downloaded local copy of the password file on their own machine.


Storing Passwords

Systems have a file with all hashed/encrypted passwords:
- Windows: SAM (Security Accounts Manager) database
- UNIX: /etc/passwd or /etc/shadow

Access to these files can make it easy for a hacker to break in.


Windows Passwords

The Security Accounts Manager (SAM) has two versions of each password:
- LanMan (LM) password version, kept for backward compatibility with Windows workgroups
- NT hash, a cryptographic hash for Windows NT/2000 (uses MD4)

The SAM file is in the \WINNT\system32\config\ directory; it is a binary file that is hard to read.

A backup copy is stored in \WINNT\repair.


Using Passwords

The system has a hashed/encrypted version of the password stored in a file.

On a login attempt:
- The system hashes/encrypts the password typed in, using for example the crypt() function in Linux
- It compares the hashed/encrypted value to the stored hashed/encrypted value

The idea behind password cracking is to get a copy of the hashed/encrypted passwords and then make guesses, hash/encrypt each guess and compare.


Password Cracking

Dictionary Attack
- Hackers steal a copy of the stored password file
- Guess a password (may use a dictionary)
- Find the hash/encrypted value of the guess
- Compare the hash to entries from the stored file
- Continue this until success or until out of options for password guesses

Brute Force: guess every possible combination of characters

Hybrid: use a dictionary but add characters to the dictionary entries


Password retrieval on Windows

- Sniff the network for passwords being transmitted
- From the Administrator's emergency repair disk
- From the back-up directory


Password Cracking on Windows

L0phtCrack lc4 (Windows)
- Available at [email protected]/research/lc/
- Password auditing and recovery application
- Default English dictionary of 50,000 words
- Does hybrid attacks
- Our free trial version does not allow brute force (for $350 it can be purchased with that capability)
- Works on the weaker LanMan (LM) hashes as well as NT hashes
- Can sniff a network for LanMan hashed passwords
- Can download the hashed password file from a local machine or a remote computer


L0phtCrack (lc4)

Some statistics (from the website):
- L0phtCrack obtained 18% of the passwords in 10 minutes
- 90% of the passwords were recovered within 48 hours on a Pentium II/300
- The Administrator and most Domain Admin passwords were cracked


Password Cracking on UNIX

John the Ripper
- Available at http://www.openwall.com/john/
- Supports six hashing schemes, including XP

Old Unix used /etc/passwd to store passwords:
- The password is stored after being cryptographically altered; various algorithms (hash/encrypted) are used by various Unix platforms
- /etc/passwd is readable by everyone

Some Unix systems store passwords in a shadow password file, so /etc/passwd does not contain the passwords; they are instead in /etc/shadow or /etc/secure, and only root can access these files.

If a shadow file is used, you must have root to copy it.


Password retrieval on Linux

- List of login names and usernames in /etc/passwd
- List of encrypted passwords in /etc/shadow
- /etc/shadow alone is enough to crack the passwords
- Having both files makes it easier


John the Ripper

Combine the information from /etc/passwd and /etc/shadow into one file, and use this file as input for John the Ripper.

John can create guesses by:
- Using its built-in dictionary
- Using account information
- Using a brute-force guessing algorithm
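The /etc/passwd and /etc/shadow handling on the three slides above (the field layout, shadowing, and merging the two files into one input the way John's unshadow does) as an added example. This is not code from the lecture or from John the Ripper. It assumes only the documented colon-separated formats and the crypt(3) `$id$` hash prefixes; the sample lines are constructed for the example and the hash strings in them are placeholders, not real hashes. The audit side lists what a defender wants to know from these files: accounts with no password, accounts whose hash sits in the world-readable /etc/passwd (shadowing not active), and accounts still using a cheap legacy hash.

```python
import re

# Constructed sample files in /etc/passwd and /etc/shadow format (placeholder
# hashes, not real ones). 'x' in the passwd field means "look in /etc/shadow".
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
legacy:Abz9KqLm3pXyZ:1001:1001:Old account:/home/legacy:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/bash
svc:x:1003:1003:Service account:/var/lib/svc:/usr/sbin/nologin
"""

SHADOW_TEXT = """\
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$1$abcdefgh$PLACEHOLDERHASH:19000:0:99999:7:::
svc::19000:0:99999:7:::
"""

# crypt(3) hash identifiers found at the start of a modern shadow field
HASH_SCHEMES = {
    "$1$": "md5crypt", "$2b$": "bcrypt", "$5$": "sha256crypt",
    "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt",
}
# schemes an audit should flag: traditional DES crypt and md5crypt are cheap to guess at
WEAK_SCHEMES = {"descrypt", "md5crypt"}
# traditional DES crypt: 2 salt chars + 11 hash chars from the crypt alphabet, no '$'
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def identify_scheme(field):
    """Classify the password field of a passwd or shadow entry."""
    if field == "":
        return "empty"            # login with no password at all
    if field == "x":
        return "shadowed"         # real hash lives in /etc/shadow
    if field.startswith(("!", "*")):
        return "locked"           # account cannot log in with a password
    for prefix, name in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "descrypt"
    return "unknown"


def parse_colon_file(text):
    """Return {username: fields} for a colon-separated file, in file order."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def unshadow(passwd_text, shadow_text):
    """Merge the shadow hash back into passwd field 2 (what John's unshadow does)."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    merged = []
    for user, fields in passwd.items():
        if fields[1] == "x" and user in shadow:
            fields = fields[:1] + [shadow[user][1]] + fields[2:]
        merged.append(":".join(fields))
    return merged


def audit(passwd_text, shadow_text):
    """Findings a defender wants from these two files, as (user, finding) pairs."""
    findings = []
    for user, fields in parse_colon_file(passwd_text).items():
        scheme = identify_scheme(fields[1])
        if scheme == "empty":
            findings.append((user, "no-password"))
        elif scheme not in ("shadowed", "locked"):
            # a hash in world-readable /etc/passwd: shadowing is not active for this account
            findings.append((user, "unshadowed:" + scheme))
    for user, fields in parse_colon_file(shadow_text).items():
        scheme = identify_scheme(fields[1])
        if scheme == "empty":
            findings.append((user, "no-password"))
        elif scheme in WEAK_SCHEMES:
            findings.append((user, "weak-hash:" + scheme))
    return findings


if __name__ == "__main__":
    for line in unshadow(PASSWD_TEXT, SHADOW_TEXT):
        print(line)
    for user, finding in audit(PASSWD_TEXT, SHADOW_TEXT):
        print(f"{user}: {finding}")
```

Running it on the constructed input prints the merged lines and three findings: `legacy` keeps a 13-character DES hash directly in /etc/passwd, `alice` uses md5crypt, and `svc` has an empty password field. On a real host the two texts would be read from the files as root, which is exactly the access the slide says is needed to copy the shadow file.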


John the Ripper

- The scrambling (hash/encryption) is applied to each guess
- When a password is cracked, the result is displayed on screen
- During execution of this tool, hitting any key will give the current guess and status
- Password complexity determines the time needed to crack it


Defenses against Password Cracking

- Select good passwords (not dictionary based)
- Change them regularly
- Use tools to prevent easy passwords
- Run password cracking tests against your own systems
- Protect system backups that contain password files
- Unix: activate password shadowing
- Windows: disable the weaker LM authentication if there are no Windows 95/98 machines on the network
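The login flow from the "Using Passwords" slide (hash what was typed, compare with the stored value) together with three of the defenses listed above (reject dictionary-based passwords, salt and slow the hash, test your own password store) as one added example. It is not code from the lecture or from any of the tools it names; it uses Python's standard hashlib with PBKDF2-HMAC-SHA256 in place of crypt(), a random per-user salt, and a constructed six-word list standing in for a cracking dictionary. The record format `algorithm$iterations$salt$hash` is an assumption of the example, not a system format.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a cracking dictionary (real ones run to tens of thousands of words).
WEAK_WORDS = {"password", "letmein", "welcome", "admin", "123456", "qwerty"}

# Iteration count kept low so the example runs quickly; production settings are far higher.
PBKDF2_ITERATIONS = 100_000
ALGORITHM = "pbkdf2_sha256"


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Create the stored record for a new password: algorithm$iterations$salt$hash.

    A fresh random salt per user means a cracker cannot hash a guess once and compare it
    against every account; each account costs the full work factor again.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Login check: hash what was typed the same way and compare with the stored value."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_weak(password: str, wordlist=WEAK_WORDS) -> bool:
    """Policy check at password-set time: short, a dictionary word, or word-plus-suffix (hybrid)."""
    lowered = password.lower()
    if len(password) < 8 or lowered in wordlist:
        return True
    # "Welcome1!" style: a dictionary word with digits or punctuation appended
    stem = lowered.rstrip("0123456789!@#$%^&*")
    return stem in wordlist


def audit_records(records: dict, wordlist=WEAK_WORDS) -> list:
    """Self-audit of a password store: accounts whose password is in the wordlist."""
    hits = []
    for user, record in records.items():
        if any(verify_password(word, record) for word in wordlist):
            hits.append(user)
    return hits


if __name__ == "__main__":
    store = {"alice": store_password("letmein"), "bob": store_password("Tq7#pLw9zMx")}
    print("bob login:", verify_password("Tq7#pLw9zMx", store["bob"]))
    print("policy rejects 'Welcome1!':", is_weak("Welcome1!"))
    print("accounts with dictionary passwords:", audit_records(store))
```

The audit deliberately reuses `verify_password`, so it costs the same per guess as a real login; that cost, multiplied by the salt's defeat of precomputation, is what a slow salted hash buys against the guess-hash-compare loop described earlier.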


Agenda

- [x] Storing Passwords on the system
- [x] Password Cracking on Windows and Linux
- [x] Defenses against Password cracking
- [ ] Sniffing
- [ ] Defenses against Sniffing
- [ ] Address Resolution Protocol (ARP)
- [ ] Man in the Middle


Sniffing

- Collect information being transmitted on the network
- The attacker must be on either the source, the destination or an intermediate network
- Sniffed information can be stored/logged


Sniffing traditional LANs

Traditional networks:
- Broadcast medium, easy to sniff

[Figure: a hub with an attacker host attached; the frame "Data A" is repeated out of every port, so the attacker receives it along with the intended destination]


Sniffing Switched LANs

Switched LANs:
- Difficult to do, but possible
- ARP Cache Poisoning: the attacker must inject packets into the network to redirect traffic
- The attacker lies about the MAC address and intercepts the traffic

ARP tells which MAC address corresponds to which IP address.


Sniffing Switched LANs

[Figure: a switch with an attacker host attached; the frame "Data A" travels only from the sender's port to the destination's port, so the attacker's port never sees it]


Sniffit

- Easy to use sniffer
- Available at: http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
- Can be run in interactive mode
- Can be used to sniff traditional LANs
- For switched LANs, must be used with ARP cache poisoning tools


Sniffit

Conditions to use (from the Sniffit web page):
- You should be ROOT on your machine
- The machine has to be connected to a network
- You have to be allowed to sniff (ethical condition)


Sniffit Interactive mode

- All TCP traffic can be viewed in the main screen
- Traffic from each system and port to each system and port can be seen
- Has an option to see the data in a particular stream flow


Ethereal

From http://www.ethereal.com/:

Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.

Source: www.ethereal.com


Defense against Sniffing

- Transmit encrypted data across the network
- Don't use telnet, rsh, rlogin
- Use Secure Shell
- Use VPNs to encrypt data between systems
- Use switches instead of hubs; this makes sniffing more difficult


Defense against Sniffing

For critical systems:
- MAC level filtering on switches
- Restrict the MAC addresses that can send and receive data on specific switch ports
- Hard code ARP tables on critical systems


Agenda

- [x] Storing Passwords on the system
- [x] Password Cracking on Windows and Linux
- [x] Defenses against Password cracking
- [x] Sniffing
- [x] Defenses against Sniffing
- [ ] Address Resolution Protocol (ARP)
- [ ] Man in the Middle


What is ARP?

Address Resolution Protocol
- Used to convert IP addresses to MAC addresses
- Low-level protocol
- Essential for inter-network communication
- Used in networks with broadcast capabilities, usually Ethernet


How does ARP work?

Inter-network example:
- A forwards the packet to the gateway
- The gateway checks to see if it has the IP address in its cache
- If so, it changes the address, formats the packet appropriately and forwards it on the network
- Otherwise it broadcasts a request on the network; B responds with its MAC address, and the gateway formats the packet and forwards it to B


How does ARP work?

LAN example:
- A sends an ARP request packet on the LAN
- Only the machine with the matching IP responds with its MAC
- B caches the IP & MAC pair
- Forwards all packets for the same IP to the cached MAC


Example of ARP in Use

The figure shows the use of ARP when a computer is trying to contact another computer (sysa) on the same LAN using the ping program:


Four Types of ARP Messages

- ARP request
- ARP reply
- RARP request
- RARP reply

RARP: Reverse Address Resolution Protocol


Reverse Address Resolution Protocol (RARP)

- A host machine that knows only its physical address is able to request its IP from a gateway server's ARP table
- A router maps the MAC address to the corresponding Internet Protocol address
- The RARP client program asks the RARP server on the router to send it its IP address
- RARP then returns the IP address to the machine, which can store it for future use


Format of ARP Message

The ARP request includes:
- IP address of the target machine (TARGET IP)
- IP address of the sender machine (SENDER IP)
- physical address of the sender (SENDER HA)
- physical address of the target machine (TARGET HA)
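The message layout on this slide, together with the request/reply exchange and the four opcodes from the slides before it, as an added example that is not code from the lecture. It packs and parses the 28-byte Ethernet/IPv4 ARP body with Python's struct module (the fixed header fields, hardware type 1 and protocol type 0x0800, come from the ARP specification) and answers a request only when the TARGET IP is our own, which is the "only the machine with the matching IP responds" rule. The MAC and IP addresses are constructed, and nothing is transmitted on a real network.

```python
import socket
import struct

# Field order of an ARP message: hardware type, protocol type, hardware address length,
# protocol address length, opcode, SENDER HA, SENDER IP, TARGET HA, TARGET IP.
ARP_FORMAT = "!HHBBH6s4s6s4s"          # 28 bytes for Ethernet (6-byte MAC) over IPv4 (4-byte IP)
ARP_LEN = struct.calcsize(ARP_FORMAT)
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
ZERO_MAC = "00:00:00:00:00:00"          # TARGET HA is not yet known when a request is sent


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode, sender_ha, sender_ip, target_ha, target_ip):
    """Pack the opcode and the four addresses into an ARP message body."""
    return struct.pack(ARP_FORMAT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                       mac_to_bytes(sender_ha), socket.inet_aton(sender_ip),
                       mac_to_bytes(target_ha), socket.inet_aton(target_ip))


def parse_arp(payload):
    """Unpack an ARP body; reject anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP message")
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"opcode": opcode, "type": OPCODES.get(opcode, f"unknown({opcode})"),
            "sender_ha": bytes_to_mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_ha": bytes_to_mac(tha), "target_ip": socket.inet_ntoa(tpa)}


def answer_request(request_payload, my_ha, my_ip):
    """What host B does with a broadcast request: reply only if TARGET IP is its own."""
    req = parse_arp(request_payload)
    if req["opcode"] != 1 or req["target_ip"] != my_ip:
        return None                                   # not for us: stay silent
    # The reply swaps roles: we become the sender, the requester becomes the target.
    return build_arp(2, my_ha, my_ip, req["sender_ha"], req["sender_ip"])


if __name__ == "__main__":
    # constructed addresses for hosts A, B and a bystander C
    a_ha, a_ip = "02:00:00:00:00:0a", "192.0.2.10"
    b_ha, b_ip = "02:00:00:00:00:0b", "192.0.2.20"
    request = build_arp(1, a_ha, a_ip, ZERO_MAC, b_ip)        # A: "who has 192.0.2.20?"
    print(parse_arp(request))
    reply = answer_request(request, b_ha, b_ip)                # B: "192.0.2.20 is at 02:...:0b"
    print(parse_arp(reply))
    print(answer_request(request, "02:00:00:00:00:0c", "192.0.2.30"))   # C stays silent: None
```

Note that the reply carries exactly the same four address fields; the only differences from the request are the opcode and the fact that SENDER HA is now filled in. Nothing in the format binds a reply to a request, which is the statelessness the ARP poisoning slides rely on.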


ARP Poisoning

Note: ARP is stateless.

The malicious computer (Machine C) can send an ARP reply to A and cause A to associate B's IP with C's MAC address. This will cause all messages from A to B to go to C.

Do the same to B.


ARP Poisoning

- C can now act as a middle man for all communications between A and B
- C can decide which packets are forwarded and which are discarded
- C can also alter communication packets between A and B
- This attack can act as a doorway
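A defender's view of the two ARP poisoning slides as an added example, not code from the lecture, from Ettercap or from any other tool: a watcher that is fed parsed ARP messages and reports the symptoms the text describes, namely a reply that nobody asked for (ARP is stateless, so caches accept it), an IP whose MAC suddenly changes, one MAC claiming both A's and B's IP ("do the same to B"), and a violation of a hard-coded entry for a critical host as recommended on the "Defense against Sniffing" slide. The message stream below is constructed; on a real network the dictionaries would come from a packet capture.

```python
from collections import defaultdict


class ArpWatcher:
    """Learn IP->MAC from ARP traffic and flag the symptoms of cache poisoning."""

    def __init__(self, static_entries=None):
        self.static = dict(static_entries or {})   # hard-coded IP -> MAC for critical hosts
        self.learned = {}                           # IP -> MAC seen on the wire
        self.ips_by_mac = defaultdict(set)          # MAC -> every IP it has claimed
        self.awaiting_reply = set()                 # target IPs of requests seen so far
        self.alerts = []                            # (kind, ip_or_mac, detail) tuples

    def observe(self, msg):
        """msg: dict with op, sender_ha, sender_ip, target_ip (as an ARP parser would produce)."""
        sender_ip, sender_ha = msg["sender_ip"], msg["sender_ha"]
        if msg["op"] == "ARP request":
            self.awaiting_reply.add(msg["target_ip"])
        elif msg["op"] == "ARP reply":
            if sender_ip in self.awaiting_reply:
                self.awaiting_reply.discard(sender_ip)
            else:
                # nobody asked: the way a poisoner pushes a mapping into a victim's cache
                self.alerts.append(("unsolicited_reply", sender_ip, sender_ha))
        self._learn(sender_ip, sender_ha)

    def _learn(self, ip, mac):
        if ip in self.static and self.static[ip] != mac:
            self.alerts.append(("static_violation", ip, mac))
        elif ip in self.learned and self.learned[ip] != mac:
            self.alerts.append(("mapping_changed", ip, mac))
        self.learned[ip] = mac
        before = len(self.ips_by_mac[mac])
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > max(before, 1):
            # one station now claims several IPs: poisoning both ends of a conversation
            self.alerts.append(("mac_claims_multiple_ips", mac, tuple(sorted(self.ips_by_mac[mac]))))


# Constructed message stream: A asks for B, B answers, then C answers for B and then for A.
A_HA, A_IP = "02:00:00:00:00:0a", "192.0.2.10"
B_HA, B_IP = "02:00:00:00:00:0b", "192.0.2.20"
C_HA = "02:00:00:00:00:0c"
SAMPLE_STREAM = [
    {"op": "ARP request", "sender_ha": A_HA, "sender_ip": A_IP, "target_ip": B_IP},
    {"op": "ARP reply",   "sender_ha": B_HA, "sender_ip": B_IP, "target_ip": A_IP},
    {"op": "ARP reply",   "sender_ha": C_HA, "sender_ip": B_IP, "target_ip": A_IP},   # C poisons A
    {"op": "ARP reply",   "sender_ha": C_HA, "sender_ip": A_IP, "target_ip": B_IP},   # C poisons B
]


def run_watcher(stream=SAMPLE_STREAM, static_entries=None):
    """Feed a stream to a fresh watcher and return the alerts it raised, in order."""
    watcher = ArpWatcher(static_entries)
    for msg in stream:
        watcher.observe(msg)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_watcher():
        print(alert)
    print("with a hard-coded entry for B:")
    for alert in run_watcher(static_entries={B_IP: B_HA}):
        print(alert)
```

On the sample stream the first two messages are the normal exchange and raise nothing; the two replies from C each trigger an unsolicited-reply and a mapping-changed alert, and the second one also shows C claiming both IPs. With B's address hard-coded, the change for B's IP is reported as a static-entry violation instead, which is the signal a host with a static ARP table would act on.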


After in the Middle: Sniffing

- It is the easiest attack to launch, since all the packets transit through the attacker
- All the plain text protocols are compromised (the attacker can sniff the user and password of many widely used protocols such as telnet, ftp, http)


After in the Middle: Injecting

- Possibility to add packets to an already established connection (only possible in full-duplex MITM)
- The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets
- If the MITM attack is a proxy attack it is even easier to inject (there are two distinct connections)


Attacks examples (1)

Command injection
- Useful in scenarios where a one-time authentication is used (e.g. RSA token). In such scenarios sniffing the password is useless, but hijacking an already authenticated session is possible
- Injection of commands to the server
- Emulation of fake replies to the client


Attacks examples (2)

Malicious code injection
- Insertion of malicious code into web pages or mail (javascript, trojans, virus, etc)
- Modification on the fly of binary files during the download phase (virus, backdoor, etc)


Attacks

- The attacker can modify the payload of the packets by recalculating the checksum
- The length of the payload can also be changed, but only in full-duplex (in this case the seq number has to be adjusted)
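The checksum point on this slide, as an added example that is not from the lecture: the TCP checksum from RFC 793 (one's complement sum over the pseudo-header, header and payload), a builder that fills it in, and the verification a receiving host or an IDS performs. It shows that a payload edited without recomputing the checksum fails verification, which is why a man in the middle has to recalculate it, and that a same-length edit leaves the sequence numbers alone, whereas a length change would shift every later sequence number on that side of the connection. Addresses, ports and payloads are constructed.

```python
import socket
import struct

TCP_HEADER = "!HHIIBBHHH"   # src port, dst port, seq, ack, data offset, flags, window, checksum, urgent
TCP_HEADER_LEN = struct.calcsize(TCP_HEADER)   # 20 bytes, no options
CHECKSUM_OFFSET = 16


def ones_complement_sum(data):
    """16-bit one's complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd length with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over pseudo-header + TCP header + payload, with the checksum field zeroed."""
    pseudo_header = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                     + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    zeroed = segment[:CHECKSUM_OFFSET] + b"\x00\x00" + segment[CHECKSUM_OFFSET + 2:]
    return (~ones_complement_sum(pseudo_header + zeroed)) & 0xFFFF


def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload, flags=0x18):
    """Build a TCP segment (PSH+ACK by default) with a correct checksum."""
    header = struct.pack(TCP_HEADER, src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)
    segment = header + payload
    checksum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:CHECKSUM_OFFSET] + struct.pack("!H", checksum) + segment[CHECKSUM_OFFSET + 2:]


def checksum_ok(src_ip, dst_ip, segment):
    """Receiver-side check: recompute the checksum and compare with the transmitted field."""
    transmitted = struct.unpack("!H", segment[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 2])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == transmitted


def replace_payload(segment, new_payload):
    """Swap the payload WITHOUT touching the checksum: what a careless edit looks like."""
    return segment[:TCP_HEADER_LEN] + new_payload


if __name__ == "__main__":
    src, dst = "192.0.2.10", "192.0.2.20"                        # constructed addresses
    seg = build_segment(src, dst, 40000, 23, 1000, 2000, b"ls -l\r\n")
    print("original verifies:", checksum_ok(src, dst, seg))
    edited = replace_payload(seg, b"cat x\r\n")                  # same length, checksum now stale
    print("edited without recalculation verifies:", checksum_ok(src, dst, edited))
    fixed = build_segment(src, dst, 40000, 23, 1000, 2000, b"cat x\r\n")
    print("edited with recalculation verifies:", checksum_ok(src, dst, fixed))
```

The stale checksum is the one thing a receiver can notice on its own; once it is recalculated the segment is indistinguishable from the original, which is why the defenses on the earlier slides are about encrypting the session rather than inspecting packets.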


The Lab Exercise - Set up


The Exercise - Tools

- Ethereal
- Ettercap
- Hunt


The Exercise - Playing with ARP

- Check the ARP table on all machines
- Observe changes to the ARP table using Ethereal as unknown IP addresses are pinged
- Get a better feel for ARP by making manual changes to the ARP table
- Observe the effects of making incorrect entries in the ARP table


    Using Ettercap



    The Lab - Introduce Ettercap



The Exercise - Using Ettercap

- Use Ettercap for operating system fingerprinting
- Use Ettercap passively for sniffing
  - Use the Redhat 8.0 machine to ARP poison both 7.2 machines
  - Start an FTP communication between the two 7.2 machines
  - Observe the traffic between the two 7.2 machines
- Use Ettercap actively for disruption
  - Start a telnet connection between the two 7.2 machines
  - Use filters to disrupt the connection between the two machines


The Exercise - Using Hunt

Hijack a connection between the two 7.2 machines:
- ARP poison the 7.2 machines
- Start an active connection between the two 7.2 machines
- Use Hunt to hijack the connections
  - This may take a little time to complete

Session hijack example

From http://staff.washington.edu/dittrich/talks/qsm-sec/


This demonstration involves three hosts: attacker, victim, and target. attacker is the system used by the attacker for the hijack. victim is the system used by the victim for telnet client connections to the target system. target is the target system that the intruder wants to compromise. It is where the telnetd daemon is running.

A simple diagram of the network shows the attacker and victim hosts are on the same network (which can be ethernet switched and the attack will still work), while the target system can be anywhere. (Actually, either victim or target can be on the same network as attacker: it doesn't matter.)

For the attack to succeed, the victim must use telnet, rlogin, ftp, or any other non-encrypted TCP/IP utility. Use of SecurID card, or other token based secondary authentication is useless as protection against hijacking, as the attacker can simply wait until after the user authenticates, then hijack the session.


    Session hijack example


The attack scenario can be as simple as:

1. Attacker: Spends some time determining the IP addresses of target and victim systems. Determining trust relationships can be easily done with utilities like SATAN, finger, systat, rwho or running who, ps, or last from previously stolen (or wide open "guest" style) accounts.
2. Attacker: Runs hunt as root on attacking host. Waits for hunt to indicate a session has been detected (hunt will note a new session by changing its prompt from "->" to "*>").
3. Attacker: Starts ARP relay daemon, prepares RST daemon entry for use later, sets option to enable host name resolution (for convenience).
4. Victim: Logs in to target using telnet. Runs pine to read/compose email.

From http://staff.washington.edu/dittrich/talks/qsm-sec/

    Session hijack example


5. Attacker: Sees new connection; lists active connections to see if this one is potentially "interesting." If it is, attacker can either watch the session (packet sniffing) or hijack the session. Decides to hijack.
6. Victim: Sees strange new prompt. Tries pressing RETURN and doesn't know what to think. Tries web browser and notices that it still works fine (not a network problem). Not sure what to think.
7. Attacker: Finds this is a user session and decides to give it back (resynchronizes TCP/IP stream).
8. Victim: Sees prompt for keystrokes, follows request, gets session back. Puzzled, decides to log in to root account to take a closer look.
9. Attacker: Turns on RST daemon to prevent new connections, waits to hijack root session.
10. Victim: Runs ssu to get SecurID protected root shell.

From http://staff.washington.edu/dittrich/talks/qsm-sec/

    Session hijack example


11. Attacker: Completes hijack after seeing root login.
12. Victim: Sees strange prompt. Tries pressing RETURN again. Same result as before. Tries web browser again. Same thing. Tries getting a new telnet session. Fails. Tries ftp. Fails.
13. Attacker: Sets up backdoor, disables command history, resets session, turns off RST daemon.
14. Victim: Finally gets a new session. Original session is now gone. Assumes network outage or Windows TCP/IP stack corruption. Reboots system and everything is back to "normal".
15. Attacker: Waits for admin's sessions to all disappear (gone home for the night), then logs in using new backdoor. Installs rootkit (more backdoors, sniffer), cleans log files.

From http://staff.washington.edu/dittrich/talks/qsm-sec/


References

- http://alor.antifork.org/talks/MITM-BHeu03.ppt
- http://www.csc.vill.edu/~fsalandr/netclass/cassel.ppt
- http://staff.washington.edu/dittrich/talks/qsm-sec/script.html