MITM Attacks
by Shailvi Shah
on 6 December 2013

Transcript of MITM Attacks

MITM Attacks
Team 8
Brian, Harsha, Shailvi, Sven

Agenda

Project Scenario
Common MITM Attacks
Tools Used
Eavesdropping
Attacks
ARP Poisoning
Replay Attack
Insertion Attack
SSL attacks
Comparison of Defense Mechanisms

Project Scenario

Common MITM Attacks
Eavesdropping:
Intentionally listening in on a private conversation
ARP Poisoning/Spoofing:
Associates the attacker’s MAC address with the victim’s IP address
Replay Attack:
Replays a captured payload/packet to obtain the same result again
Insertion Attack:
Changes existing data or inserts new data into a network conversation
SSL Attack:
Gets to see data that was meant to be protected by encryption



Image by goodtextures: http://fav.me/d2he3r8
Tools Used

TCPdump:
Packet sniffer
Chaosreader:
Inspect and analyze tcpdump captures
Ettercap:
ARP poisoning
Packet filtering
eLinks/curl:
Text-based browsers

Attack - Eavesdropping
Capture packets being transferred between Alice and Bob
Procedure:
Set up ARP spoofing using Ettercap
Information found:
What kind of data is being transmitted?
Nature of the communication
Authentication information

Attack - Eavesdropping (Cont.)
ARP Poisoning
ARP Poisoning Defense Schemes
ARPWatch (detection)
ARPWatch monitors the transmission of ARP request and reply messages over Ethernet and checks them against a database of (IP addr, hardware addr) pairings.
Static ARP caches (prevention)
A static ARP cache stores permanent (IP addr, hardware addr) pairs for trusted hosts, so the host does not need to send ARP request and reply messages over Ethernet to resolve them.

Defense - ArpWatch
Advantages - ARPWatch and Static ARP
Favorable when the network configuration does not change often: a list of static ARP entries can be deployed to hosts via an automated script.
Ensures that hosts rely on their local ARP caches rather than on ARP replies and requests.
In general, third-party tools that monitor ARP traffic are feasible when considering individual hosts.


ArpWatch - cont’d
Static ARP Cache - cont’d
Static ARP Cache - Screenshots
Replay Attack
- Other Defenses

Nonce
Server sends nonce to client
Client adds hash to message using nonce
Each nonce can only be used once
Timestamp
Problems
Overhead
MITM can intercept token/nonce/timestamp

Static ARP Cache - cont’d
ArpWatch - Screenshots
Insufficiencies - ARPWatch and Static ARP
ARPWatch does not support dynamic assignment of IP addresses.
Static ARP caches do not support dynamic assignment of IP addresses or detection of destination failures.
Updating and maintaining static ARP tables on all machines is a significant overhead even in medium-sized networks.
In networks where hosts frequently join and leave, static ARP tables are very difficult to maintain.

DHCP Snooping and Dynamic ARP Inspection
DHCP Snooping
Trusted and untrusted ports.
Maintains a DHCP binding table: IP, MAC, port, lease timer, binding type.
Dynamic ARP Inspection (DAI)
DAI with DHCP Snooping: strict control over what ARP packets are allowed into the network. Prevents ARP poisoning.
The switch only forwards legitimate ARP replies.
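The following is an added example, not part of the presentation: a small Python model of the switch behaviour the slides describe. DHCP snooping fills a binding table (IP, MAC, port, lease timer, binding type) only from server replies that arrive on a trusted port, and Dynamic ARP Inspection then forwards ARP replies from untrusted ports only when the sender's IP, MAC and port match a live binding. The port names (Gi0/1 etc.), addresses and clock values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

@dataclass
class Binding:                   # one row of the DHCP binding table
    ip: str
    mac: str
    port: str
    lease_expires: int           # lease timer, kept here as an absolute time
    binding_type: str = "dynamic"

@dataclass
class Switch:
    trusted_ports: Set[str] = field(default_factory=set)
    bindings: Dict[str, Binding] = field(default_factory=dict)  # keyed by IP

    def dhcp_ack(self, server_port: str, client_port: str, ip: str,
                 mac: str, lease_expires: int) -> bool:
        # DHCP snooping: a server reply counts only if it comes in on a trusted
        # port, and the binding is tied to the (untrusted) port the client is on.
        if server_port not in self.trusted_ports:
            return False  # reply from an access port (rogue server): not admitted
        self.bindings[ip] = Binding(ip, mac.lower(), client_port, lease_expires)
        return True

    def arp_reply(self, port: str, sender_ip: str, sender_mac: str, now: int) -> str:
        # Dynamic ARP Inspection: trusted ports are forwarded unchecked; on an
        # untrusted port the sender (IP, MAC, port) must match a live binding.
        if port in self.trusted_ports:
            return "forward"
        b = self.bindings.get(sender_ip)
        if b is None or b.lease_expires <= now:
            return "drop: no valid binding"
        if b.mac != sender_mac.lower() or b.port != port:
            return "drop: binding mismatch"
        return "forward"

def dai_demo():
    sw = Switch(trusted_ports={"Gi0/1"})  # Gi0/1: uplink towards DHCP server and gateway
    now = 1000                             # constructed clock, in seconds
    lease_end = now + 3600
    results = {}
    # A DHCP reply arriving on an access port (rogue server) never enters the table.
    results["rogue dhcp"] = sw.dhcp_ack("Gi0/3", "Gi0/2", "10.0.0.5", "aa:aa:aa:aa:aa:05", lease_end)
    # The real server's reply on the uplink binds 10.0.0.5 to the client on Gi0/2.
    sw.dhcp_ack("Gi0/1", "Gi0/2", "10.0.0.5", "aa:aa:aa:aa:aa:05", lease_end)
    results["legit reply"] = sw.arp_reply("Gi0/2", "10.0.0.5", "aa:aa:aa:aa:aa:05", now)
    # Poisoning attempt: a host on Gi0/3 answers for 10.0.0.5 with its own MAC.
    results["poison host"] = sw.arp_reply("Gi0/3", "10.0.0.5", "de:ad:be:ef:00:99", now)
    # The same host answers for the gateway, which has no binding on any access port.
    results["poison gateway"] = sw.arp_reply("Gi0/3", "10.0.0.1", "de:ad:be:ef:00:99", now)
    # The real gateway's reply arrives on the trusted uplink and is forwarded.
    results["gateway"] = sw.arp_reply("Gi0/1", "10.0.0.1", "00:00:5e:00:01:01", now)
    # Once the lease timer has run out, the binding no longer vouches for the host.
    results["after lease"] = sw.arp_reply("Gi0/2", "10.0.0.5", "aa:aa:aa:aa:aa:05", lease_end + 1)
    return results

if __name__ == "__main__":
    for case, outcome in dai_demo().items():
        print(f"{case:15s}: {outcome}")
```

The binding's port is the client's access port, not the port the server reply came in on; that is what lets DAI reject a correct (IP, MAC) pair sent from the wrong port, which a simple IP-to-MAC lookup would miss.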


DHCP Snooping and Dynamic ARP Inspection
Replay Attack
- Scenario
Replay Attack
- Attack Scheme
Replay Attack
Defense - Session Token

Replay Attack
Defense - Session Token
Attack - Insertion Attack
filter.ef
# Ettercap filter (etterfilter syntax) used for the insertion attack:
# both rules match HTTP responses (TCP with source port 80) and rewrite
# bytes of the payload while it passes through the attacker's host.
if (ip.proto == TCP && tcp.src == 80)
{
    # swap the string "FZCO" in the server's response for "OWND"
    replace("FZCO", "OWND");
}
if (ip.proto == TCP && tcp.src == 80)
{
    # replace the two characters " $" with "$9"
    replace(" $", "$9");
}


Insertion Attack (Cont.)
Defenses against Insertion Attacks
Encryption
Authentication
Message Integrity
Message Authentication Code
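As an added example (not code from the presentation), the following Python combines the three defenses the slides list: the server-issued nonce and timestamp from the "Replay Attack - Other Defenses" slide, and the Message Authentication Code from the insertion-attack defenses above. The shared key, the fixed clock value and the message text are constructed for the example; the MAC is HMAC-SHA256 from the standard library.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

def compute_tag(key: bytes, msg: bytes, nonce: str, ts: int) -> bytes:
    # HMAC-SHA256 over the message, the nonce and the timestamp. Each field is
    # length-prefixed so the same bytes cannot be re-split into another triple.
    data = b""
    for part in (msg, nonce.encode(), str(ts).encode()):
        data += len(part).to_bytes(4, "big") + part
    return hmac.new(key, data, hashlib.sha256).digest()

class Server:
    def __init__(self, key: bytes, max_age: int = 30):
        self.key = key
        self.max_age = max_age    # tolerated clock difference, in seconds
        self.outstanding = set()  # nonces issued but not yet consumed

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, msg: bytes, nonce: str, ts: int, tag: bytes,
               now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        # Each nonce is accepted once; a replayed message fails this check.
        if nonce not in self.outstanding:
            return False, "unknown or reused nonce"
        # A timestamp outside the window fails even with an unused nonce.
        if abs(now - ts) > self.max_age:
            return False, "stale timestamp"
        expected = compute_tag(self.key, msg, nonce, ts)
        # Constant-time comparison; any inserted or altered byte changes the tag,
        # and someone who intercepts nonce and timestamp still lacks the key.
        if not hmac.compare_digest(expected, tag):
            return False, "bad MAC"
        self.outstanding.discard(nonce)
        return True, "accepted"

def client_send(key: bytes, nonce: str, msg: bytes, ts: int):
    # What the client puts on the wire: message, nonce, timestamp and MAC.
    return msg, nonce, ts, compute_tag(key, msg, nonce, ts)

def auth_demo():
    key = secrets.token_bytes(32)  # constructed shared key for this example
    server = Server(key)
    now = 1_700_000_000            # fixed "current time" so the run is repeatable
    results = {}
    # 1. Genuine message: fresh nonce, current timestamp, correct MAC.
    packet = client_send(key, server.issue_nonce(), b"transfer 100 to bob", now)
    results["genuine"] = server.verify(*packet, now=now)
    # 2. Replay of the identical packet a few seconds later.
    results["replay"] = server.verify(*packet, now=now + 5)
    # 3. Insertion attack: payload altered in transit, MAC left as it was.
    msg, nonce, ts, tag = client_send(key, server.issue_nonce(), b"transfer 100 to bob", now)
    results["tampered"] = server.verify(msg.replace(b"100", b"900"), nonce, ts, tag, now=now)
    # 4. Old timestamp on an otherwise valid packet.
    packet = client_send(key, server.issue_nonce(), b"transfer 100 to bob", now - 600)
    results["stale"] = server.verify(*packet, now=now)
    return results

if __name__ == "__main__":
    for name, (ok, reason) in auth_demo().items():
        print(f"{name:9s} -> {'accepted' if ok else 'rejected'} ({reason})")
```

The order of the checks matters for the overhead the slides mention: the nonce lookup and timestamp comparison are cheap and reject replays before any MAC is computed, and the MAC covers the nonce and timestamp too, so an interceptor cannot reuse either with a different message.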


Defense against SSL attack schemes:
Issue
Use HTTPS with HSTS (HTTP Strict Transport Security)
Enable SSL/TLS for IMAP on server side
Information about SSL certificates on website home page

Defense Mechanism Recommendation
ARP poisoning/spoofing
ArpON
Static ARP Inspection (SARPI)
Dynamic ARP Inspection (DARPI)
Hybrid ARP Inspection (HARPI)
Replay Attack
Timestamp + Hashing
Insertion Attack
Message Authentication Codes + Timestamp
SSL Attack
General awareness

Thank You!

Happy Holidays!

Monitors ARP traffic
Detects Layer 2 / Layer 3 address pairing changes
Records to syslog
Emails the administrator
Changes detected:
New station: a new pairing using a previously unseen layer 2 address
Ethernet mismatch: the layer 2 address changed on a host
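The following is an added example, not code from the presentation or from the arpwatch project: a minimal ArpWatch-style detector in Python. It implements the behaviour described on the "ARP Poisoning Defense Schemes" slide (checking ARP replies against a database of (IP addr, hardware addr) pairings) and reports the two change types listed above, "new station" and "ethernet mismatch", in syslog-style lines. The capture text is constructed to look like tcpdump's ARP output, with addresses invented for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# tcpdump prints an ARP reply as, for example:
# "12:00:01.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28"
ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})")

# Constructed capture: two hosts answer normally, then an unknown MAC starts
# answering for both of their IP addresses (the pattern ARP poisoning produces).
SAMPLE_CAPTURE = """\
12:00:00.500000 ARP, Request who-has 10.0.0.1 tell 10.0.0.2, length 28
12:00:01.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000000 ARP, Reply 10.0.0.2 is-at 00:11:22:33:44:02, length 28
12:00:03.000000 IP 10.0.0.2.51234 > 10.0.0.1.80: Flags [S], length 0
12:00:03.500000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:04.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
12:00:05.000000 ARP, Reply 10.0.0.2 is-at de:ad:be:ef:00:99, length 28
"""

@dataclass
class ArpEvent:
    ip: str
    mac: str
    kind: str                      # "new station" or "ethernet mismatch"
    old_mac: Optional[str] = None  # previous hardware address, for mismatches

@dataclass
class ArpWatcher:
    db: Dict[str, str] = field(default_factory=dict)  # IP addr -> hardware addr
    seen_macs: Set[str] = field(default_factory=set)  # every layer 2 address seen

    def observe(self, ip: str, mac: str) -> Optional[ArpEvent]:
        mac = mac.lower()
        known = self.db.get(ip)
        if known == mac:
            return None  # pairing agrees with the database: nothing to report
        event = None
        if known is None:
            # New pairing: it is a "new station" only if the layer 2 address
            # has never been seen; a known MAC taking another IP is just recorded.
            if mac not in self.seen_macs:
                event = ArpEvent(ip, mac, "new station")
        else:
            # The host's layer 2 address changed: "ethernet mismatch".
            event = ArpEvent(ip, mac, "ethernet mismatch", old_mac=known)
        self.db[ip] = mac
        self.seen_macs.add(mac)
        return event

def run_watch(capture: str, watcher: Optional[ArpWatcher] = None) -> List[ArpEvent]:
    """Feed tcpdump-style text through the watcher and collect the changes."""
    if watcher is None:
        watcher = ArpWatcher()
    events: List[ArpEvent] = []
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if not m:
            continue  # requests and non-ARP traffic carry no pairing to check
        ev = watcher.observe(m.group(1), m.group(2))
        if ev is not None:
            events.append(ev)
    return events

def syslog_line(ev: ArpEvent) -> str:
    """The record that would go to syslog and to the administrator's mailbox."""
    if ev.kind == "ethernet mismatch":
        return f"arpwatch: ethernet mismatch {ev.ip} {ev.old_mac} -> {ev.mac}"
    return f"arpwatch: new station {ev.ip} {ev.mac}"

if __name__ == "__main__":
    for ev in run_watch(SAMPLE_CAPTURE):
        print(syslog_line(ev))
```

On the constructed capture the two legitimate hosts each produce one "new station" record, and the two replies from de:ad:be:ef:00:99 each produce an "ethernet mismatch"; the same layer 2 address turning up for two hosts in quick succession is the signal an administrator would look for in those mails. It also shows the limitation from the "Insufficiencies" slide: with DHCP handing out addresses, ordinary lease changes produce the same mismatch records.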

ArpWatch - cont’d