SECURITY + SPOOFING AND POISONING 5.2
HTTP (Session) Hijacking
A real-time attack in which the attacker hijacks a legitimate user's cookies and uses them to take over the HTTP session.
ARP Spoofing
ARP spoofing (also known as ARP poisoning) uses spoofed ARP messages to associate a different MAC address with an IP address. ARP spoofing can be used to perform a man-in-the-middle attack as follows:
1. When an ARP request is sent by a client for the MAC address of a device, such as the default gateway router, the attacker's system responds to the ARP request with the MAC address of the attacker's system.
2. The client receives the spoofed ARP response and uses that MAC address when communicating with the destination host. For example, packets sent to the default gateway are sent instead to the attacker.
3. The attacker receives all traffic sent to the destination host. The attacker can then forward these packets on to the correct destination using its own MAC address as the source address.
ARP spoofing can also be used to perform Denial of Service (DoS) attacks by redirecting communications to fake or non-existent MAC addresses.
Reconnaissance
Actions taken to gather information for an attack.
Man-in-the-Middle Attack
An attack that intercepts information passing between two communication partners.
Session-Based Attack
An attack that takes over the TCP/IP session or captures information that can be used at a later date.
Replay Attack
An attack that uses a protocol analyzer or sniffer to capture authentication information going from the client to the server and then uses this information to connect at a later time and pretend to be the client.
ARP Spoofing or ARP Poisoning
An attack that uses spoofed ARP messages to associate a different MAC address with an IP address.
IP Spoofing
An attack where IP address information is changed within a packet to amplify or redirect responses to a victim.
Null Session
An attack where a connection is made using a blank username and password that is used to discover information about the system.
Domain Hijacking
An attack where an attacker gains access to the domain control panel itself and reconfigures the domain name to point toward another web server.
DNS Poisoning
An attack where malicious or misleading data that incorrectly maps hostnames and IP addresses is sent to a name server
Domain Name Kiting
An attack where spammers exploit domain registration by taking advantage of the five-day grace period for a newly registered domain name.
MAC Spoofing
An attack where the MAC address of a valid host currently in the MAC address table of a switch is spoofed so that frames are redirected to the attacker.
TCP/IP (Session) Hijacking
An extension of a man-in-the-middle attack where the attacker steals an open and active communication session from a legitimate user
To mitigate reconnaissance DNS attacks:
Configure your DNS servers to only accept queries for zone transfers from specific hosts. Secure zone transfer data using IPSec or a VPN tunnel
Common methods of spoofing:
IP Spoofing
MAC Spoofing
ARP Spoofing
TCP/IP (Session) Hijacking: countermeasures for hijacking include using
IPSec or other encryption protocols
Certificate authentication
Mutual authentication
Randomizing sequencing mechanisms
Packet time stamps
Packet sequencing
Countermeasures for preventing spoofing are as follows:
Implement firewall and router filters to prevent spoofed packets from crossing into or out of your private secured network. Filters will drop any packet suspected of being spoofed.
Use certificates to prove identity.
Use reverse DNS lookup to verify the source email address.
Use encrypted communication protocols, such as IPsec.
Use ingress and egress filters to examine packets and identify spoofed packets. Ingress filters examine packets coming into the network, while egress filters examine packets going out of the network. Any packet suspected of being spoofed on its way into or out of your network will be dropped.
DNS Poisoning attack:
Incorrect DNS data is introduced into the cache of a primary DNS server
MAC Spoofing
MAC spoofing is when an attacking device spoofs the MAC address of a valid host currently in the MAC address table of the switch. The switch then forwards frames destined for that valid host to the attacking device. This can be used to bypass:
A wireless access point with MAC filtering on a wireless network
Router access control lists (ACLs)
802.1x port-based security
Session-Based Attacks are:
Man-in-the-Middle
TCP/IP (Session) Hijacking
HTTP (Session) Hijacking
Replay Attack
Null Session
Reconnaissance DNS-based attacks are:
Performing direct queries on DNS servers (using a tool such as nslookup) to request individual records.
Attaching to a DNS server as a secondary server and requesting a zone transfer of DNS records.
Using a protocol analyzer to gather zone transfer traffic, which is transferred in cleartext from the primary DNS server to the secondary DNS server.
Other ways to protect your organization from DNS attacks include:
Using the latest version of DNS software.
Consistently monitoring traffic going through your network.
Configuring servers to duplicate, separate, and isolate DNS functions.
Using Domain Name System Security Extensions (DNSSEC) to secure certain kinds of information provided by DNS. DNSSEC adds cryptographic signatures to existing DNS records, helping the server correctly validate DNS responses.
Securing and automatically renewing domain registration accounts.
Null Sessions are allowed
through the SMB and NetBIOS protocols used on Microsoft systems.
Man-in-the-Middle: Both parties
at the endpoints believe they are communicating directly with the other, while the attacker intercepts and/or modifies the data in transit. The attacker can then authenticate to the server using the intercepted credentials.
ARP spoofing can also
be used to perform Denial of Service (DoS) attacks by redirecting communications to fake or non-existent MAC addresses
To prevent null session attacks,
block ports 139 and 445 on network firewalls. Windows NT uses TCP port 139 to establish NetBIOS sessions, and Windows 2000 uses TCP port 445 for SMB sessions.
Domain Name Kiting allows spammers to generate income through clicks
by automatically registering thousands of domains and putting ads on them. They can create link farms (multiple domains with automatic hyperlinks to targeted sites) to spam the index of a search engine (such as Google) and trick the search engine into conferring a page ranking on the spammed website.
IP Spoofing: Amplify attacks
by sending a message to a broadcast address and then redirecting responses to a victim who is overwhelmed with responses.
Man-in-the-Middle: the attacker
inserts himself in the communication flow between the client and server. The client is fooled into authenticating to the attacker
Standard DNS
is configured with one primary DNS server that maintains a read/write copy of all the computer names and IP addresses registered in DNS for the domain.
In a DNS poisoning attack, the incorrect mapping
is made available to client applications.
TCP/IP (Session) Hijacking, The session state
is manipulated so that the attacker is able to insert alternate packets into the communication stream
Spoofing
is used to hide the true source of packets or redirect traffic to another location. Spoofing attacks:
A DNS-based attack
occurs when stolen DNS records are used to redirect traffic to fake websites for malicious purposes. Below are important facts you should know about DNS:
Spoofing Use
modified source and/or destination addresses in packets
Domain Name Kiting allows spammers to acquire domains and
never pay for the registration of domain names by unregistering a domain name just before the grace period is up and then immediately re-registering the domain name.
Using security software to
prevent modification of the HOSTS file without your knowledge. This will prevent hackers from placing a mapping in the file to redirect traffic to a fake site.
Secondary DNS
servers obtain a read-only copy of this data from the primary DNS server or another secondary server
Spoofing Can include
site spoofing, which tricks users into revealing information
TCP/IP (Session) Hijacking, The attacker
takes over the session and cuts off the original source device
Session-based attack:
the attacker takes over the TCP/IP session or captures information that can be used at a later date. Common session-based attacks:
IP Spoofing: Hide
the origin of the attack by spoofing the source address.
In a DNS poisoning attack, traffic is redirected
to incorrect sites (known as pharming) for phishing purposes to perform:
Identity theft
Financial theft
Malware downloads (drive-by downloads), which can be used to capture sensitive information, such as passwords and financial information.
Mapping known malicious sites to the loopback address of 127.0.0.1
to prevent browsers from displaying the malicious sites.
Man-in-the-middle attacks are commonly used
to steal credit cards, online bank credentials, and confidential personal and business information
Null Session: Older Microsoft systems
used null sessions between computers. Attackers can use this vulnerability to log on and discover information about the system, such as a list of user names or shared folders.
The process of copying the records from the primary to the secondary DNS server is called
zone transfer and is performed in cleartext