31-03-2010, 02:41 PM
Types of Spoofing
IP
Web
Non-network (social engineering)
IP Spoofing
Keep in mind that the replies will go to the spoofed return address.
Easy to do: simply change your machine's IP address. You may have to alter your routing table so that the packets get delivered.
Three basic flavors of IP spoof attacks:
Basic Address Change
Use of source routing to intercept packets
Exploitation of a trust relationship (UNIX)
Basic IP Address Change
Low tech: no replies are received.
Typically only used to extend blame to innocent persons, or for DoS
Simple to do
Protect against it with good firewall rules and router filters that keep your machines from sending packets with a spoofed source IP.
Limit configuration access on machines
Programs like arpwatch that keep track of IP/MAC pairings
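The two defenses just listed (router filters that stop spoofed source addresses, and arpwatch-style tracking of IP/MAC pairings) are easy to show in code. The following is an added example written for these notes, not code from the original page or from arpwatch; the address ranges and sample packets are constructed, and the rule is simply that a packet's source address must be consistent with the side of the border it was seen on.

```python
import ipaddress

# Constructed address ranges standing in for "our" network (assumption).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("10.10.0.0/16")]


def is_internal(ip):
    """True when the address belongs to one of our own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def filter_packet(direction, src_ip, dst_ip):
    """Decide 'allow' or 'drop' for one packet, with a reason.

    direction is 'outbound' (leaving our network for the Internet) or
    'inbound' (arriving from the Internet). A spoofed source shows up as an
    address that is inconsistent with the side it was seen on.
    """
    if direction == "outbound" and not is_internal(src_ip):
        return "drop", "egress filter: source %s is not one of our addresses" % src_ip
    if direction == "inbound" and is_internal(src_ip):
        return "drop", "ingress filter: outside packet claims internal source %s" % src_ip
    return "allow", "source address is consistent with its direction"


def observe_pairing(table, ip, mac):
    """arpwatch-style bookkeeping: remember IP/MAC pairings and report changes."""
    previous = table.get(ip)
    table[ip] = mac
    if previous is None:
        return "new"
    return "unchanged" if previous == mac else "changed %s -> %s" % (previous, mac)


# Constructed sample traffic: (direction, source, destination)
SAMPLE_PACKETS = [
    ("outbound", "192.0.2.15", "198.51.100.7"),   # normal outbound packet
    ("outbound", "203.0.113.9", "198.51.100.7"),  # spoofed source leaving our net
    ("inbound", "203.0.113.9", "192.0.2.15"),     # normal inbound packet
    ("inbound", "10.10.3.4", "192.0.2.15"),       # outsider pretending to be internal
]


def audit(packets=SAMPLE_PACKETS):
    """Return the verdict for each sample packet in order."""
    return [filter_packet(*p)[0] for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, audit()):
        print(pkt, "->", verdict)
    arp_table = {}
    for ip, mac in [("192.0.2.15", "00:11:22:33:44:55"),
                    ("192.0.2.15", "00:11:22:33:44:55"),
                    ("192.0.2.15", "66:77:88:99:aa:bb")]:
        print(ip, mac, observe_pairing(arp_table, ip, mac))
```

The outbound rule is the one the notes call a router filter: a site that drops packets whose source address it does not own cannot be used to launch spoofed traffic. The pairing tracker only reports; as with arpwatch, a "changed" line is something for a person to look at, since a legitimate hardware swap produces the same signal as a spoofed address.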
Source Routing
Source routing is one of the IP options that allows the specification of an IP address that should be on the route for the packet delivery.
This allows someone to use a spoofed return address, and still see the traffic by placing his machine in the path.
Doesn't work very well these days, since most routers' default configuration is to not allow source routing (the option is ignored, or the packets are dropped).
Two Types:
Loose Source Routing (LSR)
Strict Source Routing (SSR)
Trust Relationships
UNIX systems are notorious for this.
A trust relationship uses IP address for authentication. From a convenience standpoint, this is really easy.
Protection is simple: do not allow them to be used.
Email Spoofing
Done for 3 main purposes:
Hide Identity
Impersonate someone to extend blame
Social engineering: impersonate someone to get information or privileges
Email Spoofing Techniques
Similar email addresses
Modify mail client
Telnet to port 25 and issue commands directly to the SMTP server.
Anonymous remailers can be used: they forward an email, concealing who really sent the message.
Similar Email Address
Attacker registers an address that looks very similar to that of the person he wants to impersonate.
Defense
Employee education and awareness.
Set up the company's email so that it can be accessed remotely, thereby eliminating the 'need' to use another email server. Have a policy stating that all business email must go through the business's email server.
Modifying a Mail Client
Edit the client to change the 'from' address.
Any replies will go back to the spoofed address, however.
Defense
Strict policy against any employee doing this.
Education: look at the full email header. Email logging.
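"Look at the full email header" can be partly automated. The following is an added example written for these notes, not code from the original page: it parses a constructed message with Python's standard `email` module and lists the header inconsistencies a reviewer would look for, namely a Return-Path or Reply-To domain that differs from the From domain, and a message that claims an internal sender but entered the mail system through a host that is not one of ours. The domain `example.com`, the host list and the message itself are constructed.

```python
import email
import re
from email.utils import parseaddr

# Constructed message: the From: line claims an internal sender, but the
# envelope and the Received trail tell a different story.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.5])
\tby mx.example.com with ESMTP id 1A2B3C; Wed, 31 Mar 2010 14:41:00 +0000
From: "Pat Manager" <pat.manager@example.com>
Reply-To: pat.manager.reports@webmail.example.org
To: accounting@example.com
Subject: Please send the Q1 report

Can you send me the report today?
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, '' when absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw_message, our_domain, our_mail_hosts):
    """List the header inconsistencies a reviewer would look for."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg["From"])
    return_path_dom = domain_of(msg["Return-Path"])
    reply_to_dom = domain_of(msg["Reply-To"])

    if return_path_dom and return_path_dom != from_dom:
        findings.append("Return-Path domain %s differs from From domain %s"
                        % (return_path_dom, from_dom))
    if reply_to_dom and reply_to_dom != from_dom:
        findings.append("replies are steered to %s, not the From domain %s"
                        % (reply_to_dom, from_dom))

    # The last Received: header in header order is the one added first,
    # i.e. the hop where the message entered the mail system.
    received = msg.get_all("Received") or []
    if from_dom == our_domain and received:
        m = re.search(r"from\s+([\w.-]+)", received[-1])
        entry_host = m.group(1).lower() if m else "?"
        if entry_host not in our_mail_hosts:
            findings.append("claims internal sender but entered via %s" % entry_host)
    return findings


if __name__ == "__main__":
    for line in spoof_indicators(SAMPLE_MESSAGE, "example.com", {"mx.example.com"}):
        print("-", line)
```

None of these checks is proof on its own (mailing lists and forwarding produce mismatches too), which is why the notes pair header inspection with logging: the findings tell you which messages deserve a human look, and the logs tell you where they came from.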
Telnet to Port 25: Email Relaying
Most email servers today do not allow email relaying. They only allow emails to be sent to/from their own range of IP addresses, and they ensure that the recipient's domain is the same domain as the mail server. The attacker can run his own email server, but then he is easier to trace.
Defense: do not allow email relaying on your SMTP servers.
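The relay rule described above (accept a recipient only when the server hosts that domain or the client is on the server's own network) is small enough to write out. The following is an added example for these notes, not code from the original page or from any mail server: a simulated SMTP session that returns the reply code for each `MAIL FROM` / `RCPT TO` command. The local domain, the address range and the session are constructed, and the `authenticated` flag stands in for SMTP AUTH, the usual way to let roaming users send mail without turning the server into an open relay (my addition, not something the notes mention).

```python
import ipaddress

# Constructed configuration (assumption): the domain this server is
# responsible for and the client ranges allowed to send mail outward.
LOCAL_DOMAINS = {"example.com"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_local_client(client_ip):
    """True when the connecting client is on one of our own ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETS)


def relay_allowed(client_ip, rcpt_to, authenticated=False):
    """Accept a recipient only if we host its domain or the client is ours."""
    rcpt_domain = rcpt_to.rpartition("@")[2].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return True            # inbound mail for our own users
    return is_local_client(client_ip) or authenticated


def smtp_session(client_ip, commands, authenticated=False):
    """Simulate the reply code for each MAIL FROM / RCPT TO in a session."""
    replies = []
    for cmd in commands:
        verb, _, arg = cmd.partition(":")
        addr = arg.strip().strip("<>")
        if verb.upper() == "MAIL FROM":
            replies.append("250 OK")
        elif verb.upper() == "RCPT TO":
            if relay_allowed(client_ip, addr, authenticated):
                replies.append("250 OK")
            else:
                replies.append("550 Relaying denied")
        else:
            replies.append("500 Unrecognized command")
    return replies


# Constructed session: an outside host tries to bounce mail through us to a
# third party, then addresses one of our own users.
OUTSIDER_SESSION = [
    "MAIL FROM:<someone@elsewhere.example>",
    "RCPT TO:<victim@third-party.example>",
    "RCPT TO:<helpdesk@example.com>",
]


if __name__ == "__main__":
    for cmd, reply in zip(OUTSIDER_SESSION, smtp_session("203.0.113.7", OUTSIDER_SESSION)):
        print(cmd, "->", reply)
```

The decision is made at `RCPT TO`, not `MAIL FROM`: the envelope sender is whatever the client says it is, so it cannot be the basis for a relay decision, which is also why a forged From: line does nothing to get mail relayed through a correctly configured server.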
Web Spoofing
Similar URLs
Protection:
Educate Users
Use a 'server-side certificate'. Still, users should be educated on how to recognize a valid certificate, since these can be spoofed as well.
MitM Attacks
'Man-in-the-Middle' refers to a machine that is set up so that traffic between two other machines must pass through the MitM machine.
Difficult to setup, especially over the Internet. Not so difficult in a LAN environment.
Provides no additional advantages over a 'sniffer'; it is actually just a way to implement a sniffer.
Defense:
Encryption; however, MitM can refer to an intermediate encrypter
Strong perimeter security for Internet MitM attacks.
Only as secure as the weakest link: the MitM can attack from either end. So, even if you have strong security but your partner does not, the MitM is possible from the other end.
URL Re-Writing
Attacker is re-directing web traffic to another site that is controlled by the attacker
Accomplished by re-writing the links on a web page.
Only way to tell is by looking at the HTML code, or watching the link in the browser
The link can be set to 'pass through' the attacker's machine (another form of MitM):
<a href="http://attackersmachine/http://www.google.com">
There are sites which do this on purpose for the user. The Anonymizer.com site is one such site.
Defense
Again, educate your users
Look at the actual URL
Examine the source
Defend your pages against re-write. Install latest patches.
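"Look at the actual URL" and "examine the source" can be turned into a check a site owner runs over their own pages. The following is an added example written for these notes, not code from the original page: it collects every link from a constructed HTML fragment with Python's standard `html.parser` and flags two patterns the notes describe, a link whose target embeds a second URL (the pass-through form above) and a link whose visible text names one host while the `href` goes to another. The hosts in the sample fragment are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element on a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_named_in_text(text):
    """Hostname the link text appears to name, or None for plain words."""
    if " " in text or "." not in text:
        return None
    url = text if "://" in text else "http://" + text
    return urlparse(url).hostname


def suspicious_links(html):
    """Flag links that embed a second URL or display a host other than their target."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        after_scheme = href.split("://", 1)[1] if "://" in href else href
        if "http://" in after_scheme or "https://" in after_scheme:
            findings.append((href, "embeds another URL: traffic passes through the first host"))
            continue
        shown = host_named_in_text(text)
        if shown and parsed.hostname and shown != parsed.hostname:
            findings.append((href, "text names %s but the target is %s"
                             % (shown, parsed.hostname)))
    return findings


# Constructed page fragment: one honest link, two pass-throughs (one of them
# the unquoted form shown in the notes), and one mislabelled link.
SAMPLE_HTML = """
<p><a href="https://www.example.com/about">About us</a></p>
<p><a href="http://relay.example.net/fetch?u=http://www.example.com/login">Login</a></p>
<p><a href=http://attackersmachine/http://www.google.com>Search</a></p>
<p><a href="http://203.0.113.10/login">www.example.com/login</a></p>
"""


if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_HTML):
        print(href, "->", why)
```

Run against your own published pages after each deployment, this gives an answer to "has something re-written my links?" without anyone having to read the source by hand; the notes' advice to patch the server remains the way to stop the re-write from happening in the first place.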
Tracking State
Attacker visits a site and impersonates a user.
It is important for business purposes to keep track of what users do on your site.
Typically handled with:
Cookies
URL Session Tracking
Hidden Form Elements
Cookies
Easy to use and quite popular
Two types:
Persistent: stored on the hard drive as a text file, and accessed by the browser
Non-persistent: stored in memory and disappears when the machine is shut down
If a hacker wants to impersonate another user, he simply needs to copy their cookie onto his machine.
Cookies can be sniffed.
Cookies can be guessed: the hacker gets his own cookie, then makes experimental changes in some of the values.
Can NOT be used to pass viruses or malicious code
Cookie Defense
Ensure that cookie files cannot be obtained from users' machines (password-protected screen savers, for example).
Ensure that your company's cookies use unguessable cookie IDs.
Cookies can be disabled; however, many convenience functions are lost, and some web sites may not even work. They can be set to 'approve' on each occurrence, but this can get quite annoying and eventually have no effect (the user simply says 'yes' to all).
URL Session Tracking
Another way of tracking session information is to place it right in the URL:
http://www.somecompanyordering/id=9872651667.659843
Attacker may be able to guess an ID. Yahoo chat is an example of this.
If there are enough digits in the ID, then guessing a valid one would be difficult. This is the key to using this technique securely.
There is little that the user can do for protection. You might educate them to be wary of any ID values that do not have a large number of digits.
Hidden Form Elements
HTML can include form elements that have 'hidden' properties, that is, they are not displayed.
The user's ID can be stored in these forms.
The attacker can view the HTML code, find the form's name and use the URL area to edit the information in the form, thereby accomplishing the same thing.
Defense is still the same: hard-to-guess IDs.
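The three sections above (cookies, URL session tracking, hidden form elements) share one defense: an ID that cannot be guessed and cannot be usefully edited. The following is an added example for these notes, not code from the original page: it issues 256-bit random session tokens with Python's `secrets` module and resolves them against a server-side table (so the cookie or URL carries only an opaque token, never the user's identity), puts a number on how much harder that is to guess than the 16-digit ID shown in the URL above, and binds a hidden form value to an HMAC so an edited value is rejected. The signing key and session table are constructed stand-ins for server configuration and storage.

```python
import hashlib
import hmac
import math
import secrets

# Constructed server-side state (assumption): a signing key that a real
# deployment loads from configuration, and a session table keyed by token.
SECRET_KEY = secrets.token_bytes(32)
SESSIONS = {}


def new_session(user_id):
    """Issue a 256-bit random token and remember who it belongs to."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def user_for(token):
    """Resolve a presented cookie/URL token; None for anything not issued."""
    return SESSIONS.get(token)


def guess_work_bits(id_space_size):
    """Entropy (bits) an attacker must overcome to guess one specific ID."""
    return math.log2(id_space_size)


def sign_hidden_field(value):
    """Bind a hidden form value to an HMAC so edits are detectable."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "%s.%s" % (value, mac)


def verify_hidden_field(field):
    """Return the original value if the HMAC matches, else None."""
    value, _, mac = field.rpartition(".")
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    token = new_session("alice")
    print("token resolves to:", user_for(token))
    print("edited token resolves to:", user_for(token[:-1] + "_"))
    print("16-digit numeric ID: %.1f bits" % guess_work_bits(10 ** 16))
    print("256-bit token:       %.1f bits" % guess_work_bits(2 ** 256))
    field = sign_hidden_field("user=42")
    print("intact hidden field ->", verify_hidden_field(field))
    print("edited hidden field ->", verify_hidden_field("user=43" + field[len("user=42"):]))
```

Two points the numbers make: the 16-digit ID from the notes is worth about 53 bits, which is respectable only if IDs are assigned randomly rather than sequentially (a sequential ID is guessable no matter how many digits it has), and the hidden-field MAC does not hide the value from the user, it only makes the value unalterable, so anything secret still belongs in the server-side table rather than in the form.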
Non-technical Spoofing
Calls help desk, impersonating an employee
Calls to IT, acting like a vendor to find out software being used
Calls an employee, impersonating a manager in order to get reports, etc.
Impersonate a company that supplies/supports the target company, by implanting false information (say, a postcard with a new phone number)
Courtesy of campus.murraystate.edu/