p1vPHCP/tr2 Internet Security Pro Ref 557-7 dc 1-23-96 Parts LP#2 P A R T P A R T P A R T P A R T P A R T P A R T P A R T P A R T P A R T P A R T P A R T P A R T P A R T II Gaining Access and Securing the Gateway 6 IP Spoofing and Sniffing .257 7 How to Build a Firewall .317 8 SATAN and the Internet Inferno 429 9 Kerberos .535 257 IP Spoofing and Sniffing p1vPHCP/nhb1 Internet Security Pro Ref 577-7 Gina 1-27-96 CH06 LP#3 IP Spoofing and Sniffing C H A P T E R C H A P T E R C H A P T E R C H A P T E R C H A P T E R C H A P T E R C H A P T E R C H A P T E R S 6 niffing and spoofing are security threats that target the lower layers of the networking infrastructure supporting applications that use the Internet. Users do not interact directly with these lower layers and are typically completely unaware that they exist. Without a deliber- ate consideration of these threats, it is impossible to build effective security into the higher levels. Sniffing is a passive security attack in which a machine separate from the intended destination reads data on a network. The term “sniffing” comes from the notion of “sniffing the ether” in an Ethernet network and is a bad pun on the two meanings of the word “ether.” Passive security attacks are those that do not alter the normal flow of data on a communication link or inject data into the link. 258 Part II: Gaining Access and Securing the Gateway p1vPHCP/nhb1 Internet Security Pro Ref 577-7 Gina 1-27-96 CH06 LP#3 Spoofing is an active security attack in which one machine on the network masquerades as a different machine. As an active attack, it disrupts the normal flow of data and may involve injecting data into the communications link between other machines. This masquerade aims to fool other machines on the network into accepting the impostor as an original, either to lure the other machines into sending it data or to allow it to alter data. The meaning of “spoof” here is not “a lighthearted parody,” but rather “a deception intended to trick one into accept- ing as genuine something that is actually false.” Such deception can have grave consequences because notions of trust are central to many networking systems. Sniffing may seem innocuous (depending on just how sensitive and confidential you consider the information on your network), some network security attacks use sniffing as a prelude to spoofing. Sniffing gathers sufficient information to make the deception believable. Sniffing Sniffing is the use of a network interface to receive data not intended for the machine in which the interface resides. A variety of types of machines need to have this capability. A token-ring bridge, for example, typically has two network interfaces that normally receive all packets traveling on the media on one interface and retransmit some, but not all, of these packets on the other interface. Another example of a device that incorporates sniffing is one typically marketed as a “network analyzer.” A network analyzer helps network administrators diagnose a variety of obscure problems that may not be visible on any one particular host. These problems can involve unusual interactions between more than just one or two machines and sometimes involve a variety of protocols interacting in strange ways. Devices that incorporate sniffing are useful and necessary. However, their very existence implies that a malicious person could use such a device or modify an existing machine to snoop on network traffic. Sniffing programs could be used to gather passwords, read inter-machine e-mail, and examine client-server database records in transit. Besides these high-level data, low- level information might be used to mount an active attack on data in another computer system. Sniffing: How It Is Done In a shared media network, such as Ethernet, all network interfaces on a network segment have access to all of the data that travels on the media. Each network interface has a hardware-layer address that should differ from all hardware-layer addresses of all other network interfaces on the network. Each network also has at least one broadcast address that corresponds not to an individual network interface, but to the set of all network interfaces. Normally, a network interface will only respond to a data frame carrying either its own hardware-layer address in the frame’s destination field or the “broadcast address” in the destination field. It responds to these frames by generating a hardware interrupt to the CPU. This interrupt gets the attention of the operating system, and passes the data in the frame to the operating system for further processing. 259 IP Spoofing and Sniffing p1vPHCP/nhb1 Internet Security Pro Ref 577-7 Gina 1-27-96 CH06 LP#3 Note The term “broadcast address” is somewhat misleading. When the sender wants to get the attention of the operating systems of all hosts on the network, he or she uses the “broadcast address.” Most network interfaces are capable of being put into a “promiscuous mode.” In promiscuous mode, network interfaces generate a hard- ware interrupt to the CPU for every frame they encounter, not just the ones with their own address or the “broadcast address.” The term “shared media” indicates to the reader that such networks broadcast all frames—the frames travel on all the physical media that make up the network. At times, you may hear network administrators talk about their networking trouble spots— when they observe failures in a localized area. They will say a particular area of the Ethernet is busier than other areas of the Ethernet where there are no problems. All of the packets travel through all parts of the Ethernet segment. Interconnection devices that do not pass all the frames from one side of the device to the other form the boundaries of a segment. Bridges, switches, and routers divide segments from each other, but low-level devices that operate on one bit at a time, such as repeaters and hubs, do not divide segments from each other. If only low-level devices separate two parts of the network, both are part of a single segment. All frames traveling in one part of the segment also travel in the other part. The broadcast nature of shared media networks affects network performance and reliability so greatly that networking professionals use a network analyzer, or sniffer, to troubleshoot problems. A sniffer puts a network interface in promiscuous mode so that the sniffer can monitor each data packet on the network segment. In the hands of an experienced system administrator, a sniffer is an invaluable aid in determining why a network is behaving (or misbehaving) the way it is. With an analyzer, you can determine how much of the traffic is due to which network protocols, which hosts are the source of most of the traffic, and which hosts are the destination of most of the traffic. You can also examine data traveling between a particular pair of hosts and categorize it by protocol and store it for later analysis offline. With a sufficiently powerful CPU, you can also do the analysis in real time. Most commercial network sniffers are rather expensive, costing thousands of dollars. When you examine these closely, you notice that they are nothing more than a portable computer with an Ethernet card and some special software. The only item that differentiates a sniffer from an ordinary computer is software. It is also easy to download shareware and freeware sniffing software from the Internet or various bulletin board systems. The ease of access to sniffing software is great for network administrators because this type of software helps them become better network troubleshooters. However, the availability of this software also means that malicious computer users with access to a network can capture all the data flowing through the network. The sniffer can capture all the data for a short period of time or selected portions of the data for a fairly long period of time. Eventually, the malicious user will run out of space to store the data—the network I use often has 1000 packets per second flowing on it. Just capturing the first 64 bytes of data from each packet fills up my system’s local disk space within the hour. 260 Part II: Gaining Access and Securing the Gateway p1vPHCP/nhb1 Internet Security Pro Ref 577-7 Gina 1-27-96 CH06 LP#3 Note Esniff.c is a simple 300-line C language program that works on SunOS 4.x. When run by the root user on a Sun workstation, Esniff captures the first 300 bytes of each TCP/IP connection on the local network. It is quite effective at capturing all usernames and passwords entered by users for telnet, rlogin, and FTP. TCPDump 3.0.2 is a common, more sophisticated, and more portable Unix sniffing program written by Van Jacobson, a famous developer of high-quality TCP/IP software. It uses the libpcap library for portably interfacing with promiscuous mode network interfaces. The most recent version is available via anonymous FTP to ftp.ee.lbl.gov . NetMan contains a more sophisticated, portable Unix sniffer in several programs in its network management suite. The latest version of NetMan is available via anonymous FTP to ftp.cs.curtin.edu.au in the directory /pub/netman. EthDump is a sniffer that runs under DOS and can be obtained via anonymous FTP from ftp.eu.germany.net in the directory /pub/networking/inet/ethernet/. On some Unix systems, TCPDump comes bundled with the vendor OS. When run by an ordinary, unprivileged user, it does not put the network interface into promiscuous mode. With this command available, a user can only see data being sent to the Unix host, but is not limited to seeing data sent to processes owned by the user. Systems administrators concerned about sniffing should remove user execution privileges from this program. Sniffing: How It Threatens Security Sniffing data from the network leads to loss of privacy of several kinds of information that should be private for a computer network to be secure. These kinds of information include the following: ■ Passwords ■ Financial account numbers ■ Private data ■ Low-level protocol information The following subsections are intended to provide examples of these kinds. Warning 261 IP Spoofing and Sniffing p1vPHCP/nhb1 Internet Security Pro Ref 577-7 Gina 1-27-96 CH06 LP#3 Sniffing Passwords Perhaps the most common loss of computer privacy is the loss of passwords. Typical users type a password at least once a day. Data is often thought of as secure because access to it requires a password. Users usually are very careful about guarding their password by not sharing it with anyone and not writing it down anywhere. Passwords are used not only to authenticate users for access to the files they keep in their private accounts but other passwords are often employed within multilevel secure database systems. When the user types any of these passwords, the system does not echo them to the computer screen to ensure that no one will see them. After jealously guarding these passwords and having the computer system reinforce the notion that they are private, a setup that sends each character in a password across the network is extremely easy for any Ethernet sniffer to see. End users do not realize just how easily these passwords can be found by someone using a simple and common piece of software. Sniffing Financial Account Numbers Most users are uneasy about sending financial account numbers, such as credit card numbers and checking account numbers, over the Internet. This apprehension may be partly because of the carelessness most retailers display when tearing up or returning carbons of credit card receipts. The privacy of each user’s credit card numbers is important. Although the Internet is by no means bulletproof, the most likely location for the loss of privacy to occur is at the endpoints of the transmission. Presumably, businesses making electronic transactions are as fastidious about security as those that make paper transactions, so the highest risk probably comes from the same local network in which the users are typing passwords. However, much larger potential losses exist for businesses that conduct electronic funds transfer or electronic document interchange over a computer network. These transactions involve the transmission of account numbers that a sniffer could pick up; the thief could then transfer funds into his or her own account or order goods paid for by a corporate account. Most credit card fraud of this kind involves only a few thousand dollars per incident. Sniffing Private Data Loss of privacy is also common in e-mail transactions. Many e-mail messages have been publicized without the permission of the sender or receiver. Remember the Iran-Contra affair in which President Reagan’s secretary of defense, Caspar Weinberger, was convicted. A crucial piece of evidence was backup tapes of PROFS e-mail on a National Security Agency computer. The e-mail was not intercepted in transit, but in a typical networked system, it could have been. It is not at all uncommon for e-mail to contain confidential business information or personal information. Even routine memos can be embarrassing when they fall into the wrong hands. 262 Part II: Gaining Access and Securing the Gateway p1vPHCP/nhb1 Internet Security Pro Ref 577-7 Gina 1-27-96 CH06 LP#3 Sniffing Low-Level Protocol Information Information network protocols send between computers includes hardware addresses of local network interfaces, the IP addresses of remote network interfaces, IP routing information, and sequence numbers assigned to bytes on a TCP connection. Knowledge of any of this informa- tion can be misused by someone interested in attacking the security of machines on the network. See the second part of this chapter for more information on how these data can pose risks for the security of a network. A sniffer can obtain any of these data. After an attacker has this kind of information, he or she is in a position to turn a passive attack into an active attack with even greater potential for damage. Protocol Sniffing: A Case Study At one point in time, all user access to computing facilities in the organization under study (the university at which the author is employed) was done via terminals. It was not practical to hardwire each terminal to the host, and users needed to use more than one host. To solve these two problems, Central Computing used a switch (an AT&T ISN switch) between the termi- nals and the hosts. The terminals connected to the switch so that the user had a choice of hosts. When the user chose a host the switch connected the terminal to the chosen host via a very real, physical connection. The switch had several thousand ports and was, in theory, capable of setting up connections between any pair of ports. In practice, however, some ports attached to terminals and other ports attached to hosts. Figure 6.1 illustrates this setup. Figure 6.1 Case study system before networking. ~2500 Input ~400 Output [SN Switcher] IBM Mainframe DEC Vax DEC Vax Multiplexor To make the system more flexible, the central computing facility was changed to a new system that uses a set of (DEC 550) Ethernet terminal servers with ports connected to the switch, rather than the old system, which used a fixed number of switch ports connected to each host. The new terminal servers are on an Ethernet segment shared by the hosts in the central machine room. 263 IP Spoofing and Sniffing p1vPHCP/nhb1 Internet Security Pro Ref 577-7 Gina 1-27-96 CH06 LP#3 Offices have a cable running from a wallplate to a wiring closet punchdown block. The punch- down block has cables running to multiplexers which in turn connect to the switch. The multiplexers serve to decrease the number of cables that need to be long. With this arrange- ment sniffing or other forms of security problems are not an issue. No two offices share any media. The switch mediates all interaction between computers, isolating the flow of data away from the physical location of the end users (see fig. 6.2). Figure 6.2 Case study system after networking of machine room but before networking of user areas. ~2500 Input ~400 Output [SN Switcher] IBM Mainframe DEC Vax DEC Vax Multiplexor Terminal Server Terminal Server Terminal Server Ethernet Hub Rather than using simple terminals, however, most computer users have a computer on their desktop that they use in addition to the Central Computing computers. The switch services these computers as well as simple terminals. The number of computer users, however, has grown rapidly over the past decade and the switch is no longer adequate. Terminal ports are in short supply, host ports are in even shorter supply, and the switch does not supply particularly high-speed connections. To phase out the switch, Central Computing installed an Ethernet hub in the basement of each building next to the punchdown block used to support both the switch multiplexer and the telephone lines. The hubs in the basements connect to the central facility using fiber-optic cables to prevent signal degradation over long distances. Hubs also were placed in the wiring closets on each floor of each building that connected to the basement hub. Now the cables leading to the wallplates in the offices are being moved from the punchdown block that leads to the multiplexer to a punchdown block that leads to one of these hubs. The new wiring scheme neatly parallels the old and was changed relatively inexpensively. Figure 6.3 illustrates the system after the networking of user areas. Figure 6.4 shows the user area networking detail. 264 Part II: Gaining Access and Securing the Gateway p1vPHCP/nhb1 Internet Security Pro Ref 577-7 Gina 1-27-96 CH06 LP#3 Although the new wiring scheme neatly parallels the old, the data traveling on the new wiring scheme does not neatly parallel its previous path. From a logical standpoint, it can get to the same places, but the data can and does go to many other places as well. Under this scheme, any office can sniff on all the data flowing to Central Computing from all of the other offices in the building. Different departments are located in the same building. These departments compete for resources allocated by upper management and are not above spying on one another. Ordinary staff, the managers that supervise them, and middle management all are located in the same building. A fair amount of potential exists for employees to want to know what other people are sending in e-mail messages, storing in personnel files, and storing in project planning files. In addition to nosiness and competition, a variety of people sharing the same physical media in the new wiring scheme, could easily misuse the network. Since all occupants of a building IBM Mainframe DEC Vax DEC Vax Ethernet Hub Ethernet Hub Ethernet Hub Ethernet Hub Router Figure 6.3 Case study system after networking of user areas. Mac OS MS Windows Unix Punch Block Hubs Staff Offices Hub NetWare  Server NFS Server Departmental Machine Room Figure 6.4 Case study user area networking detail. [...]... Address 147.226.112.1 aa-0 0-0 4-0 0-bc-06 147.226.112.88 0 8-0 0-2 0-0 b-f 0-8 d 147.226.112.101 0 8-0 0-2 b-1 8-9 3-6 8 147.226.112.102 0 8-0 0-2 b-1b-d7-fd 147.226.112.103 0 0-0 0-c 0-6 3-3 3-2 d 147.226.112.104 0 0-0 0-c0-d5-da-47 147.226.112.105 0 8-0 0-2 0-0 b-7b-df 147.226.112.106 0 8-0 0-2 0-0 e-86-ef 147.226.112.124 0 8-0 0-2 b-1c-0 8-6 8 147.226.112.169 0 8-0 0-0 9-2 a-3c-08 p1vPHCP/nhb1 Type static dynamic static static dynamic dynamic... of understanding p1vPHCP/nhb1 Internet Security Pro Ref 57 7-7 Gina 1-2 7-9 6 CH06 LP#3 275 276 Part II: Gaining Access and Securing the Gateway Note The rlogin protocol is used by a whole family of programs that use the same authentication protocol The family is collectively referred to as the r-commands The family includes rlogin for terminal sessions, rsh for remote shell execution of command-line programs,... else to modify it then the ability to modify it can be leveraged into the ability to obtain full access to the account Note that if your home directory is on an NFS mounted file system exported to someone else’s machine your rhosts file is vulnerable to simple attacks on NFS A standard attack for the superuser of another machine is to give you an account on the other machine and then use the su command... p1vPHCP/nhb1 Internet Security Pro Ref 57 7-7 Gina 1-2 7-9 6 CH06 LP#3 IP Spoofing and Sniffing Do not confuse the rexec commands (rexec and rcmd) with the r-commands The rexec daemon waits for a username and cleartext password to authenticate a client It will then execute a single shell command Although this is similar to rsh, rexec requires the transmission of a cleartext password to be sniffed Also, it provides... and Windows 95/NT machines, you use the arp command to manipulate and inspect the ARP cache This command has several options arp -a The -a option displays all ARP cache entries for all interfaces of the host The following output is an example of what you would see on a Windows 95 machine: Interface: 147.226.112.167 Internet Address Physical Address 147.226.112.1 aa-0 0-0 4-0 0-bc-06 147.226.112.88 0 8-0 0-2 0-0 b-f 0-8 d... authentication The rlogin Family of Protocols The rlogin protocol, originally used with Unix -to- Unix terminal sessions, uses end -to- end mutual trust to avoid the transmission of any form of password The protocol requires that the server trust the client to authenticate the user The user places a file on the server indicating what combinations of username and hostname may connect to a particular account on machines... HP, and IBM ARP Spoofing A more common form of spoofing that is accidental is ARP spoofing ARP (Address Resolution Protocol) is part of Ethernet and some other similar protocols (such as token-ring) that associate hardware addresses with IP addresses ARP is not part of IP but part of these Ethernet-like protocols; ARP supports IP and arbitrary network-layer protocols When an IP datagram is ready to. .. should keep these other factors in mind as well One can use these factors to sell the introduction of additional hardware to parties less concerned with security p1vPHCP/nhb1 Internet Security Pro Ref 57 7-7 Gina 1-2 7-9 6 CH06 LP#3 265 266 Part II: Gaining Access and Securing the Gateway A segment is a subset of machines on the same subnet Routers are used to partition networks into subnets Hence, they also... username and one for an invalid password Hence, a brute-force attack can be mounted by attempting all possible usernames to both determine what usernames are valid and which users have no password A standard login program will not provide this distinction and provide a mechanism to prevent rapid-fire attempts to log in Security conscious system administrators often disable the rexec daemon and rexec commands... Permanent ARP Cache Entry The -s option inserts a permanent (static) ARP cache entry for the given IP address Typically, the Ethernet address would be obtained by displaying the entire ARP cache as shown previously arp -s 147.226.112.101 0 8-0 0-2 b-1 8-9 3-6 8 To ensure that the address is in the ARP cache you can first use the ping command to send an ICMP/IP echo request to the IP address in question A . sniffer into a room and jacking it into the network connec- tions available there, or even installing an unauthorized network connection to sniff. To counter. untrustworthy machines. Sniffing: How to Prevent It To be able to prevent a sniffing attack, you first need to understand the network segments and trust between computer