NST - Spoofing and Sniffing (Lesson)

Spoofing and Sniffing

Introduction

In this lesson, you will learn how to examine the types of attacks that can be executed against networked systems and how to identify signs of, and secure against, spoofing and sniffing attacks. We will look at the different spoofing methods and at how sniffing fits into many of these attacks.

IP Spoofing Video


In spoofing attacks, an attacker poses as another by falsifying data to gain access to target systems or to eavesdrop (sniffing) on messages. This can result in:

  • Stealing data, which threatens the Confidentiality of data.
  • Spreading malware or intruding, which threatens the Integrity of data.

Image: attack type and the security property it threatens

  • Data Theft: Confidentiality
  • Website Defacement: Integrity
  • Denial of Service (DoS): Availability

Spoofing attacks happen when an unauthorized person gets access to data so they can read it (breach of Confidentiality), change the data, or add malware (both are breaches of Integrity). There are many ways for an attacker to pretend they are a different system. It is possible to spoof identifiers such as an IP address, a MAC address, or even a URL.

IP Spoofing Attacks

IP spoofing is actually very simple. Attackers provide false information about the source of a packet or series of packets by faking the source IP address, to make it look like data is coming from a different source. What are the reasons for IP spoofing?

  • Get access to a network even though you are located outside it, by fooling external routers into allowing your packets in because they believe the packets originated internally.
  • Cover your tracks by masking who you are.
  • Create a scenario where you request something from websites using the victim’s IP address so that the responses are delivered to the victim.

IP Spoofing Example

The attacker is external, in the 10.10.10.0 network. They send a packet with a spoofed source address from the 192.168.0 network. The router recognizes that as an internal address and allows the packet into the network, where it is delivered to 192.168.0.77.

IP Spoofing Flaw and Uses

IP spoofing sounds like a great tool, but it has a major flaw! The receiving system uses the source IP address as the address to send replies to. If you send a packet with a spoofed source IP address, then any replies, including the 3-way handshake messages, go to that spoofed address and NOT to you. So, by itself, this won’t work as a means of sending bi-directional traffic while hiding your identity. There are ways to use it with additional software to get around those problems, but there are, in fact, better ways of achieving online anonymity.

So, what is IP spoofing commonly used for by malicious actors? It masks who you are, so it can be used to fool external routers into allowing packets in by making them believe the packets originated internally. It can also be used to deliver malware: that is a “drop and go”, since you don’t need a reply after sending the malware packet.

DDoS and Spoofing

Here is an example of using IP spoofing to create a DDoS. If you remember, that’s a Distributed Denial of Service attack.

In the Smurf attack, an ICMP packet (ping) is sent to the broadcast address of a network, BUT the packet’s sender IP address has been spoofed to be the target’s IP. All the hosts on the network respond to the ping with an echo reply, and because all those replies go to the target computer, they saturate the victim’s system and can also use up all the network bandwidth. The attacker relies on source IP spoofing. Attacks like the Smurf are a good reason to block the Ping (ICMP) protocol as a mitigation method. By the way, it is named after the Smurf characters created by cartoonist Peyo.
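The Smurf pattern has a recognizable signature on the victim’s side: a burst of ICMP echo replies from many different hosts to one address that never sent an echo request. The following detector is an added example written for this lesson (it is not code from the lesson or its videos). It runs over a constructed packet capture in which 50 hosts on 192.168.0.0/24 answer a broadcast ping whose source was forged as 203.0.113.9, alongside one ordinary ping exchange; the packet record layout, the one-second window and the 20-source threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type values


@dataclass(frozen=True)
class IcmpPacket:
    ts: float        # capture time in seconds
    src: str
    dst: str
    icmp_type: int


def smurf_suspects(packets, window=1.0, min_sources=20):
    """Return {victim_ip: distinct_reply_sources} for every host that receives
    echo replies from at least `min_sources` different hosts inside `window`
    seconds without having sent an echo request in that window itself.
    A normal ping gets one reply per request from one host, so a burst of
    unsolicited replies from many hosts is the signature of a reflected flood."""
    requests_by_src = defaultdict(list)   # who pinged, and when
    replies_by_dst = defaultdict(list)    # who received replies, from whom, when
    for p in packets:
        if p.icmp_type == ECHO_REQUEST:
            requests_by_src[p.src].append(p.ts)
        elif p.icmp_type == ECHO_REPLY:
            replies_by_dst[p.dst].append((p.ts, p.src))

    suspects = {}
    for victim, replies in replies_by_dst.items():
        replies.sort()
        for i, (start, _) in enumerate(replies):
            end = start + window
            sources = {src for ts, src in replies[i:] if ts <= end}
            solicited = any(start - window <= t <= end
                            for t in requests_by_src[victim])
            if len(sources) >= min_sources and not solicited:
                suspects[victim] = len(sources)
                break
    return suspects


def sample_capture():
    """Constructed capture: 50 hosts on 192.168.0.0/24 answer a broadcast ping
    whose source was forged as 203.0.113.9, plus one legitimate ping exchange."""
    packets = [IcmpPacket(i * 0.01, f"192.168.0.{i}", "203.0.113.9", ECHO_REPLY)
               for i in range(1, 51)]
    packets.append(IcmpPacket(5.00, "10.0.0.5", "10.0.0.1", ECHO_REQUEST))
    packets.append(IcmpPacket(5.01, "10.0.0.1", "10.0.0.5", ECHO_REPLY))
    return packets


if __name__ == "__main__":
    print(smurf_suspects(sample_capture()))   # {'203.0.113.9': 50}
```

The legitimate ping from 10.0.0.5 is not flagged because it sent a request and received a single reply; the forged-source host is flagged because it received replies from 50 hosts in well under a second without ever asking. In practice the same logic is what a flow collector or IDS rule encodes, and the lesson’s mitigation of blocking ICMP at the border removes the reply flood entirely.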


ARP Poisoning aka ARP Spoofing

Eavesdropping on a network used to be really easy. All you had to do was plug into a hub and you were good to go because hubs forward all messages to all connected devices. Now that we use switches, it is a bit harder to sniff a network because switches will only forward messages to the MAC address of the intended receiver. To get around this block, the malicious actor must find a way to spoof this address. This is possible by abusing the ARP protocol through ARP Poisoning.

If you remember from a previous lesson, Address Resolution Protocol (ARP) is a protocol or procedure that connects an ever-changing Internet Protocol (IP) address to a fixed physical machine address, also known as a media access control (MAC) address, in a local-area network (LAN).

ARP poisoning, aka ARP spoofing, is putting a false MAC address entry in the target’s ARP cache, with the result that packets are directed to the attacker’s computer instead of the intended receiver. It enables network sniffing, where the malicious actor can “eavesdrop” on messages between two or more devices.


Sniffing, aka eavesdropping, is the objective of ARP poisoning: to capture messages between two devices on the network. Note that this attack only works in a Local Area Network (LAN) because it relies on packets being delivered based on their MAC address. Remember that a switch connects devices in a LAN, and it uses only the MAC address to make deliveries. If the malicious actor wanted to eavesdrop on messages between devices on different networks, this ARP poisoning technique won’t work because it takes a router to move packets between LANs, and routers rely on IP addresses to make delivery decisions.

How ARP Works Normally Animation

In this animation, we see ARP working normally:

  • Bob’s computer sends out a broadcast ARP request for the MAC address that belongs to 10.0.0.1.
  • Tania’s computer replies that she is 10.0.0.1 and provides her MAC address.
  • Bob’s computer stores the matching IP and MAC addresses in his ARP cache to make future communications faster.

ARP Poisoning:  Part 1 Animation

In this animation, we see the ARP messages being used for an attack.

  • The malicious actor sends out an ARP reply to let one target on the network know that his MAC address should be associated with 10.0.0.1. Then the actor sends out another ARP reply on the network that his MAC address should be associated with 10.0.0.3.
  • Even though they never asked the question, Bob and Tania’s computers will update their ARP caches with the new information.

ARP is a stateless protocol. Stateless means that it doesn’t need to do things in a certain order and doesn’t keep track of any previous events. So, the normal order of business is for someone to make an ARP request and then there is an ARP reply. But, since ARP is stateless, a host is fine with just getting replies it never asked for!

A reply that nobody requested is called a gratuitous ARP reply. Gratuitous means uncalled for, lacking good reason, or unwarranted: no one asked, so why did we get a reply?
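To see why statelessness is the weak point, it helps to model a host’s ARP cache and feed it the animation’s messages. The model below is an added example written for this lesson, not code from the lesson or from any operating system. It replays the Bob/Tania scenario twice: once with the classic stateless behaviour the text describes (any reply addressed to the host overwrites the table) and once with a hardened policy that only accepts a reply while a request for that IP is outstanding and never lets a different MAC replace an existing entry, which is the effect of a static ARP entry. The MAC addresses, the `ArpMessage` layout and the `strict` policy are constructed for the example.

```python
from dataclasses import dataclass

# Constructed addresses for the lesson's Bob / Tania / attacker scenario.
TANIA_IP, TANIA_MAC = "10.0.0.1", "aa:bb:cc:00:00:01"
BOB_IP, BOB_MAC = "10.0.0.3", "aa:bb:cc:00:00:03"
ATTACKER_MAC = "de:ad:be:ef:00:99"


@dataclass(frozen=True)
class ArpMessage:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpCache:
    """Model of one host's ARP cache.
    strict=False reproduces the stateless behaviour the lesson describes:
    any reply addressed to us overwrites the table, asked for or not.
    strict=True is a hardened policy: a reply is accepted only while a
    request for that IP is outstanding, and an existing mapping is never
    replaced by a different MAC (the effect of a static entry)."""

    def __init__(self, own_ip, strict=False):
        self.own_ip = own_ip
        self.strict = strict
        self.table = {}          # ip -> mac
        self.pending = set()     # ips we have broadcast a request for
        self.rejected = []       # replies the strict policy refused

    def lookup(self, ip):
        """Return the cached MAC, or None after recording that a request went out."""
        if ip in self.table:
            return self.table[ip]
        self.pending.add(ip)     # the host would broadcast "who has ip?" here
        return None

    def receive(self, msg):
        """Process an incoming ARP message; return True if the table changed."""
        if msg.op != "reply" or msg.target_ip != self.own_ip:
            return False
        if self.strict:
            unsolicited = msg.sender_ip not in self.pending
            conflicting = self.table.get(msg.sender_ip, msg.sender_mac) != msg.sender_mac
            if unsolicited or conflicting:
                self.rejected.append(msg)
                return False
        self.table[msg.sender_ip] = msg.sender_mac
        self.pending.discard(msg.sender_ip)
        return True


def poisoning_scenario(strict):
    """Bob resolves Tania, then receives the attacker's unsolicited reply.
    Returns the MAC Bob now holds for Tania's IP."""
    bob = ArpCache(BOB_IP, strict=strict)
    bob.lookup(TANIA_IP)                                               # broadcast request
    bob.receive(ArpMessage("reply", TANIA_IP, TANIA_MAC, BOB_IP))      # Tania answers
    bob.receive(ArpMessage("reply", TANIA_IP, ATTACKER_MAC, BOB_IP))   # never asked for
    return bob.table[TANIA_IP]


if __name__ == "__main__":
    print("stateless cache:", poisoning_scenario(strict=False))  # attacker's MAC
    print("strict cache:   ", poisoning_scenario(strict=True))   # Tania's MAC
```

With the stateless policy Bob ends up holding the attacker’s MAC for 10.0.0.1 after a single unsolicited reply; with the strict policy that reply is logged in `rejected` and Tania’s entry survives. Real hosts do not apply the strict policy by default, which is why the lesson’s mitigations move the check to the network (monitoring) or bypass the problem with encryption.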

ARP Poisoning: Part 2

In this animation, the attacker has just misrepresented themselves to the two targets so that each will send its packets to the malicious actor instead of to each other. The malicious actor has “poisoned” Bob’s and Tania’s ARP caches, yikes! This is the basis for an Adversary in the Middle attack (AiTM).

AiTM Attacks Use ARP Poisoning

Using ARP poisoning, the attacker will be able to intercept all messages between the two victim devices, resulting in an Adversary in the Middle attack (AiTM). This means that the malicious actor places themselves in the communication channel between the two parties. If a secure protocol is being used, then when one party sends its key to the other, the AiTM intercepts that key and replaces it with their own.

Example of an AiTM Attack (diagram: Server, Attacker, Client)

Note that this attack has typically been known as a “Man in the Middle Attack (MITM)”. However, the cybersecurity industry is moving towards using inclusive language and AiTM is a recommended replacement term.

A version of this attack is used on mobile devices. The Adversary in the Mobile (AiTMo) attack, previously known as the Man in the Mobile (MitMo) attack, is used to take control over a user’s mobile device. Once infected, the mobile device is instructed to grab user-sensitive information and send it to the attackers. Zeus is one example of a malware package with AiTMo capabilities. It allows attackers to quietly capture two-step verification SMS messages sent to users!

DNS Spoofing aka DNS Poisoning

Domain Name System (DNS) is an Internet service that translates domain names into IP addresses. To understand DNS spoofing, we need to review how DNS works normally.

DNS Spoofing example (diagram: the user makes a request for the Real website; the DNS server resolves it; the request is sent to the Real website)

As shown in the image above, to get from a website name to an IP address, something (a DNS server) must do the translation for you.

For example,

  1. The user opens a browser and enters the URL in the address bar.
  2. The computer automatically looks in its local DNS cache to see if the information is there. If the user had recently visited that URL, then the information would be in the cache.
  3. If it is not there, the computer then sends a request to its designated DNS server to provide the IP address for the URL.
  4. The DNS server provides the correct information and the user’s request arrives at the correct destination.

However, in a DNS poisoning attack, false data is introduced into a DNS database or a computer’s DNS cache – the temporary database on a computer’s operating system that records recent visits to websites and other Internet domains.

DNS Poisoning example (diagram: the attacker inserts fake DNS info for the Real website; the user makes a request for the Real website; the request is sent to the Fake website)

Here is what is shown in the image above:

  1. The DNS server has the correct information for RealWebsite that says “URL:www.realwebsite.com = IPAddress: 13.201.5.44”.
  2. The attacker uses malware or an exploit to get into the DNS server that manages the Real Website information.
  3. The attacker changes the database entry to read “URL:www.realwebsite.com = IPAddress: 56.3.89.6”.
  4. This IP address belongs to Fake Website. This is called “poisoning” because it inserts false info into the DNS database.
  5. Any computer that asks for DNS resolution for the www.realwebsite.com URL will be given the IP address 56.3.89.6.
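The two numbered procedures above (normal resolution through the local cache, then the poisoned server entry) can be replayed in a small resolver model. This is an added example written for this lesson, not code from the lesson; it uses the lesson’s names and IP addresses, and the `StubResolver` class, the adjustable clock and the 300-second TTL are assumptions chosen for the example. It shows something the steps alone do not: a client that cached the real answer keeps getting it until the TTL expires, while a client with an empty cache is sent to the fake site immediately.

```python
from dataclasses import dataclass

REAL_NAME = "www.realwebsite.com"
REAL_IP, FAKE_IP = "13.201.5.44", "56.3.89.6"     # addresses from the lesson's example


class Clock:
    """Adjustable clock so the demo can advance time without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


@dataclass
class CacheEntry:
    ip: str
    ttl: int          # seconds the answer may be reused
    fetched_at: float


class StubResolver:
    """A client's local DNS cache in front of its designated DNS server.
    `server` is a dict name -> (ip, ttl) standing in for the server's database."""
    def __init__(self, server, clock):
        self.server = server
        self.clock = clock
        self.cache = {}

    def resolve(self, name):
        """Return (ip, 'cache' | 'server'): step 2 checks the local cache,
        step 3 asks the server, step 4 stores and returns the answer."""
        entry = self.cache.get(name)
        if entry is not None and self.clock() - entry.fetched_at < entry.ttl:
            return entry.ip, "cache"
        ip, ttl = self.server[name]
        self.cache[name] = CacheEntry(ip, ttl, self.clock())
        return ip, "server"


def poisoning_timeline():
    """Replay the lesson's scenario and return the four answers observed."""
    clock = Clock()
    server = {REAL_NAME: (REAL_IP, 300)}          # correct record, TTL 5 minutes
    alice = StubResolver(server, clock)
    bob = StubResolver(server, clock)

    before = alice.resolve(REAL_NAME)              # ('13.201.5.44', 'server')
    server[REAL_NAME] = (FAKE_IP, 300)             # attacker alters the server's entry
    cached = alice.resolve(REAL_NAME)              # Alice still uses her cached real answer
    fresh = bob.resolve(REAL_NAME)                 # Bob, with an empty cache, gets the fake IP
    clock.t = 301                                  # Alice's cached entry expires
    expired = alice.resolve(REAL_NAME)             # now Alice is sent to the fake site too
    return before, cached, fresh, expired


if __name__ == "__main__":
    for step in poisoning_timeline():
        print(step)
```

The same TTL logic works against the defender once the entry is poisoned: after the server is repaired, clients that fetched the fake answer keep using it until their cached copy expires, so flushing client caches is part of the clean-up.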

Mitigating Spoofing

Spoofing is a common tactic that can be used in many ways so it is difficult to mitigate. Here are three simple methods to block some types of spoofing:

  1. Configure the router for ingress filtering – this keeps external packets from entering if they have a source IP address from the internal network.
    1. We have not used the terms “ingress” (meaning entry) and “egress” (meaning exit) before now. The concept is simple: even though a packet SAYS it is from inside the network, if it is actually entering through an external door (interface) on the network router, then something is pretty fishy! The solution is to shut that possibility down. Set the router to look at the source IP address in conjunction with the interface the packet arrived on, so that the packet can be filtered if they don’t match. Note that this doesn’t stop IP spoofing from happening inside the network, and it can’t stop someone from using your IP as their mask for an attack.
  2. Monitor the network to spot duplicate MAC addresses or gratuitous ARP replies.
  3. Use encryption -- this requires an exchange of keys or certificates, meaning there has to be two-way communication, which makes it much harder to try IP spoofing or ARP poisoning. As we discussed in a previous lesson, encryption offers multiple ways to protect digital data, so it is the “go-to” solution to avoid spoofing.
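Mitigations 1 and 2 both reduce to checks that can be written down precisely: compare a packet’s source address with the interface it arrived on, and watch ARP traffic for replies nobody requested, an IP whose MAC changes, or one MAC claiming several IPs. The code below is an added example written for this lesson, not code from the lesson, a router vendor or any monitoring tool. It assumes 192.168.0.0/24 is the internal prefix (matching the lesson’s example network), invents the `ingress_filter` and `arp_monitor` functions, and runs them over a constructed ARP trace of the animation (Bob asks for Tania, Tania answers, then the attacker sends two unsolicited replies). It goes one step beyond the text by also applying the mirror-image egress rule on the internal interface.

```python
import ipaddress
from collections import defaultdict

# Assumed internal prefix, matching the lesson's 192.168.0.x example network.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/24")]


def ingress_filter(interface, src_ip):
    """Decide 'accept' or 'drop' for a packet arriving on a router interface.
    Ingress rule: a packet entering on the external interface must not claim
    an internal source address.  Egress rule (the mirror image): a packet
    entering from the inside must carry an internal source, or an inside host
    is spoofing someone else's address."""
    src = ipaddress.ip_address(src_ip)
    internal_src = any(src in net for net in INTERNAL_NETS)
    if interface == "external" and internal_src:
        return "drop"
    if interface == "internal" and not internal_src:
        return "drop"
    return "accept"


def arp_monitor(events):
    """Scan ARP traffic seen on the LAN and return alert strings for
    (a) replies nobody asked for, (b) an IP whose MAC suddenly changes, and
    (c) one MAC claiming several IPs.
    events: iterable of (ts, op, sender_ip, sender_mac, target_ip)."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    outstanding = set()       # IPs a request was broadcast for
    alerts = []
    for ts, op, sip, smac, tip in events:
        if op == "request":
            outstanding.add(tip)
            continue
        if sip in outstanding:
            outstanding.discard(sip)
        else:
            alerts.append(f"t={ts}: gratuitous reply for {sip} from {smac}")
        previous = ip_to_mac.get(sip)
        if previous is not None and previous != smac:
            alerts.append(f"t={ts}: {sip} moved from {previous} to {smac}")
        ip_to_mac[sip] = smac
        mac_to_ips[smac].add(sip)
        if len(mac_to_ips[smac]) > 1:
            alerts.append(f"t={ts}: {smac} claims {sorted(mac_to_ips[smac])}")
    return alerts


# Constructed ARP trace of the lesson's animation: a normal exchange, then the attacker's two replies.
SAMPLE_ARP = [
    (1, "request", "10.0.0.3", "aa:bb:cc:00:00:03", "10.0.0.1"),  # Bob asks for Tania
    (2, "reply",   "10.0.0.1", "aa:bb:cc:00:00:01", "10.0.0.3"),  # Tania answers
    (3, "reply",   "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.3"),  # attacker claims 10.0.0.1
    (4, "reply",   "10.0.0.3", "de:ad:be:ef:00:99", "10.0.0.1"),  # attacker claims 10.0.0.3
]

if __name__ == "__main__":
    print(ingress_filter("external", "192.168.0.50"))   # drop
    print(ingress_filter("external", "10.10.10.4"))     # accept
    for alert in arp_monitor(SAMPLE_ARP):
        print(alert)
```

On the sample trace the monitor raises four alerts: the attacker’s two replies are both gratuitous, the first one changes the MAC recorded for 10.0.0.1, and the second makes one MAC the owner of two IPs, which is the duplicate-MAC condition mitigation 2 describes. The filter drops the lesson’s spoofed 192.168.0.x packet on the external interface while still accepting genuinely external sources.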

IP Spoofing Protection Video

Reflection and Wrap-up

In this lesson, we learned about various methods through which networked systems can be attacked, with a particular focus on spoofing and sniffing techniques. We explored how attackers can impersonate others by falsifying data in spoofing attacks to gain unauthorized access to networks and eavesdrop on communications, thereby threatening the confidentiality and integrity of data. We delved into specific types of spoofing, including IP spoofing, ARP poisoning, and DNS spoofing, and discussed their mechanisms, objectives, and the security risks they pose. Additionally, we addressed strategies for mitigating these attacks, such as configuring routers for ingress filtering, monitoring for duplicate MAC addresses or unsolicited ARP replies, and using encryption to secure data transmissions. We also learned how to identify signs of spoofing and sniffing attacks and implement effective security measures to protect networked systems.

[CC BY-NC-SA 4.0 Links to an external site.] UNLESS OTHERWISE NOTED | IMAGES: LICENSED AND USED ACCORDING TO TERMS OF SUBSCRIPTION - INTENDED ONLY FOR USE WITHIN LESSON. Video courtesy of rootshellace, CC-BY; Video courtesy of Forti Tip, CC-BY

Vincenzo Paolo Fraddosio, CC BY-SA 3.0 <http://creativecommons.org/licenses/by-sa/3.0/>, via Wikimedia Commons

Saeed azadi, CC BY-SA 3.0 <https://creativecommons.org/licenses/by-sa/3.0>, via Wikimedia Commons