Hassan

  • Pages: 9 (2211 words)
  • Published on: January 25, 2011
Man-In-the-Middle Attack - A Brief

Author: Bhavin Bharat Bhansali
Submitted on: February 16, 2001


© SANS Institute 2000 - 2002

As part of GIAC practical repository.

Author retains full rights.

Objective: The objective of this document is to understand the execution of the "Man-In-the-Middle" attack.

Overview: The "Man In The Middle" or "TCP Hijacking" attack is a well-known attack where an attacker sniffs packets from the network, modifies them and inserts them back into the network. There are few programs/source codes available for doing a TCP hijack. Juggernaut, TSight and Hunt are some of these programs. In this paper we shall explore Hunt to understand how TCP hijacking is deployed on an Ethernet segment. Hunt is designed by kra (kra@gncz.cz). The Hunt source code is available at the following URL:

ftp://ftp.gncz.cz/pub/linux/hunt/hunt-1.5.tgz

Relevance: TCP hijacking is an exploit that targets the victim's TCP-based applications like Telnet, rlogin, ftp, mail applications, web browsers etc. An attacker can grab unencrypted confidential information from a victim's network-based TCP application. He can further tamper with the authenticity and integrity of the data.

Definition of Important Terms:
• IP spoofing - IP spoofing involves forging one's source IP address. It is the act of using one machine to impersonate another. Many applications and tools in UNIX systems rely on source IP address authentication.
• Simple Active Attack against TCP connections - An attack in which the attacker does not merely eavesdrop but takes action to change, delete, reroute, add, forge or divert data. Perhaps the best-known active attack is Man-In-the-Middle.
• ARP spoofing - ARP spoofing involves forging the packet source hardware address (MAC address) to the address of the host you pretend to be.
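An added example, not from the original paper or from Hunt: a passive check for the ARP spoofing defined above, which parses captured ARP frames and flags an IP address claimed by a new MAC, or an ARP sender address that disagrees with the Ethernet header. The function names, frames and addresses (192.0.2.0/24, locally administered MACs) are constructed for illustration.

```python
import struct

def parse_arp(frame: bytes):
    """Return (eth_src, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42:                                   # 14-byte Ethernet + 28-byte ARP
        return None
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:    # EtherType is not ARP
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 only
        return None
    return eth_src, frame[22:28], frame[28:32]

def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(map(str, b))

def detect(frames):
    """Return alerts as (frame_index, kind, ip, reference_mac, claimed_mac)."""
    first_seen, alerts = {}, []
    for i, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, sha, spa = parsed
        if sha != eth_src:        # ARP payload disagrees with the frame header
            alerts.append((i, "mac-mismatch", fmt_ip(spa), fmt_mac(eth_src), fmt_mac(sha)))
        known = first_seen.setdefault(fmt_ip(spa), fmt_mac(sha))
        if known != fmt_mac(sha): # address is now claimed by a different MAC
            alerts.append((i, "rebind", fmt_ip(spa), known, fmt_mac(sha)))
    return alerts

def sample_frame(eth_src, sha, spa, ethertype=0x0806):
    """Constructed test data: an ARP reply (opcode 2) addressed to a placeholder host."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    a = lambda s: bytes(map(int, s.split(".")))
    dst = m("02:00:00:00:00:0a")
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + m(sha) + a(spa) + dst + a("192.0.2.10")
    return dst + m(eth_src) + struct.pack("!H", ethertype) + arp

SAMPLE = [  # constructed capture, not real traffic
    sample_frame("02:00:00:00:00:01", "02:00:00:00:00:01", "192.0.2.1"),
    sample_frame("02:00:00:00:00:01", "02:00:00:00:00:01", "192.0.2.1", ethertype=0x0800),
    sample_frame("02:00:00:00:00:66", "02:00:00:00:00:66", "192.0.2.1"),
    sample_frame("02:00:00:00:00:66", "02:00:00:00:00:01", "192.0.2.1"),
]

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

The first binding seen for an address is trusted, so a legitimate change such as a replaced network card or a failover pair also alerts and needs an allowlist.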

The Attack:

Attack Scenario involves three hosts: Attacker, Victim, and Target.
• Attacker is the system used by the attacker for the hijack.
• Victim is the system used by the victim for Telnet client connections to the target system.
• Target is the target system that the intruder wants to compromise. It is where the telnetd daemon is running.

A simple diagram of the network shows the Attacker and Victim hosts are on the same network (which can be Ethernet switched and the attack will still work), while the target system can be anywhere. (Actually, either victim or target can be on the same network as attacker: it doesn't matter.)

For the attack to succeed, the victim must use Telnet, rlogin, ftp, or any other non-encrypted TCP/IP utility. Use of a SecurID card, or other token-based two-factor authentication, is useless as protection against hijacking, as the attacker can simply wait until after the user authenticates, then hijack the session.

The attack scenario can be as simple as:
1. Attacker: Spends some time determining the IP addresses of target and victim systems. Determining trust relationships can be easily done with utilities like
