Understanding Man-in-the-Middle Attacks – ARP Cache Poisoning (Part 1)

Author: Chris Sanders
Company: SPAWAR


The first part of an article series on some of the most widely used forms of MITM attacks, including ARP Cache Poisoning, DNS Spoofing, HTTP session hijacking, passing the hash and more.

Introduction

One of the most prevalent network attacks used against individuals and large organizations alike are man-in-the-middle (MITM) attacks. Considered an active eavesdropping attack, MITM works by establishing connections to victim machines and relaying messages between them. In cases like these, one victim believes it is communicating directly with another victim, when in reality the communication flows through the host performing the attack. The end result is that the attacking host can not only intercept sensitive data, but can also inject and manipulate a data stream to gain further control of its victims.
In this series of articles we will examine some of the most widely used forms of MITM attacks including ARP cache poisoning, DNS spoofing, HTTP session hijacking, passing the hash, and more. As you will mostly find in the real world, most victim machines are Windows-based hosts. That being the case, this series of articles will focus entirely on MITM exploitation of hosts running versions of Windows. When possible, attacks will also be performed from Windows based hosts. In cases when there are no tools available for the attack being presented we will be utilizing Backtrack Linux 4, downloadable as a live-CD or a virtual machine from here.

ARP Cache Poisoning

n the first article of this series we will take a look at ARP cache poisoning. One of the oldest forms of modern MITM attack, ARP cache poisoning (sometimes also known as ARP Poison Routing) allows an attacker on the same subnet as its victims to eavesdrop on all network traffic between the victims. I’ve deliberately chosen this as the first attack to examine because it is one of the simplest to execute but is considered one of the most effective once implemented by attackers.

Normal ARP Communication

The ARP protocol was designed out of necessity to facilitate the translation of addresses between the second and third layers of the OSI model. The second layer, or data-link layer, uses MAC addresses so that hardware devices can communicate to each other directly on a small scale. The third layer, or network layer, uses IP addresses (most commonly) to create large scalable networks that can communicate across the globe. The data link layer deals directly with devices connected together where as the network layer deals with devices that are directly connected AND indirectly connected. Each layer has its own addressing scheme, and they must work together in order to make network communication happen. For this very reason, ARP was created with RFC 826, “An Ethernet Address Resolution Protocol”.

                                       Figure 1: The ARP Communication Proces

The nitty gritty of ARP operation is centered around two packets, an ARP request and an ARP reply. The purpose of the request and reply are to locate the hardware MAC address associated with a given IP address so that traffic can reach its destination on a network. The request packet is sent to every device on the network segment and says “Hey, my IP address is XX.XX.XX.XX, and my MAC address is XX:XX:XX:XX:XX:XX. I need to send something to whoever has the IP address XX.XX.XX.XX, but I don’t know what their hardware address is. Will whoever has this IP address please respond back with their MAC address?” The response would come in the ARP reply packet and effectively provide this answer, “Hey transmitting device. I am who you are looking for with the IP address of XX.XX.XX.XX. My MAC address is XX:XX:XX:XX:XX:XX.” Once this is completed the transmitting device will update its ARP cache table and the devices are able to communicate with one another.

Poisoning the Cache

ARP cache poisoning takes advantage of the insecure nature of the ARP protocol. Unlike protocols such as DNS that can be configured to only accept secured dynamic updates, devices using ARP will accept updates at any time. This means that any device can send an ARP reply packet to another host and force that host to update its ARP cache with the new value. Sending an ARP reply when no request has been generated is called sending a gratuitous ARP. When malicious intent is present the result of a few well placed gratuitous ARP packets used in this manner can result in hosts who think they are communicating with one host, but in reality are communicating with a listening attacker.

                           Figure 2: Intercepting Communication with ARP Cache Poisoning

Using Cain & Abel

Let us take the given scenario and take it from theory to reality. There are a few different tools that will perform the necessary steps to poison the ARP cache of victim machines. We will use the popular security tool Cain & Abel from Oxid.it. Cain & Abel does quite a few things beyond ARP cache poisoning and is a very useful tool to have in your arsenal. The installation of the tool is pretty clear cut so I won’t go through that here.

Before beginning you need to collect some additional information. This includes the network interface you wish you to use for the attack, and the two IP addresses of your communicating victims.

When you first open Cain & Abel, you will notice a series of tabs near the top of the window. For our purposes, we’ll be working in the Sniffer tab. When you click this tab, you will see an empty table. In order to fill this table you will need to activate the program’s built-in sniffer and scan your network for hosts.

                                        Figure 3: Cain and Abel’s Sniffer Tab

Click the second icon on the toolbar, which resembles a network card. The first time you do this you will be asked to select the interface you wish to sniff. This interface should be the one that is connected to the network you will be performing your ARP cache poisoning on. Once you’ve selected this interface, click OK to activate Cain & Abel’s built-in sniffer. At this point the toolbar icon resembling a network card should be depressed. If it isn’t, do so now. To build a list of available hosts on your network, click the icon that resembles a plus (+) symbol on the main toolbar, and click OK.

                                                   Figure 4: Scanning for Hosts

The once-empty grid should now be filled with a list of all the hosts on your attached network, along with their MAC addresses, IP addresses, and vendor identifying information. This is the list you will work from when setting up your ARP cache poisoning.

At the bottom of the program window, you will see a set of tabs that will take you to other windows under the Sniffer heading. Now that you have built your host list, you will be working from the APR tab. Switch to the APR window by clicking the tab.

Once in the APR window, you are presented with two empty tables: an upper and a lower one. Once you set them up, the upper table will show the devices involved in your ARP cache poisoning, and the lower table will show all communication between your poisoned machines.

Continue setting up your ARP poisoning by clicking the icon resembling the plus (+) symbol on the program’s standard toolbar. The window that appears has two selection columns side by side. On the left side, you will see a list of all available hosts on your network. Click the IP address of one of your victims. This will result in the right window showing a list of all hosts in the network, omitting the IP address you just selected. In the right window, click the IP address of the other victim, and click OK.

                                      Figure 5: Selecting Victim Hosts for Poisoning

The IP addresses of both devices should now be listed in the upper table in the main application window. To complete the process, click the yellow-and-black radiation symbol on the standard toolbar. This will activate Cain & Abel’s ARP cache poisoning features and allow your analyzing system to be the middleman for all communications between the two victims. If you are curious to see what is happening behind the scenes try installing Wireshark and listen to the interface when you enable poisoning. You will see a flurry of ARP traffic to both hosts and immediately begin seeing the communication between them.

                                    Figure 6: ARP Traffic Injection

When you are finished, simply click the yellow-and-black radiation symbol again to stop ARP cache poisoning.

Defending Against ARP Cache Poisoning

Looking at ARP cache poisoning from the defenders standpoint we are at a bit of a disadvantage. The ARP process happens in the background with very little ability to be controlled directly by us. There is no catch all solution, but proactive and reactive stances can be taken if you are concerned about ARP cache poisoning on your network.


Securing the LAN

ARP Cache Poisoning is only a viable attack technique when attempting to intercept traffic between two hosts on the same local area network. The only reason you would have to fear this is if a local device on your network has been compromised, a trusted user has malicious intent, or someone has managed to plug an un-trusted device into the network. Although we too often focus the entirety of our security efforts on the network perimeter, defending against internal threats and having a good internal security posture can help eliminate the fear of the attack mentioned here.

Hard Coding the ARP Cache

One way to protect against the unsecured dynamic nature of ARP requests and replies is to make the process a little less…dynamic. This is an option because Windows-based hosts allow for the addition of static entries into the ARP cache. You can view the ARP cache of a Windows host by opening a command prompt and type the command arp –a.

                                        Figure 7: Viewing the ARP Cache

You can add entries to this list by using the command, arp –s .

In cases where your network configuration does not change often, it is entirely feasible to make a listing of static ARP entries and deploy them to clients via an automated script. This will ensure that devices will always rely on their local ARP cache rather than relying on ARP requests and replies.

Monitoring ARP Traffic with a Third Party Program

The last option for defending against ARP cache poisoning is a reactive approach that involves monitoring the network traffic of hosts. This can be done with a few different intrusion detection systems (such as Snort) or through downloadable utilities designed specifically for this purpose (such as xARP). This may be feasible when you are only concerned about a single host, but can be a bit cumbersome to deal with when concerned with entire network segments.

ARP Cache Poisoning is a great introduction into the world of passive man-in-the-middle attacks because it’s very simple to execute, is a very real threat on modern networks, and is difficult to detect and defend against. In the next article in this series we will focus on name resolution and the concept of DNS spoofing.


Source: http://www.windowsecurity.com/articles/Understanding-Man-in-the-Middle-Attacks-ARP-Part1.html
thanks!

Virus & Antivirus in Linux

Part 1:

All windows users would have heard about computer virus and anti-virus software’s and the first thing they do is install a anti-virus software in their computer. Often, the buzz in the Windows security world is about which protection-for-profit firm was the first to discover and offer protection for the malwares.


If a rogue program gets in your windows machine, the time and money you have to invest to remove those malwares not only helps to reinforce the notion that you have to have malware protection, but that it has to be the right protection, too. The security firms are aware of this and they play on hte security fears of the end-user in their advertising. The huge amount of malware available for windows and the way windows user permissions works has conditioned Windows users to accept this security tax.


It is no wonder when Windows users who are finally convinced to try Linux are in disbelief when I tell them to lay that burden down. The first question they all ask is whether Linux is virus proof and is it true that it doesn't need an Anti-virus software? My answer to that question is no. Linux is not virus proof, but the way user permission are played out and considering the number of malwares available for Linux, the role played by the Anti-virus software is negligible and downplayed in a Linux environment.


User permission on Linux

Linux implements a multi-user environment where users are granted specific privileges, due to this, to gain control over a Linux system or cause any serious damages to the system itself, the malware would have to gain root access to the system. To be clear just remember permissions on Linux are universal. They cover three things you can do with files: read, write, and execute. Not only that, they come in three levels: for the root user, for the individual user who is signed in, and for the rest of the world. By default system files can only be accessed as root user, while a normal user can have permission to read, write and execute his files alone and others can access or read the users file only if the user have given permission for them to do so. Normally in a Linux environment no user is given root permission to access system files. Because of this a malware needs root permission to have an impact on the system as a whole.


Virus in Linux environment

No, virus are environment dependent and they have limited life time. Like any biological entity, a computer virus needs to spread(reproduce) before it dies to successfully cause an outbreak. Due to the hostile nature in Linux, a virus life is short and dies before it can cause any significant damages. Also due to the difference between the binary/executable files between Windows and Linux, Windows virus has no impact on a Linux machine, and virus writers have to spend significant amount of time to create a Linux virus that can survive the hostile environment of Linux. Because of this only a couple hundred of Linux viruses are in the open (Windows has over a million malwares) and those available too have problems in taking control of an entire system.


Some malware programs require that you open an attachment. Others don't even require that user error. On Linux, there is built-in protection against such craft. Newly deposited files from your email client or Web browser are not given execute privileges. Cleverly renaming executable files as something else doesn't matter, because Linux and its applications don't depend on file extensions to identify the properties of a file, so they won't mistakenly execute malware as they interact with it. Due to this only users who tries to execute all the programs as root are those who likely get a malware to control the system. But fortunately most of the Linux users are either geeks who know what they are doing or those who even don't know how to execute a program as root. This also makes Linux a place for a virus.


Another thing to note is the software repositories used by Linux. These repositories contain all the software’s that can run in Linux and are maintained by Open Source communities and are often checked thoroughly for malware. Also most of the Linux programs or software’s are available as open-source, meaning the source code is available and the executable can be compiled and installed, thus further reducing any chance of malware.


So, is Linux virus proof?


No. But the number of viruses and the damage they can make are insignificant. Linux users, like users on every operating system, must always be aware of security issues. They must act intelligently to keep their systems safe and secure. They should not run programs with root privileges when they are not required, and they should apply security patches regularly.

Part 2: Types of Malware and how they can infect you

In the previous article we discussed about how virus has a hard time in Linux OS due to its permission system. In this article we will see the different malwares available for Linux and how they affect your system and conclude our two part article on Virus & Anti-virus in Linux.

Viruses and Trojan horses

Although there are only few Linux viruses available, it is always best to use free anti-virus scanners (like clam anti-virus) to scan the software’s you download from unknown sources. Because if the software is infected and was run with root permission, it will infect the whole system and cause enormous damages. Basically the false sense of security among the user's mind is what allows most Linux viruses to infect your system. There are some Linux distributions that allow users login as root by default (Lindows) and falsely advertise that they are secure. But the truth is any Linux OS that allows you to login as root by default is not secure than a windows 9x operating systems.
Ignorance Is Bliss

The lack of knowledge that is seen in first time Linux users makes their system more protected than most Linux users ans they don't know how to run a program or login as root by default. These type of users usually download software’s only from Linux repositories configured by that particular distro team.

For more accustomed users who use root login and download the software from many sources must be aware, that they must try to limit the habit of running unknown programs as root and if they have to then use a free anti-virus software for Linux and scan those executable's firs before running.

Remember as long as u don't run application as root and don't install software’s from website you don't know or trust, a Linux OS is much more safer than a Windows system with an anti-virus.

Worms and targeted attacks

The classical threat to Unix-like systems is vulnerabilities in network daemons, such as ssh and WWW servers. These can be used by worms or for attacks against specific targets. As servers are patched quite quickly when a vulnerability is found, there have been only a few widespread worms of this kind. As specific targets can be attacked through a vulnerability that is not publicly known there is no guarantee that a certain installation is secure. Also servers without such vulnerabilities can be successfully attacked through weak passwords.

WWW scripts

Linux servers may also be used by malware without any attack against the system itself, where e.g. WWW content and scripts are insufficiently restricted or checked and used by malware to attack visitors. Typically a CGI script (meant for leaving comments) by mistake allows inclusion of code exploiting vulnerabilities in the browser.

Buffer overruns

Older Linux distributions were relatively sensitive to buffer overrun attacks: if the program did not care about the size of the buffer itself, the kernel provided only limited protection, allowing an attacker to execute arbitrary code under the rights of the vulnerable application under attack. Programs that gain root access even when launched by a non-root user (via the setuid bit) were particularly attractive to attack. However as of 2009 most of the kernels include address space randomization, enhanced memory protection and other extensions making such attacks much more difficult to arrange.

Cross-platform viruses

A new area of concern identified in 2007 is that of cross-platform viruses, driven by the popularity of cross-platform applications. This was brought to the forefront of malware awareness by the distribution of an Openoffice.org virus called Bad Bunny.

Social engineering

Linux is as vulnerable to malware that tricks the user into installing it through social engineering as other operating systems. In December 2009 a malicious waterfall screen-saver was discovered that contained a script that used the infected Linux PC in denial-of-service attacks.

Conclussion


As you can see most of the malwares discussed above need users permission or mistakes to take over a Linux System. And to give you an answer about is Linux is secure, yes most Linux distro's (that dont allow you to login as root )are secure than a Windows with basic antivirus software, but also remember, being secure doesn't mean bulletproof. So if your one of these people feeling secure, think about this next time you go online. There is no bigger security hole than the one between chair and computer. Always be careful on the internet, don't click on those links marked as dangerous(I know it sounds obvious), watch out with pop-ups and try to avoid running programs as root unless it is absolutely necessary.

Source:
http://www.primeinspiration.com/os/linux/security/20-virus-a-antivirus-in-linux-part-2-types-of-malware-and-how-they-can-infect-you.html
http://www.primeinspiration.com/os/linux/security/20-virus-a-antivirus-in-linux-part-2-types-of-malware-and-how-they-can-infect-you.html

Top 5 Malware Threats of 2010

1 - STUXNET - STUXNET was the hottest topic for 2010 when it comes to malware. Reversing STUXNET uncovered 4 zero-day exploits for vulnerabilities in the Microsoft windows operating system. While it was believed to be the first known malware to target the controls at industrial facilities such as power plants, this worm has successfully infected hundreds of thousands of computers on the Internet.


Here are the 4 vulnerabilities targeted by STUXNET:

- Microsoft Security Bulletin MS10-046
- Microsoft Security Bulletin MS10-061
- Microsoft Security Bulletin MS08-067
- Microsoft Security Bulletin MS10-073

2 - TDL4 - TDL4 is the latest version of a rootkit originally known as TDSS or Tidserv, which appeared back in 2008. However, unlike its predecessors, TDL4 is able to bypass code signing protection in 64-bit versions of Windows Vista and 7. By default these systems do not allow drivers that are not digitally signed to be loaded, but TDL4 manages to get around that by changing boot options before the operating system actually starts. TDSS is one of the most complex and dangerous malicious programs family in the world and it continues to evolve.

3 - Asprox - Asprox is a small botnet that has been used in password stealing, spam propagation, and phishing attacks. This botnet based attack is innovative by interfacing with Google’s search engine to locate vulnerable web pages. When a weakness is found, Asprox injects an iFrame based redirectional link on a vulnerable website in order to spread various types of malware.

4 - ZeuS 2.0 - ZEUS Botnet is still active in 2010. This trojan steals data from infected computers via web browsers and protected storage. Once infected, the computer sends the stolen data to a bot command and control (C&C) server, where the data is stored. ZeuS is sold in the criminal underground as a kit for around $3000-4000, and is likely the one malware most utilized by criminals specializing in financial fraud.

5 - Trojan Proxies - This type of malware turns the victim’s computer into a proxy server. This gives the attacker the opportunity to remotely perform malicious activity through your computer.


source: http://vitalisec.blogspot.com/2011/01/top-5-malware-threats-of-2010.html
thks