Website Attacks

Network Sniffing:-
Sniffing involves capturing, decoding, inspecting and interpreting the information inside a network packet on a TCP/IP network. The purpose is to steal information, usually user IDs, passwords, network details, credit card numbers, etc. Sniffing is generally referred to as a “passive” type of attack, wherein the attackers can remain silent and invisible on the network. This makes it difficult to detect, and hence it is a dangerous type of attack.

The TCP/IP packet contains vital information required for two network interfaces to communicate with each other. It contains fields such as source and destination IP addresses, ports, sequence numbers and the protocol type. Each of these fields is crucial for the various network layers to function, and especially for the Layer 7 application that makes use of the received data.

By its nature, the TCP/IP protocol is only meant to ensure that a packet is constructed, placed in an Ethernet frame, and reliably delivered from the sender to the receiver across networks. It does not by default have mechanisms to ensure data security. Thus, it becomes the responsibility of the upper network layers to ensure that the information in the packet is not tampered with.

(Figure: the OSI layers and the information a hacker can steal at each layer by successfully sniffing a network.)

The sniffing process is used by hackers either to get information directly or to map the technical details of the network in order to plan a further attack. Hackers favour sniffing because it can be carried on for a long time without getting caught.

Network sniffing uses sniffer software, either open source or commercial. There are three ways to sniff a network.

1) Wireless Sniffer
2) External Sniffer
3) Internal Sniffer

Using spoofing techniques, a hacker outside the target network (an external sniffer) can intercept packets at the firewall level and steal the information. In the latest form of packet sniffing, the wide usage of wireless networks has made it easy to sit near the network and penetrate it to get information (a wireless sniffer). When the hackers are located on the network being sniffed (an internal sniffer), they use packet-capturing or packet-sniffer software. Modern packet sniffers are meant for troubleshooting network problems, but can also be used for hacking.

Sniffer tool usage:-
Ethical usage
1) Packet capturing
2) Network traffic usage and analysis
3) Packet conversion for data analysis
4) Network troubleshooting

Unethical usage
1) User identity and password stealing
2) Email or instant message data stealing
3) Packet spoofing and data theft
4) Monetary or reputational damage

Sniffer software contains its own network driver and buffer memory in order to capture a large chunk of packets. Modern sniffers are capable of analysing the captured packets and converting them into meaningful statistical information.

A LAN sniff:-
A sniffer deployed on an internal LAN can scan the entire IP range promiscuously. This helps in providing further details such as live hosts, open ports, server inventory, etc. Once a list of open ports is gathered, a port-specific vulnerability attack is possible.

A protocol sniff:-
This method involves sniffing data related to the network protocols being used. First, a list of protocols is created based on the captured data. This is further segregated to create special sniffers for each attack. For example, if the ICMP protocol is not seen in a network sniff capture, it is assumed to be blocked. However, if UDP packets are seen, a separate UDP sniffer is started to capture and decipher Telnet, PPP, DNS and other related application details.

An ARP sniff:-
In this method, the hacker captures a lot of data in order to create a map of IP addresses and the associated MAC addresses. Such a map is further used to create ARP poisoning attacks, packet-spoofing attacks, or to dig into router-based vulnerabilities.
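The same IP-to-MAC map the attacker builds is what a defender can watch for the poisoning that follows. The script below is an added example (not from the article) that replays constructed ARP reply lines in tcpdump's style and raises an alert when an IP's MAC changes or when one MAC starts answering for more addresses than the assumed threshold.

```python
import re
from collections import defaultdict

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump-style ARP line.
ARP_REPLY = re.compile(r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
                       r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")

# Constructed sample capture: the gateway (.1) and a host (.20) answer normally,
# then a third MAC starts answering for both of them and for a further address.
SAMPLE_CAPTURE = """\
10:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
10:00:02.000000 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
10:00:03.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
10:00:04.000000 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
10:00:05.000000 ARP, Reply 192.168.1.30 is-at de:ad:be:ef:00:99, length 28
""".splitlines()


def parse_arp_replies(lines):
    """Yield (ip, mac) for every ARP reply found in the capture lines."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def detect_arp_anomalies(lines, max_ips_per_mac=2):
    """Alerts for an IP whose MAC changes, or a MAC answering for too many IPs."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    flagged_macs = set()
    alerts = []
    for ip, mac in parse_arp_replies(lines):
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append(f"{mac} answers for {len(mac_to_ips[mac])} addresses")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_CAPTURE):
        print("ALERT:", alert)
```

A gateway MAC legitimately changes during a router failover, so treat the first alert type as a prompt to verify, not as proof of poisoning.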

TCP session stealing:-
This method is a very basic form of sniffing, in which a network interface in promiscuous mode captures traffic between a source and a destination IP address. Details such as port numbers, service types, TCP sequence numbers and the data itself are of interest to hackers. Upon capturing enough packets, advanced hackers can create fabricated TCP sessions to fool the source and destination, and act as the man in the middle to take over the TCP session.

Application-level sniffing:-
Usually, from the data packets sniffed and captured, a few intricate application details are found out for information stealing or to create further attacks. As an example, the capture file can be parsed to perform OS fingerprinting, SQL query analysis, reveal application-specific TCP port data, etc. In another approach, merely creating a list of the applications running on a server is good enough to plan an application-specific attack on it.

Web password sniffing:-
In this method, HTTP sessions are stolen and parsed for user ID and password stealing. While the Secure Sockets Layer (SSL) is incorporated for securing HTTP sessions on the network, there are numerous internal websites that still use standard but less secure encryption. It is easy to capture Base64 or Base128 packets and run a deciphering agent against them to crack the password. In modern sniffers, SSL sessions can also be captured and parsed for information, though this method is not very easy.

Detecting sniffers:-
Since sniffers work silently, it is very difficult to detect them on a network. There are a few tricks that can provide a clue to a possible sniffer's presence. There are two ways to detect a sniffer — host-based and network-based.

In host-based detection, you can use small utilities to detect if the NIC is running in promiscuous mode on any host in the network. Since the basic requirement for a sniffer to work is to put the network interface in “read all” mode, disabling it can very effectively help shut down stray sniffers.

In the case of network-based detection, anti-sniffer software can be run to detect the presence of specific signature packets. In another approach, scripts can be run to check each network host for the presence of known sniffers, processes, etc. Modern anti-virus or anti-spyware software is capable of detecting sniffing software and disabling it.

Protection from sniffers:-
There are a few methods that can be deployed to make the infrastructure less sniffer-prone. The following methods help to achieve that to a great extent.

Disabling promiscuous mode on network interfaces shuts down most sniffer software. This can be done by running an admin script as a daily job on the network, or by deploying a network policy at the host level to control access to the network card configuration settings.
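For the host-based check described under Detecting sniffers and the daily admin job suggested above, here is an added example (not from the article) that reads each interface's flags word from Linux sysfs and reports the ones carrying IFF_PROMISC; it assumes a Linux host with /sys/class/net mounted.

```python
import glob
import os

# IFF_PROMISC from <linux/if.h>: the "read all" bit in an interface's flags word.
IFF_PROMISC = 0x100


def is_promiscuous(flags):
    """True if IFF_PROMISC is set; accepts the hex string sysfs exposes or an int."""
    if isinstance(flags, str):
        flags = int(flags.strip(), 16)
    return bool(flags & IFF_PROMISC)


def read_interface_flags(sysfs_root="/sys/class/net"):
    """Map interface name -> raw flags string from /sys/class/net/<iface>/flags.

    Linux only: on a host without sysfs the result is simply empty.
    """
    flags_by_iface = {}
    for path in glob.glob(os.path.join(sysfs_root, "*", "flags")):
        iface = os.path.basename(os.path.dirname(path))
        try:
            with open(path) as fh:
                flags_by_iface[iface] = fh.read()
        except OSError:
            continue  # interface vanished or not readable; skip it
    return flags_by_iface


def promiscuous_interfaces(flags_by_iface):
    """Names of the interfaces whose flags carry IFF_PROMISC, sorted."""
    return sorted(n for n, f in flags_by_iface.items() if is_promiscuous(f))


if __name__ == "__main__":
    found = promiscuous_interfaces(read_interface_flags())
    print("promiscuous:", ", ".join(found) if found else "none")
```

A kernel-level sniffer or rootkit can hide the flag, and `ip link show` reads the same flags word, so treat a clean result as one signal among several rather than proof.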

Using switched networks can reduce the possibility of a sniffer running on the network. Unlike in a network hub, in a switched network the packets are delivered only to the destination and are not visible to all nodes — thus reducing the chances of someone sniffing them on the way. Also, for network administrators it becomes easy to detect sniffers by focusing on the switched network segments, one at a time.

Anti-sniffing tools can be used to detect the network interface mode, as well as the various processes and software present on servers or network hosts. Modern intrusion-detection systems have this as an integrated feature.

IPSec encryption can be used for token-based packet security in the network infrastructure, if the data is of a confidential nature. IPSec provides data encapsulation and encryption of high standards, and is available on modern routers, firewalls and other network components. Almost all operating systems support IPSec, and it is widely used in serious IT infrastructure. For session-layer protection, SSL and TLS can be used to encrypt traffic.

Protecting FOSS systems:-
Linux systems use the tcpdump utility, which is an excellent built-in sniffer to capture and store TCP packets. As for third-party open source tools, Wireshark (formerly Ethereal) is very famous due to its GUI and its packet-filtering and viewing capabilities. Sniffit, DSniff and Ettercap are similar utilities, but meant for different purposes. DSniff is powerful in terms of capturing SSL traffic.

FOSS systems have no built-in method to protect themselves from sniffers. The methods described above can be used on various Linux distros to make them less vulnerable to sniffer attacks. A smart utility available on Linux distros, called AntiSniff, can be used in a script to detect network interfaces in promiscuous mode. Network sniffing is difficult to detect because it is a passive and silent type of attack.

DNS Invasions:-
Name resolution fundamentally works as follows. When an application (like a browser) wants to connect to a destination service, it queries the DNS server, asking for the IP address. This query is sent over UDP port 53 as a single request and receives a single-packet reply from the server. When the client receives a reply, it updates its local cache with the received entry, speeding up subsequent queries to the same domain. Entries in the local cache are automatically purged after their TTL (Time to Live) expires.

DNS-based attacks build on the two types of DNS queries — iterative and recursive.

An iterative DNS query:-
When a client queries a DNS server, asking if it has the answer for a given domain name, the DNS server may or may not have the answer ready. If the DNS server doesn’t have an answer, instead of shutting the request down, it sends the name of an upstream DNS server that might have the answer. This is usually called a DNS referral. The client sends the query to the next (referred) server; if that one too doesn’t have an answer, it sends a referral to yet another upstream server. This process continues till either the client gets an IP address or gets a “query failed” error message.

The recursive DNS query:-
In this case, the query begins with a client host requesting a name resolution from its immediate DNS server. If the DNS server does not have the answer, it is supposed to do the job of talking to upstream servers, instead of providing their referral names. Again, if the upstream server does not have an answer, it needs to take on the responsibility further. This continues till either the root domain server is reached, which must have the answer, or the queried name itself does not exist, in which case an error message percolates down the chain to the client. Unlike the iterative method, a recursive query proves to be more aggressive in getting query results.

Iterative queries are usually made by DNS servers while recursive queries are made by clients, which helps to reduce the burden of referral searches. From the security perspective, it is important to know the basics of DNS, such as that there can be multiple DNS servers in an organisation replicating their zone records to each other in order to maintain name resolution consistency.

DNS data can be updated dynamically without needing any service to be restarted, and when a change is made on the master server, it triggers replication to partner servers automatically. The actual time required for replication is defined by the TTL of each record. In the case of geographically dispersed DNS servers, this time period can be as long as a day, since all servers in the chain maintain their own cache to speed up replication.

Client-side DNS Attacks:-
1) Cache Poisoning
2) URL Phishing
3) Rebinding

Over-the-wire DNS Attacks:-
1) Spoofing
2) Sniffing

Server-side DNS Attacks:-
1) Hijacking
2) Amplification
3) Denial of Service

DNS cache poisoning:-
This attack lets name resolution be tweaked in two ways. In one method, the hacker installs a rootkit or a virus, which is intended to take control of the local DNS cache of the client. Once done, entries in the local DNS cache are altered to point to a different IP address.

In a different and more dangerous approach, the hacker attacks a DNS server and alters its local cache — so all servers using that DNS server for resolution end up at a wrong IP address, causing a system-wide failure, apart from information loss or theft.

In rare cases, hackers can access a root DNS server, which holds the base entries that form the root domain, such as .com, .net or any country-specific name system. Hackers then modify entries on that server, which triggers automatic replication, and can cause serious global outages for multiple businesses and websites.

DNS hijacking:-
This attack is also commonly used to bend the DNS system. Here, the DNS cache on the client is not altered; instead the client’s DNS settings are changed to point to the hackers’ own DNS server. Usually the purpose is not to steal data, but to gather statistical data from the client computer. All name resolution requests going to the hacker are resolved to the correct addresses, but the hacker learns of the typical sites visited by the client.

This information can further be used by online advertisers to target that client with visit-specific advertisements. Some ill-behaved e-thieves also redirect users to their own websites or search engines, either to gain money from advertisements, or simply to steal data and use it for social engineering. While it is inappropriate to use this feature for any personal gain, it is being used by many well-known websites and ISPs to collect user browsing statistics.

DNS spoofing:-
This refers to a man-in-the-middle type of attack in which the hacker gains access to the network the DNS server is on, and performs ARP cache poisoning and spoofing on that network. Once MAC-level control is achieved, the hacker then takes over the IP address of the DNS server, and starts sniffing and spoofing requests meant for the real DNS server.

The hacker’s machine resolves all DNS queries, completely bypassing the real DNS server. This has serious consequences, because all machines on that network can be completely unaware of this, and end up sending DNS traffic to the hacker’s machine.

There is an alternate method called DNS ID spoofing. Each DNS request and response carries a unique identifier, to differentiate between various simultaneously generated requests to a DNS server. This unique ID is usually a combination of the MAC address and the date/time stamp, and is created by the protocol stack automatically.

A hacker uses a sniffer to look at one or more DNS requests and responds with their respective unique number, but with a false IP address. This results in the client’s local cache being updated to this fabricated address. Further damage can be caused by hosting a virus on the machine at that IP address.
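The defence against the ID spoofing just described, and the single-request/single-reply exchange over UDP port 53 described at the start of this section, come down to what a resolver checks before it trusts a reply. The following is an added example (not from the article): it builds a query with an unpredictable 16-bit ID, constructs a matching reply purely for illustration, and shows the checks (ID, QR bit, question section) that make a guessed reply fail.

```python
import os
import struct


def encode_name(name):
    """Encode a dotted host name as DNS labels (length byte + label, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=None, qtype=1):
    """Build a standard A query; the 16-bit ID is drawn from os.urandom unless given."""
    if txid is None:
        txid = struct.unpack("!H", os.urandom(2))[0]
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, ip, ttl=300):
    """Construct a minimal A-record reply to `query`; used here only to make test traffic."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    # Answer: pointer to the question name (0xc00c), type A, class IN, TTL, 4-byte RDATA
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


def validate_response(query, response):
    """Return (accepted, reason) for a reply received on the socket that sent `query`.
    A real resolver also checks the UDP source address and the randomised port it
    sent from; that part lives in the socket layer, not here."""
    if len(response) < 12:
        return False, "too short"
    r_id, r_flags, r_qd = struct.unpack("!HHH", response[:6])
    if r_id != struct.unpack("!H", query[:2])[0]:
        return False, "transaction id mismatch"
    if not r_flags & 0x8000:
        return False, "QR bit not set"
    if r_qd != 1:
        return False, "unexpected question count"
    question = query[12:]
    if response[12:12 + len(question)] != question:
        return False, "question section differs"
    return True, "ok"
```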

DNS rebinding:-
Also called DNS pinning, this is an advanced type of attack. In this method, the hacker first registers his own domain name and sets the TTL value of that domain to a low value, which prevents that domain name from being cached.

DNS denial of service:-
Bombarding UDP port 53 or TCP port 53 with DNS queries can cause a DoS attack. Another method is to perform a ping of death or a TCP SYN flood attack. The idea behind this is to overwhelm server resources (CPU and memory) so that it stops responding to queries. Though DNS servers are protected by firewalls, if care is not taken to block DNS UDP ports from non-trusted networks, the name resolution system is exposed to this attack.

DNS amplification:-
Amplification means giving the DNS server a task heavier than it is capable of handling. There are multiple ways to stress the server and eventually make it non-functional. In one method of amplification, a Trojan is written to poison and populate the local cache of multiple client hosts. This forces all infected clients to send their name requests to a particular name server, which is being targeted by the hackers.

Each server can only respond to a certain number of queries (based on CPU speed and configuration) and eventually starts queuing up requests. As more and more clients get infected, the increasing number of queries ultimately makes the server give up.

In another type of attack, a hacker poisons the DNS server’s cache; instead of changing the associated IP address of an A or CNAME record, a change is made to the domain name. To make it worse, the domain name is made to contain a few hundred or thousand characters. This starts the replication process, and hence the download of multiple kilobytes of data from the main name server to its replicating partners, and eventually to clients.

Upon expiration of the TTL, the replication process starts again, and results in the breakdown of one or more DNS servers in the chain. This trick effectively simulates a distributed denial of service attack, and hence is very dangerous and hard to control.
