ARP Poisoning

We touched on ARP poisoning briefly in Chapter 5 as one of the ways to perform an eavesdropping attack. ARP poisoning is actually the most popular technique for performing an MITM attack, of which eavesdropping is only one of the possible impacts. As you'll remember, ARP poisoning is possible because some operating systems will accept or replace an entry in their ARP cache regardless of whether they have ever sent an ARP request for it. This means that an attacker may be able to trick one or both hosts into thinking that the attacker's MAC address is the address of the other computer or of a critical server (SIP proxy, DNS server, and so on). The attacker can then act as a gateway (man-in-the-middle), silently sniffing all the traffic while forwarding it on to the intended host, unbeknownst to the victim(s).

We'll illustrate a very simple MITM attack with ARP poisoning against our sample SIP deployment shown in Figure 6-1.

Figure 6-1: Our SIP test bed

As the attacker, our hacking goal is to insert ourselves silently as a gateway between the Cisco 7940 phone (192.168.1.22) and the Asterisk SIP proxy (192.168.1.103). Our attacking IP address is 192.168.1.120. To accomplish this, the general approach we take is to

  1. Determine the MAC addresses of our two victims (phone and proxy).

  2. Send an unsolicited ARP reply to the phone, fooling it into thinking that the MAC address for the Asterisk server has changed to our MAC address.

  3. Send an unsolicited ARP reply to the Asterisk server also fooling it into thinking that the Cisco 7940's MAC address has changed to our MAC address.

  4. Enable IP forwarding on our attacking computer so traffic flows freely between the phone and the Asterisk proxy.

  5. Voila! Start up a sniffer and watch the traffic!

The following sections will detail how this approach is performed in practice using several freely available tools.

Attack: Cain and Abel

Popularity:   7
Simplicity:   5
Impact:       9
Risk Rating:  7

Cain and Abel (http://www.oxid.it/cain.html) is a powerful ARP poisoning and VoIP sniffer that we introduced briefly in Chapter 5. The tool is powerful because it helps automate all of the steps outlined in the previous section. Let's perform the actual ARP poisoning and VoIP traffic capturing example described in those steps.

First, start up Cain and Abel and click the Sniffer tab. Next, click the Start/Stop Sniffer button in the upper left of the window (second button from the left). Next, click the + button to start scanning for the MAC addresses of potential victims. A screen similar to the one in Figure 6-2 should appear.

Figure 6-2: Cain's MAC Address Scanner

Select All Tests and click OK. Once the scanning has been completed, a listing of all hosts that were found will appear, as shown in Figure 6-3.

Figure 6-3: List of newly found hosts

Next, click the APR (ARP Poison Routing) tab at the bottom of the screen. Right-click once in the upper-right panel to ungray the + button. Then click the + button to select your ARP poisoning victims. A new window will pop up, similar to the one shown in Figure 6-4.

Figure 6-4: New ARP Poison Routing window

To reproduce the example in the previous section using the Cisco 7940 phone (192.168.1.22) and the Asterisk server (192.168.1.103), let's select both of those IP addresses. We select 192.168.1.22 in the left panel, and the right panel is then populated with other IP addresses. We then select 192.168.1.103 in the right panel, as shown in Figure 6-5, and press OK.

Figure 6-5: Selecting the ARP poisoning victims

After you press OK, you should see a new entry in the upper-right panel that looks like the one in Figure 6-6. Now you're all set to start ARP poisoning. All you need to do is click the APR button in the upper-left part of the window (looks like a biohazard icon).

Figure 6-6: All ready to begin the ARP poisoning

Because Cain has a built-in VoIP sniffer, there's no need to launch an external sniffing application such as Wireshark (formerly Ethereal). Now, let's make a phone call with our 7940 phone and see what happens. We dial extension 201 and have a brief conversation between the two phones. As you can see from Figure 6-7, we've intercepted 429 packets from the phone to the Asterisk server and 435 packets from the Asterisk server to the phone.

Figure 6-7: Packet interception after our phone call

Now let's see what the VoIP sniffer saw. Click the VoIP tab at the bottom of the screen. As you can see in Figure 6-8, Cain and Abel managed to reconstruct and capture the conversation as a WAV file. Simply select that conversation by right-clicking it, and then select Play. The conversation you just had is played right back to you!

Figure 6-8: Our captured conversation converted to a WAV file

Another interesting feature of Cain is its ability to crack the passwords protected by the digest authentication exchanged in SIP messages. Now click the Passwords tab at the bottom of the window and click SIP in the left-hand panel. As you can see in Figure 6-9, we managed to capture the MD5 digest hash of the password for our Cisco 7940 phone, along with its username (202), when it was calling extension 201. To try to crack this password, select the line by right-clicking it and then select Send To Cracker.

Figure 6-9: Capturing SIP hashes

Now, click the Cracker tab at the top of the screen. Next, click SIP Hashes in the left-hand panel, and you should see a screen similar to the one shown in Figure 6-10.

Figure 6-10: Listing of all passwords we can try to crack

On the right-hand side of the screen, we select the line with our Cisco 7940's credentials by right-clicking it and selecting Brute-Force Attack. A window should pop up, similar to the one shown in Figure 6-11. Press Start. The phone's weak password of "1234" was cracked in a few seconds, as shown in Figure 6-11.

Figure 6-11: Cracking the phone's password through a brute-force attack

Attack: ettercap

Popularity:   4
Simplicity:   4
Impact:       9
Risk Rating:  5

ettercap (http://ettercap.sourceforge.net) is another MITM/sniffing tool that runs on Linux. The process for performing an ARP poisoning attack is similar to the previous example. First, we launch the ettercap GUI version (instead of the command-line version):

# /usr/local/bin/ettercap -w logfile.pcap --gtk

We specify the file logfile.pcap ahead of time to store the sniffed traffic. Later we can reconstruct the conversations recorded in that file using Wireshark and the same eavesdropping technique demonstrated in Chapter 5. You should now see the following ettercap screen (see Figure 6-12). Select Sniff > Unified Sniffing, and select the correct network interface to sniff on (for example, eth0).

Figure 6-12: ettercap setup

Next, you should be presented with a screen similar to the one shown in Figure 6-13 with the menus redrawn.

Figure 6-13: ettercap is now ready to start scanning for hosts.

Click Hosts > Scan For Hosts in order to discover the MAC addresses of potential victims. Once the scanning is complete, click Hosts > Hosts List, and you should see a list of all the discovered hosts. We'll be selecting 192.168.1.22 as our first target, so click that line to highlight the IP address, and then click Add To Target 1. Next, click the line containing the 192.168.1.103 address and then select Add To Target 2. Notice the log entry in the text field at the bottom of Figure 6-14, acknowledging our selections.

Figure 6-14: Our targets are now selected.

Let's click Targets > Current Targets to make sure our selections are reflected correctly. Next click Mitm > Arp Poisoning and click OK, leaving both checkboxes unselected, to set up the attack. Finally, click Start > Start Sniffing to begin the attack. Go to View > Connections to monitor all active sessions (see Figure 6-15).

Figure 6-15: Our active VoIP connection

We now make a brief phone call from the Cisco 7940 (extension 202) to extension 201. Once we're done talking, we can exit ettercap and load the PCAP file into Wireshark (Ethereal) for further analysis:

# ethereal logfile.pcap &

Note: Refer to Chapter 5 for the techniques we used to reconstruct and replay the audio recording in Wireshark.

If you wanted to perform the same attack from the command line instead of the GUI interface, you could launch it like so:

# /usr/local/bin/ettercap -T -w logfile.pcap \192.168.1.22 \192.168.1.103

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Listening on eth0... (Ethernet)

  eth0 ->       00:09:7A:44:17:D9     192.168.1.104     255.255.255.0

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...

  28 plugins
  39 protocol dissectors
  53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* ==================================================> 100.00 %

13 hosts added to the hosts list...
Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

Inline help:

 [vV]      - change the visualization mode
 [pP]      - activate a plugin
 [lL]      - print the hosts list
 [oO]      - print the profiles list
 [cC]      - print the connections list
 [sS]      - print interfaces statistics
 [<space>] - stop/cont printing packets
 [qQ]      - quit

Here we make the phone call from the Cisco 7940 (extension 202) to extension 201. Once we're done talking, we press the letter q to quit.

q
Closing text interface
ARP Poisoner Deactivated
RE-ARPing the victims
Unified sniffing was stopped.

Attack: dsniff

Popularity:   4
Simplicity:   5
Impact:       9
Risk Rating:  6

dsniff (http://www.monkey.org/~dugsong/dsniff/) is one more Linux suite of tools that facilitates ARP poisoning, with a program called arpspoof. Dsniff is not as full featured as Cain and Abel or ettercap; by that, we mean you'll need to take care of the IP forwarding and VoIP sniffing with other tools. To perform an ARP spoofing attack with dsniff, you'll need three different xterm windows: one to run arpspoof from dsniff, one to run the IP forwarder, and one to run the sniffer.

Window 1    First, we use the arpspoof tool to poison the ARP cache of our victim.

arpspoof -i eth0 -t 192.168.1.22 192.168.1.103
0:9:7a:44:17:d9 0:f:34:11:80:45 0806 42: arp reply 192.168.1.103 is-at 0:9:7a:44:17:d9
0:9:7a:44:17:d9 0:f:34:11:80:45 0806 42: arp reply 192.168.1.103 is-at 0:9:7a:44:17:d9
0:9:7a:44:17:d9 0:f:34:11:80:45 0806 42: arp reply 192.168.1.103 is-at 0:9:7a:44:17:d9
0:9:7a:44:17:d9 0:f:34:11:80:45 0806 42: arp reply 192.168.1.103 is-at 0:9:7a:44:17:d9
0:9:7a:44:17:d9 0:f:34:11:80:45 0806 42: arp reply 192.168.1.103 is-at 0:9:7a:44:17:d9

Window 2    For the IP forwarding, we're using a tool called fragrouter (http://packetstormsecurity.org):

# fragrouter -B1
fragrouter: base-1: normal IP forwarding
192.168.1.22.50896 > 192.168.1.103.5060: udp 987 [tos 0x60]
192.168.1.22.50896 > 192.168.1.103.5060: udp 1038 [tos 0x60]
192.168.1.22.18032 > 192.168.1.103.10764: udp 172 [tos 0xb8]
192.168.1.22.18032 > 192.168.1.103.10764: udp 172 [tos 0xb8]
192.168.1.22.18032 > 192.168.1.103.10764: udp 172 [tos 0xb8]
192.168.1.22.18032 > 192.168.1.103.10764: udp 172 [tos 0xb8]
192.168.1.22.50896 > 192.168.1.103.5060: udp 666 [tos 0x60]
192.168.1.22.18032 > 192.168.1.103.10764: udp 172 [tos 0xb8]
192.168.1.22.18032 > 192.168.1.103.10764: udp 172 [tos 0xb8]
192.168.1.22.18032 > 192.168.1.103.10764: udp 172 [tos 0xb8]

Window 3    Finally, in the third window, we'll run Wireshark (Ethereal) and capture the traffic as we did in the Chapter 5 eavesdropping examples.

# ethereal &

ARP Poisoning Countermeasures

The following are several countermeasures that span the various networking layers.

Countermeasure: Static OS Mappings

Although it is somewhat tedious, you can manually enter the valid MAC-address-to-IP mappings into a static ARP table on each host on the network. Typically, it's easier to apply port security settings on your switch that do this for every possible host on your network; however, for critical workstations and servers (VoIP proxy, gateway, DHCP server, and so on), this may not be a bad investment of time.
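A host-side check of this countermeasure, added here as an example and not taken from the book: it parses a Linux /proc/net/arp listing, compares it with the mappings you intend to pin on a critical host, and flags the symptoms a poisoned cache shows (a MAC that differs from policy, a pinned entry that is still dynamic, and one MAC claiming several IPs). The sample tables are constructed as the Asterisk server's view, reusing the phone and attacker MACs from the arpspoof output earlier in this chapter; the router MAC, the policy dictionary and the function names are assumptions.

```python
"""Audit a host's ARP table against a static MAC/IP policy (added example, not the book's code).

Reads text in Linux /proc/net/arp format, compares it with the mappings a
critical host is supposed to have pinned, and reports what ARP poisoning
leaves behind: a MAC that differs from policy, an entry that is not
permanent, and one MAC claimed by several IPs.
"""
from collections import defaultdict

ATF_COM = 0x2   # entry is complete (resolved)
ATF_PERM = 0x4  # entry is permanent, i.e. set statically with `arp -s` or `ip neigh ... nud permanent`


def parse_proc_net_arp(text):
    """Parse /proc/net/arp-style text into a list of dicts; the header line is skipped."""
    entries = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hw_type, flags, mac, _mask, dev = fields[:6]
        entries.append({"ip": ip, "flags": int(flags, 16), "mac": mac.lower(), "dev": dev})
    return entries


def audit_arp_table(entries, policy):
    """Return a list of findings for entries that deviate from policy {ip: mac}."""
    findings = []
    by_ip = {e["ip"]: e for e in entries}
    for ip, expected_mac in policy.items():
        entry = by_ip.get(ip)
        if entry is None:
            findings.append(f"{ip}: no entry, policy expects {expected_mac}")
            continue
        if entry["mac"] != expected_mac.lower():
            findings.append(f"{ip}: table has {entry['mac']}, policy expects {expected_mac}")
        if not entry["flags"] & ATF_PERM:
            findings.append(f"{ip}: entry is dynamic (flags 0x{entry['flags']:x}), not pinned")
    # One MAC answering for several IPs is the classic footprint of an ARP MITM.
    by_mac = defaultdict(list)
    for e in entries:
        if e["flags"] & ATF_COM:
            by_mac[e["mac"]].append(e["ip"])
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac}: claimed by {len(ips)} IPs {sorted(ips)}")
    return findings


def pin_commands(policy, dev="eth0"):
    """iproute2 commands that would make the policy permanent (returned as strings, not run)."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent"
            for ip, mac in policy.items()]


# Constructed snapshots of the Asterisk server's (192.168.1.103) ARP table. The phone
# (00:0f:34:11:80:45) and attacker (00:09:7a:44:17:d9) MACs come from the arpspoof
# output in this chapter; the router MAC is invented (IANA documentation range).
POLICY = {"192.168.1.22": "00:0f:34:11:80:45"}  # the phone, pinned on the proxy

POISONED_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:00:5e:00:53:fe     *        eth0
192.168.1.22     0x1         0x2         00:09:7a:44:17:d9     *        eth0
192.168.1.120    0x1         0x2         00:09:7a:44:17:d9     *        eth0
"""

PINNED_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:00:5e:00:53:fe     *        eth0
192.168.1.22     0x1         0x6         00:0f:34:11:80:45     *        eth0
192.168.1.120    0x1         0x2         00:09:7a:44:17:d9     *        eth0
"""


def demo():
    """Audit both snapshots; the poisoned one yields three findings, the pinned one none."""
    return (audit_arp_table(parse_proc_net_arp(POISONED_TABLE), POLICY),
            audit_arp_table(parse_proc_net_arp(PINNED_TABLE), POLICY))
```

On a live Linux host, `open("/proc/net/arp").read()` feeds `parse_proc_net_arp` directly. The pinned snapshot shows flags 0x6 (complete + permanent) for the phone: with such an entry the kernel ignores further ARP replies for that IP, so the attacker's spoofed replies change nothing, which is why the second audit comes back clean.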

Countermeasure: Switch Port Security

ARP poisoning can also be mitigated by applying strict port security settings on your switches. By manually entering the list of source MAC addresses allowed to access each port on a switch, rogue or foreign network nodes will be unable to gain access to the network. For Cisco switches, the following guide walks you through how to enable port security, http://www.cisco.com/en/US/products/hw/switches/ps679/products_configuration_guide_chapter09186a008007ef1a.html (or http://tinyurl.com/4a32m).

Port security is not a panacea for ARP poisoning, however. It can be defeated by an attacker who unplugs the phone, inserts his rogue laptop, and spoofs the MAC. Port security is also inconvenient if you're trying to move devices, including IP phones, around the network.

Countermeasure: VLANs

Virtual LANs (VLANs) can provide an extra layer of protection against trivial ARP spoofing techniques by logically segmenting your critical VoIP infrastructure from the standard user data network. While not entirely feasible in all scenarios, VLANs can also help prevent an attacker from scanning for legitimate MAC addresses on the network in the first place.

Countermeasure: Session Encryption

As we covered in the countermeasures in Chapter 5, there are several encryption solutions for VoIP available for various layers that will mitigate ARP poisoning attacks: IPSec (VPN) on the network layer and SRTP and ZRTP on the application layer. For two people chatting with Zfone, a connection that has been potentially hijacked might exhibit the behavior shown in Figure 6-16.

Figure 6-16: Dialog box showing a possible man-in-the-middle attack as it's occurring

Enabling TLS is also a good alternative countermeasure (SIP/TLS, SCCP/TLS, and so on) for mitigating man-in-the-middle-based VoIP signaling attacks.

Countermeasure: ARP Poisoning Detection Tools

Finally, there are a few tools that can detect the precursor to an ARP poisoning attack. arpwatch (ftp://ftp.ee.lbl.gov/arpwatch.tar.gz) is one such tool that keeps track of MAC address/IP address mappings and reports changes via email or syslog. An example warning email from arpwatch might look like the following, indicating that an IP address mapping has changed:

Changed ethernet address

            hostname: AC 3605?
          ip address: 192.168.2.132
    ethernet address: 0:6:5b:b4:6a:3e
     ethernet vendor: <unknown>
old ethernet address: 0:10:4b:e:2e:69
 old ethernet vendor: 3Com 3C905-TX PCI
           timestamp: Thursday, June 2, 2005 15:34:47 -0400
  previous timestamp: Wednesday, May 25, 2005 11:38:01 -0400
               delta: 8 days
Note: A nice graphical tool for detecting ARP poisoning attacks is XArp, written by Christoph Mayer (http://www.chrismc.de/developing/xarp/index.htm).
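The following detector, added here as an example rather than taken from the book or from arpwatch, is the wire-level counterpart of the changed-address warning above. It parses raw Ethernet/ARP frames, tracks IP-to-MAC mappings, and raises an alert both for a reply that answers no outstanding request and for a mapping that changes, which is exactly what steps 2 and 3 of the attack outline at the start of this section, and the arpspoof output in the dsniff example, put on the wire. The phone and attacker MACs come from that arpspoof output; the proxy MAC, the frame builder, the sample exchange and the function names are constructed assumptions.

```python
"""Passive ARP monitor in the spirit of arpwatch (added example, not the book's code).

Parses raw Ethernet/ARP frames, keeps an IP -> MAC table and flags what an
ARP-poisoning run leaves on the wire: replies that answer no outstanding
request, and a mapping that changes to a new MAC.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Return the fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(src), "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed ARP frame (requests are broadcast, replies unicast to tha)."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(tha)
    eth = struct.pack("!6s6sH", eth_dst, mac_bytes(sha), ETH_P_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + body


class ArpMonitor:
    def __init__(self):
        self.table = {}       # ip -> MAC it was last seen using
        self.pending = set()  # (asker_ip, asked_ip) requests not yet answered
        self.alerts = []

    def feed(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return
        if arp["op"] == ARP_REQUEST:
            self.pending.add((arp["spa"], arp["tpa"]))
        elif arp["op"] == ARP_REPLY:
            key = (arp["tpa"], arp["spa"])  # the request this reply claims to answer
            if key in self.pending:
                self.pending.discard(key)
            else:
                self.alerts.append(
                    f"unsolicited reply to {arp['tpa']}: {arp['spa']} is-at {arp['sha']}")
        if arp["sha"] != arp["eth_src"]:
            self.alerts.append(
                f"sender MAC {arp['sha']} differs from frame source {arp['eth_src']}")
        if arp["spa"] != "0.0.0.0":  # ARP probes carry no usable sender IP
            self._learn(arp["spa"], arp["sha"])

    def _learn(self, ip, mac):
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"changed ethernet address: {ip} was {old}, now {mac}")
        self.table[ip] = mac


# Constructed test-bed addresses: phone and attacker MACs are the ones in the
# arpspoof output in this chapter; the proxy MAC is invented (IANA documentation range).
PHONE_IP, PHONE_MAC = "192.168.1.22", "00:0f:34:11:80:45"
PROXY_IP, PROXY_MAC = "192.168.1.103", "00:00:5e:00:53:01"
ATTACKER_MAC = "00:09:7a:44:17:d9"


def demo():
    """Replay a legitimate resolution, then one arpspoof-style reply; return the alerts."""
    mon = ArpMonitor()
    mon.feed(build_arp(ARP_REQUEST, PHONE_MAC, PHONE_IP, "00:00:00:00:00:00", PROXY_IP))
    mon.feed(build_arp(ARP_REPLY, PROXY_MAC, PROXY_IP, PHONE_MAC, PHONE_IP))
    # the poison: "192.168.1.103 is-at <attacker>" sent to the phone with no request pending
    mon.feed(build_arp(ARP_REPLY, ATTACKER_MAC, PROXY_IP, PHONE_MAC, PHONE_IP))
    return mon.alerts
```

On Linux the same `feed()` loop can be driven from an `AF_PACKET` raw socket bound to the interface with protocol 0x0806 (this needs CAP_NET_RAW). The constructed `demo()` replays one legitimate resolution followed by a single spoofed reply and yields two alerts. Note that gratuitous ARP sent after a legitimate address change also trips the unsolicited-reply rule, so treat the pair of alerts (unsolicited reply plus changed address for a server you never re-addressed) as the actionable signal.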

Source: Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions (ISBN 0072263644)