Join Lisa Bock for an in-depth discussion in this video Introducing protocol spoofing, part of IT Security Foundations: Network Security.
- Protocol spoofing is when a malicious party impersonates another entity on the network with the objective of stealing data, spreading malware, or circumventing access controls. An attacker has several tools in his or her arsenal. Common methods include DNS spoofing, IP address spoofing, email spoofing, or ARP spoofing. The Domain Name System provides host name to IP address resolution. It is essential to any network.
A spoof will modify the DNS server cache. Now, I'm going to show you that on your own system, you have a certain cache. And this is so you can access websites quickly. If you go into the command line and type ipconfig /displaydns, here we can see our own local cache. Now, if we were to modify the server cache, or any cache for that matter, it would direct us to websites we probably don't want to go to.
Now, an IP address spoof. An IP address uniquely identifies a host on a network. Spoofing an IP address will conceal the actual IP. It doesn't change it, because if it did, it wouldn't be able to return data, because it wouldn't know where to go. Now, anonymous browsing is used to hide the sender's location. If not, then somehow we know exactly where the location of the IP address is. Let's take a look. I'm at this website where I'm going to type in one of Google's addresses and the geolocation.
I'll select query, and here's the geolocation for Google. Now, it says it's somewhere near San Jose. Well, let's just check. Where's Google headquarters? Mountain View, California, and we see exactly as it's shown, near San Jose. An email spoof makes an email look like it came from someone else, with a goal of obtaining information. I'm at this website, which is one of many that show you can spoof an email address.
We can put a From Name, somebody important, to whomever, with the inclusion of "Please read this and send information." Address Resolution Protocol is used to associate an IP address with a hardware address. Address Resolution Protocol is used on a local network. It is used to test for duplicate IP addresses. And remember, it is not routable. There is no IP header. Normal ARP traffic is simply a request and a reply. I'm going to show you here where ARP resides.
Down below, in this illustration, we see the application layer protocols at the top, the transport layer showing UDP or TCP, and then the network layer, or layer three, and layer two is the Data Link layer. Address Resolution Protocol sits right there in between layer three and layer two. There's no IP header because it's already where it should be. It's just trying to resolve that and locate a MAC address so it can deliver the packet. Let's just show this example of an Ettercap Poisoner.
Using Ettercap, a suite for a Man in the Middle Attack on a LAN, the Ettercap Poisoner positions himself right in the center of that network. Now, here we see the players; the Ettercap Poisoner, and over there on the right hand side, we see Aaron's computer. The Ettercap Poisoner is attached to port one and Aaron's computer is attached to port four. We see the switch and then over on the right hand side, we see the router. In the upper left hand corner, we see what's called a CAM Table, or a Content Addressable Memory.
You might also hear this called a MAC address table or a switching table. And this table is used by the switch, and it associates the MAC address to the port. So, as we see, the Ettercap Poisoner, whose MAC address has the last two digits six, nine, is associated with port one. Aaron's computer, the last two digits of his MAC address are eight, seven. After the poison takes place, you can see now the Ettercap Poisoner holds the MAC address of eight, seven, just like Aaron.
With ARP spoofing, a fake or spoofed MAC address is placed on the LAN. This then allows the attacker to redirect traffic to somewhere else in order to steal information by performing a Man in the Middle Attack. Keep in mind, ARP is not routable, so this attack only works on a local area network. Meaning, you have to be in the local area network where an ARP poison attack can be launched. I'm using Wireshark, a free protocol analysis tool, to demonstrate what happens when you see the ARP poisoning attack occur.
I'm not going to show you how to use Wireshark, but I'm just going to show you that the two are duplicated here. You can see the IP addresses of .103 and .1 are both using the same MAC address. The traffic appears to be unique, but as you can see, this traffic has been poisoned.
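The Wireshark symptom described above, two IP addresses answering with one MAC address, is something a defender can check for automatically. The following is an added example, not code from the video or from Wireshark; the ARP reply records and the addresses in it are constructed sample data, and the detector flags both a MAC shared by several IPs and an IP whose MAC changes mid-capture.

```python
"""Added example: flag the ARP-poisoning symptom seen in the capture above,
where two IPs (.103 and .1) answer with the same MAC address."""
from collections import defaultdict

# Constructed ARP reply records, in capture order: (sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",   "00:11:22:33:44:87"),  # router, genuine reply
    ("192.168.1.103", "00:11:22:33:44:69"),  # poisoner host, its own MAC
    ("192.168.1.50",  "00:11:22:33:44:aa"),  # unrelated host
    ("192.168.1.1",   "00:11:22:33:44:69"),  # poison: router IP now maps to poisoner MAC
    ("192.168.1.103", "00:11:22:33:44:69"),
]


def find_arp_conflicts(replies):
    """Return (shared_macs, changed_ips).

    shared_macs: MAC -> sorted IPs that claimed it (only MACs claimed by >1 IP).
    changed_ips: IP -> distinct MACs seen for it, in order (only IPs that changed).
    Either condition is the classic on-LAN sign of ARP cache poisoning.
    """
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(list)
    for ip, mac in replies:
        mac = mac.lower()              # normalise case so aa:bb == AA:BB
        ips_by_mac[mac].add(ip)
        if mac not in macs_by_ip[ip]:  # keep first-seen order of MACs per IP
            macs_by_ip[ip].append(mac)
    shared = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    changed = {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}
    return shared, changed


def report(replies):
    """Human-readable alert lines for the conflicts found in `replies`."""
    shared, changed = find_arp_conflicts(replies)
    lines = []
    for mac, ips in shared.items():
        lines.append(f"ALERT: MAC {mac} claimed by {len(ips)} IPs: {', '.join(ips)}")
    for ip, macs in changed.items():
        lines.append(f"ALERT: IP {ip} changed MAC {macs[0]} -> {macs[-1]}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ARP_REPLIES):
        print(line)
```

A legitimate NIC replacement or DHCP reassignment also changes an IP's MAC, so treat a single change as something to verify against the switch's MAC address table rather than as proof of an attack.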
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.