<4D F736F F F696E74202D B3D7C6AEBFF6C5A9C7D8C5B72E BC8A3C8AF20B8F0B5E55D>

네트워크해킹 6. Switch Security 7. Spoofing Attacks 8. Sniffing Attacks 9. Hijacking Attacks 10. DoS & DDoS

Chapter 6 : Switch Security

Switch Security 목차 Switch Infra 이해 MAC Address학습기능 Frame Forwarding Spanning-tree and VLAN Forwarding Process 취약점 MAC Flooding Attack MAC Flooding & Spoofing 방어 Spanning Tree Protocol Attacking STP Operation STP Attacking STP 취약점방어 Information Leaks with Cisco Ancillary Protocol CDP Spoofing and Flooding Attack CDP 방어기법 DTP 취약점공격및방어기법 VTP 취약점공격및방어기법 Network Security - 3

Switch Security 목차 ( 계속 ) DHCP 취약점 DoS Attacks Against DHCP DHCP 취약점방어 HSRP 취약점 Attacking HSRP HSRP Attack 방어 VRRP 취약점 Discovering VRRP Risk Analysis for VRRP VRRP 공격방어 Network Security - 4

L2 Switch Hacking LAB Topology Network Security - 5

Ethernet Switches and Bridges Address learning Forward/filter decision Loop avoidance Network Security - 6

MAC Address Table MAC Address Table A B 0260.8c01.1111 E0 E1 0260.8c01.3333 C E2 E3 D 0260.8c01.2222 2222 0260.8c01.4444 초기에는 MAC Address Table 이비어있다 Network Security - 7

Learning Addresses MAC Address Table E0 : 0260.8c01.1111 A B 0260.8c01.1111 E0 E1 0260.8c01.3333 C E2 E3 D 0260.8c01.2222 0260.8c01.4444 Host A 가 Host B 에게 Frame 을전달한다 Switch 는 MAC Address Table 이비어있기때문에 Frame 을모든포트로 Flooding 한다 Host A 에서온 Frame 을 Flooding 하는동안스위치는 E0 에 Host A 의 MAC Address 를학습한다 Host A 에대한 MAC Address Table 정보는 Cache 에저장된다 (Aging Time 300 초 ) Network Security - 8

Learning Addresses (Cont.) A MAC Address Table E0 : 0260.8c01.1111 E3 : 0260.8c01.4444 B 0260.8c01.1111 E0 E1 0260.8c01.3333 C E2 E3 D 0260.8c01.2222 0260.8c01.4444 Host D 가 Host C 에게 Frame 을전달한다 Switch 는 MAC Address Table 에목적지 MAC Address 에대한정보가없기때문에 Frame 을전달된포트를제외한모든포트로 Flooding한다 Host D 에서온 Frame 을 Flooding 하는동안스위치는 E3 에 Host D 의 MAC Address 를학습한다 Host D에대한MAC Address Table 정보는 Cache에저장된다 (Aging g Time 300초 ) Network Security - 9

Filtering Frames MAC Address Table A 0260.8c01.1111 E0 : 0260.8c01.1111 E2 : 0260.8c01.2222 E1 : 0260.8c01.3333 E3 : 0260.8c01.4444 E0 E1 B 0260.8c01.3333 C E2 E3 D 0260.8c01.2222 0260.8c01.4444 Host A가 Host C에게 Frame을전달한다 Switch 는 MAC Address Table 에목적지 MAC Address 에대한정보를찾아해당하는포트인 E2 로 Frame을전달한다 E2에대한Aging Time이초기화된다 Network Security - 10

Filtering Frames (Cont.) MAC Address Table A E0 : 0260.8c01.1111 E0 : 0260.8c01.4444 0260.8c01.1111 B Hub E0 Switch E1 0260.8c01.4444 Host A 가 Host B 에게 Frame 을보낸다 Switch 는 MAC Address Table 에 Host B 의 MAC Address 를추가한다 Network Security - 11

Broadcast and Multicast Frames MAC Address Table A 0260.8c01.1111 E0 : 0260.8c01.1111 E2 : 0260.8c01.2222 E1 : 0260.8c01.3333 E3 : 0260.8c01.4444 E0 E1 B 0260.8c01.3333 C E2 E3 D 0260.8c01.2222 0260.8c01.4444 Host D가 Broadcast또는 Multicast를보낸다 Broadcast 나 Multicast 는전달된포트를제외한모든포트로 Flooding 된다 Network Security - 12

MAC Flooding Attacking Network Security - 13

Preventing MAC Flooding & Spoofing Attacks Enabling MAC Address Moves Alarms on Cisco Switch Switch(config)# mac-address-table notification mac-move Dec 23 12:22:12.100: %MAC_MOVE-SP-4-NOTIF : Host 0000.0903.0002 in VLAN 10 is flapping between port Fa0/2 and Port Gi1/1 Port Security! Port-Security 활성화하기 Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 3 Switch(config-if)# switchport port-security violation restrict Switch(config-if)# switchport port-security mac-address sticky! 유해트래픽발생 MAC Address Filtering Switch(config-if)# mac-address-table static 0050.bf82.dc32 vlan vlan_id drop Network Security - 14

6. LAN Switch Security 6-1. Spanning Tree Protocol 6-2. RSTP 6-3. STP Attack

What Is a Bridge Loop? Bridge loops can occur any time there is a redundant path or loop in t he bridge network. BCMSN v3.0 3-16

Preventing Bridge Loops Bridge loops can be prevented by disabling the redundant path. BCMSN v3.0 3-17

802.1D STP Configured root switch Redundant d switch links Optimal path selection BCMSN v3.0 3-18

BPDU Packet Format BCMSN v3.0 3-19

Bridge Protocol Data Unit BPDUs provide for the exchange of information between switches. BCMSN v3.0 3-20

Root Bridge Selection Criteria BCMSN v3.0 3-21

Extended System ID in Bridge ID Field Bridge ID Without the Extended System ID Bridge ID with the E xtended System ID BCMSN v3.0 3-22

802.1D 16-bit Bridge Priority Field Using the Extended S ystem ID Only four high-order bits of the 16-bit Bridge Priority fie 2 15 4 bits 12 bits 2 0 ld carry actual priority. Therefore, priority can be Priority VLAN Number incremented only in steps Priority Values (Hex) Priority Values (Dec) of 4096, onto which will be added the VLAN number. 0 0 Example: 1 4096 For VLAN 11: If the priority 2 8192 is left at default, the 16-bit Priority field will hold.. 32768 + 11 = 32779... 8 (default) 32768.... F 61440 BCMSN v3.0 3-23

Configuring the Root Bridge Switch(config)#spanning-tree vlan 1 root primary This command forces this switch to be the root. Switch(config)#spanning-tree vlan 1 root secondary This command configures this switch to be the secondary root. Or Switch(config)#spanning-tree vlan 1 priority priority This command statically configures the priority (in increments of 4096). BCMSN v3.0 3-24

Root Bridge Selection Which switch has the lowest bridge ID? BCMSN v3.0 3-25

Spanning Tree Operation One root bridge per network One root port per no nroot bridge One designated port per segment Nondesignated ports are blocking BCMSN v3.0

Spanning Tree Port States Spanning tree transitions each port through several different states. BCMSN v3.0 3-27

Local Switch Root Port Election Link Speed Cost (Revised IEEE Spec) Cost (Previous IEEE Spec) 10 Gbps 2 1 1 Gbps 4 1 100 Mbps 19 10 10 Mbps 100 100 BCMSN v3.0 3-28

Spanning Tree Protocol Root Port Selection BCMSN v3.0 3-29

Example: Layer 2 Topology Negotiation BCMSN v3.0 3-30

Enhancements to STP PortFast Per VLAN Spanning Tree+ (PVST+) Rapid Spanning Tree Protocol (RSTP) Multiple Spanning Tree Protocol (MSTP) MSTP is also known as Multi-Instance Spanning Tree Protocol l( (MISTP) on Cisco Catalyst 6500 switches and above Per VLAN Rapid Spanning Tree (PVRST) BCMSN v3.0 3-31

Describing PortFast BCMSN v3.0 3-32

Configuring PortFast Configuring spanning-tree portfast (interface command) or spanning-tree portfast default (global command) enables PortFast on all nontrunking ports Verifying show running-config interface fastethernet 1/1 BCMSN v3.0 3-33

6. LAN Switch Security 6-1. Spanning Tree Protocol 6-2. RSTP 6-3. STP Attack

Rapid Spanning Tree Protocol BCMSN v3.0 3-35

RSTP Port States BCMSN v3.0 3-36

RSTP Port Roles BCMSN v3.0 3-37

What Are Edge Ports? Will never have a switch connected to it Immediately transitions to forwarding Functions similarly to PortFast Configured by issuing the spanning-tree portfast command BCMSN v3.0 3-38

RSTP Link Types BCMSN v3.0 3-39

RSTP BPDU Flag Byte Use BCMSN v3.0 3-40

RSTP Proposal and Agreement Process BCMSN v3.0 3-41

Downstream RSTP Proposal and Agreement Root and switch A synchronize. Ports on A come out of sync. Proposal or agreement takes place between A and B. BCMSN v3.0 3-42

RSTP Topology Change Mechanism BCMSN v3.0 3-43

PVRST Implementation Commands Configuring spanning-tree mode rapid-pvst Verifying show spanning-tree vlan 101 Debugging debug spanning-tree BCMSN v3.0 3-44

How to Implement Rapid PVRST BCMSN v3.0 3-45

Verifying PVRST Switch# show spanning-tree vlan 30 VLAN0030 Spanning tree enabled protocol rstp Root ID Priority 24606 Address 00d0.047b.2800 047b This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 24606 (priority 24576 sys-id-ext 30) Address 00d0.047b.2800 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type -------- ----- --- --- -------- ---- Gi1/1 Desg FWD 4 128.1 P2p Gi1/2 Desg FWD 4 128.2 P2p Gi5/1 Desg FWD 4 128.257 P2p Display spanning tree mode is set to PVRST. BCMSN v3.0 3-46

6. LAN Switch Security 6-1. Spanning Tree Protocol 6-2. RSTP 6-3. STP Attack

STP Attack Topology STP Attack 취약점 Taking Over the Root Bridge DoS Using a Flood of Config BPDU Simulating a Dual-Homed Switch Network Security - 48

Taking Over the Root Bridge Network Security - 49

Yersinia 실행모드 # yersinia G -GDK 기반그래픽모드 ( 아직 Alpha Version) # yersinia I - Interactive Mode ( 사용하기편한텍스트그래픽모드 ) # yersinia D - Deamon Mode ( tcp:12000 포트로활성화됨 ) - telnet t localhost lh 12000 으로접속하여사용 - user : root, password : root - enable password : tomac Network Security - 50

Taking Over the Root Bridge Network Security - 51

공격후 Switch STP 정보 Network Security - 52

STP Attack 방어 Root Guide BPDU Guide Network Security - 53

6. LAN Switch Security 6-4. VLAN & VTP & DTP 개요 6-5. DTP 공격및방어 6-6. VTP 공격및방어

VLAN 개요 Network Security - 55

VLAN Access Ports VLAN Access Port VLAN Access Port Configuring VLANs vlan 101 switchport mode access switchport access vlan 101 Verifying VLANs show interfaces show vlan

VLAN Trunking Trunking VLAN1 and VLAN2 and VLAN3 802.1Q or ISL

ISL Encapsulation

The 802.1Q Tagging Process

802.1Q Native VLAN Native VLAN frames are carried over the trunk link untagged.

VLAN Ranges VLAN Range Use 0, 4095 Reserved for system use only 1 Cisco default 2 1001 For Ethernet VLANs 1002 10051005 Cisco defaults for FDDI and Token Ring 1006 4094 Ethernet VLANs only, unusable on specific legacy platforms

Switchport Mode Interactions Dynamic Auto Dynamic Desirable Dynamic Auto Dynamic Desirable Trunk Access Access Trunk Trunk Access Trunk Trunk Trunk Access Trunk Trunk Trunk Trunk Access Access Access Not recommended Access Not recommended Note: Table assumes DTP is enabled at both ends. show dtp interface to determine current setting

Cisco DTP 취약점 Cisco Dynamic Trunk Protocol 은기본값으로 Port 가 STP가활성화되어있다. Desirable 상태이므로자동으로 Trunk를설정할수있다. Trunk 가설정되면, 후 VTP 취약점을이용하여 VLAN 을생성, 제거하는등에공격을수행할수있다.

Yersinia 를이용한 DTP Attacking yersinia 를시작한후 g DTP 선택 enter x 1 enter l 을누른화면.

DTP 공격을받은 Switch 상태 ASW1#show debug DTP events debugging is on 00:16:40: DTP-event:Fa0/1:Received packet event../dyntrk/dyntrk_process.c:2203 00:16:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down 00:16:41: DTP-event:Fa0/1:Received packet event../dyntrk/dyntrk_process.c:2203 00:16:42: DTP-event:Fa0/1:Received packet event../dyntrk/dyntrk_process.c:2203 00:16:44: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up ASW1#sh int trunk Port Mode Encapsulation Status Native vlan Fa0/1 desirable 802.1q trunking 1 Port Vlans allowed on trunk Fa0/1 1-4094 Port Vlans allowed and active in management domain Fa0/1 1,10,20,30

DTP 취약점대응방법 DTP 취약점대응방법은 Dynamic Trunk Protocol 기능을해제하고수동으로 Access Link 와 Trunk Link를구성한다. Configuring a Trunk Configuring a Access switchport mode trunk switchport mode access switchport nonegotiate switchport access vlan 10 switchport nonegotiate

The VTP Protocol

VTP Operation VTP advertisements are sent as multicast frames. VTP servers and clients are synchronized to the latest revision number. VTP advertisements are sent every 5 minutes or when there is a change.

VTP 취약점및공격 VTP 는 Vlan 정보를 trunk 를통해스위치간 Update 하는프로토콜이다. VTP password 를설정하지않는경우 multicast 를통해 VLAN 정보를추가및제거가가능하다. Network Security - 69

Cisco Discovery Protocol Network Security - 70

Network Security - 71

6. LAN Switch Security 6-7. DHCP 취약점 6-8. HSRP 취약점

DHCP Operation Network Security - 73

DHCP 취약점 Hijacking Traffic Using DHCP Rogue Servers DHCP 자원고갈공격 Network Security - 74

Network Security - 75

6. LAN Switch Security 6-7. DHCP 취약점 6-8. HSRP 취약점

HSRP Packet Format Version Op code State Hello time Hold time Priority Group Reserved Authentication Data Authentication Data Virtual IP Address Verion : HSRP 메시지의버전으로 0 으로설정되어있음. Op Code : Op Code 는메시지의유형을나타낸다. 0 (Hello) Hello : HSRP 동작중임을나타내며 Hello 메시지로 Active 와 Standby 라우터가될수있다. Coup : 라우터가 Active Router 가되기원할때보낸다. Resign : Coup 에응답메시지로 Active Rouer 역할을넘겨준다. State t : 0 : Initial, 1 : Learn, 2 : Listen, 4 : Speak, 8 : Standby, 16 : Active Hello Time : Hello 를정기적으로모든라우터에게알리는시간기본 3 초 Priority : Default : 100 우선순위가높은라우터가 Active Router 로선출된다. Network Security - 77

HSRP Packet Network Security - 78

DoS Attack Against HSRP #while (true) ; do (hsrp -d 224.0.0.2 -v 10.10.18.254 -a cisco -g 1 -i eth0 -S 10.10.18.1 ; sleep 3) ; done #while [ 1 ] >do >hsrp -d 224.0.0.2 -v 10.10.18.254 -a cisco -g 1 -i eth0 -S 10.10.18.1 >sleep 3 >done Network Security - 79

HSRP Attack 방어 강력한인증암호를사용한다. ACL 을이용한 HSRP router Filter 를사용한다. Network Security - 80

7. Spoofing Attack 7-1. ARP 개요및취약점 7-2. ARP Spoofing Attack

Spoofing Attack 목차 ARP Spoofing Linux 기반 ARP Spoofing Attacking Windows 기반 ARP Spoofing Attacking ARP Spoofing 방어 IP Spoofing IP Spoofing Attacking DNS Spoofing DNS Spoofing Attacking Network Security - 82

3.1 ARP vulnerabilities( 취약점 ) 분석 ARP Protocol 은 3 개의취약점을가지고있다. No Authentication( 무인증 ) Host 는 ARP 응답에상대방을인증할수있는어떠한요소도없으며, 무결성도제공하지않습니다. Information Leak( 정보누수 ) 같은 Ethernet VLAN 의모든 Host 는호스트의매핑 (IP:MAC) 정보를학습할수있습니다. Availability issue( 가용성 ) 같은 Ethernet VLAN 의모든 Host 는 ARP 요구를수신하고그것을처리해야합니다. 공격자는초당수천개의 ARP request 프레임을생성하여보낼수있으며, LAN위의모든호스트는프레임처리과정을거치게됩니다. 이것은네트워크대역폭과 CPU 성능을낭비합니다. Network Security - 83

3.1 ARP vulnerabilities( 취약점 ) 분석 (Cont.) CAFÉ -> FFFF.FFFF.FFFF Who is 10.0.0.2? Host B IP:10002 10.0.0.2 MAC 0000.C5C0.0000 Host A IP : 10.0.0.1 MAC 0000.CAFÉ.0000 Host B IP : 10.0.0.2 MAC 0000.C5C0.0000 Network Security - 84

3.1 ARP vulnerabilities( 취약점 ) 분석 (Cont.) MAC:C5C0 - > CAFÉ 10.0.0.2 is at C5CO Host B IP:10002 10.0.0.2 MAC 0000.C5C0.0000 Host A IP : 10.0.0.1 MAC 0000.CAFÉ.0000 Host B IP : 10.0.0.2 MAC 0000.C5C0.0000 Network Security - 85

3.1 ARP vulnerabilities( 취약점 ) 분석 (Cont.) Host B IP:10002 10.0.0.2 MAC 0000.C5C0.0000 Host A IP : 10.0.0.1 MAC 0000.CAFÉ.0000 MAC:0666 - > CAFÉ 10.0.0.2 is at 0666 MAC:0666 - > CAFÉ 10.0.0.2 is at 0666 BT3 Host B IP : 10.0.0.2 MAC 0000.0666.0000 Network Security - 86

3.1 ARP vulnerabilities( 취약점 ) 분석 (Cont.) MAC:CAFÉ CAFÉ -> 0666 IP: 10.0.0.1 -> 10.0.0.2 Telnet : Password=xyz Host B IP:10002 10.0.0.2 MAC 0000.C5C0.0000 Host A IP : 10.0.0.1 MAC 0000.CAFÉ.0000 MAC:0666 - > C5C0 IP: 10.0.0.1 -> 10.0.0.2 Telnet : Passoword = XYZ Host B IP : 10.0.0.2 MAC 0000.0666.0000 Network Security - 87

3.1 ARP vulnerabilities( 취약점 ) 분석 (Cont.) ARP 정상동작 #1 Host A ARP Table IP Address MAC Address Network Security - 88

3.1 ARP vulnerabilities( 취약점 ) 분석 (Cont.) ARP 정상동작 #2 Host A ARP Table IP Address MAC Address 10.0.0.2 0000.C5C0.0000 Network Security - 89

3.1 ARP vulnerabilities( 취약점 ) 분석 (Cont.) ARP Spoofing 공격 #1 Host A ARP Table IP Address MAC Address 10.0.0.2 0000.C5C0.0000 Network Security - 90

3.1 ARP vulnerabilities( 취약점 ) 분석 (Cont.) ARP Spoofing 공격 #2 Host A ARP Table IP Address MAC Address 10.0.0.2 0000.C5C0.0000 Network Security - 91

7. Spoofing Attack 7-1. ARP 개요및취약점 7-2. ARP Spoofing Attack

1.1 BT3 이용한 ARP Spoofing 공격 공격대상 MAC 주소속이기 Network Security - 93

1.1 BT3 이용한 ARP Spoofing 공격 공격대상 MAC 주소알아내기 Network Security - 94

7. Spoofing Attack 7-3. IP Spoofing 7-4. IP Spoofing Attack

IP 주소를속이고통신하는공격 IP Spoofing 을통해 IP filter 를우회할수있다. 원격 IP Spoofing 을현실적으로불가능하다. Network Security - 96

Local Network 에서의 IP Spoofing 1. Host B가 Host A에게 ARP Cache Poisoning 공격. 2. Host B가 IP spoofing을이용하여 Host A에게 Syn 전송. Host B 3. Host A 는 Host B 에게 Syn/Ack 전송. IP:10002 10.0.0.2 MAC 0000.C5C0.0000 MAC:CAFÉ -> 0666 Host A IP: 10.0.0.1 -> 10.0.0.2 IP : 10.0.0.1 Telnet : Password=xyz MAC 0000.CAFÉ.0000 MAC:0666 - > CAFE IP: 10.0.0.2 -> 10.0.0.1 Telnet : Passoword = XYZ Host B IP : 10.0.0.3 MAC 0000.0666.0000 Network Security - 97

IP Spoofing 고려사항 IP Spoofing 공격시고려사항 ARP cache poisoning을통해packet을유도하더라도실제 IP가다르므로TCP Protocol Suit는 Layer2에서 Layer3로 Packet이올라가지않는다. IP Spoofing을이용하여공격하기위해서는 Layer3까지올라가서통신이가능하도록개죄돈 Application 이필요하다. *** Telnet 의경우 www.oxid.it 의 sterm 이라는공격툴이있다. Network Security - 98

7. Spoofing Attack 7-3. IP Spoofing 7-4. IP Spoofing Attack

IP Spoofing 을이용한 Access-list 우회공격 1. Router에 Telnet을활성화하고 Access-list를생성하여 Backtrack 만허용한다. Router(config)# username admin privilege 15 secret cisco Router(config)# access-list 10 permit 10.10.1.5 0.0.0.0.0 Router(config)# line vty 0 4 Router(config-line)# login local Router(config-line)# access-class 10 in Network Security - 100

IP Spoofing 을이용한 Access-list 우회공격 2. Windows XP 에서 sterm 을설치한후실행한다. sterm 은 IP Spoofing, ARP Poisoning, MAC Spoofing 을수행할수있는툴이다. 실제 MAC과 IP를숨긴체특정 IP로위장하여통신이가능함. Network Security - 101

7. Spoofing Attack 7-5. DNS Spoofing Attack

DNS Spoofing DNS Spoofing 이란? 클라이언트가 DNS Query 를할때 DNS 서버보다먼저응답하여 Attacker 가의도한 IP 를알려주는방법. DNS 취약점 DNS는 UDP 기반이므로 Stateless 한 Protocol이다. Query시인증을수행하지않는다. 공격자가 Local에존재하므로실제 DNS 서버보다빠르게응답할수있다. 클라이언트는 DNS Query 를수행한후먼저응답한 IP 를수용한다. Network Security - 103

DNS Spoofing 공격 공격자는 DNS Query 를스니핑해야함. Transaction ID 사용된, local Port, Name Server Address 등의정보를알아야하므로주로 Local 에서공격하게됨. DNS SCache Poisoning DNS 와비슷한공격기법으로공격대상이클라이언트가아닌 DNS 서버가대상이되며, DNS 서버의 DNS Cache 를조작하는공격기법이다. 공격성공률을높이기위해 Birthday Attack 기법이적용됨. Network Security - 104

DNS Name Query 순서 Domain Name 해석요구 Host file 확인 DNS Cache 확인 Windows c: window system32 drivers etc hosts Unix/Linux /etc/hosts DNS Query 이름해석성공 이름해석실패 Network Security - 105

정상적인 DNS Query & Reply 과정 Client 1. DNS Query www.naver.com 2. DNS Reply 192.168.10.1168 10 1 DNS Server 3. Web Connection www.naver.com IP =19.168.10.1 Network Security - 106

DNS Spoofing 공격시나리오 3. Web Connection www.naver.com IP =10.10.10.1 가짜 Web Server DNS Cache 초기화 Linux : nsdc 재시작 Windows : ipconfig /flushdns 1. DNS Query www.naver.com Client 2. DNS Reply 10.10.10.1 DNS Server Attacker 1. 가짜 Web Server를생성한다. ( 공격자 PC에생성함.) 2. ARP Spoofing을이용하여 Gateway로위장한다. 3. dnsspoof f < 파일명 > 을입력한다. 4. 파일내용을다음처럼생성한다. 10.10.10.1 www.naver.com www.naver.com 192.168.10.1 Network Security - 107

Chapter 8 : Sniffing Attack Network Security - 108

Sniffing Attack 목차 Sniffing Attack Sniffing Attacking 개요 Switch 환경에서의 Sniffing ARP Spoofing ARP/ICMP Redirect Macof를이용한 Switch jamming SPAN port 를이용한 Monitoring ( 관리적인스니핑 ) Dsniff 를이용한 Sniffing Sniffing 공격대응책 ARP Watch를이용한 MAC 변조탐지 암호화를통한 Sniffing 방어 Network Security - 109

Sniffing 이란? Sniffing 이란? 통신망에서돌아다니는데이터를몰래훔쳐보기위한공격 Sniffing 용어? 도청 (eavesdropping) 타인의통신내용을당사자의동의없이은밀히청취, 녹음하는것. 와이어태핑 (Wire Tapping) 기계적인방법을이용하여유선으로부터데이터를도청하는것. 방사 (emanation) 전자파에대한도청 템페스트 (tempest) 사용중인전자파를이용한정보도청에대한방지기술도는장치 Network Security - 110

Sniffing 분류 Sniffing 분류 Passive Sniffing hub와같이모든노드에동일한전기적신호가복제되는경우 Sniffing 가능 단순히스니퍼만동작시키고지나가는패킷을볼수있음. Active Sniffing Switch 환경에서는해당포트로만데이터가전송되기때문에데이터신호가 Sniffer가설치된시스템을경유하도록유도해야하는방법 일종의 MITM (Man In The Middle) 공격기법 Network Security - 111

NIC 의 Promiscuous 모드 NIC 의기본적인동작모드 자신에게도착한패킷의목적지주소를확인하여목적지가자신의패킷과브로드캐스트패킷만을받아들인다. NIC 의 Promiscuous 모드 Promiscuous 모드는 Software적으로만들어진다. 하드웨어방식으로처리하는것을 ByPass 모드라고한다. 자신에게도착한패킷의주소값을무시하고모든패킷을받아들인다. Promiscuous 모드를사용하려면관리자권한이필요한다. Network Security - 112

Switch 환경에서의 Sniffing Switch Jamming ARP Redirect ARP Spoofing ICMP Redirect ect Network Security - 113

Switch Jamming Switch Jamming Switch에 MAC Table을공격하여MAC Table이가득찬경우 Flooding 하는속성을이용함. 현재는 MAC Table 운영방법은 Switch Jamming 공격이불가능함. 공격방법 랜덤하게 MAC Address를생성하여Frame을스위치에전송해서 MAC Address 를학습하게하는방법으로 Switch에 MAC Table을 Overflow 시킴. 공격툴 : macof, havoc Network Security - 114

ARP Redirect ARP Redirect 공격자가 MAC이 Router(Gateway) 의 MAC이라고위조하여브로드캐스트함. Local Network의 System들의 Cache table이변경된다. Local Network의 System이외부와통신하는모든패킷은공격자를경유하게된다. arpspoof 192.168.1.254 Network Security - 115

ARP Spoofing ARP Spoofing 공격 Sniffing 하고자하는두개의 System을선택한후서로의 MAC 주소를공격자의 MAC 주소로위조하여보냄. 두시스템이통신할때공격자를경유하여통신하게됨. MITM(Man In The Middle) 형태가됨. 서로에게공격자가상대방인것으로속이기위해 ARP Spoofing 을한다. arpspoof t 10.10.1.2 10.10.1.254 arpspoof t 10.10.1.254 10.10.1.2 Network Security - 116

ICMP Redirect ICMP Redirec 네트워크에 Router 나 Gateway 를두개이상운영하는경우최적경로로전달을위해 Route 정보를변경하는기능. Client 는 Default 경로로 R1 을지정하고있음. Client 1 4 5 R1 2 Net-A Client 가 Net-B 로 Data 를전송함. 1. Route Table 에의해 R1 으로전송됨. 2. R1 은 Net-B 에 Data 를전송하기위해 R2로전송함. 3. R2 는 Net-B 로 Data 를전송함. 4. R1은 Client에게 ICMP Redirec를전송하여 Net-B는 R2를이용하도록 Route Table 변경을요구함. R2 3 Net-B Client 는 Route Table 에 Net-B 로가는경로를 R2 로추가함. 5. Client 는 Net-B 에게 Data 를보내기위해 R2 로전송함 Network Security - 117

ICMP Redirect Attack icmpush icmpush vv red sp 10.10.1.254 gw 10.10.1.5 dest 100.10.10.0 c host 10.10.1.2 - vv : 자세히보기 - red : ICMP Redirect - sp : 원래 Gateway 주소 - gw : 변경할 Gateway 주소 - dest : 라우팅테이블에등록할목적지네트워크 - c : code ** ICMP Redirect 공격은 ICMP Redirect 기능이꺼져있는호스트는공격이불가능한다. ** Windows, Cisco Router, BSD 등은기본적으로켜져있으나, Linux는꺼져있다. Network Security - 118

Sniffer 의탐지 Sniffer 의탐지 NIC가 Promiscuous 모드로작동중인지검사 Etherping을이용 의심스런 Host에네트워크존재하지않는 MAC 주소를 Dst MAC으로설정하여 Ping을보낸다. arping T 10.10.1.5 11:22:33:44:55:66 요청 MAC 과수신 MAC 이다르므로응답이보이지않음. wireshark 등으로확인 ARP ping 을이용 의심가는 Host나 Broadcast로확인 arping t 11:22:33:44:55:66 10.10.1.5 Wireshark 등으로확인 Network Security - 119

Sniffer 의탐지 (Cont) ARP watch, sentinel, sniffdet promiscan 등의툴을이용한다. arpwatch MAC 과 IP 의매치이변경되면관리자에게메일로통보한다. arpwatch» root 계정에게 mail 로통보 arpwatch d» 디버깅모드로실시간으로보여줌. Promiscan 윈도우즈용툴, IP 와 MAC 주소를가짜로기입 http://www.securityfriday.com/products/promiscan.html Network Security - 120

Sniffing 방지 데이터암호화 SSL PGP and S/MIME SSH VPN 스위치환경구성 스위치환경에서는 ARP Spoofing 공격방어를위한 Port Security 를구성한다. Network Security - 121

Chapter 9 : Hijacking Attacks Network Security - 122

Session Hijacking Attacks 목차 HTTP Session Hijacking Attack HTTP Session Hijacking 개요 Paros를이용한Web Mail hijacking Attack Network Security - 123

HTTP Protocol 의특성 HTTP 프로토콜의특성 HTTP 는기본적으로비연결유지 (stateless) 프로토콜이다. 반면, telnet 과 ftp 와같은프로토콜은클라이언트와서버사이에하나의연결 (session) 이성립되어통신하는프로토콜이다. 따라서, 우리가보통웹브라우저를열어 URL 을입력하고해당홈페이지에들어간다는것은해당홈페이지에포함되어있는페이지 (html), 그림 (jpg, gif 등 ), 자바스크립트 (js) 등을다운받기위해개별적인여러개의 80 요청 (request) 을발송한후서버로부터각각의응답 (reply) 을받는것을의미한다. 이러한일련의요청과응답이이루어진후해당서버와의통신은다시종료된다. 위와같은기본적인지식을알고있다면다음과같은질문을할수있다. HTTP 는비연결유지프로토콜이라고하였는데 Session Hijacking 이란공격은어떻게가능한것인가? 이는 HTTP 세션관리를위해사용되는 Session ID 를통해서가능하다. Network Security - 124

Session ID 란? 웹서버는다수의웹페이지요청자를구별하기위하여각각의사용자의세션에대해서임의의긴문자열값인 Session ID 를부여한다. 사용자가홈페이지방문시혹은인증로그인시에생성된다. 이러한 Session ID는사용자의계정, 암호, 그밖의IP 주소, timestamp 등의여러파라미터들을조합하여생성할수있다. Session ID는사용자와일련의웹서핑동작을연결시켜줌으로써웹사이트로그인후다른페이지방문시마다매번로그인을하지않아도되는편리함을제공해준다. 우리가신문홈페이지나포털사이트에들어갈때광고배너가자동으로바뀐다던지, 쇼핑몰이나인터넷서적몰에서구매카트의목록이유지되는것은모두이러한원리이다. 즉, Session ID 를통해인증과인가 (authentication & authorization) 라는세션관리를수행할수있다. Network Security - 125

Session ID 의위치? Session ID는우리가흔히듣는쿠키 (cookie) 라는곳에저장되는것이일반적이다. 그러나가끔은웹브라우저주소창 URL이나 HTML 페이지폼소스상의 hidden 필드에포함되어드러나기도한다. 1. 쿠키 (cookie) 2. 웹브라우저주소창의 URL 3. 웹페이지폼소스상의 Hidden field Network Security - 126

Session ID 취약점 웹서버에서의 Session ID 췽약점 강력하지못한알고리즘 (Weak Algorithm) : session ID 스트링값을생성함에있어서공격자가 reverse 엔지니어링이가능한쉬운알고리즘으로생성될경우 cracking 이나 brute-force guessing 공격의위험이있다. 길이가짧은 Session ID : 강력한암호알고리즘을사용하더라도그길이가충분하지않고짧은경우에는 cracking이나 brute-force guessing 공격의위험이있다. 계정잠금기능미비 : 로그인패스워드의특정회수실패에대해서는보통계정잠금기능이나해당 IP 차단기능을구현하지않는경우 brute-force guessing g 공격의위험이있다. 무한만료의 Session ID : 사용자의로그아웃이후에도서버측에서해당세션 ID 값을폐기하지않고무한정유효인정한다면 cookie sniffing 이나프락시서버의로그취득을통하여 session ID 공격이가능하다. 평문으로전달되는 Session ID : 서버에서클라이언트로의 session ID 쿠키전달방식이비암호화방식일경우 Network Security - 127

Session ID 공격유형 직접적인 Cookie Sniffing 을통한 Session ID 도용 간접우회공격을통한 Session ID 도용 Brute-force guessing 을통한 Session ID 도용 Network Security - 128

Session ID Hijacking 대응방안 1. Session ID 는가능한한추측불가능 (random) 하게생성한다. 2. Session Timeout 기능과 Session ID 재생성기능을사용한다. 3. 무작위추측대입 (Brute-force Guessing) 에대비하여일정회수이상의인증실패시에는사용자잠금기능을구현한다. 4. 로그인이후에도중요한서비스이용시에는사용자인증을통하여인가된사용자만이해당서비스를이용할수있도록통제한다. 5. Cookie 내용안의 Session ID 와기타변수값자체를암호화한다. 6. 웹서비스자체의중요성에따라 Cookie 가전달되는방식을 SSL 로구현함으로써 Sniffing 공격에대응할수도있다. 7. 웹서비스상에공격자가 HTML 공격코드삽입이가능한페이지가있는지점검한다. 직접적인공격코드삽입을차단할수있도록특수문자및스크립트코드를필터링하여야한다. Network Security - 129

LAB HTTP Session ID Hijacking 1. ARP Spoofing 공격을통한 Packet 모니터링 사용자쿠키획득 2. Paros를이용한 Proxy 구성 3. Web Browser에연결을 paros proxy를통해access하도록설정 4. Paros에 Filter를이용하여획득한 cookie로변환후웹접속 Network Security - 130

Network Security - 131

Network Security - 132

Network Security - 133