EC312 Lesson 29: The Man-In-The-Middle Attack

Objectives:
(a) Describe the Man-In-The-Middle (MITM) attack and list what advantages it provides the attacker.
(b) Construct a routing table based on a network diagram and manipulate a routing table to exploit a specific target.
(c) Describe the steps that should be taken to prevent false route injection and identify who is responsible for performing these preventative actions and how they can be applied.

I. Trust

1. A Quick Review

Where are we in our understanding of how networks interconnect? We’ve talked about routing algorithms and how these weird things called routing tables are constructed; we’ve talked about the layers and protocols involved in networking; we’ve also talked about addressing schemes and specifically how MAC addresses and IP addresses are used. But what is the point of all this? Much like the host section in the first six weeks of EC312, we need to understand how networks work before we can manipulate their operation and violate the principles of security. Much like a locksmith, once we understand how a lock operates, we know that a key is not the only thing that can open a door.

If we are thinking like a locksmith about networks from a security perspective, what is the underlying assumption between routers in the routing algorithms they use to construct their routing tables? The assumption is that each router can trust the information that other routers are sending it. That is, Router A assumes by default that Router B is telling the truth about the state of its links or the distance between it and other routers. But what happens when that is not the case? Would a machine ever lie to another machine? Are there evil machines out there that want to do bad, mean, horrible things to people? Gasp, what if it were true! Have you ever seen Terminator 2: Judgment Day? Sadly, most of your classmates were not born when this movie was released, but I highly recommend it for your Netflix queue.
You will not be able to call yourself a hacker until you watch it.

Example 1
Consider the network below. How would the routing table evolve using distance vector routing?

[Figure: four routers RA, RB, RC and RD. Links and costs: RA–RB 4, RA–RC 5, RB–RD 2, RC–RD 2.]

Solution: each router’s initial table, written as cost (next hop):

Router A:  B: 4 (A–B)   C: 5 (C)   D: ∞
Router B:  A: 4 (A)   C: ∞       D: 2 (D)
Router C:  A: 5 (A)   B: ∞       D: 2 (D)
Router D:  A: ∞       B: 2 (B)   C: 2 (C)

Everyone shares their table with their neighbors.

But what if Router C was evil and began to falsify information about its link to Router A; how would the routing table change?

[Figure: the same network, but Router C now claims its link to RA costs 1 instead of 5.]

Router A:  B: 4 (B)   C: 5 (C)   D: ∞
Router B:  A: 4 (A)   C: ∞       D: 2 (D)
Router C:  A: 1 (A)   B: ∞       D: 2 (D)
Router D:  A: ∞       B: 2 (B)   C: 2 (C)

Everyone shares their table with their neighbors.

What does this mean for all of Router D’s traffic destined for Router A? More importantly, why would Router D’s traffic go through Router C instead?

Fortunately, machines cannot lie to one another, but the humans that operate the machines do lie (or make mistakes) and can force the machines to do the same. In the previous example, we saw how a simple lie about the distance between two routers could change the direction of traffic flow within the network, but why is this a concern? Even with this manipulation, if Router D wants to send packets to Router A, won’t the information be delivered just as before? No. Now that Router C sits between Router D and Router A, it can:
1. Observe the traffic moving between these devices.
2. Change the information moving between these devices.
3. Stop the traffic from moving between these devices.

“Hi, remember me? I’m Ciana.”

Why is this an issue? Recall from SI110 that there are five pillars of information assurance we want to preserve when offering services through routers and other information systems.[1]
1. Confidentiality – protection of information from disclosure to unauthorized individuals, systems, or entities.
2. Integrity – protection of information, systems, and services from unauthorized modification or destruction.
3. Availability – timely, reliable access to data and information services by authorized users.
4. Non-repudiation – the ability to correlate, with high certainty, a recorded action with its originating individual or entity.
5. Authentication – the ability to verify the identity of an individual or entity.

“Grr… Don’t remember me, huh? You’d better for the test!”

Example 2
What primary pillar of information assurance is violated by each thing Router C can do once it is in the middle of Router D and Router A?
(a) The ability to observe traffic violates:
(b) The ability to change traffic violates:
(c) The ability to stop traffic violates:

[1] See http://www.usna.edu/CS/si110/lec/l00/lec.html to review these topics and definitions.

2. The Man-In-The-Middle (MITM) Attack

This type of problem is called the Man-In-The-Middle attack. We have seen this once already, during Practical Exercise 27 in Lesson 27. Specifically, the technique used to conduct the MITM attack in Practical Exercise 27 was called ARP-Spoofing, because redirecting another computer’s traffic on a single network required your computer to tell a specific lie about the association between its MAC address and IP address. Much like a nasty rumor in the Brigade, that lie had to spread around for it to be effective. Similarly, you paired your own MAC address with the target’s IP address in multiple unsolicited ARP-Replies to convince everyone on your local network that your machine was the target host. Finally, everyone on your local network had to believe your lie for you to begin receiving packets destined for the target machine.

Do you think it is possible for something like this to happen on a bigger scale? That is, instead of a Man-In-The-Middle attack on one network as with ARP-spoofing, can this happen between multiple networks? Yes, it could happen, and things similar to this have already happened, but to understand how requires a bit more understanding of how networks interconnect.
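Example 1 worked in code, as an added example that is not part of the lesson notes: a small distance-vector simulation of the four-router topology above, run once honestly and once with Router C advertising a cost of 1 to Router A. It goes slightly beyond the worksheet by also reporting Router A’s route back to D, which shows that the lie makes the D–A path asymmetric; router names and the `lies` parameter are the example’s own.

```python
"""Distance-vector routing for Example 1, honest and with a lying Router C.
Added example, not from the lesson notes; topology from the Example 1 figure."""
INF = float("inf")

# Undirected links and costs: RA-RB 4, RA-RC 5, RB-RD 2, RC-RD 2
LINKS = {("A", "B"): 4, ("A", "C"): 5, ("B", "D"): 2, ("C", "D"): 2}


def neighbor_costs(links):
    """Return {router: {neighbor: link cost}} for an undirected link set."""
    nbrs = {}
    for (x, y), cost in links.items():
        nbrs.setdefault(x, {})[y] = cost
        nbrs.setdefault(y, {})[x] = cost
    return nbrs


def distance_vector(links, lies=None):
    """Exchange distance vectors until convergence.

    Returns {router: {destination: (cost, next_hop)}}. `lies` maps
    (liar, neighbor) to the false link cost the liar puts in its own table
    and advertises, e.g. {("C", "A"): 1}. Honest routers take every advertised
    vector at face value, which is the trust assumption the lesson questions.
    """
    lies = lies or {}
    nbrs = neighbor_costs(links)
    # Each router starts out knowing only itself and its attached links
    tables = {}
    for r, costs in nbrs.items():
        tables[r] = {r: (0, r)}
        for m, c in costs.items():
            tables[r][m] = (lies.get((r, m), c), m)
    changed = True
    while changed:  # keep exchanging vectors until nothing improves
        changed = False
        for r in tables:
            for m, c in nbrs[r].items():
                link_cost = lies.get((r, m), c)  # real cost, or the lie
                for dest, (cost_from_m, _) in tables[m].items():
                    candidate = link_cost + cost_from_m
                    if candidate < tables[r].get(dest, (INF, None))[0]:
                        tables[r][dest] = (candidate, m)
                        changed = True
    return tables


if __name__ == "__main__":
    honest = distance_vector(LINKS)
    evil = distance_vector(LINKS, lies={("C", "A"): 1})
    # D's route to A flips from B (cost 6) to the liar C (claimed cost 3),
    # while A still reaches D through B: the path has become asymmetric.
    print("honest:   D -> A", honest["D"]["A"], "  A -> D", honest["A"]["D"])
    print("with lie: D -> A", evil["D"]["A"], "  A -> D", evil["A"]["D"])
```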
However, just as before with ARP-Spoofing, there are four critical steps that must occur for an attacker to make this possible.
1. Take control of a machine on the network and manipulate its operation.
2. Force the machine to tell the “right” kind of lie.
3. Force the machine to spread the lie around.
4. Force other machines to believe the lie.

3. Wait a Minute…

“Boring! Okay, so I may not remember much from SI110, but the one thing I do remember is that encryption solves all of our problems. If someone is snooping around and reading my packets, then I will just encrypt them and ruin their ability to influence my communication. Done, may I go now?”

As Mr. Eric Snowden recently revealed, that is exactly what the National Security Agency (NSA) and others would want you to think.[2] While it is true that encryption may make eavesdropping harder for the man in the middle, it is not insurmountable. In reality, as the New York Times explains, some of the core encryption protocols of the Internet are already broken. For those that are not, the NSA allegedly spends upwards of $250 million a year on US and foreign industries to covertly influence commercial product designs to make them exploitable. To leverage this advantage, the NSA pays a significant amount of money to become the man in the middle so that it can read any Internet traffic, encrypted or not. One example from WIRED magazine describes a $652 million NSA project to help take control of routers and networks to monitor foreign communications.[3] Hopefully, it is clear that understanding how a MITM attack can take place across multiple networks is very important to Cyber Warfare as a whole.

“Yes, sir! Please give me more details so that I can understand this critically important material.”

II. A Closer Look at How Networks Interconnect

1. An Important Example

Let’s say there is an important website that all midshipmen need to access in order to prepare for EC312 each day.
That website is located at IP address 4.4.5.155 on the network 4.4.5.0/24. The midshipmen who need access to it are located on network 192.168.65.0/24 and have one of the 253 available host IP addresses assigned to their laptops.

[2] See “SSL has Fallen” for more details (http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=1&_r=2&).
[3] See “NSA Hacks Routers, not User PCs” for more details (http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/).

Example 3
Construct the routing table for Router A using address aggregation where appropriate.

Now, let’s pretend there is an evil instructor (because aren’t all instructors evil?) located on the 5.5.5.0/25 network who wants to prevent students from reaching the EC312 website at 4.4.5.155. What would that instructor need to do in order to make the students’ traffic go somewhere they did not intend?

a) First, the instructor will need to: take control of a machine on the network and manipulate its operation.

Being an instructor, ITSD has graciously allowed him (or her) privileged access to his office computer for ‘academic research’, but nowhere else. ITSD has restricted the instructor’s privileged access in order to prevent him from making any changes that could affect other computers on the network. Therefore, the instructor will need to manipulate his computer in such a way that it can alter the flow of traffic across the networks and deny midshipmen access to the course website. To accomplish this, he decides to turn his computer into a router using a special software tool called Loki.[4] This tool ‘speaks’ the Open Shortest Path First (OSPF) protocol, which will enable the injection of false routing information into the networks.

[4] Loki is a Python-based framework implementing many packet generation and attack modules for Layer 3 protocols. It was developed by ERNW, an IT security service provider, in 2010. See https://www.ernw.de/research/loki.html for more details.
b) Second, the instructor will need to: force his router to tell the “right” kind of lie.

But what is the “right” kind of lie to tell? Well, that depends on the effect the instructor wants to have on the networks. For example, if the instructor wanted to cause a panic across the entire Brigade, he or she might say that “buffalo chicken sandwiches will no longer be offered in King Hall.” However, if he only wanted to terrorize the students in his EC312 section, the instructor could say “you will have a quiz tomorrow over Lessons 1 through 15 worth 99.2003% of your final grade.”

The instructor’s goal is to stop the students’ traffic from reaching the EC312 web server located at 4.4.5.155. To do this, the instructor would like to direct the students’ traffic to a different location where their web requests will go unanswered. Knowing that routers forward packets using the routing-table entry that matches the longest network prefix, the instructor decides to advertise a false network from his router with a more specific network ID that will direct the students’ traffic away.

Example 4
What are the first and last IP addresses of the 4.4.5.0/24 network where the web server is located?
(a) First Address:
(b) Last Address:
Looking at Router A’s table, what network ID and mask should the evil instructor choose? Other options?
What are the first and last addresses of the false network the evil instructor will advertise?
(a) First Address:
(b) Last Address:
Does the IP address of the web server fall within the IP address block that the evil instructor will advertise?

c) Third, the instructor will need to: force his router to spread the lie around.

Recall from Lesson 28 that under the Internet’s Open Shortest Path First (OSPF) protocol, routers communicate with one another using Link State Packets (LSPs). These packets are distributed to all routers through “controlled flooding” so that each router can build a full and complete picture of the topology of the entire network.
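The longest-prefix rule behind Example 4, worked in code as an added example that is not from the lesson notes. Router A’s real table is only in the lesson figure, so the table here is a constructed stand-in built from the lesson’s networks, and the false route, its next hop and the other next-hop names are constructed as well. The block also adds the check a network operator would want: flag any learned route that is a strict subnet of a prefix already known and trusted, which is exactly the shape of the lie in this lesson.

```python
"""Longest-prefix match for Example 4, plus an operator's check for a
suspicious more-specific route. Added example, not from the lesson notes."""
import ipaddress

# Constructed stand-in for Router A's table (the real one is in the lesson
# figure): (prefix, next hop). Next-hop names are assumptions.
ROUTER_A = [
    ("192.168.65.0/24", "direct"),   # the midshipmen's network
    ("4.4.5.0/24", "Router B"),      # network holding the web server
    ("5.5.5.0/25", "Router B"),      # the evil instructor's network
    ("0.0.0.0/0", "default"),
]
# Constructed false route: a more-specific prefix that contains 4.4.5.155
FALSE_ROUTE = ("4.4.5.128/26", "evil instructor")


def address_range(prefix):
    """First and last address of a network, as asked in Example 4."""
    net = ipaddress.ip_network(prefix)
    return str(net[0]), str(net[-1])


def lookup(table, dst):
    """Next hop for dst: the matching entry with the longest prefix wins."""
    ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def suspicious_routes(table, trusted):
    """Flag routes that are strict subnets of a prefix we already trust.

    A newly learned, more-specific route inside a known prefix is the
    signature of false route injection; an operator should verify where it
    came from before letting it carry traffic.
    """
    flagged = []
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        for t in trusted:
            tnet = ipaddress.ip_network(t)
            if net != tnet and net.subnet_of(tnet):
                flagged.append((prefix, hop))
    return flagged


if __name__ == "__main__":
    print("4.4.5.0/24 spans", address_range("4.4.5.0/24"))
    print("before the lie, 4.4.5.155 goes to", lookup(ROUTER_A, "4.4.5.155"))
    poisoned = ROUTER_A + [FALSE_ROUTE]
    print("after the lie,  4.4.5.155 goes to", lookup(poisoned, "4.4.5.155"))
    print("flagged:", suspicious_routes(poisoned, ["4.4.5.0/24", "192.168.65.0/24"]))
```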
However, before routers swap LSPs with each other, they must first become neighbors and agree on a basic set of operating parameters. Therefore, in order for the evil instructor to spread his lie about the fake network, he must first become neighbors with a router on his network. Then he can send his malicious LSP advertising the false network he is connected to.

d) Fourth, the instructor will need to: force the other routers to believe the lie.

Fortunately for the instructor, in OSPF this is relatively easy because controlled flooding is already built into the protocol. As previously mentioned, LSPs are forwarded to all routers through controlled flooding to ensure all routers have a complete picture of the network’s topology. Thus, once Router B learns about the new false network from the evil instructor, Router B will turn around and tell Routers A and C.

Example 5
What will Router A’s routing table look like once it hears the lie about the fake network from Router B?

Thus, whenever a student sends a packet destined for the web server at 4.4.5.155, where will Router A forward the packet? Will the EC312 students ever be able to reach the course web page?

Do you think it is possible that something like this could ever happen on the Internet? Unlike the previous example, the Internet consists of hundreds of thousands of networks stretched across the entire globe. Could it be possible for someone to change the way traffic flows across such a big and complex distributed system? Yes, it could happen, and similar things have already happened, but to understand how requires a bit more understanding of the Internet.

2. Protection Against False Route Injection

How can we stop such malicious behavior? Recall that by default routers trust the information other routers send them, but this does not have to be the case. The Open Shortest Path First protocol has two authentication mechanisms built in to protect against false route injection.
The first is a simple plaintext password added to all LSPs so that each router can authenticate the information it is receiving. If a router sends an LSP without the appropriate password, then the LSP is rejected.

The second method is an MD5 hash of the OSPF packet and a shared secret key. Recall from SI110 that hashing is a ‘one-way’ encryption technique that produces the same message digest (i.e., encrypted output) given the same input string. Additionally, while it is easy to hash the input string, it is very hard to recover the input string given only the message digest (remember the Rubik’s cube?). In OSPF, routers send the hash of the OSPF packet and the shared secret key along with their LSPs to authenticate themselves to other routers. Of course, all routers must know the shared secret key in advance. This may seem trivial at first, but consider the number of routers at a place like Google or Amazon Web Services, where there are literally thousands of routers.

Lastly, separate from these two authentication mechanisms, most implementations of OSPF allow the creation of passive interfaces. Just as when your roommate starts getting on your nerves and you tune him or her out by putting your headphones on, routers can do the same thing. Once a network administrator sets up a passive interface on a router, the router will ignore all routing information being sent over that interface. However, this requires network administrators to make smart decisions when setting up the topology of their networks and configuring their routers.

Example 6
Briefly describe two technical solutions to protect against false route injection and identify who is responsible for implementing them.
Solution #1:
Solution #2:

OPTIONAL: Interestingly, of the three actions an attacker can take during a MITM attack, what do you think an attacker would most likely want to do? Observe, change, or stop your traffic?
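The three defenses from section 2 (plaintext password, MD5 digest over packet plus shared key, passive interface) modelled on the receiving router’s side, as an added example that is not from the lesson notes or any vendor’s OSPF code. The LSP encoding, router names and key are constructed; the digest step follows the real OSPF cryptographic authentication (RFC 2328, Appendix D), which appends the shared key to the packet before hashing.

```python
"""Model of the OSPF defenses in section II.2: plaintext password, MD5 digest
over packet plus shared key, and passive interfaces. Added example, not from
the lesson notes or any vendor's OSPF code; the LSP encoding is constructed."""
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class LSP:
    advertiser: str     # router that originated the advertisement
    prefix: str         # network being advertised
    cost: int
    auth: bytes = b""   # plaintext password or MD5 digest, per auth mode

    def body(self) -> bytes:
        # Constructed encoding of the fields the digest must cover
        return f"{self.advertiser}|{self.prefix}|{self.cost}".encode()

def md5_digest(body: bytes, key: bytes) -> bytes:
    # As in RFC 2328 Appendix D: the shared key is appended to the packet
    # before hashing, so a router without the key cannot produce the digest
    return hashlib.md5(body + key).digest()

def sign_lsp(lsp: LSP, mode: str, secret: bytes) -> LSP:
    """Fill in the auth field the way a sender holding `secret` would."""
    if mode == "plaintext":
        lsp.auth = secret
    elif mode == "md5":
        lsp.auth = md5_digest(lsp.body(), secret)
    return lsp

def accept_lsp(lsp: LSP, iface: str, mode: str, secret: bytes, passive=()) -> bool:
    """Receiver's decision: passive interface first, then authentication."""
    if iface in passive:
        return False  # routing information on this interface is ignored
    if mode == "none":
        return True  # OSPF's default: trust whatever the neighbor says
    if mode == "plaintext":
        return hmac.compare_digest(lsp.auth, secret)
    if mode == "md5":
        # Recompute over the received body; a changed cost or prefix, or a
        # sender with the wrong key, yields a different digest
        return hmac.compare_digest(lsp.auth, md5_digest(lsp.body(), secret))
    raise ValueError(f"unknown authentication mode: {mode}")

if __name__ == "__main__":
    KEY = b"shared-secret"  # constructed; must be preconfigured on every router
    good = sign_lsp(LSP("Router B", "4.4.5.0/24", 10), "md5", KEY)
    forged = sign_lsp(LSP("evil instructor", "4.4.5.0/24", 1), "md5", b"guess")
    print("good LSP accepted:", accept_lsp(good, "eth0", "md5", KEY))
    print("forged LSP accepted:", accept_lsp(forged, "eth0", "md5", KEY))
```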
It seems frightening to have our traffic stopped by someone else or changed as it is moving to its destination, but recent cyber activity has indicated it is more likely that an attacker would want to observe your traffic in the end. Consider the following excerpt from Kevin Mandiant’s report on Advanced Persistent Threat 1 (APT1), a Chinese cyber warfare unit:

    Our evidence indicates that APT1 has been stealing hundreds of terabytes of data from at least 141 organizations across a diverse set of industries beginning as early as 2006. Remarkably, we have witnessed APT1 target dozens of organizations simultaneously. Once the group establishes access to a victim’s network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists from victim organizations’ leadership. We believe that the extensive activity we have directly observed represents only a small fraction of the cyber espionage that APT1 has committed.

    Once APT1 has compromised a network, they repeatedly monitor and steal proprietary data and communications from the victim for months or even years. For [141] organizations... we found that APT1 maintained access to the victim’s network for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was at least 1,764 days, or four years and ten months. APT1 was not continuously active on a daily basis during this time period; however, in the vast majority of cases we observed, APT1 continued to commit data theft as long as they had access to the network.[5]

Notice the chosen behavior of this Chinese cyber warfare unit. Rather than shut down the networks of the various companies they invaded or change the information located there, they simply observed the traffic and stole copies for themselves.
It would seem their primary desire was not to do damage but to gain information.

Maj. Agur Adams, USMC
Help us improve these notes! Send comments, corrections and clarifications to aadams@usna.edu

[5] See http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf for the full report on APT1, originally published in 2013.