Spoofing
As I watch the opening scene of the movie Mission: Impossible 2 (M:I2), I
am amazed as a person who I think is Tom Cruise gases everyone in the
airplane and takes the test tubes from the scientist who is sitting next to
him. How could this be? I thought Ethan (the character Tom Cruise plays)
was a good guy. Then, as he walks through the plane, much to everyone’s
astonishment, he peels off the fake face he is wearing and reveals the
true person. It’s not really Ethan, but someone who is impersonating him.
This has nothing to do with computers, but this is a form of spoofing.
By wearing a mask, the person I thought was Tom Cruise was able to
deceive or spoof the scientist into believing that he was someone else.
From a hacking standpoint, there are many reasons someone would want
to do this.
Hackers Beware, New Riders Publishing, 123
As we will cover in this chapter, there are various types of spoofing, each
with various levels of difficulty. In its most basic form, an attacker alters
his identity so that someone thinks he is someone else. This can be as
easy as changing his IP address or as deceptive as impersonating the
president of your company with email. The bottom line is he is altering his
identity to be someone or something that he is not.
Most of this chapter will cover computer-based spoofing attacks such as IP
spoofing, but because non-computer-based techniques can be just as
effective, they are also covered at the end of the chapter. Remember that
it does not matter how an attacker can compromise your network, just
whether he can be successful. This chapter will make sure that your
company is prepared to defend against any type of spoofing attack.
Why Spoof?
As in the preceding example, if an attacker can convince a computer or a
network that he is someone else (a trusted party), he can probably access
information he normally could not get. For example, if you trust John but
you do not trust Joe, and Joe can spoof his identity to appear to be John,
you will trust Joe (because you think he is John); and Joe can get the
access he wants.
When engineers design networks, they often set up access permissions
and trusts based on information like IP addresses. It is critical that you
understand how easy it is to spoof such information, so that you can
design better security models for your computer networks. Only by
understanding the current limitations can you move forward and build
networks that are less prone to attacks.
Types of Spoofing
There are four types of spoofing that will be covered in this chapter. Here
is a brief explanation of each:
• IP spoofing. An attacker uses an IP address of another computer
to acquire information or gain access.
• Email spoofing. Involves spoofing the From address of an email.
In essence, the email looks like it came from Eric, but in reality, Eric
did not send the email. Someone who was impersonating Eric sent
it.
• Web spoofing. The World Wide Web is being used for more and
more e-commerce. To use the web for e-commerce, people have to
be identified and authenticated so that they can be trusted.
Whenever an entity has to be trusted, the opportunity for spoofing
arises.
• Non-technical spoofing. These types of attacks concentrate on
compromising the human element of a company. This is done
through social engineering techniques.
IP Spoofing
When most analysts think of spoofing, they think of IP spoofing, where an
attacker changes his IP address so that he appears to be someone else.
The key to remember is that because an attacker is spoofing someone’s IP
address, when the victim replies back to the address, it goes back to the
spoofed address, not the attacker’s real address.
Figure 4.1 is an example of an attacker sending a packet with a spoofed IP
address to John. John receives the packet but then replies to the IP
address listed as the source and not the attacker’s address. Therefore,
the attacker can send packets to a machine with a spoofed address but
does not receive any packets back. This is referred to as a flying blind, or
a one-way attack, because you can only send packets to the victim. You
cannot receive any packets back.
Figure 4.1. Attacker sending a spoofed packet.
The attacker does not see any replies from the victim. Depending on
where the attacker is located, if he inserts himself in the path between the
victim’s machine and the machine whose address he is spoofing, he might
be able to pull off the replies shown in
Figure 4.2.
Figure 4.2. Attacker injecting himself in the path so that he can observe all
traffic.
There are three basic flavors of IP spoofing attacks, as follows:
• Basic address change
• Use of source routing to intercept packets
• Exploitation of a trust relationship on UNIX machines
More active attacks, where you take over an existing session by spoofing
an address, are covered in Chapter 5, “Session Hijacking.” Session
hijacking is similar to IP spoofing but requires taking over an active
session by knocking a machine offline. Therefore, it is covered in a
separate chapter.
Basic Address Change
Because IP address spoofing involves changing one machine’s IP address
to look like someone else’s, the most basic form of IP spoofing is to go
into a network configuration and change the IP address. By doing that, all
packets that are sent out have an IP address of the address the attacker
wants to spoof. This is very low tech, because all replies go back to the
address he is spoofing and not his machine. Also, because TCP requires a
three-way handshake to get initialized, this cannot be completed, because
the replies go back to a machine that knows nothing about the session,
because its IP address was spoofed.
This has several limitations, but for certain types of denial of service
attacks, it only takes one packet to crash the machine, and spoofing the
address makes it much harder to trace the attack back to the attacker.
With certain attacks, if a system receives an unexpected packet, it could
still crash the system. Also, because UDP is connectionless, a single UDP
packet could be sent to a victim system without any handshake. For
additional details on how TCP and the three-way handshake work, see
Chapter 5.
To change the IP address on a Windows machine, an attacker would
perform the following steps:
1. From the Start menu, select Settings, Control Panel.
2. Double-click the Network icon (see Figure 4.3).
Figure 4.3. Network information for a Windows 98 machine.
3. Select the TCP/IP protocol for the network card you are using, and
the IP Address screen appears (see Figure 4.4).
Figure 4.4. TCP/IP properties for a Windows 98 machine.
The attacker enters the IP address he wants to spoof and reboots the
machine. Now, any packets that are sent will have a spoofed source
address.
On UNIX machines, an attacker uses the ifconfig command from a
terminal window or runs Control Panel from X-Windows to change the IP
information. By typing ifconfig, the following results appear, which
display information on the network interfaces for the system:
eth0 Link encap:Ethernet HWaddr 00:50:8B:9A:4C:1B
inet addr:10.10.50.60 Bcast:10.10.50.60 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4129755 errors:0 dropped:0 overruns:0 frame:1
TX packets:25087 errors:0 dropped:0 overruns:0 carrier:0
collisions:1185 txqueuelen:100
Interrupt:17 Base address:0x8000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:6588 errors:0 dropped:0 overruns:0 frame:0
TX packets:6588 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
The following command changes the address:
ifconfig <interface> x.x.x.x
where <interface> is the name of the interface, for example, eth0. If the
attacker uses Control Panel under X-Windows, he gets similar screens to
those that are shown for Windows.
To illustrate how basic IP spoofing works, let’s look at some sample sniffer
data from a machine 208.246.68.46 attempting a connection:
11:17:09.145118 eth0 < 208.246.68.46.2231 > 208.246.68.48.ftp: R 1850475754:1850475754(0) win 0 (DF)
11:17:10.915599 eth0 < 208.246.68.46.2232 > 208.246.68.48.ftp: S 1850495970:1850495970(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
11:17:10.915633 eth0 > 208.246.68.48.ftp > 208.246.68.46.2232: S 352591502:352591502(0) ack 1850495971 win 32120 <mss 1460,nop,nop,sackOK> (DF)
11:17:10.915771 eth0 < 208.246.68.46.2232 > 208.246.68.48.ftp: . 1:1(0) ack 1 win 8760 (DF)
11:17:13.952415 eth0 > 208.246.68.48.ftp > 208.246.68.46.2232: P 1:97(96) ack 1 win 32120 (DF) [tos 0x10]
11:17:14.125905 eth0 < 208.246.68.46.2232 > 208.246.68.48.ftp: . 1:1(0) ack 97 win 8664 (DF)
11:17:14.530384 eth0 < 208.246.68.46.2232 > 208.246.68.48.ftp: R 1850495971:1850495971(0) win 0 (DF)
As you can see, the machine could perform a three-way handshake with
the machine it is connecting to. The attacker then changes his address to
spoof the connection. The new address is 218.246.68.46, and the
following is the data he receives:
11:17:10.915599 eth0 < 218.246.68.46.2232 > 208.246.68.48.ftp: S 1850495970:1850495970(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
11:17:10.915633 eth0 > 208.246.68.48.ftp > 218.246.68.46.2232: S 352591502:352591502(0) ack 1850495971 win 32120 <mss 1460,nop,nop,sackOK> (DF)
Notice that, because the address is spoofed, when the target machine
replies, the SYN/ACK goes back to the IP address of the machine the
attacker is spoofing. That machine is not expecting the packet, so if it is
up and reachable it answers with a RST and the half-open connection is
torn down; if it is down, the target simply retransmits its SYN/ACK until it
gives up. Either way, the attacker never sees the reply. Just by changing
the IP address, a machine cannot complete the three-way handshake and
open a TCP connection.
Protection Against Address Changes
There are some steps a company can take to protect against this basic
form of spoofing. It is important to note that you can protect your
machines from being used to launch a spoofing attack, but there is little
you can do to prevent an attacker from spoofing your address. Think
about it this way: Is there any way for you to protect against an attacker
spoofing your address on a letter he sends out? There is nothing you can
do to prevent someone from mailing a letter to another party and writing
in your return address instead of his. This is the same problem that occurs
with spoofing.
To prevent an attacker from using a machine to launch a spoofing attack,
first, limit who has access to configuration information on a machine. By
doing this, you can stop an employee from performing spoofing. For
example, with NT workstation, you can limit access so that a normal user
is not allowed to make any changes to the network configuration.
To protect your company from being the victim of a basic IP spoofing
attack, you can apply basic filters at your routers. Most routers have
built-in spoofing filters. The most basic form of filter is to not allow any
packets that are entering your network from the outside to have a source
address from your internal network. For example, a packet that originates
from inside your network and is going to an internal host never has to go
outside your company’s network. Therefore, if a packet is coming from the
Internet, claiming to originate from your internal network, you can have a
high level of confidence that it is a spoofed packet and can be dropped.
This type of filtering is referred to as ingress filtering and protects a
company’s network from being the victim of a spoofing attack. The same
rule should drop inbound packets whose source is a loopback or private
(RFC 1918) address, because those can never legitimately arrive from the
Internet either.
Egress filtering prevents someone from using a company’s computers to
launch an attack against another site. To perform egress filtering, your
router examines any packet leaving your network and makes sure that the
source address is an address from your local network. If it is not, the
packet should be dropped because this indicates that someone is using a
spoofed address to launch an attack against another network. Any
legitimate packet that is leaving your company’s network must have a
source address where the network portion matches your internal
network. Both practices are documented in RFC 2827 (BCP 38). Keep in
mind that the filtering happens on the network a packet passes through,
so your egress filter protects other sites and theirs protect you; neither
rule can tell a spoofed address from a real one once the packet is already
on the Internet.
There are also packages like arpwatch that keep track of Ethernet/IP
address pairings to reduce the likelihood of a spoofing attack. Because it
only sees the ARP traffic on its own segment, arpwatch catches an insider
who changes his address rather than spoofed packets arriving from the
Internet. For additional information on arpwatch, go to
http://www.appwatch.com/.
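As an added illustration, not from the book, the following Python code expresses the ingress and egress rules as one decision function, runs it over a constructed batch of packets, and renders the ingress half as a Cisco IOS extended access list. The company prefix 208.246.68.0/24 is an assumption chosen to match the sniffer traces earlier in the chapter; the sample traffic is constructed.

```python
import ipaddress
from typing import List, Tuple

INTERNAL = ipaddress.ip_network("208.246.68.0/24")      # assumed company prefix

# Source addresses that can never legitimately arrive from the Internet:
# our own prefix, loopback, and the RFC 1918 private ranges.
NEVER_FROM_OUTSIDE = [
    INTERNAL,
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def filter_packet(direction: str, src: str, dst: str) -> Tuple[str, str]:
    """Anti-spoofing decision for one packet.
    direction is "in" (arriving from the Internet) or "out" (leaving for it).
    Returns (verdict, reason)."""
    source = ipaddress.ip_address(src)
    if direction == "in":
        for net in NEVER_FROM_OUTSIDE:
            if source in net:
                return "drop", f"ingress: {src} claims to be in {net} but arrived from outside"
        return "permit", "ingress: plausible external source"
    if direction == "out":
        if source not in INTERNAL:
            return "drop", f"egress: {src} is not ours; an internal host is spoofing"
        return "permit", "egress: internal source"
    raise ValueError("direction must be 'in' or 'out'")


def cisco_ingress_acl(number: int = 101) -> List[str]:
    """The ingress half as an IOS extended ACL, to be applied inbound on the
    Internet-facing interface with 'ip access-group <number> in'."""
    lines = [f"access-list {number} deny ip {net.network_address} {net.hostmask} any log"
             for net in NEVER_FROM_OUTSIDE]
    lines.append(f"access-list {number} permit ip any any")
    return lines


# Constructed traffic sample: (direction, source, destination)
SAMPLE = [
    ("in",  "218.246.68.46", "208.246.68.48"),   # ordinary inbound packet
    ("in",  "208.246.68.46", "208.246.68.48"),   # inbound, but claims our own address
    ("in",  "10.10.10.5",    "208.246.68.48"),   # inbound with a private source
    ("out", "208.246.68.46", "205.133.113.87"),  # ordinary outbound packet
    ("out", "218.246.68.46", "205.133.113.87"),  # insider spoofing someone else's address
]


def verdicts(samples=SAMPLE) -> List[str]:
    return [filter_packet(*pkt)[0] for pkt in samples]


if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", *filter_packet(*pkt))
    print("\n".join(cisco_ingress_acl()))
```

The egress rule is deliberately written as "drop anything that is not ours" rather than as a list of bad addresses, because the set of addresses an insider might forge is unbounded while the set of addresses you legitimately own is small and known.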
Source Routing
Remember that one of the big problems with spoofing is that the return
traffic goes back to the spoofed address and the attacker never gets to
see it. Flying blind is effective if you are really good or are launching a
small attack. But for more advanced attacks, the attacker would like to
see both sides of the conversation.
One way is for an attacker to inject himself into the path that the traffic
would normally take, to get from the destination machine back to the
source. This is very difficult because an attacker has to compromise a
machine on the victim’s network, and there is no guarantee that the traffic
will continue to go through the attacker’s machine. The Internet is
dynamic in terms of how it routes. There are a lot of cases where traffic
takes the same route through the Internet, but it is not guaranteed. It
could change every day, every hour, or even every minute. There is a way
to guarantee that a packet takes a set path through the Internet, and as a
spoof, to make sure it goes through the attacker’s machine. You do this
with source routing, which is built into the TCP/IP protocol suite. Source
routing lets you specify the path a packet will take through the Internet.
There are two types of source routing, as follows:
• Loose source routing (LSR). The sender specifies a list of IP
addresses that the traffic or packet must go through, but it could
also go through any other addresses that it needs to. In other
words, you do not care about the exact path the packet takes
through the network, as long as it goes through these addresses.
• Strict source routing (SSR). The sender specifies the exact path
that the packet must take. If the exact path cannot be taken, the
packet is dropped and an ICMP message is returned to the sender.
In other words, you care about the exact path the packet must take,
and if it cannot take this path for any reason, the packet is not sent.
You might wonder why source routing was put into the IP specification in
the first place. In the early days of the Internet, it was helpful from a
troubleshooting standpoint, because you could specify which path a packet
took through the network. Also, when new links are set up on a network,
it is helpful to force certain packets through those links to make sure they
are working properly before all traffic is sent across the link. This way, if
there is a problem, it can be fixed without causing a disruption of service.
Also, it can be helpful if you want to send traffic to make sure it does not
go through a competitor’s router or a hostile router. For example, if one of
your competitors owns an ISP, you might want to specify the exact route
your proposals take through the network to make sure that your
competitors cannot get a copy.
Some companies use source routing to test the redundancy of their
networks. For some companies, high availability is very important. This
means that if a device or connection on a network goes down, there are
alternate ways for the traffic to get routed. The simplest way to do this is
to have backup routers. A company has a primary router and a backup
router, and the backup router only is used if the primary router goes
down.
But how does a company know if the backup router is working properly?
Ideally, there should be some way to test it beforehand, because waiting
for the primary router to go down to see if the backup is working can be
very risky. By utilizing source routing, the company can send test packets
where it specifies that it wants the packet to go through the backup
router. This way, the company can see if the backup system is configured
correctly without taking down the primary system.
Source routing works by using a 39-byte source route option field in the IP
header. Because source routing is put in the IP header, there is a limit to
how many IP addresses can be specified. Because the option field for
source routing is 39 bytes, and 3 bytes of that (the option type, length
and pointer) are overhead information, 36 bytes are left for the
addresses. Each address uses 4 bytes. If you divide 36 by 4, you have
room for 9 addresses—but it’s not that simple. Because the last address
must be the destination address, it only leaves room for 8 intermediate
addresses. As you can imagine, with the growth of the Internet, there are
cases where the number of hops or IP addresses a packet goes through is
more than 8. In these cases, only loose source routing can be used,
because strict source routing would drop the packet if the exact path were
not found. For an in-depth description of the IP and TCP protocols, please
see TCP/IP Illustrated, Volume 1, by W. Richard Stevens, published by
Addison Wesley Longman.
Basically, source routing works by taking the first address from the list
and making that the destination address. If strict source routing is
specified, it must be the next hop; if it is not, it is dropped. Depending on
how your firewall is configured, this can result in an ICMP Destination
Unreachable message being generated. In most cases, if your firewall
filter is set to Reject Only, an ICMP Destination Unreachable message is
generated. If the firewall is configured to Deny, no message is generated
and the packet is just dropped.
With loose source routing, it does not matter how many other hops a
packet goes through before it gets to the address specified in the list.
After it gets to the destination, it pulls the next address off the list and
that becomes the destination. It then continues in that fashion until either
the destination is found or the packet cannot be routed. It is important to
note that if the sender specifies source routing to get to the destination,
the destination machine automatically uses the same source routing,
reversed, to get back to the sender (this reversal is part of the host
requirements in RFC 1122). This is why it is so dangerous: you might not
know it is being used. You might reply to a packet, and if the sender used
source routing, you will automatically be using source routing without
knowing it.
To illustrate how source routing is used, we will look at the traceroute
program that comes with both UNIX and Windows. Traceroute has the
option to specify source routing when you use the program. On a UNIX
machine, you use the -g option for loose source routing. The following is
an example:
traceroute -g 10.10.10.5 10.35.50.10
On a Windows machine, you would use the -j option for loose source
routing, as follows:
tracert -j 10.10.10.5 10.35.50.10
To show you how source routing modifies the route, the following is the
traceroute output from doing an ordinary traceroute to
www.newriders.com:
Tracing route to scone.donet.com [205.133.113.87]
over a maximum of 30 hops:
1 5 ms 4 ms 2 ms 10.4.0.1
2 5 ms 5 ms 4 ms 208.246.68.97
3 7 ms 7 ms 7 ms 208.246.68.130
4 9 ms 11 ms 7 ms Loopback0.GW2.DCA1.ALTER.NET [137.39.2.154]
5 7 ms 7 ms 15 ms 105.ATM2-0.XR1.DCA1.ALTER.NET [146.188.161.34]
6 79 ms 14 ms 14 ms 195.ATM9-0-0.GW1.PIT1.ALTER.NET [146.188.162.73]
7 67 ms 270 ms 234 ms oarnet-gw.customer.ALTER.NET [157.130.39.10]
8 45 ms 54 ms 45 ms dlp1-atm2-0.dayton.oar.net [199.18.202.101]
9 47 ms 50 ms 46 ms donet2-atm3-0s1.dayton.oar.net [199.18.109.226]
10 49 ms 50 ms 50 ms scone.donet.com [205.133.113.87]
Trace complete.
Next, I perform a traceroute using loose source routing with an IP address
of 205.171.24.5, which means that I do not care what route the
traceroute program uses as long as it goes through the specified IP
address. The output that follows is in the format of the Windows tracert
program, so the command issued is the following (the gateway is given
first, then the target):
tracert -j 205.171.24.5 www.newriders.com
On a UNIX machine, the equivalent command is traceroute -g 205.171.24.5
www.newriders.com. The following is the output generated from running
this command:
Tracing route to scone.donet.com [205.133.113.87]
over a maximum of 30 hops:
1 2 ms 4 ms 3 ms 10.4.0.1
2 7 ms 7 ms 9 ms 208.246.68.97
3 11 ms 10 ms 11 ms 208.246.68.130
4 27 ms 145 ms 64 ms Loopback0.GW2.DCA1.ALTER.NET [137.39.2.154]
5 728 ms 21 ms 25 ms 105.ATM2-0.XR1.DCA1.ALTER.NET [146.188.161.34]
6 74 ms 106 ms 82 ms 295.ATM7-0.XR1.DCA8.ALTER.NET [146.188.163.14]
7 33 ms 54 ms 43 ms 189.ATM7-0.BR1.DCA8.ALTER.NET [146.188.162.209]
8 136 ms 60 ms 150 ms wdc-brdr-03.inet.qwest.net [205.171.4.69]
9 768 ms 14 ms 32 ms wdc-core-03.inet.qwest.net [205.171.24.69]
10 69 ms 126 ms 81 ms wdc-core-02.inet.qwest.net [205.171.24.5]
11 101 ms 47 ms 110 ms wdc-core-01.inet.qwest.net [205.171.24.1]
12 93 ms 53 ms 131 ms chi-core-02.inet.qwest.net [205.171.5.227]
13 202 ms 61 ms 119 ms chi-core-01.inet.qwest.net [205.171.20.1]
14 104 ms 136 ms 156 ms chi-edge-01.inet.qwest.net [205.171.20.10]
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 208.46.62.50 reports: Invalid source route specified.
Trace complete.
You can see that the input I provided altered the path that the program
used. From hop 6 onward, the packet took a different path, and at hop 10
it passed through the gateway that I specified. Also, notice that as
dynamic as the Internet is, every path does not work. In this case, based
on the IP address that I told it to go through, the packet could not find a
path to its destination; the router at hop 19 rejected the source route
outright. This is something to keep in mind with source routing: make sure
that your packets can still find a valid path to their destination, and that
the routers along it will honor the option at all.
As you can see, source routing has tremendous benefits for spoofing. An
attacker sends a packet to the destination with a spoofed address but
specifies loose source routing and puts his IP address in the list. Then,
when the recipient responds, the packet goes back to the spoofed
address, but not before it goes through the attacker’s machine. The
attacker is not flying blind because he can see both sides of the
conversation.
A couple of points are worth noting. First, you might want to specify
several addresses besides yours—this way, if someone catches it, he
cannot pinpoint who is targeting him. Second, strict source routing could
also be used but is a lot harder because you have to know the exact path.
My philosophy is, because both will work, why not use loose source
routing—after all, it is easy and has a higher chance of success.
As you have seen, using source routing makes it very straightforward to
spoof an address and see both sides of the conversation that is taking
place. There is a little more detail that has to be covered to make this
work smoothly (in terms of sequence numbers), but that will be covered
in Chapter 5.
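To make the option processing concrete, here is an added Python example, not from the book, that encodes a loose or strict source-route option the way RFC 791 lays it out (type, length, pointer, then the addresses), steps it through each hop the way a router does, and reverses the recorded route the way a replying host does. The scenario in the final block is constructed: an attacker at 203.0.113.9 spoofs 10.10.10.7, sends to 208.246.68.48 by way of gateway 192.0.2.1, and lists himself as a hop, so the reply comes to him first.

```python
import socket
import struct
from typing import List, Tuple

LSRR, SSRR = 131, 137                   # option type codes (RFC 791)
MAX_OPTION_LEN = 39                     # 40 bytes of IP options minus one NOP for alignment
MAX_ADDRS = (MAX_OPTION_LEN - 3) // 4   # 9 slots, the last of which must be the final destination


def build_source_route(route: List[str], strict: bool = False) -> bytes:
    """Encode a source-route option.  The first hop goes in the IP header's
    destination field, so 'route' lists the hops after it and ends with the
    real destination.  Layout: type, length, pointer (4 = first slot), addresses."""
    if not 1 <= len(route) <= MAX_ADDRS:
        raise ValueError(f"route must hold 1..{MAX_ADDRS} addresses")
    addrs = b"".join(socket.inet_aton(a) for a in route)
    return struct.pack("!BBB", SSRR if strict else LSRR, 3 + len(addrs), 4) + addrs


def parse_source_route(opt: bytes) -> Tuple[bool, int, List[str]]:
    """Return (strict?, pointer, addresses)."""
    if len(opt) < 3 or opt[0] not in (LSRR, SSRR) or opt[1] != len(opt) or (opt[1] - 3) % 4:
        raise ValueError("malformed source-route option")
    addrs = [socket.inet_ntoa(opt[i:i + 4]) for i in range(3, opt[1], 4)]
    return opt[0] == SSRR, opt[2], addrs


def route_step(dst: str, opt: bytes, my_addr: str, next_hop_adjacent: bool = True) -> Tuple[str, bytes, bool]:
    """Per-hop processing by the system that currently owns 'dst': take the
    next listed address as the new destination, record my_addr in that slot,
    advance the pointer.  Returns (new_dst, new_option, forwarded).  With
    SSRR the next hop must be directly reachable; otherwise the packet is
    dropped and an ICMP Destination Unreachable (source route failed) goes back."""
    strict, pointer, addrs = parse_source_route(opt)
    if pointer > opt[1]:                     # list exhausted: dst is the final destination
        return dst, opt, True
    if strict and not next_hop_adjacent:
        return dst, opt, False
    new_dst = addrs[(pointer - 4) // 4]
    recorded = opt[:pointer - 1] + socket.inet_aton(my_addr) + opt[pointer + 3:]
    new_opt = recorded[:2] + bytes([pointer + 4]) + recorded[3:]
    return new_dst, new_opt, True


def reverse_route(recorded: bytes, original_src: str) -> Tuple[str, bytes]:
    """What the receiver does when it replies: walk the recorded gateways
    backwards and end at the original sender.  Returns the reply's first hop
    and its option."""
    strict, _, gateways = parse_source_route(recorded)
    gateways = list(reversed(gateways))
    return gateways[0], build_source_route(gateways[1:] + [original_src], strict)


def deliver(first_hop: str, route: List[str], strict: bool = False) -> Tuple[List[str], bytes]:
    """Walk a packet hop by hop; every system records its own address.
    Returns (hops visited, option as the final destination receives it)."""
    opt, dst, visited = build_source_route(route, strict), first_hop, []
    while True:
        visited.append(dst)
        new_dst, opt, forwarded = route_step(dst, opt, dst)
        if not forwarded or new_dst == dst:
            return visited, opt
        dst = new_dst


if __name__ == "__main__":
    # Constructed scenario: attacker 203.0.113.9, spoofing 10.10.10.7, targets
    # 208.246.68.48 through gateway 192.0.2.1 and lists himself as a hop.
    hops, recorded = deliver("192.0.2.1", ["203.0.113.9", "208.246.68.48"])
    reply_first_hop, reply_opt = reverse_route(recorded, "10.10.10.7")
    print("forward path:", hops)
    print("reply goes first to:", reply_first_hop, "then", parse_source_route(reply_opt)[2])
```

The recorded list the destination sees contains only the gateways the packet actually passed through, and the reply retraces exactly those; that is why listing his own machine is all the attacker needs to do.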
Protection Against Source Routing
The best way to protect yourself or your company against source routing
spoofing attacks is to disable source routing at your routers. There are
very few cases where people actually use source routing for legitimate
purposes. For this reason, it is usually a good idea to block this type of
traffic from entering or leaving your network. If your router blocks all
traffic that has source routing specified, an attacker cannot launch this
type of attack. On a Cisco router, the global configuration command
no ip source-route makes the router discard any packet that carries a
source-route option (ip source-route turns the processing back on).
Other routers have similar commands that you can use to disable source
routing. Hosts should refuse source-routed packets too, because the
reply reversal described earlier happens on the end system; on Linux, for
example, the sysctl net.ipv4.conf.all.accept_source_route should be 0.
Now let’s look at the third possible way to spoof IP addresses, which is
prevalent on UNIX machines: exploiting a trust relationship.
Trust Relationships
Mainly in UNIX environments, machines can set up trust relationships.
This is done to make it easier to move from machine to machine. For
example, if I am a developer at a company that has five UNIX servers and
I work on all five servers, I do not want to constantly have to log on to all
the systems. Instead, I set up a trust relationship between the servers. If
a user is authenticated by one server and that server has a trust
relationship with other servers, the user can move freely between the
servers without re-authenticating. The trust relationship basically uses IP
addresses for authentication, which, based on what you learned about IP
spoofing, is very dangerous. From a convenience standpoint, trust
relationships are really nice, but from a security standpoint, they are a
nightmare.
After a trust relationship is set up, you can move from machine to
machine using the UNIX r commands for access. These commands do not
require authentication, which means the user does not have to re-type her
password. To set up a trust relationship, an administrator puts a list of
hosts and/or users that are trusted in either an .rhosts file that is in a
user’s home directory or an /etc/hosts.equiv for the entire system. The
hosts.equiv file is usually more popular because it is done on a system
basis, as opposed to a user-by-user basis. The hosts.equiv file either
allows or denies hosts and users to use the r commands (like rlogin or
rsh) to connect to another machine without supplying a password. The
general format for each line of the file is the following:
+ or - hostname username
where the + sign allows access and the - sign denies access. Basically, the
- sign means that the user must always supply a password to gain access.
The hostname is the name of the host or IP address that is trusted, and
the username is optional, but is a username that is trusted on that host.
A line consisting of a single + with no hostname trusts every host on the
network and is a classic misconfiguration to look for.
For example, if I trust Sally’s machine, I would put Sally’s hostname in my
hosts.equiv file. This way, anyone that is authenticated by Sally is
automatically trusted by my machine.
From a spoofing standpoint, trust relationships are easy to exploit. For
example, if an attacker knows that server A trusts anyone coming from
machine Y, which has an IP address of 10.10.10.5, and he spoofs his
address to 10.10.10.5, he is allowed access without a password, because
he is trusted. The main problem is still seeing the response traffic,
because all of the responses are sent back to the actual IP that is being
spoofed and not the attacker. For this reason, the attacker is flying blind,
where he can send packets to a victim but not receive any response. This
will be addressed in more detail in Chapter 6.
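The following Python example is added here and is not from the book; it parses a constructed hosts.equiv in the format just described and makes the same decision rshd or rlogind would. The point to notice is that the only input the decision can act on is the source address the connection claims to come from, so a spoofed 10.10.10.5 is indistinguishable from the real one. The lone + line and the rule that root is never granted through hosts.equiv are handled as real implementations do; the hostnames, users and addresses are made up.

```python
from typing import List, Optional, Tuple

# Constructed hosts.equiv for server A.  Format handled is the one the text
# describes (optional + or -, host, optional user) plus the lone "+".
SAMPLE_HOSTS_EQUIV = """\
# development boxes trusted by server A
devbox1.example.com
+ 10.10.10.5 sally
- 10.10.10.9
"""

Entry = Tuple[bool, str, Optional[str]]   # (allow, host or "*", username or None)


def parse_equiv(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        allow = True
        if fields[0] in ("+", "-"):
            allow = fields[0] == "+"
            fields = fields[1:]
            if not fields:                     # a lone "+": every host is trusted
                entries.append((allow, "*", None))
                continue
        elif fields[0].startswith("-"):        # "-host" written without a space
            allow, fields[0] = False, fields[0][1:]
        entries.append((allow, fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def trusted(entries: List[Entry], claimed_host: str, remote_user: str, local_user: str) -> bool:
    """rshd/rlogind-style decision.  claimed_host is simply the source address
    of the connection (or its reverse lookup): nothing here proves the caller
    really is that host, which is the whole weakness.  The first matching
    line wins, and root is never granted through hosts.equiv."""
    if local_user == "root":
        return False
    for allow, host, user in entries:
        if host != "*" and host != claimed_host:
            continue
        if user is None:
            if remote_user != local_user:      # same account name on both sides
                continue
        elif user != remote_user:              # the named remote user may become any local user
            continue
        return allow
    return False


def spoof_demo() -> Tuple[bool, bool]:
    """Attacker really at 203.0.113.9 claiming to be sally: denied under his
    own address, accepted once his packets carry 10.10.10.5 as the source."""
    entries = parse_equiv(SAMPLE_HOSTS_EQUIV)
    honest = trusted(entries, "203.0.113.9", "sally", "eric")
    spoofed = trusted(entries, "10.10.10.5", "sally", "eric")
    return honest, spoofed


if __name__ == "__main__":
    print("honest, spoofed =", spoof_demo())
```

Nothing in trusted() could be strengthened to close the hole, because the protocol gives it nothing but an address to check; that is why the fix in the next section is to remove the trust, not to tune the file.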
Protection Against Trust Relationships
The easiest way to protect against a spoofing attack involving trust
relationships is to not use them. This is not always an easy solution,
because some companies depend on them, but there are things that can
be done to minimize exposure. (Where the convenience is genuinely
needed, SSH with public-key authentication gives the same password-less
login while authenticating a key the client must prove it holds, rather than
a source address that anyone can write into a packet.) First, limit who
has a trust relationship. I have known several companies where, by
default, when a new UNIX machine is set up, administrators configure it to
trust every other box, when in reality trust relationships are very rarely
used at the company. In this case, it makes more sense to determine who
really needs a trust relationship and set it up for a small number of
machines.
Second, do not allow trust relationships to be used via the Internet. In
most cases, a trust relationship is for internal users to access several
machines; yet some companies trust machines that are located at an
individual’s house or a contractor facility. This is extremely dangerous and
should be eliminated or minimized.
Email Spoofing
Email spoofing is done for three main purposes. First, attackers do it to
hide their identity. If an attacker wants to send an email to someone, but
does not want that person to know it came from him, email spoofing is
very effective. Also, in this case, anonymous remailers can be used. An
anonymous remailer is an entity that an attacker sends his email to, and
the remailer forwards it to the destination concealing who really sent the
message. This allows an attacker to send anonymous email via the
Internet. For additional information on how anonymous remailers work,
you can access the Anonymous Remailers FAQ at
http://www.andrebacard.com/remail.html. A list of anonymous remailers
can be found at
http://www.looksmart.com/eus1/eus53832/eus155852/eus282841/eus558112/r?l&
Second, if an attacker wants to impersonate someone or get someone else
in trouble, he can spoof that person’s email. This way, whoever receives
the email will think it came from the person the attacker is impersonating
and will blame that person for the content. Third, email spoofing can be
used as a form of social engineering. For example, if an attacker wants
you to send him a sensitive file and the attacker spoofs his email address
so you think the request is coming from your boss, you might send him
the email.
There are three basic ways to perform email spoofing and each has
various levels of difficulty to perform and various levels of covertness. The
following are the three main types:
• Similar email address
• Modify mail client
• Telnet to port 25
Each of these types will be covered, showing the relative ease to perform
email spoofing and what can be done to protect against it.
Similar Email Address
Some people do not consider this email spoofing, because it is so easy
and straightforward, but because I see attackers use this to exploit
information, we will cover it in this section. People have become so
accustomed to using email that they tend to blindly trust emails, without
carefully examining who the email really came from.
With this type of attack, an attacker finds out the name of a boss or
supervisor at a company. Because most companies post their
management team on their Web site, it is fairly easy to do. After he has
an individual’s name and his supervisor’s name, the attacker registers an
email address that looks similar to the supervisor’s name. For example,
suppose that Eric works at ABC Company and Johny John, Eric’s
supervisor, is the vice president of IT. The attacker simply goes to
hotmail, Netscape, or one of the companies that offers free email, and
signs up for an account. The attacker picks a username like johnyjohn,
john2, johnyjohn55, or something that looks like an account that could
belong to Johny John. In the Alias field of the email, he puts the username
as Johny John. The Alias field is what is displayed in the From field in your
email client. Have you ever noticed when you receive an email, it does not
have the full email address; it only has a person’s name? That is because
the email client is set to display just the Name or Alias field. By viewing
the email header, you can see what the real email address is, but few
users do this.
Now that the attacker has an email address, he sends an email to Eric
from this address. In the body of the email, he might say something like
the following:
Hello, how is everything going? I was working from home so I am sending
this from my personal email account. I am under some tight deadlines from
management and need you to help me out. Could you send me all of the
proposals you have worked on for the last 3 months and your client list? I
have to put together a master list for management showing them how hard
we have been working and I need it ASAP. Your job depends on it.
Thanks for your help,
Johny John
When Eric receives this, there is a good chance he only sees Johny John in
the From field and might not even know it is his personal account. Even if
Eric checks, because the email address appears correct, he would
probably reply to it and the attacker would get the information he wants.
This is a very simple but effective attack methodology. I have seen many
clients have very sensitive information compromised, because they
trusted the From field of an email.
Protection Against Similar Email Addresses
Users need to be educated on the dangers of email and informed that
email is not a secure means of communication. Companies also should
teach users how easy it is to spoof or disguise email and to always verify
the From field. One way to help users is to configure mail clients so that
they always show the full email address and not the alias. The full email
address can provide some indication that something unusual is going on.
In the preceding case, doing this might not help, because an ambitious
employee would not want to question his boss, and if the boss says he
needs the information ASAP, the employee might not want to doubt the
legitimacy of the email.
To overcome these problems, you should set up the company’s email so
that it can be accessed remotely and via the Internet. Next, make it
company policy that, for security reasons, any work-related activities have
to use work email. This way, if the user questions an external email
address, he has a policy backing him.
Another possible solution is to use public key encryption. If the sender of
the message attaches a digital signature, which is signed with his private
key, and you can verify it with his public key, you can assume that the
message actually came from him, unless his key was compromised. As
you will see throughout this book, encryption helps solve a lot of security
problems, if used properly. Yet, few companies utilize and harness the
power of encryption.
Modifying a Mail Client
When email is sent from a user, there is no authentication or validation
performed on the From address. Therefore, if an attacker has a mail client
like Eudora or Outlook, he can go in and specify whatever address he
wants to appear in the From line. Figure 4.5 shows the screen that is used
by Eudora.
Figure 4.5. Account setup dialog box for Eudora mail client.
In this case, an attacker can specify whatever return address he wants.
The only catch is that when the user replies, the reply goes back to the
real address and not to the person spoofing the address. In the workplace,
this can be nasty if employees start spoofing addresses of other
employees with negative comments.
Protection Against Modifying a Mail Client
In this case, preventing employees from modifying a mail client is difficult,
but there are some things you can do to minimize their chances. First,
make sure you have a security policy or, more specifically, an email policy,
outlining that this type of behavior is unacceptable and will result in
immediate termination. Then, the policy must be enforced. In other
words, if anyone does this, no matter who he is, he must be terminated.
One mistake that companies make with security policies is that they do
not uniformly enforce them—therefore, people do not take them seriously.
Next, you need to make sure that logging is performed on all systems,
especially your mail server, and that these logs are carefully preserved.
This is so important because, if an employee spoofs another’s email
address, you can discover who it was by looking at the logs. Nothing is
worse than having a policy that you cannot enforce.
Another way to detect email spoofing is by looking at the full email
header. Most mail systems have an option that allows you to view all of
the hosts that a message went through from source to destination. This
can indicate not only whether someone spoofed an email but where the
message originated from. The following is the full header of an email
message:
X-Persona: <test>
Received: from manic.cs.test.edu (manic [141.161.20.10])
    by cssun.test.edu (8.9.2/8.9.2) with ESMTP id NAA08916
    for <colee@cssun.test.edu>; Mon, 30 Oct 2000 13:47:18 -0500 (EST)
Received: from test.com ([207.159.90.19])
    by manic.cs.test.edu (8.9.1b+Sun/8.9.1) with ESMTP id NAA11633
    for <colee@cs.test.edu>; Mon, 30 Oct 2000 13:46:27 -0500 (EST)
Received: by test.com from localhost
    (router,SLMail V2.7); Mon, 30 Oct 2000 15:39:17 -0500
Received: by test.com from ibm1
    (208.246.68.48::mail daemon; unverified,SLMail V2.7); Mon, 30 Oct 2000 15:39:16 -0500
Message-Id: <4.2.0.58.20001030134740.0094acd0@mail1.test.com>
X-Sender: ecole@209.229.51.254
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Mon, 30 Oct 2000 13:48:18 -0500
To: eric@cs.test.edu
From: Eric Cole <eric@test.com>
Subject: Test
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-UIDL: 7cd8eb5f25d62871b140b12063f92b35

test
In this example, test.edu and test.com are sample names that were used
to protect the real sites. By going through this header, you can see that
the message originated from 208.246.68.48 and then connected to a
system running SLMail with an IP of 207.159.90.19. From there, it
connected to the test.edu server to send the email to eric@cs.test.edu.
You can see who spoofed the address and the path he took to try and hide
his tracks. Therefore, it is critical that you know how to view the full
header for the mail client that you are using.
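Reading Received lines by hand is error-prone, so the following Python script is an added example (not from the book) of doing the same walk automatically: it parses each Received header, lists the hops from earliest to latest, reports the originating IP, and flags hops the relaying server marked as unverified. The header text is a constructed copy of the sample above (test.edu, test.com and the IP addresses are the book's placeholders); the final consistency check, comparing the From domain with the hosts in the path, is my own crude heuristic and not something the book prescribes.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header, modelled on the one shown in the chapter.
# test.edu / test.com are placeholder names, exactly as in the book.
SAMPLE_HEADER = """\
Received: from manic.cs.test.edu (manic [141.161.20.10])
 by cssun.test.edu (8.9.2/8.9.2) with ESMTP id NAA08916
 for <colee@cssun.test.edu>; Mon, 30 Oct 2000 13:47:18 -0500 (EST)
Received: from test.com ([207.159.90.19])
 by manic.cs.test.edu (8.9.1b+Sun/8.9.1) with ESMTP id NAA11633
 for <colee@cs.test.edu>; Mon, 30 Oct 2000 13:46:27 -0500 (EST)
Received: by test.com from localhost
 (router,SLMail V2.7); Mon, 30 Oct 2000 15:39:17 -0500
Received: by test.com from ibm1
 (208.246.68.48::mail daemon; unverified,SLMail V2.7); Mon, 30 Oct 2000 15:39:16 -0500
From: Eric Cole <eric@test.com>
To: eric@cs.test.edu
Subject: Test

test
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """Return one dict per Received header, ordered earliest hop first.

    Each dict has the host named after 'from', the host named after 'by',
    the first IPv4 address in the line (if any) and whether the relaying
    server marked the hop as 'unverified' (SLMail does this when it could
    not confirm the client's claimed name).
    """
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        ips = IPV4.findall(text)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ip": ips[0] if ips else None,
            "unverified": "unverified" in text.lower(),
        })
    # Mail servers prepend Received lines, so the last one is the origin.
    hops.reverse()
    return hops


def origin_ip(raw):
    """The first IP address seen on the path, i.e. where the message started."""
    for hop in received_hops(raw):
        if hop["ip"]:
            return hop["ip"]
    return None


def from_domain_seen_in_path(raw):
    """Heuristic (mine, not the book's): does the From domain appear anywhere
    among the hosts in the Received chain?  A mismatch is a spoofing hint."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return False
    for hop in received_hops(raw):
        for host in (hop["from"], hop["by"]):
            if host and (host.lower() == domain or host.lower().endswith("." + domain)):
                return True
    return False


if __name__ == "__main__":
    for n, hop in enumerate(received_hops(SAMPLE_HEADER), 1):
        flag = " (unverified)" if hop["unverified"] else ""
        print(f"hop {n}: {hop['from']} -> {hop['by']} ip={hop['ip']}{flag}")
    print("origin:", origin_ip(SAMPLE_HEADER))
    print("From domain seen in path:", from_domain_seen_in_path(SAMPLE_HEADER))
```

Run it on a header you have saved from your own mail client; the origin line is the IP address the book tells you to look for, and any hop marked unverified is one where the relaying server could not confirm the client's claimed name.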
Telnet to Port 25
A more complicated way to perform email spoofing is to telnet to port 25
on a mail server. Port 25 is used for Simple Mail Transfer Protocol (SMTP).
This is what mail servers use to send mail across the Internet. When an
attacker wants to send you a message, he composes a message and clicks
Send. His mail server then contacts your mail server, connects on port 25,
and transfers the message. Your mail server then forwards the message
to you. Because mail servers use port 25 to send messages, there is no
reason why an attacker cannot connect to port 25, act like a mail server,
and compose a message.
To do this, an attacker first finds out the IP address of a mail server or
runs a port scan against several systems to see which ones have port 25
open. After an attacker has a machine with port 25 open and a mail server
running, he types the following commands:
telnet ip-address 25
After he is connected, he types the following:
helo
mail from:spoofed-mail-address
rcpt to: person-sending-mail-to
data
the message you want to send, followed by the period sign
The first step of issuing the command helo is not necessary on all
systems, but it does not do any damage when issued.
It is that easy. The following is the output from a session where an
attacker telnets to port 25 on a mail server and sends a spoofed message:
220 computing.com Smtp Server SLMail v2.7 Ready ESMTP spoken here
mail from: eric@somewhere.com
250 OK
rcpt to: ecole@rusecure.com
250 OK, ecole@rusecure.com
data
354 Start mail input; end with <CRLF>.<CRLF>
hello, this is a test
.
250 OK, Submitted & queued (24f428b0.in)
In this case, the message was sent to the recipient with a spoofed From
address. As you can see, this is very easy to perform.
More and more system administrators are realizing that attackers are
using their systems for spoofing, so newer mail servers do not allow mail
relaying. A mail server should only be sending or receiving mail for a
specific domain name or company. Mail relaying is where an attacker tries
to use a mail server to send mail to someone else on a different domain or
relay his mail off of another mail server.
The most basic form of mail spoofing protection is to validate that the
recipient’s domain is the same domain as the mail server; if it is not, the
message is dropped. In some cases, it also validates that the sender’s
domain is valid. Newer SMTP servers also validate for any remote
connection to the mail server that the To and From addresses are from
the same domain as the mail server; if they are not, it drops the message.
This last check is important; otherwise, an attacker could connect
remotely and send a message to someone within the company from a
spoofed address. The following is a message from a mail server that does
not allow relaying:
220 seclinux1 ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Aug 2000
06:46:07 -0400
mail from: eric@somewhere.com
250 eric@somewhere.com... Sender ok
rcpt to: ecole@rusecure.com
550 ecole@rusecure.com... Relaying denied
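To make the two checks just described concrete, here is an added Python model of them (my own formulation for illustration, not the code of Sendmail, SLMail or any other MTA). It decides the reply to each RCPT TO from the sender domain, the recipient domain, the domains the server hosts, and whether the session comes from outside the company. Two details are my assumptions rather than the book's: the server is assumed to know from the client IP whether a session is remote, and an internal client is allowed to send outward, because that is the one relay case a company's own server must permit.

```python
# Added example: a minimal model of relay and sender-spoofing checks for an
# SMTP server.  Reply strings imitate SMTP reply codes; the policy itself is a
# simplified illustration, not any real MTA's configuration.

def address_domain(addr):
    """Lower-cased domain part of 'user@domain'; '' if there is none."""
    addr = addr.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def relay_decision(mail_from, rcpt_to, local_domains, remote_client=True):
    """Reply for an RCPT TO given the MAIL FROM already seen.

    local_domains : domains this server delivers mail for.
    remote_client : True when the SMTP session comes from outside the
                    company's network (assumed known from the client IP).
    """
    local = {d.lower() for d in local_domains}
    sender_domain = address_domain(mail_from)
    rcpt_domain = address_domain(rcpt_to)
    if not sender_domain or not rcpt_domain:
        return "501 Syntax error in parameters or arguments"

    # Check 1 (no relaying): deliver only to domains we host.  The one
    # exception is an internal client sending outbound mail.
    internal_outbound = sender_domain in local and not remote_client
    if rcpt_domain not in local and not internal_outbound:
        return f"550 {rcpt_to}... Relaying denied"

    # Check 2 (no spoofed insiders): a remote session claiming one of our
    # own domains as sender is forged; local users submit from inside.
    if remote_client and sender_domain in local:
        return f"550 {mail_from}... Sender domain is local; spoofed address rejected"

    return f"250 {rcpt_to}... Recipient ok"


def simulate_session(commands, local_domains, remote_client=True):
    """Feed 'mail from:' / 'rcpt to:' lines through the policy; return replies."""
    replies = []
    sender = None
    for line in commands:
        verb, _, arg = line.partition(":")
        verb = " ".join(verb.lower().split())
        if verb == "mail from":
            sender = arg.strip()
            replies.append(f"250 {sender}... Sender ok")
        elif verb == "rcpt to":
            if sender is None:
                replies.append("503 Need MAIL before RCPT")
            else:
                replies.append(relay_decision(sender, arg.strip(),
                                              local_domains, remote_client))
        else:
            replies.append("500 Command unrecognized")
    return replies


if __name__ == "__main__":
    # The exchange from the chapter: a server that does not host rusecure.com
    # refuses to relay to it.
    for reply in simulate_session(["mail from: eric@somewhere.com",
                                   "rcpt to: ecole@rusecure.com"],
                                  ["seclinux1.example"]):
        print(reply)
```

The sample session reproduces the "Relaying denied" exchange shown above; change the hosted domain to rusecure.com and the same commands are accepted as ordinary inbound mail, while a remote session that claims a rusecure.com sender is rejected by the second check.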
An attacker can avoid this problem by running his own mail server. The
only problem is it becomes a little easier to trace back, because the
attacker’s IP address is in the mail header. Older versions of Sendmail had
an exploit that allowed an attacker to overwrite the IP address with
garbage data so that the IP address of the spoofed mail server could not
be viewed. This is another example of why it is so important to keep your
key servers patched with the latest version of the software.
There are several programs that allow you to set up a mail server on
virtually any operating system. To find a list of SMTP servers, go to
www.tucows.com and search on mail or SMTP server. The program I
recommend is SLMail. Just in case you think this is too complicated, there
is an easier way. There is a program called Phasma available from
http://www.8th-wonder.net/ that provides a nice GUI interface for
Windows machines to perform mail spoofing. Figure 4.6 is the main screen
of the program.
Figure 4.6. Phasma mail spoofing program.
To use it, you just type in the mail server, the To and From address, the
subject, and data, and you are all set. With this program, mail spoofing is
just as easy as sending a legitimate mail message.
Protection Against Telneting to Port 25
The best way to protect against this type of attack is to have all the latest
patches installed for your mail server and make sure all of the spoofing
and relay filters are properly configured. By doing this, you eliminate 90
percent of the problem, because an attacker cannot spoof your email from
the outside. The filters check each mail message and make sure that the
To and From addresses are the same domain as the one that the email
server resides on. If it is not, it drops the email. This does not stop an
attacker from spoofing an internal user and sending it to an internal user.
As we covered in the last section, you cannot prevent these types of
attacks, but you can minimize the damage by having proper security
policies in place and proper auditing turned on.
Web Spoofing
As the Bob Dole campaign realized in 1996, web spoofing can be a very
easy technique to accomplish. During the campaign, an attacker
registered the site dole96.org, which many guessed was a pro-Dole web
site. In reality, it was a site that shined a negative light on the whole
campaign. When people surf the web, most forget that many sites are not
what they claim to be. When some users want to go to a web site, they
use a search engine to try and find the site. In other cases, users guess
the Web address by using the name of the company they are looking for—
for example, if the name of the company is Eric, they try eric.com or
eric.org. Then, when they go to that site and see the logo for the Eric
Company, users assume that they are at the right place.
For his campaign, George W. Bush registered several domain names, but
he didn’t cover all the bases. Interestingly enough, if you go to
bushsucks.com, it automatically forwards you to his campaign web site.
However, if you go to votebush.com, you get a site that has several
domain names for sale, some of which could have been used against Bush
(see Figure 4.7). It would have been trivial for someone to acquire or buy
votebush.com and put up a negative site about his campaign.
Figure 4.7. List of possible domains for sale and associated price.
Recently, a similar type of attack was launched against customers of an
online bank. Attackers registered a URL similar to the bank’s URL, but
without the period between the www and the bank’s name. The real URL
was www.banksname.com and the spoofed URL was wwwbanksname.com
(with the period missing). An email was then sent to the bank’s customers
saying To connect to the new online Web site, click on the link below,
which was wwwbanksname.com. At quick glance, it looks correct,
so several people went to this site and entered their account information.
The attackers gathered the information and then went to the real site and
had access to several accounts.
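The bank example above turns on a one-character difference in the host name, which is exactly the kind of thing a small check can catch before a user types in credentials. The following Python snippet is an added example (not from the book) of such a check: it extracts the host from a URL the way a browser would and compares it against a short list of hosts the user legitimately deals with, flagging any host within one edit of a trusted one or equal to a trusted host with its dots removed. The trusted list and the www.banksname.com name are constructed, the latter being the book's own placeholder.

```python
from urllib.parse import urlsplit

# Constructed list of hosts the user legitimately does business with.  The
# bank's host name is the placeholder the chapter itself uses.
TRUSTED_HOSTS = ("www.banksname.com",)


def levenshtein(a, b):
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def host_of(url):
    """The host a browser would connect to for this URL (lower-cased, port dropped)."""
    if "://" not in url:
        url = "http://" + url           # treat a bare name like the user typed it
    return (urlsplit(url).hostname or "").rstrip(".")


def lookalike_of(url, trusted_hosts=TRUSTED_HOSTS):
    """Return the trusted host this URL imitates, or None if it is exact or unrelated.

    A host is a lookalike when it equals a trusted host with the dots stripped
    (www.banksname.com -> wwwbanksname.com) or sits within one edit of it.
    """
    host = host_of(url)
    if not host or host in trusted_hosts:
        return None
    for real in trusted_hosts:
        if host == real.replace(".", "") or levenshtein(host, real) <= 1:
            return real
    return None


if __name__ == "__main__":
    for link in ("http://www.banksname.com/login",
                 "http://wwwbanksname.com/login",
                 "http://www.example.com/"):
        print(link, "->", lookalike_of(link) or "ok")
```

The edit-distance threshold of one is deliberately tight: it catches the dropped period from the example without flagging every unrelated domain, and a mail gateway or proxy can apply the same test to links in incoming messages.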
Now let’s take a look at several web spoofing techniques, starting with
some very basic attacks.
Basic Web Spoofing
Most people fail to realize that there are no requirements for registering a
domain name—basically it’s first come, first served. Before the web
became popular, many people registered a name and later tried to sell it
back to the company for big dollars. I have worked with several
companies that came late to the Internet game, and they had to pay big
dollars to get the right to use their name. There have been a lot of legal
proceedings around this because some consider it extortion, but it will be
interesting to see how this continues to play out.
Let’s look at another alternative. Suppose Eric is a software company that
is selling several products and someone owns eric.com. If he is nice, he
either sells it back to the company or includes a link on the site that says
If you are looking for Eric Software Company, click here, which then takes
users to the real site, ericcompany.com.
But what if that someone is an attacker who wants to make money off of
your name? He could set up a Web site for eric.com and make it look like
the Eric company’s web site. This way, when people go to that URL, they
think they have entered the real site and try to order software.
Here’s how it works: A user goes through this spoofed site and clicks on
items she wants to order. She then goes to checkout to buy the items,
and the site prompts her for her shipping and credit card information. At
this point, the site records the credit card information, gives the user a
cookie, and puts up the message This site is currently experiencing
problems. Please try back later. When the user tries back later, the site
receives the cookie, knows that this is a user that has already been
spoofed, and, because her credit card data has already been gathered, it
automatically forwards the user to the real site at ericcompany.com.
Because so many people do not look at the URL line or hide it on their
browser, they probably would not even notice that the URL has changed.
Note
A cookie is a piece of information that the web server passes to the client
to help track state information. The client then stores this information on
the local hard drive. The next time the user goes back to that web server,
it gives the cookie back to the server and the server processes it so that
it can track that user over time.
Protection Against Basic Web Spoofing
The best way to protect against basic web spoofing is for sites to use
server-side certificates. Server-side certificates are much harder to spoof
and provide a higher level of protection, ensuring that the site you are
connecting to really belongs to the company you are expecting. A server-
side certificate is a validated certificate that the server presents to a client
to prove it is who it says it is. It can be thought of as an ID card for a
server.
The biggest problem is that users do not understand the inherent dangers
of using the web. They don’t understand certificates, so even if a site does
not give a certificate, they still trust it. For those sites that give
certificates, users frequently just click OK without ever looking at the
certificates. Users need to take the time to verify that the certificates
belong to the companies they want to connect to. Another way you should
educate your users is by configuring web browsers to always display the
URL. This way, you can better help users understand where they are
going.
Man-in-the-Middle Attacks
We have covered a very basic and effective method of web spoofing, but
now we will look at a more complex method. Man-in-the-middle attacks
can be used for all different types of exploits, not just web spoofing. We
cover them in this context because they’re fairly easy to do and extremely
effective. With a man-in-the-middle attack, the attacker has to position
himself so that all traffic coming and going to the victim goes through
him. For an ordinary user, this might be hard, but an attacker can
compromise the external router for your company (see Figure 4.8).
Figure 4.8. Diagram of a man-in-the-middle attack.
All traffic coming in and going out of your organization has to pass
through this router. If an attacker can compromise it, he can launch a
passive attack at a minimum. He cannot read information that is
encrypted with SSL, so he might not be able to get credit card
information—but he can still get sensitive information.
Remember that passive attacks can provide a lot more information than
you might realize. When I worked internal security at one company, it had
a policy of monitoring all traffic that was coming in and leaving the
organization. You’d be amazed at what we were able to observe. We
caught two people committing corporate espionage, one person actually
committing a crime, and several people connecting to sites that they
should not have been connecting to.
In an active attack, an attacker not only can intercept your traffic, but he
also can modify it. Let’s say that you connect to an e-commerce site and
you put in the online ordering form that you want to order five widgets at
$1000 each. What if an attacker adds two zeroes to that five without you
knowing about it and you order 500 widgets? You can expect a lot of
potential problems.
Also, consider this scenario: You are using Web mail to send mail to a
prospective client about an upcoming meeting and you agree to meet the
client at 2:00 p.m. on Wednesday. Let’s say that a competitor intercepts
and modifies this traffic, and he changes the date and time to 4:00 p.m.
on Tuesday. Now, you think the meeting is on Wednesday and your client
thinks it is on Tuesday. When you do not show up at the meeting, you can
insist that the meeting was on Wednesday and probably lose the client
because you look incompetent. (Remember, the client is always right.) Or,
you can figure out what happened and admit that you had a major
security breach. Either way, from a business standpoint, your chances of
winning that client’s business are slim.
Let’s make this a little more interesting. Suppose that, instead of just
intercepting the traffic as in the preceding example, the attacker actually
inserts himself in the middle of your communication. With this attack, the
attacker plays the role of a proxy, passing all information between the
victim and the recipient of the communication. A proxy is a system that
sits between two computers that are communicating and, in most cases,
opens a separate connection between each system. For example, if
computers A and B were communicating through a proxy, computer A
would open up a connection to the proxy and the proxy would open a
second connection to computer B.
Even if you encrypt the traffic with SSL, the attacker can still read it
(provided the victim accepts the certificate the attacker presents, which,
as noted above, users routinely do), because the traffic is being encrypted
between the victim and the attacker and between the attacker and the end
recipient, so there are actually two encrypted streams as opposed to one.
From a victim’s standpoint, he has no way of knowing that this is
happening. Not only can all of his data be read, but it can be modified.
Therefore, it is very important that the perimeter of your organization be
properly secured.
A similar type of attack is a replay attack. This is where an attacker
records all the traffic between a user and a server, including
authentication information and requests for data (Bob thinks he is talking
directly with the server). At a later point in time, the attacker sends the
same data or replays it back to the server to impersonate that user and
gain access.
The man-in-the-middle attack is effective but fairly complex. Later, we will
look at another technique that is as effective, but simpler to perform.
Protection Against Man-in-the-Middle Attacks
For the first type of man-in-the-middle attack, where someone is just
reading your traffic, encryption definitely helps. Because the attacker does
not know your encryption key, he cannot read or modify any of the data.
In the case of the man-in-the-middle attack where the attacker acts like a
proxy, encryption does not help because you have one connection to the
attacker and the attacker has a separate connection to the recipient.
Therefore, he can decrypt the traffic, read or modify it, and then re-encrypt
it for the recipient. In this case, it is important that you have
strong perimeter security, because in most cases, for an attacker to
launch this type of attack, he either has compromised your perimeter or
the perimeter of the company you are communicating with. If you do your
part and secure your perimeter, hopefully the person you are connecting
to has strong security. Remember that if your company has strong security
and the person you are communicating with has weak security, this
attack can still be successful because an attacker will just compromise the
other company’s router. An attacker will compromise the weakest link in
the chain. This can be frustrating because even if your company has top-
notch security, it can still be compromised if everyone else you are
communicating with does not.
URL Rewriting
With URL rewriting, an attacker inserts himself in the flow of
communication, as in the man-in-the-middle attack. The only difference
is, with the man-in-the-middle attack, the attacker has to physically be
able to intercept the traffic as it goes over the Internet. If you are on the
same local network or can compromise a router, this is fairly easy; but in
other cases, it can be very difficult to perform. In those cases, the
attacker will probably use URL rewriting. With URL rewriting, an attacker
is redirecting web traffic to another site that is controlled by the attacker.
Usually, a web page has links to several other sites or several other
pages. (If a web page only has static text with no links to anything else, it
is not useful to the attacker.) With URL rewriting, the attacker has to
rewrite all of the URLs (or links) on a web page. Instead of pointing to the
real page, the rewritten links point or redirect the user to the attacker’s
machine. Through a web browser, this looks no different to the user. The
only way the user can tell is if he looks at the source or at the bottom of
the browser where it states where the link goes. Looking at the HTML, a
normal link might look like the following:
<BR><A href="http://www.newriders.com/write.php3"
style="TEXT-DECORATION: none"><B>Write for Us</B></A>
The attacker changes this link to the following:
<BR><A href="http://attackermachine.com/http://www.newriders.com/write.php3"
style="TEXT-DECORATION: none"><B>Write for Us</B></A>
The attacker makes this change for all links on that page. As you can see,
all the attacker has to do is insert his URL before the original URL. When a
user clicks on these links, she goes to the attacker’s site, which then
redirects her to the real site. From a user’s standpoint, everything looks
fine, but an attacker is placed in the middle of all communication and can
intercept or modify any information.
To illustrate how URL redirecting works, I will use a site on the Internet
that performs this for users. The site is www.anonymizer.com and is used
to surf sites anonymously so that the end site does not know who you are.
With this site, a user goes to the site first and puts in the URL he wants to
surf to. After that, all communication goes through the Anonymizer to
shield the privacy of the user. Figure 4.9 is the main page for the
Anonymizer.
Figure 4.9. Main Web page for the Anonymizer program.
Now when the user goes to www.newriders.com, the site comes up just as
if the user directly connected to it. From an attacker’s standpoint, he could
do the same thing and it would seem transparent to the user. Figure 4.10
shows the New Riders’ web site going through the Anonymizer.
Figure 4.10. How the URL changes when a user connects to a site via the
Anonymizer.
From a detection perspective, there are two important things to note.
First, if you look closely at the URL, it looks suspicious:
http://anon.free.anonymizer.com/http://www.newriders.com
The URL of the Anonymizer is followed by the URL of the real site. If an
attacker is using URL redirecting, you can see it. As long as users keep the
Address field visible and look at it, they can probably detect this type of
attack.
Another way to detect this is to look at the source. From any browser, you
can choose View Source (or View Page Source in Netscape) and look at
the source code. As you can see in the following source code, all links
have been preceded with the Anonymizer’s URL:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Welcome to New Riders [Anonymized-spica]</TITLE>
<META content="text/html; charset=windows-1252" http-equiv=Content-Type>
</HEAD>
<BODY aLink=#003366 bgColor=#ffffff leftMargin=0 link=#003399 text=#000000
topMargin=0 vLink=#006699><!-- Begin Anonymizer Control Bar -->
<CENTER><FORM METHOD="POST" ACTION="http://util.anonymizer.com/cgi-bin/freeaction.cgi" TARGET="_top">
<TABLE BGCOLOR="#000099"><TR><TD>
<B><FONT COLOR="#FFFFFF">Please visit the Anonymizer's Sponsors:</FONT></B><BR>
<TD background=http://anon.free.anonymizer.com/http://www.newriders.com/images/fade.gif width=600>
<IMG alt="" border=0 height=20 src="http://invis.free.anonymizer.com/http://www.newriders.com/images/dot_c.gif" width=1>
</TD>
…..
<p>
<img alt="welcome to newriders.com" src="http://invis.free.anonymizer.com/http://www.newriders.com/images/nrplogo.gif">
<p>
<img alt="welcome to newriders.com" src="http://invis.free.anonymizer.com/http://www.newriders.com/images/road-150.jpg">
<TABLE border=0 cellpadding="4">
<TBODY>
<TR>
<TD vAlign=top>
<FORM action="http://anon.free.anonymizer.com/http://www.newriders.com/cfm/prod_search.cfm" method=post>
href="http://anon.free.anonymizer.com/http://www.newriders.com/calendar.php3" style="TEXT-DECORATION: none"><B>Calendar</B></A>
<BR><A href="http://anon.free.anonymizer.com/http://www.newriders.com/promotions.php3" style="TEXT-DECORATION: none"><B>Current Promotions</B></A>
<BR><A href="http://anon.free.anonymizer.com/http://www.newriders.com/faq.php3" style="TEXT-DECORATION: none"><B>FAQ</B></A>
<BR><A href="http://anon.free.anonymizer.com/http://www.newriders.com/international.php3" style="TEXT-DECORATION: none"><B>International</B></A>
<BR><A href="http://anon.free.anonymizer.com/http://www.pearsonptr.com/" style="TEXT-DECORATION: none" target=new_window><B>Pearson PTR</B></A>
<BR><A href="http://anon.free.anonymizer.com/http://www.newriders.com/write.php3" style="TEXT-DECORATION: none"><B>Write for Us</B></A>
</FONT>
<p>
</TD>
If an attacker really wants to hide his tracks, he could make them more
difficult to detect. With JavaScript, it’s possible to modify the Address field
so an attacker can write code that strips out his portion of the URL and
hides the fact that URL redirecting is taking place. The one thing that is
hard to cover is the source. Because the source is what is actually loaded,
if an attacker changes it, it can cause some problems and change what
was loaded. I know of very few users who actually check the source, so
this probably is not a big issue for an attacker.
As you can see, for an attacker to run this attack, he must be able to
redirect all of the links. He can do this either by modifying the source code
on the server or using a proxy that modifies the links as the web pages
are being loaded.
Protection Against URL Rewriting
As we have stated, there are two easy ways to determine that URL
redirecting is taking place. First, web browsers should be configured to
always display the destination URL, and users should be trained to look at
it. If they see two HTTP requests coupled, they have a pretty good idea
that URL redirecting is taking place.
The second method, examining the source, is guaranteed to tell you if
redirecting is taking place. Unfortunately, it is unreasonable to assume
that users will check the source for every page they connect to. Hopefully,
most attackers are not sophisticated enough to write JavaScript, which
can modify the source field to hide the fact that redirecting is taking place.
But even if they are and do, if the browser is set up to check with a user
before running any code, a well-trained, educated user might detect this.
As you might notice, having very strong security is dependent on having
users who are well educated and do the right thing. From a purely
technical standpoint, you can have some level of protection, but to have
really strong security, you must depend on your users.
Another way to protect against this attack is to make sure that the code
for your web pages is properly protected not only on the web server but
also in transit. If an attacker cannot redirect the URLs, he cannot launch
this attack.
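Both detection methods from this section, reading the Address field and reading the page source, can be automated. The following Python script is an added example (not from the book): nested_url applies the Address-field test to a single URL, returning the real URL hidden after the proxy's host when the link has the http://proxy/http://real-site shape shown above, and rewritten_links applies the source test by pulling every link, image, form action and similar attribute out of a page and reporting the ones that route through another host. The HTML fragment is constructed, modelled on the rewritten New Riders links above; the proxy hosts and paths are the ones the chapter shows.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page fragment modelled on the rewritten links in the chapter.
SAMPLE_HTML = """
<A href="http://anon.free.anonymizer.com/http://www.newriders.com/write.php3"><B>Write for Us</B></A>
<BR><A href="http://www.newriders.com/calendar.php3"><B>Calendar</B></A>
<IMG alt="" src="http://invis.free.anonymizer.com/http://www.newriders.com/images/dot_c.gif">
<FORM action="/cfm/prod_search.cfm" method=post></FORM>
"""

# An absolute URL appearing inside the path or query of another URL.
EMBEDDED_URL = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def nested_url(url):
    """If url is http(s)://proxy/.../http://real-site/..., return the embedded
    real URL; otherwise None.  This is the Address-field check from the text."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    tail = parts.path + ("?" + parts.query if parts.query else "")
    match = EMBEDDED_URL.search(tail)
    return match.group(0) if match else None


class LinkCollector(HTMLParser):
    """Collects the attributes that make a browser fetch another URL."""
    URL_ATTRS = {"a": "href", "img": "src", "form": "action", "td": "background",
                 "script": "src", "link": "href", "frame": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)   # HTMLParser lower-cases tag names
        for name, value in attrs:
            if name == wanted and value:
                self.links.append((tag, value))


def rewritten_links(html):
    """The page-source check: (tag, link, real_url) for every link that
    passes through another host before reaching the site it names."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for tag, link in collector.links:
        real = nested_url(link)
        if real:
            hits.append((tag, link, real))
    return hits


if __name__ == "__main__":
    print(nested_url("http://anon.free.anonymizer.com/http://www.newriders.com"))
    for tag, link, real in rewritten_links(SAMPLE_HTML):
        print(f"<{tag}> goes via {urlsplit(link).netloc} to {real}")
```

Pointed at a saved copy of a page (the output of View Source), rewritten_links gives the same answer a careful reader gets by eye, and it does so for every link rather than the one or two a person checks. Note the limitation the text itself raises: if the rewriting is done by script after the page loads, the saved source may look clean, so the URL check in the Address field still matters.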
Tracking State
Another popular way attackers spoof the web is by attacking the
e-commerce web sites and impersonating a user. By nature of how the web
works, there is no concept of state or tracking a user over time. If a user
connects to a web site and then connects to three other pages on the web
site, there is nothing inherent in the HTTP protocol or HTML that allows
the web server to know that the same person connected those three
times.
For e-commerce, being able to track the state of a connection and what a
user does over time is very important. If a web site wants to track a user
over time or identify the user, as in the case of online banking, a web
application must take care of that.
There is no feature built into web servers or web browsers that tracks a
user over time and allows her to perform multiple actions in sequence.
Because web application developers are usually under very tight deadlines
and usually are not security professionals, there is room for mistakes.
What works from a functionality standpoint does not necessarily work from
a security standpoint.
As with normal authentication, users are usually authenticated at the
beginning of the session only, and that authentication is valid as long as
they stay active or logged in. Remember, after a user logs on, it is the
responsibility of the application developers to track this information. In
practice, there are three ways to track a user after he logs on to a Web
site:
• Cookies
• URL session tracking
• Hidden form elements
Cookies
Cookies are a piece of information that the server passes to the browser
and the browser stores for the server. Whenever a user connects to the
server, the server can request the cookie from the browser, the browser
passes it back to the server, and the server can track the user.
Cookies are fairly easy to use and very popular. However, cookies have
gotten a lot of negative press. People compare them to wearing a bar
code, because now you can be tracked in cyberspace by cookies. People
also have claimed that cookies can be used to pass viruses and other
malicious code, which is not true. Cookies are just text stored on a local
machine and generated by a server.
There are two types of cookies: persistent and non-persistent. A
persistent cookie is stored on the hard drive in a text file format, which is
accessed by the browser. Because it is stored in a text file, an attacker
that has local access can easily access the cookie. A non-persistent cookie
is stored in memory and is a little harder to access, because it goes away
after you reboot or turn off the machine.
To launch an attack against non-persistent cookies, an attacker has to
access and edit memory or get the source code for a shareware browser
and modify it to write non-persistent cookies to a file. Another easy way is
to write Java code that intercepts the cookies as they are sent back and
forth.
Also, sniffers are applications that can be used to pull non-persistent
cookies off the wire as they are transmitted from source to destination.
There is also a program called Achilles that allows you to edit http
sessions and modify non-persistent cookies. The program is available at
http://www.digizen-security.com
For the remainder of our discussion on cookies, we will concentrate on
persistent cookies. To modify the cookies, search your hard drive for a file
called cookies.txt. The following is a copy of the cookies file for my
Netscape browser, located in C:\Program Files\Netscape\Users\default:
# Netscape HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file! Do not edit.
www.webtrends.com FALSE / FALSE 125439375653685 WEBTRENDS J8ELWGNW56FGPMA
.netscape.com TRUE / FALSE 1293343364751 UIDC 207.139.40.22:093418703649:143018323
.miningco.com TRUE / FALSE 12932102302393 Tmog 29523211252159102514m
www.prosofttraining.com FALSE / FALSE 12923232327238513 EGSOFT_ID 227.153.90.22-52552323323904.2239250232926
.imgis.com TRUE / FALSE 1075923454743428 JFEDEB2 28C51302DB2GF09E7FCF935F5A1653430SDF04DEHFDF
The values that are stored after each of the URLs are the state information
for me. If an attacker wants to be Eric, all he has to do is copy this
information to his cookie file.
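The cookie file above has a fixed, seven-column layout (domain, subdomain flag, path, secure flag, expiry, name, value), so it is easy to audit mechanically for the weaknesses this section describes: values that are short or purely numeric, and persistent cookies that are not marked Secure. The following parser and audit routine is an added example written for this page, not code from the book; the sample cookie lines, domains and values in it are constructed, and treating an expiry of 0 as a session-only cookie and 16 characters as the minimum acceptable length are assumptions made for the example.

```python
"""Audit a Netscape-format cookies.txt for guessable session values."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the cookies.txt layout (tab-separated columns:
# domain, subdomain flag, path, secure flag, expiry epoch, name, value).
# Every domain and value here is made up for the example.
SAMPLE_COOKIE_FILE = (
    "# Netscape HTTP Cookie File\n"
    "# This is a generated file! Do not edit.\n"
    "www.example-shop.test\tFALSE\t/\tFALSE\t2000000000\tSESSIONID\t0000000888\n"
    ".example-bank.test\tTRUE\t/\tTRUE\t2000000000\tAUTH\tq7Zr9vLw2pXk8sT3bN6yHd4fG1jKmRc\n"
    ".tracker.test\tTRUE\t/\tFALSE\t0\tUID\t12345\n"
)

# Assumption for this example; the chapter argues for much longer values.
MIN_SAFE_LENGTH = 16


@dataclass
class Cookie:
    domain: str
    subdomains: bool
    path: str
    secure: bool
    expires: int      # epoch seconds; 0 is treated as session-only (an assumption)
    name: str
    value: str

    @property
    def persistent(self) -> bool:
        return self.expires != 0


def parse_cookie_file(text: str) -> List[Cookie]:
    """Parse the seven tab-separated columns; comment and blank lines are skipped."""
    cookies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        domain, flag, path, secure, expires, name, value = parts
        cookies.append(Cookie(domain, flag == "TRUE", path, secure == "TRUE",
                              int(expires), name, value))
    return cookies


def audit(cookies: List[Cookie]) -> List[Tuple[str, str]]:
    """Return (cookie name, finding) pairs for values that look easy to forge or copy."""
    findings = []
    for c in cookies:
        if c.value.isdigit():
            findings.append((c.name, "value is numeric only; likely sequential or guessable"))
        if len(c.value) < MIN_SAFE_LENGTH:
            findings.append((c.name, f"value is shorter than {MIN_SAFE_LENGTH} characters"))
        if c.persistent and not c.secure:
            findings.append((c.name, "persistent cookie without the Secure flag"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_cookie_file(SAMPLE_COOKIE_FILE)):
        print(f"{name}: {reason}")
```

Run against a real cookies.txt, the audit gives a quick inventory of which sites are handing out the kind of short, patterned state values that the next paragraph shows can simply be guessed.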
Another effective method is to guess the cookie. An attacker can go to a
site several times and get an idea of the values that site assigns for
tracking users. If the attacker guesses and puts in a different value, he
can become a different user. Numerous times, I have performed
penetration tests against web sites, have randomly guessed cookie values,
and instantly have taken the identity of someone else. An attacker can
access account information, change an order, make an order, change the
shipping address, or just cause chaos. (In all cases referenced in this
book, I always have authorization before attempting any of these
exploits.)
Protection Against Cookies
To protect against cookies, a company needs good physical security. An
attacker cannot access a user’s cookie file if he cannot gain access to a
machine. I recommend that systems be properly protected and users log
off when they are not using their computers. One way to accomplish this
is to use a password protected screen saver, so if a user walks away from
his machine, another party cannot gain access.
In general, it is better to have non-persistent cookies, because a copy of
the cookie file is not permanently present on the user’s hard drive. In
some cases, where you need to track a user over a longer period of time
and there is a good chance he will be turning off his computer, non-persistent
cookies do not work. Of course, users cannot decide what kinds
of cookies they will receive from Web sites, but it is good to be aware of
the difference.
To make guessing your ID difficult, make sure the values you use are as
long and random as possible. Using a 100-character string containing
letters and numbers for your cookie value ensures that there is no pattern
and makes the value almost impossible to guess. For example, if the first
time an attacker goes to your site he gets a value of 0000000888, and the
next time he goes he gets a value of 0000000889, there’s a good chance
that if he tries 0000000885 he will get a valid cookie. The attacker can
use this to access information he normally shouldn’t have access to.
On most browsers, you can disable cookies or selectively decide which
cookies to accept. Just keep in mind that if you do not accept cookies,
some sites do not work. To disable cookies, set the Security Level for the
Internet Zone to High.
Figure 4.11 shows this for Internet Explorer.
Figure 4.11. How to disable cookies using Internet Explorer.
URL Session Tracking
Another common way of tracking session information is by placing it right
in the URL. When you go to certain sites, you might notice that the URL
looks something like the following:
http://www.fakecompany.com/ordering/id=982671666273882.6647382
The number at the end is your session ID. If an attacker can guess that
ID, he can take your identity and take over your active session. As with
cookies, dozens of times while checking the security of a web site for a
client, I have connected to a site to get a feel for the patterns the
company uses for session IDs. After connecting, I try to guess some IDs.
Usually, I can find out the session ID of a user within five guesses and
access and modify their information. In one case, I accessed the results of
a very sensitive online medical exam. Only the individual who took the
exam was supposed to see the results, but they were stored online for a
month in case the individual wanted to go back and check the results.
With this type of attack, you need to remember that the user does not
have to be online for the attacker to be successful. In many cases, the
web application does not time out a user immediately and can sometimes
wait a couple of hours until the session ID is no longer valid. During this
time, an attacker can guess the session ID and become that user. The
way a web application is configured dictates whether the attacker can
guess a session ID and connect while the user is still online.
Protection Against URL Session Tracking
The best defense against URL session tracking is to use long and random-like
strings for the session ID. Also, the more characters you use, the
lower the chance of guessing correctly. For example, a four-character
session ID, containing only numbers, is easy to guess or figure out the
pattern. On the other hand, a 75-character session ID with letters,
numbers, and special characters is much harder to guess. Remember,
because most of your security is based on the session ID, it is worth a
little extra time and energy to make sure it is secure. To protect against
this type of attack, the defensive measures have to be done on the Web
server side. There is little that a user can do to prevent this type of attack.
Hidden Form Elements
The old saying “What you see is what you get” is not necessarily true
when it comes to the web. The data or document that the server sends to
your browser is interpreted by your browser and displayed to you. The
next time you have a Web page up, select Source from the View menu,
and you will see all of the code that is interpreted by your browser. In
some cases, the browser ignores some text, called hidden text. The
following is a portion of code taken from an online bookstore:
<HTML>
<HEAD>
<title>Somestore.com - Product Info for A Guide to Expert Systems (Teknowledge Series in Knowledge Engineering)</title>
<BASE HREF="http://www1.somestore.com">
<!-- START PAGE HEADER CODE -->
<meta name="robots" content="all, index, follow"></head>
<body bgcolor="#FFFFFF" text="#000000" link="#003399" vlink="#666633" alink="#CC3300" topmargin="6">
<table cellpadding=0 cellspacing=0 border=0 width=100%>
<!--Top Row : Logo and Tabs--><tr>
…..
<INPUT TYPE=HIDDEN NAME=YWH VALUE="http://www1.somestore.com/catalogs/computing/subjects.asp?VM=C&SubjectCode=XES" >
<form action="http://www1.somestore.com/shop/quicksearch.cl" method="get">
<input type="hidden" name="SearchFunction" value="key"><input type="hidden" name="vm" value="c">
<table border="0" cellpadding="2" cellspacing="0" bgcolor="#D6D3C4">
<tr>
<td align="center"><table border="0" cellpadding="4" cellspacing="0" bgcolor="#D6D3C4">
<tr>
You might notice that several places begin with <INPUT TYPE=HIDDEN
NAME. This is information that the browser wants to keep but does not
want displayed to the user. HTML is not true WYSIWYG (What You See Is
What You Get); therefore, data can be hidden in the HTML page but not
displayed to the end user by the web browser. This is another way web
sites track users. They use a session ID, as in the other examples, but in
this case, the session ID is hidden in the form. Again, an attacker can go
in and modify this information so that he can act or spoof a different
account and therefore have access to that information.
Protection Against Hidden Form Elements
The best way to protect against these types of attacks is to have hard-to-guess
IDs that are as random as possible. These measures are the same
protection I recommended for cookies and URL session tracking. In all of
these cases, the session ID must be protected and difficult to guess. If an
attacker can make logical guesses and have a high chance of getting a
session ID, it doesn’t really matter how the session ID was transmitted to
the user.
The only thing the user can do is make sure his computers are properly
protected and use web applications for sensitive information, like
banking, only if the Web site is properly designed and protected from a
security standpoint. It all comes down to how well the session IDs are
protected and how difficult they are for someone to guess.
For example, for an online banking application, I recommend at least a
15-character session ID that is composed of lowercase letters, uppercase
letters, numbers, and special characters that are randomized, so the
chances of guessing the ID are slim. I also recommend using two session
IDs. One session ID for viewing information should be good for a
maximum of an hour and expire as soon as a user logs off the system or
after five minutes of inactivity. A second session ID is used for updating
information and is good for a maximum time of five minutes. Remember,
this might seem complicated, but these are things that the computers do,
not humans. What is the difference between a 10-character or 30-character
session ID? From the user’s point of view, it does not matter, so
why not err on the cautious side and, if in doubt, make it longer.
Because an attacker only needs to successfully guess one session ID, the
length of the key is also a factor of the number of users on the system. If
I have a five-character session ID but only two users, the chance of an
attacker guessing one valid ID is slim. On the other hand, if I have a five-character
session ID and 20,000 users, the chance of success is much
greater, because there are a greater number of valid session IDs to
guess.
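The advice given for cookies, URL session IDs and hidden form fields is the same in each case: the ID must be long, random, and short-lived, and the odds of a guess scale with the number of live sessions. The following is an added example, written for this page and not code from the book, of a small server-side session store that applies the policy recommended above: unpredictable IDs drawn with a cryptographic random source, a viewing session capped at one hour with a five-minute idle timeout, a separate updating session capped at five minutes, and invalidation on logoff. The 32-character length, the special-character set, and the names of all functions and classes are assumptions made for the example; the sequential generator is included only to make the contrast with the hardened one concrete.

```python
"""Session ID issuance and expiry along the lines recommended above."""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Alphabet: lowercase, uppercase, digits and special characters (76 symbols).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"
ID_LENGTH = 32           # assumption; comfortably above the 15-character minimum
VIEW_MAX_AGE = 3600      # viewing session: one hour at most
VIEW_IDLE_TIMEOUT = 300  # ...and gone after five minutes without activity
UPDATE_MAX_AGE = 300     # updating session: five minutes at most


def weak_session_id(counter: int) -> str:
    """The pattern the chapter warns about: a zero-padded counter (0000000888, 0000000889, ...)."""
    return f"{counter:010d}"


def strong_session_id(length: int = ID_LENGTH) -> str:
    """Uniformly random characters from a CSPRNG; no pattern between consecutive IDs."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def guess_probability(alphabet_size: int, length: int, active_sessions: int) -> float:
    """Chance that one uniformly random guess hits *some* currently valid session."""
    return active_sessions / (alphabet_size ** length)


@dataclass
class Session:
    user: str
    kind: str          # "view" or "update"
    created: float
    last_seen: float


class SessionStore:
    """In-memory store; the clock is injectable so expiry can be tested deterministically."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, kind: str) -> str:
        if kind not in ("view", "update"):
            raise ValueError("kind must be 'view' or 'update'")
        now = self.clock()
        sid = strong_session_id()
        self._sessions[sid] = Session(user, kind, now, now)
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the owning user if the ID is valid and unexpired, else None (and forget it)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if s.kind == "view":
            expired = (now - s.created > VIEW_MAX_AGE) or (now - s.last_seen > VIEW_IDLE_TIMEOUT)
        else:
            expired = now - s.created > UPDATE_MAX_AGE
        if expired:
            del self._sessions[sid]
            return None
        s.last_seen = now  # activity refreshes the idle timer only, never the hard cap
        return s.user

    def logout(self, user: str) -> None:
        """Expire every session the user holds as soon as they log off."""
        for sid in [k for k, s in self._sessions.items() if s.user == user]:
            del self._sessions[sid]


if __name__ == "__main__":
    print("weak:  ", weak_session_id(888), weak_session_id(889))
    print("strong:", strong_session_id(), strong_session_id())
    print("guess odds, 10-digit ID, 20,000 users:", guess_probability(10, 10, 20000))
    print("guess odds, 15-char ID, 20,000 users: ", guess_probability(len(ALPHABET), 15, 20000))
```

The two guess_probability calls make the user-count point above concrete: with 20,000 live sessions, a ten-digit numeric ID gives an attacker a two-in-a-million chance per random guess, while a 15-character ID over the 76-symbol alphabet drops that to roughly one in 10^24, before any rate limiting.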
General Web Spoofing Protection
The scary thing about Web spoofing is that it does not require a lot of
expertise or tools. Basically, if you have access to a browser and text
editor, which come with most any operating system, you can launch these
attacks. However, there are some things that you can do to prevent
against these types of attacks. The following are some high-level
suggestions:
• Disable JavaScript, ActiveX, or any other scripting languages that
execute locally or in your browser so that the attacker cannot hide
the evidence of the attack.
With Java or ActiveX, an attacker can run a process in the
background that does whatever he wants and it is transparent to the
user. The only way the victim would know is if she examines the
source code for every page she views, which we all know is not a
practical solution.
If it is not possible to disable scripting languages, at least make sure
the warning banners are enabled and that users are educated on
what these messages mean.
Some other examples of malicious code that have been used to
breach security are Visual Basic Scripting language and the Windows
Scripting host (wscript.exe) and its DOS equivalent (cscript.exe).
• Make sure you validate your application and that you are properly
tracking users. This is not easy to do because it requires a company
that runs a web server to validate the source code and have an
independent security assessment done of the site. This might seem
like a lot of time and energy, but if the site is to process large
amounts of money, it is worth every penny to make sure it is secure
before it goes live. A company can be in a lot of trouble if it is held
liable for compromising sensitive information.
• Make sure users cannot customize their browser to display
important information. Also, make sure that the browser’s location
line is always visible and checked.
• Education is very important. Make sure users pay attention to the
URLs displayed on your browser’s location line. Then, if something
looks suspicious, they will not ignore it but will take action. For
example, if a user thinks he is surfing Microsoft.com’s Web site but
the URL listed says www.btmicrosoft.com, the user should notify the
help desk or internal security immediately.
• When using any form of ID to track a user, make sure it is as long
and random as possible. This makes it much harder to guess.
Because most web spoofing attacks are not that sophisticated, they are
very popular. It is paramount that you protect your site and users from
these attacks. Unfortunately, a big part of the prevention is awareness of
users and education of developers, neither of which is a simple task.
Now that we have looked at several different technical ways of performing
spoofing on the Internet, let’s switch gears and look at some nontechnical
ways of spoofing users. It is interesting that these types of
attacks can be used to gain as much access, if not more, than their
technical counterparts.