Spoofing can be translated as "posing as another" and the aim of this technique is precisely to act on behalf of other users, usually to perform Snooping or Tampering tasks. A common form of Spoofing is to get the name and password of a legitimate user to, once entered the system, take actions on behalf of him.
The intruder usually uses one system to obtain information and enter another, and then uses this to enter another, and so on. This process, called Looping, and has the purpose of "evaporate" the identification and location of the attacker.
The road taken from the origin to the destination can have many stations, which obviously exceed the limits of a country. Another consequence of Looping is that a company or government may assume that they are being attacked by a competitor or a foreign government agency, when in fact they are surely being attacked by an Insider, or by a student thousands of miles away, but has taken the identity of others.
The investigation of origin of a Looping is almost impossible, since the investigator must count on the collaboration of each Administrator of each network used in the route. Sending fake e-mails is another form of Spoofing that networks allow. Here the attacker sends E-Mails on behalf of another person for any purpose and purpose. Such was the case of a university in the USA. which in 1998 had to reschedule a full examination date since someone on behalf of the secretariat had canceled the actual date and sent the message to the entire student list.
Many attacks of this type begin with Social Engineering and users, due to lack of culture, facilitate to strangers their identifications within the system usually through a simple telephone call.
Spoofing in terms of network security refers to the use of spoofing techniques generally with malicious or research uses.
There are different types depending on the technology to which we refer, which will be described later, such as IP spoofing (perhaps the best known), ARP spoofing, DNS spoofing, Web spoofing or e-mail spoofing, although in general it can be encompassing within spoofing any network technology susceptible to identity theft.
Types of Spoofing
Impersonation of IP. It basically consists of replacing the source IP address of a TCP / IP packet with another IP address to which it is desired to supplant. This is usually achieved thanks to programs intended for it and can be used for any protocol within TCP / IP such as ICMP, UDP or TCP. Keep in mind that the responses of the host that receives the packets will be directed to the counterfeit IP. For example if we send a ping (icmp package "echo request") spoofed, the response will be received by the host to which the IP belongs legally. This type of spoofing coupled with the use of broadcast requests to different networks is used in a type of flood attack known as a Smurf attack. In order to perform IP SPOOFING in TCP sessions, you must take into account the behavior of such a protocol with the sending of SYN and ACK packets with your specific ISN and taking into account that the actual owner of the IP could (if not be prevented from doing so) from cutting the connection at any time when receiving packages without having requested them. Also note that current routers do not support sending packets with source IP not belonging to one of the networks it manages (spoofed packets will not exceed the router).
Spoofing for ARP table spoofing. This is the construction of modified ARP request and response frames in order to falsify a victim's ARP (IP-MAC relationship) table and force it to send the packets to an attacking host rather than to its legitimate destination. Explaining it in a simpler way: The Ethernet protocol works through MAC addresses, not through IP addresses. ARP is the protocol in charge of translating IP addresses to MAC addresses so that communication can be established; so when a host wants to communicate with an IP it sends an ARP-Request frame to the Broadcast address requesting the MAC of the host host the IP with which it wants to communicate. The computer with the requested IP responds with an ARP-Reply indicating its MAC. Switches and hosts store a local table with the IP-MAC relationship called "ARP table". This ARP table can be falsified by an attacking computer that issues ARP-REPLY frames indicating its MAC as a valid destination for a specific IP, such as that of a router, in this way the information addressed to the router would pass through the attacking computer, sniff this information and redirect it if you wish. The ARP protocol works at the data link level of OSI, so this technique can only be used in LAN networks or in any case in the part of the network that remains before the first Router. One way to protect yourself from this technique is by using static ARP tables (as long as network ips are fixed), which can be difficult on large networks.
arp -s IP MAC
For example: arp -s 192.168.85.212 00-aa-00-62-c6-09
Other ways to protect yourself include using ARP table change detection programs (such as Arpwatch) and using the port security of switches to avoid changes to MAC addresses.
Phishing by domain name. It is the distortion of an "IP-Domain Name" relationship to a name resolution query, that is, to resolve with a false IP address a certain DNS name or vice versa. This is achieved by falsifying the entries in the Domain Name-IP relationship of a DNS server, through a particular server vulnerability or by its reliance on unreliable servers. Faked entries on a DNS server are likely to infect (poison) the DNS cache of a different server (DNS Poisoning).
Impersonation of a real web page (not to be confused with phising). It routes the connection of a victim through a false page to other WEB pages in order to obtain information about that victim (WEB pages viewed, information of forms, passwords etc.). The fake WEB page acts as a proxy requesting the information required by the victim to each original server and even skipping SSL protection. The attacker can modify any information from and to any server that the victim visits. The victim can open the fake website through any type of deception, even opening a simple LINK. The WEB SPOOFING is difficult to detect, perhaps the best measure is a browser plugin that shows the IP of the server visited at all times,
Impersonation in email of the e-mail address of other people or entities. This technique is used regularly for sending hoax e-mails as a perfect supplement for the use of phishing and for SPAM, it is as simple as using an SMTP server configured for this purpose. To protect yourself, you should check the sender's IP address (to find out if that IP belongs to the entity that indicates the message) and the address of the SMTP server used. Another technique of protection is the use of digital signatures.
Occurs when an attacker manages to intercept an already established session. The attacker waits for the victim to identify himself / herself to the system and after that, he / she replaces him / her as an authorized user
The back doors are pieces of code in a program that allow the one who knows them to skip the usual authentication methods to perform certain tasks. They are usually inserted by system programmers to speed up the task of testing code during the development phase. "(1)
This situation becomes a security breach if it is kept, unintentionally or intentionally, once the product is finished as any that knows the hole or finds it in its code can skip the normal control mechanisms.Using
It is very frequent to enter a system exploiting holes in the encryption algorithms used, in the administration of the keys by the company, or simply finding an error in the programs used.
The programs to exploit these "holes" are called Exploits and what they do is take advantage of the weakness, failure or error found in the system (hardware or software) to enter it.
New exploits (exploiting new errors in systems) are published every day so keeping informed of them and the tools to combat them is of vital importance.
This method involves obtaining by "Gross Force" those keys that allow you to enter the systems, applications, accounts, etc. attacked.
Many access passwords are easily obtained because they involve the user's name or other family data and, in addition, it is never (or rarely) changed. In this case the attack is simplified and involves some time of trial and error. Other times, systematic attacks (even with several computers at the same time) are carried out with the help of special programs and "dictionaries" that test millions of possible passwords until finding the correct password.
The password management policy will be discussed in later chapters.
Dictionaries are files with millions of words, which can be passwords of users. This file is used to discover this password in brute force tests.
The program in charge of testing each of the words encrypts each of them, using the algorithm used by the attacked system, and compares the encrypted word against the password file of the attacked system (previously obtained). If they match, the system access key has been found, using the user corresponding to the key found.
Currently it is possible to find large dictionaries oriented, even, to a specific area according to the type of organization that is attacking.
In Table 7.4 we can observe the search time of a key according to its length and type of characters used. The search speed is assumed at 100,000 passwords per second, although this number is usually much higher depending on the program used.
Here you can see the importance of using passworS of 8 characters in length.