Monday, March 3, 2014

Reverse engineering IPmsg: UDP spoof attack to annoy users!

What really caught my attention after reading about Kevin Mitnick was how he conducted the TCP blind spoofing attack. It was an attack which required packet crafting and insertion into an already established TCP connection. What is interesting about this attack is that it does not require knowledge about any specific tools but instead relies on the person's knowledge about the protocol. So I started reading about packet crafting and a protocol or an application that I could play with. The modern OS puts random sequence numbers in the TCP packets making it very difficult to achieve what Kevin Mitnick did.

Thus UDP becomes the obvious choice. In comes IPMsg! It is a UDP based chatting application especially useful in LAN networks. What it suffers from is the spoofing attack. So if you are able to decode the IPmsg packet formats it is upto your imagination how you want to annoy others. From my experience following is an IPMSG packet structure:

|----------------------------------------------------------------|
| 0 | Sequence no | ipmsg-name | hostname | packet-type | data  |                                                                   |                                                                                               |
----------------------------------------------------------------

The 0 is fixed for all packets. Each packet that a user sends is marked by a sequence number, which is increased by one for every new message sent.  The next field is the display name that you have set for Ipmsg. Packet type field defines what kind of packet has been sent. The receiving application processes the data accordingly.

Now by default the sequence number is initialized to the timestamp when the application started.

Let me quickly go through some interesting packet types:

0:startup packet to announce that the host is running ipmsg
288: New packet.
33: acknowledgment for the packet. this is done in the background for all the packets.
1051424: a sealed message. 
1048624: acknowledge a sealed message. Upon receiving such a packet the sender machine will display a pop-up message shown below.

If you start the application, it registers itself on the network by sending a specific message. Following is a sample of the message.

Note that it initializes a counter which increments whenever it sends a new message.

Ipmsg traffic seen on wireshark

The client increases the counter when it sends another message


All the hosts keep track of this counter and ignores any packet with wrong value.

The IPmsg Attack


Ipmsg is a very lightweight and simple application. It has a very basic error detection mechanism at the application layer (verifying the counter value) and it cannot detect a spoofed packet. To slyly insert you can either send an initiation packet and reset the counter value stored by recipient victim. Or you can simply use the values being used by the original sender.

I prefer the former approach since it gives the attacker more control.

Sending the initiation packet:


Send a packet with 0 as the packet type and NULL as data. And set the counter with whichever value you want to. Here is an example.

Note the message type as 0


With this simple packet you have hijacked the connection. The original machine is unaware of this and it will keep using its own counter value which the recipient machine will ignore since the attacker has reset and changed the value.

Sending messages

You need to run Wireshark while you send spoofed packets to know the counter value of the recipient machine. As soon as you send the packet mentioned above the recipient machine will reply with its confirmation message and its own counter value.

A Demo:

Important Note:

The latest version of Ipmsg encrypts all data and it cannot be configured to send in plaintext. Therefore install the older version and change the registry value
HKEY_CURRENT_USER\Software\HSTools\IPMsgEng --> EncryptNum to 0.

This will force the Ipmsg to use plaintext.


I have used colasoft packet crafter which works on windows. it is a little difficult to use and I would highly suggest tools like scapy or hping3.

First send a packet with message type 0 and set a custom counter value.




To send a message use the packet type 288. Construct a packet with appropriate mac entries. If the destination pc does not reside on your own subnet then you will have to put your gateways mac as the destination mac.




Even more fun

There are two ways to send a message in ipmsg. One is the default method and the other is known as a "sealed" message. When you send a sealed message the receiver has to click on the a greyed box to display it. Upon clicking a UDP message is sent to the initial sender of the message and an intrusive pop up is displayed on his screen.

video

Colasoft packet crafter running 




Now, suppose I start sending these UDP messages to a victim machine acting as someone else?


Moreover you can automate the entire process using hping with Tcl or Scapy.

I hope you get my point!

Some interesting things that you can do-
a) Act as some other device and send packets with someone else's name.
b) Fill the victim machine's screen with confirmation pop ups.

Conclusion


As it is clear by now, there is no way to tell who sent what. Although this post is concentrated on Ipmsg, the subtle point is that it is strongly recommended that such applications are not run in corporate or critical environments.
All important data should be encrypted and only reliable clients should be used.

For a protocol designer, there are techniques to make a protocol robust against such replay or spoofed attacks.

Important Links


1) Wiki on Kevin mitnick
2) TCP/IP spoofing attack
3) Ipmsg older version
4) Replay attacks

Sunday, February 16, 2014

IPv6 DoS attack using router flooding


This is one of the simplest DoS attacks I have ever seen. It is very easy to carry out and it's effects are devastating. It is a little different from normal DoS attacks in the sense that even when the attacker stops the attack the victim machines' resources will not free up! This makes it very lethal. The other point of difference is that it can be carried out only in a LAN environment.

Before we delve into the actual attack and its solutions we need to understand a little about ipv6 and its functioning.

Stateless autoconfiguration in IPv6 and Router advertisement packets

When a machine is statically assigned an ip address or it receives one via a dhcp server it is called as a stateful configuration. An ipv6 machine has the ability to generate a unique ipv6 address even if it is not able to communicate to a dhcpv6 server. This is known as stateless autoconfiguration.

It generates the ipv6 address using network blocks advertised in what is known as router advertisement packets (RA). The local router maintains a list of all network blocks which are supposed to be given by a dhcp server and which are supposed to be given as stateless address blocks.

So whenever a router sends a RA packet containing stateless address blocks a hosts accepts the packet and assigns an address to itself belonging to that network.

By default, all the modern OS listen to ipv6 Router advertisement packets without verifying and authenticating the router. Interestingly, OS like Windows (7 and 8) and FreeBSD do not have an upper limit to the number of such stateless network a machine can belong to. ( an ipv6 device can be a part of many ipv6 networks).

Moreover the whole process of listening and generating ipv6 address is somewhat CPU intensive.

These are the key ingredients of an ipv6 attack.

Suppose a malicious attacker rapidly starts sending bogus ipv6 router advertisements. Windows and FreeBSD at some point will get overwhelmed and will start using a lot of memory and CPU. Infact a tool designed to exploit this utility can bring down an entire network of ipv6 hosts within seconds.

The ipv6 router flood attack


All you need is the script which can be found in Kali linux. Connect your machine to a LAN network and simply run this script. Right now, you cannot direct this attack to a particular host and it will bring down the entire network.

It is as easy as running:

flood_router6 [interface]

For demonstration I ran a Kali VM and connected my laptop with another. Both were running windows 7. I ran this command and within seconds the CPU spiked to 100% utilisation. Infact even after stopping the attack the machine remained unresponsive and I had to reboot the machine!

IPv6 addresses bound to the attacked machine

Wireshark capture of the attack.
CPU utilisation after half an hour of stopping the attack




Solutions:


There are many ways to stop this attack.

1) Disabling router discovery

System administrators can disable router discovery. The machine will discard any RA packets.

netsh int ipv6 set int "[int number]" routerdiscovery=disabled

To find your interface number run the command

netsh interface ipv6 show interface

Disabling router discovery

the netsh show interface command

2) RA Guard:


There are switches with RA guard feature. Turning it can mitigate this attack although the script has a few advanced options which can be used to defeat it. More about this in a later post.


3) Using firewall to block such packets. 

Conclusion


This attack is very lethal since it renders the machine totally unusable. Only rebooting solves the problem. Moreover many latest operating systems including Windows 7, 8 , Surface and Android are vulnerable! Since all the modern OS are ipv6 ready and listen for RA packets, this attack can create chaos in a network.


Important links:


1) How IPv6 works
2) IPv6 message formats
3) Kali linux
4) Router flood author
5) Router Guard