spoofing full report
Active In SP
Joined: Mar 2010
31-03-2010, 02:41 PM
Types of Spoofing
Non-network (social engineering)
Keep in mind that the replies will go to the spoofed return address.
Easy to do.. simply change your machine’s IP address. You may have to alter your routing table so that the packets
Three basic flavors of IP spoof attacks:
Basic Address Change
Use of source routing to intercept packets
Exploitation of a trust relationship (UNIX)
Basic IP Address Change
Low tech – no replies are received.
Typically only used to extend blame to innocent persons, or for DoS
Simple to do
Protect against with good firewall rules – keep your machines from launching a spoofed IP – router filters
Limit configuration access on machines
Programs like arpwatch that keep track of IP/MAC pairings
Source routing is one of the IP options that allows the specification of an IP address that should be on the route
for the packet delivery.
This allows someone to use a spoofed return address, and still see the traffic by placing his machine in the path.
Doesn’t work very well these days, since most routers’ default configuration is to not allow source routing (the
option is ignored, or the packets are dropped)
Loose Source Routing (LSR)
Strict Source Routing (SRS)
UNIX systems are notorious for this.
A trust relationship uses IP address for authentication. From a convenience standpoint, this is really easy.
Protection is simple – do not allow them to be used.
Done for 3 main purposes:
Impersonate someone to extend blame
Social engineering – impersonate someone to get information or privileges
Email Spoofing Techniques
Similar email addresses
Modify mail client
Telnet to port 25 to manipulate the SNMP agent.
Anonymous Remailers can be used – forwards an email, concealing who really sent the message.
Similar Email Address
Attacker registers an address that looks very similar to the person he wants to impersonate.
Employee education and awareness.
Set up the company’s email so that it can be accessed remotely – thereby eliminating the ‘need’ to use another
email server. Policy that states that all business email must be via the business’s email server.
Modifying a Mail Client
Edit the client to change the ‘from’ address.
Any replies will go back to the spoofed address, however.
Strict policy against any employee doing this.
Education – look at the full email header. Email logging.
Telnet to Port 25 – Email Relaying
Most email servers today do not allow email relaying. They only allow emails to be sent to/from their range of IP
addresses. They ensure that the recipient’s domain is the same domain as the mail server. The attacker can run his
own email server, but then he is easier to trace.
Defense - Do not allow Email relaying on your SMTP servers
Use a ‘server-side certificate’. Still, users should be educated on how to recognize a valid certificate, since
these can be spoofed as well.
‘Man-in-the-Middle’ refers to a machine that is set up so that traffic between two other machines must pass through
the MitM machine.
Difficult to set up, especially over the Internet. Not so difficult in a LAN environment.
Provides no additional advantages over a ‘sniffer’ – is actually just a way to implement a sniffer.
Encryption – however, MitM can refer to an intermediate encrypter
Strong perimeter security for Internet MitM attacks.
Only secure as the weakest link – the MitM can attack from either end. So, even if you have strong security, but
your partner does not, the MitM is possible from the other end.
Attacker is re-directing web traffic to another site that is controlled by the attacker
Accomplished by re-writing the links on a web page.
Only way to tell is by looking at the HTML code, or watching the link in the browser
The link can be set to ‘pass through’ the attacker’s machine (another form of MitM)
There are sites which do this on purpose for the user. The Anonymizer.com site is one such site.
Again – educate your users
Look at the actual URL
Examine the source
Defend your pages against re-write. Install latest patches.
Attacker visits a site and impersonates a user.
It is important for business purposes to keep track of what users do on your site.
Typically handled with..
URL Session Tracking
Hidden Form Elements
Easy to use and quite popular
Persistent – stored on the hard drive as a text file, and accessed by the browser
Non-persistent – stored in memory and disappears when machine is shut down
If a hacker wants to impersonate another user, he simply needs to copy their cookie onto his machine.
Cookies can be sniffed.
Cookies can be guessed. Hacker gets his own cookie, then makes experimental changes in some of the values.
Can NOT be used to pass viruses or malicious code
Ensure that cookie files cannot be obtained from users’ machines – password-protected screen savers, for example
Ensure that your company’s cookies use un-guessable cookie IDs.
Cookies can be disabled – however many convenience functions are lost, and some web sites may not even work. They
can be set to ‘approve’ on each occurrence, but this can get quite annoying and eventually have no effect (user
simply says ‘yes’ to all)
URL Session Tracking
Another way of tracking session information is to place it right in the URL:
Attacker may be able to guess an ID. Yahoo chat is an example of this.
If there are enough digits in the ID, then guessing a valid one would be difficult. This is the key to using this
There is little that the user can do for protection. You might educate them to be wary of any ID values that do not
have a large number of digits.
Hidden Form Elements
HTML can include form elements that have ‘hidden’ properties – that is they are not displayed
The user’s ID can be stored in these forms.
The attacker can view the HTML code and find the form’s name and use the url area to edit the information in the
form, thereby accomplishing the same thing.
Defense is still the same – hard to guess IDs.
Calls help desk, impersonating an employee
Calls to IT, acting like a vendor to find out software being used
Calls an employee, impersonating a manager in order to get reports, etc.
Impersonate a company that supplies/supports target company – by implanting false information (say a postcard with
a new phone number)
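The "hard to guess IDs" defense that the post above gives for cookies, URL session tracking and hidden form elements, as an added example that is not part of the original post. All function names, the `SERVER_KEY` secret and the demo session tables are hypothetical; the HMAC tag on the stored value is an addition beyond the post, so that an edited cookie or hidden field is rejected rather than trusted.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

def weak_session_id(counter):
    """Guessable: a valid ID's neighbours are valid too."""
    return f"{counter:06d}"

def strong_session_id():
    """128 bits from the OS CSPRNG, safe to place in a cookie or URL."""
    return secrets.token_urlsafe(16)

def seal(user_id, key=SERVER_KEY):
    """Value for a cookie or hidden field: the ID plus an HMAC-SHA256 tag."""
    tag = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"

def unseal(value, key=SERVER_KEY):
    """Return the user ID if the tag verifies, else None (edited or forged)."""
    user_id, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return user_id if ok else None

def neighbours_valid(sessions, my_id):
    """Audit helper: count IDs within +/-5 of my_id that are live sessions."""
    if not my_id.isdigit():
        return 0  # random tokens have no meaningful "next" value
    n = int(my_id)
    near = (f"{i:06d}" for i in range(n - 5, n + 6) if i != n)
    return sum(1 for sid in near if sid in sessions)

# Constructed demo data: ten sessions under each scheme.
weak = {weak_session_id(1000 + i): f"user{i}" for i in range(10)}
strong = {strong_session_id(): f"user{i}" for i in range(10)}
```

With the counter-based scheme, nine of the ten IDs adjacent to one valid ID belong to other users; with the random tokens none do.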
smart paper boy
Active In SP
Joined: Jun 2011
20-06-2011, 10:16 AM
Presentation_Spoofing.ppt (Size: 383.5 KB / Downloads: 72)
The False Digital Identity
What is Spoofing?
Spoofing is the action of making something look like something that it is not in order to gain unauthorized access to a user's private information.
IP spoofing is the act of manipulating the headers in a transmitted message to mask a hacker's true identity so that the message could appear as though it is from a trusted source.
In a Man-in-the-Middle attack, the message sent to a recipient is intercepted by a third-party which manipulates the packets and resends its own message.
Denial of Service (DoS) Attack
A DoS attack is when an attacker floods a system with more packets than its resources can handle.
Monitoring packets using network monitoring software.
Installing a filtering router
URL spoofing occurs when one website poses as another. The URL address displayed appears to be legitimate but is not the actual URL of the site.
For example, the URL chase.com may be displayed in the website; however, information is sent to an entirely different location.
Using a Fraudulent site to obtain sensitive information
Browser security patches
Altering the header of an email so that the email appears to be sent from someone else
Cause confusion or discredit a person
Social engineering (phishing)
Hide the identity of the sender (spamming)
Relay replies of your own messages to a different mailbox
How can you find out if an email is spoofed?
Check the content of the email:
Is the content weird in some way, or really unexpected from the sender?
Does it contain a form?
Does it request to either confirm or update login or any kind of information?
Check the header of the email
What if someone pretends to be me?
You can’t really do anything
How do you prevent it?
Do not post your email address on boards, forums or chats
Do not use your email address as a username to login to a site
Have separate addresses for different online activities
What makes email spoofing possible?
It is easy to spoof email because SMTP (Simple Mail Transfer Protocol) lacks authentication. If a site has configured the mail server to allow connections to the SMTP port, anyone can connect to the SMTP port of a site and (in accordance with that protocol) issue commands that will send email that appears to be from the address of the individual's choice; this can be a valid email address or a fictitious address that is correctly formatted.
Yahoo! – DomainKeys – “Internet standard from Yahoo! that lets us confirm whether emails are really from their claimed domain”
CertifiedMail's Secure Email System for in-house use enhances your existing email system by providing secure, trackable delivery of e-mail messages to any Internet recipient.
Mail Server Authentication
Digitally Signed Email with Desktop Verification
Digitally Signed Email with Gateway Verification
Mail Server IP Verification