              Outbreak Magazine Issue #13 - Article 1 of 15
          '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'

######################################################################
##       .:: Network Layer Attacks. -dropcode. 13.01.2003 ::.       ##
######################################################################

The network layer is the third layer of the standard Open Systems
Interconnection (OSI) model. It handles addressing and routing of
packets over networks. Some of the network layer functions include
the translation of logical addresses (ip/hostnames) to physical
addresses (MAC/computernames) using ARP/RARP/etc, determining the
most efficient routes for data to take using RIP/OSPF/BGP/etc,
and breaking data down and reassembling it.

The  network  layer  is  the  bridge between the transport layer which 
handles  flow  control  between  two  parties of a network session and
the  datalink  layer  which translates network packets into raw binary
bits (111101001101001).

This  article  will  discuss  various  insecurities in various network
layer protocols and methods of exploitation.

----------------------------------------------------------------------
Sniffing.
----------------------------------------------------------------------

Sniffing  is  basically picking up packets that weren't meant for you.
It  can  be done either passively (on shared networks) or actively (on 
either shared or switched networks).

The ethernet protocol (rfc 1483) broadcasts frames (the ethernet
equivalent of ip packets) to every node on a network. The node it was
intended for will pick it up and all other nodes will ignore it. This
is how traffic on an ethernet network flows. On bigger networks this
becomes quite chaotic. In order to get around the mess of packets on
an ethernet network, switches are used to direct packets to their
destinations. On a switched network, each node will only receive data
meant for it, whereas on a shared network each node will receive ALL
data traversing the network.

If  you  need  to  determine  whether a network is shared or switched, 
just  examine  the  packets  you're  getting.  If  you're only getting 
broadcasted  packets  and packets that were meant for you, then you're
either  the  only active system, or the network is switched. If you're
getting tons of packets that weren't meant for you... then the
network is shared.
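The shared-versus-switched check above, as an added example that is not part of the original article: it decodes the 14-byte Ethernet header of each captured frame, buckets frames by destination MAC, and treats any unicast frame addressed to some other station as proof of shared media. The frames are constructed inline (no real capture); the MAC values and the capture names are assumptions made for the example.

```python
import struct
from collections import Counter

# Ethernet II header: destination MAC, source MAC, EtherType (network byte order)
ETH_HDR = struct.Struct("!6s6sH")
BROADCAST = b"\xff" * 6

def classify_frame(frame, my_mac):
    """Bucket one raw frame by its destination MAC."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("truncated Ethernet header")
    dst, _src, _ethertype = ETH_HDR.unpack_from(frame)
    if dst == my_mac:
        return "mine"
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:          # group bit set: multicast, flooded by switches too
        return "multicast"
    return "other"             # unicast addressed to some other station

def infer_segment_type(frames, my_mac):
    """Return ('shared' | 'switched-or-alone', per-bucket counts).

    Unicast frames for other stations should never reach this NIC on a
    switched segment, so any 'other' frame is the tell-tale of shared media.
    Broadcast and multicast are flooded on both kinds of segment and prove
    nothing either way."""
    counts = Counter(classify_frame(f, my_mac) for f in frames)
    verdict = "shared" if counts["other"] else "switched-or-alone"
    return verdict, dict(counts)

# --- constructed sample capture (not real traffic) -----------------------
def _frame(dst, src, ethertype=0x0800):
    return ETH_HDR.pack(dst, src, ethertype) + b"\x00" * 46   # minimum payload pad

MY_MAC  = bytes.fromhex("001122334455")
PEER_A  = bytes.fromhex("0a0b0c0d0e01")
PEER_B  = bytes.fromhex("0a0b0c0d0e02")
GATEWAY = bytes.fromhex("aabbcc000001")

SHARED_CAPTURE = [
    _frame(MY_MAC, GATEWAY),              # for us
    _frame(BROADCAST, PEER_A, 0x0806),    # ARP request, flooded everywhere
    _frame(PEER_A, GATEWAY),              # someone else's unicast: only seen on shared media
    _frame(PEER_B, PEER_A),
]
SWITCHED_CAPTURE = [
    _frame(MY_MAC, GATEWAY),
    _frame(BROADCAST, PEER_A, 0x0806),
    _frame(bytes.fromhex("01005e000001"), GATEWAY),   # IPv4 all-hosts multicast
]

if __name__ == "__main__":
    for name, cap in (("shared", SHARED_CAPTURE), ("switched", SWITCHED_CAPTURE)):
        print(name, infer_segment_type(cap, MY_MAC))
```

The verdict is deliberately "switched-or-alone" rather than "switched": a quiet segment with no other active hosts looks exactly the same from one NIC, which is the ambiguity the text points out.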

On  a shared network, it is possible to sniff passively. All one needs
to do is capture packets on one of the systems of the network. Because
all  packets are broadcasted, that system will see every single packet
and  therefore  be  able  to grab data being sent from or to any other 
system  on  said  network.  It is possible to get email, passwords and 
other sensitive information in this way.

On  a  switched  network, passive sniffing is not possible because the
data  isn't broadcasted. The attacker must resort to actively sniffing 
for data. There are various ways for an attacker to actively sniff the 
network. We'll examine a few below.

ARP Cache Poisoning.

On  an  ethernet network frames are sent to the physical MAC addresses
of  nodes. Obviously, packets coming in from the wild will have no way
of  knowing  the  MAC  address of the device it was meant for. For the
task  of resolving the MAC address of a device from the destination ip 
in the header of a packet, the Address Request Protocol (rfc 1433) is
used. Network devices have ARP caches which store associations between
ip's  and  mac  addresses. The switch or hub will get the packet, find 
the  ip  in  its  table  and  forward  the  data to the associated mac 
address.

ARP  is  a  stateless protocol, meaning that it must honor all replies 
whether  or not they were requested. It is possible for an attacker to
use  this  to  his  advantage  in  mounting a man-in-the-middle attack
in the following manner:

The  attacker  needs  first to have access to a system on the network. 
This  could  be  done locally, or by remotely compromising the system.
He  would then determine the IP address of the target system. He would
send ARP packets to the network's switch/hub spoofed as the target's
IP containing the MAC address of the NIC card actually being used by
the  attacker.  "Hey this is my IP (actually the ip of the target) and
this  is  my  mac  addy (the actual mac addy of the NIC in the box the
attacker is using)"

From that point on, all packets wrapped with the target's ip will be
forwarded to the attacker's mac addy. The attacker would record and
forward all packets to their destination. 

The target will often be the head router.

Once the attacker is finished intercepting data, he will repair the
ARP cache by replacing his entry with the real entry; this is called a
clean MITM attack.

It  is  also possible to DoS the network by filling the ARP cache with 
bogus MACs. 

DoSing switches.

Sometimes, if a switch gets flooded with bogus MACs it will run out of 
memory and revert to acting as a hub. This means an attacker can sniff
data passively after flooding a switch.
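The two switched-network techniques above (ARP cache poisoning and MAC flooding) as seen from the monitoring side, as an added example that is not part of the original article: it decodes RFC 826 ARP-over-Ethernet frames, keeps the IP-to-MAC bindings a victim's cache would end up with, and raises an alert for exactly the properties the text relies on (a reply nobody asked for, a binding that changes, a sender MAC that disagrees with the frame), plus a distinct-source-MAC counter for the flood case. All frames, addresses and the alert threshold are constructed assumptions.

```python
import struct
import ipaddress

ETH_HDR = struct.Struct("!6s6sH")                # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")        # RFC 826 Ethernet/IPv4 ARP body
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa)),
            "eth_src": mac_str(src)}

class ArpMonitor:
    """Tracks IP->MAC bindings from replies and flags the patterns of a poisoning attempt."""
    def __init__(self):
        self.bindings = {}       # ip -> mac, as a victim's cache would end up
        self.pending = set()     # target IPs of requests seen but not yet answered
        self.alerts = []

    def feed(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return
        if arp["op"] == ARP_REQUEST:
            self.pending.add(arp["tpa"])
            return
        if arp["op"] != ARP_REPLY:
            return
        ip, mac = arp["spa"], arp["sha"]
        if ip in self.pending:
            self.pending.discard(ip)
        else:                    # ARP is stateless, so hosts accept this; a monitor should not
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        if mac != arp["eth_src"]:
            self.alerts.append(f"sender MAC mismatch for {ip}: ARP {mac}, frame {arp['eth_src']}")
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"binding change: {ip} was {old}, now {mac}")
        self.bindings[ip] = mac

def distinct_source_macs(frames):
    """Number of distinct source MACs; a sudden surge is the signature of MAC flooding."""
    return len({ETH_HDR.unpack_from(f)[1] for f in frames if len(f) >= ETH_HDR.size})

def mac_flood_suspected(frames, threshold=100):
    return distinct_source_macs(frames) > threshold

# --- constructed sample frames (not a real capture) ----------------------
def _arp(op, sha, spa, tha, tpa):
    sha_b, tha_b = bytes.fromhex(sha), bytes.fromhex(tha)
    eth_dst = BROADCAST if op == ARP_REQUEST else tha_b
    body = ARP_PKT.pack(1, 0x0800, 6, 4, op, sha_b, ipaddress.IPv4Address(spa).packed,
                        tha_b, ipaddress.IPv4Address(tpa).packed)
    return ETH_HDR.pack(eth_dst, sha_b, ETHERTYPE_ARP) + body

HOST, GATEWAY, ROGUE = "001122334455", "aabbcc000001", "deadbeef0001"
POISON_CAPTURE = [
    _arp(ARP_REQUEST, HOST, "192.168.1.10", "000000000000", "192.168.1.1"),   # who-has gateway?
    _arp(ARP_REPLY, GATEWAY, "192.168.1.1", HOST, "192.168.1.10"),          # genuine is-at
    _arp(ARP_REPLY, ROGUE, "192.168.1.1", HOST, "192.168.1.10"),            # unsolicited rebinding
]
FLOOD_CAPTURE = [ETH_HDR.pack(BROADCAST, bytes([0x02, 0, 0, 0, i >> 8, i & 0xff]), 0x0800)
                 + b"\x00" * 46 for i in range(300)]

if __name__ == "__main__":
    mon = ArpMonitor()
    for f in POISON_CAPTURE:
        mon.feed(f)
    print("\n".join(mon.alerts))
    print("MAC flood suspected:", mac_flood_suspected(FLOOD_CAPTURE))
```

On a switched segment the monitor sees every request (they are broadcast) but only the replies addressed to it or flooded to it, so in practice this logic runs on a mirror port or on the host whose cache you want to protect.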

----------------------------------------------------------------------
Weaknesses in Routing Protocols.
----------------------------------------------------------------------

This section will deal with weaknesses specific to the protocols used
by routers and not weaknesses in the routers themselves. We will focus
on the Routing Information Protocol. Most network devices are capable
of using this protocol (including the unix daemon routed) and it is
one of the easiest to exploit.

The  Routing  Information  Protocol  (RIP  rfc  1058)  was  originally 
designed  without  any  security  provisions  and was later revised as 
RIPv2  (rfc  1723)  implementing  an  authorization scheme involving a 
cleartext password.

RIP/RIPv2  make  use  of 'distance vectoring' to determine the fastest
route   to  a  destination  address,  and  forward  data  accordingly. 
Distance  vectoring  protocols  give  each known path a cost according
to the hops between the source  and  destination  systems, and forward
data across the path that costs the least. The more hops between links
the higher the cost.

networkA -> networkB -> networkC -> networkD     ==   3
networkA -> networkE -> networkD                 ==   2

In the above example, the first path has 3 hops, and the second has 2.
Therefore,  path  2  would be chosen as long as it was available. This 
method is sometimes referred to as hop count routing.

RIP/RIPv2 enabled devices use a method called network convergence
to teach other routers what it knows about the networks it is
connected  to.  Every 30s it will send out a copy of its routing table
(which  contains  information  about  all  the  devices it can see) to 
the  nearest  router to it. That router will compare that table to its 
own,  update any changes and pass the data on to the next router. That
router  will  do  the  same,  and the routing update will make its way 
across the entire network.
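The hop-count routing and network convergence just described, as an added example that is not part of the original article: a small synchronous distance-vector simulation in which each round stands for one periodic update, every router hands its table to its neighbours, and a route is only installed when the advertised metric plus one hop beats what the router already holds. It is run on the article's own five-network topology; the helper names and the 16-means-unreachable cap follow RIP, but timers, split horizon and poison reverse are left out.

```python
INFINITY = 16   # RIP metric meaning "unreachable"; valid routes are 1..15

def build_links(edges):
    """Undirected edge list [(a, b), ...] -> {router: {neighbor: 1}} (one hop per link)."""
    links = {}
    for a, b in edges:
        links.setdefault(a, {})[b] = 1
        links.setdefault(b, {})[a] = 1
    return links

def distance_vector(edges):
    """Synchronous distance-vector exchange until no table changes.

    Returns ({router: {destination: (metric, next_hop)}}, rounds_with_changes).
    Destinations whose metric would reach INFINITY are never installed."""
    links = build_links(edges)
    tables = {r: {r: (0, r)} for r in links}
    for r, nbrs in links.items():
        for n, cost in nbrs.items():
            tables[r][n] = (cost, n)
    rounds = 0
    while True:
        advertised = {r: dict(t) for r, t in tables.items()}   # snapshot sent this round
        changed = False
        for router, nbrs in links.items():
            for nbr, cost in nbrs.items():
                for dest, (metric, _) in advertised[nbr].items():
                    candidate = min(metric + cost, INFINITY)
                    current = tables[router].get(dest, (INFINITY, None))[0]
                    if candidate < current:
                        tables[router][dest] = (candidate, nbr)
                        changed = True
        if not changed:
            return tables, rounds
        rounds += 1

def best_route(tables, src, dst):
    """Follow next hops from src; None if dst is unreachable (no entry or more than 15 hops)."""
    path, here = [src], src
    while here != dst:
        entry = tables[here].get(dst)
        if entry is None or len(path) > INFINITY - 1:
            return None
        here = entry[1]
        path.append(here)
    return path

# The article's topology, one hop per link (constructed for the example).
ARTICLE_TOPOLOGY = [("networkA", "networkB"), ("networkB", "networkC"),
                    ("networkC", "networkD"), ("networkA", "networkE"),
                    ("networkE", "networkD")]

if __name__ == "__main__":
    tables, rounds = distance_vector(ARTICLE_TOPOLOGY)
    print("converged after", rounds, "update round(s)")
    print("A -> D:", tables["networkA"]["networkD"],
          best_route(tables, "networkA", "networkD"))
    # Take networkE away and the 3-hop path through B and C is all that is left.
    tables2, _ = distance_vector([e for e in ARTICLE_TOPOLOGY if "networkE" not in e])
    print("A -> D without E:", tables2["networkA"]["networkD"])
```

Because a router installs whatever advertisement beats its current metric, the simulation also shows why the protocol is only as trustworthy as its neighbours: any table fed into a round is taken at face value.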

RIP/RIPv2 Packet example (courtesy of cisco.com):

<ripped src="http://www.cisco.com">

RIP Packet Format:
   ______________________________________________________________
  |com   |ver   |zero  |afi   |zero  |ip    |zero  |zero  |metric|
  |8 bit |8 bit |16 bit|16 bit|16 bit|32 bit|32 bit|32 bit|32 bit|
   --------------------------------------------------------------
  - Command  Indicates whether the packet is a request or a response. 
    The  request  asks  that  a router send all or part of its routing 
    table.  The  response can be an unsolicited regular routing update
    or  a reply to a request. Responses contain routing table entries. 
    Multiple  RIP  packets  are  used to convey information from large 
    routing tables.

  - Version number  Specifies  the  RIP  version used. This field can 
    signal different potentially incompatible versions.

  - Zero  This  field  is  not  actually used by RFC 1058 RIP; it was 
    added  solely  to  provide backward compatibility with prestandard 
    varieties of RIP. Its name comes from its defaulted value: zero. 

  - Address-family identifier (AFI)  Specifies the address family used. 
    RIP is designed to carry routing information for several different 
    protocols. Each entry has an address-family identifier to indicate 
    the type of address being specified. The AFI for IP is 2.

  - Address  Specifies the IP address for the entry.

  - Metric  Indicates  how many internetwork hops (routers) have been 
    traversed  in  the  trip to the destination. This value is between 
    1 and 15 for a valid route, or 16 for an unreachable route.

RIPv2 Packet Format:
   ______________________________________________________________
  |com   |ver   |unused|afi   |rt tag|net ad|subnet|nxthop|metric|
  |8 bit |8 bit |16 bit|16 bit|16 bit|32 bit|32 bit|32 bit|32 bit|
   --------------------------------------------------------------
  - Command  Indicates whether the packet is a request or a response. 
    The  request  asks that a router send all or a part of its routing
    table.  The  response can be an unsolicited regular routing update 
    or  a reply to a request. Responses contain routing table entries. 
    Multiple  RIP  packets  are  used to convey information from large 
    routing tables.

  - Version  Specifies   the  RIP  version  used.  In  a  RIP  packet 
    implementing any of the RIP 2 fields or using authentication, this 
    value is set to 2.

  - Unused  Has a value set to zero.

  - Address-family identifier (AFI)  Specifies the address family used. 
    RIPv2's  AFI  field  functions  identically  to RFC 1058 RIP's AFI 
    field,  with  one exception: If the AFI for the first entry in the 
    message   is   0xFFFF,   the   remainder  of  the  entry  contains 
    authentication  information.  Currently,  the  only authentication 
    type is simple password.

  - Route tag  Provides  a  method for distinguishing between internal 
    routes  (learned by RIP)  and  external routes (learned from other 
    protocols).

  - IP address  Specifies the IP address for the entry.

  - Subnet mask  Contains  the  subnet  mask  for  the entry. If this 
    field is zero, no subnet mask has been specified for the entry.

  - Next hop  Indicates the IP address of the next hop to which packets 
    for the entry should be forwarded.

  - Metric  Indicates  how many internetwork hops (routers) have been 
    traversed  in the trip to the destination. This value is between 1 
    and 15 for a valid route, or 16 for an unreachable route.

</ripped>

RIP/RIPv2  are  UDP  based  protocols meaning that interaction between 
RIP  routers  doesn't  require  a  full  connection.  (where TCP based 
protocols  require  a communication channel between devices, UDP based 
protocols do not). Both RIP/RIPv2 are also stateless protocols meaning
they  have  no means for remembering whether or not a request has been
sent, therefore they must assume all replies were requested.

These   two  facts  present  some  interesting  potential  for  abuse. 
An  attacker  could  generate  RIP/RIPv2  packets,  containing routing 
information  beneficial  to  mounting  his  attack,  send said packets 
to  routers  on  the  target  network  thereby  orchestrating the flow
of packets on the network.

If  he  wanted  to  DoS  the network, he could convince the routers to 
forward the packets in an infinite loop. RIP/RIPv2 will only send
a  packet  a  maximum  of  15  hops before dropping it and marking the
path  unreachable.  In this way an entire network could be tackled and
dropped.

The   attacker   could   also   use   these   weaknesses  to  mount  a 
man-in-the-middle type data interception attack. He would simply
send  routing-updates  claiming  to be a new router on the network. He 
would  also  claim  to be the next router in the fastest route between
the  two  systems  he  wants  to  watch.  All data on that route would 
end  up  going  through  his  system,  where he would be watching with 
snort/tcpdump/generic-packet-capture-util  and  ultimately  forwarding
the data to its requested destination.

RIPv2  uses  a  cleartext  password  for authentication. This could be 
easily  compromised  by  passively  sniffing  the  network  for  RIPv2
packets, or actively requesting the packets from RIPv2 devices.
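The packet formats quoted above and the weaknesses that follow them (unsolicited updates from anyone, and a simple password that crosses the wire in cleartext), as an added example that is not part of the original article or of cisco.com's text: a decoder for the 4-byte RIP header and its 20-byte entries, which recognises the RIPv2 authentication entry (AFI 0xFFFF, type 2 = simple password), and an audit routine of the kind a monitor on the routing segment would apply to each datagram. The sample datagrams, the neighbour addresses and the password are constructed assumptions.

```python
import struct
import ipaddress

RIP_HDR   = struct.Struct("!BBH")          # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")    # afi, route tag, address, subnet mask, next hop, metric
RIP_AUTH  = struct.Struct("!HH16s")        # afi 0xFFFF, auth type, 16 bytes of auth data
ENTRY_LEN = 20
AFI_INET, AFI_AUTH, AUTH_SIMPLE = 2, 0xFFFF, 2
RIP_REQUEST, RIP_RESPONSE = 1, 2
RIP_INFINITY = 16

def _ip(raw):
    return str(ipaddress.IPv4Address(raw))

def parse_rip(data):
    """Decode a RIP (v1 or v2) UDP payload into a dict; raises ValueError on malformed input."""
    if len(data) < RIP_HDR.size:
        raise ValueError("short RIP header")
    command, version, mbz = RIP_HDR.unpack_from(data)
    if command not in (RIP_REQUEST, RIP_RESPONSE) or version not in (1, 2):
        raise ValueError(f"unsupported command/version {command}/{version}")
    body = data[RIP_HDR.size:]
    if len(body) % ENTRY_LEN or not 0 < len(body) <= 25 * ENTRY_LEN:
        raise ValueError("body must be 1..25 entries of 20 bytes")
    pkt = {"command": command, "version": version, "mbz": mbz, "auth": None, "entries": []}
    for off in range(0, len(body), ENTRY_LEN):
        afi = struct.unpack_from("!H", body, off)[0]
        if afi == AFI_AUTH:
            if version != 2 or off != 0:
                raise ValueError("authentication entry only valid first, in RIPv2")
            _, atype, adata = RIP_AUTH.unpack_from(body, off)
            pkt["auth"] = {"type": atype,
                           "password": adata.rstrip(b"\x00").decode("ascii", "replace")
                           if atype == AUTH_SIMPLE else None}
            continue
        afi, tag, addr, mask, nexthop, metric = RIP_ENTRY.unpack_from(body, off)
        pkt["entries"].append({"afi": afi, "tag": tag, "network": _ip(addr),
                               "mask": _ip(mask), "next_hop": _ip(nexthop), "metric": metric})
    return pkt

def audit_rip(pkt, src_ip, trusted_neighbors):
    """Policy checks a monitor would apply to one RIP datagram; returns a list of findings."""
    findings = []
    if pkt["command"] == RIP_RESPONSE and src_ip not in trusted_neighbors:
        findings.append(f"routing update from unexpected neighbour {src_ip}")
    if pkt["auth"] is not None and pkt["auth"]["type"] == AUTH_SIMPLE:
        findings.append("RIPv2 simple-password authentication in use; password travels in cleartext")
    if pkt["version"] == 1 and pkt["mbz"] != 0:
        findings.append("RIPv1 must-be-zero field is non-zero")
    for e in pkt["entries"]:
        if e["afi"] not in (0, AFI_INET):
            findings.append(f"unknown address family {e['afi']}")
        if not 1 <= e["metric"] <= RIP_INFINITY:
            findings.append(f"metric {e['metric']} for {e['network']} outside 1..16")
        if pkt["version"] == 1 and (e["mask"] != "0.0.0.0" or e["next_hop"] != "0.0.0.0"):
            findings.append(f"RIPv1 entry for {e['network']} carries RIPv2-only fields")
    return findings

# --- constructed sample datagrams (not captured traffic) ----------------
def _entry(network, mask, next_hop, metric, afi=AFI_INET, tag=0):
    def pk(s):
        return ipaddress.IPv4Address(s).packed
    return RIP_ENTRY.pack(afi, tag, pk(network), pk(mask), pk(next_hop), metric)

SAMPLE_V2_RESPONSE = (RIP_HDR.pack(RIP_RESPONSE, 2, 0)
                      + RIP_AUTH.pack(AFI_AUTH, AUTH_SIMPLE, b"s3cret".ljust(16, b"\x00"))
                      + _entry("192.168.10.0", "255.255.255.0", "0.0.0.0", 1)
                      + _entry("0.0.0.0", "0.0.0.0", "0.0.0.0", 17))        # bogus metric
# RFC 1058 "send me your whole table": a single entry with AFI 0 and metric 16.
SAMPLE_V1_REQUEST = (RIP_HDR.pack(RIP_REQUEST, 1, 0)
                     + _entry("0.0.0.0", "0.0.0.0", "0.0.0.0", RIP_INFINITY, afi=0))

if __name__ == "__main__":
    pkt = parse_rip(SAMPLE_V2_RESPONSE)
    print(pkt)
    for finding in audit_rip(pkt, "10.0.0.254", {"10.0.0.1"}):
        print("-", finding)
    print(parse_rip(SAMPLE_V1_REQUEST))
```

Note that the parser recovers the password with nothing more than a byte slice, which is the whole of the cleartext-authentication weakness; the only defences on the protocol side are restricting which neighbours may send responses (the `trusted_neighbors` check) and moving away from simple-password authentication.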

----------------------------------------------------------------------
I noticed this text was getting a little long, so I decided to cut it
here. I'll release a followup containing info on spoofing and more in
the next issue of Outbreak.

Greets to the usuals:
        ramb0x,  gr3p,  kleptic,  jenny,  lexi, lenny, 
        turbo, Count, Solomance, xarrrr, archon, gestapo,
        oj, smiley, and anyone i'm forgetting. :D
        
