Lec7 NetworkAttacksLowerLayers

This document summarizes a lecture on network attacks at the lower layers. It covers threats at the physical and link layers: eavesdropping and spoofing. Eavesdropping, also called sniffing, lets anyone on a wireless or shared Ethernet subnet capture all traffic, and tools like tcpdump and Wireshark make it easy. Wireless networks use WPA2 to derive a shared key between device and access point; the key derivation is deliberately computationally expensive so that guessing the password is slow, although anyone who knows the password can derive the key. The lecture closes with DHCP bootstrapping and the threats posed by a rogue DHCP server on the same subnet.


CS473: Lecture 7

Network Attacks - Lower Layers


Spring 2024

Mobin Javed

Slides adapted from Vern Paxson’s CS161 at UC Berkeley


Note

Some defenses in this module use cryptographic primitives; we will treat them as a black box for now (and learn the inner details in the cryptography module).
Lesson Plan

• Layers 1 & 2 Threats
• Eavesdropping
• Spoofing
• Wireless Network Security
Layers 1 & 2: General Threats?

7 Application
4 Transport
3 (Inter)Network
2 Link
1 Physical

Link (layer 2): framing and transmission of a collection of bits into individual messages sent across a single “subnetwork” (one physical technology)

Physical (layer 1): encoding bits to send them over a single physical link, e.g. patterns of voltage levels / photon intensities / RF modulation
Physical/Link-Layer Threats: Eavesdropping

• Also termed sniffing
• For subnets using broadcast technologies (e.g., WiFi, some types of Ethernet), get it for “free”
– Each attached system’s NIC (= Network Interface Card) can capture any communication on the subnet
– Some handy tools for doing so
o tcpdump (low-level ASCII printout)
o Wireshark (GUI for displaying 800+ protocols)
o Bro (scriptable real-time network analysis; see bro.org)
• For any technology, routers (and internal “switches”) can look at / export traffic they forward
• You can also “tap” a link
– Insert a device to mirror the physical signal

TCPDUMP: Packet Capture & ASCII Dumper (screenshot slide)

Wireshark: GUI for Packet Capture/Exam. (screenshot slides)
Protecting Against Eavesdropping in the Coffee Shop

1. Join the wireless network

If either match up, your laptop joins the network. Optionally performs a cryptographic exchange. Most commonly today, that is done using WPA2.
WPA2, common form (“Personal”; simplified)

Your laptop and the AP both hold the SSID (“ATT192”) and the password ($secret!). Over the air they exchange a KeyCounter (and other stuff).

Both your laptop and the AP now compute:

K = F(HMAC-SHA1, “$secret!”, “ATT192”, KeyCounter, 4096)

This function (F) computes this many iterations (4096) of this function (HMAC-SHA1), using this ($secret!) as the MAC key and the XOR of these (“ATT192” and KeyCounter) as the initial input. Each subsequent iteration takes the output of the previous computation as its input.

Now your laptop and the AP have derived a shared secret K.

Eve attacks! (Eve’s guess: Password: $Secret!)

Since the password is never exposed, if Eve doesn’t know it, the best she can do is a dictionary attack to try to guess it. This goes slowly due to the 1000s of HMAC iterations.

BUT: if Eve ponies up $2.25 for a cup of coffee and gets the password to the local net … then she knows both of these (the password and the KeyCounter she overheard)!
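The derivation the slide sketches, as an added example that is not part of the lecture: the slide’s F taken literally with Python’s hmac/hashlib, next to the PBKDF2 that WPA2-Personal actually standardises for comparison. The KeyCounter value and the zero-padding before the XOR are assumptions; the point shown is that a wrong guess yields a different K, while Eve with the password and the overheard KeyCounter computes the laptop’s K exactly.

```python
import hashlib
import hmac

ITERATIONS = 4096   # the 4096 in the slide's K = F(HMAC-SHA1, "$secret!", "ATT192", KeyCounter, 4096)


def derive_k(password: str, ssid: str, key_counter: bytes, iterations: int = ITERATIONS) -> bytes:
    """The slide's F, read literally: iterate HMAC-SHA1 keyed with the password,
    starting from (SSID XOR KeyCounter) and feeding each output back in as the
    next message. Real WPA2-Personal uses PBKDF2 instead (see wpa2_pmk)."""
    ssid_b = ssid.encode()
    width = max(len(ssid_b), len(key_counter))
    # "the XOR of these as the initial input": zero-pad both operands to the same
    # width first (an assumption; the slide does not say how lengths are handled)
    x = bytes(a ^ b for a, b in zip(ssid_b.ljust(width, b"\0"), key_counter.ljust(width, b"\0")))
    for _ in range(iterations):
        x = hmac.new(password.encode(), x, hashlib.sha1).digest()
    return x


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """What 802.11i specifies for WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def coffee_shop_scenario() -> dict:
    """Who ends up holding the laptop's K in the slide's three situations."""
    ssid, password = "ATT192", "$secret!"
    key_counter = (0x2A).to_bytes(8, "big")   # constructed; it crosses the air in the clear, so Eve captures it
    laptop_k = derive_k(password, ssid, key_counter)
    ap_k = derive_k(password, ssid, key_counter)
    eve_guess_k = derive_k("$Secret!", ssid, key_counter)   # Eve's wrong dictionary guess from the slide
    eve_paid_k = derive_k(password, ssid, key_counter)      # Eve after the $2.25 coffee: same inputs, same K
    return {
        "ap_matches_laptop": ap_k == laptop_k,
        "wrong_guess_matches": eve_guess_k == laptop_k,
        "paid_eve_matches": eve_paid_k == laptop_k,
        "hmac_calls_per_guess": ITERATIONS,   # the work factor that makes each dictionary guess slow
    }


if __name__ == "__main__":
    print(coffee_shop_scenario())
```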
WPA2, actually-secure-but-inconvenient form (“Enterprise”; simplified)

1. Your laptop is preconfigured with a cert for an Authentication Server (Auth): {Auth: A}K⁻¹CA
2. You establish a secure connection via the AP to the Authentication Server using TLS.
3. You then transmit your authentication info (username/password, or your own cert) to the server: User=Alice, Password=ReallyHard2Gue$$
4. The Authentication Server creates a random secret key K and sends it to both your laptop and the AP.


Physical/Link-Layer Threats: Spoofing

• With physical access to a subnetwork, attacker can create any message they like
– When with a bogus source address: spoofing
• When using a typical computer, may require root/administrator to have full freedom
• Particularly powerful when combined with eavesdropping
– Because attacker can understand exact state of victim’s communication and craft their spoofed traffic to match it
– Spoofing w/o eavesdropping = “blind spoofing”

Spoofing Considerations

• “On path” attackers can see victim’s traffic ⇒ spoofing is easy
• “Off path” attackers can’t see victim’s traffic
– They have to resort to blind spoofing
– Often must guess/infer header values to succeed
o We care about the work factor: how hard is this
– Sometimes they can just brute force
o E.g., 16-bit value: just try all 65,536 possibilities!
• When we say an attacker “can spoof”, we usually mean “w/ feasible chance of achieving their goal”
2. Configure your connection

Your laptop shouts: HEY, ANYBODY, WHAT BASIC CONFIG DO I NEED TO USE?
Internet Bootstrapping: DHCP

• New host doesn’t have an IP address yet
– So, host doesn’t know what source address to use
• Host doesn’t know who to ask for an IP address
– So, host doesn’t know what destination address to use
• (Note, host does have a separate WiFi address)
• Solution: shout to “discover” server that can help
– Broadcast a server-discovery message (layer 2)
– Server(s) sends a reply offering an address

DHCP = Dynamic Host Configuration Protocol (diagram: several hosts and a DHCP server on one subnet)
Dynamic Host Configuration Protocol

Exchange between the new client and the DHCP server (diagram):
1. DHCP discover (broadcast)
2. DHCP offer
3. DHCP request (broadcast)
4. DHCP ACK

The “offer” message includes IP address, DNS server, “gateway router”, and how long client can have these (“lease” time).

DNS server = system used by client to map hostnames like gmail.com to IP addresses like 74.125.224.149

Gateway router = router that client uses as the first hop for all of its Internet traffic to remote hosts

Threats?
• Local attacker on same subnet can hear new host’s DHCP request
• This happens even for WPA2-Enterprise, since request is explicitly sent using broadcast
• Attacker can race the actual server; if attacker wins, replaces DNS server and/or gateway router
DHCP Threats
• Substitute a fake DNS server
– Redirect any of a host’s lookups to a machine of
attacker’s choice (e.g., gmail.com = 6.6.6.6)
• Substitute a fake gateway router
– Intercept all of a host’s off-subnet traffic
o (even if not preceded by a DNS lookup)
– Relay contents back and forth between host and remote
server
o Modify however attacker chooses
– This is one type of invisible Man In The Middle (MITM)
o Victim host generally has no way of knowing it’s happening! 😟
o (Can’t necessarily alarm on peculiarity of receiving multiple DHCP
replies, since that can happen benignly)
• How can we fix this? Hard, because we lack
a trust anchor
Class Activity

DHCP Defenses: DHCP Snooping

• https://packetpushers.net/five-things-to-know-about-dhcp-snooping/
• https://support.huawei.com/enterprise/en/doc/EDOC1000178177/83420524/defense-against-bogus-dhcp-server-attacks
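The defender’s view of the DHCP threat above, as an added example that is not part of the lecture or the linked articles: a parser for the DHCP option area and a check that flags an offer from an unknown server or one that rewrites the gateway or DNS server, run over two constructed offers (the slide’s 6.6.6.6 as the fake DNS). Server addresses and the expected gateway/DNS values are constructed; a DHCP-snooping switch makes the analogous decision by trusted versus untrusted ingress port rather than by server address.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options after the 236-byte BOOTP header
DHCPOFFER = 2


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP message (UDP payload, RFC 2131/2132 layout)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad option, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_offer(server_id: str, router: str, dns: str, lease: int = 86400) -> bytes:
    """Constructed DHCPOFFER for testing: zeroed fixed header, then the options a client acts on."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    opts = (bytes([53, 1, DHCPOFFER]) + bytes([54, 4]) + ip(server_id) + bytes([3, 4]) + ip(router)
            + bytes([6, 4]) + ip(dns) + bytes([51, 4]) + struct.pack("!I", lease) + b"\xff")
    return bytes(236) + MAGIC_COOKIE + opts


def check_offer(payload: bytes, trusted_servers: set, expected_gateway: str, expected_dns: str) -> list:
    """Alert on an offer from an unknown server or one that hands out a gateway/DNS
    other than what this subnet should be giving clients."""
    opts = parse_dhcp_options(payload)
    if opts.get(53) != bytes([DHCPOFFER]):
        return []
    server = str(ipaddress.IPv4Address(opts[54]))
    gateway = str(ipaddress.IPv4Address(opts[3][:4]))
    dns = str(ipaddress.IPv4Address(opts[6][:4]))   # option 6 may list several servers; check the first
    alerts = []
    if server not in trusted_servers:
        alerts.append(f"offer from untrusted DHCP server {server}")
    if gateway != expected_gateway:
        alerts.append(f"gateway rewritten to {gateway}")
    if dns != expected_dns:
        alerts.append(f"DNS server rewritten to {dns}")
    return alerts


# Constructed sample: the real server's offer and a rogue one racing it (6.6.6.6 is the slide's fake DNS).
TRUSTED = {"10.0.0.1"}
LEGIT_OFFER = build_offer("10.0.0.1", "10.0.0.1", "10.0.0.53")
ROGUE_OFFER = build_offer("10.0.0.66", "10.0.0.66", "6.6.6.6")
```

Calling `check_offer(ROGUE_OFFER, TRUSTED, "10.0.0.1", "10.0.0.53")` returns three alerts, while the legitimate offer returns none.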
