Detecting and Stopping a Replay Attack

Until now, you have seen fwknop put to legitimate uses in an effort to reduce the attack surface of SSHD. When an SPA packet travels over an untrusted network, anyone who can watch the packet on the wire can save it, analyze it, and replay it. I have mentioned that the fwknop SPA implementation is well-suited to thwarting replay attacks by comparing MD5 sums of incoming SPA messages, but here's a concrete example.

In Figure 13-2, an attacker is placed within the Internet cloud and monitors an SPA packet in transit from the spaclient system to the spaserver system. The attacker uses tcpdump to capture the SPA packet to a file (spa.pcap) and examines it enough to see that the packet is encrypted gibberish. Then the attacker replays the packet back over the network with tcpreplay, which is depicted by the dotted line labeled Replayed SPA Packet in Figure 13-2.

Figure 13-2: An attacker monitors and replays an SPA packet (figure not reproduced; it shows the fwknop SPA/SSH client 204.23.X.X (spaclient), the iptables firewall/fwknop SPA server 71.157.X.X (spaserver), and an attacker with a sniffer positioned in the Internet cloud between them, with the replayed SPA packet drawn as a dotted line)

The command sequence to accomplish the SPA packet replay appears below. First, the spaclient system sends a valid SPA packet to the spaserver system. The fwknop -L command-line argument tells fwknop to recall the last command-line options that were used against the fwknop server host, which is handy for simplifying the relatively complex fwknop command-line interface. As the SPA packet is en route over the network, the attacker captures the packet with tcpdump and, on reading the capture back, finds that the payload appears to be unintelligible. The attacker hence deduces that this packet may be an SPA packet (particularly since the packet is captured on UDP port 62201, the default port that fwknop uses to communicate). Another tip-off that the packet may be part of an SPA scheme is that SSHD is not accessible from the attacker's IP address, yet an SSH session can be established between spaclient and spaserver. The attacker then replays the SPA packet on the network against the spaserver system with tcpreplay in an effort to connect to the SSH server. The fwknop daemon running on spaserver detects the replayed SPA packet, as indicated by the syslog message at the end of the listing, and the iptables policy does not grant the attacker any access. Although not displayed here, fwknop also sends an email alert to highlight the fact that a previous SPA packet was replayed, since this is not something that should happen under any reasonable circumstances.

[+] Running with last command-line args: -A tcp/22 --gpg-recip fwknop_server --gpg-sign fwknop_client -R -k spaserver
[+] Starting fwknop in client mode.
[+] Resolving hostname: spaserver
    Resolving external IP via: http://www.whatismyip.com/
    Got external address: 204.23.X.X
[+] Enter the GnuPG password for signing key: fwknop_client
GnuPG signing password:
[+] Building encrypted Single Packet Authorization (SPA) message.
[+] Packet fields:
        Random data:    2018495891979939
        Username:       mbr
        Timestamp:      1161229378
        Version:        1.0
        Action:         1 (access mode)
        Access:         204.23.X.X,tcp/22
        MD5 sum:        1P53i1YNdwou/xA+361T3w
[+] Sending 1010 byte message to 71.157.X.X over udp/62201...

[[email protected] ~]# tcpdump -i eth0 -l -nn -s 0 udp port 62201 -w spa.pcap
[[email protected] ~]# tcpdump -l -nn -X -r spa.pcap | head
reading from file spa.pcap, link-type EN10MB (Ethernet)
23:31:43.883144 IP 204.23.X.X.42245 > 71.157.X.X.62201: UDP, length 1010
        0x0000:  4500 040e e5ff 4000 0000 0000 0000 0000  E.....@.........
        0x0010:  0000 0000 a505 f2f9 03fa 1d59 6851 494f  ...........YhQIO
        0x0020:  4177 7668 5165 7735 3476 3347 4541 662f  AwvhQew54v3GEAf/
        0x0030:  5754 6335 4279 736b 5544 5a76 5830 6873  WTc5ByskUDZvX0hs
        0x0040:  6b59 5047 7774 6664 7349 5774 4948 3548  kYPGwtfdsIWtIH5H
        0x0050:  5658 4c49 4731 656a 562b 3639 7057 6866  VXLIG1ejV+69pWhf
        0x0060:  4474 7443 7541 626b 4941 474c 3665 4c33  DttCuAbkIAGL6eL3
        0x0070:  426f 3632 5757 4231 3867 7975 7141 5a72  Bo62WWB18gyuqAZr
        0x0080:  2f71 687a 3234 614e 7042 596a 4a2f 524d  /qhz24aNpBYjJ/RM
[[email protected] ~]# tcpreplay -i eth0 spa.pcap
sending on: eth0
1 packets (1052 bytes) sent in 0.15 seconds
6831169.0 bytes/sec 52.12 megabits/sec 6493 packets/sec
[[email protected] ~]# ssh -l root 71.157.X.X
[[email protected] ~]# tail /var/log/messages
Oct 18 23:32:50 spaserver fwknopd: attempted message replay from: 204.23.X.X
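The server-side check that produces the syslog line above, written out as an added example (this is not fwknop's own code): the server keeps the MD5 digest of every SPA message it has accepted and rejects any message whose digest it has already seen, and it only needs to remember digests for as long as the message's decrypted timestamp would still be accepted. The 120-second window, the log strings, and the packet bytes are assumptions and constructed sample data, not values from fwknop.

```python
import hashlib
import time
from collections import OrderedDict

TIME_WINDOW = 120  # assumed: seconds an SPA timestamp may differ from server time


class SpaReplayDetector:
    """Replay cache modelled on the page's description: remember the MD5 digest
    of each accepted SPA message and reject repeats. Digests older than the
    timestamp window are expired, because a message that old is rejected by
    the timestamp check anyway, so the cache stays bounded."""

    def __init__(self, window=TIME_WINDOW):
        self.window = window
        self.seen = OrderedDict()  # digest -> time the message was accepted

    def _expire(self, now):
        # Entries are inserted in time order, so the oldest is always first.
        while self.seen:
            digest, accepted_at = next(iter(self.seen.items()))
            if now - accepted_at <= self.window:
                break
            self.seen.popitem(last=False)

    def check(self, raw_packet, spa_timestamp, src_ip, now=None):
        """Return (verdict, log_line). raw_packet is the encrypted SPA payload
        exactly as received; spa_timestamp is the Timestamp field recovered
        after decryption (decryption itself is outside this example)."""
        now = time.time() if now is None else now
        self._expire(now)
        digest = hashlib.md5(raw_packet).hexdigest()
        if digest in self.seen:  # same bytes seen before: a replayed packet
            return "replay", f"fwknopd: attempted message replay from: {src_ip}"
        if abs(now - spa_timestamp) > self.window:
            return "stale", f"fwknopd: SPA timestamp outside window from: {src_ip}"
        self.seen[digest] = now
        return "accepted", f"fwknopd: valid SPA packet from: {src_ip}"


def demo():
    """Constructed re-enactment of the listing: the client's packet is accepted,
    the copy replayed 67 seconds later is flagged."""
    det = SpaReplayDetector()
    packet = b"hQIOAwvhQew54v3GEAf/CONSTRUCTED-SAMPLE-CIPHERTEXT"  # not real SPA data
    t0 = 1161229378  # Timestamp field from the client's packet fields above
    first = det.check(packet, t0, "204.23.X.X", now=t0 + 5)
    replayed = det.check(packet, t0, "204.23.X.X", now=t0 + 67)
    return first[0], replayed[0]
```

A replay that arrives after its digest has been expired from the cache is still rejected, but by the timestamp check rather than as a replay, so the window and the cache lifetime must be kept equal.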
