So Im writing the TechNet Flash for Australia editorial today and I end up talking about TCP/IP protocol hardening and man-in-the-middle attacks then I realise…not everyone knows about this stuff! Lets explain it then – even from the point of view of an attack. I talked about this stuff in my TechEd 2005 Best Practises for hardening Windows Server 2003 session.
Before we proceed lets talk about a Microsoft Support article Q324270. It talks about preventing Denial of Service attacks but settings such as these also prevent a much more sinister application to TCP/IP “hacking” so to speak. Denial of Service attacks are really only that…a denial of service…Yes they are bad and can cost lots of money but man in the middle attacks can cost a whole lot more. Man in middle attacks allow you to impersonate other people and do anything that they can do. So how is this done you ask?
In another Q article it talks about ICMP Redirect Attacks. What an ICMP Redirect actually does is allow a remote network service to let a client (or a server for that matter) know that there is a better route available than the one it chose and to advise it of the new route by the use of a specific ICMP type and code. Nice idea really but lets think how this can be abused. Imagine that Im an attacker and I want to penetrate your network, using this setting I can tell the service that I want to break into that Im the best route to take by sending an ICMP message. So I become the router. So what you say? Next imagine that the service Im attacking is a VPN Server and that Im using a weak authentication protocol such as CHAP or MS-CHAP. Because both of these arent mutually authenticated and are based on a shared secret I now have an easy attack vector and best of all, because Im now the router Im able to capture all the traffic passing between the client and the VPN server including all the CHAP hashes. Im now a man in the middle and because Im capturing all the hashes I now can do anything that the authorised person can do including break into what was thought to be a secure tunnel. So even though PPTP is secure and it really is, the fact that Im using weak security authentication is the problem combined with the fact that I didnt change a basic TCP/IP setting. The implication of setting the parameter is much better than the risk. Essentially with this setting off it means that automatic routing efficiency cant be achieved and assumes that you have set it correctly the first time – which you should have!
Note: This attack doesnt apply to MS-CHAPv2 or EAP authentication such as EAP-TLS as its mutually authenticated