Skip to main content

Spoofing Attacks

Updated Jan 30, 2024 ·

Overview

Cybercriminals uses spoofing attacks to impersonate a familiar or trusted source to interact with targets, aiming to steal information, extort money, or install malicious software on their devices.

Example of spoofing attacks:

  • Email Spoofing
  • Caller ID Spoofing
  • Website/Domain Spoofing
  • IP Spoofing
  • ARP Spoofing
  • GPS Spoofing
  • Facial Spoofing
  • Man-in-the-middle attack

Mitigations:

  • Email Security: Use SPF, DKIM, and DMARC.
  • User Training: Educate on recognizing suspicious communications.
  • Secure Authentication: Use multifactor authentication.
  • Access Controls: Limit sensitive system access.
  • Secure Routing: Implement SBGP or similar protocols.
  • Network Access Control (NAC): Restrict unauthorized devices.
  • IDS/IPS: Detect spoofing patterns.
Reference: https://www.crowdstrike.com/cybersecurity-101/spoofing-attacks/

IP Address Spoofing

Impersonating a trusted IP address to gain unauthorized access.

Mitigations:

  • Packet Filtering: Block spoofed IP addresses.
  • Secure Routing: Use SBGP to validate routing.
  • Network Access Control (NAC): Restrict unauthorized devices from network access.
  • IDS/IPS: Monitor for spoofing patterns.

Session Hijacking

Session Management

Session management enables web applications to identify users consistently.

  • Allows for unique identification of users across requests.
  • Maintains the state of user data throughout interactions.
  • Ensures that data generated by the user is assigned solely to that user.
  • Information can be stored in databases or cookies.

Cookies

Cookies are important for managing state in web applications, as HTTP is a stateless protocol.

  • HTTP doesn’t store client info, so cookies are used.
  • Cookies store information about users for future requests.
  • Every request from the client includes the stored cookie.
  • Encrypting cookies helps protect session data.
  • For more information, please see Secure Cookies.

Types of Cookies:

  • Session Cookies

    • Non-persistent, only stored in the browser.
    • When browser is closed, cookies are deleted.

  • Persistent Cookies

    • Stay around even after the browser is closed.
    • Stored in the browser cache until they're deleted by the user.
    • Delete when user "Clear cookies", or when they pass the defined expiration date.

Session Hijacking

Session hijacking is a spoofing attack where the host is disconnected and replaced by the attacker.

  • Occurs through theft or modification of cookies.
  • Can be performed when user is currently logged in to a web session.

Session Prediction

In session prediction, an attacker attempts to predict session token to hijack the session.

  • If token is predictable, they can be guessed.
  • Attackers can take over the session.

Cookie poisoning involves modifying the contents of the cookies to be sent to a client's browser.

  • Modified cookie can be used to exploit vulnerabilities.

Replay Attack

Attacker intercepts and retransmits a valid data transmission to trick the receiver into unauthorized actions, often impersonating one of the legitimate parties in the communication.

  • Interception and retransmission of valid data packets.
  • Unauthorized access, data manipulation, session hijacking.

Mitigations:

  • Time-stamped tokens or nonces, ensures each transaction is unique and only valid for a short period.
  • Use TLS/SSL to encrypt data and make interception more difficult.
  • Mutual authentication techniques, validate each other's identities.
  • Maintain a session or message log to track and verify unique transactions.
  • Replay detection mechanisms to identify and block replayed messages.
  • Use WPA3 to avoid replay attacks.

Difference with Session Hijacking:

  • Replay Attacks - attacker intercepts data, decides whether to retransmit it later.
  • Session Hijacking - attacker alters data transmission in real-time.

Disassociation Attack

A disassociation attack forces a device to disconnect from a Wi-Fi network by sending fake disassociation frames.

  • Interrupts an active session without fully logging the user out
  • Often used to disrupt or weaken wireless connections
  • Can cause annoyance or service disruption, especially in public Wi-Fi

Deauthentication Attack

A deauthentication attack tricks a device into logging out of the network, forcing it to reconnect.

  • Helps capture authentication handshakes for password cracking
  • Useful in penetration testing when traffic is low
  • Performed using tools like aircrack-ng or Bettercap

Disassociation vs. Deauthentication

Deauthentication and disassociation are different, though they are related and often confused. Both are Wi-Fi management frame types used to disconnect devices, but they occur at different stages of the connection process.

FeatureDeauthenticationDisassociation
PurposeEnds authenticationEnds association (but keeps authentication)
Stage in Wi-FiHappens before or during loginHappens after authentication, during session
EffectFully disconnects a client (must reauthenticate)Disconnects client but keeps session keys (temporarily)
Attack Use CaseUsed to capture handshake (force re-login)Used to disrupt sessions
Frame TypeManagement frameManagement frame

In simple terms:

  • Deauthentication = “Log out now. You need to reauthenticate to come back.”
  • Disassociation = “We're ending this session, but we still know who you are.”