Lesson 2: Network Security

mustardprune · Networks and Communications

23 Oct 2013

Lesson 2: Network Security and Attacks

Computer Security Operational Model

Protection = Prevention + (Detection + Response)

  Prevention: access controls, encryption, firewalls
  Detection: intrusion detection
  Response: incident handling


[Figure: the security services arranged around the operational model: intrusion detection, firewalls, encryption, authentication, security design review, security integration services, 24-hour monitoring services, remote firewall monitoring, vulnerability assessment services, vulnerability scanners.]

Security Operational Model

[Figure: a continuous cycle of four activities: Secure, Monitor, Evaluate, Improve.]

Protocols

A protocol is an agreed-upon format for exchanging information.

A protocol will define a number of parameters:
  Type of error checking
  Data compression method
  Mechanisms to signal reception of a transmission

There are a number of protocols that have been established in the networking world.

OSI Reference Model

ISO standard describing 7 layers of protocols:

  Application: program-level communication
  Presentation: data conversion functions, data format, data encryption
  Session: coordinates communication between endpoints; session state is maintained for security
  Transport: end-to-end transmission, controls data flow
  Network: routes data from one system to the next
  Data Link: handles passing of data between nodes
  Physical: manages the transmission media/hardware connections

Each layer only has to communicate with the layer directly above and below it.

The OSI Model

[Figure: the seven layers stacked from Application down to Physical. Each layer serves only its adjacent layers; thus the software which implements the Transport Layer receives input from the Session Layer or the Network Layer. The Physical Layer is implemented by hardware; the layers above it are implemented by software such as an operating system.]

TCP/IP Protocol Suite

TCP/IP refers to two network protocols used on the Internet:
  Transmission Control Protocol (TCP)
  Internet Protocol (IP)

TCP and IP are only two of a large group of protocols that make up the entire "suite".

A "real-world" application of the layered concept.

There is not a one-to-one relationship between the layers in the TCP/IP suite and the OSI Model.


OSI and TCP/IP comparison

  OSI Model        TCP/IP Protocol Suite
  -------------    ---------------------------------------------------
  Application      NFS; FTP, Telnet, SSH, SMTP; SMB; HTTP, NNTP   (application-level protocols)
  Presentation     RPC
  Session
  Transport        TCP, UDP                                        (network-level protocols)
  Network          IP, ICMP, ARP
  Data-link
  Physical         Physical

Communication Between Two Networks Via the Protocol Stack

[Figure: a Windows machine on an Ethernet sends an email to a Linux machine on an FDDI network. (1) The Windows machine adds a header (H) at each layer as the packet traverses down the TCP/IP stack from the sending application, and the packet is transmitted via the network media (Ethernet, then FDDI). (2) The Linux machine removes the headers as the packet traverses up the TCP/IP stack to the receiving application.]

TCP/IP Protocol Suite

[Figure: user processes sit on top of TCP and UDP; both run over IP, alongside ICMP and IGMP; IP runs over the hardware interface, alongside ARP and RARP, which drives the media.]

TCP/IP Encapsulation

[Figure: an email's user data is wrapped as it descends the stack.]

  1. Application layer:   application header | user data
  2. Transport layer:     TCP (or UDP) header | application header | user data
  3. Network layer:       IP header | TCP header | application header | user data
  4. Data link layer:     Ethernet header | IP header | TCP header | application header | user data | Ethernet trailer
  5. Ethernet:            the frame is handed to the Ethernet driver and put on the wire

IPv4 Header Layout

  Word   Bits 0-3   Bits 4-7   Bits 8-15    Bits 16-18   Bits 19-31
  ----   --------   --------   ---------    ----------   ----------
  1      Version    IHL        TOS          Total Length
  2      Identification                     Flags        Fragment Offset
  3      TTL                   Protocol     Header Checksum
  4      Source IP Address
  5      Destination IP Address
  6+     Options (if any), then Data

Each row is 4 bytes (32 bits); the fixed header is 20 bytes (160 bits). The "Length" field beside Version is the Internet Header Length (IHL), counted in 32-bit words, so 5 means a 20-byte header with no options.

TCP Header Layout

  Word   Bits 0-15                                          Bits 16-31
  ----   ---------------------------------------------      ----------------
  1      Source Port                                        Destination Port
  2      Sequence Number
  3      Acknowledgement Number
  4      Data Offset (4) | Unused (6) | URG ACK PSH RST SYN FIN   Window
  5      Checksum                                           Urgent Pointer
  6+     Options and Padding, then Data

Each row is 4 bytes (32 bits); the fixed header is 20 bytes (160 bits). The "Header Info" field of the first layout is the data offset, the unused bits and the six flag bits.

Establishment of a TCP connection ("3-way Handshake")

  1. Client -> Server: SYN. The client sends a connection request, specifying a port to connect to on the server.
  2. Server -> Client: SYN/ACK. The server responds with an acknowledgement and allocates a queue entry for the connection.
  3. Client -> Server: ACK. The client returns an acknowledgement and the circuit is opened.

Ports

  Packet One (client to server):  source port 1033, destination port 80, data
  Packet Two (server to client):  source port 80, destination port 1033, data

UDP Header Layout

  Word   Bits 0-15        Bits 16-31
  ----   -----------      ----------------
  1      Source Port      Destination Port
  2      Length           Checksum
  3+     Data

Each row is 4 bytes (32 bits); the header is 8 bytes (64 bits).
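The IPv4, TCP and UDP layouts above, as an added example that is not part of the original lecture: a Python builder and parser for the three headers, including the checksums a host or firewall verifies and the IP pseudo-header that the TCP and UDP checksums cover but the slides leave implicit. The 1033 -> 80 ports are the slide's "Packet One"; the addresses, the DNS port and the payload bytes are constructed for the demonstration.

```python
import socket
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, complemented. Summing a
    valid header with its checksum field included yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """TCP and UDP checksums also cover these IP-layer fields."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0, proto, length)


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    # Version 4, IHL 5 (20-byte header, no options), TOS 0, DF flag set, fragment offset 0.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total, ident, flags_off, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hdr_len = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4 or hdr_len < 20 or total < hdr_len or total > len(pkt):
        raise ValueError("malformed IPv4 header")
    if internet_checksum(pkt[:hdr_len]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"ihl": ver_ihl & 0xF, "tos": tos, "total_length": total, "id": ident,
            "flags": flags_off >> 13, "frag_offset": flags_off & 0x1FFF, "ttl": ttl,
            "protocol": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "options": pkt[20:hdr_len], "payload": pkt[hdr_len:total]}


def build_tcp(src, dst, sport, dport, seq, ack, flags, window=65535, payload=b""):
    bits = sum(TCP_FLAGS[f] for f in flags)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)
    csum = internet_checksum(pseudo_header(src, dst, 6, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_tcp(src, dst, seg: bytes) -> dict:
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, bits, window, _csum, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    hdr_len = (off >> 4) * 4
    if hdr_len < 20 or hdr_len > len(seg):
        raise ValueError("malformed TCP header")
    if internet_checksum(pseudo_header(src, dst, 6, len(seg)) + seg) != 0:
        raise ValueError("bad TCP checksum")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window, "urgent": urg,
            "flags": {n for n, b in TCP_FLAGS.items() if bits & b}, "payload": seg[hdr_len:]}


def build_udp(src, dst, sport, dport, payload):
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(pseudo_header(src, dst, 17, length) + hdr + payload)
    return struct.pack("!HHHH", sport, dport, length, csum or 0xFFFF) + payload  # RFC 768: 0 = no checksum


def parse_udp(src, dst, dgram: bytes) -> dict:
    if len(dgram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", dgram[:8])
    if length < 8 or length > len(dgram):
        raise ValueError("malformed UDP header")
    if csum and internet_checksum(pseudo_header(src, dst, 17, length) + dgram[:length]) != 0:
        raise ValueError("bad UDP checksum")
    return {"sport": sport, "dport": dport, "length": length, "payload": dgram[8:length]}


def demo() -> dict:
    """Packet One from the Ports slide: the client's SYN from port 1033 to port 80."""
    src, dst = "10.0.0.5", "10.0.0.80"                        # constructed addresses
    pkt = build_ipv4(src, dst, 6, build_tcp(src, dst, 1033, 80, 0x1000, 0, {"SYN"}), ident=0x1234)
    ip = parse_ipv4(pkt)
    tcp = parse_tcp(ip["src"], ip["dst"], ip["payload"])
    # A router that decrements TTL must also update the header checksum; a header changed
    # without that fix-up (or corrupted in transit) fails verification and is dropped.
    tampered = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]
    try:
        parse_ipv4(tampered)
        rejected = False
    except ValueError:
        rejected = True
    udp = parse_udp(src, dst, build_udp(src, dst, 1033, 53, b"\x12\x34"))  # constructed payload
    return {"ip": ip, "tcp": tcp, "udp": udp, "tampered_rejected": rejected}
```

Running demo() round-trips the SYN through both parsers and shows the header checksum rejecting the TTL-altered copy; the same parse functions are what a packet filter runs before it looks at ports or flags, which is why malformed-header "crashing" attacks later in the lesson target exactly these length and offset checks.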

IP Centric Network

[Figure: the TCP/IP "hourglass" with IP at its waist.
  Layer 6/7 (Applications): Telnet, FTP, SNMP, SMTP, NFS, DNS, TFTP, NTP, RIP, BGP, and application domains such as retail, banking, B2B, medical, wholesale, Windows and X.
  Layer 5 (Session) and Layer 4 (Transport): TCP, UDP, with ICMP, IGMP and the IGP/EGP routing protocols alongside.
  Layer 3 (Network): IP, with the competing network-layer protocols IPX and AppleTalk.
  Layers 2 & 1 (Data Link & Physical): Ethernet, 802.3, 802.4, 802.5, 802.6, X.25, Frame Relay, SLIP, PPP, ATM, Arcnet, SMDS.]

"Twenty-six years after the Defense Department created the INTERNET as a means of maintaining vital communications needs in the event of nuclear war, that system has instead become the weak link in the nation's defense."
  USA Today, 5 Jun 1996

"True hackers don't give up. They explore every possible way into a network, not just the well known ones."
  The hacker Jericho

"By failing to prepare, you are preparing to fail."
  Benjamin Franklin


Typical Net-based Attacks -- Web

"Popular" and receive a great deal of media attention.

Attempt to exploit vulnerabilities in order to:
  Access sensitive data (e.g. credit card numbers)
  Deface the web page
  Disrupt, delay, or crash the server
  Redirect users to a different site

Typical Net-based Attacks -- Sniffing

Essentially eavesdropping on the network.

Takes advantage of the shared nature of the transmission media.

Passive in nature (i.e. just listening, not broadcasting).

The increased use of switching has made sniffing more difficult (less productive) but has not eliminated it: poisoning ARP or DNS, for example, convinces target hosts to send us traffic intended for other systems.

Defeating Sniffer Attacks

Detecting and eliminating sniffers
  Possible on a single box if you have control of the system (e.g. check for interfaces in promiscuous mode)
  Difficult (depending on OS) to impossible (if somebody splices the network and adds hardware) from the network perspective

Safer topologies
  Sniffers capture data from the network segment they are attached to, so create segments.

Encryption
  If you sniff encrypted packets, who cares? (Outside of traffic analysis, of course.)
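The single-box check mentioned above, as an added example that is not part of the original lecture: on Linux the kernel exposes each interface's flags in sysfs, and a sniffer that put the card into promiscuous mode sets IFF_PROMISC there. The sysfs path and the flag value are the kernel's; the interface names and flag values in the test are constructed.

```python
import os

IFF_PROMISC = 0x100          # <linux/if.h>: interface receives all frames, not just its own
IFF_UP = 0x1


def is_promiscuous(flags: int) -> bool:
    """Decode the IFF_PROMISC bit of a Linux interface flags word (e.g. 0x1103)."""
    return bool(flags & IFF_PROMISC)


def promiscuous_interfaces(sysfs: str = "/sys/class/net") -> list:
    """Names of Linux interfaces currently in promiscuous mode. Returns [] where sysfs is absent."""
    found = []
    if not os.path.isdir(sysfs):
        return found
    for name in sorted(os.listdir(sysfs)):
        try:
            with open(os.path.join(sysfs, name, "flags")) as fh:
                flags = int(fh.read().strip(), 16)      # sysfs prints the word as "0x1103"
        except (OSError, ValueError):
            continue                                     # not a netdev, or no permission
        if is_promiscuous(flags):
            found.append(name)
    return found


if __name__ == "__main__":
    hits = promiscuous_interfaces()
    print("promiscuous interfaces:", ", ".join(hits) if hits else "none")
```

The check only sees what this kernel reports about its own interfaces, which is exactly the limit the slide states: a sniffer on a spliced tap, or on a host you do not control, leaves no trace here. `ip -d link` shows the same state as a "promiscuity" counter and is a useful cross-check when a tool clears the flag on exit.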

Typical Net-Based Attacks -- Spoofing, Hijacking, Replay

Spoofing attacks involve the attacker pretending to be someone else.

Hijacking involves the assumption of another system's role in a "conversation" already taking place.

Replay occurs when the attacker retransmits a series of packets previously sent to a target host.

Typical Net-Based Attacks -- Denial of Service

DoS and Distributed DoS (DDoS) attacks have received much attention in the media in the last year due to some high-profile attacks. Types:
  Flooding: sending more data than the target can process
  Crashing: sending data, often malformed, designed to disable the system or service
  Distributed: using multiple hosts in a coordinated attack effort against a target system

A Distributed DoS in Action

[Figure, registration phase: the client (the hacker) controls master hosts running master control programs; each master controls several broadcast hosts running broadcast agents. Agents announce themselves to their master ("Hello"), the master verifies the registration, and the agents answer liveness probes ("png"/"PONG") across the Internet.]

[Figure, attack phase: on the hacker's command the broadcast agents simultaneously launch UDP flood attacks against the target.]

How CODE RED Works

  1. A first system is infected.
  2. The infected system launches 100 probes, scanning to find new victims.
  3. Each new victim scans the same "random" address space.
  4. Each new victim starts the scanning process over again.
  5. From the 20th of the month to the end of the month, the primary target is www.whitehouse.gov.

How NIMDA Works

  1. A first system is infected.
  2. The attacking system delivers Admin.dll (which contains the NIMDA payload) to the victim via tftp.
  3. The infected system then spreads by several routes at once:
       sends infected email attachments;
       attaches NIMDA to web pages on the infected server;
       scans the network for vulnerable IIS web servers;
       propagates via open file shares.

NIMDA prefers to target its neighbours, which gives very rapid propagation.

Common Attacks

  IP Spoofing
  Session Hijacking
  WWW Cracking
  DNS Cache Poisoning


The TCP Connection in Depth

  1. Client -> Server: SYN, sequence number = ISNclient
  2. Server -> Client: SYN, sequence number = ISNserver; ACK, acknowledgement number = ISNclient + 1
  3. Client -> Server: ACK, acknowledgement number = ISNserver + 1

ISN -- Initial Sequence Number

The TCP Reset

[Figure: the student sends SYN (Student, ISNstudent) to the server and the server answers SYN (Server, ISNserver), ACK (Student, ISNstudent + 1). An evil hacker injects a RESET carrying the student's address and a sequence number the server will accept, and the half-open connection is torn down.]

IP Address Spoofing

[Figure: the evil hacker first takes the student off the network with a denial of service (a Ping of Death) so that the student cannot respond. The hacker then sends SYN (Student, ISNstudent) to the server with the student's source address. The server replies SYN (Server, ISNserver), ACK (Student, ISNstudent + 1), but that reply goes to the student's address and the hacker never sees it. To complete the handshake the hacker must guess the server's ISN and send ACK (Server, ISNserver + 1), again with the student's address.]
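The blind spoofing attack in the figure above, as an added simulation that is not part of the original lecture. Nothing touches a network: the "server" is a Python object holding only handshake state, and its ISN generator is swapped between the old per-connection constant increment and an RFC 6528 style clock-plus-keyed-hash (with SHA-256 standing in for the RFC's MD5). The addresses, ports and secret are constructed for the demonstration.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


class Server:
    """Toy TCP endpoint: the handshake state machine only, no data transfer."""

    def __init__(self, isn_for):
        self.isn_for = isn_for          # isn_for(client_ip, client_port) -> 32-bit ISN
        self.half_open = {}             # (client_ip, port) -> our ISN, awaiting the final ACK
        self.established = set()

    def recv_syn(self, src_ip, src_port):
        isn = self.isn_for(src_ip, src_port)
        self.half_open[(src_ip, src_port)] = isn
        # The SYN/ACK carrying this ISN is routed to src_ip, whoever really sent the SYN.
        return isn

    def recv_ack(self, src_ip, src_port, ack_num):
        isn = self.half_open.pop((src_ip, src_port), None)
        if isn is None or ack_num != (isn + 1) & MASK32:
            return False
        self.established.add((src_ip, src_port))
        return True


def bsd_style_isn():
    """Pre-RFC-1948 behaviour: one global counter bumped by a constant per connection."""
    state = {"isn": 0x1F2E3D4C}

    def isn_for(_ip, _port):
        state["isn"] = (state["isn"] + 64000) & MASK32
        return state["isn"]
    return isn_for


def rfc6528_style_isn(secret: bytes, local=("10.0.0.80", 80)):
    """ISN = M + F(4-tuple, secret): a clock plus a keyed hash that differs per connection."""
    state = {"m": 0}

    def isn_for(ip, port):
        state["m"] = (state["m"] + 64000) & MASK32        # stands in for the 4 us clock
        f = hashlib.sha256(secret + repr((local, ip, port)).encode()).digest()[:4]
        return (state["m"] + struct.unpack("!I", f)[0]) & MASK32
    return isn_for


def blind_spoof(server, attacker_ip="203.0.113.9", trusted_ip="10.0.0.5", trusted_port=1033):
    """Complete a handshake as trusted_ip without ever seeing the server's SYN/ACK."""
    # 1. Sample: two genuine connections from the attacker's own address reveal the ISN step.
    isn1 = server.recv_syn(attacker_ip, 40000)
    server.recv_ack(attacker_ip, 40000, (isn1 + 1) & MASK32)
    isn2 = server.recv_syn(attacker_ip, 40001)
    server.recv_ack(attacker_ip, 40001, (isn2 + 1) & MASK32)
    delta = (isn2 - isn1) & MASK32
    # 2. The trusted host has been silenced (the slide uses a Ping of Death) so it cannot
    #    answer the unexpected SYN/ACK with a RST. In this simulation it never speaks at all.
    # 3. SYN with the trusted host's address. The reply goes to the trusted host, so the
    #    attacker never learns ISNserver...
    server.recv_syn(trusted_ip, trusted_port)
    # 4. ...and the final ACK has to carry a guess: last observed ISN plus the observed step.
    guess = (isn2 + delta) & MASK32
    return server.recv_ack(trusted_ip, trusted_port, (guess + 1) & MASK32)
```

With the constant-increment generator the guess is exact and the server marks the trusted address as established; with the keyed-hash generator the per-connection offset is unrelated between the attacker's sample connections and the spoofed one, so the guess is right only with probability 2^-32 per attempt. The silencing step matters either way: a live trusted host would RST the stray SYN/ACK and close the half-open entry before the forged ACK arrives.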

Session Hijacking

[Figure: a TCP connection is established between the student and the server. The evil hacker injects packets into it claiming "Hey, I am the student", and sends a TCP RESET to the student so that the real client drops out of the conversation.]

SMB

Server Message Block (SMB) -- an application-layer protocol that allows system resources to be shared across networks.

An old technology developed by MS and Intel.

Several versions of authentication over the network:
  Plaintext: easy to sniff
  LanMan: stronger than plaintext; a challenge/response computed from the LM password hash, which is itself weak (case-folded, split into two 7-byte halves)
  NTLM: a challenge/response computed from the NT password hash, so only the ciphertext response crosses the wire, never the hash itself

SMB Relay -- Man-in-the-Middle Attack

[Figure: the evil hacker sits between client and server and forwards each message:
  Client -> Hacker -> Server: Session Request
  Server -> Hacker -> Client: Name OK
  Client -> Hacker: Dialect; Hacker -> Server: Dialect without NT4 security
  Server -> Hacker -> Client: Dialect Selection, Challenge
  Client -> Hacker -> Server: Reply
  Server -> Hacker -> Client: Session OK]

The attacker forces the weaker LANMAN authentication, and the reply the client computes for the server's challenge is passed straight on to the server, which accepts it as the client's.

Windows Authentication: LANMAN vs NTLMv2

  1. Client -> Server: Session Request
  2. Server -> Client: Session Response -- NETBIOS name OK
  3. Client -> Server: Negotiate Dialect
  4. Server -> Client: Challenge, Dialect Selection
  5. Client -> Server: Username and Response
  6. Server -> Client: All OK -- Connected
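Steps 4 and 5 above and the relay figure before them, as an added example that is not part of the original lecture: the NTLMv2 challenge/response computed from the NT hash (MD4 is written out because hashlib often lacks it on OpenSSL 3), a server that verifies it, and a man-in-the-middle that hands the server's challenge to the client unchanged and the client's reply back to the server. The account, password, challenge, timestamp and client nonce are constructed; the AV_PAIR list in the blob is left empty for brevity.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    rounds = ((F, 0x00000000, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[j] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    proof = hmac.new(ntowf, server_challenge + blob, hashlib.md5).digest()
    return proof + blob            # NTProofStr || temp, as carried in the AUTHENTICATE message


class Client:
    def __init__(self, user, domain, password):
        self.user, self.domain = user, domain
        self.ntowf = ntowf_v2(password, user, domain)

    def respond(self, server_challenge: bytes):
        """Step 5: username and response. The blob is the NTLMv2 'temp' structure."""
        timestamp = struct.pack("<Q", 0x01D9A1B2C3D4E5F6)             # constructed FILETIME
        client_nonce = bytes.fromhex("0011223344556677")              # constructed
        blob = b"\x01\x01" + bytes(6) + timestamp + client_nonce + bytes(4) + bytes(4) + bytes(4)
        return self.user, self.domain, ntlmv2_response(self.ntowf, server_challenge, blob)


class Server:
    def __init__(self, accounts):
        self.accounts = accounts       # (user, domain) -> password; a real DC keeps the NT hash

    def verify(self, user, domain, challenge, response) -> bool:
        password = self.accounts.get((user, domain))
        if password is None or len(response) < 16:
            return False
        expected = hmac.new(ntowf_v2(password, user, domain), challenge + response[16:], hashlib.md5).digest()
        return hmac.compare_digest(expected, response[:16])


def relay(client: Client, server: Server, challenge: bytes) -> bool:
    """The SMB Relay figure applied to NTLMv2: the attacker obtained `challenge` from the real
    server, presents it to the client as his own, and forwards the client's reply."""
    user, domain, response = client.respond(challenge)   # the client believes it talks to the attacker
    return server.verify(user, domain, challenge, response)


def demo() -> dict:
    server = Server({("student", "CAMPUS"): "correct horse battery staple"})   # constructed account
    victim = Client("student", "CAMPUS", "correct horse battery staple")
    challenge = bytes.fromhex("0123456789abcdef")                             # constructed 8-byte challenge
    user, domain, resp = victim.respond(challenge)
    wrong = Client("student", "CAMPUS", "wrong password").respond(challenge)[2]
    return {"direct": server.verify(user, domain, challenge, resp),
            "wrong_password": server.verify(user, domain, challenge, wrong),
            "relayed": relay(victim, server, challenge)}
```

The relayed response verifies for the same reason the direct one does: the response binds the password and the server's challenge, but nothing identifies which server the client thought it was talking to. Forcing the LM dialect, as the slide's attacker does, only makes the captured response cheaper to crack offline; the relay itself works against NTLMv2 too, and what stops it is requiring SMB signing (or channel binding) so that a session the attacker did not derive keys for is rejected.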

WEB CRACKING

[Figure: student, server and evil hacker.]

SSL in Action

  1. Client -> Server: ClientHello
  2. Server -> Client: ServerHello
  3. Server -> Client: ServerKeyExchange
  4. Server -> Client: ServerHelloDone
  5. Client -> Server: ClientKeyExchange
  6. Client -> Server: ChangeCipherSpec
  7. Client -> Server: Finished
  8. Server -> Client: ChangeCipherSpec
  9. Server -> Client: Finished

The slide omits the server's Certificate message, which is sent between ServerHello and ServerKeyExchange; it is that certificate, not the key exchange, that the client checks to know which server it is talking to.

SSL WEB CRACKING

[Figure: student, server and evil hacker.]

DNS Cache Poisoning

[Figure, actors: Dr. Evil and his Evil DNS server; the rich student; the student's resolver (GOOD DNS); the bank and the bank's DNS.]

  Step 1: Dr. Evil asks GOOD DNS "Where is Evil?". GOOD DNS forwards the query to Evil DNS, which answers and stores the query ID GOOD DNS used.
  Step 2: Dr. Evil uses the stored query ID to predict the next query ID. The rich student asks GOOD DNS "Where is Bank?"; GOOD DNS asks Bank DNS "Are you Bank?", and Bank DNS answers "I am Bank".
  Step 3: Dr. Evil's forged answer "Dr. Evil is Bank", carrying the predicted query ID, reaches GOOD DNS first and is cached.
  Step 4: The rich student, now directed to Dr. Evil's address, asks "Can I bank with you?".
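The four steps above, as an added simulation that is not part of the original lecture: a toy resolver that accepts the first reply whose query ID and source port match an outstanding question, driven once with the early-resolver behaviour (sequential IDs, every query from port 53) and once with random IDs and ephemeral ports. The domain names and addresses are constructed; no DNS traffic is sent.

```python
import random

MASK16 = 0xFFFF


class Resolver:
    """GOOD DNS from the slides: one query per name, caches the first matching reply."""

    def __init__(self, next_id, next_port):
        self.next_id, self.next_port = next_id, next_port
        self.pending = {}            # (query_id, source_port) -> qname awaiting an answer
        self.cache = {}

    def ask(self, qname):
        qid, port = self.next_id(), self.next_port()
        self.pending[(qid, port)] = qname
        return qid, port             # seen by whoever runs the authoritative server for qname

    def answer(self, qid, port, qname, rdata) -> bool:
        """Classic acceptance test: ID and destination port match an outstanding query for qname."""
        if self.pending.get((qid, port)) != qname:
            return False
        del self.pending[(qid, port)]
        self.cache[qname] = rdata
        return True


def sequential_id_fixed_port(start=0x1000, port=53):
    """Weak early-resolver behaviour: IDs count up and every query leaves from port 53."""
    state = {"id": start}

    def next_id():
        state["id"] = (state["id"] + 1) & MASK16
        return state["id"]
    return next_id, lambda: port


def random_id_and_port(seed=None):
    """Modern behaviour: 16 random ID bits plus a random ephemeral source port per query."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    return (lambda: rng.randrange(0x10000)), (lambda: rng.randrange(1024, 0x10000))


def poison(resolver: Resolver) -> str:
    evil_ip, bank_ip = "203.0.113.9", "192.0.2.10"            # constructed addresses
    # Step 1: Dr. Evil asks about his own domain; the query reaches Evil DNS, which records
    # the query ID and source port GOOD DNS used.
    seen_id, seen_port = resolver.ask("evil.example")
    resolver.answer(seen_id, seen_port, "evil.example", evil_ip)
    # Step 2: the rich student asks "Where is Bank?"; Dr. Evil predicts the next ID.
    real_id, real_port = resolver.ask("bank.example")
    # Step 3: the forged answer races the genuine one and arrives first.
    resolver.answer((seen_id + 1) & MASK16, seen_port, "bank.example", evil_ip)
    resolver.answer(real_id, real_port, "bank.example", bank_ip)   # Bank DNS, a moment later
    # Step 4: whatever is cached now is where the student goes to "bank".
    return resolver.cache["bank.example"]
```

With sequential IDs and a fixed port the single forged packet wins and the genuine answer is discarded as unexpected; with random IDs and ports the forgery has roughly one chance in 2^32 per packet, and the real answer is the one cached. Randomisation raises the cost of the race but does not remove it, which is why the cryptographic answer is DNSSEC validation rather than more entropy.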

Summary

  The threat is real.
  It is hard to detect.
  A little understanding and situational awareness goes a long way toward preventing... and detecting.