Lesson 2: Network Security and Attacks
Computer Security Operational Model
Protection = Prevention + (Detection + Response)
– Prevention: Access Controls, Encryption, Firewalls
– Detection: Intrusion Detection
– Response: Incident Handling
• Intrusion detection
• Firewalls
• Encryption
• Authentication
• Security Design Review
• Security Integration Services
• 24 Hr Monitoring Services
• Remote Firewall Monitoring
• Vulnerability Assessment Services
• Vulnerability Scanners
Security Operational Model
A continuous cycle: Secure → Monitor → Evaluate → Improve → (Secure again)
Protocols
• A protocol is an agreed upon format for exchanging information.
• A protocol will define a number of parameters:
– Type of error checking
– Data compression method
– Mechanisms to signal reception of a transmission
• There are a number of protocols that have been established in the networking world.
OSI Reference Model
• ISO standard describing 7 layers of protocols
– Application: program-level communication
– Presentation: data conversion functions, data format, data encryption
– Session: coordinates communication between endpoints. Session state maintained for security.
– Transport: end-to-end transmission, controls data flow
– Network: routes data from one system to the next
– Data Link: handles passing of data between nodes
– Physical: manages the transmission media/HW connections
• You only have to communicate with the layer directly above and below
The OSI Model
[Figure: the seven layers stacked from top to bottom: Application, Presentation, Session, Transport, Network, Data-Link, Physical. The upper layers are implemented by software such as an operating system; the bottom layers are implemented by hardware.]
Each layer serves only its adjacent layers. Thus the software which implements the Transport Layer receives input from the Session Layer or the Network Layer.
TCP/IP Protocol Suite
• TCP/IP refers to two network protocols used on the Internet:
– Transmission Control Protocol (TCP)
– Internet Protocol (IP)
• TCP and IP are only two of a large group of protocols that make up the entire “suite”
• A “real-world” application of the layered concept.
• There is not a one-to-one relationship between the layers in the TCP/IP suite and the OSI Model.
OSI and TCP/IP comparison
OSI Model                         TCP/IP Protocol Suite
Application, Presentation,        NFS (over RPC), SMB, FTP, Telnet, SSH, SMTP, HTTP, NNTP   (application-level protocols)
Session
Transport                         TCP, UDP                                                   (network-level protocols)
Network                           IP, ICMP, ARP
Data-link, Physical               Physical
Communication Between Two Networks Via the Protocol Stack
[Figure: a Windows machine on an Ethernet sends an e-mail to a Linux machine on an FDDI network. The data passes down the sender's stack (Application, Presentation, Session, Transport, Network, Data-Link, Physical), a header (H) being added at each layer; the packet is transmitted via the network media; it then passes up the receiver's stack, each header being removed in turn.]
1. The Windows machine adds headers as the packet traverses down the TCP/IP stack from the sending application.
2. The Linux machine removes headers as the packet traverses up the TCP/IP stack to the receiving application.
TCP/IP Protocol Suite
[Figure: user processes sit on top of TCP and UDP; TCP and UDP sit on IP, with ICMP and IGMP alongside IP; IP sits on the hardware interface, with ARP and RARP alongside it; the hardware interface drives the media.]
TCP/IP Encapsulation
[Figure: an e-mail message is wrapped as it descends the stack]
1. Application layer: user data
2. Application layer: application header | user data
3. Transport layer (TCP or UDP): TCP header | application header | user data
4. Network layer (IP): IP header | TCP header | application header | user data
5. Data link layer (Ethernet driver): Ethernet header | IP header | TCP header | application header | user data | Ethernet trailer
IPv4 Header Layout
(IP packet; 20 bytes / 160 bits without options; each row is 4 bytes / 32 bits; bit positions 0, 4, 8, 16, 19, 32)
Row 1:  Version (4 bits) | Header Length (4 bits) | Type of Service (8 bits) | Total Length (16 bits)
Row 2:  Identification (16 bits) | Flags (3 bits) | Fragment Offset (13 bits)
Row 3:  Time to Live (8 bits) | Protocol (8 bits) | Header Checksum (16 bits)
Row 4:  Source Address (32 bits)
Row 5:  Destination Address (32 bits)
        Options (if any)
        Data
TCP Header Layout
(TCP packet; 20 bytes / 160 bits without options; each row is 4 bytes / 32 bits; bit positions 0, 4, 8, 16, 32)
Row 1:  Source Port (16 bits) | Destination Port (16 bits)
Row 2:  Sequence Number (32 bits)
Row 3:  Acknowledgement Number (32 bits)
Row 4:  Data Offset (4 bits) | Unused (6 bits) | Flags URG ACK PSH RST SYN FIN (6 bits) | Window (16 bits)
Row 5:  Checksum (16 bits) | Urgent Pointer (16 bits)
        Options / Padding
        Data
Establishment of a TCP connection (“3-way Handshake”)
1. Client → Server: SYN. Client sends connection request, specifying a port to connect to on the server.
2. Server → Client: SYN/ACK. Server responds with an acknowledgement and allocates an entry in its connection queue for the half-open connection.
3. Client → Server: ACK. Client returns an acknowledgement and the circuit is opened.
Ports
Packet One (client → server): Source Port 1033 | Destination Port 80 | Data
Packet Two (server → client): Source Port 80 | Destination Port 1033 | Data
UDP Header Layout
(8 bytes / 64 bits; each row is 4 bytes / 32 bits)
Row 1:  Source Port (16 bits) | Destination Port (16 bits)
Row 2:  Length (16 bits) | Checksum (16 bits)
        Data
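The header layouts above, the encapsulation slide and the "Ports" slide, worked as code. This is an added example written for this page, not code from the original slides: it packs and unpacks the 20-byte IPv4, 20-byte TCP and 8-byte UDP headers, wraps them in an Ethernet frame with its trailer, and verifies every checksum on the way back up. The MAC addresses, IP addresses, ports and payload bytes are constructed sample values.

```python
"""Added example (not from the original slides): build and decode the IPv4, TCP
and UDP headers of the layout slides and walk the encapsulation slide in both
directions. MACs, addresses, ports and payloads are constructed sample values."""
import struct
import zlib

# Flag bits in the order the TCP slide draws them: URG ACK PSH RST SYN FIN
TCP_FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def ip2b(addr):
    return bytes(int(o) for o in addr.split("."))


def checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; over a header carrying a correct checksum it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src, dst, proto, length):
    """TCP/UDP checksums also cover this 12-byte pseudo-header, so rewritten IP addresses break them."""
    return ip2b(src) + ip2b(dst) + struct.pack("!BBH", 0, proto, length)


def build_ipv4(src, dst, proto, payload, ident=1, ttl=64):
    """Version/IHL, TOS, Total Length, Identification, Flags+Offset, TTL, Protocol, Checksum, Src, Dst."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload), ident,
                      0x4000, ttl, proto, 0, ip2b(src), ip2b(dst))   # 0x4000 = DF set, offset 0
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"version": f[0] >> 4, "ihl": ihl, "total_length": f[2], "id": f[3],
            "flags": f[4] >> 13, "frag_offset": f[4] & 0x1FFF, "ttl": f[5], "protocol": f[6],
            "checksum_ok": checksum(pkt[:ihl]) == 0,
            "src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9])), "payload": pkt[ihl:f[2]]}


def build_tcp(src, dst, sport, dport, seq, ack, flags, payload=b"", window=65535):
    """Ports, Sequence, Acknowledgement, Data Offset + flag bits, Window, Checksum, Urgent Pointer."""
    bits = sum(TCP_FLAGS[f] for f in flags)
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, window, 0, 0)
    csum = checksum(pseudo_header(src, dst, 6, 20 + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_tcp(src, dst, seg):
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window, "urgent": urg,
            "flags": {n for n, b in TCP_FLAGS.items() if off_flags & b},
            "checksum_ok": checksum(pseudo_header(src, dst, 6, len(seg)) + seg) == 0,
            "payload": seg[(off_flags >> 12) * 4:]}


def build_udp(src, dst, sport, dport, payload):
    """Source Port, Destination Port, Length, Checksum (a computed 0 is sent as 0xFFFF)."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = checksum(pseudo_header(src, dst, 17, 8 + len(payload)) + hdr + payload) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + payload


def parse_udp(src, dst, dgram):
    sport, dport, length, _csum = struct.unpack("!HHHH", dgram[:8])
    return {"sport": sport, "dport": dport, "length": length, "payload": dgram[8:length],
            "checksum_ok": checksum(pseudo_header(src, dst, 17, length) + dgram[:length]) == 0}


def build_ethernet(dst_mac, src_mac, packet):
    """14-byte header (dst MAC, src MAC, EtherType 0x0800 = IPv4) plus the CRC-32 trailer (FCS)."""
    frame = dst_mac + src_mac + struct.pack("!H", 0x0800) + packet
    return frame + struct.pack("<I", zlib.crc32(frame))


def parse_ethernet(frame):
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    return {"dst": body[:6].hex(":"), "src": body[6:12].hex(":"), "payload": body[14:],
            "ethertype": struct.unpack("!H", body[12:14])[0], "fcs_ok": zlib.crc32(body) == fcs}


def demo():
    """Sender wraps the data (steps 1-5 of the encapsulation slide); receiver peels it off again."""
    src, dst = "10.0.0.5", "10.0.0.80"
    seg = build_tcp(src, dst, 1033, 80, seq=1000, ack=0, flags={"SYN"})    # ports as on the "Ports" slide
    frame = build_ethernet(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                           build_ipv4(src, dst, 6, seg))
    eth = parse_ethernet(frame)
    ip = parse_ipv4(eth["payload"])
    tcp = parse_tcp(ip["src"], ip["dst"], ip["payload"])
    dgram = build_udp(src, dst, 1034, 53, bytes.fromhex("123401000001000000000000"))  # DNS-shaped bytes
    return {"eth": eth, "ip": ip, "tcp": tcp, "udp": parse_udp(src, dst, dgram)}
```

Run `demo()` and inspect the returned dictionaries: the IP layer reports the protocol number and total length, the TCP layer the SYN flag and ports, and every `checksum_ok`/`fcs_ok` is true; flip one byte of a header and the corresponding check goes false, which is exactly what a receiving stack (or a sniffer decoding the frame) would notice.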
IP Centric Network
[Figure: protocols grouped by layer (as grouped in the figure), serving application domains such as retail, banking, B2B, medical and wholesale]
Layer 6/7: Applications -- Telnet, FTP, SNMP, SMTP, NFS, DNS, TFTP, NTP, RIP, BGP, Windows, X
Layer 5: Session
Layer 4: Transport -- TCP, UDP
Layer 3: Network -- IP, ICMP, IGMP, IGP, EGP (IPX and Appletalk shown alongside IP)
Layer 2 & 1: Data Link & Physical -- Ethernet, 802.3, 802.4, 802.5, 802.6, X.25, Frame Relay, SMDS, ATM, Arcnet, SLIP, PPP
“Twenty-six years after the Defense Department created the INTERNET as a means of maintaining vital communications needs in the event of nuclear war, that system has instead become the weak link in the nation's defense”
USA Today - 5 Jun 1996

“True hackers don't give up. They explore every possible way into a network, not just the well known ones.”
The hacker Jericho.

“By failing to prepare, you are preparing to fail.”
Benjamin Franklin
Typical Net-based Attacks -- Web
• “Popular” and receive a great deal of media attention.
• Attempt to exploit vulnerabilities in order to:
– Access sensitive data (e.g. credit card #’s)
– Deface the web page
– Disrupt, delay, or crash the server
– Redirect users to a different site
Typical Net-based Attacks -- Sniffing
• Essentially eavesdropping on the network
• Takes advantage of the shared nature of the transmission media.
• Passive in nature (i.e. just listening, not transmitting)
• The increased use of switching has made sniffing more difficult (less productive) but has not eliminated it (e.g. DNS poisoning can be used to convince target hosts to send us traffic intended for other systems)
Defeating Sniffer Attacks
• Detecting and Eliminating Sniffers
– Possible on a single box if you have control of the system
– Difficult (depending on OS) to impossible (if somebody splices the network and adds hardware) from the network perspective
• Safer Topologies
– Sniffers capture data only from the network segment they are attached to, so create segments
• Encryption
– If an attacker sniffs encrypted packets, who cares? (outside of traffic analysis, of course)
Typical Net-Based Attacks – Spoofing, Hijacking, Replay
• Spoofing attacks involve the attacker pretending to be someone else.
• Hijacking involves the assumption of another system's role in a “conversation” already taking place.
• Replay occurs when the attacker retransmits a series of packets previously sent to a target host.
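Replay in code: an added example written for this page, not from the original slides. It authenticates each message with an HMAC and shows that a receiver which checks only the MAC accepts a recorded stream again, while one that also tracks sequence numbers rejects the replay. The shared key, the message contents and the anti-replay window size are constructed assumptions.

```python
"""Added example (not from the original slides): a replay of authenticated
messages and the freshness check that defeats it. A MAC proves who sent a
message, not when; only a sequence number lets the receiver tell a recording
from the original. Key, messages and window size are constructed values."""
import hashlib
import hmac
import struct

KEY = b"constructed-shared-secret"    # assumption: already shared between the two ends
TAG_LEN = 32


def seal(key, seq, payload):
    """Wire format: 8-byte sequence number | payload | HMAC-SHA256 over both."""
    body = struct.pack("!Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify(key, msg):
    """Returns (seq, payload) if the MAC checks out, else None."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if len(body) < 8 or not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    return struct.unpack("!Q", body[:8])[0], body[8:]


class NaiveReceiver:
    """Checks only the MAC: a recorded 'transfer' is accepted again every time it is resent."""
    def __init__(self, key):
        self.key = key

    def accept(self, msg):
        return "ok" if verify(self.key, msg) else "bad mac"


class Receiver:
    """Checks the MAC and that the sequence number is new, with an anti-replay window
    so modest reordering is tolerated but nothing is ever accepted twice."""
    def __init__(self, key, window=64):
        self.key, self.window = key, window
        self.highest = -1
        self.seen = set()        # sequence numbers inside the window already accepted

    def accept(self, msg):
        parsed = verify(self.key, msg)
        if parsed is None:
            return "bad mac"
        seq, _payload = parsed
        if seq in self.seen or seq <= self.highest - self.window:
            return "replay"
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        return "ok"


def demo(receiver):
    """Three genuine messages, the same three played back by the attacker, then one with a forged tag."""
    recorded = [seal(KEY, i, b"transfer 100 to account 42") for i in range(3)]
    results = [receiver.accept(m) for m in recorded]          # original traffic
    results += [receiver.accept(m) for m in recorded]         # attacker replays the capture
    results.append(receiver.accept(recorded[0][:-TAG_LEN] + bytes(TAG_LEN)))   # tampered tag
    return results
```

`demo(NaiveReceiver(KEY))` accepts all six transfers; `demo(Receiver(KEY))` accepts the first three and reports the second three as replays. The tampered message is rejected by both, which is the point: integrity protection alone does not give freshness.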
Typical Net-Based Attacks – Denial of Service
• DOS and Distributed DOS (DDOS) attacks have received much attention in the media in the last year due to some high-profile attacks. Types:
– Flooding – sending more data than the target can process
– Crashing – sending data, often malformed, designed to disable the system or service
– Distributed – using multiple hosts in a coordinated attack effort against a target system.
A Distributed DoS in Action
[Figure, Registration Phase: the Client Hacker controls Master Hosts running master control programs, which in turn control Broadcast Hosts (broadcast agents) spread across the Internet. Agents announce themselves to a master (*Hello*), the master verifies the registration, and a ping/pong exchange (png / PONG) keeps the agents checked in.]
[Figure, The Attack Phase: on the Client Hacker's command, the broadcast agents across the Internet simultaneously launch UDP Flood Attacks against the Target.]
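Detection logic for the two flood types just described, run over a constructed packet log. This is an added example written for this page, not code from the original slides: a SYN flood is recognised as a pile-up of half-open connections (SYN seen, the third-leg ACK never arrives) against one target, and a UDP flood as a per-target packet-rate spike arriving from several agents. The addresses, timings and alert thresholds are assumptions chosen for the demo.

```python
"""Added example (not from the original slides): flood detection over a
constructed packet log. Addresses, timings and thresholds are assumptions."""
from collections import defaultdict

SYN_HALF_OPEN_LIMIT = 50     # half-open connections per target before alerting
UDP_PPS_LIMIT = 200          # UDP packets per second per target
WINDOW = 1.0                 # seconds of history kept per target


def detect_floods(packets):
    """packets: time-ordered (time, src, dst, proto, flags) tuples, as a sniffer or
    flow collector would emit them. Returns one alert per (kind, target)."""
    half_open = defaultdict(dict)      # target -> {source: time of its SYN}
    udp_recent = defaultdict(list)     # target -> [(time, source)] within WINDOW
    alerts, fired = [], set()

    def fire(t, kind, target, sources):
        if (kind, target) not in fired:
            fired.add((kind, target))
            alerts.append({"time": round(t, 3), "kind": kind, "target": target, "sources": sources})

    for t, src, dst, proto, flags in packets:
        if proto == "tcp":
            if "SYN" in flags and "ACK" not in flags:
                half_open[dst][src] = t                    # first leg of a handshake
            elif "ACK" in flags:
                half_open[dst].pop(src, None)              # third leg completes it
            half_open[dst] = {s: ts for s, ts in half_open[dst].items() if t - ts <= WINDOW}
            if len(half_open[dst]) > SYN_HALF_OPEN_LIMIT:
                fire(t, "syn-flood", dst, len(half_open[dst]))
        elif proto == "udp":
            recent = [(ts, s) for ts, s in udp_recent[dst] if t - ts <= WINDOW] + [(t, src)]
            udp_recent[dst] = recent
            if len(recent) > UDP_PPS_LIMIT * WINDOW:
                fire(t, "udp-flood", dst, len({s for _, s in recent}))
    return alerts


def sample_log():
    """Constructed traffic: three normal handshakes, then a spoofed-source SYN flood
    against the web server, then a UDP flood from five agents against the DNS server."""
    pkts, t = [], 0.0
    for i in range(3):
        client = "192.0.2.%d" % (i + 1)
        pkts += [(t, client, "10.0.0.80", "tcp", {"SYN"}),
                 (t + 0.01, "10.0.0.80", client, "tcp", {"SYN", "ACK"}),
                 (t + 0.02, client, "10.0.0.80", "tcp", {"ACK"})]
        t += 0.1
    for i in range(80):                      # sources are spoofed, so no ACK ever follows
        pkts.append((t + i * 0.005, "198.51.100.%d" % (i + 1), "10.0.0.80", "tcp", {"SYN"}))
    t += 1.0
    for i in range(300):                     # five broadcast agents, as in the DDoS figure
        pkts.append((t + i * 0.001, "203.0.113.%d" % (i % 5 + 1), "10.0.0.53", "udp", set()))
    return pkts


if __name__ == "__main__":
    for alert in detect_floods(sample_log()):
        print(alert)
```

The first nine packets (the legitimate handshakes) raise nothing; the SYN flood trips the alert on the 51st half-open connection, and the UDP flood on the 201st packet inside the one-second window, with the alert also reporting how many distinct sources were involved, which is what separates a distributed attack from a single noisy host.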
How CODE RED Works
– The first infected system sends out 100 probes, scanning to find new victims.
– Each new victim scans the same “random” address space and starts the scanning process over again.
– From the 20th of the month to the end of the month, the primary target is www.whitehouse.gov.
How NIMDA Works
– The first infected system attacks a vulnerable host, which fetches Admin.dll from the attacking system via tftp (the file contains the NIMDA payload).
– An infected system then spreads in several ways at once: it sends infected e-mail attachments, NIMDA attaches itself to web pages on the infected server, the system scans the network for vulnerable IIS web servers, and NIMDA propagates via open file shares.
– NIMDA prefers to target its neighbours.
– Very rapid propagation.
Common Attacks
• IP Spoofing
• Session Hijacking
• WWW Cracking
• DNS Cache Poisoning
The TCP connection (“3-way Handshake”), recap
1. Client → Server: SYN. Client sends connection request, specifying a port to connect to on the server.
2. Server → Client: SYN/ACK. Server responds with both an acknowledgement and a queue entry for the connection.
3. Client → Server: ACK. Client returns an acknowledgement and the circuit is opened.
The TCP Connection in Depth
1. Client → Server: SYN (Client, ISNclient)
2. Server → Client: SYN (Server, ISNserver), ACK (Client, ISNclient+1)
3. Client → Server: ACK (Server, ISNserver+1)
ISN -- Initial Sequence Number
The TCP Reset
[Figure: the Student sends SYN (Student, ISNstudent) to the Server; the Server answers SYN (Server, ISNserver), ACK (Student, ISNstudent+1); the Evil hacker injects a RESET into the exchange and the connection is torn down.]
IP Address Spoofing
[Figure: the Evil hacker sends SYN (Student, ISNstudent) using the Student's source address. The Server's SYN (Server, ISNserver), ACK (Student, ISNstudent+1) goes to the real Student, so the hacker never sees it. To complete the handshake the hacker must guess the Server's ISN and send ACK (Server, ISNserver+1), again as the Student.]
[Figure: meanwhile the real Student, which would otherwise answer the unexpected SYN/ACK with a reset, is kept off the network by a DOS such as the PING OF DEATH.]
Session Hijacking
[Figure: a TCP connection is established between the Student and the Server. The Evil hacker injects traffic into it claiming “Hey, I am the Student”, then sends a TCP RESET to knock the real Student out of the conversation.]
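The connection, reset, spoofing and hijacking slides above as one runnable model. This is an added example written for this page, not code from the original slides. The attacker never sees the Server's SYN/ACK because it is addressed to the Student, so the blind ACK only succeeds when the Server's ISN is predictable; with a sniffer on the segment the attacker instead reads the Student's sequence number and can inject data and a RST directly. The 64000-per-connection ISN increment (old BSD behaviour), the peer names, sequence values and the window size are assumptions for the demo.

```python
"""Added example (not from the original slides): toy TCP server used to show why
a blind spoof needs a predictable ISN, and how a sniffed sequence number lets an
attacker inject data and reset a session. ISN schemes, names and numbers are assumptions."""
import os

MASK = 0xFFFFFFFF
WINDOW = 65535


class Server:
    """Keyed by peer address: hands out an ISN on SYN, opens the connection only when the
    third-leg ACK equals ISN+1, and honours data/RST only if the sequence numbers fit."""

    def __init__(self, next_isn):
        self.next_isn = next_isn      # callable producing the next ISN
        self.pending = {}             # peer -> ISN sent in SYN/ACK
        self.established = {}         # peer -> [server seq, expected peer seq]

    def syn(self, peer, peer_isn):
        isn = self.next_isn()
        self.pending[peer] = isn
        return ("SYN/ACK", isn, (peer_isn + 1) & MASK)   # delivered to `peer`'s address, whoever sent the SYN

    def ack(self, peer, ack_no, peer_seq):
        isn = self.pending.get(peer)
        if isn is None or ack_no != (isn + 1) & MASK:
            return "dropped"                                # wrong acknowledgement number
        del self.pending[peer]
        self.established[peer] = [(isn + 1) & MASK, peer_seq]
        return "established"

    def data(self, peer, seq, payload):
        if peer not in self.established:
            return "no connection"
        if seq != self.established[peer][1]:
            return "out of sequence"
        self.established[peer][1] = (seq + len(payload)) & MASK
        return "accepted %d bytes" % len(payload)

    def rst(self, peer, seq):
        """A RST is honoured when its sequence number lies inside the receive window."""
        if peer in self.established:
            expected = self.established[peer][1]
            if expected <= seq < expected + WINDOW:
                del self.established[peer]
                return "connection torn down"
        return "ignored"


def predictable_isn(start=100000):
    """ISN grows by a fixed 64000 per connection, as early BSD stacks did (assumption for the demo)."""
    state = {"isn": start}

    def nxt():
        state["isn"] = (state["isn"] + 64000) & MASK
        return state["isn"]
    return nxt


def random_isn():
    return lambda: int.from_bytes(os.urandom(4), "big")


def blind_spoof(server):
    """IP address spoofing slide: 1) connect from the attacker's own address to sample the
    current ISN; 2) the Student is assumed knocked offline (Ping of Death) so it cannot RST
    the SYN/ACK it receives; 3) SYN as the Student and ACK with the predicted ISN+1 blind."""
    _, sampled, _ = server.syn("evil", 1)
    server.ack("evil", (sampled + 1) & MASK, 2)
    guess = (sampled + 64000) & MASK                  # prediction for the very next connection
    server.syn("student", 5000)                       # SYN/ACK goes to the real Student, unseen
    return server.ack("student", (guess + 1) & MASK, 5001)


def hijack(server):
    """Session hijacking and TCP reset slides: the Student connects normally; a sniffer gives
    the attacker the Student's current sequence number, so the attacker injects
    "Hey, I am the Student" in sequence and then RSTs the real Student off the connection."""
    _, isn, _ = server.syn("student", 7000)
    server.ack("student", (isn + 1) & MASK, 7001)
    sniffed_seq = 7001                                # read off the wire by a sniffer
    payload = b"Hey, I am the Student"
    injected = server.data("student", sniffed_seq, payload)
    torn = server.rst("student", sniffed_seq + len(payload))
    return injected, torn


if __name__ == "__main__":
    print("predictable ISN, blind spoof:", blind_spoof(Server(predictable_isn())))
    print("random ISN, blind spoof:     ", blind_spoof(Server(random_isn())))
    print("sniffed seq, hijack + reset: ", hijack(Server(random_isn())))
```

Against the predictable generator the blind spoof completes the handshake; against the random one the guessed ACK is dropped. The hijack succeeds regardless of the ISN scheme because the attacker is on the path and reads the sequence number rather than guessing it, which is why the segmentation and encryption advice from the sniffing slides matters even on stacks with randomised ISNs.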
SMB
• Server Message Block (SMB) -- an application layer protocol that allows system resources to be shared across networks
• An old technology developed by MS and Intel
• Several versions of authentication over the network:
– Plaintext: easy to sniff
– LanMan: stronger than plaintext, uses a password hash
– NTLM: challenge/response; the password hash is used to encrypt the server's challenge, and only that ciphertext crosses the wire
SMB Relay Man-in-the-Middle Attack
[Figure: the EVIL HACKER sits between CLIENT and SERVER and relays each message:]
Client → Hacker → Server: Session Request
Server → Hacker → Client: Name OK
Client → Hacker: Dialect (negotiate request)
Hacker → Server: Dialect w/o NT4 security
Server → Hacker → Client: Dialect Selection, Challenge
Client → Hacker → Server: Reply
Server → Hacker → Client: Session OK
Attacker forces weaker LANMAN authentication!
Windows Authentication: LANMAN vs NTLMv2
1. Client → Server: Session Request
2. Server → Client: Session Response -- NETBIOS name OK
3. Client → Server: Negotiate Dialect
4. Server → Client: Challenge, Dialect Selection
5. Client → Server: Username and Response
6. Server → Client: All OK -- Connected
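The dialect negotiation of the two slides above, with the relay's downgrade and the client-side check that stops it. This is an added example written for this page, not code from the original slides or any SMB implementation: the EVIL HACKER forwards the client's Negotiate request minus the NT dialect, so the server can only select a LANMAN-era dialect. The dialect strings are the well-known SMB1 ones; the message shapes, the server's "strongest common dialect" rule and the client's minimum-dialect policy are assumptions for the demo.

```python
"""Added example (not from the original slides): toy SMB dialect negotiation with a
man-in-the-middle downgrade. Dialect strings are the SMB1 ones; the exchange
format, selection rule and client policy check are assumptions for the demo."""

# Listed weakest to strongest; later dialects bring stronger authentication.
DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "LM1.2X002", "LANMAN2.1", "NT LM 0.12"]
RANK = {d: i for i, d in enumerate(DIALECTS)}
CHALLENGE = b"\x11\x22\x33\x44\x55\x66\x77\x88"    # constructed 8-byte server challenge


def server_negotiate(offered):
    """Step 4: pick the strongest dialect both sides know and return it with a challenge."""
    common = [d for d in offered if d in RANK]
    if not common:
        return None
    return {"dialect": max(common, key=RANK.get), "challenge": CHALLENGE}


def evil_relay(negotiate_request):
    """The man in the middle forwards the request 'w/o NT4 security'."""
    return [d for d in negotiate_request if d != "NT LM 0.12"]


def client_session(offered, minimum="PC NETWORK PROGRAM 1.0", in_the_middle=None):
    """Steps 3-5 from the client's view. `minimum` is the weakest dialect the client will
    authenticate with; a client with no such floor simply follows the downgrade."""
    transcript = [("client->server", "Negotiate Dialect", list(offered))]
    on_the_wire = in_the_middle(offered) if in_the_middle else list(offered)
    if on_the_wire != list(offered):
        transcript.append(("hacker->server", "Negotiate Dialect", on_the_wire))
    reply = server_negotiate(on_the_wire)
    if reply is None:
        transcript.append(("client", "no common dialect", None))
        return transcript
    transcript.append(("server->client", "Dialect Selection, Challenge", reply["dialect"]))
    if RANK[reply["dialect"]] < RANK[minimum]:
        transcript.append(("client", "refused: dialect below policy minimum", reply["dialect"]))
        return transcript
    auth = "NTLM response" if reply["dialect"] == "NT LM 0.12" else "LANMAN response"
    transcript.append(("client->server", "Username and " + auth, reply["dialect"]))
    return transcript


def outcome(transcript):
    """Last line of the exchange: what the client ended up doing."""
    return transcript[-1][1]


if __name__ == "__main__":
    for step in client_session(DIALECTS, in_the_middle=evil_relay):
        print(step)
    print(outcome(client_session(DIALECTS, minimum="NT LM 0.12", in_the_middle=evil_relay)))
```

Without the relay the client authenticates with "NT LM 0.12"; with the relay and no policy floor it sends a LANMAN response to a challenge the attacker can relay or crack offline; with the floor set to the NT dialect it refuses. The same idea, a client that will not negotiate below a configured minimum, is the generic defence against any downgrade attack.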
WEB CRACKING
[Figure: Student, Server, Evil hacker]
SSL in Action
1. Client → Server: ClientHello
2. Server → Client: ServerHello
3. Server → Client: ServerKeyExchange
4. Server → Client: ServerHelloDone
5. Client → Server: ClientKeyExchange
6. Client → Server: ChangeCipherSpec
7. Client → Server: Finished
8. Server → Client: ChangeCipherSpec
9. Server → Client: Finished
SSL WEB CRACKING
[Figure: Student, Server, Evil hacker]
DNS Cache Poisoning - Step 1
[Figure: Dr. Evil, Evil DNS, GOOD DNS, Rich Student, Bank, Bank DNS]
Dr. Evil asks GOOD DNS “Where is Evil?”. GOOD DNS forwards the query “Where is Evil?” to Evil DNS, and Dr. Evil stores the query ID.
DNS Cache Poisoning - Step 2
Dr. Evil asks GOOD DNS “Where is Bank?”. GOOD DNS asks Bank DNS “Are You Bank?”. Dr. Evil uses the stored query ID to predict the next query ID and answers “I am Bank” first.
DNS Cache Poisoning - Step 3
Rich Student asks GOOD DNS “Where is Bank?”. GOOD DNS answers from its poisoned cache: “Dr. Evil is Bank”.
DNS Cache Poisoning - Step 4
Rich Student connects to Dr. Evil: “Can I Bank With You?”
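The four steps as a runnable model. This is an added example written for this page, not code from the original slides or any DNS server: GOOD DNS is a resolver whose sequential query IDs let Dr. Evil, who sees the ID of the query for his own zone, predict the next ID and land a forged "I am Bank" answer before Bank DNS does; with random IDs the forged answer misses and the genuine one is cached. The names, addresses and ID schemes are assumptions for the demo.

```python
"""Added example (not from the original slides): toy resolver showing query-ID
prediction. Names, addresses and the ID generators are assumptions for the demo."""
import os

EVIL_IP = "203.0.113.66"      # Dr. Evil's server
BANK_IP = "198.51.100.10"     # the real Bank


class Resolver:
    """GOOD DNS: caches answers and matches replies to outstanding queries by ID."""
    def __init__(self, next_id):
        self.next_id = next_id    # callable producing the next query ID
        self.cache = {}           # name -> address
        self.pending = {}         # query id -> name being resolved

    def lookup(self, name):
        """Returns (cached answer, None) or (None, query id sent upstream)."""
        if name in self.cache:
            return self.cache[name], None
        qid = self.next_id()
        self.pending[qid] = name
        return None, qid

    def reply(self, qid, name, address):
        """First reply whose ID matches an outstanding query for `name` wins the cache."""
        if self.pending.get(qid) != name:
            return False
        del self.pending[qid]
        self.cache[name] = address
        return True


def sequential_ids(start=1000):
    state = {"id": start}

    def nxt():
        state["id"] = (state["id"] + 1) & 0xFFFF
        return state["id"]
    return nxt


def random_ids():
    return lambda: int.from_bytes(os.urandom(2), "big")


def predict_next(observed, burst=1):
    """Dr. Evil's guess: the next ID(s) after the one he stored in step 1."""
    return [(observed + k) & 0xFFFF for k in range(1, burst + 1)]


def poison(good_dns, guesser):
    # Step 1: "Where is Evil?" -- GOOD DNS queries Evil DNS, so Dr. Evil sees the query ID.
    _, observed = good_dns.lookup("evil.example")
    good_dns.reply(observed, "evil.example", EVIL_IP)        # Evil DNS answers its own zone
    # Step 2: "Where is Bank?" -- GOOD DNS asks Bank DNS "Are You Bank?"; Dr. Evil races
    # forged "I am Bank" replies carrying the predicted ID(s).
    _, real_qid = good_dns.lookup("bank.example")
    for guess in guesser(observed):
        if good_dns.reply(guess, "bank.example", EVIL_IP):
            break
    good_dns.reply(real_qid, "bank.example", BANK_IP)        # genuine answer arrives second
    # Steps 3-4: Rich Student asks "Where is Bank?" and is sent to whatever is cached.
    answer, _ = good_dns.lookup("bank.example")
    return answer


if __name__ == "__main__":
    print("sequential IDs:", poison(Resolver(sequential_ids()), predict_next))
    print("random IDs:    ", poison(Resolver(random_ids()), predict_next))
```

With sequential IDs the Student is sent to Dr. Evil's address; with random IDs the forged reply is dropped and the Bank's real address is cached. A 16-bit random ID alone is still a small space for an attacker who can send many forged replies per query, which is why real resolvers also randomise the source port and why the answer's question section must match the outstanding query.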
Summary
• The threat is real
• Hard to detect
• A little understanding and situational awareness can go a long way toward preventing…and detecting