Lesson 2 Network Security and Attacks
Jan 04, 2016
Computer Security Operational Model
Protection = Prevention + (Detection + Response)
Diagram: Prevention is backed by Access Controls, Encryption and Firewalls; Detection and Response are backed by Intrusion Detection and Incident Handling.
• Intrusion detection
• Firewalls
• Encryption
• Authentication
• Security Design Review
• Security Integration Services
• 24 Hr Monitoring Services
• Remote Firewall Monitoring
• Vulnerability Assessment Services
• Vulnerability Scanners
Security Operational Model
Diagram: a cycle of four phases: Improve, Monitor, Secure, Evaluate.
Protocols
• A protocol is an agreed-upon format for exchanging information.
• A protocol will define a number of parameters:
– Type of error checking
– Data compression method
– Mechanisms to signal reception of a transmission
• There are a number of protocols that have been established in the networking world.
OSI Reference Model
• ISO standard describing 7 layers of protocols
– Application: program-level communication
– Presentation: data conversion functions, data format, data encryption
– Session: coordinates communication between endpoints. Session state maintained for security.
– Transport: end-to-end transmission, controls data flow
– Network: routes data from one system to the next
– Data Link: handles passing of data between nodes
– Physical: manages the transmission media/HW connections
• You only have to communicate with the layer directly above and below
The OSI Model
Diagram: the seven layers stacked from Application (top) through Presentation, Session, Transport, Network and Data-Link to Physical (bottom). Labels mark the layers implemented by hardware and those implemented by software such as an operating system.
Each layer serves only its adjacent layers. Thus the software which implements the Transport Layer receives input from the Session Layer or the Network Layer.
TCP/IP Protocol Suite
• TCP/IP refers to two network protocols used on the Internet:
– Transmission Control Protocol (TCP)
– Internet Protocol (IP)
• TCP and IP are only two of a large group of protocols that make up the entire "suite"
• A "real-world" application of the layered concept.
• There is not a one-to-one relationship between the layers in the TCP/IP suite and the OSI Model.
OSI and TCP/IP comparison
OSI Model                              | TCP/IP Protocol Suite
Application, Presentation, Session     | NFS (over RPC), FTP, Telnet, SSH, SMTP, SMB, HTTP, NNTP
Transport                              | TCP, UDP
Network                                | IP, ICMP, ARP
Data-link, Physical                    | Physical
The slide groups the upper rows as application-level protocols and the lower rows as network-level protocols.
Communication Between Two Networks Via the Protocol Stack
Diagram: a Windows machine on an Ethernet sends an email to a Linux machine on a FDDI network. Each side shows the seven layers (Application, Presentation, Session, Transport, Network, Data-Link, Physical); a header (H) is added to the data at each layer on the way down and removed at each layer on the way up. The packet is transmitted via the network media (Ethernet, FDDI).
1 The Windows machine adds headers as the packet traverses down the TCP/IP stack from the sending application.
2 The Linux machine removes headers as the packet traverses up the TCP/IP stack to the receiving application.
TCP/IP Protocol Suite
Diagram: user processes sit on top of TCP and UDP; both run over IP, with ICMP and IGMP alongside IP; IP runs over the hardware interface, with ARP and RARP alongside it; the hardware interface connects to the media.
TCP/IP Encapsulation
Diagram: an email's user data is wrapped by one layer at a time on its way down the stack.
1 Application layer: Application Header + User Data
2 Transport layer (TCP or UDP): TCP Header + Application Header + User Data
3 Network layer (IP): IP Header + TCP Header + Application Header + User Data
4 Data Link layer (Ethernet driver): Ethernet Header + IP Header + TCP Header + Application Header + User Data + Ethernet Trailer
5 The resulting frame is sent on the Ethernet.
IPv4 Header Layout
Each row is 4 bytes (32 bits); the fixed header is 20 bytes (160 bits) before any options. Bit boundaries on the slide: 4, 8, 16, 19, 32.
Row 1: Version (4 bits) | Header Length (4 bits) | Type of Service (8 bits) | Total Length (16 bits)
Row 2: Identification (16 bits) | Flags (3 bits) | Fragment Offset (13 bits)
Row 3: Time to Live (8 bits) | Protocol (8 bits) | Header Checksum (16 bits)
Row 4: Source IP Address (32 bits)
Row 5: Destination IP Address (32 bits)
Row 6: Options (variable)
Data follows the header.
TCP Header Layout
Each row is 4 bytes (32 bits); the fixed header is 20 bytes (160 bits) before any options. Bit boundaries on the slide: 4, 8, 16, 32.
Row 1: Source Port (16 bits) | Destination Port (16 bits)
Row 2: Sequence Number (32 bits)
Row 3: Acknowledgement Number (32 bits)
Row 4: Data Offset (4 bits) | Unused (6 bits) | Flags URG, ACK, PSH, RST, SYN, FIN (6 bits) | Window (16 bits)
Row 5: Checksum (16 bits) | Urgent Pointer (16 bits)
Row 6: Options and Padding (variable)
Data follows the header.
Establishment of a TCP connection ("3-way Handshake")
1 Client -> Server: SYN. Client sends connection request, specifying a port to connect to on the server.
2 Server -> Client: SYN/ACK. Server responds with both an acknowledgement and a queue for the connection.
3 Client -> Server: ACK. Client returns an acknowledgement and the circuit is opened.
Ports
Packet One (client to server): Source Port 1033, Destination Port 80, Data
Packet Two (server back to client): Source Port 80, Destination Port 1033, Data
UDP Header Layout
Each row is 4 bytes (32 bits); the whole header is 8 bytes (64 bits).
Row 1: Source Port (16 bits) | Destination Port (16 bits)
Row 2: Length (16 bits) | Checksum (16 bits)
Data follows the header.
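As an added example (not part of the lecture), the Python below builds a constructed Ethernet/IPv4/TCP frame stacked exactly as the encapsulation diagram shows, then parses it back following the IPv4, TCP and UDP header layouts above, validating the length fields and the IPv4 header checksum as a receiving host must. The MAC addresses, IP addresses and payload are constructed sample values; VLAN tags, IPv6 and IP options beyond the header-length field are not handled.

```python
import struct

TCP_FLAGS = (("URG", 32), ("ACK", 16), ("PSH", 8), ("RST", 4), ("SYN", 2), ("FIN", 1))

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; a valid header sums to 0."""
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_frame(payload: bytes, sport=1033, dport=80, seq=1, flags=0x18) -> bytes:
    """Encapsulate as in the slides: user data -> TCP header -> IP header -> Ethernet frame."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))   # constructed addresses
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in Header Checksum
    return bytes.fromhex("001122334455 66778899aabb 0800") + ip + tcp   # dst MAC, src MAC, IPv4

def parse_frame(frame: bytes) -> dict:
    """Peel the layers back off, validating length fields and checksum as a receiver must."""
    if len(frame) < 34:
        raise ValueError("truncated frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth_dst": dst.hex(":"), "eth_src": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:          # only IPv4 is decoded in this example
        return out
    ip = frame[14:]
    ver_ihl, _, total_len, _, flags_off, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ip):
        raise ValueError("bad IPv4 length fields")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    out.update(ip_src=".".join(map(str, sip)), ip_dst=".".join(map(str, dip)), ttl=ttl,
               protocol=proto, frag_offset=flags_off & 0x1FFF)
    l4 = ip[ihl:total_len]           # Total Length bounds the payload; Ethernet padding is dropped
    if proto == 6:                   # TCP header: 20 bytes plus options
        sport, dport, seq, ack, off_flags, win, _, _ = struct.unpack("!HHIIHHHH", l4[:20])
        doff = (off_flags >> 12) * 4
        out.update(sport=sport, dport=dport, seq=seq, ack=ack, window=win,
                   flags={n for n, b in TCP_FLAGS if off_flags & b}, payload=l4[doff:])
    elif proto == 17:                # UDP header: 8 bytes
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        out.update(sport=sport, dport=dport, payload=l4[8:ulen])
    return out
```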
IP Centric Network
Diagram: a protocol map built around IP.
Layer 6/7, Applications: Telnet, FTP, SNMP, SMTP, NFS, DNS, TFTP, NTP, with business applications (retail banking, B2B, medical, wholesale, Windows X) on top
Layer 5, Session
Layer 4, Transport: TCP, UDP
Layer 3, Network: IP, ICMP, IGMP, IGP, EGP, RIP, BGP
Layer 2 & 1, Data Link & Physical: Ethernet, 802.3, 802.4, 802.5, 802.6, SMDS, X.25, Frame Relay, SLIP, PPP, ATM, Arcnet; IPX and Appletalk are also shown
"Twenty-six years after the Defense Department created the INTERNET as a means of maintaining vital communications needs in the event of nuclear war, that system has instead become the weak link in the nation's defense." USA Today - 5 Jun 1996
"True hackers don't give up. They explore every possible way into a network, not just the well known ones." The hacker Jericho.
"By failing to prepare, you are preparing to fail." Benjamin Franklin
Typical Net-based Attacks -- Web
• "Popular" and receive a great deal of media attention.
• Attempt to exploit vulnerabilities in order to:
– Access sensitive data (e.g. credit card #'s)
– Deface the web page
– Disrupt, delay, or crash the server
– Redirect users to a different site
Typical Net-based Attacks -- Sniffing
• Essentially eavesdropping on the network
• Takes advantage of the shared nature of the transmission media.
• Passive in nature (i.e. just listening, not broadcasting)
• The increased use of switching has made sniffing more difficult (less productive) but has not eliminated it (e.g. DNS poisoning allows an attacker to convince target hosts to send traffic intended for other systems to the attacker's system instead)
Defeating Sniffer Attacks
• Detecting and eliminating sniffers
– Possible on a single box if you have control of the system
– Difficult (depending on OS) to impossible (if somebody splices the network and adds hardware) from the network perspective
• Safer topologies
– Sniffers capture data from the network segment they are attached to, so create segments
• Encryption
– If you sniff encrypted packets, who cares? (outside of traffic analysis, of course)
Typical Net-Based Attacks -- Spoofing, Hijacking, Replay
• Spoofing attacks involve the attacker pretending to be someone else.
• Hijacking involves the assumption of another system's role in a "conversation" already taking place.
• Replay occurs when the attacker retransmits a series of packets previously sent to a target host.
Typical Net-Based Attacks -- Denial of Service
• DoS and Distributed DoS (DDoS) attacks have received much attention in the media in the last year due to some high-profile attacks. Types:
– Flooding: sending more data than the target can process
– Crashing: sending data, often malformed, designed to disable the system or service
– Distributed: using multiple hosts in a coordinated attack effort against a target system.
A Distributed DoS in Action
Diagram, registration phase: the client (hacker) controls master hosts running master control programs; across the Internet, broadcast hosts running broadcast agents announce themselves to the masters ("Hello"), and the masters verify the registration (ping/"PONG" exchange).
Diagram, attack phase: on the client's command, the broadcast agents on the broadcast hosts each launch a UDP flood attack across the Internet against the target.
How CODE RED Works
Diagram: the first infected system scans to find new victims (100 system probes); each new victim scans the same "random" address space.
- Each new victim starts the scanning process over again
- From the 20th to the end of the month, the primary target is www.whitehouse.gov
How NIMDA Works
Diagram: the attacking system infects the first system, which retrieves Admin.dll (containing the NIMDA payload) from the attacking system via tftp. The infected system then sends infected email attachments, NIMDA attaches itself to web pages on the infected server, the infected system scans the network for vulnerable IIS web servers, and NIMDA propagates via open file shares.
- NIMDA prefers to target its neighbors
- Very rapid propagation
Common Attacks
• IP Spoofing
• Session Hijacking
• WWW Cracking
• DNS Cache Poisoning
The TCP Connection in Depth ("3-way Handshake")
1 Client -> Server: SYN (Client, ISNclient). Client sends connection request, specifying a port to connect to on the server.
2 Server -> Client: SYN (Server, ISNserver), ACK (Client, ISNclient+1). Server responds with both an acknowledgement and a queue for the connection.
3 Client -> Server: ACK (Server, ISNserver+1). Client returns an acknowledgement and the circuit is opened.
ISN -- Initial Sequence Number
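To make the handshake and the role of the ISN concrete, here is an added simulation (example code, not from the lecture) of the server side: it answers a SYN with a SYN/ACK carrying its own ISN, completes the connection only when the final ACK carries ISNclient+1 and acknowledges exactly ISNserver+1, and honours a RST only when its sequence number is the one currently expected. The peer names, the dict-free `Segment` type and the `isn_source` hook are assumptions; the default draws a random ISN, and passing a fixed value for `isn_source` reproduces the predictable-ISN condition that the reset and spoofing slides that follow rely on.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str                 # sender identity; stands in for source IP and port
    flags: frozenset
    seq: int
    ack: int = 0

class Listener:
    """Server side of the slides' handshake: SYN -> SYN/ACK -> ACK, one ISN per peer."""
    def __init__(self, isn_source=lambda: secrets.randbits(32)):
        self.isn_source = isn_source   # unpredictable ISNs are the defence against guessing
        self.half_open = {}            # peer -> (client ISN, server ISN) once the SYN arrived
        self.established = {}          # peer -> next sequence number expected from that peer

    def handle(self, seg):
        """Process one segment; return the reply segment, or None when it is dropped."""
        if seg.flags == {"SYN"}:
            server_isn = self.isn_source()
            self.half_open[seg.src] = (seg.seq, server_isn)
            return Segment("server", frozenset({"SYN", "ACK"}), server_isn, seg.seq + 1)
        if "ACK" in seg.flags and seg.src in self.half_open:
            client_isn, server_isn = self.half_open[seg.src]
            # The final ACK must carry client ISN+1 and acknowledge exactly server ISN+1.
            if seg.seq == client_isn + 1 and seg.ack == server_isn + 1:
                del self.half_open[seg.src]
                self.established[seg.src] = client_isn + 1
                return Segment("server", frozenset({"ACK"}), server_isn + 1, client_isn + 1)
            return None                # an ACK built on a wrong ISN is silently dropped
        if "RST" in seg.flags and seg.src in self.established:
            if seg.seq == self.established[seg.src]:   # only an in-sequence RST tears down
                del self.established[seg.src]
        return None

def handshake(listener, peer, client_isn):
    """Drive a legitimate client through all three steps; True once the circuit is open."""
    synack = listener.handle(Segment(peer, frozenset({"SYN"}), client_isn))
    if synack is None or synack.ack != client_isn + 1:
        return False
    listener.handle(Segment(peer, frozenset({"ACK"}), client_isn + 1, synack.seq + 1))
    return peer in listener.established

def blind_third_step(listener, peer, client_isn, guessed_server_isn):
    """The slides' 'Guess Server ISN' case: the SYN/ACK is never seen, so the final ACK
    carries a guess; it completes the handshake only if the guess equals the real ISN."""
    listener.handle(Segment(peer, frozenset({"SYN"}), client_isn))
    listener.handle(Segment(peer, frozenset({"ACK"}), client_isn + 1, guessed_server_isn + 1))
    return peer in listener.established
```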
The TCP Reset
Diagram: student and server complete the handshake (SYN (Student, ISNstudent); SYN (Server, ISNserver), ACK (Student, ISN+1)); the evil hacker then injects a RESET into the connection.
IP Address Spoofing
Diagram: the evil hacker sends SYN (Student, ISNstudent) with the student's address as the source; the server replies SYN (Server, ISNserver), ACK (Student, ISN+1) to the student, not to the hacker; to finish the handshake the hacker must guess the server ISN and send ACK (Server, ISNserver+1). The diagram also marks a DoS (Ping of Death) on the student's side.
Session Hijacking
Diagram: a TCP connection is established between student and server; the evil hacker sends a TCP RESET to the student and continues the conversation with the server: "Hey, I am the Student".
SMB
• Server Message Block (SMB) -- an application layer protocol that allows system resources to be shared across networks
• An old technology developed by MS and Intel
• Several versions of authentication over the network
– Plaintext: easy to sniff
– LanMan: stronger than plaintext, uses PW hash
– NTLM: PW hash plus ciphertext
SMB Relay Man-in-the-Middle Attack
Diagram: the evil hacker sits between client and server and relays each step: Session Request; Name OK; Dialect (forwarded to the server as a dialect without NT4 security); Dialect Selection, Challenge; Reply; Session OK.
Attacker forces weaker LANMAN authentication!
Windows Authentication: LANMAN vs NTLMv2
Exchange between client and server:
1 Session Request
2 Session Response -- NetBIOS name OK
3 Negotiate Dialect
4 Challenge, Dialect Selection
5 Username and Response
6 All OK -- Connected
WEB CRACKING
Diagram: student, server and evil hacker.
SSL in Action
Exchange between client and server:
1 ClientHello (client to server)
2 ServerHello (server to client)
3 ServerKeyExchange (server to client)
4 ServerHelloDone (server to client)
5 ClientKeyExchange (client to server)
6 ChangeCipherSpec (client to server)
7 Finished (client to server)
8 ChangeCipherSpec (server to client)
9 Finished (server to client)
SSL WEB CRACKING
Diagram: student, server and evil hacker.
DNS Cache Poisoning
Actors: Dr. Evil (running Evil DNS), the GOOD DNS server, the Rich Student, and the Bank with its Bank DNS.
Step 1: The Rich Student asks GOOD DNS "Where is Evil?"; GOOD DNS forwards the query to Evil DNS, and Dr. Evil stores the query ID.
Step 2: Dr. Evil uses the stored query ID to predict the next query ID. GOOD DNS asks "Where is Bank?" ("Are you Bank?" / "I am Bank" exchange with Bank DNS).
Step 3: In answer to "Where is Bank?", the forged response "Dr. Evil is Bank" arrives with the predicted query ID.
Step 4: The Rich Student looks up the Bank through GOOD DNS and is sent to Dr. Evil: "Can I Bank With You?"
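The four steps above can be replayed against an added toy caching resolver (example code, not from the lecture) that implements the checks a resolver needs against this attack: an unpredictable query ID, a match of every response against a query that is actually outstanding, and caching only of answers for the name that was asked. The `id_source` hook, the plain-dict message format and the server names are assumptions; with a sequential `id_source` the poisoning goes through as in the slides, with the default random one the guessed ID is dropped and recorded for detection.

```python
import secrets

class Resolver:
    """Toy caching resolver with the checks that make the slides' poisoning steps fail:
    an unpredictable 16-bit query ID, matching of every response against an outstanding
    query, and caching of answer records only for the name that was actually asked about."""
    def __init__(self, id_source=lambda: secrets.randbits(16)):
        self.id_source = id_source     # pass a counter to reproduce the predictable-ID case
        self.pending = {}              # query id -> (qname, server the query was sent to)
        self.cache = {}                # qname -> address
        self.dropped = []              # (reason, response) records for detection/logging

    def lookup(self, qname, upstream):
        """Return the cached address, or the query (a dict) to send to `upstream`."""
        if qname in self.cache:
            return self.cache[qname]
        qid = self.id_source()
        self.pending[qid] = (qname, upstream)
        return {"id": qid, "qname": qname, "to": upstream}

    def receive(self, resp):
        """Accept a response only if it answers a query that is actually outstanding."""
        match = self.pending.get(resp["id"])
        if match is None:
            self.dropped.append(("no outstanding query with this id", resp))
            return False
        qname, upstream = match
        # The source check raises the bar, but a source address can be forged; the
        # unpredictable id (and, today, DNSSEC validation) carries the real weight.
        if resp["from"] != upstream or resp["qname"] != qname:
            self.dropped.append(("source or question mismatch", resp))
            return False
        answers = {n: a for n, a in resp["answers"] if n == qname}   # ignore extra names
        if not answers:
            self.dropped.append(("no answer for the asked name", resp))
            return False
        del self.pending[resp["id"]]
        self.cache.update(answers)
        return True
```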
Summary
• The threat is real
• Hard to detect
• A little understanding and situational awareness can go a long way toward preventing... and detecting