Lecture 2: network attack
1. How to attack a computer network
Lecture 2
Raja M. Khurram Shahzad
2. The Internet
The elements of the Internet:
• A lot of hardware and software
• Millions of interconnected computing devices all over the world (a global network)
  Hosts, end-systems: PCs, workstations, servers… PDAs, phones, TV-boxes…
• Hosts run network applications: WWW, email, file transfer, remote login, multimedia…
(Figure: routers, PCs, workstations, servers and mobile devices connected through local, national and international ISPs; apartments and a company network shown as access networks)
FREDRIK ERLANDSSON ET2437 - NETWORK SECURITY
3. The Internet
Routers
• Interconnect hosts and networks
• Switching devices (nodes)
• Forward data packets between hosts through the networks
• Store-and-forward technique
Other network nodes:
• Bridges
• Switches
• Repeaters
• Amplifiers
• … different functionality and degree of intelligence
(Figure: same ISP hierarchy diagram as slide 2)
4. The Internet
Protocols
• All communicating devices on the Internet run protocols
• Protocols control the sending and receiving of information
  - Ex: TCP, IP, HTTP, FTP…
• The collection of Internet protocols: TCP/IP
  - Implemented in all devices on the Internet (all or part of it)
  - hosts, routers…
ISPs (Internet Service Providers)
• Sell communication and access services to end users and networks
(Figure: same ISP hierarchy diagram as slide 2)
5. The Internet
The Internet
• A global “network of networks”
  - Both public and private networks of different technologies and performance
IP-protocol:
• carries “everything” (applications/services)
• over “anything” (different network technologies)
• … half truth!? (high quality multimedia, real-time applications is still a pain!?)
• Packet switching
  • no dedicated resources in the network
  • … shared!
• Best-effort services
(Figure: same ISP hierarchy diagram as slide 2)
6. The Internet
What holds the Internet together?
• The “glue”
  Addressing: how to refer to a device
  Routing: how to get there
  IP-protocol: what to speak to be understood
  Internet standards
    RFC: Request for Comments
    IETF: Internet Engineering Task Force
(Figure: same ISP hierarchy diagram as slide 2)
7. The Internet
The structure of the Internet
• Loosely hierarchical
• Hosts are connected to local ISPs through access networks
  - dial-up phone line: modem, ADSL, ISDN, cable modem…
  - company/campus network
  - leased lines
• Local ISPs connected to national ISPs
• National ISPs connected to international (global) ISPs
• The main point is:
  - new hosts and networks can be added… without changing the existing implementation of the Internet (should scale!?)
(Figure: same ISP hierarchy diagram as slide 2)
8. Protocols in the TCP/IP Suite
9.
10.
11. PDUs in TCP/IP
12. Information Gathering
• Find out initial information
  Open source: general information about a company that anyone can obtain
  whois (unix), Sam Spade (third-party tool for Windows)
  nslookup
• Find out the address range of the network
  ARIN (American Registry for Internet Numbers) http://www.arin.net
  – whois -h rs.arin.net arin-net
  Traceroute
• Find active machines:
  ping
13. Information Gathering cont.
• Find open ports or access points:
  Nmap http://www.insecure.org/nmap for UNIX
  ScanPort http://www.dataset.fr/eng/scanport.html for Windows
  War dialers: programs that find modems on a network
  – THC-Scan for Windows
• Figure out the operating system
  Queso
  Nmap
14. Information Gathering cont.
• Map out the network
  Cheops http://www.marko.net/cheops/
  Visual ping http://www.visualware.com/visualroute/
  Traceroute
• Figure out which services are running on each port
  Default port and OS
  Telnet
  Vulnerability scanners: programs that can be run against a site and give a hacker a list of vulnerabilities on the target host
  – SAINT http://www.wwwdsi.com/saint/
  – NESSUS http://www.nessus.org
15. TCP three-way handshake
1. Initiator → Responder: SYN with ISNa
2. Responder → Initiator: ACK ISNa and SYN with ISNb
3. Initiator → Responder: ACK ISNb
Connection established at both ends
16. Types of Nmap scans
• TCP Connect Scan:
  Attempts to complete the TCP three-way handshake and set up a connection
  Easy to detect
• TCP SYN Scan: “half-open scan”
  Sends a SYN to each target port. The target sends SYN-ACK if the port is open.
  The attacker then sends a RESET packet to abort the connection.
  Hard to detect; only routers or firewalls will log (if enabled) the attacker's IP.
• FIN Scan:
  Violates the TCP specification by sending unexpected packets at the start of a connection
  The attacker sends a FIN packet; if the target port is closed a RESET packet is sent back, if open nothing is sent back.
• ACK Scan:
  Sends an ACK packet to the target's port. If a RESET comes back from the target,
  Nmap will classify the port as “unfiltered”, otherwise “filtered”
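The scan types above differ only in how they treat the three-way handshake from slide 15, which is exactly what a detector can key on. The following is an added example written for this page, not code from the lecture: it replays a constructed packet trace (flag letters S, A, F, R; "SA" is a SYN-ACK) and labels each client/server/port flow as a completed connect, a half-open SYN scan aborted with RST, a FIN or ACK probe that skips the handshake entirely, or a SYN that never connected. Sources that touch several distinct ports are then reported; the addresses, the trace and the port threshold are all assumptions.

```python
from collections import defaultdict

# Constructed packet trace (sample data, not a real capture): one tuple per
# packet as (src, dst, server_port, flags). Flag letters: S = SYN, A = ACK,
# F = FIN, R = RST; "SA" is a SYN-ACK.
TRACE = [
    # full three-way handshake on port 80 (a connect scan or a real client)
    ("10.0.0.7", "10.0.0.20", 80, "S"),
    ("10.0.0.20", "10.0.0.7", 80, "SA"),
    ("10.0.0.7", "10.0.0.20", 80, "A"),
    # half-open probes on 22 and 443: SYN, SYN-ACK, then a RST from the prober
    ("10.0.0.9", "10.0.0.20", 22, "S"),
    ("10.0.0.20", "10.0.0.9", 22, "SA"),
    ("10.0.0.9", "10.0.0.20", 22, "R"),
    ("10.0.0.9", "10.0.0.20", 443, "S"),
    ("10.0.0.20", "10.0.0.9", 443, "SA"),
    ("10.0.0.9", "10.0.0.20", 443, "R"),
    # FIN probe on a closed port: FIN with no preceding SYN, RST comes back
    ("10.0.0.9", "10.0.0.20", 8080, "F"),
    ("10.0.0.20", "10.0.0.9", 8080, "R"),
    # ACK probe: lone ACK with no preceding SYN, RST means "unfiltered"
    ("10.0.0.9", "10.0.0.20", 25, "A"),
    ("10.0.0.20", "10.0.0.9", 25, "R"),
    # SYN to a closed port: the server answers RST, nothing to abort
    ("10.0.0.7", "10.0.0.20", 23, "S"),
    ("10.0.0.20", "10.0.0.7", 23, "R"),
]


def classify_flows(trace):
    """Replay the trace and label each (client, server, port) flow by how its
    first packets complete, abort, or skip the three-way handshake."""
    history = {}
    for src, dst, port, flags in trace:
        if (dst, src, port) in history:            # reply from the server side
            history[(dst, src, port)].append(flags)
        else:                                      # packet from the initiator
            history.setdefault((src, dst, port), []).append(flags)
    labels = {}
    for flow, seq in history.items():
        if seq[0] == "S":
            if seq[:3] == ["S", "SA", "A"]:
                labels[flow] = "connect"           # handshake completed
            elif seq[:3] == ["S", "SA", "R"]:
                labels[flow] = "syn-scan"          # half-open, aborted with RST
            else:
                labels[flow] = "syn-no-connect"    # closed port or no answer
        elif seq[0] == "F":
            labels[flow] = "fin-probe"             # FIN before any handshake
        elif seq[0] == "A":
            labels[flow] = "ack-probe"             # lone ACK before any handshake
        else:
            labels[flow] = "other"
    return labels


def suspicious_sources(labels, min_ports=3):
    """Clients whose flows touch at least min_ports distinct server ports;
    a legitimate client rarely spreads over many ports in one short window.
    The threshold of 3 is an assumed tuning value."""
    ports = defaultdict(set)
    for (client, _server, port), label in labels.items():
        if label != "other":
            ports[client].add(port)
    return {c: sorted(p) for c, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    flow_labels = classify_flows(TRACE)
    for flow, label in sorted(flow_labels.items()):
        print(flow, label)
    print("suspicious:", suspicious_sources(flow_labels))
```

The same per-flow state (many SYNs from one source that never reach the ACK step) is also the signal a SYN-flood detector on slide 21 would count, so the tracker serves both purposes once it is fed a real capture.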
17. Types of Spoofing
• IP spoofing: An attacker uses an IP address of another computer to
acquire information or gain access
• Email spoofing: In essence, the email looks like it came from John, but in reality John didn't send the email. Someone who was impersonating John sent it.
• Web spoofing: Whenever an entity has to be trusted, the opportunity for spoofing arises.
• Non-technical spoofing: These attacks concentrate on compromising the human element of a company. This is done through social engineering techniques.
18. IP Spoofing.
• The intruder sends messages to a computer with an IP address
indicating that the message is coming from a trusted host.
• A hacker must find an IP address of a trusted host and then modify
the packet headers so that it appears that the packets are coming
from that host.
(Figure: the attacker at 10.40.40.40 sends a packet with From address: 10.10.20.20 and To address: 10.10.5.5. Replies are sent back to 10.10.20.20. Other labels in the figure: John, spoofed address 10.10.5.5, 10.10.20.20.)
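Because the spoofed packet carries a source address the attacker does not own, the place to catch it is the network border: an address from inside the network should never arrive on the outside-facing interface, and nothing but inside addresses should leave through it. The following is an added example written for this page, not code from the lecture; it assumes the internal network is 10.10.0.0/16, uses a constructed packet log with the slide's addresses, and uses Python's standard ipaddress module.

```python
import ipaddress

# Constructed border configuration: address space that lives inside this network.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed packet log from a border router: (interface, src, dst).
# "outside" is the Internet-facing interface, "inside" the LAN-facing one.
PACKETS = [
    ("outside", "10.40.40.40", "10.10.5.5"),     # normal: external source to an internal host
    ("outside", "10.10.20.20", "10.10.5.5"),     # claims an internal address but arrives from outside
    ("inside",  "10.10.20.20", "198.51.100.7"),  # normal: internal host talking out
    ("inside",  "192.0.2.9",   "198.51.100.7"),  # internal host sending with a source it does not own
]


def is_internal(addr, prefixes=INTERNAL_PREFIXES):
    """True when addr falls inside one of the configured internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def spoof_check(packets, prefixes=INTERNAL_PREFIXES):
    """Ingress/egress filtering at the border: an internal source address may
    only arrive on the inside interface, and only internal sources may leave
    through it. Returns the packets that violate either rule, with a reason."""
    flagged = []
    for iface, src, dst in packets:
        if iface == "outside" and is_internal(src, prefixes):
            flagged.append((src, dst, "internal source arriving from outside"))
        elif iface == "inside" and not is_internal(src, prefixes):
            flagged.append((src, dst, "non-internal source leaving from inside"))
    return flagged


if __name__ == "__main__":
    for src, dst, reason in spoof_check(PACKETS):
        print(f"drop {src} -> {dst}: {reason}")
```

The second rule (egress filtering) is what stops a compromised host on your own network from spoofing someone else's addresses; the first is what protects you from the scenario in the figure.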
19. Denial of Service Attack.
• DoS: A type of attack on a network that is designed to bring the
network to its knees by flooding it with useless traffic.
• Two general types of DoS attacks:
1. Crashing a system or a network:
  The attacker can send a victim data or packets it is not expecting
  This attack requires little effort to perform, but human interaction to fix
2. Flooding the system or network with so much information that it cannot respond:
  This attack requires more energy from the attacker; recovering requires minimal human intervention
20. Distributed Denial of Service Attack.
• DDoS: Several machines are coordinated to launch an attack
against a target machine or network at the same time
(Figure: the attacker directs systems in the USA, Europe, Iran and China to attack the victim at the same time)
21. DoS
• Ping of Death
• SSPing
• Land
• Smurf
• Win Nuke
• CPU Hog
• SYN Flood
22. Buffer overflow
#include <stdio.h>
#include <string.h>

/* Local buffer can hold 16 characters */
void sample_function(char *string) {
    char buffer[16];
    /* strcpy loads characters into buffer until it finds the end of the
       string; nothing stops it at 16, so a longer string overruns the stack */
    strcpy(buffer, string);
    return;
}

int main(void) {
    char big_buffer[256];   /* Create buffer that can hold 256 characters */
    int i;
    for (i = 0; i < 255; i++) {
        big_buffer[i] = 'A'; /* Shove the character A into the buffer 255 times */
    }
    big_buffer[255] = '\0'; /* terminate the string so strcpy stops at 255 */
    sample_function(big_buffer); /* Send big_buffer to sample_function */
    return 0;
}
23. Buffer Overflow Attack
• A buffer overflow attack is when an attacker tries to store too much
information in an undersized receptacle.
• Most of the newest exploits are based on buffer overflow attack
• Takes advantage of applications that do not adequately parse input
by stuffing too much data into undersized receptacles.
• Can cause attacks against all three areas of security:
1. Attack against availability
2. Attack against integrity
3. Attack against confidentiality
24. How does it work?
Stack layout before and after the overflow (the fill direction runs from the bottom of memory toward the top):

  Before the overflow          After the overflow
  -------------------------    ----------------------------------------
  Buffer                       Buffer overwritten with machine code
                               (instructions: execv /bin/sh)
  Saved frame PTR              Saved frame PTR
  Return pointer               New PTR to the exec code
                               (the return PTR is overwritten)
  Function call arguments      Function call arguments
  (top of memory)              (top of memory)
25. Example
• Some different buffer overflow attacks:
NetMeeting Buffer Overflow
Outlook Buffer Overflow
Linuxconf Buffer Overflow
IIS 4.0/5.0 Phone Book Server Buffer Overflow
/* Machine code that calls execve("/bin/sh"); the "\x" escapes were lost in
   extraction and are restored here */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

void main() {
  int *ret;
  /* Assumes the saved return address sits two words above ret on the stack
     (compiler- and platform-specific) */
  ret = (int *)&ret + 2;
  /* Overwrite the return address so main "returns" into the shellcode */
  (*ret) = (int)shellcode;
}
26. Sniffing
• A program that gathers traffic from the local network
• Used by both attackers and network administrators
• Gathers packets at the Data Link layer
• An attacker must have an account on a machine in order to run the sniffer program.
• Sniffing tools available:
tcpdump http://www.tcpdump.com
windump netgroup-serv.polito.it/windump
Wireshark (ethereal)
Dsniff
27. Passive Sniffing
(Figure: hosts connected to a HUB; every packet sent through the hub is repeated out to all ports, so a passive sniffer on any port sees all the traffic)
28. Active Sniffing
• Two methods for sniffing data from a switched LAN
1. MAC flooding
2. Spoofed ARP Messages
(Figure: hosts connected to a switch, which forwards each packet only to its destination port; the default router connects the LAN to the Internet)
29. Spoofed ARP Message
1. The attacker configures IP forwarding to send packets on to the default router.
2. The attacker sends a fake ARP response to remap the default router's IP address to the attacker's MAC address.
3. Victim traffic destined for the outside world: based on the poisoned ARP table, the traffic is really sent to the attacker's MAC address.
4. The attacker sniffs the traffic.
5. Packets are forwarded from the attacker's machine to the actual default router for delivery to the outside world.
(Figure: victim, attacker and default router on the same switch; the default router connects to the Internet)
31. Passwords
• Most common weaknesses in a company
1. weak passwords
2. uncontrolled modems on the network
• Most systems and software have default passwords!
• Characteristics of a strong password
Changes every 45 days
Minimum length of 10 characters
Contain at least one alpha, one number and one special character
Cannot contain dictionary words
Cannot reuse the previous five passwords
Minimum password age of 10 days
After 5 failed logon attempts, the password is locked for several hours
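The characteristics listed above are a policy, and a policy is only worth anything if it is enforced when a password is set and when a logon fails. The following is an added example written for this page, not code from the lecture: it checks a candidate password against each rule on the slide (length, character classes, dictionary words, reuse of the previous five, minimum age) and keeps a lockout counter for failed logons. The tiny dictionary, the 4-hour lock ("several hours" on the slide) and the dates are assumptions.

```python
import re
from datetime import date, datetime, timedelta

# Constructed, deliberately tiny dictionary; a real deployment loads a full wordlist.
DICTIONARY = {"password", "summer", "welcome", "admin", "stefan"}


def check_password(candidate, history, today, last_change,
                   min_length=10, min_age_days=10, history_depth=5):
    """Return the list of policy violations for a proposed new password
    (empty list = accepted). history holds the user's earlier passwords,
    oldest first; last_change is when the current one was set."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    lowered = candidate.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if candidate in history[-history_depth:]:
        problems.append(f"reuses one of the previous {history_depth} passwords")
    age = (today - last_change).days
    if age < min_age_days:          # minimum password age: no rapid cycling
        problems.append(f"changed {age} days ago, minimum age is {min_age_days}")
    return problems


def rotation_due(today, last_change, rotation_days=45):
    """True once the current password is older than the rotation period."""
    return (today - last_change).days >= rotation_days


class LockoutTracker:
    """Lock an account for lock_hours after max_failures failed logons."""

    def __init__(self, max_failures=5, lock_hours=4):
        self.max_failures = max_failures
        self.lock = timedelta(hours=lock_hours)
        self.failures = {}
        self.locked_until = {}

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Count a failed logon; returns True when the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lock
            self.failures[user] = 0
            return True
        return False


if __name__ == "__main__":
    today = date(2024, 3, 1)
    print(check_password("Summer2024!!", [], today, date(2024, 1, 1)))
    print(check_password("Tr0ub4dor&3xyz", [], today, date(2024, 1, 1)))
```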
32. Passwords cont.
• Systems maintain a file that associates a password with each authorised user.
• Password file can be protected with:
One-way encryption
Access Control
• Techniques for guessing passwords:
Try default passwords.
Try all short words, 1 to 3 characters long.
Try all the words in an electronic dictionary (60,000).
Collect information about the user’s hobbies, family names, birthday, etc.
Try user’s phone number, social security number, street address, etc.
Try all license plate numbers (MUP103).
Use a Trojan horse
Tap the line between a remote user and the host system.
33. UNIX passwords
• Stored in the file /etc/passwd, which is world readable (any user who was on the system had access to read the file, i.e. more /etc/passwd)
  username:password:UID:GID:full name:home directory:shell
  sch:OZFGkH258h8yg:1013:10:Stefan Chevul:/home/sch/:/bin/csh
• The latest UNIX versions split the passwd file into 2 files. The /etc/passwd file still exists; it contains everything except the encrypted passwords. These are stored in the /etc/shadow file.
  username:password:last:min:max:warning:expire:disable
  sch:OZFGkH258h8yg:::::::
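Given the two file layouts above, an administrator's first audit is mechanical: parse both files and look for accounts whose hash is still sitting in the world-readable passwd file, accounts with an empty password field, accounts marked as shadowed that have no shadow entry, and more than one account with UID 0. The following is an added example written for this page, not code from the lecture; the sample lines are constructed (the sch line is the slide's own example, the shadow hashes are placeholders) and the field names follow the two format lines on the slide.

```python
# Constructed sample lines in the layouts shown on the slide (not real accounts).
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/sh",
    "sch:OZFGkH258h8yg:1013:10:Stefan Chevul:/home/sch/:/bin/csh",  # hash still in passwd (the slide's line)
    "toor:x:0:0:second superuser:/root:/bin/sh",                    # a second UID 0 account
    "guest::1020:10:Guest account:/home/guest:/bin/sh",             # empty password field
    "alice:x:1021:10:Alice:/home/alice:/bin/sh",
]
SHADOW_LINES = [
    "root:HASH_PLACEHOLDER_ROOT:19000:0:99999:7:::",
    "alice:HASH_PLACEHOLDER_ALICE:19000:10:45:7:::",
    # toor has no shadow line at all
]

PASSWD_FIELDS = ("username", "password", "uid", "gid", "full_name", "home", "shell")
SHADOW_FIELDS = ("username", "password", "last", "min", "max", "warning", "expire", "disable")


def parse_passwd(lines):
    """One dict per /etc/passwd line, keyed by the field names on the slide."""
    return [dict(zip(PASSWD_FIELDS, line.split(":"))) for line in lines]


def parse_shadow(lines):
    """One dict per /etc/shadow line; trailing reserved fields are ignored."""
    return [dict(zip(SHADOW_FIELDS, line.split(":"))) for line in lines]


def audit(passwd_lines, shadow_lines):
    """Return (username, finding) pairs for the weaknesses described above."""
    findings = []
    passwd = parse_passwd(passwd_lines)
    shadow = {e["username"]: e for e in parse_shadow(shadow_lines)}
    uid_owners = {}
    for e in passwd:
        uid_owners.setdefault(e["uid"], []).append(e["username"])
    for e in passwd:
        user, pw = e["username"], e["password"]
        if pw == "":
            findings.append((user, "empty password field: no password needed to log in"))
        elif pw != "x":
            findings.append((user, "password hash stored in world-readable /etc/passwd"))
        elif user not in shadow:
            findings.append((user, "marked as shadowed but has no /etc/shadow entry"))
        elif shadow[user]["password"] == "":
            findings.append((user, "empty password field in /etc/shadow"))
    for uid, owners in uid_owners.items():
        if uid == "0" and len(owners) > 1:
            findings.append((",".join(owners), "multiple accounts share UID 0"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(PASSWD_LINES, SHADOW_LINES):
        print(f"{user}: {finding}")
```

On a real host the same functions would be fed the contents of /etc/passwd and /etc/shadow directly; reading the latter needs root, which is exactly the point of splitting the file.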
36. Salt
• The salt serves three purposes:
Prevents duplicate passwords.
Effectively increases the length of the password.
Prevents the use of hardware implementations of DES
37. UNIX Password Scheme I
(a) Loading a new password
  password (56 bits) + salt (12 bits) → crypt(3) → E(pwd, [salt, 0]) (11 characters)
  Password file entry: User id | salt | E(pwd, [salt, 0])
39. Passwords cracking
• Password cracking = guessing someone's password from the encrypted password
• General algorithm used for automated password cracking:
1. Find valid user IDs
2. Find the encryption algorithm used
3. Obtain encrypted passwords
4. Create a list of possible passwords
5. Encrypt each word
6. See if there is a match for each user ID
7. Repeat steps 1 through 5
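Slides 36 and 37 describe the salted scheme and this slide the audit loop that runs against it; one small program shows both sides. The following is an added example written for this page, not code from the lecture: a stand-in for crypt(3) (PBKDF2-HMAC-SHA256 from Python's hashlib instead of the modified DES, with the salt stored in front of the hash as the password file does), a constructed password file in which two users share a password, and the audit from steps 3 to 6 run over a short wordlist by the administrator of that file. The accounts, salts and wordlist are assumptions; the counter of hash computations shows why the salt matters.

```python
import hashlib

# Constructed accounts (not from the slide): sch and alice share a password.
ACCOUNTS = [("sch", "summer99"), ("alice", "summer99"), ("bob", "Tr0ub4dor&3")]
SALTS = ["A1", "F7", "C3"]   # fixed here so the example is reproducible


def hash_password(password, salt, iterations=1000):
    """Stand-in for crypt(3): E(pwd, salt). Uses PBKDF2-HMAC-SHA256, not DES;
    the salt is stored in front of the digest, separated by '$'."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{salt}${digest.hex()}"


def verify(password, stored):
    """Login check: re-encrypt with the stored salt and compare."""
    salt = stored.split("$", 1)[0]
    return hash_password(password, salt) == stored


def build_password_file(accounts=ACCOUNTS, salts=SALTS):
    """Step (a) from slide 37 for every account: user id -> salt$E(pwd, salt)."""
    return {user: hash_password(pw, salt) for (user, pw), salt in zip(accounts, salts)}


def dictionary_audit(password_file, wordlist):
    """Steps 3-6 from the slide, run by an administrator over their own file:
    encrypt each candidate word with each user's salt and look for a match.
    Returns (matches, number of hash computations performed)."""
    found = {}
    computed = 0
    for user, stored in password_file.items():
        salt = stored.split("$", 1)[0]
        for word in wordlist:
            computed += 1
            if hash_password(word, salt) == stored:
                found[user] = word
                break
    return found, computed


if __name__ == "__main__":
    pf = build_password_file()
    for user, stored in pf.items():
        print(user, stored)
    print(dictionary_audit(pf, ["password", "welcome", "summer99"]))
```

Because every user has a different salt, the audit (and an attacker) must re-encrypt each word once per user rather than once per word, and two users with the same password still get different entries, which is the first of the three purposes on slide 36.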
40. Why is password cracking important?
• From a security standpoint, password cracking can help you build
and maintain a more secure system.
• Reasons why password cracking is useful
To audit the strength of passwords
To recover forgotten / unknown passwords
To migrate users
To use as a checks-and-balances system
• Main types of password cracking attacks:
Dictionary attacks
Brute force attacks
Hybrid attacks
41. Types of Password Attacks
                         Dictionary attack   Brute force attack    Hybrid attack
  Speed of the attack    Fast                Slow                  Medium
  Amount of passwords    Finds only words    Finds every password  Finds only passwords that have a dictionary word as the base
  cracked
42. Passwords cracking programs
• NT password cracking programs:
L0phtcrack
NTSweep
NTCrack
PWDump2
• UNIX password crackers:
Crack
John the Ripper
XIT
Slurpie
43. Covering the Tracks
• After an attacker has gained access and accomplished what he
wanted to do, one of the last steps he performs is covering his
tracks, hiding evidence that he was ever there.
• To do this there are 4 main areas an attacker is concerned with:
1. Log files
2. File information
3. Additional files
4. Network traffic