Lesson 4: Network Security and Attacks (PowerPoint presentation transcript)

Posted 01-Jan-2016



Computer Security Operational Model

Protection = Prevention + (Detection + Response)

• Prevention: Access Controls, Encryption, Firewalls
• Detection + Response: Intrusion Detection, Incident Handling

• Intrusion detection

• Firewalls

• Encryption

• Authentication

• Security Design Review

• Security Integration Services

• 24 Hr Monitoring Services

• Remote Firewall Monitoring

• Vulnerability Assessment Services

• Vulnerability Scanners

Security Operational Model

A continuous cycle of four phases: Evaluate, Secure, Monitor, Improve.

Protocols

• A protocol is an agreed upon format for exchanging information.

• A protocol will define a number of parameters:
– Type of error checking
– Data compression method
– Mechanisms to signal reception of a transmission

• There are a number of protocols that have been established in the networking world.

OSI Reference Model

• ISO standard describing 7 layers of protocols
– Application: Program-level communication
– Presentation: Data conversion functions, data format, data encryption
– Session: Coordinates communication between endpoints. Session state maintained for security.
– Transport: End-to-end transmission, controls data flow
– Network: Routes data from one system to the next
– Data Link: Handles passing of data between nodes
– Physical: Manages the transmission media/HW connections

• You only have to communicate with the layer directly above and below

The OSI Model

Layers, top to bottom:

Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data-Link Layer
Physical Layer

Each layer serves only its adjacent layers. Thus the software which implements the Transport Layer receives input from the Session Layer or the Network Layer.

The lower layers are implemented by hardware; the remaining layers are implemented by software such as an operating system.

TCP/IP Protocol Suite

• TCP/IP refers to two network protocols used on the Internet:
– Transmission Control Protocol (TCP)
– Internet Protocol (IP)

• TCP and IP are only two of a large group of protocols that make up the entire “suite”

• A “real-world” application of the layered concept.

• There is not a one-to-one relationship between the layers in the TCP/IP suite and the OSI Model.

OSI and TCP/IP comparison

OSI Model               TCP/IP Protocol Suite
Application             NFS, FTP, Telnet, SSH, SMTP, SMB, HTTP, NNTP   (application-level protocols)
Presentation / Session  RPC
Transport               TCP, UDP
Network                 IP, ICMP, ARP                                  (network-level protocols)
Data-link / Physical    Physical

Communication Between Two Networks Via the Protocol Stack

[Diagram: a Windows machine on an Ethernet sends an email to a Linux machine on an FDDI network. On the sending side the data passes down the seven layers (Application, Presentation, Session, Transport, Network, Data-Link, Physical); on the receiving side it passes back up. A header (H) is prepended at each layer on the way down and stripped at each layer on the way up.]

A Windows machine sending data to a Linux machine:

1 The Windows machine adds headers as the packet traverses down the TCP/IP stack from the sending application.

2 The Linux machine removes headers as the packet traverses up the TCP/IP stack to the receiving application.

The email packet is transmitted via network media (Ethernet on one side, FDDI on the other).

TCP/IP Protocol Suite

[Diagram: user processes sit on top of TCP and UDP; both run over IP, alongside ICMP and IGMP. Below IP sit the hardware interface with ARP and RARP, and then the physical media.]

TCP/IP Encapsulation

[Diagram: an email passes down the stack and gains a header at each layer.]

1 User Data
2 Application layer: Application Header + User Data
3 Transport layer (TCP or UDP): TCP Header + Application Header + User Data
4 Network layer (IP): IP Header + TCP Header + Application Header + User Data
5 Data Link layer (Ethernet driver): Ethernet Header + IP Header + TCP Header + Application Header + User Data + Ethernet Trailer

IPv4 Header Layout

Each row is 4 bytes (32 bits); the fixed header is 20 bytes (160 bits).

Bits:   0        4              8                 16   19                   32
Row 1:  Version | Header Length | Type of Service | Total Length
Row 2:  Identification                            | Flags | Fragment Offset
Row 3:  Time to Live            | Protocol        | Header Checksum
Row 4:  Source IP Address
Row 5:  Destination IP Address
        Options (variable length)
        Data
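The layout above can be exercised directly. The following Python is an added example, not part of the original presentation: it packs and parses the 20-byte fixed header with the standard library `struct` module, computes the RFC 1071 header checksum, and bounds-checks the Header Length and Total Length fields before trusting them (the sample addresses are constructed from documentation ranges).

```python
import ipaddress
import struct

# Fixed 20-byte IPv4 header, network byte order, matching the slide's five 32-bit rows.
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"


def ip_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                     # pad an odd-length buffer with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0, flags: int = 0,
                      frag_offset: int = 0, tos: int = 0) -> bytes:
    """Pack a header with no options (IHL = 5) and fill in the checksum."""
    ihl = 5
    ver_ihl = (4 << 4) | ihl
    total_len = ihl * 4 + payload_len
    flags_frag = ((flags & 0x7) << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack(IPV4_HEADER_FMT, ver_ihl, tos, total_len, ident, flags_frag,
                      ttl, proto, 0,        # checksum field is zero while computing
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ip_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the header fields and report whether the checksum verifies.

    Validating IHL and Total Length before trusting them is what keeps a
    malformed packet (the 'crashing' DoS category later in the lesson) from
    driving an out-of-bounds read.
    """
    if len(packet) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack(IPV4_HEADER_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0xF) * 4
    if version != 4:
        raise ValueError("not IPv4")
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad header length %d" % ihl)
    if total_len < ihl:
        raise ValueError("total length smaller than header")
    return {
        "ihl": ihl,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,       # in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "checksum": csum,
        # summing the header including its checksum field yields 0 when intact
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": packet[20:ihl],
    }
```

Because the checksum covers the TTL, every router that decrements the TTL has to recompute it; a packet whose TTL was changed without that recomputation fails `checksum_ok`, which is also what a stack sees when a header is corrupted in transit.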

TCP Header Layout

Each row is 4 bytes (32 bits); the fixed header is 20 bytes (160 bits).

Bits:   0             4         8         16                 32
Row 1:  Source Port                       | Destination Port
Row 2:  Sequence Number
Row 3:  Acknowledgement Number
Row 4:  Data Offset | Unused | Flags: URG ACK PSH RST SYN FIN | Window Size
Row 5:  TCP Checksum                      | Urgent Pointer
        Options + Padding
        Data

Establishment of a TCP connection (“3-way Handshake”)

1 Client → Server: SYN
Client sends connection request, specifying a port to connect to on the server.

2 Server → Client: SYN/ACK
Server responds with both an acknowledgement and a queue for the connection.

3 Client → Server: ACK
Client returns an acknowledgement and the circuit is opened.

Ports

Packet One (client to server): Source Port 1033, Destination Port 80, Data

Packet Two (server to client): Source Port 80, Destination Port 1033, Data

UDP Header Layout

Each row is 4 bytes (32 bits); the header is 8 bytes (64 bits).

Row 1:  Source Port | Destination Port
Row 2:  Length      | Checksum
        Data
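The TCP and UDP layouts above, the handshake and the port slide can be tied together in code. The following Python is an added example, not part of the original presentation: it decodes both headers from raw bytes, names the six flag bits in the slide's order, maps a segment's flags to its handshake step, and refuses a UDP Length field that disagrees with the bytes actually received (the ports 1033 and 80 and the MSS option bytes in the sample segments are constructed).

```python
import struct

# Bits of the TCP flags byte, in the order shown on the slide (URG ACK PSH RST SYN FIN).
TCP_FLAGS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))
TCP_FIXED_FMT = "!HHIIBBHHH"   # 20 bytes: ports, seq, ack, offset/unused, flags, window, checksum, urgent
UDP_FMT = "!HHHH"              # 8 bytes: ports, length, checksum


def parse_tcp(segment: bytes) -> dict:
    """Decode a TCP header; options are the bytes between the fixed header and Data Offset."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flag_byte,
     window, csum, urg) = struct.unpack(TCP_FIXED_FMT, segment[:20])
    data_offset = (off_res >> 4) * 4          # high 4 bits, counted in 32-bit words
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset %d inconsistent with segment length" % data_offset)
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAGS if flag_byte & bit],
        "window": window, "checksum": csum, "urgent": urg,
        "options": segment[20:data_offset],
        "payload": segment[data_offset:],
    }


def parse_udp(datagram: bytes) -> dict:
    """Decode a UDP header and refuse a Length field that disagrees with the bytes present."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack(UDP_FMT, datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("UDP length %d inconsistent with %d bytes received" % (length, len(datagram)))
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "payload": datagram[8:length]}


def handshake_step(flags) -> str:
    """Which step of the 3-way handshake a segment's flags correspond to."""
    s = set(flags)
    if s == {"SYN"}:
        return "1 SYN (connection request)"
    if s == {"SYN", "ACK"}:
        return "2 SYN/ACK"
    if s == {"ACK"}:
        return "3 ACK (or a plain acknowledgement on an open connection)"
    return "not a handshake segment"


def make_tcp(sport, dport, seq, ack, flag_names, options=b"", payload=b"") -> bytes:
    """Build a segment for the examples (checksum left zero; it needs the IP pseudo-header)."""
    flag_byte = sum(bit for name, bit in TCP_FLAGS if name in flag_names)
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    data_offset = 5 + len(options) // 4
    return struct.pack(TCP_FIXED_FMT, sport, dport, seq, ack, data_offset << 4,
                       flag_byte, 65535, 0, 0) + options + payload


def make_udp(sport, dport, payload: bytes) -> bytes:
    """Build a datagram whose Length field is consistent with its payload."""
    return struct.pack(UDP_FMT, sport, dport, 8 + len(payload), 0) + payload
```

The two length checks (Data Offset against the segment size, UDP Length against the datagram size) are the parser-side counterpart of the "crashing" denial-of-service category later in the lesson: a header that claims more bytes than arrived is rejected instead of being read past the end of the buffer.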

IP Centric Network

[Diagram: an IP-centric network with the protocols of each layer.]

Layer 6/7: Applications – retail banking, B2B, medical and wholesale applications; Windows, X; Telnet, FTP, SNMP, SMTP, NFS, DNS, TFTP, NTP
Layer 5: Session
Layer 4: Transport – TCP, UDP
Layer 3: Network – IP, ICMP, IGMP, IGP, EGP, RIP, BGP
Layer 2 & 1: Data Link & Physical – Ethernet, 802.3, 802.4, 802.5, 802.6, X.25, Frame Relay, SLIP, PPP, ATM, SMDS, Arcnet
Also shown: IPX, Appletalk

“Twenty-six years after the Defense Department created the INTERNET as a means of maintaining vital communications needs in the event of nuclear war, that system has instead become the weak link in the nation's defense” USA Today - 5 Jun 1996

“True hackers don't give up. They explore every possible way into a network, not just the well known ones.”

The hacker Jericho.

“By failing to prepare, you are preparing to fail.”

Benjamin Franklin

Typical Net-based Attacks -- Web

• “Popular” and receive a great deal of media attention.

• Attempt to exploit vulnerabilities in order to:
– Access sensitive data (e.g. credit card #’s)
– Deface the web page
– Disrupt, delay, or crash the server
– Redirect users to a different site

Typical Net-based attacks -- Sniffing

• Essentially eavesdropping on the network

• Takes advantage of the shared nature of the transmission media.

• Passive in nature (i.e. just listening, not broadcasting)

• The increased use of switching has made sniffing more difficult (less productive) but has not eliminated it (e.g. DNS poisoning will allow you to convince target hosts to send traffic to us intended for other systems)

Defeating Sniffer Attacks

• Detecting and Eliminating Sniffers
– Possible on a single box if you have control of the system
– Difficult (depending on OS) to impossible (if somebody splices the network and adds hardware) from the network perspective

• Safer Topologies
– Sniffers capture data from the network segment they are attached to, so – create segments

• Encryption
– If you sniff encrypted packets, who cares?
• (outside of traffic analysis, of course)

Typical Net-Based Attacks – Spoofing, Hijacking, Replay

• Spoofing attacks involve the attacker pretending to be someone else.

• Hijacking involves the assumption of another system's role in a “conversation” already taking place.

• Replay occurs when the attacker retransmits a series of packets previously sent to a target host.

Typical Net-Based Attacks – Denial of Service

• DOS and Distributed DOS (DDOS) attacks have received much attention in the media in the last year due to some high-profile attacks. Types:
– Flooding – sending more data than the target can process
– Crashing – sending data, often malformed, designed to disable the system or service
– Distributed – using multiple hosts in a coordinated attack effort against a target system.

A Distributed DoS in Action

[Diagram, registration phase: the client (hacker) controls master hosts running master control programs. Broadcast hosts running broadcast agents register with the masters across the Internet by sending *Hello*, and the masters verify the registration with PING/PONG exchanges.]

[Diagram, attack phase: the client (hacker) instructs the master hosts, which direct the broadcast agents across the Internet to launch UDP flood attacks against the attack targets.]

How CODE RED Works

[Diagram: the first infected system sends out 100 system probes, scanning to find new victims. Each new victim scans the same “random” address space.]

- Each new victim starts the scanning process over again

- From the 20th to EOM, the primary target is www.whitehouse.gov

How NIMDA Works

[Diagram: the first infected system is compromised from an attacking system and fetches Admin.dll (which contains the NIMDA payload) by tftp from the attacking system. The infected system then sends infected email attachments, NIMDA attaches itself to web pages on the infected server, the infected system scans the network for vulnerable IIS web servers, and NIMDA propagates via open file shares.]

- NIMDA prefers to target its neighbors

- Very rapid propagation
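Both worm slides describe the same observable: one host contacting a large number of web servers it has never talked to, and in NIMDA's case fetching Admin.dll over tftp first. The following Python is an added example, not part of the original presentation: a flow-log detector that flags a source contacting many distinct web servers, measures how many of those targets sit in its own /24 (the "prefers its neighbors" pattern), and separately flags a tftp transfer of Admin.dll. The flow records, the thresholds and the addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict


def detect_worm_activity(events, scan_threshold=20, neighbour_share=0.5):
    """Flag hosts whose traffic looks like worm propagation.

    events: (src_ip, dst_ip, dst_port, proto, detail) records from a constructed flow log.
    A source contacting >= scan_threshold distinct web servers is reported as a scanner,
    with the share of those targets inside its own /24 (NIMDA 'prefers its neighbours').
    A tftp transfer of Admin.dll, the NIMDA delivery vehicle on the slide, is reported on its own.
    """
    web_targets = defaultdict(set)
    alerts = []
    for src, dst, dport, proto, detail in events:
        if proto == "tcp" and dport == 80:
            web_targets[src].add(dst)
        if proto == "udp" and dport == 69 and "admin.dll" in detail.lower():
            alerts.append({"kind": "tftp-admin-dll", "src": src, "dst": dst, "detail": detail})
    for src, targets in web_targets.items():
        if len(targets) >= scan_threshold:
            home = ipaddress.ip_network(src + "/24", strict=False)
            local = sum(1 for t in targets if ipaddress.ip_address(t) in home)
            share = local / len(targets)
            alerts.append({"kind": "http-scan", "src": src, "targets": len(targets),
                           "neighbour_share": share,
                           "pattern": "neighbour-focused" if share >= neighbour_share else "wide-area"})
    return alerts


def constructed_flow_log():
    """Constructed: an infected host 10.0.0.7 scanning, a normal host 10.0.0.8 browsing."""
    log = [("10.0.0.7", "10.0.0.%d" % i, 80, "tcp", "SYN") for i in range(10, 60)]       # 50 local targets
    log += [("10.0.0.7", "198.51.100.%d" % i, 80, "tcp", "SYN") for i in range(1, 11)]  # 10 remote targets
    log.append(("10.0.0.7", "10.0.0.3", 69, "udp", "RRQ Admin.dll"))                     # fetch of the payload
    log += [("10.0.0.8", d, 80, "tcp", "SYN")
            for d in ("198.51.100.1", "198.51.100.2", "203.0.113.7")]
    return log
```

The distinct-target count is what distinguishes a scanner from a busy client: a normal host repeats connections to a few servers, a worm touches many addresses once each. The neighbour share tells the responder where to look next, since a neighbour-focused scanner's most likely victims are on its own subnet.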

Common Attacks

• IP Spoofing
• Session Hijacking
• WWW Cracking
• DNS Cache Poisoning

The TCP connection (“3-way Handshake”) – recap

1 Client → Server: SYN. Client sends connection request, specifying a port to connect to on the server.

2 Server → Client: SYN/ACK. Server responds with both an acknowledgement and a queue for the connection.

3 Client → Server: ACK. Client returns an acknowledgement and the circuit is opened.

The TCP Connection in Depth

1 Client → Server: SYN (Client, ISNclient)

2 Server → Client: SYN (Server, ISNserver), ACK (Client, ISN+1)

3 Client → Server: ACK (Server, ISN+1)

ISN -- Initial Sequence Number

The TCP Reset

[Diagram: Student and Server perform the handshake – SYN (Student, ISNstudent), SYN (Server, ISNserver), ACK (Student, ISN+1) – and an evil hacker injects a RESET into the connection.]

IP Address Spoofing

[Diagram: the evil hacker sends SYN (Student, ISNstudent) to the Server using the Student's address. The Server replies SYN (Server, ISNserver), ACK (Student, ISN+1) to the real Student, which the hacker never sees. The hacker guesses the Server ISN and completes the handshake with ACK (Server, ISNserver+1). The real Student is meanwhile hit with a DoS (ping of death) so that it does not answer the Server.]
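The three slides above (the connection in depth, the reset and the spoofed handshake) all turn on sequence numbers: the blind spoofer has to guess ISNserver, and the reset has to land on a sequence number the receiver will accept. The following Python is an added example, not part of the original presentation: a toy passive-open TCP endpoint that derives its ISN from a keyed hash over the connection identifier (the approach of RFC 6528), rejects a handshake ACK that does not carry ISNserver+1, and applies the RFC 5961 rule for resets, where only an RST at exactly RCV.NXT aborts, an in-window RST earns a challenge ACK, and anything else is dropped. The peer tuples, sequence numbers and the `WINDOW` value are constructed for the example.

```python
import hashlib
import hmac
import os

MASK = 0xFFFFFFFF        # sequence numbers are 32-bit
WINDOW = 65535           # receive window we advertise (constructed value)


def seq_in_window(seq: int, rcv_nxt: int, wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + wnd), honouring 32-bit wraparound."""
    return ((seq - rcv_nxt) & MASK) < wnd


class ServerTcp:
    """Passive-open endpoint for one listening port (toy; one connection at a time)."""

    def __init__(self, isn_secret=None):
        self.isn_secret = isn_secret or os.urandom(16)
        self.state = "LISTEN"
        self.peer = None
        self.snd_nxt = None   # next sequence number we will send
        self.rcv_nxt = None   # next sequence number we expect from the peer

    def initial_sequence_number(self, peer) -> int:
        # Keyed hash over the connection identifier (RFC 6528 style): a blind attacker who
        # never sees our SYN/ACK cannot compute ISNserver, so 'guess server ISN' fails.
        mac = hmac.new(self.isn_secret, repr(peer).encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_segment(self, peer, flags, seq: int, ack=None) -> dict:
        flags = set(flags)
        if self.state == "LISTEN" and flags == {"SYN"}:
            isn = self.initial_sequence_number(peer)
            self.peer, self.state = peer, "SYN_RECEIVED"
            self.rcv_nxt = (seq + 1) & MASK          # the SYN consumes one sequence number
            self.snd_nxt = (isn + 1) & MASK
            return {"action": "send", "flags": {"SYN", "ACK"}, "seq": isn, "ack": self.rcv_nxt}
        if peer != self.peer:
            return {"action": "drop", "reason": "segment not for this connection"}
        if "RST" in flags and self.state in ("SYN_RECEIVED", "ESTABLISHED"):
            # RFC 5961 section 3: only an exact-match RST aborts; an in-window one gets a
            # challenge ACK, so a blind RST must hit RCV.NXT exactly rather than the window.
            if seq == self.rcv_nxt:
                self.state = "CLOSED"
                return {"action": "reset"}
            if seq_in_window(seq, self.rcv_nxt, WINDOW):
                return {"action": "send", "flags": {"ACK"}, "seq": self.snd_nxt,
                        "ack": self.rcv_nxt, "reason": "challenge ACK"}
            return {"action": "drop", "reason": "RST outside window"}
        if self.state == "SYN_RECEIVED" and flags == {"ACK"}:
            if ack != self.snd_nxt:
                return {"action": "drop", "reason": "ACK does not match ISNserver+1"}
            self.state = "ESTABLISHED"
            return {"action": "established"}
        return {"action": "drop", "reason": "unexpected segment in state " + self.state}
```

The challenge ACK is what the legitimate peer answers with an exact-sequence RST if the connection really is gone, so a genuine reset still works; the blind attacker, who cannot see the challenge, gains nothing from it.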

Session Hijacking

[Diagram: a TCP connection is established between Student and Server. The evil hacker sends a TCP RESET to knock the Student off the connection and claims to the Server “Hey, I am the Student”, taking over the session.]

SMB

• Server Message Block (SMB) -- an application layer protocol that allows system resources to be shared across networks

• An old technology developed by MS and Intel

• Several versions of authentication over the network:
– Plaintext: easy to sniff
– LanMan: stronger than Plaintext, uses PW hash
– NTLM: PW hash plus ciphertext

SMB Relay Man-in-the-Middle Attack

[Diagram: the evil hacker sits between CLIENT and SERVER and relays each message.]

CLIENT → EVIL HACKER → SERVER: Session Request / Session Request
SERVER → EVIL HACKER → CLIENT: Name OK / Name OK
CLIENT → EVIL HACKER → SERVER: Dialect / Dialect w/o NT4 security
SERVER → EVIL HACKER → CLIENT: Dialect Selection, Challenge / Dialect Selection, Challenge
CLIENT → EVIL HACKER → SERVER: Reply / Reply
SERVER → EVIL HACKER → CLIENT: Session OK / Session OK

Attacker forces weaker LANMAN authentication!

Windows Authentication LANMAN vs NTLMv2

CLIENT ↔ SERVER:

1 Session Request
2 Session Response -- NETBIOS name OK
3 Negotiate Dialect
4 Challenge, Dialect Selection
5 Username and Response
6 All OK -- Connected

WEB CRACKING

[Diagram: Student, Server and the evil hacker; no further text on these two slides.]

SSL in Action

CLIENT ↔ SERVER:

1 ClientHello (client → server)
2 ServerHello (server → client)
3 ServerKeyExchange (server → client)
4 ServerHelloDone (server → client)
5 ClientKeyExchange (client → server)
6 ChangeCipherSpec (client → server)
7 Finished (client → server)
8 ChangeCipherSpec (server → client)
9 Finished (server → client)
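What protects the nine-message exchange above from the man-in-the-middle of the next slide is the pair of Finished messages: each side computes a keyed hash over its own view of the whole handshake, so any message altered in flight makes the two values disagree. The following Python is an added example, not part of the original presentation: it runs the nine messages between an in-process client and server, derives the shared secret with a toy Diffie-Hellman exchange, and verifies both Finished values, once honestly and once through a relay that rewrites the ClientHello to offer only the NULL cipher. The DH group (a 127-bit Mersenne prime), the HMAC-SHA256 "PRF", the message encoding and the cipher suite names are simplifications constructed for the example and are not the real TLS constructions.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group (constructed): a Mersenne prime, far too small for real use.
P = 2**127 - 1
G = 2


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Simplified PRF: HMAC-SHA256 over a label and the parts (not the real TLS PRF)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def finished(master: bytes, label: bytes, transcript) -> bytes:
    """Finished = PRF(master, label, hash of every handshake message seen so far)."""
    return prf(master, label, hashlib.sha256(b"".join(transcript)).digest())


def run_handshake(mitm=None) -> dict:
    """Exchange the nine messages of the slide; `mitm`, if given, rewrites messages in flight.

    Each side keeps its own transcript of what it sent and what it received, so an
    in-flight modification makes the two Finished values disagree.
    """
    c_log, s_log = [], []          # transcripts as seen by client and server

    def c2s(msg):                  # client -> server
        c_log.append(msg)
        wire = mitm(msg) if mitm else msg
        s_log.append(wire)
        return wire

    def s2c(msg):                  # server -> client
        s_log.append(msg)
        wire = mitm(msg) if mitm else msg
        c_log.append(wire)
        return wire

    c_rand, s_rand = os.urandom(32), os.urandom(32)
    c_priv = int.from_bytes(os.urandom(16), "big")
    s_priv = int.from_bytes(os.urandom(16), "big")

    # 1 ClientHello: client random and the cipher suites the client accepts (toy names)
    m1 = c2s(b"ClientHello|" + c_rand.hex().encode() + b"|AES128,NULL")
    offered = m1.split(b"|")[2].split(b",")
    suite = b"AES128" if b"AES128" in offered else b"NULL"
    # 2 ServerHello, 3 ServerKeyExchange (server DH public value), 4 ServerHelloDone
    m2 = s2c(b"ServerHello|" + s_rand.hex().encode() + b"|" + suite)
    m3 = s2c(b"ServerKeyExchange|" + str(pow(G, s_priv, P)).encode())
    s2c(b"ServerHelloDone")
    # 5 ClientKeyExchange (client DH public value)
    m5 = c2s(b"ClientKeyExchange|" + str(pow(G, c_priv, P)).encode())
    # each side derives the master secret from what it received, not from what was sent
    s_pub, c_pub = int(m3.split(b"|")[1]), int(m5.split(b"|")[1])
    c_master = prf(pow(s_pub, c_priv, P).to_bytes(16, "big"), b"master secret",
                   c_rand, bytes.fromhex(m2.split(b"|")[1].decode()))
    s_master = prf(pow(c_pub, s_priv, P).to_bytes(16, "big"), b"master secret",
                   bytes.fromhex(m1.split(b"|")[1].decode()), s_rand)
    # 6 ChangeCipherSpec is not a handshake message, so it is not part of the transcript.
    # 7 client Finished over everything the client has seen so far
    m7 = c2s(b"Finished|" + finished(c_master, b"client finished", c_log).hex().encode())
    server_ok = hmac.compare_digest(bytes.fromhex(m7.split(b"|")[1].decode()),
                                    finished(s_master, b"client finished", s_log[:-1]))
    # 8 ChangeCipherSpec, 9 server Finished, covering the client's Finished as well
    m9 = s2c(b"Finished|" + finished(s_master, b"server finished", s_log).hex().encode())
    client_ok = hmac.compare_digest(bytes.fromhex(m9.split(b"|")[1].decode()),
                                    finished(c_master, b"server finished", c_log[:-1]))
    return {"suite": m2.split(b"|")[2].decode(), "server_verified_client": server_ok,
            "client_verified_server": client_ok}


def downgrade_mitm(msg: bytes) -> bytes:
    """Rewrites the ClientHello so only the NULL cipher is offered; everything else passes."""
    if msg.startswith(b"ClientHello|"):
        head, rand, _suites = msg.split(b"|")
        return b"|".join([head, rand, b"NULL"])
    return msg
```

In the downgraded run both sides still derive the same master secret, because the relay left the key exchange alone; what differs is the transcript, and that is enough for both Finished checks to fail. A real TLS stack aborts the connection at that point, before any application data is sent over the weakened cipher.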

SSL WEB CRACKING

[Diagram: Student, Server and the evil hacker; no further text on this slide.]

DNS Cache Poisoning

Ref: Check Point Diagram of the Hack (Check Point Security Software)

Parties: Dr. Evil, Evil DNS, GOOD DNS (the Rich Student's resolver), Rich Student, Bank, Bank DNS.

Step 1: A query for Evil's name reaches GOOD DNS, which forwards “Where is Evil?” to Evil DNS. Dr. Evil stores the query ID it sees.

Step 2: GOOD DNS asks “Where is Bank?” (“Are You Bank?”) on behalf of the Rich Student. Dr. Evil uses the stored query ID to predict the next query ID and answers “I am Bank” before Bank DNS does.

Step 3: Rich Student asks GOOD DNS “Where is Bank?” and is told “Dr. Evil is Bank”.

Step 4: Rich Student asks Dr. Evil “Can I Bank With You?”.
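The attack in the four steps above depends on the resolver's next query ID being predictable from the one Dr. Evil observed, and on the answer being accepted without further checks. The following Python is an added example, not part of the original presentation: a toy caching resolver that can run either as the slide's victim (query IDs counting up by one, a fixed source port) or hardened (random 16-bit ID and random source port per query), and that accepts a response only if ID, destination port and question section all match an outstanding query and the answer is for the name actually asked. The `simulate_poisoning` function replays steps 1 and 2 against it. The names, addresses and port numbers are constructed for the example.

```python
import secrets

PORT_MIN, PORT_MAX = 1024, 65535


class Resolver:
    """Toy caching resolver (GOOD DNS). With randomize=True it picks a random
    transaction ID and source port per query; with randomize=False it behaves like
    the slide's victim: IDs count up by one and the source port never changes."""

    def __init__(self, randomize=True):
        self.randomize = randomize
        self.next_txid = 1
        self.fixed_port = 1053
        self.pending = {}      # (txid, src_port) -> qname we asked about
        self.cache = {}

    def send_query(self, qname):
        if self.randomize:
            txid = secrets.randbelow(65536)
            port = PORT_MIN + secrets.randbelow(PORT_MAX - PORT_MIN + 1)
        else:
            txid, self.next_txid = self.next_txid, (self.next_txid + 1) & 0xFFFF
            port = self.fixed_port
        self.pending[(txid, port)] = qname
        return {"txid": txid, "src_port": port, "qname": qname}

    def receive(self, response):
        """Accept a response only if it matches an outstanding query on ID, port and question."""
        key = (response["txid"], response["dst_port"])
        qname = self.pending.get(key)
        if qname is None:
            return "rejected: no outstanding query with that id/port"
        if response["qname"] != qname:
            return "rejected: question section does not match"
        # only records for the name we asked about are cached; anything else is ignored
        answers = {name: ip for name, ip in response["answers"] if name == qname}
        if not answers:
            return "rejected: no answer for the question asked"
        del self.pending[key]                  # first matching answer wins; later ones are dropped
        self.cache.update(answers)
        return "accepted"


def simulate_poisoning(resolver, bank_ip="198.51.100.20", evil_ip="203.0.113.66"):
    """Steps 1 and 2 of the slide: Dr. Evil observes the ID of a query for his own name,
    then races the real Bank DNS with a forged answer using that ID + 1."""
    q1 = resolver.send_query("evil.example")
    resolver.receive({"txid": q1["txid"], "dst_port": q1["src_port"], "qname": "evil.example",
                      "answers": [("evil.example", evil_ip)]})
    observed = q1                                            # Dr. Evil stores the query ID and port
    q2 = resolver.send_query("bank.example")
    forged = {"txid": (observed["txid"] + 1) & 0xFFFF, "dst_port": observed["src_port"],
              "qname": "bank.example", "answers": [("bank.example", evil_ip)]}
    forged_result = resolver.receive(forged)                 # arrives before the real answer
    genuine_result = resolver.receive({"txid": q2["txid"], "dst_port": q2["src_port"],
                                       "qname": "bank.example",
                                       "answers": [("bank.example", bank_ip)]})
    return {"forged": forged_result, "genuine": genuine_result,
            "bank": resolver.cache.get("bank.example")}
```

With sequential IDs and a fixed port the forged answer is accepted and the genuine one is discarded as unsolicited, which is exactly step 3 of the slide. With random ID and port the forger has roughly one chance in 65536 times 64512 per packet, so the forged answer is rejected and the genuine one is cached. Randomisation raises the cost of the race; it does not make forgery impossible, which is why DNSSEC signatures are the stronger answer.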

Recent Attacks

• Conficker
• Stuxnet
• Flame

What makes each one unique…a real threat?

Summary

• Threat is Real
• Hard to Detect
• A little understanding and situational awareness can go a long way toward preventing…and detecting
