COEN 252 Computer Forensics
Network Protocols
Network Protocols: Layering
The TCP/IP stack has four layers (link, internet, transport, application). The OSI model has seven.
Each layer adds its own header in front of what it receives from the layer above: an application message is wrapped by TCP, then by IP, then by the link layer (Application -> TCP -> IP -> Link). On the wire the link header comes first and the application data last.
Link Layer
Network Interface Cards (NIC) carry a unique Medium Access Control (MAC) address. Format: 48 bits, written as 6 bytes in hex (e.g. 00:01:02:03:04:05).
A NIC normally accepts only frames addressed to its own MAC (plus broadcast and subscribed multicast); in promiscuous mode it captures every frame on the segment, which is what a sniffer relies on.
Link Layer
Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses on the local link. RFC 826.

Link Layer: ARP Resolution Protocol
Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101.
A sends out a broadcast who-has request (shown as source MAC; destination MAC; frame length; ARP content):
00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42; who-has 10.10.10.101
All devices on the link receive the broadcast and hand it to their ARP code (not to the IP layer: the EtherType marks the frame as ARP). Only the owner of 10.10.10.101 answers, with a unicast reply:
a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0
A caches the binding in its ARP cache. Nothing in the exchange is authenticated: a cache entry is whatever the last reply for that IP address claimed.
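The exchange above, as an added worked example that is not part of the slides: it builds the 42-byte who-has frame for node A, parses the is-at reply, and updates an ARP cache. The cache update reports when an existing entry changes, which is the symptom an investigator looks for when ARP replies are being forged. Addresses are the ones from the slide; everything else (function names, the zero target MAC in a request) is standard RFC 826 layout.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP packet (RFC 826). op=1 request, op=2 reply.
    A request goes to the Ethernet broadcast address with the target MAC zeroed;
    14 bytes of Ethernet header + 28 bytes of ARP = the 42 bytes tcpdump reports."""
    dst = BROADCAST if op == 1 else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype Ethernet, ptype IPv4, hlen 6, plen 4, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes("00:00:00:00:00:00" if op == 1 else target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of a frame as a dict, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": "who-has" if op == 1 else "is-at",
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }

def update_cache(cache, reply):
    """Cache the sender binding from a reply. Returns a warning string when an existing
    entry for that IP changes to a different MAC, which is what a forged reply looks like."""
    ip, mac = reply["sender_ip"], reply["sender_mac"]
    old = cache.get(ip)
    cache[ip] = mac
    if old is not None and old != mac:
        return f"{ip} changed from {old} to {mac}"
    return None
```

The request frame comes out at exactly 42 bytes; the reply on the slide shows 64 because the receiving NIC hands tcpdump the padded minimum-size Ethernet frame.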
IP
Uses the IP addresses of source and destination.
IP datagrams are moved from hop to hop.
"Best effort" service: no delivery guarantee. A datagram whose header checksum fails is detected and dropped; the payload is not checked at this layer.

IP
A communication endpoint (socket address) is an IP address plus a port number. The IP header itself carries only the addresses; the port numbers live in the TCP or UDP header.
IPv4 addresses are 32 bits long. IPv6 addresses are 128 bits long.
IP: ICMP
Internet Control Message Protocol. Reports conditions that IP itself cannot signal and carries simple diagnostic queries, for example:
Fragmentation is necessary, but the DF (Don't Fragment) flag is set.
A UDP datagram is sent to a port nobody is listening on (port unreachable).
Ping (echo request / echo reply).

IP: ICMP
ICMP error messages should not be sent:
For any but the first fragment of a datagram.
For a datagram whose source address is a broadcast or loopback address. Such packets are probably malicious anyway.

IP: ICMP
ICMP errors are also not sent:
In response to an ICMP error message. Otherwise one could craft a message with invalid UDP source and destination ports and watch the two hosts ping-pong errors forever.
For a destination broadcast address. Do not answer with destination unreachable for a broadcast; otherwise it becomes trivial to enumerate a network with a single packet.
Transport Layer: TCP and UDP
Transmission Control Protocol (TCP): reliable, connection-oriented, slower (handshake, acknowledgements, retransmission).
User Datagram Protocol (UDP): unreliable, connectionless, fast.

TCP
Only supports unicast. Full duplex connection. Sequence numbers detect lost segments, which are then retransmitted.
TCP: Three Way Handshake
Initiator to responder: SYN, sequence number s
Responder to initiator: SYN, sequence number t, ACK s+1
Initiator to responder: ACK t+1
Sets up two sequence-number streams, one per direction, with initial sequence numbers s and t.

TCP: Three Way Handshake
20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)
20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)
Note ack 2882650417 = 2882650416 + 1: the SYN consumes one sequence number. tcpdump prints absolute numbers for the SYNs and relative numbers (ack 1) from then on.
TCP: Terminating Connections
Graceful shutdown: Party 1 to Party 2: FIN. Party 2 to Party 1: ACK. Party 2 to Party 1: FIN. Party 1 to Party 2: ACK. Each side closes its own direction.
Abrupt shutdown: Party 1 to Party 2: RST.

TCP: Shutting down a connection
20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)
20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)
20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)
20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)
The server's FIN at 23:23(0) is acknowledged with ack 24: a FIN consumes one sequence number, just as a SYN does.
TCP: Exchanging Data
Each packet has a sequence number (one stream for each direction).
Initial sequence numbers are created during the three way handshake. Nmap uses the way an OS generates these initial sequence numbers to fingerprint it. Operating systems are now much better at producing unpredictable sequence numbers.

TCP: Exchanging Data
The party that receives a packet sends an acknowledgement: the ACK flag plus the sequence number of the next byte it expects.

TCP: Exchanging Data
If a segment is lost, the ack number stops advancing: the receiver keeps acknowledging the same byte ("duplicate acknowledgement"). Depending on settings, the sender retransmits after three duplicate acknowledgements (fast retransmit), and in any case after a retransmission timeout.

TCP: Exchanging Data
20:48:45.087563 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 4 win 16959 (DF)
20:48:45.087583 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 3:4(1) ack 4 win 16959 (DF)
20:48:45.096443 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win 32768 (DF)
20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
Relative numbering: P 4:5(1) means one byte of data with relative sequence number 4; the peer's next acknowledgement then says ack 5.
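The sequence/acknowledgement arithmetic from the handshake and shutdown slides, checked mechanically. This is an added example, not code from the course: it parses old-style tcpdump TCP lines and verifies that every ACK equals the peer's next sequence number (SYN and FIN each consume one number; tcpdump switches from absolute to relative numbers after the SYNs). The two traces are the ones printed on the slides; the regular expression and function names are this example's own.

```python
import re

# tcpdump (3.x style) TCP line: time IP src > dst: flags [seq:end(len)] [ack N] win W ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

HANDSHAKE = """\
20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)
20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)
""".splitlines()

SHUTDOWN = """\
20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)
20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)
20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)
20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)
""".splitlines()

def check_trace(lines):
    """Verify every acknowledgement in a tcpdump trace against the peer's next sequence number.

    Returns one (timestamp, flags, ack, ok) tuple per acknowledging segment. ok is None
    when the trace starts mid-connection and the peer's position is not yet known; in
    that case the position is learned from the ACK and later segments are checked.
    """
    isn, nxt, out = {}, {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        d, rev = (f["src"], f["dst"]), (f["dst"], f["src"])
        ack = int(f["ack"]) if f["ack"] is not None else None
        if "S" in f["flags"]:
            isn[d] = int(f["seq"])
            nxt[d] = 1                       # SYN consumes one number; tcpdump is relative from here
            expected = isn[rev] + 1 if rev in isn else None   # SYN/ACK must ack the peer's ISN + 1
        else:
            if f["end"] is not None:
                nxt[d] = max(nxt.get(d, 0), int(f["end"]))   # data ends at 'end' (exclusive)
            if "F" in f["flags"]:
                nxt[d] = nxt.get(d, 0) + 1   # FIN also consumes one sequence number
            expected = nxt.get(rev)
        if ack is None:
            continue
        if expected is None:
            if "S" not in f["flags"]:
                nxt[rev] = ack               # learn the peer's position from the first ACK seen
            out.append((f["ts"], f["flags"], ack, None))
        else:
            out.append((f["ts"], f["flags"], ack, ack == expected))
    return out
```

An ACK that does not match is worth a second look in a capture: it is either loss/reordering or a segment that did not come from the host it claims to come from.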
TCP flags
Part of the TCP header:
F: FIN - Finish; end of session
S: SYN - Synchronize; request to start a session
R: RST - Reset; drop a connection
P: PSH - Push; deliver the data to the application immediately
A: ACK - Acknowledgement number is valid
U: URG - Urgent pointer is valid
E: ECE - Explicit Congestion Notification Echo
W: CWR - Congestion Window Reduced
UDP
"Send and pray": no connection, no acknowledgements, no retransmission.
The UDP header is much simpler than TCP's: 8 bytes following the IP header, holding source port, destination port, length and checksum.
The Protocol field in the IP header is 17 (0x11) for UDP (6 for TCP).
Fragmentation
An IP datagram can meet a link whose maximum transmission unit (MTU) is smaller than the datagram.
The sender, or any router on the path, chops the IP datagram into several smaller IP datagrams, the fragments.

Fragmentation
Fragments are reassembled only at the destination. Each fragment carries:
Fragment identifier (the Identification field, identical in every fragment of one datagram)
Offset of its data within the original data portion (in units of 8 bytes)
Length of the data payload in the fragment
A flag (More Fragments, MF) that indicates whether or not this is the final fragment
Fragmentation
Example: a large echo request, ping -l 1480 129.218.19.198. Assume the MTU is 1500.
The datagram is 20 (IP header) + 8 (ICMP header) + 1480 (data) = 1508 bytes, 8 more than the MTU, so it is split in two: a first fragment with 1480 bytes of IP payload (the ICMP header plus 1472 data bytes) and a last fragment carrying the remaining 8 bytes.

Fragmentation: First Fragment
Fragmentation: Second Fragment
Fragmentation: Last Fragment
(Header dumps of the individual fragments on the slides.)

Fragmentation: ping -l 65500 129.218.19.198
tcpdump shows each fragment as (frag id:length@offset+), where + means More Fragments is set. Only the first fragment contains the ICMP header, so only it is decoded as an echo request. Each fragment here carries 1472 bytes of payload, so the sending interface's MTU was 1492 rather than 1500. The NetBIOS datagram in the middle is unrelated traffic captured at the same time. The listing is cut off after eleven fragments.
12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:1472@0+)
12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+)
12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+)
12:02:18.258502 IP dhcp-19-115.engr.scu.edu.137 > 129.210.19.255.137: udp 50
12:02:18.259714 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@4416+)
12:02:18.261177 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@5888+)
12:02:18.262389 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@7360+)
12:02:18.263604 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@8832+)
12:02:18.264820 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@10304+)
12:02:18.266037 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@11776+)
12:02:18.267495 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@13248+)
12:02:18.268712 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@14720+)
Fragmentation
DF (Don't Fragment) flag: if a forwarding node finds that the datagram needs to be fragmented but DF is set, it drops the datagram and responds with ICMP destination unreachable, code "fragmentation needed and DF set" (RFC 1191 routers include the next-hop MTU in that message).
Useful to find the minimum MTU along a path: path MTU discovery.
Fragmentation
Stateless firewalls look only at individual packets.
The transport header (TCP/UDP ports, TCP flags) is only in the first fragment.
"Stealth attacks / scans" put the evil payload only in the second and following fragments, which carry no port numbers or flags for the filter to match on.
Fragments: Teardrop and Friends
Teardrop (1997): fragments with overlapping offset fields. Many operating systems of the time crashed, hung or rebooted while reassembling them.
Jolt2: a single fragment with a non-zero offset, sent over and over. The receiving system allocates resources to reconstruct a datagram whose first fragment never arrives.

Fragments: Teardrop and Friends
Create fragments that seem to come from a datagram of gigabyte size. A trusting OS tries to allocate the memory and dies.
Ping of Death: Windows 95 allowed sending a ping whose reassembled datagram was just a tad longer than the 65535-byte IP maximum. The receiving host would crash.
Unnamed attacks: missing fragments lead to resource allocation at the receiver until the reassembly timer expires.
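A fragment reassembly check in the spirit of the slides above, as an added example rather than course code. It parses the (frag id:length@offset+) annotations tcpdump prints, groups them by Identification, and classifies each datagram: complete, incomplete (the "missing fragments" case, including the cut-off ping -l 65500 trace from the earlier slide), overlapping (Teardrop), a tail with no first fragment (Jolt2), or a reassembled size beyond 65535 bytes (Ping of Death). The trace lines are the slide's; the three small attack fragment lists in the test are constructed for illustration and are not real captures.

```python
import re

FRAG_RE = re.compile(r"frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)")
MAX_DATAGRAM = 65535   # IPv4 Total Length is 16 bits

# Fragment annotations from the ping -l 65500 slide (the capture stops after eleven fragments).
PING_TRACE = """\
12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:1472@0+)
12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+)
12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+)
12:02:18.258502 IP dhcp-19-115.engr.scu.edu.137 > 129.210.19.255.137: udp 50
12:02:18.259714 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@4416+)
12:02:18.261177 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@5888+)
12:02:18.262389 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@7360+)
12:02:18.263604 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@8832+)
12:02:18.264820 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@10304+)
12:02:18.266037 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@11776+)
12:02:18.267495 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@13248+)
12:02:18.268712 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@14720+)
""".splitlines()

def parse_fragments(lines):
    """Group tcpdump fragment annotations by IP identification.
    Returns {id: [(offset_bytes, payload_len, more_fragments), ...]}."""
    groups = {}
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            groups.setdefault(int(m["id"]), []).append(
                (int(m["off"]), int(m["len"]), m["more"] == "+"))
    return groups

def check_reassembly(frags):
    """Classify one datagram's fragments. Returns (verdict, reassembled_payload_length).

    'oversized'  : last byte beyond 65535 (Ping of Death); checked first because the
                   receiver may allocate for the whole datagram before all fragments arrive
    'tail-only'  : nothing at offset 0 (Jolt2 style); buffers wait for a first fragment that never comes
    'overlap'    : a fragment starts inside the previous one (Teardrop)
    'incomplete' : a gap, or the last fragment still has More Fragments set
    'complete'   : contiguous from 0 to a final fragment without MF
    """
    frags = sorted(frags)
    end = max(off + ln for off, ln, _ in frags)
    if end > MAX_DATAGRAM:
        return "oversized", end
    if frags[0][0] != 0:
        return "tail-only", end
    expected = 0
    for off, ln, more in frags:
        if off < expected:
            return "overlap", end
        if off > expected:
            return "incomplete", end
        expected = off + ln
    if frags[-1][2]:
        return "incomplete", end
    return "complete", end
```

Run over the slide's trace it reports the datagram as incomplete at 16192 bytes, which is exactly what a receiver sitting on those buffers would see while it waits for the remaining fragments.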
ICMP
ICMP has no port numbers. No acks, no message delivery guarantee.
Types and codes are registered at http://www.iana.org/assignments/icmp-parameters
First byte: Type. Second byte: Code.

ICMP
Mapping techniques: detect which hosts are up; detect the OS through its responses.
ICMP
Tireless Mapper: sends ICMP echo request messages to all possible IP addresses.
Many IDS will not flag this scan if the number of packets per hour stays below their threshold.
Firewalls should filter incoming ping requests.

ICMP
Efficient Mapper: one ICMP echo request to the broadcast address, e.g. ping 129.210.19.255. Every host that replies is up.

ICMP
Clever Mapper: uses a different ICMP message, such as an ICMP address mask request, which reveals the subnet mask and therefore the size of the network.

ICMP
Normal messages: host unreachable, port unreachable, administratively prohibited, need to fragment, time exceeded in transit.
Malicious ICMP: Smurf Attack
Smurf attack on victim 129.219.19.198
Step 1: The attacker sends an ICMP echo request to a broadcast address with the spoofed source IP 129.219.19.198.
Step 2: The border router lets the echo request to the broadcast address in (directed broadcasts are forwarded).
Step 3: All live hosts on that network respond with an ICMP echo reply to the spoofed source, i.e. to the victim.

Malicious ICMP: Smurf Attack
Denial of Service attack. Effort of attacker << effort of victim.
Uses the ICMP replies from the whole network as an amplifier: one request in, one reply per live host out.
Works well if the victim has a slow connection.

Malicious ICMP: Tribal Flood Network
Based on Smurf. Creates zombies out of compromised machines.
The compromised machines wait for a trigger, then start bombarding a victim with requests.
Many variations on this theme.

Malicious ICMP: Winfreeze (obsolete)
Uses the ICMP redirect message, whose legitimate use is to update routing information.
A flood of redirect messages causes the victim (Win95 / Win98) to redirect its own traffic to itself via random hosts.
The victim spends all its time updating the routing table.

Malicious ICMP: Loki
Uses ICMP packets as a covert channel.
A compromised host running a Loki server responds to requests from a Loki client.
Requests are sent as ping messages, with the command data embedded in the ICMP echo payload.
Originally used bytes 6 and 7.

Malicious ICMP: Conclusions
Limit ICMP messages at the firewall.
This leads to inefficiencies, such as attempting a TCP connection to a host that is down instead of learning at once that it is unreachable.
Path MTU discovery (fragmentation needed) must still be let through. Log the ICMP that is let through.
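The three ICMP symptoms discussed above (mapping sweeps, smurf-style reply floods, and echo payloads that carry something other than ping data) as detection logic over captured records. This is an added example, not course material: it decodes the ICMP header (type in the first byte, code in the second, identifier and sequence number in bytes 4 to 7 for echo messages) and runs three detectors over a constructed sample of traffic. The thresholds, the (src, dst, payload) record shape and the function names are this example's choices; the 32-byte pattern is the one the Windows ping tool sends, and a real detector would key the expected pattern on the sender's OS.

```python
import struct
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte data the Windows ping tool sends

def parse_icmp(payload):
    """Return (type, code, ident, seq, data). ident/seq are None for non-echo types."""
    typ, code, _csum = struct.unpack("!BBH", payload[:4])
    ident, seq = struct.unpack("!HH", payload[4:8]) if typ in (ECHO_REPLY, ECHO_REQUEST) else (None, None)
    return typ, code, ident, seq, payload[8:]

def echo(typ, ident, seq, data):
    """Build an echo request/reply; the checksum is left zero since only the layout matters here."""
    return struct.pack("!BBHHH", typ, 0, 0, ident, seq) + data

def find_sweeps(records, threshold=8):
    """Tireless mapper: one source sending echo requests to many distinct destinations."""
    targets = defaultdict(set)
    for src, dst, p in records:
        if parse_icmp(p)[0] == ECHO_REQUEST:
            targets[src].add(dst)
    return {s for s, d in targets.items() if len(d) >= threshold}

def find_amplification(records, threshold=8):
    """Smurf symptom seen at the victim: echo replies from many sources for which the
    victim never sent a matching (ident, seq) request, because the request was spoofed."""
    sent, reply_sources = set(), defaultdict(set)
    for src, dst, p in records:
        typ, _, ident, seq, _ = parse_icmp(p)
        if typ == ECHO_REQUEST:
            sent.add((src, ident, seq))
        elif typ == ECHO_REPLY and (dst, ident, seq) not in sent:
            reply_sources[dst].add(src)
    return {victim for victim, srcs in reply_sources.items() if len(srcs) >= threshold}

def find_covert_payloads(records):
    """Loki symptom: echo data that is not the fixed pattern the OS ping tool uses."""
    hits = []
    for src, dst, p in records:
        typ, _, ident, seq, data = parse_icmp(p)
        if typ not in (ECHO_REQUEST, ECHO_REPLY) or not data:
            continue
        expected = (WINDOWS_PAYLOAD * (len(data) // 32 + 1))[:len(data)]
        if data != expected:
            hits.append((src, dst, ident, seq))
    return hits

def constructed_sample():
    """Constructed traffic, not a real capture: a sweep of ten hosts, ten unsolicited replies
    hitting the slide's smurf victim, one ordinary ping exchange, and one echo request
    carrying shell text instead of ping data."""
    recs = []
    for i in range(1, 11):
        recs.append(("10.0.0.9", f"10.0.0.{i}", echo(ECHO_REQUEST, 1, i, WINDOWS_PAYLOAD)))
    for i in range(20, 30):
        recs.append((f"129.210.19.{i}", "129.219.19.198", echo(ECHO_REPLY, 1, 1, WINDOWS_PAYLOAD)))
    recs.append(("10.0.0.3", "10.0.0.4", echo(ECHO_REQUEST, 2, 1, WINDOWS_PAYLOAD)))
    recs.append(("10.0.0.4", "10.0.0.3", echo(ECHO_REPLY, 2, 1, WINDOWS_PAYLOAD)))
    recs.append(("10.0.0.5", "10.0.0.7", echo(ECHO_REQUEST, 7, 1, b"cat /etc/passwd\n")))
    return recs

SAMPLE = constructed_sample()
```

The amplification detector is the one that matters for the smurf case: the victim sees replies it never asked for, from many hosts at once, so the (ident, seq) bookkeeping separates an attack from a busy but legitimate ping.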
FTP
Uses TCP. Active and passive FTP both use port 21 for the control channel on which FTP commands are issued.
Active FTP: the server opens the data connection from its port 20 to an ephemeral port the client announced in a PORT command.

FTP: Active FTP Example
Command channel between server8.engr.scu.edu.21 and dhcp-19-211.engr.scu.edu.3268.
A dir command creates a new connection between server8.engr.scu.edu.20 and dhcp-19-211.engr.scu.edu.5003, opened by the server.

FTP
Opening a connection from the outside to an ephemeral port on the client is dangerous: a client-side firewall has to allow inbound connections to high ports.
Passive FTP: the client sends PASV, the server answers with an ephemeral port of its own, and the client initiates the data connection to that port. Port 20 is not used.
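The address exchange that decides who connects to whom, as an added example (not course code). The h1,h2,h3,h4,p1,p2 string in a PORT command or a 227 PASV reply encodes an IP address and a port as port = p1*256 + p2; the slide's data port 5003 is 19,139 in that notation. The client address 129.210.19.211 for dhcp-19-211.engr.scu.edu is inferred from the naming convention in the captures and the server address 192.0.2.10 is a placeholder; both are assumptions. The last function is the check a firewall or server should apply before honouring a PORT command: the announced address must be the client's own and the port unprivileged, otherwise the server can be talked into connecting to a third host.

```python
def parse_hostport(arg):
    """Decode the h1,h2,h3,h4,p1,p2 argument of PORT (RFC 959) or a 227 PASV reply."""
    parts = [int(x) for x in arg.strip("()").split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad host-port string: {arg!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def format_hostport(ip, port):
    """Inverse of parse_hostport."""
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"

def data_connection(mode, client_ip, server_ip, hostport):
    """Who opens the data channel and between which endpoints.

    Returns (initiator, (src_ip, src_port), (dst_ip, dst_port)); a None port is ephemeral.
    Active:  the client sent PORT hostport; the server connects from port 20 to it.
    Passive: the server replied 227 hostport; the client connects to it from an ephemeral port.
    """
    ip, port = parse_hostport(hostport)
    if mode == "active":
        return "server", (server_ip, 20), (ip, port)
    if mode == "passive":
        return "client", (client_ip, None), (ip, port)
    raise ValueError(f"unknown mode {mode!r}")

def port_is_safe(client_ip, hostport):
    """Accept a PORT command only if it names the client's own address and an unprivileged port."""
    ip, port = parse_hostport(hostport)
    return ip == client_ip and port > 1023
```

A stateful firewall that understands FTP does exactly this: it reads PORT/227 on the control channel, applies the safety check, and opens a pinhole for the single expected data connection instead of allowing all high ports inbound.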
Malicious TCP Use: Mitnick Attack (obsolete)
SYN flood. The goal is to disconnect the victim from the net.
Throws hundreds / thousands of SYN packets at it, each with a spoofed return address.
The recipient's queue of half-open connections (connections waiting to be established) fills up and no new connection can be accepted.
Still works as a DDoS attack.

Malicious TCP Use: Mitnick Attack (obsolete)
Identify trust relationships: extensive network mapping with nbtstat, finger, showmount, rpcinfo -p, ...
rpcinfo provides information about the remote procedure call services and their ports.

Malicious TCP Use: Mitnick Attack (obsolete)
Initiate a number of TCP connections to the host: send a SYN packet, receive the SYN/ACK, then send a RST so that the victim's queue is not flooded.
Observe the initial sequence number values across the different connections.
Can they be predicted?
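The probing step above, as an added example that is not course code: given the initial sequence numbers observed on successive connections, compute the increments modulo 2^32 and decide whether the next ISN can be guessed. The sample values are constructed (a constant 64000 per-connection increment of the kind old BSD-derived stacks used, a random set, and a set that wraps around 2^32); the tolerance parameter is this example's own knob for stacks whose increment jitters slightly.

```python
MOD = 1 << 32   # TCP sequence numbers are 32 bits and wrap

def isn_deltas(samples):
    """Increments between consecutive initial sequence numbers, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(samples, samples[1:])]

def predict_next_isn(samples, tolerance=0):
    """Mitnick-style analysis of ISNs sampled from probe connections.

    If every increment is the same (within tolerance), the stack is predictable and the
    next ISN is the last one plus that increment. Returns (predictable, increment_or_spread, guess):
    for a predictable stack the second value is the increment and the third the guess;
    otherwise the second value is the spread of the increments and the guess is None.
    """
    if len(samples) < 3:
        raise ValueError("need at least three samples to see whether the increment is constant")
    d = isn_deltas(samples)
    spread = max(d) - min(d)
    if spread <= tolerance:
        inc = d[-1]
        return True, inc, (samples[-1] + inc) % MOD
    return False, spread, None
```

A spoofed connection only needs one correct guess; a spread of a few thousand still leaves the attacker a small set of ACKs to try, which is why a modern stack draws ISNs from a keyed hash plus a random offset rather than a counter.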
Malicious TCP Use: Mitnick Attack (obsolete)
The slides show the attack as a sequence of diagrams with three parties: the Victim, a host B that the Victim trusts (rsh without a password, via .rhosts), and the Attacker.
1. The Victim trusts B.
2. From the probe connections, the Attacker can predict the sequence number the Victim will use next.
3. The Attacker SYN floods B. B cannot respond to anything for a while.
4. The Attacker takes over B's identity and sends a spoofed SYN "from B" to the Victim.
5. The Victim responds with a SYN/ACK to B. B, being flooded, does not respond. (An unflooded B would answer the unexpected SYN/ACK with a RST and kill the connection.)
6. The Attacker, who never sees that SYN/ACK, sends the ACK with the guessed sequence number to the Victim. From the Victim's point of view the connection is now established.
7. The Attacker sends another TCP packet with the payload: rsh victim "echo ++ >> .rhosts"
8. Now the Victim trusts everyone: the two plus signs in .rhosts are wildcards for any host and any user.
9. The Attacker terminates the connection with a FIN exchange, again blind.
10. To wake B up, the Attacker sends it a bunch of RSTs to free it from the SYN flood.
11. The Attacker now starts a new, ordinary connection with the Victim and talks to it directly.
Malicious TCP Use: Mitnick Attack Detection
Network based intrusion detection (NID) can find the original site mapping.
NID can find the reconnaissance by spotting the "finger", "showmount", "rpcinfo" etc. requests. showmount and rpcinfo both go through the portmapper on port 111, a dangerous and frequently probed port.

Malicious TCP Use: Mitnick Attack Detection
Host scans: log instances where a single system accesses multiple hosts at the same time.
Host-based Intrusion Detection (HID) can find accesses to a single port.
HID / Tripwire can find changes to .rhosts.

Malicious TCP Use: Mitnick Attack Detection
Computer forensics can detect the attack by:
Logging network traffic.
Examining the MAC times (modification, access, change) of important files such as .rhosts.

Malicious TCP Use: Mitnick Attack Prevention
A router-based firewall blocks certain types of traffic: network mapping, SYN flooding, access to dangerous ports.
A host-based firewall blocks access to dangerous ports.
A security policy disallows reconnaissance tools and enforces better authentication than host-based trust.
Domain Name Servers
Provide the mapping from host names to IP addresses.
DNS resolution process: the client (through a resolver call such as gethostbyname) sends a query to its local domain name server; the local domain name server sends back the IP address.
Uses UDP almost exclusively (port 53).

DNS: Resolution protocol
1. Client to local DNS server: gethostbyname.
2. Local DNS server forwards the request to a root server.
3. Root server answers with a referral to the name servers responsible for the domain (in practice via the top-level domain servers first).
4. Local DNS server queries that remote DNS server.
5. Remote DNS server answers with the IP address.
6. Local DNS server gives the data to the client.

DNS
Caching prevents overload of the root servers.
DNS records have a TTL. The responding DNS server sets the TTL; the receiving DNS server caches the record for TTL seconds.

DNS: Reverse Lookup
IP address to host name: the query for 1.2.3.4 is sent for the name 4.3.2.1.in-addr.arpa (octets reversed), record type PTR.
DNS: Master - Slave Name Servers
Each domain has a single master DNS server. Slaves are added for redundancy.
A slave server periodically contacts the master to see whether there are changes (it compares the zone's serial number in the SOA record).
Older BIND downloads all data of the zone, even if only one record has changed.

DNS: Zone Transfer
The slave requests a zone transfer (AXFR) from the master.
Uses TCP, port 53.
Attackers like zone transfers: one transfer gives all names and IP addresses in the zone, a complete map of the network.
Newer versions of BIND limit transfers to listed IP addresses (allow-transfer).

DNS: Abuse for Reconnaissance
nslookup: get the name servers (set type=ns).
HINFO: host information records, which advertise hardware and operating system.
List the zone information: > ls -d engr.scu.edu in nslookup, which is a zone transfer in disguise.

DNS: Abuses and Problems
DNS cache poisoning. Affects BIND versions before 8.1.1. Based on the lack of authentication: some BIND versions cached every DNS record they saw, including unsolicited ones.
DNS Cache Poisoning
Attack on Hillary Clinton's run for Senate website.
Traffic to www.hillary2000.org was redirected to www.hillaryno.com (IP address 206.245.150.74).

DNS Cache Poisoning
Step 1: Evil sends a bogus query to the victim's name server that contains the record www.hillary2000.org at 206.245.150.74.

DNS Cache Poisoning
Step 2: The name server accepts the bogus information, even though it arrived inside a query.
Step 3: The victim requests the IP address of hillary2000.org and is directed to hillaryno.com.
The vulnerability arises from the lack of authentication and from using queries to update entries at the queried server.

DNS Cache Poisoning: Birthday Attack
The attacker sends a large number of queries for hillary2000 to a vulnerable name server.
The name server generates one outgoing request to resolve hillary2000 per query, each with its own transaction ID.
The attacker sends an equal number of phony replies (with the poisoned data), each carrying a guessed transaction ID.
With high probability, one of the phony answers will have the same transaction ID as one of the name server's outstanding queries, and its data is cached.
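Why the birthday variant works, as an added worked calculation (not from the slides). With a 16-bit transaction ID, the classic attack against one outstanding query succeeds with probability n/65536 for n spoofed replies. With n outstanding queries, each holding its own random ID, and n random phony replies, the attack fails only if none of the n replies hits any of the n IDs, so the success probability is 1 - (1 - n/65536)^n. The formula treats the n query IDs as distinct, a simplification that slightly overstates success when n is large; the function names are this example's own.

```python
ID_SPACE = 1 << 16   # 16-bit DNS transaction ID

def classic_success(n, space=ID_SPACE):
    """One outstanding query; n spoofed replies with distinct guessed IDs."""
    return min(n, space) / space

def birthday_success(n, space=ID_SPACE):
    """n outstanding queries for the same name, n spoofed replies with random IDs.
    Fails only if every reply misses every outstanding ID (query IDs assumed distinct)."""
    n = min(n, space)
    return 1 - (1 - n / space) ** n

def queries_needed(p, space=ID_SPACE):
    """Smallest n for which the birthday attack reaches success probability p."""
    n = 1
    while birthday_success(n, space) < p:
        n += 1
    return n
```

Around 213 queries and replies give the attacker even odds, and 300 give roughly 75 percent, where the classic attack with 300 replies sits below half a percent. Source-port randomisation adds about 16 more bits to the space, which is what makes the same arithmetic hopeless for the attacker on a patched resolver.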
DNS: The BIND Birthday Attack

DNS Cache Poisoning
Consequences: redirect traffic to a fake PayPal or other e-commerce site; set up man-in-the-middle attacks.
Defenses:
The domain owner can do nothing but rely on the DNS system.
The ISP name server admin protects the resolver by updating BIND or replacing it with djbdns, and by running two name servers: one serving the public domain information to the outside, another for internal use (split DNS).
The end user has to rely on the DNS system.
Routing
Local routing table: netstat -r

Static Routing
The IP layer searches the routing table in the following order:
Search for a matching destination host address (a host route).
Search for a matching destination network address.
Search for a default entry.
That is, the most specific matching route wins.

Routing
Static routes are typically added during the boot process.
Administrative changes are made with the route command.
ICMP router discovery messages can also add routes.

Routing Changes
A host might have inefficient entries in its routing table. Two ICMP mechanisms correct them:
ICMP Router Discovery Protocol (IRDP): router advertisement and solicitation messages.
ICMP redirect messages.
IRDP needs to be enabled on the host.
![Page 90: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/90.jpg)
Routing Changes
ICMP Redirect Message A sends message to D. Routing table says to send to B first.
![Page 91: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/91.jpg)
Routing Changes
ICMP Redirect Message
B forwards to C.
B informs A that there is a direct route to C (ICMP redirect message).
![Page 92: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/92.jpg)
Routing Changes
ICMP Redirect Message
C forwards the packet to the target. A updates its routing table.
![Page 93: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/93.jpg)
IRDP DoS Exploit
Attacker (E) sends a spoofed IRDP message to A.
A updates its routing table to reflect the bogus default value.
A loses connectivity.
![Page 94: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/94.jpg)
IRDP Windows Exploit
Windows (95, 98, 2000) and some Solaris systems are vulnerable.
If a Windows host runs a Dynamic Host Configuration Protocol (DHCP) client, it obtains its default route from the DHCP server.
ICMP router advertisements can be spoofed.
The first router advertisement is checked for a correct IP address.
The second router advertisement is erroneously not.
![Page 95: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/95.jpg)
IRDP Windows Exploit
Attacker sends two ICMP router advertisements to victim.
Victim updates its default gateway to IP determined by attacker.
Use for man in the middle attacks or DoS.
![Page 96: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/96.jpg)
ARP Poisoning
The Address Resolution Protocol associates MAC addresses with IP addresses.
Four messages:
ARP Request: “Who has this IP?”
ARP Reply: “I have this IP. My MAC is …”
Reverse ARP Request: “Who has that MAC?”
Reverse ARP Reply: “I have that MAC, my IP is …”
![Page 97: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/97.jpg)
ARP Poisoning
ARP is very efficient, but does not do any authentication.
Many OS still accept ARP replies even without making an ARP request.
ARP poisoning: spoofing an ARP packet with false ARP data.
![Page 98: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/98.jpg)
ARP Poisoning
Denial of Service: a spoofed ARP message can associate the default gateway address with a non-existing MAC.
Traffic to the outside is no longer picked up.
![Page 99: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/99.jpg)
ARP Poisoning Man in the Middle
Intercept traffic between devices A and B. A has IP IA and MAC MA. B has IP IB and MAC MB. The attacker has machine C with MAC MC.
Attacker sends an ARP reply to B: IA is at MC. B updates its ARP cache entry: IA is at MC.
Attacker sends an ARP reply to A: IB is at MC. A updates its ARP cache entry: IB is at MC.
A sends traffic to IB in a level 1 frame addressed to MC. C intercepts the packet and forwards it to MB.
Traffic from A to B (and vice versa) now flows through C.
![Page 100: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/100.jpg)
ARP Poisoning MAC flooding
Switches maintain a MAC-to-port table. Traffic only flows to the destination port.
Attacker sends lots of bogus ARP data to the switch. The switch’s ARP table is flooded.
Switches either stop functioning (DoS attack) or drop to hub mode.
A switch in hub mode forwards a packet to all ports. This allows traffic to be sniffed.
![Page 101: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/101.jpg)
ARP Poisoning Small networks:
Could use a static ARP table. Disables ARP messaging.
All ARP entries need to be put in by hand and maintained. Will not work with DHCP.
Maintenance quickly becomes impossible as the network grows.
Some Windows OS will still accept and use dynamic ARP updates, even if all routes are statically encoded.
![Page 102: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/102.jpg)
ARP Poisoning
Large networks:
Use port security features on higher-end switches. Allow only one MAC address per port.
Prevents hackers from embedding their MAC address more than once.
All networks:
Monitor ARP traffic (ARP monitoring tool).
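A minimal ARP monitoring tool of the kind the slide recommends, added here as an example (not code from the lecture). It decodes the four message types listed earlier, learns IP-to-MAC bindings from request senders and from replies, and raises an alert when a reply arrives that nobody asked for or when a binding changes, which is exactly what the poisoning scenarios on the preceding slides look like on the wire. All frames below are constructed test data; the gateway address and MACs are assumptions.

```python
import struct

ARP_OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
ETHERTYPES = (b"\x08\x06", b"\x80\x35")  # ARP and RARP EtherTypes

_mac = lambda s: bytes.fromhex(s.replace(":", ""))
_ip = lambda s: bytes(int(x) for x in s.split("."))


def build_arp(src_mac, src_ip, dst_mac, dst_ip, opcode):
    """Build an Ethernet II frame carrying a 28-byte ARP packet (constructed test data)."""
    eth_dst = _mac("ff:ff:ff:ff:ff:ff") if opcode in (1, 3) else _mac(dst_mac)
    ethertype = b"\x08\x06" if opcode in (1, 2) else b"\x80\x35"
    eth = eth_dst + _mac(src_mac) + ethertype
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += _mac(src_mac) + _ip(src_ip) + _mac(dst_mac) + _ip(dst_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP/RARP over IPv4."""
    if len(frame) < 42 or frame[12:14] not in ETHERTYPES:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "name": ARP_OPCODES.get(op, f"opcode {op}"),
            "sha": fmt_mac(frame[22:28]), "spa": fmt_ip(frame[28:32]),
            "tha": fmt_mac(frame[32:38]), "tpa": fmt_ip(frame[38:42])}


class ArpMonitor:
    """Tracks IP-to-MAC bindings seen on the wire and flags poisoning indicators."""

    def __init__(self, static_bindings=None):
        self.static = dict(static_bindings or {})  # ip -> MAC that must not change
        self.learned = {}                           # ip -> MAC last seen
        self.pending = set()                        # IPs with an outstanding request
        self.alerts = []

    def _learn(self, ip, mac):
        if ip in self.static and self.static[ip] != mac:
            self.alerts.append(f"static binding violated: {ip} should be {self.static[ip]}, seen {mac}")
        elif ip in self.learned and self.learned[ip] != mac:
            self.alerts.append(f"binding changed: {ip} was {self.learned[ip]}, now {mac}")
        self.learned[ip] = mac

    def feed(self, frame):
        p = parse_arp(frame)
        if p is None:
            return None
        if p["op"] == 1:                       # request: remember who is being asked for
            self.pending.add(p["tpa"])
            self._learn(p["spa"], p["sha"])    # the asker also announces its own binding
        elif p["op"] == 2:                     # reply: the core poisoning vector
            if p["spa"] in self.pending:
                self.pending.discard(p["spa"])
            else:
                # Gratuitous ARP is legitimate, so this is an indicator, not proof.
                self.alerts.append(f"unsolicited ARP reply: {p['spa']} is at {p['sha']}")
            self._learn(p["spa"], p["sha"])
        return p


def scan(frames, static_bindings=None):
    """Run the monitor over a capture and return its alerts."""
    mon = ArpMonitor(static_bindings)
    for f in frames:
        mon.feed(f)
    return mon.alerts


# Constructed scenario: host 10.10.10.100 asks for the gateway 10.10.10.1, the real
# gateway answers, then an attacker MAC claims the gateway address (cache poisoning).
GATEWAY_IP, GATEWAY_MAC = "10.10.10.1", "00:00:5e:00:01:01"   # assumed values
HOST_MAC, ATTACKER_MAC = "00:01:02:03:04:05", "00:aa:bb:cc:dd:ee"
SAMPLE_CAPTURE = [
    build_arp(HOST_MAC, "10.10.10.100", "00:00:00:00:00:00", GATEWAY_IP, 1),
    build_arp(GATEWAY_MAC, GATEWAY_IP, HOST_MAC, "10.10.10.100", 2),
    build_arp(ATTACKER_MAC, GATEWAY_IP, HOST_MAC, "10.10.10.100", 2),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_CAPTURE, {GATEWAY_IP: GATEWAY_MAC}):
        print("ALERT:", alert)
```

The static-binding check covers the small-network defense from the previous slide without having to hard-code entries on every host: the monitor holds the known gateway binding and flags any frame that contradicts it.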
![Page 103: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/103.jpg)
IP Options
IP options enhance the IP protocol:
Security
Stream Identification
Internet Timestamp
Loose Source Routing
Strict Source Routing
Record Route
These are security risks.
![Page 104: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/104.jpg)
IP Route Options
Loose Source Routing specifies a route that includes a list of required nodes.
Strict Source Routing specifies the beginning of a route (up to 9 nodes) completely.
Record Route does not alter the routing but requires that all nodes are recorded.
![Page 105: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/105.jpg)
Detecting IP Source Routing
The IP header is larger than 20B, i.e. the header-length nibble is greater than 5.
The IP option field has a hex value of:
83: loose source routing
89: strict source routing
Filter (tcpdump/BPF syntax):
ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89)
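The slide's byte test looks only at the first option byte, so a source-route option preceded by a NOP (0x01) would slip past it. The added example below (not from the lecture) implements the slide's filter literally and, next to it, a parser that walks the whole option list the way a forensic tool should. The packets are constructed test data and the addresses are assumptions.

```python
import struct

LSRR, SSRR, RR = 0x83, 0x89, 0x07          # IPv4 option type bytes
OPT_NAMES = {LSRR: "loose source routing", SSRR: "strict source routing", RR: "record route"}

_ip = lambda s: bytes(int(x) for x in s.split("."))


def build_ipv4(src, dst, options=b"", payload=b""):
    """Build an IPv4 header with raw options (constructed test data).
    Options are padded with EOL (0x00) to a 32-bit boundary; checksum left zero."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len,
                      0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return hdr + options + payload


def source_route_option(hops, strict=False):
    """Encode an LSRR/SSRR option: type, length, pointer (starts at 4), then hop addresses."""
    addrs = b"".join(_ip(h) for h in hops)
    return bytes([SSRR if strict else LSRR, 3 + len(addrs), 4]) + addrs


def slide_filter(pkt):
    """The slide's check: ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89)."""
    return (pkt[0] & 0x0f) > 5 and pkt[20] in (LSRR, SSRR)


def find_source_route(pkt):
    """Walk every IPv4 option; return (option name, [hop addresses]) or None.
    Handles single-byte EOL/NOP options and stops on malformed lengths."""
    ihl = pkt[0] & 0x0f
    if ihl <= 5 or len(pkt) < ihl * 4:
        return None
    opts = pkt[20:ihl * 4]
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                         # EOL: nothing follows
            break
        if t == 1:                         # NOP: single byte, used for alignment
            i += 1
            continue
        if i + 1 >= len(opts):             # truncated option
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # malformed length
            break
        if t in (LSRR, SSRR):
            data = opts[i + 3:i + length]  # skip type, length, pointer
            hops = [".".join(str(b) for b in data[j:j + 4])
                    for j in range(0, len(data) - len(data) % 4, 4)]
            return (OPT_NAMES[t], hops)
        i += length
    return None


# Constructed packets: plain, LSRR first, LSRR behind a NOP, and SSRR.
PLAIN = build_ipv4("10.0.0.1", "10.0.0.2")
LOOSE = build_ipv4("10.0.0.1", "10.0.0.2", source_route_option(["10.0.0.5", "10.0.0.9"]))
NOP_LOOSE = build_ipv4("10.0.0.1", "10.0.0.2", b"\x01" + source_route_option(["10.0.0.5", "10.0.0.9"]))
STRICT = build_ipv4("10.0.0.1", "10.0.0.2", source_route_option(["10.0.0.7"], strict=True))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("lsrr", LOOSE), ("nop+lsrr", NOP_LOOSE), ("ssrr", STRICT)]:
        print(f"{name:9} slide_filter={slide_filter(pkt)!s:5} parser={find_source_route(pkt)}")
```

The `ip[20]` filter remains a useful quick triage on a capture; the option walker is what to run when the result has to hold up, since it also recovers the hop list that tells you which trusted host the traffic was routed through.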
![Page 106: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/106.jpg)
Source Route Exploit
Spoofing host requires source routing through a host trusted by the victim.
Victim decides that the traffic comes from a trusted host.
Therefore: firewalls need to disable source-routing or network admin needs to disable trust relationships.
![Page 107: COEN 252 Computer Forensics](https://reader036.vdocuments.site/reader036/viewer/2022062321/56814003550346895dab3b10/html5/thumbnails/107.jpg)
Internet Group Management Protocol (IGMP)
Defined by RFC 1112. IGMP messages use IP protocol 2.
IGMP messages are used to join and leave multicast groups.