Posted 04-Jan-2016 (transcript of lecture slides)

Page 1: Session Layer Security Lecture 6 Supakorn Kungpisdan supakorn@mut.ac.th

Session Layer Security

Lecture 6

Supakorn Kungpisdan, supakorn@mut.ac.th


NETE4630 Advanced Network Security and Implementation 2

Outline

• Introduction
• SYN Attack
• Session Hijacking
• DNS Poisoning
• SSH Downgrade Attack
• Authentication Techniques and Attacks


Introduction

The session layer provides a set of features that contribute to the reliability and usefulness of modern network communications:
• Session checkpoint
• Session adjournment
• Session termination
• Half- and full-duplex operations


Session Checkpoint

TCP acknowledgement (ACK) segments are passed between hosts to identify the last data that was received

TCP may delay an ACK (delayed ACK) until either a short timer expires or enough further segments have arrived; in practice an ACK is sent at least for every second full-sized segment

This delay increases the efficiency of the protocol and establishes checkpoints

At any point, TCP can resume transmission from the previous checkpoint if a delivery failure occurs


Session Adjournment

TCP sessions may be adjourned by setting the TCP window to 0 bytes. This informs the sending host that no buffer is available to hold transmitted data and halts communication without losing the connection (the sender probes the zero window periodically until it opens again)


Session Termination

TCP provides a means for session termination: graceful and immediate

Graceful termination occurs by setting the finish (FIN) flag, which is subsequently acknowledged by the recipient (each direction is closed separately)

Immediate termination occurs by using packets with the reset (RST) flag set


Half- and Full-Duplex Operations

• While TCP operates at full duplex, the session layer allows for both full- and half-duplex operations


Attacking the Session Layer

Attacks rely primarily on abuses of the TCP and IP headers:
• TCP flags
• Sequence and acknowledgement numbers

Newer attacks may focus on higher-layer protocols:
• Session Initiation Protocol (SIP)
• Session Description Protocol (SDP)


SYN (Flood) Attack

Using only legitimate TCP functions, an attacker with a small number of hosts can mount a DoS that saturates a corporation's bandwidth

The server has to allocate resources (processor time and buffers) to handle each connection

A large number of hosts can use this to great effect when attacking a web site


SYN Attack (cont.)

From an attacker's perspective, opening complete connections is less than ideal:
1. Creating multiple connections is extremely inefficient: every established connection consumes a lot of resources on the server and on the attacking client
2. This kind of attack is not anonymous
3. Many servers limit the number of connections they will accept from a single host


SYN Attack with hping3

The hping3 tool provides a simple means of producing crafted packets. Sending a single SYN packet to port 6666 on the victim server:

$ hping3 -c 1 -p 6666 -S 10.10.1.9

-c sets the packet count, -p the destination port and -S the SYN flag. In this case the attacking machine's own IP is the source IP.


SYN Attack with hping3 (cont.)

However, with the attacker's real source address the attack defeats itself: any TCP stack that receives an unsolicited SYN/ACK answers with an RST, and that RST releases the half-open entry on the server

The solution is to spoof the source IP address:

$ hping3 -c 1 -a 10.12.250.250 -p 6666 -S 10.1.1.9

-a sets the spoofed source address.

SYN Attack with hping3 (cont.)

The target retransmits the SYN/ACK to the spoofed source until the half-open connection times out; nothing answers, so no RST arrives to clear it

Note on SYN Attack

Careful selection of the spoofed IP is necessary for a successful DoS attack: an address that is in use will answer the SYN/ACK with an RST and free the server's entry

The most reliable way to ensure delivery of a spoofed packet is to select an unused IP on the same subnet as the attacking host, so that it passes egress filtering and upstream routing unchanged

On the defending side, modern stacks counter this with SYN cookies (Linux: net.ipv4.tcp_syncookies = 1), which avoid allocating state for half-open connections


Reflective Attack

A variation of the SYN attack: send a large number of SYN packets to a web server with the source IP spoofed as the victim's IP

The web server responds to the SYN packets with a flood of SYN/ACKs back to the spoofed victim's address

[Figure: attacker -> web server: SYN (source = victim); web server -> victim: SYN, ACK]

Page 16: Session Layer Security Lecture 6 Supakorn Kungpisdan supakorn@mut.ac.th

Session Hijacking

Session hijacking takes advantage of the fact that most communications are protected (by providing credentials) at session setup, but not thereafter.

These attacks generally fall into three categories:
• Man-in-the-middle (MITM)
• Blind hijacking
• Session theft


Ref: http://technet.microsoft.com/en-us/magazine/cc160809(TechNet.10).aspx

Page 17: Session Layer Security Lecture 6 Supakorn Kungpisdan supakorn@mut.ac.th

MITM Attacks

The attacker intercepts all communications between two hosts. With communications between a client and server now flowing through the attacker, he or she is free to modify their content.

Protocols that rely on the exchange of public keys to protect communications are often the target of these attacks: an attacker who substitutes his own key during the exchange goes unnoticed unless the keys are authenticated.

[Figure: Bob <-> Evan <-> Alice]


Blind Hijacking

An attacker injects data such as malicious commands into intercepted communications between two hosts, for example "net localgroup administrators EvilAttacker /add".

This is called blind hijacking because the attacker can only inject data into the communications stream, but cannot see the response to that data (such as "The command completed successfully.")

Essentially, the blind hijack attacker is shooting data in the dark, but this method is still very effective


Session Theft Attacks

Attacker neither intercepts nor injects data into existing communications between two hosts.

Instead, the attacker creates new sessions or uses old ones.

This type of session hijacking is most common at the application level, especially Web applications.

Hijacking A TCP Session

[Figure: a TCP session between Bob and Alice: session establishment (three-way handshake) followed by data transfer]


Hijacking A TCP Session (cont.)

If the attacker wants to inject data into the TCP session as the client, he or she needs to:
• Spoof the client's IP address
• Determine the sequence number that the server currently expects from the client (and a plausible acknowledgement number)
• Inject the data before the client sends its next packet

For the third, the attacker can simply send the data and hope it arrives before the real client's next segment, or keep the client quiet with a DoS attack, or take the client's place on the LAN with ARP spoofing

Hijacking A TCP Session (cont.)

[Figure: Evan listens to the seq and ack numbers exchanged between Bob and Alice, then injects a segment carrying the expected seq/ack]

Blind Injection

When the client receives the ACK packet, it will be confused, either because it did not send any data or because the next expected sequence is incorrect.


Hijacking A TCP Session (cont.)

Maybe the attacker sends something "nice" like "mv `which emacs` /vmunix && shutdown -r now" rather than a single character

The confusion between the two real endpoints (each acknowledging data the other never sent) can turn into a TCP ACK storm, which can disrupt a network

Attackers can automate session hijacking with tools such as Juggernaut, Hunt, and Ettercap


Hijacking A UDP Session

Attackers do not have to worry about managing sequence numbers and the other TCP mechanisms.

Since UDP is connectionless, injecting data into a session without being detected is extremely easy: a datagram that reaches the victim before the legitimate reply is simply accepted, as only the source address and port have to match


DNS queries, online games like the Quake series and Half-Life, and peer-to-peer sessions are common protocols that work over UDP; all are popular targets for this kind of session hijacking


Determining Susceptibility

One way to check whether your network is vulnerable to session hijacking is to hijack actual network sessions using common attacker tools, e.g. Juggernaut or Hunt (and now Ettercap)

Alternatively, find out whether you are using protocols that carry sessions without cryptographic protection

Protocols such as Telnet and FTP are extremely susceptible to hijacking when not protected inside encrypted tunnels

The countermeasure is to use SSL/TLS, SSH or IPsec, which authenticate every segment rather than only the session setup


Tricks and Techniques

• TCP ACK Storm
• ARP Table Modification
• TCP Resynchronizing
• Remotely Modifying Routing Table


TCP ACK Packet Storm


If neither the attacker nor the client explicitly closes the session, the storm will likely stop itself eventually when ACK packets are lost in the storm.

As the attacker injects more and more data, the size of the ACK storm increases and can quickly degrade network performance.


ARP Table Modification

[Figure: ARP table modification: the victim broadcasts a request to find the owner of an IP address; the attacker sends a spoofed reply with his own MAC address]


ARP Table Modification (cont.)

[Figure: ARP table modification used to stop the TCP ACK storm by steering the victims' segments to the attacker instead of to each other]


TCP Resynchronizing

To hide his/her tracks, an attacker who is finished session hijacking might want to resynchronize the communicating hosts.

The problem is that, after the attack, the two hosts whose session was hijacked will be at different points in the session (different seq and ack numbers). The server might think that it is 40 bytes into the session when the client has sent only 29 bytes.


TCP Resynchronizing (cont.)

Since sequence numbers move only in a positive direction, it is not possible to manipulate the server so that its expected sequence number moves downward to match the client's sequence number. The client has to be made to send the missing bytes instead.

Tools like Hunt try to solve this problem by sending the client a message such as

msg from root: power failure - try to type 13 chars

so that the user's own keystrokes advance the client's sequence number by the gap the injected data created.
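The sequence-number bookkeeping behind the three slides above (crafting the injected segment, the ACK storm it triggers, and the resynchronisation Hunt attempts) as an added worked example; this is not code from the lecture or from Hunt. It is a simulation of two endpoints' seq/ack state, not a packet sender: the endpoints, the initial sequence numbers and the injected payload are constructed, and the receive rule is simplified (a segment is either exactly in order or dropped; partial overlaps, which a real stack would trim, are not modelled).

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    snd_nxt: int   # next sequence number this side will put on the wire
    rcv_nxt: int   # next sequence number this side expects from its peer


@dataclass
class Segment:
    src: str
    seq: int
    ack: int
    payload: bytes = b""


def craft_injection(client, server, payload):
    """The attacker's view after sniffing seq/ack numbers (Evan in the figure):
    to be accepted as Bob, the spoofed segment must carry exactly the seq the
    server expects from Bob next, and an ACK that covers the server's own seq."""
    if client.snd_nxt != server.rcv_nxt:
        raise ValueError("session not in sync; wait for the next exchange")
    return Segment(src=client.name, seq=server.rcv_nxt, ack=server.snd_nxt, payload=payload)


def receive(receiver, seg):
    """Simplified receive rule (RFC 793 trimmed to what matters here): an
    in-order segment is consumed and acknowledged; anything else is dropped
    and answered with an ACK restating what the receiver expects.  That reply
    is what feeds an ACK storm.  Returns (accepted, ack_segment)."""
    if seg.seq == receiver.rcv_nxt:
        receiver.rcv_nxt += len(seg.payload)
        return True, Segment(receiver.name, receiver.snd_nxt, receiver.rcv_nxt)
    return False, Segment(receiver.name, receiver.snd_nxt, receiver.rcv_nxt)


def ack_acceptable(endpoint, seg):
    """An ACK for bytes this side has not sent yet is unacceptable; the host
    answers it with its own ACK instead of consuming it (storm ingredient)."""
    return seg.ack <= endpoint.snd_nxt


def hijack(client, server, injected):
    """Inject as the client.  Returns (accepted, server's ACK, desync in bytes)."""
    accepted, ack = receive(server, craft_injection(client, server, injected))
    return accepted, ack, server.rcv_nxt - client.snd_nxt


def real_client_sends(client, server, data):
    """The legitimate client, unaware of the injection, keeps counting from its
    own snd_nxt: to the server these bytes are old data and are dropped, but
    they still advance the client's sequence number."""
    accepted, _ = receive(server, Segment(client.name, client.snd_nxt, client.rcv_nxt, data))
    client.snd_nxt += len(data)
    return accepted


def resync_chars_needed(client, server):
    """Sequence numbers only move forward, so the server cannot be walked back;
    the client must be coaxed into sending this many bytes (Hunt's
    'try to type N chars')."""
    return server.rcv_nxt - client.snd_nxt
```

With Bob at seq 1001 and Alice expecting 1001, injecting the three bytes "id\n" leaves Alice expecting 1004 while Bob still intends to send 1001: Alice's ACK (1004) acknowledges bytes Bob never sent, Bob's next segment at 1001 is dropped, and only after Bob has sent three more bytes of his own do the two sides agree again.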


Remotely Modifying Routing Table

An attacker who wants to hijack a session wants all communications between a client and server routed through him or her, making it easy to monitor, modify and inject data into the session, as in MITM attacks.

One way to modify a host's routing table remotely is to forge ICMP Redirect (type 5) packets that advertise the attacker as the gateway to use for the destination.

To protect Windows hosts from forged ICMP redirects, set the EnableICMPRedirect value to 0 under the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. On Linux the equivalent is net.ipv4.conf.all.accept_redirects = 0 (and secure_redirects = 0).


DNS Poisoning

A more common example of session hijacking is DNS poisoning

DNS poisoning convinces a DNS server (or a resolver's cache) that a hostname resolves to an arbitrary IP address, so the victim's subsequent sessions go to the attacker's host


DNS Resolution

[Figure: DNS resolution, steps 1-6, from the client through the local (caching) nameserver to the canonical nameserver and back]

The client does not query the canonical nameserver itself; the local nameserver resolves on its behalf and caches the answer for efficiency


DNS Poisoning (cont.)

[Figure: DNS poisoning, steps 1-6: the attacker's nameserver answers the local nameserver's query, and the client is sent to a spoofed web server]


DNS Poisoning (cont.)

Implementing DNS poisoning is difficult:
• Each DNS query carries a 16-bit (2-byte) identification field that lets responses be matched to queries
• An attacker guessing blind has a 1 in 65,536 (2^16) chance per forged response of hitting the correct identification value
• Normally an attacker needs to sniff the identification number of the query in order to spoof a response successfully
• Since the 2008 Kaminsky attack, resolvers also randomise the UDP source port of each query, so a blind attacker has to guess the port as well as the ID


DNS Message Format
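The message format this slide shows and the matching rule from the previous slide, as an added example (not from the lecture, and not a real resolver): it builds a query and an A-record answer in wire format, parses them back, and applies the checks a resolver must make before caching a response. The names and addresses reused from the Ettercap figure below, the transaction ID 0x1234 and the port numbers are constructed inputs.

```python
import struct


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def _decode_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), (end if jumped else off)


def build_query(txid: int, name: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD set, one question
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)   # type A, class IN


def build_answer(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR, RD, RA; one answer
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def parse(msg: bytes) -> dict:
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = _decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        rname, off = _decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((rname, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "qr": bool(flags & 0x8000),
            "question": (qname, qtype, qclass), "answers": answers}


def accept_response(query: bytes, query_port: int, response: bytes, response_port: int) -> bool:
    """What a resolver checks before caching: the packet is a response, its
    16-bit ID matches the outstanding query, it arrived on the port the query
    left from (source-port randomisation), and the question section is the one
    we asked.  A forger who cannot sniff has to guess all of it."""
    q, r = parse(query), parse(response)
    return (r["qr"] and r["txid"] == q["txid"] and query_port == response_port
            and r["question"] == q["question"])


def blind_success_probability(forged_responses: int, port_randomised: bool) -> float:
    """Chance that at least one of N forged responses matches: 16 bits of ID
    alone, roughly 32 bits once the source port is random as well."""
    space = 2 ** 16 * (2 ** 16 if port_randomised else 1)
    return 1 - (1 - 1 / space) ** forged_responses
```

A single forged answer with the wrong ID, the wrong question, or arriving on the wrong port is discarded; sniffing the query removes the guesswork entirely, which is why the Ettercap attack that follows sits on the LAN rather than guessing from outside.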


DNS Poisoning with Ettercap

[Figure: Evan poisons Bob's DNS: the query for www.it.kmitl.ac.th (real address 161.246.38.35) is answered with 203.148.145.240, the address of www.msne.mut.ac.th]


DNS Poisoning with Ettercap

[Screenshots: Ettercap DNS poisoning walkthrough, steps 1-10; steps 9-10 edit the etter.dns file that maps hostnames to the attacker's addresses]


SSL Spoofing with Ettercap

[Figure: SSL MITM: Bob opens https://www.paypal.com; his traffic is redirected to Evan's host (www.mut.ac.th), which terminates one SSL session under the look-alike name www.paypall.com and opens a second SSL session to the real Paypal.com]


SSH Downgrade Attack

SSH is the best-known example of a downgrade attack, in which the attacker forces client and server onto the insecure SSH-1 protocol.

The client connects to the server and reads the version string it sends:
• ssh-2.xx  The server sup­ports only SSH-2
• ssh-1.99  The server supports SSH-1 and SSH-2
• ssh-1.51  The server supports only SSH-1 (a genuine SSH-1-only server sends 1.5; 1.51 is the string the Ettercap filter below substitutes)

The attack only works against a server that supports both SSH-1 and SSH-2: the attacker rewrites the server's "1.99" banner in transit, and the client, believing the server is SSH-1 only, falls back to SSH-1.


Ref: http://openmaniak.com/ettercap_filter.php


SSH Downgrade Attack with ettercap

1. Configure the SSH server to support SSH-1 and SSH-2
   # apt-get install openssh-server
   # vim /etc/ssh/sshd_config
     Protocol 1,2

2. Create an SSH-1 host key pair
   # ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""

3. Add the key path to sshd_config:
   HostKey /etc/ssh/ssh_host_key

4. Connect with telnet to port 22 to check that the server advertises SSH-1
   # telnet server_ip_address 22
   Trying server_ip_address...
   Connected to server_ip_address.
   Escape character is '^]'.
   SSH-1.99-OpenSSH_4.6p1 Debian-5ubuntu0.1


Client’s PuTTY Screen


Version 2 is preferred but not restricted


Ettercap Filter


SSH Downgrade Attack Filter


/usr/share/ettercap/etter.filter.ssh

The filter matches server-to-client traffic from TCP port 22 and replaces the string "SSH-1.99" in the banner with "SSH-1.51".


Compiling the Filter


Loading the Compiled Filter


SSH Downgrade Attack Result


Avoiding SSH Downgrade Attack

Never enable SSH-1, on the server or on the client. In /etc/ssh/sshd_config:

Protocol 2

Then verify from outside that the banner has changed:

# telnet server_ip_address 22
Trying server_ip_address...
Connected to server_ip_address.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1

(OpenSSH 7.4 removed SSH-1 from sshd altogether, so on current servers the directive is no longer needed; the banner check still tells you what an old server will negotiate.)
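The banner check from the setup steps, the rewrite the Ettercap filter performs, and the sshd_config audit from this slide, as an added example (not code from the lecture or from Ettercap). The two banner strings are the ones printed above; grab_banner() is the scripted equivalent of the telnet check and needs network access, while everything else runs offline.

```python
import re
import socket

BANNER = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def classify_banner(banner: str) -> str:
    """Map the identification string to what the server will negotiate."""
    m = BANNER.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    proto = m.group("proto")
    if proto == "1.99":
        return "ssh1+ssh2"        # compatibility mode: a client can be talked down to SSH-1
    if proto.startswith("2."):
        return "ssh2-only"
    return "ssh1-only"            # 1.5, 1.3, or the 1.51 the filter writes


def is_downgradeable(banner: str) -> bool:
    return classify_banner(banner) == "ssh1+ssh2"


def mitm_rewrite(banner: str) -> str:
    """What etter.filter.ssh does to the server's banner in flight: the client
    then believes the server speaks SSH-1 only and falls back to it."""
    return banner.replace("SSH-1.99", "SSH-1.51")


def sshd_config_allows_ssh1(config_text: str):
    """True/False from the Protocol directive, or None if it is absent (then the
    compiled-in default applies and the live banner is the thing to check)."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.lower().startswith("protocol"):
            versions = {v.strip() for v in line.split(None, 1)[1].split(",")}
            return "1" in versions
    return None


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Live check equivalent to 'telnet server 22': read the first line the server sends."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").split("\r\n", 1)[0]
```

A "1.99" banner is the precondition for the attack; after the filter's rewrite the same server looks SSH-1-only to the client, and a "2.0" banner (Protocol 2 in sshd_config) gives the filter nothing to match.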

Avoiding SSH Downgrade Attack (cont.)

[Screenshot: SSH client settings restricting the protocol to version 2 only]


Authentication

Two main categories of authentication: Synchronous and asynchronous authentication protocols

Synchronous authentication protocols provide credentials at the start of the authentication process

Asynchronous authentication involves a challenge-response model


Password Authentication Protocol

Password Authentication Protocol (PAP) is one of the least secure authentication protocols used by PPP
• Username and password are sent in cleartext (ASCII) to the authentication server after the link has been established
• Used as a last resort when the remote server does not support a stronger authentication protocol such as CHAP or EAP
• Both peers negotiate the strongest method they share: EAP first, then CHAP, then PAP


Challenge Handshake Authentication Protocol

[Figure: CHAP: the server sends a random challenge; the client prompts "Enter password" and returns h(password, challenge) (in CHAP proper, MD5 over the identifier, the shared secret and the challenge); the server computes the same hash value and compares]

LM challenge/response

LM hash (from the diagram):
  K1 = uppercase(password[1..7]), K2 = uppercase(password[8..14]), each NUL-padded to 7 bytes and used as a 56-bit DES key
  LM_hash[1..8]  = DES(K1, "KGS!@#$%")
  LM_hash[9..16] = DES(K2, "KGS!@#$%")
  The "magic word" KGS!@#$% is a fixed plaintext; there is no salt, and a password of 7 or fewer characters leaves K2 all zeros, so LM_hash[9..16] is always AAD3B435B51404EE

Ref: Cracking NTLMv2 Authentication

LM challenge/response (cont.)

LM response to the 8-byte challenge:
  LM_hash[1..16] || 00 00 00 00 00 gives 21 bytes, split into three 7-byte DES keys
  LM_response[1..8]   = DES(LM_hash[1..7],   challenge)
  LM_response[9..16]  = DES(LM_hash[8..14],  challenge)
  LM_response[17..24] = DES(LM_hash[15..21], challenge)
  The third key contains only two unknown bytes (LM_hash[15..16]), so it can be brute-forced with 2^16 DES operations, which reveals the last two bytes of the hash

Ref: Cracking NTLMv2 Authentication


NT Lan Manager v1 (NTLMv1)

[Figure: NTLMv1: the server sends an 8-byte random number as the challenge; the client prompts "Enter password" and returns R1, R2; the server recomputes and compares the hash values]


NTLMv1 (cont.)

The user password and the challenge are used to calculate both the LANMAN hash and the MD4 (NT) hash:
  C = 8-byte random challenge
  Hash1 = MD4(unicode(password))
  {K1, K2, K3} = {Hash1, 5-byte-0s}          (21 bytes split into three 7-byte DES keys)
  R1 = DES(K1, C), DES(K2, C), DES(K3, C)
  Hash2 = LM-hash(password)
  {K4, K5, K6} = {Hash2, 5-byte-0s}
  R2 = DES(K4, C), DES(K5, C), DES(K6, C)

The client sends {R1, R2} as its response to the server


NTLM 2 Authentication

NTLMv2 (from the diagram):
  NT_hash        = MD4(unicode(password))
  NTLMv2_hash    = HMAC_MD5(key = NT_hash, unicode(uppercase(account name) + domain_or_hostname))
  NTLMv2Response = HMAC_MD5(key = NTLMv2_hash, server_challenge + client_challenge)

Ref: Cracking NTLMv2 Authentication


LM, NTLMv1, NTLMv2

                          LM                     NTLMv1                 NTLMv2
Password case sensitive   No                     Yes                    Yes
Hash key length           56bit + 56bit          -                      -
Password hash algorithm   DES (ECB mode)         MD4                    MD4
Hash value length         64bit + 64bit          128bit                 128bit
C/R key length            56bit + 56bit + 16bit  56bit + 56bit + 16bit  128bit
C/R algorithm             DES (ECB mode)         DES (ECB mode)         HMAC_MD5
C/R value length          64bit + 64bit + 64bit  64bit + 64bit + 64bit  128bit

Ref: Cracking NTLMv2 Authentication
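The NT hash and the NTLMv2 exchange from the two preceding slides, carried through in code as an added example (not from the lecture, and not a wire-compatible NTLM implementation). MD4 is written out because hashlib's md4 depends on OpenSSL's legacy provider and is often missing. The response follows the slide's simplified form, HMAC_MD5 over server_challenge + client_challenge; the real protocol wraps the client challenge in a blob with a timestamp and target information, which is an assumption dropped here. The user name, domain and challenges in the test are constructed; the expected NT hash is the one the pwdump slide shows for the users remote and joeuser.

```python
import hashlib
import hmac
import struct


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python.  NT hashes are nothing more than MD4 of
    the UTF-16LE password: no salt, no iteration."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                   # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & 0xFFFFFFFF, (b0 + b) & 0xFFFFFFFF,
                          (c0 + c) & 0xFFFFFFFF, (d0 + d) & 0xFFFFFFFF)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 over the UTF-16LE password, case-preserving."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """HMAC-MD5 keyed with the NT hash over uppercase(user) + domain in UTF-16LE.
    It ties the response to an account, but whoever holds the NT hash can
    compute it without the password (the basis of pass-the-hash)."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(password: str, user: str, domain: str,
                    server_challenge: bytes, client_challenge: bytes) -> bytes:
    """Client side in the slide's simplified form: proof || client_challenge.
    (Assumption: no timestamp/target-info blob, unlike the real protocol.)"""
    proof = hmac.new(ntlmv2_hash(password, user, domain),
                     server_challenge + client_challenge, hashlib.md5).digest()
    return proof + client_challenge


def verify_ntlmv2(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored NT hash (the server never needs
    the password) and compare in constant time."""
    proof, client_challenge = response[:16], response[16:]
    v2 = hmac.new(stored_nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    expected = hmac.new(v2, server_challenge + client_challenge, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)
```

Two properties worth noticing in the test: the account name is case-folded before it enters the HMAC while the password is not, and a response captured under one server challenge does not verify under another, which is the replay protection the challenge provides (and the reason an attacker who can only sniff has to crack the proof offline).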


Attacks Against Password Hashes

Brute Force Attack
• Iterate through every possible input, hash it, and compare the output with the hash value
• Guaranteed to crack the hash if run long enough

Dictionary Attack
• Iterate through likely passwords and common substitutions of those words
• Not guaranteed to produce results
• E.g. John the Ripper (or John the Ripper Pro, the commercial version), available at http://www.openwall.com/john/


Attacks Against Password Hashes (cont.)

Rainbow Table Attack
• Compute the hashes ahead of time, so that the attacker only has to check his or her table of hashes for the one he or she is trying to crack

Several tools can crack Windows passwords from the SAM (LM and NTLM hashes): RainbowCrack, Ophcrack, John the Ripper, Cain and Abel

RainbowCrack can crack LM, MD5 and Office hashes, among others


Rainbow Table

Rainbow tables are precomputed tables that use reduction functions to trade storage for the time needed to crack a password

The only information stored in the table for each chain is its initial value and its final value

Starting from the initial value, the hash function produces a hash; a reduction function maps that hash back to a plaintext in the key space; that plaintext is hashed again, and so on for the length of the chain


Rainbow Table (cont.)

[Figure: one chain: initial value -> hash function -> reduction function -> hash function -> reduction function -> hash function -> reduction function -> final value]

The rainbow table stores only the first and the last value of each chain


Password Cracking with Rainbow Table

1. Given a hash value, apply the last reduction function to it and look the result up among the stored final values

2. If there is no match, assume the hash sits one column earlier: apply that column's reduction, then hash and reduce through to the end of the chain, and look up again; repeat column by column, then table by table, until a final value matches

3. When a final value matches, take that chain's initial value and recompute the chain until you reach the point where the match occurred

4. The plaintext at that point hashes to the target, so it is the password (a match of final values can also be a false alarm, which the recomputation in step 3 detects)

Password Cracking with Rainbow Table (cont.)

[Figure: rainbow-table lookup example with the intercepted hash "re3xes" and the chain ending in "linux123"]

1. The password hash "re3xes" is intercepted. Applying the reduction to "re3xes" does not reach the final value of any stored chain.

2. Try one column earlier. Now the walk ends in "linux123", the final value of a stored chain.

3. Recompute that chain from its initial value, "password". The chain reaches "re3xes".

So the plaintext whose hash is "re3xes" is "password" (the hash is not decrypted; the chain walk finds a preimage)
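The four-step lookup above and the "re3xes"/"linux123" walk-through, as an added example over a toy key space (this is not RainbowCrack's code). It assumes MD5 as the hash, three-letter lowercase plaintexts, a chain length of 20 and 150 constructed start points; the reduction function mixes in the column index, which is what makes the table a rainbow table rather than a classic Hellman table. The endpoint map keeps a list of starts per endpoint because distinct chains can end in the same value, and every endpoint hit is verified by recomputing the chain, so false alarms are rejected rather than reported.

```python
import hashlib
import itertools
from collections import defaultdict

CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3            # toy key space: 26^3 = 17,576 plaintexts (assumption)
CHAIN_LEN = 20        # hashes computed per chain; not bytes stored


def H(pw: str) -> bytes:
    return hashlib.md5(pw.encode()).digest()


def R(digest: bytes, column: int) -> str:
    """Reduction function for one column: map any 16-byte digest back into the
    key space.  Adding the column index gives each column its own reduction,
    so chains that collide in different columns do not merge."""
    n = int.from_bytes(digest[:8], "big") + column
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def build_chain(start: str) -> str:
    """Walk start -> H -> R_0 -> H -> R_1 ... and return only the final value."""
    pw = start
    for col in range(CHAIN_LEN):
        pw = R(H(pw), col)
    return pw


def build_table(starts):
    """final value -> list of initial values; nothing in between is kept."""
    table = defaultdict(list)
    for s in starts:
        table[build_chain(s)].append(s)
    return table


def lookup(table, target: bytes):
    """Step 1-2: for each column from the last backwards, assume the target
    hash sits there, finish the chain, and look the final value up.
    Step 3-4: on a hit, recompute the chain from its initial value and return
    the plaintext whose hash is the target (or keep going if it was a false alarm)."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target, col)
        for later in range(col + 1, CHAIN_LEN):
            pw = R(H(pw), later)
        for start in table.get(pw, ()):
            cand = start
            for c in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), c)
    return None


# Constructed start points: the first 150 plaintexts of the key space.
STARTS = ["".join(p) for p in itertools.product(CHARSET, repeat=PW_LEN)][:150]
```

Building costs chain_count × chain_len hash operations and stores chain_count pairs; a lookup costs about chain_len²/2 hash operations per table, which is the trade-off the rtgen parameters below expose as chain length and chain count.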


Cracking LM Password with Rainbow Crack

1. Dump the password hashes with samdump, pwdump or fgdump
2. Install RainbowCrack
3. Before cracking, generate the rainbow tables: LM configurations #0 to #6
4. Sort each rainbow table with the rtsort command
5. Crack the password with the rcrack command


Ref: http://www.ethicalhacker.net/content/view/94/24/


Password Hashes from pwdump

testuser1:"":0F20048EFC645D0A179B4D5D6690BDF3:1120ACB74670C7DD46F1D3F5038A5CE8:::

remote:"":E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::

joeuser:"":E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::

averageguy:"":299CCF964D9A359BAAD3B435B51404EE:A5C07214487C87B584E8877DE72DCA0B:::

harderpass:"":B75838F7A57EE67993E28745B8BF4BA6:EC50F8A8149C93EF45AECB8AF96658E6:::

demouser:"":261A6631FE44BA4993E28745B8BF4BA6:371D5760453C1B000BCC016F8E23A83C:::

randy:"":98B5AFEB67293D6AAAD3B435B51404EE:A9F34664151F6360757B31644F37E025:::

Asmith:"":E165F0192EF85EBBAAD3B435B51404EE:E4EBE0E7EF708DC9FD240135D3D43D89:::
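Before spending days on rainbow tables, a practitioner reads what the dump already gives away. The following is an added example (not from the lecture) that parses the eight lines above, embedded verbatim as the sample input, and applies the structural checks that follow from the LM algorithm on the earlier slides: the second LM half AAD3B435B51404EE means the password is at most 7 characters, two users with the same NT hash share a password, and two users with the same second LM half share characters 8 to 14. The finding labels are this example's own.

```python
import re
from collections import defaultdict

EMPTY_LM_HALF = "AAD3B435B51404EE"                  # DES_k("KGS!@#$%") with a 7-NUL key
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"        # MD4 of the empty string

# The pwdump lines from the lecture slide (real user:RID:LM:NT::: layout, "" where the RID was).
SAMPLE = """\
testuser1:"":0F20048EFC645D0A179B4D5D6690BDF3:1120ACB74670C7DD46F1D3F5038A5CE8:::
remote:"":E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::
joeuser:"":E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::
averageguy:"":299CCF964D9A359BAAD3B435B51404EE:A5C07214487C87B584E8877DE72DCA0B:::
harderpass:"":B75838F7A57EE67993E28745B8BF4BA6:EC50F8A8149C93EF45AECB8AF96658E6:::
demouser:"":261A6631FE44BA4993E28745B8BF4BA6:371D5760453C1B000BCC016F8E23A83C:::
randy:"":98B5AFEB67293D6AAAD3B435B51404EE:A9F34664151F6360757B31644F37E025:::
Asmith:"":E165F0192EF85EBBAAD3B435B51404EE:E4EBE0E7EF708DC9FD240135D3D43D89:::
"""

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")


def parse_pwdump(text: str):
    """user:RID:LM:NT::: -> list of dicts.  Lines whose LM field is not a hash
    (e.g. 'NO PASSWORD***' placeholders in some dumps) are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not HEX32.fullmatch(parts[2]) or not HEX32.fullmatch(parts[3]):
            continue
        entries.append({"user": parts[0], "lm": parts[2].upper(), "nt": parts[3].upper()})
    return entries


def audit(entries):
    """user -> list of findings derived purely from hash structure, no cracking."""
    findings = defaultdict(list)
    by_nt, by_lm_tail = defaultdict(list), defaultdict(list)
    for e in entries:
        user, lm, nt = e["user"], e["lm"], e["nt"]
        if lm != EMPTY_LM_HALF * 2:
            findings[user].append("lm-hash-stored")          # case-insensitive, <= 14 chars, DES-crackable
            if lm[16:] == EMPTY_LM_HALF:
                findings[user].append("password<=7-chars")   # only the first DES half to crack
            else:
                by_lm_tail[lm[16:]].append(user)
        if nt == EMPTY_NT:
            findings[user].append("empty-password")
        by_nt[nt].append(user)
    for users in by_nt.values():
        for u in users:
            others = sorted(set(users) - {u})
            if others:
                findings[u].append("same-password-as:" + ",".join(others))
    for users in by_lm_tail.values():
        for u in users:
            others = sorted(set(users) - {u})
            if others:
                findings[u].append("same-chars-8-14-as:" + ",".join(others))
    return dict(findings)
```

On the sample, three accounts have passwords of at most seven characters (one DES half, a few minutes with the LM tables), remote and joeuser share a password (their NT hash is MD4 of "password"), and harderpass and demouser end in the same seven characters, so cracking one account's tail gives the other's.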


Generating Rainbow Table

To generate other configurations, use the rtgen command:

# rtgen lm alpha-numeric 1 7 0 2400 40000000 all
# rtgen lm alpha-numeric 1 7 1 2400 40000000 all
# rtgen lm alpha-numeric 1 7 2 2400 40000000 all
# rtgen lm alpha-numeric 1 7 3 2400 40000000 all
# rtgen lm alpha-numeric 1 7 4 2400 40000000 all


Generating Rainbow Table (cont.)

"1" and "7" are the plaintext length range, so we want passwords from "A" to "ZZZZZZZ". If we had given the range "4-6", "AAAA" and "ZZZZZZ" would be among the key space.

0, 1, 2, 3, 4 are the table numbers; each table uses a different reduction-function index so that the tables cover different parts of the key space.

2400 is the chain length. A longer chain increases the success rate per table without increasing the table size; it computes more hashes per chain but takes longer to create and to search.

40000000 is the chain count of each rainbow table, simply how many chains you want per table. Increasing it produces larger files with higher success rates; the time per chain is unchanged, so total generation time grows in proportion. (The files listed on the later slide, 2100x8000000, come from a run with a shorter chain length and fewer chains.)


Rainbow Table Configuration

[Screenshot: table of LM rainbow table configurations]

Generating Rainbow Table with Winrtgen

Winrtgen (now bundled with Cain and Abel) is a graphical rainbow table generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384) and SHA-2 (512) hashes.

Winrtgen can only generate rainbow tables for LM configuration #0


Generating Rainbow Table with Winrtgen (cont.)


Generating 1 configuration#0 table takes 2 days on P3 1GHz machine


Generating 5 configuration#0 tables take 12 days on P3 1GHz machine


Generating Rainbow Table (cont.)

Each .rt file stores an 8-byte start point and an 8-byte end point per chain, so 8,000,000 chains give 128,000,000 bytes:

128,000,000 bytes    lm_alpha#1-7_0_2100x8000000_all.rt
128,000,000 bytes    lm_alpha#1-7_1_2100x8000000_all.rt
128,000,000 bytes    lm_alpha#1-7_2_2100x8000000_all.rt
128,000,000 bytes    lm_alpha#1-7_3_2100x8000000_all.rt
128,000,000 bytes    lm_alpha#1-7_4_2100x8000000_all.rt

Sort the rainbow table:

# rtsort lm_alpha#1-7_0_2100x8000000_all.rt

# rtsort lm_alpha#1-7_1_2100x8000000_all.rt

# rtsort lm_alpha#1-7_2_2100x8000000_all.rt

# rtsort lm_alpha#1-7_3_2100x8000000_all.rt

# rtsort lm_alpha#1-7_4_2100x8000000_all.rt
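To make the table parameters concrete, here is an added example (editor's code, not part of the lecture or of RainbowCrack) that parses the rtgen-style file names listed above and derives the per-table file size, the alpha 1-7 keyspace, and how many computed chain points the five tables hold per plaintext. The 16 bytes per stored chain and the charset sizes are assumptions.

```python
import re

# Added example (editor's code, not from the lecture or RainbowCrack): parses the
# rtgen-style table names listed above and derives what the parameters imply.
# Name layout: <hash>_<charset>#<min>-<max>_<index>_<chainlen>x<chaincount>_<suffix>.rt
# Assumptions: each stored chain is 16 bytes (8-byte start + 8-byte end point) and the
# charset sizes below match rtgen's alpha (A-Z), alpha-numeric (A-Z,0-9), numeric (0-9).
BYTES_PER_CHAIN = 16
CHARSET_SIZES = {"alpha": 26, "alpha-numeric": 36, "numeric": 10}

NAME_RE = re.compile(
    r"^(?P<hash>[a-z0-9]+)_(?P<charset>[a-z-]+)#(?P<lo>\d+)-(?P<hi>\d+)"
    r"_(?P<index>\d+)_(?P<chain_len>\d+)x(?P<chain_count>\d+)_(?P<suffix>\w+)\.rt$"
)

def parse_table_name(name):
    """Split one .rt file name into its fields; numeric fields become ints."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("not an rtgen-style table name: " + name)
    fields = m.groupdict()
    for key in ("lo", "hi", "index", "chain_len", "chain_count"):
        fields[key] = int(fields[key])
    return fields

def keyspace(charset, lo, hi):
    """Number of plaintexts of length lo..hi over the charset (sum of n**L)."""
    n = CHARSET_SIZES[charset]
    return sum(n ** length for length in range(lo, hi + 1))

def table_set_stats(names):
    """File size per table, keyspace covered, and computed chain points per plaintext."""
    tables = [parse_table_name(n) for n in names]
    first = tables[0]
    space = keyspace(first["charset"], first["lo"], first["hi"])
    # every chain walks chain_len plaintexts, so chain_len * chain_count per table;
    # this is only an upper bound on coverage because chains merge and repeat points
    points = sum(t["chain_len"] * t["chain_count"] for t in tables)
    return {
        "file_bytes": first["chain_count"] * BYTES_PER_CHAIN,
        "keyspace": space,
        "points_per_plaintext": points / space,
    }

# constructed from the listing on the slide above
LISTED_TABLES = ["lm_alpha#1-7_%d_2100x8000000_all.rt" % i for i in range(5)]

if __name__ == "__main__":
    print(table_set_stats(LISTED_TABLES))
```

Run on the five listed names it reproduces the 128,000,000-byte file size shown in the listing, and shows the five tables holding roughly ten computed points per alpha 1-7 plaintext.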


Cracking the Password

C:\rainbowcrack-1.2-win\rainbowcrack-1.2-win>rcrack

RainbowCrack 1.2 - Making a Faster Cryptanalytic Time-Memory Trade-Off

by Zhu Shuanglei < [email protected] >

http://www.antsight.com/zsl/rainbowcrack/

usage: rcrack rainbow_table_pathname -h hash

       rcrack rainbow_table_pathname -l hash_list_file

       rcrack rainbow_table_pathname -f pwdump_file

rainbow_table_pathname: pathname of the rainbow table(s), wildchar(*, ?) supported

-h hash:             use raw hash as input

-l hash_list_file:   use hash list file as input, each hash in a line

-f pwdump_file:      use pwdump file as input, this will handle LAN Manager  hash only

 

example: rcrack *.rt -h 5d41402abc4b2a76b9719d911017c592

         rcrack *.rt -l hash.txt

         rcrack *.rt -f hash.txt


Cracking the Password (cont.)

rcrack c:\rainbowcrack\*.rt -f pwdumpfile.txt

rcrack c:\rainbowcrack\*.rt -l justhashlist.txt

rcrack c:\rainbowcrack\*.rt -h 213D466DB5B288F0F82E44EC0938F4F4

Here pwdumpfile.txt is the output of a hash-dumping utility such as pwdump2, pwdump3 or samdump, used to dump the LAN Manager password hashes.

If your password consists only of letters, rcrack should be able to crack it with a success rate of 99.9%.


Cracking the Password (cont.)


Protecting yourself against RainbowCrack attacks and other password attacks

Limiting physical access
Continue to force the use of special characters
Use ALT-XXX characters in your passwords
Keep up with updates
Use pass phrases
Use multi-factor authentication
Password policy
Use NTLM or NTLMv2


Limiting Physical Access

One common attack, if you have physical access to a machine, is to use a bootable Linux distro to simply boot into Linux and grab the SAM file off the Windows partition.

IronGeek wrote a good tutorial on this method and even has a video you can watch. You can get it here: http://www.irongeek.com/i.php?page=security/localsamcrack2.

Another interesting tool released by Eeye is SysRQ2: http://research.eeye.com/html/tools/RT20060801-8.html.

“SysRq is a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup.”


Continue to force the use of special characters

Although rainbow tables can rip through an LM password containing any type of special character, it still takes a large amount of time (1-2 years) to generate them.

In LC4, brute forcing goes from 9-11 hours for an alphanumeric password to 91 days for passwords that may contain any special character (not including ALT-XXX passwords).


Use ALT-XXX characters in your passwords

ALT characters are produced by holding down the ALT key and pressing a three or four digit number sequence on your keypad.

Most password crackers cannot crack passwords with ALT characters.

Most ALT characters also have the added benefit that passwords that have ALT characters in them cannot be stored as LM hashes.

Using them causes the LM password hash to disappear.


ALT-XXX Characters


Use Passphrases

This is the easiest and simplest way to protect your network from password cracking.

By using pass phrases that are longer than 14 characters AND contain special characters, you can protect yourself from all but the most determined attackers.

If your network is Windows 2000 or above, the maximum length of a password/pass phrase is 127 characters, so the sky’s the limit.

A pass phrase like “This is my Stupid Pass Phrase!” is long enough to be stored as NTLM or NTLMv2, has Uppercase, Lowercase, Spaces, and Special Characters, and is easy to remember.

This is a much more secure password than even “@w3cjd$Beu=mDr”.
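As an added example (editor's code, not from the lecture), the check below applies the LM-hash rules the last three slides describe to a candidate password, the way a password-policy audit would: a password longer than 14 characters, or one containing a character the OEM code page cannot represent (the ALT-XXX case), leaves no LM hash at all, while anything else is hashed as two independent 7-character halves, which is what lets the alpha 1-7 tables cover it. The OEM code page (cp437) and the three charset buckets are assumptions.

```python
# Added example (editor's code, not from the lecture): checks a candidate password
# against the LM-hash rules the slides describe, for password-policy auditing.
# LM upper-cases the password, converts it to the OEM code page, pads it to 14 bytes
# and hashes each 7-byte half separately; a password longer than 14 characters, or
# one containing a character the OEM code page cannot represent (the slides' ALT-XXX
# case), leaves no LM hash at all. Assumption: the OEM code page is cp437.
LM_MAX_LEN = 14
OEM_CODEPAGE = "cp437"

def lm_halves(password):
    """The two 7-byte halves LM would hash, or None when no LM hash is stored."""
    if len(password) > LM_MAX_LEN:
        return None                      # too long: only the NTLM/NTLMv2 hash is kept
    try:
        raw = password.upper().encode(OEM_CODEPAGE)
    except UnicodeEncodeError:
        return None                      # non-OEM (ALT-XXX) character: the LM hash "disappears"
    raw = raw.ljust(LM_MAX_LEN, b"\x00")
    return raw[:7], raw[7:]

def charset_class(password):
    """Bucket the password the way the slides' cracking-time figures do."""
    if password.isascii() and password.isalpha():
        return "alpha"            # slides: rcrack succeeds 99.9% with alpha tables
    if password.isascii() and password.isalnum():
        return "alpha-numeric"    # slides: 9-11 hours of brute force in LC4
    return "special"              # slides: 91 days in LC4, 1-2 years to build tables

def lm_exposure(password):
    """Report whether an LM hash is stored and how many halves carry real characters."""
    halves = lm_halves(password)
    if halves is None:
        return {"lm_hash_stored": False, "charset": charset_class(password),
                "exposed_halves": 0}
    # an all-null half is just LM's hash of the empty string, so it exposes nothing
    exposed = sum(1 for h in halves if h != b"\x00" * 7)
    return {"lm_hash_stored": True, "charset": charset_class(password),
            "exposed_halves": exposed}

if __name__ == "__main__":
    # constructed sample passwords, including the two from the slide above
    for pw in ("secret", "@w3cjd$Beu=mDr", "This is my Stupid Pass Phrase!"):
        print(pw, lm_exposure(pw))
```

The 30-character pass phrase from the slide is reported with no LM hash stored, whereas the 14-character “@w3cjd$Beu=mDr” is stored as two fully populated 7-byte halves.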


Questions?

Next week: Presentation Layer Security