This document discusses various topics in advanced network security including: 1) Ethical hacking and the phases of hacking including reconnaissance, scanning, gaining access, maintaining access, and erasing clues. 2) Denial of service (DoS) attacks and distributed denial of service (DDoS) attacks which aim to disrupt services by overwhelming targets. 3) Buffer overflow attacks which can corrupt or overwrite data when a program attempts to store more data than a buffer can hold.

1. DILLA UNIVERSITY
COLLEGE OF ENGINEERING & TECHNOLOGY
School of Computing & Informatics
M. Sc in Computer Science & Networking
By
Chapter-05
Dr. Ananda Kumar K S M.Tech, Ph.D
Associate Professor, School of Comp & Info
Email: anandgdk@du.edu.et
1
Course Number CN6122
Course Title Advanced Network Security

2. Advanced Network Security
CHAPTER-05
1. Ethical hacking
2. Denial of Service Attacks(DoS)
3. Distributed denial-of-service (DDoS)
4. Buffer-overflow attack
2

3. 1. HACKING
Hacking has been a part of computing for
almost five decades and it is a very broad
discipline, which covers a wide range of topics.
The first known event of hacking had taken
place in 1960 at MIT and at the same time,
the term "Hacker" was originated.
Hacking is the act of finding the possible
entry points that exist in a computer system
or a computer network and finally entering
into them.
3

4. Cont..
 Hacking is usually done to gain unauthorized
access to a computer system or a computer
network, either to harm the systems or to steal
sensitive information available on the computer.
 Hacking is usually legal as long as it is being
done to find weaknesses in a computer or
network system for testing purpose. This sort of
hacking is what we call Ethical Hacking.
 A computer expert who does the act of
hacking is called a "Hacker".
 Hackers are those who seek knowledge, to
understand how systems operate, how they are
designed, and then attempt to play with these
systems.
4

5. Ethical Vs Unethical
5

6. 6

7. Phases of hacking
 Both the auditor and the cracker follow a
logical sequence of steps when conducting a
hacking. These grouped steps are called phases.
 There is a general consensus among the
entities and information security professionals
that these phases are 5 in the following order:
 Crackers Phases : 1-> Reconnaissance 2->
Scanning 3-> Gaining Access 4-> Maintaining
Access 5-> Erasing Clues
Ethical Hacking Phases: 1-> Reconnaissance 2->
Scanning 3-> Gaining Access 4-> Writing Report
5-> Presenting Report
7

8. Cont..
8

9. Cont..
9

10. Reconnaissance
o This is the first step of Hacking. It is also called as
Footprinting and information gathering Phase.
o This is the preparatory phase where we collect as
much information as possible about the target.
o We usually collect information about three groups,
Network, Host, People involved.
There are two types of Footprinting:
Active: Directly interacting with the target to gather
information about the target.
Eg: Using Nmap tool to scan the target
Passive: Trying to collect the information about the target
without directly accessing the target. This involves
collecting information from social media, public
websites etc.
10

11. Scanning
Three types of scanning are involved:
Port scanning: This phase involves scanning the target for
the information like open ports, Live systems, various
services running on the host.
Vulnerability Scanning: Checking the target for
weaknesses or vulnerabilities which can be exploited.
Usually done with help of automated tools
Network Mapping:
Finding the topology of network, routers, firewalls
servers if any, and host information and drawing a
network diagram with the available information.
This map may serve as a valuable piece of information
throughout the hacking process.
11

12. Gaining Access
This phase is where an attacker breaks into
the system/network using various tools or
methods.
After entering into a system, he has to
increase his privilege to administrator level
so he can install an application he needs or
modify data or hide data.
12

13. Maintaining Access
o Hacker may just hack the system to show it
was vulnerable or he can be so mischievous
that he wants to maintain or persist the
connection in the background without the
knowledge of the user.
o This can be done using Trojans, Rootkits or
other malicious files.
o The aim is to maintain the access to the
target until he finishes the tasks he planned to
accomplish in that target.
13

14. Erasing Clues or Clearing Track
o No thief wants to get caught. An intelligent
hacker always clears all evidence so that in the
later point of time, no one will find any traces
leading to him.
o This involves modifying/corrupting/deleting
the values of Logs, modifying registry values
and uninstalling all applications he used and
deleting all folders he created.
14

15. Cont..
 Usually these phases are represented as a
cycle that is commonly called “the circle of
hacking” (see Figure 1) with the aim of
emphasizing that the cracker can continue the
process over and over again.
 Though, information security auditors who
perform ethical hacking services present a slight
variation in the implementation phases like this:
 1-> Reconnaissance 2-> Scanning 3-> Gaining
Access 4-> Writing the Report 5-> Presenting the
Report
In this way, ethical hackers stop at Phase 3 of the
“circle of hacking” to report their findings and
make recommendations to the client.
15

16. TYPES OF HACKING
 When we execute an ethical hacking is
necessary to establish its scope to develop a
realistic schedule of work and to deliver the
economic proposal to the client.
 To determine the project extent we need to
know at least three basic elements: the type of
hacking that we will conduct, the modality and
the additional services that customers would like
to include with the contracted service.
 Depending on where we execute the
penetration testing, an ethical hacking can be
external or internal.
16

17. Cont..
External pentesting
 This type of hacking is done from the Internet
against the client’s public network infrastructure; that
is, on those computers in the organization that are
exposed to the Internet because they provide a public
service.
 Example of public hosts: router, firewall, web
server, mail server, name server, etc.
Internal pentesting
 As the name suggests, this type of hacking is
executed from the customer’s internal network, from
the point of view of a company employee, consultant,
or business associate that has access to the corporate
network.
17

18. Cont..
since studies show that the majority of
successful attacks come from inside the
company.
To cite an example, in a survey conducted on
computer security to a group of businessmen
in the UK, when they were asked “who the
attackers are”, these figures were obtained:
25% external, 75% internal.
18

19. HACKING MODALITIES
 Depending on the information that the
customer provides to the consultant, an ethical
hacking service could be executed in one of three
modes:
o black-box
o gray-box
o white-box
 The method chosen will affect the cost and
duration of the penetration testing audit, since
the lesser the information received, the greater
the time in research invested by the auditor.
19

20. Black box hacking
 This mode is applicable to external testing
only.
 It is called so because the client only gives the
name of the company to the consultant, so the
auditor starts with no information, the
infrastructure of the organization is a “black box”.
 While this type of audit is considered more
realistic, since the external attacker who chooses
an X victim has no further information to start
that the name of the organization that is going to
attack, it is also true that it requires a greater
investment of time and therefore the cost
incurred is higher too.
20

21. Gray box hacking
This method is often used synonymously to
refer to internal pentestings.
Nevertheless, some auditors also called gray-
box-hacking an external test in which the
client provides limited information on public
computers to be audited.
Example: a list of data such as IP address and
type/function of the equipment (router, web-
server, firewall, etc.).
21

22. White box hacking
White-box hacking is also called transparent hacking.
This method applies only to internal pentestings and is
called this way because the client gives complete
information to the auditor about its networks and
systems.
 This means, that besides providing a connection to
the network and configuration information for the NIC,
the consultant receives extensive information such as
network diagrams, detailed equipment audit list
including names, types, platforms, main services, IP
addresses, information from remote subnets, etc.
 Because the consultant avoids having to find out
this information, this kind of hacking usually takes less
time to execute and therefore also reduces costs.
22

23. Additional hacking services
There are additional services that can be
included with an ethical hacking; among the
popular ones are:
• Social engineering
• Wardialing
• Wardriving
• Stolen equipment simulation
• Physical security
23

24. Social engineering
 Social engineering refers to the act of gathering information
through the manipulation of people, it means that the hacker
acquire confidential data using the well known fact that the
weakest link in the chain of information security is the
human component.
 Examples of social engineering: sending fake emails with
malicious attachments, calls to customer personnel
pretending to be a technician from the ISP, visits to company
premises pretending to be a customer in order to place a
keystroke logger (keylogger), etc.
24

25. Wardialing
 Wardialing or war dialing is a technique to
automatically scan a list of telephone numbers,
usually dialing every number in a local area code
to search for modems, computers, bulletin board
systems and fax machines.
 War dialing is a brute-force method of finding
a back door into an organization's network. It is
particularly effective against a perimeter defense.
 Most organizations have telephone numbers
that are within a specified range and begin with
the same prefix.
25

26. Cont..
26

27. wardriving
 The term wardriving is derived from its
predecessor wardialing, but is applied to wireless
networks.
 The hacker strikes up a wireless war from the
vicinity of the client/victim company, usually from his
parked car with a laptop and a signal booster antenna.
 Wardriving is the act of searching for Wi-Fi wireless
networks, usually from a moving vehicle, using a laptop
or smartphone. Software for wardriving is freely
available on the internet.
 Warbiking, warcycling, warwalking and similar use
the same approach but with other modes of
transportation.
27

28. Stolen equipment simulation
 Here the objective is to verify if the
organization has taken steps to safeguard the
confidential information hosted on mobile
devices that belong to key executives.
 The auditor simulates a theft of the device
and uses tools (HW/SW) and his expertise
with the intention of extracting sensitive
information.
 Due to the sensitivity of the operation, we
should always recommend to our customer to
back up the devices prior to the audit.
28

29. Physical security Audit
 Although physical security is considered by
many experts as an independent subject from
ethical hacking, specialized companies can
integrate it as part of the service.
 This type of audit involves difficulties and
risks that you must be aware with the aim of
avoiding situations that endanger those
involved.
29

30. Simple steps that individuals can take to
be more secure:
– Keep your software up to date
– Install antivirus software
– Use public networks carefully
– Backup your data
– Secure your accounts with two-factor
authentication
– Make your passwords long, unique, and strong
– Be suspicious of strange links and attachments
30

31. Steps to secure your computer
• Keep up with system and software security updates.
• Enable a firewall.
• Adjust your browser settings.
• Install antivirus and anti spyware software.
• Password protect your software and lock your
device.
• Encrypt your data.
• Use a VPN.
31

32. Tools for Information Security
• Authentication
• Access Control
• Encryption
• Passwords
• Backup
• Firewalls
• Virtual Private Networks (VPN)
• Physical Security
• Security Policies
32

33. 2. Denial of Service Attacks
• Denial of Service Attack: an attack on a computer or
network that prevents legitimate use of its resources.
• In computing, a denial-of-service attack (DoS attack)
is a cyber-attack in which the perpetrator seeks to
make a machine or network resource unavailable to
its intended users by temporarily or indefinitely
disrupting services of a host connected to the
Internet.
• DoS Attacks Affect:
– Software Systems
– Network Routers/Equipment/Servers
– Servers and End-User PCs
33

34. Classification of DoS Attacks
Attack Affected Area Example Description
Network Level
Device
Routers, IP
Switches,
Firewalls
Ascend Kill II,
“Christmas Tree Packets”
Attack attempts to exhaust hardware resources
using multiple duplicate packets or a software
bug.
OS Level Equipment Vendor
OS, End-User
Equipment.
Ping of Death,
ICMP Echo Attacks,
Teardrop
Attack takes advantage of the way operating
systems implement protocols.
Application
Level Attacks
Finger Bomb(The
repeated at(@)
character causes finger
to consume excessive
CPU and RAM
resources)
Finger Bomb,
Windows NT RealServer
G2 6.0
Attack a service or machine by using an
application attack to exhaust resources.
Data Flood
(Amplification,
Oscillation, Simple
Flooding)
Host computer or
network
Smurf Attack (amplifier
attack)
UDP Echo (oscillation
attack)
Attack in which massive quantities of data are
sent to a target with the intention of using up
bandwidth/processing resources.
Protocol Feature
Attacks
Servers, Client
PC, DNS Servers
SYN (connection depletion) Attack in which “bugs” in protocol are utilized
to take down network resources. Methods of
attack include: IP address spoofing, and
corrupting DNS server cache. Page 34

35. Countermeasures for DoS Attacks
Attack Countermeasure
Options
Example Description
Network Level
Device
Software patches,
packet filtering
Ingress and Egress
Filtering
Software upgrades can fix known bugs and
packet filtering can prevent attacking traffic
from entering a network.
OS Level SYN Cookies, drop
backlog connections,
shorten timeout time
SYN Cookies Shortening the backlog time and dropping
backlog connections will free up resources.
SYN cookies proactively prevent attacks.
Application Level
Attacks
Intrusion Detection
System
GuardDog, other
vendors.
Software used to detect illicit activity.
Data Flood
(Amplification,
Oscillation, Simple
Flooding)
Replication and Load
Balancing
Akami/Digital
Island provide
content distribution.
Extend the volume of content under attack
makes it more complicated and harder for
attackers to identify services to attack and
accomplish complete attacks.
Protocol Feature
Attacks
Extend protocols to
support security.
IETF standard for
itrace, DNS SEC
(Internet
Engineering Task
Force)
Trace source/destination packets by a means
other than the IP address (blocks against IP
address spoofing). DNSSEC would provide
authorization and authentication on DNS
information.
Page 35

36. 3. Distributed Denial-of-service (DDoS)
 A distributed denial-of-service (DDoS) attack is a
malicious attempt to disrupt the normal traffic of a
targeted server, service or network by overwhelming
the target or its surrounding infrastructure with a flood
of Internet traffic.
 DDoS attacks achieve effectiveness by utilizing
multiple compromised computer systems as sources of
attack traffic.
 Exploited machines can include computers and
other networked resources such as IoT devices. From a
high level, a DDoS attack is like an unexpected traffic
jam clogging up the highway, preventing regular traffic
from arriving at its destination.
36

37. DDoS Architecture
Client Client
Handler Handler Handler Handler
Agents
37

38. Widely Used DDoS Programs
• Trinoo
• Tribe Flood Network
• TFN2K
• stacheldraht (barbed wire)
38

39. 4. What is Buffer Overflow
o A buffer is a temporary area for data
storage. When more data (than was originally
allocated to be stored) gets placed by a
program or system process, the extra data
overflows.
o It causes some of that data to leak out into
other buffers, which can corrupt or overwrite
whatever data they were holding.
39

40. 40
Cont..
• A buffer overflow, or buffer overrun, is an anomalous
condition where a process attempts to store data beyond the
boundaries of a fixed-length buffer.
• The result is that the extra data overwrites adjacent memory
locations.
• The overwritten data may include other buffers, variables and
program flow data, and may result in erratic program behavior,
a memory access exception, program termination (a crash),
incorrect results or ― especially if deliberately caused by a
malicious user ― a possible breach of system security.
• Most common with C/C++ programs

41. Buffer-overflow attack
o In a buffer-overflow attack, the extra data
sometimes holds specific instructions for
actions intended by a hacker or malicious
user; for example, the data could trigger a
response that damages files, changes data or
unveils private information.
o Attacker would use a buffer-overflow
exploit to take advantage of a program that is
waiting on a user’s input.
41

42. Types of buffer overflows
There are two types of buffer overflows:
stack-based and heap-based.
o Heap-based, which are difficult to execute
and the least common of the two, attack an
application by flooding the memory space
reserved for a program.
o Stack-based buffer overflows, which are more
common among attackers, exploit applications
and programs by using what is known as a stack:
memory space used to store user input.
42

43. 43
What is needed to understand Buffer Overflow
• Understanding C functions and the stack.
• Some familiarity with machine code.
• Know how systems calls are made.
• The exec() system call.
• Attacker needs to know which CPU and OS are running on the
target machine.
– Our examples are for x86 running Linux.
– Details vary slightly between CPU’s and OS:
• Stack growth direction.
• big endian vs. little endian.

44. Buffer Overflow Example
44

45. 45
Some unsafe C lib functions
strcpy (char *dest, const char *src)
strcat (char *dest, const char *src)
gets (char *s)
scanf ( const char *format, … )
sprintf (conts char *format, … )

46. 46
Preventing Buffer Overflow Attacks
• Use type safe languages (Java)
• Use safe library functions
• Static source code analysis
• Non-executable stack
• Run time checking
• Address space layout randomization
• Detection deviation of program behavior
• Access control

47. References
Reference Text Books:
1. Karig, David and Ruby Lee. Remote Denial of Service
Attacks and Countermeasures, Princeton University
Department of Electrical Engineering Technical
Report CE-L2001-002, October 2001.
2. C.Easttom, Computer Security Fundamentals, Prentice
Hall, May 2005.
3. D. Russell and G.T. Gangemi, Computer Security Basics,
OReilly& Associates, 1991.
4. M. Bishop, Computer Security: Art and Science,
Addison-Wesley, 2002.
5. S. A. Thomas, SSL and TLS Essentials: Securing the Web,
Wiley, 2000.
47

48. THANK YOU
48