Security+ Guide to Network Security Fundamentals, Third Edition
Chapter 4
Network Vulnerabilities and Attacks
Objectives
• Explain the types of network vulnerabilities
• List categories of network attacks
• Define different methods of network attacks
Security+ Guide to Network Security Fundamentals, Third Edition 2
Network Vulnerabilities
• There are two broad categories of network
vulnerabilities:
– Those based on the network transport media
– Those found in the network devices themselves
Media-Based Vulnerabilities
• Monitoring network traffic
– Helps to identify and troubleshoot network problems
– Monitoring traffic can be done in two ways
• Use a switch with port mirroring
– To redirect traffic that occurs on some or all ports to a designated monitoring port on the switch
• Install a network tap (test access point)
– A separate device that can be installed between two network devices, such as a switch, router, or firewall, to monitor traffic
Media-Based Vulnerabilities (continued)
• Just as network taps and protocol analyzers can be used for legitimate purposes
– They also can be used by attackers to intercept and view network traffic
• Attackers can access the wired network in the following ways:
– False ceilings
– Exposed wiring
– Unprotected RJ-45 jacks
Network Device Vulnerabilities
• Weak passwords
– A password is a secret combination of letters and numbers that serves to authenticate (validate) a user by what he knows
– Password paradox
• Lengthy and complex passwords should be used and never written down
• It is very difficult to memorize these types of passwords
– Passwords can be set to expire after a set period of time, and a new one must be created
Network Device Vulnerabilities (continued)
• Characteristics of weak passwords
– A common word used as a password
– Not changing passwords unless forced to do so
– Passwords that are short
– Personal information in a password
– Using the same password for all accounts
– Writing the password down
Network Device Vulnerabilities (continued)
• Default account
– A user account on a device that is created automatically by the device instead of by an administrator
– Used to make the initial setup and installation of the device (often by outside personnel) easier
• Although default accounts are intended to be deleted after the installation is completed, often they are not
• Default accounts are often the first targets that attackers seek
Network Device Vulnerabilities (continued)
• Back door
– An account that is secretly set up without the administrator’s knowledge or permission, that cannot be easily detected, and that allows for remote access to the device
– Back doors can be created on a network device in two ways
• The network device can be infected by an attacker using a virus, worm, or Trojan horse
• A programmer of the software creates a back door on the device
Network Device Vulnerabilities (continued)
• Privilege escalation
– It is possible to exploit a vulnerability in the network device’s software to gain access to resources that the user would normally be restricted from obtaining
Categories of Attacks
• Attack categories
– Denial of service
– Spoofing
– Man-in-the-middle
– Replay attacks
Denial of Service (DoS)
• Denial of service (DoS) attack
– Attempts to consume network resources so that the network or its devices cannot respond to legitimate requests
– DoS attack types:
• SYN flood attack
• Distributed denial of service (DDoS)
• Wireless DoS attack
Denial of Service (DoS) (continued)
• SYN flood attack
(Figures: normal operation of the three-way handshake; SYN flood)
Ref: http://en.wikipedia.org/wiki/SYN_flood
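The figure contrasts a normal three-way handshake with one that never completes, which is what a server under SYN flood shows in its socket table: many connections stuck in the half-open state. The following added example (not from the textbook) parses a constructed sample in the layout of `ss -tan` output and flags local ports with an unusual number of half-open connections; the threshold of 5 and the sample lines are assumptions.

```python
from __future__ import annotations

from collections import Counter, defaultdict

# Constructed sample in the layout of `ss -tan` output; not captured data.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB     0      0      10.0.0.5:80          203.0.113.20:51522
ESTAB     0      0      10.0.0.5:80          203.0.113.21:51530
SYN-RECV  0      0      10.0.0.5:80          198.51.100.7:40001
SYN-RECV  0      0      10.0.0.5:80          198.51.100.8:40002
SYN-RECV  0      0      10.0.0.5:80          198.51.100.9:40003
SYN-RECV  0      0      10.0.0.5:80          198.51.100.10:40004
SYN-RECV  0      0      10.0.0.5:80          198.51.100.11:40005
SYN-RECV  0      0      10.0.0.5:80          198.51.100.12:40006
SYN-RECV  0      0      10.0.0.5:80          198.51.100.13:40007
SYN-RECV  0      0      10.0.0.5:80          198.51.100.14:40008
SYN-RECV  0      0      10.0.0.5:22          203.0.113.40:60010
ESTAB     0      0      10.0.0.5:22          203.0.113.41:60011
"""

HALF_OPEN_THRESHOLD = 5  # assumed alert threshold per local port; tune per host


def parse_sockets(text: str) -> list[tuple[str, str, str]]:
    """Return (state, local_port, peer_address) per socket line, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = local.rsplit(":", 1)[1]   # rsplit keeps IPv6 literals intact
        peer_addr = peer.rsplit(":", 1)[0]
        rows.append((state, local_port, peer_addr))
    return rows


def syn_flood_indicators(rows, threshold: int = HALF_OPEN_THRESHOLD) -> dict[str, dict]:
    """Per local port, count half-open (SYN-RECV) against established sockets and flag floods.

    The signature in the slide's figure is a pile of half-open entries whose
    handshakes never complete, typically spread over many distinct peers.
    """
    half_open: Counter[str] = Counter()
    established: Counter[str] = Counter()
    peers: defaultdict[str, set[str]] = defaultdict(set)
    for state, port, peer in rows:
        if state == "SYN-RECV":
            half_open[port] += 1
            peers[port].add(peer)
        elif state == "ESTAB":
            established[port] += 1
    report = {}
    for port in set(half_open) | set(established):
        report[port] = {
            "half_open": half_open[port],
            "established": established[port],
            "distinct_half_open_peers": len(peers[port]),
            "flagged": half_open[port] >= threshold,
        }
    return report


if __name__ == "__main__":
    for port, stats in sorted(syn_flood_indicators(parse_sockets(SAMPLE_SS_OUTPUT)).items()):
        print(port, stats)
```

On the sample, port 80 is flagged with eight half-open entries from eight different peers against two established connections, while the single half-open entry on port 22 is ordinary. The ratio of half-open to established, not the raw count, is the more stable signal on a busy server.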
Denial of Service (DoS) (continued)
• Distributed denial of service (DDoS) attack
– A variant of the DoS
– May use hundreds or thousands of zombie computers in a botnet to flood a device with requests
(Figure: DDoS attack)
Denial of Service (DoS) (continued)
• Wireless DoS attack
– Flooding the RF spectrum attack
– Attack takes advantage of CSMA/CA procedure
– Attack uses disassociation frames
Denial of Service (DoS) (continued)
• Flooding the RF spectrum attack
(Figure)
Denial of Service (DoS) (continued)
• Attack uses disassociation frames
(Figure)
Spoofing
• Spoofing is impersonation
– Pretends to be someone or something else by presenting false information
• Variety of different attacks use spoofing
– Attacker may spoof her address so that her malicious actions would be attributed to a valid user
– Attacker may spoof his network address with an address of a known and trusted host
– A fictitious login screen may allow an attacker to capture valid user credentials
– Attacker can set up his AP device and trick all wireless devices to communicate with the imposter device
(Figure) Ref: Security+ Guide to Network Security Fundamentals, Second Edition
Man-in-the-Middle
• Man-in-the-middle attack
– Intercepts legitimate communication and forges a fictitious response to the sender
– Common on networks
– Can be active or passive
• Active attacks intercept and alter the contents before they are sent on to the recipient
Man-in-the-Middle (continued)
(Figure)
Replay
• Replay attack
– Similar to a passive man-in-the-middle attack
– Captured data is used at a later time
• A simple replay would involve the man-in-the-middle capturing login credentials between the computer and the server
• A more sophisticated attack takes advantage of the communications between a device and a server
– Administrative messages that contain specific network requests are frequently sent between a network device and a server
Replay (continued)
(Figure: message sequence between Sender, Attacker and File server)
1. Sender sends message
2. Attacker intercepts message
3. Attacker sends message to create link with the file server; file server creates link with attacker
4. Attacker alters message and sends to the file server; file server rejects altered message
5. Attacker alters message correctly and sends to file server; file server accepts correctly altered message
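The sequence in the figure succeeds because the file server has no way to tell a captured-and-resent administrative message from a fresh one, nor an altered message from the original. The following added example (not from the textbook) shows the server-side check that closes both gaps: every message carries a timestamp, a fresh nonce and an HMAC over all of it, and the server rejects anything with a bad MAC, a stale timestamp, or a nonce it has already seen. The shared key, the 30-second freshness window and the sample messages are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; real deployments provision keys
MAX_SKEW_SECONDS = 30  # assumed freshness window


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so sender and server compute the MAC over the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(payload: dict, *, key: bytes = SHARED_KEY,
                 now: float | None = None, nonce: str | None = None) -> dict:
    """Build an administrative message carrying a timestamp, a fresh nonce and an HMAC."""
    body = {
        "payload": payload,
        "ts": int(time.time() if now is None else now),
        "nonce": nonce or secrets.token_hex(8),
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class ReplayGuard:
    """Server-side check that rejects altered, stale and replayed messages."""

    def __init__(self, key: bytes = SHARED_KEY, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen: dict[str, int] = {}  # nonce -> timestamp, pruned once outside the window

    def accept(self, msg: dict, now: float | None = None) -> tuple[bool, str]:
        now = time.time() if now is None else now
        mac = msg.get("mac")
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # 1. Integrity first: an altered message (step 4 in the figure) fails here.
        if not isinstance(mac, str) or not hmac.compare_digest(mac, expected):
            return False, "bad mac"
        # 2. Freshness: a capture resent long after the fact is stale.
        if abs(now - body["ts"]) > self.max_skew:
            return False, "stale timestamp"
        # 3. Uniqueness: the same nonce inside the window means a replay (steps 3 and 5).
        self.seen = {n: ts for n, ts in self.seen.items() if now - ts <= self.max_skew}
        if body["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[body["nonce"]] = body["ts"]
        return True, "ok"


if __name__ == "__main__":
    server = ReplayGuard()
    msg = make_message({"cmd": "get", "path": "/reports"}, now=1000, nonce="a1b2c3")
    print(server.accept(msg, now=1001))  # (True, 'ok')
    print(server.accept(msg, now=1002))  # (False, 'replayed nonce')
```

The order of the three checks is deliberate: verifying the MAC first means the timestamp and nonce the server reasons about are the ones the legitimate sender put there, so an attacker cannot refresh a captured message by editing its fields. The nonce store stays bounded because anything older than the freshness window is rejected by the timestamp check and can be pruned.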
Methods of Network Attacks
• Network attack methods can be:
– Protocol-based
• Antiquated protocols
• DNS attacks
• ARP poisoning
• TCP/IP hijacking
– Wireless and other methods will not be covered
Protocol-Based Attacks
• Antiquated protocols
– TCP/IP protocols have been updated often to address security vulnerabilities
– SNMP is an example of an updated protocol
Protocol-Based Attacks (continued)
• SNMP
– Used for exchanging management information between networked devices
– Enables system administrators to remotely monitor, manage and configure network devices
– Each SNMP-managed device must have an agent that is protected with the community string
• The use of community strings in the first two versions of SNMP, SNMPv1 and SNMPv2, created several vulnerabilities
• SNMPv3 uses encryption to protect the community strings
Protocol-Based Attacks (continued)
• DNS attacks
– Domain Name System (DNS) is the basis for name resolution to IP addresses today
– It includes DNS poisoning and DNS transfer attacks
• DNS poisoning
– Substitute a fraudulent IP address so that when a user enters a symbolic name, she is directed to the fraudulent computer site
Protocol-Based Attacks (continued)
(Figure)
Protocol-Based Attacks (continued)
• DNS poisoning (continued)
– Substituting a fraudulent IP address can be done in one of two different locations
• TCP/IP host table name system (See Figure 4-10)
• External DNS server
– Attack is called DNS poisoning (also called DNS spoofing)
– See Figure 4-11
– DNS poisoning can be prevented by using the latest editions of the DNS software, BIND (Berkeley Internet Name Domain)
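Of the two locations named above, the local host table is the one an administrator can audit directly: it is a plain text file consulted before DNS, so any entry for a name that should only ever come from DNS is a sign of poisoning. The following added example (not from the textbook) parses hosts-file syntax and reports such overrides; the sample table and the list of monitored domain suffixes are constructed assumptions.

```python
from __future__ import annotations

import ipaddress

# Constructed host-table content; the last entry is the kind of override that
# sends a well-known name to a fraudulent host.
SAMPLE_HOSTS = """\
# Local host table (constructed sample)
127.0.0.1       localhost
::1             localhost
10.0.0.15       intranet.corp.local  # legitimate internal entry
203.0.113.9     www.bank.example login.bank.example
"""

# Names that must only ever be resolved by DNS, never by the local table (assumed list).
MONITORED_SUFFIXES = ("bank.example", "update.example")


def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """Parse hosts-file syntax into (ip, [names]) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)  # skip malformed lines rather than guessing at them
        except ValueError:
            continue
        entries.append((ip, names))
    return entries


def _is_monitored(name: str, suffixes: tuple[str, ...]) -> bool:
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_host_table_overrides(entries, suffixes: tuple[str, ...] = MONITORED_SUFFIXES) -> list[tuple[str, str]]:
    """Return (name, ip) for every table entry that overrides a monitored domain.

    Any such entry is reported, loopback included, because pointing a monitored
    name anywhere other than DNS is an override regardless of the address used.
    """
    return [(name, ip) for ip, names in entries for name in names if _is_monitored(name, suffixes)]


if __name__ == "__main__":
    for name, ip in find_host_table_overrides(parse_hosts(SAMPLE_HOSTS)):
        print(f"host table overrides {name} -> {ip}")
```

Running this against the real file (/etc/hosts on Unix-like systems, or the hosts file under the Windows system directory) from a scheduled job, and alerting on any non-empty result, catches the host-table variant of the attack; the external-DNS-server variant needs the server-side measures the slide names instead.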
Protocol-Based Attacks (continued)
• DNS transfers
– Almost the reverse of DNS poisoning
– Attacker asks the valid DNS server for a zone transfer, known as a DNS transfer
– Possible for the attacker to map the entire internal network of the organization supporting the DNS server
Protocol-Based Attacks (continued)
• ARP poisoning
– Address Resolution Protocol (ARP)
• Used by TCP/IP on an Ethernet network to find the MAC address of another device
• The IP address and the corresponding MAC address are stored in an ARP cache for future reference
– An attacker could alter the MAC address in the ARP cache so that the corresponding IP address would point to a different computer
Protocol-Based Attacks (continued)
(Figure)
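Because the ARP cache is rewritten by whatever replies arrive on the segment, the defender's handle on poisoning is to watch those replies for an IP address whose MAC suddenly changes, or one MAC that starts answering for several IP addresses. The following added example (not from the textbook) replays a constructed list of observed ARP replies through that logic and, where a static binding is known, also reports any reply that contradicts it. The sample replies and the gateway binding are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since capture start
    ip: str
    mac: str


# Constructed sample of ARP replies seen on one LAN segment; not captured data.
SAMPLE_REPLIES = [
    ArpReply(1.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),   # gateway
    ArpReply(2.0, "10.0.0.66", "bb:bb:bb:bb:bb:66"),  # ordinary host
    ArpReply(3.0, "10.0.0.20", "cc:cc:cc:cc:cc:20"),  # ordinary host
    ArpReply(4.0, "10.0.0.1", "bb:bb:bb:bb:bb:66"),   # gateway IP now answered by a host's MAC
    ArpReply(5.0, "10.0.0.1", "bb:bb:bb:bb:bb:66"),   # same claim repeated; no new alert
]

# Constructed static binding for the gateway; in practice this comes from inventory.
STATIC_BINDINGS = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_anomalies(replies, static_bindings: dict[str, str] | None = None) -> list[str]:
    """Replay ARP replies in time order and report IP-to-MAC changes and MACs claiming several IPs."""
    static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    ip_to_mac: dict[str, str] = {}        # our own shadow of the ARP cache
    mac_to_ips: dict[str, set[str]] = {}  # reverse view, to spot one MAC answering for many IPs
    alerts: list[str] = []
    for r in sorted(replies, key=lambda r: r.ts):
        mac = r.mac.lower()
        previous = ip_to_mac.get(r.ip)
        if previous != mac:  # first sighting of this IP, or its MAC changed
            expected = static.get(r.ip)
            if expected is not None and mac != expected:
                alerts.append(f"t={r.ts}: {r.ip} answered by {mac}, static binding is {expected}")
            if previous is not None:
                alerts.append(f"t={r.ts}: {r.ip} moved from {previous} to {mac}")
            ip_to_mac[r.ip] = mac
        ips = mac_to_ips.setdefault(mac, set())
        if r.ip not in ips:
            ips.add(r.ip)
            if len(ips) > 1:
                alerts.append(f"t={r.ts}: {mac} now answers for {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES, STATIC_BINDINGS):
        print(alert)
```

A MAC change on its own is not proof of an attack (a replaced NIC or a failover gateway produces the same event), which is why the static-binding check is reported separately: for the gateway and other critical addresses, a contradiction with inventory is actionable on its own, while the change and multiple-IP alerts are for investigation.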
Protocol-Based Attacks (continued)
• TCP/IP hijacking
– Takes advantage of a weakness in the TCP/IP protocol
– The TCP header consists of two 32-bit fields that are used as packet counters
• Updated as packets are sent and received between devices
– Packets may arrive out of order
• Receiving device will drop any packets with lower sequence numbers
Protocol-Based Attacks (continued)
• TCP/IP hijacking (continued)
– If both sender and receiver have incorrect sequence numbers, the connection will “hang”
– In a TCP/IP hijacking attack, the attacker creates fictitious (“spoofed”) TCP packets to take advantage of the weaknesses
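The behaviour the two slides describe (32-bit counters, out-of-order arrival, dropping of segments with lower sequence numbers) is easier to follow in a small model of the receive side. The following added example (not from the textbook) implements such a receiver: segments at the expected sequence number are delivered, segments ahead of it within the window are buffered, and anything behind it or beyond the window is dropped with the reason recorded. The whole-segment accept-or-drop rule and the 4096-byte window are simplifying assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

MODULUS = 1 << 32  # the sequence and acknowledgement numbers are 32-bit counters


@dataclass(frozen=True)
class Segment:
    seq: int
    data: bytes


class TcpReceiver:
    """Minimal model of the receive side: in-order delivery keyed on sequence numbers.

    Simplifications assumed for the demo: a segment is accepted whole or dropped whole,
    and acknowledgement traffic is not modelled.
    """

    def __init__(self, initial_seq: int, window: int = 4096):
        self.expected = initial_seq % MODULUS  # next byte we are waiting for
        self.window = window
        self.buffer: dict[int, bytes] = {}     # out-of-order segments held for later
        self.delivered = bytearray()
        self.dropped: list[tuple[int, str]] = []

    def receive(self, seg: Segment) -> None:
        ahead = (seg.seq - self.expected) % MODULUS   # wrap-aware distance ahead of expected
        behind = (self.expected - seg.seq) % MODULUS  # wrap-aware distance behind expected
        if 0 < behind <= self.window:
            # Lower sequence number than expected: already received or stale, drop it.
            self.dropped.append((seg.seq, "lower sequence number"))
        elif ahead >= self.window:
            # Not inside the receive window at all, drop it.
            self.dropped.append((seg.seq, "outside receive window"))
        elif ahead == 0:
            self._deliver(seg.data)
        else:
            self.buffer.setdefault(seg.seq, seg.data)  # arrived early, hold it

    def _deliver(self, data: bytes) -> None:
        self.delivered += data
        self.expected = (self.expected + len(data)) % MODULUS
        # Drain any buffered segments that have become contiguous.
        while self.expected in self.buffer:
            self._deliver(self.buffer.pop(self.expected))


def demo() -> tuple[bytes, list[tuple[int, str]]]:
    """Feed constructed segments across the 32-bit wrap point, out of order, with a duplicate."""
    start = MODULUS - 4
    rx = TcpReceiver(initial_seq=start)
    rx.receive(Segment(start, b"ABCD"))  # in order; the counter wraps to 0 afterwards
    rx.receive(Segment(4, b"IJKL"))      # arrives early, buffered
    rx.receive(Segment(0, b"EFGH"))      # fills the gap, and the buffered segment drains
    rx.receive(Segment(0, b"EFGH"))      # duplicate with a lower sequence number, dropped
    rx.receive(Segment(9000, b"ZZ"))     # beyond the window, dropped
    return bytes(rx.delivered), rx.dropped


if __name__ == "__main__":
    delivered, dropped = demo()
    print(delivered, dropped)
```

The model makes the slide's "hang" concrete: if the sender's idea of the next sequence number and the receiver's `expected` disagree, every segment lands in the "lower sequence number" or "outside receive window" branch and nothing is ever delivered. It also shows why the window check matters to a defender: a segment is only accepted if its sequence number falls in a narrow range, which is the property that unpredictable initial sequence numbers rely on.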
Summary
• Network vulnerabilities include media-based vulnerabilities and vulnerabilities in network devices
• The same tools that network administrators use to monitor network traffic and troubleshoot network problems can also be used by attackers
• Network devices often contain weak passwords, default accounts, back doors, and vulnerabilities that permit privilege escalation
Summary (continued)
• Network attacks can be grouped into four categories
• Protocol-based attacks take advantage of vulnerabilities in network protocols

ch04_network-vulnerabilities-and-attacks.pdf
