Lecture2 network attack

How-to attack a computer
network
Lecture 2
Raja M. Khurram Shahzad

The Internet
The elements of the Internet:
Router PCs, workstation
• A lot of hardware and software
Server Mobile International
Hosts, end-systems ISP
• Millions of interconnected
computing devices all over the Apartments
world (a global network) ë Local ISP
PCs, workstations, servers…
National ISP
PDAs, phones, TV-boxes…
• Hosts runs Network applications
s
WWW
email
Company
file transfer
network
remote login
multimedia
… 2

FREDRIK ERLANDSSON ET2437 - NETWORK SECURITY

The Internet
Routers
• Interconnects hosts and networks
• switching devices (nodes) Server Mobile International
• forward data packets between ISP
hosts through the networks Apartments
• Store and forward technique Local ISP
Other network nodes: National ISP
• Bridges
• Switches
• Repeaters
Company
• Amplifiers network
• ... different functionality and
degree of intelligence
3


The Internet
Protocols
• All communicating devices on the
Internet run protocols
• Protocols controls the sending and
ISP
receiving of information
- Ex: TCP, IP, HTTP, FTP… Apartments
• The collection of Internet Local ISP
protocols: TCP/IP
National ISP
- Are implemented in all devices
on the Internet (all or part
of it)
- hosts, routers…
Company
network
ISPs (Internet Service Providers)
• selling communication- and access services
4
to end users and networks


The Internet
The Internet
• A global “network of networks” Router PCs, workstation
- Both public and private networks of
different technologies and performance International
Server Mobile
IP-protocol: ISP
• carries “everything” (applications/
services) Apartments
• over “anything“ (different network
Local ISP
technologies)
• ..half truth !? (high quality multimedia, National ISP
real-time applications is still a pain!?)
• Packet switching
• no dedicated resources in the network
• …shared! Company
• Best-effort services
network

5


The Internet

What holds the Internet together? Router PCs, workstation
•The “glue”
Addressing
ISP
how to refer to a device
Routing Apartments

how to get there Local ISP
IP-protocol National ISP
what to speak to be understood

Internet standards Company
network
RFC: Request for comments
IETF: Internet Engineering Task Force
6


The Internet
The structure of Internet
• Loosely hierarchical Router PCs, workstation
• Hosts are connected to local ISPs
through access networks Server Mobile International
- dial phone line: modem, ADSL, ISP
ISDN, cable-modem…
Apartments
- company/campus network
Local ISP
- leased lines
• Local ISPs connected to national ISPs National ISP
• National ISPs connected to international
(global) ISPs
• The main point is :
Company
- new hosts and networks can be
added…without changing the network
existing implementation of Internet
(should scale!?)
7


Protocols in the TCP/IP Suite

8


PDUs in TCP/IP

11


Information Gathering

• Find out initial information
Open Source: general information about a company that anyone can
obtain
whois (unix), sam spade (third-party tool for windows)
nslookup

• Find out address range of the network

ARIN (American registry for Internet numbers) http://www.arin.net
– whois -h rs.arin.net arin-net

Traceroute

• Find active machines:

ping

12


Information Gathering cont.

• Find open ports or access points:

Nmap http://www.insecure.org/nmap for UNIX
ScanPort http://www.dataset.fr/eng/scanport.html for Windows
War Dialers: Programs that find modems on a network
– THC-Scan for Windows

• Figure out the operating system

Queso
Nmap

13


Information Gathering cont.

• Map out the network

Cheops http://www.marko.net/cheops/
Visual ping http://www.visualware.com/visualroute/
Traceroute

• Figure out which services are running on each port

Default port and OS
Telnet
Vulnerability scanners: programs that can be run against a site that
give a hacker a list of vulnerabilities on the target host
– SAINT http://www.wwwdsi.com/saint/
– NESSUS http://www.nessus.org

14


TCP three-way handshake

SYN with ISNa

ACK ISNa and SYN with ISNb

ACK ISNb
Connection
Connection

15


Types of Nmap scans

• TCP Connect Scan:
Attempts to complete the TCP three-way handshake and set up a connection
Easy to detect
• TCP SYN Scans: “half-open scans”
Sends a SYN to each target port. Target sends SYN-ACK if the port is open.
The attacker send a RESET packet to abort the connection.
Hard to detect, only routers or firewalls will log (if enabled) the attackers IP.
• FIN Scan:
Violate the TCP specification by sending unexpected packets at the start of a
connection
Attacker sends FIN packet, if the target port is closed a RESET packet is
sent back, if open nothing is sent back.
• Ack Scan:
Sends an ACK packet to targets port. If RESET comes back from target
Nmap will classify the port as “unfiltered” otherwise “filtered”
16


Types of Spoofing

• IP spoofing: An attacker uses an IP address of another computer to
acquire information or gain access

• Email spoofing: In essence, the email looks like it came from John, but
in reality, John didn’t send the email. Someone who was impersonating
John send it.

• Web spoofing: Whenever an entity has to be trusted, the opportunity for
spoofing arises.

• Non-technical spoofing: These types of attacks concentrate on
compromising the human element of a company.This is done through
social engineering techniques.

17


IP Spoofing.

• The intruder sends messages to a computer with an IP address
indicating that the message is coming from a trusted host.

• A hacker must find an IP address of a trusted host and then modify
the packet headers so that it appears that the packets are coming
from that host.

From ad
dress: 1
Attacker To addre 0.10.20.
ss: 10.1 20
0.5.5
10.40.40.40

Replies sent back to 10.10.20.20

John
Spooft adress 10.10.5.5
10.10.20.20
18


Denial of Service Attack.

• DoS: A type of attack on a network that is designed to bring the
network to its knees by flooding it with useless traffic.

• Two general types of DoS attacks:
1. Crashing a system or a network:
The attacker can send a victim data or packets it is not expecting
This attack requires little to perform and human interaction to fix

2. Flooding the system or network with so much information that it cannot
respond:
This attack requires more energy from the attacker, recovering requires
minimal human intervention

19


Distributed Denial of Service Attack.

• DDoS: Several machines are coordinated to launch an attack
against a target machine or network at the same time

Attacker

System in
System in System in
System in Kina
USA Iran
Europe

20
Victim


DoS

• Ping of Death
• SSPing
• Land
• Smurf
• Win Nuke
• CPU Hog
• SYN Flood

21


Buffer overflow

#include <stdio.h>
sample_function(char *string){
char buffer[16]; Local buffer can hold 16 characters
strcpy(buffer, string);
strcpy loads characters into buffer until it
return;}
finds the end of the string
main (){ Create buffer that can hold 256 characters
char big_buffer [256]; int i;
for (i=0; i<255; i++){
big_buffer[i]='A'; } Shove the character A into the buffer 255
times
sample_function (big_buffer);

Sent big_buffer to sample_function
22


Buffer Overflow Attack

• A buffer overflow attack is when an attacker tries to store too much
information in an undersized receptacle.
• Most of the newest exploits are based on buffer overflow attack

• Takes advantage of applications that do not adequately parse input
by stuffing too much data into undersized receptacles.

• Can cause attacks against all three areas to security:
1. Attack against availability
2. Attack against integrity
3. Attack against confidentiality

23


How does it work?

Fill direction .
.
Bottom .
.
Of memory .
.
Buffer overwritten Machine Code
Buffer with instructions execv /bin/sh

Saved frame PTR Saved frame PTR

Return Pointer New PTR to EXEC code
Return PTR is
overwritten Function Call
Function Call
Arguments
Arguments
.
.
Top .
.
Of memory .
.

24


Example
• Some different buffer overflow attacks:
NetMeeting Buffer Overflow
Outlook Buffer Overflow
Linuxconf Buffer Overflow
IIS 4.0/5.0 Phone Book Server Buffer Overflow

char shellcode[] =
"xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
"x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"
"x80xe8xdcxffxffxff/bin/sh";
void main() {
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int)shellcode;}

25


Sniffing

• A program that gather traffic from the local network
• Used by both attackers and network administrators
• Gathers packets at the Data Link layer
• An attacker must haven account on a machine in order to run the
sniffer program.
• Sniffing tools available:
tcpdump http://www.tcpdump.com
windump netgroup-serv.polito.it/windump
Wireshark (ethereal)
Dsniff

26


Passive Sniffing

et
a ck
p

packet
HUB packet

pa
ck
et

27


Active Sniffing

• Two methods for sniffing data from a switched LAN
1. MAC flooding
2. Spoofed ARP Messages

packet
Switch

packet

Default packet
router Internet

28


Spoofed ARP Message
Configure IP Forwarding
to send packets to the
default router
Send fake ARP response
to remap default router IP
adressto attacker´s Attacker sniffs the traffic
MAC address

Switch
Packets are forwarded from the
Victim traffic destined
attackers machine to the actual
For the outside world.
default router for delivery to the
Based on the poisoned
outside world
ARP table, traffic is really
sent to the attackers MAC Default
address router Internet

29


Passwords

• Most common weaknesses in a company
1. weak passwords
2. uncontrolled modems on the network
• Most systems and software have default passwords!
• Characteristics of a strong password
Changes every 45 days
Minimum length of 10 characters
Contain at leas one alpha, one number and one special character
Cannot contain dictionary words
Cannot reuse the previous five passwords
Minimum password age of 10 days
After 5 failed logon attempts, password is locked for serveral hours

31


Passwords cont.

• System maintain a file that associates a password with each authorised
user.
• Password file can be protected with:
One-way encryption
Access Control

• Techniques for guessing passwords:
Try default passwords.
Try all short words, 1 to 3 characters long.
Try all the words in an electronic dictionary (60,000).
Collect information about the user’s hobbies, family names, birthday, etc.
Try user’s phone number, social security number, street address, etc.
Try all license plate numbers (MUP103).
Use a Trojan horse
Tap the line between a remote user and the host system.

32


UNIX passwords

• Stored in file /etc/passwd is world readable (any user who was on the
system had access to read the file i.e. more /etc/passwd )
usernamen:password:UID:GID:full name:home directory:shell
sch:OZFGkH258h8yg:1013:10:Stefan Chevul:/home/sch/:/bin/csh

• Latest UNIX versions split the passwd file into 2 files. The /etc/passwd file
still exists, it contains everything except the encrypted passwords. This is
stored in the /etc/shadow file.
usernamen:password:last:min:max:warning:expire:disable
sch:OZFGkH258h8yg:::::::

33


ypcat passwd

gymsjo:PgiEmZuEHpmY2:3227:3200:STEFAN JOHANSSON:/home/
dogmatix/gym/gymsjo:/usr/local/bin/tcsh

frpe03:EoFPa/t0McqN6:470078:20031:FREDRIK PERSSON:/home/
dogmatix/students/20031/frpe03:/usr/local/bin/tcsh

etmf01:Ck34HVjHPI3gQ:740030:20011:Etienne Mfoumou:/home/
dogmatix/students/20011/etmf01:/usr/local/bin/tcsh

rope05:i/mTnW1jL7vmM:490146:20051:ROBIN PERSSON:/home/
obelix/students/20051/rope05:/usr/local/bin/tcsh

nasc04:HfcXJTuIB7Bh2:500001:20041:Nadzida Saric:/home/obelix/
students/20041/nasc04:/usr/local/bin/tcsh

34


cat passwd

root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
smmsp:x:25:25:SendMail Message Submission Program:/:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:

35


Salt

• The salt serves three purposes:
Prevents duplicate passwords.
Effectively increases the length of the password.
Prevents the use of hardware implementations of DES

36


UNIX Password Scheme I

salt password
Password File
12 bits 56 bits User id salt E(pwd, [salt, 0])

•
Load •
crypt (3)
11 characters •

(a) Loading a new password

37


UNIX Password Scheme II

38

ET2437 - Network Security

Passwords cracking

• Password cracking = guessing someone´s password from the
encrypted password
• General algorithm used for automated password cracking:
1. Find valid user IDs
2. Find the encryption algorithm used
3. Obtain encrypted passwords
4. Create a list of possible passwords
5. Encrypt each word
6. See if there is a match for each user ID
7. Repeat steps 1 through 5

39


Why is Passwords cracking important?

• From a security standpoint, password cracking can help you build
and maintain a more secure system.
• Reasons why password cracking is useful
To audit the strength of passwords
To recover forgotten / unknown passwords
To migrate users
To use as a checks and balance system
• Main types of password cracking attacks:
Dictionary attacks
Brute force attacks
Hybrid attacks

40


Types of Passwords Attacks

Dictionary Brute Force Hybrid
attack attack attack

Speed of the Fast Slow Medium
attack

Amount of Finds only Finds every Finds only
passwords words password passwords
that have a
cracked dictionary
word as the
base

41


Passwords cracking programs

• NT password cracking programs:
L0phtcrack
NTSweep
NTCrack
PWDump2
• UNIX password crackers:
Crack
John the Ripper
XIT
Slurpie

42


Covering the Tracks

• After an attacker has gained access and accomplished what he
wanted to do, one of the last steps he performs is covering his
tracks, hiding evidence that he was ever there.

• To do this there are 4 main areas an attacker is concerned with:
1. Log files
2. File information
3. Additional files
4. Network traffic

43


Lecture2 network attack

More Related Content

What's hot

Viewers also liked

Similar to Lecture2 network attack

More from rajakhurram

Recently uploaded

Lecture2 network attack