Network Attacks & Port Scanning Techniques
Types of Network Attacks
1. Passive Attacks
  - Eavesdropping
  - Traffic Analysis
2. Active Attacks
  - Man-in-the-Middle (MitM)
  - Denial-of-Service (DoS)
  - Session Hijacking
3. Insider Attacks
  - Privilege Escalation
  - Data Theft
4. Malware-Based Attacks
  - Ransomware
  - Worms & Trojans
Classify Security Attacks as
- Passive attacks: eavesdropping on, or monitoring of, transmissions to:
  - obtain message contents, or
  - monitor traffic flows
- Active attacks: modification of the data stream to:
  - masquerade of one entity as some other
  - replay previous messages
  - modify messages in transit
  - denial of service
Passive Attacks: Release of Message Contents
Passive Attacks: Traffic Analysis
Active Attacks: Masquerade
Active Attacks: Replay
Active Attacks: Modification of Messages
Active Attacks: Denial of Service
Classify Security Attacks as
Model for Network Security
- Using this model requires us to:
  1. Design a suitable algorithm for the security transformation
  2. Generate the secret information (keys) used by the algorithm
  3. Develop methods to distribute and share the secret information
  4. Specify a protocol enabling the principals to use the transformation and secret information for a security service
Model for Network Access Security
- Using this model requires us to:
  1. Select appropriate gatekeeper functions to identify users
  2. Implement security controls to ensure only authorised users access designated information or resources
- Trusted computer systems can be used to implement this model
Methods of Defense
- Encryption
- Software Controls (access limitations in a database; in an operating system, protecting each user from other users)
- Hardware Controls (smartcard)
- Policies (frequent changes of passwords)
- Physical Controls
Internet standards and RFCs
- The Internet Society
  - Internet Architecture Board (IAB)
  - Internet Engineering Task Force (IETF)
  - Internet Engineering Steering Group (IESG)
Internet RFC Publication Process
Vulnerabilities in Network Protocols
Outline
- TCP/IP Layering
- Names and Addresses
- Security Considerations for
  - Address Resolution Protocol
  - Internet Protocol
  - Transmission Control Protocol
  - FTP, Telnet, SMTP
  - Web Security (Next Lecture)
- Browser Side Risks
- Server Side Risks
TCP/IP Layering
An Example
Encapsulation
[Figure: encapsulation on the sending host. The HTTP client prepends an HTTP header to the user data; TCP adds a TCP header; IP adds an IP header; the Ethernet driver adds an Ethernet header and trailer before the frame goes onto the Ethernet.]
Demultiplexing
[Figure: demultiplexing on the receiving host. The Ethernet driver hands the frame to ARP, RARP or IP, demuxing based on the frame type in the Ethernet header; IP hands the datagram to ICMP, IGMP, TCP or UDP, demuxing based on the protocol id in the IP header; TCP and UDP hand the segment to the application (HTTP, FTP, SMTP, DNS, SNMP, …), demuxing based on the port number in the TCP or UDP header.]
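The two figures above describe one mechanism: each layer reads one field of its own header and picks the next handler. The following added example (not from the slides) builds a constructed Ethernet/IPv4/TCP frame with Python's struct module and then walks it the way the receiving host's demultiplexers do. The hardware addresses reused from the ARP slide, the sample IPs and ports, and the small lookup tables are all illustrative choices, not part of the original deck.

```python
import socket
import struct

# Demultiplexing keys at each layer, as on the slide: the frame type in the
# Ethernet header, the protocol id in the IP header, and the destination port
# in the TCP or UDP header.  Only a few well-known values are listed.
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP"}
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP", 161: "SNMP"}

# Link-layer addresses for the constructed frames (values taken from the ARP slide).
SRC_MAC = bytes.fromhex("080020" "03f642")
DST_MAC = bytes.fromhex("0000c0" "c29b26")

# A constructed ARP frame: Ethernet header with ARP frame type, then 28 ARP bytes.
ARP_FRAME = DST_MAC + SRC_MAC + struct.pack("!H", 0x0806) + bytes(28)


def build_frame(src_ip, dst_ip, src_port, dst_port, payload, proto=6):
    """Encapsulation: payload -> transport header -> IP header -> Ethernet header.
    Checksums are left at zero; this is constructed sample input, not a capture."""
    if proto == 6:
        # TCP: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, cksum, urg
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == 17:
        # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    else:
        l4 = b""  # e.g. ICMP: the payload already carries its own header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800)
    return eth + ip + l4 + payload


def demux(frame):
    """Return the list of protocols each layer hands the frame to, bottom up."""
    chain = []
    ethertype = struct.unpack("!H", frame[12:14])[0]
    chain.append(ETHERTYPES.get(ethertype, f"ethertype 0x{ethertype:04x}"))
    if ethertype != 0x0800:
        return chain                       # ARP/RARP go straight to their handler
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4               # IP header length in bytes
    proto = ip[9]
    chain.append(IP_PROTOCOLS.get(proto, f"protocol {proto}"))
    if proto not in (6, 17):
        return chain                       # ICMP/IGMP carry no port field
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    chain.append(PORTS.get(dst_port, f"port {dst_port}"))
    return chain


if __name__ == "__main__":
    print(demux(build_frame("192.168.0.1", "192.168.0.5", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")))
    print(demux(ARP_FRAME))
```

Note that the parser trusts the header length field, which is exactly the kind of field a real stack must bounds-check before indexing; here the frames are self-built so the check is omitted.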
Names and Addresses
IP Addresses
- Format "A.B.C.D" where each letter is a byte
- Class A network: A.0.0.0
  - Zeroes are used to indicate that any number could be in that position
- Class B network: A.B.0.0
- Class C network: A.B.C.0
- Broadcast addresses:
  - 255.255.255.255
  - A.B.C.255
- Special case
  - 0.0.0.0 and A.B.C.0 can be either treated as a broadcast or discarded
Hardware (MAC) Addresses
- Every interface has a unique and fixed hardware address too
- Used by the data link layer
- In case of Ethernet, it is 48 bits long
- Mapping between IP addresses and MAC addresses is done by ARP
Host Names
- Human readable, hierarchical names, such as www.uettaxila.edu.pk
- Every host may have several names
- Mapping between names and IP addresses is done by the Domain Name System (DNS)
Address Resolution Protocol
ARP – Address Resolution Protocol
- Mapping from IP addresses to MAC addresses
[Figure: hosts 192.168.0.1 to 192.168.0.5 on one LAN (hardware addresses shown: 08:00:20:03:F6:42 and 00:00:C0:C2:9B:26); the request is broadcast and the owner of the address replies]
arp req | target IP: 192.168.0.5 | target eth: ?
arp rep | sender IP: 192.168.0.5 | sender eth: 00:00:C0:C2:9B:26
ARP Spoofing
- An ARP request can be responded to by another host
[Figure: the same LAN, now joined by a Switch; a different host (00:34:CD:C2:9F:A0) answers the request for 192.168.0.5]
arp req | target IP: 192.168.0.5 | target eth: ?
arp rep | sender IP: 192.168.0.5 | sender eth: 00:34:CD:C2:9F:A0
ARP Spoofing
- Used for sniffing on a switched LAN
[Figure: Attacker, Victim and Default Router on a switched LAN connected to the Outside World]
1. Configure IP forwarding
2. Send fake ARP response to map default router's IP to attacker's MAC
3. Victim sends traffic based on poisoned ARP cache
4. Sniff the traffic from the link
5. Packets are forwarded from attacker's machine to actual default router
ARP Spoofing Prevention?
- Cryptographic protection on the data is the only way
  - Not allow any untrusted node to read the contents of your traffic
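The slides' point is that encryption protects the contents; it does not stop the poisoning itself, so a host or a monitoring port should at least notice it. The following added example (not from the slides) replays a constructed ARP event stream built from the two ARP figures, the genuine reply for 192.168.0.5 followed by the second reply from 00:34:CD:C2:9F:A0, and raises an alert for a reply nobody asked for and for a reply that changes an existing IP-to-MAC binding. The event format and the first-binding-wins cache policy are choices made for this example.

```python
# Constructed event stream built from the two ARP slides: a request for
# 192.168.0.5, the genuine reply (00:00:C0:C2:9B:26), then a second reply for
# the same IP from the hardware address shown on the spoofing slide.
SAMPLE_EVENTS = [
    ("req", "192.168.0.5"),
    ("rep", "192.168.0.5", "00:00:C0:C2:9B:26"),
    ("rep", "192.168.0.5", "00:34:CD:C2:9F:A0"),
]


def monitor_arp(events):
    """Replay ARP events and return (cache, alerts).

    Two checks: a reply with no outstanding request for that IP (unsolicited),
    and a reply that changes an IP->MAC binding already in the cache.  The
    cache keeps the first binding it saw rather than the latest one, which is
    the opposite of what an ordinary ARP cache does and is what makes the
    poisoning attempt visible instead of silently accepted."""
    cache, pending, alerts = {}, set(), []
    for event in events:
        if event[0] == "req":
            pending.add(event[1])
            continue
        _, ip, mac = event
        mac = mac.lower()
        if ip in pending:
            pending.discard(ip)          # the first answer satisfies the request
        else:
            alerts.append(f"unsolicited ARP reply for {ip} from {mac}")
        known = cache.get(ip)
        if known is not None and known != mac:
            alerts.append(f"binding change for {ip}: {known} -> {mac}")
        cache.setdefault(ip, mac)
    return cache, alerts


if __name__ == "__main__":
    cache, alerts = monitor_arp(SAMPLE_EVENTS)
    print("cache:", cache)
    for alert in alerts:
        print("ALERT:", alert)
```

If the forged reply races ahead of the genuine one, the first binding is the wrong one; the genuine reply then still produces a "binding change" alert, so the conflict is reported either way, and an operator has to decide which address is right.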
Internet Protocol
IP – Internet Protocol
- Provides an unreliable, connectionless datagram delivery service to the upper layers
- Its main function is routing
- It is implemented in both end systems and intermediate systems (routers)
- Routers maintain routing tables that define the next hop router towards a given destination (host or network)
- IP routing uses the routing table and the information in the IP header (e.g., the destination IP address) to route a packet
IP Security Problems
- User data in IP packets is not protected in any way
  - Anyone who has access to a router can read and modify the user data in the packets
- IP packets are not authenticated
  - It is fairly easy to generate an IP packet with an arbitrary source IP address
- Traffic analysis
  - Even if user data were encrypted, one could easily determine who is communicating with whom by just observing the addressing information in the IP headers
IP Security Problems
- Information exchanged between routers to maintain their routing tables is not authenticated
  - Correct routing table updates can be modified or fake ones can be disseminated
  - This may disrupt routing completely, leading to loops or partitions
  - It may also facilitate eavesdropping, modification, and monitoring of traffic
  - It may cause congestion of links or routers (i.e., denial of service)
Transmission Control Protocol
TCP – Transmission Control Protocol
- Provides a connection oriented, reliable, byte stream service to the upper layers
- Connection oriented:
  - Connection establishment phase prior to data transfer
  - State information (sequence numbers, window size, etc.) is maintained at both ends
TCP – Reliability
- Positive acknowledgement scheme (unacknowledged bytes are retransmitted after a timeout)
- Checksum on both header and data
- Reordering of segments that are out of order
- Detection of duplicate segments
- Flow control (sliding window mechanism)
TCP Connection Establishment
[Figure: three-way handshake between Client and Server. The server is Listening; the client sends SYN(C); the server stores the connection data and replies SYN(S), ACK(C); the client waits for it and then sends ACK(S); both sides are Connected.]
TCP Sequence Numbers
- TCP uses the ISN (Initial Sequence Number) to order the incoming packets for a connection
- Sequence numbers are 32 bits long
- The sequence number in a data segment identifies the first byte in the segment
- Sequence numbers are initialized with a "random" value during connection setup
- The RFC suggests that the ISN is incremented by one at least every 4 µs
TCP SYN Attack
- An attacker can impersonate a trusted host (e.g., in case of r commands, authentication is based solely on the source IP address)
  - This can be done by guessing the sequence number in the ongoing communication
  - The initial sequence numbers are intended to be more or less random
TCP SYN Attack
- In Berkeley implementations, the ISN is incremented by a constant amount
  - 128,000 once per second, and
  - a further 64,000 each time a connection is initiated
- RFC 793 specifies that the 32-bit counter be incremented by 1 about every 4 µs
  - the ISN cycles every 4.55 hours
- Whatever! It is not hopeless to guess the next ISN to be used by a system
Launching a SYN Attack
- The attacker first establishes a valid connection with the target to learn its ISN.
- Next it impersonates trusted host T and sends the connection request with ISN_X
- The target sends the ACK with its ISN_S to the trusted host T
- The attacker, after the expected time, sends the ACK with the predicted ISN_S'
Launching a SYN Attack
[Figure: message sequence between attacker, server and trusted host (T)]
attacker → server: SYN = ISN_X, SRC_IP = T
server → T: SYN = ISN_S, ACK(ISN_X)
attacker → server: ACK(ISN_S), SRC_IP = T
attacker → server: SRC_IP = T, nasty_data
What about the ACK for T?
- If the ACK is received by the trusted host T
  - It will reject it, as no request for a connection was made by it
  - RST will be sent and the server drops the connection
BUT!!!
- The attacker can either launch this attack when T is down
- Or launch some sort of DoS attack on T
  - So that it can't reply
TCP SYN Attack – How to Guess ISN_S?
- ISN_S' (Attacker's ISN) depends on ISN_S and Δt
- Δt can be estimated from the round trip time
- Assume Δt can be estimated with 10 ms precision
[Figure: message sequence between attacker and server, with Δt marked between the two connection attempts]
attacker → server: SYN = ISN_X
server → attacker: SYN = ISN_S, ACK(ISN_X)
attacker → server: SYN = ISN_X', SRC_IP = T
server → T: SYN = ISN_S', ACK(ISN_X)
attacker → server: ACK(ISN_S'), SRC_IP = T
TCP SYN Attack – How to Guess ISN_S?
- The attacker has an uncertainty of 1280 in the possible value for ISN_S'
- Assume each trial takes 5 s
- The attacker has a reasonable likelihood of succeeding in 6400 s and a near-certainty within one day!
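The numbers on the last three slides follow directly from the Berkeley increment rule: with Δt known to 10 ms, the ISN advances 128,000 × 0.01 = 1280 counts within the uncertainty, and 1280 trials at 5 s each is 6400 s. The following added example (not from the slides) models that rule in Python, computes the window an observer is left with, and contrasts it with a per-connection keyed-hash ISN in the style of RFC 6528, where an ISN seen on one connection says nothing about another connection's ISN. The sample times, connection counts and the secret key are constructed for the example; no packets are sent.

```python
import hashlib
import hmac

MOD = 2 ** 32
TICKS_PER_SEC = 128_000      # Berkeley: the ISN advances 128,000 per second ...
PER_CONNECTION = 64_000      # ... and a further 64,000 per connection initiated


def berkeley_isn(t_seconds, connections_so_far):
    """ISN under the Berkeley scheme on the slides: a linear function of
    wall-clock time and of how many connections the host has opened."""
    return (int(t_seconds * TICKS_PER_SEC) + connections_so_far * PER_CONNECTION) % MOD


def predicted_window(observed_isn, delta_t, new_connections, delta_t_precision):
    """Range an observer is left with, given one observed ISN, an estimate of
    the elapsed time delta_t (known to within delta_t_precision) and the number
    of connections opened in between.  Returns (low, width)."""
    centre = observed_isn + int(delta_t * TICKS_PER_SEC) + new_connections * PER_CONNECTION
    width = int(delta_t_precision * TICKS_PER_SEC)   # 10 ms precision -> 1280, as on the slide
    return (centre - width // 2) % MOD, width


def in_window(isn, low, width):
    """True if isn lies in the window [low, low + width), modulo 2^32."""
    return (isn - low) % MOD < width


def expected_search_time(width, seconds_per_trial):
    """Time to try every value in the window (slide: 1280 trials x 5 s = 6400 s)."""
    return width * seconds_per_trial


def keyed_isn(secret, local_ip, local_port, remote_ip, remote_port, t_seconds):
    """RFC 6528 style ISN: a 4 us clock (250,000 ticks per second) plus a keyed
    hash of the connection 4-tuple.  Every 4-tuple gets its own secret offset,
    so the window computed above no longer applies across connections."""
    msg = f"{local_ip}:{local_port}|{remote_ip}:{remote_port}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return (int(t_seconds * 250_000) + int.from_bytes(digest[:4], "big")) % MOD


if __name__ == "__main__":
    observed = berkeley_isn(100.0, 10)                # ISN seen on a legitimate connection
    actual = berkeley_isn(100.2037, 11)               # the next ISN the host really uses
    low, width = predicted_window(observed, 0.2, 1, 0.01)
    print("window width:", width, "hit:", in_window(actual, low, width))
    print("search time (s):", expected_search_time(width, 5))
    secret = b"constructed-secret"                    # constructed; a host draws this at boot
    a = keyed_isn(secret, "10.0.0.2", 40000, "10.0.0.5", 23, 100.0)
    b = keyed_isn(secret, "10.0.0.2", 40001, "10.0.0.5", 23, 100.2)
    print("keyed ISN of a second connection inside the window:",
          in_window(b, *predicted_window(a, 0.2, 1, 0.01)))
```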
How to Prevent it?
- Can be prevented by properly configuring the firewall
  - Do not allow any communication from outside using the address of some internal network
TCP SYN Flood
- The attacker's goal is to overwhelm the destination machine with SYN packets carrying spoofed IP addresses
- This results in:
  - The server's connection queue filling up, causing a DoS attack
  - Or, even if the queue is large enough, all ports will be busy and the service could not be provided by the server
[Figure: client C sends SYN(C1), SYN(C2), SYN(C3), SYN(C4), SYN(C5), …; server S is Listening and stores data for each half-open connection]
How to Avoid TCP SYN Flood
- Decrease the wait time for half-open connections
- Do not store the connection information
- Use SYN cookies as sequence numbers during connection setup
- A SYN cookie is some function applied on
  - Dest IP, Source IP, Port numbers, Time and a secret number
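The last two bullets describe the SYN cookie idea: the server keeps no state for a half-open connection because its initial sequence number is a keyed function of the addresses, ports, time and a secret, and it recognises its own cookie when the client's ACK comes back. The following added example (not from the slides) implements that in Python with an HMAC over exactly the inputs the slide lists. The bit layout (5 bits of coarse time, 3 bits of MSS index, 24 bits of keyed hash), the 64 s time slot, the MSS table and the secret are constructed choices for the example.

```python
import hashlib
import hmac

SECRET = b"constructed-server-secret"   # constructed; a real server draws this randomly at boot
SLOT_SECONDS = 64                       # coarse time unit encoded in the cookie
MAX_AGE_SLOTS = 2                       # cookies older than this are rejected
MSS_TABLE = [536, 1220, 1440, 1460]     # common MSS values, encoded as a small index


def _tag(src_ip, dst_ip, src_port, dst_port, slot):
    """24-bit keyed hash over the inputs the slide lists: addresses, ports,
    time and the secret."""
    msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, dst_ip, src_port, dst_port, client_mss, now):
    """Server-side ISN for the SYN/ACK.  Nothing is stored for this half-open
    connection; everything needed later is inside the 32-bit number:
    5 bits time slot | 3 bits MSS index | 24 bits keyed hash."""
    slot = (int(now) // SLOT_SECONDS) % 32
    mss_index = max([i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss] or [0])
    return (slot << 27) | (mss_index << 24) | _tag(src_ip, dst_ip, src_port, dst_port, slot)


def check_ack(ack_number, src_ip, dst_ip, src_port, dst_port, now):
    """Validate the final ACK of the handshake.  The client acknowledges
    cookie + 1, so the cookie is recovered from the ACK number.  Returns the
    MSS to use for the connection, or None if the cookie is stale or forged."""
    cookie = (ack_number - 1) % (1 << 32)
    slot = cookie >> 27
    mss_index = (cookie >> 24) & 0x7
    tag = cookie & 0xFFFFFF
    current_slot = (int(now) // SLOT_SECONDS) % 32
    if (current_slot - slot) % 32 > MAX_AGE_SLOTS:
        return None                                   # too old: the SYN was sent long ago
    expected = _tag(src_ip, dst_ip, src_port, dst_port, slot)
    if not hmac.compare_digest(tag.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                                   # not our cookie for this 4-tuple
    return MSS_TABLE[mss_index]


if __name__ == "__main__":
    t = 1000.0
    cookie = make_cookie("192.168.0.2", "192.168.0.5", 40000, 80, 1460, t)
    print("SYN/ACK seq:", cookie)
    print("ACK accepted, MSS:", check_ack(cookie + 1, "192.168.0.2", "192.168.0.5", 40000, 80, t + 5))
    print("ACK from other port:", check_ack(cookie + 1, "192.168.0.2", "192.168.0.5", 40001, 80, t + 5))
```

The trade-off the slide hints at ("do not store the connection information") is visible here: because the server stored nothing, any TCP option the client sent in the SYN that is not squeezed into the cookie (here only a coarse MSS survives) is lost for that connection.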
TCP Congestion Control
- If packets are lost, assume congestion
  - Reduce transmission rate by half, repeat
  - If loss stops, increase rate very slowly
Design assumes routers blindly obey this policy
[Figure: Source sending to Destination]
TCP Congestion Control – Competition
- Friendly source A gives way to overexcited source B
  - Both senders experience packet loss
  - Source A backs off
  - Source B disobeys the protocol, gets better results!
[Figure: Source A and Source B both sending to Destination]
DoS – Denial of Service Attacks
- Attempts to prevent the victim from being able to establish connections
- Accomplished by involving the victim in heavy processing
  - like sending TCP SYN packets to all ports of the victim and preventing new connection establishment
- DoS attacks are much easier to accomplish than gaining administrative access
Exploiting Ping Command for Smurf DoS Attack
- Send ping request to subnet-directed broadcast address with spoofed IP (ICMP Echo Request)
- Lots of responses:
  - Every host on target network generates a ping reply (ICMP Echo Reply) to victim
  - Ping reply stream can overload victim
[Figure: DoS Source sends (1) ICMP Echo Req, Src: DoS Target, Dest: brdct addr, through the gateway into the network; every host answers with (3) ICMP Echo Reply, Dest: DoS Target]
Smurf DoS Attack Prevention
- Have adequate bandwidth and redundant paths
- Filter ICMP messages to reject external packets to broadcast addresses
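Two of the preventions in this deck are border filter rules: the "How to Prevent it?" slide (drop anything from outside that claims an internal source address, which removes the spoofed-T step of the SYN attack) and the Smurf slide just above (drop external ICMP addressed to a broadcast address, which removes the amplification step). The following added example (not from the slides) expresses both rules as one Python filter over a constructed packet list using the standard ipaddress module; the internal prefix 192.168.0.0/24 is taken from the ARP slides, the outside address 203.0.113.7 and the packet dictionary format are constructed for the example.

```python
import ipaddress

# Constructed site prefix for the example (the slides' LAN).
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/24")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def broadcast_addresses():
    """Every subnet-directed broadcast address of the internal prefixes,
    plus the limited broadcast address."""
    return {net.broadcast_address for net in INTERNAL_NETS} | {LIMITED_BROADCAST}


def ingress_filter(pkt):
    """Decision for a packet arriving on the OUTSIDE interface.

    pkt is a dict with 'src', 'dst', 'proto' and, for ICMP, 'icmp_type'
    (8 = Echo Request).  Rule 1: traffic from outside must not carry an
    internal source address.  Rule 2: ICMP from outside must not be addressed
    to a broadcast address."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if any(src in net for net in INTERNAL_NETS):
        return "drop: spoofed internal source"
    if pkt["proto"] == "icmp" and dst in broadcast_addresses():
        return "drop: ICMP to broadcast address"
    return "accept"


def egress_filter(pkt):
    """Mirror rule for packets LEAVING the site: a packet that does not carry
    one of our own addresses as source is spoofed by one of our hosts and
    must not reach anybody else's network."""
    src = ipaddress.ip_address(pkt["src"])
    if not any(src in net for net in INTERNAL_NETS):
        return "drop: source address not ours"
    return "accept"


# Constructed sample packets arriving from outside, in order:
# a spoofed "internal" source, a Smurf-style echo request to the directed
# broadcast, an ordinary echo request to one host, an ordinary TCP segment.
SAMPLE_INBOUND = [
    {"src": "192.168.0.9", "dst": "192.168.0.5", "proto": "tcp"},
    {"src": "203.0.113.7", "dst": "192.168.0.255", "proto": "icmp", "icmp_type": 8},
    {"src": "203.0.113.7", "dst": "192.168.0.5", "proto": "icmp", "icmp_type": 8},
    {"src": "203.0.113.7", "dst": "192.168.0.5", "proto": "tcp"},
]


def audit_inbound(packets=SAMPLE_INBOUND):
    """Run the ingress filter over the sample and return its decisions."""
    return [ingress_filter(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_INBOUND, audit_inbound()):
        print(f"{pkt['src']:>14} -> {pkt['dst']:<14} {pkt['proto']:<5} {verdict}")
```

The egress rule is the complement the slides do not spell out: a site that drops spoofed sources on the way out cannot be used as the origin of either attack against somebody else.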
FTP – File Transfer Protocol
[Figure: FTP model. Client side: user interface, protocol interpreter, data transfer function, file system. Server side: protocol interpreter, data transfer function, file system. A control connection (FTP commands and replies) joins the two protocol interpreters; a data connection joins the two data transfer functions.]
FTP – File Transfer Protocol
- Typical FTP commands:
  - RETR filename – retrieve (get) a file from the server
  - STOR filename – store (put) a file on the server
  - TYPE type – specify file type (e.g., A for ASCII)
  - USER username – username on server
  - PASS password – password on server
- FTP is a text (ASCII) based protocol
…
FTP – File Transfer Protocol
[Figure: what the user types on the client (left) and what is exchanged with the server (right)]
client:
% ftp www.comsats.edu.pk
Connected to www.comsats.edu.pk
Name: abc
Password: pswd
client ↔ server:
<TCP connection setup to port 21 of www.comsats.edu.pk>
"220 www.comsats.edu.pk FTP server (version 5.60) ready."
"USER abc"
"331 Password required for user abc."
"PASS pswd"
"230 User abc logged in."
Problems with FTP
- FTP information exchange is in clear text
  - The attacker can easily eavesdrop and get the secret information
  - The attacker can also learn the software version of the FTP server running, to exploit the vulnerabilities of that particular version
FTP Bounce Scans
- FTP has a feature to open a connection with the victim machine on the request of the attacker machine
- Machine A (Attacker) can request to check for the open ports on the target machine X (Victim)
- Newer versions of FTP do not support this forwarding feature
[Figure: Attacker holds an FTP control connection to the FTP Server; the server opens data connections to the Victim to be scanned]
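The "feature" on this slide is the PORT command, which tells the server where to open the data connection; the fix the slide calls "newer versions" is the server refusing any PORT target other than the client itself (the recommendation in RFC 2577). The following added example (not from the slides) is a small Python check of the kind an FTP server performs before honouring PORT: it parses the `h1,h2,h3,h4,p1,p2` form, rejects a host that differs from the control-connection peer, and rejects privileged ports. The reply strings and the sample client addresses are constructed for the example.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 : four address octets and a port as p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def parse_port(command):
    """Return (host, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def check_port_command(command, control_peer_ip):
    """Server-side decision for a PORT command received on a control
    connection whose peer address is control_peer_ip.  Only a data connection
    back to that same peer, on an unprivileged port, is allowed; anything
    else would let the server be used as a relay to a third host."""
    parsed = parse_port(command)
    if parsed is None:
        return "501 Syntax error in parameters or arguments"
    host, port = parsed
    if host != control_peer_ip:
        return "500 Illegal PORT command (host does not match control connection)"
    if port < 1024:
        return "500 Illegal PORT command (privileged port)"
    return "200 PORT command successful"


# Constructed control-channel log: (client address, command line).
SAMPLE_LOG = [
    ("10.0.0.7", "PORT 10,0,0,7,4,1"),       # data back to the client on 1025: fine
    ("10.0.0.7", "PORT 10,0,0,9,0,80"),      # a third host: refused
    ("10.0.0.7", "PORT 10,0,0,7,0,25"),      # the client itself but port 25: refused
    ("10.0.0.7", "PORT 10,0,0,7,300,1"),     # octet out of range: malformed
]


def audit(log=SAMPLE_LOG):
    """Apply the check to every logged PORT command and return the replies."""
    return [check_port_command(cmd, peer) for peer, cmd in log]


if __name__ == "__main__":
    for (peer, cmd), reply in zip(SAMPLE_LOG, audit()):
        print(f"{peer} {cmd!r:<28} -> {reply}")
```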
Telnet
- Provides remote login service to users
- Works between hosts that use different operating systems
- Uses option negotiation between client and server to determine what features are supported by both ends
Telnet
[Figure: Telnet client (user, terminal driver and TCP/IP in the kernel) and Telnet server (TCP/IP and pseudo-terminal driver in the kernel, login shell above it) joined by a TCP connection]
Telnet Session Example
- Single character at a time
Telnet Example
[Figure: what the user sees on the client (left) and what crosses the wire (right)]
client:
% telnet ahost.com.pk
Connected to ahost.com.pk
Escape character is '^]'.
client ↔ server:
<TCP connection setup to port 23 of ahost.com.pk>
<Telnet option negotiation>
"UNIX(r) System V Release 4.0"
"Login:"
Login: s          "s"
Login: st         "t"
Login: student    "t"
"Password:"
Password: c       "c"
…
Password: cab123  "3"
<OS greetings and shell prompt, e.g., "%">
…
Problems with Telnet
- Information exchange is in clear text
  - The attacker can easily eavesdrop and get information like usernames and passwords
  - The attacker can also learn the version, to exploit the vulnerabilities of that particular version
SMTP – Simple Mail Transfer Protocol
[Figure: on the sending host the user hands mail to a user agent, which queues the mails to be sent for the local MTA; the local MTA speaks SMTP over a TCP connection to port 25 of a relay MTA, possibly through several relay MTAs in turn; on the receiving host the local MTA delivers into the user mailbox, which the user reads through a user agent]
- SMTP is a text (ASCII) based protocol
- The MTA transfers mail from the user to the destination server
- MTA relays are used to relay the mail from other clients
- MTAs use SMTP to talk to each other
- All the messages are spooled before sending
©Copyright 2004. Amir Qayyum. All rights reserved
SMTP Message Flow
sending MTA (mail.uettaxila.edu.pk) ↔ receiving MTA (smtp.yahoo.com)
<TCP connection establishment to port 25>
"HELO mail.uettaxila.edu.pk."
"250 smtp.yahoo.com Hello mail.uettaxila.edu.pk., pleased to meet you"
"MAIL from: student1@uettaxila.edu.pk"
"250 student1@uettaxila.edu.pk... Sender ok"
"RCPT to: student2@yahoo.com"
"250 student2@yahoo… Recipient ok"
"DATA"
"354 Enter mail, end with "." on a line by itself"
<message to be sent>
.
"250 Mail accepted"
"QUIT"
"221 smtp.yahoo.com delivering mail"
SMTP Security Problems
- Designed in an era where internet security was not much of an issue
  - No security at the base protocol
- Designed around the idea of "cooperation" and "trust" between servers
  - Susceptible to DoS attacks
- Simply flood a mail server with SMTP connections or SMTP instructions.
SMTP Security Problems
- SMTP does not provide any protection of e-mail messages
  - Does not ask the sender to authenticate itself.
  - Messages can be read and modified by any of the MTAs involved
  - Fake messages can easily be generated (e-mail forgery)
  - Does not check what and from whom it is relaying the message
SMTP Security Problems – Example
% telnet frogstar.hit.com.pk 25
Trying...
Connected to frogstar.hit.com.pk.
Escape character is '^['.
220 frogstar.hit.com.pk ESMTP Sendmail 8.11.6/8.11.6; Mon, 10 Feb 2003 14:23:21 +0100
helo abcd.com.pk
250 frogstar.hit.com.pk Hello [152.66.249.32], pleased to meet you
mail from: bill.gates@microsoft.com
250 2.1.0 bill.gates@microsoft.com... Sender ok
rcpt to: user@ebizlab.hit.com.pk
250 2.1.5 user@ebizlab.hit.com.pk... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Your fake message goes here.
.
250 2.0.0 h1ADO5e21330 Message accepted for delivery
quit
221 frogstar.hit.com.pk closing connection
Connection closed by foreign host.
%
Be Careful, Though!
Return-Path: <bill.gates@microsoft.com>
Received: from frogstar.hit.com.pk (root@frogstar.hit.com.pk [152.66.248.44])
    by mail.ebizlab.hit.com.pk (8.12.7/8.12.7/Debian-2)
    with ESMTP id h1ADSsxG022719
    for <user@ebizlab.hit.com.pk>; Mon, 10 Feb 2003 14:28:54 +0100
Received: from abcd.com.pk ([152.66.249.32])
    by frogstar.hit.com.pk (8.11.6/8.11.6) with SMTP id h1ADO5e21330
    for user@ebizlab.hit.com.pk; Mon, 10 Feb 2003 14:25:41 +0100
Date: Mon, 10 Feb 2003 14:25:41 +0100
From: bill.gates@microsoft.com
Message-Id: <200302101325.h1ADO5e21330@frogstar.hit.com.pk>
To: undisclosed-recipients:;
X-Virus-Scanned: by amavis-dc
Status:
Your fake message goes here.
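The "Be Careful, Though!" slide makes the defender's point: the sender line is whatever the client typed, but each relay adds a Received header recording the address it actually saw. The following added example (not from the slides) parses the headers shown on that slide with Python's standard email module, reconstructs the relay path oldest hop first, and reports that the From: domain never appears anywhere in the path while the message entered the system from abcd.com.pk at [152.66.249.32] over plain SMTP. The regular expressions and the notion of "claimed domain in path" are constructed heuristics for the example, not an authentication standard.

```python
import re
from email import message_from_string

# The headers from the slide, folded with leading whitespace as a mail client stores them.
RAW_MESSAGE = """\
Return-Path: <bill.gates@microsoft.com>
Received: from frogstar.hit.com.pk (root@frogstar.hit.com.pk [152.66.248.44])
    by mail.ebizlab.hit.com.pk (8.12.7/8.12.7/Debian-2) with ESMTP id h1ADSsxG022719
    for <user@ebizlab.hit.com.pk>; Mon, 10 Feb 2003 14:28:54 +0100
Received: from abcd.com.pk ([152.66.249.32])
    by frogstar.hit.com.pk (8.11.6/8.11.6) with SMTP id h1ADO5e21330
    for user@ebizlab.hit.com.pk; Mon, 10 Feb 2003 14:25:41 +0100
Date: Mon, 10 Feb 2003 14:25:41 +0100
From: bill.gates@microsoft.com
Message-Id: <200302101325.h1ADO5e21330@frogstar.hit.com.pk>
To: undisclosed-recipients:;

Your fake message goes here.
"""

# "from <helo name> (<what the relay saw>) by <relay> ... with <protocol>"
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+).*?\bwith\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Parse the Received headers into hops, oldest (the injecting client)
    first.  Each hop records the name the client announced in HELO, the
    address the relay actually saw, the relay itself and the protocol."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())            # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        helo, seen, relay, proto = m.groups()
        ip = IP_RE.search(seen)
        hops.append({"helo": helo, "ip": ip.group(1) if ip else None,
                     "by": relay, "with": proto})
    return hops


def origin_check(raw):
    """Compare the From: domain with the relay path.  A sender domain that
    appears nowhere in the path is not proof of forgery on its own
    (legitimate mail is relayed too), but for mail claiming a well-known
    sender it is the first thing to look at, together with the origin hop."""
    msg = message_from_string(raw)
    from_domain = msg["From"].rsplit("@", 1)[-1].strip("<> ").lower()
    hops = received_chain(raw)
    names = {h["helo"].lower() for h in hops} | {h["by"].lower() for h in hops}
    in_path = any(n == from_domain or n.endswith("." + from_domain) for n in names)
    return {"from_domain": from_domain, "origin": hops[0] if hops else None,
            "claimed_domain_in_path": in_path}


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print(hop)
    print(origin_check(RAW_MESSAGE))
```

Only the outermost Received header (the one added by the receiving site's own MTA) can be trusted unconditionally; every inner one was written by a relay further away, and the origin hop is exactly the line an injecting client cannot remove because the relay adds it after the fact.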
Domain Name Server
DNS – Domain Name Server
- The DNS is a distributed database that provides mapping between hostnames and IP addresses
- The DNS name space is hierarchical
  - Top level domains: gTLDs: com, edu, gov, int, mil, net, org; ccTLDs like ae, …, pk, …, zw
  - Top level domains may contain second level domains, e.g., edu within pk, co within uk, …
  - Second level domains may contain third level domains, etc.
Domain Name Server
- Usually (not always) a name server knows the IP address of the top level name servers
- If a domain contains sub-domains, then the name server knows the IP address of the sub-domain name servers
- When a new host is added to a domain, the administrator adds the (hostname, IP address) mapping to the database of the local name server
DNS – Domain Name Server
- A single DNS reply may include several (hostname, IP address) mappings (Resource Records)
- Received information is cached by the name server
[Figure: resolution of authority.uettaxila.edu.pk. The application asks the local name server "authority.uettaxila.edu.pk = ?"; the local name server asks a top level name server, which returns the IP of the name server in pk; that server returns the IP of the name server in edu.pk; that server returns the IP of the name server in uettaxila.edu.pk, which answers 202.83.173.61; the local name server returns 202.83.173.61 to the application.]
DNS spoofing
- The cache of a DNS name server is poisoned with false information
- How to do it?
  - Assume that the attacker wants www.anything.com.pk to map to his own IP address 202.83.173.59
DNS Spoofing – Approach 1
- Attacker submits a DNS query "www.anything.com.pk=?" to ns.victim.com.pk
- A bit later it forges a DNS reply "www.anything.com.pk=202.83.173.59"
- UDP makes forging easier but the attacker must still predict the query ID
DNS Spoofing – Approach 2
DNS Spoofing – Approach 2
ā–ŗ Attacker has access to ns.attacker.com.pk
Attacker has access to ns.attacker.com.pk
ļ‚§ The attacker modifies its local name server such that
The attacker modifies its local name server such that
it responds a query ā€œwww.attacker.com.pk=?ā€ with
it responds a query ā€œwww.attacker.com.pk=?ā€ with
ā€œwww.anything.com.pk=202.83.173.59ā€
ā€œwww.anything.com.pk=202.83.173.59ā€
ļ‚§ The attacker then submits a query
The attacker then submits a query
ā€œwww.attacker.com.pk=?ā€ to ns.victim.com.pk
ā€œwww.attacker.com.pk=?ā€ to ns.victim.com.pk
ļ‚§ ns.victim.com.pk sends the query
ns.victim.com.pk sends the query
ā€œwww.attacker.com.pk=?ā€ to ns.attacker.com.pk
ā€œwww.attacker.com.pk=?ā€ to ns.attacker.com.pk
ļ‚§ ns.attacker.com.pk responds with
ns.attacker.com.pk responds with
ā€œwww.anything.com.pk=202.83.173.59ā€
ā€œwww.anything.com.pk=202.83.173.59ā€
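To make the two approaches concrete, here is an added example (not part of the lecture): a toy caching resolver with a minimal RFC 1035 message builder and parser, plus the two poisoning approaches run against it. The resolver's flags switch the historical weaknesses on and off (sequential query IDs, fixed source port 53, no bailiwick check). The names and the attacker's address are the slide's; the legitimate address 202.83.173.61 for www.anything.com.pk and the name probe.attacker.com.pk are assumptions made for the example.

```python
# Added example, not code from the lecture. Toy resolver + the two DNS
# poisoning approaches. Names are uncompressed (no pointer handling).
import random
import struct

TARGET = "www.anything.com.pk"
ATTACKER_IP = "202.83.173.59"   # from the slide
REAL_IP = "202.83.173.61"       # assumed legitimate address for TARGET

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def build_query(txid, qname):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD, 1 question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN

def build_reply(txid, qname, rr_name, ip, ttl=300):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR RD RA, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(rr_name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def parse_reply(msg):
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                             # skip QTYPE/QCLASS
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1:                                   # A record
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return txid, qname, answers

def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)

class Resolver:
    def __init__(self, random_txid=True, random_port=True, bailiwick_check=True):
        self.random_txid, self.random_port = random_txid, random_port
        self.bailiwick_check = bailiwick_check
        self._next_txid = 1          # sequential IDs, as in old resolvers
        self.pending = {}            # (txid, source port) -> (qname, zone asked)
        self.cache = {}              # name -> IP

    def send_query(self, qname, zone):
        if self.random_txid:
            txid = random.randrange(1 << 16)
        else:
            txid, self._next_txid = self._next_txid, (self._next_txid + 1) & 0xFFFF
        port = random.randrange(1024, 1 << 16) if self.random_port else 53
        self.pending[(txid, port)] = (qname, zone)
        return txid, port, build_query(txid, qname)

    def receive(self, reply, dst_port):
        txid, qname, answers = parse_reply(reply)
        if (txid, dst_port) not in self.pending:
            return False             # ID or port matches no outstanding query
        expected, zone = self.pending.pop((txid, dst_port))
        if qname != expected:
            return False             # question section does not match
        for name, ip, _ttl in answers:
            if self.bailiwick_check and not in_bailiwick(name, zone):
                continue             # record outside the answering server's zone
            self.cache[name] = ip
        return True

def approach_1(resolver, guesses=500):
    # Attacker first makes the resolver look up a name in his own zone, so
    # ns.attacker.com.pk sees the resolver's current query ID and source port.
    seen_txid, seen_port, _ = resolver.send_query("probe.attacker.com.pk", "attacker.com.pk")
    resolver.receive(build_reply(seen_txid, "probe.attacker.com.pk",
                                 "probe.attacker.com.pk", ATTACKER_IP), seen_port)
    # He then asks for TARGET and floods forged replies ahead of the real one.
    real_txid, real_port, _ = resolver.send_query(TARGET, "anything.com.pk")
    for i in range(guesses):
        guess = (seen_txid + 1 + i) & 0xFFFF        # only helps if IDs are sequential
        resolver.receive(build_reply(guess, TARGET, TARGET, ATTACKER_IP), seen_port)
        if resolver.cache.get(TARGET) == ATTACKER_IP:
            return True
    resolver.receive(build_reply(real_txid, TARGET, TARGET, REAL_IP), real_port)
    return resolver.cache.get(TARGET) == ATTACKER_IP

def approach_2(resolver):
    # Reply matches ID, port and question; only the answer name is out of zone.
    txid, port, _ = resolver.send_query("www.attacker.com.pk", "attacker.com.pk")
    resolver.receive(build_reply(txid, "www.attacker.com.pk", TARGET, ATTACKER_IP), port)
    return resolver.cache.get(TARGET) == ATTACKER_IP

def run_scenarios(seed=7):
    random.seed(seed)
    legacy = dict(random_txid=False, random_port=False, bailiwick_check=False)
    return {"approach1_legacy": approach_1(Resolver(**legacy)),
            "approach1_modern": approach_1(Resolver()),
            "approach2_legacy": approach_2(Resolver(**legacy)),
            "approach2_modern": approach_2(Resolver())}

if __name__ == "__main__":
    print(run_scenarios())
```

Against the legacy configuration both approaches poison the cache; against the hardened resolver the blind guessing of approach 1 fails and the out-of-zone record of approach 2 is discarded. Real resolvers add further checks not modelled here (matching the reply's source address, 0x20 case randomisation of the query name, and DNSSEC validation where the zone is signed).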
Common Types of Network Attacks
► 1. **DoS & DDoS Attacks** – Overloading a system (or its link) with traffic or expensive requests; DDoS uses many distributed sources.
► 2. **Phishing** – Tricking users into revealing credentials, usually with e-mail or web pages impersonating a trusted party.
► 3. **SQL Injection** – Injecting SQL syntax through untrusted input to read or modify the database behind an application.
► 4. **Cross-Site Scripting (XSS)** – Injecting scripts into web pages so that they run in other users' browsers.
► 5. **ARP Spoofing** – Sending fake ARP replies to intercept data on a LAN.
► 6. **DNS Spoofing** – Poisoning name resolution to redirect traffic to attacker-controlled hosts.
► 7. **Brute Force Attack** – Repeatedly guessing passwords (or keys).
► 8. **Zero-Day Attack** – Exploiting a vulnerability for which the vendor has no patch yet.
Port Scanning Techniques
► 1. **TCP Connect Scan** – Completes the 3-way handshake (a plain connect()) to detect open ports; needs no privileges, but every probe is a real connection that the application and its logs see.
► 2. **SYN Scan (Half-Open Scan)** – Sends SYN packets but does not complete the handshake: SYN/ACK means open, RST means closed, no answer means filtered; the scanner tears down with RST, so the application never sees the probe. Needs raw sockets (root).
► 3. **UDP Scan** – Sends empty (or protocol-specific) UDP datagrams and checks the response: ICMP port unreachable means closed, a UDP reply means open, silence means open|filtered. Slow, because hosts rate-limit ICMP errors.
► 4. **ACK Scan** – Sends bare ACK packets to determine firewall rules: a RST (from an open or a closed port) means unfiltered, silence or an ICMP error means filtered. It maps stateful filtering but does not find open ports.
► 5. **FIN Scan** – Sends a bare FIN; per RFC 793 a closed port answers RST and an open port stays silent (reported as open|filtered).
► 6. **XMAS Scan** – Sets FIN, PSH and URG and relies on the same RFC 793 behaviour as the FIN scan. Caveat: Windows and many network devices send RST for every port regardless of state, so FIN/XMAS/NULL scans report all ports closed there.
► 7. **Idle Scan** – Bounces probes off a "zombie" host with a predictable IP ID counter, so the target only ever sees the zombie's address.
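The connect scan above, as an added example that is not part of the lecture: it probes a small port range on loopback with connect(), where a listener started by the example itself stands in for the target. The listener records every accepted connection, which is the point of the example: a connect scan is the one technique that hands the target application a complete connection per probe, so it is the easiest to log and the noisiest. The host, port numbers and timeout are assumptions for the demonstration.

```python
# Added example, not code from the lecture: TCP connect scan (nmap -sT style)
# against a loopback listener, showing both the scanner's and the target's view.
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

def start_listener(host="127.0.0.1"):
    """Listen on an OS-chosen port; returns (socket, port, list of accepted peers)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    seen = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return                      # listener closed
            seen.append(peer)               # what the server (and its logs) observe
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], seen

def free_port(host="127.0.0.1"):
    """A port that is currently closed: bind to 0, read the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]

def probe(host, port, timeout=0.5):
    """One connect() probe. open = handshake completed, closed = RST (refused),
    filtered = no RST came back (timeout or ICMP error)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except OSError:                     # includes socket.timeout
            return "filtered"
        return "open"

def connect_scan(host, ports, workers=32):
    """Probe all ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, probe(host, p)), ports))

def run_demo():
    """Scan one open and one closed loopback port; report the scanner's result
    and how many probes the target application actually accepted."""
    srv, open_port, seen = start_listener()
    closed_port = free_port()
    try:
        states = connect_scan("127.0.0.1", [open_port, closed_port])
        deadline = time.monotonic() + 2.0
        while not seen and time.monotonic() < deadline:
            time.sleep(0.02)                # give the accept thread a moment
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "states": states, "probes_seen_by_target": len(seen)}

if __name__ == "__main__":
    print(run_demo())
```

The same classification with Nmap is `nmap -sT`; the half-open, UDP, ACK, FIN, XMAS and idle scans of the list above are `-sS`, `-sU`, `-sA`, `-sF`, `-sX` and `-sI zombie`. All but `-sT` and `-sU` craft their own packets and therefore need raw-socket privileges; in exchange the SYN scan never completes the handshake, so the application accept loop (and `probes_seen_by_target` here) stays at zero, although a firewall, IDS or connection-tracking log still records the SYN.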
Port Scanning Tools
► 1. **Nmap** – Most widely used port scanner; implements all of the scan types above plus service and OS detection.
► 2. **Netcat** – For manual port communication (connect to a port, grab the banner, send hand-written input).
► 3. **Angry IP Scanner** – GUI-based host and port scanner.
► 4. **Masscan** – High-speed network scanner (asynchronous SYN scanning of whole address ranges).
Questions?
Lecture7-8-Network Protocls attack in cyber.ppt

  • 1. Network Attacks & Port Network Attacks & Port Scanning Techniques Scanning Techniques
  • 2. Types of Network Attacks Types of Network Attacks 1. Passive Attacks 1. Passive Attacks ā–ŗ - Eavesdropping - Eavesdropping ā–ŗ - Traffic Analysis - Traffic Analysis 2. Active Attacks 2. Active Attacks ā–ŗ - Man-in-the-Middle (MitM) - Man-in-the-Middle (MitM) ā–ŗ - Denial-of-Service (DoS) - Denial-of-Service (DoS) ā–ŗ - Session Hijacking - Session Hijacking
  • 3. 3. Insider Attacks 3. Insider Attacks ā–ŗ - Privilege Escalation - Privilege Escalation ā–ŗ - Data Theft - Data Theft ā–ŗ4. Malware-Based Attacks 4. Malware-Based Attacks ā–ŗ - Ransomware - Ransomware ā–ŗ - Worms & Trojans - Worms & Trojans
  • 4. Classify Security Attacks as Classify Security Attacks as ā–ŗ Passive attacks Passive attacks - - eavesdropping on, or eavesdropping on, or monitoring of, transmissions to: monitoring of, transmissions to: ļ‚§ obtain message contents, or obtain message contents, or ļ‚§ monitor traffic flows monitor traffic flows ā–ŗ Active attacks Active attacks – modification of data stream – modification of data stream to: to: ļ‚§ masquerade of one entity as some other of one entity as some other ļ‚§ replay previous messages replay previous messages ļ‚§ modify messages in transit modify messages in transit ļ‚§ denial of service denial of service
  • 5. Passive Attacks: Release of Message Passive Attacks: Release of Message Contents Contents
  • 6. Passive Attacks: Traffic Analysis Passive Attacks: Traffic Analysis
  • 7. Active Attacks: Masquerade Active Attacks: Masquerade
  • 9. Active Attacks: Modification of Active Attacks: Modification of Messages Messages
  • 10. Active Attacks: Denial of Service Active Attacks: Denial of Service
  • 11. Classify Security Attacks as Classify Security Attacks as
  • 12. Model for Network Security . Model for Network Security .
  • 13. Model for Network Security Model for Network Security ā–ŗ Using this model requires us to: Using this model requires us to: 1. 1. Design a suitable algorithm for the security Design a suitable algorithm for the security transformation transformation 2. 2. Generate the secret information (keys) used by the Generate the secret information (keys) used by the algorithm algorithm 3. 3. Develop methods to distribute and share the Develop methods to distribute and share the secret information secret information 4. 4. Specify a protocol enabling the principals to use Specify a protocol enabling the principals to use the transformation and secret information for a the transformation and secret information for a security service security service
  • 14. Model for Network Access Security Model for Network Access Security . .
  • 15. Model for Network Access Security Model for Network Access Security ā–ŗ Using this model requires us to: Using this model requires us to: 1. 1. select appropriate gatekeeper functions to select appropriate gatekeeper functions to identify users identify users 2. 2. implement security controls to ensure only implement security controls to ensure only authorised users access designated authorised users access designated information or resources information or resources ā–ŗ Trusted computer systems can be used Trusted computer systems can be used to implement this model to implement this model
  • 16. Methods of Defense Methods of Defense ā–ŗEncryption Encryption ā–ŗSoftware Controls (access limitations in a Software Controls (access limitations in a data base, in operating system protect data base, in operating system protect each user from other users) each user from other users) ā–ŗHardware Controls (smartcard) Hardware Controls (smartcard) ā–ŗPolicies (frequent changes of passwords) Policies (frequent changes of passwords) ā–ŗPhysical Controls Physical Controls
  • 17. Internet standards and RFCs Internet standards and RFCs ā–ŗThe Internet society The Internet society ļ‚§ Internet Architecture Board (IAB) Internet Architecture Board (IAB) ļ‚§ Internet Engineering Task Force (IETF) Internet Engineering Task Force (IETF) ļ‚§ Internet Engineering Steering Group (IESG) Internet Engineering Steering Group (IESG)
  • 18. Internet RFC Publication Internet RFC Publication Process Process
  • 19. Vulnerabilities in Network Vulnerabilities in Network Protocols Protocols
  • 20. Outline Outline ā–ŗ TCP/IP Layering TCP/IP Layering ā–ŗ Names and Addresses Names and Addresses ā–ŗ Security Considerations for Security Considerations for ļ‚§ Address Resolution Protocol Address Resolution Protocol ļ‚§ Internet Protocol Internet Protocol ļ‚§ Transmission Control Protocol Transmission Control Protocol ļ‚§ FTP,Telnet, SMTP FTP,Telnet, SMTP ļ‚§ Web Security Web Security (Next Lecture) (Next Lecture) ā–ŗ Browser Side Risks Browser Side Risks ā–ŗ Server Side Risks Server Side Risks
  • 24. RARP IGMP Demultiplexing Demultiplexing Ethernet driver DNS HTTP FTP TCP UDP IP ICMP ARP SMTP SNMP … … demuxing based on frame type in the Ethernet header demuxing based on the protocol id in the IP header demuxing based on the port number in the TCP or UDP header
  • 25. Names and Addresses Names and Addresses
  • 26. IP Addresses IP Addresses ā–ŗFormat "A.B.C.D" where each letter is a byte Format "A.B.C.D" where each letter is a byte ā–ŗClass A network : A.0.0.0 Class A network : A.0.0.0 ļ‚§Zeroes are used to indicate that any number could be in that Zeroes are used to indicate that any number could be in that position position ā–ŗClass B network: A.B.0.0 Class B network: A.B.0.0 ā–ŗClass C network: A.B.C.0 Class C network: A.B.C.0 ā–ŗBroadcast addresses: Broadcast addresses: ļ‚§255.255.255.255 255.255.255.255 ļ‚§A.B.C.255 A.B.C.255 ā–ŗSpecial case Special case ļ‚§0.0.0.0 and A.B.C.0 can be either treated as a broadcast or discarded 0.0.0.0 and A.B.C.0 can be either treated as a broadcast or discarded
  • 27. Hardware (MAC) Hardware (MAC) Addresses Addresses ā–ŗ Every interface has a unique and fixed Every interface has a unique and fixed hardware address too hardware address too ā–ŗ Used by the data link layer Used by the data link layer ā–ŗ In case of Ethernet, it is 48 bits long In case of Ethernet, it is 48 bits long ā–ŗ Mapping between IP addresses and MAC Mapping between IP addresses and MAC addresses are done by ARP addresses are done by ARP
  • 28. Host Names Host Names ā–ŗ Human readable, hierarchical names, such as Human readable, hierarchical names, such as www.uettaxila.edu.pk www.uettaxila.edu.pk ā–ŗ Every host may have several names Every host may have several names ā–ŗ Mapping between names and IP addresses is Mapping between names and IP addresses is done by the Domain Name System (DNS) done by the Domain Name System (DNS)
  • 29. Address Resolution Protocol Address Resolution Protocol
  • 30. ARP – Address Resolution ARP – Address Resolution Protocol Protocol ā–ŗ Mapping from IP addresses to MAC addresses Mapping from IP addresses to MAC addresses Request 192.168.0 .1 .2 .3 .4 .5 08:00:20:03:F6:42 00:00:C0:C2:9B:26 Reply 192.168.0 .1 .2 .3 .4 .5 08:00:20:03:F6:42 00:00:C0:C2:9B:26 arp req | target IP: 192.168.0.5 | target eth: ? arp rep | sender IP: 192.168.0.5 | sender eth: 00:00:C0:C2:9B:26
  • 31. ARP Spoofing ARP Spoofing ā–ŗ An ARP request can be responded by another host An ARP request can be responded by another host Request 192.168.0 .1 .2 .3 .4 .5 08:00:20:03:F6:42 00:00:C0:C2:9B:26 Reply 192.168.0 .1 .2 .3 .4 .5 08:00:20:03:F6:42 00:00:C0:C2:9B:26 arp req | target IP: 192.168.0.5 | target eth: ? arp rep | sender IP: 192.168.0.5 | sender eth: 00:34:CD:C2:9F:A0 00:34:CD:C2:9F:A0
  • 32. Switch ARP Spoofing . ARP Spoofing . ā–ŗUsed for sniffing on switched LAN Used for sniffing on switched LAN Outside World 1. Configure IP forwarding 2. Send fake ARP response to map default router’s IP to attacker’s MAC 3. Victim sends traffic based on poisoned ARP cache 4. Sniff the traffic from the link 5. Packets are forwarded from attacker’s machine to actual default router Default Router Default Router Attacker Attacker Victim Victim
  • 33. ARP Spoofing Prevention ? ARP Spoofing Prevention ? ā–ŗ Cryptographic protection on the data is the only Cryptographic protection on the data is the only way way ļ‚§ Not allow any untrusted node to read the contents Not allow any untrusted node to read the contents of your traffic of your traffic
  • 35. IP – Internet Protocol IP – Internet Protocol ā–ŗ Provides an unreliable, connectionless datagram Provides an unreliable, connectionless datagram delivery service to the upper layers delivery service to the upper layers ā–ŗ Its main function is routing Its main function is routing ā–ŗ It is implemented in both end systems and It is implemented in both end systems and intermediate systems (routers) intermediate systems (routers) ā–ŗ Routers maintain routing tables that define the next Routers maintain routing tables that define the next hop router towards a given destination (host or hop router towards a given destination (host or network) network) ā–ŗ IP routing uses the routing table and the information in IP routing uses the routing table and the information in the IP header (e.g., the destination IP address) to route the IP header (e.g., the destination IP address) to route a packet a packet
  • 36. IP Security Problems IP Security Problems ā–ŗ User data in IP packets is not protected in any way User data in IP packets is not protected in any way ļ‚§ Anyone who has access to a router can read Anyone who has access to a router can read and modify the user data in the packets and modify the user data in the packets ā–ŗ IP packets are not authenticated IP packets are not authenticated ļ‚§ It is fairly easy to generate an IP packet with an It is fairly easy to generate an IP packet with an arbitrary source IP address arbitrary source IP address ā–ŗ Traffic analysis Traffic analysis ļ‚§ Even if user data was encrypted, one could Even if user data was encrypted, one could easily determine who is communicating with easily determine who is communicating with whom by just observing the addressing whom by just observing the addressing information in the IP headers information in the IP headers
  • 37. IP Security Problems IP Security Problems ā–ŗ Information exchanged between routers to Information exchanged between routers to maintain their routing tables is not authenticated maintain their routing tables is not authenticated ļ‚§ Correct routing table updates can be modified Correct routing table updates can be modified or fake ones can be disseminated or fake ones can be disseminated ļ‚§ This may screw up routing completely leading This may screw up routing completely leading to loops or partitions to loops or partitions ļ‚§ It may also facilitate eavesdropping, It may also facilitate eavesdropping, modification, and monitoring of traffic modification, and monitoring of traffic ļ‚§ It may cause congestion of links or routers (i.e., It may cause congestion of links or routers (i.e., denial of service) denial of service)
  • 39. TCP – Transmission Control TCP – Transmission Control Protocol Protocol ā–ŗ Provides a connection oriented, reliable, byte Provides a connection oriented, reliable, byte stream service to the upper layers stream service to the upper layers ā–ŗ Connection oriented: Connection oriented: ļ‚§ Connection establishment phase prior to Connection establishment phase prior to data transfer data transfer ļ‚§ State information (sequence numbers, State information (sequence numbers, window size, etc.) is maintained at both ends window size, etc.) is maintained at both ends
  • 40. TCP- TCP- Reliability Reliability ā–ŗ Positive acknowledgement scheme Positive acknowledgement scheme (unacknowledged bytes are retransmitted after (unacknowledged bytes are retransmitted after a timeout) a timeout) ā–ŗ Checksum on both header and data Checksum on both header and data ā–ŗ Reordering of segments that are out of order Reordering of segments that are out of order ā–ŗ Detection of duplicate segments Detection of duplicate segments ā–ŗ Flow control (sliding window mechanism) Flow control (sliding window mechanism)
  • 41. TCP Connection Establishment TCP Connection Establishment Client Server SYNC SYNS, ACKC ACKS Listening Store data Wait Connected
  • 42. TCP Sequence Numbers TCP Sequence Numbers ā–ŗ TCP uses ISN (Initial Sequence Number) to order the TCP uses ISN (Initial Sequence Number) to order the incoming packets for a connection incoming packets for a connection ā–ŗ Sequence numbers are 32 bits long Sequence numbers are 32 bits long ā–ŗ The sequence number in a data segment identifies the first The sequence number in a data segment identifies the first byte in the segment byte in the segment ā–ŗ Sequence numbers are initialized with a ā€œrandomā€ value Sequence numbers are initialized with a ā€œrandomā€ value during connection setup during connection setup ā–ŗ The RFC suggests that the ISN is incremented by one at The RFC suggests that the ISN is incremented by one at least every 4 least every 4  s s
  • 43. TCP SYN Attack TCP SYN Attack ā–ŗ An attacker can impersonate a trusted host An attacker can impersonate a trusted host (e.g., in case of (e.g., in case of r commands, authentication , authentication is based on source IP address solely) is based on source IP address solely) ļ‚§ This can be done guessing the sequence number This can be done guessing the sequence number in the ongoing communication in the ongoing communication ļ‚§ The initial sequence numbers are intended to be The initial sequence numbers are intended to be more or less random more or less random
  • 44. TCP SYN Attack TCP SYN Attack ā–ŗ In Berkeley implementations, the ISN is In Berkeley implementations, the ISN is incremented by a constant amount incremented by a constant amount ļ‚§ 128,000 once per second, and 128,000 once per second, and ļ‚§ further 64,000 each time a connection is initiated further 64,000 each time a connection is initiated ā–ŗ RFC 793 specifies that the 32-bit counter be RFC 793 specifies that the 32-bit counter be incremented by 1 about every 4 incremented by 1 about every 4  s s ļ‚§ the ISN cycles every 4.55 hours the ISN cycles every 4.55 hours ā–ŗ Whatever! It is not hopeless to guess the next ISN to Whatever! It is not hopeless to guess the next ISN to be used by a system be used by a system
  • 45. Launching a SYN Attack Launching a SYN Attack ā–ŗ The attacker first establishes a valid The attacker first establishes a valid connection with the target to know its ISN. connection with the target to know its ISN. ā–ŗ Next it impersonates itself as trusted host T Next it impersonates itself as trusted host T and sends the connection request with ISN and sends the connection request with ISNx x ā–ŗ The target sends the ACK with its ISN The target sends the ACK with its ISNs s to the to the trusted host T trusted host T ā–ŗ The attacker after the expected time sends The attacker after the expected time sends the ACK with predicted ISN the ACK with predicted ISNs s’ ’
  • 46. Launching a SYN Attack Launching a SYN Attack SYN = ISNX, SRC_IP = T SYN = ISNS, ACK(ISNX) ACK(ISNS), SRC_IP = T SRC_IP = T, nasty_data attacker server trusted host (T)
  • 47. What about the ACK for T? What about the ACK for T? ā–ŗ If the ACK is received by the trusted host T If the ACK is received by the trusted host T ļ‚§ It will reject it, as no request for a connection was made by it It will reject it, as no request for a connection was made by it ļ‚§ RST will be sent and the server drops the connection RST will be sent and the server drops the connection BUT!!! BUT!!! ā–ŗ The attacker can either launch this attack when T is The attacker can either launch this attack when T is down down ā–ŗ Or launch some sort of DoS attack on T Or launch some sort of DoS attack on T ļ‚§ So that it can’t reply So that it can’t reply
  • 48. TCP SYN Attack – How to Guess TCP SYN Attack – How to Guess ISN ISNS S? ? ļ‚§ ISN ISNS S’ (Attacker’s ISN) depends on ISN ’ (Attacker’s ISN) depends on ISNS S and and  t t ļ‚§  t can be estimated from the round trip time t can be estimated from the round trip time ļ‚§ Assume Assume  t can be estimated with 10 ms precision t can be estimated with 10 ms precision SYN = ISNX SYN = ISNS , ACK(ISNX ) SYN = ISNX’, SRC_IP = T SYN = ISNS’, ACK(ISNX) ACK(ISNS’), SRC_IP =T attacker server t
  • 49. TCP SYN Attack – How to Guess TCP SYN Attack – How to Guess ISN ISNS S? ? ā–ŗAttacker has an uncertainty of 1280 in the Attacker has an uncertainty of 1280 in the possible value for ISN possible value for ISNS S’ ’ ā–ŗAssume each trial takes 5 s Assume each trial takes 5 s ā–ŗThe attacker has a reasonable likelihood The attacker has a reasonable likelihood of succeeding in 6400 s and a near- of succeeding in 6400 s and a near- certainty within one day! certainty within one day!
  • 50. How to Prevent it? How to Prevent it? ā–ŗCan be prevented by properly configuring Can be prevented by properly configuring the firewall the firewall ļ‚§ Do not allow any communication from Do not allow any communication from outside using the address of some internal outside using the address of some internal network network
  • 51. TCP SYN Flood TCP SYN Flood ā–ŗ Attacker’s goal is to Attacker’s goal is to overwhelm the overwhelm the destination machine destination machine with SYN packets with with SYN packets with spoofed IP spoofed IP ā–ŗ This results in: This results in: ļ‚§ The server’s The server’s connection queue connection queue filling up causing DoS filling up causing DoS Attack Attack ļ‚§ Or even if queue is Or even if queue is large enough, all large enough, all ports will be busy and ports will be busy and the service could not the service could not be provided by the be provided by the server server C S SYNC1 Listening Store data SYNC2 SYNC3 SYNC4 SYNC5
  • 52. How to Avoid TCP SYN Flood How to Avoid TCP SYN Flood ā–ŗ Decrease the wait time for half open connection Decrease the wait time for half open connection ā–ŗ Do not store the connection information Do not store the connection information ā–ŗ Use SYN cookies as sequence numbers during Use SYN cookies as sequence numbers during connection setup connection setup ā–ŗ SYN cookie is some function applied on SYN cookie is some function applied on ļ‚§ Dest IP, Source IP, Port numbers, Time and a Dest IP, Source IP, Port numbers, Time and a secret number secret number
  • 53. TCP Congestion Control TCP Congestion Control • If packets are lost, assume congestion – Reduce transmission rate by half, repeat – If loss stops, increase rate very slowly Design assumes routers blindly obey this policy Source Destination
  • 54. TCP Congestion Control- TCP Congestion Control- Competition Competition • Friendly source A give way to overexcited source B – Both senders experience packet loss – Source A backs off – Source B disobeys protocol, gets better results! Source A Source B Destination Destination
  • 55. DoS-Denial of Service Attacks DoS-Denial of Service Attacks ā–ŗ Attempts to prevent the victim from being able Attempts to prevent the victim from being able to establish connections to establish connections ā–ŗ Accomplished by involving the victim in heavy Accomplished by involving the victim in heavy processing processing ļ‚§ like sending the TCP SYN packets to all ports like sending the TCP SYN packets to all ports of the victim and avoiding new connection of the victim and avoiding new connection establishment establishment ā–ŗ DoS attacks are much easier to accomplish than DoS attacks are much easier to accomplish than gaining administrative access gaining administrative access
  • 56. Exploiting Ping Command for Exploiting Ping Command for Smurf DoS Attack Smurf DoS Attack • Send ping request to subnet-directed broadcast address with spoofed IP (ICMP Echo Request) • Lots of responses: – Every host on target network generates a ping reply (ICMP Echo Reply) to victim – Ping reply stream can overload victim gateway DoS Source DoS Target 1 ICMP Echo Req Src: DoS Target Dest: brdct addr 3 ICMP Echo Reply Dest: DoS Target
  • 57. Smurf DoS Attack Prevention Smurf DoS Attack Prevention ā–ŗ Have adequate bandwidth and redundant Have adequate bandwidth and redundant paths paths ā–ŗ Filter ICMP messages to reject external packets Filter ICMP messages to reject external packets to broadcast address to broadcast address
  • 58. FTP – File Transfer Protocol FTP – File Transfer Protocol user user interface protocol interpreter data transfer function file system protocol interpreter data transfer function file system client server data connection control connection (FTP commands and replies)
  • 59. FTP – File Transfer Protocol FTP – File Transfer Protocol ā–ŗ Typical FTP commands: Typical FTP commands: ļ‚§ RETR RETR filename filename – retrieve (get) a file from the server – retrieve (get) a file from the server ļ‚§ STOR filename – store (put) a file on the server STOR filename – store (put) a file on the server ļ‚§ TYPE TYPE type type – specify file type (e.g., A for ASCII) – specify file type (e.g., A for ASCII) ļ‚§ USER USER username username – username on server – username on server ļ‚§ PASS PASS password password – password on server – password on server ā–ŗ FTP is a text (ASCII) based protocol FTP is a text (ASCII) based protocol …
  • 60. FTP – File Transfer Protocol FTP – File Transfer Protocol % ftp www.comsats.edu.pk Connected to www.comsats.edu.pk Name: abc Password: pswd client server <TCP connection setup to port 21 of www.comsats.edu.pk > ā€œ220 www.comsats.edu.pk FTP server (version 5.60) ready.ā€ ā€œUSER abcā€ ā€œ331 Password required for user abc.ā€ ā€œPASS pswdā€ ā€œ230 User abc logged in.ā€
  • 61. Problems with FTP Problems with FTP ā–ŗ FTP information exchange is in clear text FTP information exchange is in clear text ļ‚§ The attacker can easily eavesdrop and get The attacker can easily eavesdrop and get the secret information the secret information ļ‚§ The attacker can also know the software The attacker can also know the software version of FTP running to exploit the version of FTP running to exploit the vulnerabilities of that particular version vulnerabilities of that particular version
  • 62. FTP Bounce Scans FTP Bounce Scans ā–ŗ FTP has a feature to open connection with victim machine on the request from attacker machine FTP has a feature to open connection with victim machine on the request from attacker machine ā–ŗ Machine A (Attacker) can request to check for the open ports on the target machine X (Victim) Machine A (Attacker) can request to check for the open ports on the target machine X (Victim) ā–ŗ Newer version of FTP does not support Newer version of FTP does not support this forwarding feature this forwarding feature Attacker FTP Server Victim to be scanned FTP control connection
  • 63. Telnet Telnet ā–ŗ Provides Provides remote login remote login service to users service to users ā–ŗ Works between hosts that use different Works between hosts that use different operating systems operating systems ā–ŗ Uses option negotiation between client and Uses option negotiation between client and server to determine what features are server to determine what features are supported by both ends supported by both ends
  • 64. Telnet Telnet Telnet client Telnet server terminal driver TCP/IP pseudo- terminal driver TCP/IP login shell user kernel kernel TCP connection
  • 65. Telnet Session Example Telnet Session Example ā–ŗSingle character at a time Single character at a time
  • 66. Telnet Example Telnet Example % telnet ahost.com.pk Connected to ahost.com.pk Escape character is ā€˜^]’. Login: s client server <TCP connection setup to port 23 of ahost.com.pk> <Telnet option negotiation> ā€œUNIX(r) System V Release 4.0ā€ ā€œLogin:ā€ ā€œsā€ ā€œPassword:ā€ … Login: st ā€œtā€ Login: student ā€œtā€ Password: c ā€œcā€ … Password: cab123 ā€œ3ā€ <OS greetings and shell prompt, e.g., ā€œ%ā€> … … …
  • 67. Problems with Telnet
    ► Information exchange is in clear text
      ▪ The attacker can easily eavesdrop and get information like usernames and passwords
      ▪ The attacker can also learn the version, to exploit the vulnerabilities of that particular version
  • 68. SMTP – Simple Mail Transfer Protocol
    [Diagram: sending host (user → user agent → local MTA, mails to be sent) → relay MTA → relay MTA → receiving host (local MTA → user mailbox → user agent → user); every hop is an SMTP exchange over a TCP connection to TCP port 25]
  • 69. SMTP
    ► SMTP is a text (ASCII) based protocol
    ► The MTA transfers mail from the user to the destination server
    ► MTA relays are used to relay the mail from other clients
    ► MTAs use SMTP to talk to each other
    ► All the messages are spooled before sending
  • 70. SMTP Message Flow (©Copyright 2004. Amir Qayyum. All rights reserved)
    sending MTA (mail.uettaxila.edu.pk)          receiving MTA (smtp.yahoo.com)
    <TCP connection establishment to port 25>
    “HELO mail.uettaxila.edu.pk.”
                                    ← “250 smtp.yahoo.com Hello mail.uettaxila.edu.pk., pleased to meet you”
    “MAIL from: student1@uettaxila.edu.pk”
                                    ← “250 student1@uettaxila.edu.pk... Sender ok”
    “RCPT to: student2@yahoo.com”
                                    ← “250 student2@yahoo… Recipient ok”
    “DATA”
                                    ← “354 Enter mail, end with a "." on a line by itself”
    <message to be sent>
    .
                                    ← “250 Mail accepted”
    “QUIT”
                                    ← “221 smtp.yahoo.com delivering mail”
  • 71. SMTP Security Problems
    ► Designed in an era where internet security was not much of an issue
      ▪ No security at the base protocol
    ► Designed around the idea of “cooperation” and “trust” between servers
      ▪ Susceptible to DoS attacks
    ► Simply flood a mail server with SMTP connections or SMTP instructions.
  • 72. SMTP Security Problems
    ► SMTP does not provide any protection of e-mail messages
      ▪ Does not ask the sender to authenticate itself.
      ▪ Messages can be read and modified by any of the MTAs involved
      ▪ Fake messages can easily be generated (e-mail forgery)
      ▪ Does not check what it is relaying, or from whom
  • 73. SMTP Security Problems Example
    % telnet frogstar.hit.com.pk 25
    Trying...
    Connected to frogstar.hit.com.pk.
    Escape character is ‘^[’.
    220 frogstar.hit.com.pk ESMTP Sendmail 8.11.6/8.11.6; Mon, 10 Feb 2003 14:23:21 +0100
    helo abcd.com.pk
    250 frogstar.hit.com.pk Hello [152.66.249.32], pleased to meet you
    mail from: bill.gates@microsoft.com
    250 2.1.0 bill.gates@microsoft.com... Sender ok
    rcpt to: user@ebizlab.hit.com.pk
    250 2.1.5 user@ebizlab.hit.com.pk... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    Your fake message goes here.
    .
    250 2.0.0 h1ADO5e21330 Message accepted for delivery
    quit
    221 frogstar.hit.com.pk closing connection
    Connection closed by foreign host.
    %
  • 74. Be Careful, Though!
    Return-Path: <bill.gates@microsoft.com>
    Received: from frogstar.hit.com.pk (root@frogstar.hit.com.pk [152.66.248.44]) by mail.ebizlab.hit.com.pk (8.12.7/8.12.7/Debian-2) with ESMTP id h1ADSsxG022719 for <user@ebizlab.hit.com.pk>; Mon, 10 Feb 2003 14:28:54 +0100
    Received: from abcd.com.pk ([152.66.249.32]) by frogstar.hit.com.pk (8.11.6/8.11.6) with SMTP id h1ADO5e21330 for user@ebizlab.hit.com.pk; Mon, 10 Feb 2003 14:25:41 +0100
    Date: Mon, 10 Feb 2003 14:25:41 +0100
    From: bill.gates@microsoft.com
    Message-Id: <200302101325.h1ADO5e21330@frogstar.hit.com.pk>
    To: undisclosed-recipients:;
    X-Virus-Scanned: by amavis-dc
    Status:

    Your fake message goes here.
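The point of slides 73 and 74 is that the forged "mail from:" survives, but the Received: lines written by each MTA record where the message really came from. The following added example (not part of the original slides) walks the Received: chain of the message shown above and compares what the first receiving MTA saw with the claimed From: domain; the header text is a constructed copy of the slide's headers, folded the way a mailer writes them.

```python
import email
import re

# Constructed copy of the headers shown on slide 74, folded as a mailer writes them.
FORGED_MAIL = (
    "Return-Path: <bill.gates@microsoft.com>\n"
    "Received: from frogstar.hit.com.pk (root@frogstar.hit.com.pk [152.66.248.44])\n"
    "\tby mail.ebizlab.hit.com.pk (8.12.7/8.12.7/Debian-2) with ESMTP id h1ADSsxG022719\n"
    "\tfor <user@ebizlab.hit.com.pk>; Mon, 10 Feb 2003 14:28:54 +0100\n"
    "Received: from abcd.com.pk ([152.66.249.32])\n"
    "\tby frogstar.hit.com.pk (8.11.6/8.11.6) with SMTP id h1ADO5e21330\n"
    "\tfor user@ebizlab.hit.com.pk; Mon, 10 Feb 2003 14:25:41 +0100\n"
    "From: bill.gates@microsoft.com\n"
    "To: undisclosed-recipients:;\n"
    "\n"
    "Your fake message goes here.\n"
)

# "from <HELO name> (<reverse name, if the MTA could resolve one> [<ip>]) by <receiving MTA>"
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")

def trace_hops(raw):
    """Relay chain oldest-first as (helo_name, reverse_name, ip, by_host) tuples."""
    msg = email.message_from_string(raw)
    hops = []
    # Every MTA prepends its own Received: line, so the last one describes the first hop.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))   # unfold the header first
        if not m:
            continue
        helo, paren, by_host = m.groups()
        ip = re.search(r"\[([0-9.]+)\]", paren)
        rev = re.match(r"(?:\S+@)?([A-Za-z0-9.-]+)\s+\[", paren)
        hops.append((helo, rev.group(1) if rev else None,
                     ip.group(1) if ip else None, by_host))
    return hops

def check_origin(raw):
    """Compare the claimed From: domain with what the first receiving MTA actually saw."""
    msg = email.message_from_string(raw)
    from_domain = msg["From"].rsplit("@", 1)[-1].strip("<> ").lower()
    hops = trace_hops(raw)
    if not hops:
        return {"origin_ip": None, "findings": ["no Received: headers, origin untraceable"]}
    helo, rev, ip, by_host = hops[0]
    findings = []
    if not helo.lower().endswith(from_domain):
        findings.append(f"HELO name {helo} does not match From domain {from_domain}")
    if rev is None:
        findings.append(f"{by_host} recorded no reverse name for {ip}; HELO is unverified")
    elif not rev.lower().endswith(from_domain):
        findings.append(f"reverse name {rev} does not match From domain {from_domain}")
    return {"origin_ip": ip, "findings": findings}
```

For the slide's message the first hop is 152.66.249.32, announced as abcd.com.pk with no reverse name, which is what an operator would act on rather than the microsoft.com sender address.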
  • 76. DNS – Domain Name Server
    ► The DNS is a distributed database that provides mapping between hostnames and IP addresses
    ► The DNS name space is hierarchical
      ▪ Top level domains: gTLDs (com, edu, gov, int, mil, net, org) and ccTLDs (ae, …, pk, …, zw)
      ▪ Top level domains may contain second level domains, e.g., edu within pk, co within uk, …
      ▪ Second level domains may contain third level domains, etc.
  • 77. Domain Name Server
    ► Usually (not always) a name server knows the IP address of the top level name servers
    ► If a domain contains sub-domains, then the name server knows the IP address of the sub-domain name servers
    ► When a new host is added to a domain, the administrator adds the (hostname, IP address) mapping to the database of the local name server
  • 78. DNS – Domain Name Server
      ▪ A single DNS reply may include several (hostname, IP address) mappings (Resource Records)
      ▪ Received information is cached by the name server
    [Diagram: the application asks the local name server “authority.uettaxila.edu.pk = ?”; the local name server asks the top level name server and gets the IP of the ns in pk, asks it and gets the IP of the ns in edu.pk, asks it and gets the IP of the ns in uettaxila.edu.pk, and finally gets 202.83.173.61, which is returned to the application]
  • 79. DNS spoofing
    ► The cache of a DNS name server is poisoned with false information
    ► How to do it?
      ▪ Assume that the attacker wants www.anything.com.pk to map to his own IP address 202.83.173.59
  • 80. DNS Spoofing - Approach 1
    ► Attacker submits a DNS query “www.anything.com.pk=?” to ns.victim.com.pk
    ► A bit later it forges a DNS reply “www.anything.com.pk=202.83.173.59”
    ► UDP makes forging easier but the attacker must still predict the query ID
  • 81. DNS Spoofing – Approach 2
    ► Attacker has access to ns.attacker.com.pk
      ▪ The attacker modifies its local name server such that it responds to a query “www.attacker.com.pk=?” with “www.anything.com.pk=202.83.173.59”
      ▪ The attacker then submits a query “www.attacker.com.pk=?” to ns.victim.com.pk
      ▪ ns.victim.com.pk sends the query “www.attacker.com.pk=?” to ns.attacker.com.pk
      ▪ ns.attacker.com.pk responds with “www.anything.com.pk=202.83.173.59”
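Both approaches on slides 80 and 81 depend on the victim resolver accepting a reply it should not. The following added example (not from the original slides) models the two acceptance checks a resolver applies: a reply must match the outstanding query's random ID, destination port and name (defeating the blind forgery of Approach 1), and only records inside the zone the answering server is responsible for are cached (the "bailiwick" rule, which discards the www.anything.com.pk record of Approach 2). The dictionaries standing in for DNS messages and the address 198.51.100.7 for www.attacker.com.pk are constructed for the example.

```python
import secrets

def new_query(qname, server_zone):
    """Record an outstanding query. A random 16-bit ID and a random source port
    are the standard hardening against the blind reply forgery of Approach 1."""
    return {"qname": qname, "txid": secrets.randbelow(1 << 16),
            "src_port": 1024 + secrets.randbelow(64512), "zone": server_zone}

def in_bailiwick(name, zone):
    """True if `name` lies inside `zone`, the zone the queried server is authoritative for
    (in a real resolver the zone comes from the delegation that led to that server)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def accept_reply(pending, reply):
    """Filter a reply against the outstanding query.

    Returns None when ID, destination port or name do not match (Approach 1: a forgery
    that mis-guessed the query ID is dropped). Otherwise returns (cacheable, rejected):
    records outside the answering server's zone are rejected (Approach 2:
    ns.attacker.com.pk may answer for attacker.com.pk, not for anything.com.pk)."""
    if (reply["txid"] != pending["txid"] or reply["dst_port"] != pending["src_port"]
            or reply["qname"].lower() != pending["qname"].lower()):
        return None
    cacheable, rejected = [], []
    for name, ip in reply["records"]:
        (cacheable if in_bailiwick(name, pending["zone"]) else rejected).append((name, ip))
    return cacheable, rejected

if __name__ == "__main__":
    # Slide 81: ns.victim.com.pk asks ns.attacker.com.pk for www.attacker.com.pk and the
    # answer carries an extra record for www.anything.com.pk (198.51.100.7 is constructed).
    q = new_query("www.attacker.com.pk", "attacker.com.pk")
    reply = {"qname": "www.attacker.com.pk", "txid": q["txid"], "dst_port": q["src_port"],
             "records": [("www.attacker.com.pk", "198.51.100.7"),
                         ("www.anything.com.pk", "202.83.173.59")]}
    print(accept_reply(q, reply))          # poison record lands in `rejected`
    # Slide 80: a blind forgery that guesses the query ID wrong is silently dropped.
    print(accept_reply(q, dict(reply, txid=(q["txid"] + 1) % 65536)))
```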
  • 82. Common Types of Network Attacks
    ► 1. DoS & DDoS Attacks – Overloading a system with traffic.
    ► 2. Phishing – Tricking users into revealing credentials.
    ► 3. SQL Injection – Injecting SQL code to exploit databases.
    ► 4. Cross-Site Scripting (XSS) – Injecting scripts into web pages.
    ► 5. ARP Spoofing – Sending fake ARP messages to intercept data.
    ► 6. DNS Spoofing – Redirecting traffic to malicious websites.
    ► 7. Brute Force Attack – Repeatedly guessing passwords.
    ► 8. Zero-Day Attack – Exploiting unknown vulnerabilities.
  • 83. Port Scanning Techniques
    ► 1. TCP Connect Scan – Completes the 3-way handshake to detect open ports.
    ► 2. SYN Scan (Half-Open Scan) – Sends SYN packets but does not complete the handshake.
    ► 3. UDP Scan – Sends empty UDP packets and checks the response.
    ► 4. ACK Scan – Determines firewall rules.
    ► 5. FIN Scan – Sends a FIN flag to detect closed ports.
    ► 6. XMAS Scan – Uses FIN, PSH, and URG flags to exploit TCP behavior.
    ► 7. Idle Scan – Uses a “zombie” system to stealthily scan a target.
  • 84. Port Scanning Tools
    ► 1. Nmap – Most widely used port scanner.
    ► 2. Netcat – For manual port communication.
    ► 3. Angry IP Scanner – GUI-based scanner.
    ► 4. Masscan – High-speed network scanner.
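The TCP techniques on slide 83 are recognisable on the wire by their flag combinations: a connect or half-open scan starts every probe with a bare SYN, a FIN scan sends a bare FIN, an XMAS scan sets FIN, PSH and URG together, and an ACK scan sends a bare ACK. The following added example (not from the original slides) shows the detection side: it classifies client-to-server probes by flags and raises an alert when one source touches many distinct ports of one host within a short window. The flow records are constructed for the example; the format "time src dst dport flags" is an assumption, not any particular tool's output.

```python
from collections import defaultdict

# TCP flag bits as they appear in the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed flow records, client-to-server packets only: "time src dst dport flags".
# 192.0.2.10 is an ordinary web client; .77 sends bare SYNs to six ports (connect or
# half-open scan); .99 sends FIN|PSH|URG (0x29) to six ports (XMAS scan).
SAMPLE_LOG = """\
100.00 192.0.2.10 198.51.100.5 80 0x02
100.01 192.0.2.10 198.51.100.5 80 0x10
100.05 192.0.2.77 198.51.100.5 21 0x02
100.06 192.0.2.77 198.51.100.5 22 0x02
100.07 192.0.2.77 198.51.100.5 23 0x02
100.08 192.0.2.77 198.51.100.5 25 0x02
100.09 192.0.2.77 198.51.100.5 53 0x02
100.10 192.0.2.77 198.51.100.5 80 0x02
100.50 192.0.2.99 198.51.100.5 21 0x29
100.51 192.0.2.99 198.51.100.5 22 0x29
100.52 192.0.2.99 198.51.100.5 23 0x29
100.53 192.0.2.99 198.51.100.5 80 0x29
100.54 192.0.2.99 198.51.100.5 443 0x29
100.55 192.0.2.99 198.51.100.5 8080 0x29
"""

def classify_probe(flags):
    """Name the scan technique a client-to-server flag combination is characteristic of.
    A bare SYN is also how a legitimate connection starts, so SYN probes only become
    suspicious in volume; the other three combinations never open a real connection."""
    return {SYN: "SYN scan", FIN: "FIN scan", FIN | PSH | URG: "XMAS scan", ACK: "ACK scan"}.get(flags)

def detect_scans(log, threshold=5, window=10.0):
    """Return {(src, dst, technique): sorted ports} for every source that probed at least
    `threshold` distinct ports of one host within any `window` seconds, per technique."""
    probes = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, dport, flags = line.split()
        kind = classify_probe(int(flags, 16))
        if kind:
            probes[(src, dst, kind)].append((float(ts), int(dport)))
    alerts = {}
    for key, events in probes.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):            # sliding time window over the probes
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            ports = {port for _, port in events[lo:hi + 1]}
            if len(ports) >= threshold:
                alerts[key] = sorted(ports)
    return alerts
```

Running `detect_scans(SAMPLE_LOG)` flags 192.0.2.77 (SYN scan) and 192.0.2.99 (XMAS scan) against 198.51.100.5 and leaves the single-port web client alone; the threshold and window are the knobs to tune against false positives on busy hosts.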

Editor's Notes

  • #12: In considering the place of encryption, it's useful to use the following two models: The first models information flowing over an insecure communications channel, in the presence of possible opponents. Hence an appropriate security transform (encryption algorithm) can be used, with suitable keys, possibly negotiated using the presence of a trusted third party.
  • #14: The second model is concerned with controlled access to information or resources on a computer system, in the presence of possible opponents. Here appropriate controls are needed on the access and within the system, to provide suitable security. Some cryptographic techniques are useful here also.
  • #32: The attacker configures IP forwarding so that packets are forwarded to the default router. A fake ARP reply is sent announcing the attacker's MAC address as the default router's MAC address. The victim's ARP cache is poisoned and it sends the packets to the attacker's MAC address. The attacker sniffs the traffic and, after sniffing, forwards the packets to the default router.