UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docx

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion
Prevention, and Penetration Testing
CSEC
640
© UMUC 2012 Page 1 of 37
Contents
Topic 1: Analogy
...............................................................................................
............................... 2
Reconnaissance Strategies
...............................................................................................
.......... 2
Topic 2: Module Introduction
...............................................................................................
............ 3
Topic 3: Reconnaissance
.................................................................................. .............
................. 4
What is Reconnaissance?
...............................................................................................
............ 4
Passive Reconnaissance
...............................................................................................
.............. 5
Active Reconnaissance
...............................................................................................
................. 7

Activity: Active Reconnaissance
...............................................................................................
... 9
Topic 4: Scanning
...............................................................................................
........................... 17
What Is Scanning?
...............................................................................................
...................... 17
IP Scanning
...............................................................................................
................................. 18
Port
Scanning.................................................................................
............................................ 19
Types of Port Scans
...............................................................................................
.................... 20
Vulnerability Scanning
...............................................................................................
................ 25
Quiz
...............................................................................................
............................................. 26
Port Scanning Tool: Nmap
...............................................................................................
.......... 28
Topic 5: Enumeration
...............................................................................................
..................... 30
What Is Enumeration?
...............................................................................................
................ 30

Topic 6:
Summary.................................................................................
......................................... 34
Glossary
...............................................................................................
.......................................... 35
CSEC
640
Topic 1: Analogy
The Preattack Phases
CSEC 640 – Module 2
Soldiers often carry out reconnaissance missions in which their
only task is to collect
facts about an enemy target. Doing so helps them prepare an
effective, customized
attack strategy. Similarly, hackers trying to break into protected
networks research their
targets to find ways to carry out an effective attack. Here is an
analogy comparing

military preattack strategies to the preattack exercises carried
out by professional
hackers and penetration testers, or “pentesters.”
Step 1
Military officers conduct scouting to collect information about
their targets before an
attack. Their goals are to make sure the enemy does not see
them coming and to collect
as much data as possible about the enemy, so that the attack is
effective.
Step 2
Reconnaissance is another word for scouting. The U.S. Army's
reconnaissance and
surveillance course trains military personnel in surveillance and
target acquisition. In
reconnaissance, the armed forces research a target to plan the
exact point of contact
with that target.
Step 3
Reconnaissance, however, is not limited to warfare. It is a tactic
used by ordinary people
in everyday life. Hackers, for instance, who want to attack a
particular network or
computer system, perform reconnaissance to learn more about
the target.
Just as soldiers might monitor enemy troops from a distance as
part of a reconnaissance
exercise, hackers might observe activity on a target Web site as
part of their
reconnaissance. The goal remains the same for both: to study
the target and move in
precisely, not randomly.

Step 4
During reconnaissance, hackers use social engineering
techniques and technical tools
to learn about the target systems’ owners, domain names, and IP
addresses, among
other necessary details. Hackers need enough data to ensure that
they are in and out of
a system long before the victim has noticed that important data
has been compromised.
CSEC
640
Before hackers or penetration testers launch an attack against an
organization’s
network, they conduct a preattack exercise. This exercise helps
them gather
information—technical and nontechnical—about the system that
they are targeting. This
information helps attackers decide what type of attack will be
most effective against their
targets.

The first three phases of this preattack exercise are the most
critical and are called
reconnaissance, scanning, and enumeration. Understanding how
these phases work
together gives a clear indication of how attackers progress in
their study of a target and
launch an attack. This module covers active and passive
reconnaissance techniques,
types of scanning, scanning tools and techniques, and
enumeration.
CSEC
640
What Is Reconnaissance?
Reconnaissance
Reconnaissance is the first step in engineering an effective
attack.
Footprinting
Attackers or penetration testers use a process called footprinting
during the
reconnaissance phase. This process helps them to gather

preliminary information about
the network they are targeting. The target network can belong to
an individual, a
corporation, a government, or any public institution.
Data Collection
Though hackers aim to collect as much information as possible,
the data they collect
during this phase is not enough to draw an accurate map of the
target network.
Target
At the end of the reconnaissance phase, attackers manage to
learn about the people
they are targeting and the target network’s IP address.
CSEC
640
Passive Reconnaissance
There are two types of reconnaissance: passive and active.
Passive reconnaissance presents a low level of risk for hackers

because they spy on
victims who are unaware that their moves are being watched.
Through passive
reconnaissance, hackers gather data from sources that are freely
available to the public,
such as open source sites, groups and forums, social engineering
sites, vulnerability
research sites, and people-search sites.
Open Source Sites
To use open source sites to gather data about a target, the
attacker:
1. first looks for a target Web site
2. downloads the target Web site
3. uses various tools to analyze it
One of the most popular Web site downloading tools is the
freely available wget located
at www.gnu.org/software/wget.
Here the wget recursively retrieves the Web pages at
www.umuc.edu. The “-r” option of
wget enables recursive mirroring of all pages on the site.
CSEC
640

Groups and Forums
Many users share information about the vulnerabilities of their
systems and ask for
solutions or answer queries posed by other users. Hackers use
such forums to gather
information about target systems and find vulnerabilities in the
systems.
Social Engineering Techniques
Social engineering is the art of tricking people into giving out
classified data. A common
social engineering technique that hackers use is joining chat
rooms their targets might
use. In these chat rooms, hackers are able to start conversations
through which they can
extract valuable data from targets.
Vulnerability Research Sites
Hackers visit vulnerability research Web sites such as
www.securityfocus.com or
www.hackerstorm.com for the latest attack tools and techniques.
People-Search Sites
To find information such as names of a system administrator,
security engineer, or
network engineer of a target company, hackers visit people-
search Web sites such as
people.yahoo.com or www.peoplefinder.com.
CSEC

640
Active Reconnaissance
In active reconnaissance, attackers use technical tools to probe
the target network for
information. For example, attackers may try to connect to
different port numbers on the
target IP to see which ones are open. In this way, they
determine which software/servers
are running on that IP—some of which might be vulnerable.
Data about a network’s IP addresses is usually found through
the Domain Name System
(DNS). Hackers use several technical tools to query the target
network’s DNS to
discover this data.
During this phase, hackers use technical tools to learn more
about their target.
www.arin.net)
Whois (www.whois.net)
Hackers interrogate the Internet domain name administration
system to locate the
domain name of a target system. Whois allows hackers to query

DNS and obtain
registered information, such as the domain ownership, address,
location, and phone
number.
NSLookup
The NSLookup tool allows anyone to query a DNS server for
information such as host
names and IP addresses. Using the NSLookup tool, a hacker can
perform a DNS zone
transfer and gather a great deal of information about the target.
ARIN (www.arin.net)
The American Registry for Internet Numbers (ARIN) is one of
five worldwide regional
Internet registries (RIR). ARIN oversees public IP addresses for
North America. Hackers
query ARIN to identify the range of IP addresses their target
network uses.
ARIN allows hackers to:
-type searches on its database to locate
information about network-
related handles, subnet masks, and related points of contact
(POC).
y an IP address to help identify how IP addresses are
assigned. For example, a
hacker can enter the Web server IP address of a target network
into the ARIN Web
site, www.arin.net, using Whois to identify the number and the
range of IP addresses
in use.

DIG
Like the NSLookup tool, Domain Information Groper (DIG) is a
flexible tool that performs
DNS lookups. DIG interrogates DNS name servers and displays
the responses that it
receives from the name servers. The responses include data such
as host names, IP
addresses, and e-mail exchanges.
CSEC
640
Traceroute
Hackers use the Traceroute tool to discover the routes or paths,
devices or routers, and
Internet service providers (ISPs) that a data packet must cross
to reach its target host.
Traceroute is based on the Internet Control Message Protocol
(ICMP). This is important
because ICMP packets are blocked by many network devices
such as firewalls. By using
Traceroute or other ICMP-based tools, hackers are able to easily
discover firewalls in
the data path.
DNS and Zone Transfer
A DNS server is responsible for resolving host names to

corresponding IP addresses.
When a host name—for example, www.umuc.edu—is typed into
a Web browser, the
DNS server converts it into an IP address. This is because the
systems running on the
Internet recognize only IP addresses. Every DNS server has a
name space, known as a
zone. A zone can contain one or more domain names.
There are two types of DNS servers organized in a hierarchy: a
master DNS server and
a secondary DNS server. When a DNS zone has to be updated,
the update is executed
within a primary zone on a master server. The updated records
in the database of the
master server are then transferred to the secondary DNS server.
This kind of transfer is
called a zone transfer.
CSEC
640
Activity: Active Reconnaissance

Introduction
Krista Le Saad is a popular gray hat hacker known for her
reconnaissance skills. She
has been given an assignment to find out the IP address of the
administrative system
managing an online bookstore called www.largobooks.com. The
assignment has been
delegated to Krista by a penetration tester, Sean Stasis.
Sean works for a leading IT security firm and needs to find the
loopholes and
vulnerabilities in www.largobooks.com's network. He often
outsources such
assignments to young aspiring hackers. Sean's team is ready to
begin fixing patches on
all vulnerabilities once he gets the results from Krista's
inquiries.
Krista has been given 24 hours to hack into
www.largobooks.com. To meet that
deadline, Krista needs your help. In this activity, you will be
asked to perform three
active reconnaissance steps. You will use tools, commands, and
Web sites, such
as FindRecord and NSLookup, to locate the DNS and IP address
and perform a
zone transfer.
Workspace
To help Krista find the IP address of www.largobooks.com’s
administrative system,
perform the following three steps:
DNS.

CSEC
640
Step 1
To query the DNS of www.largobooks.com, Krista uses a tool
similar to Whois called
FindRecord.
On typing www.largobooks.com in the Record Locator field and
searching the site, she
received the following output.
NOTE: If you use the Whois tool on a Linux OS, type the
command: whois
largobooks.com.
Domain name: largobooks.com
Registrant Contact:
n/a
Alan Carswell ()
Fax:

7704 Morningside Dr. NW
Washington, DC 20012
AF
Administrative Contact:
n/a
Alan Carswell ([email protected])
+1.2028297638
Fax: +1.5555555555
AF
Technical Contact:
n/a
Alan Carswell ([email protected])
+1.2028297638
Fax: +1.5555555555
AF
Status: Locked
Name Servers:
dns1.registrar-servers.com
Creation date: 02 Jul 20XX 11:10:00
Expiration date: 02 Jul 20XX 06:10:00

CSEC
640
Analyze the output and answer the following question.
Step 2
Question: Which of the following information is available in the
FindRecord output?
a. Technical contact
b. Administrative contact
c. Domain name
d. IP address of DNS
e. DNS
Correct answers: Options a, b, c, and e
Feedback for the correct answer:
That’s correct.
The technical contact data, the administrative contact, the
domain name, and the DNS
data showing all the name servers are available in the output.
Feedback for the incorrect or partially correct answer:
Not quite.
The IP address of the DNS is not available in these results. The
domain name,
administrative contact, technical contact, and name servers are
clearly mentioned.
Step 3
Krista can find the IP address of the DNS server by using a tool

such as NSLookup. In
this activity, use the IPAddress Locator to help her.
Activity
The following output was generated on typing largobooks.com
in the IPAddress
Locator.
Server: adedcns01.us.umuc.edu
Address: 131.171.34.194
Non-authoritative answer:
Name: largobooks.com
Address: 199.58.184.57
The IP address of www.largobooks.com DNS is 199.58.184.57.
Note: You can execute NSlookup commands at the Windows
command prompt.
CSEC
640
Step 4
In this step, you perform a zone transfer. The following
commands can be executed at

the Windows command prompt.
Activity 1
On typing nslookup and pressing the Enter key, the following
output is displayed.
The IP address is displayed.
Note: Once nslookup is typed at the Windows command prompt,
the prompt will change
to “>.” This indicates that NSLookup is in the execution mode.
Activity 2
On typing server 8.8.8.8 and pressing the Enter key, the
following output is displayed.
The default DNS has been set as Google DNS.
CSEC
640

Activity 3
On typing set type=any and pressing the Enter key, the
following output is displayed.
This command specifies all types of data.
CSEC
640
Activity 4
On typing largobooks.com and pressing the Enter key, the
following output is
displayed.
Finally, the zone transfer request is sent from your host to
largobooks.com’s DNS
server.
Going beyond the initial search results, the DNS server loads
the zone information and
replies with either a partial or full transfer of the zone to your
host.

View the command you have typed in this step and the
corresponding results. Then,
answer the question.
CSEC
640
Question 2: Which of the following data is available in the
screenshot?
a. Web server IP address
b. FTP server list
c. Domain name servers list
d. Mail exchange servers list
Correct answers: Options a, c, and d
Feedback:
In the output you cannot see the FTP server list. You can see
the Web server's IP
address—199.58.184.57, the list of www.largobooks.com's
domain name servers, and
the mail exchange server's list, which is indicated by the "MX"
that stands for mail

exchange. This list specifies mail servers for a domain.
CSEC
640
Review
A job well done! You’ve helped Krista locate the IP address and
learned to work with
DNS query tools.
While the technical tools are no doubt important and widely
used, nontechnical methods
of reconnaissance are equally important to hackers.
Nontechnical data is gathered by exploiting human
psychology—logic persuasion, need-
based persuasion, and reciprocation-based social engineering.
The infamous hacker
Kevin Mitnick was not only tech-savvy but also a master of
social engineering.
Social Engineering
Social engineering gives the age-old art of lies and
manipulation a technological twist.
Using Web-based technologies, such as chat rooms and online
forums, attackers
persuade or trick strangers into giving up personal information

such as access codes,
log-in names, and passwords.
Since face-to-face interactions are not required in online
conversations, social engineers
can make up an identity to cheat innocent victims they meet
online. This is a social
approach to getting confidential data, as opposed to cracking
system codes through
technological means.
Further Challenges
Visit the Web site www.whois.net and carry out this exercise in
real time using
NSLookup to query the DNS. Then visit www.arin.net and enter
the Web address you
found in this activity. Compare the results you get from these
sites.
CSEC
640
Topic 4: Scanning
What Is Scanning?
In the scanning phase, hackers use different techniques to
discover live systems,

devices, and open ports or services. There are various types of
scanning, such as IP
scanning, port scanning, and vulnerability scanning.
Sometimes, it is not easy to differentiate between the three
preattack phases—
reconnaissance, scanning, and enumeration. Many of the same
information-gathering
techniques are used across these phases. For example, port
scanning can be
considered a part of reconnaissance or a part of the scanning
phase.
Types of Scanning
IP scanning is a technique that can be used to identify the live
systems connected to
a network segment or IP range.
Port scanning is the process of scanning a host to determine
which Transmission
Control Protocol ports (TCPs) or User Datagram Protocol ports
(UDPs) are
accessible.
Vulnerability scanning is the process of automatically assessing
networks or
applications for vulnerabilities.

CSEC
640
Topic 4: Scanning
IP Scanning
IP scanning is used by system administrators to check the
connectivity of the hosts on
the network. The most popular tool for IP scanning is ping. Ping
sends an ICMP request
to test which target hosts are accessible across an IP network.
Target hosts that are live
return ICMP reply messages.
A technique such as ping sweep is used to identify a range of IP
addresses or live port
numbers of the target system. Based on best security practices,
system administrators
typically configure the firewalls or border-routers to block
ICMP requests originating from
outside the network. An IP scanner can be used by an inside
attacker to draw a network
map.

CSEC
640
Topic 4: Scanning
Port Scanning
Meet Philippe Posen, a freelance security analyst. He’s hard at
work performing port
scans. Philippe uses port scanning to search a network host for
open ports. The ports
can be considered open if their related service is available in
the host network. After
successful port scanning, Philippe will be able to identify which
services are provided by
the host network.
There are two different kinds of port scans: horizontal and
vertical scans.
Horizontal and Vertical Scans
CSEC

640
Topic 4: Scanning
Types of Port Scans
Hackers can perform several different types of horizontal or
vertical scans. The type of
scan a hacker uses is based on the type of data the hacker wants.
The types of scans
include the TCP connect scan, SYN stealth scan, NULL scan,
ACK scan, FIN scan, and
Xmas tree scan.
TCP Connect Scan
Connecting via a TCP is the simplest scan technique.
Scenario 1
An attacker tries to establish a connection on a port of the target
system by a three-way
handshake.
The attacker knows the target port is open if the connection is
successfully established.
Scenario 2
The attacker knows that the target port is closed if the packet
with the reset flag (RST
flag) is sent by the target host.

CSEC
640
SYN Stealth Scan
This scan is called a half-open scan because a full TCP
connection is never established.
Scenario 1
An attacker generates an initial SYN packet to the target. If the
port is open, the target
responds with an SYN/ACK.
The attacker does not respond back with the ACK in this case.
Therefore, a full TCP
connection is never established. This is why this type of scan is
sometimes called a half-
open scan.
Scenario 2
Some firewalls only log established connections. Since no
connection is established in
an SYN stealth scan, it can pass through the firewall without
being logged. However, an

SYN stealth scan is not completely stealthy as many firewalls
and IDSs detect SYN
scans.
Scenario 3
If the port is closed, the attacker receives an RST from the
target.
CSEC
640
NULL Scan
From the attacker’s perspective, the NULL scan is not always
reliable since not all hosts
comply with RFC 793.
Scenario 1
An attacker sends a data packet without any flag set. No real
TCP/IP packet exists
without any flag set. If the port is open, the target host ignores
the packet and does not
respond.
Scenario 2

According to RFC 793, when a packet is sent to a port with no
flag set, the target
responds with an RST packet if the port is closed.
Some hosts send an RST packet in response to a null packet,
regardless of whether the
port is open or not. That’s why the NULL scan is considered
unreliable.
FIN Scan
Just like a NULL scan, the FIN scan is not reliable.
CSEC
640
Scenario 1
An attacker sends an FIN (finish) packet to the target. The FIN
packet is able to bypass
firewalls because firewalls try to avoid any errors with
legitimate FIN packets. The target
simply ignores the FIN packet if the port is open.
Scenario 2
The target responds with an RST if the port is closed. Some
hosts will send an RST
packet regardless of the port being open or closed, making the

FIN scan unreliable.
ACK Scan
Attackers use ACK scanning to learn which firewall ports are
filtered and which are
unfiltered.
Scenario 1
An attacker sends an ACK packet to the target port’s firewall.
If there is no response or an “ICMP destination unreachable”
message is returned, then
the port is considered to be filtered.
This means that the firewall is stateful. It knows that no internal
host has initiated any
SYN packet that matches the ACK packet sent by the attacker.
Scenario 2
If the target’s firewall returns an RST, then the port is
unfiltered. Because there is no
firewall rule for that port, the attacker knows that the port is
vulnerable.
CSEC
640

Xmas Tree Scan
This scan gets its name from the fact that all three flag sets that
are sent to the target—
URG, PUSH, and FIN—light up with different colors and flash
on and off like Christmas
tree lights.
Scenario 1
An attacker sends a TCP packet to the remote target with the
URG, PUSH, and FIN flag
set. Similar to the FIN scan, an open port does not respond.
Scenario 2
On the other hand, a closed port responds with an RST packet.
Some hosts send an RST packet in response to a null packet,
regardless of whether the
port is open or not.
CSEC
640

Topic 4: Scanning
Vulnerability Scanning
A vulnerability scan is a computer program that checks target
networks for weaknesses.
Attackers use vulnerability scans to identify all devices on a
network that are open to
known vulnerabilities.
The Nessus tool, located at www.nessus.org, is one of the most
well-known vulnerability
scanners. Nessus begins by probing a range of IP addresses on a
target network to find
active or live hosts. After detecting all known vulnerabilities,
the tool provides a report in
a variety of formats. This report lists services or suggested best
practices that system
administrators can employ to secure the network. Attackers can
use the Nessus tool to
identify vulnerable and weak spots in a target network.
CSEC
640
Topic 4: Scanning

Quiz
Jorge, a black hat hacker, is launching a port-scanning attack on
a Web server with an
IP address of 192.168.195.128.
Question 1: In the packets numbered 9–19, which type of port
scanning is used to
attack the Web server?
a. Xmas tree scan
b. FIN scan
c. SYN stealth scan
Reference: Wireshark product screenshot reprinted with
permission from the Wireshark Foundation.
Correct answer: Option c
Feedback:
If you look at packets 15 and 16, the SYN and SYN+ACK
packets are exchanged by the
attacker and Web server. However, no ACK is sent from the
attacker’s host. Instead, the
attacker sends a new SYN packet to the Web server. This new
SYN packet clearly
indicates that this is an SYN stealth scan.

CSEC
640
Question 2: In the packets numbered 5–15, identify the type of
port scanning used to
attack the Web server.
a. Xmas tree scan
b. NULL scan
c. SYN stealth scan
Correct answer: Option b
Feedback:
The SYN packets do not set a TCP flag. “<NONE>” indicates
that no TCP flag is set.
This identifies a NULL scanning attack.
CSEC
640

Topic 4: Scanning
Port Scanning Tool: Nmap
What Is Nmap?
Nmap is a free open source network-mapping utility that
determines which hosts are
available on the network and lists the services offered by these
hosts. With Nmap, a
system administrator can perform many types of port scans.
Popular Nmap switches, options, and techniques include these:
-sT: TCP connect scan
-sS: SYN stealth scan
-sF: FIN scan
-sX: Xmas tree scan
-sN: NULL scan
-sA: ACK scan
-sI: NULL scan
-v: Verbose mode
-p: an instruction specifying the port numbers to scan
-P0 (or Pn): an instruction to not try to ping the IP addresses.
Some firewalls block
ICMP.
-O: an attempt to detect the operating system
Nmap Example
Here is an example of how Nmap can be used to carry out an
SYN stealth scan on a
Web server.

Reference: Nmap product screenshot reprinted with permission
from Gordon Lyon, the developer of Nmap.
CSEC
640
Target
A Web server with an IP address of 192.168.195.128 is running.
Command
The Nmap command: nmap –sS 192.168.195.128 is entered.
Open Ports
An attacker performs an SYN stealth scan on the Web server
using Nmap. The output
shows that ports 80, 135, 139, 443, 445, and 3306 are open.
CSEC
640

Topic 5: Enumeration
What Is Enumeration?
After performing reconnaissance and scanning, if a hacker still
has not identified the
target system, he or she would launch an enumeration attack on
the target as the final
step in the preattack exercise.
During enumeration, hackers employ a set of techniques to
extract technical information
such as user accounts, operating systems, application names,
and network resources of
target systems.
Using Nmap
A Web server with an IP address of 192.168.195.128 is running.
An attacker uses Nmap
to perform an SYN stealth scan on the Web server. The output
shows that ports 80, 135,
139, 443, 445, and 3306 are open.
1. Target
The attacker learns that the Web server running on the target
network has an IP
address of 192.168.195.128.
2. Nmap Tool
The attacker uses Nmap to fingerprint the target Web server.

The attacker enters the
Nmap command Nmap –sS –p T:1-1023 –O –v –Pn
192.168.195.128 to specify that
the TCP stealth scan is performed with a port range of 1 through
1023 on the host IP
192.168.195.128.
3. OS Switch
The attacker enables the -O switch to attempt to determine the
operating system.
4. Ping
The attacker specifies -Pn, which means that ping is not used.
5. OS Details
Note that the operating system is Microsoft Windows XP 2003
or Microsoft XP
Professional SP2.
6. Result
The results show that the host server with an IP address of
192.168.195.128 has
ports 80, 135, 139, 443, and 445 open and uses Microsoft
Windows XP 2003 as its
operating system.

CSEC
640
Reference: Nmap product screenshot reprinted with permission
from Gordon Lyon, the developer of Nmap.
CSEC
640
Using Telnet
Sometimes a hacker does not even need a sophisticated tool like
Nmap. A hacker can
simply use a Telnet command to grab the HTTP header and
identify the type of
operating system or Web server the target uses.
1. Telnet Command

The attacker types the command telnet www.umuc.edu 80 to
connect to the Web
server www.umuc.edu.
2. HEAD
Then, the attacker types HEAD / HTTP/1.0 to send an HTTP
request to the Web
server.
3. Apache X
The telnet output displays the content of the HTTP response
header received from
the UMUC Web server. The HTTP header shows that the type of
Web server is
Apache powered by PHP.
4. Malformed HTTP Packet
Using another telnet connection—telnet www.umuc.edu—the
attacker sends a
malformed HTTP packet to the Web server, which is an invalid
input as HTTP 3.0 is
not available. The attacker sends a malformed packet because
some targets do not
show any useful information if they are given a valid input.

CSEC
640
However, when the target receives a malformed input, it returns
a useful banner of
information. Therefore, attackers do not always need to send a
valid input to a target
to get useful information. They can give an invalid input and
observe an output.
5. Web Server
The invalid malformed input returns some useful information:
Apache Web server,
HTTP 1.1, and some information that is not that useful, such as
Charset.
CSEC
640
Topic 6: Summary

We have come to the end of Module 2. The key concepts
covered in this module are
listed below.
to study the target they
plan to attack. The first three phases of this preattack exercise—
reconnaissance,
scanning, and enumeration—are the most critical.
and active
reconnaissance. During passive reconnaissance, hackers
research open-source
sites and groups and forums, as well as social engineering sites
to gather
nontechnical data about their targets. During active
reconnaissance, hackers use
technical tools such as Whois, NSLookup, the American
Registry for Internet
Numbers (ARIN), Domain Information Groper (DIG), and
Traceroute to find their
targets’ IP addresses.
hackers are able to find out
the domain name, administrative contact, technical contact, and
name servers of
their target. The IP address of the domain name server is not
revealed until hackers
type the NSLookup command and perform a zone transfer.

live systems,
devices, and open ports in their network. There are three types
of scanning: IP, port,
and vulnerability scanning.
network. Port scanning is
used to find accessible Transmission Control Protocol (TCP)
and User Datagram
Protocol (UDP) ports. Vulnerability scanning is used to assess
networks for
vulnerabilities.
Port scans that help
hackers obtain data—TCP connect scans, SYN scans, NULL
scans, ACK scans, FIN
scans, and Xmas tree scans—can be performed as horizontal or
vertical scans.
-mapping utility that
determines which hosts are
available on the network and lists the services those hosts offer.
With Nmap, a
system administrator can perform many types of port scans.

enumeration attack to
identify the operating systems and user accounts of their
targets. This attack is
carried out using a set of techniques to extract technical
information such as user
accounts, operating systems, application names, and network
resources.
CSEC
640
Glossary
Term Definition
Active Reconnaissance During active reconnaissance, hackers
use technical tools
such as Whois, NSLookup, ARIN, DIG, and Traceroute to
find out their targets’ IP addresses.
ACK Scan

ACK scanning is a type of port scan that tells whether ports
on a firewall are filtered or unfiltered. If the target’s firewall
returns an RST, then the port is unfiltered and vulnerable.
American Registry for
Internet Numbers
The American Registry for Internet Numbers (ARIN) is the
IP address registry for North America. ARIN allows Whois-
type searches on its database to locate information on
networks.
Domain Information
Groper
The DIG command allows attackers to search the DNS
database and find the open name servers attached to a
domain.
Domain Name Service The Domain Name Service (DNS)
translates Internet
domain names, such as www.xyz.com, into Internet
Protocol (IP) addresses.
Domain Name System Domain Name System is an Internet
system that associates
domain names with IP addresses, allowing computers to
communicate over the World Wide Web.
Enumeration Enumeration is the third phase in a hacker’s
preattack
exercise. Hackers use enumeration techniques to learn
technical data—operating systems and user accounts—
about a network system.

FIN Scan
The FIN (finish) scan is a type of port scan that is able to
pass through firewalls. Open ports don’t respond, but
closed ports respond with an RST.
Footprinting A method of processing or gathering information
about a
target system.
Internet Control
Message Protocol
The Internet Control Message Protocol (ICMP) integrates
with the Internet Protocol (IP). It reports error, control, and
informational messages between a host and a gateway.
Nmap The Nmap security scanner is used to discover hosts and
services on a network. Based on the network conditions, it
sends packets with specific information to the target host
and evaluates the responses to create a network map.
NSLookup The NSLookup tool queries a DNS server and
performs a
DNS zone transfer to gather data on a targeted network.
NULL Scan
A NULL scan is a type of port scan in which an attacker
sends a data packet without any flag set. If the packet is
open, the target host ignores the packet.

CSEC
640
Term Definition
Passive
Reconnaissance
During passive reconnaissance, hackers research open-
source sites and groups and forums, as well as social
engineering sites, to gather nontechnical data about their
targets. To do this, hackers use social engineering.
Penetration Testers Penetration testers are security analysts that
perform
penetration tests, or pentests, to assess the security of a
network system.
Ping This utility sends an ICMP echo request (ping) to a target
system and waits for a reply (pong).
Port Scanner Port scanners identify open ports and help an
intruder
identify a target system’s weak access point.
Reconnaissance Reconnaissance is the first phase of the
preattack exercise
carried out by hackers to learn about the people who work
at the target company and the target network’s IP address.
Hackers use a process called footprinting and perform two
types of reconnaissance: passive and active.

RFC 793 RFC (Request for Comments) 793 is a document
which
describes the DoD Standard Transmission Control Protocol
(TCP).
Scanning Scanning is the second preattack phase used by
hackers to
discover live systems, devices, and open ports on a
network. Hackers perform three types of scanning: IP, port,
and vulnerability scanning.
Social Engineering Social engineering is a method of gathering
information,
seeking computer access, or committing fraud by using
manipulation and deceit to get people to reveal confidential
information about themselves or an organization.
SYN Scan
In an SYN stealth scan, the attacker sends an initial SYN
packet to the target. If the port is open, the target responds
with an SYN/ACK.
TCP/IP Transmission Control Protocol/Internet Protocol
(TCP/IP) is
the communication protocol suite for the Internet.
TCP Connect Scan
In a TCP connect scan, an attacker tries to establish a
connection on a port of the target system by a three-way
handshake. The attacker knows the target port is open if the
connection is successfully established.

User Datagram Protocol User Datagram Protocol (UDP) is a
network protocol that
allows computers to exchange messages over an Internet
network without the need for special transmission channels
or data paths.
Vulnerability Scanner Vulnerability scanners analyze, classify,
and identify flaws
and vulnerabilities in the targeted system.
Wget Located at www.gnu.org/software/wget, the wget tool is a
popular and freely available Web site downloading tool.
CSEC
640
Term Definition
Whois A tool that allows hackers to query DNS to obtain
registered
information, such as the domain ownership, address,
location, and phone number.
Xmas Tree Scan
To perform the Xmas tree scan, an attacker sends a TCP
packet to the remote target with the URG, PUSH, and FIN

flag set. As in a FIN scan, open ports don’t respond, but
closed ports respond with an RST.
CSEC 640
Contents
Topic 1: Analogy
...............................................................................................
............................................ 2
Analogy: Network Traffic
...............................................................................................
............................ 2
...............................................................................................
......................... 4
Topic 3: Layer 2 and Switch
Basics.....................................................................................
......................... 5
Layer 2 Technology: Ethernet
...............................................................................................
.................... 5
Layer 2 Switch Operation
...............................................................................................
........................... 7

Topic 4: Layer 2: MAC Attacks
...............................................................................................
.................... 10
MAC Flooding Attacks
...............................................................................................
............................. 10
MAC Spoofing Attacks
...............................................................................................
............................. 12
Activity
...............................................................................................
...................................................... 14
Mitigating MAC Attacks
...............................................................................................
............................ 15
Topic 5: Layer 2: Address Resolution Protocol Exploitation
...................................................................... 16
Address Resolution Protocol
...............................................................................................
.................... 16
ARP Spoofing Attacks
...............................................................................................
.............................. 18
Activity: Try This!
...............................................................................................
...................................... 20
Topic 6: Layer 3: Router Vulnerabilities
...............................................................................................
...... 22
Router Attacks and Vulnerabilities
...............................................................................................
........... 22
Routing Table Modification

...............................................................................................
...................... 23
Preventing Routing Table Modification
...............................................................................................
.... 24
Activity: Routing Updates and MD5 Authentication
................................................................................ 26
Topic 7:
Summary.................................................................................
...................................................... 32
Glossary
...............................................................................................
....................................................... 33
CSEC 640
Topic 1: Analogy
Switching and Routing Vulnerabilities
CSEC 640 – Module 3
Just as we use stop signs and traffic lights to safely guide

vehicles along roads and highways,
computer networks use their own traffic guidance systems. On a
computer network, traffic is
handled using routers and switches that ensure the secure and
efficient exchange of data.
Consider an analogy comparing vehicle traffic with data traffic.
Managing Network Traffic
Slide 1
Imagine you are driving and you come to an intersection with
four stop signs. It takes a while to
cross because everyone has to take turns, and there can be
confusion.
Now imagine what the traffic would be like if there were an
overpass, where one of the roads
went over the other. That way, no one would have to stop. This
model of an overpass is a
simplified way to think of a switch.
Slide 2
A switch does the same thing as a hub and a bridge, but more
effectively.
A switch lets you add computers to your network and makes
virtual connections between
computers that need to "talk" to each other. As soon as the
computers have finished talking to
each other, the virtual connection is broken. Breaking the
connection right away eliminates
collisions in network traffic.
The only shortcoming of a switch is that it will not keep a
broadcast from tying up the
communication lines. When one computer needs to find the

address of another computer, it
sends out a broadcast over the whole network to find the
address. Each computer in the
network receives the broadcast and “looks” to see if it is the
intended recipient.
The broadcast can occupy the network because none of the other
computers can send a
message while it is taking place. Routers solve this problem.
Slide 3
Routers do everything that a switch does, but they use a
different method to address the
packets of information—they use IP addresses. A router acts
like a post office. It decides the
best route that a packet can take to get to different networks.
A router can divide your network into different subnetworks and
contain a broadcast within a
smaller area so that the whole network does not need to receive
the broadcast. The router
keeps your resources from being tied up with unnecessary
network traffic jams.
This process is like taking a city—that is, your network—and
dividing it into neighborhoods.
When the residents in one locality want to publicize a
neighborhood watch meeting, they can tell
CSEC 640

the post office to mail fliers only within that neighborhood so
the post office does not waste
resources sending notices to distant areas.
A router can perform exactly this type of role, if it is so
programmed.
CSEC 640
In the TCP/IP model, the higher layers such as the application
layer, TCP layer, and IP layer are
all based on the Layer 2 (data link layer) technologies.
This module provides a background on Layer 2 technologies,
such as Ethernet, followed by a
look at the operation of Layer 2 switches. The module also
discusses Media Access Control
(MAC) attacks and their mitigation, exploitation of the Address
Resolution Protocol (ARP), and
router (Layer 3) vulnerabilities.

CSEC 640
Topic 3: Layer 2 and Switch Basics
Layer 2 Technology: Ethernet
Ethernet is a group of Layer 2 protocols for local area networks
(LANs). Ethernet is the most
predominant LAN standard. Most often, the term Ethernet is
used to signify IEEE 802.3.
Introduction
The network interface card (NIC) of a host—PC, printer, or
server—is connected to a Layer 2
device, such as a switch or hub. The IEEE 802.3 protocol
specifies how a message is framed
and transmitted on the Layer 1 wire by the NIC.
Like all other hardware in the network, the NIC has a unique
address called a Media Access
Control (MAC) address. MAC addresses are 48-bit-long unique
identifiers written into hardware
devices by their manufacturers. These addresses are expressed
as 12 hexadecimal digits and
used by most Layer 2 technologies including Ethernet. An
example of a MAC address is 5C-26-
0A-35-56-8A.
A user can find the MAC address of a PC by entering the
command ipconfig/all in the Windows

command prompt.
The Ethernet Frame
The Ethernet frame is used to transmit data from a source to a
destination and ranges from 72
to 1,518 bytes in length.
Destination/Source MAC Addresses
The Destination/Source MAC Addresses field specifies the
MAC addresses of the source and
destination hosts. For instance, consider a network with a Host
A PC and a Host B PC. The
MAC addresses of Host A and Host B are 56-34-23-34-9A and
5A-45-56-23-9A, respectively. If
Host A sends a frame to Host B, the source MAC address in the
frame becomes 56-34-23-34-
9A, Host A’s MAC address. The destination MAC address
becomes 5A-45-56-23-9A, or Host
B’s MAC address. A switch routes this frame based on the
source and destination MAC
addresses.
CSEC 640
Type

The Type field indicates the Layer 3 protocol in the Data field.
For instance:
contains an IP packet.
contains an Address
Resolution Protocol (ARP) message.
CSEC 640
Topic 3: Layer 2 and Switch Basics
Layer 2 Switch Operation
Layer 2 devices, such as switches, route an Ethernet frame
based on the source and
destination MAC addresses. A switch relies on a forwarding
table to forward a frame to a
destination MAC address just as a router uses a routing table to
forward an IP packet to a
destination IP address. The forwarding table is called a MAC
address table or a content
addressable memory (CAM) table. This module uses the term
MAC table to refer to the CAM
table.

Initially, the MAC table of a switch is empty; the switch does
not know the MAC address of a
PC, printer, or any other attached device. Consider the
following example: a LAN consists of
Host A with a MAC address of AAAA, Host B with a MAC
address of BBBB, Host C with a MAC
address of CCCC, and a switch.
Note that in the real world, MAC addresses are 48 bits long; the
addresses used here are
shortened to simplify the example. Hosts A, B, and C are
connected to the first, second, and
third Ethernet ports, Fa0/1, Fa0/2, and Fa0/3, respectively.
Assume that the switch’s MAC table
can hold only two entries. In reality, MAC tables have much
larger capacities.
Example
Step 1
Initially, the MAC table is empty. A frame originating from
Host A arrives at the first Ethernet port
on the switch (Fa 0/1). Host A wants to communicate with a
host whose MAC address is BBBB,
the destination address in the frame.
The switch inspects the source MAC address to determine
whether there is already an existing
entry in the table. Since the MAC table is empty, a new entry is
made that records the source
MAC address and the port number. By recording these details in
the MAC table, the switch
specifies where to send a frame when it needs to be sent to the
source MAC address.

CSEC 640
Step 2
Since the switch does not know where the destination MAC
address BBBB is, it simply floods
the frame on all active ports. In other words, the switch sends a
copy of the frame to every port
in the LAN, hoping that the frame will reach the destination
host.
In this example, the switch floods the frame on Fa 0/2 and Fa
0/3. This process is known as
unknown unicast flooding.
Step 3
When Host B, the intended recipient of the frame, receives the
frame, it replies with a response
frame. In this frame, note that the source and destination MAC
addresses are reversed
compared to the original frame that Host A sent.
When the switch receives this frame, it tries once again to
search for a match in its MAC table.

Since there is no match, a new entry is added to the MAC table,
recording the MAC address
BBBB and the port Fa 0/2. In this example, since the MAC table
can hold only two entries, it is
at capacity.
CSEC 640
Step 4
Once the MAC table is full, Host A sends a frame whose source
address is AAAA and
destination address is BBBB. The switch receives the frame and
inspects the destination MAC
address to check for a corresponding entry in the MAC table.
Since the second entry is a match,
the switch forwards the frame to port Fa 0/2 (Host B).

CSEC 640
MAC Flooding Attacks
What Is a MAC Flooding Attack?
When a switch’s MAC table becomes full, the switch begins to
flood frames on all active ports.
In other words, when the switch begins to flood all active ports,
any host on the same LAN can
intercept any other frame regardless of its destination MAC
address.
In a flooding attack, an attacker tries to create a permanently
full MAC table that will force the
switch to flood (broadcast) all traffic on all active ports. The
attack is launched from one of the
ports on a LAN so all communication taking place on that LAN
is visible to the attacker. This
visibility enables the attacker to monitor all frames passed
through the switch and to obtain
useful, sensitive information, including the data in the frame,
the MAC address, and the IP
address of the victim host.
Example: MAC Flooding Attack
Step 1
The attacker generates a continuous set of frames with random
source and destination MAC
addresses using tools such as MACOF, Ettercap, or Yersinia.
Since the MAC table of the switch

has limited storage, it eventually runs out of space and cannot
add new entries.
CSEC 640
Step 2
The victim host tries to communicate with another host.
Step 3
Since there is no corresponding MAC table entry for the
destination host, every frame sent by
the victim host will be flooded to all ports. The attacker can see
all the traffic sent from the victim
host.

CSEC 640
MAC Spoofing Attacks
What Is a MAC Spoofing Attack?
In a MAC spoofing attack, the attacker first identifies the MAC
address of a victim host by
launching a MAC flooding attack on a LAN. The attacker then
generates a fake frame by
entering the victim’s MAC address in the source field of the
fake frame. The switch receives the
fake frame from the attacker’s host and updates its MAC table
accordingly.
Example: MAC Spoofing Attack
Step 1
The attacker’s host performs a MAC flooding attack and obtains
useful information about its
neighboring hosts, such as MAC and IP addresses. The attacker
crafts a frame with the source
MAC address BBBB, the MAC address of Host B.
Step 2
Upon receiving the attacker’s frame, the switch accordingly
updates its MAC table with the MAC

address BBBB and its corresponding interface, Fa 0/3, which
points to the attacker.
CSEC 640
Step 3
The victim sends a frame with a destination MAC address of
BBBB. The switch finds a match in
the MAC table and forwards the frame to the attacker’s host
rather than to the intended host,
Host B.
CSEC 640

Activity
You will now be presented with a few questions based on Layer
2 and MAC attacks.
Question 1: On what basis do Layer 2 devices such as switches
route Ethernet frames?
a. Layer 2 devices route Ethernet frames based on IP addresses.
b. Layer 2 devices route Ethernet frames based on MAC
addresses.
c. Layer 2 devices route Ethernet frames based on the IP
address table.
Feedback:
Layer 2 devices such as switches route Ethernet frames based on
the source and destination
MAC addresses. A switch relies on a MAC table to forward a
frame to a destination MAC
address, just as a router uses a routing table to forward an IP
packet to a destination IP
address.
Question 2: Which of the following scenarios describes
unknown unicast flooding?
a. A switch flooding an Ethernet frame on all active ports when
it cannot locate a source MAC
address
b. A switch attempting to make additional entries in a MAC
table that is at capacity
c. A switch flooding an Ethernet frame on all active ports when
it cannot locate a destination

MAC address
d. Ethernet frames being sent without a destination MAC
address
Correct answer: Option c
Feedback:
In unknown unicast flooding, when a switch cannot locate a
particular destination MAC address,
it will simply flood an Ethernet frame on all active ports,
hoping that the frame will reach the
destination host.
Question 3: Which of the following statements describes a MAC
flooding attack?
a. An attacker tries to create a permanently full MAC table that
will force a switch to flood traffic
on all active ports.
b. An attacker attempts to inject fake or misleading MAC
addresses into a MAC table.
c. An attacker generates a fake frame by entering the victim’s
MAC address in the source field
of the fake frame.
Correct answer: Option a
Feedback:
In a MAC flooding attack, an attacker tries to create a
permanently full MAC table that forces the
switch to flood all traffic on all active ports. The attack is
launched from one of the ports on a
LAN so all communication taking place on that LAN is visible
to the attacker. This visibility
enables the attacker to monitor all frames passed through the

switch and obtain useful
information.
CSEC 640
Mitigating MAC Attacks
Some common ways to prevent or mitigate MAC flooding and
spoofing attacks include
implementing measures such as port security and unicast flood
protection.
Security
Port security ties a given MAC address to a port by preventing
any MAC addresses other
than the preconfigured ones from showing up on a secure port.
Upon detection of an invalid
MAC address, the switch can be configured to block only the
offending MAC or to simply
shut down the port.
For instance, in a Cisco switch, you can assign a secure MAC
address to a secure port

using the command, (config-if) switchport port-security mac-
address
001E.1345.AE32. If an attacker’s machine sends a frame with a
source MAC address other
than 001E.1345.AE32 to the securely configured port, the
switch will block or shut down the
port.
Port security prevents MAC flooding and spoofing attacks.
A switch floods an incoming frame on all active ports if it
cannot find a corresponding entry
in the MAC table or if the MAC table is full. The unicast flood
protection feature allows a
system administrator to set a limit on the number of unicast
floods. When flood protection
detects unknown unicast floods exceeding the predefined limit,
it sends an alert and shuts
down the port that is generating the floods.
CSEC 640

Address Resolution Protocol
Address Resolution Protocol (ARP) is a protocol used to find
the MAC address of a host when
the IP address of the host is known.
How Does ARP Work?
Consider an example to see how ARP works.
Assume that Host A, with the IP address 192.168.1.1/24, needs
to send a frame to a destination
host with the IP address of 192.168.1.3/24.
To send the frame, Host A needs to know the MAC address of
the destination host. By
comparing its own IP address with the destination host’s IP
address, Host A knows that the
destination host is part of the same LAN as itself.
Host A sends an Ethernet broadcast frame. Note that the
standard address for Ethernet
broadcasts is FFFF.FFFF.FFFF.
Upon receiving the broadcast frame, the switch floods the frame
on all ports in the LAN, and all
the hosts in the LAN receive this broadcast frame. This
broadcast frame is known as an ARP
request.
Host B and Host C receive the ARP request from Host A. Host
C sends a solicited ARP reply to
Host A. The ARP reply contains Host C’s MAC address and IP
address.

Upon receiving the ARP reply, Host A knows the MAC address
of the host whose corresponding
IP address is 192.168.1.3.
CSEC 640
What Is Gratuitous ARP?
Consider an example to understand Gratuitous ARP.
Sending a Gratuitous ARP means sending an ARP reply when
no ARP request has been made.
Host C sends an unsolicited ARP reply to the broadcast address
FFFF.FFFF.FFFF to tell its
neighboring hosts in the LAN that its MAC address is CCCC.
CSEC 640

ARP Spoofing Attacks
An ARP spoofing attack, also known as ARP poisoning, enables
an attacker to sniff out all IP
packets sent to the target host. Consider an example of how an
ARP spoofing attack is carried
out.
Step 1
The attack is initiated by a host with the IP address 192.168.1.2.
The attacker’s host machine
sends a fake Gratuitous ARP to Host A. The fake Gratuitous
ARP tells Host A that 192.168.1.3
is tied to the MAC address of BBBB. Note that 192.168.1.3 is
actually tied to Host C, not the
attacker. Upon receiving the ARP request, Host A adds a new
entry to its ARP table, correlating
the MAC address BBBB with the IP address 192.168.1.3.
Step 2
As seen with the frame sent by Host A, all the IP packets
intended for Host C are sent to the
attacker’s MAC address. This is because Host A believes that
Host C’s MAC address is BBBB,
which is actually the attacker’s MAC address.

CSEC 640
Step 3
As soon as the attacker receives the packet from Host A, it
masquerades as Host C by sending
an acknowledgment packet back to Host A.
Step 4
The attacker forwards the packet originally sent by Host A to
Host C. Host C believes that this
packet is from Host A. The attacker has achieved its goal, which
is to intercept and read, or
sniff, the packet originating from Host A.
CSEC 640

Activity: Try This!
Consider an example of a network with an attacker and two
hosts, as shown here in Diagram A
and Diagram B. After the attacker’s host sends a fake
Gratuitous ARP to Host A in Diagram A,
and Step 1 and Step 2 are completed in Diagram B, which of the
following options would
correctly reflect the values in the switch’s MAC table? Assume
that the MAC table is initially
empty.
Diagram A
Diagram B
CSEC 640
a.
MAC Address Interface

1. AAAA Fa 0/1
2. BBBB Fa 0/2
b.
1. BBBB Fa 0/2
2. AAAA Fa 0/1
c.
1. BBBB Fa 0/2
2. CCCC Fa 0/3
Feedback:
The source MAC address of the Gratuitous ARP frame sent to
Host A is BBBB. This frame
originates from the attacker’s host and is forwarded to switch
port Fa0/2. Therefore, the first line
in the MAC table is filled with BBBB as the MAC address and
Fa0/2 as the interface.
When Host A sends an IP packet intended for Host C (Step1 in
Diagram B), the source MAC
address of the frame is AAAA and that frame is sent to switch
port Fa 0/1. As a result, the
second line of the MAC table contains AAAA as the MAC
address and Fa 0/1 as the interface.

CSEC 640
Router Attacks and Vulnerabilities
A router is a network device that routes IP packets across
computer networks. Since a router
deals with IP packets, it is a Layer 3 device. When a packet
arrives at a router, the router
inspects the IP header of the packet. Based on the destination
and source IP addresses, the
router decides to which network device it will forward the
packet. Routers are prone to various
types of attacks.
Routing table modification, also known as a rerouting attack, is
a common vulnerability unique
to routers. This attack involves manipulating router updates to
route traffic to unwanted
destinations.
Other Common Attacks
Other common router attacks include:

exploit known vulnerabilities in
running services such as Hypertext Transfer Protocol (HTTP),
Domain Name System
(DNS), and Dynamic Host Configuration Protocol (DHCP), or
through brute force password
guessing. An attacker may also attempt to exploit known
vulnerabilities in the router’s
operating software or protocols.
perform various types of DoS
attacks.
CSEC 640
Routers exchange information with each other to build their
own routing tables. Attackers use
this act of exchanging information as an opportunity to
destabilize or damage networks.

Introduction
Dynamic routing protocols such as Routing Information
Protocol (RIP), Open Shortest Path First
(OSPF), and Enhanced Interior Gateway Routing Protocol
(EIGRP) help determine the path of a
packet through a network without having to manually configure
it.
Routers build routing tables by exchanging routing information
with each other. When a packet
arrives at a router, it routes the packet based on this table.
Attackers try to inject bogus entries
into routing tables in an attempt to compromise network
stability. If a routing table is inaccurate,
packets could end up being dropped as they are routed to invalid
destinations. This significantly
decreases the stability of the network.
Example: Routing Table Modification
As seen in this diagram, if a router uses the RIP version 1
routing protocol that does not
implement authentication or is not correctly configured, an
attacker can send false routing
update packets to contaminate the routing table.
Without security measures in place, routers send routing
updates in clear text. This enables an
attacker to masquerade as a trusted neighbor, send a bogus
routing update, and pollute the
routing table.

CSEC 640
Preventing Routing Table Modification
Introduction
Network administrators can use routing protocols with
authentication to prevent attacks based
on unauthorized routing changes. Authenticated router updates
ensure that the update
messages come from a legitimate source.
The most commonly used form of authentication for routing
protocol updates is MD5
authentication. This method is used to detect any unauthorized
or false routing messages from
unknown sources. All dynamic routing protocols except RIP
version 1 implement MD5
authentication.
Step 1
Router A uses its routing update along with the preshared key as
an input to the hash function.
Then the hash function produces a keyed hash.

Step 2
Router A sends Router B a packet containing the keyed hash
along with the routing update.
Note that the routing update is clear text.
CSEC 640
Step 3
Router B uses the routing update from Router A as an input to
the hash function and obtains a
keyed hash from the hash function.
Step 4
Router B compares the keyed hash it generated on the routing
update, using the preshared key,
with the keyed hash received from Router A. If the two hash
values match, Router B knows two
things for certain:
(authentication).
not been modified in transit
(integrity).

CSEC 640
Activity: Routing Updates and MD5 Authentication
Introduction
Consider an example of a network that contains two routers:
Router A and Router B. Both
routers are running the dynamic routing protocol RIP version 2.
Network Path Analysis
The diagram shows the routing table of Router B. As seen in the
diagram, the dynamic routing
protocol RIP version 2 is currently running on both routers. RIP
version 2 is an enhanced
version of the RIP version 1 routing protocol. As is the case
with any dynamic routing protocol, a
router needs to send and receive routing updates to and from its
neighboring routers to build a
routing table.

Routing Table Analysis
A routing table contains multiple rows. Each row contains at
least two fields: a destination
address and the name of the interface where the IP packet
should be routed, or the IP address
of another router that will carry the IP packet on its next step
through the network.
For example, consider the routing table of Router B. We can
interpret the line starting with R in
the routing table as “to reach the destination network
172.16.0.0, which is a network behind
Router A, a packet must be forwarded to the interface
10.10.10.1 of Router A.”
To build a routing table, routers must exchange their routing
information with their neighboring
routers. In this example, Router A has only one network,
172.16.0.0/24, attached to itself.
Therefore, when Router A sends its routing update to Router B,
this network address,
172.16.0.0/24, must be included in the update payload.
In addition, when RIP version 2 is configured to support MD5
authentication, a keyed hash (also
called keyed message digest) is also included in Router A’s
routing update, along with the
routing update payload, which is clear text.
CSEC 640

Reference: Cain & Abel product screenshot reprinted with
permission from Massimiliano Montoro, the
developer of Cain & Abel.
CSEC 640
Workspace
Screenshot A
Screenshot B

CSEC 640
Question 1: Which of these screenshots shows an MD5
authenticated routing update sent by
Router A?
a. Screenshot A
b. Screenshot B
Feedback:
The routing update in Screenshot B has an Authentication:
Keyed Message Digest field. This
clearly indicates that this update is sent by Router A, which
supports MD5 authentication.
Question 2: The keyed hash or message digest value used in the
routing update is
54 ee c9 71 a1 dbea 33 ba 22 15 fb 2b af 20 8a.
a. True
b. False
Correct answer: Option a
Feedback:
The keyed hash or message digest value used in the routing
update is54 ee c9 71 a1 dbea 33
ba 22 15 fb 2b af 20 8a.In Screenshot B, you can see the

Authentication: Keyed Message
Digest field. In this authentication field, you can easily observe
a long numerical hash value “54
ee c9 71 a1 dbea 33 ba 22 15 fb 2b af 20 8a”. This hash value is
included in the Authentication
Data Trailer field within the Authentication: Keyed Message
Digest field.
Review
Step 1
Once again, consider the example of Router A and Router B,
both of which are running RIP
version 2. A keyed MD5 hash can also be cracked easily if a
system administrator uses a
simple password or preshared key to generate the keyed hash.
To illustrate the point, assume
that the password "flower" was used when configuring routers A
and B for MD5 authentication.
Also, assume that a packet sniffer, Cain & Abel, is being used
to sniff out a routing update
originating from Router A.
CSEC 640
Step 2

In sniffing mode, Cain & Abel sniffs routing updates and
produces an output as shown in this
screenshot. The fields shown include Router, Version, Auth
Type, and Last Hash. The Router
field contains two IP addresses: 10.10.10.1 and 10.10.10.2,
which belong to routers A and B
respectively, as shown previously in the network diagram. A
value of 2 in the Version field
indicates that RIP version 2 is running on both routers. The
value MD5 in the Auth Type field
implies that MD5 authentication is being used for keyed
hashing. Finally, the Last Hash field
shows the actual hash value being used.
CSEC 640
Step 3
Cain & Abel is first used in sniffing mode and then as a
password-cracking tool. Applying a
dictionary attack, the intruder can easily identify the password

“flower.”
Further Challenges
Measure the performance degradation or average delay time
caused by the MD5 authenticated
routing update with respect to EIGRP, RIP version 2, and OSPF
routing protocols. Which
routing protocol will suffer most from the performance
degradation as the number of routers
participating in routing updates increases?
CSEC 640
Topic 7: Summary
We have come to the end of Module 3. The key concepts

covered in this module are listed
below.
network (LANs). IEEE 802.3
Ethernet is the most predominant LAN standard.
source and destination IP
addresses. Layer 2 devices, such as switches, route an Ethernet
frame based on the
source and destination MAC addresses.
full MAC table that forces
the switch to flood all traffic on all active ports.
the MAC address of a victim
host by launching a MAC flooding attack on a LAN. The
attacker can then generate a
fake frame by putting the victim’s MAC address in the source
field of the fake frame. The
switch receives the fake frame from the attacker’s host and
updates its MAC table
accordingly.
the MAC address of a host,
given that its IP address is known.

e goal of an ARP spoofing attack is to enable the attacker
to sniff out all IP packets
sent to the target host.
table modification, also
known as a rerouting attack, is a common vulnerability unique
to routers. This attack
involves manipulating router updates to route traffic to
unwanted destinations.
protocol updates is MD5
authentication. This form of authentication is used to detect any
unauthorized or false
routing messages from unknown sources. All dynamic routing
protocols except RIP
version 1 implement MD5 authentication.
CSEC 640
Glossary

Term Definition
Address Resolution
Protocol (ARP)
Address Resolution Protocol (ARP) is a protocol used to
find the MAC address of a host when the IP address of the
host is known.
ARP Spoofing Attack An ARP spoofing attack is also known as
ARP poisoning.
The goal of such an attack is to enable the attacker to sniff
out all IP packets sent to the target host.
Content Addressable
Memory (CAM) Table
A switch relies on a forwarding table to forward a frame to a
destination MAC address. The forwarding table is called a
MAC address table or a content addressable memory
(CAM) table.
Denial of Service (DoS) DoS attacks flood a target site with
large volumes of traffic
using “zombie” servers. This flood of traffic consumes all of
the target site’s network or system resources and denies
access to legitimate users.
Dynamic Host
Configuration Protocol
(DHCP)
DHCP enables servers to distribute Internet Protocol (IP)
addresses and configuration data to clients in a network.

Domain Name System
(DNS)
The DNS translates Internet domain names such as
www.xyz.com into Internet Protocol (IP) addresses.
Enhanced Interior
Gateway Routing
Protocol (EIGRP)
EIGRP is an interior gateway protocol that enables efficient
exchange of routing updates between routers.
Ethernet Ethernet is a group of Layer 2 protocols for local area
network (LANs). IEEE 802.3 Ethernet is the most
predominant LAN standard. Usually, the term Ethernet is
used to signify IEEE 802.3.
Ettercap Ettercap is a network tool for carrying out man-in-the-
middle
attacks on a LAN.
Hypertext Transfer
Protocol (HTTP)
HTTP transmits Web pages to clients.
Media Access Control
(MAC) Address
A network interface card (NIC) has a unique address called
a Media Access Control (MAC) address. MAC addresses
are 48-bit long unique identifiers written into hardware
devices by their manufacturers. These addresses are

expressed as 12 hexadecimal digits and used by most
Layer 2 technologies including Ethernet.
MAC Flooding Attack In a MAC flooding attack, the attacker
creates a
permanently full MAC table that forces the switch to flood all
traffic on all active ports.
MACOF MACOF is a tool that can generate random MAC
addresses
to overload the switch of a network and access data
passing through the switch.
CSEC 640
Term Definition
MAC Spoofing Attack In a MAC spoofing attack, the attacker
first finds the MAC
address of a victim host by launching a MAC flooding attack
on a LAN. The attacker can then generate a fake frame by
putting the victim’s MAC address in the source field of the
fake frame. The switch receives the fake frame from the
attacker’s host and updates its MAC table accordingly.
MD5 Authentication The most commonly used form of
authentication for routing
protocol updates is MD5 authentication. This form of
authentication is used to detect any unauthorized or false

routing messages from unknown sources. All dynamic
routing protocols except RIP version 1 implement MD5
authentication.
Network Interface Card
(NIC)
A network interface card is a piece of hardware that is used
to connect a computer to a network.
Open Shortest Path First
(OSPF)
OSPF is a dynamic routing protocol that enables routers to
share routes with other routers.
Port Security Port security ties a given MAC address to a port
by
preventing any MAC addresses other than the
preconfigured ones from showing up on a secure port.
Routing Information
Protocol (RIP)
RIP is a dynamic routing protocol used by local area
homogenous networks to ensure that all hosts in the
network share the same routing path data.
Routing Table
Modification
Routing table modification, also known as a rerouting
attack, is a common vulnerability unique to routers. This
attack involves manipulating router updates to route traffic
to unwanted destinations.

Unicast Flood Protection The unicast flood protection feature
allows a system
administrator to set a limit on the number of unicast floods.
When flood protection detects unknown unicast floods
exceeding the predefined limit, it sends an alert and shuts
down the port that is generating the floods.
Yersinia Yersinia is a network tool designed to exploit
weaknesses in
LAN-based network protocols.
Discuss/describe one or more LAN based attacks (also known as
layer 2 attacks or lower layer attacks) which are not covered in
the Module 3, or share any additional thoughts you may have
on LAN based attacks covered in Module 3
Discuss/describe the port scanning and/or enumeration
techniques (attacks) not covered in Module 2. How can the
attacks you have described be detected and prevented?

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docx

More Related Content

Similar to UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docx (20)

More from willcoxjanay (20)

Recently uploaded (20)

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docx