Examples:those, who hold the keys to the Kingdom: • Jim Allchin, Microsoft's Windows chief said in Oct 2005,” I'd already been through lots of days of personal training on the tools that are used to do hacking.“ • Researcher Dan Kaminsky found him to be quite knowledgeable about Hashing. • Researcher Matt Conover, while talking about a fairly obscure type of problem called a "heap overflow”, asked the audience, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up. (Blue Hat Conference at Redmond in Oct 2005)
Internship: provides learning opportunities Internet and/or telecom protocols • TCP/IP stack • SIP (Session Initiation Protocol) • H.323 (ITU standard to allow telephones, on the public telephone network, to talk to computers, connected to Internet) • Server Message Block/Common Internet File System (CIFS), • Distributed Network Protocol (DNP3) Ref: http://www.dnp.org/ .
Learning Opportunities • Working of Internet communications equipment • how the communications channels, that the Internet communication equipment use, can be modified to compromise the system.
Learning Opportunities • Ruby language and its use in modeling network protocol stacks. • To create protocol implementations in “our” Ruby framework and then to apply protocol mutations to test systems for robustness and security vulnerabilities using an attack surface approach.
Security Threats • RFC 1244 identifies three distinct types of security threats associated with network connectivity: • Unauthorized access • A break-in by an unauthorized person. Break-ins may be an embarrassment that undermine the confidence that others have in the organization. Moreover unauthorized access one of the other threats:-- disclosure of information or --denial of service.
Classification of Security ThreatsReference: RFC 1244 • Disclosure of information • disclosure of valuable or sensitive information to people, who should not have access to the information. • Denial of service • Any problem that makes it difficult or impossible for the system to continue to perform productive work. Do not connect to Internet: • a system with highly classified information, or, • if the risk of liability in case of disclosure is great.
A secure system Intersection of • A system which is able to maintain confidentiality of data; • A system which is able to maintain integrity of data; • A system, which is available, whenever the user require it
Terminology of Hacking • Snooping (also called passive wire-tapping) • Active wire-tapping or man-in-the middle attack • Spoofing or Masquerading of a host or a service-provider (Distinguish it from Delegation) • Repudiation of origin or of creation of some file • Denial of receipt • Usurpation: unauthorized control
Threats for the Internet/ISP • propagate false routing entries (“black holes”) • domain name hijacking • link flooding • packet intercept • Phishing attacks: use e-mails that often appear to come from a legitimate e-mail address and include links to spoofed Web addresses. The receiver responds to the link, which takes the receiver to a site, other than what the receiver thinks he is going to. (announced by MS on 16 Dec 2003, as a problem with Internet Explorer).
Types of Security Threats: Additions • Denial of service • Illegitimate use • Authentication • IP spoofing • Sniffing the password • Playback Attack • Bucket-brigade attack ( when Eve substitutes her own public key for the public key of Bob in a message being sent by Bob to Alice) • Generic threats: Backdoors, Trojan horses, viruses etc
DNS FTP TELNET SMTP RIP OSPF BGP UDP TCP ICMP IP ARP RARP Data Link Layer Physical Layer
Ethernet Type ARP 080616 RARP 803516 IP 080016 IP Protocol OSPF 89 UDP 17 TCP 6 ICMP 1 UDP Ports RIP 520 DNS 53 TCP Ports BGP 179 DNS 53 SMTP 25 TELNET 23 FTP 21 HTTP 80 HTTP PROXY 8080
Session Initiation Protocol (SIP) • a signalling protocol used for establishing sessions in an IP network. • A session may be • a simple two-way telephone call or • a collaborative multi-media conference session.
Uses of SIP • VoIP telephony • voice-enriched e-commerce, • web page click-to-dial, • Instant Messaging with buddy lists References: 1. RFC 3261 2.http://www.sipcenter.com/sip.nsf/html/What+Is+SIP+Introduction
Session Initiation Protocol VoIP uses the following standards and protocols: • to ensure transport (RTP), • to authenticate users (RADIUS, DIAMETER), • to provide directories (LDAP), • to be able to guarantee voice quality (RSVP, YESSIR) and • to inter-work with today's telephone network, many ITU standards
H.323 and H.248 • H.323 (ITU standard to allow telephones, on the public telephone network, to talk to computers, connected to Internet) • used for local area networks (LANs), but was not capable of scaling to larger public networks. • H.248 also called MEGACO: • Media Gateway Control Protocol (Megaco) --- the name used by IETF • H.248 – the name used by ITU-T Study Group 16
H.248/MEGACO • MEGACO: a standard protocol for handling the signaling and session management needed during a multimedia conference. • defines a means of communication between a media gateway, which converts data from the format required for a circuit-switched network to that required for a packet-switched network, and the media gateway controller. References: 1.RFC 3015 2. http:// searchnetworking.techtarget.com/ sDefinition/0,,sid7_ gci817224,00.html as of 12th Oct 2006
Stream Control Transmission Protocol (SCTP) SCTP: • a reliable transport protocol operating on top of IP. • It offers acknowledged error-free non-duplicated transfer of datagrams (messages). • Detection of • data corruption, • loss of data and • duplication of data is achieved by using checksums and sequence numbers. A selective retransmission mechanism is applied to correct loss or corruption of data.
Difference between SCTP and TCP • difference with to TCP: multihoming and the concept of several streams within a connection. Where in TCP a stream is referred to as a sequence of bytes, an SCTP stream represents a sequence of messages (and these may be very short or long). • References: 1. SCTP for beginners http://tdrwww.exp-math.uni-essen.de/inhalt/forschung/sctp_fb/index.html as of Oct 12/2006 • 2. http://www.sctp.org/ 3. RFC2960
DNP3 • Protocols define the rules by which devices talk with each other. • DNP3 is a protocol for transmission of data from point A to point B using serial and IP communications. • used primarily by utilities such as the electric and water companies for SCADA (Supervisory Control and Data Acquisition) applications. • provides rules for remotely located computers (at sub-stations) and master station computers (at operations center) to communicate data and control commands.
Server (or Sessions) Message Block (SMB): A File-sharing protocol • Windows (95, 98, NT), OS/2 and Linux machines (running SAMBA): use SMB • Developed jointly by MS, IBM and Intel • SMB: provides a method for client applications on a computer • to read and to ‘write to’: files on servers in the network • to request services from servers in the network
SMB • SMB: can be used over the • Internet (through the TCP/IP protocol) or • over the local network (through the IPX and the NetBEUI/ NetBIOS protocols); • SMB: Windows equivalent to Sun's Network File System (NFS).
Ports used by SMB on TCP/IP • UDP/137 is used for name resolution and registration • UDP/138 is used for browsing • TCP/139 is used for the main file and print sharing transactions Windows 2000 and XP: port 445 (In/Out): Allows remote administration and monitoring using Windows Management Instrumentation (WMI).
SAMBAReference: Robert Eckstein, David Collier-Brown, and Peter Kelly, Using Samba , O'Reilly and Associates, 1999 • "Samba is a suite of Unix applications that speak the SMB (Server Message Block) protocol.” • Many operating systems, including Windows and OS/2, use SMB to perform client-server networking. • By supporting this protocol, Samba allows Unix servers to get in on the action, communicating with the same networking protocol as Microsoft Windows products. Thus, a Samba-enabled Unix machine can masquerade as a server on your Microsoft network
SAMBAReference: Samba-3 by Example by John H. Terpstra http://us1.samba.org/samba/docs/man/Samba-Guide/preface.html#id2504950 • an open source software • can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. • uses the TCP/IP protocol that is installed on the host server. • help you implement Windows-compatible file and print services.
Using SambaReference: http://www.roseindia.net/linux/tutorial/linux-howto/SMB-HOWTO-2.html One can use Samba to • Share a Linux drive with Windows machines. • Access an SMB share with Linux machines. • Share a Linux printer with Windows machines. • Share a Windows printer with Linux machines. • allow a Linux host to interact with a Microsoft Windows client or server as if the host were a Windows file and print server, when correctly configured.
Services offered by a SAMBA enabled UNIX machine • Share one or more filesystems • Share printers installed on both the server and its clients • Assist clients with Network Neighborhood browsing • Authenticate clients logging onto a Windows domain • Provide or assist with WINS name server resolutionSamba: the brainchild of Andrew Tridgell, Samba development team, Canberra, Australia. Reference: http://us1.samba.org/samba/
References • http://us1.samba.org/samba/docs/SambaIntro.html • http://www.rxn.com/services/faq/smb/using_samba/html/ch03_01.htm • A DNP3 Protocol Primer at http://www.dnp.org/About/DNP3%20Primer%20Rev%20A.pdf • How to of networking • http://tldp.org/HOWTO/HOWTO-INDEX/networking.html
Ports used by Real Time Streaming Protocol (RTSP) • TCP/554 (In/Out): Used for accepting incoming RTSP client connections and for delivering data packets to clients that are streaming by using RTSPT. • UDP/5004 (Out): Used for delivering data packets to clients that are streaming by using RTSPU. • UDP/5005 (In/Out): Used for receiving packet loss information from clients and providing synchronization information to clients that are streaming by using RTSPU.
IP – 5 layer DoD model • Layering – 5 layer DoD model APPLICATION TRANSPORT INTERNET NETWORK INTERFACE PHYSICAL
UDP TCP IP and the Internet Architecture OSI Model Internet Architecture Application Application Presentation Session Transport Internet addressing, routing Network IP Data Link Network Ethernet, Token Ring, etc.Bridging and switching Physical
Ethernet Frame for ARP packet: Ethernet-type for ARP 080616 HA S E N D E R O P E R A T I O N IP Add T A R G E T P A D D I N G IP Add S E ND E R HA T A R G E T P T Y P E P S I Z E H S I Z E H T Y P E T Y P E C R C HA DEST HA SRC 6 2 1 2 6 4 6 4 18 4 6 2 2 1 ARP message
IEEE 802.3 Standard Dest add Src add data preamble type crc 8 6 6 2 46B – 1500B 4 bits 368-12,000 FRAME 16 bits CRC – Cyclic Redundancy Check
Ethernet parameters • Type – • Self-identifying -> e.g. 1. for an ARP message, type=080616 2. For RARP message, type = 803516 3. For an IP message, type = 080016
IP Address Net id Host id Cl-Number of bits in available n/w addresses assnet-ID host-IDlr-limit Upr-limit A 0 7+ 24 0.0.0.0 127.0.0.0 (188.8.131.52)* (184.108.40.206)* B 1 0 14+ 16 220.127.116.11 18.104.22.168 C 1 1 0 21+ 8 192.0.0.0 22.214.171.124 ---------------------------------------------------------------------------------------------------- D 1 1 1 0 m-cast 126.96.36.199 188.8.131.52 (used only as DEST add) E 1 1 1 1 0 reserved 240.0.0.0 255.255.255.254 * After taking into account the addresses Reserved for SPECIAL cases.
IP Addresses (contd) Class Max no of N/W Max no. of Hosts A 126 networks with 16m hosts each (27-2) (224-2=16,777,214) B 16384 networks with 64 k hosts each (64*256)=(214) (216-2=65,534) C 2,097,152 254 (32*256*256)=(221) (28-2=254)
Addresses per class Class No. of Addresses %age A 231=2,147,483,648 50 B 230=1,073,741,824 25 C 229= 536,870,912 12.5 D 228= 268,435,456 6.25 E 228= 268,435,456 6.25
Special IP addresses Net-id host-id Type Purpose All zeroes all zeroes this comp on this n/w bootstrap (SRC add only) specific all zeroes this n/w identifies a n/w (cant be a SRC/DST add) specific all ones directed broadcast on a specific net All ones all ones limited broadcast to on the local net CLASS E (Blocked by Router) all hosts on this n/w 127 any loop-back testing (Blocked by Machine) All zeroes specific specific host on this n/w (Blocked by Router)(DEST address only) 127.x.y.z : loop-back address,not a n/w address.DEST add only. Message does not leave the machine.
Special Multicast cases - • Categories : 224.0.0.x e.g. All Routers which use a particular category. • Conferencing : 224.0.1.x
Free IP addresses for Intranets Private internets : Class net-id no. of nets A 10.0.0.0 1 B 172.16.0.0 to 172.31.0.0 16 C 184.108.40.206 to 220.127.116.11 256
Conventions for IP addressing From the study of special IP addresses: • Net-id cannot begin with 127 • First octet cannot be 255 in a net-id • First octet cannot be 0 in a net id • Group computers by Types / departmets • Address Routers starting with Low numbers and Hosts starting with High numbers
IP Address Net id Host id Cl-Number of bits in available n/w addresses assnet-ID host-IDlr-limit Upr-limit A 0 7+ 24 0.0.0.0 127.0.0.0 (18.104.22.168)* (22.214.171.124)* B 1 0 14+ 16 126.96.36.199 188.8.131.52 C 1 1 0 21+ 8 192.0.0.0 184.108.40.206 ---------------------------------------------------------------------------------------------------- D 1 1 1 0 m-cast 220.127.116.11 18.104.22.168 (used only as DEST add) E 1 1 1 1 reserved 240.0.0.0 255.255.255.254 * After taking into account the addresses Reserved for SPECIAL cases.
0 VERS Version of IP PROTOCOL HLEN LENGTH of HEADER in 32 bit words
VERS version of IP 4 HLEN length of header in 32 bit words TYPE OF SERVICE 0 1 2 3 4 5 6 7 D: Minimize delay R: Maximize Reliability T: Maximize throughput C: Minimize Cost PRECEDENCE 0 for Normal : : 7 for Network Control PRECEDENCE D T R C Unused
Precedence and TOS bits • Precedence (3 bits ): • 000 lowest priority 111 highest priority • (The highest priority may be accorded to the network management messages) • If a Router is congested, it may discard messages of lower precedence. • This is not a required field in Ver.4. • TOS bits: Only one bit ( out of 4 ) can be set at a time.
There are 5 types of services: • 0000 Normal • 0001 Minimize Cost • 0010 Maximize reliability • 0100 Maximize throughput • 1000 Minimize delay • Background activities need minimum costs. • Activities that send bulk data require maximum throughput
Management activities require maximum reliability. • Activities requiring • immediate attention, • activities requiring immediate response and Control/Command messages like Remote Login commands require minimum of delay • IP v4 does not guarantee the TOS requested by a host.
PROTOCOL Informs about the Protocol used by the Upper Layer; tells us about the nature of data • Value of Protocol field in IP datagram: • PROTOCOL VALUE • ICMP 1 • IGMP 2 • IP in IP 4 • TCP 6 • EGP 8 • UDP 17 • IP v6 41 • OS PF 89