Application Layer Security - PowerPoint PPT Presentation


    Presentation Transcript
    1. NETE4630 Application Layer Security, Lecture 8. Supakorn Kungpisdan, supakorn@mut.ac.th

    2. Outline
    • FTP Security
    • DNS Security
    • Web Application Security

    3. FTP Security Issues
    • All traffic is transmitted in clear text
    • Weak configuration of FTP allows brute-force and dictionary attacks
    • Anonymous access may be enabled on the FTP server
      • If file permissions are not set, an anonymous user may be able to read, overwrite, or delete files, leading to loss of confidentiality, integrity, and availability of data
      • If anonymous access is used on a server, make sure that the proper restrictions are enforced for this user

    4. Types of FTP
    • Active FTP
      • Control connection is initiated by the FTP client
      • Data connection is initiated by the FTP server
    • Passive FTP
      • Control connection is initiated by the FTP client
      • Data connection is initiated by the FTP client

    5. Active FTP
    • The client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. The client also sends the FTP command PORT N+1 from port N to port 21 at the FTP server. The client then starts listening on port N+1
    • The server returns its response from port 21 to port N at the client
    • The server then connects back to the client's specified data port from its local data port (port 20), i.e. to the client at port N+1
    Ref: http://slacksite.com/other/ftp.html

    6. Active FTP (cont.)
    [Screenshot of an FTP session run with the debug command enabled; client data port = (14*256)+178 = 3762. Letters in red show client input, letters in black show server output]

    7. Active FTP (cont.)
    • The client's command port contacts the server's command port (port 21) and sends the command PORT 1027 (N+1).
    • The server sends an ACK back from its port 21 to the client's command port (port 1026, i.e. port N).
    • The server initiates a connection from its local data port (port 20) to the data port the client specified earlier (port 1027).
    • The client sends an ACK back from port 1027 to the server's port 20.

    8. Firewall vs. Active FTP
    • From the server-side firewall's standpoint, to support active-mode FTP the following communication channels need to be opened:
      • FTP server's port 21 from anywhere (client initiates connection)
      • FTP server's port 21 to ports > 1023 (server responds to client's control port)
      • FTP server's port 20 to ports > 1023 (server initiates data connection to client's data port)
      • FTP server's port 20 from ports > 1023 (client sends ACKs to server's data port)

    9. Problems of Active FTP
    • The FTP client doesn't make the actual connection to the data port of the server
    • The FTP client simply tells the server what port it is listening on (N+1) and waits for the server to connect back to the specified port on the client
    • To a client-side stateful firewall, this appears to be an outside system initiating a connection to an internal client
    • This connection may be blocked
    • Because the server initiates the data connection, the server may connect to a different client

    10. Passive FTP
    • To solve the problem of active FTP, use passive FTP
    • When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1)
    • Port N contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client issues the PASV command
    • The server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client
    • The client then initiates the connection from port N+1 to port P on the server to transfer data

    11. Passive FTP (cont.)
    [Screenshot of a passive-mode FTP session; client data port = (195*256)+149 = 50069. The server specifies the port number]

    12. Passive FTP
    • The client contacts the server on the command port (port N=1026) and issues the PASV command.
    • The server then replies with PORT 2024, telling the client which port it is listening on for the data connection.
    • The client then initiates the data connection from its data port (N+1=1027) to the specified server data port (port 2024).
    • The server sends back an ACK (from its port 2024) to the client's data port (port 1027).
    Because the client initiates the data connection to the FTP server, the connection will not be blocked by the client-side firewall

    13. Firewall vs. Passive FTP
    • From the server-side firewall's standpoint, to support passive FTP the following communication channels need to be opened:
      • FTP server's port 21 from anywhere (client initiates connection)
      • FTP server's port 21 to ports > 1023 (server responds to client's control port)
      • FTP server's ports > 1023 from anywhere (client initiates data connection to the random port specified by the server)
      • FTP server's ports > 1023 to remote ports > 1023 (server sends ACKs (and data) to client's data port)

    14. Problems of Passive FTP
    • The FTP server needs to allow remote connections to high-numbered ports on the server.
    • Fortunately, many FTP daemons, including the popular WU-FTPD, allow the administrator to specify the range of ports which the FTP server will use.
    • Not all FTP clients support passive mode.

    15. FTP Bounce Scan
    • The FTP bounce attack uses a third workstation to act as a proxy between the nmap host and the destination station.
    • With passive FTP, a user could send a PORT command to an FTP server that would direct the data towards a completely different host!
    • The FTP bounce attack takes advantage of such poorly configured FTP servers (no control over the range of FTP ports)
    • The data is BOUNCED from the FTP server to the target host

    16. FTP Bounce Scan (cont.)
    [Diagram of the bounce scan: the FTP server's data connection reaching a closed port on the target vs. an open port]

    17. Advantages of FTP Bounce Scan
    • The FTP bounce attack can scan "through" a firewall.
    • The FTP bounce attack uses standard FTP functionality. Nmap does not require specialized packet configurations or changes to the FTP protocol.
    • Therefore, the FTP bounce attack does not require any privileged access.

    18. Disadvantages of FTP Bounce Scan
    • The FTP bounce attack depends on the availability of an FTP server that allows a PORT command to redirect the data connection to a third device.
    • Most FTP servers have a default configuration that protects against this use of the PORT command

    19. Other FTP Bounce Attacks
    • When using active FTP, a client uses the PORT command to specify the IP address and port number that the server should connect to for the data connection
    • An attacker with access to an FTP server can bounce through the server by specifying someone else's IP address
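    The port arithmetic on slides 6 and 11 and the server-side defence against the bounce on slides 15-19, as an added example that is not from the lecture: a parser for the h1,h2,h3,h4,p1,p2 field carried by a PORT argument or a PASV reply, and the check an FTP server applies before honouring a PORT command (refuse any address other than the control connection's peer, and refuse privileged ports). The control_peer_ip value and the sample addresses are constructed for illustration.

```python
import re

# The six decimal fields carried by a PORT argument and by a "227 Entering Passive Mode"
# reply: h1,h2,h3,h4,p1,p2 -> address h1.h2.h3.h4, port p1*256 + p2 (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from a PORT argument or PASV reply; 14,178 gives 3762 as on slide 6."""
    match = _HOSTPORT.search(text)
    if match is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {text!r}")
    fields = [int(x) for x in match.groups()]
    if max(fields) > 255:
        raise ValueError(f"field out of range in {text!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_port_command(port_arg, control_peer_ip):
    """Server-side policy for an incoming PORT command; returns (accepted, reason).

    Refusing any address other than the control connection's peer is what denies
    the bounce described on slides 15-19; refusing ports below 1024 keeps the
    server's port 20 from being aimed at the peer's own privileged services.
    control_peer_ip is the address the control connection came from (constructed here).
    """
    try:
        ip, port = parse_hostport(port_arg)
    except ValueError as exc:
        return False, str(exc)
    if ip != control_peer_ip:
        return False, f"data address {ip} is not the control peer {control_peer_ip} (bounce attempt)"
    if port < 1024:
        return False, f"privileged data port {port} refused"
    return True, f"data connection to {ip}:{port} allowed"
```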

    20. Outline
    • FTP Security
    • DNS Security
    • Web Application Security

    21. Domain Name System
    • DNS is a distributed database that holds the information for mapping host names to IP addresses
    • DNS uses both UDP and TCP.
      • UDP is typically used for queries, unless the lookup or response is greater than 512 bytes
      • TCP is used for lookups and for zone transfers
    • The integrity and availability of DNS are critical for the health of the Internet. It is used in conjunction with almost every other protocol on the Internet
    • Availability was considered while designing DNS; security was not

    22. DNS Request

    23. DNS Response

    24. DNS Lookup Process
    [Diagram: Host A and Host A's authoritative name server, steps 1-2]
    1. Host A sends a request to the resolver (at Host A). It checks the local cache and may check the hosts file
    2. The resolver at Host A forwards the request to its authoritative name server

    25. DNS Non-recursive Query
    [Diagram: Host A, Host A's authoritative name server, Host B's authoritative name server, Host B; steps 1-5]
    3. Find the address of the authoritative name server of the requested domain and return its address to the resolver

    26. DNS Recursive Query
    [Diagram: Host A, Host A's authoritative name server, Host B's authoritative name server, Host B; steps 1-5]
    3. The server finds the address of the authoritative name server of the requested domain, passes the request on to that server, and returns the response to the resolver

    27. DNS Recursive Query (cont.)

    28. DNS Hierarchy (Recursive Query)
    [Diagram: resolver, .com TLD server and authoritative name servers, steps 1-8; step 1 is a recursive query, step 2 a non-recursive query]
    What happens if (2) is a recursive query?

    29. DNS Utilities
    • Most OSes come with a tool called nslookup, capable of querying DNS servers for various types of information
    • The dig tool that ships with UNIX has similar capabilities

    30. Name-to-IP Lookup

    31. MX Lookup with nslookup

    32. DNS Security Issues
    • DNS lacks authentication and integrity checking
    • Due to the lack of authentication, attackers can spoof DNS messages to perform a variety of attacks
    • Due to the lack of integrity checking, attackers can intercept and modify messages in transit

    33. DNS Zone Transfer
    • For redundancy, administrators deploy both primary and secondary name servers that contain the same DBs
    • To keep its DB synchronized with the primary name server, the secondary name server periodically connects to the primary name server on port 53/TCP and grabs the DNS records
    • This process is called a Zone Transfer

    34. DNS Information Gathering
    • DNS can provide a great deal of information about the target network and its hosts
    • One of the common insecure configurations with DNS is allowing anyone to perform zone transfers against one of a domain's DNS servers
    • If an attacker can perform a zone transfer with the primary or secondary name servers for a domain, he/she will be able to view all DNS records for that domain
    • See a demo at http://www.mindterra.com/blog/?p=179
    • Solved by specifying the IP addresses that are allowed to perform zone transfers, or by using Transaction Signatures (TSIG)

    35. DNS Cache Poisoning
    • Both DNS clients and servers cache responses for a period of time in order to increase performance and reduce network traffic
    • If an attacker can spoof a response to a DNS request, he/she may be able to contaminate the DNS cache with an incorrect record
    • This process is known as DNS cache poisoning
    • The only real defense built into DNS is the use of a random Transaction ID and source port
    • Some versions of BIND use Transaction IDs that are not sufficiently random, and some use sequential Transaction IDs
    • BIND 9 Cache Poisoning

    36. DNS Cache Poisoning Example
    [Figure from http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html]

    37. How to Check for the Vulnerability
    • To see if one's own DNS server has a DNS cache poisoning vulnerability, the operator should ask three questions. If any of them is answered positively, the DNS cache server is unpatched or has a problem in its configuration.
      • A. The port number used by DNS queries is not randomized
      • B. The ID number used for DNS queries is not randomized
      • C. The DNS server is allowed to reply to recursive DNS queries originating from the outside
    Ref: http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html

    38. Checking Port Randomness
    • If randomization of the port number used by DNS queries is insufficient, the risk of the server getting poisoned becomes higher.
    • Try a web-based DNS randomness test tool: https://www.dns-oarc.net/oarc/services/dnsentropy
    Ref: http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html

    39. Web-based DNS Randomness Test

    40. Web-based DNS Randomness Test (cont.)

    41. Check Transaction ID Randomness
    • If randomization of the ID number for DNS queries is insufficient, the risk of the server getting poisoned becomes higher.
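    An added example (not part of the lecture or of the IPA advisory it cites) of the port- and ID-randomness checks on slides 37-41, done offline on a batch of the cache server's own outgoing queries instead of through the web tool: it parses the 12-byte DNS header to pull the transaction ID out of each query and flags a fixed source port or sequential IDs. The two sample batches and the thresholds min_distinct and max_sequential are constructed assumptions for this example.

```python
import random
import struct


def parse_dns_header(packet):
    """Return (transaction_id, recursion_desired) from the 12-byte DNS header (RFC 1035)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    return txid, bool(flags & 0x0100)  # RD is bit 8 of the flags word


def build_query(txid, qname, rd=True):
    """Constructed A/IN query (header + question) standing in for captured traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def assess_randomness(samples, min_distinct=0.9, max_sequential=0.2):
    """samples: list of (udp_source_port, query_bytes) seen leaving the cache server.

    Returns a list of findings; an empty list means both values vary enough.
    The thresholds are assumptions chosen for this example, not from the advisory.
    """
    if not samples:
        return ["no queries captured"]
    ports = [port for port, _ in samples]
    ids = [parse_dns_header(query)[0] for _, query in samples]
    findings = []
    for name, values in (("source port", ports), ("transaction ID", ids)):
        distinct = len(set(values))
        if distinct / len(values) < min_distinct:
            findings.append(f"{name}: only {distinct} distinct values in {len(values)} queries")
        steps = sum(1 for a, b in zip(values, values[1:]) if b == a + 1)
        if len(values) > 1 and steps / (len(values) - 1) > max_sequential:
            findings.append(f"{name}: {steps} of {len(values) - 1} successive queries increment by one")
    return findings


def weak_sample(n=64):
    """Constructed batch: fixed source port 53 and sequential IDs (the pattern slide 35 warns about)."""
    return [(53, build_query(1000 + i, f"host{i}.example.com")) for i in range(n)]


def randomized_sample(n=64, seed=7):
    """Constructed batch: a fresh high source port and a random 16-bit ID per query."""
    rng = random.Random(seed)
    return [(rng.randint(1024, 65535), build_query(rng.getrandbits(16), f"host{i}.example.com"))
            for i in range(n)]
```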

    42. Checking Recursive Query Replies
    • Essentially, a DNS server (DNS content server) should not reply to recursive DNS queries originating from the outside.
    • Even if the server also acts as a DNS cache server, recursion should be limited to queries originating within the domain.
    • The operator can use the "Cross-Pollination Scan" tool by IANA to check the DNS server for issue C (the third question above).
    • Specify the domain name(s) owned by the organization and send a test query: http://recursive.iana.org/
    Ref: http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html

    43. Checking Recursive Query Replies

    44. DNS Cache Snooping
    • The recursion bit in a query tells the DNS server whether it is a recursive or a non-recursive query
    • The remote DNS server may answer queries for 3rd-party domains that do not have the recursion bit set.
    • This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
    Ref: www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf

    45. Possible Scenario
    • If an attacker was interested in whether your company uses the online services of a particular bank, they could use this attack to build a statistical model of the company's usage of that bank.
    • This attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...
    • Two techniques are available: using non-recursive queries and using recursive queries
    • Some DNS servers allow both types of queries, but some allow only recursive queries to be made

    46. DNS Cache Snooping with Non-recursive Queries
    [Screenshot: the attacker queries ns1.tvcabo.pt for www.sidestep.pt. ns1.tvcabo.pt does not have the entry in its local cache; it returns no answer, but gives a list of .pt TLD name servers for further questions]

    47. DNS Cache Snooping with Non-recursive Queries (cont.)
    • The fact that ns1.tvcabo.pt does not have the entry in its local cache means that no host under ns1.tvcabo.pt has communicated with www.sidestep.pt before.
    • Thus, this organization does not use services provided by www.sidestep.pt

    48. DNS Cache Snooping with Non-recursive Queries (cont.)
    • If the attacker executes the same query again, check the response
    [Screenshot: this time ns1.tvcabo.pt has the entry cached, so it returns the answer]

    49. DNS Cache Snooping with Recursive Queries
    • Used to determine with some degree of precision (not 100% certainty) whether a given record is present in the cache
    • However, this will pollute the cache
      • If a given record is not present in the cache, it will be after the first query is made
      • This is because a recursive query will always return the answer for the given record

    50. DNS Cache Snooping with Recursive Queries
    • Try to see if www.sidestep.pt was cached in ns1.tvcabo.pt
    • Query ns1.tvcabo.pt for www.sidestep.pt and record the TTL