
NETWORK ATTACKS

BCIS 4630 Fundamentals of IT Security. Dr. Andy Wu.


Presentation Transcript


  1. NETWORK ATTACKS. BCIS 4630 Fundamentals of IT Security. Dr. Andy Wu.
  2. Overview. Denial of service attacks: flood attacks, DDoS. ARP poisoning. The attack process: information gathering, scanning, Nmap.
  3. Network Attacks. Attacks that take advantage of inherent flaws in network protocols (e.g., TCP/IP), are launched over networks, and/or target networked systems as victims. They may also exploit programming flaws, such as using a buffer overflow to take control of a server.
  4. Denial-Oriented Network Attacks. Denial-of-service (DoS): the attacker sends a large number of connection or information requests to a target. The target system cannot handle other, legitimate service requests. May result in a system crash or inability to perform ordinary functions. Distributed denial-of-service (DDoS): a coordinated stream of requests is launched against the target from many locations simultaneously.
  5. SYN Flood. Goal: to overwhelm the target with SYN packets. Works by taking advantage of the TCP three-way handshake: the attacker initiates a connection with a SYN packet; the target replies with a SYN/ACK packet; the attacker doesn’t reply with an ACK packet.
  6. Flood Attacks. The basic approach to creating a DoS attack is to consume the limited resources of a computer or a network by transmitting a large number of packets as quickly as possible. A flood attack can take the following forms: sending connection requests, consuming the bandwidth, or consuming the target’s local resources.
  7. SYN Flood. The number of connections a system can support is finite: typically 128 to 1024 “slots” in the connection queue. Once the target sends the SYN/ACK response, it waits for the third step in the handshake to happen. The timeout value often is > 1 min. by default. If the attacker sends requests faster than the timeout period eliminates them, the system is filled with requests. A SYN flood creates numerous half-open connections that take up “slots” in the queue. Once the queue is filled up, further requests will be dropped and legitimate users who want to connect to the target system will not be able to do so.
  8. SYN Flood. Many SYN flood tools send SYN packets using a spoofed (fake) source address, both to hide the identity of the attacker and to help ensure that the connection queue gets filled. If the address is not assigned to a real host, the target will never receive the ACK packet. If the address is used by a real host, the host whose address was spoofed will receive the SYN/ACK packet from the target; however, since that host never initiated a connection, it will send a RST packet to the target to refuse the connection. Thus attackers prefer bogus addresses.
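The queue arithmetic of slides 7 and 8, as an added example that is not part of the original slides: a small Python model of the half-open connection queue, with the queue size and timeout taken from the slides and the attack rate a constructed figure. The `syn_cookies` flag is an assumption added here to stand in for the kernel-side mitigation that keeps no per-SYN state.

```python
from dataclasses import dataclass, field

@dataclass
class HalfOpenQueue:
    """The listening socket's connection queue: each entry is a half-open
    (SYN_RECV) connection waiting for the client's ACK."""
    slots: int                    # 128 to 1024 on slide 7
    timeout: float                # seconds before a half-open entry is discarded
    syn_cookies: bool = False     # assumed mitigation flag: keep no per-SYN state
    pending: list = field(default_factory=list)   # expiry time of each entry

    def accept_syn(self, now):
        """True if the SYN gets a slot (SYN/ACK is sent), False if it is dropped."""
        if self.syn_cookies:
            return True           # state lives in the SYN/ACK sequence number instead
        self.pending = [exp for exp in self.pending if exp > now]   # timed-out entries leave
        if len(self.pending) >= self.slots:
            return False
        self.pending.append(now + self.timeout)
        return True

def simulate_flood(slots, timeout, syn_per_sec, legit_at, syn_cookies=False):
    """Send spoofed SYNs (never ACKed, slide 8) at a steady rate until time
    `legit_at`, then report whether a legitimate SYN still gets a slot."""
    queue = HalfOpenQueue(slots, timeout, syn_cookies)
    dropped = 0
    for i in range(int(legit_at * syn_per_sec)):
        if not queue.accept_syn(i / syn_per_sec):
            dropped += 1
    return {"legit_accepted": queue.accept_syn(legit_at),
            "attack_syns_dropped": dropped}

def seconds_to_fill(slots, timeout, syn_per_sec):
    """Closed form of the same race: None if timeouts drain the queue at least
    as fast as the flood refills it, otherwise the time until it is full."""
    if syn_per_sec * timeout <= slots:
        return None
    return slots / syn_per_sec

if __name__ == "__main__":
    print(simulate_flood(1024, 60, 100, 30))        # flood at 100 SYN/s wins
    print(simulate_flood(1024, 5, 100, 30))         # shorter timeout keeps up
    print(simulate_flood(1024, 60, 100, 30, True))  # SYN cookies: no queue to fill
```

With the slide's defaults (1024 slots, 60 s timeout) a flood of only 100 SYN/s fills the queue in about ten seconds; cutting the timeout or enabling SYN cookies is what lets the legitimate SYN through.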
  9. Distributed Denial of Service. A DoS attack implemented by staging a DoS attack against a target from multiple systems simultaneously. Takes advantage of the distributed nature of the Internet to create a massive flood of packets against the victim. The attacker first breaks into and gains control of a large number of machines (“zombies”, “bots”, or “agents”). The attacker installs zombie software (“daemon”) on the zombies; popular programs include Tribe Flood Network (TFN), Trin00, and Stacheldraht. This can be carried out by a worm or virus. Daemons on the zombies wait for commands from a master.
  10. Botnets. A bot is a program that surreptitiously installs itself on a computer so it can be controlled by an attacker. A botnet is a network of robot, or zombie, computers. Attackers can harness their collective power to do damage or to send out huge amounts of junk e-mail.
  11. DDoS: Raising the Dead. The attacker communicates with a small number of “masters” via control software (“client”) installed on those masters. The attacker uses the masters to summon the zombies to life and orders all the zombies to wage an attack simultaneously. The commands are often issued into a shared IRC (Internet Relay Chat) channel used by all of the attacker’s zombies. When the zombies receive their masters’ command, they spring into action and conduct a DoS attack against the target. The two layers of communication (attacker-master, master-zombie) make it difficult to hunt down the attacker.
  12. Distributed Denial of Service
  13. Man-in-the-Middle Attacks. Man-in-the-middle: the attacker monitors network packets, modifies them, and inserts them back into the network. It is technically possible for the attacker to control what data are sent between the two hosts. Can be achieved by ARP poisoning: the attacker sets up two NICs and sends packets to each host, falsely notifying the host of the other host’s MAC address, which in fact belongs to one of the attacker’s NICs.
  14. ARP Poisoning. Computers resolve IP addresses to MAC addresses using ARP. The IP-MAC mappings are stored in the ARP cache for a limited amount of time; after it times out, a record is deleted from the cache, and resolution has to be done again if a packet needs to go to that IP. Computers welcome unsolicited updates of the mappings (just like websites and the postal service welcome your unsolicited update of your address).
  15. ARP Poisoning. An attacker can “poison” a computer’s ARP cache by sending it a bogus record mapping a target’s IP address to the attacker’s MAC address. Packets going from the “duped” computer to the target will then be sent to the attacker.
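A model of the cache behaviour on slides 14 and 15, added here and not part of the original slides: a constructed trace of ARP replies is applied to a cache with expiry to show where the duped host's packets go, and a flip detector flags the IP whose advertised MAC changes, which is the check an ARP monitor makes. The timeout, IPs and MACs are constructed values.

```python
from collections import namedtuple

# One ARP reply as seen on the wire: time, and the IP -> MAC mapping it advertises.
ArpReply = namedtuple("ArpReply", "t sender_ip sender_mac")

ARP_TIMEOUT = 60.0   # seconds an entry stays cached (constructed value)

class ArpCache:
    """A host's ARP cache: entries expire, and unsolicited replies are
    accepted exactly like solicited ones, as slide 14 describes."""
    def __init__(self, timeout=ARP_TIMEOUT):
        self.timeout = timeout
        self.entries = {}          # ip -> (mac, expiry time)

    def update(self, reply):
        self.entries[reply.sender_ip] = (reply.sender_mac, reply.t + self.timeout)

    def lookup(self, ip, now):
        """MAC the host would put on a frame to `ip` at time `now`, or None
        if the entry is missing or timed out (resolution is redone)."""
        mac, expiry = self.entries.get(ip, (None, 0.0))
        return mac if expiry > now else None

def resolve_after_trace(trace, dst_ip, now):
    """Feed every reply seen up to `now` into a fresh cache, then resolve."""
    cache = ArpCache()
    for reply in trace:
        if reply.t <= now:
            cache.update(reply)
    return cache.lookup(dst_ip, now)

def detect_mac_flips(trace):
    """Monitor-side check: report each reply that changes the MAC already
    advertised for an IP (the signature of the poisoning on slide 15)."""
    last_seen, alerts = {}, []
    for reply in trace:
        prev = last_seen.get(reply.sender_ip)
        if prev is not None and prev != reply.sender_mac:
            alerts.append((reply.t, reply.sender_ip, prev, reply.sender_mac))
        last_seen[reply.sender_ip] = reply.sender_mac
    return alerts

# Constructed trace: 10.0.0.1 is the gateway (MAC ...:01). At t=20 a station
# with MAC ...:99 sends an unsolicited reply claiming the gateway's IP.
TRACE = [
    ArpReply(0.0,  "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(5.0,  "10.0.0.7", "00:11:22:33:44:07"),
    ArpReply(20.0, "10.0.0.1", "00:11:22:33:44:99"),
]

if __name__ == "__main__":
    print(resolve_after_trace(TRACE, "10.0.0.1", 10.0))   # gateway's real MAC
    print(resolve_after_trace(TRACE, "10.0.0.1", 25.0))   # the poisoned mapping
    print(detect_mac_flips(TRACE))                        # one alert, at t=20
```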
  16. IP Address Spoofing. TCP/IP doesn’t have a mechanism to prevent the insertion of a fake source IP address, so an attacker can make packets look like they come from a different host than the real originator. Helpful for attackers who don’t want to have their actions traced back. Often used to “impersonate” another (authenticated) host to get around authentication. A DoS attack usually is waged against the real McCoy so that the other party of the communication (the attack target) won’t be alerted.
  17. IP Address Spoofing. If the attacker’s purpose simply is to obfuscate investigation by faking her identity, such as in the cases of spamming or a DoS attack, spoofing is relatively easy. The goal is to change the “source IP address” field in the header (blind spoofing). This can be done by changing NIC properties (Windows) or with the ifconfig (*nix) command, or with packet crafting tools like Hping2, Nemesis, and NetDude. Works fine when the attacker doesn’t expect a response from the target; won’t work if the attacker desires an interactive session with the target.
  18. Smurf. The attacker sends an echo request packet to the broadcast address of a network, e.g., 132.170.255.255. Directed broadcast can be initiated from within or outside the network: when a packet coming from outside a local network is addressed to the network’s broadcast address, the packet is also sent to every machine on the network. The source address of the packet is spoofed and belongs to the target. All other hosts on the network will reply with an echo reply packet and send it to the target’s address, inundating the target.
  19. Fraggle. Similar to a smurf attack, but uses UDP instead of ICMP. Sends packets to a broadcast address with the destination UDP port set to either (a) a service that will generate a response, e.g., the echo service (port 7): when the hosts on the network receive the packet, they will send back a response containing exactly the same data they received; or (b) a closed port: many systems will respond with an ICMP Port Unreachable message. In both cases, the target will receive packets from all the hosts on the network.
  20. Hacking Process
  21. Reconnaissance. The act of locating targets and developing the methods necessary to attack those targets successfully. May be extremely flexible and creative. Reconnaissance is not by definition illegal; many reconnaissance techniques are completely legal.
  22. Footprinting. The act of uncovering and collecting as much information as possible about a target network: domain name, IP address blocks, organization websites, company directory, background info, news articles, press releases, etc.
  23. Information Gathering. Search for the company’s information in major search engines, e.g., Google, Google Maps, Bing. Use web data extractors, e.g., webextractor.com, or website scraping, e.g., binarypool.com. People search websites, e.g., pipl.com. Social media sites. Reports filed with the SEC.
  24. Website Copier. Tools are available to copy an entire website for later analysis, e.g., httrack.com, surfoffline.com, pagenest.com, keepni.com. Archive.org provides archived versions of websites.
  25. Social Engineering Social engineering works, for the most part, because people have the innate tendency to help and to avoid confrontation. The success or failure of social engineering depends on the ability of hackers to manipulate human psychology, contacts, and physical workstations.
  26. Dumpster Diving. Dumpster diving is often the mother lode of sensitive information as well as actual hardware and software. Hackers look specifically for sales receipts and paperwork that contain personal data or credit card information. Shredded documents can lead to data leaks. Drafts of letters are routinely left whole in the trash. Also found: company directory sheets, catalog lists, unused or misprinted labels, and policy manuals.
  27. WHOIS Lookup. WHOIS databases contain personal information of domain owners. They are maintained by regional Internet registries: AfriNIC (Africa), ARIN (America), APNIC (Asia Pacific), LACNIC (Latin America), RIPE NCC (Europe). Lookup site: tools.whois.net.
  28. DNS Records. The domain name service database of a network contains important information about the network hosts, e.g., A (host), MX (mail server), NS (name server), CNAME (canonical names, i.e., aliases), SOA (authority for the domain).
  29. DNS-Based Reconnaissance. DNS lookup tools help Internet users discover the DNS names of target computers; there are Web sites that provide DNS lookup tools. DNS zone transfer: zone transfer is a DNS feature that lets a DNS server update its database with the list in another DNS server. An incorrectly configured DNS server may allow any Internet user to perform a zone transfer. Tool: nslookup.
  30. Network Reconnaissance. Network scanning is a technique that discovers live hosts in the network. Port scanning allows you to find: IP addresses and open ports of live hosts; operating systems and system architecture; services running on hosts.
  31. Host Discovery. ping: helps to verify whether a host is active. The command is available for all platforms. Part of ICMP; uses echo request and echo reply messages. ping sweep: used to determine the live hosts in a range of IP addresses by sending ICMP echo requests to multiple hosts.
  32. Host Discovery. traceroute (tracert on Windows): a packet from a host makes numerous “hops” before it reaches the destination; the command can track all of the intermediate nodes. Uses the TTL field in the header to work. Nmap (Zenmap): Zenmap is the GUI front end of nmap. Use the nmap host discovery switch to perform scanning for live hosts.
  33. Nmap. www.insecure.org. A versatile tool whose functionalities include host discovery, OS fingerprinting, and service discovery.
  34. Fyodor
  35. Banner Grabbing Banner grabbing uses Telnet to connect to a port on the remote target and observes the response coming back from it. Different protocols (services) have distinctive responses that can be used to verify the existence of those services on the target. Attacker may be fooled by a honeypot or port emulator. Response may contain OS or service information that may be used to determine the OS running on the target.
  36. OS Fingerprinting. OS fingerprinting is the method to determine the operating system running on a remote target system. Passive OS fingerprinting uses sniffers to capture packets and analyze them for OS information. For example, Windows and Linux systems pad ping packets differently: by looking in the data portion for the padding characters, the attacker can guess the type of OS.
  37. OS Fingerprinting. Active OS fingerprinting sends specially crafted packets to the remote target and analyzes the responses. The responses are then compared with a fingerprint database to determine the OS running on the remote machine. Use the OS fingerprinting switch in Nmap to perform OS fingerprinting.
  38. Service Discovery Each network service is allocated a well-known port number. If the service is running on the server, the port must be open. The reverse is true too – if a port is found open on the server, the attacker can deduce that the server is running the service. The same goes for many registered ports that are related to common applications, e.g., Port 3306 for MySQL.
  39. Service Discovery. The attacker then will look up whether there are known vulnerabilities in the service. Chances are, some vulnerabilities have been found and reported, and oftentimes tools have been created to take advantage of those vulnerabilities. If the attacker runs those tools, he/she has a good chance of compromising the target. Service discovery is a critical step in the hacking process.
  40. Nmap Switches. Basic syntax: nmap <target IP address> [port range] [switch(es)]. By default, if no other switches are given, Nmap performs host discovery and then performs a SYN port scan.
  41. Nmap Switches. -sS: SYN scan (default). -sT: Connect scan. -sN: Null scan. -sX: Xmas scan. -p: port range. -O: OS identification.
  42. “Self-Scanner”. netstat allows all the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and IP connections on a computer to be viewed. Also helps to locate: the IP address of the computer; the IP addresses of the hosts connected to the computer; the port of the host to which the computer is connected.