Cyber Security Network Security

ARP Spoofing A computer connected to an IP/Ethernet network has two addresses. The address of the network card (MAC address) is a globally unique and unchangeable address stored on the network card; the Ethernet header contains the MAC addresses of the source and destination computers. The IP address: each computer on a network must have a unique IP address to communicate; it is virtual and assigned by software.

ARP Spoofing IP communicates by constructing packets, which are delivered by Ethernet. Ethernet adds an Ethernet header for delivery, splits the packets into frames and sends them down the cable to the switch. The switch then decides which port to send the frame to by comparing the destination address of the frame with an internal table that maps port numbers to MAC addresses.

ARP Spoofing When an Ethernet frame is constructed from an IP packet, the sender has no idea what the MAC address of the destination machine is; the only information available is the destination IP address. There must be a way for the Ethernet protocol to find the MAC address of the destination machine, given a destination IP. This is where ARP, the Address Resolution Protocol, comes in.

Address Resolution & Reverse Address Resolution

Encapsulation of ARP

How ARP Works Get the IP address of the target. Create an ARP request message: fill in the sender's physical address, the sender's IP address and the target's IP address; the target's physical address is filled with 0. The message is passed to the data link layer, where it is encapsulated in a frame whose source address is the physical address of the sender and whose destination address is the broadcast address.

How ARP Works (cont) Every host or router on the LAN receives the frame, and all stations pass it to ARP. All machines except the one targeted drop the packet. The target machine replies with an ARP message that contains its physical address; this reply is a unicast message. The sender receives the reply and now knows the physical address of the target machine.

How ARP Works (cont)

To avoid having to send an ARP request packet each time, a host can cache the IP addresses and the corresponding physical addresses in its ARP table (ARP cache). Each entry in the ARP table is usually “aged” so that its contents are erased if no activity occurs within a certain period. When a computer receives an ARP reply, it updates its ARP cache. ARP is a stateless protocol: most operating systems will update their cache if a reply is received, regardless of whether they have sent out an actual request.

ARP Spoofing Construct spoofed ARP replies. A target computer can be convinced to send frames destined for computer A to computer B instead, and computer A will have no idea that this redirection took place. This process of updating a target computer’s ARP cache is referred to as “ARP poisoning”.
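An added illustration, not code from the slides: a passive monitor built on what the last two slides say about ARP, namely that a stateless cache accepts replies it never asked for. It parses raw Ethernet/ARP frames, remembers which requests are outstanding, and flags replies with no matching request as well as IP-to-MAC bindings that change; the MAC and IP addresses and the frames themselves are constructed for the demo.

```python
import struct

# Constructed example, not the slides' code: wire formats of the two headers.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype ptype hlen plen oper sha spa tha tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(oper, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    # Ethernet header plus an IPv4-over-Ethernet ARP body; used to make sample traffic.
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sha), ETHERTYPE_ARP)
    return eth + ARP_HDR.pack(1, 0x0800, 6, 4, oper, mac_bytes(sha), ip_bytes(spa),
                              mac_bytes(tha), ip_bytes(tpa))

def parse_arp(frame):
    # Returns (oper, sha, spa, tha, tpa) for an IPv4 ARP frame, or None otherwise.
    if len(frame) < ETH_HDR.size + ARP_HDR.size or ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)

class ArpMonitor:
    # Learns IP->MAC bindings from sender fields and remembers unanswered requests.
    def __init__(self):
        self.bindings, self.pending, self.alerts = {}, set(), []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] not in (ARP_REQUEST, ARP_REPLY):
            return
        oper, sha, spa, tha, tpa = parsed
        if oper == ARP_REQUEST:
            self.pending.add((spa, tpa))        # spa asked who has tpa
        elif (tpa, spa) in self.pending:
            self.pending.discard((tpa, spa))    # reply answers an outstanding request
        else:
            # A stateless cache would accept this reply regardless, which is exactly
            # what a poisoning attempt relies on, so it is flagged on its own.
            self.alerts.append(f"unsolicited reply: {spa} is-at {sha} (to {tpa})")
        old = self.bindings.get(spa)
        if old is not None and old != sha:
            self.alerts.append(f"binding change: {spa} was {old}, now {sha}")
        self.bindings[spa] = sha

def run_demo():
    # Constructed scenario: A asks for B, B answers, then a third MAC answers for B.
    a, b, c = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    a_ip, b_ip = "192.0.2.10", "192.0.2.20"
    mon = ArpMonitor()
    mon.observe(build_arp(ARP_REQUEST, a, a_ip, "00:00:00:00:00:00", b_ip))
    mon.observe(build_arp(ARP_REPLY, b, b_ip, a, a_ip, eth_dst=a))
    mon.observe(build_arp(ARP_REPLY, c, b_ip, a, a_ip, eth_dst=a))
    return mon.alerts
```

On a real segment the frames would come from a raw socket bound to the interface; the third frame in the demo is the spoofed reply of the slides and produces both alerts.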

ARP Spoofing Figure: hosts A (MAC aa:aa:aa:aa) and B (MAC bb:bb:bb:bb) and the hacker (MAC cc:cc:cc:cc) attached to a switch. A's ARP cache holds the entry bb:bb:bb:bb and B's ARP cache holds the entry aa:aa:aa:aa, while the hacker sends spoofed ARP replies advertising MAC cc:cc:cc:cc.

ARP Spoofing Figure: the same topology after the spoofed replies. A's ARP cache entry now reads cc:cc:cc:cc while B's cache still reads aa:aa:aa:aa: A's cache is poisoned.

ARP Spoofing Now all the packets that A intends to send to B will go to the hacker’s machine. The cache entry would expire, so it needs to be refreshed by sending the ARP reply again. How often depends on the particular system; usually every 40s is sufficient. In addition, the hacker may not want his own Ethernet driver to talk too much, which is accomplished with ifconfig -arp.

ARP Spoofing Complication Some systems try to refresh their cache entries by sending a unicast ARP request, like your wife calling you just to make sure you are there. Such a request can screw things up, because the answer to it could change the victim’s ARP entry that the hacker just faked. A computer will also cache the MAC address that appeared in an ARP request.

ARP Spoofing Prevention is better than cure: this is accomplished by feeding the “wife” system with replies so that it never has to ask. A real packet from B to A will be sent by the hacker’s machine. How often? Again, every 40s is usually OK.

ARP Spoofing Figure: the hacker's machine (cc:cc:cc:cc) sends spoofed ARP replies carrying MAC aa:aa:aa:aa into its switch port. The switch will then think that aa:aa:aa:aa is connected at this port.

Port Scanning Attackers wish to discover services they can break into; a security audit asks why certain ports are open. The method is to send a packet to each port, one at a time. Based on the type of response, an attacker knows if the port is used. The used ports can then be probed further for weaknesses.

Port Scanning Ports are an abstraction provided by the OS and the network standards. The port number is part of UDP and TCP packets. UDP and TCP port numbers are disjoint, but it is typical to use the same port number for both the UDP and the TCP version of a service, e.g., 80/TCP and 80/UDP for www. A port number is a 16-bit unsigned integer. The ranges are Well Known Ports ( ), Registered Ports ( ) and Dynamic and/or Private Ports ( ).

Sockets

Socket calls for connection-oriented communication

Sockets Figure: the socket calls on the client side (socket(), bind(), sendto(), recvfrom(), close()) and on the server side (socket(), bind(), recvfrom(), sendto(), close()); the server blocks in recvfrom() until it receives data from the client.

Well Known Ports Only root-privileged programs are allowed to open these ports. Examples: ftp-data 20/udp, ftp 21/tcp, ssh 22/tcp, telnet 23/tcp, time 37/tcp, time 37/udp, whois 43/tcp, imap 143/tcp.

Registered Ports Ordinary programs/users can use these. Examples: shockwave2 1257/tcp (Shockwave 2), shockwave2 1257/udp (Shockwave 2), x /tcp (X Window System), x /udp (X Window System).

Dynamic/Private Ports Ordinary programs can use these.

State of a Port Open: a service process is listening at the port; the OS receives packets arriving at this port and gives the messages to the service process. If the OS receives a SYN at an open port, it is the first packet of the three-way handshake. Closed: no process is listening at the port; if the OS receives a SYN at a closed port, an RST is sent. Filtered: a packet filter is listening at the port.

TCP connect() scanning Try connect()-ing to every port. If the port is listening, connect() will succeed; otherwise, the port isn’t reachable. No special privileges are needed, so any user can use it. Speed: slow. The scanner can be identified.

TCP SYN scanning Often referred to as half-open scanning. Send a SYN packet and wait for a response; a SYN/ACK indicates the port is listening. If a SYN/ACK is received, send an RST to tear down the connection immediately. Most sites do not log these. Root privileges are needed to build SYN packets.

TCP FIN scanning Send a FIN packet (without a preceding SYN, etc.). FIN packets may pass through firewalls. Closed ports reply with RST; open ports ignore the FIN packet. Some hosts violate the RFC and reply with RSTs regardless of the port state, and thus are not vulnerable to this scan.

TCP reverse identd scanning The identd protocol (RFC 1413) discloses the username of the owner of any process connected via TCP, even if that process didn’t initiate the connection. Example: connect to the http port (80), then use identd to find out whether the server is running as root. A full TCP connection to the port is required.

Fragmentation scanning Not a new scanning method in and of itself but a modification of other techniques: split the probe packet into IP fragments. By splitting the TCP header over several packets, it is harder for packet filters to detect a probe.

FTP Bounce Scan A port scanner can exploit the proxy feature of FTP to scan TCP ports from a proxy ftp server: connect to an FTP server behind a firewall, and then scan ports that are more likely to be blocked. If the ftp server allows reading from and writing to a directory (such as /incoming), you can send arbitrary data to the ports that you do find open.

FTP Bounce Scan Takes advantage of a vulnerability in the FTP protocol; it requires support for proxy ftp connections. For example, evil.com can establish a control connection to the FTP server-PI (protocol interpreter) of target.com. It is then able to request the server-PI to initiate an active server-DTP (data transfer process) to send a file anywhere on the Internet.

FTP Bounce Scan Use the PORT command (of FTP) to declare that our passive user-DTP is listening on the target box at a certain port number. LIST the current directory, and the result is sent over the server-DTP channel. If the target host is listening on the port, the transfer will succeed; otherwise, the connection will be refused. Then issue another PORT command to try the next port on the target.

FTP Bounce Scan Advantages: harder to trace, and the potential to bypass firewalls. Disadvantages: slow, and many FTP servers have (finally) disabled the proxy feature.

UDP Scans UDP is simpler, but scanning it is more difficult: open ports do not have to send an ACK, and closed ports are not required to send an error packet. Most hosts do send an ICMP_PORT_UNREACH error when you send a packet to a closed UDP port, so you can find out if a port is NOT open.

UDP Scans Neither the UDP packets nor the ICMP errors are guaranteed to arrive. It is slow, because the ICMP error message rate is limited. You need to be root for access to a raw ICMP socket; non-root users cannot read port unreachable errors directly.

UDP Scans But users can learn it indirectly. For example, a second write() call to a closed port will usually fail. recvfrom() on a non-blocking UDP socket usually returns EAGAIN (try again) if the ICMP error hasn’t been received yet, and ECONNREFUSED (connection refused) if the ICMP error has been received.

Stealth Scan Simple port scanning can easily be logged by the services listening at the ports: e.g., they see an incoming connection with no data, so they log an error. Stealth scan refers to scanning techniques that avoid being logged; these techniques include fragmented packets, SYN scanning, FIN scanning, etc.

Stealth Scan Scan slowly: a port scanner typically scans a host too rapidly, and some detectors recognize these “signatures”, so scanning very slowly (e.g., over several days) is a stealth technique. Fire packets with fake IPs: flood with spoofed scans and embed one scan from the real source (network) address.

Signatures of a port scan Several packets to different destination ports from the same source within a “short period” of time. A SYN to a non-listening port.

Detection of Port Scanning Open a socket in SOCK_RAW mode with protocol type IPPROTO_IP and use recvfrom() to capture the packets. Discovering stealth scans requires kernel-level work. A detector can inform us that we have been port-scanned, but the source address may have been spoofed.

Scanner Leaks If the packets we received have an IP TTL of 255, we can conclude that they were sent from our local network, regardless of what the source address field says. If the TTL is 250, we can only tell that the attacker was no more than 5 hops away.
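An added example covering the three slides above (signatures, detection and scanner leaks); it is not code from the presentation. It runs a sliding-window detector over constructed packet records, raises an alert on either signature the slides name, attaches the TTL-based hop bound, and includes a slow scanner to show the evasion the stealth slide describes. The addresses, ports, window and thresholds are assumptions; a real detector would fill the records from the raw socket the detection slide mentions.

```python
from collections import defaultdict, deque

TCP_SYN = 0x02  # SYN bit of the TCP flags byte

def hops_upper_bound(ttl):
    # The slides' reasoning: a sender that started at TTL 255 loses one per hop,
    # so it is at most 255 - ttl hops away (0 means it is on our own network).
    if not 0 <= ttl <= 255:
        raise ValueError("invalid TTL")
    return 255 - ttl

def detect_scans(packets, listening, window=2.0, port_threshold=5, closed_threshold=4):
    # packets: (time, src_ip, dst_port, tcp_flags, ip_ttl) tuples in time order.
    # One alert per source, raised the first time either signature trips.
    recent, fired, alerts = defaultdict(deque), set(), []
    for t, src, dport, flags, ttl in packets:
        q = recent[src]
        q.append((t, dport, bool(flags & TCP_SYN) and dport not in listening))
        while q and t - q[0][0] > window:      # drop traffic older than the window
            q.popleft()
        ports = {p for _, p, _ in q}
        closed_syns = sum(1 for _, _, c in q if c)
        if src not in fired and (len(ports) >= port_threshold or closed_syns >= closed_threshold):
            fired.add(src)
            alerts.append({"src": src, "distinct_ports": len(ports),
                           "syn_to_closed": closed_syns, "max_hops": hops_upper_bound(ttl)})
    return alerts

LISTENING = {22, 80}   # constructed: the only services on the monitored host

def sample_traffic():
    # Constructed records: a fast scanner, a normal client, and a slow scanner that
    # spreads its probes far beyond the window (the evasion the stealth slide mentions).
    fast = [(0.1 * i, "198.51.100.9", p, TCP_SYN, 250)
            for i, p in enumerate([21, 22, 23, 25, 80, 110, 143])]
    normal = [(0.2, "192.0.2.5", 80, TCP_SYN, 64), (1.5, "192.0.2.5", 80, 0x10, 64)]
    slow = [(3.0 * i, "198.51.100.7", p, TCP_SYN, 255)
            for i, p in enumerate([21, 23, 25, 110, 143, 443])]
    return sorted(fast + normal + slow)

def run_demo():
    return detect_scans(sample_traffic(), LISTENING)
```

Only the fast scanner is reported (five distinct ports within the window, three of them SYNs to closed ports, at most five hops away); the slow scanner never has more than one probe inside the window, which is exactly why the slides list slow scanning as a stealth technique.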

Wireshark - Network Protocol Analyzer Computer software or hardware that intercepts and logs traffic passing over the network; it captures packets and decodes and analyzes their contents. A network analyzer is used for troubleshooting problems on the network, analyzing the performance of a network to discover bottlenecks, network intrusion detection, and analyzing the operations of applications.

About Wireshark It is a packet sniffer, a computer application whose functionality is very similar to tcpdump, but with a GUI front-end and many more information sorting and filtering options. eWeek Labs named Wireshark one of "The Most Important Open-Source Apps of All Time" as of May 2, 2007.

Graphical Interpretation

Stream Analysis Select the problematic stream, click the Find Reverse button, then click Analyze to get a packet-by-packet look at the stream. Lost packets will show up as having the wrong sequence number. It also displays the current bandwidth, latency and jitter.

What Wireshark Can’t Do It cannot be used to map out a network. It does not generate network data; it is a passive tool. It only shows detailed information about protocols it understands. It can only capture data as well as the OS, interface and interface driver support; an example of this is capturing data over wireless networks.

Conclusion Wireshark's wireless analysis features have grown into a very powerful tool for troubleshooting and analyzing wireless networks. With Wireshark's display filters and powerful protocol dissector features, you can sift through large quantities of wireless traffic. Without a doubt, Wireshark is a powerful assessment and analysis tool for wireless networks that should be a part of every auditor's, engineer's and consultant's toolkit.
