1
Lesson 2 Network Security and Attacks
2
Computer Security Operational Model
Protection = Prevention + (Detection + Response)
- Prevention: Access Controls, Encryption, Firewalls
- Detection: Intrusion Detection
- Response: Incident Handling
3
Security Operational Model
Lifecycle stages (as drawn on the slide): Improve, Monitor, Secure, Evaluate
Services and controls: Vulnerability Assessment Services, Vulnerability Scanners, Intrusion Detection, Firewalls, Encryption, Authentication, Security Design Review, Security Integration Services, 24 Hr Monitoring Services, Remote Firewall Monitoring
4
Protocols
A protocol is an agreed-upon format for exchanging information. A protocol will define a number of parameters:
- Type of error checking
- Data compression method
- Mechanisms to signal reception of a transmission
There are a number of protocols that have been established in the networking world.
5
OSI Reference Model
ISO standard describing 7 layers of protocols:
- Application: program-level communication
- Presentation: data conversion functions, data format, data encryption
- Session: coordinates communication between endpoints; session state is maintained for security
- Transport: end-to-end transmission, controls data flow
- Network: routes data from one system to the next
- Data Link: handles passing of data between nodes
- Physical: manages the transmission media/hardware connections
You only have to communicate with the layer directly above and below.
6
The OSI Model
Layers, top to bottom: Application, Presentation, Session, Transport, Network, Data-Link, Physical.
Each layer serves only its adjacent layers. Thus the software which implements the Transport Layer receives input from the Session Layer or the Network Layer.
The lowest layer(s) are implemented by hardware; the remaining layers are implemented by software such as an operating system.
7
TCP/IP Protocol Suite
TCP/IP refers to two network protocols used on the Internet: Transmission Control Protocol (TCP) and Internet Protocol (IP). TCP and IP are only two of a large group of protocols that make up the entire “suite”.
A “real-world” application of the layered concept. There is not a one-to-one relationship between the layers in the TCP/IP suite and the OSI Model.
8
OSI and TCP/IP comparison
OSI Model                TCP/IP Protocol Suite
Application              NFS, FTP, Telnet, SSH, SMTP, SMB, HTTP, NNTP, RPC   (application-level protocols)
Presentation
Session
Transport                TCP, UDP
Network                  IP, ICMP, ARP                                       (network-level protocols)
Data-link                Physical
Physical
9
Communication Between Two Networks Via the Protocol Stack
Diagram: a Windows machine on an Ethernet sends data (an e-mail) to a Linux machine on a FDDI network. The data passes down the sender's Application, Presentation, Session, Transport, Network, Data-Link and Physical layers, the packet is transmitted via the network media, and it passes up the receiver's stack.
1. The Windows machine adds headers as the packet traverses down the TCP/IP stack from the sending application.
2. The Linux machine removes headers as the packet traverses up the TCP/IP stack to the receiving application.
10
TCP/IP Protocol Suite
Diagram, top to bottom: user processes; TCP, UDP; ICMP, IP, IGMP; ARP, RARP, hardware interface; media.
11
TCP/IP Encapsulation
1. Application (e.g. an email application): User Data
2. Application Layer: Application Header | User Data
3. Transport Layer (TCP or UDP): TCP Header | Application Header | User Data
4. Network Layer (IP): IP Header | TCP Header | Application Header | User Data
5. Data Link Layer (Ethernet driver): Ethernet Header | IP Header | TCP Header | Application Header | User Data | Ethernet Trailer
12
IPv4 Header Layout
Rows are 4 bytes (32 bits) wide; the fixed header is 20 bytes (160 bits):
- Version | Length | TOS | Total Length
- Identification | Flags | Offset
- TTL | Protocol | Header Checksum
- Source IP Address
- Destination IP Address
- Options
- Data
13
IP Packet
Bit positions 4, 8, 16, 19 and 32 mark the field boundaries in each 32-bit row:
Version | Length | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time to live | Protocol | Header Checksum
Source Address
Destination Address
Options
Data
Field meanings:
- Version: format of the header (usually 4)
- Length: header-only length
- Type of Service: quality of service desired, e.g. high or low delay, normal or high reliability, normal or high throughput
- Identification: uniquely identifies this packet so that it can be distinguished from other packets
- Flags: whether this packet is fragmented and whether this is the last fragment
- Fragment Offset: offset from the start of the original packet, used to rebuild the full message once all fragments are received
- Time to live: how long the datagram will be kept on the network before it is destroyed
- Protocol: specifies the next-level protocol used in the data portion of the datagram, e.g. 1 = Internet Control Message, Internet Group Management (number omitted on the slide), 6 = Transmission Control
- Header Checksum: provides error checking on the header itself
- Source Address: IP address of the source host on the internet
- Destination Address: IP address of the destination host on the internet
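As an added example (not from the original slides), the following Python parses the IPv4 header described above from constructed bytes, decodes each field, maps the protocol number with the IANA-assigned values, and verifies the header checksum the slide mentions. The sample packet, its addresses and the PROTOCOL_NAMES table are assumptions made for the example.

```python
import struct
from ipaddress import IPv4Address

# IANA-assigned protocol numbers for the values the slide names (plus UDP).
PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the IPv4 header fields and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag, ttl, proto, _checksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4  # IHL counts 32-bit words
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    # A valid header (checksum field included) sums to 0xFFFF.
    checksum_ok = ones_complement_sum(packet[:ihl]) == 0xFFFF
    return {
        "version": version,
        "header_length": ihl,
        "tos": tos,
        "total_length": total_length,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # in bytes
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "checksum_ok": checksum_ok,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }


def build_sample_packet() -> bytes:
    """Constructed sample: a 20-byte header, DF set, TTL 64, protocol TCP."""
    header = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0x1C46, 0x4000, 64, 6, 0,
        IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.20").packed))
    # Checksum = one's complement of the sum computed with the field zeroed.
    struct.pack_into("!H", header, 10, 0xFFFF - ones_complement_sum(bytes(header)))
    return bytes(header)
```

Flipping any header byte (for instance the TTL, as every router does) makes checksum_ok false until the checksum is recomputed, which is exactly why each hop rewrites it.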
14
TCP Header Layout
Rows are 4 bytes (32 bits) wide:
- Source Port | Destination Port
- Sequence Number
- Acknowledgement
- Header Info | Window Size
- TCP Checksum | Urgent Pointer
- Options
- Data
15
TCP packet
Bit positions 4, 8, 16 and 32 mark the field boundaries in each 32-bit row:
Source Port | Destination Port
Sequence Number
Acknowledgement Number
Data offset | Unused | URG ACK PSH RST SYN FIN | Window
Checksum | Urgent Pointer
Options | Padding
Data
16
Establishment of a TCP connection (“3-way Handshake”)
1. SYN: the client sends a connection request, specifying a port to connect to on the server.
2. SYN/ACK: the server responds with both an acknowledgement and a queue for the connection.
3. ACK: the client returns an acknowledgement and the circuit is opened.
17
Ports
Packet One: Source Port 1033, Destination Port 80, Data
Packet Two: Source Port 80, Destination Port 1033, Data
18
UDP Header Layout
Rows are 4 bytes (32 bits) wide:
- Source Port | Destination Port
- Length | Checksum
- Data
19
IP Centric Network
- Layer 6/7: Applications: Banking, B2B, Retail, Medical, Wholesale, ...
- Layer 5: Session: Telnet, FTP, X, SMTP, SNMP, NFS, DNS, TFTP, NTP, Windows, BGP, RIP
- Layer 4: Transport: IGP, EGP, TCP, UDP, IGMP, ICMP
- Layer 3: Network: IP
- Layer 2 & 1: Data Link & Physical: Ethernet 802.3, 802.4, 802.5, 802.6, X.25, Frame Relay, SLIP, SMDS
Also shown on the diagram: IPX, ATM, Arcnet, Appletalk, PPP
20
“Twenty-six years after the Defense Department created the INTERNET as a means of maintaining vital communications needs in the event of nuclear war, that system has instead become the weak link in the nation's defense.” USA Today, 5 Jun 1996
“True hackers don't give up. They explore every possible way into a network, not just the well known ones.” The hacker Jericho
“By failing to prepare, you are preparing to fail.” Benjamin Franklin
21
Typical Net-based Attacks -- Web
“Popular” and receive a great deal of media attention. Attempt to exploit vulnerabilities in order to:
- Access sensitive data (e.g. credit card numbers)
- Deface the web page
- Disrupt, delay, or crash the server
- Redirect users to a different site
22
Typical Net-based attacks -- Sniffing
- Essentially eavesdropping on the network
- Takes advantage of the shared nature of the transmission media
- Passive in nature (i.e. just listening, not broadcasting)
- The increased use of switching has made sniffing more difficult (less productive) but has not eliminated it (e.g. DNS poisoning can convince target hosts to send traffic intended for other systems to the sniffing host)
23
Defeating Sniffer Attacks
- Detecting and eliminating sniffers: possible on a single box if you have control of the system; difficult (depending on OS) to impossible (if somebody splices the network and adds hardware) from the network perspective
- Safer topologies: sniffers capture data from the network segment they are attached to, so create segments
- Encryption: if you sniff encrypted packets, who cares? (outside of traffic analysis, of course)
24
Typical Net-Based Attacks – Spoofing, Hijacking, Replay
- Spoofing attacks involve the attacker pretending to be someone else.
- Hijacking involves the assumption of another system's role in a “conversation” already taking place.
- Replay occurs when the attacker retransmits a series of packets previously sent to a target host.
25
Typical Net-Based Attacks – Denial of Service
DoS and Distributed DoS (DDoS) attacks have received much attention in the media in the last year due to some high-profile attacks. Types:
- Flooding: sending more data than the target can process
- Crashing: sending data, often malformed, designed to disable the system or service
- Distributed: using multiple hosts in a coordinated attack effort against a target system
26
A Distributed DoS in Action
Diagram: Client Hacker, Master Control Programs, Broadcast Agents on Broadcast Hosts, the Internet; a registration phase (*HELLO*) and a verify-registration phase (png / PONG).
When the Master Control Programs are loaded and run, they just listen on a TCP port for any messages coming from the Client Hacker, and on a UDP port for any messages coming from the hundreds of Broadcast Agents. Any message coming from the Client Hacker also requires a password to be accepted by the Master Control Program.
When the Broadcast Agents are loaded, they contain a small encrypted list of IP addresses for the locations of all the Master Control Programs. When a Broadcast Agent is first run, it sends a short UDP packet containing the word “*HELLO*” to these IP addresses (port 31335, of course) so that it, in effect, registers with the Master Control Program as ready. The Master Control Programs record the IP address of the sender (the location of the Broadcast Agent). The Broadcast Agents then just listen on a UDP port for any future commands coming from the Master.
Prior to initiating the attack, the Client Hacker can optionally send a command to the Master Control Programs to verify that the Broadcast Agents are still ready (and that they have not been discovered or their host taken offline). The Master Control Programs send a UDP packet containing the word “png” to all the hundreds of Broadcast Agent IP addresses (at port 27444). Agents that are still active respond with the word “PONG” (to a port on the Master).
27
The Attack Phase
Diagram: Client Hacker, Master, Broadcast Hosts/Agents, the Internet, Target; UDP flood.
When the Hacker is ready to begin the attack, he sends the command, along with the password and the list of IP addresses to target, to the Master Control Programs (to TCP port 27665). The Master Control Programs then send the command and IP address list to the hundreds of Broadcast Agents they have registered all over the Internet (to a UDP port). The hundreds of Broadcast Agents then begin their attack and flood random ports of the target host(s) with simple UDP packets. Additionally, in the case of stacheldraht, the packets sent have a spoofed source IP address, so the attack looks like it is coming from a completely different source, which draws yet another party into the attack.
Trinoo comes with 6 different commands that the Master will accept from the Client Hacker:
- Set a timer to begin the attack at a future time
- Begin a DoS attack on one IP target
- Begin a DoS attack on multiple IP targets
- Kill all registered Broadcast Agents
- Verify that registered Agents are still ready (the “png”/“PONG” exchange)
- Set the size of the UDP packet to use in the flood attack
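As an added example (not from the slides and not code from trinoo or stacheldraht), a detector over constructed flow records that flags the traffic pattern described above: many source addresses hitting many random UDP ports on one victim within a short window. The record layout, thresholds and addresses are assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, proto).
# The first 12 mimic a trinoo-style flood: many sources hitting random
# high ports on one victim inside one second; the last 3 are ordinary DNS.
SAMPLE_FLOWS = [
    (100.0 + i * 0.05, f"198.51.100.{i + 1}", "192.0.2.80",
     1024 + (i * 997) % 60000, "udp")
    for i in range(12)
] + [
    (100.0 + i * 0.3, "192.0.2.5", "192.0.2.53", 53, "udp") for i in range(3)
]


def detect_udp_flood(flows, window_s=1.0, min_packets=10, min_ports=8,
                     min_sources=8):
    """Flag destination IPs that receive, within any window_s-second window,
    a burst of UDP packets spread across many destination ports and coming
    from many source addresses (the spoofed-source flood described above).

    Returns {dst_ip: {"packets": n, "ports": n, "sources": n}} for the
    busiest qualifying window per victim; an empty dict means no flood.
    """
    per_dst = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "udp":
            per_dst[dst].append((ts, src, dport))
    alerts = {}
    for dst, pkts in per_dst.items():
        pkts.sort()
        start = 0
        for end in range(len(pkts)):
            # Advance start so pkts[start:end + 1] spans at most window_s.
            while pkts[end][0] - pkts[start][0] > window_s:
                start += 1
            window = pkts[start:end + 1]
            ports = {p for _, _, p in window}
            sources = {s for _, s, _ in window}
            if (len(window) >= min_packets and len(ports) >= min_ports
                    and len(sources) >= min_sources
                    and len(window) > alerts.get(dst, {}).get("packets", 0)):
                alerts[dst] = {"packets": len(window), "ports": len(ports),
                               "sources": len(sources)}
    return alerts
```

The three thresholds are what separates a flood from a busy but legitimate UDP service (DNS, for example, concentrates on one port and a stable set of clients).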
28
How CODE RED Works
Code Red exploits the vulnerable Index Service ISAPI (Internet Service API), a remote buffer overflow vulnerability that affects all versions of Microsoft IIS. The first infected system attempts to connect to other systems via port 80 (web).
29
How CODE RED Works
The first infected system probes 100 systems, scanning to find new victims.
30
How CODE RED Works
The first infected system probes 100 systems, scanning to find new victims. Each new victim scans the same “random” address space.
31
How CODE RED Works
- Each new victim starts the scanning process over again
- From the 20th to the end of the month (EOM), attempts to launch a DoS against a fixed target (name missing from the slide) by sending large junk packets
- From the 20th to EOM, the primary target is (name missing from the slide)
32
How NIMDA Works
NIMDA attempts to infect using the following methods:
- IIS Extended Unicode Directory Traversal Vulnerability
- IIS Escaped Character Decoding Command Execution Vulnerability
- Previous backdoors left by Code Red II and Sadmind infections
The first infected system attempts to connect to other systems via port 80 (web).
33
How NIMDA Works
Once the victim has been infected, it uses the Trivial File Transfer Protocol (tftp, similar to ftp) to retrieve “Admin.dll” from the attacking system. Admin.dll contains the NIMDA code (the payload).
34
How NIMDA Works
Once infected with NIMDA, the victim system will:
- Scan the network for vulnerable IIS web servers
- Harvest addresses from the Windows address book and send an infected “readme.exe” attachment
- Attach a copy of NIMDA, named “README.EML”, to all web-related files (.html, .htm, etc.), so NIMDA attaches to web pages on the infected server
- Attempt to copy NIMDA to all open file shares (NIMDA propagates via open file shares)
35
How NIMDA Works - NIMDA prefers to target its neighbors
NIMDA targets systems in its own IP space:
- It attacks a completely random target IP with only 25% probability
- It chooses targets having the same first octet (only) with 25% probability
- It chooses targets having the same first two octets with 50% probability
Result: NIMDA prefers to target its neighbors, giving very rapid propagation.
36
Common Attacks
- IP Spoofing
- Session Hijacking
- WWW Cracking
- DNS Cache Poisoning
37
The TCP connection (“3-way Handshake”)
1. SYN (client -> server): the client sends a connection request, specifying a port to connect to on the server.
2. SYN/ACK (server -> client): the server responds with both an acknowledgement and a queue for the connection.
3. ACK (client -> server): the client returns an acknowledgement and the circuit is opened.
38
The TCP Connection in Depth
ISN: Initial Sequence Number
1. Client -> Server: SYN (Client, ISNclient)
2. Server -> Client: SYN (Server, ISNserver), ACK (Client, ISNclient+1)
3. Client -> Server: ACK (Server, ISNserver+1)
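An added example (not part of the slides) serving the handshake slides 16, 37 and 38: it decodes the TCP flag bits named on slide 15 and checks that three captured segments form a consistent three-way handshake, each side acknowledging the other's ISN+1 modulo 2^32. The Segment type, the endpoint labels and the captures are constructed for the example.

```python
from dataclasses import dataclass

# Flag bits as laid out in the TCP header: URG ACK PSH RST SYN FIN.
FLAG_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))
SEQ_MOD = 1 << 32  # sequence numbers wrap at 32 bits


@dataclass
class Segment:
    src: str    # constructed endpoint labels, e.g. "client" / "server"
    dst: str
    flags: int  # raw 6-bit flag field
    seq: int
    ack: int


def flag_names(flags: int) -> list:
    """Expand the flag field into the names printed on the slide."""
    return [name for name, bit in FLAG_BITS if flags & bit]


def _is(seg: Segment, src: str, dst: str, names: list) -> bool:
    return (seg.src, seg.dst, flag_names(seg.flags)) == (src, dst, names)


def _fail(res: dict, reason: str) -> dict:
    res["reason"] = reason
    return res


def validate_handshake(segments: list, client: str, server: str) -> dict:
    """Check that the first three segments form a correct 3-way handshake:
    right direction, exactly the expected flags, and ack == peer ISN + 1."""
    res = {"ok": False, "isn_client": None, "isn_server": None, "reason": ""}
    if len(segments) < 3:
        return _fail(res, "fewer than three segments")
    s1, s2, s3 = segments[:3]
    if not _is(s1, client, server, ["SYN"]):
        return _fail(res, "first segment is not a client SYN")
    res["isn_client"] = s1.seq
    if not _is(s2, server, client, ["ACK", "SYN"]):
        return _fail(res, "second segment is not a server SYN/ACK")
    if s2.ack != (s1.seq + 1) % SEQ_MOD:
        return _fail(res, "SYN/ACK does not acknowledge ISNclient+1")
    res["isn_server"] = s2.seq
    if not _is(s3, client, server, ["ACK"]):
        return _fail(res, "third segment is not a client ACK")
    if s3.ack != (s2.seq + 1) % SEQ_MOD or s3.seq != (s1.seq + 1) % SEQ_MOD:
        return _fail(res, "final ACK does not acknowledge ISNserver+1")
    res["ok"] = True
    return res


# Constructed capture: ISNclient is the top of the sequence space, so the
# server's acknowledgement number must wrap around to 0.
GOOD_CAPTURE = [
    Segment("client", "server", 0x02, 0xFFFFFFFF, 0),
    Segment("server", "client", 0x12, 0x1000, 0),
    Segment("client", "server", 0x10, 0, 0x1001),
]
# Same exchange, but the final ACK carries a guessed (wrong) ISNserver+1.
BAD_CAPTURE = GOOD_CAPTURE[:2] + [Segment("client", "server", 0x10, 0, 0x2001)]
```

The BAD_CAPTURE case is the check that makes the ISN matter: a third segment that does not carry ISNserver+1 never completes the connection.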
39
The TCP Reset
Diagram: Student -> Server: SYN (Student, ISNstudent); Server -> Student: SYN (Server, ISNserver), ACK (Student, ISN+1); an Evil hacker is positioned to reset the connection.
40
IP Address Spoofing
Diagram: the Evil hacker, impersonating the Student, sends SYN (Student, ISNstudent) to the Server; the Server replies to the Student with SYN (Server, ISNserver), ACK (Student, ISN+1); the real Student is silenced with a DoS (Ping of Death); the Evil hacker must guess the Server ISN to send ACK (Server, ISNserver+1).
41
IP Address Spoofing
Diagram: the Evil hacker sends SYN (Student, ISNstudent) to the Server; the Server replies to the Student with SYN (Server, ISNserver), ACK (Student, ISN+1); the Student is kept silent by a DoS.
42
Session Hijacking
Diagram: a TCP connection is established between the Student and the Server; the Evil hacker uses a TCP RESET and announces to the Server “Hey, I am The Student”.
43
SMB
Server Message Block (SMB): an application layer protocol that allows system resources to be shared across networks. An old technology developed by MS and Intel. Several versions of authentication over the network:
- Plaintext: easy to sniff
- LanMan: stronger than Plaintext, uses a password hash
- NTLM: password hash plus ciphertext
44
SMB Relay Man-in-the-Middle Attack
Message flow, with the EVIL HACKER relaying between CLIENT and SERVER:
1. Client -> Hacker -> Server: Session Request
2. Server -> Hacker -> Client: Name OK
3. Client -> Hacker: Dialect; Hacker -> Server: Dialect w/o NT4 security
4. Server -> Hacker -> Client: Dialect Selection, Challenge
5. Client -> Hacker -> Server: Reply
6. Server -> Hacker -> Client: Session OK
The attacker forces weaker LANMAN authentication!
45
Windows Authentication: LANMAN vs NTLMv2
Message flow between CLIENT and SERVER:
1. Session Request
2. Session Response: NETBIOS name OK
3. Negotiate Dialect
4. Challenge, Dialect Selection
5. Username and Response
6. All OK: Connected
46
WEB CRACKING Student Server Evil hacker
48
SSL in Action
Message flow between CLIENT and SERVER:
1. Client sends a ClientHello message proposing SSL options.
2. Server responds with a ServerHello message selecting the SSL options (2.0/3.0).
3. Server sends its public key information in a ServerKeyExchange message.
4. Server concludes its part of the negotiation with a ServerHelloDone message.
5. Client sends key information (encrypted with the server's public key) in a ClientKeyExchange message.
6. Client sends a ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
7. Client sends a Finished message to let the server check the newly activated options.
8. Server sends a ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
9. Server sends a Finished message to let the client check the newly activated options.
49
SSL in Action (continued)
Steps 4 through 9 of the same exchange: ServerHelloDone (4), ClientKeyExchange (5), ChangeCipherSpec (6), Finished (7), ChangeCipherSpec (8), Finished (9).
50
SSL WEB CRACKING Student Server Evil hacker
51
DNS Cache Poisoning - Step 1
Diagram: the Rich Student asks GOOD DNS “Where is Evil?”; GOOD DNS forwards “Where is Evil?” to Evil DNS; Dr. Evil stores the query ID. (Bank and Bank DNS are not yet involved.)
52
DNS Cache Poisoning - Step 2
Diagram: the Rich Student asks GOOD DNS “Where is Bank?”; GOOD DNS asks Bank DNS “Are You Bank?”; Dr. Evil uses the stored query ID to predict the next query ID and answers GOOD DNS with “I am Bank”.
53
DNS Cache Poisoning - Step 3
Diagram: GOOD DNS answers the Rich Student's “Where is Bank?” with “Dr. Evil is Bank”.
54
DNS Cache Poisoning - Step 4
Diagram: the Rich Student asks Dr. Evil “Can I Bank With You?”, believing Dr. Evil to be Bank.
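As an added example (not part of the slides), a resolver-side check that blocks the sequence in steps 1 to 4: a reply is accepted into the cache only if it comes from the server that was queried, arrives on the port the query left from, and carries the transaction ID and question that were sent; a helper flags sequential query IDs as predictable. DNS encoding is simplified (no name compression), and the PendingQuery record, names and addresses are constructed.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    """What the resolver remembers about a query it sent out (constructed)."""
    txid: int        # 16-bit transaction (query) ID
    qname: str       # name asked for
    server: str      # "address:port" of the server the query went to
    src_port: int    # ephemeral UDP source port the query left from


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"


def decode_name(data: bytes, offset: int = 12) -> str:
    """Read an uncompressed name starting right after the 12-byte header."""
    labels = []
    while data[offset]:
        n = data[offset]
        labels.append(data[offset + 1:offset + 1 + n].decode())
        offset += n + 1
    return ".".join(labels)


def build_response(txid: int, qname: str) -> bytes:
    """Header (QR=1, RD, RA, no error) plus the question: qname, type A, IN."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def accept_response(pending: PendingQuery, raw: bytes, from_addr: str, to_port: int):
    """Checks a reply must pass before it may populate the cache.
    Returns (accepted, reason)."""
    txid, flags = struct.unpack("!HH", raw[:4])
    if not flags & 0x8000:
        return False, "not a response"
    if from_addr != pending.server:
        return False, "reply from a server we did not query"
    if to_port != pending.src_port:
        return False, "reply to a port we did not query from"
    if txid != pending.txid:
        return False, "transaction ID mismatch"
    if decode_name(raw).lower() != pending.qname.lower():
        return False, "question section does not match"
    return True, "accepted"


def ids_look_predictable(txids) -> bool:
    """True when consecutive IDs advance by a constant step (e.g. +1), which
    lets anyone who has seen one ID guess the next, as Dr. Evil does above."""
    steps = {(b - a) % 65536 for a, b in zip(txids, txids[1:])}
    return len(txids) >= 3 and len(steps) == 1
```

The ID check alone is only 16 bits of protection, which is why the source-port check and random IDs (ids_look_predictable returning False) both matter.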
55
Summary
- The threat is real
- Hard to detect
- A little understanding and situational awareness can go a long way to preventing... and detecting