
Network Attacks
CS432 - Security in Computing
Copyright © 2005, 2010 by Scott Orr
and the Trustees of Indiana University
References

Security in Computing, 4th Ed.

Chapter 7 (pgs. 408-440)
Section Overview
Anatomy of an Attack
Denial of Service Attacks
Packet Sniffing
Service Attacks
Spoofing Attacks
Why are Networks Vulnerable?
Reliance on shared resources
System complexity
Unknown perimeter
Many points of attack
Attacker anonymity
Multiple paths to hosts
Anatomy of an Attack
Footprinting
Scanning
Enumeration
Gaining Access
Denial of Service
Escalating Privilege
Pilfering
Covering Tracks
Creating Back Doors
Source: Hacking Exposed: Network Security: Secrets and Solutions,
by S. McClure, J. Scambray, and G. Kurtz
Denial of Service Attacks
ICMP Redirects
SYN Flooding
Smurf Attacks
Service Bombing
  FTP
  Finger
  Mail Bombing
Service Bugs
  Ping o' Death
  WinNuke
  Teardrop
Distributed DoS
Targets may be upstream (the link or router in front of the victim saturates before the victim itself does)
SYN Flood Attack
Client -> Server: SYN(C, ISNc), repeated many times, normally from spoofed source addresses
Server -> Client: SYN(S, ISNs) ACK(C, ISNc), one reply per SYN received
Server never gets the ACKs to its SYN-ACKs, so every entry stays half open until it times out
Half-open connections fill the listen backlog and legitimate SYNs are dropped
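The exchange above, worked through as an added example (not part of the lecture): a toy listener with a small backlog next to a listener that uses SYN cookies, the standard defence that removes the half-open state the flood exhausts. The cookie layout (an 8-bit time slot plus a 24-bit HMAC), the backlog size and all addresses are assumptions for illustration, not the exact layout of any particular kernel.

```python
import hashlib
import hmac
import os
import time

# Added example, not part of the lecture. The cookie layout (8-bit time slot
# plus a 24-bit HMAC over the connection 4-tuple and ISNc) is a simplified
# assumption, not the exact layout any real kernel uses.

BACKLOG = 4   # assumed tiny backlog so the exhaustion is visible


class StatefulListener:
    """Classic listener: every SYN reserves a backlog slot until the ACK arrives."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}      # client -> ISNs we sent in the SYN-ACK
        self.established = set()

    def on_syn(self, client, isn_c, now=0.0):
        if len(self.half_open) >= self.backlog:
            return None          # backlog full: the SYN is dropped
        isn_s = int.from_bytes(os.urandom(4), "big")
        self.half_open[client] = isn_s
        return isn_s             # goes out in SYN(S, ISNs) ACK(C, ISNc)

    def on_ack(self, client, isn_c, ack_num, now=0.0):
        isn_s = self.half_open.pop(client, None)
        if isn_s is None or ack_num != (isn_s + 1) & 0xFFFFFFFF:
            return False
        self.established.add(client)
        return True


class SynCookieListener:
    """Stores nothing per SYN: the needed state is encoded in the server's ISN."""

    def __init__(self, secret=None, slot_seconds=64):
        self.secret = secret or os.urandom(16)
        self.slot_seconds = slot_seconds   # how long a cookie stays valid
        self.established = set()

    def _mac(self, client, isn_c, slot):
        msg = f"{client[0]}:{client[1]}:{isn_c}:{slot}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:3], "big")     # 24 bits

    def on_syn(self, client, isn_c, now=None):
        now = time.time() if now is None else now
        slot = int(now) // self.slot_seconds
        # ISNs = time slot (8 bits) || HMAC(secret, client, ISNc, slot) (24 bits)
        return ((slot & 0xFF) << 24) | self._mac(client, isn_c, slot)

    def on_ack(self, client, isn_c, ack_num, now=None):
        # ISNc is the ACK segment's own sequence number minus one, so the
        # server can recompute the cookie with no memory of the SYN.
        now = time.time() if now is None else now
        isn_s = (ack_num - 1) & 0xFFFFFFFF
        cur = int(now) // self.slot_seconds
        for slot in (cur, cur - 1):          # accept current and previous slot
            if (slot & 0xFF) == (isn_s >> 24) and self._mac(client, isn_c, slot) == (isn_s & 0xFFFFFF):
                self.established.add(client)
                return True
        return False


def flood_then_legit(listener_cls, spoofed=100):
    """Spoofed SYNs that are never ACKed, followed by one honest client."""
    srv = listener_cls()
    for i in range(spoofed):
        srv.on_syn((f"10.9.{i // 256}.{i % 256}", 40000 + i), 1000 + i, now=100.0)
    legit = ("192.0.2.10", 51515)
    isn_s = srv.on_syn(legit, 777, now=100.0)
    if isn_s is None:
        return False                          # honest SYN was dropped
    return srv.on_ack(legit, 777, isn_s + 1, now=101.0)


def forged_ack_rejected():
    """An ACK that did not result from a real SYN-ACK fails the cookie check."""
    srv = SynCookieListener()
    return not srv.on_ack(("192.0.2.20", 4444), 1, 0x12345678, now=100.0)
```

With the stateful listener the honest client's SYN is dropped once the flood has filled the backlog; the cookie listener accepts it because it never held the flood's state. The price of real SYN cookies is that TCP options carried in the SYN cannot be remembered unless they are squeezed into the cookie too, which is why stacks usually enable them only once the backlog is under pressure.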
IP Address Spoofing
Replace actual source address in IP packets
Prevent packets from being traced back
Exploit IP address-based trust relationships
Smurf Attacks
Attacker (172.21.0.35) sends an ICMP echo request to the broadcast address 10.1.1.255 with the source spoofed as 192.168.1.7
Every host on the 10.1.1.0/24 network answers with an echo reply to 192.168.1.7, so one spoofed packet becomes a whole subnet's worth of replies aimed at the victim
Distributed DoS Attacks
Intruder -> Masters (handlers) -> Zombies (Z, agents) -> Victim
The intruder controls a few master hosts, each master controls many compromised zombies, and the zombies generate the actual flood against the victim
Source: Results of the Distributed Intruder Tools Workshop
Impersonation Attacks
Social Engineering
Cracked Passwords
Stolen Passwords
  Sniffed
  Phishing
Berkeley R-Commands
Packet Sniffing
Promiscuous mode
  See every packet as it crosses the network
  Transparent (nothing on the wire reveals the sniffer)
Capture account passwords
Read email
Analyze network traffic
Network Hubs vs. Switches
Hub: everyone on the segment can see all traffic
Switch: forwards frames only between the communicating pair (a virtual circuit)
Switch Attacks
MAC Flooding – overflow the switch's address table so it falls back to acting like a hub
ARP Spoofing – answer someone else's ARP request with your own MAC:
  10.0.0.2: Who is 10.0.0.1?
  Spoofing host: I am (1:2:3:7:8:9)
  Hosts 10.0.0.2, 10.0.0.3 and 10.0.0.4 that accept the answer now send traffic for 10.0.0.1 to the spoofing host
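The ARP exchange on the slide, as an added detection example (not part of the lecture): a small detector run over a constructed capture in which the real owner of 10.0.0.1 answers a request, and then a host with the slide's MAC (written here zero-padded as 01:02:03:07:08:09) claims 10.0.0.1 without anyone asking. All other MAC addresses and the timings are made up.

```python
from dataclasses import dataclass

# Added example, not from the lecture. The capture below is constructed;
# MAC addresses other than the slide's 1:2:3:7:8:9 are invented.


@dataclass
class ArpFrame:
    t: float          # seconds since capture start
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


CAPTURE = [
    # 10.0.0.2 asks for 10.0.0.1 and the real owner answers.
    ArpFrame(0.0, "request", "10.0.0.2", "aa:aa:aa:00:00:02", "10.0.0.1"),
    ArpFrame(0.1, "reply",   "10.0.0.1", "aa:aa:aa:00:00:01", "10.0.0.2"),
    # Nobody asked, but a host with MAC 01:02:03:07:08:09 starts claiming
    # 10.0.0.1 towards 10.0.0.2 and 10.0.0.3 so their caches point at it.
    ArpFrame(5.0, "reply",   "10.0.0.1", "01:02:03:07:08:09", "10.0.0.2"),
    ArpFrame(5.0, "reply",   "10.0.0.1", "01:02:03:07:08:09", "10.0.0.3"),
    # A normal request/reply pair for another host, which must not alert.
    ArpFrame(6.0, "request", "10.0.0.3", "aa:aa:aa:00:00:03", "10.0.0.4"),
    ArpFrame(6.1, "reply",   "10.0.0.4", "aa:aa:aa:00:00:04", "10.0.0.3"),
]


def detect_arp_spoofing(frames, reply_window=2.0):
    """Return alerts for unsolicited replies and for IPs whose MAC changes.

    Both signals have benign causes (gratuitous ARP after a reboot, a NIC
    replacement), so in practice they feed an alert, not an automatic block.
    """
    pending = {}   # (asker_ip, asked_ip) -> time of the request
    owner = {}     # ip -> MAC it was last seen claiming
    alerts = []
    for f in frames:
        if f.op == "request":
            pending[(f.sender_ip, f.target_ip)] = f.t
            continue
        # A reply from sender_ip to target_ip should answer a recent request
        # in which target_ip asked for sender_ip.
        asked_at = pending.pop((f.target_ip, f.sender_ip), None)
        if asked_at is None or f.t - asked_at > reply_window:
            alerts.append(("unsolicited_reply", f.sender_ip, f.sender_mac))
        previous = owner.get(f.sender_ip)
        if previous is not None and previous != f.sender_mac:
            alerts.append(("ip_mac_changed", f.sender_ip, previous, f.sender_mac))
        owner[f.sender_ip] = f.sender_mac
    return alerts
```

Run over the constructed capture this yields three alerts, all about 10.0.0.1: the first unsolicited reply, the change of its MAC from the real owner to 01:02:03:07:08:09, and the second unsolicited reply. The same logic is what switch-side Dynamic ARP Inspection applies, with the DHCP snooping table standing in for the `owner` map.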
Wireless Networking
Bandwidth (shared)
  802.11b – 11Mbps
  802.11g – 54Mbps
  802.11n – up to 600Mbps (ratified 2009)
Modes
  Ad Hoc (hosts talk directly to each other)
  Infrastructure (uses Access Points)
Identified by Service Set Identifier (SSID) names
Infrastructure Model
Access Points bridge the wireless clients onto the wired network and the Internet
SSID Broadcasts
Default SSIDs seen in the air, e.g. Cisco, belkin54g, linksys: they name the vendor and usually mean the rest of the default configuration is still in place
Wireless Network Access Control
Only allow known systems to connect
Every wireless NIC has a unique address
  Known as the MAC address
  Assigned by vendor
BSSID: MAC address of Access Point
Access Control List of permitted client MACs
MAC Spoofing? Client MACs travel in the clear and can be changed in software, so a MAC ACL only stops casual connections
Wardriving
High power mode: 450ft range = 40 houses, 4 streets
Low power mode: 150ft range = 6 houses, 1 street
WEP Authentication (shared key)
Client -> AP: Request to Connect
AP -> Client: Challenge plaintext
Client -> AP: Challenge encrypted with the WEP key
AP decrypts with the same WEP key; if it matches the challenge: Access Granted
WEP Frame
Keystream = RC4(IV, Key)
Ciphertext = (Message || CRC) XOR Keystream
Frame on the air: IV | Key ID | Ciphertext
WEP Attacks
Initial connection sniffing (challenge plaintext and its encrypted response give the attacker a keystream)
IV Reuse
  Look for IV collisions
  Some APs reset IV to 0 each time the system is (re)initialized
  IV Dictionary Attacks (collect one keystream per IV)
Injection attacks with known plaintext
Fix: Wi-Fi Protected Access / 802.11i
Wi-fi Protected Access / 802.11i
IV Reuse Occurrences (24-bit IV chosen at random)
1% after 582 encrypted frames
10% after 1,881 encrypted frames
50% after 4,823 encrypted frames
99% after 12,430 encrypted frames
Source: Jesse R. Walker, "Unsafe at any key size; an analysis of the WEP encapsulation", IEEE 802.11-00/362 (2000)
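The two preceding slides (IV reuse and the collision percentages), worked through as an added example that is not part of the lecture: a model of WEP's RC4 encapsulation showing what a single IV collision hands the attacker, and the birthday-paradox computation behind Walker's percentages. The 40-bit key, the frame contents and the "AP restarts at IV 0" scenario are constructed; the CRC placement is only a model of the WEP ICV.

```python
import zlib

# Added example, not from the lecture: WEP encapsulation modelled with real
# RC4, a constructed 40-bit key and constructed frames.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP uses it with key = IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, message: bytes) -> bytes:
    """Ciphertext = (Message || CRC-32) XOR RC4(IV || Key). The IV goes out in clear."""
    icv = zlib.crc32(message).to_bytes(4, "little")
    return xor(message + icv, rc4_keystream(iv + key, len(message) + 4))


def recover_from_iv_reuse(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Two frames under one IV share a keystream: C1 xor C2 = P1 xor P2.

    Knowing P1 (a predictable header, say) yields keystream bytes, which
    decrypt the other frame's prefix with no knowledge of the key.
    """
    keystream = xor(c_known, p_known)
    return xor(c_target, keystream)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Exact probability that at least two of `frames` random IVs coincide."""
    space = 2 ** iv_bits
    p_distinct = 1.0
    for i in range(frames):
        p_distinct *= 1 - i / space
    return 1 - p_distinct


KEY = bytes.fromhex("0badc0ffee")               # constructed 40-bit WEP key
IV = bytes.fromhex("000000")                     # an AP that restarts at IV 0
# Constructed frames; the 802.2 SNAP header is the predictable part.
KNOWN_FRAME = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"\x00" * 8
SECRET_FRAME = b"\xaa\xaa\x03\x00\x00\x00\x08\x00PASS=hunter2"


def demo_iv_reuse() -> bytes:
    """Attacker sees both ciphertexts under the same IV, guesses KNOWN_FRAME,
    and recovers as many bytes of SECRET_FRAME as the known plaintext is long."""
    c1 = wep_encrypt(IV, KEY, KNOWN_FRAME)
    c2 = wep_encrypt(IV, KEY, SECRET_FRAME)
    return recover_from_iv_reuse(c1, KNOWN_FRAME, c2)
```

The recovered prefix is the first 16 bytes of the secret frame, key never needed; with more frames per IV the attacker builds the dictionary of keystreams the slide mentions. The probability function reproduces the 1%, 10%, 50% and 99% figures above for 582, 1,881, 4,823 and 12,430 frames, which is the birthday bound for a 24-bit space.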
Replay Attacks
WEP has no replay protection: a captured encrypted ARP request can be re-sent to the AP unchanged, the AP forwards it, and every replay produces fresh encrypted replies (and fresh IVs) for the attacker to collect
FMS Attack
Scott Fluhrer, Itsik Mantin, Adi Shamir (2001)
Weakness in RC4's key scheduling (the initialization of the state array)
For certain "weak" IVs the first keystream byte depends on one key byte with noticeably higher probability than chance, so it leaks that key byte
Because IV || Key is the per-packet RC4 key and the first plaintext byte is known (the 802.2 SNAP header starts with 0xAA), the first keystream byte of every frame is recoverable
Statistical analysis over many weak-IV frames recovers the key one byte at a time
Temporal Key Integrity Protocol
Per-packet key PK = mix(Base Key, TA (transmitter address), TSC (sequence counter))
Keystream = RC4(IV, PK); Ciphertext = (Message || CRC) XOR Keystream (TKIP also adds a Michael MIC, not shown)
The TSC doubles as a replay counter
Dictionary attacks? With a pre-shared key (WPA-PSK) the passphrase can still be guessed offline from a captured handshake
Token-based Login Race Attack
Scott types Login: scott, Password: 42356... one digit at a time
The attacker, watching the session, guesses the last digit and submits Login: scott, Password: 423569 before Scott can finish, so the one-time token is consumed by the attacker
Resource Sharing
May not need an account to access files
Microsoft Shares
  Guest Shares
  Accounts
NFS Exports
Samba
Service Exploits
Banner Grabbing / Vulnerability Scanners
Stack/Buffer Overflow
Backdoors
File Transfer Programs
  Anonymous FTP
  TFTP
  FTP Bounces
FTP Bounces
Attacker uploads a file of commands to the anonymous FTP server's upload area
Attacker sends PORT address, port naming the Target Host instead of itself
Attacker sends RETR file; the FTP server connects to the target and delivers the file's contents, so the target sees the traffic coming from the FTP server
Trusted hosts increase the threat!!! (the target may trust the FTP server's address when it would never trust the attacker's)
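The server-side check that defeats the bounce described above, as an added example (not part of the lecture): refuse any PORT whose data address is not the client's own control-connection address, and refuse privileged data ports, which is what RFC 2577 recommends. The attacker address reuses 172.21.0.35 from the Smurf slide; the target 192.0.2.25 (SMTP, port 25) is an assumption.

```python
# Added example, not from the lecture: the PORT validation recommended by
# RFC 2577 against FTP bounce attacks. Addresses below are constructed.


def parse_port_command(arg: str):
    """Parse 'h1,h2,h3,h4,p1,p2' into (host, port). Raises ValueError on junk."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("PORT fields must be 0..255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def port_command_allowed(arg: str, control_peer_ip: str):
    """Accept a PORT only if the data connection goes back to the client itself."""
    try:
        host, port = parse_port_command(arg)
    except ValueError as exc:
        return False, f"syntax: {exc}"
    if host != control_peer_ip:
        # This is the bounce: the client names a third party as the data host.
        return False, f"data host {host} is not the control peer {control_peer_ip}"
    if port < 1024:
        # Even a self-addressed PORT should not be aimed at privileged services.
        return False, f"privileged data port {port}"
    return True, f"ok: data connection to {host}:{port}"


def bounce_session(control_peer_ip: str, port_arg: str):
    """Replay the slide's sequence against the check and report the server's answers."""
    log = ["STOR cmds.txt -> 226 transfer complete"]      # upload to the anonymous area
    allowed, reason = port_command_allowed(port_arg, control_peer_ip)
    if not allowed:
        log.append(f"PORT {port_arg} -> 500 {reason}")
        log.append("RETR cmds.txt -> 425 can't open data connection")
    else:
        log.append(f"PORT {port_arg} -> 200 {reason}")
        log.append("RETR cmds.txt -> 150 opening data connection")
    return log


# Attacker at 172.21.0.35 tries to bounce the uploaded commands to 192.0.2.25:25.
BOUNCE_ATTEMPT = bounce_session("172.21.0.35", "192,0,2,25,0,25")
```

An older FTP daemon would open the connection to 192.0.2.25:25 and deliver the uploaded file as SMTP commands; with the check the PORT fails and the RETR has no data connection to use. The same rule applies to the server side in passive mode: only the client that issued PASV should be allowed to connect to the port handed out.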
CGI / Server Side Includes
Extend the capabilities of the web server
  External programs loaded by the server
  Form processing
  Dynamically created pages
Run with the same access as the web server
Susceptible to bugs and access exploits
User script dangers (anyone allowed to publish a script runs code with the server's privileges)
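The "runs with the same access as the web server" point, made concrete as an added example (not part of the lecture): a hypothetical directory-lookup CGI in its vulnerable form, which pastes a form field into a shell command, next to a hardened form that validates the field and never involves a shell. The file location, the name pattern and the sample input are assumptions for illustration.

```python
import re
import shlex

# Added example, not from the lecture: a hypothetical lookup CGI, shown
# vulnerable and hardened. DIRECTORY_FILE and NAME_RE are assumptions.

DIRECTORY_FILE = "/var/www/data/directory.txt"   # assumed location


def vulnerable_lookup_command(name: str) -> str:
    """DELIBERATELY VULNERABLE: the form field is pasted into a shell command line.

    A CGI that passed this string to os.system() or a shell would run whatever
    follows a ';' or '|' with the web server's privileges.
    """
    return f"grep -i {name} {DIRECTORY_FILE}"


def shell_commands_in(command_line: str) -> int:
    """Count how many separate commands a POSIX shell would see in the line."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    separators = {";", "|", "||", "&&", "&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{0,31}")   # assumed allowlist


def name_accepted(name: str) -> bool:
    """Allowlist check: only a plausible login name gets anywhere near a process."""
    return NAME_RE.fullmatch(name) is not None


def hardened_lookup_argv(name: str) -> list:
    """Validate, then build an argv list for subprocess.run(..., shell=False).

    No shell parses the field, and '--' stops a name beginning with '-' from
    being read as a grep option.
    """
    if not name_accepted(name):
        raise ValueError("name rejected")
    return ["grep", "-i", "--", name, DIRECTORY_FILE]


HOSTILE_INPUT = "scott; cat /etc/passwd"   # constructed form field
```

For the benign field `scott` both versions do one grep; for the constructed hostile field the vulnerable command line is two commands to a shell, while the hardened version rejects the field outright, and even a field that slipped past the pattern would arrive at grep as a single argument rather than being parsed by a shell.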
DNS Spoofing
DNS/ARP Cache Poisoning
Pharming
Trust-based access to other machines
  Berkeley R Commands
  Remote File systems (NFS/SMB)
Web Site Phishing
Countermeasure: DNSSEC
Man in the Middle Attack
(diagram: a "Buy New CD" request relayed through the attacker, who can read or alter it before forwarding it)
Source Routing Attacks
Attacker sets the source address to the Trusted Host (IP spoofing) and DoSes the Trusted Host so it cannot respond
Attacker sends a source-routed connection request through the routers (R) to the target, with the route passing through the attacker
The reply follows the reversed source route, so the source-routed response comes back through the attacker instead of reaching the real Trusted Host
Session Hijacking
Parties: User Host, Destination Host, Attacker
Attacker watches live sessions to record sequence numbers
Attacker DoS's User Host and IP spoofs packets to Destination using User Host's sequence numbers
Destination continues session as if nothing happened
TCP Sequence Guessing
Parties: Trusted Host, Router, Attacker, Target
Attacker DoS's Trusted Host
Attacker attempts to connect to target many times and records sequence numbers
Attacker calculates sequence numbers which will be assigned for next connection
Attacker spoofs address of trusted host and uses calculated sequence numbers (router passes trusted internal address)
Target runs command from spoofed trusted host
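The sequence-guessing procedure above, worked through as an added example that is not part of the lecture: a predictable ISN generator of the kind the attack relies on, a randomized one of the kind current stacks use, and the attacker's probe-predict-spoof steps against each. The per-second and per-connection increments are assumptions for illustration, not the constants of any particular historical stack, and the random generator is seeded only so the example is reproducible.

```python
import random

# Added example, not from the lecture. Increments and the seed are assumptions
# for illustration; real stacks draw ISNs from a CSPRNG-keyed function
# (RFC 6528), not from a seeded random.Random.

MASK = 0xFFFFFFFF


class PredictableIsn:
    """ISN = base + per_second * elapsed + per_connection * connections so far."""

    def __init__(self, per_second=128_000, per_connection=64_000, base=0):
        self.per_second = per_second
        self.per_connection = per_connection
        self.base = base
        self.connections = 0

    def next_isn(self, now: float) -> int:
        isn = (self.base + self.per_second * int(now)
               + self.per_connection * self.connections) & MASK
        self.connections += 1
        return isn


class RandomIsn:
    """Unguessable per-connection ISNs, as current stacks produce."""

    def __init__(self, seed=1):
        self.rng = random.Random(seed)   # seeded for reproducibility only

    def next_isn(self, now: float) -> int:
        return self.rng.getrandbits(32)


def predict_next_isn(samples):
    """Attacker: from two probe connections made in the same second, take the
    per-connection stride and extrapolate to the next connection."""
    stride = (samples[-1] - samples[-2]) & MASK
    return (samples[-1] + stride) & MASK


def blind_spoof_succeeds(generator, now=1000.0) -> bool:
    """Attacker probes the target, predicts, then (with the trusted host DoS'd
    so it cannot RST the unexpected SYN-ACK) sends a SYN as the trusted host
    and an ACK of predicted ISN + 1 without ever seeing the target's SYN-ACK."""
    probes = [generator.next_isn(now) for _ in range(2)]   # attacker's own connections
    guess = predict_next_isn(probes)
    real_isn_s = generator.next_isn(now)                    # target's ISN for the spoofed SYN
    return ((guess + 1) & MASK) == ((real_isn_s + 1) & MASK)
```

Against the predictable generator the blind handshake completes and the target accepts data "from" the trusted host; against the randomized generator the guess has a one in 2^32 chance, which is why randomizing ISNs (and not trusting source addresses in the first place) closes the attack. The DoS of the trusted host matters because otherwise it would receive the SYN-ACK it never asked for and reset the connection.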