EECS 700: Network Security


ITIS 6167/8167: Network Security
Weichao Wang
• OS detection through TCP/IP fingerprint
• DNS and its security
• OS detection through TCP/IP fingerprint
• Reasons to detect OS
– Determine vulnerability of target hosts
– Tailor exploits
– Network inventory
Nmap
• Nmap (“Network Mapper”) uses IP packets to determine what hosts are available on the networks, what services those hosts are offering (application name and version), what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
• Nmap is free software, available with full source code at http://www.nmap.org/
• NMAP has been used in many movies
Host Discovery
• TCP SYN Probe:
– Remote side replies ACK or RST
• TCP ACK Probe
– Remote side returns RST
• TCP FIN scan
• UDP Probe
– Use an uncommon UDP port (most of the time closed)
– Get an ICMP port unreachable report
• ICMP Echo Request/Ping
• ICMP Timestamp Request
• ICMP Netmask Request
• ARP Probes
– Why ARP scan? When you use an ICMP ping scan, the OS needs to send out an ARP request to figure out the MAC address
– You are sending millions of ARP requests; the OS is not designed for this
– Nmap directly controls ARP and sends out the ARP requests itself
Intense Discovery!
# nmap -sP -PE -PP -PS21,22,23,25,80,113,21339 -PA80,113,443,10042 --source-port 53 -n -T4 -iR 10000
[ … lots of IPs … ]
Host a.b.c.d appears to be up.
Host w.x.y.z appears to be up.
Nmap finished: 10000 IP addresses (699 hosts up) scanned in 2016.564 seconds
NMap – Port Scanner
Purpose of port scanner
• Identify unused/unauthorized services in the network
– Example: unauthorized ftp service, Trojan software
• Discover unused/rogue devices in the network
– Example: unauthorized notebook computer
NMap – Port Scanner Output
NMap – Port Scanner Example
NMap – Port Scanner Example
• Port scan
– There are many more tools other than the TCP SYN scan
– Be careful with the scan results. Sometimes they are misleading
• Implementation not following the RFC
• OS intentionally confuses the scanner
• TCP scan
– Send only the SYN packet
• If you receive SYN/ACK, the port is open
• If you receive RST, there is no listener on the port
• If you receive no response or an ICMP error report, the port is filtered
• UDP scan
– Many UDP ports are open: DNS, SNMP, DHCP, etc.
– Send an empty UDP header (no data) to the target ports
– Problems of UDP scan
• Too slow. Many OSes limit the rate at which they send out ICMP unreachable packets. E.g. Linux and Solaris use 1 pkt/sec.
• If there is no response, the UDP packets will be resent. This also takes a long time.
TCP NULL, FIN, and Xmas Scan
• Use combinations of TCP flag bits to distinguish an open port from a closed port
– Null scan
• Does not set any bits
– FIN scan
• Sets just the TCP FIN bit
– Xmas scan
• Sets the FIN, PSH, and URG flags
• TCP ACK scan
– Tries to tell whether or not the port is filtered
– Just set the ACK bit
– If the port is not filtered (the ACK packet reaches the port), you will receive a RST
– If an ICMP error report is received, label the port as filtered
• TCP Window scan
– Almost the same as the ACK scan
– But look at the window size in the returned RST packet
• A positive window size shows an open port
• A zero window size shows the port is closed
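The scan types above can be recognised from the defender's side by the flag combinations they send. The following detector is an added example (not code from the lecture slides or from Nmap): NULL, FIN-only and Xmas probes are flagged on sight because a conforming TCP stack never emits those flag sets on its own, while SYN-only and ACK-only packets, which are normal individually, are flagged only when one source touches many distinct ports within a short window. The flow records, addresses, timings and thresholds are constructed for the demonstration.

```python
"""Port-scan detection over constructed TCP flow records (added example)."""
from collections import defaultdict

# Constructed sample: (time_sec, src_ip, dst_ip, dst_port, tcp_flags)
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", "10.0.0.20", 21, {"SYN"}),
    (0.4, "10.0.0.5", "10.0.0.20", 22, {"SYN"}),
    (0.8, "10.0.0.5", "10.0.0.20", 23, {"SYN"}),
    (1.2, "10.0.0.5", "10.0.0.20", 25, {"SYN"}),
    (1.6, "10.0.0.5", "10.0.0.20", 80, {"SYN"}),
    (2.0, "10.0.0.5", "10.0.0.20", 443, {"SYN"}),
    (2.5, "10.0.0.5", "10.0.0.20", 80, {"FIN", "PSH", "URG"}),   # Xmas probe
    (0.3, "10.0.0.7", "10.0.0.20", 443, {"SYN"}),               # normal client
    (0.5, "10.0.0.7", "10.0.0.20", 443, {"ACK"}),
    (3.0, "10.0.0.7", "10.0.0.20", 443, {"FIN", "ACK"}),        # normal close
    (5.0, "10.0.0.9", "10.0.0.20", 139, {"FIN"}),               # FIN probe
]

# Flag sets that a conforming TCP stack never sends on its own.
MALFORMED_SIGNATURES = {
    frozenset(): "NULL",
    frozenset({"FIN"}): "FIN",
    frozenset({"FIN", "PSH", "URG"}): "Xmas",
}

# Flag sets that are legitimate alone but suspicious as a sweep across ports.
SWEEP_SIGNATURES = {
    frozenset({"SYN"}): "SYN sweep",
    frozenset({"ACK"}): "ACK sweep",
}


def classify_probe(flags):
    """Return the scan type implied by one packet's flags, or None."""
    return MALFORMED_SIGNATURES.get(frozenset(flags))


def detect_scans(flows, window=10.0, port_threshold=5):
    """Return {src_ip: sorted scan types} for every source that looks like a scanner.

    Sweep detection keeps, per (source, flag set), the probes seen in the last
    `window` seconds and fires once they cover >= port_threshold distinct ports.
    """
    alerts = defaultdict(set)
    recent = defaultdict(list)  # (src, flagset) -> [(time, dport), ...]
    for t, src, _dst, dport, flags in sorted(flows, key=lambda f: f[0]):
        kind = classify_probe(flags)
        if kind:
            alerts[src].add(kind)
        key = frozenset(flags)
        if key in SWEEP_SIGNATURES:
            events = recent[(src, key)]
            events.append((t, dport))
            while events and t - events[0][0] > window:   # slide the window
                events.pop(0)
            if len({p for _, p in events}) >= port_threshold:
                alerts[src].add(SWEEP_SIGNATURES[key])
    return {src: sorted(kinds) for src, kinds in alerts.items()}


if __name__ == "__main__":
    for src, kinds in detect_scans(SAMPLE_FLOWS).items():
        print(f"{src}: {', '.join(kinds)}")
```

On the sample, 10.0.0.5 is reported for a SYN sweep and an Xmas probe, 10.0.0.9 for a FIN probe, and the ordinary client 10.0.0.7 is not reported. A lone ACK is deliberately not treated as a probe, since every established connection sends them; only a fan-out over many ports is suspicious.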
Idle Scanning
• Uses the IPID of a quiet host (zombie) to check for open ports on other hosts.
• Nmap spoofs the zombie's address when sending packets to the victim
• Polls the zombie to see if its IPID has incremented (it received a reply from the victim when not expecting one)
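To make the three steps concrete, here is a toy model of the idle scan as an added example (not from the lecture slides or from Nmap, and with no network access): a zombie whose IP ID counter grows by one for every packet it sends, and a target that answers a SYN with SYN/ACK or RST. It shows why a globally incrementing IP ID leaks information about third parties, and why the inference breaks when the zombie is not actually idle. The Zombie and Target classes and the port numbers are constructed for the demonstration.

```python
"""Idle-scan inference on a simulated zombie (added example)."""


class Zombie:
    """A host with one global, incrementing IP ID counter."""

    def __init__(self, start=1000):
        self.ipid = start

    def send(self):
        """Every packet the zombie emits consumes the next IP ID."""
        self.ipid += 1
        return self.ipid

    def receive(self, segment):
        """Model the TCP stack's reaction to an unsolicited segment."""
        if segment == "SYN/ACK":
            self.send()          # unexpected SYN/ACK -> the zombie answers with RST
        # an unexpected RST is silently dropped: nothing is sent


class Target:
    """Host being scanned; answers a SYN with SYN/ACK (open) or RST (closed).
    A filtered port answers nothing at all."""

    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_spoofed_syn(self, port, apparent_source):
        if port in self.filtered_ports:
            return
        apparent_source.receive("SYN/ACK" if port in self.open_ports else "RST")


def infer_port_state(ipid_before, ipid_after):
    """Map the observed IP ID delta to a port state. The delta counts the
    zombie's reply to the second probe plus any RST it sent in between."""
    delta = ipid_after - ipid_before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "inconclusive: zombie not idle"


def idle_scan(target, zombie, port, background_packets=0):
    """Run the three steps; background_packets models other traffic the
    zombie happens to send, which corrupts the measurement."""
    before = zombie.send()                        # 1. probe zombie, record IP ID
    target.receive_spoofed_syn(port, zombie)      # 2. SYN to target, source = zombie
    for _ in range(background_packets):
        zombie.send()
    after = zombie.send()                         # 3. probe zombie again
    return infer_port_state(before, after)


if __name__ == "__main__":
    t = Target(open_ports={80}, filtered_ports={25})
    for p in (80, 22, 25):
        print(p, idle_scan(t, Zombie(), p))
    print(80, idle_scan(t, Zombie(), 80, background_packets=3))
```

Closed and filtered ports are indistinguishable in this technique (both leave the zombie silent), and any other traffic from the zombie turns the result into noise, which is why a randomised or per-destination IP ID on your own hosts removes their usefulness as zombies.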
• FTP bounce scan
– Uses the FTP proxy connection feature
– A user connects to server 1 and asks for files to be sent to host 2
– Uses the FTP server to scan a host's ports
– Bypasses dynamic packet filtering devices
• OS detection
– Send multiple TCP, UDP, and ICMP probes to open or closed ports of the machine
– In TCP packets, the following information is used:
• Sequence number
• TCP options
• Window size
• Congestion control
• MSS size, timestamp
• In ICMP packets, the following information is used:
– Handling of the DF bit
– TOS (type of service)
– ICMP code
– ICMP identifier
• In UDP packets, the following information is used:
– UDP port number
– Handling of data contents
• In summary, dozens of attributes are used to fingerprint the OS
• OS detection
– Send dozens of ICMP, TCP, UDP packets to the host
– Analyze every bit of the reply
– Map the results to known fingerprints of OSes
• DNS: Domain Name System
• Motivation:
– People cannot remember IP addresses; they want something easier to remember
• DNS in early days (ARPANET)
– A flat space without structure
– A centralized site to maintain it: a file named hosts.txt at SRI
– Advantages: short names
– Problems: scalability, conflicts, maintaining copies
• Hierarchical names
– Decentralized name mechanism: delegating authority and distributing responsibility
– Authoritative name servers for each domain
• can assign other authoritative name servers for their subdomains
– Advantages: distributed, fault tolerant, avoids a central register
– Works like a large company
• Partitioned at every level
• The authority for names in subdivisions is passed to designated agents
• DNS: two things
– Name syntax and rules for delegation
– Ways of implementation so that we can efficiently map names to IPs
• DNS Syntax
– Set of labels separated by periods
– Every label is no longer than 63 bytes
– At most 127 levels
– The whole domain name should be no longer than 253 bytes
• Example
– sis.uncc.edu is a domain
– uncc.edu is also a domain
– Top-level domain is edu
• Top level domains
• New top level domains
• A domain is not necessarily a geographic concept:
– Ten hosts with different names under research.hp.com can be distributed at different branches
• Mapping domain name to address
– Name server: accomplishes the translation
– Client: generates the request
– Servers arranged in a tree structure
– A given server handles the entire subtree
– There are 13 (maybe more now) root servers around the world
• Distribute workload
• Improve safety
• In practice:
– A single server can handle multiple levels of the naming tree
– For example, a root server handles all top level domains
– Circular dependencies and glue records
– DNS can be used to implement email blacklists
• Efficient translation
– Facts:
• Most lookups refer to local names
– On machines, you can set up frequently used suffixes
• Name-address maps change infrequently
• Users likely search the same sites
– Initial contact begins with the local DNS server
• Caching: servers cache answers
– Local server maintains caches
– Bindings change infrequently
– TTL for each entry
• Set by the authoritative server
• Negative entries have a TTL of 600 seconds
– Because of caching, not everyone is necessarily seeing the same thing
• Two types of queries
– Recursive: usually used by the client
– Iterative: used by the local DNS server
• Recursive query:
– A resolver sends a recursive query to a name server.
– The queried name server is obliged to respond with the requested data or with an error stating that data of the requested type don't exist or that the domain name specified doesn't exist.
– The name server can't just refer the querier to a different name server, because the query was recursive.
• Recursive query:
– If the queried name server isn't authoritative for the data requested, it will have to query other name servers to find the answer.
– It could send recursive queries to those name servers, thereby obliging them to find the answer and return it.
– It could send iterative queries and possibly be referred to other name servers "closer" to the domain name it's looking for.
– Current implementations are polite and do the latter, following the referrals until an answer is found.
– The recursive query should contain the whole query, instead of a shorter version or explicit query. Why?
• Efficiency, and the server may not exist
– Be careful of circular dependencies
• Iterative process:
– In iterative resolution, a name server simply gives the best answer it already knows back to the querier.
– No additional querying is required.
– The queried name server consults its local data, looking for the data requested. If it doesn't find the data there, it makes its best attempt to give the querier data that will help it continue the resolution process. Usually these are the domain names and addresses of the closest known name servers.
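The referral walk described on the recursive and iterative slides can be modelled in a few dozen lines. The following is an added example (not from the lecture slides and not any real resolver's code): an in-memory tree of three servers, each of which knows only its own zone and either answers, refers the querier to the closest delegation it holds (NS names together with glue addresses, which is what avoids the circular dependency the slides mention), or reports that the name does not exist. The zone names and the 192.0.2.0/24 addresses are constructed for the demonstration.

```python
"""Iterative resolution over a constructed, in-memory name-server tree (added example)."""

# Constructed name-server tree: address -> {zone, answers, delegations}.
# A delegation lists (NS name, glue address) pairs for a child zone.
SERVERS = {
    "192.0.2.1": {"zone": ".", "answers": {},
                  "delegations": {"edu.": [("a.edu-servers.test.", "192.0.2.2")]}},
    "192.0.2.2": {"zone": "edu.", "answers": {},
                  "delegations": {"uncc.edu.": [("ns1.uncc.edu.", "192.0.2.3")]}},
    "192.0.2.3": {"zone": "uncc.edu.",
                  "answers": {"sis.uncc.edu.": "192.0.2.10", "ns1.uncc.edu.": "192.0.2.3"},
                  "delegations": {}},
}
ROOT_HINT = "192.0.2.1"   # the local server is configured with a root address


def in_zone(name, zone):
    """True if `name` is `zone` itself or lies below it (label-boundary aware)."""
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def iterative_query(server_ip, qname):
    """What one server returns to an iterative query: its best local answer.

    ("answer", ip)                  it is authoritative for qname
    ("referral", [(ns, ip), ...])   closest delegation it knows about
    ("nxdomain", None)              it is authoritative that the name does not exist
    """
    server = SERVERS[server_ip]
    if qname in server["answers"]:
        return "answer", server["answers"][qname]
    best_zone, best_ns = None, None
    for zone, ns_list in server["delegations"].items():
        if in_zone(qname, zone) and (best_zone is None or len(zone) > len(best_zone)):
            best_zone, best_ns = zone, ns_list        # longest matching delegation
    if best_ns:
        return "referral", best_ns
    return "nxdomain", None


def resolve(qname, root=ROOT_HINT, max_hops=16):
    """The local server's loop: start at a root, follow referrals until an answer.
    Returns (address or None, trace of (server, reply kind))."""
    server, trace = root, []
    for _ in range(max_hops):
        kind, data = iterative_query(server, qname)
        trace.append((server, kind))
        if kind == "answer":
            return data, trace
        if kind == "nxdomain":
            return None, trace
        server = data[0][1]          # follow the glue address of the first NS
    raise RuntimeError("too many referrals (delegation loop?)")


if __name__ == "__main__":
    addr, trace = resolve("sis.uncc.edu.")
    print(addr)
    for hop in trace:
        print("  ", hop)
```

Resolving sis.uncc.edu. visits the root, the edu server and the uncc.edu server in turn (two referrals, then an answer). The hop limit is the resolver-side guard against a delegation loop, which is the circular-dependency case the slides warn about.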
• Inverse mapping:
– Start from the IP address and find out the labels
– Use the IP address as part of the domain label
– Use the IP address in reverse order since the first byte usually represents more information
• 222.33.44.3 -> 3.44.33.222.in-addr.arpa
– Many name servers do not support this any more
• DNS port number
– TCP and UDP port 53
– Most of the time we use the UDP port
– TCP is used for
• Requests with large size (longer than 512 bytes)
• Zone transfer
• Resource records:
– Store the domain name data
– Can be of different types:
• A: address
• MX: mail exchanger
• NS: name server
• Etc.
– Wildcard DNS records
ISI.EDU.          MX   10 VENERA.ISI.EDU.
                  MX   10 VAXA.ISI.EDU.
VENERA.ISI.EDU.   A    128.9.0.32
                  A    10.1.0.52
VAXA.ISI.EDU.     A    10.2.0.27
                  A    128.9.0.33
• The difference b/w domain and zone
– This is important. The name server may know its zone instead of the whole domain
– A zone consists of a collection of connected nodes served by an authoritative name server.
– A single name server can host multiple zones
– A zone contains the domain names in this domain, except for those in delegated subdomains
– A domain contains more information than the name server would need.
• Information that defines a zone
– Authoritative data for all nodes within the zone
– Data that defines the top node of the zone
– Data that describes delegated subzones
– Data that allows access to name servers for subzones: avoids the chicken-and-egg situation
– The servers for a zone do not need to reside on a host in that domain
– Zones are described by Resource Records
• Domain server message format:
– Can ask multiple questions in a single message (need to identify the number of questions)
– You need to identify the domain name, class (internet), and type
– How to represent domain names:
• Multiple labels
• Each label with a length byte
• A length byte of 0 identifies the end
• May also use a pointer (two bytes)
The query would look like:
               +---------------------------------------------------+
    Header     | OPCODE=SQUERY                                     |
               +---------------------------------------------------+
    Question   | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=A           |
               +---------------------------------------------------+
    Answer     | <empty>                                           |
               +---------------------------------------------------+
    Authority  | <empty>                                           |
               +---------------------------------------------------+
    Additional | <empty>                                           |
               +---------------------------------------------------+
The response would look like:
               +---------------------------------------------------+
    Header     | OPCODE=SQUERY, RESPONSE, AA                       |
               +---------------------------------------------------+
    Question   | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=A           |
               +---------------------------------------------------+
    Answer     | SRI-NIC.ARPA. 86400 IN A 26.0.0.73                |
               |               86400 IN A 10.0.0.51                |
               +---------------------------------------------------+
    Authority  | <empty>                                           |
               +---------------------------------------------------+
    Additional | <empty>                                           |
               +---------------------------------------------------+
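The message format slides describe the label-length name encoding, the fixed header and the two-byte compression pointer. The following encoder/decoder is an added example (not from the lecture slides and not the API of any DNS library) that builds the query above and parses a response constructed here to match the SRI-NIC.ARPA. walk-through. The decoder refuses pointers that point forward or loop, which is the classic way a malformed message hangs or crashes a naive parser; the transaction ID 0x1234 and the sample bytes are constructed.

```python
"""Build and parse DNS messages in wire format (added example)."""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Labels each prefixed by a length byte, terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def decode_name(msg, offset):
    """Return (name, offset_after_name). Follows compression pointers safely."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # two-byte pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if target >= offset or hops > 127:        # must point backwards; bound the hops
                raise ValueError("bad compression pointer")
            if not jumped:
                end = offset + 2                      # the name ends after the first pointer
            jumped, hops, offset = True, hops + 1, target
            continue
        if length == 0:
            offset += 1
            break
        if length > 63:
            raise ValueError("label too long")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (end if jumped else offset)


def build_query(txid, qname, qtype=TYPE_A):
    """Standard query, one question, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def build_sample_response():
    """Constructed reply for SRI-NIC.ARPA.: the answers reuse the question
    name through a pointer to offset 12 (bytes C0 0C)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 2, 0, 0)   # QR, AA, RD, RA
    question = encode_name("SRI-NIC.ARPA.") + struct.pack("!HH", TYPE_A, CLASS_IN)

    def a_record(ip):
        rdata = bytes(int(o) for o in ip.split("."))
        return b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 86400, len(rdata)) + rdata

    return header + question + a_record("26.0.0.73") + a_record("10.0.0.51")


def parse_response(msg):
    """Parse header, question and answer sections into a dict."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == TYPE_A else rdata
        answers.append((name, ttl, value))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "aa": bool(flags & 0x0400), "questions": questions, "answers": answers}


if __name__ == "__main__":
    print(build_query(0x1234, "SRI-NIC.ARPA.").hex())
    print(parse_response(build_sample_response()))
```

The query is 30 bytes: a 12-byte header, the 14-byte encoded name, and QTYPE/QCLASS. A real resolver must also check that the response's transaction ID and question match the query it sent before accepting the answer section.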
• Security problems of DNS
– Protocol based attacks: based on how DNS works
– Server attacks: based on the bugs of the programs or machines running DNS
• Protocol attacks:
– DNS spoofing
– DNS ID hacking
– DNS cache poisoning
• Cache poisoning:
– Map a domain to an attacker's IP
– Usually through related or unrelated data attacks
• DNS spoofing:
– Answer DNS queries intended for another server
– May need to guess the DNS request identification (16 bits) and the source UDP port number
• Unrelated data attack
– The hacker asks the victim DNS for a nonexistent name whose mapping is served by a server under the hacker's control. Uses a “recursive” request to hide itself
– When the victim DNS asks the malicious server, it provides unrelated information to poison the victim
– Has been fixed now: forbid any unrelated data
• Related data attack
– The attack procedure is the same, but the data has to be made related
– Uses MX, CNAME, and NS records of the same domain
– These records do not provide a real IP but just another domain
– Can poison the cache of the victim
– Has been fixed: rejecting any out-of-zone data
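The fix named on the last two slides (reject any out-of-zone data) and the TTL rules from the caching slide can be shown together in one resolver cache. The following is an added example (not from the lecture slides and not any real resolver's code): a record is accepted from a response only if its owner name lies inside the zone, the "bailiwick", of the server that sent it, entries expire by TTL, and negative answers are cached with their own TTL. The zone names, the 203.0.113.0/24 addresses and the injectable clock are constructed for the demonstration.

```python
"""Resolver cache with TTLs and a bailiwick check (added example)."""
import time


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or lies below it."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or owner == zone or owner.endswith("." + zone)


class ResolverCache:
    NEGATIVE = object()      # marker for a cached "name does not exist"

    def __init__(self, clock=time.time, negative_ttl=600):
        self._store = {}     # (name, type) -> (expires_at, value)
        self._clock = clock
        self._negative_ttl = negative_ttl

    def ingest(self, records, server_zone):
        """Accept records (owner, type, ttl, value) from a server that is
        authoritative for `server_zone`; drop anything outside that zone.
        Returns (accepted, rejected) so the caller can log poisoning attempts."""
        accepted, rejected = [], []
        for rr in records:
            owner, rtype, ttl, value = rr
            if not in_bailiwick(owner, server_zone):
                rejected.append(rr)
                continue
            self._store[(owner.lower(), rtype)] = (self._clock() + ttl, value)
            accepted.append(rr)
        return accepted, rejected

    def cache_negative(self, owner, rtype):
        """Remember that the name/type does not exist, for negative_ttl seconds."""
        self._store[(owner.lower(), rtype)] = (self._clock() + self._negative_ttl, self.NEGATIVE)

    def lookup(self, owner, rtype):
        """Return ("hit", value), ("negative", None) or ("miss", None)."""
        key = (owner.lower(), rtype)
        entry = self._store.get(key)
        if entry is None:
            return "miss", None
        expires_at, value = entry
        if self._clock() >= expires_at:
            del self._store[key]           # TTL elapsed
            return "miss", None
        if value is self.NEGATIVE:
            return "negative", None
        return "hit", value


# Constructed response from the attacker-controlled zone: it carries a genuine
# glue record for its own name server and a planted A record for another domain.
POISON_ATTEMPT = [
    ("www.attacker.example.", "A", 300, "203.0.113.10"),
    ("victim.example.", "A", 86400, "203.0.113.66"),       # out of bailiwick
    ("attacker.example.", "NS", 300, "ns1.attacker.example."),
    ("ns1.attacker.example.", "A", 300, "203.0.113.11"),    # legitimate glue
]

if __name__ == "__main__":
    cache = ResolverCache()
    accepted, rejected = cache.ingest(POISON_ATTEMPT, "attacker.example.")
    print("accepted:", accepted)
    print("rejected:", rejected)
    print(cache.lookup("victim.example.", "A"))
```

Only the record for victim.example. is rejected; the MX/CNAME/NS trick of the related-data attack fails for the same reason, because the planted record's owner is still outside the answering server's zone.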
• DNS ID hacking
• If the attacker can eavesdrop on the packet:
– Can easily find the ID and port number
• If not on the same network
– Has to guess the ID and UDP port
– Some DNS servers use consecutive numbers for the ID
– How to really do it?
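From the defender's side, the question to ask of the slide above is how guessable your own resolver's queries are. The following audit is an added example (not from the lecture slides): given (transaction ID, source port) pairs observed on a resolver's outgoing queries, it reports whether the 16-bit IDs are consecutive and whether the source port never changes, and estimates how many bits an off-path attacker would have to guess. The two traces are constructed: one from a weak resolver (consecutive IDs, port 53 fixed) and one from a hardened resolver (random IDs, random ephemeral ports, seeded for repeatability).

```python
"""Audit a resolver's transaction IDs and source ports for predictability (added example)."""
import math
import random

# Constructed: consecutive IDs and a fixed source port 53.
WEAK_TRACE = [(0x4000 + i, 53) for i in range(40)]

# Constructed: random 16-bit IDs and random ephemeral ports.
_rng = random.Random(7)
HARDENED_TRACE = [(_rng.randrange(0, 65536), _rng.randrange(1024, 65536)) for _ in range(40)]


def audit_query_source(trace, sequential_fraction=0.9):
    """Return a dict describing the observed ID/port behaviour.

    guess_bits is an upper bound: 16 bits for the ID unless it is consecutive,
    plus log2 of the ephemeral port range unless the port is fixed.
    """
    txids = [t for t, _ in trace]
    ports = {p for _, p in trace}
    deltas = [(b - a) % 65536 for a, b in zip(txids, txids[1:])]
    sequential = bool(deltas) and sum(d == 1 for d in deltas) / len(deltas) >= sequential_fraction
    fixed_port = len(ports) == 1
    txid_bits = 0.0 if sequential else 16.0
    port_bits = 0.0 if fixed_port else math.log2(65536 - 1024)   # ports 1024..65535
    return {"sequential_txid": sequential, "fixed_port": fixed_port,
            "guess_bits": round(txid_bits + port_bits, 2)}


if __name__ == "__main__":
    print("weak:    ", audit_query_source(WEAK_TRACE))
    print("hardened:", audit_query_source(HARDENED_TRACE))
```

The weak trace leaves nothing to guess at all, while the hardened one forces roughly 32 bits of guessing per query, which is why source-port randomisation matters as much as random IDs.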
• Server attacks on DNS
– Buffer overflow of the DNS software
– DoS attacks
• About 33% of DNS servers are spoofable
• Attack through zone transfer