Lecture 7: Presentation Layer Security

Download Report

Transcript Lecture 7: Presentation Layer Security

Presentation Layer Security
Lecture 7
Supakorn Kungpisdan
[email protected]
NETE4630
1
Roadmap
•
•
•
•
Introduction to Presentation Layer
NetBIOS and SMB
NetBIOS and Enumeration
Sniffing Encrypted Traffic
2
NETE4630
Introduction to Presentation Layer
• Presentation layer deals primarily with data
representation
• If one host supports Extended Binary-coded Decimal
Interchange Code (EBCDIC) for character sets and
another supports ASCII, the presentation layer converts
data according to each hosts’ needs
• Other functionalities include data compression, data
encryption, and manipulating XML objects
3
NETE4630
CIFS (or SMB)
• Common Internet File System (CIFS), aka Server
Message Block (SMB), is a network protocol for file
sharing on a LAN, running at app/presentation layer
• A client-server protocol
• Rely on other protocols for transport
– Most commonly used is NetBIOS over TCP (NBT)
• MS Oses use CIFS for remote file operations (mapping
network drives), browsing (via Network Neighborhood),
authentication (NT, Win2000, 2003), and remote printer
services
• Unix Oses also implement CIFS via the Samba program
4
NETE4630
NetBIOS and SMB VS OSI
5
NETE4630
CIFS History
• In 1984, IBM wrote NetBIOS, an API allowing basic
network communications between hosts on a small
subnet, but it required a transport protocol
• The following year, IBM released a transport protocol
that makes NetBIOS come to life
• Both of them are merged into NetBIOS Enhanced User
Interface (NetBEUI)
• Later, NetBIOS was implemented using various
transport protocols e.g. DECnet, IPX/SPF, and TCP/IP
6
NETE4630
CIFS History (cont.)
• Soon after, MS and Intel created the 1st rendition of the
SMB/CIFS file sharing protocol titled “Core Protocol”
• MS and Intel chose NetBIOS to deliver the upper
protocol CIFS packets
• CIFS using NetBIOS over TCP became standard
network file sharing mechanism for MS Oses
• Several operations have been added to CIFS overtime:
–
–
–
–
File access
File and record locking
Safe file caching
File change notification
- Protocol negotiation
- Extended file attribute handling
- Batched requests
- Unicode support
7
NETE4630
NetBIOS
• NetBIOS runs over many transport protocols, but
recently TCP/IP is the most common transport protocol
used
• Main NetBIOS services:
– Name service
– Session service
– Datagram service
8
NETE4630
NetBIOS Name Service
• NetBIOS names are human readable names assigned to
computers on a network
– Commonly seen in Windows in Network Neighborhood
• Serve the same purpose as the DNS system in TCP/IP,
but different in the method
• Operate on UDP port 137
9
NETE4630
NetBIOS Name Services (cont.)
• Broadcast and/or server based
– Name registration and lookups can be accomplished
by broadcasting to the LAN and/or using a central
NetBIOS name server (NBNS or WINS)
•
•
•
•
Broadcast only (b-node)
NBNS only (p-node)
Broadcast first then NBNS (m-node)
NBNS first then broadcast (h-node)
• Dynamic registration
– With NetBIOS, when a computer boots, it registers its
name/IP combination dynamically
10
NETE4630
NetBIOS Name Services (cont.)
• Two most common NetBIOS name service are name
registration and name query
• Name registration associates a NetBIOS name with an
IP
• Name query determines the IP address associated with
an given name
11
NETE4630
Name Registration (b-node)
1
1
2
1
1. Broadcast name registration
packet containing name and IP
over UDP port 137 three times
(waiting 250 ms each)
2. If a host has already registered
the name, it sends back a
defense packet back
1
2
12
NETE4630
Name Registration (p-node)
1
2
1. Unicast name registration packet
over UDP port 137 directly to
NBNS three times (waiting 250
ms each)
2. If the name is already registered,
NBNS sends back a defense
packet back
2
1
WINS server
13
NETE4630
Name Query (b-node)
1
1
2
1
1. Broadcast name query request
containing name over UDP port
137 three times (waiting 5 s
each)
2. If a host has already registered
the name, it sends back a
defense packet back
1
2
14
NETE4630
Name Query (p-node)
1
2
1. Unicast name query request
over UDP port 137 directly to
NBNS three times (waiting 250
ms each)
2. If the name is already registered,
NBNS sends back a defense
packet back
2
1
WINS server
15
NETE4630
NetBIOS Session Service
• From RFC1001, “A session is a reliable message
exchange, conducted between pair of NetBIOS
applications. Session is full-duplex, sequenced, and
reliable”
• CIFS uses the session service to send and receive all
upper layer commands, including file and printer
operations
• The first step in any CIFS communications is to establish
a NetBIOS session between client and server
16
NETE4630
Session Service Primitives
• Call: Initiate a NetBIOS session
– Create TCP connection and send a NetBIOS call packet
containing the client’s NetBIOS name and the server’s NetBIOS
name
• Listen: Wait for a NetBIOS call command
– Mapped a server waiting on TCP port 139
• Hang up: end a NetBIOS session
– Mapped into TCP by initiating a TCP teardown sequence
• Send: send a message over a NetBIOS session
• Receive: receive a message from a NetBIOS session
• Session status: obtain information about session
17
NETE4630
NetBIOS Datagram Service
• From RFC1001, “The datagram service is unreliable,
non-sequenced, connectionless service”
• Used by NetBIOS application as a fast, broadcastcapable, low-overhead method of transferring data
• Implemented on UDP port 138
• All NetBIOS datagram packets adds a header containing
NetBIOS name and whether or not the NetBIOS
datagram was fragmented to be sent via UDP
• CIFS protocol standard does not implement NetBIOS
datagram server, but CIFS implementations typically use
it for browsing
18
NETE4630
CIFS Properties
• CIFS allows file sharing between network nodes
• Client/server + request/response
– Allow multiple simultaneous requests be assigning
multiplex id (MID) to each request
– The server replies with the same MID
• Command based
– Each packet contains a command field indicating the
packet purpose e.g. login, open a file, read from a file,
or write to a file
– CIFS packet contains a 1-byte command field
allowing 100+ commands available
19
NETE4630
CIFS Properties (cont.)
• Protocol dialects/negotiation
– Allow different variants (dialects) of CIFS to
communicate
– When client wishes to access files on a remote
server, client sends a negotiate protocol packet
containing a list of dialect strings that it is capable of
understanding.
– The server sends back the response containing which
dialect it wishes to communicate
20
NETE4630
SMB Variants (Dialects)
Ref: http://samba.anu.edu.au/cifs/docs/what-is-smb.html
21
NETE4630
CIFS Properties (cont.)
• User/share level security
• User level security
– A client wishing to access the share must provide a
username and a password
– Used in windows 2000 onwards
• Share level security
– The share itself requires only a password, but no
username is required
– Used in windows 95 and 98
22
NETE4630
CIFS Properties (cont.)
• Encryption
– Password entered is sent in an encrypted format to
server
– NTLM and LM
• Command batching
– Many CIFS packets are capable of piggybacking
other CIFS packets to reduce latency and better
utilizing network bandwidth
– This technique is referred as ANDX batching
23
NETE4630
CIFS Properties (cont.)
• Opportunitistic locking (oplock)
– When a CIFS packet specifies to open file, an oplock
can be requested
– If granted by server, no other entities can access the
file
24
NETE4630
CIFS Packet Header
25
NETE4630
CIFS Operations
• Two common CIFS client/server packet
exchanges
– Client initiates contact with a server
– Client requires to open a file and read from it
26
NETE4630
Initial Contact, Login, and Tree Connect
Establish NetBIOS session
Client
Positive NetBIOS session acknowledgement
Server
Negotiate CIFS dialect
Choose CIFS dialect from request list
User login
Indicate User IF or returns error if bad password
Connect to particular resource
Indicate Tree ID or error if share name does not exist
27
NETE4630
File Open and Read
Client
Open a file
Server
Indicate File ID, or error code if problem
Read from a file
Return file data requested
28
NETE4630
SMB and SAMBA
• SAMBA is a project established to provide free
implementations of the SMB protocol for various
platforms.
• The SAMBA project has had to "reverse engineer" the
protocols and continues to work in this manner in order
to keep the software free.
• Despite having released a version of SMB to the X-Open
organization, Microsoft continues to develop the protocol
as a proprietary protocol and details of some of the more
recent versions have not been made freely available.
29
NETE4630
Null User Overview
• At the core of the Windows authentication scheme lies
the 'User' administrative unit.
• When we create users, we assign them rights,
privileges, and policy restrictions to define what they can
and can't do on our networks.
• But in addition to the standard User, Windows supports
a special type of user called the 'Null' user, which is
basically a pseudo-account that has no username or
password, but is allowed to access certain information
on the network
• Some MS OSes and services used to require that you
utilize the null user in order to operate properly
30
NETE4630
Null User Overview (cont.)
• Null user can enumerate account names and shares on
domain controllers, member servers, and workstations
alike.
• Therefore this null user, a user with no credentials, can
be used to glean a tremendous amount of information
from your network without raising any eyebrows
31
NETE4630
Null User Overview (cont.)
• Microsoft's System Management Server uses the null
user to enumerate shares during discovery.
• Even the mundane action of starting a NT workstation or
server creates an initial null user logon to one of your
domain controllers after its NetBIOS name is
successfully registered (before you get the Ctrl + Alt +
Delete logon prompt)
• System account uses the null user to get to remote
resources
32
NETE4630
NetBIOS Enumeration
• Null sessions allow users to communicate via NetBIOS
in order to query any server as the null user
• If this occurs, user’s can enumerate shares, users,
groups, permissions, policies. They can probably brute
force their way into the network
• Many tools can be used to enumerate different aspects
of a Windows server
33
NETE4630
enum
• enum is a console-based Win32 information
enumeration utility.
• Using null sessions, enum can retrieve userlists,
machine lists, sharelists, namelists, group and member
lists, password and LSA policy information.
• enum is also capable of a rudimentary brute force
dictionary attack on individual accounts.
Ref: http://www.cotse.com/tools/netbios.htm
34
NETE4630
enum (cont.)
Get user list
Get password policy
No limit number of logon attempts
35
NETE4630
enum (cont.)
Dictionary attack
36
NETE4630
Exploiting the IPC$ Share
• Windows have hidden administrative shares that have $ at
the end (e.g. C$, ADMIN$, IPC$). The system tells itself to
omit this share from any request for the enumeration of
shares
• Interprocess Communication (IPC$) share is necessary to
make systems work properly
• IPC$ is used for data sharing between processes
• In old versions of Windows (esp NT), users can exploit the
use of IPC$ and other hidden shares through a null session
• Once connected, the user may utilize the net view and net
use command to browse and connect to the hidden shares
on a machine
37
NETE4630
Exploiting the IPC$ Share (cont.)
38
NETE4630
winfo
verbose
C:\winfo\winfo 192.168.1.1 –v -n
Establish a null
session before
dump data
39
NETE4630
Other NetBIOS Issues
• An attacker can generate a fake packet to deny a host
joining the network
• Many vulnerabilities have been fixed in new Windows
OSes, but several organizations still have legacy
systems
• Thus, these types of NetBIOS vulnerability still exist
40
NETE4630
Sniffing Encrypted Traffic
• Obfuscation
– Some utilize encryption and others use one-way
function
– Make it difficult to intercept a transmission of a
message and retrieve it content
• Base64 encoding
– Not suitable for data protection (confidentiality)
– No shared key between encode and decode functions
41
NETE4630
Sniffing Encrypted Traffic (cont.)
• XOR encryption
– Use shared key, provide more protection
42
NETE4630
Sniffing Encrypted Traffic (cont.)
• Message Digest
– MD5 and SHA-1
– Not an encryption algorithm
– The premise for using digests and hashes is to make
it difficult for a collision to occur, computationally
infeasible to reproduce identical digests/hashes from
different input
– Most commonly used to obfuscate passwords
– Vulnerable to brute-force and rainbow table attacks
43
NETE4630
Kerberos
44
NETE4630
Attacking Kerberos
• Communications between C and AS is derived from
user’s password
• Windows computes a one-way function (OWF) against
the password to generate the key
• If the hash value is known, we can run a dictionary
attack against the key  Known ciphertext attack
• Security of Kerberos depends on how strong the
password is
45
NETE4630
Attacking Kerberos (cont.)
Hashed password
46
NETE4630
Attacking Kerberos (cont.)
• Run Kerbsniff, a command-line utility to
capture AS-REQ value to a text file
47
NETE4630
Attacking Kerberos (cont.)
• Run Kerbcrack on the hashed password to recover the
password
Input file Dictionary attack
48
NETE4630
Attacking Weak Protection Schemes
• Many people said that data protection requires strong
cryptographic algorithms that can resist a dictionary or
brute-force attack
• However, much of the problems lies in selecting weak
passwords
• Weak protection scheme reduces the effort an attacker
must take once the hash value is known
49
NETE4630
John the Ripper
Downloaded at http://www.openwall.com/john/
50
NETE4630
Question?
Next week
Application Layer Security
NETE4630
51