Network and Application Attacks

Contributed by Chandra Prakash Suryawanshi
CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB)
June 2006
Contents
• Denial of Service Attacks
  • Single Source
  • Distributed
• Fragmentation Attacks
• Spoofing Attacks
• DNS Attacks
• Sniffing Attacks
• FTP Bounce Attack
• Application Attacks
Single Source Denial of Service Attacks
Denial of Service Attacks
• TCP SYN Flooding (SYN Attack)
• ICMP_Echo Flooding (Ping Attack)
• ICMP_Echo Flooding (Smurf Attack)
• UDP_Echo Flooding (Fraggle)
• ICMP_ECHO Reply Flooding (Ping of Death)
• Distributed Denial of Service
  • Trinoo
  • Tribe Flood Network (TFN)
SYN Attack

[Figure: TCP three-way connection between client and server, segments 1 to 3]
Segment 1 shows the client sending a SYN segment with an Initial Sequence Number (ISN) of 141521. The ISN is randomly generated. This is called an Active Open. The field win 4096 shows the advertised window size of the sending station, while the field <mss 1024> shows the maximum segment size the sender is willing to receive. SYN=1, ACK=0.
Segment 2 shows the server responding with a SYN segment carrying its own ISN of 181521 and acknowledging the client's ISN with ISN + 1. This is called a Passive Open. SYN=1, ACK=1.
Segment 3 shows the client responding by acknowledging the server's ISN with ISN + 1. SYN=0, ACK=1.
Data can now be transmitted.
TCP SYN Flooding

[Figure: the Hacker sends SYN packets with unreachable source IP addresses to the Target Host; a Legitimate Client is denied]
Attack Method.
Most hosts will only support 8-16 simultaneous communication channels.
The Hacker sends a sequence of SYN packets.
Each SYN packet (sent at roughly 120 per second) carries a different, unreachable source IP address.
This consumes all the communication channels and results in a denial of any TCP-based service.
Countermeasure.
Expand the number of ports, reduce the time-out period, validate TCP request packets.
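As an added example, not from the original deck: a toy half-open connection backlog with a time-out, showing why the "reduce the time-out period" countermeasure matters when the SYN-ACKs go to unreachable addresses that never answer. The backlog size, time-out values and addresses are constructed.

```python
"""Half-open connection backlog with a time-out (constructed example)."""
from collections import defaultdict

BACKLOG_SIZE = 16          # slide: most hosts support 8-16 simultaneous channels
DEFAULT_TIMEOUT = 75.0     # seconds a half-open entry is kept before it is dropped


class SynBacklog:
    """Tracks connections that got a SYN-ACK but whose final ACK has not arrived."""

    def __init__(self, size=BACKLOG_SIZE, timeout=DEFAULT_TIMEOUT):
        self.size = size
        self.timeout = timeout
        self.half_open = {}                   # (src_ip, src_port) -> time the SYN arrived
        self.syns_per_src = defaultdict(int)  # SYN counts per source, useful for detection
        self.refused = 0                      # SYNs turned away because the backlog was full

    def _expire(self, now):
        # entries from sources that never answer the SYN-ACK are freed after the time-out
        stale = [k for k, t in self.half_open.items() if now - t >= self.timeout]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src_ip, src_port, now):
        """Return True if the SYN gets a backlog slot (SYN-ACK sent), False if refused."""
        self._expire(now)
        self.syns_per_src[src_ip] += 1
        if len(self.half_open) >= self.size:
            self.refused += 1
            return False
        self.half_open[(src_ip, src_port)] = now
        return True

    def on_ack(self, src_ip, src_port):
        """Third handshake segment: the entry leaves the backlog and becomes a connection."""
        return self.half_open.pop((src_ip, src_port), None) is not None


def simulate_flood(timeout, rate=120, seconds=2):
    """Send `rate` SYNs per second from unreachable (never-ACKing) sources for `seconds`,
    then see whether a legitimate client still gets a slot. Returns (legit_ok, refused)."""
    backlog = SynBacklog(timeout=timeout)
    now = 0.0
    for i in range(rate * seconds):
        # constructed unreachable source addresses: the SYN-ACK is never answered
        backlog.on_syn(f"203.0.113.{i % 250 + 1}", 40000 + i, now)
        now += 1.0 / rate
    legit_ok = backlog.on_syn("192.0.2.7", 51515, now)
    return legit_ok, backlog.refused


if __name__ == "__main__":
    print("75 s time-out:", simulate_flood(75.0))   # (False, 225): legitimate client refused
    print("0.1 s time-out:", simulate_flood(0.1))   # (True, 0): backlog keeps draining
```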
PING Attack
ICMP ECHO Flooding

[Figure: the Hacker on a T-1 link sends packets 1 to n across the Internet to a Target on a 128K link]
Ping Attack
The Hacker sends an ICMP Echo request to the target expecting an ICMP Echo reply to be returned for each request.
The hacker, because of the higher bandwidth, can send more requests than the target can handle.
Countermeasures
No known defense
SMURF Attack
ICMP ECHO Flooding

[Figure: the Hacker sends one Echo Request to a bounce network across the Internet; every station returns an Echo Reply to the Target]
SMURF Attack
The Hacker sends an ICMP Echo request to the target network with a destination broadcast address and a spoofed source address of the target.
The network serves as a "bounce site" and returns an Echo Reply for each station on the network.
The network serves to multiply the effect of the "ping". The Echo Request could be sent to multiple networks.
Countermeasures
Disable IP-directed broadcasts at your router.
Configure the workstation not to respond to an IP broadcast packet.
DoS LAND Attack
• In a LAND attack a crafted SYN packet is sent in which the source IP address and port number are the same as the destination IP address and port, causing some implementations of TCP/IP to allocate excessive resources, slow down and eventually reboot or hang.
Ping O' Death Attack
ICMP ECHO Request Attack

[Figure: the Hacker on a T-1 link sends packets larger than 65,536 bytes across the Internet to a Target on a 128K link]
Ping o' Death Attack
ICMP, an integral part of IP, is utilized to report network errors.
PING (Packet InterNet Grouper) utilizes ICMP Echo and Reply packets to test host reachability.
ICMP messages normally consist of the IP Header and enclosed ICMP data with a default size of 64 bytes.
If the Hacker sends an ICMP Echo request that is greater than 65,536 bytes, this can crash or reboot the system.
A newer attack method modifies the header to indicate that there is more data in the packet than there actually is.
Countermeasure
Router updates that check the size of the ICMP packet.
Block PING (ICMP) traffic at the Firewall.
Other DOS Attacks
• Papasmurf: A combination of Smurf and Fraggle.
• Land: A spoofed packet where Source IP = Destination IP and Source Port = Destination Port.
• Latierra: A Land relative that sends multiple Land packets to multiple ports.
• Jolt2: A stream of packet fragments none of which have an offset of zero.
• Winnuke: Sends out-of-band packets to port 139 on the victim's machine.
Distributed Denial of Service Attacks (DDoS)
General
DOS is designed to bring down a network or a computer by overloading it with large amounts of network traffic using TCP, UDP or ICMP.
Past attacks came from a single source and were relatively easy to detect.
Current attacks use distributed system tools such as Trinoo and TFN.
Distributed DOS tools launch simultaneous attacks from multiple computer systems at individual or multiple targets.
They are almost impossible to track to the source.
Common DDoS Types
Trinoo/WinTrinoo
• The earliest DDoS tool.
• Initiates a UDP flood attack.
• Communicates between Master and Agents with unencrypted TCP/UDP.
• Root access is not needed to launch the attack.
Tribe Flood Network (TFN)/TFN2K
• Employs Smurf, UDP, ICMP and TCP SYN floods.
• Communicates between Master and Agents with ICMP_ECHO REPLY packets.
• Commands are sent as part of the ICMP ID field.
• The Agent is silent and does not reply to the Master. The Master sends commands to the Agent.
• Agent host root or Administrator privileges are required.
Fragmentation Attacks
• Teardrop Attack
• Fragment Overflow Attack

Teardrop Attack
• A Teardrop attack involves sending two IP fragments, the second contained entirely within the first, causing the server to allocate too much memory and crash.
• Many implementations of TCP/IP cannot handle this behavior.
[Figure: IP header layout (VERS, HLEN, TOS, Total Length, Identification, Flags, Fragment Offset, TTL, Protocol, Checksum, Source and Destination IP Address, IP Options), UDP header (source and destination port 53, message length, checksum) and Ethernet frame (preamble, destination and source address, type, IP header, UDP header, data, FCS)]
[Figure: Teardrop fragments. Hacker MTU = 1500, intermediate MTU = 512, Target MTU = 1500. Fragment 1: TL 512, ID 26313, DF 0, MF 1, OS 0 (512 bytes). Fragment 2: TL 32, ID 26313, MF 0, offset falling inside fragment 1 (32 bytes)]
Teardrop Attack Concept
This attack takes advantage of a bug in the IP fragmentation reassembly code. The code checks for a fragment length that is too large but not for a fragment length that is too short. The attack is directed toward NT, WIN 95 and Linux boxes.
Encapsulate a UDP packet inside an IP packet.
Spoof the source IP address and port.
Create two specially constructed IP fragments:
The first packet has OS = 0, MF = 1 and a size of N.
The second packet has OS < N, MF = 0 and a size < N.
NT/WIN 95 can normally withstand 5-10 pair attacks before it crashes or reboots.
Fixes have been posted by Microsoft.
Fragment Overflow Attack

[Figure: IP header with the 16-bit Total Length and Identification fields, the DF and MF flags and the 13-bit Fragment Offset highlighted]
Attack Method
The IP Data Length field is 16 bits, so each datagram can have a maximum size of 65515.
Intermediate routers can fragment the datagram based upon the MTU of the next network.
The MF flag set to 0 indicates the last packet.
If the receiving station never receives a last packet, it keeps allocating buffer space until an overflow occurs and the system crashes.
Countermeasures
No known defense
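As an added example, not from the original deck, covering both the Teardrop concept and the fragment overflow method above: the two checks a reassembler needs, rejecting a fragment that lies entirely inside an earlier one (the "too short" case the buggy code missed) and bounding how long and how much incomplete datagram data is buffered. The budget and time-out values are constructed, as are the sample fragments.

```python
"""IP fragment reassembly checks for the Teardrop and fragment-overflow cases (constructed)."""
from dataclasses import dataclass, field

MAX_DATAGRAM = 65535        # IP Total Length is a 16-bit field
MAX_PENDING_BYTES = 262144  # illustrative cap on fragment data buffered across all datagrams
REASSEMBLY_TIMEOUT = 30.0   # seconds an incomplete datagram is held before being discarded


@dataclass(frozen=True)
class Fragment:
    ident: int    # IP Identification, shared by every fragment of one datagram
    offset: int   # fragment offset in bytes (the wire field counts 8-byte units)
    more: bool    # MF flag: True for every fragment except the last
    length: int   # payload bytes carried by this fragment


def fragment_error(accepted, frag):
    """Reason to drop `frag`, given fragments already accepted for the same ID, or None."""
    if frag.length <= 0:
        return "empty fragment"
    if frag.offset % 8:
        return "offset not a multiple of 8"
    end = frag.offset + frag.length
    if end > MAX_DATAGRAM:
        return "fragment runs past the 65535-byte datagram limit"
    for prev in accepted:
        # Teardrop: the new fragment sits entirely inside an earlier one; a reassembler that
        # only trims the front of an overlap computes a negative copy length here
        if frag.offset >= prev.offset and end <= prev.offset + prev.length:
            return "fragment entirely contained in an earlier fragment (teardrop)"
    return None


@dataclass
class Reassembler:
    pending: dict = field(default_factory=dict)  # ident -> (first_seen, [fragments])
    dropped: list = field(default_factory=list)  # (ident, reason): feed this to detection

    def buffered(self):
        return sum(f.length for _, frags in self.pending.values() for f in frags)

    def add(self, frag, now):
        """Return the datagram length once its last piece arrives, otherwise None."""
        first_seen, frags = self.pending.get(frag.ident, (now, []))
        reason = fragment_error(frags, frag)
        if reason is None and self.buffered() + frag.length > MAX_PENDING_BYTES:
            # fragment overflow: a sender that never sends MF=0 must not grow buffers forever
            reason = "reassembly buffer budget exhausted"
        if reason:
            self.dropped.append((frag.ident, reason))
            return None
        frags.append(frag)
        self.pending[frag.ident] = (first_seen, frags)
        if any(not f.more for f in frags):
            total = max(f.offset + f.length for f in frags)
            if sum(f.length for f in frags) == total:  # contiguous: no gaps, no overlaps
                del self.pending[frag.ident]
                return total
        return None

    def expire(self, now):
        """Discard datagrams held longer than REASSEMBLY_TIMEOUT; return how many."""
        stale = [i for i, (t, _) in self.pending.items() if now - t >= REASSEMBLY_TIMEOUT]
        for i in stale:
            del self.pending[i]
            self.dropped.append((i, "reassembly timeout"))
        return len(stale)
```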
Spoofing Attacks
• IP Spoof
• TCP Sequence Attack
• ARP Spoof
• ICMP Spoof
• RIP Spoof
IP Spoof Attack
The IP spoof attack is really a trust-relationship exploitation. A trusted relationship only requires IP address based authentication.
The attack is composed of several components:
1. Identify a host target.
2. Identify a host with a trusted relationship with the target.
3. Execute a Denial of Service attack against the trusted host (e.g., a TCP SYN attack).
4. Sample and guess the TCP sequence number of the target.
5. Impersonate the trusted host and attempt a connection that only requires address based authentication.
IP SPOOFING

[Figure: 1. The Hacker assumes source address 181.10.13.1 in order to fool the screening Router by appearing to reside on the internal network (a trusted host). The packet (From: 181.10.13.1, To: 181.10.10.2) REALLY comes from the hacker but APPEARS to come from 181.10.13.1. 2. The Screening Router (NET: 181.10.10.0) is fooled into believing that this packet is coming from an internal address; the Target is 181.10.10.2 and the trusted network is NET: 181.10.13.0.]
Countermeasure
This attack can be defeated by filtering on both the input and output ports of the Firewall.
DNS Attacks
• DNS Cache Poisoning
DNS Attacks

[Figure: Host.Target.Com and DNS.Server.Com on one side of the Internet, DNS.Bad.Com and Hacker.Bad.Com on the other]
Background
1. The DNS Server:
Translates hostnames into IP addresses.
Translates IP addresses into hostnames.
Provides host information, etc.
2. There are three main categories of DNS servers:
primary: There is only one primary server for each domain. All domain data is derived from this server. It is loaded by the Domain Administrator. The primary server is authoritative.
secondary: There can be more than one secondary server per domain. It acts as a backup to the primary. The domain database is transferred, by zone file transfer, from the primary to the secondary on a scheduled basis.
cache-only: These servers acquire their information from other name servers and cache it. These servers are non-authoritative.
DNS Attacks
Possible Attacks.
Poison the DNS cache.
Poison the Name Server.
Imitate the Name Server.
Background Contd
3. The DNS server does this by maintaining the following files:
named.hosts: The zone file that maps host names into IP addresses.
named.rev: The reverse zone file that maps IP addresses into host names.
named.ca: Addresses pointing to the root domain servers.
named.local: The loopback address, 127.0.0.1.
named.boot: Contains the named parameters and points to the source of the domain database information.
4. The local DNS server maintains a cache of its most recent queries.
It examines this cache first to see if it already knows the answer.
If not, it forwards the query to other DNS servers for an answer.
Upon receiving the answer it updates its DNS cache and forwards the response to the client.
Attack 1: DNS Cache Poisoning - The Seed

[Figure: (1) "What is the IP address of Unknown.Bad.Com?" (2) "What is the IP address of www.anyone.com?" (3) "What is the IP address of www.anyone.com?" (4) "The IP address of www.anyone.com is 127.0.0.1!" exchanged between Hacker.Bad.Com, DNS.Server.Com and DNS.Bad.Com across the Internet, with Host.Target.Com beside DNS.Server.Com]
1. Hacker.bad.com sends a recursive query to DNS.server.com requesting the IP address of unknown.bad.com.
2. DNS.server.com is not authoritative for this domain so it queries DNS.bad.com. The Hacker is monitoring this query to determine the recursive query ID. The Hacker needs this ID to fool the DNS server into taking the poison.
3. Hacker.bad.com submits a query to DNS.server.com looking for the address of www.anyone.com.
4. The hacker immediately spoofs the reply with a response of www.anyone.com = 127.0.0.1. This seeds the DNS server. The IP address could be any address specified by the Hacker.
Attack 1: DNS Cache Poisoning - The Spoof

[Figure: Host.Target.Com asks DNS.Server.Com "What is the IP address of www.anyone.com?" and is told "The IP address of www.anyone.com is 127.0.0.1!"]
1. Target.good.com sends a query to DNS.server.com wanting to connect to www.anyone.com.
2. DNS.server.com responds with the address in the poisoned cache.
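As an added example, not from the original deck: the checks a resolver applies before caching a reply, which defeat both halves of the seed above (a www.anyone.com record smuggled into the answer for unknown.bad.com, and a blindly spoofed reply with a guessed query ID). The server addresses and the server-to-zone mapping are constructed.

```python
"""Resolver-side acceptance checks for DNS replies (constructed example)."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    txid: int        # 16-bit transaction ID, must echo the query
    dst_port: int    # UDP port the reply is sent to (the resolver's query source port)
    src_ip: str      # address the reply claims to come from
    qname: str       # question section echoed from the query
    answers: tuple   # (owner name, IP address) pairs in the answer section


class Resolver:
    def __init__(self, server_zones):
        self.server_zones = server_zones  # authoritative server IP -> zone it may answer for
        self.cache = {}                   # name -> IP
        self.pending = {}                 # (txid, port) -> (qname, server_ip)
        self.rejected = []                # reasons, for logging and alerting

    def send_query(self, qname, server_ip):
        """Issue a query with a random 16-bit ID and a random source port, so a blind
        spoofer has to guess roughly 32 bits instead of 16."""
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(64512)
        self.pending[(txid, port)] = (qname.lower(), server_ip)
        return txid, port

    def _reject(self, reason):
        self.rejected.append(reason)
        return 0

    def receive(self, reply):
        """Cache answers only from a reply that matches an outstanding query on ID, port,
        source address and question, and only records inside the queried server's zone.
        Returns the number of records cached."""
        key = (reply.txid, reply.dst_port)
        if key not in self.pending:
            return self._reject("no outstanding query with this ID and port")
        qname, server_ip = self.pending[key]
        if reply.src_ip != server_ip:
            return self._reject("reply from an address that was not queried")
        if reply.qname.lower() != qname:
            return self._reject("question section does not match the query")
        del self.pending[key]
        zone = self.server_zones[server_ip]
        cached = 0
        for owner, ip in reply.answers:
            owner = owner.lower()
            # bailiwick check: dns.bad.com may speak for *.bad.com, never for www.anyone.com
            if owner != zone and not owner.endswith("." + zone):
                self._reject(f"out-of-bailiwick record for {owner} ignored")
                continue
            self.cache[owner] = ip
            cached += 1
        return cached
```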
Sniffer Attack
Concept
Ethernet operates in a broadcast mode. Each station looks for its physical address.
The Hacker can operate a Sniffer on the Ethernet LAN in promiscuous mode to look for:
Unencrypted passwords
Encrypted passwords
Private data
Financial information (account numbers)
Low-level protocol information
A Sniffer attack is normally a prelude to other types of attack.
Countermeasures
Segment the LANs.
Encrypt the passwords with a timestamp.
Zero-knowledge authentication (card, ring, etc.)

[Figure: Host A Telnets to Host B with its User Name and Password; the Hacker steals the password for later use.]
FTP Bounce Attack
FTP CONNECTION EXAMPLE

[Figure: FTP Client (ports 4140 and 4141) and FTP Server (ports 21 and 20); command channel, "OK" acknowledgements and Data Channel]
Normal FTP Connection
1. The Client opens an FTP command channel to the server (Port 21) and tells the server its data port number (Port 4141).
2. The server acknowledges the request.
3. The server opens the data channel (Port 20) to the client's data channel (Port 4141).
4. The client acknowledges this connection.
The Attack Concept.
1. The PORT command has the form n1,n2,n3,n4,n5,n6.
2. It carries the client IP address (n1.n2.n3.n4) and port (n5 x 256 + n6).
FTP CONNECTION EXAMPLE Contd

[Figure: active connection, the client announces "Port 4141" and the server opens the Data Channel from Port 20; passive connection, the client sends "PASV", the server answers "OK 2266" and the Data Channel is opened to Port 2266 (client side shown as Port 4141)]
Passive FTP Connection
The Client opens an FTP command channel to the server (Port 21) in passive mode.
The server acknowledges the passive mode and allocates Port 2266 to be the client's data channel.
The client opens the data channel from its data
FTP Bounce Attack Concept

[Figure: Hacker Server, Bounce Server and Target Server; the Hacker can reach the Bounce Server but not the Target Server]
A world-writable directory is available to the incoming ftp connection.
The Hacker can open an ftp passive mode on her server.
The Hacker cannot access the Target server.
The hacker can perform the ftp passive mode on her machine.
The Target Server will allow a connection from the Bounce Server.
FTP Bounce Attack - Phase 1
The Hacker opens an ftp connection to her server.
She changes to a writable directory and issues an ftp "pasv" command and an ftp "stor" command.
She remembers the IP address and port (H,H,H,H,P,P) returned by the "pasv" command.
She constructs a file called "retrevit" containing a series of ftp commands that will:
Sign onto the Target Server.
Change the directory to the desired file.
Use the FTP PORT command to specify the IP address and port (H,H,H,H,P,P) of the Hacker Server.
FTP Bounce Attack - Phase 2
She opens an ftp command connection to the Bounce Server, logs in anonymously and changes to a world-writable incoming directory.
She then:
Transfers the file "retrevit" to the Bounce Server,
Opens a port to the target and issues the command "retrevit".
This series of commands opens a port to the target server and executes the ftp commands contained in the "retrevit" file.
The commands contained within "retrevit" specify that a connection should be established to the IP address and port (H,H,H,H,P,P) of the Hacker Server and that the desired files should be downloaded to the Hacker Server.
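As an added example, not from the original deck: the server-side check on the PORT command that stops an FTP server being used as the Bounce Server described above, namely refusing a data connection to any address other than the control connection's own peer, or to a privileged port. Addresses and the sample command lines are constructed; the port arithmetic is the n5 x 256 + n6 rule from the slide.

```python
"""Server-side validation of the FTP PORT command (constructed example)."""
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
                     re.IGNORECASE)


def parse_port(line):
    """Decode 'PORT n1,n2,n3,n4,n5,n6' into ('n1.n2.n3.n4', n5 * 256 + n6)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("malformed PORT command")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("PORT value out of range")
    return f"{n[0]}.{n[1]}.{n[2]}.{n[3]}", n[4] * 256 + n[5]


def check_port_command(line, control_peer_ip):
    """Return (accepted, reason). The data connection may only go back to the host that owns
    the control connection, and only to an unprivileged port, so the server cannot be told
    to connect to a third party (the bounce) or to a service port such as 25 or 21."""
    try:
        ip, port = parse_port(line)
    except ValueError as exc:
        return False, str(exc)
    if ip != control_peer_ip:
        return False, f"PORT address {ip} is not the control peer {control_peer_ip} (bounce attempt)"
    if port < 1024:
        return False, f"PORT {port} is a privileged port"
    return True, f"data connection to {ip}:{port} accepted"


def handle_session(control_peer_ip, commands):
    """Run a client's command lines through the check; return the per-PORT verdicts and a
    flag telling the operator whether any bounce attempt was seen in the session."""
    verdicts = [check_port_command(c, control_peer_ip)
                for c in commands if c.upper().startswith("PORT")]
    bounce_seen = any("bounce" in reason for ok, reason in verdicts if not ok)
    return verdicts, bounce_seen
```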
Web Attacks
• Cross-Site Scripting
• SQL Injection
• Directory Traversal
• Command Injection
• Malicious Code Execution
Cross-Site Scripting
• Cross-site scripting attacks place malicious code in locations where other users see it. The intention of the attack is to steal cookies that contain user identities and credentials, or to trick users into supplying their credentials to the attacker.
• Many web sites use cookies to store information about users. Cookies contain identifying information such as username and password. A hacker may want to steal cookies in order to illegally use someone else's identity.
• When someone browses to a web site to view a page, they send the web server an HTTP request that contains their cookie. The web server usually keeps cookies for only a short time.
XSS
• Many web sites contain forms, which are used to post information such as names and addresses, or comments on bulletin boards. The hacker can inject scripting code into the vulnerable web server using the forms.
• Scripting code includes tags such as <SCRIPT>. The code can instruct the server to send its cookies to another location, such as another web site (hence the name: Cross Site Scripting), where the hacker can see the cookies. These cookies might contain the login credentials.
XSS
• Another variety of Cross-site scripting attack does not steal cookies, but rather dupes the victim into supplying his or her credentials. The attacker enters scripting code into a form. When a user accesses that form, the script causes a popup form to appear that asks the victim to supply his or her details. The form sends those details to the attacker.
• Instead of targeting holes in your server's operating system or web server software, the attack works directly against the users of your site. It does this by tricking a user into submitting web scripting code (JavaScript, JScript, etc.) to a dynamic form on the targeted web site. If the web site does not check for this scripting code it may pass it verbatim back to the user's browser, where it can cause all kinds of damage.
XSS
• Consider the following URL:
http://www.example.com/search.pl?text=<script>alert(document.cookie)</script>
• If an attacker can get us to select a link like this and the Web application does not validate input, then our browser will pop up an alert showing our current set of cookies. This particular example is harmless; an attacker can do much more damage, including stealing passwords, resetting your home page, or redirecting you to another Web site.
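As an added example, not from the original deck: the slide's search URL handled by a script that reflects the `text` parameter verbatim, beside one that encodes it on output, plus the cookie attribute that keeps a session cookie out of document.cookie. The render functions and cookie name are constructed; search.pl is the script name from the slide.

```python
"""The slide's search URL rendered without and with output encoding (constructed example)."""
import html
from urllib.parse import parse_qs, urlsplit

SLIDE_URL = "http://www.example.com/search.pl?text=<script>alert(document.cookie)</script>"


def search_term(url):
    """Extract the `text` parameter exactly as the server-side script receives it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("text", [""])[0]


def render_vulnerable(term):
    # reflects the parameter verbatim, so the browser parses <script> as markup and runs it
    return f"<p>Results for: {term}</p>"


def render_escaped(term):
    # < > & " ' become entities; the same input is displayed as text, not executed
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def session_cookie_header(name, value):
    """HttpOnly keeps the cookie out of document.cookie, the very thing the slide's payload
    reads; Secure keeps it off cleartext connections. Defence in depth, not a substitute
    for escaping the output."""
    return f"Set-Cookie: {name}={value}; HttpOnly; Secure"
```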
SQL Injection
• In an SQL injection attack the attacker can execute commands through forms or as part of a URL.
• With SQL, the CGI inserts the input data into a string which is then submitted to an SQL server. The attack is to add characters to the input so that extra SQL commands are performed, or so the action is done on more database entries than expected.
• Example: the web address www.example.com/article.asp/id=2 has file, parameter and value fields.
SQL Injection
• In this case the script may accept only numeric values. If a letter is sent instead, the script should reject the request. Not doing so means malicious commands can make it to the database.
• The commands can be an SQL query, and based on the result of the query the attacker can proceed with other queries.
• The attacker can also bypass login.
SQL Injection
• Start with a single quote trick. Input something like hi' or 1=1-- into the login, the password, or even the URL. Example:
- Login: hi' or 1=1--  Pass: hi' or 1=1--  http://duck/index.asp?id=hi' or 1=1--
If you must do this with a hidden field, just download the source HTML from the site, save it to your hard disk, and modify the URL and hidden field accordingly.
SQL Injection
• <FORM action=http://duck/Search/search.asp method=post>
  <input type=hidden name=A value="hi' or 1=1--">
  </FORM>
• If luck is on your side, you will get logged in without any login name or password.
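As an added example, not from the original deck: the slide's hi' or 1=1-- input run against a login query built by string concatenation and against the same query with bound parameters, plus the numeric-only check for the article.asp?id= case. An in-memory SQLite database with constructed rows stands in for the site's database.

```python
"""The slide's  hi' or 1=1--  input against string-built SQL and against a parameterized
query (constructed example; in-memory SQLite stands in for the site's database)."""
import sqlite3

PAYLOAD = "hi' or 1=1--"   # the single-quote trick from the slide


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    db.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])  # constructed sample rows
    return db


def login_vulnerable(db, name, password):
    """Builds the WHERE clause by concatenation, as the slide's CGI script does. The payload
    closes the quote, appends  or 1=1  and comments out the password test with --."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return sorted(row[0] for row in db.execute(sql))


def login_safe(db, name, password):
    """Same query with bound parameters: the input is data, never part of the SQL text."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in db.execute(sql, (name, password)))


def user_by_id(db, raw_id):
    """The article.asp?id= case: a parameter that should only ever be numeric is rejected
    before it reaches the database, and is still bound rather than pasted into the query."""
    if not raw_id.isdigit():
        raise ValueError("id must be numeric")
    return [row[0] for row in db.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),))]
```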
Command Injection
• Command injection attacks allow a remote attacker to execute operating system commands disguised as a URL or form input to the web server. A successful system command execution can provide a remote attacker with administrative access to a web server. This could result in damage such as defacement of the web site, data theft or data loss.
• Commands are injected through the HTTP request using encoded characters, e.g. %20%ls%0x81
Directory Traversal
• The attacker tries to access files and folders he is not supposed to access, and may run malicious code, simply by typing path components that climb past the root directory, e.g. www.example.com/abc/Newuser?Image=../../database/rbsserv.mdb
• He can also try encoded characters, e.g. http://<HOST>/............/autoexec.bat%5%2%a% etc.
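As an added example, not from the original deck: resolving a requested file name such as the slide's Image parameter against the web root so that ../ sequences, including the percent-encoded and double-encoded forms mentioned above, are refused instead of escaping the root. The document root is constructed.

```python
"""Resolving a requested file name against the web root (constructed example)."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"   # constructed document root


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) a bounded number of times, so a
    filter that only looks at the raw request cannot be slipped past by encoding twice."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_path(requested, root=WEB_ROOT):
    """Return the absolute path for `requested`, or None. Anything that tries to climb out of
    the root is refused rather than silently clamped, so the attempt can also be logged."""
    decoded = decode_fully(requested)
    if "\x00" in decoded or "\\" in decoded:
        return None                      # NUL truncation and backslash separators: refuse
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        return None                      # the slide's ../../database/rbsserv.mdb case
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # belt and braces: the result must still sit under the root
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```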
Defense
• Block <SCRIPT> tags.
• Form input should be validated before being passed to the database.
• An invalid value should not give information about what was wrong with the input.
• Non-ASCII characters should be blocked.
• Block unsafe HTTP methods such as DELETE, OPTIONS and TRACE.
Links
• http://www.antiserver.it/Cisco-Exploit/
• http://staff.washington.edu/dittrich/misc/ddos/
• http://www.extropia.com/tutorials/sql/toc.html
• http://www.l0t3k.org/security/tools/packetgenerator/
• http://www.zone-h.org/en/download/category=52/
• Some tools used: Hping, SendIP, Retina Scanner, Nmap, Nessus, Nstealth, Web Sleuth, Webinject, Netcat
• Some other tools: John the Ripper, L0phtCrack, Legion, SubSeven.