Page 1: Network Attacks

CS432 - Security in Computing

Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University

Page 2: References

Security in Computing, 4th Ed., Chapter 7 (pgs. 408-440)

Page 3: Section Overview

Anatomy of an Attack
Denial of Service Attacks
Packet Sniffing
Service Attacks
Spoofing Attacks

Page 4: Why are Networks Vulnerable?

Reliance on shared resources
System Complexity
Unknown perimeter
Many points of attack
Attacker anonymity
Multiple paths to hosts

Page 5: Anatomy of an Attack

Footprinting
Scanning
Enumeration
Gaining Access
Escalating Privilege
Pilfering
Covering Tracks
Creating Back Doors
Denial of Service

Source: Hacking Exposed: Network Security: Secrets and Solutions, by S. McClure, J. Scambray, and G. Kurtz

Page 6: Denial of Service Attacks

ICMP Redirects
SYN Flooding
Smurf Attacks
Service Bombing
  FTP
  Finger
  Mail Bombing
Service Bugs
  Ping o' Death
  WinNuke
  Teardrop
Distributed DoS
Targets may be Upstream

Page 7: SYN Flood Attack

Client                                   Server
  SYN(C, ISN_c)                    -->
                                   <--   SYN(S, ISN_s) ACK(C, ISN_c)
  SYN(C, ISN_c)                    -->
                                   <--   SYN(S, ISN_s) ACK(C, ISN_c)
  SYN(C, ISN_c)                    -->
                                   <--   SYN(S, ISN_s) ACK(C, ISN_c)
  SYN(C, ISN_c)                    -->
                                   <--   SYN(S, ISN_s) ACK(C, ISN_c)

Server never gets ACKs to its SYN: half-open connections
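The slide shows why the missing third ACK matters: each unanswered SYN/ACK occupies a slot in the server's half-open table until a timeout fires. The model below is an added example, not part of the lecture; the backlog size, timeout and 203.0.113.x / 198.51.100.x addresses are constructed values, and nothing in it sends packets.

```python
from collections import OrderedDict

class SynBacklog:
    """Model of a server's half-open connection table (constructed for this
    example): a SYN takes a slot, which is freed only by the client's final
    ACK or by a timeout."""

    def __init__(self, max_half_open, timeout):
        self.max_half_open = max_half_open
        self.timeout = timeout
        self.half_open = OrderedDict()   # (client ip, port) -> time SYN/ACK was sent
        self.dropped = 0

    def on_syn(self, client, now):
        self.expire(now)
        if len(self.half_open) >= self.max_half_open:
            self.dropped += 1            # table full: this SYN gets no SYN/ACK at all
            return False
        self.half_open[client] = now     # server answers SYN(S, ISN_s) ACK(C, ISN_c)
        return True

    def on_ack(self, client):
        # The third handshake step completes the connection and frees the slot.
        return self.half_open.pop(client, None) is not None

    def expire(self, now):
        for client, sent_at in list(self.half_open.items()):
            if now - sent_at >= self.timeout:
                del self.half_open[client]

def simulate_flood(backlog=128, timeout=60.0, flood_syns=500):
    """Returns (dropped, legit_accepted_during_flood, legit_accepted_after_timeout,
    half_open_at_end) for a constructed flood of SYNs whose sources never ACK."""
    table = SynBacklog(backlog, timeout)
    for i in range(flood_syns):
        table.on_syn(("203.0.113.%d" % (i % 256), 40000 + i), now=0.0)
    legit_during = table.on_syn(("198.51.100.7", 51000), now=1.0)
    # Once the timeout reaps the stale half-open entries, service resumes.
    legit_after = table.on_syn(("198.51.100.7", 51001), now=timeout + 1.0)
    table.on_ack(("198.51.100.7", 51001))
    return table.dropped, legit_during, legit_after, len(table.half_open)
```

With the defaults, 128 flood SYNs fill the table, the remaining 372 and the legitimate client are dropped, and only after the 60 s timeout does a new connection succeed.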

Page 8: IP Address Spoofing

Replace actual source address in IP packets
Prevent packets from being traced back
Exploit IP address-based trust relationships

Page 9: Smurf Attacks

Attacker: 172.21.0.35
  Ping 10.1.1.255 (spoof source: 192.168.1.7)
10.1.1.0/24 Network: every host answers the broadcast ping
Spoofed source 192.168.1.7 receives all the replies

Page 10: Distributed DoS Attacks

Intruder -> Master (several) -> Z (many zombie hosts) -> Victim

Source: Results of the Distributed Intruder Tools Workshop

Page 11: Impersonation Attacks

Social Engineering
Cracked Passwords
Stolen Passwords
  Sniffed
  Phishing
Berkeley R-Commands

Page 12: Packet Sniffing

Promiscuous mode
  See every packet as it crosses the network
  Transparent
Capture account passwords
Read email
Analyze network traffic

Page 13: Network Hubs vs. Switches

Hub: everyone can see traffic
Switch: virtual circuit between pair

Page 14: Switch Attacks

MAC Flooding – switch will act like hub
ARP Spoofing
  Hosts: 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4
  Request: Who is 10.0.0.1?
  Spoofed reply: I am (1:2:3:7:8:9)

Page 15: Wireless Networking

Bandwidth (shared)
  802.11b – 11Mbps
  802.11g – 54Mbps
  802.11n – 600Mbps (coming soon!)
Modes
  Ad Hoc (hosts talk directly to each other)
  Infrastructure (uses Access Points)
Identified by Service Set ID (SSID) names

Page 16: Infrastructure Model

Diagram label: Internet

Page 17: SSID Broadcasts

SSID: linksys
SSID: belkin54g
SSID: Cisco

Page 18: Default SSIDs

Page 19: Wireless Network Access Control

Only allow known systems to connect
Every wireless NIC has a unique address
  Known as the MAC address
  Assigned by vendor
  BSSID: MAC address of Access Point
Access Control List
MAC Spoofing?

Page 20: Wardriving

Page 21: High Power Mode

450ft = 40 houses, 4 streets

Page 22: Low Power Mode

150ft = 6 houses, 1 street

Page 23: WEP Authentication

Client                                    Access Point
  Request to Connect                -->
                                    <--   Challenge Plaintext
  Plaintext encrypted with WEP Key  -->   (checked with the same WEP Key)
                                    <--   Access Granted

Page 24: WEP Frame

Plaintext = Message || CRC
Keystream = RC4(IV, WEP Key)
Ciphertext = Plaintext XOR Keystream
Transmitted frame: IV | ID | Ciphertext

Page 25: WEP Attacks

Initial connection sniffing
IV Reuse
  Look for IV collisions
  Some APs reset IV to 0 each time system is (re)initialized
  IV Dictionary Attacks
Injection attacks with known plaintext
Wi-Fi Protected Access / 802.11i

Page 26: IV Reuse Occurrences

1% after 582 encrypted frames
10% after 1,881 encrypted frames
50% after 4,823 encrypted frames
99% after 12,430 encrypted frames

Source: Jesse R. Walker, IEEE P802.11 Wireless LANs: Unsafe at any key size
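The frame counts on this slide are the birthday bound applied to the IV field, and the "look for IV collisions" and "reset IV to 0" bullets on the previous slide describe what that bound means on the wire. The block below is an added example, not from the lecture or Walker's paper; it assumes the 24-bit WEP IV width (a fact about WEP, not stated on the slide) and uses a constructed IV sequence.

```python
import math

IV_BITS = 24                 # width of the WEP IV field (fact about WEP, not on the slide)
IV_SPACE = 2 ** IV_BITS      # 16,777,216 distinct IVs

def collision_probability(n, space=IV_SPACE):
    """Probability that at least two of n IVs chosen uniformly at random
    coincide: the birthday bound 1 - exp(-n(n-1)/2N)."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))

def frames_until(prob, space=IV_SPACE):
    """Smallest number of frames n with collision_probability(n) >= prob."""
    n = max(2, int(math.sqrt(-2.0 * space * math.log(1.0 - prob))))
    while collision_probability(n, space) < prob:
        n += 1
    while n > 2 and collision_probability(n - 1, space) >= prob:
        n -= 1
    return n

def iv_collisions(ivs):
    """Index pairs (first, later) of frames that reuse an IV. Each such pair
    was encrypted under the same RC4 keystream, which is what 'look for IV
    collisions' amounts to for anyone watching the traffic."""
    first_seen = {}
    pairs = []
    for i, iv in enumerate(ivs):
        if iv in first_seen:
            pairs.append((first_seen[iv], i))
        else:
            first_seen[iv] = i
    return pairs

# Constructed IV stream: an AP that counts up from 0 and is rebooted after
# five frames, so the counter restarts and collides with its own earlier
# frames immediately instead of after thousands of frames.
RESET_AP_IVS = [0, 1, 2, 3, 4, 0, 1, 2]
```

Evaluating collision_probability at 582, 1,881, 4,823 and 12,430 frames reproduces the slide's 1%, 10%, 50% and 99% to within rounding, while the reset-to-0 stream collides on its sixth frame.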

Page 27: Replay Attacks

Diagram: an ARP Request is captured and the same ARP Request is replayed

Page 28: FMS Attack

Scott Fluhrer, Itsik Mantin, Adi Shamir
RC4 Matrix Initialization Weakness
  If a key is weak, keystream will contain some portions of key more than other combinations
  Statistical Analysis to find

Page 29: Temporal Key Integrity Protocol

TA, TSC and Base Key are mixed into a per-packet key PK
Keystream = RC4(IV, PK)
Ciphertext = (Message || CRC) XOR Keystream
Dictionary Attacks?

Page 30: Token-based Login Race Attack

Scott's session:             Attacker's session:
  Login: scott                 Login: scott
  Password: 42356              Password: 423569

Attacker guesses the last number and enters it before Scott can finish.

Page 31: Resource Sharing

May not need account to access files
Microsoft Shares
  Guest Shares
  Accounts
NFS Exports
Samba

Page 32: Service Exploits

Banner Grabbing/Vulnerability Scanners
Stack/Buffer Overflow
Backdoors
File Transfer Programs
  Anonymous FTP
  TFTP
  FTP Bounces

Page 33: FTP Bounces

Attacker -> Anonymous FTP Server with upload area: Upload Commands (File)
Attacker -> FTP Server: PORT address, port
Attacker -> FTP Server: RETR file
FTP Server -> Target Host: delivers the file to address, port

Trusted Hosts increase threat!!!

Page 34: CGI / Server Side Includes

Extends capabilities of web server
  External programs loaded by server
  Form processing
  Dynamically created pages
Runs with same access as web server
Susceptible to bugs and access exploits
User script dangers

Page 35: DNS Spoofing

DNS/ARP Cache Poisoning
Pharming
Trust-based access to other machines
  Berkeley R Commands
  Remote File systems (NFS/SMB)
Web Site Phishing
DNSSEC

Page 36: Man in the Middle Attack

Diagram label: Buy New CD

Page 37: Source Routing Attacks

Diagram: Trusted Host, Trusted Host, Attacker, routers (R)
  Attacker: DoS Trusted Host
  Attacker: address set to Trusted Host (IP Spoofing)
  Source routed connection request (sent under the spoofed address)
  Source routed response (returned along the specified route, so it reaches the Attacker)

Page 38: Session Hijacking

Diagram: User Host, Destination Host, Attacker

Attacker watches live sessions to record sequence numbers
Attacker DoS's User Host and IP spoofs packets to Destination using User Host's sequence numbers
Destination continues session as if nothing happened

Page 39: TCP Sequence Guessing

Diagram: Trusted Host, Target, Attacker, Router

Attacker attempts to connect to target many times and records sequence numbers
Attacker calculates sequence numbers which will be assigned for next connection
Attacker DoS's Trusted Host
Attacker spoofs address of trusted host and uses calculated sequence numbers (router passes trusted internal address)
Target runs command from spoofed trusted host
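Slides 38 and 39 both depend on a stack whose initial sequence numbers can be extrapolated from a few observed connections. The audit check below is an added example, not from the lecture: it takes ISNs recorded from successive connections to a host and reports whether they advance by a fixed step (predictable) or not. Both sample sets are constructed values, not real captures; the 64,000 step is chosen for illustration.

```python
SEQ_MODULUS = 2 ** 32   # TCP sequence numbers are 32 bits and wrap around

def isn_increments(isns):
    """Differences between the ISNs of successive connections, modulo 2^32."""
    return [(b - a) % SEQ_MODULUS for a, b in zip(isns, isns[1:])]

def predict_next_isn(isns):
    """If every observed increment is the same, the stack hands out ISNs as a
    fixed-step counter and the next one follows from the last. Fewer than two
    increments, or increments that vary, give no prediction (None)."""
    steps = isn_increments(isns)
    if len(steps) < 2 or any(step != steps[0] for step in steps):
        return None
    return (isns[-1] + steps[0]) % SEQ_MODULUS

# Constructed ISN samples (not real captures): a legacy stack that raises its
# ISN by a fixed 64,000 per connection, and a stack that randomizes each ISN.
FIXED_STEP_ISNS = [1_000_000, 1_064_000, 1_128_000, 1_192_000]
RANDOMIZED_ISNS = [0x3A1F09C2, 0x91E4B77D, 0x0C5D2A10, 0xF7321BE9]
```

A host whose ISNs yield a prediction here is the precondition the slide describes; a randomized stack returns None, and the modular difference keeps the check correct across the 2^32 wrap.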