Lesson 2 Network Security and Attacks - PowerPoint PPT Presentation

1 / 55
About This Presentation
Title:

Lesson 2 Network Security and Attacks

Description:

... ( 3-way Handshake ) The TCP Reset IP Address Spoofing IP Address Spoofing Session Hijacking SMB Server Message Block (SMB) ... – PowerPoint PPT presentation

Number of Views:206
Avg rating:3.0/5.0
Slides: 56
Provided by: Kauf
Category:

less

Transcript and Presenter's Notes

Title: Lesson 2 Network Security and Attacks


1
Lesson 2Network SecurityandAttacks
2
Computer Security Operational Model
Protection Prevention
(Detection Response)
Access Controls Encryption Firewalls
Intrusion Detection Incident Handling
3
Security Operational Model
  • Vulnerability Assessment Services
  • Vulnerability Scanners
  • Intrusion detection
  • Firewalls
  • Encryption
  • Authentication
  • Security Design Review
  • Security Integration Services
  • 24 Hr Monitoring Services
  • Remote Firewall Monitoring

4
Protocols
  • A protocol is an agreed upon format for
    exchanging information.
  • A protocol will define a number of parameters
  • Type of error checking
  • Data compression method
  • Mechanisms to signal reception of a transmission
  • There are a number of protocols that have been
    established in the networking world.

5
OSI Reference Model
  • ISO standard describing 7 layers of protocols
  • Application Program-level communication
  • Presentation Data conversion functions, data
    format, data encryption
  • Session Coordinates communication between
    endpoints. Session state maintained for
    security.
  • Transport end-to-end transmission, controls data
    flow
  • Network routes data from one system to the next
  • Data Link Handles passing of data between nodes
  • Physical Manages the transmission media/HW
    connections
  • You only have to communicate with the layer
    directly above and below

6
(No Transcript)
7
TCP/IP Protocol Suite
  • TCP/IP refers to two network protocols used on
    the Internet
  • Transmission Control Protocol (TCP)
  • Internet Protocol (IP)
  • TCP and IP are only two of a large group of
    protocols that make up the entire suite
  • A real-world application of the layered
    concept.
  • There is not a one-to-one relationship between
    the layers in the TCP/IP suite and the OSI Model.

8
OSI and TCP/IP comparison
OSI Model Application Presentation Session Tra
nsport Network Data-link Physical
TCP/IP Protocol Suite NFS FTP, Telnet, SSH,
SMTP SMB HTTP, NNTP RPC TCP,UDP
IP ICMP ARP Physical
Application-level protocols
Network-level protocols
9
Communication Between Two Networks Via the
Protocol Stack
A Windows Machine Sending data to a linux machine
Windows Machine on an Ethernet
Linux Machine on a FDDI Network
H
H
E M A I L
E M A I L
H
H
1
2
H
H
H
H
H
H
H
H
Email
Ethernet
FDDI
Packet is Transmitted Via Network Media
1
The Windows machine adds headers as the packet
traverses down the TCP/IP Stack from the sending
application.
2
The Linux machine removes headers as the packet
traverses up the TCP/IP Stack to the receiving
application.
10
TCP/IP Protocol Suite
User Process
User Process
User Process
User Process
TCP
UDP
IP
ICMP
IGMP
HW Interface
RARP
ARP
Media
11
TCP/IP Encapsulation
User Data
Email
1
Application
Application Header
User Data
Application Layer
2
TCP or UDP
TCP Header
Application Header
User Data
Transport Layer
Ethernet
3
IP
IP Header
TCP Header
Application Header
User Data
Network Layer
4
Ethernet Driver
Data Link Layer
5
12
IPv4 Header Layout
4 Bytes (32 Bits)
Version Length TOS Total Length

20 Bytes (160 Bits)
Identification Flags Offset
TTL Protocol Header Checksum
Source IP Address
Destination IP Address
Options
Data
13
IP Packet
4 8
16 19 32
Version
Length
Type of Srvc
Total Length
Identification
Flags
Fragment Offset
Time to live
Protocol
Header Checksum
Source
Address
Destination
Address

Options


Data

14
TCP Header Layout
4 Bytes (32 Bits)
Source Port
Destination Port
20 Bytes (160 Bits)
Sequence Number
Acknowledgement
Header Info
Window Size
TCP Checksum
Urgent Pointer
Options
Data
15
TCP packet
4 8
16 32
Source Port
Destination Port
Sequence Number

Acknowledgement
Number
Data offset
Unused
U A P R S F R C S S Y I G K H T NN
Window

Urgent Pointer
Checksum
Options
Padding

Data

16
Establishment of a TCP connection(3-way
Handshake)
17
Ports
18
UDP Header Layout
4 Bytes (32 Bits)
Source Port
Destination Port
8 Bytes (64 Bits)
Length
Checksum
Data
19
IP Centric Network
...
Layer 6/7 Applications
...
RETAIL
BANKING
B2B
MEDICAL
WHOLESALEl
Layer 5 Session
X
FTP
SNMP
SMTP
NFS
DNS
TFTP
NTP
Telnet
Windows
BGP
RIP
Layer 4 Transport
IGP
TCP
UDP
IGMP
ICMP
EGP
Layer 3 Network
IP
Layer 2 1 Data Link
Ethernet
802.5
802.4
802.3
X.25
SLIP
802.6
Frame
SMDS
Relay
Physical
IPX
ATM
Arcnet
PPP
Appletalk
20
Twenty-six years after the Defense Department
created the INTERNET as a means of maintaining
vital communications needs in the event of
nuclear war, that system has instead become the
weak link in the nations defense
USA
Today - 5 Jun 1996 True hackers don't give up.
They explore every possible way into a network,
not just the well known ones.
The hacker Jericho. By failing to
prepare, you are preparing to fail.
Benjamin Franklin
21
Typical Net-based Attacks -- Web
  • Popular and receive a great deal of media
    attention.
  • Attempt to exploit vulnerabilities in order to
  • Access sensitive data (e.g. credit card s)
  • Deface the web page
  • Disrupt, delay, or crash the server
  • Redirect users to a different site

22
Typical Net-based attacks -- Sniffing
  • Essentially eavesdropping on the network
  • Takes advantage of the shared nature of the
    transmission media.
  • Passive in nature (i.e. just listening, not
    broadcasting)
  • The increased use of switching has made sniffing
    more difficult (less productive) but has not
    eliminated it (e.g. DNS poisoning will allow you
    to convince target hosts to send traffic to us
    intended for other systems)

23
Defeating Sniffer Attacks
  • Detecting and Eliminating Sniffers
  • Possible on a single box if you have control of
    the system
  • Difficult (depending on OS) to impossible (if
    somebody splices network and adds hardware) from
    network perspective
  • Safer Topologies
  • Sniffers capture data from network segment they
    are attached to, so create segments
  • Encryption
  • If you sniff encrypted packets, who cares?
  • (outside of traffic analysis, of course)

24
Typical Net-Based Attacks Spoofing, Hijacking,
Replay
  • Spoofing attacks involve the attacker pretending
    to be someone else.
  • Hijacking involves the assumption of another
    systems role in a conversation already taking
    place.
  • Replay occurs when the attacker retransmits a
    series of packets previously sent to a target
    host.

25
Typical Net-Based Attacks Denial of Service
  • DOS and Distributed DOS (DDOS) attacks have
    received much attention in the media in the last
    year due to some high-profile attacks. Types
  • Flooding sending more data than the target can
    process
  • Crashing sending data, often malformed,
    designed to disable the system or service
  • Distributed using multiple hosts in a
    coordinated attack effort against a target system.

26
A Distributed DoS in Action
The Internet
27
The Attack Phase
The Internet
28
How CODE RED Works
29
How CODE RED Works
30
How CODE RED Works
31
How CODE RED Works
- Each new victim starts scanning process over
again - From 20th to EOM, primary target is
www.whitehouse.gov
32
How NIMDA Works
33
How NIMDA Works
tftp Admin.dll from attacking system (contains
NIMDA payload)
34
How NIMDA Works
Sends infected email attachment
NIMDA propagates via open file shares
Infected system scans network for vulnerable IIS
web servers
NIMDA attaches to web pages on infected server
35
How NIMDA Works
- NIMDA prefers to target its neighbors - Very
rapid propagation
36
Common Attacks
  • IP Spoofing
  • Session Hijacking
  • WWW Cracking
  • DNS Cache Poisoning

37
The TCP connection(3-way Handshake)
Client sends connection request, Specifying a
port to connect to On the server.
SYN
Server
client
Server responds with both anacknowledgement and
a queuefor the connection.
SYN/ACK
Server
client
Client returns an acknowledgementand the circuit
is opened.
ACK
Server
client
38
The TCP Connection in Depth
Server
Server
client
Server
client
39
The TCP Reset
40
IP Address Spoofing
41
IP Address Spoofing
DOS
42
Session Hijacking
43
SMB
  • Server Message Block (SMB)--an application
  • layer protocol that allows system resources
    to
  • be shared across networks
  • An old technology developed by MS and Intel
  • Several versions of authentication over network
  • Plaintext easy to sniff
  • LanMan stronger than Plaintext, uses PW hash
  • NTLM PW Hash Plus ciphertext

44
SMB RelayMan-in-the Middle Attack
Session Request
Session Request
Name OK
Name OK
Dialect
Dialect w/o NT4 security
Dialect Selection, Challenge
Dialect Selection, Challenge
Reply
Reply
Session OK
Session OK
Attacker forces weaker LANMAN authentication!
45
Windows Authenticaion LANMAN vs NTLMv2
46
WEB CRACKING
47
WEB CRACKING
48
SSL in Action
49
SSL in Action
50
SSL WEB CRACKING
51
DNS Cache Poisoning-Step 1
Dr. Evil
52
DNS Cache Poisoning-Step 2
Dr. Evil
Evil DNS
53
DNS Cache Poisoning-Step 3
Dr. Evil
Evil DNS
54
DNS Cache Poisoning-Step 4
Can I Bank With You?
Dr. Evil
Evil DNS
55
Summary
  • Threat is Real
  • Hard to Detect
  • A little understanding and situational Awareness
    can goes a long way to preventingand detecting
Write a Comment
User Comments (0)
About PowerShow.com