Intro to InfoSec Communication Protocols Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Today Into to new subject – communication protocols Common terminology Most useful protocols Tools of the trade.
Communication Protocols A network is just a bunch of devices communicating. There are all sorts of protocols out there today being used: 3GPP/GSM/SS7, TCP/IP, Ethernet, W/LAN, Bluetooth, ATM, HDMI, USB, etc. All protocols have been designed to serve different purposes, their purpose usually demands their structure and services they provide. Of course the most important of all is the Internet Protocol (IP).
Secured Communication Securing Transfer of Information is a problem of centuries. In the middle ages pigeons with notes were captured in order to intercept communication. Our computer systems are valuable because they can communicate. Can you find a computer disconnected from the internet ? Communications are an essential part of the security trust-base.
Communication compromise types
Communication denial types
Communication compromise types Eavesdropping - information leaves a device it can be intercepted. Man in the middle– communication is routed through a 3 rd party. Man on the side– eavesdropping information is used to for impersonation. Denial of Service (DoS). Distributed Denial of Service (DDoS). In other words, a hackers goals by priority is: o Divert traffic for man in the middle. o Eavesdrop on traffic.
Popular Communication Defenses Firewalls - used to protect against unwanted packets, limiting in advance to a set of rules of acceptable traffic only. VLAN – separate the network into different Virtual LAN, every virtual LAN is a different trust base segment. Needs to be carefully designed. End-to-End encryption, who cares what happens in between its all encrypted and most importantly authenticated/signed, eg. SSH, SSL. Intrusion Detection/Prevention Systems (IDS/IPS) – passively monitors data and looks for signs of “bad” behavior, and can then deny traffic.
Ethernet Destination (Media Acess Control ) MAC Address denotes the target device in the local network. If the MAC Address is FF:FF:FF:FF:FF:FF the message is broadcast to all devices in the local network.
IP
Typical IP Routing Scheme
TCP
Typical TCP Connection A is connecting to B using the 3-way hand-shake A sends a TCP-SYN from a random source port to a specific destination port (eg. Port 80 for HTTP) B replies with TCP-SYN+ACK from the source port 80 to the random destination port. A replies with an ACK. DATA is exchanged. A or B initiate a TCP-FIN to end the connection.
Our tools Wireshark – a spin-off from ethereal which started as a GUI interface for tcpdump. o Wireshark sniffs communications and records them in capture files.cap or.pcap o Has many modules supporting enormous amount of protocol types. o Straight-forward interface. Scapy – Another useful python module. o Also available for perl, don’t tell Itamar. ( o But we’ll use python anyhow.
Demos [Demo sniffing a cookie with wireshark. [Demo using scapy].
Wireshark – setup capture filter
Wireshark – capture filter Capture filter are very fast and tell wireshark which data to record.
Recording data Alternatively you can also record.pcap files with tcpdump. eg.: tcpdump –ni any –s 0 –w out.pcap Reading files is also possible with scapy: o from scapy.all import * o all_packets = rdpcap(“data01.pcap”)