Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)


Today
- ARP in a nutshell
- ARP Poisoning
- Ping reflection (smurf attack)
- MAC Flooding
- Detecting promiscuous hosts
- Ping / traceroute using other protocols
- Firewalking

ARP in a Nutshell
- ARP = Address Resolution Protocol
- A bridge between IP and Ethernet, which helps make a local network “work”
- Most important functionality – translate IP addresses to MAC addresses so we can actually send packets!
- Two major messages –
  o ARP request – “Who is at ?”
  o ARP reply – “ is at A1:B2:C3:D4:E5:F6”

ARP Poisoning
- To avoid making an ARP request before sending every IP packet, each host keeps a local cache.
- Another trick to avoid excessive ARP requests: every host sends a broadcast ARP reply when it comes online and at every interval, to let everyone know its MAC address (known as “Gratuitous ARP”).
- Most implementations are stateless by design, and will happily store ARP replies even if they didn’t issue a request (for the reasons stated above).
- Result – everyone on the local network can impersonate any other host, by sending a malicious ARP reply in their name.

ARP Poisoning
- Attack scenario (diagram)
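The stateless cache behaviour described above is also what a defender can watch for. The following is an added example, not part of the original recitation: a passive monitor that parses raw ARP payloads and flags replies nobody asked for and IP-to-MAC bindings that change. The class and function names are hypothetical, and the addresses are constructed values from the 192.0.2.0/24 documentation range.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))

def ip_bytes(a):
    return bytes(map(int, a.split(".")))

def build_arp(op, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (used for constructed test data)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))

def parse_arp(payload):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = payload[8:14].hex(":")
    spa = ".".join(map(str, payload[14:18]))
    tpa = ".".join(map(str, payload[24:28]))
    return op, sha, spa, tpa

class ArpMonitor:
    """Hypothetical passive monitor; keeps the state that host caches do not."""
    def __init__(self):
        self.bindings = {}    # sender IP -> first MAC seen for it
        self.pending = set()  # (requester IP, requested IP) still unanswered

    def observe(self, payload):
        """Return the list of alerts raised by one ARP payload."""
        parsed = parse_arp(payload)
        if parsed is None:
            return ["malformed"]
        op, sha, spa, tpa = parsed
        alerts = []
        if op == ARP_REQUEST:
            self.pending.add((spa, tpa))
        elif op == ARP_REPLY:
            gratuitous = spa == tpa  # announcement, expected without a request
            if not gratuitous and (tpa, spa) not in self.pending:
                alerts.append("unsolicited-reply")
            self.pending.discard((tpa, spa))
        known = self.bindings.setdefault(spa, sha)
        if known != sha:
            alerts.append(f"binding-change {spa} {known}->{sha}")
        return alerts
```

A legitimate address change (a replaced NIC, a failover pair) raises the same binding-change alert, so the output is a lead to investigate rather than proof of poisoning.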

Ping Reflection (“smurf attack”)
- We want to DoS a host, but we’re not fast enough… So we’ll get everyone else to join!
- Basic concept – send a ping request to everyone, but put the target’s IP address in the source of the packet.
- Result – everyone will send a reply to the target, effectively DDoSing it.
- Diagram copyright: Firewall/Introduction/NetworkAttacks.aspx

No more sniffing…
- It used to be easy to sniff traffic on the local network
- All traffic went to everyone behind the same router on a HUB based network
- Now – switches galore!
- We still need to sniff traffic…
- Enter MAC Flooding

Switches 101
- Switches know where to forward packets by learning which MAC addresses are connected to which port
- This is done by seeing which source MACs appear on which ports, and storing this information in a fast look-up table (CAM)
- This table has to be very fast, so it must be limited in size.
- This is not an issue, since it is highly unlikely to run more than a few 100’s / 1000’s of hosts on the same layer-2 network due to other reasons.

MAC Flooding
- We’re on a network, but that network uses switches, so we can’t sniff anything interesting… Or can we?
- What happens if we send out packets with different source MAC addresses?
- Will the switch refuse to learn new addresses?
- No! It will just fail-over to operating like a hub – a ‘dumb’ repeater
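To see why a bounded learning table fails open, and what a per-port limit on learned addresses changes, here is a small simulation (an added example, not part of the original recitation). The Switch class and run function are hypothetical, entry aging is not modelled, and the per-port limit models the "port security" feature found on managed switches, which the slides do not cover.

```python
class Switch:
    """Toy learning switch: bounded MAC table, optional per-port MAC limit."""
    def __init__(self, cam_size, port_limit=None):
        self.cam = {}                 # MAC -> port it was learned on
        self.cam_size = cam_size
        self.port_limit = port_limit  # None disables the per-port limit
        self.per_port = {}            # port -> set of MACs learned there
        self.violations = []          # (port, mac) frames rejected by the limit

    def receive(self, port, src, dst):
        """Process one frame; return 'dropped', 'flood' or the egress port."""
        if src not in self.cam:
            learned = self.per_port.setdefault(port, set())
            if self.port_limit is not None and len(learned) >= self.port_limit:
                self.violations.append((port, src))
                return "dropped"
            if len(self.cam) < self.cam_size:  # a full table learns nothing new
                self.cam[src] = port
                learned.add(src)
        # A destination that was never learned goes out of every port.
        return self.cam.get(dst, "flood")

def run(cam_size, port_limit, new_sources):
    """Return (fate of a frame from host A to host B, number of violations)."""
    host_a, host_b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"  # constructed
    sw = Switch(cam_size, port_limit)
    sw.receive(1, host_a, "ff:ff:ff:ff:ff:ff")
    for i in range(new_sources):  # many constructed source MACs on port 3
        sw.receive(3, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", host_a)
    sw.receive(2, host_b, host_a)  # host B first speaks after the burst
    return sw.receive(1, host_a, host_b), len(sw.violations)
```

With an 8-entry table and no limit, `run(8, None, 100)` ends with the A-to-B frame flooded to every port; with a limit of two addresses per port, `run(8, 2, 100)` delivers it to port 2 only and records 98 violations that can be alerted on.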

Promiscuous mode
- Normally, the network card will listen to every incoming packet, and discard any packet whose destination MAC address is not its own.
- When someone is running a sniffer, they’ll want to capture as much information as possible about the network.
- Network cards can support this by going into what’s called “Promiscuous mode” – where every packet received is sent to the OS for further processing.

Detecting Promiscuous Hosts
- We want to detect if someone on our network is using a sniffer in promiscuous mode.
- The trick – send out a ping request with the wrong destination MAC address, but the right IP target (or broadcast).
- Regular hosts will discard the packet, but anyone in promiscuous mode will reply, since the IP target was valid.

Ping / Traceroute Using Different Protocols
- Let’s assume TCP SYN / ICMP Echo requests are monitored / blocked, but you still want to know if a host is up, and/or what the network elements between you and the target are (traceroute)
- ARP Ping –
  o Send an ARP request for a host on the same subnet (can even use broadcast)
  o If you get a reply – that host is alive
- TCP Port Scan –
  o Instead of using a SYN packet, use a TCP data packet, and listen for an RST packet

Ping / Traceroute Using Different Protocols
- UDP traceroute –
  o You already found out that the host will send you an ICMP Port Unreachable message when you send a UDP datagram to a certain closed port
  o But you want to find all the elements in the way
  o Solution – send and resend the packet, each time with a different IP TTL
  o You will get ICMP errors from many intermediate hosts
- TCP traceroute –
  o Same as UDP, and can use SYN on a known open port, an arbitrary data packet on a known open port, or data on a known closed port
- Basically – most services could be used for traceroute / ping given the right scenario

Firewalking
- We want to learn which ports/subnets are filtered
- If there is a rule to drop a packet, we’ll get no reply
- If the packets can reach past the firewall, we still need to get everything else valid…
- Solution – use TTL!
- Set packets to TTL of the FW + 1
- If we get an ICMP error packet (TTL exceeded) – our packet got through!

This week’s exercise
- Implement some of these techniques
- Be careful about affecting your network
- Don’t abuse on other networks – you are responsible for any damage you create

Questions?

Extra
- IPv6 –
  o DHCP → RA
  o ARP → NDP
  o Interop / transition – Dual stack, Tunneling
- VLAN Hopping
  o Switch / trunk spoofing
  o Double encapsulation
- Spanning Tree takeover
- DNS Poisoning