Network Attacks
CS432 - Security in Computing
Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University

References: Security in Computing, 4th Ed., Chapter 7 (pp. 408-440)
Section Overview
  - Anatomy of an Attack
  - Denial of Service Attacks
  - Packet Sniffing
  - Service Attacks
  - Spoofing Attacks
Why are Networks Vulnerable?
  - Reliance on shared resources
  - System complexity
  - Unknown perimeter
  - Many points of attack
  - Attacker anonymity
  - Multiple paths to hosts
Anatomy of an Attack
  - Footprinting
  - Scanning
  - Enumeration
  - Gaining Access
  - Denial of Service
  - Escalating Privilege
  - Pilfering
  - Covering Tracks
  - Creating Back Doors
Source: Hacking Exposed: Network Security: Secrets and Solutions, by S. McClure, J. Scambray, and G. Kurtz
Denial of Service Attacks
  - ICMP Redirects
  - SYN Flooding
  - Smurf Attacks
  - Service Bombing: FTP, Finger, Mail Bombing
  - Service Bugs: Ping o' Death, WinNuke, Teardrop
  - Distributed DoS
  - Targets may be upstream
SYN Flood Attack (diagram): the client sends SYN(C, ISNc) over and over; the server answers each one with SYN(S, ISNs) ACK(C, ISNc), but the server never gets ACKs to its SYN, so half-open connections pile up.
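The half-open state the diagram describes is what a defender watches for. The following monitor is an added example (not from the lecture): it walks a constructed stream of TCP flag records, counts connections that have received the server's SYN-ACK but no client ACK, and alerts once one listening socket holds more of them than a threshold. The addresses, port and threshold are made up.

```python
"""Half-open connection monitor for a SYN flood (added example, not lecture code)."""
from collections import defaultdict


class HalfOpenMonitor:
    def __init__(self, threshold=100, timeout=3.0):
        self.threshold = threshold          # max half-open per server socket
        self.timeout = timeout              # seconds before the server gives up
        self.half_open = {}                 # (client, server) -> time of SYN-ACK
        self.alerts = []                    # (time, server, half_open_count)
        self._alerted = set()

    def _expire(self, now):
        # The server eventually drops half-open entries it never hears back on.
        for key, t in list(self.half_open.items()):
            if now - t > self.timeout:
                del self.half_open[key]

    def observe(self, now, src, dst, flags):
        self._expire(now)
        if flags == "SYN-ACK":
            # src is the server answering client dst: the connection is now half-open
            self.half_open[(dst, src)] = now
        elif flags == "ACK" and (src, dst) in self.half_open:
            # the client completed the handshake
            del self.half_open[(src, dst)]
        per_server = defaultdict(int)
        for _client, server in self.half_open:
            per_server[server] += 1
        for server, n in per_server.items():
            if n > self.threshold and server not in self._alerted:
                self._alerted.add(server)
                self.alerts.append((now, server, n))


def run(packets, threshold=100):
    """Feed (time, src, dst, flags) records in time order; return the monitor."""
    mon = HalfOpenMonitor(threshold)
    for rec in sorted(packets):
        mon.observe(*rec)
    return mon


# Constructed traffic: one legitimate client completing its handshake with the
# server socket 10.0.0.1:80, then 200 spoofed clients that each send a SYN,
# get the SYN-ACK and never answer it.
SERVER = "10.0.0.1:80"
LEGIT = [
    (0.0, "10.0.0.5", SERVER, "SYN"),
    (0.1, SERVER, "10.0.0.5", "SYN-ACK"),
    (0.2, "10.0.0.5", SERVER, "ACK"),
]
FLOOD = []
for i in range(1, 201):
    spoofed = f"203.0.113.{i}"
    FLOOD.append((1.0 + i * 0.01, spoofed, SERVER, "SYN"))
    FLOOD.append((1.0 + i * 0.01 + 0.005, SERVER, spoofed, "SYN-ACK"))
PACKETS = LEGIT + FLOOD

if __name__ == "__main__":
    m = run(PACKETS)
    print("alerts:", m.alerts)
    print("half-open connections at end:", len(m.half_open))
```

The alert fires on the 101st unanswered SYN-ACK; the legitimate client's entry is removed as soon as its ACK arrives, so normal traffic never counts against the threshold. A real server-side mitigation (SYN cookies, shorter SYN-RECEIVED timeouts) acts on the same half-open count this monitor reports.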
IP Address Spoofing
  - Replace actual source address in IP packets
  - Prevent packets from being traced back
  - Exploit IP address-based trust relationships
Smurf Attacks (diagram): the attacker at 172.21.0.35 pings the broadcast address 10.1.1.255 of the 10.1.1.0/24 network with a spoofed source of 192.168.1.7, so every host on 10.1.1.0/24 sends its reply to 192.168.1.7.
Distributed DoS Attacks (diagram): Intruder -> Masters -> Zombies (Z) -> Victim. Source: Results of the Distributed Intruder Tools Workshop
Impersonation Attacks
  - Social Engineering
  - Cracked Passwords
  - Stolen Passwords: Sniffed, Phishing
  - Berkeley R-Commands
Packet Sniffing
  - Promiscuous mode: see every packet as it crosses the network; transparent
  - Capture account passwords
  - Read email
  - Analyze network traffic
Network Hubs vs. Switches
  - Hub: everyone can see traffic
  - Switch: virtual circuit between pair
Switch Attacks
  - MAC Flooding - switch will act like hub
  - ARP Spoofing (diagram): a host broadcasts "Who is 10.0.0.1?" to 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4; the attacker answers "I am (1:2:3:7:8:9)"
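Both switch attacks leave a visible trace: a port that suddenly sources many MAC addresses, and an IP whose advertised MAC changes. The code below is an added example (not lecture code) that applies those two checks to a constructed stream of frame records; the port numbers, MAC addresses and the 10.0.0.1 binding are made up.

```python
"""Detecting MAC flooding and ARP spoofing from frame records (added example)."""
from collections import defaultdict

# Each record: (switch_port, src_mac, kind, ip, claimed_mac)
# kind is "data" or "arp-reply"; ip/claimed_mac are set only for ARP replies.


def detect_mac_flooding(frames, max_macs_per_port=5):
    """A port that sources many distinct MACs is filling the switch's address
    table; once the table overflows the switch floods frames like a hub."""
    macs = defaultdict(set)
    for port, src_mac, *_ in frames:
        macs[port].add(src_mac)
    return {port: len(s) for port, s in macs.items() if len(s) > max_macs_per_port}


def detect_arp_spoofing(frames):
    """Flag ARP replies that claim a different MAC for an IP already bound."""
    binding = {}
    alerts = []
    for _port, _src, kind, ip, claimed in frames:
        if kind != "arp-reply":
            continue
        if ip in binding and binding[ip] != claimed:
            alerts.append((ip, binding[ip], claimed))
        binding.setdefault(ip, claimed)     # keep the first binding seen
    return alerts


# Constructed frames: three normal hosts on ports 1-3, then port 4 sourcing
# 50 different MACs and finally answering for 10.0.0.1 with 1:2:3:7:8:9.
LEGIT = [
    (1, "00:11:22:33:44:01", "arp-reply", "10.0.0.1", "00:11:22:33:44:01"),
    (2, "00:11:22:33:44:02", "data", None, None),
    (3, "00:11:22:33:44:03", "data", None, None),
]
FLOOD = [(4, f"02:00:00:00:00:{i:02x}", "data", None, None) for i in range(50)]
SPOOF = [(4, "01:02:03:07:08:09", "arp-reply", "10.0.0.1", "01:02:03:07:08:09")]
FRAMES = LEGIT + FLOOD + SPOOF

if __name__ == "__main__":
    print("flooding ports:", detect_mac_flooding(FRAMES))
    print("ARP binding changes:", detect_arp_spoofing(FRAMES))
```

On a real switch the same signals back the usual mitigations: port security (a per-port MAC limit, which is what `max_macs_per_port` models) and dynamic ARP inspection, which drops replies whose IP-to-MAC binding disagrees with the DHCP snooping table.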
Wireless Networking
  - Bandwidth (shared): 802.11b - 11Mbps; 802.11g - 54Mbps; 802.11n - 600Mbps (coming soon!)
  - Modes: Ad Hoc (hosts talk directly to each other); Infrastructure (uses Access Points)
  - Identified by Service Set ID (SSID) names
Infrastructure Model (diagram): wireless hosts reach the Internet through an Access Point

SSID Broadcasts (diagram): access points announcing SSID: Cisco, SSID: belkin54g, SSID: linksys
Default SSIDs
Wireless Network Access Control
  - Only allow known systems to connect
  - Every wireless NIC has a unique address, known as the MAC address, assigned by vendor
  - BSSID: MAC address of Access Point
  - Access Control List
  - MAC Spoofing?
Wardriving
  - High Power Mode: 450ft = 40 houses, 4 streets
  - Low Power Mode: 150ft = 6 houses, 1 street
WEP Authentication (diagram): the client sends a Request to Connect; the Access Point replies with a challenge plaintext; the client returns the challenge encrypted under the WEP key; the Access Point, holding the same WEP key, verifies it and replies Access Granted.
WEP Frame (diagram): Keystream = RC4(IV, key); the message and its CRC are XORed with the keystream to produce the ciphertext; the transmitted frame carries the IV, the key ID and the ciphertext.
WEP Attacks
  - Initial connection sniffing
  - IV Reuse: look for IV collisions; some APs reset IV to 0 each time the system is (re)initialized
  - IV Dictionary Attacks
  - Injection attacks with known plaintext
  - Wi-Fi Protected Access / 802.11i
IV Reuse Occurrences: 1% after 582 encrypted frames. Source: Jesse R. Walker, "IEEE P802.11 Wireless LANs: Unsafe at any key size"
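The WEP frame, IV reuse and Walker's 1%-after-582-frames figure fit together in one calculation. The following is an added example, not lecture code: a plain RC4, a minimal WEP-style frame encryption with a CRC-32 ICV, a demonstration that two frames under one IV leak each other (c1 XOR c2 = p1 XOR p2, and a known plaintext hands over the keystream), and the birthday-bound probability of an IV collision for a 24-bit IV. The 40-bit key, the zero IV and both messages are constructed.

```python
"""WEP keystream reuse and IV collision probability (added example, not lecture code)."""
import math
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, wep_key: bytes, message: bytes) -> bytes:
    """WEP seeds RC4 with IV || key and XORs (message || CRC-32 ICV) with the keystream."""
    plain = message + zlib.crc32(message).to_bytes(4, "little")
    return xor(plain, rc4_keystream(iv + wep_key, len(plain)))


def recover_from_reuse(c1: bytes, c2: bytes, known_message1: bytes) -> bytes:
    """Two frames under one IV share a keystream. Knowing frame 1's plaintext
    (plus its ICV) yields the keystream, which then decrypts frame 2."""
    known_plain = known_message1 + zlib.crc32(known_message1).to_bytes(4, "little")
    keystream = xor(c1, known_plain)
    return xor(c2, keystream)[:-4]        # drop frame 2's ICV


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Probability that at least two of `frames` randomly chosen IVs repeat
    (birthday bound, computed exactly in log space)."""
    space = 1 << iv_bits
    log_no_collision = sum(math.log1p(-i / space) for i in range(frames))
    return 1.0 - math.exp(log_no_collision)


# Constructed 40-bit key and an IV of 0, as from an AP that resets its IV.
WEP_KEY = bytes.fromhex("0123456789")
IV_ZERO = b"\x00\x00\x00"
MSG1 = b"ARP who-has 10.0.0.1"     # 20 bytes of predictable content
MSG2 = b"secret: hunter2 pass"     # 20 bytes the eavesdropper should not learn


def demo():
    c1 = wep_encrypt(IV_ZERO, WEP_KEY, MSG1)
    c2 = wep_encrypt(IV_ZERO, WEP_KEY, MSG2)
    return {
        "xor_leaks_plaintext_xor": xor(c1, c2)[:len(MSG1)] == xor(MSG1, MSG2),
        "recovered": recover_from_reuse(c1, c2, MSG1),
        "p_collision_582": iv_collision_probability(582),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The collision probability comes out at about 1.0% for 582 frames, matching the slide; with the IV reset to 0 on every reinitialization the reuse is not probabilistic at all, it is guaranteed. This is why the per-packet key mixing in TKIP and the per-frame nonce discipline of 802.11i replaced the 24-bit IV.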
Replay Attacks (diagram): a captured ARP Request is re-sent onto the network.
FMS Attack (Scott Fluhrer, Itsik Mantin, Adi Shamir)
  - RC4 matrix initialization weakness
  - If a key is weak, the keystream will contain some portions of the key more often than other combinations
  - Statistical analysis to find the key
Temporal Key Integrity Protocol (diagram): per-packet key PK = Hash(TA, TSC, Base Key); Keystream = RC4(IV, PK); the message and its CRC are XORed with the keystream to produce the ciphertext. Dictionary Attacks?
Token-based Login Race Attack (diagram): Scott's one-time password is 4 2 3 5 6 9; the attacker, watching the login, sees "scott Password: 4 2 3 5 6", guesses the last number and enters it before Scott can finish.
Resource Sharing
  - May not need account to access files
  - Microsoft Shares: Guest Shares, Accounts
  - NFS Exports
  - Samba
Service Exploits
  - Banner Grabbing / Vulnerability Scanners
  - Stack/Buffer Overflow
  - Backdoors
  - File Transfer Programs: Anonymous FTP, TFTP, FTP Bounces
FTP Bounces (diagram): the attacker uploads a file of commands to an anonymous FTP server with an upload area, then issues "PORT address, port" naming the target host followed by "RETR file"; the FTP server opens the data connection to the target host and delivers the file. Trusted Hosts increase threat!!!
CGI / Server Side Includes
  - Extends capabilities of web server
  - External programs loaded by server: form processing, dynamically created pages
  - Runs with same access as web server
  - Susceptible to bugs and access exploits
  - User script dangers
DNS Spoofing
  - DNS/ARP Cache Poisoning
  - Pharming
  - Trust-based access to other machines: Berkeley R Commands, Remote File systems (NFS/SMB), Web Site Phishing
  - DNSSEC
Man in the Middle Attack (diagram; example message "Buy New CD")
Source Routing Attacks (diagram): the Trusted Host is taken down with a DoS; the attacker sends a source-routed connection request through routers (R) with its address set to the Trusted Host (IP spoofing); the source-routed response follows the specified route back to the attacker instead of to the Trusted Host.
Session Hijacking (diagram: User Host, Destination Host, Attacker)
  - Attacker watches live sessions to record sequence numbers
  - Attacker DoS's User Host and IP spoofs packets to Destination using User Host's sequence numbers
  - Destination continues session as if nothing happened
TCP Sequence Guessing (diagram: Trusted Host, Target, Router, Attacker)
  - Attacker DoS's Trusted Host
  - Attacker attempts to connect to target many times and records sequence numbers
  - Attacker calculates sequence numbers which will be assigned for next connection
  - Attacker spoofs address of trusted host and uses calculated sequence numbers (router passes trusted internal address)
  - Target runs command from spoofed trusted host
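The whole attack rests on step 3: the next initial sequence number must be calculable from the ones already seen. A defender can audit for that property directly. The code below is an added example, not lecture code: it applies that assumption (the next ISN follows from the increment between previous samples) to two constructed series of ISNs and reports how often the guess would be right. A generator that is right every time is the one the attack needs; a randomised generator scores near zero.

```python
"""ISN predictability audit (added example, not lecture code)."""
import random

MOD = 1 << 32


def predict_next_isn(isns):
    """Guess the next ISN from the most common increment between samples."""
    deltas = [(b - a) % MOD for a, b in zip(isns, isns[1:])]
    step = max(set(deltas), key=deltas.count)
    return (isns[-1] + step) % MOD


def prediction_hit_rate(isns, window=4):
    """Fraction of ISNs that the previous `window` samples predicted exactly."""
    hits = trials = 0
    for k in range(window, len(isns)):
        trials += 1
        if predict_next_isn(isns[k - window:k]) == isns[k]:
            hits += 1
    return hits / trials


# Constructed: an old-style generator that adds a fixed 64000 per connection.
PREDICTABLE = [(0x12345678 + 64000 * i) % MOD for i in range(20)]
# Constructed: per-connection random ISNs (seeded so the run is repeatable).
_rng = random.Random(2010)
RANDOMISED = [_rng.getrandbits(32) for _ in range(20)]

if __name__ == "__main__":
    print("fixed-increment generator hit rate:", prediction_hit_rate(PREDICTABLE))
    print("randomised generator hit rate:    ", prediction_hit_rate(RANDOMISED))
```

In practice the samples come from repeated connections to the host under test and the check is combined with a look at how the ISN moves with time between connections; the point of a randomised, per-connection-secret ISN generator is that no such model of the increments gives the attacker a usable guess.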