Network and System Security Risk Assessment
--Network Tools
Ask yourself questions:
As a white/black/grey/red hat hacker, how would I collect information? For example, what is the IP address range of our school?
Network Tools
ifconfig, traceroute, arp, netcat, tcpdump, wireshark, nmap, route
ifconfig: network configuration and status
ifconfig – status of all network interfaces
ifconfig eth0 – status of the ethernet 0 connection
ifconfig eth0 down – shuts ethernet 0 down
ifconfig eth0 up – starts ethernet 0
ifconfig eth0 [address] – assigns an IP address to ethernet 0
man ifconfig – more info
ifconfig output
eth1  Link encap:Ethernet  HWaddr 00:0A:B7:FE:36:DB
      inet addr:  Bcast:  Mask:
      inet6 addr: fe80::20a:b7ff:fefe:36db/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:5024 errors:1246 dropped:0 overruns:0 frame:1246
      TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
      collisions:11 txqueuelen:1000
      RX bytes: (1.2 MiB)  TX bytes:45872 (44.7 KiB)
      Interrupt:3 Base address:0x100
lo    Link encap:Local Loopback
      inet addr:  Mask:
      inet6 addr: ::1/128 Scope:Host
      UP LOOPBACK RUNNING  MTU:  Metric:1
      RX packets:157 errors:0 dropped:0 overruns:0 frame:0
      TX packets:157 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:43623 (42.6 KiB)  TX bytes:43623 (42.6 KiB)
route: configure or report the status of the host's routing table
route -n
Kernel IP routing table
Destination  Gateway  Genmask  Flags  Metric  Ref  Use  Iface
                               U                      vmnet8
                               U                      lo
route Options (Win)
route Options (Win) (continued)
route Example (Win)
Route command
man route
What will happen if we “route del default”?
traceroute host_name
Determines connectivity to a remote host. Uses UDP.
Options:
-f  set the initial TTL
-F  set the don't-fragment bit
-I  use ICMP echo request instead of UDP
-t  set the type of service
-v  verbose output
What if we try ping -m 1, and ping fbbs.ustc.edu.cn -m 1?
traceroute example: traceroute www.f-prot.com
 1  BBCisco-91.sou.edu ( )  ms  ms  ms
 2  scrubber.sou.edu ( )  ms  ms  ms
 3  sou-pop.nero.net ( )  ms  ms  ms
 4  corv-car2-gw.nero.net ( )  ms  ms  corv-car2-gw.nero.net ( )  ms
 5  corv-car1-gw.nero.net ( )  ms  ms  ms
 6  ptld-core1-gw.nero.net ( )  ms  ms  ms
 7  ptld-core2-gw.nero.net ( )  ms  ms  ms
 8  ptck-core1-gw.nero.net ( )  ms  ms  ms
 9  POS6-1.hsipaccess2.Seattle1.Level3.net ( )  ms  ms  ms
10  ge mp1.Seattle1.level3.net ( )  ms  ms  ms
11  gig11-1.hsa1.Seattle1.level3.net ( )  ms  ms  ms
12  core1.Seattle.Teleglobe.net ( )  ms  ms  ms
13  if-13-0.core2.Sacramento.Teleglobe.net ( )  ms  ms  ms
14  if-1-0.core2.Sacramento.Teleglobe.net ( )  ms  ms  ms
15  if-9-0.core2.Chicago3.Teleglobe.net ( )  ms  ms  ms
16  if-2-0.core3.NewYork.Teleglobe.net ( )  ms  ms  ms
17  if-10-0.core1.NewYork.Teleglobe.net ( )  ms  ms  ms
18  if bb6.NewYork.teleglobe.net ( )  ms  ms  ms
19  ix bb6.NewYork.Teleglobe.net ( )  ms  ms  ms
20  MultiGigabit-13.backbone-hofdab1.linanet.is ( )  ms  ms  ms
21  gigabit-1-1.skulagata.linanet.is ( )  ms  ms  ms
22  customer-gigabit skulagata.linanet.is ( )  ms !X  *  ms !X
Tracert in Windows: tracert fbbs.ustc.edu.cn
Tracing route to fbbs.ustc.edu.cn [ ] over a maximum of 30 hops:
  1  <1 ms  <1 ms  <1 ms
  ...
  8  *  *  *  Request timed out.
  ...
     ms  ms  ms  szgz3.cernet.net [ ]
     ms  ms  ms  hzsh3.cernet.net [ ]
  ...
     ms  ms  ms  bbs.ustc.edu.cn [ ]
Trace complete.
nslookup
nslookup www.baidu.com
nslookup www.facebook.com
Very interesting: different results at different times; different techniques are used.
Very interesting! nslookup does in fact get a response, but it will be blocked for a while after google is tried.
This should be done together with wireshark, which illustrates the workflow behind the scenes. Try nslookup with wireshark running; we can also see how the information is represented in a packet.
host: forward and reverse DNS lookups
host www.f-prot.com
  has address
  has address
  has address
host
  in-addr.arpa domain name pointer aula.frisk-software.com.
host still works.
host: interesting example
host fbbs.ustc.edu.cn
host 202.38.64.3
host
host
whois
whois is used to discover who owns a website or domain name by searching the WHOIS database. When you register a domain name, the Internet Corporation for Assigned Names and Numbers (ICANN) requires your domain name registrar to submit your personal contact information to the WHOIS database; that information then becomes public.
whois
whois
whois
whois works all right here, but fails at ... ; whois with an IP address works OK.
netstat example: show the status of all network connections
Shows all listening ports.
netstat -s   statistics
netstat -p   with PID
netstat -a   list all ports
netstat -at  list all TCP ports
netstat -au  list all UDP ports
netstat -l   list all listening ports
netstat -lt; netstat -lu
netstat -r   display routing information
netstat -i   interface information
When you use -p, you may notice that “not all processes will be displayed; non-owned processes’ info can’t be shown; you have to be root to see them all.” Then we can check for the secret backdoor process. To display the backdoor we have to use ps -a; a plain ps won’t display the backdoor.
Netstat - linux
netstat Example (Win)
tcpdump: packet sniffer
Installed with Linux; commonly used.
Its capture files are often used as input to GUI front ends.
tcpdump syntax: tcpdump (options) -i (interface) -w (dump file)
tcpdump -c 1000 -i eth0 -w etho.dmp
tcpdump options
-n            do not convert host addresses to names
-nn           do not convert protocols and ports to names
-i ethn       listen on interface eth0, eth1, eth2, ...
-c xx         exit after xx packets
-e            print link-level info
-r file_name  read packets from file file_name
-v            slightly verbose
-vv           verbose
-vvv          very verbose
-w file_name  write packets to file file_name
-x            print packets in hex
-X            print packets in hex and ASCII
-S            print absolute sequence and acknowledgment numbers
netcat: read and write UDP/TCP data
Useful to test networks and performance.
netcat
Copies data across network connections. Uses UDP or TCP.
Reliable and robust. Used directly at the command line. Can be driven by other programs and scripts.
Very useful in forensic capture of a live system. Simple paradigm:
On the remote collecting system, open a listening port.
On the current/compromised system, pipe data to the remote system.
The connection is closed automatically after the data transfer has completed.
netcat: nc, the Swiss army knife
nc -l 1234  (listen)
nc localhost 1234
This establishes a communication tunnel, which is a convenient way to talk to each other. Combined with redirection, it can be used to transfer a file:
nc -l 1234 > test
cat file | nc localhost 1234
netcat
echo -e "GET / HTTP/1.0\n\n" | nc localhost 80
This shows the homepage together with the HTTP header. nc doesn't do https: nc -vv localhost 443 reports a successful connection, but no homepage is returned.
NMAP
Nmap is the most popular scanning tool used on the Internet.
Created by Fyodor ( ), it was featured in the Matrix Reloaded movie.
Is Nmap the best tool? Yes it is.
It’s free, open and well documented.
Long history of development and support
Active user base, used in many products
Continuous development and improvements
“Industry Standard” port scanner
Stay current!
History of Nmap
First released September 1, 1997 in Phrack 51, “The Art of Portscanning”
Many updates since then: OS detection (Phrack 54), idle scanning, version scanning, ARP scanning
…As seen in the movies!
nmap
nmap localhost
nmap localhost 192.168.137.221
nmap -O
nmap -O
ARP
TCP/IP Protocol Stack
ARP: what happens after you type "ftp server" at the shell prompt ($)?
Address Resolution Protocol: ARP and RARP
32-bit Internet address  --ARP-->   48-bit Ethernet address
48-bit Ethernet address  --RARP-->  32-bit Internet address
ARP Protocol Flow
Machine A wants to send a packet to B, knowing only B’s IP address.
Machine A broadcasts an ARP request containing B’s IP address.
All machines on the local network receive the broadcast.
Machine B replies with its physical address.
Machine A adds B’s address information to its ARP table.
Machine A delivers the packet directly to B.
ARP Protocol: Ethernet hardware addresses and Ethernet frame format
Ethernet hardware address: a 48-bit unique number, the address an Ethernet interface card recognizes; these are the addresses used on the LAN.
Ethernet frame format: link-level connection among machines.
Frame types: 0800 IP; 0806 ARP; 8035 RARP
ARP Protocol
ARP example in Wireshark, with the display filter: arp
ARP caching
To reduce communication cost, ARP maintains a cache of recently acquired IP-to-physical address bindings. Each entry has a timer (usually 20 minutes).
The sender’s IP-to-physical address binding is included in every broadcast; receivers update the binding in their cache before processing the ARP packet.
ARP is stateless: a system updates its cache on receiving a reply, whether or not it sent a request.
ARP: arp -a example
Internet Address   Physical Address   Type
                   b-cd-d3-6e         dynamic
                   e-90-be-ec         dynamic
                   b-45-f             dynamic
ARP poisoning
Question: given how the ARP cache works, how would you attack it?
ARP Poisoning
How would you modify a target machine’s ARP cache?
If you poisoned an ARP cache, how could you use this technique to compromise the security of your victim?
ARP Cache Poisoning
By sending a forged ARP reply, an attacker makes a target system send frames destined for the victim to the attacker instead.
There are various ways to conduct cache poisoning: broadcast, reply, gratuitous ARP message.
ARP: an attack example
ARP poisoning
The attacker impersonates a gateway and intercepts the traffic, then either forwards it to the actual default gateway (passive sniffing) or modifies the data before forwarding it (man-in-the-middle attack).
DoS: associate a nonexistent MAC address with the IP address of the victim’s default gateway.
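The Ethernet/ARP frame layout from the frame-format slide, the stateless cache behaviour from the ARP caching slide, and the binding-change check that the lab's observer machine could run, in one added Python example (not part of the original presentation): it packs and parses ARP frames with the 0806 Ethernet type, feeds them to a cache model that, like a real stateless ARP implementation, accepts a reply it never requested, and records an alert when an IP's MAC binding changes. All MAC and IP values are constructed for the example.

```python
import struct
from collections import namedtuple

ETH_P_ARP = 0x0806             # Ethernet frame type for ARP (0806 on the slide)
ARP_REQUEST, ARP_REPLY = 1, 2  # ARP opcodes
ArpPacket = namedtuple("ArpPacket", "op sender_mac sender_ip target_mac target_ip")

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s):  return bytes(int(o) for o in s.split("."))
def mac_str(b):   return ":".join(f"{x:02x}" for x in b)
def ip_str(b):    return ".".join(str(x) for x in b)

def build_arp(op, smac, sip, tmac, tip):
    """14-byte Ethernet II header + 28-byte ARP body (IPv4 over Ethernet)."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else tmac  # requests broadcast, replies unicast
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(smac), ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IP), hlen=6, plen=4, opcode, sender binding, target binding
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(smac), ip_bytes(sip), mac_bytes(tmac), ip_bytes(tip))
    return eth + arp

def parse_arp(frame):
    """Return an ArpPacket, or None if the frame is not ARP (e.g. type 0800 IP)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    *_, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return ArpPacket(op, mac_str(smac), ip_str(sip), mac_str(tmac), ip_str(tip))

class StatelessArpCache:
    """Cache the sender binding on every ARP packet, asked-for or not (the slide's 'stateless'); flag MAC changes."""
    def __init__(self):
        self.table = {}    # ip -> mac
        self.alerts = []   # binding changes seen by the observer
    def process(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        old = self.table.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            self.alerts.append(f"{pkt.sender_ip} changed from {old} to {pkt.sender_mac}")
        self.table[pkt.sender_ip] = pkt.sender_mac  # overwritten even for an unsolicited reply
        return pkt

def demo():
    """Constructed traffic: 10.0.0.10 asks for gateway 10.0.0.1, the gateway answers, then a different MAC claims its IP."""
    cache = StatelessArpCache()
    cache.process(build_arp(ARP_REQUEST, "00:11:22:33:44:10", "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"))
    cache.process(build_arp(ARP_REPLY, "00:11:22:33:44:01", "10.0.0.1", "00:11:22:33:44:10", "10.0.0.10"))
    cache.process(build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", "00:11:22:33:44:10", "10.0.0.10"))
    return cache
```

After demo() the cache holds the last binding it saw for 10.0.0.1, which is exactly the weakness the slide describes; the single alert is what an observer comparing successive bindings would report.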
Lab: ARP cache poisoning
Environment setup: to conduct the lab, at least 3 machines are needed: attacker, victim, observer.
Choices: 3 virtual machines, or 2 virtual machines and the host.
Tools to use: Netwox
A tool to send out network packets of different types and with different contents (Netwag is the GUI version).
Netwox consists of 222 tools, each with a specific number; some require root privilege.
netwox number [parameters …]
Tools to use
netwox 80 --eth  --ip  --eth-dst  --ip-dst
netwox 72 --help
Title: Scan ARP (EthIp spoof)
Usage: netwox 72 -i ips [-d device] [-E eth] [-I ip]
Parameters:
 -i|--ips ips         list/range of IP addresses { , }
 -d|--device device   spoof device {Eth0}
 -E|--src-eth eth     source ethernet address {0:a:a:a:a:a}
 -I|--src-ip ip       source IP address { }
 --help               display help for advanced parameters