Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to InfoSec – Recitation 09 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)

Published byChristopher Owen Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to InfoSec – Recitation 09 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)"— Presentation transcript:

1 Introduction to InfoSec – Recitation 09 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)

2 Today Network attacks continued Web 101 – o HTTP o Cookies o HTML o PHP o SQL

3 ARP in a Nutshell ARP = Address Resolution Protocol A bridge between IP and Ethernet, which helps make a local network “work” Most important functionality – translate IP addresses to MAC addresses so we can actually send packets! Two major messages – o ARP request – “Who is at 192.168.1.1?” o ARP reply – “192.168.1.1 is at A1:B2:C3:D4:E5:F6”

4 ARP Poisoning To avoid making an ARP request before sending every IP packet, each host has a local cache. Another trick to avoid excessive ARP requests, is that every host will send a broadcast ARP reply when it comes online / every interval, to let everyone know its MAC address (known as “Gratuitous ARP”) Most implementations are state-less by design, and will happily store ARP replies even if they didn’t issue a request (for reasons stated above) Result – everyone on the local network can impersonate any other host, by sending a malicious ARP reply in their name.

5 ARP Poisoning Attack scenario – Diagram Copyright: http://gm.kochar.com/post/WEB-SPOOFING.aspxhttp://gm.kochar.com/post/WEB-SPOOFING.aspx

6 Ping Reflection (“smurf attack”) We want to DoS a host, but we’re not fast enough… So we’ll get everyone else to join! Basic concept – send a ping request to everyone, but put the target’s IP address in the source of the packet. Result - everyone will send a reply to the target, effectively DDoSing it. Diagram copyright: http://onlinehelp.avs4you.com/AVS- Firewall/Introduction/NetworkAttacks.aspx

7 Scapy demos ARP Monitor DNS traceroute (See at home) MAC Flooding

8 Ping / Tracerout Using Different Protocols Let’s assume TCP SYN / ICMP Echo requests are monitored / blocked but you still want to know if a host is up, and/or what are the network elements between you and the target (traceroute) ARP Ping – o Send an ARP request for a host on the same subnet(can even use broadcast) o If you get a reply – that host is alive TCP Port Scan – o Instead of using a SYN packet, use a TCP data packet, and listen for an RST packet

9 Ping / Tracerout Using Different Protocols DNS Traceroute – o DNS Requests are almost always permitted since they are so vital o Contents are rarely checked o Playing with TTL = traceroute! UDP traceroute – o You already found out that the host will send you an ICMP Port Unreachable message when you send a UDP datagram to a certain closed port o But you want to find all the elements in the way o Solution – send and resend the packet, each time with different IP TTL o You will get ICMP errors from many intermediate hosts TCP traceroute – o Same as UDP, and can use SYN on an known open port, arbitrary data packet on a known open port, or data on a known closed port Basically – most services could be used for traceroute / ping given the right scenario

10 No more sniffing… It used to be easy to sniff traffic on the local network All traffic went to everyone behind the same router on a HUB based network Now – switches galore! We still need to sniff traffic… Enter MAC Flooding

11 Switches 101 Switches know where to route packets by learning which MAC addresses are connected to which port This is done by seeing which source MACs appear on which ports, and storing this information in a fast look-up table (CAM) This table has to be very fast, so it must be limited in size. This is not an issue, since It is highly unlikely to run more than a few 100’s / 1000’s of hosts on the same layer-2 network due to other reasons.

12 MAC Flooding We’re on a network, but that network uses switches, so we can’t sniff anything interesting… Or can we? What happens if we send out packets with different source MAC addresses? Will the switch refuse to learn new addresses? No! it will just fail-over to operating like a hub – a ‘dumb’ repeater Image Copyright: http://www.ciscozine.com/2009/01/05/protecting-against-mac-flooding-attack/http://www.ciscozine.com/2009/01/05/protecting-against-mac-flooding-attack/

13 HTTP Hyper Text Transfer Protocol Simple textual protocol over TCP port 80, stateless request- response model Requests – o [METHOD] [URI]\r\n o Headers\r\n\r\n e.g.: “GET /\r\n\r\n” o Headers – Client type – User agent Will the client support compression – Accept Encoding Client language Last valid cache the client has ….

14 HTTP Response Responses – o [Numeric code] [String]\r\n o Headers\r\n\r\n o Data o Codes – 200 OK 302 Redirect 404 Not found 500 Server Error 502 Gateway Error ….

15 Misc HTTP Extra things to know about – o HTTP Keep alive o HTTP Authentication o X-forwarded-for (and X-we-are-hiring…) HTTPS is SSL / TLS transporting regular HTTP

16 Cookies A way for the server to store something in the client’s browser for later use Cookies default to being domain specific Cookies have an expiry date Most authentication schemes use something like – o Client logs in via form o Server authenticates user, sends back an encrypted and hashed cookie, valid for x days o Client browses through the site with no need to re-login for a few days Cookies come in a few flavors – ‘regular’, ‘HTTP only’ and ‘secure’

17 Cookies – cont. Cookies are a valuable commodity – o If I have your cookie – I AM YOU o Cookie stealing used to be very easy (simple Javascript), but now is pretty impossible (thank the SOP – Same Origin Policy)

18 HTML Hyper Text Markup Language XML format representation of the DOM (Document Object Model) The DOM is the tree-like structure of the document You may interact with and modify the DOM via Javascript The browser renders the objects within the document and allows the user to interact with them HTML5 is geared towards the dynamic web, and provides many services (local storage, 3d API, Async calls) CSS is used for design, HTML is used for structure

19 Basic HTML Example My title Big letters! Small letters!

20 Forms and AJAX The two major ways to send user data as part of a web application are HTML forms and AJAX (Async Javascript And XML) HTML Forms – o o o Will send data as POST parameters to target.php upon clicking the submit button AJAX – o Read about JQuery and AsyncHttpRequest()

21 PHP Server-side processing language, commonly used in web applications Hybrid perl & C syntax Once the web server support processing PHP files, all that’s needed is – <?php echo “Hello, world!”; ?>

22 PHP – cont. Headers are sent using header() (all calls to header() must be before sending data) Data is sent via echo / print() calls (or anything that writes to stdout) Input is done via HTTP parameters - $_POST[“var_name”] The body of the request can be had via reading from stdin directly / file_get_contents(php://input) or stream_get_contents(STDIN)

23 PHP – Tips and Tricks Don’t forget the “ ; ” at the end of each line Use the “or die();” syntax to quickly find when your code breaks Errors are hard to spot. Your machines should have error reporting enabled, but don’t expect much May need to revert to “printf debugging” You can run php on a file in a terminal, but understand you won’t have the environment available (There could be better tools out there)

24 SQL Structured Query Language Very powerful interface to relational databases Tables have fields (columns) and rows Actions – o Select – query, return valid row(s) o Insert – Add new row(s) o Update – Change existing row(s) o Maintenance – Create table, Drop table, Add column…. o + Many more operations

25 SQL For each action, you can select which fields to choose by, and which fields to return Examples - o FROM users SELECT * WHERE username = “mitsi” o FROM users SELECT password WHERE username = “mitsi” o UPDATE users SET password=“123456” WHERE username=“mitsi” o INSERT INTO users VALUES (“myuser”, “mypass”)

26 PHP & SQL PHP has support for SQL (MySQL in our case) You’ll need to connect to the DB, and then you may query to your heart’s content Example on next slide Also, see the example within the exercise

27 PHP SQL initialization <?php mysql_connect("your.hostaddress.com", "username", "password") or die(mysql_error()); mysql_select_db("Database_Name") or die(mysql_error()); ?>

28 Further reading & Tools W3Cschools.com, codecademy.com & php.net have everything you need to know Also, Google Firefox Developer tools Fiddler really helps when you want to research an existing site XML verifiers / code beautifiers

29 This week’s exercise Network attacks continued – o Implement some of the techniques presented o Be careful about affecting your network o Don’t abuse any other network – you are responsible for any damage you create Web primer – o First steps with HTML, PHP, SQL o No attacks for now (but don’t worry – next week!)

30 Questions?

Download ppt "Introduction to InfoSec – Recitation 09 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)"

Similar presentations

Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.

Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.

Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.
SYSTEM ADMINISTRATION Chapter 19

SYSTEM ADMINISTRATION Chapter 19
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.

Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
Prepared By E.Musa Alyaman1 Networking Theory Chapter 1.

Prepared By E.Musa Alyaman1 Networking Theory Chapter 1.
Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.

Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Everything. MACIP End-host IP: 10.1.2.3 MAC: 11:11:11:11:11 gateway IP: 10.1.2.1 MAC: 22:22:22:22:22 Google server IP: 201.1.2.3 MACIP MACInterfaceMACInterface.

Everything. MACIP End-host IP: MAC: 11:11:11:11:11 gateway IP: MAC: 22:22:22:22:22 Google server IP: MACIP MACInterfaceMACInterface.
Understanding Networks Charles Zangla. Network Models Before I can explain how connections are made from across the country, I would like to provide you.

Understanding Networks Charles Zangla. Network Models Before I can explain how connections are made from across the country, I would like to provide you.
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)

IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Similar presentations

Ads by Google