![Page 1: Network Attacks CS432 - Security in Computing Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University](https://reader033.vdocument.in/reader033/viewer/2022051621/56649f355503460f94c53ad5/html5/thumbnails/1.jpg)
Network Attacks
CS432 - Security in Computing
Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University
References
- Security in Computing, 4th Ed., Chapter 7 (pgs. 408-440)

Section Overview
- Anatomy of an Attack
- Denial of Service Attacks
- Packet Sniffing
- Service Attacks
- Spoofing Attacks

Why are Networks Vulnerable?
- Reliance on shared resources
- System complexity
- Unknown perimeter
- Many points of attack
- Attacker anonymity
- Multiple paths to hosts

Anatomy of an Attack
1. Footprinting
2. Scanning
3. Enumeration
4. Gaining Access
5. Escalating Privilege
6. Pilfering
7. Covering Tracks
8. Creating Back Doors
9. Denial of Service
Source: Hacking Exposed: Network Security Secrets and Solutions, by S. McClure, J. Scambray, and G. Kurtz

Denial of Service Attacks
- ICMP Redirects
- SYN Flooding
- Smurf Attacks
- Service Bombing
  - FTP
  - Finger
  - Mail Bombing
- Service Bugs
  - Ping o' Death
  - WinNuke
  - Teardrop
- Distributed DoS
- Targets may be Upstream

SYN Flood Attack
Client -> Server: SYN(C, ISNc)
Server -> Client: SYN(S, ISNs) ACK(C, ISNc)
Client -> Server: SYN(C, ISNc)
Server -> Client: SYN(S, ISNs) ACK(C, ISNc)
Client -> Server: SYN(C, ISNc)
Server -> Client: SYN(S, ISNs) ACK(C, ISNc)
Client -> Server: SYN(C, ISNc)
Server -> Client: SYN(S, ISNs) ACK(C, ISNc)
- Server never gets ACKs to its SYN
- Half-open connections

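As an added example (not from the slides), the following Python tracker replays a constructed stream of handshake events and counts, per server, the connections that reached SYN_RCVD but never received the client's ACK; the addresses, the event format and the alert threshold are assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Constructed sample events: (time_s, src "ip:port", dst "ip:port", flags)
# flags: "S" = SYN, "SA" = SYN/ACK, "A" = the client's final ACK.
EVENTS = [
    (0.0, "10.0.0.5:40001", "10.1.1.1:80", "S"),
    (0.1, "10.1.1.1:80", "10.0.0.5:40001", "SA"),
    (0.2, "10.0.0.5:40001", "10.1.1.1:80", "A"),   # legitimate client completes
]
for i in range(50):
    client = f"198.51.100.9:{50000 + i}"           # flood source (constructed)
    EVENTS.append((1.0 + i * 0.01, client, "10.1.1.1:80", "S"))
    EVENTS.append((1.0 + i * 0.01 + 0.001, "10.1.1.1:80", client, "SA"))
    # no ACK ever arrives: the server is left holding a half-open connection


def half_open_by_server(events, now, timeout=3.0):
    """Count, per server endpoint, connections that reached SYN_RCVD and
    have been waiting at least `timeout` seconds for the client's ACK."""
    state = {}  # (client, server) -> (phase, time of the SYN)
    for t, src, dst, flags in events:
        if flags == "S":
            state[(src, dst)] = ("SYN_SENT", t)
        elif flags == "SA" and (dst, src) in state:
            state[(dst, src)] = ("SYN_RCVD", state[(dst, src)][1])
        elif flags == "A":
            state.pop((src, dst), None)           # handshake complete
    counts = defaultdict(int)
    for (client, server), (phase, t) in state.items():
        if phase == "SYN_RCVD" and now - t >= timeout:
            counts[server] += 1
    return dict(counts)


def is_syn_flood(events, now, server, threshold=20, timeout=3.0):
    """Alert when one server holds more stale half-open connections than
    normal client behaviour would explain."""
    return half_open_by_server(events, now, timeout).get(server, 0) >= threshold
```

Run on the sample, the legitimate client is never counted because its ACK removes the entry, while all fifty flood entries remain at SYN_RCVD; in a real sensor the events would come from a packet capture rather than a list.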
IP Address Spoofing
- Replace actual source address in IP packets
- Prevent packets from being traced back
- Exploit IP address-based trust relationships

Smurf Attacks
(diagram)
- Attacker (172.21.0.35) sends "Ping 10.1.1.255" with spoofed source 192.168.1.7
- Every host on the 10.1.1.0/24 network answers the broadcast ping
- The replies all go to 192.168.1.7, the spoofed source

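The two router-side checks that defuse this picture, as an added Python example that is not part of the slides: refusing directed broadcasts to attached networks and refusing packets whose source address cannot legitimately arrive on the interface (ingress filtering in the spirit of BCP 38). The interface names, the prefix table and the sample packets are constructed; the addresses come from the diagram.

```python
import ipaddress

# Hypothetical router configuration: prefixes that legitimately originate
# traffic on each inside interface. 10.1.1.0/24 is the network in the diagram.
INSIDE = {
    "lan0": [ipaddress.ip_network("10.1.1.0/24")],
}
ALL_INSIDE = [net for nets in INSIDE.values() for net in nets]


def filter_packet(iface, src, dst):
    """Decide whether an IP packet arriving on `iface` may be forwarded.

    * A destination equal to the broadcast address of any attached network
      is dropped: that is the amplifier a smurf attack relies on.
    * On an inside interface the source must belong to that interface's
      prefixes; on an outside interface an inside prefix is never a valid
      source. Either way the spoofed 192.168.1.7 cannot be injected.
    Returns (verdict, reason).
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)

    for net in ALL_INSIDE:
        if dst_ip == net.broadcast_address:
            return ("drop", "directed broadcast")

    if iface in INSIDE:
        if not any(src_ip in net for net in INSIDE[iface]):
            return ("drop", "source not valid for interface")
    else:
        if any(src_ip in net for net in ALL_INSIDE):
            return ("drop", "inside source arriving from outside")
    return ("accept", "ok")


def amplification_factor(network):
    """Largest number of replies one broadcast ping can trigger on a segment:
    every usable host address answers."""
    return ipaddress.ip_network(network).num_addresses - 2


# Constructed packets (iface, src, dst) following the diagram:
SAMPLE = [
    ("wan0", "172.21.0.35", "10.1.1.255"),   # attacker's ping to the broadcast
    ("lan0", "192.168.1.7", "10.1.1.20"),    # spoofed source on the inside
    ("wan0", "10.1.1.20", "10.1.1.5"),       # inside address arriving from outside
    ("lan0", "10.1.1.20", "192.168.1.7"),    # ordinary outbound packet
]


def run_sample():
    return [filter_packet(*p)[0] for p in SAMPLE]
```

The first three packets are dropped and only the ordinary outbound one is forwarded; on a /24 the broadcast check alone removes a 254-to-1 amplifier.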
Distributed DoS Attacks
(diagram) Intruder -> Master, Master, Master -> Z, Z, Z, ... (zombie hosts) -> Victim
Source: Results of the Distributed Intruder Tools Workshop

Impersonation Attacks
- Social Engineering
- Cracked Passwords
- Stolen Passwords
  - Sniffed
  - Phishing
- Berkeley R-Commands

Packet Sniffing
- Promiscuous mode
  - See every packet as it crosses the network
  - Transparent
- Capture account passwords
- Read email
- Analyze network traffic

Network Hubs vs. Switches
- Hub: everyone can see traffic
- Switch: virtual circuit between pair

Switch Attacks
- MAC Flooding: switch will act like a hub
- ARP Spoofing
  - Request on the segment (hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4): "Who is 10.0.0.1?"
  - Spoofed reply: "I am (1:2:3:7:8:9)"

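What a monitoring host on the segment can do about both attacks, as an added Python example that is not from the slides: watch ARP replies for an IP whose MAC changes or a MAC that answers for several IPs, and watch switch ports for an implausible number of distinct source MACs. The log lines and frames are constructed; the MAC 01:02:03:07:08:09 is the one on the slide.

```python
from collections import defaultdict

# Constructed ARP reply log in tcpdump's "ip is-at mac" style (not a capture).
ARP_REPLIES = [
    "10.0.0.1 is-at 00:0c:29:aa:bb:01",
    "10.0.0.2 is-at 00:0c:29:aa:bb:02",
    "10.0.0.1 is-at 01:02:03:07:08:09",   # a different MAC now claims 10.0.0.1
    "10.0.0.3 is-at 01:02:03:07:08:09",   # and the same MAC also claims 10.0.0.3
]


def parse_arp_reply(line):
    ip, keyword, mac = line.split()
    if keyword != "is-at":
        raise ValueError("not an ARP reply: " + line)
    return ip, mac.lower()


def arp_alerts(lines):
    """Flag two symptoms of ARP spoofing: an IP whose MAC changes, and one
    MAC answering for more than one IP."""
    table = {}                     # ip -> last MAC seen for it
    ips_by_mac = defaultdict(set)  # mac -> every ip it has claimed
    alerts = []
    for line in lines:
        ip, mac = parse_arp_reply(line)
        if ip in table and table[ip] != mac:
            alerts.append(f"{ip} changed from {table[ip]} to {mac}")
        table[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(f"{mac} claims {sorted(ips_by_mac[mac])}")
    return alerts


def mac_flood_ports(frames, threshold=100):
    """Flag switch ports on which far more distinct source MACs appear than
    the hosts behind a single access port could own."""
    macs_by_port = defaultdict(set)
    for port, mac in frames:
        macs_by_port[port].add(mac.lower())
    return sorted(p for p, macs in macs_by_port.items() if len(macs) > threshold)


# Constructed frames (switch port, source MAC): one ordinary host on gi0/1,
# 500 distinct sources on gi0/7.
FRAMES = [("gi0/1", "00:0c:29:aa:bb:01")] + [
    ("gi0/7", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(500)
]
```

Static ARP entries for critical hosts and port-security limits on the switch are the usual follow-ups once either alert fires.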
Wireless Networking
- Bandwidth (shared)
  - 802.11b – 11Mbps
  - 802.11g – 54Mbps
  - 802.11n – 600Mbps (coming soon!)
- Modes
  - Ad Hoc (hosts talk directly to each other)
  - Infrastructure (uses Access Points)
- Identified by Service Set ID (SSID) names

Infrastructure Model
(diagram: access point connecting wireless hosts to the Internet)

SSID Broadcasts
- SSID: linksys
- SSID: belkin54g
- SSID: Cisco

Default SSIDs
(figure)

Wireless Network Access Control
- Only allow known systems to connect
- Every wireless NIC has a unique address
  - Known as the MAC address
  - Assigned by vendor
  - BSSID: MAC address of Access Point
- Access Control List
- MAC Spoofing?

Wardriving
(figure)

High Power Mode
- 450ft = 40 houses, 4 streets

Low Power Mode
- 150ft = 6 houses, 1 street

WEP Authentication
1. Station -> Access Point: Request to Connect
2. Access Point -> Station: Challenge plaintext
3. Station -> Access Point: the challenge plaintext encrypted with the WEP key (both sides hold the WEP key)
4. Access Point -> Station: Access Granted

WEP Frame
- Keystream = RC4(IV, WEP key)
- Ciphertext = (Message || CRC) XOR Keystream
- Frame body: IV | key ID | Ciphertext

WEP Attacks
- Initial connection sniffing
- IV Reuse
  - Look for IV collisions
  - Some APs reset IV to 0 each time the system is (re)initialized
  - IV Dictionary Attacks
- Injection attacks with known plaintext
- Wi-Fi Protected Access / 802.11i

IV Reuse Occurrences
- 1% after 582 encrypted frames
- 10% after 1,881 encrypted frames
- 50% after 4,823 encrypted frames
- 99% after 12,430 encrypted frames
Source: Jesse R. Walker, "IEEE P802.11 Wireless LANs: Unsafe at any key size"

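To make the three WEP slides concrete (frame construction, the IV-collision check a monitor can run, and where the figures on the reuse slide come from), here is an added Python example that is not from the slides or from Walker's paper. It uses a plain RC4 implementation, zlib's CRC-32, a constructed 40-bit key and a constructed frame sequence from an access point that restarts its IV counter at 0 after a reinitialisation; the reuse probabilities are the birthday bound for a 24-bit IV chosen at random.

```python
import math
import zlib


def rc4_keystream(key, length):
    """Plain RC4: key scheduling (KSA) followed by output generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv, key, message, key_id=0):
    """WEP frame body as on the slide: the 24-bit IV and key ID go out in the
    clear, followed by (message || CRC-32) XOR RC4(IV || key)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = message + zlib.crc32(message).to_bytes(4, "little")
    ks = rc4_keystream(iv + key, len(body))
    return iv + bytes([key_id]) + bytes(a ^ b for a, b in zip(body, ks))


def wep_decrypt(frame, key):
    """Reverse of wep_encrypt; returns None when the CRC does not match."""
    iv, ct = frame[:3], frame[4:]
    ks = rc4_keystream(iv + key, len(ct))
    body = bytes(a ^ b for a, b in zip(ct, ks))
    message, crc = body[:-4], int.from_bytes(body[-4:], "little")
    return message if zlib.crc32(message) == crc else None


def iv_collisions(frames):
    """Monitoring check: how many frames reuse an IV already seen from this
    sender. Any non-zero count means two frames were encrypted with the
    same keystream."""
    seen = set()
    collisions = 0
    for frame in frames:
        iv = frame[:3]
        if iv in seen:
            collisions += 1
        seen.add(iv)
    return collisions


def iv_reuse_probability(n, iv_bits=24):
    """Birthday bound: probability that n randomly chosen IVs of iv_bits bits
    contain at least one repeat, 1 - exp(-n(n-1) / 2N) with N = 2**iv_bits."""
    return 1 - math.exp(-n * (n - 1) / (2 * 2 ** iv_bits))


# Constructed 40-bit key and a constructed IV sequence: the AP counts from 0,
# is reinitialised after ten frames, and counts from 0 again.
KEY = bytes([0x01, 0x02, 0x03, 0x04, 0x05])
IV_SEQUENCE = list(range(10)) + list(range(5))
FRAMES = [wep_encrypt(n.to_bytes(3, "big"), KEY, b"sample payload") for n in IV_SEQUENCE]
```

Feeding the slide's frame counts into iv_reuse_probability reproduces its percentages (1%, 10%, 50%, 99%), and the constructed counter reset produces five collisions in fifteen frames, which is why the collision counter is worth running on a live capture.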
Replay Attacks
(diagram: a captured ARP Request is replayed)

FMS Attack
- Scott Fluhrer, Itsik Mantin, Adi Shamir
- RC4 matrix initialization weakness
  - If a key is weak, keystream will contain some portions of key more than other combinations
- Statistical analysis to find

Temporal Key Integrity Protocol
- Per-packet key PK derived from the Base Key, TA (transmitter address) and TSC (TKIP sequence counter)
- Keystream = RC4(IV, PK)
- Ciphertext = (Message || CRC) XOR Keystream
- Dictionary Attacks?

Token-based Login Race Attack
Scott's session:
  Login: scott
  Password: 42356
Attacker's session:
  Login: scott
  Password: 423569
The attacker guesses the last number and enters it before Scott can finish.

Resource Sharing
- May not need account to access files
- Microsoft Shares
  - Guest Shares
  - Accounts
- NFS Exports
- Samba

Service Exploits
- Banner Grabbing/Vulnerability Scanners
- Stack/Buffer Overflow
- Backdoors
- File Transfer Programs
  - Anonymous FTP
  - TFTP
  - FTP Bounces

FTP Bounces
(diagram: Attacker, Anonymous FTP Server with upload area, Target Host)
1. Attacker uploads a file of commands to the anonymous FTP server's upload area
2. Attacker sends PORT address,port naming the Target Host
3. Attacker sends RETR file
4. The FTP server opens the data connection to the Target Host and delivers the file
Trusted Hosts increase threat!!!

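The server-side fix is to refuse a PORT command that names anyone but the client on the control connection. The following Python example is added here and is not code from the slides or from any FTP server; it parses the PORT argument, rejects third-party addresses and privileged ports, and runs over a constructed session whose control connection comes from 192.168.1.7 (the target address 10.1.1.20 is also constructed).

```python
import ipaddress


def parse_port_command(argument):
    """Parse the argument of 'PORT h1,h2,h3,h4,p1,p2' into (ip, port)."""
    fields = argument.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    try:
        numbers = [int(f) for f in fields]
    except ValueError:
        raise ValueError("PORT fields must be integers") from None
    if any(not 0 <= n <= 255 for n in numbers):
        raise ValueError("PORT field out of range")
    ip = ".".join(str(n) for n in numbers[:4])
    return ip, numbers[4] * 256 + numbers[5]


def port_command_allowed(argument, control_peer_ip):
    """Bounce defence: only open a data connection back to the host that
    issued the command, and never to a privileged port."""
    try:
        ip, port = parse_port_command(argument)
    except ValueError as err:
        return False, str(err)
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        return False, "data address differs from control-connection peer"
    if port < 1024:
        return False, "privileged data port"
    return True, "ok"


# Constructed session: the control connection comes from 192.168.1.7.
CLIENT = "192.168.1.7"
REQUESTS = [
    "192,168,1,7,4,1",     # the client's own address, port 1025: fine
    "10,1,1,20,0,25",      # a third host, port 25: a bounce attempt
    "192,168,1,7,0,80",    # own address but a privileged port
    "1,2,3",               # malformed
]


def run_sample():
    return [port_command_allowed(r, CLIENT)[0] for r in REQUESTS]
```

Only the first request passes; the second is exactly the bounce the diagram shows, and the check is cheap enough to apply to every PORT command.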
CGI / Server Side Includes
- Extends capabilities of web server
  - External programs loaded by server
  - Form processing
  - Dynamically created pages
- Runs with same access as web server
- Susceptible to bugs and access exploits
- User script dangers

DNS Spoofing
- DNS/ARP Cache Poisoning
- Pharming
- Trust-based access to other machines
  - Berkeley R Commands
  - Remote File systems (NFS/SMB)
- Web Site Phishing
- DNSSEC

Man in the Middle Attack
(diagram; message label: "Buy New CD")

Source Routing Attacks
(diagram: Attacker, Trusted Host, routers R)
1. Attacker DoS's the Trusted Host
2. Attacker sends a source-routed connection request with the address set to the Trusted Host (IP spoofing)
3. The source-routed response follows the route the attacker specified

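The standard mitigation is for border routers to discard any packet carrying a source-route option. As an added Python example (not from the slides), the function below walks the IPv4 option list and reports the loose (131) and strict (137) source-route options defined in RFC 791, treating malformed option lists as something to drop as well; the header builder and the addresses are constructed for the demonstration.

```python
import socket
import struct

IPOPT_LSRR = 131   # loose source and record route (RFC 791)
IPOPT_SSRR = 137   # strict source and record route


def has_source_route(packet):
    """Walk the IPv4 options and report whether LSRR or SSRR is present.
    Malformed option lists raise ValueError so the caller can drop them."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # no-operation, a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return True
        i += length
    return False


def border_verdict(packet):
    """Border-router policy: discard anything that dictates its own route,
    and anything whose options cannot be parsed."""
    try:
        return "drop" if has_source_route(packet) else "accept"
    except ValueError:
        return "drop"


def _checksum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, options=b""):
    """Constructed IPv4 header (no payload): options padded to a 32-bit
    boundary, IHL adjusted, header checksum filled in."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fields = [(4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    header = struct.pack("!BBHHHBBH4s4s", *fields) + options
    fields[7] = _checksum(header)
    return struct.pack("!BBHHHBBH4s4s", *fields) + options


def lsrr_option(hops):
    """Loose source route option listing the hops the sender asks for
    (type, length, pointer = 4, then the addresses)."""
    route = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(route), 4]) + route
```

A packet without options is forwarded, one carrying an LSRR option is dropped, and a truncated option is dropped rather than guessed at.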
Session Hijacking
(diagram: User Host, Destination Host, Attacker)
- Attacker watches live sessions to record sequence numbers
- Attacker DoS's User Host and IP spoofs packets to Destination using User Host's sequence numbers
- Destination continues session as if nothing happened

TCP Sequence Guessing
(diagram: Attacker, Trusted Host, Router, Target)
1. Attacker attempts to connect to target many times and records sequence numbers
2. Attacker calculates sequence numbers which will be assigned for next connection
3. Attacker DoS's Trusted Host
4. Attacker spoofs address of trusted host and uses calculated sequence numbers (router passes trusted internal address)
5. Target runs command from spoofed trusted host

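Step 2 only works when the target's initial sequence numbers follow a pattern. The added Python example below (not from the slides) contrasts a constructed fixed-increment generator with the RFC 6528 construction, ISN = M + F(localip, localport, remoteip, remoteport, secretkey), and gives an audit helper that tells whether a run of ISNs collected from consecutive connections can be extrapolated linearly. The secret, the addresses and the 250000 x 4 us connection spacing are constructed assumptions; HMAC-SHA256 stands in for F.

```python
import hashlib
import hmac
import os

# Per-boot secret (constructed here; a real stack draws it once at boot).
SECRET = os.urandom(16)


def isn_rfc6528(local_ip, local_port, remote_ip, remote_port, clock_4us, secret=SECRET):
    """ISN = M + F(4-tuple, secret): a 4-microsecond counter M plus a keyed
    hash of the connection identifiers, as RFC 6528 recommends."""
    msg = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
    f = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (clock_4us + f) & 0xFFFFFFFF


def isn_fixed_increment(clock_4us, connections_so_far, step=64000):
    """Constructed caricature of an old-style generator: the clock plus a
    fixed step per connection, with nothing secret in it."""
    return (clock_4us + step * connections_so_far) & 0xFFFFFFFF


def isn_is_linearly_predictable(isns):
    """Audit helper: True when consecutive ISNs differ by one constant, so the
    next one could be extrapolated from the ones already seen."""
    deltas = {(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])}
    return len(deltas) == 1


def sample_isns(generator, count=6, spacing_4us=250000):
    """Constructed audit run: `count` connections from one client to the
    target's rlogin port, one second apart (250000 ticks of 4 us)."""
    isns = []
    for k in range(count):
        clock = k * spacing_4us
        if generator == "rfc6528":
            isns.append(isn_rfc6528("10.1.1.1", 513, "198.51.100.9", 40000 + k, clock))
        elif generator == "fixed":
            isns.append(isn_fixed_increment(clock, k))
        else:
            raise ValueError("unknown generator")
    return isns
```

The fixed-increment run is flagged as predictable; the RFC 6528 run is not, because each connection's offset depends on the client port and the secret. The same helper can be pointed at ISNs collected from your own hosts to check which behaviour they exhibit.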