
Page 1: J. A. Drew Hamilton, Jr., Ph.D. - Mississippi State …web.cse.msstate.edu/~hamilton/P3I/CEH/lessons/4_Sniffing...Mississippi State University Center for Cyber Innovation 1 J. A. “Drew”

Mississippi State University Center for Cyber Innovation 1

J. A. “Drew” Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation

Professor, Computer Science & Engineering

CCI Post Office Box 9627 Mississippi State, MS 39762

Voice: (662) 325-2294 Fax: (662) 325-7692 [email protected]

Page 2: Section Objectives

•  Describe sniffing concepts, including active and passive sniffing and protocols susceptible to sniffing
•  Describe ethical hacking techniques for Layer 2 traffic
•  Describe sniffing tools and understand their output
•  Describe sniffing countermeasures
•  Learn about intrusion detection system (IDS), firewall, and honeypot types, use, and placement
•  Describe signature analysis within Snort
•  Describe IDS, firewall, and honeypot evasion techniques

Page 3: Sniffing and Evasion

Dr. Drew Hamilton
Reference: Aarti Dhone, UNR
Reference: Behrouz Forouzan, McGraw-Hill’s TCP/IP Protocol Suite
Reference: Matt Walker, All-in-One CEH Certified Ethical Hacker

Page 4: Active and Passive Security Threats

•  Passive Threats
  –  Traffic Analysis
  –  Compromise of Message Contents
•  Active Threats
  –  Masquerade
  –  Replay
  –  Denial of Service
  –  Message Content Modification

Page 5: Packet Sniffers

•  Packet Sniffer Definition:
  –  A packet sniffer is a wire-tap device that plugs into computer networks and eavesdrops on the network traffic.
•  Components of a packet sniffer:
  –  Hardware: standard network adapters.
  –  Capture Filter: This is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, then stores the data in a buffer.
  –  Buffers: used to store the frames captured by the Capture Filter.
  –  Real-time analyzer: a module in the packet sniffer program used for traffic analysis and to sift the traffic for intrusion detection.
  –  Decoder: "Protocol Analysis."

Page 6: How does a Sniffer Work?

•  Sniffers work differently depending on the type of network they are in:
  –  Shared Ethernet
  –  Switched Ethernet
•  Detecting a sniffer:
  –  ARP
  –  Ping
  –  DNS

Page 7: Packet Sniffer Mitigation

The following techniques and tools can be used to mitigate sniffers:
•  Authentication: Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers.
•  Switched infrastructure: Deploy a switched infrastructure to counter the use of packet sniffers in your environment.
•  Antisniffer tools: Use these tools to employ software and hardware designed to detect the use of sniffers on a network.
•  Cryptography: The most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant.

[Figure: Host A, Router A, Router B, Host B]

Page 8: Top 11 Packet Sniffers

•  Wireshark
•  Kismet
•  Tcpdump
•  Cain and Abel
•  Ettercap
•  Dsniff
•  NetStumbler
•  Ntop
•  Ngrep
•  EtherApe
•  KisMAC

Page 9: What are sniffers used for?

•  Detection of clear-text passwords and usernames from the network.

•  Conversion of data to human readable format so that people can read the traffic.

•  Performance analysis to discover network bottlenecks.

•  Network intrusion detection in order to discover hackers.

Page 10: Review: IPv4 Packet Header

Page 11: IPv6 Address Truncation (Prowse)

•  Consider IPv6 address 2001:7120:0000:8001:0000:0000:0000:1F10
•  3 parts:
  –  Global routing prefix: 2001:7120:0000
  –  Subnet: 8001
  –  Interface ID: 0000:0000:0000:1F10
•  Truncation:
  –  1st: remove any leading zeroes
  –  2nd: any group of 4 zeroes can be truncated down to a single zero
  –  3rd: one consecutive group of zeroes can be truncated as a double colon (so 0000:0000:0000 becomes ::)
•  Result: 2001:7120:0:8001::1F10

Page 12: IPv6 Addressing Notes

•  IPv6 loopback address is 0000:0000:0000:0000:0000:0000:0000:0001
  –  Truncates to ::1
•  Double colon can only be used once in an IPv6 address
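The truncation rules from the two IPv6 slides, implemented in both directions so the "double colon only once" rule can be checked mechanically. This is an added Python example, not from the slides or the referenced texts; it applies rule 3 the way RFC 5952 does (the longest run of two or more zero groups, leftmost on a tie) and emits lowercase hex, so its output can be cross-checked against the standard library.

```python
import ipaddress
import re

# Added example (not from the slides): implements the three truncation rules
# and the "double colon only once" rule. Rule 3 follows RFC 5952: the longest
# run of two or more all-zero groups becomes "::" (leftmost run on a tie), and
# output hex digits are lowercase.


def compress_ipv6(full: str) -> str:
    """Apply the truncation rules to a full 8-group IPv6 address."""
    groups = full.lower().split(":")
    if len(groups) != 8 or not all(re.fullmatch(r"[0-9a-f]{1,4}", g) for g in groups):
        raise ValueError(f"not a full IPv6 address: {full!r}")
    # Rules 1 and 2: strip leading zeroes; an all-zero group becomes "0".
    groups = [g.lstrip("0") or "0" for g in groups]
    # Rule 3: locate the longest run of consecutive "0" groups.
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:  # RFC 5952 does not abbreviate a single zero group
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def expand_ipv6(text: str) -> str:
    """Undo the truncation; rejects text that uses '::' more than once."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once in an IPv6 address")
    if "::" in text:
        left, right = text.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = text.split(":")
    if len(groups) != 8 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", g) for g in groups):
        raise ValueError(f"malformed IPv6 address: {text!r}")
    return ":".join(g.lower().zfill(4) for g in groups)


def is_valid_ipv6_text(text: str) -> bool:
    """True if the text expands cleanly under the rules above."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def agrees_with_stdlib(full: str) -> bool:
    """Cross-check the hand-rolled compression against the standard library."""
    return compress_ipv6(full) == ipaddress.IPv6Address(full).compressed
```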

Page 13: Wireless Sniffing

•  If you’re on the wireless web, you’re at risk!
  –  Hackers can steal…
    •  Emails
    •  Usernames and Passwords
    •  Credit card numbers
    •  Anything you type on a website that doesn’t use SSL (HTTPS)
•  Tools of the Trade
  –  Wireshark
    •  Freely available online
    •  Captures traffic (HTTPS/POP/etc.) of everyone on a given network
  –  Special Wireless Card
    •  Promiscuous Mode
    •  Inexpensive (~$30)

Page 14: Wireshark

Page 15: Exam Notes: Walker

•  The IPv4 loopback address (denoting the software loopback of your own machine) is 127.0.0.1
•  MAC address of broadcast messages is FF:FF:FF:FF:FF:FF
•  The MAC address (a.k.a. physical address) that is burned onto a NIC is actually made of two sections.
  –  The first half of the address, consisting of 3 bytes (24 bits), is known as the organizationally unique identifier (OUI) and is used to identify the card manufacturer.
  –  The second half is a unique number burned in at manufacturing to ensure no two cards on any given subnet will have the same address.

Page 16: WinPcap: the Free Packet Capture Library for Windows

•  WinPcap is an open source library for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll, based on libpcap version 0.6.2).

•  The packet filter is a device driver that adds to Windows 95, 98, ME, NT, 2000, XP and 2003 the ability to capture and send raw data from a network card, with the possibility to filter and store in a buffer the captured packets.

•  Packet.dll is an API that can be used to directly access the functions of the packet driver, offering a programming interface independent from the Microsoft OS.

•  Wpcap.dll exports a set of high-level capture primitives that are compatible with libpcap, the well-known Unix capture library. These functions allow packets to be captured in a way that is independent of the underlying network hardware and operating system.

•  WinPcap is released under a BSD-style license.

Page 17: Nmap – Free Network Scanner for Network Exploration and Security

Page 18: Snort – The de facto standard for intrusion detection and prevention

•  Simple, efficient, FREE IDS
•  Very well-written and maintained, robust application
•  Snort is driven by a set of (community developed) rules
•  Actively (constantly) under development
•  Windows and UNIX versions available

Page 19: Snort

•  Alerts generated and/or packets logged when a "rule" is triggered.
•  Very simple rule language for writing your own rules
•  Ability to log alerts to syslog, directories in ASCII, tcpdump-format raw data
•  Different alert styles, from one-line to verbose
•  Modular "plug-in" architecture for adding functionality
•  Many available plug-ins, including SQL and Oracle database logging, statistical analysis, TCP stream and telnet session reassembly, active response using "sniping"
•  Resistant against some of the newer attacks directed at foiling IDSs

Page 20: Ethereal – Protocol Analyzer

•  Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education.
•  Its open source license allows talented experts in the networking community to add enhancements.
•  It runs on all popular computing platforms, including Unix, Linux, and Windows.
•  Data can be captured "off the wire" from a live network connection, or read from a capture file.
•  673 protocols can currently be dissected

Page 21: Ethereal

•  Ethereal can read capture files from tcpdump (libpcap), NAI's Sniffer™ (compressed and uncompressed), Sniffer™ Pro, NetXray™, Sun snoop and atmsnoop, Shomiti/Finisar Surveyor, AIX's iptrace, Microsoft's Network Monitor, Novell's LANalyzer, RADCOM's WAN/LAN Analyzer, HP-UX nettl, i4btrace from the ISDN4BSD project, Cisco Secure IDS iplog, the pppd log (pppdump-format), the AG Group's/WildPacket's EtherPeek/TokenPeek/AiroPeek, or Visual Networks' Visual UpTime. It can also read traces made from Lucent/Ascend WAN routers and Toshiba ISDN routers, as well as the text output from VMS's TCPIPtrace utility and the DBS Etherwatch utility for VMS. Any of these files can be compressed with gzip and Ethereal will decompress them on the fly.

•  Live data can be read from Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms).

•  Captured network data can be browsed via a GUI, or via the TTY-mode "tethereal" program.

•  Capture files can be programmatically edited or converted via command-line switches to the "editcap" program.

Page 22: Ethereal

Page 23: Protocol Sniffing

•  SMTP – Simple Mail Transfer Protocol
  –  SMTP (including V3) sends as plaintext
•  FTP versus SFTP / SCP
  –  FTP passes userids and passwords in the clear
  –  TFTP passes everything in the clear
•  Other protocols with cleartext passwords:
  –  SNMPv1
  –  NNTP
  –  IMAP
  –  POP3
  –  HTTP

Page 24: Address Mapping

•  The delivery of a packet to a host or a router requires two levels of addressing: logical and physical.

•  We need to be able to map a logical address to its corresponding physical address and vice versa.

•  These can be done using either static or dynamic mapping.

Page 25: Address Mapping

•  Anytime a host or a router has an IP datagram to send to another host or router, it has the logical (IP) address of the receiver.
  –  But the IP datagram must be encapsulated in a frame to be able to pass through the physical network.
  –  This means that the sender needs the physical address of the receiver.
  –  A mapping associates a logical address with a physical address.
  –  ARP accepts a logical address from the IP protocol, maps the address to the corresponding physical address and passes it to the data link layer.

Page 26: ARP Packet

Page 27: Encapsulation of ARP Packet

Ethernet frame fields carrying an ARP packet:
•  Preamble and SFD: 8 bytes
•  Destination address: 6 bytes
•  Source address: 6 bytes
•  Type: 2 bytes (0x0806 for ARP)
•  Data: the ARP packet
•  CRC: 4 bytes

Page 28: Four Examples of Using ARP

Page 29: ARP Example

A host with IP address 130.23.43.20 and physical address B2:34:55:10:22:10 has a packet to send to another host with IP address 130.23.43.25 and physical address A4:6E:F4:59:83:AB. The two hosts are on the same Ethernet network. Show the ARP request and reply packets encapsulated in Ethernet frames.

Page 30: ARP Cache Poisoning

Page 31: ARP Cache Poisoning

•  If a victim sends an ARP request and gets an ARP reply, ARP has no way to verify the correctness of the IP-to-MAC mapping.
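The request and reply from the ARP Example slide, built and decoded as Ethernet frames (type 0x0806 per the encapsulation slide), plus a passive monitor for the weakness this slide describes: since ARP itself cannot verify a reply, a defender instead remembers the IP-to-MAC binding first seen for each address and alerts when a later reply contradicts it, as arpwatch does. This is an added Python example, not from the slides or the referenced texts; the host addresses are the slide's, and the conflicting MAC used when exercising the monitor is a constructed value.

```python
import struct

# Added example (not from the slides): the ARP request/reply from the slide's
# exercise as Ethernet frames (type 0x0806), a decoder, and a passive monitor
# that flags replies contradicting a previously seen IP-to-MAC binding. The
# host addresses are the slide's; the conflicting MAC used when testing the
# monitor is a constructed value.

ETH_TYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2

HOST_A = ("b2:34:55:10:22:10", "130.23.43.20")   # sender in the slide exercise
HOST_B = ("a4:6e:f4:59:83:ab", "130.23.43.25")   # target in the slide exercise


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """14-byte Ethernet header followed by a 28-byte ARP packet (Ethernet/IPv4)."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4, operation
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """Decode an Ethernet frame carrying ARP; raise ValueError for anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETH_TYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{eth_type:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    body = frame[22:42]
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
        "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20]),
    }


def slide_exchange():
    """The request (broadcast) and reply (unicast) from the slide exercise."""
    request = build_arp_frame(ARP_REQUEST, HOST_A[0], HOST_A[1], ZERO_MAC, HOST_B[1])
    reply = build_arp_frame(ARP_REPLY, HOST_B[0], HOST_B[1], HOST_A[0], HOST_A[1])
    return request, reply


class ArpBindingMonitor:
    """Passive detector in the style of arpwatch: the first binding seen for an
    IP is remembered; later replies that disagree with it raise an alert."""

    def __init__(self):
        self.bindings = {}   # sender_ip -> sender_mac
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; return the list of alerts it produced (possibly empty)."""
        pkt = parse_arp_frame(frame)
        new = []
        if pkt["op"] != ARP_REPLY:
            return new
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if pkt["eth_src"] != mac:
            # A real stack puts its own MAC in both places.
            new.append(f"{ip}: frame source {pkt['eth_src']} differs from ARP sender {mac}")
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            new.append(f"{ip}: binding changed {known} -> {mac}")
        self.alerts.extend(new)
        return new
```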

Page 32: MAC Flooding

•  All a switch knows is flooding or forwarding.
  –  If a switch receives a unicast message, it forwards it to the port where the destination MAC address is connected.
  –  Switches can flood all of their ports.
  –  The switch uses Content Addressable Memory (CAM):
    •  A cached table that maps MAC addresses to switch ports.
    •  e.g., MAC A is on port 1.
•  Modern switches protect against MAC flooding, but may be susceptible to MAC spoofing.

Page 33: MAC Flooding Attack

Page 34: DHCP Starvation

•  Works by flooding the DHCP server with lease requests to use up all available IP addresses

Page 35: DHCP Snooping

•  Mitigates DHCP starvation
•  DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable.
•  The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients.
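A simplified model of the per-port decision a DHCP-snooping switch makes, covering the two behaviours named on this slide and the previous one: server messages are accepted only on trusted ports (rogue-server protection) and client messages are rate-limited per port (starvation protection). This is an added Python example, not from the slides or any vendor's implementation; the port names, trusted set, limit and traffic are constructed, and only the DHCP message type (option 53) is modelled rather than full packet parsing.

```python
from collections import deque

# Added example (not from the slides): a simplified model of the per-port
# policy a DHCP-snooping switch applies. Server messages are accepted only on
# trusted ports (rogue-server protection) and client messages are rate-limited
# per port (starvation protection). Port names, the trusted set and the limit
# are constructed; only the DHCP message type (option 53) is modelled.

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}     # only a DHCP server sends these
CLIENT_MESSAGES = {DISCOVER, REQUEST}


class DhcpSnooping:
    def __init__(self, trusted_ports, max_client_msgs, window_s):
        self.trusted = set(trusted_ports)
        self.max_client_msgs = max_client_msgs
        self.window_s = window_s
        self.recent = {}    # port -> timestamps of recent client messages
        self.log = []

    def check(self, port, msg_type, src_mac, now):
        """Return 'forward' or 'drop' for one DHCP message seen on a port."""
        if port in self.trusted:
            return "forward"          # uplink to the real server: no checks
        if msg_type in SERVER_MESSAGES:
            self.log.append(f"drop: server message {msg_type} from {src_mac} on untrusted {port}")
            return "drop"
        if msg_type in CLIENT_MESSAGES:
            q = self.recent.setdefault(port, deque())
            while q and now - q[0] > self.window_s:
                q.popleft()           # forget messages outside the window
            q.append(now)
            if len(q) > self.max_client_msgs:
                self.log.append(f"drop: {len(q)} client messages within {self.window_s}s on {port}")
                return "drop"
            return "forward"
        self.log.append(f"drop: unexpected DHCP message type {msg_type} on {port}")
        return "drop"


def run_scenario():
    """Constructed traffic: a normal lease, a rogue offer, then a DISCOVER burst
    with changing client MACs from one access port."""
    snoop = DhcpSnooping(trusted_ports={"Gi0/24"}, max_client_msgs=5, window_s=10.0)
    results = [
        snoop.check("Gi0/1", DISCOVER, "aa:aa:aa:00:00:01", 0.0),
        snoop.check("Gi0/24", OFFER, "00:11:22:33:44:55", 0.1),   # real server on uplink
        snoop.check("Gi0/7", OFFER, "bb:bb:bb:00:00:07", 0.2),    # rogue server on access port
    ]
    for i in range(8):
        results.append(snoop.check("Gi0/9", DISCOVER, f"cc:cc:cc:00:00:{i:02x}", 1.0 + i * 0.1))
    return results, snoop.log
```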

Page 36: Screened Subnet Architectures

•  Perimeter Network
•  Bastion Host
•  Interior Router
•  Exterior Router

[Figure: Internet, Exterior Router, Perimeter Network with Bastion Host, Interior Router, Internal Network]

Page 37: What is a Bastion Host? (SANS Institute Intrusion Detection FAQ)

•  A bastion host is a computer that is fully exposed to attack.
•  The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router.
  –  Frequently the roles of these systems are critical to the network security system. Indeed, the firewalls and routers can be considered bastion hosts.
  –  Due to their exposure, a great deal of effort must be put into designing and configuring bastion hosts to minimize the chances of penetration.
  –  Other types of bastion hosts include web, mail, DNS, and FTP servers.
  –  Some network administrators will also use sacrificial lambs as bastion hosts; these systems are deliberately exposed to potential hackers to both delay and facilitate tracking of attempted break-ins.

Page 38: Configuring a Bastion Host

•  Effective bastion hosts are configured very differently from typical hosts.

•  Each bastion host fulfills a specific role; all unnecessary services, protocols, programs, and network ports are disabled or removed.

•  Bastion hosts do not share authentication services with trusted hosts within the network so that if a bastion is compromised the intruder will still not have 'the keys to the castle.'

•  A bastion host is hardened to limit potential methods of attack.

Page 39: Hardening a Bastion Host

•  The specific steps to harden a particular bastion host depend upon the intended role of that host as well as the operating system and software that it will be running.
•  Access Control Lists (ACLs) will be modified on the file system and other system objects; all unnecessary TCP and UDP ports will be disabled; all non-critical services and daemons will be removed; as many utilities and system configuration tools as is practical will also be removed.
•  All appropriate service packs, hot fixes, and patches should be installed.
•  Logging of all security-related events needs to be enabled, and steps need to be taken to ensure the integrity of the logs so that a successful intruder is unable to erase evidence of their visit.

•  Any local user account and password databases should be encrypted if possible.

Page 40: Proxy Servers – reality and illusion

•  Proxy systems deal with insecurity problems by avoiding user logins on the dual-homed host and by forcing connections through controlled software

[Figure: User’s Illusion and reality; labels: Client, Proxy Server, Bastion Host, User, External Server, External Host]

Page 41: Proxy Servers

•  A server that sits between a client application, such as a Web browser, and a real server.
  –  It intercepts all requests to the real server to see if it can fulfill the requests itself.
  –  If not, it forwards the request to the real server.
•  Proxy servers have two major functions:
  –  Improve Performance: Proxy servers can dramatically improve performance because proxy servers save the results of all requests for a certain amount of time.
    •  Consider the case where both user X and user Y access the WWW through a proxy server.
      –  First user X requests a certain Web page, which we'll call Page 1.
      –  Sometime later, user Y requests the same page.
      –  Instead of forwarding the request to the Web server where Page 1 resides, which can be a time-consuming operation, the proxy server simply returns the Page 1 that it already fetched for user X.
    •  Since the proxy server is often on the same network as the user, this is a much faster operation. Real proxy servers can support hundreds or thousands of users.
  –  Filter Requests: Proxy servers can also be used to filter requests. For example, a company might use a proxy server to prevent its employees from accessing a specific set of Web sites.

Page 42: Securing the Network Apps

•  The last step to securing a bastion host may be the most difficult: securing whatever network application the host is running.
•  Very often the vendor of a web or streaming media server doesn't consider security risks while developing their product.
•  It is usually up to the system administrator to determine through testing what ACLs they need to modify to lock down the network application as thoroughly as possible without disabling the very features that make it a useful tool.
•  It is also necessary to closely track the latest announcements from the vendor regarding security problems, workarounds, and patches.
•  The more popular network applications also tend to inspire the creation of independent mailing lists, newsgroups, and websites that can be tracked for additional insights.

Page 43: Network Address Translation (NAT) (Cisco)

•  Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between an internal network and the rest of the world.

•  NAT has many forms and can work in several ways

Page 44: Static NAT

•  Static NAT: Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.
  –  Unregistered means a host with an IP address but no domain name registered in the DNS.

In static NAT, the computer with the IP address 192.168.32.10 will always translate to 213.18.123.110.

Page 45: Dynamic NAT

•  Dynamic NAT: Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.

In dynamic NAT, the computer with the IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.

Page 46: Overloading

•  Overloading: A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports.
•  This is also known as PAT (Port Address Translation), single-address NAT or port-level multiplexed NAT.

In overloading, each computer on the private network is translated to the same IP address (213.18.123.100), but with a different port number assignment.
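One translation table that behaves as each of the three NAT forms on the last three slides (static, dynamic, overloading), in both directions, so the difference between them shows up as what return traffic can and cannot be delivered. This is an added Python example, not from the slides or any router's implementation; it uses the slides' addresses (192.168.32.10 to 213.18.123.110, the pool 213.18.123.100 to .150, the single address 213.18.123.100 for overloading), while the other inside hosts, the inside ports and the first outside port (1024) are constructed values.

```python
import ipaddress
from itertools import count

# Added example (not from the slides): one translation table that behaves as
# each of the three NAT forms the slides describe, using the slides' addresses
# (static 192.168.32.10 -> 213.18.123.110; dynamic pool 213.18.123.100-150;
# overloading onto 213.18.123.100 with a port per flow). Inside hosts other
# than 192.168.32.10, the inside ports and the first outside port (1024) are
# constructed values.


class NatTable:
    def __init__(self, mode, static=None, pool=None, pat_address=None):
        self.mode = mode                  # "static", "dynamic" or "overload"
        self.static = dict(static or {})
        self.free_pool = list(pool or [])
        self.pat_address = pat_address
        self.next_port = count(1024)
        self.table = {}                   # inside identity -> outside identity

    def translate(self, inside_ip, inside_port=None):
        """Outbound direction: what the packet's source becomes."""
        if self.mode == "static":
            if inside_ip not in self.static:
                raise LookupError(f"no static mapping for {inside_ip}")
            return self.static[inside_ip]
        if self.mode == "dynamic":
            if inside_ip not in self.table:
                if not self.free_pool:
                    raise RuntimeError("address pool exhausted")
                self.table[inside_ip] = self.free_pool.pop(0)   # first available
            return self.table[inside_ip]
        if self.mode == "overload":
            key = (inside_ip, inside_port)
            if key not in self.table:
                self.table[key] = (self.pat_address, next(self.next_port))
            return self.table[key]
        raise ValueError(f"unknown mode {self.mode!r}")

    def untranslate(self, outside_ip, outside_port=None):
        """Inbound direction: which inside identity return traffic belongs to,
        or None when no mapping exists (the packet is dropped)."""
        if self.mode == "static":
            mapping = {v: k for k, v in self.static.items()}
            return mapping.get(outside_ip)
        if self.mode == "dynamic":
            mapping = {v: k for k, v in self.table.items()}
            return mapping.get(outside_ip)
        if self.mode == "overload":
            mapping = {v: k for k, v in self.table.items()}
            return mapping.get((outside_ip, outside_port))
        raise ValueError(f"unknown mode {self.mode!r}")


def address_range(first, last):
    """All IPv4 addresses from first to last inclusive, as strings."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(x)) for x in range(lo, hi + 1)]


def slide_examples():
    """The three slide scenarios run through the table."""
    static = NatTable("static", static={"192.168.32.10": "213.18.123.110"})
    dynamic = NatTable("dynamic", pool=address_range("213.18.123.100", "213.18.123.150"))
    pat = NatTable("overload", pat_address="213.18.123.100")
    return {
        "static": static.translate("192.168.32.10"),
        "static_return": static.untranslate("213.18.123.110"),
        "dynamic_first": dynamic.translate("192.168.32.10"),
        "dynamic_second": dynamic.translate("192.168.32.11"),
        "pat_a": pat.translate("192.168.32.10", 40001),
        "pat_b": pat.translate("192.168.32.11", 40001),   # same inside port, other host
        "pat_a_again": pat.translate("192.168.32.10", 40001),
        "pat_return": pat.untranslate("213.18.123.100", 1025),
        "pat_unknown": pat.untranslate("213.18.123.100", 9999),
    }
```

Unsolicited inbound traffic to the PAT address with a port nobody mapped resolves to None, which is why overloading alone does not make an inside host reachable from outside, while static NAT does.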

Page 47: Overlapping

•  Overlapping: When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses.

–  It is important to note that the NAT router must translate the "internal" addresses to registered unique addresses as well as translate the "external" registered addresses to addresses that are unique to the private network.

–  This can be done either through static NAT or by using DNS and implementing dynamic NAT.

•  The internal IP range (237.16.32.xx) is also a registered range used by another network.

–  Therefore, the router is translating the addresses to avoid a potential conflict with another network.

–  It will also translate the registered global IP addresses back to the unregistered local IP addresses when information is sent to the internal network.

Page 48: Firewall Selection

•  Single-purpose router or a general-purpose computer?
  –  Packet filtering should be the only activity on the device
  –  Combinations of proxy servers and/or bastion hosts may be implemented on the routing device
    •  Serious increase in hardware performance requirements
•  Simple specification of rules
  –  Packet filtering is complicated to begin with because the protocols are complex; rule implementation should not add complexity.
•  It should allow rules based on any header or meta-packet criteria
  –  Header information is in the packet
  –  Meta-packet information is those things routers recognize outside of the header

Page 49: Applying filtering rules

•  Apply rules in the order specified
  –  Reordering makes it more difficult to analyze what is going on
  –  Any quirks or bugs in the rule set may be obscured
  –  Reordering rules can break a rule set that would otherwise work correctly
•  Example
  –  Rule A permits the university network to reach your research subnet
  –  Rule B locks a hostile subnet at the university out of everything else
  –  Rule C disallows Internet access to your subnet
•  Rule order ABC
  –  Packet from hostile subnet allowed to research subnet (rule A)
•  Rule order BAC
  –  Packet from hostile subnet denied access to research subnet (rule B)
  –  Rule may have limited granularity
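The slide's ABC-versus-BAC example run through a first-match packet filter, which is what makes the ordering matter: the hostile subnet is inside the university network, so whichever of A and B is evaluated first decides the packet. This is an added Python example, not from the slides or the referenced texts; the address ranges are constructed (university 172.16.0.0/12 with the hostile subnet 172.16.66.0/24 inside it, research subnet 192.0.2.0/24, "Internet" meaning any source outside the university) and unmatched packets are denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the slides): a first-match packet filter that runs
# the slide's rules A, B and C in the two orders the slide compares. The
# address ranges are constructed: university 172.16.0.0/12, the hostile subnet
# 172.16.66.0/24 inside it, the research subnet 192.0.2.0/24; "Internet" is
# any source outside the university network. Unmatched packets are denied.

UNIVERSITY = ipaddress.ip_network("172.16.0.0/12")
HOSTILE = ipaddress.ip_network("172.16.66.0/24")
RESEARCH = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_not: Optional[ipaddress.IPv4Network] = None   # excluded sources (rule C)

    def matches(self, src_ip, dst_ip):
        if src_ip not in self.src or dst_ip not in self.dst:
            return False
        return self.src_not is None or src_ip not in self.src_not


RULE_A = Rule("A", "permit", UNIVERSITY, RESEARCH)              # university -> research
RULE_B = Rule("B", "deny", HOSTILE, ANY)                        # hostile subnet -> anything
RULE_C = Rule("C", "deny", ANY, RESEARCH, src_not=UNIVERSITY)   # Internet -> research


def filter_packet(rules, src, dst):
    """First matching rule decides; returns (action, rule name)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.name
    return "deny", "default"


def compare_orders(src, dst):
    """The same packet under rule order ABC and under BAC."""
    return {
        "ABC": filter_packet([RULE_A, RULE_B, RULE_C], src, dst),
        "BAC": filter_packet([RULE_B, RULE_A, RULE_C], src, dst),
    }
```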

Page 50: More packet filtering guidelines

•  Allow rules to be applied separately to incoming and outgoing packets on a per-interface basis
  –  Provides maximum flexibility
  –  When only outgoing packets can be viewed:
    •  The filtering system is always “outside” of its filters
    •  More difficult to detect forged packets
  –  Forgery is most easily detected when the packet enters from outside the system
  –  Routers can generate packets themselves and sometimes process internal packets (due to fixed paths, for example).
  –  Filtering outgoing packets only is more complicated when the router has multiple ports
•  Allow option to log accepted or dropped packets
•  Support good testing and validation capabilities

Page 51: Honeypots

•  High-interaction honeypots simulate all services and applications and are designed to be completely compromised.
•  Low-interaction honeypots simulate limited services and cannot be completely compromised.

Page 52: Summary – Section Objectives

•  Describe sniffing concepts, including active and passive sniffing and protocols susceptible to sniffing
•  Describe ethical hacking techniques for Layer 2 traffic
•  Describe sniffing tools and understand their output
•  Describe sniffing countermeasures
•  Learn about intrusion detection system (IDS), firewall, and honeypot types, use, and placement
•  Describe signature analysis within Snort
•  Describe IDS, firewall, and honeypot evasion techniques