Chapter 7 Network Devices

Chapter 7 Network Devices. Discovery Detecting Network Devices Port Scanning –traceroute, netcat, nmap, and SuperScan dig –An undated replacement for


Discovery

Detecting Network Devices

Port Scanning
– traceroute, netcat, nmap, and SuperScan

dig
– An updated replacement for nslookup in Unix/Linux
– If it's not installed by default in your Ubuntu, use apt-get install dnsutils

Finding Mail Exchanges with nslookup

Finding Mail Exchanges with dig

Types of DNS Records

A - maps a hostname to an IPv4 address
AAAA - maps a hostname to an IPv6 address
CNAME - Canonical name - an alias of one name to another
MX - mail exchange record
PTR - maps an IPv4 address to the canonical name for that host (allows reverse DNS lookups)

SOA - start of authority record - the authoritative DNS server for a domain
SRV - a generalized service location record, used for VoIP SIP servers
– See link Ch 705

For more about DNS Records, see link Ch 704 (Wikipedia)

dig Countermeasures

Secure your DNS infrastructure
Block or restrict zone transfers
Leave hosts out of your DNS records unless you want direct traffic to them from the Internet

traceroute

Tracert in Windows uses ICMP packets
Traceroute in Unix/Linux uses UDP packets
– The packets have low TTLs, starting with 1
– When the packet traverses a router, its TTL is decreased by 1
– If the TTL ever hits zero, the packet is dropped
– A notification is sent back to the originating source host in the form of an ICMP error packet

Finding Routing Devices at CCSF

Hops 10 and 11 both appear to be routing devices on campus

traceroute Countermeasures

Stop your routers from responding to TTL-exceeded packets
Deny all traffic specifically addressed to a router
Permit ICMP only from the LAN, not from the Internet

Autonomous System Lookup

Autonomous Systems

Autonomous System (AS)
– A collection of gateways (routers) that are controlled by one organization

Autonomous System Number (ASN)
– A numerical identifier for networks participating in Border Gateway Protocol (BGP)

Border Gateway Protocol (BGP)
– A protocol used to advertise routes worldwide

traceroute with ASN Information

Run traceroute from a Cisco router participating in BGP to see the ASNs
Hop 8 is a T-1; hops 4-9 all same company

Demo

Public Looking Glass sites let you test routing from various servers
– See Links 724-727

show ip bgp

From a Cisco router, we can find the other possible network paths

Public Newsgroups

Careless Postings

Careless admins may announce network vulnerabilities on newsgroups

Countermeasures:
– Be wary of what you say and where you say it


iClicker Questions

Which DNS record type contains the address of an Exchange server?

A. A
B. CNAME
C. MX
D. PTR
E. AAAA

1 of 3

Which DNS record type contains an IPv6 address?

A. A
B. SOA
C. SRV
D. PTR
E. AAAA

2 of 3

Which part of this tracert line shows the TTL value in the packets that were sent?

A. 15
B. 147.144.12.1
C. 2152
D. 240
E. None of the above

3 of 3

Review


iClicker Questions

Which technique uses the strongest encryption method?

A. PPTP
B. L2F
C. IKE
D. IPSec
E. L2TP

1 of 4

Which protocol conserves bandwidth, but lowers audio quality?

A. H.323
B. SIP
C. RTP
D. G.711
E. G.729

2 of 4

Which DNS record type indicates the target that holds the most complete data for a DNS Zone Transfer?

A. A
B. SOA
C. SRV
D. PTR
E. AAAA

3 of 4

Which part of this tracert line identifies the organization that controls the router?

A. 15
B. 147.144.12.1
C. 2152
D. 240
E. None of the above

4 of 4

Service Detection

Port Scanning

Common ports are known for each device

Nmap Results

Nmap also does OS detection, as we discussed in a previous chapter

Familiar Prompts

If Telnet is enabled on a Cisco router, you will see this prompt
A Cisco router configured for SSH still shows a banner to Telnet

Service Detection Countermeasures

Deny all unwanted traffic at network borders
PortSentry will detect port scans and block traffic from that IP
– But PortSentry itself could be used to perform a DoS attack if you don't check for spoofed packets

Network Vulnerability

The OSI Model

Data Units

APDU - Application Protocol Data Unit
PPDU - Presentation Protocol Data Unit
SPDU - Session Protocol Data Unit
TPDU - Transport Protocol Data Unit
– But our focus is on the first 3 layers

OSI Layer 1: Physical

Physical media that carry data: usually copper or fiber optics
Traffic can be intercepted with a physical man-in-the-middle attack
The next slide shows a T1 man-in-the-middle attack (copper lines)

Fiber Optic Physical MITM Attack

See link Ch 709

OSI Layer 2: Data Link

Layer 2 is the layer where the electrical impulses from Layer 1 have MAC addresses associated with them
Early Ethernet sent traffic to every node connected to the hub or backbone
Modern switched networks don't do that

Unswitched Ethernet

Most wired networks use switches instead of hubs now
Wi-Fi networks still work this way

Switched Ethernet

Switches make sniffing harder
They also make networks faster

Switch Sniffing

Some switches allow an administrator to monitor all traffic on a special port
ARP cache poisoning is the most common way to sniff traffic on a switch

ARP Poisoning with Cain

Easy to do
Part of Project X1: SideJacking Gmail in a Switched Network

ARP Poisoning Countermeasures

Use static ARP routes, with manually entered MAC addresses
– This prevents abuse of ARP redirection, but it is a LOT of tedious work
– Every time you change a NIC, you need to manually add the new MAC address to the tables

ARPwatch

Monitors ARP cache to detect poisoning
– Windows version crashed on my Win 7

But DecaffeinatID by Irongeek works great!
– Links Ch 729-733
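
The check an ARP monitor of this kind performs, as an added example (not ARPwatch's or DecaffeinatID's own code): it tracks IP-to-MAC bindings from observed ARP replies and alerts when a known IP is suddenly claimed by a different MAC, including a manually pinned entry. The class and function names are hypothetical and the ARP replies are constructed sample data.

```python
"""ARP binding monitor: flags IP-to-MAC changes that suggest ARP cache poisoning."""
from collections import defaultdict, namedtuple

Alert = namedtuple("Alert", "kind ip mac detail")


class ArpMonitor:
    def __init__(self, pinned=None):
        # pinned: IP -> MAC entries an admin verified by hand (static entries),
        # for example the default gateway.
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.bindings = {}                   # last MAC seen for each IP
        self.ips_by_mac = defaultdict(set)   # IPs each MAC currently answers for

    def observe(self, ip, mac):
        """Record one ARP reply ("ip is-at mac") and return any alerts it raises."""
        mac = mac.lower()
        alerts = []
        if ip in self.pinned and self.pinned[ip] != mac:
            alerts.append(Alert("PINNED_MISMATCH", ip, mac,
                                f"expected {self.pinned[ip]}"))
        previous = self.bindings.get(ip)
        if previous is not None and previous != mac:
            alerts.append(Alert("CHANGED", ip, mac, f"was {previous}"))
            self.ips_by_mac[previous].discard(ip)
        self.bindings[ip] = mac
        if ip not in self.ips_by_mac[mac]:
            self.ips_by_mac[mac].add(ip)
            if len(self.ips_by_mac[mac]) > 1:
                # Heuristic only: routers and proxy-ARP hosts do this legitimately.
                others = sorted(self.ips_by_mac[mac] - {ip})
                alerts.append(Alert("MULTIPLE_IPS", ip, mac,
                                    f"also answers for {', '.join(others)}"))
        return alerts


# Constructed sample data: (IP, MAC) pairs as they would appear in ARP replies.
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),   # gateway
    ("192.168.1.20", "AA:BB:CC:00:00:20"),  # workstation
    ("192.168.1.66", "DE:AD:BE:EF:00:66"),  # another host on the LAN
    ("192.168.1.1", "00:11:22:33:44:55"),   # gateway again, unchanged
    ("192.168.1.1", "DE:AD:BE:EF:00:66"),   # gateway IP now claimed by .66's MAC
]


def run(replies, pinned=None):
    """Feed a sequence of ARP replies to a fresh monitor and collect the alerts."""
    monitor = ArpMonitor(pinned)
    alerts = []
    for ip, mac in replies:
        alerts.extend(monitor.observe(ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_REPLIES, pinned={"192.168.1.1": "00:11:22:33:44:55"}):
        print(alert.kind, alert.ip, alert.mac, alert.detail)
```
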

Broadcast Sniffing

Connect to a port
It doesn't matter what your IP address is
Just sniff for broadcast packets
– Using Wireshark or any other sniffer

DHCP Packets

Give out IP addresses, and may also contain brand of router

DEMO:
Start Wireshark
Open Command Prompt
ipconfig /release
ipconfig /renew

ARP Packets

These give you IP addresses and MAC addresses

WINS Packets

Note Computer Description field at the end "Accounting"

Broadcast Sniffing Countermeasures

To limit broadcasts, split your network into different segments
Use VLANs – Virtual Local Area Networks
– Switches add a VLAN tag to each frame
– Broadcasts only reach machines on the same VLAN
– Link Ch 710


iClicker Questions

Which OSI layer assigns IP addresses?

A. Layer 5 or higher
B. Layer 4
C. Layer 3
D. Layer 2
E. Layer 1

1 of 3

Which OSI layer assigns MAC addresses?

A. Layer 5 or higher
B. Layer 4
C. Layer 3
D. Layer 2
E. Layer 1

2 of 3

Which frame type is never broadcast?

A. ACK
B. ARP
C. DHCP
D. ICMP
E. WINS

3 of 3

VLANs

Virtual LANs are logically separate LANs on the same physical medium
Each VLAN has its own VLAN Number
802.1q is the standard for VLAN Tagging

VLAN Tagging

– Links Ch 712, 713

Normal Ethernet Frame

Port-Based VLANs

Each port on the switch is assigned to a VLAN by the administrator
The clients send in normal Ethernet frames, and the VLAN tag is added by the switch
When tagged frames are received, the switch removes the VLAN tags
This is the most secure method

Native VLANs

Suppose you want to use a single network link to carry traffic from multiple VLANs?
– For example, a long line connecting two buildings

One VLAN can be defined as the "Native VLAN" or "Management VLAN"
– Frames belonging to the "Native VLAN" are not modified—no VLAN header is added to them, or removed

VLAN Jumping

This allows an attacker to craft a frame with two VLAN tags
– The first switch removes one tag
– The second switch sees the extra tag, so the frame hops from one VLAN to another

VLAN Jumping Countermeasures

Don't trust VLANs to enforce network security boundaries
Restrict access to the native VLAN port (VLAN ID 1)
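
A detection-side view of the VLAN tagging and VLAN jumping slides, as an added example that is not from the original deck: it walks the 802.1Q tag stack of a raw Ethernet frame captured on an access port and flags frames that arrive already tagged, especially double-tagged frames whose outer tag is the native VLAN. Function names and verdict strings are hypothetical, the frames are constructed hex samples, and native VLAN 1 follows the slide.

```python
"""Inspect the 802.1Q tag stack of frames seen on an access (client) port."""
import struct

TPID_8021Q = 0x8100    # IEEE 802.1Q VLAN tag
TPID_8021AD = 0x88A8   # IEEE 802.1ad service tag (provider Q-in-Q)


def parse_vlan_tags(frame):
    """Return (vlan_ids, ethertype): the VLAN IDs outermost first, then the payload type."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                      # skip destination and source MAC addresses
    vlan_ids = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vlan_ids, ethertype
        # A tag is TPID (2 bytes) + TCI (2 bytes), followed by the next type field.
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4


def check_access_port_frame(frame, native_vlan=1):
    """Classify a frame received from a client port, where frames should be untagged."""
    vlan_ids, _ = parse_vlan_tags(frame)
    if not vlan_ids:
        return "ok", vlan_ids
    if len(vlan_ids) == 1:
        return "tagged-on-access-port", vlan_ids
    if vlan_ids[0] == native_vlan:
        # Outer tag matches the native VLAN, so the first switch would strip it
        # and forward the frame with the inner tag still in place.
        return "double-tagged-native-outer", vlan_ids
    return "stacked-tags", vlan_ids


# Constructed sample frames: broadcast destination, locally administered source MAC,
# IPv4 EtherType, zero padding as payload.
_MACS = "ffffffffffff" "020000000001"
SAMPLE_FRAMES = {
    "untagged": bytes.fromhex(_MACS + "0800") + bytes(46),
    "single": bytes.fromhex(_MACS + "8100000a" + "0800") + bytes(46),
    "double": bytes.fromhex(_MACS + "81000001" + "81000014" + "0800") + bytes(46),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, check_access_port_frame(frame))
```
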

We'll skip these sections

Internetwork Routing Protocol Attack Suite (IRPAS) and Cisco Discovery Protocol (CDP)
Spanning Tree Protocol (STP) Attacks
VLAN Trunking Protocol (VTP) Attacks

OSI Layer 3

Internet Protocol Version 4 (IPv4)
– Has no built-in security measures

TCP Sequence Numbers
– Example: tcpdump showing a Telnet connection
– S = SYN, A = ACK; note increasing Sequence and Acknowledgement numbers

Demonstration of Sequence Numbers

Use Ubuntu

In one Terminal window:
– sudo apt-get install tcpdump
– sudo tcpdump -tnlS | tee capture
  (no timestamps, numerical IP addresses, line buffered, absolute sequence numbers)

In another Terminal window:
– telnet 147.144.1.2

In first Terminal window:
– pico capture

Attacks Using Sequence Numbers

Attacker on target LAN
– Sequence numbers can be sniffed
– Session can be hijacked with ARP cache poisoning

Attacker not on target LAN
– If sequence numbers can be predicted
– Attacker can forge packets and hijack a later session

Vulnerabilities to ISN Prediction

Windows NT4 SP3   Attack feasibility: 97.00%
Windows 98 SE     Attack feasibility: 100.00%
Windows 95        Attack feasibility: 100.00%
AIX 4.3           Attack feasibility: 100%
HPUX11            Attack feasibility: 100%
Solaris 7         Attack feasibility: 66.00%
MacOS 9           Attack feasibility: 89.00%
– See links Ch 718, 719, 720
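
For auditing a host you run, an added example (not from the original deck) that ties the sequence-number demonstration to the ISN prediction slide: it parses tcpdump -tnlS output, checks that each handshake acknowledges ISN + 1, and reports whether the server's ISNs step by a fixed increment between connections. It assumes the current tcpdump line format ("Flags [S], seq N"); the capture lines, the client address and the 64000 step are constructed, and the function names are hypothetical.

```python
"""Check TCP handshakes and ISN spacing in `tcpdump -tnlS` output."""
import re

LINE_RE = re.compile(
    r"^IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
)
MOD = 2 ** 32   # sequence numbers are 32-bit and wrap around


def parse_line(line):
    """Return src, dst, flags, seq and ack for one tcpdump TCP line, or None."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    pkt = match.groupdict()
    for key in ("seq", "ack"):
        pkt[key] = int(pkt[key]) if pkt[key] is not None else None
    return pkt


def handshakes(lines):
    """Pair SYN, SYN-ACK and ACK lines into completed three-way handshakes."""
    pending, done = {}, []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == "S" and pkt["seq"] is not None:
            pending[(pkt["src"], pkt["dst"])] = {
                "client": pkt["src"], "server": pkt["dst"], "client_isn": pkt["seq"]}
        elif pkt["flags"] == "S." and pkt["seq"] is not None:
            hs = pending.get((pkt["dst"], pkt["src"]))
            if hs is not None:
                hs["server_isn"] = pkt["seq"]
                hs["synack_ok"] = pkt["ack"] == (hs["client_isn"] + 1) % MOD
        elif pkt["flags"] == ".":
            hs = pending.get((pkt["src"], pkt["dst"]))
            if hs is not None and "server_isn" in hs:
                hs["ack_ok"] = pkt["ack"] == (hs["server_isn"] + 1) % MOD
                done.append(pending.pop((pkt["src"], pkt["dst"])))
    return done


def constant_increment(isns):
    """Return the step if successive ISNs differ by one fixed value (mod 2**32), else None."""
    deltas = {(b - a) % MOD for a, b in zip(isns, isns[1:])}
    return deltas.pop() if len(deltas) == 1 else None


# Constructed capture: three Telnet connections to the demo address 147.144.1.2.
SAMPLE_CAPTURE = """\
IP 192.168.1.10.50514 > 147.144.1.2.23: Flags [S], seq 2927179378, win 64240, options [mss 1460], length 0
IP 147.144.1.2.23 > 192.168.1.10.50514: Flags [S.], seq 4294900000, ack 2927179379, win 65160, options [mss 1460], length 0
IP 192.168.1.10.50514 > 147.144.1.2.23: Flags [.], ack 4294900001, win 502, length 0
IP 192.168.1.10.50515 > 147.144.1.2.23: Flags [S], seq 1187402211, win 64240, options [mss 1460], length 0
IP 147.144.1.2.23 > 192.168.1.10.50515: Flags [S.], seq 4294964000, ack 1187402212, win 65160, options [mss 1460], length 0
IP 192.168.1.10.50515 > 147.144.1.2.23: Flags [.], ack 4294964001, win 502, length 0
IP 192.168.1.10.50516 > 147.144.1.2.23: Flags [S], seq 3910556402, win 64240, options [mss 1460], length 0
IP 147.144.1.2.23 > 192.168.1.10.50516: Flags [S.], seq 60704, ack 3910556403, win 65160, options [mss 1460], length 0
IP 192.168.1.10.50516 > 147.144.1.2.23: Flags [.], ack 60705, win 502, length 0
"""


def audit(capture_text):
    """Return (completed handshakes, fixed server ISN step or None)."""
    found = handshakes(capture_text.splitlines())
    return found, constant_increment([hs["server_isn"] for hs in found])


if __name__ == "__main__":
    found, step = audit(SAMPLE_CAPTURE)
    for hs in found:
        print(hs)
    print("fixed server ISN step:", step)
```
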

IP Version 6 (IPv6)

Long addresses like this
– ABCD:EF01:2345:6789:0123:4567:8FF1:2345

Native security

IPSec encryption framework has two modes:
– Tunnel mode encrypts whole packet (most secure)
– Transport mode just encrypts the data, not the IP header

Both modes are much more secure than IPv4

Sniffing Attacks

Steal passwords or hijack sessions
Generally require access to the LAN
Tools: Wireshark, tcpdump, Cain, ettercap, hamster, ferret
Older tools: dsniff, webmitm, mailsnarf, webspy

Sniffing Countermeasures

Segment network with switches, routers, or VLANs
Use encrypted protocols like SSL/TLS

Cisco Vulnerabilities

Older routers allow anyone on the LAN to download the configuration file with TFTP
Passwords in the config were weakly encrypted
– The newer MD5 hash is stronger, although it can still be brute-forced with Cain
– See Proj X4: Cracking Cisco Passwords


iClicker Questions

Which technique will best protect passwords from sniffing attacks?

A. Use IPv6
B. Switches
C. VLANs
D. Subnetting with routers
E. Encrypted protocols

1 of 4


Which attacker can perform a MITM attack with ARP poisoning?

A. Attacker on target VLAN

B. Attacker on target LAN, but different VLAN; or case A

C. Attacker on target LAN, but different subnet; or case A

D. Attacker outside target LAN; or cases A, B, or C

E. None of the above

2 of 4


Which attacker can perform a MITM attack with access to the management port on a switch?

A. Attacker on target VLAN

B. Attacker on target LAN, but different VLAN; or case A

C. Attacker on target LAN, but different subnet; or case A

D. Attacker outside target LAN; or cases A, B, or C

E. None of the above

3 of 4


Which attacker can perform a MITM attack with ISN prediction?

A. Attacker on target VLAN

B. Attacker on target LAN, but different VLAN; or case A

C. Attacker on target LAN, but different subnet; or case A

D. Attacker outside target LAN; or cases A, B, or C

E. None of the above

4 of 4


Not graded

Survey Questions

What portable computing devices do you own?

A. Laptop computer
B. Smart phone or Blackberry
C. Both of the above
D. None of the above

1 of 3

Do you use these social network(s)?

A. MySpace or Facebook
B. LinkedIn
C. Twitter
D. More than one of these
E. None of these

2 of 3

Would you like to use Twitter during the lecture?

A. Yes, with my own device
B. I have my own device to tweet with, but I'm not sure I'd like to use it in class
C. Yes, if a laptop were loaned to me
D. Maybe, if a laptop were loaned to me
E. Absolutely not--it would distract me

3 of 3