Mississippi State University Center for Cyber Innovation 1
J. A. “Drew” Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation
Professor, Computer Science & Engineering
CCI Post Office Box 9627 Mississippi State, MS 39762
Voice: (662) 325-2294 Fax: (662) 325-7692 [email protected]
Section Objectives
• Describe sniffing concepts, including active and passive sniffing and protocols susceptible to sniffing
• Describe ethical hacking techniques for Layer 2 traffic
• Describe sniffing tools and understand their output
• Describe sniffing countermeasures
• Learn about intrusion detection system (IDS), firewall, and honeypot types, use, and placement
• Describe signature analysis within Snort
• Describe IDS, firewall, and honeypot evasion techniques
Sniffing and Evasion
Dr. Drew Hamilton
Reference: Aarti Dhone, UNR
Reference: Behrouz Forouzan, McGraw-Hill’s TCP/IP Protocol Suite
Reference: Matt Walker All-in-One CEH Certified Ethical Hacker
Active and Passive Security Threats
• Passive Threats
– Traffic Analysis
– Compromise of Message Contents
• Active Threats
– Masquerade
– Replay
– Denial of Service
– Message Content Modification
Packet Sniffers
• Packet Sniffer Definition:
– A packet sniffer is a wire-tap device that plugs into computer networks and eavesdrops on the network traffic.
• Components of a packet sniffer:
– Hardware: standard network adapters.
– Capture Filter: This is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, then stores the data in a buffer.
– Buffers: used to store the frames captured by the Capture Filter.
– Real-time analyzer: a module in the packet sniffer program used for traffic analysis and to sift the traffic for intrusion detection.
– Decoder: "Protocol Analysis."
How does a Sniffer Work?
• Sniffers also work differently depending on the type of network they are in.
– Shared Ethernet
– Switched Ethernet
• Detecting a sniffer
– ARP
– Ping
– DNS
Packet Sniffer Mitigation
The following techniques and tools can be used to mitigate sniffers:
• Authentication: Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers.
• Switched infrastructure: Deploy a switched infrastructure to counter the use of packet sniffers in your environment.
• Antisniffer tools: Use these tools to employ software and hardware designed to detect the use of sniffers on a network.
• Cryptography: The most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant.
[Figure: Host A, Router A, Router B, Host B]
Top 11 Packet Sniffers
• Wireshark
• Kismet
• Tcpdump
• Cain and Abel
• Ettercap
• Dsniff
• NetStumbler
• Ntop
• Ngrep
• EtherApe
• KisMAC
What are sniffers used for?
• Detection of clear-text passwords and usernames from the network.
• Conversion of data to human readable format so that people can read the traffic.
• Performance analysis to discover network bottlenecks.
• Network intrusion detection in order to discover hackers.
Review: IPv4 Packet Header
IPv6 Address Truncation (Prowse)
• Consider IPv6 address 2001:7120:0000:8001:0000:0000:0000:1F10
• 3 parts
– Global routing prefix: 2001:7120:0000
– Subnet: 8001
– Interface ID: 0000:0000:0000:1F10
• Truncation:
– 1st: remove any leading zeroes
– 2nd: any group of 4 zeroes can be truncated down to a single zero
– 3rd: one consecutive group of zeroes can be truncated as a double colon (so 0000:0000:0000 becomes ::)
• Result: 2001:7120:0:8001::1F10
IPv6 Addressing notes
• IPv6 loopback address is 0000:0000:0000:0000:0000:0000:0000:0001
– Truncates to ::1
• Double colon can only be used once in an IPv6 address
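The three truncation rules from the previous slide and the "double colon only once" note, worked as an added example (not from the slides): compress_ipv6 applies the rules to a full eight-group address and expand_ipv6 reverses them, rejecting a second "::". It follows RFC 5952 in choosing the longest zero run and leaving a single zero group alone.

```python
def compress_ipv6(addr):
    """Apply the slide's three truncation rules to a full eight-group address:
    drop leading zeros, reduce 0000 to 0, then replace the longest run of
    zero groups with '::' (used only once; RFC 5952 leaves a lone 0 alone)."""
    groups = addr.split(":")
    if len(groups) != 8 or not all(len(g) == 4 for g in groups):
        raise ValueError("expected eight four-digit groups: " + addr)
    for g in groups:
        int(g, 16)                                    # raises ValueError on non-hex
    groups = [g.lstrip("0") or "0" for g in groups]   # rules 1 and 2
    best_start, best_len, i = -1, 0, 0
    while i < 8:                                      # locate the longest zero run
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:                          # leftmost run wins ties
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return left + "::" + right


def expand_ipv6(addr):
    """Reverse the truncation. '::' may appear only once, so a second one is an error."""
    if addr.count("::") > 1:
        raise ValueError("'::' may be used only once: " + addr)
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        groups = lgroups + ["0"] * (8 - len(lgroups) - len(rgroups)) + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("wrong number of groups: " + addr)
    return ":".join(g.zfill(4) for g in groups)
```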
Wireless Sniffing
• If you're on the wireless web, you're at risk!
– Hackers can steal…
• Emails
• Usernames and Passwords
• Credit card numbers
• Anything you type on a website that doesn't use SSL (HTTPS)
• Tools of the Trade
– Wireshark
• Freely available online
• Captures traffic (HTTPS/pop/etc) of everyone on a given network
– Special Wireless Card
• Promiscuous Mode
• Inexpensive (~$30)
Wireshark
Exam Notes: Walker
• The IPv4 loopback address (denoting the software loopback of your own machine) is 127.0.0.1
• MAC address of broadcast messages is FF:FF:FF:FF:FF:FF
• The MAC address (a.k.a. physical address) that is burned onto a NIC is actually made of two sections.
– The first half of the address, consisting of 3 bytes (24 bits), is known as the organizationally unique identifier (OUI) and is used to identify the card manufacturer.
– The second half is a unique number burned in at manufacturing to ensure no two cards on any given subnet will have the same address.
WinPcap: the Free Packet Capture Library for Windows
• WinPcap is an open source library for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll, based on libpcap version 0.6.2).
• The packet filter is a device driver that adds to Windows 95, 98, ME, NT, 2000, XP and 2003 the ability to capture and send raw data from a network card, with the possibility to filter and store in a buffer the captured packets.
• Packet.dll is an API that can be used to directly access the functions of the packet driver, offering a programming interface independent from the Microsoft OS.
• Wpcap.dll exports a set of high level capture primitives that are compatible with libpcap, the well known Unix capture library. These functions allow packets to be captured in a way that is independent of the underlying network hardware and operating system.
• WinPcap is released under a BSD-style license.
Nmap – Free Network Scanner for Network Exploration and Security
Snort – The de facto standard for intrusion detection and prevention
• Simple, efficient FREE IDS
• Very well-written and maintained, robust application
• Snort is driven by a set of (community developed) rules
• Actively (constantly) under development
• Windows and UNIX versions available
Snort
• Alerts generated and/or packets logged when a "rule" is triggered.
• Very simple rule language for writing your own rules
• Ability to log alerts to syslog, directories in ASCII, tcpdump-format raw data
• Different alert styles, from one-line to verbose
• Modular "plug-in" architecture for adding functionality
• Many available plug-ins, including SQL and Oracle database logging, statistical analysis, TCP stream and telnet session reassembly, active response using "sniping"
• Resistant against some of the newer attacks directed at foiling IDSs
Ethereal – Protocol Analyzer
• Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education.
• Its open source license allows talented experts in the networking community to add enhancements.
• It runs on all popular computing platforms, including Unix, Linux, and Windows.
• Data can be captured "off the wire" from a live network connection, or read from a capture file.
• 673 protocols can currently be dissected
Ethereal
• Ethereal can read capture files from tcpdump (libpcap), NAI's Sniffer™ (compressed and uncompressed), Sniffer™ Pro, NetXray™, Sun snoop and atmsnoop, Shomiti/Finisar Surveyor, AIX's iptrace, Microsoft's Network Monitor, Novell's LANalyzer, RADCOM's WAN/LAN Analyzer, HP-UX nettl, i4btrace from the ISDN4BSD project, Cisco Secure IDS iplog, the pppd log (pppdump-format), the AG Group's/WildPacket's EtherPeek/TokenPeek/AiroPeek, or Visual Networks' Visual UpTime. It can also read traces made from Lucent/Ascend WAN routers and Toshiba ISDN routers, as well as the text output from VMS's TCPIPtrace utility and the DBS Etherwatch utility for VMS. Any of these files can be compressed with gzip and Ethereal will decompress them on the fly.
• Live data can be read from Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms).
• Captured network data can be browsed via a GUI, or via the TTY-mode "tethereal" program.
• Capture files can be programmatically edited or converted via command-line switches to the "editcap" program.
Ethereal
Protocol Sniffing
• SMTP – Simple Mail Transfer Protocol
– SMTP (including V3) sends as plaintext
• FTP versus SFTP / SCP
– FTP passes userids and passwords in the clear
– TFTP passes everything in the clear
• Other protocols with cleartext passwords
– SNMPv1
– NNTP
– IMAP
– POP3
– HTTP
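Signature analysis as the Snort slides describe it (an alert fires when a rule's header and content match a packet), applied to the cleartext protocols listed above, as an added example that is not from the slides or from the Snort project. The rules use Snort's documented rule syntax, but the matcher is a simplified teaching model: it handles only the header, content, nocase, msg and sid options, and the packets are constructed summaries of what a sniffer would hand to the engine.

```python
import re
from collections import namedtuple

# Constructed packet summary: the fields a sniffer hands to the signature engine.
Packet = namedtuple("Packet", "proto src sport dst dport payload")

# Snort rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Parse one Snort-style rule into a dict of header fields and options.
    Simplification: options are split on ';', so a content string that itself
    contains ';' or ')' is not handled by this model."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport}
    for opt in opts.split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            rule[key.strip()] = val.strip().strip('"')   # flag options (nocase) get ""
    return rule


def _addr_ok(spec, addr):
    return spec == "any" or spec == addr


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """Header fields first, then the content signature (case-folded if nocase)."""
    if rule["proto"] != pkt.proto:
        return False
    if not (_addr_ok(rule["src"], pkt.src) and _addr_ok(rule["dst"], pkt.dst)):
        return False
    if not (_port_ok(rule["sport"], pkt.sport) and _port_ok(rule["dport"], pkt.dport)):
        return False
    needle, hay = rule.get("content", ""), pkt.payload
    if "nocase" in rule:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def run_rules(rules, packets):
    """Return (sid, msg) for every alert rule triggered by each packet, in order."""
    alerts = []
    for pkt in packets:
        for r in rules:
            if r["action"] == "alert" and rule_matches(r, pkt):
                alerts.append((r["sid"], r["msg"]))
    return alerts


# Constructed rules in Snort syntax for three of the cleartext protocols above.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 21 (msg:"FTP password sent in the clear"; content:"PASS "; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> any 23 (msg:"Telnet session"; sid:1000002; rev:1;)',
    'alert udp any any -> any 69 (msg:"TFTP transfer"; sid:1000003; rev:1;)',
]]

# Constructed sample traffic: an FTP login, an SSH banner, a TFTP read request.
SAMPLE = [
    Packet("tcp", "10.0.0.5", 51000, "10.0.0.9", 21, "pass sample-secret\r\n"),
    Packet("tcp", "10.0.0.5", 51001, "10.0.0.9", 22, "SSH-2.0-OpenSSH_9.0\r\n"),
    Packet("udp", "10.0.0.5", 4000, "10.0.0.9", 69, "\x00\x01notes.txt\x00octet\x00"),
]
```

Calling run_rules(RULES, SAMPLE) flags the FTP login and the TFTP transfer and leaves the SSH session alone, which is the point of the slide: the protocol is only visible to a signature engine because it was sent in the clear.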
Address Mapping
• The delivery of a packet to a host or a router requires two levels of addressing: logical and physical.
• We need to be able to map a logical address to its corresponding physical address and vice versa.
• These can be done using either static or dynamic mapping.
Address Mapping
• Anytime a host or a router has an IP datagram to send to another host or router, it has the logical (IP) address of the receiver.
– But the IP datagram must be encapsulated in a frame to be able to pass through the physical network.
– This means that the sender needs the physical address of the receiver.
– A mapping associates a logical address with a physical address.
– ARP accepts a logical address from the IP protocol, maps the address to the corresponding physical address and passes it to the data link layer.
ARP Packet
Encapsulation of ARP Packet
Ethernet frame layout: Preamble and SFD (8 bytes) | Destination address (6 bytes) | Source address (6 bytes) | Type (2 bytes) | Data (ARP packet) | CRC (4 bytes)
Type: 0x0806
Four Examples of Using ARP
ARP Example
A host with IP address 130.23.43.20 and physical address B2:34:55:10:22:10 has a packet to send to another host with IP address 130.23.43.25 and physical address A4:6E:F4:59:83:AB. The two hosts are on the same Ethernet network. Show the ARP request and reply packets encapsulated in Ethernet frames.
ARP Cache Poisoning
ARP Cache Poisoning
• If a victim sends an ARP request and gets an ARP reply, ARP has no way to verify the correctness of the IP-to-MAC mapping.
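The ARP example above (request and reply between 130.23.43.20 and 130.23.43.25, encapsulated with EtherType 0x0806) and the poisoning point on this slide, worked as an added example that is not from the slides: build_arp_frame and parse_arp_frame produce and decode the frames, and watch_arp shows the defensive consequence of ARP having no verification, namely that a passive monitor has to keep its own IP-to-MAC table and alert on a reply that contradicts it. Preamble/SFD and CRC are left to the NIC; the monitor's rogue-reply MAC in the test is a constructed value.

```python
import struct

# The slide's two hosts (IP, MAC) on the same Ethernet segment.
HOST_A = ("130.23.43.20", "B2:34:55:10:22:10")
HOST_B = ("130.23.43.25", "A4:6E:F4:59:83:AB")
BROADCAST = "FF:FF:FF:FF:FF:FF"
ZERO_MAC = "00:00:00:00:00:00"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender, target, dst_mac):
    """Ethernet header (dst, src, type 0x0806) followed by the 28-byte ARP packet.
    Preamble/SFD and CRC are added by the NIC, so they are not built here."""
    sender_ip, sender_mac = sender
    target_ip, target_mac = target
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def arp_request(sender, target_ip):
    # Target hardware address is unknown (all zeros); the frame is broadcast.
    return build_arp_frame(ARP_REQUEST, sender, (target_ip, ZERO_MAC), BROADCAST)


def arp_reply(sender, target):
    # The reply is unicast back to the requester's MAC.
    return build_arp_frame(ARP_REPLY, sender, target, target[1])


def parse_arp_frame(frame):
    """Decode an Ethernet+ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


def watch_arp(frames):
    """ARP itself cannot verify a reply, so a passive monitor keeps its own
    IP -> MAC table and flags any reply that contradicts an earlier one
    (the approach tools such as arpwatch take). Returns (table, alerts)."""
    table, alerts = {}, []
    for frame in frames:
        p = parse_arp_frame(frame)
        if p is None or p["op"] != ARP_REPLY:
            continue
        known = table.setdefault(p["sender_ip"], p["sender_mac"])
        if known != p["sender_mac"]:
            alerts.append((p["sender_ip"], known, p["sender_mac"]))
    return table, alerts
```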
MAC Flooding
• All switches know is flooding or forwarding.
– If a switch receives a unicast message it will forward it to the port where the MAC address is connected.
– Switches can flood all of their ports.
– Switch uses Content Addressable Memory (CAM): a cached table that maps MAC addresses to switch ports, e.g. MAC A is on port 1.
• Modern switches protect against MAC flooding, but may be susceptible to MAC spoofing.
MAC Flooding Attack
DHCP Starvation
• Works by flooding the DHCP server to use up all available IP addresses
DHCP Snooping
• Mitigates DHCP starvation
• DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable.
• The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients.
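The MAC Flooding and DHCP Snooping slides describe three switch behaviours: CAM-table learning with flood-or-forward delivery, the per-port MAC limit ("port security") that modern switches use against flooding, and DHCP snooping that drops server replies arriving on untrusted ports. The model below is an added example, not from the slides or any vendor: it shows how a full CAM table turns unicast traffic into flooded traffic (which is what a sniffer on another port benefits from) and how the two countermeasures stop it. Frames and MAC addresses are constructed.

```python
from collections import namedtuple

# Constructed frame summary: ingress port, MAC addresses, and the DHCP message
# type carried (None for ordinary traffic).
Frame = namedtuple("Frame", "in_port src dst dhcp")
PORTS = (1, 2, 3, 4)
BROADCAST = "FF:FF:FF:FF:FF:FF"
DHCP_SERVER_MSGS = ("OFFER", "ACK", "NAK")


class Switch:
    """Learning switch: a bounded CAM table (MAC -> port), optional port
    security (max MACs learned per port; offending frames are dropped) and
    DHCP snooping (server replies accepted only from trusted ports)."""

    def __init__(self, cam_capacity=4, max_macs_per_port=None, dhcp_trusted=()):
        self.cam = {}
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.dhcp_trusted = set(dhcp_trusted)
        self.violations = []          # (feature, port, mac)

    def _learn(self, mac, port):
        """Record src MAC -> port; return False when port security rejects it."""
        if mac in self.cam:
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.violations.append(("port-security", port, mac))
                return False
        if len(self.cam) < self.cam_capacity:
            self.cam[mac] = port      # a full table silently learns nothing
        return True

    def deliver(self, frame):
        """Return the set of egress ports (empty set = dropped)."""
        if frame.dhcp in DHCP_SERVER_MSGS and frame.in_port not in self.dhcp_trusted:
            self.violations.append(("dhcp-snooping", frame.in_port, frame.src))
            return set()
        if not self._learn(frame.src, frame.in_port):
            return set()
        out = self.cam.get(frame.dst)
        if frame.dst == BROADCAST or out is None:
            return set(PORTS) - {frame.in_port}   # unknown destination: flood
        return set() if out == frame.in_port else {out}
```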
Screened Subnet Architectures
• Perimeter Network
• Bastion Host
• Interior Router
• Exterior Router
[Figure: Internet, Exterior Router, Perimeter Network with Bastion Host, Interior Router, Internal Network]
What is a Bastion Host? SANS Institute Intrusion Detection FAQ
• A bastion host is a computer that is fully exposed to attack.
• The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router.
– Frequently the roles of these systems are critical to the network security system. Indeed the firewalls and routers can be considered bastion hosts.
– Due to their exposure a great deal of effort must be put into designing and configuring bastion hosts to minimize the chances of penetration.
– Other types of bastion hosts include web, mail, DNS, and FTP servers.
– Some network administrators will also use sacrificial lambs as bastion hosts; these systems are deliberately exposed to potential hackers to both delay and facilitate tracking of attempted break-ins.
Configuring a Bastion Host
• Effective bastion hosts are configured very differently from typical hosts.
• Each bastion host fulfills a specific role; all unnecessary services, protocols, programs, and network ports are disabled or removed.
• Bastion hosts do not share authentication services with trusted hosts within the network so that if a bastion is compromised the intruder will still not have 'the keys to the castle.'
• A bastion host is hardened to limit potential methods of attack.
Hardening a Bastion Host
• The specific steps to harden a particular bastion host depend upon the intended role of that host as well as the operating system and software that it will be running.
• Access Control Lists (ACLs) will be modified on the file system and other system objects; all unnecessary TCP and UDP ports will be disabled; all non-critical services and daemons will be removed; as many utilities and system configuration tools as is practical will also be removed.
• All appropriate service packs, hot fixes, and patches should be installed.
• Logging of all security related events needs to be enabled and steps need to be taken to ensure the integrity of the logs so that a successful intruder is unable to erase evidence of their visit.
• Any local user account and password databases should be encrypted if possible.
Proxy Servers – reality and illusion
• Proxy systems deal with insecurity problems by avoiding user logins on the dual homed host and by forcing connections through controlled software
[Figure: the user's illusion is a direct Client to External Server connection; in reality the Client on the User's host reaches the External Server on the External Host through the Proxy Server on the Bastion Host]
Proxy Servers
• A server that sits between a client application, such as a Web browser, and a real server.
– It intercepts all requests to the real server to see if it can fulfill the requests itself.
– If not, it forwards the request to the real server.
• Proxy servers have two major functions
– Improve Performance: Proxy servers can dramatically improve performance because proxy servers save the results of all requests for a certain amount of time.
• Consider the case where both user X and user Y access the WWW through a proxy server.
– First user X requests a certain Web page, which we'll call Page 1.
– Sometime later, user Y requests the same page.
– Instead of forwarding the request to the Web server where Page 1 resides, which can be a time-consuming operation, the proxy server simply returns the Page 1 that it already fetched for user X.
• Since the proxy server is often on the same network as the user, this is a much faster operation. Real proxy servers can support hundreds or thousands of users.
– Filter Requests: Proxy servers can also be used to filter requests. For example, a company might use a proxy server to prevent its employees from accessing a specific set of Web sites.
Securing the Network Apps
• The last step to securing a bastion host may be the most difficult: securing whatever network application the host is running.
• Very often the vendor of a web or streaming media server doesn't consider security risks while developing their product.
• It is usually up to the system administrator to determine through testing what ACLs they need to modify to lock down the network application as thoroughly as possible without disabling the very features that make it a useful tool.
• It is also necessary to closely track the latest announcements from the vendor regarding security problems, workarounds, and patches.
• The more popular network applications also tend to inspire the creation of independent mailing lists, newsgroups, and websites that can be tracked for additional insights.
Network Address Translation (NAT) (Cisco)
• Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between an internal network and the rest of the world.
• NAT has many forms and can work in several ways
Static NAT
• Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.
– unregistered means a host with an IP address but no domain name registered in the DNS.
In static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110.
Dynamic NAT
• Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.
In dynamic NAT, the computer with the IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.
Overloading
• Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports.
• This is known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.
In overloading, each computer on the private network is translated to the same IP address (213.18.123.100), but with a different port number assignment.
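The three NAT forms on the Static, Dynamic and Overloading slides, modelled with the slides' own addresses as an added example (not from the slides or from any vendor's implementation): a one-to-one static map, a dynamic pool from 213.18.123.100 to .150 that is handed out first-free and can run dry, and PAT, where every host shares 213.18.123.100 and the translation table keys on the assigned outside port so return traffic can be mapped back. The starting outside port (1024) and the inside hosts other than 192.168.32.10 are constructed.

```python
import itertools
import ipaddress


def address_pool(first, last):
    """Inclusive list of registered addresses, e.g. 213.18.123.100 to .150."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


class StaticNAT:
    """One-to-one: the same inside address always becomes the same outside address."""

    def __init__(self, mapping):
        self.mapping = dict(mapping)

    def translate(self, inside_ip, inside_port):
        return self.mapping[inside_ip], inside_port      # port is left unchanged


class DynamicNAT:
    """Each active inside host borrows the first free address from the pool."""

    def __init__(self, first, last):
        self.free = address_pool(first, last)
        self.active = {}                                 # inside_ip -> outside_ip

    def translate(self, inside_ip, inside_port):
        if inside_ip not in self.active:
            if not self.free:
                raise RuntimeError("NAT pool exhausted")
            self.active[inside_ip] = self.free.pop(0)
        return self.active[inside_ip], inside_port

    def release(self, inside_ip):
        self.free.append(self.active.pop(inside_ip))


class PAT:
    """Overloading: every inside host shares one outside address; flows are
    told apart by the outside port the NAT assigns."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.ports = itertools.count(first_port)
        self.table = {}                                  # (inside_ip, inside_port) -> outside_port

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:
            self.table[key] = next(self.ports)
        return self.outside_ip, self.table[key]

    def untranslate(self, outside_port):
        """Map a returning packet's destination port back to the inside host."""
        for key, port in self.table.items():
            if port == outside_port:
                return key
        return None
```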
Overlapping
• Overlapping - When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses.
– It is important to note that the NAT router must translate the "internal" addresses to registered unique addresses as well as translate the "external" registered addresses to addresses that are unique to the private network.
– This can be done either through static NAT or by using DNS and implementing dynamic NAT.
• The internal IP range (237.16.32.xx) is also a registered range used by another network.
– Therefore, the router is translating the addresses to avoid a potential conflict with another network.
– It will also translate the registered global IP addresses back to the unregistered local IP addresses when information is sent to the internal network.
Firewall Selection
• Single Purpose Router or a General Purpose Computer?
– Packet filtering should be the only activity on the device
– Combinations of proxy servers and/or bastion hosts may be implemented on the routing device
• Serious increase in hardware performance requirements
• Simple specification of rules
– Packet filtering is complicated to begin with because the protocols are complex; rule implementation should not add complexity.
• It should allow rules based on any header or meta-packet criteria
– Header information is in the packet
– Meta-packet information is those things routers recognize outside of the header
Applying filtering rules
• Apply rules in the order specified
– Reordering makes it more difficult to analyze what is going on
– Any quirks or bugs in the rule set may be obscured
– Reordering rules can break a rule set that would otherwise work correctly
• Example
– Rule A permits the university network to reach your research subnet
– Rule B locks a hostile subnet at the university out of everything else
– Rule C disallows Internet access to your subnet
• Rule order ABC
– Packet from hostile subnet allowed to research subnet (rule A)
• Rule order BAC
– Packet from hostile subnet denied access to research subnet (rule B)
– Rules may have limited granularity
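The ABC versus BAC example above, run through a first-match packet filter as an added example (not from the slides): the same packet from the hostile subnet to the research subnet is permitted under order ABC and denied under order BAC. The address ranges are constructed stand-ins for the slide's university network, research subnet, hostile subnet and "the Internet"; the hostile subnet is placed inside the university range, which is what makes rule A and rule B overlap.

```python
import ipaddress
from collections import namedtuple

# A filtering rule: the first rule whose src and dst networks match wins.
Rule = namedtuple("Rule", "name action src dst")

# Constructed address ranges standing in for the slide's networks.
UNIVERSITY = ipaddress.ip_network("10.0.0.0/8")
RESEARCH = ipaddress.ip_network("10.20.30.0/24")      # "your research subnet"
OUR_SUBNET = ipaddress.ip_network("10.20.0.0/16")     # "your subnet"
HOSTILE = ipaddress.ip_network("10.99.0.0/16")        # hostile subnet inside the university
ANY = ipaddress.ip_network("0.0.0.0/0")               # the Internet / anything

RULE_A = Rule("A", "permit", UNIVERSITY, RESEARCH)    # university -> research subnet
RULE_B = Rule("B", "deny", HOSTILE, ANY)              # hostile subnet -> everything
RULE_C = Rule("C", "deny", ANY, OUR_SUBNET)           # Internet -> your subnet


def filter_packet(rules, src, dst, default="deny"):
    """Evaluate the rules in the order given; return (action, matching rule name)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.name
    return default, None


def compare_orders(src, dst):
    """The slide's point: the same packet under rule order ABC versus BAC."""
    return {"ABC": filter_packet([RULE_A, RULE_B, RULE_C], src, dst),
            "BAC": filter_packet([RULE_B, RULE_A, RULE_C], src, dst)}
```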
More packet filtering guidelines
• Allow rules to be applied separately to incoming and outgoing packets on a per-interface basis
– provides maximum flexibility
– when only outgoing packets can be viewed then:
• The filtering system is always "outside" of its filters
• More difficult to detect forged packets
– Forgery is most easily detected when the packet enters from outside the system
– Routers can generate packets themselves and sometimes process internal packets (due to fixed paths for example).
– Filtering outgoing packets only is more complicated when the router has multiple ports
• Allow option to log accepted or dropped packets
• Support good testing and validation capabilities
Honeypots
• High interaction honeypots simulate all services and applications and are designed to be completely compromised.
• Low interaction honeypots simulate limited services and cannot be completely compromised.
Summary – Section Objectives
• Describe sniffing concepts, including active and passive sniffing and protocols susceptible to sniffing
• Describe ethical hacking techniques for Layer 2 traffic
• Describe sniffing tools and understand their output
• Describe sniffing countermeasures
• Learn about intrusion detection system (IDS), firewall, and honeypot types, use, and placement
• Describe signature analysis within Snort
• Describe IDS, firewall, and honeypot evasion techniques