Download WinDump Lab

Networks
1
Computer & Network Security
Introduction to Network Security
Text:
The Complete Reference: Network Security, Bragg, Rhodes-Ousley, Strassberg
Chapter 9
Objectives:
The student should be able to:
 Define and describe the purpose of a Demilitarized Zone, DMZ, zone, bastion host, honeypot,
war dialer.
 Interpret output for ARP, IP, TCP, UDP, ICMP on a sniffer: Windump and Ethereal.
Class Time:
Lecture:
Lecture - Protocols
Lab
Lecture – Networks
Total:
1.5 hour
1 hour
0.5 hour
3 hours
Networks
Summary of Networks & Protocols
Protocol Layers of the Internet Stack:
Application:
 SMTP: Simple Mail Transfer Protocol (Email): 25
 HTTP: HyperText Transfer Protocol (Web): 80
 FTP: File Transfer Protocol: 20/21
 SNMP: Simple Network Management Protocol: 161
 DNS: Domain Name Server: 53
 SSL: Secure Socket Layer: 443
Transport:
 TCP: Transport Control Protocol (End-to-End Error control: Retransmission)
 UDP: User Datagram Protocol (Only Port Addressing)
Network:
 IP: Internet Protocol (Routing)
 ICMP: Internet Control Message Protocol (Reports errors, performs tests for IP)
Data Link Layer:
 PPP: Point-to-Point Protocol (WAN)
Medium Access Control (MAC):
 Ethernet Protocol
 ARP: Address Resolution Protocol (Translates IP to MAC addresses)
Physical Layer
Network Topologies
Bus Topology: Nodes attach to a single cable.
 Operates in promiscuous mode: Everyone sees everyone else’s transmissions
Star Topology: All nodes are connected to a central device which forwards packets
 Hub: Packets are forwarded in promiscuous mode
 Switch: Packets are routed only to the destination node by Layer 2 (MAC) address.
 Router: Packets are routed to the destination node by Layer 3 (IP) address
Mesh Topology: Every computer is connected to every other computer
Tree Topology: Cables split into branches of cables (e.g. cable TV)
Ring Topology: Every computer connects to a ring.
 All packets travel unidirectionally around the ring
Discussion: Which topologies are more secure than other topologies, and what kinds of security
problems can arise from the various topologies?
2
Networks
3
High-Level Review of Protocols
Transport Control Protocol (TCP)
TCP is responsible for end-to-end retransmission, and reordering of packets received out-of-order.
 Addresses applications via 16-bit Port number
 Performs error control on an end-to-end basis:
 Reorders out-of-sequence segments
 Retransmits segments when acknowledgements are not received
 Performs flow control on an end-to-end basis (using the window)
 Performs congestion control to ensure network is not overwhelmed
Protocol:
TCP is connection-oriented, which means that it must explicitly establish and break down a
connection before transmission occurs.
 Establishes a connection
 Sends data
 Each side gracefully disconnects
Windump TCP Data Format:
14:54:55.100898 IP 192.168.0.5.23 > 192.168.0.4.1226: F 1330:1330(0) ack 312 win
17209 (DF)
time
prot sourceIP.port > destIP.port: flag begSeq:endSeq(length) ackNr windowSize DF
Where:
Time: Time packet sent/received
Prot: protocol (IP)
SourceIP: Source IP address
DestIP: Destination IP address
Flag: S=SYN, F=FIN, P=PUSH, R=RESET
BegSeq: Beginning Sequence number (byte #)
EndSeq: Ending sequence number (byte #)
Length: Number of bytes
AckNr: Acknowledgment sequence number (=next expected seq #)
WindowSize: Size of empty space in receive buffer (in bytes)
DF: Don’t Fragment
The flags within segments that TCP uses includes:
S=SYN: Request to establish a connection
P=PUSH: Request from application to flush (or force) transmission.
F=FIN: Request to close a transmission - graceful
R=RESET: Notification of aborting of a connection
ack: Contains an ack for previous data
Segments with data in them have a byte count > 0.
Networks
4
Initiate a connection:
SYN 

SYN,ACK
ACK 
Windump of establish connection:
14:54:50.191132 IP 192.168.0.4.1226 > 192.168.0.5.23: S 262694098:262694098(0) win 16384
<mss 1460,nop,nop,sackOK> (DF)
14:54:50.192200 IP 192.168.0.5.23 > 192.168.0.4.1226: S 116356462:116356462(0) ack
262694099 win 17520 <mss 1460,nop,nop,sackOK> (DF)
14:54:50.192249 IP 192.168.0.4.1226 > 192.168.0.5.23: . ack 1 win 17520 (DF)
Send data:
 Each byte of TCP data has a sequence number associated with it.
 The acknowledgment indicates the sequence number of the byte of data expected next
(PUSH)

ACK
Windump of data transmission:
14:54:54.898690 IP 192.168.0.5.23 > 192.168.0.4.1226: P 1300:1315(15) ack 309
win 17212 (DF)
14:54:54.929536 IP 192.168.0.4.1226 > 192.168.0.5.23: P 309:310(1) ack 1315 win
16206 (DF)
Terminate connection:
 Graceful Disconnect: Both sides must disconnect



ACK 
FIN
ACK
FIN
Session Abort:
 Uses Reset
RST

Windump of close connection:
14:54:55.100898
17209 (DF)
14:54:55.100964
14:54:55.101465
16191 (DF)
14:54:55.102295
IP 192.168.0.5.23 > 192.168.0.4.1226: F 1330:1330(0) ack 312 win
IP 192.168.0.4.1226 > 192.168.0.5.23: . ack 1331 win 16191 (DF)
IP 192.168.0.4.1226 > 192.168.0.5.23: F 312:312(0) ack 1331 win
IP 192.168.0.5.23 > 192.168.0.4.1226: . ack 313 win 17209 (DF)
Networks
User Datagram Protocol (UDP)
UDP can be used instead of TCP to address an application
 Does NOT support end-to-end retransmission, reorder out-of-order packets, or perform flow
control or congestion control.
 Addresses applications via 16-bit Port number
Protocol:
UDP is connectionless, which means it sends packets without establishing a connection first. If
packets cannot be successfully sent, there may be no indication of failure.
 Sends data
Windump UDP Data Format:
14:54:55.100898 IP 192.168.0.5.138 > 192.168.0.4.138: UDP, length: 174
Internet Protocol (IP)



Performs routing
Addresses hosts
Performs fragmentation/reassembly
 Security problem: Spoofed fragments replace or confuse real data
 Security problem: Fragmented attacks may not be noticed by firewalls, IDS (depending on
their sophistication)
IP Header Nibbles:
First 8 nibbles:
0-3: IP Version
4-7: Header length (in 32-bit words)
8-15: Type of service
16-31: Total length
Second 8 nibbles:
0-15: Identification (used with fragmentation)
16-18: Flags: More bit, Don’t Fragment
19-31: Fragment offset
Third 8 nibbles:
0-7: Time to live
8-15: Protocol (e.g. TCP, ICMP)
16-31: Header Checksum
Fourth 8 nibbles: Source Address
Fifth 8 nibbles: Destination Address
5
Networks
6
15:19:42.744527 IP 192.168.0.4 > 192.168.0.5: icmp 1480: echo request seq 7168 (frag
924:1480@0+)
4500 05dc 039c 2000 8001 902b c0a8 0004
c0a8 0005 0800 2859 0200 1c00 6162 6364
6566 6768 696a 6b6c 6d6e 6f70 7172 7374
7576 7761 6263 6465 6667 6869 6a6b 6c6d
6e6f 7071 7273 7475 7677 6162 6364 6566
6768
Performs fragmentation:
(frag 924:1480@0+):
+=More_Fragments
Datagram ID=924 : Length=1480 @ Offset=0
15:19:42.744527 IP 192.168.0.4 > 192.168.0.5: icmp 1480: echo request
seq 7168 (frag 924:1480@0+)
15:19:42.744570 IP 192.168.0.4 > 192.168.0.5: icmp (frag 924:576@1480)
Internet Control Message Protocol (ICMP)



Reports errors (e.g. Destination not reachable)
Replies to requests (routing info)
Test connectivity (ping)
Windump of Ping command:
15:19:42.744527 IP 192.168.0.4 > 192.168.0.5: icmp 1480: echo request seq 7168
15:19:42.748241 IP 192.168.0.5 > 192.168.0.4: icmp 1480: echo reply seq 7168
Note: 1480 is the length
15:19:42.748241 IP 192.168.0.5 > 192.168.0.4: 131.210.42.3 udp port 53 unreachable
Address Resolution Protocol (ARP)

Converts an IP Address (192.164.53.25) to a MAC Address (e.g. 0:90:27:1c:50:d0)
Protocol:
 Requester broadcasts to all nodes on subnet: ARP Request (IP_Address)
 Replier (Me) sends: ARP Response (IP_Address, MAC Address)
Windump:
14:54:50.190823 arp who-has 192.168.0.5 tell 192.168.0.4
14:54:50.191108 arp reply 192.168.0.5 is-at 0:90:27:1c:50:d0
Networks
Securing a Network: Introduction
Perimeter: What is the entrance into our network?
 Devices which interface with perimeter: Firewall., Border/Internal Router, Wireless Access
Point, (Dial up) Modems, (Floppy/CD drives)
A business’s private network is divided into zones
Zones of Trust
 Each zone has separate security/protection needs
 Allows networks to scale
 Allows outside users access to specific locations and prohibits access to other areas
 Can have multiple zones: Factory, Administration, External Interface, Development, …
Zones:
Most-Secure Zone: Internal network
 Little or no access from the public
 Private file systems, servers
De-Militarized Zone (DMZ): Access to the public in a controlled way.
 Web pages, Business-2-Business (B2B)
 Segregated from internal network
 Less stringent security compared to most-secure zone
Example: CISCO PIX firewall allows up to 8 zones to be created.
 Low-security zones cannot access high-security zones unless configured to do so.
Bastion Host: Host that is strengthened to face network attacks
 Must be kept current with security patches
 Most tools and configuration utilities are removed from host
 Extensive logging is used
 Assume host may become compromised
 Does not share authentication system with private network
To combat physical attack:
 Redundancy: network links, devices, power supply
 Backups: at physically separate locations
 Restricted Access
 Monitoring cameras
 Physical security audits
7
Networks
8
For the following configurations,
 Which are cheaper?
 Which make the DMZ more secure?
 Which make the private network more secure?
3-Legged Firewall
Private
Network
FW
Internet
Internet
DMZ
DMZ
Internet
FW
Private
Network
Internet
FW
Router
DMZ
DMZ
FW
FW
Private
Network
Private
Network
Dirty DMZ:
Edge Router rejects
requests from DMZ to
FW
Networks
Fault Tolerance
Single Point of Failure: When one part fails, functionality is lost
 Redundancy: If one path fails, routers reconfigure to find an alternative path
 Fully meshed network is fully redundant but expensive
Fault Tolerance: A redundant device takes over when one device fails
 Hot Standby Router Protocol (HSRP)
 Virtual Router Redundancy Protocol (VRRP)
 Failover: Pass control to hot standby
Hot Standby Router Protocol (HSRP):
 Virtual router: When active router fails, a standby owner assumes ownership of the IP address
& MAC address
 Hosts can continue sending with no disruption
 Standby group: Group of routers ready to become active
 Procedure:
 Active and Standby routers send HELLO packets to multicast address 224.0.0.2 containing
their priority
 The highest priority router always becomes active
War Dialers






What telephone numbers allow login into the network?
Does the answering modem provide info via banner of the type of modem?
Auditing Tools: THC Scan, Phone Tag, Modem Scan, Phone Sweep, Sandtrap, Procomm Plus
Be careful – do a test run on 2-3 phones (yours +). Do not include known emergency numbers
Some PBXs and phone networks will recognize sequential war dialing – so beware!
Best-practices exist for dialup modem use. Look them up!
9
Networks
10
WinDump Lab
Before starting the lab:
 Open up the Windows XP VMware according to separate directions.
 Open up my web page notes within Windows XP, at www.cs.uwp.edu/Classes/Cs490 . These
will help you to interpret the packets you see.
 We will be working with Telnet. Enable Telnet as follows:
Start-> Control Panel-> Switch to Classic View-> Administrative Tools-> Services
Scroll down and double click on the Telnet option, Set to Automatic,
Press Start, Apply, OK
 Set the password for the CyberSecStudent to “TelnetMe”
Start-> Control Panel-> User Accounts-> CyberSecStudent-> Create a Password
Set password to “TelnetMe”
 Try having a neighbor telnet into your machine. If it doesn’t work, turn off your firewall.
1) Using IPCONFIG to learn your IP address
Learn your IP address using ipconfig:
Start->Accessories->Command Prompt
> ipconfig
1B) Your IP address is:
2) Getting Familiar with Windump
Windump is a MS Windows tool to monitor what is being transmitted on the LAN. TCPdump is an
equivalent UNIX tool. To start windump execute:
Start->Accessories->Command Prompt
> windump –i2 -n
You are now monitoring all transmissions on Interface 2. You may occasionally see messages
being sent. Your instructor has a translation list of port numbers and services.
2A) Copy down the IP addresses and port numbers/services you see transmissions for.
Networks
11
WINDUMP OPTIONS
To monitor interface 2 without IP address translation (prevents packet loss):
windump –i2 -n
To monitor transmissions sent or received only from your IP address:
windump –i2 -n host 10.1.1.20n
To monitor transmissions except to specific ports and except for arp:
windump –i2 -n tcp port !80 and !443 and !21 and !arp
To monitor only icmp messages:
windump –i2 -n icmp
To monitor headers and data for a particular IP address:
windump –i2 -n -x host 10.1.1.20n
To save what you monitor in readable from to a file:
windump –i2 > savefile.txt
To save output to a file in binary, then reread it:
windump –i2 -w binfile
windump -r binfile
Start up Windump to monitor transmissions to your own host:
> windump –i2 –n host 10.1.1.20m
Or to see data:
> windump –i2 -n -x host 10.1.1.20n
3) Monitoring ARP and ICMP
Next learn which IP addresses are in your ARP cache. The ARP protocol is responsible for
translating IP addresses to MAC addresses. Perform the following command to see your ARP
cache:
> arp -a
Find a machine that is NOT in your arp cache. Open another cmd window and try doing a PING to
the IP address that is not in your arp cache. This will force the ARP protocol to run. Ping uses
ICMP. ICMP is a protocol that provides error messages and implements network tools for IP. Ping
sends an echo request packet to a remote destination and expects an echo reply packet back.
Open a second window to run ping, while the first window runs windump. Select another machine
to ping:
> ping 10.1.1.20q
3A) You should now see both arp and icmp messages. The arp messages provide the MAC
address for the ping messages to use. Copy down the arp sequence. Circle the MAC address.
3B) Now copy down the ping exchange (one request-response sequence) seen in windump.
Networks
12
4) Ethereal
To open Ethereal, click on the Ethereal icon in Windows XP or select as follows:
All programs-> Ethereal
Then open the capture screen, which will allow you to configure capturing:
Capture->Interfaces
We will try each one of the options provided there.
Select “Capture”
4a) What kinds of protocols are being observed?
Now we will try another mode where we can actually see the packets. Select ‘Exit’.
Select “Prepare”
(If asked, select “Continue without saving”)
We need to select a number of options to collect packets and exclude translations, since they take
time and will cause loss of packets:
Select Update list of packets in real time
Clear all Name Resolution boxes (e.g., MAC name resolution, etc.)
We want to see only those packets that are for our host – not part of the regular network noise.
Here are some example Capture Filters that can be used:
tcp port 23 and host 10.0.0.5
tcp src port 42 and not host 10.0.0.5
Enter a filter that monitors only your own IP address (i.e., no broadcast messages).
Once you begin monitoring, connect via the SSH icon and log in to: 10.1.1.128 as ‘Student’ with
password ‘badpass’
4b) What filter did you enter?
4c) Fill in what you see:
Application protocol used (SSH1/SSH2):
Transport protocol used (TCP/UDP):
Source
IP Address
Port Numbers
Destination
Networks
13
5) IP & Fragmentation
This section is optional. Return to this section after learning the Ethereal tool.
IP is responsible for routing. IP version 4 is also responsible for fragmentation and reassembly.
Below we will do a ping message that is so large it requires fragmentation. Windump shows the IP
(and TCP) headers in formatted form. You may also see the headers in unformatted form when
using the -x option with windump. Start windump to show data and do a ping command with a
length of 2048 bytes. Monitor transmissions to/from your IP addresses using Ethereal:
> ping 10.1.1.20q -l 2048
5a) Number of fragments:
5b) Size of each fragment:
5c) Fragment number:
5d) Next fragment number (Are fragment numbers sequential)?
6) TCP
Next we look at TCP. To see a TCP connection via Windump, start up windump with one window
and start up telnet on another.
Start->Accessories->Command Prompt
telnet 10.1.1.20q
You should see the telnet application use TCP.
6A) What port number does the client and server use?
Source
Destination
IP Address
Port Number
Starting Sequence #
6B) On each SYN a Maximum Segment Size (MSS) - or TCP packet length - is specified. What is
the MSS used?
Networks
14
6C) What happens with the connection, both from the user perspective and from the TCP protocol
perspective?
6D) Disable or reenable the firewall by performing the following sequence:
Start-> Control Panel-> Security Center-> Windows Firewall-> Select ‘Off’
Attempt to telnet into your neighbor machine (after they have disabled their firewall). What
happens now?
6E) Using the following windump command to monitor telnet, what text can you see being sent
through telnet? To monitor headers and data for your IP address:
windump –i2 -n -x host 10.1.1.20m