Review For Exam 1
(February 8, 2012)
© Abdou Illia – Spring 2012
Introduction to Systems Security
Attackers (outline): Elite Hackers, Script Kiddies, Virus writers & releasers, Corporate employees, Cyber vandals, Cyber terrorists

Systems attackers
- Hacking: intentional access without authorization or in excess of authorization
- Elite Hackers
  - Characterized by technical expertise and dogged persistence, not just a bag of tools
  - Use attack scripts to automate actions, but this is not the essence of what they do
  - Could hack to steal info, to do damage, or just to prove their status
Systems attackers
- Elite Hackers (cont.)
  - Black hat hackers break in for their own purposes
  - White hat hackers can mean multiple things
    - Strictest: hack only by invitation as part of vulnerability testing
    - Some hack without permission but report vulnerabilities (not for pay)
  - Ethical hackers
    - Hired by organizations to perform hacking activities in order to
      - Test the performance of systems’ security
      - Develop/propose solutions
Systems attackers
- Script Kiddies
  - “Kids” that use pre-written attack scripts (kiddie scripts)
  - Called “lamers” by elite hackers
  - Their large number makes them dangerous
  - Noise of kiddie script attacks masks more sophisticated attacks
Systems attackers
- Virus Writers and Releasers
  - Virus writers versus virus releasers
  - Writing virus code is not a crime
  - Only releasing viruses is punishable
Systems attackers
- Cyber vandals
  - Use networks to harm companies’ IT infrastructure
  - Could shut down servers, slow down eBusiness systems
- Cyber warriors
  - Massive attacks* by governments on a country’s IT infrastructure
- Cyber terrorists
  - Massive attacks* by nongovernmental groups on a country’s IT infrastructure
- Hacktivists
  - Hacking for political motivation
* Multi-pronged attacks: release virus, active hacking, attacking Internet routers, etc.
Framework for Attacks
[Figure: Framework for Attacks]
- Physical Access Attacks: wiretapping, server hacking, vandalism
- Dialog Attacks: eavesdropping, impersonation, message alteration
- Penetration Attacks: scanning (probing), break-in, denial of service, malware (viruses, worms)
- Social Engineering: opening attachments, password theft, information theft
Dialog attack: Eavesdropping
- Intercepting confidential messages being transmitted over the network
[Figure: Bob’s client PC and Alice’s server exchange “Hello” messages; the attacker (Eve) intercepts and reads the messages]
Dialog attack: Message Alteration
- Intercepting confidential messages and modifying their content
[Figure: a “Balance = $1” message between Bob’s client PC and Alice’s server is intercepted by the attacker (Eve) and altered to “Balance = $1,000,000”]
Dialog attack: Impersonation
[Figure: the attacker (Eve) sends “I’m Bob” to Alice’s server, which answers “Hi! Let’s talk.”; Bob’s client PC is shown as the impersonated party]
Resources Access Control

Break-in and Dialog attacks: Security Goal
- If eavesdropping and message alteration attacks succeeded, in which of the following ways could the victims be affected?
  a) Data files stored on hard drives might be deleted
  b) Data files stored on hard drives might be altered
  c) Corporate trade secrets could be stolen
  d) Competitors might get the victim company’s licensed info
  e) Users might not be able to get network services for a certain period of time
  f) The network might slow down
- Confidentiality = main goal in implementing defense systems against eavesdropping and message alteration.
Security Goals
- Three main security goals (CIA):
  - Confidentiality of communications and proprietary information
  - Integrity of corporate data
  - Availability of network services and resources
Brute-force password cracking
- Dictionary cracking vs. hybrid cracking
- Try all possible character combinations
- Longer passwords take longer to crack
- Combining types of characters makes cracking harder
  - Alphabetic, no case (26 possibilities)
  - Alphabetic, case (52)
  - Alphanumeric (letters and numbers) (62)
  - All keyboard characters (~80)
Figure 2-3: Password Length (number of possible passwords = N^length)

Password Length   Alphabetic,     Alphabetic,      Alphanumeric:       All Keyboard
In Characters     No Case (N=26)  Case (N=52)      Letters & Digits    Characters
                                                   (N=62)              (N=~80)
1                 26              52               62                  80
2 (N^2)           676             2,704            3,844               6,400
4 (N^4)           456,976         7,311,616        14,776,336          40,960,000
6                 308,915,776     19,770,609,664   56,800,235,584      2.62144E+11
8                 2.08827E+11     5.34597E+13      2.1834E+14          1.67772E+15
10                1.41167E+14     1.44555E+17      8.39299E+17         1.07374E+19

Q: Your password policy is: (a) the password must be 6 characters long, (b) the password should include only decimal digits and lower case alphabetic characters. What is the maximum number of passwords the attacker would try in order to crack a password in your system?
Dictionary and Hybrid cracking
- Dictionary cracking (1)
  - Try common words (“password”, “ouch,” etc.)
  - There are only a few thousand of these
  - Cracked very rapidly
- Hybrid cracking (2)
  - Used when dictionary cracking fails
  - Common word with one or a few digits at the end, etc.
(1) Also called dictionary attack
(2) Also called hybrid attack
Basic Terminology
- Accidental Association
  - Wireless device latching onto a neighboring Access Point when turned on. The user may not even notice the association
- Malicious association
  - Intentionally setting a wireless device to connect to a network
  - Installing rogue wireless devices to collect corporate info
- War driving
  - Driving around looking for weak or unprotected WLANs
IEEE 802.11 WLAN standards

                        802.11b      802.11a      802.11g      802.11n*
Unlicensed Band         2.4 GHz      5 GHz        2.4 GHz      2.4 GHz or 5 GHz
Rated Speed             ≤ 11 Mbps    ≤ 54 Mbps    ≤ 54 Mbps    ≤ 300 Mbps
Range (Indoor/Outdoor)  35m/100m     25m/75m      25m/75m      50m/125m
# of channels           3            12           13           14
* Under development

[Figure: frequency spectrum from 0 Hz upward showing the AM radio service band (535 kHz-1705 kHz), the FM radio service band (88 MHz-108 MHz) and the 802.11b WLAN band (2.4 GHz-2.4835 GHz)]

- Service band 2.4 - 2.4835 GHz divided into 13 channels
- Each channel is 22 MHz wide
- Channels spaced 5 MHz apart
- Channel 1 centered on 2412 MHz; Channel 13 centered on 2472 MHz
- Transmissions spread across multiple channels
- 802.11b and 802.11g devices use only Channels 1, 6, 11 to avoid transmission overlap.
- AM radio channels have a 10 kHz bandwidth
- FM radio channels: 200 kHz bandwidth
- 802.11g uses the Orthogonal Frequency Division Multiplexing (OFDM) modulation scheme to achieve higher speed than 802.11b
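The 2.4 GHz channel arithmetic above, carried through as an added example (not part of the original slides): centre frequency and edges of each channel from the figures given (channel 1 at 2412 MHz, 5 MHz spacing, 22 MHz width, 13 channels, band 2.4-2.4835 GHz), which channels overlap, and why 1, 6 and 11 are the non-overlapping set.

```python
# Added example: 2.4 GHz 802.11b/g channel layout from the numbers in the slides.
CHANNEL_1_CENTER_MHZ = 2412
CHANNEL_SPACING_MHZ = 5
CHANNEL_WIDTH_MHZ = 22
NUM_CHANNELS = 13
BAND_MHZ = (2400.0, 2483.5)   # service band 2.4 - 2.4835 GHz


def channel_center(channel):
    """Centre frequency in MHz of 2.4 GHz channel 1..13."""
    if not 1 <= channel <= NUM_CHANNELS:
        raise ValueError(f"channel {channel} outside 1..{NUM_CHANNELS}")
    return CHANNEL_1_CENTER_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def channel_edges(channel):
    """Lower and upper edge (MHz) of the 22 MHz wide channel."""
    c = channel_center(channel)
    return c - CHANNEL_WIDTH_MHZ / 2, c + CHANNEL_WIDTH_MHZ / 2


def within_band(channel):
    """True when the whole 22 MHz channel lies inside the service band."""
    lo, hi = channel_edges(channel)
    return BAND_MHZ[0] <= lo and hi <= BAND_MHZ[1]


def channels_overlap(a, b):
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(channel_center(a) - channel_center(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_channels(first=1):
    """Greedily pick mutually non-overlapping channels starting at `first`."""
    chosen = [first]
    for ch in range(first + 1, NUM_CHANNELS + 1):
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    for ch in (1, 6, 11, 13):
        lo, hi = channel_edges(ch)
        print(f"channel {ch:2d}: centre {channel_center(ch)} MHz, "
              f"{lo:.0f}-{hi:.0f} MHz, in band: {within_band(ch)}")
    print("non-overlapping set from channel 1:", non_overlapping_channels())
```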
802.11 Wireless LAN (WLAN) Security
- Basic Operation:
  - Main wired network for servers (usually 802.3 Ethernet)
  - Wireless stations with wireless NICs
  - Access points for spreading service across the site
  - Access points are internetworking devices that link 802.11 LANs to 802.3 Ethernet LANs
802.11 Wireless LAN operation
- 802.11 refers to the IEEE Wireless LAN standards
[Figure: a notebook with a PC card wireless NIC exchanges 802.11 frames containing the packet with the access point; the access point exchanges 802.3 frames containing the packet with the server through the Ethernet switch, to which a client PC is also attached]
802.11 Wireless LAN operation
[Figure: the same notebook / access point / Ethernet switch / server / client PC diagram as above]
1. If the AP is 802.11n-compliant, it could communicate with the notebook even if the notebook has an 802.11a NIC. (T/F)
2. The Wireless AP needs to have an 802.3 interface. (T/F)
3. The switch needs to have at least one wireless port. (T/F)
4. How many layers should the Wireless AP have to perform its job?
Summary Question (1)
- Which of the following is among Wireless Access Points’ functions?
  a) Convert electric signal into radio wave
  b) Convert radio wave into electric signal
  c) Forward messages from wireless stations to devices in a wired LAN
  d) Forward messages from one wireless station to another
  e) All of the above
  f) Only c and d
MAC Filtering
- The Access Point could be configured to only allow mobile devices with specific MAC addresses
- Today, attack programs exist that could sniff MAC addresses, and then spoof them
[Figure: an Access Point holding a MAC Access Control List of sample MAC addresses]
IP Address Filtering
- The Access Point could be configured to only allow mobile devices with specific IP addresses
- Attacker could
  - Get an IP address by guessing based on the company’s range of IP addresses
  - Sniff IP addresses
[Figure: an Access Point holding an IP Address Access Control List: 139.67.180.1/24-139.67.180.30/24, 139.67.180.75, 139.67.180.80, 139.67.180.110, ...]
SSID: Apparent 802.11 Security
- Service Set Identifier (SSID)
  - It’s a “Network name” of up to 32 characters
  - Access Points come with a default SSID. Example: “tsunami” for Cisco or “linksys” for Linksys
  - All Access Points in a WLAN have the same SSID
  - Mobile devices must know the SSID to “talk” to the access points
  - SSID frequently broadcast by the access point for ease of discovery.
  - SSIDs in frame headers are transmitted in clear text
  - SSID broadcasting could be disabled but it’s a weak security measure
  - Sniffer programs (e.g. Kismet) can find SSIDs easily
Wired Equivalent Privacy (WEP)
- Standard originally intended to make wireless networks as secure as wired networks
- With WEP, mobile devices need a key used with an Initialization Vector to create a traffic key
  - Typical WEP key length: 40-bit, 128-bit, 256-bit
- WEP key is shared by mobile devices and Access Points
- Problems:
  - Shared keys create a security hole
  - WEP is not turned on by default
- WEP authentication process
  1. Wireless station sends authentication request to AP
  2. AP sends back a 128-bit challenge text in plaintext
  3. Wireless station encrypts challenge text with its WEP key and sends the result to AP
  4. AP regenerates the WEP from the received result, then compares it to its own WEP
  5. AP sends a success or failure message
- Open Source WEP cracking software: aircrack-ng, weplab, WEPCrack, airsnort
802.11i and Temporal Key Integrity Protocol (TKIP)
- In 2004, the IEEE 802.11 working group developed a security standard called 802.11i to be implemented in 802.11 networks.
- 802.11i tightens security through the use of the Temporal Key Integrity Protocol (TKIP)
- TKIP can be added to existing APs and NICs
- TKIP uses a 128-bit key (that changes) to encrypt the WEP.
Using Authentication server or Wi-Fi Protected Access (WPA)
- WPA is an early version of the 802.11i and 802.11x security standards
[Figure: 1. Applicant (Lee) sends an authentication request to the Access Point. 2. The Access Point / WAP gateway passes on the request to the RADIUS server. 3. The RADIUS server gets user Lee’s data from a directory server or Kerberos server (optional; the RADIUS server may store authentication data). 4. RADIUS server: Accept applicant, Key=XYZ. 5. Access Point to applicant: OK, use Key XYZ.]
- RADIUS is an AAA (Authentication, Authorization, Accounting) protocol
- Once the user is authenticated, the AP assigns the user an individual key, avoiding shared keys.
Protocols used in WPA
- Authentication and data integrity in 802.11i and 802.11x rely on the Extensible Authentication Protocol (EAP), which has different options:
  - Wireless Transport Layer Security (WTLS) protocol
    - Server and mobile devices must have digital certificates
    - Requires that a Public Key Infrastructure (PKI) be installed to manage digital certificates
  - Tunneled WTLS
    - Digital certificates are installed on the server only
    - Once the server is securely authenticated to the client via its Certificate Authority, a secured tunnel is created.
    - Server authenticates the client through the tunnel.
    - Client could use passwords as a means of authentication
Soft Access Point*
- Usually, a soft AP is a laptop loaded with cracking software
- A soft AP allows the hacker to get passwords, MAC addresses, etc.
[Figure: the notebook / access point / Ethernet switch / server / client PC diagram from above, with a Soft AP added to the WLAN]
* Also called Rogue Access Point
TCP/IP Internetworking

Layered Communications: Encapsulation – De-encapsulation
- Application programs on different computers cannot communicate directly
  - There is no direct connection between them!
  - They need to use an indirect communication system called layered communications or layer cooperation
[Figure: the browser on the User PC sends an HTTP Request to the Web App on the Webserver; on each machine the message passes through the Transport, Internet, Data Link and Physical layers]
Layer Cooperation on the User PC
- Encapsulation on the sending machine
  - Embedding the message received from the upper layer in a new message
[Figure: on the User PC, the Application layer produces the HTTP request; the Transport layer encapsulates it in the data field of a TCP segment (TCP-H | HTTP req.); the Internet layer adds IP-H to form an IP packet; the Data Link layer adds PPP-H and PPP-T to form a frame; the Physical layer transmits it]
Layer Cooperation on the Web server
- De-encapsulation
  - Other layers pass successive data fields (containing next-lower layer messages) up to the next-higher layer
[Figure: on the Webserver, the frame (PPP-H | IP-H | TCP-H | HTTP req. | PPP-T) arrives from the transmission media at the Data Link layer; the Internet layer receives the IP packet (IP-H | TCP-H | HTTP req.); the Transport layer receives the TCP segment (TCP-H | HTTP req.); the Application layer receives the HTTP request]
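The encapsulation and de-encapsulation of the last two slides as an added example, not code from the original material: the sending side wraps an HTTP request in a TCP header, then an IPv4 header, then a frame; the receiving side strips each header in turn and hands the data field up. The IPv4 and TCP header layouts are the real 20-byte ones (checksums left at zero); PPP_H and PPP_T are constructed stand-ins for the slides’ PPP-H / PPP-T, not the actual PPP framing, and the addresses and request text are constructed.

```python
import socket
import struct

PROTO_TCP = 6
# Constructed stand-ins for the PPP header (PPP-H) and trailer (PPP-T) of the
# slides; the real PPP framing and FCS are not modelled here.
PPP_H = b"\x7e\xff\x03\x00\x21"
PPP_T = b"\x00\x00\x7e"
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"  # constructed


def tcp_segment(message, src_port, dst_port, seq=1, ack=1):
    """Transport layer: put the message in the data field of a TCP segment.
    Header: 20 bytes, data offset 5 words, flags PSH|ACK, checksum left 0."""
    offset_flags = (5 << 12) | 0x18
    tcp_h = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                        offset_flags, 65535, 0, 0)
    return tcp_h + message


def ip_packet(segment, src_ip, dst_ip, ttl=64):
    """Internet layer: prepend an IPv4 header (version 4, IHL 5, protocol 6)."""
    ip_h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234,
                       0, ttl, PROTO_TCP, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_h + segment


def frame(packet):
    """Data link layer: wrap the packet between PPP-H and PPP-T."""
    return PPP_H + packet + PPP_T


def encapsulate(message, src_ip, dst_ip, src_port, dst_port):
    """Sending machine: Application -> Transport -> Internet -> Data Link."""
    return frame(ip_packet(tcp_segment(message, src_port, dst_port), src_ip, dst_ip))


def de_encapsulate(wire_bytes):
    """Receiving machine: each layer strips its header and passes the data field up."""
    if not (wire_bytes.startswith(PPP_H) and wire_bytes.endswith(PPP_T)):
        raise ValueError("not a frame")
    packet = wire_bytes[len(PPP_H):-len(PPP_T)]          # Data Link -> Internet
    ihl = (packet[0] & 0x0F) * 4                         # header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    protocol = packet[9]                                 # 6 = TCP
    dst_ip = socket.inet_ntoa(packet[16:20])
    segment = packet[ihl:total_len]                      # Internet -> Transport
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (struct.unpack("!H", segment[12:14])[0] >> 12) * 4
    message = segment[data_offset:]                      # Transport -> Application
    return {"protocol": protocol, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "message": message}


if __name__ == "__main__":
    wire = encapsulate(HTTP_REQUEST, "192.0.2.10", "192.0.2.80", 51000, 80)
    print(f"frame {len(wire)} bytes = PPP-H {len(PPP_H)} + IP-H 20 + TCP-H 20 "
          f"+ HTTP req. {len(HTTP_REQUEST)} + PPP-T {len(PPP_T)}")
    print(de_encapsulate(wire))
```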
Questions
1. What is encapsulation? On what machine does it occur: sending or receiving machine?
2. If a layer creates a message, does that layer or the layer below it encapsulate the message?
3. What layer creates frames? Segments? Packets?
4. Which of the following network communication models is used on the Internet?
   a) The OSI model
   b) The HTML model
   c) The TCP/IP model
   d) The IP model
IP Packet
[Figure: IP Version 4 packet header, bit 0 to bit 31 per row]
  Version (4 bits, value 0100) | Header Length (4 bits) | QoS (8 bits) | Total Length (16 bits)
  Identification (16 bits) | Flags | Fragment Offset (13 bits)
  Time To Live (8 bits) | Protocol (8 bits: 1=ICMP, 6=TCP, 17=UDP) | Header Checksum (16 bits)
  Source IP Address (32 bits)
  Destination IP Address (32 bits)
  Options (if any) | Padding
  Data Field
- QoS: also called Type of Service, indicates the priority level the packet should have
- Identification tag: to help reconstruct the packet from several fragments
- Flags: indicate whether the packet could be fragmented or not (DF: Don’t Fragment) and whether more fragments of a packet follow (MF: More Fragments or NF: No More Fragments)
- Fragment offset: identifies which fragment this packet is attached to
- TTL: indicates the maximum number of hops (or routers) the packet could pass before a hop discards it.
- Header checksum: to check for errors in the headers only
Questions
- What is the main version of the Internet Protocol in use today? What is the other version?
- What does a router do with an IP packet if it decrements its TTL value to zero?
- Assume that a router received an IP packet with the Protocol field in the header set to 6. What Transport layer protocol is used in the message: TCP, UDP, or ICMP?
IP Fragmentation
[Figure: a router between Subnet 1 and Subnet 2]
- When a packet arrives at a router, the router selects the port and subnet to forward the packet to
- If the packet is too large for the subnet to handle, the router fragments the packet, i.e.
  - Divides the packet’s data field into fragments
  - Gives each fragment the same Identification tag value, i.e. the Identification tag of the original packet
    - First fragment is given a Fragment Offset value of 0
    - Subsequent fragments get Fragment Offset values consistent with their data’s place in the original packet
    - Last fragment’s Flag is set to “No More Fragments”
  - Destination host reassembles fragments based on the offsets.
[Figure: header fields Identification (16 bits) | Flags | Fragment Offset (13 bits)]
Firewalls and Fragmented IP Packets
- Fragmentation makes it hard for firewalls to filter individual packets
  - TCP or UDP header appears only in the first fragment
- Firewall might drop the first fragment, but not subsequent fragments
- Some firewalls drop all fragmented packets
[Figure: Attacker 1.34.150.37 sends fragments through a router to firewall 60.168.47.47. 1. First fragment: IP header, TCP header, TCP data field. 2. Second fragment: IP header, TCP data field, no TCP header. 3. TCP header only in first fragment. 4. TCP data field. 5. Firewall 60.168.47.47 can only filter the TCP header in the first fragment.]
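The fragmentation and firewall slides above, worked through as an added example that is not part of the original material: a router-side fragment() that keeps one Identification tag and assigns 8-byte-unit offsets and the MF flag, the destination host’s reassembly from the offsets, and a port filter that can only act on the first fragment because later fragments carry no TCP header. Packets are modelled as plain objects with the header fields named above rather than raw bytes; a 20-byte TCP header without options is assumed, and the sample segment is constructed.

```python
from dataclasses import dataclass

TCP_HEADER_LEN = 20  # assumed: TCP header without options


@dataclass
class IPPacket:
    identification: int   # same value on every fragment of one packet
    protocol: int         # 6 = TCP
    more_fragments: bool  # MF flag; False on the last fragment ("No More Fragments")
    fragment_offset: int  # in 8-byte units, as in the 13-bit header field
    data: bytes


def fragment(packet, max_data):
    """Router: split the data field into fragments of at most max_data bytes."""
    if max_data % 8:
        raise ValueError("fragment data size must be a multiple of 8 bytes")
    if len(packet.data) <= max_data:
        return [packet]
    frags = []
    for start in range(0, len(packet.data), max_data):
        chunk = packet.data[start:start + max_data]
        last = start + max_data >= len(packet.data)
        frags.append(IPPacket(packet.identification, packet.protocol,
                              more_fragments=not last,
                              fragment_offset=start // 8, data=chunk))
    return frags


def reassemble(frags, identification):
    """Destination host: rebuild the data field from the fragments carrying this
    Identification tag. Returns None while a fragment is missing."""
    mine = sorted((f for f in frags if f.identification == identification),
                  key=lambda f: f.fragment_offset)
    data, expected = b"", 0
    for f in mine:
        if f.fragment_offset * 8 != expected:
            return None                      # gap: a fragment was lost or dropped
        data += f.data
        expected += len(f.data)
    if not mine or mine[-1].more_fragments:
        return None                          # last fragment not seen yet
    return data


def transport_header_visible(frag):
    """A packet filter can read the TCP header only from the first fragment."""
    return frag.fragment_offset == 0 and len(frag.data) >= TCP_HEADER_LEN


def filter_fragments(frags, blocked_dst_port):
    """Firewall rule 'drop TCP to blocked_dst_port': it can match only the first
    fragment; later fragments carry no TCP header and pass unchecked."""
    passed = []
    for f in frags:
        if f.protocol == 6 and transport_header_visible(f):
            dst_port = int.from_bytes(f.data[2:4], "big")  # TCP destination port
            if dst_port == blocked_dst_port:
                continue
        passed.append(f)
    return passed


def sample_segment(dst_port=23, payload=b"x" * 30):
    """Constructed TCP segment: 20-byte header (ports, rest zero) plus payload."""
    return (5000).to_bytes(2, "big") + dst_port.to_bytes(2, "big") + bytes(16) + payload
```

With a 50-byte segment split into 24-byte fragments, the rule blocking port 23 drops only the first fragment; the two that pass can never be reassembled, which is exactly the slide’s point about filtering fragments individually.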
TCP Segment
[Figure: TCP segment header, bit 0 to bit 31 per row]
  Source Port Number (16 bits) | Destination Port Number (16 bits)
  Sequence Number (32 bits)
  Acknowledgment Number (32 bits)
  Header Length (4 bits) | Reserved (6 bits) | Flag Fields: ACK, SYN, … (6 bits) | Window Size (16 bits)
  TCP Checksum (16 bits) | Urgent Pointer (16 bits)
  Data
- Port number: identifies sending and receiving application programs.
- Sequence number: identifies the segment’s place in the sequence. Allows the receiving Transport layer to put arriving TCP segments in order.
- Acknowledgement number: identifies which segment is being acknowledged
- Flag fields: six one-bit flags: ACK, SYN, FIN, RST, URG, PSH. Can be set to 0 (off) or 1 (on). e.g. SYN=1 means a request for connection/synchronization.
Q: If the ACK flag is set to 1, what other field must also be set to let the receiver know what TCP segment is being acknowledged?
TCP and use of Flags
[Figure: Flag Fields (6 bits): URG, ACK, PSH, RST, SYN, FIN]
- TCP is a connection-oriented protocol
  - Sender and receiver need to establish a connection
  - Sender and receiver need to agree to “talk”
  - Flags are used for establishing the connection
    - Sender requests connection opening: SYN flag set to 1
    - If the receiver is ready to “talk”, it responds with a SYN/ACK segment
    - Sender acknowledges the acknowledgment
  - If the sender does not get an ACK, it resends the segment
[Figure: 3-way handshake between the PC transport process and the Webserver transport process: 1. SYN (Open); 2. SYN, ACK (1) (acknowledgment of 1); 3. ACK (2)]
Note: With connectionless protocols like UDP, there are no flags. Messages are just sent. If part of the sent messages is not received, there is no retransmission.
Communication during a normal TCP Session
Q1: How many segments are sent in a normal TCP communication opening? ____
Q2: How many segments are sent in a normal TCP communication closing? ____
Note: At any time, either process can send a TCP RST (reset) segment with the RST bit set to 1 to drop the connection (i.e. to abruptly end the connection).
SYN/ACK Probing Attack
[Figure: 1. Attacker 1.34.150.37 sends a probe (SYN/ACK segment) to victim 60.168.47.47. 2. Victim: no SYN (Open) was sent, so the SYN/ACK makes no sense! 3. Victim replies “Go away!” with an RST segment. 4. The RST’s IP header carries source IP address 60.168.47.47. 5. Attacker concludes 60.168.47.47 is live!]
- Sending SYN/ACK segments helps attackers locate “live” targets
- Older Windows OSes could crash when they received a SYN/ACK probe
TCP and use of Port numbers
[Figure: Source Port Number (16 bits) | Destination Port Number (16 bits)]
- Port numbers identify applications
  - Well-known ports (0-1023): used by major server applications running at root authority.
    - HTTP web service=80, Telnet=23, FTP=21, SMTP email=25
  - Registered ports (1024-49151): used by client and server applications.
  - Ephemeral/dynamic/private ports (49152-65535): not permanently assigned by ICANN.
[Figure: web server applications (www:80, FTP:21, SMTP:25) running on the operating system on top of the computer hardware (processor, RAM chip, HD); socket notation: IP address:Port #]
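The TCP flag field, the 3-way handshake, the SYN/ACK probe and the port ranges of the last few slides, worked through as an added example that is not code from the original material: decoding constructed 20-byte TCP headers, classifying ports into the ranges given above, and a defender’s check that spots a SYN/ACK arriving with no prior SYN (the probe). The traffic list is constructed; the attacker and victim addresses are the ones used in the slides.

```python
import struct

FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header (data offset 5, window 65535, checksum 0)."""
    bits = sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (5 << 12) | bits, 65535, 0, 0)


def parse_tcp_header(header):
    """Decode ports, sequence/acknowledgment numbers and the six flag bits."""
    src, dst, seq, ack, offset_flags = struct.unpack("!HHIIH", header[:14])
    flags = {name for name, bit in FLAG_BITS.items() if offset_flags & bit}
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "flags": flags}


def port_class(port):
    """Port ranges as given in the slides."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a 16-bit port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "ephemeral/dynamic/private"


def unsolicited_syn_acks(segments):
    """Defender's check over (src_ip, dst_ip, tcp_header) tuples in arrival order.
    A SYN/ACK is legitimate only as step 2 of a handshake, i.e. after a SYN went
    the other way on the same ports; any other SYN/ACK is a probe (the host
    answers it with RST), so this lists what a monitor would flag."""
    open_syns = set()
    probes = []
    for src_ip, dst_ip, header in segments:
        seg = parse_tcp_header(header)
        flow = (src_ip, seg["src_port"], dst_ip, seg["dst_port"])
        reverse = (dst_ip, seg["dst_port"], src_ip, seg["src_port"])
        if seg["flags"] == {"SYN"}:
            open_syns.add(flow)                  # step 1: SYN (Open)
        elif seg["flags"] == {"SYN", "ACK"}:
            if reverse in open_syns:
                open_syns.discard(reverse)       # step 2 of a real handshake
            else:
                probes.append(flow)              # no SYN (Open) before it
    return probes


# Constructed traffic: one normal 3-way handshake, then a probe using the
# attacker/victim addresses from the slides.
SAMPLE_SEGMENTS = [
    ("192.0.2.10", "192.0.2.80", tcp_header(51000, 80, ["SYN"], seq=100)),
    ("192.0.2.80", "192.0.2.10", tcp_header(80, 51000, ["SYN", "ACK"], seq=300, ack=101)),
    ("192.0.2.10", "192.0.2.80", tcp_header(51000, 80, ["ACK"], seq=101, ack=301)),
    ("1.34.150.37", "60.168.47.47", tcp_header(4444, 80, ["SYN", "ACK"])),
]

if __name__ == "__main__":
    print("SYN/ACK probes:", unsolicited_syn_acks(SAMPLE_SEGMENTS))
    print("port 25 is", port_class(25), "/ port 49562 is", port_class(49562))
```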
Questions
- A host sends a TCP segment with source port number 25 and destination port number 49562.
  1) Is the source host a server or a client? Why?
  2) If the host is a server, what kind of service does it provide?
  3) Is the destination host a server or a client? Why?
TCP and Port spoofing
- Attackers set their application to use a well-known port despite not being the service associated with the port
- Most companies set their firewall to accept packets to and from port 80
- Attackers set their client program to use well-known port 80
Questions
1. What is IP fragmentation? Does IP fragmentation make it easier for a firewall to filter incoming packets? Why?
2. What is a SYN/ACK probing attack?
3. What kind of port numbers do major server applications, such as email service, use?
4. What kind of port numbers do client applications usually use?
5. What is socket notation?
6. What is port spoofing?
7. How many well-known TCP ports are vulnerable to being scanned, exploited, or attacked?