Presentation Layer Security
Lecture 7
Supakorn Kungpisdan, [email protected]
NETE4630

Outline
- Introduction to Presentation Layer
- NetBIOS
- CIFS or SMB
- NetBIOS and Enumeration
- Sniffing Encrypted Traffic

Introduction to Presentation Layer
- The presentation layer deals primarily with data representation
- If one host supports Extended Binary-coded Decimal Interchange Code (EBCDIC) for character sets and another supports ASCII, the presentation layer converts data according to each host's needs
- Other functionalities include data compression, data encryption, and manipulating XML objects

Common Internet File System (or SMB)
- Common Internet File System (CIFS), aka Server Message Block (SMB), is a network protocol for file sharing on a LAN, running at the application/presentation layer
- A client-server protocol
- Relies on other protocols for transport; the most commonly used is NetBIOS over TCP (NBT)
- MS OSes use CIFS for remote file operations (mapping network drives), browsing (via Network Neighborhood), authentication (NT, Win2000, 2003), and remote printer services
- Unix OSes also implement CIFS via the SAMBA program

NetBIOS and SMB vs. OSI
[Figure: NetBIOS and SMB layered against the OSI model]

CIFS History
- In 1984, IBM wrote NetBIOS, an API allowing basic network communications between hosts on a small subnet, but it required a transport protocol
- In 1985, IBM released a transport protocol for NetBIOS; the two were merged into the NetBIOS Enhanced User Interface (NetBEUI)
- Later, NetBIOS was implemented over various transport protocols, e.g. DECnet, IPX/SPX, and TCP/IP
- Soon after, MS and Intel created the first rendition of the SMB/CIFS file sharing protocol, titled "Core Protocol"
- MS and Intel chose NetBIOS to deliver the upper-protocol CIFS packets
- CIFS using NetBIOS over TCP became the standard network file sharing mechanism for MS OSes
- Several operations have been added to CIFS over time:
  - File access
  - File and record locking
  - Safe file caching
  - File change notification
  - Protocol negotiation
  - Extended file attribute handling
  - Batched requests
  - Unicode support

NetBIOS
- NetBIOS runs over many transport protocols, but today TCP/IP is the most common transport used
- Main NetBIOS services:
  1. Name service
  2. Session service
  3. Datagram service

NetBIOS Name Service
- NetBIOS names are human-readable names assigned to computers on a network, commonly seen in Windows in Network Neighborhood
- They serve the same purpose as DNS in TCP/IP, but the method is different
- Operates on UDP port 137
- Broadcast and/or server based: name registration and lookups can be accomplished by broadcasting to the LAN and/or by using a central NetBIOS name server (NBNS, or WINS on Windows)
  - Broadcast only (B-node)
  - NBNS only (P-node)
  - Broadcast first, then NBNS (M-node)
  - NBNS first, then broadcast (H-node)
- Dynamic registration: when a computer boots, it registers its name/IP combination dynamically
- The two most common name service operations are name registration and name query
  - Name registration associates a NetBIOS name with an IP address. Try: c:\nbtstat -A ip-address
  - Name query determines the IP address associated with a given name. Try: c:\nbtstat -a computer-name

Name Registration (B-node)
1. Broadcast a name registration packet containing the name and IP over UDP port 137, three times (waiting 250 ms each)
2. If a host has already registered the name, it sends back a defense packet

Name Registration (P-node)
1. Unicast a name registration packet over UDP port 137 directly to the NBNS (WINS server), three times (waiting 250 ms each)
2. If the name is already registered, the NBNS sends back a defense packet

NetBIOS Session Service
- From RFC 1001: "A session is a reliable message exchange, conducted between a pair of NetBIOS applications. Sessions are full-duplex, sequenced, and reliable"
- CIFS uses the session service to send and receive all upper-layer commands, including file and printer operations
- The first step in any CIFS communication is to establish a NetBIOS session between client and server

Session Service Primitives
- Call: initiate a NetBIOS session. Mapped onto TCP by creating a TCP connection and sending a NetBIOS call packet containing the client's NetBIOS name and the server's NetBIOS name
- Listen: wait for a NetBIOS call command. Mapped onto a server waiting on TCP port 139
- Hang Up: end a NetBIOS session. Mapped into TCP by initiating a TCP teardown sequence
- Send: send a message over a NetBIOS session
- Send No ACK: similar to Send, but no acknowledgment is required
- Receive: receive a message from a NetBIOS session
- Session Status: obtain information about a session
NETE4630 Advanced Network Security and Implementation

NetBIOS Datagram Service
- From RFC 1001: "The datagram service is an unreliable, non-sequenced, connectionless service"
- Used by NetBIOS applications as a fast, broadcast-capable, low-overhead method of transferring data
- Implemented on UDP port 138
- Every NetBIOS datagram packet adds a header containing the NetBIOS name and whether or not the NetBIOS datagram was fragmented to be sent via UDP
- The CIFS protocol standard does not implement the NetBIOS datagram service, but CIFS implementations typically use it for browsing

NetBIOS Datagram Service Primitives
- Send Datagram: send a datagram to a remote NetBIOS name
- Send Broadcast Datagram: send a datagram to all NetBIOS names on the network
- Receive Datagram: wait for a packet to arrive from a Send Datagram operation
- Receive Broadcast Datagram: wait for a packet to arrive from a Send Broadcast Datagram operation

CIFS Properties
- CIFS allows file sharing between network nodes
- Client/server, request/response
- Allows multiple simultaneous requests by assigning a multiplex ID (MID) to each request; the server replies with the same MID
- Command based: each packet contains a command field indicating the packet's purpose, e.g. login, open a file, read from a file, or write to a file. The CIFS packet contains a 1-byte command field, allowing 100+ commands
- Protocol dialects/negotiation: allows different variants (dialects) of CIFS to communicate. When a client wishes to access files on a remote server, it sends a negotiate protocol packet containing a list of dialect strings that it is capable of understanding; the server sends back a response indicating which dialect it wishes to use
  [Figure: client sends its list of SMB variants; server replies with the chosen SMB variant]
  [Figure: SMB Variants (Dialects). Ref: http://samba.anu.edu.au/cifs/docs/what-is-smb.html]
- User level security: a client wishing to access the share must provide a username and a password. Used in Windows 2000 onwards
- Share level security: the share itself requires only a password; no username is required. Used in Windows 95 and 98
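Going back to the NetBIOS Name Service slides, the following added example (not from the lecture) builds and decodes the name registration exchange described there, so that a monitor on UDP port 137 can tell a B-node registration request from a defense packet; names, addresses and transaction ids are constructed values.

```python
import struct

OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}

def encode_name(name, suffix=0x00):
    """First-level encoding (RFC 1001/1002): pad the name to 15 bytes, append the suffix
    byte, then write each nibble as 'A' + nibble; result is a 32-char label plus root."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half = bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return bytes([len(half)]) + half + b"\x00"

def decode_name(label):
    """Inverse of encode_name for one 32-byte label; returns (name, suffix)."""
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def nb_record(name, suffix, ip, owner_node):
    """NB resource record: type NB (0x20), class IN, TTL, RDLENGTH 6, NB_FLAGS, NB_ADDRESS.
    NB_FLAGS bits 14-13 (ONT) carry the owner's node type: 0 = B-node, 1 = P-node."""
    return (encode_name(name, suffix) + struct.pack("!HHIHH", 0x20, 1, 300000, 6, owner_node << 13)
            + bytes(int(o) for o in ip.split(".")))

def build_registration(tid, name, suffix, ip, broadcast=True):
    """NAME REGISTRATION REQUEST: opcode 5, RD set, B set for a B-node broadcast (flags 0x2910)."""
    flags = (5 << 11) | (1 << 8) | (0x10 if broadcast else 0)
    header = struct.pack("!HHHHHH", tid, flags, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1
    question = encode_name(name, suffix) + struct.pack("!HH", 0x20, 1)
    return header + question + nb_record(name, suffix, ip, 0 if broadcast else 1)

def build_defense(tid, name, suffix, owner_ip):
    """NEGATIVE NAME REGISTRATION RESPONSE, the 'defense packet' sent by the current owner:
    R, AA, RD, RA set, RCODE 6 (ACT_ERR, name is active), ANCOUNT=1."""
    flags = 0x8000 | (5 << 11) | 0x0400 | 0x0100 | 0x0080 | 6
    return struct.pack("!HHHHHH", tid, flags, 0, 1, 0, 0) + nb_record(name, suffix, owner_ip, 0)

def parse_nbns(pkt):
    """What a monitor on UDP/137 can decode: header fields, the first name in the packet and,
    for registration traffic, the address bound to that name (last field of the NB record)."""
    tid, flags = struct.unpack("!HH", pkt[:4])
    info = {"tid": tid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "opcode": OPCODES.get((flags >> 11) & 0xF, "other"), "broadcast": bool(flags & 0x10)}
    info["name"], info["suffix"] = decode_name(pkt[13:13 + pkt[12]])
    if info["opcode"] == "registration":
        info["ip"] = ".".join(str(b) for b in pkt[-4:])
    return info
```

A defense packet whose source address is not the registered owner of the name is the "fake packet" the Other NetBIOS Issues slide warns about, so logging rcode 6 responses against the address that answers is a cheap check.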
- Encryption: the password entered is sent to the server in an encrypted format (NTLM and LanMan)
- Opportunistic locking (oplock): when a CIFS packet specifies opening a file, an oplock can be requested; if granted by the server, no other entity can access the file

CIFS Packet Header
[Figure: CIFS packet header layout]

CIFS Operations
- Client initiates contact with a server
- Client needs to open a file and read from it

Initial Contact, Login, and Tree Connect
  Client: Establish NetBIOS session
  Server: Positive NetBIOS session acknowledgement
  Client: Negotiate CIFS dialect
  Server: Choose CIFS dialect from the request list
  Client: User login
  Server: Indicate User ID, or return an error if the password is bad
  Client: Connect to a particular resource
  Server: Indicate Tree ID, or an error if the share name does not exist

File Open and Read
  Client: Open a file
  Server: Indicate File ID, or an error code if there is a problem
  Client: Read from a file
  Server: Return the file data requested

SMB and SAMBA
- SAMBA is a project established to provide free implementations of the SMB protocol for various platforms
- The SAMBA project has had to "reverse engineer" the protocols and continues to work in this manner in order to keep the software free
- Despite having released a version of SMB to the X/Open organization, Microsoft continues to develop the protocol as a proprietary protocol, and details of some of the more recent versions have not been made freely available

Null User Overview
- At the core of the Windows authentication scheme lies the 'User' administrative unit. When we create users, we assign them rights, privileges, and policy restrictions to define what they can and can't do on our networks
- In addition to the standard User, Windows supports a special type of user called the 'Null' user: a pseudo-account that has no username or password but is allowed to access certain information on the network
- Some MS OSes and services used to require the null user in order to operate properly
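The following added example (not from the lecture) shows the negotiate and login steps above as they appear on the wire: it splits the SMB1 header (command byte, TID, UID, MID), lists the dialect strings a client offers, and flags a SESSION_SETUP_ANDX that carries an empty account name and no password bytes, which is how the null user just described logs in. The packets are constructed here, and the strings are assumed to be in the OEM (non-Unicode) form.

```python
import struct

SMB_HEADER = struct.Struct("<4sBIBH12sHHHH")   # fixed 32-byte SMB1 header, little-endian
COMMANDS = {0x72: "NEGOTIATE", 0x73: "SESSION_SETUP_ANDX", 0x75: "TREE_CONNECT_ANDX",
            0xA2: "NT_CREATE_ANDX", 0x2E: "READ_ANDX"}

def parse_header(pkt):
    """Header fields the slides describe: 1-byte command, TID, UID and the MID that pairs a reply
    with its request. Flags bit 7 marks a response; Flags2 bit 15 marks Unicode strings."""
    magic, cmd, status, flags, flags2, _, tid, _pid, uid, mid = SMB_HEADER.unpack(pkt[:32])
    if magic != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    return {"command": COMMANDS.get(cmd, hex(cmd)), "status": status, "response": bool(flags & 0x80),
            "unicode": bool(flags2 & 0x8000), "tid": tid, "uid": uid, "mid": mid}

def parse_negotiate_dialects(pkt):
    """Dialect list in a NEGOTIATE request: WordCount 0, ByteCount, then 0x02 + name + NUL each."""
    bytecount = struct.unpack_from("<H", pkt, 33)[0]
    body = pkt[35:35 + bytecount]
    return [d.rstrip(b"\x00").decode("ascii") for d in body.split(b"\x02") if d]

def is_null_session(pkt):
    """SESSION_SETUP_ANDX (NT LM 0.12 form, 13 parameter words) with an empty account name and
    no password bytes is a null session. Offsets: OEM/Unicode password lengths at 47, data at 61."""
    hdr = parse_header(pkt)
    if hdr["command"] != "SESSION_SETUP_ANDX" or hdr["response"] or hdr["unicode"]:
        return False          # Unicode layout (padding before the name) is not handled here
    oem_len, uni_len = struct.unpack_from("<HH", pkt, 47)
    start = 61 + oem_len + uni_len
    account = pkt[start:].split(b"\x00", 1)[0]
    return account == b"" and pkt[61:start].strip(b"\x00") == b""

def build_smb1(cmd, words=b"", data=b"", flags2=0x0001, tid=0, uid=0, mid=0):
    """Constructed test packet (assumed values, not a capture): header + words + data."""
    header = SMB_HEADER.pack(b"\xffSMB", cmd, 0, 0x18, flags2, bytes(12), tid, 0xFEFF, uid, mid)
    return header + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data

def build_session_setup(account, oem_password, mid=2):
    """Constructed SESSION_SETUP_ANDX request; a null session passes an empty account and a
    single NUL byte as the OEM password."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xFFFF, 2, 1, 0, len(oem_password), 0, 0, 0)
    data = oem_password + account + b"\x00" + b"WORKGROUP\x00Windows NT\x00"
    return build_smb1(0x73, words, data, mid=mid)

NEGOTIATE_REQ = build_smb1(0x72, data=b"".join(b"\x02" + d + b"\x00" for d in
                           (b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12")), mid=1)
```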
- A null user can enumerate account names and shares on domain controllers, member servers, and workstations alike. Therefore this null user, a user with no credentials, can be used to glean a tremendous amount of information from your network without raising any eyebrows
- Microsoft's System Management Server uses the null user to enumerate shares during discovery
- Even the mundane action of starting an NT workstation or server creates an initial null user logon to one of your domain controllers after its NetBIOS name is successfully registered (before you get the Ctrl + Alt + Delete logon prompt)
- The System account uses the null user to get to remote resources

NetBIOS Enumeration
- Null sessions allow users to communicate via NetBIOS in order to query any server as the null user
- If this occurs, the user can enumerate shares, users, groups, permissions, and policies, and can probably brute force their way into the network
- Many tools can be used to enumerate different aspects of a Windows server

enum
- enum is a console-based Win32 information enumeration utility. Using null sessions, enum can retrieve user lists, machine lists, share lists, name lists, group and member lists, and password and LSA policy information
- enum is also capable of a rudimentary brute-force dictionary attack on individual accounts
- Ref: http://www.cotse.com/tools/netbios.htm
[Screenshots: getting the user list; getting the password policy (no limit on the number of logon attempts); dictionary attack]

Exploiting the IPC$ Share
- Windows has hidden administrative shares that end in $ (e.g. C$, ADMIN$, IPC$). The system tells itself to omit these shares from any request for the enumeration of shares
- The InterProcess Communication (IPC$) share is necessary to make systems work properly; IPC$ is used for data sharing between processes
- In old versions of Windows (esp. NT), users can exploit the use of IPC$ and other hidden shares through a null session
- Once connected, the user may use the net view and net use commands to browse and connect to the hidden shares on a machine
[Figure: connecting to IPC$ through a null session]

winfo verbose
  C:\winfo\winfo 192.168.1.1 -v -n
- Establishes a null session before dumping data

Other NetBIOS Issues
- An attacker can generate a fake packet to deny a host joining the network
- Many vulnerabilities have been fixed in newer Windows OSes, but several organizations still have legacy systems; thus these types of NetBIOS vulnerability still exist

Sniffing Encrypted Traffic
- Obfuscation: some schemes use encryption and others use a one-way function. The aim is to make it difficult to intercept a transmitted message and retrieve its content
- Base64 encoding: not suitable for data protection (confidentiality); there is no shared key between the encode and decode functions
- XOR encryption: uses a shared key, providing more protection
- Message digests (MD5 and SHA-1): not encryption algorithms. The premise for using digests and hashes is to make a collision difficult: it is computationally infeasible to reproduce identical digests/hashes from different input. Most commonly used to obfuscate passwords. Vulnerable to brute-force and rainbow table attacks

Kerberos
[Figure: Kerberos exchange]

Attacking Kerberos
- The key for communications between C and AS is derived from the user's password; Windows computes a one-way function (OWF) over the password to generate the key
- If the hash value is known, we can run a dictionary attack against the key (known ciphertext attack)
- The security of Kerberos depends on how strong the password is
[Screenshot: hashed password]
- Run Kerbsniff, a command-line utility, to capture the AS-REQ value to a text file
- Run Kerbcrack on the hashed password to recover the password (input file; dictionary attack)

Attacking Weak Protection Schemes
- Many people say that data protection requires strong cryptographic algorithms that can resist a dictionary or brute-force attack
- However, much of the problem lies in selecting weak passwords
- A weak protection scheme reduces the effort an attacker must make once the hash value is known

John the Ripper
- Download at http://www.openwall.com/john/

Questions?
Next week: Application Layer Security
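As an added example for the obfuscation and weak-protection slides above (not part of the lecture): Base64 reverses with no key, XOR needs only the shared key, an unsalted MD5 or SHA-1 "obfuscated" password falls to a wordlist at one fast hash per guess, and a per-user salt with PBKDF2 is the storage scheme that removes the rainbow-table shortcut. The wordlist, key and passwords are constructed values.

```python
import base64, hashlib, hmac, os

WORDLIST = ["password", "letmein", "Summer2010", "welcome1"]   # constructed, not a real list

def decode_base64(blob):
    """Base64 is an encoding, not protection: the decoder needs no key at all."""
    return base64.b64decode(blob).decode("ascii")

def xor_with_key(data, key):
    """Repeating-key XOR is symmetric: the same call encrypts and decrypts, so anyone who
    sniffs the traffic and knows the shared key (or guesses a short one) reads the message."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def unsalted_digest(password, algo="md5"):
    """The password 'obfuscation' the slides describe: one deterministic MD5/SHA-1 digest."""
    return hashlib.new(algo, password.encode()).hexdigest()

def dictionary_hits(digest_hex, algo="md5"):
    """Why an unsalted digest is weak: every guess costs one fast hash, and the same
    precomputed table answers for every user who chose that password."""
    return [w for w in WORDLIST if unsalted_digest(w, algo) == digest_hex]

def store_credential(password, salt=None, rounds=200_000):
    """Mitigation: a random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256), so identical
    passwords get different records and each guess costs 'rounds' of work."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "$".join([salt.hex(), str(rounds), dk.hex()])

def verify_credential(password, record):
    """Recompute with the stored salt and rounds; constant-time compare."""
    salt_hex, rounds, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)
```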