data link layer
node-to-node delivery
network layer
host-to-host delivery
transport layer
process-to-process delivery
UDP
unreliable, unlimited transmission, but fast and simple
TCP
reliable byte stream, flow control, congestion control, connection oriented (heavyweight)
TCP connection
three way handshaking, four way termination
HTTP 1.0
TCP connection opened
at most one object sent over TCP connection
TCP connection closed
HTTP 1.1 (persistent)
TCP connection opened to a server
multiple objects can be sent over a single TCP connection between client and that server
TCP connection closed
HTTP/2
objects divided into frames, frame transmission interleaved
limitations of HTTP/2
recovery from lost packets stalls all object transmissions, vast majority of internet traffic is HTTP+TLS+TCP+IP, can improve performance by combining some of the protocols
address mapping
domain names to IP addresses (DNS), hosts to IP addresses (DHCP), IP addresses to MAC addresses (ARP), MAC addresses to switch ports (CAM table)
MAC flooding attack
when the CAM table floods, causing the switch to crash, stop accepting more mapping information, or simply broadcast traffic (acts as a hub)
MAC overflow
manipulates MAC-to-port mapping, generates bogus mapping information and fills up the switch CAM table
switch port stealing
attacker sends fake ARP faster than the intended host machine, changes the MAC address binding to the attacker's machine so packets are now redirected to the attacker's switch port
DHCP starvation attack
attacker broadcasts forged DHCP requests and tries to lease all of the available DHCP addresses, so legitimate users are unable to obtain or renew an IP address via DHCP
rogue DHCP server attack
attacker sets a rogue DHCP server in the network and responds to DHCP requests with bogus IP addresses, victim gets wrong IP address, gateway IP address, and DNS server address
IRDP spoofing
attacker sends a spoofed IRDP router advertisement message to a host on the subnet, causing it to change its default router to whatever the attacker chooses, used to launch MITM, DDoS, passive sniffing
DNS poisoning
tricks a DNS server or a host into believing it has received authentic information when it really hasn't, results in substitution of a false IP address
intranet DNS spoofing
attacker runs a fake DNS server, sniffs DNS requests, and responds with a fake reply (attacker must be connected to the LAN)
internet DNS spoofing
attacker infects the victim machine with a trojan and changes its DNS server IP address to the attacker's
proxy server DNS poisoning
attacker sends a trojan to the victim machine that changes its proxy server settings in Internet Explorer to the attacker's proxy and redirects to a fake website
DNS cache poisoning
altering or adding forged DNS records in the DNS resolver cache, redirects clients to a malicious site
DNS spoof vs DNS cache poison
DNS spoofing at layer 2, no cache involved, effect is limited to one client
DNS cache poisoning at the application layer, no sniffing, cache is manipulated, affects all clients of the DNS server
split DNS
defense against DNS spoofing, keeps the internal DNS server safe while outsiders query the external server
defense against DNS spoofing
don't accept query responses from outside, use random query IDs, configure the DNS resolver to use a new random port for each outgoing query, implement IDS/firewall & DNSSEC
kaminsky vulnerability
query ID has only 65536 values, randomization can be predictable, can lead to a birthday attack
DNS security extensions
DNS resolver checks the digital signature to ensure the info is correct, authenticates the DNSKEY via a chain of trust from a set of verified public keys for the DNS root zone, domain owners generate their own keys which are signed by the upper-level DNS zone
scanning
an intense and methodical process of uncovering the structure of the network and the hosts on it, info gathered here can refine the enumeration process later (ping sweep, port scan, vuln scan)
ping sweep
checks for live machines, sends an ICMP echo request to a specified interface on the network and waits for a reply, confirms the target computer is operating, can be detected by IDS
ping sweep with nmap
discovers live hosts, services, types of packets/firewalls, OS
TCP/UDP port scanning
used to identify the open and closed ports on a system, allows an attacker to locate potential entry points and the type of system
port scanning with nmap
sends probe packets with various TCP flags set (SYN, ACK, FIN, etc), a closed port responds with RST
SYN
used to initiate a connection between two different hosts in order to facilitate communications
ACK
used to acknowledge the receipt of a packet of information
URG
states that the data contained in the packet should be processed immediately
PSH
instructs the sending machine to send all buffered data immediately
FIN
tells the remote system that no more information will be sent, closes connection
RST
reset packet used to abort/reset a connection
TCP header
source & destination port, sequence number, acknowledgement number, Hlen & reserved & window, checksum & urgent pointer, options
TCP 3 way connection
send SYN, receive SYN ACK, send ACK
TCP 4 way termination
send FIN, receive ACK, receive FIN, send ACK
full open port scan
TCP connect scan, completes the 3-way handshake, slow and easily detectable by IDS
half open port scan
SYN scan, incomplete 3-way handshake, quicker than a connect scan and harder to detect, don't send the last ACK but send RST instead
basic packet filtering firewall
allows/denies packets based on port number or IP address, decision is per packet
stateful packet filtering
keeps track of the state of network connections (TCP streams), only packets which match a known connection state are allowed by the firewall, others rejected
flow
4- or 5-tuple, SIP+DIP+SPort+DPort (96 bits), plus protocol
firewall
usually blocks incoming SYN packets, allows only outgoing SYN, may allow incoming ACK, FIN, URG, PSH
inverse TCP flag scanning
send TCP packets with a single TCP flag or no flag set, looks for closed ports that send RST back
inverse TCP flag scan advantages
SYN packets are carefully monitored by firewall/IDS, other packets may pass through undetected, stealthy
inverse TCP flag scan limitation
only effective on Unix-based OS
XMAS scan
send all 3 flags, if the port is open there's no response, only effective on Unix-based OS
-sF nmap flag
for a scan with only the FIN flag set on probe packets
-sN nmap flag
for a null scan with no TCP flags set on probe packets
-sX nmap flag
for an XMAS tree scan with all TCP flags set
ACK flag probe scan
ACK scanning combined with SYN scanning reveals whether the firewall is stateful or non-stateful
non-stateful firewall
doesn't keep connection state, so it has to accept all incoming ACK packets, in response the host sends an RST
stateful firewalls
discard out-of-sync ACK packets leading to no response, the port is marked as filtered; if an RST is received in response then it's marked as unfiltered
normal response to SYN
if open SYN/ACK
if closed RST
normal response to out-of-sync ACK
if open, RST
if closed, RST
idle/IPID scan
stealthy scanning mode, attacker uses the predictability of the IP ID field to infer the reply
IP identification field
used for packet fragmentation to group all fragments together for packet reassembly, has a unique value per packet, if incremental then each packet gets one bigger than the previous
idle scan
the IP ID value of the intermediary host must be predictable, otherwise the ID value will increase unpredictably
UDP scanning
no 3-way handshake, no flags, uses ICMP to reply, if the port is open then no response, if the port is closed then an ICMP port unreachable message (used by malware)
ICMP echo scan
ICMP echo to the subnet broadcast address, but the Windows TCP/IP stack prevents replying to probes sent to the broadcast address
list scan
creates a host list, lists the IP addresses in the query, no actual scan (dry run), good for a sanity check, performs DNS name lookup
IDS evasion techniques
use fragmented IP packets, spoof your IP address, use source routing, connect through proxy servers or a compromised trojaned machine to launch attacks
loose source and route record LSRR
allows the packet to pass through any number of intermediate gateways to reach the next address in the route
strict source and route record SSRR
requires the next address in the source route to be on a directly connected network; if not, delivery of the packet cannot be completed
bypass IDS
the TCP header is split across several packets so that packet filters are not able to detect what the packets intend to do
IDS signature based
cannot match a signature against a split packet
effect of fragmented packets
receiving host may not properly reassemble them, can cause crashes or reboots
tiny fragment attack
break a string into smaller pieces ("cat /etc/p" + "asswd")
fragment overlap attack
break into pieces and make them overlap to hide the original content ("cat /etc/paqxyhs" + "sswd")
packet reassembly
the fragment with the lowest offset will overwrite others, regardless of arrival time; earliest fragments can't be overlapped
fragroute
the attacker can specify how fragmentation will occur
slow scanning IDS evasion
slow the scan to below the IDS threshold, e.g. an nmap command sending one port request every 1.5 minutes
banner grabbing
(OS fingerprinting), if the OS is known the attacker can find an OS-specific vulnerability and have a greater chance of success
active banner grabbing
send specifically crafted packets and observe the response, RFCs define how the TCP/IP stack responds but not how to respond to illegal combinations, sniff packets from the target host to study the signs of an OS
advanced HTTP banner grabbing
HTTP servers have different methods and changing names with newer versions, can be used to deduce the type and version of the HTTP server
banner grabbing tools
netcat/telnet, nmap, Xprobe2, P0f, ID Serve, Netcraft