data link layer
node-to-node delivery
network layer
host-to-host delivery
transport layer
process-to-process delivery
transport layer address=
port numbers
16 bit port space
allows for multiple connections on a single host
network address and port translator NAPT
host sends datagram to destination IP
NAT router changes datagram source address from LAN to WAN and updates its table
reply arrives from the destination
NAT router changes datagram destination address back to the LAN host
user datagram protocol UDP
unreliable, unlimited transmission, but very fast and low overhead for small messages
transmission control protocol
reliable byte stream, flow control, congestion control, connection oriented → heavyweight
TCP connection
two way connection established with 3 way handshaking, four way termination
TCP 3 way handshaking
SYN → SYN ACK → ACK
TCP four way termination
1. FIN → 2. ACK & 3. FIN → 4. ACK
DNS application layer
a giant step toward human-friendly internet
database translation
manual translation: put the names in a host file on each computer; store the entire DB on a single machine; store sections of the DB hierarchically
DNS=
application layer protocol that uses either UDP or TCP on well-known port 53; UDP if the size of the response message is less than 512 bytes, otherwise TCP
authoritative DNS servers
organization's DNS servers, providing authoritative hostname-to-IP mappings for the organization's servers
caching
non-authoritative answer: once a name server learns a mapping it caches it, and answers from the cache are non-authoritative; TLD server addresses are typically cached in local name servers
HTTP/1.0
non-persistent: downloading multiple objects requires multiple connections
TCP connection opened
at most one object sent over TCP connection
TCP connection closed
HTTP/1.1
persistent
TCP connection opened to a server
multiple objects can be sent over SINGLE TCP connection between client and server
TCP connection closed
limitations of HTTP 1.1
introduced multiple pipelined GETs over a single TCP connection; the server responds in order (FCFS) to GET requests, so small objects may have to wait for transmission behind large objects (HOL blocking), and loss recovery stalls object transmissions
HTTP/2 mitigating HOL blocking
objects divided into frames, frame transmission interleaved
limitations of HTTP/2
recovery from packet loss stalls all object transmissions; the vast majority of internet traffic is HTTP+TLS+TCP+IP, so it can be improved by combining some of these protocols
HTTP/3
HTTP over QUIC, replaces TLS and TCP, implements reliable transport in an application library, rather than letting the OS’s TCP library handle it
protocols vulnerable to sniffing
HTTP, telnet and Rlogin, POP, IMAP, SMTP, FTP
hub
broadcast, traffic is sent to all ports
switch
unicast, SPAN port
SPAN port
a port which is configured to receive a copy of every packet that passes through a switch
sniffing in data link layer
networking layers in the OSI model are designed to work independently of each other, so if sniffing happens at the data link layer, the upper OSI layers will not be aware of it
MAC flooding attack
the switch may crash, stop accepting more mapping information, or simply broadcast traffic when the CAM table is full; the switch then acts as a hub
Macof
MAC overflow, manipulates MAC-to-port mapping, generates bogus mapping information and fills up the switch CAM table
switch port stealing - redirecting traffic
host A sends an ARP request to host C; attacker B intercepts it and sends a fake ARP reply faster than host C; the switch changes the MAC address binding to the attacker's machine, and the attacker is then able to redirect the packets intended for the target host toward his switch port
gratuitous ARP
a reply to which no request was made; any host can send ARP responses even though no one sent an ARP request; the attacker floods the switch with forged gratuitous ARP packets with his own MAC address as destination, creating a race condition between the attacker's flooded packets and the target host's packets
ARP spoofing
ARP packets can be forged to redirect data to the attacker's machine; the switch becomes a hub after the ARP table is flooded with spoofed ARP replies, letting the attacker sniff all network packets
ARP cache poisoning
attacker floods a target computer's ARP cache with forged entries
defense against ARP poisoning
implement dynamic ARP inspection using the DHCP snooping binding table: if the source MAC address does not match the MAC address in the DHCP binding table entry, the packet is discarded
DHCP snooping
trusted ports: DHCP server or other SW
untrusted ports: other clients
MAC duplication
by changing the MAC address, an attacker can receive traffic destined for other machines; the attacker can sniff the network for MAC addresses of clients that are actively associated with a switch port and reuse one of those addresses
defense against MAC spoofing
use the DHCP snooping binding table, dynamic ARP inspection, and IP source guard; encryption; retrieval of MAC address
DHCP process
DHCP servers maintain TCP/IP configuration information in a database
DHCPDISCOVER/SOLICIT
DHCPOFFER/ADVERTISE
DHCPREQUEST/REQUEST
DHCPACK/REPLY
DHCP starvation attack
a denial of service attack on DHCP servers: the attacker broadcasts forged DHCP requests and tries to lease all of the addresses the DHCP server has available; as a result, users are unable to obtain or renew an IP address
rogue DHCP server attack
attacker sets up a rogue DHCP server in the network and responds to DHCP requests with bogus IP addresses
victim gets
wrong IP address
wrong gateway IP address
wrong DNS server address
defense against DHCP attacks
enable port security (configuring a MAC limit on the switch); enable DHCP snooping, which allows the switch to accept DHCP transactions coming only from a trusted port
ICMP router discovery
For a host to participate on an internetwork, it needs connectivity to at least one router on the local network.
Method 1: Manually configure each host with the address of a local router as its default router (also called a gateway).
• time-consuming to set up, difficult to maintain, and inflexible.
Method 2: Get the info via DHCP. DHCP uses a method called router discovery to automatically discover local routers.
Enables hosts to locate routers on the local subnet and use them as a gateway to reach other networks
IRDP spoofing
attacker sends a spoofed IRDP router advertisement message to the host on the subnet, causing it to change its default router to whatever the attacker chooses
used to launch MITM, denial of service, and passive sniffing attacks
intranet DNS spoofing
attacker connected to the local network sniffs DNS requests, runs a fake DNS server, and responds to them with a fake reply
internet DNS spoofing
attacker infects the victim machine with a Trojan and changes her DNS IP address to that of the attacker's
proxy server DNS poisoning
attacker sends a Trojan to the victim machine that changes her proxy server settings in Internet Explorer to that of the attacker's and redirects her to a fake website
DNS cache poisoning
altering or adding forged DNS records in the DNS resolver cache → victim is redirected to a malicious site
resolvers cache incorrect entries locally and serve them to users if they can't verify the authoritative source
defense against DNS spoofing
do not accept query responses from outside
use split DNS
use a random query ID
configure DNS resolver to use a new random source port for each outgoing query
implement IDS/firewall and deploy them correctly
implement DNSSEC
split DNS
internal & external
Insiders query internal server for inside names
Insiders query internal server which forwards queries to external server for outside names
Outsiders query external server
Internal DNS server will stay clean
kaminsky vulnerability
DNS vulnerability from the query ID having only 65536 values; temporary fix by randomizing the source port, raising the space from 65536 to 135 million; ultimate solution is DNSSEC
ping sweep
sending ICMP echo requests to a wide range of IP addresses; if the target replies, a system is on the network; if it doesn't, the system is not on or is blocking ICMP; can be easily detected by a properly configured IDS
TCP/UDP port scanning
used to identify open and closed ports, allowing an attacker to locate potential entry points and identify the type of system
port scanning with nmap
popular tool that sends probe packets with various TCP flags set to discover open ports, detected by advanced firewalls
XMAS scan
(URG, PSH, FIN)
if port is closed RST is returned
if port is open there is no return
TCP full open scan
connect scan, 3 way handshake, slow and easily detected by IDS
half open scan
SYN scan: incomplete 3-way handshake by not sending the last ACK, torn down by sending RST instead; quicker than a connect scan and harder to detect
basic packet filtering firewall
screening router, allows/denies packets based on port number or IP addresses, decision is per packet
stateful packet filtering firewall
keeps track of the state of network connections, only packets which match a known connection state will be allowed by the firewall, others rejected
firewall
usually blocks incoming SYN packets and allows only outgoing SYN; may allow incoming ACK, FIN, URG, PSH; responds with RST to unexpected packets
SYN
open: SYN/ACK
closed: RST
ACK
open: RST
closed: RST
RST
open: no response
closed: no response
FIN/URG/PSH
open: no response
closed: RST/ACK
inverse TCP flag scanning
send TCP packets with a single TCP flag (known as FIN, URG, PSH scanning) or with no flag (null scanning)
if open, no response
if closed, RST comes back
only closed ports can send RST back, inverse scanning looks for closed ports
inverse TCP flag scan advantages
SYN packets are carefully monitored by firewalls/IDS (including half-open connect attempts)
FIN, URG, PSH packets may pass through without detection
Stealthy
inverse TCP flag scan disadvantages
Microsoft ignores RFC 793 → no RST/ACK response
Only effective on Unix-based OS
ACK flag probe scanning 1
use TTL value (IP header) and window size (TCP header)
exploits the vulnerabilities in BSD-derived TCP/IP stacks
send ACK packets to different ports
ACK flag probe scanning 2
send ACK packets to different ports; if the window value in the reply for a particular port is non-zero, then the port is open
X+2
intermediary sent RST so the port is open
X+1
intermediary didn't send RST so the port is closed
idle scan
the IP ID value of the intermediary must be predictable, that is, it should not be busy (a zombie machine); otherwise the ID value will increase unpredictably
IDS evasion techniques
use fragmented IP packets, spoof your IP address, use source routing, connect through proxy servers or a compromised trojaned machine to launch attacks
loose source and route record
LSRR, allows the packet to use any number of intermediate gateways to reach the next address in the route
strict source and route record
SSRR, requires the next address in the source route to be on a directly connected network; if not, delivery of the packet can't be completed
SYN/FIN scanning using IP fragments
bypass IDS: many IDS are signature based, so fragmentation defeats them
bypass IDS
The TCP header is split into several packets so that the packet filters are not able to detect what the packets intend to do
tiny fragment attack
break a string into smaller pieces
cat /etc/p + asswd
fragment overlap attack
break into pieces and make them overlap to hide original content
cat /etc/paqxyhs + sswd
IDS evasion
many IDS consider a certain number of port service requests in a defined number of seconds an attack; solution: slow scan to stay below the threshold
banner grabbing
OS fingerprinting, active or passive; if the OS is known, the attacker can find an OS-specific vulnerability and have a greater chance of success
active banner grabbing
send specially crafted packets and observe the response; RFCs define how the stack responds but not how to respond to illegal flag combinations
passive banner grabbing
services will sometimes advertise what they are via a "banner", for SMTP, FTP, telnet, HTTP, etc.
sniff packets from the target host to study the signs of the OS (TTL, DF, ToS, TCP)
observe the page extension
advanced HTTP banner grabbing
HTTP methods change and have different names as new versions of the HTTP server become available
proxy servers
an intermediary for connecting with other computers
proxy server uses
proxy firewall filtering out unsuitable traffic, remote access to intranets, NAT, hiding the source IP for anonymous web browsing
proxy server malicious use
impersonating a fake source
proxy chaining
attacker can increase his anonymity and traffic can be encrypted end-to-end, but it is slow
Tor
onion routing: messages are encapsulated in layers of encryption; three types of relays: entry, middle, exit; creates the darknet, dark web, deep web
web manipulation proxy
intercepts HTTP/HTTPS traffic and lets the user verify or change the content and then submit the page; like a MITM attack but on the attacker's own machine
how web app manipulation proxies do SSL
two SSL connections: the browser shows a warning message that someone is trying to attack
vulnerability scanning
identifies vulnerabilities and weaknesses of a system and network in order to determine how the system can be exploited
discovers:
network vulnerabilities
open ports and running services
application and services vulnerabilities
application and services configuration errors
tools
nessus
most popular vulnerability scanner
the exploit
an arbitrary command (usually a shell program) to be executed in the context and with the permissions of the vulnerable program; specific to the target machine and OS
normal stack
buffer 2 → buffer 1 → return pointer → function call arguments
smashed stack
buffer 2 → machine code → new pointer to exec code → function call arguments
stack
a dynamic structure whose stack frame location varies, so the attacker doesn't know exactly which location the executable code is pushed into
NOP sled
include NOPs before the executable code so that if the pointer lands in the NOPs, execution continues down until it reaches the exploit code
payload
= shellcode, a piece of software that lets you control a computer system after it's been exploited
exploit
a small and highly specialized computer program whose only reason for being is to take advantage of a specific vulnerability and provide access to a computer system
delivers a payload to the target system to grant the attacker access to the system
Metasploit
allows developing new attacks from existing tools and testing the attack
extensible model through which payloads, encoders, no-op generators, and exploits can be integrated
modular interface for exploit, payload and target