J. A. Drew Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation Professor, Computer Science & Engineering

Transcription

1 J. A. Drew Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation Professor, Computer Science & Engineering CCI Post Office Box 9627 Mississippi State, MS Voice: (662) Fax: (662) Mississippi State University Center for Cyber Innovation 1

2 Section Objectives Describe sniffing concepts, including active and passive sniffing and protocols susceptible to sniffing Describe ethical hacking techniques for Layer 2 traffic Describe sniffing tools and understand their output Describe sniffing countermeasures Learn about intrusion detection system (IDS), firewall, and honeypot types, use, and placement Describe signature analysis within Snort Describe IDS, firewall, and honeypot evasion techniques Mississippi State University Center for Cyber Innovation 2

3 Sniffing and Evasion Dr. Drew Hamilton Reference: Aarti Dhone, UNR Reference: Behrouz Forouzan, McGraw- Hill s TCP/IP Protocol Suite Reference: Matt Walker All-in-One CEH Certified Ethical Hacker Mississippi State University Center for Cyber Innovation 3

4 Active and Passive Security Threats Passive Threats Active Threats Traffic Analysis Compromise of Message Contents Masquerade Replay Denial of Service Msg Content Modification Mississippi State University Center for Cyber Innovation 4

5 Packet Sniffers Packet Sniffer Definition: A packet sniffer is a wire-tap device that plugs into computer networks and eavesdrops on the network traffic. Components of a packet sniffer: Hardware : standard network adapters. Capture Filter : This is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, then stores the data in a buffer. Buffers : used to store the frames captured by the Capture Filter. Real-time analyzer: a module in the packet sniffer program used for traffic analysis and to shift the traffic for intrusion detection Decoder : "Protocol Analysis. Mississippi State University Center for Cyber Innovation 5

6 How does a Sniffer Work? Sniffers also work differently depending on the type of network they are in. Shared Ethernet Switched Ethernet Detecting a sniffer ARP Ping DNS Mississippi State University Center for Cyber Innovation 6

7 Packet Sniffer Mitigation Host A Router A Router B Host B The following techniques and tools can be used to mitigate sniffers: Authentication Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers. Switched infrastructure Deploy a switched infrastructure to counter the use of packet sniffers in your environment. Antisniffer tools Use these tools to employ software and hardware designed to detect the use of sniffers on a network. Cryptography The most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant. Mississippi State University Center for Cyber Innovation 7

8 Wireshark Kismet Tcpdump Cain and Abel E8ercap Dsniff NetStumbler Ntop Ngrep EtherApe KisMAC Top 11 Packet Sniffers Mississippi State University Center for Cyber Innovation 8

9 What are sniffers used for? Detection of clear-text passwords and usernames from the network. Conversion of data to human readable format so that people can read the traffic. Performance analysis to discover network bottlenecks. Network intrusion detection in order to discover hackers. Mississippi State University Center for Cyber Innovation 9

10 Review: IPv4 Packer Header Mississippi State University Center for Cyber Innovation 10

11 IPv6 Address Truncation (Prowse) Consider IPV6 address 2001:7120:0000:8001:0000:0000:0000:1F10 3 parts Global routing prefix: 2001:7120:0000 Subnet: 8001 Interface ID: 0000:0000:0000:1F10 Truncation: 1 st remove any leading zeroes 2 nd any group of 4 zeroes can be truncated down to a single zero 3 rd one consecutive group of zeroes can be truncated as a double colon (so 0000:0000:0000 becomes ::) 2001:7120:0:8001::1F10 Mississippi State University Center for Cyber Innovation 11

12 IPV6 Addressing notes IPv6 loopback address is Truncates To ::1 Double colon can only be used once in an Ipv6 address Mississippi State University Center for Cyber Innovation 12

13 Wireless Sniffing If you re on the wireless web, you re at risk! Hackers can steal s Usernames and Passwords Credit card numbers Anything you type on a website that doesn t use SSL (HTTPS) Tools of the Trade Wireshark Freely available online Captures traffic (HTTPS/pop/etc) of everyone on a given network Special Wireless Card Promiscuous Mode Inexpensive (~$30) Mississippi State University Center for Cyber Innovation 13

14 Wireshark Mississippi State University Center for Cyber Innovation 14

15 Exam Notes: Walker The IPv4 loopback address (denoting the software loopback of your own machine) is MAC address of broadcast messages is FF:FF:FF:FF:FF:FF The MAC address (a.k.a. physical address) that is burned onto a NICis actually made of two sections. The first half of the address, consisting of 3 bytes (24 bits), is known as the organizational unique identifier and is used to identify the card manufacturer. The second half is a unique number burned in at manufacturing to ensure no two cards on any given subnet will have the same address. Mississippi State University Center for Cyber Innovation 15

16 WinPcap: the Free Packet Capture Library for Windows WinPcap is an open source library for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll, based on libpcap version 0.6.2). The packet filter is a device driver that adds to Windows 95, 98, ME, NT, 2000, XP and 2003 the ability to capture and send raw data from a network card, with the possibility to filter and store in a buffer the captured packets. Packet.dll is an API that can be used to directly access the functions of the packet driver, offering a programming interface independent from the Microsoft OS. Wpcap.dll exports a set of high level capture primitives that are compatible with libpcap, the well known Unix capture library. These functions allow to capture packets in a way independent from the underlying network hardware and operating system. WinPcap is released under a BSD-style license. Mississippi State University Center for Cyber Innovation 16

17 Nmap Free Network Scanner for Network Exploration and Security Mississippi State University Center for Cyber Innovation 17

18 Snort The de facto standard for intrusion detection and prevention Simple, Efficient FREE IDS Very well-written and maintained, robust application Snort is driven by a set of (community developed) rules Actively (constantly) under development Windows and UNIX versions available Mississippi State University Center for Cyber Innovation 18

19 Snort Alerts generated and/or packets logged when a "rule" is triggered. Very simple rule language for writing your own rules Ability to log alerts to syslog, directories in ascii, tcpdump format raw data Different alert styles from one-line, to verbose Modular "plug-in" architecture for adding functionality Many available plug-ins, including SQL and Oracle database logging, statistical analysis, TCP stream and telnet session reassembly, active response using "sniping" Resistant against some of the newer attacks directed at foiling IDSs Mississippi State University Center for Cyber Innovation 19

20 Ethereal Protocol Analyzer Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. Its open source license allows talented experts in the networking community to add enhancements. It runs on all popular computing platforms, including Unix, Linux, and Windows. Data can be captured "off the wire" from a live network connection, or read from a capture file. 673 protocols can currently be dissected Mississippi State University Center for Cyber Innovation 20

21 Ethereal Ethereal can read capture files from tcpdump (libpcap), NAI's Sniffer (compressed and uncompressed), Sniffer Pro, NetXray, Sun snoop and atmsnoop, Shomiti/Finisar Surveyor, AIX's iptrace, Microsoft's Network Monitor, Novell's LANalyzer, RADCOM's WAN/LAN Analyzer, HP-UX nettl, i4btrace from the ISDN4BSD project, Cisco Secure IDS iplog, the pppd log (pppdumpformat), the AG Group's/WildPacket's EtherPeek/TokenPeek/ AiroPeek, or Visual Networks' Visual UpTime. It can also read traces made from Lucent/Ascend WAN routers and Toshiba ISDN routers, as well as the text output from VMS's TCPIPtrace utility and the DBS Etherwatch utility for VMS. Any of these files can be compressed with gzip and Ethereal will decompress them on the fly. Live data can be read from Ethernet, FDDI, PPP, Token-Ring, IEEE , Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms). Captured network data can be browsed via a GUI, or via the TTYmode "tethereal" program. Capture files can be programmatically edited or converted via command-line switches to the "editcap" program. Mississippi State University Center for Cyber Innovation 21

22 Ethereal Mississippi State University Center for Cyber Innovation 22

23 Protocol Sniffing SMTP Simple Mail Transport Protocol SMTP (including V3) sends as plaintext FTP versus SFTP / SCP Passes userids and passwords in the clear TFTP passes everything in the clear Other protocols with cleartext passwords SNMPv1 NNTP IMAP POP3 HTTP Mississippi State University Center for Cyber Innovation 23

24 Address Mapping The delivery of a packet to a host or a router requires two levels of addressing: logical and physical. We need to be able to map a logical address to its corresponding physical address and vice versa. These can be done using either static or dynamic mapping. Mississippi State University Center for Cyber Innovation 24

25 Address Mapping Anytime a host or a router has an IP datagram to send to another host or router, it has the logical (IP) address of the receiver. But the IP datagram must be encapsulated in a frame to be able to pass through the physical network. This means that the sender needs the physical address of the receiver. A mapping corresponds a logical address to a physical address. ARP accepts a logical address from the IP protocol, maps the address to the corresponding physical address and pass it to the data link layer. Mississippi State University Center for Cyber Innovation 25

26 ARP Packet Mississippi State University Center for Cyber Innovation 26

27 Encapsulation of ARP Packet Type: 0x0806 Preamble and SFD Destination address Source address Type Data CRC 8 bytes 6 bytes 6 bytes 2 bytes 4 bytes Mississippi State University Center for Cyber Innovation 27

28 Four Examples of Using ARP Mississippi State University Center for Cyber Innovation 28 28

29 ARP Example A host with IP address and physical address B2:34:55:10:22:10 has a packet to send to another host with IP address and physical address A4:6E:F4:59:83:AB. The two hosts are on the same Ethernet network. Show the ARP request and reply packets Mississippi State University Center for Cyber Innovation 29 encapsulated in Ethernet frames

30 ARP Cache Poisoning Mississippi State University Center for Cyber Innovation 30

31 ARP Cache Poisoning If victim sends an ARP request and gets and gets an ARP reply, then ARP has no way to verify correctness of IP to MAC mapping. Mississippi State University Center for Cyber Innovation 31

32 MAC Flooding All switches know are flooding or forwarding. If switch receives a unicast msg it will forward to the port where the MAC address is connected Switches can flood all of its ports. Switch uses Modern switches protect against MAC flooding, but may be susceptible to MAC spoofing. Content Addressable Memory (CAM) Cached table that maps MAC addresses to switch ports. ex. MAC A is on port 1. Mississippi State University Center for Cyber Innovation 32

33 MAC Flooding Attack Mississippi State University Center for Cyber Innovation 33

34 DHCP Starvation Works by flooding DHCP server to use up all available IP addresses Mississippi State University Center for Cyber Innovation 34

35 DHCP Snooping Mitigates DHCP starvation DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients. Mississippi State University Center for Cyber Innovation 35

36 Screened Subnet Architectures Perimeter Network Bastion Host Interior Router Exterior Router Perimeter Network Bastion Host Internet Exterior Router Internal Network Interior Router Mississippi State University Center for Cyber Innovation 36

37 What is a Bastion Host? SANS Institute Intrusion Detection FAQ A bastion host is a computer that is fully exposed to attack. The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router. Frequently the roles of these systems are critical to the network security system. Indeed the firewalls and routers can be considered bastion hosts. Due to their exposure a great deal of effort must be put into designing and configuring bastion hosts to minimize the chances of penetration. Other types of bastion hosts include web, mail, DNS, and FTP servers. Some network administrators will also use sacrificial lambs as bastion hosts, these systems are deliberately exposed to potential hackers to both delay and facilitate tracking of attempted break-ins. Mississippi State University Center for Cyber Innovation 37

38 Configuring a Bastion Host Effective bastion hosts are configured very differently from typical hosts. Each bastion host fulfills a specific role, all unnecessary services, protocols, programs, and network ports are disabled or removed. Bastion hosts do not share authentication services with trusted hosts within the network so that if a bastion is compromised the intruder will still not have 'the keys to the castle.' A bastion host is hardened to limit potential methods of attack. Mississippi State University Center for Cyber Innovation 38

39 Hardening a Bastion Host The specific steps to harden a particular bastion host depend upon the intended role of that host as well as the operating system and software that it will be running. Access Control Lists (ACLs) will be modified on the file system and other system objects; all unnecessary TCP and UDP ports will be disabled; all non-critical services and daemons will be removed; as many utilities and system configuration tools as is practical will also be removed. All appropriate service packs, hot fixes, and patches should be installed. Logging of all security related events need to be enabled and steps need to be taken to ensure the integrity of the logs so that a successful intruder is unable to erase evidence of their visit. Any local user account and password databases should be encrypted if possible. Mississippi State University Center for Cyber Innovation 39

40 Proxy Servers reality and illusion Proxy systems deal with insecurity problems by avoiding user logins on the dual homed host and by forcing connections through controlled software Proxy Server Bastion Host Client External Server User s Illusion User External Host Mississippi State University Center for Cyber Innovation 40

41 Proxy Servers A server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server. Proxy servers have two major functions Improve Performance: Proxy servers can dramatically improve performance because proxy servers save the results of all requests for a certain amount of time. Consider the case where both user X and user Y access the WWW through a proxy server. First user X requests a certain Web page, which we'll call Page 1. Sometime later, user Y requests the same page. Instead of forwarding the request to the Web server where Page 1 resides, which can be a time-consuming operation, the proxy server simply returns the Page 1 that it already fetched for user X. Since the proxy server is often on the same network as the user, this is a much faster operation. Real proxy servers can support hundreds or thousands of users. Filter Requests: Proxy servers can also be used to filter requests. For example, a company might use a proxy server to prevent its employees from accessing a specific set of Web sites. Mississippi State University Center for Cyber Innovation 41

42 Securing the Network Apps The last step to securing a bastion host may be the most difficult: securing whatever network application the host is running. Very often the vendor of a web or streaming media server doesn't consider security risks while developing their product. It is usually up to the system administrator to determine through testing what ACLs they need to modify to lock down the network application as thoroughly as possible without disabling the very features that make is a useful tool. It is also necessary to closely track the latest announcements from the vendor regarding security problems, workarounds, and patches. The more popular network applications also tend to inspire the creation of independent mailing lists, newsgroups, and websites that can be tracked for additional insights. Mississippi State University Center for Cyber Innovation 42

43 Network Address Translation (NAT) (Cisco) Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between an internal network and the rest of the world. NAT has many forms and can work in several ways Mississippi State University Center for Cyber Innovation 43

44 Static NAT Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network. unregistered means a host with an IP address but no domain name registered in the DNS. In static NAT, the computer with the IP address of will always translate to Mississippi State University Center for Cyber Innovation 44

45 Dynamic NAT Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses. In dynamic NAT, the computer with the IP address will translate to the first available address in the range from to Mississippi State University Center for Cyber Innovation 45

46 Overloading Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT. In overloading, each computer on the private network is translated to the same IP address ( ), but with a different port number assignment. Mississippi State University Center for Cyber Innovation 46

47 Overlapping Overlapping - When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the "internal" addresses to registered unique addresses as well as translate the "external" registered addresses to addresses that are unique to the private network. This can be done either through static NAT or by using DNS and implementing dynamic NAT. The internal IP range ( xx) is also a registered range used by another network. Therefore, the router is translating the addresses to avoid a potential conflict with another network. It will also translate the registered global IP addresses back to the unregistered local IP addresses when information is sent to the internal network. Mississippi State University Center for Cyber Innovation 47

48 Firewall Selection Single Purpose Router or a General Purpose Computer? Packet filtering should be only activity on the device Combinations of proxy servers and/or bastion hosts may be implemented on routing device Serious increase in hardware performance requirements Simple specification of rules Packet filtering is complicated to begin with because the protocols are complex, rule implementation should not add complexity. It should allow rules based on any header or meta-packet criteria Header information is in the packet Meta-packet information are those things routers recognize outside of the header Mississippi State University Center for Cyber Innovation 48

49 Applying filtering rules Apply rules in the order specified Reordering makes it more difficult to analyze what is going on Any quirks or bugs in the rule set may be obscured Reordering rules can break a rule set that would otherwise work correctly Example Rule A permits the university network to reach your research subnet Rule B locks out a hostile subnet at the university out of everything else Rule C disallows Internet access to your subnet Rule order ABC Packet from hostile subnet allowed to research subnet (rule A) Rule order BAC Packet from hostile subnet denied access to research subnet (rule B) Rule may have limited granularity Mississippi State University Center for Cyber Innovation 49

50 More packet filtering guidelines Allow rules to be applied separately to incoming and outgoing packets on a per-interface basis provide maximum flexibility when only outgoing packets can be viewed then: The filtering system is always outside of its filters More difficult to detect forged packets Forgery is most easily detected when the packet enters from outside the system Routers can generate packets themselves and sometimes process internal packets (due to fixed paths for example). Filtering outgoing packets only is more complicated when the router has multiple ports Allow option to log accepted or dropped packets Support good testing and validation capabilities Mississippi State University Center for Cyber Innovation 50

51 Honeypots High interaction honeypots simulates all services and applications and is designed to be completely compromised. Low interaction honeypots simulate limited services and cannot ecompletely compromised. Mississippi State University Center for Cyber Innovation 51

52 Summary Section Objectives Describe sniffing concepts, including active and passive sniffing and protocols susceptible to sniffing Describe ethical hacking techniques for Layer 2 traffic Describe sniffing tools and understand their output Describe sniffing countermeasures Learn about intrusion detection system (IDS), firewall, and honeypot types, use, and placement Describe signature analysis within Snort Describe IDS, firewall, and honeypot evasion techniques Mississippi State University Center for Cyber Innovation 52