Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

Transcription

1 Lab1 Definition of Sniffing: A program or device that captures vital information from the network traffic specific to a particular network. Passive Sniffing: It is called passive because it is difficult to detect. Passive sniffing means sniffing through a hub. Attacker simply connects the laptop to the hub and starts sniffing. Active Sniffing: Sniffing through a switch. Difficult to sniff. Can easily be detected. Techniques for active sniffing: ARP (Address Resolution protocol) spoofing. MAC flooding. How Does ARP Spoofing (Poisoning) Work? Steps!!

2 MAC Flooding: MAC flooding involves flooding the switch with numerous requests. The switch then acts as a hub by broadcasting packets to all themachines on the network. DHCP Starvation Attack: A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. The network attacker can then set up a rogue DHCP server on his or her system and respond to new DHCP requests from clients on the network. Since DHCP responses typically include default gateway and DNS server information, the network attacker can supply his or her own system as the default gateway and DNS server resulting in a "man-in-the-middle" attack. DNS Poisoning Techniques: DNS poisoning is a technique that tricks a DNS server into believing it has received authentic information when, in reality, it has not and as a result : mapping wrong IP to known domain names/ What is promiscuous mode?

3 Lab2 What is zombie scan? Common Scan types TCP Full Connect scan: This type of scan is the most reliable but also the most detectable. It is easily logged and detected because a full connection is established. Open ports reply with a SYN/ACK; closed ports respond with a RST/ACK. TCP SYN scan: This type of scan is known as half-open, because a full TCP connection is not established. This type of scan was originally developed to be stealthy and evade IDS systems, although most now detect it. Open ports reply with a SYN/ACK; closed ports respond with a RST/ACK. TCP FIN scan: Forget trying to set up a connection; this technique jumps straight to the shutdown. This type of scan sends a FIN packet to the target port. Closed ports should send back an RST. This technique is usually effective only on Unix devices. TCP NULL scan: Sure, there should be some type of flag in the packet, but anull scan sends a packet with no flags set. If the OS has implemented TCP per RFC 793, closed ports will return an RST. TCP XMAS scan: just a port scan that has toggled on the FIN, URG, and PSH flags. Closed ports should return an RST. Scanned ports status The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets

4 on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed.nmap reports the state combinations open filtered and closed filtered when it cannot determine which of the two states describe a port. Lab 3 footprinting, the fine art of gathering information. Footprinting is about scoping out your target of interest, understanding everything there is to know about that target and how it interrelates with everything around it, often without sending a single packet to your target. Why Is Footprinting Necessary? Footprinting is necessary for one basic reason: it gives you a picture of what the hacker sees. And if you know what the hacker sees, you know what potential security exposures you have in your environment. Traceroute idea of work,, with figures

5 Lab 4 Definition of MITM Man-in-the-middle(MITM) attacks occur when the attacker manages to position himself between the legitimate parties to a conversation. The attacker spoofs the opposite legitimate party so that all parties believe they are actually talking to the expected other, legitimate parties. A MITM attack allows the attacker to eavesdrop on the conversation between the parties, or to actively intervene in the conversation to achieve some illegitimate end. MITM attacks are relatively uncommon in the wired Internet, since there are very few places where an attacker can insert itself between two communicating terminals and remain undetected. For wireless links, however, the situation is quite different. Man-in-the-middle attacks can be active or passive. In a passive attack, the attacker captures the data that is being transmitted, records it, and then sends it on to the original recipient without his presence being detected. In an active attack, the contents are intercepted and altered before they are sent on to the recipient. ARP poisoning ARP (Address Resolution Protocol) poisoning is a technique used to corrupt a host sarp table, allowing the hacker to redirect traffic to the attacking machine. The attackcan only be carried out when the attacker is connected to the same local network as thetarget machines.

6 Operation ARP operates by sending out ARP request packets. An ARP request broadcasts thequestion, Whose IP address is x.x.x.x? to all computers on the LAN, even on aswitched network. Each computer examines the ARP request and checks if it iscurrently assigned the specified IP. The machine with the specified IP address returns anarp reply containing its MAC address. To minimize the number of ARP packets being broadcast, operating systems keep a cache of ARP replies. When a computer receives an ARP reply, it will update its ARP cache with the new IP/MAC association.arp cache poisoning occurs when an attacker sends forged ARP replies. In this case, atarget computer could be convinced to send frames to the attacker s PC instead of thetrusted host. When done properly, the trusted host will have no idea this redirection tookplace. Here is an example of how this would work. First, the attacker would say that the router's IP address is mapped to his MAC address. Second, the victim now attempts to connect to an address outside the subnet. The victim has an ARP mapping showing that the router's IP is mapped to the hacker's MAC; therefore, the physical packets are forwarded through the switch and to the hacker. Finally, the hacker forwards the traffic onto the router. Figure 2 details this process.

7 What is IP Forwarding? MITM Attack Steps in ettercap (important) Lab 5 Overview Intrusion Detection Systems (IDS), firewalls, and honeypots areall security measures used to ensure a hacker is not able to gain access to a network or target system. An IDS and a firewall are both essentially packet filtering devices and are used to monitor traffic based upon a predefined set of rules. A honeypot is a fake target system used to lure hackers away from the more valuable targets. Definition of IDS An intrusion detection system (IDS) gathers and analyzes information from within a computer or a network, to identify possible violations of security policy IDS Types IDS can be divided into two broad categories: network-based intrusion detection systems (NIDSs) and host-based intrusion detection systems (HIDSs). Network-based intrusion detection systems (NIDSs) NIDSs examine packets on the network and look at the data in an attempt to recognize an attack. A NIDS makes use of a computer that has its NIC placed in promiscuous mode. This basically means that the NIC accepts all data packets it sees, not just the ones specifically addressed to it. If the system is operating on a

8 hub, this requires nothing more than plugging the NIDS into the hub. If a switch is being used, a port must be mirrored or spanned. This action configures the switch to direct traffic from either specific ports or a specific virtual LAN (VLAN) to the port you have specified to be used by the IDS. One advantage of a NIDS is that it can support many sensors so that the system can monitor the demilitarized zone (DMZ), the internal network, or specific nodes of the network. The disadvantage of a NIDS is that even if it can see certain types of traffic (e.g., encrypted), it doesn t mean that it knows what the traffic is actually doing. Another disadvantage of a NIDS is that it will not detect attacks against a host made by an intruder who is logged in at the host s terminal. If a network IDS along with some additional support mechanism determines that an attack is being mounted against a host, it is usually not capable of determining the type or effectiveness of the attack being launched. Some examples of a NIDS include Snort( and Cisco Intrusion Detection System. Host-based intrusion detection systems (HIDSs) HIDSs only monitor traffic on one specific system. HIDSs typically do not place the NIC in promiscuous mode, and therefore do not have to deal with the level of traffic that a NIDS would. Promiscuous mode can be CPU-intensive for an older and slower computer. HIDSs looks for unusual events or patterns that may indicate problems. HIDSs excel at detecting unauthorized accesses and activity. As an example, if a word processor starts accessing an program and is sending hundreds of s, the HIDs would be alerted. Some examples ofhidss are: Tripwire Samhain Swatch RealSecure

9 Ways to Detect an Intrusion Intrusion detection engines or techniques can be divided into two distinct types or methods: signature and anomaly. A signature-based or pattern-matching IDS relies on a database of knownattacks. These known attacks are loaded into the system as signatures. As soonas the signatures are loaded into the IDS, it can begin to guard the network.the signatures are usually given a number or name so that the administrator can easily identify an attack when it sets off an alert. Alerts can be triggered for fragmented IP packets, streams of SYN packets (DoS), or malformed ICMPpackets. The alert might be configured to change to the firewall configuration, set off an alarm, or even page the administrator. Figure 1 shows an exampleof how a signature-based IDS works. Figure 1 : Signature based IDS The biggest disadvantage of signature-based systems is that they can triggeronly on signatures that have been loaded. A new or obfuscated attack may goundetected. Snort is a good example of a signature-based IDS. Anomaly-detection systems require the administrator to make use of profiles of authorized activities or place the IDS into a learning mode so that it can learn what constitutes normal activity. Figure 2 shows this overall process. A considerable amount of time needs to be dedicated to make sure that the IDS produces few false negatives. If an attacker can slowly change his activity, over

10 time the IDS may be fooled into thinking that the new behavior is actually acceptable. Anomaly detection is good at spotting behavior that isgreatlydifferent from normal activity. As an example, if a group of users who log in only during the day suddenly start trying to login at 3 a.m., the IDS cantrigger an alert that something is wrong. Figure 2 : Anomaly based IDS Lab 6 Limitation and capabilities of firewall: A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network. A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system. A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator(nat), which maps local addresses to Internet addresses A firewall can serve as the platform for IPSec. Firewalls have their limitations, including the following: The firewall cannot protect against attacks that bypass the firewall.

11 The firewall does not protect against internal threats, such as a disgruntled employee or a employee who unwittingly cooperates with an external attacker. The firewall cannot protect against the transfer of virus-infected programs or files. Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical and perhaps impossible for the firewall to scan all incoming files, , and messages for viruses. Lab Experiment (you will have the table attached to the Quiz) Lab 7 Transferring files with Netcat + binding shells for Linux and Command Line for windows (The Commands are required)