Secure Communications Over a Network

Similar documents
CIT 380: Securing Computer Systems. Network Security Concepts

Jackson State University Department of Computer Science CSC 437/539 Computer Security Fall 2013 Instructor: Dr. Natarajan Meghanathan

Expedition. Hardening Guide Version Palo Alto Networks, Inc.

How to Stay Safe on Public Wi-Fi Networks

To see how ARP (Address Resolution Protocol) works. ARP is an essential glue protocol that is used to join Ethernet and IP.

CS 4351/5352 Computer Security, assignment 4. Due date: Sunday, May 18, noon.

COMP 2000 W 2012 Lab no. 3 Page 1 of 11

Chapter 2. Switch Concepts and Configuration. Part II

Manage Mobile Security Incidents Like A Boss

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

MQ Jumping... Or, move to the front of the queue, pass go and collect 200

Security Handshake Pitfalls

Wireless Security Algorithms

CPSC 467: Cryptography and Computer Security

Post Connection Attacks

AN INTRODUCTION TO ARP SPOOFING

Stunnel Guide for Trevance 19 April 2017

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

Endian Proxy / Firewall

ETHICAL HACKING LAB SERIES. Lab 13: Exploitation with IPv6

Hacking Wireless Networks by data

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Linux Local Security about Passwords and Data NZPAPER.BLOGSPOT.COM. Nz Paper Linux and Web Application Security. Zeeshan Khan 4/15/2013

VPN-against-Firewall Lab: Bypassing Firewalls using VPN

Setting up the Apache Web Server

COMPUTER NETWORKS. CPSC 441, Winter 2016 Prof. Mea Wang Department of Computer Science University of Calgary

Managing Certificates

COMP2330 Data Communications and Networking

Computer Security II Lab Network Security

ETHICAL HACKING LAB SERIES. Lab 19: Using Certificates to Encrypt

Wireless Setup Instructions

Man in the middle. Bởi: Hung Tran

This document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management).

Linux Network Administration

Computer Security Spring Assignment 4. The purpose of this assignment is to gain experience in network security and network attacks.

Project 3: Network Security

Gns3 You Must Use 'manual Mode' To Connect A Link

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

If you prefer to use your own SSH client, configure NG Admin with the path to the executable:

Crypto Programming with OpenSSL. (Creating Certificates)

InterWorx Server Administrator SSH Guide. by InterWorx LLC

Defeating All Man-in-the-Middle Attacks

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Agility2018-TCPdump Documentation

CPSC 467b: Cryptography and Computer Security

HW/Lab 4: IPSec and Wireless Security. CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday)

Practical Magic with SSH. By David F. Skoll Roaring Penguin Software Inc. 1 February

Public-Key Infrastructure (PKI) Lab

P-792H v2. G.SHDSL.bis Broadband Gateway DEFAULT LOGIN DETAILS. Version 3.70 Edition 1, 04/2010

Operating Systems Design Exam 3 Review: Spring 2011

Advanced option settings on the command line. Set the interface and ports for the OpenVPN daemons

Introduction to Linux and security tools

Contents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3. Obtaining A Signed Certificate 4

IERG Term 2 Tutorial 9

Lab #4 TECH 4281 Spring 2015

Server Certificate Validation

LAN Setup Reflection

Accessing an Extremely Secure LAN Via Remote Access That Was Not Possible With Previous Technologies

Laboration 2 Troubleshooting Switching and First-Hop Redundancy

FileWave 10 Webinar Q&A

Lab Exercise Protocol Layers

The trace is here:

Lab Configure Basic AP Security through IOS CLI

WIRELESS EVIL TWIN ATTACK

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

SSL Custom Application

LAN Setup Reflection. Ask yourself some questions: o Does your VM have the correct IP? o Are you able to ping some locations, internal and external?

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Securing A Basic HTCondor Pool

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

1. Which network design consideration would be more important to a large corporation than to a small business?

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Introduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Release Date: October 27, 2017

Web Servers and Security

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks

Man In The Middle Project completed by: John Ouimet and Kyle Newman

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. June 18, 2015

Instituto Superior Técnico, Universidade de Lisboa Network and Computer Security. Lab guide: Traffic analysis and TCP/IP Vulnerabilities

Problem Set 10 Due: Start of class December 11

Lab #9: Basic Linux Networking

CS 716: Introduction to communication networks. Instructor: Sridhar Iyer Demo by: Swati Patil IIT Bombay

HW/Lab 3: SSL/TLS. CS 336/536: Computer Network Security DUE 11am on Nov 10 (Monday)

Capture The Flag Challenge Prep Class

Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Symbolic Links 4. Deploy A Firewall 5

ch02 True/False Indicate whether the statement is true or false.

Case Studies, Lessons Learned. Ing. Tijl Deneut Lecturer Applied Computer Sciences Howest Researcher XiaK, Ghent University

Assignment 2 TCP/IP Vulnerabilities

Network sniffing packet capture and analysis

Analysis of OpenFlow Networks.

Table of Contents. Keyspan:USB Server - User Manual

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

14. Configuring Telnet in Knoppix

Advanced iscsi Management April, 2008

ELEC5616 COMPUTER & NETWORK SECURITY

DKT 224/3 LAB 2 NETWORK PROTOCOL ANALYZER DATA COMMUNICATION & NETWORK SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK

Transcription:

Secure Communications Over a Network Course: MITS:5400G Proffessor: Dr. Xiaodong Lin By: Geoff Vaughan 100309160 March 20th 2012

Abstract The purpose of this experiment is to transmit an encrypted message over a network without the message being able to be read by anyone sniffing the network. For this experiment I will first demonstrate the message being transmitted without encryption, while sniffing the packets to prove that the communication could be intercepted. In the second situation I will set up secure channel to pass my message through using Stunnel. Stunnel uses SSL encryption to route the normal communication ports through its own communications first. The diagram bellow is a good demonstration of how the communication takes place. Image Source: Secure Communication with Stunnel, 2010, Xiaodong Lin,UOIT

System Setup To perform these experiments you need two computers that are accessible through a network. Although it is possible to run this experiment with any 2 computers connected to the Internet it is certainly easier if you have two computers on a local area network. For my setup I used 2 virtual machines running on top of my Mac OS. One of the VM s was running Backtrack and the other was using SELinux. I chose these distributions of Linux as they were known to already have many of the packages and libraries I needed already installed and I already had these VM s set up on my machine. For anyone repeating this experiment I would recommend using 2 VM s running Backtrack as it was just a little easier to setup Backtrack then SELinux. In SELinux I had to chmod a couple file permissions or run as root in order to be allowed to bind to some of the ports I needed. Although my entire setup is running in a Linux environment it is also possible to run this on a windows system or between windows and Linux machines. It just requires a little bit different system setup. Libraries and Software needed OpenSSL - to create your private key and public key certificates Telnet - Installed on one machine (the client) to connect to the other computer Netcat - Installed on the other machine (the server) to listen for the connection request from the first computer Stunnel - Installed on both machines Wireshark - Installed on at least one machine or setup so that it can hear the whole network from a third machine.

Procedures Experiment 1 Establishing an Open Communication Line Between Two Computers 1. First ensure that both machines are properly connected to the local area network. In the virtual machines you need to make sure that network connection is properly bridged or using the host machines network card properly. On the Server (machine 1) 2. From a terminal window ifconfig to get the local IP address and make note of it. The local IP of my server was 192.168.139.128 3. Setup the server to listen on a particular port and wait for a connection using Netcat netcat -l -p 3333 //Sets up sever to listen on port 3333 -l sets up Netcat in listening mode -p assigns Netcat to port 3333 to listen on when its waiting you should just see a cursor flashing

On the Client (machine 2) 4. From a terminal window connect to the server IP address and Port that it is listening on: telnet 192.168.139.128 3333 //connects to ip of server on port 3333 5. Send a greeting message to the server and press enter Hello server how are you today? When you press enter the text should appear on the server Now that this is set up we are free to send messages back and forth between the two computers. What we want to do next is prove that these communications are insecure and could be read by listening in on the line.

Setting up Wireshark to Capture the communication In a typical attack scenario an attacker would likely be listening in from a third computer. This is very easily done over an insecure wireless network however it can be a little more challenging over a wired network or secure wireless system. In these environments the attacker might first need to attack the router with some form of man-in-the middle attack to convince the router to send the packets through to the attackers machine. Although this isn t really that hard its not really the point of this exercise. For this reason I am simply going to set up Wireshark on one of the devices to listen to all the packets between it and the other computer. On my system I was running Wireshark on the server VM. 6. In another window launch Wireshark. From a terminal type: wireshark & 7. Setup Wireshark to start capturing on eth0 or whatever network device you are using. You may be prompted for an admin password on your host machine as you are trying to operate the network adapter in promiscuous mode which requires root privileges. Depending on your Internet traffic you may want to filter down to specific packets between the two computers. When we inspect one of the communications packets we can very clearly see that the message is easy to read in plan text. This proves that the communication being transmitted across this network is insecure.

Experiment 2 Passing an encrypted message through Stunnel In this experiment we are going to encrypt the messages from the previous experiment and monitor the network to ensure that they cannot be intercepted. On Server 1. Generating a private key and public key certificate on the server. Here we are going to use openssl to generate a certificate that we can use to pass to the client so that they can encrypt their messages and send it to us. Use the following openssl command to generate a certificate. You may need to change some of the directories around. Also you will be prompted to input a bunch of information about your company and locations. Just fill out the fields and the certificate will be generated. openssl req -new -x509 -days 365 -nodes -key /root/desktop/ mykey.pem -keyout /root/desktop/mykey2.pem My key and certificate looks like this. 2. Continuing on the server this step needs to be done in order. In a new terminal window setup Netcat to listen on port 8080 with the following command: netcat -l -p 8080 3. With Netcat running in the background we now need to setup Stunnel to take any data it reads off port 8080 and encrypt it and transmit it through port 7777. Stunnel also needs to listen on port 7777 for any computers that are going to connect to it. If a computer is trying

to connect to Stunnel it will reply with its certificate so that the client knows how to encrypt its communications. When the communications come through Stunnel will then decrypt them and forward them to port 8080. In order for Stunnel to know how to do all this it needs to be configured properly. This is done in a configuration file. The Stunnel config file needs to know the location of the certificate, what service and port to listen for, and what port to accept traffic on. Bellow are all the lines I used in my config file. cert =/root/desktop/stunnel.pem #location of private key and certificate debug = 7 #so you can see more stunnel outputs foreground = yes #so it runs in terminal [netcat] #service name to pipe connect = 127.0.0.1:8080 #address that netcat will connect to accept = 7777 #port to listen on for communications 4. With the config file and OpenSSL certificate in place, and Netcat already listening to port 8080 its time to launch Stunnel. Use the following command to launch Stunnel on the server from the directory where the stunnelserver.conf is located. stunnel stunnelserver.conf In debug mode you get a lot of status information but it can be really helpful troubleshooting problems if you run into any. In the image bellow you can see I have Netcat listening with Stunnel running. I also have Wireshark capturing in the background but its not visible in this image.

On Client Similarly on the client we also need to configure Stunnel to listen to a particular port then encrypt and transmit its information to the server. The only thing that is different on the server is that we don t need to generate a certificate. In this situation however you are telling Stunnel which port to expect communications on from Telnet and where on the network to forward that communication which in this case is on the server machine. 5. Setup Stunnel config file (stunnel.conf) for the client as followed: client = yes #specifies client mode debug = 7 #displays connection info for troubleshooting foreground =yes #so you can see it running in current terminal [telnet] #specifies the service name you will run accept=127.0.0.1:7070 #the local port for telnet to connect to connect=192.168.139.128:7777 #specifies the socket that you want to connect to 6. Once you have setup a configuration file, this time you need to initiate Stunnel before you try and connect with telnet. Use: stunnel stunnel.conf 7. With Stunnel running you can now Telnet to Stunnel s listening port (7070) and it will forward it to the server after encrypting it. telnet 127.0.0.1 7070 In the image bellow you can see the the client with Stunnel running and connected to the server via telnet.

Wireshark Having captured all communications on Wireshark we can now have a look to see if we are able to read any of the messages that were passed. The following image is a screen shot from Wireshark showing the message being sent from the client to the server. Judging by the fact that you cannot read anything in the data then it is safe to conclude that the message is encrypted. Conclusions In the first experiment I was able to demonstrate that communicating over an unencrypted method leaves your messages vulnerable to interception. I should also mention that many email servers traditionally operate in an unencrypted environment leaving your mail traffic open to interception. Using OpenSSL and Stunnel I was able to demonstrate how your communication can be protected using encryption and what an attacker might see if they tried to monitor your network activity.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback