Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?


Lab 1

Definition of sniffing: a program or device that captures vital information from the network traffic specific to a particular network.

Passive sniffing: it is called passive because it is difficult to detect. Passive sniffing means sniffing through a hub. The attacker simply connects a laptop to the hub and starts sniffing, since a hub repeats every frame to every port.

Active sniffing: sniffing through a switch. It is harder to sniff and can easily be detected, because the attacker has to inject traffic to make the switch deliver other hosts' frames to his port. Techniques for active sniffing:
- ARP (Address Resolution Protocol) spoofing
- MAC flooding

How does ARP spoofing (poisoning) work? Steps!! (The steps are worked through in the ARP poisoning section of Lab 4.)

MAC flooding: MAC flooding involves flooding the switch with numerous frames carrying forged source MAC addresses until its MAC address table is full. The switch then acts as a hub by broadcasting packets to all the machines on the network.

DHCP starvation attack: a DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses until the server's address pool is exhausted. The network attacker can then set up a rogue DHCP server on his or her system and respond to new DHCP requests from clients on the network. Since DHCP responses typically include default gateway and DNS server information, the network attacker can supply his or her own system as the default gateway and DNS server, resulting in a "man-in-the-middle" attack.

DNS poisoning techniques: DNS poisoning is a technique that tricks a DNS server into believing it has received authentic information when, in reality, it has not; as a result, it maps the wrong IP address to known domain names.

What is promiscuous mode?
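Both MAC flooding and DHCP starvation leave the same footprint on a switch port: far more distinct source MAC addresses than one access port should ever carry. The following script is an added example, not part of the lab notes or any vendor's tool; it runs the two checks a switch performs with port security and DHCP snooping over constructed sample frames. The port names, MAC addresses and thresholds are assumptions chosen for the demonstration.

```python
from collections import defaultdict

def make_mac(i):
    """Build a locally administered MAC address from an integer (constructed sample data only)."""
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)

# Constructed sample frames, not captured traffic: (switch_port, src_mac, kind).
# kind is "data" for an ordinary frame or "dhcp_discover" for a DHCPDISCOVER broadcast.
NORMAL_FRAMES = [
    ("Gi1/0/3", "00:11:22:33:44:55", "dhcp_discover"),
    ("Gi1/0/3", "00:11:22:33:44:55", "data"),
    ("Gi1/0/4", "00:11:22:33:44:66", "data"),
]
# A MAC flooding burst: 200 frames, each with a fresh forged source MAC, on one port.
FLOOD_FRAMES = [("Gi1/0/7", make_mac(i), "data") for i in range(1, 201)]
# A DHCP starvation burst: 150 DHCPDISCOVERs from 150 spoofed client MACs on one port.
STARVE_FRAMES = [("Gi1/0/9", make_mac(1000 + i), "dhcp_discover") for i in range(150)]

def distinct_macs_per_port(frames, kinds=None):
    """Map each switch port to the set of source MACs seen on it (optionally only for some frame kinds)."""
    seen = defaultdict(set)
    for port, mac, kind in frames:
        if kinds is None or kind in kinds:
            seen[port].add(mac)
    return seen

def detect_mac_flooding(frames, max_macs_per_port=20):
    """Ports carrying more distinct source MACs than an access port should ever see.
    The threshold is an assumed value; on a real switch it is the port-security
    'maximum MAC addresses' limit chosen per port."""
    seen = distinct_macs_per_port(frames)
    return sorted(port for port, macs in seen.items() if len(macs) > max_macs_per_port)

def detect_dhcp_starvation(frames, max_clients_per_port=10):
    """Ports from which more distinct client MACs sent DHCPDISCOVER than is plausible
    for one access port; the threshold is likewise an assumed value."""
    seen = distinct_macs_per_port(frames, kinds={"dhcp_discover"})
    return sorted(port for port, macs in seen.items() if len(macs) > max_clients_per_port)

if __name__ == "__main__":
    frames = NORMAL_FRAMES + FLOOD_FRAMES + STARVE_FRAMES
    print("MAC flooding suspected on:", detect_mac_flooding(frames))
    print("DHCP starvation suspected on:", detect_dhcp_starvation(frames))
```

Note that the starvation port trips the MAC-count check as well, because every spoofed DHCPDISCOVER carries a new source MAC; on a switch, a port-security limit alone would therefore already blunt both attacks, and DHCP snooping adds the second, protocol-aware check.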

Lab 2

What is a zombie scan?

Common scan types:

TCP full connect scan: this type of scan is the most reliable but also the most detectable. It is easily logged and detected because a full connection is established. Open ports reply with a SYN/ACK; closed ports respond with a RST/ACK.

TCP SYN scan: this type of scan is known as half-open, because a full TCP connection is not established. It was originally developed to be stealthy and evade IDS systems, although most now detect it. Open ports reply with a SYN/ACK; closed ports respond with a RST/ACK.

TCP FIN scan: forget trying to set up a connection; this technique jumps straight to the shutdown. This type of scan sends a FIN packet to the target port. Closed ports should send back an RST. This technique is usually effective only on Unix devices.

TCP NULL scan: sure, there should be some type of flag in the packet, but a null scan sends a packet with no flags set. If the OS has implemented TCP per RFC 793, closed ports will return an RST.

TCP XMAS scan: just a port scan that has toggled on the FIN, URG, and PSH flags. Closed ports should return an RST.

Scanned port status: the state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describes a port.

Lab 3

Footprinting, the fine art of gathering information. Footprinting is about scoping out your target of interest, understanding everything there is to know about that target and how it interrelates with everything around it, often without sending a single packet to your target.

Why is footprinting necessary? Footprinting is necessary for one basic reason: it gives you a picture of what the hacker sees. And if you know what the hacker sees, you know what potential security exposures you have in your environment.

Traceroute: idea of how it works (with figures).
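The flag combinations and response rules listed under Lab 2 are what both a scanner and a sensor watching the scanner work from. The script below is an added example, not code from the lab or from Nmap: it classifies each unsolicited probe by its TCP flags, applies the lab's response rules to derive the port state a scanner would report, and flags a source that touches many ports. The sample probes, addresses and the "five ports" threshold are constructed assumptions. A single probe cannot tell a full connect scan from a SYN scan; the difference is whether the scanner completes the handshake afterwards, which is exactly why the full connect scan ends up in application logs.

```python
from collections import defaultdict

# Constructed sample probes, not a real capture: (src_ip, dst_port, probe_flags, response).
# probe_flags is the TCP flag string the scanner sent (S=SYN, F=FIN, P=PSH, U=URG, "" = no flags).
# response is the flag string the target answered with, "icmp_unreach" for an ICMP
# unreachable message from a filter, or None when nothing came back.
SAMPLE_PROBES = [
    ("10.0.0.5", 22,   "S",   "SA"),            # SYN probe, port open
    ("10.0.0.5", 23,   "S",   "RA"),            # SYN probe, port closed
    ("10.0.0.5", 25,   "S",   None),            # SYN probe, silently dropped
    ("10.0.0.5", 80,   "FPU", None),            # XMAS probe, no reply
    ("10.0.0.5", 81,   "FPU", "R"),             # XMAS probe, RST => closed
    ("10.0.0.5", 443,  "",    "R"),             # NULL probe, RST => closed
    ("10.0.0.5", 8080, "F",   "icmp_unreach"),  # FIN probe answered by a filter
    ("10.0.0.9", 443,  "S",   "SA"),            # a single ordinary connection attempt
]

def classify_probe(flags):
    """Name the scan type from the flags of a single unsolicited probe."""
    s = set(flags)
    if not s:
        return "NULL"
    if s == {"F"}:
        return "FIN"
    if s == {"F", "P", "U"}:
        return "XMAS"
    if s == {"S"}:
        return "SYN"
    return "OTHER"

def infer_port_state(probe_type, response):
    """Apply the response rules from the lab text to derive the state a scanner would report."""
    if response == "icmp_unreach":
        return "filtered"
    if probe_type == "SYN":
        if response == "SA":
            return "open"
        if response == "RA":
            return "closed"
        if response is None:
            return "filtered"
    elif probe_type in ("FIN", "NULL", "XMAS"):
        if response == "R":
            return "closed"
        if response is None:
            # An RFC 793 stack stays silent for an open port, but a filter dropping
            # the probe looks identical, so the scanner cannot separate the two.
            return "open|filtered"
    return "unknown"

def summarize(probes):
    """One (src, port, scan type, inferred state) tuple per probe."""
    out = []
    for src, port, flags, resp in probes:
        kind = classify_probe(flags)
        out.append((src, port, kind, infer_port_state(kind, resp)))
    return out

def suspected_scanners(probes, min_ports=5):
    """Sources that touched at least min_ports distinct ports (threshold is an assumed value)."""
    ports = defaultdict(set)
    for src, port, _, _ in probes:
        ports[src].add(port)
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)

if __name__ == "__main__":
    for row in summarize(SAMPLE_PROBES):
        print(row)
    print("suspected scanners:", suspected_scanners(SAMPLE_PROBES))
```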

Lab 4

Definition of MITM: man-in-the-middle (MITM) attacks occur when the attacker manages to position himself between the legitimate parties to a conversation. The attacker spoofs the opposite legitimate party so that all parties believe they are actually talking to the expected other, legitimate parties. A MITM attack allows the attacker to eavesdrop on the conversation between the parties, or to actively intervene in the conversation to achieve some illegitimate end. MITM attacks are relatively uncommon in the wired Internet, since there are very few places where an attacker can insert itself between two communicating terminals and remain undetected. For wireless links, however, the situation is quite different.

Man-in-the-middle attacks can be active or passive. In a passive attack, the attacker captures the data that is being transmitted, records it, and then sends it on to the original recipient without his presence being detected. In an active attack, the contents are intercepted and altered before they are sent on to the recipient.

ARP poisoning: ARP (Address Resolution Protocol) poisoning is a technique used to corrupt a host's ARP table, allowing the hacker to redirect traffic to the attacking machine. The attack can only be carried out when the attacker is connected to the same local network as the target machines.

Operation: ARP operates by sending out ARP request packets. An ARP request broadcasts the question "Whose IP address is x.x.x.x?" to all computers on the LAN, even on a switched network. Each computer examines the ARP request and checks if it is currently assigned the specified IP. The machine with the specified IP address returns an ARP reply containing its MAC address. To minimize the number of ARP packets being broadcast, operating systems keep a cache of ARP replies. When a computer receives an ARP reply, it will update its ARP cache with the new IP/MAC association. ARP cache poisoning occurs when an attacker sends forged ARP replies. In this case, a target computer could be convinced to send frames to the attacker's PC instead of the trusted host. When done properly, the trusted host will have no idea this redirection took place.

Here is an example of how this would work. First, the attacker would say that the router's IP address is mapped to his MAC address. Second, the victim now attempts to connect to an address outside the subnet. The victim has an ARP mapping showing that the router's IP is mapped to the hacker's MAC; therefore, the physical packets are forwarded through the switch and to the hacker. Finally, the hacker forwards the traffic onto the router. Figure 2 details this process.
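The two things a defender can see in the exchange just described are a reply that no request asked for and a known IP address suddenly answering from a different MAC. The monitor below is an added example, not code from the lab notes or from a tool such as arpwatch; it replays a constructed ARP exchange in which the router's IP is legitimately answered once and then claimed by a second, forged reply. The addresses and the `ArpMonitor`/`run_monitor` names are assumptions for the demonstration.

```python
# Constructed ARP exchange, not a capture: (op, sender_ip, sender_mac, target_ip).
# The router 192.168.1.1 legitimately answers from 00:50:56:00:00:01; the last packet is
# a forged reply claiming the router's IP for a different (attacker-controlled) MAC.
SAMPLE_ARP = [
    ("request", "192.168.1.10", "00:0c:29:aa:bb:cc", "192.168.1.1"),
    ("reply",   "192.168.1.1",  "00:50:56:00:00:01", "192.168.1.10"),
    ("request", "192.168.1.10", "00:0c:29:aa:bb:cc", "192.168.1.20"),
    ("reply",   "192.168.1.20", "00:0c:29:dd:ee:ff", "192.168.1.10"),
    ("reply",   "192.168.1.1",  "02:de:ad:be:ef:01", "192.168.1.10"),  # forged
]

class ArpMonitor:
    """Watch ARP traffic on one segment and raise alerts on the two poisoning symptoms
    the lab describes: a reply nobody asked for, and an IP whose MAC suddenly changes."""

    def __init__(self, static_map=None):
        # IP -> MAC learned from replies; static entries (e.g. the gateway) can be pinned up front.
        self.table = dict(static_map or {})
        # (requester_ip, asked_for_ip) pairs with a request seen but no reply yet.
        self.pending = set()
        self.alerts = []

    def observe(self, op, sender_ip, sender_mac, target_ip):
        if op == "request":
            self.pending.add((sender_ip, target_ip))
            return
        # A reply from sender_ip to target_ip answers the request in which target_ip asked for sender_ip.
        key = (target_ip, sender_ip)
        if key in self.pending:
            self.pending.discard(key)
        else:
            self.alerts.append(("unsolicited_reply", sender_ip, sender_mac))
        known = self.table.get(sender_ip)
        if known is None:
            self.table[sender_ip] = sender_mac
        elif known != sender_mac:
            # Keep the first (or pinned) binding rather than overwriting it, and alert.
            self.alerts.append(("mac_change", sender_ip, known, sender_mac))

def run_monitor(packets, static_map=None):
    """Feed every packet to a fresh monitor; return the learned table and the alerts raised."""
    monitor = ArpMonitor(static_map)
    for packet in packets:
        monitor.observe(*packet)
    return monitor.table, monitor.alerts

if __name__ == "__main__":
    table, alerts = run_monitor(SAMPLE_ARP)
    print("learned table:", table)
    for alert in alerts:
        print("ALERT:", alert)
```

A genuine NIC replacement or a DHCP lease moving to another machine also changes a mapping, and gratuitous ARP sent at boot is unsolicited by design, so both alerts are signals to investigate rather than proof of an attack. The host-side monitor is a detection aid; the robust fix lives on the switch, where Dynamic ARP Inspection checks every reply against the DHCP snooping binding table and drops the forged ones.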

What is IP forwarding?

MITM attack steps in ettercap (important).

Lab 5

Overview: intrusion detection systems (IDS), firewalls, and honeypots are all security measures used to ensure a hacker is not able to gain access to a network or target system. An IDS and a firewall are both essentially packet filtering devices and are used to monitor traffic based upon a predefined set of rules. A honeypot is a fake target system used to lure hackers away from the more valuable targets.

Definition of IDS: an intrusion detection system (IDS) gathers and analyzes information from within a computer or a network to identify possible violations of security policy.

IDS types: IDS can be divided into two broad categories: network-based intrusion detection systems (NIDSs) and host-based intrusion detection systems (HIDSs).

Network-based intrusion detection systems (NIDSs): NIDSs examine packets on the network and look at the data in an attempt to recognize an attack. A NIDS makes use of a computer that has its NIC placed in promiscuous mode. This basically means that the NIC accepts all data packets it sees, not just the ones specifically addressed to it. If the system is operating on a hub, this requires nothing more than plugging the NIDS into the hub. If a switch is being used, a port must be mirrored or spanned. This action configures the switch to direct traffic from either specific ports or a specific virtual LAN (VLAN) to the port you have specified to be used by the IDS.

One advantage of a NIDS is that it can support many sensors, so that the system can monitor the demilitarized zone (DMZ), the internal network, or specific nodes of the network. The disadvantage of a NIDS is that even if it can see certain types of traffic (e.g., encrypted), it doesn't mean that it knows what the traffic is actually doing. Another disadvantage of a NIDS is that it will not detect attacks against a host made by an intruder who is logged in at the host's terminal. If a network IDS, along with some additional support mechanism, determines that an attack is being mounted against a host, it is usually not capable of determining the type or effectiveness of the attack being launched. Some examples of a NIDS include Snort (www.snort.org) and Cisco Intrusion Detection System.

Host-based intrusion detection systems (HIDSs): HIDSs only monitor traffic on one specific system. HIDSs typically do not place the NIC in promiscuous mode, and therefore do not have to deal with the level of traffic that a NIDS would. Promiscuous mode can be CPU-intensive for an older and slower computer. HIDSs look for unusual events or patterns that may indicate problems. HIDSs excel at detecting unauthorized accesses and activity. As an example, if a word processor starts accessing an email program and is sending hundreds of emails, the HIDS would be alerted. Some examples of HIDSs are:
- Tripwire
- Samhain
- Swatch
- RealSecure

Ways to detect an intrusion: intrusion detection engines or techniques can be divided into two distinct types or methods: signature and anomaly.

A signature-based or pattern-matching IDS relies on a database of known attacks. These known attacks are loaded into the system as signatures. As soon as the signatures are loaded into the IDS, it can begin to guard the network. The signatures are usually given a number or name so that the administrator can easily identify an attack when it sets off an alert. Alerts can be triggered for fragmented IP packets, streams of SYN packets (DoS), or malformed ICMP packets. The alert might be configured to change the firewall configuration, set off an alarm, or even page the administrator. Figure 1 shows an example of how a signature-based IDS works.

Figure 1: Signature-based IDS

The biggest disadvantage of signature-based systems is that they can trigger only on signatures that have been loaded. A new or obfuscated attack may go undetected. Snort is a good example of a signature-based IDS.

Anomaly-detection systems require the administrator to make use of profiles of authorized activities or place the IDS into a learning mode so that it can learn what constitutes normal activity. Figure 2 shows this overall process. A considerable amount of time needs to be dedicated to make sure that the IDS produces few false negatives. If an attacker can slowly change his activity, over time the IDS may be fooled into thinking that the new behavior is actually acceptable. Anomaly detection is good at spotting behavior that is greatly different from normal activity. As an example, if a group of users who log in only during the day suddenly start trying to log in at 3 a.m., the IDS can trigger an alert that something is wrong.

Figure 2: Anomaly-based IDS

Lab 6

Limitations and capabilities of a firewall: a firewall defines a single choke point that keeps unauthorized users out of the protected network and prohibits potentially vulnerable services from entering or leaving the network. A firewall provides a location for monitoring security-related events; audits and alarms can be implemented on the firewall system. A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator (NAT), which maps local addresses to Internet addresses. A firewall can serve as the platform for IPsec.

Firewalls have their limitations, including the following:
- The firewall cannot protect against attacks that bypass the firewall.

- The firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
- The firewall cannot protect against the transfer of virus-infected programs or files. Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical and perhaps impossible for the firewall to scan all incoming files, e-mail, and messages for viruses.

Lab experiment (you will have the table attached to the quiz).

Lab 7

Transferring files with Netcat, plus binding shells for Linux and the command line for Windows (the commands are required).
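Returning to the two detection methods described under Lab 5, the script below is an added example (not code from the lab notes or from Snort) that puts both side by side. The signature half loads named rules for the alert triggers the text lists (fragmented IP, a stream of SYN packets, malformed ICMP) and runs them over constructed packet records; the anomaly half learns a login-hour profile and flags the 3 a.m. login from the text. Rule names, thresholds, the "oversized" definition of a malformed ICMP packet, and all sample data are assumptions. It goes one step beyond the text by showing the countermeasure to the slow-drift problem: only unflagged activity is allowed to update the baseline.

```python
from collections import defaultdict

# --- Signature side -------------------------------------------------------
# Constructed packet records, not a capture: timestamp in seconds, source IP,
# protocol, and the fields the rules below inspect.
SAMPLE_PACKETS = (
    [{"ts": 0.1, "src": "10.1.1.2", "proto": "tcp", "flags": "S"}]
    + [{"ts": 1.0 + i * 0.005, "src": "10.9.9.9", "proto": "tcp", "flags": "S"} for i in range(150)]
    + [{"ts": 2.0, "src": "10.1.1.3", "proto": "ip", "frag_offset": 1480, "more_fragments": False},
       {"ts": 2.5, "src": "10.1.1.4", "proto": "icmp", "type": 8, "length": 60},
       {"ts": 2.6, "src": "10.1.1.5", "proto": "icmp", "type": 8, "length": 4000}]
)

# Signature rules as (name, predicate). Names and thresholds are assumed, not Snort's.
SIGNATURES = [
    ("fragmented-ip", lambda p: p.get("frag_offset", 0) > 0 or p.get("more_fragments", False)),
    ("oversized-icmp", lambda p: p.get("proto") == "icmp" and p.get("length", 0) > 1500),
]

def signature_alerts(packets, signatures=SIGNATURES):
    """Every (rule name, packet index) where a loaded signature matched."""
    return [(name, i) for i, p in enumerate(packets) for name, match in signatures if match(p)]

def syn_flood_sources(packets, window_s=1.0, threshold=100):
    """Sources sending more than `threshold` bare SYNs inside one `window_s` bucket."""
    buckets = defaultdict(int)
    for p in packets:
        if p.get("proto") == "tcp" and p.get("flags") == "S":
            buckets[(p["src"], int(p["ts"] // window_s))] += 1
    return sorted({src for (src, _), n in buckets.items() if n > threshold})

# --- Anomaly side ---------------------------------------------------------
def build_login_profile(training_logins):
    """Learn each user's set of login hours from a training period assumed to be clean."""
    profile = defaultdict(set)
    for user, hour in training_logins:
        profile[user].add(hour)
    return profile

def is_anomalous_login(profile, user, hour, tolerance_h=1):
    """A login is anomalous if the user has never logged in within tolerance_h of that hour."""
    hours = profile.get(user)
    if not hours:
        return True  # unknown user: there is no baseline to compare against
    return all(abs(hour - h) > tolerance_h for h in hours)

def update_profile(profile, user, hour, flagged):
    """Only unflagged activity feeds back into the baseline, so an attacker cannot drag
    'normal' toward 3 a.m. by logging in a little earlier every night."""
    if not flagged:
        profile[user].add(hour)

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(SAMPLE_PACKETS))
    print("SYN flood sources:", syn_flood_sources(SAMPLE_PACKETS))
    profile = build_login_profile([("alice", h) for h in range(9, 18)])
    for hour in (10, 18, 3):
        flagged = is_anomalous_login(profile, "alice", hour)
        update_profile(profile, "alice", hour, flagged)
        print("alice login at %02d:00 anomalous: %s" % (hour, flagged))
```

The signature rules are cheap and precise but blind to anything not loaded, which is the weakness the text names; the anomaly profile catches the unseen 3 a.m. login but needs a clean training period and a rule for when the baseline may learn, otherwise the slow drift the text warns about becomes the attacker's way in.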