Review For Exam 1
(February 8, 2012)
© Abdou Illia – Spring 2012
Introduction to Systems Security
Systems attackers
Hacking: intentional access without authorization or in excess of authorization
Elite Hackers
Characterized by technical expertise and dogged persistence, not just a bag of tools
Use attack scripts to automate actions, but this is not the essence of what they do
Could hack to steal info, to do damage, or just to prove their status
Attackers
Elite Hackers
Script Kiddies
Virus writers & releasers
Corporate employees
Cyber vandals
Cyber terrorists
Systems attackers
Elite Hackers (cont.)
Black hat hackers break in for their own purposes
White hat hackers can mean multiple things
Strictest: Hack only by invitation as part of vulnerability testing
Some hack without permission but report vulnerabilities (not for pay)
Ethical hackers
Hired by organizations to perform hacking activities in order to
Test the performance of systems’ security
Develop/propose solutions
Systems attackers
Script Kiddies
“Kids” that use pre-written attack scripts (kiddie scripts)
Called “lamers” by elite hackers
Their large number makes them dangerous
Noise of kiddie script attacks masks more sophisticated attacks
Systems attackers
Virus Writers and Releasers
Virus writers versus virus releasers
Writing virus code is not a crime
Only releasing viruses is punishable
Systems attackers
Cyber vandals: Use networks to harm companies’ IT infrastructure
Could shut down servers, slow down eBusiness systems
Cyber warriors: Massive attacks* by governments on a country’s IT infrastructure
Cyber terrorists: Massive attacks* by nongovernmental groups on a country’s IT infrastructure
Hacktivists: Hacking for political motivation
* Multi-pronged attacks: release virus, active hacking, attacking Internet routers, etc.
Framework for Attacks
Attacks
  Physical Access Attacks: Wiretapping, Server Hacking, Vandalism
  Dialog Attacks: Eavesdropping, Impersonation, Message Alteration
  Penetration Attacks:
    Social Engineering: Opening Attachments, Password Theft, Information Theft
    Scanning (Probing)
    Break-in
    Denial of Service
  Malware: Viruses, Worms
Dialog attack: Eavesdropping
Diagram (recovered from slide): Client PC (Bob) and Server (Alice) exchange a dialog (“Hello”); the attacker (Eve) intercepts and reads the messages.
Intercepting confidential messages being transmitted over the network
Dialog attack: Message Alteration
Diagram (recovered from slide): Client PC (Bob) and Server (Alice) exchange a dialog; the attacker (Eve) intercepts and alters messages, e.g. “Balance = $1” becomes “Balance = $1,000,000”.
Intercepting confidential messages and modifying their content
Dialog attack: Impersonation
Diagram (recovered from slide): The attacker (Eve) tells the Server (Alice) “I’m Bob”; the server answers “Hi! Let’s talk.” and the attacker obtains Bob’s access to the server’s resources (resource access control is defeated).
Break-in and Dialog attacks: Security Goal
If eavesdropping or message alteration attacks succeeded, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company’s licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Confidentiality = Main goal in implementing defense systems against eavesdropping and message alteration.
Security Goals
Three main security goals (CIA):
Confidentiality of communications and proprietary information
Integrity of corporate data
Availability of network services and resources
Brute-force password cracking
Try all possible character combinations
Longer passwords take longer to crack
Combining types of characters makes cracking harder
Alphabetic, no case (26 possibilities)
Alphabetic, case (52)
Alphanumeric (letters and numbers) (62)
All keyboard characters (~80)
Compare: dictionary cracking vs. hybrid cracking (next slide)
Figure 2-3: Password Length
Number of possible passwords (N^L) for password length L and character-set size N:

Length L   Alphabetic, no case   Alphabetic, case   Alphanumeric (letters & digits)   All keyboard characters
           (N=26)                (N=52)             (N=62)                            (N=~80)
1          26                    52                 62                                80
2 (N^2)    676                   2,704              3,844                             6,400
4 (N^4)    456,976               7,311,616          14,776,336                        40,960,000
6          308,915,776           19,770,609,664     56,800,235,584                    2.62144E+11
8          2.08827E+11           5.34597E+13        2.1834E+14                        1.67772E+15
10         1.41167E+14           1.44555E+17        8.39299E+17                       1.07374E+19
Q: Your password policy is: (a) the password must be 6 characters long, (b) the password should include only decimal digits and lower-case alphabetic characters. What is the maximum number of passwords the attacker would have to try in order to crack a password in your system?
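As an added worked example (not from the slides), the following Python reproduces Figure 2-3 from N^L and evaluates the policy in the question above; the policy_space parameters, the cumulative count and the constructed guess rate in seconds_to_exhaust are my additions.

```python
# Character-set sizes used in the slide's Figure 2-3
CHARSETS = {
    "alphabetic, no case": 26,
    "alphabetic, case": 52,
    "alphanumeric": 62,
    "all keyboard characters": 80,
}

def password_space(n: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from n symbols (N^L)."""
    return n ** length

def cumulative_space(n: int, max_length: int) -> int:
    """Passwords of every length 1..max_length: the worst-case work for a brute-force
    run that tries short candidates first (an addition to the slide's per-length table)."""
    return sum(n ** L for L in range(1, max_length + 1))

def figure_2_3(lengths=(1, 2, 4, 6, 8, 10)) -> dict:
    """Reproduce the table: {charset name: [N^L for each L in lengths]}."""
    return {name: [password_space(n, L) for L in lengths] for name, n in CHARSETS.items()}

def policy_space(length: int, digits: bool = True, lower: bool = True,
                 upper: bool = False, symbols: int = 0) -> int:
    """Worst-case guesses for a fixed-length policy built from the allowed character
    classes; `symbols` is the number of extra punctuation characters permitted."""
    n = 10 * int(digits) + 26 * int(lower) + 26 * int(upper) + symbols
    return password_space(n, length)

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try the whole space at a guess rate (the rate is a constructed assumption)."""
    return space / guesses_per_second

# The slide's policy question: exactly 6 characters, digits and lower-case letters only (N = 36)
QUESTION_SPACE = policy_space(6)
</test>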
Dictionary and Hybrid cracking
Dictionary cracking (also called dictionary attack)
Try common words (“password”, “ouch”, etc.)
There are only a few thousand of these
Cracked very rapidly
Hybrid cracking (also called hybrid attack)
Used when dictionary cracking fails
Common word with one or a few digits at the end, etc.
Basic Terminology
Accidental association: Wireless device latching onto a neighboring Access Point when turned on. The user may not even notice the association
Malicious association: Intentionally setting a wireless device to connect to a network; installing rogue wireless devices to collect corporate info
War driving: Driving around looking for weak or unprotected WLANs
IEEE 802.11 WLAN standards

                         802.11b        802.11a      802.11g        802.11n*
Unlicensed band          2.4 GHz        5 GHz        2.4 GHz        2.4 GHz or 5 GHz
Rated speed              ≤ 11 Mbps      ≤ 54 Mbps    ≤ 54 Mbps      ≤ 300 Mbps
Range (indoor/outdoor)   35 m/100 m     25 m/75 m    25 m/75 m      50 m/125 m
# of channels            3              12           13             14
* Under development

Frequency spectrum (0 Hz to infinity):
AM radio service band: 535 kHz-1705 kHz (AM radio channels have a 10 kHz bandwidth)
FM radio service band: 88 MHz-108 MHz (FM radio channels have a 200 kHz bandwidth)
802.11b WLAN: 2.4 GHz-2.4835 GHz
802.11g uses the Orthogonal Frequency Division Multiplexing (OFDM) modulation scheme to achieve higher speed than 802.11b
Service band 2.4 - 2.4835 GHz divided into 13 channels
Each channel is 22 MHz wide; channels spaced 5 MHz apart
Channel 1 centered on 2412 MHz; Channel 13 centered on 2472 MHz
Transmissions spread across multiple channels
802.11b and 802.11g devices use only Channels 1, 6, 11 to avoid transmission overlap.
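Added example (not part of the slides): Python that models the slide's channel plan (22 MHz wide, 5 MHz apart, channel 1 at 2412 MHz) and derives which channels can coexist without overlap. The greedy selection and the overlap_report helper are my own construction, not something the slide describes.

```python
# Constructed from the slide's figures for the 2.4 GHz band
CHANNEL_WIDTH_MHZ = 22
CHANNEL_SPACING_MHZ = 5
CHANNEL_1_CENTER_MHZ = 2412

def center_mhz(channel: int) -> int:
    """Center frequency of 802.11b/g channel 1..13 (the slide's 13-channel numbering)."""
    if not 1 <= channel <= 13:
        raise ValueError("channel must be between 1 and 13")
    return CHANNEL_1_CENTER_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)

def overlaps(a: int, b: int) -> bool:
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ

def non_overlapping_set(channels=range(1, 14)) -> list:
    """Greedy pick, lowest channel first, of channels that do not overlap each other."""
    chosen = []
    for ch in channels:
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen

def overlap_report(in_use) -> list:
    """Pairs of configured channels (e.g. from a site survey) that interfere with each other."""
    return [(a, b) for i, a in enumerate(in_use) for b in in_use[i + 1:] if overlaps(a, b)]
```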
802.11 Wireless LAN (WLAN) Security
Basic Operation:
Main wired network for servers (usually 802.3 Ethernet)
Wireless stations with wireless NICs
Access points for spreading service across the site
Access points are internetworking devices that link 802.11 LANs to 802.3 Ethernet LANs
802.11 Wireless LAN operation
802.11 refers to the IEEE Wireless LAN standards
Diagram (recovered from slide): Notebook with PC Card wireless NIC → (1) 802.11 frame containing the packet → Access Point → (2) 802.3 frame containing the packet → Ethernet Switch → (3) Server; a wired Client PC also hangs off the switch.
802.11 Wireless LAN operation
Diagram (recovered from slide): the same Notebook → Access Point → Ethernet Switch → Server path, with the 802.11 frame on the wireless hop and the 802.3 frame on the wired hop.
1. If the AP is 802.11n-compliant, it could communicate with the notebook even if the notebook has an 802.11a NIC. T F
2. The Wireless AP needs to have an 802.3 interface. T F
3. The switch needs to have at least one wireless port. T F
4. How many layers should the Wireless AP have to perform its job?
Summary Question (1)
Which of the following is among Wireless Access Points’ functions?
a) Convert electric signal into radio wave
b) Convert radio wave into electric signal
c) Forward messages from wireless stations to devices in a wired LAN
d) Forward messages from one wireless station to another
e) All of the above
f) Only c and d
MAC Filtering
The Access Point could be configured to only allow mobile devices with specific MAC addresses
Today, attack programs exist that could sniff MAC addresses, and then spoof them
Diagram (recovered from slide): MAC Access Control List on the Access Point, with the illustrative entries printed on the slide:
O9-2X-98-Y6-12-TR
10-U1-7Y-2J-6R-11
U1-E2-13-6D-G1-90
01-23-11-23-H1-80
…
IP Address Filtering
The Access Point could be configured to only allow mobile devices with specific IP addresses
Attacker could get an IP address by guessing based on the company’s range of IP addresses, or by sniffing IP addresses
Diagram (recovered from slide): IP Address Access Control List on the Access Point:
139.67.180.1/24-139.67.180.30/24
139.67.180.75
139.67.180.80
139.67.180.110
…
SSID: Apparent 802.11 Security
Service Set Identifier (SSID)
It’s a “Network name” of up to 32 characters
Access Points come with a default SSID. Example: “tsunami” for Cisco or “linksys” for Linksys
All Access Points in a WLAN have the same SSID
Mobile devices must know the SSID to “talk” to the access points
SSID frequently broadcast by the access point for ease of discovery
SSIDs in frame headers are transmitted in clear text
SSID broadcasting could be disabled but it’s a weak security measure
Sniffer programs (e.g. Kismet) can find SSIDs easily
Wired Equivalent Privacy (WEP)
Standard originally intended to make wireless networks as secure as wired networks
With WEP, mobile devices need a key used with an Initialization Vector to create a traffic key
Typical WEP key length: 40-bit, 128-bit, 256-bit
WEP key is shared by mobile devices and Access Points
Problems: shared keys create a security hole
WEP is not turned on by default
WEP authentication process
1. Wireless station sends authentication request to AP
2. AP sends back a 128-bit challenge text in plaintext
3. Wireless station encrypts challenge text with its WEP key and sends result to AP
4. AP regenerates the WEP key from the received result, then compares it to its own WEP key
5. AP sends a success or failure message
Open Source WEP cracking software: aircrack-ng, weplab, WEPCrack, airsnort
802.11i and Temporal Key Integrity Protocol (TKIP)
In 2004, the IEEE 802.11 working group developed a security standard called 802.11i to be implemented in 802.11 networks.
802.11i tightens security through the use of the Temporal Key Integrity Protocol (TKIP)
TKIP can be added to existing APs and NICs
TKIP uses a 128-bit key (that changes) for WEP encryption.
Using an Authentication server or Wi-Fi Protected Access (WPA)
Diagram (recovered from slide): Applicant (Lee) → Access Point → RADIUS Server / WAP Gateway → Directory Server or Kerberos Server
1. Authentication request (Applicant to Access Point)
2. Access Point passes on the request to the RADIUS Server
3. RADIUS Server gets User Lee’s data (optional; the RADIUS Server may store authentication data itself)
4. Accept applicant, Key = XYZ (RADIUS Server to Access Point)
5. OK, use Key XYZ (Access Point to Applicant)
RADIUS is an AAA (Authentication, Authorization, Accounting) protocol
Once the user is authenticated, the AP assigns the user an individual key, avoiding a shared key.
WPA is an early version of the 802.11i and 802.11x security standards
Protocols used in WPA
Authentication and data integrity in 802.11i and 802.11x rely on the Extensible Authentication Protocol (EAP), which has different options:
Wireless Transport Layer Security (WTLS) protocol
Server and mobile devices must have digital certificates
Requires that a Public Key Infrastructure (PKI) be installed to manage digital certificates
Tunneled WTLS
Digital certificates are installed on the server only
Once the server is securely authenticated to the client via its Certificate Authority, a secured tunnel is created.
Server authenticates the client through the tunnel.
Client could use passwords as a means of authentication
Soft Access Point*
Diagram (recovered from slide): the 802.11 operation diagram (Notebook with PC Card wireless NIC, Access Point, Ethernet Switch, Server, Client PC, 802.3 frame containing the packet) with a Soft AP added.
* Also called Rogue Access Point
Usually, a soft AP is a laptop loaded with cracking software
A soft AP allows the hacker to get passwords, MAC addresses, etc.
TCP/IP Internetworking
Layered Communications: Encapsulation – De-encapsulation
Application programs on different computers cannot communicate directly. There is no direct connection between them! They need to use an indirect communication system called layered communications or layer cooperation.
Diagram (recovered from slide): User PC (Browser, Transport, Internet, Data Link, Physical) sends an HTTP Request to the Webserver (Web App, Transport, Internet, Data Link, Physical); each layer cooperates with its peer layer on the other machine.
Layer Cooperation on the User PC
Encapsulation on the sending machine: embedding the message received from the upper layer in a new message
Application:  HTTP req.                                   = HTTP request
Transport:    TCP-H | HTTP req.                           = TCP segment
Internet:     IP-H | TCP-H | HTTP req.                    = IP packet
Data Link:    PPP-H | IP-H | TCP-H | HTTP req. | PPP-T    = Frame
Physical:     bits onto the transmission media
Encapsulation of HTTP request in data field of a TCP segment
Layer Cooperation on the Web server
De-encapsulation: each layer passes the successive data fields (containing next-lower layer messages) up to the next-higher layer
Physical:     bits from the transmission media
Data Link:    PPP-H | IP-H | TCP-H | HTTP req. | PPP-T    = Frame
Internet:     IP-H | TCP-H | HTTP req.                    = IP packet
Transport:    TCP-H | HTTP req.                           = TCP segment
Application:  HTTP req.                                   = HTTP request
Questions
1. What is encapsulation? On what machine does it occur: sending or receiving machine?
2. If a layer creates a message, does that layer or the layer below it encapsulate the message?
3. What layer creates frames? Segments? Packets?
4. Which of the following network communication models is used on the Internet?
a) The OSI model
b) The HTML model
c) The TCP/IP model
d) The IP model
IP Packet
IP Version 4 Packet (Bit 0 … Bit 31):
Version (4 bits) = 0100 | Header Length (4 bits) | QoS (8 bits) | Total Length (16 bits)
Identification (16 bits) | Flags | Fragment Offset (13 bits)
Time To Live (8 bits) | Protocol (8 bits: 1=ICMP, 6=TCP, 17=UDP) | Header Checksum (16 bits)
Source IP Address (32 bits)
Destination IP Address (32 bits)
Options (if any) | Padding
Data Field
QoS: Also called Type of Service, indicates the priority level the packet should have
Identification tag: to help reconstruct the packet from several fragments
Flags: indicate whether the packet could be fragmented or not (DF: Don’t Fragment), and whether more fragments of a packet follow (MF: More Fragments or NF: No More Fragments)
Fragment offset: identifies which fragment this packet is attached to
TTL: Indicates the maximum number of hops (or routers) the packet could pass before a hop discards it.
Header checksum: to check for errors in the header only
Questions
What is the main version of the Internet Protocol in use today? What is the other version?
What does a router do with an IP packet if it decrements its TTL value to zero?
Assume that a router received an IP packet with the Protocol field in the header set to 6. What Transport layer protocol is used in the message: TCP, UDP, or ICMP?
IP Fragmentation
When a packet arrives at a router, the router selects the port and subnet to forward the packet to
If the packet is too large for the subnet to handle, the router fragments the packet, i.e.
Divides the packet’s data field into fragments
Gives each fragment the same Identification tag value, i.e. the Identification tag of the original packet
First fragment is given a Fragment Offset value of 0
Subsequent fragments get Fragment Offset values consistent with their data’s place in the original packet
Last fragment’s Flag is set to “No More Fragments”
Destination host reassembles the fragments based on the offsets.
Header fields involved: Identification (16 bits), Flags, Fragment Offset (13 bits)
Diagram (recovered from slide): the router forwards the packet from Subnet 1 into Subnet 2 as fragments.
Firewalls and Fragmented IP Packets
Diagram (recovered from slide): Attacker 1.34.150.37 sends a fragmented TCP packet through a Router to the Firewall at 60.168.47.47.
1. First fragment: IP header, TCP header, TCP data field
2. Second fragment: IP header, TCP data field (no TCP header)
3. TCP header appears only in the first fragment
4. The second fragment carries a TCP data field only
5. The firewall can only filter on the TCP header in the first fragment
Fragmentation makes it hard for firewalls to filter individual packets: the TCP or UDP header appears only in the first fragment
Firewall might drop the first fragment, but not subsequent fragments
Some firewalls drop all fragmented packets
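Added example, not the slides' own material: a Python IPv4 header parser that exposes the fields named on the IP Packet and IP Fragmentation slides (Identification, DF/MF flags, Fragment Offset, TTL, Protocol, header checksum) and shows why only the first fragment lets a filter see the TCP ports. The build_ipv4 helper, fragment_summary and the two-fragment sample (reusing the slide's attacker and firewall addresses) are constructed for this demonstration.

```python
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # Protocol field values listed on the slide

def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum of the header's 16-bit words (covers the header only, as the slide says)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header fields; checksum_ok is True when the stored checksum verifies."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, qos, total_len, ident, flags_off, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    version, hlen = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or hlen < 20 or len(pkt) < hlen:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "version": version, "header_len": hlen, "qos": qos, "total_len": total_len, "id": ident,
        "df": bool(flags_off & 0x4000),           # Don't Fragment
        "mf": bool(flags_off & 0x2000),           # More Fragments
        "frag_offset": (flags_off & 0x1FFF) * 8,  # the 13-bit field counts 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum_ok": ipv4_checksum(pkt[:hlen]) == 0,  # an intact header sums to zero
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": pkt[hlen:],
    }

def transport_header_visible(pkt: bytes) -> bool:
    """A firewall can only read TCP/UDP ports from the fragment whose offset is 0."""
    return parse_ipv4(pkt)["frag_offset"] == 0

def build_ipv4(src: str, dst: str, ident: int, mf: bool, offset: int, proto: int,
               payload: bytes, ttl: int = 64) -> bytes:
    """Constructed packet builder for the sample below; offset must be a multiple of 8."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def fragment_summary(pkt: bytes) -> str:
    """One log line a packet filter might emit per fragment."""
    h = parse_ipv4(pkt)
    return (f"id={h['id']:#06x} offset={h['frag_offset']} mf={int(h['mf'])} "
            f"proto={h['protocol']} ports_visible={transport_header_visible(pkt)}")

# Constructed sample: a TCP SYN (port 49562 -> 80) from the slide's attacker address to the
# slide's firewall address, split into two fragments so only the first carries the TCP header.
TCP_SYN = struct.pack("!HHIIBBHHH", 49562, 80, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
FRAG1 = build_ipv4("1.34.150.37", "60.168.47.47", 0xBEEF, True, 0, 6, TCP_SYN + b"A" * 4)
FRAG2 = build_ipv4("1.34.150.37", "60.168.47.47", 0xBEEF, False, 24, 6, b"B" * 16)
```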
TCP Segment
TCP Segment (Bit 0 … Bit 31):
Source Port Number (16 bits) | Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
Header Length (4 bits) | Reserved (6 bits) | Flag Fields: ACK, SYN, … (6 bits) | Window Size (16 bits)
TCP Checksum (16 bits) | Urgent Pointer (16 bits)
Data
Port number: identifies sending and receiving application programs.
Sequence number: identifies the segment’s place in the sequence. Allows the receiving Transport layer to put arriving TCP segments in order.
Acknowledgement number: identifies which segment is being acknowledged
Flag fields: six one-bit flags: ACK, SYN, FIN, RST, URG, PSH. Can be set to 0 (off) or 1 (on). E.g. SYN=1 means a request for connection/synchronization.
Q: If the ACK flag is set to 1, what other field must also be set to let the receiver know what TCP segment is being acknowledged?
TCP and use of Flags
TCP is a connection-oriented protocol
Sender and receiver need to establish a connection; sender and receiver need to agree to “talk”
Flags are used for establishing the connection
Sender requests connection opening: SYN flag set to 1
If the receiver is ready to “talk”, it responds with a SYN/ACK segment
Sender acknowledges the acknowledgment
If the sender does not get an ACK, it resends the segment
3-way Handshake (PC Transport Process ↔ Webserver Transport Process):
1. SYN (Open)
2. SYN, ACK (1) (Acknowledgment of 1)
3. ACK (2)
Flag Fields (6 bits): ACK SYN FIN RST URG PSH
Note: With connectionless protocols like UDP, there are no flags. Messages are just sent. If part of the sent messages is not received, there is no retransmission.
Communication during a normal TCP Session
Note: At any time, either process can send a TCP RST (reset) segment with RST bit set to 1 to drop the connection (i.e. to abruptly end the connection).
Q1: How many segments are sent in a normal TCP communication opening? ____
Q2: How many segments are sent in a normal TCP communication closing? ____
SYN/ACK Probing Attack
Diagram (recovered from slide):
1. Attacker 1.34.150.37 sends a SYN/ACK segment to probe 60.168.47.47
2. Victim 60.168.47.47: no SYN (Open) was ever sent, so the SYN/ACK makes no sense
3. Victim answers “Go away!” with an RST segment (IP header + RST segment)
4. The RST segment’s source IP address = 60.168.47.47
5. Attacker learns that 60.168.47.47 is live!
Sending SYN/ACK segments helps attackers locate “live” targets
Older Windows OS could crash when they receive a SYN/ACK probe
TCP and use of Port numbers
Port numbers identify applications
Well-known ports (0-1023): used by major server applications running at root authority. HTTP web service = 80, Telnet = 23, FTP = 21, SMTP email = 25
Registered ports (1024-49151): used by client and server applications.
Ephemeral/dynamic/private ports (49152-65535): not permanently assigned by ICANN.
Diagram (recovered from slide): Web server applications (www:80, FTP:21, SMTP:25) run on the Operating System, which runs on the computer hardware (Processor, RAM chip, HD).
Socket notation: IP address:Port #
TCP header fields: Source Port Number (16 bits) | Destination Port Number (16 bits)
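Added example (not from the slides) covering both the SYN/ACK probe slide and the port-number slide: a Python TCP header parser with the six flags, the slide's three port classes, and a small stateful check that tells a legitimate handshake step 2 apart from an unsolicited SYN/ACK. build_tcp, ProbeDetector, likely_server_side and every address except the slide's 1.34.150.37 are my own constructions.

```python
import struct

# The six one-bit TCP flags from the slide, as bit masks in the header's flag byte
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def build_tcp(sport: int, dport: int, flags, seq: int = 0, ack: int = 0) -> bytes:
    """Constructed 20-byte TCP header (checksum left at 0; this demo parses, it never sends)."""
    bits = sum(TCP_FLAGS[f] for f in flags)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, 8192, 0, 0)

def parse_tcp(seg: bytes) -> dict:
    """Decode ports, sequence/acknowledgment numbers and the flag set from a TCP header."""
    sport, dport, seq, ack, off, bits, win, _, _ = struct.unpack("!HHIIBBHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
            "header_len": (off >> 4) * 4,
            "flags": {name for name, bit in TCP_FLAGS.items() if bits & bit}}

def port_class(port: int) -> str:
    """The slide's three ranges: well-known (servers), registered, ephemeral (clients)."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "ephemeral"

def likely_server_side(seg: bytes) -> str:
    """Guess which end is the server from the port numbers alone (as in the review question)."""
    t = parse_tcp(seg)
    if port_class(t["sport"]) == "well-known":
        return "source"
    if port_class(t["dport"]) == "well-known":
        return "destination"
    return "unknown"

class ProbeDetector:
    """Stateful check: a SYN/ACK that answers no SYN this host sent is a probe, not step 2."""
    def __init__(self):
        self.sent_syn = set()   # (peer_ip, peer_port, local_port) for each SYN we sent
        self.alerts = []

    def outbound(self, dst_ip: str, seg: bytes) -> None:
        t = parse_tcp(seg)
        if t["flags"] == {"SYN"}:
            self.sent_syn.add((dst_ip, t["dport"], t["sport"]))

    def inbound(self, src_ip: str, seg: bytes) -> str:
        t = parse_tcp(seg)
        if t["flags"] != {"SYN", "ACK"}:
            return "other"
        if (src_ip, t["sport"], t["dport"]) in self.sent_syn:
            return "handshake step 2"
        # The stack will answer with RST, which tells the sender the host is live: record it.
        self.alerts.append(f"unsolicited SYN/ACK from {src_ip}:{t['sport']} to port {t['dport']}")
        return "probe"
```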
Questions
A host sends a TCP segment with source port number 25 and destination port number 49562.
1) Is the source host a server or a client? Why?
2) If the host is a server, what kind of service does it provide?
3) Is the destination host a server or a client? Why?
TCP and Port spoofing
Most companies set their firewall to accept packets to and from port 80
Attackers set their client program to use well-known port 80
Attackers set their application to use a well-known port despite not being the service associated with the port
Questions
1. What is IP Fragmentation? Does IP fragmentation make it easier for firewalls to filter incoming packets? Why?
2. What is SYN/ACK probing attack?
3. What kind of port numbers do major server applications, such as email service, use?
4. What kind of port numbers do client applications usually use?
5. What is socket notation?
6. What is port spoofing?
7. How many well-known TCP ports are vulnerable to being scanned, exploited, or attacked?