Internet Security (1) VU 188.366 Networking Basics: Christian Platzer
VU 188.366
Networking Basics
inetsec@iseclab.org
Administration
• Online registration
– Open until 27.03.2013
• ~ 266 fellow aspirants so far
– TISS import will happen automagically after 21.03.2013
• Exam
– Scheduled for 27th, maybe not enough room
– 26th as backup (18:00)
Internet Security 1 2
Part 1
Basic terminology
• Who is a "hacker"?
Basic terminology
Information Domain
• Leakage
– acquisition of information by unauthorized recipients (e.g., password sniffing)
• Tampering
– unauthorized alteration/creation of information (including programs)
– e.g., change of an electronic money order, installation of a rootkit
Security threats
Operation Domain
• Resource stealing
– (ab)use of facilities without authorization (e.g., use a high-bandwidth infrastructure to launch DDoS attacks)
• Vandalism
– interference with the proper operation of a system without gain (e.g., flash the BIOS with 0x0000)
Methods of attacking
• Eavesdropping
– getting copies of information without authorization
• Masquerading
– sending messages under another's identity
• Message tampering
– change content of message
Methods of attacking
• Replaying
– store a message and send it again later, e.g., resend a payment message
• Exploiting
– using bugs in software to get access to a host
• Combinations
– Man-in-the-middle attack
• impersonate each of the two attacked partners towards the other, relaying and altering their traffic (e.g., to cause havoc and confusion)
Social engineering
Security 101 : Passwords
• Retina checks are currently not possible, so guard your password ;-)
– NEVER give your password to anyone
• Not even your girlfriend/boyfriend
– Make your password difficult for others to guess
– DO NOT change your password because someone tells you to
Password examples
• The “Bad”
– acmilan1
– mymusic2
– bermuda6
– Konrad4868
– Master
– God
• The “Good”
– #bdiBuM1a
– Qa56Fge(/
– sdFOiKqw”=
– Somecommonwordsputtogethertoaverylongpassword
– Xkcd: Password Strength (http://xkcd.com/936/)
Choosing a good password
• Guidelines…
– The longer the better (but long passwords are often not supported!)
– mix lower- and upper-case characters, numbers, and punctuation marks
– take a phrase and squeeze it into eight characters
• e.g., "this is an interesting lecture oh yeah" == tiailoy
• Throw in a capital letter and a punctuation mark or a number or two (== 0Tiailoy4)
– Use your imagination!
– Never, ever use "security" questions!
• If you have to, answer with a random string and keep that string in a password safe
• Storage
– Password safes (Firefox Master Password, Keychains, etc.) are OK if encrypted properly.
– Take care about the password-retrieval (reset) channel.
• It can involuntarily create an authorization loop (daisy-chained accounts): whoever controls the account that receives the reset e-mail controls every account that resets to it
• Example: Epic Hack (Mat Honan's 2012 account takeover, in which Amazon, Apple, Gmail and Twitter accounts were chained together through their recovery channels)
Part 2
OSI reference model
# Host A Host B
7 Application Layer Application Layer
6 Presentation Layer Presentation Layer
5 Session Layer Session Layer
4 Transport Layer Transport Layer
3 Network Layer Network Layer
2 Data Link Layer Data Link Layer
1 Physical Layer Physical Layer
OSI reference model
• Physical Layer (1)
– connects to the channel / used to transmit raw bits (= network cable)
– Repeater, Hub
Layer 1
Physical layer
Layer 1
• Hardware
– Twisted Pair
– Coax
– Wireless transceiver
– Optical Cable
– Token Ring
– PLC (Power Line Communication)
Layer 2
Layer 2 – Ethernet (II)
dest (48 bits) | src (48 bits) | type (16 bits) | data (46–1500 bytes) | CRC (32 bits)
type 0x0800 = IP datagram
Layer 2 – Ethernet (II)
• Widely used link layer protocol
• Data:
– min 46 bytes payload (padding may be needed), max 1500 bytes
• CRC (4 bytes)
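The frame layout above in code, as an added example that is not part of the lecture slides: a builder that applies the 46-byte minimum padding and appends the CRC-32 frame check sequence, and a parser that verifies it. The function names and the sample frame in the test are ours; the MAC addresses are the ones used later in the slides.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
MIN_PAYLOAD = 46      # a shorter payload is padded up to this on the wire
MAX_PAYLOAD = 1500
HEADER_LEN = 14       # dst(6) + src(6) + type(2)
FCS_LEN = 4


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet II frame: dst | src | type | data (padded to >= 46 B) | FCS.

    The FCS is CRC-32 (IEEE 802.3) over everything before it and is sent least
    significant byte first, which is why it is packed little-endian ("<I").
    """
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 48 bits")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes; fragment at layer 3 instead")
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(MIN_PAYLOAD, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame: bytes) -> dict:
    """Split a received frame into its fields and verify the FCS.

    Layer 2 alone cannot tell padding from payload: 'data' includes any padding,
    and the layer above (e.g. the IP total length field) has to cut it off.
    """
    if len(frame) < HEADER_LEN + MIN_PAYLOAD + FCS_LEN:
        raise ValueError("runt frame (shorter than 64 bytes)")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    data, (fcs,) = frame[14:-4], struct.unpack("<I", frame[-4:])
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "type": ethertype,
        "data": data,
        "fcs_ok": (zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == fcs,
    }
```

Two practical points: the CRC only catches transmission errors, an attacker who modifies a frame simply recomputes it, so it is not an integrity mechanism in the security sense; and most NICs strip the FCS before handing the frame to the operating system, which is why Wireshark normally does not show it.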
Tools / commands
• Wireshark (W/U: available for Windows and Unix)
– Captures network traffic
Layer 3
Network layer
Internet Protocol (IP)
• Attributes of delivery
– Connectionless
– unreliable best-effort datagram
• delivery, integrity, ordering, non-duplication are NOT guaranteed
• i.e., datagrams can be dropped, tampered with, replayed, spoofed, etc. (at least in IPv4)
IP Header fields
• Version (4 bits)
– current value = 4 (IPv4)
• Type of service (8 bits)
– precedence (3 bits), ToS/QoS bits (4), 1 unused bit
IP Header
• Flags (3 bits) and Fragment Offset (13 bits)
– used for fragmentation of datagrams
• Protocol (8 bits)
– specifies the protocol encapsulated in the datagram (e.g., 6 = TCP, 17 = UDP)
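An added example (ours, not from the lecture) that parses the header fields listed above and applies the sanity checks a firewall or IDS needs before trusting them: version, IHL, total length against the received buffer, and the RFC 791 header checksum. It also decides what a router does when the datagram exceeds the next link's MTU with the Don't Fragment bit set. The function names and the sample datagram in the test are assumptions for the example.

```python
import struct
from dataclasses import dataclass

DONT_FRAGMENT = 0b010      # Flags field: reserved | DF | MF
MORE_FRAGMENTS = 0b001
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class IPv4Header:
    ihl: int            # header length in 32-bit words; 5 means no options
    tos: int
    total_length: int   # header + data, in bytes
    ident: int
    flags: int
    frag_offset: int    # in units of 8 bytes
    ttl: int
    protocol: int
    src: str
    dst: str
    options: bytes


def checksum(data: bytes) -> int:
    """RFC 791: one's complement of the one's-complement sum of all 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(src, dst, protocol, payload, ident=0, flags=0, frag_offset=0, ttl=64, options=b""):
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), ident,
                         (flags << 13) | frag_offset, ttl, protocol, 0,
                         ip_bytes(src), ip_bytes(dst)) + options
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]   # fill in checksum
    return header + payload


def parse_ipv4(pkt: bytes):
    """Parse a datagram with the header sanity checks a firewall or IDS should apply.

    Returns (header, payload); raises ValueError for anything that should be dropped.
    """
    if len(pkt) < 20:
        raise ValueError("shorter than a minimal IP header")
    vi, tos, tlen, ident, ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vi >> 4, vi & 0x0F
    if version != 4:
        raise ValueError(f"version {version} is not IPv4")
    hlen = ihl * 4
    if hlen < 20:
        raise ValueError("IHL below 5: header would overlap the data")
    # total length may be smaller than the buffer (Ethernet pads to 46 bytes) but never larger
    if tlen < hlen or tlen > len(pkt):
        raise ValueError("total length inconsistent with header length / received bytes")
    if checksum(pkt[:hlen]) != 0:         # a correct header sums to zero including its checksum
        raise ValueError("header checksum mismatch")
    header = IPv4Header(ihl, tos, tlen, ident, ff >> 13, ff & 0x1FFF, ttl, proto,
                        ip_str(src), ip_str(dst), pkt[20:hlen])
    return header, pkt[hlen:tlen]


def fragmentation_decision(header: IPv4Header, mtu: int) -> str:
    """What a router does when the datagram does not fit the next link's MTU."""
    if header.total_length <= mtu:
        return "forward"
    if header.flags & DONT_FRAGMENT:
        return "drop; send ICMP type 3 code 4 (fragmentation needed, DF set) back to the source"
    return "fragment"
```

Note that the checksum only covers the header, is recomputed by every router (the TTL changes), and offers no protection against a deliberate change: anyone who can spoof a datagram can also compute a valid checksum for it.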
IP Options
• Variable length
Direct IP delivery
• Problem:
– the link layer uses 48-bit Ethernet addresses
– the network layer uses 32-bit IP addresses
– we want to send an IP datagram
– but we can only use the link layer to (really) do this
[IP Header | IP Data] carried as the payload of a link-layer frame, e.g. Ethernet
Address Resolution Protocol (ARP)
• EtherType 0x0800: IP datagram
• EtherType 0x0806: ARP message
• ARP message format (figure)
Direct IP delivery: ARP exchange
Hosts on the segment: 192.168.0.2 (fa:02:41:11:11:11), 192.168.0.7 (ff:ff:fa:22:11:87), 192.168.0.33 (ff:02:a4:12:34:56)
• ARP request: from fa:02:41:11:11:11 to ff:ff:ff:ff:ff:ff (broadcast), sender 192.168.0.2, target 192.168.0.7 ("Who has 192.168.0.7?")
– every host on the segment receives it; 192.168.0.7 stores the sender pair 192.168.0.2 -> fa:02:41:11:11:11 in its ARP cache
• ARP reply: from ff:ff:fa:22:11:87 to fa:02:41:11:11:11 (unicast), "I have 192.168.0.7!"
– 192.168.0.2 stores 192.168.0.7 -> ff:ff:fa:22:11:87 in its ARP cache
• IP packets: from now on 192.168.0.2 sends datagrams for 192.168.0.7 in frames from fa:02:41:11:11:11 to ff:ff:fa:22:11:87 (and 192.168.0.7 answers the other way round); no further ARP is needed until the cache entry expires
Tools / commands
• arp (W/U)
– Lists arp mappings
– Can edit arp cache entries
• ping (W/U)
– Probes a specific IP address
IP addresses
• If all 2^32 available IP addresses were in the same network, we would be done
– Direct delivery would suffice.
Subnetting
IP subnetting
• Example:
– IP: 192.168.1.16, subnet mask: 255.255.255.0, gateway: 192.168.1.1
– The host sends an IP packet to 192.168.1.77
– Destination network = IP AND subnet mask
• for 192.168.1.16: 192.168.1.0
• for 192.168.1.77: 192.168.1.0
– Match! (direct delivery)
– Otherwise: send to the gateway
Special IP addresses
• Broadcasts
– all 32 bits set to 1 (255.255.255.255): limited broadcast, stays on the local network
– only the host bits set to 1: directed broadcast to the addressed network (possibly a remote one)
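The subnetting decision and the special addresses from the last two slides, as an added example written for this page (not lecture code). It does the AND by hand so the bit operation on the slide is visible; in production code the `ipaddress` module does the same. Function names are ours; the addresses in the test are the slide's example.

```python
def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {ip}")
    return int.from_bytes(bytes(octets), "big")


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_of(ip: str, mask: str) -> str:
    """Destination network = IP AND subnet mask, as on the slide."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def next_hop(my_ip: str, mask: str, gateway: str, dst: str):
    """Decide whether a packet for dst is delivered directly or handed to the gateway.

    Either way the returned hop is the address the sender has to resolve with ARP.
    """
    if network_of(dst, mask) == network_of(my_ip, mask):
        return ("direct", dst)
    return ("gateway", gateway)


def classify(dst: str, mask: str) -> str:
    """Spot the special addresses of the network described by mask."""
    d, m = ip_to_int(dst), ip_to_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    if d == 0xFFFFFFFF:
        return "limited broadcast"                                # all 32 bits set: stays on the link
    if d & host_bits == host_bits:
        return f"directed broadcast for {int_to_ip(d & m)}"      # only the host bits set
    if d & host_bits == 0:
        return f"network address {int_to_ip(d & m)}"
    return "unicast host"
```

Directed broadcasts are what smurf-style amplification relied on, which is why routers today drop them by default (RFC 2644); a filter that wants to recognise them needs the target network's mask, not its own.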
Fragmentation
• If fragmentation would be necessary but the Don't Fragment bit is set, the datagram is dropped and an error message (ICMP destination unreachable, "fragmentation needed and DF set") is sent to the sender
Layer 2/3 Attacks
Network layer
Fragmentation attacks
IP fragment overwrite: fool the firewall
Defense
• Fragmentation:
– Re-assemble IP Datagram on Firewall / IDS
• Usually done within the OS stack
– Sanity checks on IP Header
– Fix OS Bugs
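A reassembler that implements the defence above, added here as an example that is not part of the lecture: it rebuilds one datagram from its fragments and records every condition a firewall or IDS should refuse, in particular a later fragment that rewrites bytes already received. The demo reproduces the fragment-overwrite pattern of RFC 1858 on a constructed TCP segment: the first fragment carries a harmless ACK to port 80, a second fragment with offset 1 overwrites byte 13 and turns it into a SYN. Class and function names are ours.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TCP = 6


@dataclass
class Fragment:
    offset: int        # IP Fragment Offset field, in units of 8 bytes
    more: bool         # MF flag
    data: bytes


@dataclass
class Reassembler:
    """Reassembles the fragments of one datagram (same src, dst, id, protocol)
    and records everything a firewall/IDS should treat as suspicious."""
    protocol: int
    seen: Dict[int, int] = field(default_factory=dict)    # byte index -> byte value
    total_length: Optional[int] = None
    anomalies: List[str] = field(default_factory=list)

    def add(self, frag: Fragment) -> None:
        start = frag.offset * 8
        if frag.more and len(frag.data) % 8:
            self.anomalies.append("non-final fragment length is not a multiple of 8")
        if self.protocol == TCP and frag.offset == 0 and len(frag.data) < 20:
            self.anomalies.append("tiny first fragment: TCP header is split across fragments")
        if self.protocol == TCP and frag.offset == 1:
            # RFC 1858: an offset of 1 exists only to rewrite bytes 8-15 of the TCP header
            self.anomalies.append("fragment with offset 1 overlaps the TCP header")
        for i, b in enumerate(frag.data, start):
            old = self.seen.get(i)
            if old is not None and old != b:
                self.anomalies.append(f"overlapping fragment rewrites byte {i}: {old:#04x} -> {b:#04x}")
            self.seen[i] = b   # last copy wins here; stacks disagree on this, which is what evasion exploits
        if not frag.more:
            end = start + len(frag.data)
            if self.total_length is not None and self.total_length != end:
                self.anomalies.append("two fragments claim to be the last one")
            self.total_length = end

    def complete(self) -> bool:
        return self.total_length is not None and all(i in self.seen for i in range(self.total_length))

    def datagram(self, strict: bool = True) -> bytes:
        """Return the reassembled payload; in strict mode refuse anything anomalous."""
        if strict and self.anomalies:
            raise ValueError("; ".join(self.anomalies))
        if not self.complete():
            raise ValueError("datagram is incomplete")
        return bytes(self.seen[i] for i in range(self.total_length))


def tcp_header(dst_port: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header; byte 13 carries the flags (0x02 = SYN, 0x10 = ACK)."""
    return struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)


def overwrite_demo():
    """Constructed RFC 1858 style overwrite: fragment 1 is an innocuous ACK to port 80,
    fragment 2 (offset 1 = byte 8) rewrites the flags byte so the end host sees a SYN."""
    innocent = tcp_header(80, 0x10) + b"GET "            # 24 bytes, a multiple of 8
    evil = tcp_header(80, 0x02)[8:20] + b"GET "          # bytes 8..23 of the datagram
    r = Reassembler(TCP)
    r.add(Fragment(0, True, innocent))
    r.add(Fragment(1, False, evil))
    return r.anomalies, r.datagram(strict=False)[13]     # what a last-copy-wins host reassembles
```

The point of reassembling on the firewall is exactly that the firewall, not the end host, decides which copy counts; a stateless filter that inspects only the first fragment lets the SYN through.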
LAN Attacks
• Goals:
– Information Recovery
– Impersonate Host
– Tamper with delivery mechanisms
• Methods:
– Sniffing
– IP Spoofing
– ARP attacks
Network sniffing
• Eavesdrop on a shared communication medium
Host 1 (192.168.0.2), Host 2 (192.168.0.3), Host 3 (192.168.0.5) and the sniffer all share the same medium
Network sniffing
• MAC flooding
– the switch maintains a table with MAC address/port mappings
– flooding the switch with frames from bogus source MAC addresses fills that table
– once it is full the switch can no longer learn real addresses and floods traffic for them out of every port (hub mode)
• MAC duplicating/cloning
– you can reconfigure your NIC's MAC address to that of the victim
– the switch records this in its table and sends the victim's traffic to you
Tools / commands
• Wireshark (W)
– Does the sniffing
– Decodes Headers for you
– Reassembles fragmented IP packets etc.
Countermeasures
• Sniffers
– a sniffer usually tries to resolve the host names belonging to the IP addresses it sees
– trap: generate a connection from a fake IP address and watch for DNS (reverse lookup) traffic about it => sniffer detected
– latency: a host that is busy sniffing answers (e.g., pings) noticeably slower under load
• MAC flooding
– Use port security
– Managed switches
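The MAC-flooding attack and the port-security countermeasure together, as an added simulation written for this page (not lecture code): a learning switch with a bounded table and entry aging, an attacker that keeps the table full, and the same scenario with port security limiting each port to one address. Host MACs are those from the slides; the switch model, port numbers and limits are assumptions.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Learning switch with a bounded MAC table, entry aging and optional port security."""

    def __init__(self, ports, cam_capacity, aging=300, max_macs_per_port=None):
        self.ports = set(ports)
        self.capacity = cam_capacity
        self.aging = aging                     # seconds before an unused entry is dropped
        self.max_per_port = max_macs_per_port  # None = no port security
        self.cam = {}                          # mac -> (port, last_seen)
        self.violations = []                   # (port, mac) pairs port security refused

    def _expire(self, now):
        for mac, (_port, seen) in list(self.cam.items()):
            if now - seen > self.aging:
                del self.cam[mac]

    def _learn(self, mac, port, now):
        """Return False if port security rejects the frame."""
        if mac in self.cam:
            self.cam[mac] = (port, now)
            return True
        if self.max_per_port is not None:
            on_port = sum(1 for p, _ in self.cam.values() if p == port)
            if on_port >= self.max_per_port:
                self.violations.append((port, mac))
                return False
        if len(self.cam) < self.capacity:
            self.cam[mac] = (port, now)
        # table full: the source stays unknown, but the frame is still switched
        return True

    def forward(self, src, dst, in_port, now):
        """Return the set of ports the frame leaves on."""
        self._expire(now)
        if not self._learn(src, in_port, now):
            return set()
        if dst != BROADCAST and dst in self.cam:
            return {self.cam[dst][0]}
        return self.ports - {in_port}          # unknown destination or broadcast: flood


def mac_flood(switch, attacker_port, now, count):
    """Attacker sends frames with sequential locally-administered source MACs (real tools use random ones)."""
    for i in range(count):
        fake = f"02:00:00:{(i >> 16) & 0xFF:02x}:{(i >> 8) & 0xFF:02x}:{i & 0xFF:02x}"
        switch.forward(fake, BROADCAST, attacker_port, now)


def flood_demo(port_security: bool):
    """Hosts H1 (port 1) and H2 (port 2) talk; the attacker sits on port 4.
    Returns (ports H1->H2 reaches before, ports it reaches after the flood, violations)."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=64, aging=300,
                max_macs_per_port=1 if port_security else None)
    h1, h2 = "fa:02:41:11:11:11", "ff:ff:fa:22:11:87"   # addresses from the lecture slides
    sw.forward(h1, BROADCAST, 1, now=0)
    sw.forward(h2, h1, 2, now=0)
    before = sw.forward(h1, h2, 1, now=1)
    # later the idle entries have aged out while the attacker keeps the table full,
    # so the hosts' addresses can no longer be re-learned
    mac_flood(sw, attacker_port=4, now=400, count=200)
    sw.forward(h2, h1, 2, now=400)
    after = sw.forward(h1, h2, 1, now=401)
    return before, after, len(sw.violations)
```

Without port security the H1-to-H2 frame, which used to leave on port 2 only, is flooded to ports 2, 3 and 4, so the attacker on port 4 sees it; with one allowed address per port the bogus sources are refused and forwarding stays unicast. A real switch would also shut the offending port down or log the violations, which is the part worth alerting on.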
IP Spoofing
1. Host1 sends a request to Host2
2. The attacker answers first with a faked response carrying Host2's source address, beating the genuine reply
Tools / commands
• PackETH
– packet generator: crafts arbitrary Ethernet/IP frames, including spoofed addresses
ARP Poisoning
ARP Poisoning
Same segment as before; the attacker's NIC is fa:02:41:11:11:11 and it claims 192.168.0.99, an IP address it does not own
• ARP request: from fa:02:41:11:11:11 to ff:ff:ff:ff:ff:ff, sender 192.168.0.99, target 192.168.0.7 ("Who has 192.168.0.7?")
– ARP has no authentication: 192.168.0.7 (ff:ff:fa:22:11:87) simply stores the sender pair 192.168.0.99 -> fa:02:41:11:11:11 in its cache, overwriting any earlier entry
• ARP response: from ff:ff:fa:22:11:87 to fa:02:41:11:11:11, "Hi, 192.168.0.99!"
• IP packet: every datagram 192.168.0.7 now sends to 192.168.0.99 goes out in a frame to fa:02:41:11:11:11, i.e. to the attacker
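Both ARP sequences of this lecture, the normal resolution between 192.168.0.2 and 192.168.0.7 and the poisoning of 192.168.0.7's cache, as one added example that is ours rather than lecture code. It builds and parses RFC 826 messages and models a host's cache with the RFC 826 update rule (refresh a known sender, add an unknown one only if we are the target) plus an arpwatch-style alert when an address changes its MAC. The class and function names are ours, and the legitimate owner of 192.168.0.99 (a gateway with MAC 02:00:00:00:00:99) is an assumption the slides do not state.

```python
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"
ARP_FMT = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = 28 bytes


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """RFC 826 message for Ethernet (htype 1) carrying IPv4 (ptype 0x0800)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac_bytes(sha),
                       IPv4Address(spa).packed, mac_bytes(tha), IPv4Address(tpa).packed)


def parse_arp(msg: bytes) -> dict:
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, msg[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"oper": oper, "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


class Host:
    """A host's ARP behaviour: RFC 826 cache update rules plus an arpwatch-style change alert."""

    def __init__(self, ip: str, mac: str):
        self.ip, self.mac = ip, mac
        self.cache = {}        # ip -> mac
        self.alerts = []

    def request_for(self, tpa: str) -> bytes:
        """'Who has tpa? Tell me' (the carrying frame would go to ff:ff:ff:ff:ff:ff)."""
        return build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, tpa)

    def receive(self, msg: bytes):
        """Process one ARP message; returns the reply to send, or None."""
        a = parse_arp(msg)
        # RFC 826 merge rule: refresh a sender we already know; add it only if we are the target.
        # Nothing is authenticated, so a spoofed sender pair is accepted just the same.
        if a["spa"] in self.cache or a["tpa"] == self.ip:
            self._learn(a["spa"], a["sha"])
        if a["oper"] == ARP_REQUEST and a["tpa"] == self.ip:
            return build_arp(ARP_REPLY, self.mac, self.ip, a["sha"], a["spa"])
        return None

    def _learn(self, ip: str, mac: str) -> None:
        old = self.cache.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip} moved from {old} to {mac}")   # possible poisoning
        self.cache[ip] = mac

    def lookup(self, ip: str):
        return self.cache.get(ip)


def poisoning_demo():
    """Hosts and MACs from the slides; the owner of 192.168.0.99 is an assumed gateway."""
    h2 = Host("192.168.0.2", "fa:02:41:11:11:11")
    h7 = Host("192.168.0.7", "ff:ff:fa:22:11:87")
    gw = Host("192.168.0.99", "02:00:00:00:00:99")        # assumed legitimate owner of .99
    # 1. normal resolution: .2 asks for .7, .7 answers, both caches are filled
    h2.receive(h7.receive(h2.request_for(h7.ip)))
    # .7 resolves the gateway once, so it holds the genuine mapping for .99
    h7.receive(gw.receive(h7.request_for(gw.ip)))
    genuine = h7.lookup(gw.ip)
    # 2. poisoning: the attacker's NIC sends a request whose sender IP is .99
    h7.receive(build_arp(ARP_REQUEST, h2.mac, gw.ip, ZERO_MAC, h7.ip))
    return genuine, h7.lookup(gw.ip), h7.alerts
```

The alert is the detection side: a MAC change for a known address is exactly what arpwatch reports, and static entries (`arp -s`) for the gateway make the victim ignore the spoofed pair altogether, at the price of manual maintenance.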
Hub vs Switch
ARP Poisoning: Applications
Tools / commands
• ettercap (U)
– ARP poisoning (and sniffing)
– And more crazy LAN things
• nmap (W+U)
– Network mapping
Countermeasures
• ARP poisoning
– switch side: deny packet delivery if the same MAC address shows up on multiple ports
– bears the danger of getting DoSed (an attacker can trigger that block against a legitimate host)
• DMZ / subnetting (limits who shares a broadcast domain with whom)
Conclusion
• Next lecture:
– We start looking at TCP/IP Protocol Suite and related attacks
– (Even) more technical attacks