SysSec 9 Network Security, Aurélien Francillon, francill@eurecom.fr (PowerPoint PPT presentation)

  1. SysSec 9 Network Security
     Aurélien Francillon francill@eurecom.fr


  2. News of the week

  3. (slide with no text)

  4. (slide with no text)

  5. (slide with no text)

  6. Overview
     • Reconnaissance: discovering topology and servers
       • Using network tools
       • Fingerprinting
     • Offensive
       • Man In The Middle attacks, bugs, attacks on routing
       • Bypassing network restrictions
       • Denial of service

  7. Network Reconnaissance

  8. Reconnaissance
     • Network reconnaissance is always a first step
       • Discovering machines
       • Understanding what services are running (open/filtered ports)
       • Identifying weak/vulnerable point(s) in the target network
     • “Collect intelligence”

  9. Reconnaissance
     • Network reconnaissance is always a first step
       • nmap, hping2, netcat
     • Public databases are always a good start
       • domain WHOIS → whois iseclab.org
       • DNS queries → dig iseclab.org
       • DNS zone transfers* (if very lucky) → dig axfr ZoneTransfer.me @ns16.zoneedit.com.
       • IP WHOIS (IRR) → whois 128.130.60.29
     * see http://www.digininja.org/projects/zonetransferme.php

  10. Reconnaissance
     • robtex.com → the Internet Swiss-army knife
     • GeoIP: approximate physical location of an IP address
       • More accurate solutions exist
     • Finger: directory service providing information about users
       • Almost not used anymore

  11. Scanning
     • Basics: send a TCP SYN packet
       • Closed port: reply with a RST
       • Open port: reply with SYN/ACK
       • Filtered port: nothing back, or an ICMP error packet
     • nmap -A -T4 scanme.nmap.org
     • Smarter techniques:
       • OS detection
       • Idle Scan

  12. Scanning for vulnerabilities directly
     • Nessus / OpenVAS
       • Has a list of tests for discovering daemon type, version, kind of service, options set, etc.
       • Has a list of associated vulnerabilities
       • Will check that automatically and generate reports
       • Client/server side can be programmed to run regularly
     • Useful for
       • Network administrators to check for vulnerabilities on the network
       • Lazy attackers to find an attack point!

  13. Routing
     • The Internet is split into smaller networks called Autonomous Systems (AS)
       • e.g. Renater, France Telecom, Proxad (free)
     • They are interconnected by links between their routers
     • BGP is the protocol used to know on which links to send packets depending on their destination (routing)
     • Some of the BGP/AS information is publicly available
       • IP WHOIS records (Internet Routing Registries, IRRs)
       • Looking glasses
       • Live BGP data feeds (RIPE RIS, RouteViews)

  14. Internet-connected device search engines
     • Examples: shodan.io, censys.io
     • Powered by fast “Internet-scale” scanners
       • masscan, zmap
     • Aggregate a lot of information about millions of hosts and networks

  15. Web searches, social media, …
     • Instead of performing reconnaissance on the network directly…
     • An attacker can search for another vulnerable point of entry: people
       • By running simple web searches
       • By checking for social media accounts
       • By building profiles of individuals (e.g., employees of the target company)
     • This intelligence can then be used to mount targeted attacks, e.g., via social engineering, spear-phishing emails, etc.

  16. Network Attacks

  17. Denial-of-Service Attack (DoS)
     • DoS is an attack that aims at disrupting a service so that none of its customers can use it
     • The consequence of flooding or vulnerability attacks
       • Flooding: an attack that consumes the application's resources at such a rate that the service becomes unresponsive
       • In a vulnerability attack, a vulnerability causes the application to crash or to go into an infinite loop
     • How common is DoS? Answer: very common
       • Research showed ~4,000 reported attacks in a week (and most attacks go unreported)
     • How likely are you to be a victim of DoS?
       • A report showed 25% of large companies suffer DoS attacks at some point

  18. Denial-of-Service Attack (DoS)
     • DDoS → Distributed Denial-of-Service
       • Attacking machines are called daemons, slaves, zombies or agents
       • Zombies are usually poorly secured machines that have been exploited
       • Machines that control and command the zombies are called masters or handlers
       • The attacker hides behind machines called stepping stones → covers his trace

  19. (slide with no text)

  20. Denial-of-Service Attack (DoS)
     • A DoS attacker may look for
       • Network reflectors
         • To hide the source of the attack
         • To prevent blocking it, e.g. an ICMP reply to a forged source address
       • Network “amplifiers”
         • To perform an efficient DoS: (1) find a service that replies with N packets when 1 packet is sent with a forged source; (2) this amplifies the DoS
       • Vulnerable/exploitable devices, e.g., to build a DDoS botnet

  21. Denial-of-Service Attack (DoS): Examples
     • SYN flood
       • with forged source address
     • “Smurf” attack
       • E.g. send a ping packet to a broadcast address (x.x.x.255)
     • DNS can generate many requests when the server is asked about a record not in its cache
       • DNSSEC packets are much larger

  22. Example: the MIRAI Botnet Architecture
     (figure: attacker, report server, loader, command & control server, devices, DDoS target)
     1. Bots scan for vulnerable IoT devices
     2. Bots report vulnerable IoT devices to the report server
     3. Report server dispatches the loader
     4. Loader exploits devices
     5. Attacker sends commands to the command & control server
     6. C2 server relays attack commands to the bots
     7. DDoS attacks are launched against the target
     Credits: Manos Antonakakis et al., Understanding the Mirai Botnet, USENIX Security, 2017

  23. Example: the MIRAI Botnet DDoS Attack Workflow
     1. Bot master or DDoS-for-hire user chooses the DDoS target and triggers the attack
     2. Attack command is passed on to the Command & Control server
     3. Attack command is relayed to the botnet nodes
     4. Botnet nodes generate DIRECT DDoS traffic towards the DDoS victim
     Credits: https://www.incapsula.com/blog/how-to-identify-a-mirai-style-ddos-attack.html, Imperva Incapsula

  24. Denial-of-Service Attacks
     • Web applications are particularly susceptible to denial of service attacks
       • A web application can’t easily tell the difference between an attack and ordinary traffic
       • Because there is no reliable way to tell whom an HTTP request is coming from, it is very difficult to filter out malicious traffic
     • Slashdot effect
       • Most web servers can handle several hundred concurrent users under normal use, but a single attacker can still generate enough traffic from a single host to swamp many applications
     • Defending against denial of service attacks is difficult and only a small number of “limited” solutions exist

  25. Who Are the Attackers?
     • Research has shown that the majority of attacks are launched by script kiddies
       • Such attacks are “easier” to detect and defend against
       • Kids use readily available tools to attack
       • E.g., the LOIC tool, booters/IP stressers (DDoSaaS)
     • Some (D)DoS attacks, however, are highly sophisticated and very difficult to defend against
       • Small-scale (targeted) or large-scale (massive)
       • Hacktivism
       • Financial gain
       • Nation-state cyber attacks

  26. Denial of Service Attacks: Defenses, IP Layer
     • Firewall
       • Rate limiting, broadcast packets...
       • Drop IP connections from a list of IP addresses
         • Put in that list those that send too many SYNs
     • Use BGP to reroute attack traffic to a provider with a lot of bandwidth; e.g. the Spamhaus event:
       • http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
       • http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet
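As an added example (not code from the slides or the course), here is the "too many SYNs" firewall rule above and the half-open pattern from the Scanning slide applied to a constructed packet log: a source is labelled a SYN flood when it exceeds a SYN rate in a sliding window, and a port scan when it sends SYNs to many ports without ever completing the handshake. The addresses, thresholds and function names are assumptions.

```python
from collections import defaultdict

# Constructed packet log: (timestamp_s, src_ip, dst_port, tcp_flag) as a
# simple firewall or IDS might see it; "S" = SYN from the source,
# "A" = the source's final ACK that completes the 3-way handshake.
PACKETS = [
    (0.0, "198.51.100.7", 80, "S"), (0.1, "198.51.100.7", 80, "A"),    # ordinary client
    (0.2, "198.51.100.7", 443, "S"), (0.3, "198.51.100.7", 443, "A"),
]
# A scanner probing 40 ports and never completing a handshake (constructed)
PACKETS += [(1.0 + i * 0.01, "203.0.113.9", p, "S") for i, p in enumerate(range(20, 60))]
# A flood source sending 500 SYNs to one port within a second (constructed)
PACKETS += [(2.0 + i * 0.002, "192.0.2.33", 80, "S") for i in range(500)]


def classify_sources(packets, window_s=1.0, syn_rate_limit=100, scan_ports=20):
    """Return {src_ip: set of labels}; unlabelled sources are left out.

    'syn-flood': more than syn_rate_limit SYNs inside any sliding window of
                 window_s seconds (the "too many SYNs" rule from the slide).
    'port-scan': SYNs to more than scan_ports distinct ports that never
                 completed a handshake (the half-open pattern from Scanning).
    Thresholds are assumptions; tune them to the protected network.
    """
    syn_times, syn_ports, acked = defaultdict(list), defaultdict(set), defaultdict(set)
    for ts, src, port, flag in sorted(packets):
        if flag == "S":
            syn_times[src].append(ts)
            syn_ports[src].add(port)
        elif flag == "A":
            acked[src].add(port)

    verdicts = defaultdict(set)
    for src, times in syn_times.items():
        left = 0  # sliding window over the sorted SYN timestamps
        for right, t in enumerate(times):
            while t - times[left] > window_s:
                left += 1
            if right - left + 1 > syn_rate_limit:
                verdicts[src].add("syn-flood")
                break
        if len(syn_ports[src] - acked[src]) > scan_ports:
            verdicts[src].add("port-scan")
    return dict(verdicts)


def blocklist(packets, **thresholds):
    """Addresses a firewall would add to its drop list: every labelled source."""
    return sorted(classify_sources(packets, **thresholds))
```

Note that a flood with forged source addresses (the SYN flood example above) defeats a per-source list; the rate counter still fires, but the addresses it yields are the spoofed ones.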

  27. Denial of Service Attacks: Defenses, HTTP Layer
     • Change the DNS to point to a CDN (Content Distribution Network)
       • With a lot of bandwidth
       • Caches HTTP requests
       • Applies filtering rules (OWASP)
       • e.g., Akamai: http://www.akamai.com/html/solutions/site_defender.html
     • Limit complex requests
       • in complexity
       • per IP

  28. Denial of Service Attacks: Other Defenses
     • Use a CAPTCHA if a human is expected to interact
       • But they are annoying and, after all, not that hard for machines to solve…
     • Use a Cryptographic Puzzle:
       • Some challenges are slow to compute for the client but fast to verify for the server
       • Sent by the server to the client before handling any further request
       • Not very efficient against DDoS
     • Make sure your hosts are patched against DoS vulnerabilities
     • Anomaly detection and behavioral models
     • Ingress filtering
     • Firewall: rate limiting, broadcast packets
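The cryptographic puzzle bullet, as an added example that is not part of the slides: a hashcash-style client puzzle in which the server hands out a random nonce and a difficulty, the client searches for a counter whose SHA-256 hash has enough leading zero bits, and the server verifies with a single hash. The SHA-256 construction, the nonce format and the function names are my assumptions, not the scheme of any particular product.

```python
import hashlib
import os

# Added example: hashcash-style client puzzle. Solving costs about 2**bits
# hashes on average; verifying costs one hash plus a set lookup.


def make_puzzle(bits=16):
    """Server side: fresh random nonce and the required leading zero bits."""
    return os.urandom(16).hex(), bits


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest (256 for an all-zero one)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_hash(nonce: str, counter: int) -> bytes:
    # Assumed wire format: the nonce and the counter joined by a colon.
    return hashlib.sha256(f"{nonce}:{counter}".encode()).digest()


def solve_puzzle(nonce: str, bits: int) -> int:
    """Client side: brute-force the counter; expected work grows as 2**bits."""
    counter = 0
    while leading_zero_bits(puzzle_hash(nonce, counter)) < bits:
        counter += 1
    return counter


def verify_solution(nonce: str, bits: int, counter: int, redeemed: set) -> bool:
    """Server side: one hash plus a replay check.

    `redeemed` holds nonces already accepted, so one solved puzzle cannot be
    reused for many requests. A production server would also bind the nonce
    to the client and an expiry (e.g. with an HMAC) so it need not remember
    every nonce it issued; that is omitted here.
    """
    if nonce in redeemed or leading_zero_bits(puzzle_hash(nonce, counter)) < bits:
        return False
    redeemed.add(nonce)
    return True
```

The asymmetry (thousands of hashes to solve, one to verify) is what protects the server from a single client, while a botnet of many devices can still solve puzzles in parallel, which is why the slide rates it weak against DDoS.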

  29. TCP Connection Hijacking
     • A bit “old-school”
       • Was used by Kevin Mitnick in 1995…
       • Attack on RSH to gain access to a server
       • With control of a computer on the network
     • Principle of the attack:
       • Impersonate a computer with IP spoofing
       • TCP sequence number guessing to send packets while ignoring responses
       • DoS the spoofed machine to prevent it from resetting the connection

  30. TCP Connection Hijacking: RSH
     • Remote Shell
       • “Ancestor” of SSH
     • Can be configured to allow/deny connections based on
       • Remote username
       • IP address
     • No crypto in place... but hijacking an IP address is not easy

  31. TCP Connection Hijacking: TCP (figure only)

  32. TCP Connection Hijacking: TCP 3-way Handshake (figure only)
     Source: http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentSequenceNumberSynchroniz-2.htm
