20 Security in Networks

How attackers attack Network?

• Pinging,Port scanning
• Social enginnering
• Intelligence
• Operating system and application fingerprinting
• Bulletin board and charts
• Availability of documentation

Pinging

• Determine if a host is aliveSocial Engineering
• Social skill and personal interaction is used to get security relevant information and thereafter gets something that permits attack.
• The attacker impersonates someone from inside the organization.
• The victim helped attacker, does not report incident.

Intelligence

• Gather bits of information from various sources, put together.
• “dumpster diving” – looking through items that is discarded in rubbish bins or recycling boxes.
• – attacker may get network diagrams, printouts of security device configurations, system designs and source code.

Operating system and Application Fingerprinting

• Attacker needs to know
• – which commercial server application is running
• – what version
• – which is the underlying operating system and its version
• The network protocols are standard and vendor independent.
• For TCP session, sender and receiver coordinate for sequence number. Some implementation respond with a given sequence number, other respond with the number one greater, some respond with unrelated number..
• Each vendor’s code is implemented independently; there are variations in interpretation and behavior.
• For TCP session, sender and receiver coordinate  for sequence number. Some implementation   respond with a given sequence number, other  respond with the number one greater, some
• New version implement a new feature but old version will reject.
• These peculiarities are called operating system or application fingerprint, can mark the manufacturer and version.
• nmap program to perform an OS fingerprint.nmap –O 192.168.1.1
• The attacker might use a Telnet application to send meaningless messages to another application. Ports such as 80(HTTP),25(SMTP),110(POP), 21(FTP) may respond :Server:Netscape-Commerce/1.12 Your browser sent a non HTTP compliant message  Or  Microsoft ESMTP Mail service. Version:5.0.2195.3779  Reply tells attacker which  application and version are running.
• Discover information related to environment of an organization viz. Internet, intranet, remote access and extranet.
• Includes information about domain name, users and groups, network blocks, network services and applications, system architecture, intrusion detection systems, specific IP addresses, access control mechanisms.
• For websites, Open source footprinting involves – searching through DNS tables, scanning certain IP addresses for open ports, making “whois” requests.
• Check the HTML source code of the web site to look for links, comments, meta tags etc.

Open source footprinting

• A web page
• Yahoo or other directories
• Multiple search engines,
• Use advanced search(AltaVista – where reverse links can be searched to vulnerable sites)
• Dumpster diving
• Physical access(false ID, unauthorized access)
• Whois query

Identify names of the organization and related network. Domain names represent the company’s presence on the internet.

Types of whois query

• Registrar – Displays specific registrar information and associated whois servers
• Organizational – displays all information related to a particular organization
• Domain – Displays all information related to particular domain
• Network – Displays all information related to a particular network or a single IP address
• Point of contact(POC) – Displays all information related to a specific person, the administrative contacts.

NSLOOKUP(DNS query)

• Nslookup queries DNS information for host name resolution.
• Nslookup shows the host name and IP address of the DNS server that is configured for the local system, and then display a command prompt for further query. Public Database Security
• All information obtained are at public disclosure.Regional Internet registeries(RIR) Records
• E-mail addresses listed on RIR records should end with a domain different from your organization’s name.
• RIRs allow use of P.O. box addresses for individual and organizational contacts, personal contact information is not exposed to potential intruders.

Bulletin boards and chats

• Attackers post their exploits and techniques, read what others have done and search for additional information on systems, applications or sites.Internet is open for all, no guarantee of information being reliable or accurate.

Availability of documentation

• Vendors themselves distribute information useful to an attacker.
• Application vendors investigate a Microsoft product through a resource kit produced by Microsoft.

Threats in Transit : Eavesdropping and Wiretapping

Cable-inductance threats

• All signals in an Ethernet or other LAN are available on the cable for anyone to intercept.
• Ordinary wire emit radiation. By a process called inductance an intruder can tap a wire and read radiated signals without making physical contact with cable.
• The equipment needed for picking up signals is inexpensive and easy to obtain.
• Intruder must be close to cable.
• If attacker cannot take advantage of inductance, the attacker intercept a cable by direct cut.
• As a part of repair, attacker attaches a secondary cable and receives copy of all signals along the primary cable.
• The attacker carefully exposes some outer conductor, connect to it, carefully exposes some inner conductor and connect to it. Both operations alter the resistance, called impedance of the cable.

Software based packet sniffer

• A sniffer is a piece of software that captures the traffic flowing into and out of a computer attached to a network.
• Networking is done through Ethernet. The Ethernet protocol, broadcasts packet to all hosts on the network, packet header contains the name of the machine – receiver of the packet. Others ignore the packet.
• Network Interface card configured in promiscuous mode, accepts all packets. Aim is to grab username and password travelling across network. Known as passive attack.Passive sniffing attack
• By compromising the physical security
• Using a Trojan Horse
• Use switched ethernet.
• Switch does not broadcast all information to all systems on the LAN. Regulates the flow of data between its ports by actively monitoring the MAC address on each port.Active sniffing The sniffers inject traffic into LAN. Example – ARP spoofing, MAC flooding

MAC flooding

• In a switched network, ARP table ensures IP addresses are mapped to MAC addresses.
• Change default directed output of switch to broadcast method.
• Flood the network with too many frames that the switch cannot do IP-MAC address mapping and have to do broadcasting.

ARP flooding

• ARP finds MAC adress from the given IP of machine.
• The MAC address to IP address table is stored locally on each computer.
• ARP spoofing involves changing the MAC to IP address entries, causing traffic to be redirected from legitimate system to an unauthorized system of the attacker’s choice.

Impersonation

• Impersonate another person or process
• Guess the identity and authentication details of the target.
• Pick up identity and authentication details of the target from a previous communication or from wiretapping