18 Threats in Network

Hiteishi Diwanji

epgp books

What makes a Network Vulnerable?

There are two categories of attacks:

  • (i) Active vs. passive attack
  • (ii) Insider vs. outsider attack

 

Who attacks Networks?

Attackers attack for different reasons:

  • Challenge
  • Fame
  • Money and Espionage
  • Organized crime
  • Ideology

 

 

Hacktivism and cyberterrorism:

Hacktivism covers all kinds of activities in which hacking techniques are applied to a target's network. These activities only disrupt routine operations; they do not cause serious damage. Cyberterrorism covers all kinds of politically motivated activities in which hacking operations cause harm, including loss of life or economic breakdown.

 

 

How do attackers gather information?

Two techniques are used: port scan and pinging.

Port scan: A port scan can reveal three facts.

  1. Which standard ports are up, with services running and answering, on the target system.
  2. Which operating system is installed on the target machine.
  3. Which applications are installed, and their versions.

Pinging: Ping is used to check whether a host is alive. Ping sends an ICMP echo request, causing the target to respond with an ICMP echo reply packet.

Port scanning: To deliver services, the TCP/IP protocol suite uses two primary protocols:

  • 1) TCP
  • 2) UDP

Every TCP and UDP packet carries a source port and a destination port. Port numbers range from 0 to 65535, which requires 16 bits. Port scanning methods:

 

  1. TCP Connect (not stealthy, not secret)
  • Uses the open system call provided by the kernel to connect to the specified ports on the target host.
  • Opens a TCP connection via the TCP three-way handshake.

Because a TCP connect scan completes the three-way handshake, the application listening on the destination port answers the connection request and logs the connection attempt.

  2. TCP SYN/Half open (stealth): In this method, the scanner sends a SYN packet to the target host. If the target host is listening on the port, it responds with SYN+ACK. If the target host is alive but not listening on the port, it sends an RST packet. The scan does not complete the three-way handshake, which is why this method is stealthy: nothing is logged by the target host.
  3. FIN: In this method, a FIN packet is sent to the target host. If the target host is alive and not listening on the port, it responds with an RST packet. If the target host is listening on the port, it does not respond. A Microsoft host sends an RST packet in all cases, so such a host is identified as a Microsoft Windows host.
  4. XMAS: In this method, the host sends out a packet with the FIN, URG and PUSH flags set. If the target host is listening on the port, it sends an RST packet back. If the target host is not listening on that port, it does not respond.
  5. NULL: In this method, the host sends a TCP packet to the destination host with all the flags turned off in the TCP header. If the target host is listening on the port, it does not respond. If the target host is not listening on the port, it sends an RST packet.
  6. RPC: In this method, the host sends NULL commands to open ports to determine whether they are RPC ports. If an open port is an RPC port, the application bound to that port is identified and information about it is obtained.
  7. ACK: In this method, the host sends ACK packets to the target host. If the target host does not respond or sends back an ICMP unreachable packet, the port is filtered by a firewall. If the target sends back an RST packet, the port is not filtered by a firewall. This method is used to check firewall rule sets.
  8. Window: This method detects open, filtered and unfiltered ports on some systems due to a reported anomaly in the TCP window sizes.
  9. UDP: This method sends a UDP packet. If the target host is not listening on the port used for communication, an ICMP port unreachable packet is received. If the target host is listening on the port, the sending host does not receive such a packet. Scanning with UDP is unreliable because UDP is not connection oriented.

Try nmap: Download nmap from https://nmap.org. In the command tab, type:

1) nmap -sS -p 22,25,80,443 192.168.100.0/24

2) nmap --help

 

3) Perform ping sweeps

nmap -sP

nmap -sF 216.58.220.4    ****** FIN scanning

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-11-03 21:15 India Standard Time
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 4.03 seconds

nmap -sT 216.58.220.4    **** TCP connect port scan

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-11-03 21:17 India Standard Time
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 4.20 seconds

nmap -sX 216.58.220.4    *** XMAS scanning

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-11-03 21:18 India Standard Time
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 4.04 seconds

Perform TCP pings

nmap -PT[port_number] host

nmap -PT6000 192.168.1.1

If a host responds with an RST packet, nmap considers the host alive and performs the port scan immediately. By default, nmap sends the ACK packet to port 80.

 

Perform TCP-connect port scans: nmap -sT 10.0.0.1

Perform SYN scanning: nmap -sS 192.168.1.150

Perform FIN scan: nmap -sF 192.168.1.100

XMAS scanning: nmap -sX 192.168.1.1

NULL scanning: nmap -sN 192.168.1.100

RPC scanning: nmap -sR 10.0.0.10

IP protocol scanning: nmap -sO 192.168.1.1

UDP port scanning: nmap -sU 192.168.1.100

 

Countermeasures:

  1. Block ICMP: Configure the firewall to drop incoming ICMP echo requests and outgoing ICMP echo replies.
  2. Prevent TCP ping scans: Use a stateful firewall to protect the network. Configure the firewall to drop all ACK packets that do not belong to an already established TCP connection.
  3. Defend against port scans: Configure the firewall to drop packets destined for closed ports. Most firewalls and IDSs have the ability to detect port scans. Use a stateful firewall.
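
The two countermeasures above that depend on connection state (dropping ACK packets that belong to no established TCP connection, and detecting port scans) can be sketched as follows. This is an added example, not part of the original module: the record format (source, destination port, flags), the threshold of 3 ports and the sample traffic are assumptions constructed for illustration, and only inbound segments are modelled.

```python
from collections import defaultdict

# TCP header flag bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG
# Flag combinations that belong to no connection when seen on their own.
PROBES = {0: "NULL", FIN: "FIN", XMAS: "XMAS", ACK: "ACK"}

def inspect(packets, port_threshold=3):
    """Statefully filter inbound (src, dst_port, flags) records; return
    per-packet 'accept'/'drop' verdicts and sources probing many ports."""
    pending, established = set(), set()      # (src, dst_port) pairs
    ports, kinds = defaultdict(set), defaultdict(set)
    verdicts = []
    for src, port, flags in packets:
        key = (src, port)
        if flags == SYN:                     # connection attempt
            pending.add(key)
            ports[src].add(port)
            kinds[src].add("SYN")
            verdicts.append("accept")
        elif key in pending and flags in (ACK, RST):
            pending.discard(key)             # handshake completed or aborted
            if flags == ACK:
                established.add(key)
            verdicts.append("accept")
        elif key in established and flags not in (0, XMAS):
            if flags & (FIN | RST):
                established.discard(key)     # connection torn down
            verdicts.append("accept")
        else:                                # segment belongs to no connection
            ports[src].add(port)
            kinds[src].add(PROBES.get(flags, "OTHER"))
            verdicts.append("drop")
    scanners = {s: sorted(kinds[s]) for s in ports
                if len(ports[s]) >= port_threshold}
    return verdicts, scanners

# Constructed sample traffic using documentation addresses.
SAMPLE = (
    [("198.51.100.7", 443, f) for f in (SYN, ACK, PSH | ACK, FIN | ACK)]
    + [("203.0.113.9", p, SYN) for p in (22, 25, 80, 443)]
    + [("203.0.113.9", p, RST) for p in (22, 80)]
    + [("203.0.113.50", p, XMAS) for p in (21, 23, 25)]
    + [("203.0.113.77", p, ACK) for p in (80, 6000)]
)

if __name__ == "__main__":
    print(inspect(SAMPLE)[1])
```

The stray ACK packets from 203.0.113.77 are dropped even though that source stays below the reporting threshold, which is the stateful-firewall behaviour described in countermeasure 2.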

 

 

 


 

Suggested Reading:

  1. Cryptography and Network Security Principles and Practice by William Stallings, sixth Edition, PEARSON.
  2. Security in Computing by Charles Pfleeger & Shari Lawrence Pfleeger, fourth Edition, PEARSON.
  3. Network Security by Charlie Kaufman, Radia Perlman, Mike Speciner, second Edition, PHI.
  4. The Complete Reference – Network Security by Roberta Bragg, Mark Rhodes-Ousley & Keith Strassberg, Tata McGraw Hill
  5. Network Security Bible by Eric Cole, Ronald Krutz, James Conley, Wiley
  6. Hacking 6 Exposed by Stuart McClure, Joel Scambray & George Kurtz, Tata McGraw Hill.
  7. www.snort.org
  8. https://nmap.org