10 Networking for Offensive Security IP
7/29/2019 10 Networking for Offensive Security IP
2/7/2013 10:59:55 AM networking-for-offensive-security-IP.ppt
Outline
Networking overview for offensive security
Not a comprehensive coverage of networking, but focused on the networking issues related and relevant to offensive security
Today we will cover the physical layer, link layer, and IP layer
Next time we will cover the TCP layer and additional topics
The Internet
Designed as a research network; assumed that entities are basically trusted
Designed as a network of networks
TCP/IP Model
Message Mapping to the Layers
[Figure: an SVN update message (L7, application) is split into TCP segments (L4), each tagged with source and destination port (SP, DP); each segment is wrapped in an IP packet (L3) carrying source and destination address (SA, DA); each packet is framed at Ethernet (L2) with source and destination MAC (SM, DM). On the wire this is one communications bit stream:
SM DM | SA DA | SP DP | segment 1 ... SM DM | SA DA | SP DP | segment 2]
Physical Layer and Its Security
This layer is the physical medium, such as the wire, fiber, or air (for wireless), across which information is actually transmitted
Classical confidentiality problems apply: wiretapping and related issues
With wireless widely used, wireless vulnerabilities and security are active topics
Hacking Hardware
Many out-of-the-box settings pose a security threat
The Eee PC 701 was exploitable out of the box by default
Default passwords are available for a lot of devices
Due to a chicken-and-egg problem: how to communicate the initial device password to the user
An attacker can use cross-site request forgery (CSRF) to log in to the router with those defaults and change its settings, redirecting users to a malicious DNS server and other services
Wireless Security
Most wireless networks today use the IEEE 802.11 standard
Known as wireless fidelity (Wi-Fi)
Wireless networks use the ISM radio bands (2.4 GHz and 5.0 GHz)
Each band is divided into channels
Two types of wireless networks: infrastructure and ad hoc
Basic Wireless Security Mechanisms
MAC filtering
Hidden wireless networks: the SSID is not beaconed and the access point does not respond to broadcast probe requests
Authentication
WPA Pre-Shared Key (WPA-PSK)
WPA Enterprise
Encryption
WEP (Wired Equivalent Privacy)
Temporal Key Integrity Protocol (TKIP)
AES-CCMP
IPv6 Header Format
</gr_replreplace>
<gr_replace lines="174-183" cat="clarify" orig="Each entity">
Each entity has at least one address
Addresses are divided into subnetworks
Address and mask combination, written three equivalent ways:
192.168.1.0/24 or 10.0.0.0/8
192.168.1.0 255.255.255.0 or 10.0.0.0 255.0.0.0
192.168.1.0-192.168.1.255 or 10.0.0.0-10.255.255.255
Addresses in your own subnetwork are directly connected
Broadcasts should reach them
No need to route packets to them; they are delivered on the link
IPv4 Addressing
Each entity has at least one address
Addresses divided into subnetwork
Address and mask combination
192.168.1.0/24 or 10.0.0.0/8
192.168.1.0 255.255.255.0 or 10.0.0.0 255.0.0.0
192.168.1.0-192.168.1.255 or 10.0.0.0-10.255.255.255
Addresses in your network are directly connected
Broadcasts should reach them
No need to route packets to them
24
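The arithmetic behind the three notations above, and the decision a host makes from it (deliver directly on the link, or hand the packet to the gateway), as an added example that is not part of the original slides. It uses only the Python standard library; the addresses in the docstrings are the slide's own.

```python
# Added example (not from the lecture slides): the arithmetic behind the
# three subnet notations on the slide, plus the "is it on my link?" decision
# a host makes before sending. Standard library only.
import socket
import struct

ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer; inet_aton rejects malformed input."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int_to_ip(value: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", value & ALL_ONES))


def prefix_to_mask(prefix: int) -> str:
    """/24 -> 255.255.255.0"""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((ALL_ONES << (32 - prefix)) & ALL_ONES)


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24. Rejects non-contiguous masks such as 255.0.255.0,
    which some stacks accept and which make 'same subnet' mean something odd."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix


def subnet_range(cidr: str) -> tuple:
    """'192.168.1.0/24' -> ('192.168.1.0', '192.168.1.255')"""
    addr, prefix = cidr.split("/")
    mask = ip_to_int(prefix_to_mask(int(prefix)))
    network = ip_to_int(addr) & mask
    return int_to_ip(network), int_to_ip(network | (~mask & ALL_ONES))


def same_subnet(local_cidr: str, dst: str) -> bool:
    """True when dst shares the interface's network part."""
    addr, prefix = local_cidr.split("/")
    mask = ip_to_int(prefix_to_mask(int(prefix)))
    return (ip_to_int(addr) & mask) == (ip_to_int(dst) & mask)


def next_hop(local_cidr: str, gateway: str, dst: str) -> str:
    """The forwarding decision the slide describes: a destination inside the
    interface's subnetwork is delivered directly (the host ARPs for dst itself);
    anything else is handed to the default gateway (the host ARPs for the gateway)."""
    return dst if same_subnet(local_cidr, dst) else gateway
```

The mask check in `mask_to_prefix` matters more than it looks: a host configured with a non-contiguous mask will treat unexpected addresses as "directly connected" and ARP for them instead of routing, which is a quiet way to misdirect traffic.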
Address Resolution Protocol (ARP)
Used to discover the mapping from neighbouring IP addresses to Ethernet MAC addresses
Need to find the MAC for 192.168.1.3, which is in your interface's subnetwork: broadcast an ARP request on the link
Hopefully receive an ARP reply giving the correct MAC
The device stores this information in an ARP cache or ARP table
ARP Cache Poisoning
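The ARP exchange from the previous slide and the poisoning this slide names, as an added example that is not part of the original slides: request and reply frames are built and parsed byte for byte (RFC 826 layout), and a small ARP cache shows both the normal update path and the checks an arpwatch-style monitor uses to notice a spoofed reply. The MAC and IP addresses are made up for the example.

```python
# Added example (not from the lecture slides): ARP request/reply frames built
# and parsed byte-for-byte, and a small ARP cache that shows both the normal
# update path and the checks an arpwatch-style monitor uses to notice cache
# poisoning. All addresses below are made up for the example.
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP message (RFC 826 layout, 42 bytes).
    Requests go to the broadcast MAC; replies go unicast to the target."""
    dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype=Ethernet, ptype=IPv4
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return a dict for an ARP frame, None for non-ARP, ValueError if malformed."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "eth_src": mac_str(eth_src),
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpCache:
    """IP -> MAC table. strict=False behaves like a typical host: the last reply
    wins, which is exactly what a poisoner relies on. strict=True refuses
    unsolicited replies and silent rebinding, approximating static entries."""

    def __init__(self, strict=False):
        self.table = {}
        self.pending = set()   # IPs we have sent a request for and await a reply
        self.alerts = []
        self.strict = strict

    def send_request(self, ip):
        self.pending.add(ip)

    def receive(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        suspicious = False
        if pkt["eth_src"] != mac:
            # the ARP payload claims a MAC the frame did not come from
            self.alerts.append(f"{ip}: ARP sender MAC {mac} != frame source {pkt['eth_src']}")
            suspicious = True
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            self.alerts.append(f"{ip}: unsolicited reply from {mac}")
            suspicious = True
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip}: mapping changed {old} -> {mac}")
            suspicious = True
        if suspicious and self.strict:
            return            # hardened cache: keep the existing binding
        self.table[ip] = mac  # naive cache: accept, possibly poisoned
```

The strict mode is the trade-off static ARP entries make: a spoofed reply for the gateway is ignored, but so is a legitimate rebinding when the gateway's NIC is replaced, so in practice the alerts are what you act on and the table is left to the OS.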
BGP DoS
BGP uses a TCP connection to communicate routes and test reachability
Attacks on TCP connections are therefore possible
Send a reset; low-resource jamming
Result: cut arbitrary links on the Internet
Easier than cutting cables!
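Why a blind reset works against a long-lived BGP session, and the receive-side check from RFC 5961 that makes it far harder, as an added example that is not part of the original slides. The window and sequence numbers are constructed; the classic behaviour is RFC 793's, where any RST that lands in the receive window aborts the connection.

```python
# Added example (not from the lecture slides): why a blind TCP reset can tear
# down a long-lived BGP session, and the receive-side check from RFC 5961 that
# makes it much harder. Numbers are constructed for the example.
from dataclasses import dataclass

SEQ_SPACE = 1 << 32


@dataclass
class TcpReceiveState:
    rcv_nxt: int   # next sequence number we expect from the peer
    rcv_wnd: int   # our advertised receive window


def in_window(seq, st):
    """RCV.NXT <= seq < RCV.NXT + RCV.WND, with 32-bit wraparound."""
    return (seq - st.rcv_nxt) % SEQ_SPACE < st.rcv_wnd


def handle_rst_rfc793(seq, st):
    """Classic behaviour: any RST whose sequence number lands anywhere in the
    receive window aborts the connection."""
    return "reset" if in_window(seq, st) else "drop"


def handle_rst_rfc5961(seq, st):
    """RFC 5961 section 3: only an RST at exactly RCV.NXT resets; an in-window
    RST elsewhere triggers a challenge ACK. A legitimate peer that really did
    reset answers the challenge ACK with an RST at the right number; a blind
    attacker, who never sees the challenge, cannot."""
    if seq == st.rcv_nxt:
        return "reset"
    if in_window(seq, st):
        return "challenge_ack"
    return "drop"


def blind_rst_sweep(st, handler, step):
    """An attacker who knows the 4-tuple (BGP peers' addresses and port 179 are
    public) but not the sequence number sends RSTs at every `step` sequence
    numbers. Returns how many of those spoofed segments succeed."""
    return sum(1 for seq in range(0, SEQ_SPACE, step) if handler(seq, st) == "reset")


def segments_to_cover_space(rcv_wnd, rfc5961):
    """Worst-case count of spoofed RSTs needed to be sure one is accepted:
    one per window under RFC 793, one per sequence number under RFC 5961."""
    return SEQ_SPACE if rfc5961 else -(-SEQ_SPACE // rcv_wnd)
```

With a 64 KiB window the RFC 793 sweep needs on the order of 65 thousand spoofed segments, which is the "low-resource" part of the slide; under RFC 5961 it needs the full 2^32. Routers additionally protect BGP sessions with TCP MD5 (RFC 2385) or TCP-AO, so the spoofed segment is rejected before any sequence check.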
IP Options in General
Originally envisioned as a means to add more features to IP later
Most routers drop packets with IP options set
Stance of not passing traffic you don't understand; therefore, IP option mechanisms never really took off
In addition to source routing, there are security options
Used for DNSIX, an MLS network encryption scheme
Internet Control Message Protocol (ICMP)
Used for diagnostics
Destination unreachable
Time exceeded: TTL hit 0
Parameter problem: bad header field
Source quench: throttling mechanism, rarely used
Redirect: feedback on a potentially bad route
Echo request and echo reply: ping
Timestamp request and timestamp reply: performance
Packet too big
Can use the information to help map out a network
Some people block ICMP from outside the domain
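ICMP messages built and parsed with the Internet checksum, plus the inference a scanner draws from each reply type when mapping a network, as an added example that is not part of the original slides. The messages are constructed inline; the type and code numbers are those of RFC 792.

```python
# Added example (not from the lecture slides): ICMP messages built and parsed
# with the Internet checksum, and the mapping inference a scanner draws from
# each reply type. Sample messages are constructed inline.
import struct

ICMP_TYPES = {
    0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
    5: "redirect", 8: "echo-request", 11: "time-exceeded",
    12: "parameter-problem", 13: "timestamp-request", 14: "timestamp-reply",
}
UNREACH_CODES = {
    0: "net-unreachable", 1: "host-unreachable", 2: "protocol-unreachable",
    3: "port-unreachable", 4: "fragmentation-needed", 9: "net-admin-prohibited",
    10: "host-admin-prohibited", 13: "communication-admin-prohibited",
}


def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words (odd length padded with 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type, code, rest=b"\x00\x00\x00\x00", payload=b""):
    """8-byte ICMP header + payload; 'rest' is the type-specific second word."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest[:4].ljust(4, b"\x00")
    checksum = inet_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, checksum) + header[4:] + payload


def build_echo_request(ident, seq, payload=b""):
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), payload)


def parse_icmp(data):
    """Verify the checksum (a valid message sums to zero) and split the header."""
    if len(data) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if inet_checksum(data) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _ = struct.unpack("!BBH", data[:4])
    return {"type": icmp_type, "name": ICMP_TYPES.get(icmp_type, "unknown"),
            "code": code, "rest": data[4:8], "payload": data[8:]}


def infer_from_reply(msg):
    """What a reply to a probe tells the person mapping the network."""
    t, c = msg["type"], msg["code"]
    if t == 0:
        return "host up (answered ping)"
    if t == 3:
        if c == 3:
            return "host up, UDP port closed"
        if c in (9, 10, 13):
            return "filtered by an ACL on the path (a device told you so)"
        if c == 1:
            return "last-hop router says host is down or absent"
        return f"unreachable: {UNREACH_CODES.get(c, 'code %d' % c)}"
    if t == 11:
        return "intermediate hop revealed (traceroute)"
    return f"{msg['name']} (code {c})"
```

This is why "block ICMP from outside" is less effective than it sounds: an administratively-prohibited message is itself a reply that tells the scanner a filtering device exists, while silently dropping gives away nothing.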
Strong ES Model
Firewalls
Sits between two networks; used to protect one from the other
Places a bottleneck between the networks
All communications must pass through the bottleneck; this gives us a single point of control
Limitations of Packet Filters
IP addresses of hosts on the protected side of the filter can be readily determined by observing the packet traffic on the unprotected side of the filter
Filters cannot check all of the fragments of higher-level protocols (like TCP), as the TCP header information is only available in the first fragment
Modern firewalls reconstruct the fragments and then check them
Filters are not sophisticated enough to check the validity of the application-level protocols embedded in the TCP packets
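The fragment blind spot and the reassemble-then-filter fix, as an added example that is not part of the original slides: a stateless filter can only match the TCP destination port on the first fragment and has to pass the rest blind, while a reassembler makes one decision on the whole segment. The fragments and port numbers are constructed for the example.

```python
# Added example (not from the lecture slides): the blind spot of a per-fragment
# packet filter and the reassemble-then-filter approach the slide attributes to
# modern firewalls. Fragments and ports below are constructed for the example.
from dataclasses import dataclass
import struct


@dataclass
class Fragment:
    ident: int      # IPv4 Identification field shared by all pieces of one datagram
    offset: int     # Fragment Offset, in 8-byte units
    more: bool      # MF flag
    payload: bytes


def tcp_dport(transport_bytes):
    """Destination port sits at bytes 2..4 of the TCP header."""
    if len(transport_bytes) < 4:
        return None
    return struct.unpack("!HH", transport_bytes[:4])[1]


def filter_per_fragment(frag, blocked_ports):
    """Stateless filter. Only the first fragment carries the TCP header; later
    fragments expose nothing the rule can match, so they are passed blind."""
    if frag.offset == 0:
        return "drop" if tcp_dport(frag.payload) in blocked_ports else "pass"
    return "pass"


class Reassembler:
    """Collect fragments per Identification; return the full datagram once complete.
    Overlapping fragments are rejected outright rather than resolved by some
    first-wins/last-wins policy, because end hosts disagree on that policy."""

    def __init__(self):
        self.pending = {}

    def add(self, frag):
        bucket = self.pending.setdefault(frag.ident, {"pieces": {}, "total": None})
        start = frag.offset * 8
        end = start + len(frag.payload)
        for s, p in bucket["pieces"].items():
            if start < s + len(p) and s < end:
                del self.pending[frag.ident]
                raise ValueError("overlapping fragments")
        bucket["pieces"][start] = frag.payload
        if not frag.more:
            bucket["total"] = end
        if bucket["total"] is None:
            return None
        data, pos = b"", 0
        for s in sorted(bucket["pieces"]):
            if s != pos:
                return None            # gap: still waiting for a piece
            data += bucket["pieces"][s]
            pos = s + len(bucket["pieces"][s])
        if pos != bucket["total"]:
            return None
        del self.pending[frag.ident]
        return data


def filter_reassembled(datagram, blocked_ports):
    """Decision on the whole transport segment: no blind fragments."""
    return "drop" if tcp_dport(datagram) in blocked_ports else "pass"
```

Note what the per-fragment filter lets through: bytes that belong to a connection the policy forbids, which the receiving host will hold in its reassembly buffer waiting for a first fragment that never arrives. Reassembly at the firewall also has to bound that buffer, or the firewall itself becomes the target.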
Translation Modes
Dynamic Translation (IP Masquerading)
a large number of internal users share a single external address
Static Translation
a block of external addresses is translated to a same-size block of internal addresses
Load Balancing Translation
a single incoming IP address is distributed across a number of internal servers
Network Redundancy Translation
multiple Internet connections are attached to a NAT firewall, which chooses among them based on bandwidth, congestion and availability
Dynamic Translation (IP Masquerading )
Also called Network Address and Port Translation (NAPT)
Individual hosts inside the firewall are identified based on the port of each connection flowing through the firewall
Since a connection doesn't exist until an internal host requests a connection through the firewall to an external host, and most firewalls open ports only for the addressed host, only that host can route back into the internal network
IP source routing could route back in; but most firewalls block incoming source-routed packets
NAT only prevents external hosts from making connections to internal hosts
Some protocols won't work: protocols that rely on separate connections back into the local network
Theoretical max of 2^16 connections per external address; actual is much less
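A minimal NAPT state table, as an added example that is not part of the original slides. It shows the properties the slide lists: a mapping exists only after an internal host opens a flow, an inbound packet is delivered only to that host and only from the remote endpoint it talked to, idle mappings time out, and the external port pool is the hard ceiling on concurrent flows. Addresses and ports are constructed for the example.

```python
# Added example (not from the lecture slides): a minimal NAPT state table that
# shows why only the internal host that opened a connection can be reached
# from outside, why unsolicited inbound packets are dropped, how idle entries
# time out, and that the port pool is the hard limit on concurrent flows.
# Addresses and ports are constructed for the example.
from dataclasses import dataclass


@dataclass
class Mapping:
    int_ip: str
    int_port: int
    remote_ip: str
    remote_port: int
    last_seen: float


class Napt:
    def __init__(self, external_ip, idle_timeout=300.0, port_range=(1024, 65536)):
        self.external_ip = external_ip
        self.idle_timeout = idle_timeout
        self.port_range = port_range
        self.by_ext_port = {}   # (proto, ext_port) -> Mapping
        self.by_flow = {}       # (proto, int_ip, int_port, remote_ip, remote_port) -> ext_port

    def _expire(self, now):
        for key, m in list(self.by_ext_port.items()):
            if now - m.last_seen > self.idle_timeout:
                del self.by_ext_port[key]
                del self.by_flow[(key[0], m.int_ip, m.int_port, m.remote_ip, m.remote_port)]

    def _alloc_port(self, proto):
        for port in range(*self.port_range):
            if (proto, port) not in self.by_ext_port:
                return port
        raise RuntimeError("NAPT port pool exhausted")   # the 2^16 ceiling on the slide

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Inside -> outside: create (or refresh) a mapping and rewrite the source."""
        self._expire(now)
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        ext_port = self.by_flow.get(flow)
        if ext_port is None:
            ext_port = self._alloc_port(proto)
            self.by_flow[flow] = ext_port
            self.by_ext_port[(proto, ext_port)] = Mapping(src_ip, src_port, dst_ip, dst_port, now)
        self.by_ext_port[(proto, ext_port)].last_seen = now
        return (proto, self.external_ip, ext_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, ext_port, now):
        """Outside -> inside: deliver only to the host that opened the flow.
        Returns (proto, int_ip, int_port) or None when the packet is dropped."""
        self._expire(now)
        m = self.by_ext_port.get((proto, ext_port))
        if m is None:
            return None                        # unsolicited: nobody inside asked for this
        if (src_ip, src_port) != (m.remote_ip, m.remote_port):
            return None                        # right port, wrong remote endpoint
        m.last_seen = now
        return (proto, m.int_ip, m.int_port)
```

The endpoint check in `inbound` is what separates this from a NAT that accepts any packet arriving at a mapped port; without it, the "stale connection" problem a later slide mentions needs only a guess at the external port, not a spoofed remote address as well.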
Static Translation
Map a range of external addresses to a same-size block of internal addresses
The firewall just does a simple translation of each address
Port forwarding: map a specific port through the firewall rather than all ports; useful to expose a specific service on the internal network to the public network
Load Balancing
A firewall that dynamically maps a request to a pool of identical clone machines
Often done for really busy web sites
Each clone must have a way to notify the firewall of its current load so the firewall can choose a target machine
Or the firewall just uses a dispatching algorithm like round robin
Only works cleanly for stateless protocols (like HTTP), where any clone can answer any request
Services that NAT has problems with
H.323, CUSeeMe, VDO Live: video teleconferencing applications
Xing: requires a back channel
Rshell: used to execute commands on a remote Unix machine; back channel
IRC (Internet Relay Chat): requires a back channel
PPTP (Point-to-Point Tunneling Protocol)
SQLNet2: Oracle database networking services
FTP: must be RFC 1631 compliant to work
ICMP: sometimes embeds the packet's address information in the ICMP message
IPsec: used for many VPNs
IKE (Internet Key Exchange Protocol)
ESP (IP Encapsulating Security Payload)
Hacking through NAT Static Translation
Static translation offers no protection of internal hosts
Internal host seduction: the internals go to the hacker
e-mail attachments, Trojan horses, viruses
peer-to-peer connections
hacker-run porn and gambling sites
solution = application-level proxies
State table timeout problem
a hacker could hijack a stale connection before it is timed out
very low probability, but a smart hacker could do it
Source routing through NAT
if the hacker knows an internal address they can source route a packet to that host
solution is to not allow source-routed packets through the firewall
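The source-routing point here and the "IP Options in General" slide earlier share one mechanism, so one added example (not part of the original slides) serves both: an IPv4 header parser that walks the options area, recognises the two source-routing options (LSRR, SSRR), and applies either filter stance from the slides, dropping source-routed packets, or dropping anything with options at all. Addresses are constructed for the example; the header checksum is left at zero (a Linux raw socket opened with IP_HDRINCL fills it in on send).

```python
# Added example (not from the lecture slides): an IPv4 header parser that walks
# the options area, recognises the two source-routing options (LSRR, SSRR), and
# applies the filter stance from the slides: drop source-routed packets, or drop
# anything with options at all. Addresses are constructed for the example; the
# header checksum is left at zero (a Linux raw socket with IP_HDRINCL fills it in).
import socket
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 7, 131, 137
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR, IPOPT_SSRR}


def parse_options(opts):
    """Return [(type, data), ...]. Length bytes are validated; a bogus length
    in an option is a classic way to make a careless parser read past the header."""
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad option length {length} for type {t}")
        out.append((t, bytes(opts[i + 2:i + length])))
        i += length
    return out


def parse_ipv4(pkt):
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    vihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(pkt) or total_len < ihl:
        raise ValueError("bad version/IHL/total length")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "proto": proto, "options": parse_options(pkt[20:ihl]), "payload": pkt[ihl:total_len]}


def build_ipv4(src, dst, proto, payload, options=b""):
    """Minimal IPv4 header; options padded with EOL to a 4-byte boundary."""
    options = options + b"\x00" * (-len(options) % 4)
    ihl = (20 + len(options)) // 4
    if ihl > 15:
        raise ValueError("options too long (max 40 bytes)")
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                         0x1234, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def build_lsrr(route):
    """Loose Source and Record Route: type 131, length, pointer(=4), then hops."""
    return bytes([IPOPT_LSRR, 3 + 4 * len(route), 4]) + b"".join(socket.inet_aton(h) for h in route)


def filter_decision(pkt, drop_all_options=False):
    """Most routers take the 'drop what you don't understand' stance (drop_all_options);
    firewalls at least drop source-routed packets, which could otherwise be steered
    past NAT to an internal address the attacker already knows."""
    try:
        hdr = parse_ipv4(pkt)
    except ValueError as exc:
        return f"drop:malformed ({exc})"
    types = {t for t, _ in hdr["options"]}
    if types & SOURCE_ROUTE_OPTIONS:
        return "drop:source-routed"
    if types and drop_all_options:
        return "drop:options"
    return "pass"
```

Malformed options are treated as a drop rather than an error path the caller might forget, since a filter that crashes on a bad length byte fails open or fails closed for everyone behind it.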
Proxies
Hides internal users from the external network by hiding them behind the IP of the proxy
Prevents low-level network protocols from going through the firewall, eliminating some of the problems with NAT
Restricts traffic to only the application-level protocols being proxied
A proxy is a combination of a client and a server: internal users send requests to the server portion of the proxy, which then sends the internal users' requests out through its client (and keeps track of which users requested what, to redirect returned data back to the appropriate user)
Proxies
Address seen by the external network is the address of the proxy
Everything possible is done to hide the identity of the internal user
e-mail addresses in the HTTP headers are not propagated through the proxy
Doesn't have to be an actual part of the firewall; any server sitting between the two networks can be used
Effective Border Security
For an absolute minimum level of Internet security a firewall must provide all three basic functions
Packet filtering
Network address translation
High-level application proxying
Use the firewall machine just for the firewall
Won't have to worry about problems with vulnerabilities of the application software
If possible use one machine per application-level server
Just because a machine has a lot of capacity, don't just pile things on it
Isolate applications; a side benefit is that if a server goes down you don't lose everything
If possible make the firewall as anonymous as possible
Hide the product name and version details, especially from the Internet
Problems Firewalls Can't Fix
Many e-mail hacks: remember how easy it is to spoof e-mail
Vulnerabilities in application protocols you allow
Ex. incoming HTTP requests to an IIS server
Modems: don't allow users on the internal network to use a modem in their machine to connect to an external ISP (AOL) to reach the Internet; this exposes everything that user is connected to on the internal network to the external network
Many users don't like the restrictions that firewalls place on them and will try to subvert those restrictions
Single firewall, internal public servers
Leaves the servers between the internal private network and the external network exposed
Servers in this area should provide limited functionality
No services/software they don't actually need
These servers are at extreme risk
Vulnerable to service-specific hacks: HTTP, FTP, mail, ...
Vulnerable to low-level protocol (IP, ICMP, TCP) hacks and DoS attacks
DMZ
[Figure: internal private network (clients and servers) | router / firewall | DMZ holding the FTP server and web server | external public network, where both customers and hackers reach the DMZ]
Bastion Host
Many firewalls make use of what is known as a bastion host
Bastions are hosts stripped down to only the bare fundamentals necessary
no unnecessary services, no unnecessary applications, no unnecessary devices
The combination of the bastion and its firewall are the only things exposed to the Internet
Free Firewall Software Packages
ipchains & iptables: come with most Linux distributions
SELinux (Security-Enhanced Linux, NSA): comes with some Linux distributions (Fedora, Red Hat)
IPCop: specialized Linux distribution
Home & Personal Routers
Provide configurable packet filtering
NAT/DHCP
Linksys: single-board RISC-based Linux computer
D-Link
Enterprise Firewalls
Check Point FireWall-1
Cisco PIX (product family)
MS Internet Security & Acceleration Server
GAI Gauntlet
IKE and ESP/AH
Two parts to IPsec
IKE: Internet Key Exchange
mutual authentication
establish a shared symmetric key
two phases, like SSL session/connection
ESP/AH
ESP: Encapsulating Security Payload, for encryption and/or integrity of IP packets
AH: Authentication Header, integrity only
IKE Phase 1 Summary
Result of IKE phase 1 is
mutual authentication
a shared symmetric key
an IKE Security Association (SA)
But phase 1 is expensive (in the public key and/or main mode cases)
Developers of IKE thought it would be used for lots of things, not just IPsec
IPsec Transport Mode
Before: IP header | data
After:  IP header | ESP/AH | data
Transport mode is designed for host-to-host
Transport mode is efficient: adds a minimal amount of extra header
The original header remains, so a passive attacker can see who is talking
IPsec Security
What kind of protection?
Confidentiality?
Integrity?
Both?
What to protect?
Data?
Header?
Both?
ESP/AH do some combinations of these
AH Header Format (not required for exams)
IPsec Summary
IPsec is a collection of protocols and mechanisms to provide confidentiality, authentication, message integrity, and replay detection at the IP layer
It consists of two parts, IKE and ESP/AH
IPsec is complex, as it is intended to be used for many applications
There are also significant security flaws in its design