Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006


Contents

• Denial of Service Attacks (single source and distributed)
• Fragmentation Attacks
• Spoofing Attacks
• DNS Attacks
• Sniffing Attacks
• FTP Bounce Attack
• Application Attacks

Denial of Service Attacks: Single Source

Denial of Service Attacks

Single source:
• TCP SYN flooding (SYN attack)
• ICMP Echo flooding (Ping attack)
• ICMP Echo amplification via broadcast (Smurf attack)
• UDP Echo amplification via broadcast (Fraggle)
• Oversized ICMP Echo Request (Ping of Death)

Distributed denial of service:
• Trinoo
• Tribe Flood Network (TFN)


SYN Attack

TCP Connection: The Three-Way Handshake

  Segment 1, client → server:  SYN=1 ACK=0  seq 141521              win 4096 <mss 1024>
  Segment 2, server → client:  SYN=1 ACK=1  seq 181521  ack 141522  win 4096 <mss 1024>
  Segment 3, client → server:  SYN=0 ACK=1             ack 181522

Segment 1 shows the client sending a SYN segment with an Initial Sequence Number (ISN) of 141521; the ISN must be unpredictable. This is the Active Open. The field win 4096 is the sender's advertised receive window and <mss 1024> is the maximum segment size the sender is willing to receive. SYN=1, ACK=0.

Segment 2 shows the server (which performed a Passive Open when it started listening) responding with its own SYN, ISN 181521, and acknowledging the client's ISN with ISN + 1 = 141522. SYN=1, ACK=1.

Segment 3 shows the client acknowledging the server's ISN with ISN + 1 = 181522. SYN=0, ACK=1.

Data can now be transmitted. Until Segment 3 arrives, the server holds a half-open connection in its listen backlog; that state is what a SYN flood exhausts.

TCP SYN Flooding

Attack method. Hosts of the period kept only a small backlog of half-open connections per listening port (the slide cites 8-16). The hacker sends a stream of SYN segments, about 120 per second, each with a different, unreachable spoofed source address. The target answers each with a SYN-ACK to an address that never replies, so every half-open entry sits in the backlog until it times out. All slots are consumed and any TCP-based service is denied to legitimate clients.

Countermeasures. Enlarge the connection backlog, shorten the half-open time-out, and validate TCP connection requests before committing state to them (SYN cookies are the standard form of this).

Diagram:
  Hacker → Target:             SYN=1 ACK=0  seq 141521              win 4096  (unreachable source address)
  Target → unreachable addr:   SYN=1 ACK=1  seq 181521  ack 141522  win 4096
  Hacker → Target:             SYN=1 ACK=0  seq 141686              win 4096  (unreachable source address)
  Target → unreachable addr:   SYN=1 ACK=1  seq 181521  ack 141687  win 4096
  Hacker → Target:             SYN=1 ACK=0  seq 141721              win 4096  (unreachable source address)
  Target → unreachable addr:   SYN=1 ACK=1  seq 181521  ack 141722  win 4096
  Legitimate Client → Target:  SYN ... denied access (backlog full)
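The two halves of this slide as runnable Python, added here as an illustration and not code from the original deck: a listener whose fixed backlog is exhausted by spoofed SYNs that are never acknowledged, and a simplified SYN-cookie check, the stateless form of "validate TCP request packets", which goes a step beyond the slide. Backlog size, time-out, rate, addresses and the HMAC-based cookie layout are constructed; real SYN cookies also encode the MSS and use a narrower counter.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed parameters mirroring the slide: a small backlog of half-open
# connections, a long half-open time-out, and roughly 120 spoofed SYNs/second.
BACKLOG_SLOTS = 16
HALF_OPEN_TIMEOUT = 75.0   # seconds an unanswered SYN-ACK keeps its slot
SYN_RATE = 120             # spoofed SYNs per second


@dataclass
class Listener:
    """Classic listener: every SYN takes a backlog slot until ACK or time-out."""
    capacity: int
    timeout: float
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> expiry

    def on_syn(self, src_ip: str, src_port: int, now: float) -> bool:
        """Return True if a SYN-ACK was sent (slot taken), False if dropped."""
        self.half_open = {k: v for k, v in self.half_open.items() if v > now}
        if len(self.half_open) >= self.capacity:
            return False
        self.half_open[(src_ip, src_port)] = now + self.timeout
        return True


def flood_then_connect(seconds: float = 1.0):
    """Spoofed SYNs from unreachable addresses, then one legitimate client.
    Returns (legitimate_client_got_a_slot, half_open_entries_left)."""
    listener = Listener(BACKLOG_SLOTS, HALF_OPEN_TIMEOUT)
    now = 0.0
    for i in range(int(SYN_RATE * seconds)):
        # Constructed unreachable sources in the TEST-NET-3 range; nobody
        # answers the SYN-ACK, so each entry lives until the time-out.
        listener.on_syn(f"203.0.113.{i % 256}", 40000 + i, now)
        now += 1.0 / SYN_RATE
    return listener.on_syn("192.0.2.10", 51000, now), len(listener.half_open)


# SYN cookies: validate the handshake without per-SYN state. The server ISN is
# a keyed hash over the 4-tuple and the client ISN; the top 8 bits carry a
# slowly increasing counter so old cookies stop being accepted.
SECRET = b"constructed-demo-secret"   # a real host draws this at boot


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{client_isn}|{counter}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")


def ack_is_valid(src_ip, src_port, dst_ip, dst_port, client_isn, ack_num,
                 counter_now, window=2):
    """Accept the third segment only if ack_num - 1 is a cookie this host
    would have issued within the last `window` counter ticks."""
    server_isn = (ack_num - 1) & 0xFFFFFFFF
    for c in range(counter_now, counter_now - window - 1, -1):
        if (c & 0xFF) == server_isn >> 24 and \
           syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, c) == server_isn:
            return True
    return False
```

With the slide's numbers the legitimate client is refused after one second of flooding while sixteen spoofed entries still occupy the backlog; the cookie path spends no memory on a SYN at all, so the same flood costs the server only the SYN-ACKs it transmits.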

Ping Attack (ICMP Echo Flooding)

The hacker sends a stream of ICMP Echo Requests to the target, expecting an Echo Reply for each. Because the hacker has far more bandwidth (a T-1 link in the slide's diagram against the target's 128 Kbit/s link), requests arrive faster than the target's link and host can handle them.

Countermeasures. None at the target itself: once the link is saturated, dropping packets at the target does not help, so ICMP must be filtered or rate-limited upstream.

Diagram: Hacker (T-1 link) → Internet → Target (128K link); packets 1, 2, 3, 4, 5 ... n arriving at the target.

Smurf Attack (ICMP Echo Amplification)

The hacker sends ICMP Echo Requests to the broadcast address of an intermediary network, with the source address spoofed to that of the target. The intermediary network serves as a "bounce site": every station on it returns an Echo Reply to the target, so the network multiplies the effect of each "ping". The Echo Request can be sent to many networks at once.

Countermeasures. Disable IP directed broadcasts at your routers. Configure hosts not to respond to ICMP Echo Requests sent to a broadcast address.

Diagram: Hacker → Internet → bounce network: one Echo Request to the broadcast address; each host on the bounce network → Target: Echo Reply, Echo Reply, Echo Reply ... packet n.

DoS: LAND Attack

• In the LAND attack a crafted SYN packet is sent whose source IP address and port are the same as the destination IP address and port. Some TCP/IP implementations then allocate excessive resources (in effect talking to themselves), slow down, and eventually hang or reboot.

Ping o' Death Attack (Oversized ICMP Echo Request)

ICMP, an integral part of IP, is used to report network errors. PING uses ICMP Echo Request and Echo Reply packets to test host reachability. A normal ping carries a small payload (the traditional default is 56 bytes of data plus the 8-byte ICMP header, 64 bytes of ICMP in all) behind the IP header. The maximum IP datagram is 65,535 bytes; if the hacker sends fragments of an ICMP Echo Request that reassemble to more than 65,535 bytes, the receiving stack's reassembly buffer overflows and the system can crash or reboot. A newer variant modifies the header to claim more data than the packet actually contains.

Countermeasures. Operating system and router updates that check the reassembled size of the datagram. Block PING (ICMP Echo) traffic at the firewall.

Diagram: Hacker (T-1 link) → Internet → Target (128K link); packet > 65,535 bytes.

Other DoS Attacks

Papasmurf: a combination of Smurf and Fraggle.
Land: a spoofed packet where Source IP = Destination IP and Source Port = Destination Port.
Latierra: a Land relative that sends multiple Land packets to multiple ports.
Jolt2: a stream of packet fragments none of which has an offset of zero, so the datagram can never be reassembled.
WinNuke: sends out-of-band (URG) data to port 139 (NetBIOS) on the victim's machine.

Distributed Denial of Service Attacks (DDoS)

General
• DoS is designed to bring down a network or a computer by overloading it with large amounts of network traffic using TCP, UDP or ICMP.
• Past attacks came from a single source and were relatively easy to detect and block.
• Current attacks use distributed tools such as Trinoo and TFN.
• Distributed DoS tools launch simultaneous attacks from many compromised computer systems at individual or multiple targets.
• Such attacks are almost impossible to trace back to the source.

Common DDoS Types

Trinoo / WinTrinoo: one of the earliest DDoS tools. Launches a UDP flood. Master and agents communicate over unencrypted TCP/UDP. Root access is not needed to launch the attack.

Tribe Flood Network (TFN) / TFN2K: employs Smurf, UDP, ICMP and TCP SYN floods. Master and agents communicate with ICMP Echo Reply packets; commands are carried in the ICMP ID field. The agent is silent and does not reply to the master, which therefore sends each command several times. Root or Administrator privileges on the agent host are required.

Fragmentation Attacks

• Teardrop Attack
• Fragment Overflow Attack

Teardrop Attack

• The Teardrop attack sends two IP fragments of the same datagram, the second of which is contained entirely within the first. The reassembly code computes a negative data length for the overlap and copies far too much memory, crashing the host.
• Many TCP/IP implementations of the time could not handle this.

Teardrop Attack: Packet Layout Reference

Ethernet frame: Preamble | Destination Address | Source Address | Type Field | IP datagram | FCS

IP header (bits 0-15 / 16-31 per 32-bit word):
  VERS (4 bits) | HLEN (4 bits) | TOS (8 bits) | Total Length (16 bits, 0-65535)
  Identification (16 bits) | Flags (3 bits) | Fragment Offset (13 bits)
  TTL (8 bits) | Protocol (8 bits; 17 = UDP) | Header Checksum (16 bits)
  Source IP Address (32 bits)
  Destination IP Address (32 bits)
  IP Options (if any; 32-bit words)

UDP header: UDP Source Port | UDP Destination Port | UDP Message Length | UDP Checksum | Data

The slide's example datagram is IP HEADER | UDP HEADER | DATA, with UDP source and destination port 53 (DNS).

Teardrop Attack Concept

The IP header is 20 bytes without options and at most 60 bytes (options are limited to 40 bytes). Consider a 60-byte UDP datagram crossing links of MTU 1500, then MTU 512, then 1500. The hacker does not rely on a router to fragment it: he crafts the two fragments himself.

  Fragment 1:  TL 512  ID 26313  DF 0  MF 1  OS 0   (512 bytes; 492 bytes of data at offset 0)
  Fragment 2:  TL 32   ID 26313  DF 0  MF 0  OS 1   (32 bytes; 12 bytes of data at offset 1 x 8 = 8)

This attack takes advantage of a bug in the IP fragment reassembly code: it checks for a fragment that is too long but not for one that is too short. Fragment 2 begins inside Fragment 1 and ends before Fragment 1 does, so the "remaining length" the reassembler computes is negative and is then used as a huge unsigned copy length. The attack was directed at Windows NT, Windows 95 and Linux boxes of the time.

Steps: encapsulate a UDP packet inside an IP packet; spoof the source IP address and port; create two specially constructed IP fragments. The first has OS = 0, MF = 1 and a data size of N. The second has 0 < OS < N, MF = 0 and a size small enough that it ends inside the first.

NT/Win 95 could normally withstand 5-10 fragment pairs before crashing or rebooting. Fixes were posted by Microsoft.

Diagram: Hacker → Target: Fragment 1 (512 bytes), then Fragment 2 (32 bytes); the target receives Fragment 1 and then Fragment 2.

Fragment Overflow Attack

Attack method. The IP Total Length field is 16 bits, so a datagram can be at most 65,535 bytes including the header (65,515 bytes of data with a 20-byte header). Intermediate routers fragment the datagram to fit the MTU of the next network. The MF (More Fragments) flag cleared to 0 marks the last fragment. If the receiving station never receives a last fragment, or the fragments never add up to a complete datagram, it keeps allocating buffer space for partial datagrams until memory is exhausted and the system crashes.

Countermeasures. The slide lists no defence. In practice reassembly state is bounded: incomplete datagrams are discarded after a timeout and the memory devoted to reassembly is capped.

Header fields referenced: VERS (4 bits), HLEN (4 bits), TOS (8 bits), Total Length (16 bits); Identification (16 bits); Flags (3 bits: reserved 0, DF, MF); Fragment Offset (13 bits); TTL (8 bits); Protocol (8 bits); Checksum (16 bits); Source and Destination IP Address (32 bits each); IP Options (if any, <= 40 bytes); IP datagram data.
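One reassembler that applies the checks the last three slides call for, added as an illustration and not code from the deck: it rejects the Ping of Death (a datagram that would reassemble beyond 65,535 bytes), the Teardrop pair from the slide (a fragment nested inside an earlier one, which gives naive code a negative length), and bounds the Fragment Overflow case by expiring incomplete datagrams and capping how many are held. The time-out, the pending-datagram cap and every fragment value other than the slide's Teardrop pair are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_DATAGRAM = 65535        # 16-bit Total Length: header plus data
IP_HEADER = 20              # header without options
REASSEMBLY_TIMEOUT = 30.0   # seconds to hold an incomplete datagram (constructed)
MAX_PENDING = 64            # cap on incomplete datagrams held at once (constructed)


@dataclass
class Fragment:
    ident: int          # IP Identification field
    offset: int         # Fragment Offset in bytes (header value * 8)
    more: bool          # MF flag
    payload: bytes


@dataclass
class Pending:
    expires: float
    pieces: list = field(default_factory=list)   # (start, end, data)
    last_end: Optional[int] = None               # set when the MF=0 fragment arrives


class Reassembler:
    def __init__(self):
        self.pending = {}   # ident -> Pending

    def expire(self, now: float):
        """Fragment-overflow defence: discard incomplete datagrams past the timeout."""
        self.pending = {k: v for k, v in self.pending.items() if v.expires > now}

    def receive(self, frag: Fragment, now: float):
        """Return ("complete", data), ("pending", None) or ("dropped", reason)."""
        self.expire(now)
        end = frag.offset + len(frag.payload)
        if end > MAX_DATAGRAM - IP_HEADER:
            self.pending.pop(frag.ident, None)
            return "dropped", "ping-of-death: reassembled datagram would exceed 65535 bytes"
        p = self.pending.get(frag.ident)
        if p is None:
            if len(self.pending) >= MAX_PENDING:
                return "dropped", "fragment-overflow: too many incomplete datagrams"
            p = self.pending[frag.ident] = Pending(now + REASSEMBLY_TIMEOUT)
        for start, stop, _ in p.pieces:
            if start < frag.offset < stop and end <= stop:
                # Teardrop: the new fragment starts inside an earlier one and
                # ends before it does, so naive code computes a negative length.
                del self.pending[frag.ident]
                return "dropped", "teardrop: fragment nested inside an earlier fragment"
            if frag.offset < stop and start < end:
                del self.pending[frag.ident]
                return "dropped", "overlapping fragments"
        p.pieces.append((frag.offset, end, frag.payload))
        if not frag.more:
            p.last_end = end
        if p.last_end is not None:
            p.pieces.sort()
            contiguous = all(p.pieces[i][1] == p.pieces[i + 1][0]
                             for i in range(len(p.pieces) - 1))
            if contiguous and p.pieces[0][0] == 0 and p.pieces[-1][1] == p.last_end:
                del self.pending[frag.ident]
                return "complete", b"".join(data for _, _, data in p.pieces)
        return "pending", None


def slide_teardrop():
    """The two fragments from the slide: ID 26313, TL 512/MF 1/OS 0 and
    TL 32/MF 0/OS 1 (offset 1 = 8 bytes). Payload sizes exclude the 20-byte header."""
    r = Reassembler()
    r.receive(Fragment(26313, 0, True, b"A" * (512 - IP_HEADER)), 0.0)
    return r.receive(Fragment(26313, 8, False, b"B" * (32 - IP_HEADER)), 0.0)
```

The teardrop test is the `start < offset < stop and end <= stop` condition: it is exactly the case where "current end minus new start" goes negative in the vulnerable code, and it is checked before any copy happens.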

Spoofing Attacks

• IP Spoof
• TCP Sequence Attack
• ARP Spoof
• ICMP Spoof
• RIP Spoof

IP Spoof Attack

The IP spoof attack is really a trust-relationship exploitation: a trusted relationship that requires only IP-address-based authentication.

The attack is composed of several components:
1. Identify a target host.
2. Identify a host with a trusted relationship to the target.
3. Execute a denial of service attack against the trusted host (e.g. a TCP SYN attack) so it cannot respond to the target's SYN-ACKs.
4. Sample and guess the TCP sequence number the target will use.
5. Impersonate the trusted host and attempt a connection that requires only address-based authentication.

IP Spoofing

Diagram: the Internet, a screening router, the internal networks 181.10.10.0 (hosts 181.10.10.2, the target, and 181.10.10.3) and 181.10.13.0 (trusted host 181.10.13.1), and the hacker outside. The packet "From: 181.10.13.1, To: 181.10.10.2" APPEARS to come from 181.10.13.1 but REALLY comes from the hacker.

1. The hacker assumes source address 181.10.13.1 in order to fool the screening router by appearing to reside on the internal network (a trusted host).
2. The screening router is fooled into believing the packet is coming from an internal address.

Countermeasure. This attack is defeated by filtering on both the inbound and outbound interfaces of the firewall: drop inbound packets whose source address belongs to the internal networks, and drop outbound packets whose source address does not.
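The countermeasure as a pair of filter rules over the slide's addresses, added as an illustration and not code from the deck: inbound packets claiming an internal source are dropped, outbound packets not sourced from the internal networks are dropped. The 181.10.x.x networks are the slide's hypothetical addresses; the other addresses and the audit helper are constructed.

```python
import ipaddress

# Constructed from the slide's diagram: the networks behind the screening
# router (the slide's hypothetical 181.10.x.x addresses).
INTERNAL_NETS = [ipaddress.ip_network("181.10.10.0/24"),
                 ipaddress.ip_network("181.10.13.0/24")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(direction: str, src: str, dst: str) -> str:
    """Anti-spoofing rules for the screening router. `direction` is "in" for
    packets arriving from the Internet and "out" for packets leaving.
    Returns "permit" or "deny: <reason>"."""
    ip = ipaddress.ip_address(src)
    if direction == "in":
        if is_internal(src):
            # The slide's attack: an outside packet wearing an inside address.
            return "deny: internal source address arriving from the Internet"
        if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            return "deny: source address is not globally routable"
        return "permit"
    if direction == "out":
        if not is_internal(src):
            # Egress filter: stops our own hosts from spoofing someone else.
            return "deny: outbound packet not sourced from an internal network"
        return "permit"
    raise ValueError(f"unknown direction {direction!r}")


def audit(packets):
    """Apply the rules to (direction, src, dst) tuples; return the denied ones
    with their reasons, as a firewall log or rule test would."""
    results = [(d, s, dst, filter_packet(d, s, dst)) for d, s, dst in packets]
    return [r for r in results if r[3] != "permit"]
```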

DNS Attacks: DNS Cache Poisoning

Background
1. The DNS server translates hostnames into IP addresses, translates IP addresses into hostnames, and provides other host information.
2. There are three main categories of DNS servers:
   primary: there is only one primary server for each domain, and all domain data is derived from it. It is loaded by the domain administrator. The primary server is authoritative.
   secondary: there can be more than one secondary server per domain; it acts as a backup to the primary. The domain database is transferred (zone transfer) from the primary to the secondary on a scheduled basis.
   cache-only: these servers acquire their information from other name servers and cache it. They are non-authoritative.

Diagram: the Internet connecting DNS.Server.Com, Host.Target.Com, Hacker.Bad.Com and DNS.Bad.Com.

Background, continued
3. A (BIND 4-style) DNS server does this by maintaining the following files:
   named.hosts: the zone file that maps host names to IP addresses.
   named.rev: the reverse zone file that maps IP addresses to host names.
   named.ca: addresses of the root domain servers.
   named.local: the loopback address, 127.0.0.1.
   named.boot: the named parameters, pointing to the source of the domain database information.
4. The local DNS server maintains a cache of its most recent answers. It examines this cache first to see if it already knows the answer; if not, it forwards the query to other DNS servers. On receiving the answer it updates its cache and forwards the response to the client.

Possible attacks: poison the DNS cache; poison the name server; imitate the name server.

Attack 1: DNS Cache Poisoning, The Seed

1. Hacker.bad.com sends a recursive query to DNS.server.com requesting the IP address of unknown.bad.com.
2. DNS.server.com is not authoritative for this domain, so it queries DNS.bad.com. Because DNS.bad.com is under the hacker's control, the hacker sees this query and learns the transaction ID DNS.server.com is using; with sequential IDs the next one is predictable. The hacker needs this ID to get the resolver to accept the poison.
3. Hacker.bad.com submits a query to DNS.server.com for the address of www.anyone.com.
4. The hacker immediately spoofs the reply, using the predicted ID and DNS.server.com's source port, with www.anyone.com = 127.0.0.1. This seeds the cache; the IP address could be any address the hacker specifies.

Diagram: (1) Hacker.Bad.Com → DNS.Server.Com: "What is the IP address of Unknown.Bad.Com?"; (2) DNS.Server.Com → DNS.Bad.Com, observed by the hacker; (3) Hacker.Bad.Com → DNS.Server.Com: "What is the IP address of www.anyone.com?"; (4) spoofed reply → DNS.Server.Com: "The IP address of www.anyone.com is 127.0.0.1!"

Attack 1: DNS Cache Poisoning, The Spoof

1. Host.target.com sends a query to DNS.server.com because it wants to connect to www.anyone.com.
2. DNS.server.com responds with the address from its poisoned cache. Until the forged record's TTL expires, every client of DNS.server.com is sent to the hacker's chosen address.

Diagram: Host.Target.Com → DNS.Server.Com: "What is the IP address of www.anyone.com?"; DNS.Server.Com → Host.Target.Com: "The IP address of www.anyone.com is 127.0.0.1!"
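A toy caching resolver that reproduces the two slides, added as an illustration and not code from the deck: in legacy mode it uses sequential transaction IDs and source port 53, so the hacker's predicted reply is accepted and 127.0.0.1 is cached; in hardened mode it randomises both and ignores answers outside the bailiwick of the query, which also stops the variant (beyond the slide) where DNS.bad.com's genuine answer carries an extra record for www.anyone.com. Names follow the slide; the IDs, ports and the 198.51.100.9 address are constructed.

```python
import random


def in_bailiwick(name: str, qname: str) -> bool:
    """True if `name` lies in the zone the query for `qname` was sent to.
    Approximated here as qname's parent domain (unknown.bad.com -> bad.com)."""
    zone = qname.split(".", 1)[1] if "." in qname else qname
    return name == qname or name.endswith("." + zone)


class ToyResolver:
    """Caching resolver model. A reply is accepted only if it matches an
    outstanding query by transaction ID, question name and source port."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.rng = random.SystemRandom()
        self.next_id = 1000         # sequential IDs: the 2006-era weakness
        self.pending = {}           # txid -> (qname, source_port)
        self.cache = {}             # name -> ip

    def send_query(self, qname: str):
        if self.hardened:
            txid = self.rng.randrange(65536)          # random 16-bit ID
            port = self.rng.randrange(1024, 65536)    # random source port
        else:
            txid, self.next_id = self.next_id, self.next_id + 1
            port = 53                                  # fixed, well-known port
        self.pending[txid] = (qname, port)
        return txid, port

    def receive_response(self, txid: int, port: int, qname: str, answers) -> int:
        """answers: list of (name, ip). Returns how many records were cached."""
        if self.pending.get(txid) != (qname, port):
            return 0
        del self.pending[txid]
        cached = 0
        for name, ip in answers:
            if self.hardened and not in_bailiwick(name, qname):
                continue            # bailiwick check: ignore records for other zones
            self.cache[name] = ip
            cached += 1
        return cached


def id_prediction_attack(resolver: ToyResolver):
    """The slide's sequence. Steps 1-2: the hacker asks for unknown.bad.com and,
    running DNS.bad.com, sees the resolver's query and its transaction ID.
    Steps 3-4: the hacker asks for www.anyone.com and at once spoofs the reply
    with the predicted next ID and port 53. Returns (records_cached, cached_ip)."""
    txid1, port1 = resolver.send_query("unknown.bad.com")
    resolver.receive_response(txid1, port1, "unknown.bad.com",
                              [("unknown.bad.com", "198.51.100.9")])   # genuine reply
    predicted_id = txid1 + 1
    resolver.send_query("www.anyone.com")
    cached = resolver.receive_response(predicted_id, 53, "www.anyone.com",
                                       [("www.anyone.com", "127.0.0.1")])
    return cached, resolver.cache.get("www.anyone.com")


def additional_record_attack(resolver: ToyResolver):
    """Variant needing no ID guess: DNS.bad.com answers the genuine query for
    unknown.bad.com but appends a record for www.anyone.com. Returns cached IP."""
    txid, port = resolver.send_query("unknown.bad.com")
    resolver.receive_response(txid, port, "unknown.bad.com",
                              [("unknown.bad.com", "198.51.100.9"),
                               ("www.anyone.com", "127.0.0.1")])
    return resolver.cache.get("www.anyone.com")
```

In hardened mode the spoofed reply fails regardless of any lucky ID guess because it is addressed to port 53 while the resolver is listening on a random port; the bailiwick rule handles the case where the hacker does not need to guess at all.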

Sniffer Attack

Concept. On shared (hub or coaxial) Ethernet every frame reaches every station, and each station normally keeps only the frames addressed to its own MAC address. A hacker running a sniffer in promiscuous mode on the LAN captures everything and looks for: unencrypted passwords; encrypted passwords (for offline cracking); private data; financial information (account numbers); low-level protocol information. A sniffer attack is normally a prelude to other attacks.

Action. Host A telnets to Host B, sending its user name and password in the clear. The hacker, on the same segment, captures the password for later use.

Countermeasures. Segment the LANs (switching). Encrypt authentication and include a timestamp so a captured credential cannot be replayed. Use one-time or challenge-response authentication tokens (card, ring, etc.).

FTP Bounce Attack

Normal (Active) FTP Connection
1. The client opens an FTP command channel to the server (port 21) and, with the PORT command, tells the server its data port number (port 4141).
2. The server acknowledges the request ("OK").
3. The server opens the data channel from its port 20 to the client's data port (4141).
4. The client acknowledges this connection.

The attack concept.
1. The PORT command has the form PORT n1,n2,n3,n4,n5,n6.
2. It names the client IP address (n1.n2.n3.n4) and port (n5 x 256 + n6). Nothing in the protocol forces that address to be the client's own.

Diagram (FTP connection example): FTP server (ports 20, 21) and FTP client (ports 4140, 4141). Client → server:21: PORT (IP address, 4141); server → client: "OK"; server:20 → client:4141: data channel; client → server: "OK".

FTP Connection Example, continued

Passive FTP Connection
The client opens an FTP command channel to the server (port 21) and sends PASV. The server acknowledges passive mode and allocates a port (2266) as its data port, returning it in the same h1,h2,h3,h4,p1,p2 form ("OK 2266"). The client opens the data channel from its own data port (4141) to the server's data port (2266). The server acknowledges the data connection.

Diagram: client → server:21: "PASV"; server → client: "OK 2266"; client:4141 → server:2266: data channel; server → client: "OK".

FTP Bounce Attack Concept

Three parties: the Hacker's server, the Bounce Server and the Target Server.
• The Target Server will allow a connection from the Bounce Server; the hacker cannot access the Target Server directly.
• The Bounce Server offers an incoming FTP connection with a world-writable directory.
• The hacker can run FTP in passive mode on her own server, so it can receive a data connection.

FTP Bounce Attack, Phase 1

The hacker opens an FTP connection to her own server, changes to a writable directory and issues a PASV command followed by a STOR command. She remembers the IP address and port (H,H,H,H,P,P) returned by PASV; her server is now waiting there for a data connection.

She constructs a file called "retrvit" containing a series of FTP commands that will: sign on to the Target Server; change directory to the desired file; use the PORT command to specify the IP address and port (H,H,H,H,P,P) of the hacker's server; and retrieve the file.

FTP Bounce Attack, Phase 2

She opens an FTP command connection to the Bounce Server, logs in anonymously and changes to the world-writable incoming directory. She transfers the file "retrvit" there, then issues a PORT command pointing at the Target Server's FTP control port and retrieves "retrvit". The Bounce Server opens a data connection to the target and "sends" the file, which the target's FTP server reads as a sequence of commands.

The commands contained in "retrvit" tell the Target Server to establish a data connection to the IP address and port (H,H,H,H,P,P) of the hacker's server and to download the desired files there. From the target's point of view, the session came from the trusted Bounce Server.
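The PORT command from the FTP slides, as an added Python illustration and not code from the deck: a parser for the h1,h2,h3,h4,p1,p2 form and the check that patched FTP servers apply to stop bounce attacks, refusing a data connection to any host other than the control-connection peer or to a privileged port. The 4141 data port is the slide's; the addresses and the other ports are constructed.

```python
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
                     re.IGNORECASE)


def parse_port_command(line: str):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port) or raise ValueError."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("malformed PORT command")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet out of range")
    return f"{n[0]}.{n[1]}.{n[2]}.{n[3]}", n[4] * 256 + n[5]


def build_port_command(ip: str, port: int) -> str:
    """Inverse of parse_port_command: what an active-mode client sends."""
    o = str(ipaddress.IPv4Address(ip)).split(".")
    return f"PORT {o[0]},{o[1]},{o[2]},{o[3]},{port // 256},{port % 256}"


def check_port_command(line: str, control_peer_ip: str):
    """Bounce-attack defence on the server side: the data connection may go
    only back to the host holding the control connection, and only to an
    unprivileged port. Returns (accept, reason)."""
    try:
        ip, port = parse_port_command(line)
    except ValueError as exc:
        return False, str(exc)
    if ip != control_peer_ip:
        # The bounce: a PORT aimed at a third party (e.g. the target's port 21).
        return False, f"PORT target {ip} differs from control peer {control_peer_ip}"
    if port < 1024:
        return False, f"PORT to privileged port {port} refused"
    return True, "ok"
```

The bounce in Phase 2 is exactly a PORT whose address is not the client's own: on a server with this check the `retrvit` trick is refused before any data connection is opened.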

Web Attacks

• Cross-Site Scripting
• SQL Injection
• Directory Traversal
• Command Injection
• Malicious Code Execution

Cross-Site Scripting

• Cross-site scripting attacks place malicious script in locations where other users' browsers will execute it. The intention is usually to steal cookies that carry the user's session (and so their identity and privileges), or to trick users into supplying their credentials to the attacker.

• Many web sites use cookies to store information about users. Cookies commonly carry a session identifier that stands in for the user's logged-in identity, and some sites have put the username or even the password itself in them. Whoever holds the cookie can use that identity.

• When someone browses to a page, their browser sends the web server an HTTP request containing the site's cookie. Session cookies normally live only until the browser is closed or the session expires on the server, so a stolen cookie has to be used while it is still valid.

XSS

• Many web sites contain forms used to post information such as names and addresses, or comments on bulletin boards. The hacker can inject script through such a form; the vulnerable server stores it and includes it verbatim in pages it serves to other users.

• Scripting code is wrapped in tags such as <SCRIPT>. When a victim's browser renders the page, the script runs in the context of the vulnerable site, reads the victim's cookies for that site and sends them to another location such as the hacker's web site (hence the name: Cross-Site Scripting). Those cookies may carry the login session.

XSS

• Another variety of cross-site scripting attack does not steal cookies but dupes the victim into supplying his or her credentials. The attacker enters script into a form. When a user views the stored content, the script pops up a form asking the victim for their details, and that form sends them to the attacker.

• Instead of targeting holes in the server's operating system or web server software, the attack works directly against the users of the site. It tricks a user into submitting web scripting code (JavaScript, JScript, etc.) to a dynamic page on the targeted site; if the site does not validate or encode that input, it passes it verbatim back to the user's browser, where it runs with the site's privileges and can cause all kinds of damage.

XSS

• Consider the following URL: http://www.example.com/search.pl?text=<script>alert(document.cookie)</script>

• If an attacker can get us to follow a link like this and the web application reflects the text parameter into the page without validating or encoding it, our browser will pop up an alert showing our current set of cookies for the site. This particular example is harmless; an attacker can do much more, including stealing session cookies or passwords, resetting your home page, or redirecting you to another web site.
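The slide's search.pl URL against a reflecting handler and an output-encoded one, as an added Python illustration and not code from the deck. The handler bodies, the <p> markup and the attribute-context variant are constructed; html.escape is the standard-library encoder.

```python
import html
from urllib.parse import urlsplit, parse_qs

# The slide's URL, used as the constructed request.
SLIDE_URL = "http://www.example.com/search.pl?text=<script>alert(document.cookie)</script>"


def render_vulnerable(text: str) -> str:
    """search.pl as the slide implies it behaves: reflects the parameter as-is."""
    return f"<p>Results for: {text}</p>"


def render_hardened(text: str) -> str:
    """Output encoding: every user-controlled string is HTML-escaped at the
    point it is written into markup, so browsers see text, not tags."""
    return f"<p>Results for: {html.escape(text, quote=True)}</p>"


def render_attr_hardened(text: str) -> str:
    """Attribute context: quote=True also turns " and ' into entities, so the
    input cannot close the value and add an event handler."""
    return f'<input name="text" value="{html.escape(text, quote=True)}">'


def serve_search(url: str, hardened: bool) -> str:
    """Simulate the request for `url` and return the page body."""
    params = parse_qs(urlsplit(url).query)
    text = params.get("text", [""])[0]
    return render_hardened(text) if hardened else render_vulnerable(text)


def executes_script(page: str) -> bool:
    """Rough browser-side check: does the page contain a live <script> tag?"""
    return "<script" in page.lower()
```

Encoding belongs at the output, not the input: the same string may be safe in one context (a text node) and dangerous in another (an attribute, a URL, inline script), and only the code writing the markup knows which applies.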

SQL Injection

• In a SQL injection attack the attacker executes database commands through form fields or URL parameters.
• The CGI script inserts the input data into a query string which is then submitted to the SQL server. The attack adds characters to the input so that extra SQL commands are performed, or so the intended action is applied to more database entries than expected.
• Example: the address www.example.com/article.asp?id=2 has a file (article.asp), a parameter (id) and a value (2).

SQL Injection

• In this case the script should accept only numeric values for id. If letters or punctuation are sent instead, the script should reject the request; not doing so means attacker-supplied SQL reaches the database.
• The injected text can be a SQL query, and based on its result the attacker can proceed with further queries.
• The attacker can also bypass login.

SQL Injection

• Start with the single-quote trick. Input something like hi' or 1=1-- into the login field, the password field, or even the URL:
  - Login: hi' or 1=1--
  - Password: hi' or 1=1--
  - http://duck/index.asp?id=hi' or 1=1--
  The quote closes the string literal, or 1=1 makes the WHERE clause always true, and -- comments out the rest of the original query. If you must do this through a hidden field, download the page's HTML source, save it to disk, modify the form action URL and the hidden field accordingly, and submit it.

SQL Injection

• <FORM action=http://duck/Search/search.asp method=post> <input type=hidden name=A value="hi' or 1=1--"> </FORM>

• If luck is on your side, you will be logged in without any valid login name or password.
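The single-quote trick against a login query and the numeric-id rule for article.asp?id=2, as an added Python/SQLite illustration and not code from the deck: the concatenating version is satisfied by hi' or 1=1--, the parameterised version is not. The table layout, the alice account and the article rows are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the site's SQL server."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    con.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    con.executemany("INSERT INTO articles VALUES (?, ?)",
                    [(1, "Welcome"), (2, "SYN floods"), (3, "Internal memo")])
    return con


def login_vulnerable(con, name: str, password: str):
    """String concatenation, as the slide's ASP pages do: the user's text
    becomes part of the SQL statement, so hi' or 1=1-- rewrites it."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pass = '{password}'"
    return [row[0] for row in con.execute(sql)]


def login_hardened(con, name: str, password: str):
    """Parameterised query: the driver sends the values separately, so quotes
    and comment markers in them can never change the statement."""
    sql = "SELECT name FROM users WHERE name = ? AND pass = ?"
    return [row[0] for row in con.execute(sql, (name, password))]


def article_vulnerable(con, id_param: str):
    """article.asp?id=... with the value pasted into the query unchecked."""
    return [row[0] for row in con.execute(f"SELECT title FROM articles WHERE id = {id_param}")]


def article_hardened(con, id_param: str):
    """The slide's rule: only numeric values are accepted, and the value is
    still bound as a parameter rather than concatenated."""
    if not id_param.isdigit():
        raise ValueError("id must be numeric")
    return [row[0] for row in con.execute("SELECT title FROM articles WHERE id = ?",
                                          (int(id_param),))]
```

Validation (reject non-numeric ids) and parameterisation are complementary: the first keeps bad input out of the application, the second guarantees that whatever does reach the query is data and not SQL.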

Command Injection

• Command injection attacks allow a remote attacker to execute operating system commands smuggled in as a URL or form input to a web server that passes the input to a shell. A successful command execution gives the attacker the web server's privileges, and from there possibly administrative access to the host. This can result in defacement of the web site, data theft or data loss.

• Commands are injected through URL-encoded HTTP request data, for example a parameter carrying an encoded space (%20) followed by a shell command such as ls.

Directory Traversal

• The attacker tries to access files and folders he is not supposed to reach, and may run malicious code, by supplying ../ sequences in a path parameter to climb out of the web root, for example www.example.com/abc/Newuser?Image=../../database/rbsserv.mdb

• The same can be tried with URL-encoded characters (%2e for . and %2f for /), for example http://<HOST>/............/autoexec.bat with the traversal sequence encoded.
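The Image=../../database/rbsserv.mdb request against a naive and a hardened path resolver, as an added Python illustration and not code from the deck. The hardened version decodes twice (to catch %252e-style double encoding), resolves symlinks and requires the result to remain under the web root. The document root /srv/www/abc and the file names are constructed.

```python
import os
from urllib.parse import unquote

WEB_ROOT = "/srv/www/abc"   # constructed document root for the slide's /abc/ application


def resolve_vulnerable(root: str, image_param: str) -> str:
    """What a naive handler does with Image=...: decode and join. The ../
    segments are honoured, so the result can leave the web root."""
    return os.path.normpath(os.path.join(root, unquote(image_param)))


def resolve_hardened(root: str, image_param: str) -> str:
    """Decode twice (defeats double encoding), reject NULs, drop leading
    slashes, resolve symlinks and require the result to stay under root."""
    decoded = unquote(unquote(image_param))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    root_abs = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_abs, decoded.lstrip("/\\")))
    if os.path.commonpath([root_abs, target]) != root_abs:
        raise PermissionError(f"path escapes web root: {image_param!r}")
    return target


def is_served(image_param: str) -> bool:
    """True if the hardened resolver would hand the file out."""
    try:
        resolve_hardened(WEB_ROOT, image_param)
        return True
    except (PermissionError, ValueError):
        return False
```

The check is on the resolved absolute path, not on the presence of ".." in the input: blacklisting the literal sequence misses encoded, doubly encoded and symlink-based variants, whereas "is the final path still under the root" covers them all.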

Defense

• Filter or encode <script> tags and other HTML in user-supplied data before it is written back into a page.
• Form input should be validated before it is passed to the database.
• An invalid value should not produce an error message that reveals details of the input handling or the database.
• Non-ASCII and unexpected encoded characters should be rejected.
• Disable unsafe HTTP methods such as DELETE, OPTIONS and TRACE.

Links

• http://www.antiserver.it/Cisco-Exploit/
• http://staff.washington.edu/dittrich/misc/ddos/
• http://www.extropia.com/tutorials/sql/toc.html
• http://www.l0t3k.org/security/tools/packetgenerator/
• http://www.zone-h.org/en/download/category=52/

Some tools used: hping, SendIP, Retina Scanner, Nmap, Nessus, N-Stealth, Web Sleuth, WebInject, Netcat.
Some other tools: John the Ripper, L0phtCrack, Legion, SubSeven.