Networking & Network Attacks (Engineering Secure Software) - PowerPoint PPT Presentation



SLIDE 1

SWEN-331: Engineering Secure Software, Benjamin S Meyers

Networking & Network Attacks

Engineering Secure Software

Last Revised: August 28, 2020

SLIDE 2

Why Do We Study Networks?

  • Network scans are the most prevalent method of understanding an environment, with the intent of using that information to run exploits
  • To understand how to protect your system, you have to understand how the system works!
  • Note: In a future lecture, we'll learn about MITRE ATT&CK, a knowledge base of adversary tactics and techniques that pentesters and defenders use as a shared vocabulary
    ○ Discovery: the adversary is trying to figure out your environment

SLIDE 3

How Do Computers Communicate?

The 7 layers of the classic OSI model (figure)

Source: https://www.electronicdesign.com/unused/article/21800810/whats-the-difference-between-the-osi-sevenlayer-network-model-and-tcpip

SLIDE 4

OSI Model: Physical Layer

  • Responsible for transmission of unstructured raw bits between a physical device and the transmission medium
    ○ Converts digital data to electrical/radio/optical signals
  • Defines characteristics such as voltage levels, data transmission rates, and physical connectors (pin layouts, signal frequency)
  • Defines the physical-layer specifications of the Bluetooth, Ethernet, and USB standards
  • Controller Area Network (CAN)
    ○ Jaguar speed controllers in FIRST Robotics

SLIDE 5

OSI Model: DataLink Layer

  • Defines protocols for establishing/terminating physical connections and controls how data flows between physically connected devices
  • Two sublayers
    ○ Media Access Control (MAC) -- controls the hardware responsible for interaction with wired/optical/wireless transmission media
      ■ Error control (e.g. collision detection and avoidance)
      ■ MAC addresses identify individual network interfaces
    ○ Logical Link Control (LLC) -- interface between MAC and the OSI Network Layer

SLIDE 6

OSI Model: Network Layer

  • Responsible for transferring packets between nodes in different networks
  • Routing packets through intermediate nodes
    ○ IPv4 (32-bit addresses) and IPv6 (128-bit addresses)
    ○ Path determination
  • IP communication is connectionless (best-effort delivery; no acknowledgement or response is required)

SLIDE 7

OSI Model: Transport Layer

  • Responsible for quality of service and data integrity
    ○ e.g. packet loss, bit rate, throughput, transmission delay, availability, jitter
  • Transmission rates (e.g. phone vs. server)
  • Packet splitting (segmentation & desegmentation)
  • Retransmission
  • User Datagram Protocol (UDP) is faster than TCP, but not as reliable (no connection setup, acknowledgements, or retransmission)
  • Analogy: post office inspections

SLIDE 8

OSI Model: Session Layer

  • Responsible for establishing/managing/terminating connections (sessions) between local and remote devices
  • Remote Procedure Calls (RPC)
    ○ One form of Inter-Process Communication (IPC)
  • Session authentication and authorization are placed here in the OSI model (in practice, most authentication is implemented inside application protocols)
  • Transmission Control Protocol (TCP) is a Transport Layer protocol, but its connection setup and teardown cover functions the OSI model assigns to the Session Layer
  • APIs (e.g. NetBIOS)

SLIDE 9

OSI Model: Presentation Layer

  • Translates between application-specific data formats and network packet formats
    ○ e.g. conversion from packet to XML (and vice versa)
  • Sometimes called the "syntax" layer
  • Some data compression functionality
  • Data encoding
    ○ ASCII (7 bits per character, usually stored in 8) vs. EBCDIC (8 bits per character)
    ○ EBCDIC is non-linear (the letters are not contiguous code points)
    ○ Unicode (UTF-8, UTF-16)
  • SSL/TLS is commonly placed at this layer

SLIDE 10

OSI Model: Application Layer

  • Interacts with applications that implement communication
  • Responsible for handing received data to the user/application and passing data from the user to the Presentation Layer (which then gets sent down through the other OSI layers)
  • Defines specifications for shared communication protocols
    ○ e.g. HTTP, FTP, SMTP, DNS
    ○ Application-specific protocols (e.g. RDP, LDAP)

SLIDES 11-19

Crash Course in Network Communication

OSI 7-Layer Model vs. Modern Network/Internet Model

  Classic Model    Responsibility                                                                  | Modern Model
  7 Application    Works with applications to provide communications & functions                   | Applications (FTP, HTTP, SMTP, etc.)
  6 Presentation   Ensures compatibility between the data formats from lower to upper layers        | (folded into the application)
  5 Session        Establishes connection between devices (also maintains, authenticates, etc.)     | (folded into the application)
  4 Transport      Responsible for quality of service and data integrity; the port number           | TCP
                   identifies the endpoint (socket = IP address + port)                             |
  3 Network        Packet routing between hosts (IP address source/dest)                            | IP
  2 DataLink       Pack/unpack data frame (MAC source/dest) -- unique interface identifier          | Ethernet
  1 Physical       Physical connection, data rates, bit level handling                              | Ethernet

SLIDE 20

TCP/IP Communications

  Source Computer:      Application | Transport | Network | DataLink
                                                     ↓
  Router:                                       Network | DataLink
                                                     ↓
  Router:                                       Network | DataLink
                                                     ↓
  Destination Computer: Application | Transport | Network | DataLink

In a typical network, computers are on subnets; routers transmit between subnets (a router only needs the Network and DataLink layers to forward a packet)

SLIDE 21

TCP/IP Communications

  Client                                    Server
    TCP Packet SEQ=1,  LEN=700    ----->
                                  <-----   TCP Packet ACK=1
    TCP Packet SEQ=2,  LEN=1000   ----->
                                  <-----   TCP Packet ACK=2
    ⋮                                       ⋮
    TCP Packet SEQ=20, LEN=250    ----->
                                  <-----   TCP Packet ACK=20

(Simplified: in real TCP the sequence number counts bytes rather than packets, and the ACK number is the next byte the receiver expects)

SLIDE 22

TCP/IP Communications

  Client                                    Server
    TCP Packet SEQ=1,  LEN=700    ----->   (lost: no ACK arrives)
    Timeout ➝ Retransmission
    TCP Packet SEQ=1,  LEN=700    ----->
                                  <-----   TCP Packet ACK=1
    ⋮                                       ⋮
    TCP Packet SEQ=20, LEN=250    ----->
                                  <-----   TCP Packet ACK=20
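
The exchange in the two diagrams above, as an added example that is not part of the original slides: a stop-and-wait sender with byte-based sequence numbers (the slides' SEQ=1, 2, ... count packets for simplicity; real TCP counts bytes, and each ACK carries the next byte the receiver expects). The segment sizes follow the diagram; the initial sequence number, the loss of the second segment's first transmission, and the Receiver/transmit names are assumptions made for this example.

```python
"""Stop-and-wait delivery with byte-based sequence numbers and timeout retransmission.

Constructed example for the SEQ/ACK diagrams; not code from the slides. Segment
sizes (700, 1000, 250 bytes) match the diagram, the loss pattern is chosen here.
"""
from typing import List, Tuple


class Receiver:
    """Receiving side: accepts in-order data and returns a cumulative ACK."""

    def __init__(self, isn: int) -> None:
        # After the handshake the first data byte carries ISN + 1 (the SYN consumes one number).
        self.expected = isn + 1
        self.data = bytearray()

    def deliver(self, seq: int, payload: bytes) -> int:
        if seq == self.expected:
            self.data += payload
            self.expected += len(payload)
        # A duplicate (retransmission of data already received) or an out-of-order
        # segment does not advance the window; we simply re-ACK what we expect next.
        return self.expected


def transmit(segments: List[bytes], drop_once: Tuple[int, ...] = (),
             isn: int = 1000) -> Tuple[bytes, List[tuple], int]:
    """Send segments one at a time; the first transmission of segment i is lost if i in drop_once.

    Returns (bytes the receiver assembled, event log, number of retransmissions).
    """
    rx = Receiver(isn)
    seq = isn + 1                      # sequence number of the first data byte
    log: List[tuple] = []
    retransmissions = 0
    for i, payload in enumerate(segments):
        attempt = 0
        while True:
            attempt += 1
            lost = i in drop_once and attempt == 1
            log.append(("SEND", seq, len(payload), "lost" if lost else "delivered"))
            if lost:
                # No ACK arrives before the retransmission timer fires: resend.
                log.append(("TIMEOUT", seq))
                retransmissions += 1
                continue
            ack = rx.deliver(seq, payload)
            log.append(("ACK", ack))
            if ack == seq + len(payload):
                seq = ack              # next segment starts where this one ended
                break
            retransmissions += 1       # receiver did not advance: resend the same segment
    return bytes(rx.data), log, retransmissions


if __name__ == "__main__":
    segs = [b"a" * 700, b"b" * 1000, b"c" * 250]   # constructed payloads
    data, events, resent = transmit(segs, drop_once=(1,))
    for ev in events:
        print(ev)
    print(len(data), "bytes delivered,", resent, "retransmission(s)")
```

With ISN 1000 the first segment carries bytes 1001..1700 and is acknowledged with ACK=1701, which is exactly what a packet capture shows for a real connection; the diagram's ACK=1 is that value with the byte counting hidden.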

SLIDE 23

Data Formats (TCP)

Down at the low level, packets are organized to tell the nodes on the network who is sending, who is receiving, etc. These are the packet headers that scanners manipulate to probe networks.

TCP header (20 octets without options; each row is 4 octets = 32 bits):

  Source Port (16)                                         | Destination Port (16)
  Sequence Number (32)
  Acknowledgment Number (32)
  Data Offset (4) | Reserved (6) | Flags (6: URG ACK PSH RST SYN FIN) | Window (16)
  Checksum (16)                                            | Urgent Pointer (16)
  Options and Padding (variable, padded to a multiple of 32 bits)
  Data (variable size)
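
An added example (not code from the slides) that walks the encapsulation from the layering slides and the TCP header layout above: it builds an Ethernet II frame carrying an IPv4 packet carrying a 20-byte TCP SYN segment, computes both checksums (the TCP checksum over the IPv4 pseudo-header, as the standard requires), then parses the frame back and checks the checksums. The IP addresses, MAC addresses, ports and sequence number are made-up sample values, and the function names are this example's own. Only the standard library is used, and nothing is sent on the network.

```python
"""Build an Ethernet/IPv4/TCP SYN probe layer by layer, then parse and verify it.

Constructed example; not code from the slides. Addresses, ports and MACs are sample values.
"""
import socket
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, ack: int,
              flags: int, window: int = 65535, payload: bytes = b"") -> bytes:
    """20-byte TCP header (no options) + payload; checksum also covers the IPv4 pseudo-header."""
    data_offset = 5                         # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, IPPROTO_TCP, len(header) + len(payload))
    csum = internet_checksum(pseudo + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def build_ipv4(src_ip: str, dst_ip: str, payload: bytes, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header (no options, Don't Fragment set) followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload), ident, 0x4000,
                         ttl, IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = internet_checksum(header)        # the IPv4 checksum covers the header only
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def build_ethernet(dst_mac: bytes, src_mac: bytes, payload: bytes) -> bytes:
    """Ethernet II frame: destination MAC, source MAC, EtherType, then the IP packet."""
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + payload


def parse_ipv4(packet: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"version": f[0] >> 4, "ttl": f[5], "proto": f[6],
            "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "header_ok": internet_checksum(packet[:ihl]) == 0,   # a valid header sums to zero
            "payload": packet[ihl:f[2]]}


def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, off, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": [name for name, bit in TCP_FLAGS.items() if flags & bit],
            "header_len": hlen, "payload": segment[hlen:]}


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, IPPROTO_TCP, len(segment))
    return internet_checksum(pseudo + segment) == 0


def syn_probe(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int = 0x1EADBEEF) -> bytes:
    """The first packet of a SYN scan, as a complete Ethernet frame (sample MACs are made up)."""
    tcp = build_tcp(src_ip, dst_ip, sport, dport, seq, 0, TCP_FLAGS["SYN"])
    ip = build_ipv4(src_ip, dst_ip, tcp)
    return build_ethernet(bytes.fromhex("00155d0a0b0c"), bytes.fromhex("0050560102ab"), ip)


if __name__ == "__main__":
    frame = syn_probe("10.0.0.5", "10.0.0.9", 40000, 22)
    ip = parse_ipv4(frame[14:])             # skip the 14-byte Ethernet header
    tcp = parse_tcp(ip["payload"])
    print(ip["src"], "->", ip["dst"], "flags", tcp["flags"], "port", tcp["dport"])
    print("checksums valid:", ip["header_ok"], tcp_checksum_ok(ip["src"], ip["dst"], ip["payload"]))
```

The checksum is an integrity check against accidental corruption only: anyone who can craft the packet can recompute it, which is exactly what scanners and spoofing tools do.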

SLIDE 24

Network Attacks

  • Ports are the endpoints of network communications
  • Software programs 'listen' on numbered ports
  • Network attacks target the lower levels of communication (above the DataLink layer) and craft low-level packets aimed at the ports
    ○ Packet manipulation is often used to trigger special behavior
    ○ Scans and attacks understand which ports support which application and how the responses are supposed to be handled
    ○ They take advantage of how the implementation handles packets, and try to bypass or interrogate responses

SLIDE 25

Port Scanning

  • Network ports are the endpoints used to send and receive data packets
  • Scanning is a mechanism used to interrogate devices and networks
  • How is this information used by attackers?
    ○ To detect the live systems running on the network
    ○ To discover which ports are open/listening
    ○ To discover the operating system running on the target host (fingerprinting)
    ○ To discover the services running on the target host
    ○ To discover the IP address of the target host

SLIDE 26

Some Types of Scans

  • Port Scanning:
    ○ 65,535 usable ports per transport protocol (TCP and UDP each); ports 0-1023 are the "well-known" ports reserved for system/OS services
    ○ Scan for open ports which can be used to attack the victim host
    ○ Port scanning tells us which port to use for a certain attack
  • Network Scanning:
    ○ Procedure for finding active hosts on a network (e.g. is the system standalone or one of many?)
    ○ For the purpose of attacking hosts or for network security assessment (e.g. how secure is the network?)
  • Vulnerability Scanning:
    ○ Scan hosts for vulnerabilities (weaknesses in OS, DB, services, apps, etc.)
    ○ Exploit the victim host using the vulnerabilities discovered

SLIDE 27

Network Scanning Tools

  • Many tools are available to facilitate scanning computers and networks
    ○ Wireshark (packet capture and analysis)
    ○ Unicornscan (Kali Linux)
  • One of the longest-lived tools is nmap
    ○ Port scanning, OS detection, version detection, ping sweeps, etc.
    ○ Able to scan many machines at once
    ○ Supported by most operating systems (Unix/Linux, Windows, macOS)
    ○ Able to use many types of port scanning techniques

SLIDE 28

Zenmap (the official nmap GUI; runs on Windows, Linux, and macOS)

SLIDE 29

Nmap Command Examples

  • Basic scan against an IP address or hostname (by default nmap scans the 1,000 most common TCP ports):
    ○ nmap 1.1.1.1
    ○ The output below is from a scan of a different host (bob.rit.edu)

  Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-27 14:59 EDT
  Nmap scan report for bob.rit.edu (129.22.187.155)
  Host is up (0.041s latency).
  Not shown: 984 filtered ports
  PORT     STATE  SERVICE
  22/tcp   open   ssh
  443/tcp  closed https
  2020/tcp closed xinupageserver
  6000/tcp closed X11
  6001/tcp open   X11:1
  6002/tcp closed X11:2
  6003/tcp closed X11:3
  6004/tcp closed X11:4
  6005/tcp closed X11:5
  6006/tcp closed X11:6
  6007/tcp closed X11:7
  6666/tcp closed irc
  8000/tcp closed http-alt
  8081/tcp closed blackice-icecap
  8082/tcp open   blackice-alerts
  8181/tcp open   intermapper
  Nmap done: 1 IP address (1 host up) scanned in 4.46 seconds

SLIDE 30

Nmap Command Examples

  • Scan specific ports or an entire port range on a local/remote server (you can scan multiple addresses/ranges)
    ○ nmap -p 1-65535 localhost
    ○ nmap 8.8.8.0-255  or  nmap 8.8.8.0/24
    ○ Either form scans 256 IP addresses, from 8.8.8.0 to 8.8.8.255

  Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-27 15:02 EDT
  Nmap scan report for localhost (127.0.0.1)
  Host is up (0.00021s latency).
  Not shown: 65529 closed ports
  PORT      STATE SERVICE
  631/tcp   open  ipp
  1716/tcp  open  xmsg
  5432/tcp  open  postgresql
  5433/tcp  open  pyrrho
  27017/tcp open  mongod
  39517/tcp open  unknown
  Nmap done: 1 IP address (1 host up) scanned in 3.13 seconds

SLIDE 31

Nmap Command Examples

  • Scan the most commonly open ports (nmap's frequency-ranked list)
    ○ nmap --top-ports 20 192.168.1.106

  Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-27 15:06 EDT
  Nmap scan report for jill.rit.edu (129.25.189.221)
  Host is up (0.038s latency).
  PORT     STATE    SERVICE
  21/tcp   filtered ftp
  22/tcp   open     ssh
  23/tcp   filtered telnet
  25/tcp   filtered smtp
  53/tcp   filtered domain
  80/tcp   filtered http
  110/tcp  filtered pop3
  111/tcp  filtered rpcbind
  ...
  443/tcp  closed   https
  ...
  995/tcp  filtered pop3s
  1723/tcp filtered pptp
  3306/tcp filtered mysql
  ...
  8080/tcp filtered http-proxy
  Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds

SLIDE 32

Nmap Command Examples

  • Scan with OS and service detection (quickly)
    ○ nmap -A -T4 cloudflare.com
    ○ The -A parameter enables OS detection, version detection, default NSE script scanning, and traceroute; -T4 selects the "aggressive" timing template for faster execution (noisier, and may miss results on slow or rate-limited networks)

  Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-30 10:03 EDT
  Nmap scan report for andy.rit.edu (129.27.184.101)
  Host is up (0.038s latency).
  Not shown: 984 filtered ports
  PORT     STATE SERVICE VERSION
  22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   2048 f2:1a:87:3a:d7:04:b7:a8:b1:c5:25:83:c2:16:f1:07 (RSA)
  |   256 de:86:8b:5a:df:24:bb:71:9b:53:a6:ae:4e:80:11:1f (ECDSA)
  |_  256 8f:97:db:c6:72:81:e4:a4:72:bd:bb:57:bb:b4:83:5d (EdDSA)
  ...
  8082/tcp open  http    Tornado httpd 5.1.1
  ...
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 118.82 seconds

SLIDE 33

Nmap Command Examples

  • Detect service/daemon versions
    ○ nmap -sV localhost

  Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-27 15:10 EDT
  Nmap scan report for localhost (127.0.0.1)
  Host is up (0.00035s latency).
  Not shown: 998 closed ports
  PORT     STATE SERVICE    VERSION
  631/tcp  open  ipp        CUPS 2.2
  5432/tcp open  postgresql PostgreSQL DB 9.6.0 or later
  1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
  SF-Port5432-TCP:V=7.60%I=7%D=8/27%Time=5F480546%P=x86_64-pc-linux-gnu%r(SM
  SF:BProgNeg,8C,"E\0\0\0\x8bSFATAL\0VFATAL\0C0A000\0Munsupported\x20fronten
  SF:d\x20protocol\x2065363\.19778:\x20server\x20supports\x202\.0\x20to\x203
  SF:\.0\0Fpostmaster\.c\0L2065\0RProcessStartupPacket\0\0");
  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 6.77 seconds

SLIDE 34

Nmap Command Examples

  • Malware detection on remote hosts
    ○ Detect malware and backdoors by running extensive tests on popular OS services (Identd, Proftpd, Vsftpd, IRC, SMB, SMTP)
    ○ There is also an NSE script that checks for signs of common malware on remote web servers
    ○ Other scripts query Google's Safe Browsing and VirusTotal databases
    ○ nmap -sV --script=http-malware-host 192.168.1.105
    ○ nmap -p80 --script=http-google-malware infected.com

SLIDE 35

Nmap Command Examples

  • CVE detection
    ○ One of nmap's greatest features (that a lot of people don't know about) is the Nmap Scripting Engine (NSE)
    ○ NSE allows use of pre-defined or custom scripts (written in Lua)
    ○ Using NSE allows you to automate system/vulnerability scans
    ○ nmap -Pn --script vuln 192.168.1.105 (-Pn skips host discovery, so the host is scanned even if it does not answer pings)

SLIDE 36

Nmap Command Examples

  • Using the verbosity flag: -v
    ○ nmap -v -T4 --script ssh-hostkey 1.2.3.4

  Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-30 10:16 EDT
  NSE: Loaded 1 scripts for scanning.
  NSE: Script Pre-scanning.
  ...
  Nmap scan report for paul.rit.edu (129.24.133.233)
  Host is up (0.039s latency).
  Not shown: 984 filtered ports
  PORT   STATE SERVICE
  22/tcp open  ssh
  | ssh-hostkey:
  |   2048 f2:1a:87:3a:d7:04:b7:a8:b1:c5:25:83:c2:16:f1:07 (RSA)
  | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnBX1anz+PcgdAq/7...vPxOkBGk8JxmdD/Sk1uG3pqqvQX6u5Hs8XDH8MxZvlKClAN9zdkq39S6gOYS
  |   256 de:86:8b:5a:df:24:bb:71:9b:53:a6:ae:4e:80:11:1f (ECDSA)
  | ecdsa-sha2-nistp256 2VjZHNhLXNoYTItbmlzdHAyNTYAbHAyNTYAAABBBOSBzc...BhVS5fHW6vd+Net4RouExNKzLlAT8xXx0qiIx8MBY2QHYH1w
  |   256 8f:97:db:c6:72:81:e4:a4:72:bd:bb:57:bb:b4:83:5d (EdDSA)
  |_ssh-ed25519 C3NzaC1lZDI1NTE5AAAAIDmN...+9aIa22fCx3y8pmHjyoHsZrz0ZoK2ZGB
  ...
  Nmap done: 1 IP address (1 host up) scanned in 5.73 seconds
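
An added example, not from the slides or the nmap project: a parser for the normal-output format shown on the nmap slides above (the PORT/STATE/SERVICE lines, the host line and the "Not shown" summary), run over the output of the basic-scan slide, plus a reviewer-style check that lists open ports whose service is a cleartext login, remote display or RPC/SMB endpoint. The list of services treated as risky is an illustrative choice for this example; the regular expressions and function names are the example's own; and in real tooling you would parse nmap -oX (XML) rather than screen-scrape the text.

```python
"""Parse nmap's normal output into records and flag exposed legacy services.

Constructed example; not code from the slides or from nmap. SAMPLE_OUTPUT is the
scan shown on the "Basic scan" slide. RISKY_SERVICES is an illustrative choice.
"""
import re
from typing import Dict, List

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$")
NOT_SHOWN = re.compile(r"^Not shown: (?P<count>\d+) (?P<state>\w+) ports")
REPORT = re.compile(r"^Nmap scan report for (?P<host>\S+)(?: \((?P<ip>[\d.]+)\))?")

# Services whose exposure a reviewer would want to question: cleartext logins,
# remote display/desktop protocols, and RPC/SMB endpoints.
RISKY_SERVICES = {"ftp", "telnet", "pop3", "imap", "vnc", "rpcbind", "netbios-ssn",
                  "microsoft-ds", "ms-wbt-server", "X11"}

SAMPLE_OUTPUT = """Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-27 14:59 EDT
Nmap scan report for bob.rit.edu (129.22.187.155)
Host is up (0.041s latency).
Not shown: 984 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
443/tcp  closed https
2020/tcp closed xinupageserver
6000/tcp closed X11
6001/tcp open   X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6666/tcp closed irc
8000/tcp closed http-alt
8081/tcp closed blackice-icecap
8082/tcp open   blackice-alerts
8181/tcp open   intermapper
Nmap done: 1 IP address (1 host up) scanned in 4.46 seconds
"""


def parse_nmap(text: str) -> Dict:
    """Turn one host's normal-output report into a dict of host, ip, hidden-port summary, ports."""
    report: Dict = {"host": None, "ip": None, "not_shown": {}, "ports": []}
    for line in text.splitlines():
        line = line.strip()
        if m := REPORT.match(line):
            report["host"], report["ip"] = m["host"], m["ip"]
        elif m := NOT_SHOWN.match(line):
            report["not_shown"][m["state"]] = int(m["count"])
        elif m := PORT_LINE.match(line):
            report["ports"].append({"port": int(m["port"]), "proto": m["proto"],
                                    "state": m["state"], "service": m["service"],
                                    "version": m["version"] or ""})
    return report


def open_ports(report: Dict) -> List[int]:
    return [p["port"] for p in report["ports"] if p["state"] == "open"]


def risky_exposures(report: Dict) -> List[str]:
    """Open ports whose service name (before any ':' suffix, e.g. X11:1) is in RISKY_SERVICES."""
    found = []
    for p in report["ports"]:
        base = p["service"].split(":")[0]
        if p["state"] == "open" and base in RISKY_SERVICES:
            found.append(f"{p['port']}/{p['proto']} {p['service']}")
    return found


if __name__ == "__main__":
    rep = parse_nmap(SAMPLE_OUTPUT)
    print(rep["host"], rep["ip"], "open:", open_ports(rep), "hidden:", rep["not_shown"])
    print("review:", risky_exposures(rep))
```

On the slide's output the check singles out 6001/tcp (X11:1): an X display server reachable from the network, which is worth a follow-up question in a security assessment. The 16 listed ports plus the 984 "not shown" ones add up to nmap's default 1,000-port scan, a useful sanity check that the output was parsed completely.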

SLIDE 37

Nmap Command Examples

  • Nmap is one of the most complete and accurate port scanners used by infosec professionals today
  • You can perform simple port scan tasks
  • You can use its powerful scripting engine to launch DoS tests, detect malware, or run brute-force tests on remote/local servers

SLIDE 38

How Port Scans Work

  • Depending on the packet sent and the flags set, port scanners look for responses and make guesses about the configuration and state of ports (the meaning of a response depends on the scan type)

  Probe Response                                               Assigned State
  SYN/ACK (SYN scan)                                           Open
  TCP RST packet                                               Closed (SYN, FIN, NULL, Xmas scans); Unfiltered (ACK scan)
  ICMP unreachable error (type 3; code 1, 2, 3, 9, 10, or 13)  Filtered
  No response received (even after retransmission)             Filtered (SYN, ACK scans); Open|Filtered (FIN, NULL, Xmas scans)

SLIDE 39

Common Ports

  • 21: file transfer protocol (ftp)
  • 22: ssh
  • 23: telnet
  • 25: simple mail transfer protocol (smtp)
  • 53: domain name system (dns)
  • 80: http
  • 110: post office protocol (pop3)
  • 111: ONC RPC port mapper (rpcbind)
  • 135: Microsoft RPC endpoint mapper (msrpc)
  • 139: NetBIOS session service, used for SMB over NetBIOS (netbios-ssn)
  • 143: internet message access protocol (imap)
  • 443: https
  • 445: SMB over TCP / Microsoft directory services (microsoft-ds)
  • 993: imaps
  • 995: pop3s
  • 1723: point-to-point tunneling protocol (pptp)
  • 3306: mysql
  • 3389: Microsoft Remote Desktop / terminal server (ms-wbt-server)
  • 5900: vnc
  • 8080: http-proxy

SLIDE 40

Nmap Sample Output

  root@kali:~# nmap -O 192.168.5.102
  Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-04 21:16 CET
  Nmap scan report for 192.168.5.102
  Host is up (0.30s latency).
  Not shown: 977 closed ports
  PORT      STATE SERVICE
  21/tcp    open  ftp
  53/tcp    open  domain
  80/tcp    open  http
  88/tcp    open  kerberos-sec
  111/tcp   open  rpcbind
  135/tcp   open  msrpc
  139/tcp   open  netbios-ssn
  389/tcp   open  ldap
  445/tcp   open  microsoft-ds
  …
  49152/tcp open  unknown
  49153/tcp open  unknown
  49154/tcp open  unknown
  49155/tcp open  unknown
  49157/tcp open  unknown
  49158/tcp open  unknown
  Device type: general purpose
  Running: Microsoft Windows 7|2012|XP
  OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
  OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3
  OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 153.47 seconds

Ports are identified and their state is listed

SLIDE 41

SYN Scan

  • The SYN (synchronize) flag is the TCP flag used to initiate a TCP connection
  • A packet containing solely a SYN flag is the first part of the "three-way handshake" (SYN; SYN-ACK; ACK) of TCP connection initiation
    ○ A TCP packet is sent with the SYN flag set
    ○ The response from the target is monitored
      ■ If SYN-ACK, then the port is open (the scanner answers with RST instead of ACK, so the handshake is never completed; hence "half-open" scan)
      ■ If RST, then the port is closed
      ■ If no response (even after retransmission) or an ICMP unreachable error, the port is reported as filtered
  • In nmap this is -sS, the default scan type when run with raw-socket privileges (root)

SLIDE 42

Other Simple Scans

  • FIN Scan: sends a packet that should never occur in normal traffic: a packet with only the FIN flag set, sent without establishing a connection to the target host first. If a RST (reset) packet is received back, the port is considered closed; if no packet is received, the port is considered open (nmap reports it as open|filtered, because a firewall that silently drops the probe looks exactly the same)
  • NULL Scan: also sends a packet that should never occur in normal traffic: a packet with no flags set. If RST is received, the port is closed; if no response, the port is open|filtered
  • ACK Scan: used to determine whether the host is protected by some kind of filtering system. An ACK probe packet is sent with a random sequence number. If there is no response, the port is filtered (e.g. a firewall is in place); if a RST comes back, the port is unfiltered (reachable, but an ACK scan cannot tell open from closed, because both answer an unexpected ACK with RST)
  • Caveat: FIN and NULL scans rely on RFC 793 behavior (open ports silently drop the probe, closed ports reset it). Windows and several other stacks send RST for every such probe, so against them these scans report every port as closed
  • If one type of scan doesn't work, try something else! (Hackers are very persistent.) Sometimes special flags (PSH, URG) are used to force responses

SLIDE 43

Christmas Tree Attack Example

  • Send a packet with the FIN, PSH, and URG flags all set at once
    ○ The "lit up" flag bits simulate the blinking lights on a Christmas tree (nmap: -sX)
    ○ PSH: push, i.e. hand the data to the application without waiting to fill the TCP buffer
    ○ URG: this packet carries urgent data
  • Historically also used as a Denial-of-Service (DoS) attempt, because some stacks spent more processing time on packets with these flags
  • Tries to identify open ports
    ○ Open ports will ignore these packets (illegal flag combination) and closed ports will respond with RST; as with FIN and NULL scans, "no response" is reported as open|filtered
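
An added example, not code from the slides or from nmap, that serves the SYN-scan, FIN/NULL/ACK-scan and Christmas-tree slides together: it simulates both sides of each probe, the target stack answering per RFC 793 (with a switch to model stacks such as Windows that reset every unexpected probe) and the scanner mapping the answer to nmap's port states. The condition names (open, closed, dropped, rejected), the rfc793 switch and the function names are assumptions of this example.

```python
"""Simulate SYN, FIN, NULL, Xmas and ACK probes against a target stack and infer nmap's port state.

Constructed example; not code from the slides or from nmap. Target behaviour follows RFC 793
(rfc793=False models stacks that reset every unexpected probe); the scanner-side mapping is
nmap's documented one.
"""
from typing import Dict, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag bits each scan type sets on its probe (nmap -sS, -sF, -sN, -sX, -sA).
PROBES: Dict[str, int] = {"SYN": SYN, "FIN": FIN, "NULL": 0, "XMAS": FIN | PSH | URG, "ACK": ACK}

# True condition of a port: 'open' (listening), 'closed' (no listener),
# 'dropped' (firewall silently discards), 'rejected' (firewall answers ICMP unreachable).
ICMP_UNREACHABLE = "ICMP type 3"


def target_response(condition: str, probe_flags: int, rfc793: bool = True) -> Optional[str]:
    """What the target sends back: a TCP flag string, an ICMP error, or None (silence)."""
    if condition == "dropped":
        return None
    if condition == "rejected":
        return ICMP_UNREACHABLE
    if condition == "closed":
        return "RST"                         # CLOSED port resets anything that is not itself a RST
    # LISTEN state
    if probe_flags & ACK:
        return "RST"                         # an ACK with no connection is bogus: reset it
    if probe_flags & SYN:
        return "SYN/ACK"                     # second step of the handshake
    return None if rfc793 else "RST"         # FIN/NULL/Xmas: compliant stacks drop, others reset


def infer_state(scan: str, response: Optional[str]) -> str:
    """The scanner's interpretation of a response for the given scan type."""
    if response == ICMP_UNREACHABLE:
        return "filtered"
    if scan == "SYN":
        return {"SYN/ACK": "open", "RST": "closed"}.get(response, "filtered")
    if scan == "ACK":
        return "unfiltered" if response == "RST" else "filtered"
    return "closed" if response == "RST" else "open|filtered"   # FIN, NULL, XMAS


def run_probe(scan: str, condition: str, rfc793: bool = True) -> Tuple[Optional[str], str, Optional[str]]:
    """One exchange: (target response, scanner's verdict, scanner's follow-up packet)."""
    response = target_response(condition, PROBES[scan], rfc793)
    verdict = infer_state(scan, response)
    # A SYN scan never completes the handshake: it answers SYN/ACK with RST (half-open scan),
    # so the listening service never sees an accepted connection.
    followup = "RST" if scan == "SYN" and response == "SYN/ACK" else None
    return response, verdict, followup


def scan_matrix(rfc793: bool = True) -> Dict[Tuple[str, str], str]:
    """Verdict for every (scan type, true condition) pair."""
    return {(s, c): run_probe(s, c, rfc793)[1]
            for s in PROBES for c in ("open", "closed", "dropped", "rejected")}


if __name__ == "__main__":
    for (scan, cond), verdict in scan_matrix().items():
        print(f"{scan:5s} probe, port {cond:8s} -> {verdict}")
    print("FIN probe, open port, non-RFC-793 stack ->", run_probe("FIN", "open", rfc793=False)[1])
```

Two rows of the matrix are the ones to remember: a FIN, NULL or Xmas probe gets the same silence from an open port and from a firewall that drops the packet, which is why nmap will only say open|filtered, and against a stack that resets every stray probe those scans call every port closed.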

SLIDE 44

WireShark

  • Wireshark is the most widely used network monitoring tool
  • Invaluable for monitoring, investigating networks, and investigating network attacks (e.g. man-in-the-middle attacks)
  • Activity: investigate a network trace and look for clues/conclusions
