4.4 Summarize common networking attacks. Flashcards
Denial of service
Force a service to fail
Take advantage of a design failure or vulnerability
Cause a system to be unavailable
Create a smokescreen for some other exploit
Doesn’t have to be complicated - Turn off the power
A “friendly” DoS
Unintentional DoSing
Network DoS - Layer 2 loop without STP
Bandwidth DoS - Downloading multi-gigabyte Linux distributions over a DSL line
Distributed Denial of Service (DDoS)
Launch an army of computers to bring down a service
This is why the bad guys have botnets
Asymmetric threat
DDOS amplification
Turn your small attack into a big attack
An increasingly common DDoS technique
Uses protocols with little (if any) authentication or checks - NTP, DNS, ICMP
DNS Amplification
Botnet C&C sends a single message to the botnet
Bots send spoofed DNS requests
DNS resolvers send amplified DNS responses to the web server
Effective social engineering
Constantly changing - You never know what’s next
May involve multiple people
May be in person or electronic - email, phone
Social engineering principles
- Authority
- Intimidation
- Consensus / Social proof
- Scarcity
- Urgency
- Familiarity / Liking
- Trust
Authority
The social engineer is in charge
• I’m calling from the help desk/office of the CEO/police
Intimidation
There will be bad things if you don’t help
If you don’t help me, the payroll checks won’t be processed
Consensus / Social proof
Convince based on what’s normally expected
• Your co-worker Jill did this for me last week
Scarcity
The situation will not be this way for long
Must make the change before time expires
Urgency
Works alongside scarcity - Act quickly, don’t think
Familiarity / Liking
Someone you know, we have common friends
Trust
Someone who is safe
I’m from IT, and I’m here to help
Insider threats
- Significant security issues
- Harms reputation
- Critical system disruption
- Loss of confidential or proprietary information
- Innocent employees - Phishing scams, hacking scams
- Disgruntled employees - Someone is out to get you
- Careless employees - Using a laptop for personal use
- Defense in depth - Cover all possible scenarios
Logic Bomb
• Waits for a predefined event
• Often left by someone with a grudge
Time bomb
• Time or date
• User event
Logic bomb
• Difficult to identify
• Difficult to recover if it goes off
Preventing a logic bomb
Difficult to recognize - Each is unique
• No predefined signatures
• Process and procedures - Formal change control
• Electronic monitoring - Alert on changes - Host-based intrusion detection, Tripwire, etc.
• Constant auditing - An administrator can circumvent existing systems
Rogue access points
A significant potential backdoor
Very easy to plug in a wireless AP
Schedule a periodic survey
Consider using 802.1X (Network Access Control)
Wireless evil twins
Buy a wireless access point
Configure it exactly the same way as an existing network
Overpower the existing access points
WiFi hotspots are easy to fool
You encrypt your communication, right?
Wardriving
Combine WiFi monitoring and a GPS
Huge amount of intel in a short period of time
All of this is free - Kismet, inSSIDer - Wireless Geographic Logging Engine - http://wigle.net
Always an alternative - Warflying, warbiking
Phishing
Often delivered by spam, IM, etc. - Very remarkable when well done
- Check the URL
- Usually there’s something not quite right
• Spelling, fonts, graphics
• Vishing is done over the phone
• Fake security checks or bank updates
Spear phishing
Phishing with inside information
Makes the attack more believable
Whaling
Spear phishing the CEO is “whaling”
Ransomware
Locks your computer “by the police”
The ransom may be avoided
• A security professional may be able to remove these kinds of malware
Crypto-malware
New generation of ransomware
Malware encrypts your data files
You must pay the bad guys to obtain the decryption key
Protecting against ransomware
Always have a backup
Keep your operating system & applications up to date - patches
Keep your anti-virus/anti-malware signatures up to date
DNS Poisoning
- Modify the DNS server
- Modify the client host file
- Send a fake response to a valid DNS request
• Requires a redirection of the original request or the resulting response
1. User 1 performs a normal DNS query to the DNS server
2. Bad guy modifies the DNS records and changes the IP address
3. User 2 performs the same DNS query as User 1, but now the poisoned DNS entry is returned
Spoofing
Pretend to be something you aren’t
Email address spoofing
• The sending address of an email isn’t really the sender
Caller ID spoofing
• The incoming call information is completely fake
Man-in-the-middle attacks
• The person in the middle of the conversation pretends to be both endpoints
MAC spoofing
Your Ethernet device has a MAC address
Most drivers allow you to change this
Changing the MAC address can be legitimate
It might not be legitimate
Very difficult to detect
IP address spoofing
Take someone else’s IP address
Can be legitimate
May not be legitimate
Easier to identify than MAC address spoofing
Spoofing (cont.) - ARP poisoning
A legitimate response to an ARP request is received from the default gateway. The ARP response is cached on the local device.
An attacker sends an ARP response that spoofs the IP address of the router and includes the attacker’s MAC address. The malicious ARP information replaces the cached record, completing the ARP poisoning.
Wireless Deauthentication
• A significant wireless denial of service (DoS) attack
802.11 management frames
802.11 wireless includes a number of management features
Important for the operation of 802.11 wireless
Original wireless standards did not add protection for management frames
Protecting against disassociation
IEEE has already addressed the problem
802.11w is required for 802.11ac compliance
Brute force
The password is the key
Brute force attacks - Online
• Keep trying the login process
• Very slow
• Most accounts will lock out after a number of failed attempts
Brute force the hash - Offline
• Obtain the list of users and hashes
• Calculate a password hash, compare it to a stored hash
• Large computational resource requirement
Dictionary attacks
People use common words as passwords
If you’re using brute force, you should start with the easy ones
• password, ninja, football
• Many common wordlists available on the ‘net
• Some are customized by language or line of work
• This will catch the low-hanging fruit
• You’ll need some smarter attacks for the smarter people
VLAN hopping
“Hop” to another VLAN - this shouldn’t happen
• Two primary methods - Switch spoofing and double tagging
Switch spoofing
Some switches support automatic configuration
There’s no authentication required
Can send and receive from any configured VLAN
Switch administrators should disable trunk negotiation
• Administratively configure trunk interfaces and device/access interfaces
Man-in-the-middle
• Redirects your traffic
• Then passes it on to the destination
• You never know your traffic was redirected
• ARP poisoning - works because ARP has no security
Vulnerabilities and exploits
Vulnerability
A weakness in a system
Exploit
Take advantage of a vulnerability
Gain control of a system
Modify data
Disable a service
Zero-day attacks
Zero-day
• The vulnerability has not been detected or published
• Zero-day exploits are increasingly common
• Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/
Device Hardening
- Changing default credentials
- Avoid common passwords
- Upgrading firmware
- File hashing
- Disabling unnecessary services
- Watching the network
- Secure protocols - SSH, SFTP, SNMPv3, TLS/SSL, IPsec
- Generating new keys
- Disabling unused TCP and UDP ports
- Disabling unused interfaces
Mitigation Techniques
IPS signature management
Device hardening
The native VLAN -Change the native VLAN number (e.g., VLAN 999)
Privileged accounts - Elevated access to one or more systems
FIM (File Integrity Monitoring)
Restricting access via ACLs - device ACLs to limit access
Honeypots - Attract the bad guys - and trap them there
Penetration testing - Simulate an attack
Switch Port Protection
- Loop protection
- BPDU guard
- Root guard
- Flood guard
- DHCP snooping
Loop protection
IEEE standard 802.1D to prevent loops in bridged (switched) networks (1990)
• Created by Radia Perlman
• Used practically everywhere
BPDU guard
PortFast -Bypass the listening and learning states
If a BPDU frame is seen on a PortFast configured interface (i.e., a workstation), shut down the interface
• This shouldn’t happen - Workstations don’t send BPDUs (Bridge Protocol Data Units)
Root guard
Root guard allows you to pick the root
• Cisco feature
• Prevents a rogue root bridge
• If your root bridge receives a superior STP BPDU on a root guard port, root guard changes the interface status to “root-inconsistent” (listening)
• This effectively disables the interface to the rogue root
Flood guard
Configure a maximum number of source MAC addresses on an interface
• You decide how many is too many
• You can also configure specific MAC addresses
• The switch monitors the number of unique MAC addresses
• Maintains a list of every source MAC address
• Once you exceed the maximum, port security activates
• Interface is usually disabled by default
DHCP snooping
IP tracking on a layer 2 device (switch)
Switch watches for DHCP conversations
Filters invalid IP and DHCP information
Network Segmentation
Segmenting the network
Physical segmentation
DMZ
Physical segmentation
Separate device
• Multiple units, separate infrastructure
Logical segmentation with VLANs
Virtual Local Area Networks (VLANs)
• Separated logically instead of physically - Cannot communicate between VLANs without a Layer 3 device / router
Network Troubleshooting Methodology
- Identify the problem
- Establish a theory of probable cause
- Test the theory to determine cause
- Establish a plan of action to resolve the problem and identify potential effects
- Implement the solution or escalate as necessary
- Verify full system functionality and, if applicable, implement preventative measures
- Document findings, actions and outcomes
Hardware Tools
- Cable crimper
- Cable tester
- Punch-down Tool
- TDR / OTDR
- Light meter
- Toner Probe
- Loopback plug
- Multimeter
- Spectrum analyzer
Cable crimper
- “Pinch” the connector onto the wire
- The final step of a cable installation
- Metal prongs push through insulation
Cable tester
Continuity testing
Identify missing pins, crossed wires
Not used for advanced testing
Punch-down Tool
Forces wire into a wiring block
Trims the wires and breaks the insulation
TDR / OTDR
(Optical) Time Domain Reflectometer
• Estimate fiber lengths, measure signal loss, determine light reflection, create wire maps
• May require additional training
Light meter
Send a light from one side
• Measure the light power on the other
Toner Probe
Puts an analog sound on the wire
• Inductive probe doesn’t need to touch the copper
Loopback plug
• Useful for testing physical ports
• Serial, Ethernet, T1, fiber
• These are not crossover cables
Multimeter
AC/DC voltages
• Continuity, wire mapping
Spectrum analyzer
View the frequency spectrum
• Identify frequency conflicts
Software Tools
Protocol analyzer
Network / port scanner
Wireless packet analysis
Speed test sites
Protocol analyzer
Capture and display network traffic
• Use a physical tap or redirect on the switch
Network / port scanner
• Scan for open ports and IP addresses
• Visually map the network
• Rogue system detection
Wireless packet analysis
View wireless information
• Signal-to-noise ratio, channel information, etc.
Speed test sites
Bandwidth testing
• Pre- and post-change analysis
• Not all sites are the same
Command Line Tools
- ping - Test reachability
- traceroute - Determine the route a packet takes to a destination
- nslookup and dig - Lookup information from DNS servers
- ipconfig and ifconfig - View and manage IP configuration
- iptables - Packet filtering
- netstat - Display network statistics
- tcpdump
- Nmap
- route - View the device’s routing table
- arp - Address resolution protocol information
ping - Test reachability
• ping - Test reachability to a TCP/IP address
• ping -t - Ping until stopped with Ctrl-c
• ping -a - Resolve address to a hostname
• ping -n - Send # of echo requests
• ping -f - Send with Don’t Fragment flag set
traceroute
Takes advantage of the ICMP Time to Live Exceeded error message
• Not all devices will reply with ICMP Time Exceeded messages
nslookup
• nslookup
• dig
ipconfig and ifconfig
ipconfig - Windows TCP/IP config
• ipconfig /all - Display all IP configuration details
• ipconfig /release - Release the DHCP lease
• ipconfig /renew - Renew the DHCP lease
• ipconfig /flushdns - Flush the DNS resolver cache
ifconfig - Linux interface configuration
iptables - Packet filtering
Linux iptables - filter packets in the kernel
• Simple data blocks - ignores state
• Usually placed on a device or server
netstat - Display network statistics
• netstat -a - Show all active connections
• netstat -b - Show binaries
• netstat -n - Do not resolve names
tcpdump
Capture packets from the command line
• Available in most Unix/Linux operating systems
• Included with Mac OS X, available for Windows (WinDump)
• Apply filters, view in real-time
• Written in standard pcap format
pathping
• Combination of ping and traceroute
Nmap
Network mapper - find network devices
• Port scan - Find devices and identify open ports
• Operating system scan - Discover the OS without logging in to a device
• Service scan - What service is available on a device? Name, version, details
• Additional scripts - Nmap Scripting Engine (NSE)
route - View the device’s routing table
route print - View the Windows routing table
arp
• arp -a - View the local ARP table