CIS 225 Chapter 12
Wireless Networking: 802.11ad
Wireless Gigabit Alliance. This standard supports data transmission rates up to 7 Gbps, more than 10 times faster than the highest 802.11n rate.
Wireless Storage Devices
Wireless digital and video cameras; wireless printers with storage capacity; wireless network-attached storage (NAS) devices; tablets and smartphones; wireless digital video recorders (DVRs); wireless game consoles.
Wireless Network Discovery Tools
NetStumbler, MacStumbler, iStumbler
Snort
Primarily used as an open source intrusion detection system; can also function as a robust packet sniffer with many configuration options.
HTTP Commands: POST
Request to append to a webpage
HTTP Commands: GET
Request to read a webpage
HTTP Commands: HEAD
Request to read just the head section of a webpage
Well-known ports
0-1023
Registered ports
1024-49151
Dynamic ports
49152-65535
Ports
A number that identifies a channel in which communication can occur; 65,635 possible ports. Knowing what port a packet was destined for (or coming from) tells you what protocol it was using.
Collecting Data
All the traffic going through a firewall is part of a connection. A connection consists of two IP addresses communicating with each other and two port numbers that identify the protocol or service. Attempts on the same set of ports from many different Internet sources are usually due to decoy scans. Carefully check firewall logs for any sort of connections or attempted connections on those ports. Use protocol analysis to determine who the attacker is.
OSI Model
Application, Presentation, Session, Transport, Network, Data Link, Physical
TCP/IP Model
Application, Transport, Internet, Network Access
54320/54321 Important Intruder Ports
BO2K (malware)
31337 Important Intruder Ports
Back Orifice (malware)
6666 Important Intruder Ports
Beast (malware)
Application filter
Combines stateful packet inspection with scanning for specific application issues. Example: a Web Application Firewall (WAF) scans for typical web attacks such as SQL injection and cross-site scripting.
HTTP Commands: LINK
Connects two existing resources
Routers in Detail
Determine where to send information from one computer to another. Routers are specialized computers that send your messages, and those of every other Internet user, to their destinations along thousands of pathways. They maintain a routing table to keep track of routes; some routes are programmed manually, many are "learned" automatically by route
Stateful packet inspection (SPI) firewall
Examines each and every packet, denying or permitting it based not only on the current packet but also on previous packets in the conversation. The firewall is aware of the context in which a specific packet was sent. SPI firewalls are far less susceptible to ping floods, SYN floods, and spoofing.
DoS:
Overwhelming a system with requests
Wardriving
Process of driving around an area while a passenger in the vehicle scans for insecure, or weakly secured, wireless networks. Participants then attempt to breach the targets they find.
show version
Provides a significant amount of hardware and software detail about the router. It displays the platform, operating system version, system image file, any interfaces, the amount of RAM the router has, and the number of network and voice interfaces there are.
3389 Important Intruder Ports
Remote Desktop
Router Forensics
A router is a hardware or software device that forwards data packets across a network to a destination network. It may contain: read-only memory (ROM) with power-on self test code; flash memory containing the router's operating system; nonvolatile random access memory (RAM) containing configuration information; volatile RAM containing routing tables and log information.
993
Secure IMAP or Encrypted IMAP
HTTP Response Messages 500-599
Server-side errors
Network-based firewalls
Span an entire network; filter all traffic passing in and out of a network or network segment; incorporate enterprise-grade network services: VPN, enterprise-class encryption protocols, and enterprise-class security services.
Packet Filter Firewall
The most basic type of firewall. Filters incoming packets and either allows them entrance or denies them passage based on a set of rules. Also referred to as a screened firewall. Can filter packets based on packet size, protocol used, source IP address, and so on. Many routers offer this type of firewall option in addition to their normal routing functions.
Wireless Networking: 802.11b
This standard operated at 2.4 GHz and had an indoor range of 125 feet with a bandwidth of 11 megabits per second (Mbps).
Wireless Networking: 802.11n
This standard was a tremendous improvement over preceding wireless networks. It obtained a bandwidth of 100 to 140 Mbps. It operates at frequencies of 2.4 or 5.0 GHz, and has an indoor range of up to 230 feet.
Wireless Networking: 802.11a
This was the first widely used Wi-Fi standard. It operated at 5 GHz and was relatively slow.
Cyclical Redundancy Check (CRC)
Almost always in the trailer, not the header. Ethernet uses a 32-bit cyclic redundancy check (CRC). The sender calculates the CRC using a very complex calculation on the source address, destination address, length, payload, and pad, if any. The four-octet (32-bit) result is stored in the trailer by the sender and the frame is transmitted. The receiving device repeats the exact same calculation as the sender and compares the result with the value stored in the trailer. If the values match, the frame is good and the frame is processed. But if the values do not match, the receiving device has a decision to make. The decision is made consistently based upon the protocol involved. In the case of Ethernet, the receiver discards the errored frame and sends no indication whatsoever that the frame has been discarded. The receiver usually does, however, update some internal counter, which can be queried to say how many frames were discarded. There is also a counter that says how many frames arrived and passed the CRC check.
Router Attacks: Router table poisoning
An attacker alters the routing data update packets that the routing protocols need, resulting in incorrect entries in the routing table. Incorrect router table entries can result in: artificial congestion; the router becoming overwhelmed; an attacker being allowed access to data in the compromised network.
Ethernet header
Has the source and destination MAC addresses.
Switch
Prevents traffic jams by ensuring that data goes straight from its origin to its proper destination. Switches remember the address of every node on the network and anticipate where data needs to go. A switch operates only with the computers on the same LAN because it operates based on the MAC address in a packet, which is not routable. It cannot send data out to the Internet or across a wide area network (WAN). These functions require a router.
TCP Header Bits of Interest: RST (1 bit)
Resets the connection.
Christmas Tree Scan
Sends a TCP packet to the target with the URG, PUSH, and FIN flags set (alternating bits turned on and off in the flags byte). The server responds with an RST flag.
show logging
Shows router log events.
show interfaces
Shows which interfaces are up.
Router
Similar to a switch, but it can also connect different logical networks or subnets and enable traffic that is destined for the networks on the other side of the router to pass through. Routers utilize the IP address to determine the path of outgoing packets and work at the Network Layer of the OSI model. Modern routers are complex devices. They handle packets, often have firewall and Dynamic Host Configuration Protocol (DHCP) capabilities, are programmable, and maintain logs.
HTTP Response Messages 200-299
"OK" messages, meaning that whatever the browser requested, the server successfully processed
Functions of Data Link Layer
Framing - The physical layer delivers raw bits from the source to the destination. During transmission, the value of the bits can change, and the number of bits received may differ from the number of bits sent. To resolve this, the data link layer organizes the bits into manageable data units called frames. Physical Addressing - The data link layer adds a header to the frame that contains the physical address (MAC address) of the sender or receiver. Flow Control - The sending and receiving nodes may operate at different speeds: the sender may transmit faster than the receiver can accept. The rate of data transmission between two nodes must be controlled to keep them in synchronization; this process is called flow control. Error Control - Error control detects and corrects errors. If a frame is lost or corrupted during transmission, the data link layer retransmits that frame. It also prevents duplication of frames.
Wireless Networking: 802.11n-2009
This technology gets bandwidth of up to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. It uses multiple-input multiple-output (MIMO), which uses multiple antennas to coherently resolve more information than possible using a single antenna.
Network Packet: Trailer
Contains error-checking data to detect errors that occur during transmission. May be part of the Ethernet or Point-to-Point Protocol (PPP) frame or other Layer 2 protocol. The TCP (OSI model Layer 4) and IP (OSI model Layer 3) portions of a unit of information transfer contain only a header and payload. However, if the Layer 2 portion of a unit of information transfer is analyzed, then in addition to a header and payload there is also a part at the end called the trailer.
The payload
Contains the content (data); variable length.
Teardrop Attack
Exploits the reassembly of fragmented IP packets by manipulating the fragment offset field, which indicates the starting position (offset) of the data in a fragment relative to the data of the original unfragmented packet.
RSA NetWitness
Threat analysis software/protocol analyzer. Captures raw packets from wired and wireless interfaces; analyzes real-time data throughout the seven layers; filters by Media Access Control (MAC) address, Internet Protocol (IP) address, user, and more. Freely available threat analysis software.
Nmap/ZenMap
Allows the user to map out what ports are open on a target system and what services are running. Is a command-line tool, but has a Windows interface called Zenmap. Popular with hackers because it can be configured to operate stealthily and determine all open ports on an individual machine, or on all machines in an entire range of IP addresses. Popular with administrators because of its ability to discover open ports on the network.
Smurf Attack
An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim.
Ping Flood
An attack that uses the Internet Control Message Protocol (ICMP) to flood a victim with packets.
Functions of Session Layer:
Dialog Control - The session layer is responsible for setting up sessions between devices. It allows two devices to enter into dialog (communication process). These dialogs can take place either in half-duplex or full duplex mode. Synchronization - At the session layer, checkpoints (synchronization bits) are added into a stream of data to synchronize the sessions. For example, if a device is sending a file of 1000 pages, then you can insert checkpoints after every 100 pages to ensure that these 100 pages are received without an error and acknowledged independently. If an error occurs while transmitting page 631, the only pages that should be retransmitted are from 601 to 631. Previous pages need not be resent.
23476/23477 Important Intruder Ports
Donald Dick (malware)
Functions of Presentation Layer
Encryption - The presentation layer encrypts the data before it passes to the session layer. Encryption is the process of converting readable data into an unreadable format so that the information is protected from unauthorized access. On the receiving side, the presentation layer decrypts the data back into readable format and passes it to the application layer. Compression - The presentation layer compresses data into fewer bits (reducing the size of the data) so that it travels across the network faster and consumes less space. This is important when transmitting multimedia information such as text, audio, and video.
TCP Connection Termination
Because a TCP connection is two-way, it needs to be "torn down" in both directions, which uses four packets. The first system sends a TCP packet with the ACK and FIN flags set, requesting termination. The second system sends an ACK response. The second system then sends a packet with the ACK and FIN flags set. The first system returns an ACK response.
HTTP Commands: UNLINK
Breaks an existing connection between two resources
Functions of Physical Layer:
Characteristics of media - Defines the characteristics of the interface used for connecting the devices. It also defines the type of transmission media, such as copper wires or fiber optic cables. Encoding - Defines the encoding type. Encoding means transforming the bit stream: before transmission, the physical layer encodes the signal into electrical or optical form depending on the media. Transmission Rate - Defines the transmission rate of bits, that is, the number of bits transmitted per second, which determines the duration of each bit. Transmission Mode - Defines the transmission mode between two devices. Transmission mode specifies the direction of signal flow. The different types of transmission modes are simplex, half duplex, and full duplex. Topology - The pattern that defines how devices are connected in a network. Different types of network topology are: Single Node, Ring, Bus, Mesh, Tree, and Hybrid.
HTTP Response Messages 400-499
Client errors
Functions of Transport Layer
Connection Control - The transport layer provides either connection-oriented or connectionless service. Flow Control - The data link layer provides flow control of data across a single link. Error Control - The transport layer also performs error checking. It confirms that data reached the destination without error.
Network packets
Information that is sent across a network is divided into chunks, called packets. Packets exist in the OSI model at Layer 3 and are typically formatted according to the Internet Protocol—though you may come across many other protocols and their unique formats.
HTTP Response Messages 100-199
Informational; the server is giving your browser some information, most of which will never be displayed to the user
636
Lightweight Directory Access Protocol Secure (LDAPS) (SSL or TLS)
Log Files as Source of Evidence
Log files contain primary records of a person's activities on a system or network. Log files can often identify: the source, nature, and time of an attack; the specific user account associated with events related to illicit activities.
Types of Logs: Security event
Log files from servers and Windows security event logs on domain controllers, for instance, can attribute activities to a specific user account. This may lead you to the person responsible. Intrusion detection systems (IDSs) record events that match known attack signatures, such as buffer overflows or malicious code execution. Configure an IDS to capture all the network traffic associated with a specific event. In this way, you can discover what commands an attacker ran and what files he or she accessed. You can also determine what files the criminal downloaded, such as malicious code, or uploaded, such as files copied from the system.
Functions of Network Layer
Logical Addressing - The data link layer provides physical addressing, which is useful for a local network. When a packet is destined for a device outside the network, another addressing scheme is required to identify source and destination. The network layer adds a header to the data that includes the logical address (IP address) of the source and destination. It is a 32-bit address that uniquely identifies the device connected to the network. Routing - Defines the proper path for a packet to reach its correct destination. Routing can be of two types, static or dynamic. Handling Congestion Issues - Any given network has a certain capacity to deliver or handle a number of packets. When packets exceed that handling capacity, congestion occurs. It is the responsibility of the network layer to control such congestion problems. Inter-networking - Inter-networking means connecting two or more computer networks together. The Internet is the best example of inter-networking. Different types of networks exist in the real world, such as LAN, MAN, and WAN.
Network Traffic Analysis
Network monitoring: the big picture of what is happening on a network. Network analysis: discovers the details of what is happening on a network.
Function of Application Layer
Network Virtual Terminal - A software version of a physical terminal. It allows the user to log in to a remote computer connected to the network. File Transfer Access and Management (FTAM) - Helps the user access files on a remote computer and make changes. Users can edit the file directly on the remote computer or download it to their local computer. Mail Services - Helps forward e-mail to another device over the Internet.
Wireshark
Network protocol analyzer. Captures Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and other packets; analyzes real-time and saved data; runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and others; supports IPv4 and IPv6; allows Voice over IP (VoIP) analysis; freely available.
Packet Mistreating
Occurs when a compromised router mishandles packets; results in congestion in a part of the network.
Types of Logs: Operating system event
Operating systems log certain events, such as the use of devices, errors, and reboots. Operating system logs can be analyzed to identify patterns of activity and unusual events.
995
POP3 Secure (encrypted POP3)
431888 Important Intruder Ports
Reachout (malware)
HTTP Response Messages 300-399
Redirect messages telling the browser to go to another URL
HTTP Commands: DELETE
Remove the webpage
Sniffer
Software or hardware that can intercept and log traffic passing over a digital network. Extracts network packets and performs a statistical analysis on the dumped information. Commonly used sniffers include tcpdump (UNIX platforms) and WinDump.
FIN Scan
Sometimes a host may need to terminate a connection quickly, due to a port being unreachable or a timeout, for example, and can send a Reset (RST) packet. An initial SYN packet should never have FIN or RST associated with it; this indicates an attack or a malicious attempt to get by your firewall. In a FIN scan, a packet is sent with the FIN flag turned on. If the port is open, this generates an error message. Because there was no prior communication, an error is generated telling the hacker the port is open and in use.
Wireless Networking: 802.11ac
This standard was approved in January 2014. It has throughput of up to 1 Gbps, with at least 500 Mbps on a single link. It uses up to eight MIMO spatial streams.
Wireless Networking: 802.11g
There are still many of these wireless networks in operation, but you can no longer purchase new Wi-Fi access points that use it. This standard has an indoor range of 125 feet and a bandwidth of 54 Mbps. It includes backward compatibility with 802.11b.
Important Intruder Ports: 407
Timbuktu may have a legitimate use. Timbuktu is an open source alternative to PC Anywhere. It allows users to log on to a remote system and work as if they were sitting in front of the desktop. It is possible that technical support personnel are using Timbuktu to make support calls more efficient. But it is also possible that an intruder is logging on and taking over the system.
TCP Header Bits of Interest: URG (1 bit)
Traffic is marked as urgent, though this bit is rarely used. It is more common for the IP precedence bits to be used for priority when there is a need.
SYN Flood Attack
Type of DoS attack in which the attacker sends multiple SYN messages initializing TCP connections with a target host. The attacker sends a SYN; the server replies with SYN/ACK; the attacker sends another SYN; the server replies with SYN/ACK, and the pattern continues, taking up all the server's resources.
TCP Header Bits of Interest: ACK (1 bit)
Acknowledges the attempt to synchronize communications.
Remote-to-local
The attacker does not have a user account but exploits a vulnerability to gain access.
Banner grabbing
Attempts to connect to a web server on port 23 (Telnet) are evidence of a well-known old hacker trick: telnetting into a web server and grabbing the server's banner or banners. This allows the hacker to determine the exact operating system and web server software running, unless the system administrator has modified the banner to defeat this trick.
The IP header
Contains the source IP address, the destination IP address, and the protocol number of the protocol in the IP packet's payload. These are critical pieces of information.
The TCP header
Contains the source port, destination port, a sequence number, and several other fields. The sequence number is very important to network traffic; for example, knowing this is packet 4 of 10 is important. The TCP header also has synchronization bits that are used to establish and terminate communications between both communicating parties.
Transport Layer
The fourth layer of the OSI model. It converts the packets received from the network layer into segments and then transfers them to the upper layer. The transport layer ensures that the entire message arrives in order and handles error control and flow control at the source-to-destination level.
TCP Header Bits of Interest: FIN (1 bit)
Indicates there is no more data from the sender.
Types of Logs: Application
Application logs record the time, date, and application identifier. When someone uses an application, it produces a text file on the desktop system containing the application identifier, the date and time the user started the application, and how long that person used the application.
Types of Logs: Authentication
Authentication logs show accounts related to a particular event and the authenticated user's IP address. They contain date and timestamps as well as the username and IP address of the requestor.
Types of Logs: Network device
Network device logs, such as firewall and router logs, provide information about the activities that take place on the network. You can also coordinate and synchronize them with logs provided by other systems to create a more complete picture of an attack. For example, a firewall log may show access attempts that the firewall blocked. These attempts may indicate an attack. Log files can show how an attacker entered a network. They can also help find the source of illicit activities.
Ping of Death
Packets in excess of 65535 bytes are sent to the targeted machine.
UDP header
Still has a source and destination port number, but it lacks a sequence number and synchronization bits.
TCP Header Bits of Interest: SYN (1 bit)
Synchronizes sequence numbers.
TCP/IP vs. OSI
TCP/IP Application layer = OSI Application, Presentation, and Session layers; TCP/IP Transport layer = OSI Transport layer; TCP/IP Internet layer = OSI Network layer; TCP/IP Network Access layer = OSI Data Link and Physical layers.
Network Packet: Payload
The body or information content of a packet; the actual content that the packet is delivering to the destination. If the packet is fixed length, the payload may be padded with blank information or a specific pattern to make it the right size.
Session Layer
The fifth layer of the OSI model. This layer establishes, manages, synchronizes, and terminates connections between computers. It provides either half duplex or full duplex service.
TCP/IP Network Access Layer
The first layer of the four-layer TCP/IP model. The Network Access Layer defines details of how data is physically sent through the network, including how bits are electrically or optically signaled by hardware devices that interface directly with a network medium, such as coaxial cable, optical fiber, or twisted pair copper wire. The protocols included in the Network Access Layer are Ethernet, Token Ring, FDDI, X.25, Frame Relay, etc. The most popular LAN architecture among those listed is Ethernet. When Ethernet operates on a shared medium, it uses an access method called CSMA/CD (Carrier Sense Multiple Access/Collision Detection) to access the media. An access method determines how a host will place data on the medium. In the CSMA/CD access method, every host has equal access to the medium and can place data on the wire when the wire is free of network traffic. When a host wants to place data on the wire, it checks whether another host is already using the medium. If there is traffic already on the medium, the host waits; if there is no traffic, it places the data on the medium. But if two systems place data on the medium at the same instant, the transmissions collide, destroying the data. Data destroyed during transmission must be retransmitted: after a collision, each host waits for a small interval of time and then retransmits the data.
Physical Layer
The first or bottom-most layer of the OSI model, where all the physical connectivity of devices in a network takes place. It also defines the electrical and mechanical specifications, such as cables, connectors, and signaling options of the medium. It converts the data into binary bits and then transfers them to the data link layer.
Data Link Layer
The second layer of the OSI Model. It converts bits received from the physical layer into frames and then transfers them to the network layer.
TCP/IP Internet Layer
The second layer of the four-layer TCP/IP model. The Internet layer sits between the Network Access Layer and the Transport layer. The Internet layer packs data into data packets known as IP datagrams, which contain source and destination address (logical address or IP address) information that is used to forward the datagrams between hosts and across networks. The Internet layer is also responsible for routing IP datagrams. A packet-switching network depends upon a connectionless internetwork layer; this layer is known as the Internet layer. Its job is to allow hosts to insert packets into any network and have them delivered independently to the destination. At the destination, data packets may arrive in a different order than they were sent. It is the job of the higher layers to rearrange them in order to deliver them to the proper network applications operating at the Application layer. The main protocols included at the Internet layer are IP (Internet Protocol), ICMP (Internet Control Message Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol), and IGMP (Internet Group Management Protocol).
Application Layer
The seventh layer of the OSI model. It provides a means for the user to access information on the network using an application. It also supports services such as electronic mail, remote file access and transfer, and shared database management.
Presentation Layer
The sixth layer of the OSI model. This layer deals with the syntax and semantics of the data exchanged between two devices. It encrypts data to protect it from unauthorized access and also compresses it to reduce the size of the data.
Network Layer
The third layer of the OSI model. It converts the frames received from the data link layer into packets and then transfers them to the transport layer.
TCP/IP Transport Layer
The third layer of the four-layer TCP/IP model. The Transport layer sits between the Application layer and the Internet layer. The purpose of the Transport layer is to permit devices on the source and destination hosts to carry on a conversation. The Transport layer defines the level of service and the status of the connection used when transporting data. The main protocols included at the Transport layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
TCP/IP: Application Layer
The topmost layer of the four-layer TCP/IP model. It defines TCP/IP application protocols and how host programs interface with Transport layer services to use the network. It includes all the higher-level protocols such as DNS (Domain Name System), HTTP (Hypertext Transfer Protocol), Telnet, SSH, FTP (File Transfer Protocol), TFTP (Trivial File Transfer Protocol), SNMP (Simple Network Management Protocol), SMTP (Simple Mail Transfer Protocol), DHCP (Dynamic Host Configuration Protocol), X Windows, RDP (Remote Desktop Protocol), etc.
Null Scan
Turns off all flags, creating a packet with no TCP flags set (0000000). This would never happen in normal communication; it results in an error packet being sent back, as the server responds with an RST flag.
TCP Three-Way Handshake
Used by TCP to establish a session between two systems. The first system sends a packet with the SYN flag set. The second system responds with a packet that has the SYN and ACK flags set. The first system responds with a packet with the ACK flag set. The two systems have now started a session.
Forensic Network Analysis
Uses the tools and techniques of the network trade. Network monitoring helps get the "big picture" perspective, an insight into how networks and systems behave. Network analysis takes a deeper look at the traces between systems, networks, and intruders. Also referred to as "network forensic analysis": the analysis of network data to reconstruct network activity over a specific period of time. Commonly used to: reconstruct the sequence of events that took place during a network-based security incident; discover the source of security policy violations, vulnerabilities, or information assurance breaches; investigate individuals suspected of crimes.