Internet Security [1]

VU 188.366

Networking Basics

Christian Platzer, Matthias Neugschwandtner,

Markus Kammerstetter and Edgar Weippl

inetsec@iseclab.org
 Administration

• Online registration
– Open until 27.03.2013
• ~ 266 fellow aspirants so far
– TISS import will happen automagically after 21.03.2013

• Lab starts next week

– 21.03.2011
– Challenge 1 will be announced (sniffing, network tools)

• Exam
- Scheduled for 27th, maybe not enough room
- 26th as backup (18:00)

Internet Security 1 2
 Part 1

Part 1: Generic Security Issues

Internet Security 1 3
 Basic terminology

• Who is a “hacker“ ?

• What is a script kiddie?

• Why do people hack into systems?

Internet Security 1 4
 Basic terminology

• Who is a “hacker“ and who is a “cracker“?

• What is a script kiddie?

• Why do people hack into systems?

– Recognition
– Admiration
– Curiosity
– Power & Gain
– Revenge
– M.O.N.E.Y
Internet Security 1 5
 Security threats

Information Domain

• Leakage
– acquisition of information by unauthorized recipients. e.g.
Password sniffing

• Tampering:
– unauthorized alteration/creation of information (including
programs)
– e.g. change of electronic money order, installation of a rootkit

Internet Security 1 6
 Security threats

Operation Domain

• Resource stealing
– (ab)use of facilities without authorization (e.g. Use a high-
bandwidth infrastructure to issue DDOS attacks)

• Vandalism
– interference with proper operation of a system without gain (e.g.
flash bios with 0x0000)

Internet Security 1 7
 Methods of attacking

• Eavesdropping
– getting copies of information without authorization

• Masquerading
– sending messages with other‘s identity

• Message tampering
– change content of message

Internet Security 1 8
 Methods of attacking

• Replaying
– store a message and send it again later, e.g. resend a payment
message

• Exploiting
– using bugs in software to get access to a host

• Combinations
– Man in the middle attack
• emulate communication of both attacked partners (e.g., cause havoc
and confusion)

Internet Security 1 9
 Social engineering

• Popular non-technical attack method

– The art and science of getting someone to comply to your wishes

– Remember the film “Die hard 4”?

– Security is all about trust. Unfortunately, the weakest link, the
user, is often the target. (i.e., “Hit any user to continue” )
– Social engineering by phone
– Dumpster Diving
– Reverse social engineering

Internet Security 1 10
 Social engineering

• Only one solution

– User education
– Raising awareness

• Large companies now start to “attack” their own

employees
– e.g. Microsoft
– Targeted phishing attacks
– Even big players (Apple, Amazon, etc.) still have to learn
• Example follows

Internet Security 1 11
 Security 101 : Passwords

• Retina checks are currently not possible, so guard your password ;-)
– NEVER give your password to anyone
• Not even your Girl(Boy-)friend
– Make your password difficult for others to guess
– DO NOT change your password because someone tells you to

• Crackers might crack the following passwords:

– Words in any dictionary, Your user name, Your name, Names of people you
know, substituting some characters (a 0 (zero) for an o, or a 1 for an l)
– http://www.openwall.com/john/ (John, passwd cracker)

Internet Security 1 12
 Password examples
• The “Bad”
– acmilan1
– mymusic2
– bermuda6
– Konrad4868
– Master
– God

• The “Good”
– #bdiBuM1a
– Qa56Fge(/
– sdFOiKqw”=
– Somecommonwordsputtogethertoaverylongpassword
– Xkcd: Password Strength (http://xkcd.com/936/)

Internet Security 1 13
 Choosing a good password

• Guidelines…
– The longer the better (often not supported!)
– mix of lower- and upper-case chars, numbers, and punctuation marks
– take a phrase and try to squeeze it into eight characters
• e.g., this is an interesting lecture oh yeah == tiailoy
• Throw in a capital letter and a punctuation mark or a number or two (== 0Tiailoy4)
– Use your imagination!
– Never, ever use “security” questions!
• If you have to, put your password there and use a password safe

• Storage
– Password safes (Firefox Master Password, Keychains, etc.) are ok, if encrypted properly.
– Take care about the password-retrieval channel.
• Could involuntary cause an authorization-loop (daisy-chained accounts)
• Example: Epic Hack

Internet Security 1 14
 Part 2

Part 2: Technological Security

Internet Security 1 15
 OSI reference model

• Developed by the ISO to support open systems interconnection

– layered architecture, level n uses service of (n-1)

# Host A Host B
7 Application Layer Application Layer
6 Presentation Layer Presentation Layer
5 Session Layer Session Layer
4 Transport Layer Transport Layer
3 Network Layer Network Layer
2 Data Link Layer Data Link Layer
1 Physical Layer Physical Layer

Internet Security 1 16
 OSI reference model
• Physical Layer (1)
– Connect to channel / used to transmit bytes (= network cable)
– Repeater, Hub

• Data Link Layer (2)

– Error control between adjacent nodes
– Bridge, Switch (unmanaged)

• Network Layer (3)

– Transmission and routing across subnets
– Router

• Transport Layer (4)

– Ordering
– Multiplexing
– Correctness

Internet Security 1 17
 OSI reference model

• Session Layer (5)

– Support for session-based interaction
– e.g. communication parameters/communication state

• Presentation Layer (6)

– Standard data representation
– Encryption

• Application Layer (7)

– Application specific protocols

Internet Security 1 18
 Layer 1

Physical layer

Internet Security 1 19
 Layer 1

• Hardware
– Twisted Pair
– Coax
– Wireless transceiver
– Optical Cable
– Token Ring
– PLC (Power Line Communication)

Nothing you can easily control (physical security)

Internet Security 1 20
 Layer 2

Data link layer

Internet Security 1 21
 Layer 2 – Ethernet (II)

dest (48 bits) src (48 bits) type (16) data (46-1500 B) CRC (32)

0x0800 IP Datagram

In Reality:

22
 Layer 2 – Ethernet (II)
• Widely used link layer protocol

• Carrier Sense, Multiple Access

• Addresses: 48 bits (e.g. 00:38:af:23:34:0f)

– hardwired by the manufacturer
– That’s the MAC Address, every NIC has (LAN, Bluetooth, Wifi..)

• Type (2 bytes): specifies encapsulated protocol

– IP, ARP, RARP

• Data:
– min 46 bytes payload (padding may be needed), max 1500 bytes

• CRC (4 bytes)

Internet Security 1 23
 Tools / commands

• Wireshark (W/U)
– Captures network traffic

• ipconfig / ifconfig (W/U)

– Show interface configuration
– Display interface MAC address
– Change interface MAC address

• iwconfig (Unix only)

– Configure wireless interface
– Push power

Internet Security 1 24
 Layer 3

Network layer

Internet Security 1 25
 Internet Protocol (IP)

• Is the glue between hosts of the Internet

• Standardized in RFC 791

• Attributes of delivery
– Connectionless
– unreliable best-effort datagram
• delivery, integrity, ordering, non-duplication are NOT guaranteed
• i.e., they can be dropped, tampered with, replayed, spoofed, etc. (at
least in IPv4)

Internet Security 1 26
 IP Datagram

Internet Security 1 27
 IP Header fields

• Normal size: 20 bytes

• Version (4 bits):
– current value = 4 (IPv4)

• Header length (4 bits):

– number of 32 bit words in the header, including IP options

• Type of service
– priority (3 bits), QOS(4), unused bit

• Total length: total size of the IP header and data

• Identifier (16): datagram identification

– +1 incremented

Internet Security 1 28
 IP Header
• Flags (3) and Offset (13 bits)
– used for fragmentation of datagrams

• Time To Live (8 bits):

– Allowed number of hops in the delivery process. Initially meant to entitle seconds between hops.

• Protocol (8bits):
– specifies the type of protocol which is encapsulated in the datagram (TCP, UDP)

• Header checksum (16):

– checksum calculated over the IP header.

• Addresses (32+32 bits)

– specify source and destination

Internet Security 1 29
 IP Options

• Variable length

• Identified by first byte

– security and handling restrictions:
– Record route: ip addresses of routers are stored
– Time stamp: each router records its timestamp
– Source route:
• specifies a list of IP addresses that the datagram has to traverse
– loose: prefer these hosts
– strict: only use the specified hosts (route)

Internet Security 1 30
 Direct IP delivery

• Hosts directly connected on a local network

• Problem:
– Link layer uses 48 bit Ethernet addresses
– network layer uses 32 bit IP addresses
– we want to send an IP datagram
– but we only can use the Link Layer to (really) do this

• Encapsulate IP datagram in Ethernet datagram

– need to map destination IP address to Ethernet address
 IP Encapsulation

• How are IP datagrams transferred over a LAN?

Solution: Encapsulation + direct delivery (to MAC)

IP Header IP Data
e.g. Ethernet

Frame header Frame data

Internet Security 1 32
 Address Resolution Protocol (ARP)

• Service at the link-level, RFC 826

– maps network-addresses to link-level addresses

• Host A wants to know the hardware address associated

with IP address of host B
– A broadcasts ARP message on physical link layer including its own
mapping
– B answers A with ARP answer message
 ARP

dest (6 byte) src (6 byte) type (2) data CRC (4)

0x0800 IP Datagram

0x0806 ARP
 ARP Message Format

hardware type (2 byte) protocol type (2 byte)

hw.adr.size (1 prot. adr. size opcode (2 byte)
byte) (1 byte)
sender Ethernet address (6 byte)
sender IP address (4 byte)
target Ethernet address (6 byte)
target IP address (4 byte)
 Sending an IP Packet

• Assume host A wants to send an IP packet to host B and that all

ARP caches are empty

• A sends (broadcast) ARP request for IP-B

– what is the Ethernet address associated with IP-B?
– ARP cache in B is filled with mapping for IP-A

• B sends ARP reply to A

– my Ethernet address is ...!
– ARP cache on A is filled with mapping for IP-B

• A sends encapsulated IP datagram on link level to B

 Direct IP delivery

192.168.0.7
ff:ff:fa:22:11:87

192.168.0.2 switch/ 192.168.0.99

fa:02:41:11:11:11 hub ff:ff:fa:3a:22:10

Who has 192.168.0.7?

192.168.0.33
ff:02:a4:12:34:56
 Direct IP delivery
ARP Request
192.168.0.7
From: To: ff:ff:fa:22:11:87
fa:02:41:11:11:11 ff:ff:ff:ff:ff:ff

192.168.0.2 192.168.0.7

192.168.0.2 switch/ 192.168.0.99

fa:02:41:11:11:11 hub ff:ff:fa:3a:22:10

Who has 192.168.0.7?

192.168.0.33
ff:02:a4:12:34:56
 Direct IP delivery
ARP Request
192.168.0.7
From: To: ff:ff:fa:22:11:87
fa:02:41:11:11:11 ff:ff:ff:ff:ff:ff
fa:02:41:11:11:11
192.168.0.2 192.168.0.7
192.168.0.2

192.168.0.2 switch/ 192.168.0.99

fa:02:41:11:11:11 hub ff:ff:fa:3a:22:10

fa:02:41:11:11:11

Who has 192.168.0.7? 192.168.0.2

192.168.0.33
ff:02:a4:12:34:56

fa:02:41:11:11:11

192.168.0.2
 Direct IP delivery
ARP Reply
192.168.0.7
From: To: ff:ff:fa:22:11:87
ff:ff:fa:22:11:87 fa:02:41:11:11:11
fa:02:41:11:11:11
192.168.0.7 192.168.0.2 I have 192.168.0.7! 192.168.0.2

192.168.0.2 switch/ 192.168.0.99

fa:02:41:11:11:11 hub ff:ff:fa:3a:22:10

fa:02:41:11:11:11

192.168.0.2

192.168.0.33
ff:02:a4:12:34:56

fa:02:41:11:11:11

192.168.0.2
 Direct IP delivery
ARP Reply
192.168.0.7
From: To: ff:ff:fa:22:11:87
ff:ff:fa:22:11:87 fa:02:41:11:11:11
fa:02:41:11:11:11
192.168.0.7 192.168.0.2 I have 192.168.0.7! 192.168.0.2

192.168.0.2 switch/ 192.168.0.99

fa:02:41:11:11:11 hub ff:ff:fa:3a:22:10

ff:ff:fa:22:11:87 fa:02:41:11:11:11

192.168.0.7 192.168.0.2

192.168.0.33
ff:02:a4:12:34:56

fa:02:41:11:11:11

192.168.0.2
 Direct IP delivery
IP packets
192.168.0.7
From: To: ff:ff:fa:22:11:87
fa:02:41:11:11:11 ff:ff:fa:22:11:87
fa:02:41:11:11:11
192.168.0.2 192.168.0.7
192.168.0.2

192.168.0.2 switch/ 192.168.0.99

fa:02:41:11:11:11 hub ff:ff:fa:3a:22:10

ff:ff:fa:22:11:87 fa:02:41:11:11:11

192.168.0.7 192.168.0.2

192.168.0.33
ff:02:a4:12:34:56

fa:02:41:11:11:11

192.168.0.2
 Tools / commands

• ipconfig / ifconfig (W/U)

– Show interface configuration
– Display interface MAC address

• arp (W/U)
– Lists arp mappings
– Can edit arp cache entries

• ping (W/U)
– Probes a specific IP address

Internet Security 1 43
 IP addresses

• IP addresses in IPv4 are 32 bit numbers, represented as dotted-

decimal notation:
– 10000000 10000011 10101100 00000001 = 128.131.172.1

• If all 232 available IP addresses are in the same network, we are done
– Direct delivery suffices. 

• If not, we need to group IP Addresses…

Subnetting

Internet Security 1 44
 IP subnetting

• Subnet Membership is expressed through Subnetmask

– All IP’s in the same Subnet : Direct delivery
– IP’s in foreign Subnet: Send IP Packet to Gateway

• Example:
IP: 192.168.1.16 Subnetmask: 255.255.255.0 Gateway: 192.168.1.1
Sends IP Packet to 192.168.1.77
Destination Network = IP AND Subnetmask
For 192.168.1.16 192.168.1.0
Match! (direct delivery)
For 192.168.1.77 192.168.1.0
Otherwise: Send to Gateway

Internet Security 1 45
 Special IP addresses

• Loopback interface (localhost): 127.0.0.1

• Broadcasts
– all bits set to 1: local broadcast
– only last bits set to 1: directed broadcast to other Network

• Reserved addresses (RFC 1597) - non routable

– 10.0.0.0 - 10.255.255.255
– 172.16.0.0 - 172.31.255.255
– 192.168.0.0 - 192.168.255.255

Internet Security 1 46
 Fragmentation

• Used if encapsulation in lower level protocol demands to split the

datagram into smaller portions
– when datagram size is larger than data link layer MTU
– (=Maximum Transmission Unit)

• Each fragment is delivered as a separate IP datagram

• Controlled using 2 bits IP-flags + 13 bits offset

• If fragmentation would be necessary, but don‘t fragment bit is set -> Error
message (ICMP) is sent to sender

• If one fragment is distorted or lost, the entire datagram is discarded

Internet Security 1 47
 IP Datagram

Internet Security 1 48
 Layer 2/3 Attacks

Network layer

Internet Security 1 49
 Fragmentation attacks

Ping of death (Teardrop attack):

violate maximum IP datagram size

• Ping normally uses 64 bytes payload.

• With fragmentation, an IP packet with size > 65535 could
be sent

Internet Security 1 50
 Fragmentation attacks
IP fragment overwrite:
fool the firewall

• IP datagram containing Layer 4 traffic (like TCP) is fragmented

• Layer 4 header contains allowed port (e.g. 80)
• => firewall lets this packet pass
• data is sent fragmented
• one packet contains frag-offset=1: header, including the port, will
be overwritten (e.g. new port = 23).
• after packet has been reassembled completely, it will be delivered
to the new port

Internet Security 1 51
 Defense

• Fragmentation:
– Re-assemble IP Datagram on Firewall / IDS
• Usually done within the OS stack
– Sanity checks on IP Header
– Fix OS Bugs

Internet Security 1 52
 LAN Attacks

• Goals:
– Information Recovery
– Impersonate Host
– Tamper with delivery mechanisms

• Methods:
– Sniffing
– IP Spoofing
– ARP attacks

Internet Security 1 53
 Network sniffing
• Eavesdrop on a shared communication medium

• Many protocols transfer authentication information in

cleartext => collect username/password etc.

• Particularly worry-some: Wireless networks

Host 2 Sniffer
Host 1 Host 3
(192.168.0.3)
(192.168.0.2) (192.168.0.5)

Internet Security 1 54
 Network sniffing

Is sniffing also possible at switched Ethernet, where the

switch only forwards the right packets to your host? YES!

• MAC flooding
– Switch maintains table with MAC address/port mappings
– flooding switch with bogus MAC addresses will overflow table
– switch will revert to hub mode

• MAC duplicating/cloning
– You can reconfigure your NIC’s MAC addresses
– switch will record this in table and sends traffic to you

• Poll: Honestly, who already did this?

Internet Security 1 55
 Tools / commands

• Wireshark (W)
– Does the sniffing
– Decodes Headers for you
– Reassembles fragmented IP packets etc.

• macof (Unix only)

– Floods a network with random arp messages

• packeth (Unix only)

– GUI interface to craft arbitrary packets

Internet Security 1 56
 Countermeasures

• Sniffers
– sniffer attempts to resolve names associated with IP addresses
– trap: generate connection from fake IP => detect DNS traffic
– Latency

• Mac flooding
– Use port security
– Managed switches

Internet Security 1 57
 IP Spoofing

• Impersonating another host by sending a datagram with a

faked IP-address (Layer 3 attack)
– IP addresses are NOT authenticated
– used to impersonate sources of security-critical info

Host 1 Host 2 Sniffer Server

(192.168.0.2) (192.168.0.3) (192.168.0.5)

1. request
2. faster, faked response from Host2
Internet Security 1 58
 Tools / commands

• Packeth

• or open a RAW socket

– socket(AF_INET, SOCK_RAW, IPPROTO_RAW)

• craft the packet

– with faked IP address
– including all headers with all attributes set correctly
– including data
– including checksums
– send the packet using the RAW socket

59
 ARP Poisoning

• ARP does not provide any means of authentication

• Racing against the queried host is possible

– provide false IP address/link-level address mapping

• Fake ARP queries

– used to store wrong ARP mappings in a host cache

• Both can result in a redirection of traffic to the attacker

– ARP messages are sent continuously to have caches keep the
faked entries

60
 ARP Poisoning
ARP Request
192.168.0.7
From: To: ff:ff:fa:22:11:87
fa:02:41:11:11:11 ff:ff:ff:ff:ff:ff

192.168.0.99 192.168.0.7

192.168.0.2 switch/ 192.168.0.99

fa:02:41:11:11:11 hub ff:ff:fa:3a:22:10

Who has 192.168.0.7?

192.168.0.33
ff:02:a4:12:34:56

61
 ARP Poisoning
ARP Request
192.168.0.7
From: To: ff:ff:fa:22:11:87
fa:02:41:11:11:11 ff:ff:ff:ff:ff:ff
fa:02:41:11:11:11
192.168.0.99 192.168.0.7
192.168.0.99

192.168.0.2 switch/ 192.168.0.99

fa:02:41:11:11:11 hub ff:ff:fa:3a:22:10

Who has 192.168.0.7?

192.168.0.33
ff:02:a4:12:34:56

fa:02:41:11:11:11

192.168.0.99

62
 ARP Poisoning
ARP Response
192.168.0.7
From: To: ff:ff:fa:22:11:87
ff:ff:fa:22:11:87 fa:02:41:11:11:11
fa:02:41:11:11:11
192.168.0.7 192.168.0.99 Hi, 192.168.0.99! 192.168.0.99

192.168.0.2 switch/ 192.168.0.99

fa:02:41:11:11:11 hub ff:ff:fa:3a:22:10

192.168.0.33
ff:02:a4:12:34:56

fa:02:41:11:11:11

192.168.0.99

63
 ARP Poisoning
IP Packet
192.168.0.7
From: To: ff:ff:fa:22:11:87
ff:ff:fa:22:11:87 fa:02:41:11:11:11
fa:02:41:11:11:11
192.168.0.7 192.168.0.99 Hi, 192.168.0.99! 192.168.0.99

192.168.0.2 Switch/ DR 192.168.0.99

fa:02:41:11:11:11 hub OP! ff:ff:fa:3a:22:10

192.168.0.33
ff:02:a4:12:34:56

fa:02:41:11:11:11

192.168.0.99

64
 Hub vs Switch

• Hub is a physical layer device

– has no address
– forwards ALL incoming packets to all other ports

• Switch is a link-layer device

– forwards incoming broadcast packets to all ports
– keeps track of which Ethernet addresses can be reached through
which ports

65
 ARP Poisoning: Applications

• can be used for Man-in-the-Middle attack (MITM)

– impersonate A with B, and B with A
– sniff on a switched network
– filter (modify) traffic

• can be used for Denial-of-Service (DoS):

– map target IP to non-existent MAC address

• can target gateway

– impersonate gateway to filter ALL the traffic
– map gateway IP to non-existent MAC to drop all outgoing traffic

• can be targeted at a single host

– destination Ethernet address specified (instead of broadcast)

66
 Tools / commands

• ettercap (U)
– ARP poisoning (and sniffing)
– And more crazy LAN things

• nmap (W+U)
– Network mapping

Internet Security 1 67
 Countermeasures

• Arp poisoning
– Deny packet delivery if MAC is registered on multiple ports
– Bears the danger of getting DOSed

• Layer 2 encryption for Wireless

– WPA 2

• Physical security for wired networks

• DMZ / Subnetting

Internet Security 1 68
 Conclusion

• In this lecture, we looked at security and networking

basics
– Security threats
– Ethernet
– IP
– ARP

• Next lecture:
– We start looking at TCP/IP Protocol Suite and related attacks
– (Even) more technical attacks

Internet Security 1 69