Introduction to InfoSec – Recitation 09
Nir Krakowski (nirkrako at post.tau.ac.il)
Itamar Gilad (infosec15 at modprobe.net)

Today
• Network attacks continued
• Web 101 –
  o HTTP
  o Cookies
  o HTML
  o PHP
  o SQL

ARP in a Nutshell
• ARP = Address Resolution Protocol
• A bridge between IP and Ethernet, which helps make a local network “work”
• Most important functionality – translate IP addresses to MAC addresses so we can actually send packets!
• Two major messages –
  o ARP request – “Who is at 192.168.1.1?”
  o ARP reply – “192.168.1.1 is at A1:B2:C3:D4:E5:F6”

ARP Poisoning
• To avoid making an ARP request before sending every IP packet, each host keeps a local cache.
• Another trick to avoid excessive ARP requests: every host sends a broadcast ARP reply when it comes online / at every interval, to let everyone know its MAC address (known as “Gratuitous ARP”)
• Most implementations are stateless by design, and will happily store ARP replies even if they didn’t issue a request (for the reasons stated above)
• Result – everyone on the local network can impersonate any other host by sending a malicious ARP reply in its name.

ARP Poisoning
• Attack scenario – (diagram)
Diagram copyright: http://gm.kochar.com/post/WEB-SPOOFING.aspx

Ping Reflection (“smurf attack”)
• We want to DoS a host, but we’re not fast enough…
• So we’ll get everyone else to join!
• Basic concept – send a ping request to everyone, but put the target’s IP address in the source of the packet.
• Result – everyone will send a reply to the target, effectively DDoSing it.
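The ARP Poisoning slides describe why a stateless ARP cache is easy to poison. As an added example (not from the recitation slides or the course exercise), here is the defensive counterpart in plain Python with no Scapy dependency: a monitor that tracks IP→MAC bindings the way a host's cache does, but refuses to silently overwrite an entry. It flags a reply that tries to rebind an already-cached IP (the poisoning signature) and a reply nobody asked for (gratuitous ARP). The packet records, addresses and the names `ArpPacket`, `ArpMonitor` and `run_monitor` are all constructed here.

```python
"""ARP cache-poisoning monitor over a stream of ARP packets (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ARP_REQUEST = 1   # ARP opcode values as they appear on the wire
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    """The ARP fields a monitor cares about (hypothetical record type)."""
    op: int          # ARP_REQUEST or ARP_REPLY
    sender_ip: str   # "I am at ..." - the binding a receiver would cache
    sender_mac: str
    target_ip: str   # for requests: the IP being asked about


class ArpMonitor:
    """Keeps IP->MAC bindings like a host's ARP cache, but never silently
    overwrites an entry: a reply that changes a cached binding is an alert."""

    def __init__(self, trusted: Optional[Dict[str, str]] = None) -> None:
        # ip -> mac; seed with static/trusted entries (e.g. the gateway) if known
        self.bindings: Dict[str, str] = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.pending: Set[str] = set()   # IPs we have sent a request for
        self.alerts: List[str] = []

    def observe(self, pkt: ArpPacket) -> None:
        if pkt.op == ARP_REQUEST:
            self.pending.add(pkt.target_ip)
            return
        if pkt.op != ARP_REPLY:
            return
        mac = pkt.sender_mac.lower()
        known = self.bindings.get(pkt.sender_ip)
        if known is not None and known != mac:
            # Someone claims an IP that is already bound to another MAC: this is
            # exactly what a poisoning reply looks like. Keep the old entry.
            self.alerts.append(f"CONFLICT {pkt.sender_ip}: cached {known}, reply says {mac}")
            return
        if known is None and pkt.sender_ip not in self.pending:
            # Reply nobody asked for (gratuitous ARP). Legitimate for a host coming
            # online, so informational only - but it is how a stateless cache gets seeded.
            self.alerts.append(f"UNSOLICITED {pkt.sender_ip} is at {mac}")
        self.bindings[pkt.sender_ip] = mac
        self.pending.discard(pkt.sender_ip)


# Constructed traffic, as seen by host 192.168.1.10; not a real capture.
SAMPLE_TRAFFIC = [
    ArpPacket(ARP_REQUEST, "192.168.1.10", "00:11:22:33:44:10", "192.168.1.1"),
    ArpPacket(ARP_REPLY, "192.168.1.1", "A1:B2:C3:D4:E5:F6", "192.168.1.10"),    # gateway answers
    ArpPacket(ARP_REPLY, "192.168.1.20", "00:11:22:33:44:20", "192.168.1.255"),  # new host, gratuitous
    ArpPacket(ARP_REPLY, "192.168.1.1", "DE:AD:BE:EF:00:01", "192.168.1.10"),    # second claim on the gateway IP
]


def run_monitor(packets, trusted: Optional[Dict[str, str]] = None) -> ArpMonitor:
    """Feed a packet list through a fresh monitor and return it for inspection."""
    monitor = ArpMonitor(trusted)
    for pkt in packets:
        monitor.observe(pkt)
    return monitor


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_TRAFFIC).alerts:
        print(alert)
```

Run against the sample, the monitor reports the new host's gratuitous reply as UNSOLICITED and the second claim on 192.168.1.1 as a CONFLICT while keeping the first-seen gateway MAC. The UNSOLICITED alert is noisy on any network where hosts announce themselves, so treat it as informational; the CONFLICT alert is the strong signal. Seeding `trusted` with the gateway's real MAC turns the check into a static-entry policy for the addresses that matter most. In practice the packet list would come from a live capture (for example Scapy's sniff callback) rather than a constant.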
Diagram copyright: http://onlinehelp.avs4you.com/AVSFirewall/Introduction/NetworkAttacks.aspx

Scapy demos
• ARP Monitor
• DNS traceroute (see at home)
• MAC Flooding

Ping / Traceroute Using Different Protocols
• Let’s assume TCP SYN / ICMP Echo requests are monitored / blocked, but you still want to know whether a host is up, and/or which network elements sit between you and the target (traceroute)
• ARP Ping –
  o Send an ARP request for a host on the same subnet (can even use broadcast)
  o If you get a reply – that host is alive
• TCP Port Scan –
  o Instead of using a SYN packet, use a TCP data packet, and listen for an RST packet

Ping / Traceroute Using Different Protocols
• DNS Traceroute –
  o DNS requests are almost always permitted since they are so vital
  o Contents are rarely checked
  o Playing with TTL = traceroute!
• UDP traceroute –
  o You already found out that the host will send you an ICMP Port Unreachable message when you send a UDP datagram to a certain closed port
  o But you want to find all the elements in the way
  o Solution – send and resend the packet, each time with a different IP TTL
  o You will get ICMP errors from many intermediate hosts
• TCP traceroute –
  o Same as UDP, and can use SYN on a known open port, an arbitrary data packet on a known open port, or data on a known closed port
• Basically – most services could be used for traceroute / ping given the right scenario

No more sniffing…
• It used to be easy to sniff traffic on the local network
• All traffic went to everyone behind the same router on a HUB-based network
• Now – switches galore!
• We still need to sniff traffic…
• Enter MAC Flooding

Switches 101
• Switches know where to route packets by learning which MAC addresses are connected to which port
• This is done by seeing which source MACs appear on which ports, and storing this information in a fast look-up table (CAM)
• This table has to be very fast, so it must be limited in size.
• This is not an issue, since it is highly unlikely to run more than a few hundred / thousand hosts on the same layer-2 network, for other reasons.

MAC Flooding
• We’re on a network, but that network uses switches, so we can’t sniff anything interesting…
• Or can we?
• What happens if we send out packets with different source MAC addresses? Will the switch refuse to learn new addresses?
• No! It will just fail over to operating like a hub – a ‘dumb’ repeater
Image copyright: http://www.ciscozine.com/2009/01/05/protecting-against-mac-flooding-attack/

HTTP
• Hyper Text Transfer Protocol
• Simple textual protocol over TCP port 80, stateless request-response model
• Requests –
  o [METHOD] [URI]\r\n
  o Headers\r\n\r\n
    e.g.: “GET /\r\n\r\n”
  o Headers –
    • Client type – User-Agent
    • Will the client support compression – Accept-Encoding
    • Client language
    • Last valid cache the client has
    • ….

HTTP Response
• Responses –
  o [Numeric code] [String]\r\n
  o Headers\r\n\r\n
  o Data
  o Codes –
    • 200 OK
    • 302 Redirect
    • 404 Not found
    • 500 Server Error
    • 502 Gateway Error
    • ….

Misc HTTP
• Extra things to know about –
  o HTTP Keep-Alive
  o HTTP Authentication
  o X-Forwarded-For (and X-we-are-hiring…)
• HTTPS is SSL / TLS transporting regular HTTP

Cookies
• A way for the server to store something in the client’s browser for later use
• Cookies default to being domain specific
• Cookies have an expiry date
• Most authentication schemes use something like –
  o Client logs in via form
  o Server authenticates user, sends back an encrypted and hashed cookie, valid for x days
  o Client browses through the site with no need to re-login for a few days
• Cookies come in a few flavors – ‘regular’, ‘HTTP only’ and ‘secure’

Cookies – cont.
• Cookies are a valuable commodity –
  o If I have your cookie – I AM YOU
  o Cookie stealing used to be very easy (simple JavaScript), but now is pretty impossible (thank the SOP – Same Origin Policy)

HTML
• Hyper Text Markup Language
• XML-format representation of the DOM (Document Object Model)
• The DOM is the tree-like structure of the document
• You may interact with and modify the DOM via JavaScript
• The browser renders the objects within the document and allows the user to interact with them
• HTML5 is geared towards the dynamic web, and provides many services (local storage, 3D API, async calls)
• CSS is used for design, HTML is used for structure

Basic HTML Example
<html>
  <head>
    <title>My title</title>
  </head>
  <body>
    <h1>Big letters!</h1>
    <br />
    <h6>Small letters!</h6>
  </body>
</html>

Forms and AJAX
• The two major ways to send user data as part of a web application are HTML forms and AJAX (Async JavaScript And XML)
• HTML Forms –
  <form action="/target.php" method="post">
    <input name="username" type="text" />
    <input name="password" type="password" />
    <input value="Submit" type="submit" />
  </form>
  o Will send data as POST parameters to target.php upon clicking the submit button
• AJAX –
  o Read about jQuery and AsyncHttpRequest()

PHP
• Server-side processing language, commonly used in web applications
• Hybrid Perl & C syntax
• Once the web server supports processing PHP files, all that’s needed is –
<?php echo "Hello, world!"; ?>

PHP – cont.
• Headers are sent using header() (all calls to header() must come before any data is sent)
• Data is sent via echo / print() calls (or anything that writes to stdout)
• Input is done via HTTP parameters: $_POST["var_name"]
• The body of the request can be had by reading from stdin directly / file_get_contents("php://input") or stream_get_contents(STDIN)

PHP – Tips and Tricks
• Don’t forget the “;” at the end of each statement
• Use the “or die();” syntax to quickly find where your code breaks
• Errors are hard to spot.
• Your machines should have error reporting enabled, but don’t expect much
• You may need to revert to “printf debugging”
• You can run php on a file in a terminal, but understand you won’t have the web environment available (there could be better tools out there)

SQL
• Structured Query Language
• Very powerful interface to relational databases
• Tables have fields (columns) and rows
• Actions –
  o Select – query, return matching row(s)
  o Insert – add new row(s)
  o Update – change existing row(s)
  o Maintenance – create table, drop table, add column….
  o + Many more operations

SQL
• For each action, you can choose which fields to filter by, and which fields to return
• Examples
  o SELECT * FROM users WHERE username = 'mitsi';
  o SELECT password FROM users WHERE username = 'mitsi';
  o UPDATE users SET password = '123456' WHERE username = 'mitsi';
  o INSERT INTO users VALUES ('myuser', 'mypass');

PHP & SQL
• PHP has support for SQL (MySQL in our case)
• You’ll need to connect to the DB, and then you may query to your heart’s content
• Example on next slide
• Also, see the example within the exercise

PHP SQL initialization
<?php
// The slide originally used the legacy mysql_* extension, which was removed in PHP 7;
// mysqli is the replacement and keeps the same connect / select-database steps.
$db = mysqli_connect("your.hostaddress.com", "username", "password")
    or die(mysqli_connect_error());
mysqli_select_db($db, "Database_Name") or die(mysqli_error($db));
?>

Further reading & Tools
• w3schools.com, codecademy.com & php.net have everything you need to know
• Also, Google
• Firefox Developer Tools
• Fiddler really helps when you want to research an existing site
• XML verifiers / code beautifiers

This week’s exercise
• Network attacks continued –
  o Implement some of the techniques presented
  o Be careful about affecting your network
  o Don’t abuse any other network – you are responsible for any damage you create
• Web primer –
  o First steps with HTML, PHP, SQL
  o No attacks for now (but don’t worry – next week!)

Questions?
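The HTTP, HTTP Response and Cookies slides describe the wire format (request line / status line, headers terminated by \r\n\r\n, then data) and the three cookie flavours. As an added example that is not part of the recitation material, here is a small strict parser for both directions in Python, plus an audit that reports which Set-Cookie headers lack the HttpOnly and Secure flags the slides mention. The response bytes are constructed, and `parse_request`, `parse_response`, `audit_cookie` and `weak_cookies` are names chosen here. A bare "GET /\r\n\r\n" as on the slide (no version) is accepted and reported as HTTP/0.9.

```python
"""Strict HTTP/1.x request and response parser with a Set-Cookie audit (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]   # repeated headers (Set-Cookie!) are kept, in order


@dataclass
class HttpResponse:
    version: str
    status: int
    reason: str
    headers: Headers
    body: bytes

    def get_all(self, name: str) -> List[str]:
        return [v for k, v in self.headers if k.lower() == name.lower()]


def _split_head(raw: bytes) -> Tuple[List[bytes], bytes]:
    """Separate head lines from body at the first empty line; refuse truncated input."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers (\\r\\n\\r\\n) found")
    return head.split(b"\r\n"), body


def _parse_headers(lines: List[bytes]) -> Headers:
    headers: Headers = []
    for line in lines:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return headers


def parse_request(raw: bytes) -> Tuple[str, str, str, Headers, bytes]:
    """[METHOD] [URI] [optional version]\\r\\n, headers, \\r\\n\\r\\n, body."""
    lines, body = _split_head(raw)
    parts = lines[0].decode("ascii").split(" ")
    if len(parts) not in (2, 3):
        raise ValueError(f"bad request line: {lines[0]!r}")
    method, uri = parts[0], parts[1]
    version = parts[2] if len(parts) == 3 else "HTTP/0.9"   # slide form: "GET /\r\n\r\n"
    return method, uri, version, _parse_headers(lines[1:]), body


def parse_response(raw: bytes) -> HttpResponse:
    """HTTP/x.y [Numeric code] [String]\\r\\n, headers, \\r\\n\\r\\n, data."""
    lines, body = _split_head(raw)
    parts = lines[0].decode("ascii").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {lines[0]!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return HttpResponse(parts[0], int(parts[1]), reason, _parse_headers(lines[1:]), body)


def audit_cookie(set_cookie: str) -> Dict[str, object]:
    """Report the cookie name and which protective attributes are present."""
    name_value, *attrs = [p.strip() for p in set_cookie.split(";")]
    flags = {a.split("=", 1)[0].lower() for a in attrs if a}
    return {
        "name": name_value.split("=", 1)[0],
        "http_only": "httponly" in flags,                       # hidden from document.cookie
        "secure": "secure" in flags,                            # only sent over HTTPS
        "persistent": "expires" in flags or "max-age" in flags,  # survives browser close
    }


def weak_cookies(raw_response: bytes) -> List[str]:
    """Names of cookies the response sets without both HttpOnly and Secure."""
    resp = parse_response(raw_response)
    return [a["name"] for a in map(audit_cookie, resp.get_all("Set-Cookie"))
            if not (a["http_only"] and a["secure"])]


# Constructed login response, not a capture from any real site.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /home.php\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; Expires=Wed, 01 Jan 2025 00:00:00 GMT\r\n"
    b"Set-Cookie: tracking=xyz; Path=/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    print(r.status, r.reason, "weak cookies:", weak_cookies(SAMPLE_RESPONSE))
```

On the sample, the 302 redirect carries two cookies; only `tracking` is flagged, because the session cookie has both HttpOnly (so the "simple JavaScript" theft the Cookies slide describes cannot read it) and Secure (so it is never sent in the clear). The parser deliberately rejects a header line without a colon and input without the blank line that ends the head, rather than guessing, which is the behaviour you want before feeding attacker-controlled bytes into anything else.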
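The two SQL slides and the PHP & SQL slide show the four basic statements against a `users` table and say that you connect once and then query. As an added example, not part of the recitation or the exercise, the same four statements are run below against an in-memory SQLite database from Python's standard library (no MySQL server needed offline), with every user-supplied value passed as a bound parameter rather than pasted into the query string. The table, seed rows and function names (`open_db`, `select_user`, `select_password`, `update_password`, `insert_user`) are constructed here; the binding technique is the same one mysqli prepared statements give you in PHP.

```python
"""The SQL slide's statements with bound parameters, on an in-memory SQLite database (added example)."""
import sqlite3
from typing import Optional, Tuple

# Mirrors the slide's users table; constructed for the example.
SCHEMA = "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
SEED_ROWS = [("mitsi", "s3cret"), ("alice", "wonderland")]   # constructed sample data


def open_db() -> sqlite3.Connection:
    """Connect (the slide's mysql_connect / select_db step), create and seed the table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def select_user(conn: sqlite3.Connection, username: str) -> Optional[Tuple[str, str]]:
    # SELECT * FROM users WHERE username = 'mitsi'  -- value supplied via the ? placeholder
    return conn.execute("SELECT * FROM users WHERE username = ?", (username,)).fetchone()


def select_password(conn: sqlite3.Connection, username: str) -> Optional[str]:
    # SELECT password FROM users WHERE username = 'mitsi'
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def update_password(conn: sqlite3.Connection, username: str, new_password: str) -> int:
    # UPDATE users SET password = '123456' WHERE username = 'mitsi'; returns rows changed
    cur = conn.execute("UPDATE users SET password = ? WHERE username = ?", (new_password, username))
    conn.commit()
    return cur.rowcount


def insert_user(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # INSERT INTO users VALUES ('myuser', 'mypass'); False if the username already exists
    try:
        conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))
        conn.commit()
        return True
    except sqlite3.IntegrityError:   # PRIMARY KEY violation on a duplicate username
        return False


if __name__ == "__main__":
    db = open_db()
    print(select_user(db, "mitsi"))
    print(update_password(db, "mitsi", "123456"), select_password(db, "mitsi"))
    print(insert_user(db, "myuser", "mypass"), insert_user(db, "myuser", "again"))
    # A quote in the value is just data when bound, so the lookup round-trips cleanly.
    print(insert_user(db, "o'brien", "pw"), select_password(db, "o'brien"))
```

Because the values travel as parameters, a username such as `o'brien` is stored and looked up correctly without any manual escaping, and the query text the database sees is always the same four statements from the slide. Two practical caveats for the exercise: the slide's table keeps passwords in the clear, which is fine for learning the syntax but in a real application the column would hold a salted hash, and `rowcount` from UPDATE is the cheap way to notice that a WHERE clause matched nothing.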