CH 04 | PDF | Domain Name System | Denial Of Service Attack

The document discusses different types of network vulnerabilities and attacks. It covers topics like cyberwarfare, sniffing attacks, denial of service attacks, spoofing, and wireless attacks. It provides details on various network protocols and how they can be exploited by attackers.

Chapter 4

Network Vulnerabilities and Attacks

Objectives
• Explain the types of network vulnerabilities
• List categories of network attacks
• Define different methods of network attacks
Cyberwar and Cyberterrorism
• "Titan Rain": attacks on US government and military computers from China breached hundreds of systems in 2005
• In 2007, Estonia was attacked by Russian computers as a political statement
  • Using DDoS (Distributed Denial of Service) with botnets
Media-Based Vulnerabilities
• Monitoring network traffic is an important task for a network administrator
  • Helps to identify and troubleshoot network problems
    • Such as a network interface card (NIC) adapter that is defective or nonfunctioning and is sending out malformed packets
Monitoring traffic
• Monitoring traffic can be done in two ways
  • Use a switch with port mirroring
    • Copies all traffic passing through every port to a designated monitoring port on the switch
  • Install a network tap (test access point)
    • A device installed between two network devices, such as a switch, router, or firewall, to monitor traffic

Security+ Guide to Network Security Fundamentals, Third Edition (2/4/2009)

Port Mirroring (figure)
Sniffer (figure)
Network Tap (figure)
Sniffing Attacks
• Just as network taps and protocol analyzers can be used for legitimate purposes
  • They also can be used by attackers to intercept and view network traffic
• Attackers can access the wired network in the following ways:
  • False ceilings
  • Exposed wiring
  • Unprotected RJ-45 jacks
Quiz
• What is the difference between sniffing and spoofing?

Answer:

- Both listen to the data, but sniffing does not change the data, while spoofing changes it.
Just a clarification
• False ceilings: most buildings use removable tiles instead of solid ceilings in order to route cable. An attacker could access the network cable and splice in an RJ-45 connection.
• Exposed wiring: sometimes wiring can be accessed as it enters or exits a building.
• Unprotected RJ-45 jacks: a vacant or unused office may often have a network jack that is still active.
Ways to Redirect Switched Traffic (figure)
Network Device Vulnerabilities
• Passwords
  • Passwords should be long and complex
  • Should be changed frequently
  • Should not be written down
  • But that is a difficult task
  • Solution: password manager software
Characteristics of Weak Passwords
• A common word used as a password
• Not changing passwords unless forced to do so
• Passwords that are short
• Personal information in a password
• Using the same password for all accounts
• Writing the password down
Network Device Vulnerabilities
• Default account
  • A user account on a device that is created automatically by the device instead of by an administrator
  • Used to make the initial setup and installation of the device (often by outside personnel) easier
  • Although default accounts are intended to be deleted after the installation is completed, often they are not
  • Default accounts are often the first targets that attackers seek, as they usually have simple default passwords
ATM Passwords
• In 2008, these men used default passwords to reprogram ATM machines to hand out $20 bills like they were $1 bills
Network Device Vulnerabilities
• Back door
  • An account that is secretly set up without the administrator's knowledge or permission, that cannot be easily detected, and that allows for remote access to the device
  • Back doors can be created:
    • By a virus, worm, or Trojan horse
    • By a programmer of the software on the device
    • Built into the hardware chips
Hardware Trojans
• Military equipment contains chips from foreign countries
• Those chips can contain backdoors or kill switches
Network Device Vulnerabilities
• Privilege escalation
  • Changing a limited user to an Administrator
Denial of Service (DoS)
• Attempts to consume network resources so that the network or its devices cannot respond to legitimate requests
  • Example: SYN flood attack
  • See Figure 4-4
• Distributed denial of service (DDoS) attack
  • A variant of the DoS
  • May use hundreds or thousands of zombie computers in a botnet to flood a device with requests
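The SYN flood mentioned above is visible on the defending side as half-open connections that never complete the handshake. The following detector is an added example, not code from the slides or the textbook; it runs over constructed client-to-server packet events (server SYN-ACKs are not modelled) and reports which destination has accumulated half-open entries above a threshold.

```python
from collections import defaultdict

# Constructed packet events, not a real capture: (time_s, src_ip, dst_ip, tcp_flags).
# Only client-to-server packets are modelled: "S" is the client's SYN, "A" the final ACK.
# Three clients complete the handshake; 20 spoofed sources send a SYN and never answer.
SAMPLE_EVENTS = []
for i, src in enumerate(["10.1.1.5", "10.1.1.6", "10.1.1.7"]):
    SAMPLE_EVENTS += [(i * 0.1, src, "147.144.1.254", "S"),
                      (i * 0.1 + 0.05, src, "147.144.1.254", "A")]
for i in range(20):
    SAMPLE_EVENTS.append((1.0 + i * 0.01, f"203.0.113.{i + 1}", "147.144.1.254", "S"))


def half_open_report(events, threshold=10):
    """Track handshakes per (src, dst): a SYN opens a half-open entry, the client's ACK
    closes it. Returns half-open counts per destination, the number of completed
    handshakes, and the destinations whose half-open count reaches the threshold."""
    half_open = set()
    completed = set()
    for _t, src, dst, flags in sorted(events):
        key = (src, dst)
        if flags == "S":
            half_open.add(key)
        elif flags == "A" and key in half_open:   # third step of the three-way handshake
            half_open.discard(key)
            completed.add(key)
    per_dst = defaultdict(int)
    for _src, dst in half_open:
        per_dst[dst] += 1
    flood_targets = {dst: n for dst, n in per_dst.items() if n >= threshold}
    return {"half_open": dict(per_dst), "completed": len(completed),
            "flood_targets": flood_targets}


if __name__ == "__main__":
    print(half_open_report(SAMPLE_EVENTS))
```

On a real host the same view comes from counting sockets in the SYN_RECV state; the threshold here is an assumed value and would be tuned to the server's normal load.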
Distributed Denial of Service (DDoS) (figure)
Exam question
• What is a zombie?
• What is a botnet?
Real DDoS Attack (figure)
Wireless DoS
• Requires a powerful transmitter
An Easier Wireless DoS (figure)
Videos: Please see them

https://www.youtube.com/watch?v=suRHkaBDj-M

https://www.youtube.com/watch?v=7dEBvn4eNoA

https://www.youtube.com/watch?v=h76TAOllTK4

https://www.youtube.com/watch?v=aS3KCLinVXc
Spoofing
• Spoofing is impersonation
• Attacker pretends to be someone else
  • Malicious actions would be attributed to another user
• Spoof the network address of a known and trusted host
• Spoof a wireless router to intercept traffic
Man-in-the-Middle Attack
• Passive: attacker reads traffic
• Active: attacker changes traffic
• Common on networks
Replay Attack
• Attacker captures data
• Resends the same data later
• A simple attack: capture passwords and save them
Wall of Sheep
• Captured passwords projected on the wall at DEFCON
Sidejacking
• Records cookies and replays them
• This technique breaks into Gmail accounts
• Technical name: Cross Site Request Forgery
• Almost all social networking sites are vulnerable to this attack
  • Facebook, MySpace, Yahoo, etc.
SNMP (Simple Network Management Protocol)
• Used to manage switches, routers, and other network devices
• Early versions did not encrypt passwords, and had other security flaws
• But the old versions are still commonly used
DNS (Domain Name System)
• DNS is used to resolve domain names like www.ccsf.edu to IP addresses like 147.144.1.254
• DNS has many vulnerabilities
  • It was never designed to be secure

Where is www.ccsf.edu?

www.ccsf.edu is at 147.144.1.254
DNS (Domain Name System)
• Please see the following
  • https://www.youtube.com/watch?v=2ZUxoi7YNgs&feature=related
  • https://www.youtube.com/watch?v=7_LPdttKXPc&feature=related
  • https://www.youtube.com/watch?v=WCxvKYC54xk&feature=related
  • https://www.youtube.com/watch?v=srBQSzRRNF4&feature=related
DNS Poisoning
Local DNS Poisoning
• Put false entries into the Hosts file
  • C:\Windows\System32\Drivers\etc\hosts
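A defender can spot the local poisoning described above by parsing the hosts file and listing every entry that points a name anywhere other than loopback. The audit below is an added example, not code from the slides; the file content is constructed, and the allowlist of approved names is an assumption an administrator would fill in.

```python
import ipaddress

# Constructed hosts-file content, not copied from any real system. The two entries that
# point public names at 203.0.113.7 are what local DNS poisoning looks like on disk.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.20    intranet.example.local   # added by IT
203.0.113.7     www.ccsf.edu
203.0.113.7     update.microsoft.com windowsupdate.microsoft.com
0.0.0.0         ads.example.net
300.1.1.1       bad.example
"""

ALLOWLIST = {"intranet.example.local"}   # assumed: names an administrator has approved


def parse_hosts(text):
    """Yield (address, hostname) pairs; '#' starts a comment and one line may list several names."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower()


def audit_hosts(text, allowlist=ALLOWLIST):
    """Return (name, address, reason) for entries that are neither loopback/unspecified
    (normal localhost and blocklist-style lines) nor on the allowlist."""
    findings = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((name, addr, "malformed address"))
            continue
        if ip.is_loopback or ip.is_unspecified or name in allowlist:
            continue
        findings.append((name, addr, "name redirected to a fixed address"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```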
DNS Cache Poisoning
• Attacker sends many spoofed DNS responses
• Target just accepts the first one it gets

Where is www.ccsf.edu?

www.ccsf.edu is at 147.144.1.254
Sending Extra DNS Records (figure)
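The two slides above (accepting the first response, and extra records smuggled into a response) both come down to checks a resolver must make before it believes a reply. The code below is an added example, not from the slides or the textbook: it builds a constructed query and responses in DNS wire format and shows a validator that rejects a reply whose transaction id, question section, or answer name does not match the outstanding query. The transaction id and addresses are constructed values.

```python
import struct
import ipaddress

def encode_name(name):
    # Wire-format a domain name as length-prefixed labels ending in a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def decode_name(buf, off):
    # Read length-prefixed labels; a 0xC0 byte is a compression pointer to an earlier name.
    labels = []
    while True:
        n, off = buf[off], off + 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0 == 0xC0:
            tail, _ = decode_name(buf, ((n & 0x3F) << 8) | buf[off])
            return ".".join(labels + [tail]), off + 1
        labels.append(buf[off:off + n].decode())
        off += n

def build_query(txid, name):
    # Constructed A/IN query: header with RD set, one question, no other sections.
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, ip, answer_name=None):
    # Constructed response: flags QR|RD|RA, the question echoed, one A record (optionally for another name).
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = encode_name(answer_name or name) + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + rr

def validate_response(query, resp):
    # Accept resp only if it matches the outstanding query on every field a careful resolver
    # checks: transaction id, QR flag, question section, and answer name/type. Otherwise
    # return a rejection reason (a resolver that skips these checks "accepts the first one").
    qname, off = decode_name(query, 12)
    qtype_class = struct.unpack("!HH", query[off:off + 4])
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if resp[:2] != query[:2]:
        return "rejected: transaction id mismatch"
    if not flags & 0x8000 or qd != 1 or an < 1:
        return "rejected: not a response to a single question"
    rname, off = decode_name(resp, 12)
    if rname.lower() != qname.lower() or struct.unpack("!HH", resp[off:off + 4]) != qtype_class:
        return "rejected: question section does not match"
    aname, off = decode_name(resp, off + 4)
    atype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    if aname.lower() != qname.lower() or atype != 1 or rdlen != 4:
        return "rejected: answer record is for a different name or type"
    return str(ipaddress.IPv4Address(resp[off + 10:off + 14]))
```

Real resolvers add checks this example leaves out, notably matching the UDP source port and the server address the query went to, and ignoring additional records outside the queried zone.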
DNS Transfers
• Intended to let a new DNS server copy the records from an existing one
• Can be used by attackers to get a list of all the machines in a company, like a network diagram
• Usually blocked by modern DNS servers
Protection from DNS Attacks
• Antispyware software will warn you when the hosts file is modified
• Using updated versions of DNS server software prevents older DNS attacks against the server
  • But many DNS flaws cannot be patched
• Eventually: switch to DNSSEC (Domain Name System Security Extensions)
  • But DNSSEC is not widely deployed yet, and it has its own problems
ARP (Address Resolution Protocol)
• ARP is used to convert IP addresses like 147.144.1.254 into MAC addresses like 00-30-48-82-11-34

Where is 147.144.1.254?

147.144.1.254 is at 00-30-48-82-11-34
Quiz: What is a MAC address?

A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment
ARP Cache Poisoning
• Attacker sends many spoofed ARP responses
• Target just accepts the first one it gets

Where is 147.144.1.254?

147.144.1.254 is at 00-30-48-82-11-34
Results of ARP Poisoning Attacks (figure)
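Because ARP has no authentication, the practical defence is to watch the traffic for exactly the pattern the slide describes. The monitor below is an added example in the style of arpwatch, not code from the slides or the textbook; it runs over constructed ARP events (a request, the real gateway's reply, then a burst of replies from a second MAC for the same IP) and raises alerts for unsolicited replies, MAC changes, and reply bursts. The window and burst sizes are assumed values.

```python
from collections import defaultdict

# Constructed ARP events, not a real capture: (time_s, op, sender_ip, sender_mac, target_ip).
# A host asks for the gateway, the real gateway answers, then a second MAC floods
# "is-at" replies for the same IP the way the slide describes.
SAMPLE_ARP = [
    (0.00, "request", "147.144.1.10", "00-30-48-aa-bb-cc", "147.144.1.254"),
    (0.01, "reply", "147.144.1.254", "00-30-48-82-11-34", "147.144.1.10"),
] + [(0.10 + i * 0.05, "reply", "147.144.1.254", "00-11-22-33-44-55", "147.144.1.10")
     for i in range(6)]


def monitor_arp(events, window_s=1.0, burst=5):
    """arpwatch-style checks over ARP traffic. Returns (time, kind, detail) alerts:
    'unsolicited' = reply with no outstanding request, 'flip' = an IP's MAC differs from
    the first mapping learned, 'burst' = `burst` replies for one IP inside `window_s`."""
    first_seen = {}                  # sender_ip -> MAC learned from the first reply
    outstanding = set()              # target IPs a request has been seen for
    recent = defaultdict(list)       # sender_ip -> reply timestamps inside the window
    alerts = []
    for t, op, sender_ip, sender_mac, target_ip in sorted(events):
        if op == "request":
            outstanding.add(target_ip)
            continue
        if sender_ip in outstanding:
            outstanding.discard(sender_ip)   # the first reply answers the request
        else:
            alerts.append((t, "unsolicited", f"{sender_ip} is-at {sender_mac}"))
        known = first_seen.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alerts.append((t, "flip", f"{sender_ip}: {known} -> {sender_mac}"))
        times = recent[sender_ip]
        times.append(t)
        while t - times[0] > window_s:
            times.pop(0)
        if len(times) == burst:
            alerts.append((t, "burst", f"{burst} replies for {sender_ip} in {window_s}s"))
    return alerts


def alert_counts(events):
    counts = defaultdict(int)
    for _t, kind, _detail in monitor_arp(events):
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in monitor_arp(SAMPLE_ARP):
        print(*alert)
```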
TCP/IP Hijacking
• Takes advantage of a weakness in the TCP/IP protocol
• The TCP header contains two 32-bit fields that are used as packet counters
  • Sequence and Acknowledgement numbers
• Packets may arrive out of order
  • Receiver uses the Sequence numbers to put the packets back in order
Wireless Attacks
• Rogue access points
  • Employees often set up home wireless routers for convenience at work
  • This allows attackers to bypass all of the network security and opens the entire network and all users to direct attacks
  • An attacker who can access the network through a rogue access point is behind the company's firewall
    • Can directly attack all devices on the network
Wireless Attacks (continued)
• War driving
  • Beaconing
    • At regular intervals, a wireless AP sends a beacon frame to announce its presence and to provide the necessary information for devices that want to join the network
  • Scanning
    • Each wireless device looks for those beacon frames
  • Unapproved wireless devices can likewise pick up the beaconing RF transmission
  • Formally known as wireless location mapping
Wireless Attacks (continued)
• War driving (continued)
  • War driving technically involves using an automobile to search for wireless signals over a large area
  • Tools for conducting war driving:
    • Mobile computing device
    • Wireless NIC adapters
    • Antennas
    • Global positioning system receiver
    • Software
Wireless Attacks (continued)
• Bluetooth
  • A wireless technology that uses short-range RF transmissions
  • Provides for rapid “on the fly” and ad hoc connections between devices
• Bluesnarfing
  • Stealing data through a Bluetooth connection
    • E-mails, calendars, contact lists, and cell phone pictures and videos, …
Null Sessions
Null sessions are unauthenticated connections to a Microsoft Windows 2000 or Windows NT computer that do not require a username or a password (blank). Using a command such as:

C:\>net use \\192.168.###.###\IPC$ ** /u:

could allow an attacker to open a channel over which he could gather information about the device, such as network information, users, or groups.
Null Sessions
• Cannot be fixed by patches to the operating systems
• Much less of a problem with modern Windows versions: Windows XP SP2, Vista, or Windows 7
Domain Name Kiting
• Check kiting
  • A type of fraud that involves the unlawful use of checking accounts to gain additional time before the fraud is detected
• Domain Name Kiting
  • Registrars are organizations that are approved by ICANN (Internet Corporation for Assigned Names and Numbers) to sell and register Internet domain names
  • A five-day Add Grace Period (AGP) permits registrars to delete any newly registered Internet domain names and receive a full refund of the registration fee
• Kiting: flying a paper kite (vocabulary note)
• Checking account: a bank account used for checks (vocabulary note)
Domain Name Kiting
• Unscrupulous registrars register thousands of Internet domain names and then delete them
• Recently expired domain names are indexed by search engines
• Visitors are directed to a re-registered site
  • Which is usually a single-page Web site with paid advertisement links
• Visitors who click on these links generate money for the registrar

Questions?
