Cyber Security
Posted on 21-Oct-2020
-
CYBER SECURITY
Prof. Chintan Patel
chintan.patel@marwadieducation.edu.in
-
• Do you use a "laptop" (or "lappy")?
• Do you use a mobile (cell) phone?
• Do you surf the Internet?
• Do you use WhatsApp?
• Want to be safe from cyber attacks?
• Want to make INDIA free from cyber attacks?
-
• Then…
Let us LEARN…
CYBER SECURITY…
-
Introduction to Computer Networks and Internet
-
Internet
• What is the Internet?
– One-sentence definition…
• What are the nuts and bolts of the Internet?
• Computer network: interconnecting hundreds of millions of computing devices
-
Hosts
• TVs, laptops, gaming consoles, cell phones, web cams, automobiles, environmental sensing devices…
-
Communication Link
• Transmission medium that carries data, in the form of packets, at a particular transmission rate.
-
Router
• A network device that takes a packet from one connected communication link and forwards it on another link based on the destination address.
-
Switch
• Connects multiple hosts on the same local network.
-
ISP
• Internet Service Provider: the network through which hosts reach the rest of the Internet.
-
Think about a smart home!
-
Protocol
A set of rules
• Human protocols (greeting, asking a question, waiting for the answer)
• Defines the format and order of the messages exchanged, as well as the actions taken on transmission and receipt
• Computer network protocols:
• HTTP
• FTP
• SMTP
• etc.
-
Types of Services
• Connection-oriented service
– Control packets (a handshake) are exchanged before the actual data is sent
– Three-way handshake (SYN, SYN+ACK, ACK)
– Reliable delivery, flow control, congestion control
– TCP: HTTP, FTP, Telnet, SMTP
• Connectionless service
– No handshake
– Faster delivery, but no reliability or ordering guarantees
– UDP: media streaming, video conferencing, DNS
-
Physical Media
• Bit: propagates between transmitter/receiver pairs
• Physical link: what lies between transmitter and receiver
• Guided media: signals propagate in a solid medium: copper, fiber, coax
• Unguided media: signals propagate freely, e.g. radio
Twisted pair (TP)
• Two insulated copper wires
– Category 3: traditional phone wires, 10 Mbps Ethernet
– Category 5: 100 Mbps Ethernet
-
Physical Media: coax, fiber
Coaxial cable:
• Two concentric copper conductors
• Bidirectional
• Baseband: single channel on the cable (legacy Ethernet)
• Broadband: multiple channels on the cable (HFC, hybrid fiber-coax)
Fiber optic cable: glass fiber carrying light pulses, each pulse a bit
• High-speed point-to-point transmission (e.g. 10s to 100s of Gbps)
• Low error rate: repeaters spaced far apart; immune to electromagnetic noise
-
Protocols of Each Layer
-
Network Port
• A network port is a number that identifies one endpoint of a connection between two computers.
• Computers use port numbers to determine which process or application a message should be delivered to.
-
Computer Database
• A computer database is, as the name implies, a collection of data stored within a computer, like an electronic file cabinet full of documents.
• What makes computer databases useful is the ease with which the data can be entered, stored and manipulated.
-
History Of Internet
-
Prehistoric
• Smoke signals
• Talking drums: a message could be relayed about 100 miles in an hour
-
Before Common Era (BCE)
• Pigeons
• Hydraulic Semaphore
-
• 1790s: Semaphore lines
• 1830s: Electric telegraph
• 1870s: Telephone
-
• 1890s: Radio
• 1920s: Television
• 1960s: Satellite
-
Computer Network beginning
• 1960s:
– Fiber optics
– Packet switching (Kleinrock)
• 1969: Four nodes (UCLA, Stanford Research Institute (SRI), UCSB and the University of Utah) connected by 50 kbps links
• ARPANET (Advanced Research Projects Agency Network)
• 1972: ARPANET connected 15 nodes; email was introduced
-
• The 1970s
• Different networks emerged
– ALOHAnet (packet radio)
– DARPA satellite network
– BBN commercial network
• 1976: Ethernet (Metcalfe)
• Internetworking these networks: the Internet
• End of the 1970s: TCP/IP by Kahn and Cerf
• 1981: 213 hosts on ARPANET
-
1980’s
• 1982: TCP/IP formalized
• 1982: SMTP (email)
• 1983: Domain Name System (DNS)
• 1986: Internet Engineering Task Force (IETF)
• 1988: OSI reference model released
• 1989: Routing protocols BGP, RIP
-
1990’s
• Early 1990s: commercialization of the Internet (ISPs)
• 1991: World Wide Web (WWW)
• 1995 onwards: many new applications
– Instant messaging, P2P, e-commerce (eBay, Amazon)
• 1998: Google Search
• 1999: Wi-Fi (wireless LAN)
-
2000’s
• 2003: Skype
• 2004: Facebook
• 2005: YouTube
• 2006: Twitter
• 2008: Cloud based services (E.g. Dropbox)
• 2010: Instagram (Photosharing)
• 2011: Google+
-
References
• Slides of Kurose and Ross, Computer Networking: A Top-Down Approach
• Computer Networks, Bodhi Tree, IIT Bombay
-
Content
• IP Address
• Protocol
• Port
• System Vulnerability
• Types of Vulnerability scanners
-
Internet Protocol Address
• IPv4 address: a 32-bit address that uniquely identifies a host interface on a network
– Class A: 1.0.0.0 to 126.255.255.255 (first bit 0)
– Class B: 128.0.0.0 to 191.255.255.255 (first bits 10)
– Class C: 192.0.0.0 to 223.255.255.255 (first bits 110)
• Loopback address: 127.0.0.0/8, i.e. 127.x.x.x (most commonly 127.0.0.1); never leaves the host
-
• IPv6 address: represented as eight 16-bit hexadecimal fields separated by colons, in the format x:x:x:x:x:x:x:x
• 128-bit address in total
-
Port
• A port is the identity of a process or service on a host
• It is a 16-bit unsigned integer
• Port numbers range from 0 to 65535
• IANA (Internet Assigned Numbers Authority) is responsible for assigning port numbers
-
Well Known Port
• Ports 0 to 1023 are known as well-known port numbers
• Used by system processes that provide networking services (binding them traditionally requires root/administrator privileges)
• Famous well-known ports:
– 20, 21: FTP data and control ports
– 22: SSH (Secure Shell) for secure login
– 23: Telnet, unencrypted text transmission
– 25: Simple Mail Transfer Protocol
– 53: Domain Name System
– 520: Routing Information Protocol (UDP)
-
Registered Port
• Range 1024 to 49151
• Assigned by IANA to specific services on application by the requesting entity
• Usable by ordinary (unprivileged) users
• Examples:
– Proxy server ports
– Virtual private network ports
– Ports requested by IBM, Apple, Oracle and many other companies for their specific services
-
Dynamic, Private or Ephemeral ports
• Range 49152 to 65535
• Cannot be registered with IANA
• Used for private or temporary purposes, e.g. the client side of an outgoing connection
-
IP + Port
• IP address: identifies the system
• Port: identifies the process or application on that system
• Written as (IP address):(port number), e.g. 192.168.12.40:80
• If the IP address is a telephone number, the port number is the extension.
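As an added example (not part of the original slides), the following Python script checks the three things this slide and the preceding ones describe: the historical class of an IPv4 address from its leading bits, the IANA range a port number falls in, and splitting an "ip:port" string into its two parts. IPv6 literals contain colons themselves, which is why the notation brackets them; the parser rejects the ambiguous unbracketed form instead of guessing. The addresses in the demo are private and documentation examples chosen here, not taken from the slides.

```python
import ipaddress
from typing import Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def ipv4_class(addr: str) -> str:
    """Historical class (A-E) or 'loopback' of an IPv4 address, from its leading bits.
    Classful addressing is obsolete (CIDR replaced it), but scanners and firewalls
    still default to the old /8, /16 and /24 masks for these ranges."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet == 127:
        return "loopback"          # 127.0.0.0/8 never leaves the host
    if first_octet < 128:          # leading bit 0
        return "A"
    if first_octet < 192:          # leading bits 10
        return "B"
    if first_octet < 224:          # leading bits 110
        return "C"
    if first_octet < 240:          # leading bits 1110, multicast
        return "D"
    return "E"                     # leading bits 1111, reserved


def port_range(port: int) -> str:
    """Which of the three IANA ranges a port number falls in."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} does not fit in 16 bits")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def parse_socket_address(text: str) -> Tuple[IPAddress, int]:
    """Split 'ip:port' into (address, port).  IPv6 literals must be bracketed
    ('[2001:db8::1]:443'); an unbracketed one is rejected rather than guessed at,
    because '2001:db8::1:443' could be host 2001:db8::1 port 443 or a bare address."""
    if text.startswith("["):
        host, sep, port_text = text[1:].partition("]:")
        if not sep:
            raise ValueError(f"malformed bracketed address: {text!r}")
    else:
        host, sep, port_text = text.rpartition(":")
        if not sep:
            raise ValueError(f"missing port in {text!r}")
        if ":" in host:
            raise ValueError(f"IPv6 address must be written in brackets: {text!r}")
    address = ipaddress.ip_address(host)   # raises ValueError on garbage
    port = int(port_text)
    port_range(port)                       # range check, raises if outside 0..65535
    return address, port


def describe(text: str) -> str:
    """One-line summary combining the pieces above, e.g. for '192.168.12.40:80'."""
    address, port = parse_socket_address(text)
    if address.version == 4:
        kind = f"IPv4 class {ipv4_class(str(address))}"
    else:
        kind = f"IPv6, fields {address.exploded}"   # the eight 16-bit fields written out
    return f"{address} port {port} ({port_range(port)}; {kind})"


if __name__ == "__main__":
    # Sample inputs constructed for the demo.
    for sample in ("192.168.12.40:80", "127.0.0.1:12345", "[2001:db8::1]:443"):
        print(describe(sample))
```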
-
Port Scanner
• A port scanner is a software application designed to probe a server or host for open ports.
• Used by administrators to verify the security policies of their networks
• Used by attackers to identify the services running on a host, with a view to compromising it
• Example: Nmap
-
Port Scanning
• The main goal of port scanning is to find out which ports are open, which are closed and which are filtered.
• Open port: a port on which an application is actively accepting TCP or UDP traffic.
– Finding open ports is the primary goal of port scanning
– Each open port is an avenue for attack
– Attackers want to exploit open ports
– Network administrators want to protect them with a firewall
– Also important in non-security scans, to inventory the available services
• Closed port: a port that is reachable but has no application listening on it
– Still useful for host discovery and OS detection, because the host answers
– Network administrators want to block closed ports at the firewall to reduce what an attacker can learn
• Filtered port: a port the scanner's probes cannot reach
– The scanner cannot tell whether it is open or closed
– Filtering can come from a firewall device, routing rules or host firewall software
• Unfiltered port: a port the scanner can reach, but whose state it still cannot determine (only the ACK scan classifies ports this way)
-
• If the port is open:
– Send a SYN packet
– Response is a SYN+ACK packet
• If the port is closed:
– Send a SYN packet
– Response is a RST packet
• If the port is filtered:
– Send a SYN packet
– No response (or an ICMP unreachable error)
• If the target machine is protected by a firewall, its firewall rules decide what response the machine gives, so a "closed" or "filtered" result describes the path as much as the host.
-
Vulnerability scanning or weakness scanning
• A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for known weaknesses.
or
• Vulnerability scanning means searching for security bugs on a single system or across a network
• Requirements of a vulnerability scanner:
– Discovering known bugs present in the network and its firewalls
– Discovering newly possible vulnerabilities (as new checks are published)
– Discovering systems in the network that are vulnerable to attack from outside
-
• Zero-day vulnerability: a weakness identified (and possibly exploited) before the vendor has a fix, so no scanner check exists for it yet
• False negative: the vulnerability exists but the scanner reports none
• False positive: the vulnerability does not exist but the scanner reports one
• An ideal scanner would catch even zero-day vulnerabilities with no false positives or false negatives; in practice a signature-based scanner only finds what it has checks for, and tuning it trades false positives against false negatives
• What a vulnerability scanner finds depends on the techniques it uses for
– Host discovery
– Port scanning
– Other vulnerability checks
-
Types of Vulnerability scanner
• Port scanner
• Network vulnerability scanner
• Web application security scanner
• Database security scanner
• Host-based vulnerability scanner
-
Identifying open port and services
• Telnet (port 23) has no encryption, so anyone on the path can read the data transferred, including passwords.
• So for the attacker: identify an open Telnet port.
• For the network administrator: moving Telnet to a non-standard port only hides it from a casual look (a port scanner with version detection still finds it); replace it with SSH (port 22) and block port 23 at the firewall.
-
nmap port scanner
• nmap (Network Mapper) is an open-source scanner developed by Fyodor (Gordon Lyon)
• The most popular port scanner on Linux/Unix machines
• Services offered by nmap:
– Port scanning
– Identifying the services running on a network
– Identifying the operating system and service versions
– TCP scans, UDP scans, ICMP (ping) scans
-
Footprinting
• Gathering information about a computer system and the organisation it belongs to, before touching the system itself.
• www.ping.au
• http://whois.domaintools.com
-
Banner Grabbing
• After identifying the running services, identify the software and version behind each service.
• Open a command prompt and connect to the service; many services announce themselves in a greeting line (the banner):
– telnet localhost 21
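As an added example written for this page (not nmap or Netcat code), the following Python script performs the TCP connect() scan described on the Port Scanning slides and then grabs the banner of each open port, the same thing the telnet localhost 21 step does by hand. To run offline it starts a constructed fake FTP-style service on a kernel-chosen loopback port; the banner text "220 example-ftpd 1.0 ready" is made up and stands in for whatever a real daemon announces. Filtered ports cannot be produced on loopback, so that branch is only reached through the timeout path.

```python
import socket
import threading
from typing import Dict, Iterable, Tuple


def start_fake_service(banner: bytes) -> Tuple[socket.socket, int]:
    """Throwaway TCP service on 127.0.0.1 that greets every client with `banner`
    and hangs up.  Constructed stand-in for a real FTP/SSH daemon so the scan
    below runs offline.  Returns the listening socket and the chosen port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free one
    server.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = server.accept()
            except OSError:                # listening socket closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:            # client already gone (bare connect scan)
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return server, server.getsockname()[1]


def free_closed_port() -> int:
    """A loopback port that nothing listens on: bind, read it back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


def connect_scan(host: str, port: int, timeout: float = 1.0) -> str:
    """TCP connect() scan of one port, the same decision nmap -sT makes:
    handshake completes -> open, RST (connection refused) -> closed,
    nothing comes back before the timeout -> filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):  # timeout or ICMP unreachable
            return "filtered"


def grab_banner(host: str, port: int, timeout: float = 1.0, limit: int = 256) -> str:
    """Connect and read whatever the service volunteers first (FTP '220 ...',
    SSH 'SSH-2.0-...', SMTP '220 ...').  Services that wait for the client to
    speak first (HTTP) return an empty string here; they need a request sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(limit).decode("ascii", errors="replace").strip()
        except socket.timeout:
            return ""


def scan_and_fingerprint(host: str, ports: Iterable[int]) -> Dict[int, Tuple[str, str]]:
    """Scan each port; for open ports also record the banner."""
    results = {}
    for port in ports:
        state = connect_scan(host, port)
        banner = grab_banner(host, port) if state == "open" else ""
        results[port] = (state, banner)
    return results


if __name__ == "__main__":
    # Constructed banner; a real ftpd would print its own name and version here.
    server, ftp_port = start_fake_service(b"220 example-ftpd 1.0 ready\r\n")
    closed = free_closed_port()
    for port, (state, banner) in scan_and_fingerprint("127.0.0.1", [ftp_port, closed]).items():
        print(f"{port:5d}/tcp {state:8s} {banner}")
    server.close()
```

The banner is the version-detection input nmap -sV and Netcat both rely on; it is also why moving a service to an unusual port does not hide it.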
-
Cyber Security
-
Content
• Port scanning
• OpenVAS
• Network vulnerability scanning
– Netcat
– Socat
• Network sniffers
-
Port scanning
• Port scanner: software designed to probe a server or host for open ports
– Used by administrators to verify security policy
– Used by attackers to identify the services running on a host
• Port scan: a process that sends client requests to a server to find active ports
• Open port: the host sends a reply indicating the port is active
• Closed port: the host sends a reply that the connection is denied
• Filtered: there was no reply from the host
• Vulnerabilities may lie in the services behind the open ports or in the operating system of the running host
-
TCP Flags
• SYN: synchronize, to initiate a connection
• ACK: acknowledgment
• FIN: finished, no more data from the sender
• RST: reset, abort the connection (also the reply to a probe of a closed port)
-
NMAP
• Nmap (Network Mapper) is a free, open-source port scanner available for Unix and Windows
-
Basic Scanning [-sT, -sS]
• TCP connect(): the operating system's normal way of establishing a connection
– If the connection succeeds, the port is open
– If it fails, either the destination system is offline or the port is closed or filtered
• Connect scan -sT: nmap -sT 192.168.12.40
– If the port is open, the full handshake completes and you can definitely connect
– Disadvantage: easily detected and logged, because the target application sees a completed connection
• SYN scan -sS: nmap -sS 192.168.12.40 (needs root, because it sends raw packets)
– Send SYN and receive SYN+ACK: the port is open (nmap answers with RST, so the handshake never completes)
– Send SYN and receive RST: the port is closed
– Send SYN and receive no response: the port is filtered
– Current intrusion detection systems and firewalls can detect SYN scans too
-
• -sF scan (FIN scan): sends a packet with only the FIN flag set
– nmap -sF 127.0.0.1
– A closed port replies with RST; an open or filtered port gives no response, so nmap reports "open|filtered"
– Windows and some other stacks reply RST regardless of port state, so the technique does not work against them
-
• Ping scan [-sP] (-sn in current nmap versions)
– Detects which hosts are online in a specified range of IP addresses, without port scanning them
• ICMP:
• Send an echo request; if an echo reply comes back, the system is up
• TCP:
• Send a SYN or ACK packet to a specific port (e.g. 80); a RST or SYN+ACK reply means the remote system is online
• No response means the remote system is offline or the probe was filtered
-
Example
-
• UDP scan [-sU]
– Sends an empty (0-byte) UDP datagram to each port (nmap uses protocol-specific payloads for some well-known ports)
• ICMP port unreachable (type 3, code 3) means the port is closed; a UDP reply means open; no reply means open|filtered
– Disadvantages:
• A firewall can produce false results: it may answer "unreachable" for ports that are not actually closed, or silently drop the probes
• Slow, because most hosts rate-limit ICMP errors
– Used less often, so UDP services (DNS, SNMP, NTP) are frequently overlooked by attackers and defenders alike
• Fast scan [-F]
– Does not scan all 65535 ports
– Scans only the most common ports listed in nmap's services file (100 ports instead of the default 1000)
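Added example, not nmap's source: the scan-type slides above are decision rules over the flags of the reply packet, so the script below packs and unpacks raw TCP headers with Python's struct module and applies the -sS, -sF and -sU rules to constructed replies. Port numbers and sequence numbers in the demo are arbitrary, and the checksum field is left zero because nothing is sent.

```python
import struct
from typing import Optional, Tuple

# Flag bits in byte 13 of the TCP header (RFC 793), lowest bit first.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# sport, dport, seq, ack, data-offset/reserved, flags, window, checksum, urgent pointer
TCP_HEADER = "!HHIIBBHHH"


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header.  The checksum stays 0 because these bytes are
    only used as constructed samples, never put on the wire."""
    data_offset = 5 << 4          # 5 32-bit words, no options
    return struct.pack(TCP_HEADER, sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)


def tcp_flags(header: bytes) -> int:
    """Flags byte of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack(TCP_HEADER, header[:20])[5]


def flag_names(flags: int) -> str:
    names = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))
    return "+".join(name for name, bit in names if flags & bit) or "none"


def classify_syn_scan(reply: Optional[bytes]) -> str:
    """nmap -sS decision: SYN+ACK -> open, RST -> closed, silence -> filtered."""
    if reply is None:
        return "filtered"
    flags = tcp_flags(reply)
    if flags & SYN and flags & ACK:
        return "open"
    if flags & RST:
        return "closed"
    return "filtered"   # unexpected flags: treat as unknown rather than open


def classify_fin_scan(reply: Optional[bytes]) -> str:
    """nmap -sF decision on an RFC 793 stack: only a closed port answers (with RST);
    open and filtered ports stay silent, so they cannot be told apart.
    Windows stacks reply RST to everything, so every port looks closed there."""
    if reply is not None and tcp_flags(reply) & RST:
        return "closed"
    return "open|filtered"


def classify_udp_scan(udp_reply: Optional[bytes], icmp: Optional[Tuple[int, int]]) -> str:
    """nmap -sU decision.  icmp is the (type, code) of an ICMP error, if one came back."""
    if udp_reply is not None:
        return "open"                       # the service answered our datagram
    if icmp == (3, 3):
        return "closed"                     # port unreachable, sent by the host itself
    if icmp is not None and icmp[0] == 3:
        return "filtered"                   # other unreachables usually come from a firewall
    return "open|filtered"                  # silence: a service ignoring us, or a drop rule


if __name__ == "__main__":
    # Constructed replies to a SYN probe from our port 40000 to target port 80.
    synack = build_tcp_header(80, 40000, SYN | ACK, seq=1, ack=101)
    rst = build_tcp_header(80, 40000, RST | ACK, ack=101)
    for name, reply in (("SYN+ACK", synack), ("RST", rst), ("no reply", None)):
        print(f"SYN probe, {name:9s} -> {classify_syn_scan(reply)}")
    print("FIN probe, no reply  ->", classify_fin_scan(None))
    print("UDP probe, ICMP 3/3  ->", classify_udp_scan(None, (3, 3)))
```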
-
OpenVAS: Open Vulnerability Assessment Scanner
• "The world's most advanced Open Source vulnerability scanner and manager"
• OpenVAS is a combination of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution
• Collects and manages security information for networks, devices and systems
• Uses a client-server architecture
• The manager keeps track of all the vulnerability results
• The scanner in OpenVAS collects the information, running its feed of network vulnerability tests against the targets
• Installed in Kali Linux / BackTrack
-
Network vulnerability scanning
• Types of attack:
1. Passive attack: monitoring network traffic
– Traffic analysis
– Monitoring unprotected communication
– Decrypting weakly encrypted traffic
– Capturing authentication information such as passwords
2. Active attack: bypassing or breaking into a secured system
– Attempting to break protection features
– Injecting malicious code into the network
– Stealing or modifying information
-
• Network vulnerability scanning tools
– Netcat
– Socat
• Netcat: a networking utility that reads and writes data across connections using either TCP (Transmission Control Protocol) or UDP (User Datagram Protocol). Uses:
– Port scanning
– File transfer
– Banner grabbing
– Port listening and redirection
-
• Netcat installation on Windows:
– Download the archive from www.vulnwatch.org/netcat/nc111nt.zip
– Unzip it to a location of your choice
• Open CMD in that folder and run: nc -h
-
• Netcat is used by network testers to test the security of a target system
• Malicious users use Netcat to gain access to a remote target system (for example by attaching a shell to a listening port), which is why
• Some antivirus products flag it as a "Trojan" or "Hacktool"
• Netcat installation on Linux:
– Most Linux distributions ship with Netcat installed
– Check with: nc -h or netcat -h
– If it is not installed:
• open a terminal
• type: sudo apt-get install netcat
• type nc -h to confirm the installation
-
Netcat Operation Modes
• Client mode
– connect to somewhere: nc [-options] hostname port[s] [ports] …
– Netcat as a client on your machine, to obtain information from another machine
• Server (listen) mode
– listen for inbound: nc -l -p port [options] [hostname] [port]
– -l puts Netcat into listen mode and -p gives the local port (the OpenBSD variant takes the port directly after -l: nc -l 12345)
-
• nc hostname 20-80 : connect to ports 20 to 80 of the host one after another
• nc -z 192.168.12.40 20-80 : -z (zero-I/O) only reports which of ports 20 to 80 accept a connection, without sending any data
-
Netcat commands
• nc -v 192.168.12.40 80 : HTTP banner grabbing (type a request such as HEAD / HTTP/1.0 followed by a blank line; HTTP servers say nothing until asked)
• nc -v 192.168.12.40 22 : SSH banner grabbing (the server sends its version string first)
• nc -v -n 192.168.12.40 80 : -n disables DNS lookups (numeric addresses only)
• nc -v 192.168.12.40 80 : without -n, Netcat resolves and reverse-resolves names
• nc -l -p 12345 : listening server on port 12345
• nc -v -w2 -z 192.168.12.40 1-200 : find open TCP ports 1 to 200, waiting at most 2 seconds per port
• nc -l -p 12345 > dumpfile : redirect everything received into dumpfile (replacing it)
• nc -l -p 12345 >> dumpfile : also redirect, but append to dumpfile instead of replacing it
-
Example: chat interface using Netcat
• Works on one computer (two terminals) as well as between two computers
• Open one terminal and type: nc -l -p 12345
• Open a second terminal and type: nc localhost 12345
• Lines typed in either terminal appear in the other
-
Example: file transfer using Netcat
• Create hack.txt in the Netcat folder on the sending machine
• On the receiving machine, open a terminal and type: nc -l -p 1234 > hack.txt
• On the sending machine, open a terminal and type: nc <target IP address> 1234 < hack.txt
• Nothing is encrypted or authenticated: whoever connects to port 1234 first is the "sender", and anyone on the path can read the file
-
SOCAT
• Socket: a socket address is the combination of an IP address and a port number, much like one end of a telephone connection is the combination of a phone number and a particular extension.
• Socat is similar to Netcat but more general: it relays between two arbitrary "addresses" (TCP sockets, UDP sockets, files, pipes, processes, SSL/TLS connections), which is where its extra security options come from
-
• Socat is used as a:
– TCP port forwarder
– External input provider for other programs
– Tool for probing weak firewalls
– Tool for security testing and research
• Socat installation:
– Linux: sudo apt-get update && sudo apt-get install socat
• Socat operation phases:
– Init phase: the command line is parsed and logging is initialized
– Open phase: socat opens the first address and then the second address
– Transfer phase: socat watches both streams for readability and writability and copies data between them
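Socat's TCP port forwarder, rebuilt in Python as an added example (this is not socat code): start_forwarder() does what socat TCP-LISTEN:<port>,fork,reuseaddr TCP:<host>:<port> does, one pair of relay threads per accepted client, and propagates half-closes so the far end sees EOF. The target is a constructed loopback echo server so the example runs offline; all port numbers are chosen by the kernel at run time.

```python
import socket
import threading
from typing import Tuple


def start_echo_server() -> Tuple[socket.socket, int]:
    """Constructed target service: echoes each client's bytes back until EOF."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def handle(conn: socket.socket) -> None:
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = server.accept()
            except OSError:            # listener closed
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return server, server.getsockname()[1]


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src hits EOF, then half-close dst so the other
    side sees the EOF too (without this, request/response protocols hang)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(target_host: str, target_port: int) -> Tuple[socket.socket, int]:
    """Equivalent of: socat TCP-LISTEN:<port>,fork,reuseaddr TCP:<target_host>:<target_port>
    Each accepted client gets its own upstream connection and two pump threads."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def relay(client: socket.socket) -> None:
        try:
            upstream = socket.create_connection((target_host, target_port), timeout=5)
        except OSError:
            client.close()                 # upstream down: drop the client
            return
        upstream.settimeout(None)
        up = threading.Thread(target=pump, args=(client, upstream), daemon=True)
        down = threading.Thread(target=pump, args=(upstream, client), daemon=True)
        up.start()
        down.start()
        up.join()
        down.join()
        client.close()
        upstream.close()

    def accept_loop() -> None:
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            threading.Thread(target=relay, args=(client,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def send_through(port: int, payload: bytes) -> bytes:
    """Client side: send payload, half-close, collect everything that comes back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    echo, echo_port = start_echo_server()
    fwd, fwd_port = start_forwarder("127.0.0.1", echo_port)
    print(send_through(fwd_port, b"hello through the forwarder\n"))
    fwd.close()
    echo.close()
```

A forwarder like this is also what an attacker uses to pivot: the listener sits on a host that is reachable, the upstream on one that is not.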
-
Network sniffer and Injector
• "The data that builds up a web page is not a single message that hops on the highway, but the end result of several packets, each following its own path."
• A message transmitted over the Internet traverses many different network core devices:
– Routers
– Switches
– Bridges
– Gateways
– Firewalls
• Network sniffers: tools that monitor the traffic passing through network core devices (or a host's own interface)
• Network sniffers cannot read the contents of encrypted traffic, though they still see addresses, ports, sizes and timing
-
• Network sniffers and related tools:
– tcpdump or WinDump
– Wireshark
– Ettercap
– hping (a packet crafter rather than a sniffer)
– Kismet
-
tcpdump & WinDump
• tcpdump: network sniffer for Unix operating systems
• WinDump: the Windows port of tcpdump
• tcpdump and WinDump require privileged access to capture:
– Run with "sudo" on Linux
– Run as administrator on Windows
• tcpdump filters (pcap filter expressions) select packets by:
– Type: host, net or port
– Direction: src or dst
– Protocol: tcp, udp, icmp, arp, …
-
• Filtering based on type:
– $ tcpdump host 192.168.1.100 : traffic only to/from the given IP
– $ tcpdump host 192.168.1.100 and port 80
– $ tcpdump net 192.168.1.0/24 and port 80
• Filtering based on direction:
– $ tcpdump src host 192.168.1.100 and dst port 80 (the keyword is "and"; a bare "&" would be consumed by the shell, not by tcpdump)
• Filtering based on protocol:
– $ tcpdump src host 192.168.1.100 and udp dst port 53
– $ tcpdump arp and net 192.168.1.0/24
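Added example (not tcpdump code): the filter expressions above are compiled to BPF and evaluated in the kernel; the Python below imitates the same primitives in user space over a constructed capture of five IPv4 packets, so the effect of each expression on the slide can be seen without root or a live interface. The addresses 192.168.1.x and 203.0.113.10 are private and documentation ranges chosen for the sample, and checksums are zero because the packets never leave memory.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int]   # None for ICMP, which has no ports
    dport: Optional[int]


def build_ipv4(src: str, dst: str, proto: int, sport: int = 0, dport: int = 0) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header plus the start of the
    transport header.  Checksums are zero; these bytes never go on the wire."""
    if proto in (6, 17):
        payload = struct.pack("!HH", sport, dport) + b"\x00" * 16
    else:
        payload = b"\x08\x00" + b"\x00" * 6            # ICMP echo request, no checksum
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(raw: bytes) -> Optional[Packet]:
    """Decode just enough of an IPv4 packet to filter on: addresses, protocol, ports."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4                      # header length in bytes, options included
    proto = PROTO_NAMES.get(raw[9], str(raw[9]))
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport = dport = None
    if proto in ("tcp", "udp") and len(raw) >= ihl + 4:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])   # both headers start with the ports
    return Packet(proto, src, dst, sport, dport)


# Filter primitives: each returns a predicate, mirroring tcpdump's keywords.
Pred = Callable[[Packet], bool]

def host(a: str) -> Pred:       return lambda p: a in (p.src, p.dst)
def src_host(a: str) -> Pred:   return lambda p: p.src == a
def dst_host(a: str) -> Pred:   return lambda p: p.dst == a
def port(n: int) -> Pred:       return lambda p: n in (p.sport, p.dport)
def src_port(n: int) -> Pred:   return lambda p: p.sport == n
def dst_port(n: int) -> Pred:   return lambda p: p.dport == n
def proto(name: str) -> Pred:   return lambda p: p.proto == name
def and_(*preds: Pred) -> Pred: return lambda p: all(f(p) for f in preds)
def or_(*preds: Pred) -> Pred:  return lambda p: any(f(p) for f in preds)
def not_(pred: Pred) -> Pred:   return lambda p: not pred(p)

def net(cidr: str) -> Pred:
    network = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p.src) in network or ipaddress.ip_address(p.dst) in network


def apply_filter(pred: Pred, capture: List[bytes]) -> List[Packet]:
    """Return the decoded packets that match, in capture order."""
    matched = []
    for raw in capture:
        pkt = parse_ipv4(raw)
        if pkt is not None and pred(pkt):
            matched.append(pkt)
    return matched


# Constructed capture: a web request and its reply, a DNS query, another host's HTTPS, a ping.
SAMPLE_CAPTURE = [
    build_ipv4("192.168.1.100", "203.0.113.10", 6, 51000, 80),
    build_ipv4("203.0.113.10", "192.168.1.100", 6, 80, 51000),
    build_ipv4("192.168.1.100", "192.168.1.1", 17, 53412, 53),
    build_ipv4("192.168.1.77", "203.0.113.10", 6, 40000, 443),
    build_ipv4("192.168.1.100", "192.168.1.1", 1),
]

# The slide's filters, written with these primitives.
FILTERS = {
    "host 192.168.1.100 and port 80":             and_(host("192.168.1.100"), port(80)),
    "net 192.168.1.0/24 and port 80":             and_(net("192.168.1.0/24"), port(80)),
    "src host 192.168.1.100 and dst port 80":     and_(src_host("192.168.1.100"), dst_port(80)),
    "src host 192.168.1.100 and udp dst port 53": and_(src_host("192.168.1.100"), proto("udp"), dst_port(53)),
}

if __name__ == "__main__":
    for text, pred in FILTERS.items():
        print(text)
        for p in apply_filter(pred, SAMPLE_CAPTURE):
            print(f"   {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Note the difference between "host ... and port 80" (both directions of the web exchange) and "src host ... and dst port 80" (only the request), which is the distinction the direction slide is making.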
-
Wireshark
• Adds protocol analysis to traffic capture
• Can be used to review traffic captured by tcpdump and WinDump (pcap files)
• Supports Windows, Linux and macOS
• Download and install the Wireshark software:
– Go to http://www.wireshark.org/download.html and download and install the Wireshark binary for your computer.
-
Initial wireshark screen
-
Wireshark GUI during packet capture and analysis
-
• The Wireshark interface has five major components:
1. The command menus are standard pull-down menus located at the top of the window.
• The File menu allows you to save captured packet data or open a file containing previously captured packet data, and to exit the Wireshark application.
• The Capture menu allows you to begin packet capture.
2. The packet-listing window displays a one-line summary for each packet captured, including
– the packet number,
– the time at which the packet was captured,
– the packet's source and destination addresses,
– the protocol type, and protocol-specific information contained in the packet.
– The protocol type field lists the highest-level protocol that sent or received this packet.
-
3. The packet-header details window provides details about the packet selected in the packet-listing window.
4. The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format.
5. Towards the top of the Wireshark graphical user interface is the packet display filter field, into which a protocol name or other information can be entered in order to filter the information displayed.
-
Example HTTP Traffic captured
-
Ettercap
• Runs on Linux-based operating systems
• Unified sniffing: monitors a single interface
• Bridged sniffing: monitors two interfaces, forwarding traffic between them
-
• Ettercap is an open-source tool written by Alberto Ornaghi and Marco Valleri.
• Ettercap is described by its authors as "a multipurpose sniffer/interceptor/logger for switched LANs".
• Ettercap is a versatile network manipulation tool. It uses its ability to easily perform man-in-the-middle (MITM) attacks in a switched LAN environment (typically by ARP poisoning) as the launch pad for many of its other functions:
– Character injection
– Packet filtering
– Automatic password collection for many common network protocols
– SSH support
– HTTPS support
– Killing any connection
-
Ettercap Available plug-in
-
hping
• The ping command only sends ICMP echo requests, while hping supports TCP, UDP, ICMP and raw IP.
• Functions of hping:
– Firewall testing
– Advanced port scanning
– Network testing, using different protocols, TOS, fragmentation
– Manual path MTU discovery
– Advanced traceroute, under all the supported protocols
– Remote OS fingerprinting
– Remote uptime guessing
– TCP/IP stack auditing
-
hping commands
• hping www.google.com : default mode sends TCP packets to port 0 with no flags set
• hping www.google.com -p 80 : the same, aimed at port 80
• hping www.google.com -p 79 : aimed at port 79 (probably closed, so expect RST)
• hping www.google.com -A -p 79 : sends ACK packets to port 79, a firewall test: an unfiltered host replies RST, a host behind a stateful firewall stays silent
-
Kismet
• Kismet is a network detector, packet sniffer and intrusion detection system for 802.11 wireless LANs.
• Kismet works with any wireless card that supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g and 802.11n traffic.
• The program runs under Linux and Mac OS X.
• The client can also run on Microsoft Windows, although, aside from external drones
-
• Installation of Kismet:
– sudo apt-get install kismet
• Configure Kismet:
– sudo gedit /etc/kismet/kismet.conf
• Set the unprivileged user Kismet drops to after opening the capture interface:
– suiduser=chintan
• Provide the wireless capture source:
– source=wifi_mac_IAP
• Start Kismet:
– sudo kismet
-
• Kismet server, which collects the data:
– sudo kismet_server
• Kismet client, which presents the data to the user:
– kismet_client