CYBER SECURITY Prof. Chintan Patel [email protected]

Post on 21-Oct-2020


  • CYBER SECURITY

    Prof. Chintan Patel

    [email protected]

  • Do you use a “Laptop or Lappy”?

    • Do you use a “Mobile or cell”?

    • Do you surf the Internet?

    • Do you use WhatsApp?

    • Want to be safe from cyber attack?

    • Want to make INDIA free from cyber attack?

  • Then…

    Let us LEARN…

    CYBER SECURITY…

  • Introduction to Computer Networks and Internet

    Prof. Chintan Patel

    [email protected]

  • Internet

    • What is the Internet?

    – One-sentence definition…

    • What are the nuts & bolts of the Internet?

    • Computer network: interconnecting hundreds of millions of computing devices


  • Hosts

    • TVs, laptops, gaming consoles, cell phones, web cams, automobiles, environmental sensing devices…

  • Communication Link

    • Transmission medium used to carry data in the form of packets at a particular transmission rate.

  • Router

    • A network device that takes a packet from a connected communication link and forwards it based on its destination.

  • Switch

    • Connecting multiple hosts.


  • ISP

    • Internet Service Provider


  • Think about a Smart Home!

  • Protocol

    A set of rules

    • Human protocols

    • Defines the format and order of messages exchanged, as well as the actions taken on transmission.

    • Computer network protocols:

    • HTTP

    • FTP

    • SMTP

    • etc.

  • Types of Services

    • Connection-oriented service

    – Sends a control packet before transmitting the actual data

    – 3-way handshaking

    – Reliable, flow control, congestion control

    – TCP: HTTP, FTP, TELNET, SMTP

    • Connectionless service

    – No handshaking

    – Faster delivery

    – UDP: media streaming, video conferencing

  • Physical Media

    • Bit: propagates between transmitter/receiver pairs

    • Physical link: what lies between transmitter & receiver

    • Guided media: signals propagate in solid media: copper, fiber, coax

    • Unguided media: signals propagate freely, e.g., radio

    Twisted Pair (TP)

    • Two insulated copper wires

    – Category 3: traditional phone wires, 10 Mbps Ethernet

    – Category 5: 100 Mbps Ethernet

  • Physical Media: coax, fiber

    Coaxial cable:

    • Two concentric copper conductors

    • Bidirectional

    • Baseband: single channel on cable; legacy Ethernet

    • Broadband: multiple channels on cable; HFC

    Fiber optic cable: glass fiber carrying light pulses, each pulse a bit

    • High-speed operation: high-speed point-to-point transmission (e.g., 10s-100s Gbps)

    • Low error rate: repeaters spaced far apart; immune to electromagnetic noise

  • Protocols of Each Layer

  • Network Port

    • A network port is a number that identifies one side of a connection between two computers.

    • Computers use port numbers to determine to which process or application a message should be delivered.

  • Computer Database

    • A computer database is, as the name implies, a collection of data stored within a computer. It is like an electronic file cabinet full of documents.

    • What makes computer databases useful is the ease with which the data can be entered, stored and manipulated.

  • History Of Internet


  • Prehistoric

    • Smoke signals

    • Talking drums: a message could be delivered 100 miles in 1 hour

  • Before Common Era (BCE)

    • Pigeons

    • Hydraulic Semaphore

  • 1790's: Semaphore lines

    • 1830's: Electric telegraph

    • 1870's: Telephone

    • 1890's: Radio

    • 1920's: Television

    • 1960's: Satellite

  • Computer Network beginning

    • 1960's:

    – Fiber optics

    – Packet switching by Kleinrock

    • 1969: Four nodes (UCLA, Stanford, UCSB and Univ. of Utah) connected by 50 kbps links

    • ARPANET (Advanced Research Projects Agency)

    • 1972: ARPANET connected 15 nodes; email was introduced

  • The 1970's

    • Different networks emerged

    – ALOHANet (microwave)

    – DARPA Satellite

    – BBN Commercial

    • 1976: Ethernet by Metcalfe

    • Internetworking these networks (Internet)

    • End of 1970s: TCP/IP by Kahn and Cerf

    • 1981: 213 hosts on ARPANET

  • 1980’s

    • 1982: TCP/IP formalized

    • 1982: SMTP (Email)

    • 1983: Domain Name System (DNS)

    • 1986: Internet Engineering Task Force

    • 1988 – OSI Reference Model released

    • 1989 – Routing Protocols: BGP, RIP


  • The 1990's

    • Early 1990's: Commercialization of the Internet (ISPs)

    • 1991: World Wide Web (WWW)

    • 1995: Many new applications

    – Instant messaging, P2P, e-commerce (eBay, Amazon)

    • 1998: Google Search

    • 1999: WiFi (wireless)

  • 2000’s

    • 2003: Skype

    • 2004: Facebook

    • 2005: YouTube

    • 2006: Twitter

    • 2008: Cloud based services (E.g. Dropbox)

    • 2010: Instagram (Photosharing)

    • 2011: Google+


  • References

    • Slides (PPT) of Kurose and Ross

    • Computer Networks, Bodhi Tree, IIT Bombay

  • Content

    • IP Address

    • Protocol

    • Port

    • System Vulnerability

    • Types of Vulnerability scanners

  • Internet Protocol Address

    • IPv4 address: a 32-bit unique address used to connect with a host system

    – Class A: 1.xxx.xxx.xxx to 126.xxx.xxx.xxx

    – Class B: 128.0.xxx.xxx to 191.0.xxx.xxx

    – Class C: 192.0.0.xxx to 223.0.0.xxx

    • Loopback address: 127.xxx.xxx.xxx

    • IPv6 address: represented as a series of eight 16-bit hexadecimal fields separated by colons (:), in the format x:x:x:x:x:x:x:x

    • Total 128-bit address


  • Port

    • A port is an identity of a process or service

    • It is a 16-bit unsigned integer

    • Port numbers range from 0 to 65535

    • IANA (Internet Assigned Numbers Authority) is responsible for assigning port numbers for use.

  • Well Known Port

    • Ports from 0 to 1023 are known as well-known port numbers

    • Used by system processes that provide networking services.

    • Famous well-known ports:

    – 20, 21: FTP data and control ports

    – 22: SSH (Secure Shell) for secure login

    – 23: Telnet for unencrypted text transmission

    – 25: Simple Mail Transfer Protocol

    – 53: Domain Name System

    – 520: Routing Information Protocol

  • Registered Port

    • Ranges from 1024 to 49151

    • Assigned by IANA for specific services upon application by the requesting entity

    • Used by ordinary users

    • Examples:

    – Proxy server ports

    – Virtual private network ports

    – Ports requested by IBM, Apple, Oracle and many other companies for their specific services

  • Dynamic, Private or Ephemeral ports

    • Ranges from 49152 to 65535

    • Cannot be registered with IANA

    • Used for private or temporary purposes

  • IP + Port

    • IP: to connect with a system

    • Port: to connect with a process or application

    • (IP address):(port number)

    • If the IP address is a telephone number, then the port number is the extension.
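An added example (not from the slides): a small Python module that applies the IPv4 class ranges, the port ranges and the (IP address):(port number) notation from the slides above. `ipaddress` is the Python standard library; the class boundaries are taken from the slides, and accepting `[...]` around an IPv6 literal in a socket address is an assumption borrowed from common URL notation.

```python
"""Added example (not from the slides): classify IPv4 addresses and port
numbers using the ranges given in the slides, and split an
"(IP address):(port number)" socket string into its two parts."""
import ipaddress

# Port ranges exactly as the slides define them.
PORT_RANGES = [
    (0, 1023, "well-known"),
    (1024, 49151, "registered"),
    (49152, 65535, "dynamic/private/ephemeral"),
]


def port_category(port: int) -> str:
    """Return the IANA range name for a 16-bit port number."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} is outside 0-65535 (not a 16-bit value)")
    for low, high, name in PORT_RANGES:
        if low <= port <= high:
            return name
    raise AssertionError("unreachable: ranges cover 0-65535")


def ipv4_class(addr: str) -> str:
    """Classful category from the first octet, as in the slides:
    1-126 class A, 127 loopback, 128-191 class B, 192-223 class C."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError for malformed input
    first = int(ip) >> 24
    if first == 0:
        return "reserved"  # 0.x.x.x is not usable as a host address
    if 1 <= first <= 126:
        return "class A"
    if first == 127:
        return "loopback"
    if 128 <= first <= 191:
        return "class B"
    if 192 <= first <= 223:
        return "class C"
    return "class D/E (multicast or reserved)"


def is_ipv6(addr: str) -> bool:
    """True if addr is a valid IPv6 address: eight 16-bit hex fields
    separated by colons (the compressed '::' form is accepted too)."""
    try:
        return ipaddress.ip_address(addr).version == 6
    except ValueError:
        return False


def parse_socket_address(text: str) -> tuple:
    """Split 'ip:port' (IPv4) or '[ip]:port' (IPv6, assumed bracket form)
    into (ip, port). Raises ValueError if either half is invalid."""
    host, sep, port_str = text.rpartition(":")
    if not sep:
        raise ValueError("expected host:port")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]  # bracketed IPv6 literal
    ipaddress.ip_address(host)  # validates IPv4 or IPv6, else ValueError
    port = int(port_str)
    port_category(port)  # validates the 0-65535 range
    return host, port


if __name__ == "__main__":
    for s in ("192.168.12.40:22", "127.0.0.1:12345", "[2001:db8::1]:443"):
        h, p = parse_socket_address(s)
        print(s, "->", h, p, port_category(p))
```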

  • Port Scanner

    • A port scanner is a software application designed to probe a server or host for open ports.

    • Used by administrators to verify the security policies of their networks

    • Used by attackers to identify running services on a host with a view to compromising it.

    • Examples: NMAP

  • Port Scanning

    • The main goal of port scanning is to find out which ports are open, which are closed and which are filtered.

    • Open port: a port on which an application is actively accepting TCP or UDP traffic.

    – Finding open ports is the primary goal of port scanning

    – Each open port is an avenue for attack

    – Attackers want to exploit the open ports.

    – Network administrators want to protect them with a firewall

    – Important for non-security scans also, to identify available services

    • Closed port: a port which is accessible but has no application listening on it

    – Used for host discovery, OS detection

    – Network administrators want to block it with a firewall to reduce its accessibility.

    • Filtered port: a port which cannot be reached by the port scanner

    – Cannot identify whether it is open or closed

    – Filtering can come from a firewall device, routing rules, or firewall software

    • Unfiltered port: a port which can be reached by the port scanner but cannot be identified as open or closed

  • If the port is open:

    – Send a SYN packet

    – Response will be a SYN + ACK packet

    • If the port is closed:

    – Send a SYN packet

    – Response will be an RST packet

    • If the port is filtered:

    – Send a SYN packet

    – No response

    • If the target machine is protected by a firewall, then its firewall rules decide what the machine's response will be.

  • Vulnerability scanning or Weakness scanning

    • A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses.

    or

    • Vulnerability scanning means searching for security bugs on a single system or across a network

    • Requirements of a vulnerability scanner:

    – Discovering present bugs in the network and the network firewall

    – Discovering new possibilities of vulnerabilities

    – Discovering systems in the network which are vulnerable to outside attack.

  • Zero-day vulnerability: a weakness which is identified for the first time in a system or network.

    • False negative: a vulnerability exists but the scanner says there is no vulnerability

    • False positive: the vulnerability does not exist but the scanner says there is a vulnerability

    • A vulnerability scanner must be able to identify zero-day vulnerabilities and should not suffer from false positives or false negatives

    • The capability of a vulnerability scanner depends on the techniques used for:

    – Host discovery

    – Port scanning

    – Other vulnerability scanning

  • Types of Vulnerability scanner

    • Port scanner

    • Network Vulnerability scanner

    • Web application security Scanner

    • Database Security Scanner

    • Host based Vulnerability Scanner

  • Identifying open port and services

    • Telnet (port 23) lacks encryption, and anyone can read the data transferred on this port.

    • So for the attacker: identify an open telnet port

    • For the network admin: configure the telnet service on any other, non-standard port number.

  • nmap port scanner

    • nmap (network mapping) is an open source scanner which was developed by Fyodor.

    • The most popular port scanner for Linux/Unix machines

    • Services provided by nmap:

    – Port scanning

    – Identifying all the running services on a network

    – Identifying the operating system and protocol versions

    – TCP scan, UDP scan, ICMP scan

  • Footprinting

    • Gathering information about a computer system and the companies it belongs to.

    • www.ping.au

    • http://whois.domaintools.com

  • Banner Grabbing

    • After identifying the running services, let us identify the software and version on which each service runs.

    • Open a command prompt:

    – telnet localhost 21

  • Cyber Security

    Prof. Chintan Patel

    [email protected]

  • Content

    • Port scanning

    • OpenVAS

    • Network Vulnerability scanning

    – Netcat

    – Socat

    • Network sniffers

  • Port scanning

    • Port scanner: software designed to probe a server or host for open ports

    – Used by administrators to verify security policy

    – Used by attackers to identify running services on a host

    • Port scan: a process that sends client requests to a server to find active ports.

    • Open port: the host sends a reply indicating the port is active

    • Closed port: the host sends a reply that the connection will be denied.

    • Filtered: there was no reply from the host.

    • Vulnerabilities can be in open ports or in the operating system of the running host

  • TCP Flags

    • SYN : Synchronize, To initiate a connection

    • ACK : Acknowledgment

    • FIN : Finished

    • RST: Reset

  • NMAP

    • NMAP (Network Mapping) is a free open source port scanner available for Unix and Windows

  • Basic Scanning [-sT, -sS]

    • TCP connect(): method to establish a connection

    – If the connection is successful, the connection will be made

    – If the connection fails, then maybe the destination system is offline or the port is closed

    • Scan -sT: nmap -sT 192.168.12.40

    – If the port is open, you can definitely connect

    – The disadvantage of this type of scanning is that it is easily detectable.

    • SYN scan -sS: nmap -sS 192.168.12.40

    – Send SYN and receive SYN + ACK from the port: means the port is open

    – Send SYN and receive RST from the port: means the port is closed

    – Send SYN and do not receive any response from the port: means it is filtered

    – The latest intrusion detection systems and firewalls can detect a SYN scan
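The slides note that intrusion detection systems and firewalls can detect a SYN scan. As an added example (not from the slides), the following Python code shows what that detection looks like from the defender's side: a SYN scan sends one bare SYN per probed port, so one source address touching many distinct ports on one host within a short window is the signature to look for. The log format is constructed for this example (iptables LOG-style key=value fields); the parser would need adapting to a real firewall's format.

```python
"""Added example (not from the slides): flag SYN-scan behaviour in
firewall log lines. Log lines are constructed for this example in an
iptables-LOG-like format: timestamp, SRC=, DST=, PROTO=TCP DPT=, flags."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 192.168.12.99 probes six ports in 3 seconds (the SYN
# scan signature); 192.168.12.50 is a normal client using one service.
SAMPLE_LOG = """\
2020-10-21T10:00:01 IN=eth0 SRC=192.168.12.99 DST=192.168.12.40 PROTO=TCP DPT=21 SYN
2020-10-21T10:00:01 IN=eth0 SRC=192.168.12.99 DST=192.168.12.40 PROTO=TCP DPT=22 SYN
2020-10-21T10:00:02 IN=eth0 SRC=192.168.12.50 DST=192.168.12.40 PROTO=TCP DPT=80 SYN
2020-10-21T10:00:02 IN=eth0 SRC=192.168.12.99 DST=192.168.12.40 PROTO=TCP DPT=23 SYN
2020-10-21T10:00:02 IN=eth0 SRC=192.168.12.99 DST=192.168.12.40 PROTO=TCP DPT=25 SYN
2020-10-21T10:00:03 IN=eth0 SRC=192.168.12.99 DST=192.168.12.40 PROTO=TCP DPT=53 SYN
2020-10-21T10:00:03 IN=eth0 SRC=192.168.12.99 DST=192.168.12.40 PROTO=TCP DPT=80 SYN
2020-10-21T10:00:09 IN=eth0 SRC=192.168.12.50 DST=192.168.12.40 PROTO=TCP DPT=80 SYN ACK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)"
    r"(?P<flags>(?: [A-Z]+)*)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport, flags) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = set(m.group("flags").split())
    return (datetime.fromisoformat(m.group("ts")), m.group("src"),
            m.group("dst"), int(m.group("dpt")), flags)


def find_syn_scanners(log_text, window_seconds=10, port_threshold=5):
    """Return {src: sorted distinct ports} for every source whose bare-SYN
    probes (SYN set, ACK clear) hit at least port_threshold distinct ports
    on one destination within any window_seconds-long window."""
    probes = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, flags = rec
        if "SYN" in flags and "ACK" not in flags:  # first packet of a handshake
            probes[(src, dst)].append((ts, dport))
    suspects = {}
    for (src, dst), events in probes.items():
        events.sort()
        start = 0  # sliding window over the time-ordered probes
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= port_threshold:
                suspects[src] = sorted({p for _, p in events})
                break
    return suspects


if __name__ == "__main__":
    for src, ports in find_syn_scanners(SAMPLE_LOG).items():
        print(f"possible SYN scan from {src}: ports {ports}")
```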

  • -sF scan: finding open|filtered ports

    – nmap -sF 127.0.0.1

  • Ping scanning [-sP]

    – Allows you to detect which computers are online in a specified range of IP addresses.

    • For UDP:

    • Send ECHO REQUEST; if an ECHO REPLY is received, the system is up.

    • For TCP:

    • Send a SYN or ACK packet to a specific port (e.g. 80); if RST or SYN + ACK is received, the remote system is online

    • If there is no response, either the remote system is offline or the port is filtered

  • Example

  • UDP Scan [-sU]

    – Send a 0-byte UDP packet to the target

    • If ICMP port unreachable is received, the port is closed; otherwise it is open

    – Disadvantages:

    • A firewall may create a false positive effect: even when the port is closed, the firewall itself sends the port unreachable message

    • Slow scanning speed

    – Very rarely used for attack

    • Fast scan [-F]

    – Does not scan all 65536 ports

    – Scans only the ports listed in the nmap system file

  • OpenVAS (Open Vulnerability Assessment Scanning)

    • “The world's most advanced Open Source vulnerability scanner and manager”

    • OpenVAS is a combination of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution

    • Collects & manages security information for networks, devices and systems

    • Uses a client-server architecture

    • The server keeps track of all the different vulnerability results

    • The scanner in OpenVAS collects the information

    • Installed in Kali Linux / BackTrack

  • Network vulnerability scanning

    • Types of attack:

    1. Passive attack: monitoring network traffic

    – Traffic analysis

    – Monitoring unprotected communication

    – Decrypting weakly encrypted traffic

    – Capturing authentication information such as passwords

    2. Active attack: bypassing or breaking into a secured system

    – Attempts to break protection features

    – Injecting malicious code into the network

    – To steal and modify information

  • Network vulnerability scanning tools

    – NETCAT

    – SOCAT

    • Netcat: Netcat is a networking program designed to read and write data across both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)

    – Port scanning

    – File transfer

    – Banner grabbing

    – Port listening and redirection

  • Netcat installation in Windows:

    – Download the file from: www.vulnwatch.org/netcat/nc111nt.zip

    – Unzip the file at a location of your choice

    • Open CMD and run: nc -h

  • Netcat is used by network testing managers for testing the security of a network target system

    • Malicious users use Netcat for gaining access to a remote or target system

    • Some antivirus products flag it as a “Trojan” or “Hacktool”

    • Netcat installation in Linux:

    – Most Linux distributions come with Netcat installed

    – Type a command to check the version: nc -h or netcat -h

    – If it is not installed:

    • Open a terminal

    • Type: apt-get install netcat

    • Type nc -h to confirm the installation

  • Netcat Operation Modes

    • Client mode

    – Connect to somewhere: nc [-options] hostname port[s] [ports] …

    – Netcat as a client on your machine, to obtain some sort of information from another machine

    • Server mode

    – Listen for inbound: nc -l -p port [options] [hostname] [port]

    – -l means put Netcat into listen mode

  • nc hostname 20-80

    • nc -z 192.168.12.40 20-80

  • Netcat commands

    • nc -v 192.168.12.40 80 : HTTP banner grabbing using Netcat

    • nc -v 192.168.12.40 22 : SSH banner grabbing using Netcat

    • nc -v -n 192.168.12.40 80 : with nslookup

    • nc -v 192.168.12.40 80 : without nslookup

    • nc -l -p 12345 : Listening server on port 12345

    • nc -v -w2 -z 192.168.12.40 1-200 : Finding open TCP ports

    • nc -l -p 12345 > dumpfile : Redirecting all output information into dumpfile.

    • nc -l -p 12345 >> dumpfile : Also redirects output, but appends to the file instead of replacing its current contents.

  • Example : Chat interface using Netcat

    • You can implement this on one computer as well as on two computers

    • Open one terminal and type: nc -l -p 12345

    • Open a second terminal and type: nc localhost 12345

  • Example : File Transmission using Netcat

    • Create hack.txt in the Netcat folder

    • Open one terminal and type: nc -l -p 1234 > hack.txt

    • Open a second terminal: nc <target IP address> 1234 < hack.txt
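An added example (not from the slides, and not Netcat's own code): a loopback re-enactment in Python of the Netcat exercises above, the listener (`nc -l -p PORT`), banner grabbing (`nc -v host PORT`) and the connect probe (`nc -z host PORT`), using only the standard `socket` and `threading` modules. The service banner is constructed for the example; everything binds to 127.0.0.1 on a port chosen by the OS, so it runs offline.

```python
"""Added example (not from the slides): a Python listener that announces a
constructed banner, a banner grabber, and a TCP connect() probe that
classifies a port as open, closed or filtered on loopback."""
import socket
import threading

# Constructed banner, in the style in which an FTP daemon greets a client.
BANNER = b"220 demo-ftpd 1.0 ready\r\n"


def start_listener(banner: bytes = BANNER, max_clients: int = 8) -> int:
    """Listen on 127.0.0.1:<OS-chosen port> (like `nc -l -p PORT`), send
    `banner` to each client that connects, then close. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(max_clients):
            conn, _addr = srv.accept()
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # client (e.g. a bare connect probe) already hung up
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect and return whatever the service says first (like `nc -v`).
    Raises ConnectionRefusedError if the port is closed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024).decode("ascii", errors="replace").strip()


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """TCP connect() probe (like `nc -z`): 'open' if the handshake completes,
    'closed' if the host answers with RST (connection refused), 'filtered'
    if nothing comes back before the timeout; the three states in the slides."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"


def free_closed_port() -> int:
    """Pick a loopback port that is currently closed: bind to port 0, read
    the number the OS chose, and release it again immediately."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port = start_listener()
    closed_port = free_closed_port()
    print("banner:", grab_banner("127.0.0.1", open_port))
    for p in (open_port, closed_port):
        print(f"127.0.0.1:{p} is {probe_port('127.0.0.1', p)}")
```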

  • SOCAT

    • Socket: a socket address is the combination of an IP address and a port number, much like one end of a telephone connection is the combination of a phone number and a particular extension.

    • SOCAT is similar to Netcat but with more security, and works over various protocols through TCP sockets and UDP sockets

  • Socat is used as a:

    – TCP port forwarder

    – External input provider

    – Attacker for weak firewalls

    – Security testing and research tool

    • Socat installation:

    – Linux OS: sudo apt-get update && sudo apt-get install socat

    • Socat operation phases:

    – Init phase: logging is initialized

    – Open phase: Socat opens the first address and then the second address

    – Transfer phase: watches both streams for reading and writing

  • Network sniffer and Injector

    • “The data to build up a web page is not a single message that hops on the highway, but the end result of several packets following their own paths”

    • Messages transmitted on the Internet traverse many different network core devices, such as:

    – Routers

    – Switches

    – Bridges

    – Gateways

    – Firewalls

    • Network sniffers: tools that monitor the traffic passing through network core devices

    • Network sniffers cannot easily identify encrypted traffic

  • Network sniffers:

    – TCPDump or windump

    – Wireshark

    – Ettercap

    – Hping

    – Kismet

  • TCPDump & Windump

    • TCPDump: network sniffer for Unix operating systems

    • Windump: network sniffer for the Windows operating system

    • TCPDump and Windump require privileged access:

    – Run with “sudo” in Linux

    – Run as administrator in Windows

    • TCPDump filters based on:

    – Type: capture traffic by host or net

    – Direction: from/to source

    – Protocol: TCP traffic or UDP traffic

  • Filtering based on type:

    – $ tcpdump host 192.168.1.100 : traffic only to/from the given IP

    – $ tcpdump host 192.168.1.100 and port 80

    – $ tcpdump net 192.168.1.0/24 and port 80

    • Filtering based on direction:

    – $ tcpdump src host 192.168.1.100 and dst port 80

    • Filtering based on protocol:

    – $ tcpdump src host 192.168.1.100 and udp dst port 53

    – $ tcpdump arp net 192.168.1.0
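An added example (not from the slides, and not tcpdump's own parser): a small Python evaluator for the filter expressions shown above, run over constructed packet records, so you can see exactly which packets each filter keeps. It covers the primitives the slides use (host, src/dst host, port, src/dst port, net, and the tcp/udp/arp qualifiers) joined with `and`; the packet records and the handling of a bare dotted `net` value are simplifying assumptions of this teaching model.

```python
"""Added example (not from the slides): evaluate tcpdump-style filter
expressions over constructed packet records. A teaching model of BPF
matching for the primitives used on the slides, not tcpdump itself."""
import ipaddress

# Constructed packets: (protocol, src ip, src port, dst ip, dst port).
# ARP carries no ports, so those fields are None.
PACKETS = [
    ("tcp", "192.168.1.100", 51515, "93.184.216.34", 80),
    ("tcp", "93.184.216.34", 80, "192.168.1.100", 51515),
    ("udp", "192.168.1.100", 40000, "192.168.1.1", 53),
    ("udp", "192.168.1.1", 53, "192.168.1.100", 40000),
    ("tcp", "192.168.1.7", 51000, "10.0.0.5", 80),
    ("tcp", "10.0.0.5", 443, "192.168.1.7", 52000),
    ("arp", "192.168.1.1", None, "192.168.1.100", None),
]


def _matches(primitive, pkt):
    """Evaluate one primitive such as 'src host 192.168.1.100' or 'udp dst port 53'."""
    proto, src, sport, dst, dport = pkt
    words = primitive.split()
    if words[0] in ("tcp", "udp", "arp"):  # optional protocol qualifier in front
        if proto != words[0]:
            return False
        words = words[1:]
        if not words:  # bare 'tcp', 'udp' or 'arp'
            return True
    direction = "any"
    if words[0] in ("src", "dst"):
        direction, words = words[0], words[1:]
    kind, value = words[0], words[1]
    if kind == "host":
        cands = {"src": [src], "dst": [dst]}.get(direction, [src, dst])
        return value in cands
    if kind == "port":
        cands = {"src": [sport], "dst": [dport]}.get(direction, [sport, dport])
        return int(value) in cands
    if kind == "net":
        if "/" not in value:
            # Assumption of this model: a dotted net without a prefix length,
            # e.g. 192.168.1.0, means "the network up to the trailing zero octets" (/24).
            octets = value.split(".")
            while len(octets) > 1 and octets[-1] == "0":
                octets.pop()
            value = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
        net = ipaddress.ip_network(value, strict=False)
        cands = {"src": [src], "dst": [dst]}.get(direction, [src, dst])
        return any(ipaddress.ip_address(a) in net for a in cands)
    raise ValueError(f"unsupported primitive: {primitive!r}")


def apply_filter(expr, packets=PACKETS):
    """Return the packets matching an 'and'-joined tcpdump filter expression."""
    primitives = [p.strip() for p in expr.split(" and ")]
    return [pkt for pkt in packets if all(_matches(p, pkt) for p in primitives)]


if __name__ == "__main__":
    for expr in ("host 192.168.1.100 and port 80",
                 "src host 192.168.1.100 and dst port 80",
                 "src host 192.168.1.100 and udp dst port 53",
                 "arp net 192.168.1.0"):
        print(f"{expr!r}: {len(apply_filter(expr))} packet(s)")
```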

  • Wireshark

    • Adds protocol analysis to traffic analysis

    • Can be used to review traffic captured by tcpdump and windump

    • Supports Windows and Linux OS

    • Download and install the Wireshark software:

    – Go to http://www.wireshark.org/download.html and download and install the Wireshark binary for your computer.

  • Initial wireshark screen

  • Wireshark GUI during packet capture and analysis

  • The Wireshark interface has five major components:

    1. The command menus are standard pull-down menus located at the top of the window.

    • The File menu allows you to save captured packet data or open a file containing previously captured packet data, and exit the Wireshark application.

    • The Capture menu allows you to begin packet capture.

    2. The packet-listing window displays a one-line summary for each packet captured, including

    – the packet number,

    – the time at which the packet was captured,

    – the packet's source and destination addresses,

    – the protocol type, and protocol-specific information contained in the packet.

    – The protocol type field lists the highest-level protocol that sent or received this packet.

    3. The packet-header details window provides details about the packet selected in the packet-listing window.

    4. The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format.

    5. Towards the top of the Wireshark graphical user interface is the packet display filter field, into which a protocol name or other information can be entered in order to filter the information displayed.

  • Example HTTP Traffic captured

  • Ettercap

    • Runs on Linux based operating systems

    • Unified sniffing : Monitors single interface

    • Bridged sniffing : Monitor two interface

  • Ettercap is an open-source tool written by Alberto Ornaghi and Marco Valleri.

    • Ettercap is described by its authors as “a multipurpose sniffer/interceptor/logger for switched LANs”.

    • Ettercap is a versatile network manipulation tool. It uses its ability to easily perform man-in-the-middle (MITM) attacks in a switched LAN environment as the launch pad for many of its other functions:

    – Character injection

    – Packet filtering

    – Automatic password collection for many common network protocols

    – SSH support

    – HTTPS support

    – Kill any connection

  • Ettercap Available plug-in

  • hping

    • The ping command is used only to check ICMP echo requests, while hping supports the TCP, UDP, ICMP and IP protocols.

    • Functions of hping:

    – Firewall testing

    – Advanced port scanning

    – Network testing, using different protocols, TOS, fragmentation

    – Manual path MTU discovery

    – Advanced traceroute, under all the supported protocols

    – Remote OS fingerprinting

    – Remote uptime guessing

    – TCP/IP stacks auditing

  • hping commands

    • hping www.google.com

    • hping www.google.com -p 80

    • hping www.google.com -p 79

    • hping www.google.com -A -p 79

  • Kismet

    • Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs.

    • Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.

    • The program runs under Linux and Mac OS X.

    • The client can also run on Microsoft Windows, although, aside from external drones

  • Installation of KISMET:

    – sudo apt-get install kismet

    • Configure kismet:

    – sudo gedit /etc/kismet/kismet.conf

    • Create a username for kismet:

    – suiduser=chintan

    • Provide the wireless source:

    – source=wifi_mac_IAP

    • Starting Kismet:

    – sudo kismet

  • Kismet server: for collecting data:

    – sudo kismet_server

    • Kismet client: for presenting the data to the user:

    – kismet_client