Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 4 Network Vulnerabilities and Attacks

Transcription

1 Security+ Guide to Network Security Fundamentals, Third Edition Chapter 4 Network Vulnerabilities and Attacks

2 Objectives Explain the types of network vulnerabilities List categories of network attacks Define different methods of network attacks Security+ Guide to Network Security Fundamentals, Third Edition 2

3 Network Vulnerabilities There are two broad categories of network vulnerabilities: Those based on the network transport media Those found in the network devices themselves Security+ Guide to Network Security Fundamentals, Third Edition 3

4 Media-Based Vulnerabilities Monitoring network traffic Helps to identify and troubleshoot network problems Monitoring traffic can be done in two ways Use a switch with port mirroring To redirect traffic that occurs on some or all ports to a designated monitoring port on the switch Install a network tap (test access point) A separate device that can be installed between two network devices, such as a switch, router, or firewall, to monitor traffic Security+ Guide to Network Security Fundamentals, Third Edition 4

5 Security+ Guide to Network Security Fundamentals, Third Edition 5

6 Security+ Guide to Network Security Fundamentals, Third Edition 6

7 Media-Based Vulnerabilities (continued) Security+ Guide to Network Security Fundamentals, Third Edition 7

8 Media-Based Vulnerabilities (continued) Just as network taps and protocol analyzers can be used for legitimate purposes They also can be used by attackers to intercept and view network traffic Attackers can access the wired network in the following ways: False ceilings Exposed wiring Unprotected RJ-45 jacks Security+ Guide to Network Security Fundamentals, Third Edition 8

9 9

10 10

11 Media-Based Vulnerabilities (continued) Security+ Guide to Network Security Fundamentals, Third Edition 11

12 Network Device Vulnerabilities Weak passwords A password is a secret combination of letters and numbers that serves to authenticate (validate) a user by what he knows Password paradox Lengthy and complex passwords should be used and never written down It is very difficult to memorize these types of passwords Passwords can be set to expire after a set period of time, and a new one must be created Security+ Guide to Network Security Fundamentals, Third Edition 12

13 Network Device Vulnerabilities (continued) Characteristics of weak passwords A common word used as a password Not changing passwords unless forced to do so Passwords that are short Personal information in a password Using the same password for all accounts Writing the password down Security+ Guide to Network Security Fundamentals, Third Edition 13

14 Network Device Vulnerabilities Default account (continued) A user account on a device that is created automatically by the device instead of by an administrator Used to make the initial setup and installation of the device (often by outside personnel) easier Although default accounts are intended to be deleted after the installation is completed, often they are not Default accounts are often the first targets that attackers seek Security+ Guide to Network Security Fundamentals, Third Edition 14

15 Network Device Vulnerabilities (continued) Security+ Guide to Network Security Fundamentals, Third Edition 15

16 Network Device Vulnerabilities Back door (continued) An account that is secretly set up without the administrator s knowledge or permission, that cannot be easily detected, and that allows for remote access to the device Back doors can be created on a network device in two ways The network device can be infected by an attacker using a virus, worm, or Trojan horse A programmer of the software creates a back door on the device Security+ Guide to Network Security Fundamentals, Third Edition 16

17 Network Device Vulnerabilities Privilege escalation (continued) It is possible to exploit a vulnerability in the network device s software to gain access to resources that the user would normally be restricted from obtaining Security+ Guide to Network Security Fundamentals, Third Edition 17

18 Categories of Attacks Attacks categories Denial of service Spoofing Man-in-the-middle Replay attacks Security+ Guide to Network Security Fundamentals, Third Edition 18

19 Denial of Service (DoS) Denial of service (DoS) attack Attempts to consume network resources so that the network or its devices cannot respond to legitimate requests DoS attack type: SYN flood attack Distributed Denial of service (DDoS) Wireless Dos attack Security+ Guide to Network Security Fundamentals, Third Edition 19

20 Denial of Service (DoS) (continued) SYN flood attack Normal Operation Of three way handshake 20 Ref: 20 SYN Flood

21 Denial of Service (DoS) (continued) Distributed denial of service (DDoS) attack A variant of the DoS May use hundreds or thousands of zombie computers in a botnet to flood a device with requests Security+ Guide to Network Security Fundamentals, Third Edition 21

22 DDoS attack Security+ Guide to Network Security Fundamentals, Third Edition 22

23 Denial of Service (DoS) (continued) Wireless Dos attack - Flooding the RF spectrum attack - Attack takes advantage of CSMA/CA procedure - Attack uses disassociation frames Security+ Guide to Network Security Fundamentals, Third Edition 23

24 Denial of Service (DoS) (continued) Flooding the RF spectrum attack Security+ Guide to Network Security Fundamentals, Third Edition 24

25 Security+ Guide to Network Security Fundamentals, Third Edition 25

26 Denial of Service (DoS) (continued) Attack uses disassociation frames Security+ Guide to Network Security Fundamentals, Third Edition 26

27 Spoofing Spoofing is impersonation Pretends to be someone or something else by presenting false information Variety of different attacks use spoofing Attacker may spoof her address so that her malicious actions would be attributed to a valid user Attacker may spoof his network address with an address of a known and trusted host A fictitious login screen may allow an attacker to capture valid user credentials Attacker can set up his AP device and trick all wireless devices to communicate with the imposter device Security+ Guide to Network Security Fundamentals, Third Edition 27

28 Ref: Security+ Guide to Network Security Fundamentals, Second Edition 28

29 Man-in-the-Middle Man-in-the-middle attack Intercepts legitimate communication and forges a fictitious response to the sender Common on networks Can be active or passive Active attacks intercept and alter the contents before they are sent on to the recipient Security+ Guide to Network Security Fundamentals, Third Edition 29

30 Man-in-the-Middle (continued) Security+ Guide to Network Security Fundamentals, Third Edition 30

31 Replay Replay attack Similar to a passive man-in-the-middle attack Captured data is used at a later time A simple replay would involve the man-in-the-middle capturing login credentials between the computer and the server A more sophisticated attack takes advantage of the communications between a device and a server Administrative messages that contain specific network requests are frequently sent between a network device and a server Security+ Guide to Network Security Fundamentals 31

32 Replay (continued) Sender Attacker File server 1. Sends message 2. Intercepts message 3. Sends message to create link with the file server Creates link with attacker 4. Alters message and sends to the file server Reject altered message 5. Alters message correctly and send to file server Accepted correctly altered message Security+ Guide to Network Security Fundamentals, Second Edition 32

33 Methods of Network Attacks Network attack methods can be: - Protocol-based Antiquated protcols DNS attacks ARP poisoning TCP/IP hijacking - Wireless will not be covered - As well as other methods will not be covered Security+ Guide to Network Security Fundamentals, Third Edition 33

34 Protocol-Based Attacks Antiquated protocols TCP/IP protocols have been updated often to address security vulnerabilities SNMP is example of updated protocol Security+ Guide to Network Security Fundamentals, Third Edition 34

35 Protocol-Based Attacks (continued) SNMP Used for exchanging management information between networked devices And enables system admin to remotely monitor, manage and configure network devices. Each SNMP managed device must have an agent that is protected with the community string. The use of community strings in the first two versions of SNMP, SNMPv1 and SNMPv2, created several vulnerabilities SNMPv3 uses encryption to protect the community strings Security+ Guide to Network Security Fundamentals, Third Edition 35

36 Protocol-Based Attacks (continued) DNS attacks Domain Name System (DNS) is the basis for name resolution to IP addresses today It includes DNS poisoning and DNS transfers attacks. DNS poisoning Substitute a fraudulent IP address so that when a user enters a symbolic name, she is directed to the fraudulent computer site Security+ Guide to Network Security Fundamentals, Third Edition 36

37 Protocol-Based Attacks (continued) Security+ Guide to Network Security Fundamentals, Third Edition 37

38 Protocol-Based Attacks (continued) DNS poisoning (continued) Substituting a fraudulent IP address can be done in one of two different locations TCP/IP host table name system (See Figure 4-10) External DNS server Attack is called DNS poisoning (also called DNS spoofing) See Figure 4-11 DNS poisoning can be prevented by using the latest editions of the DNS software, BIND (Berkeley Internet Name Domain) Security+ Guide to Network Security Fundamentals, Third Edition 38

39 Security+ Guide to Network Security Fundamentals, Third Edition 39

40 Security+ Guide to Network Security Fundamentals, Third Edition 40

41 Protocol-Based Attacks (continued) DNS transfers Almost the reverse of DNS poisoning Attacker asks the valid DNS server for a zone transfer, known as a DNS transfer Possible for the attacker to map the entire internal network of the organization supporting the DNS server Security+ Guide to Network Security Fundamentals, Third Edition 41

42 Protocol-Based Attacks (continued) ARP poisoning Address Resolution Protocol (ARP) Used by TCP/IP on an Ethernet network to find the MAC address of another device The IP address and the corresponding MAC address are stored in an ARP cache for future reference An attacker could alter the MAC address in the ARP cache so that the corresponding IP address would point to a different computer Security+ Guide to Network Security Fundamentals, Third Edition 42

43 Protocol-Based Attacks (continued) Security+ Guide to Network Security Fundamentals, Third Edition 43

44 Protocol-Based Attacks (continued) TCP/IP hijacking Takes advantage of a weakness in the TCP/IP protocol The TCP header consists of two 32-bit fields that are used as packet counters Updated as packets are sent and received between devices Packets may arrive out of order Receiving device will drop any packets with lower sequence numbers Security+ Guide to Network Security Fundamentals, Third Edition 44

45 Protocol-Based Attacks (continued) TCP/IP hijacking (continued) If both sender and receiver have incorrect sequence numbers, the connection will hang In a TCP/IP hijacking attack, the attacker creates fictitious ( spoofed ) TCP packets to take advantage of the weaknesses Security+ Guide to Network Security Fundamentals, Third Edition 45

46 Security+ Guide to Network Security Fundamentals, Third Edition 46

47 Security+ Guide to Network Security Fundamentals, Third Edition 47

48 Security+ Guide to Network Security Fundamentals, Third Edition 48

49 Security+ Guide to Network Security Fundamentals, Third Edition 49

50 Summary Network vulnerabilities include media-based vulnerabilities and vulnerabilities in network devices The same tools that network administrators use to monitor network traffic and troubleshoot network problems can also be used by attackers Network devices often contain weak passwords, default accounts, back doors, and vulnerabilities that permit privilege escalation Security+ Guide to Network Security Fundamentals, Third Edition 50

51 Summary (continued) Network attacks can be grouped into four categories Protocol-based attacks take advantage of vulnerabilities in network protocols Security+ Guide to Network Security Fundamentals, Third Edition 51