Deviation in quality of service: Service providers, DOS
h/w, s/w failures: Equipment failures, bugs
What are the Network Vulnerabilities?
Technology: Transport Protocols, Routing Protocols, Operating System
Configuration: Servers and workstations, Firewalls and Routers, IDS
Policy: Ineffective security policy
What are the classes of attack?
Denial of service attacks
Worms, viruses, and Trojan horses
What are the types of attack?
DoS or DDoS
Application layer attacks
What are the targets of attacks?
System Hacking: Windows/Unix/Apple
Network Hacking: Network devices, OSI Layer, Protocols
Software Hacking: Web Server Hacking, Web Applications, Malware, Spyware, viruses
Name some useful Security Websites
Name the three entities in a hacker's methodology
What information is acquired through footprinting?
Company web sites - public and private
Phone number, contact names, email addresses, and personal details
Current events (mergers, acquisitions, layoffs, charity events etc.)
Privacy or security policies and the technical details indicating the types of security and how they are implemented.
Search engines, Usenet and resumes
Other information of Interest
Name some hacking tools and what they do
Google Groups: Search for useful email addresses in newsgroups
Whois: Gather IP and domain information
SamSpade: Gather IP and domain information
Namedroppers: Run a domain name search
Google: Search for web sites and company information
Dig: Performs DNS zone transfers
Netcat: Read and write data to ports over the network
Wget: Retrieves HTTP, HTTPS and FTP content over the Internet
In the process of Whois and DNS enumeration, what does ICANN provide?
Internet Domain names
Protocol parameter and port numbers
Internet’s root DNS servers.
Name two network reconnaissance tools
What is the purpose of scanning?
If you have an IP address range - to find out which IP addresses are alive
If you have found a target - to find out which ports are open
What are Ping Sweeps used for?
Identify which IP addresses belong to active hosts
Ping a range of IP addresses
What are the potential problems of ping sweeps?
Computers that are shut down cannot respond
Networks may be configured to block ICMP Echo Requests
Firewalls may filter out ICMP traffic
From RFC 792, what are the primary ICMP type messages?
0: Echo Reply
3: Destination Unreachable
4: Source Quench
8: Echo Request
11: Time Exceeded
12: Parameter problem
14: Timestamp Reply
15: Information Request
16: Information Reply
What does Port Scanning find out?
What is the problem with services?
What ports do you scan?
What do port scanners report about ports?
Port Scanning: Finds out which services are offered by a host and Identifies vulnerabilities
Open services can be used in attacks: Identify a vulnerable port, Launch an exploit
Scan all ports when testing: Not just well-known ports
Port scanning programs report: Open ports, Closed ports, Filtered ports, Best-guess assessment of which OS is running
What are the types of port scans?
SYN scan: Stealthy scan
Connect scan: Completes the three-way handshake
NULL scan: Packet flags are turned off
XMAS scan: FIN, PSH and URG flags are set
ACK scan: Used to get past a firewall
FIN scan: Closed port responds with an RST packet
UDP scan: Closed port responds with ICMP “Port Unreachable” message
Name some popular port scanning tools for Unix and Windows
What are the countermeasures to port scanning?
Shut the port
Leave it open
Try to disguise it
Name two operating system failures to deal with Active Stack Fingerprinting (port) scans
FIN probe: RFC 793 states that the correct response to this flag is not to respond. Windows NT/2000/2003 respond with a FIN/ACK
Bogus flag probe: An unidentified TCP flag is set in the TCP header of a SYN packet. Some OSs, like Linux, will respond with that flag set in the response packet.
How to try and detect Active Stack Fingerprinting?
Look for these flags by using some network monitoring software to capture network traffic.
What information does Enumeration hope to extract?
Resources or shares on the network
User names or groups assigned on the network
Last time user logged on
Name some examples of enumeration tools
Port scanning and footprinting: Determine OS being used
NBT (NetBIOS over TCP/IP): Tool for enumerating Microsoft OSs
Using NBTscan: Use nbtscan command to scan a range of IP addresses
Telnet to probe services: banner grabbing, ftp, DNS zone transfers, SMTP and NetBIOS
What type of process is enumeration?
What is the Application Layer?
Front end to the lower-layer protocols
What you can see and touch
What is the Transport Layer?
What common Protocols run on this layer?
On what basis do these protocols work?
What is a three way handshake?
Encapsulates data into segments
Segments can use TCP or UDP to reach a destination host
UDP is a minimal message-oriented protocol
TCP is a connection-oriented protocol
TCP three-way handshake
Computer A sends a SYN packet
Computer B replies with a SYN-ACK packet
Computer A replies with an ACK packet
What are the critical components of TCP Segment Headers and why are they important?
Initial Sequence Number (ISN)
Source and destination port
Important because they are abused by hackers finding vulnerabilities
What are the TCP Flags and what do they do?
URG: indicates that the Urgent pointer is valid.
ACK: indicates that the Acknowledgement number is valid.
PSH: indicates that this segment requests a push (i.e. pass this data to the application as soon as possible).
RST: indicates that the connection should be reset.
SYN: indicates that Initial Sequence Numbers (ISNs) should be synchronised.
FIN: indicates that the sender has finished sending data
What is the initial sequence number (ISN) in TCP?
Tracks packets received
Enables reassembly of large packets
Sent on steps 1 and 2 of the TCP three-way handshake
Describe TCP Ports
What do TCP's contain?
What are the common ports and where can you find information about them?
Port: Logical, not physical, component of a TCP connection
Identifies the service that is running
Example: HTTP uses port 80
A 16-bit number
TCP packets have source and destination port fields
Helps you stop or disable services that are not needed: Open ports are an invitation for an attack
Only the first 1023 ports are considered well-known
List of well-known ports: Available at the Internet Assigned Numbers Authority (IANA) Web site (www.iana.org)
Describe TCP ports 20 and 21
Ports 20 and 21: File Transfer Protocol (FTP)
Use for sharing files over the Internet
Requires a logon name and password
More secure than Trivial File Transfer Protocol (TFTP)
Describe TCP ports 25, 53 and 69
Simple Mail Transfer Protocol (SMTP)
E-mail servers listen on this port
Domain Name Service (DNS)
Helps users connect to Web sites using URLs instead of IP addresses
Trivial File Transfer Protocol
Used for transferring router configurations
Describe TCP ports 80, 110 and 119
Hypertext Transfer Protocol (HTTP)
Used when connecting to a Web server
Post Office Protocol 3 (POP3)
Used for retrieving e-mail
Network News Transfer Protocol
For use with newsgroups
Describe TCP ports 135, 139 and 143
Remote Procedure Call (RPC)
Critical for the operation of Microsoft Exchange Server and Active Directory
Used by Microsoft’s NetBIOS Session Service
Internet Message Access Protocol 4 (IMAP4)
Used for retrieving e-mail
Better than POP3
Describe the User Datagram Protocol (UDP)
Fast but unreliable protocol
Operates on transport layer
Does not need to verify whether the receiver is listening
Higher layers of the TCP/IP stack handle reliability problems
What is the internet layer used for and what protocol does it use?
What is ICMP, what is it used for, and what are common commands?
Responsible for routing packets to their destination address
Uses a logical address, called an IP address
IP addressing packet delivery is connectionless
Internet Control Message Protocol (ICMP):
Used to send messages related to network operations
Helps in troubleshooting a network
Some commands include:
Name some popular security models
Asset and Risk Based Infosec Lifecycle (ARBIL)
Confidentiality, Integrity and Availability (CIA)
Cisco Security Wheel
Describe Network Security as a Continuous Process
Network security is a continuous process built around a security policy:
Step 1: Secure
Step 2: Monitor
Step 3: Test
Step 4: Improve
With reference to the Cisco security model, describe the secure step.
Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:
With reference to the Cisco security model, describe the monitor step.
Detects violations to the security policy
Involves system auditing and real-time intrusion detection
Validates the security implementation in Step 1 (secure)
With reference to the Cisco security model, describe the testing step.
Validates effectiveness of the security policy through system auditing and vulnerability scanning
With reference to the Cisco security model, describe the improve step.
Use information from the monitor and test phases to make improvements to the security implementation.
Adjust the security policy as security vulnerabilities and risks are identified
What is a security policy?
“A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
(RFC 2196, Site Security Handbook)
What factors should be taken into consideration when preparing a security policy?
Count the Cost
Identify your assumptions
Control your secrets
Remember human factors
Know your weaknesses
Limit the scope of access
Understand your environment
Limit your trust
Remember physical security
Make security pervasive
Know your enemy
Why should you create a security policy?
To create a baseline of your current security posture
To set the framework for security implementation
To define allowed and not allowed behaviors
To help determine necessary tools and procedures
To communicate consensus and define roles
To define how to handle security incidents
Describe the two sets of security policy elements
Network Design Factors upon which security policy is based:
Basic Internet threat vectors toward which security policies are written to mitigate
Denial of Service
What are the threats to security and what are the counters that should be documented in a security policy?
What are the main Personal threats to Authenticity?
Same login routine
Username readily available
Thus password becomes the gateway: Or session tickets for inter-resource communication
Often limited in some way: lower & upper case, more than 8 char.
What are the Authenticity Attacks?
Guessing the password
Reuse of old passwords
Capture via Trojan Horses
What are the threats to internal Authenticity?
Main threat is from “spoofing”
Identification of host is by address
The usual assumption is if you say you are a particular address then it must be so.
Structure of internal networks regarding Authenticity
How is the network arranged, what identifies what, and how are they able to communicate?
Address conveys information about your setup
IP addresses must be unique
Must reside on correct network unless using “source routing”
Most IP traffic within an organisation is carried over LANs
Media Access Control (MAC)
Address Resolution Protocol (ARP) uses LAN broadcast to ask for MAC address of a particular IP address.
What are the countermeasures to an internal Authenticity Attack?
Static address mapping
Using an ARP server
Authentication protocols e.g. MD5, Kerberos
What is the problem of exploiting Authenticity from the exterior using a permanent network and what counter measures can be utilised?
Spoofing of an internal address from outside is harder, as traffic which passes through a router will be directed to the appropriate network via the router's internal tables
Main Counter: IP source routing: source host specifies the list of routers the packet must pass through.
Secure address mapping
Proper router configuration
How does exploiting a networks authenticity from the exterior using a temporary network work? What are the countermeasures to this attack?
Find the dial-in line and then use brute force attack
Main Counter attack: by dial back or strong authentication
Secure address mapping
Proper router configuration
What are the countermeasures to a masquerade/exterior attack?
Masquerade -> Authenticity
Secure address mapping
Proper router configuration
What are the three different areas of Interception attacks?
What is the structure of interception on a personal level. What different user technologies are employed?
What is the structure in a multi-user system?
single user with optional authentication
file permission scheme: rwx|rwx|rwx
VMS, Netware more permissions and/or user categories
Users may belong to more than one grouping
What are the methods employed to secure data at a personal level to protect against interception attacks?
Your job to ensure that documents are secure:
File encryption: password protection
Key encryption: DES, IDEA, PGP, RSA
What is the structure of interception on an interior level? What would allow a hacker to obtain information? What is a common interception weakness in interior networks?
Where are attacks possible from?
Most LANs are broadcast:
Can turn a PC into a protocol analyser
Many login/password sequences are sent in clear text
Attacks are possible from:
Legally connected host
Illegally connected host
How do you set up interception on an exterior level, what do you use and what do you want to access?
External connections via say friendly ISP.
Gain access to your monitoring device.
What is the main method utilised for interception attacks?
Eavesdropping, which is the main threat to privacy.
What are the countermeasures to interception attacks?
RADIUS: Remote Authentication Dial-In User Service
TACACS/TACACS+: Terminal Access Controller Access Control System
What are the benefits of using AAA?
Increased flexibility and control of access configuration
Standardized authentication methods, such as RADIUS, TACACS+, Diameter and Kerberos
Multiple backup systems
What is an identity?
An assertion of who we are
Allows us to differentiate between one another
What forms do identities take?
Username and password
Email address: firstname.lastname@example.org
MAC address: 00-01-12-ab-3d-33
IP address: 172.16.48.199
What are identities used for?
Used to grant appropriate authorisations: rights to services within a given domain
What are some popular identity mechanisms
Terminal Access Controller Access Control System (TACACS)
Remote Authentication Dial-In User Service (RADIUS)
Draw an overview of what identity mechanisms provide
What are static passwords? What attacks are they susceptible to? Why are they used?
Remains the same until changed
Susceptible to playback, theft, brute force, eavesdropping
For convenience distributed systems need to have one password to access all resources.
If it is possible to capture the password for off-line guessing then a much larger name space is required
What is a password storage site? What are the components?
Individually stored on all the services required.
Authentication Storage node: Central server
Authentication Facilitator node: An intermediary that passes on authentication requests of a central server.
Describe the process for One-Time Passwords, for example S/Key
1. The client provides the pass phrase
2. The server provides the seed phrase and hash algorithm - MD4, MD5 or SHA-1
3. These are concatenated and passed through the algorithm a number of times. Output folded/reduced to 64 bits each time.
4. On login the client is challenged by the server, who provides the seed, sequence number - 1 and the hash used.
5. Client performs the same as 3 and sends the (sequence number - 1)th password to the server.
6. Server passes this through the hash one more time and then compares.
7. Server updates its database with new sequence number and new password.
What are Token Passwords?
How do they work?
A One-Time-Password (OTP) with added security
Time-based: Password loosely synchronised in time to the server.
Challenge-response: Token server sends a random string to remote client. Remote client uses this with stored cryptographic key to produce the “password” which is sent to the server for authentication
What are Digital Signatures?
An encrypted hash appended to a document to confirm identity of the sender and the integrity of the document.
Based on public key encryption and secure one-way hash functions
What are the different technologies utilised by Biometrics?
What is Correct EAP?
Name some of the different varieties of EAP.
Extension of PPP to provide additional authentication features
A flexible protocol used to carry arbitrary authentication information.
Typically rides on top of another protocol such as 802.1X or RADIUS. EAP can also be used with TACACS+
Specified in RFC 2284
Support multiple authentication types:
EAP-MD5: Plain Password Hash (CHAP over EAP). It has little use in a wireless authentication environment.
EAP-TLS: based on X.509 certificates [RFC2716].
EAP-TTLS: Sets up an encrypted TLS tunnel for safe transport of authentication data.
LEAP (EAP-Cisco Wireless): proprietary protocol developed by Cisco, and is not considered secure
PEAP (Protected EAP): currently an IETF draft
EAP-MSCHAPv2: Requires username/password, and is basically an EAP encapsulation of MS-CHAP-v2
What is a basic login only? What are its weaknesses?
Username and Password sent in clear.
Recipient verifies username and password and communication occurs: No encryption, no integrity checks
What is a Nonce?
A quantity that a protocol only uses once:
Describe the Authentication Protocol Checklist
Learn the contents of the messages between Alice and Bob.
Learn information that would enable Trudy to impersonate either Alice or Bob in subsequent exchanges.
Learn information that would enable Trudy to impersonate Alice to another replica of Bob.
Learn information that would allow Trudy to do an off-line password guessing attack against either Alice or Bob
Pick up a conversation to Bob and convince him that it is Alice.
Trick either into signing or decrypting something.
Use one protocol to mount an attack on another.
Describe the four factors that motivate administrators to install IDS
Most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse; finding and fixing all these deficiencies is not feasible for technical and economic reasons
Existing systems with known flaws are not easily replaced by systems that are more secure-mainly because the systems have attractive features that are missing in the more-secure systems, or else they cannot be replaced for economic reasons
Developing systems that are absolutely secure is extremely difficult, if not generally impossible
Even the most secure systems are vulnerable to abuses by insiders who misuse their privileges.
What are the different IDS Hypothesis detection models?
Attempted Break-in: Recognised by the abnormal number of password failures
Masquerading or successful break-in: Logged in at an unusual time for the legitimate user. Resource usage may be that of browsing directories and executing system status commands.
Penetration by legitimate user: Triggers excessive protection violations. Accessing material not usually used by them.
Leakage by legitimate user: Leaking sensitive documents by routing data to remote printers not normally used.
Similarly for Trojan horses, viruses and DoS
Explain how IDS works, what its architecture is.
Collects, organizes, and analyzes information from any number of network based and host based IDS sensors;
Shows overall status at a glance;
Generates a report hierarchy that allows humans to start their investigation at any level and work up, down, and across as the trail leads;
Enables humans to interact with the system to test their intuitions;
Allows humans to direct further analysis and redirect how data is analyzed;
Is invisible to hackers and is secure, because it is physically isolated from the production network.
Describe some of an IDS characteristics and components.
Network taps: Invisible to hackers. The whole IDS network is physically separate from the production network
One or more IDS sensors to prevent overload
The IDS sensors types perform preliminary analysis.
Central analysis server on the isolated IDS network to collect and allow analysis of the sensors data.
Capability of sensors and central analysis tools to react in real time.
Outline what an IDS is
Outline what an IPS is and what mechanisms it provides.
Similar to generic packet sniffer.
Compares packets with known attack patterns
Provides the following active defence mechanisms:
Detection: identify attacks
Prevention: stop detected attacks from happening
Reaction: immunise the system from further attacks from a malicious source.
What are the different things which can happen when an IDS/IPS makes a signature match?
Alarm: sends alarm to a log/email and then forwards the packet.
Reset: sends packet with a reset flag to session participants.
Drop: immediately drop packet
Block: denies traffic from source attack address
Name the two types of IDS
Host-Based IDS (HIDS)
Network IDS (NIDS)
Explain the process of Kerberos Authentication
1. Once per Kerberos session, a client connects to the Authentication Server (AS) to obtain a Ticket-Granting Server (TGS) session key and a ticket-granting ticket (TGT)
2. Once per application session, the client connects to the TGS to obtain an application session key (ASK) and the application server's secret key
3. The authenticated client sends its ticket, ASK and encrypted application server's secret key to the application server and initiates a connection.