1 / 89

Session Layer Security

Session Layer Security. Lecture 6 Supakorn Kungpisdan supakorn@mut.ac.th. Roadmap. Introduction SYN Attack Session Hijacking DNS Poisoning SSH Downgrade Attack Authentication Techniques and Attacks. Introduction.

ama
Download Presentation

Session Layer Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Session Layer Security Lecture 6 Supakorn Kungpisdan supakorn@mut.ac.th NETE4630

  2. Roadmap • Introduction • SYN Attack • Session Hijacking • DNS Poisoning • SSH Downgrade Attack • Authentication Techniques and Attacks NETE4630

  3. Introduction • Session layer provides a set of features that contributes to the reliability and usefulness of modern network communications • Session Checkpoint • Session Adjournment • Session Termination • Half- and Full-Duplex Operations NETE4630

  4. Session Checkpoint • TCP acknowledgement (ACK) packets are regularly passed between hosts to identify the last packet that was received • TCP delays the transmission of an ACK packet until either a timeout is reached or a number of packets equal to the TCP window size have been sent • This delays increases the efficiency of the protocol and establishes checkpoints • At any point, TCP can resume transmission from the previous checkpoint if a delivery failure occurs NETE4630

  5. Session Adjournment • TCP sessions may be adjourned through setting the TCP window to 0 byte. • This informs the sending host that no buffer is available to hold transmitted data and halts communications without losing the connection NETE4630

  6. Session Termination • TCP provides a means for both graceful and immediate session terminations • Graceful termination occur by setting a finish (FIN) flag that is subsequently acknowledged by the recipient • Immediate termination occur by using packets with the reset (RST) flag set Half- and Full-Duplex Operations • While TCP operates at full duplex, the session layer allows for both full- and half-duplex operations NETE4630

  7. Attacking the Session Layer • Rely primarily on abuses of the TCP and IP headers • Several behavior designed into the TCP specification allow a wide variety of attacks • In particular, TCP flags and Sequence and Acknowledgement numbers enable several methods of attack • Newer attacks may focus on higher layer protocol like Session Description Protocol (SDP) and Session Initiation Protocol (SIP) NETE4630

  8. SYN Attack • Using legitimate TCP functions permits attackers with a small number of hosts to conduct DoS, which can completely saturate the bandwidth of a corporation • In TCP three-way handshake, a new source port is selected on the client host for each new connection that is opened to a particular port on a server • The server has to allocate a number of resources to handle each connection • A large number of hosts can use this to great effect when attacking a web site NETE4630

  9. SYN Attack (cont.) • From an attacker’s perspective, this approach is less than ideal: • Creating multiple connections is extremely inefficient • Every established connection consumes a lot of resources on the server and the attacking client • This kind of attack is not anonymous • Many servers limit the number of connections that they will accept from a single host NETE4630

  10. Performing SYN Attack • Our goal is to consume resources on the victim server but not on the DoS client • We want to avoid using any system calls to open network connections NETE4630

  11. SYN Attack with hping2 • Hping2 tool provides a simple means for producing crafted packets • Executing a single SYN packet to port 6666 on the victim server $ hping –c 1 –p 6666 –S 10.10.1.9 • In this case, we use the attacking machine’s IP as source IP NETE4630

  12. SYN Attack with hping2 (cont.) Using real IP (196.254.34.6) as source will immediately terminate SYNACK from target (10.10.1.9) NETE4630

  13. SYN Attack with hping2 (cont.) • However, the DoS client was stymied by attempts to circumvent its resource consumption • Any TCP stack that meets an unsolicited SYN/ACK packet will respond with an RST • The solution is to spoof a source IP address $ hping –c 1 –a 10.12.250.250 –p 6666 –S 10.1.1.9 Spoofed IP address NETE4630

  14. SYN Attack with hping2 (cont.) Target keeps sending SYN/ACK to the spoofed source until reaching timeout NETE4630

  15. SYN Attack with hping2 (cont.) • The victim server attempts to reply to the non-existent host with SYN/ACK • TCP tries to ensure reliable delivery and will continue to complete the handshake until timeout • The DoS client can now produce packets as fast as it can spoof them, while at the same time the victim server attempts to complete handshakes in vain NETE4630

  16. Note on SYN Attack • Careful selection of the spoofed IP is necessary to conduct a successful DoS attack • The most successful method to ensure delivery of a spoofed packet is to select an unused IP on the same subnet as the attacking host NETE4630

  17. Reflective Attack • A variation of SYN attack • Launched by sending a large number of SYN packets to a web server but alters the source address so that it is to match the address of the victim • The web server responds to the large number of SYN packets by issuing a flood of traffic back to the spoofed victim’s address NETE4630

  18. Session Hijacking • Session hijacking works by taking advantage of the fact that most communications are protected (by providing credentials) at session setup, but not thereafter. • These attacks generally fall into three categories: • Man-in-the-middle (MITM) • Blind Hijacking • Session Theft Ref: http://technet.microsoft.com/en-us/magazine/cc160809(TechNet.10).aspx NETE4630

  19. MITM Attacks • Attacker intercepts all communications between two hosts. • With communications between a client and server now flowing through the attacker, he or she is free to modify their content. • Protocols that rely on the exchange of public keys to protect communications are often the target of these types of attacks NETE4630

  20. Blind Hijacking • An attacker injects data such as malicious commands into intercepted communications between two hosts commands like "net.exe localgroup administrators /add EvilAttacker". • This is called blind hijacking because the attacker can only inject data into the communications stream, but cannot see the response to that data (such as "The command completed successfully.") • Essentially, the blind hijack attacker is shooting data in the dark, but this method is still very effective NETE4630

  21. Session Theft Attacks • Attacker neither intercepts nor injects data into existing communications between two hosts. • Instead, the attacker creates new sessions or uses old ones. • This type of session hijacking is most common at the application level, especially Web applications. NETE4630

  22. Hijacking A TCP Session Session establishment Data transfer NETE4630

  23. Hijacking A TCP Session (cont.) • If the attacker wanted to inject data into the TCP session as the client, he or she would need to: • Spoof the client's IP address • Determine the correct sequence number that is expected by the server from the client • Inject data into the session before the client sends its next packet • To achieve the third, the attacker could just send the data to inject and hope it is received before the real client does • Or, the attacker could perform a DoS attack on the client, or use ARP spoofing NETE4630

  24. Blind Injection When the client receives the ACK packet, it will be confused, either because it did not send any data or because the next expected sequence is incorrect. NETE4630

  25. Hijacking A TCP Session (cont.) • Maybe the attacker can send something "nice" like "mv `which emacs` /vmunix && shutdown –r now" and not just a single character) • This confusion can cause a TCP ACK storm, which can disrupt a network • Attackers can automate the session hijacking process with tools such as Juggernaut, Hunt, and Ettercap NETE4630

  26. Hijacking A UDP Session • Attackers do not have to worry about the overhead of managing sequence numbers and other TCP mechanisms. • Since UDP is connectionless, injecting data into a session without being detected is extremely easy DNS queries, online games like the Quake series and Half-Life, and peer-to-peer sessions are common protocols that work over UDP; all are popular targets for this kind of session hijacking NETE4630

  27. Determining Susceptibility • One way to check if your network is vulnerable to session hijacking is to hijack actual network sessions using common attacker tools e.g. Juggernaut or Hunt (now Ettercap) • Alternatively, try to find out if using transport protocols that do not use cryptographic protection • Protocols such as Telnet and FTP are extremely susceptible to hijacking when not protected inside encrypted tunnels • Countermeasure is to use SSL, SSH, and IPSec NETE4630

  28. Tricks and Techniques • TCP ACK Storm • ARP Table Modification • TCP Resynchronizing • Remotely Modifying Routing Table NETE4630

  29. TCP ACK Packet Storm As the attacker injects more and more data, the size of the ACK storm increases and can quickly degrade network performance. If neither the attacker nor the client explicitly closes the session, the storm will likely stop itself eventually when ACK packets are lost in the storm. NETE4630

  30. ARP Table Modification Finding owner of MAC address Spoofed reply NETE4630

  31. ARP Table Modification (cont.) Stopping TCP ACK Storm NETE4630

  32. TCP Resynchronizing • To hide his/her tracks, an attacker who is finished session hijacking might want to resynchronize the communicating hosts. • The problem is that, after the attack, the two hosts whose session was hijacked will be at different points in the session. • In other words, each host will be expecting different sequence numbers. • For example, server might think that it is 40 bytes into the session when the client might have sent only 29 bytes. NETE4630

  33. TCP Resynchronizing (cont.) • Since sequence numbers move in only a positive direction, it's not possible to manipulate the server so that its expected sequence number moves downward to match the client's sequence number. • Tools like Hunt try to solve this problem by sending a message to the client msg from root: power failure – try to type 13 chars NETE4630

  34. Remotely Modifying Routing Table • Attacker who wants to hijack a session wants to route all communications between a client and server through him or her making it easy to monitor, modify, and inject data into the session, as in MITM attacks. • Attacker modifies the routing table of the host is to forge ICMP Redirect (type 5) packets and advertise them as the route to take when sending data. • To protect Windows® hosts from forged ICMP redirect, set the EnableICMPRedirectvalue to 0 under the registry key HKLM\System\CurrentControlSet\Services\AFD\Parameters NETE4630

  35. DNS Poisoning • A more common example of session hijacking is DNS poisoning • DNS poisoning allows you to convince a DNS server that a hostname resolves to an arbitrary IP NETE4630

  36. DNS Resolution Client does not query the canonical nameserver because of the efficiency provided by caching at the local nameserver 4 3 5 6 1 2 NETE4630

  37. DNS Poisoning (cont.) Attacker’s nameserver 4 3 6 7 5 Spoofed web server 1 2 37 NETE4630 NETE4630

  38. DNS Poisoning (cont.) • Implementing DNS poisoning is difficult • Each DNS query contains a 2-byte identification field that allows responses to be matched to queries • An attacker has a 1 in 65,536 (2^16) chance of guessing the correct identification value • Normally an attacker needs to sniff the identification number of the query in order to successfully spoof a response NETE4630

  39. DNS Poisoning with Ettercap 1 3 2 NETE4630

  40. DNS Poisoning with Ettercap (cont.) 4 5 NETE4630

  41. DNS Poisoning with Ettercap (cont.) 6 8 7 NETE4630

  42. DNS Poisoning with Ettercap (cont.) Ettercap.dns 9 10 NETE4630

  43. SSL Spoofing with Ettercap NETE4630

  44. SSH Downgrade Attack • SSH is the most famous example of a downgrade attack where the attacker forces the client and the server to use the insecure SSH1 protocol. • The client sends a request to establish a SSH link to the server and asks it for the version it supports • The server answers either with: • ssh-2.xx The server supports only SSH2 • ssh-1.99 The server supports SSH1 and SSH2 • ssh-1.51 The server supports only SSH1 • This attack occurs at the server that supports both SSH1 and SSH2 Ref: http://openmaniak.com/ettercap_filter.php NETE4630

  45. SSH Downgrade Attack (cont.) NETE4630

  46. SSH Downgrade Attack (cont.) NETE4630

  47. SSH Downgrade Attack with ettercap • Configure SSH server to support SSH1 and SSH2 #apt-get install openssh-server #vim /etc/ssh/sshd_config • Protocol 1, 2 2. Create a SSH1 key pair #ssh-keygen –t rsa1 –f /etc/ssh/ssh_host_key –N “” 3. Add the key path into sshd_config file: HostKey /etc/ssh/ssh_host_key 4. Try to telnet to server to check if it has SSH1 Trying server_ip_address...Connected to server_ip_address.Escape character is '^]'.SSH-1.99-OpenSSH_4.6p1 Debian-5ubuntu0.1 NETE4630

  48. Client’s PuTTY Screen Version 2 is preferred but not restricted NETE4630

  49. Ettercap Filter NETE4630

  50. SSH Downgrade Attack Filter /usr/share/ettercap/ettercap.filter.ssh NETE4630

More Related