NETE4630 Application Layer Security Lecture 8 Supakorn Kungpisdan supakorn@mut.ac.th
Outline
• FTP Security
• DNS Security
• Web Application Security
FTP Security Issues
• All traffic is transmitted in clear text
• Weak configuration of FTP allows brute-force and dictionary attacks
• Anonymous access may be enabled on the FTP server
• If file permissions are not set, an anonymous user may be able to read, overwrite, or delete files, leading to loss of confidentiality, integrity, and availability of data
• If anonymous access is used on a server, make sure that the proper restrictions are enforced for this user
NETE4630 Advanced Network Security and Implementation
Types of FTP
• Active FTP
  • Control connection is initiated by the FTP client
  • Data connection is initiated by the FTP server
• Passive FTP
  • Control connection is initiated by the FTP client
  • Data connection is initiated by the FTP client
Active FTP
• The client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. The client also sends the FTP command PORT N+1 from port N to port 21 at the FTP server, then starts listening on port N+1
• The server returns its response from port 21 to port N at the client
• The server then connects back to the client's specified data port (N+1) from its local data port (port 20)
Ref: http://slacksite.com/other/ftp.html
Active FTP (cont.)
[screenshot of an FTP session run with debug output]
Client port = (14*256)+178 = 3762
Letters in red show client input; letters in black show server output
Active FTP (cont.)
• The client's command port contacts the server's command port (port 21) and sends the command PORT 1027 (N+1).
• The server sends an ACK back from its port 21 to the client's command port (port 1026, i.e. port N).
• The server initiates a connection from its local data port (port 20) to the data port the client specified earlier (port 1027).
• The client sends an ACK back from port 1027 to the server's port 20.
Problems of Active FTP
• The FTP client doesn't make the actual connection to the data port of the server
• The FTP client simply tells the server what port it is listening on (N+1) and waits for the server to connect back to the specified port on the client
• To the client-side stateful firewall, this appears to be an outside system initiating a connection to an internal client
• This connection may be blocked
• Because the server initiates the data connection, the server may connect to a different client
Passive FTP
• To solve the problem of active FTP, use passive FTP
• When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1)
• Port N contacts the server on port 21, but instead of issuing a PORT command and allowing the server to connect back to its data port, the client issues the PASV command
• The server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client
• The client then initiates the connection from port N+1 to port P on the server to transfer data
Passive FTP (cont.)
[screenshot of a passive-mode FTP session]
Client port = (195*256)+149 = 50069
The server specifies the data port number
Passive FTP (cont.)
• The client contacts the server's command port (port 21) from its port N=1026 and issues the PASV command.
• The server then replies with PORT 2024, telling the client which port it is listening on for the data connection.
• The client then initiates the data connection from its data port (N+1=1027) to the specified server data port (port 2024).
• The server sends back an ACK (from its port 2024) to the client's data port (port 1027).
You can see that because the client initiates the data connection to the FTP server, the connection will not be blocked by the firewall
Problems of Passive FTP
• The FTP server needs to allow remote connections to high-numbered ports on the server.
• Fortunately, many FTP daemons, including the popular WU-FTPD, allow the administrator to specify a range of ports which the FTP server will use.
• Not all FTP clients support passive mode.
FTP Bounce Scan
• The FTP bounce attack uses a third workstation to act as a proxy between the nmap host and the destination station.
• With passive FTP, a user could send a PORT command to an FTP server that would direct the data towards a completely different host!
• The FTP bounce attack takes advantage of these poorly configured FTP servers (no control over the ranges of FTP ports)
• The data is BOUNCED from the FTP server to the target host
FTP Bounce Scan (cont.)
[diagram of the bounce scan; the two exchanges are labelled "Closed port" and "Open port"]
Advantages of FTP Bounce Scan
• The FTP bounce attack can scan "through" a firewall.
• The FTP bounce attack uses standard FTP functionality. Nmap does not require specialized packet configurations or changes to the FTP protocol.
• Therefore, the FTP bounce attack does not require any privileged access.
Disadvantages of FTP Bounce Scan
• The FTP bounce attack depends on the availability of an FTP server that allows a PORT command to redirect the data connection to a third device.
• Most FTP servers have a default configuration that protects against this use of the PORT command
Other FTP Bounce Attacks
• When using active FTP, a client uses the PORT command to specify the IP address and port number that the server should connect to for the data connection
• An attacker with access to an FTP server can bounce through the server by specifying someone else's IP address
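As an added example (not part of the lecture), a server-side check in Python against the bounce just described: it parses the PORT argument with the same p1*256+p2 arithmetic the lecture uses for (14*256)+178 = 3762, and refuses a data address that differs from the control connection's peer, which is the default protection most FTP daemons apply. The addresses used are constructed sample values.

```python
import ipaddress
import re

# PORT argument format: h1,h2,h3,h4,p1,p2 (four IP octets, two port bytes).
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg):
    """Parse 'h1,h2,h3,h4,p1,p2' into (ip, port); raise ValueError if malformed."""
    m = PORT_RE.match(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument: %r" % arg)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in PORT argument: %r" % arg)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]      # e.g. 14*256 + 178 = 3762
    return ip, port


def check_port_command(arg, control_peer_ip):
    """Decide whether to honour a PORT command received on a control connection
    whose peer is control_peer_ip.  Returns (accept, reason).

    Refusing a data address other than the control peer is what stops the
    server being used to bounce a data connection to a third host."""
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as err:
        return False, str(err)
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        return False, "data address %s differs from control peer %s (bounce refused)" % (
            ip, control_peer_ip)
    if port < 1024:
        return False, "privileged data port %d refused" % port
    return True, "data connection to %s:%d accepted" % (ip, port)


if __name__ == "__main__":
    # Constructed sample: control connection from 192.168.1.10.
    for arg in ("192,168,1,10,14,178", "10,0,0,99,14,178", "192,168,1,10,0,25"):
        print(arg, "->", check_port_command(arg, "192.168.1.10"))
```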
Outline
• FTP Security
• DNS Security
• Web Application Security
Domain Name System
• DNS is a distributed database that holds the information for mapping host names to IP addresses
• DNS uses both UDP and TCP.
• UDP is typically used for queries, unless the lookup or response is greater than 512 bytes
• TCP is used for those lookups and for zone transfers
• Integrity and availability of DNS are critical for the health of the Internet. It is used in conjunction with almost every other protocol on the Internet
• Availability was considered while designing DNS; security was not
DNS Request
[figure: a DNS request]
DNS Response
[figure: a DNS response]
DNS Lookup Process
[diagram: Host A and Host A's authoritative name server, steps 1 and 2]
1. Host A sends a request to the resolver (at Host A). It checks the local cache and may check the hosts file
2. The resolver at Host A forwards the request to its authoritative name server
DNS Non-recursive Query
[diagram: Host A, Host A's authoritative name server, Host B's authoritative name server, Host B; steps 1 to 5]
3. The server finds the address of the authoritative name server of the requested domain and returns that address to the resolver
DNS Recursive Query
[diagram: Host A, Host A's authoritative name server, Host B's authoritative name server, Host B; steps 1 to 5]
3. The server finds the address of the authoritative name server of the requested domain, passes the request on to that server, and returns the response to the resolver
DNS Recursive Query (cont.)
[figure]
DNS Hierarchy (Recursive Query)
[diagram: resolution through the .com TLD server, steps 1 to 8]
What happens if step (2) is a recursive query?
1. Recursive query
2. Non-recursive query
DNS Utilities
• Most OSes come with a tool called nslookup, capable of querying DNS servers for various types of information
• The dig tool that comes with UNIX has similar capabilities
Name-to-IP Lookup
[figure: name-to-IP lookup session]
MX Lookup with nslookup
[figure: MX lookup session with nslookup]
DNS Security Issues
• DNS lacks authentication and integrity checking
• Due to the lack of authentication, attackers can spoof DNS messages to perform a variety of attacks
• Due to the lack of integrity checking, attackers can intercept and modify messages in transit
DNS Zone Transfer
• For redundancy, administrators deploy both primary and secondary name servers that contain the same databases
• To keep the databases synchronized with the primary name server, the secondary name server periodically connects to the primary name server on port 53/TCP and grabs the DNS records
• This process is called a zone transfer
DNS Information Gathering
• DNS can provide a great deal of information about the target network and its hosts
• One of the common insecure DNS configurations is allowing anyone to perform zone transfers against one of a domain's DNS servers
• If an attacker can perform a zone transfer with the primary or secondary name servers for a domain, he/she will be able to view all DNS records for that domain
• See a demo at http://www.mindterra.com/blog/?p=179
• Solved by specifying the IP addresses that are allowed to perform the zone transfer or by using Transaction Signatures (TSIG)
DNS Cache Poisoning
• Both DNS clients and servers cache responses for a period of time in order to increase performance and reduce network traffic
• If an attacker can spoof a response to a DNS request, he/she may be able to contaminate the DNS cache with an incorrect record
• This process is known as DNS cache poisoning
• The only real defense built into DNS is the use of a random Transaction ID and source port
• Some versions of BIND use Transaction IDs that are not sufficiently random, and some use sequential Transaction IDs
• BIND 9 Cache Poisoning
DNS Cache Poisoning Example
[figure]
http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html
How to Check for the Vulnerability
• To see whether one's own DNS server has a DNS cache poisoning vulnerability, the operator should ask three questions. If any of them is positive, the DNS cache server is either unpatched or has a problem in its configuration.
  A. The port number used by DNS queries is not randomized
  B. The ID number used for DNS queries is not randomized
  C. The DNS server is allowed to reply to recursive DNS queries originated from the outside
http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html
Checking Port Randomness
• If randomization of the port number used by DNS queries is insufficient, the risk of the server getting poisoned becomes higher.
• Try a web-based DNS randomness test tool
• https://www.dns-oarc.net/oarc/services/dnsentropy
http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html
Web-based DNS Randomness Test
[figure]
Web-based DNS Randomness Test (cont.)
[figure]
Check Transaction ID Randomness
• If randomization of the ID number for DNS queries is insufficient, the risk of the server getting poisoned becomes higher.
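As an added example (not from the lecture or the IPA advisory), a small Python checker for questions A and B above: given a sample of (source port, transaction ID) pairs observed on a resolver's outgoing queries, it estimates the entropy of each field and looks for the sequential IDs the slides warn about. Both sample sets are constructed, not captures from any real server.

```python
import math
from collections import Counter

# Constructed samples of (source UDP port, transaction ID) pairs seen on a
# resolver's outgoing queries.  Neither set is a capture from a real server.
WEAK_RESOLVER = [(53, 1000 + i) for i in range(40)]          # fixed port, sequential IDs
STRONG_RESOLVER = [((i * 7919) % 40000 + 20000, (i * 40503) % 65536)
                   for i in range(40)]                       # distinct ports and IDs


def shannon_bits(values):
    """Empirical entropy in bits of the observed values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def fraction_sequential(values):
    """Share of consecutive observations that increase by exactly 1."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess(observations):
    """Report weak port or transaction ID randomisation for a sample of queries."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    max_bits = math.log2(len(observations))   # the most a sample this size can show
    port_bits, txid_bits = shannon_bits(ports), shannon_bits(txids)
    seq = fraction_sequential(txids)
    findings = []
    if len(set(ports)) == 1:
        findings.append("source port is fixed (%d)" % ports[0])
    elif port_bits < 0.8 * max_bits:
        findings.append("source port entropy low: %.2f of %.2f bits" % (port_bits, max_bits))
    if seq > 0.5:
        findings.append("transaction IDs are sequential (%.0f%% of steps)" % (100 * seq))
    elif txid_bits < 0.8 * max_bits:
        findings.append("transaction ID entropy low: %.2f of %.2f bits" % (txid_bits, max_bits))
    return {"weak": bool(findings), "findings": findings,
            "port_bits": round(port_bits, 2), "txid_bits": round(txid_bits, 2)}


if __name__ == "__main__":
    print("weak resolver:  ", assess(WEAK_RESOLVER))
    print("strong resolver:", assess(STRONG_RESOLVER))
```

A sample of a few dozen queries can only show about log2(n) bits, so the thresholds compare against that ceiling rather than the 16 bits a full transaction ID space has.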
Checking Recursive Query Replies
• Essentially, a DNS server (DNS content server) should not reply to recursive DNS queries originated from the outside.
• Even if the server also acts as a DNS cache server, recursion should be limited to queries originated within the domain.
• The operator could use the "Cross-Pollination Scan" tool by IANA to check the DNS server for issue C (the third question above).
• Specify the domain name(s) owned by the organization and send a test query
• http://recursive.iana.org/
http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html
Checking Recursive Query Replies
[figure]
DNS Cache Snooping
• The recursion bit tells the DNS server whether it is a recursive or non-recursive query
• A remote DNS server may answer queries for third-party domains which do not have the recursion bit set.
• This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
Ref: www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
Possible Scenario
• If an attacker was interested in whether your company utilizes the online services of a particular bank, they could use this attack to build a statistical model of the company's usage of that bank.
• This attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...
• Two techniques are available: using non-recursive queries and using recursive queries
• Some DNS servers allow both types of queries, but some allow only recursive queries
DNS Cache Snooping with Non-recursive Queries
[figure: query session]
The attacker queries ns1.tvcabo.pt for www.sidestep.pt
ns1.tvcabo.pt does not have the entry in its local cache. It returns no answer, but gives a list of .pt TLD name servers for further questions
DNS Cache Snooping with Non-recursive Queries (cont.)
• The fact that ns1.tvcabo.pt does not have the entry in its local cache means that none of the hosts under ns1.tvcabo.pt has communicated with www.sidestep.pt before.
• Thus, this organization does not use services provided by www.sidestep.pt
DNS Cache Snooping with Non-recursive Queries (cont.)
• If the attacker executes the same query again, check the response
[figure: second query session]
This time, ns1.tvcabo.pt has cached the entry, so it returns the answer
DNS Cache Snooping with Recursive Queries
• Used to determine with some degree of precision (not 100% certain) whether a given record is present in the cache
• However, this will pollute the cache
• If a given record is not present in the cache, it will be after the first query is made
• This is because a recursive query will always return the answer for the given record
DNS Cache Snooping with Recursive Queries
• Try to see if www.sidestep.pt was cached in ns1.tvcabo.pt
• Query ns1.tvcabo.pt for www.sidestep.pt and record the TTL
DNS Cache Snooping with Recursive Queries (cont.)
• Then query ns.sidestep.pt (the authoritative DNS for sidestep.pt) for www.sidestep.pt and compare the TTL
DNS Cache Snooping with Recursive Queries (cont.)
• The TTL for www.sidestep.pt at ns1.tvcabo.pt (6458) is much lower than the initial TTL (86400) (the TTL at ns.sidestep.pt)
• This is a good indicator that the answer was already cached at ns1.tvcabo.pt
• Another way to look for cached responses is to observe the time the query takes to process.
• If the query time is approximately equal to the round-trip time (RTT) of a packet to the server, then the answer might already have been present in the cache.
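As an added illustration (not from the lecture or the referenced paper), Python that reads the recursion-desired bit from a raw DNS query and applies the policy the recursive-query slide recommends: answer outside clients only for the server's own zones, so that neither recursive nor non-recursive probes from outside can read the cache. It also turns the TTL comparison above into an age estimate. The zone example.org, the internal prefix 192.0.2.0/24 and the queried names are assumed sample values.

```python
import ipaddress
import struct

# Assumed policy for this illustration: one internal prefix and one zone the
# server is authoritative for (documentation values, not from the lecture).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
AUTHORITATIVE_ZONES = ("example.org",)


def build_query(txid, qname, rd):
    """Build a minimal DNS A/IN query; rd=False gives a non-recursive query."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)


def parse_query(msg):
    """Return (txid, rd, qname) from the 12-byte header and the first question."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    rd = bool(flags & 0x0100)          # the Recursion Desired bit
    labels, pos = [], 12
    while msg[pos] != 0:               # length-prefixed labels, 0 terminates
        ln = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    return txid, rd, ".".join(labels)


def decide(msg, src_ip):
    """Answer own-zone names for anyone; answer other names only for internal
    clients, whether or not RD is set, so an outside non-recursive probe
    cannot learn what is in the cache."""
    _, rd, qname = parse_query(msg)
    internal = any(ipaddress.ip_address(src_ip) in n for n in INTERNAL_NETS)
    ours = any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)
    if ours or internal:
        return "answer"
    kind = "recursive" if rd else "non-recursive"
    return "refuse (%s query for %s from outside)" % (kind, qname)


def seconds_in_cache(observed_ttl, authoritative_ttl):
    """Age of a cached record inferred from TTL decay; 0 means it looks fresh."""
    return max(0, authoritative_ttl - observed_ttl)


if __name__ == "__main__":
    probe = build_query(0x1234, "www.example.net", rd=False)   # constructed
    print(decide(probe, "203.0.113.7"), "/", decide(probe, "192.0.2.10"))
    print("cached for about", seconds_in_cache(6458, 86400), "seconds")
```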