Lab course (announcement)
  Extra-curricular time slot, once a week (weeks 6 to 10)
  Content: on the security lab virtual machine, practice exercises in information gathering, program security and network security, mainly following the SEED lab syllabus
  Voluntary registration: send an email to wyang@njnet.edu.cn
  Deadline: this Sunday
Chapter 5: TCP/IP Security
  WANG YANG
  wyang@njnet.edu.cn
Content
  TCP/IP Security Overview
  Network Layer Security
  Transport Layer Security
  Defending Tactics
TCP/IP Security Overview: Security Goals
  Confidentiality
  Integrity (of the source and of the data)
  Availability
  Threats mapped to goals:
    Sniffing: Confidentiality
    Tampering: Integrity
    DoSing: Availability
    Spoofing: Integrity
TCP/IP Security Overview
  Network layer:
    ARP, ICMP, BGP: spoofing, sniffing
    IP: tampering, spoofing, DoSing
  Transport layer:
    TCP: spoofing
    TCP/UDP: DoSing
Network Layer Security
  Sniffing/Eavesdropping
  IP Spoofing
  ARP Spoofing
  Route Spoofing
Sniffing/Eavesdropping: How
  Ethernet: CSMA/CD, broadcast medium
  Ethernet address: 6 bytes (3 bytes vendor + 3 bytes ID)
  NIC mode:
    Normal mode: receives only packets addressed to it, plus broadcasts
    Promiscuous mode: receives any packet on the wire
  ARP protocol: maps an IP address to an Ethernet address
Sniffing/Eavesdropping: ARP Protocol
  HTYPE: Ethernet
  PTYPE: IP
  HLEN: 6
  PLEN: 4
  OP: Request / Reply
  Sender Ethernet address
  Sender IPv4 address
  Target Ethernet address
  Target IPv4 address
Sniffing/Eavesdropping: ARP Protocol
  Each host has an ARP cache: arp -a
  Broadcast a MAC request for the target IP
  Record the MAC/IP pair from the reply into the cache
  Diagram (hosts A and B):
    A broadcasts an ARP Request; B sends an ARP Reply
    A records MAC(B)/IP(B); B records MAC(A)/IP(A)
    Spoofing: send a forged Reply
Sniffing/Eavesdropping: Hub vs Switch
  Hub: shared network, all hosts on one line
  Switch: switched network, point-to-point forwarding based on its IP/ARP table
Sniffing/Eavesdropping: Attacks on a Switch
  MAC table flooding: overflow the switch's MAC/IP table and force the switch to work in shared (hub) mode
  MAC spoof (static): modify the NIC's Ethernet address into the victim's address
  ARP spoof (dynamic): use ARP packets to do the MAC spoof
Sniffing/Eavesdropping: How to Program
  Library: libpcap, winpcap
  Console program: tcpdump, windump
  GUI program: Wireshark
    Traffic sniffing
    Protocol decoding
    Stream merging
    Statistics
IP Spoofing
  Craft the IP packet header and payload
  Spoof the attacker's identity: nmap -D Decoy_IP (demo)
  Crash the OS protocol stack: Teardrop; Cloudflare DDoS event (Juniper router exploit)
  Spoof the network condition: ICMP hardware error message
Recall: Network Basics, TCP/IP Packet Structure
  Each layer treats the unit from the layer above as its payload (header + payload):
    Application layer:  [application header | data]
    TCP segment:        [TCP header | application header | data]
    IP datagram:        [IP header | TCP header | application header | data]
    Ethernet frame:     [Ethernet frame header | IP header | TCP header | application header | data | Ethernet frame trailer]
Recall: Network Basics, IP Header (bit offsets 0 to 31)
   0       3 4       7 8             15 16    18 19               31
  | Version | Hdr len | Type of service |       Total length        |
  |         Identification              | Flags | Fragment offset   |
  |  Time to live    |    Protocol      |     Header checksum       |
  |                     Source IP address                           |
  |                  Destination IP address                         |
  |                     Options and padding                         |
IP Spoofing: How to Program, Raw Socket
  SOCK_RAW sockets provide access to internal network protocols and interfaces.
  The type SOCK_RAW is available only to the super-user.
IP Spoofing: How to Program, Libnet
  Libnet 1.1.x
  Portable: Windows, Linux, macOS, *nix
  Typical call sequence (build from the top layer down, then write):
    libnet_init(...);
    libnet_build_tcp(...);
    libnet_build_ipv4(...);
    libnet_build_ethernet(...);
    libnet_write(...);
    libnet_destroy(...);
  Protocol coverage diagram, arranged by OSI layer (Application, Presentation, Session, Transport, Network, Link, Physical): BGP, RPC, DNS, NTP, BOOTP, DHCP, RIP, OSPF, TCP, UDP, VRRP, ICMP, IGMP, IPv4, IPv6, GRE, ESP, AH, MPLS, ARP, RARP, CDP, 802.1X, 802.1Q, FDDI, Ethernet II, 802.3, Token Ring, 802.2 SNAP, plus "Other" at each layer
IP Spoofing: building the TCP header with libnet
    tcp = libnet_build_tcp(
        src_prt,                  /* source port */
        dst_prt,                  /* destination port */
        0x01010101,               /* sequence number */
        0x02020202,               /* acknowledgement number */
        TH_SYN,                   /* control flags */
        32767,                    /* window size */
        0,                        /* checksum (0 lets libnet compute it) */
        0,                        /* urgent pointer */
        LIBNET_TCP_H + payload_s, /* TCP packet size */
        payload,                  /* payload */
        payload_s,                /* payload size */
        l,                        /* libnet context */
        0);                       /* ptag (0 builds a new header) */
IP Spoofing: How to Program, Netwox/Netwag
  A set of 233 different tools: sniff / spoof / scan / simulate
  Example: spoof a TCP SYN packet
    sudo netwox 36 -d "en1" -a "1:2:3:4:5:6" -b "7:8:9:a:b:c" -l "1.2.3.4" -m "5.6.7.8" -o "1234" -p "80" -C
IP Spoofing Example: spoof a TCP SYN packet
  sudo netwox 36 -d "en1" -a "1:2:3:4:5:6" -b "7:8:9:a:b:c" -l "1.2.3.4" -m "5.6.7.8" -o "1234" -p "80" -C
  Options:
    -d  interface
    -a  source Ethernet address
    -b  destination Ethernet address
    -l  source IP address
    -m  destination IP address
    -o  source port
    -p  destination port
    -C  SYN flag
ARP Spoofing
  Spoof the neighbor
  Spoof the gateway
  Forge the ARP packet with the malicious user's MAC and the gateway's IP
ARP Spoofing Demo
  Host  Role      MAC address         IP address
  A     user      02:02:01:00:00:01   10.3.0.100
  B     user      03:02:01:00:00:01   10.3.0.1
  C     attacker  04:03:03:00:00:01   10.3.0.9
  netwox 33 -d en1 -b 01:02:03:04:05:06 -f 04:03:03:00:00:01 -g 10.3.0.1 -h 01:02:03:04:05:06 -i 10.3.0.100
ARP Spoofing: Netwox 33 options
  -d  device
  -b  Ethernet destination address
  -f  ARP source Ethernet address
  -g  ARP source IP address
  -h  ARP destination Ethernet address
  -i  ARP destination IP address
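A defender-side counterpart to the demo above, added here as an example (not code from the slides or from netwox): a passive ARP-reply monitor in C that learns sender MAC/IP bindings and alerts when a later reply rebinds a known IP, here the gateway 10.3.0.1, to a different MAC. The packets, MAC and IP values are constructed from the demo table; nothing is read from a live interface.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ARP_LEN 28     /* ARP packet following the 14-byte Ethernet header */
#define TABLE_SIZE 16
struct binding { int used; uint8_t ip[4]; uint8_t mac[6]; };
static struct binding table[TABLE_SIZE];   /* learned sender IP -> MAC bindings */

/* Constructed Ethernet/IPv4 ARP reply (HTYPE=1 PTYPE=0x0800 HLEN=6 PLEN=4 OP=2),
 * then sender MAC/IP and target MAC/IP, the field order of the ARP slide. */
void build_arp_reply(uint8_t out[ARP_LEN], const uint8_t smac[6], const uint8_t sip[4],
                     const uint8_t tmac[6], const uint8_t tip[4])
{
    const uint8_t hdr[8] = {0, 1, 0x08, 0x00, 6, 4, 0, 2};
    memcpy(out, hdr, 8);       memcpy(out + 8, smac, 6);  memcpy(out + 14, sip, 4);
    memcpy(out + 18, tmac, 6); memcpy(out + 24, tip, 4);
}

/* 1 = reply rebinds a known IP to another MAC (spoof suspect), 0 = learned or
 * consistent, -1 = not an IPv4-over-Ethernet ARP packet (or table full). */
int arp_check(const uint8_t *p, size_t len)
{
    if (len < ARP_LEN || p[0] != 0 || p[1] != 1 || p[2] != 0x08 || p[3] != 0x00 ||
        p[4] != 6 || p[5] != 4) return -1;
    if (p[6] != 0 || p[7] != 2) return 0;        /* only replies are cached here */
    const uint8_t *smac = p + 8, *sip = p + 14;
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!table[i].used || memcmp(table[i].ip, sip, 4) != 0) continue;
        if (memcmp(table[i].mac, smac, 6) == 0) return 0;
        printf("ALERT: %u.%u.%u.%u rebound to a different MAC\n", sip[0], sip[1], sip[2], sip[3]);
        return 1;
    }
    for (int i = 0; i < TABLE_SIZE; i++) if (!table[i].used) {
        table[i].used = 1; memcpy(table[i].ip, sip, 4); memcpy(table[i].mac, smac, 6);
        return 0;
    }
    return -1;   /* table full */
}

/* Replays the demo: B (10.3.0.1) answers A, then C claims 10.3.0.1. Returns the alert count. */
int demo_alerts(void)
{
    const uint8_t a_mac[6] = {0x02, 0x02, 0x01, 0, 0, 0x01}, a_ip[4] = {10, 3, 0, 100};
    const uint8_t b_mac[6] = {0x03, 0x02, 0x01, 0, 0, 0x01}, b_ip[4] = {10, 3, 0, 1};
    const uint8_t c_mac[6] = {0x04, 0x03, 0x03, 0, 0, 0x01};
    uint8_t pkt[ARP_LEN]; int alerts = 0;
    memset(table, 0, sizeof table);
    build_arp_reply(pkt, b_mac, b_ip, a_mac, a_ip); alerts += arp_check(pkt, ARP_LEN) == 1;
    build_arp_reply(pkt, c_mac, b_ip, a_mac, a_ip); alerts += arp_check(pkt, ARP_LEN) == 1;
    return alerts;
}
int main(void) { printf("alerts: %d\n", demo_alerts()); return 0; }
```

A real monitor would feed arp_check() from a libpcap capture and would also age out bindings, since hosts legitimately change NICs.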
Route Spoofing
  ICMP route redirect message: changes a host's route table
  Bogus BGP message: changes backbone routers' route tables; Facebook blackhole event
Transport Layer Security
  TCP Reset Attack
  TCP Session Hijack
  TCP SYN Flood
TCP Reset Attack
  A DoS attack: forge a TCP RST packet to force the TCP session to close
  Conditions: the right IP addresses and ports; the SEQ number falls inside the receiver's window
  Method: sniff and spoof
  Scenario: GFW
TCP Reset Attack Demo
  Usage: netwox 78 [-d device] [-f filter] [-s spoofip] [-i ips]
  netwox 78 -i "172.*.*.188"
  Diagram:
    Host A (172.*.*.188) -> Host B (172.*.*.31): SEQNUM = X, ACKNUM = Y
    Host B -> Host A: SEQNUM = Y+1, ACKNUM = X+1
    Host C (172.*.*.178), sniffing the session, injects: SRC = 172.*.*.188, SEQNUM = X+2, ACKNUM = Y+2, RST
TCP Session Hijack
  A spoofing attack: forge a TCP data packet to inject additional content into the TCP session
  Conditions: the right IP addresses and ports; the SEQ number falls inside the receiver's window
  Method: sniff and spoof
  Scenario: ISP adversary
TCP Session Hijack Diagram
  Victim <-> Telnet server: SYN, ACK (session established)
  Attacker: sniffs the session, forges TCP data; RST
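The window condition shared by the reset and hijack slides, worked as an added example in C (not from the slides): a receiver-side check that decides whether an RST with a given SEQ is accepted under the classic RFC 793 rule (any in-window SEQ) versus the RFC 5961 hardening (only an exact RCV.NXT match resets; an in-window but inexact SEQ triggers a challenge ACK). The sequence numbers and the window size are constructed from the demo and the libnet example.

```c
#include <stdint.h>
#include <stdio.h>

enum rst_verdict { RST_DROP = 0, RST_CHALLENGE_ACK = 1, RST_ACCEPT = 2 };

/* True when seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), with 32-bit wraparound. */
int seq_in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd;
}

/* Classic receiver (RFC 793): any in-window RST tears the connection down,
 * which is exactly the condition the reset and hijack slides rely on. */
enum rst_verdict rst_verdict_rfc793(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return seq_in_window(seq, rcv_nxt, rcv_wnd) ? RST_ACCEPT : RST_DROP;
}

/* Hardened receiver (RFC 5961, section 3): only an RST whose SEQ equals RCV.NXT
 * is accepted; an in-window but inexact RST gets a challenge ACK, so an off-path
 * sender must also know the exact next sequence number; anything else is dropped. */
enum rst_verdict rst_verdict_rfc5961(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (seq == rcv_nxt) return RST_ACCEPT;
    if (seq_in_window(seq, rcv_nxt, rcv_wnd)) return RST_CHALLENGE_ACK;
    return RST_DROP;
}

/* Replays the demo with constructed numbers: A sent SEQ = X, so B's RCV.NXT is
 * X + 1; the forged RST carries SEQ = X + 2 and B advertises a 32767-byte window. */
int main(void)
{
    const uint32_t x = 0x01010101u, rcv_nxt = x + 1, wnd = 32767;
    const char *names[] = {"drop", "challenge ACK", "accept"};
    printf("RFC 793 receiver:  %s\n", names[rst_verdict_rfc793(x + 2, rcv_nxt, wnd)]);
    printf("RFC 5961 receiver: %s\n", names[rst_verdict_rfc5961(x + 2, rcv_nxt, wnd)]);
    return 0;
}
```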
TCP SYN Flood (DoS)
  Forge a huge number of SYN packets to the target server
  Each packet consumes server resources: handler, memory, backlog
  Blocks regular users' access
TCP SYN Flood Diagram
  Host 1, Host 2, Host 3, ... each send SYN to the Telnet server
  The server answers every SYN with SYN/ACK and keeps a half-open connection for each
TCP SYN Flood Demo
  Netwox 76: SYN flood
  netwox 76 -i targetip -p targetport -s spoofip
  netwox 76 -i 202.112.23.167 -p 8080 -s best
Defense Tactics
  Use switches with an anti-ARP-spoofing function
  Manage hosts with VLANs
  802.1X authentication
  Use secure transport protocols: IPsec, TLS/SSL
Defense Tactics
  Using a firewall: check packets, normalize packets
  Using routers: drop dark traffic by checking the source IP address
Defense Tactics: SYN cookies defend against SYN flood
  Use a cookie to verify the client's intent
  Diagram (Client <-> Server):
    Client -> Server: SYN
    Server -> Client: SYN/ACK with SEQ NUM = X, where X is a cookie the server calculates and sends back
    Client -> Server: ACK with ACK NUM = X + 1 (a legitimate user will ACK X)
    Server verifies the ACK NUM and only then allocates the resources
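The SYN cookie exchange above as an added example in C (not the slides' or any kernel's code): the server encodes a coarse time counter and a keyed hash of the flow into the ISN X, allocates nothing for the half-open connection, and on the third packet verifies ACK NUM - 1. The FNV-1a keyed mix, the secret and the flow values are constructed stand-ins; production stacks use a real keyed hash such as SipHash and also encode the negotiated MSS.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };
static const uint32_t secret = 0x5eed1ab5u;  /* constructed; a real server draws it at random */

/* Toy keyed hash (FNV-1a over secret || flow || counter): illustrates the
 * construction only, a production stack uses SipHash or similar here. */
static uint32_t cookie_hash(const struct flow *f, uint32_t t)
{
    uint8_t buf[20];
    memcpy(buf, &secret, 4);        memcpy(buf + 4, &f->saddr, 4);  memcpy(buf + 8, &f->daddr, 4);
    memcpy(buf + 12, &f->sport, 2); memcpy(buf + 14, &f->dport, 2); memcpy(buf + 16, &t, 4);
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

/* SYN/ACK side: the cookie X becomes the server's SEQ NUM and no backlog entry is
 * allocated. t is a coarse time counter; its low 5 bits ride in the top of X. */
uint32_t syn_cookie_make(const struct flow *f, uint32_t t)
{
    return ((t & 0x1Fu) << 27) | (cookie_hash(f, t) & 0x07FFFFFFu);
}

/* Third-packet side: X = ACK NUM - 1. Recover the counter, accept only if it is the
 * current or the previous tick and the keyed part matches; the server allocates the
 * connection only after this returns 1. */
int syn_cookie_check(const struct flow *f, uint32_t ack_num, uint32_t now)
{
    uint32_t cookie = ack_num - 1;
    uint32_t age = (now - (cookie >> 27)) & 0x1Fu;   /* counter difference mod 32 */
    if (age > 1) return 0;                           /* stale cookie */
    return (cookie & 0x07FFFFFFu) == (cookie_hash(f, now - age) & 0x07FFFFFFu);
}

/* Scalar wrapper: issue a cookie for the flow at t_syn, then check an ACK NUM of
 * cookie + 1 + ack_delta at time t_ack (ack_delta != 0 models a guessed ACK). */
int cookie_roundtrip(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport,
                     uint32_t t_syn, uint32_t t_ack, uint32_t ack_delta)
{
    struct flow f = { saddr, daddr, sport, dport };
    return syn_cookie_check(&f, syn_cookie_make(&f, t_syn) + 1 + ack_delta, t_ack);
}

int main(void)
{   /* constructed flow 10.3.0.100:40000 -> 10.3.0.1:80 */
    printf("genuine %d, one tick later %d, stale %d, guessed ACK %d\n",
           cookie_roundtrip(0x0A030064u, 0x0A030001u, 40000, 80, 100, 100, 0),
           cookie_roundtrip(0x0A030064u, 0x0A030001u, 40000, 80, 100, 101, 0),
           cookie_roundtrip(0x0A030064u, 0x0A030001u, 40000, 80, 100, 102, 0),
           cookie_roundtrip(0x0A030064u, 0x0A030001u, 40000, 80, 100, 100, 7));
    return 0;
}
```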
Defense Tactics: using a proxy to defend against SYN flood
  Diagram (attacker -> proxy server -> server):
    Normal handshake: the client completes SYN, SYN/ACK, ACK with the proxy; only then does the proxy open a connection (SYN) to the server
    Under flood: the attacker's SYN, SYN, SYN, ... are each answered by the proxy's SYN/ACK, SYN/ACK, SYN/ACK, ...; the half-open connections stay at the proxy and never reach the server
Resources and Tools
  Wireshark: http://www.wireshark.org
  Libnet: http://packetfactory.openwall.net/projects/libnet/
  Netwox: www.laurentconstantin.com/en/netw/netwox/
  Netwox tutorial: http://www.cis.syr.edu/~wedu/teaching/cis758/netw522/netwox-doc_html/tools/index.html
  Scapy: http://www.secdev.org/projects/scapy/
  SEED TCP/IP attack lab: http://www.cis.syr.edu/~wedu/seed/labs/attacks_tcpip/