Refresher
Wireless attacks:
◦ Default SSIDs and Passwords
◦ SSID flaw attack
◦ Sniffing attack
◦ MAC spoofing (wifi)
◦ Fake access point
◦ MAC spoofing: Already covered
Link Layer Security Threats
Wireless network: Refresher
A Wireless Local Area Network (WLAN) is a type of local area
network that uses high frequency radio waves rather than wires to
communicate between network-enabled devices.
WLAN components:
◦ Access Point: a hardware device that allows wireless
communication devices (wireless stations) to connect to a
wireless network. An AP usually connects to a wired network
and facilitates data communication between wireless and wired
devices.
Tool: NetStumbler
Sniffing Attack
Access points are usually public and the traffic may not be
encrypted.
To be covered in Chapter 7!
WEP vulnerability related attacks
Optional Reading
Shared-key authentication flaw
Cryptanalysis of various categories
Statistical analysis of cipher texts
Common hacker tools
• Aircrack-ng
• AirSnort
• Aircrack
• Kismet
• Cain and Abel
• InSSIDer
• NetStumbler
• Airjack: DoS attack
• Recommended assignment: Experiment with one of
the above tools (but do it ethically on your own
WLAN)
Network/Transport Layer Security Threats
[Diagram: Host A sends SYN, seq = n, to Host B]
1. Blind Spoofing
2. Timing
MAC flooding
MAC spoofing
ARP poisoning
ICMP redirects (Optional - Left as an exercise!)
ICMP router advertisements (Optional - Left as an exercise!)
IP Spoofing – …. Not in the same network
Reading exercise:
Generic attack:
▪ IP fragment overlapped (Teardrop)
▪ IP fragmentation buffer full
▪ IP fragment overrun (Ping of death)
▪ IP fragment overwrite
▪ IP fragment too many datagrams
▪ IP fragment too incomplete datagrams
▪ Tiny fragmentation attack
▪ etc.
IP Fragmentation
MF flag = 1 → More fragments follow
Optional reading
Routing algorithms related attack: Optional reading
Flooding attack
Sleep deprivation
Impersonation attack
Black hole attack
Node isolation attack
Packet mistreating
Routing table poisoning
Routing table overflow
etc.
Upper Layers Security Threats
Application (+ Presentation, Session)
Password cracking
DHCP Starvation
Email spoofing
Phishing
ID Theft: Optional reading
SQL injection: Will be covered in the lab (full coverage is left as an
exercise)
Cross-site scripting
Cross-site request forgery (CSRF): Optional reading
DNS poisoning
Pass the hash: Optional Reading exercise
Path traversal: Optional Reading exercise
Buffer overflow
DDoS: Optional Reading exercise
Password Cracking
Password
[Diagram: password attacks on a LAN/Internet versus on a dedicated system]
Password: Salt in your Password
Sniffing Attack
“Trojaned” Login
Dictionary Attack
Brute force Attack
Rainbow Table
Social engineering
Sniffing Attack
[Table: estimated brute-force cracking times; surviving cells: 4, 9, months, 6 years, 178 years, 44530 years]
Brute-Force Attack (BFA) Performance Improvements
Faster computers
Distributed computing
Password: Rainbow Tables
FreeRainbowTables.com
rainbowtables.shmoo.com/
ophcrack.sourceforge.net/tables.php
etc.
Social Engineering: “The art of human hacking”
Mandatory reading:
“Social engineering attack – A survey”,
By Fatima Salahdine and Naima Kaabouch
School of Electrical Engineering and Computer Science,
University of North Dakota, Grand Forks, ND 58202, USA
Top Password Crackers and dumpers
1. Cain and Abel
2. John the Ripper
3. THC Hydra
4. Aircrack
5. L0phtcrack
6. Airsnort
7. Pwdump
8. Rainbow Crack
9. Brutus
DHCP Attacks – DHCP Starvation
Dynamic Host Configuration Protocol (DHCP) is a network
protocol that assigns IP addresses, subnet masks, default
gateways, etc. to hosts on a TCP/IP network.
A DHCP starvation attack floods the DHCP server with
requests for addresses, thus consuming the leasable IP address
space.
After a successful attack, the DHCP server will not be able to
offer new addresses to any future clients that join the network.
Mandatory reading:
“Understanding Phishing Techniques” by Deloitte:
https://www2.deloitte.com/content/dam/Deloitte/sg/Documents/risk/sea-risk-cyber-101-part10.pdf
DNS (Cache) Poisoning
Supplying bogus information into the contents of a
DNS cache.
Background
Hostname → IP Address
SANS Top 20
Stack Overflow
Heap Overflow
Stack Overflow
Process Space
Text
Data
Stack
Text
The text region is fixed by the program and includes code
(instructions) and read-only data (i.e. constants). This
region corresponds to the text section of the executable
file.
Each stack frame contains
◦ The parameters to the function
◦ Return values
◦ Its local variables
◦ The control data necessary to recover the previous
stack frame, including the value of the instruction
pointer (EIP) at the time of the function call (i.e. the
return address)
Process
When a program is executed, it runs in a
process.
As the process executes the program, it
creates a new stack frame on the stack
each time a function is called,
and pushes each new local variable onto the
“current” stack frame.
Registers related to stack
ESP (Stack Pointer): This register always points to the top of the
process stack.
EBP (Base Pointer): Also called the Frame Pointer, it points to the base
of the stack frame of the current function. This register is used to
reference the function parameters and the local variables in the
current stack frame. EBP is a fixed pointer for the lifetime of a
function (i.e. of its stack frame).
[Stack diagram: addresses C009 to C035 with cells labelled EBP, Ret @, [ECX], String Var (three cells), and the value 0x0804840b]
Immediately after a function is called…
It first saves the EBP of the calling stack frame (F1) on its own (F2) stack frame
◦ pushl %ebp [this automatically makes ESP point at this position in the
current stack frame]
Then it copies ESP (see above) into EBP so that EBP points to the base of the
current (F2) stack frame
◦ movl %esp, %ebp
Then it advances ESP a few words “down” to reserve space for local
variables
◦ subl $0x20, %esp (Note that the stack grows in the opposite direction to
memory addresses) [esp = esp − 0x20 = esp − 32; 32/4 = 8 cells (1 cell = 4 bytes)]
[F2 now starts to run its instructions]
Upon termination, the stack is cleaned up again
◦ leave (equivalent to movl %ebp, %esp followed by popl %ebp)
Finally ret(urn) is executed, effectively loading the register EIP with the
return address of the calling function
◦ ret (equivalent to “popl %eip”)
On the calling side …
The parameters are pushed onto the stack (if any)
◦ Push …
Program successful
Exercise 1: Redirection – Test run 2
Program successful
Note: Since we have reserved only 4 bytes for buf1, the string
“Hello” goes beyond the reserved space.
Exercise 1: Redirection – Test run 3
> ./smashit HelloFromAddis
CountCapital: 3 [any arbitrary number]
[There is no “Program successful”]
3. Craft your input to smash the stack and put the beginning
address of countSmall at the return address.
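As an added example (not the course's smashit program, whose source is not on this page): the 4-byte buf1 copy the exercise describes, written beside a bounded version that rejects input which does not fit the space the prologue reserved for it. The countCapital/countSmall helpers are assumed from the exercise's names.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Helpers named after the exercise's countCapital/countSmall; their
 * behaviour (count upper-/lower-case ASCII letters) is assumed. */
int countCapital(const char *s) {
    int n = 0;
    for (; *s; s++) if (isupper((unsigned char)*s)) n++;
    return n;
}
int countSmall(const char *s) {
    int n = 0;
    for (; *s; s++) if (islower((unsigned char)*s)) n++;
    return n;
}

/* "Before" case, mirroring the exercise: buf1 is 4 bytes of the frame's
 * local-variable area, but strcpy copies the whole argument plus its NUL,
 * so "Hello" (6 bytes) already overruns into the saved EBP / return
 * address slots above it. Kept here only for comparison; not called. */
int smashit_unsafe(const char *arg) {
    char buf1[4];
    strcpy(buf1, arg);               /* no bound check */
    return countCapital(buf1);
}

/* Hardened version: reject anything that does not fit with its
 * terminator, so the copy can never leave buf1. Returns -1 on rejection. */
int smashit_safe(const char *arg) {
    char buf1[4];
    size_t len = strlen(arg);
    if (len >= sizeof buf1)          /* need one byte for the NUL */
        return -1;
    memcpy(buf1, arg, len + 1);
    return countCapital(buf1);
}

int main(int argc, char **argv) {
    const char *in = argc > 1 ? argv[1] : "Hi";   /* default input is constructed */
    int r = smashit_safe(in);
    if (r < 0) { fprintf(stderr, "input too long for buf1\n"); return 1; }
    printf("CountCapital: %d\nProgram successful\n", r);
    return 0;
}
```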
Exercise 1: Redirection - Crafting an input to smash the stack
⚫ It must be a machine-readable
program.
Note: This shellcode and other similar codes can be found
on the Internet.
BoF: Example vulnerable program – shellcode31.c
DOM-based XSS
Reflected XSS
Reflected XSS exploits a web application feature in which a
message returned from a server is rendered in the client's
browser
Example:
http://www.vulnerable.site/error/5/Error.ashx?message=Sorry
%2c+an+error+occurred
The victim, upon clicking the link, will generate a request to
www.vulnerable.site, as follows:
GET /error/5/Error.ashx?message=Sorry%2c+an+error+occurred HTTP/1.0
Host: www.vulnerable.site ...
Reflected XSS
And the vulnerable site response would be:
<HTML> <Title>Welcome!</Title>
<p>Sorry, an error occurred.</p>
</HTML>
2. The user sends an HTTP request to the application on the URL fed to him
by the attacker (in 1).
2. The user sends an HTTP request to the application to view or read a page as
s/he normally would (say, to read the latest comments).
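Added example, not code from vulnerable.site or the course: the fix for the reflection above is to encode the `message` parameter before placing it in the response body. The names html_escape, render_error and page_contains are assumed, and the parameter is assumed to be URL-decoded already ("Sorry%2c+an+error+occurred" arriving as "Sorry, an error occurred").

```c
#include <stdio.h>
#include <string.h>

/* Escape the five HTML-significant characters so user-supplied text is
 * rendered as data, not markup. Returns the number of bytes written
 * (excluding the NUL) or -1 if OUT cannot hold the result. */
int html_escape(const char *in, char *out, size_t outlen) {
    size_t pos = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (pos + rl >= outlen) return -1;   /* leave room for the NUL */
        memcpy(out + pos, rep, rl);
        pos += rl;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Build the error page shown on the slide, with the reflected message
 * escaped. The message is assumed to be URL-decoded already. */
int render_error(const char *message, char *page, size_t pagelen) {
    char safe[512];
    if (html_escape(message, safe, sizeof safe) < 0) return -1;
    int n = snprintf(page, pagelen,
                     "<HTML> <Title>Welcome!</Title>\n<p>%s</p>\n</HTML>\n", safe);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : n;
}

/* Check helper: render MESSAGE and report whether NEEDLE appears in the
 * page (1), does not (0), or rendering failed (-1). */
int page_contains(const char *message, const char *needle) {
    char page[1024];
    if (render_error(message, page, sizeof page) < 0) return -1;
    return strstr(page, needle) != NULL;
}
```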
Optional reading!
Malware
Please read the following paper
(distributed by email):