
Cyber security and digital forensics.
Lecture 4
Network Attacks
Objectives
 On completion of this unit, you will be able to:
 ■ Understand the relevance of the OSI model to network technologies and
protocols.
 ■ Describe the function of network sniffers and protocol analyzers.
 ■ Describe procedures and products used to survey and test security systems.
 ■ Describe network attacks, such as scanning, spoofing, Man-in-the-Middle,
replay, and Denial of Service.
Network Fundamentals - OSI model
 Many of the network, transport, and application protocols in use on private
networks and the internet were designed without any regard for security.
 Protocols such as HTTP, FTP, and SMTP are vulnerable to packet sniffing
because they were designed to transmit information in plain text, making it
simple to identify passwords and other confidential data.
 Devices communicating using these protocols do not typically authenticate with
one another, making them vulnerable to spoofing. In most cases, particular
problems have been patched, either by a new version of the protocol or by
inventing a workaround. The alternative is to deploy completely re-engineered
protocols, such as IPv6. However, gaining acceptance for such transitions on a
public network such as the internet is extremely difficult.
The OSI Model
 In order to understand how attacks can be launched against
networks, you must have a good understanding of network topology,
protocols, and devices.
 The International Organization for Standardization (ISO) developed
the Open Systems Interconnection (OSI) reference model in 1977. It
was designed to aid understanding of how a network system
functions in terms of both the hardware and software components.
Assignment/course work
Due by Thursday, 1st April 2021
 Explain the OSI model and TCP/IP Protocol Suite as far as
networking is concerned and relate the different layers of
both models to security (concerns/issues/challenges and
security capabilities).
- Point out the attacks, threats, vulnerabilities and the risk over
each network layer.
- Point out how attacks can be mitigated or eliminated in any
given layer on the network (over the OSI model and also the
TCP/IP model) - controls or countermeasures.
OSI model cont'd
 As the complexity of computer hardware and software increases, the problem of successfully
communicating between these systems becomes more difficult. Dividing these difficult
problems into "sub-tasks" allows them to be readily understood and solved more easily.
 Using this layered approach means that a vendor can work on the design and debugging for a
particular layer without affecting any of the others.
 Each layer performs a different group of tasks required for network communication.
Although not all network systems implement layers using this structure, they all implement
each task in some way.
 The OSI model serves as a functional guideline for network communication and it does not
specify any standard. The model is also useful in terms of analyzing the security properties of
network protocols and devices.
NETWORK ATTACKS
 Sniffers and Protocol Analyzers
 In order to craft successful attacks on a network, an attacker must learn as much
as possible about it. One of the most important tools in network security (for
attack and defense) is a protocol analyzer. This is the tool that facilitates
eavesdropping.
 A sniffer is a tool that captures frames moving over the network medium. This
might be a cabled or wireless network.
 Often the terms sniffer and protocol analyzer are used interchangeably.
Sniffer tools
 A simple software-based sniffer will simply interrogate the frames
received by the network adapter by installing a special driver.
 Examples include libpcap (for UNIX and Linux) and its Windows
version, WinPcap.
Protocol Analyzer
 A protocol analyzer (or network analyzer) works in conjunction with a sniffer to perform
traffic analysis.
 Protocol analyzers can decode a captured frame to reveal its contents in a readable format.
You can choose to view a summary of the frame or choose a more detailed view that
provides information on the OSI layer, protocol, function, and data. Examples of packet
capture software include:
 ■ Wireshark - network analysis for all the major OS platforms.
 ■ Microsoft Network Monitor - packet capture and analysis on wired and wireless LANs.
 ■ Kismet - Linux-based packet sniffer for WLANs.
 ■ tcpdump - command-line packet capture for UNIX / Linux platforms.
 ■ Dsniff - suite of UNIX / Linux tools for packet capture and penetration testing.
 ■ Ettercap - suite of tools for packet capture and spoofing available for all the major OS
platforms.
Packet Injection
 Some attacks depend on sending forged or spoofed network traffic.
Often network sniffing software libraries also allow frames to be
inserted (or injected) into the network stream.
 There are also tools that allow for different kinds of packets to be
crafted and manipulated. Well-known tools used for packet injection
include Dsniff, Ettercap, hping, Nemesis and Scapy.
Preventing Eavesdropping
 Eavesdropping requires physical access to the network and the ability to run the
protocol analyzer software.
 This means that in order to prevent eavesdropping you need to control the use of
this kind of software by making sure that it is only installed and used by
authorized users. You also need to prevent the unauthorized attachment of devices.
 This is typically achieved by configuring some sort of switch port security. You
can also mitigate eavesdropping by ensuring that the network traffic (or at least
confidential information passing over the network) is encrypted.
 Sniffers are also available to eavesdrop on wireless networks. You cannot realistically prevent
these from being used, so the only option is to encrypt.
Replay and Man-in-the-Middle Attacks
 A spoofing (or masquerade) attack involves the attacker imitating some sort of
resource that the victim thinks is genuine.
Replay Attack
 A replay attack involves the attacker capturing data packets that contain
authentication data, such as usernames and passwords or cryptographic session
keys. The attacker subsequently resends these packets to try to reenable the
session.
 Replay attacks can be mitigated by time-stamping or sequencing data packets or
authentication information.
Man-in-the-Middle Attack
 A Man-in-the-Middle (MitM) attack is where the attacker sits between two
communicating hosts, and transparently captures, monitors, and relays all
communication between the hosts.
 A MitM attack could also be used to covertly modify the traffic too. One way to
launch a MitM attack is to use Trojan software to replace some genuine software
on the system. Man-in-the-Middle attacks can also be launched against
antiquated protocols, such as ARP (Address Resolution Protocol) on a local network
or DNS on the web. Another type of MitM attack attempts to subvert the digital
certificates that are supposed to ensure confidentiality, integrity, and
authentication on public networks (PKI).
IP Spoofing
 At layer 3, networks are connected by routers, so if you can communicate with
a router you can (in theory) launch attacks against it and against the network (or
subnet) it services.
 This could mean that the attacker is "inside" the network (on a computer
connected to a local subnet) or "outside" it (attacking from the internet for
instance). The identifying headers in TCP/IP packets can quite easily be
modified using software. In an IP spoofing attack, the attacker changes the
source and/or destination address recorded in the IP packet. IP spoofing is done
to disguise the real identity of the attacker's host machine.
 The technique is also used in most Denial of Service attacks to mask the origin
of the attack and make it harder for the target system to block packets from the
attacking system.
TCP/IP Hijacking
 A more complex use of IP spoofing is to launch a type of Man-in-the-Middle attack, where
the attacker intercepts and modifies the communications between two hosts.
 The layer 3 protocol IP is connectionless, but at layer 4 (the transport layer) applications
often work using multiple communications between client and server that must be processed
in a particular order.
 The Transmission Control Protocol (TCP) provides reliable, connection-oriented
communications. It is the session protocol used by most TCP/IP applications.
 A session is established using a three-way handshake:
 1) The client sends a SYN packet to the server.
 2) The server responds with a SYN/ACK packet.
 3) The client responds with an ACK packet.
 4) The server opens a session with the client.
Network Mappers and Port Scanners
 As mentioned earlier, a successful attack often depends on gathering information about the
target system first. An attacker might do this using social engineering methods - to gather
staff names and possibly even passwords for instance - but there are also a number of
scanning tools that can probe networks and computer systems to give the attacker a great
deal of information about how they are configured.
 In this context, the term footprinting is often used to describe an attack that tries to learn the
configuration of a network (its topology, protocols, numbers of hosts, and its security
systems for instance) while fingerprinting targets a specific host (a computer or router for
instance).
Footprinting
 Footprinting or network mapping means gathering information about the way the network is
built and configured and the current status of hosts.
The following information is all of use:
 ■ Protocols, services, and applications running on the network.
 ■ Host workstation and server OS types and patch status.
 ■ Network addresses and host names.
 ■ Network interconnect device types and status.
 ■ Network security appliances and software.
 ■ User accounts and groups (especially administrative / root accounts) and passwords.
Host discovery
 Host discovery can be performed by pinging a range of IP addresses (a ping
sweep) or using ARP broadcasts.
 There are also tools such as Nmap that can perform the same sort of function
stealthily or try to overcome barriers to host discovery, such as blocking ICMP
requests at firewalls, by using non-standard ping commands. Such "dual use"
tools can be used both to prove system security and attack it.
 A network administrator needs to ensure that unauthorized ports are not open
on the network. These could be a sign of some sort of Trojan or backdoor
server. Such tools often try to hide themselves from diagnostic port scans
however.
Fingerprinting
 Fingerprinting or port scanning specifically aims to enumerate the TCP or
UDP application ports that are "open" on a host. Any application or process
that uses IP for its transport is assigned a unique identification number called a
port.
 Valid port numbers range from 0 to 65,535.
 Port numbers for some server applications are pre-assigned by the Internet
Assigned Numbers Authority (IANA) from the registered port range 0 - 49151.
Numbers 0 through 1023 are described as "well-known" ports and are assigned
to standard TCP/IP application protocols, such as DNS, HTTP, or SMTP. (Read
more about ports.)
Port Scanners and the Xmas Attack
 The netstat tool can be used on Windows and Linux to investigate open connections on a local
computer.
 Commonly used remote port scanning tools include
Nmap, Nessus, SuperScan, and Atelier Web Security Port Scanner. These identify which ports
are "listening" and therefore which applications are running on the network's external interface.
 These work by using different scanning techniques. Mostly, the software sends a packet with
certain flags set to each port to find out whether the target system responds. The main ones are
SYN, UDP, TCP Null, FIN, and ACK.
 The Xmas Tree attack (or just "Xmas attack") probes a router by setting the FIN, PUSH, and
URG flags in a TCP packet all at once. As this packet is atypical, it is possible to identify the
operating system running on the router from its response. Firewalls and IDS are deployed to
protect networks from eavesdropping, spoofing, and DoS attacks.
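As an added illustration of how the flag-based probes above look from the defender's side (this is example code, not part of the lecture), the following Python classifies each probe packet by its TCP flag set and reports a source that touches many distinct ports on one host, as an IDS port-scan rule would. The packet records, addresses and the port threshold are constructed assumptions.

```python
from collections import defaultdict

# TCP flag bits as laid out in the header (ECN bits omitted).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(flags: int) -> str:
    """Name the scan technique implied by the flag byte of a packet that is
    not part of an established flow (a real IDS checks flow state first)."""
    if flags == 0:
        return "null"
    if flags == FIN | PSH | URG:
        return "xmas"  # the Xmas Tree probe described in the lecture
    if flags == FIN:
        return "fin"
    if flags == ACK:
        return "ack"
    if flags & SYN and not flags & ACK:
        return "syn"
    return "other"  # data segments, SYN/ACK replies, RSTs and so on

def detect_port_scans(packets, threshold=10):
    """packets: iterable of (src_ip, dst_ip, dst_port, flags). Returns, per
    (src, dst) pair that probed at least `threshold` distinct ports, the port
    count and a tally of the probe techniques used."""
    ports = defaultdict(set)
    techniques = defaultdict(lambda: defaultdict(int))
    for src, dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind == "other":
            continue  # not a probe, ignore
        ports[(src, dst)].add(dport)
        techniques[(src, dst)][kind] += 1
    return {
        key: {"ports": len(seen), "techniques": dict(techniques[key])}
        for key, seen in ports.items()
        if len(seen) >= threshold
    }

# Constructed capture summary (documentation-range addresses):
# one scanner walking ports 20-34 with Xmas probes, one ordinary client.
SCANNER, CLIENT, TARGET = "203.0.113.7", "198.51.100.5", "192.0.2.10"
SAMPLE_PACKETS = [
    (SCANNER, TARGET, port, FIN | PSH | URG) for port in range(20, 35)
] + [
    (CLIENT, TARGET, 443, SYN),        # normal connection attempt
    (CLIENT, TARGET, 443, ACK | PSH),  # data segment, not a probe
]

if __name__ == "__main__":
    for (src, dst), info in detect_port_scans(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}: {info['ports']} ports, {info['techniques']}")
```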
Attacks cont’d……
 Related techniques, called "War Dialing" and "War Driving", look for
unsecured modems or wireless access points.
 War dialer software, such as ToneLoc, can scan blocks of numbers looking for
modem dial tones.
Denial of Service Attacks
 A Denial of Service (DoS) attack causes a service at a given host to fail or to
become unavailable to legitimate users.
Typically, DoS attacks focus on overloading a service. It is also possible for DoS
attacks to exploit design failures or other vulnerabilities in application software.
An example of a physical DoS attack would be cutting telephone lines or network
cabling or switching off the power to a server. DoS attacks may simply be
motivated by the malicious desire to cause trouble. They may also be part of a
wider attack, such as a precursor to a DNS spoofing attack.
Remember that it is crucial to understand the different motives attackers may have.
DoS cont'd
 Most DoS attacks attempt to deny bandwidth to web servers connected to the
internet. They focus on exploiting historical vulnerabilities in the TCP/IP
protocol suite.
 TCP/IP was never designed for security; it assumes that all hosts and networks
are trusted. Other application attacks do not need to be based on consuming
bandwidth or resources.
 Attacks can target known vulnerabilities in software to cause them to crash;
worms and viruses can render systems unusable or choke network bandwidth.
Distributed DoS Attacks / Botnets
 Most bandwidth-directed DoS attacks are distributed. This means that the
attacks are launched from multiple, compromised computers (referred to as a
botnet). Typically an attacker will compromise one or two machines to use as
"handlers" or "masters" or "herders". The handlers are used to compromise
hundreds or thousands or millions of zombie (agent) PCs with DoS tools (bots)
forming a botnet.
To compromise a computer, the attacker must install a backdoor application that
gives them access to the PC. They can then use the backdoor application to install
DoS software and trigger the zombies to launch the attack at the same time.
TCP-based DoS Attacks
 A SYN flood attack subverts the TCP handshake process by withholding the client's ACK
packet. Typically, the client's IP address is spoofed, meaning that a random IP is entered so
the server's SYN/ACK packet is misdirected. A server can maintain a queue of pending
connections.
 When it does not receive an ACK packet from the client, it resends the SYN/ACK packet a
number of times before eventually giving up on the connection after a set timeout. The
problem is that a server may only be able to manage a limited number of pending
connections, which the DoS attack quickly fills up. This means that the server is unable to
respond to genuine traffic.
 A more powerful TCP SYN flood attack is a type of Distributed Reflection DoS (DRDoS)
or amplification attack. In this attack, the client spoofs the victim's IP address and attempts
to open connections with multiple servers. Those servers direct their SYN/ACK responses
to the victim server. This rapidly consumes the victim's available bandwidth.
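The three-way handshake described earlier and the SYN flood that abuses it can both be watched in a packet trace. This added Python example (not code from the lecture) mirrors the server's pending-connection queue: a SYN opens a slot, the client's ACK closes it, and unanswered slots expire after the server's timeout; it reports when the queue exceeds a threshold. The trace, server address, threshold and timeout are constructed assumptions.

```python
from collections import namedtuple

# One captured segment: time in seconds, source, destination, TCP flags
# written the tcpdump way ('S' = SYN, 'SA' = SYN/ACK, 'A' = ACK).
Pkt = namedtuple("Pkt", "t src dst flags")

def track_half_open(trace, server, threshold=5, timeout=30.0):
    """Replay a trace and mirror the server's queue of pending connections.
    Returns (peak_half_open, alert_time, completed): the largest queue size
    seen, the time it first exceeded `threshold` (None if never), and the
    number of handshakes that completed."""
    syn_seen = {}        # client -> time of its still-unanswered SYN
    established = set()  # clients that finished the handshake
    peak, alert_at, completed = 0, None, 0
    for p in sorted(trace, key=lambda p: p.t):
        # The server gives up on a pending connection after `timeout` seconds.
        for client, t0 in list(syn_seen.items()):
            if p.t - t0 >= timeout:
                del syn_seen[client]
        if p.dst != server:
            continue  # only the server's inbound side fills the queue
        if p.flags == "S" and p.src not in established:
            syn_seen.setdefault(p.src, p.t)  # a retransmitted SYN adds no slot
        elif p.flags == "A" and p.src in syn_seen:
            del syn_seen[p.src]  # third handshake step frees the slot
            established.add(p.src)
            completed += 1
        peak = max(peak, len(syn_seen))
        if alert_at is None and len(syn_seen) > threshold:
            alert_at = p.t
    return peak, alert_at, completed

# Constructed trace: one genuine client completes the handshake, then eight
# SYNs arrive from spoofed sources that never answer the SYN/ACK, and a new
# client connects after the server has timed the stale entries out.
SERVER, CLIENT = "192.0.2.10", "198.51.100.5"
SAMPLE_TRACE = [
    Pkt(0.00, CLIENT, SERVER, "S"),
    Pkt(0.01, SERVER, CLIENT, "SA"),
    Pkt(0.02, CLIENT, SERVER, "A"),
] + [
    Pkt(1.0 + i * 0.1, f"203.0.113.{i + 1}", SERVER, "S") for i in range(8)
] + [
    Pkt(40.0, "198.51.100.9", SERVER, "S"),
]

if __name__ == "__main__":
    peak, alert_at, completed = track_half_open(SAMPLE_TRACE, SERVER)
    print(f"peak half-open={peak} alert_at={alert_at} completed={completed}")
```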
UDP-based DoS Attacks
 UDP provides unreliable, connectionless communications.
 An example of a DRDoS attack using UDP packets is the Fraggle attack, a
different version of Smurf.
 In this attack, the attacker spoofs the victim's IP address and uses it to
broadcast UDP packets aimed at obsolete diagnostic ports (echo, chargen, or
discard).
Review questions
 Answer these questions to test what you have learned in this unit.
 1) Is it possible to eavesdrop on the traffic passing over a company's internal network from
the internet?
 2) Why might an ARP poisoning tool be of use to an eavesdropper?
 3) What type of tool(s) would be used in a footprinting attack?
 4) Is it possible to discover what ports are open on a web server from another computer on
the internet?
 5) How does a replay attack work?
 6) Why are most network DoS attacks distributed?
 7) What can you use to mitigate ARP poisoning attacks?
 8) What is a Fraggle attack?
Vulnerability Assessments and Pentests
 We saw earlier that a necessary part of attacking a network is to gather information about it.
This technique can also be used by security professionals to probe and test their own security
systems. When information gathering is conducted by a "white hat", assessments are usually
classed as either vulnerability scanning or penetration testing.
Vulnerability Scanning
 Vulnerability scanning is the process of auditing a network (or application) for known
vulnerabilities. Recall that a vulnerability is a weakness that could be triggered accidentally or
exploited maliciously by a threat agent to cause a security breach.
 An unpatched software application, a host with no anti-virus software, and an administrator
account with a weak password are examples of vulnerabilities.
Vulnerability scanning cont'd
 Vulnerability scanning generally uses passive techniques. A vulnerability
scanner would probe the network or application to try to discover issues but
would not attempt to exploit any vulnerabilities found.
Penetration Testing
 A penetration test (pentest) or ethical hacking essentially involves thinking like an attacker
and trying to penetrate the security systems that have been set up.
A pentest might involve the following steps:
 ■ Verify a threat exists - use surveillance, social engineering, network scanners, and
vulnerability assessment tools to identify vulnerabilities that could be exploited.
 ■ Bypass security controls - look for easy ways to attack the system. For example, if the
network is strongly protected by a firewall, is it possible to gain access to a computer in the
building and run malware from a USB stick?
 ■ Actively test security controls - probe controls for configuration weaknesses and errors,
such as weak passwords or software vulnerabilities.
 ■ Exploit vulnerabilities - prove that a vulnerability is high risk by exploiting it to gain
access to data or install malware.
Penetration Testing cont'd
 The key difference to passive vulnerability scanning is that an attempt is
made to actively test security controls and exploit any vulnerabilities
discovered.
For example, a vulnerability scan may reveal that an SQL Server has not
been patched to safeguard against a known exploit.
A penetration test would attempt to use the exploit to perform code injection
and compromise the server.
This provides active testing of security controls; even though the exploit
exists, the permissions on the server might prevent an attacker from using it.
Vulnerability Scanners
 Numerous tools are available to facilitate vulnerability scanning and penetration testing.
Footprinting and fingerprinting tools (and to some extent tools that facilitate attacks such as
spoofing and password cracking) are of the "dual-use" kind that make them useful to both
attackers and defenders. sectools.org is a useful resource for researching the different types
and uses of security assessment tools.
 A vulnerability scanner is a type of network mapper that aims to detect whether the network
is exposed to any threats. To that end, as well as mapping the network for hosts and detecting
running services, they use techniques such as banner grabbing to scan for things such as patch
level, security configuration and policies, network shares, unused accounts, weak passwords,
rogue access points and servers, anti-virus configuration, and so on.
 This provides passive testing of security controls; ideally such scans should be blocked.
Honeypots and Honeynets
 A honeypot is a computer system set up to attract attackers, with the intention of
analyzing attack strategies and tools, to provide early warning of attack attempts,
or possibly as a decoy to divert attention from actual computer systems.
Another use is to detect internal fraud, snooping, and malpractice.
A honeynet is an entire decoy network.
This may be set up as an actual network or simulated using an emulator.
Review questions
 Answer these questions to test what you have learned in this unit.
 1) What general precautions should you take before contracting someone to
perform system scanning?
 2) What is meant by a black box pentest?
 3) What are the disadvantages of performing penetration testing against a
simulated test environment?
 4) Why should an ISP be informed before pentesting takes place?
 5) True or false? A honeypot is designed to prevent network attacks by
intercepting them and trapping them within a secure, decoy environment.