Presentation Layer Security
Presentation Layer
• The Presentation layer deals primarily with data presentation.
• For instance, if one host uses Extended Binary-coded Decimal Interchange Code (EBCDIC) for
character sets and its communication partner uses American Standard Code for Information
Interchange (ASCII), the Presentation layer converts the data according to each host's needs.
• This is especially helpful when you have a heterogeneous network, because different hosts might
represent data in diverse manners.
• Such functionality alleviates the need for application programmers to embed such code into their
work.
• Other functionality within the Presentation layer includes data compression, data encryption,
manipulating Extensible Markup Language (XML) objects, and other data handling deemed
necessary.
• The Presentation layer provides insulation between the various forms of data representation
encountered in multivendor environments, much like the ASN.1 (Abstract Syntax Notation)
notation employed in the Simple Network Management Protocol (SNMP).
The Structure of NetBIOS and SMB
• Network Basic Input/Output System (NetBIOS) is an application programming
interface (API) that provides the essential network functions that a system needs (e.g.,
identify self, form connections with other hosts, exchange datagrams, and so forth).
• In the 1980s, a company named Sytec, Inc. created NetBIOS for IBM.
• At that time, NetBIOS was a standalone entity embodied by Read-Only Memory
(ROM) functionality built into the original IBM PC local area network (LAN)
adapter, and traversing the wire by itself.
• Today, most implementations run NetBIOS over Transmission Control Protocol/Internet
Protocol (TCP/IP), known as NBT, but it can also run over Internetwork Packet
Exchange/Sequenced Packet Exchange (IPX/SPX) or other transport mechanisms.
• Regardless of the implementation, the functionality remains the same, and irrespective
of how it is implemented—natively or over TCP/IP—the API is the same.
Server Message Block (SMB)
• NetBIOS provides the framework that allows two or more networked hosts to
share objects located on one of the networked hosts.
• Used in conjunction with Server Message Block (SMB), the two most prominent
services that machines offer are file and printer shares.
• Some people think NetBIOS is too “chatty” (e.g., the host announcements that
emanate from Windows machines every 12 minutes, master browser elections,
and so forth), and can generate a considerable amount of broadcast and multicast
traffic.
• However, NetBIOS is just the messenger, and is no more chatty than other
protocols.
How NetBIOS Works
• In order to share programs, machines have to be able to communicate with each other.
• To accomplish this, each machine is given a unique hostname; consequently, there has to be a
way to identify naming conflicts.
• Within NetBIOS there is a functionality called “NetBIOS Name Services,” where the associated
communications generally take place over User Datagram Protocol (UDP) port 137 (default).
• Because it is over UDP, the service is connectionless; thus, there is no guarantee that packets
will be delivered.
• To avoid any syntactical issues, NetBIOS names are converted to 15 uppercase characters.
• Appended to the name is a 1-byte service value, which is used to identify the type of name,
workstation, workgroup, and so on.
• These names are used to identify the endpoints to one another during an exchange of
information over the network.
Local NetBIOS Name Table
• To join the network, a host must verify that its name is unique on the network.
• To do this, it broadcasts a name registration request out to the network.
• If there is another host on that segment with that name registered, the request is
denied.
• To prevent naming conflicts, each machine maintains an enumeration of unique
names called a “NetBIOS Name Table.”
• Whenever there is a request for an existing host name, a deny request is initiated.
• Essentially, the requestor does not go out and search for a conflict, but rather it
announces its presence and waits for another host to deny it entry.
• If no other hosts deny the request, it is stored in the local NetBIOS Name Table.
Windows Internet Name Service (WINS)
• Clients began utilizing Windows Internet Name Service (WINS) to resolve names to Internet Protocol (IP)
address mappings.
• What is commonly referred to as WINS is Microsoft’s implementation of NetBIOS Name Services (NBNS).
• A server (with WINS running) stored registration information for all of the hosts on the network.
• If a host wanted to communicate with another host, it would query the WINS server for the IP address of the
destination server. Static files are also used in mapping names to IP addresses.
• In all hosts (platform-independent) there is a hosts file.
• On Windows machines, there is also a LAN Manager Host (LMHost) file.
• In addition to machine names, the LMHost file translates other Windows networking information.
• These methods can also be used alone or in conjunction with one another.
• The risk in utilizing static (file-based) translation is not receiving an updated host address. Beginning with
Windows 2000, hosts began registering names with Domain Name Services (DNS). (DNS is available to any
host, not just Windows-based clients.)
NetBIOS Threats
• As you will see later, if not properly protected, NetBIOS can give an
attacker easy access to information about networks and hosts (known
as an enumeration attack).
• Another possibility is that an attacker might gain access to the file
system by exploiting vulnerabilities found in some Windows operating
systems administrative shares.
• There is also an opportunity for Denial of Service (DoS) via NetBIOS.
SMB
• SMB is another interface that offers similar functionality to that provided by NetBIOS.
• In earlier versions of SMB, clients used the NETBIOS over TCP/IP (NBT) transport to
carry SMB packets over the network.
• These days, SMB implementations can use TCP/IP directly as a transport for
communications.
• By default, clients use TCP port 445 for such traffic.
• Again, there is a need for name resolution; SMB can use NetBIOS names, WINS, or
standard DNS for that service.
• Once name resolution occurs, a host can begin negotiating the protocol and session with
another host.
• After negotiation, the two clients continue a session of requests and responses until one
receives a close request and sends a close response.
Attacking the Presentation Layer
• A Presentation layer attack is the act of taking advantage of a vulnerability or weakness within the
functionality (code).
• NetBIOS and enumeration relate to null (anonymous) users.
• Some Microsoft operating systems and services used to require that you utilize the null user in
order to operate properly (e.g., in old NT domains, trust relationships utilized null users to
authenticate users [from trusted domains]).
• Unless permissions are specifically changed for a service, it is most likely running under the system
account (by default). This isn’t a problem until you consider sharing/using remote resources.
• The system account uses the null user to get to remote resources; however, because the system
account exists on each machine and does not have a password set, it must use the null/anonymous
account to connect to other machines.
• As you can see, there are valid reasons for using null sessions; however, there are also many
reasons to protect your servers from the null session.
Null Session
• Null sessions allow users to communicate via NetBIOS in order to query any server
as the null user.
• If this occurs, users can enumerate shares, users, groups, permissions, policies, and
so forth (known as an information disclosure).
• If attackers can enumerate usernames, group memberships, and the password policy
of domain members, they can probably brute force their way into the network,
which (depending on password policies and other controls) may lead to an intrusion.
• There are countless tools to help enumerate different aspects of a Windows server.
One of these tools is enum (www.cotse.com/tools/netbios.htm), which allows you to see the
different aspects without having explicit permissions on the server or in the domain.
Admin$ and ipc$ share
• Admin$ is specifically used to deploy software remotely. If you
have ever 'pushed' software to a computer across your network,
then you have used the admin$ share. When software is pushed,
it uses this share to upload the file.
• The Interprocess Communication ipc$ share is a resource
that shares the named pipes that are essential for communication
between programs.
• The ipc$ share is used during remote administration of a
computer and when viewing a computer's shared resources. You
cannot change the share settings, share properties, or ACLs of
the ipc$ share.
Exploiting the IPC$ Share
• Windows operating systems have hidden administrative shares that typically have a $ at the
end (e.g., C$ [or any local drive], ADMIN$, and IPC$), which are not usually available to generic
users.
• By placing the $ on the end of the share name, the
system tells itself to omit this share from any
request for the enumeration of shares.
• Figure shows all of the shares that are configured
on the server.
• Notice the number of hidden/administrative shares
that exist by default.
• Only the AppShare and FileShare folders were
created by the administrator for explicit sharing.
The Interprocess Communication (IPC$)
• The Interprocess Communication (IPC$) share is necessary in order for systems to work properly.
• There are many different processes that are active on any given machine.
• For this reason, these modules need to communicate with one another.
• A program may need to verify permissions for a remote user.
• The program would have to communicate via IPC.
• In Windows, processes communicate via the IPC$ hidden share.
• In some configurations of Windows (especially NT) users can exploit the use of the IPC$ and other
hidden shares through a null session.
• Once a user connects to a null session, it may then utilize the net view and net use commands within a
console window to browse and connect to the hidden shares on a machine.
• To illustrate this weakness, we use the winfo tool (http://ntsecurity.nu/toolbox/winfo/), which allows you
to connect via the null session to the IPC$ share, and then enumerate all of the hidden/administrative
shares.
• As a user without domain privileges, you can run the utility and recover a complete listing of the
hidden/administrative shares on the target server.
• Figure shows the results of the query.
Other NetBIOS Worries
• Other than the null session weakness and the IPC$ vulnerability, there are several other
attacks that can be used against the NetBIOS protocol.
• Recall that in order to establish an identity, a new member sends out a packet
notifying the other machines of its desire to establish a unique machine name.
• Because the requestor waits for another machine to deny the request (i.e., the
name is already in use), it’s not difficult to write a utility that denies every request
received.
• The result of this is that all of the machines that are booting into the network will
not be able to join.
• Although this may be of little consequence for some client machines, if it occurs
in combination with another attack on a domain controller (requiring a reboot to
reconcile), the consequences could be dire.
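As an added example (not part of the original notes), the Python below first implements the NetBIOS name format described earlier (15 uppercase characters plus a 1-byte service suffix, first-level encoded as in RFC 1001/1002; space padding is assumed) and then runs a defender-side check over constructed NetBIOS Name Service packets: a single host that returns negative name-registration responses for many different names is flagged as a likely registration-denial source. The packet builder, sample addresses and threshold are constructed for the demonstration.

```python
import struct
from collections import defaultdict

NBNS_OPCODE_REGISTRATION = 5   # RFC 1002 OPCODE value for name registration
NBNS_RCODE_ACT_ERR = 6         # "active name error": name already owned by another node


def encode_nb_name(name, suffix):
    """Pad to 15 uppercase chars, append the 1-byte service suffix, then
    first-level encode every nibble as a letter in A..P (RFC 1001 14.1)."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in raw)


def decode_nb_name(encoded):
    """Reverse of encode_nb_name: 32 letters -> (name without padding, suffix)."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_negative_registration_response(trn_id, name, suffix):
    """Constructed sample packet: R=1, OPCODE=5, AA set, RCODE=ACT_ERR, one NB RR."""
    flags = (1 << 15) | (NBNS_OPCODE_REGISTRATION << 11) | (1 << 10) | NBNS_RCODE_ACT_ERR
    header = struct.pack("!HHHHHH", trn_id, flags, 0, 1, 0, 0)      # QD=0, AN=1
    rr_name = bytes([32]) + encode_nb_name(name, suffix).encode("ascii") + b"\x00"
    # RR_TYPE NB (0x20), RR_CLASS IN, TTL, RDLENGTH 6, then NB_FLAGS + NB_ADDRESS
    rr_body = struct.pack("!HHIH", 0x0020, 1, 0, 6) + struct.pack("!H4B", 0, 10, 0, 0, 1)
    return header + rr_name + rr_body


def parse_nbns(pkt):
    """Parse the NBNS header and the first encoded name that follows it."""
    trn_id, flags, *_ = struct.unpack("!HHHHHH", pkt[:12])
    label_len = pkt[12]
    name, suffix = decode_nb_name(pkt[13:13 + label_len].decode("ascii"))
    return {"trn_id": trn_id, "response": bool(flags >> 15),
            "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "name": name, "suffix": suffix}


def is_negative_registration(parsed):
    return (parsed["response"] and parsed["opcode"] == NBNS_OPCODE_REGISTRATION
            and parsed["rcode"] == NBNS_RCODE_ACT_ERR)


def find_denial_sources(packets, threshold=3):
    """packets: iterable of (src_ip, raw_bytes). A host denying registrations
    for `threshold` or more distinct names is reported with those names."""
    denied = defaultdict(set)
    for src, pkt in packets:
        parsed = parse_nbns(pkt)
        if is_negative_registration(parsed):
            denied[src].add((parsed["name"], parsed["suffix"]))
    return {src: sorted(names) for src, names in denied.items() if len(names) >= threshold}


# Constructed capture: 10.0.0.7 denies four different workstation names, 10.0.0.2 denies one.
SAMPLE_CAPTURE = [("10.0.0.7", build_negative_registration_response(0x1000 + i, n, 0x00))
                  for i, n in enumerate(["WS01", "WS02", "WS03", "WS04"])]
SAMPLE_CAPTURE.append(("10.0.0.2", build_negative_registration_response(0x2000, "WS01", 0x00)))
```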
Windows Server OS
• These types of weaknesses only exist in older implementations of
Windows Server operating systems; however, some legacy systems
never change.
• This is especially true in large corporations and in government.
• These organizations are so dependent on these operating systems that
they cannot easily migrate to a more recent application running on a
more recent platform.
• Because of this, these types of NetBIOS vulnerabilities still exist.
• You already know that enum and winfo are good tools; however, there are
numerous other utilities available—some for a fee, and some for free. Some of the
more notable utilities include dumpsec, Hyena (both available at
www.somarsoft.com/), and NBTScan (www.inetcat.org/software/nbtscan.html ).
• For more guidance regarding security tools, a great source can be found at
http://sectools.org/. When you use these tools against the Windows test hosts, you
may receive different results based on which version and operating system you
test.
• Table shows a breakdown of the default settings for Windows operating systems.
Other attacks
• Sniffing Encrypted Traffic: some protection mechanisms utilize encryption and others use
one-way functions. All of these techniques exist to make it difficult to
intercept a transmission and retrieve the contents of the message. In other
words, these mechanisms exist to protect the confidentiality of the transaction.
As well, these same systems may also prevent message modification, thus
protecting the integrity of the message.
• A Maturing Dictionary Attack: looking for the password table.
• Attacking Kerberos: the purpose of the Kerberos Service is to authenticate
users to servers and servers to users. Most networks are diverse with regard to
servers and services, so there is a need for such a capability. Kerberos is
designed to utilize symmetric encryption, meaning it’s based on a shared-key
approach.
Tools Used to Intercept Traffic
• Burp Proxy (www.portswigger.net/proxy/) is a tool that lets you
create a history of packets traversing through the proxy, or it allows
you to intercept the traffic, make modifications to the packet (or not),
and then forward it on to the destination. It also allows you to intercept
Hypertext Transfer Protocol Secure (HTTPS) traffic.
• Achilles (www.mavensecurity.com/achilles) is another proxy tool
that can be used to capture, modify, and view transactions.
Defending the Presentation Layer
• Encryption
• The use of IPSec protocol
• Tightening NetBIOS Protections
Tightening NetBIOS Protections
• Increasing the security applied to your local security policy.
• There are two ways to address this issue.
• The first is to modify the registry directly. In this case, you want to set the HKLM\
System\CurrentControlSet\Control\Lsa\RestrictAnonymous value so that these
protections are enabled. This will essentially turn on anonymous restrictions on your
host.
• The other way to enable this option is to modify the local security policy via the user
interface and set the value to “enabled.”
• Either way will stop unauthorized users from connecting to null sessions and
performing NetBIOS enumerations.
• As always, manually editing the registry can be dangerous, so you should backup
your registry before making any changes.
Application Layer Security
Application Layer
Provides services for an application to send
and receive data over the network, e.g.,
telnet (port 23), mail (port 25), finger (port 79)
DNS Security
Email Security
Interface to the transport layer
– Operating system dependent
– Socket interface
(Figure: server side of the socket interface; labels: once per service, session.)
• Applications:
• Terminal access
• File transfer
• Electronic mail
• WWW transactions
• DNS
• Distributed file system
• In general, the e-mail infrastructure consists of a mesh of mail servers, also termed Message
Transfer Agents (MTAs), and client machines running an e-mail program comprising a User Agent
(UA) and a local MTA.
Email Protocols
• The protocols used for e-mail are as follows:
• Simple Mail Transfer Protocol (SMTP) is used for forwarding e-mail messages.
• Post Office Protocol (POP) and Internet Message Access Protocol (IMAP)
are used by the recipient to retrieve messages from the server.
MIME
• The basic Internet e-mail standard was written in 1982 and describes the format of e-mail
messages exchanged on the Internet.
• It mainly supports e-mail messages written as text in the basic Roman alphabet.
• By 1992, an additional standard, Multipurpose Internet Mail Extensions (MIME), was
defined.
• It is a set of extensions to the basic Internet e-mail standard.
• MIME provides the ability to send e-mail using characters other than those of the basic
Roman alphabet, such as the Cyrillic alphabet (used in Russian), the Greek alphabet, or even
the ideographic characters of Chinese.
• Another need fulfilled by MIME is to send non-text content, such as images or video clips.
• Due to these features, the MIME standard became widely adopted with SMTP for e-mail
communication.
Email Security
Confidentiality − E-mail message should not be read by anyone but the intended recipient.
Integrity − Assurance to the recipient that the e-mail message has not been altered since it was
transmitted by the sender.
Non-repudiation − E-mail recipient is able to prove to a third party that the sender really did send
the message.
Proof of submission − E-mail sender gets the confirmation that the message is handed to the
mail delivery system.
Proof of delivery − Sender gets a confirmation that the recipient received the message.
• Security services such as privacy, authentication, message integrity, and non-repudiation are usually
provided by using public key cryptography.
Secure E-mail Approaches
• PGP: Pretty Good Privacy
• PEM: Privacy-Enhanced Mail
• Secure Multipurpose Internet Mail Extensions (S/MIME)
• A 128-bit symmetric key, KS, is generated and used to encrypt the compressed message
with IDEA.
• KS is encrypted with the recipient's public key using the RSA algorithm, and the result is
appended to the encrypted message.
PGP Format
• The format of a PGP message is shown in the following diagram.
• The IDs indicate which key is used to encrypt KS and which key is to be used to verify the signature
on the hash.
• In the PGP scheme, a message is signed and encrypted, and then MIME-encoded before
transmission.
PGP Certificate
• A PGP key certificate is normally established through a chain of trust. For example,
A’s public key is signed by B using his public key, and B’s public key is signed by C using his public
key. As this process goes on, it establishes a web of trust.
• In a PGP environment, any user can act as a certifying authority.
• Any PGP user can certify another PGP user's public key.
• However, such a certificate is only valid to another user if that user recognizes the certifier as a
trusted introducer.
• Several issues exist with such a certification method. It may be difficult to find a chain leading from a
known and trusted public key to the desired key.
• Also, there might be multiple chains, which can lead to different keys for the desired user.
• PGP can also use the PKI infrastructure with a certification authority, and public keys can be certified by
a CA (X.509 certificate).
Confidentiality
(Figure: PGP confidentiality flow between Sender A and Receiver B.)
• Sender A: encrypts the message M with the session key, giving Ksession(M); encrypts Ksession with
B's public key KBpublic, giving KBpublic(Ksession); concatenates the two into the ciphertext c.
• Receiver B: decrypts KBpublic(Ksession) with KBprivate to recover Ksession, then decrypts
Ksession(M) with Ksession to recover M.
• In a standard DNS scheme, whenever the user wants to connect to any
domain name, his computer contacts the DNS server and looks up the
IP address associated with that domain name.
• Once the IP address is obtained, the computer then connects to that IP address.