CYBER SECURITY
Prof. Chintan Patel [email protected]
• Do you use a “Laptop or Lappy”?
• Do you use a “Mobile or cell”?
• Do you surf the Internet?
• Do you use WhatsApp?
• Want to be safe from cyber attack?
• Want to make INDIA free from cyber attack?
• Then let us LEARN CYBER SECURITY.
Introduction to Computer Networks and Internet
Internet
• What is the Internet?
– One sentence definition…
• What are the nuts & bolts of the Internet?
• Computer network: interconnecting hundreds of millions of computing devices
Hosts
• TVs, laptops, gaming consoles, cell phones, web cams, automobiles, environmental sensing devices, …
Communication Link
• Transmission medium used to carry data, in the form of packets, at a particular transmission rate.
Router
• A network device that takes a packet from a connected communication link and forwards it based on its destination.
Switch
• Connects multiple hosts.
ISP
• Internet Service Provider
Think about a Smart Home!
Protocol
A set of rules
• Human Protocols
• Defines the format and order of messages exchanged, as well as the actions taken on transmission.
• Computer network protocols:
– HTTP
– FTP
– SMTP
– etc.
Types of Services
• Connection-oriented service
– A control packet is sent before the actual data is transmitted
– 3-way handshake (TCP)
– Reliable; flow control; congestion control
– TCP: HTTP, FTP, TELNET, SMTP
• Connectionless service
– No handshaking
– Faster delivery
– UDP: media streaming, video conferencing
Physical Media
• Bit: propagates between transmitter/receiver pairs
• Physical link: what lies between transmitter and receiver
• Guided media:
– signals propagate in solid media: copper, fiber, coax
• Unguided media:
– signals propagate freely, e.g., radio
• Twisted Pair (TP): two insulated copper wires
– Category 3: traditional phone wires, 10 Mbps Ethernet
– Category 5: 100 Mbps Ethernet
Physical Media: coax, fiber
Coaxial cable:
• two concentric copper conductors
• bidirectional
• baseband:
– single channel on cable
– legacy Ethernet
• broadband:
– multiple channels on cable
– HFC
Fiber optic cable:
• glass fiber carrying light pulses, each pulse a bit
• high-speed operation:
– high-speed point-to-point transmission (e.g., 10’s-100’s Gbps)
• low error rate: repeaters spaced far apart; immune to electromagnetic noise
Protocols of Each Layer
Network Port
• A network port is a number that identifies one side of a connection between two computers.
• Computers use port numbers to determine to which process or application a message should be delivered.
Computer Database
• A computer database is, as the name implies, a collection of data stored within a computer. It is like an electronic file cabinet full of documents.
• What makes computer databases useful is the ease with which the data can be entered, stored and manipulated.
History of the Internet
Prehistoric
• Smoke signals
• Talking drums
– A message can be delivered 100 miles in 1 hour
Before Common Era (BCE)
• Pigeons
• Hydraulic Semaphore
• 1790’s: Semaphore lines
• 1830’s : Electric Telegraph
• 1870’s: Telephone
• 1890’s: Radio
• 1920’s: Television
• 1960’s: Satellite
Computer Network beginnings
• 1960’s:
– Fiber optics
– Packet switching by Kleinrock
• 1969: Four nodes (UCLA, Stanford, UCSB and Univ. of Utah) connected by 50 kbps links
– ARPANET (Advanced Research Projects Agency Network)
• 1972: ARPANET connected 15 nodes; email was introduced
The 1970’s
• Different networks emerged
– ALOHAnet (microwave)
– DARPA Satellite
– BBN Commercial
• 1976: Ethernet by Metcalfe
• Internetworking these networks (Internet)
– End of 1970s: TCP/IP by Kahn and Cerf
• 1981: 213 hosts on ARPANET
1980’s
• 1982: TCP/IP formalized
• 1982: SMTP (Email)
• 1983: Domain Name System (DNS)
• 1986: Internet Engineering Task Force
• 1988: OSI Reference Model released
• 1989: Routing protocols: BGP, RIP
1990’s
• Early 1990’s: Commercialization of the Internet (ISPs)
• 1991: World Wide Web (WWW)
• 1995: Many new applications
– Instant messaging, P2P, e-commerce (eBay, Amazon)
• 1998: Google Search
• 1999: WiFi (wireless)
2000’s
• 2003: Skype
• 2004: Facebook
• 2005: YouTube
• 2006: Twitter
• 2008: Cloud-based services (e.g. Dropbox)
• 2010: Instagram (photo sharing)
• 2011: Google+
References
• PPT of Kurose and Ross
• Computer Networks, Bodhitree, IIT Bombay
Content
• IP Address
• Protocol
• Port
• System Vulnerability
• Types of Vulnerability scanners
Internet Protocol Address
• IPv4 Address: a 32-bit unique address used to connect with a host system
– Class A: 1.xxx.xxx.xxx to 126.xxx.xxx.xxx
– Class B: 128.0.xxx.xxx to 191.0.xxx.xxx
– Class C: 192.0.0.xxx to 223.0.0.xxx
• Loopback Address: 127.xxx.xxx.xxx
• IPv6 Address: represented by a series of eight 16-bit hexadecimal fields separated by colons (:), in the format x:x:x:x:x:x:x:x
• Total 128-bit address
Port
• A port is the identity of a process or service
• It is a 16-bit unsigned integer
• Port numbers range from 0 to 65535
• IANA (Internet Assigned Numbers Authority) is responsible for assigning port numbers for use.
Well-Known Ports
• Ports from 0 to 1023 are known as well-known port numbers
• Used by system processes that provide networking services.
• Famous well-known ports:
– 20, 21: FTP data and control ports
– 22: SSH (Secure Shell) for secure login
– 23: Telnet for unencrypted text transmission
– 25: Simple Mail Transfer Protocol
– 53: Domain Name System
– 520: Routing Information Protocol
Registered Ports
• Range from 1024 to 49151
• Assigned by IANA for specific services upon application by the requesting entity
• Used by ordinary users
• Examples:
– Proxy server ports
– Virtual private network ports
– Ports requested by IBM, Apple, Oracle and many other companies for their specific services
Dynamic, Private or Ephemeral Ports
• Range from 49152 to 65535
• Cannot be registered with IANA
• Used for private or temporary purposes
IP + Port
• IP: to connect with a system
• Port: to connect with a process or application
• (IP address):(port number)
• If the IP address is a telephone number, then the port number is the extension.
Port Scanner
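Before the port scanner slides, here is an added worked example (not code from the lecture) tying together the preceding slides on IPv4 classes, the loopback range, IPv6 notation, the IANA port ranges and the (IP address):(port number) notation. It parses an endpoint string and reports each of those properties; the well-known-port table is limited to the ports listed on the slides, and the sample endpoints are constructed.

```python
import ipaddress

# Subset of the well-known ports named on the slides (constructed table).
WELL_KNOWN_SERVICES = {
    20: "FTP data", 21: "FTP control", 22: "SSH", 23: "Telnet",
    25: "SMTP", 53: "DNS", 520: "RIP",
}


def classify_ipv4(addr: str) -> str:
    """Classful category of a dotted-quad IPv4 address, per the slide ranges."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet == 127:
        return "loopback"
    if 1 <= first_octet <= 126:
        return "A"
    if 128 <= first_octet <= 191:
        return "B"
    if 192 <= first_octet <= 223:
        return "C"
    return "other (multicast/reserved/unspecified)"


def classify_port(port: int) -> str:
    """IANA range of a port number; rejects anything outside 16 bits."""
    if not 0 <= port <= 65535:
        raise ValueError("port must be a 16-bit unsigned integer")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_endpoint(text: str) -> dict:
    """Parse 'a.b.c.d:port' or '[ipv6]:port' into its components.

    The bracket form is the usual way to keep the colons of an IPv6
    address apart from the port separator.
    """
    if text.startswith("["):
        host, _, port_text = text[1:].partition("]:")
        ip = ipaddress.IPv6Address(host)          # validates the eight 16-bit fields
        version, ip_class = 6, "IPv6 (128-bit)"
    else:
        host, _, port_text = text.rpartition(":")
        ip = ipaddress.IPv4Address(host)          # validates the 32-bit address
        version, ip_class = 4, classify_ipv4(host)
    port = int(port_text)
    return {
        "ip": str(ip),
        "version": version,
        "ip_class": ip_class,
        "port": port,
        "port_range": classify_port(port),
        "service": WELL_KNOWN_SERVICES.get(port, "not in the slide table"),
    }


if __name__ == "__main__":
    for ep in ("192.168.12.40:22", "127.0.0.1:50000", "[2001:db8::1]:8080"):
        print(ep, parse_endpoint(ep))
```

The `ipaddress` module does the syntactic validation, so a malformed address raises instead of being silently mis-classified; the classful ranges themselves are the ones on the slide and are only historical today (modern routing is classless).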
• A port scanner is a software application designed to probe a server or host for open ports.
• Used by administrators to verify the security policies of their networks
• Used by attackers to identify running services on a host with a view to compromising it.
• Example: NMAP
Port Scanning
• The main goal of port scanning is to find out which ports are open, which are closed and which are filtered.
• Open port: a port on which an application is actively accepting TCP or UDP traffic.
– Finding open ports is the primary goal of port scanning
– Each open port is an avenue for attack
– Attackers want to exploit the open ports
– Network administrators want to protect them with a firewall
– Also important for non-security scans, to identify available services
• Closed port: a port that is accessible but has no application listening on it
– Used for host discovery and OS detection
– Network administrators want to block it with a firewall to reduce its accessibility
• Filtered port: a port that cannot be reached by the port scanner
– Cannot identify whether it is open or closed
– Filtering can come from a firewall device, routing rules, or firewall software
• Unfiltered port: a port that can be reached by the port scanner but cannot be identified as open or closed
• If the port is open:
– Send a SYN packet
– Response will be a SYN + ACK packet
• If the port is closed:
– Send a SYN packet
– Response will be an RST packet
• If the port is filtered:
– Send a SYN packet
– No response
• If the target machine is protected by a firewall, then its firewall rules decide what the machine’s response will be.
Vulnerability Scanning or Weakness Scanning
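Port scanning is the first step of vulnerability scanning, and the SYN-probe behaviour on the slides above is also what a defender sees in firewall logs: one source sending SYNs to many different ports in a short time. The following added example (not from the lecture) is the detection side of that: it reads constructed iptables-style log lines and flags any (source, destination) pair that touches at least a threshold number of distinct ports within a sliding time window. Field names, timestamps and thresholds are all assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified firewall log (KEY=VALUE fields as iptables logs them).
# 10.0.0.7 sends SYNs to twelve ports within three seconds, the footprint of a
# SYN or connect scan; 10.0.0.9 is ordinary client traffic to 443 and 80.
SAMPLE_LOG = """\
2024-01-15T10:00:00 SRC=10.0.0.9 DST=192.168.12.40 PROTO=TCP DPT=443 FLAGS=SYN
2024-01-15T10:00:01 SRC=10.0.0.7 DST=192.168.12.40 PROTO=TCP DPT=21 FLAGS=SYN
2024-01-15T10:00:01 SRC=10.0.0.7 DST=192.168.12.40 PROTO=TCP DPT=22 FLAGS=SYN
2024-01-15T10:00:01 SRC=10.0.0.7 DST=192.168.12.40 PROTO=TCP DPT=23 FLAGS=SYN
2024-01-15T10:00:01 SRC=10.0.0.7 DST=192.168.12.40 PROTO=TCP DPT=25 FLAGS=SYN
2024-01-15T10:00:02 SRC=10.0.0.7 DST=192.168.12.40 PROTO=TCP DPT=53 FLAGS=SYN
2024-01-15T10:00:02 SRC=10.0.0.7 DST=192.168.12.40 PROTO=TCP DPT=80 FLAGS=SYN
2024-01-15T10:00:02 SRC=10.0.0.7 DST=192.168.12.40 PROTO=TCP DPT=110 FLAGS=SYN
2024-01-15T10:00:02 SRC=10.0.0.7 DST=192.168.12.40 PROTO=TCP DPT=135 FLAGS=SYN
2024-01-15T10:00:03 SRC=10.0.0.7 DST=192.168.12.40 PROTO=TCP DPT=139 FLAGS=SYN
2024-01-15T10:00:03 SRC=10.0.0.7 DST=192.168.12.40 PROTO=TCP DPT=443 FLAGS=SYN
2024-01-15T10:00:03 SRC=10.0.0.7 DST=192.168.12.40 PROTO=TCP DPT=445 FLAGS=SYN
2024-01-15T10:00:03 SRC=10.0.0.7 DST=192.168.12.40 PROTO=TCP DPT=3389 FLAGS=SYN
2024-01-15T10:00:05 SRC=10.0.0.9 DST=192.168.12.40 PROTO=TCP DPT=443 FLAGS=ACK
2024-01-15T10:00:09 SRC=10.0.0.9 DST=192.168.12.40 PROTO=TCP DPT=443 FLAGS=SYN
2024-01-15T10:00:12 SRC=10.0.0.9 DST=192.168.12.40 PROTO=TCP DPT=80 FLAGS=SYN
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, flags)."""
    stamp, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(stamp), kv["SRC"], kv["DST"], int(kv["DPT"]), kv.get("FLAGS", "")


def detect_port_scans(log_text, window=timedelta(seconds=10), threshold=10):
    """Return {(src, dst): sorted distinct ports} for every pair that sent SYNs
    to at least `threshold` distinct ports inside any `window`-long span.

    Only the connection-opening SYN counts; ACKs of established sessions are
    ignored so busy legitimate clients do not trip the rule.
    """
    syns = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = parse_line(line)
        if flags == "SYN":
            syns[(src, dst)].append((ts, dport))

    alerts = {}
    for pair, events in syns.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= threshold:
                alerts.setdefault(pair, set()).update(ports)
    return {pair: sorted(ports) for pair, ports in alerts.items()}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan {src} -> {dst}: {len(ports)} ports {ports}")
```

Threshold and window are the tuning knobs: lowering them catches slower scans but raises the false-positive rate on hosts that legitimately open many connections, which is the same trade-off the vulnerability-scanner slides describe for false positives and false negatives.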
• A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses.
• Vulnerability scanning means searching for security bugs on a single system or across a network.
• Requirements of a vulnerability scanner:
– Discovering bugs present in the network and the network firewall
– Discovering new possibilities of vulnerabilities
– Discovering systems in the network which are vulnerable to attack from outside
• Zero-day vulnerability: a weakness which is identified for the first time in a system or network.
• False negative: a vulnerability exists but the scanner says there is no vulnerability
• False positive: a vulnerability does not exist but the scanner says there is one
• A vulnerability scanner must be able to identify zero-day vulnerabilities and should not suffer from false positives or false negatives
• Vulnerability scanners depend on the techniques used for:
– Host discovery
– Port scanning
– Other vulnerability scanning
Types of Vulnerability Scanner
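An added example (not from the lecture) for the false-positive / false-negative definitions on the preceding slides: given a constructed ground-truth inventory of real weaknesses on a lab network and the findings two scanners reported, it computes exactly which findings are true positives, false positives and false negatives, plus precision and recall, and shows what happens to those figures when the two reports are merged. Host addresses, ports and weakness labels are all made up.

```python
# Constructed ground truth: weaknesses that really exist on the lab hosts.
# Each finding is (host, port, weakness label); labels are illustrative.
TRUE_WEAKNESSES = {
    ("192.168.12.40", 23, "telnet-cleartext"),
    ("192.168.12.40", 21, "ftp-anonymous-login"),
    ("192.168.12.41", 445, "smb-signing-disabled"),
    ("192.168.12.42", 22, "ssh-weak-ciphers"),
}

# Constructed reports from two different scanners.
SCANNER_A = {
    ("192.168.12.40", 23, "telnet-cleartext"),
    ("192.168.12.41", 445, "smb-signing-disabled"),
    ("192.168.12.42", 22, "ssh-weak-ciphers"),
    ("192.168.12.43", 80, "outdated-httpd"),      # nothing is wrong here: false positive
}
SCANNER_B = {
    ("192.168.12.40", 21, "ftp-anonymous-login"),  # the one scanner A missed
    ("192.168.12.40", 23, "telnet-cleartext"),
    ("192.168.12.44", 3306, "mysql-remote-root"),  # another false positive
}


def evaluate_scanner(report, truth):
    """Compare a scanner's findings with ground truth.

    precision = share of reported findings that are real (1.0 = no false positives)
    recall    = share of real weaknesses that were reported (1.0 = no false negatives)
    """
    true_pos = report & truth
    false_pos = report - truth       # reported, but not real
    false_neg = truth - report       # real, but not reported
    return {
        "true_positives": sorted(true_pos),
        "false_positives": sorted(false_pos),
        "false_negatives": sorted(false_neg),
        "precision": len(true_pos) / len(report) if report else 0.0,
        "recall": len(true_pos) / len(truth) if truth else 0.0,
    }


def merge_reports(*reports):
    """Union of several scanners' findings: fewer false negatives, but every
    scanner's false positives are inherited and must be triaged by hand."""
    merged = set()
    for r in reports:
        merged |= r
    return merged


if __name__ == "__main__":
    for name, report in (("A", SCANNER_A), ("B", SCANNER_B),
                         ("A+B", merge_reports(SCANNER_A, SCANNER_B))):
        r = evaluate_scanner(report, TRUE_WEAKNESSES)
        print(name, f"precision={r['precision']:.2f} recall={r['recall']:.2f}",
              "missed:", r["false_negatives"])
```

Merging scanners is the usual way to push recall up (scanner A alone misses the anonymous-FTP finding), and the drop in precision is the price: every extra false positive is analyst time spent confirming that nothing is wrong.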
• Port scanner
• Network vulnerability scanner
• Web application security scanner
• Database security scanner
• Host-based vulnerability scanner
Identifying Open Ports and Services
• Telnet (port 23) lacks encryption, and anyone can read data transferred on this port.
• So for an attacker: identify the open Telnet port
• For the network admin: configure the Telnet service on another, non-standard port number.
nmap Port Scanner
• nmap (Network Mapper) is an open source scanner developed by Fyodor.
• Most popular port scanner for Linux/Unix machines
• Services by nmap:
– Port scanning
– Identify all the running services on the network
– Identify operating system and protocol versions
– TCP scan, UDP scan, ICMP scan
Footprinting
• Gathering information about a computer system and the companies it belongs to.
• www.ping.au
• http://whois.domaintools.com
Banner Grabbing
• After identifying the running services, identify the software and version on which each service runs.
• Open a command prompt:
– telnet localhost 21
Cyber Security
Prof. Chintan Patel [email protected]
Content
• Port scanning
• OpenVAS
• Network vulnerability scanning
– Netcat
– Socat
• Network sniffers
Port Scanning
• Port scanner: software designed to probe a server or host for open ports
– Used by administrators to verify security policy
– Used by attackers to identify running services on a host
• Port scan: a process that sends client requests to a server to find active ports.
• Open port: the host sends a reply indicating the port is active
• Closed port: the host sends a reply that the connection will be denied
• Filtered: there was no reply from the host
• Vulnerabilities can be in open ports or in the operating system of the running host
TCP Flags
• SYN: Synchronize, to initiate a connection
• ACK: Acknowledgment
• FIN: Finished
• RST: Reset
NMAP
• NMAP (Network Mapper) is a free, open source port scanner available for Unix and Windows
Basic Scanning [-sT, -sS]
• TCP connect(): method to establish a connection
– If the connection succeeds, the connection is established
– If the connection fails, the destination system may be offline or the port may be closed
• Connect scan -sT: nmap -sT 192.168.12.40
– If the port is open, you can definitely connect
– Disadvantage of this type of scan: it is easily detectable.
• SYN scan -sS: nmap -sS 192.168.12.40
– Send SYN and receive SYN + ACK from the port: the port is open
– Send SYN and receive RST from the port: the port is closed
– Send SYN and receive no response on the port: it is filtered
– The latest intrusion detection systems and firewalls can detect a SYN scan
• -sF scan: finding open|filtered ports
– nmap -sF 127.0.0.1
• Ping scanning [-sP]
– Allows you to detect which computers are online in a specified range of IP addresses.
– For UDP: send ECHO REQUEST; if an ECHO REPLY is received, the system is up.
– For TCP: send a SYN or ACK packet to a specific port (e.g. 80); if RST or SYN + ACK is received, the remote system is online
– If there is no response, either the remote system is offline or the port is filtered
Example
• UDP scan [-sU]
– Send a 0-byte UDP packet to the target
– If ICMP port unreachable is returned, the port is closed; otherwise it is open
– Disadvantages:
– A firewall may create a false-positive effect: the firewall may itself send the port unreachable message, regardless of the port’s real state
– Slow scanning speed
– Very rarely used for attack
• Fast scan [-F]
– Does not scan all 65536 ports
– Scans only the ports listed in the nmap services file
OpenVAS: Open Vulnerability Assessment Scanning
• “The world's most advanced Open Source vulnerability scanner and manager”
• OpenVAS is a combination of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution
• Collects and manages security information for networks, devices and systems
• Uses a client–server architecture
• The server keeps track of all the different vulnerability results
• The scanner in OpenVAS collects the information
• Installed in Kali Linux / BackTrack
Network Vulnerability Scanning
• Types of attack:
1. Passive attack: monitoring network traffic
– Traffic analysis
– Monitoring unprotected communication
– Decrypting weakly encrypted traffic
– Capturing authentication information such as passwords
2. Active attack: bypassing or breaking into a secured system
– Attempts to break protection features
– Injecting malicious code into the network
– Stealing or modifying information
• Network vulnerability scanning tools:
– NETCAT
– SOCAT
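The nmap slides above end with the open / closed / filtered states and the banner-and-version information that -sT, -sS and -sU scans of your own hosts produce. An added example (not code from the lecture or from the nmap project) of what an administrator does with that output: parse nmap's greppable format (`-oG`, whose `Ports:` field lists `port/state/protocol/owner/service/rpc-info/version/` for each port) into an inventory, and flag open services that send credentials or data in clear text, which is the Telnet concern from the "Identifying Open Ports and Services" slide. The scan output below is constructed for a lab host; only `ftp`, `telnet` and `http` are treated as cleartext here.

```python
import re

# Constructed -oG output for one lab host (not real scan output).
# Tabs separate the fields of a Host line, as nmap writes them.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.12.40 ()\tStatus: Up
Host: 192.168.12.40 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 8.9 (protocol 2.0)/, 23/open/tcp//telnet///, 80/filtered/tcp//http///, 53/open|filtered/udp//domain///\tIgnored State: closed (995)
"""

# Services whose traffic a sniffer can read directly (subset, for the example).
CLEARTEXT_SERVICES = {"ftp", "telnet", "http"}

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname", "ports": [...], "ignored": str|None}}.

    Each port entry has port, state, proto, service and version. The version
    field is rebuilt from everything after the rpc-info slash, so a version
    string that itself contains '/' survives; entries are split on ', ',
    so a version containing ', ' would need a real tokenizer (not done here).
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines, blank lines
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": [], "ignored": None})
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                for item in value.split(", "):
                    parts = item.strip().split("/")
                    entry["ports"].append({
                        "port": int(parts[0]),
                        "state": parts[1],          # open, closed, filtered, open|filtered
                        "proto": parts[2],
                        "service": parts[4],
                        "version": "/".join(parts[6:-1]),
                    })
            elif key == "Ignored State":
                entry["ignored"] = value
    return hosts


def cleartext_exposures(hosts):
    """(ip, port, service) for every *open* port running a cleartext service.
    Filtered ports are not reachable, so they are not reported."""
    found = []
    for ip, host in hosts.items():
        for p in host["ports"]:
            if p["state"] == "open" and p["service"] in CLEARTEXT_SERVICES:
                found.append((ip, p["port"], p["service"]))
    return sorted(found)


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, host in inventory.items():
        for p in host["ports"]:
            print(ip, p["port"], p["proto"], p["state"], p["service"], p["version"])
    print("cleartext services reachable:", cleartext_exposures(inventory))
```

The `open|filtered` state on UDP port 53 is the UDP-scan ambiguity from the slides (no reply could mean open or filtered), so the inventory keeps it verbatim rather than forcing a yes/no answer.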
• Netcat: Netcat is a networking program designed to read and write data across both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
– Port scanning
– File transfer
– Banner grabbing
– Port listening and redirection
• Netcat installation in Windows:
– Download the file from: www.vulnwatch.org/netcat/nc111nt.zip
– Unzip the file at a location of your choice
– Open CMD: nc -h
• Netcat is used by network testing managers for testing the security of a target system
• Malicious users use Netcat for gaining access to a remote or target system
• Some antivirus programs flag it as a “Trojan” or “Hacktool”
• Netcat installation in Linux:
– Most Linux distributions come with Netcat installed
– Type a command to check the version: nc -h or netcat -h
– If it is not installed:
• open a terminal
• type: apt-get install netcat
• type nc -h to confirm the installation
Netcat Operation Modes
• Client mode – connect to somewhere: nc [-options] hostname port[s] [ports] …
– Netcat as a client on your machine obtains some sort of information from another machine
• Server mode – listen for inbound: nc -l -p port [options] [hostname] [port]
– -l puts Netcat into listen mode
• nc hostname 20-80
• nc -z 192.168.12.40 20-80
Netcat Commands
• nc -v 192.168.12.40 80: HTTP banner grabbing using Netcat
• nc -v 192.168.12.40 22: SSH banner grabbing using Netcat
• nc -v -n 192.168.12.40 80: without DNS lookup (-n: numeric addresses only)
• nc -v 192.168.12.40 80: with DNS lookup
• nc -l -p 12345: listening server on port 12345
• nc -v -w2 -z 192.168.12.40 1-200: finding open TCP ports
• nc -l -p 12345 > dumpfile: redirect all received data into dumpfile
• nc -l -p 12345 >> dumpfile: also redirect, but append to dumpfile instead of replacing its current contents
• nc -l -p 12345
– You can try this on one computer as well as on two computers
– Open one terminal and type: nc -l -p 12345
– Open a second terminal and type: nc localhost 12345
Example: File Transmission using Netcat
• Create hack.txt in the Netcat folder
• Open one terminal and type: nc -l -p 1234 > hack.txt
• Open a second terminal and type: nc <target IP address> 1234 < hack.txt
SOCAT
• Socket: a socket address is the combination of an IP address and a port number, much like one end of a telephone connection is the combination of a phone number and a particular extension.
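The socket definition just above is what both Netcat modes on the preceding slides are built on: `nc -l -p PORT` binds a socket and waits, `nc HOST PORT` connects to one, and redirection (`> dumpfile`, `< hack.txt`) just moves bytes through it. The following added example (not code from the lecture or from Netcat) does the same with Python sockets so that both ends run in one process on the loopback address: the listener sends a constructed banner on connect (which is what banner grabbing reads), then stores everything the client sends; the client reads the banner, sends a payload standing in for hack.txt, and half-closes so the listener sees end-of-file. Port 0 asks the OS for a free ephemeral port, which keeps the demo from colliding with anything already listening.

```python
import socket
import threading

# Constructed banner, standing in for what a real service announces on connect.
BANNER = b"220 lab-ftp (constructed banner) ready\r\n"


def listen_once(bind_host="127.0.0.1", banner=BANNER):
    """Server side (like 'nc -l -p PORT > dumpfile'): bind an ephemeral port,
    accept one client, send the banner, then collect bytes until the client
    half-closes. Returns (port, thread, buffer); join the thread before use."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_host, 0))            # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    received = bytearray()

    def run():
        conn, _peer = srv.accept()
        with conn:
            conn.sendall(banner)
            while chunk := conn.recv(4096):   # empty chunk = client sent EOF
                received.extend(chunk)
        srv.close()

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    return port, worker, received


def connect_and_send(host, port, payload, timeout=5.0):
    """Client side (like 'nc HOST PORT < hack.txt'): read the banner line,
    send the payload, then shut down the write side so the listener sees EOF.
    Returns the banner that was grabbed."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        reader = conn.makefile("rb")
        banner = reader.readline()
        conn.sendall(payload)
        conn.shutdown(socket.SHUT_WR)
    return banner


def transfer_demo(payload=b"hello from hack.txt\n"):
    """Run both ends on loopback; returns (banner the client saw,
    bytes the listener received)."""
    port, worker, received = listen_once()
    banner = connect_and_send("127.0.0.1", port, payload)
    worker.join(timeout=5)
    return banner, bytes(received)


if __name__ == "__main__":
    grabbed, data = transfer_demo()
    print("banner:", grabbed.decode().strip())
    print("listener received:", data)
```

The `shutdown(SHUT_WR)` step is the detail most people miss when scripting a transfer: without it the listener's `recv` never returns an empty chunk, so it keeps waiting, which is the same reason an interactive `nc` transfer only finishes when the sending side closes.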
• SOCAT is similar to Netcat but with more security, working over various protocols through TCP sockets and UDP sockets
• Socat is used as:
– TCP port forwarder
– External input provider
– Attacker for weak firewalls
– Security testing and research
• Socat installation:
– Linux OS: sudo apt-get update && sudo apt-get install socat
• Socat operation phases:
– Init phase: logging is initialized
– Open phase: socat opens the first address and then the second address
– Transfer phase: watches both streams for reading and writing
Network Sniffer and Injector
• “Data to build up a web page is not a single message that hops on the highway but the end result of several packets following their own paths”
• Messages transmitted on the Internet traverse many different network core devices such as:
– Routers
– Switches
– Bridges
– Gateways
– Firewalls
• Network sniffers: tools that monitor the traffic passing through network core devices
• Network sniffers cannot easily interpret encrypted traffic
• Network sniffers:
– TCPDump or WinDump
– Wireshark
– Ettercap
– Hping
– Kismet
TCPDump & WinDump
• TCPDump: network sniffer for Unix operating systems
• WinDump: network sniffer for Windows operating systems
• TCPDump and WinDump require privileged access:
– Run with “sudo” in Linux
– Run as administrator in Windows
• TCPDump filters based on:
– Type: capture traffic by host or network
– Direction: from/to source
– Protocol: TCP traffic or UDP traffic
• Filtering based on type:
– $ tcpdump host 192.168.1.100 : traffic only to/from the given IP
– $ tcpdump host 192.168.1.100 and port 80
– $ tcpdump net 192.168.1.0/24 and port 80
• Filtering based on direction:
– $ tcpdump src host 192.168.1.100 and dst port 80
• Filtering based on protocol:
– $ tcpdump src host 192.168.1.100 and udp dst port 53
– $ tcpdump arp net 192.168.1.0
Wireshark
• Adds protocol analysis to traffic analysis
• Can be used to review traffic captured by tcpdump and WinDump
• Supports Windows and Linux OS
• Download and install the Wireshark software:
– Go to http://www.wireshark.org/download.html and download and install the Wireshark binary for your computer.
Initial Wireshark screen
Wireshark GUI during packet capture and analysis
• The Wireshark interface has five major components:
1. The command menus are standard pull-down menus located at the top of the window.
– The File menu allows you to save captured packet data or open a file containing previously captured packet data, and exit the Wireshark application.
– The Capture menu allows you to begin packet capture.
2. The packet-listing window displays a one-line summary for each packet captured, including:
– the packet number,
– the time at which the packet was captured,
– the packet’s source and destination addresses,
– the protocol type, and protocol-specific information contained in the packet.
– The protocol type field lists the highest-level protocol that sent or received this packet.
3. The packet-header details window provides details about the packet selected in the packet-listing window.
4. The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format.
5. Towards the top of the Wireshark graphical user interface is the packet display filter field, into which a protocol name or other information can be entered in order to filter the information displayed.
Example: HTTP Traffic Captured
Ettercap
• Runs on Linux-based operating systems
• Unified sniffing: monitors a single interface
• Bridged sniffing: monitors two interfaces
• Ettercap is an open-source tool written by Alberto Ornaghi and Marco Valleri.
• Ettercap is described by its authors as “a multipurpose sniffer/interceptor/logger for switched LANs”.
• Ettercap is a versatile network manipulation tool. It uses its ability to easily perform man-in-the-middle (MITM) attacks in a switched LAN environment as the launch pad for many of its other functions:
– Character injection
– Packet filtering
– Automatic password collection for many common network protocols
– SSH support
– HTTPS support
– Kill any connection
Ettercap Available Plug-ins
hping
• The ping command only sends ICMP Echo requests, while hping supports the TCP, UDP, ICMP and raw IP protocols.
• Functions of hping:
– Firewall testing
– Advanced port scanning
– Network testing, using different protocols, TOS, fragmentation
– Manual path MTU discovery
– Advanced traceroute, under all the supported protocols
– Remote OS fingerprinting
– Remote uptime guessing
– TCP/IP stack auditing
hping Commands
• hping www.google.com
• hping www.google.com -p 80
• hping www.google.com -p 79
• hping www.google.com -A -p 79
Kismet
• Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs.
• Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.
• The program runs under Linux and Mac OS X.
• The client can also run on Microsoft Windows, although, aside from external drones
• Installation of Kismet:
– sudo apt-get install kismet
• Configure Kismet:
– sudo gedit /etc/kismet/kismet.conf
• Create a username for Kismet:
– suiduser=chintan
• Provide the wireless source:
– source=wifi_mac_IAP
• Starting Kismet:
– sudo kismet
• Kismet server, for collecting data:
– sudo kismet_server
• Kismet client, for presenting the data to the user:
– kismet_client
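The tcpdump filter expressions on the TCPDump & WinDump slide (type, direction and protocol qualifiers joined with `and`) and the Wireshark display filter field both select packets by predicate. As an added example (not code from the lecture, from tcpdump or from Wireshark), here is a small evaluator for that expression grammar run over constructed packet summaries: it supports `host`, `net` and `port` with optional `src`/`dst` and protocol prefixes, plus `and`, `or`, `not` and parentheses, and returns which packets each filter would let through. The packet records, addresses and port numbers are all made up; a bare `net 192.168.1.0` is given a prefix length from its trailing zero octets, which is how tcpdump reads that form.

```python
import ipaddress

# Constructed packet summaries standing in for captured traffic.
# sport/dport are None for ARP, which has no transport ports.
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.100", "sport": 51234, "dst": "93.184.216.34", "dport": 80},
    {"proto": "udp", "src": "192.168.1.100", "sport": 41000, "dst": "192.168.1.1", "dport": 53},
    {"proto": "tcp", "src": "10.9.8.7", "sport": 40000, "dst": "192.168.1.100", "dport": 22},
    {"proto": "arp", "src": "192.168.1.1", "sport": None, "dst": "192.168.1.100", "dport": None},
    {"proto": "tcp", "src": "192.168.1.55", "sport": 33000, "dst": "93.184.216.34", "dport": 443},
]

PROTOCOLS = {"tcp", "udp", "icmp", "arp"}
QUALIFIERS = {"src", "dst", "host", "net", "port"}


def parse_net(text):
    """'192.168.1.0/24' as written; bare '192.168.1.0' -> /24 from trailing zero octets."""
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    zeros = 0
    for octet in reversed(text.split(".")):
        if octet != "0":
            break
        zeros += 1
    return ipaddress.ip_network(f"{text}/{32 - 8 * zeros}", strict=False)


def compile_filter(expression):
    """Turn a tcpdump-style expression into a predicate on a packet dict.
    Grammar: expr = term ('or' term)*; term = factor ('and' factor)*;
    factor = 'not' factor | '(' expr ')' | [proto] [src|dst] (host|net|port) value | proto."""
    tokens = expression.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def primitive():
        if peek() == "(":
            take()
            node = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        proto = take() if peek() in PROTOCOLS else None
        if proto and peek() not in QUALIFIERS:        # bare 'tcp', 'arp', ...
            return lambda p: p["proto"] == proto
        direction = take() if peek() in ("src", "dst") else None
        kind, value = take(), take()
        if kind == "host":
            fields, test = {"src": "src", "dst": "dst"}, (lambda v: v == value)
        elif kind == "net":
            net = parse_net(value)
            fields = {"src": "src", "dst": "dst"}
            test = lambda v: v is not None and ipaddress.ip_address(v) in net
        elif kind == "port":
            port = int(value)
            fields, test = {"src": "sport", "dst": "dport"}, (lambda v: v == port)
        else:
            raise ValueError(f"unknown qualifier {kind!r}")
        wanted = [direction] if direction else ["src", "dst"]   # no direction = either end

        def pred(p):
            if proto and p["proto"] != proto:
                return False
            return any(test(p[fields[d]]) for d in wanted)
        return pred

    def factor():
        if peek() == "not":
            take()
            inner = factor()
            return lambda p: not inner(p)
        return primitive()

    def term():
        left = factor()
        while peek() == "and":
            take()
            left = (lambda a, b: lambda p: a(p) and b(p))(left, factor())
        return left

    def expr():
        left = term()
        while peek() == "or":
            take()
            left = (lambda a, b: lambda p: a(p) or b(p))(left, term())
        return left

    result = expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return result


def matching_packets(expression, packets=PACKETS):
    """Indexes of the packets the expression would select."""
    pred = compile_filter(expression)
    return [i for i, p in enumerate(packets) if pred(p)]


if __name__ == "__main__":
    for f in ("host 192.168.1.100", "src host 192.168.1.100 and dst port 80",
              "src host 192.168.1.100 and udp dst port 53", "arp net 192.168.1.0"):
        print(f"{f!r:50} -> packets {matching_packets(f)}")
```

Note the precedence: `and` binds tighter than `or`, and a protocol word in front of `dst port 53` restricts that one primitive only, so `src host X and udp dst port 53` means "source X, and a UDP packet to port 53", exactly as on the slide.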