CYBER SECURITY

Prof. Chintan Patel [email protected]

• Do you use a “Laptop or Lappy”?
• Do you use a “Mobile or cell”?
• Do you surf the Internet?
• Do you use WhatsApp?

• Want to be safe from cyber attacks?

• Want to make INDIA free from cyber attacks?
• Then...

Let us LEARN...

CYBER SECURITY

Introduction to Computer Networks and Internet

Internet

• What is the Internet?

  – One-sentence definition...

• What are the nuts & bolts of the Internet?

• Computer network: interconnects hundreds of millions of computing devices

Hosts

• TVs, laptops, gaming consoles, cell phones, web cams, automobiles, environmental sensing devices...

Communication Link

• Transmission medium used to carry data in the form of packets at a particular transmission rate.

Router

• A network device that takes a packet from a connected communication link and forwards it based on its destination.

Switch

• Connects multiple hosts.

ISP

• Internet Service Provider

Think about Smart Home !!!!!

Protocol

A set of rules

• Human protocols

• Defines the format and order of messages exchanged, as well as the actions taken on transmission.

• Computer network protocols:
  – HTTP
  – FTP
  – SMTP
  – etc.

Types of Services

• Connection-oriented service
  – Sends a control packet before transmitting actual data
  – 3-way handshaking (TCP)
  – Reliable, flow control, congestion control
  – TCP: HTTP, FTP, TELNET, SMTP

• Connectionless service
  – No handshaking
  – Faster delivery
  – UDP: media streaming, video conferencing

Physical Media

• Bit: propagates between transmitter/receiver pairs
• Physical link: what lies between transmitter & receiver
• Guided media:
  – signals propagate in solid media: copper, fiber, coax
• Unguided media:
  – signals propagate freely, e.g., radio

Twisted Pair (TP)
• two insulated copper wires
  – Category 3: traditional phone wires, 10 Mbps Ethernet
  – Category 5: 100 Mbps Ethernet

Physical Media: coax, fiber

Coaxial cable:
• two concentric copper conductors
• bidirectional
• baseband:
  – single channel on cable
  – legacy Ethernet
• broadband:
  – multiple channels on cable
  – HFC

Fiber optic cable:
• glass fiber carrying light pulses, each pulse a bit
• high-speed operation:
  – high-speed point-to-point transmission (e.g., 10’s-100’s Gbps)
• low error rate: repeaters spaced far apart; immune to electromagnetic noise

Protocols of Each Layer

Network Port

• A network port is a number that identifies one side of a connection between two computers.
• Computers use port numbers to determine to which process or application a message should be delivered.

Computer Database

• A computer database is, as the name implies, a collection of data stored within a computer. It is like an electronic file cabinet full of documents.
• What makes computer databases useful is the ease with which the data can be entered, stored and manipulated.

History Of Internet

Prehistoric

• Smoke signals

• Talking drums:
  – A message can be delivered 100 miles in 1 hour

Before Common Era (BCE)

• Pigeons

• Hydraulic Semaphore

• 1790’s : Semaphore lines

• 1830’s : Electric Telegraph

• 1870’s: Telephone

• 1890’s: Radio
• 1920’s: Television
• 1960’s: Satellite

Computer Network beginning

• 1960’s:
  – Fiber optics
  – Packet switching by Kleinrock

• 1969: Four nodes (UCLA, Stanford, UCSB and Univ. of Utah) connected by 50 kbps links
• ARPANET (Advanced Research Projects Agency)

• 1972: ARPANET connected 15 nodes; email was introduced

The 1970’s

• Different networks emerged
  – ALOHANet (microwave)
  – DARPA Satellite
  – BBN Commercial

• 1976: Ethernet by Metcalfe
• Internetwork these networks (Internet)
• End of 1970s: TCP/IP by Kahn and Cerf

• 1981: 213 hosts on ARPANET

1980’s

• 1982: TCP/IP formalized
• 1982: SMTP (Email)
• 1983: Domain Name System (DNS)
• 1986: Internet Engineering Task Force
• 1988: OSI Reference Model released
• 1989: Routing protocols: BGP, RIP

The 1990’s

• Early 1990’s: Commercialization of the Internet (ISPs)
• 1991: World Wide Web (WWW)
• 1995’s: Many new applications
  – Instant messaging, P2P, e-commerce (eBay, Amazon)
• 1998: Google Search
• 1999: WiFi (wireless)

2000’s

• 2003: Skype
• 2004: Facebook
• 2005: YouTube
• 2006: Twitter
• 2008: Cloud-based services (e.g. Dropbox)
• 2010: Instagram (photo sharing)
• 2011: Google+

References

• PPT of Kurose and Ross

• Computer network, Bodhi tree, IIT Bombay

Content

• IP Address
• Protocol
• Port
• System Vulnerability
• Types of Vulnerability scanners

Internet Protocol Address

• IPv4 address: a 32-bit unique address used to connect to a host system

  – Class A: 1.xxx.xxx.xxx to 126.xxx.xxx.xxx
  – Class B: 128.0.xxx.xxx to 191.0.xxx.xxx
  – Class C: 192.0.0.xxx to 223.0.0.xxx

• Loopback address: 127.xxx.xxx.xxx
• IPv6 address: represented as a series of eight 16-bit hexadecimal fields separated by colons (:), in the format x:x:x:x:x:x:x:x

• 128-bit address in total

Protocol

A set of rules

• Human protocols

• Defines the format and order of messages exchanged, as well as the actions taken on transmission.

• Computer network protocols:
  – HTTP
  – FTP
  – SMTP
  – etc.

Types of Services

• Connection-oriented service
  – Sends a control packet before transmitting actual data
  – 3-way handshaking (TCP)
  – Reliable, flow control, congestion control
  – TCP: HTTP, FTP, TELNET, SMTP

• Connectionless service
  – No handshaking
  – Faster delivery
  – UDP: media streaming, video conferencing

Port

• A port is the identity of a process or service

• It is a 16-bit unsigned integer

• Port numbers range from 0 to 65535

• IANA (Internet Assigned Numbers Authority) is responsible for assigning port numbers for use.

Well Known Port

• Ports 0 to 1023 are known as well-known port numbers
• Used by system processes that provide networking services.

• Famous well-known ports:
  – 20, 21: FTP data and control ports
  – 22: SSH (Secure Shell) for secure login
  – 23: Telnet for unencrypted text transmission
  – 25: Simple Mail Transfer Protocol
  – 53: Domain Name System
  – 520: Routing Information Protocol

Registered Port

• Ranges from 1024 to 49151
• Assigned by IANA for specific services upon application by the requesting entity
• Used by ordinary users

• Examples:
  – Proxy server ports
  – Virtual private network ports
  – Ports requested by IBM, Apple, Oracle and many other companies for their specific services

Dynamic, Private or Ephemeral ports

• Ranges from 49152 – 65535

• Cannot be registered with IANA

• Used for private or temporary purposes

IP + Port

• IP: to connect to a system
• Port: to connect to a process or application
• (IP address) : (port number)

• If the IP address is a telephone number, then the port number is the extension.

Port Scanner

• A port scanner is a software application designed to probe a server or host for open ports.
• Used by administrators to verify the security policies of their networks
• Used by attackers to identify running services on a host with a view to compromising it.

• Examples :

Port Scanning

• The main goal of port scanning is to find out which ports are open, which are closed and which are filtered.

• Open port: a port on which an application is actively accepting TCP or UDP traffic.
  – Finding open ports is the primary goal of port scanning
  – Each open port is an avenue for attack
  – Attackers want to exploit the open ports.
  – Network administrators want to protect them with a firewall
  – Also important for non-security scans, to identify available services
• Closed port: a port which is accessible but has no application listening on it
  – Used for host discovery, OS detection
  – Network administrators want to block it with a firewall to reduce its accessibility.
• Filtered port: a port which cannot be reached by the port scanner
  – Cannot identify whether it is open or closed
  – Filtering can come from a firewall device, routing rules, or firewall software
• Unfiltered port: a port which can be reached by the port scanner, but it cannot be determined whether it is open or closed
• If the port is open:
  – Send SYN packet
  – Response will be a SYN + ACK packet

• If the port is closed:
  – Send SYN packet
  – Response will be an RST packet

• If the port is filtered:
  – Send SYN packet
  – No response
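The SYN, SYN + ACK, RST and no-response rules above, applied from the defender's side as an added example (not part of the original slides): it classifies each probed port from captured TCP flags and goes one step further by flagging a source that probes several ports without ever completing a handshake. The packet records, addresses, function names and the three-port threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed capture: (src, dst, src_port, dst_port, tcp_flags).
# S=SYN, SA=SYN+ACK, RA=RST+ACK, R=RST, A=ACK. Addresses are made up.
PACKETS = [
    ("10.0.0.5", "10.0.0.9", 40001, 22, "S"),
    ("10.0.0.9", "10.0.0.5", 22, 40001, "SA"),
    ("10.0.0.5", "10.0.0.9", 40001, 22, "R"),    # prober tears down, never ACKs
    ("10.0.0.5", "10.0.0.9", 40002, 23, "S"),
    ("10.0.0.9", "10.0.0.5", 23, 40002, "RA"),
    ("10.0.0.5", "10.0.0.9", 40003, 25, "S"),    # dropped by a firewall: no reply
    ("10.0.0.5", "10.0.0.9", 40004, 80, "S"),
    ("10.0.0.9", "10.0.0.5", 80, 40004, "SA"),
    ("10.0.0.5", "10.0.0.9", 40004, 80, "R"),
    ("10.0.0.7", "10.0.0.9", 51000, 80, "S"),    # ordinary client
    ("10.0.0.9", "10.0.0.7", 80, 51000, "SA"),
    ("10.0.0.7", "10.0.0.9", 51000, 80, "A"),    # handshake completed
]


def analyse(packets):
    """Track every initial SYN and what, if anything, came back."""
    state = {}         # (client, cport, server, sport) -> port state
    completed = set()  # connections where the client sent the final ACK
    for src, dst, sport, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            state[fwd] = "filtered"          # stays filtered if nothing answers
        elif rev in state and flags == "SA":
            state[rev] = "open"
        elif rev in state and "R" in flags:
            state[rev] = "closed"
        elif flags == "A" and state.get(fwd) == "open":
            completed.add(fwd)
    return state, completed


def port_states(packets, client):
    """Port states as observed by one client: {dst_port: state}."""
    state, _ = analyse(packets)
    return {conn[3]: s for conn, s in state.items() if conn[0] == client}


def suspected_scanners(packets, min_ports=3):
    """Sources that probed >= min_ports ports and completed no handshake.

    min_ports is an illustrative threshold, not a tuned value.
    """
    state, completed = analyse(packets)
    probed, finished = defaultdict(set), defaultdict(int)
    for conn in state:
        probed[conn[0]].add((conn[2], conn[3]))
        finished[conn[0]] += conn in completed
    return sorted(s for s in probed
                  if len(probed[s]) >= min_ports and finished[s] == 0)


if __name__ == "__main__":
    print(port_states(PACKETS, "10.0.0.5"))
    print(suspected_scanners(PACKETS))
```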

• If the target machine is protected by a firewall, then its firewall rules decide what the response of the machine will be.

Vulnerability scanning or Weakness scanning

• A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses.
or
• Vulnerability scanning means searching for security bugs on a single system or across a network

• Requirements of a vulnerability scanner:
  – Discovering bugs present in the network and network firewall
  – Discovering new possible vulnerabilities
  – Discovering systems in the network which are vulnerable to outside attack.
• Zero-day vulnerability: a weakness which is identified for the first time in a system or network.

• False negative: vulnerability exists but scanner says there is no vulnerability

• False positive: Vulnerability does not exist but scanner says there is vulnerability

• Vulnerability scanner must be able to identify zero-day vulnerability and should not suffer from false positive or false negative

• Vulnerability scanner: depends on the techniques used for
  – Host discovery
  – Port scanning
  – Other vulnerability scanning

Types of Vulnerability scanner

• Port scanner
• Network vulnerability scanner
• Web application security scanner
• Database security scanner
• Host-based vulnerability scanner

Identifying open port and services

• Telnet (port no. 23) lacks encryption, and anyone can read data transferred on this port.

• So for the attacker: identify an open telnet port
• For the network admin: configure the telnet service on any other unknown port no.

nmap port scanner

• nmap: network mapping is an open source scanner which was developed by Fyodor.
• Most popular port scanner for /Unix machines

• Services by nmap:
  – Port scanning
  – Identify all the running services on the network
  – Identifying and protocol versions
  – TCP scan, UDP scan, ICMP scan

Footprinting

• Gathering information about a computer system and the companies it belongs to.

• www.ping.au
• http://whois.domaintools.com

Banner Grabbing

• After identifying running services, let us identify the software and version behind each service.

• Open command prompt:
  – telnet localhost 21

Cyber Security

Content

• Port scanning
• OpenVAS
• Network vulnerability scanning
  – Netcat
  – Socat
• Network sniffers

Port scanning

• Port scanner: software designed to probe a server or host for open ports
  – Used by administrators to verify security policy
  – Used by attackers to identify running services on a host
• Port scan: a process that sends client requests to a server to find active ports.

• Open port: the host sends a reply indicating the port is active
• Closed port: the host sends a reply that the connection will be denied.
• Filtered: there was no reply from the host.
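The administrator's use of a port scan, as an added example (not from the original slides): a TCP connect probe maps a completed connection, a refusal and a missing reply to open, closed and filtered, and `audit` reports open ports that are missing from an allow-list. The function names, the allow-list and the loopback listeners are constructed for illustration; the probe completes a full connection instead of sending a bare SYN.

```python
import socket


def probe(host, port, timeout=0.5):
    """TCP connect probe returning 'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: a process is listening
    except ConnectionRefusedError:
        return "closed"      # host replied that the connection is denied
    except OSError:
        return "filtered"    # timeout or unreachable: no usable reply
    finally:
        s.close()


def audit(host, ports, allowed):
    """Ports that are open but absent from the allow-list (policy violations)."""
    return sorted(p for p in ports
                  if p not in allowed and probe(host, p) == "open")


def demo():
    """Constructed loopback scenario: approved listener, unapproved listener, free port."""
    approved, extra, spare = (socket.socket() for _ in range(3))
    for s in (approved, extra, spare):
        s.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    approved.listen()
    extra.listen()
    p_ok, p_extra, p_free = (s.getsockname()[1] for s in (approved, extra, spare))
    spare.close()                          # nothing holds p_free any more
    try:
        states = {"approved": probe("127.0.0.1", p_ok),
                  "unapproved": probe("127.0.0.1", p_extra),
                  "free": probe("127.0.0.1", p_free)}
        violations = audit("127.0.0.1", [p_ok, p_extra, p_free], allowed={p_ok})
        return states, violations == [p_extra]
    finally:
        approved.close()
        extra.close()


if __name__ == "__main__":
    print(demo())
```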

• A vulnerability can lie in the open ports or in the operating system of the running host

TCP Flags

• SYN: Synchronize, to initiate a connection
• ACK: Acknowledgment
• FIN: Finished
• RST: Reset

NMAP

• NMAP (Network Mapping) is a free open source port scanner available for Unix and Windows

Basic Scanning [-sT, -sS]

• TCP Connect(): method to establish a connection
  – If the connection is successful, the connection will be made
  – If the connection fails, the destination system may be offline or the port closed
• Scan -sT: nmap -sT 192.168.12.40
  – If the port is open, you can definitely connect
  – The disadvantage of this type of scanning is that it is easily detectable.

• SYN scan -sS: nmap -sS 192.168.12.40
  – Send SYN and receive SYN + ACK from the port: the port is open
  – Send SYN and receive RST from the port: the port is closed
  – Send SYN and receive no response on the port: it is filtered

  – The latest intrusion detection systems and firewalls can detect a SYN scan
• -sF scan: finding open filtered ports
  – nmap -sF 127.0.0.1
• Ping scanning [-sP]
  – Allows you to detect which computers are online in a specified range of IP addresses.
  – For UDP:
    • Send ECHO REQUEST; if ECHO REPLY is received, the system is up.
  – For TCP:
    • Send a SYN or ACK packet to a specific port (e.g. 80); if RST or SYN + ACK is received, the remote system is online
    • No response means either the remote system is offline or the port is filtered

Example

• UDP scan [-sU]
  – Send a 0-byte UDP packet to the target
    • If ICMP port unreachable is returned the port is closed, else open
  – Disadvantages:
    • A firewall may create a false positive effect: even if the port is closed, the firewall sends a port unreachable message
    • Slow scanning speed
  – Very rarely used for attack

• Fast scan [-F]
  – Does not scan all 65536 ports
  – Scans only the ports listed in the nmap system file

OpenVAS: Open Vulnerability Assessment Scanning

• “The world's most advanced Open Source vulnerability scanner and manager”
• OpenVAS is a combination of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution
• Collects & manages security information for networks, devices and systems
• Uses a client-server architecture
• The server keeps track of all the different vulnerability results
• The scanner in OpenVAS collects information
• Installed in / Backtracking

Network vulnerability scanning

• Types of attack:
  1. Passive attack: monitoring network traffic
    – Traffic analysis
    – Monitoring unprotected communication
    – Decrypting weakly encrypted traffic
    – Capturing authentication information such as passwords
  2. Active attack: bypass or break into a secured system
    – Attempt to break protection features
    – Inject malicious code into the network
    – Steal and modify information
• Network vulnerability scanning tools
  – NETCAT
  – SOCAT

• Netcat: Netcat is a networking program designed to read and write data across both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
  – Port scanning
  – File transferring
  – Banner grabbing
  – Port listening and redirection
• Netcat installation in Windows:
  – Download the file from: www.vulnwatch.org/netcat/nc111nt.zip
  – Unzip the file at a location of your choice

• Open CMD → nc -h
• Netcat is used by network testing managers for testing the security of a network target system
• Malicious users use Netcat to gain access to a remote or target system
• Some antivirus products flag it as a “Trojan” or “Hacktool”

• Netcat installation in Linux:
  – Most Linux OSes come with Netcat installed
  – Type this command to check the version: nc -h or netcat -h
  – If it is not installed:
    • Open a terminal
    • Type: apt-get install netcat
    • Type nc -h to confirm the installation

Netcat Operation Modes

• Client mode
  – Connect to somewhere: nc [-options] hostname port[s] [ports] …
  – Netcat runs as a client on your machine to obtain some sort of information from another machine

• Server mode
  – Listen for inbound: nc -l -p port [options] [hostname] [port]
  – -l means put Netcat into listen mode

• nc hostname 20-80
• nc -z 192.168.12.40 20-80

Netcat commands

• nc -v 192.168.12.40 80 : HTTP banner grabbing using Netcat
• nc -v 192.168.12.40 22 : SSH banner grabbing using Netcat
• nc -v -n 192.168.12.40 80 : with nslookup
• nc -v 192.168.12.40 80 : without nslookup
• nc -l -p 12345 : listening server on port 12345
• nc -v -w2 -z 192.168.12.40 1-200 : finding open TCP ports
• nc -l -p 12345 > dumpfile : redirects all output into dumpfile.
• nc -l -p 12345 >> dumpfile : also redirects output, but appends it and does not replace the current contents.
• nc -l -p 12345

• You can try this on one computer as well as on two computers
• Open one terminal and type: nc -l -p 12345
• Open a second terminal and type: nc localhost 12345

Example: File Transmission using Netcat

• Create hack.txt in the Netcat folder
• Open one terminal and type: nc -l -p 1234 > hack.txt
• Open a second terminal: nc [target IP address] 1234 < hack.txt

SOCAT

• Socket: a socket address is the combination of an IP address and a port number, much like one end of a telephone connection is the combination of a phone number and a particular extension.

• SOCAT is similar to Netcat but with more security, and works over various protocols through TCP sockets and UDP sockets
• Socat is used as a:
  – TCP port forwarder
  – External input provider
  – Attacker for weak firewalls
  – Security testing and research

• Socat installation:
  – Linux OS: sudo apt-get update && sudo apt-get install socat

• Socat operation phases:
  – Init phase: logging is initialized
  – Open phase: Socat opens the first address and then the second address
  – Transfer phase: watches both stream read and write file

Network sniffer and Injector

• “Data to build up a web page is not a single message that hops on the highway but it is the end result of several packets following their own path”

• Messages transmitted over the Internet traverse many different network core devices, like:
  – Routers
  – Switch
  – Bridge
  – Gateways
  – Firewall
• Network sniffers: tools that monitor the traffic that passes through network core devices
• Network sniffers cannot easily identify encrypted traffic
• Network sniffers:
  – TCPDump or windump
  – Wireshark
  – Ettercap
  – Hping
  – Kismet

TCPDump & Windump

• TCPDump: network sniffer for Unix operating systems
• Windump: network sniffer for the Windows operating system

• TCPDump and windump require privileged access:
  – Run with “sudo” in Linux
  – Run as an administrator

• TCPDump filters are based on:
  – Type: capture traffic by host or web
  – Direction: from/to source
  – Protocol: TCP traffic or UDP traffic
• Filtering based on type:
  – $ tcpdump host 192.168.1.100 : traffic only to/from the given IP
  – $ tcpdump host 192.168.1.100 and port 80
  – $ tcpdump net 192.168.1.0/24 and port 80

• Filtering based on direction:
  – $ tcpdump src host 192.168.1.100 and dst port 80

• Filtering based on protocol:
  – $ tcpdump src host 192.168.1.100 and udp dst port 53
  – $ tcpdump arp net 192.168.1.0

Wireshark

• Adds protocol analysis to traffic analysis
• Can be used to review traffic captured by tcpdump and windump
• Supports Windows and Linux

• Download and install the Wireshark software:
  – Go to http://www.wireshark.org/download.html and download and install the Wireshark binary for your computer.

Initial wireshark screen

Wireshark GUI during packet capture and analysis

• Wireshark interface has five major components:

1. The command menus are standard pull-down menus located at the top of the window.
  • The File menu allows you to save captured packet data or open a file containing previously captured packet data, and exit the Wireshark application.
  • The Capture menu allows you to begin packet capture.
2. The packet-listing window displays a one-line summary for each packet captured, including
  – the packet number,
  – the time at which the packet was captured,
  – the packet’s source and destination addresses,
  – the protocol type, and protocol-specific information contained in the packet.
  – The protocol type field lists the highest-level protocol that sent or received this packet.
3. The packet-header details window provides details about the packet selected in the packet-listing window.

4. The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format.

5. Towards the top of the Wireshark graphical user interface is the packet display filter field, into which a protocol name or other information can be entered in order to filter the information

Example HTTP Traffic captured

Ettercap

• Runs on Linux-based operating systems
• Unified sniffing: monitors a single interface
• Bridged sniffing: monitors two interfaces
• Ettercap is an open-source tool written by Alberto Ornaghi and Marco Valleri.
• Ettercap is described by its authors as “a multipurpose sniffer/interceptor/logger for switched LANs.”
• Ettercap is a versatile network manipulation tool. It uses its ability to easily perform man-in-the-middle (MITM) attacks in a switched LAN environment as the launch pad for many of its other functions:
  – Character injection
  – Packet filtering
  – Automatic password collection for many common network protocols
  – SSH support
  – HTTPS support
  – Kill any connection

Ettercap Available plug-in

hping

• The ping command only checks ICMP echo requests, while hping supports the TCP, UDP, ICMP and IP protocols.
• Functions of hping:
  – Firewall testing
  – Advanced port scanning
  – Network testing, using different protocols, TOS, fragmentation
  – Manual path MTU discovery
  – Advanced traceroute, under all the supported protocols
  – Remote OS fingerprinting
  – Remote uptime guessing
  – TCP/IP stacks auditing

hping commands

• hping www.google.com
• hping www.google.com -p 80
• hping www.google.com -p 79
• hping www.google.com -A -p 79

Kismet

• Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs.
• Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.
• The program runs under Linux and Mac OS X.
• The client can also run on , although, aside from external drones

• Installation of Kismet:
  – sudo apt-get install kismet
• Configure Kismet:
  – sudo gedit /etc/kismet/kismet.conf
• Create a username for Kismet:
  – suiduser=chintan
• Provide the wireless source:
  – source=wifi_mac_IAP
• Starting Kismet:
  – sudo kismet
• Kismet server, for collecting data:
  – sudo kismet_server
• Kismet client, for presenting data to the user:
  – kismet_client