DOCSLIB.ORG

Ethical, Scale, and Continuity Concerns for Censorship Measurement

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Ethical, Scale, and Continuity Concerns for Censorship Measurement Ethical, Scale, and Continuity Concerns for Censorship Measurement Roya Ensafi CensoredPlanet.com 1 In my lab, we... develop frameworks to detect network interference, apply these frameworks to understand the behavior of network intermediaries, and use this understanding to defend against interference by building tools that safeguard users. 2 My Group Draws on Diverse Intellectual Methods Networking & Building tools for adversarial measurements Measurement Systems Creating scalable, efficient, and usable tools Analyzing attacks and adversaries, and Security creating defenses to protect users Social & Understanding ethics/impact of research, and Political collaborating with domain experts, NGOs, etc. 3 Reports suggest Internet censorship practices are diverse in their methods, targets, timing, differing by regions, as well as across time. 4 Reports suggest Internet censorship practices are diverse in their methods, targets, timing, differing by regions, as well as across time. Russia attempts to block millions of IP Iraq govt downs Internet in response to addresses in battle against Telegram massive anti-corruption protests, July, app 2018 From Internet Intelligence Map 5 Internet Censorship: A Simplified View DNS query Resolver cnn.com HTTP requests (opt) TLS handshake TCP handshake Company ISP ISP User IP routing Server Techniques for disruptions: - Internet shutdown - IP address blacklisting - RST injection - SNI blocking - HTTP keyword filtering 6 Why Measure Internet Censorship? ● What is censored, when, for which users, by who ● Advocacy and Transparency are important - Inform users about what they are missing user - Help diplomats and others who make policy decisions ● What technical mechanisms and tools (DPIs) are used ? - Can help to improve defense technology - GFW can cause harm → Great Cannon [*] ● Why and how this blocking affects societies Site [*] Analysis of China’s “Great Cannon” by Marczak, Weaver, Dalek, Ensafi, Fifield, McKune, Rey, Scott-Railton, Deibert, and Paxson (In: USENIX FOCI’15) 7 How To Measure Internet Censorship? PROBLEM: - How can we detect whether pairs of hosts around the world can talk to each other? user ? Site 8 How To Measure Internet Censorship? PROBLEM: - How can we detect whether pairs of hosts around the world can talk to each other? user STATE OF THE ART: - Deploy hardware or software at hosts ? (RIPE Atlas, OONI probes) - Ask people on the ground, or use VPNs, or research networks (PlanetLab) THREE KEY CHALLENGES: Site Coverage, ethics, and continuity 9 OONI: Open Observatory of Network Interference OONI network: - Volunteer can install OONI Probe on iOS, Android, Linux & MacOS (web UI) user INTERPRET the DATA: - If Control != Experiment → Possible censorship - Confirm a case of censorship when ? they have detected a block page. [*] Control Key Challenges for Longitudinal Measurement: - Ethics, coverage, and continuity Site [*] from OONI overview slides 10 OONI: Ethical, Coverage and Continuity Challenges EFFORT 1: detailed and honest consent form - They explicitly say: “Anyone monitoring your internet activity (e.g. ISP) will know that you are running OONI Probe.” 11 OONI: Ethical, Coverage and Continuity Challenges EFFORT 1: detailed and honest consent form EFFORT 2: established close relationships with locals and civil society 12 OONI: Ethical, Coverage and Continuity Challenges EFFORT 3: Keep the community of volunteer involved EFFORT 4: Dedicated Focus and Open Source Pledge EFFORT 5: Greate Funders including Open Technology Fund (OTF), M-lab, FREE PRESS,... https://api.ooni.io/stats 13 Thinking Like an “Attacker”… These machines blindly follow Internet protocol rules such as Thinking Like an Attacker... TCP/IP. How can we leverage standard protocol behaviors to detect whether two distant hosts can communicate? 140 million public live IPv4 addresses 14 Measuring Internet Censorship Globally… Remotely! PROBLEM: - How can we detect whether pairs of hosts around the world can talk to each other from somewhere else in the world user ? - Can we identify intermediary machines that arguably constitute “infrastructure” to reduce risk for volunteers? Site 15 Spooky Scan Spooky Scan uses TCP/IP side channels to detect whether a user and a site can communicate (and in which direction packets are blocked) user ? Goal: Detect blocking from off-path ? * TCP Idle Scan Antirez, (Bugtraq 1998) * Detecting Intentional Packet Drops on the Internet via TCP/IP Side Channels Site Roya Ensafi, Knockel, Alexander, and Crandall (PAM ’14) * Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking 16 Roya Ensafi, Park, Kapur, and Crandall (Usenix Security 2010) Augur Augur Augur is a follow up system that uses the same TCP/IP side channels to detect blocking from off-path. user ? Goal: Scalable, ethical, and statistically robust ? system to continuously detect blocking. Site * Augur: Internet-Wide Detection of Connectivity Disruption P. Pearce*, R. Ensafi*, F. Li, N. Feamster, V. Paxson (* joint first authors) 17 TCP/IP TCP Handshake: SYN-ACK RST SYN [IP ID:X] Port status is open/closed SYN/ACK [IP ID: Y] ACK [IP ID:X+1] SYN SYN/ACK SYN/ACK SYN/ACK Port status is open 18 Spooky Scan Requirements “User” (Reflector) Site Must maintain a Open port and global value for IP ID retransmitting SYN-ACKs Measurement Machine Must be able to spoof packets 19 Spooky Scan Reflector IP ID Measurement Reflector machine Site 20 Spooky Scan No direction blocked 1 SYN/ACK Reflector IP ID: 7000 Measurement Reflector machine Site 21 Spooky Scan No direction blocked 1 SYN/ACK Reflector IP ID: 2 RST [IP ID: 7000] 7000 Measurement Reflector machine Site 22 Spooky Scan No direction blocked 1 SYN/ACK Reflector IP ID: 2 RST [IP ID: 7000] 7000 Measurement Reflector machine 3 Spoofed SYN [src: Reflector IP] Site 23 Spooky Scan No direction blocked 1 SYN/ACK Reflector IP ID: 2 RST [IP ID: 7000] 7000 Measurement Reflector machine 3 Spoofed SYN [src: Reflector IP] SYN/ACK 4 Site 24 Spooky Scan No direction blocked 1 SYN/ACK Reflector IP ID: 2 RST [IP ID: 7000] 7000 7001 Measurement Reflector machine 3 Spoofed SYN [src: Reflector IP] SYN/ACK 4 5 RST [IP ID: 7001] Site 25 6 SYN/ACK Spooky Scan 7 RST [IP ID: 7002] No direction blocked 1 SYN/ACK Reflector IP ID: 2 RST [IP ID: 7000] 7000 7001 7002 Measurement Reflector machine 3 Spoofed SYN [src: Reflector IP] SYN/ACK 4 5 RST [IP ID: 7001] Site 26 Probe [IP ID: 7003] 6 SYN/ACK Spooky Scan 7 RST [IP ID: 7002] No direction blocked 1 SYN/ACK Reflector IP ID: 2 RST [IP ID: 7000] 7000 7001 7002 Measurement Reflector 7003 machine 3 Spoofed SYN [src: Reflector IP] SYN/ACK 4 5 RST [IP ID: 7001] Site 27 Probe [IP ID: 7002] 5 SYN/ACK Spooky Scan 6 RST [IP ID: 7001] Site-to-Reflector 1 SYN/ACK Reflector IP ID: 2 RST [IP ID: 7000] 7000 Blocked 7001 7002 Measurement Reflector machine 3 Spoofed SYN [src: ClientIP] SYN/ACK 4 Site 28 6 SYN/ACK Spooky Scan 7 RST [IP ID: 7002] Reflector-to-Site 1 SYN/ACK Reflector IP ID: 2 RST [IP ID: 7000] 7000 Blocked 7001 7002 Measurement machine 3 5 RST Spoofed SYN [src: ClientIP] SYN/ACK 4 Site 29 Probe [IP ID: 7004] 6 SYN/ACK Spooky Scan 7 RST [IP ID: 7002] Reflector-to-Site 1 SYN/ACK Reflector IP ID: 2 RST [IP ID: 7000] 7000 Blocked 7001 7002 Measurement 7003 machine 7004 3 5 RST Spoofed SYN [src: ClientIP] SYN/ACK 4 Site 30 Spooky Scan Site-to-Reflector No Direction Reflector-to-Site Blocked Blocked Blocked IP ID1 = 1 IP ID1 = 2 IP ID1 = 2 IP ID2 = 1 IP ID2 = 1 IP ID2 = 2 31 Coping with Reflector IP ID Noise Amplifying the signal Reflector Effect of sending N spoofed SYNs: Site-to-Reflector Blocked No Direction Blocked Reflector-to-Site Blocked IP ID1 = (1 + noise) IP ID1 = (1 + N + noise) IP ID1 = (1 + N + noise) IP ID2 = noise IP ID2 = noise IP ID2 = (1 + N + noise) 32 Coping with Reflector IP ID Noise Amplifying the signal Reflector Effect of sending N spoofed SYNs: Site-to-Reflector Blocked No Direction Blocked Reflector-to-Site Blocked IP ID1 = (1 + noise) IP ID1 = (1 + N + noise) IP ID1 = (1 + N + noise) IP ID2 = noise IP ID2 = noise IP ID2 = (1 + N + noise) Repeating the experiment To eliminate the effects of packet loss, sudden bursts of packets, ... 33 Augur Framework All responsive IPs Reflector selection User input Target Reflector Detection countries Characterization 34 Augur Framework All responsive IPs Reflector selection User input Target Reflector Detection countries Characterization Site Site address characterization 35 Augur Framework All responsive IPs Reflector selection User input Target Reflector Detection countries Characterization Probing Site Site address Scheduler characterization 36 Augur Framework All responsive System output IPs Reflector selection Detection/ User input Ref-to-Site Validation blocking — OR — Target Reflector Detection Site-to-Ref blocking countries Characterization Probing — OR — No blocking — OR — Site Error Site address Scheduler characterization 37 THREE KEY CHALLENGES: Coverage, ethics, and continuity Coverage Scanning IPv4 on port 80: - 22.7 million potential reflectors! Compare: 10,000 in prior work (RIPE Atlas) Challenge: Need global vantage points from which to measure 38 Reflector IP ID: Ethics 1000 1001 1002 Reflector SYN/ACK 4 Challenge: Probing 5 RST banned sites from [IP ID: 1001] users’ machines creates risk Site 39 THREE KEY CHALLENGES: Coverage, ethics, and continuity Ethics Use only infrastructure devices to source probes Internet Challenge: Probing User banned sites from users’ machines Global IP ID 22.7 million 236 countries (and creates
Load more

Recommended publications
  • Inferring TCP/IP-Based Trust Relationships Completely Off-Path
    ONIS: Inferring TCP/IP-based Trust Relationships Completely Off-Path Xu Zhang Jeffrey Knockel Jedidiah R. Crandall Department of Computer Science Department of Computer Science Department of Computer Science University of New Mexico University of New Mexico University of New Mexico [email protected] [email protected] [email protected] Abstract—We present ONIS, a new scanning technique that researcher in country X who wants to learn if network traffic can perform network measurements such as: inferring TCP/IP- from a host in country Y can connect to a Tor server in country based trust relationships off-path, stealthily port scanning a Z. Performing this measurement off-path is necessary when target without using the scanner’s IP address, detecting off- path packet drops between two international hosts. These tasks vantage points (VPNs, Planet Lab nodes, etc.) are limited or typically rely on a core technique called the idle scan, which is unavailable in some countries. Ensafi et al. detail this off- a special kind of port scan that appears to come from a third path trust relationship testing by using the idle scan in [2]. machine called a zombie. The scanner learns the target’s status Specifically, they measured packet drops from clients to Tor from the zombie by using its TCP/IP side channels. directory servers by using machines with global incrementing Unfortunately, the idle scan assumes that the zombie has IP identifiers (IPIDs) which exhibit the now-discouraged behavior IPIDs as vantage points without those machines being under of being globally incrementing. The use of this kind of IPID their control.
    [Show full text]
  • Hacking Techniques & Intrusion Detection
    Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail All materials is licensed under a Creative Commons “Share Alike” license. • http://creativecommons.org/licenses/by-sa/3.0/ 2 # whoami • Ali Al-Shemery • Ph.D., MS.c., and BS.c., Jordan • More than 14 years of Technical Background (mainly Linux/Unix and Infosec) • Technical Instructor for more than 10 years (Infosec, and Linux Courses) • Hold more than 15 well known Technical Certificates • Infosec & Linux are my main Interests 3 Scanning and Fingerprinting Outline • Diving into Important Network Protocols (TCP, UDP, ICMP, ARP, etc) • Nmap – Intro. • Host Discovery • Tracing the Route • Port Scanning • OS and Service Fingerprinting • Learning Python in 4 Slides • Packet Crafting 5 Diving into Important Network Protocols • Diving into Important Network Protocols: – TCP – UDP – ICMP – ARP – HTTP – etc 6 Nmap • "Network Mapper” is a free and open source utility for network discovery and security auditing. - Fyodor • IMO: #1 tool in your security arsenal! Important Note: A huge difference between running Nmap as a privileged/unprivileged user! 7 Host Discovery • Identifying Live Systems • Also called “Network Sweep” • Nmap ping sweeps: – Ping Only (-sP) – ARP Ping (-PR) – ICMP Echo Request Ping (-PE) – TCP SYN Ping (-PS) – TCP ACK Ping (-PA) – UDP Ping (-PU) DEMO 8 Assignment #1 • Why do host discovery or network sweeping if we already have the target list of IP(s)? 9 Tracing the Route • Nmap --traceroute option • DEMO DEMO 10 Port Scanning • The act of testing a remote
    [Show full text]
  • How to Scan a Network with Hping3
    How To Scan a Network With Hping3 Hping3 Hping3 is a command-line oriented TCP/IP packet assembler and analyser and works like Nmap. The application is able to send customizes TCP/IP packets and display the reply as ICMP echo packets, even more Hping3 supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features like DDOS flooding attacks. Hping3 can be used to perform: OS fingerprinting ICMP pings Traceroute Port scanning Firewall testing Test IDSes Network testing and auditing MTU discovery Exploit and vulnerabilities discovery DDOS and ICMP flooding Hping3 comes pre-installed with Kali Linux but and can also be installed on most Linux distros, also you need to run the commands with sudo privileges. Visit the official documentation at to learn more on how you can use Hping3 http://www.hping.org/documentation.php Useful Options -h Show this help -v Show version -c Packet count -i –interval –flood -V Verbose mode -D Debugging -f Fragment packets -Q Display sequence number -0 RAW IP mode -1 ICMP mode -2 UDP mode -8 SCAN mode -9 listen mode -F Set the FIN flag -S Set the SYN flag -P Set the PUSH flag -A Set the ACK flag -U Set the URG flag Commands Send a ACK packet to a target hping3 –A 192.168.100.11 HPING 192.168.100.11 (eth0 192.168.100.11): A set, 40 headers + 0 data bytes len=46 ip=192.168.100.11 ttl=128 id=29627 sport=0 flags=R seq=0 win=32767 rtt=4.0 ms len=46 ip=192.168.100.11 ttl=128 id=29628 sport=0 flags=R seq=1 win=32767 rtt=2.0 ms len=46 ip=192.168.100.11
    [Show full text]
  • Nmap Tutorial 1/10 2004-10-10 Lätt Redigerad Av Jan-Erik Jonsson
    NMap tutorial 1/10 2004-10-10 Lätt redigerad av Jan-Erik Jonsson Basic Scan Types [-sT, -sS] TCP connect() Scans [-sT] SYN Stealth Scanning [-sS] FIN, Null and Xmas Tree Scans [- sF, -sN, -sX] Ping Scanning [-sP] UDP Scans [-sU] IP Protocol Scans [-sO] Idle Scanning [-sI] ACK Scan [-sA] Window Scan, RPC Scan, List Scan [-sW, -sR, -sL] Timing And Hiding Scans Timing Decoys FTP Bounce Turning Pings Off Fragmenting Idle Scanning http://www.security-forums.com/forum/viewtopic.php?t=7872 NMAP - A Stealth Port Scanner by Andrew J. Bennieston 1 INTRODUCTION ................................................................................................................................................. 2 2 DISCLAIMER...................................................................................................................................................... 2 3 BASIC SCAN TYPES [-ST, -SS] ........................................................................................................................... 2 3.1 TCP connect() Scans [-sT]........................................................................................................................ 2 3.2 SYN Stealth Scanning [-sS]....................................................................................................................... 2 4 FIN, NULL AND XMAS TREE SCANS [-SF, -SN, -SX] ......................................................................................... 3 5 PING SCANNING [-SP] ......................................................................................................................................
    [Show full text]
  • Censored Planet: Global Censorship Observatory
    Censored Planet: Global Censorship Observatory Roya Ensafi University of Michigan Dec 27,2018 In my research lab, we ... develop frameworks to detect network interference, apply these frameworks to understand the behavior of network intermediaries, and use this understanding to defend against interference by building tools that safeguard users. Reports suggest Internet censorship practices are at rise! Network Interference Can Happen on Any Layer 1 A user types www.cnn.com into the browser 2 OS sends a DNS query to learn the IP address 3 Browser fetches the website Authoritative 4 Browser loads third-party resources DNS resolver DNS resolver www.cnn.com Server CDN PoP Home ISP User gateway router ISP router Server Transit Client Side Network Server Side Network Interference Can Happen on Any Layer 1 A user types www.cnn.com into the browser 2 OS sends a DNS query to learn the IP address 3 Browser fetches the website 4 Browser loads third-party resources DNS resolver www.cnn.com Server CDN PoP Home ISP User gateway router ISP router Server Transit Client Side Network Server Side Measuring Censorship is a Complex Problem! Internet censorship practices are diverse in their methods, targets, timing, differing by regions, as well as across time. Why Measure Censorship? NETWORK CENSORSHIP IS ON THE RISE ● Information controls harm citizens ● Spreading beyond the large powers ● Frequently opaque in topic & technique WE NEED DATA TO: ● Support transparency & accountability ● Improve technological defenses ● Inform users & public policy Why Measure
    [Show full text]
  • NMAP - a Stealth Port Scanner
    NMAP - A Stealth Port Scanner Andrew J. Bennieston http://www.nmap-tutorial.com Contents 1 Introduction 4 2 Disclaimer 4 3 Basic Scan Types [-sT, -sS] 4 3.1 TCP connect() Scan [-sT] . 4 3.2 SYN Stealth Scan [-sS] . 5 4 FIN, Null and Xmas Tree Scans [-sF, -sN, -sX] 6 5 Ping Scan [-sP] 7 6 UDP Scan [-sU] 8 7 IP Protocol Scans [-sO] 8 8 Idle Scanning [-sI] 9 9 Version Detection [-sV] 10 10 ACK Scan [-sA] 10 11 Window Scan, RPC Scan, List Scan [-sW, -sR, -sL] 11 12 Timing and Hiding Scans 11 12.1 Timing . 11 12.2 Decoys . 11 12.3 FTP Bounce . 12 12.4 Turning Off Ping . 12 12.5 Fragmenting . 12 12.6 Idle Scanning . 13 13 OS Fingerprinting 13 14 Outputting Logs 13 15 Other Nmap Options 13 15.1 IPv6 . 13 15.2 Verbose Mode . 13 15.3 Resuming . 13 15.4 Reading Targets From A File . 14 15.5 Fast Scan . 14 15.6 Time-To-Live . 14 2 16 Typical Scanning Session 14 17 Frequently Asked Questions 18 17.1 I tried a scan and it appeared in firewall logs or alerts. What else can I do to help hide my scan? . 18 17.2 NMAP seems to have stopped, or my scan is taking a very long while. Why is this? . 19 17.3 Will -sN -sX and -sF work against any host, or just Windows hosts? 20 17.4 How do I find a dummy host for the Idle Scan (-sI)? . 20 17.5 What does ”Host seems down.
    [Show full text]
  • CEH Study Guide
    CEH Study Guide Exam Code 312-50v8 Version 8 Study Guide Provided by TrainACE© The Certified Ethical Hacker Certification covers the fundamentals of hacking, footprinting and scanning. A CEH certification indicates than an individual possess the skills, knowledge and ability to effectively exploit and defend their own systems. This study guide focuses on Trojans, Linux, Servers, Networks and other forms of hacking to equip future Ethical Hackers with the tools to pass the CEHv8 exam and succeed in their field. Study Guide Provided by TrainACE© Q: Robert hopes to start a career in computer security. As a new college-level student, he has just learned the term ethical hacking, which is a key part of secure information systems. Of the below options, choose which will be key areas of expertise for Robert’s future career. Answer is complete. Select more than one answer if applicable. a. Robert needs to gain a large body of knowledge about how computers function, with special regard to networking and programming. b. Operating systems are very important to Robert’s career. Because companies utilize varying operating systems, including Windows (multiple versions), Mac (multiple versions), UNIX, and Linux, he must develop an advanced understanding of each of the major operating systems. c. Robert should gain familiarity with computing and hardware platforms, which are key to software development. d. Robert should be able to write reports related to his field and have great expertise in communication relating to computer security. Solution: All of the above are correct. Breakdown: Each of the above areas is important for Robert’s future career.
    [Show full text]
  • Openbsd DNS Cache Poisoning and Multiple OS Predictable IP ID
    OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability Amit Klein October-November 2007 OpenBSD DNS Cache Poisoning for OpenBSD and Multiple O/S Predictable IP ID Vulnerability Abstract The paper describes a weakness in the pseudo random number generator (PRNG) in use by OpenBSD, Mac OS X, Mac OS X Server, Darwin, NetBSD, FreeBSD and DragonFlyBSD to produce random DNS transaction IDs (OpenBSD) and random IP fragmentation IDs (OpenBSD, Mac OS X, Mac OS X Server, Darwin, NetBSD, FreeBSD and DragonFlyBSD – the latter three only if the kernel flag net.inet.ip.random_id is 1). A technique is disclosed that allows an attacker to detect the algorithm used and predict its next values. This technique can be used to conduct DNS cache poisoning attack on OpenBSD DNS server (which is a modified BIND 9 server) in caching mode. A predictability algorithm is described that typically provides 8-10 possible guesses for the next transaction ID value, thereby overcoming whatever protection offered by the transaction ID mechanism. This enables a much more effective DNS cache poisoning than the currently known attacks against the OpenBSD DNS server. The net effect is that pharming attacks are feasible against OpenBSD caching DNS servers, without the need to directly attack neither DNS servers nor clients (PCs). A similar technique is disclosed to detect the algorithm used for the IP fragmentation ID generation (thereby enabling fingerprinting, traffic analysis and host alias detection for OpenBSD, Mac OS X, Mac OS X Server and Darwin (and NetBSD, FreeBSD, DragonFlyBSD, if the kernel flag net.inet.ip.random_id is 1), as well as detecting “missing” IDs, which can be used in nmap’s IdleScan method (as the “zombie” machine whose IP is used to scan the actual target host).
    [Show full text]
  • Measuring and Circumventing Internet Censorship | 2014:65
    Philipp Winter | Measuring and circumventing Internet censorship | | Measuring Philipp Winter Measuring and circumventing Internet censorship Measuring and An ever increasing amount of governments, organisations, and companies employ Internet censorship in order to filter the free flow of information. These efforts are supported by an equally increasing number of companies focusing on circumventing the development of filtering equipment. Only what these entities consider right can pass the filters. This practice Internet censorship constitutes a violation of the Universal Declaration of Human Rights and hampers progress. This thesis contributes novel techniques to measure and 2014:65 to circumvent Internet censorship. In particular, we 1) analyse how the Great Firewall of China is blocking the Tor network by using active probing techniques Philipp Winter as well as side channel measurements, we 2) propose a concept to involve users in the process of censorship analysis, we 3) discuss the aptitude of a globally- deployed network measurement platform for censorship analysis, and we 4) propose a novel circumvention protocol. We attach particular importance to practicality and usability. Most of the techniques proposed in this thesis were implemented and some of them are deployed and used on a daily basis. ISBN 978-91-7063-605-9 Faculty of Health, Science and Technology ISSN 1403-8099 Computer Science DISSERTATION | Karlstad University Studies | 2014:65 DISSERTATION | Karlstad University Studies | 2014:65 Measuring and circumventing Internet
    [Show full text]
  • Network Security Security Aspects of TCP/IP
    Network Security Security aspects of TCP/IP Radboud University, The Netherlands Spring 2017 A short recap I Within the same subnet, it’s fairly easy to sniff traffic I Hubs distribute data to everyone (but are largely obsolete) I Use ARP cache poisoning on switched Ethernet I Wireless LAN behaves a lot like hubbed Ethernet I Protecting against ARP spoofing is hard: ARP does not support authentication I WiFi is generally easier to access than wired network (no physical protection) I WiFi uses encryption to protect access to the network I WEP (Wired Equivalent Privacy) is broken (aircrack-ng) I WPA (Wireless Protected Access) fixes some problems but still uses weak RC4 (TKIP) I Problems properly solved in WPA2: uses AES (CCMP) instead of RC4 I Most threatening in WPA2: bad passphrases, backwards-compatible TKIP I Additional threat: WiFi Protected Setup (WPS) Network Security – Security aspects of TCP/IP2 How bad is the TKIP problem? I Current attacks do not recover TKIP key I But they do: I Decrypt, re-encrypt and re-use short TKIP packets up to seven times (Becks–Tews, 2009) I ARP spoofing trivially possible I Inject arbitrary amounts of packets, each up to 112 bytes (Vanhoef–Piessens, 2013) I Port scanner against any client using WPA-TKIP I Decryption of arbitrary packets sent to client I Can be used to hijack TCP I Also works when TKIP is used as a group cipher (common setup) I Stop using TKIP I iw dev wlp0s1 scan | grep TKIP Network Security – Security aspects of TCP/IP3 Layers and layers I Recall the 4-layer IP model: I Link layer I Internet
    [Show full text]
  • Chapter Gathering Network and Host Information: Scanning And
    Chapter Gathering Network and Host Information: 3 Scanning and Enumeration CEH EXAM OBJecTIVes COVERED in This CHAPTER: ÛÛDefine the terms port scanning, network scanning, and vulnerability scanning ÛÛUnderstand the CEH scanning methodology ÛÛUnderstand ping sweep techniques ÛÛUnderstand nmap command switches ÛÛUnderstand SYN, stealth, XMAS, NULL, IDLE, and FIN scans ÛÛList TCP communication flag types ÛÛUnderstand war-dialing techniques ÛÛUnderstand banner grabbing and OS fingerprinting techniques ÛÛUnderstand how proxy servers are used in launching an attack ÛÛHow do anonymizers work? ÛÛUnderstand HTTP tunneling techniques ÛÛUnderstand IP spoofing techniques ÛÛWhat is enumeration? ÛÛWhat is meant by null sessions? ÛÛWhat is SNMP enumeration? ÛÛWhat are the steps involved in performing enumeration? 525203c03.indd 63 3/17/10 6:03:20 PM Scanning is the first phase of active hacking and is used to locate target systems or networks for later attack. Enumeration is the follow-on step once scanning is complete and is used to identify computer names, usernames, and shares. Scanning and enumeration are discussed together in this chapter because many hacking tools perform both steps simultaneously. Scanning After the reconnaissance and information-gathering stages have been completed, scanning is performed. It is important that the information-gathering stage be as complete as possi- ble to identify the best location and targets to scan. During scanning, the hacker continues to gather information regarding the network and its individual host systems. Information such as IP addresses, operating system, services, and installed applications can help the hacker determine which type of exploit to use in hacking a system. Scanning is the process of locating systems that are alive and responding on the network.
    [Show full text]
  • Scanning Topics
    CIT 480: Securing Computer Systems Scanning Topics 1. Port Scanning 2. Stealth Scanning 3. Version Identification 4. OS Fingerprinting Port Scanning Port scanning is a method of discovering potential input channels on a host by proving the TCP and UDP ports on which services may be listening. nmap TCP connect() scan > nmap -sT scanme.nmap.org Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-26 Nmap scan report for scanme.nmap.org (74.207.244.221) Host is up (0.11s latency). Not shown: 996 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 1720/tcp filtered H.323/Q.931 9929/tcp open nping-echo done: 1 IP address (1 host up) scanned in 9.92 seconds Scanning Techniques 1. TCP connect() scan 2. TCP SYN scan 3. TCP FIN scan 4. TCP Xmas scan 5. TCP Null scan 6. TCP ACK scan 7. Fragmentation Scan 8. FTP bounce scan 9. Idle Scan 10. UDP scan TCP connect() scan • Use connect() system call on each port, following normal TCP connection protocol (3-way handshake). • connect() will succeed if port is listening. • Advantages: fast, requires no privileges • Disadvantages: easily detectable and blockable. TCP SYN Scan • Send SYN packet and wait for response – SYN+ACK • Port is open • Send RST to tear down connection – RST • Port is closed • Advantage: less likely to be logged or blocked • Disadvantage: requires root privilege TCP FIN scan • Send TCP FIN packet and wait for response – No response • Port is open – RST • Port is closed. • Advantages: more stealthy than SYN scan • Disadvantages: MS Windows doesn’t follow standard (RFC 793) and responds with RST in both cases, requires root privilege.
    [Show full text]