Introduction to InfoSec – Recitation 09 · 2015. 5. 10.
Nir Krakowski (nirkrako at post.tau.ac.il), Itamar Gilad (infosec15 at modprobe.net)


Page 1: Introduction to InfoSec – Recitation 09

Nir Krakowski (nirkrako at post.tau.ac.il)
Itamar Gilad (infosec15 at modprobe.net)

Page 2: Today

• Network attacks continued
• Web 101 –
  o HTTP
  o Cookies
  o HTML
  o PHP
  o SQL

Page 3: ARP in a Nutshell

• ARP = Address Resolution Protocol
• A bridge between IP and Ethernet, which helps make a local network “work”
• Most important functionality – translate IP addresses to MAC addresses so we can actually send packets!
• Two major messages –
  o ARP request – “Who is at 192.168.1.1?”
  o ARP reply – “192.168.1.1 is at A1:B2:C3:D4:E5:F6”

Page 4: ARP Poisoning

• To avoid making an ARP request before sending every IP packet, each host has a local cache.
• Another trick to avoid excessive ARP requests is that every host sends a broadcast ARP reply when it comes online / at every interval, to let everyone know its MAC address (known as “Gratuitous ARP”)
• Most implementations are stateless by design, and will happily store ARP replies even if they didn’t issue a request (for the reasons stated above)
• Result – everyone on the local network can impersonate any other host, by sending a malicious ARP reply in their name.

Page 5: ARP Poisoning

• Attack scenario – (diagram)
Diagram Copyright: http://gm.kochar.com/post/WEB-SPOOFING.aspx
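An added example, not the recitation's own Scapy demo: a pure-Python ARP monitor in the spirit of the "ARP Monitor" demo listed later. It parses raw Ethernet/ARP frames, keeps the IP-to-MAC bindings a stateless cache would accept, and flags the two signs of the poisoning described on the slides above: a reply nobody asked for, and a reply that changes an existing binding. The frame builder and all addresses are constructed for offline testing.

```python
import struct
from typing import Dict, List, Optional, Set
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame: bytes) -> Optional[dict]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": _mac(frame[22:28]), "spa": ".".join(map(str, frame[28:32])),
            "tha": _mac(frame[32:38]), "tpa": ".".join(map(str, frame[38:42]))}

def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a constructed ARP frame for offline testing (requests go to the broadcast MAC)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tha)
    return (dst + mac(sha) + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

class ArpMonitor:
    def __init__(self) -> None:
        self.table: Dict[str, str] = {}   # IP -> MAC, i.e. what the hosts' ARP caches now hold
        self.pending: Set[str] = set()    # IPs somebody recently sent a request for

    def observe(self, frame: bytes) -> List[str]:
        alerts: List[str] = []
        arp = parse_arp(frame)
        if arp is None or arp["op"] not in (ARP_REQUEST, ARP_REPLY):
            return alerts
        if arp["op"] == ARP_REQUEST:
            self.pending.add(arp["tpa"])
            return alerts
        ip, mac = arp["spa"], arp["sha"]
        if ip in self.pending:
            self.pending.discard(ip)
        else:  # stateless caches accept this anyway, whether gratuitous or forged
            alerts.append(f"unsolicited reply: {ip} is at {mac}")
        old = self.table.get(ip)
        if old is not None and old != mac:
            alerts.append(f"binding changed: {ip} was at {old}, now at {mac}")
        self.table[ip] = mac
        return alerts
```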

Page 6: Ping Reflection (“smurf attack”)

• We want to DoS a host, but we’re not fast enough…
• So we’ll get everyone else to join!
• Basic concept – send a ping request to everyone, but put the target’s IP address in the source of the packet.
• Result – everyone will send a reply to the target, effectively DDoSing it.
Diagram copyright: http://onlinehelp.avs4you.com/AVS-Firewall/Introduction/NetworkAttacks.aspx

Page 7: Scapy demos

• ARP Monitor
• DNS traceroute (see at home)
• MAC Flooding

Page 8: Ping / Traceroute Using Different Protocols

• Let’s assume TCP SYN / ICMP Echo requests are monitored / blocked, but you still want to know if a host is up, and/or what the network elements between you and the target are (traceroute)
• ARP Ping –
  o Send an ARP request for a host on the same subnet (can even use broadcast)
  o If you get a reply – that host is alive
• TCP Port Scan –
  o Instead of using a SYN packet, use a TCP data packet, and listen for an RST packet

Page 9: Ping / Traceroute Using Different Protocols

• DNS Traceroute –
  o DNS requests are almost always permitted since they are so vital
  o Contents are rarely checked
  o Playing with TTL = traceroute!
• UDP traceroute –
  o You already found out that the host will send you an ICMP Port Unreachable message when you send a UDP datagram to a certain closed port
  o But you want to find all the elements in the way
  o Solution – send and resend the packet, each time with a different IP TTL
  o You will get ICMP errors from many intermediate hosts
• TCP traceroute –
  o Same as UDP, and can use SYN on a known open port, an arbitrary data packet on a known open port, or data on a known closed port
• Basically – most services could be used for traceroute / ping given the right scenario

Page 10: No more sniffing…

• It used to be easy to sniff traffic on the local network
• All traffic went to everyone behind the same router on a hub-based network
• Now – switches galore!
• We still need to sniff traffic…
• Enter MAC Flooding

Page 11: Switches 101

• Switches know where to route packets by learning which MAC addresses are connected to which port
• This is done by seeing which source MACs appear on which ports, and storing this information in a fast look-up table (CAM)
• This table has to be very fast, so it must be limited in size.
• This is not an issue, since it is highly unlikely to run more than a few 100’s / 1000’s of hosts on the same layer-2 network, for other reasons.

Page 12: MAC Flooding

• We’re on a network, but that network uses switches, so we can’t sniff anything interesting…
• Or can we?
• What happens if we send out packets with different source MAC addresses? Will the switch refuse to learn new addresses?
• No! It will just fail over to operating like a hub – a ‘dumb’ repeater
Image Copyright: http://www.ciscozine.com/2009/01/05/protecting-against-mac-flooding-attack/
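An added example, not from the slides or the Scapy demo: a model of the learning switch from "Switches 101" with a bounded CAM table, showing why filling the table makes a unicast frame reach a third port (the hub-like fallback above), and the port-security style mitigation that the linked Cisco article's title refers to. The switch model, the per-port limit (max_per_port) and the scenario in flood_demo are constructed assumptions, not any vendor's actual algorithm.

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Set
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Learning switch with a bounded CAM table. When the table is full the oldest binding
    is evicted, so traffic for a forgotten destination is flooded out of every port: the
    hub-like fallback from the slide. max_per_port is an assumed port-security style cap."""
    def __init__(self, ports: List[int], cam_size: int, max_per_port: Optional[int] = None):
        self.ports, self.cam_size, self.max_per_port = ports, cam_size, max_per_port
        self.cam: Dict[str, int] = {}      # MAC -> port
        self.order: Deque[str] = deque()   # learning order, used to pick the eviction victim
        self.shutdown: Set[int] = set()    # ports disabled by the port-security check
        self.violations: List[str] = []

    def _learn(self, src: str, port: int) -> None:
        if src in self.cam:
            self.cam[src] = port
            return
        if self.max_per_port is not None and \
                sum(p == port for p in self.cam.values()) >= self.max_per_port:
            self.shutdown.add(port)
            self.violations.append(f"port {port}: too many source MACs, shut down")
            return
        if len(self.cam) >= self.cam_size:   # table full: forget the oldest binding
            del self.cam[self.order.popleft()]
        self.cam[src] = port
        self.order.append(src)

    def forward(self, in_port: int, src: str, dst: str) -> List[int]:
        if in_port not in self.shutdown:
            self._learn(src, in_port)
        if in_port in self.shutdown:       # tripped now or earlier: frame is dropped
            return []
        if dst != BROADCAST and dst in self.cam:
            return [] if self.cam[dst] == in_port else [self.cam[dst]]
        return [p for p in self.ports if p != in_port]   # unknown destination: flood

def flood_demo(n_fake: int, max_per_port: Optional[int] = None) -> dict:
    """Constructed scenario: A (port 1) talks to B (port 2); a host on port 3 emits frames
    from n_fake distinct source MACs; then A sends to B again and we record where it goes."""
    sw = Switch(ports=[1, 2, 3], cam_size=4, max_per_port=max_per_port)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.forward(1, a, BROADCAST)
    sw.forward(2, b, a)
    before = sw.forward(1, a, b)
    for i in range(n_fake):
        sw.forward(3, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", BROADCAST)
    after = sw.forward(1, a, b)
    return {"before": before, "after": after, "violations": sw.violations}
```

With no per-port limit the A-to-B frame that went only to port 2 is flooded to port 3 as well after the table is filled; with max_per_port=1 the offending port is shut down after its second source MAC and A's traffic stays on port 2.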

Page 13: HTTP

• Hyper Text Transfer Protocol
• Simple textual protocol over TCP port 80, stateless request-response model
• Requests –
  o [METHOD] [URI]\r\n
  o Headers\r\n\r\n
    e.g.: “GET /\r\n\r\n”
  o Headers –
    • Client type – User-Agent
    • Will the client support compression – Accept-Encoding
    • Client language
    • Last valid cache the client has
    • ….

Page 14: HTTP Response

• Responses –
  o [Numeric code] [String]\r\n
  o Headers\r\n\r\n
  o Data
  o Codes –
    • 200 OK
    • 302 Redirect
    • 404 Not found
    • 500 Server Error
    • 502 Gateway Error
    • ….

Page 15: Misc HTTP

• Extra things to know about –
  o HTTP Keep-Alive
  o HTTP Authentication
  o X-Forwarded-For (and X-we-are-hiring…)
• HTTPS is SSL / TLS transporting regular HTTP

Page 16: Cookies

• A way for the server to store something in the client’s browser for later use
• Cookies default to being domain specific
• Cookies have an expiry date
• Most authentication schemes use something like –
  o Client logs in via form
  o Server authenticates the user, sends back an encrypted and hashed cookie, valid for x days
  o Client browses through the site with no need to re-login for a few days
• Cookies come in a few flavors – ‘regular’, ‘HTTP only’ and ‘secure’
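An added example, not part of the slides: Python that serialises a request in the shape given on the HTTP slide, parses a raw response into the numeric code, string, headers and data of the HTTP Response slide, and then audits each Set-Cookie header for the ‘HTTP only’ and ‘secure’ flavors just listed. The sample response is constructed, not captured from any real server.

```python
from typing import Dict, List, Tuple

def build_request(method: str, uri: str, headers: Dict[str, str]) -> bytes:
    """Serialize a request as on the HTTP slide: request line, header lines, blank line."""
    lines = [f"{method} {uri} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_response(raw: bytes) -> Tuple[int, str, List[Tuple[str, str]], bytes]:
    """Split a raw response into (numeric code, reason string, headers, data).
    Headers come back as a list of pairs because Set-Cookie may legitimately repeat."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers (CRLF CRLF) not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)            # e.g. "HTTP/1.1 404 Not Found"
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {lines[0]!r}")
    code, reason = int(parts[1]), (parts[2] if len(parts) > 2 else "")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return code, reason, headers, body

def audit_cookies(headers: List[Tuple[str, str]], over_tls: bool) -> Dict[str, List[str]]:
    """For each Set-Cookie header, list which of the two flavors from the cookie slide it
    lacks: HttpOnly (otherwise script can read it) and, on an HTTPS site, Secure
    (otherwise the browser also sends it over plain HTTP)."""
    findings: Dict[str, List[str]] = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in ("HttpOnly", "Secure")
                   if flag.lower() not in attrs and (flag != "Secure" or over_tls)]
        findings[parts[0].split("=", 1)[0]] = missing
    return findings

# Constructed sample response for the functions above (not captured from a real server).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Set-Cookie: session=abc123; Path=/; HttpOnly; Secure\r\n"
                   b"Set-Cookie: lang=en; Path=/\r\n"
                   b"Content-Length: 28\r\n"
                   b"\r\n"
                   b"<html><body>hi</body></html>")
```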

Page 17: Cookies – cont.

• Cookies are a valuable commodity –
  o If I have your cookie – I AM YOU
  o Cookie stealing used to be very easy (simple Javascript), but now is pretty impossible (thank the SOP – Same Origin Policy)

Page 18: HTML

• Hyper Text Markup Language
• XML format representation of the DOM (Document Object Model)
• The DOM is the tree-like structure of the document
• You may interact with and modify the DOM via Javascript
• The browser renders the objects within the document and allows the user to interact with them
• HTML5 is geared towards the dynamic web, and provides many services (local storage, 3D API, async calls)
• CSS is used for design, HTML is used for structure

Page 19: Basic HTML Example

  <html>
    <head>
      <title>My title</title>
    </head>
    <body>
      <h1>Big letters!</h1> <br />
      <h6>Small letters!</h6>
    </body>
  </html>

Page 20: Forms and AJAX

• The two major ways to send user data as part of a web application are HTML forms and AJAX (Asynchronous Javascript And XML)
• HTML Forms –
  o <form action="/target.php" method="post">
      <input name="username" type="text" />
      <input name="password" type="password" />
      <input value="Submit" type="submit" />
    </form>
  o Will send the data as POST parameters to target.php upon clicking the submit button
• AJAX –
  o Read about jQuery and XMLHttpRequest()

Page 21: PHP

• Server-side processing language, commonly used in web applications
• Hybrid Perl & C syntax
• Once the web server supports processing PHP files, all that’s needed is –

  <?php
  echo "Hello, world!";
  ?>

Page 22: PHP – cont.

• Headers are sent using header() (all calls to header() must come before any data is sent)
• Data is sent via echo / print() calls (or anything that writes to stdout)
• Input is done via HTTP parameters – $_POST["var_name"]
• The body of the request can be had by reading from stdin directly: file_get_contents("php://input") or stream_get_contents(STDIN)

Page 23: PHP – Tips and Tricks

• Don’t forget the “;” at the end of each line
• Use the “or die();” syntax to quickly find when your code breaks
• Errors are hard to spot. Your machines should have error reporting enabled, but don’t expect much
• May need to revert to “printf debugging”
• You can run php on a file in a terminal, but understand you won’t have the environment available (there could be better tools out there)

Page 24: SQL

• Structured Query Language
• Very powerful interface to relational databases
• Tables have fields (columns) and rows
• Actions –
  o Select – query, return valid row(s)
  o Insert – add new row(s)
  o Update – change existing row(s)
  o Maintenance – create table, drop table, add column….
  o + Many more operations

Page 25: SQL

• For each action, you can select which fields to choose by, and which fields to return
• Examples –
  o SELECT * FROM users WHERE username = 'mitsi'
  o SELECT password FROM users WHERE username = 'mitsi'
  o UPDATE users SET password = '123456' WHERE username = 'mitsi'
  o INSERT INTO users VALUES ('myuser', 'mypass')

Page 26: PHP & SQL

• PHP has support for SQL (MySQL in our case)
• You’ll need to connect to the DB, and then you may query to your heart’s content
• Example on next slide
• Also, see the example within the exercise

Page 27: PHP SQL initialization

  <?php
  mysql_connect("your.hostaddress.com", "username", "password") or die(mysql_error());
  mysql_select_db("Database_Name") or die(mysql_error());
  ?>
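An added example, not the exercise's own PHP/MySQL code: the four statements from the SQL slide run from Python against an in-memory SQLite table standing in for the MySQL “users” table, with every user-supplied value passed as a bound parameter rather than pasted into the statement text. The last function keeps the concatenated form only to show the kind of input on which it stops working. Table, column names and data are constructed.

```python
import sqlite3
from typing import Optional, Tuple

def open_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the exercise's MySQL database: a 'users' table
    with the username/password columns the SQL slide queries."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    return db

def add_user(db: sqlite3.Connection, username: str, password: str) -> None:
    # INSERT INTO users VALUES ('myuser', 'mypass'), with the values bound as parameters
    # (a real application would store a password hash here, not the password itself)
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))

def find_user(db: sqlite3.Connection, username: str) -> Optional[Tuple[str, str]]:
    # SELECT * FROM users WHERE username = 'mitsi'
    cur = db.execute("SELECT username, password FROM users WHERE username = ?", (username,))
    return cur.fetchone()

def get_password(db: sqlite3.Connection, username: str) -> Optional[str]:
    # SELECT password FROM users WHERE username = 'mitsi'
    row = db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None

def set_password(db: sqlite3.Connection, username: str, new_password: str) -> int:
    # UPDATE users SET password = '123456' WHERE username = 'mitsi'; returns rows changed
    cur = db.execute("UPDATE users SET password = ? WHERE username = ?", (new_password, username))
    return cur.rowcount

def find_user_concat(db: sqlite3.Connection, username: str) -> Optional[Tuple[str, str]]:
    """The same SELECT assembled by string concatenation. Kept only to show why binding
    matters: an apostrophe in the input (a legitimate name such as o'brien) ends the
    string literal early and the database rejects the statement as a syntax error."""
    sql = "SELECT username, password FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchone()
```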

Page 28: Further reading & Tools

• w3schools.com, codecademy.com & php.net have everything you need to know
• Also, Google ☺
• Firefox Developer tools
• Fiddler really helps when you want to research an existing site
• XML verifiers / code beautifiers

Page 29: This week’s exercise

• Network attacks continued –
  o Implement some of the techniques presented
  o Be careful about affecting your network
  o Don’t abuse any other network – you are responsible for any damage you create
• Web primer –
  o First steps with HTML, PHP, SQL
  o No attacks for now (but don’t worry – next week!)

Page 30: Questions?