Network Security
Networking overview <-- --> networking and TCP/IP
Definition:
Fraud is the misuse of telecommunication products or services with the aim of
avoiding their costs or enriching oneself directly or indirectly!
Deliberate act
Threat due to lack of awareness, difficulty of detection, spread of hacker
information on the Internet, organizational errors, mishandling
Technical fraud:
Terminal equipment
-> free calls, manipulation of Taxcards, payphones (Publifon)
Network
-> cheaper calls, misconfiguration of exchanges
Billing system
-> pay less, exploiting software bugs
Organizational fraud:
Registration
-> false identity
Service modification -> free service
Premium-rate numbers -> collecting for faked traffic (lines registered under
a false identity)
Complaints
-> unjustified refunds, "defective" Taxcards
Cancellation
-> covering tracks
Fraud: Calling cards
Customers make calls from a payphone (Publifon) and are observed (camera); the card
number + access code are afterwards passed on to a great many people.
Identification of irregularities:
Sudden increase in traffic, traffic at unusual times, connections to only one
destination, extremely long connections, extremely short connections (call-back),
call frequency to one destination (PIN hacking)
Effects of fraud: loss of image, loss of profit, loss of quality
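Detection logic for the irregularity indicators listed above, as an added example that is not part of the original notes: the call records, the per-account baseline and the thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed call-detail records: (account, destination, start time, duration in seconds)
CDRS = [
    ("acct-1", "+41441234567", "2024-03-04T09:15:00", 240),
    ("acct-1", "+41447654321", "2024-03-04T10:02:00", 125),
    ("acct-2", "+12025550100", "2024-03-04T02:10:00", 30),    # night-time calls ...
    ("acct-2", "+12025550100", "2024-03-04T02:11:00", 28),    # ... all to one destination
    ("acct-2", "+12025550100", "2024-03-04T02:12:00", 35),
    ("acct-2", "+12025550100", "2024-03-04T02:13:00", 31),
    ("acct-3", "+49301112222", "2024-03-04T14:00:00", 7200),  # extremely long connection
    ("acct-4", "+41791110000", "2024-03-04T11:00:00", 3),     # burst of extremely short
    ("acct-4", "+41791110001", "2024-03-04T11:00:10", 2),     # connections (call-back pattern)
    ("acct-4", "+41791110002", "2024-03-04T11:00:20", 4),
    ("acct-4", "+41791110003", "2024-03-04T11:00:30", 3),
]
# Constructed baseline: usual number of calls per day for each account
BASELINE = {"acct-1": 3, "acct-2": 1, "acct-3": 2, "acct-4": 1}

NIGHT_HOURS = range(0, 6)           # assumed "unusual time" window
LONG_CALL, SHORT_CALL = 3600, 10    # assumed thresholds in seconds
REPEAT_CALLS = 4                    # assumed repeat count to one destination (PIN hacking)
TRAFFIC_FACTOR = 3                  # assumed multiple of the baseline that counts as a jump

def flag_irregularities(cdrs, baseline=BASELINE):
    """Return {account: set of indicator names}; accounts with no indicator are absent."""
    flags = defaultdict(set)
    per_account = defaultdict(list)
    for acct, dest, start, dur in cdrs:
        per_account[acct].append((dest, datetime.fromisoformat(start), dur))
    for acct, calls in per_account.items():
        dests = Counter(dest for dest, _, _ in calls)
        if len(calls) > baseline.get(acct, 1) * TRAFFIC_FACTOR:
            flags[acct].add("sudden traffic increase")
        if len(calls) > 1 and len(dests) == 1:
            flags[acct].add("connections to only one destination")
        if max(dests.values()) >= REPEAT_CALLS:
            flags[acct].add("high call frequency to one destination")
        for dest, start, dur in calls:
            if start.hour in NIGHT_HOURS:
                flags[acct].add("traffic at unusual times")
            if dur >= LONG_CALL:
                flags[acct].add("extremely long connection")
            if dur <= SHORT_CALL:
                flags[acct].add("extremely short connection")
    return dict(flags)
```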
Peer-to-Peer Networks (workgroup)
Workgroup = collection of computers that all reside on
a subnet and subscribe to the same SMB (Server Message Block) group
Structured Networks (Domains)
Domain = workgroup computers with a server acting as
a domain controller
one Primary Domain Controller (PDC)
multiple Backup Domain Controllers (BDC)
Server offers files, printers, serial ports, communication
abstractions (APIs, named pipes, mail slots)
SMB can be signed digitally
nbtstat -A shows Administrator and computer names
Protocol stack variants:
Application: SMB, Presentation: NetBIOS, Session+Transport+Network: NetBEUI
or Session+Transport: NetBIOS, Network: IPX
or Session: NetBIOS, Transport: TCP/UDP, Network: IP
NetBIOS (Network Basic Input/Output System)
Windows
Network Resource
Identifier
\\servername\accessname\path
NET command to issue SMB commands
NetBIOS Resource List: NET VIEW [\\Computername [/CACHE]
/DOMAIN[:Domänenname]]
Access a filesystem or resource: NET USE * \\SERVER\SHARE
Share a Resource NET SHARE name=Drive:Path
IPC$ Null Session: net use \\123.123.123.123\ipc$ "" /user:""
NetBios over TCP Statistics: NBTSTAT -n
Exploit shared resources:
nbtstat -A {ip-addr}       // get TARGET name list
net view \\TARGET          // see available services
net use * \\SERVER\SHARE   // mount share to a free drive letter
Ethical Hacking / Tiger
Team
Hacking on commission
Hardening
Configuring a system securely
Eavesdropping
attacks
Listening in
Spoofing
Deceiving, forging
Penetration
Breaking in
Denial of Service (DoS) Attack
Authentication (ID,username, password), Authorization(Access),
Accounting (Dates)
Authentication is based on what you know (password),
what you have (IP address), what you are (biological measurement)
Logon Process: username+ password->one way function
-> PW-Hash compare to saved PW-Hash on Server
NT Security Account Manager (SAM) file encryption
Default algorithm: DES; with the syskey.exe extension: RC4
NT passwords: max. 14 characters of 16-bit Unicode, transformed with RSA and MD4
Unix passwords: max. 8 characters of 7-bit ASCII;
PW hash stored encrypted
in /etc/passwd (user id) and /etc/shadow (password)
LAN Manager password: PW1 (7 bytes) -> DES,
MagicNumber + PW2 (7 bytes) -> DES, MagicNumber => MD4 => Hash
No distinction between upper- and lower-case letters
Problems with logon in networks: password sniffing, replay
attacks
Solution: challenge-response: client sends username to
server, server sends challenge, client sends response
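The logon process and the challenge-response exchange described above, as an added example that is not part of the original notes: the server stores only the PW-hash, issues a fresh random challenge per logon, and the client answers with a MAC over that challenge, so a sniffed response cannot be replayed. The choice of PBKDF2/HMAC-SHA-256, the salt and nonce sizes, and the user names are assumptions for illustration.

```python
import hashlib, hmac, secrets

def password_hash(password: str, salt: bytes) -> bytes:
    """The one-way function: applied at registration and again on every logon."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Server:
    def __init__(self):
        self.users = {}      # username -> (salt, stored PW-hash); the password itself is never kept
        self.pending = {}    # username -> outstanding challenge (single use)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, password_hash(password, salt))

    def challenge(self, username):
        """Step 2: answer the username with a fresh random challenge (and the user's salt)."""
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return self.users[username][0], nonce

    def verify(self, username, response):
        """Step 3: recompute the expected response; the challenge is consumed either way."""
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False
        expected = hmac.new(self.users[username][1], nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)

def client_response(password, salt, nonce):
    """Client side: rebuild the PW-hash, then MAC the server's challenge with it."""
    return hmac.new(password_hash(password, salt), nonce, "sha256").digest()

def demo():
    srv = Server()
    srv.register("alice", "correct horse battery")
    salt, nonce = srv.challenge("alice")              # step 1: client sends username
    resp = client_response("correct horse battery", salt, nonce)
    first = srv.verify("alice", resp)                 # genuine logon
    srv.challenge("alice")                            # a later logon gets a new challenge ...
    replayed = srv.verify("alice", resp)              # ... so a sniffed response no longer fits
    return first, replayed
```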
Password design:
Use design sentences, meaning of numbers and figures (4 = for),
replace and regroup, initial characters of the words in a sentence
Locks, tags/cards, special computers, USB tokens, chip cards
Fingerprint, voiceprint, iris/retina scanning, combined (face lip movements + voice)
User-ID/password not encrypted or base64 coded. Compare ID/password with .access file
SAS: Secure Attention Sequence (ALT-CTRL-DEL), switches to
kernel mode, no fake login screen
SAM database password hashes in \system32\config
Typical Attacks on Passwords
- Password guessing
- Password cracking: dictionary attack (word list),
exhaustive search (brute force)
- Password sniffing
- Keystroke monitoring
- Social engineering
Limit traffic at various ISO/OSI model layers:
application-level filtering; firewall: transport (stateful
inspection), network (secure routing); structured cabling, star topology
Internet ¦ Firewall ¦ DMZ (Demilitarized Zone): web server, mail server ¦ Firewall
¦ intranet PCs ¦ Firewall ¦ internal DNS, DB
Or firewall as a proxy.
Internet: public, universal access, no security
Intranet: private, limited access, tightly controlled
security
Extranet: trusted partners, shared security, security
gateways, VPN
Network Address Translation (NAT)
Version 1: the firewall has a few addresses that it shows to the outside;
ports stay the same
Version 2: the firewall has one IP address and swaps
the ports
- Allow everything, that’s not explicitly forbidden
- Forbid everything, that’s not explicitly allowed
Configuration example for ftp:
Type  SourceAddr  DestAddr        SourcePort  Dest.Port  Action
tcp   0.0.0.0/0   127.20.7.20/32  *           20         permit
tcp   0.0.0.0/0   127.20.7.20/32  *           21         permit
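A small rule evaluator, added here as an example that is not part of the original notes: it applies the ftp rule table above to sample packets under each of the two default policies ("forbid everything not explicitly allowed" vs. "allow everything not explicitly forbidden"). The packet values are constructed.

```python
import ipaddress

# Rules from the table: (type, source net, dest net, source port, dest port, action)
RULES = [
    ("tcp", "0.0.0.0/0", "127.20.7.20/32", "*", 20, "permit"),
    ("tcp", "0.0.0.0/0", "127.20.7.20/32", "*", 21, "permit"),
]

def matches(rule, pkt):
    """True if the packet (proto, src, dst, sport, dport) falls under the rule."""
    proto, src_net, dst_net, sport, dport, _ = rule
    p_proto, p_src, p_dst, p_sport, p_dport = pkt
    return (proto == p_proto
            and ipaddress.ip_address(p_src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(p_dst) in ipaddress.ip_network(dst_net)
            and (sport == "*" or sport == p_sport)
            and (dport == "*" or dport == p_dport))

def filter_packet(pkt, rules=RULES, default="deny"):
    """First matching rule wins; otherwise the default policy decides.
    default="deny"   -> forbid everything that is not explicitly allowed
    default="permit" -> allow everything that is not explicitly forbidden"""
    for rule in rules:
        if matches(rule, pkt):
            return rule[5]
    return default

# Constructed packets: (proto, src, dst, sport, dport)
FTP_CTRL  = ("tcp", "198.51.100.7", "127.20.7.20", 40123, 21)
FTP_DATA  = ("tcp", "198.51.100.7", "127.20.7.20", 40124, 20)
SSH       = ("tcp", "198.51.100.7", "127.20.7.20", 40125, 22)
OTHERHOST = ("tcp", "198.51.100.7", "127.20.7.21", 40126, 21)
UDP_21    = ("udp", "198.51.100.7", "127.20.7.20", 40127, 21)
```

With the default-permit policy the same two-line table lets the SSH packet through as well, which is the practical difference between the two policies.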
IDS: Intrusion Detection System
Security Policy: rules about security
VPN as a concept: group resources and clients of an open net
into virtual private networks (VPN); safer than an isolated LAN
VPN Protocols: IPSec, PPTP, L2TP (Layer 3)
VPN Flavors:
Remote access, Network separation, Application level tunnel
If the remote workstations are not secure, then VPNs
introduce new vulnerabilities into the network!
VPN extends the perimeter (more to control and administer)
Virtual LAN (VLAN): hub or switch ports are split up into groups (Layer
1+2)
Dial-up to a Remote Access Server (RAS): username, password,
call-back
IPSec: encryption tunnels: gateway-gateway, client-gateway
encryption and authentication of IP packets
Provides privacy, integrity and packet origin authentication
Internet Key Exchange (IKE), Authentication Header (AH):
MD5 hash or SHA-1, tunneling
Encapsulating Security Payload protocol (ESP): encryption
with DES, tunnelling, symmetric signature MD5, SHA-1
Point-to-Point Tunneling Protocol (PPTP)
PPTP is Microsoft's solution for remote access VPN, based
on PPP
(control: TCP port 1723, data: GRE, IP protocol 47) GRE
= Generic Routing Encapsulation
Point-to-Point Protocol (PPP)
PPP client authentication: Challenge Handshake Authentication
Protocol (CHAP), Password Authentication Protocol (PAP)
PPP encryption: Compression Control Protocol (CCP),
RSA RC4 standard with session key
Security Association (SA)
- Authentication algorithm and keys for AH
- Encryption algorithm and keys for ESP, cryptographic
synchronization for encryption
- Frequency of key changes, key lifetime
- SA source address
Layer 2 Tunneling Protocol (L2TP)
stack: Data¦IP¦L2TP¦UDP/TCP¦IPSEC¦IP¦PPP
Internet Society (ISOC): highest organisation
Internet Engineering Task Force (IETF), Internet Architecture
Board (IAB): RFCs
Internet Assigned Numbers Authority (IANA): domain names,
IP addresses, port numbers, protocol numbers
Internet standardization process: Request for Comments
(RFC)
Regional Internet Registrars (RIR): Asia-Pacific Network Information
Center (APNIC), Reseaux IP Europeens (RIPE NCC), American Registry for Internet
Numbers (ARIN)
Local Internet Registrars (LIR): Switch, ...
URL: host.secondleveldomain.toplevelDomain, e.g. www.hsr.ch
Generic Top Level Domains (gTLD):
edu,gov,mil,int
com,net,org
Country Code Top Level Domains: au, ca, ch, de, us
8 root name servers, which hold responsibility for the second-level domains
Distributed database:
running on name servers with the Berkeley Internet Name
Domain (BIND)
Contact by UDP port 52 (requests and responses) and TCP
port 53 (zone, i.e. database, transfers)
Zone: file with many resource
records
Authoritative servers: answer queries, keep the zone
Non-authoritative servers (caching servers): forward queries,
store the response in the cache
DNS Resource Records: use nslookup to get entries
[A]      IP address
[CNAME]  Canonical name
[MX]     Mail exchange records
[LOC]    Location
[SIG]    Cryptographic signature
Resolve process: 1. hosts file, 2. cache, 3. query DNS
Whois: central registry database
for finding e-mail addresses, postal addresses and telephone
numbers of those who have registered "objects"
whois.ripe.net, whois.arin.net
.com domains: rs.internic.net
.ch domains: nic.switch.ch
example: whois hsr.ch
Simple Mail Transfer Protocol (SMTP)
TCP-Port 25, Messages transferred as 7-bit ASCII,
spools or queues
SMTP commands 1: HELO hostname, MAIL FROM:<sender-adr.>,
RCPT TO:<recipient-adr>, DATA mailbody, QUIT
SMTP commands 2: RSET (reset), VRFY name (checks local
user), EXPN (list names in local mail list), HELP
Multipurpose Internet Mail Extension (MIME)
MIME-Version, Content-Type, Content-Transfer-Encoding
(base64), optional header
Post Office Protocol (POP3)
TCP port 110, fetch messages
POP commands: USER name, PASS secret, STAT, LIST [msg],
RETR msg, DELE msg, RSET, NOOP, QUIT
Internet Message Access Protocol 4 (IMAP4)
TCP port 13, mails stored on the server