Network Security Quick Reference Ch1-4

 

A PDF copy of this note can be downloaded freely at: MediaFire

Table of Contents

Chapter 1: Introduction to Network Security
  Unsecure Behavior
  Network Security
  Assets
  Security Objectives (CIA)
  CIA Relationship
  Vulnerability
  Threat
  Good Guys & Bad Guys
  Golden Age of Hacking (GOAH)
Chapter 2: Authentication
  Definition
  Types of Authentication
Chapter 3: Information Gathering
  7 basic steps
Chapter 4: Packet Analysis
  TCP/IP Structure
  Quick Facts
  ICMP
  UDP
  TCP
  Packet Sniffer: Windump or TCPdump
  TCP Flags
  Datagram and Packet Analysis
  Port Scan
Reference


Chapter 1: Introduction to Network Security


Unsecure Behavior:

  • Compromised computers and networks
  • Computers infected with malware
  • Someone gaining access to an unlocked room -> installs a keylogger
  • Someone pretending to be a person you trust and asking for your password

Network Security

  • The branch of computer science that enforces secure behavior for computer operations
  • Software & hardware preventive actions -> protect the network infrastructure -> from unauthorized access and modification -> to create a secure computing environment.
  • It is a process, not an end state

Assets

  • Hardware
  • Software
  • Data


Security Objectives (CIA)

  • C = Confidentiality
    • Assets are only accessible to authorized persons
    • Aka privacy / secrecy
  • I = Integrity
    • Assets can only be modified by authorized persons, in authorized ways.
  • A = Availability
    • Assets are accessible to authorized persons when they require them.

CIA Relationship

  • Independent
    • No overlap at all
    • Strong but unusable
  • Exclusive
    • 2 overlap, 1 excluded
    • Quite strong but not well covered
  • Overlapping
    • All 3 elements overlap. Weak but well integrated

Vulnerability

  • Definition: A weakness in an asset (hardware, software, data) which can be exploited, resulting in harm and loss.
  • Hardware
    • Damage
    • Mishandling
    • Theft
    • Natural disaster
  • Software
    • Deletion
      • Format, delete, replace
    • Modification
      • Maliciously modified, malware (virus, trojan), covert application
    • Theft
      • Pirated copies… ehem ehem

Threat

  • Definition: A set of conditions that has the potential to cause loss and harm.
  • Relation to vulnerability:
    • A threat exploits vulnerabilities of the asset to cause damage.
    • Controlling the vulnerability == blocking the threat.
  • Types of threats:
    • Interception: an unauthorized person (hacker) gains access to the asset
    • Interruption: the hacker makes the asset unusable.
      • Removing or stealing hardware
      • Deleting programs or data (e.g. SQL DELETE)
      • Failure of the OS (formatting the OS?)
      • DDoS
    • Modification
      • The hacker gains access and changes the asset (content)
        • Change database content
        • Modify a program so it works wrongly
        • Modify streaming data
    • Fabrication
      • The hacker creates a fake or counterfeit asset to fool an authorized person or system
        • Injecting false messages into network communication
        • Adding false records to a database (in his favor)

Good Guys & Bad Guys

  • Hacker:
    • Programmers who enjoy programming and are good at it. Experts.
    • Love to explore computer technology and programmable systems to discover how they work.
    • Don't have the intention to do malicious things.
    • If they discover holes within a system, they share them with the developer and the community. It is up to the developer to patch them.
    • 3 hats (white (normally security admins), black (normally crackers) and grey)
  • Cracker:
    • Cyber burglar. Purposely breaks through system security (without permission) to do malicious things such as stealing information, destroying systems or altering data/systems.
    • A technical person who has mastered the art of breaking into computer systems.
  • Hacktivism
    • Hacking for political reasons
      • Defacement of government websites
      • Planting logic bombs
    • Purpose: to spread a political agenda
  • Script Kiddies
    • Someone who doesn't possess any hacking skills or knowledge.
    • Uses other hackers'/crackers' tools to help his/her hacking activity
    • n00b

Golden Age of Hacking (GOAH)

  • Some facts
    • No one is safe when they are connected to the Internet
    • DDoS, identity theft (credit card), spam etc
    • Phishing (to steal user info, mainly credit card, password, username)
    • Punishment: max 7 years (only?!?) or RM 100k
  • Reasons
    • Systems are easy to break into
      • Poor security systems at companies
      • Open ports (doors).
      • Connected to the Internet 24/7.
    • Tools are easy to obtain and use
      • Hacking tools are everywhere, and user-friendly too.
      • Free to download
    • Boundless nature of the Internet
      • Hard to trace because it takes time, crosses countries, and there is almost no cooperation with or between ISPs unless under court order.
    • Vast pool of resources
      • Step-by-step tutorials on how to hack
      • So many "hacking for dummies" books or ebooks on sale.
    • No one policing the Internet
      • No responsible party monitors and polices the Internet. No investigators working as a public service.
      • Hackers hide in the virtual world (cyberspace). Harder to trace.
    • Companies don't report
      • Bad publicity
      • Ignorance… their security is too weak, they don't even realize they were under attack.. LOL 😄

 

Chapter 2: Authentication

Definition:

  • Authentication is the process of determining whether someone is who he/she declares to be.
  • E.g. a system needs to know whether the person logging into the system is a valid admin or not, by enforcing username & password or any other authentication mechanism.
  • Purpose: to uniquely identify a person to the system (and grant access or not).

Types of Authentication:

Something you KNOW: Password

  • A sequence of characters that is (technically) known only to the authorized person.
  • Problems with passwords:
    • The user forgets his/her password
    • Written down in a non-secure place
    • The user is unhappy with his/her password because it is too hard to remember
    • The user uses a default password (user, admin, cisco, 124456)
    • The user uses a weak password (related to his/her personal data)
    • The user uses a password that can be found in a dictionary
  • Strong password implementation:
    • Choose a password that is easy to remember & makes you happy
    • So you don't have to write it down somewhere else
    • Don't use a default password, a word that exists in a dictionary, or anything too related to your personal life (d.o.b., name, IC number)
    • Always change your password (30-45 day interval)
    • Minimum length 10 characters, mixing lowercase, uppercase, digits and symbols (y Y 5 @)
    • Don't reuse passwords. Crackers keep records, you know!
    • Pick a phrase & use its initials to make the password more complex.
  • Password Policy
    • A set of rules to enhance computer security
    • Encourages users to use strong passwords.
    • Normally part of the organization's IT rules.
  • Password Cracking
    • The process of guessing the plaintext password.
    • Used by admins to check password validity
    • Used by crackers to gain access into computer systems
    • 3 techniques:
      • Dictionary attack
        • Fast but can't guarantee success
        • Uses words in a dictionary to guess the password
      • Bruteforce attack
        • Slow but guarantees success, at the cost of time
        • Uses character combinations
      • Hybrid attack
        • A mix of dictionary and bruteforce
        • It may use a dictionary word but add some characters at the front and end of that word.
      • Tools:
        • John The Ripper
          • dictionary: john-386 --wordlist=password.lst aa.txt
          • bruteforce: john-386 --incremental aa.txt
        • Cain and Abel
          • (password recovery for MS OS)
          • Network sniffing, dictionary, bruteforce, recovering wifi network keys etc
        • Hydra (fast network authentication cracker)
        • L0phtCrack
      • Simple password attacks
        • Social engineering
          • (he claims he is somebody you trust, and you give him your password)
        • Shoulder surfing
          • Watching someone as he types the password
        • Dumpster diving
          • Finding sensitive information that people throw out.
    • Cracking passwords is important for admins because:
      • To audit the strength of passwords
      • To recover forgotten and unknown passwords
      • To migrate users into a new system
    • Encryption
      • Converting plain text (the password) into unreadable text (cipher text)
      • The size of the cipher text no longer matches the original plain text.
    • Protect Your Password
      • Choose a strong password
      • Don't reveal your password & use encryption.
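The strong-password rules above, turned into a checker (an added example, not part of the original notes). The wordlists are constructed stand-ins; a real check would load a full dictionary such as John the Ripper's password.lst.

```python
"""Added example: a checker for the strong-password rules listed in the notes.

DEFAULT_PASSWORDS and DICTIONARY are small constructed wordlists, not real data.
"""
import re
import string

DEFAULT_PASSWORDS = {"user", "admin", "cisco", "password", "123456"}   # constructed
DICTIONARY = {"dragon", "monkey", "welcome", "letmein", "sunshine"}    # constructed


def strip_hybrid(pw: str) -> str:
    """Drop leading/trailing digits and symbols, so 'Dragon2024!' -> 'dragon'.
    A hybrid attack bolts characters onto the front/end of a dictionary word,
    so the core word is what has to be compared against the dictionary."""
    return pw.strip(string.digits + string.punctuation).lower()


def check_password(pw: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.
    `personal` holds strings such as a name, date of birth or IC number."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):
        problems.append("needs lower, upper, digit and symbol (y Y 5 @)")
    if pw.lower() in DEFAULT_PASSWORDS:
        problems.append("default password")
    if strip_hybrid(pw) in DICTIONARY:
        problems.append("dictionary word (a hybrid attack would find it)")
    for item in personal:
        digits_only = re.sub(r"\D", "", item)      # '1981-05-21' -> '19810521'
        if item.lower() in pw.lower() or (len(digits_only) >= 4 and digits_only in pw):
            problems.append(f"contains personal data {item!r}")
    return problems


def passphrase_initials(phrase: str) -> str:
    """Build a password from the initial of each word; digits and symbols are kept
    whole so the result still contains all four character classes."""
    return "".join(w if not w[0].isalpha() else w[0] for w in phrase.split())


if __name__ == "__main__":
    for candidate in ("cisco", "Dragon2024!", passphrase_initials("My dog Rex ate 2 bones @ 7pm!")):
        print(candidate, "->", check_password(candidate) or "OK")
```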

Something you HAVE:

  • Smart card, access card, security dongle, key

Something you ARE: BIOMETRICS

  • Definition
    • Technology and methods able to measure, recognize and analyze human body characteristics or behavior for authentication purposes
  • Types
    • Static (physiological)
      • Based on features (of the human body) that are constant and always present
      • Fingerprint (may not work if the finger is dirty)
      • Retinal
        • Scans the layer of blood vessels at the back of the eye
        • Very expensive, difficult to implement
      • Iris
        • Scans the pattern of the colored part of the eye surrounding the pupil
      • Hand geometry
        • Limited accuracy because many people's hands have similar measurements.
      • Facial scanning
        • Analyzes facial characteristics.
        • Hard to use because facial features change over time (getting old, anyone?)
    • Dynamic (behavioral)
      • Handwritten signature
        • Speed, pressure, shape -> compared to the original signature
        • Issue: people can't sign their name in a consistent manner.
      • Voice recognition
        • The voice is transformed into text and compared with the original one.
        • Issue: background noise can interfere with the scan.
  • Advantages:
    • Nothing to remember. It is all there on our body.
    • Convenient, unique and accurate.
  • Disadvantages:
    • Expensive
    • No privacy and safety (what if someone cuts off your thumb to gain access to your system?)
    • False authentication (false positives and false negatives)

CAPTCHA

  • Completely Automated Public Turing test to tell Computers and Humans Apart
  • Requires the user to enter the letters or numbers shown in a distorted image.
  • Benefits:
    • Protecting website registration
      • Gmail and Yahoo mail, for example.
      • Only humans deserve free email service
      • To protect against bots registering thousands of email accounts per minute.
    • Protecting email addresses from scrapers
      • Protects against bots collecting users' email information.
      • A human needs to enter the CAPTCHA code to see others' emails
    • Online polls
      • To protect against bots auto-voting
    • Preventing comment spam in blogs
      • To protect a blog from bots that spread spam (to increase their website's position in search engines)
    • Preventing dictionary attacks
      • To protect against bots automatically entering usernames and passwords to crack the system or gain access.
      • Better than locking the user account.
    • Search engine bots
      • To prevent bots from crawling and gathering information on sensitive pages.
    • Worms and spam (email)

Chapter 3: Information Gathering

7 basic steps

  • Find initial information
    • Open source information (ads, news, blogs, email circulation)
    • Whois (arin-whois.net)
    • Nslookup (to find DNS details including IP addresses)
  • Find the address range of the network
    • ARIN (whois-arin)
    • Traceroute / Tracert (hosts within the same network normally use the same router)
    • Whois (web or command prompt)
  • Find the active machines
    • Ping (ping sweep: nmap -sP)
  • Find open ports or access points
    • Nmap (nmap -sS)
    • ScanPort
  • Figure out the operating system
    • Nmap (nmap -A -P0)
    • Queso
    • Look up vulnerabilities of outdated OS versions on the Internet
  • Figure out which services are running on each port (1-65535)
    • Default ports and OS (1-1023)
    • Telnet (by connecting with telnet, the service banner tells which service is online)
    • Vulnerability scanners (Cisco Secure Scanner, SARA, SAINT)
    • Nmap (nmap -sS -A -v)
    • Look up service vulnerabilities available on the Internet
  • Map out the network
    • Traceroute
    • Visual Ping
    • Cheops

Chapter 4: Packet Analysis

TCP/IP Structure

Quick Facts

  • All packets must begin with an IP header, followed by an ICMP header, UDP header or TCP header.
  • IP header + TCP/UDP/ICMP header + content = IP datagram
  • Max size of an IP datagram is 65535 bytes (64 kB)
  • Header size & (protocol number)
    • IP = 20 bytes
    • ICMP = 4 bytes (01)
    • UDP = 8 bytes (0x11 or 17)
    • TCP = 20 bytes (06)
  • 1 chunk = 2 bytes (in most packet sniffer display formats), shown as xxxx

ICMP

  • Created to handle error and control messages because IP is not reliable
  • The ping program was developed by Mike Muuss
    • Purpose: to test whether another host is reachable or not.

UDP

  • A transport layer protocol
  • Simpler than TCP
  • Connectionless and unreliable
  • No 3-way handshake
  • No ACK or SYN. Whether the data sent was received by the receiver is unknown.
  • Blazingly fast. Suitable for streaming applications (and torrents/p2p)

TCP

  • A transport layer protocol.
  • More complicated than UDP
  • Connection oriented and reliable because it has a 3-way handshake
  • Has ACK, therefore data received by the receiver is confirmed.
  • Suitable for file transfer.

Packet Sniffer: Windump or TCPdump

  • Packet capture tools that print headers and contents.
  • They put the network interface in promiscuous mode and grab all the packets they see
  • windump -i 1 -c 3 -x tcp
    • Dump all TCP packets seen on network card 1 and display only the first 3.
    • -xx will print the MAC frame (link-level header) as well
    • -X (capital X) will print the ASCII translation as well
    • -XX will print the MAC frame and the ASCII translation as well

TCP Flags

  • xxUAPRSF (Malay mnemonic: Unta Aku Pijak Rumput Sampai Fening)
  • URG: Urgent
    • Urgent data that takes precedence over other data
  • ACK: Acknowledge
    • To acknowledge the receipt of data from the sender
  • PSH: Push
    • To push data from the sending host to the receiving host. Suitable for telnet, where response time is a primary concern.
  • RST: Reset
    • To indicate the sender's intention to abort the existing connection.
  • SYN: Synchronization
    • A request to establish a session, in the first part of the 3-way handshake.
  • FIN: Finish
    • To indicate the sender's intention to gracefully terminate the existing connection.

Datagram and Packet Analysis

IP Datagram (20 bytes).

TCP Datagram (20 bytes)

TCP Flags (1 byte = 8 bits, highest bit first):

  Bit    7        6        5       4     3     2      1     0
  Name   Reserve  Reserve  Urgent  Ack   Push  Reset  Syn   Fin
  Code   —        —        U       A     P     R      S     F

Unta Aku Pijak Rumput Sampai Fitam?!?

Example:

  • 0000 0001 = FIN packet. The flag indicates Finish, normally used to terminate a connection that was set up by the 3-way handshake.
  • 0001 0000 = Acknowledge (ACK) packet
  • 0000 0010 = SYN packet
  • 1100 0000 or 1000 0000 or 0100 0000 = ERROR. The 2 leftmost bits must not be used.

ICMP Datagram (4 bytes)

UDP Datagram (8 bytes)
Packet Analysis.


Protocol embedded in this IP header = TCP (06)

Service currently running between both systems = Telnet (0x17 = 23)

Source Address: 207.174.200.194

Destination Address: 204.187.140.181

Source Port Address: 10311

Destination Port Address: 17 (hex; 0x17 = 23 decimal)

Which IP address is the server IP address? = 204.198.140.181; because the receiver port number is within 1-1024, which is a well-known port, the receiver IP address is the server IP address.

Content of this message (use an ASCII table to translate; starts after byte #40 or chunk #20)

  Chunk number   Content
  5              Protocol (6 for TCP, 11 for UDP, 1 for ICMP)
  7-8            Sender IP address
  9-10           Receiver IP address
  11             Sender port #
  12             Receiver port #
  13             Sequence number
  14             Ack number
  17             Flags (Unta Aku Pijak Rumput Sampai Fingsan): xxUAPRSF

Note:

In hexadecimal (windump or tcpdump), 1 chunk = 2 bytes (FF = 1 byte, FFFF = 2 bytes)

To see which protocol this IP packet carries, look at chunk 5, which is byte 10.

The maximum IP datagram size (with options, data etc.) is 65536 bytes

Port Scan

  • TCP Connect scan
  • TCP SYN Scan
  • TCP FIN Scan
  • TCP ACK Scan

Invalid Packet

  • A packet that cannot be recognized by the TCP/IP protocol.
  • Wrong implementation of the TCP/IP structure & network protocol standards
  • Normally a sign of an attack being launched
  • Examples:
    • Packet size more than 64 kB
    • TCP flags = 0
    • Invalid version number (current standard is 4)
    • Destination address = source address.
    • TCP flag reserved bits are SET (2 leftmost)
    • Padding does not exist, IP header does not end on a 32-bit boundary
    • TCP flags:
      • SYN and FIN are set.
      • All flag bits are set
    • Port number > 65535.

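The chunk-by-chunk reading in the Datagram and Packet Analysis section and the Invalid Packet rules above, as one added example (not code from the original notes). The hex dump is constructed to mirror the Telnet example in the notes; checksums are left as zero and not verified.

```python
# Added example (not from the original notes): parse a windump/tcpdump -x style
# hex dump (1 chunk = 2 bytes) into the fields of the chunk table, decode the
# xxUAPRSF flag byte, and apply the checkable rules from the Invalid Packet list.
import ipaddress
import struct

# Constructed dump: IP + TCP + 4 payload bytes. Addresses and ports mirror the
# Telnet example in the notes; checksums are left as 0000 and are not verified.
HEX_DUMP = ("4500 002c 1234 4000 4006 0000 cfae c8c2 ccbb 8cb5 "
            "2847 0017 0000 0001 0000 0001 5018 2000 0000 0000 6869 0d0a")
FLAG_NAMES = "UAPRSF"                            # bits 5..0 of the flag byte
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # 17 shows as 0x11 in the dump

def decode_flags(flag_byte: int) -> str:
    """0x18 -> 'AP', 0x02 -> 'S'; a leading 'x' marks a set reserved bit (7 or 6)."""
    names = "".join(n for i, n in enumerate(FLAG_NAMES) if flag_byte & (1 << (5 - i)))
    return ("x" if flag_byte & 0xC0 else "") + names

def parse_packet(dump: str) -> dict:
    """Pull the fields out by byte offset; comments give the chunk numbers."""
    raw = bytes.fromhex("".join(dump.split()))
    ihl = (raw[0] & 0x0F) * 4                              # IP header length in bytes
    info = {"version": raw[0] >> 4,
            "total_len": struct.unpack("!H", raw[2:4])[0],
            "proto": PROTO_NAMES.get(raw[9], str(raw[9])),     # chunk 5 (10th byte)
            "src_ip": str(ipaddress.IPv4Address(raw[12:16])),  # chunks 7-8
            "dst_ip": str(ipaddress.IPv4Address(raw[16:20]))}  # chunks 9-10
    if raw[9] == 6:                                            # TCP follows the IP header
        tcp = raw[ihl:]
        src_port, dst_port, seq, ack = struct.unpack("!HHII", tcp[:12])  # chunks 11-16
        data_off, flag_byte = (tcp[12] >> 4) * 4, tcp[13]                # chunk 17
        info.update(src_port=src_port, dst_port=dst_port, seq=seq, ack=ack,
                    flag_byte=flag_byte, flags=decode_flags(flag_byte),
                    # the side on a well-known port (< 1024) is the server
                    server_ip=info["dst_ip"] if dst_port < 1024 else info["src_ip"],
                    payload=raw[ihl + data_off:info["total_len"]].decode("ascii", "replace"))
    return info

def invalid_packet_reasons(info: dict) -> list[str]:
    """Return the Invalid Packet rules that the parsed packet violates."""
    reasons = []
    if info["version"] != 4:
        reasons.append("invalid version number (current standard is 4)")
    if info["src_ip"] == info["dst_ip"]:
        reasons.append("destination address equals source address")
    fb = info.get("flag_byte")
    if fb is not None:
        for bad, why in ((fb == 0, "TCP flags = 0"), (fb & 0xC0, "TCP reserved bits set"),
                         (fb & 3 == 3, "SYN and FIN both set"), (fb & 0x3F == 0x3F, "all flag bits set")):
            if bad:
                reasons.append(why)
    return reasons
```

Rules that a parser cannot violate once the fields are decoded (a 16-bit port above 65535, an IHL that is not a multiple of 32 bits) are left out; they are caught by the length checks of the capture tool itself.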

Reference

Pn. Nik Mariza Ab Malik: Network Security Notes.

Full credit (intellectual property) to Pn Nik Mariza Ab Malik.

In case there are some typos or factual errors, feel free to drop me an email at

Arham81 at gmail dot com


    • expertester
    • February 21st, 2010

    If it's hard to read, just download the PDF. It was made for the PDF copy.

    If there's anything to add (surely there is 😀), please contribute. Just post it in the comments. I'll add it with credit.

  1. example raw packet

    udp

    tcp

    icmp
