To attack a network you first need to fully understand the rules and protocols that the network follows.
Once you have a good understanding of these, you can start to understand how various attacks work.
Only when you know how these attacks work can you go about securing a network, confident that you know what it is you are defending against.
The aim of this paper is to help explain how a network operates and how various attacks work.
-----------------------------------------------------------------------------------------------------------------------
For a network to operate effectively, there is a requirement for a set of rules that everything on that network must follow.
It must have its own language that everything on it understands, and it must have its own way of transmitting things in this language to other parts of the network. However, as there are many networks in many different countries, this standard needs to be a universal one, to allow networks to talk to other networks across the world.
If someone from England were to phone up someone in Russia, the chances are they wouldn't be able to communicate too well.
But if a network were to send a data packet to a network in Russia, it would be received and processed in the correct way.
This is because all networks follow protocols defined by what is known as the Open Systems Interconnection (OSI) model.
The OSI Model:
The OSI model provides a set of rules and protocols that enable any network following them to talk to any other network that also follows them.
The rules that make up the OSI are arranged into seven different
layers that are all interconnected with each other.
These are:
1) Physical Layer
2) Data Link Layer
3) Network Layer
4) Transport Layer
5) Session Layer
6) Presentation Layer
7) Application Layer
I've always found it easier to look at these as different stages a data packet must pass through: at each stage something is added to the packet, and when it is received the same thing is taken away from it by the corresponding stage in the other network.
Physical Layer:
As its name suggests, this is the physical connection between two pieces of hardware. Its major function is to communicate raw bit streams (the ones and zeros). It is responsible for the activation and deactivation of these bit stream communications. It is also responsible for defining the actual cable attachments to the NICs and how they work.
This is the lowest layer.
Data Link:
This layer deals with the transfer of data between two points on the network. If the Physical layer is what is used to pass the raw bits, this is what actually sends them on their way. It also provides error and flow control of the data packets that are sent and received.
Network Layer:
I will go into more depth on this later on. This layer provides the
addressing and routing of the data and acts as a
kind of middle ground between the upper layers and the lower layers.
Transport Layer:
Again this will be explained in more detail later. This is where TCP
comes into the process by providing a reliable
and stable method of passing the data packet.
Session Layer:
This is what actually establishes the connections between network
applications and then maintains that connection.
Presentation Layer:
This is what translates the data provided by the application in use into a format that the rest of the OSI model understands and can work with, and vice versa when the data is received: it translates it back into a language for the application to work with. (This layer is not always used in a network.) This is what enables things like encryption and compression to be used over a network.
Application Layer:
This is used for applications that can support and use network services, such as DNS, FTP, TELNET, SMTP and NetBIOS type applications.
So when you send a data packet it starts at the application layer, then the presentation layer wraps its bit of information around the packet, then the session layer does the same, and so on until the packet reaches the Physical layer where it is passed to wherever it needs to go.
This whole process is known as Encapsulation.
That's the seven layers of the OSI model.
Now that we know about the methods used to pass data, let's talk about what it actually is that gets passed around.
When information is passed around the network it is transmitted in small chunks of data called packets.
As the packet passes through each layer small bits of data are added to it or taken away from it, depending on whether the packet is being transmitted or received.
A data packet has both a body and a header. The body obviously contains the message that is being passed, whilst the header contains things like the source IP address, the destination IP address, the total data length, what protocols are being used and checksum information. See here for more info on headers: http://www.networksorcery.com/enp/protocol/ip.htm
Network Attacks:
To understand how most network attacks operate it is necessary to go
into more detail about some of the layers used.
Network Layer:
The rules that govern this layer, to ensure that the addressing is correct and efficient, are what is called the Internet Protocol (IP).
Everything that is connected to the Internet has an IP address. An IP address is made up of four bytes, each of which can be no greater than 255, e.g. 100.100.100.100.
They can be no bigger than 255 as this is the highest number that binary goes to in one byte, and all numbers are converted to binary as far as computers are concerned.
128   64   32   16    8    4    2    1
--------------------------------------
  1    1    1    1    1    1    1    1
This number, 11111111, is the highest number one byte can hold in binary (8 bits make a byte, so eight 1's make the byte).
If you add up the numbers above the ones, you will see it comes to 255:
128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255
128   64   32   16    8    4    2    1
--------------------------------------
  0    0    0    0    0    0    0    1
This would equal the number 1. If there is a zero under a number it is discounted; only where there is a 1 is the value added.
128   64   32   16    8    4    2    1
--------------------------------------
  0    0    0    0    1    1    1    1
So this would equal 15: 8 + 4 + 2 + 1 = 15
A bit off topic there, but that is how binary works; hence that is how an IP address is looked at by your computer.
If you need a number bigger than 255 that is where hex comes in. Hex will be explained later when we talk about MAC addresses.
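Carrying the bit-weight tables above through in code, as an added example that is not part of the original paper: the functions below add up the 128/64/.../1 weights under each 1 exactly as the tables do, go back the other way, and split a dotted-quad IPv4 address into its four bytes, rejecting any part bigger than 255. The function names are my own.

```python
# Added example (not from the original paper): the 128/64/.../1 weights from the
# tables above, applied to single bytes and to whole IPv4 addresses.
from __future__ import annotations

BIT_WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)   # the column headings in the tables


def octet_to_bits(value: int) -> str:
    """Return the 8-character binary string for one byte, e.g. 15 -> '00001111'."""
    if not 0 <= value <= 255:
        raise ValueError(f"{value} does not fit in one byte (0-255)")
    return "".join("1" if value & w else "0" for w in BIT_WEIGHTS)


def bits_to_octet(bits: str) -> int:
    """Add up the weights under each '1', exactly as the tables above do."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"{bits!r} is not an 8-bit string")
    return sum(w for w, b in zip(BIT_WEIGHTS, bits) if b == "1")


def parse_ipv4(address: str) -> tuple[int, ...]:
    """Split a dotted-quad address into four validated bytes."""
    parts = address.split(".")
    if len(parts) != 4:
        raise ValueError(f"{address!r}: expected four dotted parts")
    octets = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"{address!r}: {part!r} is not a number")
        n = int(part)
        if n > 255:
            raise ValueError(f"{address!r}: {n} is bigger than one byte can hold")
        octets.append(n)
    return tuple(octets)


def is_valid_ipv4(address: str) -> bool:
    """True if every part is a number from 0 to 255 and there are four of them."""
    try:
        parse_ipv4(address)
        return True
    except ValueError:
        return False


def ipv4_to_bits(address: str) -> str:
    """Render the whole 32-bit address as four 8-bit groups."""
    return ".".join(octet_to_bits(o) for o in parse_ipv4(address))


if __name__ == "__main__":
    for a in ("100.100.100.100", "255.255.255.255", "192.168.2.2"):
        print(a, "->", ipv4_to_bits(a))
```

The validation in parse_ipv4 is the practical point: anything that accepts an address string from outside (a config file, a form, a log line) should reject parts over 255 rather than silently wrapping or truncating them.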
Anyway, in the network layer, both IP packets and Internet Control Message Protocol (ICMP) packets exist.
IP packets are used for the actual sending of data, whilst ICMP packets are there for diagnostic and messaging purposes.
If there is a problem with the delivery or receipt of an IP packet, an ICMP packet can be sent to tell the other system that there has been a problem.
ICMP can also be used to test the connectivity of something on the network in the form of an Echo Request, commonly known as a ping. This is a quick and easy way to test if a host is up and running and how latent the connection is between you.
If you get a reply the host is up, and if you don't, it generally (but not always) means the host is down. Unlike TCP, there doesn't have to be an established connection to allow ICMP packets to transmit, so systems can be configured to ignore ICMP packets as a security measure.
The final thing to mention on this topic is IP fragmentation.
Most networks have a limit on the size of IP packet that can be transmitted, so the network layer can break the packet down. Say we have a packet like so:
 ________________________________
| Header | DATA DATA DATA        |
 --------------------------------
This may be too big to be transmitted, so the network layer will break it down like so:
 ___________________
| Header | Data 1   |
 -------------------
 ___________________
| Header | Data 2   |
 -------------------
 ___________________
| Header | Data 3   |
 -------------------
This is a simplified explanation of it, as in real life offsets are used instead of 1, 2 and 3.
To reconstruct the packet, the receiving network layer just puts the pieces back in order 1, 2 and 3 and passes it on up to the Transport Layer.
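To show what "offsets are used instead of 1, 2 and 3" means in practice, here is an added example (not from the original paper) that fragments a payload the way the network layer does, using a fragment offset counted in 8-byte units and a More-Fragments (MF) flag, and then reassembles the pieces even when they arrive out of order. The Fragment class and the function names are my own; the payload and size limit are constructed for the example.

```python
# Added example (not from the original paper): IP-style fragmentation with real
# offsets and the MF flag, plus reassembly that detects a missing piece.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Fragment:
    ident: int            # same ID on every fragment of one original packet
    offset: int           # position in the original payload, in 8-byte units
    more_fragments: bool  # MF flag: False only on the last piece
    data: bytes


def fragment(ident: int, payload: bytes, max_data: int) -> list[Fragment]:
    """Split payload into fragments carrying at most max_data bytes each.
    Every fragment except the last carries a multiple of 8 bytes, because the
    offset field counts in units of 8."""
    if max_data < 8:
        raise ValueError("fragment data space must allow at least 8 bytes")
    chunk = max_data - (max_data % 8)
    frags = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        frags.append(Fragment(ident, start // 8, start + chunk < len(payload), piece))
    return frags


def reassemble(frags: list[Fragment]) -> bytes:
    """Put fragments back in order by offset, check nothing is missing, and
    return the original payload. Raises ValueError on a gap, a missing last
    fragment, or fragments from different packets mixed together."""
    if not frags:
        raise ValueError("no fragments")
    ids = {f.ident for f in frags}
    if len(ids) != 1:
        raise ValueError(f"fragments from different packets mixed: {ids}")
    buf = bytearray()
    ordered = sorted(frags, key=lambda f: f.offset)
    for f in ordered:
        if f.offset * 8 != len(buf):
            raise ValueError(f"gap before offset {f.offset}: only {len(buf)} bytes so far")
        buf += f.data
    if ordered[-1].more_fragments:
        raise ValueError("last fragment (MF=0) not seen")
    return bytes(buf)


# Constructed input: 40 bytes of payload that must travel in 20-byte pieces.
SAMPLE_PAYLOAD = b"DATA " * 8
SAMPLE_FRAGMENTS = fragment(ident=0x1234, payload=SAMPLE_PAYLOAD, max_data=20)

if __name__ == "__main__":
    for f in SAMPLE_FRAGMENTS:
        print(f"id={f.ident:#x} offset={f.offset} MF={f.more_fragments} len={len(f.data)}")
    print(reassemble(list(reversed(SAMPLE_FRAGMENTS))))
```

Because 20 is not a multiple of 8, each fragment actually carries 16 bytes, so three fragments (offsets 0, 2 and 4) are produced rather than two. The reassembler refuses to hand anything up to the transport layer until every offset from 0 to the MF=0 piece has been seen, which is the same reason a receiving stack has to hold fragments in memory while it waits.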
Which, strangely enough, brings us nicely on to the transport layer!
The Transport Layer:
The two major sets of rules in this layer are the TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) protocols.
Most services on a network and on the Internet will use the TCP protocol; these include things such as HTTP, FTP and SMTP. Although each one of these is a protocol in its own right, to actually transfer the data it is being asked to, it will use TCP.
The reason for this is that TCP provides a very reliable, two-way connection between hosts on a network or the Internet.
TCP will ensure that all the data is received and in the correct order; if packets are missing or corrupted it will hold on to the packets it has until the missing ones have been re-sent, and only then will it pass the data up to the next layer.
To be able to do all this TCP uses a system known as flags.
There are 6 flags in total. They are:
URG    Urgent           Used for priority data
ACK    Acknowledgment   Acknowledges a connection and is usually turned on
PSH    Push             Tells the recipient to push the data through rather than buffer it
RST    Reset            Resets the connection
SYN    Synchronize      Synchronizes sequence numbers at the beginning of the connection (REMEMBER THIS)
FIN    Finish           Closes a connection
What makes TCP such a reliable connection is that, unlike UDP, it establishes a connection before sending the data packet.
It does this by way of a three-way handshake using the flags described above.
Say we have computers 'A' and 'B'. 'A' wants to send something to 'B'; here is what happens:
First, 'A' will send a packet with the SYN flag turned on to 'B'.
'B' will then send a packet back with the SYN and ACK flags turned on.
Then 'A' will send another packet back with just the ACK flag turned on.
(After this has been completed every packet will have the ACK flag turned on.)
This is basically computer 'A' saying to 'B', "Hi, I have a message for you, do you want it?"
Then 'B' says, "OK, I'm ready, send it."
Then 'A' says, "OK, here it comes."
There is a little bit more to it than that, which we will talk about in a minute; that is just a very simple version of it, in a very simple nutshell!
The reason that the packets had the SYN flag turned on was to enable the two machines to synchronize sequence numbers.
Sequence Numbers:
Sequence numbers are used to ensure that the packets arrive in the correct order and to determine if any packets have gone missing somewhere along the line. This is what makes TCP so good.
The first SYN packet that is sent to open a connection will look like this:
SYN Packet
Syn = On
Ack = Off
Seq# 000001
Ack# 0
Notice the sequence number (Seq#) is 000001 and the acknowledgment number (Ack#) is 0.
So this arrives at 'B' and 'B' now sends a SYN/ACK packet back to 'A', so called because both the SYN flag and the ACK flag will be turned on.
SYN/ACK Packet
Syn = On
Ack = On
Seq# 111111
Ack# 000002
Now, this bit can get a bit confusing.
The original sequence number from 'A' now becomes 'B's acknowledgment number (Ack#), because 'B's sequence number will be different from 'A's.
Don't forget that every time one of these computers talks on a network its sequence number will go up by the number of bytes in the data part of the packet.
So when they first start the handshake off, the sequence numbers that the machines are on will be different from each other.
So 'B' has taken 'A's original sequence number and added 1 to it, so it now becomes 000002. It now puts this in the acknowledgement field of the packet and sends it back.
Computer 'A' knows that he sent a packet with a sequence number of 000001 to 'B', so when the next packet is received from 'B' he will be expecting it to have an Ack# of 000002. If it has, he knows that it is authentic and from 'B'. Also, he now has the sequence number 'B' is on, 111111, so for the next packet that he sends to 'B' he knows that he needs to add 1 to it and place this in the Ack# field.
So the third and last part of the handshake will be like this:
ACK Packet
Syn = Off
Ack = On
Seq# 000002
Ack# 111112
When 'B' sent back the second packet, he had increased 'A's number by 1; that now becomes 'A's sequence number for the third packet.
Also remember that 'A' increases 'B's sequence number that was sent in the second packet and puts it into the Ack# field, so now the next packet that comes from 'B' should have a Seq# of 111112.
I hope that wasn't too confusing. It is important to understand the sequence number concept for when I move on to TCP/IP hijacking later on.
The last layer (and what is used in our first attack) is the Data Link Layer.
The Data Link Layer:
This is where Ethernet comes into the network layers. This layer provides a standard method of addressing for all Ethernet-connected devices on the network. These addresses are commonly known as Media Access Control addresses or MAC addresses.
Every single Ethernet device is assigned a unique MAC address in the factory where it is made.
Usually the address is in hex format, e.g. 00-30-BD-07-AC-32.
Sometimes the address is also referred to as the hardware address, as it is unique to each piece of hardware.
The reason for this is so that any hardware on a network will have an address that will never change, unlike an IP address, which can change very regularly.
When a data packet is sent over Ethernet it will have in its header the source address and the destination address.
There is a special address that can be used with Ethernet to broadcast to all Ethernet devices on the network: this is all 1's in binary, 11111111, which as we now know converts to 255; but remember IP addresses have 4 bytes in them, so the broadcast address will be 255.255.255.255.
On the layer above (the network layer) the addressing system used is IP, but on this layer we use MAC addresses, so there is a requirement to tie these two addresses together to avoid the confusion of having two separate addresses for one data packet.
This is where a protocol known as the Address Resolution Protocol (ARP) comes into effect.
This protocol builds a table known as an ARP table to link MAC addresses to IP addresses; it looks (in an edited version) something similar to this:
192.168.2.2 ---------> 00-30-BD-07-CA-37
192.168.2.3 ---------> 00-20-CA-24-BD-12
192.168.2.4 ---------> 00-30-00-33-30-BD
and so on.
To establish this table, ARP messages need to be sent around the network via the broadcast address 255.255.255.255.
There are two main ARP messages: ARP request and ARP reply.
When a packet comes to this layer, it looks at the header to see what the destination IP address is. It will now send out an ARP request message saying, "Who does the IP address 192.168.2.2 belong to?"
The computer on that network which has that IP address will receive the ARP request via the broadcast IP, know it has got the IP that is being looked for, and reply with an ARP reply message saying "Yep, I have the IP 192.168.2.2, here is my MAC address 00-30-BD-07-CA-37".
This will now get cached in the ARP table, and next time a data packet comes with the destination IP of 192.168.2.2, it will know the correct MAC address to send it to and send it using this.
The ARP broadcast happens at very regular intervals to keep the table up to date.
If an ARP reply message comes in with a new MAC address for a certain IP address, it will overwrite it there and then (unless it has been marked as permanent), even if it didn't send out an ARP request message!
Can anyone see the security flaw here and the potential for a possible exploit? If not, keep reading!
Switched/Unswitched Networks:
On the data link layer there is also a distinction between switched and unswitched networks.
The definition of an unswitched network is that every Ethernet packet will pass through everything on the network. All the hardware on this network is expected to only look at the destination address to see if it is meant for them or not. If it is, it will read the data part of the packet and the layer process will begin. If it is not meant for it, it should just ignore it.
Again, can anyone see the security flaw here?
If you set a computer on a network to promiscuous mode it will look at the data part of all packets, whether they are addressed to it or not!
This is what programs such as TCPDump utilize.
This method of attacking a network is known as sniffing, and it can be a very useful way of gathering information such as passwords, user names etc., especially with services that don't use encryption by default: Telnet, POP3 and FTP for example.
In fact there is a program that has been designed especially to sniff out information such as passwords and user names, but that is bordering on what this site is not about so I won't go into much more detail about this.
The security implications are quite obvious here and the way to fix them is to get a switched network.
Switched Networks:
The idea of a switched network is to ensure that only packets addressed to a certain computer are sent to it.
This is done by the switch knowing which MAC address is plugged into which port on the switch and only sending data addressed to it out on that port.
So say the switch has 3 ports and three computers are plugged into it with three different MAC addresses; I will use 1, 2 and 3 to represent the MACs here.
The switch receives a data packet addressed to the MAC address of 1. (If it were an unswitched network it would now send this data packet out of all three ports to all three computers.)
But this switch knows that the computer with the MAC address of 1 is plugged into port 2, so it will only send the data packet out of port 2.
Seems like a foolproof way to send data packets, doesn't it? Well, there is a way around it!
Spoofing:
So far the security measures and exploits have been concerned with the destination IP/MAC address; what they can't verify is whether the source address is correct.
This type of spoofing is simply fooling the switch into thinking that a data packet has come from somewhere it didn't, normally a device it trusts.
So if you can send a data packet out and make a switch think it has come from somewhere else, you have successfully spoofed its source address.
To spoof an address we need to let the network know that the address you are going to use is alive and well on the network, and let it know an IP and MAC address.
Where are these kept? Yep, the ARP table. You may recall me saying earlier that when an ARP reply arrives with a known IP address but a different MAC address, all it will do is overwrite the old MAC address with the new one! Even if it has not sent out an ARP request broadcast!
This is called ARP poisoning.
Say we have two computers on a network, old faithful 'A' and 'B'.
They will each have an ARP cache: 'A' will have 'B's IP address and MAC address, and in return 'B' will have 'A's IP and MAC address.
Think back to the three-port switch; we will be the third computer on that switch.
For the sake of simplicity we will have the MAC addresses 1, 2 and 3 belonging to computers A, B and C respectively. So we will be C with the MAC of 3.
We will have used a program such as TCPDump to capture all the ARP messages that have been sent, and we can now see the IP addresses and MAC addresses of 'A' and 'B'. (Failing this, the results of a ping will add the MAC and IP address to your ARP table, providing you are on the same network.)
What we now need to do is make 'A' think we are 'B' and also make 'B' think we are 'A'.
So no matter what, the switch will send all the data packets to us.
So, we send an ARP reply out to 'A' saying that we are 'B' and have a MAC address of 3 (remember our actual MAC is 3, so the switch will send all packets out to us). So now any packets that 'A' wants to send to 'B', he will address to the MAC of 3 (aka us) as per his ARP cache. To do this there is an awesome tool called nemesis (v1.4).
The switch will receive a data packet, look at the destination MAC and send it right on up to us. We now take a look at the data part and then send it back down to the switch with the destination address of 2 (aka B). We need to ping 'A' and 'B' to ensure the correct MAC and IP addresses are in our ARP table, otherwise we would not be able to forward the packets to the correct addresses!
We can now do the same with B and receive any messages that he sends to 'A'.
What needs to be done with this attack is the regular sending of the ARP replies, to ensure that the relevant ARP caches always have our MAC address in them.
You can do this for every computer on the network should you so wish; as far as they are concerned they are sending a data packet addressed to 3, and the switch will duly oblige and send the data straight to you.
This site has the best example of ARP poisoning I have ever seen!
http://www.oxid.it/downloads/apr-intro.swf
Imagine what you could do if one of the computers was a gateway for that site's Internet traffic! Read up on nemesis!
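The two symptoms of what the ARP section above describes are visible on the wire: an IP address whose MAC address suddenly changes, and ARP replies arriving that nobody asked for. As an added example that is not part of the original paper, here is a defender-side ARP monitor in the spirit of arpwatch that replays a constructed list of ARP messages and raises an alert for both conditions. The ArpMessage and ArpMonitor classes, the addresses and the traffic are all made up for the example; the 2-second window for matching a reply to its request is an assumption.

```python
# Added example (not from the original paper): detecting the cache-overwrite
# behaviour described above by watching ARP traffic for changed bindings and
# unsolicited replies. Everything here is constructed for the example.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpMessage:
    t: float          # seconds since capture start (constructed)
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpMonitor:
    def __init__(self, request_ttl: float = 2.0):
        self.table: dict[str, str] = {}       # what we believe: ip -> mac
        self.pending: dict[str, float] = {}   # ip asked about -> time of the request
        self.request_ttl = request_ttl        # assumption: a reply later than this is unsolicited
        self.alerts: list[str] = []

    def observe(self, m: ArpMessage) -> None:
        if m.op == "request":
            self.pending[m.target_ip] = m.t
            self._learn(m)                    # a request carries the asker's own binding
            return
        asked = self.pending.get(m.sender_ip)
        if asked is None or m.t - asked > self.request_ttl:
            self.alerts.append(f"t={m.t}: unsolicited reply: {m.sender_ip} is {m.sender_mac}")
        else:
            del self.pending[m.sender_ip]
        self._learn(m)

    def _learn(self, m: ArpMessage) -> None:
        old = self.table.get(m.sender_ip)
        if old is not None and old != m.sender_mac:
            self.alerts.append(
                f"t={m.t}: changed binding: {m.sender_ip} was {old}, now {m.sender_mac}")
        self.table[m.sender_ip] = m.sender_mac


# Constructed traffic: a normal request/reply pair, then an unsolicited reply
# that re-points an existing IP at a third machine's MAC address.
SAMPLE = [
    ArpMessage(0.0, "request", "192.168.2.2", "00-30-bd-07-ca-37", "192.168.2.3"),
    ArpMessage(0.1, "reply",   "192.168.2.3", "00-20-ca-24-bd-12", "192.168.2.2"),
    ArpMessage(5.0, "reply",   "192.168.2.3", "00-30-00-33-30-bd", "192.168.2.2"),
]


def run(messages: list[ArpMessage] = SAMPLE) -> list[str]:
    """Feed the messages through a fresh monitor and return its alerts."""
    mon = ArpMonitor()
    for m in messages:
        mon.observe(m)
    return mon.alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

Two caveats for anyone running something like this for real: hosts legitimately send unsolicited ("gratuitous") ARP when an address moves, for example during failover, so the unsolicited-reply alert needs context before it is treated as an attack; and ARP requests are carried to the Ethernet broadcast address ff-ff-ff-ff-ff-ff, not to the IP broadcast, which is what a capture filter has to match. On the mitigation side, the "permanent" entries the text mentions (static ARP entries) stop the overwrite on the host, and managed switches can enforce the same IP-to-MAC bindings with dynamic ARP inspection.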
Hijacking a TCP/IP Connection:
For this attack you will need to understand how the sequence numbers work, so if you didn't understand it before, go back and re-read it!
For this to work it is essential that the attacker is on the same network as the victim.
When a packet is received after a connection has been established, it has to have the correct sequence number; if the number has already been used the packet will be dropped. If it is higher than what was expected, it will be stored in case it was from a message that has been fragmented and may need to be put back together.
If the sending station's sequence number is not what the receiving station expected (and vice versa), no data packets are passed up through the layers and you have a form of denial of service. If this happens the connection will still remain established!
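The sequence-number section earlier and the receiver rule just described are two halves of the same mechanism, so here is one added example (not from the original paper) that models both: a toy TCP endpoint that runs the three-way handshake with the numbers the text uses (A starts at 1, B at 111111) and then applies the receiver's rule to later segments, accepting exactly the expected number, dropping a number that has already been used, and holding a number that is further ahead until the gap is filled. The Segment and Endpoint classes are my own simplification: the Ack# field is carried but not validated, and the starting numbers are the paper's illustrative ones (a real stack picks a random initial sequence number).

```python
# Added example (not from the original paper): handshake sequence numbers and
# the accept / drop / hold rule a receiver applies afterwards.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False
    data: bytes = b""


@dataclass
class Endpoint:
    name: str
    snd_nxt: int                                 # next sequence number we will send
    rcv_nxt: int = 0                             # next sequence number we expect
    held: dict[int, Segment] = field(default_factory=dict)   # out-of-order segments

    def send(self, peer: Endpoint, data: bytes = b"", syn: bool = False,
             ack: bool = True) -> Segment:
        seg = Segment(self.name, peer.name, self.snd_nxt,
                      self.rcv_nxt if ack else 0, syn, ack, data)
        # A SYN consumes one sequence number; data consumes one per byte.
        self.snd_nxt += (1 if syn else 0) + len(data)
        return seg

    def receive(self, seg: Segment) -> str:
        """Return 'accepted', 'dropped' or 'held' for an incoming segment."""
        if seg.syn:                      # handshake: learn the peer's starting number
            self.rcv_nxt = seg.seq + 1
            return "accepted"
        if seg.seq < self.rcv_nxt:       # already used: duplicate, or a stale sender
            return "dropped"
        if seg.seq > self.rcv_nxt:       # ahead of us: keep it until the gap is filled
            self.held[seg.seq] = seg
            return "held"
        self.rcv_nxt += len(seg.data)    # exactly what we expected
        while self.rcv_nxt in self.held:  # drain anything that now fits
            self.rcv_nxt += len(self.held.pop(self.rcv_nxt).data)
        return "accepted"


def handshake(a: Endpoint, b: Endpoint) -> list[Segment]:
    """Run SYN, SYN/ACK, ACK between a and b and return the three segments."""
    syn = a.send(b, syn=True, ack=False)     # Seq# 1,      Ack# 0
    b.receive(syn)
    syn_ack = b.send(a, syn=True)            # Seq# 111111, Ack# 2
    a.receive(syn_ack)
    ack = a.send(b)                          # Seq# 2,      Ack# 111112
    b.receive(ack)
    return [syn, syn_ack, ack]


def demo() -> dict:
    """Handshake, then four data segments that exercise each receiver outcome."""
    a, b = Endpoint("A", 1), Endpoint("B", 111111)
    out = {"handshake": [(s.seq, s.ack) for s in handshake(a, b)]}
    first = a.send(b, b"hello")              # Seq# 2; A's counter moves on to 7
    out["in_order"] = b.receive(first)       # accepted: B now expects 7
    out["replay"] = b.receive(first)         # dropped: Seq# 2 has already been used
    ahead = Segment("A", "B", seq=12, ack=a.rcv_nxt, ack_flag=True, data=b"ahead")
    out["ahead"] = b.receive(ahead)          # held: B is still waiting for 7
    out["gap_filled"] = b.receive(a.send(b, b"gap!!"))  # Seq# 7 fills the hole
    out["b_expects"] = b.rcv_nxt             # 7 + 5 + 5 = 17 after draining the held segment
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The "dropped" and "held" branches are the behaviour the text relies on: once a segment has consumed a sequence number, a sender whose counter is still behind gets silently dropped, and a peer whose numbers run ahead gets buffered rather than delivered, while the connection itself stays established. The same rule is why detecting this condition on a host is hard (nothing errors) and why sequence-number anomalies are better spotted by a passive monitor that tracks both directions of a flow.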
Here's how this attack works:
We need to sniff all packets coming from the victim computer ('A') with a utility such as TCPDump.
From these sniffed packets we can get the sequence number that 'A' is up to.
Now we send a packet to 'B' with the source address spoofed to make it look like it came from 'A', with the correct sequence number. (TCPDump again)
When 'B' receives this packet, believing it came from 'A', he will respond to this data packet after increasing the sequence number by 1 (wink!).
Now 'A' didn't send the packet, we did, so when the packet from 'B' arrives with the wrong sequence number, 'A' will keep it for reconstruction purposes as the sequence number will be higher, but to all intents and purposes he will ignore it.
But what will happen now if 'A' sends a packet to 'B'? His sequence number will be one that has already been used (by us), so 'B' will drop the packet. So no matter what 'A' sends now, it will always be ignored. And everything B sends to A will be stored for later use, as the sequence number will be too high.
But as we sent out the first packet that caused all this, we have the correct sequence number that 'B' is expecting, so we have in effect hijacked the connection: we can carry on talking to 'B' and whatever 'A' sends will be ignored! And we have caused a denial of service (DoS) between two computers on this network.
There is another similar method whereby you sniff a connection to get the relevant sequence numbers, spoof the source address and send a packet with the RST (reset) flag turned on; when you send this you will reset the connection. Again this causes a DoS state that can be hijacked as long as you have the correct sequence number!
I hope this has been an informative paper and helps people to understand network protocols and attacks a bit more thoroughly!
Nokia.