Title: Session Layer Security
1. Session Layer Security
- Lecture 6
- Supakorn Kungpisdan
- supakorn_at_mut.ac.th
2. Roadmap
- Introduction
- SYN Attack
- Session Hijacking
- DNS Poisoning
- SSH Downgrade Attack
- Authentication Techniques and Attacks
3. Introduction
- Session layer provides a set of features that contribute to the reliability and usefulness of modern network communications
- Session Checkpoint
- Session Adjournment
- Session Termination
- Half- and Full-Duplex Operations
4. Session Checkpoint
- TCP acknowledgement (ACK) packets are regularly passed between hosts to identify the last packet that was received
- TCP delays the transmission of an ACK packet until either a timeout is reached or a number of packets equal to the TCP window size have been sent
- This delay increases the efficiency of the protocol and establishes checkpoints
- At any point, TCP can resume transmission from the previous checkpoint if a delivery failure occurs
5. Session Adjournment
- TCP sessions may be adjourned by setting the TCP window to 0 bytes.
- This informs the sending host that no buffer is available to hold transmitted data and halts communications without losing the connection
6. Session Termination
- TCP provides a means for both graceful and immediate session terminations
- Graceful termination occurs by setting a finish (FIN) flag that is subsequently acknowledged by the recipient
- Immediate termination occurs by using packets with the reset (RST) flag set
Half- and Full-Duplex Operations
- While TCP operates at full duplex, the session layer allows for both full- and half-duplex operations
7. Attacking the Session Layer
- Rely primarily on abuses of the TCP and IP headers
- Several behaviors designed into the TCP specification allow a wide variety of attacks
- In particular, TCP flags and Sequence and Acknowledgement numbers enable several methods of attack
- Newer attacks may focus on higher-layer protocols like Session Description Protocol (SDP) and Session Initiation Protocol (SIP)
8. SYN Attack
- Using legitimate TCP functions permits attackers with a small number of hosts to conduct DoS, which can completely saturate the bandwidth of a corporation
- In the TCP three-way handshake, a new source port is selected on the client host for each new connection that is opened to a particular port on a server
- The server has to allocate a number of resources to handle each connection
- A large number of hosts can use this to great effect when attacking a web site
9. SYN Attack (cont.)
- From an attacker's perspective, this approach is less than ideal
- Creating multiple connections is extremely inefficient
- Every established connection consumes a lot of resources on the server and the attacking client
- This kind of attack is not anonymous
- Many servers limit the number of connections that they will accept from a single host
10. Performing SYN Attack
- Our goal is to consume resources on the victim server but not on the DoS client
- We want to avoid using any system calls to open network connections
11. SYN Attack with hping2
- Hping2 tool provides a simple means for producing crafted packets
- Sending a single SYN packet to port 6666 on the victim server
- hping -c 1 -p 6666 -S 10.10.1.9
- In this case, we use the attacking machine's IP as source IP
12. SYN Attack with hping2 (cont.)
Using real IP (196.254.34.6) as source will immediately terminate SYN/ACK from target (10.10.1.9)
13. SYN Attack with hping2 (cont.)
- However, the DoS client was stymied by attempts to circumvent its resource consumption
- Any TCP stack that meets an unsolicited SYN/ACK packet will respond with an RST
- The solution is to spoof a source IP address
- hping -c 1 -a 10.12.250.250 -p 6666 -S 10.1.1.9
(10.12.250.250 is the spoofed IP address)
14. SYN Attack with hping2 (cont.)
Target keeps sending SYN/ACK to the spoofed source until reaching timeout
15. SYN Attack with hping2 (cont.)
- The victim server attempts to reply to the non-existent host with SYN/ACK
- TCP tries to ensure reliable delivery and will continue trying to complete the handshake until timeout
- The DoS client can now produce packets as fast as it can spoof them, while at the same time the victim server attempts to complete handshakes in vain
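Seen from the server side, the behaviour on slides 12 to 15 is a backlog of half-open handshakes that never receive an ACK or RST. The sketch below is an added example, not part of the original lecture: it counts such entries per listener over a constructed packet list, and the record layout, function names and threshold are assumptions made for illustration.

```python
from collections import defaultdict


def build_sample():
    """Constructed capture: (time_s, src, sport, dst, dport, flags)."""
    server = "10.10.1.9"
    pkts = [
        # A normal client completes the three-way handshake on port 80.
        (0.00, "10.10.1.20", 40000, server, 80, "S"),
        (0.01, server, 80, "10.10.1.20", 40000, "SA"),
        (0.02, "10.10.1.20", 40000, server, 80, "A"),
    ]
    for i in range(30):
        # Real source address: its stack answers the unexpected SYN/ACK with
        # an RST, so the server can drop the half-open entry at once.
        t = 1.0 + i * 0.01
        pkts += [(t, "196.254.34.6", 2000 + i, server, 6666, "S"),
                 (t + 0.001, server, 6666, "196.254.34.6", 2000 + i, "SA"),
                 (t + 0.002, "196.254.34.6", 2000 + i, server, 6666, "R")]
    for i in range(50):
        # Unused source address: nobody answers, the entry waits for timeout.
        t = 2.0 + i * 0.01
        pkts += [(t, "10.12.250.250", 3000 + i, server, 6666, "S"),
                 (t + 0.001, server, 6666, "10.12.250.250", 3000 + i, "SA")]
    return pkts


def half_open(packets, now, min_age=1.0):
    """Count handshakes per (server, port) that saw a SYN but no ACK or RST."""
    pending = {}  # (client, cport, server, sport) -> time of the SYN
    for t, src, sport, dst, dport, flags in sorted(packets):
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = t
        elif flags in ("A", "R"):
            pending.pop(key, None)  # handshake completed or aborted
        # "SA" travels server -> client and does not change the state.
    counts = defaultdict(int)
    for (_, _, server, port), t in pending.items():
        if now - t >= min_age:
            counts[(server, port)] += 1
    return dict(counts)


def flag_syn_floods(packets, now, threshold=20):
    """Return listeners whose half-open backlog reaches the threshold."""
    counts = half_open(packets, now)
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    sample = build_sample()
    print(half_open(sample, now=10.0))
    print(flag_syn_floods(sample, now=10.0))
```

Only the handshakes from the silent source stay in the backlog; the ones answered with RST are cleared, which is why the real-address case on slide 12 does not exhaust the server.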
16. Note on SYN Attack
- Careful selection of the spoofed IP is necessary to conduct a successful DoS attack
- The most successful method to ensure delivery of a spoofed packet is to select an unused IP on the same subnet as the attacking host
17. Reflective Attack
- A variation of SYN attack
- Launched by sending a large number of SYN packets to a web server but altering the source address so that it matches the address of the victim
- The web server responds to the large number of SYN packets by issuing a flood of traffic back to the spoofed victim's address
18. Session Hijacking
- Session hijacking works by taking advantage of the fact that most communications are protected (by providing credentials) at session setup, but not thereafter.
- These attacks generally fall into three categories
- Man-in-the-middle (MITM)
- Blind Hijacking
- Session Theft
Ref: http://technet.microsoft.com/en-us/magazine/cc160809(TechNet.10).aspx
19. MITM Attacks
- Attacker intercepts all communications between two hosts.
- With communications between a client and server now flowing through the attacker, he or she is free to modify their content.
- Protocols that rely on the exchange of public keys to protect communications are often the target of these types of attacks
20. Blind Hijacking
- An attacker injects data such as malicious commands into intercepted communications between two hosts, commands like "net.exe localgroup administrators /add EvilAttacker".
- This is called blind hijacking because the attacker can only inject data into the communications stream, but cannot see the response to that data (such as "The command completed successfully.")
- Essentially, the blind hijack attacker is shooting data in the dark, but this method is still very effective
21. Session Theft Attacks
- Attacker neither intercepts nor injects data into existing communications between two hosts.
- Instead, the attacker creates new sessions or uses old ones.
- This type of session hijacking is most common at the application level, especially Web applications.
22. Hijacking A TCP Session
Session establishment
Data transfer
23. Hijacking A TCP Session (cont.)
- If the attacker wanted to inject data into the TCP session as the client, he or she would need to
- Spoof the client's IP address
- Determine the correct sequence number that is expected by the server from the client
- Inject data into the session before the client sends its next packet
- To achieve the third, the attacker could just send the data to inject and hope it is received before the real client's data
- Or, the attacker could perform a DoS attack on the client, or use ARP spoofing
24. Blind Injection
When the client receives the ACK packet, it will be confused, either because it did not send any data or because the next expected sequence is incorrect.
25. Hijacking A TCP Session (cont.)
- Maybe the attacker can send something "nice" like "mv which emacs /vmunix shutdown r now" (and not just a single character)
- This confusion can cause a TCP ACK storm, which can disrupt a network
- Attackers can automate the session hijacking process with tools such as Juggernaut, Hunt, and Ettercap
26. Hijacking A UDP Session
- Attackers do not have to worry about the overhead of managing sequence numbers and other TCP mechanisms.
- Since UDP is connectionless, injecting data into a session without being detected is extremely easy
- DNS queries, online games like the Quake series and Half-Life, and peer-to-peer sessions are common protocols that work over UDP; all are popular targets for this kind of session hijacking
27. Determining Susceptibility
- One way to check if your network is vulnerable to session hijacking is to hijack actual network sessions using common attacker tools e.g. Juggernaut or Hunt (now Ettercap)
- Alternatively, try to find out whether you are using transport protocols that do not use cryptographic protection
- Protocols such as Telnet and FTP are extremely susceptible to hijacking when not protected inside encrypted tunnels
- Countermeasure is to use SSL, SSH, and IPSec
28. Tricks and Techniques
- TCP ACK Storm
- ARP Table Modification
- TCP Resynchronizing
- Remotely Modifying Routing Table
29. TCP ACK Packet Storm
As the attacker injects more and more data, the size of the ACK storm increases and can quickly degrade network performance.
If neither the attacker nor the client explicitly closes the session, the storm will likely stop itself eventually when ACK packets are lost in the storm.
30. ARP Table Modification
Finding owner of MAC address
Spoofed reply
31. ARP Table Modification (cont.)
Stopping TCP ACK Storm
32. TCP Resynchronizing
- To hide his/her tracks, an attacker who is finished session hijacking might want to resynchronize the communicating hosts.
- The problem is that, after the attack, the two hosts whose session was hijacked will be at different points in the session.
- In other words, each host will be expecting different sequence numbers.
- For example, the server might think that it is 40 bytes into the session when the client might have sent only 29 bytes.
33. TCP Resynchronizing (cont.)
- Since sequence numbers move in only a positive direction, it's not possible to manipulate the server so that its expected sequence number moves downward to match the client's sequence number.
- Tools like Hunt try to solve this problem by sending a message to the client
- msg from root power failure try to type 13 chars
34. Remotely Modifying Routing Table
- An attacker who wants to hijack a session wants to route all communications between a client and server through him or her, making it easy to monitor, modify, and inject data into the session, as in MITM attacks.
- One way an attacker modifies the routing table of the host is to forge ICMP Redirect (type 5) packets and advertise them as the route to take when sending data.
- To protect Windows hosts from forged ICMP redirects, set the EnableICMPRedirect value to 0 under the registry key HKLM\System\CurrentControlSet\Services\AFD\Parameters
35. DNS Poisoning
- A more common example of session hijacking is DNS poisoning
- DNS poisoning allows you to convince a DNS server that a hostname resolves to an arbitrary IP
36. DNS Resolution
Client does not query the canonical nameserver because of the efficiency provided by caching at the local nameserver
[Figure: DNS resolution, steps 1-6]
37. DNS Poisoning (cont.)
[Figure: DNS poisoning, steps 1-7; labels: Attacker's nameserver, Spoofed web server]
NETE4630
38. DNS Poisoning (cont.)
- Implementing DNS poisoning is difficult
- Each DNS query contains a 2-byte identification field that allows responses to be matched to queries
- An attacker has a 1 in 65,536 (2^16) chance of guessing the correct identification value
- Normally an attacker needs to sniff the identification number of the query in order to successfully spoof a response
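The matching step described on slide 38 is what a resolver relies on to reject forged answers. The sketch below is an added example, not part of the original lecture: it builds DNS messages with one question and accepts a reply only when the identification field, the server address, the local port and the question all match the outstanding query. The function names, the addresses and the `pending` record layout are assumptions; comparing the source port as well goes slightly beyond the slide, which mentions only the 2-byte ID.

```python
import struct


def encode_name(name):
    """Encode a hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(txid, name, response=False, qtype=1):
    """Build a DNS header plus one question; the answer section is omitted."""
    flags = 0x8180 if response else 0x0100  # QR bit set marks a response
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (txid, is_response, qname, qtype) from a DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        if n > 63:
            raise ValueError("compressed or invalid label")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return txid, bool(flags & 0x8000), ".".join(labels), qtype


def accept_response(pending, reply, src, dst_port):
    """Accept a reply only if it matches the outstanding query in every field."""
    try:
        txid, is_response, qname, qtype = parse_question(reply)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return False  # truncated or malformed messages are dropped
    return (is_response
            and txid == pending["txid"]
            and src == pending["server"]
            and dst_port == pending["local_port"]
            and qname == pending["qname"].lower()
            and qtype == pending["qtype"])


def spoof_success_probability(forged_replies, port_pool=1):
    """Chance that one of n distinct blind guesses matches the ID (and port)."""
    return min(1.0, forged_replies / (65536 * port_pool))


if __name__ == "__main__":
    # Constructed query state; addresses are documentation ranges.
    pending = {"txid": 0x1A2B, "qname": "www.example.com", "qtype": 1,
               "server": ("192.0.2.53", 53), "local_port": 40123}
    good = build_message(0x1A2B, "www.example.com", response=True)
    forged = build_message(0x1A2C, "www.example.com", response=True)
    print(accept_response(pending, good, ("192.0.2.53", 53), 40123))
    print(accept_response(pending, forged, ("192.0.2.53", 53), 40123))
    print(spoof_success_probability(1), spoof_success_probability(1, 60000))
```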
39. DNS Poisoning with Ettercap
[Screenshot: steps 1-3]
40. DNS Poisoning with Ettercap (cont.)
[Screenshot: steps 4-5]
41. DNS Poisoning with Ettercap (cont.)
[Screenshot: steps 6-8]
42. DNS Poisoning with Ettercap (cont.)
Ettercap.dns
[Screenshot: steps 9-10]
43. SSL Spoofing with Ettercap
44. SSH Downgrade Attack
- SSH is the most famous example of a downgrade attack where the attacker forces the client and the server to use the insecure SSH1 protocol.
- The client sends a request to establish an SSH link to the server and asks it for the version it supports
- The server answers with one of
- ssh-2.xx: The server supports only SSH2
- ssh-1.99: The server supports SSH1 and SSH2
- ssh-1.51: The server supports only SSH1
- This attack occurs at the server that supports both SSH1 and SSH2
Ref: http://openmaniak.com/ettercap_filter.php
45. SSH Downgrade Attack (cont.)
46. SSH Downgrade Attack (cont.)
47. SSH Downgrade Attack with ettercap
- 1. Configure SSH server to support SSH1 and SSH2
- apt-get install openssh-server
- vim /etc/ssh/sshd_config
- Protocol 1,2
- 2. Create a SSH1 key pair
- ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
- 3. Add the key path into sshd_config file
- HostKey /etc/ssh/ssh_host_key
- 4. Try to telnet to server to check if it has SSH1
- Trying server_ip_address...
- Connected to server_ip_address.
- Escape character is '^]'.
- SSH-1.99-OpenSSH_4.6p1 Debian-5ubuntu0.1
48. Client's PuTTY Screen
Version 2 is preferred but not restricted
49. Ettercap Filter
50. SSH Downgrade Attack Filter
/usr/share/ettercap/ettercap.filter.ssh
51. Compiling the Filter
52. Loading the Compiled Filter
53. SSH Downgrade Attack Result
54. Avoiding SSH Downgrade Attack
- Never use SSH1 on either the server or the client
- At /etc/ssh/sshd_config file
- Protocol 2
- telnet server_ip_address 22
- Trying server_ip_address...
- Connected to server_ip_address.
- Escape character is '^]'.
- SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1
55. Avoiding SSH Downgrade Attack (cont.)
SSH Client
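The banner check done by hand with telnet on slides 47 and 54 can be scripted for an inventory of servers. The sketch below is an added example, not part of the original lecture: it classifies an SSH identification string and reads the Protocol line of an sshd_config text, using the two banners shown on the slides. The function names and the sample configuration texts are assumptions, and the Protocol check applies only to sshd versions that still have that directive, such as the OpenSSH 4.6 shown here.

```python
import re

BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")

# Constructed sshd_config fragments: the lab setup from slide 47 and the
# corrected setting from slide 54.
WEAK_CONFIG = "Port 22\nProtocol 1,2\nHostKey /etc/ssh/ssh_host_key\n"
HARDENED_CONFIG = "Port 22\n# Protocol 1,2\nProtocol 2\n"


def classify_banner(banner):
    """Map an SSH identification string to the protocol versions it offers."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "not-ssh"
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        return "ssh1+ssh2"  # compatibility banner: a downgrade is possible
    if major >= 2:
        return "ssh2-only"
    return "ssh1-only"


def config_protocols(sshd_config_text):
    """Return the versions named by the first Protocol line, or None."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "protocol":
            # sshd uses the first value it finds for a keyword.
            return {int(v) for v in re.split(r"[,\s]+", parts[1]) if v.isdigit()}
    return None  # no explicit setting: the default depends on the sshd version


def audit(banner, sshd_config_text):
    """List the SSH1 exposures visible in a banner and a config text."""
    findings = []
    if classify_banner(banner) in ("ssh1+ssh2", "ssh1-only"):
        findings.append("banner offers SSH1: " + banner.strip())
    protos = config_protocols(sshd_config_text)
    if protos is not None and 1 in protos:
        findings.append("sshd_config enables protocol 1")
    return findings


if __name__ == "__main__":
    print(audit("SSH-1.99-OpenSSH_4.6p1 Debian-5ubuntu0.1\r\n", WEAK_CONFIG))
    print(audit("SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1\r\n", HARDENED_CONFIG))
```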
56. Authentication
- Two main categories of authentication
- Synchronous and asynchronous authentication protocols
- Synchronous authentication protocols provide credentials at the start of the authentication process
- Asynchronous authentication involves a challenge-response model
57. Password Authentication Protocol
- Password Authentication Protocol (PAP) is one of the least secure authentication protocols
- Password and username are sent in cleartext to the authentication server after a connection has been established.
- Some systems revert to PAP if they cannot agree on any other authentication protocol.
- Both entities will try to negotiate and agree upon the most secure method of authentication
- Start with EAP, CHAP, then PAP
58. Challenge Handshake Authentication Protocol
59. NT LAN Manager v1 (NTLMv1)
[Figure labels: 8-byte random number; Enter password; Compare hash value; R1, R2]
60. NTLMv1 (cont.)
- User password and challenge are used to calculate LANMAN hash and MD4 hash
- C = 8-byte random challenge
- Hash1 = MD4(password)
- K1, K2, K3 = Hash1, 5-byte-0s
- R1 = DES(K1, C), DES(K2, C), DES(K3, C)
- Hash2 = LM-hash(password)
- K4, K5, K6 = Hash2, 5-byte-0s
- R2 = DES(K4, C), DES(K5, C), DES(K6, C)
- Client sends R1, R2 as a response to the server
61. LM challenge/response
- uppercase(password[1..7]) as KEY, DES over the magic word, gives LM_hash[1..8]
- uppercase(password[8..14]) as KEY, DES over the magic word, gives LM_hash[9..16]
- LM_hash[17..21] = 00 00 00 00 00
- magic word is "KGS!@#$%"
Urity_at_SecurityFriday.com, Cracking NTLMv2 Authentication
62. LM challenge/response (cont.)
- LM_hash[1..7] as KEY, DES over the challenge code, gives LM_response[1..8]
- LM_hash[8..14] as KEY, DES over the challenge code, gives LM_response[9..16]
- LM_hash[15..21] (ending in 00 00 00 00 00) as KEY, DES over the challenge code, gives LM_response[17..24]
Urity_at_SecurityFriday.com, Cracking NTLMv2 Authentication
63. NTLM 2 Authentication
- unicode(password) through MD4 gives the first KEY
- HMAC_MD5 with that KEY over unicode(uppercase(account name) + domain_or_hostname) gives the second KEY
- HMAC_MD5 with the second KEY over server_challenge + client_challenge gives the NTLMv2 Response
Urity_at_SecurityFriday.com, Cracking NTLMv2 Authentication
64. LM, NTLMv1, NTLMv2
                          LM                       NTLMv1                   NTLMv2
Password case sensitive   No                       Yes                      Yes
Hash key length           56bit + 56bit            -                        -
Password hash algorithm   DES (ECB mode)           MD4                      MD4
Hash value length         64bit + 64bit            128bit                   128bit
C/R key length            56bit + 56bit + 16bit    56bit + 56bit + 16bit    128bit
C/R algorithm             DES (ECB mode)           DES (ECB mode)           HMAC_MD5
C/R value length          64bit + 64bit + 64bit    64bit + 64bit + 64bit    128bit
Urity_at_SecurityFriday.com, Cracking NTLMv2 Authentication
65. Authenticating with Kerberos
- Default authentication mechanism used by Windows 2000, XP, and 2003 hosts when part of an Active Directory
- Strong protocol, relying on a central server (normally Active Directory Controller) to grant access privileges to systems
- The main weakness of Kerberos is that all authentication tokens have a lifespan
- Any network using Kerberos must synchronize clocks on all systems using a protocol e.g. Network Time Protocol (NTP)
66. Attacks Against Password Hashes
- Brute Force Attack
- Iterates through every possible input and hashes it, comparing the output with the hash value
- Guaranteed to crack the hash if run long enough
- Dictionary Attack
- Iterates through possible passwords and common substitutions of these words
- Not guaranteed to produce results
- E.g. John The Ripper (or John The Ripper Pro for commercial version) available at http://www.openwall.com/john/
67. Attacks Against Password Hashes (cont.)
- Rainbow Table Attack
- Compute every hash ahead of time, allowing the attacker to check his/her database of hashes for just the one he/she is trying to crack
- Several tools can be used for password cracking, including Windows passwords in SAM, LM, NTLM password hashes
- Rainbow Crack, Ophcrack, John the Ripper, Cain and Abel
- Rainbow Crack can be used to crack LM, MD5, Office hashes
68. Rainbow Table
69. Rainbow Table (cont.)
70. Cracking LM Password with Rainbow Crack
- Dump password hashes using samdump, pwdump, fgdump
- Install Rainbow Crack
- Before cracking the password, generate the rainbow table first
- LM Configuration0 6
- Sort the rainbow table using rtsort command
- Crack the password using rcrack command
Ref: http://www.ethicalhacker.net/content/view/94/24/
71. Password Hashes from pwdump
72. Generating Rainbow Table
- To generate other configuration, use rtgen command
- rtgen lm alpha-numeric 1 7 0 2400 40000000 all
- rtgen lm alpha-numeric 1 7 1 2400 40000000 all
- rtgen lm alpha-numeric 1 7 2 2400 40000000 all
- rtgen lm alpha-numeric 1 7 3 2400 40000000 all
- rtgen lm alpha-numeric 1 7 4 2400 40000000 all
73. Generating Rainbow Table (cont.)
- 1 and 7 are our plaintext ranges. So we want passwords from A to ZZZZZZZ.
- If we had put plaintext length range "4-6", "AAAA" and "ZZZZZZ" would be among the key space
- 0, 1, 2, 3, 4 are table numbers
- 2400 is chain length. Chain length increases the success rate per table but does not increase table size.
- It computes more hashes per chain but also takes longer to create and search the table
- 8000000 is chain count of each rainbow table.
- Chain count is simply how many chains you want per table. Increasing this value produces larger files with higher success rates, but the overall computation time isn't affected.
74. Rainbow Table Configuration
75. Generating Rainbow Table with Winrtgen
- Winrtgen (now in Cain and Abel) is a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384) and SHA-2 (512) hashes.
- Winrtgen can generate only rainbow table configuration0
76. Generating Rainbow Table with Winrtgen (cont.)
Generating 1 configuration0 table takes 2 days on P3 1GHz machine
77. Generating Rainbow Table with Winrtgen (cont.)
Generating 5 configuration0 tables takes 12 days on P3 1GHz machine
78. Generating Rainbow Table (cont.)
- 128,000,000 bytes lm_alpha1-7_0_2100x8000000_all.rt
- 128,000,000 bytes lm_alpha1-7_1_2100x8000000_all.rt
- 128,000,000 bytes lm_alpha1-7_2_2100x8000000_all.rt
- 128,000,000 bytes lm_alpha1-7_3_2100x8000000_all.rt
- 128,000,000 bytes lm_alpha1-7_4_2100x8000000_all.rt
- Sort the rainbow table
- rtsort lm_alpha1-7_0_2100x8000000_all.rt
- rtsort lm_alpha1-7_1_2100x8000000_all.rt
- rtsort lm_alpha1-7_2_2100x8000000_all.rt
- rtsort lm_alpha1-7_3_2100x8000000_all.rt
- rtsort lm_alpha1-7_4_2100x8000000_all.rt
79. Cracking the Password
- C:\rainbowcrack-1.2-win\rainbowcrack-1.2-win>rcrack
- RainbowCrack 1.2 - Making a Faster Cryptanalytic Time-Memory Trade-Off
- by Zhu Shuanglei <shuanglei_at_hotmail.com>
- http://www.antsight.com/zsl/rainbowcrack/
- usage: rcrack rainbow_table_pathname -h hash
- rcrack rainbow_table_pathname -l hash_list_file
- rcrack rainbow_table_pathname -f pwdump_file
- rainbow_table_pathname: pathname of the rainbow table(s), wildchar(*, ?) supported
- -h hash: use raw hash as input
- -l hash_list_file: use hash list file as input, each hash in a line
- -f pwdump_file: use pwdump file as input, this will handle LAN Manager hash only
- example: rcrack *.rt -h 5d41402abc4b2a76b9719d911017c592
- rcrack *.rt -l hash.txt
- rcrack *.rt -f hash.txt
80. Cracking the Password (cont.)
- rcrack c:\rainbowcrack\*.rt -f pwdumpfile.txt
- rcrack c:\rainbowcrack\*.rt -l justhashlist.txt
- rcrack c:\rainbowcrack\*.rt -h 213D466DB5B288F0F82E44EC0938F4F4
- Where pwdumpfile.txt is the result of using a hash dumping utility like pwdump2, pwdump3, samdump, etc. to dump the LAN Manager's passwords.
- If your password consists of letters only, rcrack should be able to crack it with a success rate of 99.9%.
81. Cracking the Password (cont.)
82. Cracking the Password (cont.)
- 26 of our 41 hashes found in about 12 minutes.
- Also notice that the hash for the password "password" is the same because there is no salting with the LAN Manager hashing algorithm.
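The two weaknesses noted above, LM hashes being stored at all and identical passwords giving identical hashes, can be checked in an account audit without cracking anything. The sketch below is an added example, not part of the original lecture: it reads pwdump-style lines (user:rid:LM:NT:::) and reports accounts that still have an LM hash, accounts whose second LM half is the well-known empty-half value (the password fits in 7 characters), and accounts sharing a hash. The sample lines use constructed hex values, and the function and field names are assumptions.

```python
from collections import defaultdict

EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM result for an empty 7-character half
EMPTY_LM = EMPTY_LM_HALF * 2        # value shown when no LM hash is kept

# Constructed pwdump-style sample. The hex strings are made up for this
# example and are not hashes of real passwords.
SAMPLE = "\n".join([
    "alice:1001:" + "1" * 16 + EMPTY_LM_HALF + ":" + "A1" * 16 + ":::",
    "bob:1002:" + "2" * 16 + "3" * 16 + ":" + "B2" * 16 + ":::",
    "carol:1003:" + "2" * 16 + "3" * 16 + ":" + "B2" * 16 + ":::",
    "dave:1004:" + EMPTY_LM + ":" + "D4" * 16 + ":::",
])


def parse_pwdump(text):
    """Return (user, lm_hex, nt_hex) for each well-formed line."""
    rows = []
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) >= 4 and len(f[2]) == 32 and len(f[3]) == 32:
            rows.append((f[0], f[2].upper(), f[3].upper()))
    return rows


def audit_lm(text):
    """Report LM storage, short passwords and shared hashes per account."""
    report = {"lm_stored": [], "seven_or_fewer": [], "shared_hash": []}
    by_nt = defaultdict(list)
    for user, lm, nt in parse_pwdump(text):
        by_nt[nt].append(user)
        # Some pwdump versions print "NO PASSWORD***..." instead of the
        # empty LM value; both mean no usable LM hash is stored.
        if lm == EMPTY_LM or lm.startswith("NO PASSWORD"):
            continue
        report["lm_stored"].append(user)
        if lm[16:] == EMPTY_LM_HALF:
            report["seven_or_fewer"].append(user)
    # Neither hash is salted, so equal passwords give equal hashes.
    report["shared_hash"] = sorted(sorted(u) for u in by_nt.values() if len(u) > 1)
    return report


if __name__ == "__main__":
    print(audit_lm(SAMPLE))
```

Accounts listed under lm_stored are the ones the passphrase and ALT-character advice on the following slides is meant to eliminate.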
83. Protecting yourself against RainbowCrack attacks and other password attacks
- Limiting physical access
- Continue to force the use of special characters
- Use ALT-XXX characters in your passwords
- Keep up with updates
- Use Pass phrases
- Use Multi-factor authentication
- Password Policy
- Use NTLM or NTLMv2
84. Limiting Physical Access
- One common attack if you have physical access to a machine is to use a bootable Linux distro to simply boot into Linux and grab the SAM file off the Windows partition.
- IronGeek wrote a good tutorial on this method and even has a video you can watch. You can get it here: http://www.irongeek.com/i.php?page=security/localsamcrack2.
- Another interesting tool released by Eeye is SysRQ2: http://research.eeye.com/html/tools/RT20060801-8.html.
- SysRq is a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup.
85. Continue to force the use of special characters
- Rainbow tables can rip through an LM password with any type of special character, but it still takes a large amount of time (1-2 years) to generate them
- In LC4 we go from 9-11 hours to brute force an alpha-numeric password to 91 days to brute force passwords with the possibility of all special characters (not including ALT-XXX passwords).
86. Use ALT-XXX characters in your passwords
- ALT characters are produced by holding down the ALT key and pressing a three or four digit number sequence on your keypad.
- Most password crackers cannot crack passwords with ALT characters.
- Most ALT characters also have the added benefit that passwords that have ALT characters in them cannot be stored as LM hashes.
- It causes password hashes to disappear
87. ALT-XXX Characters
88. Use Passphrases
- Easiest and simplest way to protect your network from password cracking.
- By using pass phrases that are greater than 14 characters AND use special characters, you can protect yourself from all but the determined attackers.
- If your network is Windows 2000 and above, you have a maximum length of 127 characters on your password/pass phrase, so the sky's the limit.
- A pass phrase like "This is my Stupid Pass Phrase!" is long enough to be stored as NTLM or NTLMv2, has Uppercase, Lowercase, Spaces, and Special Characters, and is easy to remember.
- This is a much more secure password than even "@w3cjdBeumDr".
89. Question?
- Next week
- Presentation Layer Security