Department of Communication and Operating Systems

Computer and Network Security |

Lecturer : M.Younis Popal

Contact : herat.net.sec@gmail.com

Sunday, July 29, 2018 (Lec04 Network Attacks)

1
2
Content

 Password Cracking
 Social Engineering
 Sniffing
 Denial of Service
 ping of death
 SYN Flooding
 Spamming
 Smurfing

2
3
Password Cracking

 Password cracking is sometimes called a dictionary-based attack.

 Password crackers are programs that decipher password files.
 They are able to decipher password files by utilizing the same algorithm used to create the
encrypted password.
 They generally employ a dictionary of known words or phrases, which are also encrypted with
the password algorithm

3
 4
Password Cracking: Practical Example
john

john --test

4
5
Password Cracking: Practical Example

john /etc/shadow

john --show /etc/shadow

5
6
Social Engineering

 Social engineering, which refers to the nontechnical methods hackers employ to gain access to
systems, can be amazingly effective.
 Social engineering usually refers to the process of convincing a person to reveal information
(such as a password) that enables the hacker to gain access to a system or network.
 Example from book (Fundamental Network Security)
 It is important for every organization to have a policy regarding the disclosure of passwords.

6
7
Sniffing

 Network sniffing or packet sniffing is the process of monitoring a network in an attempt to gather
information that may be useful in an attack.
 With the proper tools a hacker can monitor the network packets to obtain passwords or IP
addresses.
 Many companies produce sniffers for legitimate purposes that can be abused by hackers
 Password sniffing is particularly a threat for users who log into their system remotely and use
non-secure protocols
 telnet
 rlogin
 There are a bunch of sniffers tools
 Wireshark
 Tcpmon
 tcpdump

7
8
Sniffing

 Ping sniffing example with tcpdump

 A bunch of options that can be used with TCPDUMP.

 Tcpdump –w sniffing.log write sniffing info in to a file
 Tcpdump –r sniffing.log read a file with sniffing info
 Tcpdump –D list your system interface
 Tcpdump –i interface name listen specific interface to listen on

8
9
Sniffing

 Ping sniffing example with wireshark

9
10
Sniffing: wireshark Filtering Language

 Wireshark has a filtering language the can be used to seek interested information
 This filtering can be applied in two different situation
 Capturing
 Viewing information
 Example:
 Put following in filer field of Wireshark
 Ip.addr==192.168.1.1 #information contain this ip addr
 Ip.src=192.168.1.1 #info contain this addr as source
 Ip.dst=192.168.1.1 # information contain this addr as dst
 http contains http://facebook.com # information contain this domain
 tcp.port==23. # information contain this port

10
11
Sniffing: wireshark Filtering Language

11
12
Sniffing : modes

 Promiscuous mode
 In a network, promiscuous mode allows a network device to intercept and read each
network packet that arrives in its entirety
 Promiscuous mode is a type of computer networking operational mode in which all network
data packets can be accessed and viewed by all network adapters operating in this mode
 Non-Promiscuous mode:
 Check destination address in data packet

12
13
Denial of Service

 Denial-of-service attacks are designed to shut down or render inoperable a system or network.
 The goal of the denial-of-service attack is to make the server unavailable for users
 It is called a denial-of-service attack, because the end result is to deny legitimate users access to
network services.
 DOS attacks are used for revenge or to punish
‫ﺗﻧﺑﯾﮫ ﻛردن‬/ ‫اﻧﺗﻘﺎم‬
 Unlike real hacking, no need for great experience
 There are many different types of denial-of-service attacks:
 Ping of death
 SYN Flooding
 Spamming
 Smurfing

13
14
Ping of Death

 Is an example of how simple it can be to launch a denial-of-service attack once a vulnerability has
been discovered.
 The ping of death exploited a flaw in many vendors' implementations of ICMP.
 Many operating systems were or are vulnerable to larger-than-normal ICMP packets.
 As a result, specifying a large packet in a ping command can cause an overflow in some systems‘
internals that can result in system crashes.
 Command: ping –l size target

14
15
SYN Flooding

 SYN flooding is a denial-of-service attack that exploits the three-way handshake that TCP/IP uses
to establish a connection.
 Basically, SYN flooding disables a targeted system by creating many half-open connections
 Let see normal flow of three-way handshake

Can You imagine half-open connection here!

15
16
SYN Flooding

 In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted
server, often using a fake IP address.
 The server, unaware of the attack, receives multiple, apparently legitimate requests to establish
communication. It responds to each attempt with a SYN-ACK packet from each open port .
 server under attack will wait for acknowledgement of its SYN-ACK packet for some time.
 Before the connection can time out, another SYN packet will arrive.
 This leaves an increasingly large number of connections half-open
 The server may even malfunction or crash.

16
17
SYN Flooding

 For doing this type attack hping is suitable

 Free packet generator and analyzer
 Command:hping3 –i –S –p 22 target

17
18
Spam

 SPAM is unwanted e-mail. Anyone who has an e-mail account has received SPAM.
 Usually it takes the form of a marketing solicitation from some company trying to sell something
we don't want or need.
 To most of us it is just an annoyance
 but to a server it can also be used as a denial-of-service attack.
 By sending thousands of messages to target system
 SPAM can eat available network bandwidth, overload CPUs, cause log files to grow very large,
and consume all available disk space on a system. Ultimately, it can cause a system to crash.

18
19
ICMP Smurf Attack

 Smurf is a network layer distributed denial of service (DDoS) attack

 Smurf malware is used to generate a fake Echo request containing a spoofed source IP,
which is actually the target server address.
 The request is sent to an intermediate IP broadcast network.
 The request is transmitted to all of the network hosts on the network Each host sends an
ICMP response to the spoofed source address.
 With enough ICMP responses forwarded, the target server is brought down.

19
20
ICMP Smurf Attack

20
21 Assignment #3

 Working on sniffers.
 Use specific kind of sniffer
 Wireshak
 Tcpdump
 Tcpmon
 Ect
 Scenario :
 Setup a network with telnet service enabled.
 Telnet has a drawback regarding of authentication because its authentication is in plain text.
 Try to sniff username and password of telnet server during authentication process
Note: no need for documentation I will evaluate in next session

21
22 Group Division for projects

 Each group can contain only two people

 Select one of the following issues as subject
 Backdoor or trapdoor  ARP Spoofing
 Address spoofing and solution  Overload of MAC table and port
 Sequence Number spoofing  Mac Spoofing Attack
 DNS poisoning  VLAN Hoping
 Man in the middle attack
 DDOS attack and solution
 Smurf Attack and solution
 Phishing and solution
 DHCP Spoofing
 Session hijacking

22
23
Question

23
24
Next

Next Session

Virus Programming

24