Network-Based Attacks

Video Activity
Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
Hello. After talking about malware, let's go ahead and talk about attacks that either traverse the network or take advantage of network vulnerabilities.

The first thing we're going to look at is scans. Just an average garden-variety port scan uses tools that are out there that scan to see what ports are open. We already talked about malware, and that can include backdoor software that gets installed and listens on a network port. Ports provide pathways into your system. If I were an attacker, what I'd want to do is scan and see what open ports you have. There are also other types of scans, like XMAS scans, that tell an attacker what operating system a host is running. Every host or operating system responds to the TCP/IP suite a little differently. If I send you a different type of packet or segment, the way your host responds tells me what operating system your host is running. An XMAS scan is a TCP segment with every flag set to one. This is out of the ordinary. Having every flag set to one is not something you would see in normal communications. Having every flag set to one is noticeable. It is said to be lit up like a Christmas tree. That's how it gets its name. How your system responds to such an anomaly would tell me what operating system you are running.

Another type of attack is called a man-in-the-middle attack. It's exactly what it sounds like. Someone inserts himself in the middle of a communication path. There are passive and active man-in-the-middle attacks. A sniffing attack is a passive form. This is an attack where someone is just watching the communication with a packet analyzer or network analyzer, something like Wireshark, just to see what is traversing the network. In this type of attack, the person isn't doing anything or causing any problems, just watching and learning. A session hijacking attack is an active form of a man-in-the-middle attack. This could be a TCP hijack or some other session-based hijack. Ultimately, it's going to involve stealing session ID information, or maybe they will disconnect one of the participating hosts and connect one of their hosts to impersonate it using its information. You can also see things like rogue devices acting as man-in-the-middle attacks. For example, they could set up a wireless access point on your network and trick you into sending your network traffic through their Wi-Fi access point instead of the normal one.

Banner grabbing isn't necessarily a network-based attack, but sometimes when you have network utilities running, they may show splash screens, or welcome screens, or just some information that's returned when you issue a command. These tell you a little bit more than those utilities should. For example, something as basic as nslookup. If you type nslookup at a command prompt, it will respond and show you who your DNS server is. This type of attack simply allows an attacker to get this information.

Now, we'll talk about Smurf attacks and Fraggle attacks. These tend to show up on the exam, so you would want to have a good idea of what these are. The Smurf attack, as you can see in this diagram: the attacker sends a packet to the address 1.1.1.255, that's the broadcast address of the 1.1.1 network. It goes through the router, and when anybody sends a broadcast packet through the router, that's called a directed broadcast, and that's no good. We don't want anybody from the outside to send anything to the broadcast address inside our network. This is already something bad. But if you notice what this attacker is doing, he's sending an ICMP echo request, or a ping. That's what a Smurf attack uses. He's sending the ping request across all these devices, and sometimes those devices are referred to as being bounced devices or part of the bounce site. They're acting as zombies or bots. He's using them against their will, so to speak. He pings the broadcast address, and that ping goes to all the devices on the network, but what he has done is spoof the source address. It looks like the traffic is coming from the victim, whose address is 9.9.9.9. That's not really the true source of the attack, but he spoofs the source address so all the devices respond to the victim. If the attacker does this enough, with enough devices in the bounce site, he could perform a denial of service attack against the victim. To mitigate against this, you block ICMP or directed broadcasts into your network. That solves the problem of Smurf attacks.

Now, Fraggles work just like Smurfs do. The exception is that the Fraggle uses a UDP packet instead of an ICMP packet. The reason is that ICMP is very frequently blocked by routers with access control lists or firewalls. Very few networks are going to allow ICMP from the outside into their network, but UDP, as we'll talk about later, is such a powerful and necessary protocol that it's really difficult to block UDP without losing a lot of desirable services. UDP is more likely to slip through an organization's firewall, but it does the same thing. It spoofs the source address, and the UDP packet goes to the internal devices at the bounce site. They respond to the victim, knocking the victim offline. That's what Smurfs and Fraggles are.