technology, Bhopal
Paper presentation on
Network security
ABSTRACT:
  NAT networks
  Proxy servers
FIREWALLS:
  Bypassing firewalls
KEYLOGGERS ATTACK:
  How keyloggers work
  Securing systems
NETSTAT MADE EASY
Netstat is a program that accesses network-related data structures within the kernel and
presents them in ASCII format at the terminal. netstat can report on the routing tables,
TCP connections, TCP and UDP listeners, and protocol memory management.
To use the netstat command, first launch the command prompt:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
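What a netstat listing actually reveals, as an added example that is not from the original paper: the script below parses a constructed `netstat -an` listing (Windows-style columns; every address and port in it is made up) and summarises the host's own address, the services listening on every interface, and the remote hosts it is talking to, which is the information the text says an attacker can learn and a defender should review.

```python
"""Summarise what a `netstat -an` listing reveals about a host.

Added example (not from the original paper). The sample listing below is
constructed to resemble Windows netstat output; real output will differ.
"""
from collections import defaultdict

# Constructed sample of `netstat -an` output (Windows-style columns).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1054      203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.10:1057      203.0.113.7:443        ESTABLISHED
  TCP    192.168.1.10:1060      198.51.100.22:6667     ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state) per connection row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner and the column header
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        local_ip, local_port = local.rsplit(":", 1)
        rows.append((proto, local_ip, int(local_port), foreign, state))
    return rows


def exposed_listeners(rows):
    """Ports bound to every interface (0.0.0.0): reachable from the network
    unless a firewall intervenes. Loopback-only listeners are left out."""
    return sorted((proto, port) for proto, ip, port, _, state in rows
                  if ip == "0.0.0.0" and (state == "LISTENING" or proto == "UDP"))


def remote_peers(rows):
    """Map each remote host of an ESTABLISHED TCP session to the local ports used."""
    peers = defaultdict(set)
    for proto, _ip, port, foreign, state in rows:
        if proto == "TCP" and state == "ESTABLISHED":
            peers[foreign.rsplit(":", 1)[0]].add(port)
    return {host: sorted(ports) for host, ports in peers.items()}


def local_addresses(rows):
    """Non-wildcard, non-loopback local IPs: the addresses an observer learns."""
    return sorted({ip for _p, ip, _port, _f, _s in rows
                   if ip not in ("0.0.0.0", "127.0.0.1")})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("host addresses:", local_addresses(rows))
    print("listening on all interfaces:", exposed_listeners(rows))
    print("established peers:", remote_peers(rows))
```

The useful review is the `exposed_listeners` list: anything bound to 0.0.0.0 that is not a service the host is meant to offer deserves a firewall rule or should be switched off.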
We have already seen that, using the netstat command, an attacker can find out IP
addresses. It has therefore become very important for Internet users to implement
techniques for hiding their IP address from malicious users. The two most common
techniques for hiding IP addresses are:
The current implementation of IP addressing provides users with a very limited number
of IP addresses that can be used for connectivity. To solve this shortage, a number of
organizations have started implementing NAT addressing, which allows them to use a
single public IP address for a large number of internal systems that have unique private
IP addresses. This allows an organization to register a single public IP address.
In computer networking, network address translation (NAT) is the process of modifying
network address information in datagram packet headers while in transit across a traffic
routing device for the purpose of remapping a given address space into another.
Most often today, NAT is used in conjunction with network masquerading (or IP
masquerading) which is a technique that hides an entire address space, usually consisting
of private network addresses (RFC 1918), behind a single IP address in another, often
public address space. This mechanism is implemented in a routing device that uses
stateful translation tables to map the "hidden" addresses into a single address and then
rewrites the outgoing Internet Protocol (IP) packets on exit so that they appear to
originate from the router. In the reverse communications path, responses are mapped
back to the originating IP address using the rules ("state") stored in the translation tables.
The translation table rules established in this fashion are flushed after a short period
without new traffic refreshing their state.
As described, the method only allows transit traffic through the router when it is
originating in the masqueraded network, since this establishes the translation tables.
However, most NAT devices today allow the network administrator to configure
translation tables entries for permanent use. This feature is often referred to as "static
NAT" or port forwarding and allows traffic originating in the 'outside' network to reach
designated hosts in the masqueraded network.
Because of the popularity of this technique, the term NAT has become virtually
synonymous with the method of IP masquerading.
Network address translation has serious consequences for the quality of Internet
connectivity and requires careful attention to the details of its implementation. As a
result, many methods, collectively known as NAT traversal, have been devised to
alleviate the issues encountered.
Port-restricted cone NAT: like a restricted cone NAT, but the restriction includes port
numbers.
Symmetric NAT:
• Each request from the same internal IP address and port to a specific destination
IP address and port is mapped to a unique external source IP address and port.
If the same internal host sends a packet, even with the same source address and
port, but to a different destination, a different mapping is used.
• Only an external host that receives a packet from an internal host can send a packet
back.
PROXY SERVERS
A proxy server that passes all requests and replies unmodified is usually called a gateway
or sometimes tunneling proxy.
A proxy server can be placed in the user's local computer or at various points between the
user and the destination servers or the Internet.
Figure: schematic representation of a proxy server, where the computer in the middle acts
as the proxy server between the other two.
WINGATE
In the mid to late 1990s, WinGate was almost ubiquitous in homes and small businesses
that needed to share a single Internet connection between multiple networked computers.
The introduction of Internet Connection Sharing in Windows 98 however, combined with
increasing availability of cheap NAT-enabled routers, forced WinGate to evolve to
provide more than just internet connection sharing features. Today, focus for WinGate
users is primarily access control, reporting, bandwidth management and content filtering.
Features
WinGate runs on all versions of Microsoft Windows from Windows 95 onwards. At its
core, WinGate provides all three levels of Internet access: a stateful packet-level firewall
with NAT, several circuit-level proxies (SOCKS 4/5 and a proprietary Winsock
redirector), and multiple proxy servers. This provides a comprehensive access
framework and allows the maximum level of access control.
WinGate's policy framework allows the creation of specific access rules, based on user
account details, request details, location of user, authentication level and time of day. The
policy framework is based on a user database and user authentication. WinGate allows
use of either WinGate's built-in user database, the Windows user database, or the user
database of an NT domain or Active Directory. Authentication can use integrated
Windows usernames and passwords (NTLM) and other authentication schemes. WinGate
can also be used without authentication, or can assume user identity based on IP address
or computer name.
WinGate can also authenticate individual users on a Terminal Server and maintain
separate user contexts to provide user-level control; applications that do not support
authentication can be covered by using the WinGate Client software.
WinGate provides an integrated Email server (POP3 server and retrieval client, SMTP
server, and IMAP4 server) with message routing features and per-email restrictions. This
can be used to provide company email services, or to provide protection and additional
security (encryption and authentication) for an existing email system.
The WWW Proxy provides a transparent proxy for ease of administration, plus a shared
proxy cache for improved surfing performance. It can also be used to secure access to
internal web servers with either browser-based authentication or a Java-based applet.
Also available for WinGate are optional components that provide Antivirus scanning for
email, web and FTP, and content filtering for web traffic.
FIREWALLS
Function
A firewall's basic task is to regulate some of the flow of traffic between computer
networks of different trust levels. Typical examples are the Internet which is a zone with
no trust and an internal network which is a zone of higher trust. A zone with an
intermediate trust level, situated between the Internet and a trusted internal network, is
often referred to as a "perimeter network" or Demilitarized zone (DMZ).
A firewall's function within a network is similar to that of firewalls and fire doors in
building construction. In the former case, it is used to prevent network intrusion into the
private network; in the latter, it is intended to contain a structural fire and delay its
spread to adjacent structures.
Without proper configuration, a firewall can often become worthless. Standard security
practices dictate a "default-deny" firewall ruleset, in which the only network connections
which are allowed are the ones that have been explicitly allowed. Unfortunately, such a
configuration requires detailed understanding of the network applications and endpoints
required for the organization's day-to-day operation. Many businesses lack such
understanding, and therefore implement a "default-allow" ruleset, in which all traffic is
allowed unless it has been specifically blocked. This configuration makes inadvertent
network connections and system compromise much more likely.
Network address translation
Firewalls often have network address translation (NAT) functionality, and the hosts
protected behind a firewall commonly have addresses in the "private address range", as
defined in RFC 1918. Firewalls often have such functionality to hide the true address of
protected hosts. Originally, the NAT function was developed to address the limited
number of IPv4 routable addresses that could be used or assigned to companies or
individuals as well as reduce both the amount and therefore cost of obtaining enough
public addresses for every computer in an organization. Hiding the addresses of protected
devices has become an increasingly important defense against network reconnaissance.
BYPASSING FIREWALLS
1. Abstract
-----------
There are ambiguities in the implementations of the TCP/IP suite for various operating
systems. Even though this fact has long been used in various OS fingerprinting
software, no real attempt has been made to identify the security impact of the
differences in TCP/IP semantics. We have done some research on the TCP/IP
connection-open semantics, which are of course very important for the security of
networked systems. We believe that the flaws we have detected have a big impact on the
design of firewalls and packet filters, since an improper implementation can easily lead
to serious security problems.
2. Details
----------
The TCP/IP protocol stack offers a three way handshake for connection oriented
communication using the TCP protocol. Basically, a connection can be opened by
sending a synchronization packet to a listening service on a particular host. The host will
respond with a synchronization acknowledgment packet which in turn must be
acknowledged by the requesting host. Then, the connection is considered to be open (at
least at the transport layer) and the two hosts may exchange some data.
The three-way handshake is an essential part of communication using the TCP
protocol. Therefore many packet-filter firewalls try to prevent the three-way handshake
from completing in order to protect an internal/corporate network from being accessed
from the outside. Of course, stateful firewalls may have more sophisticated
mechanisms.
We have found a very ambiguous behavior of TCP/IP implementations while doing some
research on the connection request phase. Below you will find the findings about various
OSes, however the list should not be considered complete. We have used the
NemesisTCP tool [1] to generate the traffic and tcpdump to capture the responses.
The first host sends a SYN packet from port 12345 to a service on port 9999 and receives
a SYN,ACK
* Linux 2.4.19
The examination of the source code of the TCP engine reveals that a TCP connection can
be opened by any combination of the TCP flags having the SYN bit set and the ACK bit
reset. For example we can open a TCP connection by sending an obviously bogus
SYN,RST packet:
or something called 'Christmas packet' having mostly every TCP flag set (except the
ACK flag of course):
* Solaris 5.8
other combinations don't seem to induce the SynSent state in the TCP/IP stack
* FreeBSD 4.5
as well as with other combinations which don't combine the RST and/or ACK flag with
SYN:
* Windows NT 4.0
As in the case of BSD we can open connections using any combination of TCP flags as
long as we do not set the RST and/or ACK flag (where did they take the code
from...hm...):
Other OSes than those tested above are expected to behave in a similar manner after
obtaining such a discouraging result...
3. Impact
---------
The ambiguities can be used to bypass/tunnel firewalls that filter TCP packets according
to the TCP flags set. Especially stateless firewalls, which simply compare the flags field
with some expected value(s) to distinguish between synchronization packets and packets
from an already open connection, can easily be bypassed just by sending a bogus
synchronization packet to a listening port. The currently deployed TCP stacks seem to be
highly bogus and lazily implemented.
Administrators of firewall devices should set up filtering rules to drop bogus TCP
packets as mentioned above. For example, on systems using iptables to filter packets,
bogus packets can easily be distinguished by the following rules:
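The stateless flag check the advisory recommends, combined with the default-deny versus default-allow rulesets from the Firewalls section above, as an added example: this is not the advisory's iptables rules and not code from the original paper. It parses a raw TCP header, classifies the flag combination, and applies an explicit rule list under either policy; `naive_decide` models the weak filter the advisory describes, and `Filter.decide` drops the ambiguous SYN variants before anything else is considered. The port numbers and packets are constructed.

```python
"""Stateless TCP packet filter that closes the 'bogus SYN' ambiguity.

Added example, not code from the original paper or the advisory it quotes,
and not an iptables configuration. It parses a raw TCP header, classifies the
flag combination, and applies an explicit rule list under either a
default-deny or a default-allow policy. naive_decide() models the weak filter
the text describes (anything that is not an exact SYN is assumed to belong to
an open connection); Filter.decide() drops the ambiguous SYN variants first.
Port numbers and packets below are constructed for the example.
"""
import struct
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def make_header(src_port, dst_port, flags, seq=0, ack=0, window=8192):
    """Build a minimal 20-byte TCP header (checksum left zero) for testing."""
    data_offset = 5 << 4                      # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)


def parse_tcp(header):
    """Return (src_port, dst_port, flags) from a TCP header; flags are byte 13."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    src, dst = struct.unpack("!HH", header[:4])
    return src, dst, header[13] & 0x3F


def flag_class(flags):
    """Classify a flag combination the way a careful stateless filter should.

    Only an exact SYN is a connection request. SYN without ACK but with extra
    flags (SYN,RST, SYN,FIN, the 'Christmas packet') is what several stacks
    accept as a connection open, so it is labelled bogus rather than trusted
    as part of an existing session; SYN with RST or FIN is nonsense even when
    ACK is set, and a packet with no flags at all is never legitimate.
    """
    if flags == 0:
        return "null"
    if flags == SYN:
        return "syn"
    if flags & SYN and (not flags & ACK or flags & (FIN | RST)):
        return "bogus"
    if flags & ACK:
        return "established"   # stateless approximation of an open connection
    return "other"


def naive_decide(header, allowed_ports):
    """The weak filter: an exact SYN is checked against the rules, everything
    else is waved through as 'already open'. A SYN,RST to a closed port passes."""
    _src, dst, flags = parse_tcp(header)
    if flags == SYN:
        return "ACCEPT" if dst in allowed_ports else "DROP"
    return "ACCEPT"


@dataclass
class Filter:
    default_allow: bool       # True models the risky default-allow ruleset
    allowed_ports: frozenset  # services explicitly opened to the outside

    def decide(self, header):
        _src, dst, flags = parse_tcp(header)
        kind = flag_class(flags)
        if kind in ("bogus", "null"):
            return "DROP"                 # never let ambiguous SYNs reach the stack
        if kind == "established":
            return "ACCEPT"
        if kind == "syn" and dst in self.allowed_ports:
            return "ACCEPT"
        return "ACCEPT" if self.default_allow else "DROP"


if __name__ == "__main__":
    rules = frozenset({22, 80})
    probes = {"SYN to 22": make_header(12345, 22, SYN),
              "SYN to 9999": make_header(12345, 9999, SYN),
              "SYN,RST to 9999": make_header(12345, 9999, SYN | RST),
              "Xmas to 9999": make_header(12345, 9999, SYN | FIN | RST | PSH | URG)}
    for name, pkt in probes.items():
        print(f"{name:18} naive={naive_decide(pkt, rules):6} "
              f"deny={Filter(False, rules).decide(pkt):6} "
              f"allow={Filter(True, rules).decide(pkt)}")
```

Two things the output makes visible: the SYN,RST probe to port 9999 is accepted by `naive_decide` and dropped by `Filter`, and a plain SYN to an unlisted port is dropped only under default-deny. The remaining weakness, that any packet with ACK set is accepted, is inherent to a stateless filter and is what a stateful firewall removes.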
NETWORK RECONNAISSANCE
PING SWEEPING
A ping is often used to check that a network device is functioning. To disable ping
sweeps on a network, administrators can block ICMP ECHO requests from outside
sources. However, ICMP TIMESTAMP and Address Mask Requests can be used in a
similar manner.
Tools used for ping sweeps include fping, gping, and nmap for Unix systems, and the
Pinger software from Rhino9. Pingers send multiple packets at the same time and allow
the user to resolve host names and save output to a file.
Ping is a widely used technique that can help an attacker detect whether your system is
active, which is often the first step an attacker takes in order to identify possible
targets. Once the ping operation has identified your computer as active and connected to
the Internet, the attacker will likely proceed to additional techniques to identify security
weaknesses in your computer system that can be exploited in order to gain control over
your computer.
The ping operation consists of sending a special network packet to a target computer and
awaiting a response that will actually let the attacker know if the target computer is
active. It is to be mentioned that there are other types of packets that can be used as well,
however the most common operation performed is to send an ICMP ECHO (type 8)
packet towards the target computer, and then the remote machine responds with an ICMP
ECHO_REPLY (type 0) packet. The software on the attacker's computer usually has a
ping timeout setting, which can be set somewhere between a few hundred milliseconds
and a few seconds. The software waits for the ICMP ECHO_REPLY packet within the
chosen timeout, and if a reply packet is received, the target computer is known to be
active.
Before launching an attack over a remote network, an attacker will likely start by
scanning the network and gathering as much information as possible about the network.
One of the common operations used is ping sweep. During a ping sweep, an attacker uses
a large number of ping operations which are sent to a particular network, usually one per
IP address. In order to efficiently scan hundreds or thousands of remote addresses, the
attacker will probably use a multithreaded ping sweep tool, which allows not only
customizing timeout setting in order to improve efficiency, but also allows multiple ping
operations to be initialized and running at the same time, and therefore maximizing the
number of remote addresses that will be scanned.
Perhaps the most simple protection measure against identifying your computer as active
through the Ping operation, is to disable the ICMP protocol. There are two types of
common configurations that can be found, first is when your computer is directly
connected to the internet (for example if you are using dialup and a regular modem, and
no routers, you are likely to be connected to the internet directly) and in such situation
you need to block the ICMP protocol by configuring the software firewall you are using
on your computer. If you are not using a software firewall in such a situation, then you
should absolutely get and install one as soon as possible, otherwise you are exposed to a
large number of risks - it may take only minutes until an attacker or worm may get into
your computer. Finally, if you are using a gateway computer or router to connect to the
internet, you can disable the ICMP protocol on the gateway/router to protect your public
IP address from being tested via a ping operation.
It should be mentioned, though, that the ping operation is a useful one and there are
situations where it should remain active; in such cases ICMP should not be disabled.
For example, many ISPs use automated ping operations to monitor their connections,
and if you disable ICMP, your ISP may take measures to correct what they believe to be
a non-functional connection, such as disconnecting it, or in some cases they may even
call to ask what happened because their monitoring software reports the connection as
down. There are also cases where certain software makes use of ping operations for its
normal functioning and may conclude that your computer is no longer responding. In
such cases, it is advised not to disable
ICMP. Alternatively you may permit ICMP only to a given computer or IP range, for
example in the situation where your ISP needs to monitor your connection via ping
operations, you can call them and ask what are the IP addresses of the monitoring
machine(s) they are using, and then use the IP address or IP range provided to create an
allow rule in your firewall for the ICMP protocol, which should solve the problem as
your computer will respond to ICMP ECHO commands for your ISP, but not for
everyone else.
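The ping sweep described above, seen from the defender's side, together with the ISP allowlist the text recommends, as an added example that is not from the original paper: the detector reads iptables-style LOG lines (the sample lines are constructed and use documentation addresses), treats ICMP echo, timestamp and address-mask requests alike as probes, and raises one alert per source that touches at least a threshold number of distinct destinations inside a sliding time window. Sources on the allowlist, such as an ISP's monitoring hosts, never alert.

```python
"""Ping-sweep detector run over firewall log lines.

Added example, not code from the original paper. It reads iptables-style
LOG lines (the sample below is constructed, with documentation addresses),
treats ICMP echo, timestamp and address-mask requests alike as probes, and
raises one alert per source that touches at least `threshold` distinct
destinations inside a sliding time window. Sources on an allowlist, such as
an ISP's monitoring hosts, are ignored so their routine pings do not alert.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

PROBE_TYPES = {8: "echo-request", 13: "timestamp-request", 17: "addrmask-request"}

# Constructed sample log lines (syslog timestamp + iptables LOG fields).
LOG_LINES = """\
Mar 12 10:00:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.50 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0
Mar 12 10:00:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.50 DST=192.168.1.2 PROTO=ICMP TYPE=8 CODE=0
Mar 12 10:00:02 gw kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0
Mar 12 10:00:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.50 DST=192.168.1.3 PROTO=ICMP TYPE=8 CODE=0
Mar 12 10:00:03 gw kernel: IN=ppp0 OUT= SRC=203.0.113.50 DST=192.168.1.4 PROTO=ICMP TYPE=13 CODE=0
Mar 12 10:00:03 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=192.168.1.1 PROTO=TCP SPT=4444 DPT=80
Mar 12 10:00:04 gw kernel: IN=ppp0 OUT= SRC=203.0.113.50 DST=192.168.1.5 PROTO=ICMP TYPE=17 CODE=0
Mar 12 10:00:04 gw kernel: IN=ppp0 OUT= SRC=203.0.113.50 DST=192.168.1.6 PROTO=ICMP TYPE=8 CODE=0
Mar 12 10:01:02 gw kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=ICMP TYPE=(?P<type>\d+)")


def parse_line(line):
    """Return a dict for an ICMP probe line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    icmp_type = int(m["type"])
    if icmp_type not in PROBE_TYPES:
        return None                       # echo replies, unreachables, etc.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": m["ts"], "t": (ts - datetime(1900, 1, 1)).total_seconds(),
            "src": m["src"], "dst": m["dst"], "kind": PROBE_TYPES[icmp_type]}


def detect_sweeps(lines, window=60, threshold=5, allowlist=frozenset()):
    """Return [(src, distinct_targets, time_of_alert), ...], one per sweeping source."""
    recent = defaultdict(deque)           # src -> deque of (t, dst) within window
    alerted, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] in allowlist:
            continue
        q = recent[rec["src"]]
        q.append((rec["t"], rec["dst"]))
        while q and rec["t"] - q[0][0] > window:
            q.popleft()                   # forget probes older than the window
        targets = {dst for _, dst in q}
        if len(targets) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append((rec["src"], len(targets), rec["ts"]))
    return alerts


if __name__ == "__main__":
    isp_monitors = frozenset({"198.51.100.9"})   # constructed ISP monitoring host
    for src, n, when in detect_sweeps(LOG_LINES, allowlist=isp_monitors):
        print(f"{when}: possible ping sweep from {src} ({n} hosts probed)")
```

Counting distinct destinations rather than raw packet volume is what separates a sweep from a single host being pinged repeatedly, which is exactly the traffic an ISP monitor generates.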
Passive OS fingerprinting
Passive fingerprinting works because TCP/IP flag settings are specific to various
operating systems. These settings vary from one TCP stack implementation to another
and include the following:
These flags, when combined, provide a unique, 67-bit signature for every operating
system.[1]
Active OS fingerprinting
• ICMP
• TCP
• SNMP
Banner grabbing
• FTP
• TELNET
• HTTP
Port probing
Block all unnecessary outgoing ICMP traffic, especially unusual packet types like
address masks and timestamps. Also, block any ICMP echo replies. Watch for excessive
TCP SYN packets. Be warned that blocking things without knowing exactly what they
are for can very well lead to a broken network; for instance, your network could become
a black hole. Extensive knowledge of TCP/IP networking is recommended before
engaging in traffic blocking.
Fingerprinting tools
KEYLOGGERS
Keystroke logging (often called keylogging) is a method of capturing and recording user
keystrokes. The technique and name came from before the era of the graphical user
interface; loggers nowadays would be expected to capture mouse operations too. Keylogging
can be useful for determining sources of errors in computer systems, for studying how users
interact with and access systems, and is sometimes used to measure employee
productivity on certain clerical tasks. Such systems are also highly useful for both law
enforcement and law-breaking—for instance, providing a means to obtain passwords or
encryption keys and thus bypassing other security measures. Keyloggers are widely
available on the Internet.
There are currently two types of keylogging methods, hardware and software based.
Application
Keystroke logging can be achieved by both hardware and software means. Hardware key
loggers are commercially available devices which come in three types: inline devices that
are attached to the keyboard cable, devices which can be installed inside standard
keyboards, and actual replacement keyboards that contain the key logger already built-in.
The inline devices have the advantage of being able to be installed instantly on desktop
computers without integrated keyboards.
When used covertly, inline devices are easily detected by a glance at the keyboard
connector plugged into the computer. Of the three types, the most difficult to install is
also the most difficult to detect. The device that installs inside a keyboard (presumably
the keyboard the target has been using all along) requires soldering skill and extended
access to the keyboard to be modified. However, once in place, this type of device is
virtually undetectable unless specifically looked for.
Types of keystroke loggers
1) Local Machine software Keyloggers are software programs that are designed to work
on the target computer’s operating system. From a technical perspective there are four
categories:
2) Remote Access software Keyloggers are local software keyloggers programmed with
an added feature to transmit recorded data out of the target computer and make the data
available to the monitor at a remote location. Remote communication is facilitated by one
of four methods:
3) Hardware Keyloggers are used for keystroke logging by means of a hardware circuit
attached somewhere between the computer keyboard and the computer. It logs all
keyboard activity to its internal memory, which can subsequently be accessed, for
example, by typing in a secret key. A hardware keylogger has an advantage over a
software solution: because it does not depend on the computer's operating system, it will
not interfere with any program running on the target machine and hence cannot be
detected by any software; however, its physical presence may be detected.
4) Remote Access Hardware Keyloggers, otherwise known as Wireless Hardware
Keyloggers, work in much the same way as regular hardware keyloggers, except they
have the ability to be controlled and monitored remotely by means of a wireless
communication standard.
5) Wireless Keylogger sniffers collect packets of data being transferred between a wireless
keyboard and its receiver and then attempt to crack the encryption key used to
secure wireless communication between the two devices.
Cracking
Writing software applications for keylogging is trivial, and like any computer program
can be distributed as a trojan horse or as part of a virus. What is not trivial however, is
installing a keystroke logger without getting caught and downloading data that has been
logged without being traced. An attacker that manually connects to a host machine to
download logged keystrokes risks being traced. A trojan that sends keylogged data to a
fixed e-mail address or IP address risks exposing the attacker.
Trojan
Young and Yung devised several methods for solving this problem and presented them in
their 1997 IEEE Security & Privacy paper[3] (their paper from '96 touches on it as well).
They presented a deniable password snatching attack in which the keystroke logging
trojan is installed using a virus (or worm). An attacker that is caught with the virus or
worm can claim to be a victim. The cryptotrojan asymmetrically encrypts the pilfered
login/password pairs using the public key of the trojan author and covertly broadcasts the
resulting ciphertext. They mentioned that the ciphertext can be steganographically
encoded and posted to a public bulletin board (e.g. Usenet).
Ciphertext
Young and Yung also mentioned having the cryptotrojan unconditionally write the
asymmetric ciphertexts to the last few unused sectors of every writable disk that is
inserted into the machine. The sectors remain marked as unused. This can be done using
a USB token. So, the trojan author may be one of dozens or even thousands of people that
are given the stolen information. Only the trojan author can decrypt the ciphertext
because only the author knows the needed private decryption key. This attack is from the
field known as cryptovirology.
The FBI used a keystroke logger to obtain the PGP passphrase of Nicodemo Scarfo, Jr.,
son of mob boss Nicodemo Scarfo. Scarfo Jr. pleaded guilty to running an illegal
gambling operation in 2002.[4] The FBI has also reportedly developed a trojan-horse-
delivered keylogger program known as Magic Lantern.[5]
Some surveillance software has keystroke logging abilities and is advertised to monitor
the internet use of minors. Such software has been criticized on privacy grounds, and
because it can be used maliciously or to gain unauthorized access to users' computer
systems.
Keylogger prevention
Currently there is no easy way to prevent keylogging. In the future, it is believed that
software with secure I/O will be protected from keyloggers. Until then, however, the best
strategy is to use common sense and a combination of several methods. It is possible to
use software to monitor the connectivity of the keyboard and log the absence as a
countermeasure against physical keyloggers. For a PS/2 keyboard, the timeout bit (BIT6
at port 100) has to be monitored. [6] But this only makes sense when the PC is (nearly)
always on.
Code signing
64-bit versions of Windows Vista and Server 2008 implement mandatory digital signing
of kernel-mode device drivers, thereby restricting the installation of key-logging rootkits.
A user should constantly observe the programs which are installed on his or her machine.
Also, devices connected to PS/2 and USB ports (which can both be hacked) can be used
to secretly install a keylogger and then remove it (along with the user's data) by the
perpetrator.
Anti-spyware
Anti-spyware applications are able to detect many keyloggers and cleanse them.
Responsible vendors of monitoring software support detection by anti-spyware programs,
thus preventing abuse of the software.
Firewall
Enabling a firewall does not stop keyloggers per se, but can possibly prevent transmission
of the logged material over the net if properly configured.
Network monitors
Network monitors (also known as reverse-firewalls) can be used to alert the user
whenever an application attempts to make a network connection. This gives the user the
chance to prevent the keylogger from "phoning home" with his or her typed information.
BIBLIOGRAPHY
Network security-Ankit Fadia
en.wikipedia.org/wiki/Proxy_server
en.wikipedia.org/wiki/Network_address_translation
www.wingate.com
en.wikipedia.org/wiki/OS_fingerprinting
www.hackingmobilephone.com