13. Acknowledgment number - 32 bits
When a data sender receives a new acknowledgment value, it can discard the data it was holding for possible retransmission. The acknowledgment number is valid only if the ACK flag is set. It is one greater than the octet number of the last in-sequence octet received, which makes it the same as the sequence number of the next segment carrying immediately useful data. In TCP it is possible for several segments to have been received correctly but not yet acknowledged, because the critical segment, the next one in sequence, has failed to arrive. The acknowledgment number cannot advance until that missing segment is retransmitted and received; the later segments are held meanwhile.
Data offset - 4 bits
Length of the TCP header in 32-bit words, i.e. the offset from the start of the segment to the start of the application data field. It is needed because the options field makes the header variable in length.
15. Window - 16 bits
Advertises the amount of buffer space this node has allocated to this connection. The other node must not send more unacknowledged data than the advertised buffer space.
Checksum - 16 bits
A basic integrity check over the TCP header, the data and an IP pseudo-header. It detects accidental corruption, not deliberate tampering.
Urgent pointer - 16 bits
Offset, counted from the sequence number, to the end of the data in this segment that is considered urgent. It is valid only if the URG flag is set.
Options - variable length
Historically the only option in common use was MSS (Maximum Segment Size). It tells the peer the largest amount of data it may place in a single segment; the value excludes the TCP and IP headers. Modern stacks routinely negotiate window scaling, selective acknowledgment (SACK) and timestamps as well.
Padding
When the options field is present, padding ensures the data starts on a 32-bit boundary, so that the data offset field points to it correctly.
17. TCP acknowledgments for a simple character echo with a host
Node 128.1.0.1 (the user's side) and node 128.1.0.9 (the host operating system), connection already established:
1. The user types C. Node 128.1.0.1 sends SEQ=92, ACK=109, Data=C.
2. The host OS echoes C back and at the same time acknowledges receipt of C: SEQ=109, ACK=93, Data=C (ACK = SEQ + 1 = 92 + 1 = 93, since exactly one data octet was received).
3. Node 128.1.0.1 acknowledges receipt of the echoed C: SEQ=93, ACK=110 (ACK = SEQ + 1 = 109 + 1 = 110), with no data.
The acknowledgment number always names the next octet expected, so each one-byte exchange advances it by exactly one.
29. Session establishment (three-way handshake)
1. The client initiates a request to the server, "I want to talk." (SYN)
2. The server replies, "I'm ready." (SYN/ACK)
3. The client sends an acknowledgment to establish the connection, "Let's go!" (ACK)
A SYN consumes one sequence number even though it carries no data, so the SYN/ACK acknowledges the client's initial sequence number + 1 and the final ACK acknowledges the server's initial sequence number + 1.
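The sequence-number bookkeeping behind the echo exchange (slide 17), the handshake above and the "acknowledgment cannot advance past a gap" rule of slide 13, as an added example that is not part of the original slides. The 128.1.0.x addresses and the initial sequence numbers 92 and 109 are taken from the echo slide; the handshake ISNs (1000 and 5000), the class and function names are assumptions made for illustration. Only the sequence-space arithmetic is modelled, not timers or retransmission.

```python
"""Sequence/acknowledgment bookkeeping for TCP segments (added example)."""
from dataclasses import dataclass, field
from typing import Optional

SEQ_MOD = 1 << 32      # sequence numbers are 32 bits and wrap


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: Optional[int]                 # None when the ACK flag is clear
    flags: set = field(default_factory=set)
    data: bytes = b""

    def __len__(self):
        # Sequence space consumed: one per data octet, plus one each for SYN and FIN.
        return len(self.data) + ("SYN" in self.flags) + ("FIN" in self.flags)


class Endpoint:
    def __init__(self, addr, isn, rcv_nxt=None):
        self.addr = addr
        self.snd_nxt = isn        # sequence number of the next octet we will send
        self.rcv_nxt = rcv_nxt    # next in-sequence octet expected = our ACK value
        self.held = {}            # segments received past a gap, keyed by seq

    def send(self, dst, flags=(), data=b""):
        flags = set(flags)
        seg = Segment(self.addr, dst, self.snd_nxt,
                      self.rcv_nxt if "ACK" in flags else None, flags, data)
        self.snd_nxt = (self.snd_nxt + len(seg)) % SEQ_MOD
        return seg

    def receive(self, seg):
        """Returns True if the segment was the next one in sequence."""
        if self.rcv_nxt is not None and seg.seq != self.rcv_nxt:
            self.held[seg.seq] = seg          # hold it; the ACK number does not move
            return False
        self.rcv_nxt = (seg.seq + len(seg)) % SEQ_MOD
        while self.rcv_nxt in self.held:      # the gap closed: release held segments in order
            nxt = self.held.pop(self.rcv_nxt)
            self.rcv_nxt = (nxt.seq + len(nxt)) % SEQ_MOD
        return True


def character_echo():
    """Slide 17: the user types C, the host echoes it, the user side ACKs the echo."""
    user = Endpoint("128.1.0.1", isn=92, rcv_nxt=109)
    host = Endpoint("128.1.0.9", isn=109, rcv_nxt=92)
    s1 = user.send(host.addr, ("ACK", "PSH"), b"C")   # SEQ 92, ACK 109, Data C
    host.receive(s1)                                  # host now expects 93
    s2 = host.send(user.addr, ("ACK", "PSH"), b"C")   # SEQ 109, ACK 93, Data C
    user.receive(s2)                                  # user now expects 110
    s3 = user.send(host.addr, ("ACK",))               # SEQ 93, ACK 110, no data
    return [(s.seq, s.ack) for s in (s1, s2, s3)]


def three_way_handshake(client_isn=1000, server_isn=5000):
    """Slide 29: SYN, SYN/ACK, ACK.  Each SYN consumes one sequence number."""
    client = Endpoint("client", client_isn)
    server = Endpoint("server", server_isn)
    syn = client.send(server.addr, ("SYN",))            # SEQ c, ACK flag clear
    server.receive(syn)                                 # server expects c + 1
    synack = server.send(client.addr, ("SYN", "ACK"))   # SEQ s, ACK c + 1
    client.receive(synack)                              # client expects s + 1
    ack = client.send(server.addr, ("ACK",))            # SEQ c + 1, ACK s + 1
    return [(s.seq, s.ack) for s in (syn, synack, ack)]


def ack_stalls_on_gap():
    """Slide 13: a segment arriving past a hole is held and the ACK value stays put
    until the missing segment arrives; then both are acknowledged at once."""
    user = Endpoint("128.1.0.1", isn=92, rcv_nxt=109)
    host = Endpoint("128.1.0.9", isn=109, rcv_nxt=92)
    s1 = user.send(host.addr, ("ACK",), b"AB")   # octets 92..93
    s2 = user.send(host.addr, ("ACK",), b"CD")   # octets 94..95
    host.receive(s2)                             # arrives first: out of order
    stalled = host.rcv_nxt                       # still 92
    host.receive(s1)                             # the missing segment shows up
    return stalled, host.rcv_nxt                 # (92, 96)


if __name__ == "__main__":
    print(character_echo(), three_way_handshake(), ack_stalls_on_gap())
```

The `rcv_nxt` value is exactly what goes into the acknowledgment field, which is why the slides write ACK = SEQ + 1 for a one-octet segment: the receiver is naming the next octet it wants, not the last one it got.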
33. Smurf
The attacker sends ICMP echo requests to the broadcast address of an intermediary network, with the source address spoofed to be the target's address. Since most machines on the intermediary network respond to the broadcast, the target receives many echo replies: the intermediary network acts as an amplifier, and the target sees only its addresses, not the attacker's. (Diagram: attacker, intermediary network, target.)
35. Ping of Death
The attacker sends an oversized ping across the Internet to the target. It is carried as IP fragments, and the target reassembles the fragments into a buffer sized for the largest legal IP datagram, 65535 bytes. Because the reassembled datagram is larger than that, the reassembly buffer overflows and vulnerable stacks crash or hang. From a Windows 95 shell: « ping -l 65510 target » (65510 bytes of payload plus the 8-byte ICMP header and 20-byte IP header exceed 65535).
36. Land
An attack in which the IP source address and the IP destination address are identical, as are the source and destination ports. To work, it must be sent to an open port with the SYN flag set. On receiving such a packet, some systems lock up (the IP stack hangs).
Possible filter. The slide gives
ip[12:4] = ip[16:4] and ip[12:2] = ip[16:2]
but the second clause only re-compares the first two bytes of the addresses already matched by the first; the ports are in the TCP header, not the IP header. The intended test is
ip[12:4] = ip[16:4] and tcp[0:2] = tcp[2:2]
optionally with "and tcp[13] & 0x02 != 0" to require the SYN flag.
37. Teardrop
The fragment reassembly code tries to realign overlapping fragments, but there is not enough data in the second fragment. As drawn on the slide: first fragment 36 bytes, offset 0, end 36; second fragment offset 24, end 35, which the code realigns to a new offset of 36 (the end of the data already received). The copy is then done with memcpy(*dest, *src, len) where len = end - new offset = 35 - 36 < 0. Because len is an unsigned int or unsigned long, the negative result wraps to a huge positive value and memcpy runs far past the reassembly buffer.
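The underflow described above, and the check that prevents it, as an added example that is not part of the original slides. The fragment numbers (first fragment offset 0 and end 36, second fragment offset 24 and end 35, realigned to offset 36) are the ones drawn on the slide; the 32-bit unsigned wrap of the kernel's len variable is emulated with a mask, since Python integers do not overflow, and the function names are made up for illustration.

```python
"""Teardrop: unsigned length underflow in fragment reassembly (added example)."""
MASK32 = 0xFFFFFFFF        # emulate unsigned int / unsigned long arithmetic
IP_MAXLEN = 65535          # largest IP datagram, hence the reassembly buffer size


def naive_length(prev_end, frag_offset, frag_end):
    """The vulnerable arithmetic: realign the fragment past the data already
    received, then len = end - new_offset with no check that end > new_offset."""
    new_offset = max(frag_offset, prev_end)
    length = (frag_end - new_offset) & MASK32    # 35 - 36 wraps to 0xFFFFFFFF
    return new_offset, length


def checked_length(prev_end, frag_offset, frag_end):
    """Hardened form: a fragment that ends inside data already received, or whose
    header is inconsistent, is dropped instead of being subtracted."""
    if frag_end > IP_MAXLEN or frag_offset > frag_end:
        raise ValueError("malformed fragment header")
    new_offset = max(frag_offset, prev_end)
    if frag_end <= new_offset:
        raise ValueError("fragment lies entirely inside received data")
    return new_offset, frag_end - new_offset


def reassemble(fragments, length_fn):
    """Copy fragments, given as (offset, payload) in arrival order, into one buffer."""
    buf = bytearray(IP_MAXLEN)
    prev_end = 0
    for offset, payload in fragments:
        end = offset + len(payload)
        new_offset, length = length_fn(prev_end, offset, end)
        if new_offset + length > len(buf):
            # The vulnerable kernel had no such bound: memcpy ran ~4 GB past the buffer.
            raise MemoryError(f"memcpy of {length} bytes would overrun the {len(buf)}-byte buffer")
        skip = new_offset - offset          # overlapping prefix of this fragment is not copied
        buf[new_offset:new_offset + length] = payload[skip:skip + length]
        prev_end = max(prev_end, end)
    return bytes(buf[:prev_end])


# Constructed fragments (byte offsets, not the 8-byte units of the IP header).
TEARDROP = [(0, b"A" * 36), (24, b"B" * 11)]    # second fragment: offset 24, end 35
NORMAL = [(0, b"A" * 36), (36, b"B" * 12)]      # contiguous, no overlap
OVERLAP_OK = [(0, b"A" * 36), (24, b"B" * 24)]  # overlaps, but extends past the first


def vulnerable_length_for_teardrop():
    """The slide's numbers through the vulnerable arithmetic."""
    return naive_length(36, 24, 35)           # (36, 4294967295)


def naive_reassembly_overruns(fragments):
    try:
        reassemble(fragments, naive_length)
    except MemoryError:
        return True
    return False


def checked_reassembly_drops(fragments):
    try:
        reassemble(fragments, checked_length)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("len for teardrop fragment:", vulnerable_length_for_teardrop())
    print("naive code overruns:", naive_reassembly_overruns(TEARDROP))
    print("checked code drops it:", checked_reassembly_drops(TEARDROP))
    print("legitimate overlap still reassembles:", len(reassemble(OVERLAP_OK, checked_length)))
```

The point of `checked_length` is that it rejects the fragment rather than clamping the length: a fragment whose end lies inside already-received data carries nothing new, and a stack that tolerates it is also easier to confuse with overlapping-fragment evasion tricks against IDS.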
38. Loki
Loki carries its data in the payload of ICMP echo request and echo reply packets. Attacker: can log on to the server and run commands, sending them in echo requests. Server: answers the client's requests in echo replies. To a filter that only looks at the ICMP type, the exchange looks like ordinary ping traffic. Note: this tunneling principle is not limited to ICMP; it is also found with HTTP and other protocols.
39. Countering ICMP attacks
Topology: Internet, border router, internal network 192.168.0.0/16 (wildcard mask 0.0.255.255). ACL 101 holds the echo-request rules and ACL 102 the echo-reply rules.
Block echo requests coming in and echo replies going out:
access-list 101 deny icmp any 192.168.0.0 0.0.255.255 echo
access-list 102 deny icmp 192.168.0.0 0.0.255.255 any echo-reply
Accept echo requests going out and echo replies coming in:
access-list 101 permit icmp 192.168.0.0 0.0.255.255 any echo
access-list 102 permit icmp any 192.168.0.0 0.0.255.255 echo-reply
Two caveats a practitioner should keep in mind: each access list must be applied to the right interface and direction for its rules to match real traffic, and a Cisco access list ends with an implicit deny of everything else, so other ICMP types (destination unreachable, and in particular "fragmentation needed" for path MTU discovery) need explicit permits or they are silently dropped. This filtering stops Smurf amplification from outside and inbound ping sweeps, but it does not stop a Loki-style tunnel that an insider starts with outbound echo requests, since those replies are permitted back in; a stateful firewall that only admits replies to requests it has seen is the better tool for that.
40. Distributed denial of service
A newer form of denial of service in which the attacker coordinates many compromised machines scattered across the Internet to concentrate their traffic on a predefined target.
46. Scanning - TCP port scanning
Use of a tool that scans a network to discover live systems and detect the applications available on them: HTTP, IMAP, POP3, DNS, NetBIOS, SOCKS, Telnet, FTP, ...
49. Scanning (continued) - Filtering methods
Filter on each flag (with tcpdump, for example). The flags are in byte 13 of the TCP header; from the most significant bit down: X X URG ACK PSH RST SYN FIN, where the two X bits were reserved at the time (they now carry the ECN bits CWR and ECE, which is why the masks below stop at 0x3f).
SYN flag set: tcp[13] & 0x02 != 0
ACK flag set: tcp[13] & 0x10 != 0
RST flag set: tcp[13] & 0x04 != 0
FIN flag set: tcp[13] & 0x01 != 0
PSH flag set: tcp[13] & 0x08 != 0
URG flag set: tcp[13] & 0x20 != 0
No flag set (NULL scan): tcp[13] & 0x3f = 0
Example filter:
tcp and dst port 80 and (tcp[13] & 0x02 != 0) and (tcp[13] & 0x10 = 0)
tests that the SYN flag is set and the ACK flag is not set, i.e. it selects new connection attempts to port 80 and leaves out the SYN/ACK replies.
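The byte-offset tests from this slide and the corrected Land filter of slide 36, applied in Python to raw IPv4/TCP headers, as an added example that is not part of the original slides. The packets are constructed inline with struct (checksums left at zero, no IP or TCP options, so the TCP header starts at ip[20]); the helper names and the sample addresses are made up for illustration.

```python
"""tcpdump-style byte-offset tests on raw IPv4/TCP headers (added example)."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = 0x3F           # the six flags; bits 6-7 are reserved (today CWR/ECE)


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_packet(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0):
    """Minimal 20-byte IPv4 header followed by a 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, 0, 64, 6, 0,   # v4, IHL 5, len 40, TTL 64, proto 6
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def tcp_start(pkt):
    """Where tcpdump's tcp[n] starts counting: IHL (low nibble of ip[0]) in 32-bit words."""
    return (pkt[0] & 0x0F) * 4


def is_tcp(pkt):
    return pkt[9] == 6            # ip[9] is the protocol field


def is_land(pkt):
    """Corrected Land filter: ip[12:4] = ip[16:4] and tcp[0:2] = tcp[2:2] and tcp[13] & 0x02 != 0"""
    t = tcp_start(pkt)
    return (is_tcp(pkt)
            and pkt[12:16] == pkt[16:20]           # source IP == destination IP
            and pkt[t:t + 2] == pkt[t + 2:t + 4]   # source port == destination port
            and pkt[t + 13] & SYN != 0)


def is_connection_request(pkt, port):
    """Slide filter: tcp and dst port N and tcp[13] & 0x02 != 0 and tcp[13] & 0x10 = 0"""
    t = tcp_start(pkt)
    dport = struct.unpack("!H", pkt[t + 2:t + 4])[0]
    flags = pkt[t + 13]
    return is_tcp(pkt) and dport == port and flags & SYN != 0 and flags & ACK == 0


def is_null_scan(pkt):
    """tcp[13] & 0x3f = 0: no flag at all, which no legitimate segment carries."""
    return is_tcp(pkt) and pkt[tcp_start(pkt) + 13] & FLAG_MASK == 0


def is_xmas_scan(pkt):
    """FIN, PSH and URG all set: another combination a real stack never sends."""
    xmas = FIN | PSH | URG
    return is_tcp(pkt) and pkt[tcp_start(pkt) + 13] & xmas == xmas


def classify(pkt):
    labels = []
    if is_land(pkt):
        labels.append("land")
    if is_connection_request(pkt, 80):
        labels.append("syn-to-80")
    if is_null_scan(pkt):
        labels.append("null-scan")
    if is_xmas_scan(pkt):
        labels.append("xmas-scan")
    return labels


# Constructed sample traffic, not captured from a real network.
SAMPLES = {
    "land":   build_packet("10.0.0.5", "10.0.0.5", 80, 80, SYN),
    "syn":    build_packet("192.0.2.7", "10.0.0.5", 40000, 80, SYN),
    "synack": build_packet("10.0.0.5", "192.0.2.7", 80, 40000, SYN | ACK),
    "null":   build_packet("192.0.2.7", "10.0.0.5", 40001, 22, 0),
    "xmas":   build_packet("192.0.2.7", "10.0.0.5", 40002, 22, FIN | PSH | URG),
}


def classify_samples():
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, labels in classify_samples().items():
        print(f"{name:7s} -> {labels or ['normal']}")
```

Note that the Land packet also satisfies the connection-request filter, which is expected: the slide's SYN-without-ACK test is deliberately broad, and the Land test narrows it with the address and port comparison. Reading the IHL nibble rather than assuming offset 20 matters on real traffic, where IP options shift the TCP header.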
56. Non-exhaustive list of Trojan horses and their default listening ports
Netbus Pro          6400
Netbus 1.x          12346
BackOrifice         31337
Deep Throat         6670
Master Paradise     31
Millenium           20000
Netmonitor          7306
Socket23            30303
ICQ Trojan          4950
Vodoo               1245
Stealth Spy         555
Attack FTP          666
Senna Spy           11000
Progenic            11223
Backdoor            1999
Portal of Doom      9875
AOL Trojan 1.1      30029
Illusion Mailer     5521
Bla                 20331
Kuang 2             17300
Today HUNDREDS of Trojan horses are in circulation. There are even tools to generate them without any programming!
These are default ports and most of them are configurable, so an open port on this list is a reason to look at the host, not proof of infection, and a clean scan is not proof of its absence.
71. OS vulnerabilities - Lab
The content of this page will be communicated later.
79. Network-based IDS
Principle: one or more sensors that report to a console. The sensors sit on the network (behind the firewall or router facing the Internet, and on the internal network) and monitor the traffic passing by; the console analyses the captured data and provides visualisation and reporting.
81. Host-based IDS
Principle: agents on the sensitive machines that report to a console. Each IDS host agent runs on the monitored host itself (firewall/router, servers on the internal network) and sees what that host sees, including traffic the network sensor cannot read; the console analyses the captured data and provides visualisation and reporting.
91. How Does Tripwire Work?
File content integrity is assured using cryptographic signatures: a cryptographic hash algorithm maps the file's contents, whatever their length, to a fixed-length value, the signature or "hash" (the slide shows a file's bits on the left and the resulting short hash on the right). Any change to the content, however small, produces a different hash. A hash alone says nothing about who made a change, so the stored baseline must itself be protected from tampering; Tripwire signs its database and policy files with a local key for that reason.
92. How Does Tripwire Work?
From rules defined in a policy file, Tripwire creates a baseline database of the filesystem: for each file the policy selects, it records a cryptographic signature of the content together with the attributes the rule asks for. It stores this baseline in the database file. (Diagram: policy file → database file, with the key symbol standing for a cryptographic signature.)
93. How Does Tripwire Work?
The system's current file structure can then be checked against the baseline database for any unauthorized changes: each file is hashed again and the new signature is compared with the stored one (the "=?" in the diagram).
94. How Does Tripwire Work?
If a violation is found (a current signature that does not match the database, "=!" in the diagram), reports can be emailed to administrators, dropped to syslog or the Windows event log, or viewed in the report viewer on the machine being monitored.
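The policy → baseline database → check → report loop of slides 92 to 94 in working form, as an added example that is not Tripwire's code. The policy format, the rule names, the paths under the throwaway directory and the severity filter are assumptions made for illustration; SHA-256 stands in for Tripwire's own signature algorithms, and the database is written as plain JSON, which a real deployment would sign or keep on read-only media.

```python
"""File-integrity baseline and check in the style of Tripwire (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """The attributes a rule compares: mode, size, owner and a SHA-256 of the content."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size, "uid": st.st_uid}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(policy):
    """policy: {rule_name: {"paths": [dir, ...], "severity": int}} (assumed format)."""
    db = {}
    for rule, spec in policy.items():
        for root in spec["paths"]:
            for dirpath, _, files in os.walk(root):
                for name in files:
                    p = os.path.join(dirpath, name)
                    db[p] = {"rule": rule, "severity": spec["severity"], "rec": file_record(p)}
    return db


def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check(policy, db):
    """Re-hash the filesystem and report (path, what_changed, severity) violations."""
    current = build_baseline(policy)
    violations = []
    for p in set(db) | set(current):
        if p not in current:
            violations.append((p, "removed", db[p]["severity"]))
        elif p not in db:
            violations.append((p, "added", current[p]["severity"]))
        elif current[p]["rec"] != db[p]["rec"]:
            changed = sorted(k for k, v in current[p]["rec"].items() if v != db[p]["rec"].get(k))
            violations.append((p, "changed:" + ",".join(changed), db[p]["severity"]))
    return sorted(violations)


def filter_min_severity(violations, minimum):
    """The console's search by minimum severity (slide 97)."""
    return [v for v in violations if v[2] >= minimum]


def demo():
    """Build a throwaway tree, baseline it, tamper with it and re-check.
    Returns (violations right after baselining, violations after tampering)."""
    root = tempfile.mkdtemp()
    bin_dir, etc_dir = os.path.join(root, "bin"), os.path.join(root, "etc")
    os.makedirs(bin_dir)
    os.makedirs(etc_dir)
    with open(os.path.join(bin_dir, "login"), "wb") as f:
        f.write(b"#!/bin/sh\nexec /real/login \"$@\"\n")          # constructed content
    with open(os.path.join(etc_dir, "passwd"), "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/sh\n")               # constructed content
    policy = {"critical binaries": {"paths": [bin_dir], "severity": 100},
              "configuration": {"paths": [etc_dir], "severity": 66}}
    db_path = os.path.join(root, "baseline.json")                 # outside the monitored dirs
    save_baseline(build_baseline(policy), db_path)
    db = load_baseline(db_path)
    clean = check(policy, db)
    # Tamper: a trojaned binary and a new file in a monitored directory.
    with open(os.path.join(bin_dir, "login"), "ab") as f:
        f.write(b"nc -l -p 31337 -e /bin/sh &\n")
    with open(os.path.join(etc_dir, "shadow"), "wb") as f:
        f.write(b"root:!:::::::\n")
    tampered = [(os.path.relpath(p, root).replace(os.sep, "/"), what, sev)
                for p, what, sev in check(policy, db)]
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("after baselining:", clean)
    for v in tampered:
        print("violation:", v)
```

The check reports which attribute changed, not only that the hash differs, which is what the "identifies what element changed" column of the reports in the next slides shows. Run it against a real tree only with the database stored somewhere the monitored host cannot write, otherwise an intruder who replaces a binary simply re-baselines.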
95. Centralized Reporting - Specific Reports
Lists the specific violations that occurred for each rule, identifies which element changed, and shows the different rules within each report.
96. Centralized Reporting - Violations Report
A list of violations for all open reports; selecting one brings up the violation detail in the right-hand window.
97. Centralized Reporting - Search & Filter
Violation search based on a minimum severity (66 in the screenshot); selecting a result brings up the violation detail in the right-hand window.
98. TEC NT Console Interface
A list of the TEC agents managed by the TEC console; a pie chart shows that all the agents are up and running.