Lec 03

The document discusses various types of network attacks including port scanning, spoofing attacks like IP address spoofing and DNS spoofing, and DHCP starvation. It provides details on each type of attack like how port scanning works and is used to gather information, different spoofing techniques, and how DHCP starvation can deplete available IP addresses.

Uploaded by

death wish

Department of Communication and Operating Systems

Computer and Network Security

Lecturer : M.Younis Popal

Contact : herat.net.sec@gmail.com

Sunday, July 29, 2018 Lec03 (Network Attacks)

Content

• Port Scanning
• Spoofs
• IP Address Spoofing
• DNS Spoofing
• MIM
• DNS Poisoning
• Sequence Number Spoofing
• DHCP Starvation

Port scanning

• There are two steps for gathering information, called pre-hacking steps, that should be done before the real attack:
  • Footprinting
  • Scanning
    • Port scanning

Port Scanning

• A hacker will often case a system to gather information that can later be used to attack the system.
• Port scanner program
  • A port scanner is a program that probes well-known port numbers to detect services running on a system that can be exploited to break into the system.
• Organizations can monitor their system log files to detect port scanning.
• SYN packets and half-open connections are a type of port scanning that can't be logged in log files, so detection is sometimes difficult.
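
A half-open probe never completes the handshake, so the listening service has nothing to log, but a sensor that records TCP flags still sees the unanswered SYNs. The detector below is an added example, not part of the lecture; the record format, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed packet summaries: time src sport dst dport flags
# (S=SYN, SA=SYN-ACK, A=ACK, R=RST, RA=RST-ACK)
SAMPLE = """\
0.00 10.0.0.5 51000 10.0.0.20 443 S
0.01 10.0.0.20 443 10.0.0.5 51000 SA
0.02 10.0.0.5 51000 10.0.0.20 443 A
1.00 10.0.0.9 40001 10.0.0.20 21 S
1.00 10.0.0.20 21 10.0.0.9 40001 RA
1.01 10.0.0.9 40002 10.0.0.20 22 S
1.01 10.0.0.20 22 10.0.0.9 40002 SA
1.02 10.0.0.9 40002 10.0.0.20 22 R
1.03 10.0.0.9 40003 10.0.0.20 23 S
1.03 10.0.0.20 23 10.0.0.9 40003 RA
1.04 10.0.0.9 40004 10.0.0.20 80 S
1.04 10.0.0.20 80 10.0.0.9 40004 SA
1.05 10.0.0.9 40004 10.0.0.20 80 R
"""


def find_syn_scanners(text, min_ports=4, window=5.0):
    """Return {src: sorted ports} for sources that sent SYNs to at least
    min_ports distinct ports within `window` seconds without ever
    completing the three-way handshake on those connections."""
    pending = {}                        # (src, sport, dst, dport) -> SYN time
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, flags = line.split()
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = float(ts)
        elif flags == "A" and key in pending:
            del pending[key]            # final ACK seen: a normal connection
    probes = defaultdict(list)          # src -> [(time, dport)] never completed
    for (src, _sport, _dst, dport), ts in pending.items():
        probes[src].append((ts, int(dport)))
    alerts = {}
    for src, hits in probes.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):   # window anchored at each probe
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts[src] = sorted(ports)
                break
    return alerts


print(find_syn_scanners(SAMPLE))
```

The client at 10.0.0.5 finishes its handshake and is ignored; the source that resets every connection it opens is reported with the ports it touched.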

Spoofs

• Spoofs cover a broad category of threats. In general terms, a spoof entails falsifying one's identity or masquerading as some other individual or entity to gain access to a system or network or to gain information for some other unauthorized purpose.
• There are many different kinds of spoofs:
  • IP Address Spoofing
  • DNS Spoofing
  • Sequence Number Spoofing
  • Session Hijacking
  • Replay attack

IP Address Spoofing

• Every device on a TCP/IP network has a unique IP address.
• IP address spoofing takes advantage of systems and networks that rely on the IP address of the connecting system or device for authentication.
• Packet filtering in routers and firewalls
  • If a hacker is able to determine an IP address that is permitted access through the router, he or she can spoof the address.
  • The hacker in effect masquerades as someone else.
• The best defense against IP address spoofing is encryption.

IP Address Spoofing

Practical work

Sequence Number Spoofing

• TCP/IP network connections use sequence numbers.
• The sequence numbers are part of each transmission and are exchanged with each transaction.
• Drawback of sequence numbers
  • They are predictable because they are generated by some algorithm.
• A hacker can record the exchange of sequence numbers and predict the next set of sequence numbers.
• With this information, a hacker can insert himself or herself into the network connection.
• The best defense against sequence number spoofing is to encrypt the connection.
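
Added example (not from the lecture): a counter-style generator whose initial sequence numbers follow a fixed step, next to the RFC 6528 construction ISN = M + F(4-tuple, secret), with a check a defender can run on sampled values. The step size, addresses and function names are assumptions, and HMAC-SHA256 stands in for the hash F.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

MOD = 2 ** 32  # TCP sequence numbers are 32-bit


def legacy_isn(start, connection_index, step=64000):
    """Constructed predictable generator: a counter bumped by a fixed step per connection."""
    return (start + connection_index * step) % MOD


def rfc6528_isn(secret, local, lport, remote, rport, timer_ticks):
    """ISN = M + F(localip, localport, remoteip, remoteport, secretkey).
    M is the 4-microsecond timer, passed in so the example is repeatable."""
    msg = (ipaddress.ip_address(local).packed + struct.pack("!H", lport)
           + ipaddress.ip_address(remote).packed + struct.pack("!H", rport))
    f = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (timer_ticks + f) % MOD


def looks_predictable(isns):
    """True when every consecutive difference (mod 2^32) is identical."""
    deltas = {(b - a) % MOD for a, b in zip(isns, isns[1:])}
    return len(isns) >= 3 and len(deltas) == 1


def sample_legacy(n=6):
    return [legacy_isn(1_000_000, i) for i in range(n)]


def sample_rfc6528(n=6, secret=None):
    # Constructed: one server socket, client ports 40000.., timer +250 ticks per connection
    secret = secret or secrets.token_bytes(16)
    return [rfc6528_isn(secret, "192.0.2.10", 80, "198.51.100.7", 40000 + i, 250 * i)
            for i in range(n)]


print(looks_predictable(sample_legacy()), looks_predictable(sample_rfc6528()))
```

With the keyed hash, the offset differs for every connection 4-tuple, so values sampled on one connection say nothing about the next.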

DNS (Domain Name Service)

• Domain Name Service (DNS) is a hierarchical name service used with TCP/IP hosts that is distributed and replicated on servers across the Internet.
• It is used on the Internet and on intranets for translating IP addresses into host names.
• The advantage of DNS is that you don't have to know the IP addresses for all the Internet sites to access the sites.
• The most commonly deployed DNS server software on the Internet is BIND.
• DNS is subject to several different spoofs:
  • Man in the middle (MIM)
  • DNS poisoning

Man in the Middle Attack

• A man-in-the-middle attack is a type of cyberattack where a malicious actor inserts him/herself into a conversation between two parties.
• The attacker impersonates both parties and gains access to information that the two parties were trying to send to each other.
• Man-in-the-middle is a type of eavesdropping attack.
• Man-in-the-middle is a form of session hijacking.
• Man-in-the-middle can be abbreviated in several ways, including MITM, MitM, MiM or MIM.

Man in the Middle Attack

Ways of preventing a MIM attack:

• IDS
• VPN

DNS Poisoning

• Another method that can be used to launch this attack is to compromise a DNS server.
• DNS poisoning
  • DNS poisoning exploits a vulnerability in early versions of the Berkeley Internet Name Daemon (BIND).
  • A DNS server has table entries that contain a host name and the related IP address.
  • It is possible to "poison" the table entries of a DNS server with false information.
  • The result could be that when someone uses that DNS server to "resolve" the URL name, he or she is directed to the incorrect IP address.

DHCP Starvation Attack

• Another type of network attack, targeted at DHCP servers, is known as a DHCP starvation attack.
• An attacker broadcasts a large number of DHCP REQUEST messages with spoofed source MAC addresses.
• If the legitimate DHCP server in the network starts responding to all these bogus DHCP REQUEST messages, the available IP addresses in the DHCP server scope will be depleted within a very short span of time.
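
Added example, not from the lecture: a replay of constructed DHCP requests against a small address pool, first unprotected and then behind a per-port limit on distinct client MAC addresses, the idea behind switch port security. The pool size, port names, MAC addresses and the limit of 3 are assumptions.

```python
class PortMacLimiter:
    """Allows at most max_macs distinct client MACs per access port; entries age out."""

    def __init__(self, max_macs=3, aging=300.0):
        self.max_macs, self.aging = max_macs, aging
        self.seen = {}                      # port -> {mac: last time seen}

    def allow(self, ts, port, mac):
        macs = self.seen.setdefault(port, {})
        for old in [m for m, t in macs.items() if ts - t > self.aging]:
            del macs[old]                   # forget MACs idle longer than the aging time
        if mac in macs or len(macs) < self.max_macs:
            macs[mac] = ts
            return True
        return False                        # port already at its MAC limit: drop


def replay(events, pool_size, limiter=None):
    """Feed (time, port, mac) requests to a pool; return (leased MACs, dropped count)."""
    leased, dropped = set(), 0
    for ts, port, mac in events:
        if limiter is not None and not limiter.allow(ts, port, mac):
            dropped += 1
            continue
        if mac in leased or len(leased) < pool_size:
            leased.add(mac)                 # one address per distinct client MAC
    return leased, dropped


def constructed_events():
    """Two normal clients, one port sending 50 requests with changing MACs, one late client."""
    events = [(0.0, "Gi0/1", "aa:aa:aa:00:00:01"), (0.5, "Gi0/2", "aa:aa:aa:00:00:02")]
    events += [(1.0 + i * 0.01, "Gi0/7", "02:00:00:00:00:%02x" % i) for i in range(50)]
    events.append((5.0, "Gi0/3", "aa:aa:aa:00:00:03"))
    return events


LATE_CLIENT = "aa:aa:aa:00:00:03"
open_pool, _ = replay(constructed_events(), pool_size=20)
guarded_pool, dropped = replay(constructed_events(), pool_size=20, limiter=PortMacLimiter())
print(len(open_pool), LATE_CLIENT in open_pool)
print(len(guarded_pool), LATE_CLIENT in guarded_pool, dropped)
```

Without the limit the 20-address pool is full before the late client asks; with it, the flooding port holds three leases and the late client is still served.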

Assignment #2

• Use scanning tools of your choice, such as NMAP, for gathering information. Do not use the examples mentioned in lectures.
• Note: no documentation is needed, but keep the work on your computer; I will evaluate it next session.

Question

Next Session

Continuation of Network Scanning & Network Attacks
