Okay, at the end maybe. All right, so thank you for coming. It's NetSec, networking security. So, announcement: this Sunday is going to be our last general meeting of the semester, so to kind of keep things chill we're just doing a hot chocolate social, so feel free to show up and we'll have hot chocolate in CS 1404. Forgot to put that down. So we'll have the big screen, so if you guys want we can do, like, a movie, we do Jackbox, we do Switch games, you know, whatever you guys find fun.

Okay, so this is the meeting flag. There should be a category called networking security somewhere on the CTFd, so if you find the meeting flag challenge... "Please Do Not Throw Sausage Pizza Away." Does anyone know where the flag is? Nobody? Okay, well, that is a mnemonic, it's like an acronym to help you remember the OSI model names. So P is for physical, D is for data, N is for network, T for transport, S for session, P for presentation, A for application. Yeah, and then there's your daily xkcd as well, as mandatory. The slides are also on the CMS or on the website, so you can go and view the slides if you want to.

Okay, so very broadly, what is networking? Just so we're all on the same page. So it's a way for, in the context of networking and cybersecurity, we're talking about computers sending information to each other. And the internet is only one example of a network, right? So you can have different networks, like ATM networks, which aren't connected to the internet. And then you can also have sub-networks attached to a main network, right? So the University of Illinois net is an example of a sub-network, or it's kind of its own internal network, but it's also connected to the internet through some parts, so that kind of makes it a sub-network as well. And we kind of have protocols for everything when it comes to networking, because you have different devices, you know, from different manufacturers. You kind of
need some sort of protocol so that way they can talk to each other, right? Some sort of standardized language. So as a result there's a lot of different protocols, because people like coming up with their own things to make things more efficient, or more niche, or for a specific use case. So there are a lot of protocols, and there are a lot of acronyms as a result of this.

The main way you want to view networking in general is through the OSI model, or there's also a more basic, reduced version of this, but the idea is that you can break most computer network traffic into seven different layers. And so each packet that is sent on a network will contain some or all of these layers, but you'll always start with layer one and work your way up to layer seven. And if you want to think about it, it's kind of like, you know, Russian nesting dolls, where you have layer one as the outside encapsulating doll and then you could have multiple layers on the inside.

So these are those layers, right? So we have, as I mentioned earlier, the acronym PDNTSPA. The lowest layer you can get, right, if you want to send data from one computer to another, you have to send actual physical bits, right? So the physical layer is relating to, well, this is wrong, or well, so Ethernet in terms of, like, the actual Ethernet cables, fiber optics, binary, that's the actual physical layer. The data link layer is how devices know where to get from, how... it's basically, like, figuring out how packets can get from one node to another node in a graph, right? So every node in a network will have a MAC address, and that MAC address is, like, a sort of, not technically unique, but within the network is supposed to be unique, address that traffic can be sent to. So this data link layer allows basically traffic to traverse your network. The network layer, which kind of feels like a redundant name, but
this is where you have the ability to send those packets over larger distances, across networks even. So this is where you see the Internet Protocol most commonly being used, right? And that allows you to send arbitrarily: I want to send a packet from my computer to a computer over there, and I don't really care how it gets there, right? So as I mentioned earlier, layers don't care about the layer beneath them, so as long as the packet gets from destination A to destination B, it doesn't care what other nodes it traverses through to get to its destination. And then the transport layer, TCP and UDP, they kind of allow applications to build on top of that network layer, and they also provide guarantees that messages sent... or not guarantees, that messages sent will have certain properties. And then layers five through seven can kind of just be grouped together, which is why they're all highlighted blue, and this is where you'll see protocols that will add encryption, or if they're not adding encryption, it's just HTTP, right? And yeah, so the application data that you're sending to different programs doesn't care about how it traverses through the network; it only cares that the program gets a message. Yeah, great.

So going a little more... Yeah? Yeah, so, like, it looks like two, three and four are all through with routing, right? So routing is actually a layer three device as far as I know, and routing is a way to essentially set a source and destination. Now the routing is basically going to be done upon, like, layer three, in the sense that when I have, like, an IP address that's currently there in the source, the router will be able to acknowledge that IP address along with, like, the destination that it has to route it to. So it simply forwards and keeps track of that through, like, what we call a routing table, as to, like, say if I were to have a packet that needs to go to, like, this guy, who do I tell? I do a lookup in that routing table and I'm able to
tell that. So now, because it's a layer three protocol and the layers are pretty much, like, independent from the ones below them, the router's job is only to keep track of that mapping, so it doesn't need to know the stuff... I guess, how does it help to have that when you already have...? Right, so the way you can sort of think about it is that with the data link layer, that's deciding the physical whole path to take to a destination. So the slight issue with MAC addresses as well is they're not designed to be split up. Like, if you think about a MAC address versus an IP address, right, a MAC address has a manufacturer ID for the first three octets, or not octets, the first three bytes. So there isn't, like, room to actually do any networking or, like, build sub-networks in there. So IP addresses exist to allow that to happen, and then MAC addresses kind of serve the purpose of being a unique hardware identifier, as opposed to being an address where you can send data traffic to, right? So for example, a device can have multiple IP addresses, right, but it might be using a single... Right, yeah.

What is VLAN tagging? Something VLAN tag? Do you want me to answer seriously, or... huh? I know how to answer this by saying that on a particular... you don't want to route traffic, of course, to a different logical subnet, so you want to tag it. No, it's a... yeah, so it is, it's a frame. Okay, yeah, to tag the frame ID so that you, you know, forward traffic to another logical subnet, but I don't know that for sure. You know that something... So, so VLANs have IDs, right? So you tag, you put the ID inside the frame information, and when a device that's operating on layer 2 receives that, it knows that it can decide whether that packet can be sent to a certain... can be switched to a certain output, right? So in the case of, like, you know, the easiest way to describe VLANs is if you have different departments, so
you have, like, maybe a marketing and an accounting department, right? You don't necessarily want the marketing department to access, like, financial data. So any traffic that is tagged with, you know, the marketing VLAN ID, when a switch receives that it's going to not send that out to any of the accounting ports, even if it's destined for it. It's not going to do it. Yeah, VLAN tagging is a very basic way to implement a form of segmentation at, like, layer two, so that's kind of the main purpose. Yeah, cool. Any more questions? All right.

So now going a little more into layer four protocols, which are your transport layers. The two most common ones that you will see are going to be TCP and UDP. Now, in order to really easily tell the difference, let's say that you want to simply call someone. Now, if you want to set up a TCP connection, doing TCP would be like, say, starting a normal conversation. So first what will happen is that A will send a request to B saying, "Hello, I am A and I would like to talk to you." That's essentially some way that you will start a connection in TCP. Now, if B is able to receive that connection, B will answer like you would in a normal conversation; people will say, "Hello A, I am B, currently talking," and then that essentially tells A that B has received the request, as far as the TCP analogy here goes. Now, after that has been established, A can go and forward any conversation that he wants to tell B, with anything. So now it goes back into A over to B, so this is essentially the way TCP handles starting its connections. Now, UDP does not need to have such a handshake. UDP is simply forwarding data, so doing something with UDP would be like, say, sending a voicemail out. So in this case A would go to B without any warning saying, "Hey, we've been trying to reach you about your car's extended warranty," or, say, your information. Now UDP does not care whether or not B actually recognizes the data, and it's just a single forward direction. So with UDP there is no
guarantee or way to know that your request has been sent, because it's only sending them outward via the stream. So that's one way you could tell the difference between the two. No... Now, in UDP you can actually still, you know, send... like, B can still send a response to A, right? Yes. And, like, you could use that to basically do a two-way handshake instead, so that A knows that B got the message, right? TCP also... this handshake happens automatically for any application that's using TCP, so you always know that the connection is established before you start sending your application data. So that's the key difference from UDP: with UDP you can just send your application data right away, whereas with TCP it's kind of like an extra check to make sure, hey, is the server that I connected to alive, and if it is then I can start sending data.

So yeah, so to kind of simplify, or to kind of formalize this: the previous A to B, B to A, A to B, that is a three-way handshake. So the technical term for those types of messages are a SYN, which is synchronize, and then the SYN-ACK, which is synchronize-acknowledge, and then ACK for acknowledge. So once these three messages have successfully been sent, then you can start sending data to each other without worrying about packet ordering. I... this is actually not really true, it's not really relevant, I don't know what this is here, honestly. This is inaccurate, yeah. This is when I... because I made these slides a long time ago, so don't listen to that. TCP does not necessarily mean it's more secure than UDP. Why is that? Well, I mean, it's kind of the same, because the security of an application kind of depends on the layers that are above what TCP and UDP are, right? So you have, like, layer five, layer five being session, right, so that actually authenticates a user or application data, or you can even have presentation, where there's
cryptography, right? So the idea is that the medium, TCP and UDP and IP and data link, should sort of be considered as the mediums through which network data transfers, and I wouldn't necessarily consider that as one being more secure than the other. It might help, but yeah. Yeah, and the other thing to also note is that the established connection, while it is required, the actual individuals being responsible for the connection are not set in stone by TCP, so anyone can establish a connection with anyone, which is another thing... I guess this is a very basic protocol, at least. This to me, it seems like there's at least some advantage there, because in UDP you can just add... Well, you can do the same in TCP as well. Not really. Yeah, you can... well, I guess you need to guess the correct, like, yeah, you need to guess the correct sequence numbers, but, like, I wouldn't really call that... like, that isn't really intended for security, as we've seen, sort of. I guess it does have some security properties, but, like, it's not something I would really rely on, right? And at the end of the day, it depends on your use case, right? Like, I could send application messages over, like, a serial line instead of using TCP or UDP. So this might be more secure in the sense of, like, protocols to choose for that specific layer, but if you're building application protocols and traffic above that, do not, like, take that at face value, because this is just, I don't know, it's a very basic guarantee, because it's supposed to work levels above, but you also have to think about the levels above if you're, like, declaring something secure. And again, like, standards also... So what we're trying to say is basically, just because you picked TCP doesn't mean you should make your application less secure.

Okay, and then, yeah, and then UDP: a constant stream of data, so this has better applications where you need low latency, right?
You don't want to have the overhead of the additional three-way handshake, so it's good for, like, video streaming, which is why sometimes, you know, when you're receiving a video you see it sort of glitch out, right? And the reason is maybe because there's packet drop on the way, and because UDP doesn't guarantee that the receiver receives that, then, you know, because streaming is real time, it just kind of glitches out. If you had video streaming over TCP, right, what you'd probably have is a lot of buffering, because you'd have, you know, the video data getting lost on the way, and now the client has to wait for TCP to retry and retransmit the data so it can, you know, replay the video. So as you have a lot of retransmissions going on with, like, TCP, that's basically saying that I want to keep establishing and retrying the same packets going in again and again, so it interrupts. So as a result, with UDP you'll just see a small skip, because the stream would still continue; I don't have to retransmit. UDP, yeah... What is RTP, about streaming? I'm pretty sure RTP is, like, the streaming, right? Right. Well, okay, that's an application protocol built on top of UDP. Yeah, I believe so. Yeah, I'm pretty sure RTP does use... okay, RTP typically runs over... yeah, yeah. All right, so yeah, so RTP is an example of a video streaming protocol built on top of UDP. Cool.

So now that we kind of have a more general understanding of how networking works, we want to talk about some network attacks. Not many, because we don't have those slides prepared, but there are some pretty interesting attacks. So the first one, which has kind of fallen out of any relevance because modern programming is good now for network stacks, but a SYN flood, as we mentioned earlier: so a SYN packet is the first packet that's sent at the start of a TCP handshake. So basically the attacker is kind of exploiting how the three-way handshake
works to basically do a denial of service attack against a server. So if the attacker sends a SYN packet to a server, right, the server sees that and it responds with a SYN-ACK, because it's establishing a connection. But in order for the three-way handshake to complete, the client also needs to send another acknowledgement, right? So the server will kind of wait for that handshake to finish, right? But if the attacker never sends it, then, okay, sure, I guess something happened with the other client, so I'll just wait a little bit longer and see if it finishes the connection, and if not then I'll close out the connection, right? And that's fine and all, but, like, what happens if you have a lot of people spamming SYN packets to the server at the same time, right, and they never finish a connection? They always send the SYN packet and then they never respond back with an ACK. So basically what would happen is that servers would start to handle all these connections, right; it would start to queue all these connections and it would never receive the acknowledge response. And because the server has all these network sockets open, it doesn't have, maybe, enough memory to open up a new network socket, or also because at this point, you know, it's kind of overwhelmed. And the kind of dangerous thing about this attack too is that you didn't even really need, like, a botnet to perform this attack, because you could just send many connections from the same device to perform this attack and it would essentially take down a server. So yeah, and then eventually what happens is, you know, the server will have to start dropping connections, and then legitimate traffic can't connect, which is a problem. So the way that this problem was fixed is using a feature called SYN cookies, which basically says, if I don't receive the SYN-ACK, or if I receive a SYN from this IP, right, I'm going to remember that, and if it sends
me another SYN, then I know that... it is basically a cookie, like, I've seen this IP before, the same connection, and I currently have a connection that hasn't been established yet, so I'm just going to forget about that connection request. So by doing that you essentially limit connections to one at a time, unless... you can have multiple connections at the same time, but the connection has to be fully established, right, as, like, an ACK. The other thing is that doing a SYN flood, as you can, like, tell, is pretty guns blazing as far as, like, attacks go. So if you are on, like, some sort of, like, forensic side and you were seeing, like, a lot of SYN requests being made, like, at a checkpoint for, like, a really small amount of time, it also raises a lot of suspicions, so it's not really used in practice as far as, like, taking down a server goes. Yeah, because you could just block that single IP address and call it a day, you know. With modern firewalls, like, SYN floods are not remotely applicable to the real world anymore, but they're still interesting to talk about because they're exploiting the functionality of the TCP stack.

And then the other thing is ARP cache poisoning. So this is an attack that works on layer two. So ARP is the Address Resolution Protocol; basically it translates IP addresses to MAC addresses. So if I want to send basically data to an IP address, I need to know, like, what MAC address to put my packet as, and the nearest ARP resolver will say, here, you can send the packet to this MAC address and it will arrive at the other system. So the way ARP cache poisoning works is that your device is constantly sending ARP requests to figure out where IP addresses are and which MAC address it should send those packets to. So one way that ARP cache poisoning works is that you kind of beat the ARP resolver's response, and before it's able to reply to the
requester, you immediately say, hey, I am 1.2.3.4 and this is the MAC address that you can use to send data, and it's actually the attacker's MAC address. So now data can flow through the attacker, because the client now thinks that, oh, I can send packets for 1.2.3.4 to this MAC address. And so that kind of allows you to manipulate how data is sent through a network, or the way that packets traverse through a network, right? And this is still pretty relevant, mostly because, again, layer 2 is not meant to provide any security guarantees; it's simply a medium for traffic to traverse.

And so that kind of leads us to the idea of the man-in-the-middle attack, right, where you have some entity that's running on a node sitting in between network traffic passing between two other nodes. So you can have a passive man in the middle, whose goal is to read data as it comes through and maybe spy on, you know, the information that's being sent, or you can have active, where you modify the packet and retransmit it in the hopes of, you know, manipulating the responses. So any entity that's kind of in between you and your destination can sort of be considered a man in the middle, right, because they're handling the data that's passing through. So just a quick visualization of how man-in-the-middle works, right? So let's say you had a direct connection from A to B. Using something like ARP cache poisoning, you can trick A into sending its data link packets to the man in the middle, and then you can forward them to B or not. But the idea is that you have now inserted yourself in the middle of the network traffic.

And revisiting the OSI model, you can kind of see how there's different attacks at different layers, right? So again, we talked about ARP cache poisoning. Another layer 2 attack is where you spoof a MAC address, so you pretend... you either modify your device's MAC
address to pretend that you're a different MAC address. This attack is actually pretty cool, because a lot of, basically, network devices, like network firewalls, will use something called MAC address whitelisting in order to ensure that only a specific device, when attached to a network, can send traffic on it, right? So if I was, you know, visiting Purdue and I plugged in my computer and sat on their network, right, maybe my MAC address isn't whitelisted on Purdue's network, so it won't let me access Purdue's resources, right? But maybe if I'm a Purdue student and I have, you know, my MAC address registered in their table, then now I can send traffic to resources. So if I knew somebody else's MAC address at Purdue, then I could spoof my computer to basically trick them into letting me in. This is actually sort of... yeah, ARP is there. So you've got the DoS in... Application, right, so that's where most of, you know, CTF challenges are: you've got web, pwn. Cryptography would usually be in the presentation layer, and the reason we call this presentation is because the way you actually present the data in a packet is different from how the application actually receives that data. So cryptography is an example of this: you encrypt your packets, so on a network, you know, you can't see the application layer of data, but when the application actually receives it, it gets decrypted and it's presented in that way. So that's why it's called the presentation layer. It's kind of a goofy name, but yeah. Does anyone have any questions about more of this OSI model stuff? Okay.

So now, a very useful tool that pretty much everyone in the industry related to networking uses, not even security related, is Wireshark. Basically it's a tool that captures all network packets being sent to your device, or to some monitoring device that you may have, and you can analyze packets to see all the different information sent in the
packets, and at each layer. So this is kind of what the interface looks like, and this top part is the packet list, so you can see all the packets being sent, at what time, to what IP. Since this is a... ARP is actually a layer 3, layer 2 protocol, but because people that are sending ARP messages don't know what the IP addresses are, it actually shows MAC addresses instead. And here you can click on a specific packet and you can see information about that packet. So you can kind of see the OSI model here: you've got frame, which is physical; Ethernet, which is layer 2, data link; IP, which is network, 3; User Datagram Protocol, which is transport; you've got session, which is five; and then that was kind of it, but there will be, like, HTTP here at the bottom if it was HTTP traffic. And then you can also inspect the raw packet bytes if that makes you happy. And very useful: you can use a filter so that way you can find only packets matching a specific IP, maybe, or you can filter for only UDP traffic or only the web traffic. So for example, you can just type http and boom, it only shows you HTTP traffic now. Or you can filter by a specific IP address, and it'll only show you packets which have that IP address. And you can also, again, because TCP and UDP are basically kind of streams of data, you can follow a specific stream of data by clicking on the packet and it will show you all packets related to that conversation, which is useful if you have a lot of different connections in a single packet capture. Yeah, in the real world this is also really useful for understanding communications, say, through exfiltration or other methods of, like, sharing data. For example, a really common thing that I was able to... how many people were here for that? Yeah, so it is possible to also share a lot of data hidden within certain sessions, so one thing you could do to be able to, like, say, follow that stream is to just hit TCP, follow,
and then you could see everything related to, say, that conversation or data exfiltration, to be able to recognize these things. So it's really useful for forensics, something I want... And then Wireshark is a GUI by default, but its CLI counterpart is tcpdump, and then there's also a tool called tshark, which is Wireshark but worse. Well, it also runs on the terminal. Well, yeah, it runs on the terminal, which is why it's useful, but, you know, you can use it in bash scripts, or if you don't want to wait for the Wireshark GUI to load, it is technically faster. pyshark is also a very useful library, because it's essentially tshark but it lets you use it in Python scripts, so that's kind of nice and it has some nice APIs. We're not going to talk... well, okay, you could do Scapy, that's the first meeting. Okay.

So there are some challenges. Almost all of the challenges that we have are going to use Wireshark, so you'll need to install Wireshark or any one of these other tools, but I recommend using Wireshark just because it's easier to get started, and all the challenges should be solvable, or not all of them, but some of them. So there's the layers one to seven challenge, which is basically, like, kind of asking you to find information at each of the different layers, so it kind of gets you familiar with Wireshark and how to interpret network data. There's the file transfer challenge, which is basically, you have FTP traffic data, and FTP is File Transfer Protocol, so in this case FTP is sending a file over the network. And FTP doesn't have any real presentation layer, which means it's not encrypted, so you can sort of find that information using Wireshark and its tools. I forgot what pool was, but you'll have fun with that. SMB brute force? Okay, Hydra traffic, and you figure out which one's successful, right? I did this, right? Yeah, okay. So yeah, it's been a while since I made
these challenges. Well, yeah, there was something... this was also tunnel vision, but slightly... Livestream fail is extracting a video stream, so this is slightly challenging because, well, I mean, it was challenging at the time because I don't think Wireshark had the proper decoders for it, but it might now. For which one? Livestream fail. Whoopsie, I'll fix that. And then 2b2t, which was my oldest, which was a challenge I made for UIUCTF 2021, and that is basically, you have sort of a Minecraft clone, which is Minetest, and there's traffic and you have to figure out what it does. But that one's painful. Yeah, it is painful. And, you know, that is painful, and I will also say Minetest provides the actual packet dissector for Wireshark. So application traffic is kind of hard to reverse engineer if you don't have, you know, references or documentation, and all you have is the client and the server and you have to interpret the traffic in between, or if you don't even have that, right, and you're just looking at traffic, you're kind of trying to make meaning of a bunch of bytes. So, you know, 2b2t... Minetest is relatively well documented network-wise, so the fact that this is kind of difficult, you know, kind of helps you get into reverse engineering network traffic protocols as well.

Yeah, again, next meeting, this Sunday, is our last meeting of the semester, and we'll do hot chocolate, a movie or games, in CS 1404. Thank you. Going at all? No, we didn't. Okay, so yeah, so Wi-Fi, if anyone is curious, would fall under the data link layer, right? So that is... I'll go back a few slides, so that would be that, or more... sorry, not the link, right, it would be physical, right, because that is the physical media. It ends up being a couple, it's not... yeah, but it's mainly one. Wi-Fi is its own beast; it ties into, like, you have to do
things whether you're grabbing the four-way handshake and then cracking it, or you're doing deauth, like, how do you classify that? It's kind of... it's a lot of layers, right? So the important thing with Wi-Fi is that it does a lot of things that could be classified in these other layers, but it's important to note that it's still all encapsulated in layer one, because at the end of the day, it doesn't matter: your application data is not going to matter whether you use Wi-Fi or not, or whether you use MAC addresses doesn't depend on whether you use Wi-Fi or not. So Wi-Fi falls under the physical, technically, but it's very complicated because you have, you know, authentication, network, even, like, actual physics behind, like, antennas. Like, if we were talking wireless transmission from a purely physical data layer standpoint, right, it would just be, you know, an antenna to an... Wi-Fi will include things like, you know, authentication with the RADIUS server, which is, you know, something that would be an application, right? So yeah, Wi-Fi is wicked, it is really fun. Also, by the way, all the installs for the drive are, like, years out of date. I'm trying to fix it this time around.
2024-12-29 13:54
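Added example, not from the meeting or its slides: a small Python detector of the kind you could feed from pyshark or tshark output, flagging the two attacks discussed above from the defender's side: a SYN flood shows up as many TCP handshakes that a client leaves half-open after the server's SYN-ACK, and ARP cache poisoning shows up as one IP being answered by two different MACs. The packet records, addresses, field names and the threshold of 20 are constructed for this example.

```python
"""Detection-side look at two attacks from the meeting: SYN floods (TCP
handshakes left half-open) and ARP cache poisoning (one IP advertised by
two different MACs). The packet records below are constructed for this
example; the keys imitate fields tshark/pyshark would give you."""
from collections import defaultdict

FLOOD_SRC = "192.0.2.66"   # constructed client address (TEST-NET-1 range)
SERVER = "10.0.0.1"        # constructed server / gateway address


def _tcp(t, src, sport, dst, dport, flags):
    return {"t": t, "proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags}


def _arp_reply(t, ip, mac):
    return {"t": t, "proto": "arp", "op": 2, "arp_ip": ip, "arp_mac": mac}


# Constructed sample capture: one legitimate handshake, two ARP replies for
# the gateway's IP from different MACs, then 50 SYNs that the server answers
# with SYN-ACK but the client never completes.
SAMPLE_PACKETS = [
    _tcp(0.00, "10.0.0.5", 40001, SERVER, 80, "S"),
    _tcp(0.01, SERVER, 80, "10.0.0.5", 40001, "SA"),
    _tcp(0.02, "10.0.0.5", 40001, SERVER, 80, "A"),
    _arp_reply(0.05, SERVER, "aa:aa:aa:aa:aa:01"),
    _arp_reply(0.06, SERVER, "de:ad:be:ef:00:99"),
]
for i in range(50):
    SAMPLE_PACKETS.append(_tcp(1.0 + i / 1000, FLOOD_SRC, 50000 + i, SERVER, 80, "S"))
    SAMPLE_PACKETS.append(_tcp(1.0 + i / 1000 + 0.0001, SERVER, 80, FLOOD_SRC, 50000 + i, "SA"))


def half_open_handshakes(packets):
    """Count, per client IP, handshakes where the server sent SYN-ACK but the
    client's final ACK never arrived. These are exactly the connections a SYN
    flood leaves queued on the server."""
    state = {}   # (client, cport, server, sport) -> "syn" | "synack"
    for pkt in sorted(packets, key=lambda p: p["t"]):
        if pkt["proto"] != "tcp":
            continue
        if pkt["flags"] == "S":
            state[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])] = "syn"
        elif pkt["flags"] == "SA":
            # SYN-ACK travels server -> client, so reverse the tuple to find the SYN.
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if state.get(key) == "syn":
                state[key] = "synack"
        elif pkt["flags"] == "A":
            # Final ACK from the client completes the handshake.
            state.pop((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]), None)
    counts = defaultdict(int)
    for (client, _, _, _), s in state.items():
        if s == "synack":
            counts[client] += 1
    return dict(counts)


def syn_flood_sources(packets, threshold=20):
    """Client IPs with at least `threshold` half-open handshakes in the capture.
    The threshold is a tuning knob for this example, not a standard value."""
    return {ip: n for ip, n in half_open_handshakes(packets).items() if n >= threshold}


def arp_conflicts(packets):
    """IPs that ARP replies attribute to more than one MAC. A host legitimately
    changing NICs can cause this too, so treat it as a lead, not a verdict."""
    macs_for_ip = defaultdict(set)
    for pkt in packets:
        if pkt["proto"] == "arp" and pkt["op"] == 2:
            macs_for_ip[pkt["arp_ip"]].add(pkt["arp_mac"])
    return {ip: sorted(m) for ip, m in macs_for_ip.items() if len(m) > 1}


if __name__ == "__main__":
    print("half-open per client:", half_open_handshakes(SAMPLE_PACKETS))
    print("SYN flood suspects:", syn_flood_sources(SAMPLE_PACKETS))
    print("ARP conflicts:", arp_conflicts(SAMPLE_PACKETS))
```

The legitimate client 10.0.0.5 completes its handshake and drops out of the count, while the 50 unanswered SYN-ACKs to 192.0.2.66 cross the threshold; the two replies for 10.0.0.1 surface as an ARP conflict.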