3. 14.2 Vulnerabilities and Exploits
In this video we want to contrast a couple of terms an exploit and a vulnerability. First consider a vulnerability. A vulnerability is some sort of a weakness or a flaw within a system that is supposed to be secured. An example might be having a weak password to get logged in to a server. Another example might be not applying a patch to an underlying operating system to fix a known issue. And an exploit can take advantage of that vulnerability. If somebody has a weak password, the exploit might be to run some sort of brute force password cracking program that’s going to try a bunch of different passwords until it eventually guesses the right password. Or maybe we have a more advanced exploit, we’re running some sort of a SQL injection.
But an exploit is taking advantage of that vulnerability. And once a vulnerability is discovered, typically the developers, they go to work to try to fix that vulnerability. They want to apply a patch to their operating system or to their application.And of course there are many, many vulnerabilities and exploits out there. The good news is there’s a database that you can access, the minor corporation hosts a website that you see here on screen and they operate the National Cybersecurity federally funded research and development center.
And this program that they run catalogs known vulnerabilities and exploits. And if you want to go visit it yourself and look around you can go to CVE mitre. org. And another term I want you to know related to a vulnerability is a zero day attack. If a vulnerability has just been discovered and the developer has not had an opportunity to patch it yet, then it is open to an exploit. So a zero day attack is when an attacker launches an exploit against a brand new vulnerability that has not yet been patched. And again the big takeaway from this video is I want you to distinguish between a vulnerability, a weakness in a system and an exploit. Something that takes advantage of that vulnerability.
4. 14.3 Denial of Service Attacks
A denial of service attack is trying to make a service unavailable. We want to deny that service to the users. And one way of doing that is to just overwhelm the target server, the victim with a ton of traffic and it’s going to slow them down so much they cannot do their regular job. Here’s an example. Let’s say that we have this attacker on the left and they want to launch a Dos or a Dot attack, a denial of service attack against the victim whose IP address is 109 202123. Well, this denial of service attack is going to flood that victim computer with so much traffic that it’s going to be too busy dealing with all those incoming packets. It’s not going to be able to do its job. And there are different types of Dos attacks and we’re going to be considering a few in this video. But as a simple example, let’s say that the attacker sends a directed broadcast to this subnet.
You see up at the top of the screen, we’ve got this subnet of 198 51 124. Now, I’m only showing you four computers here, but we could have a couple of hundred or so computers in that subnet and the attacker spoofs their IP address. They lie about who they are. They claim to be 109 202123. They claim to be the victim’s IP address and they send a ping to a directed broadcast address of 198 51 100 255. Remember, a directed broadcast goes to everyone within a subnet. So this is going to go to all active hosts in that subnet, all of which are going to simultaneously reply to that victim computer. Even though the victim didn’t ask for the ping replies, the attacker lied and said that they were the victim’s IP address. So this unsuspecting victim gets flooded with all this traffic. An even more damaging type of denial of service attack is a DDoS attack or a distributed denial of service attack.
This is where over time devices out on the Internet get infected. We have malware that gets installed on these computers literally around the world and there could be thousands or tens of thousands of these computers and they form what is called a botnet. Now, the users of these computers, they’re probably unaware that anything is going on. Everything seems to be working just fine. Little do those thousands of users know that their computers can be summoned by a command and control server that will talk to the malware that’s been installed. So the attacker, they can send an initiation command to the command and control server. It’s going to reach out to this botnet of infected devices. Again, I’m just showing you four on screen. But it could be thousands or tens of thousands of infected devices around the internet and they simultaneously start attacking that victim, which is just going to overwhelm that victim computer and they’re not going to be able to do their job. Now, let’s take a look at a few examples of Dos and DDoS attacks. One is a send flood attack. Do you remember how a TCP session gets set up? We talked about a three way handshake. I want to talk to you, so I send you a synchronization message or an syn or a sin for short. And if you want to talk to me, and you’re willing for me to talk to you, you’ll send me a sin AK back. You’re sending me an AK, you’re acknowledging my sin, and you’re sending me a sin, a synchronization of your own, saying, yeah, I’d like to talk to you as well. And when I get that, I’ll send you an ACK to respond and say, yes, you may talk to me. That’s the three way handshake. Part one is a sin that I send to you. Part two is the sin act that you send back to me.
And part three is the act that I send back to you. But what an attacker might do is they can send a bunch of sins, a bunch of synchronization messages into the target system saying, hey, let’s start a conversation. And when those synchronization messages go into the victim computer, it’s going to have to allocate resources to start talking back on all these different sessions, and it will respond with a syntax. And we just ignore them, we ghost them, and we don’t reply. We could have thousands of these open TCP sessions consuming resources on that victim computer. Another type of Dos attack is a UDP flood attack. Here we are just bombarding the victim’s computer with a bunch of UDP segments. And the thing that makes UDP unique from TCP is that UDP is connectionless.
So the victim does not have a way to verify the sender’s identity. In other words, it cannot identify the sender’s address. Or an attacker might be doing a Dos attack against a specific service on a server. Maybe we’re trying to attack the Web service on a server. We could do an Http flood where we’re sending a bunch of Http verbs, these commands that are used when we’re interacting with Web pages. We could send a flood of Get commands or a flood of post commands. Those are just a couple of examples of the verbs we can use. Another type of attack is a DNS reflected attack. Here, once again, the attacker is lying about their IP address.
They’re claiming to be the IP address of the victim computer. And they send a bunch of DNS requests out to the Internet, out to publicly available DNS servers. And when those DNS servers on the Internet respond, they’re not responding to the attacker, they’re responding to the victim machine. And we could get a lot of information flooding into that victim machine from all those DNS replies, making it unusable. And that’s a look at Dos in DDoS attacks.
5. 14.4 On-Path Attacks
In this video, we want to consider what is called an onpath attack. And an onpath attack is also known as a man in the middle of attack. Sometimes you see that abbreviated as M-I-T-M maninthemiddle. They’re really talking about the same thing. This is where a malicious user injects themselves somehow between the source and destination of a data flow, where they can intercept and monitor that traffic or maybe alter that traffic. You see, normally we’ve got these two devices, and they can talk directly back and forth between one another. And the switch sitting in the middle is going to learn the Mac addresses of these devices, and it’s only going to send traffic out of appropriate ports, ports off of which the destination Mac address lives.
So if an attacker were to plug into that same switch, how would they be able to get some of that traffic flowing to them when it’s really supposed to go just between those two different devices? Well, if they could do that, they could eavesdrop in or maybe even alter that traffic. Here are some examples of ways that that attacker could launch an on path or a man in the middle attack. One approach and we’ll talk about all these in this video, but one approach is a Mac flood. This is where the attacker is going to fill up the Mac address table of the switch. Remember that a switch is going to keep track of what Mac addresses live off of which ports. Well, it’s going to put that information in a Mac address table. What if that Mac address table is full? Well, at that point, the switch starts to act like an Ethernet hub where it receives a frame and says, I have no idea where this destination Mac address lives. I want to make sure it gets to its intended party. So I’m going to flood it out all ports other than the port on which it was received.
This means that any newly connected device to that switch after the switch’s Mac address table is full, it’s not going to be learned, and any traffic going to that newly attached device. It’s going to be sent out of all ports, including the attacker’s port. We could do an ARP poisoning attack where the attacker convinces the sender that its Mac address is the Mac address of the default gateway, and the victim sends their traffic to the attacker on the way out to the Internet. We’ll see how that works. And finally, we’ll talk about a rogue DHCP server. After all, if a victim’s computer boots up and learns information from the attacker’s DHCP server, we could be convinced to send our traffic to a different default gateway and use a different DNS server.
But first, let’s consider that Mac flooding attack we talked about. The goal of the attacker is to fill up the Mac address table of a switch so that any newly attached device will not be learned by that switch, causing all traffic destined for that newly attached device to go everywhere, including the port off of which the attacker is attached. What they’re going to do is send a frame into the switch with a source Mac address of something and then it’s going to change it to something else. We’re going to keep changing the Mac address to something different and different and different, and over a period of just a few seconds, we can fully populate the Mac address table. And a utility to do this that a lot of attackers use is Macof for Mac address table overflow.
And please do not use this utility for bad purposes to hurt anybody else’s system. You only want to use this on systems that you have administrative control of legitimately, but I want you to be aware of it because it’s something you need to defend against. But what we’re doing here is at a Kali Linux prompt we’re giving the command sudo for super user do Mac o f space minus I space e zero. That’s our Ethernet interface. And it is going to send a flood of frames into the switch claiming to come from different Mac addresses. And shortly after it does that, I took a look at the Mac address table of this switch and we went from having over 8000 Mac address entries available to zero. Notice it says the total Mac address space available is zero.
That happened in about 10 seconds or less. One way to protect yourself from that is to set a maximum number of Mac addresses that can be learned off of a single switch port on Cisco catalyst switches. You can use their port security feature to do that. Another way that an on path or a man in the middle attack might be initiated is through ARP poisoning. Let’s say that this PC wants to get out to the Internet and it just learned from its DHCP server that the default gateway that it’s going to use to get out to the Internet, it has an IP address of ten one one. However, the PC has not yet talked to that IP address. So it doesn’t know its Mac address.
How does it learn the Mac address? It’s going to send an R for broadcast saying, hey, does anybody know the Mac address for ten one one? And that’s going to be sent to routerrr one. And everybody else on that subnet router R one says, yeah, that’s me, I’ve got a Mac address of all A’s. We’re pretending that goes back to PC one and it makes that entry in its ARP cache. Now, when it wants to send traffic to its default gateway, it knows that that Ethernet frame needs to be destined for the all A’s Mac address. So now the PC is going to send traffic out to the Internet through router R one and the return traffic comes back. Everything is working as desired. Now, the attacker comes along, the attacker plugs into the same switch to which the PC is attached. And the attacker has a different IP address than Router R One. It’s got ten 1123, it’s got a different Mac address. It’s got the old B’s mac address. And what the attacker is going to do, it’s going to send an rply to PC One. PC One did not ask for another rply.
PC One is perfectly happy with its existing ARP cache, but the attacker says, by the way, the Mac address for ten one one, it’s really the All BS Mac address. And that’s going to make its way to PC One and it’s going to say, oh, thanks for updating me. I was confused. I thought it was the all a’s Mac address. Let me update my ARP cache and put the All B’s Mac address in there. So now when PC One wants to get out to the Internet, it thinks it’s going to go to its default gateway by sending an Ethernet frame to the All B’s Mac address. But really that goes to the attacker, which might capture or alter the packet. Then the attacker sends it out through R One out to the Internet.
After all, we don’t want PC One to be suspicious that anything’s going on, but that’s a way that ARP poisoning can allow an attacker to intercept traffic. How do we better protect ourselves from that? Well, the solution might vary vendor to vendor, but Cisco Systems, they have something called IP ARP Inspection and it’s going to be able to monitor DHCP traffic and it’s going to see which Mac addresses live off of which ports and what IP addresses they’re associated with. So if somebody sends false information other than that DHCP information that its Eaves dropped in on, it’s going to say, no, I don’t believe it and it’s going to disallow that packet. And another way we said that an on path attack might be launched is by having a rogue DHCP server. Let’s remind ourselves how DHCP works. When a client boots up, it goes through a four step process called Dora.
The memory aid I always use is the old Nickelodeon show Dora the Explorer. Do you remember that one with backpack and map? My girls used to watch that when they were little. But I think of Dora the Explorer when I think of DHCP because Dora Dora, that reminds me of the four step DHCP process. The Dndora reminds me of the Discover broadcast where the client is going to send out a broadcast saying, hey, are there any DHCP servers out there? That’s done in the Discover message and a server will hear that, hopefully, and it’s going to respond with the Oundora and offer saying, yes, I’m a DHCP server and here’s my IP address. Then the or indoor is we request IP address information and the A indoor is we get that IP address information in an Acknowledgment message. That’s the way it normally works. However, when that Discover Broadcast was sent out, it went everywhere within the subnet. After all, it’s a broadcast.
What if the attacker also were connected to our subnet? They would also receive that Discover broadcast and a percentage of the time, if they had their machine configured as a rogue DHCP server, there’s a percentage of the time where it might answer that Discover Broadcast first. In other words, its offer message reached the client quicker than the offer message from the corporate DHCP server. In a case like that, our DHCP client would believe information from the rogue DHCP server. And it might be pointing to the attacker’s computer as the default gateway. And it might be pointing to the attacker’s DNS server, which could redirect it somewhere else if we tried to go to a website, like maybe Facebook. com. So how do we protect ourselves against that? Again, the solution might vary vendor to vendor, but Cisco Systems has a feature called DHCP snooping.
In fact, DHCP snooping is required for the dynamic ARP inspection I just talked about. This is how we’re building that table of information about what IP addresses and what Mac addresses live off of different ports. So what we can do with DHCP snooping is we can say which port is trusted, and we can say all other ports are untrusted. Now, trusted means we’re willing to accept a DHCP offer message coming into that port. So if we go through this scenario again, the DHCP client sends out a broadcast saying, hey, are there any DHCP servers out there? Both servers respond. But the offer message from the rogue DHCP server, it hits an untrusted port, and it is discarded. And that’s a look at a few ways that an attacker might launch an onpath attack, also known as a man in the middle attack.
