WEBVTT

00:00.000 --> 00:03.180
>> Hello. After
talking about malware,

00:03.180 --> 00:04.560
let's go ahead and talk about

00:04.560 --> 00:06.690
attacks that either
traverse the network

00:06.690 --> 00:10.319
>> or take advantage of
network vulnerabilities.

00:10.319 --> 00:13.530
>> The first thing we're
going to look at are scans.

00:13.530 --> 00:16.650
Just an average garden
variety port scan uses

00:16.650 --> 00:17.730
tools that are out there

00:17.730 --> 00:19.950
that scan to see
what ports are open.

00:19.950 --> 00:21.945
We already talked about malware,

00:21.945 --> 00:24.150
and that can include
backdoor software that

00:24.150 --> 00:27.000
gets installed and listens
on a network port.

00:27.000 --> 00:30.270
Ports provide pathways
into your system.

00:30.270 --> 00:32.100
If I were an attacker,

00:32.100 --> 00:33.800
what I'd want to do is scan

00:33.800 --> 00:35.895
and see what open
ports you have.

00:35.895 --> 00:39.680
There are also other types
of scans, like XMAS scans

00:39.680 --> 00:40.880
that tell an attacker what

00:40.880 --> 00:43.070
operating system a
host is running.

00:43.070 --> 00:45.920
Every host or operating
system responds

00:45.920 --> 00:48.940
to the TCP/IP suite a
little differently.

00:48.940 --> 00:52.085
If I send you a different
type of packet or segment,

00:52.085 --> 00:54.110
the way your host
responds tells me

00:54.110 --> 00:57.245
what operating system
your host is running.

00:57.245 --> 00:59.990
An XMAS scan is a TCP segment

00:59.990 --> 01:01.884
>> with every flag set to one.

01:01.884 --> 01:04.240
>> This is out of the ordinary.

01:04.240 --> 01:06.680
Having every flag
set to one is not

01:06.680 --> 01:09.320
something you would see
in normal communications.

01:09.320 --> 01:12.445
Having every flag set
to one is noticeable.

01:12.445 --> 01:15.170
It is said to be lit up
like a Christmas tree.

01:15.170 --> 01:16.909
That's how it gets its name.

01:16.909 --> 01:18.770
How your system responds to

01:18.770 --> 01:20.300
such an anomaly would tell

01:20.300 --> 01:23.090
me what operating
system you are running.

01:23.090 --> 01:24.920
Another type of attack is

01:24.920 --> 01:26.630
called a
man-in-the-middle attack.

01:26.630 --> 01:28.490
It's exactly what
it sounds like.

01:28.490 --> 01:30.380
Someone inserts
himself in the middle

01:30.380 --> 01:32.060
of a communication path.

01:32.060 --> 01:35.075
There are passive and active
man-in-the-middle attacks.

01:35.075 --> 01:37.915
A sniffing attack
is a passive form.

01:37.915 --> 01:39.740
This is an attack
where someone is

01:39.740 --> 01:41.285
just watching the communication

01:41.285 --> 01:44.600
with the packet analyzer
or network analyzer,

01:44.600 --> 01:46.355
something like Wireshark,

01:46.355 --> 01:49.070
just to see what is
traversing the network.

01:49.070 --> 01:50.705
In this type of attack,

01:50.705 --> 01:52.400
the person isn't doing anything

01:52.400 --> 01:54.514
>> or causing any problems,

01:54.514 --> 01:57.030
>> just watching and learning.

01:58.000 --> 02:00.680
A session hijacking attack is

02:00.680 --> 02:03.085
an active form of a
man-in-the-middle attack.

02:03.085 --> 02:05.270
This could be a TCP hijack

02:05.270 --> 02:07.900
or some other
session-based hijack.

02:07.900 --> 02:09.890
Ultimately, it's
going to involve

02:09.890 --> 02:12.110
stealing session ID information,

02:12.110 --> 02:13.760
or maybe they will disconnect

02:13.760 --> 02:15.000
one of the participating hosts

02:15.000 --> 02:16.580
and connect one
of their hosts to

02:16.580 --> 02:19.100
impersonate it using
their information.

02:19.100 --> 02:20.840
You can also see things like

02:20.840 --> 02:24.289
rogue devices acting as
man-in-the-middle attacks.

02:24.289 --> 02:26.450
For example, they could set up

02:26.450 --> 02:29.270
a wireless access point on
your network and trick you

02:29.270 --> 02:30.830
into sending your
network traffic through

02:30.830 --> 02:34.890
their Wi-Fi access point
instead of the normal one.

02:35.650 --> 02:38.480
Banner grabbing
isn't necessarily

02:38.480 --> 02:39.994
>> a network-based attack,

02:39.994 --> 02:42.665
>> but sometimes when you have
network utilities running,

02:42.665 --> 02:45.350
they may show splash
screens, or welcome screens,

02:45.350 --> 02:46.550
>> or just some information

02:46.550 --> 02:49.179
>> that's returned when
you issue a command.

02:49.179 --> 02:50.900
>> These tell you a little bit

02:50.900 --> 02:53.075
more than those utilities should.

02:53.075 --> 02:57.020
For example, something
as basic as nslookup.

02:57.020 --> 02:59.690
If you type nslookup
at a command prompt,

02:59.690 --> 03:03.005
it will respond and show
you who your DNS server is.

03:03.005 --> 03:05.030
This type of attack simply

03:05.030 --> 03:08.190
allows an attacker to
get this information.

03:08.710 --> 03:11.690
Now, we'll talk
about Smurf attacks

03:11.690 --> 03:13.204
>> and Fraggle attacks.

03:13.204 --> 03:15.245
>> These tend to
show up on the exam,

03:15.245 --> 03:16.310
so you would
want to have a good

03:16.310 --> 03:18.390
idea of what these are.

03:18.680 --> 03:20.825
The Smurf attack

03:20.825 --> 03:22.595
as you can see in this diagram,

03:22.595 --> 03:27.320
the attacker sends a packet
to the address 1.1.1.255,

03:27.320 --> 03:29.150
that's the broadcast address,

03:29.150 --> 03:31.090
the 1.1.1 network,

03:31.090 --> 03:32.670
goes through the router,

03:32.670 --> 03:33.680
and when anybody sends

03:33.680 --> 03:35.795
a broadcast packet
through the router,

03:35.795 --> 03:38.045
that's called a
directed broadcast,

03:38.045 --> 03:39.680
and that's no good.

03:39.680 --> 03:42.515
We don't want anybody
from the outside to send

03:42.515 --> 03:45.820
anything to the broadcast
address inside our network.

03:45.820 --> 03:48.550
This is already something bad.

03:48.550 --> 03:51.140
But if you notice what
this attacker is doing,

03:51.140 --> 03:55.610
he's sending an ICMP
echo request or a ping.

03:55.610 --> 03:58.645
That's what a Smurf attack uses.

03:58.645 --> 04:02.430
He's sending the ping request
across all these devices,

04:02.430 --> 04:04.940
and sometimes those
devices are referred to as

04:04.940 --> 04:08.590
being bounced devices or
part of the bounce site.

04:08.590 --> 04:11.515
They're acting as
zombies or bots.

04:11.515 --> 04:14.860
He's using them against
their wills, so to speak.

04:14.860 --> 04:17.250
He pings the broadcast
address, and

04:17.250 --> 04:19.785
that ping goes to all the
devices on the network,

04:19.785 --> 04:23.070
but what he has done is
spoof the source address.

04:23.070 --> 04:25.100
It looks like the
traffic is coming from

04:25.100 --> 04:28.625
the victim whose
address is 9.9.9.9.

04:28.625 --> 04:31.370
That's not really the true
source of the attack,

04:31.370 --> 04:33.789
but he spoofs the source address

04:33.789 --> 04:36.640
so all the devices
respond to the victim.

04:36.640 --> 04:38.540
If the attacker does this enough

04:38.540 --> 04:40.595
with enough devices
in the bounce site,

04:40.595 --> 04:42.110
he could perform a denial of

04:42.110 --> 04:44.765
service attack
against the victim.

04:44.765 --> 04:46.835
To mitigate against this,

04:46.835 --> 04:49.790
you block ICMP or
directed broadcasts

04:49.790 --> 04:50.974
>> into your network.

04:50.974 --> 04:53.955
>> That solves the
problem of Smurf attacks.

04:53.955 --> 04:57.965
Now, Fraggles work
just like Smurfs do.

04:57.965 --> 05:00.410
The exception is that
the Fraggle uses

05:00.410 --> 05:03.770
a UDP packet instead
of an ICMP packet.

05:03.770 --> 05:07.010
The reason is that ICMP
is very frequently

05:07.010 --> 05:08.180
blocked by routers with

05:08.180 --> 05:10.730
access control
lists or firewalls.

05:10.730 --> 05:12.935
Very few networks
are going to allow

05:12.935 --> 05:15.785
ICMP from the outside
into their network,

05:15.785 --> 05:18.800
but UDP, as we'll
talk about later,

05:18.800 --> 05:20.030
is such a powerful and

05:20.030 --> 05:22.100
necessary protocol
that it's really

05:22.100 --> 05:23.840
difficult to block UDP without

05:23.840 --> 05:26.545
losing a lot of
desirable services.

05:26.545 --> 05:28.670
UDP is more likely to

05:28.670 --> 05:31.115
slip through an
organization's firewall,

05:31.115 --> 05:33.745
but it does the same thing.

05:33.745 --> 05:36.345
It spoofs the source address,

05:36.345 --> 05:37.970
and the UDP packet goes to

05:37.970 --> 05:40.280
the internal devices
at the bounce site.

05:40.280 --> 05:41.900
They respond to the victim,

05:41.900 --> 05:44.289
>> knocking the victim offline.

05:44.289 --> 05:47.620
>> That's what Smurfs
and Fraggles are.

