Intro to InfoSec Communication Protocols Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)

Post on 19-Jul-2020

Page 1: Intro to InfoSec Communication Protocols

Nir Krakowski (nirkrako at post.tau.ac.il)

Itamar Gilad (infosec15 at modprobe.net)

Page 2: Today

• Intro to new subject – communication protocols

• Common terminology

• Most useful protocols

• Tools of the trade.

Page 3: Communication Protocols

• A network is just a bunch of devices communicating.

• There are all sorts of protocols out there today being used: 3GPP/GSM/SS7, TCP/IP, Ethernet, W/LAN, Bluetooth, ATM, HDMI, USB, etc.

• All protocols have been designed to serve different purposes, and their purpose usually dictates their structure and the services they provide.

• Of course the most important of all is the Internet Protocol (IP).

Page 4: Secured Communication

• Securing the transfer of information is a centuries-old problem. In the Middle Ages pigeons carrying notes were captured in order to intercept communication.

• Our computer systems are valuable because they can communicate. Can you find a computer disconnected from the internet?

• Communications are an essential part of the security trust base.

Page 5: Communication compromise types

Page 6: Communication denial types

Page 7: Communication compromise types

• Eavesdropping – once information leaves a device it can be intercepted.

• Man in the middle – communication is routed through a 3rd party.

• Man on the side – eavesdropped information is used for impersonation.

• Denial of Service (DoS).

• Distributed Denial of Service (DDoS).

• In other words, a hacker's goals, by priority, are:

  o Divert traffic for man in the middle.

  o Eavesdrop on traffic.

  o Disturb traffic.

Page 8: Popular Communication Defenses

• Firewalls – used to protect against unwanted packets, limiting traffic in advance to a set of rules that define acceptable traffic only.

• VLAN – separate the network into different Virtual LANs; every virtual LAN is a different trust-base segment. Needs to be carefully designed.

• End-to-End encryption – who cares what happens in between, it's all encrypted and, most importantly, authenticated/signed, e.g. SSH, SSL.

• Intrusion Detection/Prevention Systems (IDS/IPS) – passively monitor data and look for signs of "bad" behavior, and can then deny traffic.

Page 9: Ethernet

• The destination MAC (Media Access Control) address denotes the target device in the local network.

• If the MAC address is FF:FF:FF:FF:FF:FF the message is broadcast to all devices in the local network.

Page 10: IP

Page 11: Typical IP Routing Scheme

Page 12: TCP

Page 13: Typical TCP Connection

• A is connecting to B using the 3-way handshake.

• A sends a TCP SYN from a random source port to a specific destination port (e.g. port 80 for HTTP).

• B replies with TCP SYN+ACK from source port 80 to the random destination port.

• A replies with an ACK.

• DATA is exchanged.

• A or B initiates a TCP FIN to end the connection.
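As an added example, not part of the slides: a small Python tracker that reconstructs the handshake and teardown states listed above from per-packet records, the way a capture tool would, and reports connections stuck after the first SYN (the trace a SYN flood from the DoS slide leaves behind). The packet records and addresses are constructed sample data.

```python
# Added example (not from the slides): reconstruct TCP connection state from
# per-packet records. All packets below are constructed sample data.
SYN, ACK, FIN = 0x02, 0x10, 0x01   # TCP flag bits

def track_connections(packets):
    """packets: iterable of (src_ip, sport, dst_ip, dport, flags).
    Returns {(initiator_ip, sport, responder_ip, dport): state}."""
    state = {}
    for src, sport, dst, dport, flags in packets:
        fwd = (src, sport, dst, dport)       # same direction as this packet
        rev = (dst, dport, src, sport)       # the other direction
        if flags & SYN and not flags & ACK:  # step 1: A's SYN, connection half-open
            state[fwd] = "syn_sent"
        elif flags & SYN and flags & ACK and state.get(rev) == "syn_sent":
            state[rev] = "syn_received"      # step 2: B's SYN+ACK
        elif flags & ACK and state.get(fwd) == "syn_received":
            state[fwd] = "established"       # step 3: A's ACK, data may flow
        elif flags & FIN:                    # either side starts teardown
            key = fwd if fwd in state else rev
            if key in state:
                state[key] = "closing"
    return state

def half_open(state):
    """Connections stuck after step 1. A burst of these from many random
    source ports is what a SYN flood (DoS) looks like in a capture."""
    return sorted(k for k, v in state.items() if v == "syn_sent")

# Constructed capture: one full connection A<->B, two unanswered SYNs from C.
A, B, C = "10.0.0.1", "10.0.0.2", "10.0.0.3"
SAMPLE = [
    (A, 40001, B, 80, SYN),
    (B, 80, A, 40001, SYN | ACK),
    (A, 40001, B, 80, ACK),
    (A, 40001, B, 80, ACK),        # data segment
    (B, 80, A, 40001, FIN | ACK),  # B ends the connection
    (C, 50000, B, 80, SYN),
    (C, 50001, B, 80, SYN),
]
```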

Page 14: Our tools

• Wireshark – a spin-off from Ethereal, which started as a GUI interface for tcpdump.

  o Wireshark sniffs communications and records them in capture files (.cap or .pcap).

  o Has many modules supporting an enormous number of protocol types.

  o Straightforward interface.

• Scapy – another useful Python module.

  o Also available for Perl, don't tell Itamar. (http://sylv1.tuxfamily.org/projects/scaperl.html)

  o But we'll use Python anyhow.

Page 15: Demos

• [Demo sniffing a cookie with Wireshark.]

• [Demo using scapy.]

Page 16: Wireshark – setup capture filter

Page 17: Wireshark – capture filter

• Capture filters are very fast and tell Wireshark which data to record.

Page 18: Recording data

• Alternatively you can also record .pcap files with tcpdump.

• e.g.: tcpdump -ni any -s 0 -w out.pcap

• Reading files is also possible with scapy:

  o from scapy.all import *

  o all_packets = rdpcap("data01.pcap")
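An added example (not the slides' or scapy's code) of what rdpcap() does underneath: a standard-library pcap reader that walks the file's record headers, parses each Ethernet header, and reports which stations sent to the FF:FF:FF:FF:FF:FF broadcast address from the Ethernet slide. The capture bytes and MAC addresses are constructed inline.

```python
# Added example (not from the slides): parse a .pcap file with only the
# standard library. The capture below is constructed in memory.
import struct

PCAP_MAGIC = 0xA1B2C3D4        # magic of the classic pcap format (little-endian file)
LINKTYPE_ETHERNET = 1
BROADCAST = b"\xff" * 6        # FF:FF:FF:FF:FF:FF

def build_pcap(frames):
    """Constructed sample: wrap raw Ethernet frames in pcap global + record headers."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs

def ethernet_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def read_pcap(data):
    """Yield (dst_mac, src_mac, ethertype, payload) per record. Refuses
    non-pcap input and non-Ethernet link types rather than misparsing them."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:          # truncated by a small snaplen: skip, don't crash
            continue
        dst, src = frame[:6], frame[6:12]
        yield dst, src, struct.unpack("!H", frame[12:14])[0], frame[14:]

def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)

def broadcast_senders(data):
    """Source MACs of frames sent to the broadcast address (e.g. ARP requests)."""
    return [mac_str(src) for dst, src, _, _ in read_pcap(data) if dst == BROADCAST]

# Constructed capture: one ARP request to broadcast, one unicast IPv4 frame.
A, B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE_PCAP = build_pcap([
    ethernet_frame(BROADCAST, A, 0x0806, b"\x00" * 28),
    ethernet_frame(B, A, 0x0800, b"\x45" + b"\x00" * 19),
])
```

Captures taken with tcpdump -i any on Linux are written with the Linux "cooked" link type rather than Ethernet, so this reader rejects such a file instead of misparsing it; capture on a specific interface to get plain Ethernet frames.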