Presentation Layer Security
Lecture 7
Supakorn Kungpisdan
[email protected]
NETE4630
Roadmap
• Introduction to Presentation Layer
• NetBIOS and SMB
• NetBIOS and Enumeration
• Sniffing Encrypted Traffic
Introduction to Presentation Layer
• Presentation layer deals primarily with data representation
• If one host supports Extended Binary-coded Decimal Interchange Code (EBCDIC) for character sets and another supports ASCII, the presentation layer converts data according to each host’s needs
• Other functionalities include data compression, data encryption, and manipulating XML objects
CIFS (or SMB)
• Common Internet File System (CIFS), aka Server Message Block (SMB), is a network protocol for file sharing on a LAN, running at the application/presentation layer
• A client-server protocol
• Relies on other protocols for transport
– Most commonly used is NetBIOS over TCP (NBT)
• MS OSes use CIFS for remote file operations (mapping network drives), browsing (via Network Neighborhood), authentication (NT, Win2000, 2003), and remote printer services
• Unix OSes also implement CIFS via the Samba program
NetBIOS and SMB VS OSI
CIFS History
• In 1984, IBM wrote NetBIOS, an API allowing basic network communications between hosts on a small subnet, but it required a transport protocol
• The following year, IBM released a transport protocol that brought NetBIOS to life
• The two were merged into the NetBIOS Enhanced User Interface (NetBEUI)
• Later, NetBIOS was implemented over various transport protocols, e.g. DECnet, IPX/SPX, and TCP/IP
CIFS History (cont.)
• Soon after, MS and Intel created the first rendition of the SMB/CIFS file sharing protocol, titled “Core Protocol”
• MS and Intel chose NetBIOS to deliver the upper-layer CIFS packets
• CIFS using NetBIOS over TCP became the standard network file sharing mechanism for MS OSes
• Several operations have been added to CIFS over time:
– File access
– File and record locking
– Safe file caching
– File change notification
– Protocol negotiation
– Extended file attribute handling
– Batched requests
– Unicode support
NetBIOS
• NetBIOS runs over many transport protocols, but today TCP/IP is the most commonly used transport
• Main NetBIOS services:
– Name service
– Session service
– Datagram service
NetBIOS Name Service
• NetBIOS names are human-readable names assigned to computers on a network
– Commonly seen in Windows in Network Neighborhood
• Serves the same purpose as DNS in TCP/IP, but uses a different method
• Operates on UDP port 137
NetBIOS Name Services (cont.)
• Broadcast and/or server based
– Name registration and lookups can be accomplished by broadcasting to the LAN and/or using a central NetBIOS name server (NBNS or WINS)
• Broadcast only (b-node)
• NBNS only (p-node)
• Broadcast first, then NBNS (m-node)
• NBNS first, then broadcast (h-node)
• Dynamic registration
– With NetBIOS, when a computer boots, it registers its name/IP combination dynamically
NetBIOS Name Services (cont.)
• The two most common NetBIOS name service operations are name registration and name query
• Name registration associates a NetBIOS name with an IP address
• Name query determines the IP address associated with a given name
Name Registration (b-node)
1. Broadcast a name registration packet containing the name and IP over UDP port 137 three times (waiting 250 ms each)
2. If a host has already registered the name, it sends back a defense packet
Name Registration (p-node)
1. Unicast a name registration packet over UDP port 137 directly to the NBNS (WINS server) three times (waiting 250 ms each)
2. If the name is already registered, the NBNS sends back a defense packet
Name Query (b-node)
1. Broadcast a name query request containing the name over UDP port 137 three times (waiting 5 s each)
2. If a host has already registered the name, it sends back a defense packet
Name Query (p-node)
1. Unicast a name query request over UDP port 137 directly to the NBNS (WINS server) three times (waiting 250 ms each)
2. If the name is already registered, the NBNS sends back a defense packet
NetBIOS Session Service
• From RFC 1001: “A session is a reliable message exchange, conducted between a pair of NetBIOS applications. Sessions are full-duplex, sequenced, and reliable”
• CIFS uses the session service to send and receive all upper-layer commands, including file and printer operations
• The first step in any CIFS communication is to establish a NetBIOS session between client and server
Session Service Primitives
• Call: initiate a NetBIOS session
– Create a TCP connection and send a NetBIOS call packet containing the client’s NetBIOS name and the server’s NetBIOS name
• Listen: wait for a NetBIOS call command
– Mapped to a server listening on TCP port 139
• Hang up: end a NetBIOS session
– Mapped into TCP by initiating a TCP teardown sequence
• Send: send a message over a NetBIOS session
• Receive: receive a message from a NetBIOS session
• Session status: obtain information about the session
NetBIOS Datagram Service
• From RFC 1001: “The datagram service is an unreliable, non-sequenced, connectionless service”
• Used by NetBIOS applications as a fast, broadcast-capable, low-overhead method of transferring data
• Implemented on UDP port 138
• Every NetBIOS datagram packet adds a header containing the NetBIOS name and whether or not the NetBIOS datagram was fragmented to be sent via UDP
• The CIFS protocol standard does not implement the NetBIOS datagram service, but CIFS implementations typically use it for browsing
CIFS Properties
• CIFS allows file sharing between network nodes
• Client/server + request/response
– Allows multiple simultaneous requests by assigning a multiplex ID (MID) to each request
– The server replies with the same MID
• Command based
– Each packet contains a command field indicating the packet’s purpose, e.g. login, open a file, read from a file, or write to a file
– A CIFS packet contains a 1-byte command field, allowing 100+ commands
CIFS Properties (cont.)
• Protocol dialects/negotiation
– Allow different variants (dialects) of CIFS to communicate
– When a client wishes to access files on a remote server, the client sends a negotiate protocol packet containing a list of dialect strings that it is capable of understanding
– The server sends back a response indicating which dialect it wishes to use
SMB Variants (Dialects)
Ref: http://samba.anu.edu.au/cifs/docs/what-is-smb.html
CIFS Properties (cont.)
• User-level or share-level security
• User-level security
– A client wishing to access the share must provide a username and a password
– Used in Windows 2000 onwards
• Share-level security
– The share itself requires only a password; no username is required
– Used in Windows 95 and 98
CIFS Properties (cont.)
• Encryption
– The password entered is sent to the server in an encrypted format
– NTLM and LM
• Command batching
– Many CIFS packets are capable of piggybacking other CIFS packets to reduce latency and better utilize network bandwidth
– This technique is referred to as ANDX batching
CIFS Properties (cont.)
• Opportunistic locking (oplock)
– When a CIFS packet specifies opening a file, an oplock can be requested
– If granted by the server, no other entities can access the file
CIFS Packet Header
CIFS Operations
• Two common CIFS client/server packet exchanges:
– Client initiates contact with a server
– Client requests to open a file and read from it
Initial Contact, Login, and Tree Connect
Client → Server: Establish NetBIOS session
Server → Client: Positive NetBIOS session acknowledgement
Client → Server: Negotiate CIFS dialect
Server → Client: Choose CIFS dialect from the request list
Client → Server: User login
Server → Client: Indicate User ID, or return an error if bad password
Client → Server: Connect to a particular resource
Server → Client: Indicate Tree ID, or an error if the share name does not exist
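The negotiate step of this exchange, together with the 1-byte command field and the MID from the CIFS Properties slides, as an added example that is not part of the lecture: a small Python parser for the NetBIOS session header (TCP 139) and the CIFS (SMB1) header that pulls the dialect list out of a captured negotiate request and reports which offered dialects are legacy ones. The legacy-dialect watch list, the sample frame and the function names are this example's own assumptions.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72       # value of the 1-byte command field for "Negotiate Protocol"
SMB_FLAGS_REPLY = 0x80         # Flags bit 7: set on server replies
HEADER_FMT = "<BIBHH8x2xHHHH"  # SMB1 header fields after the 4-byte magic (28 bytes)
# Dialects older than NT LM 0.12; a constructed watch list for this example, not Microsoft's
LEGACY_DIALECTS = {"PC NETWORK PROGRAM 1.0", "LANMAN1.0", "LM1.2X002", "LANMAN2.1"}

def parse_session_frame(frame):
    """Split a NetBIOS session service frame (TCP 139): 1-byte type + 3-byte big-endian length."""
    msg_type, length = frame[0], int.from_bytes(frame[1:4], "big")
    payload = frame[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated session message")
    return msg_type, payload

def parse_smb_header(smb):
    """Decode the 32-byte CIFS header: command, status, flags and the TID/PID/UID/MID fields."""
    if len(smb) < 32 or smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    command, status, flags, flags2, pid_high, tid, pid_low, uid, mid = struct.unpack(HEADER_FMT, smb[4:32])
    return {"command": command, "status": status, "is_reply": bool(flags & SMB_FLAGS_REPLY),
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid, "body": smb[32:]}

def parse_negotiate_dialects(body):
    """Negotiate request body: WordCount (0), ByteCount, then 0x02-prefixed NUL-terminated strings."""
    if body[0] != 0:
        raise ValueError("unexpected WordCount in negotiate request")
    byte_count = struct.unpack_from("<H", body, 1)[0]
    data = body[3:3 + byte_count]
    return [e[1:].decode("ascii") for e in data.split(b"\x00") if e.startswith(b"\x02")]

def audit_negotiate(frame):
    """For a captured negotiate request, report its MID, the offered dialects and the legacy ones."""
    _, smb = parse_session_frame(frame)
    hdr = parse_smb_header(smb)
    if hdr["command"] != SMB_COM_NEGOTIATE or hdr["is_reply"]:
        return None
    dialects = parse_negotiate_dialects(hdr["body"])
    return {"mid": hdr["mid"], "dialects": dialects, "legacy": [d for d in dialects if d in LEGACY_DIALECTS]}

def build_negotiate_frame(dialects, mid=1, reply=False):
    """Constructed sample traffic: a minimal negotiate request (or reply-flagged) session frame."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(data)) + data
    flags = 0x18 | (SMB_FLAGS_REPLY if reply else 0)
    header = SMB_MAGIC + struct.pack(HEADER_FMT, SMB_COM_NEGOTIATE, 0, flags, 0xC853, 0, 0, 0x1234, 0, mid)
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb      # session message type 0x00

if __name__ == "__main__":
    sample = build_negotiate_frame(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"], mid=7)
    print(audit_negotiate(sample))
```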
File Open and Read
Client → Server: Open a file
Server → Client: Indicate File ID, or an error code if there is a problem
Client → Server: Read from a file
Server → Client: Return the file data requested
SMB and SAMBA
• SAMBA is a project established to provide free implementations of the SMB protocol for various platforms.
• The SAMBA project has had to "reverse engineer" the protocols and continues to work in this manner in order to keep the software free.
• Despite having released a version of SMB to the X/Open organization, Microsoft continues to develop the protocol as a proprietary protocol, and details of some of the more recent versions have not been made freely available.
Null User Overview
• At the core of the Windows authentication scheme lies the 'User' administrative unit.
• When we create users, we assign them rights, privileges, and policy restrictions to define what they can and can't do on our networks.
• But in addition to the standard User, Windows supports a special type of user called the 'Null' user, which is basically a pseudo-account that has no username or password, but is allowed to access certain information on the network
• Some MS OSes and services used to require that you utilize the null user in order to operate properly
Null User Overview (cont.)
• Null user can enumerate account names and shares on domain controllers, member servers, and workstations alike.
• Therefore this null user, a user with no credentials, can be used to glean a tremendous amount of information from your network without raising any eyebrows
Null User Overview (cont.)
• Microsoft's System Management Server uses the null user to enumerate shares during discovery.
• Even the mundane action of starting an NT workstation or server creates an initial null user logon to one of your domain controllers after its NetBIOS name is successfully registered (before you get the Ctrl + Alt + Delete logon prompt)
• The System account uses the null user to get to remote resources
NetBIOS Enumeration
• Null sessions allow users to communicate via NetBIOS in order to query any server as the null user
• If this occurs, users can enumerate shares, users, groups, permissions, and policies. They can probably brute force their way into the network
• Many tools can be used to enumerate different aspects of a Windows server
enum
• enum is a console-based Win32 information enumeration utility.
• Using null sessions, enum can retrieve userlists, machine lists, sharelists, namelists, group and member lists, password and LSA policy information.
• enum is also capable of a rudimentary brute force dictionary attack on individual accounts.
Ref: http://www.cotse.com/tools/netbios.htm
enum (cont.)
Screenshot annotations: no limit on the number of logon attempts; get user list; get password policy
enum (cont.)
Screenshot annotation: dictionary attack
Exploiting the IPC$ Share
• Windows has hidden administrative shares whose names end with $ (e.g. C$, ADMIN$, IPC$). The system omits these shares from any request for the enumeration of shares
• The Interprocess Communication (IPC$) share is necessary to make systems work properly
• IPC$ is used for data sharing between processes
• In old versions of Windows (especially NT), users can exploit the use of IPC$ and other hidden shares through a null session
• Once connected, the user may use the net view and net use commands to browse and connect to the hidden shares on a machine
Exploiting the IPC$ Share (cont.)
winfo
C:\winfo\winfo 192.168.1.1 -v -n
Screenshot annotations: -n establishes a null session before dumping data; -v is verbose
Other NetBIOS Issues
• An attacker can generate a fake packet to deny a host joining the network
• Many vulnerabilities have been fixed in new Windows OSes, but several organizations still have legacy systems
• Thus, these types of NetBIOS vulnerabilities still exist
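For the name registration and name query exchanges described in the NetBIOS Name Service slides, and the fake-packet denial noted just above, an added example that is not taken from the lecture: Python that decodes NBNS packets on UDP 137 (first-level name encoding, opcode, and the defense packet as a negative registration response carrying RCODE ACT_ERR) and, from a list of captured packets, reports any source that "defends" many different names, which is what a spoofed denial of registrations looks like on the wire. The sample packets, the threshold and the function names are this example's own assumptions.

```python
import struct
from collections import defaultdict

OPCODE_QUERY, OPCODE_REGISTRATION = 0x0, 0x5
RCODE_ACT_ERR = 0x6                     # "active error": the name is owned by another node
FLAG_RESPONSE, FLAG_AA, FLAG_RD, FLAG_B = 0x8000, 0x0400, 0x0100, 0x0010
NB_TYPE, IN_CLASS = 0x20, 0x01

def encode_nb_name(name, suffix=0x00):
    """First-level encoding (RFC 1001): pad the name to 15 characters, append the suffix
    byte, then write each nibble of each byte as the letter 'A' + nibble (32 letters)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    letters = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return b"\x20" + letters + b"\x00"          # label length 32, letters, root label

def decode_nb_name(encoded):
    """Inverse of encode_nb_name; returns (name, suffix)."""
    body = encoded[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def parse_nbns(pkt):
    """Decode the 12-byte NBNS header, the first name, and the NB_ADDRESS where present."""
    trn_id, flags, qd, an, ns, ar = struct.unpack_from(">6H", pkt, 0)
    name, suffix = decode_nb_name(pkt[12:46])
    info = {"trn_id": trn_id, "response": bool(flags & FLAG_RESPONSE), "opcode": (flags >> 11) & 0xF,
            "broadcast": bool(flags & FLAG_B), "rcode": flags & 0xF, "name": name,
            "suffix": suffix, "addr": None}
    if info["response"] and an:        # answer RR: name(34) type class ttl rdlen nb_flags addr
        info["addr"] = ".".join(str(b) for b in pkt[58:62])
    elif info["opcode"] == OPCODE_REGISTRATION and ar:   # question(38), then RR via 2-byte name pointer
        info["addr"] = ".".join(str(b) for b in pkt[64:68])
    return info

def classify(info):
    """Packet type label; the defense packet is a negative name registration response."""
    if info["opcode"] == OPCODE_REGISTRATION and info["response"]:
        return "defense packet" if info["rcode"] == RCODE_ACT_ERR else "positive registration response"
    kind = {OPCODE_REGISTRATION: "registration", OPCODE_QUERY: "query"}.get(info["opcode"], "other")
    return "name %s %s" % (kind, "response" if info["response"] else "request")

def find_defense_floods(packets, threshold=3):
    """packets: iterable of (src_ip, udp_payload). A host legitimately defends only its own
    few names; a source defending more than `threshold` distinct names is reported."""
    defended = defaultdict(set)
    for src, pkt in packets:
        info = parse_nbns(pkt)
        if classify(info) == "defense packet":
            defended[src].add(info["name"])
    return {src: sorted(names) for src, names in defended.items() if len(names) > threshold}

def build_registration_request(name, ip, trn_id=1):
    """Constructed b-node registration request (flags 0x2910) used as sample traffic."""
    hdr = struct.pack(">6H", trn_id, (OPCODE_REGISTRATION << 11) | FLAG_RD | FLAG_B, 1, 0, 0, 1)
    question = encode_nb_name(name) + struct.pack(">HH", NB_TYPE, IN_CLASS)
    rr = b"\xC0\x0C" + struct.pack(">HHIHH", NB_TYPE, IN_CLASS, 300000, 6, 0) + bytes(map(int, ip.split(".")))
    return hdr + question + rr

def build_defense_packet(name, owner_ip, trn_id=1):
    """Constructed negative name registration response sent by the current name owner."""
    flags = FLAG_RESPONSE | (OPCODE_REGISTRATION << 11) | FLAG_AA | FLAG_RD | RCODE_ACT_ERR
    hdr = struct.pack(">6H", trn_id, flags, 0, 1, 0, 0)
    rr = encode_nb_name(name) + struct.pack(">HHIHH", NB_TYPE, IN_CLASS, 0, 6, 0) + bytes(map(int, owner_ip.split(".")))
    return hdr + rr
```

Feeding real UDP/137 payloads into find_defense_floods gives the same report; the threshold should be tuned to how many names (workstation, group, service suffixes) a host on the LAN legitimately owns.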
Sniffing Encrypted Traffic
• Obfuscation
– Some schemes utilize encryption and others use a one-way function
– Make it difficult to intercept a transmission of a message and retrieve its content
• Base64 encoding
– Not suitable for data protection (confidentiality)
– No shared key between the encode and decode functions
Sniffing Encrypted Traffic (cont.)
• XOR encryption
– Uses a shared key, providing more protection
Sniffing Encrypted Traffic (cont.)
• Message digest
– MD5 and SHA-1
– Not an encryption algorithm
– The premise for using digests and hashes is to make it difficult for a collision to occur: it is computationally infeasible to reproduce identical digests/hashes from different inputs
– Most commonly used to obfuscate passwords
– Vulnerable to brute-force and rainbow table attacks
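The three obfuscation levels from these Sniffing Encrypted Traffic slides, as an added example that is not from the lecture: Base64 (reversible with no key at all), repeating-key XOR (reversible by anyone holding the shared key, with the known-plaintext caveat that the key stream is exposed wherever an observer knows the plaintext), and an unsalted MD5 digest next to the salted, iterated PBKDF2 form that addresses the brute-force and rainbow-table weakness the slide names. The function names, the iteration count and the sample inputs are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os

def base64_encode(data: bytes) -> bytes:
    """Base64 is an encoding, not encryption: no key exists, so anyone who captures
    the transmission reverses it with base64_decode."""
    return base64.b64encode(data)

def base64_decode(encoded: bytes) -> bytes:
    return base64.b64decode(encoded)

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encrypts and decrypts, so the protection is
    exactly as good as the secrecy of the shared key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def keystream_from_known_plaintext(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Caveat: c ^ p == k, so wherever an observer knows the plaintext the key stream is
    exposed; a static shared key therefore must never protect predictable data."""
    return xor_with_key(ciphertext, plaintext)  # key index i % len(plaintext) == i here

def md5_digest(password: str) -> str:
    """Unsalted fast digest as on the slide: one-way, but deterministic and cheap, so equal
    passwords share a digest and precomputed tables or fast guessing apply."""
    return hashlib.md5(password.encode()).hexdigest()

def store_password(password: str, salt: bytes = None, iterations: int = 100_000) -> tuple:
    """Mitigation: a per-user random salt defeats shared rainbow tables and the PBKDF2
    iteration count makes each brute-force guess expensive. Returns (salt, hex digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()

def verify_password(password: str, salt: bytes, stored_hex: str, iterations: int = 100_000) -> bool:
    """Constant-time comparison of a login attempt against the stored salted digest."""
    _, candidate = store_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_hex)
```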
Kerberos
Attacking Kerberos
• The key for communications between the client (C) and the Authentication Server (AS) is derived from the user’s password
• Windows computes a one-way function (OWF) against the password to generate the key
• If the hash value is known, we can run a dictionary attack against the key (a known-ciphertext attack)
• The security of Kerberos depends on how strong the password is
Attacking Kerberos (cont.)
Screenshot annotation: hashed password
Attacking Kerberos (cont.)
• Run Kerbsniff, a command-line utility to capture AS-REQ value to a text file
Attacking Kerberos (cont.)
• Run Kerbcrack on the hashed password to recover the password
Screenshot annotations: dictionary attack; input file
Attacking Weak Protection Schemes
• It is often said that data protection requires strong cryptographic algorithms that can resist a dictionary or brute-force attack
• However, much of the problem lies in selecting weak passwords
• A weak protection scheme reduces the effort an attacker must make once the hash value is known
John the Ripper
Download from http://www.openwall.com/john/
Questions?
Next week: Application Layer Security