Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
CCNA Security 210-260 Certification Guide

You're reading from   CCNA Security 210-260 Certification Guide Build your knowledge of network security and pass your CCNA Security exam (210-260)

Arrow left icon
Product type Paperback
Published in Jun 2018
Publisher Packt
ISBN-13 9781787128873
Length 518 pages
Edition 1st Edition
Tools
Arrow right icon
Authors (3):
Arrow left icon
Glen D. Singh Glen D. Singh
Author Profile Icon Glen D. Singh
Glen D. Singh
Vijay Anandh Vijay Anandh
Author Profile Icon Vijay Anandh
Vijay Anandh
Michael Vinod Michael Vinod
Author Profile Icon Michael Vinod
Michael Vinod
Arrow right icon
View More author details
Toc

Table of Contents (19) Chapters Close

Preface 1. Exploring Security Threats FREE CHAPTER 2. Delving into Security Toolkits 3. Understanding Security Policies 4. Deep Diving into Cryptography 5. Implementing the AAA Framework 6. Securing the Control and Management Planes 7. Protecting Layer 2 Protocols 8. Protecting the Switch Infrastructure 9. Exploring Firewall Technologies 10. Cisco ASA 11. Advanced ASA Configuration 12. Configuring Zone-Based Firewalls 13. IPSec – The Protocol that Drives VPN 14. Configuring a Site-to-Site VPN 15. Configuring a Remote-Access VPN 16. Working with IPS 17. Application and Endpoint Security 18. Other Books You May Enjoy

Introduction to an attack

An attack is the process of attempting to steal data, destroy data, gain unauthorized access to a device, or even shut down/disable a system, preventing legitimate users from accessing the resources. An attack can be local, where a malicious user has physical access to the system and either executes a malicious payload or is attempting to gain access into the device. A remote attack requires the malicious user to send a payload over a network connection to the victim device in the hope that the attack would be successful and it would either gain control of the victim device or cause service interruptions (denial of service).

Attacks are mainly distinguished as either:

  • Passive attacks
  • Active attacks

Passive attacks

In a passive attack, the attacker is considered to be in a learning (monitoring) state to understand the details about the potential victim's device, how it performs and operates. This allows the attacker to have a better attack strategy. An example of a passive attack is where an attacker is sniffing the network traffic between a victim machine and its default gateway.

Types of passive attack:

  • Sniffing: Capturing packets unknown to users on the network. The goal is to obtain any sensitive information sent across the network.
  • Port scanning: Checking for open TCP and UDP ports. This will aid the attacker in determining the services running on the target/victim machine.

Active attacks

In an active attack, the attacker may have already done enough reconnaissance on the target device and is ready to execute its exploit against the victim. Sometimes, the attack can be a direct attack, meaning the exploit is sent from the attacker's machine to the target, or an indirect attack, where the attacker compromises another machine, making it a zombie, and using the zombie to pivot all the attacks through it. Therefore, the zombie would seem to be the attacker machine from the view of the victim.

Examples of active attacks include:

  • Denial of Service: This attack focuses on exhausting the resources of a system, therefore legitimate users are not given access to the resource
  • Botnet: The attacker sets up a Command and Control (CnC) server to control all its infected machines (zombies) to carry out malicious activities

Spoofing attacks

In a spoofing attack, the attacker uses false information to pretend to be a legitimate or authorized user/machine. When an attacker attempts to exploit a system or deliver a payload, they have to try to trick the user into falling victim to the attack. Sometimes, changing the source IP address and source MAC address of the packets originating from the attacking machine may trick the potential victim into thinking it's from a legitimate user and may disguise the attack's origins.

Internet protocol – the heart of internet communication

Internet Protocol (IP) is a connection protocol that exists at the Network layer (layer 3) of the Open Systems Interconnection (OSI) reference model. Internet protocol is used to assist routers or any layer 3 devices to forward packets to their corresponding destinations. One main characteristic of internet protocol is its nature of being a connectionless protocol, which means it provides delivery using best effort and is not guaranteed to be delivered to the recipient. Since IP is said to be connectionless, it depends on the upper layers to assist with the delivery of data. The layer above the Network layer is known as the Transport layer. There are two sub protocols, which are used primarily for delivery; these are known as the User Datagram Protocol (UDP) and the Transmission Control Protocol (TCP). An IP packet contains the following: source and destination IP addresses, version (IPv4 or IPv6), Time to Live (TTL) value, protocol (TCP, UDP, or ICMP), and flags.

It is through the forging of this source address that hackers are able to break into the network and mislead communication between the source and the destination. Almost all networks use routers as intermediate devices for the transmission of data. When the data is sent via routers, they identify the destination IP address from the header of the IP datagram to forward the packets to that destination. The source address is ignored by the routers. The source address is used only by the destination machine when a reply is sent back for the received packets.

How is an IP datagram spoofed?

In an IP packet/datagram, the header contains the addressing information, such as the sender's source and the destination's IP address. An IP packet is usually unencrypted, therefore if someone is sniffing the traffic between the sender and the receiver, the contents of the packet and its header information are captured. A malicious user or an attacker can modify the IP address on the IP packets originating from the attacker machine, making it seem to originate from somewhere else, which is known as IP spoofing. It tricks a potential victim into believing the IP packet came from a legitimate or trusted source, but is actually from a malicious user. The operating system has no way of determining whether the IP addresses actually belong to the legitimate machine or not. When the internet protocol was built, security was not a concern at the time, hence IP lacks security features.

There are different types of spoofing attacks:

  • Address Resolution Protocol spoofing
  • DNS spoofing

IP spoofing

Using the following scenario, an attacker sends a specially crafted packet to the web server (200.1.1.1). Within the IP header of the specially crafted packet, it has a source IP address of 203.155.182.1, which belongs to the potential victim machine and not the real IP address of the attacker. When the web server receives the packet and has to respond, it sees the sender's IP address is 203.155.182.1 and sends its response to the victim machine instead of the attacker:

Attackers primarily use IP spoofing as a technique to bypass any filters, access lists, or even security appliances that act as countermeasures for spoofing attacks. The goal is to find a way into a network by tricking the system into believing it's a legit packet.

In this method, the attacker creates IP packets with a fake source IP address to hide the identity of the sender. Attackers use IP spoofing to overcome security measures, such as authentication-based IP networks. Attackers use randomly chosen IP address and spoof the original IP address to perform the DoS attack.

When two computers communicate, information about the IP address is placed on the source field of the packet. In an IP spoofing attack, the source IP address in the packet is not the original IP address of the source computer. By modifying the source IP address, the original sender can make the victim machine think the message originated from another source and therefore the sending machine or the attacker will be protected from being tracked.

Various options where IP spoofing can be used:

  • Scanning
  • Hijacking an online session
  • Flooding

Scanning

Scanning is a process in which a malicious user sends probes to a victim machine to determine TCP/UDP open ports, the type of operating system and version, services running on the victim machine, and vulnerabilities:

During the scanning phase, the attack may notice whether port 80 is open or not on the target device. If port 80 is open, we can determine there is a web server daemon running on the target device. The attacker can then use the Telnet protocol to perform banner-grabbing on the victim using port 80 as the destination port. This will determine the type and version of the web server, whether it's Microsoft IIS, Apache, or even nginx. Knowing this information will aid the attacker in fine-tuning their payload for the target device.

Hijacking an online session

In a session hijacking attack, an attacker can capture the cookie from a user who has logged on to a website and uses data found inside the cookie to also log on to the same website without having to enter a username and password combination. This would allow the attacker to gain access to the user (victim) account details.

The cookie can be captured using either sniffing or man-in-the-middle (MITM) attacks.

Flooding

In a flooding attack, the attacker sends unsolicited packets to the target continuously until the target is overwhelmed. The target will need to process each packet it receives, but due to the high influx of packets received, the target would eventually be unable to respond to a legitimate request from users or perform any further action.

ARP spoofing attacks

In an ARP spoofing attack, the attacker tries to map the MAC address with the IP address of a victim. The attacker can then intercept, steal, or delete the data. An ARP spoofing attack targets the nodes, layer 2 switches, and routers by disturbing the ARP caches of the connected systems:

Hosts A, B, and C are connected to the switch. Host A broadcasts a request (ARP) asking for the MAC address of host B, after host A sends data to host B. The switch receives the broadcast and forwards the request, and when host B receives the ARP request, it fills the ARP cache with the ARP entry and the IP address of host A (10.1.1.1 ) and the MAC address of A (aaaa.aaaa.aaaa.aaaa). When host B replies, host A fills their ARP cache with the IP address of host B (10.1.1.2) and the MAC address of B (bbbb.bbbb.bbbb.bbbb). At the same time, host C tries to poison the ARP cache of hosts A and B by sending some fake ARP messages with the IP address of B and the MAC address of host C (cccc.cccc.cccc.cccc).

Now the ARP cache is poisoned and it uses the destination MAC address of host C (cccc.cccc.cccc.cccc) for the traffic intended for host B. The attacker on host C interrupts the traffic flow between host A and host B, as host C knows the MAC addresses of host A and host B.

Mitigating ARP spoofing attacks

ARP attacks cannot be mitigated straightforwardly; however, proactive measures can be taken against ARP-cache poisoning on your network.

Statically mapping the MAC addresses to the IP address is one approach against the unsolicited dynamic ARP requests sent by an attacker. You can see the ARP cache of a Windows system by simply opening a Command Prompt and typing the arp -a command, as shown:

In situations where network arrangements do not change often, static ARP entries can still be used. This will guarantee that devices will depend on their local ARP cache, as opposed to depending on ARP requests and responses:

  • Monitoring ARP traffic: The other method of protecting against the ARP cache is monitoring the network traffic of hosts. This should be possible with a couple of interruption-based identification frameworks and utilities.
  • Dynamic ARP inspection: This is one of the security features that verifies the ARP packet. Dynamic ARP inspection verifies, stores log information, and rejects all the invalid ARP bindings. Dynamic ARP inspection will be explained in more depth in the following chapters.
You have been reading a chapter from
CCNA Security 210-260 Certification Guide
Published in: Jun 2018
Publisher: Packt
ISBN-13: 9781787128873
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime