1. Computer & Network Hacker Exploits Step-by step Part 2

3. IP Fragmentation Attacks

5. Attacker Firewall IP=10.1.1.1 IP=10.2.1.10 Port 80 Port 23 IDS Penetration – IP Fragments Server

7. tcp ip ip Normal IP Fragmentation Penetration – IP Fragments To support different transmission media, IP allows for the breaking up of single large packets into smaller packets, called fragments. The higher‑level protocol carried in IP (usually TCP or UDP) is split up among the various fragments. ip tcp ip tcp ip tcp ip tcp ip tcp ip tcp

8. Tiny Fragment Attack Penetration – IP Fragments tcp ip ip Make a fragment small enough so that the TCP header is split between two fragments. The port number will be in the second fragment. ip tcp ip tcp ip tcp ip tcp ip tcp ip tcp ip

11. Attacker Firewall IDS Penetration – IP Fragments Fragment 1 (part of tcp header) Fragment 2(rest of tcp header) Tcp port unknown All IP fragments are re-assembled Server ip tcp ip tcp

13. Attacker Firewall IDS Penetration – IP Fragments Fragment 1 (Packet is for port 80) Tcp port 80. OK! All IP fragments are re-assembled Fragment Overlap attack ‑ In the second fragment, lie about the offset from the first fragment. When the packet is reconstructed at the protected server, the port number will be overwritten. Fragment 2 (Packet says is for port 80), however, I have an offset, say 12, and After overlaying, the TCP header will read port 23! Second IP fragment was just a fragment of the first. That is OK too! Server ip tcp ip tcp

16. Sniffers

19. HUB Blah, blah , blah Blah, blah , blah Blah, blah , blah Blah, blah , blah BROADCAST ETHERNET

20. HUB Blah, blah , blah Blah, blah , blah Blah, blah , blah Blah, blah , blah BROADCAST ETHERNET

21. SWITCH Blah blah blah Blah, blah , blah SWITCHED ETHERNET

28. Session Hijacking HUNT

31. Alice Eve Alice telnets to do some work.. Eve is on a segment of the lan where she can sniff, or on a point in the path. Bob

32. Alice Eve Alice telnets to do some work.. Attacker can monitor and generate packets with the same sequence number. “ Hi, I am Alice” Eve uses a session hijacking tool to observe the session. at Eve's command, the session hijacking tool jumps in and continues the session with Bob. Attacker can kick Alice off and make any changes on B. The logs will show that Alice made the changes Bob

33. Alice Eve Session Hijacking: Ack Storms If the attacker just jumps in on a session, starting to spoof packets, the sequence numbers between the two sides will get out of synch As the two sides try to resynchronize, they will resend SYNs and ACKs back and forth trying to figure out what's wrong, resulting in an ACK storm SYN (A, SNa) ACK (SNb) SYN (B, SNb) ACK (SLNa) SYN(A,Sna) ACK(SNb) Bob

37. Alice Eve MAC=CC.CC “ ARP w.x.y.z is at DD.DD” “ ARP a.b.c.d is at EE.EE” Ip=w.x.y.z MAC=BB.BB Ip=a.b.c.d MAC=AA.AA Eve send a Gratuitous ARP broadcast message Bob

43. Domain Name System (DNS) Cache Poisoning

45. www.ebay.com www.ebay.com www.ebay.com www.ebay.com Client Local Nameserver Root Name Server .com Name Server ebay.com Name Server Referral to .com Referral to ebay.com The Answer! 216.32.120.133 Clients use a "resolver" to access DNS servers Most common DNS server is BIND, Berkeley Internet Name Domain DNS servers query each other

48. Alice, a happy bank customer Evil Attacker Dns.bank.com name server Alice wants to access. Dsn.good.com Alice’s unsuspecting DNS Server Dns.evil.com, Evil’s DNS server owned by evil www.bank.com, Alice’s online bank.

49. DNS Cache Poisoning Alice Dsn.good.com Evil Dns.evil.com www.bank.com Dns.bank.com STEP 1: Any.evil.com STEP 2: Any.evil.com STEP 3: store the query ID

50. DNS Cache Poisoning Alice Dsn.good.com Evil Dns.evil.com www.bank.com Dns.bank.com STEP 4: www.bank.com STEP 6: Spoofed ans: www.bank.com=w.x.y.z STEP 5: www.bank.com STEP 7: www.bank.com= w.x.y.z

51. DNS Cache Poisoning Alice Dsn.good.com Evil Dns.evil.com www.bank.com Dns.bank.com STEP 8: www.bank.com? In Cache: www.bank.com= w.x.y.z STEP 9: w.x.y.z STEP 10: Let’s Bank!!!!

55. Rootkits