Network Attacks and Defenses: A Hands-on Approach

Zouheir Trabelsi, Kadhim Hayawi, Arwa Al Braiki, Sujith Samuel Mathew

CRC Press, Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2013 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20120827
International Standard Book Number-13: 978-1-4665-1797-4 (eBook - PDF)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use.
The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Introduction  xxv

1 Switch’s CAM Table Poisoning Attack  1
  1.1 Introduction  1
  1.2 Lab Exercise 1.1: Switch’s CAM Table Poisoning  3
    1.2.1 Outcome  3
    1.2.2 Description  3
    1.2.3 Experiment  5
      1.2.3.1 Step 1: Assign Static IP Addresses to the Network Hosts  5
      1.2.3.2 Step 2: View the Contents of the CAM Table  6
      1.2.3.3 Step 3: Generate a Malicious Packet to Corrupt the CAM Table  8
      1.2.3.4 MAC Flood Attack for Traffic Sniffing  9
  1.3 Lab Exercise 1.2: Prevention of CAM Table Poisoning Attack  10
    1.3.1 Outcome  10
    1.3.2 Description  10
    1.3.3 Experiment  11
      1.3.3.1 Step 1: Assign Static IP Addresses to the Network’s Hosts  11
      1.3.3.2 Step 2: Configure the Restrict Mode Security Port in the Switch  11
      1.3.3.3 Step 3: Generate a Malicious Packet to Corrupt the CAM Table  12
      1.3.3.4 Step 4: Configure the Shutdown Mode Security Port in the Switch  14
  1.4 Chapter Summary  15

2 ARP Cache Poisoning-Based MiM and DoS Attacks  17
  2.1 Introduction  17
    2.1.1 Address Resolution Protocol (ARP)  17
    2.1.2 ARP Cache  18
  2.2 Lab 2.1: ARP Cache Poisoning Attack  20
    2.2.1 Outcome  20
    2.2.2 Description  20
    2.2.3 Static ARP Cache Update  21
    2.2.4 Experiment  25
      2.2.4.1 Network Architecture  25
      2.2.4.2 Step 1: Assign Static IP Addresses to the Network’s Hosts  26
      2.2.4.3 Step 2: View the ARP Caches of the Hosts  26
      2.2.4.4 Build a Malicious ARP Request Packet to Corrupt a Target Host’s ARP Cache  26
  2.3 Lab 2.2: DoS Attack Based on ARP Cache Poisoning  28
    2.3.1 Outcome  28
    2.3.2 DoS Attack Based on ARP Cache Poisoning  28
    2.3.3 Experiment  30
      2.3.3.1 Step 1: Assign Static IP Addresses to the Network’s Hosts  30
      2.3.3.2 Step 2: View Host A’s ARP Cache  30
      2.3.3.3 Step 3: Build the Malicious ARP Request Packet  31
      2.3.3.4 Step 4: Test the DoS Attack  32
  2.4 Lab 2.3: MiM Attack Based on ARP Cache Poisoning  33
    2.4.1 Outcome  33
    2.4.2 MiM Attack Based on ARP Cache Poisoning  33
    2.4.3 Experiment  36
      2.4.3.1 Step 1: Assign Static IP Addresses to the Network’s Hosts  37
      2.4.3.2 Step 2: Enable IP Routing at Host C  37
      2.4.3.3 Step 3: View the ARP Caches of Host A and Host B  39
      2.4.3.4 Step 4: Build Two Malicious ARP Request Packets  39
      2.4.3.5 Step 5: Test the MiM Attack  41
      2.4.3.6 Step 6: Sniff and Analyze the Traffic between Hosts A and B  41
  2.5 Chapter Summary  44

3 Abnormal ARP Traffic Detection and Prevention  45
  3.1 Introduction  45
  3.2 Abnormal ARP Packets  46
  3.3 Experiments  51
    3.3.1 Cross-Layers ARP Inspection  55
    3.3.2 ARP Stateful Inspection  55
    3.3.3 ARP Request Storm and ARP Scan  56
      3.3.3.1 ARP Request Storm  56
      3.3.3.2 ARP Scan  56
    3.3.4 Experimental Results Analysis  57
  3.4 Lab 3.1: Abnormal ARP Traffic Detection  58
    3.4.1 Outcome  58
    3.4.2 XArp 2 Detection Tool  58
    3.4.3 Experiment  59
      3.4.3.1 Network Architecture  59
      3.4.3.2 Step 1: Assign Static IP Addresses to the Network’s Hosts  60
      3.4.3.3 Step 2: Install the XArp 2 Tool  60
      3.4.3.4 Step 3: Configure a SPAN Port in the Cisco Switch  61
      3.4.3.5 Step 4: Generate and Detect Abnormal ARP Packets  61
  3.5 Lab 3.2: Abnormal ARP Traffic Prevention Using Dynamic ARP Inspection for a Non-DHCP Network Environment  69
    3.5.1 Outcome  69
    3.5.2 Dynamic ARP Inspection  69
    3.5.3 Experiment  70
      3.5.3.1 Network Architecture  70
      3.5.3.2 Step 1: Assign Static IP Addresses to the Network’s Hosts  71
      3.5.3.3 Step 2: Configure Dynamic ARP Inspection for a Non-DHCP Environment in a Cisco Catalyst 3560 Switch  71
      3.5.3.4 Step 3: Generate and Prevent Abnormal ARP Packets  74
  3.6 Lab 3.3: Abnormal ARP Traffic Prevention Using Dynamic ARP Inspection and DHCP Snooping for a DHCP Environment  82
    3.6.1 Outcome  82
    3.6.2 DHCP Snooping  82
    3.6.3 Experiment  83
      3.6.3.1 Network Architecture  83
      3.6.3.2 Step 1: Enable DHCP Snooping  84
      3.6.3.3 Step 2: Configure Dynamic ARP Inspection for a DHCP Environment  85
      3.6.3.4 Step 3: Generate and Prevent Abnormal ARP Packet  86
  3.7 Chapter Summary  88

4 Network Traffic Sniffing and Promiscuous Mode Detection  89
  4.1 Introduction  89
  4.2 Lab 4.1: Promiscuous Mode Detection  94
    4.2.1 Outcome  94
    4.2.2 Description  94
    4.2.3 Tests  95
    4.2.4 Promiscuous Mode Detection Tools  101
    4.2.5 Experiment  103
    4.2.6 Network Architecture  103
    4.2.7 Experiment  103
      4.2.7.1 Step 1: Assign Static IP Addresses to the Network’s Hosts  103
      4.2.7.2 Step 2: Run Host B’s NIC in Promiscuous Mode  104
      4.2.7.3 Step 3: Generate Trap ARP Request Packets  104
      4.2.7.4 Step 4: Analyze the ARP Response Packets  106
    4.2.8 Wireless Network Sniffing  110
      4.2.8.1 WEP Key Cracking and Network Traffic Decryption  111
  4.3 Chapter Summary  116

5 IP-Based Denial-of-Service Attacks  117
  5.1 Introduction  117
    5.1.1 Distributed Denial-of-Service (DDoS) Attack  118
  5.2 Lab 5.1: Land Attack  120
    5.2.1 Outcome  120
    5.2.2 Description  120
    5.2.3 Experiment  120
      5.2.3.1 Step 1: Configure the Network Interfaces in the Juniper Networks Device  121
      5.2.3.2 Step 2: Set the Security Policies (Filtering Rules)  122
      5.2.3.3 Step 3: Enable Protection against the Land Attack  122
      5.2.3.4 Step 4: Build Land Attack Packets  123
      5.2.3.5 Step 5: Sniff the Generated Traffic  124
      5.2.3.6 Step 6: View Results in the Log File of the Juniper Networks Device  125
  5.3 Lab 5.2: SYN Flood Attack  126
    5.3.1 Outcome  126
    5.3.2 Description  126
    5.3.3 Experiment  127
      5.3.3.1 Step 3: Enable Protection against the SYN Flood Attack  128
      5.3.3.2 Step 4: Build SYN Flood Attack Packets  128