Sunday, September 27, 2015

Are physical cables attacks practical?

Is it practical to carry out an attack that requires physical access to a cable?

It is extremely practical, depending on the value of the target or the ease of access. Practicality is based on cost versus reward, just as risk is based on value versus likelihood. CISSP resources discuss qualitative assessments for computing risk, where a damage ranking is low, medium, or high. (Gregg, 2005) Using a response based on those rankings, a data integrity or confidentiality attack would represent a high reward for an attacker. Since the yield value is high, a high cost can be invested in it. According to Mandiant, remote attackers persist in an infected network for over two hundred days before detection. (Mandiant, 2014) The physical cable attack by the United States under the Sea of Okhotsk lasted for most of the 1970s, until its existence was exposed to the Soviets by a defector. (Drew & Drew, 2008) Ronald Pelton was the spy who turned over that tap to the Soviets, and the tap was collected in 1981. (Warner, 2012) What is a mere 200 days of information if an attacker can suck up data for a decade?

Who might exploit a physical access attack?

  • Random individual (in the accidental case)

  • Disgruntled insider (or former employee)

  • Financially-motivated criminals

  • (Maybe) ideologically-motivated actors ("terrorists")

  • (Or even) state-sponsored professionals ("spies") (Sauver, 2011, p5)

On the spy side, the United States carried out another instance of this sort of attack against East Germany with the CIA in Operation REGAL. (NSA, 1988) A tunnel was dug to grant access to telecommunications lines and a physical layer tap was applied. In pop culture, ideologically motivated attackers demonstrated the value of a physical attack when a hacker social-engineered his way into a secure storage facility and spliced a Raspberry Pi system into the network, which used a wireless card to provide a remote access backdoor. (Giles, 2015)

On the denial of service side, the ease of the attack once access is available means that it can be combined with other attacks. In 1969 the ritualistic murder of Sharon Tate by the Charles Manson family was accompanied by cutting the phone line. (Gardella, 1969) It is both effective and cheap, which has led to it being a staple in pop culture across many mediums. (TVTropes, n.d.)

When considering that cleaning jobs and private building security jobs are fairly low paid, getting hired or paying off an existing worker would not be much of a stretch for a motivated attacker. (PayScale, 2015) If the attacker is a disgruntled insider then they already have convenient access to cabling and time to plan and carry out the act, so pretty much all of the 'practicality' of the attack is already free.

Drew, C., Sontag, S., & Drew, A. L. (2008). Blind Man's Bluff: The Untold Story of American Submarine Espionage. PublicAffairs.

Gardella, K. (1969, August 10). Actress and 4 slain in ritual. Sunday News. Retrieved September 27, 2015

Giles, M. (2015). Mr. Robot Recap: Casualties in Every Revolution. Vulture. Retrieved September 27, 2015 from

Gregg, M. (2005, October 28). Risk Assessment. Pearson. Retrieved September 27, 2015 from

Mandiant. (2014). Beyond the Breach. M Trends. Retrieved September 27, 2015 from

NSA. (1988). Operation REGAL: The Berlin Tunnel. National Security Agency. Retrieved September 27, 2015 from

PayScale. (2015). Maid or Housekeeping Cleaner Salary. Retrieved September 27, 2015 from

Sauver, J. (2011). Physical Security of Advanced Network and Systems Infrastructure. Internet2. Retrieved September 27, 2015 from

TVTropes. (n.d.) Cut Phone Lines. Retrieved September 27, 2015 from

Warner, M. (2012). Cybersecurity: a pre-history. Intelligence and National Security, 27(5), 781-799.

Thursday, September 24, 2015

SNMP Enumeration

Discuss/describe the port scanning and/or enumeration techniques (attacks) not covered in Module 2.

How can the attacks you have described be detected and prevented?

Enhance and elaborate on the port scanning and/or enumeration techniques (attacks) covered in Module 2.

Share any additional thoughts you may have on them and explain how they can be detected and/or prevented.

A legacy protocol for performing network management, dating back to RFC 1067 from 1988, is the Simple Network Management Protocol. (Case, Fedor, Schoffstall, & Davin, 1988) Because the goals of this protocol were to be low in cost to develop the management software, be remotely accessible, impose few restrictions on the form of management tools, and be simply understood by developers, SNMP does succeed in being simple. (Case, Fedor, Schoffstall, & Davin, 1990) This caused SNMP to become highly utilized for its ease of use for network management of "routers, switches, hubs, prints, workstations, and servers." (Jiang, 2002, p2)

SNMP network agents receive communication and commands from the management tool over UDP 161, and send asynchronous traps on UDP 162. (Jiang, 2002) Thus, these devices can be detected through the UDP scanning covered in Module 2: agents on port 161 and management devices on port 162. Once a device is located, vulnerabilities in the protocol and in the device's implementation can be leveraged to perform the next layer of enumeration and potential attacks. Because SNMP is layered on UDP, agents and management systems have to accept requests or traps without the protection of a previously established or authenticated session. (Jiang, 2002) There is a single shared secret, the SNMP community name, which both identifies the request as valid and determines its access mode, read-only or read-write. (Case et al., 1990) Unfortunately, a significant number of devices default to "public" as the read-only community and "private" as the read-write community, which opens these devices up for remote management by any scanner. (Jiang, 2002)

SNMP Enumeration

Once a listening UDP 161 port is discovered on a network and the public community is in use, attackers are able to extract information about network resources and network configuration. (EC-Council, 2011) Resources that can be enumerated include devices, hosts, shares, and servers. (EC-Council, 2011) Configuration information includes tables such as the ARP and routing tables, statistics about traffic, and specialized device information. (EC-Council, 2011) Since some devices respond to broadcast packets, this enumeration can even occur without the UDP discovery step: an attacker can send a request with the public community to the network broadcast address and have the vulnerable devices answer back. (Jiang, 2002)

SNMP Protection Solutions

Jiang recommends using firewalls and routers to block UDP 161 and 162 traffic, inbound and outbound, to prevent SNMP enumeration or exploitation from outside of the network. (2002) Doing so will complicate legitimate remote use, but that can be mitigated by VPNing into the network first and then performing your management through the tunnel.

Network administrators should use tools such as the SANS-developed SNMPing to discover the SNMP machines that they didn't know were on their network. (Jiang, 2002) Other useful tools include OpUtils, SNScan from McAfee, and Spiceworks. (EC-Council, 2011) Nobody wants to have their network pwnd because the new printer they bought lets a hacker in via the public and private communities.

Case, J., Fedor, M., Schoffstall, M., Davin, J. (1988, August). A Simple Network Management Protocol. Network Working Group. Retrieved from

Case, J., Fedor, M., Schoffstall, M., Davin, J. (1990, August). A Simple Network Management Protocol (SNMP). Network Working Group. Retrieved from

EC-Council. (2011). Ethical Hacking and Countermeasures v8.

Jiang, G. (2002). Multiple vulnerabilities in SNMP. Computer, 35(4), 2-4.

Layer 1 network attacks

Discuss/describe one or more LAN based attacks (also known as layer 2 attacks or lower layer attacks) which are not covered in the Module 3, or share any additional thoughts you may have on LAN based attacks covered in Module 3.

Discuss the security measures or methods used to prevent or mitigate the LAN based attacks you presented in Question A.

Layer 1 of the OSI network model is the physical layer. (Ruh, 2009) All three legs of the security triad can be attacked at layer 1: confidentiality, integrity, and availability.

  • Confidentiality: Ethernet - The first Wi-Fi encryption was called Wired Equivalent Privacy, which is fairly appropriate since WEP is almost trivially broken. (Wójtowicz & Belka, 2014) Wired Ethernet is entirely unprotected at Layer 1 and traffic can be recorded if an attacker can get a hook into the wires. Today an attacker doesn't need to be able to strip and splice your network cables if they have the access to replace the cable that they want to attack with two cables. For just $10 and the cost of two lengths of CAT5 cabling the attacker can place a commercially available Throwing Star LAN Tap. (HakShop, 2015) That small device, sold for penetration testers, copies all traffic crossing it onto two listening ports.
  • Integrity: Wi-Fi - To provide the best user experience with the least configuration, Wi-Fi establishes a connection to an SSID network by connecting to the strongest signal it can find for an access point advertising that SSID. If a stronger connection becomes available, then a client system will switch to communicating with that access point. In legitimate networks this occurs for load balancing and supporting mobile clients, but it can also happen if a rogue access point begins advertising the victim network. Once the rogue access point is the client's route to the network, all traffic crossing it is available for manipulation. For $100 an enterprising attacker can buy a preconfigured miniature computer that will automatically listen for SSIDs that are in use and can be hijacked, and start advertising them. It can then be used to launch various attacks on the traffic, such as man-in-the-middle attacks on secure connections or returning maliciously manipulated DNS answers. This product is the Wi-Fi Pineapple. (HAK5, 2015)
  • Availability:
    • Ethernet - Given only physical access to an Ethernet network, an attacker is able to trivially launch a destructive denial of service attack. Ethernet networks require electrical pulses to be sent along metal wires inside the cable, so severing the cable with something like a pair of diagonal pliers will terminate the connection. It is as simple as placing the cable inside the pliers and squeezing, though it is recommended that the attacker "place the wire to be cut as near as possible to the joint. This increases the leverage and considerably reduces the manual effort when cutting." (KNIPEX-Werk, 2014) These kinds of attacks were launched on backbone fiber in California earlier this year. (Kravets, 2015)
    • Wi-Fi - Since Wi-Fi is carried on radio signals, it is vulnerable to jamming "by emitting radio frequency waves that prevent the targeted device from establishing or maintaining a connection". (Pittman, 2011, p.2) In the United States this is illegal and falls under the jurisdiction of the FCC, but attackers rarely avoid attacks based on the legality of the technique.

Security measures that protect against these attacks

Ethernet: Since Ethernet attacks rely on access to the Layer 1 medium, the cables, the best defense is to prevent such access. Keeping infrastructure nodes such as switches and routers in locked, access-controlled spaces stops tools like the Throwing Star from being deployed to critical lines without having to modify cables. Actual backbone cables, such as connections from the network to the Internet, should be entirely protected by secured cable runs, by being buried, or by running inside walls. Cable integrity should be checked periodically to mitigate any attacks that have been launched successfully.

Wi-Fi: Being wireless and transmitted over radio waves, the distances involved end up being a combination of transmitter strength, antenna quality, weather, other traffic on and near the frequency, and objects in the way. With so many variables involved, the best course of defense is a combination of monitoring for rogue access points and keeping your wireless network inside of your facility, while keeping foreign signals out.

  • Electromagnetic signals can be stopped through global shielding, where the entire facility is protected in the perimeter walls, floor, and ceiling. (Herndon, 1990) Wireless networks inside the shielding will be unable to be sniffed from outside, and rogue access points will not be able to be connected to from inside.
  • Wardriving, traveling around scanning for wireless networks, can be used to periodically check for rogue access points broadcasting your SSID. (Etter, 2002) Additionally, wireless intrusion prevention systems can be deployed to automate such monitoring. (Zhang et al., 2010)
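The rogue access point check that such a wardrive or WIPS would run, as an added example that is not code from the original post or from any of the tools it cites. The scan records are constructed, and the inventory of authorized BSSIDs is a hypothetical one.

```python
# Added example (not from the original post): the rogue access point check that a
# periodic wardrive or a WIPS would run. The scan records are constructed and the
# inventory of authorized BSSIDs is a hypothetical one.
from collections import namedtuple

Beacon = namedtuple("Beacon", "bssid ssid channel signal_dbm privacy")

# Hypothetical inventory: the access points that legitimately serve our SSID.
AUTHORIZED = {"corp-wifi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

def parse_scan(text):
    """Parse constructed scan lines of the form 'bssid, ssid, channel, signal, privacy'."""
    beacons = []
    for line in text.strip().splitlines():
        bssid, ssid, ch, sig, priv = [f.strip() for f in line.split(",")]
        beacons.append(Beacon(bssid.lower(), ssid, int(ch), int(sig), priv))
    return beacons

def find_rogues(beacons, authorized=AUTHORIZED):
    """Flag unknown BSSIDs advertising one of our SSIDs, with two evil-twin tells:
    weaker security than our APs, and a signal strong enough to win the roaming
    decision the text describes (clients associate with the strongest AP)."""
    findings = []
    for b in beacons:
        if b.ssid not in authorized or b.bssid in authorized[b.ssid]:
            continue                     # foreign SSID, or one of our own APs
        ours = [x for x in beacons if x.ssid == b.ssid and x.bssid in authorized[b.ssid]]
        reasons = ["unknown BSSID"]
        if b.privacy == "OPN" and any(x.privacy != "OPN" for x in ours):
            reasons.append("open network impersonating an encrypted SSID")
        if ours and b.signal_dbm > max(x.signal_dbm for x in ours):
            reasons.append("stronger than every authorized AP")
        findings.append((b.bssid, b.channel, reasons))
    return findings

# Constructed scan: two real APs, one evil twin on channel 6, one unrelated network.
SCAN = """
00:11:22:33:44:01, corp-wifi, 6, -58, WPA2
00:11:22:33:44:02, corp-wifi, 11, -67, WPA2
DE:AD:BE:EF:00:01, corp-wifi, 6, -41, OPN
66:77:88:99:AA:BB, guest-cafe, 1, -80, OPN
"""
```

A twin that clones an authorized BSSID passes this inventory check, which is why the monitoring above is paired with shielding and a WIPS that also watches channel and signal anomalies.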

Etter, A. (2002). A Guide to Wardriving and detecting wardrivers. SANS Institute, Retrieved 23 September 2015 from

HAK5. (2015) WiFi Pineapple. Retrieved 23 September 2015 from

HakShop. (2015). THROWING STAR LAN TAP. Retrieved 23 September 2015 from

Herndon, R. L. (1990, December 31). ELECTROMAGNETIC PULSE (EMP) AND TEMPEST PROTECTION FOR FACILITIES. U.S. Army Corps of Engineers

Kravets, D. (2015, Jul 1) California fiber optic cable vandalism continues unabated. Ars Technica. Retrieved 23 September 2015 from

KNIPEX-Werk. (2014). The Diagonal Cutters. Retrieved 23 September 2015 from

Pittman, K. (2011) GPS, Wi-Fi, and Cell Phone Jammers. FCC, Retrieved 23 September 2015 from

Ruh, L. (2009). Open Systems Interconnection Reference Model. Retrieved 27 January 2012 from:

Wójtowicz, S., & Belka, R. (2014, November). Analysis of selected methods for the recovery of encrypted WEP key. In Symposium on Photonics Applications in Astronomy, Communications, Industry and High-Energy Physics Experiments (pp. 92902Z-92902Z). International Society for Optics and Photonics.

Zhang, Y., Chen, G., Weng, W., & Wang, Z. (2010, June). An overview of wireless intrusion prevention systems. In Communication Systems, Networks and Applications (ICCSNA), 2010 Second International Conference on (Vol. 1, pp. 147-150). IEEE.

Sunday, September 13, 2015

Advanced Traceroute: Firewalk

The module for class this week describes using IP packet time to live (TTL) values to map out the route across the network that your data takes to reach its destination. Modern operating systems come with default tools to perform this sort of diagnostic, with Windows utilizing ICMP Echo Request packets while UNIX and Linux use high-port UDP. (UMUC, 2012)

Sending a packet with a TTL of one causes the first hop in the route to respond with an ICMP error of type 11, Time Exceeded, and code 0, time to live exceeded in transit. (Postel, 1981) Next, send successively higher TTL values until the destination responds. By recording the sender information from the ICMP error messages, you build a list of nodes in which the sender of the error for TTL N is N hops away. That holds as long as network gateways let your tracer packets in and the ICMP errors out.

Firewall devices may drop tracer packets because they only allow specific traffic services through. An advanced traceroute technique accounts for this and uses a TTL of the firewall distance plus one to map the allowed services on that firewall, a technique known as firewalking. (Irby, 2000) It works because the traceroute operates at the IP level and therefore leaves the encapsulated protocol up to the sender's choosing: TCP, UDP, ICMP or any transport layer protocol can be tested. If a Windows traceroute times out at a hop but a probe to UDP port 53, DNS, gets responded to, then that device is dropping ICMP Echo Requests but allows DNS traffic. (Irby, 2000)
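From the firewall's side, the firewalk described above has a signature: probes that arrive with a TTL of one or two (built to expire one hop past the gateway) spread across many services. The following is an added example, not code from the original post or from Firewalk itself, that runs that detection over constructed firewall log lines; the key=value log layout is hypothetical.

```python
# Added example (not from the original post): spotting firewalk-style probing in
# firewall logs. A firewalk probe is built to expire one hop past the gateway, so it
# arrives at the firewall with a TTL of 1 or 2 while sweeping many services. The log
# lines are constructed and their key=value layout is hypothetical.
from collections import defaultdict

LOW_TTL = 2            # arrival TTL at or below this expires at the next hop
MIN_SERVICES = 3       # distinct services before a source counts as sweeping
TRACEROUTE_PORTS = range(33434, 33535)   # UNIX traceroute's default UDP probe range

def parse_line(line):
    """'src=.. dst=.. proto=.. dport=.. ttl=..' -> dict; dport absent for ICMP."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ttl"] = int(rec["ttl"])
    rec["dport"] = int(rec.get("dport", 0))
    return rec

def service_of(rec):
    """Normalise a record to the service it probes. A plain traceroute also arrives
    with a low TTL, but it probes ICMP echo or a narrow band of high UDP ports, so
    that band collapses to one service and does not count as a sweep."""
    if rec["proto"] == "icmp":
        return "icmp"
    if rec["proto"] == "udp" and rec["dport"] in TRACEROUTE_PORTS:
        return "udp/traceroute-range"
    return f"{rec['proto']}/{rec['dport']}"

def detect_firewalk(log_text, low_ttl=LOW_TTL, min_services=MIN_SERVICES):
    """Return {src: sorted services} for sources whose low-TTL packets span
    at least min_services distinct services."""
    probes = defaultdict(set)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["ttl"] <= low_ttl:
            probes[rec["src"]].add(service_of(rec))
    return {src: sorted(s) for src, s in probes.items() if len(s) >= min_services}

# Constructed log: one firewalk sweep, one ordinary traceroute, one normal connection.
LOG = """
src=198.51.100.7 dst=203.0.113.10 proto=udp dport=53 ttl=2
src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=80 ttl=2
src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=22 ttl=2
src=198.51.100.7 dst=203.0.113.10 proto=udp dport=161 ttl=2
src=198.51.100.7 dst=203.0.113.10 proto=icmp ttl=2
src=192.0.2.44 dst=203.0.113.10 proto=udp dport=33434 ttl=2
src=192.0.2.44 dst=203.0.113.10 proto=udp dport=33435 ttl=2
src=192.0.2.44 dst=203.0.113.10 proto=udp dport=33436 ttl=2
src=192.0.2.99 dst=203.0.113.10 proto=tcp dport=443 ttl=57
"""
```

The threshold on arrival TTL only works if the firewall logs the TTL it received; a rule that rate-limits or drops low-TTL packets at the perimeter removes the Time Exceeded replies the technique depends on.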

Irby, D. (2000). Firewalk: Can Attackers See Through Your Firewall. SANS.

Postel, J. (1981). RFC 792: Internet control message protocol. InterNet Network Working Group.

UMUC. (2012) Advanced TCP/IP, CSEC-640 – Module 1. Retrieved from:

Thursday, September 10, 2015

TCP Discussion

A vital aspect of TCP which is conveniently abstracted away from normal use is the TCP window size. Because endpoints of various levels of speed, capability, and memory operate across networks, reliability can only be achieved efficiently if endpoints have “a means for the receiver to govern the amount of data sent by the sender”, as is described in RFC 793 (Postel, 2003). The window is the size of the receive buffer maintained by the network TCP stack, which fills with incoming data and empties as that data is consumed by the networking application.

TCP flow control lessons learned from programming network tools:
If you are watching a TCP session, such as in Wireshark, and the TCP window suddenly starts shrinking, then it means that the endpoint has stopped calling recv. This is a likely sign that the receiving application is blocking on the thread processing inbound data, and probably blocking inappropriately. Check for waits or even premature thread termination. This problem will also occur if the inbound data thread has exited without triggering a closure of the socket.
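The Wireshark diagnosis above as code, added here as an example that is not from the original post: given the ACK segments one endpoint sends, it tracks the advertised receive window (the window field shifted by the scale factor negotiated in the SYN) and reports when the window keeps shrinking while the ACK number keeps advancing, i.e. data is landing in the buffer and nothing is draining it. The segment lists are constructed.

```python
# Added example (not from the original post): the Wireshark diagnosis above as code.
# Given the ACK segments one endpoint sends, it tracks the advertised receive window
# (window field shifted by the scale factor negotiated in the SYN) and reports when
# the window keeps shrinking while the ACK number keeps advancing: data is landing
# in the buffer and nothing is draining it. The segment lists are constructed.
from collections import namedtuple

Ack = namedtuple("Ack", "t ack win")   # capture time, cumulative ACK number, raw window field

def advertised_windows(acks, shift=0):
    """[(t, window_bytes)] with the window-scale shift applied."""
    return [(a.t, a.win << shift) for a in acks]

def diagnose(acks, shift=0, steps=3):
    """Return (t, window_bytes) of the first ACK that completes `steps` consecutive
    shrinking windows with advancing ACKs, or None when the window recovers (a
    receiver that calls recv again re-advertises space). A zero window is reported
    immediately because the sender is then fully stalled."""
    wins = advertised_windows(acks, shift)
    run = 0
    for i in range(1, len(acks)):
        advancing = acks[i].ack > acks[i - 1].ack
        shrinking = wins[i][1] < wins[i - 1][1]
        run = run + 1 if (advancing and shrinking) else 0
        if wins[i][1] == 0 or run >= steps:
            return wins[i]
    return None

# Constructed traces with window scale 7 (x128). In STALLED the receiver stops
# reading after 0.10 s; in HEALTHY the window dips and recovers as recv drains it.
STALLED = [Ack(0.00, 1, 64), Ack(0.05, 1461, 64), Ack(0.10, 2921, 64),
           Ack(0.15, 4381, 48), Ack(0.20, 5841, 32), Ack(0.25, 7301, 16),
           Ack(0.30, 8761, 0)]
HEALTHY = [Ack(0.00, 1, 64), Ack(0.05, 1461, 60), Ack(0.10, 2921, 64),
           Ack(0.15, 4381, 62), Ack(0.20, 5841, 64)]
```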

Man, I hate it when comedians tell jokes about TCP. They just keep repeating it until you laugh! This is because, as a protocol, TCP guarantees reliability through Positive Acknowledgement with Retransmission. (Vacca, 2009, p. 298) Data packets are retransmitted until they are acknowledged.

Postel, J. (2003). RFC 793: Transmission control protocol, September 1981. Status: Standard, 88.

UMUC. (2012) Advanced TCP/IP, CSEC-640 – Module 1. Retrieved from:

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufman