Ethical Hacking and Countermeasures - Sniffing PDF
This document provides an overview of network sniffing. It discusses packet sniffing, how sniffers work, and how attackers use sniffers. It also covers ethical hacking practices associated with this topic.
# Module 08: Sniffing

## Ethical Hacking and Countermeasures - Sniffing

### Network Sniffing

#### Packet Sniffing

- Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device.
- It allows an attacker to observe and access the entire network traffic from a given point.
- Packet sniffing allows an attacker to gather sensitive information such as Telnet passwords, email traffic, syslog traffic, router configuration, web traffic, DNS traffic, FTP passwords, chat sessions, and account information.

#### How a Sniffer Works

- A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment.

### Packet Sniffing

- Sniffing is straightforward in hub-based networks, as the traffic on a segment passes through all the hosts associated with that segment.
- However, most networks today work on switches.
- A switch is an advanced computer networking device.
- The major difference between a hub and a switch is that a hub repeats every frame out of every port and keeps no port mapping, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the frame only to the port on which that address was learned.
- A MAC address is a hardware address that uniquely identifies each node of a network.

#### Attacker and Packet Sniffing

- An attacker needs to manipulate the functionality of the switch to see all the traffic passing through it.
- A packet sniffing program (also known as a sniffer) can capture data packets only from within its own subnet (broadcast domain); it cannot sniff packets from another network unless it is placed there.
- Often, any laptop can plug into a network and gain access to it, because many enterprises leave switch ports open.
- A packet sniffer placed on a network in promiscuous mode can therefore capture and analyze all the network traffic on its segment.
- Sniffing programs turn off the filter employed by Ethernet network interface cards (NICs) that normally prevents the host machine from seeing other stations' traffic.
- Thus, sniffing programs can monitor all traffic on the segment.

#### Packet Sniffing with Switches

- Although most networks today employ switch technology, packet sniffing is still useful.
- This is because installing remote sniffing programs on network components with heavy traffic flows, such as servers and routers, is relatively easy once those components are compromised.
- It allows an attacker to observe and access the entire network traffic from one point.
- Packet sniffers can capture data packets containing sensitive information such as passwords, account information, syslog traffic, router configuration, DNS traffic, email traffic, web traffic, chat sessions, and FTP passwords.

#### Packet Sniffing Scenario

- The following diagram depicts an attacker sniffing the data packets between two legitimate network users:
- [Diagram: Switch, Smith, Lena, Attacker]

#### How a Sniffer Works - Ethernet

- The most common way of networking computers is through an Ethernet connection.
- A computer connected to a local area network (LAN) has two addresses: a MAC address and an Internet Protocol (IP) address.
- A MAC address uniquely identifies each node in a network and is stored on the NIC itself.
- The Ethernet protocol uses the MAC address to transfer data to and from a system while building data frames.
- The data link layer of the OSI model uses an Ethernet header with the MAC address of the destination machine instead of the IP address.
- The network layer is responsible for mapping IP network addresses to the MAC address as required by the data link protocol.
- It initially looks for the MAC address of the destination machine in a table, usually called the Address Resolution Protocol (ARP) cache.
- If there is no entry for the IP address, an ARP request is broadcast to all machines on the local subnetwork.
- The machine with that particular IP address responds to the source machine with its MAC address.
- The source machine adds this MAC address to its ARP cache.
- The source machine then uses this MAC address in all its communications with the destination machine.

#### Ethernet Environments

- There are two basic types of Ethernet environments, and sniffers work differently in each.

**Shared Ethernet:**

- In a shared Ethernet environment, a single bus connects all the hosts, which compete for bandwidth.
- In this environment, all the other machines receive the frames meant for one machine.
- Thus, when machine 1 wants to talk to machine 2, it sends a frame out on the network with the destination MAC address of machine 2, along with its own source MAC address.
- The other machines in the shared Ethernet (machines 3 and 4) compare the frame's destination MAC address with their own and discard the unmatched frame.
- However, a machine running a sniffer ignores this rule and accepts all the frames.
- Sniffing in a shared Ethernet environment is passive and, hence, difficult to detect.

**Switched Ethernet:**

- In a switched Ethernet environment, the hosts connect to a switch instead of a hub.
- The switch maintains a table that tracks each computer's MAC address and the physical port on which that MAC address is connected, and then delivers frames only to the port of the destination machine.
- The switch does not broadcast unicast frames to all the computers on the network.
- This results in better utilization of the available bandwidth and improved security.
- Hence, simply putting a machine's NIC into promiscuous mode does not capture other hosts' traffic.
- As a result, many people think that switched networks are secure and immune to sniffing.
- However, this is not true.
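The ARP exchange described above (cache lookup, broadcast request, reply, cache update), as an added Python example that is not part of the original module. It builds and parses real Ethernet/ARP frames with `struct`, models the source machine's ARP cache, and, because ARP is stateless and installs any reply it receives, also records what an ARP-poisoning detector would flag when a reply arrives that nobody asked for or that changes an existing entry. The MAC and IP addresses (`MAC_SMITH`, `IP_LENA`, `MAC_ATTACKER`, ...) are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Constructed sample addresses for this example (not taken from the page).
MAC_SMITH, IP_SMITH = "aa:bb:cc:00:00:01", "192.0.2.10"
MAC_LENA, IP_LENA = "aa:bb:cc:00:00:02", "192.0.2.20"
MAC_ATTACKER = "aa:bb:cc:00:00:99"

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II header (14 bytes) + ARP packet (28 bytes, RFC 826 layout).
    A request goes to the broadcast MAC; a reply goes back to the requester."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Arp:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return Arp(op, bytes_to_mac(frame[22:28]), bytes_to_ip(frame[28:32]),
               bytes_to_mac(frame[32:38]), bytes_to_ip(frame[38:42]))


class ArpCache:
    """The source machine's ARP cache from the text. Like a real (stateless)
    ARP implementation it installs whatever a reply says; `alerts` records
    what an ARP-poisoning detector would flag: replies nobody asked for, and
    replies that change the MAC of an IP already in the cache."""

    def __init__(self):
        self.table = {}       # ip -> mac
        self.pending = set()  # ips we have broadcast a request for
        self.alerts = []      # (ip, new_mac, reasons)

    def resolve(self, my_mac, my_ip, ip):
        """Return (mac, None) on a cache hit, else (None, request frame to send)."""
        if ip in self.table:
            return self.table[ip], None
        self.pending.add(ip)
        return None, build_arp(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, ip)

    def on_frame(self, frame):
        a = parse_arp(frame)
        if a.op != ARP_REPLY:
            return []
        old = self.table.get(a.sender_ip)
        reasons = []
        if a.sender_ip not in self.pending:
            reasons.append("unsolicited reply")
        if old is not None and old != a.sender_mac:
            reasons.append(f"mac changed {old} -> {a.sender_mac}")
        if reasons:
            self.alerts.append((a.sender_ip, a.sender_mac, reasons))
        self.table[a.sender_ip] = a.sender_mac   # accepted regardless: ARP is stateless
        self.pending.discard(a.sender_ip)
        return reasons


def demo():
    cache = ArpCache()
    mac, request = cache.resolve(MAC_SMITH, IP_SMITH, IP_LENA)   # miss -> broadcast
    assert mac is None and parse_arp(request).op == ARP_REQUEST
    # Lena answers the broadcast: solicited, new entry, no alert.
    cache.on_frame(build_arp(ARP_REPLY, MAC_LENA, IP_LENA, MAC_SMITH, IP_SMITH))
    # The attacker later claims Lena's IP with its own MAC (ARP spoofing).
    cache.on_frame(build_arp(ARP_REPLY, MAC_ATTACKER, IP_LENA, MAC_SMITH, IP_SMITH))
    return cache


if __name__ == "__main__":
    c = demo()
    print("Smith now sends Lena's traffic to", c.table[IP_LENA])
    for ip, mac, why in c.alerts:
        print("ALERT", ip, mac, why)
```

After `demo()` Smith's cache maps Lena's IP to the attacker's MAC even though the detector raised an alert: the point of the example is that detection and prevention are separate, and a host only stops being poisonable when the entry is static or the switch enforces Dynamic ARP Inspection.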
#### Switch Security

- Although a switch is more secure than a hub, sniffing the network is possible using the following methods:

**ARP Spoofing:**

- ARP is stateless.
- A machine can send an ARP reply even without being asked for it, and a receiving machine will accept such a reply.
- When a machine wants to sniff the traffic originating from another system, it can ARP spoof the gateway of the network.
- The ARP cache of the target machine will then have an incorrect entry for the gateway.
- Thus, all the traffic destined for the gateway will now pass through the machine that spoofed the gateway's MAC address.

**MAC Flooding:**

- Switches maintain a translation table (the CAM table) that maps MAC addresses to the physical ports on the switch.
- As a result, they can forward frames directly from one host to another.
- However, switches have limited memory for this table.
- MAC flooding makes use of this limitation by bombarding the switch with frames carrying fake source MAC addresses until the table can no longer hold them.
- Once this happens, the switch enters fail-open mode, wherein it starts acting as a hub by broadcasting frames to all the ports on the switch.
- Once that happens, it becomes easy to perform sniffing.

#### Sniffing and NICs

- Once a switch turns into a hub, it starts broadcasting all packets it receives to all the computers in the network.
- By default, promiscuous mode is turned off; therefore, NICs accept only those packets that are addressed to the user's machine (or to broadcast/multicast addresses) and discard the packets sent to other machines.
- A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment.
- A sniffer can constantly monitor all the network traffic reaching a computer through the NIC by decoding the information encapsulated in the data packets.
- Attackers configure the NIC in their machines to run in promiscuous mode so that the card starts accepting all the packets.
- Thus, the attacker can view all the packets that are being transmitted in the network.

### Types of Sniffing

#### Passive Sniffing

- Passive sniffing involves sending no packets.
- It simply captures and monitors the packets flowing in the network.
- A packet sniffer alone is not preferred for an attack because it works only in a common collision domain.
- A common collision domain is the sector of the network that is not switched or bridged (i.e., connected through a hub).
- Common collision domains are present in hub environments.
- A network that uses hubs to connect systems is sniffed using passive sniffing.
- In such networks, all hosts in the network can see all the traffic.
- Hence, it is easy to capture traffic through the hub using passive sniffing.

#### Active Sniffing

- Active sniffing is used to sniff a switch-based network.
- Active sniffing involves injecting Address Resolution Protocol (ARP) packets into the network, for example to flood the switch's Content Addressable Memory (CAM) table, which keeps track of host-port connections.

#### Active Sniffing Techniques

- **MAC Flooding**
- **DHCP Attacks**
- **DNS Poisoning**
- **Switch Port Stealing**
- **ARP Poisoning**
- **Spoofing Attack**

### Types of Sniffing - Attackers

- Attackers run sniffers that put the host system's NIC into promiscuous mode.
- As discussed earlier, the NIC in promiscuous mode can then capture all packets visible on its segment, not only those addressed to it.
- There are two types of sniffing.
- Each is used for different types of networks.

**Passive Sniffing:**

- As described above, passive sniffing sends no packets, only monitors the traffic flowing past, and therefore works only in a common collision domain (a hub-based network), where every host can see all the traffic.

**Active Sniffing:**

- Active sniffing captures traffic on a switched LAN by actively injecting traffic into it.
- Active sniffing also refers to sniffing through a switch.
- In a switched Ethernet, the switch does not forward every frame to all the systems connected to the LAN as a hub does.
- For this reason, a passive sniffer is unable to sniff data on a switched network.
- Because active sniffing generates traffic, these sniffer programs are easier to detect, and this type of sniffing is harder to perform than passive sniffing.
- Switches examine frames for source and destination MAC addresses and then transmit them only to the appropriate port.
- Therefore, it is cumbersome to sniff on switched networks.
- However, attackers can actively inject ARP traffic into a LAN to redirect traffic on a switched network and capture it.
- Switches keep their MAC-address-to-port table in Content Addressable Memory (CAM).
- CAM is a special type of memory that maintains a record of which host is connected to which port.
- A sniffer records all the information visible on the network for future review.
- An attacker can see all the information in the packets, including data that should remain hidden.
- To summarize the types of sniffing: passive sniffing does not send any packets; it only monitors the packets sent by others.
- Active sniffing involves sending crafted packets (such as forged ARP replies or floods of fake source MAC addresses) into the network to make the switch deliver other hosts' traffic to the attacker.
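The CAM table behaviour described in the MAC Flooding and Active Sniffing passages above, as an added Python example that is not part of the original module. It models a learning switch with a fixed-capacity CAM table, runs a macof-style flood from the attacker's port, and shows that a frame from Smith to Lena is unicast to Lena's port before the flood but flooded to every port (including the attacker's) afterwards. It also keeps the per-port count of newly learned source MACs, which is what a port-security limit on an access port would trip on. Port numbers, MAC addresses, the capacity of 1024 entries and the eviction-on-full policy are constructed for the example; real switches differ in how they behave when the table fills.

```python
from collections import Counter, OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy learning switch. The CAM table maps source MAC -> ingress port and
    holds at most `capacity` entries (real hardware: thousands to tens of
    thousands). A frame to a MAC that is not in the table is flooded out of
    every other port, which is exactly what an attacker on the segment wants."""

    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity
        self.cam = OrderedDict()            # mac -> port; insertion order = age
        self.new_macs_per_port = Counter()  # what port security would count
        self.flooded = 0
        self.unicast = 0

    def learn(self, src_mac, port):
        if src_mac in self.cam:
            self.cam[src_mac] = port        # refresh an existing entry
            return
        self.new_macs_per_port[port] += 1
        if len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)    # table full: age out the oldest entry (assumed policy)
        self.cam[src_mac] = port

    def forward(self, src_mac, dst_mac, in_port):
        """Return the list of ports the frame is sent out of."""
        self.learn(src_mac, in_port)
        out = self.cam.get(dst_mac)
        if out is None or dst_mac == BROADCAST:
            self.flooded += 1
            return [p for p in self.ports if p != in_port]
        self.unicast += 1
        return [out]


def fake_mac(i):
    """Locally administered (02:...) MAC number i, so flood sources never repeat."""
    return "02:00:%02x:%02x:%02x:%02x" % ((i >> 24) & 0xff, (i >> 16) & 0xff,
                                          (i >> 8) & 0xff, i & 0xff)


def mac_flood(switch, attacker_port, count):
    """macof-style flood: every frame carries a never-seen source MAC and an
    unknown destination, all injected from the attacker's port."""
    for i in range(count):
        switch.forward(fake_mac(i), fake_mac(i + 1_000_000), attacker_port)


def port_security_violations(switch, max_macs=2):
    """Ports that learned more source MACs than an access port should ever need."""
    return {p: n for p, n in switch.new_macs_per_port.items() if n > max_macs}


def demo():
    sw = Switch(ports=[1, 2, 3], capacity=1024)
    smith, lena = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"   # constructed MACs
    sw.forward(smith, lena, 1)              # flooded: Lena not learned yet
    sw.forward(lena, smith, 2)              # unicast back to port 1
    before = sw.forward(smith, lena, 1)     # [2]: attacker on port 3 sees nothing
    mac_flood(sw, attacker_port=3, count=5000)
    after = sw.forward(smith, lena, 1)      # [2, 3]: entries evicted, frame is flooded
    return before, after, sw


if __name__ == "__main__":
    before, after, sw = demo()
    print("before flood:", before, " after flood:", after)
    print("CAM entries:", len(sw.cam), " port-security violations:", port_security_violations(sw))
```

The attacker must keep flooding: as soon as the fake entries age out and Smith and Lena send a frame each, the switch relearns them and goes back to unicast delivery. That continuous stream of new source MACs from one port is the signal a `switchport port-security maximum` limit, or a monitoring rule on MAC-learn rate per port, is designed to catch.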
#### Active Sniffing Techniques

- **MAC flooding**
- **DNS poisoning**
- **ARP poisoning**
- **DHCP attacks**
- **Switch port stealing**
- **Spoofing attack**

### Attackers and Passive Sniffing

- Attackers use the following passive sniffing methods to gain control over a target network:

**Compromising physical security:**

- An attacker who succeeds in compromising the physical security of a target organization can walk into the organization with a laptop, plug into the network, and capture sensitive information about the organization.

**Using a Trojan horse:**

- Many Trojans have built-in sniffing capability.
- An attacker can install these on a victim's machine to compromise it.
- After compromising the victim's machine, the attacker can install a packet sniffer and perform sniffing.

### Sniffing and Switching

- Most modern networks use switches instead of hubs.
- A switch eliminates the risk of passive sniffing.
- However, a switch is still vulnerable to active sniffing.

### Attackers and Sniffers

#### How an Attacker Hacks the Network Using Sniffers

- Attackers use sniffing tools to sniff packets and monitor network traffic on a target network.
- The steps that an attacker follows to make use of sniffers to hack a network are illustrated below:

1. **Step 1:** An attacker who decides to hack a network first discovers the appropriate switch to access the network and connects a system or laptop to one of the ports on the switch.
2. **Step 2:** An attacker who succeeds in connecting to the network tries to determine network information such as the topology of the network by using network discovery tools.
3. **Step 3:** By analyzing the network topology, the attacker identifies the victim's machine to target.
4. **Step 4:** An attacker who has identified a target machine uses ARP spoofing techniques to send fake (spoofed) Address Resolution Protocol (ARP) messages.
5. **Step 5:** The previous step helps the attacker to divert all the traffic from the victim's computer to the attacker's computer. This is a typical man-in-the-middle (MITM) type of attack.
6. **Step 6:** Now, the attacker can see all the data packets sent and received by the victim. The attacker can now extract sensitive information from the packets, such as passwords, usernames, credit card details, and PINs.

### Protocols Vulnerable to Sniffing

- The following protocols are vulnerable to sniffing.
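Step 6 above, extracting credentials from the captured packets, as an added Python example that is not part of the original module. It runs a per-protocol extractor over reassembled client-to-server payloads for the cleartext protocols the next section describes (FTP and POP3 `USER`/`PASS`, SMTP `AUTH PLAIN`, HTTP Basic and HTTP form logins) and skips what it cannot read (the HTTPS entry is just a TLS ClientHello). The `CAPTURED` payloads, addresses and the `smith`/`simpson` credentials are constructed for the example; in practice the payloads would come from a capture file after TCP stream reassembly.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed client->server TCP payloads, as a sniffer would reassemble them
# after the ARP-spoofing MITM of steps 4-5: (client_ip, server_ip, dst_port, data).
CAPTURED = [
    ("192.0.2.10", "192.0.2.50", 21, b"USER smith\r\nPASS simpson\r\nLIST\r\n"),
    ("192.0.2.10", "192.0.2.51", 110, b"USER smith@example.test\r\nPASS simpson\r\nSTAT\r\n"),
    ("192.0.2.10", "192.0.2.52", 25,
     b"EHLO laptop\r\nAUTH PLAIN " + base64.b64encode(b"\x00smith\x00simpson") + b"\r\n"),
    ("192.0.2.10", "192.0.2.53", 80,
     b"GET /admin/ HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"smith:simpson") + b"\r\n\r\n"),
    ("192.0.2.10", "192.0.2.53", 80,
     b"POST /login HTTP/1.1\r\nHost: intranet\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
     b"username=smith&password=simpson"),
    # HTTPS: only the TLS ClientHello is visible, so there is nothing to harvest.
    ("192.0.2.10", "192.0.2.54", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
]

PROTO = {21: "ftp", 110: "pop3", 25: "smtp", 80: "http"}


def user_pass_commands(text):
    """FTP and POP3 authenticate with USER/PASS lines sent in the clear."""
    user = re.search(r"^USER (\S+)", text, re.M)
    pw = re.search(r"^PASS (\S+)", text, re.M)
    return (user.group(1), pw.group(1)) if user and pw else None


def smtp_auth_plain(text):
    """AUTH PLAIN carries base64(authzid NUL authcid NUL password)."""
    m = re.search(r"^AUTH PLAIN (\S+)", text, re.M)
    if not m:
        return None
    try:
        parts = base64.b64decode(m.group(1)).split(b"\x00")
    except ValueError:
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode(errors="replace"), parts[2].decode(errors="replace")


def http_credentials(text):
    """HTTP Basic is base64(user:password); login forms POST the fields as-is."""
    m = re.search(r"^Authorization: Basic (\S+)", text, re.M | re.I)
    if m:
        try:
            user, sep, pw = base64.b64decode(m.group(1)).decode(errors="replace").partition(":")
            if sep:
                return user, pw
        except ValueError:
            pass
    head, sep, body = text.partition("\r\n\r\n")
    if sep and head.startswith("POST ") and "application/x-www-form-urlencoded" in head:
        form = parse_qs(body)
        user = next((form[k][0] for k in ("username", "user", "login", "email") if k in form), None)
        pw = next((form[k][0] for k in ("password", "pass", "passwd") if k in form), None)
        if user and pw:
            return user, pw
    return None


HANDLERS = {21: user_pass_commands, 110: user_pass_commands,
            25: smtp_auth_plain, 80: http_credentials}


def harvest(captured):
    """Run the per-protocol extractor for each payload; skip ports we cannot read."""
    found = []
    for client, server, port, data in captured:
        handler = HANDLERS.get(port)
        if handler is None:
            continue
        creds = handler(data.decode("ascii", errors="replace"))
        if creds:
            found.append({"proto": PROTO[port], "client": client, "server": server,
                          "user": creds[0], "password": creds[1]})
    return found


if __name__ == "__main__":
    for c in harvest(CAPTURED):
        print(f"{c['proto']:5} {c['client']} -> {c['server']}: {c['user']} / {c['password']}")
```

Telnet is deliberately absent: its client sends one keystroke per segment and the server echoes the prompts, so a harvester has to reassemble both directions and key off the `login:` and `Password:` prompts rather than match fixed commands. The same extractor doubles as a detection control when pointed at an internal capture: any hit means a cleartext protocol is still in use on that segment.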
- The main reason for sniffing these protocols is to acquire passwords.

**Telnet and Rlogin:**

- Telnet is a protocol used for communicating with a remote host (via port 23) on a network using a command-line terminal.
- rlogin enables a user to log into a network machine remotely via a TCP connection.
- Neither of these protocols provides encryption; therefore, data traveling between clients and servers over these protocols is in plaintext and vulnerable to sniffing.
- Attackers can sniff keystrokes, including usernames and passwords.

**HTTP:**

- HTTP has no built-in encryption, so websites served over plain HTTP transfer user data across the network in plaintext, which attackers can read to steal user credentials.

**SNMP:**

- Simple Network Management Protocol (SNMP) is a TCP/IP-based protocol used for exchanging management information between devices connected on a network.
- The first version of SNMP (SNMPv1) does not offer strong security: its community strings, which act as passwords, and the management data itself are transferred in cleartext.
- Attackers exploit this weakness to acquire community strings and device information in plaintext.

**SMTP:**

- Simple Mail Transfer Protocol (SMTP) is used for transmitting email messages over the Internet.
- In many deployments, SMTP sessions are transmitted in cleartext, which enables attackers to capture plaintext passwords sent during authentication.
- Further, SMTP itself does not provide any protection against sniffing attacks.

**NNTP:**

- Network News Transfer Protocol (NNTP) distributes, inquires into, retrieves, and posts news articles using a reliable stream-based transmission of news among the ARPA-Internet community.
- However, this protocol does not encrypt the data, which allows attackers to sniff sensitive information.

**POP:**

- Post Office Protocol (POP) allows a user's workstation to access mail from a mailbox server.
- A user can send mail from the workstation to the mailbox server via SMTP.
- Attackers can easily sniff the data flowing in a POP session, including the USER and PASS commands, because the protocol sends them in cleartext.

**FTP:**

- File Transfer Protocol (FTP) enables clients to share files between computers in a network.
- This protocol does not provide encryption; therefore, attackers can sniff data, including user credentials, by running tools such as Cain & Abel.

**IMAP:**

- Internet Message Access Protocol (IMAP) allows a client to access and manipulate electronic mail messages on a server.
- Without TLS, this protocol offers inadequate security, which allows attackers to obtain data and user credentials in cleartext.

# Module 10: Denial-of-Service

## Ethical Hacking and Countermeasures - Denial-of-Service

### What is a DoS Attack?

- Denial-of-Service (DoS) is an attack on a computer or network that reduces, restricts, or prevents access to system resources for its legitimate users.
- In a DoS attack, attackers flood the victim system with non-legitimate service requests or traffic to overload its resources and bring down the system, leading to the unavailability of the victim's website or at least significantly reducing the victim's system or network performance.
- The goal of a DoS attack is to keep legitimate users from using the system, rather than to gain unauthorized access to a system or to corrupt data.

#### Types of DoS Attacks

- The following are examples of types of DoS attacks:

1. **Flooding the victim's system with more traffic than it can handle**
2. **Flooding a service (e.g., Internet Relay Chat (IRC)) with more events than it can handle**
3. **Crashing a TCP/IP stack by sending corrupt packets**
4. **Crashing a service by interacting with it in an unexpected manner**
5. **Hanging a system by causing it to go into an infinite loop**

### DoS Attacks - Forms and Targets

- DoS attacks have various forms and target various services.
- The attacks may cause the following:

1. **Consumption of resources:** consumption of bandwidth, disk space, CPU time, or data structures
2. **Actual physical destruction or alteration of network components**
3. **Destruction of programming and files in a computer system**

#### DoS Attacks - Network Resources

- In general, DoS attacks target network bandwidth or connectivity.
- Bandwidth attacks overflow the network with a high volume of traffic by using existing network resources, thereby depriving legitimate users of these resources.
- Connectivity attacks overflow a system with a large number of connection requests, consuming all available OS resources to prevent the system from processing legitimate user requests.

#### DoS Attack Scenario

- Consider a food catering company that conducts much of its business over the phone.
- If an attacker wants to disrupt this business, they need to find a way to block the company's phone lines, which would make it impossible for the company to do business.
- A DoS attack works along the same lines: the attacker uses up all the ways to connect to the victim's system, making legitimate business impossible.

#### DoS Attacks - Impacts

- DoS attacks are a kind of security breach that does not generally result in the theft of information.
- However, these attacks can harm the target in terms of time and resources.
- Furthermore, the resulting failure might cause the loss of a service such as email.
- In the worst case, a DoS attack that crashes a system can corrupt or destroy the files and programs of the many users who were connected to the victim's system at the time of the attack.

### What is a DDoS Attack?
- Distributed denial-of-service (DDoS) is a coordinated attack in which a multitude of compromised systems (a botnet) attack a single target, thereby denying service to users of the targeted system.

#### DDoS Attack Impacts

- The impacts of DDoS include the loss of goodwill, disabled networks, financial losses, and disabled organizations.

#### DDoS Attack Workings

- In a DDoS attack, many compromised hosts barrage a target server, network, or site with bogus external requests that make it slow, unusable, or completely unavailable.

#### How DDoS Attacks Work

- The attacker initiates the DDoS attack by sending a command, through a command and control (C&C) server, to zombie agents: Internet-connected computers that the attacker compromised through malware and uses to perform various malicious activities.
- These zombie agents send connection requests to a large number of reflector systems with the spoofed source IP address of the victim, which causes the reflector systems to presume that these requests originate from the victim's machine instead of the zombie agents.
- Hence, the reflector systems send the requested information (the response to the connection request) to the victim.
- Consequently, the victim's machine is flooded with unsolicited responses from several reflector computers simultaneously, which may either reduce its performance or cause it to shut down completely.

### Basic Categories of DoS/DDoS Attack Vectors

- DDoS attacks mainly aim to exhaust network bandwidth, application, or service resources, thereby restricting legitimate users from accessing system or network resources.
- In general, DoS/DDoS attack vectors are categorized as follows:

**Volumetric Attacks**

- These attacks exhaust the bandwidth either within the target network/service or between the target network/service and the rest of the Internet to cause traffic blockage, preventing access to legitimate users.
- The attack magnitude is measured in bits per second (bps).

**Protocol Attacks**

- These attacks consume other types of resources, such as the connection state tables present in network infrastructure components like load balancers, firewalls, and application servers.
- The magnitude of attack is measured in packets per second (pps).

**Application Layer Attacks**

- These attacks consume the resources or services of an application, thereby making the application unavailable to legitimate users.
- The magnitude of attack is measured in requests per second (rps).

#### Volumetric Attacks

- Volumetric DDoS attacks generally target protocols such as the Network Time Protocol (NTP), Domain Name System (DNS), and Simple Service Discovery Protocol (SSDP), which run over UDP, are stateless, and do not have built-in congestion avoidance features.
- The generation of a large number of packets can consume the entire bandwidth of the network.
- A single machine usually cannot make enough requests to overwhelm network equipment.
- Hence, in DDoS attacks, the attacker uses several computers to flood a victim.
- In this case, the attacker controls all the machines and instructs them to direct traffic to the target system.
- DDoS attacks flood a network, causing a significant statistical change in network traffic that overwhelms network equipment such as switches and routers.
- Attackers use the processing power of a large number of geographically distributed machines to generate huge traffic directed at the victim, which is why such an attack is called a DDoS attack.

#### Bandwidth Depletion Attacks

- There are two types of bandwidth depletion attacks:

1. **Flood attack:** Zombies send large volumes of traffic to the victim's systems to exhaust the bandwidth of these systems.
2. **Amplification attack:** The attacker or zombies send messages, with the victim's spoofed source address, to a broadcast IP address or to servers whose replies are much larger than the requests. This method amplifies the malicious traffic that consumes the bandwidth of the victim's systems.
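The reflection mechanism from "How DDoS Attacks Work" and the amplification attack above, together with the SYN flood listed among the protocol attacks that follow, as seen from the defender's side: an added Python example that is not part of the original module. It runs two detectors over packet summaries. The first flags reflected traffic: UDP packets arriving from a well-known reflector service port (DNS, NTP, SSDP, chargen, memcached) when the victim never sent a request to that server, because the spoofed request left from a zombie elsewhere. The second flags SYN floods by counting, per server port and time window, the sources that sent a SYN but never the ACK that completes the handshake. The `Pkt` records, addresses, packet sizes and thresholds are constructed for the example; real input would come from a flow collector or `tcpdump`.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Pkt:
    """One packet summary (constructed, in the spirit of a tcpdump/Zeek line)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "udp" or "tcp"
    flags: str   # TCP flags as letters ("S", "SA", "A"); "" for UDP
    size: int    # bytes on the wire


REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "chargen", 11211: "memcached"}


def detect_reflection(pkts, min_reflectors=3):
    """Reflected traffic comes from a service port without the victim having sent
    a request to that server: the real request carried the victim's spoofed
    address and left from a zombie, so it never appears in the victim's capture."""
    requests = {(p.src, p.dst, p.dport) for p in pkts if p.proto == "udp"}
    suspects = defaultdict(lambda: {"reflectors": set(), "services": set(), "bytes": 0})
    for p in pkts:
        if p.proto != "udp" or p.sport not in REFLECTOR_PORTS:
            continue
        if (p.dst, p.src, p.sport) in requests:
            continue                       # solicited answer, e.g. a real DNS lookup
        rec = suspects[p.dst]
        rec["reflectors"].add(p.src)
        rec["services"].add(REFLECTOR_PORTS[p.sport])
        rec["bytes"] += p.size
    return {v: r for v, r in suspects.items() if len(r["reflectors"]) >= min_reflectors}


def detect_syn_flood(pkts, window=1.0, max_half_open=100):
    """Per (server, port, time window): sources that sent a SYN but never the ACK
    that completes the handshake. Spoofed floods never complete it."""
    syn_srcs = defaultdict(set)
    ack_srcs = defaultdict(set)
    for p in pkts:
        if p.proto != "tcp":
            continue
        key = (p.dst, p.dport, int(p.ts // window))
        if p.flags == "S":
            syn_srcs[key].add(p.src)
        elif p.flags == "A":
            ack_srcs[key].add(p.src)
    half_open = {k: len(s - ack_srcs[k]) for k, s in syn_srcs.items()}
    return {k: n for k, n in half_open.items() if n >= max_half_open}


def build_sample():
    """Constructed traffic toward one victim: normal activity plus two attacks."""
    victim = "203.0.113.5"
    pk = []
    # Legitimate DNS lookup by the victim and its answer (request precedes reply).
    pk.append(Pkt(0.0, victim, 40000, "198.51.100.1", 53, "udp", "", 70))
    pk.append(Pkt(0.1, "198.51.100.1", 53, victim, 40000, "udp", "", 140))
    # Legitimate three-way handshake to the victim's web server.
    pk.append(Pkt(1.0, "192.0.2.7", 51000, victim, 80, "tcp", "S", 60))
    pk.append(Pkt(1.0, victim, 80, "192.0.2.7", 51000, "tcp", "SA", 60))
    pk.append(Pkt(1.1, "192.0.2.7", 51000, victim, 80, "tcp", "A", 52))
    # NTP reflection: 40 servers answer requests the victim never sent.
    for i in range(40):
        pk.append(Pkt(5.0 + i * 0.01, f"198.51.100.{100 + i}", 123, victim, 80, "udp", "", 468))
    # SYN flood: 300 SYNs from spoofed, never-completing sources within one second.
    for i in range(300):
        pk.append(Pkt(10.0 + i * 0.001, f"198.18.{i // 256}.{i % 256}", 40000 + i,
                      victim, 80, "tcp", "S", 60))
    return pk


if __name__ == "__main__":
    sample = build_sample()
    for victim, rec in detect_reflection(sample).items():
        print(f"reflection toward {victim}: {len(rec['reflectors'])} reflectors, "
              f"{sorted(rec['services'])}, {rec['bytes']} bytes")
    for (dst, port, win), n in detect_syn_flood(sample).items():
        print(f"SYN flood toward {dst}:{port} in window {win}: {n} half-open sources")
```

Both detectors are stateless over the capture and therefore cheap enough to run on flow records at the border. The reflection check is only as good as the visibility of the victim's own outbound requests, so it must see both directions; the SYN check should be paired with SYN cookies on the server, which turn the half-open table from a finite resource into a stateless computation.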
#### Volumetric Attack Techniques

- Attackers use botnets and perform DDoS attacks by flooding the network.
- The entire bandwidth is used up by the attackers, and no bandwidth remains for legitimate use.
- The following are examples of volumetric attack techniques:

1. **User Datagram Protocol (UDP) flood attack**
2. **Internet Control Message Protocol (ICMP) flood attack**
3. **Ping of Death (PoD) attack**
4. **Smurf attack**
5. **Pulse wave attack**
6. **Zero-day attack**
7. **Malformed IP packet flood attack**
8. **Spoofed IP packet flood attack**

#### Protocol Attacks

- Attackers can also prevent access to a target by consuming types of resources other than bandwidth, such as connection state tables.
- Protocol DDoS attacks exhaust resources available on the target or on a specific device between the target and the Internet.
- These attacks consume the connection state tables present in network infrastructure devices such as load balancers, firewalls, and application servers.
- Consequently, no new connections will be allowed, because the device will be waiting for existing connections to close or expire.
- In this case, the attack magnitude is measured in packets per second (pps) or connections per second (cps).
- These attacks can even exhaust the state of millions of connections maintained by high-capacity devices.

#### Protocol Attacks - Examples

- The following are examples of protocol attack techniques:

1. **Synchronize (SYN) flood attack**
2. **Fragmentation attack**
3. **Spoofed session flood attack**
4. **Acknowledgement (ACK) flood attack**
5. **SYN-ACK flood attack**
6. **ACK and PUSH ACK flood attack**
7. **TCP connection flood attack**
8. **TCP state exhaustion attack**
9. **RST attack**

#### How Application Layer Attacks Work

- In these attacks, the attacker attempts to exploit vulnerabilities in the application layer protocol or in the application itself to prevent legitimate users from accessing the application.
- Attacks on unpatched, vulnerable systems do not require as much bandwidth as protocol or volumetric DDoS attacks to succeed.
- In application DDoS attacks, the application layer or application resources are consumed, for example by opening connections and leaving them open until no new connections can be made.
- These attacks target a specific aspect of an application or service and can be effective with one or a few attacking machines that produce a low traffic rate.
- Furthermore, these attacks are very difficult to detect and mitigate.
- The magnitude of attack is measured in requests per second (rps).

#### Application Layer Attacks - Impacts

- Application-level flood attacks result in the loss of services of a particular network, such as email and network resources, or the temporary shutdown of applications and services.
- Through this attack, attackers exploit weaknesses in the application's source code to prevent the application from processing legitimate requests.

#### Application Layer Attacks - Methods

- Several kinds of DoS attacks rely on software-related exploits such as buffer overflows.
- A buffer overflow attack sends more data to an application than its buffer can hold; the overflow either crashes the application or, if the attacker controls what gets overwritten, lets attacker-supplied code run on the host system.
- Such an attack can crash a vulnerable system remotely by sending malformed or excessive input to the application.

#### Application Layer Attacks - Additional Techniques

- Occasionally, attackers can also execute arbitrary code on the remote system via a buffer overflow.
- Sending too much data to an application overwrites the data that controls the program's flow, enabling the attacker to run their own code instead.

#### Application Layer Attacks - Examples

- Using application-level flood attacks, attackers attempt to do the following:

1. **Flood web applications with traffic that looks like legitimate user traffic**
2. **Disrupt service to a specific system or person by, for example, blocking a user's access through repeated invalid login attempts**
3. **Jam the application's database connections by crafting malicious Structured Query Language (SQL) queries**

#### Application Layer Attacks - Outcomes

- Application-level flood attacks can result in a substantial loss of money, service, and reputation for organizations.
- These attacks occur after the establishment of a connection.
- Because a connection is established and the traffic entering the target appears to be legitimate, it is difficult to detect these attacks.
- However, once the attack is identified, it can be stopped and traced back to its source more easily than other types of DDoS attacks, because the attacking hosts must complete real connections and therefore cannot spoof their source addresses.

#### Application Layer Attack Techniques

- The following are examples of application layer attack techniques:

1. **Hypertext Transfer Protocol (HTTP) flood attack**
2. **Slowloris attack**
3. **UDP application layer flood attack**

### DoS/DDoS Attack Techniques

- Next, the following DoS/DDoS attack techniques will be discussed:

1. **UDP flood attack**
2. **ICMP flood attack**
3. **PoD attack**
4. **Smurf attack**
5. **Pulse wave attack**
6. **Zero-day attack**
7. **SYN flood attack**
8. **Fragmentation attack**
9. **ACK flood attack**
10. **TCP state exhaustion attack**
11. **Spoofed session flood attack**
12. **HTTP GET/POST attack**
13. **Slowloris attack**
14. **UDP application layer flood attack**
15. **Multi-vector attack**
16. **Peer-to-peer attack**
17. **Permanent DoS (PDoS) attack**
18. **Distributed reflection DoS (DRDoS) attack**

# Module 15: SQL Injection

## Ethical Hacking and Countermeasures - SQL Injection

### What is SQL Injection?

- SQL injection is a technique used to take advantage of unsanitized input vulnerabilities to pass SQL commands through a web application for execution by a backend database.
- SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database.
- It is a flaw in web applications and not a database or web server issue.
### Why Bother About SQL Injection? - Based on the use of applications and the way they process user supplied data, SQL injections can be used to implement the following types of attacks: 1. **Authentication and Authorization Bypass** 2. **Information Disclosure** 3. **Compromised Integrity and Availability of Data** 4. **Remote Code Execution** ### What is SQL Injection? - Structured Query Language (SQL) is a textual language used by a database server. - SQL commands used to perform operations on the database include INSERT, SELECT, UPDATE, and DELETE. - These commands are used to manipulate data in the database server. ### SQL Injection - Programmers - Programmers use sequential SQL commands with client-supplied parameters, making it easier for attackers to inject commands. - SQL injection is a technique used to take advantage of unsanitized input vulnerabilities to pass SQL commands through a web application for execution by a backend database. - In this technique, the attacker injects malicious SQL queries into the user input form either to gain unauthorized access to a database or to retrieve information directly from the database. - Such attacks are possible because of a flaw in web applications and not because of any issue with the database or the web server. ### SQL Injection - Application Attack - SQL injection attacks use a series of malicious SQL queries or SQL statements to manipulate the database directly. - An application often uses SQL statements to authenticate users to the application, validate roles and access levels, store and obtain information for the application and user, and link to other data sources. - SQL injection attacks work because the application does not properly validate an input before passing it to an SQL statement. ### Why Bother About SQL Injection? - SQL injection is a major issue for database-driven websites. 
- An attack can be attempted on any normal website or software package, depending on how it is used and how it processes user-supplied data.
- SQL injection can be used to implement the following attacks:
  1. **Authentication Bypass:** Using this attack, an attacker logs onto an application without providing a valid username and password, and gains administrative privileges.
  2. **Authorization Bypass:** Using this attack, an attacker alters authorization information stored in the database by exploiting an SQL injection vulnerability.
  3. **Information Disclosure:** Using this attack, an attacker obtains sensitive information that is stored in the database.
  4. **Compromised Data Integrity:** Using this attack, an attacker defaces a web page, inserts malicious content into web pages, or alters the contents of a database.
  5. **Compromised Availability of Data:** Using this attack, an attacker deletes the database information, logs, or audit information stored in a database.
  6. **Remote Code Execution:** Using this attack, an attacker compromises the host OS.

### SQL Injection and Server-side Technologies

- Powerful server-side technologies like ASP.NET and database servers allow developers to create dynamic, data-driven websites and web applications with incredible ease.
- These technologies implement business logic on the server side, which then serves incoming requests from clients.
- The server-side technology smoothly accesses, delivers, stores, and restores information.
- Various server-side technologies include ASP, ASP.Net, Cold Fusion, JSP, PHP, Python, Ruby on Rails, and so on.
- Some of these technologies are prone to SQL injection vulnerabilities, and applications developed using these technologies are vulnerable to SQL injection attacks.
- Web applications use various database technologies as part of their functionality.
- Some relational databases used for developing web applications include Microsoft SQL Server, Oracle, IBM DB2, and the open-source MySQL.
- Developers sometimes unknowingly ignore secure coding practices when using these technologies, which makes the applications and relational databases vulnerable to SQL injection attacks.
- These attacks do not exploit a specific software's vulnerability; instead, they target websites and web applications that do not follow secure coding practices to access and manipulate the data stored in a relational database.

### Understanding HTTP POST Request

- When a user provides information and clicks Submit, the browser submits a string to the web server that contains the user's credentials.
- This string is visible in the body of the HTTP or HTTPS POST request as
  - `select * from Users where (username = 'smith' and password = 'simpson');`

### Understanding Normal SQL Query

- A query is an SQL command.
- Programmers write and execute SQL code in the form of query statements.
- SQL queries include selecting data, retrieving data, inserting/updating data, and creating data objects such as databases and tables.
- Queries are used in server-side technologies to communicate with an application's database.
- A user request supplies parameters to replace placeholders that may be used in the server-side language.
- From this, a query is constructed and then executed to fetch data or perform other tasks on the database.

### Understanding an SQL Injection Query

- An SQL injection query exploits the normal execution of SQL.
- An attacker submits a request with values that will execute normally but return data from the database that the attacker seeks.
- The attacker can submit these malicious values because of the inability of the application to filter them before processing.
- If the values submitted by the users are not properly validated, then the application can potentially be targeted by an SQL injection attack.
#### SQL Injection Example

- An HTML form that receives and passes information posted by the user to the Active Server Pages (ASP) script running on an IIS web server is the best example of SQL injection.
- The information passed is the username and password.
- To create an SQL injection query, an attacker may submit the following values in application input fields, such as the username and password fields.
  - `Username: Blah' or 1=1`
  - `Password: Springfield`

#### SQL Injection Query Execution

- As part of the normal execution of the query, these input values will replace placeholders, and the query will appear as follows:
  - `SELECT Count(*) FROM Users WHERE UserName='Blah' or 1=1' AND Password='Springfield';`

#### SQL Injection Logic

- A close examination of this query reveals that the condition in the where clause will always be true.
- This query successfully executes as there is no syntax error, and it does not violate the normal execution of the query.
- The diagram below shows a typical SQL injection query.
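As an added example that is not part of the original module, the following shows the placeholder-replacement query construction from "Understanding Normal SQL Query" and the injection example above side by side with the parameterized form a developer should use instead, run against an in-memory SQLite table. The `Users` rows and the comment-terminated tautology input (`Blah' or 1=1 --`) are constructed for this demonstration; the query-building pattern is the page's own.

```python
import sqlite3

# Constructed sample rows standing in for the page's Users table.
SAMPLE_USERS = [("smith", "simpson"), ("jane", "example-pw")]


def setup_db():
    """Create an in-memory SQLite database with a small Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query_vulnerable(username, password):
    # The page's pattern: form values are pasted straight into the SQL text,
    # so a single quote in the input closes the string literal and whatever
    # follows is parsed as SQL rather than as data.
    return ("SELECT Count(*) FROM Users WHERE UserName='" + username
            + "' AND Password='" + password + "'")


def login_vulnerable(conn, username, password):
    """Execute the concatenated query; returns the matched-row count."""
    return conn.execute(build_query_vulnerable(username, password)).fetchone()[0]


def login_safe(conn, username, password):
    # Parameterized query: the driver sends the statement and the values
    # separately, so quotes or keywords inside the input remain plain data.
    row = conn.execute(
        "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?",
        (username, password),
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    conn = setup_db()
    # The page's inputs, spliced into the statement exactly as it describes.
    print(build_query_vulnerable("Blah' or 1=1", "Springfield"))
    # Constructed tautology input: "or 1=1" makes the WHERE clause always
    # true and "--" comments out the password check, so every row matches.
    print(login_vulnerable(conn, "Blah' or 1=1 --", "Springfield"))  # 2
    # The same input through the parameterized query matches nothing.
    print(login_safe(conn, "Blah' or 1=1 --", "Springfield"))        # 0
    print(login_safe(conn, "smith", "simpson"))                       # 1
```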