April 27, 2001

Improving our network knowledge to defeat crackers

Author: JT Smith

Laurent Constantin writes "
The most serious vulnerabilities are software or application bugs.
Network insecurities are generally less important because they do not
allow an attacker to gain privileges on the systems under attack. However,
an internet hacker has to use the network to reach vulnerable systems.
So a good network configuration can complicate or prevent an
intrusion by forbidding access to vulnerable systems.

Nonetheless, several enterprises are unsecured against simple
network attacks. Perhaps system administrators have forgotten about these attacks.
The aim of this article is not to show how to protect a network (it
would otherwise be far too long) but to list ideas and tools which
can be examined in depth.

Before learning hacker's methods, system administrators should ensure
they understand their underlying network infrastructure.

For example, regarding IP over Ethernet:

- what Ethernet is

- what IP is

- when/why to use ARP/RARP

- how UDP/TCP/ICMP are encapsulated into IP packets

- whether Ethernet goes through hubs/switches/routers

- how IP routing works

- how IP fragmentation works

- what the various ICMP error messages are used for

- etc.

Once administrators have these basic skills, they can deal with network
attacks. Among commonly used methods, there are:

- Ethernet sniffing (to intercept others' sessions)

- ARP flooding (flood a switch)

- ARP redirect (redirect flow through a computer)

- ARP ping (ARP Request/Reply)

- IP spoofing (access restrictions)

- IP options (record route, source routing, etc.)

- Broadcast IP spoofing (denial of service, forced replies)

- IP fragmentation (various kinds)

- ICMP redirect (redirect flow through a computer)

- TCP hijacking (man in the middle)

- TCP seqnum prediction (blind TCP spoofing)

- TCP state blocking (various kinds)

- TCP reset (denial of service)

- local TCP client port spoofing (ftp data port)

- etc.

Several docs and tools are available on the internet concerning every
point presented.

You might want to use the free tool lcrzoex to improve your skills.
Lcrzoex contains over 150 functionalities to test an Ethernet/IP
network (sniff, spoof, configuration, clients, servers, etc.).

Lcrzo is the free network library which was used to create lcrzoex.
It can be used to create our own testing programs easily.

More information and the latest version of lcrzoex/lcrzo are available at:
http://www.laurentconstantin.com/us/lcrzo/ [main server]

http://go.to/laurentconstantin/us/lcrzo/ [backup server]

http://laurentconstantin.est-la.com/us/lcrzo/ [backup server]

Depending on the time we can afford to spend learning and practicing,
this knowledge then helps us decide:

- which security level to reach

- what's the best architecture for the network

- what are the best products fitting the needs

- how to configure devices

- etc.

In conclusion, absolute security doesn't exist, but it can be approached
using the various ways to protect an information system: we should
never forget to secure our network against simple attacks."
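One of the attacks listed in the letter, the ARP redirect, is a good illustration of why the Ethernet/ARP knowledge it asks for matters: the attack is only visible to someone who can read the raw frames and notice that an IP address has started answering from a new MAC. The Python below is an added example written for this page, not code from the article or from lcrzo/lcrzoex. It decodes Ethernet II/ARP frames, keeps a passive IP-to-MAC table and flags two signs of poisoning: a known IP claiming a new MAC, and an ARP sender address that disagrees with the Ethernet source. The frames, IPs and MAC addresses are constructed for the demonstration.

```python
"""Spotting an ARP redirect from raw Ethernet frames.

Added example; not from the original article or from lcrzo/lcrzoex.
All frames and addresses below are constructed by hand.
"""
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806  # EtherType for ARP
ARP_OP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(eth_src: str, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header (dst, src, type) followed by a 28-byte ARP reply.

    eth_src is separate from sender_mac so the demo can forge a frame whose
    ARP payload and Ethernet header disagree.
    """
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, ARP_OP_REPLY,      # Ethernet, IPv4, hlen, plen, op
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp_frame(frame: bytes) -> Optional[dict]:
    """Decode Ethernet/ARP; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(src), "eth_dst": mac_str(dst), "oper": oper,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


class ArpWatcher:
    """Passive monitor: remembers the first MAC seen per IP and flags changes."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        arp = parse_arp_frame(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        alert = None
        if mac != arp["eth_src"]:
            alert = f"{ip}: ARP sender {mac} != Ethernet source {arp['eth_src']}"
        elif ip in self.table and self.table[ip] != mac:
            alert = f"{ip}: MAC changed {self.table[ip]} -> {mac} (possible ARP redirect)"
        if alert is None:
            self.table.setdefault(ip, mac)  # learn only mappings that raised no alert
        else:
            self.alerts.append(alert)
        return alert


# Constructed scenario: the gateway (.1) answers host .10, then an attacker at
# 02:00:00:00:00:ff replies claiming the gateway's IP.
HOST_MAC = "02:00:00:00:00:0a"
GATEWAY_FRAME = build_arp_reply("02:00:00:00:00:01", "02:00:00:00:00:01",
                                "192.168.1.1", HOST_MAC, "192.168.1.10")
POISON_FRAME = build_arp_reply("02:00:00:00:00:ff", "02:00:00:00:00:ff",
                               "192.168.1.1", HOST_MAC, "192.168.1.10")
# Attacker who forged the ARP payload but left the real Ethernet source.
SLOPPY_FRAME = build_arp_reply("02:00:00:00:00:ff", "02:00:00:00:00:01",
                               "192.168.1.1", HOST_MAC, "192.168.1.10")


def run_demo() -> List[str]:
    watcher = ArpWatcher()
    for frame in (GATEWAY_FRAME, POISON_FRAME, SLOPPY_FRAME):
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In a real deployment the frames would come from a promiscuous-mode capture on the segment being protected, and the first-seen table would be seeded from a known-good inventory rather than learned, since a monitor that starts after the attacker has already poisoned the cache would otherwise learn the wrong mapping.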

