Presentation Layer Security

1
Presentation Layer Security

• Lecture 7
• Supakorn Kungpisdan
• supakorn_at_mut.ac.th

2
Roadmap

• Introduction to Presentation Layer
• NetBIOS and SMB
• NetBIOS and Enumeration
• Sniffing Encrypted Traffic

3
Introduction to Presentation Layer

• Presentation layer deals primarily with data
  representation
• If one host supports Extended Binary-coded
  Decimal Interchange Code (EBCDIC) for character
  sets and another supports ASCII, the presentation
  layer converts data according to each hosts
  needs
• Other functionalities include data compression,
  data encryption, and manipulating XML objects

4
CIFS (or SMB)

• Common Internet File System (CIFS), aka Server
  Message Block (SMB), is a network protocol for
  file sharing on a LAN, running at
  app/presentation layer
• A client-server protocol
• Rely on other protocols for transport
• Most commonly used is NetBIOS over TCP (NBT)
• MS Oses use CIFS for remote file operations
  (mapping networtk drives), browsing (via Network
  Neighborhood), authentication (NT, Win2000,
  2003), and remote printer services
• Unix Oses also implement CIFS via the Samba
  program

5
NetBIOS and SMB VS OSI
6
CIFS History

• In 1984, IBM wrote NetBIOS, an API allowing basic
  network communications between hosts on a small
  subnet, but it required a transport protocol
• The following year, IBM released a transport
  protocol that makes NetBIOS come to life
• Both of them are merged into NetBIOS Enhanced
  User Interface (NetBEUI)
• Later, NetBIOS was implemented using various
  transport protocols e.g. DECnet, IPX/SPF, and
  TCP/IP

7
CIFS History (cont.)

• Soon after, MS and Intel created the 1st
  rendition of the SMB/CIFS file sharing protocol
  titled Core Protocol
• MS and Intel chose NetBIOS to deliver the upper
  protocol CIFS packets
• CIFS using NetBIOS over TCP became standard
  network file sharing mechanism for MS Oses
• Several operations have been added to CIFS
  overtime
• File access
• File and record locking
• Safe file caching
• File change notification

• Protocol negotiation
• Extended file attribute handling
• Batched requests
• Unicode support

8
NetBIOS

• NetBIOS runs over many transport protocols, but
  recently TCP/IP is the most common transport
  protocol used
• Main NetBIOS services
• Name service
• Session service
• Datagram service

9
NetBIOS Name Service

• NetBIOS names are human readable names assigned
  to computers on a network
• Commonly seen in Windows in Network Neighborhood
• Serve the same purpose as the DNS system in
  TCP/IP, but different in the method

10
NetBIOS Naming Properties

• Broadcast and/or server based
• Name registration and lookups can be accomplished
  by broadcasting to the LAN and/or using a central
  NetBIOS name server (NBNS or WINS)
• Broadcast only (b-node)
• NBNS only (p-node)
• Broadcast first then NBNS (m-node)
• NBNS first then broadcast (h-node)
• Dynamic registration
• With NetBIOS, when a computer boots, it registers
  its name/IP combination dynamically

11
NetBIOS Common Procedure

• Two most common NetBIOS name service are name
  registration and name query
• Name registration associates a NetBIOS name with
  an IP
• Name query determines the IP address associated
  with an given name

12
NetBIOS and SMB

• The original NetBIOS protocol was developed to
  become the NetBIOS Frames Protocol (NFB) often
  referred to as NetBEUI or just NetBIOS.
• NBF or NetBEUI provides a datagram delivery and
  session service that can be used for a variety of
  network applications.
• The above protocol is often encapsulated in other
  (routable) protocols such as IPX/SPX (which
  Microsoft refers to as NBIPX) or TCP/IP (which
  Microsoft refers to as NBT).

13
NetBIOS and SMB (cont.)

• Although NBF (either in encapsulated form or "on
  the wire") can be used for a variety of
  applications, it is often used as a foundation
  for the Server Message Block (SMB) protocol.
• One of the most widely used network
  configurations is SMB running over NetBIOS over
  TCP/IP.
• SMB has been developed to become the Common
  Internet File System (CIFS).
• Recently CIFS has been implemented directly on
  TCP/IP without requiring the NetBIOS over TCP/IP
  layer.

14
SMB and SAMBA

• SAMBA is a project has been established to
  provide free implementations of the SMB protocol
  and file and printing sharing facilities for
  various platforms.
• The SAMBA project has had to "reverse engineer"
  the protocols and continues to work in this
  manner in order to keep the software free.
• Despite having released a version of SMB to the
  X-Open organization, Microsoft continues to
  develop the protocol as a proprietary protocol
  and details of some of the more recent versions
  have not been made freely available.

15
Name Registration (b-node)
1
1
2
1
1

1. Broadcast name registration packet containing
   name and IP over UDP port 137 three times
   (waiting 250 ms each)
2. If a host has already registered the name, it
   sends back a defense packet back

2
16
Name Registration (p-node)
1
2

1. Unicast name registration packet over UDP port
   137 directly to NBNS three times (waiting 250 ms
   each)
2. If the name is already registered, NBNS sends
   back a defense packet back

1
2
WINS server
17
Name Query (b-node)
1
1
2
1
1

1. Broadcast name query request containing name
   over UDP port 137 three times (waiting 5 s each)
2. If a host has already registered the name, it
   sends back a defense packet back

2
18
Name Query (p-node)
1
2

1. Unicast name query request over UDP port 137
   directly to NBNS three times (waiting 250 ms
   each)
2. If the name is already registered, NBNS sends
   back a defense packet back

1
2
WINS server
19
Session Service

• RFC1001 A session is a reliable message
  exchange, conducted between pair of NetBIOS
  applications. Session is full-duplex, sequenced,
  and reliable
• CIFS uses the session service to send and receive
  all upper layer commands, including file and
  printer operations
• The first step in any CIFS communications is to
  establish a NetBIOS session between client and
  server

20
Session Service Primitives

• Call Initiate a NetBIOS session
• Create TCP connection and send a NetBIOS call
  packet containing the clients NetBIOS name and
  the servers NetBIOS name
• Listen Wait for a NetBIOS call command
• Mapped a server waiting on TCP port 139
• Hang up end a NetBIOS session
• Mapped into TCP by initiating a TCP teardown
  sequence
• Send send a message over a NetBIOS session
• Receive receive a message from a NetBIOS session
• Session status obtain information about session

21
Datagram Service

• RFC1001 The datagram service is unreliable,
  non-sequenced, connectionless service
• Used by NetBIOS application as a fast,
  broadcast-capable, low-overhead method of
  transferring data
• Implemented on UDP port 138
• All NetBIOS datagram packets adds a header
  containing NetBIOS name and whether or not the
  NetBIOS datagram was fragmented to be sent via
  UDP
• CIFS protocol standard does not implement NetBIOS
  datagram server, but CIFS implementations
  typically use it for browsing

22
CIFS Internals

• CIFS allows file sharing between network nodes
• Client-server design
• Each packet contains a command field indicating
  the packet purpose e.g. Login, open a file, read
  from a file, or write to a file

23
CIFS Properties

• Client/server request/response
• Allow multiple simultaneous requests be assigning
  multiplex id (MID) to each request
• The server replies with the same MID
• Command based
• CIFS packet contains a 1-byte command field
  allowing 100 commands available

24
CIFS Properties

• Protocol dialects/negotiation
• Allow different variants (dialects) of CIFS to
  communicate
• When client wishes to access files on a remote
  server, client sends a negotiate protocol packet
  containing a list of dialect strings that it is
  capable of understanding. The server sends back
  the response containing which dialect it wishes
  to communicate

25
SMB Variants
Ref http//samba.anu.edu.au/cifs/docs/what-is-smb
.html
26
CIFS Properties (cont.)

• User/share level security
• User level security
• A client wishing to access the share must provide
  a username and a password
• Used in windows 2000 onwards
• Share level security
• The share itself requires a password, but no
  username is required
• Used in windows 95 and 98

27
CIFS Properties (cont.)

• Encryption
• Password entered is sent in an encrypted format
  to server
• NTLM and LM
• Command batching
• Many CIFS packets are capable of piggybacking
  other CIFS packets to reduce latency and better
  utilizing network bandwidth
• This technique is referred as ANDX batching

28
CIFS Properties (cont.)

• Opportunitistic locking (oplock)
• When a CIFS packet specifies to open file, an
  oplock can be requested
• If granted by server, no other entities can
  access the file

29
CIFS Packet Header
30
CIFS Operations

• Two common CIFS client/server packet exchanges
• Client initiates contact with a server
• Client requires to open a file and read from it

31
Initial Contact, Login, and Tree Connect
32
File Open and Read
33
Null User Overview

• At the core of the Windows authentication scheme
  lies the 'User' administrative unit.
• When we create users, we assign them rights,
  privileges, and policy restrictions to define
  what they can and can't do on our networks.
• But in addition to the standard User, Windows
  supports a special type of user called the 'Null'
  user, which is basically a pseudo-account that
  has no username or password, but is allowed to
  access certain information on the network
• Some MS Oses and services used to require that
  you utilize the null user in order to operate
  properly

34
Null User Overview (cont.)

• Null user can enumerate account names and shares
  on domain controllers, member servers, and
  workstations alike.
• Therefore this Null user, a user with no
  credentials, can be used to glean a tremendous
  amount of information from your network without
  raising any eyebrows

35
Why would we ever support null user?

• Null user account is used by IPC (Interprocess
  Communications) all the time.
• For instance, in a multi-domain model where
  one-way trusts are created, the Null user is used
  when permissions for resources in the trusting
  domain need to be granted to user accounts in the
  trusted domain.
• After all, the users needing to choose from a
  list of available accounts are not trusted, so
  someone has to be able to enumerate the users

36
Why would we ever support null user? (cont.)

• Microsoft's System Management Server uses the
  Null user to enumerate shares during discovery.
• Even the mundane action of starting a NT
  workstation or server creates an initial Null
  user logon to one of your domain controllers
  after its NetBIOS name is successfully registered
  (before you get the Ctrl Alt Delete logon
  prompt)
• System account uses the null user to get to
  remote resources

37
NetBIOS Enumeration

• Null sessions allow users to communicate via
  NetBIOS in order to query any server as the null
  user
• If this occurs, users can enumerate shares,
  users, groups, permissions, policies. They can
  probably brute force their way into the network
• Many tools can be used to enumerate different
  aspects of a Windows server

38
enum

• enum is a console-based Win32 information
  enumeration utility.
• Using null sessions, enum can retrieve userlists,
  machine lists, sharelists, namelists, group and
  member lists, password and LSA policy
  information.
• enum is also capable of a rudimentary brute force
  dictionary attack on individual accounts.

Ref http//www.cotse.com/tools/netbios.htm
39
enum (cont.)
No limit number of logon attempts
40
enum (cont.)
41
Exploiting the IPC Share

• Windows have hidden administrative shares that
  have at the end (e.g. C, ADMIN, IPC). The
  system tells itself to omit this share from any
  request for the enumeration of shares
• Interprocess Communication (IPC) share is
  necessary to make systems work properly
• IPC is used for data sharing between processes
• In Old versions of Windows (esp NT), users can
  exploit the use of IPC and other hidden shares
  through a null session
• Once connected, the user may utilize the net view
  and net use command to browse and connect to the
  hidden shares on a machine

42
Exploiting the IPC Share (cont.)
43
winfo
verbose
C\winfo\winfo 192.168.1.1 v -n
Establish a null session before dump data
44
Other NetBIOS Issues

• An attacker can generate a fake packet to deny a
  host joining the network
• Many vulnerabilities have been fixed in new
  Windows OSes, but several organizations still
  have legacy systems
• Thus, these types of NetBIOS vulnerability still
  exist

45
Default NetBIOS Options
46
Sniffing Encrypted Traffic

• Obfuscation
• Some utilize encryption and others use one-way
  function
• Make it difficult to intercept a transmission of
  a message and retrieve it content
• Base64 encoding
• Not suitable for data protection
  (confidentiality)
• No shared key between encode and decode functions

47
Sniffing Encrypted Traffic (cont.)

• XOR encryption
• Use shared key, provide more protection

48
Sniffing Encrypted Traffic (cont.)

• Message Digest
• MD5 and SHA-1
• Not an encryption algorithm
• The premise for using digests and hashes is to
  make it difficult for a collision to occur,
  computationally infeasible to reproduce identical
  digests/hashes from different input
• Most commonly used to obfuscate passwords
• Vulnerable to brute-force and rainbow table
  attacks

49
Attacking Kerberos
50
Attacking Kerberos (cont.)

• Communications between C and AS is derived from
  users password
• Windows computes a one-way function (OWF) against
  the password to generate the key
• If the hash value is known, we can run a
  dictionary attack against the key
• Known ciphertext attack ? if the ciphertext and
  algorithm are known, we can perform computations
  with known plaintext until the ciphertext is
  matched
• Security of Kerberos depends on how strong the
  password is

51
Attacking Kerberos (cont.)
Hashed password
52
Attacking Kerberos (cont.)

• Run Kerbsniff, a command-line utility to capture
  AS-REQ value to a text file

53
Attacking Kerberos (cont.)

• Run Kerbcrack on the hashed password to recover
  the password

Dictionary attack
Input file
54
Attacking Weak Protection Schemes

• Many people said that data protection requires
  strong cryptographic algorithms that can resist a
  dictionary or brute-force attack
• However, much of the problems lies in selecting
  weak password
• Weak protection scheme reduces the effort an
  attacker must take once the hash value is known

55
John the Ripper
56
Question?

• Next week
• Presentation Layer Security