Network security

Abstract:

The use of networks is growing continuously, and with it the exposure of the computer systems attached to them. Current network security controls such as firewalls cannot support sophisticated trust relationships with external entities and lack a comprehensive approach to security. This work deals with the design and implementation of a more comprehensive and flexible network security architecture that enforces a mandatory access control policy on network-related operations and on network traffic.

Introduction:

From the given network dump it is clear that the packets are based on the TCP three-way handshake, NetBIOS and SMB (Server Message Block). Further analysis shows that the first three packets form a TCP three-way handshake, packets 4 and 5 are NetBIOS Session Service packets, and the remaining packets 6 to 11 are Server Message Block packets.

TCP THREE WAY HAND SHAKE:

The TCP three-way handshake is the process for establishing a TCP connection; every conversation starts with one. In the first step, the initiator of the conversation sends a packet to the other host requesting that they start a conversation. In the second step, the destination host sends back an acknowledgement that agrees to set up the communication. In the final step, the initiator sends back one more packet confirming the connection. The three-way handshake is thus used to set up TCP/IP communication.

The TCP level of the TCP/IP protocol suite is connection oriented: before any data can be transmitted, a reliable connection must be established and acknowledged. TCP data transmission, connection establishment and connection termination are governed by specific control bits that drive the entire process. The control bits of the Transmission Control Protocol are:

URG: Urgent Pointer field significant

ACK: Acknowledgement field significant

PSH: Push function

SYN: Synchronize sequence numbers

FIN: No more data from sender

The two scenarios in which a three-way handshake takes place are establishing a connection (an active open) and terminating a connection (an active close).

Packet 1:

In the first packet a TCP SYN segment is sent from the source system 193.63.129.192, port 1843, to the destination system 193.63.129.187, port 139. The type of service field indicates routine precedence, normal delay, normal throughput and normal reliability, and the TCP option Maximum Segment Size (MSS) is set to 1460 bytes, which is used for negotiating the segment size. The segment carries sequence number 0xF1908361 and acknowledgement number 0x0. The source system is contacting port 139 on the destination, the port used on Windows systems for resource sharing over the NetBIOS Session Service.

Packet 2:

In the second packet a SYN-ACK segment is sent from the destination system 193.63.129.187, port 139, back to the source system 193.63.129.192, port 1843, again with Maximum Segment Size (MSS) set to 1460 bytes. The destination system, having received the SYN, acknowledges the synchronization request by sending a synchronize-acknowledge segment back. An MSS of 1460 bytes indicates that the destination has accepted the size requested by the source. This segment carries sequence number 0x7CFB7BBA and acknowledgement number 0xF1908362. As the three-way handshake requires, the acknowledgement number is the sequence number of the source system's SYN increased by one.

Packet 3:

In the third packet a TCP ACK segment is sent from the source system 193.63.129.192, port 1843, to the destination system 193.63.129.187, port 139, with Maximum Segment Size (MSS) set to 1460. This segment carries sequence number 0xF1908362 and acknowledgement number 0x7CFB7BBB, each increased by one, which confirms the establishment of a complete TCP connection and completes the three-way handshake. Taken together, the three packets show a complete TCP three-way handshake between the source and destination systems 193.63.129.192 and 193.63.129.187 on ports 1843 and 139, which indicates that the source system is going on to use the NetBIOS Session Service on the destination system.
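As an added example (not part of the essay), the sequence and acknowledgement arithmetic of the handshake above can be checked in Python. The three segments are constructed from the addresses, ports and numbers reported for packets 1 to 3; the TcpSegment record type is my own.

```python
# Added example: checks that three captured segments form a consistent SYN, SYN-ACK, ACK
# exchange. Sample values are constructed from the essay's packets 1-3; TcpSegment is mine.
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    seq: int
    ack_num: int


def mod32(n: int) -> int:
    """Sequence numbers live in a 32-bit space and wrap around."""
    return n & 0xFFFFFFFF


def validate_handshake(p1: TcpSegment, p2: TcpSegment, p3: TcpSegment) -> list:
    """Return a list of problems; an empty list means a valid three-way handshake."""
    problems = []
    if not (p1.syn and not p1.ack):
        problems.append("packet 1 must be a pure SYN")
    if not (p2.syn and p2.ack):
        problems.append("packet 2 must be SYN-ACK")
    if not (p3.ack and not p3.syn):
        problems.append("packet 3 must be a pure ACK")
    # The reply must travel from the server socket back to the client socket.
    if (p2.src, p2.sport, p2.dst, p2.dport) != (p1.dst, p1.dport, p1.src, p1.sport):
        problems.append("packet 2 does not reverse the 4-tuple of packet 1")
    if (p3.src, p3.sport, p3.dst, p3.dport) != (p1.src, p1.sport, p1.dst, p1.dport):
        problems.append("packet 3 does not use the 4-tuple of packet 1")
    # Each side acknowledges the other's ISN + 1: the SYN consumes one sequence number.
    if p2.ack_num != mod32(p1.seq + 1):
        problems.append("SYN-ACK ack number is not client ISN + 1")
    if p3.seq != mod32(p1.seq + 1):
        problems.append("ACK sequence number is not client ISN + 1")
    if p3.ack_num != mod32(p2.seq + 1):
        problems.append("ACK ack number is not server ISN + 1")
    return problems


# Constructed from the values the essay reports for packets 1, 2 and 3.
CLIENT, SERVER = "193.63.129.192", "193.63.129.187"
PKT1 = TcpSegment(CLIENT, 1843, SERVER, 139, True, False, 0xF1908361, 0x0)
PKT2 = TcpSegment(SERVER, 139, CLIENT, 1843, True, True, 0x7CFB7BBA, 0xF1908362)
PKT3 = TcpSegment(CLIENT, 1843, SERVER, 139, False, True, 0xF1908362, 0x7CFB7BBB)

if __name__ == "__main__":
    print(validate_handshake(PKT1, PKT2, PKT3) or "handshake is consistent")
```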

NETBIOS:

The NetBIOS Session Service is one of the two ways in which applications may communicate with each other, the alternative being the NetBIOS datagram service. The Session Service is for connection-oriented communication: it makes two computers establish a connection for a conversation, allows larger messages to be handled, and provides error detection and recovery. The bulk of all NetBIOS traffic on a network is carried by the Session Service, which uses TCP port 139. The computer with which a session is to be established responds with a "Positive Session Response", indicating that a session can be established, or a "Negative Session Response", indicating that it cannot. File and printer services are the primary users of the Session Service. Other common users are networked administrative applications such as Service Manager, User Manager, Event Viewer, Registry Editor and Performance Monitor.

The NetBIOS session packets have the following general structure:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      TYPE     |     FLAGS     |            LENGTH             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                  ... (Packet Type Dependent)                  /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The TYPE, FLAGS and LENGTH fields are present in every session packet. The LENGTH field gives the number of bytes following it. One bit of the FLAGS field acts as an additional high-order bit for the LENGTH field.

The TYPE field values of NetBIOS Session Service packets are:

0x00 - SESSION MESSAGE

0x81 - SESSION REQUEST

0x82 - POSITIVE SESSION RESPONSE

0x83 - NEGATIVE SESSION RESPONSE

0x84 - RETARGET SESSION RESPONSE

0x85 - SESSION KEEP ALIVE

The bits of the FLAGS field are defined as:

     0   1   2   3   4   5   6   7
   +---+---+---+---+---+---+---+---+
   | 0 | 0 | 0 | 0 | 0 | 0 | 0 | E |
   +---+---+---+---+---+---+---+---+

The symbol 'E' is the length extension, used as an additional high-order bit of the LENGTH field. Bits 0 to 6 are reserved and must be zero (0).

The SESSION REQUEST packet can be represented as:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      TYPE     |     FLAGS     |            LENGTH             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                          CALLED NAME                          /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                         CALLING NAME                          /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The TYPE and FLAGS fields are 1 byte each and the LENGTH field is 2 bytes, whereas CALLED NAME and CALLING NAME are 4 bytes and can be decoded using the mangle algorithm.

The POSITIVE SESSION RESPONSE packet format can be represented as:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      TYPE     |     FLAGS     |            LENGTH             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The NEGATIVE SESSION RESPONSE packet can be represented as:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      TYPE     |     FLAGS     |            LENGTH             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   ERROR CODE  |
   +-+-+-+-+-+-+-+-+

The NEGATIVE SESSION RESPONSE error code values are:

0x80 - Not listening on called name

0x81 - Not listening for calling name

0x82 - Called name not present

0x83 - Called name present, but insufficient resources

0x8F - Unspecified error

The SESSION MESSAGE packet can be represented as:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      TYPE     |     FLAGS     |            LENGTH             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                           USER DATA                           /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Packet 4:

Analyzing the fourth packet, a NetBIOS SESSION REQUEST packet has been sent by the source system 193.63.129.192 to the destination system 193.63.129.187; it is identified as a session request by the TYPE value 0x81. Parsing the packet with the structure defined above yields the CALLED NAME and CALLING NAME, which are mangled with the Microsoft mangle algorithm. After decoding, the result is:

   CALLED NAME     J4-ITRL-14
   CALLING NAME    J4-ITRL-19

The CALLED NAME J4-ITRL-14 is the device with IP address 193.63.129.187 and the CALLING NAME J4-ITRL-19 is the device with IP address 193.63.129.192.

Packet 5:

Analyzing the fifth packet, a NetBIOS POSITIVE SESSION RESPONSE packet has been sent from 193.63.129.187 (J4-ITRL-14) back to 193.63.129.192 (J4-ITRL-19), indicating that the NetBIOS session has been established successfully.
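The session packet layout and the name decoding used for packets 4 and 5 can be implemented as follows; this is an added example, not the essay's own material. It assumes the RFC 1001 first-level encoding for the CALLED and CALLING names (a 34-byte label: a 0x20 length byte, 32 characters carrying one nibble each plus 'A', and a terminating 0x00) and constructs its sample packets from the names J4-ITRL-14 and J4-ITRL-19.

```python
# Added example: parse NetBIOS Session Service (TCP/139) packets with the TYPE/FLAGS/LENGTH
# header shown above and decode first-level-encoded names. Sample bytes are constructed.
import struct

TYPES = {0x00: "SESSION MESSAGE", 0x81: "SESSION REQUEST", 0x82: "POSITIVE SESSION RESPONSE",
         0x83: "NEGATIVE SESSION RESPONSE", 0x84: "RETARGET SESSION RESPONSE",
         0x85: "SESSION KEEP ALIVE"}
ERRORS = {0x80: "Not listening on called name", 0x81: "Not listening for calling name",
          0x82: "Called name not present", 0x83: "Called name present, but insufficient resources",
          0x8F: "Unspecified error"}


def encode_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding (assumed from RFC 1001): pad the name to 15 characters, append the
    suffix byte, then emit two letters per byte (high nibble + 'A', low nibble + 'A')."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return b"\x20" + enc + b"\x00"


def decode_name(blob: bytes) -> tuple:
    """Inverse of encode_name; returns (name, suffix, remaining bytes)."""
    if len(blob) < 34 or blob[0] != 0x20 or blob[33] != 0x00:
        raise ValueError("malformed NetBIOS name label")
    enc = blob[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], blob[34:]


def parse_nbss(pkt: bytes) -> dict:
    """Parse one session packet; the FLAGS 'E' bit (lowest bit) extends LENGTH to 17 bits."""
    typ, flags, length = struct.unpack("!BBH", pkt[:4])
    if flags & 0xFE:
        raise ValueError("reserved FLAGS bits must be zero")
    length |= (flags & 0x01) << 16
    body = pkt[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet: LENGTH exceeds data present")
    info = {"type": TYPES.get(typ, f"unknown 0x{typ:02x}"), "length": length}
    if typ == 0x81:
        called, _called_sfx, rest = decode_name(body)
        calling, _calling_sfx, _ = decode_name(rest)
        info.update(called=called, calling=calling)
    elif typ == 0x83 and body:
        info["error"] = ERRORS.get(body[0], f"unknown 0x{body[0]:02x}")
    return info


def build_session_request(called: str, calling: str) -> bytes:
    """Constructed SESSION REQUEST: server name with suffix 0x20, workstation name with 0x00."""
    body = encode_name(called, 0x20) + encode_name(calling, 0x00)
    return struct.pack("!BBH", 0x81, 0, len(body)) + body
```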

SMB:

Server Message Block (SMB) is the protocol that supports the network-integrated tools of the Windows user interface. SMB can be carried over several transport protocols, including TCP/IP. It resides above the NetBIOS layer, which interfaces to the transport layer protocols and provides services related to resource naming and location.

Every session begins with a preliminary exchange of information in which an SMB dialect is negotiated and the client is authenticated and logged on to the server. When two machines come into network contact they negotiate the dialect to be used. The details of the authentication process vary depending on the operating system and its configuration.

Packet 6:

This packet is an SMB Negotiate request sent from J4-ITRL-19 to J4-ITRL-14; the SMB header carries command 0x72, the SMB Negotiate command. The fields following the header are:

   Word Count
   Byte Count
   Dialect Name ...

Analyzing the Flags field shows that this is a request message sent from the client to the server. The Negotiate request lists eight dialects that the client offers, together with their index numbers:

   Index   Dialect Name
   0       PC Network program 1.0
   1       Xenix Core
   2       Microsoft Network 1.03
   3       LANMAN 1.0
   4       Windows For Workgroups 3.1a
   5       LM1.2X002
   6       LANMAN2.1
   7       NT LM 0.12

SMB Negotiate is the client's initial packet, used to negotiate the dialect and capabilities. It provides the list of SMB dialects the client can speak to the server; the server selects an appropriate dialect for communication and returns the selected dialect index to the client.

Packet 7:

This packet is the response to the Negotiate request, sent from J4-ITRL-14 to J4-ITRL-19. The fields of the SMB Negotiate response are:

   WordCount
   DialectIndex
   SecurityMode
   MaxBufferSize
   MaxRawSize
   SessionKey
   Capabilities
   SystemTimeLow
   SystemTimeHigh
   ServerTimeZone
   EncryptionKeyLength
   ByteCount
   EncryptionKey
   OemDomainName

Analyzing this packet against the SMB Negotiate response structure, the DialectIndex selects NT LM 0.12. Other fields of interest in the response are SystemTime, which gives the server's time (interpreted with its time zone), and OemDomainName, which gives the domain.

   DialectIndex      7 (NT LM 0.12)
   SystemTime        16/08/02 03:27:17 pm (based on location and time zone)
   OemDomainName     SOC_SECURITY
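An added example (not the essay's own code) that parses the SMB header, extracts the offered dialect list from the Negotiate request of packet 6, and resolves the DialectIndex of the response in packet 7 against it. The packets are constructed from the eight dialect names and the index 7 above; the 32-byte header layout, the reply bit in the Flags byte and the BufferFormat 0x02 byte before each dialect string are assumptions taken from the SMB1 specification, not from the capture.

```python
# Added example: SMB1 header + SMB_COM_NEGOTIATE (0x72) dialect negotiation.
# Header layout and BufferFormat byte are assumptions from the SMB1 spec; packets are constructed.
import struct

SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80  # bit in the header Flags byte that marks a server response
HEADER_FMT = "<4sBIBHH8sHHHHH"  # the 32-byte SMB1 header, little-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Dialect strings as the essay's table renders them (constructed sample input).
DIALECTS = ["PC Network program 1.0", "Xenix Core", "Microsoft Network 1.03", "LANMAN 1.0",
            "Windows For Workgroups 3.1a", "LM1.2X002", "LANMAN2.1", "NT LM 0.12"]


def parse_header(pkt: bytes) -> dict:
    """Split off the SMB header; return the command, the request/response bit and the body."""
    proto, cmd, _status, flags, _f2, _pidhi, _sec, _res, tid, _pidlo, uid, mid = \
        struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if proto != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    return {"command": cmd, "is_reply": bool(flags & SMB_FLAGS_REPLY),
            "tid": tid, "uid": uid, "mid": mid, "body": pkt[HEADER_LEN:]}


def parse_negotiate_request(body: bytes) -> list:
    """Body is WordCount (0), ByteCount, then BufferFormat 0x02 + NUL-terminated dialects."""
    if body[0] != 0:
        raise ValueError("negotiate request carries no parameter words")
    (byte_count,) = struct.unpack_from("<H", body, 1)
    data = body[3:3 + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount runs past the end of the packet")
    dialects = []
    for entry in data.split(b"\x00"):
        if not entry:  # empty piece after the final NUL terminator
            continue
        if entry[0] != 0x02:
            raise ValueError("dialect entry lacks BufferFormat 0x02")
        dialects.append(entry[1:].decode("ascii"))
    return dialects


def negotiated_dialect(request_body: bytes, response_body: bytes) -> str:
    """DialectIndex is the first parameter word of the response; 0xFFFF means none accepted."""
    (index,) = struct.unpack_from("<H", response_body, 1)
    offered = parse_negotiate_request(request_body)
    if index == 0xFFFF:
        return "no common dialect"
    if index >= len(offered):
        raise ValueError("server chose an index the client never offered")
    return offered[index]


def build_header(cmd: int, reply: bool = False) -> bytes:
    flags = SMB_FLAGS_REPLY if reply else 0
    return struct.pack(HEADER_FMT, b"\xffSMB", cmd, 0, flags, 0, 0, bytes(8), 0, 0, 0, 0, 0)


def build_negotiate_request(dialects) -> bytes:
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return build_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(data)) + data


# Constructed response: WordCount 17, DialectIndex 7 (NT LM 0.12), remaining words zeroed.
RESPONSE = build_header(SMB_COM_NEGOTIATE, True) + b"\x11" + struct.pack("<H", 7) + bytes(32)
```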

Packet 8:

Analyzing this packet, it is used for setting up the SMB session.

It is identified as SMB Session Setup AndX by the command field value 0x73. This command is used for user authentication on the server. Its request fields are:

   WordCount
   AndXCommand
   AndXReserved
   AndXOffset
   ...
   MaxBufferSize
   MaxMpxCount
   ...
   VcNumber
   SessionKey
   ...
   CaseInsensitivePasswordLength
   CaseSensitivePasswordLength
   Reserved
   ...
   Capabilities
   ...
   ByteCount
   AccountPassword (variable)
   AccountName (variable)
   PrimaryDomain (variable)
   NativeOS (variable)
   NativeLanMan (variable)

The SMB Session Setup AndX request and response both carry AndXCommand and AndXOffset fields, which are used to pass an additional SMB command together with the Session Setup AndX. This packet is a request sent from J4-ITRL-19 to J4-ITRL-14; its AndXCommand is 0x75, SMB Tree Connect AndX, and it reports the native operating system as Windows NT 1381 and the native LAN Manager as Windows NT 4.0.

   AndXCommand     0x75 (SMB Tree Connect AndX)
   NativeOS        Windows NT 1381
   NativeLanMan    Windows NT 4.0

This identifies a chained SMB Tree Connect AndX and the operating system of the source system as Windows NT 1381. In the Tree Connect AndX structure the path is \J4-ITRL-14\ and the requested service is IPC. The path names the resource the client wants to access and the service indicates the type of resource the client intends to use; IPC is used for accessing named pipes.

Packet 9:

This packet also belongs to the SMB Session Setup exchange. The fields of the Session Setup AndX response are:

   WordCount
   AndXCommand
   AndXReserved
   AndXOffset
   ...
   Action
   ByteCount
   ...
   NativeOS (variable)
   NativeLanMan (variable)
   PrimaryDomain (variable)

This packet is the SMB Session Setup AndX response, with AndXCommand 0x75 (SMB Tree Connect AndX). It gives the destination system's native LAN Manager as NT LAN Manager 4.0, its operating system as Windows NT 4.0, and the primary domain of the network on which the server is located as SOC_SECURITY.

   Native LANMAN     NT LAN Manager 4.0
   Native OS         Windows NT 4.0
   Primary Domain    SOC_SECURITY

The data of the chained second command, the SMB Tree Connect AndX response, shows that access to the requested service, IPC, has been granted. IPC named pipes allow existing Windows services to execute remote API calls on the remote machine.

Packet 10:

Analyzing this packet, it is an SMB Transaction, identified by the SMB command value 0x25, which performs symbolically named transactions including named pipes and mailslots.

The setup information and parameters of an SMB Transaction are special functions defined not by the protocol itself but by the client and server implementations. The transaction is used to invoke a function and retrieve its results.

The transaction request carries the name of the transaction, here "\PIPE\LANMAN\", which is the name assigned to the Remote Administration Protocol (RAP). Each RAP request is transmitted in the parameter section of the SMB Transaction request. In this packet the parameter count is 26 and the data count is 0. The parameter section is laid out as:

   RAPOpcode (0x0068)
   ParamDesc (variable)
   DataDesc (variable)
   InfoLevel
   ReceiveBufferSize
   ServerType
   Domain (variable)

The analysis gives RAPOpcode 0x0068, which is the RAP NetServerEnum2 request. The values in this request are InfoLevel 0x0001, ReceiveBufferSize 4200 and ServerType 0xFFFFFFFF.

   InfoLevel            0x0001
   ReceiveBufferSize    4200
   ServerType           0xFFFFFFFF

Packet 11:

This packet also carries SMB command 0x25, and the SMB Flags show that it is the response. Analyzing the parameter field as a RAP NetServerEnum2 response structure gives EntriesReturned 4 and EntriesAvailable 4.

EntriesReturned is the number of server information records carried in this packet; EntriesAvailable is the number of records available on the server. The records are returned in the Data field of the SMB Transaction response. Each record is a fixed-size NetServerInfo0 or NetServerInfo1 structure; here the records are NetServerInfo1 because the InfoLevel parameter in the request was set to 0x0001.

   MajorVersion   MinorVersion   ServerName   ServerType
   4              0              J4-ITRL-14   0x0004100B
   4              0              J4-ITRL-15   0x00011003
   4              0              J4-ITRL-18   0x00011003
   4              0              J4-ITRL-19   0x00031003

All four servers are running the Workstation and Server services and all are Windows NT, Windows 2000, Windows XP or Windows Server 2003 systems. J4-ITRL-14 acts as the primary domain controller and is running the master browser service. J4-ITRL-15, J4-ITRL-18 and J4-ITRL-19 are running the browser service as backup.
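An added example (not from the essay) that parses NetServerInfo1 records from the Data field of the NetServerEnum2 response and decodes each ServerType bitmask into the SV_TYPE flags that the browser service uses, distinguishing the master, backup and potential browser bits. The record layout (16-byte name, major, minor, 4-byte little-endian type, 4-byte comment pointer) and the flag values are assumptions taken from the MS-RAP and LAN Manager definitions; the four records are constructed from the table above.

```python
# Added example: decode RAP NetServerEnum2 NetServerInfo1 records and their ServerType bits.
# Record layout and SV_TYPE_* values are assumptions from MS-RAP / lmserver.h; data is constructed.
import struct

SV_TYPE = {
    0x00000001: "WORKSTATION", 0x00000002: "SERVER", 0x00000008: "DOMAIN_CTRL",
    0x00000010: "DOMAIN_BAKCTRL", 0x00001000: "NT", 0x00010000: "POTENTIAL_BROWSER",
    0x00020000: "BACKUP_BROWSER", 0x00040000: "MASTER_BROWSER", 0x00080000: "DOMAIN_MASTER",
}
RECORD_FMT = "<16sBBII"  # ServerName, MajorVersion, MinorVersion, ServerType, comment pointer
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 26 bytes per NetServerInfo1 record


def decode_server_type(mask: int) -> list:
    """Names of the known flag bits set in mask, lowest bit first; unknown bits kept as hex."""
    names = [name for bit, name in sorted(SV_TYPE.items()) if mask & bit]
    unknown = mask & ~sum(SV_TYPE)
    if unknown:
        names.append(f"unknown:0x{unknown:08x}")
    return names


def parse_enum2_response(entries_returned: int, entries_available: int, data: bytes) -> list:
    """Parse EntriesReturned fixed-size records out of the transaction Data field."""
    if entries_returned > entries_available:
        raise ValueError("EntriesReturned cannot exceed EntriesAvailable")
    if len(data) < entries_returned * RECORD_LEN:
        raise ValueError("Data field is shorter than EntriesReturned records")
    records = []
    for i in range(entries_returned):
        name, major, minor, stype, _comment = struct.unpack_from(RECORD_FMT, data, i * RECORD_LEN)
        records.append({"name": name.split(b"\x00", 1)[0].decode("ascii"),
                        "version": f"{major}.{minor}", "type": stype,
                        "roles": decode_server_type(stype)})
    return records


def browser_role(record: dict) -> str:
    """Highest browser role a record claims; a master browser also carries lower bits."""
    for role in ("MASTER_BROWSER", "BACKUP_BROWSER", "POTENTIAL_BROWSER"):
        if role in record["roles"]:
            return role
    return "NONE"


def make_record(name: str, major: int, minor: int, stype: int) -> bytes:
    return struct.pack(RECORD_FMT, name.encode("ascii"), major, minor, stype, 0)


# Constructed from the essay's table (EntriesReturned = EntriesAvailable = 4).
SAMPLE_DATA = b"".join([make_record("J4-ITRL-14", 4, 0, 0x0004100B),
                        make_record("J4-ITRL-15", 4, 0, 0x00011003),
                        make_record("J4-ITRL-18", 4, 0, 0x00011003),
                        make_record("J4-ITRL-19", 4, 0, 0x00031003)])
```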
