# Mobile Network Security Vulnerabilities
### Call DoS attack (design problem)
- attacker uses ghost calls to DoS callees
### Concurrent ghost calls (design problem)
- for social engineering
- attack many victims simultaneously
## cryptographic tools
### confidentiality with symmetric encryption
- security requirements
  - strong encryption algorithm
  - secure key
- attacking symmetric encryption
  - cryptanalytic attack
  - brute force
- DES
  - plaintext: 64 bit
  - key: 56 bit
  - 2^56 = 7.2*10^16 possible keys
  - cracked
    - brute force: DES cracker
    - computing power keeps growing
  - solution: 3DES
    - 3 encryption passes, 3 keys
    - key: 112 or 168 bit
    - sluggish
    - block size still 64 bit
- ECB
  - multiple-block encryption
  - each block encrypted independently with the same key
- CBC (cipher block chaining)
  - XOR the previous ciphertext block with the next plaintext block before encrypting, chaining the blocks
- stream cipher
  - for streams
  - encrypts each byte
- message authentication
  - message authentication code (MAC)
    - secret key used to generate a small block of data (MAC block)
    - MAC block appended to the message
    - still needs encryption (slow)
  - one-way hash function
    - collision problem
- public-key certificate
  - trusted third party, CA
  - X.509 standard: IPsec, TLS, SSH...
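The ECB and CBC bullets above make more sense side by side. The following is an added example (not from the course notes) that uses a toy keyed Feistel block function, an assumed stand-in for DES with the same 64-bit block size, to show that ECB turns four identical plaintext blocks into four identical ciphertext blocks while CBC chaining hides the pattern and still decrypts correctly.

```python
import hashlib, hmac

BLOCK = 8  # toy 64-bit block, same block size as DES/3DES
KEY, IV, MSG = b"constructed-key", b"\x00" * BLOCK, b"PAYDAY!!" * 4  # constructed sample: 4 identical blocks

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # keyed round function: HMAC-SHA256 truncated to half a block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    # 4-round Feistel toy cipher: keyed and invertible, NOT a real cipher
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l  # final swap lets decryption run the same loop in reverse

def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l

def _blocks(data):
    assert len(data) % BLOCK == 0, "caller pads to a multiple of BLOCK"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # ECB: each block encrypted independently under the same key -> equal blocks leak
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in _blocks(pt):
        prev = block_encrypt(key, _xor(b, prev))  # chain: previous ciphertext XOR next plaintext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def repeated_blocks(ct):
    # ciphertext blocks that duplicate an earlier one (pattern leakage)
    bs = _blocks(ct)
    return len(bs) - len(set(bs))
```

With the sample message, `repeated_blocks(ecb_encrypt(KEY, MSG))` is 3 while the CBC ciphertext has no repeats; the same leakage is what makes ECB unsuitable for structured data even with a strong cipher.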
## DoS attack
- Denial-of-Service attacks
- ICMP flood
  - clearly identifiable
  - attacker wastes the same bandwidth as the victim
  - so the attacker forges the source address
- forging source address
  - impose filtering on routers to block it
- SYN spoofing
  - fills the victim's SYN table
  - wastes the victim's memory resources
- application based
  - SIP INVITE
  - HTTP flood
    - download a large file
  - spidering
    - keeps accessing different data/links
  - slowloris
    - sends HTTP requests that never complete
    - server can't accept another request
- reflection attack
  - small traffic reflected into large traffic
  - port 7
- amplification attack
  - broadcast address
  - TCP services cannot be used
  - UDP, ICMP
  - solution: blocking spoofed source addresses
- DoS attack defenses
  - high traffic volumes may be legitimate
  - slashdotted (flash crowd): popular link or website
  - prevention, detection, identification, reaction
- DoS attack prevention
  - flooding attack
    - blocking spoofed source addresses
    - filter at the nearby router
  - SYN spoofing
    - selective drop
    - modifying parameters: table size and timeout period
## malware
### Classification
- propagation: how it spreads or propagates to reach the desired targets
  - infection of existing content by viruses
  - exploit of software vulnerabilities by worms or drive-by downloads
  - social engineering attacks
- payloads: how it performs once a target is reached
  - corruption
  - theft of service: make the system a zombie agent
  - theft of information
  - stealthing/hiding its presence on the system
- independent
  - yes: worms, Trojans, bots
  - no (need a host): viruses
- replicates
  - yes: viruses and worms
  - no: Trojans and spam e-mail
- APT
  - well-resourced, persistent threats
- virus
  - needs a host
  - part of machine code
  - components
    - infection mechanism
    - trigger
    - payload
  - phases
    - dormant
    - propagation
    - triggering
    - execution
  - compression virus
    - same size as the original
    - avoids being discovered
  - boot sector infector
  - file infector
  - macro virus
  - multipartite virus
  - encrypted virus
  - stealth virus
    - code mutation
    - compression
    - rootkit techniques
  - polymorphic virus
    - changes appearance
  - metamorphic virus
    - changes behaviour
- worm
  - exploiting software vulnerabilities
  - spreading
    - network connections
    - shared media
    - RCE
    - email
## Internet security protocols and standards
### Secure E-mail
- MIME
  - plaintext
  - old RFC 822
- S/MIME
  - message encrypted only
  - sender and receiver must both use S/MIME
  - functions
    - enveloped data
      - encrypted content and associated keys
    - signed data
    - clear-signed data
    - signed and enveloped data
  - public-key infrastructure
  - M -> AES(M) -> AES(M) + RSA(K)
    - M: message, K: pseudorandom secret key
### DomainKeys Identified Mail
- DKIM
### SSL & TLS
- RFC 4346
- for TCP
- handshake protocol
- alert protocol
- heartbeat protocol
  - checks that the peer is still alive
### HTTPS
- HTTP + TLS
### IPv4, IPv6
- IPsec
  - network layer
  - tunnel between branch offices
  - secure remote access
  - resistant to bypass when placed at a firewall
  - routing
    - router advertisements only from an authorized router
    - tunnel under trust
    - prevents fake router advertisements
  - scope
    - ESP
    - IKEv2
    - VPN
    - AH (suspended)
    - security association
### VoWiFi Hijacking
- IPsec for a secure connection to the core network
- PRACK (only for VoWi-Fi)
## mobile network system and security
### evolution
- roughly one decade per generation
- standards set by 3GPP
- 2G
  - circuit switching
- 3G
  - circuit switching
  - packet switching
- 4G
  - packet switching
  - IP based
## security threats in 4G VoLTE call services
### VoLTE
- IMS (IP Multimedia Subsystem)
- bearer: QoS concept
  - (9) data
  - (1) signaling: call setup, persistent
  - (2) voice
    - guaranteed bit rate
    - RTP
- IPsec to protect VoLTE
- threats
  - using the signaling bearer to transport data packets
  - using the voice bearer to transport spam
## security threats in VoWiFi
### VoWiFi
- larger attack surface: software
- security aspects
  - Can the VoWiFi signaling sessions be hijacked?
  - Does the IMS prevent abnormal call operations?
  - Does the IMS prevent faults in the call state machine?
- two security threats from three vulnerabilities
  - hijacking VoWiFi signaling sessions
    - V1: no app-level data-origin authentication
  - manipulating IMS call service operations
    - V2: no prohibition of concurrent call attempts
    - V3: abusing the reliability provision
## 5G security introduction
### 5G
- enhanced mobile broadband
  - extreme capacity
  - extreme data rates
  - deep awareness
- mission-critical control
  - extreme user mobility
    - internet of cars
    - internet on high-speed rail
  - ultra-low latency
    - online concerts
  - ultra-high reliability
  - strong security
- massive IoT
  - deep coverage
  - ultra-low energy
  - ultra-low complexity
    - saves energy
  - ultra-high density
    - a lot of IoT devices
## (0420-1) Lab 1: DNS reflection and amplification attack
:::info
vm: host2 (nemu/nctu)
:::
- concept
- start docker (vm2 and so on likewise)
  - `docker start vm1`
  - `docker exec -it vm1 bash`
- use wireshark to monitor interface `any`
- on host2: `nslookup 8.8.8.8`
- on vm1 edit dns.c and main.c
  - dns.c: fill in the parameters by referring to a normal DNS request packet
  - main.c: fill in the correct parameters
- `make` to build the executable, then run the attack command
- amplification effect achieved
  - the forged DNS query is assembled from the parameters filled into dns.c
  - the DNS server's response
:::warning
Why this becomes an amplification attack
Principle:
setting type 255 (ANY) in the query packet asks the server for every record it can return
:::
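From the defender's side, both the amplification bullets in the DoS section and this lab come down to two checks: the resolver sees repeated ANY queries whose responses are many times larger than the queries, all addressed to one (spoofed) "client", and the edge router can drop packets leaving with a source address that is not its own. The following is an added example (not part of the course material) over a constructed resolver log; the log format, thresholds and the local prefix are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log (not a real capture): time client qname qtype query_bytes response_bytes
LOG = """\
10:00:01 192.168.56.3 example.com ANY 45 3210
10:00:01 192.168.56.3 example.com ANY 45 3210
10:00:02 192.168.56.3 example.com ANY 45 3210
10:00:02 192.168.56.3 example.com ANY 45 3210
10:00:03 10.0.2.5 example.com A 45 61
10:00:04 10.0.2.7 mail.example.com MX 50 120
"""

def parse_line(line):
    ts, client, qname, qtype, qlen, rlen = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype,
            "qlen": int(qlen), "rlen": int(rlen)}

def amplification_report(log, min_ratio=10.0, min_queries=3):
    # per "client" (in a reflection attack this is really the spoofed victim): ANY count and bytes-out / bytes-in
    stats = defaultdict(lambda: {"queries": 0, "any": 0, "in": 0, "out": 0})
    for line in log.splitlines():
        rec = parse_line(line)
        s = stats[rec["client"]]
        s["queries"] += 1
        s["in"] += rec["qlen"]
        s["out"] += rec["rlen"]
        if rec["qtype"] == "ANY":
            s["any"] += 1
    report = {}
    for client, s in stats.items():
        ratio = s["out"] / s["in"]
        # repeated ANY queries with a large response/query ratio toward one address
        suspicious = s["any"] > 0 and ratio >= min_ratio and s["queries"] >= min_queries
        report[client] = {"ratio": round(ratio, 1), "any": s["any"], "suspicious": suspicious}
    return report

def egress_filter_allows(src_ip, local_net):
    # the notes' "filter at the nearby router": only forward packets whose source belongs to our prefix
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(local_net)
```

On the sample log the address receiving the ANY responses shows a 71x byte ratio and is flagged, while the A and MX clients are not; the egress check is what stops the forged source address from leaving the attacker's network in the first place.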
## (0420-2) Lab 2: Ransomware propagation
:::info
vm: csc2022-attacker (csc2022/csc2022), csc2022-victim (csc2022/csc2022)
:::
- concept
- configure the NIC (attacker .2, victim .3)
  - `sudo ip addr add 192.168.56.2/24 brd 192.168.56.255 dev enp0s3`
  - `sudo ip link set enp0s3 up`
- attacker scans with nmap to find the victim's IP
- complete ~/csc2022/worm_server/rsa_encrypt.py
- attacker starts worm_server.py
- attacker uses the crack_attack tool against the victim (cracks the SSH password and plants the malware)
- victim triggers the condition (using cat)
- attacker receives the connection and sends the encrypted files, holding the victim's computer to ransom
- after the victim pays the ransom, send the decryption file to the victim
- victim runs the decryption file to decrypt
## (0420-3) Lab 3: Worm spreading and detection
:::info
vm: host3 (victim/victim), host4 (victim/nctu)
:::
- run worm_sample on host3, then remove it
  - delete the suspicious part of the scheduled jobs
  - remove the suspicious directory
  - confirm it has been removed
- assume the attacker already knows host4's account, password and IP; first set up passwordless SSH login in case the victim changes the password later
  - generate id_rsa on host3
  - passwordless login done
  - spread the worm and execute it remotely
  - host4 under attack
## (0421-1) Lab 4: Authentication vulnerability testing of data flows: IP spoofing attack
:::info
vm: host2 (nemu/nctu)
:::
- vm1 uses a tool to forge ICMP packets (vm2 -> host2)
## (0421-2) Lab 5: VoLTE free data transfer vulnerability testing
:::info
vm: host1 (nemu/nctu), host2 (nemu/nctu)
:::
- before the icmp-tunnel is opened
- opening it
  - server side
  - client side
- free internet access achieved
## (0421-3) Lab 6: IPsec connection hijacking attack
:::info
vm: victim (victim/nctu), server (server/nctu)
:::
- set up the IPsec tunnel between victim and server
- start the connection
- fill in the key parameters as instructed
  - replay.c
  - esp.c: arrange the fields in the order the packet is composed
- run pc_cal_sim
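The receiver-side counterpart of replay.c is the ESP anti-replay window: each packet carries a sequence number, and a receiver that tracks the highest number seen plus a bitmap of recent ones rejects any duplicate or anything older than the window. The following is an added example (not the lab's code) of that sliding window in the style of RFC 4303 Appendix A; the 8-entry window and the sequence trace are constructed for illustration.

```python
class AntiReplayWindow:
    # ESP anti-replay sliding window in the style of RFC 4303 Appendix A
    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  ->  sequence number (top - i) already seen

    def check_and_update(self, seq):
        # in a real stack this runs only after the packet's ICV (integrity check) has verified
        if seq == 0:
            return "reject: seq 0 invalid"  # ESP sequence numbers start at 1
        if seq > self.top:                 # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "reject: older than window"
        if self.bitmap & (1 << offset):
            return "reject: replay"
        self.bitmap |= 1 << offset
        return "accept"

def run_trace(seqs, size=8):
    # feed a sequence-number trace through one window and collect the verdicts
    w = AntiReplayWindow(size)
    return [w.check_and_update(s) for s in seqs]

# constructed trace: in order, one late-but-new, one replayed copy, a jump, one too old, one still inside the window
SAMPLE = [1, 2, 3, 5, 4, 3, 20, 11, 13]
```

Packet 4 arriving after 5 is still accepted (reordering is legal), the second copy of 3 is rejected as a replay, and after the jump to 20 packet 11 falls outside the 8-entry window while 13 does not.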


## (0427-1) Lab 7: How to decrypt an encrypted SMS packet from the mobile network
:::info
vm: host2 (nemu/nctu)
:::
- ./schat/intercept on host2 is a captured short-message packet; it is TLS-encrypted and unreadable
- decrypt it by finding the correct key in ./schat/example
  - in protocol preferences choose the RSA keys list
  - with the correct key (06.key) the decrypted SSL appears
- URL
- password
- download
- enter the password and it opens successfully
## (0427-2) Lab 8: ARP spoofing attack
:::info
vm: host3 (victim/victim), host4 (victim/nctu)
:::
- host3 and host4 must be set to NatNetwork
- edit /etc/ettercap/etter.conf
- edit /etc/ettercap/etter.dns
- attack with ettercap
  - unified sniffing
  - scan for hosts
  - hosts list
  - add 10.0.2.1 (router) to target 1, add 10.0.2.5 (host4) to target 2
  - arp poisoning, sniff remote connections
- host4 visits the website and enters account and password
- wireshark on host3 shows the password
- note: in ettercap stop mitm first, then stop sniffing
## (0427-3) Lab 9: SSL/TLS connection man-in-the-middle attack
- sudo apt install sslsplit
- generate a private key and a self-signed certificate
- check the certificate contents
- send the certificate to host4
- load the certificate
- repeat Lab 8
- use sslsplit to forward packets
- check the NAT table
- intercept packets
- run ARP poisoning with ettercap
- host4 logs in to the web page
- inspect sslsplit.log and find the plaintext password
- confirm the web page is using the attacker's certificate
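Both Lab 8 and Lab 9 rest on the same precondition: host4's ARP cache accepting a reply that moves the router's IP to host3's MAC. A sniffer on the victim side can see exactly that. The following is an added example (not from the course material) that walks a constructed list of ARP replies, as a tool like arpwatch would, and raises alerts when an IP changes MAC or one MAC claims several IPs; the MAC addresses and timestamps are made up.

```python
from collections import defaultdict

# Constructed ARP replies as a sniffer on host4 would see them (not a real capture):
# (time, opcode, sender IP, sender MAC); MACs are made-up
ARP_LOG = [
    ("12:00:00", "reply", "10.0.2.1", "52:54:00:12:35:00"),  # real router
    ("12:00:01", "reply", "10.0.2.5", "08:00:27:aa:bb:05"),  # host4 itself
    ("12:00:05", "reply", "10.0.2.1", "08:00:27:cc:dd:03"),  # router IP now from a different MAC
    ("12:00:05", "reply", "10.0.2.5", "08:00:27:cc:dd:03"),  # same MAC also claims host4's IP
    ("12:00:06", "reply", "10.0.2.1", "08:00:27:cc:dd:03"),  # repeated unsolicited reply
]

def detect_arp_spoofing(events, gateway_ip):
    table = {}                      # IP -> MAC first seen (what the cache originally trusted)
    ips_per_mac = defaultdict(set)  # MAC -> set of IPs it has claimed
    flagged = set()                 # MACs already reported for claiming several IPs
    alerts = []
    for ts, op, ip, mac in events:
        if op != "reply":
            continue
        ips_per_mac[mac].add(ip)
        if ip in table and table[ip] != mac:
            # a poisoned entry; the gateway binding is the one the lab's target1/target2 setup replaces
            sev = "critical" if ip == gateway_ip else "warning"
            alerts.append(f"{ts} {sev}: {ip} moved from {table[ip]} to {mac}")
        table.setdefault(ip, mac)
        if len(ips_per_mac[mac]) > 1 and mac not in flagged:
            flagged.add(mac)
            alerts.append(f"{ts} warning: {mac} claims several IPs {sorted(ips_per_mac[mac])}")
    return alerts
```

The usual mitigations are a static ARP entry for the gateway on the host or dynamic ARP inspection on the switch; in Lab 9 the second line of defence is the browser refusing the attacker's self-signed certificate.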
