|
|
Application for performing man-in-the-middle IPv6 attacks
Kadlec, Branislav ; Jeřábek, Jan (referee) ; Phan, Viet Anh (advisor)
Tato práce představuje vývoj aplikace v jazyce Python určené k provádění útoků Man-in-the-Middle (MITM) ve virtuální síti IPv6. Cílem tohoto výzkumu, motivovaného hlubokým zájmem o informační bezpečnost, sítě a programování, je vytvořit univerzální nástroj, který integruje různé metody útoků do jediného uceleného řešení. Mezi cíle patří vývoj kódu v jazyce Python s využitím knihovny Scapy, důkladné pochopení protokolů IPv6, ICMPv6 a DHCPv6 a vytvoření aplikace, která se zaměřuje na tři hlavní vektory útoku: falešný server DNS, falešný server DHCP a falešnou výchozí bránu. Kritéria hodnocení budou hodnotit výkon a výhody aplikace ve srovnání se stávajícími specializovanými nástroji. Metodicky je použita knihovna Scapy a pro komplexní testování je pečlivě navrženo virtuální síťové prostředí. Etické úvahy zdůrazňují zodpovědnost uživatele při využívání takovýchto nástrojů a vyvozují analogie s dvojúčelovými nástroji, jako jsou nože. Rozsah práce zahrnuje teoretické základy, návrh aplikace, nastavení virtuální sítě, metodiku testování a analýzu výsledků. Cílem je přispět k cenným poznatkům o útocích MITM a zároveň poskytnout univerzální nástroj pro bezpečnostní praktiky. Výzkum zkoumá průsečík programování v jazyce Python, síťových protokolů a kybernetické bezpečnosti a nabízí důkladný průzkum dynamické oblasti útoků Man-in-the-Middle.
|
|
|
Generate ICMPv6 and IPv6 packets for load testing using JMeter tool
Šulka, Samuel ; Člupek, Vlastimil (referee) ; Dvořák, Jan (advisor)
The Bachelor Thesis deals with flood attacks using generating of ICMPv6 packets in an environment without IPv4 protocol. A Trafgen configuration file was created, which had the task of sending ICMPv6 packets. For other attacks was used Scapy in Python. A plug-in modul for software Apache JMeter was created for each scenario. Scenarios were tested on real device and the results were documented in write and visual form.
|
|
|
Eliminating IPv4 in a dual-stack network
Vrábel, Ondrej ; Radek,, ZAJÍC (referee) ; Ondrák, Viktor (advisor)
The bachelor's thesis focuses on the implementation of the IPv6 protocol in the computer network of the Sobotište Elementary School, with the aim of deploying IPv6-only and IPv6-mostly with NAT64 and DNS64. The thesis describes the theoretical basis and analyzes the current state of the network. The output is proposed solutions, their practical application and practical findings.
|
|
| |
|
|
Construction of IPv6 covert channels and their impact in the information system
Lohunkov, Ivan ; Jeřábek, Jan (referee) ; Phan, Viet Anh (advisor)
This thesis focuses on the issue of covert channels using IPv6 and ICMPv6 protocols. To transmit packets between devices, we need an application written in Python and also running IDS software on the receiver side. The theoretical part treats the issues of IPv6, ICMPv6 protocols and the possibility of hidden channel transmission in them. It deals with the details of their design and possible implementations. The practical part discusses a scenario that describes how the communication between the sender of packets and their receiver will take place. It also describes how to create a hidden channel and how to send it correctly. It also describes the structure of the application, both for sending the covert channel and for decrypting it. The final chapter describes programs for creating and decrypting covert channels, their communication behavior, and their strengths and weaknesses. According to the analysis of this thesis, it can be concluded that covert channels in IPv6/ICMPv6 are not yet so well understood that they are almost non-existent. This is especially true for extension headers, which are barely used in normal communication. They may be the very source, for the transmission of hidden information. The Suricata IDS has also been able to pass most packets to the receiver without alerting the receiver that the packet is suspicious.
|
|
|
SRv6 protocol and its use in education
Považan, Martin ; Zeman, Václav (referee) ; Slavíček, Karel (advisor)
SRv6 je protokol novej generácie, ktorý kombinuje segmentové smerovanie a IPv6 pomocou flexibilných rozširujúcich hlavičiek IPv6. SRv6 je plynulo implementovaný v súčasných chrbticových sieťach poskytovateľov služieb a jeho cieľom je stať sa nástupcom v súčasnosti používaného protokolu MPLS. Táto bakalárska práca analyzuje protokol SRv6 a opisuje jeho možnosti zabezpečenia a emulácie. Protokol SRv6 je analyzovaný a porovnávaný s protokolom MPLS z hľadiska kybernetickej bezpečnosti. V praktickej časti bolo navrhnuté laboratórne cvičenie demonštrujúce vlastnosti protokolu SRv6 s využitím emulátora siete Containerlab.
|
|
|
Security testing of IPv6 family protocols and related vulnerabilities
Vopálka, Matěj ; Phan, Viet Anh (referee) ; Jeřábek, Jan (advisor)
This thesis discusses the Internet Protocol version 6 (IPv6), especially the secure deployment of the protocol. The thesis deals with the shortcomings of IPv4 protocol and reason of development of IPv6 protocol. It covers topics like IPv6 addressing, structure of frames, the initial types of IPv6 extension headers. Additionally, the thesis explores related protocols to IPv6, such as NDP, SLAAC, adn DHCPv6. The thesis provides an introduction to penetration testing, describes the basic types of hackers and gives a general overview of information security attacks. The practical part is devoted to the development of an application for automatic vulnerability testing of IPv6 networks Penvuhu6. The tool is developed in Python programming language using Scapy library. Penvuhu6 has been tested in an emulated network environment with the GNS3 program. Three test scenarios were developed for the tool focusing on testing the passage of repetitive and misaligned headers, overlapping fragments, and Router advertisement and DHCPv6 advertisement messages. Penvuhu6 was tested on an emulated RouterOS device with basic and restrictive configurations.
|
|
|
Advanced Segmentation of a Simulated Network
Slávik, Mark ; Komosný, Dan (referee) ; Benedikt, Jan (advisor)
The diploma thesis deals with the simulation of available routing protocols in the NS3 simulator and in the Quagga module. The functions of simulated routing protocols are described in the theoretical part. In the practical part, the functionality of the NS3 simulator and the RIP, OLSR and OSPF, BGP routing protocols from the Quagga module are introduced using a simple topology. Finally, the network is extended and several subnets are added. Using available analysis tools, the network is subsequently analyzed and evaluated with different scenarios.
|
|
|
Testing the response of operating systems to different IPv6 flows
Ruiner, Michal ; Polák, Ladislav (referee) ; Jeřábek, Jan (advisor)
The aim of the thesis is to create an array of virtual machines and research their response to the IPv6 protocol. Another significant part is to utilize the provided tool for generating and sniffing IPv6 traffic and verify its correct functionality. For such purpose, the GNS3 open-source software is selected. A~reader is familiarized with the concepts of virtualization, GNS3 functionality and various methods of software testing together with the implemented practical models. The IPv6 protocol is introduced in detail as well as the packet format, address types and several IPv6 protocols useful for the thesis. The practical part is discussed in the Numerical results chapter. The topology is established and connectivity verified using IPv4. Configuration of static IPv6 addresses is performed on the devices as well as configuration of router to distribute particular prefixes. 5 testing scenarios are proposed that increase the input load to the tool in sense of higher number of addresses for the 3 different modes - passive, active and aggressive. 3 scripts were developed. Performance testing script measures utilization of computational resources. The other 2 scripts perform packet capturing and further analysis to compare the results of proposed scripts with provided tool. The comparison is done utilizing passive and aggressive modes. Active mode is used to observe the response of various operating systems to different IPv6 flows. Specifically, multiple Windows 10 builds, Linux distributions, Windows XP, 7, 11, macOS and Android.
|
|
|
Advanced tool for generating modern Slow DoS attacks
Hrůza, Tomáš ; Člupek, Vlastimil (referee) ; Sikora, Marek (advisor)
In today’s world, cyber threats are becoming increasingly sophisticated. Those threats include SDoS (Slow Denial of Service) and SDDoS (Slow Distributed Denial of Service) attacks, which employ advanced methods to disrupt normal service operations. These attacks are particularly difficult to detect and are effective because they simulate the behavior of legitimate users with slow internet connections. The topic of SDoS attacks is relatively new and not thoroughly documented. To respond to potentially newly devel- oped attacks, it is necessary to understand the principles of currently known attacks and have the practical capability to create them in order to develop effective countermeasures in the future. This thesis focuses on the development of an advanced tool for generating modern SDoS attacks. The main contribution of this work is the enhancement of the generator to create distributed attacks, the creation of an intuitive interface, and more options for monitoring the progress of individual attacks. The theoretical part introduces the topic of internet connection establishment and explains the properties of TCP and IP protocols in detail. It then clarifies the theory of secure communication over the internet using the HTTPS protocol and provides a comparison of currently used web servers. The final theoretical section addresses the topic of denial of service, discussing some types of currently known SDoS attacks, the tools that generate these attacks, and their shortcomings. Next chapter details the implementation of functionalities, which includes performance enhancements of the tool through the use of multiple processes. The developed tool features Slow Read, Slow Next, and Slow Drop attacks, as well as the ability to combine these attacks. This is followed by a description of how a local network of virtual machines was created for the purpose of testing the implemented tool. The final chapter presents the results and effectiveness of the tool in conducting SDDoS attacks against Apache and NGINX web servers in a local network.
|
guest ::
