Network Intruders

1
Network Intruders
Masquerader A person who is not authorized to
use a computer, but gains access appearing to be
someone with authorization (steals services,
violates the right to privacy, destroys data,
...) Misfeasor A person who has limited
authorization to use a computer, but misuses that
authorization (steals services, violates the
right to privacy, destroys data,
...) Clandestine User A person who seizes
supervisory control of a computer and proceeds to
evade auditing and access controls.
1
2
Access Control
Today almost all systems are protected only by a
simple password that is typed in, or sent over a
network in the clear.Techniques for guessing
passwords 1. Try default passwords. 2. Try all
short words, 1 to 3 characters long. 3. Try all
the words in an electronic dictionary(60,000). 4.
Collect information about the users hobbies,
family names, birthday, etc. 5. Try users phone
number, social security number, street address,
etc. 6. Try all license plate numbers
(123XYZ). Prevention Enforce good password
selection (c0p31an6)
2
3
Password Gathering
Look under keyboard, telephone etc. Look in the
Rolodex under X and Z Call up pretending to
from micro-support, and ask for it. Snoop a
network and watch the plaintext passwords go
by. Tap a phone line - but this requires a very
special modem. Use a Trojan Horse program to
record key stokes.
3
4
UNIX Passwords
Users password ( should be required to have 8
characters, some non-letters)
Random 12-bit number (Salt)
DES Encrypted to 11 viewable characters
4
5
Storing UNIX Passwords
Until a few years ago, UNIX passwords were kept
in in a publicly readable file, /etc/passwords.
Now they are kept in a shadow directory only
visible by root. Salt prevents duplicate
passwords from being easily seen as such.
prevents use of standard reverse-lookup
dictionaries ( a different diction would have to
be generated for each value of Salt). does not
effectively increase the length of the password.
5
6
The Stages of a Network Intrusion
1. Scan the network to locate which IP
addresses are in use, what operating system
is in use, what TCP or UDP ports are open
(being listened to by Servers). 2. Run
Exploit scripts against open ports 3. Get
access to Shell program which is suid (has
root privileges). 4. Download from Hacker Web
site special versions of systems files that will
let Cracker have free access in the future
without his cpu time or disk storage space being
noticed by auditing programs. 5. Use IRC
(Internet Relay Chat) to invite friends to the
feast.
6
7
Protection from a Network Intrusion
1. Use a Firewall between the local area
network and the world-wide Internet to limit
access (Chapter 10). 2. Use an IDS (Intrusion
Detection System) to detect Cracker during the
scanning stage (lock out the IP address, or
monitor and prosecute). 3. Use a program like
TripWire on each host to detect when systems
files are altered, and email an alert to Sys
Admin. 4. On Microsoft PCs, a program like
BlackIce is easier to install than learning how
to reset default parameters to make the system
safe (and fun besides).
7
8
8
9
9
10
10
11
Type "A" Probes The first three UDP probes,
which started my investigation, had a single
character in the data field, an 'A'. The UDP
port numbers were identical, 31790-gt31789. They
stimulate the 1500-byte ICMP Echo-Request packet
and the normal 58-byte ICMP Destination_Unreachab
le-Port Packets. The Echo-Request is never
answered. Date Time EST Source IP
(Place) Destination (Place) 1999-12-28
1840 151.21.82.251 (Italy) to 24.88.48.47
(Atlanta, GA) 1999-12-10 1828 152.169.145.206
( AOL ) to 24.88.48.47 (Atlanta, GA) 1999-12-16
0334 212.24.231.131 (Saudi Arabia) to
24.88.48.47 (Atlanta, GA) UDP packets with an
empty data field, like those generated by the
"nmap" scan program, do not stimulate the
1500-byte ICMP packets from an OS-9 Macintosh.
11
12
Type "Double-zero" Probes (James Bond, 007,
"00" -gt "license to kill") I have now seen 3 UDP
type "00" probes, and had another "00" probe
reported from Kansas. These probes use a single
UDP packet, two bytes of data (ascii zeroes) and
identical UDP port numbers, 60000-gt2140. They
stimulate the 1500-byte ICMP Echo-Request packet
and the normal 58-byte ICMP Destination_Unreachab
le-Port Packets. The Echo-Request is never
answered. 1999-12-20 0704 195.229.024.212
(Arab Emirates) to 24.88.48.47 (Atlanta,
GA) 1999-12-21 0804 195.229.024.213 (Arab
Emirates) to 24.88.48.47 (Atlanta, GA)
DNS name
cwa129.emirates.net.ae 1999-12-25 0939
212.174.198.29 (Turkey) to 24.94.xxx.xxx
(Wichita, Kansas)
DNS none 1999-12-31 0535 195.99.56.179
(Manchester, UK) to 14.88.xx.xx (Atlanta, GA)
DNS name
manchester_nas11.ida.bt.net 2000-01-04 0508
24.94.80.152 (Road Runner, Hawaii) to
24.94.xxx.xxx (Wichita, Kansas)
DNS name a24b94n80client152.ha
waii.rr.com 2000-01-06 0448 195.44.201.41
(cwnet, NJ) to 24.88.xx.xxx (Atlanta, GA)
DNS name
ad11-s16-201-41.cwci.net
12
13
Traceroute to find location of IP Address
Start 11/21/99 110740 PM Find route from
24.88.48.47 to www.orbicom.com.
(196.28.160.129), Max 30 hops, 40 byte
packets Host Names truncated to 32 bytes 1
24.88.48.1 (24.88.48.1
) 17ms 17ms 16ms 2 24.88.3.21
(24.88.3.21 ) 18ms
19ms 18ms 3 24.93.64.69
(24.93.64.69 ) 17ms 18ms
17ms 4 24.93.64.61
(24.93.64.61 ) 19ms 17ms 18ms
5 24.93.64.57 (24.93.64.57
) 25ms 25ms 23ms 6
sgarden-sa-gsr.carolina.rr.com. (24.93.64.30
) 26ms 27ms 27ms 7
roc-gsr-greensboro-gsr.carolina. (24.93.64.17
) 28ms 28ms 30ms 8
roc-asbr-roc-gsr.carolina.rr.com (24.93.64.6
) 30ms 32ms 30ms 9
12.127.173.205 (12.127.173.205
) 40ms 39ms 39ms 10
gbr2-a30s1.wswdc.ip.att.net. (12.127.1.30
) 38ms 40ms 39ms 11
gr2-p3110.wswdc.ip.att.net. (12.123.8.246
) 278ms 40ms 39ms 12
att-gw.washdc.teleglobe.net. (192.205.32.94
) 41ms 43ms 42ms 13
if-7-2.core1.newyork.teleglobe.n (207.45.222.145
) 45ms 46ms 45ms 14
if-0-0-0.bb3.newyork.teleglobe.n (207.45.221.69
) 45ms 47ms 49ms 15
ix-1-1-1.bb3.newyork.teleglobe.n (207.45.199.202
) 50ms 46ms 50ms 16
196.30.121.243 (196.30.121.243
) 44ms 48ms 45ms 17
fe0-0.cr3.ndf.iafrica.net. (196.31.17.26
) 635ms 632ms 633ms 18
atm6-0sub300.cr1.vic.iafrica.net (196.30.121.81
) 641ms 640ms 644ms 19
196.30.200.6 (196.30.200.6
) 643ms 640ms 643ms 20
196.4.162.86 (196.4.162.86
) 662ms 659ms 664ms 21
www.orbicom.com. (196.28.160.129
) 663ms 658ms 664ms Trace
completed 11/21/99 110825 PM
13