Computer Crimes Examples of Network Security Attacks

About This Presentation

Title:

Computer Crimes Examples of Network Security Attacks

Description:

Introduced in August 1998 by Cult of the Dead Cow (cDc); Free from http://www.cultdeadcow.com ... gather passwords: dialup, network access, screensaver ... – PowerPoint PPT presentation

Number of Views:307

Avg rating:3.0/5.0

Slides: 44

Provided by: romanma7

Category:

more less

Transcript and Presenter's Notes

Title: Computer Crimes Examples of Network Security Attacks

1
Computer CrimesExamples of Network Security
Attacks

Roman Markowski
IS Manager
Northeast Parallel Architectures Center
Syracuse University
March 1999
http//www.npac.syr.edu/users/roman/

2
Computer crimes (1)

Computer crimes
First network attack 1988 (Worm Robert Morris,
Cornell)
Attackers hackers vs. crackers (vandals, spies)
hacker are proud of what they are doing and
publish their achievements crackers - hacking
for profit
US companies lose 7.5 billion annually
Attacks
Social engineering method (obtaining username and
password from another person)
Trojan Horses and system modifications (modified
login, su, telnet, in.telnetd, ftp, ls, ps,
netstat, ifconfig, find, du, df, libc, sync,
inetd, and syslogd)

3
Computer crimes (2)

Attacks
Denial of service - some servers or services stop
running
SYNC Flood, Ping o'Death
IP Spoofing - a hacker poses as a legitimate host
using a fabricated IP address
Session hijacking - stealing sessions
Web spoofing - creating fake Web sites
DNS hijacking - redirect DNS
Password Sniffing - there are some tools like TCP
Grab or Passfinder
CGI PHF (Packet Handling Function) can be used to
extract password file (Crack)
Holes in commercial and public domain software
(sendmail, flexlm, yppasswd, ftpd, various
servers)

4
Computer crimes (3)

Attacks
Hostile Java applets
Invasion of privacy - access and modification to
private data
viruses (for Windows and Unix)- annoying,
destructive
There is no such thing as a 100 secure computer
network
Only 5 of crackers write their own code most
cracker tools is publicly available
Large majority of attacks are INTERNAL ( altering
data stealing source code damaging computer
systems revealing confidential information)

5
Typical Scenario

gain access to an account
default or ease to guess passwords social
engineering
exploit a vulnerabilities in an operating systems
- Unix services are particularly vulnerable
(sendmail /IMAP/POP, NFS, NIS, DNS/BIND, FTP,
TFTP, SYSLOG)
use "crack" to break more user passwords
obtain superuser privileges
install "back doors" (Trojan Horses)
install sniffers (packet and password grabbers)
to obtain more password and site information

6
Typical Scenario - collecting tools

Strobe - excellent port scanner
http//rootshell.connectnet.com/
Mscan - powerful scanner
http//rootshell.connectnet.com/
Scotty - protocol agent
http//wwwsnmp.cs.utwente.nl/schoenw/scotty/
Jizz - DNS poison server
http//rootshell.connectnet.com/
Nmap - many types of scans
http//www.insecure.org/nmap/index.html
RootKit - OS centric tools
http//rootshell.connectnet.com/
QueSO - OS identification
ftp//apostols.org/AposTools/snapshots/
SATAN - exposure assessment
ftp//ftp.win.tue.nl/pub/security
SAINT - based on SATAN
http//32bit.bhs.com/

7
Typical Scenario - data gathering

IP space, names, mail servers, contact
information
whois, nslookup
management, topology and gateway data
(scotty) discover -smtp icmp
ping, traceroute
information about hosts
strobe -b1 -e1024 host
nslookup host
satan (tcp_scan, udp_scan),saint, mscan, scotty,
netcat, queso, nmap, dig, etc. etc

8
Typical Scenario - research

Information about vulnerabilities
http//www.cert.org/
http//www.dejanews.com/
http//www.geek-girl.com/bugtraq/
http//www.zdnet.com/
http//wwwrootshell.connectnet.com/
http//www.hackersclub.com/
http//www.ntsecurity.com/
vendors Microsoft, Sun, SGI, Netscape, IBM, HP,
..
Newsgroups alt.hacker
Attack

9
Threats

Hacker attacks (vandalism, springboard)
Denial of service (competition)
Theft (software, ideas, money)
Damage to public image (companies, people)

10
Trends

Cracker tools getting easier to use (GUI) and
easily distributed (hacker groups as distribution
houses)
High quality, extremely functional hacker tools
lots of good tools
Attack from multiple sources simultaneously at
Christmas time, New Years Eve, etc
New hacks all the time
The attacks are getting more sophisticated
Various hacks are combined

11
Denial of Service Attacks (1)

Against companies to make their computers
unusable damage the company image
Takes systems attention from real attack
There are countless DoS attacks out there today
ftp//info.cert.org/pub/tech_tips/denial_of_servic
e
Various forms
SYN Flooding
Land and similar
Teardrop and similar
Smurf, papasmurf
Ping of Death

12
Denial of Service Attacks (2)

SYN Flood
SynFloods (Fall 1996) and Shake The Net ( 1997)
TCP is subject to SynFlood
TCP based on 3-way handshake (ISN - initial
sequence number)
A ------SYN(A,ISNa)----------------- ------B
A
A ------ACK(B,ISNb)------------------------B
Systems must allocate resources for each SYN to
come in
Attacker sends several SYN packets to a victim
from a spoofed (fake), unanswering machine
SYN(X,ISNx). Connection cannot be ACK and waits
for timeout. The queue will fill up and the
machine is going down or does not serve more
requests. Some systems (IRIX 5.3, SunOS 4.1.3
allow for 8 simultaneous connections
timeoutseveral minutes)

13
Denial of Service Attacks (3)

SYN Flood - Defense
increase size of connection queue (LISTEN-Q in
kernel)
(Solaris) ndd /dev/tcp tcp_conn_req_max
decrease timeout period
(Solaris) ndd /dev/tcp tcp_conn_grace_period
remember it is per port, NOT per host
deny service to any IP address that sends too
many requests in a short period of time
RFC 2267 (1998, January) configure routers to
block packets with spoofed source addresses.
This should be implemented by ISPs. They can
prevent packets with spoofed source addresses
from leaving their own network

14
Denial of Service Attacks (4)

Land Attack
November 1997
affects many Unix,Windows NT/95, routers and
switches
uses poorly implemented TCP/IP stack
send a TCP SYNC packet
destination IP address source IP address
victims IP address
source port destination port available port
on victims machine
Packet is sent back to itself result machine
crashes
Defense
vendor patches
anti-spoof filters

15
Denial of Service Attacks (5)

Teardrop Attack (summer 1997 )
use a bug in the implementation of IP packet
fragmentation
send 2 specially fragmented IP datagrams
(overlapping fragments)
the first 0 offset fragment with the payload of
size N MF bit on
the second positive offset less than NMF0
the offset is shorter then previous fragment
reassembly procedure creates negative number,
which is treated by system as s very large
positive number
Linux, Win95, WinNT will crash because the copy
operation overwrites the memory
variants bonk (affects port 53), newtear
(UDP-based)
Defense
vendor patches
http//www.cert.org/advisories/CA-97.28.Teardrop_L
and.html

16
Denial of Service Attacks (6)

Smurf Attack
summer 1997 (smurf tool)- http//www.rootshell.com
smurf sends many spoofed ICMP echo request
(ping) to a broadcast address on a victims
network
the victims (spoofed) machine gets too many
responses from every host on the network,
consuming all available bandwidth
attack based on spoofing source IP address
papasmurf - an improved, optimized version of
smurf UDP based
Defense
filter out ICMP messages on a router this can
harm your ability to monitor the network
router configuration option no IP
directed-broadcast (cisco)

17
Denial of Service Attacks (7)

Ping of Death
IP packets limited to 64 K bytes (RFC 791)
some implementations allow to send larger packets
some target hosts will overflow counters and
crash NT 3.51 will crash, NT 4.0 will not
http//www.cert.org/advisories/CA-96.26.ping.html
http//www.pp.asu.edu/support/ping-o-death.html

18
DNS Cache Poisoning (1)

DNS - Domain Name Service - critical component of
the Internet maps names to IP addresses mail
exchanger
Clients use resolver to access DNS servers
BIND - Berkeley Internet Name Domain - most
common DNS
DNS servers query each other to resolve names
(QueryID)
To lower traffic requirements, DNS servers will
cache answers

Root DNS
www.company.com
COM DNS
Local DNS
Client
Company DNS
19
DNS Cache Poisoning (2)
DNS evil
(3) store Query ID
(2) any.evil.com ?
(7) Cache www.bank.com x.y.z.w
DNS good
(1) any.evil.com ?
Evil x.y.z.w
(4) www.bank.com ?
(6) spoof answer
www.bank.comx.y.z.w
(5) www.bank.com ?
(9) x.y.z.w
DNS bank
(8) www.bank.com ?
Good
Www bank
(10) bank transaction
20
DNS Cache Poisoning (3)

DNS cache attack affects all versions of BIND and
Windows NT Server DNS
Defense
decrease TTL (and performance)
use hard to predict Query ID
digitally sign DNS records
use SSL / HTTPS for important transactions
protect DNS server
use suspicious activity detection software

21
Port Scanners (1)

Help to identify openings on a system and the
type of the system
Understand what services are running where
Direct
TCP connect (strobe, SATAN-tcp_scan, netcat)
UDP connect (SATAN-udp_scan,netcat)
service protocols, application level (MSCAN)
Indirect
tunneling (NMAP-FTP Bounce)

22
Port Scanners (2)

Scan all 65,535 TCP ports and 65,535 UDP ports
80/tcp - http, 23/tcp - telnet, 53/udp - DNS,
6000/tcp X server
Examples network scans
ping www.company.com
traceroute www.company.com
discover -snmp 20.10.213 (SCOTTY OS
identification)
discover -icmp 20.10.213 (SCOTTY host
identification)
Examples port scans
strobe 127.0.0.1
tcp_scan 127.0.0.1 1-1024
udp_scan 127.0.0.1 1-1024
mscan -h target

23
Port Scanners (3)

MSCAN
http//rootshell.connectnet.com/
powerful, application level scanner
current popular vulnerabilities (statd, IMAP/POP,
IRIX LP, BIND buffer overflow, NSF, Xserver,
cgi-bin)
lots of attention in http//www.cert.org/incident_
notes/
SCOTTY
http//wwwsnmp.cs.utwente.nl/schoenw/scotty/
management and topology discovery

24
Port Scanners (4)

NMAP - http//www.insecure.org/nmap
TCP scans - connect to every port with 3-way
handshake
UDP scans SYN scans using IP fragments
ACK and FIN scans
designed to by-pass firewalls and intrusion
detection tools
QueSO - http//www.apostols.org/projectz/queso
TCP scans with various combinations of TCP flags
SYN, SYNACK,FIN, FINACK,SYNFIN
can determine various types of the operating
systems, kernel versions

25
Port Scanners (5)

NMAP - FTP bounce
we can tell an anonymous ftp server to connect to
machines inside its firewall
ping 20.10.1.17 (host behind a firewall)
ICMP Host Unreachable
ping 128.70.21.256
128.70.21.256 is alive
nmap -ports 20-32 anonymousfoobar_at_128.70.21.256
20.10.1.17
connection to ftp//anonymousfoobar_at_128.70.21.256
21
TCP ftp bounce scan against 20.10.1.17
list of ports, protocols, services

26
Back Orifice (1)

Allows remote control of Win 95 and Win 98
Backdoor allows attacker to bypass system
security
Gives remote access to File system, registry,
passwords, operating system, network, processes,
screen and keyboard
Introduced in August 1998 by Cult of the Dead Cow
(cDc) Free from http//www.cultdeadcow.com
BO2K (Back Orifice 2000) on the way!
Contains integrated services HTTP server, packet
sniffer, keyboard monitor for logging keystrokes,
connection and application redirection

27
Back Orifice (2)

Works in Client - Server model client and server
communicate over UDP port 31337 port can be
changed
Server must be installed on the victim machine
trivial to install does not show up in the task
list
Client runs on hackers machine
Very nice GUI there is also command line
interface

28
Back Orifice (3)

Capabilities
examines key strokes, get detailed system
information
lock and reboot the machine
gather passwords dialup, network access,
screensaver
Registry list, create,delete,set keys and values
Processes List, kill, and spawn processes
network view all accessible network resources
file system copy, rename, delete, view,
compress, search files and directories
packet redirection redirect any incoming TCP and
UDP port to any other address and port

29
Back Orifice (4)

Capabilities
remotely control video input devices (like a
Quickcam)
Plugins defines interface between BO and various
additional tools. Available plugins
Sniffer - gathers all network traffic
Satan Wrap - installs BO and runs an application
(e.g. game)
Trumpet - e-mails BO server address upon
activation
. . . . Other . . .

30
Back Orifice (5)

Defense
ToiletPaper v 1.0
www.sinnerz.com/tp.html
BoDetect 1.0
www.spiritone.com/cbenson/current_projects/backor
ifice/bodetect.htm
C\WINDOWS\SYSTEM\WINDLL.DLL
AntiVirus tools
never accept unsigned ActiveX controls
NT is not immune
NetBus 2.0 released in January 1999 Back Orifice
like functionality for Windows NT
http//www.netbus.org

31
Session Hijacking (1)

Allows an attacker to steal, share, terminate,
monitor and log any terminal session that is in
progress
Session stolen across the network
HUNT, session hijacking tool written in November
1998 http//www.rootshell.com allows insertion
of commands or takeover of session
What can be hijacked telnet, rlogin, rsh, ftp

32
Session Hijacking (2)

Session hijacking scenario
A telnets to B to get some work done
Attacker resets connection to A
Attacker kicks off A and takes over the session
to B. The logs will show that A made all changes
Other tools Juggernout, TTYWatcher, IPWatcher
Defenses use strong authentication (SSH), do not
telnet to critical computers

33
A Social Engineering Attack

It is an attempt by a computer hacker to persuade
a legitimate system user to reveal information,
allowing the hacker to break through the system
security
most common way hackers break into systems
the most common attack through the telephone
If you give me your logon ID and password, I
can fix it in a few minutes, you can change your
password when I am done
hacker takes advantage of the organization size -
people do not know each other
if you receive a suspicious phone call, ask for a
phone number and call the person back.

34
Web Spoofing

URL rewriting
The attacker creates false copy of a the
entire Web
attacker takes selected pages, the rest is
available on-line
attacker web server is between a victim and the
rest of the Web (DNS poisoning, registering false
URL in a search engine)
if you see http//www.bad.com/http//www.good.com
you are under attack works even with secure
connection
You can ask for it http//www.anonymizer.com/
he can intercept and modify data
capture passwords, credit card information, etc
Defense
disable JavaScript (prevents attacker from hiding
URLs)
Display URL and look at it

35
Frame Spoofing

The attacker inserts a frame into a web page
developed in December 1998 and January 1999
one of user frames can be controlled by an
attacker while all others are normal
the attacker frame can be used to gather
passwords, credit card information, or display
misleading information
exploits implementation vulnerability on most
browsers
http//www.secureexperts.com/framespoof
attacker web server is between a victim and the
rest of the Web
web and frame spoofing creates a BIG opportunity
Defense
patch your browsers
use dynamic frame names for sensitive screens

36
Web Exposures

When PHF script exist
http//your.host/cgi-bin/phf?Qaliasx0Acat20/etc
/passwd
0A -new line 20 - space
Most Web applications are never tested for
penetration vulnerabilities (input handling
issues)
cgi script may be able to use files outside of
server area
unexpected arguments
Web servers have well-known bugs in most cases
requires ability to find, read and recreate
exploits
various exploits described at
http//www.cert.org/advisories/
Most popular replace web pages with new ones
put additional contents

37
Sneakin

Runs under Unix operating system
My network allows outgoing telnet (src port
1024, destination port 23)
Attacker installs a sneaking daemon on our
network and sends a few pings from outside.
Daemon responses telneting out and the session
is established
When connection made, sneakin client and server
reverse the connection
Available from http//www.rootshell.com
Defense strong internal host security and
Principle Of Least Privileges (open absolutely
minimal amount of services)

38
Loki

Think of it as a telnet over ICMP (ping) gives
the ability to tunnel shell sessions over ICMP or
UDP port 53 (looks like DNS)
Offers a command line shell to the attacker on
the victim machine
Works in a client-server model first server must
be installed on the victims machine
http//www.phrack.com/Archives/phrack51.tgz
Defense know what should be running on your
system

39
Crack / L0phtCrack

Software that attempts to guess passwords for an
account for Unix and NT (directory entries, brute
force, User Id variations)
Requires /etc/passwd (can be stolen using phf
in cgi-bin) and somebodyelses account
attacker runs Crack against the stolen passwd
file on his own computer
Crack functionality guess password, encrypt,
check if match, try again
Crack v 5.0 for Unix released in 1996
L0phtcrack ver 2.5.2 for Windows NT updated
December 1998
dictionary and brute force password cracking

40
Java-based attacks

SNARF
a classic Trojan Horse login implemented in Java
displays window requesting user id and
password
obtained info is send to the evil web server
Denial of Service applets
Noisy Bear, Applet Killer, Blue Screen of
Death
Resource Consumer
Defense
encrypt sensitive data
know what web sites you are visiting
use latest versions of browser use latest
security patches
turn Java off, do not use Java-enabled web browser

41
Cookies

Stores information on browser client
Are cookies secure ?
Cant read your hard drive
Cant be read by another domain
Are text files, not executable
can remember what ads you read
can help to profile users
more privacy than security concern

42
Unix vs. Windows NT

Unix since 1969 never intended to be secure
trusted (C2 and up) versions available better
knowledge what is going on more mature easier
than NT to setup security
Windows NT - relatively new many unknown
security issues (black box) very unsecure