Computer - PowerPoint PPT Presentation


Slides: 111
Provided by: leonard2


Transcript and Presenter's Notes

Title: Computer

Computer Network Hacker Exploits
  • Step-by-step

Stages of An Attack
  • Target Selection
  • Reconnaissance
  • Penetration
  • Internal operations, Keeping the connection

  • Reconnaissance
  • Scanning
  • War dialers
  • Port scanning and mapping
  • Firewall filters and Firewalk
  • Vulnerability Scanners

  • Exploit the System
  • Gaining Access
  • DOS tools
  • Application level Attacks
  • Keeping Access
  • BO2K
  • Rootkits
  • Knark

  • Covering Your Tracks
  • Covering your tracks in UNIX and Windows
  • Reverse Shell
  • Loki

  • The purpose of this part of the course is to
    understand attack methods so we can
    implement effective defense strategies
  • We must protect our systems
  • How can we create effective defenses?
  • That's the real reason we're here
  • Why these tools and techniques?
  • Because they are in widespread use right now
  • They provide us fundamental information about the
    principles the attackers are employing.
  • They illustrate what we need to do to defend
  • Some of them are pretty Kewl! Some are VERY

  • To the extent possible, platform independence is
  • Individual tools may run on UNIX or Windows...
  • We will cover attack concepts that can be applied
    against Windows NT, UNIX, or other platforms
    (Novell, VAX, MVS, etc.)
  • I've included links to tools -- Use at your own
  • They could harm your network in unexpected ways
  • Review the source code... Is this legit?
  • Experiment on a test network, separated from
    production and office or campus systems

General Trends of Exploits
  • What are we seeing in the wild?
  • Hacker tools are getting easier to use and more
    easily distributed
  • The rise of Hacker groups as distribution houses
    for software
  • The L0pht and Cult of the Dead Cow
  • High-quality, extremely functional hacker tools
  • Better quality than from some major software

General Trends
  • Excellent communication through the computer
    underground: chat, the web, informal groupings, and
    hacker computer and network conferences
  • With the rise of these hacker groups, a lot more
    information about security is available to the
    general public. The less-informed attackers
    (often called "script kiddies" or "ankle biters")
    will use this information in attacks. We must use
    this information to defend ourselves. I've
    included several references at the end of the
    handouts to help you stay informed.

General Trends
  • There used to be many different types of systems out
    there (the computer room)
  • Now, we have a smaller number of system types
    (Windows, Linux, MacOS, SunOS, FreeBSD, Palm,
  • They are distributed everywhere!
  • Less experienced users and administrators
  • One virus or attack can jeopardize vast numbers of
    systems (Morris worm, Melissa virus, I LOVE YOU)
  • Home laboratories are easy to set up for the


Your Adversary's Advantages
  • He can use multiple sources for his attack
  • His attack can be timed to be inconvenient for
    you (Friday before a 3-day holiday, Christmas
    Eve, During your company picnic,)
  • He has the ability to corral greater media
  • Increased sense of hero complex when a hacker
    brings down a large company.

Two Attack Forms
  • Zero-Knowledge Attack
  • No knowledge from the inside of your organization
    is known before the attempt is made to target your
    company (your assets, intellectual property,
    finances, or other)
  • Knowledgeable Attack, perhaps by use of an insider, or
    from an insider
  • An insider, either implanted or home-grown, has
    decided to gather information to be used for
    targeting your organization.

  • An attacker will gather as much information as he
    can about you, your company, your people, your
    computers, your network, and your physical
  • Your network
  • You may not know it, but there is already much
    information about you out there.
  • An adversary will use all data mining possible.

Open information
  • American Registry for Internet Numbers
  • Who owns a particular IP address (Whois)
  • (http://
  • DNS interrogation (use nslookup)
  • Target's own web site (crawl it; a lot of info
    can be gathered by crawling: names, e-mail
    addresses, phone numbers, branches of the
    organization, trusted relationships)
  • Programs: Websnake, Webzip, curl
  • Search Engines, web searches
  • can show trusted relations (for example, you may
    show up on a customer list, your web designer may
    use you as a reference)

Open Information
  • Usenet news postings (
  • Flipping: related pages which link to the target; use
    AltaVista, and search for
  • (Hotbot
  • Example: on AltaVista, AND
    title:resume if you are looking for resumes of
    Cisco engineers.

Open Information
  • X-Raying: finding areas in a company web page not
    normally accessible. How? In AltaVista, host: or
    url: followed by keywords or names.
  • Example and business

Open Information
  • Peeling: many times there is more information
    embedded within really long URLs. Peel off some
    of the junk and look for web addresses or
    secondary addresses, and unique areas.
  • Example: http://
  • http://

Open Information
  • Anchor searches: anchor labels may be informative
    in searching for targets.
  • Example: you can search the anchors by using a
    search engine and the query anchor:view resumes
  • Harvesting: pick out and use keywords in related
    documents, then use meta search engines (like

Open Information
  • Peer searches: once you find specific information
    or specific people, conduct peer searches using
    the meta search engines.
  • Example: Jon Doe, bank manager
  • Use Dogpile and look for all other references to
  • Might turn up that doej is into drag racing and a
    common dialog could be established.

Open Information
  • Open a phony e-mail account. Send e-mail to
    insiders. (The return e-mail headers can tell
    you loads of info about the inside systems!)
  • DATA-MINING!!!! Company, people, trusted
    relationships, mailing lists
  • Capability to connect to the company DNS server (pull
    down all registered domains at a site!)

  • Scanning: finding weak points

WAR Dialing
  • Named for the dialer in the movie Wargames
  • An attacker is trying to find a backdoor into
    your network. A modem which is used for remote
  • This might be the easiest point of penetration!
  • The telephone numbers gathered in the recon phase
    are a good starting point!
  • Phreaking is looking for voice back doors,
    whereas hacking is looking for network access

WAR Dialing
  • War dialers dial a sequence of telephone numbers
    attempting to locate modem carriers or a
    secondary dial tone
  • Demon dialers is another name
  • Phone numbers come from
  • Phone book, InterNIC data, web crawl, mailing
    lists, newsgroups, social engineering ("I am from
    the phone company and I need to verify what
    numbers you folks are using for data lines")

Scanning WAR Dialers
WAR Dialer Software
  • The Hackers Choice 2.0
  • A-DIAL (Auto Dial) by VeXaTiOn, 1995
  • Deluxe Fone-Code Hacker by The Sorceress KHAIAH
  • Dialing Demon version 1.05 by Tracy McKibben 1988
  • Doo Tools version 1.10, by Phantom Photon 1991
  • PBX Scanner Version 5.0, by Great White 1989
  • SuperDialer 1.03 by Evan Anderson 1990
  • ToneLoc 1.10 by Minor Threat and Mucho Maas 1994
  • X-DialerR by ICiKl 1996
  • Z-Hacker 3.21, by BlackBeard 1991

Scanning WAR Dialers
The Hackers Choice 2.0
  • THC-Scan 2.0 The Hacker's Choice (THC)
  • Written by Van Hauser released 12/98
  • Essentially an update to the very venerable
    ToneLoc (by Mucho Maas and Minor Threat, 1994)
  • Available at http://
  • THC-Scan is one of the most full-featured,
    non-commercial, war dialing tools available

Scanning WAR Dialers
The Hackers Choice 2.0
  • Need a screenshot here

Scanning WAR Dialers
The Hackers Choice 2.0
  • Note that the screen shows a nice real-time
    inventory of detected lines.
  • A convenient statistic is the number of lines
    dialed per hour. With a single machine and a
    single modem, we typically do 100 to 125 lines
    per hour. This is a useful metric in determining
    how long it will take to dial large numbers of
    lines (also, it helps you to see what your
    consultants really are charging you if you
    outsource this!)

Scanning WAR Dialers
THC 2.0 Features
  • Carrier Mode and Tone Mode (open PBX allows you
    to dial another number)
  • Dial random, sequential, or a list of numbers
  • Scanning through a modem out-dial
  • Break up work across multiple machines
  • Or multiple instances of THC-Scan on one system,
    each with its own modem
  • Supports a separate dialing program (THC-Scan
    supplies the telephone number to the dialer)

Scanning WAR Dialers
THC 2.0 Features
  • Nudging
  • Nudging refers to sending a pre-defined string of
    characters to a discovered modem. The war dialer
    "nudges" the target, to get it to respond with
    possibly useful information: banners, login
    prompts, etc.
  • Random waits between calls (to lower chance of
  • Rudimentary jamming detection (counts number of
    busy signals)

Scanning WAR Dialers
Ok, I found the numbers
  • You found a number of modems. What do you do?
  • Review the war dialer logs and look for familiar
    login prompts or even warning banners
  • Connect to each discovered modem
  • Often times, you will find a system without a
  • PCAnywhere for a clueless user -- you're in,
  • Old, neglected machine still on the network
  • A Router!!!!!
  • If there is a userID/password prompt, guess
  • Make it an educated guess, based on the system
  • What are default accounts/passwords?
  • What are common things associated with the target?

Scanning WAR Dialers
  • THC has released a powerful scripting language
    for hacking login prompts: Login Hacker
  • It is a tool for password guessing
  • Many systems tell you what platform they are
    (e.g., "Hi, I'm AIX!"). For others, you can
    determine this information from the nature of the
    prompt. UNIX boxes and Cisco router prompts are
    particularly easy to identify.
  • While guessing passwords is a time-consuming
    process, keep in mind that time is the single
    greatest resource your adversaries have.

Scanning WAR Dialers
Try these usernames/passwords!
  • Root
  • sync
  • bin
  • nobody
  • operator
  • manager
  • Admin
  • Administrator
  • System
  • days of the week
  • Custom dictionaries built from company keywords
    and acronyms

Scanning WAR Dialers
WAR Dialer Defense
  • An effective dial-up line and modem policy is
  • Inventory all dial-up lines with a business need
  • Activate scanning detection functionality in your
    PBX, if available
  • Telewalls: a firewall for phones
  • Conduct war dialing exercises against your own
  • Reconcile your findings to the inventory
  • Utilize a commercial war dialer
  • Sandstorm's PhoneSweep or ISS's Telephony Scanner
  • ToneLoc or THC-Scan (free)
  • Conduct periodic desk-to-desk checks in the
  • Use two people for this (buddy system)

Scanning WAR Dialers
Some concerns
  • When war dialing against your own network, how do
    you determine which numbers to dial?
  • You should get a list of all analog lines at
    your PBX. You may also want to consider dialing
    digital lines, because inexpensive digital line
    modem adapters are readily available.

Scanning WAR Dialers
Some concerns
  • A major concern involves numbers not accessible
    through your PBX (i.e., direct lines from the
    telco). The best, although not ideal, approach
    for finding these is to follow the money - get
    the telephone bills from the telco. Ask your
    telco to give you a copy of all bills being
    mailed to a given address, or, if possible, all
    bills for lines at a certain address.

Scanning WAR Dialers
Some concerns
  • When you do desk-to-desk checks, you should
    always employ the buddy system. With an
    explicit two-person team checking for
    unwanted/unregistered modems, you will not be
    subject to claims of unfairness or worse yet,
    theft from people's desks. If a single person
    checks for modems late at night, and something
    turns up missing from someone's desk, you may
    have significant problems.

Scanning WAR Dialers
Port Scanning

TCP/IP Handshake
  • TCP/IP 3-way Handshake establishes a connection
    to a port

Scanning Port Scanning

All legitimate Transmission Control Protocol
(TCP) connections (e.g., HTTP, telnet, ftp, etc.)
are established through a three-way handshake.
65,535 TCP ports, 65,535 UDP ports (no 3-way with
Three-Way Handshake
1. Send SYN, seq = x
2. Send SYN, seq = y, ACK = x+1
3. Send ACK = y+1
The handshake allows for the establishment of
sequence numbers (x or y are the ISN, Initial
Sequence Number) between the two systems. These
sequence numbers are used so that TCP can provide
for reliable packet delivery in sequential order.
Sequence numbers are used for sequencing and
Port Scanners
  • Scan all 65,535 (times 2) ports
  • Find tcp 80, web server
  • Find tcp 23, telnet server
  • Find udp 53, DNS server
  • Find tcp 6000, X Window server
  • etc.
  • Nmap is a very useful tool with advanced scanning
  • Available at http://

Scanning Port Scanning
Port Scanners
  • By scanning each port, we can determine what is
    listening on the box, and find ways to get in.
    Tools like Nmap allow us to inventory open ports
    in a variety of ways. Numerous other port
    scanners are available, including
  • strobe
  • Probe
  • etcp
  • Nmap is the most fully featured of all of these
  • The ISS and CyberCop commercial scanners also
    include port scanning capabilities.

Scanning Port Scanning
Open Port Information
  • With a list of open ports, the attacker can get
    an idea of which services are in use by
    consulting RFC 1700. Also, particular exploits
    for these services can be found at
  • http://
  • The attacker can devise his/her own exploits!
  • http://

Scanning Port Scanning
An NMAP scan
  • Allows for conducting numerous types of scans
  • "Vanilla" TCP scans
  • Connect to every port, with 3-way handshake
  • SYN scans (aka "half-open" scans)
  • Only do initial SYN
  • Harder to detect and much quicker
  • FIN scans
  • Stealthy and bypass some filters
  • SYN scan using IP fragments
  • Bypass some packet filters... Yes!
  • UDP Scanning
  • FTP Proxy "Bounce Attack" Scanning
  • RPC Scanning
  • TCP Sequence prediction test
  • ACK scanning
  • Xmas Tree
  • NULL scan

Scanning Port Scanning
NMAP scan FTP Proxy Bounce
  • FTP Proxy "Bounce Attacks" utilize an ancient
    feature of FTP servers. These servers allow a
    user to tell the server to send the file to
    another system. Using this capability, an
    attacker can bounce an NMAP port scan off of
    someone's FTP server, to help obscure the source
    of the attack.
  • You should make sure that you disable the FTP
    Bounce capability from your public FTP servers.

Scanning Port Scanning
NMAP TCP Stack Fingerprinting
  • Attempts to determine the operating system of the
    target by sending various packet types and
    measuring the response
  • This concept originated with a tool called QueSO,
    available at http://

Scanning Port Scanning
NMAP TCP Stack Fingerprinting
  • Nmap does various types of tests to determine the
  • TCP Sequence Prediction
  • SYN packet to open port
  • NULL packet to open port
  • SYN|FIN|URG|PSH packet to open port
  • ACK packet to open port
  • SYN packet to closed port
  • ACK packet to closed port
  • FIN|PSH|URG packet to closed port
  • UDP packet to closed port

Scanning Port Scanning
NMAP TCP Stack Fingerprinting
  • In addition to finding out what ports are open on
    a system, an attacker also wants to determine
    which platform (Operating system and hardware)
    the system is based on.
  • By determining the platform, the attacker can
    further research the system to determine the
    particular vulnerabilities it is subject to.
  • For example, if the system is a Windows NT Server
    4.0 box, the attacker can utilize
    http:// or http://xforce.iss.n
  • to focus the attack.

Scanning Port Scanning
TCP Stack Fingerprinting
  • Note that each TCP stack implementation may have
    a very unique signature to how it behaves,
    particularly when confronted with various illegal
    combinations of TCP flags and packets!
  • This information is used to identify the target
  • NMAP has a database of how various systems
    respond to these illegal flags. NMAP can
    determine what system you are running!!!

Scanning Port Scanning
TCP Stack Fingerprinting
  • Based on the TCP stack response, Nmap can
    identify over 386 types and versions of systems,
  • Windows 3.1, 3.11, 95, 98, NT (SP 1-4 or 5-6)
  • Win2000
  • Solaris 2.x AIX
  • Cisco IOS
  • Linux
  • 3Com products

Scanning Port Scanning
  • NetBSD, FreeBSD
  • MacOS
  • VAX/VMS / Open VMS
  • HP/JetDirect
  • HP-UX
  • IRIX

TCP Stack Fingerprinting
  • Customizable database so the hacker can add his
    own information signatures
  • Using this information, an attacker can focus an
  • An NT Portscanner -- SuperScan

Scanning Port Scanning
  • SuperScan demo

Port Scanner Defense
  • Close all unused ports!
  • Unix: /etc/inetd.conf, also /etc/rc3.d (xinetd
  • Windows NT: disable all unnecessary services by
    uninstalling them or shutting them off in the
    services control panel
  • Windows 2000: restrict ports, shut off services

Scanning Port Scanning
Port Scanner Defense
  • Utilize an Intrusion Detection System (IDS)
  • Commercial
  • ISS RealSecure
  • Cisco NetRanger
  • Network Flight Recorder
  • More
  • Freeware
  • Snort
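Port-scan detection of the kind a network IDS performs, as an added example that is not code from the original slides, from Snort or from any commercial product named above: it parses a constructed connection log and flags a source that reaches many distinct ports on one host inside a short window, which catches both "vanilla" connect scans and SYN half-open scans because each sends one SYN per probed port.

```python
"""Port-scan detection over connection-attempt records (added example;
not code from the original slides, Snort, or any commercial IDS named
above). The log format is constructed for this example:
    <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <tcp_flags>
with tcpdump-style flag letters (S=SYN, A=ACK, R=RST, F=FIN, P=PSH, U=URG).
Both "vanilla" connect scans and SYN ("half-open") scans send one SYN
per probed port, so counting distinct destination ports per source
within a short window catches either kind."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<flags>[A-Z]+)$"
)

# Constructed sample: 10.0.0.5 touches twelve ports on one host in six
# seconds (scan pattern); 10.0.0.9 and 10.0.0.7 are ordinary traffic.
SAMPLE_LOG = """\
2000-11-01T10:00:00 10.0.0.9 -> 192.168.1.10:80 S
2000-11-01T10:00:01 10.0.0.5 -> 192.168.1.10:21 S
2000-11-01T10:00:01 10.0.0.5 -> 192.168.1.10:22 S
2000-11-01T10:00:02 10.0.0.5 -> 192.168.1.10:23 S
2000-11-01T10:00:02 10.0.0.5 -> 192.168.1.10:25 S
2000-11-01T10:00:03 10.0.0.5 -> 192.168.1.10:53 S
2000-11-01T10:00:03 10.0.0.5 -> 192.168.1.10:80 S
2000-11-01T10:00:04 10.0.0.7 -> 192.168.1.10:25 S
2000-11-01T10:00:04 10.0.0.5 -> 192.168.1.10:110 S
2000-11-01T10:00:04 10.0.0.5 -> 192.168.1.10:111 S
2000-11-01T10:00:05 10.0.0.5 -> 192.168.1.10:135 S
2000-11-01T10:00:05 10.0.0.5 -> 192.168.1.10:139 S
2000-11-01T10:00:06 10.0.0.5 -> 192.168.1.10:143 S
2000-11-01T10:00:06 10.0.0.5 -> 192.168.1.10:443 S
2000-11-01T10:00:09 10.0.0.9 -> 192.168.1.10:80 S
2000-11-01T10:00:30 10.0.0.9 -> 192.168.1.10:80 S
"""


def parse_line(line):
    """Parse one record; return a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "flags": m["flags"],
    }


def detect_port_scans(log_text, min_ports=10, window_seconds=60):
    """Return one alert per (src, dst) pair whose SYNs reached at least
    `min_ports` distinct destination ports inside some window of
    `window_seconds`. Each alert reports the peak distinct-port count."""
    probes = defaultdict(list)                  # (src, dst) -> [(ts, port)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "S" in rec["flags"]:         # SYN-bearing records only
            probes[(rec["src"], rec["dst"])].append((rec["ts"], rec["port"]))

    alerts = []
    for (src, dst), events in probes.items():
        events.sort()
        in_window = defaultdict(int)            # port -> occurrences in window
        start, peak = 0, 0
        for ts, port in events:
            in_window[port] += 1
            # slide the window start forward until it spans <= window_seconds
            while (ts - events[start][0]).total_seconds() > window_seconds:
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            alerts.append({"src": src, "dst": dst, "distinct_ports": peak,
                           "first_seen": events[0][0].isoformat(),
                           "last_seen": events[-1][0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(f"port scan: {alert['src']} -> {alert['dst']} "
              f"({alert['distinct_ports']} ports, "
              f"{alert['first_seen']}..{alert['last_seen']})")
```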

Scanning Port Scanning
Firewall Attacks
  • Firewalk allows an attacker to determine which
    ports on a (packet filter) firewall are open
  • Written by David Goldsmith and Michael Schiffman,
    October 1998, and available at http://packetstorm.
  • Based on ideas originally used in traceroute, a
    tool that determines the path of packets using
    the IP Time-To-Live (TTL) field

Scanning -- FireWalk
  • Firewalk is a network auditing tool that attempts
    to determine what transport protocols a given
    gateway will pass.
  • Firewalk works by sending out TCP or UDP packets
    with a TTL one greater than the targeted gateway.
    If the gateway allows the traffic, it will
    forward the packets to the next hop where they
    will expire and elicit an ICMP_TIME_EXCEEDED
  • If the gateway host does not allow the traffic,
    it will likely drop the packets on the floor and
    we will see no response.

Scanning -- FireWalk

Knowing which ports are open through your
firewall is incredibly useful information for an
attacker. Each of these open ports offers a
possible entryway into your network. Nmap is used
to send packets to an end system to determine
which ports are listening on a given machine.
Firewalk is used to send packets through a packet
filter device (firewall or router) to determine
which ports are open through it. Nmap cannot
differentiate between what is open on an end
machine and what is being firewalled. Firewalk
can determine if a given port is allowed through
a firewall.
Scanning -- FireWalk
(Diagram: Time to Live Exceeded replies)
What Does Firewalk give the attacker?
  • An attacker will use this information to probe
    your DMZ and internal systems through the proper
    ports. If you allow port 23 through your
    firewall, but nothing is listening on your DMZ on
    port 23, you might feel safe. An attacker can
    verify that port 23 is open through your firewall
    with Firewalk, even though nothing on your DMZ
    has that port open.
  • Once discovering the open port through the
    firewall, an attacker can easily set up a script
    to check if any DMZ systems suddenly have telnetd
    enabled. You might periodically enable it for
    some administrative functions. If so, the
    attacker can jump in and gain access

Scanning -- FireWalk

Scanning -- FireWalk
  • Works for TCP or UDP, since time-to-live is at
    the IP-layer
  • Firewalk requires two inputs
  • The IP address of the gateway before firewall
    filtering takes place (e.g.,
  • An ultimate destination on the other side of the
    firewall (e.g.,

Scanning -- FireWalk
  • Firewalk utilizes the Time-To-Live (TTL) field of
    the IP header. Therefore, it can function to
    determine which ports are filtered for either UDP
    or TCP, which ride on top of IP.

Scanning -- FireWalk
(Diagram: external IP 10.1.1.1, protected server)
  • Firewalk determines the filtering rules
    associated with packet filters (either for a
    host-based packet filter firewall or router
    access control lists). Firewalk does not work
    against pure proxy-based firewalls, because
    proxies do not forward packets. Instead, a proxy
    application absorbs packets on one side of the
    gateway and regenerates packets on the other
    side. Packet filters actually forward the same
    packets, after applying filtering rules.

Scanning -- FireWalk
  • The two inputs for firewalk serve to bound the
  • The first IP address is of the firewall itself,
    so the tool can try to "walk" through it by
    incrementing the TTL during a port scan.
  • The second IP address is of the ultimate
    destination machine, so that all packets will
    have this single destination (although the TTL
    will be too small for any packets to actually get
    there). The next slide describes the process of
    firewalking in more detail.

Scanning -- FireWalk
Firewalk phases
  • Given this info, firewalk operates in two phases
  • Network Discovery Phase
  • Scanning Phase
  • The Network Discovery Phase essentially does a
    traceroute to determine the hop count to the last
    gateway (router) before the filtering takes place

Scanning -- FireWalk
(Diagram: Time to Live Exceeded replies from each successive hop)
During the network discovery phase, Firewalk
sends packets with incrementing TTLs to determine
how many network hops exist between the tool and
the firewall. When a packet reaches its maximum
TTL (which is decremented by each hop), the final
gateway sends back a Time-to-live exceeded message.
This is essentially the same function as
traceroute, used to determine the hop count. Once
this number is determined, the tool can conduct
the scanning phase.
(Diagram: probes with TTL=4 to TCP ports 1, 2, 3, 4, ... and 80; the probe to port 80 draws a Time to Live Exceeded reply: port 80 is unfiltered!)
  • The Scanning Phase is very simple. A port scan is
    done with packets whose time to live is set
    beyond the last gateway before filtering
  • Based on the response, we can determine filtering
  • If a Time-To-Live exceeded message comes back,
    the port is open, because the packet got through
  • If nothing comes back, the port is filtered

Scanning -- FireWalk
  • For the scanning phase, the TTL is set to one
    greater than the hop count to the filtering
    device. If a packet gets through the filter, a
    Time-To-Live exceeded message will be sent by the
    system immediately on the other side of the
    filter. If a Time-To-Live exceeded message comes
    back, that port is open through the firewall. If
    nothing comes back (or a port unreachable
    message), the port is filtered by the firewall.
  • By conducting a scan of all TCP and UDP ports,
    the attacker can get a very accurate idea of the
    filtering rules.

Scanning -- FireWalk
Firewalk Defenses
  • 1) Just live with it: accept the fact that
    someone could map your network and determine your
    firewall filtering rules
  • 2) Disallow ICMP TTL Exceeded messages from
    leaving your internal network. May cause
    problems! Network diagnostics may not work, and
    your users may want to traceroute (quite a
    reasonable idea for sensitive networks); NAT
  • 3) Use a proxy server instead of a packet filter
  • Packet filters have IP forwarding on, so the
    packets traverse them and "live on"
  • Proxies are an end point of the connection; the
    packets are not forwarded, so their life ends
    upon reaching the proxy
  • Possible performance implications
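A model of Firewalk's two phases (the TTL walk described on the preceding slides) and of defense 2 above, dropping outbound ICMP TTL Exceeded messages, as an added example that is not code from the original slides or from the Firewalk tool; the hop addresses, filter rules and probe ports are constructed. It shows that the discovery phase still locates the gateway, but the port-by-port verdicts vanish once the gateway swallows the time-exceeded replies from behind it.

```python
"""Model of the Firewalk TTL technique and of Firewalk defense #2 (added
example; not code from the original slides or from the Firewalk tool).
Hop addresses, the filter rule set and the probe ports are constructed."""

TIME_EXCEEDED = "ICMP_TIME_EXCEEDED"


class Network:
    """A straight-line path of routers ending at a destination host.
    `hops[filter_index]` is the packet-filtering gateway; it forwards TCP
    segments only for ports in `allowed_tcp`. With
    `block_outbound_ttl_exceeded` set, the gateway also drops ICMP
    time-exceeded messages coming from hops behind it (defense #2)."""

    def __init__(self, hops, filter_index, allowed_tcp, destination,
                 block_outbound_ttl_exceeded=False):
        self.hops = hops
        self.filter_index = filter_index
        self.allowed_tcp = set(allowed_tcp)
        self.destination = destination
        self.block_outbound_ttl_exceeded = block_outbound_ttl_exceeded

    def send_tcp(self, ttl, dst_port):
        """Carry one TCP segment toward the destination.
        Returns (message, sender_ip) for a reply, or None for silence."""
        for index, hop_ip in enumerate(self.hops):
            ttl -= 1                          # each router decrements TTL first
            if ttl == 0:
                # expired here: the router reports back, unless it sits behind
                # a gateway that swallows outbound time-exceeded messages
                if index > self.filter_index and self.block_outbound_ttl_exceeded:
                    return None
                return (TIME_EXCEEDED, hop_ip)
            if index == self.filter_index and dst_port not in self.allowed_tcp:
                return None                   # the filter drops it on the floor
        return ("TCP_REPLY", self.destination)  # reached the end host


def firewalk(net, gateway_ip, ports, probe_port=80, max_ttl=30):
    """Run the two Firewalk phases. Returns (hop_count, {port: verdict}),
    or None when the gateway never shows up in the discovery phase."""
    # Phase 1, network discovery: ramp the TTL as traceroute does until the
    # time-exceeded reply carries the gateway's address. Any port works here,
    # because TTL expiry is handled before the filtering decision.
    hop_count = None
    for ttl in range(1, max_ttl + 1):
        if net.send_tcp(ttl, probe_port) == (TIME_EXCEEDED, gateway_ip):
            hop_count = ttl
            break
    if hop_count is None:
        return None
    # Phase 2, scanning: TTL = hop_count + 1, so a segment that passes the
    # filter expires at the very next hop, and that hop's time-exceeded reply
    # proves the port is open through the firewall. Silence means filtered
    # (or, with defense #2 in place, simply unknown).
    verdicts = {}
    for port in ports:
        reply = net.send_tcp(hop_count + 1, port)
        verdicts[port] = "open" if reply and reply[0] == TIME_EXCEEDED else "filtered"
    return hop_count, verdicts


# Constructed topology: two upstream routers, the filtering gateway, one
# router inside, then the protected server. Only SMTP, HTTP and HTTPS pass.
HOPS = ["192.0.2.1", "192.0.2.254", "198.51.100.1", "10.1.1.1"]
GATEWAY = "198.51.100.1"
SERVER = "10.1.1.50"
PROBE_PORTS = [22, 23, 25, 80, 443, 3389]


def undefended_scan():
    net = Network(HOPS, filter_index=2, allowed_tcp={25, 80, 443}, destination=SERVER)
    return firewalk(net, GATEWAY, PROBE_PORTS)


def defended_scan():
    """Same rules, but the gateway blocks outbound time-exceeded messages."""
    net = Network(HOPS, filter_index=2, allowed_tcp={25, 80, 443}, destination=SERVER,
                  block_outbound_ttl_exceeded=True)
    return firewalk(net, GATEWAY, PROBE_PORTS)


if __name__ == "__main__":
    for label, (hops, verdicts) in (("undefended", undefended_scan()),
                                    ("defended", defended_scan())):
        print(f"{label}: gateway is {hops} hops away; {verdicts}")
```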

Scanning -- FireWalk
Vulnerability Scanners

Vulnerability Scanners
  • SATAN is the granddaddy of these tools (SAINT,
    SARA, SANTA/SATAN)
  • Many commercial derivatives
  • ISS's scanner
  • Network Associates' CyberCop
  • Cisco's NetSonar
  • These are all tools to help to map a network,
    scan for open ports, and find various
  • They generate nice looking reports for
  • The tools test against a list of known exploits
  • What about the unknown?
  • That's why we want to have security in-depth!
  • Use a multi-layered, sound architecture

Vulnerability Scanning
  • SATAN is rather old, and does not include a
    mountain of vulnerabilities that have been
    discovered since its release. The commercial
    tools are fairly easy to use, with
    point-and-click GUIs. If you are going to use
    them, please make sure that you know what you are
  • Tip: disable Denial of Service (DoS) attacks,
    unless you specifically want them. You don't
    want to disrupt your own network productivity

Vulnerability Scanning
More Tips
  • Be careful with password guessing modules. They
    may lock out legitimate users! You may want to
    disable these modules from running across the
    network and use password cracking software on the
    local system files to find weak passwords. Use
    L0phtCrack or others; look on your CD under
    password crackers.

Vulnerability Scanning
Scanner Limitations
  • Vulnerability scanning tools are extremely useful
    because they automate security checks across a
    large number of systems over the network.
    However, please understand their limitations!
  • The tools only check for vulnerabilities that
    they know. They cannot find vulnerabilities that
    they don't understand.
  • The tools tend to be very dumb and flat -- they
    look for vulnerabilities.
  • A real attacker will apply a great deal of
    intelligence to try to reverse engineer your
  • Instead of just looking at the outside
    interfaces, the intelligent attacker will try to
    understand what's going on behind them.

Vulnerability Scanning
  • Nessus is a free, open-source general
    vulnerability scanner
  • It is used by the white hat community (security
    folks) and the black hats (malicious hackers)
  • Facts
  • Project started by Renaud Deraison
  • Available at http://
  • Consists of a client and server, with modular
    plugins for individual tests

Vulnerability Scanning
  • Nessus is a very useful tool, and has some
    advantages over the commercial tools
  • You can review the source-code of the main tool
    and any of the security checks to make sure that
    nothing "fishy" is going on.
  • You can write your own tests and incorporate them
    into the tool
  • A large group of developers is involved around
    the world creating new tests
  • The price! US $0.00
  • DEMO!

Vulnerability Scanning
Configure and monitor
Server has numerous plug-ins with various tests
  • The client and server can be on the same machine.
    (you can put it all on a laptop)
  • Information between the client and the server can
    be encrypted
  • Large number of plug-ins available for the
    server, each testing for specific vulnerabilities
    in the target.

Vulnerability Scanning
Nessus - Platform
  • Server
  • FreeBSD, Linux, and Solaris
  • Client
  • FreeBSD, Linux, Solaris
  • Windows 95/98/NT/2000
  • Java (can run on Macs, anything)
  • Remember, both Client and Server can be on the
    same machine.
  • For serious work with Nessus, use Nessus on Unix

Vulnerability Scanning
Nessus - Plugins
  • Separate plug-in for each type of attack
  • There is a defined API for writing Nessus
  • Currently, plug-ins written in C
  • Or, plugins can be written in the Nessus Attack
    Scripting Language (NASL)
  • One plugin is in charge of doing one attack and
    reporting the result to the Nessus server
  • Each plugin can use some functions of the Nessus
    library, called libnessus.
  • CVS version and daily snapshots are available.
  • As of November, 2000
  • Over 300 UNIX plug-ins
  • 90 Windows NT plug-ins
  • Make sure you check those MD5 hashes!!! (so you
    don't load a Trojan plugin!!!!!)
  • A very nice capability of Nessus is the ability
    to write your own plug-ins, a capability not
    supported in the major commercial scanners.

Vulnerability Scanning
Nessus GUI
You can configure:
  • port for the client-to-server communication
  • encryption algorithms
  • target systems
  • which plugins to use
  • port ranges and types of scans
  • e-mail address for the report
Vulnerability Scanning
Vulnerability Scanners - Defense
  • Close all unused ports; shut off all unneeded
  • In Windows NT, stop or delete services in the
    services control panel
  • In UNIX, edit /etc/inetd.conf and rc.d files
  • Apply all system patches
  • Keep up to date!
  • Utilize an Intrusion Detection System
  • Network-based IDS
  • Commercial: ISS RealSecure, Cisco NetRanger,
    Network Flight Recorder, Dragon, etc.
  • Freeware: Snort

Vulnerability Scanning
Exploiting Systems
  • Gaining Access
  • Denial of Service
  • Application Level Attacks
  • Stealthy Attacks

Gaining Access
  • IP Address Spoofing
  • IP Fragmentation Attacks, FragRouter
  • Sniffing (Sniffit)
  • Session Hijacking (Hunt)
  • DNS Cache Poisoning (Jizz)
  • Web Hijacking
  • Netcat and other Hack tools

Exploiting Systems
IP Address Spoofing
  • Spoofing: pretending to be someone else
  • IP address spoofing is quite common in a number
    of attacks
  • Foiling systems that utilize IP addresses for
  • Router access control lists
  • Firewalls
  • Trust relationships (particularly, UNIX
  • Denial of Service
  • Logs

Exploiting Systems
IP Spoofing
  • IP Spoofing can be trivial or very complex
  • Option 1: Change the IP address
  • Option 2: IP Address Spoofing and Trust
    Relationship Attacks
  • Option 3: IP Address Spoofing and Source Routing

Exploiting Systems
IP Spoofing
  • One of the most common types of attack building
    blocks involves changing or disguising your IP
    address, commonly called "IP Address Spoofing".
    After all, an attacker doesn't want to have
    his/her actions traced. Furthermore, IP address
    spoofing can be used to undermine various
    applications, particularly those that
    (dangerously) rely only on IP addresses for
    authentication or filtering. The UNIX
    "r-commands" (e.g., rlogin, rsh, rcp, etc.) are
    examples of tools that support authentication
    based on IP address.

Exploiting Systems
Option 1
  • I can change my IP address to anything I want...
  • UNIX: ifconfig eth0 w.x.y.z
  • Windows: use the network control panel
  • Yes, but... You won't get responses to your
    messages, because the network won't route the
    responses back to you
  • Also, the TCP 3-way handshake will cause you
  • You'll get a RESET message from the real system,
    unless ....

Exploiting Systems IP Spoofing
Recall the Three-Way Handshake
1. Send SYN, seq = x
2. Send SYN, seq = y, ACK = x+1
3. Send ACK = y+1
The handshake allows for the establishment of
sequence numbers (x or y are the ISN, Initial
Sequence Number) between the two systems. These
sequence numbers are used so that TCP can provide
for reliable packet delivery in sequential order.
Sequence numbers are used for sequencing and
Option 1: Simple Spoofing, Change Address
When the spoofee sends the 2nd leg of the 3-way
handshake, the system whose address is being
spoofed will send a RESET message. The RESET
message says, essentially, "Hey! I'm not having a
conversation with you .... Leave me alone!"
(Diagram: SYN (A, ISNa))
Option 1 Simple SpoofingChange Address
  • An attacker can use simple IP address spoofing to
    cover his/her tracks in a simple Denial of
    Service attack (which we'll discuss later).
    However, it's not too useful beyond that.
  • So, simple address spoofing is of limited use.
    You cannot have true interactive sessions with a
    host using this technique (unless you are on the
    same LAN segment .... If Eve were on the same LAN
    as Bob, the response from Bob could be
    intercepted by Eve, allowing for interactive

Exploiting Systems IP Spoofing
Option 2 Exploit Trust
  • We can take over a system with IP Address
    spoofing by Eve exploiting the UNIX trust
  • A variant of this attack was used by Kevin
    Mitnick against Tsutomu Shimomura in December,
  • Sadly, it's still a useful technique today
  • Mostly on intranets, because properly implemented
    firewalls have helped to stop this attack across
    the Internet

Exploiting Systems IP Spoofing
Option 2 Exploit Trust
  • Assume machine Bob trusts machine Alice (e.g.,
    Alice's name is in Bob's /etc/hosts.equiv file or
    in a user's ~/.rhosts file)
  • These trust relationships essentially mean that
    once a user logs in to Alice, the user can access
    Bob without supplying a password. This access is
    allowed, because Bob trusts Alice to do the
    authentication properly. These trust
    relationships are essentially using IP addresses
    to support (or substitute for) authentication.

Exploiting Systems IP Spoofing
Option 2 Exploit Trust
  • Trust relationships are widely used in the UNIX
    world, particularly for system administration. We
    frequently see environments where a single
    administrator is responsible for dozens or even
    hundreds of systems. To move from system to
    system, they often use trust relationships and
    UNIX r-commands for access so that they do not
    have to retype the password again and again and
    can easily send commands via rsh. This is a major
    security concern, because these trust
    relationships can be undermined as described on
    the next slide

Exploiting Systems IP Spoofing
Exploit Trust
  • The "random" sequence number sent by Bob (ISNb)
    is often predictable
  • Eve can interact with Bob and, based on careful
    timing, predict future sequence numbers with some
    level of accuracy
  • This gives Eve a one-way channel to Bob
  • And Bob will think Eve is Alice!!! That's a
  • Great!!! But... What about Alice's RESET?
  • You take Alice out of the picture for a while...
    Denial of Service

Exploiting Systems IP Spoofing
Eve can have an open channel to Bob. She can
quickly reconfigure Bob so that Eve has full
access, without spoofing.
IP Sequence Prediction
  • Step 0 Eve interacts with Bob by connecting to
    one or more of his open ports. These connections
    allow Eve to determine the approximate rate at
    which Bob's ISNs are changing. This information
    will be used to predict the ISN to use in Step 4.
  • Step 1 Eve launches a Denial of Service attack
    against Alice. Alice is dead for a period of
  • Step 2 Eve initiates a connection to Bob, using
    Alice's address (Eve will likely try to utilize a
    command like rsh). The first part of the 3-way
    handshake is done.
  • Step 3 Bob dutifully responds with the 2nd part
    of the 3-way handshake. This packet is routed to
    Alice, who is dead and cannot respond with a
  • Step 4 Using the information gathered in Step 0,
    Eve sends the ACK to Bob, again spoofing Alice's
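Step 0 works only because Bob's ISNs follow a guessable pattern. As an added example (not from the original slides), the Python check below takes the defender's view of that step: sample the ISNs a host hands out on successive connections and measure how close a naive linear predictor gets. Both series are constructed inside the code; the 128000/s and 64000-per-connection increments of the "old stack" and the 2^16 tolerance are assumptions.

```python
import random

MOD = 2 ** 32  # TCP sequence numbers live in 32-bit space and wrap


def _wrap_diff(a, b):
    """Signed difference b - a in 32-bit sequence space."""
    d = (b - a) % MOD
    return d - MOD if d >= MOD // 2 else d


def isn_prediction_error(samples):
    """samples: [(seconds, isn), ...] from successive connections to one host.
    Returns the mean absolute error of a naive predictor that estimates the
    ISN-per-second rate from the two previous samples and extrapolates."""
    errors = []
    for i in range(2, len(samples)):
        (t0, s0), (t1, s1), (t2, s2) = samples[i - 2], samples[i - 1], samples[i]
        rate = _wrap_diff(s0, s1) / (t1 - t0)  # ISN units per second
        guess = (s1 + int(rate * (t2 - t1))) % MOD
        errors.append(abs(_wrap_diff(guess, s2)))
    return sum(errors) / len(errors)


def isn_looks_predictable(samples, tolerance=2 ** 16):
    """Hypothetical threshold: if the average miss is within 64K sequence
    units, a guess lands in the right window after very few attempts."""
    return isn_prediction_error(samples) < tolerance


# Constructed series 1: an old-style stack that bumps the ISN by a fixed
# amount per second and per connection (deterministic, therefore guessable).
def predictable_isns(n=12, per_sec=128000, per_conn=64000, gap=0.5):
    return [(k * gap, (int(per_sec * k * gap) + per_conn * k) % MOD) for k in range(n)]


# Constructed series 2: a patched stack drawing ISNs from a 32-bit random source.
def random_isns(n=12, gap=0.5, seed=7):
    rng = random.Random(seed)
    return [(k * gap, rng.getrandbits(32)) for k in range(n)]


if __name__ == "__main__":
    for name, series in (("old stack", predictable_isns()), ("patched stack", random_isns())):
        print(f"{name}: mean error {isn_prediction_error(series):.0f}, "
              f"predictable={isn_looks_predictable(series)}")
```

Run against a real host's connections (timestamps plus the ISN from each SYN-ACK) this is the quickest way to confirm the "truly random ISN" defense is actually in place after patching.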

Exploiting Systems IP Spoofing
Option 2 Exploit Trust
  • Now Eve has an open channel to Bob
  • Eve (posing as Alice) can feed commands to Bob
  • Eve can use rsh command to add the real Eve to
    the trust relationship of Bob. How? Concatenate
    to /etc/hosts.equiv or simply add her name.
    UNIX only.
  • Eve will see no replies from Bob; however, Alice
    cannot respond either (due to the DoS)
  • For a short time, Eve looks like Alice to Bob
  • Eve must fly blind, but can re-configure Bob.

Exploiting Systems IP Spoofing
Option 3 Source Routing
  • This attack is simpler than Option 2... and
    platform independent (Option 2 required UNIX
    trust relationships)
  • Just use source routing ....
  • With a source that appears to come from the
    spoofed address
  • ...and a path that includes the "spoofer" --
    (i.e., the attacker)
  • All packets will follow the path
  • And responses will, too
  • This method for IP address spoofing is based on
    source routing. Source routing is an option in IP
    that allows the source of a packet to specify the
    path it will take on the network. Each router hop
    is included in the packet's header.

Exploiting Systems IP Spoofing
Source Routing
For this attack, Eve generates a source-routed
packet that appears to come from Alice (that's
the spoof). The packet contains a fake route list
that includes Eve's address. Note that the route
list is correct for all routers between Eve and
Bob. Routers before Eve are irrelevant. Eve sends
this packet on the network. If the network allows
source routed traffic, the packet will follow
Eve's specified path to deliver the packet to
poor Bob. Bob will take action on the packet
(complete the TCP 3-way handshake, or whatever)
and send the response, source routed back to
Eve. Eve will intercept the packet, rather than
transmitting it back to Alice .... There you go!
Eve can get the responses from Bob while spoofing
Alice's address.
Diagram, route list: 1. Alice 2. Router X 3. Eve 4. Router
Diagram, route list: 1. Bob 2. Router Y 3. Eve 4. Router
IP Address Spoofing Defenses
  • Make the Initial Sequence Numbers truly random
  • Need to install patches for TCP/IP stacks
  • Be careful with trust relationships
  • Do not extend trust outside of the firewall
  • Either UNIX or Windows NT trust relationships
  • Don't base authentication on IP addresses
  • Utilize passwords, crypto, or other techniques
  • Replace very weak r-commands with stronger
  • ssh, or its freeware cousins (lsh)
  • Utilize anti-spoof filters at routers and
  • Do not allow source routed packets through
    network gateways
  • Internet gateways (firewalls) and business
    partner connections
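Two of the defenses above, anti-spoof filtering and refusing source-routed packets, can be checked on the wire by inspecting the IPv4 header alone. The Python below is an added example, not part of the original presentation: it walks the IPv4 option list for the Loose (0x83) and Strict (0x89) Source Route option types from RFC 791 and applies ingress/egress anti-spoof rules at a border gateway. The 10.0.0.0/8 inside range, the documentation addresses (198.51.100.0/24, 203.0.113.0/24) and the hand-built headers are assumptions constructed for the demonstration.

```python
import ipaddress
import struct

LSRR, SSRR = 0x83, 0x89  # IPv4 option types: loose / strict source route (RFC 791)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed address space behind the gateway

def ipv4_options(packet):
    """Yield the option type codes present in an IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List
            break
        if kind == 1:  # No-Operation is a single byte
            i += 1
            continue
        yield kind
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:  # malformed length field: stop rather than loop forever
            break
        i += length

def gateway_verdict(packet, from_outside):
    """Classify one packet at the border: 'pass' or 'drop:<reason>'."""
    src = ipaddress.ip_address(packet[12:16])
    if any(k in (LSRR, SSRR) for k in ipv4_options(packet)):
        return "drop:source-routed"
    if from_outside and src in INTERNAL:
        return "drop:spoofed-internal-source"  # inside address arriving from outside
    if not from_outside and src not in INTERNAL:
        return "drop:egress-spoof"  # our hosts may only send with our addresses
    return "pass"

def build_ipv4(src, dst, options=b""):
    """Constructed minimal IPv4 header (no payload), used here as test input."""
    options += b"\x00" * (-len(options) % 4)  # options are padded to 32-bit words
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                         64, 6, 0, ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + options

def lsrr_option(*hops):
    """Constructed Loose Source Route option: type, length, pointer, hop list."""
    data = b"".join(ipaddress.ip_address(h).packed for h in hops)
    return bytes([LSRR, 3 + len(data), 4]) + data

if __name__ == "__main__":  # an outside host sends a source-routed packet to an inside host
    print(gateway_verdict(build_ipv4("198.51.100.20", "10.0.0.7", lsrr_option("203.0.113.9")), True))
```

The same header walk is what a router's "drop source-routed" knob does internally; the anti-spoof rules correspond to the ingress/egress filters the slide recommends at Internet and business-partner gateways.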

Exploiting Systems IP Spoofing
Never use source routing in Firewalls, routers,
or any gateway system!