Computer - PowerPoint PPT Presentation

Loading...

PPT – Computer PowerPoint presentation | free to view - id: 3e520-OGExO



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Computer

Description:

so we can implement effective defense strategies. We must protect our systems ... then use meta search engines (like alltheweb.com, mamma.com, dogpile.com) ... – PowerPoint PPT presentation

Number of Views:95
Avg rating:3.0/5.0
Slides: 111
Provided by: leonard2
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Computer


1
Computer Network Hacker Exploits
  • Step-by step

2
Stages of An Attack
  • Target Selection
  • Reconnaissance
  • Penetration
  • Internal operations, Keeping the connection

3
Overview
  • Reconnaissance
  • Scanning
  • War dialers
  • Port scanning and mapping
  • Firewall filters and Firewalk
  • Vulnerability Scanners

4
Overview
  • Exploit the System
  • Gaining Access
  • DOS tools
  • Application level Attacks
  • Keeping Access
  • BO2K
  • Rootkits
  • Knark

5
Overview
  • Covering Your Tracks
  • Covering your tracks in UNIX Windows
  • Reverse Shell
  • Loki

6
Purpose
  • The purpose of this part of the course is to
    understand attack methods ... ...so we can
    implement effective defense strategies
  • We must protect our systems
  • How can we create effective defenses?
  • That's the real reason we're here
  • Why these tools techniques?
  • Because they are in widespread use right now
  • They provide us fundamental information about the
    principles the attackers are employing.
  • They illustrate what we need to do to defend
    ourselves
  • Some of them are pretty Kewl! Some are VERY
    NASTY!

7
Note!
  • To the extent possible, platform independents is
    assumed
  • Individual tools may run on UNIX or Windows...
  • We will cover attack concepts that can be applied
    against Windows NT, UNIX, or other platforms
    (Novell, VAX, MVS, etc.)
  • I've included links to tools -- Use at your own
    risk!
  • They could harm your network in unexpected ways
  • Review the source code... Is this legit?
  • Experiment on a test network, separated from
    production and office or campus systems
  • Also, DONT USE YOUR WORK OR BUSINESS ACCOUNT TO
    DOWNLOAD THE TOOLS OR SURF THE HACKER SITES! Why?

8
General Trends of Exploits
  • What are we seeing in the wild?
  • Hacker tools are getting easier to use and more
    easily distributed
  • The rise of Hacker groups as distribution houses
    for software
  • The LOpht and Cult of the Dead Cow
  • High-quality, extremely functional hacker tools
  • Better quality than from some major software
    houses

9
General Trends
  • Excellent communication through the computer
    underground to Chat, web, informal grouping, and
    hacker Computer and Network Conferences
  • With the rise of these hacker groups, a lot more
    information about security is available to the
    general public. The less-informed attackers
    (often called "script kiddies" or "ankle biters")
    will use this information in attacks. We must use
    this information to defend ourselves. I've
    included several references at the end of the
    handouts to help you stay informed.

10
General Trends
  • Used to be many different types of systems out
    there (the computer room)
  • Now, we have a smaller number of systems types
    (Windows, Linux, MacOS, SunOS, FreeBSD, Palm,
    etc)
  • They are distributed everywhere!
  • Less experience users and administrators
  • One virus or attack can jeopardize vast number of
    systems (Morris worm, Melissa Virus, I LOVE YOU)
  • Home Laboratories are easy to set up for the
    hacker!

11
NEVER
  • UNDERESTIMATE
  • YOUR
  • ADVERSARY!!!

12
Your Adversaries Advantages
  • He can use multiple sources for his attack
  • His attack can be timed to be inconvenient for
    you (Friday before a 3-day holiday, Christmas
    Eve, During your company picnic,)
  • He has the ability to corral greater media
    attention
  • Increased sense of hero complex when a hacker
    brings down a large company.

13
Two Attack Forms
  • Zero-Knowledge Attack
  • No knowledge from the inside of your organization
    is know before the attempt is made to target your
    company (your assets, intellectual property,
    finances, or other)
  • Knowledgeable, perhaps by use of an inside, or
    from an insider
  • An inside, either implanted or home grown has
    decided to gather information to be used for
    targeting your organization.

14
Reconnaissance
15
Reconnaissance
  • An attacker will gather as much information as he
    can about you, your company, your people, your
    computers, your network, and your physical
    security.
  • Your network
  • You may not know it, but there is already much
    information about you out there.
  • An adversary will use all data mining possible.

Reconnaissance
16
Open information
  • American Registry for Internet Numbers
  • Who owns particular IP address (Whois)
  • (http//www.arin.net/whois/arinwhois.html)
  • DNS Interrogation (use nslookup)
  • Targets own web site (crawl it a lot of info
    can be gathered by crawling names, e-mail
    address, phone numbers, branches of the
    organization, trusted relationships)
  • programs Websnake, Webzip, curl
  • Search Engines, web searches
  • can show trusted relations (for example, you may
    show up on a customer list, your web designer may
    use you as a reference)

Reconnaissance
17
Open Information
  • Usenet news postings (WWW.Deja.com)
  • FlippingRelated pages which link use
    altavista, and search for linkwww.target.com
  • (Hotbot linkdomainwww.target.com)
  • Example on altavista, linkcisco.com AND
    titleresume if you are looking for resumes of
    cisco engineers.

Reconnaissance
18
Open Information
  • X-Raying finding areas in a company web page not
    normally accessable. How? In Altavista, host or
    url followed by keywords or names.
  • Example hostlucent.com and business
    development

Reconnaissance
19
Open Information
  • Peeling many times there is more information
    embedded within really long URLs. Peel off some
    of the junk and look for web addresses or
    secondary addresses, and unique areas.
  • Example http//www.lucent.com/web1.lucent.com/re
    sumes/kramerz.html
  • http//anon.free.anonymizer.com/http//www.snowmap
    s.com

Reconnaissance
20
Open Information
  • Anchor Searches Anchor labels may be informative
    in searching for targets.
  • Example You can search the anchors by using a
    search engine and using anchor view resumes
  • Harvesting pick out and use keywords in related
    documents then use meta search engines (like
    alltheweb.com, mamma.com, dogpile.com)

Reconnaissance
21
Open Information
  • Peer searches once you find specific information
    or specific people, conduct peer searches using
    the Meta search engines.
  • Example Jon Doe bank manager doej_at_bank.com
  • use dogpile and look for all other references to
    doej_at_bank.com
  • Might turn up doej is into drag racing and a
    common dialog could be established.

Reconnaissance
22
Open Information
  • Open a phony e-mail account. Send e-mail to
    insiders. (The return e-mail headers can tell
    you loads of info about the inside systems!)
  • DATA-MINING!!!! Company, people, trusted
    relationships, mailing lists
  • Capability to connect to company DNS server (pull
    down all registered domains at a site!)

Reconnaissance
23
Scanning
  • finding weak points

24
WAR Dialing
  • Named for the dialer in the movie Wargames
  • An attacker is trying to find a backdoor into
    your network. A modem which is used for remote
    access.
  • This might be the easiest point of penetration!
  • The telephone numbers gathered in the recon phase
    are a good starting point!
  • Phreaking is looking for voice back doors,
    whereas hacking is looking for network access
    backdoors.

Scanning
25
WAR Dialing
  • War dialers dial a sequence of telephone numbers
    attempting to locate modem carriers or a
    secondary dial tone
  • demon Dialers is another name
  • Phone Numbers come from
  • Phone book, InterNIC data, WebCrawl, mailing
    lists, newsgroups, social engineering I am from
    the phone company and I need to verify what
    numbers you folks are using for data lines

Scanning WAR Dialers
26
WAR Dialer Software
  • The Hackers Choice 2.0
  • A-DIAL (Auto Dial) by VeXaTiOn, 1995
  • Deluxe Fone-Code Hacker by The Sorceress KHAIAH
    1985
  • Dialing Demon version 1.05 by Tracy McKibben 1988
  • Doo Tools version 1.10, by Phantom Photon 1991
  • PBX Scanner Version 5.0, by Great White 1989
  • SuperDialer 1.03 by Evan Anderson 1990
  • ToneLoc 1.10 by Minor Threat Mucho Maas 1994
  • X-DialerR by ICiKl 1996
  • Z-Hacker 3.21, by BIackBeard 1991

Scanning WAR Dialers
27
The Hackers Choice 2.0
  • THC-Scan 2.0 The Hacker's Choice (THC)
  • Written by Van Hauser released 12/98
  • Essentially an updated to the very venerable
    ToneLoc (by Mucho Maas and Minor Threat, 1994)
  • Available at hftp//thc.infemo.tusculum.edu
  • THC-Scan is one of the most full featured,
    non-commercial, war dialing tools available
    today.

Scanning WAR Dialers
28
The Hackers Choice 2.0
  • Need a screenshot here

Scanning WAR Dialers
29
The Hackers Choice 2.0
  • Note that the screen shows a nice real-time
    inventory of detected lines.
  • A convenient statistic is the number of lines
    dialed per hour. With a single machine and a
    single modem, we typically do 100 to 125 lines
    per hour. This is a useful metric in determining
    how long it will take to dial large numbers of
    lines (also, it helps you to see what your
    consultants really are charging you if you
    outsource this!)

Scanning WAR Dialers
30
THC 2.0 Features
  • Carrier Mode and Tone Mode (open PBX allows you
    to dial another number)
  • Dial random, sequential, or a list of numbers
  • Scanning through a modem out-dial
  • Break up work across multiple machines
  • Or multiple instances of THC-Scan on one system,
    each with its own modem
  • Supports a separate dialing program (THC-Scan
    supplies the telephone number to the dialer
    program)

Scanning WAR Dialers
31
THC 2.0 Features
  • Nudging
  • Nudging refers to sending a pre-defined string of
    characters to a discovered modem. The war dialer
    "nudges" the target, to get it to respond with
    possibly useful information banners, login
    prompts, etc
  • Random waits between calls (to lower chance of
    detection)
  • Rudimentary jamming detection (counts number of
    busy signals)

Scanning WAR Dialers
32
Ok, I found the numbers
  • You found a number of modems. What do you do
    now??
  • Review the war dialer logs and look for familiar
    login prompts or even warning banners
  • Connect to each discovered modem
  • Often times, you will find a system without a
    password
  • PCAnywhere for a clueless user -- you're in,
    baby!
  • Old, neglected machine still on the network
  • A Router!!!!!
  • If there is a userID/password prompt, guess
  • Make it an educated guess, based on the system
  • What are default accounts/passwords?
  • What are common things associated with the target?

Scanning WAR Dialers
33
Notes
  • THC has released a powerful scripting language
    for hacking login prompts Login Hacker
    (hftp//thc.inferno.tusculum.edu/)
  • It is a tool for password guessing
  • Many systems tell you what platform they are
    (e.g., "Hi, I'm AIX!"). For others, you can
    determine this information from the nature of the
    prompt. UNIX boxes and Cisco router prompts are
    particularly easy to identify.
  • While guessing passwords is a time-consuming
    process, keep in mind that time is the single
    greatest resource your adversaries have.

Scanning WAR Dialers
34
Try these Username/passwords!
  • Root
  • sync
  • bin
  • nobody
  • operator
  • manager
  • Admin
  • Administrator
  • System
  • days of the week
  • COMPANY NAME
  • COMPANY PRODUCT
  • Custom dictionaries built from company keywords
    and acronyms

Scanning WAR Dialers
35
WAR Dialer Defense
  • An effective dial-up line and modem policy is
    crucial
  • Inventory all dial-up lines with a business need
  • Activate scanning detection functionality in your
    PBX, if available
  • Telewalls A firewall for phones
  • Conduct war dialing exercises against your own
    network
  • reconcile your findings to the inventory
  • Utilize a commercial war dialer
  • Sandstorm's Phonesweep or ISS's Telephony Scanner
  • Toneloc or THCScan (Free)
  • Conduct periodic desk-to-desk checks in the
    evenings
  • Use two people for this (buddy system)

Scanning WAR Dialers
36
Some concerns
  • When war dialing against your own network, how do
    you determine which numbers to dial?
  • you should get a list of all analog lines at
    your PBX. You may also want to consider dialing
    digital lines, because inexpensive digital line
    modem adapters are readily available.

Scanning WAR Dialers
37
Some concerns
  • A major concern involves numbers not accessible
    through your PBX (i.e., direct lines from the
    telco). The best, although not ideal, approach
    for finding these is to follow the money - get
    the telephone bills from the telco. Ask your
    telco to give you a copy of all bills being
    mailed to a given address, or, if possible, all
    bills for lines at a certain address.

Scanning WAR Dialers
38
Some concerns
  • When you do desk-to-desk checks, you should
    always employ the the buddy system. With an
    explicit two-person team checking for
    unwanted/unregistered modems, you will not be
    subject to claims of unfairness or worse yet,
    theft from people's desks. If a single person
    checks for modems late at night, and something
    turns up missing from someone's desk, you may
    have significant problems.

Scanning WAR Dialers
39
Port Scanning

40
TCP/IP Handshake
  • TCP/IP 3-way Handshake establishes a connection
    to a port

Scanning Port Scanning

All legitimate Transmission Control Protocol
(TCP) connections (e.g., HTTP, telnet, ftp, etc.)
are established through a three-way handshake.
65,535 TCP ports, 65,535 UDP ports (no 3-way with
UDP)
41
Three Way Handshake
1 Send SYN seqx
2 Send SYN seqy, ACK x1
3 Send ACK y1
The handshake allows for the establishment of
sequence numbers (x or y are ISN Initial
Sequence Number) between the two systems. These
sequence numbers are used so that TCP can provide
for reliable packet delivery in sequential order.
Sequence numbers are used for sequencing and
retransmissions.
42
Port Scanners
  • Scan all 65,535 (times 2) ports
  • Find tcp 80, web server
  • Find tcp 23, telnet server
  • Find udp 53, DNS server
  • Find tcp 6000, X Window server
  • etc.
  • Nmap is a very useful tool with advanced scanning
    capabilities
  • Available at hftp//www.insecure.org/nmap

Scanning Port Scanning
43
Port Scanners
  • By scanning each port, we can determine what is
    listening on the box, and find ways to get in.
    Tools like Nmap allow us to inventory open ports
    in a variety of ways. Numerous other port
    scanners are available, including
  • strobe
  • Probe
  • etcp
  • Nmap is the most fully featured of all of these
    tools.
  • The ISS and CyberCop commercial scanners also
    include port scanning capabilities.

Scanning Port Scanning
44
Open Port Information
  • With a list of open ports, the attacker can get
    an idea of which services are in use by
    consulting RFC 1700. Also, particular exploits
    for these services can be found at
  • http//www.technotronic.com.
  • the attacker can devise his/her own exploits!
  • http//www.iana.org

Scanning Port Scanning
45
An NMAP scan
NMAP
  • Allows for conducting numerous types of scans
  • "Vanilla" TCP scans
  • Connect to every port, with 3-way handshake
  • SYN scans (aka "half-open" scans)
  • Only do initial SYN
  • Harder to detect and much quicker
  • FIN scans
  • Stealthy and bypass some filters
  • SYN scan using IP fragments
  • Bypass some packet filters... Yes!
  • UDP Scanning
  • FTP Proxy "Bounce Attack" Scanning
  • RPC Scanning
  • TCP Sequence prediction test
  • ACK scanning
  • Xmas Tree
  • NULL scan

Scanning Port Scanning
46
NMAP scan FTP Proxy Bounce
NMAP
  • FTP Proxy "Bounce Attacks" utilize an ancient
    feature of FTP servers. These servers allow a
    user to tell the server to send the file to
    another system. Using this capability, an
    attacker can bounce an NMAP port scan off of
    someone's FTP server, to help obscure the source
    of the attack.
  • You should make sure that you disable the FTP
    Bounce capability from your public FTP servers.

Scanning Port Scanning
47
NMAP TCP Stack Fingerprinting
NMAP
  • Attempts to determine the operating system of
    target by sending various packet types and
    measuring the response
  • This concept originated with a tool called QueSO,
    available at hftp//www.apostols.org/projectz/que
    so

Scanning Port Scanning
48
NMAP TCP Stack Fingerprinting
NMAP
  • Nmap does various types of tests to determine the
    platform
  • TCP Sequence Prediction
  • SYN packet to open port
  • NULL packet to open port
  • SYNFINURGPSH packet to open port
  • ACK packet to open port
  • SYN packet to closed port
  • ACK packet to closed port
  • FINPSHURG packet to closed port
  • UDP packet to closed port

Scanning Port Scanning
49
NMAP TCP Stack Fingerprinting
NMAP
  • In addition to finding out what ports are open on
    a system, an attacker also wants to determine
    which platform (Operating system and hardware)
    the system is based on.
  • By determining the platform, the attacker can
    further research the system to determine the
    particular vulnerabilities it is subject to.
  • For example, if the system is a Windows NT Server
    4.0 box, the attacker can utilize
    http//www.technotronic.com or http//xforce.iss.n
    et/
  • to focus the attack.

Scanning Port Scanning
50
TCP Stack Fingerprinting
NMAP
  • Note that each TCP stack implementation may have
    a very unique signature to how it behaves,
    particularly when confronted with various illegal
    combinations of TCP flags and packets!
  • This information is used to identify the target
    system.
  • NMAP has a data base of how various systems
    respond to these illegal flags. NMAP can
    determine what system you are running!!!

Scanning Port Scanning
51
TCP Stack Fingerprinting
NMAP
  • Based on the TCP stack response, Nmap can
    identify over 386 types and versions of systems,
    including
  • Windows 3.1, 3.11, 95, 98, NT (SP 1-4 or 5-6)
  • Win2000
  • Solaris 2.x AIX
  • Cisco IOS
  • Linux
  • 3Com products

Scanning Port Scanning
  • NetBSD, FreeBSD
  • MacOS
  • VAX/VMS / Open VMS
  • HP/JetDirect
  • HP-UX
  • SCO UNIX
  • IRIX

52
TCP Stack Fingerprinting
NMAP
  • Customizable database so the hacker can add his
    own information signatures
  • Using this information, an attacker can focus an
    attack!!!
  • An NT Portscanner -- SuperScan

Scanning Port Scanning
53
NMAP Demo
Scanning Port Scanning
  • Superscanner demo

54
Port Scanner Defense
  • Close All unused ports!
  • Unix /etc/inetd.conf also /etc/rc3.d (xinetd
    daemon)
  • Windows NT disable all unnecessary services by
    uninstalling them or shutting them off in the
    services control panel
  • Windows 2000 restrict ports, shut off services

Scanning Port Scanning
55
Port Scanner Defense
  • Utilize an Intrusion Detection System (IDS)
  • Commercial
  • ISS RealSecure
  • Cisco NetRanger
  • Network Flight Recorder
  • More
  • Freeware
  • Snort

Scanning Port Scanning
56
Firewall Attacks
FireWalk
  • Firewalk allows an attacker to determine which
    ports on a (packet filter) firewall are open
  • Written by David Goldsmith and Michael Schiffman,
    October 1998, and available at http//packetstorm.
    securify.com/UNIX/audit/firewalk
  • Based on ideas originally used in traceroute, a
    tool that determines the path of packets using
    the IP Time-To-Live (TTL) field

Scanning -- FireWalk
57
  • Firewalk is a network auditing tool that attempts
    to determine what transport protocols a given
    gateway will pass.
  • Firewalk works by sending out TCP or UDP packets
    with a TTL one greater then the targeted gateway.
    If the gateway allows the traffic, it will
    forward the packets to the next hop where they
    will expire and elicit an ICMP_TIME_EXCEEDED
    message.
  • If the gateway host does not allow the traffic,
    it will likely drop the packets on the floor and
    it will see no response.

Scanning -- FireWalk
58

Knowing which ports are open through your
firewall is incredibly useful information for an
attacker. Each of these open ports offers a
possible entryway into your network. Nmap is used
to send packets to an end system to determine
which ports are listening on a given machine.
Firewalk is used to send packets through a packet
filter device (firewall or router) to determine
which ports are open through it. Nmap cannot
differentiate between what is open on an end
machine and what is being firewalled. Firewalk
can determine if a given port is allowed through
a firewall.
Scanning -- FireWalk
59
TTL1
Time to Live Exceeded
TTL2
Time to Live Exceeded
60
What Does Firewalk give the attacker?
  • An attacker will use this information to probe
    your DMZ and internal systems through the proper
    ports. If you allow port 23 through your
    firewall, but nothing is listening on your DMZ on
    port 23, you might feel safe. An attacker can
    verify that port 23 is open through your firewall
    with Firewalk, even though nothing on your DMZ
    has that port open.
  • Once discovering the open port through the
    firewall, an attacker can easily set up a script
    to check if any DMZ systems suddenly have telnetd
    enabled. You might periodically enable it for
    some administrative functions. If so, the
    attacker can jump in and gain access

Scanning -- FireWalk
61

Scanning -- FireWalk
62
  • Works for TCP or UDP, since time-to-live is at
    the IP-layer
  • Firewalk requires two inputs
  • The IP address of the gateway before firewall
    filtering takes place (e.g., 10.1.1.1)
  • An ultimate destination on the other side of the
    firewall (e.g., 10.2.1.10)

Scanning -- FireWalk
63
(No Transcript)
64
(No Transcript)
65
(No Transcript)
66
  • Firewalk utilizes the Time-To-Live (TTL) field of
    the IP header. Therefore, it can function to
    determine which ports are filtered for either UDP
    or TCP, which ride on top of IP.

Scanning -- FireWalk
Ext IP10.1.1.1
IP10.2.1.10
Protected server
67
  • Firewalk determines the filtering rules
    associated with packet filters (either for a
    host-based packet filter firewall or router
    access control lists). Firewalk does not work
    against pure proxy-based firewalls, because
    proxies do not forward packets. Instead, a proxy
    application absorbs packets on one side of the
    gateway and regenerates packets on the other
    side. Packet filters actually forward the same
    packets, after applying filtering rules.

Scanning -- FireWalk
68
  • The two inputs for firewalk serve to bound the
    scan.
  • The first IP address is of the firewall itself,
    so the tool can try to "walk" through it by
    incrementing the TTL during a port scan.
  • The second IP address is of the ultimate
    destination machine, so that all packets will
    have this single destination (although the TTL
    will be too small for any packets to actually get
    there). The next slide describes the process of
    firewalking in more detail.

Scanning -- FireWalk
69
Firewalk phases
  • Given this info, firewalk operates in two phases
  • Network Discovery Phase
  • Scanning Phase
  • The Network Discovery Phase essentially does a
    traceroute to determine the hop count to the last
    gateway (router) before the filtering takes place

Scanning -- FireWalk
70
TTL4
Time to Live Exceeded
TTL3
Time to Live Exceeded
Attacker
IP10.2.1.10
TTL1
Firewall
Time to Live Exceeded
TTL2
IP10.1.1.1
Time to Live Exceeded
71
During the network discovery phase, Firewalk
sends packets with incrementing TTLs to determine
how many network hops exist between the tool and
the firewall. When a packet reaches its maximum
TTL (which is decremented by each hop), the final
gateway sends back a Time-to-live exceeded
message.
Attacker
IP10.2.1.10
This is essentially the same function as
traceroute, used to determine the hop count. Once
this number is determined, the tool can conduct
the scanning phase.
Firewall
IP10.1.1.1
72
TTL4, TCP Port 1
TTL4, TCP Port 2
TTL4, TCP Port 3
TTL4, TCP Port 4
TTL4, TCP Port 80
Time to Live Exceeded!!!
Attacker
IP10.2.1.10
Port 80 is unfiltered!!!!!
Firewall
IP10.1.1.1
73
Firewalk
  • The Scanning Phase is very simple. A port scan is
    done with packets whose time to live is set
    beyond the last gateway before filtering
  • Based on response, we can determine filtering
    rules
  • If a Time-To-Live exceeded message comes back,
    the port is open, because the packet got through
  • If nothing comes back, the port is filtered

Scanning -- FireWalk
74
Firewalk
  • For the scanning phase, the TTL is set to one
    greater than the hop count to the filtering
    device. If a packet gets through the filter, a
    Time-To-Live exceeded message will be sent by the
    system immediately on the other side of the
    filter. If a Time-To-Live exceeded message comes
    back, that port is open through the firewall. If
    nothing comes back (or a port unreachable
    message), the port is filtered by the firewall.
  • By conducting a scan of all TCP and UCP ports,
    the attacker can get a very accurate idea of the
    filtering rules.

Scanning -- FireWalk
75
Firewalk Defenses
  • 1) Just live with it accept the fact that
    someone could map your network and determine your
    firewall filtering rules
  • 2) Disallow ICMP TTL Exceeded messages from
    leaving your internal network May cause
    problems! Network diagnostics may not work, and
    your users may want to traceroute(quite a
    reasonable idea for sensitive networks), NAT
  • 3) Use a proxy server instead of a packet filter
  • Packet filters have IP forwarding on, so the
    packets traverse them and "live on
  • Proxies are an end point of the connection the
    packets are not forwarded, so their life ends
    upon reaching the proxy
  • Possible performance implications

Scanning -- FireWalk
76
Vulnerability Scanners

77
(No Transcript)
78
Vulnerability Scanners
  • SATAN is the granddaddy of these tools (saint,
    sara SANTASATAN)
  • Many commercial derivatives
  • ISS's scanner
  • Network Associates' CyberCop
  • Cisco's NetSonar
  • These are all tools to help to map a network,
    scan for open ports, and find various
    vulnerabilities
  • They generate nice looking reports for
    management
  • The tools test against a list of known exploits
  • What about the unknown?
  • That's why we want to have security in-depth!
  • Use a multi-layered, sound architecture

Vulnerability Scanning
79
SATAN
  • SATAN is rather old, and does not include a
    mountain of vulnerabilities that have been
    discovered since its release. The commercial
    tools are fairly easy to use, with
    point-and-click GUIs. If you are going to use
    them, please make sure that you know what you are
    doing!
  • Tip disable Denial of Service (DoS) attacks,
    unless you specifically want them. You dont
    want to disrupt your own network productivity

Vulnerability Scanning
80
More Tips
  • Be careful with password guessing modules. They
    may lock out legitimate users! You may want to
    disable these modules from running across the
    network and use password cracking software on the
    local system files to find weak passwords.Use
    L0pht cracker or others Look on your CD under
    password crackers.

Vulnerability Scanning
81
Scanner Limitations
  • Vulnerability scanning tools are extremely useful
    because they automate security checks across a
    large number of systems over the network.
    However, please understand their limitations!
  • The tools only check for vulnerabilities that
    they know. They cannot find vulnerabilities that
    they don't understand.
  • The tools tend to be very dumb and flat -- they
    look for vulnerabilities.
  • A real attacker will apply a great deal of
    intelligence to try to reverse engineer your
    network.
  • Instead of just looking at the outside
    interfaces, the intelligent attacker will try to
    understand what's going on behind them.

Vulnerability Scanning
82
Nessus
  • Nessus is a free, open-source general
    vulnerability scanner
  • It is used by the white hat community (security
    folks) and the black hats (malicious hacker)
  • Facts
  • Project started by Renaud Deraison
  • Available at hftp//www.nessus.org
  • Consists of a client and server, with modular
    plugins for individual tests

Vulnerability Scanning
83
Nessus
  • Nessus is a very useful tool, and has some
    advantages over the commercial tools
  • You can review the source-code of the main tool
    and any of the security checks to make sure that
    nothing "fishy" is going on.
  • You can write your own tests and incorporate them
    into the tool
  • A large group of developers is involved around
    the world creating new tests
  • The price! US 0.00
  • DEMO!

Vulnerability Scanning
84
Configure and monitor
Vulnerability Scanning
scan
Server has numerous plug-ins with various tests
85
(No Transcript)
86
Nessus
  • The client and server can be on the same machine.
    (you can put it all on a laptop)
  • Information between the client and the server can
    be encrypted
  • Large number of plug-ins available for the
    server, each testing for specific vulnerabilities
    in the target.

Vulnerability Scanning
87
Nessus - Platform
  • Server
  • FreeBSD, Linux, and Solaris
  • Client
  • FreeBSD, Linux, Solaris
  • Windows 95/98/NT 2000
  • Java (can run on Macs, anything)
  • Remember, both Client and Server can be on the
    same machine.
  • For serious work with Nessus, use Nessus on Unix

Vulnerability Scanning
88
Nessus - Plugins
  • Separate plug-in for each type of attack
  • There is a defined API for writing Nessus
    plug-ins
  • Currently, plug-ins written in C
  • Or, plugins can be written in the Nessus Attack
    Scripting Language (NASL)
  • One plugin is in charge of doing one attack and
    to report the result to the nessus server
    (nessusd).
  • Each plugin can use some functions of the Nessus
    library, called libnessus.
  • CVS version and daily snapshots are available.
  • As of November, 2000
  • Over 300 UNIX plug-ins
  • 90 Windows NT plug-ins
  • Make sure you check those MD5 hashes!!! (so you
    dont load a Trojan plugin!!!!!)
  • A very nice capability of Nessus is the ability
    to write your own plug-ins, a capability not
    supported in the major commercial scanners.

Vulnerability Scanning
89
Nessus GUI
You can configure -port for the client to server
comm -Encryption algorithms -Target
systems -which plugins to use -port ranges and
types of scans -email address for report
Vulnerability Scanning
90
Vulnerability Scanners - Defense
  • Close all unused ports Shut off all unneeded
    services
  • In Windows NT, stop or delete services in
    services control panel
  • In UNIX, edit /etc/inetd.conf and rc.d files
  • Apply all system patches
  • Keep up to date!
  • Utilize an Intrusion Detection System
  • Network-based IDS
  • Commercial ISS ReaISecure, Cisco NetRanger,
    Network Flight Recorder, Dragon, etc.
  • Freeware Snort

Vulnerability Scanning
91
Exploiting Systems
  • Gaining Access
  • Denial of Service
  • Application Level Attacks
  • Stealthy Attacks

92
Gaining Access
  • IP Address Spoofing
  • IP Fragmentation Attacks, FragRouter
  • Sniffing (Sniffit)
  • Session Hijacking (Hunt)
  • DNS Cache Poisining (Jizz)
  • Web Hijacking
  • Netcat and other Hack tools

Exploiting Systems
93
IP Address Spoofing
  • Spoofing Pretending to be someone else
  • IP address spoofing is quite common in a number
    of attacks
  • Foiling systems that utilize IP addresses for
    control
  • Router access control lists
  • Firewalls
  • Trust relationships (particularly, UNIX
    r-commands)
  • Denial of Service
  • Logs

Exploiting Systems
94
IP Spoofing
  • IP Spoofing can be trivial or very complex
  • Option 1 Change the IP address
  • Option 2 IP Address Spoofing and Trust
    Relationship Attacks
  • Option 3 IP Address Spoofing and Source Routing

Exploiting Systems
95
IP Spoofing
  • One of the most common types of attack building
    blocks involves changing or disguising your IP
    address, commonly called "IP Address Spoofing".
    After all, an attacker doesn't want to have
    his/her actions traced. Furthermore, IP address
    spoofing can be used to undermine various
    applications, particularly those that
    (dangerously) rely only on IP addresses for
    authentication or filtering. The UNIX
    "r-commands" (e.g., rlogin, rsh, rcp, etc.) are
    examples of tools that support authentication
    based on IP address.

Exploiting Systems
96
Option 1
  • I can change my IP address to anything I want...
  • UNIX ifconfig eth0 w.x.y.z
  • Windows use network control panel
  • Yes, but... You won't get responses to your
    messages, because the network won't route the
    responses back to you you
  • Also, the TCP 3-way handshake will cause you
    problems
  • You'll get a RESET message from the real system,
    unless ....

Exploiting Systems IP Spoofing
97
Recall the Three Way Handshake
1 Send SYN seqx
2 Send SYN seqy, ACK x1
3 Send ACK y1
The handshake allows for the establishment of
sequence numbers (x or y are ISN Initial
Sequence Number) between the two systems. These
sequence numbers are used so that TCP can provide
for reliable packet delivery in sequential order.
Sequence numbers are used for sequencing and
retransmissions.
98
Option 1 Simple SpoofingChange Address
When the spoofee sends the 2nd leg of the 3-way
handshake, the system who's address is being
spoofed will send a RESET message. The RESET
message says, essentially, "Hey! I'm not having a
conversation with you .... Leave me alone!"
SYN ( A, ISNa)
Eve
ACK(A, ISNa) SYN(B, ISNb)
RESET!!
99
Option 1 Simple SpoofingChange Address
  • An attacker can use simple IP address spoofing to
    cover his/her tracks in a simple Denial of
    Service attack (which we'll discuss later).
    However, it's not too useful beyond that.
  • So, simple address spoofing is of limited use.
    You cannot have true interactive sessions with a
    host using this technique (unless you are on the
    same LAN segment .... If Eve were on the same LAN
    as Bob, the response from Bob could be
    intercepted by Eve, allowing for interactive
    sessions).

Exploiting Systems IP Spoofing
100
Option 2 Exploit Trust
  • We can take over a system with IP Address
    spoofing by Eve exploiting the UNIX trust
    relationships
  • A variant of this attack was used by Kevin
    Mitnick against Tsutomu Shimomura in December,
    1994
  • Sadly, it's still a useful technique today
  • Mostly on intranets, because properly implemented
    firewalls have helped to stop this attack across
    the Internet

Exploiting Systems IP Spoofing
101
Option 2 Exploit Trust
  • Assume machine Bob trusts machine Alice (e.g.,
    Alice's name is in Bob's /etc/hosts.equiv file or
    in a user's /.rhosts file)
  • These trust relationships essentially mean that
    once a user logs in to Alice, the user can access
    Bob without supplying a password. This access is
    allowed, because Bob trusts Alice to do the
    authentication properly. These trust
    relationships are essentially using IP addresses
    to support (or substitute for) authentication.

Exploiting Systems IP Spoofing
102
Option 2 Exploit Trust
  • Trust relationships are widely used in the UNIX
    world, particularly for system administration. We
    frequently see environments where a single
    administrator is responsible for dozens or even
    hundreds of systems. To move from system to
    system, they often use trust relationships and
    UNIX r-commands for access so that they do not
    have to retype the password again and again and
    can easily send commands via rsh. This is a major
    security concern, because these trust
    relationships can be undermined as described on
    the next slide

Exploiting Systems IP Spoofing
103
Exploit Trust
  • The "random" sequence number sent by Bob (ISNb)
    is often predictable
  • Eve can interact with Bob and, based on careful
    timing, predict future sequence numbers with some
    level of accuracy
  • This gives Eve a one-way channel to Bob
  • And Bob will think Eve is Alice!!! That's a
    spoof!
  • Great!!! But... What about Alice's RESET?
  • You take Alice out of the picture for a while...
    Denial of Service

Exploiting Systems IP Spoofing
Eve can have an open channel to Bob. She can
quickly reconfigure Bob so that Eve has full
access, without spoofing.
104
IP Sequence Prediction
105
Step-by-step
  • Step 0 Eve interacts with Bob by connecting to
    one or more of his open ports. These connections
    allow Eve to determine the approximate rate at
    which Bob's ISNs are changing. This information
    will be used to predict the ISN to use in Step 4.
  • Step 1 Eve launches a Denial of Service attack
    against Alice. Alice is dead for a period of
    time.
  • Step 2 Eve initiates a connection to Bob, using
    Alice's address (Eve will likely try to utilize a
    command like rsh). The first part of the 3-way
    handshake is done.
  • Step 3 Bob dutifully responds with the 2nd part
    of the 3-way handshake. This packet is routed to
    Alice, who is dead and cannot respond with a
    RESET.
  • Step 4 Using the information gathered in Step 0,
    Eve sends the ACK to Bob, again spoofing Alice's
    address

Exploiting Systems IP Spoofing
106
Option 2 Exploit Trust
  • Now Eve has an open channel to Bob
  • Eve (posing as Alice) can feed commands to Bob
  • Eve can use rsh command to add the real Eve to
    the trust relationship of Bob. How? Concatenate
    to /etc/hosts.equiv or simply add her name.
    UNIX only.
  • Eve will see no replies from Bob, however, Alice
    cannot respond (due to DoS)
  • For a short time, Eve looks like Alice to Bob
  • Eve must fly blind, but can re-configure Bob.

Exploiting Systems IP Spoofing
107
Option 3 Source Routing
  • this attack is simpler than option 2... and
    platform independent (Option 2 required UNIX
    trust relationships)
  • Just use source routing ....
  • With a source that appears to come from the
    spoofed address
  • ...and a path that includes the "spoofer" --
    (i.e., the attacker)
  • All packets will follow the path
  • And responses will, too
  • This method for IP address spoofing is based on
    source routing. Source routing is an option in IP
    that allows the source of a packet to specify the
    path it will take on the network. Each router hop
    is included in the packet's header.

Exploiting Systems IP Spoofing
108
Source Routing
For this attack, Eve generates a source-routed
packet that appears to come from Alice (that's
the spoof). The packet contains a fake route list
that includes Eve's address. Note that the route
list is correct for all routers between Even and
Bob. Routers before Eve are irrelevant. Eve sends
this packet on the network. If the network allows
source routed traffic, the packet will follow
Eve's specified path to deliver the packet to
poor Bob. Bob will take action on the packet
(complete the TCP 3-way handshake, or whatever)
and send the response, source routed back to
Eve. Eve will intercept the packet, rather than
transmitting it back to Alice .... There you go!
Eve can get the responses from Bob while spoofing
Alice's address.
Route 1.Alice2.Router X3.Eve4.Router
Y5.Bob PACKET CONTENTS
Eve
Route 1.Bob2.Router Y3.Eve4.Router
X5.Alice PACKET CONTENTS
109
IP Address Spoofing Defenses
  • Make the Initial Sequence Numbers truly random
    Need to install patches for TCP/IP stacks
  • Be careful with trust relationships Do not extend
    trust outside of firewall
  • Either UNIX or Windows NT trust relationships
  • Don't base authentication on IP addresses
  • Utilize passwords, crypto, or other techniques
  • Replace very weak r-commands with stronger
    commands
  • ssh, or its freeware cousins (lsh)
  • Utilize anti-spoof filters at routers and
    firewalls
  • Do not allow source routed packets through
    network gateways
  • Internet gateways (firewalls) and business
    partner connections

Exploiting Systems IP Spoofing
110
NEVER
Never use source routing in Firewalls, routers,
or any gateway system!
About PowerShow.com