Title: Networks and Security
Slides: 160
Provided by: webe150

Networks and Security
How Real is the Threat?
  • 88% of IT staff polled in the US recently said
    their organizations had been affected by Internet
    viruses or worms in the past year, even though 90%
    of firms have an IT security system in place.
    (Information Security Magazine, 2001)

Worm Threats
  • NIMDA and Code Red generated the majority of
    attack activity, accounting for 63% of recorded
  • Each worm attacked known problems with available
  • New zero-day worms that hit vulnerabilities not
  • Future worms will morph

  • 39% seemed to be targeted to breach a specific
    system or company
  • 61% seemed opportunistic, with the attacker
    scanning and looking to exploit what was found
  • 42% of the attacks were aimed at large
    corporations of 1,000 or more employees
  • This suggests higher-profile corporations are
    bigger targets than lower-profile ones

Majority of Attacks Are Launched From a Small
Number of Countries
  • Ten countries account for 70% of attacks
  • 30% United States
  • 9% South Korea
  • 8% China
  • The largest number of attacks per IP address was

Attacks and Ports
Current Attacks
Most Probed Ports
  • Windows service for conversion of IP addresses to
    names in file-sharing apps; the first step in a scan
    to hit file shares
  • Open when a web server is installed
  • Used by MS-SQL Server for remote clients to query
    for network connections
  • The industries with the highest attack rates:
  • Education
  • High Tech
  • Financial Services
  • Media/Entertainment
  • Power and energy companies
  • Each averaged more than 700 attacks per company
    in the last six months
  • Power and energy companies suffered attacks from
    the Middle East at twice the mean of other companies
  • High Tech and Financial companies suffered
    attacks from Asia at a rate 50% higher
    than the mean for other companies

Top Ten Attacks
  • 47.8% MS IIS Server ISAPI overflow
  • 25.1% (Code Red) Generic root request attack:
    root.exe in the /scripts directory
  • 23.5% MS IIS Server traversal attack
  • 17% MS IIS Server arbitrary code attack (URL
    encoded twice)
  • 16.5% (Code Red) "cmd.exe" attack
  • 5% Scan of port 27374 for SubSeven (2600
  • 3.8% Scan for vulnerable or mis-configured FTP
  • 2.8% Scans for RPC enabled
  • 1.3% Scans for ssh (exploit)
  • 1.2% Scans for LPD (exploit) (Source: RipTech)

General Types of Hackers
  • Kiddie Scripters
  • Black hats
  • Network-savvy employees
  • Government Entities

Kiddie Scripters
  • Run scripts from hacker sites
  • Rarely recompile to change ports or affect attack
  • Poor resources - usually tied to an ISP
  • Usually want a quick hit or break-in and are
    largely indiscriminate about targets
  • Leave behind lots of evidence

Take Your Pick of Hacker Groups
Places for Evil
Know Your Enemy -- Places to Visit
  • http://hackersplayground

Black Hats
  • Re-compile the code of others to change the attack
  • Write programs that may or may not be shared
  • Moderate resources: usually tied to an ISP, but
    can have their own domains and domain servers
  • Much more cautious, and attacks may be spread over
  • Mafia-style organizational model: the key talented,
    highly skilled hackers are generally insulated by
    layers of kiddie scripters for protection

Look for a file that doesn't exist on a
web server: the 404 error will reveal the server and
Network-Savvy Employees
  • Never share or use the code of others unless it is an
    intentional deception
  • Inside knowledge of the infrastructure enables a more
    sophisticated approach

Government Entities
  • Attacks and coordinated probes may stretch over a
    period of months or years and are calculated to
    bypass the best IDS
  • Launched as part of policy
  • Has direct access to tier 1 Internet service
    providers (ISPs) or uses government resources
  • Able to manipulate domain and WHOIS databases,
    root servers and Internet routing paths
  • May be recruited from Black hats or federal

Nuisance Threats
  • These individuals may evolve from online trespass
    and vandalism to more criminal activity such as
    theft of information, extortion, and credit card
  • In addition, this group is a pool of potential
    resources for more traditional criminal elements
    to exploit either directly or indirectly

Low Level Threats
  • On-line Trespass
  • Vandalism
  • Script Kiddies compile existing hacker code
  • Existing vulnerabilities

Malicious Threats
  • Launch virus or self-propagating bots that
    harvest e-mail addresses, credit card numbers, or
    other valuable data
  • Identity theft is big business

Doomsday Threats
  • Go after key financial information that can be
    leveraged for money
  • Scan likely unfriendly nations for critical
    infrastructure weak points
  • Characterized by long term stealth (not noisy)
    scans and probes
  • Access to resources
  • Undetectable

Criminal Activity Categories
  • Extortion
  • Organized Crime
  • Political Groups (Terrorists)
  • Industrial Espionage and Sabotage
  • International Intrusions

Criminal Activity
  • 49% of information security professionals'
    companies have had personnel who have physically
    destroyed or stolen computing equipment, up from
    42% in 2000. (Industry Survey, Information
    Security Magazine, 2001)

Hacker Pattern Reuse
  • Each hacker has a signature for attack
  • It is often possible to describe each separate
    attacker by their trademark style and choice of
    tools and exploits
  • Once they find a sequence or type of attack that
    works, they use the same choice of tools each time

Seven Step Attack Profile Overview
  • Reconnaissance - gathering information on your
  • Footprinting - get the network details.
  • Port Scanning - find the actual services
  • Enumeration - promising targets are identified in
    more detail.
  • Gaining Access - choose an informed hack/crack.
  • Escalating Privileges - elevate to system access.
  • Pilfering - grab any interesting/profitable data.
  • Covering Tracks - hide the interloper's romp through
    the machine

Reconnaissance
  • Objective
  • Gathering information about the organization
  • Technique
  • Web searches, public documents, and legal
  • Web browsers: most public or legally available
    information is now available online

Sniffers Are Your Friend and Foe
  • Everything that touches your machine from a data
    network can be seen on a sniffer: passwords,
    account names, social security numbers, birth
    dates, and other personal information
  • Hackers frequently use sniffers to ply their
  • Sniffers also help the good guys by catching
    issues that IDS and firewall logs will miss

Network Associates (NAI) Sniffer
  • Premier network diagnostic program available to
    network professionals
  • A great number of hacker sniffers tend to
    concentrate on capturing and logging targeted
    information such as user names, passwords and
  • dsniff is a package of password-grabbing tools,
    including mailsnarf, an e-mail grabber

Sniffer Exploits
  • Sniffers are programs that use promiscuous
  • These specialized drivers allow network
    information to be sniffed off of the local
    network segment
  • In segments that use Ethernet hubs, as
    opposed to switches, the attacker can log every
    user's information off the network

dsniff: Password-Decoding Sniffer
  • dsniff listens patiently for passwords to come
  • It decodes NetBIOS-based Windows, IMAP, POP3,
    SNMP, and many other types of passwords (it breaks
    no encryption: these protocols send credentials in
    the clear or trivially encoded)
  • If you are using network diagram programs
    like Visio, TGV (Computer Associates) and HP
    OpenView with the read/read-write SNMP community
    string, you are giving it away to attackers
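
What dsniff does under the hood, as an added example (this is not the slides' or dsniff's own code): a minimal decoder for the cleartext protocols named above, run over constructed client-to-server payloads standing in for what a sniffer on a hub segment captures. The hostnames, credentials and the SNMP community string are made up; the SNMPv1 bytes are a hand-built GetRequest. The SSH entry is there to show that an encrypted protocol yields nothing past its banner.

```python
import base64

# Constructed sample of what a sniffer on a shared (hub) segment sees:
# (protocol, client -> server TCP/UDP payload). Not a real capture.
CAPTURED_STREAMS = [
    ("ftp",  b"USER alice\r\nPASS s3cret!\r\nSYST\r\n"),
    ("pop3", b"USER bob@example.test\r\nPASS hunter2\r\nSTAT\r\n"),
    ("http", b"GET /admin HTTP/1.0\r\nHost: intranet.example.test\r\n"
             b"Authorization: Basic Y2Fyb2w6UGFzc3cwcmQ=\r\n\r\n"),
    ("http", b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"),
    # SNMPv1 GetRequest: SEQUENCE { INTEGER version=0, OCTET STRING community, PDU }
    ("snmp", b"\x30\x1b\x02\x01\x00\x04\x06public"
             b"\xa0\x0e\x02\x04\x00\x00\x00\x01\x02\x01\x00\x02\x01\x00\x30\x00"),
    ("ssh",  b"SSH-2.0-OpenSSH_9.0\r\n"),   # only the banner is cleartext
]


def extract_credentials(proto, payload):
    """Return (user, secret) if this cleartext stream leaks a credential, else None."""
    if proto in ("ftp", "pop3"):
        # Both protocols send 'USER x' then 'PASS y' as plain text lines.
        user = None
        for line in payload.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                user = arg.decode(errors="replace")
            elif cmd.upper() == b"PASS" and user is not None:
                return user, arg.decode(errors="replace")
    elif proto == "http":
        # HTTP Basic auth is base64 of 'user:password': encoding, not encryption.
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                try:
                    userpass = base64.b64decode(line.split(b" ", 2)[2], validate=True)
                except ValueError:
                    return None
                user, _, pw = userpass.partition(b":")
                return user.decode(errors="replace"), pw.decode(errors="replace")
    elif proto == "snmp":
        # SNMPv1/v2c: the community string is the second element of the outer
        # SEQUENCE, right after the one-byte version INTEGER (short-form lengths only).
        if (len(payload) > 7 and payload[0] == 0x30
                and payload[2:4] == b"\x02\x01" and payload[5] == 0x04):
            n = payload[6]
            return "community", payload[7:7 + n].decode(errors="replace")
    return None


def sniff(streams):
    """Emulate dsniff's output: one (proto, user, secret) tuple per leaked credential."""
    found = []
    for proto, payload in streams:
        cred = extract_credentials(proto, payload)
        if cred:
            found.append((proto, cred[0], cred[1]))
    return found


if __name__ == "__main__":
    for proto, user, secret in sniff(CAPTURED_STREAMS):
        print(f"{proto:5} {user} -> {secret}")
```

The SNMP case is the one the slide warns about: the community string is an OCTET STRING a few bytes into every SNMPv1/v2c packet, so a management station polling with the read-write community hands it to anyone on the segment.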

Sniffer Defenses
  • Ethernet switches are not a security panacea
  • Flooding the switch with bogus MAC addresses can
    overflow the bridge (CAM) table and cause one of the
    following two switch behaviors:
  • 30% of the time the switch starts forwarding ALL
    packets to ALL ports (hub behavior)
  • 70% of the time the switch crashes
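
A toy model of the fail-open case, added here as an example (not from the slides or any vendor's code): a learning switch with a bounded CAM table, an attacker on one port flooding it with made-up source MACs, and the per-port learning limit that most vendors call port security, which stops it. The crash case on the slide is not modelled; the MAC addresses, port numbers and table size are assumptions.

```python
import random
from collections import OrderedDict


class Switch:
    """Learning switch with a bounded CAM (bridge) table.

    The table maps MAC -> port and holds at most `capacity` entries; the oldest
    entry is evicted to make room (a stand-in for ageing).  Frames for an unknown
    destination are flooded to every other port, which is exactly hub behaviour.
    `max_macs_per_port` models a port-security limit: once a port has that many
    learned MACs, further addresses seen on it are not learned.
    """

    def __init__(self, n_ports, capacity, max_macs_per_port=None):
        self.n_ports = n_ports
        self.capacity = capacity
        self.max_macs_per_port = max_macs_per_port
        self.cam = OrderedDict()                            # mac -> ingress port
        self.delivered = {p: [] for p in range(n_ports)}    # what each port saw

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                return                                      # port security: refuse to learn
        if len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)                    # table full: evict the oldest
        self.cam[mac] = port

    def forward(self, ingress, src, dst, payload):
        """Deliver one frame; return the list of egress ports it went out of."""
        self._learn(src, ingress)
        if dst in self.cam and self.cam[dst] != ingress:
            egress = [self.cam[dst]]                        # known unicast: one port only
        else:
            egress = [p for p in range(self.n_ports) if p != ingress]   # flood
        for p in egress:
            self.delivered[p].append((src, dst, payload))
        return egress


def mac_flood_demo(port_security):
    """Return True if the attacker on port 2 sees A's frame to B after flooding."""
    rng = random.Random(1)
    sw = Switch(n_ports=3, capacity=1024, max_macs_per_port=1 if port_security else None)
    a, b = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"        # constructed addresses
    sw.forward(0, a, b, "hello")                # B not yet known: flooded (normal)
    sw.forward(1, b, a, "hello back")           # now both A and B are in the CAM
    for _ in range(5000):                       # attacker: thousands of bogus sources
        bogus = "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))
        sw.forward(2, bogus, "ff:ff:ff:ff:ff:ff", "")
    secret = "password=hunter2"
    sw.forward(0, a, b, secret)                 # A -> B once more
    return any(payload == secret for _, _, payload in sw.delivered[2])


if __name__ == "__main__":
    print("without port security, attacker sees A->B:", mac_flood_demo(False))
    print("with port security (1 MAC per port):      ", mac_flood_demo(True))
```

The point the slide makes is visible in the result: once B's entry has been pushed out of the table, the switch has no idea where B is and sends A's traffic everywhere, attacker's port included. Limiting how many addresses a port may learn keeps the flood from ever filling the table.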

Sniffer Defense
  • Monitor your switch reboots with the Simple
    Network Management Protocol (SNMP)
  • Send SNMP traps to your central security
    monitoring console when switches reboot or have
    switch-table-full error events
  • It is also very valuable to centrally log switch
    and router SNMP authentication-failure traps, which
    report login authorization failures!

Sniffer Defense
  • @stake makes a sniffer detector, AntiSniff,
    available for trial and sale
  • Hosts running promiscuous drivers take notably
    longer to process network requests
  • This detector bases its detection on
    the noted delays in the surrounding IP client
    software on hosts

L0pht (@stake) AntiSniff
Footprinting
  • Objective
  • Get address range, namespace details, contacts,
    and reverse domain info
  • Technique
  • Open source info, DNS, iterative reverse DNS or
    zone transfer
  • Tools
  • nslookup, dig, whois, ARIN whois, etc.
  • Plain old HTTP lookups on their favorite search
    engine: Google, AltaVista

Footprinting
  • whois
  • nslookup
  • Department of Defense
  • RIPE
  • Web Search Engines
  • Google

Domain Name Service (DNS)
  • The domain name service (DNS) maps text names through
    a hierarchical directory to a specific IP address
    that the computer application can use
  • Domain name servers are also called name servers

Domain Name Service (DNS)
  • DNS servers use forward and reverse zone text
    files that contain domain entries
  • Forward zone files include these record types:
  • A records for IP addresses
  • HINFO records for software and platform
  • CNAME or canonical name records for aliases
  • MX or mail exchange records for email

  • Domain Lookup

DNS Exploit: Information Grabbing
  • Programs like Sam Spade and whois reveal an
    enormous amount of information about your company's
    Internet connections, managers, and
    administrative contacts.

Sam Spade (screenshots)
DNS Exploit: Information Grabbing
  • Defense
  • Use two DNS servers, one inside your network and
    another outside. This is called the split
    domain name server architecture.
  • By blocking outside access to the inside name
    server, which has all the network information, it
    is possible to hide inner host information from
  • Allow only the most essential information to be
    available to the general Internet.
  • Secure the servers the Internet knows about.
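
The two sides of the split-DNS slides in one added example (this is example code, not from the slides or any DNS software): a parser for a constructed zone file of the kind a permissive server hands out on a zone transfer, the footprint an attacker extracts from it (hosts, HINFO platforms, mail servers), and the filtered record set the outside server of a split pair should publish. The domain, addresses and platform strings are invented; the zone format is the simple one-record-per-line subset.

```python
import re

# Constructed zone for a made-up domain (example.test); not a real zone file.
# The HINFO records and the RFC 1918 hosts are exactly what footprinting wants.
ZONE = """\
$ORIGIN example.test.
@        IN SOA   ns1.example.test. hostmaster.example.test. (2001091801 3600 900 604800 300)
@        IN NS    ns1.example.test.
@        IN MX    10 mail.example.test.
ns1      IN A     192.0.2.1
www      IN A     192.0.2.10
mail     IN A     192.0.2.20
mail     IN HINFO "Sun Ultra 5" "Solaris 2.6"
intranet IN A     10.1.1.5
intranet IN HINFO "Dell PowerEdge" "Windows NT 4.0 SP5"
payroll  IN CNAME intranet.example.test.
"""

PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_zone(text):
    """Parse the simple one-record-per-line form above into (name, type, rdata)."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        name, _cls, rtype, rdata = line.split(None, 3)
        fqdn = origin if name == "@" else f"{name}.{origin}"
        records.append((fqdn, rtype, rdata))
    return records


def footprint(records):
    """What an attacker learns from a zone transfer: hosts, platforms, mail relays."""
    hosts = {f: r for f, t, r in records if t == "A"}
    platforms = {f: r for f, t, r in records if t == "HINFO"}
    mail = [r.split()[1].rstrip(".") for f, t, r in records if t == "MX"]
    return hosts, platforms, mail


def external_view(records):
    """Records the outside (Internet-facing) server of a split-DNS pair should
    publish: no HINFO, no private addresses, no aliases pointing at hidden hosts."""
    hidden = {f for f, t, r in records if t == "A" and PRIVATE.match(r)}
    keep = []
    for f, t, r in records:
        if t == "HINFO" or f in hidden:
            continue
        if t == "CNAME" and r.rstrip(".") in hidden:
            continue
        keep.append((f, t, r))
    return keep


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    hosts, platforms, mail = footprint(recs)
    print("attacker sees:", hosts, platforms, mail)
    print("outside server should publish:", external_view(recs))
```

The check that goes with this: from a host outside your network, run `dig @ns1.example.test example.test axfr` against each name server the Internet can reach. A correctly configured outside server refuses the transfer, and its ordinary answers contain nothing the filtered view above would not.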

Split Domain Servers
Denial of Service Exploit
  • Lots of connections enter the half-open TCP state
    as the attacking machines send SYN packets to
    synchronize sequence numbers
  • In the half-open state the host machine consumes
    CPU time and allocates memory buffers, consuming
    limited resources on the host machine
  • The host machine is often sending its SYN-ACK
    replies back to a spoofed attacker address, so the
    handshake never completes
  • If enough TCP half-open states are started on the
    target machine . . .
  • It runs out of memory or CPU resources and stops
    accepting new connections or crashes

Denial of Service Defense
  • Specialized intrusion detection systems recognize
    DoS attacks and issue RST packets to the
    sender, the destination, or both, killing the
    network connection
  • The host machine immediately releases resources
    upon receipt of a packet with the RST flag set

Denial of Service Defense
  • Reduce the TCP half-open (SYN-RECEIVED) wait timer on
    your servers from the default 600 seconds to about 3
    (the parameter name and its default vary by
    operating system)
  • This times out the connection state and allows
    your server to recoup its resources faster and
    resist this attack
  • Increase the server resources: memory is cheap
  • Allocate additional memory buffers (a larger listen
    backlog) to handle the attack; bumping from 10 to
    200 should do it
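
The three defenses on the two slides above can be compared in a small simulation, added here as an example (it is not from the slides and models no particular operating system). A half-open queue of a given size holds each spoofed SYN until its timer expires or an RST frees it, while one legitimate client tries to connect every second. The backlog sizes (10 and 200), the timers (600 s and 3 s) and the attack rates are the slide's figures used as parameters; the IDS that resets every bogus half-open connection is idealised, since a real one has to recognise them first.

```python
import random


class Listener:
    """Model of a server's SYN-RECEIVED (half-open) queue.

    Each spoofed SYN costs a slot until the handshake completes (never, for a
    spoofed source), an RST arrives, or the half-open timer expires.  Times are
    integer milliseconds to keep the simulation exact.
    """

    def __init__(self, backlog, syn_timeout_ms):
        self.backlog = backlog
        self.syn_timeout_ms = syn_timeout_ms
        self.half_open = {}                        # (src ip, src port) -> expiry time

    def _expire(self, now):
        for key in [k for k, t in self.half_open.items() if t <= now]:
            del self.half_open[key]

    def on_syn(self, now, key):
        """True if the SYN got a slot; False if the queue was full and it was dropped."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return False
        self.half_open[key] = now + self.syn_timeout_ms
        return True

    def release(self, key):
        """Slot freed: the peer's final ACK arrived, or an RST (peer or inline IDS)."""
        self.half_open.pop(key, None)


def simulate(backlog, syn_timeout_s, attack_rate, seconds=60, ids_rst=False):
    """Fraction of legitimate clients (one per second) that get a slot while
    `attack_rate` spoofed SYNs per second arrive and never complete."""
    rng = random.Random(0)
    srv = Listener(backlog, syn_timeout_s * 1000)
    spacing = 1000 // attack_rate
    served = 0
    for s in range(seconds):
        base = s * 1000
        for j in range(attack_rate):
            spoofed = ("spoofed", rng.getrandbits(32))
            srv.on_syn(base + j * spacing, spoofed)
            if ids_rst:                            # idealised IDS: resets every bogus half-open
                srv.release(spoofed)
        client = ("client", s)
        if srv.on_syn(base + 999, client):
            served += 1
            srv.release(client)                    # real client completes the handshake
    return served / seconds


if __name__ == "__main__":
    print("backlog 10,  timer 600 s, 20 SYN/s :", simulate(10, 600, 20))
    print("backlog 10,  timer 3 s,   20 SYN/s :", simulate(10, 3, 20))
    print("backlog 200, timer 3 s,   20 SYN/s :", simulate(200, 3, 20))
    print("backlog 200, timer 3 s,  100 SYN/s :", simulate(200, 3, 100))
    print("backlog 10,  timer 600 s, IDS RSTs :", simulate(10, 600, 20, ids_rst=True))
```

Two things the numbers show that the slides only imply: the timer and the backlog have to be tuned together (a 3 s timer with a backlog of 10 still loses every client at 20 SYN/s, because 20 x 3 exceeds 10), and any tuning has a rate beyond which the queue fills anyway (200 slots at 100 SYN/s). Modern stacks add SYN cookies, which remove the per-connection state altogether, but that technique postdates this deck.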

Logical Data Network Structure
  • Networks are made up of network devices that pass
    packets based on addresses and network paths
  • Routers and switches keep track of these
    addresses and routes in internal tables
  • What are some examples of these internal tables?

Logical Data Network Structure
  • Switch (bridge) table: L2 (MAC) addresses associated
    with a physical
  • ARP table: layer 3 network addresses associated
    with a L2 address and usually a physical interface

Logical Data Network Structure
  • Routing table: layer 3 network route mappings
    associated with a L1 (physical) interface

Internet Control Message Protocol (ICMP)
  • Routers that become congested return an ICMP
    source quench message as a simple form of flow
  • Some routers send an ICMP source quench if
    their communication buffers get full (source quench
    has since been deprecated and modern stacks ignore it)
  • ICMP is the traffic cop for IP networks

  • RARP (earlier slide) - given the MAC (L2) address,
    give me the network (L3) address
  • BOOTP - an improvement on RARP that gave us
    automated IP addresses, automated boot images,
    gateway addresses, etc.
  • DHCP - Dynamic Host Configuration Protocol - a later
    protocol that added user-specified
    fields and advanced abilities such as redundancy

Crafted Packets Exploit
  • Build what you want and create a hack - a
    thousand different ways.
  • Fragment of a libnet 1.0 program that forges an
    ICMP Parameter Problem message (the libnet_build_ip()
    call is cut off on the slide):

    if ( (packet = malloc(1500)) == NULL ) {
        perror("malloc ");
        exit(-1);
    }
    if ( (sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1 ) {
        perror("socket ");
        exit(-1);
    }
    libnet_build_ip(len,                      /* Size of the payload */

    /* ICMP Header for Parameter Problem
       ---------------------------------------------
       Type (12)  |  Code (0)  |  Checksum
       ---------------------------------------------
       Pointer    |  unused
       ---------------------------------------------
       Internet Header + 64 bits of original datagram
    */
    /* Need to embed an IP packet within the ICMP */
    ip = (struct ip *) (packet + IP_H + 8);   /* 8 = ICMP header */
    ip->ip_v   = 0x4;                          /* IPv4 */
    ip->ip_hl  = 0xf;                          /* Some IP options */
    ip->ip_tos = 0xa3;                         /* Whatever */
    ip->ip_len = htons(data_len);              /* Length of packet */
    ip->ip_id  = 30241;                        /* Whatever */

DNS Exploit Cache Poisoning
  • DNS queries are heavily cached on servers. What
    if an attacker could craft a packet that
    poisons the DNS cache with the wrong
  • Could a hacker/cracker redirect domain name
    server queries to the wrong machine?

What Else Could Crafted Packets Do?
  • Distribute a bad route to your core data network
    routers, dumping much of your network traffic
  • Foul up switched networks with bogus bridge protocol
    data unit (BPDU) packets that would switch off network
  • Block router IP interfaces with bad ARP replies

Crafted Packets Defense
  • Turn everything off!
  • Do not require or allow ICMP features like
    gateway redirection, source quench, or router
  • Turn off the spanning tree algorithm (STA) where it
    makes sense (on switches that support it, BPDU guard
    on access ports is the usual alternative to disabling
    spanning tree outright)
  • Use the authenticated (and, where available,
    encrypted) versions of any available protocols,
    i.e., OSPF with authentication rather than RIP version 1
  • Tie your routers together with access control
    lists (ACLs) to control inbound broadcasts
  • Don't do it by the book. Cisco design
    principles are wrong, as they value speed of the
    network over security. Application server speed
    is king, and people on LANs don't perceive LAN
    speed optimization as delays

Netcat
  • netcat, the Swiss army knife of hacking.
  • Can attach to an arbitrary port to
    listen for data
  • Can be set up to send out crafted packet data to
    an arbitrary port
  • Usually, after capturing traffic into a hex file,
    the data is edited and sent back out to the same
    network it came from

Netcat options: scary!!!
Netcat listener
Netcat listener receiving test text
Port Scanning
  • Objective
  • Target identification and assessment for attack:
    what looks most promising?
  • Technique
  • ICMP sweep, TCP/UDP scans, OS detection. What
    version of Windows are they running?
    What are the publicly available hacks/cracks for
    this version?
  • Tools
  • fping, hping, nmap, ncat -p, fscan, queso

Ports or Service Addresses
  • A service address, or port, is a 16-bit number
    (0 to 65535). Example: 31337
  • Port addresses let the receiving host know which
    application a data packet is intended for
  • Popular service addresses or ports are 80 for
    HTTP, 23 for telnet, 20 and 21 for the File Transfer
    Protocol, and 22 for SSH (secure shell)
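
The netcat listener and the port scan from the slides above, in one added example that runs entirely on the loopback interface (example code, not netcat's or nmap's): a stand-in for `nc -l` that greets each connection with a banner and echoes what it receives, a TCP connect() scan that reports which of a few ports completed the handshake and what each one said first, and a replay of a hex-edited payload the way the netcat slide describes. The banner, the port range (the listener's OS-assigned port and its neighbours) and the payload are assumptions.

```python
import socket
import threading


def start_listener(banner=b"220 test service ready\r\n"):
    """Stand-in for `nc -l -p <port>` on the loopback interface: answer each
    connection with a banner, then echo back whatever arrives.  Returns the
    listening socket (its port is assigned by the OS) and the list of payloads
    received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    received = []

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                                   # listener closed
            with conn:
                try:
                    conn.sendall(banner)
                    data = conn.recv(1024)
                    received.append(data)
                    if data:
                        conn.sendall(data)
                except OSError:
                    pass                                 # scanner hung up early

    threading.Thread(target=serve, daemon=True).start()
    return srv, received


def connect_scan(host, ports, timeout=1.0):
    """TCP connect() scan: a completed three-way handshake means the port is
    open.  Returns {port: banner} for open ports; refused ports are skipped."""
    open_ports = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:                              # refused or timed out
                continue
            try:
                open_ports[port] = s.recv(128)           # banner grab
            except OSError:
                open_ports[port] = b""
    return open_ports


def send_crafted(host, port, payload):
    """What `nc host port < edited.bin` does: push arbitrary bytes at a service
    and return its reply."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.recv(128)                                      # discard the banner
        s.sendall(payload)
        return s.recv(1024)


def demo():
    srv, received = start_listener()
    port = srv.getsockname()[1]
    # Scan the listener's port and its neighbours (normally closed).
    candidates = [p for p in (port - 1, port, port + 1) if 0 < p < 65536]
    found = connect_scan("127.0.0.1", candidates)
    # Replay a hex-edited payload, the way the netcat slide describes.
    reply = send_crafted("127.0.0.1", port, bytes.fromhex("48454c4f0d0a"))   # "HELO\r\n"
    srv.close()
    return port, found, reply


if __name__ == "__main__":
    port, found, reply = demo()
    print("open:", found, "reply:", reply)
```

Seen from the target, every probe in `connect_scan` is a full handshake followed by an immediate close, which is why connect scans are the easiest kind to spot in a log: one complete session per port, with nothing sent.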

How Do I Know What Services Are Running?
UDP Packet Ports
TCP Addresses
How Do Hackers Generate Port Scans?
< O.S. guess!
Features of TCP Packets
  • Sequence numbers - where does this packet's data sit
    in the byte stream (the sequence or flow of packets)?
  • Window size - how many bytes may be sent
    before an acknowledgement is required?
  • Flags -
  • RST - set for errors; may be used as a session
    stopper in active intrusion detection.
  • SYN - set to synchronize sequence numbers
  • ACK - acknowledges data and session information

TCP: A Connection-Oriented Protocol
  • The TCP protocol for IP packets (TCP/IP) has
    features which enable TCP to keep track of:
  • How much data needs to be sent?
  • How much has been sent?
  • How much is left to be sent?
  • If there is an error, which segments need to
    be sent again?

Man in the Middle Attacks
  • There are TCP session-hijacking programs, such
    as Juggernaut and Hunt, which, if the attacker is
    at a place on the network where they can
    eavesdrop on both sides of the data connection, let
    them intercept one end of the conversation and
    take it over.

TCP Sequence Prediction
  • Yes, it is possible to do what's called TCP
    sequence prediction and pick up another session
    even if you can't eavesdrop.
  • Hunt and Juggernaut are two programs that connect
    to a computer, usually a server, and by
    interacting with it characterize the type of TCP
    sequence numbers the machine uses for connections.
    They then try to break into another connection
    that machine may be having with another user.
    (Strictly, Hunt and Juggernaut hijack sessions they
    can sniff; blind hijacking relies on predicting the
    server's initial sequence numbers without seeing
    the victim's traffic.)
  • Normally, you will detect Juggernaut and its big
    brother Hunt trying to break into established
    web site connections to other customers to steal
    personal information or identities.
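
What "characterizing the TCP sequence" amounts to, as an added example (not code from the slides, Hunt or Juggernaut): sample a handful of initial sequence numbers from a server by opening connections to it, look at the differences, and predict the next one. Two generators stand in for the server: a constant-increment scheme of the old 4.2BSD kind, and a random one. The increment value and the number of probes are assumptions.

```python
import random


def bsd_style_isn(start=0, per_connection=64000):
    """Generator imitating the old 4.2BSD scheme: each new connection gets the
    previous ISN plus a fixed increment (the real clock added a per-second term
    too, which makes it only slightly harder)."""
    isn = start
    while True:
        isn = (isn + per_connection) & 0xFFFFFFFF
        yield isn


def random_isn(rng):
    """Generator for a modern stack: unpredictable 32-bit ISNs."""
    while True:
        yield rng.getrandbits(32)


def characterise(isns):
    """What sequence-prediction tools (and nmap's sequence test) do with a few
    sampled ISNs: look at the differences.  Returns (next_guess, spread), where a
    spread of 0 means every difference was identical, i.e. fully predictable."""
    diffs = [(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])]
    spread = max(diffs) - min(diffs)
    return (isns[-1] + diffs[-1]) & 0xFFFFFFFF, spread


def blind_hijack_succeeds(server_isns, probes=6):
    """Attacker opens `probes` connections of its own to sample the server's
    ISNs, predicts the next one, and wins if that is the ISN the server hands
    the victim's connection (the attacker never sees the victim's traffic)."""
    sampled = [next(server_isns) for _ in range(probes)]
    guess, _ = characterise(sampled)
    victims_isn = next(server_isns)
    return guess == victims_isn


if __name__ == "__main__":
    print("4.2BSD-style server:", blind_hijack_succeeds(bsd_style_isn()))
    print("random-ISN server:  ", blind_hijack_succeeds(random_isn(random.Random(7))))
```

A spread of zero is the worst case; real stacks of the period fell between the two generators, and the size of the spread is what decides how many spoofed guesses an attacker needs to send.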

Enumeration
  • Objective
  • Promising targets are identified in more detail.
  • Technique
  • List user accounts, trusts, IP addresses to
    attack, file shares, identify apps, etc. Are campus-
    wide directories available? LDAP?
  • Tools
  • LDAP directories, Legion, NIS, DumpACL, sid2user,
    Onsite, etc.

Address Resolution Protocol Table Entries
  • The address resolution protocol (ARP) table is an
    internal table within routers (and hosts) that
    associates IP addresses with the PCs' Ethernet
    addresses and also with a physical interface.
  • ARP table entries (Ethernet address, interface):
  • 00-0c-34-23-af-bc intf0
  • 00-0c-34-23-af-bc intf0
  • 00-0c-34-23-af-bc intf0
  • 00-0c-34-23-af-bc intf1

If an attacker could get your network's ARP
information they would have the keys to your
Arpwatch: Very Common on Unix
  • Monitors the address resolution protocol as the
    network works to capture and send to the user (or
    attacker) the IP and Ethernet address information
    of your network
  • This can give an attacker all the specific
    information they need to cull a sheep out of the
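
The defender's use of the same data, as an added example (not arpwatch's code): the IP-to-MAC mapping is learned from ARP replies, and the events arpwatch reports (new station, changed ethernet address, flip flop) are raised when a mapping changes, plus one extra check for a single MAC answering for two addresses, which is the signature of a station impersonating the gateway. The events and addresses are constructed.

```python
from collections import defaultdict

# Constructed ARP replies seen on one segment: (time, sender IP, sender MAC).
ARP_EVENTS = [
    ("08:00:01", "10.1.1.1", "00:0c:34:23:af:bc"),   # the gateway
    ("08:00:02", "10.1.1.5", "00:0c:34:23:af:c1"),
    ("08:00:03", "10.1.1.7", "00:0c:34:23:af:d9"),
    ("08:15:10", "10.1.1.1", "00:0c:34:23:af:c1"),   # gateway IP now answered by .5's MAC
    ("08:15:11", "10.1.1.1", "00:0c:34:23:af:bc"),   # ... and back again
    ("09:02:00", "10.1.1.9", "00:0c:34:23:af:e2"),   # genuinely new station
]


def monitor_arp(events):
    """Return the learned IP->MAC table and a list of arpwatch-style alerts."""
    current, history, alerts = {}, defaultdict(set), []
    for ts, ip, mac in events:
        prev = current.get(ip)
        if prev is None:
            alerts.append((ts, "new station", ip, mac))
        elif prev != mac:
            kind = "flip flop" if mac in history[ip] else "changed ethernet address"
            alerts.append((ts, kind, ip, f"{prev} -> {mac}"))
        # One MAC answering for two IPs is the classic sign of a spoofer
        # impersonating the gateway from its own (or a victim's) station.
        others = sorted(o for o, m in current.items() if m == mac and o != ip)
        if others:
            alerts.append((ts, "mac also claims", mac, ",".join(others)))
        current[ip] = mac
        history[ip].add(mac)
    return current, alerts


if __name__ == "__main__":
    table, alerts = monitor_arp(ARP_EVENTS)
    for alert in alerts:
        print(*alert)
```

A "new station" at 09:02 is routine; "changed ethernet address" on the gateway's IP, from a MAC already in use by another host, followed a second later by a flip back, is the pattern to page someone about.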

Firewalls: Definition
  • What are they?
  • Firewalls are network devices that pass or drop
    packets based on a programmed rule set
  • Firewall rule sets are based on physical port, IP
    address, transport address (port) or other

Firewalls: Definition
  • Firewalls are generally categorized into three
  • Stateless: does not maintain state or track
    packet history
  • Stateful: maintains state and is able to
    reassemble fragmented packets
  • Proxy: may redirect traffic to other machines
    based on FW policy. Typically used to redirect
    e-mail through virus scanning software.

Basic Firewall Platforms
  • Types
  • Packet-dropping filters (stateless), commonly
    seen as access control lists (ACLs) in routers.
    Cisco dominates this market.
  • Complex or stateful firewalls, generally seen
    in firewall appliances; Lucent Brick, Cisco PIX,
    Check Point and Nokia all have entries in this

Firewalls: Network Based
Firewalls: Bridge Based
Bridging Firewalls are Better
  • Why?
  • Because routing firewalls depend on IP address
    gateways to route packets.
  • Any external IP addresses are subject to attack
    and may limit your data when they are attacked.
  • Bridge-based firewalls have no external IP
    addresses that are required to route packets and
    as such do not have routing interfaces that can
    be attacked! (They still have a management
    interface, which must itself be protected.)

FW May Block Based On IP Address
FW May Block Based On Port Address
What Does A Basic Firewall Setup Look Like?
Firewalls come in other flavors
  • The market is full of smart firewalls.
  • A layer 7 or application layer firewall acts to
    block packet streams from certain applications
    such as peer-to-peer media sharing programs like
  • These are also known as traffic shaping devices
  • Traffic shaping firewalls can block MP3 (audio)
    even if the data is using a common well-known
    service (WKS) port such as FTP or HTTP. They
    detect the type of data, not just the IP address
    and port that is being used.

Host Based Firewalls
  • Excellent protection, one host at a time.
  • Software running under the operating system
  • Many host software firewalls also use intrusion
    detection algorithms in tune with the firewall to
    protect the host
  • Commercial software such as Norton, McAfee, BlackICE
    Defender, and ZoneAlarm dominate this market

Host Based Firewalls: BlackICE Defender
Host Based Firewalls: Norton
Host Based Firewalls: Tiny Firewall
Network Address Translation (NAT)
  • Firewalls that hide multiple IP addresses
    behind a single IP address!
  • This has the effect of confusing attackers. In
    particular, an nmap -O scan, which tries to
    determine the operating system, will be all over
    the map and generally fail through NAT with
    multiple machines.
  • The NAT algorithm is easily modified to control
    or block inbound versus outbound connections
FW Rule Sets - Examples
  • Loose (Higher Education)
  • Accept all; specifically deny dangerous ports
  • Moderate (Corporate)
  • Deny all except for well-known services on known
  • Tight (Defense)
  • Deny all except the generals to
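
The stateless/stateful distinction from the "Firewalls: Definition" slides and the loose and moderate rule sets just above, in one added example (example code, not any firewall product's): a first-match rule evaluator with no memory, the same evaluator with a connection table, and two policies built from ports the deck names (SubSeven 27374, NetBus, Back Orifice 31337). The "established" rule in the moderate policy is the stateless trick of admitting inbound TCP when ACK is set; the scenario shows why that is a hole. Addresses are from the documentation and RFC 1918 ranges; the NetBus port and the host-specific limits in the moderate policy are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" / "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


# Rule = (action, direction, proto or "any", dport or None, established_only)
# 'established_only' is the stateless ACL trick: accept inbound TCP if ACK is set.
LOOSE = [                                        # higher-education style, default accept
    ("deny", "in", "tcp", 27374, False),          # SubSeven
    ("deny", "in", "tcp", 12345, False),          # NetBus
    ("deny", "in", "udp", 31337, False),          # Back Orifice
]
MODERATE = [                                     # corporate style, default deny
    ("accept", "in", "tcp", 25, False),           # mail
    ("accept", "in", "tcp", 80, False),           # web
    ("accept", "in", "tcp", None, True),          # replies to inside-initiated sessions
    ("accept", "out", "any", None, False),
]


def rule_matches(rule, direction, p):
    action, d, proto, dport, established = rule
    return (d == direction and proto in ("any", p.proto)
            and dport in (None, p.dport) and (not established or p.ack))


class StatelessFilter:
    """Router-ACL style: first matching rule wins, no memory of earlier packets."""

    def __init__(self, rules, default):
        self.rules, self.default = rules, default

    def decide(self, direction, p):
        for rule in self.rules:
            if rule_matches(rule, direction, p):
                return rule[0]
        return self.default


class StatefulFilter(StatelessFilter):
    """Same rules plus a connection table: inbound packets are admitted when
    they belong to a session the inside opened, never merely because ACK is set."""

    def __init__(self, rules, default):
        super().__init__(rules, default)
        self.sessions = set()

    def decide(self, direction, p):
        if direction == "out" and p.proto == "tcp" and p.syn and not p.ack:
            if super().decide("out", p) == "accept":
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
                return "accept"
        if direction == "in" and (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "accept"
        for rule in self.rules:
            if rule[4]:                          # the 'established' shortcut is not needed
                continue
            if rule_matches(rule, direction, p):
                return rule[0]
        return self.default


def demo():
    """Run the same packets through each filter; results keyed by scenario."""
    loose = StatelessFilter(LOOSE, default="accept")
    stateless = StatelessFilter(MODERATE, default="deny")
    stateful = StatefulFilter(MODERATE, default="deny")
    client_syn = Packet("10.1.1.5", "203.0.113.9", "tcp", 40000, 80, syn=True)
    server_reply = Packet("203.0.113.9", "10.1.1.5", "tcp", 80, 40000, syn=True, ack=True)
    ack_scan = Packet("198.51.100.7", "10.1.1.5", "tcp", 55555, 139, ack=True)
    subseven = Packet("198.51.100.7", "10.1.1.5", "tcp", 55555, 27374, syn=True)
    out = {}
    out["loose: SubSeven probe"] = loose.decide("in", subseven)
    out["loose: ACK to port 139"] = loose.decide("in", ack_scan)
    out["stateless: real reply"] = stateless.decide("in", server_reply)
    out["stateless: ACK to port 139"] = stateless.decide("in", ack_scan)   # the hole
    stateful.decide("out", client_syn)
    out["stateful: real reply"] = stateful.decide("in", server_reply)
    out["stateful: ACK to port 139"] = stateful.decide("in", ack_scan)
    return out


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:30} {verdict}")
```

The ACK-to-port-139 packet is an nmap ACK scan in miniature: the stateless filter must admit it to let real replies through, so the scanner learns which ports are filtered; the stateful filter admits only packets belonging to a session it watched the inside open, and drops it.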

  • Sub 7 Trojan                BOTH  GI064A  pass
  • Quake and derivatives       BOTH  GI064B  pass
  • Hack-a-Tack                 BOTH  GI068A  pass
  • Sub 7 artifact              BOTH  GI035A  pass
  • Sub 7 Trojan                BOTH  GI034B  pass
  • NetSphere Trojan            BOTH  GI064B  pass
  • SANS Russian Trojan         SD423439  Host blocks
    (this one was mine!)
  •                             BOTH  GI021A  pass
  • mstream DoS attack          BOTH  GI087g  pass
    (interesting port to monitor)
  • GNUTELLA                    BOTH  GI086   pass
    (peer-to-peer stuff; season to your taste)
  • Deep Throat Trojan back door (SANS)
  •                             BOTH  GI085   pass

GRC.COM's IPAgent Scan (free)
IPAgent is a small program that works with a
server at the web site and does a quick
service scan on your Internet web address and
then gives the results to you in a web page.
Very cool and a good way to get a good night's
Cryptographic Signatures for Log Files
  • cd /var/log
  • md5 <file> > files.signed
  • (Results on next slide.)
  • What should happen to the cryptographic log
  • Caveat: an unkeyed digest stored next to the logs
    is not a signature; an intruder who edits a log
    can recompute it. Keep the digest list off the box
    (or use a keyed HMAC or a real signature), and
    prefer SHA-2: MD5 collisions are practical today.

Cryptographic Signatures for Log Files
  • MD5 (DumpACL.bmp) 605a3a25509ae2544be6226d80f03f
  • MD5 (Google on 1.2.doc) 754ca03e3d9ebda8417a6077
  • MD5 (L0PHTAntiSniff.bmp) bf103290401593b6facd734
  • MD5 (L0PHTCrack3init.jpg) 7ed453ee8e3dfb49109deb
  • MD5 (LANguard01.bmp) 4a5b1d9ebb705a40d692e771bd3
  • MD5 (LANguard02.bmp) 0d9e0bcac7996e5aebe194e99be
  • MD5 (LANguard03.bmp) 112069b54acf47e638987f02b77
  • MD5 (LANguard04.bmp) 2596984869bb792735c34ae8aa2
  • MD5 (LANguard05.bmp) 2b662e5ef494a4bc7aff0b983a5
  • MD5 (LANguard06.bmp) c97ccaef49926c77fb2bc62c44f
  • MD5 (NAISniffer.bmp) cf0e4cbd7569718e284a71f4a7b
  • MD5 (SamSpade.bmp) fb918f4fceb8b6c97c97255583241
  • MD5 (SamSpade2.bmp) 52c0d752b7dd4661466a9a011232
  • MD5 (SamSpade3.bmp) c49ecd049e47135b481166abbf67
  • MD5 (inzider2.jpg) eb0fb6b0f8df47f7c63ba7b8d15eb
  • MD5 (md5.txt) d41d8cd98f00b204e9800998ecf8427e
  • MD5 (netstata.txt) 35642c009d287a329fb783b6ab1a9
  • MD5 (nmap.txt) d663bb68fbf4a215fb9daa30f33b0aba
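
The "what should happen to the log signatures" question, answered in code as an added example (not the slide's md5 invocation): a manifest of keyed HMAC-SHA-256 values over the files in a log directory, produced with a key that stays on the log host, and a verifier that reports every file that has been edited or removed since. The log lines are constructed and written to a temporary directory; the key is a placeholder. The block also reproduces one detail from the list above: the value shown for md5.txt is the MD5 of an empty file, which means that file was empty at the moment it was hashed.

```python
import hashlib
import hmac
import os
import tempfile


def digest_file(path, key=None):
    """SHA-256 of a file, or HMAC-SHA-256 under `key` when one is given."""
    h = hmac.new(key, digestmod="sha256") if key else hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sign_logs(logdir, key):
    """Manifest {filename: hmac} for every file in logdir (the slide's 'files.signed')."""
    return {name: digest_file(os.path.join(logdir, name), key)
            for name in sorted(os.listdir(logdir))}


def verify_logs(logdir, key, manifest):
    """Names of files that are missing or whose HMAC no longer matches the manifest."""
    bad = set()
    for name, expected in manifest.items():
        path = os.path.join(logdir, name)
        if not os.path.exists(path) or not hmac.compare_digest(digest_file(path, key), expected):
            bad.add(name)
    return bad


EMPTY_MD5 = hashlib.md5(b"", usedforsecurity=False).hexdigest()   # the md5.txt value on the slide


def demo():
    # Assumption: the key and the manifest live on the log host, not on the signed box.
    key = b"example-key-kept-off-box"
    with tempfile.TemporaryDirectory() as logdir:
        samples = {   # constructed log lines
            "messages": b"Mar 14 13:40:09 host sshd[412]: Failed password for root from 198.51.100.7\n",
            "secure":   b"Mar 14 13:40:12 host su: pam_unix(su:auth): authentication failure\n",
        }
        for name, body in samples.items():
            with open(os.path.join(logdir, name), "wb") as f:
                f.write(body)
        manifest = sign_logs(logdir, key)
        clean = verify_logs(logdir, key, manifest)
        # Intruder 'zaps' the evidence: truncates one log, deletes the other.
        with open(os.path.join(logdir, "messages"), "wb") as f:
            f.write(b"")
        os.remove(os.path.join(logdir, "secure"))
        return clean, verify_logs(logdir, key, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "all files verify")
    print("after tampering: ", after)
```

The part that matters operationally is where the manifest and key live: an HMAC recomputed by the intruder with a key they found on the same host proves nothing, so ship the manifest (or the logs themselves) to a separate log host as they are written.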

Firewall Logs
  • Incredible amounts of information are available
    from FW logs!
  • Napster_Sharing,8888,"c:\xxx old drive\program
    files\napster\incomplete\09_The Making of Brain
    Salad Surgery.mp3"
  • Napster_Sharing,8888,"c:\xxx old drive\program
    files\napster\incomplete\Copy of Bob Dylan -Like
    A Rolling Stone.mp3"
  • Napster_Sharing,8888,"c:\xxx old drive\program
    files\napster\incomplete\Tenacious D - With
    Karate I'll Kick Your Ass.mp3"

Honey Pots
  • PCs that wait for the hacker to connect.
  • Port connection detection
  • Shell scripts that spawn small programs that
    answer in a predefined manner on popular ports,
    typical of standard operating systems.
  • Operating system sensors
  • Psionic PortSentry for Linux (Unix)
  • Windows operating system based connection
Honey pots?
Intrusion Detection Systems
  • PCs that monitor network traffic looking for
    specific data packet patterns indicative of
    harmful network traffic such as:
  • Trojans: hidden remote access programs.
  • Software viruses
  • E-mail subject and attachment types and content.
  • Suspicious FTP/TFTP transfers.
  • ssh and scp versions and session information.
  • Peer-to-peer program login information.
  • Service scans or attacks by hackers.

Intrusion Detection Logging
Event Severity Levels
  • 95%: Informational / false positives
  • Network-wide port scans
  • 4%: Warning
  • Per-host scans, but no compromise
  • < 0.1%: Critical
  • Continuous attack from one IP address
  • < 0.01%: Emergency
  • Successful exploit of a system

Intrusion Detection Systems
  • Long Term Database Queries
  • Packet databases against which SQL queries can
    answer the question: who issued a single ping in
    the last six months not associated with any web,
    e-mail, FTP or ssh connection?
  • This technique is predicated on a large database
    of suspicious packets
  • It can discover complex relationships over a number
    of months
  • This is a method to discover the talented or
    professional attackers!
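
The slide's question written as the query it describes, as an added example (not from the slides or any IDS product): a packet table in an in-memory SQLite database loaded with constructed rows, and a query that returns sources which pinged us within the six-month window and never opened a web, mail, FTP or ssh connection. The table layout, the row values and the reference date are assumptions; the port list is the slide's four services plus HTTPS.

```python
import sqlite3

# Constructed rows for a "suspicious packets" table: (timestamp, src, dst, proto, dport).
PACKETS = [
    ("2000-09-14 02:14:07", "198.51.100.7", "192.0.2.10", "icmp", None),   # one ping ...
    ("2000-11-19 03:02:41", "198.51.100.7", "192.0.2.11", "icmp", None),   # ... every couple of months
    ("2001-01-05 04:55:19", "198.51.100.7", "192.0.2.12", "icmp", None),
    ("2001-02-02 11:00:00", "203.0.113.44", "192.0.2.10", "icmp", None),   # pinged, then browsed:
    ("2001-02-02 11:00:03", "203.0.113.44", "192.0.2.10", "tcp", 80),      # an ordinary visitor
    ("2001-02-12 14:56:01", "203.0.113.9", "192.0.2.10", "udp", 53),       # DNS probes, no pings
    ("2001-02-12 14:56:02", "203.0.113.9", "192.0.2.10", "udp", 53),
    ("2000-07-01 09:00:00", "192.0.2.200", "192.0.2.10", "icmp", None),    # too old: outside the window
]

LONELY_PING_QUERY = """
SELECT src, COUNT(*) AS pings, MIN(ts) AS first_seen, MAX(ts) AS last_seen
FROM packets p
WHERE proto = 'icmp'
  AND ts >= datetime(:now, '-6 months')
  AND NOT EXISTS (                      -- no web, mail, FTP or ssh from the same source, ever
        SELECT 1 FROM packets q
        WHERE q.src = p.src
          AND q.proto IN ('tcp', 'udp')
          AND q.dport IN (80, 443, 25, 21, 22))
GROUP BY src
ORDER BY pings DESC
"""


def lonely_pingers(rows, now="2001-03-01 00:00:00"):
    """Sources that pinged us in the six months before `now` and never touched a
    normal service: the patient, low-noise reconnaissance the slide describes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE packets (ts TEXT, src TEXT, dst TEXT, proto TEXT, dport INTEGER)")
    con.executemany("INSERT INTO packets VALUES (?, ?, ?, ?, ?)", rows)
    return con.execute(LONELY_PING_QUERY, {"now": now}).fetchall()


if __name__ == "__main__":
    for row in lonely_pingers(PACKETS):
        print(row)
```

One source survives the query: three pings, months apart, to three different hosts, and nothing else. No per-event threshold would have flagged any one of those packets; only the six-month view does.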

Intrusion Detection Market
  • Internet Security Systems: 71%
  • Network Associates: 13%
  • Others: 10%
  • L3: 4%
  • Axent: 3%
  • Source: IDC and ISS
Port Scans
  • nmap is the preferred tool, along with fping
    and hping.
  • One scan as logged at the target (the source and
    destination host columns are not reproduced):

    Src Port  Dst Port  Pcol  Service
    3486      143       TCP   imap
    3487      110       TCP   pop3
    3488      111       TCP   6/111/34
    3489      6000      TCP   x11
    3490      79        TCP   finger
    3491      53        TCP   dns
    3492      31337     TCP   6/3133
    3493      2766      TCP   6/2766/
    3494      139       TCP   netbios-
    3495      25        TCP   smtp
    3496      21        TCP   ftp
    3497      22        TCP   ssh
    3498      1114      TCP   6/1114/
    3499      1         TCP   6/1/3499
    3500      80        TCP   http
    3501      23        TCP   telnet
    3502      143       TCP   imap

  • Note the source port climbing by one per probe
    (3486, 3487, ...): one connect() per target port, the
    signature of a sequential connect scan.

Intrusion Detection System Logs
  • Severity (icon), Time, Attack, Intruder, Count
  • 1, 02/12/01 14:56:01, UDP port probe, , 6
  • 1, 02/16/01 11:11:00, DNS port probe, , 1
  • 2, 02/23/01 11:09:41, SNMP discovery broadcast,
    WS10060926, 1
  • 1, 02/25/01 20:18:12, DNS port probe, , 2
  • 2, 02/26/01 00:43:30, SNMP discovery broadcast, , 9
  • 1, 02/26/01 11:22:42, HTTP port probe, , 5
  • 1, 02/28/01 11:01:58, TCP port probe, , 127
  • 2, 02/28/01 11:02:23, TCP SYN flood, , 13
  • 2, 02/28/01 11:04:09, TCP port scan, , 59
  • 1, 02/28/01 11:04:09, TCP port scan, , 5531
  • 1, 02/28/01 11:04:12, UDP port probe, , 2
  • 2, 02/28/01 11:04:12, TCP OS fingerprint, , 6
  • 1, 02/28/01 11:04:12, TCP ACK ping, , 4
  • 2, 02/28/01 11:04:12, NMAP OS fingerprint, , 4
  • 2, 03/06/01 16:41:10, UDP port scan, , 1
  • 1, 03/07/01 10:00:00, DNS port probe, , 1
  • 1, 03/07/01 12:23:00, FTP port probe, , 3
  • 3, 03/14/01 13:40:09, PPTP malformed, , 1
  • Note the 02/28 11:01-11:04 cluster: a port probe, a
    burst the sensor labels "SYN flood", a 5531-event
    port scan, then OS-fingerprint and ACK-ping events:
    one nmap SYN scan with -O, seen from the target.

Gaining Access
  • Objective
  • To compile enough knowledge to choose an informed
  • Technique
  • Back doors, social engineering, buffer overflows,
    promiscuous password grabs, hacks, etc.
  • Tools
  • Telephone, war dialing, crack, Legion, pwdump2,
    bind and LPR hacks, etc.

Gaining Access
  • The NULL session: Microsoft's master key to any
    Windows NT/2000 box
  • Buffer overflows to known port services might do

Buffer Overflows
  • Diagram - typical buffer overflow

Mechanics of Buffer Overflows
  • Goal: exploit a buffer overflow vulnerability to
    perform a malicious function on a target system.
  • Identify an open port, or local access if it is
    available
  • Test the input string types and boundaries
    accepted by the program
  • Construct an input value that will perform the
    malicious function when executed with the
    program's privileges in the host program's address
    space
  • Execute the program so that it jumps to the
    additional malicious code

Buffer Overflows Fuel Network Based Worms
  • Recent worm attacks
  • L1on Linux worm
  • SQL Slammer
  • Ramen Linux Worm
  • Code Red worm for Windows
  • Nimda Windows worm

Windows Processes
Unix processes (ps ex or ps auwx)
Inzider2: What Your Mother Didn't Tell You
  • Attackers routinely bypass operating system
    memory and process management to hide trojan
  • inzider2 does a brute-force memory check for
    processes. It's important for virus checkers to
    look in memory for viruses and not just on disk.

Forensic Analysis of Packets
  • Hackers hidden? No, the evidence is on the
  • TCP, UDP, and ICMP packets hold numerous clues!
  • Sequence numbers
  • Window size
  • Target and source ports
  • IP addresses
  • Flags, and more, offer an insight into your

Forensic Analysis of Packets
  • Let's try it! What's going on in the following
    capture? Polymorphic destination and timing.
  • 2000/03/23 08:20:00 18 OUT ping_resp none 10 1120
  • 2000/03/23 07:36:32 18 OUT ping_resp none 7 784
  • 2000/03/23 08:31:51 18 OUT ping_resp none 9 1008
  • 2000/03/23 07:46:15 18 OUT 1/3/3 none 6 576
  • 2000/03/23 07:40:48 18 OUT 1/3/3 none 2 224
  • 2000/03/23 07:32:35 18 OUT 1/3/3 none 6 672
  • 2000/03/23 07:50:43 18 OUT 1/3/3 none 2 224
  • 2000/03/23 07:59:27 18 OUT 1/3/3 none 6 672
  • 2000/03/23 08:07:28 18 OUT 1/3/3 none 6 672
  • 2000/03/23 07:32:48 18 OUT 1/3/3 none 2 224
  • 2000/03/23 07:50:23 18 OUT 1/3/3 none 4 448
  • 2000/03/23 07:59:40 18 OUT 1/3/3 none 2 224

Polymorphism and Distracters
  • Polymorphic destinations, sources, and ports.
    What's an IDS to do?
  • 2000/03/30 14:21:53 2 IN 6/13643/1971 1 40
  • 2000/03/30 14:21:54 2 IN 6/65457/47868 1 40
  • 2000/03/30 14:21:57 2 IN 6/20443/11946 1 40
  • 2000/03/30 14:22:04 2 IN 6/64071/7698 1 40
  • 2000/03/30 14:22:08 2 IN 6/56431/28396 1 40
  • 2000/03/30 14:22:11 2 IN 6/11602/9082 1 40
  • 2000/03/30 14:22:11 2 IN 6/23201/49700 1 40
  • 2000/03/30 14:22:17 2 IN 6/59299/63684 1 40
  • 2000/03/30 14:22:18 2 IN 6/43377/65316 1 40
  • 2000/03/30 14:22:19 2 IN 6/59932/28865 1 40
  • 2000/03/30 14:22:22 2 IN 6/19822/61999 1 40
  • 2000/03/30 14:22:22 2 IN 6/46531/28491 1 40
  • 2000/03/30 14:22:23 2 IN 6/65448/43557 1 40
  • 2000/03/30 14:22:24 2 IN 6/64904/14091 1 40
  • 2000/03/30 14:22:31 2 IN netbios gm 5 1145
  • 2000/03/30 14:22:34 2 IN 6/8463/38040 1 40

Escalating Privileges
  • Objective
  • If user access - elevate to system access.
  • Technique
  • Password cracking, known exploits, buffer
    overflows in known user-level programs
  • Tools
  • L0phtCrack, john, getadmin, sechole, lc_messages,
    etc. Sendmail had numerous holes that could be used
    to raise privilege to root. Getadmin is a user-level
    program that raises an unprivileged user to
    Administrator on Windows NT 4.0

  • Objective
  • Grab any interesting/profitable data on the machine
  • Technique
  • Evaluate trusts, look for clear-text passwords
  • Tools
  • cat, type, rhosts, search e-mail, LSA secrets,
    user data, config files, and registry data.

Covering Tracks
  • Objective
  • Hide the interloper's romp through the machine
  • Technique
  • Clear or modify logs, hide tools, install rootkits
    and trojans
  • Tools
  • zap, rm *.log, B.O. (Back Orifice), SubSeven,
    NetBus, etc.
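One check a responder would run against the log-cleaning step above: look for the footprint zap leaves in wtmp, entries overwritten with zeros. This is an added example, not code from the deck or from zap. It assumes glibc's 384-byte little-endian struct utmp layout (Linux x86), and the wtmp it inspects is constructed inline: two normal logins, one record wiped to zeros, and one whose user name alone was blanked.

```python
"""Spot wtmp records that a log cleaner such as zap has zeroed in place.
Added example, not the deck's own code.  ASSUMPTIONS: glibc's 384-byte
little-endian struct utmp layout (Linux x86); the sample wtmp below is
CONSTRUCTED: two normal logins, one record wiped to zeros, one with only the
user name blanked.  zap's technique, overwriting the intruder's entries with
zeros, is what the checks look for."""
import struct

# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)    # 384
USER_PROCESS = 7


def pack_record(ut_type: int, pid: int, line: str, user: str, host: str, when: int) -> bytes:
    """Build one utmp record (used only to construct the sample)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"ts/0", user.encode(),
                       host.encode(), 0, 0, 0, when, 0, 0, 0, 0, 0, b"")


def parse_wtmp(blob: bytes) -> list:
    """Decode every whole record; a trailing partial record is ignored."""
    recs = []
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        recs.append({
            "index": off // UTMP_SIZE,
            "type": f[0],
            "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "tv_sec": f[9],
            "all_zero": blob[off:off + UTMP_SIZE] == bytes(UTMP_SIZE),
        })
    return recs


def find_tampering(blob: bytes) -> list:
    """Return (record index, reason) for records that look cleaned.

    wtmp is append-only: login/init never write an all-zero record into it,
    and a USER_PROCESS record always carries a user name and a timestamp.  A
    cleaner that zeros entries in place leaves exactly that footprint.  The
    timestamp check is a weaker signal (clock changes also trigger it)."""
    findings = []
    last_ts = 0
    for r in parse_wtmp(blob):
        if r["all_zero"]:
            findings.append((r["index"], "all-zero record: zeroed in place"))
            continue
        if r["type"] == USER_PROCESS and (not r["user"] or r["tv_sec"] == 0):
            findings.append((r["index"], "login record with blank user or zero time"))
        if r["tv_sec"] and r["tv_sec"] < last_ts:
            findings.append((r["index"], "timestamp earlier than the previous record"))
        last_ts = max(last_ts, r["tv_sec"])
    return findings


T0 = 1_000_000_000   # constructed epoch time (2001-09-09 UTC)
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 4011, "pts/0", "alice", "10.1.7.9", T0),
    bytes(UTMP_SIZE),                                                    # zapped entry
    pack_record(USER_PROCESS, 4102, "pts/2", "bob", "10.1.7.31", T0 + 600),
    pack_record(USER_PROCESS, 4190, "pts/3", "", "10.1.9.2", T0 + 900),  # user blanked
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for index, reason in find_tampering(data):
        print(f"record {index}: {reason}")
```

Run without arguments it flags records 1 and 3 of the constructed sample; pointed at a real `/var/log/wtmp` it prints any zeroed or user-less login records. Because the cleaner works in place, the file length does not change, which is why a size or line-count comparison misses it and a record-by-record scan does not.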

  • I want to come back and show the others in my
  • Trojans: Back Orifice, NetBus, and SubSeven.
  • If you find a trojan make sure you understand
    how it got there!

Covering Tracks
  • The exit is generally, but not always, malicious:
  • Crash the server.

Password Cracking
  • L0phtCrack (LC3, later LC4)

Case Study Nimda Worm
  • Worm: self-replicating malicious code
  • Discovered September 18, 2001
  • Successor to the Code Red worm (July 2001); reused
    the backdoor left behind by Code Red II
  • Affects Windows 95, 98, Me, NT, and 2000
  • Estimated $500 million in downtime and clean-up cost
    in the first 24 hours
  • Unique in its variety of propagation techniques

Intrusion Detection Hits on NIMDA
First sign - explosive TFTP activity.
Intrusion Detection Hits on NIMDA
Second sign: the same file transferred every time!
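The two signs on the slides above, a burst of TFTP and the same file name in every transfer, turned into detection logic, as an added example that is not part of the original deck. The log format it parses is constructed for the example (a flow logger recording UDP/69 read requests with client, server and file name); the file name Admin.dll is the one Nimda is documented to pull with tftp, but the detector is deliberately generic and keys on any file fetched by many hosts from one server in a short window.

```python
"""Detect worm-style TFTP fan-out: many distinct hosts pulling the same file
from the same server inside a short window.

Added example, not the deck's own code.  The log format is CONSTRUCTED for
this example (a flow logger that records UDP/69 read requests); only the
behaviour it detects, a burst of identical transfers, comes from the slides."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six victims fetch the same file from one host within
# 40 seconds; two router-config pulls are ordinary background TFTP.
SAMPLE_LOG = """\
2001/09/18 13:02:11 client=10.1.7.9   server=10.1.4.22  udp/69 RRQ Admin.dll
2001/09/18 13:02:14 client=10.1.7.31  server=10.1.4.22  udp/69 RRQ Admin.dll
2001/09/18 13:02:20 client=10.1.8.5   server=10.1.4.22  udp/69 RRQ Admin.dll
2001/09/18 13:02:27 client=10.1.8.77  server=10.1.4.22  udp/69 RRQ Admin.dll
2001/09/18 13:02:39 client=10.1.9.2   server=10.1.4.22  udp/69 RRQ Admin.dll
2001/09/18 13:02:50 client=10.1.9.120 server=10.1.4.22  udp/69 RRQ Admin.dll
2001/09/18 13:05:00 client=10.1.0.1   server=10.1.0.250 udp/69 RRQ rtr1-confg
2001/09/18 13:40:12 client=10.1.0.2   server=10.1.0.250 udp/69 RRQ rtr2-confg
"""


def parse(log_text: str) -> list:
    """(timestamp, client, server, filename) for every TFTP read request."""
    recs = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "RRQ":      # only downloads matter here
            continue
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y/%m/%d %H:%M:%S")
        client = f[2].split("=", 1)[1]
        server = f[3].split("=", 1)[1]
        recs.append((ts, client, server, f[6]))
    return recs


def detect_tftp_bursts(log_text: str, window_s: int = 60, min_hosts: int = 3) -> list:
    """One alert per (server, file) whose busiest window saw >= min_hosts
    distinct clients.  A sliding two-pointer window over the sorted events
    keeps this linear per key."""
    by_key = defaultdict(list)
    for ts, client, server, fname in parse(log_text):
        by_key[(server, fname)].append((ts, client))

    window = timedelta(seconds=window_s)
    alerts = []
    for (server, fname), events in by_key.items():
        events.sort()
        best, j = None, 0
        for i in range(len(events)):
            j = max(j, i)
            while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
                j += 1
            hosts = {c for _, c in events[i:j + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > best["hosts"]):
                best = {"server": server, "file": fname,
                        "first_seen": events[i][0], "hosts": len(hosts)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_tftp_bursts(SAMPLE_LOG):
        print(f"{a['first_seen']} {a['hosts']} hosts pulled {a['file']} from {a['server']}")
```

With the defaults the sample yields one alert: six hosts pulling Admin.dll from 10.1.4.22 inside 39 seconds, while the two config pulls stay silent because each server/file pair has a single client. Tighten the window to 10 seconds and the same burst still trips the threshold with three hosts; the threshold and window are the two knobs to tune against normal TFTP use on the network.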
Nimda Lessons Learned
  • Mimics and automates attacker behavior
  • Threats are not confined to high profile targets
  • There is no silver bullet
  • Depth and diversity of defense is required
  • A strong methodology is the only proven way to
    address complex security challenges

Nimda Lessons Learned
Use patches to address vulnerabilities
Update policy to require hardening of servers and
  • Security Web Sites and Alerts Lists

  • Security Web Sites

  • Security Vulnerabilities

  • Security Tools

  • Securing Wireless Ethernet
  • c:\CISO_CDROM\Protecting 802.11b

  • Encryption
  • GNU Privacy Guard (PGP replacement)
  • OpenSSL (free SSL toolkit)
  • PGP (International)
  • PGP (US)
  • SSH Communications
  • psst - GNU's ssh replacement
  • SSLeay (use OpenSSL now)

  • Conferences

  • Security Trends
  • c:\CISO_CDROM\Hack Attacks Global
  • C:\CISO_CDROM\Managing the CyberThreat.htm,
    Control Risks Group.
  • See C:\CSO_CDROM\Thre

  • Security Trends
  • Software Description
  • c:\CISO_CDROM\Software Description.html

  • Covert TCP Connections
  • c:\CISO_CDROM\Covert.txt covert.tcp.tar
  • Firewall Information
  • Intrusion Detection Information

  • Denial of Service
  • c:\CISO_CDROM\DoS_trends.pdf
  • c:\CISO_CDROM\grc.txt
  • http://media.grc.com:8080/files/grcdos.pdf
  • c:\CISO_CDROM\DDoS
  • c:\CISO_CDROM\E-mail Log (raw).txt
  • SMTP Body Parts

  • Setting Security Standards
  • http//
    ode280.html (IEEE)
  • http//
    ode278.html (CCIT)
  • http//
    ode279.html (ECMA)

  • Threats
  • Known Exploits and Prevention
  • http://hackersplayground

  • Daemon9, aka Route. "Project Neptune." (Phrack
    48, Article 13, 1996)
  • Irwin, Vicki and Pomeranz, Hal. "Advanced
    Intrusion Detection and Packet Filtering." (SANS
    Network Security 99, 1999)
  • Newsham, Tim, and Ptacek, Tom. "Insertion,
    Evasion, and Denial of Service: Eluding Network
    Intrusion Detection." (Secure Networks, Inc.,
    1998)
  • Northcutt, Stephen. Network Intrusion Detection:
    An Analyst's Handbook. (Indianapolis, Indiana:
    New Riders, 1999)
  • Postel, Jon (ed.). "RFC 793: Transmission
    Control Protocol." (Defense Advanced Research
    Projects Agency, 1981)
  • Stevens, W. Richard. TCP/IP Illustrated, Volume
    1: The Protocols. (Reading, Massachusetts:
    Addison-Wesley, 1994)

Windows O.S. Security How-Tos
  • Get help securing your corporate network with
    these step-by-step How-To guides. Windows 2000

System Security in Windows 2000
  • Apply Predefined Security Templates in Windows
  • Change the Policy Settings for a Certification
    Authority (CA) in Windows 2000
  • Configure a Certificate Authority to Issue Smart
    Card Certificates in Windows 2000
  • Configure a Domain EFS Recovery Policy in Windows
  • Configure Certificate Trust Lists in Internet
    Information Services 5.0
  • Configure Security for a Simple Network
    Management Protocol Service in Windows 2000
  • Configure Windows 2000 Server to Notify You When
    a Security Breach Is Being Attempted
  • Control Access to a Database on a Web Server in
    Windows 2000
  • Create Automatic Certificate Requests with Group
    Policy in Windows
  • Define Security Templates in the Security
    Templates Snap-in in Windows 2000
  • Disable the Automatic L2TP/IPSec Policy
  • Enforce a Remote Access Security Policy in
    Windows 2000

Windows 2000
  • Export Certificates in Windows 2000
  • Find and Clean Up Duplicate Security Identifiers
    with Ntdsutil in Windows 2000
  • Get a Certificate Signed by an Off-Network Root
    Authority in Windows 2000
  • Harden the TCP/IP Stack Against Denial of Service
    Attacks in Windows 2000
  • Install a Smart Card Reader in Windows 2000
  • Keep Domain Group Policies from Applying to
    Administrator Accounts and Selected Users in
    Windows 2000
  • Prevent the Last Logged-On User Name from Being
    Displayed in Windows 2000
  • Publish a Certificate Revocation List in Windows
  • Use Group Policy to Apply Security Patches in
    Windows 2000
  • Use IPSec Policy to Secure Terminal Services
    Communications in Windows 2000
  • Use the Directory Services Store Tool to Add a
    Non-Windows 2000 Certification Authority (CA) to
    the PKI in Windows 2000
  • Back Up Your Encrypting File System Private Key
    in Windows 2000

Windows 2000 Server
  • Configure a Primary Internet Authentication
    Service Server on a Domain Controller
  • Configure Remote Access Client Account Lockout in
    Windows 2000
  • Configure Security for Files and Folders on a
    Network (Domain) in Windows 2000
  • Monitor for Unauthorized User Access in Windows
  • Prevent Users From Changing a Password Except
    When Required in Windows 2000
  • Prevent Users From Submitting Alternate Logon
    Credentials in Windows 2000
  • Restore an Encrypting File System Private Key for
    Encrypted Data Recovery in Windows 2000

Windows 2000 Server
  • Perform Security Planning for Internet
    Information Services 5.0
  • Configure the Security for a Server That Uses
    Microsoft NNTP Service in Windows 2000
  • Configure User and Group Access on an Intranet in
    Windows NT 4.0 or Windows 2000
  • Provide Secure Point-to-Point Communications
    Across the Internet in Windows 2000
  • Safely Connect Your Company to the Internet in
    Windows 2000
  • Set SMTP Security Options in Windows 2000
  • Use IPSec Monitor in Windows 2000
  • Deploy
  • Enable SSL for All Customers Who Interact with
    Your Web Site in Internet Information Services
  • View or Change Authentication Methods in IIS
  • Operate
  • View or Change Authentication Methods in IIS
  • Prevent Users from Accessing Unauthorized Web
    Sites in ISA Server
  • Provide Internet Access Through a Firewall in
    Internet Security and Acceleration Server
  • Add an Authorized Page Warning in Windows 2000

Windows 2000 Server
  • Configure IIS 5.0 Web Site Authentication in
    Windows 2000
  • Install Imported Certificates on a Web Server in
    Windows 2000
  • Prevent Mail Relay in the IIS 5.0 SMTP Server in
    Windows 2000
  • Prevent Web Caching in Windows 2000
  • Secure XML Web Services with Secure Socket Layer
    in Windows 2000
  • Set Secure NTFS Permissions on IIS 5.0 Log Files
    and Virtual Directories in Windows 2000
  • Use Internet Protocol Security to Secure Network
    Traffic Between Two Hosts in Windows 2000
  • Use NTFS Security to Protect a Web Page Running
    on IIS 4.0 or 5.0

Windows XP
  • Access an EFI Partition in Windows XP 64-Bit
  • Audit User Access of Files, Folders, and Printers
    in Windows XP
  • Change the Logon Window and the Shutdown
    Preferences in Windows XP
  • Configure a Preshared Key for Use with Layer 2
    Tunneling Protocol Connections in Windows XP
  • Create and Disable Administrative Shares on
    Windows XP
  • Delegate Security for a Printer in Windows XP
  • Disable the Local Administrator Account in
  • Encrypt a File in Windows XP
  • Encrypt a Folder in Windows XP
  • Encrypt Offline Files to Secure Data in Windows
  • Manage Stored User Names and Passwords on a
    Computer in a Domain in Windows XP
  • Manage Stored User Names and Passwords on a
    Computer That Is Not in a Domain in Windows XP
  • Prevent a User From Running or Stopping a
    Scheduled Process in Windows XP
  • Remove File Encryption in Windows XP

Windows XP
  • Set Up a .NET Passport Account in Windows XP
  • Set WMI Namespace Security in Windows XP
  • Set, View, Change, or Remove File and Folder
    Permissions in Windows XP
  • Set, View, Change, or Remove Special Permissions
    for Files and Folders in Windows XP
  • Share Access to an Encrypted File in Windows XP
  • Turn On Remote Desktop Automatic Logon in Windows
  • Use Cipher.exe to Overwrite Deleted Data in
  • Use the Autologon Feature in the Remote Desktop
    Connection in Windows XP
  • Use the Group Policy Editor to Manage Local
    Computer Policy in Windows XP
  • Use the Microsoft Personal Security Advisor Web
    Site in Windows
  • Internet Security and Acceleration Server
  • Configure Logging in Internet Security and
    Acceleration Server
  • Set Up and Allocate Bandwidth in ISA Server
  • Configure the ISA Server 2000 HTTP Redirector
    Filter in Windows 2000
  • Enable Reporting in Internet Security and
    Acceleration Server 2000
  • Filter ISA Server Web Proxy Cache Entries in
    Windows 2000

Windows XP
  • Monitor Server Activity in Internet Security and
    Acceleration Server 2000
  • Securely Publish Multiple Web Sites by Using ISA
    Server in Windows 2000
  • Set Bandwidth Configuration in Microsoft Internet
    Security and Acceleration Server