  • SriMi said 1 week ago

    Good one, could you share this?

  • guestff47d1 said 4 months ago

    Thanks for sharing smart and useful information with people who can respect it for its potential.



    Greetings from Mexico!

  • antonic74pa said 5 months ago

    Good! Can you share?

  • guest84e476 said 12 months ago

    By the way, can I download this? Please send me a reply on how to download the presentation you made. I'm greatly interested; I hope that it is for free, heheh. Thanks.

  • guest84e476 said 12 months ago

    Wow, thanks for the information. I hope that you may share all your ideas about hacking, because

    we, the people, are looking for the details and the information. This is the very first time I've been looking for the presentations...

  • yanhul said 2 years ago

    please give a download link!

    Hacking Fundamentals - Jen Johnson , Miria Grunick

    From amiable_indian, 3 years ago

    The fundamentals of Hacking - Jen Johnson , Miria Grunick

    20795 views | 6 comments | 34 favorites | 0 downloads | 9 embeds (Stats)

    Slideshow Transcript

    1. Slide 1: The Fundamentals of Hacking: An 0/3r/!3vv Jen Johnson Miria Grunick
    2. Slide 2: Five Phases of an Attack • Phase 1: Reconnaissance • Phase 2: Scanning • Phase 3: Gaining Access • Phase 4: Maintaining Access • Phase 5: Covering Tracks and Hiding
    3. Slide 3: Phase 1: Reconnaissance • Takes place before the attack. • Investigate the target using publicly available information • Types: Low-Technology Reconnaissance, Searching the Web, Whois Databases, Using the DNS, and General Purpose Tools
    4. Slide 4: Low-Technology Reconnaissance • Social Engineering: An attacker calls the target organization and fools an employee into revealing sensitive information. Often, the attacker calls and pretends to be a new employee, customer, system administrator, or business partner.
    5. Slide 5: Low-Technology Reconnaissance • Physical Break-In: Physically breaking into the building to try to gain access to the network from the inside. This is often accomplished by walking into the building with a group of employees or being hired as an employee or temp.
    6. Slide 6: Low-Technology Reconnaissance • Dumpster Diving: Going through an organization’s discarded documents to find sensitive information. Often, employees will throw out papers that reveal critical information (e.g. old Post-It® notes with user IDs and passwords).
    7. Slide 7: Searching the Web • Organization’s Web Site: Can reveal important information, such as the employees’ contact information, clues about the corporate culture and language, business partners, recent mergers and acquisitions, and what technologies the organization uses.
    8. Slide 8: Searching the Web • Search Engines: Can reveal information about the company’s history, current events, future plans, financial status, business partners, technologies in use. • Usenet: Employees may submit questions to technical newsgroups that reveal information about the particular products that the organization uses.
    9. Slide 9: Whois Databases • Whois databases contain information about the assignment of Internet addresses, domain names, registrars, and individual contacts. • First, find out who the registrar is. The Internet Network Information Center (InterNIC) whois database lists the registrar of a domain, looked up by the organization’s name or domain name, for domains under the .net, .org or .com extensions. The InterNIC whois database is available online at: www.internic.net/whois.html
    10. Slide 10: Whois Databases • If you are researching an organization whose domain is not under .com, .net, or .org (e.g. a country-code domain), try the Allwhois site at: www.allwhois.com/home.html • Once you have the registrar’s name, you can go to the registrar’s site and get more information, such as names and numbers of administrators, email and postal addresses, registration dates, and the addresses of the organization’s DNS servers.
    11. Slide 11: American Registry for Internet Numbers (ARIN) • Contains all IP addresses assigned to a particular organization. Search by company or domain names. • For North American, South American, Caribbean, and sub-Saharan African organizations: www.arin.net/whois/arinwhois.html • For European organizations: www.ripe.net • For Asian organizations: www.apnic.net
    12. Slide 12: Domain Name System (DNS) • DNS – a world-wide hierarchical database that stores information about domain names and IP addresses. This database is searched to get information about a given domain name, most commonly the corresponding IP address. • Once an attacker knows one of the DNS servers, the attacker can begin interrogating the name servers.
    13. Slide 13: DNS • To interrogate DNS servers, first invoke the nslookup program on any UNIX or Windows NT/2000 system by typing nslookup at the command prompt. • Try to do a zone transfer. In a zone transfer, nslookup asks the DNS server to transmit all the records it holds for a given domain.
    14. Slide 14: DNS • To do a zone transfer, nslookup must be instructed to use the target’s own DNS server, using the server [target_DNS_server] command • Next, specify that any type of DNS record should be returned by typing set type=any • Initiate the zone transfer by typing ls -d [target_domain] • Output can give useful information, such as system names, IP addresses of the systems, and sometimes even operating system types. • Note that a correctly configured name server only allows zone transfers from its own secondary servers, so the request will usually be refused; a server that answers it is itself a finding. • More information about nslookup: www.zoneedit.com/doc/nslookup.html
    15. Slide 15: General Reconnaissance Tools • Sam Spade (freeware available at www.samspade.org/ssw/ ) • Many reconnaissance tools in one: ping, whois, IP block whois, nslookup, dig, DNS zone transfer, traceroute, finger, SMTP VRFY, Web browser. • Other general-purpose reconnaissance tools: CyberKit, NetScan Tools, iNetTools
    16. Slide 16: Web-Based Reconnaissance Tools • Research and Attack portals: sites that allow a user to enter the target site and research or initiate an attack against the target (via denial- of-service attacks or vulnerability scans) • Difference between Web-based tools and general reconnaissance tools: now the traffic comes from the Web server, not the attacker machine. Thus, the attacker can remain more anonymous.
    17. Slide 17: Web-Based Reconnaissance Tools • Examples: www.network-tools.com privacy.net/analyze
    18. Slide 18: Phase 2: Scanning The premise of scanning is to probe as many ports as possible, keeping track of open and useful ports that would be receptive to hacking. Scanners send multiple packets over a communication medium then listen and record each response. The following are techniques for inspecting ports and protocols.
    19. Slide 19: War Dialing • War Dialing: Dialing large pools of telephone numbers in an effort to find unprotected modems. Done with an automated tool, such as THC-Scan 2.0, available at: www.thc.org/releases.php. • This tool will return a list of all of the modems discovered in the range of the phone numbers it was given. • The hacker can then check all of the modems and see if any have no passwords, allowing them access to the network.
    20. Slide 20: FIN Probe • A FIN packet (or any packet without an ACK or SYN flag) is sent to an open port and one waits for a response. • The correct RFC 793 behavior is to not respond. Many broken implementations (e.g. MS Windows) send a RESET back.
    21. Slide 21: Network Mapping • A hacker first tries to determine which addresses have active hosts by pinging all possible addresses in the network. • Once a hacker knows which hosts are alive, he or she will try to determine the network topology. This is done by a method called tracerouting.
    22. Slide 22: Network Mapping • Tracerouting: Send a series of packets with different Time-To-Live (TTL) values in the IP header and check the source address of the Time Exceeded message returned. • Example: Send a packet with a TTL of 1. The Time Exceeded message will have the source address of the first router. Now send a packet with a TTL of 2. The Time Exceeded message returned will have the source address of the second router, and so on.
    23. Slide 23: Tracerouting
    24. Slide 24: Network Mapping • Windows 2000/NT and UNIX have tools that do this for us • Windows 2000/NT: tracert • UNIX: traceroute • Another network mapping tool: Cheops (available at: www.marko.net/cheops ) This tool does the ping sweep and traceroute and draws a picture of the topology of the network.
    25. Slide 25: Screenshot of Cheops
    26. Slide 26: How Cheops Works • Sequentially send ARP messages to every IP address in the range. • Traceroute to every IP address that responds to the ARP message.
    27. Slide 27: Scanning Involves 3 Steps • Locating Nodes • Performing Service Discoveries • Testing Services for Known Security Holes
    28. Slide 28: TCP Port Scanning • Most basic form of scanning. Attempts to open a full TCP port connection to determine if that port is active. • This method leaves an easier to spot trail than partial open scanning.
    29. Slide 29: Stealth Port Scanning • All the operating systems now honor the tradition of permitting only the super-user to bind to the ports numbered 0 to 1023. These standard ports are assigned to services by the IANA (Internet Assigned Numbers Authority, www.iana.org). • Attempts by an unprivileged user program to bind to a port in the range 0..1023 will fail. A user program can bind to any unallocated port higher than 1023.
    30. Slide 30: • On Unix, the text file named /etc/services (on Windows 2000 the file named %windir%\system32\drivers\etc\services) lists these service names and the ports they use. Here are a few lines extracted from this file:
    31. Slide 31:
        echo       7/tcp     Echo
        ftp-data   20/tcp    File Transfer (default data)
        ftp        21/tcp    File Transfer (control)
        ssh        22/tcp    SSH Remote Login Protocol
        telnet     23/tcp    Telnet
        domain     53/udp    Domain Name Server
        www-http   80/tcp    WWW HTTP
    32. Slide 32: Non Standard Ports
        wins       1512/tcp       Microsoft Windows Internet Name Service
        radius     1812/udp       RADIUS authentication protocol
        yahoo      5010           Yahoo! Messenger
        X11        6000-6063/tcp  X Window System
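A scanner has to turn port numbers back into service names, and the file format above is what it reads. The following parser is an added example, not part of the original presentation: it handles the name/port/protocol columns, port ranges like 6000-6063/tcp, alias columns and comments, and skips lines (such as the protocol-less yahoo entry) that do not follow the format. The sample file content is constructed from the slides.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in /etc/services format (lines taken from the slides plus
# a comment and an alias column of the kind the real file contains).
SAMPLE_SERVICES = """\
# service-name   port/protocol   [aliases ...]   # comment
echo        7/tcp
ftp-data    20/tcp
ftp         21/tcp
ssh         22/tcp      # SSH Remote Login Protocol
telnet      23/tcp
domain      53/udp
www-http    80/tcp      http www    # WWW HTTP
wins        1512/tcp    # Microsoft Windows Internet Name Service
radius      1812/udp
yahoo       5010
x11         6000-6063/tcp
"""


class Service(NamedTuple):
    name: str
    first_port: int
    last_port: int
    proto: str
    aliases: Tuple[str, ...]


# name  port[-port]/proto  [alias ...]   (comments are stripped before matching)
LINE_RE = re.compile(r"(\S+)\s+(\d+)(?:-(\d+))?/(tcp|udp)((?:\s+\S+)*)")


def parse_services(text: str) -> List[Service]:
    services: List[Service] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.fullmatch(line)
        if m is None:
            continue                           # malformed entry: skip, don't abort
        name, lo, hi, proto, alias_blob = m.groups()
        first = int(lo)
        last = int(hi) if hi is not None else first
        services.append(Service(name, first, last, proto, tuple(alias_blob.split())))
    return services


def service_name(services: List[Service], port: int, proto: str) -> Optional[str]:
    """Reverse lookup a scanner performs for every open port it finds."""
    for s in services:
        if s.proto == proto and s.first_port <= port <= s.last_port:
            return s.name
    return None


def is_privileged_port(port: int) -> bool:
    """Ports only the super-user may bind to (slide 29)."""
    return 0 <= port <= 1023


SERVICES = parse_services(SAMPLE_SERVICES)
```

Matching on protocol as well as number matters: 53/udp resolves to domain, but the sample has no 53/tcp entry, so the lookup correctly returns nothing for it rather than guessing.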
    33. Slide 33: Stealth Scanning Includes Some/All of the Following • Setting individual flags (ACK, FIN, RST, .. ) • NULL flags set • All flags set • Bypassing filters, firewalls, routers • Appearing as casual network traffic • Varied packet dispersal rates
    34. Slide 34: Fragmented Packets • The scanner splits the TCP header into several IP fragments. This bypasses some packet filter firewalls because they cannot see a complete TCP header that can match their filter rules.
    35. Slide 35: • Some packet filters and firewalls do queue all IP fragments (e.g., the CONFIG _IP _ALWAYS _DEFRAG option in Linux enables it in the kernel), but many networks cannot afford the performance loss caused by the queuing.
    36. Slide 36: TCP Fragmenting • TCP fragmenting is not a scan method so to speak, although it employs a method to obscure scanning implementations by splitting the TCP header into smaller fragments.
    37. Slide 37: • A minimally allowable fragmented TCP header must contain the destination and source ports in the first fragment (8 octets, 64 bits), typically with the flags in the next, allowing the remote host to reassemble the packet upon arrival.
    38. Slide 38: • The actual reassembly is established through an IPM (internet protocol module) that identifies the fragmented packets by the field equivalent values of: – source – destination – protocol – identification
    39. Slide 39: Using TCP Fragmenting - FragRouter • Program which fragments TCP packets – 35 different ways to fragment • Called a router because it is a software implementation of a router – data from other programs is sent through the FragRouter • FragRouter fragments the packets and then forwards the packets to their destination
    40. Slide 40: SYN Scanning • Also called half-open scanning, as TCP connection is not completed. • A SYN packet is sent and the target host responds with a SYN+ACK, indicating the port is listening • RST indicates a non-listener • The server process is never informed by the TCP layer because the connection did not complete.
    41. Slide 41: A demonstration of this technique is necessary to show a half open transaction: client -> SYN server -> SYN|ACK client -> RST
    42. Slide 42: • This example has shown the target port was open, since the server responded with SYN|ACK flags. • The client need not send the RST deliberately: the client’s kernel TCP/IP stack sends it automatically, because no socket is expecting that SYN|ACK.
    43. Slide 43: Inversely, a closed port will respond with RST|ACK. client -> SYN server -> RST|ACK This combination of flags is indicative of a non- listening port.
    44. Slide 44: FIN Scanning • The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that open listening ports will send back different error messages than closed ports.
    45. Slide 45: • The scanner sends a FIN packet, which should close a connection that is open. Closed ports reply to a FIN packet with a RST. Open ports, on the other hand, ignore the packet in question. • If no service is listening at the target port, the operating system will generate an error message. • If a service is listening, the operating system will silently drop the incoming packet. Therefore, silence indicates the presence of a service at the port.
    46. Slide 46: This is the negotiation for open/closed port recognition client -> FIN server -> (no reply) No reply from the server is indicative of an open port. The server’s operating system silently dropped the incoming FIN packet addressed to the service running on that port.
    47. Slide 47: RST Reply • Opposing this is the RST reply by the server upon a closed port reached. • Since, no service is bound on that port, issuing a FIN invokes a reset (RST) response from the server. client -> FIN server -> RST
    48. Slide 48: • Other techniques that have been used consist of XMAS scans, where the FIN, URG and PUSH flags (in some tools every flag) in the TCP packet are set, or NULL scans, where no flags are set. However, different operating systems respond differently to these scans, and it becomes important to identify the OS and even its version and patch level.
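The scan types on slides 40 to 48 (and the FIN probe of slide 20) differ only in which flags the probe carries and how the target's stack answers. The following simulation is an added example, not code from the presentation: target_reply encodes the RFC 793 rules for open, closed and filtered ports, with a "windows" stack flavour that resets FIN/NULL/Xmas probes to open ports as the slides describe, and classify turns each reply into the verdict a scanner would report. Scan names follow nmap's; the stack behaviours are the ones stated on the slides, not a model of any particular OS version.

```python
from typing import FrozenSet, List, Optional, Tuple

Flags = FrozenSet[str]

# Probe flag sets for the scan types on the slides.
PROBES = {
    "syn": frozenset({"SYN"}),
    "fin": frozenset({"FIN"}),
    "null": frozenset(),
    "xmas": frozenset({"FIN", "URG", "PSH"}),
    "ack": frozenset({"ACK"}),
}


def target_reply(probe: Flags, port_state: str, stack: str = "rfc793") -> Optional[Flags]:
    """Flags the target's TCP stack sends back for one unsolicited segment, or None.
    port_state: "open", "closed" or "filtered"; stack: "rfc793" or "windows"."""
    if port_state == "filtered":
        return None                                   # dropped by a filter, no reply
    if port_state == "closed":
        # RFC 793: any segment other than a RST that reaches a closed port draws a
        # RST (RST|ACK when the probe carried no ACK number to echo).
        return frozenset({"RST"}) if "ACK" in probe else frozenset({"RST", "ACK"})
    # open port
    if "SYN" in probe and "ACK" not in probe:
        return frozenset({"SYN", "ACK"})              # listener answers the handshake
    if "ACK" in probe:
        return frozenset({"RST"})                     # no connection matches this ACK
    # FIN / NULL / Xmas to an open port: RFC 793 says drop silently, but some
    # stacks (MS Windows, per slide 20) reset anyway.
    return frozenset({"RST"}) if stack == "windows" else None


def classify(scan_type: str, reply: Optional[Flags]) -> str:
    """Scanner-side verdict for one probe/reply pair."""
    if scan_type == "syn":
        if reply is not None and {"SYN", "ACK"} <= reply:
            return "open"
        return "closed" if reply is not None and "RST" in reply else "filtered"
    if scan_type == "ack":
        return "unfiltered" if reply is not None and "RST" in reply else "filtered"
    # fin / null / xmas: only a RST is conclusive; silence is ambiguous
    return "closed" if reply is not None and "RST" in reply else "open|filtered"


def scan_port(scan_type: str, port_state: str, stack: str = "rfc793") -> str:
    return classify(scan_type, target_reply(PROBES[scan_type], port_state, stack))


def syn_scan_exchange(port_state: str) -> List[Tuple[str, Flags]]:
    """Segments of one half-open probe, in the order of slides 41 to 43."""
    probe = PROBES["syn"]
    exchange = [("client", probe)]
    reply = target_reply(probe, port_state)
    if reply is not None:
        exchange.append(("server", reply))
        if "SYN" in reply:
            # scanner's kernel tears the half-open connection down itself
            exchange.append(("client", frozenset({"RST"})))
    return exchange
```

The two things worth noticing in the output: a FIN scan can never say "open", only "open|filtered", and against a stack that resets FIN probes to open ports every port looks closed, which is why OS identification (slide 48) comes before choosing a stealth scan.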
    49. Slide 49: Reverse Ident Scanning • This technique involves sending a query to the ident/auth daemon, usually on port 113, to ask for the owner of the process bound to a given port. • The main reason behind this is to find daemons running as root; such a result would entice an intruder to find an exploitable overflow and instigate other attacks involving that port.
    50. Slide 50: • Conversely, a daemon running as user nobody (e.g. httpd) may not be as attractive to an attacker because of its limited privileges. • identd could release miscellaneous private information such as: – user info – entities – objects – processes
    51. Slide 51: FTP Bounce
    52. Slide 52: Background • An FTP session consists of two connections between the client and the server: the control connection and a data connection. • In active mode the client listens on a high port and tells the server about it, so that the server can open the data connection back to the client. • When the client wants to transfer data to or from the server, it issues a PORT command. The PORT command tells the server which address and port to connect to for the data transfer.
    53. Slide 53: Problem • An outside attacker can use the FTP server to open connections which appear to originate from the server. This could be used to bypass the access control restrictions.
    54. Slide 55: How To Use FTP Bounce Attacks
    55. Slide 56: Port Scanning • An attacker can run the attack through a third-party FTP server acting as a stage for the scan. The victim site sees the scan as coming from the FTP server rather than the true source (the FTP client). • When the victim site is on the same subnet as the FTP server, or when it does not filter traffic from the FTP server, the attacker can use the server machine as the source of the port scan rather than the client machine.
    56. Slide 57: Bypassing Basic Packet Filtering Devices • An attacker may bypass a firewall in certain network configurations. – Example; a site has its anonymous FTP server behind a firewall. Using the technique above, an attacker determines that an internal web server at that site is available on port 8080, a port normally blocked by a firewall.
    57. Slide 58: • By connecting to the public FTP server at the site, the attacker initiates a further connection between the FTP server and an arbitrary port on a non-public machine at that site . • (for instance the internal web server at port 8080). • As a result, the attacker establishes a connection to a machine that would otherwise be protected by the firewall.
    58. Slide 59: Bypassing Dynamic Packet Filtering Devices • Example – victim site houses all of its systems behind a firewall that uses dynamic packet filters – person at victim site browses web pages and downloads a Java applet constructed by attacker. – Java applet then opens an outbound FTP connection to attacker's machine. – applet then issues an FTP PORT command, instructing server machine to open a connection to some otherwise protected system behind the victim firewall.
    59. Slide 60: • The dynamic packet filtering firewall examines outbound packets to determine if any action is required on its part. • It notes the PORT command and allows an incoming connection from the attacker’s machine (the FTP server the applet connected to) to the telnet port on the victim machine. • This connection was allowed because the PORT command was issued by a client on the inside.
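Every variant of the bounce on slides 51 to 60 rests on one thing: the PORT command carries an arbitrary address and port, encoded as six decimal fields with port = p1*256 + p2. The following code is an added example, not from the presentation: it builds and parses PORT commands as a client and server would, and accept_port_command is the server-side check that defeats the bounce by refusing data connections to any host other than the one the control connection came from, or to a privileged port. The addresses are constructed for the example.

```python
import ipaddress
import re
from typing import Tuple


def build_port_command(ip: str, port: int) -> str:
    """Encode a data endpoint as 'PORT h1,h2,h3,h4,p1,p2', as an active-mode client does."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = ipaddress.IPv4Address(ip).packed        # also validates the address
    p1, p2 = divmod(port, 256)
    return "PORT " + ",".join(str(b) for b in octets) + f",{p1},{p2}"


PORT_RE = re.compile(
    r"PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})",
    re.IGNORECASE,
)


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode the command on the server side; rejects malformed or out-of-range fields."""
    m = PORT_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError("malformed PORT command")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def accept_port_command(line: str, control_peer_ip: str) -> bool:
    """Bounce defence: only connect back to the client's own address, and never
    to a privileged port (so the server cannot be pointed at telnet, SMTP, ...).
    Returns True if the server should honour the command."""
    ip, port = parse_port_command(line)
    return ip == control_peer_ip and port >= 1024


# Constructed scenario from slides 56-58: the attacker (203.0.113.5) is logged in
# to a public FTP server and asks it to open a data connection to an internal
# web server on port 8080 instead of back to itself.
ATTACKER_IP = "203.0.113.5"
BOUNCE_CMD = build_port_command("192.0.2.10", 8080)       # "PORT 192,0,2,10,31,144"
LEGIT_CMD = build_port_command(ATTACKER_IP, 40000)
```

A server that applies accept_port_command rejects BOUNCE_CMD because the data address is not the control peer, and also rejects a command naming the client's own address with port 23, which is the variant on slide 60. Refusing third-party PORT targets is the standard fix that FTP servers adopted after the bounce attack became known.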
    60. Slide 61: Scanning Packages Available Commercially • CyberCop • JAKAL • NetRecon • NMap
    61. Slide 62: CyberCop • Intrusion detection system that safeguards corporate assets by performing real-time surveillance of network traffic. The CyberCop system protects networks from external and internal attacks by providing a "high tech burglar alarm" capable of alerting companies when the security of their networks is breached by unauthorized intruders.
    62. Slide 63: JAKAL • Developed on UNIX to test UNIX hosts. Jakal is interesting because of its possibilities: it is designed for stealth and to go through most firewalls. Usually it doesn't leave any trace of its activity, except for some messages (SYN|ACK).
    63. Slide 64: NetRecon • Scans multiple operating systems, including UNIX, Linux, Windows 2000, Windows NT, Windows 95/98 and NetWare. • Scans using many Windows NT/2000 network protocols such as TCP/IP, IPX/SPX, and NetBEUI.
    64. Slide 65: Nmap • Most popular scanner to date • Free utility for network exploration or security auditing. Designed to rapidly scan large networks. Uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use. • http://www.insecure.org/nmap/idlescan.html
    65. Slide 66: Scan Types Supported by Nmap
    66. Slide 67: Type of Scan | Command-Line Option | Summary of Characteristics
        TCP Connect | -sT | Completes the 3-way handshake with each scanned port.
        TCP SYN | -sS | Only sends the initial SYN and awaits the SYN-ACK response.
        TCP FIN | -sF | Sends a TCP FIN to each port. Reset indicates port is closed.
    67. Slide 68: (table continued)
        TCP Xmas Tree | -sX | Sends packet with the FIN, URG and PUSH code bits set. Reset indicates port is closed.
        Null | -sN | Sends packets with no code bits set. Reset indicates port is closed.
        TCP ACK | -sA | Sends packet with the ACK code bit set to each target port.
        Window | -sW | Similar to ACK, but focuses on TCP Window size to determine if ports are
    68. Slide 69: (table continued)
        FTP Bounce | -b | Bounces a TCP scan off of an FTP server, obscuring the originator of the scan.
        UDP Scanning | -sU | Sends a UDP packet to target ports to determine if a UDP service is listening.
        Ping | -sP | Sends ICMP echo request packets to every machine on the target network.
        RPC Scanning | -sR | Uses all discovered open TCP/UDP ports on the target to send RPC NULL commands, identifying RPC services.
    69. Slide 70: Determining Firewall Filter Rules • One disadvantage of Nmap: it cannot differentiate between a port that is closed on the end machine and one that is being firewalled. • It is also important to determine what ports are available through the firewall or router. One tool that can do this is Firewalk (available: www.packetfactory.net/projects/firewalk/firewalk-5.0.tgz) • Firewalk can determine which types of packets are permitted through and which ports are accessible through the firewall. • Note: Firewalk is only useful for packet-filtering devices, not proxy-based firewalls.
    70. Slide 71: How Firewalk Works • Determines the number of hops between the tool and the filtering device (a traceroute-style TTL ramp). • Sends UDP and TCP packets to each port of interest with a TTL one greater than that hop count. – If an ICMP Time Exceeded message comes back from the hop beyond the filtering device, the packet was forwarded, so the port is available through the firewall – If nothing comes back (or only an ICMP unreachable generated by the filtering device itself), the port is most likely being filtered • Unlike Nmap, Firewalk can determine what kind of packets are allowed through the firewall for each specific port and which ports allow new connections.
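Tracerouting (slides 22 to 24) and Firewalk (slides 70 and 71) are the same TTL trick used for two purposes, so one simulation serves both. It is an added example, not the presentation's or Firewalk's code: a constructed five-hop path with a packet filter at the third hop and an assumed permit list. send() plays the network (each router decrements TTL; the filter drops disallowed ports), traceroute() ramps the TTL, and firewalk() sends probes with TTL = hops-to-gateway + 1 and reads the Time Exceeded source to decide which ports pass the filter.

```python
from typing import Dict, List, Optional, Tuple

# Constructed network: routers on the path to the target host 198.51.100.20.
PATH = ["10.0.0.1", "10.0.1.1", "198.51.100.1", "198.51.100.254", "198.51.100.20"]
FILTER_IP = "198.51.100.1"                         # packet-filtering router
ALLOWED = {("tcp", 80), ("tcp", 25), ("udp", 53)}  # assumed permit rules of that filter


def send(ttl: int, proto: str, port: int) -> Tuple[str, Optional[str]]:
    """Simulate one probe. Returns (reply kind, source address of the reply)."""
    for i, hop in enumerate(PATH):
        if i == len(PATH) - 1:                 # delivered to the target host
            return ("port_unreachable" if proto == "udp" else "tcp_reply", hop)
        ttl -= 1                               # every router decrements the TTL
        if ttl == 0:
            return ("time_exceeded", hop)      # ICMP Time Exceeded from this router
        if hop == FILTER_IP and (proto, port) not in ALLOWED:
            return ("dropped", None)           # silently discarded by the filter
    return ("dropped", None)


def traceroute(proto: str = "udp", port: int = 33434, max_ttl: int = 8) -> List[str]:
    """Classic traceroute: TTL 1, 2, 3, ... until the destination itself answers.
    A hop that yields nothing is shown as '*'."""
    hops: List[str] = []
    for ttl in range(1, max_ttl + 1):
        kind, src = send(ttl, proto, port)
        hops.append(src if src is not None else "*")
        if kind in ("port_unreachable", "tcp_reply"):
            break
    return hops


def hops_to(ip: str, max_ttl: int = 30) -> Optional[int]:
    """Firewalk phase 1: how many hops away is the filtering device?"""
    for ttl in range(1, max_ttl + 1):
        _, src = send(ttl, "udp", 33434)
        if src == ip:
            return ttl
    return None


def firewalk(gateway_ip: str, probes: List[Tuple[str, int]]) -> Dict[Tuple[str, int], str]:
    """Firewalk phase 2: probe each (proto, port) with TTL = gateway hops + 1.
    A Time Exceeded from a hop *beyond* the gateway proves the filter let it through."""
    n = hops_to(gateway_ip)
    if n is None:
        raise RuntimeError("gateway not on the path")
    verdicts: Dict[Tuple[str, int], str] = {}
    for proto, port in probes:
        kind, src = send(n + 1, proto, port)
        passed = kind == "time_exceeded" and src != gateway_ip
        verdicts[(proto, port)] = "open" if passed else "filtered"
    return verdicts
```

Two details the simulation brings out: a default UDP traceroute (high destination port) goes dark after the filter because that port is not permitted, whereas the same ramp on TCP/80 maps the full path; and firewalk never needs the target host to answer at all, which is what makes it useful behind a filter that blocks everything Nmap would rely on.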
    71. Slide 72: Vulnerability Scanning • Use an automated tool that checks for common configuration errors, default configuration errors, and well-known system vulnerabilities. • Generally made up of multiple parts: vulnerability database, user configuration tool, scanning engine, knowledge base of the current active scan, and results repository and report generation tool.
    72. Slide 73: Vulnerability Scanner
    73. Slide 74: Nessus • The most popular of the vulnerability scanners. (Available: www.nessus.com) • Also allows the user to write their own vulnerability checks and include them in the tool. • Has a variety of plug-ins, such as checking for vulnerabilities that allow a shell to be gained remotely and checking to see if the target system already has backdoor tools installed.
    74. Slide 75: Port, Socket & Service Vulnerability Penetrations Once a breach has been uncovered during the discovery phase, different vulnerability penetrations are used to take advantage and possibly gain control of computers, servers and internetworking equipment. More on exploiting these vulnerabilities in Phase 3……
    75. Slide 76: Operating System Fingerprinting with Nmap
    76. Slide 77: TCP ISN Sampling • The idea here is to find patterns in the initial sequence numbers chosen by TCP implementations when responding to a connection request. • Categorized into groups such as traditional 64K, random increments and true random, (Linux 2.0)
    77. Slide 78: Don’t Fragment Bit • Trend of operating systems to set the IP “Don’t Fragment” bit on some of the packets they send. • By paying attention to this bit, one can glean information on the target OS.
    78. Slide 79: TCP Initial Window • Simply involves checking the window size on returned packets. • Gives quite a lot of information since some operating systems can be uniquely identified by the window alone.
    79. Slide 80: TCP Option • Excellent means of gaining access to leaked information. • Can discover if a host is implementing them by sending a query with an option set: target shows support of the option by setting it on the reply. • Can stuff many options on one packet to test everything at once.
    80. Slide 81: SYN Flood Resistance • If too many forged SYN packets are sent to some operating systems, they will stop accepting new connections. • Many operating systems can only handle 8 packets. • By sending 8 forged packets to an open port and then trying to establish a connection, you can learn about the operating system used. • This is easier to detect on the target side than other methods, however.
    81. Slide 82: Name | Purpose | Platform | Where to get it | Comments
        Whois database | Gives the registrar’s name when given a company’s name or domain name | Web-based database | For .com, .net, .org: www.internic.net/whois.html; for other domains: www.allwhois.com/home.html |
        IP Address Lookup | Gives all IP addresses assigned to an organization or domain name | Web-based database | North and South America, Caribbean, sub-Saharan Africa: www.arin.net/whois/arinwhois.html; Europe: www.ripe.net; Asia: www.apnic.net |
        DNS Lookup (nslookup) | Gives DNS information about a corresponding IP address | Built into Windows and Linux | More information: www.zoneedit.com/doc/nslookup.html |
        Sam Spade | Ping, whois, IP block lookup, DNS lookup, dig, zone transfer, traceroute, finger, SMTP verify, web browser | Windows | www.samspade.org/ssw/ | Note that all of the operations can be traced back to the system running the program
        Web-Based Tools | Traceroute, lookup, ping, DNS lookup, DNS records, email validation | Web based | www.network-tools.com/; privacy.net/analyze | Web based, so it can’t be traced back to you
        THC-Scan 2.0 | War dialer | Windows | www.thc.org/releases.php | Lots of other useful tools on this site
        Cheops | Ping sweep, traceroute, and draws a visual representation of the network | Linux | www.marko.net/cheops | First need to download glib10-1.0.6-6.i386.rpm and gtk+10-1.0.6-6.i386.rpm (available at rpmfind.net/linux/RPM/redhat/6.2/i386)
        Traceroute | Determine network topology | Windows, Linux | Built into Windows and Linux | Windows command: tracert [IP addr.]; Linux command: traceroute [IP addr.]
        Nmap | Port scanner and network mapper | Windows, Linux | www.insecure.org/nmap/idlescan.html |
        Firewalk | Able to determine if ports are available through a firewall or router | Linux | www.packetfactory.net/projects/firewalk/firewalk-5.0.tgz | Only for packet-filtering firewalls. Need to download the 3 libraries: libnet and libpcap from the site, and libdnet (for Fedora 2 from rpmfind.net/linux/rpm2html/search.php?query=libdnet)
        Nessus | Vulnerability scanner | Windows, Linux | www.nessus.com | Can test multiple hosts at the same time; allows the user to write plug-ins
        Stack Based Buffer Overflow Attack | Using stack overflow to get a target machine to execute code | Windows, Linux | packetstormsecurity.org/docs/hack/Smashstack.txt | Text document explaining the process
        Pwdump | Extracts hashed | Windows | packetstormsecurity.org/Crackers/N |
    82. Slide 83: Random Clipart
    83. Slide 84: Pre-Phase 3 Understanding Filters, Firewalls and the IDS
    84. Slide 85: Packet Filter • First line of defense. • Checks each packet against a policy or rule before routing it to the destined node or network. • Most reject inbound packets that would initiate a session from the outside, such as unsolicited TCP connection attempts, ICMP, and incoming UDP packets.
    85. Slide 86: Example • Cisco Series Access Router • If router is configured to pass a particular protocol, external hosts can use that protocol to establish a direct connection to internal hosts. • The router will produce an audit log with features to generate alarms when hostile behavior is detected.
    86. Slide 87: Enhanced Version Stateful Filter
    87. Slide 88: Stateful Filter • Provides same functionality as previous version, but also keeps track of state information, such as TCP sequence numbers. • Uses the analysis of data within the lowest levels of the protocol stack to compare the current session to previous ones for the purpose of detecting suspicious activity. • Uses specific rules determined by the user.
    88. Slide 89: Downside • Does not recognize specific applications, therefore, is unable to apply dissimilar rules to different applications.
    89. Slide 90: Proxy Firewall
    90. Slide 91: • Simple server with dual NICs that has routing or packet forwarding deactivated, utilizing a proxy server daemon instead. • Gateway is a term used as a synonym for proxy server. • Gathers all internet requests, forwards them to internet servers, receives responses and forwards them to the original requestor within the company.
    91. Slide 92: Enhanced Version Application Proxy Gateway
    92. Slide 93: Application Proxy Gateway • Contains integrated modules that check every request and response. • Example: – An FTP stream may only be allowed to download data.
    93. Slide 94: Application Gateways look at data on the application layer of the protocol stack and serve as proxies for outside users. Thus, outside users never really have a direct connection to anything beyond the proxy gateway.
    94. Slide 95: Implementing a Backdoor Method 4 Actions Take Place • Seizing a virtual connection; this involves hijacking a remote telnet session, a VPN tunnel or a SecurID session. • Planting an insider; user, engineer or socially engineered (swindled) person. – Can also spoof an employee with an e-mail with a remote access Trojan attached.
    95. Slide 96: • Manipulating an internal vulnerability; attacks on demilitarized zones, such as E-mail, domain name resolution, telnet or FTP. • Manipulating an external vulnerability; involves penetrating through external mail server, HTTP server daemon and/or telnet service on an external boundary gateway.
    96. Slide 97: Intrusion Detection System
    97. Slide 98: Scanning Intrusion Detection Systems • Detects statistical anomalies. Measures a "baseline" of such stats as CPU utilization, disk activity, user logins, file activity, and so forth. Then, the system can trigger when there is a deviation from this baseline. • Can detect the anomalies without having to understand the underlying cause behind them.
    98. Slide 99: Signature Recognition • The majority of commercial products are based upon examining the traffic looking for well-known patterns of attack. • The classic example is to examine every packet on the wire for the pattern "/cgi-bin/phf?", which might indicate somebody attempting to access this vulnerable CGI script on a web server.
    99. Slide 100: How does a NIDS match signatures with incoming traffic? • 1. Protocol stack verification A number of intrusions, such as "Ping-O-Death" and "TCP Stealth Scanning", use violations of the underlying IP, TCP, UDP, and ICMP protocols in order to attack the machine. A simple verification system can flag invalid packets. This can include valid but suspicious behavior, such as severely fragmented IP packets.
    100. Slide 101: • 2. Application protocol verification A number of intrusions use invalid protocol behavior, such as "WinNuke", which uses invalid NetBIOS protocol, or DNS cache poisoning, which has a valid but unusual signature. In order to effectively detect these intrusions, a NIDS must re-implement a wide variety of application-layer protocols in order to detect suspicious or invalid behavior.
    101. Slide 102: 3. Creating new loggable events A NIDS can be used to extend the auditing capabilities of your network management software. For example, a NIDS can simply log all the application layer protocols used on a machine. Downstream event log systems (WinNT Event, UNIX syslog, SNMP TRAPS, etc.) can then correlate these extended events with other events on the network.
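The three mechanisms of slides 99 to 102 fit in one small engine, shown here as an added example (not the presentation's material): stack_checks flags TCP segments with no flags set and severely fragmented datagrams (step 1), application_view decodes the HTTP request line before the signature is applied so a %-encoded "/cgi-bin/phf?" is still caught (a minimal instance of step 2), and process emits one loggable event per packet tagged with the application protocol seen on that port (step 3). The packet records are constructed to stand in for what a sniffer would hand the engine; the fragment threshold is an assumed tuning value.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

SIGNATURES = [("WEB-CGI phf access", re.compile(rb"/cgi-bin/phf\?"))]
PORT_TO_APP = {21: "ftp", 23: "telnet", 25: "smtp", 53: "dns", 80: "http"}
FRAG_THRESHOLD = 4   # assumed: more fragments than this per datagram is "severely fragmented"

# Constructed packet records: the fields a sniffer would hand to the engine.
SAMPLE_PACKETS = [
    {"src": "203.0.113.9", "dst": "192.0.2.80", "proto": "tcp", "dport": 80, "flags": {"PSH", "ACK"},
     "frags": 1, "payload": b"GET /cgi-bin/phf?Qalias=x%0als HTTP/1.0\r\n"},
    {"src": "203.0.113.9", "dst": "192.0.2.80", "proto": "tcp", "dport": 80, "flags": {"PSH", "ACK"},
     "frags": 1, "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"src": "203.0.113.9", "dst": "192.0.2.80", "proto": "tcp", "dport": 80, "flags": {"PSH", "ACK"},
     "frags": 1, "payload": b"GET /cgi-bin/phf%3FQalias=x HTTP/1.0\r\n"},   # '?' percent-encoded
    {"src": "203.0.113.9", "dst": "192.0.2.25", "proto": "tcp", "dport": 25, "flags": set(),
     "frags": 1, "payload": b""},                                               # NULL scan probe
    {"src": "203.0.113.9", "dst": "192.0.2.25", "proto": "tcp", "dport": 25, "flags": {"SYN"},
     "frags": 9, "payload": b""},                                               # heavily fragmented SYN
]


def stack_checks(pkt: Dict) -> List[str]:
    """1. Protocol stack verification: segments that violate or abuse TCP/IP."""
    alerts = []
    if pkt["proto"] == "tcp" and not pkt["flags"]:
        alerts.append("STACK tcp segment with no flags set (NULL scan)")
    if pkt["frags"] > FRAG_THRESHOLD:
        alerts.append(f"STACK severely fragmented datagram ({pkt['frags']} fragments)")
    return alerts


def application_view(pkt: Dict) -> bytes:
    """2. Application protocol verification (minimal): decode the HTTP request
    before matching, so an encoded path cannot slip past the signature."""
    if PORT_TO_APP.get(pkt["dport"]) == "http":
        return unquote_to_bytes(pkt["payload"])
    return pkt["payload"]


def signature_checks(pkt: Dict) -> List[str]:
    data = application_view(pkt)
    return [f"SIG {name}" for name, rx in SIGNATURES if rx.search(data)]


def process(packets: List[Dict]) -> List[Dict]:
    """3. One loggable event per packet, tagged with the application protocol."""
    events = []
    for pkt in packets:
        events.append({
            "src": pkt["src"], "dst": pkt["dst"],
            "app": PORT_TO_APP.get(pkt["dport"], "unknown"),
            "alerts": stack_checks(pkt) + signature_checks(pkt),
        })
    return events


EVENTS = process(SAMPLE_PACKETS)
```

Run against the sample, the raw "/cgi-bin/phf?" request and its percent-encoded twin both raise the signature alert, the innocent request raises nothing, and the two SMTP-bound probes are caught by the stack checks alone; every packet still produces an event with its application protocol for downstream correlation.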
    102. Slide 103: Other countermeasures besides IDS • Firewalls: These are to protect from external attacks; most intrusions are committed by employees inside the firewall, and it should therefore be considered a last line of defense.
    103. Slide 104: Authentication • Scanners should be run that automate the finding of open accounts. • Strict password policies (7-character minimum, including numbers, dual-case, and punctuation) should be enforced automatically using crack or built-in policy checkers (WinNT native, add-on for UNIX).
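An automatic policy check of the kind slide 104 calls for, as an added example (not code from the presentation or from crack): it enforces the slide's rules (7-character minimum, a digit, both cases, punctuation) and adds a crack-style dictionary test. The word list is a constructed stub; a real deployment would load a full dictionary.

```python
# Added example (not from the slides): password-policy enforcement implementing the
# slide's rules plus a crack-style dictionary check. COMMON_WORDS is a constructed stub.
import re
import string
from typing import List, Optional

MIN_LENGTH = 7  # the slide's minimum
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey"}  # stub word list


def password_policy_violations(password: str) -> List[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("not dual-case")
    if not any(c in string.punctuation for c in password):
        violations.append("no punctuation")
    return violations


def dictionary_weakness(password: str, username: str = "") -> Optional[str]:
    """Crack-style check: reject passwords that contain the user name, or that are a
    dictionary word with only digits/punctuation bolted on (e.g. 'Password1!')."""
    if username and username.lower() in password.lower():
        return "contains the user name"
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in COMMON_WORDS:
        return "dictionary word with trivial mangling"
    return None


def acceptable(password: str, username: str = "") -> bool:
    """Single entry point a signup or password-change handler would call."""
    return (not password_policy_violations(password)
            and dictionary_weakness(password, username) is None)
```

The second check matters because "Password1!" satisfies every composition rule on the slide and is still among the first guesses any cracker tries; composition rules alone do not keep dictionary words out.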
    104. Slide 105: Virtual Private Networks • Create secure connections over the Internet for remote access. • VPNs actually decrease corporate security. While the pipe itself is secure (authenticated, encrypted), both ends of the pipe are wide open. • A home machine compromised with a backdoor rootkit allows a hacker to subvert the VPN connection, allowing full, undetectable access to the other side of the firewall.
    105. Slide 106: IDS Setup Locations
    106. Slide 107: • Network Hosts: Although network intrusion detection systems have traditionally been used as probes, they can also be placed on hosts. • Network perimeter: IDS is most effective on the network perimeter, such as on both sides of the firewall, near the dial-up server, and on links to partner networks. These links tend to be low-bandwidth (T1 speeds) such that an IDS can keep up with the traffic.
    107. Slide 108: • Servers are often placed on their own network, connected to switches. The problem these servers have, though, is that IDS systems cannot keep up with high-volume traffic. • Server Farms: For extremely important servers, you may be able to install dedicated IDS systems that monitor just the individual server's link. Also, application servers tend to have lower traffic than file servers, so they are better targets for IDS systems.
    108. Slide 109: Phase 3 Penetration
    109. Slide 110: Stack Based Overflow Attack • Overwrite the return pointer stored on the stack by overflowing the stack. When the return pointer is copied into the IP (instruction pointer), the CPU tries to fetch the instruction at the new address that was written over the return pointer by the overflow. • Example: Overflow the stack with a series of ‘A’s. When the value of the return pointer is copied into the IP, the CPU will fetch the instruction from the all-‘A’ address (address 41414141h).
    110. Slide 111: • It is important to overflow the buffer with meaningful information, i.e. machine language code containing the commands we want executed. • It is difficult to overwrite the return pointer so that it hits exactly the beginning of the code: – Place a bunch of NOPs or NOP equivalents (called a NOP sled) at the beginning of the code. – When overwriting the return pointer, one then only has to hit a range of values rather than a specific value.
    111. Slide 112: • Once the stack is smashed, there are many things an attacker can do. Most likely, the attacker will try to create a back door to the target system. • Creating a backdoor with Inetd: Add a line to the /etc/inetd.conf file, which will spawn a command shell each time anyone tries to connect to a port defined by the attacker. Run this line in the stack to get a command shell to open on a given port: /bin/sh –c “echo [port #] stream tcp nopwait root /bin/sh sh –I” >> /etc/inetd.conf; killall –HUP inetd
    112. Slide 113: • Creating a backdoor with TFTP and Netcat: Get the target to execute the TFTP client. Load the Netcat program onto the target system. Configure Netcat to push a command shell from the target machine to the attacker’s machine. • A good document on Stack Based Buffer Overflow Attacks: “Smashing the Stack for Fun and Profit” by Aleph One, available at: packetstormsecurity.org/docs/hack/smashstack.txt
    113. Slide 114: Password Attacks • Two kinds: Password Guessing and Password Cracking • Password Guessing: Attempt to guess the password for a particular user ID. This process is rarely successful, time consuming, and generates a lot of network traffic. Also, some accounts are locked out after a set number of unsuccessful guesses. Many password-guessing tools can be found at Packet Storm’s Site: packetstormsecurity.org
    114. Slide 115: • Password Cracking: Steal the file with the encrypted passwords and use a password cracking program to recover the original passwords. • Stealing the file: Win – use a Pwdump program ( packetstormsecurity.nl/Crackers/NT/), or sniff them from the network (more on sniffing later) UNIX – gain root-level access and steal the /etc/shadow or /etc/secure file if shadow passwords are used, otherwise steal the /etc/passwd file.
    115. Slide 116: • Password Cracking Software: • Windows: L0phtCrack (available: www.atstake.com/products/lc/ ). This tool includes other options, such as a sniffer and a pwdump program. • UNIX: John the Ripper (available: www.openwall.com/john/ )
    116. Slide 117: Web Application Attacks • Can still be conducted, even if the target site uses SSL. • Account Harvesting, Undermining Session-Tracking Mechanisms, SQL Piggybacking • Account Harvesting: Works for applications that have different error messages for an incorrect user ID and an incorrect password. By looking at the error messages, the attacker can determine valid user IDs, sometimes even passwords.
    117. Slide 118: • Here, although the web pages look identical for each type of error, notice that the URL has changed, giving hackers a hint about incorrect user IDs vs. incorrect passwords.
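The defect slides 117 and 118 describe, and its fix, as an added example (not code from the presentation): a login check in the leaky form, where the message and the early return tell an unknown user ID from a wrong password, next to a hardened form that returns one message and does the same hashing work on every failure path. The user store, password and PBKDF2 work factor are constructed for the example.

```python
# Added example (not from the slides): account-harvesting-prone login beside a
# hardened version. The user store and work factor are constructed for this example.
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: userid -> (salt, password hash)
_alice_salt = os.urandom(16)
USERS = {"alice": (_alice_salt, _hash("correct horse battery", _alice_salt))}

# Dummy credential used for unknown user IDs so the hash is always computed
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(userid: str, password: str):
    """Vulnerable: distinct messages (and an early return) reveal whether the ID exists."""
    if userid not in USERS:
        return False, "Unknown user ID"
    salt, expected = USERS[userid]
    if not hmac.compare_digest(_hash(password, salt), expected):
        return False, "Incorrect password"
    return True, "Login OK"


def login_hardened(userid: str, password: str):
    """Same message, same code path and same hashing cost whether or not the ID exists."""
    salt, expected = USERS.get(userid, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), expected) and userid in USERS
    return ok, ("Login OK" if ok else "Invalid user ID or password")
```

The same rule applies to everything else the client can observe: slide 118's changing URL, a different status code, or a noticeably faster response for unknown IDs all leak the same bit, so both failures should redirect to one URL with one status.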
    118. Slide 119: Undermining Web Application Session Tracking • Three ways Session IDs are implemented: URL session tracking, hidden form elements, and cookies. • The attacker will first log in to the site multiple times to see how the session IDs are generated. • To change a session ID in a URL, simply type a different user’s session ID (or a generated one) over the original user’s ID in the URL.
    119. Slide 120: • To change the session ID in a site with hidden form elements, view the source of the page, modify the ID number and reload it into the browser. • To edit the session ID in a site that uses cookies, use a program called Achilles (available: www.mavensecurity.com/achilles). Achilles is a web proxy that intercepts the per-session cookies and allows the attacker to modify them.
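What stops the session-ID substitution on slides 119 and 120 is a server-side session table keyed by an unguessable token, shown here as an added example (not code from the presentation): tokens come from the CSPRNG, only their hash is stored, they expire, and the cookie attributes keep them out of URLs and scripts. The idle timeout value is an assumption.

```python
# Added example (not from the slides): server-side session tracking with
# unguessable tokens. SESSION_TTL is an assumed value.
import hashlib
import secrets
import time

SESSION_TTL = 1800  # seconds of validity; assumption


class SessionStore:
    def __init__(self):
        self._sessions = {}  # sha256(token) -> (userid, expiry timestamp)

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash is stored, so a leaked table cannot be replayed as cookies
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, userid: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: cannot be enumerated
        self._sessions[self._key(token)] = (userid, now + SESSION_TTL)
        return token

    def lookup(self, token: str, now: float = None):
        """Return the user ID for a valid token, or None for unknown or expired tokens."""
        now = time.time() if now is None else now
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        userid, expires = entry
        if now > expires:
            del self._sessions[key]
            return None
        return userid

    def destroy(self, token: str) -> None:
        """Logout: forget the token server-side so a copied cookie stops working."""
        self._sessions.pop(self._key(token), None)


def set_cookie_header(token: str) -> str:
    """Cookie attributes: unreadable by page scripts, HTTPS only, not sent cross-site."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"
```

Editing the cookie in a proxy, as with Achilles, still works mechanically, but a modified token simply fails the lookup; the attack on the slides succeeds only when IDs are sequential or otherwise derivable from a sample of logins. Note that the slides' "URL session tracking" also leaks the token into logs and Referer headers, which is why the cookie form with these attributes is preferred.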
    120. Slide 121: SQL Piggybacking • Extending an application’s SQL statement to extract or update information that the attacker is not authorized to access. • Rainforest Puppy has a paper about SQL Piggybacking: “How I Hacked Packetstorm” (available: www.opennet.ru/base/cgi/22.txt.html ) • Begin by exploring how the Web application interacts with the database.
    121. Slide 122: • The attacker may extend the SQL query – Example • Use SELECT * FROM account WHERE (userid='10001' and number = '11111111111' or userid='10002') • instead of SELECT * FROM account WHERE (userid='10001' and number = '11111111111') to get information on 10002
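The query extension on slide 122, reproduced against an in-memory SQLite table as an added example (not code from the presentation or from the paper it cites): the concatenated query accepts the `or userid='10002'` extension through the number field, while the same lookup with bound parameters treats the whole input as one string and returns nothing. The table, rows and balances are constructed.

```python
# Added example (not from the slides): the slide's SQL piggybacking against a
# string-built query versus a parameterized one. Data is constructed; sqlite3 stands
# in for whatever database the Web application used.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (userid TEXT, number TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO account VALUES (?, ?, ?)", [
        ("10001", "11111111111", 500),
        ("10002", "22222222222", 9000),
    ])
    return conn


def lookup_vulnerable(conn, userid: str, number: str):
    """Builds the WHERE clause by concatenation, the shape shown on the slide."""
    sql = ("SELECT userid, balance FROM account "
           f"WHERE (userid='{userid}' and number = '{number}') ORDER BY userid")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, userid: str, number: str):
    """Same query with bound parameters: input can never change the statement's structure."""
    sql = ("SELECT userid, balance FROM account "
           "WHERE (userid=? and number = ?) ORDER BY userid")
    return conn.execute(sql, (userid, number)).fetchall()


# The slide's extension, supplied through the account-number field; user 10001
# knows their own number and appends the clause that pulls in 10002.
PIGGYBACK = "11111111111' or userid='10002"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", lookup_vulnerable(db, "10001", PIGGYBACK))
    print("parameterized: ", lookup_parameterized(db, "10001", PIGGYBACK))
```

Escaping quotes in the input is the weaker fix: it has to be right for every database dialect and every data type, whereas a bound parameter is never parsed as SQL at all.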
    122. Slide 123: Sniffing • Sniffer: Gathers packets from the local network and allows the user to view the data being transmitted. • Two ways of sniffing: Passive (network built with a hub) and Active (network built with a switch)
    123. Slide 124: Passive Sniffing • Passively listens and collects packets. • Snort (available: www.snort.org ) – A good passive sniffer that can be used as an IDS. Can sift through the network and look for attack signatures. • Sniffit (available: reptile.rug.ac.be/~coder/sniffit/sniffit.html) – has an interactive mode that shows all active sessions and allows the attacker to see all keystrokes of the victim.
    124. Slide 125: • Dsniff – one of the more versatile sniffing tools. It is several programs in one, but is most known as a sniffer. It can interpret a number of different protocols, like FTP, HTTP, AIM, ICQ, Napster, Microsoft SQL, etc. Available: www.monkey.org/~dugsong/dsniff
    125. Slide 126: Active Sniffing • Need to fool the switch into sending the packets to the system with the sniffer • Different methods: MAC Flooding and Spoofing ARP Messages • MAC Flooding: Send a flood of traffic with random MAC addresses until the switch’s memory is full. Some switches will then forward packets to all links on the switch (done with the Dsniff program Macof).
    126. Slide 127: Spoofing ARP Messages: • Arpspoof, a Dsniff feature, allows attackers to change the ARP traffic on local networks. – Attacker configures his or her system to forward any traffic it receives to the router. – Arpspoof program is activated, which sends fake ARP replies – Fake ARP replies change the target’s ARP table. – Any traffic from the target machine is sent to the attacker’s machine before being transferred to the local network.
    127. Slide 128: Spoofing ARP Messages
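Both active-sniffing methods on slides 126 and 127 leave a signature a monitor on the segment can see: macof produces a burst of never-before-seen source MACs, and arpspoof makes an IP's announced MAC change. Detection logic for both, run over constructed, simplified log lines (not real capture output), as an added example that is not part of the presentation; the line format, time window and threshold are assumptions.

```python
# Added example (not from the slides): detecting MAC flooding and ARP spoofing from
# simplified, constructed log lines of two kinds:
#   "<ts> arp reply <ip> is-at <mac>"  -- an ARP reply seen on the segment
#   "<ts> frame src=<mac>"             -- the source MAC of any frame seen
# Window size and threshold are assumptions.
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ARP_REPLY = re.compile(rf"^(?P<ts>\d+\.\d+) arp reply (?P<ip>[\d.]+) is-at (?P<mac>{MAC})$")
FRAME = re.compile(rf"^(?P<ts>\d+\.\d+) frame src=(?P<mac>{MAC})$")


def detect_arp_spoofing(lines, known=None):
    """Alert when an IP's announced MAC changes, or differs from a known static binding
    (e.g. the gateway's real MAC, supplied in `known`)."""
    bindings = dict(known or {})
    alerts = []
    for line in lines:
        m = ARP_REPLY.match(line)
        if not m:
            continue
        ip, mac = m["ip"], m["mac"]
        if ip in bindings and bindings[ip] != mac:
            alerts.append(f"{m['ts']}: {ip} moved from {bindings[ip]} to {mac}")
        bindings[ip] = mac
    return alerts


def detect_mac_flooding(lines, window=1.0, threshold=50):
    """Alert when more than `threshold` distinct source MACs appear within one window."""
    seen = defaultdict(set)
    for line in lines:
        m = FRAME.match(line)
        if m:
            seen[int(float(m["ts"]) // window)].add(m["mac"])
    return [f"window {w}: {len(macs)} distinct source MACs"
            for w, macs in sorted(seen.items()) if len(macs) > threshold]


# Constructed sample: gateway 10.0.0.1 is announced twice from aa:..:01, then once
# from a different MAC; later, 60 distinct source MACs appear within one second.
SAMPLE_LINES = [
    "1.000 arp reply 10.0.0.1 is-at aa:aa:aa:aa:aa:01",
    "2.000 arp reply 10.0.0.1 is-at aa:aa:aa:aa:aa:01",
    "2.500 arp reply 10.0.0.2 is-at aa:aa:aa:aa:aa:02",
    "3.000 arp reply 10.0.0.1 is-at bb:bb:bb:bb:bb:99",
] + [
    f"{5 + i * 0.01:.3f} frame src=02:00:00:00:{i // 256:02x}:{i % 256:02x}"
    for i in range(60)
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_LINES) + detect_mac_flooding(SAMPLE_LINES):
        print("ALERT:", alert)
```

Seeding `known` with the gateway's real MAC turns the first spoofed reply into an alert immediately, instead of after a change is observed; this is the same idea as a static ARP entry on the host, which prevents the poisoning rather than merely reporting it.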
    128. Slide 129: Other Methods of Redirecting Traffic • Spoofing DNS: – DNSspoof, a Dsniff feature, allows attackers to send the target machine false DNS information, making the victim access the attacker’s machine when they intend to access a different system. • The attacker starts the dnsspoof program and waits for the target to send a DNS query for a specific host. • Once the query is received, the attacker then sends a false DNS response. • When the target tries to access the intended host, the system is now accessing the attacker’s machine.
    129. Slide 130: Spoofing DNS
    130. Slide 131: • Sniffing HTTPS: – The attacker runs the webmitm feature of Dsniff together with DNS spoofing. – All HTTP and HTTPS traffic is proxied by webmitm. – The target connects to the attacker’s machine and an SSL connection is established. – The attacker’s system establishes an SSL connection with the server the target is attempting to access. – Webmitm acts as a proxy with two connections: • from the target’s system to the attacker’s machine; • from the attacker’s machine to the actual server the target was trying to reach. – Note: the target receives the attacker’s certificate, not the certificate of the server the target is trying to reach.
    131. Slide 132: Sniffing HTTPS
    132. Slide 133: • The user will receive a warning that the certificate is not signed by a trusted Certificate Authority. Webmitm will then display the contents of the SSL session on the attacker’s screen. • Sniffing SSH: This is done in a similar manner to sniffing HTTPS, except that sshmitm (another Dsniff feature) is used instead of webmitm. Note: sshmitm only allows sniffing of SSH protocol version 1.
    133. Slide 134: Is your machine running a sniffer? • Detecting the process that does the sniffing is difficult, because the name of that process can be disguised as something innocent. • The only way to detect the sniffer is to check whether the network interface is in promiscuous mode. If the network interface is in promiscuous mode, it listens for all packets on the network and not only for packets destined for that machine. • To check this, run ifconfig -a. This lists the available network interfaces and shows all the information about them. The word PROMISC means that the interface is in promiscuous mode.
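The ifconfig -a check on slide 134, automated as an added example (not code from the presentation): it parses the PROMISC flag out of classic ifconfig output and out of the newer `ip link` output, and can run `ip -o link` on the local Linux host. The sample outputs are constructed, not captured from a real machine.

```python
# Added example (not from the slides): finding interfaces in promiscuous mode from
# ifconfig -a or ip link output. Both sample outputs below are constructed.
import re
import subprocess
from typing import List, Optional

IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:0c:29:3a:1b:2c
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""


def promisc_from_ifconfig(text: str) -> List[str]:
    """Classic ifconfig layout: an unindented line names the interface, the indented
    lines that follow belong to it; PROMISC appears on the flags line."""
    promisc, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]
        if current and re.search(r"\bPROMISC\b", line):
            promisc.append(current)
    return promisc


def promisc_from_ip_link(text: str) -> List[str]:
    """ip link layout: 'N: name: <FLAG,FLAG,...> ...', one interface per line."""
    promisc = []
    for line in text.splitlines():
        m = re.match(r"^\d+: ([^:@]+)[^<]*<([^>]*)>", line)
        if m and "PROMISC" in m.group(2).split(","):
            promisc.append(m.group(1))
    return promisc


def check_live_host() -> Optional[List[str]]:
    """Run `ip -o link` on this (Linux) host; None if the tool is unavailable."""
    try:
        out = subprocess.run(["ip", "-o", "link"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return promisc_from_ip_link(out)


if __name__ == "__main__":
    print("sample ifconfig:", promisc_from_ifconfig(IFCONFIG_SAMPLE))
    print("sample ip link: ", promisc_from_ip_link(IP_LINK_SAMPLE))
    print("this host:      ", check_live_host())
```

The check is only as trustworthy as the tools it runs: a rootkit that replaces or hooks ifconfig and ip can hide the flag, which is why slide 136's approach of probing from another machine still has value.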
    134. Slide 135: How to avoid packet sniffers altogether • Active hubs only send packets to the intended machines. This can disable the sniffer since it will not receive packets not intended for that specific machine. Cisco, HP and 3Com have such active hubs.
    135. Slide 136: Detecting other sniffers on the network • Detecting sniffers on other machines is very difficult, but detecting whether a Linux machine is doing the sniffing is possible. • This can be done by exploiting a weakness in the TCP/IP stack implementation of Linux. • When Linux is in promiscuous mode, it will answer TCP/IP packets sent to its IP address even if the MAC address on that packet is wrong. • Therefore, sending TCP/IP packets to all the IP addresses on the subnet, where the MAC address contains wrong information, will tell you which machines are Linux machines in promiscuous mode.
    136. Slide 137: IP Address Spoofing • Used to disguise the IP address of a system. • Three ways an IP address can be spoofed: changing the IP address, undermining UNIX r-commands, and spoofing with source routing. • Changing the IP address: The attacker can either reconfigure the whole system to have a different IP address or use a tool (Nmap or Dsniff) to change the source address of outgoing packets. Limitation: the attacker cannot receive any responses.
    137. Slide 138: • Undermining UNIX r-Commands: – Attacker finds two computers with a trust relationship • Send a bunch of TCP SYN packets to target and see how the initial sequence numbers change • A DoS attack is sent to other system • Attacker initializes a connection with target system, using the IP address of the other system • Target system sends TCP SYN and ACK packets to other system, which is dead • Attacker estimates initial sequence number of other system and sends TCP ACK packet back – If initial sequence numbe