Ch03 Network and Computer Attacks

1,633 views

Published on

Network and Computer Attacks

Published in: Education, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,633
On SlideShare
0
From Embeds
0
Number of Embeds
211
Actions
Shares
0
Downloads
130
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Ch03 Network and Computer Attacks

  1. 1. Hands-On EthicalHands-On Ethical Hacking and NetworkHacking and Network DefenseDefense Chapter 3Chapter 3 Network and Computer AttacksNetwork and Computer Attacks
  2. 2. 2 ObjectivesObjectives Describe the different types of maliciousDescribe the different types of malicious softwaresoftware Describe methods of protecting againstDescribe methods of protecting against malware attacksmalware attacks Describe the types of network attacksDescribe the types of network attacks Identify physical security attacks andIdentify physical security attacks and vulnerabilitiesvulnerabilities
  3. 3. 3 Malicious Software (Malware)Malicious Software (Malware) Network attacks prevent a business fromNetwork attacks prevent a business from operatingoperating Malicious software (Malware) includesMalicious software (Malware) includes  VirusVirus  WormsWorms  Trojan horsesTrojan horses GoalsGoals  Destroy dataDestroy data  Corrupt dataCorrupt data  Shutdown a network or systemShutdown a network or system
  4. 4. 4 VirusesViruses Virus attaches itself to an executable fileVirus attaches itself to an executable file Can replicate itself through an executableCan replicate itself through an executable programprogram  Needs a host program to replicateNeeds a host program to replicate No foolproof method of preventing themNo foolproof method of preventing them
  5. 5. 5 Antivirus SoftwareAntivirus Software Detects and removes virusesDetects and removes viruses Detection based on virus signaturesDetection based on virus signatures Must update signature database periodicallyMust update signature database periodically Use automatic update featureUse automatic update feature
  6. 6. 6
  7. 7. 7 Base 64 EncodingBase 64 Encoding Used to evade anti-spam tools, and toUsed to evade anti-spam tools, and to obscure passwordsobscure passwords Encodes six bits at a time (0 – 64) with aEncodes six bits at a time (0 – 64) with a single ASCII charactersingle ASCII character  A - Z:A - Z: 0 – 250 – 25  a – z:a – z: 26 – 5126 – 51  1 – 9:1 – 9: 52 – 6152 – 61  + and -+ and - 62 and 6362 and 63 See links Ch 3a, 3bSee links Ch 3a, 3b
  8. 8. 8 Viruses (continued)Viruses (continued) Commercial base 64 decodersCommercial base 64 decoders ShellShell  Executable piece of programming codeExecutable piece of programming code  Should not appear in an e-mail attachmentShould not appear in an e-mail attachment
  9. 9. 9 Macro VirusesMacro Viruses Virus encoded as a macroVirus encoded as a macro MacroMacro  Lists of commandsLists of commands  Can be used in destructive waysCan be used in destructive ways Example: MelissaExample: Melissa  Appeared in 1999Appeared in 1999  It is very simple – see link Ch 3c for sourceIt is very simple – see link Ch 3c for source codecode
  10. 10. 10 Writing VirusesWriting Viruses Even nonprogrammersEven nonprogrammers can create macro virusescan create macro viruses  Instructions posted onInstructions posted on Web sitesWeb sites  Virus creation kits available forVirus creation kits available for download (see link Ch 3d)download (see link Ch 3d) Security professionals can learnSecurity professionals can learn from thinking like attackersfrom thinking like attackers  But don’t create and release a virus!But don’t create and release a virus! People get long prison terms for that.People get long prison terms for that.
  11. 11. 11 WormsWorms WormWorm  Replicates and propagates without a hostReplicates and propagates without a host Infamous examplesInfamous examples  Code RedCode Red  NimdaNimda Can infect every computer in the world inCan infect every computer in the world in a short timea short time  At least in theoryAt least in theory
  12. 12. 12 ATM Machine WormsATM Machine Worms  Cyberattacks against ATM machinesCyberattacks against ATM machines  Slammer and Nachi wormsSlammer and Nachi worms  Trend produces antivirus for ATM machinesTrend produces antivirus for ATM machines See links Ch 3g, 3h, 3iSee links Ch 3g, 3h, 3i  Nachi was written to clean up damage causedNachi was written to clean up damage caused by the Blaster worm, but it got out of controlby the Blaster worm, but it got out of control See link Ch 3jSee link Ch 3j  Diebold was criticized for using Windows forDiebold was criticized for using Windows for ATM machines, which they also use on votingATM machines, which they also use on voting machinesmachines
  13. 13. 13
  14. 14. 14
  15. 15. 15 Trojan ProgramsTrojan Programs Insidious attack against networksInsidious attack against networks Disguise themselves as useful programsDisguise themselves as useful programs  Hide malicious content in programHide malicious content in program BackdoorsBackdoors RootkitsRootkits  Allow attackers remote accessAllow attackers remote access
  16. 16. 16 FirewallsFirewalls Identify traffic on uncommon portsIdentify traffic on uncommon ports Can block this type of attack, if yourCan block this type of attack, if your firewall filters outgoing trafficfirewall filters outgoing traffic  Windows XP SP2’s firewall does not filterWindows XP SP2’s firewall does not filter outgoing trafficoutgoing traffic  Vista’s firewall doesn’t either (by default),Vista’s firewall doesn’t either (by default), according to link Ch 3l and 3maccording to link Ch 3l and 3m Trojan programs can use known ports toTrojan programs can use known ports to get through firewallsget through firewalls  HTTP (TCP 80) or DNS (UDP 53)HTTP (TCP 80) or DNS (UDP 53)
  17. 17. 17
  18. 18. 18 Trojan DemonstrationTrojan Demonstration Make a file withMake a file with command-line Windowscommand-line Windows commandscommands Save it asSave it as C:Documents and SettingsC:Documents and Settings usernameusernamecmd.batcmd.bat Start, Run, CMD will execute this fileStart, Run, CMD will execute this file instead ofinstead of C:WindowsSystem32Cmd.exeC:WindowsSystem32Cmd.exe
  19. 19. 19 Improved TrojanImproved Trojan Resets the administrator passwordResets the administrator password Almost invisible to userAlmost invisible to user Works in Win XP, but not so easy in VistaWorks in Win XP, but not so easy in Vista
  20. 20. 20 SpywareSpyware Sends information from the infected computer toSends information from the infected computer to the attackerthe attacker  Confidential financial dataConfidential financial data  PasswordsPasswords  PINsPINs  Any other stored dataAny other stored data Can register each keystroke entered (keylogger)Can register each keystroke entered (keylogger) Prevalent technologyPrevalent technology Educate users about spywareEducate users about spyware
  21. 21. 21 Deceptive Dialog BoxDeceptive Dialog Box
  22. 22. 22 AdwareAdware Similar to spywareSimilar to spyware  Can be installed without the user being awareCan be installed without the user being aware Sometimes displays a bannerSometimes displays a banner Main goalMain goal  Determine user’s online purchasing habitsDetermine user’s online purchasing habits  Tailored advertisementTailored advertisement Main problemMain problem  Slows down computersSlows down computers
  23. 23. 23 Protecting Against MalwareProtecting Against Malware AttacksAttacks Difficult taskDifficult task New viruses, worms, Trojan programsNew viruses, worms, Trojan programs appear dailyappear daily Antivirus programs offer a lot of protectionAntivirus programs offer a lot of protection Educate your users about these types ofEducate your users about these types of attacksattacks
  24. 24. 24
  25. 25. 25
  26. 26. 26 Educating Your UsersEducating Your Users Structural trainingStructural training  Most effective measureMost effective measure  Includes all employees and managementIncludes all employees and management E-mail monthly security updatesE-mail monthly security updates  Simple but effective training methodSimple but effective training method Update virus signature databaseUpdate virus signature database automaticallyautomatically
  27. 27. 27 Educating Your UsersEducating Your Users SpyBot and Ad-AwareSpyBot and Ad-Aware  Help protect against spyware and adwareHelp protect against spyware and adware  Windows Defender is excellent tooWindows Defender is excellent too FirewallsFirewalls  Hardware (enterprise solution)Hardware (enterprise solution)  Software (personal solution)Software (personal solution)  Can be combinedCan be combined Intrusion Detection System (IDS)Intrusion Detection System (IDS)  Monitors your network 24/7Monitors your network 24/7
  28. 28. 28 FUDFUD Fear, Uncertainty and DoubtFear, Uncertainty and Doubt  Avoid scaring users into complying with securityAvoid scaring users into complying with security measuresmeasures  Sometimes used by unethical security testersSometimes used by unethical security testers  Against the OSSTMM’s Rules of EngagementAgainst the OSSTMM’s Rules of Engagement Promote awareness rather than instillingPromote awareness rather than instilling fearfear  Users should be aware of potential threatsUsers should be aware of potential threats  Build on users’ knowledgeBuild on users’ knowledge
  29. 29. 29 Intruder Attacks on NetworksIntruder Attacks on Networks and Computersand Computers AttackAttack  Any attempt by an unauthorized person to access orAny attempt by an unauthorized person to access or use network resourcesuse network resources Network securityNetwork security  Security of computers and other devices in a networkSecurity of computers and other devices in a network Computer securityComputer security  Securing a standalone computer--not part of a networkSecuring a standalone computer--not part of a network infrastructureinfrastructure Computer crimeComputer crime  Fastest growing type of crime worldwideFastest growing type of crime worldwide
  30. 30. 30 Denial-of-Service AttacksDenial-of-Service Attacks Denial-of-Service (DoS) attackDenial-of-Service (DoS) attack  Prevents legitimate users from accessingPrevents legitimate users from accessing network resourcesnetwork resources  Some forms do not involve computers, likeSome forms do not involve computers, like feeding a paper loop through a fax machinefeeding a paper loop through a fax machine DoS attacks do not attempt to accessDoS attacks do not attempt to access informationinformation  Cripple the networkCripple the network  Make it vulnerable to other type of attacksMake it vulnerable to other type of attacks
  31. 31. 31 Testing for DoS VulnerabilitiesTesting for DoS Vulnerabilities Performing an attack yourself is not wisePerforming an attack yourself is not wise  You only need to prove that an attack couldYou only need to prove that an attack could be carried outbe carried out
  32. 32. 32 Distributed Denial-of-ServiceDistributed Denial-of-Service AttacksAttacks Attack on a host from multiple servers orAttack on a host from multiple servers or workstationsworkstations Network could be flooded with billions ofNetwork could be flooded with billions of requestsrequests  Loss of bandwidthLoss of bandwidth  Degradation or loss of speedDegradation or loss of speed Often participants are not aware they areOften participants are not aware they are part of the attackpart of the attack  Attacking computers could be controlled usingAttacking computers could be controlled using Trojan programsTrojan programs
  33. 33. 33 Buffer Overflow AttacksBuffer Overflow Attacks Vulnerability in poorly written codeVulnerability in poorly written code  Code does not check predefined size of inputCode does not check predefined size of input fieldfield GoalGoal  Fill overflow buffer with executable codeFill overflow buffer with executable code  OS executes this codeOS executes this code  Can elevate attacker’s permission toCan elevate attacker’s permission to Administrator or even KernelAdministrator or even Kernel Programmers need special training toProgrammers need special training to write secure codewrite secure code
  34. 34. 34
  35. 35. 35
  36. 36. 36 Ping of Death AttacksPing of Death Attacks Type of DoS attackType of DoS attack Not as common as during the late 1990sNot as common as during the late 1990s How it worksHow it works  Attacker creates a large ICMP packetAttacker creates a large ICMP packet More than 65,535 bytesMore than 65,535 bytes  Large packet is fragmented at source networkLarge packet is fragmented at source network  Destination network reassembles large packetDestination network reassembles large packet  Destination point cannot handle oversize packet andDestination point cannot handle oversize packet and crashescrashes  Modern systems are protected from this (Link Ch 3n)Modern systems are protected from this (Link Ch 3n)
  37. 37. 37 Session HijackingSession Hijacking Enables attacker to join a TCP sessionEnables attacker to join a TCP session Attacker makes both parties think he orAttacker makes both parties think he or she is the other partyshe is the other party
  38. 38. 38 Addressing Physical SecurityAddressing Physical Security Protecting a network also requiresProtecting a network also requires physical securityphysical security Inside attacks are more likely than attacksInside attacks are more likely than attacks from outside the companyfrom outside the company
  39. 39. 39 KeyloggersKeyloggers Used to capture keystrokes on a computerUsed to capture keystrokes on a computer  HardwareHardware  SoftwareSoftware SoftwareSoftware  Behaves like Trojan programsBehaves like Trojan programs HardwareHardware  Easy to installEasy to install  Goes between the keyboard and the CPUGoes between the keyboard and the CPU  KeyKatcher and KeyGhostKeyKatcher and KeyGhost
  40. 40. 40
  41. 41. 41
  42. 42. 42 Keyloggers (continued)Keyloggers (continued) ProtectionProtection  Software-basedSoftware-based AntivirusAntivirus  Hardware-basedHardware-based Random visual testsRandom visual tests Look for added hardwareLook for added hardware Superglue keyboard connectors inSuperglue keyboard connectors in
  43. 43. 43 Behind Locked DoorsBehind Locked Doors Lock up your serversLock up your servers  Physical access means they can hack inPhysical access means they can hack in  Consider Ophcrack – booting to a CD-basedConsider Ophcrack – booting to a CD-based OS will bypass almost any securityOS will bypass almost any security
  44. 44. 44 LockpickingLockpicking Average person can pick deadbolt locks inAverage person can pick deadbolt locks in less than five minutesless than five minutes  After only a week or two of practiceAfter only a week or two of practice Experienced hackers can pick deadboltExperienced hackers can pick deadbolt locks in under 30 secondslocks in under 30 seconds Bump keys are even easier (Link Ch 3o)Bump keys are even easier (Link Ch 3o)
  45. 45. 45 Card Reader LocksCard Reader Locks Keep a log of whoKeep a log of who enters and leaves theenters and leaves the roomroom Security cards can beSecurity cards can be used instead of keysused instead of keys for better securityfor better security  Image from link Ch 3pImage from link Ch 3p

×