  1. DILLA UNIVERSITY COLLEGE OF ENGINEERING & TECHNOLOGY, School of Computing & Informatics, M.Sc in Computer Science & Networking. Course Number CN6122, Course Title Advanced Network Security, Chapter-05. Dr. Ananda Kumar K S, M.Tech, Ph.D, Associate Professor, School of Comp & Info. Email:
  2. Advanced Network Security CHAPTER-05: 1. Ethical hacking 2. Denial of Service Attacks (DoS) 3. Distributed Denial-of-Service (DDoS) 4. Buffer-overflow attack
  3. 1. HACKING Hacking has been part of computing for almost five decades and is a very broad discipline covering a wide range of topics. The first known instance of hacking took place in 1960 at MIT, and the term "hacker" originated at the same time. Hacking is the act of finding the possible entry points that exist in a computer system or network and then entering through them.
  4. Cont..  Hacking is usually done to gain unauthorized access to a computer system or network, either to harm the systems or to steal sensitive information stored on them.  Hacking is legal only when the owner of the system has explicitly authorized it, in writing and with an agreed scope, for the purpose of finding weaknesses for testing. This sort of authorized hacking is what we call ethical hacking; the same techniques without authorization are a crime regardless of intent.  A computer expert who performs hacking is called a "hacker".  Hackers are those who seek knowledge, who want to understand how systems operate and how they are designed, and who then attempt to play with these systems.
  5. Ethical Vs Unethical
  7. Phases of hacking  Both the auditor and the cracker follow a logical sequence of steps when conducting an attack. These grouped steps are called phases.  There is general consensus among organizations and information security professionals that there are 5 phases, in the following order:  Cracker's phases: 1-> Reconnaissance 2-> Scanning 3-> Gaining Access 4-> Maintaining Access 5-> Erasing Clues. Ethical hacking phases: 1-> Reconnaissance 2-> Scanning 3-> Gaining Access 4-> Writing the Report 5-> Presenting the Report
  10. Reconnaissance o This is the first step of hacking. It is also called the footprinting or information-gathering phase. o This is the preparatory phase, where we collect as much information as possible about the target. o We usually collect information about three groups: the network, the hosts, and the people involved. There are two types of footprinting: Active: directly interacting with the target to gather information about it, e.g. using Nmap to scan the target. Because active footprinting sends traffic to the target, it can be logged and detected, so an auditor does it only within the agreed scope. Passive: collecting information about the target without directly accessing it, e.g. from social media, public websites, DNS and WHOIS records, and search engines.
  11. Scanning Three types of scanning are involved: Port scanning: scanning the target for information such as live systems, open ports, and the services running on each host. Vulnerability scanning: checking the target for weaknesses or vulnerabilities that can be exploited, usually with automated tools; automated findings must be verified by hand, since scanners report false positives. Network mapping: finding the topology of the network (routers, firewalls, servers if any) and host information, and drawing a network diagram from the available information. This map serves as a valuable piece of information throughout the hacking process.
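The port-scanning step above, as an added example that is not part of the original slides: a minimal TCP connect scanner in C. To run offline it probes a constructed target, a listener the program itself starts on 127.0.0.1 at a kernel-chosen port; the loopback address, the port range and the one-second timeout are assumptions for the demonstration. A connect scan completes the full three-way handshake, so unlike a half-open SYN scan it appears in the target's connection logs, which is exactly the trace an auditor should expect active scanning to leave.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Constructed target for the demonstration: a TCP listener on 127.0.0.1 at
 * a port chosen by the kernel. Returns the listening fd and stores the port
 * in *port_out, or returns -1 on failure. */
int start_listener(uint16_t *port_out) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                      /* 0 = let the kernel pick one */
    socklen_t len = sizeof addr;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(fd, 8) < 0 ||
        getsockname(fd, (struct sockaddr *)&addr, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(addr.sin_port);
    return fd;
}

/* TCP connect() probe of a single port. It completes the full three-way
 * handshake, so the target sees a real connection it can log: this is what
 * Nmap's -sT scan does. Returns 1 if the port accepted the connection and
 * 0 if it was refused or the timeout expired (closed or filtered). */
int tcp_connect_probe(const char *ip, uint16_t port, int timeout_sec) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return 0;
    struct timeval tv = { timeout_sec, 0 };
    /* SO_SNDTIMEO bounds how long connect() may block (Linux) */
    setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &addr.sin_addr) != 1) {
        close(fd);
        return 0;
    }
    int accepted = connect(fd, (struct sockaddr *)&addr, sizeof addr) == 0;
    close(fd);                              /* drop the connection at once */
    return accepted;
}

/* Probe every port in [lo, hi] and record the open ones in out (at most
 * max_out entries). Returns the total number of open ports found. */
int scan_range(const char *ip, uint16_t lo, uint16_t hi,
               uint16_t *out, int max_out) {
    int found = 0;
    for (uint32_t p = lo; p <= hi; p++) {
        if (tcp_connect_probe(ip, (uint16_t)p, 1)) {
            if (found < max_out) out[found] = (uint16_t)p;
            found++;
        }
    }
    return found;
}

int main(void) {
    uint16_t target_port;
    int lfd = start_listener(&target_port);
    if (lfd < 0) { perror("listener"); return 1; }
    uint16_t open_ports[8];
    int n = scan_range("127.0.0.1", target_port, target_port, open_ports, 8);
    printf("%d open port(s) found\n", n);
    for (int i = 0; i < n && i < 8; i++)
        printf("  %u/tcp open\n", (unsigned)open_ports[i]);
    close(lfd);
    return 0;
}
```

A refused connection (RST) and a timeout are reported the same way here; a real scanner distinguishes "closed" from "filtered" by looking at which of the two happened, and adds service fingerprinting on the ports it finds open.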
  12. Gaining Access This phase is where the attacker breaks into the system or network using various tools or methods. After entering a system, the attacker usually has to escalate privileges to administrator (root) level in order to install the applications needed, modify data, or hide data.
  13. Maintaining Access o A hacker may just hack the system to show that it was vulnerable, or may be so mischievous as to maintain a persistent connection in the background without the knowledge of the user. o This can be done using Trojans, rootkits or other malicious files. o The aim is to maintain access to the target until the planned tasks on that target are finished.
  14. Erasing Clues or Clearing Tracks o No thief wants to get caught. An intelligent hacker clears all evidence so that later no one will find any traces leading back to him. o This involves modifying, corrupting or deleting log entries, modifying registry values (on Windows), uninstalling all applications he used, and deleting all folders he created.
  15. Cont..  Usually these phases are represented as a cycle, commonly called "the circle of hacking" (see Figure 1), to emphasize that the cracker can repeat the process over and over again.  Information security auditors who perform ethical hacking services implement the phases with a slight variation:  1-> Reconnaissance 2-> Scanning 3-> Gaining Access 4-> Writing the Report 5-> Presenting the Report. In this way, ethical hackers stop at Phase 3 of the "circle of hacking" and report their findings and recommendations to the client.
  16. TYPES OF HACKING  When we execute an ethical hacking engagement it is necessary to establish its scope, in order to develop a realistic schedule of work and to deliver the economic proposal to the client.  To determine the project extent we need to know at least three basic elements: the type of hacking that we will conduct, the modality, and the additional services the customer would like to include with the contracted service.  Depending on where the penetration testing is executed from, an ethical hacking can be external or internal.
  17. Cont.. External pentesting  This type of hacking is done from the Internet against the client's public network infrastructure, that is, against the organization's computers that are exposed to the Internet because they provide a public service.  Examples of public hosts: router, firewall, web server, mail server, name server, etc. Internal pentesting  As the name suggests, this type of hacking is executed from the customer's internal network, from the point of view of a company employee, consultant, or business associate who has access to the corporate network.
  18. Cont.. Internal pentesting matters because studies show that the majority of successful attacks come from inside the company. To cite an example, in a computer security survey of a group of businessmen in the UK, when they were asked "who are the attackers", these figures were obtained: 25% external, 75% internal.
  19. HACKING MODALITIES  Depending on the information that the customer provides to the consultant, an ethical hacking service can be executed in one of three modes: o black-box o gray-box o white-box  The mode chosen affects the cost and duration of the penetration testing audit, since the less information the auditor receives, the more time must be invested in research.
  20. Black box hacking  In this framework the black-box mode applies to external testing only.  It is called so because the client gives the consultant only the name of the company, so the auditor starts with no information: the infrastructure of the organization is a "black box".  While this type of audit is considered more realistic, since an external attacker who picks a victim has nothing to start from but the name of the organization to be attacked, it also requires a greater investment of time, and therefore the cost incurred is higher too.
  21. Gray box hacking This term is often used as a synonym for internal pentesting. Nevertheless, some auditors also call gray-box hacking an external test in which the client provides limited information on the public computers to be audited, for example a list of IP addresses and the type/function of each piece of equipment (router, web server, firewall, etc.).
  22. White box hacking White-box hacking is also called transparent hacking. In this framework the white-box mode applies only to internal pentesting, and is called this way because the client gives the auditor complete information about its networks and systems.  This means that, besides providing a connection to the network and configuration information for the NIC, the consultant receives extensive information such as network diagrams, a detailed equipment list including names, types, platforms, main services and IP addresses, information on remote subnets, etc.  Because the consultant does not have to discover this information, this kind of hacking usually takes less time to execute and therefore also costs less.
  23. Additional hacking services There are additional services that can be included with an ethical hacking engagement; among the popular ones are: • Social engineering • Wardialing • Wardriving • Stolen equipment simulation • Physical security
  24. Social engineering  Social engineering is the act of gathering information by manipulating people: the hacker acquires confidential data by exploiting the well-known fact that the weakest link in the information security chain is the human component.  Examples of social engineering: sending fake emails with malicious attachments, calling the customer's personnel while pretending to be a technician from the ISP, visiting company premises while pretending to be a customer in order to plant a keystroke logger (keylogger), etc.
  25. Wardialing  Wardialing or war dialing is a technique for automatically dialing a list of telephone numbers, usually every number in a local area code, to search for modems, computers, bulletin board systems and fax machines.  War dialing is a brute-force method of finding a back door into an organization's network. It is particularly effective against a perimeter defense, because a modem answering on a phone line sits behind the firewall and bypasses it entirely.  Most organizations have telephone numbers within a specified range that begin with the same prefix, which narrows the search.
  27. Wardriving  The term wardriving is derived from its predecessor wardialing, but applies to wireless networks.  The hacker conducts the wireless attack from the vicinity of the client/victim company, usually from a parked car with a laptop and a signal-boosting antenna.  Wardriving is the act of searching for Wi-Fi wireless networks, usually from a moving vehicle, using a laptop or smartphone. Software for wardriving is freely available on the Internet.  Warbiking, warcycling, warwalking and similar terms describe the same approach with other modes of transportation.
  28. Stolen equipment simulation  Here the objective is to verify whether the organization has taken steps to safeguard the confidential information held on mobile devices that belong to key executives.  The auditor simulates the theft of a device and uses tools (hardware and software) and his expertise with the intention of extracting sensitive information.  Because of the sensitivity of the operation, we should always recommend that the customer back up the devices before the audit.
  29. Physical security audit  Although many experts consider physical security a subject independent from ethical hacking, specialized companies can integrate it as part of the service.  This type of audit involves difficulties and risks that you must be aware of, in order to avoid situations that endanger those involved.
  30. Simple steps that individuals can take to be more secure: – Keep your software up to date – Install antivirus software – Use public networks carefully – Back up your data – Secure your accounts with two-factor authentication – Make your passwords long, unique, and strong – Be suspicious of strange links and attachments
  31. Steps to secure your computer • Keep up with system and software security updates. • Enable a firewall. • Adjust your browser settings. • Install antivirus and anti-spyware software. • Password-protect your software and lock your device. • Encrypt your data. • Use a VPN.
  32. Tools for Information Security • Authentication • Access Control • Encryption • Passwords • Backup • Firewalls • Virtual Private Networks (VPN) • Physical Security • Security Policies
  33. 2. Denial of Service Attacks • Denial of Service attack: an attack on a computer or network that prevents legitimate use of its resources. • In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. • DoS attacks affect: – Software systems – Network routers, equipment and servers – Servers and end-user PCs
  34. Classification of DoS Attacks (attack class: affected area; examples; description)
  • Network Level Device: affects routers, IP switches, firewalls. Examples: Ascend Kill II, "Christmas Tree" packets. The attack exhausts the device's hardware resources with many duplicate packets, or triggers a software bug in the device.
  • OS Level: affects equipment vendor OSes and end-user equipment. Examples: Ping of Death, ICMP Echo attacks, Teardrop. The attack takes advantage of the way operating systems implement protocols (e.g. reassembly of oversized or overlapping IP fragments).
  • Application Level Attacks: affects individual services and the host running them. Examples: Finger Bomb (a request with repeated @ characters causes the finger daemon to consume excessive CPU and RAM), Windows NT RealServer G2 6.0. The attack exhausts resources by abusing the application itself.
  • Data Flood (Amplification, Oscillation, Simple Flooding): affects a host computer or a network. Examples: Smurf attack (amplification), UDP Echo (oscillation). Massive quantities of data are sent to the target with the intention of using up its bandwidth or processing resources.
  • Protocol Feature Attacks: affects servers, client PCs, DNS servers. Example: SYN flood (connection depletion). The attack abuses features of the protocol design rather than an implementation bug; methods include IP address spoofing and corrupting a DNS server's cache.
  35. Countermeasures for DoS Attacks (attack class: countermeasure options; example; description)
  • Network Level Device: software patches, packet filtering. Example: ingress and egress filtering. Software upgrades fix known bugs, and packet filtering keeps attack traffic, including packets with spoofed source addresses, from entering or leaving a network.
  • OS Level: SYN cookies, dropping backlog connections, shortening the timeout. Example: SYN cookies. Shortening the backlog timeout and dropping half-open connections frees resources; SYN cookies avoid allocating backlog state for a half-open connection at all, so a SYN flood cannot exhaust it.
  • Application Level Attacks: intrusion detection system. Example: GuardDog and other vendors. Software used to detect illicit activity.
  • Data Flood (Amplification, Oscillation, Simple Flooding): replication and load balancing. Example: Akamai / Digital Island content distribution. Spreading the content under attack over many servers makes it harder for attackers to identify which services to attack and to take all of them down.
  • Protocol Feature Attacks: extend the protocols to support security. Examples: the IETF ICMP traceback (itrace) proposal, DNSSEC. Traceback identifies the true source of packets by means other than the (spoofable) source IP address; DNSSEC provides origin authentication and integrity for DNS data, which defeats cache poisoning.
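The SYN cookie countermeasure listed above, as an added example that is not part of the original slides and not the Linux implementation: the server encodes everything it needs to know about a half-open connection into the initial sequence number of its SYN+ACK, keeps no backlog entry, and reconstructs and verifies that state only when the final ACK arrives. The layout (8-bit time counter in the top byte, 24-bit keyed hash of the 4-tuple below it), the secret constant, the toy mixing function and the sample addresses are all assumptions for the demonstration; a real stack keys the hash with SipHash or similar from kernel randomness and ticks the counter on a timer (roughly once a minute in Linux).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* The connection 4-tuple carried in every TCP segment. */
struct four_tuple {
    uint32_t saddr, daddr;   /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
};

/* Server-side secret, assumed for the example; a real stack draws it from
 * the kernel RNG and rotates it. */
static const uint32_t SYN_SECRET = 0x5eed1234u;

/* Keyed mixing of the tuple, the secret and the time counter into 32 bits.
 * Toy mixer for illustration only (not collision resistant); Linux uses
 * SipHash here. */
static uint32_t keyed_hash(const struct four_tuple *t, uint32_t count) {
    uint32_t words[5] = { t->saddr, t->daddr,
                          ((uint32_t)t->sport << 16) | t->dport,
                          count, SYN_SECRET };
    uint32_t h = 0x811c9dc5u;
    for (int i = 0; i < 5; i++) {
        h ^= words[i];
        h *= 0x01000193u;
        h ^= h >> 15;
        h *= 0x2c1b3c6du;
        h ^= h >> 12;
    }
    return h;
}

/* Build the server ISN for the SYN+ACK without allocating backlog state.
 * Relative to the client's ISN: top 8 bits = time counter, low 24 bits =
 * keyed hash of the tuple and that counter. */
uint32_t syn_cookie_make(const struct four_tuple *t, uint32_t client_isn,
                         uint32_t count) {
    count &= 0xffu;                               /* only 8 bits fit */
    uint32_t h24 = keyed_hash(t, count) & 0x00ffffffu;
    return client_isn + (count << 24) + h24;
}

/* Validate the final ACK of the handshake. ack_seq acknowledges ISN+1 and
 * client_isn is the ACK's own sequence number minus one, so both come from
 * the packet itself. Returns 1 if the cookie is genuine and no older than
 * max_age counter ticks, else 0. */
int syn_cookie_check(const struct four_tuple *t, uint32_t client_isn,
                     uint32_t ack_seq, uint32_t now_count, uint32_t max_age) {
    uint32_t cookie = ack_seq - 1;
    uint32_t diff = cookie - client_isn;          /* (count << 24) + h24 */
    uint32_t count = diff >> 24;
    uint32_t age = (now_count - count) & 0xffu;   /* counter wraps at 256 */
    if (age > max_age) return 0;                  /* stale or replayed ACK */
    return (diff & 0x00ffffffu) == (keyed_hash(t, count) & 0x00ffffffu);
}

int main(void) {
    /* constructed sample: 192.168.0.1:40000 -> 192.168.0.2:80 */
    struct four_tuple t = { 0xc0a80001u, 0xc0a80002u, 40000, 80 };
    uint32_t client_isn = 0x12345678u;
    uint32_t isn = syn_cookie_make(&t, client_isn, 17);
    printf("SYN+ACK ISN : %08" PRIx32 "\n", isn);
    printf("genuine ACK : %d\n", syn_cookie_check(&t, client_isn, isn + 1, 18, 4));
    struct four_tuple spoofed = t;
    spoofed.saddr ^= 1u;                          /* ACK from another source */
    printf("spoofed src : %d\n", syn_cookie_check(&spoofed, client_isn, isn + 1, 18, 4));
    printf("stale ACK   : %d\n", syn_cookie_check(&t, client_isn, isn + 1, 30, 4));
    return 0;
}
```

Because nothing is stored between SYN and ACK, a flood of spoofed SYNs costs the server only the SYN+ACK replies, while a genuine client's ACK still completes the handshake. The price is that TCP options negotiated in the SYN (MSS, window scaling, SACK) are not remembered either; Linux squeezes an MSS table index into the cookie and enables cookies only once the backlog is actually full, and this toy encodes no options at all.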
  36. 3. Distributed Denial-of-Service (DDoS)  A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.  DDoS attacks achieve their effect by using many compromised computer systems as sources of attack traffic, which also makes the sources hard to filter or trace.  Exploited machines can include computers and other networked resources such as IoT devices. At a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.
  37. DDoS Architecture (figure): the attacker's client machines send commands to a small number of handlers, and each handler controls many agents (compromised hosts) that generate the attack traffic against the victim.
  38. Widely used DDoS programs • Trinoo • Tribe Flood Network (TFN) • TFN2K • Stacheldraht ("barbed wire")
  39. 4. What is a Buffer Overflow o A buffer is a temporary area for data storage. When a program or system process places more data in a buffer than was originally allocated for it, the extra data overflows. o That data spills into adjacent memory, which may hold other buffers, variables or control data, and corrupts or overwrites whatever was stored there.
  40. Cont.. • A buffer overflow, or buffer overrun, is an anomalous condition in which a process attempts to store data beyond the boundaries of a fixed-length buffer. • The result is that the extra data overwrites adjacent memory locations. • The overwritten data may include other buffers, variables and program flow data (such as a saved return address), and may result in erratic program behavior, a memory access exception, program termination (a crash), incorrect results or, especially if deliberately caused by a malicious user, a breach of system security. • Most common in C/C++ programs, whose standard array and string operations do not check bounds.
  41. Buffer-overflow attack o In a buffer-overflow attack, the extra data is crafted by the attacker: it can contain machine instructions and the addresses needed to redirect execution to them, so that the program ends up damaging files, changing data or disclosing private information. o The attacker typically uses a buffer-overflow exploit against a program that is waiting on user input, or that parses input received over the network, without checking its length.
  42. Types of buffer overflows There are two types of buffer overflows: stack-based and heap-based. o Heap-based overflows, which are harder to exploit and the less common of the two, overrun a buffer allocated dynamically (for example with malloc) and corrupt neighboring heap objects or the allocator's own metadata. o Stack-based buffer overflows, which are more common among attackers, overrun a fixed-size local variable on the stack; since the stack also holds the saved return address of the current function, overwriting it lets the attacker redirect execution when the function returns.
  43. What is needed to understand buffer overflows • Understanding C functions and the stack. • Some familiarity with machine code. • Knowing how system calls are made. • The exec() system call. • The attacker needs to know which CPU and OS are running on the target machine. – Our examples are for x86 running Linux. – Details vary slightly between CPUs and OSes: • Stack growth direction. • Big endian vs. little endian.
  44. Buffer Overflow Example (figure)
  45. Some unsafe C library functions: strcpy(char *dest, const char *src), strcat(char *dest, const char *src), gets(char *s), scanf(const char *format, ...), sprintf(char *str, const char *format, ...). None of these takes the size of the destination buffer, so they write as much as the input supplies. gets() was removed from the C standard in C11; the others have bounded counterparts (strncpy/strlcpy, strncat, fgets, scanf with a field width, snprintf), and even those require the caller to pass the correct destination size.
  46. Preventing buffer overflow attacks • Use type-safe languages (Java) • Use safe library functions • Static source code analysis • Non-executable stack • Run-time checking (bounds checks, compiler-inserted stack canaries) • Address space layout randomization • Detecting deviations from normal program behavior • Access control
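The unsafe library functions on slide 45 and the "use safe library functions" item on slide 46, as one added example that is not part of the original slides: a vulnerable strcpy-based routine next to its hardened replacement, plus a bounded line reader that stands in for gets(). The 16-byte buffer size, the function names and the sample inputs are assumptions for the demonstration. The vulnerable function is shown for contrast and is never called with oversized input here, because on x86/Linux that overwrites whatever the compiler placed after the buffer on the stack, up to and including the saved return address.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Vulnerable: strcpy copies until it finds a NUL, so any input of 16 or
 * more characters writes past name[]. Whatever the compiler placed after
 * the array on the stack (other locals, saved registers, the return
 * address) is overwritten, which is how a crafted input becomes a
 * control-flow hijack. Kept here only as the "before" picture. */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);                  /* no bound: the classic bug */
    printf("hello, %s\n", name);
}

/* Hardened: measure the input without reading past the destination size,
 * refuse anything that does not fit with its terminator, copy with an
 * explicit bound and always NUL-terminate. Returns 0 on success, -1 if the
 * input is too long, so the caller rejects it instead of silently
 * truncating (truncation can itself change meaning, e.g. of a path). */
int copy_name_safe(char *dst, size_t dst_len, const char *input) {
    size_t n = 0;
    while (n < dst_len && input[n] != '\0') n++;   /* bounded scan */
    if (n >= dst_len) return -1;          /* no room for the terminator */
    memcpy(dst, input, n);
    dst[n] = '\0';
    return 0;
}

/* Reading a line without gets(): fgets takes a size and stops there.
 * Returns the line length (newline removed), or -1 at end of input or when
 * the line was longer than the buffer; the rest of an overlong line is
 * discarded so it cannot be misread as the next input. */
int read_line_safe(FILE *in, char *buf, size_t buf_len) {
    if (fgets(buf, (int)buf_len, in) == NULL) return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';
        return (int)n;
    }
    if (n == buf_len - 1) {               /* buffer filled: was there more? */
        int c = fgetc(in);
        if (c == EOF) return (int)n;      /* exact fit at end of input */
        while (c != EOF && c != '\n') c = fgetc(in);   /* drop the overflow */
        return -1;
    }
    return (int)n;                        /* short last line without newline */
}

int main(void) {
    char dst[NAME_LEN];
    char attack[64];
    memset(attack, 'A', sizeof attack - 1);   /* constructed oversized input */
    attack[sizeof attack - 1] = '\0';

    greet_unsafe("bob");                  /* fits; with `attack` it would smash the stack */
    printf("safe copy of \"alice\": %d\n", copy_name_safe(dst, sizeof dst, "alice"));
    printf("safe copy of 63 x 'A': %d (rejected)\n",
           copy_name_safe(dst, sizeof dst, attack));
    return 0;
}
```

The check `n >= dst_len` is the whole fix: the bug in strcpy(), strcat(), gets() and sprintf() is that the destination size never enters the call, so the only bound on the write is the length of the attacker's input.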