
Hacking Fundamentals - Jen Johnson , Miria Grunick


The fundamentals of Hacking - Jen Johnson , Miria Grunick

Published in: Business, Technology


  1. The Fundamentals of Hacking: An 0/3r/!3vv
     Jen Johnson, Miria Grunick
  2. Five Phases of an Attack
     • Phase 1: Reconnaissance
     • Phase 2: Scanning
     • Phase 3: Gaining Access
     • Phase 4: Maintaining Access
     • Phase 5: Covering Attacks and Hiding
  3. Phase 1: Reconnaissance
     • Takes place before the attack.
     • Investigate the target using publicly available information.
     • Types: low-technology reconnaissance, searching the Web, whois databases, using the DNS, and general-purpose tools.
  4. Low-Technology Reconnaissance
     • Social Engineering: An attacker calls the target organization and fools an employee into revealing sensitive information. Often, the attacker calls and pretends to be a new employee, customer, system administrator, or business partner.
  5. Low-Technology Reconnaissance
     • Physical Break-In: Physically breaking into the building to try to gain access to the network from the inside. This is often accomplished by walking into the building with a group of employees or by being hired as an employee or temp.
  6. Low-Technology Reconnaissance
     • Dumpster Diving: Going through an organization's discarded documents to find sensitive information. Often, employees throw out papers that reveal critical information (e.g., old Post-It notes with user IDs and passwords).
  7. Searching the Web
     • Organization's Web Site: Can reveal important information, such as employees' contact information, clues about the corporate culture and language, business partners, recent mergers and acquisitions, and what technologies the organization uses.
  8. Searching the Web
     • Search Engines: Can reveal information about the company's history, current events, future plans, financial status, business partners, and technologies in use.
     • Usenet: Employees may submit questions to technical newsgroups that reveal which products the organization uses.
  9. Whois Databases
     • Whois databases contain information about the assignment of Internet addresses, domain names, registrars, and individual contacts.
     • First, find out who the registrar is. The Internet Network Information Center (InterNIC) whois database lists the registrars of sites with the .net, .org or .com extensions, searchable by organization name or domain name. The InterNIC whois database is available online at:
  10. Whois Databases
     • If you are researching an organization without the .com, .net, or .org extensions (e.g., international websites), try the Allwhois site at:
     • Once you have the registrar's name, you can go to the registrar's site and get more information, such as names and numbers of administrators, email and postal addresses, registration dates, and the addresses of the organization's DNS servers.
  11. American Registry for Internet Numbers (ARIN)
     • Contains all IP addresses assigned to a particular organization. Search by company or domain name.
     • For North American, South American, Caribbean, and sub-Saharan African organizations:
     • For European organizations:
     • For Asian organizations:
  12. Domain Name System (DNS)
     • DNS: a world-wide hierarchical database that stores information about domain names and IP addresses. This database is queried to get information about a given domain name, most commonly the corresponding IP address.
     • Once an attacker knows one of the DNS servers, the attacker can begin interrogating the name servers.
  13. DNS
     • To interrogate DNS servers, first invoke the nslookup program on any UNIX or Windows NT/2000 system by typing nslookup at the command prompt.
     • Try to do a zone transfer. In a zone transfer, the nslookup program asks the DNS server to transmit all information it has about a given domain.
  14. DNS
     • To do a zone transfer, nslookup must be instructed to use the target's DNS server, using the server [target_DNS_server] command.
     • Next, specify to search for any type of DNS record by typing set type=any
     • Initiate the zone transfer by typing ls -d [target_domain]
     • Output can give useful information, such as system names, IP addresses of the systems, and sometimes even operating system types.
     • More information about nslookup:
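What the nslookup steps above test for is a name server that answers AXFR from anyone. The following BIND 9 named.conf fragment is an added example, not part of the original slides, showing the weak configuration beside the restricted one; the zone name, file name and secondary addresses are assumed placeholders.

```conf
// Weak: no allow-transfer statement at all. On BIND versions whose
// default allow-transfer is "any" (older BIND 9 releases), every host
// on the Internet can pull the complete zone with "ls -d" or dig AXFR.
zone "example.com" {
    type master;
    file "db.example.com";
};

// Hardened: refuse transfers globally, then allow only the real
// secondaries (addresses assumed) on each zone that has them.
options {
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { 192.0.2.53; 2001:db8::53; };
};
```

After reloading, repeat the slide's check from an outside host (dig @ns1.example.com example.com AXFR, server name assumed); a correctly restricted server reports a transfer failure instead of listing the zone.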
  15. General Reconnaissance Tools
     • Sam Spade (freeware, available at: )
     • Many reconnaissance tools in one: ping, whois, IP block whois, nslookup, dig, DNS zone transfer, traceroute, finger, SMTP VRFY, Web browser.
     • Other general-purpose reconnaissance tools: CyberKit, NetScan Tools, iNetTools
  16. Web-Based Reconnaissance Tools
     • Research and attack portals: sites that allow a user to enter the target site and research or initiate an attack against the target (via denial-of-service attacks or vulnerability scans).
     • Difference between Web-based tools and general reconnaissance tools: the traffic now comes from the Web server, not the attacker's machine. Thus, the attacker can remain more anonymous.
  17. Web-Based Reconnaissance Tools
     • Examples:
  18. Phase 2: Scanning
     The premise of scanning is to probe as many ports as possible, keeping track of open and useful ports that would be receptive to hacking. Scanners send multiple packets over a communication medium, then listen and record each response. The following are techniques for inspecting ports and protocols.
  19. War Dialing
     • War Dialing: Dialing large pools of telephone numbers in an effort to find unprotected modems. Done with an automated tool, such as THC-Scan 2.0, available at: .
     • This tool returns a list of all the modems discovered in the range of phone numbers it was given.
     • The hacker can then check all of the modems and see if any have no passwords, allowing access to the network.
  20. FIN Probe
     • A FIN packet (or any packet without an ACK or SYN flag) is sent to an open port and one waits for a response.
     • The correct RFC 793 behavior is to not respond. Many broken implementations (e.g., MS Windows) send a RESET back.
  21. Network Mapping
     • A hacker first tries to determine which addresses have active hosts by pinging all possible addresses in the network.
     • Once a hacker knows which hosts are alive, he or she will try to determine the network topology. This is done by a method called tracerouting.
  22. Network Mapping
     • Tracerouting: Send a series of packets with different Time-To-Live (TTL) values in the IP header and check the source address of the Time Exceeded message returned.
     • Example: Send a packet with a TTL of 1. The Time Exceeded message will have the source address of the first router. Now send a packet with a TTL of 2. The Time Exceeded message returned will have the source address of the second router, and so on.
  23. Tracerouting (diagram)
  24. Network Mapping
     • Windows 2000/NT and UNIX have tools that do this for us.
     • Windows 2000/NT: tracert
     • UNIX: traceroute
     • Another network mapping tool: Cheops (available at: ). This tool does the ping sweep and traceroute and draws a picture of the network topology.
  25. Screenshot of Cheops
  26. How Cheops Works
     • Sequentially send ARP messages to every IP address in the range.
     • Traceroute to every IP address that responds to the ARP message.
  27. Scanning Involves 3 Steps
     • Locating nodes
     • Performing service discovery
     • Testing services for known security holes
  28. TCP Port Scanning
     • Most basic form of scanning. Attempts to open a full TCP connection to determine if that port is active.
     • This method leaves an easier-to-spot trail than half-open scanning.
  29. Stealth Port Scanning
     • All operating systems now honor the tradition of permitting only the super-user to open the ports numbered 0 to 1023. These standard ports are assigned to services by the IANA (Internet Assigned Numbers Authority, www.iana.org).
     • Attempts by an unprivileged user program to open a port in the range 0..1023 will fail. A user program can open any unallocated port higher than 1023.
  30. On Unix, the text file named /etc/services (on Windows 2000, the file named %windir%\system32\drivers\etc\services) lists these service names and the ports they use. Here are a few lines extracted from this file:
  31. Standard ports (from /etc/services)
     | Service | Port | Name |
     |---|---|---|
     | WWW HTTP | 80/tcp | www-http |
     | Domain Name Server | 53/udp | domain |
     | Telnet | 23/tcp | telnet |
     | SSH Remote Login Protocol | 22/tcp | ssh |
     | File Transfer (control) | 21/tcp | ftp |
     | File Transfer (default) | 20/udp | ftp-data |
     | Echo | 7/tcp | echo |
  32. Non-Standard Ports
     | Service | Port | Name |
     |---|---|---|
     | X Window System | 6000-6063/tcp | X11 |
     | Yahoo! Messenger | 5010 | yahoo |
     | RADIUS authentication protocol | 1812/udp | Radius |
     | Microsoft Windows Internet Name Service | 1512/tcp | wins |
  33. Stealth Scanning Includes Some/All of the Following
     • Setting individual flags (ACK, FIN, RST, ...)
     • No flags set (NULL)
     • All flags set
     • Bypassing filters, firewalls, routers
     • Appearing as casual network traffic
     • Varied packet dispersal rates
  34. Fragmented Packets
     • The scanner splits the TCP header into several IP fragments. This bypasses some packet-filter firewalls because they cannot see a complete TCP header that can match their filter rules.
  35. • Some packet filters and firewalls do queue all IP fragments (e.g., the CONFIG_IP_ALWAYS_DEFRAG option in Linux enables it in the kernel), but many networks cannot afford the performance loss caused by the queuing.
  36. TCP Fragmenting
     • TCP fragmenting is not a scan method as such; rather, it is a way to obscure scanning implementations by splitting the TCP header into smaller fragments.
  37. • A minimally allowable fragmented TCP header must carry the destination and source ports in the first fragment (8 octets, 64 bits), with the flags typically in the next, allowing the remote host to reassemble the packet upon arrival.
  38. • The actual reassembly is performed by the IP module (IPM), which identifies the fragments of one packet by equal values in the fields:
       • source
       • destination
       • protocol
       • identification
  39. Using TCP Fragmenting: FragRouter
     • Program which fragments TCP packets
       • 35 different ways to fragment
     • Called a router because it is a software implementation of a router: data from other programs is sent through FragRouter.
     • FragRouter fragments the packets and then forwards them to their destination.
  40. SYN Scanning
     • Also called half-open scanning, as the TCP connection is not completed.
     • A SYN packet is sent and the target host responds with a SYN+ACK, indicating the port is listening.
     • RST indicates a non-listener.
     • The server process is never informed by the TCP layer because the connection did not complete.
  41. A demonstration of this technique is necessary to show a half-open transaction:
     • client -> SYN
     • server -> SYN|ACK
     • client -> RST
  42. • This example has shown the target port was open, since the server responded with SYN|ACK flags.
     • The RST is kernel-oriented, that is, the client need not send another packet with this bit, since the kernel's TCP/IP stack code automates this.
  43. Inversely, a closed port will respond with RST|ACK.
     • client -> SYN
     • server -> RST|ACK
     • This combination of flags is indicative of a non-listening port.
  44. FIN Scanning
     • The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that open, listening ports will send back different error messages than closed ports.
  45. • The scanner sends a FIN packet, which should close a connection that is open. Closed ports reply to a FIN packet with a RST. Open ports, on the other hand, ignore the packet in question.
     • If no service is listening at the target port, the operating system will generate an error message.
     • If a service is listening, the operating system will silently drop the incoming packet. Therefore, silence indicates the presence of a service at the port.
  46. This is the negotiation for open/closed port recognition:
     • client -> FIN
     • server -> (no reply)
     • No reply from the server is indicative of an open port. The server's operating system silently dropped the incoming FIN packet to the service running on that port.
  47. RST Reply
     • Opposing this is the RST reply by the server when a closed port is reached.
     • Since no service is bound on that port, issuing a FIN invokes a reset (RST) response from the server.
     • client -> FIN
     • server -> RST
  48. • Other techniques that have been used consist of XMAS scans, where all flags in the TCP packet are set, or NULL scans, where none of the bits are set. However, different operating systems respond differently to these scans, and it becomes important to identify the OS and even its version and patch level.
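The SYN, FIN, NULL and Xmas exchanges above are exactly what a defender's sensor sees on the wire. As an added example that is not part of the original slides, this Python detector runs two of those checks over a constructed packet log; the record format, addresses, window and threshold are assumptions.

```python
"""Detect half-open (SYN) sweeps and FIN/NULL/Xmas probes in a packet log.

Added example, not part of the original slides. Input records are
constructed tuples (timestamp, src_ip, dst_ip, dst_port, flags) such as a
sensor might export; flag letters use tcpdump-style abbreviations
(S=SYN, A=ACK, F=FIN, R=RST, P=PSH, U=URG).
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0      # sliding window for the SYN-sweep heuristic (assumed)
SYN_PORT_THRESHOLD = 5     # distinct ports per source that trigger an alert (assumed)

# Flag sets of the stealth probes on slides 33-48, in canonical sorted form.
STEALTH_PROBES = {"": "NULL", "F": "FIN", "FPU": "Xmas"}


def canonical(flags):
    """Sort the flag letters so 'UPF' and 'FPU' compare equal."""
    return "".join(sorted(flags))


def classify_stealth(flags):
    """Return 'FIN', 'NULL' or 'Xmas' for a stealth-probe flag set, else None."""
    return STEALTH_PROBES.get(canonical(flags))


def detect_scans(records):
    """Return alert strings for SYN sweeps and for stealth probes that
    belong to no flow the sensor saw being opened with a SYN."""
    alerts = []
    opened = set()                    # (src, dst, dport) flows begun with a SYN
    syn_history = defaultdict(deque)  # src -> recent (timestamp, dport)
    sweep_reported = set()

    for ts, src, dst, dport, flags in sorted(records):
        key = (src, dst, dport)
        if "S" in flags and "A" not in flags:        # bare SYN: a new flow
            opened.add(key)
            history = syn_history[src]
            history.append((ts, dport))
            while history and ts - history[0][0] > WINDOW_SECONDS:
                history.popleft()
            ports = {p for _, p in history}
            if len(ports) >= SYN_PORT_THRESHOLD and src not in sweep_reported:
                sweep_reported.add(src)
                alerts.append(f"SYN sweep from {src}: {len(ports)} ports "
                              f"within {WINDOW_SECONDS:g}s")
            continue
        probe = classify_stealth(flags)
        if probe is not None and key not in opened:
            # RFC 793 hosts answer these with silence (open) or RST (closed);
            # either way the probe itself is the detectable artefact.
            alerts.append(f"{probe} probe from {src} to {dst}:{dport} "
                          f"with no preceding SYN")
    return alerts


# Constructed sample: one scanner (198.51.100.7) and one benign client.
SAMPLE_LOG = [
    (1.00, "198.51.100.7", "192.0.2.10", 22, "S"),
    (1.01, "198.51.100.7", "192.0.2.10", 23, "S"),
    (1.02, "198.51.100.7", "192.0.2.10", 25, "S"),
    (1.03, "198.51.100.7", "192.0.2.10", 80, "S"),
    (1.04, "198.51.100.7", "192.0.2.10", 110, "S"),
    (1.05, "198.51.100.7", "192.0.2.10", 143, "S"),
    (2.00, "198.51.100.7", "192.0.2.10", 8080, "F"),    # FIN probe
    (2.01, "198.51.100.7", "192.0.2.10", 8081, ""),     # NULL probe
    (2.02, "198.51.100.7", "192.0.2.10", 8082, "FPU"),  # Xmas probe
    (3.00, "203.0.113.5", "192.0.2.10", 443, "S"),      # normal handshake
    (3.01, "203.0.113.5", "192.0.2.10", 443, "A"),
    (3.02, "203.0.113.5", "192.0.2.10", 443, "PA"),
    (3.50, "203.0.113.5", "192.0.2.10", 443, "FA"),     # orderly close
]

if __name__ == "__main__":
    for line in detect_scans(SAMPLE_LOG):
        print(line)
```

The benign client's FIN carries ACK and follows its own SYN, so it is never mistaken for a probe; the scanner's bare FIN, NULL and Xmas packets have no such flow.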
  49. Reverse Ident Scanning
     • This technique involves sending a query to the ident/auth daemon, usually on port 113, to ask the service for the owner of the running process.
     • The main reason behind this is to find daemons running as root; this result would entice an intruder to find a vulnerable overflow and instigate other suspicious activities involving this port.
  50. • Alternatively, a daemon running as user nobody (httpd) may not be as attractive to an attacker because of its limited access privileges.
     • identd could release miscellaneous private information such as:
       • user info
       • entities
       • objects
       • processes
  51. FTP Bounce
  52. Background
     • An FTP session consists of two connections between the client and the server.
     • The high-port server connection is enabled by the client and allows the FTP server to send data to the client.
     • When the client wants to transfer data to or from the server, it issues a PORT command. The PORT command instructs the server to open a data connection, which is used to transfer the data.
  53. Problem
     • An outside attacker can use the FTP server to open connections which appear to originate from the server. This could be used to bypass access control restrictions.
  55. How To Use FTP Bounce Attacks
  56. Port Scanning
     • An attacker can run the attack from a third-party FTP server acting as a stage for the scan. The victim site sees the scan as coming from the FTP server rather than the true source (the FTP client).
     • When the victim site is on the same subnet as the FTP server, or when it does not filter traffic from the FTP server, the attacker can use the server machine as the source of the port scan rather than the client machine.
  57. Bypassing Basic Packet Filtering Devices
     • An attacker may bypass a firewall in certain network configurations.
       • Example: a site has its anonymous FTP server behind a firewall. Using the technique above, an attacker determines that an internal web server at that site is available on port 8080, a port normally blocked by a firewall.
  58. • By connecting to the public FTP server at the site, the attacker initiates a further connection between the FTP server and an arbitrary port on a non-public machine at that site (for instance the internal web server at port 8080).
     • As a result, the attacker establishes a connection to a machine that would otherwise be protected by the firewall.
  59. Bypassing Dynamic Packet Filtering Devices
     • Example:
       • The victim site houses all of its systems behind a firewall that uses dynamic packet filters.
       • A person at the victim site browses web pages and downloads a Java applet constructed by the attacker.
       • The Java applet then opens an outbound FTP connection to the attacker's machine.
       • The applet then issues an FTP PORT command, instructing the server machine to open a connection to some otherwise protected system behind the victim firewall.
  60. • The dynamic packet filtering firewall examines outbound packets to determine if any action is required on its part.
     • It notes the PORT command and allows an incoming connection from the remote web server to the telnet port on the victim machine.
     • This connection was allowed in this case because the PORT command was issued by the client.
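Every bounce scenario above depends on the server opening a data connection to whatever address the PORT command names. The server-side defence recommended in RFC 2577 section 3 is to accept only the control connection's own peer and only unprivileged ports; the following Python check is an added example, not code from the original slides, and the PORT strings and client addresses are constructed.

```python
"""Validate FTP PORT commands so the server cannot be used as a bounce host.

Added example, not part of the original slides. The rule follows RFC 2577
section 3: a data connection is opened only to the address of the client
that issued the command, and never to a privileged (< 1024) port or port 0.
"""
import ipaddress


class PortCommandError(ValueError):
    """Raised when a PORT argument is malformed or names a disallowed target."""


def parse_port_arg(arg):
    """Parse the RFC 959 form 'h1,h2,h3,h4,p1,p2' into (ip_string, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise PortCommandError("PORT needs six comma-separated numbers")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise PortCommandError("PORT fields must be integers") from None
    if any(n < 0 or n > 255 for n in nums):
        raise PortCommandError("PORT fields must be in 0..255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def check_port_command(arg, control_peer_ip):
    """Return (host, port) if the requested data target is acceptable.

    Rejects targets that differ from the control-connection peer (the bounce
    case on slides 55-60), privileged ports, and port 0.
    """
    host, port = parse_port_arg(arg)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        raise PortCommandError(
            f"data address {host} is not the client {control_peer_ip}")
    if port < 1024:
        raise PortCommandError(f"refusing privileged data port {port}")
    return host, port


def port_command_verdict(arg, control_peer_ip):
    """Non-raising form for logging: ('accept', 'host:port') or ('reject', reason)."""
    try:
        host, port = check_port_command(arg, control_peer_ip)
    except PortCommandError as exc:
        return ("reject", str(exc))
    return ("accept", f"{host}:{port}")


if __name__ == "__main__":
    # Constructed control session: client 203.0.113.5 sends three PORT commands.
    client = "203.0.113.5"
    for cmd in ("203,0,113,5,4,1",      # its own address, port 1025: fine
                "10,0,0,8,31,144",      # bounce to 10.0.0.8:8080 (slide 58)
                "203,0,113,5,0,23"):    # its own address but port 23
        print(cmd, "->", port_command_verdict(cmd, client))
```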
  61. Scanning Packages Available Commercially
     • CyberCop
     • JAKAL
     • NetRecon
     • NMap
  62. CyberCop
     • Intrusion detection system that safeguards corporate assets by performing real-time surveillance of network traffic. The CyberCop system protects networks from external and internal attacks by providing a "high tech burglar alarm" capable of alerting companies when the security of their networks is breached by unauthorized intruders.
  63. JAKAL
     • Developed on UNIX to test UNIX hosts. Jakal is interesting because of its possibilities: it is designed for stealth and to go through most firewalls. Usually it doesn't leave any trace of its activity, except for some messages (SYN|ACK).
  64. NetRecon
     • Scans multiple operating systems, including UNIX, Linux, Windows 2000, Windows NT, Windows 95/98 and NetWare.
     • Scans using many Windows NT/2000 network protocols such as TCP/IP, IPX/SPX, and NetBEUI.
  65. Nmap
     • Most popular scanner to date.
     • Free utility for network exploration or security auditing. Designed to rapidly scan large networks. Uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, and what type of packet filters/firewalls are in use.
     • http:// nmap / idlescan .html
  66. Scan Types Supported by Nmap
  67-69. Scan types (table reconstructed from three slides)
     | Type of Scan | Command-Line Option | Summary of Characteristics |
     |---|---|---|
     | TCP Connect | -sT | Completes the 3-way handshake with each scanned port. |
     | TCP SYN | -sS | Only sends the initial SYN and awaits the SYN-ACK response. |
     | TCP FIN | -sF | Sends a TCP FIN to each port. Reset indicates port is closed. |
     | TCP Xmas Tree | -sX | Sends packet with the FIN, URG and PUSH code bits set. Reset indicates port is closed. |
     | Null | -sN | Sends packets with no code bits set. Reset indicates port is closed. |
     | TCP ACK | -sA | Sends packet with the ACK code bit set to each target port. |
     | Window | -sW | Similar to ACK, but focuses on TCP window size to determine if ports are open or closed. |
     | FTP Bounce | -b | Bounces a TCP scan off of an FTP server, obscuring the originator of the scan. |
     | UDP Scanning | -sU | Sends a UDP packet to target ports to determine if a UDP service is listening. |
     | Ping | -sP | Sends ICMP echo request packets to every machine on the target network. |
     | RPC Scanning | -sR | Scans RPC services, using all discovered open TCP/UDP ports on the target to send RPC Null commands. |
  70. Determining Firewall Filter Rules
     • One disadvantage of Nmap: it cannot differentiate what is open on an end machine and what is being firewalled.
     • It is also important to determine what ports are available through the firewall or router. One tool that can do this is Firewalk (available at: ).
     • Firewalk can determine which types of packets are permitted through and which ports are accessible through the firewall.
     • Note: Firewalk is only useful for packet-filtering devices, not proxy-based firewalls.
  71. How Firewalk Works
     • Determines the number of hops between the tool and the firewall.
     • Sends UDP and TCP packets with a TTL one greater than the hop count to the filtering device.
       • If an ICMP Time Exceeded message is returned, the port is available through the firewall.
       • If an ICMP Port Unreachable message or nothing is returned, the port is most likely being filtered by the firewall.
     • Unlike Nmap, Firewalk can determine what kind of packets are allowed through the firewall for each specific port and which ports allow new connections.
  72. Vulnerability Scanning
     • Use an automated tool that checks for common configuration errors, default configuration errors, and well-known system vulnerabilities.
     • Generally made up of multiple parts: vulnerability database, user configuration tool, scanning engine, knowledge base of the current active scan, and results repository and report generation tool.
  73. Vulnerability Scanner (diagram)
  74. Nessus
     • The most popular of the vulnerability scanners. (Available: )
     • Also allows users to write their own vulnerability checks and include them in the tool.
     • Has a variety of plug-ins, such as checking for vulnerabilities that allow a shell to be gained remotely and checking to see if the target system already has backdoor tools installed.
  75. Port, Socket & Service Vulnerability Penetrations
     • Once a breach has been uncovered during the discovery phase, different vulnerability penetrations are used to take advantage of it and possibly gain control of computers, servers and internetworking equipment.
     • More on exploiting these vulnerabilities in Phase 3...
  76. Operating System Fingerprinting with Nmap
  77. TCP ISN Sampling
     • The idea here is to find patterns in the initial sequence numbers chosen by TCP implementations when responding to a connection request.
     • Categorized into groups such as traditional 64K, random increments, and true random (Linux 2.0).
  78. Don't Fragment Bit
     • Trend of operating systems to set the IP "Don't Fragment" bit on some of the packets they send.
     • By paying attention to this bit, one can glean information on the target OS.
  79. TCP Initial Window
     • Simply involves checking the window size on returned packets.
     • Gives quite a lot of information, since some operating systems can be uniquely identified by the window alone.
  80. TCP Options
     • Excellent means of gaining access to leaked information.
     • Can discover if a host implements them by sending a query with an option set: the target shows support for the option by setting it in the reply.
     • Can stuff many options into one packet to test everything at once.
  81. SYN Flood Resistance
     • If too many forged SYN packets are sent to some operating systems, they will stop accepting new connections.
     • Many operating systems can only handle 8 packets.
     • By sending 8 forged packets to an open port and then trying to establish a connection, you can learn about the operating system used.
     • This is easier to detect on the target side than other methods, however.
  83. Random Clipart
  84. Pre-Phase 3: Understanding Filters, Firewalls and the IDS
  85. Packet Filter
     • First line of defense.
     • Checks each packet against a policy or rule before routing it to the destination node or network.
     • Most reject SYN/ACK, ICMP, and incoming UDP packets that initiate inbound sessions.
  86. Example
     • Cisco Series Access Router
     • If the router is configured to pass a particular protocol, external hosts can use that protocol to establish a direct connection to internal hosts.
     • The router will produce an audit log, with features to generate alarms when hostile behavior is detected.
  87. Enhanced Version: Stateful Filter
  88. Stateful Filter
     • Provides the same functionality as the previous version, but also keeps track of state information, such as TCP sequence numbers.
     • Uses the analysis of data within the lowest levels of the protocol stack to compare the current session to previous ones for the purpose of detecting suspicious activity.
     • Uses specific rules determined by the user.
  89. Downside
     • Does not recognize specific applications and is therefore unable to apply different rules to different applications.
  90. Proxy Firewall
  91. • Simple server with dual NICs that has routing or packet forwarding deactivated, utilizing a proxy server daemon instead.
     • Gateway is a term used as a synonym for proxy server.
     • Gathers all Internet requests, forwards them to Internet servers, receives responses, and forwards them to the original requestor within the company.
  92. Enhanced Version: Application Proxy Gateway
  93. Application Proxy Gateway
     • Contains integrated modules that check every request and response.
     • Example:
       • An FTP stream may only be allowed to download data.
  94. Application gateways look at data on the application layer of the protocol stack and serve as proxies for outside users. Thus, outside users never really have a direct connection to anything beyond the proxy gateway.
  95. Implementing a Backdoor Method: 4 Actions Take Place
     • Seizing a virtual connection; this involves hijacking a remote telnet session, a VPN tunnel or a SecurID session.
     • Planting an insider: user, engineer or socially engineered (swindled) person.
       • Can also spoof an employee with an e-mail with a remote access Trojan attached.
  96. • Manipulating an internal vulnerability; attacks on demilitarized zones, such as e-mail, domain name resolution, telnet or FTP.
     • Manipulating an external vulnerability; involves penetrating through an external mail server, HTTP server daemon and/or telnet service on an external boundary gateway.
  97. Intrusion Detection System
  98. Scanning Intrusion Detection Systems
     • Detects statistical anomalies. Measures a "baseline" of such stats as CPU utilization, disk activity, user logins, file activity, and so forth. Then, the system can trigger when there is a deviation from this baseline.
     • Can detect the anomalies without having to understand the underlying cause behind them.
  99. Signature Recognition
     • The majority of commercial products are based upon examining the traffic looking for well-known patterns of attack.
     • The classic example is to examine every packet on the wire for the pattern "/cgi-bin/phf?", which might indicate somebody attempting to access this vulnerable CGI script on a web server.
  100. How does a NIDS match signatures with incoming traffic?
     • 1. Protocol stack verification: A number of intrusions, such as "Ping-O-Death" and "TCP Stealth Scanning", use violations of the underlying IP, TCP, UDP, and ICMP protocols in order to attack the machine. A simple verification system can flag invalid packets. This can include valid but suspicious behavior such as severely fragmented IP packets.
  101. • 2. Application protocol verification: A number of intrusions use invalid protocol behavior, such as "WinNuke", which uses invalid NetBIOS protocol, or DNS cache poisoning, which has a valid but unusual signature. In order to effectively detect these intrusions, a NIDS must re-implement a wide variety of application-layer protocols in order to detect suspicious or invalid behavior.
  102. • 3. Creating new loggable events: A NIDS can be used to extend the auditing capabilities of your network management software. For example, a NIDS can simply log all the application layer protocols used on a machine. Downstream event log systems (WinNT Event Log, UNIX syslog, SNMP traps, etc.) can then correlate these extended events with other events on the network.
  103. Other countermeasures besides IDS
     • Firewalls: These are to protect from external attacks; most intrusions are committed by employees inside the firewall, and it should therefore be considered a last line of defense.
  104. Authentication
     • Scanners should be run that automate the finding of open accounts.
     • One should automatically enforce strict policies for passwords (7 character minimum, including numbers, dual-case, and punctuation) using crack or built-in policy checkers (WinNT native, add-on for UNIX).
  105. Virtual Private Networks
     • Create secure connections over the Internet for remote access.
     • VPNs actually decrease corporate security. While the pipe itself is secure (authenticated, encrypted), either end of the pipe is wide open.
     • A home machine compromised with a backdoor rootkit allows a hacker to subvert the VPN connection, allowing full, undetectable access to the other side of the firewall.
  106. IDS Setup Locations
  107. • Network Hosts: Although network intrusion detection systems have traditionally been used as probes, they can also be placed on hosts.
     • Network perimeter: IDS is most effective on the network perimeter, such as on both sides of the firewall, near the dial-up server, and on links to partner networks. These links tend to be low-bandwidth (T1 speeds), such that an IDS can keep up with the traffic.
  108. • Servers are often placed on their own network, connected to switches. The problem these servers have, though, is that IDS systems cannot keep up with high-volume traffic.
     • Server Farms: For extremely important servers, you may be able to install dedicated IDS systems that monitor just the individual server's link. Also, application servers tend to have lower traffic than file servers, so they are better targets for IDS systems.
  109. Phase 3: Penetration
108. 110. Stack Based Overflow Attack <ul><li>Overwrite the return pointer stored on the stack by overflowing a stack buffer. When the return pointer is copied into the IP (instruction pointer), the processor tries to fetch the next instruction from the new address that was written over the return pointer by the overflow. </li></ul><ul><li>Example: Overflow the stack with a series of 'A's. When the value of the return pointer is copied into the IP, the processor will try to fetch the next instruction from the all-'A' address (address 41414141h). </li></ul>
109. 111. <ul><li>Important to overflow the buffer with meaningful information </li></ul><ul><ul><li>i.e. machine language code containing the commands we want executed </li></ul></ul><ul><li>Difficult to overwrite the return pointer so that it lands exactly at the beginning of the code </li></ul><ul><ul><li>Place a bunch of NOPs or NOP equivalents (called a NOP sled) at the beginning of the code. </li></ul></ul><ul><ul><li>When overwriting the return pointer, the attacker then only has to hit a range of values rather than one specific value. </li></ul></ul>
110. 112. <ul><li>Once the stack is smashed, there are many things an attacker can do. Most likely, the attacker will try to create a back door to the target system. </li></ul><ul><li>Creating a backdoor with inetd: Add a line to the /etc/inetd.conf file, which will spawn a command shell each time anyone connects to a port chosen by the attacker. The injected code runs this command line to get a command shell listening on the given port: </li></ul><ul><li>/bin/sh -c "echo [port #] stream tcp nowait root /bin/sh sh -i" </li></ul><ul><li>>> /etc/inetd.conf; killall -HUP inetd </li></ul>
  111. 113. <ul><li>Creating a backdoor with TFTP and Netcat: Get the target to execute the TFTP client. Load the Netcat program onto the target system. Configure Netcat to push a command shell from the target machine to the attacker’s machine. </li></ul><ul><li>A good document on Stack Based Buffer Overflow Attacks: “Smashing the Stack for Fun and Profit” by Aleph One, available at: </li></ul><ul><li>smashstack.txt </li></ul>
  112. 114. Password Attacks <ul><li>Two kinds: Password Guessing and Password Cracking </li></ul><ul><li>Password Guessing : Attempt to guess the password for a particular user ID. This process is rarely successful, time consuming, and generates a lot of network traffic. Also, some accounts are locked out after a set number of unsuccessful guesses. Many password-guessing tools can be found at Packet Storm’s Site: </li></ul>
113. 115. <ul><li>Password Cracking : Steal the file with the encrypted passwords and use a password cracking program to recover the original passwords. </li></ul><ul><li>Stealing the file: Windows – use a Pwdump program (packetstormsecurity.nl/Crackers/NT/), or sniff the hashes from the network (more on sniffing later). UNIX – gain root-level access and steal the /etc/shadow or /etc/secure file if shadow passwords are used, otherwise steal the /etc/passwd file. </li></ul>
114. 116. <ul><li>Password Cracking Software: </li></ul><ul><li>Windows: L0phtCrack (available: ) This tool includes other options, such as a sniffer and a pwdump program </li></ul><ul><li>UNIX: John the Ripper (available: www.openwall.com/john/ ) </li></ul>
115. 117. Web Application Attacks <ul><li>Can still be conducted, even if the target site uses SSL. </li></ul><ul><li>Account Harvesting, Undermining Session-Tracking Mechanisms, SQL Piggybacking </li></ul><ul><li>Account Harvesting : Works for applications that return different error messages for an incorrect user ID and an incorrect password. By looking at the error messages, the attacker can determine valid user IDs, sometimes even passwords. </li></ul>
116. 118. <ul><li>Here, although the web pages look identical for each type of error, notice that the URL has changed, giving any hacker a hint about incorrect user IDs vs. incorrect passwords. </li></ul>
117. 119. Undermining Web Application Session Tracking <ul><li>Three ways session IDs are implemented: URL session tracking, hidden form elements, and cookies. </li></ul><ul><li>The attacker will first log in to the site multiple times to see how the session IDs are generated. </li></ul><ul><li>To change a session ID in a URL, simply type a different user’s session ID (or a generated one) over the original user’s ID in the URL. </li></ul>
  118. 120. <ul><li>To change the session ID in a site with hidden form elements, view the source of the page, modify the ID number and reload it into the browser. </li></ul><ul><li>To edit the session ID in a site that uses cookies, use a program called Achilles (available: ). Achilles is a web proxy that intercepts the per-session cookies and allows the attacker to modify them. </li></ul>
  119. 121. SQL Piggybacking <ul><li>Extending an application’s SQL statement to extract or update information that the attacker is not authorized to access. </li></ul><ul><li>Rainforest Puppy has a paper about SQL Piggybacking: “How I Hacked Packetstorm” (available: ) </li></ul><ul><li>Begin by exploring how the Web application interacts with the database. </li></ul>
120. 122. <ul><li>The attacker may extend the SQL query </li></ul><ul><ul><li>Example </li></ul></ul><ul><ul><ul><li>Use SELECT * FROM account WHERE (userid='10001' and number = '11111111111' or userid='10002') </li></ul></ul></ul><ul><ul><ul><li>instead of SELECT * FROM account WHERE (userid='10001' and number = '11111111111') </li></ul></ul></ul><ul><ul><ul><li>to get information on 10002 </li></ul></ul></ul>
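The piggybacked query from the slide, reproduced as an added example that is not part of the original presentation: a lookup that splices the account number into the SQL text returns 10002's row as well, while the same lookup with bound parameters treats the whole input as one (non-matching) account number. The in-memory sqlite table, column names and sample rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the slide's 'account' table (two sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (userid TEXT, number TEXT, balance INTEGER)")
    db.executemany(
        "INSERT INTO account VALUES (?, ?, ?)",
        [("10001", "11111111111", 500), ("10002", "22222222222", 9000)],
    )
    return db


def lookup_unsafe(db, userid, number):
    """Vulnerable pattern: user input is pasted straight into the statement text,
    so a quote in the input closes the literal and the rest is parsed as SQL."""
    sql = ("SELECT userid, balance FROM account "
           f"WHERE (userid='{userid}' and number = '{number}')")
    return db.execute(sql).fetchall()


def lookup_safe(db, userid, number):
    """Hardened pattern: placeholders. The driver hands the values to the engine as
    data, so the quote and the 'or userid=' fragment never reach the parser."""
    sql = "SELECT userid, balance FROM account WHERE (userid=? and number = ?)"
    return db.execute(sql, (userid, number)).fetchall()


# The number field as the slide's attacker would submit it: it closes the literal
# and appends "or userid='10002'" before the application's own closing paren.
PIGGYBACK = "11111111111' or userid='10002"


def demo():
    """Run both lookups against the sample table and return the three result sets."""
    db = make_db()
    return {
        "unsafe_normal": lookup_unsafe(db, "10001", "11111111111"),
        "unsafe_piggyback": lookup_unsafe(db, "10001", PIGGYBACK),
        "safe_piggyback": lookup_safe(db, "10001", PIGGYBACK),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```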
121. 123. Sniffing <ul><li>Sniffer: Gathers packets from the local network and allows the user to view the data being transmitted. </li></ul><ul><li>Two ways of sniffing: Passive (on a network built with a hub) and Active (on a network built with a switch) </li></ul>
122. 124. Passive Sniffing <ul><li>Passively listens and collects packets. </li></ul><ul><li>Snort (available: ) – A good passive sniffer that can be used as an IDS. Can sift through the network traffic and look for attack signatures. </li></ul><ul><li>Sniffit (available: </li></ul><ul><li>/sniffit/sniffit.html ) – has an interactive mode that shows all active sessions and allows the attacker to see all keystrokes of the victim. </li></ul>
  123. 125. <ul><li>Dsniff – one of the more versatile sniffing tools. It is several programs in one, but is most known as a sniffer. It can interpret a number of different protocols, like FTP, HTTP, AIM, ICQ, Napster, Microsoft SQL, etc. Available: </li></ul>
  124. 126. Active Sniffing <ul><li>Need to fool the switch into sending the packets to the system with the sniffer </li></ul><ul><li>Different methods: MAC Flooding and Spoofing ARP Messages </li></ul><ul><li>MAC Flooding : Send a flood of traffic with random MAC addresses until the switch’s memory is full. Some switches will then forward packets to all links on the switch (done with the Dsniff program Macof). </li></ul>
  125. 127. <ul><li>Spoofing ARP Messages : </li></ul><ul><li>Arpspoof, a Dsniff feature, allows attackers to change the ARP traffic on local networks. </li></ul><ul><ul><li>Attacker configures his or her system to forward any traffic it receives to the router. </li></ul></ul><ul><ul><li>Arpspoof program is activated, which sends fake ARP replies </li></ul></ul><ul><ul><li>Fake ARP replies change the target’s ARP table. </li></ul></ul><ul><ul><li>Any traffic from the target machine is sent to the attacker’s machine before being transferred to the local network. </li></ul></ul>
  126. 128. Spoofing ARP Messages
  127. 129. Other Methods of Redirecting Traffic <ul><li>Spoofing DNS : </li></ul><ul><ul><li>DNSspoof, a Dsniff feature, allows attackers to send the target machine false DNS information, making the victim access the attacker’s machine when they intend to access a different system. </li></ul></ul><ul><ul><ul><li>The attacker starts the dnsspoof program and waits for the target to send a DNS query for a specific host. </li></ul></ul></ul><ul><ul><ul><li>Once the query is received, the attacker then sends a false DNS response. </li></ul></ul></ul><ul><ul><ul><li>When the target tries to access the intended host, the system is now accessing the attacker’s machine. </li></ul></ul></ul>
  128. 130. Spoofing DNS
129. 131. <ul><li>Sniffing HTTPS : </li></ul><ul><ul><li>Attacker runs the webmitm feature of Dsniff together with DNS spoofing </li></ul></ul><ul><ul><li>All HTTP and HTTPS traffic is proxied by webmitm </li></ul></ul><ul><ul><li>Target connects to the attacker’s machine and an SSL connection is established. </li></ul></ul><ul><ul><li>Attacker’s system establishes an SSL connection with the server the target is attempting to access. </li></ul></ul><ul><ul><li>Webmitm acts as a proxy with two connections </li></ul></ul><ul><ul><ul><li>From the target’s system to the attacker’s machine </li></ul></ul></ul><ul><ul><ul><li>From the attacker’s machine to the actual server the target was trying to reach </li></ul></ul></ul><ul><ul><li>Note: the target receives the attacker’s certificate, not the certificate of the server the target is trying to reach. </li></ul></ul>
  130. 132. Sniffing HTTPS
  131. 133. <ul><li>The user will receive a warning that the certificate is not signed by a trusted Certificate Authority. Webmitm will then display the contents of the SSL session on the attacker’s screen. </li></ul><ul><li>Sniffing SSH : This is done in a similar manner as sniffing HTTPS, except the sshmitm (another Dsniff feature) is used instead of the webmitm feature. Note: Sshmitm only allows for sniffing of SSH protocol version 1. </li></ul>
132. 134. Is your machine running a sniffer? <ul><li>Detecting the process that does the sniffing is difficult, because the name of that process can be disguised as something innocent. </li></ul><ul><li>The only way to detect the sniffer is to check whether the network interface is in promiscuous mode. If the network interface is in promiscuous mode, it listens for all packets on the network and not only for packets destined to that machine. </li></ul><ul><li>One way to check this is to run: ifconfig -a . This lists the available network interfaces and shows all the information about them. The word PROMISC means that the interface is in promiscuous mode. </li></ul>
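The PROMISC check described above, as an added example (not code from the presentation): it parses the output of ifconfig -a for the PROMISC flag and, on Linux, also reads each interface's flags word from /sys/class/net directly, which does not depend on the ifconfig binary being trustworthy. The sample ifconfig output, interface names and addresses are constructed; the IFF_PROMISC bit value 0x100 is the standard Linux one.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100  # IFF_PROMISC bit of the Linux interface flags word


def promisc_from_ifconfig(output: str) -> list:
    """Return the interfaces whose 'ifconfig -a' block carries the PROMISC flag.

    Handles both the newer block style ("eth0: flags=4419<UP,...,PROMISC,...>")
    and the older one ("eth0  Link encap:... UP BROADCAST RUNNING PROMISC ...");
    in both, continuation lines are indented, so a block starts at each
    non-indented line.
    """
    found = []
    for block in re.split(r"\n(?=\S)", output.strip()):
        name = block.split()[0].rstrip(":")
        if re.search(r"\bPROMISC\b", block):
            found.append(name)
    return found


def flags_word_is_promisc(flags_text: str) -> bool:
    """True if a /sys/class/net/<iface>/flags value (hex text such as '0x1143')
    has the IFF_PROMISC bit set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_from_sysfs(sys_root: str = "/sys/class/net") -> list:
    """Linux only: test every interface's flags file, bypassing ifconfig.

    A trojaned ifconfig can drop the PROMISC word from its output; sysfs is
    answered by the kernel, so only a kernel-level rootkit can lie here.
    """
    root = Path(sys_root)
    if not root.is_dir():
        return []
    found = []
    for iface in sorted(root.iterdir()):
        try:
            if flags_word_is_promisc((iface / "flags").read_text()):
                found.append(iface.name)
        except (OSError, ValueError):
            continue  # entries without a readable flags file
    return found


# Constructed sample output: eth0 in promiscuous mode (flags 0x1143 includes
# 0x100), lo not; eth1 shown in the older ifconfig layout.
SAMPLE_IFCONFIG = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
        ether 02:00:00:00:00:01  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0

eth1      Link encap:Ethernet  HWaddr 02:00:00:00:00:02
          inet addr:192.0.2.11  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
"""

if __name__ == "__main__":
    print("from sample ifconfig:", promisc_from_ifconfig(SAMPLE_IFCONFIG))
    print("from this host's sysfs:", promisc_from_sysfs())
```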
  133. 135. How to avoid packet sniffers altogether <ul><li>Active hubs only send packets to the intended machines. This can disable the sniffer since it will not receive packets not intended for that specific machine. Cisco, HP and 3Com have such active hubs. </li></ul>
134. 136. Detecting other sniffers on the network <ul><li>Detecting sniffers on other machines is very difficult, but detecting whether a Linux machine is doing the sniffing is possible. </li></ul><ul><li>This can be done by exploiting a weakness in the TCP/IP stack implementation of Linux. </li></ul><ul><li>When Linux is in promiscuous mode, it will answer TCP/IP packets sent to its IP address even if the MAC address on that packet is wrong. </li></ul><ul><li>Therefore, sending TCP/IP packets to all the IP addresses on the subnet with a deliberately wrong destination MAC address will tell you which machines are Linux machines in promiscuous mode. </li></ul>
135. 137. IP Address Spoofing <ul><li>Used to disguise the IP address of a system. </li></ul><ul><li>Three ways an IP address can be spoofed: changing the IP address, undermining UNIX r-commands, and spoofing with source routing </li></ul><ul><li>Changing the IP address : The attacker can either reconfigure the whole system to have a different IP address or use a tool (Nmap or Dsniff) to change the source address of outgoing packets. Limitation: the attacker cannot receive any responses. </li></ul>
136. 138. <ul><li>Undermining UNIX r-Commands : </li></ul><ul><ul><li>Attacker finds two computers with a trust relationship </li></ul></ul><ul><ul><ul><li>Send a bunch of TCP SYN packets to the target and see how the initial sequence numbers change </li></ul></ul></ul><ul><ul><ul><li>A DoS attack is sent to the other system </li></ul></ul></ul><ul><ul><ul><li>Attacker initiates a connection with the target system, using the IP address of the other system </li></ul></ul></ul><ul><ul><ul><li>Target system sends TCP SYN and ACK packets to the other system, which is dead </li></ul></ul></ul><ul><ul><ul><li>Attacker estimates the initial sequence number chosen by the target and sends a TCP ACK packet back </li></ul></ul></ul><ul><ul><ul><ul><li>If the sequence numbers match, the attacker has successfully gained one-way access to the target. </li></ul></ul></ul></ul>
137. 139. Undermining UNIX r-Commands
  138. 140. <ul><li>Spoofing with Source Routing : The attacker creates packets that have system A’s source address, with the attacker’s address in the source route. The attacker sends the packet to system B. Any replies are sent to the attacker’s machine. Note that the attacker does not forward them to system A because the connection would be reset. </li></ul>
  139. 141. Session Hijacking <ul><li>A combination of sniffing and spoofing that allows an attacker to steal the session from the user, given that after the initial authentication the session is not encrypted. The attacker’s system lies somewhere on the route between the two communicating machines (A and B). The attacker observes the traffic, monitoring the TCP sequence numbers. The attacker can then send spoofed packets with system A’s IP address as the source so that system B will obey the commands. </li></ul>
  140. 142. <ul><li>Problem: When the attacker sends system B packets with system A’s IP address, system A will notice that the TCP sequence numbers are out of order and send ACK packets to resynchronize the numbers. This continual retransmission of ACK packets is known as an ACK storm. </li></ul><ul><li>Most hijacking tools cannot cope with the ACK storm and the connection will be dropped. </li></ul>
141. 143. <ul><li>Tool: Hunt (available: www.packetstormsecurity.org/sniffers/hunt ) </li></ul><ul><li>Hunt uses ARP spoofing to prevent the connection from being dropped. </li></ul><ul><li>Unlike other tools, Hunt can also resynchronize the connection. It does this by sending a message to system A saying: msg from root: power failure – try to type 88 characters (where 88 is the number of characters that the attacker typed during the hijacking), which will advance the sequence number of system A’s TCP stack to where it should be. </li></ul><ul><li>Two new ARP spoof messages are then sent, restoring the correct MAC addresses. </li></ul>
  142. 145. Netcat – The Networking Swiss Army Knife <ul><li>Used for multiple purposes, Netcat basically moves data over any TCP or UDP port. It can either act as a client or a listener. Available: </li></ul><ul><li>network_utilities </li></ul><ul><li>For File Transfers : Set up a Netcat client on the source system and a Netcat listener on the destination system. The source system initiates a connection and pushes the file to the destination system. </li></ul>
  143. 146. <ul><li>For Port Scanning : Netcat will connect with every port and display a list of open ports. </li></ul><ul><li>For Making Connections to Open Ports : Use Netcat in client mode to connect to open ports and see what the listening service sends back. Better to use than Telnet because it is easier to force Netcat to drop a connection, Netcat can make UDP connections, and Netcat only returns the pure data from the open ports, not any other data like environment variables. </li></ul>
  144. 147. Denial-of-Service (DoS) Attacks <ul><li>Used to prevent access by legitimate users. </li></ul><ul><li>Two options: Stop services and exhaust resources. This can be done either remotely or locally. </li></ul>
  145. 148. Stopping Local Services <ul><li>Must have an account on the local system. </li></ul><ul><li>Three methods: Process Killing, System Reconfiguration, and Process Crashing </li></ul><ul><li>Process Killing : When an attacker has root privileges, he or she can simply kill the local processes. </li></ul>
  146. 149. <ul><li>System Reconfiguration : An attacker with root privileges can reconfigure the system so that it does not offer certain services or filters on the machine. </li></ul><ul><li>Process Crashing : Crashing processes by exploiting vulnerabilities in the system (i.e. – use stack based buffer overflow with a local process, causing the process to crash). </li></ul>
  147. 150. Locally Exhausting Resources <ul><li>Running a program from an account on the target system that grabs the system resources. </li></ul><ul><li>Three methods: Filling up the process table, filling up the file system, and sending outbound traffic that fills up the communication link. </li></ul>
148. 151. <ul><li>Filling up the process table : Running a recursive program that forks processes in an attempt to fill up the process table so no other users can run processes. </li></ul><ul><li>Filling up the file system : Continuously writing data to the file system, preventing other users from writing files. </li></ul><ul><li>Sending outbound traffic that fills up the communication link : Running a program that sends large amounts of bogus network traffic, consuming the processor and bandwidth. </li></ul>
  149. 152. Remotely Stopping Services <ul><li>Send a malformed packet. Different platforms may be susceptible to different types of malformed packets. </li></ul><ul><li>These packets have structures that the TCP/IP stacks cannot anticipate, causing the system to crash. </li></ul><ul><li>Malformed packet suites available at: </li></ul>
  150. 153. Remotely Exhausting Resources <ul><li>Accomplished by a packet flood </li></ul><ul><li>Three common ways: SYN flood, Smurf attacks, and Distributed Denial of Service Attacks (DDoS) </li></ul><ul><li>SYN Flood : Overwhelm the target machine with SYN packets. This fills the connection queue so that no new connections can be made on the target machine. </li></ul>
151. 154. <ul><li>Smurf Attacks : Repeatedly sends a ping to a broadcast IP address of a network that can receive and respond to directed broadcast messages (called a smurf amplifier), with the target machine as the source of the ping. The target’s bandwidth is filled with these packets. Tools: Smurf (ICMP), Fraggle (UDP), and Papasmurf (ICMP and UDP) (available: ). List of Smurf Amplifiers: www.netscan.org </li></ul>
152. 155. <ul><li>DDoS Attacks : Attacker takes over victim machines (called Zombies) and installs software that waits for commands from the attacker. The attacker can then tell the zombies to start a DoS attack on the target. Tool: TFN2K (available: www.packetstormsecurity.nl/groups/mixter/index2.html ) This tool allows the attacker to choose which type of packet to use in the DDoS attack. It also allows IP spoofing, communication via Echo Reply packets, and running a single command simultaneously on all zombies. </li></ul>
  153. 156. Phase 4: Maintaining Access
  154. 157. Backdoor Kits <ul><li>Active: Used by an intruder at any time that they wish. </li></ul><ul><li>Passive: Set to trigger themselves according to a predetermined time or system event. </li></ul>
155. 158. Backdoor Kit Selection <ul><li>This is dependent upon the type of network security in place. </li></ul><ul><li>Two basic architectural categories: </li></ul><ul><ul><li>Packet filter </li></ul></ul><ul><ul><li>Proxy firewall </li></ul></ul>
156. 159. Trojan Horses <ul><li>A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves. </li></ul><ul><li>Used to introduce a hole or backdoor into a system’s security posture. </li></ul><ul><li>Trojans spread due to the technological necessity to use ports; lower ports are used by Trojans that steal passwords, while higher ports are used by remote-access Trojans that can be reached over the Internet, network, VPN or dial-up access. </li></ul>
  157. 160. Trojan Horse Backdoor Tools Back Orifice
  158. 161. Back Orifice Remote Administration System which allows an intruder to control a computer across a TCP/IP connection using a simple console or GUI application. Gives its user more control of the target computer than the person at the actual keyboard has.
  159. 162. Back Orifice Server Functionality <ul><li>Get detailed system information, including: </li></ul><ul><li>current user </li></ul><ul><li>cpu type </li></ul><ul><li>windows version </li></ul><ul><li>memory usage </li></ul><ul><li>mounted disks and information for those drives </li></ul><ul><li>screensaver password </li></ul><ul><li>passwords cached by the user </li></ul>
  160. 163. Controls and Abilities <ul><li>File system control Copy, rename, delete, view, and search files and directories. File compression and decompression. </li></ul><ul><li>Process control List, kill, and spawn processes. </li></ul><ul><li>Registry control List, create, delete and set keys and values in the registry. </li></ul>
  161. 164. <ul><li>Multimedia control Play wav files, capture screen shots, and capture video or still frames from any video input device (like a Quickcam). </li></ul><ul><li>Network control View all accessible network resources, all incoming and outgoing connections, list, create and delete network connections, list all exported resources and their passwords, create and delete exports. </li></ul>
  162. 165. <ul><li>Packet redirection Redirect any incoming TCP or UDP port to any other address & port. Application redirection Spawn most console applications (such as on any TCP port, allowing control of applications via a telnet session. </li></ul><ul><li>HTTP server Upload and download files on any port using a www client such as Netscape. </li></ul><ul><li>Integrated packet sniffer Monitor network packets, logging any plaintext passwords that pass. </li></ul><ul><li>Plugin interface Write your own plugins and execute the native code of your choice in BO's hidden system process. </li></ul>
  163. 166. NetCat <ul><li>A simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. </li></ul><ul><li>Designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. </li></ul><ul><li>Part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions. </li></ul>
  164. 167. It provides access to the following main features: <ul><li>Outbound or inbound connections, TCP or UDP, to or from any ports </li></ul><ul><li>Full DNS forward/reverse checking, with appropriate warnings </li></ul><ul><li>Ability to use any local source port </li></ul><ul><li>Ability to use any locally-configured network source address </li></ul><ul><li>Built-in port-scanning capabilities, with randomizer </li></ul><ul><li>Built-in loose source-routing capability </li></ul><ul><li>Can read command line arguments from standard input </li></ul><ul><li>Slow-send mode, one line every N seconds </li></ul><ul><li>Hex dump of transmitted and received data </li></ul><ul><li>Optional ability to let another program service established connections </li></ul><ul><li>Optional telnet-options responder </li></ul>
  165. 168. Port-Scanning <ul><li>Netcat accepts its commands with options first, then the target host, and everything thereafter is interpreted as port names or numbers, or ranges of ports in M-N syntax. </li></ul><ul><li>For each range of ports specified, scanning is normally done downward within that range. </li></ul><ul><li>If the -r switch is used, scanning hops randomly around within that range and reports open ports as it finds them. </li></ul>
  166. 169. Traditional Root Kits
  167. 170. Root Kits <ul><li>Used by an intruder to prevent his/her detection on the system he/she has compromised. </li></ul><ul><li>Generally contains network sniffers, log-cleaning scripts, and trojaned replacements of core system utilities such as ps, netstat, ifconfig, and killall. </li></ul><ul><li>Installs a backdoor remote-access daemon, such as a modified version of telnetd or sshd. These will often run on a different port than the one that these daemons listen on by default. </li></ul><ul><li>Most rootkits also come with modified system binaries that replace the existing ones on the target system. </li></ul>
  168. 171. /bin/login Replacement <ul><li>When logging onto a UNIX machine, the /bin/login program runs. </li></ul><ul><ul><li>Used to gather and check user ID and password </li></ul></ul><ul><li>The Rootkit replaces the /bin/login with a modified version that includes a backdoor password. </li></ul>
  169. 172. Detecting Backdoors: Example <ul><li>System Administrator runs the /bin/login routine through strings. </li></ul><ul><ul><li>Strings: a UNIX program that shows all sequences of consecutive characters in a file. </li></ul></ul><ul><li>If an unfamiliar sequence is found, it may be a backdoor. </li></ul>
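The strings-based check from the slide, as an added example that is not from the presentation: a minimal strings(1) equivalent plus a comparison of the suspect binary's strings against a baseline taken from a known-clean copy, so that sequences the clean /bin/login never contained stand out. The two byte strings standing in for a clean and a trojaned login binary are constructed for the example (a real baseline comes from install media, not from the suspect host).

```python
import re
import sys


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as strings(1): every run of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def unexpected_strings(binary: bytes, baseline: set) -> list:
    """Strings present in the binary under test but absent from the clean baseline.

    An unfamiliar path or password-looking token here is the 'unfamiliar sequence'
    the slide talks about. A trojaned login that stores its backdoor password
    obfuscated will not show up this way; compare file hashes against a trusted
    package database as well.
    """
    return sorted(set(extract_strings(binary)) - baseline)


# Constructed stand-ins: a few bytes that look like an ELF header followed by the
# strings one would expect in login, and the same file with extra strings added.
CLEAN_LOGIN = (b"\x7fELF\x01\x01\x00" + b"login: " + b"\x00\x00" + b"Password: "
               + b"\x00" + b"/etc/passwd" + b"\x00" + b"/bin/sh" + b"\x00\x00")
TROJANED_LOGIN = (CLEAN_LOGIN + b"\x00" + b"/usr/lib/.backdoor.log" + b"\x00"
                  + b"opens3same" + b"\x00")


def check_sample() -> list:
    """Baseline from the clean copy, then list what the trojaned copy adds."""
    baseline = set(extract_strings(CLEAN_LOGIN))
    return unexpected_strings(TROJANED_LOGIN, baseline)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python check_login.py <clean-copy> <suspect-copy>
        clean = set(extract_strings(open(sys.argv[1], "rb").read()))
        suspect = open(sys.argv[2], "rb").read()
        for s in unexpected_strings(suspect, clean):
            print("unexpected:", s)
    else:
        print("sample:", check_sample())
```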
  170. 173. Sniffers <ul><li>Are used to gather passwords for other systems and listen to traffic for sensitive information. </li></ul><ul><li>Rootkits set the promiscuous mode on the target machine's network interface card, enabling the sniffer to listen to a variable-sized network. </li></ul>
171. 174. Hidden Sniffers <ul><li>Ifconfig shows information such as IP addresses, network mask and MAC addresses. </li></ul><ul><li>By running ifconfig, one can detect a sniffer by looking for the PROMISC flag. </li></ul><ul><ul><li>Rootkits therefore replace ifconfig with a trojaned version that never shows the PROMISC flag. This prevents the System Administrator from detecting the RootKit. </li></ul></ul>
172. 175. Kernel-Level Rootkit <ul><li>The most severe threat to system security that can be caused by a rootkit comes from those that deploy LKM (Loadable Kernel Module) trojans. </li></ul><ul><li>LKMs are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation. </li></ul><ul><li>Kernel rootkits do not replace system binaries; they subvert them through the kernel. </li></ul>
  173. 176. Subverting the kernel <ul><li>There are two ways that a rootkit can subvert the kernel to perform actions on behalf of an intruder: </li></ul><ul><ul><li>Loading a kernel module </li></ul></ul><ul><ul><ul><li>The Linux kernel (and many other operating systems) can load kernel modules at runtime. This allows an intruder to insert a module that overrides kernel syscalls in order to return incorrect values </li></ul></ul></ul><ul><ul><li>Writing to /dev/kmem </li></ul></ul><ul><ul><ul><li>By writing to /dev/kmem it is possible to overwrite the kernel at runtime, and thus perform any arbitrary modification. </li></ul></ul></ul>
  174. 177. Atypical Methods to Subvert the Kernel <ul><li>Adore-ng by Stealth employs the Virtual FileSystem layer of the kernel. This works by replacing the existing handler routines for providing directory listings of the /proc and the / filesystems, and registering its own routines instead. Userspace programs use the /proc filesystem to obtain information on running processes. In this way both processes and files can be hidden. </li></ul>
  175. 178. Detecting Kernel Rootkits <ul><li>To get a list of kernel modules, two standard methods can be used: </li></ul><ul><ul><li>bash$ lsmod </li></ul></ul><ul><ul><li>bash$ cat /proc/modules </li></ul></ul><ul><li>Unfortunately, being a kernel module, an LKM rootkit can easily defeat such efforts by a variety of methods. </li></ul>
176. 179. Programs <ul><li>This is a non-exhaustive list of programs that are useful for the detection of kernel modifications in a running system. </li></ul><ul><ul><li>kern_check.c (PGP signature: kern_check.c.asc ) is a small command-line utility (for Linux 2.2.x, 2.4.x) that will compare your against your kernel's syscall table and warn about any inconsistencies. </li></ul></ul><ul><ul><li>In case of compilation failure, you may want to make sure that your kernel headers are found, using: </li></ul></ul><ul><ul><ul><li>bash$ gcc -O2 -Wall -I/usr/src/mykernel/include -o kern_check kern_check.c </li></ul></ul></ul>
  177. 180. CheckIDT <ul><li>CheckIDT is a utility that can be used to list the Interrupt Descriptor Table and save the current state to check its integrity later on. Currently there is no published real rootkit that uses the IDT, only proof-of-concept code. </li></ul>
  178. 181. Check-ps <ul><li>Utility that can detect hidden processes if the killscan option is used. It will only work if there are processes that are hidden by the rootkit. It will not detect a rootkit that is lying dormant, waiting for someone who uses a backdoor provided by the rootkit. </li></ul>
  179. 182. Phase 5 Covering Tracks and Hiding
  180. 183. Altering Event Logs <ul><li>Deleting specific event from the log files to avoid detection. </li></ul><ul><li>In Windows NT/2000 : Could just delete the log files, but that would look suspicious. Instead, there are tools that can be used to change the log files, like WinZapper (available: </li></ul><ul><li>toolbox/winzapper ). </li></ul>
  181. 184. <ul><li>In UNIX : </li></ul><ul><ul><li>Check the syslogd file configuration to see where log files are kept </li></ul></ul><ul><ul><li>Since log file is written in ASCII, attacker can use any text editor to change contents. </li></ul></ul><ul><ul><li>To alter the accounting files (utmp, wtmp, and lastlog), attacker must use a tool that can read and edit the special binary format the files are saved in (tools available at: ). </li></ul></ul><ul><ul><li>UNIX shell history files contain a list of all of commands entered into the command line (may be edited with a text editor). </li></ul></ul>
182. 185. Creating Hidden Files and Directories <ul><li>In UNIX : Begin the file name with a period. The ls command will not display files whose name begins with a period ("."). Also, name the file either ". " (dot space) or ".. " (dot dot space) so that the user mistakes it for the current or parent directory. </li></ul>
183. 186. <ul><li>In Windows NT/2000 : Right click the file, and view the properties. Check the box that says hidden. Another method is to add a stream to a file that already exists by using the cp program in the Windows NT Resource Kit: C:\>cp stuff.txt notepad.exe:data Thus, the stuff.txt file is tacked on to notepad.exe as the hidden stream named data. </li></ul>
  184. 187. Covert Channels <ul><li>Disguised communication methods that an attacker uses to connect to a system with a backdoor across a network. The client must be on the attacker’s machine and the server must be on the target machine. </li></ul><ul><li>Methods: Tunneling, Using the TCP and IP Headers to Carry Data </li></ul>
185. 188. Tunneling <ul><li>Allowing one protocol to be carried over another </li></ul><ul><li>Tools: Loki (available: www.phrack.com ) and Reverse WWW Shell (available: www.thc.org/releases ) </li></ul>
  186. 189. <ul><li>Loki : can provide shell access over ICMP, making the connection difficult to detect. Client puts commands in ICMP packets and sends them to servers, which decode the packets. In the network, this just looks like a bunch of ICMP packets: Ping, Ping Response, Ping, Ping Response, etc. Note: will not show up on a port scan. </li></ul>
  187. 190. <ul><li>Reverse WWW Shell : provides shell access over HTTP </li></ul><ul><ul><li>Attacker must get Reverse WWW Shell server on target machine </li></ul></ul><ul><ul><ul><li>Server goes to the client, pulls commands, executes them, and pushes the results </li></ul></ul></ul><ul><ul><ul><li>Attacker is able to pull a command shell </li></ul></ul></ul><ul><ul><li>From the network perspective, it appears that the target is just surfing the Web </li></ul></ul><ul><ul><li>Useless when the user must authenticate to access the internet. </li></ul></ul>
188. 191. Using the TCP and IP Headers to Carry Data <ul><li>Store data in unused fields of protocol headers. Tool: Covert_TCP (available: www.firstmonday.dk/issues/issue2_5/rowland ) </li></ul><ul><li>Covert_TCP enters data into the IP identification, TCP sequence number, and TCP acknowledgement number fields. The program can be either client or server, and the attacker can specify which header field should be used to transmit the information. </li></ul>
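A detector for the IP identification variant described above, written as an added example (not code from the presentation or from Covert_TCP): it pulls the 16-bit ID field out of captured IPv4 headers and checks whether a flow's IDs read as text under two assumed encodings, one ASCII character per packet stored either raw or multiplied by 256. The header builder exists only to construct the sample flows; the addresses and the assumed encodings are the example's own.

```python
import socket
import struct


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(ident: int, src: str = "192.0.2.1", dst: str = "192.0.2.2") -> bytes:
    """Build a minimal 20-byte IPv4 header for constructed sample traffic
    (protocol TCP, DF set, total length 40, valid checksum)."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0x4000, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def ip_id(packet: bytes) -> int:
    """Extract the Identification field (header bytes 4-5) of an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return struct.unpack("!H", packet[4:6])[0]


def decode_id_channel(packets) -> dict:
    """Try to read the ID fields of one flow as text.

    Assumed encodings (one character per packet): the ASCII value placed in the
    ID field as-is, or multiplied by 256. A flow that decodes cleanly under
    either scheme deserves a closer look; a normal stack emits a counter or
    random values here. Very short flows whose counter happens to sit in the
    printable range can false-positive, so treat this as a triage signal.
    """
    ids = [ip_id(p) for p in packets]
    result = {"ids": ids, "raw": None, "scaled": None}
    if ids and all(0x20 <= i <= 0x7E for i in ids):
        result["raw"] = "".join(chr(i) for i in ids)
    if ids and all(i % 256 == 0 and 0x20 <= i // 256 <= 0x7E for i in ids):
        result["scaled"] = "".join(chr(i // 256) for i in ids)
    return result


# Constructed flows: one carrying "hi" in the ID field (scaled by 256) and one
# whose IDs look like an ordinary incrementing counter.
COVERT_FLOW = [ipv4_header(ord(c) * 256) for c in "hi"]
NORMAL_FLOW = [ipv4_header(i) for i in (40201, 40202, 40203)]

if __name__ == "__main__":
    print("covert flow:", decode_id_channel(COVERT_FLOW))
    print("normal flow:", decode_id_channel(NORMAL_FLOW))
```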