Computer & Network Hacker Exploits, Step by Step, Part 2
Slide 2: Stages of an Attack
- Target Selection
- Reconnaissance
- Penetration
- Internal operations, keeping the connection
Slide 3: IP Fragmentation Attacks
Slide 4: IP Fragmentation (Penetration - IP Fragments)
- Useful in getting around packet filters in routers and firewalls
- Also useful in avoiding detection by network-based Intrusion Detection Systems (IDSs)
- Recall how packet filtering (firewall) works:
  - It allows tcp source_address to destination_address using a specific port number
  - It implicitly denies all others
Slide 5: [Diagram: Attacker, Firewall, IDS and Server, with Port 80 and Port 23 marked on the path; the IP addresses were not preserved]
Slide 6: IP Fragmentation Attacks
- IP allows packets to be broken down into fragments for more efficient transport across various media
- The TCP packet (and its header) is carried in the IP packet
- Two attacks are possible:
  - Tiny fragment attack
  - Fragment overlap attack
Slide 7: Normal IP Fragmentation
To support different transmission media, IP allows a single large packet to be broken up into smaller packets, called fragments. The higher-level protocol carried in IP (usually TCP or UDP) is split up among the various fragments.
[Diagram: one IP packet carrying a TCP segment, split into a series of IP fragments each carrying part of the TCP data]
Slide 8: Tiny Fragment Attack
Make a fragment small enough that the TCP header is split between two fragments. The port number will then be in the second fragment.
[Diagram: the same fragment series, with the TCP header divided across the first two fragments]
Slide 9: Tiny Fragment Attack
- The tiny fragment attack is designed to fool a firewall or packet filter by creating an initial fragment that is very small. It is so small, in fact, that it does not contain the TCP port number. Instead, the TCP port number follows in the second packet.
- Because the packet filter is looking for the port number to make filtering decisions, it may allow the tiny initial fragment to pass through. It may also allow the second fragment (which includes the rest of the TCP header, including the port number) through. Furthermore, an IDS may not process the fragments properly and therefore may not notice the attack.
Slide 10: Tiny Fragment Attack
- When the packets are reassembled at the protected server, they will go to a port that should have been filtered by the packet filter system (e.g., telnetd listening on port 23).
- Some packet filters avoid this problem by dropping fragments so small that they do not include the TCP header port number.
Slide 11: [Diagram: the Attacker sends Fragment 1 (part of the TCP header) and Fragment 2 (the rest of the TCP header) through the Firewall and IDS; at the filter the TCP port is unknown; at the Server all IP fragments are reassembled]
Slide 12: IP Fragment Overlap Attack
- A more insidious fragment attack is the fragment overlap attack. For this scenario, the attacker creates two fragments for each IP packet. One fragment has the TCP header, including the port number for a service allowed by the filter (e.g., http, TCP port 80). The second fragment has an offset value that is a lie. The offset is too small, so that when the fragments are reassembled, the second fragment overwrites part of the first, in particular the part of the first fragment that includes the port number.
[Diagram: the two fragments, the second positioned to overlay the first]
Slide 13: Fragment Overlap Attack
[Diagram: Attacker, Firewall, IDS, Server. Fragment 1: the packet is for port 80; the filter says "TCP port 80, OK!". Fragment 2: the packet says it is for port 80, but carries an offset, say 12, so after overlaying the TCP header will read port 23; to the filter the second IP fragment is just a fragment of the first, and that is OK too. At the Server all IP fragments are reassembled.]
In the second fragment, lie about the offset from the first fragment. When the packet is reconstructed at the protected server, the port number will be overwritten.
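The two checks a packet filter needs in order to reject both fragment attacks, as an added example that is not part of the original slides: it flags a first fragment too small to hold a full TCP header (the defense on slide 10) and any later fragment whose byte range overlaps one already seen (the overlap attack above), before applying the usual port rule. The Fragment layout, the sample fragment sets and the allowed-port set are constructed here.

```python
import struct
from dataclasses import dataclass

TCP_MIN_HEADER = 20   # bytes of TCP header a filter must see to read ports and flags
FRAG_UNIT = 8         # the IP Fragment Offset field counts 8-byte units

@dataclass
class Fragment:
    offset: int       # Fragment Offset field value (8-byte units)
    more: bool        # More Fragments (MF) flag
    payload: bytes    # transport-layer bytes carried after the IP header

def is_tiny_first_fragment(frag, min_len=TCP_MIN_HEADER):
    """Tiny fragment attack: the first fragment (offset 0) is too small to
    carry a complete TCP header, so the filter cannot inspect the whole header."""
    return frag.offset == 0 and frag.more and len(frag.payload) < min_len

def find_overlaps(frags):
    """Return (earlier, later) byte ranges that intersect, in arrival order.
    The overlap attack depends on a later fragment rewriting bytes that an
    earlier fragment, the one the filter inspected, already supplied."""
    seen, overlaps = [], []
    for f in frags:
        start = f.offset * FRAG_UNIT
        end = start + len(f.payload)
        for s, e in seen:
            if start < e and s < end:
                overlaps.append(((s, e), (start, end)))
        seen.append((start, end))
    return overlaps

def filter_verdict(frags, allowed_ports=frozenset({80})):
    """Hardened filter policy: drop tiny first fragments and any overlap
    before trusting the destination port read from the first fragment."""
    first = next((f for f in frags if f.offset == 0), None)
    if first is None:
        return "drop:no-first-fragment"
    if is_tiny_first_fragment(first):
        return "drop:tiny-fragment"
    if find_overlaps(frags):
        return "drop:overlap"
    _src, dst = struct.unpack("!HH", first.payload[:4])
    return "allow" if dst in allowed_ports else f"deny:port-{dst}"

def tcp_header(dst_port, src_port=40000):
    """Constructed 20-byte TCP header with only the port fields filled in."""
    return struct.pack("!HH", src_port, dst_port) + b"\x00" * 16

# Constructed fragment sets (sample data, not captures from the slides).
NORMAL = [Fragment(0, False, tcp_header(80) + b"GET / HTTP/1.0\r\n")]
TELNET = [Fragment(0, False, tcp_header(23) + b"login")]
HDR24 = tcp_header(80) + b"\x00" * 4          # 24 bytes, so 8-byte aligned
TINY = [Fragment(0, True, HDR24[:8]), Fragment(1, False, HDR24[8:] + b"data")]
# second fragment starts at byte 8 and rewrites bytes 8..23 of the header seen
OVERLAP = [Fragment(0, True, HDR24), Fragment(1, False, b"X" * 16)]
```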
Slide 14: IP Fragment Attack Tools
- Fragrouter can be used to create nasty fragmentation attacks
  - Written by Dug Song
  - With fragrouter, all packets entering one interface go out the other interface fragmented
  - The attacker can specify how fragmentation will occur
  - Helps bypass some packet filters and avoid intrusion detection systems (IDSs)
  - You can also send the packets through a multi-homed (multi-network) host, so the packets appear to be coming from multiple hosts!
Slide 15: Fragrouter
- Numerous fragment attack types are supported by fragrouter:
  - frag-1: Send data in ordered 8-byte IP fragments.
  - frag-2: Send data in ordered 24-byte IP fragments.
  - frag-3: Send data in ordered 8-byte IP fragments, with one fragment sent out of order.
  - tcp-1: Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte segments.
  - tcp-5: Complete TCP handshake, send data in ordered 2-byte segments, preceding each segment with a 1-byte null data segment that overlaps the latter half of it. This amounts to the forward-overlapping 2-byte segment rewriting the null data back to the real attack.
  - tcp-7: Complete TCP handshake, send data in ordered 1-byte segments interleaved with 1-byte null segments for the same connection but with drastically different sequence numbers.
Slide 16: Sniffers
Slide 17: Sniffers
- Sniffers gather all information transmitted across a line
  - For broadcast media (ethernet), this allows an attacker to gather passwords, etc.
  - On ethernet, all data is broadcast on the LAN segment
- Switched ethernet limits data to a specific source and destination port on a switch
- Sniffers are among the most common hacker tools. They gather traffic off the network, which an attacker can read in real time or squirrel away in a file.
Slide 18: Sniffers
- Many attacks are discovered only when a sniffer log consumes all available file space.
- When an ethernet interface is gathering all traffic, it is said to be in "promiscuous mode".
- Traditional ethernet, usually implemented with a hub, is a broadcast medium: it broadcasts all data to all systems connected to the LAN segment. Therefore, traditional ethernet is inherently sniffable.
Slides 19-21: [Diagrams: Broadcast Ethernet, where the hub repeats every frame ("Blah, blah, blah") to every attached station; Switched Ethernet, where the switch delivers a frame only to the station it is addressed to]
Slide 22: Sniffers
- Switched ethernet does not broadcast all information to all links of the LAN segment. Instead, the switch is more intelligent than the hub and, by looking at the destination MAC address, sends the data only to the required port on the switch. Switched ethernet is only sniffable in limited ways.
Slide 23: Snifferz
- There are countless examples of sniffers out there:
  - es - freeware (ships with SunOS and Solaris rootkits)
  - Linsniff - freeware (ships with Linux rootkits)
  - Websniff - freeware
  - tcpdump - freeware
  - snoop - distributed with Solaris
  - Network Associates - commercial
  - Shomiti Surveyor - commercial
- Another very good sniffer is snort, by Martin Roesch
  - h-roesch/security.html
  - Very powerful scripting capabilities
  - Doubles as a lightweight Intrusion Detection System
Slide 24: Used by hackers
- Sniffers are particularly useful in what is known as an "Island Hopping Attack", named after the U.S. strategy in the Pacific theater during WWII. Island hopping attacks involve an attacker taking over a single machine through some exploit (e.g., a hole found in sendmail, a weak CGI script, etc.). Then the attacker installs a sniffer on this victim machine.
Slide 25: Sniffer uses in attack
- With the sniffer on the first victim, the attacker observes users and administrators logging on to other systems on the same LAN segment or on other segments of the network. The sniffer gathers these userIDs and passwords, allowing the attacker to take over more machines. By installing sniffers on these additional machines, more and more passwords can be captured. Starting from a sniffer on a single system, the attacker can take over many systems.
Slide 26: Sniffit
- Written by Brecht Claerhout, available at:
  - -coder/sniffit/sniffit.html
- Runs on Linux, Solaris, IRIX, FreeBSD, and SunOS
- Interactive interface, or it can run in the background
- You must be root to run it
- Gathers an inventory of connections and lets you "zoom in" on particular sessions
- Filtering capabilities
  - Based on IP, port numbers, etc.
- You can configure it to gather just telnet or ftp userIDs
Slide 27: Sniffer Defense
- Keep attackers off the box in the first place
- Use switched ethernet on critical segments
  - DMZ!!!
  - PKI system
  - Sensitive internal networks
- Antisniff
  - Can detect sniffers across the network by analyzing changes in latency, etc.
Slide 28: Session Hijacking - HUNT
Slide 29: Session Hijacking
- Tools which allow an attacker to:
  - Steal, share, terminate, monitor, or log any terminal session that is in progress
- Allow the attacker to move around the network with ease
- Sessions are stolen across the network
- Sessions stolen at the originating machine
  - Bypass all forms of strong authentication and Virtual Private Networks
Slide 30: Session Hijacking
- Session hijacking tools are particularly nasty. They allow an attacker to grab an interactive login session (e.g., telnet, rlogin, ftp, etc.). The victim usually notices that his/her session disappears ("Darn network trouble!"). The user will likely just try to log in again, not knowing that the session wasn't dropped; it was stolen.
Slide 31: [Diagram: Alice telnets to Bob to do some work. Eve is on a segment of the LAN where she can sniff, or at a point in the path.]
Slide 32: [Diagram: Alice telnets to Bob to do some work ("Hi, I am Alice"). Eve uses a session hijacking tool to observe the session; the attacker can monitor and generate packets with the same sequence number. At Eve's command, the session hijacking tool jumps in and continues the session with Bob. The attacker can kick Alice off and make any changes on Bob. The logs will show that Alice made the changes.]
Slide 33: Session Hijacking: ACK Storms
If the attacker just jumps in on a session and starts to spoof packets, the sequence numbers between the two sides will get out of synch. As the two sides try to resynchronize, they will resend SYNs and ACKs back and forth trying to figure out what's wrong, resulting in an ACK storm.
[Diagram: Alice and Bob repeatedly exchanging SYN (A, SNa) / ACK (SNb) and SYN (B, SNb) / ACK (SNa)]
Slide 34: ACK Storm
- Alice and Bob will get very confused, however, when they notice that their sequence numbers are out of synch. Alice will continue to resend messages again and again, consuming a good deal of bandwidth in what is known as an "ACK storm".
- Eve can still interact with Bob using the spoofed address during the ACK storm, but performance will suffer as Alice and Bob thrash over the sequence number issue. Eve can prevent this by launching a denial of service against Alice so that there is no thrashing over sequence numbers, and hence no ACK storm.
Slide 35: Session Hijacking Tools
- Hunt
  - Very well written
  - Authored by Kra (Pavel Krauz)
  - Automatically sniffs connections
  - Allows insertion of commands...
  - ...or just plain takeover of the session
- It handles ACK storms
Slide 36: HUNT's ARP Spoofing
- To avoid the ACK storm, Eve either does a denial of service attack against Alice or, more interestingly:
- Hunt allows for Address Resolution Protocol (ARP) spoofing, to mask the fact that the systems have gotten out of synch!! Very clever!
- Hunt lets the attacker set his/her machine up as a relay for all traffic going between Alice and Bob, using ARP spoofing.
Slide 37: [Diagram: Alice and Bob, with IP=a.b.c.d MAC=AA.AA and IP=w.x.y.z MAC=BB.BB; Eve, MAC=CC.CC, sends gratuitous ARP broadcast messages: "ARP w.x.y.z is at DD.DD" and "ARP a.b.c.d is at EE.EE"]
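An arpwatch-style check for the gratuitous ARP messages shown above, added here and not taken from Hunt or the slides: it tracks IP-to-MAC bindings, raises an alert when an address it already knows suddenly claims a different MAC, and models a static ARP table entry that such a reply cannot overwrite (the defense on slide 42). The addresses, MACs and ArpPacket layout are constructed.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class ArpPacket:
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str

def is_gratuitous(pkt):
    """Gratuitous ARP: the sender announces its own IP to the whole segment."""
    return pkt.sender_ip == pkt.target_ip

@dataclass
class ArpMonitor:
    """Watches ARP traffic and keeps an IP->MAC table. Entries in `static`
    model a static ARP table (or a no-overwrite cache): they are never replaced."""
    static: dict = field(default_factory=dict)
    table: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # (kind, ip, old_mac, new_mac, gratuitous)

    def __post_init__(self):
        self.table.update(self.static)

    def observe(self, pkt):
        ip, mac = pkt.sender_ip, pkt.sender_mac
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac                  # first sighting: learn it
        elif known != mac:
            if ip in self.static:
                kind = "static-mismatch"          # pinned entry wins; spoof ignored
            else:
                kind = "flip-flop"                # an unprotected cache is now poisoned
                self.table[ip] = mac
            self.alerts.append((kind, ip, known, mac, is_gratuitous(pkt)))

def run(packets, static=None):
    """Feed a packet list to a fresh monitor and return it for inspection."""
    mon = ArpMonitor(static=dict(static or {}))
    for pkt in packets:
        mon.observe(pkt)
    return mon

# Constructed sample traffic modelled on the slide: Alice and Bob resolve each
# other normally, then Eve broadcasts gratuitous replies claiming Bob's address
# is at DD.DD and Alice's at EE.EE (MACs that belong to nobody on the segment).
ALICE_IP, ALICE_MAC = "192.0.2.10", "aa:aa:aa:aa:aa:aa"
BOB_IP, BOB_MAC = "192.0.2.20", "bb:bb:bb:bb:bb:bb"
SAMPLE = [
    ArpPacket("request", ALICE_IP, ALICE_MAC, BOB_IP, "00:00:00:00:00:00"),
    ArpPacket("reply", BOB_IP, BOB_MAC, ALICE_IP, ALICE_MAC),
    ArpPacket("reply", BOB_IP, "dd:dd:dd:dd:dd:dd", BOB_IP, BROADCAST),
    ArpPacket("reply", ALICE_IP, "ee:ee:ee:ee:ee:ee", ALICE_IP, BROADCAST),
]
```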
Slide 38: Other Session Hijacking Tools
- Juggernaut
  - Allows for monitoring of connections, insertion of a single command, or takeover
  - Very similar to Hunt, but much more buggy
- TTYWatcher
  - Many advanced features (log, steal, watch, etc.)
  - Runs at the end host
  - User friendly
Slide 39: Other Session Hijacking Tools
- IPWatcher
  - Commercial software
  - But the crackers steal it
  - Nice graphical interface
Slide 41: Session Hijacking Defenses
- Encrypt the session and use strong authentication.
- Unfortunately, if the originating host is compromised, strong authentication and encrypted paths do not help, because the session is stolen at the originating machine!
- Defense: be very careful with incoming connections. Be even more careful with management sessions to your critical infrastructure components
  - Firewalls!!! Don't telnet to the firewall
  - PKI!!! Don't telnet to the CA
- Utilize strong authentication and an encrypted path for such management
  - Secure Shell (ssh) or a Virtual Private Network
Slide 42: Where to get secure shell?
- To prevent ARP poisoning, use static ARP tables on sensitive systems
- Solaris can have a 20 minute "no overwrite" set on ARP caches.
- Always use a secure session to talk to your security components and your infrastructure (routers, etc.)
Slide 43: Domain Name System (DNS) Cache Poisoning
Slide 44: DNS Cache Poisoning
- The Domain Name System (DNS)
  - Critical component of the Internet
  - Maps names to addresses, among other things (e.g., the Internet address of a host, or the mail server for SAIC)
- Is this important?
- YOU BET IT IS!
- "Almost all business that gets done over the Internet wouldn't get done without DNS"
  - Paul Albitz & Cricket Liu, authors of DNS & BIND
Slide 45: [Diagram: Client, Local Nameserver, Root Name Server, .com Name Server and the domain's Name Server. The root returns a referral to .com, .com returns a referral to the domain's server, which returns the answer!]
Clients use a "resolver" to access DNS servers. The most common DNS server is BIND, the Berkeley Internet Name Domain. DNS servers query each other.
Slide 46: DNS Cache Poisoning
- Additional notes on DNS:
  - Each DNS query has a Query ID
  - This Query ID is often predictable based on earlier Query IDs
  - Also, to lower traffic requirements, DNS servers will cache answers
- Poor man's DNS attack
  - Gee, that's not very fun!
  - Let's look at something more interesting
Slide 47: DNS Cache Poisoning
- The tool "jizz" allows for a more elaborate DNS attack
  - DNS cache poisoning
Slides 48-51: [Diagram: DNS cache poisoning, step by step. Participants: Alice, a happy bank customer; Alice's unsuspecting DNS server; Evil's attacker name server, owned by Evil; Alice's online bank, which Alice wants to access. Steps 1 to 10 run between Alice, her DNS server and Evil; most of the query and response text was not preserved. Step 3: Evil stores the query ID. Step 6: spoofed answer. Step 8: in cache: w.x.y.z. Step 9: w.x.y.z. Step 10: "Let's Bank!!!!"]
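A toy resolver model, added here and not BIND's code, showing why the predictability of the Query ID decides steps 3 to 8 above: the resolver accepts an answer only if its ID and question match a query it has pending, so a sequential ID can be guessed from the one the attacker stored, while a random 16-bit ID leaves the guess with one chance in 65536. Names, addresses and the two ID generators are constructed.

```python
import secrets
from itertools import count

class Resolver:
    """Minimal caching resolver. A response is accepted only when its Query ID
    and question match an outstanding query; that ID is the only thing telling
    a legitimate answer from a spoofed one arriving first."""

    def __init__(self, next_id):
        self.next_id = next_id        # callable returning a 16-bit Query ID
        self.pending = {}             # Query ID -> name being resolved
        self.cache = {}               # name -> cached address

    def send_query(self, name):
        """Emit a query and remember its ID (what Evil observes in step 3)."""
        qid = self.next_id()
        self.pending[qid] = name
        return qid

    def receive(self, qid, name, address):
        """Return True if the answer matched a pending query and was cached."""
        if self.pending.get(qid) != name:
            return False              # unknown ID or wrong question: dropped
        del self.pending[qid]
        self.cache[name] = address
        return True

def sequential_ids(start=1000):
    """Predictable IDs: each query uses the previous ID plus one."""
    c = count(start)
    return lambda: next(c) & 0xFFFF

def random_ids():
    """Hard-to-predict IDs, the upgrade recommended on the defense slide."""
    return lambda: secrets.randbelow(1 << 16)

def spoofed_answer_accepted(resolver, observed_qid, name, address):
    """Steps 4 to 8 in the model: after storing one Query ID, Evil sends an
    answer for `name` carrying the guessed next ID while the real query is
    still pending. Returns whether the resolver cached the bogus address."""
    guess = (observed_qid + 1) & 0xFFFF
    resolver.send_query(name)
    return resolver.receive(guess, name, address)

BANK = "bank.example"      # constructed names and addresses, not from the slides
BOGUS = "192.0.2.66"       # stands in for the slide's w.x.y.z
```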
Slide 52: DNS Cache Poisoning Defense
- Use a hard-to-predict Query ID
  - Upgrade BIND
  - Available, but not widely deployed yet
- Use split split (yes, that's split split) DNS
  - Have a different DNS server resolve names for insiders, and not respond to outside queries at all
  - Use a separate DNS server for responding to queries for externally accessible stuff
  - The best current solution
- Digitally sign DNS records
  - The (likely) eventual solution - DNSSec - will be deployed some day
Slide 53: DNS Cache Poisoning Defense
- Use SSL with server-side authentication for important transactions (HTTPS); this involves user education
- Although not part of this exploit, protect your DNS server, for goodness sakes!
  - Harden the OS
  - Cryptographically sign DNS database files
  - Use suspicious activity detection software
- Use Tripwire or MD5 hashing on your DNS server database.
Slide 55: Rootkits