Intruders

About This Presentation

Title:

Intruders

Description:

Intruders. Panom Navanukroh CISSP, CISA, CISM. Outline ... Predictable IP ID Idle Scans in Nmap. SYN. SYN-ACK, with IP ID = X. 1. 2. 3. Remember IP ID = X ... – PowerPoint PPT presentation

Number of Views:208

Avg rating:3.0/5.0

Slides: 92

Provided by: V260

Category:

more less

Transcript and Presenter's Notes

Title: Intruders

1

Intruders

Panom Navanukroh CISSP, CISA, CISM
2
Outline

Get the whole picture
Intrusion techniques
Intrusion detection
Password management
Email attack
Denial of Service Attacks

Get the whole picture

4
Presentation Outline

Purpose General Trends
Step 1 Reconnaissance
Step 2 Scanning
Step 3 Gaining Access
Step 4 Maintaining Access
Step 5 Covering the Tracks
Conclusions

5
A Quote from One of Historys Greatest Hackers

If you know the enemy and know yourself, you need
not fear the result of a hundred battles.
If you know yourself but not the enemy, for every
victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you
will succumb in every battle.
Sun Tzu, The Art of War

6
Purpose

Were not here to teach you how to hack.
However, to defend yourself, you must understand
your adversaries strategies and tactics
We will discuss prominent recent advances in
computer attack techniques
To gain an understanding of how to defend
against new attacks
We are not endorsing these attack tools
But you have to be ready to defend against them
We will also discuss a variety of useful
defensive tools but check to make sure you have
permission to use them! Talk to the system
owners

7
General Trends The Storm after the Quiet

For six months, we saw a major drop in the
release of new vulnerabilities and attack tools
after September 11, 2001
Shock over terrorism
Fear of law enforcement and PATRIOT Act
Concern about DMCA

Sept 11, 2001
March 2002
Now
The gloves are off! Major new attacks and tools
Relatively quiet
8
General Trends Software Distro Site Attacks

Trojaning software distribution sites
Hack into web/ftp site and alter software to
include backdoor
Everyone who downloads and uses the tool is
impacted!
May, 2002 issri.org - IRC client compromised
May 17-24, 2002 Monkey.org - Dsniff, Fragroute,
and Fragrouter hacking tools compromised
July 30 August 1, 2002 Openssh.org, OpenSSH
security tool compromised
Sept 28 - Oct 6, 2002 ftp.sendmail.org, sendmail
mail server compromised
Nov 11-13, 2002 tcpdump.org, tcpdump sniffer and
libpcap
Some pretty big names have fallen to this attack!
What to do?
Check hashes across multiple mirrors
Dont put new software directly into production
test first!

9
Tcpdump Trojan
10
Tcpdump Trojan Horse Details

Interesting Notes
A, D, and M for commands where do those
characters come from?
Why TCP port 1963?
Similarity to sendmail Trojan and others
Shoveling shell, pushing out a connection that is
really incoming command shell access
More easily gets through firewalls
The sniffer itself wont show traffic destined
for the backdoor (OUCH!)

11
Presentation Outline

Purpose General Trends
Step 1 Reconnaissance
Step 2 Scanning
Step 3 Gaining Access
Step 4 Maintaining Access
Step 5 Covering the Tracks
Conclusions

12
Reconnaissance

Many Script Kiddies skip this step
The best attackers do comprehensive
reconnaissance
Adrian Lamo claims that Google is is favorite
hacking tool
Useful public information is plentiful
Admin names, addresses, phone numbers, financial
info, business partners
Job requisitions
Technologies in use, IP addresses, DNS servers,
network topology, open ports, etc
Portals for reconnaissance and attacks
www.allwhois.com - Registration data for over 66
countries
www.samspade.org - Ping, DNS, traceroute, etc.
www.attackportal.net - Misc. recon and attack
tools

13
Reconnaissance Defenses

Look for information leakage from your systems
before the bad guys find it
Conduct reconnaissance against your own
environment
Use the same tools as the bad guys but be
careful!
If you use their web sites or tools for searches,
they could monitor your actions
Probably best not to do this from your production
network
Do it from a separate ISP

14
Presentation Outline

Purpose General Trends
Step 1 Reconnaissance
Step 2 Scanning
Step 3 Gaining Access
Step 4 Maintaining Access
Step 5 Covering the Tracks
Conclusions

15
Why Port Scanning?

TCP and UDP each have ports
Servers listen on ports
They act like doors - Data goes out one port and
into another port
Attacker wants to know which ports are open
Lets focus on TCP port scanning
Most common protocol on top of IP its used by
HTTP, telnet, FTP, and many other services
TCP uses the three-way handshake

SYN
B
A
SYN-ACK
ACK
Connection
16
Normal Port Scanning

Attackers send SYN packets, and watch for SYN-ACK
responses to indicate a listening port
Downside for attacker The scan can be traced
back to the attackers machine using the source
IP address

SYN to TCP Port 1
TARGET
SYN to TCP Port 2
SYN to TCP Port 3
Eureka! Port 3 is Listening!
SYN-ACK from Port 3
17
What if Attacker Spoofs Source Address?
Syn to TCP Port 1
Syn to TCP Port 2
TARGET
Syn to TCP Port 3

Not very useful, because SYN-ACK responses dont
come back to attacker
The attacker cant figure out if the port is open
or closed, so the port scan is a waste of time

SYN-ACK from Port 3
RESET!!!
Response goesto the address the attacker is
spoofing.
18
IP Identification Field Predictability

The IP Identification field in the IP Header is
used for packet fragmentation
Used to group all fragments together for packet
reassembly
If there are no fragments, theIP stack assigns
some value to this field
When some systems send packets, they just
increment the IP ID fieldby one for each packet
Each packet gets an IP ID valuethat is one
bigger than previouspackets value

19
Predictable IP ID Idle Scans in Nmap
TARGET
3
Remember IP ID X
2
SYN-ACK, with IP ID X
1
SYN
Machine That Gets Framed
20
IP Identification Scanning(A.K.A. Idle
Scanning)
Spoofed Syn to TCP Port 3
TARGET
4
7
5
SYN
6
SYN-ACK from Port 3
RESET, IP ID X1
8
Machine That Gets Framed

ANALYZE STEP 8!
If IP ID of step 8 is X2, the port is listening.
If IP ID of step 8 is X1, the port is closed.

SYN-ACK
21
Scanning - Paketto Keiretsu

Suite of tools for doing TCP/IP tricks
By Dan Kaminsky
Released October 8, 2002
Available at http//www.doxpara.com/
One capability Very rapid port scanning
Separate the packet sender process from receiver
Sender transmits packets as quickly as network
will carry them
Receiver sniffs responses
Sender and receiver out of synch, but thats ok
The idea could be extended

Attacker
Sndr
Rcvr
SYN- ACKs
SYNs
22
Port Scanning Defenses

Action item
Run netstat na to see whats listening (on UNIX
and Windows)
Alternatively, use Fport on Windows and Lsof on
UNIX
For those services you dont need, close unused
ports
Disable unneeded services
In Windows Check Start?Programs?Administrative
Tools?Services
In UNIX Check /etc/rc.d/init.d and /etc/xinetd
For incident handling, realize that these scans
are possible

23
Presentation Outline

Purpose General Trends
Step 1 Reconnaissance
Step 2 Scanning
Step 3 Gaining Access
Step 4 Maintaining Access
Step 5 Covering the Tracks
Conclusions

24
Gaining Access Detailed Code Analysis Tools

Consider recent months major holes in Apache,
Internet Explorer, OpenSSL, OpenSSH, Sendmail,
Snort the list keeps growing!
Weve seen a recent revolution in detailed
vulnerability analysis tools
Used to find buffer overflows, heap overflows,
etc.
Think of these tools as X-Rays or microscopes to
look inside executable code at a fine grained
level
Look for common mistakes that let an attacker
take over a system
Step through machine language code, line by line
To learn more about such tools, check out the
Honeynet Project Reverse Challenge at
http//www.honeynet.org/reverse/

25
Code Analysis Tools - Windows
26
Code Analysis Tools - UNIX
27
Code Analysis Tools - Both

People used to say that closed source was more
secure because attackers couldnt analyze it as
much
This is increasingly less true because of tools
like these!

28
SQL Slammer

So, how are they propagating their exploits?
Increasingly, they are using worms
Remember SQL Slammer?
January, 2003 Fast-spreading worm on the rampage
Patch SQL Server!
Am I running it?
Very hard to tell
Many products use it, and Microsoft doesnt make
it easy to detect

29
SQL Slammer Impact

Took much of South Korea off of the Internet for
several hours
Ironically, this limited its spread
By clogging links, the worm couldnt spread as
quickly to the outside world
One Emergency 911 call center was taken off line
Over 13,000 ATM (Money Machines) offline in North
America
Some airlines cancelled a few flights

30
SQL Slammer Characteristics

Why did SQL Slammer cause such damage?
People didnt know they were running the
Microsoft SQL service
Fast spread via small size and UDP
Only 376 bytes
Attacked Microsoft SQL Service which uses UDP

31
Worm Efficiencies and TCP vs. UDP

To establish sequence numbers, TCP uses a
three-way handshake to initiate a connection
UDP doesnt

SYN
SYN-ACK
ACK
Connection
Packet
A
Packet
32
UDP-based Worms
Three-way Handshake
Worm Spread via TCP
Worm Spread via UDP

Analogy Spreading a cold in Grand Central
Station
TCP Shake everyones hand
UDP Lob infected ping pong balls

33
Defenses Against Code Flaws Worms

Keep your systems patched, with a well-defined
process for
Learning about new patch availability
Acquiring and authenticating patches
Testing patches in a non-production environment
Rolling patches into production
Write secure code!
Education of software developers
Good book for Windows Writing Secure Code, by
Howard and Leblanc
Good stuff for UNIX http//www.dwheeler.com/secur
e-programs/ by D. Wheeler
Automated software checking tools
ITS4 www.cigital.com/its4/download.html
RATS www.securesoftware.com/rats.php
Flawfinder www.dwheeler.com/flawfinder/

34
Presentation Outline

Purpose General Trends
Step 1 Reconnaissance
Step 2 Scanning
Step 3 Gaining Access
Step 4 Maintaining Access
Step 5 Covering the Tracks
Conclusions

35
Trojan Horse Backdoors
Traditional RootKit
Kernel-level RootKit
Application-level
good login
good ps
good ifconfig
good tripwire
Evil App
Trojan login
Trojan ps
Trojan ifconfig
good tripwire
good program
good program
good program
good program
Kernel
Trojan Kernel Module
Kernel
Kernel
36
Maintaining Access Trojan Horse Backdoors

New even stealthier Application-Level Trojan
Horse Backdoors
Setiri Written by Roelof Temmingh and Haroon Meer
Code shown August, 2002 no release scheduled
Standard functions
Upload file, execute program, download file
Uses invisible IE browser window and OLE to
communicate with browser to send data to attacker
over HTTPS
If personal firewall allows browser to send
traffic to the Internet, backdoor can communicate
with attacker
Also gets through NAT, proxies, and stateful
firewalls

37
Setiri Architecture
HTTPS
HTTPS
Connection Broker (Web Server with Attackers CGIs
)
Anony- mizer
Anony- mizer
HTTPS
HTTPS
..
Firewall
STEP 1 Attacker somehow installs Setiri on
victim machine
Victim
Attacker
38
Kernel Level RootKits

An area that continues to get attackers
attention is the kernel-level RootKit
By operating in the kernel, the attacker has
complete control of the target machine
Hidden processes
Hidden files
Hidden network use (sniffing and port listeners)
Execution redirection
Three ways of implementing
Loadable Kernel Module
Patch kernel image on hard drive
Alter kernel in memory on running system!
Yikes!!!

39
Maintaining Access Defenses

Block access to Anonymizer.com
Works for base Setiri tool and relatives, but
attacker could use another anonymous proxy or
connection broker
Still, its a pretty reasonable idea
Anti-virus tools
Look for signatures in near future
Browser vendors (ahem) possibly looking at
limiting actions of invisible browser
Additionally, protect your kernel!
St. Michael for Linux, by Tim Lawless, at
www.sourceforge.net
Okena and Entercept for Windows and Solaris

40
Presentation Outline

Purpose General Trends
Step 1 Reconnaissance
Step 2 Scanning
Step 3 Gaining Access
Step 4 Maintaining Access
Step 5 Covering the Tracks
Conclusions

41
Covering Tracks withThe Defilers Toolkit

Forensics now faces anti-forensics
The Coroners Toolkit is very popular, along with
its descendent, TASK (www.atstake.com)
The Defilers Toolkit attempt to confuse
forensics investigations
Targets Linux Ext2fs file system, but ideas could
be extended to other platforms
By anonymous, released July, 2002
Available at http//www.phrack.com/show.php?p59a
6

42
Defilers Toolkit

Data hiding
Bad blocks in ode points to blocks that dont
function properly
Attacker associates good blocks with the bad
block inode and stores data there
Carve out a segment of your hard drive and label
it bad
Drive appears smaller, but TCT wont look in the
bad blocks
Data destruction with Necrofile
Undelete tools remove just the data, not the
meta-data (inodes and directory entries)
Necrofile scrubs inodes clean, based on
deletion time criteria
Data destruction with Klismafile
Directory entries show deleted filenames and
sizes
Klismafile searches for these entries and scrubs
them

43
Defending Against The Defilers Toolkit

The Coroners Toolkit, as cool as it was, is a
bit outdated
Turn toward a more recent descendant of TCT, TASK
to get a better look at forensics data
In investigations, dont forget to look in blocks
marked bad!
There could be some very useful data hidden in
there

44
Presentation Outline

Purpose General Trends
Step 1 Reconnaissance
Step 2 Scanning
Step 3 Gaining Access
Step 4 Maintaining Access
Step 5 Covering the Tracks
Conclusions

45
Conclusions

Remember good ol Sun Tzu
Attackers keep improving their capabilities and
tools
Dont get discouraged
We must keep up with them
Understand their techniques
Deploy, maintain, and update effective defenses
Consider it an intellectual challenge with job
security
Just remember It is the Golden Age
By remaining diligent, we can secure our systems!

Intrusion Techniques

47
Intruders

Three classes of intruders (hackers or crackers)
Masquerader unauthorized person exploiting a
legitimate users account
Misfeasor authorized user accessing unautorized
objects or misusing privileges
Clandestine user a person seizing supervisory
control of the system

48
Password Related Intrusion

System maintain a file that associates a password
with each authorized user. Intruder shall try to
access passwords in the file!
Password file can be protected with
One-way encryption non-revesible!
Access Control file should not be accessible
directly

49
Password Guessing

Techniques for guessing passwords
Try default passwords.
Try all short words, 1 to 3 characters long.
Try all the words in an electronic dictionary
(60,000).
Collect information about the users hobbies,
family names, birthday, etc.
Try users phone number, social security number,
street address, etc.
Try all license plate numbers (MUP103).
Use a Trojan horse
Tap the line between a remote user and the host
system.
Prevention Enforce good password selection!

50
Typical Stages of Network Intrusion

1. Scan the network to
locate which IP addresses are in use,
what operating system is in use,
what TCP or UDP ports are open (being
listened to by Servers).
2. Run Exploit scripts against open ports
3. Get access to Shell program which is suid
(has root privileges).
4. Download from Hacker Web site special versions
of systems files that will let Cracker have free
access in the future without his CPU time or disk
storage space being noticed by auditing programs.
5. Usually, try to boast about the
accomplishment, e.g. use IRC (Internet Relay
Chat) to invite friends to the feast.

Intrusion Detection

52
Intusion Detection

The intruder can (hopefully) be identified and
ejected from the system.
An effective intrusion detection can prevent
intrusions.
Intrusion detection enables the collection of
information about intrusion techniques that can
be used to strengthen the intrusion prevention
facility.

53
Intrusion Detection Statistical

Statistical anomaly detection collecting data on
behavior of legitimate users, then statistical
tests are applied to observed data
Threshold detection defining thresholds
independent of users
Profile based a profile of each user is
developed and used to detect changes in behavior

54
Profiles of Behavior of Intruders and Authorized
Users
55
Intrusion Detection Rule-based

Rule based detection defining a set of rules to
decide if a given behavior is of an intruder
Anomaly detection developing rules to detect
deviation from previous usage patterns use past
behaviors
Penetration identification using an expert
system approach to search for suspicious behavior
use experts knowledge (on exploits, etc.)

56
(Some) Measurements Usable for Intrusion
Detection

Login frequency by day and time.
Frequency of login at different locations.
Time since last login.
Password failures at login.
Execution frequency.
Execution denials.
Read, write, create, delete frequency.
Failure count for read, write, create and delete.

57
(No Transcript)
58
(No Transcript)
59
The Base-Rate Fallacy

Practically an intrusion detection system needs
to detect a substantial percentage of intrusions
with few false alarms
if too few intrusions detected -gt false (sense
of) security
if too many false alarms -gt ignore / waste time
This is very hard to do due to the nature of
probabilities involved!

60
Bayes' Theorem

When we have mutually exclusive events E1, E2, ,
En, and an arbitrary event A, we have
Bayes' theorem can then be stated as

61
The Base-Rate Fallacy Demonstration

Given the accuracy of an IDS of 90 and the
incidence of intrusion in our system being 10,
what is the rate of false alarm?

62
Distributed Intrusion Detection
Developed at University of California at Davis
63
Distributed Intrusion Detection
64
Honeypots

Decoy systems
to lure attackers away from accessing critical
systems
to collect information of their activities
to encourage attacker to stay on system so
administrator can respond
are filled with fabricated information
are instrumented to collect detailed information
on attackers activities
may be a single machine or multiple networked
systems ? Honeynet

Intrusion Techniques

66
Password Management

A password is needed to accompany a user id in
order for a legitimate user to gain access to
his/her system.
Need to protect the passwords from falling in the
hands of bad guys!
Password guessing
Password capturing
Social engineering
This protection must be done both on the system
and by the users!

67
Windows -Password Representations

LM hashes
Old technology used on LAN Manager
NT hashes
A.k.a., Unicode password or MD4 hash
Used for authentication on more recent Windows
systems
Cached credentials
Derivation of NT hash
Stored User Names and Passwords
Calling application decides on representation

68
LM Hash Generation

Padded with NULL to 14 characters
Converted to upper case
Separated into two 7 character strings

SEATTLE
1
Seattle1

Key
Key
DES
DES
Constant
Constant
LM Hash
Concatenate
69
LM Hash Considerations

Its not a hash
Limited character set
Common alphanumeric set only
Case insensitive
142 symbols
Padded to exactly 14 characters
Actually two seven-character passwords
Maximum number of passwords 6.81012
Unsalted

70
Salting

Prevents deriving passwords from password file
Stored representation differs
Side effect defeats pre-computed hash attacks

Alicerootb4ef213ba4303ce24a83fe0317608de02bf38d
Bobroota9c4fa3282abd0308323ef0349dc7232c349ac
Cecilroot209be1a483b303c23af34761de02be038fde08
Same Password
71
NT Hash Generation

Hash the password
Store it

MD4
unicode Pwd
Seattle1
72
NT Hash Considerations

Case preserving
65,535 symbols
Maximum length 127 characters
Number of 14-character passwords, same char set
as LM hash 4.61025
Number of 14-character password (full char set)
2.71067
Number of 127-character passwords 4.910611
Unsalted

73
Cached Credentials Generation

Stored at logon
Managed by LSA
Hash of a hash

Unicode Pwd
Username
MD4
Concatenate
Cached Creds.
74
UNIX Password Scheme
Loading a new password
75
UNIX Password Scheme
Verifying a password file
76
Storing UNIX Passwords

UNIX passwords were kept in in a publicly
readable file, etc/passwords.
Now they are kept in a shadow directory and
only visible by root.

77
Salt

The salt serves three purposes
Prevents duplicate passwords from showing up the
same in the encrypted form.
Effectively increases the length of the password.
Prevents the use of hardware implementations of
DES in cracking the password since Unix uses a
modified DES with salt called cryp(3) function
which does the encryption 25 times.

78
(No Transcript)
79
Four Types of Attack