Ch 4 Hacking Exposed

About This Presentation

Title:

Ch 4 Hacking Exposed

Description:

– PowerPoint PPT presentation

Number of Views:588

Avg rating:3.0/5.0

Slides: 116

Provided by: alex139

Category:

more less

Transcript and Presenter's Notes

Title: Ch 4 Hacking Exposed

1
Ch 4 Hacking Exposed
2
Contents (I)

Part I
Type of threats structured and unstructured
Source of threats internal and external
Types of hackers Hacker, Cracker and Script
Kiddie
Hacking processes Reconnaissance, Exploiting the
System, Uploading Programs, Downloading Data,
Keeping Access and Covering Tracks

3
Contents (II)

Part II Email attack
Typical email attacks
Factors that make virus spread
Types of Virus
Types of Worm
How to protect email clients
How to protect email

4
Contents (III)

Part 3 TCP/IP Hacking
Sniffing
Spoofing
Hijacking
ARP attacks
RARP attacks

5
Contents (IV)

Part 4 Measures to mitigate attacks
Types of malicious codes
Others attacks
Countermeasures Anti-virus, Scanner, apply
patches, user awareness education

6
Types of threats in infoSec

There are basically two types of threats
Structured threats
Unstructured threats
There are two sources of threats
internal threats
external threats
In recent survey conducted by the Computer
Security Institute (CSI), 70 of organizations
polled stated that their network security
defenses had been invaded. Amongst these attacks,
60 of the incidents came from within the
organizations.

7
Structured threats

Structured threats come from attackers that are
highly motivated and technical competent.
These attackers have the technical proficiency to
understand existing tool, adapt current hacking
tools, and create new custom tools.

8
Unstructured threats

Most unstructured attackers are moderately
skilled attackers
driven by personal gratification.
A small percentage of these attacks are malicious
in nature, but the impact can be significant.
Numerous hacking tools and scripts available on
Internet sites
Intellectual curiosity drives many novice hackers
to download these tools and experiment with them
Others get a moment of excitement by breaking
into computers.

9
External threats

External threats are carried out by those outside
an organization through intentional or
unintentional activities such as the followings
Thrill seeker
Competitors
Enemies
Thieves
Spies
Hostile former employees
Others

10
Internal threats

Internal threats are perpetrated by those inside
an organization through intentional or
unintentional activities such as the following
Current employee with malicious intention
Current employee with unintentional activities
Employees who mis-manage the environment
employees who do not use safe passwords or who
mis-configure network equipment out of ignorance
Legitimate users accessing networked services
that would normally be restricted to them (i.e.
log-on abuse)

11
Threats to Information System
12
Hacker, Cracker and Script Kiddie

We refer to an individual who attempts to access
network or computer resources without
authorization as network intruder, or intruder.
The intruder can be further classified a hacker,
a cracker or Script Kiddies
Hacker a person who investigates the integrity
and security of an OS or network. Hacker usually
is a person uses advanced knowledge of hardware
and software to hack system. The hacker often
shares his knowledge with others, usually over
the Internet. The hacker does not have malicious
intent.
Cracker a person who use advanced knowledge of
networks to probe or compromise network security
without authorization. The cracker usually has
malicious intent.
Script Kiddies - crackers who use scripts and
program written by others to perform their
intrusion

13
White Hat and Black Hat

Hacker people breaks into system or tried to
crash the system
White Hat Hackers with skills to do the right
thing
Black Hat Hackers referred as the bad guys with
criminal intent
Grey Hat someone in between white and black
usually without criminal intent
Others definition
White Hat hacker
Black Hat cracker
Grey Hat script kiddies (someone do some damage
without criminal intent)
Hacktivism - hacking for political reasons

14
Skills that hackers need

Programming language
C, C, Java, perl, JavaScript
Operation system Linux, MS-Windows
e.g kernels function, process and daemon, MS
Components Object Model (COM)
LAN and Internet Technology
IP address, subnetting, NFS etc
Network protocol
TCP/IP, SMTP, POP3, IMAP etc

15
Attackers physical routes

There are ways for a hacker to access a
network/system
by using a compromised computer within the
network, that is, within the network
by connecting over the Internet - get more
popular due to popularity of Internet, as well as
the speed.
by dialing in via a Remote Access Server (RAS) -
getting less common as company are using VPN.
by connecting via a non-secure wireless network
unsecure physical protect, such as unlock sever
room, unsecure bacup-tapes etc

16
Attackers logical routes

TCP/IP ports
TCP / IP is weak in security
Weak password
due to human nature
Social Engineering
due to people do not take information security
seriously
Covert Channels
human is the weakest link in all information
security

17
Attackers Route (Ports)

Some of the ports that interest attackers are
21 FTP
23 Telnet
25 SMTP
53 DNS
79 Finger
80 HTTP
110 POP
111 Sun RPC
137-139 NETBIOS

18
Attackers Route (Password)

Problems
Employees generally have very weak passwords.
E.g. girl friends name, birthday.
Ever worse, passwords are never changed and old
account are not deleted.
All these factors make passwords attack one of
the easiest way for an attacker to breach a
company.
On the other hand, passwords are one of the
easiest thing to secure as it is already built
into the system.

19
Attackers Route(Password)
Password cn7XhlYn

Strong password characteristics
Change every 45 days.
Minimum length of 10 character.
Contains at least one alpha, one number, and one
special character.
Alpha, number, and special characters must be
mixed up and not appended to the end.
E.g. oazcn56 is bad, n7aodfnk is good
Cannot contain dictionary words
Cannot reuse the previous five passwords
Minimum password age of ten days
After five failed logon attempts, password is
locked for several hours.

20
Attackers Route(Social Engineering)

One of the most easily cheated element in system
security is human.
Social Engineering is basically convince people
to give you information they normally would not.
Usually you pretending to be someone else. E.g.
network administrator.

21
Social engineering - 1

The art and science of getting people to comply
to your wishes.
Not a form of mind control
Lots of groundwork
Information-gathering
Idle chit-chat
Amusing accents
Most of the work is in preparation

22
Social engineering - 2

Is the highest form of hacking
Can be very easy
Often yields largest rewards
Natural human desire to help leaves us vulnerable
And can undermine all technical countermeasures

23
Social engineering - 3

Categories of exploits
Direct request
Usually the least likely to succeed
Contrived situation
Additional factors the target must consider
Dressing the part
Service person, employee, carry clipboard
Personal persuasion
Increase voluntary compliance
Make target believe he/she is in control

24
Attackers Route(Covert Channels)

It involves a trusted insider who is sending
information to an unauthorized outsider in a
covert fashion.

25
Hackers Process

The ways a hacker break in a system may varies,
but usually consist of the following 5 stages
target selection
information gathering
Passive Reconnaissance
Active Reconnaissance
attack
gaining Access
denial of Services
keeping access
get away covering tracks
Sometimes known as 5Ps
probe, penetrate, persist, propagate and paralyze

26
Target selection information gathering

Target selection
gather information from network without sending a
single packet
IP address range, or business assets
tools WHOIS, ARIN and DNS lookup
http//www.arin.net http//www.networksolutions.c
om/whois
Passive Reconnaissance
The most popular type of passive attacks through
network is sniffing
Not necessarily through the network
e.g. Listen to people talking about their
companys business and policy in coffee-shop.

27
Target selection information gathering (2)

Active Reconnaissance
gathering information in a more forceful active
way
A typical example is port scanning
Counter-measure
This is a critical moment to detect the intruder
as active action usually expose his trace.
Logging (e.g. firewall data logging, data access
logging) is the key component in opposing this
type of attack

Port scanning software, in its most basic state,
simply sends out a request to connect to the
target computer on each port sequentially and
makes a note of which ports responded or seem
open to more in-depth probing.

29
Target selection information gathering (3)

Some of key information that interest most
hackers are
Accessible host
Locations of Routers and Firewall
Operating system running on key system
Ports that are open
Services that are running
Versions of applications that are running

30
Attacks

There are two major types of attacks
Gaining Access
elevating privileges
download data
upload program/data via Trojan Horse program or
worm
Denial of Services
methods
Ping of Death
floods (e.g. syn-floods)
buffer over-flow

31
Attacks - Gaining Access - 1

There are several ways of gaining access to a
system
Operating System Attacks
Most operating system are non-secure after
install by default
Application-Level Attacks
Many software are not well tested before release
because of the very tight schedule.
Script and sample program attacks
More common in UNIX platform
Mis-configuration attacks
Remove any unneeded services or software.
Concentrate in secure remaining core components

32
Attacks - Gaining Access - 2

Gain root or administrator privilege by gaining a
minimal amount of access
e.g. login with guest account and then elevate
that to full access
tools password cracking utility
John the Ripper, L0phtcrack, etc to decrypt
password files

33
Attacks - Uploading Program

Usually the attackers will upload two kinds of
software to the target computers
in a form of Trojan Horse
Increase access
E.g. After gaining access to a system as normal
user, upload and run a program that can exploit a
weakness in the OS so as to gain root privilege.
Tools that will be used to compromise other
systems.
E.g. launch attack to another computer through
the victim machine so as to increase the
difficulty of being traced.
Some of the tools used by hacker requires
significant processing power.

34
Attacks - Download Data

Usually, information is the ultimate goal of
attacks.
Target
commercial secret, common in corporate espionage
user account file that may contained encrypted
passwords etc
If you cannot detect an attacker when he is
downloading the data, usually you have no chance
of stopping the attack after the data has been
downloaded. The remainder of the attack (e.g.
analysis of the captured password files) can be
done offline.

35
Attacks - Denial of Service (DoS)

As its name implied, this attack aims at denying
legitimate users access to a network resource.
e.g block users from reaching a particular web
sit.
eBay, Yahoo and many large web services were
brought down in Feb 2000
since then, many commercial IDS has large number
of signatures help to detect and stop this type
of attacks
Sometimes, advanced hackers use these types of
attacks to cover their more complicated attacks
e.g. Disable the service of a the DNS server and
replace it with another fake DNS server so as to
redirect the users to fake site so as to get the
users password.)

It is much easier to disrupt a system than to
gain access
A DoS attack can be done by overwhelming any of
the following
Network
Disk space
CPU cycles
Memory buffers

37
Attacks - DoS Floods

Floods are the simplest type of DoS that simply
using up network/computer resource such as BW and
CPU power, for example
SYN-Floods
exploit the connection mechanism of TCP.
When a TCP session is opened, the requesting
client transmits a SYN message to the hosts
requesting service, and the receiving server
responds with a SYN-ACK message accepting the
connection

38
Attacks - DoS Floods

The client then finishes establishing the
connection by responding with an ACK message.
The connection between the client and the server
is then open, and the service-specific data can
be exchanged between the client and the server

39
Attacks - DoS Floods

The potential for abuse arises at the point where
the server system has sent an acknowledgment
(SYN-ACK) back to client but has not yet received
the ACK message.
This is what we mean by half-open connection.
The server has built in its system memory a data
structure describing all pending connections.
This data structure is of finite size, and it can
be made to overflow by intentionally creating too
many partially-open connections.
Creating half-open connections is easily
accomplished with IP spoofing.

40
Keeping Access

Put a back door so that the attacker can return
whenever he want.
Ways of putting a back door
Adding an account to the system
Overwrite a system file with one that has a
hidden feature. Usually referred to as Trojan
Versions.
Running a Trojan Horse Program every time the
victim start the machine.

41
Get away covering tracks

In some case like the corporate espionage, they
dont need step 4 very often.
It is more important for hackers to cover his
tracks
Methods
Clean up the log files
Note only those items relating to the attack.
Turn off logging as soon as the attacker gain
access to the machine.

42
Summary of hacker activities -1

target selection information gathering
Passive Reconnaissance sniffing packet
Active Reconnaissance port scanning
attack - exploiting the System
download (trade secret) and upload data (web
page)
Gaining Access, Denial of Services
keeping access (plant a torjan)
get away covering tracks (erase log)

43
Summary of hacker activities -2

Attackers physical route
Internet, LAN, RAS (via PSTN), WLAN, weak door
lock
Attackers logical route
Ports (common port are opened which may attract
hackers)
Password (length of password, dictionary attack)
Social engineering (divulgation and infiltration)
Covert Channels

44
Part 2 Malicious software attack

Typical email attacks
Factors that make virus spread
Types of Virus
Types of Worm
How to protect email clients
How to protect email server

45
email attacks

Internet is very much prone to attack
Worm is able to spread because many system
blindly trusted each other
Internal software components of each server also
blindly trust each other
application that make things simple can cause
problem. Automatically open attachment with
attachment panes
unchecked system bugs

46
typical email attacks virus - 1

binary file that requires human intervention in
order to spread (e.g. download, double-click or
transfer with floppy-disk)
RFC 1135 state A virus is a piece of code that
inserts itself into a host, including OS, to
propagate. It cannot run independently. It
requires that its host program be executed to
activate it.

47
typical email attacks virus - 2

Here are some examples of virus
File virus Most viruses fall into this
category. A virus attaches itself to a file,
usually a program file.
Boot sector virus These viruses infect floppy
and hard drives. The virus program will load
first, before the operating system.
Macro Virus This is a new type of virus that
use an application's own macro programming
feature to distribute themselves. Unlike other
viruses, macro viruses do not infect programs
they infect documents.

48
typical email attacks worm

Worm
spreads to other system with little or no user
intervention. Spread itself upon activation once.
RFC 1135 states A worm is a program that can
run independently, will consume the resources of
its host and/or network from within in order to
maintain itself, and can propagate a complete
working version of itself on to other machines.
current anti-virus software classify worm as
worm as code propagates between host
virus as code propagates only within a single
host
Note there are malicious do both!!

49
Recent virus / worm attacks - 1

Email virus W32/Mydoom (alias W32.Novarg.A_at_MM,
WORM_Mimail.R_at_MM)
It is a mass mailing worm and it spreads itself
via infected email attachments in emails with a
spoofed sender address.
The virus will arrive in a file attachment with
file extensions of .zip, .bat, .cmd, .exe, .pif
and .scr.
Once infected, the virus will start sending
infection emails with a spoofed email address
from the local PC.
Email virus W32/Bagle
it is a mass mailing worm
it spreads itself via infected email attachments
in emails with a spoofed sender address
once infected, the virus will start sending
infection emails with a spoofed email address
from the local PC.

50
Recent virus / worm attacks - 2

Email virus W32/SoBig.F,
One of the most widespread virus in the world
It had created massive email outages globally
since it was found.
The virus spreads itself via infected email
attachments in emails with a "spoofed" sender
address.
Total amount of infected emails seen in the
Internet since this attack started is close to
100 million.
CodeRed took about 13 hours to infect hundred of
thousands (actual figure not known).
SQL Slammer only took 10min to reach the same
effect as CodeRed
based on 404-byte UDP packet

51
Factors that make virus spread

single network make it easier to spread (vs.
heterogeneous network)
network with standard mail user agent (e.g. MS
outlook is now installed application in MS
Windows)
Operation System with facilities that users
configurable features, such as Component Object
Model.
Ubiquitous Network that use TCP/IP
Other attacks Blaster, Nachi that exploited the
vulnerability of RPC services of Windows System
required access of TCP port 135-139
not usually open for Internet but via VPN

52
Other attacks Trojan

code disguised as innocent program but behave in
an unexpected, usually malicious manner
example electronics greeting cards, chain letter
strictly speaking, a trojan horse is NOT a virus
because it does not replicate like ordinary
viruses do.
limitation user needs to be convinced to
accept/run them
defense dont run programs that you dont know

53
Common Trojan - 1

Back Orifice 2000
BO2K allows outsiders to access and modify any
information on a Windows 95, 98 and NT machines
through an invisible server program installed by
the program.
Back Orifice
allows an intruder to monitor and tamper with
Windows 95 and Windows 98 computers over the
Internet. There is no easy way for a computer
user to know the attack is taking place, and
there is no easy way to stop the attack once Back
Orifice has installed itself on the computer.

54
Common Trojan - 2

NetBus
NetBus is a remote administration tool, much like
the infamous Back Orifice tool.
However, Netbus predates Back Orifice by several
months and is also capable of working under
Windows NT in addition to Windows 95 and 98.
Netbus allows a hacker to access data and gain
control over some Windows functions on remote
computer system.

55
Anatomy of malicious code

two components
propagation
delivery mechanism is the method the code spreads
itself. In old days, floppy disk, now Internet
via email or web-pages
payload
code that executed if triggered.
e.g. Michelangelo virus
delete your hard-disk partition tables
some virus have no payload, or have no harmful
code for that machine, it only infect and spread

56
Types of virus

Boot sector virus
Move data within the boot sector or overwrite the
sector with new information
Stealth virus
Hides the modifications that it has made to files
or boot records.
Polymorphic virus
Produces varied but operational copies of itself.
Multipart virus
Infects both the boot sector of a hard drive and
executable files.
Self-garbling virus
Attempts to hide from antivirus software by
garbling its own code. As the virus spreads, it
changes the way its code is encoded.
also known as polymorphism or virus mutating

57
Types of Worm - 1

True worm
requires no human intervention to spread.
function only on a homogeneous network
require worm to be written with programming
language same as the email server.
rare, as it requires high skills

58
Types of Worm - 2

Protocol worm
uses a transport protocol, such as TCP/IP to
spread
Spread without human intervention
e.g. Morris worm (1988)
name after its creator Robert Morris
exploited a buffer overflow in fingerd and used
debug commands in sendmail to break into system
running Berkeley UNIX

59
Types of Worm (3)

Hybrid worm
requires a low level of user intervention to
spread, but also acts like a virus
behave like viruses in that they deliver a
payload
exhibits worm behavior, able to spread
automatically from system to system
e.g. Melissa (1998) and and its loveletter
variants, bubbleBoy and lifeStages
a macro in Word Document_open()
when user open infected word document
it will check if email application is Outlook, if
so, composing a list of the first 50 email
addressed found in the users address book, and
send the email using victims name.
attach itself to the email in one-line

60
Clues for Malicious Code

File size increase
Many unexpected disk accesses
Change in file update or modified timestamp
Sudden decrease in hard drive space
Unexpected and strange activity by applications

61
How to protect email clients

should have a corporate strategy and security
policy
at various levels for anti-spamming and
anti-virus
Purchasing an anti-virus package
scanning attachments can take time and processor
speed
may not able to find new virus if application is
not updated regularly.
Obtaining a personal firewall
tell you the IP address and/or resolved IP
address
filter out TCP/IP related packet
Disable a system from sending and/or receiving
email
Disable a system to forward email
encrypting your email transmission install
applications such as PGP

62
How to protect email server

Hardening the email servers OS
lock down unnecessary port, upgrading your system
using latest, stable server patches and bug
fixes change default settings
Place your system behind a firewall
disallow email relaying
configuring the sever to allow connections from
certain host only
email-scanning
scan the body of email message help to protect
email users, MTA and MDA
attachment scanning
scan all attachment. Applications to block out
attachment suspect contain virus. For conscious
admin, the option is to disallow email attachment.

63
Part 3 TCP/IP Hacking
64
Special IP Addresses

As source and destination address
Loopback interface 127.X.X.X (usually 127.0.0.1)
As source address
netid0, hostid0 or hostidXXX this host on
this net (used in special cases such as booting
procedures)
As destination address
All bits set to 1 local broadcast
netid hostid with all bits set to 1
net-directed broadcast to netid
Reserved private addresses (RFC 1597)
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

65
Local Area Network Attacks

A number of kinds of attack in LAN
Sniffing
Spoofing
Hijacking
ARP attacks
RARP attacks

66
Why Sniffing?

Many protocols (TELNET, FTP, POP, HTTP) transfer
authentication information in the clear text
By sniffing the traffic, it is possible to
collect usernames/passwords, files, mail, etc.

67
Why Spoofing?

IP spoofing is used to impersonate sources of
security-critical information (e.g., a DNS server
or a NIS server)
IP spoofing is used to exploit address-based
authentication
it is a common way to launch DoS attack

68
Hijacking

Sniffing/Spoofing is the base for hijacking
The attacker waits for an client request
Races against legitimate host when producing a
reply
ARP-, UDP-, and TCP-based variations of this
attack exist

69
Detecting Sniffers on your Network

Sniffers are typically passive programs
They put the network interface in promiscuous
mode and listen for traffic
They can be detected by programs / commands such
as
ifconfig
eth0 Link encapEthernet HWaddr 00104BE2F64C
inet addr192.168.1.20 Bcast192.168.1.255
Mask255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU1500
Metric1
RX packets1016 errors0 dropped0 overruns0
frame0
TX packets209 errors0 dropped0 overruns0
carrier0
collisions0 txqueuelen100

70
ARP , RARP -1

The address resolution protocol (ARP) is a
protocol used by the Internet Protocol (IP) to
map IP network addresses to the hardware
addresses used by a data link protocol. It is
used when IP is used over Ethernet.
Physical machine in a local area network can
request to learn its IP address from a gateway
server's Address Resolution Protocol (ARP) table
or cache.

71
ARP , RARP -2

A network administrator creates a table in a
local area network's gateway router that maps the
physical machine (or Media Access Control - MAC
address) addresses to corresponding Internet
Protocol addresses.
When a new machine is set up, its RARP client
program requests from the RARP server on the
router to be sent its IP address.
Assuming that an entry has been set up in the
router table, the RARP server will return the IP
address to the machine which can store it for
future use.
RARP is available for Ethernet

72
Attacks to ARP

ARP does not provide any means of authentication
Racing against the queried host, it is possible
to provide a false IP address/datalink-level
address mapping
Fake ARP queries can be used to store wrong ARP
mappings in a host cache
In both cases, the net effect is the redirection
of traffic to the attacker (at least for the
lifetime of the cache entry)
Used in denial-of service and spoofing attacks
In Windows, use arp -a to display ARP entries

73
Attacks to ARP
74
Attacks to ARP (2)

Since ARP is stateless it is possible to
provide a fake reply even if a request has not
been sent

75
Attacks to RARP

RARP, as ARP, does not provide any authentication
mechanisms
An attacker can race against legitimate servers
by sending fake replies
By doing this, an attacker can assign the IP
address of an existing host to a particular
diskless workstation cutting out the victim host
from traffic

76
Other network based hacking techniques - 1

MAC flooding (switched LAN) gt allow sniffing
Blind IP Spoofing gt a typical DoS
Man-in-the-middle Attacks
Fragmentation - Ping of death

77
Other network based hacking techniques - 2

Other fragmentation attacks
Stealth Traffic
Teardrop Attack
Overlapping Fragment Attack
Unnamed Attack
Network layer attack ICMP
Echo Attacks, Smurf Attacks, Redirect Attacks
Transport layer attack UDP attack
spoofing, hijack and storm attack

78
MAC flooding

Switched Ethernet does not allow direct sniffing
ARP spoofing with forwarding can be used to
bypass this protection
MAC flooding
Switches maintain a table with MAC address/port
mappings
Flooding the switch with bogus MAC address will
overflow table memory and revert the behavior
from switch to hub

79
Overview of Routing
80
Blind IP Spoofing

A attacker sends an IP datagram with the address
of some other host as the source address
The host replies to the legitimate host
Usually the attacker does not have access to the
reply traffic
it is a common DoS technique

attacker
81
Man-in-the-middle Attacks

An attacker that has control a gateway used in
the delivery process, it can
Sniff the traffic
Intercept/block traffic
Modify traffic

attacker
82
Fragmentation attack - overview

When a datagram is encapsulated in lower level
protocols (e.g., Ethernet) it may be necessary to
split the IP datagram in smaller portions
This happens when the datagram size is bigger
than the data link layer MTU (Maximum
Transmission Unit)
Fragmentation can be performed at the source host
or in an intermediate step in datagram delivery
If the datagram has the do not fragment flag
set an ICMP error message is sent back to the
originator

83
Fragmentation (IP Datagram)
84
Fragmentation attack-overview (2)

If the datagram can be fragmented
The header is copied in each fragment
In particular, the datagram id is copied in
each fragment
The more fragments flag is set with the
exception of the last fragment
The fragmentation offset field contains the
position of the fragment with respect to the
original datagram expressed in 8 byte units
The total length field is changed to match the
size of the fragment
Each fragment is then delivered as a separate
datagram
If one fragment is lost the entire datagram is
discarded after a timeout

85
Fragmentation attack - Ping of Death - 1

Ping of Death is an oversized ICMP packet that
causes system to lock up
exploits the bugs / weakness of operation system
based on Fragmentation Attacks
Ping of Death was one of most popular attack in
UNIX
The offset of the last segment is modified such
that the total size of the reassembled datagram
is bigger than the maximum allowed size a kernel
static buffer is overflowed causing a kernel panic

86
Fragmentation attack - Ping of Death - 2

It is a threat in the past, most firewall discard
such malformed packet automatically
Other new variants
malicious attack based on service pack update of
popular OS
reverse engineering within 2 weeks
attack systems not yet deploy such service pack

87
Ping of Death - fragmentation

230106.266646 lt 128.111.48.69 gt 128.111.48.70
icmp echo request (frag 43211480_at_0)
230106.421261 lt 128.111.48.69 gt 128.111.48.70
(frag 43211480_at_1480)
230106.575953 lt 128.111.48.69 gt 128.111.48.70
(frag 43211480_at_2960)
230106.730065 lt 128.111.48.69 gt 128.111.48.70
(frag 43211480_at_4440)
230106.884625 lt 128.111.48.69 gt 128.111.48.70
(frag 43211480_at_5920)
230107.038801 lt 128.111.48.69 gt 128.111.48.70
(frag 43211480_at_7400)
230107.193403 lt 128.111.48.69 gt 128.111.48.70
(frag 43211480_at_8880)
230107.348185 lt 128.111.48.69 gt 128.111.48.70
(frag 43211480_at_10360)
230107.502326 lt 128.111.48.69 gt 128.111.48.70
(frag 43211480_at_11840)
...
230112.451121 lt 128.111.48.69 gt 128.111.48.70
(frag 43211480_at_59200)
230112.605235 lt 128.111.48.69 gt 128.111.48.70
(frag 43211480_at_60680)
230112.759927 lt 128.111.48.69 gt 128.111.48.70
(frag 43211480_at_62160)
230112.917811 lt 128.111.48.69 gt 128.111.48.70
(frag 43211480_at_63640)
230113.090936 lt 128.111.48.69 gt 128.111.48.70
(frag 4321398_at_65120)
Total 65120 398 65518 20 bytes of header
65538 gt 65535!

88
Fragmentation Attacks Tiny Fragment Attack

also known as Stealth Traffic attack
Firewalls and intrusion detection systems analyze
incoming datagrams using the information
contained in both the datagram header and the
datagram payload (TCP ports, UDP ports, SYN and
ACK flags in the TCP header)
An attacker may use fragmentation to avoid
detection
an attack try to hidden itself
e.g. some IDS do not reassemble datagrams

89
Fragmentation AttacksThe Teardrop Attack

This is also a denial of service attack that can
cause the victim host to hang crash or reboot, as
was the Ping of Death attack.
The teardrop attack utilizes the weakness of the
IP protocol reassembly process. The teardrop
attack is a UDP attack, which uses overlapping
offset fields in an attempt to bring down the
victim host.
Fragmentation attack comparisons
ICMP attack ping of death
TCP attack Tiny Fragment attack
UDP attack teardrop attack
variants Overlapping Fragment Attack, unnamed
Attack

90
Fragmentation AttacksThe Overlapping Fragment
Attack

Another variation on the teardrop attack that
also uses overlapping fragments.
The datagram is deliberately fragmented by the
attacker
Some of the fragment are re-sent with different
contents so that they will overwrite the original
contents
The first fragment specifies a begin TCP
destination port for the TCP packet (e.g., 80)
The fragment is allowed to go through the filter
and no check is performed on the following ones
The attacker sends a fragment that, using a
non-null offset, overwrites the TCP destination
port with a different, blocked one (e.g., 23)
When the datagram is reassembled it will be
delivered tothe new port

91
Fragmentation AttacksThe Unnamed Attack

This attack is yet another variation on the
teardrop attack that attempts to cause a denial
of service to the victim host.
This time however the fragments are not
overlapping but are created in such a way that
there is a gap created in the fragments.
This is done by manipulating the offset values to
ensure there are parts of the fragment, which
have been skipped.
Some operating systems may behave unreliably when
this exploit is used upon them.

92
ICMP Echo Request / Reply - Overview

Used by the ping program
ping 192.168.1.1PING 192.168.1.1
(192.168.1.1) from 192.168.1.100 56(84) bytes
of data.64 bytes from 192.168.1.1 icmp_seq0
ttl64 time1.049 msec64 bytes from 192.168.1.1
icmp_seq1 ttl64 time660 usec64 bytes from
192.168.1.1 icmp_seq2 ttl64 time597 usec64
bytes from 192.168.1.1 icmp_seq3 ttl64
time548 usec64 bytes from 192.168.1.1
icmp_seq4 ttl64 time601 usec64 bytes from
192.168.1.1 icmp_seq5 ttl64 time592 usec64
bytes from 192.168.1.1 icmp_seq6 ttl64
time547 usec--- 192.168.1.1 ping statistics
---7 packets transmitted, 7 packets received, 0
packet lossround-trip min/avg/max/mdev
0.547/0.656/1.049/0.165 ms

93
ICMP Echo Attacks

ICMP Echo Request messages can be used to map the
hosts of a network (pingscan or ipsweep)
ICMP echo datagrams are sent to all the hosts in
a subnetwork
The attacker collects the replies and determines
which hosts are actually alive
Starting nmap V. 2.12 by Fyodor (fyodor_at_dhp.com,
www.insecure.org/nmap/)Host cisco-sales.ns.com
(195.121.31.11) appears to be up.Host
sales1.ns.com (195.121.31.19) appears to be
up.Host sales4.ns.com (195.121.31.22) appears to
be up.Host sales2.ns.com (195.121.31.43) appears
to be up.Host sales3.ns.com (195.121.31.181)
appears to be up.Nmap run completed -- 256 IP
addresses (5 hosts up) scanned in 1 second
ICMP Echo Request can be used to perform a denial
ofservice attack (smurf)

94
ICMP Attack Smurf - 1

The infamous Smurf - ICMP echo requests to a
network broadcast with a spoofed source address
of the victim.
Hence the victim obtains several potentially
thousands of replies...tying up the victims
network resources

95
ICMP Attack Smurf - 2
96
ICMP Redirect Attacks

ICMP redirect messages can be used to re-route
traffic on specific routes or to a specific host
(victim) that is not a router at all
The attack is performed sending to a host a
spoofed ICMP redirect message that appears to
come from the hosts default gateway
The attack can be used to
Hijack traffic
Perform a denial-of-service attack

97
ICMP Redirect Attacks

arp -n
Address HWtype HWaddress
192.168.1.1 ether 002078CA7EAE (original
gateway)
192.168.1.10 ether 0001031D98B8 (original
gw for 1.0)
192.168.1.100 ether 0800460704A3 (victim)
C\WINDOWSgtroute PRINT
Active Routes
Network Address Netmask Gateway Address
Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1
192.168.1.10 1
127.0.0.0 255.0.0.0 127.0.0.1
127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.10
192.168.1.10 1
192.168.1.10 255.255.255.255 127.0.0.1
127.0.0.1 1
192.168.1.255 255.255.255.255 192.168.1.10
192.168.1.10 1
tcpdump -n
804674a3 0131d98b8 0800 70 192.168.1.1
gt 192.168.1.10
icmp redirect 128.111.48.69 to host 192.168.1.100

98
ICMP Redirect Attacks

C\WINDOWSgtroute PRINTActive RoutesNetwork
Address Netmask Gateway Address Interface
Metric0.0.0.0 0.0.0.0
192.168.1.1 192.168.1.10 1127.0.0.0
255.0.0.0 127.0.0.1 127.0.0.1
1128.111.48.69 255.255.255.255 192.168.1.100
192.168.1.10 1192.168.1.0 255.255.255.0
192.168.1.10 192.168.1.10 1192.168.1.10
255.255.255.255 127.0.0.1 127.0.0.1
1192.168.1.255 255.255.255.255 192.168.1.10
192.168.1.10 1
C\WINDOWSgtping 128.111.48.690131d98b8
804674a3 0800 74 192.168.1.10 gt
128.111.48.69icmp echo request0131d98b8
804674a3 0800 74 192.168.1.10 gt
128.111.48.69icmp echo request...

99
ICMP Destination Unreachable

ICMP message used by gateways to state that the
datagram cannot be delivered
Many subtypes
Network unreachable
Host unreachable
Protocol unreachable
Port unreachable
Fragmentation needed but dont fragment bit set
Destination host unknown
Destination network unknown
...

100
Destination Unreachable Attacks

Forged destination unreachable messages can cut
out nodes from the network (denial of service)

101
Attacks Comparisons

ICMP
Smurf attack
redirection attack
destination unreachable attack
UDP
spoofing at transport fraggle
hi-jack
storm - use of chargen

102
ICMP Time Exceeded

It is not an attack itself, but used by attacker
to learn the properties of the network
Used when
TTL becomes zero (code 0)
The reassembling of a fragmented datagram times
out (code 1)

103
Traceroute

ICMP Time Exceeded messages are used by the
traceroute program to determine the path used to
deliver a datagram
A series of IP datagrams are sent to the
destination node
Each datagram has an increasing TTL field
(starting at 1)
From the ICMP Time exceeded messages returned by
the intermediate gateways it is possible to
reconstruct the route from the source to the
destination
Note traceroute allows one to specify loose
source routing (-g option)
Tools immensely useful (topology mapping)

104
Traceroute

traceroute to res-server.ns.com (195.121.32.42),
30 hops max, 38 byte packets 1
csworld48 (128.111.48.2) 1.077 ms 0.827 ms 1.051
ms 2engr-gw-lo.ucsb.edu (128.111.51.1) 1.479 ms
0.855 ms 1.222 ms 3border1.ucsb.edu
(128.111.1.83) 1.224 ms 1.375 ms 1.222 ms
4gsr-g-1-0.commserv.ucsb.edu (128.111.252.150)
1.357 ms 1.383 ms 1.642 ms 5USC--ucsb.ATM.calren2
.net (198.32.248.73) 3.876 ms 4.493 ms 3.913 ms
6ISI--USC.POS.calren2.net (198.32.248.26) 4.401
ms 4.533 ms 4.261 ms 7UCLA--ISI.POS.calren2.net
(198.32.248.30) 4.933 ms 4.897 ms 5.002 ms
8UCLA-7507--UCLA.POS.calren2.net
(198.32.248.118) 5.429 ms 5.530 ms 5.384 ms
9corerouter2-serial6-0-0.Bloomington.cw.net
(166.63.131.129) 8.562 ms 8.244 ms 7.857 ms
10corerouter1.SanFrancisco.cw.net (204.70.9.131)
17.563 ms 17.861 ms 17.941 ms11bordercore1.SanFra
ncisco.cw.net (166.48.12.1) 18.108 ms 18.269 ms
17.945 ms12frontier-comm.SanFrancisco.cw.net
(166.48.13.242) 19.164 ms 18.749 ms 20.472 ms
13pos4-1-155M.cr2.SNV.gblx.net (206.132.150.233)
19.664 ms 18.666 ms 18.503 ms 14cisco-ns.ns.com
(195.121.39.51) 19.481 ms 18.014 ms 20.472 ms
15res-server.ns.com (195.121.32.42) 20.401 ms
20.962 ms 19.641 ms 16

105
UDP Spoofing

Basically, it is a form of IP spoofing but at
transport layer
With the aid of hacking tool, it is very easy to
perform

106
UDP Hijacking

Variation of the UDP spoofing attack

107
UDP Storms

A spoofed UDP datagram is sent to the echo
service (7)
The source port is set to the chargen service
(19)
The reply of the echo service is interpreted as a
request by the chargen service
The reply of the chargen service is interpreted
as a request by the echo service
...
The same attack can be carried out using two echo
services

108
Part 4 Measures to mitigate attacks

Countermeasures
Anti-virus scanner, enterprise virus protection,
apply patches, user awareness education

109
Methods of detecting malicious code - 1

Anti-virus software
regularly scan system looking for known
signatures
need to update anti-virus software as frequently
as possible
anti-virus vendors can update signatures in a
matter of hours after the new virus had been
detected
recent approach heuristic method
detect code if it look alike a malicious (such as
un-reasonable access)

110
Methods of detecting malicious code - 2

Application programs such as personal firewall,
scanner, sniffer to give alarms (or display logs)
File size increase
Many unexpected disk accesses
Change in update or modified timestamps
Broadcast / multicast storm
Important factor Alarm Threshold
false trigger cause unnecessary panic

111
Enterprise virus protection - 1

On each client computer
client-based virus protection
On servers
Server-side scanners are normally run
periodically to search for viruses, prior to the
daily or weekly backup.
does not disinfect clients, so it alone is not
sufficient for total virus project.
On email gateways (servers)
virus scanning at email servers can prevent
widespread transmission of a virus
also help to reduce email spamming
Modern email scanners are even capable of
unzipping compressed attachments

112
Enterprise virus protection - 2

On firewalls
some modern firewalls include a virus-scanning
function
scans all inbound communication streams for
viruses
terminates the session if a virus signature is
found
can prevent infection via email and Internet
downloads.

113
Methods to secure against malicious code

Cover security holes in Web browser
web surfing is high risk in security
secure web browser to stop executable contents
avoid active script, JavaScript, ActiveX, Java
etc
Cover security holes in Operation System and
other applications programs.
apply patches
User awareness and education
new virus cannot be detected by anti-virus
software
only the vigilance of users (and administrators)
is the best approach
Adopt Information Security management system
(ISMS)
a systematic, document system that address ALL
issues concerning the CIA of information. e.g.
BS7799