Ch 4 Hacking Exposed - PowerPoint PPT Presentation

Slides: 116
Provided by: alex139
Transcript and Presenter's Notes


1
Ch 4 Hacking Exposed
2
Contents (I)
  • Part I
  • Types of threats: structured and unstructured
  • Sources of threats: internal and external
  • Types of hackers: hacker, cracker and script kiddie
  • Hacking process: reconnaissance, exploiting the
    system, uploading programs, downloading data,
    keeping access and covering tracks

3
Contents (II)
  • Part II: Email attacks
  • Typical email attacks
  • Factors that make viruses spread
  • Types of virus
  • Types of worm
  • How to protect email clients
  • How to protect email servers

4
Contents (III)
  • Part 3: TCP/IP hacking
  • Sniffing
  • Spoofing
  • Hijacking
  • ARP attacks
  • RARP attacks

5
Contents (IV)
  • Part 4: Measures to mitigate attacks
  • Types of malicious code
  • Other attacks
  • Countermeasures: anti-virus, scanners, applying
    patches, user awareness education

6
Types of threats in infoSec
  • There are basically two types of threats:
    • Structured threats
    • Unstructured threats
  • There are two sources of threats:
    • Internal threats
    • External threats
  • In a recent survey conducted by the Computer
    Security Institute (CSI), 70% of the organizations
    polled stated that their network security
    defenses had been breached. Among these attacks,
    60% of the incidents came from within the
    organizations.

7
Structured threats
  • Structured threats come from attackers that are
    highly motivated and technically competent.
  • These attackers have the technical proficiency to
    understand existing tools, adapt current hacking
    tools, and create new custom tools.

8
Unstructured threats
  • Most unstructured attackers are moderately
    skilled attackers driven by personal
    gratification.
  • A small percentage of these attacks are malicious
    in nature, but the impact can be significant.
  • Numerous hacking tools and scripts are available
    on Internet sites.
  • Intellectual curiosity drives many novice hackers
    to download these tools and experiment with them.
  • Others get a moment of excitement by breaking
    into computers.

9
External threats
  • External threats are carried out by those outside
    an organization through intentional or
    unintentional activities, such as the following:
  • Thrill seeker
  • Competitors
  • Enemies
  • Thieves
  • Spies
  • Hostile former employees
  • Others

10
Internal threats
  • Internal threats are perpetrated by those inside
    an organization through intentional or
    unintentional activities, such as the following:
  • Current employees with malicious intentions
  • Current employees acting unintentionally
  • Employees who mismanage the environment:
    employees who do not use safe passwords or who
    misconfigure network equipment out of ignorance
  • Legitimate users accessing networked services
    that would normally be off limits to them (i.e.
    log-on abuse)

11
Threats to Information System
12
Hacker, Cracker and Script Kiddie
  • We refer to an individual who attempts to access
    network or computer resources without
    authorization as a network intruder, or intruder.
    Intruders can be further classified as hackers,
    crackers or script kiddies.
  • Hacker: a person who investigates the integrity
    and security of an OS or network. A hacker is
    usually a person who uses advanced knowledge of
    hardware and software to hack systems. The hacker
    often shares his knowledge with others, usually
    over the Internet. The hacker does not have
    malicious intent.
  • Cracker: a person who uses advanced knowledge of
    networks to probe or compromise network security
    without authorization. The cracker usually has
    malicious intent.
  • Script kiddies: crackers who use scripts and
    programs written by others to perform their
    intrusions.

13
White Hat and Black Hat
  • Hacker: a person who breaks into a system or tries
    to crash the system
  • White Hat: hackers with the skills to do the right
    thing
  • Black Hat: hackers referred to as the bad guys,
    with criminal intent
  • Grey Hat: someone in between white and black,
    usually without criminal intent
  • Other definitions:
    • White Hat = hacker
    • Black Hat = cracker
    • Grey Hat = script kiddies (someone who does some
      damage without criminal intent)
  • Hacktivism: hacking for political reasons

14
Skills that hackers need
  • Programming languages
    • C, C++, Java, Perl, JavaScript
  • Operating systems: Linux, MS Windows
    • e.g. kernel functions, processes and daemons, MS
      Component Object Model (COM)
  • LAN and Internet technology
    • IP addressing, subnetting, NFS etc.
  • Network protocols
    • TCP/IP, SMTP, POP3, IMAP etc.

15
Attacker's physical routes
  • There are several ways for a hacker to access a
    network/system:
  • by using a compromised computer within the
    network, that is, from inside the network
  • by connecting over the Internet - becoming more
    popular due to the popularity of the Internet, as
    well as its speed
  • by dialing in via a Remote Access Server (RAS) -
    becoming less common as companies move to VPNs
  • by connecting via an insecure wireless network
  • through weak physical protection, such as an
    unlocked server room, unsecured backup tapes etc.

16
Attacker's logical routes
  • TCP/IP ports
    • TCP/IP is weak in security
  • Weak passwords
    • due to human nature
  • Social engineering
    • because people do not take information security
      seriously
  • Covert channels
  • Humans are the weakest link in all of information
    security

17
Attackers Route (Ports)
  • Some of the ports that interest attackers are:
  • 21: FTP
  • 23: Telnet
  • 25: SMTP
  • 53: DNS
  • 79: Finger
  • 80: HTTP
  • 110: POP
  • 111: Sun RPC
  • 137-139: NetBIOS

18
Attackers Route (Password)
  • Problems:
  • Employees generally have very weak passwords,
    e.g. a girlfriend's name, a birthday.
  • Even worse, passwords are never changed and old
    accounts are not deleted.
  • All these factors make password attacks one of
    the easiest ways for an attacker to breach a
    company.
  • On the other hand, passwords are one of the
    easiest things to secure, as the mechanism is
    already built into the system.

19
Attackers Route(Password)
Password: cn7XhlYn
  • Strong password characteristics:
  • Change every 45 days.
  • Minimum length of 10 characters.
  • Contains at least one letter, one number, and one
    special character.
  • Letters, numbers, and special characters must be
    mixed up and not appended to the end.
  • E.g. oazcn56 is bad, n7aodfnk is good
  • Cannot contain dictionary words
  • Cannot reuse the previous five passwords
  • Minimum password age of ten days
  • After five failed logon attempts, the account is
    locked for several hours.
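The policy on this slide, implemented as a checker (an added example, not part of the original deck): the rule values are the slide's, the mini word list and the SHA-256 history fingerprint are constructed assumptions for illustration (a real system compares against its salted password verifiers and a full dictionary).

```python
import hashlib
import re
import string

# Policy values taken from the slide.
MIN_LENGTH = 10
MAX_AGE_DAYS = 45
MIN_AGE_DAYS = 10
HISTORY_DEPTH = 5
LOCKOUT_THRESHOLD = 5

# Constructed mini word list for the "no dictionary words" rule; a real
# deployment loads a full dictionary (the same lists crackers use).
DICTIONARY_WORDS = {"password", "welcome", "secret", "admin", "summer"}
SPECIALS = set(string.punctuation)


def _fingerprint(pw: str) -> str:
    # Illustrative only: production systems keep salted password hashes and
    # check reuse against those, never against a bare SHA-256.
    return hashlib.sha256(pw.encode()).hexdigest()


def _non_alpha_only_appended(pw: str) -> bool:
    """'oazcn56' style: an alphabetic prefix followed only by digits/specials."""
    return re.fullmatch(r"[A-Za-z]+[^A-Za-z]+", pw) is not None


def check_password(pw: str, history: list[str]) -> list[str]:
    """Return the policy rules the candidate password violates.

    `history` holds fingerprints of previously used passwords, most recent
    last. An empty result means the password satisfies the policy."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if _non_alpha_only_appended(pw):
        problems.append("digits/specials only appended to the end")
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if _fingerprint(pw) in history[-HISTORY_DEPTH:]:
        problems.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
    return problems


def record_password(pw: str, history: list[str]) -> list[str]:
    """Append the new password's fingerprint, keeping only the last five."""
    return (history + [_fingerprint(pw)])[-HISTORY_DEPTH:]


def change_allowed(age_days: int) -> bool:
    """Minimum age: a password may not be changed again within ten days."""
    return age_days >= MIN_AGE_DAYS


def expired(age_days: int) -> bool:
    """Maximum age: a password older than 45 days must be changed."""
    return age_days > MAX_AGE_DAYS


class LockoutCounter:
    """Counts consecutive failed logons; the fifth failure locks the account."""

    def __init__(self):
        self.failures = 0
        self.locked = False

    def failed_logon(self) -> bool:
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked = True
        return self.locked

    def successful_logon(self) -> None:
        self.failures = 0
```

Note that the slide's own "good" example n7aodfnk fails the length and special-character rules it lists; the checker applies the rules as written.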

20
Attackers Route(Social Engineering)
  • One of the most easily deceived elements in system
    security is the human.
  • Social engineering is basically convincing people
    to give you information they normally would not,
    usually by pretending to be someone else, e.g. a
    network administrator.

21
Social engineering - 1
  • The art and science of getting people to comply
    with your wishes.
  • Not a form of mind control
  • Lots of groundwork
  • Information-gathering
  • Idle chit-chat
  • Amusing accents
  • Most of the work is in preparation

22
Social engineering - 2
  • Is the highest form of hacking
  • Can be very easy
  • Often yields largest rewards
  • Natural human desire to help leaves us vulnerable
  • And can undermine all technical countermeasures

23
Social engineering - 3
  • Categories of exploits:
  • Direct request
    • Usually the least likely to succeed
  • Contrived situation
    • Additional factors the target must consider
  • Dressing the part
    • Service person, employee, carrying a clipboard
  • Personal persuasion
    • Increase voluntary compliance
    • Make the target believe he/she is in control

24
Attackers Route(Covert Channels)
  • A covert channel involves a trusted insider who
    sends information to an unauthorized outsider in
    a covert fashion.

25
Hacker's Process
  • The way a hacker breaks into a system may vary,
    but it usually consists of the following 5 stages:
  • target selection
  • information gathering
    • passive reconnaissance
    • active reconnaissance
  • attack
    • gaining access
    • denial of service
  • keeping access
  • getting away: covering tracks
  • Sometimes known as the 5 Ps:
    probe, penetrate, persist, propagate and paralyze

26
Target selection / information gathering
  • Target selection
    • gather information about the network without
      sending a single packet
    • IP address range, or business assets
    • tools: WHOIS, ARIN and DNS lookup
    • http://www.arin.net, http://www.networksolutions.com/whois
  • Passive reconnaissance
    • The most popular type of passive attack through
      the network is sniffing
    • Not necessarily through the network, e.g.
      listening to people talking about their
      company's business and policy in a coffee shop.

27
Target selection / information gathering (2)
  • Active reconnaissance
    • gathering information in a more forceful, active
      way
    • A typical example is port scanning
  • Countermeasure
    • This is a critical moment to detect the intruder,
      as active actions usually expose his trace.
    • Logging (e.g. firewall logging, data access
      logging) is the key component in opposing this
      type of attack

28
  • Port scanning software, in its most basic state,
    simply sends out a request to connect to the
    target computer on each port sequentially and
    makes a note of which ports responded or seem
    open to more in-depth probing.
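The countermeasure the previous slide names is logging; here is the detection side of it as an added example (not from the original deck): a small scan detector run over constructed iptables-style firewall log lines, flagging any source that touches many distinct ports on one host inside a short window, the footprint of the sequential probing just described. The log format, window and threshold are assumptions to tune for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (iptables "--log-prefix" style fields are assumed):
# 203.0.113.7 walks ports 21..26 in a few seconds; 198.51.100.4 is a normal
# client touching only 80 and 443.
SAMPLE_LOG = """\
Jan 12 03:14:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 12 03:14:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 12 03:14:02 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
Jan 12 03:14:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jan 12 03:14:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=24 SYN
Jan 12 03:14:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=25 SYN
Jan 12 03:14:04 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=26 SYN
Jan 12 03:14:09 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
"""

LOG_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]+) \S+ kernel: .*?SRC=(\S+) DST=(\S+) PROTO=TCP .*?DPT=(\d+)")

WINDOW = timedelta(seconds=60)   # how long a burst of probes is correlated
PORT_THRESHOLD = 5               # distinct ports per (src, dst) that count as a scan


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) for a TCP log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog lines carry no year
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect_scans(log_text: str) -> dict:
    """Map (src, dst) -> sorted distinct ports for pairs that crossed the threshold.

    For each source/destination pair the events are sorted by time and a window
    starting at each event is examined; the first window holding PORT_THRESHOLD
    or more distinct destination ports marks the pair as scanning."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[(src, dst)].append((ts, dport))
    scans = {}
    for pair, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {d for t, d in hits[i:] if t - start <= WINDOW}
            if len(ports) >= PORT_THRESHOLD:
                scans[pair] = sorted(ports)
                break
    return scans


def looks_sequential(ports: list) -> bool:
    """True when the probed ports form an unbroken ascending run."""
    return all(b - a == 1 for a, b in zip(ports, ports[1:]))
```

A scanner that spreads its probes over hours, or across many source addresses, stays under this window and threshold; longer windows and per-destination aggregation catch more at the cost of more false positives.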

29
Target selection / information gathering (3)
  • Some of the key information that interests most
    hackers:
  • Accessible hosts
  • Locations of routers and firewalls
  • Operating systems running on key systems
  • Ports that are open
  • Services that are running
  • Versions of applications that are running

30
Attacks
  • There are two major types of attacks:
  • Gaining access
    • elevating privileges
    • downloading data
    • uploading programs/data via a Trojan horse
      program or worm
  • Denial of service
    • methods: Ping of Death, floods (e.g. SYN floods),
      buffer overflow

31
Attacks - Gaining Access - 1
  • There are several ways of gaining access to a
    system:
  • Operating system attacks
    • Most operating systems are insecure after a
      default install
  • Application-level attacks
    • Much software is not well tested before release
      because of very tight schedules.
  • Script and sample program attacks
    • More common on UNIX platforms
  • Misconfiguration attacks
    • Remove any unneeded services or software.
    • Concentrate on securing the remaining core
      components

32
Attacks - Gaining Access - 2
  • Gain root or administrator privilege starting from
    a minimal amount of access
    • e.g. log in with a guest account and then elevate
      that to full access
  • tools: password cracking utilities such as John
    the Ripper, L0phtCrack, etc. to recover passwords
    from password files

33
Attacks - Uploading Program
  • Usually the attacker will upload two kinds of
    software to the target computer, in the form of a
    Trojan horse:
  • Software to increase access
    • E.g. after gaining access to a system as a normal
      user, upload and run a program that exploits a
      weakness in the OS so as to gain root privilege.
  • Tools that will be used to compromise other
    systems
    • E.g. launch an attack on another computer through
      the victim machine so as to make tracing harder.
    • Some of the tools used by hackers require
      significant processing power.

34
Attacks - Download Data
  • Usually, information is the ultimate goal of an
    attack.
  • Targets
    • commercial secrets, common in corporate espionage
    • user account files that may contain encrypted
      passwords etc.
  • If you cannot detect an attacker while he is
    downloading the data, you usually have no chance
    of stopping the attack after the data has been
    downloaded: the remainder of the attack (e.g.
    analysis of the captured password files) can be
    done offline.

35
Attacks - Denial of Service (DoS)
  • As its name implies, this attack aims at denying
    legitimate users access to a network resource,
    e.g. blocking users from reaching a particular web
    site.
  • eBay, Yahoo and many large web services were
    brought down in Feb 2000
  • Since then, many commercial IDSs have large
    numbers of signatures that help detect and stop
    this type of attack
  • Sometimes advanced hackers use these types of
    attacks to cover their more complicated attacks
    • e.g. disable the service of the DNS server and
      replace it with a fake DNS server so as to
      redirect users to a fake site and capture their
      passwords.

36
  • It is much easier to disrupt a system than to
    gain access to it
  • A DoS attack can be done by overwhelming any of
    the following:
  • Network
  • Disk space
  • CPU cycles
  • Memory buffers

37
Attacks - DoS Floods
  • Floods are the simplest type of DoS: they simply
    use up network/computer resources such as
    bandwidth and CPU power. For example:
  • SYN floods
    • exploit the connection mechanism of TCP.
    • When a TCP session is opened, the requesting
      client transmits a SYN message to the host from
      which it requests service, and the receiving
      server responds with a SYN-ACK message accepting
      the connection

38
Attacks - DoS Floods
  • The client then finishes establishing the
    connection by responding with an ACK message.
  • The connection between the client and the server
    is then open, and the service-specific data can
    be exchanged between the client and the server

39
Attacks - DoS Floods
  • The potential for abuse arises at the point where
    the server has sent an acknowledgment (SYN-ACK)
    back to the client but has not yet received the
    client's ACK.
  • This is what is meant by a half-open connection.
  • The server keeps in its system memory a data
    structure describing all pending connections.
  • This data structure is of finite size, and it can
    be made to overflow by intentionally creating too
    many half-open connections.
  • Creating half-open connections is easily
    accomplished with IP spoofing, since the spoofed
    source never sends the final ACK.

40
Keeping Access
  • Plant a back door so that the attacker can return
    whenever he wants.
  • Ways of planting a back door:
  • Adding an account to the system
  • Overwriting a system file with one that has a
    hidden feature, usually referred to as a Trojaned
    version.
  • Running a Trojan horse program every time the
    victim starts the machine.

41
Getting away: covering tracks
  • In some cases, like corporate espionage, they
    don't need step 4 (keeping access) very often.
  • It is more important for the hacker to cover his
    tracks
  • Methods
    • Clean up the log files. Note: only the entries
      relating to the attack, so that the cleanup
      itself is not noticed.
    • Turn off logging as soon as the attacker gains
      access to the machine.

42
Summary of hacker activities -1
  • target selection / information gathering
    • passive reconnaissance: sniffing packets
    • active reconnaissance: port scanning
  • attack: exploiting the system
    • download data (trade secrets) and upload data
      (web pages)
    • gaining access, denial of service
  • keeping access (plant a Trojan)
  • getting away: covering tracks (erase logs)

43
Summary of hacker activities -2
  • Attacker's physical routes
    • Internet, LAN, RAS (via PSTN), WLAN, weak door
      locks
  • Attacker's logical routes
    • Ports (common ports are open, which may attract
      hackers)
    • Passwords (password length, dictionary attacks)
    • Social engineering (divulgation and infiltration)
    • Covert channels

44
Part 2: Malicious software attacks
  • Typical email attacks
  • Factors that make virus spread
  • Types of Virus
  • Types of Worm
  • How to protect email clients
  • How to protect email server

45
Email attacks
  • The Internet is very prone to attack
  • Worms are able to spread because many systems
    blindly trust each other
  • Internal software components of each server also
    blindly trust each other
  • Applications that make things simple can cause
    problems: automatically opening attachments with
    preview panes
  • Unchecked system bugs

46
Typical email attacks: virus - 1
  • A binary file that requires human intervention in
    order to spread (e.g. download, double-click or
    transfer on floppy disk)
  • RFC 1135 states: "A virus is a piece of code that
    inserts itself into a host, including OS, to
    propagate. It cannot run independently. It
    requires that its host program be executed to
    activate it."

47
Typical email attacks: virus - 2
  • Here are some examples of viruses:
  • File virus: most viruses fall into this
    category. The virus attaches itself to a file,
    usually a program file.
  • Boot sector virus: these viruses infect floppy
    and hard drives. The virus program loads first,
    before the operating system.
  • Macro virus: a newer type of virus that uses an
    application's own macro programming feature to
    distribute itself. Unlike other viruses, macro
    viruses do not infect programs; they infect
    documents.

48
Typical email attacks: worm
  • Worm
    • spreads to other systems with little or no user
      intervention; spreads itself after a single
      activation.
  • RFC 1135 states: "A worm is a program that can
    run independently, will consume the resources of
    its host and/or network from within in order to
    maintain itself, and can propagate a complete
    working version of itself on to other machines."
  • Current anti-virus software classifies:
    • worm: code that propagates between hosts
    • virus: code that propagates only within a single
      host
  • Note: there is malicious code that does both!!

49
Recent virus / worm attacks - 1
  • Email virus W32/Mydoom (alias W32.Novarg.A@MM,
    WORM_Mimail.R@MM)
    • It is a mass-mailing worm that spreads itself
      via infected email attachments in emails with a
      spoofed sender address.
    • The virus arrives in a file attachment with a
      file extension of .zip, .bat, .cmd, .exe, .pif
      or .scr.
    • Once a PC is infected, the virus starts sending
      infection emails with a spoofed sender address
      from the local PC.
  • Email virus W32/Bagle
    • It is a mass-mailing worm
    • It spreads itself via infected email attachments
      in emails with a spoofed sender address
    • Once a PC is infected, the virus starts sending
      infection emails with a spoofed sender address
      from the local PC.

50
Recent virus / worm attacks - 2
  • Email virus W32/SoBig.F
    • One of the most widespread viruses in the world
    • It created massive email outages globally after
      it was found.
    • The virus spreads itself via infected email
      attachments in emails with a "spoofed" sender
      address.
    • The total number of infected emails seen on the
      Internet since this attack started is close to
      100 million.
  • CodeRed took about 13 hours to infect hundreds of
    thousands of hosts (actual figure not known).
  • SQL Slammer took only 10 minutes to reach the same
    effect as CodeRed
    • based on a single 404-byte UDP packet

51
Factors that make viruses spread
  • A single homogeneous network makes it easier to
    spread (vs. a heterogeneous network)
  • Networks with a standard mail user agent (e.g. MS
    Outlook is now an installed application in MS
    Windows)
  • Operating systems with user-configurable
    facilities, such as the Component Object Model.
  • Ubiquitous networks that use TCP/IP
  • Other attacks: Blaster and Nachi, which exploited
    a vulnerability in the RPC services of Windows
    systems; required access to TCP ports 135-139
    • not usually open to the Internet, but reachable
      via VPN

52
Other attacks: Trojan
  • Code disguised as an innocent program but behaving
    in an unexpected, usually malicious manner
  • Examples: electronic greeting cards, chain letters
  • Strictly speaking, a Trojan horse is NOT a virus
    because it does not replicate like ordinary
    viruses do.
  • Limitation: the user needs to be convinced to
    accept/run it
  • Defense: don't run programs that you don't know

53
Common Trojan - 1
  • Back Orifice 2000
    • BO2K allows outsiders to access and modify any
      information on Windows 95, 98 and NT machines
      through an invisible server program installed by
      the Trojan.
  • Back Orifice
  • allows an intruder to monitor and tamper with
    Windows 95 and Windows 98 computers over the
    Internet. There is no easy way for a computer
    user to know the attack is taking place, and
    there is no easy way to stop the attack once Back
    Orifice has installed itself on the computer.

54
Common Trojan - 2
  • NetBus
    • NetBus is a remote administration tool, much like
      the infamous Back Orifice tool.
    • However, NetBus predates Back Orifice by several
      months and is also capable of working under
      Windows NT in addition to Windows 95 and 98.
    • NetBus allows a hacker to access data and gain
      control over some Windows functions on a remote
      computer system.

55
Anatomy of malicious code
  • Two components:
  • Propagation
    • The delivery mechanism is the method by which
      the code spreads itself. In the old days, floppy
      disks; now the Internet, via email or web pages
  • Payload
    • Code that is executed if triggered.
    • e.g. the Michelangelo virus deletes your
      hard-disk partition tables
    • Some viruses have no payload, or have no harmful
      code for that machine; they only infect and
      spread

56
Types of virus
  • Boot sector virus
    • Moves data within the boot sector or overwrites
      the sector with new information
  • Stealth virus
    • Hides the modifications that it has made to files
      or boot records.
  • Polymorphic virus
    • Produces varied but operational copies of itself.
  • Multipart virus
    • Infects both the boot sector of a hard drive and
      executable files.
  • Self-garbling virus
    • Attempts to hide from antivirus software by
      garbling its own code. As the virus spreads, it
      changes the way its code is encoded.
    • Also known as polymorphism or virus mutation

57
Types of Worm - 1
  • True worm
    • requires no human intervention to spread.
    • functions only on a homogeneous network
    • requires the worm to be written in the same
      programming language as the email server.
    • rare, as it requires high skill

58
Types of Worm - 2
  • Protocol worm
    • uses a transport protocol, such as TCP/IP, to
      spread
    • spreads without human intervention
    • e.g. the Morris worm (1988)
      • named after its creator, Robert Morris
      • exploited a buffer overflow in fingerd and used
        debug commands in sendmail to break into
        systems running Berkeley UNIX

59
Types of Worm (3)
  • Hybrid worm
    • requires a low level of user intervention to
      spread, but also acts like a virus
    • behaves like a virus in that it delivers a
      payload
    • exhibits worm behavior: able to spread
      automatically from system to system
    • e.g. Melissa (1998) and its LoveLetter variants,
      BubbleBoy and LifeStages
      • a macro in a Word document: Document_Open()
      • when the user opens the infected Word document,
        it checks whether the email application is
        Outlook; if so, it composes a list of the first
        50 email addresses found in the user's address
        book and sends the email using the victim's
        name
      • attaches itself to the email in one line

60
Clues for Malicious Code
  • File size increase
  • Many unexpected disk accesses
  • Change in file update or modified timestamp
  • Sudden decrease in hard drive space
  • Unexpected and strange activity by applications

61
How to protect email clients
  • Have a corporate strategy and security policy
    • at various levels, for anti-spam and anti-virus
  • Purchase an anti-virus package
    • scanning attachments takes time and processor
      power
    • may not be able to find new viruses if the
      application is not updated regularly.
  • Obtain a personal firewall
    • tells you the IP address and/or the resolved
      host name
    • filters TCP/IP packets
    • can stop a system from sending and/or receiving
      email
    • can stop a system from forwarding email
  • Encrypt your email transmissions: install
    applications such as PGP

62
How to protect email server
  • Harden the email server's OS
    • lock down unnecessary ports; upgrade your system
      using the latest stable server patches and bug
      fixes; change default settings
  • Place your system behind a firewall
  • Disallow email relaying
    • configure the server to allow connections from
      certain hosts only
  • Email scanning
    • scanning the body of email messages helps
      protect email users, the MTA and the MDA
  • Attachment scanning
    • scan all attachments. Applications can block
      attachments suspected of containing viruses. For
      the cautious admin, the option is to disallow
      email attachments altogether.

63
Part 3: TCP/IP Hacking
64
Special IP Addresses
  • As source and destination address
    • Loopback interface 127.X.X.X (usually 127.0.0.1)
  • As source address
    • netid=0, hostid=0 (or hostid=XXX): "this host on
      this net" (used in special cases such as booting
      procedures)
  • As destination address
    • All bits set to 1: local broadcast
    • netid + hostid with all bits set to 1:
      net-directed broadcast to netid
  • Reserved private addresses (RFC 1597, now RFC 1918)
    • 10.0.0.0 - 10.255.255.255
    • 172.16.0.0 - 172.31.255.255
    • 192.168.0.0 - 192.168.255.255

65
Local Area Network Attacks
  • A number of kinds of attacks on a LAN:
  • Sniffing
  • Spoofing
  • Hijacking
  • ARP attacks
  • RARP attacks

66
Why Sniffing?
  • Many protocols (TELNET, FTP, POP, HTTP) transfer
    authentication information in clear text
  • By sniffing the traffic, it is possible to
    collect usernames/passwords, files, mail, etc.

67
Why Spoofing?
  • IP spoofing is used to impersonate sources of
    security-critical information (e.g., a DNS server
    or a NIS server)
  • IP spoofing is used to exploit address-based
    authentication
  • It is a common way to launch DoS attacks

68
Hijacking
  • Sniffing/spoofing is the basis for hijacking
  • The attacker waits for a client request
  • and races against the legitimate host in producing
    a reply
  • ARP-, UDP-, and TCP-based variations of this
    attack exist

69
Detecting Sniffers on your Network
  • Sniffers are typically passive programs
  • They put the network interface into promiscuous
    mode and listen for traffic
  • On the sniffing host itself they can be detected
    by programs / commands such as ifconfig, which
    shows the PROMISC flag:
    eth0      Link encap:Ethernet  HWaddr 00:10:4B:E2:F6:4C
              inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:1016 errors:0 dropped:0 overruns:0 frame:0
              TX packets:209 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
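The check on this slide, scripted so it can run across a fleet (an added example, not part of the original deck): it parses classic net-tools ifconfig output for the PROMISC flag and, on Linux, reads the raw interface flags from sysfs, where IFF_PROMISC is bit 0x100. The sample output is constructed from the slide's values; the second interface and the sysfs strings are assumptions.

```python
import re

IFF_PROMISC = 0x100  # interface flag bit from Linux <linux/if.h>

# Constructed ifconfig output: eth0 is in promiscuous mode, eth1 is not.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:10:4B:E2:F6:4C
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1016 errors:0 dropped:0 overruns:0 frame:0
          TX packets:209 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100

eth1      Link encap:Ethernet  HWaddr 00:10:4B:E2:F6:4D
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""


def promiscuous_interfaces(ifconfig_text: str) -> list[str]:
    """Return the names of interfaces whose flag line carries PROMISC.

    net-tools prints the interface name at column 0 of its first line and
    the flags on an indented line, so we remember the last name seen."""
    found, current = [], None
    for line in ifconfig_text.splitlines():
        m = re.match(r"^(\S+)\s+Link encap", line)
        if m:
            current = m.group(1)
            continue
        if current and re.search(r"\bPROMISC\b", line):
            found.append(current)
    return found


def promisc_from_sysfs_flags(flags_text: str) -> bool:
    """Interpret the contents of /sys/class/net/<iface>/flags (e.g. '0x1103')."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def read_sysfs_promisc(iface: str) -> bool:
    """Live check on a Linux host; raises FileNotFoundError off Linux."""
    with open(f"/sys/class/net/{iface}/flags") as fh:
        return promisc_from_sysfs_flags(fh.read())
```

Both checks run on the suspected host, so a kernel-level rootkit that hides the flag defeats them; a sniffer on another machine is not visible from here at all, which is why switched networks and encrypted protocols matter more than this test.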

70
ARP, RARP - 1
  • The Address Resolution Protocol (ARP) is a
    protocol used by the Internet Protocol (IP) to
    map IP network addresses to the hardware
    addresses used by a data link protocol. It is
    used when IP runs over Ethernet.
  • A physical machine in a local area network can
    request to learn its IP address from a gateway
    server's Address Resolution Protocol (ARP) table
    or cache.

71
ARP, RARP - 2
  • A network administrator creates a table in a
    local area network's gateway router that maps the
    physical machine (Media Access Control, MAC)
    addresses to corresponding Internet Protocol
    addresses.
  • When a new machine is set up, its RARP client
    program asks the RARP server on the router to
    send it its IP address.
  • Assuming that an entry has been set up in the
    router table, the RARP server returns the IP
    address to the machine, which can store it for
    future use.
  • RARP is available for Ethernet

72
Attacks to ARP
  • ARP does not provide any means of authentication
  • Racing against the queried host, it is possible
    to provide a false IP address / data-link-level
    address mapping
  • Fake ARP queries can be used to store wrong ARP
    mappings in a host's cache
  • In both cases, the net effect is the redirection
    of traffic to the attacker (at least for the
    lifetime of the cache entry)
  • Used in denial-of-service and spoofing attacks
  • In Windows, use arp -a to display ARP entries

73
Attacks to ARP
74
Attacks to ARP (2)
  • Since ARP is stateless, it is possible to
    provide a fake reply even if no request has been
    sent

75
Attacks to RARP
  • RARP, like ARP, does not provide any
    authentication mechanism
  • An attacker can race against legitimate servers
    by sending fake replies
  • By doing this, an attacker can assign the IP
    address of an existing host to a particular
    diskless workstation, cutting the victim host out
    of the traffic
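The two weaknesses from the ARP slides (a reply that answers no request, and a racing reply that rebinds an IP to a new MAC) as a passive monitor a defender can run, added here as an example that is not part of the original deck. The packet structure, addresses and trace are constructed; real deployment would feed it from a capture on a span port.

```python
from collections import namedtuple

REQUEST, REPLY = 1, 2  # ARP opcodes (RFC 826)

ArpPacket = namedtuple("ArpPacket", "op sender_mac sender_ip target_mac target_ip")


class ArpMonitor:
    """Watches ARP traffic and collects alerts instead of acting on them.

    For every reply it checks two things the slides describe:
      1. was there an outstanding request it answers? ARP is stateless, so
         an unanswered-for reply is how a bogus entry gets planted;
      2. does it change an IP->MAC mapping already learned? a second reply
         racing the legitimate host shows up here.
    Gratuitous ARP from DHCP clients or failover clusters is legitimate, so
    alerts are meant for review or a whitelist, not automatic blocking."""

    def __init__(self):
        self.pending = set()  # (asker_ip, asked_ip) for requests not yet answered
        self.table = {}       # ip -> mac, learned from replies
        self.alerts = []

    def observe(self, pkt: ArpPacket) -> None:
        if pkt.op == REQUEST:
            self.pending.add((pkt.sender_ip, pkt.target_ip))
            return
        if pkt.op != REPLY:
            return
        key = (pkt.target_ip, pkt.sender_ip)  # who asked, and about whom
        if key in self.pending:
            self.pending.discard(key)
        else:
            self.alerts.append(
                f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac} "
                f"sent to {pkt.target_ip} without a request")
        known = self.table.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            self.alerts.append(
                f"mapping change: {pkt.sender_ip} was {known}, now {pkt.sender_mac}")
        self.table[pkt.sender_ip] = pkt.sender_mac


# Constructed trace: a host asks for the gateway, the real gateway answers,
# then a second station answers the same question with its own MAC.
GATEWAY_IP, HOST_IP = "192.168.1.1", "192.168.1.20"
GATEWAY_MAC, HOST_MAC = "00:10:4b:00:00:01", "00:10:4b:e2:f6:4c"
ROGUE_MAC, BROADCAST = "00:de:ad:be:ef:99", "ff:ff:ff:ff:ff:ff"

SAMPLE_TRACE = [
    ArpPacket(REQUEST, HOST_MAC, HOST_IP, BROADCAST, GATEWAY_IP),
    ArpPacket(REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
    ArpPacket(REPLY, ROGUE_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
]


def run_sample() -> list[str]:
    """Feed the constructed trace through a monitor and return its alerts."""
    mon = ArpMonitor()
    for pkt in SAMPLE_TRACE:
        mon.observe(pkt)
    return mon.alerts
```

On hosts that matter, a static ARP entry for the gateway (arp -s) removes the cache entry the race is fighting over; on the switch, dynamic ARP inspection does the same check this monitor does.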

76
Other network based hacking techniques - 1
  • MAC flooding (switched LAN) -> allows sniffing
  • Blind IP spoofing -> a typical DoS
  • Man-in-the-middle attacks
  • Fragmentation - Ping of Death

77
Other network based hacking techniques - 2
  • Other fragmentation attacks
    • Stealth traffic
    • Teardrop attack
    • Overlapping fragment attack
    • Unnamed attack
  • Network layer attacks: ICMP
    • Echo attacks, Smurf attacks, redirect attacks
  • Transport layer attacks: UDP
    • spoofing, hijack and storm attacks

78
MAC flooding
  • Switched Ethernet does not allow direct sniffing
  • ARP spoofing with forwarding can be used to
    bypass this protection
  • MAC flooding
    • Switches maintain a table with MAC address/port
      mappings
    • Flooding the switch with bogus MAC addresses
      overflows the table memory and reverts the
      switch's behavior to that of a hub

79
Overview of Routing
80
Blind IP Spoofing
  • An attacker sends an IP datagram with the address
    of some other host as the source address
  • The receiving host replies to the legitimate host
  • Usually the attacker does not have access to the
    reply traffic
  • It is a common DoS technique

81
Man-in-the-middle Attacks
  • An attacker that has control of a gateway used in
    the delivery process can:
  • Sniff the traffic
  • Intercept/block traffic
  • Modify traffic

82
Fragmentation attack - overview
  • When a datagram is encapsulated in lower level
    protocols (e.g., Ethernet) it may be necessary to
    split the IP datagram into smaller portions
  • This happens when the datagram size is bigger
    than the data link layer MTU (Maximum
    Transmission Unit)
  • Fragmentation can be performed at the source host
    or at an intermediate step in datagram delivery
  • If the datagram has the "don't fragment" flag
    set, an ICMP error message is sent back to the
    originator instead

83
Fragmentation (IP Datagram)
84
Fragmentation attack-overview (2)
  • If the datagram can be fragmented:
  • The header is copied into each fragment
    • In particular, the datagram id is copied into
      each fragment
  • The "more fragments" flag is set in every
    fragment except the last
  • The fragmentation offset field contains the
    position of the fragment with respect to the
    original datagram, expressed in 8-byte units
  • The total length field is changed to match the
    size of the fragment
  • Each fragment is then delivered as a separate
    datagram
  • If one fragment is lost, the entire datagram is
    discarded after a timeout

85
Fragmentation attack - Ping of Death - 1
  • Ping of Death is an oversized ICMP packet that
    causes the system to lock up
  • exploits bugs / weaknesses of the operating system
  • based on fragmentation attacks
  • Ping of Death was one of the most popular attacks
    on UNIX
  • The offset of the last fragment is modified such
    that the total size of the reassembled datagram
    is bigger than the maximum allowed size; a static
    kernel buffer is overflowed, causing a kernel panic

86
Fragmentation attack - Ping of Death - 2
  • It is a threat of the past; most firewalls discard
    such malformed packets automatically
  • Other new variants
  • malicious attacks based on the service pack
    updates of popular OSes
  • the update is reverse engineered within 2 weeks
  • attack systems that have not yet deployed the
    service pack

87
Ping of Death - fragmentation
  • 23:01:06.266646 < 128.111.48.69 > 128.111.48.70:
    icmp: echo request (frag 4321:1480@0)
  • 23:01:06.421261 < 128.111.48.69 > 128.111.48.70:
    (frag 4321:1480@1480)
  • 23:01:06.575953 < 128.111.48.69 > 128.111.48.70:
    (frag 4321:1480@2960)
  • 23:01:06.730065 < 128.111.48.69 > 128.111.48.70:
    (frag 4321:1480@4440)
  • 23:01:06.884625 < 128.111.48.69 > 128.111.48.70:
    (frag 4321:1480@5920)
  • 23:01:07.038801 < 128.111.48.69 > 128.111.48.70:
    (frag 4321:1480@7400)
  • 23:01:07.193403 < 128.111.48.69 > 128.111.48.70:
    (frag 4321:1480@8880)
  • 23:01:07.348185 < 128.111.48.69 > 128.111.48.70:
    (frag 4321:1480@10360)
  • 23:01:07.502326 < 128.111.48.69 > 128.111.48.70:
    (frag 4321:1480@11840)
  • ...
  • 23:01:12.451121 < 128.111.48.69 > 128.111.48.70:
    (frag 4321:1480@59200)
  • 23:01:12.605235 < 128.111.48.69 > 128.111.48.70:
    (frag 4321:1480@60680)
  • 23:01:12.759927 < 128.111.48.69 > 128.111.48.70:
    (frag 4321:1480@62160)
  • 23:01:12.917811 < 128.111.48.69 > 128.111.48.70:
    (frag 4321:1480@63640)
  • 23:01:13.090936 < 128.111.48.69 > 128.111.48.70:
    (frag 4321:398@65120)
  • Total: 65120 + 398 = 65518 payload bytes; + 20 bytes
    of header = 65538 > 65535!

88
Fragmentation Attacks Tiny Fragment Attack
  • also known as the Stealth Traffic attack
  • Firewalls and intrusion detection systems analyze
    incoming datagrams using the information
    contained in both the datagram header and the
    datagram payload (TCP ports, UDP ports, SYN and
    ACK flags in the TCP header)
  • An attacker may use fragmentation to avoid
    detection
  • the attack tries to hide itself
  • e.g. some IDSs do not reassemble datagrams

89
Fragmentation Attacks - The Teardrop Attack
  • This is also a denial of service attack that can
    cause the victim host to hang, crash or reboot, as
    was the Ping of Death attack.
  • The teardrop attack utilizes a weakness of the
    IP protocol reassembly process. The teardrop
    attack is a UDP attack, which uses overlapping
    offset fields in an attempt to bring down the
    victim host.
  • Fragmentation attack comparisons
  • ICMP attack: Ping of Death
  • TCP attack: Tiny Fragment attack
  • UDP attack: Teardrop attack
  • variants: Overlapping Fragment Attack, Unnamed
    Attack

90
Fragmentation Attacks - The Overlapping Fragment
Attack
  • Another variation on the teardrop attack that
    also uses overlapping fragments.
  • The datagram is deliberately fragmented by the
    attacker
  • Some of the fragments are re-sent with different
    contents so that they will overwrite the original
    contents
  • The first fragment specifies a benign TCP
    destination port for the TCP packet (e.g., 80)
  • The fragment is allowed to go through the filter
    and no check is performed on the following ones
  • The attacker sends a fragment that, using a
    non-null offset, overwrites the TCP destination
    port with a different, blocked one (e.g., 23)
  • When the datagram is reassembled it will be
    delivered to the new port

91
Fragmentation Attacks - The Unnamed Attack
  • This attack is yet another variation on the
    teardrop attack that attempts to cause a denial
    of service to the victim host.
  • This time, however, the fragments are not
    overlapping but are created in such a way that
    there is a gap between the fragments.
  • This is done by manipulating the offset values so
    that parts of the datagram are skipped.
  • Some operating systems may behave unreliably when
    this exploit is used upon them.
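
The four fragmentation attacks above (Ping of Death, tiny fragment, teardrop/overlapping fragment, unnamed) are all visible to a checker that virtually reassembles the fragments of one datagram id before any payload inspection. The following is an added example, not code from the slides; the 20-byte header and the 20-byte minimum first fragment are assumed policy values, and the Ping of Death fragments are the ones from the slide above (44 fragments of 1480 bytes, then 398 bytes at offset 65120).

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20      # assumed: IP header without options
MAX_DATAGRAM = 65535    # largest value the 16-bit total length field can hold
MIN_FIRST_FRAG = 20     # assumed policy: first fragment must hold a full TCP header

@dataclass
class Fragment:
    offset: int   # fragmentation offset field, in 8-byte units as on the wire
    length: int   # payload bytes carried by this fragment
    more: bool    # "more fragments" flag

def reassembled_length(frags):
    """Length the reassembled datagram would have, IP header included."""
    return max(f.offset * 8 + f.length for f in frags) + IP_HEADER_LEN

def check_fragments(frags):
    """Findings for the fragments of one datagram id; [] means they are clean."""
    if not frags:
        return ["no fragments"]
    frags = sorted(frags, key=lambda f: f.offset)
    findings = []
    if frags[0].offset == 0 and frags[0].length < MIN_FIRST_FRAG:
        findings.append("tiny first fragment")   # tiny fragment attack
    expected = 0                                  # byte at which the next fragment should start
    for f in frags:
        start = f.offset * 8
        if start < expected and "overlap" not in findings:
            findings.append("overlap")            # teardrop / overlapping fragment attack
        elif start > expected and "gap" not in findings:
            findings.append("gap")                # unnamed attack: bytes skipped
        expected = max(expected, start + f.length)
    if reassembled_length(frags) > MAX_DATAGRAM:
        findings.append("oversize")               # Ping of Death
    if frags[-1].more:
        findings.append("incomplete")             # last fragment not seen (yet)
    return findings

def ping_of_death_fragments():
    """The fragments on the Ping of Death slide: 44 x 1480 bytes, then 398 bytes."""
    frags = [Fragment(k * 1480 // 8, 1480, True) for k in range(44)]
    frags.append(Fragment(65120 // 8, 398, False))
    return frags

if __name__ == "__main__":
    pod = ping_of_death_fragments()
    print(reassembled_length(pod), check_fragments(pod))   # 65538 ['oversize']
```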

92
ICMP Echo Request / Reply - Overview
  • Used by the ping program
  • ping 192.168.1.1
    PING 192.168.1.1 (192.168.1.1) from 192.168.1.100 : 56(84) bytes of data.
    64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=1.049 msec
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=660 usec
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=597 usec
    64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=548 usec
    64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=601 usec
    64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=592 usec
    64 bytes from 192.168.1.1: icmp_seq=6 ttl=64 time=547 usec
    --- 192.168.1.1 ping statistics ---
    7 packets transmitted, 7 packets received, 0% packet loss
    round-trip min/avg/max/mdev = 0.547/0.656/1.049/0.165 ms

93
ICMP Echo Attacks
  • ICMP Echo Request messages can be used to map the
    hosts of a network (pingscan or ipsweep)
  • ICMP echo datagrams are sent to all the hosts in
    a subnetwork
  • The attacker collects the replies and determines
    which hosts are actually alive
  • Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Host cisco-sales.ns.com (195.121.31.11) appears to be up.
    Host sales1.ns.com (195.121.31.19) appears to be up.
    Host sales4.ns.com (195.121.31.22) appears to be up.
    Host sales2.ns.com (195.121.31.43) appears to be up.
    Host sales3.ns.com (195.121.31.181) appears to be up.
    Nmap run completed -- 256 IP addresses (5 hosts up) scanned in 1 second
  • ICMP Echo Request can be used to perform a denial
    of service attack (smurf)

94
ICMP Attack Smurf - 1
  • The infamous Smurf: ICMP echo requests to a
    network broadcast address with a spoofed source
    address of the victim.
  • Hence the victim obtains several, potentially
    thousands of, replies, tying up the victim's
    network resources

95
ICMP Attack Smurf - 2
96
ICMP Redirect Attacks
  • ICMP redirect messages can be used to re-route
    traffic on specific routes or to a specific host
    (victim) that is not a router at all
  • The attack is performed by sending to a host a
    spoofed ICMP redirect message that appears to
    come from the host's default gateway
  • The attack can be used to
  • Hijack traffic
  • Perform a denial-of-service attack

97
ICMP Redirect Attacks
  • arp -n
    Address          HWtype  HWaddress
    192.168.1.1      ether   00:20:78:CA:7E:AE   (original gateway)
    192.168.1.10     ether   00:01:03:1D:98:B8   (original gw for 192.168.1.0)
    192.168.1.100    ether   08:00:46:07:04:A3   (victim)
  • C:\WINDOWS>route PRINT
    Active Routes:
    Network Address   Netmask          Gateway Address  Interface     Metric
    0.0.0.0           0.0.0.0          192.168.1.1      192.168.1.10  1
    127.0.0.0         255.0.0.0        127.0.0.1        127.0.0.1     1
    192.168.1.0       255.255.255.0    192.168.1.10     192.168.1.10  1
    192.168.1.10      255.255.255.255  127.0.0.1        127.0.0.1     1
    192.168.1.255     255.255.255.255  192.168.1.10     192.168.1.10  1
  • tcpdump -n
    8:0:46:7:4:a3 0:1:3:1d:98:b8 0800 70: 192.168.1.1 > 192.168.1.10:
    icmp: redirect 128.111.48.69 to host 192.168.1.100

98
ICMP Redirect Attacks
  • C:\WINDOWS>route PRINT
    Active Routes:
    Network Address   Netmask          Gateway Address  Interface     Metric
    0.0.0.0           0.0.0.0          192.168.1.1      192.168.1.10  1
    127.0.0.0         255.0.0.0        127.0.0.1        127.0.0.1     1
    128.111.48.69     255.255.255.255  192.168.1.100    192.168.1.10  1
    192.168.1.0       255.255.255.0    192.168.1.10     192.168.1.10  1
    192.168.1.10      255.255.255.255  127.0.0.1        127.0.0.1     1
    192.168.1.255     255.255.255.255  192.168.1.10     192.168.1.10  1
  • C:\WINDOWS>ping 128.111.48.69
    0:1:3:1d:98:b8 8:0:46:7:4:a3 0800 74: 192.168.1.10 > 128.111.48.69:
    icmp: echo request
    0:1:3:1d:98:b8 8:0:46:7:4:a3 0800 74: 192.168.1.10 > 128.111.48.69:
    icmp: echo request
    ...
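
The redirect slides give the defender the evidence needed to spot the attack: the redirect claims to come from 192.168.1.1, but the frame carries the MAC address that the ARP table associates with 192.168.1.100. The following is an added example, not code from the slides, that performs that link-layer consistency check over tcpdump-style lines; the ARP table and the first capture line are constructed from the slides' values, while the genuine redirect and echo request lines are constructed for contrast.

```python
import re

# ARP table constructed from the "arp -n" output on the slide (mixed MAC notations
# are tolerated: arp prints 00:20:78:CA:7E:AE, tcpdump prints 0:20:78:ca:7e:ae).
ARP_TABLE = {
    "192.168.1.1": "00:20:78:CA:7E:AE",    # the real default gateway
    "192.168.1.10": "00:01:03:1D:98:B8",
    "192.168.1.100": "08:00:46:07:04:A3",
}

# tcpdump line with link-layer addresses: <src mac> <dst mac> 0800 <len>: <src ip> > <dst ip>: icmp: redirect ...
REDIRECT_RE = re.compile(
    r"^(?P<smac>[0-9a-fA-F:]+) (?P<dmac>[0-9a-fA-F:]+) 0800 \d+: "
    r"(?P<sip>[\d.]+) > (?P<dip>[\d.]+): icmp: redirect (?P<target>[\d.]+) "
    r"to host (?P<newgw>[\d.]+)"
)

def normalize_mac(mac):
    """Make '8:0:46:7:4:a3' and '08:00:46:07:04:A3' compare equal."""
    return ":".join(part.zfill(2).upper() for part in mac.split(":"))

def spoofed_redirects(lines, arp=ARP_TABLE):
    """For each ICMP redirect whose source MAC is not the ARP entry of the IP it
    claims to come from, return (claimed source IP, IP owning that MAC, new gateway)."""
    by_mac = {normalize_mac(m): ip for ip, m in arp.items()}
    hits = []
    for line in lines:
        m = REDIRECT_RE.match(line.strip())
        if not m:
            continue                              # not an ICMP redirect
        expected = arp.get(m["sip"])
        if expected is None or normalize_mac(expected) != normalize_mac(m["smac"]):
            hits.append((m["sip"], by_mac.get(normalize_mac(m["smac"])), m["newgw"]))
    return hits

# Constructed capture: the spoofed redirect from the slide, a genuine redirect sent
# from the real gateway's MAC, and an unrelated echo request.
SAMPLE_CAPTURE = [
    "8:0:46:7:4:a3 0:1:3:1d:98:b8 0800 70: 192.168.1.1 > 192.168.1.10: "
    "icmp: redirect 128.111.48.69 to host 192.168.1.100",
    "0:20:78:ca:7e:ae 0:1:3:1d:98:b8 0800 70: 192.168.1.1 > 192.168.1.10: "
    "icmp: redirect 10.0.0.5 to host 192.168.1.2",
    "0:1:3:1d:98:b8 8:0:46:7:4:a3 0800 74: 192.168.1.10 > 128.111.48.69: icmp: echo request",
]

if __name__ == "__main__":
    for claimed, sender, newgw in spoofed_redirects(SAMPLE_CAPTURE):
        print(f"redirect claiming to be from {claimed} was sent by {sender}; new gateway {newgw}")
```

A host that ignores ICMP redirects altogether (a common hardening setting) needs no such check; the detector is for spotting the attempt on a segment where redirects are still honoured.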

99
ICMP Destination Unreachable
  • ICMP message used by gateways to state that the
    datagram cannot be delivered
  • Many subtypes
  • Network unreachable
  • Host unreachable
  • Protocol unreachable
  • Port unreachable
  • Fragmentation needed but don't fragment bit set
  • Destination host unknown
  • Destination network unknown
  • ...

100
Destination Unreachable Attacks
  • Forged destination unreachable messages can cut
    out nodes from the network (denial of service)

101
Attacks Comparisons
  • ICMP
  • Smurf attack
  • redirection attack
  • destination unreachable attack
  • UDP
  • spoofing at the transport layer: fraggle
  • hijack
  • storm: use of chargen

102
ICMP Time Exceeded
  • It is not an attack in itself, but is used by
    attackers to learn the properties of the network
  • Used when
  • TTL becomes zero (code 0)
  • The reassembling of a fragmented datagram times
    out (code 1)

103
Traceroute
  • ICMP Time Exceeded messages are used by the
    traceroute program to determine the path used to
    deliver a datagram
  • A series of IP datagrams are sent to the
    destination node
  • Each datagram has an increasing TTL field
    (starting at 1)
  • From the ICMP Time exceeded messages returned by
    the intermediate gateways it is possible to
    reconstruct the route from the source to the
    destination
  • Note traceroute allows one to specify loose
    source routing (-g option)
  • The tool is immensely useful (topology mapping)

104
Traceroute
  • traceroute to res-server.ns.com (195.121.32.42), 30 hops max, 38 byte packets
     1  csworld48 (128.111.48.2)  1.077 ms  0.827 ms  1.051 ms
     2  engr-gw-lo.ucsb.edu (128.111.51.1)  1.479 ms  0.855 ms  1.222 ms
     3  border1.ucsb.edu (128.111.1.83)  1.224 ms  1.375 ms  1.222 ms
     4  gsr-g-1-0.commserv.ucsb.edu (128.111.252.150)  1.357 ms  1.383 ms  1.642 ms
     5  USC--ucsb.ATM.calren2.net (198.32.248.73)  3.876 ms  4.493 ms  3.913 ms
     6  ISI--USC.POS.calren2.net (198.32.248.26)  4.401 ms  4.533 ms  4.261 ms
     7  UCLA--ISI.POS.calren2.net (198.32.248.30)  4.933 ms  4.897 ms  5.002 ms
     8  UCLA-7507--UCLA.POS.calren2.net (198.32.248.118)  5.429 ms  5.530 ms  5.384 ms
     9  corerouter2-serial6-0-0.Bloomington.cw.net (166.63.131.129)  8.562 ms  8.244 ms  7.857 ms
    10  corerouter1.SanFrancisco.cw.net (204.70.9.131)  17.563 ms  17.861 ms  17.941 ms
    11  bordercore1.SanFrancisco.cw.net (166.48.12.1)  18.108 ms  18.269 ms  17.945 ms
    12  frontier-comm.SanFrancisco.cw.net (166.48.13.242)  19.164 ms  18.749 ms  20.472 ms
    13  pos4-1-155M.cr2.SNV.gblx.net (206.132.150.233)  19.664 ms  18.666 ms  18.503 ms
    14  cisco-ns.ns.com (195.121.39.51)  19.481 ms  18.014 ms  20.472 ms
    15  res-server.ns.com (195.121.32.42)  20.401 ms  20.962 ms  19.641 ms
    16

105
UDP Spoofing
  • Basically, it is a form of IP spoofing but at
    transport layer
  • With the aid of hacking tools, it is very easy to
    perform

106
UDP Hijacking
  • Variation of the UDP spoofing attack

107
UDP Storms
  • A spoofed UDP datagram is sent to the echo
    service (7)
  • The source port is set to the chargen service
    (19)
  • The reply of the echo service is interpreted as a
    request by the chargen service
  • The reply of the chargen service is interpreted
    as a request by the echo service
  • ...
  • The same attack can be carried out using two echo
    services

108
Part 4 Measures to mitigate attacks
  • Countermeasures
  • Anti-virus scanner, enterprise virus protection,
    apply patches, user awareness education

109
Methods of detecting malicious code - 1
  • Anti-virus software
  • regularly scans the system looking for known
    signatures
  • needs to be updated as frequently as possible
  • anti-virus vendors can update signatures in a
    matter of hours after a new virus has been
    detected
  • recent approach: heuristic methods
  • flag code that looks like malware (e.g.,
    unreasonable access patterns)

110
Methods of detecting malicious code - 2
  • Application programs such as personal firewall,
    scanner, sniffer to give alarms (or display logs)
  • File size increase
  • Many unexpected disk accesses
  • Change in update or modified timestamps
  • Broadcast / multicast storm
  • Important factor: the alarm threshold
  • false triggers cause unnecessary panic

111
Enterprise virus protection - 1
  • On each client computer
  • client-based virus protection
  • On servers
  • Server-side scanners are normally run
    periodically to search for viruses, prior to the
    daily or weekly backup.
  • does not disinfect clients, so it alone is not
    sufficient for total virus protection.
  • On email gateways (servers)
  • virus scanning at email servers can prevent
    widespread transmission of a virus
  • also helps to reduce email spam
  • Modern email scanners are even capable of
    unzipping compressed attachments

112
Enterprise virus protection - 2
  • On firewalls
  • some modern firewalls include a virus-scanning
    function
  • scans all inbound communication streams for
    viruses
  • terminates the session if a virus signature is
    found
  • can prevent infection via email and Internet
    downloads.

113
Methods to secure against malicious code
  • Cover security holes in the Web browser
  • web surfing is a high security risk
  • configure the web browser to block executable
    content
  • avoid active scripting, JavaScript, ActiveX, Java
    etc.
  • Cover security holes in the Operating System and
    other application programs.
  • apply patches
  • User awareness and education
  • a new virus cannot be detected by anti-virus
    software
  • only the vigilance of users (and administrators)
    is the best approach
  • Adopt an Information Security Management System
    (ISMS)
  • a systematic, documented system that addresses ALL
    issues concerning the CIA (confidentiality,
    integrity, availability) of information, e.g.
    BS7799

114
Summary - 1
  • Type of threats structured and unstructured
  • Source of threats internal and external
  • type of hackers
  • hacker, cracker and script kiddie
  • white hat, grey hat, bad hat
  • Reconnaissance
  • Passive: sniffing
  • Active: port-scanning
  • Ways to exploit the System
  • Gaining Access
  • Elevation of Privileges
  • Denial of Services

115
Summary - 2
  • Countermeasures
  • Anti-virus scanner, enterprise virus protection,
    apply patches, user awareness education