Adversarial Threats to Your Information System - PowerPoint PPT Presentation

1 / 172
About This Presentation
Title:

Adversarial Threats to Your Information System

Description:

... USE YOUR WORK OR BUSINESS ACCOUNT TO DOWNLOAD THE TOOLS OR SURF THE HACKER SITES! ... Tools like Nmap allow us to inventory open ports in a variety of ways. ... – PowerPoint PPT presentation

Number of Views:487
Avg rating:3.0/5.0
Slides: 173
Provided by: ecs4
Category:

less

Transcript and Presenter's Notes

Title: Adversarial Threats to Your Information System


1
Adversarial Threats to Your Information System
  • Dr. Leonard Popyack
  • Syracuse University
  • 2002

Popyack_at_rl.af.mil
2
A malicious hacker or adversary has many items
working in his favor. What are some of the
threats he poses to you and your information
systems? You may be surprised at how many of
these threats are controllable by your INFOSEC
team. This seminar takes the perspective of an
adversary and shows some immediate and long term
remedies for each threat. In some cases there is
no easy solution, but it is important for you to
recognize these threats. We will explore all
phases of an attack and show how wireless LANs
play a part in these attacks.
3
Stages of An Attack
  • Target Selection
  • Reconnaissance
  • Penetration
  • Internal operations, Keeping the connection

4
Overview
  • Reconnaissance
  • Scanning
  • War dialers War Driving
  • Port scanning and mapping
  • Firewall filters and Firewalk
  • Vulnerability Scanners

5
Overview
  • Exploit the System
  • Gaining Access
  • Denial Of Service (DOS) tools
  • Application level Attacks
  • Keeping Access
  • BO2K
  • Rootkits
  • Knark
  • Covert Channels Backdoors

6
Purpose
  • The purpose of this lecture is to understand
    certain attack methods ... ...so we can implement
    effective defense strategies
  • We must protect our systems
  • How can we create effective defenses?
  • That's the real reason we're here
  • Why these look at these tools techniques?
  • Because they are in widespread use right now
  • They provide us fundamental information about the
    principles the attackers are employing.
  • They illustrate what we need to do to defend
    ourselves
  • Some of them are pretty Kewl! Some are VERY
    NASTY!

7
Note!
  • Individual tools may run on UNIX or Windows...
  • We will cover attack concepts that can be applied
    against Windows NT, UNIX, or other platforms
    (Novell, VAX, MVS, etc.)
  • I've included links to tools -- Use at your own
    risk!
  • They could harm your network in unexpected ways
  • Review the source code... Is this legit?
  • Experiment on a test network, separated from
    production and office or campus systems. This is
    not hard to do!
  • Also, DONT USE YOUR WORK OR BUSINESS ACCOUNT TO
    DOWNLOAD THE TOOLS OR SURF THE HACKER SITES! Why?

8
General Trends of Exploits
  • What are we seeing in the wild?
  • Hacker tools are getting easier to use and more
    easily distributed
  • The rise of Hacker groups as distribution houses
    for software
  • The LOpht and Cult of the Dead Cow
  • High-quality, extremely functional hacker tools
  • Better quality than from some major software
    houses

9
General Trends
  • Excellent communication through the computer
    underground to Chat, web, informal grouping, and
    hacker Computer and Network Conferences
  • With the rise of these hacker groups, a lot more
    information about security is available to the
    general public. The less-informed attackers
    (often called "script kiddies" or "ankle biters")
    will use this information in attacks. We must use
    this information to defend ourselves. I've
    included several references at the to help you
    stay informed.

10
General Trends
  • Used to be many different types of systems out
    there (the computer room)
  • Now, we have a smaller number of systems types
    (Windows, Linux, MacOS, SunOS, FreeBSD, Palm,
    etc)
  • They are distributed everywhere!
  • Less experience users and administrators
  • One virus or attack can jeopardize vast number of
    systems (Morris worm, Melissa Virus, I LOVE YOU,
    Nimda)
  • Home Laboratories are easy and inexpensive to set
    up for the hacker!

11
NEVER
  • UNDERESTIMATE
  • YOUR
  • ADVERSARY!!!

12
Your Adversaries Advantages
  • He can use multiple sources for his attack
  • His attack can be timed to be inconvenient for
    you (Friday before a 3-day holiday, Christmas
    Eve, During your company picnic,)
  • He has the ability to corral greater media
    attention
  • Increased sense of hero complex when a hacker
    brings down a large company.

13
Two Attack Forms
  • Zero-Knowledge Attack
  • No knowledge from the inside of your organization
    is know before the attempt is made to target your
    company (your assets, intellectual property,
    finances, or other)
  • Knowledgeable, perhaps by use of an inside, or
    from an insider
  • An inside, either implanted or home grown has
    decided to gather information to be used for
    targeting your organization.

14
Reconnaissance
15
Reconnaissance
  • An attacker will gather as much information as he
    can about you, your company, your people, your
    computers, your network, and your physical
    security.
  • Your network
  • You may not know it, but there is already much
    information about you out there.
  • An adversary will use all data mining possible.

Reconnaissance
16
Open information
  • American Registry for Internet Numbers
  • Who owns particular IP address (Whois)
  • (http//www.arin.net/whois/arinwhois.html)
  • DNS Interrogation (use nslookup)
  • Targets own web site (crawl it a lot of info
    can be gathered by crawling names, e-mail
    address, phone numbers, branches of the
    organization, trusted relationships)
  • programs Websnake, Webzip, curl
  • Search Engines, web searches
  • can show trusted relations (for example, you may
    show up on a customer list, your web designer may
    use you as a reference)

Reconnaissance
17
(No Transcript)
18
(No Transcript)
19
(No Transcript)
20
(No Transcript)
21
(No Transcript)
22
(No Transcript)
23
Open Information
  • Usenet news postings (Deja.com) GOOGLE
  • FlippingRelated pages which link use
    altavista, and search for linkwww.target.com
  • (Hotbot linkdomainwww.target.com)
  • Example on altavista, linkcisco.com AND
    titleresume if you are looking for resumes of
    cisco engineers.

Reconnaissance
24
Open Information
  • X-Raying finding areas in a company web page not
    normally accessible. How? In Altavista, host or
    url followed by keywords or names.
  • Example hostlucent.com and business
    development

Reconnaissance
25
Open Information
  • Peeling many times there is more information
    embedded within really long URLs. Peel off some
    of the junk and look for web addresses or
    secondary addresses, and unique areas.
  • Example http//www.lucent.com/web1.lucent.com/re
    sumes/kramerz.html
  • http//anon.free.anonymizer.com/http//www.snowmap
    s.com

Reconnaissance
26
Open Information
  • Anchor Searches Anchor labels may be informative
    in searching for targets.
  • Example You can search the anchors by using a
    search engine and using anchor view resumes
  • Harvesting pick out and use keywords in related
    documents then use meta search engines (like
    alltheweb.com, mamma.com, dogpile.com)

Reconnaissance
27
Open Information
  • Peer searches once you find specific information
    or specific people, conduct peer searches using
    the Meta search engines.
  • Example Jon Doe bank manager doej_at_bank.com
  • use dogpile and look for all other references to
    doej_at_bank.com
  • Might turn up doej is into drag racing and a
    common dialog could be established.

Reconnaissance
28
Open Information
  • Open a phony e-mail account. Send e-mail to
    insiders. (The return e-mail headers can tell
    you loads of info about the inside systems!)
  • DATA-MINING!!!! Company, people, trusted
    relationships, mailing lists
  • Capability to connect to company DNS server (pull
    down all registered domains at a site!)

Reconnaissance
29
Scanning
  • finding weak points

30
WAR Dialing
  • Named for the dialer in the movie Wargames
  • An attacker is trying to find a backdoor into
    your network. A modem which is used for remote
    access.
  • This might be the easiest point of penetration!
  • The telephone numbers gathered in the recon phase
    are a good starting point!
  • Phreaking is looking for voice back doors,
    whereas hacking is looking for network access
    backdoors.

Scanning
31
WAR Dialing
  • War dialers dial a sequence of telephone numbers
    attempting to locate modem carriers or a
    secondary dial tone
  • demon Dialers is another name
  • Phone Numbers come from
  • Phone book, InterNIC data, WebCrawl, mailing
    lists, newsgroups, social engineering I am from
    the phone company and I need to verify what
    numbers you folks are using for data lines

Scanning WAR Dialers
32
WAR Dialer Software
  • The Hackers Choice 2.0
  • A-DIAL (Auto Dial) by VeXaTiOn, 1995
  • Deluxe Fone-Code Hacker by The Sorceress KHAIAH
    1985
  • Dialing Demon version 1.05 by Tracy McKibben 1988
  • Doo Tools version 1.10, by Phantom Photon 1991
  • PBX Scanner Version 5.0, by Great White 1989
  • SuperDialer 1.03 by Evan Anderson 1990
  • ToneLoc 1.10 by Minor Threat Mucho Maas 1994
  • X-DialerR by ICiKl 1996
  • Z-Hacker 3.21, by BIackBeard 1991

Scanning WAR Dialers
33
The Hackers Choice 2.0
  • THC-Scan 2.0 The Hacker's Choice (THC)
  • Written by Van Hauser released 12/98
  • Essentially an updated to the very venerable
    ToneLoc (by Mucho Maas and Minor Threat, 1994)
  • Available at http//thc.infemo.tusculum.edu
  • THC-Scan is one of the most full featured,
    non-commercial, war dialing tools available
    today.

Scanning WAR Dialers
34
The Hackers Choice 2.0
  • A convenient statistic is the number of lines
    dialed per hour. With a single machine and a
    single modem, we typically do 100 to 125 lines
    per hour. This is a useful metric in determining
    how long it will take to dial large numbers of
    lines.

Scanning WAR Dialers
35
Ok, I found the numbers
  • You found a number of modems. What do you do
    now??
  • Review the war dialer logs and look for familiar
    login prompts or even warning banners
  • Connect to each discovered modem
  • Often times, you will find a system without a
    password
  • PCAnywhere for a clueless user -- you're in,
    baby!
  • Old, neglected machine still on the network
  • A Router!!!!!
  • If there is a userID/password prompt, guess
  • Make it an educated guess, based on the system
  • What are default accounts/passwords?
  • What are common things associated with the target?

Scanning WAR Dialers
36
Try these Username/passwords!
  • Root
  • sync
  • bin
  • nobody
  • operator
  • manager
  • Admin
  • Administrator
  • System
  • days of the week
  • COMPANY NAME
  • COMPANY PRODUCT
  • Custom dictionaries built from company keywords
    and acronyms

Scanning WAR Dialers
37
WAR Dialer Defense
  • An effective dial-up line and modem policy is
    crucial
  • Inventory all dial-up lines with a business need
  • Activate scanning detection functionality in your
    PBX, if available
  • Telewalls A firewall for phones
  • Conduct war dialing exercises against your own
    network
  • reconcile your findings to the inventory
  • Utilize a commercial war dialer
  • Sandstorm's Phonesweep or ISS's Telephony Scanner
  • Toneloc or THCScan (Free)
  • Conduct periodic desk-to-desk checks in the
    evenings
  • Use two people for this (buddy system)

Scanning WAR Dialers
38
WAR Driving
  • IEEE 802.11b Wireless Networks

39
(No Transcript)
40
(No Transcript)
41
(No Transcript)
42
(No Transcript)
43
(No Transcript)
44
(No Transcript)
45
(No Transcript)
46
(No Transcript)
47
(No Transcript)
48
(No Transcript)
49
(No Transcript)
50
(No Transcript)
51
Port Scanning

52
TCP/IP Handshake
  • TCP/IP 3-way Handshake establishes a connection
    to a port

Scanning Port Scanning

All legitimate Transmission Control Protocol
(TCP) connections (e.g., HTTP, telnet, ftp, etc.)
are established through a three-way handshake.
65,535 TCP ports, 65,535 UDP ports (no 3-way with
UDP)
53
Three Way Handshake
1 Send SYN seqx
2 Send SYN seqy, ACK x1
3 Send ACK y1
The handshake allows for the establishment of
sequence numbers (x or y are ISN Initial
Sequence Number) between the two systems. These
sequence numbers are used so that TCP can provide
for reliable packet delivery in sequential order.
Sequence numbers are used for sequencing and
retransmissions.
54
Port Scanners
  • Scan all 65,535 (times 2) ports
  • Find tcp 80, web server
  • Find tcp 23, telnet server
  • Find udp 53, DNS server
  • Find tcp 6000, X Window server
  • etc.
  • Nmap is a very useful tool with advanced scanning
    capabilities
  • Available at hftp//www.insecure.org/nmap

Scanning Port Scanning
55
Port Scanners
  • By scanning each port, we can determine what is
    listening on the box, and find ways to get in.
    Tools like Nmap allow us to inventory open ports
    in a variety of ways. Numerous other port
    scanners are available, including
  • strobe
  • Probe
  • etcp
  • Nmap is the most fully featured of all of these
    tools.
  • The ISS and CyberCop commercial scanners also
    include port scanning capabilities.

Scanning Port Scanning
56
Open Port Information
  • With a list of open ports, the attacker can get
    an idea of which services are in use by
    consulting RFC 1700. Also, particular exploits
    for these services can be found at
  • http//www.technotronic.com.
  • the attacker can devise his/her own
  • exploits!
  • http//www.iana.org

Scanning Port Scanning
57
An NMAP scan
NMAP
  • Allows for conducting numerous types of scans
  • "Vanilla" TCP scans
  • Connect to every port, with 3-way handshake
  • SYN scans (aka "half-open" scans)
  • Only do initial SYN
  • Harder to detect and much quicker
  • FIN scans
  • Stealthy and bypass some filters
  • SYN scan using IP fragments
  • Bypass some packet filters... Yes!
  • UDP Scanning
  • FTP Proxy "Bounce Attack" Scanning
  • RPC Scanning
  • TCP Sequence prediction test
  • ACK scanning
  • Xmas Tree
  • NULL scan

Scanning Port Scanning
58
NMAP scan FTP Proxy Bounce
NMAP
  • FTP Proxy "Bounce Attacks" utilize an ancient
    feature of FTP servers. These servers allow a
    user to tell the server to send the file to
    another system. Using this capability, an
    attacker can bounce an NMAP port scan off of
    someone's FTP server, to help obscure the source
    of the attack.
  • You should make sure that you disable the FTP
    Bounce capability from your public FTP servers.

Scanning Port Scanning
59
NMAP TCP Stack Fingerprinting
NMAP
  • Attempts to determine the operating system of
    target by sending various packet types and
    measuring the response
  • This concept originated with a tool called QueSO,
    available at hftp//www.apostols.org/projectz/que
    so

Scanning Port Scanning
60
NMAP TCP Stack Fingerprinting
NMAP
  • Nmap does various types of tests to determine the
    platform
  • TCP Sequence Prediction
  • SYN packet to open port
  • NULL packet to open port
  • SYNFINURGPSH packet to open port
  • ACK packet to open port
  • SYN packet to closed port
  • ACK packet to closed port
  • FINPSHURG packet to closed port
  • UDP packet to closed port

Scanning Port Scanning
61
TCP Stack Fingerprinting
NMAP
  • Note that each TCP stack implementation may have
    a very unique signature to how it behaves,
    particularly when confronted with various illegal
    combinations of TCP flags and packets!
  • This information is used to identify the target
    system.
  • NMAP has a data base of how various systems
    respond to these illegal flags. NMAP can
    determine what system you are running!!!

Scanning Port Scanning
62
TCP Stack Fingerprinting
NMAP
  • Based on the TCP stack response, Nmap can
    identify over 400 types and versions of systems,
    including
  • Windows 3.1, 3.11, 95, 98, NT (SP 1-4 or 5-6)
  • Win2000
  • Solaris 2.x AIX
  • Cisco IOS
  • Linux
  • 3Com products

Scanning Port Scanning
  • NetBSD, FreeBSD
  • MacOS
  • VAX/VMS / Open VMS
  • HP/JetDirect
  • HP-UX
  • SCO UNIX
  • IRIX

63
TCP Stack Fingerprinting
NMAP
  • Customizable database so the hacker can add his
    own information signatures
  • Using this information, an attacker can focus an
    attack!!!
  • An NT Portscanner -- SuperScan

Scanning Port Scanning
64
NMAP Demo
Scanning Port Scanning
  • Superscanner demo

65
NMAP Scans
bash-2.04 sudo nmap Nmap V. 2.54BETA29 Usage
nmap Scan Type(s) Options lthost or net
listgt Some Common Scan Types ('' options require
root privileges) -sT TCP connect() port scan
(default) -sS TCP SYN stealth port scan (best
all-around TCP scan) -sU UDP port scan -sP
ping scan (Find any reachable machines)
-sF,-sX,-sN Stealth FIN, Xmas, or Null scan
(experts only) -sR/-I RPC/Identd scan (use with
other scan types) Some Common Options (none are
required, most can be combined) -O Use TCP/IP
fingerprinting to guess remote operating system
-p ltrangegt ports to scan. Example range
'1-1024,1080,6666,31337' -F Only scans ports
listed in nmap-services -v Verbose. Its use is
recommended. Use twice for greater effect. -P0
Don't ping hosts (needed to scan
www.microsoft.com and others)
-Ddecoy_host1,decoy2,... Hide scan using many
decoys -T ltParanoidSneakyPoliteNormalAggress
iveInsanegt General timing policy -n/-R Never
do DNS resolution/Always resolve default
sometimes resolve -oN/-oX/-oG ltlogfilegt Output
normal/XML/grepable scan logs to ltlogfilegt -iL
ltinputfilegt Get targets from file Use '-' for
stdin -S ltyour_IPgt/-e ltdevicenamegt Specify
source address or network interface
--interactive Go into interactive mode (then
press h for help) Example nmap -v -sS -O
www.my.com 192.168.0.0/16 '192.88-90..' SEE THE
MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND
EXAMPLES
66
bash-2.04 sudo nmap -sS -O -v www.snowmaps.com S
tarting nmap V. 2.54BETA29 ( www.insecure.org/nmap
/ ) Host (207.198.14.42) appears to be up ...
good. Initiating SYN Stealth Scan against
(207.198.14.42) Adding open port 25/tcp Adding
open port 53/tcp Adding open port 80/tcp Adding
open port 22/tcp Adding open port 3306/tcp Adding
open port 110/tcp The SYN Stealth Scan took 8
seconds to scan 1548 ports. For OSScan assuming
that port 22 is open and port 1 is closed and
neither are firewalled
www.snowmaps.com
67
Interesting ports on (207.198.14.42) (The 1542
ports scanned but not shown below are in state
closed) Port State Service 22/tcp
open ssh 25/tcp open
smtp 53/tcp open domain 80/tcp
open http 110/tcp open
pop-3 3306/tcp open mysql Remote
operating system guess FreeBSD 2.2.1 - 4.1 TCP
Sequence Prediction Classrandom positive
increments
Difficulty34067 (Worthy challenge) IPID Sequence
Generation Incremental Nmap run completed -- 1
IP address (1 host up) scanned in 10
seconds bash-2.04
www.snowmaps.com
68
bash-2.04 sudo nmap -sS -O -v 24.49.192.77 Start
ing nmap V. 2.54BETA29 ( www.insecure.org/nmap/
) Host ny-utica3b-77.aburny.adelphia.net
(24.49.192.77) appears to be up ...
good. Initiating SYN Stealth Scan against
ny-utica3b-77.aburny.adelphia.net
(24.49.192.77) The SYN Stealth Scan took 594
seconds to scan 1548 ports. Warning OS
detection will be MUCH less reliable because we
did not find at least 1 open and 1 closed TCP
port All 1548 scanned ports on ny-utica3b-77.aburn
y.adelphia.net (24.49.192.77) are filtered Too
many fingerprints match this host for me to give
an accurate OS guess TCP/IP fingerprint SInfo(V2
.54BETA29Pi686-pc-linux-gnuD11/5Time3BE6CB47
O-1C-1) T5(RespN) T6(RespYDFNW0ACKOFl
agsROps) T7(RespN) PU(RespN) Nmap run
completed -- 1 IP address (1 host up) scanned in
633 seconds bash-2.04
24.49.192.77
69
bash-2.04 sudo nmap -sS -O -P0 -v
24.24.27.115 Starting nmap V. 2.54BETA29 (
www.insecure.org/nmap/ ) Host syr-24-24-27-115.twc
ny.rr.com (24.24.27.115) appears to be up ...
good. Initiating SYN Stealth Scan against
syr-24-24-27-115.twcny.rr.com (24.24.27.115) The
SYN Stealth Scan took 2008 seconds to scan 1548
ports. Warning OS detection will be MUCH less
reliable because we did not find at lea st 1 open
and 1 closed TCP port All 1548 scanned ports on
syr-24-24-27-115.twcny.rr.com (24.24.27.115) are
filt ered Too many fingerprints match this host
for me to give an accurate OS guess TCP/IP
fingerprint SInfo(V2.54BETA29Pi686-pc-linux-gn
uD11/5Time3BE6DB03O-1C-1) T5(RespN) T6(Re
spN) T7(RespN) PU(RespN) Nmap run completed
-- 1 IP address (1 host up) scanned in 2192
seconds bash-2.04
24.24.27.115
70
bash-2.04 sudo nmap -sS -O -v www.webtag.net Sta
rting nmap V. 2.54BETA29 ( www.insecure.org/nmap/
)Host (206.74.229.14) appears to be up ...
good.Initiating SYN Stealth Scan against
(206.74.229.14)Adding open port 80/tcpAdding
open port 110/tcpAdding open port 21/tcpAdding
open port 106/tcpAdding open port 53/tcpAdding
open port 23/tcpAdding open port 25/tcpAdding
open port 1112/tcpAdding open port
513/tcpAdding open port 79/tcpAdding open port
514/tcpThe SYN Stealth Scan took 26 seconds to
scan 1548 ports.For OSScan assuming that port 21
is open and port 1 is closed and neither are
firewalled Interesting ports on
(206.74.229.14)(The 1536 ports scanned but not
shown below are in state closed) Port
State Service21/tcp open
ftp23/tcp open telnet25/tcp open
smtp53/tcp open domain79/tcp
open finger80/tcp open
http106/tcp open pop3pw110/tcp
open pop-3139/tcp filtered
netbios-ssn513/tcp open login514/tcp
open shell1112/tcp open msql
Remote operating system guess Solaris 2.6 -
2.7Uptime 1.453 days (since Sun Nov 4 035609
2001)TCP Sequence Prediction Classrandom
positive increments
Difficulty22872 (Worthy challenge) IPID Sequence
Generation Incremental Nmap run completed -- 1
IP address (1 host up) scanned in 37
seconds bash-2.04
www.webtag.net
71
(No Transcript)
72
Port Scanner Defense
  • Close All unused ports!
  • Unix /etc/inetd.conf also /etc/rc3.d (xinetd
    daemon)
  • Windows NT disable all unnecessary services by
    uninstalling them or shutting them off in the
    services control panel
  • Windows 2000 restrict ports, shut off services

Scanning Port Scanning
73
Port Scanner Defense
  • Utilize an Intrusion Detection System (IDS)
  • Commercial
  • ISS RealSecure
  • Cisco NetRanger
  • Network Flight Recorder
  • More
  • Freeware
  • Snort

Scanning Port Scanning
74
Firewall Attacks
FireWalk
  • Firewalk allows an attacker to determine which
    ports on a (packet filter) firewall are open
  • Written by David Goldsmith and Michael Schiffman,
    October 1998, and available at http//packetstorm.
    securify.com/UNIX/audit/firewalk
  • Based on ideas originally used in traceroute, a
    tool that determines the path of packets using
    the IP Time-To-Live (TTL) field

Scanning -- FireWalk
75

Scanning -- FireWalk
76
(No Transcript)
77
(No Transcript)
78
(No Transcript)
79
  • Firewalk determines the filtering rules
    associated with packet filters (either for a
    host-based packet filter firewall or router
    access control lists). Firewalk does not work
    against pure proxy-based firewalls, because
    proxies do not forward packets. Instead, a proxy
    application absorbs packets on one side of the
    gateway and regenerates packets on the other
    side. Packet filters actually forward the same
    packets, after applying filtering rules.

Scanning -- FireWalk
80
Firewalk phases
  • Given this info, firewalk operates in two phases
  • Network Discovery Phase
  • Scanning Phase
  • The Network Discovery Phase essentially does a
    traceroute to determine the hop count to the last
    gateway (router) before the filtering takes place

Scanning -- FireWalk
81
TTL4
Time to Live Exceeded
TTL3
Time to Live Exceeded
Attacker
IP10.2.1.10
TTL1
Firewall
Time to Live Exceeded
TTL2
IP10.1.1.1
Time to Live Exceeded
82
During the network discovery phase, Firewalk
sends packets with incrementing TTLs to determine
how many network hops exist between the tool and
the firewall. When a packet reaches its maximum
TTL (which is decremented by each hop), the final
gateway sends back a Time-to-live exceeded
message.
Attacker
IP10.2.1.10
This is essentially the same function as
traceroute, used to determine the hop count. Once
this number is determined, the tool can conduct
the scanning phase.
Firewall
IP10.1.1.1
83
TTL4, TCP Port 1
TTL4, TCP Port 2
TTL4, TCP Port 3
TTL4, TCP Port 4
TTL4, TCP Port 80
Time to Live Exceeded!!!
Attacker
IP10.2.1.10
Port 80 is unfiltered!!!!!
Firewall
IP10.1.1.1
84
Firewalk Defenses
  • 1) Just live with it accept the fact that
    someone could map your network and determine your
    firewall filtering rules
  • 2) Disallow ICMP TTL Exceeded messages from
    leaving your internal network May cause
    problems! Network diagnostics may not work, and
    your users may want to traceroute(quite a
    reasonable idea for sensitive networks), NAT
  • 3) Use a proxy server instead of a packet filter
  • Packet filters have IP forwarding on, so the
    packets traverse them and "live on
  • Proxies are an end point of the connection the
    packets are not forwarded, so their life ends
    upon reaching the proxy
  • Possible performance implications

Scanning -- FireWalk
85
Vulnerability Scanners

86
(No Transcript)
87
Vulnerability Scanners
  • SATAN is the granddaddy of these tools (saint,
    sara SANTASATAN)
  • Many commercial derivatives
  • ISS's scanner
  • Network Associates' CyberCop
  • Cisco's NetSonar
  • These are all tools to help to map a network,
    scan for open ports, and find various
    vulnerabilities
  • They generate nice looking reports for
    management
  • The tools test against a list of known exploits
  • What about the unknown?
  • That's why we want to have security in-depth!
  • Use a multi-layered, sound architecture

Vulnerability Scanning
88
More Tips
  • Be careful with password guessing modules. They
    may lock out legitimate users! You may want to
    disable these modules from running across the
    network and use password cracking software on the
    local system files to find weak passwords.Use
    L0pht cracker or others Look on your CD under
    password crackers.

Vulnerability Scanning
89
Scanner Limitations
  • Vulnerability scanning tools are extremely useful
    because they automate security checks across a
    large number of systems over the network.
    However, please understand their limitations!
  • The tools only check for vulnerabilities that
    they know. They cannot find vulnerabilities that
    they don't understand.
  • The tools tend to be very dumb and flat -- they
    look for vulnerabilities.
  • A real attacker will apply a great deal of
    intelligence to try to reverse engineer your
    network.
  • Instead of just looking at the outside
    interfaces, the intelligent attacker will try to
    understand what's going on behind them.

Vulnerability Scanning
90
Nessus
  • Nessus is a free, open-source general
    vulnerability scanner
  • It is used by the white hat community (security
    folks) and the black hats (malicious hacker)
  • Facts
  • Project started by Renaud Deraison
  • Available at hftp//www.nessus.org
  • Consists of a client and server, with modular
    plugins for individual tests

Vulnerability Scanning
91
Nessus
  • Nessus is a very useful tool, and has some
    advantages over the commercial tools
  • You can review the source-code of the main tool
    and any of the security checks to make sure that
    nothing "fishy" is going on.
  • You can write your own tests and incorporate them
    into the tool
  • A large group of developers is involved around
    the world creating new tests
  • The price! US 0.00

Vulnerability Scanning
92
Configure and monitor
Vulnerability Scanning
scan
Server has numerous plug-ins with various tests
93
(No Transcript)
94
Nessus
  • The client and server can be on the same machine.
    (you can put it all on a laptop)
  • Information between the client and the server can
    be encrypted
  • Large number of plug-ins available for the
    server, each testing for specific vulnerabilities
    in the target.

Vulnerability Scanning
95
Nessus - Platform
  • Server
  • FreeBSD, Linux, and Solaris
  • Client
  • FreeBSD, Linux, Solaris
  • Windows 95/98/NT 2000
  • Java (can run on Macs, anything)
  • Remember, both Client and Server can be on the
    same machine.
  • For serious work with Nessus, use Nessus on Unix

Vulnerability Scanning
96
Nessus - Plugins
  • Separate plug-in for each type of attack
  • There is a defined API for writing Nessus
    plug-ins
  • Currently, plug-ins written in C
  • Or, plugins can be written in the Nessus Attack
    Scripting Language (NASL)
  • One plugin is in charge of doing one attack and
    to report the result to the nessus server
    (nessusd).
  • Each plugin can use some functions of the Nessus
    library, called libnessus.
  • CVS version and daily snapshots are available.
  • As of November, 2000
  • Over 300 UNIX plug-ins
  • 90 Windows NT plug-ins
  • Make sure you check those MD5 hashes!!! (so you
    dont load a Trojan plugin!!!!!)
  • A very nice capability of Nessus is the ability
    to write your own plug-ins, a capability not
    supported in the major commercial scanners.

Vulnerability Scanning
97
Nessus GUI
You can configure -port for the client to server
comm -Encryption algorithms -Target
systems -which plugins to use -port ranges and
types of scans -email address for report
Vulnerability Scanning
98
Nessuss report of Test server before Attack
99
Vulnerability Scanners - Defense
  • Close all unused ports Shut off all unneeded
    services
  • In Windows NT, stop or delete services in
    services control panel
  • In UNIX, edit /etc/inetd.conf and rc.d files
  • Apply all system patches
  • Keep up to date!
  • Utilize an Intrusion Detection System
  • Network-based IDS
  • Commercial ISS ReaISecure, Cisco NetRanger,
    Network Flight Recorder, Dragon, etc.
  • Freeware Snort

Vulnerability Scanning
100
Exploiting Systems
  • Gaining Access
  • Denial of Service
  • Application Level Attacks
  • Stealthy Attacks

101
Gaining Access
  • IP Address Spoofing
  • IP Fragmentation Attacks, FragRouter
  • Sniffing (Sniffit)
  • Session Hijacking (Hunt)
  • DNS Cache Poisining (Jizz)
  • Web Hijacking
  • Netcat and other Hack tools

Exploiting Systems
102
IP Address Spoofing
  • Spoofing Pretending to be someone else
  • IP address spoofing is quite common in a number
    of attacks
  • Foiling systems that utilize IP addresses for
    control
  • Router access control lists
  • Firewalls
  • Trust relationships (particularly, UNIX
    r-commands)
  • Denial of Service
  • Logs

Exploiting Systems
103
IP Spoofing
  • IP Spoofing can be trivial or very complex
  • Option 1 Change the IP address
  • Option 2 IP Address Spoofing and Trust
    Relationship Attacks
  • Option 3 IP Address Spoofing and Source Routing

Exploiting Systems
104
Option 1
  • I can change my IP address to anything I want...
  • UNIX ifconfig eth0 w.x.y.z
  • Windows use network control panel
  • Yes, but... You won't get responses to your
    messages, because the network won't route the
    responses back to you you
  • Also, the TCP 3-way handshake will cause you
    problems
  • You'll get a RESET message from the real system,
    unless ....

Exploiting Systems IP Spoofing
105
Recall the Three Way Handshake
1 Send SYN seqx
2 Send SYN seqy, ACK x1
3 Send ACK y1
The handshake allows for the establishment of
sequence numbers (x or y are ISN Initial
Sequence Number) between the two systems. These
sequence numbers are used so that TCP can provide
for reliable packet delivery in sequential order.
Sequence numbers are used for sequencing and
retransmissions.
106
Option 1 Simple SpoofingChange Address
When the spoofee sends the 2nd leg of the 3-way
handshake, the system who's address is being
spoofed will send a RESET message. The RESET
message says, essentially, "Hey! I'm not having a
conversation with you .... Leave me alone!"
SYN ( A, ISNa)
Eve
ACK(A, ISNa) SYN(B, ISNb)
RESET!!
107
Option 2 Exploit Trust
  • We can take over a system with IP Address
    spoofing by Eve exploiting the UNIX trust
    relationships
  • A variant of this attack was used by Kevin
    Mitnick against Tsutomu Shimomura in December,
    1994
  • Sadly, it's still a useful technique today
  • Mostly on intranets, because properly implemented
    firewalls have helped to stop this attack across
    the Internet

Exploiting Systems IP Spoofing
108
Exploit Trust
  • The "random" sequence number sent by Bob (ISNb)
    is often predictable
  • Eve can interact with Bob and, based on careful
    timing, predict future sequence numbers with some
    level of accuracy
  • This gives Eve a one-way channel to Bob
  • And Bob will think Eve is Alice!!! That's a
    spoof!
  • Great!!! But... What about Alice's RESET?
  • You take Alice out of the picture for a while...
    Denial of Service

Exploiting Systems IP Spoofing
Eve can have an open channel to Bob. She can
quickly reconfigure Bob so that Eve has full
access, without spoofing.
109
IP Sequence Prediction
110
Option 2 Exploit Trust
  • Now Eve has an open channel to Bob
  • Eve (posing as Alice) can feed commands to Bob
  • Eve can use rsh command to add the real Eve to
    the trust relationship of Bob. How? Concatenate
    to /etc/hosts.equiv or simply add her name.
    UNIX only.
  • Eve will see no replies from Bob, however, Alice
    cannot respond (due to DoS)
  • For a short time, Eve looks like Alice to Bob
  • Eve must fly blind, but can re-configure Bob.

Exploiting Systems IP Spoofing
111
Option 3 Source Routing
  • this attack is simpler than option 2... and
    platform independent (Option 2 required UNIX
    trust relationships)
  • Just use source routing ....
  • With a source that appears to come from the
    spoofed address
  • ...and a path that includes the "spoofer" --
    (i.e., the attacker)
  • All packets will follow the path
  • And responses will, too
  • This method for IP address spoofing is based on
    source routing. Source routing is an option in IP
    that allows the source of a packet to specify the
    path it will take on the network. Each router hop
    is included in the packet's header.

Exploiting Systems IP Spoofing
112
Source Routing
For this attack, Eve generates a source-routed
packet that appears to come from Alice (that's
the spoof). The packet contains a fake route list
that includes Eve's address. Note that the route
list is correct for all routers between Even and
Bob. Routers before Eve are irrelevant. Eve sends
this packet on the network. If the network allows
source routed traffic, the packet will follow
Eve's specified path to deliver the packet to
poor Bob. Bob will take action on the packet
(complete the TCP 3-way handshake, or whatever)
and send the response, source routed back to
Eve. Eve will intercept the packet, rather than
transmitting it back to Alice .... There you go!
Eve can get the responses from Bob while spoofing
Alice's address.
Route 1.Alice2.Router X3.Eve4.Router
Y5.Bob PACKET CONTENTS
Eve
Route 1.Bob2.Router Y3.Eve4.Router
X5.Alice PACKET CONTENTS
113
IP Address Spoofing Defenses
  • Make the Initial Sequence Numbers truly random
    Need to install patches for TCP/IP stacks
  • Be careful with trust relationships Do not extend
    trust outside of firewall
  • Either UNIX or Windows NT trust relationships
  • Don't base authentication on IP addresses
  • Utilize passwords, crypto, or other techniques
  • Replace very weak r-commands with stronger
    commands
  • ssh, or its freeware cousins (lsh)
  • Utilize anti-spoof filters at routers and
    firewalls
  • Do not allow source routed packets through
    network gateways
  • Internet gateways (firewalls) and business
    partner connections

Exploiting Systems IP Spoofing
114
NEVER
Never use source routing in Firewalls, routers,
or any gateway system!
115
IP Fragmentation Attacks

116
IP Fragmentation
  • Useful in getting around packet filters in
    routers and firewalls
  • Also useful in avoiding detection by
    network-based Intrusion Detection Systems (IDSs)
  • Recall how packet filtering (firewall) works...
  • It allows tcp source_address to
    destination_address using a specific port number
  • implicitly denies all other

Penetration IP Fragments
117
Port 23
Attacker
Port 80
Penetration IP Fragments
IP10.2.1.10
IDS
Firewall
IP10.1.1.1
118
IP Fragmentation Attacks
  • IP allows packets to be broken down into
    fragments for more efficient transport across
    various media
  • The TCP packet (and its header) are carried in
    the IP packet
  • Two attacks possible
  • Tiny fragment attack
  • Fragment Overlap attack

Penetration IP Fragments
tcp
ip
ip
119
Normal IP Fragmentation
tcp
ip
ip
Penetration IP Fragments
To support different transmission media, IP
allows for the breaking up of single large
packets into smaller packets, called fragments.
The higher-level protocol carried in IP (usually
TCP or UDP) is split up among the various
fragments.
120
Tiny Fragment Attack
tcp
ip
ip
Penetration IP Fragments
Make a fragment small enough so that the TCP
header is split between two fragments. The port
number will be in the second fragment.
121
All IP fragments are re-assembled
Attacker
Tcp port unknown
Penetration IP Fragments
Fragment 1 (part of tcp header)
Fragment 2(rest of tcp header)
IDS
Firewall
122
IP Fragment Overlap Attack
  • A more insidious fragment attack is the Fragment
    Overlap attack. For this scenario, the attacker
    creates two fragments for each IP packet. One
    fragment has the TCP header, including the port
    number for a service allowed by the filter (e.g.,
    http, TCP port 80). The second fragment has an
    offset value that is a lie. The offset is too
    small, so that when the fragments are
    reassembled, the second fragment overwrites part
    of the first, particularly the part of the first
    fragment including the port number.

Penetration IP Fragments
tcp
ip
ip
123
Fragment Overlap attack - In the second fragment,
lie about the offset from the first fragment.
When the packet is reconstructed at the protected
server, the port number will be overwritten.
All IP fragments are re-assembled
Attacker
Tcp port 80. OK!
Penetration IP Fragments
Second IP fragment was just a fragment of the
first. That is OK too!
Fragment 1 (Packet is for port 80)
IDS
Firewall
Fragment 2 (Packet says is for port 80),
however, I have an offset, say 12, and After
overlaying, the TCP header will read port 23!
124
IP Fragment Attack Tools
  • Fragrouter -- can be used to create nasty
    fragmentation attacks
  • Written by Dug Song
  • http//www.anzen.com/research/nidsbench
  • With fragrouter, all packets entering one
    interface go out the other interface fragmented
  • The attacker can specify how fragmentation will
    occur
  • Helps bypass some packet filters and avoid
    intrusion detection systems (IDSs)
  • You can also send the packets through a
    multi-network named host, so the packets appear
    to be coming from multiple hosts!

Penetration IP Fragments
125
Sniffers

126
Sniffers
  • Sniffers gather all information transmitted
    across a line For broadcast media (ethernet),
    allows an attacker to gather passwords, etc. For
    ethernet, all data is broadcast on the LAN
    segment
  • Switched ethernet limits data to a specific
    source and destination port on a switch
  • Sniffers are among the most common of hacker
    tools. They gather traffic off of the network,
    which an attacker can read in real time, or
    squirrel away in a file.

127
Sniffers
  • Many attacks are discovered only when a sniffer
    log consumes all available file space.
  • When an ethernet interface is gathering all
    traffic, it is said to be in "promiscuous mode".
  • Traditional ethernet, usually implemented in a
    hub, is a broadcast medium, which broadcasts all
    data to all systems connected to the LAN segment.
    Therefore, traditional ethernet is inherently
    sniffable.

128
Blah, blah, blah
Blah, blah, blah
Blah, blah, blah
HUB
Blah, blah, blah
BROADCAST ETHERNET
129
Blah, blah, blah
Blah, blah, blah
Blah, blah, blah
HUB
Blah, blah, blah
BROADCAST ETHERNET
130
Blah
SWITCH
blah
Blah, blah, blah
blah
SWITCHED ETHERNET
131
Sniffers
  • Switched ethernet does not broadcast all
    information to all links of the LAN segment.
    Instead, the switch is more intelligent than the
    hub, and, by looking at the destination MAC
    address, will only send the data to the required
    port on the switch. Switched ethernet is only
    sniffable in limited ways.

132
Snifferz
  • There are countless examples of sniffers out
    there
  • es - freeware (ships with SunOS, Solaris
    RootKits)
  • Linsniff - freeware (ships with Linux Rootkits)
  • Websniff - freeware
  • tcpdump - freeware
  • snoop - distributed with Solaris
  • Network Associates - commercial
  • Shomiti Surveyor - commercial
  • Another very good sniffer is snort, by Martin
    Roesch
  • hftp//www.clark.net/-roesch/security.html
  • Very powerful scripting capabilities
  • Doubles as a lightweight Intrusion Detection
    System

133
Used by hackers
  • Sniffers are particularly useful in what is known
    as an "Island Hopping Attack", named after the
    U.S. strategy in the Pacific theater during WWII.
    Island Hopping attacks involve an attacker taking
    over a single machine through some exploit (e.g.,
    a hole found in sendmail, a weak CGI script,
    etc.). Then, the attacker installs a sniffer on
    this victim machine.

134
Sniffer uses in attack
  • With the sniffer on the first victim, the
    attacker observes users and administrators
    logging on to other systems on the same LAN
    segment or other segments of the network. The
    sniffer gathers these userlDs and passwords,
    allowing the attacker to take over more machines.
    By installing sniffers on these additional
    machines, more and more passwords can be
    captured. By installing a sniffer on a single
    system, the attacker can then take over many
    systems.

135
Sniffit
  • Written by Brecht Claerhout, available at
  • http//reptile.rug.ac.be/-coder/sniffit/sniffit.ht
    ml
  • Runs on Linux, Solaris, IRIX, FreeBSD, and SunOS
  • Interactive interface, or it can run in the
    background
  • You must be root to run it
  • Gathers an inventory of connections and lets you
    "zoom in" on particular sessions
  • Filtering capabilities
  • Based on IP, port numbers, etc.
  • You can configure it to gather just telnet or ftp
    userlDs

136
Sniffer Defense
  • Keep attackers off the box in the first place
  • Use Switched Ethernet on critical segments
  • DMZ!!!
  • PKI system
  • Sensitive internal networks
  • Antisniff (www.l0pht.com)
  • Can detect sniffers across the network by
    analyzing changes in latency, etc.

137
Session Hijacking
  • HUNT

138
Session Hijacking
  • Tools which allow an attacker to
  • Steal, share, terminate, monitor, or log any
    terminal session that is in progress
  • Allow attacker to move around the network with
    ease
  • Sessions are stolen across network
  • Session stolen at originating machine
  • Bypass all forms of strong authentication and
    Virtual Private Network

139
Session Hijacking
  • Session hijacking tools are particularly nasty.
    They allow an attacker to grab an interactive
    login session (e.g., telnet, rlogin, ftp, etc.).
    The victim usually notices that his/her session
    disappears ("Darn network trouble!"). The users
    will likely just try to login again, not knowing
    that their session wasn't dropped it was just
    stolen.

140
Alice telnets to do some work..
Alice
Eve is on a segment of the lan where she can
sniff, or on a point in the path.
Eve
141
Eve uses a session hijacking tool to observe the
session. at Eve's command, the session hijacking
tool jumps in and continues the session with
Bob. Attacker can kick Alice off and make any
changes on B. The logs will show that Alice made
the changes
Alice telnets to do some work..
Alice
Hi, I am Alice
Attacker can monitor and generate packets with
the same sequence number.
Eve
142
Session Hijacking Ack Storms
If the attacker just jumps in on a session,
starting to spoof packets, the sequence numbers
between the two sides will get out of synch As
the two sides try to resynchronize, they will
resend SYNs and ACKs back and forth trying to
figure out what's wrong, resulting in an ACK storm
SYN (A, SNa) ACK (SNb) SYN (B, SNb) ACK (SLNa)
Alice
SYN(A,Sna) ACK(SNb)
Eve
143
ACK Storm
  • Alice and Bob will get very confused, however,
    when they notice that their sequence numbers get
    out of synch. Alice will continue to resend
    messages again and again, consuming a good deal
    of bandwidth in what is known as an "ACK storm".
  • Eve can still interact with Bob using the spoofed
    address during the ACK storm, but performance
    will suffer as Alice and Bob thrash over the
    sequence number issue. Eve can prevent this by
    launching a denial of service against Alice so
    that there is no thrashing over sequence numbers,
    and hence no ACK storm.

144
Session Hijacking Tools
  • Hunt
  • Very well written
  • Authored by Kra (Pavel Krauz)
  • Automatically sniffs connections
  • Allows insertion of commands...
  • ...or just plain takeover of session
  • it handles ACK storms
  • http//lin.fsid.cvut.cz/kra/index.html

145
HUNTs ARP Spoofing
  • To avoid the ACK storm Eve either does a denial
    of service attack against Alice Or, more
    interestingly,
  • Hunt allows for Address Resolution Protocol (ARP)
    spoofing, to mask the fact that the systems have
    gotten out of synch!! Very clever!
  • Hunt lets the attacker set his/her machine up as
    a relay for all traffic going between Alice and
    Bob, using ARP Spoofing.

146
Eve send a Gratuitous ARP broadcast message
Ipw.x.y.zMACBB.BB
Ipa.b.c.dMACAA.AA
Alice
ARP w.x.y.z is at DD.DD
ARP a.b.c.d is at EE.EE
Eve MACCC.CC
147
Other Session Hijacking Tools
  • Juggernaut
  • Allows for monitoring of connections, insertion
    of single command, or takeover
  • Very similar to Hunt, but much more buggy
  • http//www.rootshell.com
  • TTYWatcher
  • Many advanced features (log, steal, watch, etc.)
  • Runs at the end host
  • User friendly
  • ftp//coast.cs.purdue.edu/pub/tools/unix/ftywatche
    r

148
Other Session Hijacking Tools
  • IPWatcher
  • Commercial software (http//www.engarde.com)
  • But the crackers steal it
  • Nice graphical interface

149
(No Transcript)
150
Session Hijacking Defenses
  • Encrypt session and use strong authentication.
  • Unfortunately, if originating host is
    compromised, strong authentication and encrypted
    paths do not help, because session is stolen at
    originating machine!
  • Defense Be very careful with incoming
    connections Be even more careful with management
    sessions to your critical infrastructure
    components
  • Firewalls!!! Don't telnet to the firewall
  • PKI!!! Don't telnet to the CA
  • Utilize strong authentication and an encrypted
    path for such management
  • Secure Shell (ssh) or Virtual Private Network

151
Where to get secure shell?
  • ftp//ftp.replay.comTo prevent ARP poisoning,
    use static ARP tables on sensitive systems
  • Solaris can have 20 minute no overwrite set on
    ARP caches.
  • Always use a secure session to talk to your
    security components, your infrastructure
    (routers,etc)

152
Domain Name System (DNS) Cache Poisoning

153
DSN Cache Poisoning
  • The Domain Name System (DNS)
  • Critical component of the Internet
  • Maps names to addresses, among other things
  • www.saic.com 199.106.240.15
  • Mail server for SAIC?
  • mx.east.saic.com Internet address 198.151.13.22
  • Is this important?
  • YOU BET IT IS!
  • "Almost all business that gets done over the
    Internet wouldn't get done without DNS
  • Paul Albitz Cricket Liu, authors of DNS
    BIND

154
Clients use a "resolver" to access DNS
servers Most common DNS server is BIND, Berkeley
Internet Name Domain DNS servers query each other
RootNameServer
www.ebay.com
Local Nameserver
Referral to .com
.comNameServer
www.ebay.com
www.ebay.com
Referral to ebay.com
www.ebay.com
Client
ebay.comNameServer
The Answer! 216.32.120.133
155
DNS Cache Poisoning
  • Additional notes on DNS
  • Each DNS query has a Query ID
  • This Query ID is often predictable based on
    earlier Query Ids
  • Also, to lower traffic requirements, DNS servers
    will cache answers
  • Poor man's DNS attack
  • www.nasa.com
  • www.algore.org
  • Gee, that's not very fun!
  • Let's look at something more interesting

156
DNS Cache Poisoning
  • The tool "jizz" allows for a more elaborate DNS
    attack
  • DNS Caches poisoning
  • http//www.rootshell.com

157
Alice, a happy bank customer
Dsn.good.comAlices unsuspecting DNS Server
Evil Attacker
Dns.evil.com, Evils DNS server owned by evil
www.bank.com, Alices online bank.
Dns.bank.comname server Alice wants to access.

158
DNS Cache Poisoning
STEP 1 Any.evil.com
Evil
STEP 2 Any.evil.com
STEP 3 store the query ID
Dsn.good.com
Dns.evil.com
Dns.bank.com
Alice
www.bank.com
159
DNS Cache Poisoning
STEP 4 www.bank.com
STEP 7 www.bank.comw.x.y.z
Evil
STEP 6 Spoofed answww.bank.comw.x.y.z
Dsn.good.com
STEP 5 www.bank.com
Dns.evil.com
Dns.bank.com
Alice
www.bank.com
160
DNS Cache Poisoning
STEP 10 Lets Bank!!!!
In Cache www.bank.comw.x.y.z
Evil
Dsn.good.com
Dns.evil.com
STEP 8 www.bank.com?
STEP 9 w.x.y.z
Dns.bank.com
Alice
www.bank.com
161
DNS Cache Poisoning Defense
  • Use a hard-to-predict Query ID
  • Upgrade BIND
  • Available, but not widely deployed yet
  • Use split split (yes, that's split split) DNS
  • Have a different DNS server resolve names for
    insiders, and not respond to outside queries at
    all
  • Use a separate DNS server for responding to
    queries for externally accessible stuff
  • The best current solution
  • Digitally sign DNS records
  • The (likely) eventual solution - DNSSec - will be
    deployed some day

162
DNS Cache Poisoning Defense
  • Use SSL with server-side authentication for
    important transactions HTTPS Involves user
    education
  • Although not part of this exploit, protect your
    DNS server, for goodness sakes! Harden the OS
    Cryptographically sign DNS database files Use
    suspicious activity detection software
  • Use Tripwire or MD5 hashing on your DNS Server
    database.

163
Back Orifice 2000
  • demo

http//www.bo2k.com/indexnews.html
164
bo2k
  • One of a class of advanced Trojans
  • www.bo2k.com
  • Creates a client/server relation
  • Developed by hackers/crackers. Presented at
    DEFCON VI July 1999
  • Billed as a network administrators tool
  • Many plug-ins

165
properties
  • Win 95/98 server (and NT)
  • Configurable, can be attached to a host program
    for infection (silk rope)
  • Can use UDP protocol (immunity from packet port
    scanners)
  • Can use various encryption plug-ins
  • Source available!
Write a Comment
User Comments (0)
About PowerShow.com