CSS481 Spring 2003 - PowerPoint PPT Presentation

Slides: 42
Provided by: Steve57

1
Hacking Exploits and Malicious Code
  • How people break into systems, and what they do
    once they get there.
  • Questions we might ask
  • why does somebody want to break in?
  • what are the possible points of entry?
  • what happens once they get in?

2
Motivations for Breaking In
  • Often not discussed in the hacking literature,
    but important to know your enemy
  • So why break in?
  • for the fun of it
  • to cause damage
  • hurt the competition
  • steal trade secrets (customers, designs, ...)
  • collect email addresses
  • use the resources
  • hide identity
  • ... more ... ?

3
Planning and Executing a Breakin
  • Reconnaissance
  • find your targets
  • learn as much about them as possible
  • Scanning
  • look for vulnerabilities
  • Application and Operating System Attacks
  • Viruses and Other Replicating Programs

4
Reconnaissance
  • Potential targets
  • IP addresses
  • Blocks of IP addresses
  • Hosts with certain characteristics (banks,
    e-commerce sites, data warehouses)
  • Information about a particular target
  • people
  • hosts
  • information about infrastructure

5
Low-Tech Solutions
  • Remember, people are a hacker's best friend
  • Make a phone call and ask for
  • a password
  • or a reference to another employee
  • or some information about their workstation
  • a voicemail box
  • Common social engineering pretexts
  • new employee calls help desk wanting information
    on how to do a task
  • manager calls an employee demanding password, or
    a reset
  • SA asks employee for a password
  • employee calls another employee to get phone or
    personal information about an employee

6
Low-Tech Solutions (cont.)
  • Why call, when a visit is so much more personal?
  • grab some passwords
  • bring a floppy and insert some code on the system
  • grab a hard drive and take it out
  • It's (not) surprisingly easy to do even in a
    fairly secure environment
  • everybody opens doors for you
  • not uncommon to be badgeless
  • And don't forget to take out the trash
  • notes with passwords
  • design documents
  • phone lists
  • (and don't think that people actually use
    shredders)

7
The Internet is Your Friend
  • A surprising amount of information is available
  • Employee information
  • many organizations refuse to give any information
    out about the employees
  • but an employee's signature file contains work
    phone number and email address
  • and the email headers may reveal names of servers
    and other resources
  • Corporate culture
  • give yourself credibility when you visit
  • Information about the infrastructure
  • what database, web server, etc. is the company
    running
  • Usenet groups are incredibly rich sources of
    information
  • tech people are not typically very security
    conscious
  • especially when dealing with other tech people

8
Internet Domain Names and Addresses
  • Given a domain name, find out its primary IP
    address
  • and vice versa
  • Get contact information for the company
  • Get IP address blocks
  • Look at the Sam Spade tool

9
Summary of the Reconnaissance Phase
  • What are you looking for?
  • information about a specific organization
  • information about a potential target
  • In three basic categories
  • information about people
  • information about systems
  • information about the organization itself
  • Techniques
  • low-tech approaches (personal, phone, dumpsters)
  • information on the web
  • information from the web itself

10
The Scanning Phase
  • Suppose the attacker has a target and some
    preliminary information
  • a few phone numbers
  • domain names / IP addresses
  • In scanning the attacker is looking for
    vulnerabilities that will allow access to
  • information
  • systems

11
The First Line of Attack: Modems
  • The victim: a desktop computer connected to a
    modem for home use
  • they're there
  • they're insecure (often not even any password
    control!)
  • they allow wide access
  • Another nice find: repeat dial tones
  • allow free long distance
  • afford anonymity
  • War dialers: give them a block of numbers, and they
    give you
  • which lines had carriers (and which are likely to
    be voice)
  • what the server said (more information about the
    system on the other end) (nudges)
  • (at a rate of about 100 numbers per hour,
    automatically)

12
Defense Against War Dialing
  • Use a centralized modem pool, which can be
    monitored and audited more easily
  • also hides information about the individual
    systems on the network
  • Allow dial-out access only for phones physically
    connected to computers
  • Attack your own site periodically

13
Mapping the Network
  • Finding live hosts
  • given a block of IP addresses
  • send a PING to a host (what's a PING?)
  • send messages to common services (HTTP, SMTP)
  • Finding routers and network topology using
    traceroute
  • And of course this can all be automated to build
    a network topology graph
  • Defense against network scans: use firewalls to
    allow only the traffic you really need
  • no pings from the outside world (except external
    servers)
  • filter ICMP time exceeded messages

14
Identifying Services on a Machine: Port Scanning
  • There are 65535 possible ports for TCP services,
    and the same number available for UDP service

The latest IANA port assignments can be gotten
from http://www.iana.org/assignments/port-numbers.
The Well Known Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151.
The Dynamic and/or Private Ports are those from 49152
through 65535. Each line describes one service, and is
of the form:

    service-name   port/protocol   aliases ...   comment

    tcpmux         1/tcp                         TCP port service multiplexer
    tcpmux         1/udp                         TCP port service multiplexer
    rje            5/tcp                         Remote Job Entry
    rje            5/udp                         Remote Job Entry
    echo           7/tcp
    echo           7/udp

15
Port Scanning
  • Can look through common ports or through all
    ports
  • Makes a service request and sees if anything
    responds
  • If it does respond (and especially if it's a
    well-known service), the scan can yield
    information about the responding service
  • Next slide is output from SuperScan, probing
    cssgate

16
(No Transcript)
17
Ethical / Legal Implications of Using These Tools
  • Please read and refer to the UW Computing
    Guidelines at
  • http://www.washington.edu/computing/rules/guidelines.html
  • The following practices are prohibited
  • Attempting to test security flaws yourself.
  • Attempting to disrupt operation of any system or
    network.
  • Altering any data, software, or directories other
    than your own without proper authorization.
  • Probing or connecting to any computers without a
    legitimate reason to do so.
  • Attempting to gain root access on any of the UW
    systems unless you have been given authorization
    by the system administrator.
  • Using UW systems or networks as a staging ground
    to crack other systems or networks.

18
Different Types of Scans
  • Polite: the TCP connect
  • recall the three-step handshake; the connect scan
    completes the handshake
  • this will result in either a SYN-ACK response, no
    response, a RESET response, or an ICMP Port
    Unreachable response
  • this might provide some additional information
  • if you get a SYN-ACK, send the final ACK, then
    FIN
  • it's time consuming, and logged
  • SYN scans
  • just send the first SYN, and see if there's a
    response, but don't send the final ACK or FIN
  • fast, not logged, and (arguably) a DoS attack
  • Even more broken versions
  • send a FIN initially; to obey the protocol, a
    closed port should send a RESET, and an open port
    should send nothing

19
Other Things to Look At
  • UDP ports
  • UDP is a lighter-weight protocol, not having the
    handshake, sequenced packets, etc.
  • PING is the most common UDP service
  • OS Fingerprint: what operating system is
    running?
  • this isn't generally available, but can be
    inferred
  • sometimes the services will give it away
  • otherwise, try to predict it from the way the OS
    responds to TCP requests
  • the protocol specifies the response in the case
    of valid uses of the protocol, but not in the
    case of invalid uses (e.g. a NULL packet to begin
    a handshake)
  • and as such, operating systems tend to respond in
    idiosyncratic ways

20
Intrusion Detection Systems
  • IDSs sit on the LAN and collect packets, looking
    for attacks, and notifying an administrator if
    they think an attack is in progress
  • The problem is how to infer an attack from a
    bunch of network traffic
  • just traffic (DoS attack)
  • certain patterns of activity (e.g. a port scan)
  • Evading the IDS
  • don't make the scan traffic look like a pattern in
    the database
  • don't flood the network
  • or really flood the network (DoS on the IDS
    itself)
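The IDS pattern this slide mentions (a port scan as a recognizable pattern of activity) can be made concrete with a small detector. This is an added example, not code from the lecture: it runs over a few constructed firewall-style log lines, flags a source that hits many distinct ports on one host within a short window, and counts SYNs never followed by the client's ACK, the half-open signature of the SYN scan from the previous slide. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of a simple firewall connection log
# (made up for this example; 10.0.0.5 walks seven ports, 10.0.0.9 is normal).
SAMPLE_LOG = """\
2003-04-11T10:00:00 SYN 10.0.0.5:40001 -> 192.168.1.10:21
2003-04-11T10:00:00 SYN 10.0.0.5:40002 -> 192.168.1.10:22
2003-04-11T10:00:01 SYN 10.0.0.5:40003 -> 192.168.1.10:23
2003-04-11T10:00:01 SYN 10.0.0.5:40004 -> 192.168.1.10:25
2003-04-11T10:00:02 SYN 10.0.0.5:40005 -> 192.168.1.10:80
2003-04-11T10:00:02 SYN 10.0.0.5:40006 -> 192.168.1.10:110
2003-04-11T10:00:03 SYN 10.0.0.5:40007 -> 192.168.1.10:143
2003-04-11T10:00:05 SYN 10.0.0.9:51000 -> 192.168.1.10:80
2003-04-11T10:00:05 ACK 10.0.0.9:51000 -> 192.168.1.10:80
2003-04-11T10:30:00 SYN 10.0.0.9:51001 -> 192.168.1.10:443
2003-04-11T10:30:00 ACK 10.0.0.9:51001 -> 192.168.1.10:443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<flag>SYN|ACK|FIN|RST) "
                     r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_log(text):
    """Parse lines into (time, flag, src, sport, dst, dport); skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m["ts"]), m["flag"], m["src"],
                            int(m["sport"]), m["dst"], int(m["dport"])))
    return records

def find_port_scans(records, min_ports=5, window_seconds=60):
    """Return {(src, dst): distinct ports} for sources that hit at least
    min_ports distinct ports on one host inside a sliding time window.
    The thresholds are assumptions for this example; tune them per network."""
    syns = defaultdict(list)
    for ts, flag, src, _sport, dst, dport in records:
        if flag == "SYN":
            syns[(src, dst)].append((ts, dport))
    alerts = {}
    for key, events in syns.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[key] = max(len(ports), alerts.get(key, 0))
    return alerts

def half_open_counts(records):
    """Count SYNs per source never followed by the client's ACK on the same
    (src, sport, dst, dport) tuple: the half-open signature of a SYN scan."""
    acked = {(s, sp, d, dp) for _, f, s, sp, d, dp in records if f == "ACK"}
    counts = defaultdict(int)
    for _, flag, src, sport, dst, dport in records:
        if flag == "SYN" and (src, sport, dst, dport) not in acked:
            counts[src] += 1
    return dict(counts)
```

A real deployment would also watch for the slow scans and flooding the slide describes, which this single fixed window does not catch.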

21
Protecting against Network Scans and Attacks
  • Close down all ports not in use
  • RPC ports and X windows for example
  • Use firewalls to restrict packets in and out of
    the LAN to whatever extent possible
  • Use most up-to-date version of IDS software
  • Use both host-based and network-based IDS systems

22
Summary of the Scanning Phase
  • What you know going in
  • some cursory information about the site: domain
    names and/or IP addresses
  • What you want to know coming out
  • all the machines and routers on the network
  • what software each is running (operating system
    and services, including version)
  • what services are provided by which machines, and
    which versions
  • Tools
  • network scanners (PINGing and tracing)
  • port scanners
  • IDEs
  • What comes next
  • knowing the system = knowing the vulnerabilities
  • identify vulnerable software and try to gain
    entry (penetration)

23
Application and OS Attacks
  • This is the access phase. How do you get in,
    and what do you do when you get there?
  • OS Attacks contrasted with
  • network attacks (1 minute explanation)
  • viruses (wait for it ...)
  • The main attacks covered in the book are
  • buffer overflow attacks
  • SQL attacks
  • password harvesting
  • web application attacks (session hijacking)
  • How are these similar and/or different from each
    other?

24
Basic Structure of Application Attacks
  • If you can get your instructions into the
    application
  • And you can get the application to execute it
  • Then you can do some damage, depending on
  • the language (machine code, SQL, VB, Javascript)
  • the privilege level of the application
  • The "OS" aspect is secondary: you get some
    application to execute code for you, and it might
    or might not be the OS
  • but some applications allow "escapes" to the OS
  • and interacting with the OS gives you broader
    power

25
Stack Overflow Attacks
  • Your instructions are written in the actual
    machine code of the host OS
  • which means a certain lack of portability
  • Getting it into the application is accomplished
    by
  • providing longer input than the application
    expects (no bounds checking)
  • the compiler / application allowing you to
    overflow a buffer
  • Executing the machine code is accomplished by
  • the fact that data and code can be mixed on the
    stack
  • careful manipulation of the input so the
    operating system executes the first instruction
    in your code
  • What you then can do
  • you have the operating system's attention, so you
    have access to the file system, other processes
    and services, etc.
  • you're limited only by your privilege level (but
    many services run as root)

26
Stack/Buffer Overflow Attacks (cont.)
  • This is more a means of access than a particular
    exploit
  • The components
  • a running service or daemon
  • input from a client (read over a port)
  • input exceeds declared array bounds, and program
    doesn't detect an error (bad programming!)
  • accepting variable is stored on the stack
  • therefore machine code gets inserted on the stack
  • careful / lucky manipulation of the code causes a
    GOTO into the new code on the stack
  • operating system allows executing code from the
    stack (can be turned off)
  • Lots of examples: various Linux services (FTP),
    various Windows services (IIS, SQL Server)

27
What To Do When You've Installed Your Code
  • Just do some damage
  • Exec an interactive shell or Xterm (so now the
    daemon is still serving your port, but now it's
    acting as a root-owned remote shell for you)
  • Configuration changes that make subsequent
    entries possible (i.e. unlock the door from the
    inside)
  • entries in rhosts, rusers
  • Clean up log files to hide the attack
  • Install client code that "reverses the direction"
    of the packets, with the hope that this will
    evade IDS systems

28
SQL Application Attacks
  • (What was the example we heard about in class?)
  • An application (e.g. web browser)
  • accepts user input
  • builds a SQL query from that input
  • submits it to a SQL query engine
  • The essence of the exploit is in
  • unexpected user input
  • careless checking of the input

29
SQL Attacks (cont.)
  • Example: website search by product ID
  • program is expecting at most 10 alphanumeric
    characters
  • it constructs SELECT TITLE FROM PRODUCTS WHERE
    ID = "id"
  • this input would have some interesting side
    effects: AAA" "" DELETE FROM PRODUCTS WHERE
    1=1
  • What caused the problem here?
  • bad input checking (that is not a valid product
    ID!)
  • implicitly providing information about how the
    input is processed before being sent to the query
    engine
  • maybe it's done on the client side (e.g. using
    Javascript), in which case you really have a
    goldmine on your hands!
  • maybe it's implicitly available via error pages
    (web server allows web browser to surface SQL
    error messages)
  • The lessons (here and elsewhere)
  • input is your enemy
  • be aware of and careful with error handling
    (control the information going from server to
    client)
  • (these are simply good programming practices)
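The slide's product-ID search, as an added example (not code from the lecture): the string-built query beside a version that enforces the 10-alphanumeric-character rule, binds the ID as a parameter, and returns only generic error text to the client. It uses Python's built-in sqlite3 module with a constructed PRODUCTS table; the hostile input is a constructed variant of the slide's DELETE example.

```python
import re
import sqlite3

# The slide's rule: a product ID is at most 10 alphanumeric characters.
PRODUCT_ID_RE = re.compile(r"[A-Za-z0-9]{1,10}")

# Constructed hostile input in the spirit of the slide's example: it closes the
# quoted ID, appends a second statement, and comments out the trailing quote.
HOSTILE_INPUT = "AAA'; DELETE FROM PRODUCTS WHERE 1=1; --"

def make_db():
    """In-memory PRODUCTS table with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PRODUCTS (ID TEXT PRIMARY KEY, TITLE TEXT)")
    conn.executemany("INSERT INTO PRODUCTS VALUES (?, ?)",
                     [("AB123", "Widget"), ("CD456", "Gadget")])
    conn.commit()
    return conn

def product_count(conn):
    return conn.execute("SELECT COUNT(*) FROM PRODUCTS").fetchone()[0]

def build_query_unsafe(product_id):
    """The slide's construction: the input is pasted into the SQL text.
    Single quotes are used here; the slide shows double quotes, same defect."""
    return "SELECT TITLE FROM PRODUCTS WHERE ID = '%s'" % product_id

def run_unsafe(conn, product_id):
    """What a careless application does: hands the assembled text to the
    engine, which executes every statement it finds in it."""
    conn.executescript(build_query_unsafe(product_id))

def is_valid_product_id(product_id):
    """Whitelist check (fullmatch, so a trailing newline cannot sneak past)."""
    return PRODUCT_ID_RE.fullmatch(product_id) is not None

def lookup_safe(conn, product_id):
    """Validate, then bind the value as a parameter so the engine treats it as
    data, never as SQL. Returns the title, or None if no such product."""
    if not is_valid_product_id(product_id):
        raise ValueError("product ID must be 1-10 alphanumeric characters")
    row = conn.execute("SELECT TITLE FROM PRODUCTS WHERE ID = ?",
                       (product_id,)).fetchone()
    return row[0] if row else None

def handle_search(conn, product_id):
    """The web tier's reply: generic messages on failure, so engine error text
    (table names, syntax details) never reaches the browser."""
    try:
        title = lookup_safe(conn, product_id)
    except ValueError:
        return {"status": "error", "message": "invalid product ID"}
    except sqlite3.Error:
        return {"status": "error", "message": "search failed"}  # log details server-side
    if title is None:
        return {"status": "not_found"}
    return {"status": "ok", "title": title}
```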

30
Password Attacks
  • How/why are these fundamentally different from
    stack or SQL attacks?
  • Rely on the fact that
  • reconnaissance has provided you with some user
    IDs
  • people choose predictable passwords
  • Online versus offline attacks
  • online: just challenging the login process
    repeatedly
  • time consuming, easy to detect
  • offline: get a copy of the password file, and
    challenge it repeatedly
  • (And of course another line of attack is simply
    to try to get people to give you their passwords
    directly via web forms.)

31
Web Attacks: Session Spoofing
  • The basic problem: HTTP is a "stateless"
    protocol
  • every HTTP request must communicate all relevant
    information to the server
  • at the same time, most web sites want to provide
    continuity from page serve to page serve
  • therefore each HTTP request must contain
    information identifying the user / session
  • The exploit: if you can discover somebody else's
    session ID, you can pretend to be them
  • at least for a while
  • at least for some class of operations

32
Session Spoofing (cont.)
  • What you can and cannot do about it (in designing
    a website protocol)
  • First, you don't have the luxury of keeping
    session IDs secret
  • since they are transmitted over the network,
    somebody will see them
  • Three things you can do
  • make them unpredictable, so seeing your own ID
    doesn't provide too much information about
    others' IDs
  • choose random numbers, encrypt or hash the values
  • send only part of the session ID at every page
    serve (Amazon's UBID and session ID)
  • require authentication every time session wants
    to do something dangerous (buy something, access
    account information)
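The three defenses on this slide, as an added example not taken from the lecture: IDs drawn from the OS random generator (beside the guessable counter scheme the slide warns against), an HMAC tag so an altered or guessed ID is rejected before any lookup, and a re-authentication window for dangerous operations. The key handling, window length and store layout are assumptions.

```python
import hashlib
import hmac
import secrets

# Server-side signing key, generated at startup for this example; a deployment
# would load it from protected configuration so it survives restarts.
SERVER_KEY = secrets.token_bytes(32)

def predictable_session_id(counter):
    """The weak scheme: seeing your own ID tells you everyone else's."""
    return "sess%08d" % counter

def new_session_id():
    """256 bits from the OS CSPRNG: seeing one ID says nothing about another."""
    return secrets.token_urlsafe(32)

def sign(session_id):
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def issue_cookie(session_id):
    """ID plus an HMAC tag: a guessed or altered ID fails before any lookup."""
    return session_id + "." + sign(session_id)

def session_id_from_cookie(cookie):
    """Return the ID if the tag verifies (constant-time compare), else None."""
    sid, sep, tag = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(tag, sign(sid)):
        return None
    return sid

class SessionStore:
    """Sessions keyed by unpredictable ID, plus a re-authentication window for
    dangerous operations (buying something, viewing account data)."""

    def __init__(self, reauth_window=300):
        self.sessions = {}
        self.reauth_window = reauth_window  # seconds; an assumed policy value

    def login(self, user, now):
        sid = new_session_id()
        self.sessions[sid] = {"user": user, "last_auth": now}
        return issue_cookie(sid)

    def user_for(self, cookie):
        session = self.sessions.get(session_id_from_cookie(cookie))
        return session["user"] if session else None

    def reauthenticate(self, cookie, now):
        """Called after the user re-enters the password for a sensitive step."""
        sid = session_id_from_cookie(cookie)
        if sid in self.sessions:
            self.sessions[sid]["last_auth"] = now

    def may_do_dangerous_op(self, cookie, now):
        """Even a valid session must have authenticated recently."""
        session = self.sessions.get(session_id_from_cookie(cookie))
        return session is not None and now - session["last_auth"] <= self.reauth_window
```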

33
Other Exploits: Viruses, Worms, Trojan Horses
  • What's a virus / worm / Trojan Horse, and how do
    they differ from the code we've already seen?
  • Virus
  • infects another program
  • replicates
  • Worm
  • replicates and spreads over a network
  • not parasitic on another program
  • Trojan Horse
  • doesn't infect another program
  • no provision for self-replication or spreading
  • has some unexpected side-effect (doesn't do what
    it purports to do)
  • One real difference is that this kind of Malware
    spreads automatically, as opposed to the exploits
    we've seen before which are directed by humans.
  • this introduces several other technical issues
    like mutation / polymorphism and other methods
    for evading detection, which aids in the
    spreading process

34
The Main Structural Components of a Virus
  • Infection: how does the virus spread?
  • Payload: what does the virus do apart from
    replicate / infect?
  • Trigger: what decides when the payload is
    delivered?
  • Replication: how does the virus get to other
    machines?

35
Means of Infection
  • Buffer overflows and their friends
  • we've already seen how a program can "get in" to
    a system through buffer overflow vulnerabilities
    and the like
  • no reason that Malware can't use the same vector
  • Inviting it in
  • the classic: a hyperlink in an email message
    that executes a program
  • similarly macro-viruses in documents that are
    automatically executed when the document is
    opened
  • Boot-sector viruses
  • virus infects the boot sector of a floppy disc,
    which in turn infects the hard drive etc.

36
Payloads
  • There isn't always a payload
  • SQL Slammer infected the SQL server memory
    image, then aggressively sought to infect other
    servers. (DoS attack)
  • From the annoying to the fatal
  • display annoying popups
  • freeze the system
  • change the registry
  • destroy permanent storage

37
Trigger
  • Often triggers immediately, but at one point it
    was fashionable to trigger on a particular date
  • Jerusalem virus on Friday the 13th
  • caused concern for some years afterwards

38
Important Malware Through History
  • Lehigh (1987)
  • infected floppy disks through overwriting slack
    space at the end of COMMAND.COM
  • triggered by DOS commands, and wrote the virus to
    other COMMAND.COM files
  • after four infections, would overwrite some files
  • no attempt to obscure itself
  • CHRISTMA EXEC (1987)
  • first virus transmitted through email? (social
    engineering)
  • drew a Christmas tree on screen and mailed itself
    to everybody in the account holder's address book
  • Morris Worm (1988)
  • spread via vulnerabilities in Sendmail and Finger
  • also tried some password cracking
  • damage was (only) through degradation of service

39
Wave II Malware
  • WM/Concept (1995)
  • first widely disseminated macro virus (actually
    shipped in production documents)
  • very little payload (displays a dialog box when
    an infected document is opened)
  • but a very scary proof of concept
  • ShareFun (1997)
  • combination of macro virus and email transmission
  • sent copies to three randomly selected entries in
    the user's address book

40
Wave III Malware
  • Melissa
  • PrettyPark (1999)
  • spread via an executable in an email attachment
  • mails copies to address-book entries
  • publishes itself to some IRC servers
  • installs itself first in the application
    execution order, making it harder to implement a
    "point and click disinfect" solution
  • Love Bug (2000)
  • attachment with name LOVE-LETTER-FOR-YOU.TXT.vbs
  • installed copies in some system directories,
    which were executed on startup
  • overwrote many image and audio files with copies
    of the virus
  • used the address book to send copies
  • tried to send password information to a web site
    in the Philippines
  • script file was widely modified and re-deployed
  • SQL Slammer Worm (2003)
  • most notable for its speed in replicating
    (doubling every 8.5 seconds)
  • infected 90% of vulnerable hosts (100K) within
    10 minutes

41
Summary
  • The main components
  • infection
  • payload
  • trigger
  • Many examples, but variations on a few themes
  • boot-sector / floppies (less recently)
  • payload stored in documents (macros) or
  • transmission via chain letters through address
    books
  • obfuscation via registry changes
  • propagation via service vulnerabilities (more
    recently)