Circumventing Security - PowerPoint PPT Presentation

About This Presentation
Title:

Circumventing Security

Description:

Security-oriented TCP programs do a two-way lookup to authorize machines: Forward lookup (name to IP address) Reverse lookup (IP address to name) ... – PowerPoint PPT presentation

Number of Views:234
Avg rating:3.0/5.0
Slides: 34
Provided by: ericn3

Transcript and Presenter's Notes

Title: Circumventing Security


1
Circumventing Security
  • Lecture 14
  • November 15, 2000

2
Some Terms
  • Spoofing: an active security attack where one
    machine masquerades as another.
  • Sniffing: use of the network interface to receive
    data not intended for the host machine in which
    the interface resides.
  • Exploit: a documented bug/hole in the software
    that usually allows a user to remotely or
    locally gain access to the machine.

3
Types of Attacks
  • The different types of attacks can be divided
    into two categories.
    • Local (Physical) attacks
      • Less common
      • More difficult to determine if compromised
    • Remote attacks
      • More common
      • Generally easier to determine if compromised
  • Many attacks are a combination of both a local
    and remote attack!

4
Simple Local Attacks
  • Removing a computer from service
    • Turning off the power
    • Unplugging a computer
    • Cutting or unplugging a network connection
  • Attacking a computer from the terminal
    • Using known exploits at the keyboard to access
      the machine.
    • Removing a screensaver password: reboot and
      change it before the screensaver turns on.

5
Common Remote Attacks
  • Most remote exploits have a common path
    • Use a known exploit to gain remote access to the
      machine (BIND, FTPD).
    • Download a copy of the /etc/passwd file.
    • Run a password cracking program on the local
      machine until the root password is compromised.
    • Gain access to the machine (telnet, ssh, exploit,
      etc.).
    • Change to the root user with the cracked password.

6
Spoofing Attacks
  • Spoofing attacks are a combination of both local
    and remote attacks.
  • Hardware address spoofing
    • ARP spoofing
  • IP route spoofing
    • ICMP spoofing
    • RIP spoofing
  • Other protocol spoofing
    • DNS spoofing
    • TCP/IP datagram spoofing

7
Hardware Address Spoofing
  • Most software does not modify the source field in
    an Ethernet frame leaving the interface.
  • When a packet is received on Ethernet, the source
    address is assumed to be valid.
  • However, most NICs have the ability to use
    software-controlled hardware addresses, so an
    address can be faked.
    • 01-01-01-01-01-01 or 12-34-56-78-90-AB
  • Consider the possibility of one machine trusting
    a secure connection based on the hardware address!

8
Hardware Spoofing (cont.)
  • Consider the functionality of a bridge
    • A packet from machine A on segment 1 arrives at
      the bridge, destined for machine B on segment 2.
    • The bridge will modify the source address of the
      packet to C and then send to machine B on segment
      2.
    • A/B combination is transformed to C/B.

9
Hardware Spoofing (cont.)
  • Since a bridge is basically a PC, all PCs have
    the ability to modify Ethernet frames.
  • Trusting a machine based only on the hardware
    address is NOT recommended!

10
ARP Spoofing
  • Most ARP spoofing attacks are accidental rather
    than intentional!
  • If two machines have the same IP address, they
    will both respond to the same ARP request!
  • Depending on the operating system, one of two
    things could happen
    • The slowest (last) ARP reply to arrive will be
      cached until the ARP entry expires.
    • The first ARP reply to arrive will be cached, and
      any further ARP replies will be ignored (until
      the ARP entry expires).

11
ARP Spoofing (cont.)
  • The attacker will have to have the ARP request
    arrive first or last, depending on which target
    system they are trying to compromise.

12
ARP Spoofing (cont.)
  • An attacker has a few options to ARP spoof
    • Turn off the legitimate machine and use its IP
      address
      • Power it down locally
      • Shut it down remotely (in Unix, halt)
      • Throw the circuit breaker for that machine, etc.
    • Reconfigure the target machine with a new IP
      address, and hijack the old one for the attacker's
      machine.

13
Preventing ARP Spoofing
  • The true target of an ARP spoof is the machine one
    is attempting to deceive, not the machine whose
    address is hijacked!
  • Stop using ARP! All shares based on IP addresses
    should use permanent entries in the ARP cache.
  • Use an ARP server (but the server can still be
    deceived!)
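An added example (not from the lecture): a small ARP-reply monitor that checks what the previous slides describe, namely two machines answering for one IP address, and that compares replies against the permanent ARP entries this slide recommends. The addresses, the pinned table and the sample replies are constructed.

```python
from collections import defaultdict

# Constructed sample data: the permanent ARP entries an administrator has pinned
# (hypothetical addresses).
PINNED = {
    "10.0.0.1": "00:11:22:33:44:01",    # default router
    "10.0.0.20": "00:11:22:33:44:20",   # file server
}

# Constructed ARP replies as (sender IP, sender MAC) in order of arrival. The
# third reply claims the file server's address from a second interface, i.e.
# two machines are now answering the same ARP request.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.20", "00:11:22:33:44:20"),
    ("10.0.0.20", "12:34:56:78:90:AB"),
    ("10.0.0.37", "00:11:22:33:44:37"),
    ("10.0.0.37", "00:11:22:33:44:37"),
]


def audit_arp_replies(replies, pinned):
    """Return one alert string per suspicious reply; an empty list means clean."""
    seen = defaultdict(set)          # IP -> every MAC that has claimed it so far
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        # A reply that contradicts a pinned (static) entry: the static entry
        # keeps the cache correct, but the reply is still worth an alert.
        if ip in pinned and pinned[ip].lower() != mac:
            alerts.append(f"{ip}: reply from {mac} contradicts pinned entry {pinned[ip]}")
        # A second MAC for an address that already had one means two machines
        # are answering for the same IP, whichever reply the OS ends up caching.
        if seen[ip] and mac not in seen[ip]:
            alerts.append(f"{ip}: now claimed by {len(seen[ip]) + 1} different MACs")
        seen[ip].add(mac)
    return alerts
```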

14
Route Spoofing
  • Route spoofing is where one attempts to redirect
    IP datagrams to a location that is not the true
    destination.
  • Route spoofing, like ARP spoofing, can lead to a
    Denial of Service (DoS) attack.
  • Denial of Service: some action taken to prevent a
    target machine from properly communicating
    (sending, receiving, both) with the network.

15
Route Spoofing (cont.)
  • With sophisticated software, one can use both route
    spoofing and ARP spoofing to give the illusion
    that the network is functioning properly, while
    removing the target machine from the
    communication!
  • If two routers exist on a network, only one can
    be the default router.

16
Route Spoofing (cont.)
  • Here's how a route spoof can occur
    • A machine always sends a transmission to the
      default router first.
    • If the default router is not the best choice for
      the transmission, it sends an ICMP redirect
      message back to the host on the same network
      segment, and forwards the datagram to the
      appropriate router.
    • The redirect message basically says it would be
      best to send datagrams to a router with IP
      address A.B.C.D for network W.X.Y.Z.
    • The host machine updates its routing table so it
      doesn't make the mistake again.

17
ICMP-Based Route Spoofing
  • A machine can create ICMP redirect messages and
    send them to any other machine in the network!
  • The routing table could be unusable. DoS attack.
  • A machine could send an ICMP redirect with its
    own IP address, and pose as a router, therefore
    filtering ALL traffic!
  • The simplest way to avoid ICMP spoofing is to
    disable ICMP redirect messages, in both the hosts
    and the routers!
  • But if you keep ICMP redirects, one could
    validate the redirect source address as another
    level of security.
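An added example (not from the lecture) of the validation this slide suggests: a host accepts an ICMP redirect only if it came from the router it currently uses for that destination and the proposed gateway is on its own segment, which is also what RFC 1122 asks of hosts. The host configuration and addresses are constructed.

```python
import ipaddress

# Constructed host configuration (hypothetical addresses).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")      # the host's own segment
DEFAULT_GW = ipaddress.ip_address("192.0.2.1")
ROUTES = {                                            # destination network -> gateway
    ipaddress.ip_network("198.51.100.0/24"): ipaddress.ip_address("192.0.2.2"),
}


def current_gateway(dest):
    """The gateway this host uses for `dest` today (most specific route wins)."""
    best = None
    for net, gw in ROUTES.items():
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else DEFAULT_GW


def redirect_is_valid(src, dest, new_gw):
    """Decide whether to honour an ICMP redirect received from `src` that
    proposes `new_gw` as the next hop for `dest`. Returns (accepted, reason)."""
    src, dest, new_gw = (ipaddress.ip_address(a) for a in (src, dest, new_gw))
    # Check 1 (the slide's suggestion): only the router we currently send this
    # traffic through may redirect it. A host on the segment posing as a
    # router with its own address as sender fails here.
    if src != current_gateway(dest):
        return False, "sender is not the router currently used for this destination"
    # Check 2: the new next hop must be directly reachable, otherwise the
    # routing table entry would be unusable (the DoS case on the slide).
    if new_gw not in LOCAL_NET:
        return False, "proposed gateway is not on a directly connected network"
    return True, "accepted"
```

The source check only holds if the redirect's source address is genuine; a sender that forges the router's address passes it, which is why the slide's first recommendation, disabling redirects, is the stronger defence.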

18
Domain Name System Spoofing
  • Overview: a machine (nameserver) holds a mapping
    between IP addresses and names (www.cnn.com, for
    example).
  • A client sends a request to the nameserver for
    the IP address of www.cnn.com, and the nameserver
    replies with the address.

19
Domain Name Spoofing (cont.)
  • Hosts commonly trust other machines based on
    their names.
  • If the nameserver is compromised, then the domain
    names are subsequently compromised.
  • Security-oriented TCP programs do a two-way
    lookup to authorize machines
    • Forward lookup (name to IP address)
    • Reverse lookup (IP address to name)
  • If both match, then the machine is authorized.
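An added example (not from the lecture) of the two-way lookup: the reverse lookup of the connecting address must give a name on the allow list, and the forward lookup of that name must lead back to the same address. The resolver calls are injectable so the check runs offline against constructed zone data; `live_reverse` and `live_forward` wrap the real `socket` calls.

```python
import socket

# Constructed sample zones (hypothetical names and addresses). REVERSE_ZONE
# plays the reverse nameserver, FORWARD_ZONE the forward nameserver.
REVERSE_ZONE = {
    "192.0.2.10": "trusted.example.net.",
    "192.0.2.66": "trusted.example.net.",   # forged PTR: the name's owner never assigned this IP
}
FORWARD_ZONE = {
    "trusted.example.net": ["192.0.2.10"],
}


def fake_reverse(ip):
    return REVERSE_ZONE[ip]                  # KeyError stands in for "no PTR record"


def fake_forward(name):
    return FORWARD_ZONE.get(name, [])


def live_reverse(ip):
    return socket.gethostbyaddr(ip)[0]       # raises socket.herror if there is no PTR


def live_forward(name):
    return socket.gethostbyname_ex(name)[2]  # raises socket.gaierror if there is no A record


def peer_is_authorized(ip, allowed_names, reverse=fake_reverse, forward=fake_forward):
    """The slide's two-way rule: the PTR name of the connecting IP must be on
    the allow list AND the forward lookup of that name must lead back to the
    same IP. Pass reverse=live_reverse, forward=live_forward for real DNS."""
    try:
        name = reverse(ip).lower().rstrip(".")
        if name not in allowed_names:
            return False
        return ip in forward(name)           # forward-confirm the reverse answer
    except (KeyError, socket.herror, socket.gaierror):
        return False                         # a missing record never authorizes
```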

20
Domain Name Spoofing (cont.)
  • In order to make attackers' lives more difficult,
    administrators commonly put the forward zone
    and the reverse zone on two separate machines,
    so BOTH must be compromised.
  • Also, DNS records commonly exist on two separate
    authoritative nameservers, so multiple queries to
    differing nameservers are also another level of
    authentication.

21
TCP Spoofing
  • An attacker only needs to estimate the sequence
    number to be assigned to the next data byte to be
    sent by the legitimate user.
  • If the correct next-sequence number is guessed,
    the attacker can send a forged datagram
    containing the tainted data that will be
    processed as valid data by the receiver.
  • If the attacker sends tainted data after the
    legitimate data, the target machine may
    completely discard the forged datagram if it
    contains less data than the legitimate datagram.

22
TCP Spoofing (cont.)
  • If the tainted datagram contains more data than
    the legitimate datagram, only the length of the
    legitimate datagram is rejected. The rest of the
    tainted transmission would be accepted as being
    valid.
  • On the other hand, if the forged datagram arrives
    before the legitimate datagram, the forgery will
    be discarded.

23
TCP Spoofing (cont.)
  • If the attacker guesses a number that's a bit too
    high, the receiver will take the datagram and put
    it in the buffer.
  • Some of the bytes at the end of the datagram may
    be discarded because they may not fit in the
    space allocated by the window advertisement.
  • Later, the legitimate datagram will arrive and
    fill the holes in the entire transmission.

24
A TCP Spoofing Example
  • Consider a user logging into a timesharing
    machine and leaving the session idle.
  • An attacker merely has to guess the total data
    bytes that the user sent to the server. Usually,
    the username, password, and a few commands are
    sent before the connection lies idle.
  • If the attacker estimates within 100 bytes, they
    are usually close enough to hit the advertisement
    window.
  • All the attacker has to do is send a forged
    datagram with a sequence of bytes that correspond
    to a command, and it will be executed as if the
    logged in user typed it!

25
TCP Spoofing Example (cont.)
  • Since the TCP forgery occurs as the regular user,
    only user commands can be executed.
  • rm -rf, for example

26
Reducing TCP Spoofing Risks
  • Log out of unused terminals and open new ones
    only when necessary.
  • Use an interactive protocol (telnet, rlogin) that
    adds overhead to make guessing the sequence
    number more difficult.
  • Use encrypted terminal sessions (ssh).

27
Common Vulnerabilities
  • IP Spoofing
  • Weak passwords
  • Default/Guest accounts
  • Network snooping/sniffing
  • Viruses/Trojan Horses

28
Common Exploits
  • Most common exploits involve buffer overruns.
  • If the target software runs as a privileged user,
    then the attacker can run commands as a
    privileged user!
  • Exploits vary from operating system to operating
    system.
    • Windows NT 4.0: 71 vulnerabilities
    • Windows NT 2000: 58 vulnerabilities
    • RedHat Linux 6.2 i386: 34 vulnerabilities
    • Windows 98: 31 vulnerabilities
    • Windows 95: 28 vulnerabilities

29
Common Exploits (cont.)
  • Buffer Overflow Exploits
    • CERT CA-99-03 FTP buffer overflow
    • CERT CA-99-08 qpopper (mail)
    • CERT CA-99-09 IMAPD (mail)
    • CERT CA-99-12 mountd (partition mounting)
    • POP3 USER buffer overflow
    • POP3 PASS buffer overflow
    • Finger services
    • BIND NXT vulnerability (DNS)
    • And many, many more!

30
Discovering Vulnerabilities
  • Disclaimer: this sort of unauthorized activity
    may go against your AUP. Do this at your own
    risk!

      riggswages telnet mail.eece.maine.edu 21
      Trying 130.111.113.34...
      Connected to rainier.eece.maine.edu.
      Escape character is '^]'.
      220 rainier FTP server (Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999) ready.

31
Discovering (cont.)
  • Then, you take the information that the server is
    running wu-2.6.0(1) and you then look on the
    common bug tracking sites to see if there are any
    vulnerabilities.
  • No common bugs exist for this FTP server.
  • Let's look at another possibility, the SMTP
    server software on port 25.

32
Discovering (cont.)
      riggswages telnet mail.eece.maine.edu 25
      Trying 130.111.113.34...
      Connected to rainier.eece.maine.edu.
      Escape character is '^]'.
      220 rainier.eece.maine.edu ESMTP Sendmail 8.9.3/8.9.3/Marc v3.1 (09/04/98) Tue, 14 Nov 2000 23:48:19 -0500

  • No known exploits for Sendmail 8.9.3
  • Let's look at the POP server next

33
Discovering (cont.)
      riggswages telnet mail.eece.maine.edu 110
      Trying 130.111.113.34...
      Connected to rainier.eece.maine.edu.
      Escape character is '^]'.
      +OK POP3 rainier v7.52 server ready

  • No known exploits for this server.
  • Port scanners
  • IP scanners
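An added example (not from the lecture) for the administrator's side of slides 30 to 33: the three banners the lecture collected are parsed into a (product, version) inventory and compared with a locally maintained baseline of approved versions, so that a version drifting from what the change records say stands out. The banner copies, the regexes and the baseline are constructed; the baseline says nothing about which versions are vulnerable.

```python
import re

# Banner text as the slides show it (constructed copies, punctuation restored).
BANNERS = {
    21: "220 rainier FTP server (Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999) ready.",
    25: "220 rainier.eece.maine.edu ESMTP Sendmail 8.9.3/8.9.3/Marc v3.1 (09/04/98) Tue, 14 Nov 2000 23:48:19 -0500",
    110: "+OK POP3 rainier v7.52 server ready",
}

# One regex per service; each captures the product name and its version string.
PATTERNS = {
    21: re.compile(r"\(Version (?P<product>wu)-(?P<version>[\d.]+(?:\(\d+\))?)"),
    25: re.compile(r"ESMTP (?P<product>Sendmail) (?P<version>[\d.]+)"),
    110: re.compile(r"\+OK (?P<product>POP3) \S+ v(?P<version>[\d.]+)"),
}

# Constructed baseline: the versions this site's change records say should be running.
APPROVED = {21: "wu 2.6.0(1)", 25: "Sendmail 8.9.3", 110: "POP3 7.52"}


def parse_banner(port, banner):
    """Return 'product version' for a known banner format, or None if it does not parse."""
    m = PATTERNS[port].search(banner)
    return f"{m['product']} {m['version']}" if m else None


def inventory_report(banners, approved):
    """Return {port: status} with status 'ok', 'unparsed', or 'drift: <seen>'."""
    report = {}
    for port, banner in banners.items():
        seen = parse_banner(port, banner)
        if seen is None:
            report[port] = "unparsed"            # banner format changed: look at it by hand
        elif seen == approved.get(port):
            report[port] = "ok"
        else:
            report[port] = f"drift: {seen}"      # running something other than the baseline
    return report
```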