COEN 250 - PowerPoint PPT Presentation

Slides: 28
Provided by: thomass155
Learn more at: http://www.cse.scu.edu
Transcript and Presenter's Notes

1
COEN 250
  • Security Threats

2
Network Based Exploits
  • Phases of an Attack
    • Reconnaissance
    • Scanning
    • Gaining Access
    • Expanding Access
    • Covering Tracks

3
Reconnaissance
  • Social Engineering
    • "I cannot access my email. What do I do?"
  • Dumpster Diving (especially useful when people
    move)
  • Search the Web
    • Sam Spade (www.samspade.org/ssw/), CyberKit,
      NetScanTools, ...
    • Search engines
    • Usenet postings
    • Whois

4
Reconnaissance
  • Databases
    • To research .com, .net, and .org domain names:
      InterNIC whois feature (www.internic.net/whois.html),
      allwhois, Network Solutions, ...
    • ARIN: American Registry for Internet Numbers
      (www.arin.net/whois/arin-whois.html)
    • RIPE (Europe): www.ripe.net
    • APNIC (Asia Pacific): www.apnic.net

5
Reconnaissance: Scanning
  • Once we have a target, we need to get to know it
    better.
  • Methods
    • War Dialing (to find modem access)
    • Network Mapping
    • Vulnerability Scanning
    • War Driving

6
Scanning: War Dialing
  • Purpose: Find a modem connection.
  • Many users in a company install remote PC
    software such as PCAnywhere without setting the
    software up correctly.
  • A war dialer finds these numbers by going through a
    range of phone numbers listening for a modem.
  • A demon dialer tries a brute-force password attack
    on a found connection.
  • Typically, war dialing will find an unsecured
    connection.

7
Scanning: Network Mapping
  • Ping
    • ping is implemented using the Internet Control
      Message Protocol (ICMP) Echo Request.
    • A receiving station answers back to the sender.
    • Used by system administrators to check the status of
      machines and connections.

8
Scanning: Network Mapping
  • Traceroute
    • Pings a system with ICMP echo requests with
      varying life spans (number of hops allowed).
    • A system that receives a packet whose allowed
      number of hops has expired sends an error message
      back to the sender.
    • Traceroute uses this to find the route to a given
      system.
    • Useful for system administration.

9
Scanning: Network Mapping
  • Cheops
    • Network scanner (UNIX based)
    • Uses traceroute and other tools to map a
      network.
    • Cheops and similar tools are the reason that
      firewalls intercept pings.

10
Reconnaissance: Port Scans
  • Applications on a system use ports to listen for
    network traffic or send it out.
  • 2^16 ports are available, some reserved for well-known
    services such as http (80), ftp, ...
  • Port scans send various types of IP packets to the
    target on different ports.
  • The reaction tells the scanner whether the port is
    open (an application listens).

11
Reconnaissance: Nmap
  • Uses different types of packets to check for open
    ports.
  • Can tell from the reaction what OS is running,
    including patch levels.
  • Can run in stealth mode, in which it is not
    detected by many firewalls.

12
Reconnaissance: Webserver Information Leakage
  • Most webservers leak information
    • HTTP answers
      • Identify the webserver
    • URLs
      • Have forms peculiar to certain webservers
      • Extensions
        • ASP pages: probably IIS, e.g.
          http://search.barnesandnoble.com/booksearch/results.asp?WRDOxfordhistoryzycds2Pid9481
        • .htm: probably Windows
      • Format of the query string
    • Cookies

13
Reconnaissance: Webserver Information Leakage
  • Most webservers leak information
    • Error messages
      • Identify the webserver technology by name and
        version number.
      • Sometimes send debug information to the browser.
      • Can be provoked by changing query strings or
        asking for non-existing resources.
      • Sometimes it is possible to get a message from the
        database engine.
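
The two leakage slides above list what an administrator should look for in a server's own responses: version banners, platform-specific cookies, and database or debug text in error pages. The following added example (not from the lecture; the response texts, header names and regexes are constructed by the editor) audits a raw HTTP response for those tell-tales, so that a "chatty" default install can be compared against a hardened one before an outsider does the comparison.

```python
import re

# Session-cookie name prefixes that identify the server-side platform.
PLATFORM_COOKIE_PREFIXES = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASPSESSIONID": "classic ASP / IIS",
    "ASP.NET_SESSIONID": "ASP.NET",
}

# Body fragments that reveal the database engine or debug internals.
BODY_SIGNATURES = [
    ("db-error", re.compile(
        r"ORA-\d{5}|SQLSTATE|mysql_fetch_\w+|error in your SQL syntax|"
        r"Microsoft OLE DB Provider|ODBC Driver", re.I)),
    ("debug-output", re.compile(
        r"Traceback \(most recent call last\)|Stack Trace:|"
        r"\bat [\w.$]+\(\w+\.java:\d+\)|\bon line \d+", re.I)),
]


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body).
    Headers are {lower-case name: [values]} because Set-Cookie may repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers, body


def audit_response(raw):
    """Return a list of (finding, evidence) tuples for one raw HTTP response."""
    _status, headers, body = parse_response(raw)
    findings = []
    for banner in headers.get("server", []):
        if re.search(r"\d+\.\d+", banner):        # "Apache/2.4.41" leaks a version
            findings.append(("server-version", banner))
    for value in headers.get("x-powered-by", []):
        findings.append(("x-powered-by", value))
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip().upper()
        for prefix, platform in PLATFORM_COOKIE_PREFIXES.items():
            if name.startswith(prefix):
                findings.append(("platform-cookie", f"{name} ({platform})"))
    for code, pattern in BODY_SIGNATURES:
        match = pattern.search(body)
        if match:
            findings.append((code, match.group(0)))
    return findings


# Constructed responses: one from a chatty default install, one hardened.
LEAKY_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=3f9a1c; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid "
    "MySQL result resource in /var/www/html/search.php on line 42"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: sid=3f9a1c; Path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<p>Something went wrong. Please quote reference 7f3a to support.</p>"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or "no findings")
```

The hardened response keeps a generic error page with an opaque reference id, so the operator can still find the real error in the server log while the client learns nothing about the stack. The signature lists are deliberately short; a real audit would grow them from the frameworks actually deployed.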

14
Reconnaissance: Prevention
  • Firewalls can make it very difficult to scan from
    the outside.
    • Drop scan packets.
  • Patched OSes do not have the idiosyncratic behavior
    that allows OS determination.
  • An IDS can detect internal scans and warn about
    them.
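
The slide says an IDS can detect internal scans but not how. The simplest detector behind the "Port Scans" and "Prevention" slides counts how many distinct ports one source touches on one host inside a short time window. The example below is added by the editor, not part of the lecture; the one-line-per-packet log format and the addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (hypothetical one-line-per-packet format):
#   "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
# 10.0.0.5 probes 16 consecutive ports on 10.0.0.20 within 16 seconds (a scan);
# 10.0.0.7 talks to three service ports over several minutes (normal use).
SCAN_LINES = [
    f"2024-01-01T10:00:{i:02d} 10.0.0.5 -> 10.0.0.20:{20 + i} TCP DROP"
    for i in range(16)
]
BENIGN_LINES = [
    "2024-01-01T10:00:03 10.0.0.7 -> 10.0.0.20:80 TCP ACCEPT",
    "2024-01-01T10:00:09 10.0.0.7 -> 10.0.0.20:443 TCP ACCEPT",
    "2024-01-01T10:05:00 10.0.0.7 -> 10.0.0.20:22 TCP ACCEPT",
]
SAMPLE_LOG = "\n".join(SCAN_LINES + BENIGN_LINES)


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst, _proto, _action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {(src_ip, dst_ip): set_of_ports} for every source that touched
    more than `threshold` distinct ports on one destination within `window`.

    A sliding window over time-sorted events is used, so a slow scan that
    spreads its probes over longer than `window` is NOT flagged; widen the
    window (at the cost of memory) to catch slower scans."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst_ip, port = parse_line(line)
        events[(src, dst_ip)].append((ts, port))

    alerts = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until all hits fit inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {port for _, port in hits[start:end + 1]}
            # Keep the largest port set seen for this pair above the threshold.
            if len(ports) > threshold and len(ports) > len(alerts.get(key, ())):
                alerts[key] = ports
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"ALERT possible port scan: {src} -> {dst}, {len(ports)} ports "
              f"({min(ports)}-{max(ports)})")
```

Dropping the scan packets at the firewall (as the slide recommends) does not remove the evidence: the DROP lines are exactly what this detector consumes, so logging dropped packets is what makes the warning possible.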

15
Gaining Access
  • Gain access using application and OS attacks.
  • Gain access using network attacks.

16
Gaining Access through Apps and OS
  • Trends
    • Modularized super-tools
      • The Metasploit Project
        • multiple attacks
        • multiple payloads
        • easily updated
    • Buffer Overflow Attacks
      • Stack
      • Heap
    • Dynamic Memory Attacks
    • Format Vulnerabilities
    • Integer Overflow
    • Password Attacks
    • Web Application Attacks

17
Gaining Access: Web Application Attacks
  • The URL not only contains the web address of a
    site, but also input
    • http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=web+application+attack
  • A poorly written webpage allows the viewer to
    input data in an uncontrolled fashion. If the
    webpage contains SQL, the user might execute SQL
    commands.
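
The last bullet is the classic SQL injection case: input from the query string is pasted into a SQL statement. The added example below (editor's code, not from the lecture; the in-memory SQLite table and the book titles are constructed) puts the poorly written query next to the parameterized one so the difference is visible in the results, not just in the prose.

```python
import sqlite3


def make_db():
    """Constructed catalogue: two public titles and one the site should never show."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO books (title, secret) VALUES (?, ?)",
        [("Oxford History", 0), ("Web Security", 0), ("Unreleased Draft", 1)],
    )
    return conn


def vulnerable_search(conn, term):
    """The 'poorly written webpage': the user's text becomes part of the SQL.
    A term containing quotes or comment markers rewrites the WHERE clause."""
    sql = "SELECT title FROM books WHERE secret = 0 AND title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, term):
    """Parameterized query: the driver passes the term as data, never as SQL,
    so quotes and comment markers are just characters to match."""
    sql = "SELECT title FROM books WHERE secret = 0 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    conn = make_db()
    for term in ("Oxford", "x' OR 1=1 --"):
        print(repr(term))
        print("  vulnerable:", vulnerable_search(conn, term))
        print("  safe:      ", safe_search(conn, term))
```

For an ordinary term both functions return the same row; for the second input the concatenated version returns every row including the hidden one, while the parameterized version returns nothing because no title contains that literal string. Parameter binding, not input filtering, is the fix the slide's last sentence is calling for.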

18
Gaining Access through Network Attacks: Sniffing
  • Sniffer: Gathers traffic from a LAN.
  • Examples: Snort (www.snort.org), Sniffit
    (reptile.rug.ac.be/coder/sniffit/sniffit.html)
  • To gain access to packets, use spoofed ARP
    (Address Resolution Protocol) to reroute traffic.

19
Gaining Access: Session Hijacking
  • IP Address Spoofing: Send out IP packets with
    false IP addresses.
  • If an attacker sits on a link through which
    traffic between two sites flows, the attacker can
    inject spoofed packets to hijack the session.
    • Attacker inserts commands into the connection.
  • Details omitted.

20
Exploiting and Maintaining Access
  • After a successful intrusion, an attacker should
    • Use other tools to gain root or administrator
      privileges.
    • Erase traces (e.g. change log entries).
    • Take measures to maintain access.
    • Erase security holes so that no-one else can gain
      illicit access and do something stupid that wakes
      up the sys. ad.

21
Maintaining Access: Trojans
  • A program with an additional, evil payload.
    • Running MS Word also reinstalls a backdoor.
    • ps does not display the installed sniffer.

22
Maintaining Access: Backdoors
  • Bypass normal security measures.
  • Example: netcat
    • Install netcat on the victim with the
      GAPING_SECURITY_HOLE option.
    • C:\> nc -l -p 12345 -e cmd.sh
    • In the future, connect to port 12345 and start
      typing commands.

23
Maintaining Access: Backdoors
  • BO2K (Back Orifice 2000) runs in stealth mode
    (you cannot discover it by looking at the
    Processes tab in the Task Manager).
  • Otherwise, it is a remote control program like
    pcAnywhere that allows accessing a computer over
    the net.

24
Maintaining Access: Backdoors
  • RootKit
    • A backdoor built as a Trojan of system
      executables such as ipconfig.
  • Kernel-Level RootKit
    • Changes the OS, not only system executables.
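
A user-level rootkit of the kind on this slide (and the trojaned ps two slides earlier) replaces system executables, so the defender's counter is a file-integrity baseline: hash every binary while the system is known-good and compare later. The example below is added by the editor and is not from the lecture; `demo()` builds a throw-away directory with constructed stand-ins for `ipconfig`, `ps` and `ls` so the check can run offline.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under `root` (relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = sha256_of(path)
    return baseline


def verify(root, baseline):
    """Compare the tree under `root` with a stored baseline and report
    modified, missing and newly added files (each list sorted)."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: baseline three 'system executables', then simulate
    a trojaned ps, a dropped hidden file and a deleted binary."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ipconfig", "ps", "ls"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"original binary content: " + name.encode())
        baseline = build_baseline(root)

        with open(os.path.join(root, "ps"), "ab") as f:      # trojaned ps
            f.write(b"\n# extra code that hides the sniffer process")
        with open(os.path.join(root, ".hidden"), "wb") as f:  # dropped file
            f.write(b"backdoor")
        os.remove(os.path.join(root, "ls"))                   # deleted binary

        return verify(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9s} {files}")
```

Two caveats follow directly from the slide's last bullet. The baseline must be stored off the monitored host (read-only media or a separate system), otherwise the intruder who replaced ps can also replace the hash list. And a kernel-level rootkit that alters the OS can lie to this checker about what `open()` returns, so for that case the files have to be verified from trusted boot media rather than from the running system.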

25
Covering Tracks
  • Altering logs.
  • Creating difficult-to-find files and directories.
  • Covert channels through networks
    • Loki uses ICMP messages as the carrier.
    • Use WWW traffic.
    • Use unused fields in TCP/IP headers.
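
Loki-style tunnelling works because ICMP echo payloads are rarely inspected. A sensor can inspect them cheaply: stock ping tools send fixed, patterned fill bytes, whereas tunnelled data is typically compressed or encrypted and therefore close to maximal entropy. The following added example (editor's code, not from the lecture) classifies echo payloads on that basis; the stock payload patterns are those of the common Windows and Linux ping implementations, and the "tunnel" payload is a constructed high-entropy byte string.

```python
import math
from collections import Counter

# Stock echo-request fill patterns the sensor whitelists (assumption: these two
# ping implementations dominate on the monitored network).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32 bytes
LINUX_PING_TAIL = bytes(range(16, 56))  # after the timestamp, byte i == i


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_stock_ping(payload):
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # Linux ping: 8- or 16-byte timestamp, then payload[i] == i up to 56 bytes.
    return len(payload) == 56 and payload[16:] == LINUX_PING_TAIL


def classify_icmp_payload(payload, entropy_threshold=5.0, max_len=128):
    """Return (verdict, reason) for one ICMP echo payload.
    Patterned fill -> normal; near-random or oversized data -> suspicious;
    anything else is left for an analyst to review."""
    if is_stock_ping(payload):
        return "normal", "matches a stock ping payload"
    ent = shannon_entropy(payload)
    if ent > entropy_threshold:
        return "suspicious", f"high-entropy payload ({ent:.2f} bits/byte)"
    if len(payload) > max_len:
        return "suspicious", f"oversized payload ({len(payload)} bytes)"
    return "review", f"non-standard payload, entropy {ent:.2f} bits/byte"


# Constructed samples.
LINUX_PING = b"\x65\x8f\x2a\x11\x00\x00\x00\x00" + bytes(8) + LINUX_PING_TAIL
TUNNEL_PAYLOAD = bytes((i * 73 + 41) % 256 for i in range(200))  # 200 distinct bytes

if __name__ == "__main__":
    for label, payload in (("windows", WINDOWS_PING_PAYLOAD),
                           ("linux", LINUX_PING),
                           ("tunnel", TUNNEL_PAYLOAD),
                           ("custom", b"hello")):
        print(label, classify_icmp_payload(payload))
```

Entropy alone is a heuristic: a tunnel can pad with low-entropy filler, and some legitimate tools send custom payloads, which is why the third verdict is "review" rather than a verdict either way. The stronger control the slide implies is policy: if the firewall only passes echo traffic from known monitoring hosts, the carrier is unavailable in the first place.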

26
Hacker Damage
  • Releasing Information
  • Releasing Software
    • By circumventing copy protection.
    • Through IP theft
  • Consuming Unused(?) Resources
  • Discovering and Documenting Vulnerabilities
  • Compromising Systems and Increasing their
    Vulnerabilities
  • Website Vandalism

27
Hacking Profile
  • Shift to a for-profit motive
  • Shift to an underground economy