The Fundamentals of Hacking: An 0\/3r\/!3vv - PowerPoint PPT Presentation

Slides: 196
Provided by: ezra7

Transcript and Presenter's Notes

1
The Fundamentals of Hacking: An 0\/3r\/!3vv
  • Jen Johnson
  • Miria Grunick

2
Five Phases of an Attack
  • Phase 1: Reconnaissance
  • Phase 2: Scanning
  • Phase 3: Gaining Access
  • Phase 4: Maintaining Access
  • Phase 5: Covering Tracks and Hiding

3
Phase 1: Reconnaissance
  • Takes place before the attack.
  • Investigate the target using publicly available
    information.
  • Types: Low-Technology Reconnaissance, Searching
    the Web, Whois Databases, Using the DNS, and
    General Purpose Tools

4
Low-Technology Reconnaissance
  • Social Engineering: An attacker calls the target
    organization and fools an employee into revealing
    sensitive information. Often, the attacker calls
    and pretends to be a new employee, customer,
    system administrator, or business partner.

5
Low-Technology Reconnaissance
  • Physical Break-In: Physically breaking into the
    building to try to gain access to the network
    from the inside. This is often accomplished by
    walking into the building with a group of
    employees or being hired as an employee or temp.

6
Low-Technology Reconnaissance
  • Dumpster Diving: Going through an organization's
    discarded documents to find sensitive
    information. Often, employees will throw out
    papers that reveal critical information (e.g.,
    old Post-It notes with user IDs and passwords).

7
Searching the Web
  • Organization's Web Site: Can reveal important
    information, such as the employees' contact
    information, clues about the corporate culture
    and language, business partners, recent mergers
    and acquisitions, and what technologies the
    organization uses.

8
Searching the Web
  • Search Engines: Can reveal information about the
    company's history, current events, future plans,
    financial status, business partners, and
    technologies in use.
  • Usenet: Employees may submit questions to
    technical newsgroups that reveal information
    about the particular products that the
    organization uses.

9
Whois Databases
  • Whois databases contain information about the
    assignment of Internet addresses, domain names,
    registrars, and individual contacts.
  • First, find out who the registrar is. The
    Internet Network Information Center (InterNIC)
    whois database system lists the registrars of
    websites based on the organization's name or
    domain name for sites with the .net, .org or .com
    extensions. The InterNIC whois database is
    available online at www.internic.net/whois.html

10
Whois Databases
  • If you are researching an organization without
    the .com, .net, or .org extensions (e.g.,
    international websites), try the Allwhois site
    at www.allwhois.com/home.html
  • Once you have the registrar's name, you can go to
    the registrar's site and get more information,
    such as names and numbers of administrators,
    email and postal addresses, registration dates,
    and the addresses of the organization's DNS
    servers.

11
American Registry for Internet Numbers (ARIN)
  • Contains all IP addresses assigned to a
    particular organization. Search by company or
    domain names.
  • For North American, South American, Caribbean,
    and sub-Saharan African organizations:
    www.arin.net/whois/arinwhois.html
  • For European organizations: www.ripe.net
  • For Asian organizations: www.apnic.net

12
Domain Name System (DNS)
  • DNS: a world-wide hierarchical database that
    stores information about domain names and IP
    addresses. This database is searched to get
    information about a given domain name, most
    commonly the corresponding IP address.
  • Once an attacker knows one of the DNS servers,
    the attacker can begin interrogating the name
    servers.

13
DNS
  • To interrogate DNS servers, first invoke a
    nslookup program on any UNIX or Windows NT/2000
    environment by typing nslookup at the command
    prompt.
  • Try to do a zone transfer. In a zone transfer,
    the nslookup program asks the DNS server to
    transmit all information it has about a given
    domain.

14
DNS
  • To do a zone transfer, nslookup must be
    instructed to use the target's DNS server, using
    the command server target_DNS_server
  • Next, specify to search for any type of DNS
    record by typing set type=any
  • Initiate the zone transfer by typing ls -d
    target_domain
  • Output can give useful information, such as
    system names, IP addresses of the systems, and
    sometimes even operating system types.
  • More information about nslookup:
    www.zoneedit.com/doc/nslookup.html

15
General Reconnaissance Tools
  • Sam Spade (freeware available at
    www.samspade.org/ssw/ )
  • Many reconnaissance tools in one: ping, whois, IP
    block whois, nslookup, dig, DNS zone transfer,
    traceroute, finger, SMTP VRFY, Web browser.
  • Other general-purpose reconnaissance tools:
    CyberKit, NetScan Tools, iNetTools

16
Web-Based Reconnaissance Tools
  • Research and Attack portals: sites that allow a
    user to enter the target site and research or
    initiate an attack against the target (via
    denial-of-service attacks or vulnerability scans)
  • Difference between Web-based tools and general
    reconnaissance tools: now the traffic comes from
    the Web server, not the attacker machine. Thus,
    the attacker can remain more anonymous.

17
Web-Based Reconnaissance Tools
  • Examples
  • www.network-tools.com
  • privacy.net/analyze

18
Phase 2: Scanning
The premise of scanning is to probe as many ports
as possible, keeping track of open and useful
ports that would be receptive to
hacking. Scanners send multiple packets over a
communication medium then listen and record each
response. The following are techniques for
inspecting ports and protocols.

19
War Dialing
  • War Dialing: Dialing large pools of telephone
    numbers in an effort to find unprotected modems.
    Done with an automated tool, such as THC-Scan
    2.0, available at www.thc.org/releases.php.
  • This tool will return a list of all of the modems
    discovered in the range of the phone numbers it
    was given.
  • The hacker can then check all of the modems and
    see if any have no passwords, allowing them
    access to the network.

20
FIN Probe
  • A FIN packet is sent (or any packet without an
    ACK or SYN flag) to an open port and one waits
    for a response.
  • The correct RFC 793 behavior is to not respond.
    Many broken implementations (e.g., MS Windows) send
    a RESET back.

21
Network Mapping
  • A hacker first tries to determine which addresses
    have active hosts by pinging all possible
    addresses in the network.
  • Once a hacker knows which hosts are alive, he or
    she will try to determine the network topology.
    This is done by a method called tracerouting.

22
Network Mapping
  • Tracerouting: Send a series of packets with
    different Time-To-Live (TTL) values in the IP
    header and check the source address of the Time
    Exceeded message returned.
  • Example: Send a packet with a TTL of 1. The Time
    Exceeded message will have the source address of
    the first router. Now send a packet with a TTL of
    2. The Time Exceeded message returned will have
    the source address of the second router, and so
    on.

23
Tracerouting
24
Network Mapping
  • Windows 2000/NT and UNIX have tools that do this
    for us:
  • Windows 2000/NT: tracert
  • UNIX: traceroute
  • Another network mapping tool: Cheops (available
    at www.marko.net/cheops ). This tool does the
    ping sweep and traceroute and draws a picture of
    the topology of the network.

25
Screenshot of Cheops
26
How Cheops Works
  • Sequentially send ARP messages to every IP
    address in the range.
  • Traceroute to every IP address that responds to
    the ARP message.

27
Scanning Involves 3 Steps
  • Locating Nodes
  • Performing Service Discoveries
  • Testing Services for Known Security Holes

28
TCP Port Scanning
  • Most basic form of scanning. Attempts to open a
    full TCP connection to determine if that
    port is active.
  • This method leaves an easier-to-spot trail than
    half-open scanning.

29
Stealth Port Scanning
  • All the operating systems now honor the tradition
    of permitting only the super-user to open the
    ports numbered 0 to 1023.  These standard ports
    are assigned to services by the IANA (Internet
    Assigned Numbers Authority, www.iana.org).  
  • Attempts to open a port in the range of 0..1023
    by an unprivileged user program will fail. A user
    program can open any unallocated port higher than
    1023.

30
  • On Unix, the text file named /etc/services
    (on Windows 2000 the file named
    %windir%\system32\drivers\etc\services)
    lists these service names and the ports they
    use. Here are a few lines extracted from this
    file:

31
echo       7/tcp     Echo
ftp-data   20/udp    File Transfer (default)
ftp        21/tcp    File Transfer (control)
ssh        22/tcp    SSH Remote Login Protocol
telnet     23/tcp    Telnet
domain     53/udp    Domain Name Server
www-http   80/tcp    WWW HTTP
32
Non Standard Ports
wins     1512/tcp       Microsoft Windows Internet Name Service
Radius   1812/udp       RADIUS authentication protocol
yahoo    5010           Yahoo! Messenger
X11      6000-6063/tcp  X Window System
33
Stealth Scanning Includes Some/All of the Following
  • Setting individual flags (ACK, FIN, RST, .. )
  • NULL flags set
  • All flags set
  • Bypassing filters, firewalls, routers
  • Appearing as casual network traffic
  • Varied packet dispersal rates

34
Fragmented Packets
  • The scanner splits the TCP header into several IP
    fragments. This bypasses some packet filter
    firewalls because they cannot see a complete TCP
    header that can match their filter rules. 

35
  • Some packet filters and firewalls do queue all IP
    fragments (e.g., the CONFIG_IP_ALWAYS_DEFRAG
    option in Linux enables it in the kernel), but
    many networks cannot afford the performance loss
    caused by the queuing.

36
TCP Fragmenting
  • TCP fragmenting is not a scan method as such;
    rather, it is a way to obscure a scan by
    splitting the TCP header into smaller fragments.

37
  • A minimally allowable fragmented TCP header must
    contain a destination and source port in the
    first fragment (8 octets, 64 bits), with the
    flags typically in the next, allowing the
    remote host to reassemble the packet upon
    arrival.

38
  • The actual reassembly is performed by an
    IPM (internet protocol module) that identifies
    the fragments of one packet by matching the
    values of these fields:
  • source
  • destination
  • protocol
  • identification

39
Using TCP Fragmenting - FragRouter
  • Program which fragments TCP packets
  • 35 different ways to fragment
  • Called a router because it is a software
    implementation of a router: data from other
    programs is sent through the FragRouter
  • FragRouter fragments the packets and then
    forwards the packets to their destination

40
SYN Scanning
  • Also called half-open scanning, as the TCP
    connection is not completed.
  • A SYN packet is sent and the target host
    responds with a SYN/ACK, indicating the port is
    listening
  • RST indicates a non-listener
  • The server process is never informed by the TCP
    layer because the connection did not complete.

41
A demonstration of this technique is necessary to
show a half-open transaction:
  • client -> SYN
  • server -> SYN/ACK
  • client -> RST

42
  • This example has shown the target port was open,
    since the server responded with SYN/ACK flags.
  • The RST bit is kernel oriented, that is, the
    client need not send another packet with this
    bit, since the kernel's TCP/IP stack code
    automates this.

43
Inversely, a closed port will respond with
RST/ACK.
  • client -> SYN
  • server -> RST/ACK
  • This combination of flags is indicative of a
    non-listening port.

44
FIN Scanning
  • The typical TCP scan attempts to open connections
    (at least part way). Another technique sends
    erroneous packets at a port, expecting that open
    listening ports will send back different error
    messages than closed ports. 

45
  • The scanner sends a FIN packet, which should
    close a connection that is open.  Closed ports
    reply to a FIN packet with a RST. Open ports, on
    the other hand, ignore the packet in question.
  • If no service is listening at the target port,
    the operating system will generate an error
    message.
  • If a service is listening, the operating system
    will silently drop the incoming packet.
    Therefore, silence indicates the presence of a
    service at the port.

46
This is the negotiation for open/closed port
recognition:
  • client -> FIN
  • server -> (no reply)
  • No reply from the server is indicative of an
    open port. The server's operating system silently
    dropped the incoming FIN packet to the service
    running on that port.

47
RST Reply
  • Opposing this is the RST reply by the server when
    a closed port is reached.
  • Since no service is bound on that port, issuing
    a FIN invokes a reset (RST) response from the
    server.
  • client -> FIN
  • server -> RST

48
  • Other techniques that have been used consist of
    XMAS scans where all flags in the TCP packet are
    set, or NULL scans where none of the bits are
    set. However, different operating systems respond
    differently to these scans, and it becomes
    important to identify the OS and even its version
    and patch level.
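The flag semantics on the SYN, FIN, Xmas and NULL scan slides, seen from the defender's side: an added Python example (not from the presentation) that names the probe type from a packet's TCP flags, states the reply each probe gets from an RFC 793 stack versus the broken stacks the FIN Probe slide mentions, and runs the kind of protocol-stack check the later IDS slides describe over constructed sample traffic. The packet tuples, addresses and alert threshold are constructed for this example.

```python
from collections import defaultdict

# TCP flag bits, low bit first, as RFC 793 lays out the flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed threshold: distinct (host, port) targets hit by stealth probes
# from one source before the detector raises an alert.
PORT_SWEEP_THRESHOLD = 5


def classify_probe(flags: int) -> str:
    """Name the kind of probe a TCP packet with these flags represents.

    A bare SYN is an ordinary connection attempt (or a half-open scan), while
    FIN, NULL and Xmas packets that belong to no connection are the stealth
    probes the scanning slides describe.  SYN together with FIN never occurs
    in a legitimate exchange, so it is reported as an illegal combination.
    """
    if flags == 0:
        return "null"
    if flags & SYN and flags & FIN:
        return "illegal-syn-fin"
    if flags & SYN:
        return "syn-ack" if flags & ACK else "syn"
    if flags & ACK:
        return "ack"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "xmas"
    if flags & FIN:
        return "fin"
    return "other"


def expected_reply(probe: str, port_open: bool, rfc793: bool = True):
    """Reply a target sends to a probe, as the SYN and FIN scan slides state.

    rfc793=False models the 'broken implementations' the FIN Probe slide
    mentions, which send RST even for an open port, so FIN/NULL/Xmas probes
    cannot distinguish open from closed there.  Returns 'SYN/ACK', 'RST/ACK',
    'RST' or None for silence.
    """
    if probe == "syn":
        return "SYN/ACK" if port_open else "RST/ACK"
    if probe in ("fin", "null", "xmas"):
        return None if (port_open and rfc793) else "RST"
    if probe == "ack":
        return "RST"  # an unfiltered port resets a stray ACK whether open or not
    return None


def detect_scans(packets, threshold: int = PORT_SWEEP_THRESHOLD):
    """Protocol-stack check over packet records (src, dst, dport, flags).

    Returns one (source, reason) alert per source that sent an illegal flag
    combination or sent stealth probes to at least `threshold` targets.
    """
    stealth_targets = defaultdict(set)
    illegal_sources = set()
    for src, dst, dport, flags in packets:
        probe = classify_probe(flags)
        if probe == "illegal-syn-fin":
            illegal_sources.add(src)
        elif probe in ("fin", "null", "xmas"):
            stealth_targets[src].add((dst, dport))
    alerts = [(src, "illegal SYN+FIN combination") for src in illegal_sources]
    for src, targets in stealth_targets.items():
        if len(targets) >= threshold:
            alerts.append((src, f"stealth probes to {len(targets)} ports"))
    return sorted(alerts)


# Constructed sample traffic: an Xmas sweep over six ports from 192.0.2.10,
# a normal connection from 192.0.2.20 and one SYN+FIN packet from 192.0.2.30.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5", port, FIN | PSH | URG)
    for port in (21, 22, 23, 25, 80, 443)
] + [
    ("192.0.2.20", "198.51.100.5", 80, SYN),
    ("192.0.2.20", "198.51.100.5", 80, ACK),
    ("192.0.2.30", "198.51.100.5", 22, SYN | FIN),
]

if __name__ == "__main__":
    for src, reason in detect_scans(SAMPLE_PACKETS):
        print(f"ALERT {src}: {reason}")
```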

49
Reverse Ident Scanning
  • This technique involves sending a request to the
    ident/auth daemon, usually on port 113, to query
    the service for the owner of the running process.
  • The main reason behind this is to find daemons
    running as root; such a result would entice an
    intruder to find a vulnerable overflow and
    instigate other suspicious activities involving
    this port.

50
  • Alternatively, a daemon running as user nobody
    (httpd) may not be as attractive to a user
    because of limited access privileges.
  • identd could release miscellaneous private
    information such as:
  • user info
  • entities
  • objects
  • processes

51
FTP Bounce
52
Background
  • An FTP session consists of two connections between
    the client and the server.
  • The high-port data connection is requested by the
    client and allows the FTP server to send data to
    the client.
  • When the client wants to transfer data to or from
    the server, it issues a PORT command. The PORT
    command instructs the server to open a data
    connection which is used to transfer the data.

53
Problem
  • An outside attacker can use the FTP server to
    open connections which appear to originate from
    the server. This could be used to bypass the
    access control restrictions.

54
55
How To Use FTP Bounce Attacks
56
Port Scanning
  • An attacker can run the attack from a third-party
    FTP server acting as a stage for the scan. The
    victim site sees the scan as coming from the FTP
    server rather than the true source (the FTP
    client).
  • When the victim site is on the same subnet as the
    FTP server, or when it does not filter traffic
    from the FTP server, the attacker can use the
    server machine as the source of the port scan
    rather than the client machine.

57
Bypassing Basic Packet Filtering Devices
  • An attacker may bypass a firewall in certain
    network configurations.
  • Example: a site has its anonymous FTP server
    behind a firewall. Using the technique above, an
    attacker determines that an internal web server
    at that site is available on port 8080, a port
    normally blocked by a firewall.

58
  • By connecting to the public FTP server at the
    site, the attacker initiates a further connection
    between the FTP server and an arbitrary port on a
    non-public machine at that site (for instance
    the internal web server at port 8080).
  • As a result, the attacker establishes a
    connection to a machine that would otherwise be
    protected by the firewall.

59
Bypassing Dynamic Packet Filtering Devices
  • Example:
  • Victim site houses all of its systems behind a
    firewall that uses dynamic packet filters.
  • A person at the victim site browses web pages and
    downloads a Java applet constructed by the attacker.
  • The Java applet then opens an outbound FTP connection
    to the attacker's machine.
  • The applet then issues an FTP PORT command,
    instructing the server machine to open a connection
    to some otherwise protected system behind the
    victim firewall.

60
  • Dynamic packet filtering firewall examines
    outbound packets to determine if any action is
    required on its part.
  • It notes the PORT command and allows an incoming
    connection from the remote web server to the
    telnet port on the victim machine.
  • This connection was allowed in this case because
    the PORT command was issued by the client.
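The check that closes both FTP bounce variants above, as an added Python example that is not from the presentation: a bounce-resistant FTP server, or a stateful firewall that parses the control channel before opening a hole for the data connection, only honours a PORT command whose target is the control-connection client itself and whose port is not privileged (so it can never point at the telnet port of a protected host). Addresses and command lines are constructed for this example.

```python
import ipaddress
import re

# 'PORT h1,h2,h3,h4,p1,p2': four address bytes, then the port as p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_argument(line: str):
    """Decode a PORT command into (IPv4Address, port); raise ValueError if malformed."""
    match = PORT_RE.match(line.strip())
    if not match:
        raise ValueError("not a well-formed PORT command")
    fields = [int(x) for x in match.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field exceeds 255")
    host = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return host, port


def check_port_command(control_peer: str, line: str):
    """Decide whether the data connection requested by a PORT command may be opened.

    control_peer is the client address on the FTP control connection.  The
    data connection must go back to that same host (otherwise the server is
    being used as a bounce point) and must not target a privileged port
    (which would let a bounce reach services such as telnet on port 23).
    Returns (allowed, reason).
    """
    try:
        host, port = parse_port_argument(line)
    except ValueError as err:
        return False, f"rejected: {err}"
    if host != ipaddress.IPv4Address(control_peer):
        return False, f"rejected: data target {host} is not the control peer {control_peer}"
    if port < 1024:
        return False, f"rejected: privileged port {port}"
    return True, f"permitted: data connection to {host}:{port}"


# Constructed control-channel lines from a client at 192.0.2.10.
CONTROL_PEER = "192.0.2.10"
SAMPLE_COMMANDS = [
    "PORT 192,0,2,10,4,1",        # client's own host, port 1025: legitimate
    "PORT 198,51,100,7,31,144",   # third host, port 8080: bounce attempt
    "PORT 192,0,2,10,0,23",       # client's host but port 23: privileged
    "PORT 192,0,2,10,1,300",      # malformed field value
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        allowed, reason = check_port_command(CONTROL_PEER, cmd)
        print(f"{cmd:<28} -> {reason}")
```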

61
Scanning Packages Available Commercially
  • CyberCop
  • JAKAL
  • NetRecon
  • NMap

62
CyberCop
  • Intrusion detection system that safeguards
    corporate assets by performing real-time
    surveillance of network traffic. The CyberCop
    system protects networks from external and
    internal attacks by providing a "high tech
    burglar alarm" capable of alerting companies when
    the security of their networks is breached by
    unauthorized intruders.

63
JAKAL
  • Developed on UNIX to test UNIX hosts. Jakal is
    interesting because of its possibilities: it is
    designed for stealth and to go through most
    firewalls. Usually it doesn't leave any trace of
    its activity, except for some messages (SYN/ACK).

64
NetRecon
  • Scans multiple operating systems, including UNIX,
    Linux, Windows 2000, Windows NT, Windows 95/98
    and NetWare.
  • Scans using many Windows NT/2000 network
    protocols such as TCP/IP, IPX/SPX, and NetBEUI.

65
Nmap
  • Most popular scanner to date
  • Free utility for network exploration or security
    auditing. Designed to rapidly scan large
    networks. Uses raw IP packets to determine what
    hosts are available on the network, what services
    (application name and version) those hosts are
    offering, what operating systems (and OS
    versions) they are running, and what type of packet
    filters/firewalls are in use.
  • http://www.insecure.org/nmap/idlescan.html

66
Scan Types Supported by Nmap
67
Type of Scan    Command-Line Option   Summary of Characteristics
TCP Connect     -sT                   Completes the 3-way handshake with each scanned port.
TCP SYN         -sS                   Only sends the initial SYN and awaits the SYN-ACK response.
TCP FIN         -sF                   Sends a TCP FIN to each port. Reset indicates port is closed.
TCP Xmas Tree   -sX                   Sends packet with the FIN, URG and PUSH code bits set. Reset indicates port is closed.
Null            -sN                   Sends packets with no code bits set. Reset indicates port is closed.
TCP ACK         -sA                   Sends packet with the ACK code bit set to each target port.
Window          -sW                   Similar to ACK, but focuses on TCP Window size to determine if ports are open or closed.
FTP Bounce      -b                    Bounces a TCP scan off of an FTP server, obscuring the originator of the scan.
UDP Scanning    -sU                   Sends a UDP packet to target ports to determine if a UDP service is listening.
Ping            -sP                   Sends ICMP echo request packets to every machine on target network.
RPC Scanning    -sR                   Sends RPC Null commands to all discovered open TCP/UDP ports on the target to identify RPC services.
70
Determining Firewall Filter Rules
  • One disadvantage of Nmap: it cannot
    differentiate what is open on an end machine and
    what is being firewalled.
  • It is also important to determine what ports are
    available through the firewall or router. One
    tool that can do this is Firewalk (available at
    www.packetfactory.net/projects/firewalk/firewalk-5.0.tgz)
  • Firewalk can determine which types of packets are
    permitted through and which ports are accessible
    through the firewall.
  • Note: Firewalk is only useful for
    packet-filtering devices, not proxy-based
    firewalls.

71
How Firewalk Works
  • Determines the number of hops between the tool
    and the firewall
  • Sends UDP and TCP packets with TTL one greater
    than the hop count to the filtering device.
  • If ICMP Time Exceeded message is returned, the
    port is available through the firewall
  • If ICMP Port Unreachable message or nothing is
    returned, the port is most likely being filtered
    by the firewall.
  • Unlike Nmap, Firewalk can determine what kind of
    packets are allowed through the firewall for each
    specific port and which ports allow new
    connections.

72
Vulnerability Scanning
  • Use an automated tool that checks for common
    configuration errors, default configuration
    errors, and well-known system vulnerabilities.
  • Generally made up of multiple parts:
    vulnerability database, user configuration tool,
    scanning engine, knowledge base of current active
    scan, and results repository and report
    generation tool.

73
Vulnerability Scanner
74
Nessus
  • The most popular of the vulnerability scanners.
    (Available at www.nessus.com)
  • Also allows the user to write their own
    vulnerability checks and include them in the
    tool.
  • Has a variety of plug-ins, such as checking for
    vulnerabilities that allow a shell to be gained
    remotely and checking to see if the target system
    already has backdoor tools installed.

75
Port, Socket Service Vulnerability Penetrations
  • Once a breach has been uncovered during the
    discovery phase, different vulnerability
    penetrations are used to take advantage and
    possibly gain control of computers, servers and
    internetworking equipment.
  • More on exploiting these vulnerabilities in Phase
    3

76
Operating System Fingerprinting with Nmap
77
TCP ISN Sampling
  • The idea here is to find patterns in the initial
    sequence numbers chosen by TCP implementations
    when responding to a connection request.
  • Categorized into groups such as traditional 64K,
    random increments, and true random (Linux 2.0)
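An added Python example, not from the presentation or from Nmap, of the ISN sampling idea above: a simplified classifier that sorts a sample of observed initial sequence numbers into the classes the slide names by looking at successive differences modulo 2^32. The classification rules and the sample sequences are assumptions of this example; a real fingerprinter applies more refined statistics.

```python
from functools import reduce
from math import gcd

WRAP = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2^32."""
    return [(b - a) % WRAP for a, b in zip(isns, isns[1:])]


def classify_isn(isns):
    """Place an ISN sample in one of the classes named on the slide.

    Simplified rules (an assumption of this example, not Nmap's exact test):
      - every delta equal to 64000       -> 'traditional 64K'
      - every delta equal, another value -> 'constant increment N'
      - varying deltas, all forward steps (below 2^31)
                                         -> 'random positive increments'
      - some delta steps backwards       -> 'true random'
    Needs at least three samples so that two deltas can be compared.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    if all(d == deltas[0] for d in deltas):
        if deltas[0] == 64000:
            return "traditional 64K"
        return f"constant increment {deltas[0]}"
    if all(d < WRAP // 2 for d in deltas):
        step = reduce(gcd, deltas)  # smallest unit the increments are built from
        return f"random positive increments (gcd {step})"
    return "true random"


# Constructed samples, one per class.
SAMPLES = {
    "old BSD style": [1000, 65000, 129000, 193000],
    "positive increments": [100, 5100, 12100, 14100],
    "true random": [0xFFFF0000, 0x00001000, 0x80000000, 0x10],
}

if __name__ == "__main__":
    for name, isns in SAMPLES.items():
        print(f"{name:<22} -> {classify_isn(isns)}")
```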

78
Don't Fragment Bit
  • Some operating systems tend to set the IP Don't
    Fragment bit on some of the packets they send.
  • By paying attention to this bit, one can glean
    information on the target OS.

79
TCP Initial Window
  • Simply involves checking the window size on
    returned packets.
  • Gives quite a lot of information since some
    operating systems can be uniquely identified by
    the window alone.

80
TCP Options
  • Excellent means of gaining access to leaked
    information.
  • Can discover if a host implements them by
    sending a query with an option set; the target shows
    support of the option by setting it on the reply.
  • Can stuff many options on one packet to test
    everything at once.

81
SYN Flood Resistance
  • If too many forged SYN packets are sent to some
    operating systems, they will stop accepting new
    connections.
  • Many operating systems can only handle 8 packets.
  • By sending 8 forged packets to an open port and
    then trying to establish a connection, you can
    learn about the operating system used.
  • This is easier to detect on the target side than
    other methods, however.

82
83
Random Clipart
84
Pre-Phase 3
  • Understanding Filters, Firewalls and the IDS

85
Packet Filter
  • First line of defense.
  • Checks each packet against a policy or rule
    before routing it to the destined node or network
    destination.
  • Most reject SYN/ACK, ICMP, and incoming UDP
    packets that would initiate inbound sessions.

86
Example
  • Cisco Series Access Router
  • If router is configured to pass a particular
    protocol, external hosts can use that protocol to
    establish a direct connection to internal hosts.
  • The router will produce an audit log with
    features to generate alarms when hostile behavior
    is detected.

87
Enhanced Version
  • Stateful Filter

88
Stateful Filter
  • Provides same functionality as previous version,
    but also keeps track of state information, such
    as TCP sequence numbers.
  • Uses the analysis of data within the lowest
    levels of the protocol stack to compare the
    current session to previous ones for the purpose
    of detecting suspicious activity.
  • Uses specific rules determined by the user.

89
Downside
  • Does not recognize specific applications,
    therefore, is unable to apply dissimilar rules to
    different applications.

90
Proxy Firewall
91
  • Simple server with dual NICs that has routing or
    packet forwarding deactivated, utilizing a proxy
    server daemon instead.
  • Gateway is a term used as a synonym for proxy
    server.
  • Gathers all Internet requests, forwards them to
    Internet servers, receives responses and forwards
    them to the original requestor within the company.

92
Enhanced Version
  • Application Proxy Gateway

93
Application Proxy Gateway
  • Contains integrated modules that check every
    request and response.
  • Example: An FTP stream may only be allowed to
    download data.

94
Application Gateways look at data on the
application layer of the protocol stack and serve
as proxies for outside users. Thus, outside
users never really have a direct connection to
anything beyond the proxy gateway.

95
Implementing a Backdoor Method: 4 Actions Take
Place
  • Seizing a virtual connection: this involves
    hijacking a remote telnet session, a VPN tunnel
    or a SecurID session.
  • Planting an insider: a user, engineer or socially
    engineered (swindled) person.
  • Can also spoof an employee with an e-mail with a
    remote access Trojan attached.

96
  • Manipulating an internal vulnerability: attacks
    on demilitarized zones, such as e-mail, domain
    name resolution, telnet or FTP.
  • Manipulating an external vulnerability: involves
    penetrating through an external mail server, HTTP
    server daemon and/or telnet service on an
    external boundary gateway.

97
Intrusion Detection System
98
Scanning Intrusion Detection Systems
  • Detects statistical anomalies. Measures a
    "baseline" of such stats as CPU utilization, disk
    activity, user logins, file activity, and so
    forth. Then, the system can trigger when there is
    a deviation from this baseline.
  • Can detect the anomalies without having to
    understand the underlying cause behind them.

99
Signature Recognition
  • The majority of commercial products are based
    upon examining the traffic looking for well-known
    patterns of attack.
  • Classic example is to examine every packet on the
    wire for the pattern "/cgi-bin/phf?", which might
    indicate somebody attempting to access this
    vulnerable CGI script on a web server.

100
How does a NIDS match signatures with incoming
traffic?
  • 1. Protocol stack verification: A number of
    intrusions, such as "Ping-O-Death" and "TCP
    Stealth Scanning", use violations of the
    underlying IP, TCP, UDP, and ICMP protocols in
    order to attack the machine. A simple
    verification system can flag invalid packets.
    This can include valid but suspicious behavior,
    such as severely fragmented IP packets.

101
  • 2. Application protocol verification: A number of
    intrusions use invalid protocol behavior, such as
    "WinNuke", which uses an invalid NetBIOS exchange,
    or DNS cache poisoning, which has a valid but
    unusual signature. In order to effectively
    detect these intrusions, a NIDS must re-implement
    a wide variety of application-layer protocols in
    order to detect suspicious or invalid behavior.

102
  • 3. Creating new loggable events: A NIDS can be
    used to extend the auditing capabilities of your
    network management software. For example, a NIDS
    can simply log all the application layer
    protocols used on a machine. Downstream event log
    systems (WinNT Event, UNIX syslog, SNMP TRAPS,
    etc.) can then correlate these extended events
    with other events on the network.

103
Other countermeasures besides IDS
  • Firewalls: These protect against external
    attacks. Most intrusions are committed by
    employees inside the firewall, and it should
    therefore be considered a last line of defense.

104
Authentication
  • Scanners should be run that automate the finding
    of open accounts.
  • One should automatically enforce strict password
    policies (7 character minimum, including
    numbers, dual-case, and punctuation) using Crack
    or built-in policy checkers (WinNT native, add-on
    for UNIX).

105
Virtual Private Networks
  • Create secure connections over the Internet for
    remote access.
  • VPNs actually decrease corporate security. While
    the pipe itself is secure (authenticated,
    encrypted), either end of the pipe is wide open.
  • A home machine compromised with a backdoor
    rootkit allows a hacker to subvert the VPN
    connection, allowing full, undetectable access to
    the other side of the firewall.

106
IDS
  • Setup Locations

107
  • Network Hosts: Although network intrusion
    detection systems have traditionally been used as
    probes, they can also be placed on hosts.
  • Network perimeter: IDS is most effective on the
    network perimeter, such as on both sides of the
    firewall, near the dial-up server, and on links
    to partner networks. These links tend to be
    low-bandwidth (T1 speeds) such that an IDS can
    keep up with the traffic.

108
  • Servers are often placed on their own network,
    connected to switches. The problem these servers
    have, though, is that IDS systems cannot keep up
    with high-volume traffic.
  • Server Farms: For extremely important servers,
    you may be able to install dedicated IDS systems
    that monitor just the individual server's link.
    Also, application servers tend to have lower
    traffic than file servers, so they are better
    targets for IDS systems.

109
Phase 3
  • Penetration

110
Stack Based Overflow Attack
  • Overwrite the return pointer stored in the stack
    by overflowing the stack. When the return pointer
    is copied into the IP, the IP tries to fetch the
    data of the new address that was pushed into the
    return pointer by overflowing the stack.
  • Example Overflow the stack with a series of
  • A s. When the value of the return pointer
    is copied into the IP, the IP address will fetch
    the instruction from the all A address (address
    41414141h)

111
  • Important to overflow the buffer with meaningful
    information, i.e., machine language code
    containing commands we want executed.
  • Difficult to overwrite the return pointer to hit
    exactly the beginning of the code.
  • Place a bunch of NOPs or NOP equivalents (called a
    NOP sled) at the beginning of the code.
  • When overwriting the return pointer, one then only
    has to hit a range of values rather than a
    specific value.

112
  • Once the stack is smashed, there are many things
    an attacker can do. Most likely, the attacker
    will try to create a back door to the target
    system.
  • Creating a backdoor with Inetd: Add a line to the
    /etc/inetd.conf file, which will spawn a command
    shell each time anyone tries to connect to a port
    defined by the attacker. Run this line in the
    stack to get a command shell to open on a given
    port:
  • /bin/sh -c "echo port stream tcp
    nowait root /bin/sh sh -i
    >> /etc/inetd.conf; killall -HUP inetd"

113
  • Creating a backdoor with TFTP and Netcat: Get the
    target to execute the TFTP client. Load the
    Netcat program onto the target system. Configure
    Netcat to push a command shell from the target
    machine back to the attacker's machine.
  • A good document on Stack Based Buffer Overflow
    Attacks: "Smashing the Stack for Fun and Profit"
    by Aleph One, available at
    packetstormsecurity.org/docs/hack/smashstack.txt

114
Password Attacks
  • Two kinds: Password Guessing and Password
    Cracking
  • Password Guessing: Attempt to guess the password
    for a particular user ID by trying logins. This
    process rarely succeeds, is time consuming, and
    generates a lot of network traffic (and log
    entries). Also, some accounts are locked out
    after a set number of unsuccessful guesses. Many
    password-guessing tools can be found at Packet
    Storm's site, packetstormsecurity.org

115
  • Password Cracking: Steal the file with the
    hashed passwords and use a password cracking
    program to recover the original passwords
    offline, where no lockout applies.
  • Stealing the file: Windows: use a pwdump program
    (packetstormsecurity.nl/Crackers/NT/) to dump the
    hashes, or sniff them from the network (more on
    sniffing later). UNIX: gain root-level access and
    steal the /etc/shadow or /etc/secure file if
    shadow passwords are used, otherwise steal the
    /etc/passwd file.

116
  • Password Cracking Software
  • Windows: L0phtCrack (available at
    www.atstake.com/products/lc/ ). This tool includes
    other options, such as a sniffer and a pwdump
    program
  • UNIX: John the Ripper (available at
    www.openwall.com/john/ )
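What a cracker like John the Ripper does with a stolen shadow file, reduced to its core, as an added Python example that is not from the deck or from either tool. The hash function is a constructed stand-in (one salted SHA-256 in a made-up `$x$salt$hash` field) for the real crypt(3) formats, and the shadow lines and wordlist are constructed sample data.

```python
import hashlib


def hash_password(salt, password):
    """Constructed stand-in for crypt(3): real shadow hashes use MD5/SHA-crypt
    with thousands of rounds, which only changes the cost per guess."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_shadow_line(user, salt, password):
    return f"{user}:$x${salt}${hash_password(salt, password)}:19000:0:99999:7:::"


def parse_shadow(lines):
    """Yield (user, salt, hash) for every entry that has a crackable hash."""
    for line in lines:
        fields = line.split(":")
        user, field = fields[0], fields[1]
        if field in ("*", "!", "!!", "") or not field.startswith("$x$"):
            continue  # locked account or no password: nothing to crack
        _, _, salt, digest = field.split("$")
        yield user, salt, digest


def crack(shadow_lines, wordlist):
    """Offline dictionary attack: {user: password} for every hash matching a
    wordlist entry. Each candidate is rehashed per user because the salt
    differs; that per-user work is what salting costs the attacker."""
    found = {}
    for user, salt, digest in parse_shadow(shadow_lines):
        for word in wordlist:
            if hash_password(salt, word) == digest:
                found[user] = word
                break
    return found


SHADOW = [  # constructed sample, not a real password file
    make_shadow_line("root", "k9Qz", "letmein"),
    make_shadow_line("bob", "Pa3v", "hunter2"),
    make_shadow_line("carol", "Lo7x", "Tr0ub4dor&3-correct-horse"),
    "daemon:*:19000:0:99999:7:::",
]
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]

if __name__ == "__main__":
    print(crack(SHADOW, WORDLIST))
```

Only the two accounts whose passwords appear in the wordlist fall; carol's long passphrase survives, and the locked daemon account is skipped entirely. Unlike guessing against the live login, nothing here touches the target or trips a lockout.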

117
Web Application Attacks
  • Can still be conducted even if the target site
    uses SSL: SSL protects the transport, not the
    application logic.
  • Account Harvesting, Undermining Session-Tracking
    Mechanisms, SQL Piggybacking
  • Account Harvesting: Works against applications
    that return different error messages for an
    incorrect user ID and an incorrect password. By
    looking at the error messages, the attacker can
    determine valid user IDs, and sometimes even
    passwords.

118
  • Here, although the web pages look identical for
    each type of error, notice that the URL has
    changed, giving an attacker a hint about
    incorrect user IDs vs. incorrect passwords.
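The two login handlers behind the screenshots on this slide, the leaky one and its fix, and the harvesting loop an attacker runs against the leaky one, as an added Python example that is not part of the original deck. The user table, redirect URLs and candidate IDs are constructed; a real harvester would issue HTTP requests and compare status, body and `Location` the same way.

```python
# Constructed user database for the example
USERS = {"alice": "s3cret", "bob": "hunter2"}


def login_leaky(user, password):
    """Vulnerable handler: the failure response (here the redirect URL, as on the
    slide) differs depending on whether the user ID or the password was wrong."""
    if user not in USERS:
        return 302, "/login?err=nouser"
    if USERS[user] != password:
        return 302, "/login?err=badpass"
    return 200, "/home"


def login_fixed(user, password):
    """Hardened handler: one response for every failure, so the attacker learns
    nothing about which half of the credential was wrong."""
    if USERS.get(user) == password:
        return 200, "/home"
    return 302, "/login?err=failed"


def harvest(login, candidates, probe_password="x"):
    """Attacker side: try a password that is almost certainly wrong for every
    candidate ID and keep the IDs whose failure response differs from the one
    returned for an ID that certainly does not exist."""
    baseline = login("no-such-user-9f2a", probe_password)
    return [u for u in candidates if login(u, probe_password) != baseline]


CANDIDATES = ["admin", "alice", "bob", "carol"]

if __name__ == "__main__":
    print(harvest(login_leaky, CANDIDATES))   # ['alice', 'bob']
    print(harvest(login_fixed, CANDIDATES))   # []
```

The harvester never needs to read the error text; it only needs two responses to differ. That is why the fix has to make every failure path identical (same status, same URL, same body, and ideally similar timing), not just reword the message.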

119
Undermining Web Application Session Tracking
  • Three ways session IDs are implemented: URL
    session tracking, hidden form elements, and
    cookies.
  • The attacker will first log in to the site
    multiple times to see how the session IDs are
    generated (sequential or otherwise predictable
    IDs can be forged).
  • To change a session ID in a URL, simply type a
    different user's session ID (or a generated one)
    over the original user's ID in the URL.

120
  • To change the session ID in a site that uses
    hidden form elements, view the source of the
    page, modify the ID number and reload the form
    in the browser.
  • To edit the session ID in a site that uses
    cookies, use a program called Achilles
    (available at www.mavensecurity.com/achilles).
    Achilles is a web proxy that intercepts the
    per-session cookies and allows the attacker to
    modify them before they reach the server.

121
SQL Piggybacking
  • Extending an application's SQL statement to
    extract or update information that the attacker
    is not authorized to access.
  • Rain Forest Puppy has a paper about SQL
    Piggybacking, "How I Hacked Packetstorm"
    (available at www.opennet.ru/base/cgi/22.txt.html )
  • Begin by exploring how the Web application
    interacts with the database.

122
  • The attacker may extend the SQL query
  • Example: the application builds
  • SELECT * FROM account WHERE
    (userid=10001 and number=11111111111)
  • and the attacker supplies an account number of
    "11111111111 or userid=10002", turning it into
  • SELECT * FROM account WHERE
    (userid=10001 and number=11111111111 or
    userid=10002)
  • Because AND binds tighter than OR, the extra
    clause matches user 10002's row regardless of the
    account number, returning information on 10002.
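The slide's query, run both ways against an in-memory SQLite table, as an added Python example that is not from the deck or from the paper it cites: the string-built version that lets the attacker's account number rewrite the WHERE clause, and the parameterised version that treats the same input as a value. The table and its two rows are constructed.

```python
import sqlite3


def setup():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (userid INTEGER, number INTEGER, balance INTEGER)")
    db.executemany("INSERT INTO account VALUES (?, ?, ?)",
                   [(10001, 11111111111, 500), (10002, 22222222222, 9000)])  # constructed rows
    return db


def lookup_vulnerable(db, userid, number):
    """Builds the statement by string concatenation, so whatever the attacker
    types into the 'number' field becomes part of the WHERE clause."""
    sql = f"SELECT userid, balance FROM account WHERE (userid={userid} and number={number})"
    return db.execute(sql).fetchall()


def lookup_safe(db, userid, number):
    """Bound parameters: the input is compared as a value and is never parsed
    as SQL text, so the 'or userid=10002' never becomes a clause."""
    sql = "SELECT userid, balance FROM account WHERE (userid=? and number=?)"
    return db.execute(sql, (userid, number)).fetchall()


# The slide's piggybacked input. AND binds tighter than OR, so the clause becomes
# (userid=10001 and number=11111111111) or userid=10002, matching 10002's row too.
PIGGYBACK = "11111111111 or userid=10002"

if __name__ == "__main__":
    db = setup()
    print(lookup_vulnerable(db, 10001, PIGGYBACK))   # both rows, including 10002's
    print(lookup_safe(db, 10001, PIGGYBACK))         # []
```

The exploration step the slide mentions is what tells the attacker which field is concatenated and whether the value is quoted; here the number is numeric and unquoted, so no closing quote is needed in the payload.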

123
Sniffing
  • Sniffer Gathers packets from the local network
    and allows the user to view the data being
    transmitted.
  • Two ways of sniffing Passive (network built with
    a hub) and Active (network built with a switch)

124
Passive Sniffing
  • Passively listens and collects packets.
  • Snort (available at www.snort.org ): A good
    passive sniffer that can also be used as an IDS.
    It can sift through the network traffic and look
    for attack signatures.
  • Sniffit (available at
    reptile.rug.ac.be/coder/sniffit/sniffit.html) has
    an interactive mode that shows all active
    sessions and allows the attacker to see all
    keystrokes of the victim.

125
  • Dsniff: one of the more versatile sniffing
    tools. It is several programs in one, but is most
    known as a sniffer. It can interpret a number of
    different protocols, like FTP, HTTP, AIM, ICQ,
    Napster, Microsoft SQL, etc. Available at
    www.monkey.org/dugsong/dsniff

126
Active Sniffing
  • Need to fool the switch into sending the packets
    to the system with the sniffer
  • Different methods: MAC Flooding and Spoofing ARP
    Messages
  • MAC Flooding: Send a flood of frames with random
    source MAC addresses until the switch's address
    table (CAM table) is full. Some switches then
    fail open and forward packets to all links,
    behaving like a hub (done with the Dsniff program
    Macof).

127
  • Spoofing ARP Messages
  • Arpspoof, a Dsniff feature, allows attackers to
    change the ARP traffic on local networks.
  • The attacker configures his or her system to
    forward any traffic it receives on to the real
    router (IP forwarding), so the victim's
    connections keep working.
  • The arpspoof program is activated, which sends
    fake ARP replies claiming that the router's IP
    address belongs to the attacker's MAC address.
  • The fake ARP replies change the target's ARP
    table.
  • Any traffic from the target machine is now sent
    to the attacker's machine (where it can be
    sniffed) before being forwarded to the router
    and the rest of the network.
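The forged ARP reply arpspoof sends, built byte by byte, and an arpwatch-style check that catches it, as an added Python example that is not from the deck or from Dsniff. It constructs and parses raw Ethernet/ARP frames offline (nothing is put on the wire; sending would need a raw socket and root); the MAC and IP addresses are constructed.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Raw Ethernet frame carrying an ARP reply: 'sender_ip is at sender_mac'.
    arpspoof sends this with sender_ip = the router's IP and sender_mac = the
    attacker's MAC, so the target's ARP table now points the router at the attacker."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # hw=Ethernet, proto=IPv4, op=reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) from an Ethernet/ARP frame, or None."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    return op, smac, sip


def detect_arp_spoof(frames, known=None):
    """arpwatch-style check: flag any ARP reply that claims an IP already bound
    to a different MAC. Returns a list of (ip, old_mac, new_mac). The first
    binding seen (or a static 'known' table) is kept; the spoof never overwrites it."""
    table = dict(known or {})
    alerts = []
    for f in frames:
        parsed = parse_arp(f)
        if not parsed or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if ip in table and table[ip] != mac:
            alerts.append((ip, table[ip], mac))
        table.setdefault(ip, mac)
    return alerts


# Constructed addresses for the scenario on the slide
ROUTER_IP, ROUTER_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.5", "00:11:22:33:44:05"
ATTACKER_MAC = "00:de:ad:be:ef:00"

LEGIT = arp_reply(ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP)
FORGED = arp_reply(ATTACKER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP)

if __name__ == "__main__":
    print(parse_arp(FORGED))
    print(detect_arp_spoof([LEGIT, FORGED]))
```

Static ARP entries for the gateway, or a switch feature such as dynamic ARP inspection, stop the forged reply from being accepted; the detector above only tells you it happened.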

128
Spoofing ARP Messages
129
Other Methods of Redirecting Traffic
  • Spoofing DNS
  • Dnsspoof, a Dsniff feature, allows attackers to
    send the target machine false DNS information,
    making the victim access the attacker's machine
    when they intend to access a different system.
  • The attacker starts the dnsspoof program and
    waits for the target to send a DNS query for a
    specific host.
  • Once the query is seen on the wire, the attacker
    sends a forged DNS response, which arrives before
    the real server's answer.
  • When the target tries to access the intended
    host, it is now accessing the attacker's machine.

130
Spoofing DNS
131
  • Sniffing HTTPS
  • The attacker runs the webmitm feature of Dsniff
    together with dnsspoof
  • All HTTP and HTTPS traffic is proxied by webmitm
  • The target connects to the attacker's machine and
    an SSL connection is established.
  • The attacker's system establishes a second SSL
    connection with the server the target is
    attempting to access.
  • Webmitm acts as a proxy with two connections:
  • From the target's system to the attacker's
    machine
  • From the attacker's machine to the actual server
    the target was trying to reach
  • Note: the target receives the attacker's
    certificate, not the certificate of the server
    the target is trying to reach.

132
Sniffing HTTPS
133
  • The user will receive a warning that the
    certificate is not signed by a trusted
    Certificate Authority; if the user clicks
    through it, webmitm displays the contents of the
    SSL session on the attacker's screen.
  • Sniffing SSH: This is done in a similar manner to
    sniffing HTTPS, except that sshmitm (another
    Dsniff feature) is used instead of webmitm. Note:
    sshmitm only allows sniffing of SSH protocol
    version 1.

134
Is your machine running a sniffer?
  • Detecting the process that does the sniffing is
    difficult, because the name of that process can
    be disguised as something innocent.
  • The usual way to detect a sniffer is to check
    whether the network interface is in promiscuous
    mode. An interface in promiscuous mode listens
    for all packets on the network segment, not only
    for packets destined to that machine.
  • One way to check is to run ifconfig -a. This
    lists the available network interfaces and shows
    all the information about them. The word PROMISC
    among the flags means that the interface is in
    promiscuous mode.

135
How to avoid packet sniffers altogether
  • Active hubs (switches) only send packets to the
    intended machines. This defeats a passive
    sniffer, since it will not receive packets not
    intended for that specific machine. Cisco, HP and
    3Com sell such devices. Note that the active
    sniffing techniques above (MAC flooding, ARP
    spoofing) can still work against them.

136
Detecting other sniffers on the network
  • Detecting sniffers on other machines is very
    difficult, but detecting whether a Linux machine
    is sniffing is possible.
  • This can be done by exploiting a quirk in the
    Linux TCP/IP stack implementation.
  • When a Linux interface is in promiscuous mode,
    the host will answer TCP/IP packets sent to its
    IP address even if the destination MAC address on
    the frame is wrong (in normal mode the card would
    discard such frames before the stack saw them).
  • Therefore, sending TCP/IP packets to all the IP
    addresses on the subnet, with a bogus destination
    MAC address, will tell you which machines are
    Linux machines in promiscuous mode.

137
IP Address Spoofing
  • Used to disguise the IP address of a system.
  • Three ways an IP address can be spoofed: changing
    the IP address, undermining UNIX r-commands, and
    spoofing with source routing
  • Changing the IP address: The attacker can either
    reconfigure the whole system to have a different
    IP address or use a tool (Nmap or Dsniff) to
    change the source address of outgoing packets.
    Limitation: the attacker cannot receive any
    responses, because they go to the spoofed
    address.

138
  • Undermining UNIX r-Commands
  • The attacker finds two computers with a trust
    relationship (e.g. via .rhosts)
  • Sends a series of TCP SYN packets to the target
    and watches how its initial sequence numbers
    (ISNs) change from one connection to the next
  • A DoS attack takes the trusted system off line
  • The attacker initiates a connection with the
    target system, using the IP address of the
    trusted system as the source
  • The target system sends its SYN/ACK to the
    trusted system, which is dead and cannot reply
  • The attacker predicts the target's initial
    sequence number and sends the final TCP ACK
    packet blind
  • If the predicted sequence number matches, the
    attacker has successfully gained one-way access
    to the target.
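The ISN-prediction step of the attack above, as an added Python example that is not part of the original deck. It models two target stacks (a constructed old-style stack that bumps the ISN by a fixed 128000 per connection, and one that draws a fresh random ISN, standing in for modern per-connection ISN generation), samples each with a few probe connections, and shows the blind ACK succeeding only against the predictable one.

```python
import random

MOD = 2 ** 32


def predict_isn(observed):
    """Given the ISNs seen in the target's SYN/ACKs to our own probe connections,
    return (predicted_next, confidence). Old stacks incremented the ISN by a
    constant per connection, so the deltas repeat and the next ISN is last + delta."""
    deltas = [(b - a) % MOD for a, b in zip(observed, observed[1:])]
    if not deltas:
        return None, 0.0
    most_common = max(set(deltas), key=deltas.count)
    confidence = deltas.count(most_common) / len(deltas)
    return (observed[-1] + most_common) % MOD, confidence


def spoofed_handshake_ack(predicted_isn, our_seq=0x1000):
    """The blind third packet of the handshake: ACK = target's ISN + 1. If the
    prediction is wrong the target drops it and the one-way session never opens."""
    return {"seq": (our_seq + 1) % MOD, "ack": (predicted_isn + 1) % MOD}


class PredictableStack:
    """Constructed model of an old TCP stack: ISN += 128000 per connection."""
    def __init__(self, start=0x12345678):
        self.isn = start

    def syn_ack(self):
        self.isn = (self.isn + 128000) % MOD
        return self.isn


class RandomStack:
    """Modern behaviour: an unguessable per-connection ISN (modelled with a CSPRNG),
    which makes the observed deltas useless to the attacker."""
    def syn_ack(self):
        return random.SystemRandom().getrandbits(32)


def attack(stack, probes=4):
    """Probe the target, predict, then check the guess against the ISN the target
    actually picks for the spoofed 'trusted host' connection. Returns (hit, confidence)."""
    samples = [stack.syn_ack() for _ in range(probes)]  # our own, non-spoofed SYNs
    guess, conf = predict_isn(samples)
    actual = stack.syn_ack()   # ISN in the SYN/ACK the dead trusted host never sees
    return guess == actual, conf


if __name__ == "__main__":
    print(attack(PredictableStack()))   # (True, 1.0)
    print(attack(RandomStack()))        # (False, ...) except with probability 2**-32
```

The confidence value is what a real attacker watches: a constant delta across all probes means the guess is exact, while varying deltas mean the stack is adding a timer or random component and the attack becomes a lottery.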

139
Undermining UNIX r-Commands
140
  • Spoofing with Source Routing: The attacker
    creates packets that carry system A's source
    address, with the attacker's address in the
    source route. The attacker sends the packet to
    system B. Any replies are routed back through the
    attacker's machine. Note that the attacker does
    not forward them on to system A, because A would
    reset the connection it never opened.

141
Session Hijacking
  • A combination of sniffing and spoofing that
    allows an attacker to steal the session from the
    user, given that after the initial authentication
    the session is not encrypted. The attacker's
    system lies somewhere on the route between the
    two communicating machines (A and B). The
    attacker observes the traffic, monitoring the TCP
    sequence numbers. The attacker can then send
    spoofed packets with system A's IP address as the
    source so that system B will obey the commands.

142
  • Problem: When the attacker sends system B packets
    with system A's IP address, system A will notice
    that the TCP sequence numbers it receives are out
    of order and send ACK packets to resynchronize;
    B answers with ACKs of its own. This continual
    exchange of ACK packets is known as an ACK storm.
  • Most hijacking tools cannot cope with the ACK
    storm and the connection will be dropped.

143
  • Tool: Hunt (available at
    www.packetstormsecurity.org/sniffers/hunt )
  • Hunt uses ARP spoofing to prevent the connection
    from being dropped.
  • Unlike other tools, Hunt can also resynchronize
    the connection. It does this by sending a message
    to system A's user saying "msg from root: power
    failure - try to type 88 characters" (where 88 is
    the number of characters the attacker typed
    during the hijacking), which advances the
    sequence number of system A's TCP stack to where
    system B expects it to be.
  • Two new ARP spoof messages are then sent,
    restoring the correct MAC addresses.

145
Netcat: The Networking Swiss Army Knife
  • Used for multiple purposes, Netcat basically
    moves data over any TCP or UDP port. It can act
    either as a client or as a listener. Available at
    www.atstake.com/research/tools/network_utilities
  • For File Transfers: Set up a Netcat client on the
    source system and a Netcat listener on the
    destination system. The source system initiates a
    connection and pushes the file to the destination
    system.

146
  • For Port Scanning: Netcat will connect to every
    port and display a list of open ports.
  • For Making Connections to Open Ports: Use Netcat
    in client mode to connect to open ports and see
    what the listening service sends back. Better to
    use than Telnet because it is easier to force
    Netcat to drop a connection, Netcat can make UDP
    connections, and Netcat only returns the pure
    data from the open ports, not any other data like
    environment variables.

147
Denial-of-Service (DoS) Attacks
  • Used to prevent access by legitimate users.
  • Two options Stop services and exhaust resources.
    This can be done either remotely or locally.

148
Stopping Local Services
  • Must have an account on the local system.
  • Three methods: Process Killing, System
    Reconfiguration, and Process Crashing
  • Process Killing: When an attacker has root
    privileges, he or she can simply kill the local
    processes.

149
  • System Reconfiguration: An attacker with root
    privileges can reconfigure the system so that it
    no longer offers certain services, or so that it
    filters them on the machine.
  • Process Crashing: Crashing processes by
    exploiting vulnerabilities in the system (e.g.
    use a stack based buffer overflow against a local
    process, causing the process to crash).

150
Locally Exhausting Resources
  • Running a program from an account on the target
    system that grabs the system resources.
  • Three methods Filling up the process table,
    filling up the file system, and sending outbound
    traffic that fills up the communication link.

151
  • Filling up the process table: Running a program
    that forks itself recursively (a fork bomb) in an
    attempt to fill up the process table so no other
    users can run processes.
  • Filling up the file system: Continuously writing
    data to the file system, preventing other users
    from writing files.
  • Sending outbound traffic that fills up the
    communication link: Running a program that sends
    large amounts of bogus network traffic, consuming
    the processor and the bandwidth.

152
Remotely Stopping Services
  • Send a malformed packet. Different platforms may
    be susceptible to different types of malformed
    packets.
  • These packets have structures that the TCP/IP
    stacks cannot anticipate, causing the system to
    crash.
  • Malformed packet suites available at
    www.packetstormsecurity.org/DoS

153
Remotely Exhausting Resources
  • Accomplished by a packet flood
  • Three common ways: SYN flood, Smurf attacks, and
    Distributed Denial of Service Attacks (DDoS)
  • SYN Flood: Overwhelm the target machine with SYN
    packets that are never completed. This fills the
    half-open connection queue (backlog) so that no
    new connections can be made to the target
    machine.

154
  • Smurf Attacks: Repeatedly send a ping to the
    broadcast IP address of a network that accepts
    and responds to directed broadcast messages
    (called a smurf amplifier), with the target
    machine spoofed as the source of the ping. Every
    host on the amplifier network replies to the
    target, whose bandwidth is filled with these
    packets. Tools: Smurf (ICMP), Fraggle (UDP), and
    Papasmurf (ICMP and UDP) (available at
    www.packetstormsecurity.org/new-exploits/ ). List
    of Smurf Amplifiers: www.netscan.org

155
  • DDoS Attacks: The attacker takes over victim
    machines (called zombies) and installs software
    that waits for commands from the attacker. The
    attacker can then tell the zombies to start a DoS
    attack on the target. Tool: TFN2K (available at
    www.packetstormsecurity.nl/groups/mixter/index2.html ).
    This tool allows the attacker to choose which
    type of packet to use in the DDoS attack. It also
    allows IP spoofing, communication via Echo Reply
    packets, and running a single command
    simultaneously on all zombies.

156
Phase 4 Maintaining Access
157
Backdoor Kits
  • Active Used by an intruder at any time that they
    wish.
  • Passive Set to trigger themselves according to a
    predetermined time or system event.

158
Backdoor Kit Selection
  • This is dependant upon the type of network
    security in place.
  • Two basic architectural categories
  • Packet filter
  • Proxy firewall

159
Trojan Horses
  • A destructive program that masquerades as a
    benign application. Unlike viruses, Trojan horses
    do not replicate themselves.
  • Used to plant a hole or backdoor in a system's
    security posture.
  • Trojans depend on network ports: lower ports tend
    to be used by Trojans that steal passwords, while
    higher ports are used by remote-access Trojans
    that can be reached over the Internet, the local
    network, a VPN or dial-up access.

160
Trojan Horse Backdoor Tools
  • Back Orifice

161
Back Orifice
Remote Administration System which allows an
intruder to control a computer across a TCP/IP
connection using a simple console or GUI
application. Gives its user more control of the
target computer than the person at the actual
keyboard has.
162
Back Orifice ServerFunctionality
  • Get detailed system information, including
  • current user
  • cpu type
  • windows version
  • memory usage
  • mounted disks and information for those drives
  • screensaver password
  • passwords cached by the user

163
Controls and Abilities
  • File system controlCopy, rename, delete, view,
    and search files and directories. File
    compression and decompression.
  • Process controlList, kill, and spawn processes.
  • Registry controlList, create, delete and set
    keys and values in the registry.

164
  • Multimedia controlPlay wav files, capture screen
    shots, and capture video or still frames from any
    video input device (like a Quickcam).
  • Network controlView all accessible network
    resources, all incoming and outgoing connections,
    list, create and delete network connections, list
    all exported resources and their passwords,
    create and delete exports.

165
  • Packet redirectionRedirect any incoming TCP or
    UDP port to any other address port.
    Application redirectionSpawn most console
    applications (such as command.com) on any TCP
    port, allowing control of applications via a
    telnet session.
  • HTTP server Upload and download files on any
    port using a www client such as Netscape.
  • Integrated packet snifferMonitor network
    packets, logging any plaintext passwords that
    pass.
  • Plugin interfaceWrite your own plugins and
    execute the native code of your choice in BO's
    hidden system process.

166
Netcat
  • A simple Unix utility which reads and writes data
    across network connections, using the TCP or UDP
    protocol.
  • Designed to be a reliable back-end tool that can
    be used directly or easily driven by other
    programs and scripts.
  • Part of the Red Hat Power Tools collection and
    comes standard on SuSE Linux, Debian Linux,
    NetBSD and OpenBSD distributions.

167
It provides access to the following main
features
  • Outbound or inbound connections, TCP or UDP, to
    or from any ports
  • Full DNS forward/reverse checking, with
    appropriate warnings
  • Ability to use any local source port
  • Ability to use any locally-configured network
    source address
  • Built-in port-scanning capabilities, with
    randomizer
  • Built-in loose source-routing capability
  • Can read command line arguments from standard
    input
  • Slow-send mode, one line every N seconds
  • Hex dump of transmitted and received data
  • Optional ability to let another program service
    established connections
  • Optional telnet-options responder

168
Port-Scanning
  • Netcat accepts its commands with options first,
    then the target host, and everything thereafter
    is interpreted as port names or numbers, or
    ranges of ports in M-N syntax.
  • For each range of ports specified, scanning is
    normally done downward within that range.
  • If the -r switch is used, scanning hops randomly
    around within that range and reports open ports
    as it finds them.

169
Traditional Root Kits
170
Root Kits
  • Used by an intruder to prevent his/her detection
    on the system he/she has compromised.
  • Generally contains network sniffers, log-cleaning
    scripts, and trojaned replacements of core system
    utilities such as ps, netstat, ifconfig, and
    killall.
  • Installs a backdoor remote-access daemon, such as
    a modified version of telnetd or sshd. These will
    often run on a different port than the one that
    these daemons listen on by default.
  • Most rootkits also come with modified system
    binaries that replace the existing ones on the
    target system.

171
/bin/login Replacement
  • When logging onto a UNIX machine, the /bin/login
    program runs.
  • Used to gather and check user ID and password
  • The Rootkit replaces the /bin/login with a
    modified version that includes a backdoor
    password.

172
Detecting Backdoors Example
  • The system administrator runs the /bin/login
    binary through strings.
  • strings: a UNIX program that prints all sequences
    of consecutive printable characters in a file.
  • If an unfamiliar sequence is found (for example a
    literal that looks like a password), it may be a
    backdoor.
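The strings check from this slide, done as a comparison against a known-good copy rather than by eye, as an added Python example that is not part of the original deck. The two "binaries" are constructed byte strings standing in for a clean and a trojaned /bin/login; on a real system you would read both files with open(path, "rb"), with the clean copy coming from read-only install media, not from the suspect host.

```python
import re


def strings(blob, min_len=4):
    """Same idea as the UNIX strings(1) tool: runs of printable ASCII of at least min_len."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def suspicious_strings(suspect, known_good):
    """Strings present in the suspect binary that the known-good build never had.
    A hard-coded backdoor password or a hidden log path shows up here."""
    return sorted(set(strings(suspect)) - set(strings(known_good)))


# Constructed stand-ins for the two binaries (not real ELF files)
GOOD_LOGIN = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
              + b"login: \x00Password: \x00Login incorrect\x00/etc/passwd\x00/bin/sh\x00")
TROJANED_LOGIN = GOOD_LOGIN + b"\x00" * 4 + b"r00tk1t_magic\x00/tmp/.logs\x00"

if __name__ == "__main__":
    print(suspicious_strings(TROJANED_LOGIN, GOOD_LOGIN))   # [b'/tmp/.logs', b'r00tk1t_magic']
```

Two caveats a practitioner would add: a backdoor password can be stored hashed or XOR-encoded so that no plain literal appears, and on a rooted host the rootkit may have replaced strings, ls and the loader as well, so the comparison (and a cryptographic hash of /bin/login against a baseline) should be run from trusted tools booted from clean media.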

173
Sniffers
  • Are used to gather passwords for other systems
    and listen to traffic for sensitive information.
  • Rootkits put the target machine's network
    interface card into promiscuous mode, enabling
    the sniffer to listen to all traffic on the local
    segment, not just the packets addressed to the
    compromised host.

174
Hidden Sniffers
  • ifconfig shows information such as IP addresses,
    network mask and MAC addresses.
  • By running ifconfig, one can normally detect a
    sniffer by looking for the PROMISC flag.
  • Rootkits therefore ship a trojaned ifconfig that
    omits the PROMISC flag, preventing the system
    administrator from detecting the sniffer and the
    rootkit.

175
Kernel-Level Rootkit
  • The most severe threat to system security that
    can be caused by a rootkit comes from those that
    deploy LKM (Loadable Kernel Module) trojans.
  • LKMs are a mechanism for adding functionality to
    an operating-system kernel without requiring a
    kernel recompilation.
  • Kernel rootkits do not replace system binaries;
    they subvert them through the kernel.

176
Subverting the kernel
  • There are two ways that a rootkit can subvert the
    kernel to perform actions on behalf of an
    intruder
  • Loading a kernel module
  • The Linux kernel (and many other operating
    systems) can load kernel modules at runtime. This
    allows an intruder to insert a module that
    overrides kernel syscalls in order to return
    incorrect values
  • Writing to /dev/kmem
  • By writing to /dev/kmem it is possible to
    overwrite the kernel at runtime, and thus perform
    any arbitrary modification.

177
Atypical Methods to Subvert the Kernel
  • Adore-ng by Stealth employs the Virtual
    FileSystem layer of the kernel. This works by
    replacing the existing handler routines for
    providing directory listings of the /proc and the
    / filesystems, and registering its own routines
    instead. Userspace programs use the /proc
    filesystem to obtain information on running
    processes. In this way both processes and files
    can be hidden.

178
Detecting Kernel Rootkits
  • To get a list of kernel modules, two standard
    methods can be used
  • bash# lsmod
  • bash# cat /proc/modules
  • Unfortunately, being a kernel module, an LKM
    rootkit can easily defeat such efforts by a
    variety of methods.

179
Programs
  • This is a non-exhaustive list of programs that
    are useful for the detection of kernel
    modifications in a running system.
  • kern_check.c (PGP signature kern_check.c.asc) is
    a small command-line utility (for Linux 2.2.x,
    2.4.x) that will compare your System.map against
    your kernel's syscall table and warn about any
    inconsistencies.
  • In case of compilation failure, you may want to
    make
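The comparison kern_check performs, reduced to the part that does the detecting, as an added Python example that is not kern_check's own code and not part of the original deck. kern_check reads the live sys_call_table through /dev/kmem; this example takes that live table as a plain list of addresses (constructed here, along with a four-entry System.map with 2.4-era addresses) and reports every entry whose address no longer matches what System.map recorded at build time.

```python
def parse_system_map(text):
    """System.map lines look like '<hex address> <type> <symbol>'."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            table[parts[2]] = int(parts[0], 16)
    return table


def check_syscall_table(system_map_text, live_table, names):
    """Compare the handler address the running kernel holds for each syscall
    (live_table[i], indexed like sys_call_table) with the address System.map
    recorded for the handler of that name. A mismatch means the entry was
    redirected, which is what an LKM rootkit does to hide files and processes.
    Returns a list of (index, name, expected, actual)."""
    expected = parse_system_map(system_map_text)
    findings = []
    for i, name in enumerate(names):
        if name in expected and live_table[i] != expected[name]:
            findings.append((i, name, expected[name], live_table[i]))
    return findings


SYSTEM_MAP = """\
c0108a70 T sys_read
c0108b20 T sys_write
c010a1c0 T sys_getdents
c010a5e0 T sys_open
"""  # constructed excerpt; not a real System.map
NAMES = ["sys_read", "sys_write", "sys_getdents", "sys_open"]
CLEAN = [0xc0108a70, 0xc0108b20, 0xc010a1c0, 0xc010a5e0]
# sys_getdents redirected into module memory (the classic way to hide directory entries)
HOOKED = [0xc0108a70, 0xc0108b20, 0xd08c4000, 0xc010a5e0]

if __name__ == "__main__":
    print(check_syscall_table(SYSTEM_MAP, CLEAN, NAMES))    # []
    print(check_syscall_table(SYSTEM_MAP, HOOKED, NAMES))   # [(2, 'sys_getdents', ...)]
```

The check is only as good as its inputs: System.map must come from the original build, not from the suspect host, and a rootkit that patches the handler bodies in place (or hooks the VFS layer, as Adore-ng does) leaves the table addresses intact and is not caught this way.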