The Fundamentals of Hacking: An 0\/3r\/!3vv

1
The Fundamentals of HackingAn 0\/3r\/!3vv

• Jen Johnson
• Miria Grunick

2
Five Phases of an Attack

• Phase 1 Reconnaissance
• Phase 2 Scanning
• Phase 3 Gaining Access
• Phase 4 Maintaining Access
• Phase 5 Covering Attacks and Hiding

3
Phase 1 Reconnaissance

• Takes place before the attack.
• Investigate the target using publicly available
  information
• Types Low-Technology Reconnaissance, Searching
  the Web, Whois Databases, Using the DNS, and
  General Purpose Tools

4
Low-Technology Reconnaissance

• Social Engineering An attacker calls the target
  organization and fools an employee into revealing
  sensitive information. Often, the attacker calls
  and pretends to be a new employee, customer,
  system administrator, or business partner.

5
Low-Technology Reconnaissance

• Physical Break-In Physically breaking into the
  building to try to gain access to the network
  from the inside. This is often accomplished by
  walking into the building with a group of
  employees or being hired as an employee or temp.

6
Low-Technology Reconnaissance

• Dumpster Diving Going through an organizations
  discarded documents to find sensitive
  information. Often, employees will throw out
  papers that reveal critical information (i.e.
  old Post-It notes with user IDs and passwords).

7
Searching the Web

• Organizations Web Site Can reveal important
  information, such as the employees contact
  information, clues about the corporate culture
  and language, business partners, recent mergers
  and acquisitions, and what technologies the
  organization uses.

8
Searching the Web

• Search Engines Can reveal information about the
  companys history, current events, future plans,
  financial status, business partners, technologies
  in use.
• Usenet Employees may submit questions to
  technical newsgroups that reveal information
  about the particular products that the
  organization uses.

9
Whois Databases

• Whois databases contain information about the
  assignment of Internet addresses, domain names,
  registrars, and individual contacts.
• First, find out who the registrar is. The
  Internet Network Information Center (InterNIC)
  whois database system lists the registrars of
  websites based on the organizations name or
  domain name for sites with the .net, .org or .com
  extensions. The InterNIC whois database is
  avaliable online at www.internic.net/whois.html

10
Whois Databases

• If you are researching an organization without
  the .com, .net, or .org extensions (i.e.
  international websites), try the Allwhois site
  at www.allwhois.com/home.html
• Once you have the registrars name, you can go to
  the registrars site and get more information,
  such as names and numbers of administrators,
  email and postal addresses, registration dates,
  and the addresses of the organizations DNS
  servers.

11
American Registry for Internet Numbers (ARIN)

• Contains all IP addresses assigned to a
  particular organization. Search by company or
  domain names.
• For North American, South American, Caribbean,
  and sub-Saharan African organizations
  www.arin.net/whois/arinwhois.html
• For European organizations www.ripe.net
• For Asian organizations www.apnic.net

12
Domain Name System (DNS)

• DNS a world-wide hierarchical database that
  stores information about domain names and IP
  addresses. This database is searched to get
  information about a given domain name, most
  commonly the corresponding IP address.
• Once an attacker knows one of the DNS servers,
  the attacker can begin interrogating the name
  servers.

13
DNS

• To interrogate DNS servers, first invoke a
  nslookup program on any UNIX or Windows NT/2000
  environment by typing nslookup at the command
  prompt.
• Try to do a zone transfer. In a zone transfer,
  the nslookup program asks the DNS server to
  transmit all information it has about a given
  domain.

14
DNS

• To do a zone transfer, the nslookup must be
  instructed to use the targets DNS server, using
  the server target_DNS_server command
• Next, specify to search for any type of DNS
  record by typing set typeany
• Initiate the zone transfer by typing ls d
  target_domain
• Output can give useful information, such as
  system names, IP addresses of the systems, and
  sometimes even operating system types.
• More information about nslookup
  www.zoneedit.com/doc/nslookup.html

15
General Reconnaissance Tools

• Sam Spade (freeware avaliable at
  www.samspade.org/ssw/ )
• Many reconnaissance tools in one ping, whois, IP
  block whois, nslookup, dig, DNS zone transfer,
  traceroute, finger, SMTP VRFY, Web browser.
• Other general-purpose reconnaissance tools
  CyberKit, NetScan Tools, iNetTools

16
Web-Based Reconnaissance Tools

• Research and Attack portals sites that allow a
  user to enter the target site and research or
  initiate an attack against the target (via
  denial-of-service attacks or vulnerability scans)
• Difference between Web-based tools and general
  reconnaissance tools now the traffic comes from
  the Web server, not the attacker machine. Thus,
  the attacker can remain more anonymous.

17
Web-Based Reconnaissance Tools

• Examples
• www.network-tools.com
• privacy.net/analyze

18
Phase 2 Scanning
The premise of scanning is to probe as many ports
as possible, keeping track of open and useful
ports that would be receptive to
hacking. Scanners send multiple packets over a
communication medium then listen and record each
response. The following are techniques for
inspecting ports and protocols.
19
War Dialing

• War Dialing Dialing large pools of telephone
  numbers in an effort to find unprotected modems.
  Done with an automated tool, such as THC-Scan
  2.0, available at www.thc.org/releases.php.
• This tool will return a list of all of the modems
  discovered in the range of the phone numbers it
  was given.
• The hacker can then check all of the modems and
  see if any have no passwords, allowing them
  access to the network.

20
FIN Probe

• A FIN packet is sent (Or any packet without an
  ACK or SYN flag) to an open port and one waits
  for a response.
• The correct RFC793 behavior is to not respond.
  Many broken implementations (i.e MS Windows) send
  a RESET back.

21
Network Mapping

• A hacker first tries to determine which addresses
  have active hosts by pinging all possible
  addresses in the network.
• Once a hacker knows which hosts are alive, he or
  she will try to determine the network topology.
  This is done by a method called tracerouting.

22
Network Mapping

• Tracerouting Send a series of packets with
  different Time-To-Live (TTL) values in the IP
  header and check the source address of the Time
  Exceeded message returned.
• Example Send a packet with a TTL of 1. The Time
  Exceeded message will have the source address of
  the first router. Now send a packet with a TTL of
  2. The Time Exceeded message returned will have
  the source address of the second router, and so
  on.

23
Tracerouting
24
Network Mapping

• Windows 2000/NT and UNIX have tools that do this
  for us
• Windows 2000/NT tracert
• UNIX traceroute
• Another network mapping tool Cheops (available
  at www.marko.net/cheops ) This tool does the
  ping sweep and traceroute and draws a picture of
  the topology of the network.

25
Screenshot of Cheops
26
How Cheops Works

• Sequentially send ARP messages to every IP
  address in the range.
• Traceroute to every IP address that responds to
  the ARP message.

27
Scanning Involves 3 Steps

• Locating Nodes
• Performing Service Discoveries
• Testing Services for Known Security Holes

28
TCP Port Scanning

• Most basic form of scanning. Attempts to open a
  full TCP port connection to determine if that
  port is active.
• This method leaves an easier to spot trail than
  partial open scanning.

29
Stealth Port Scanning

• All the operating systems now honor the tradition
  of permitting only the super-user to open the
  ports numbered 0 to 1023.  These standard ports
  are assigned to services by the IANA (Internet
  Assigned Numbers Authority, www.iana.org).  
• Attempts to open a port in the range of 0..1023
  by an unprivileged user program will fail. A user
  program can open any unallocated port higher than
  1023.

30

• On Unix, the text file named
• /etc/ services
• (on Windows 2000 the file named windir\
  system32\ drivers\ etc\ services)
• lists these service names and the ports they
  use.  Here are a few lines extracted from this
  file

31
echo 7/tcp Echo
ftp-data 20/udp File Transfer (default)
ftp 21/tcp File Transfer (control)
ssh 22/tcp SSH Remote Login Protocol
telnet 23/tcp Telnet
domain 53/udp Domain Name Server
www-http 80/tcp WWW HTTP
32
Non Standard Ports
wins 1512/tcp Microsoft Windows Internet Name Service
Radius 1812/udp RaDIUS authentication protocol
yahoo 5010 Yahoo! Messenger
X11 6000-6063/tcp X Window System
33
Stealth Scanning Includes Some/All of the
Following

• Setting individual flags (ACK, FIN, RST, .. )
• NULL flags set
• All flags set
• Bypassing filters, firewalls, routers
• Appearing as casual network traffic
• Varied packet dispersal rates

34
Fragmented Packets

• The scanner splits the TCP header into several IP
  fragments. This bypasses some packet filter
  firewalls because they cannot see a complete TCP
  header that can match their filter rules. 

35

• Some packet filters and firewalls do queue all IP
  fragments (e.g.,  the CONFIG _IP _ALWAYS _DEFRAG
  option in Linux enables it in the kernel), but
  many networks cannot afford the performance loss
  caused by the queuing.

36
TCP Fragmenting

• TCP fragmenting is not a scan method so to speak,
  although it employs a method to obscure scanning
  implementations by splitting the TCP header into
  smaller fragments.

37

• A minimally allowable fragmented TCP header must
  contain a destination and source port for the
  first packet (8 octect, 64 bit), typically the
  initialized flags in the next, allowing the
  remote host to reassemble the packet upon
  arrival.

38

• The actual reassembly is established through an
  IPM (internet protocol module) that identifies
  the fragmented packets by the field equivalent
  values of
• source
• destination
• protocol
• identification

39
Using TCP Fragmenting - FragRouter

• Program which fragments TCP packets
• 35 different ways to fragment
• Called a router because it is a software
  implementation of a router data from other
  programs is sent through the FragRouter
• FragRouter fragments the packets and then
  forwards the packets to their destination

40
SYN Scanning

• Also called half-open scanning, as TCP connection
  is not completed.
• A SYN packet is sent and the target host
  responds with a SYNACK, indicating the port is
  listening
• RST indicates a non-listener
• The server process is never informed by the TCP
  layer because the connection did not complete.

41
A demonstration of this technique is necessary to
show a half open transaction

• client -gt SYN
• server -gt SYNACK
• client -gt RST

42

• This example has shown the target port was open,
  since the server responded with SYNACK flags.
• The RST bit is kernel oriented, that is, the
  client need not send another packet with this
  bit, since the kernel's TCP/IP stack code
  automates this.

43
Inversely, a closed port will respond with
RSTACK.

• client -gt SYN
• server -gt RSTACK
• This combination of flags is indicative of a
  non- listening port.

44
FIN Scanning

• The typical TCP scan attempts to open connections
  (at least part way). Another technique sends
  erroneous packets at a port, expecting that open
  listening ports will send back different error
  messages than closed ports. 

45

• The scanner sends a FIN packet, which should
  close a connection that is open.  Closed ports
  reply to a FIN packet with a RST. Open ports, on
  the other hand, ignore the packet in question.
• If no service is listening at the target port,
  the operating system will generate an error
  message.
• If a service is listening, the operating system
  will silently drop the incoming packet.
  Therefore, silence indicates the presence of a
  service at the port.

46
This is the negotiation for open/closed port
recognition

• client -gt FIN
• server -gt -
• No reply signaled by the server is iconic of an
  open port. The server's operating system silently
  dropped the incoming FIN packet to the service
  running on that port.

47
RST Reply

• Opposing this is the RST reply by the server upon
  a closed port reached.
• Since, no service is bound on that port, issuing
  a FIN invokes a reset (RST) response from the
  server.
• client -gt FIN
• server -gt RST

48

• Other techniques that have been used consist of
  XMAS scans where all flags in the TCP packet are
  set, or NULL scans where none of the bits are
  set. However, different operating systems respond
  differently to these scans, and it becomes
  important to identify the OS and even its version
  and patch level.

49
Reverse Ident Scanning

• This technique involves issuing a response to the
  ident/auth daemon, usually port 113 to query the
  service for the owner of the running process.
• The main reason behind this is to find daemons
  running as root, this result would entice an
  intruder to find a vulnerable overflow and
  instigate other suspicious activities involving
  this port.

50

• Alternatively, a daemon running as user nobody
  (httpd) may not be as attractive to a user
  because of limited access privileges.
• identd could release miscellaneous private
  information such as
• user info
• entities
• objects
• processes

51
FTP Bounce
52
Background

• FTP session consists of two connections between
  the client and the server.
• The high port server connection is enabled by the
  client that allows the FTP server to send data to
  the client.
• When the client wants to transfer data to or from
  the server, it issues a PORT command. The PORT
  command instructs the server to open a data
  connection which is used to transfer the data.

53
Problem

• An outside attacker can use the FTP server to
  open connections which appear to originate from
  the server. This could be used to bypass the
  access control restrictions.

54
(No Transcript)
55
How To Use FTP BounceAttacks
56
Port Scanning

• An attacker can run the attck from a third-party
  FTP server acting as a stage for the scan. The
  victim site sees the scan as coming from the FTP
  server rather than the true source (the FTP
  client).
• When the victim site is on the same subnet as the
  FTP server, or when it does not filter traffic
  from the FTP server, the attacker can use the
  server machine as the source of the port scan
  rather than the client machine

57
Bypassing Basic Packet Filtering Devices

• An attacker may bypass a firewall in certain
  network configurations.
• Example a site has its anonymous FTP server
  behind a firewall. Using the technique above, an
  attacker determines that an internal web server
  at that site is available on port 8080, a port
  normally blocked by a firewall.

58

• By connecting to the public FTP server at the
  site, the attacker initiates a further connection
  between the FTP server and an arbitrary port on a
  non-public machine at that site .
• (for instance the internal web server at port
  8080).
• As a result, the attacker establishes a
  connection to a machine that would otherwise be
  protected by the firewall.

59
Bypassing Dynamic Packet Filtering Devices

• Example
• victim site houses all of its systems behind a
  firewall that uses dynamic packet filters
• person at victim site browses web pages and
  downloads a Java applet constructed by attacker.
• Java applet then opens an outbound FTP connection
  to attacker's machine.
• applet then issues an FTP PORT command,
  instructing server machine to open a connection
  to some otherwise protected system behind the
  victim firewall.

60

• Dynamic packet filtering firewall examines
  outbound packets to determine if any action is
  required on its part.
• It notes the PORT command and allows an incoming
  connection from the remote web server to the
  telnet port on the victim machine.
• This connection was allowed in this case because
  the PORT command was issued by the client.

61
Scanning Packages Available Commercially

• CyberCop
• JAKAL
• NetRecon
• NMap

62
CyberCop

• Intrusion detection system that safeguards
  corporate assets by performing real-time
  surveillance of network traffic. The CyberCop
  system protects networks from external and
  internal attacks by providing a "high tech
  burglar alarm" capable of alerting companies when
  the security of their networks is breached by
  unauthorized intruders.

63
JAKAL

• Developed on UNIX to test UNIX hosts. Jakal is
  interesting because of its possibilities it is
  designed for stealth and to go through most
  firewalls. Usually it doesn't leave any trace of
  its activity, except for some messages (SYNACK).
  

64
NetRecon

• Scans multiple operating systems, including UNIX,
  Linux, Windows 2000, Windows NT, Windows 95/98
  and NetWare.
• Scans using many Windows NT/2000 network
  protocols such as TCP/IP, IPX/SPX, and NetBEUI.

65
Nmap

• Most popular scanner to date
• Free utility for network exploration or security
  auditing. Designed to rapidly scan large
  networks. Uses raw IP packets to determine what
  hosts are available on the network, what services
  (application name and version) those hosts are
  offering, what operating systems (and OS
  versions) they are running, what type of packet
  filters/firewalls are in use.
• http//www.insecure.org/nmap/idlescan.html

66
Scan Types Supported by Nmap
67
Type of Scan Command-Line Option Summary of Characteristics
TCP Connect -sT Completes the 3-way handshake with each scanned port.
TCP SYN -sS Only sends the initial SYN and awaits the SYN-ACK response.
TCP FIN -sF Sends a TCP FIN to each port. Reset indicates port is closed.
68
TCP Xmas Tree -sX Sends packet with the FIN, URG and PUSH code bits set. Reset indicates port is closed.
Null -sN Sends packets with no code bits set. Reset indicates port is closed.
TCP ACK -sA Sends packet with the ACK code bit set to each target port.
Window -sW Similar to ACK, but focuses on TCP Window size to determine if ports are open or closed.
69
FTP Bounce -b Bounces a TCP scan off of an FTP server, obscuring the originator of the scan.
UDP Scanning -sU Sends a UDP packet to target ports to determine if a UDP service is listening.
Ping -sP Sends ICMP echo request packets to every machine on target network.
RPC Scanning -sR Scans RPC services using all discovered to open TCP/UDP ports on the target to send RPC Null commands.
70
Determining Firewall Filter Rules

• One disadvantage of Nmap it cannot
  differentiate what is open on an end machine and
  what is being firewalled.
• It is also important to determine what ports are
  available through the firewall or router. One
  tool that can do this is Firewalk (avaliable
  www.packetfactory.net/projects/firewalk/firewalk-5
  .0.tgz
• Firewalk can determine which types of packets are
  permitted through and which ports are accessible
  through the firewall.
• Note Firewalk is only useful for
  packet-filtering devices, not proxy-based
  firewalls.

71
How Firewalk Works

• Determines the number of hops between the tool
  and the firewall
• Sends UDP and TCP packets with TTL one greater
  than the hop count to the filtering device.
• If ICMP Time Exceeded message is returned, the
  port is available through the firewall
• If ICMP Port Unreachable message or nothing is
  returned, the port is most likely being filtered
  by the firewall.
• Unlike Nmap, Firewalk can determine what kind of
  packets are allowed through the firewall for each
  specific port and which ports allow new
  connections.

72
Vulnerability Scanning

• Use an automated tool that checks for common
  configuation errors, default configuration
  errors, and well-known system vulnerabilities.
• Generally made up of multiple parts
  vulnerability database, user configuration tool,
  scanning engine, knowledge base of current active
  scan, and results repository and report
  generation tool.

73
Vulnerability Scanner
74
Nessus

• The most popular of the vulnerability scanners.
  (Available www.nessus.com)
• Also allows the user to write their own
  vulernability checks and include them in the
  tool.
• Has a variety of plug-ins, such as checking for
  vulnerabilities that allow a shell to be gained
  remotely and checking to see if the target system
  already has backdoor tools installed.

75
Port, Socket Service Vulnerability Penetrations

• Once a breach has been uncovered during the
  discovery phase, different vulnerability
  penetrations are used to take advantage and
  possibly gain control of computers, servers and
  internetworking equipment.
• More on exploiting these vulnerabilities in Phase
  3

76
Operating System Fingerprinting with Nmap
77
TCP ISN Sampling

• The idea here is to find patterns in the initial
  sequence numbers chosen by TCP implementations
  when responding to a connection request.
• Categorized into groups such as traditional 64K,
  random increments and true random, (Linux 2.0)

78
Dont Fragment Bit

• Trend of operating systems to set the IP Dont
  Fragment bit on some of the packets they send.
• By paying attention to this bit, one can glean
  information on the target OS.

79
TCP Initial Window

• Simply involves checking the window size on
  returned packets.
• Gives quite a lot of information since some
  operating systems can be uniquely identified by
  the window alone.

80
TCP Option

• Excellent means of gaining access to leaked
  information.
• Can discover if a host is implementing them by
  sending a query with an option set target shows
  support of the option by setting it on the reply.
• Can stuff many options on one packet to test
  everything at once.

81
SYN Flood Resistance

• If too many forged SYN packets are sent to some
  operating systems, they will stop accepting new
  connections.
• Many operating systems can only handle 8 packets.
• By sending 8 forged packets to an open port and
  then trying to establish a connection, you can
  learn about the operating system used.
• This is easier to detect on the target side than
  other methods, however.

82
(No Transcript)
83
Random Clipart
84
Pre-Phase 3

• Understanding Filters, Firewalls and the IDS

85
Packet Filter

• First line of defense.
• Checks each packet against a policy or rule
  before routing it to the destined node or network
  destination.
• Most reject SYN/ACK, ICMP, and incoming UDP
  packets that initiate inward security.

86
Example

• Cisco Series Access Router
• If router is configured to pass a particular
  protocol, external hosts can use that protocol to
  establish a direct connection to internal hosts.
• The router will produce an audit log with
  features to generate alarms when hostile behavior
  is detected.

87
Enhanced Version

• Stateful Filter

88
Stateful Filter

• Provides same functionality as previous version,
  but also keeps track of state information, such
  as TCP sequence numbers.
• Uses the analysis of data within the lowest
  levels of the protocol stack to compare the
  current session to previous ones for the purpose
  of detecting suspicious activity.
• Uses specific rules determined by the user.

89
Downside

• Does not recognize specific applications,
  therefore, is unable to apply dissimilar rules to
  different applications.

90
Proxy Firewall
91

• Simple server with duel NICs that has routing or
  packet forwarding deactivated, utilizing a proxy
  server daemon instead.
• Gateway is a term used as a synonym for proxy
  server.
• Gathers all internet requests, forwards them to
  internet servers, receives responses and forwards
  them to the original requestor within the company.

92
Enhanced Version

• Application Proxy Gateway

93
Application Proxy Gateway

• Contains integrated modules that check every
  request and response.
• Example
• An FTP stream may only be allowed to download
  data.

94
Application Gateways look at data on the
application layer of the protocol stack and serve
as proxies for outside users. Thus, outside
users never really have a direct connection to
anything beyond the proxy gateway.
95
Implementing a Backdoor Method4 Actions Take
Place

• Seizing a virtual connection this involves
  hijacking a remote telnet session, a VPN tunnel
  or a secure-ID session.
• Planting an insider User, engineer or socially
  engineered (swindled) person.
• Can also spoof an employee with an e mail with a
  remote access Trojan attached.

96

• Manipulating an internal vulnerability attacks
  on demilitarized zones, such as
• E-mail, domain name resolution, telnet or FTP.
• Manipulating an external vulnerability involves
  penetrating through external mail server, HTTP
  server daemon and/or telnet service on an
  external boundary gateway.

97
Intrusion Detection System
98
Scanning Intrusion Detection Systems

• Detects statistical anomalies. Measures a
  "baseline" of such stats as CPU utilization, disk
  activity, user logins, file activity, and so
  forth. Then, the system can trigger when there is
  a deviation from this baseline.
• Can detect the anomalies without having to
  understand the underlying cause behind them.

99
Signature Recognition

• The majority of commercial products are based
  upon examining the traffic looking for well-known
  patterns of attack.
• Classic example is to example every packet on the
  wire for the pattern "/cgi-bin/phf?", which might
  indicate somebody attempting to access this
  vulnerable CGI script on a web-server.

100
How does a NIDS match signatures with incoming
traffic?

• 1. Protocol stack verification A number of
  intrusions, such as "Ping-O-Death" and "TCP
  Stealth Scanning" use violations of the
  underlying IP, TCP, UDP, and ICMP protocols in
  order to attack the machine. A simple
  verification system can flag invalid packets.
  This can include valid, by suspicious, behavior
  such as severally fragmented IP packets.

101

• 2. Application protocol verification A number of
  intrusions use invalid protocol behavior, such as
  "WinNuke", which uses invalid NetBIOS protocol
  or DNS cache poisoning, which has a valid, but
  unusually signature. In order to effectively
  detect these intrusions, a NIDS must re-implement
  a wide variety of application-layer protocols in
  order to detect suspicious or invalid behavior.

102

• 3. Creating new loggable events A NIDS can be
  used to extend the auditing capabilities of your
  network management software. For example, a NIDS
  can simply log all the application layer
  protocols used on a machine. Downstream event log
  systems (WinNT Event, UNIX syslog, SNMP TRAPS,
  etc.) can then correlate these extended events
  with other events on the network.

103
Other countermeasures besides IDS

• Firewalls These are to protect from external
  attacks most intrusions are committed by
  employees inside the firewall, and it should
  therefore be considered a last line of defense.

104
Authentication

• Scanners should be run that automate the finding
  of open accounts.
• One should enforce automatically strict policies
  for passwords (7 character minimum, including
  numbers, dual-case, and punctuation) using crack
  or built in policy checkers (WinNT native, add-on
  for UNIX).

105
Virtual Private Networks

• Create secure connections over the Internet for
  remote access.
• VPNs actually decrease corporate security. While
  the pipe itself is secure (authenticated,
  encrypted), either end of the pipe are wide open.
  
• A home machine compromised with a backdoor
  rootkit allows a hacker to subvert the VPN
  connection, allow full, undetectable access to
  the other side of the firewall.

106
IDS

• Setup Locations

107

• Network Hosts Although network intrusion
  detection systems have traditionally been used as
  probes, they can also be placed on hosts.
• Network perimeter IDS is most effective on the
  network perimeter, such as on both sides of the
  firewall, near the dial-up server, and on links
  to partner networks. These links tend to be
  low-bandwidth (T1 speeds) such that an IDS can
  keep up with the traffic.

108

• Servers are often placed on their own network,
  connected to switches. The problem these servers
  have, though, is that IDS systems cannot keep up
  with high-volume traffic.
• Server Farms For extremely important servers,
  you may be able to install dedicated IDS systems
  that monitor just the individual server's link.
  Also, application servers tend to have lower
  traffic than file servers, so they are better
  targets for IDS systems.

109
Phase 3

• Penetration

110
Stack Based Overflow Attack

• Overwrite the return pointer stored in the stack
  by overflowing the stack. When the return pointer
  is copied into the IP, the IP tries to fetch the
  data of the new address that was pushed into the
  return pointer by overflowing the stack.
• Example Overflow the stack with a series of
• A s. When the value of the return pointer
  is copied into the IP, the IP address will fetch
  the instruction from the all A address (address
  41414141h)

111

• Important to overflow buffer with meaningful
  information
• i.e. machine language code containing commands
  we want executed
• Difficult to overwrite return pointer to hit
  exactly at beginning of code
• Place a bunch of NOP or NOP equivalents (called a
  NOP sled) at beginning of code.
• When overwriting return pointer, have to aim to
  overwrite to a range of values rather than a
  specific value.

112

• Once the stack is smashed, there are many things
  an attacker can do. Most likely, the attacker
  will try to create a back door to the target
  system.
• Creating a backdoor with Inetd Add a line to the
  /etc/inetd.conf file, which will spawn a command
  shell each time anyone tries to connect to a port
  defined by the attacker. Run this line in the
  stack to get a command shell to open on a given
  port
• /bin/sh c echo port stream tcp
  nopwait root /bin/sh sh I
• gtgt /etc/inetd.conf killall HUP inetd

113

• Creating a backdoor with TFTP and Netcat Get the
  target to execute the TFTP client. Load the
  Netcat program onto the target system. Configure
  Netcat to push a command shell from the target
  machine to the attackers machine.
• A good document on Stack Based Buffer Overflow
  Attacks Smashing the Stack for Fun and Profit
  by Aleph One, available at packetstormsecurity.or
  g/docs/hack/
• smashstack.txt

114
Password Attacks

• Two kinds Password Guessing and Password
  Cracking
• Password Guessing Attempt to guess the password
  for a particular user ID. This process is rarely
  successful, time consuming, and generates a lot
  of network traffic. Also, some accounts are
  locked out after a set number of unsuccessful
  guesses. Many password-guessing tools can be
  found at Packet Storms Site packetstormsecurity.
  org

115

• Password Cracking Steal the file with the
  encrypted passwords and use a password cracking
  program to recover the original passwords.
• Stealing the file Win use a Pwdump program
  (packetstormsecurity.nl/Crackers/NT/), or sniff
  them from the network (more on sniffing later)
  UNIX gain root-level access and steal the
  /etc/shadow or /etc/secure file if shadow
  passwords are used, otherwise steal the
  /etc/passwd file.

116

• Password Cracking Software
• Windows L0phtCrack (available
  www.atstake.com/products/lc/ ) This tool includes
  other options, such as a sniffer and a pwdump
  program
• UNIX John the Ripper (available
  www.openwall.com/john/ )

117
Web Application Attacks

• Can still be conducted, even if the target site
  uses SSL.
• Account Harvesting, Undermining Session-Tracking
  Mechanisms, SQL Piggybacking
• Account Harvesting Works for applications that
  have different error messages for an incorrect
  user ID and an incorrect password. By looking at
  the error messages, the attacker can determine
  valid user IDs, sometimes even passwords.

118

• Here, although the web pages look identical for
  each type of error, notice that the URL has
  changed, giving any hackers a hint about
  incorrect user IDs vs. incorrect passwords.

119
Undermining Web Application Session Tracking

• Three ways Session IDs are implemented URL
  session tracking, hidden form elements, and
  cookies.
• The attacker will first login to the site
  multiple times to see how the session IDs are
  generated.
• To change a session ID in a URL, simply type a
  different users session ID (or a generated one)
  over the original users ID in the URL.

120

• To change the session ID in a site with hidden
  form elements, view the source of the page,
  modify the ID number and reload it into the
  browser.
• To edit the session ID in a site that uses
  cookies, use a program called Achilles
  (available www.mavensecurity.com/achilles).
  Achilles is a web proxy that intercepts the
  per-session cookies and allows the attacker to
  modify them.

121
SQL Piggybacking

• Extending an applications SQL statement to
  extract or update information that the attacker
  is not authorized to access.
• Rainforest Puppy has a paper about SQL
  Piggybacking How I Hacked Packetstorm
  (available www.opennet.ru/base/cgi/22.txt.html )
• Begin by exploring how the Web application
  interacts with the database.

122

• The attacker may extend the SQL query
• Example
• Use SELECT FROM account WHERE
  (userid10001 and number 11111111111 or
  userid10002)
• instead of SELECT FROM account WHERE
  (userid10001 and number 11111111111)
• to get information on 10002

123
Sniffing

• Sniffer Gathers packets from the local network
  and allows the user to view the data being
  transmitted.
• Two ways of sniffing Passive (network built with
  a hub) and Active (network built with a switch)

124
Passive Sniffing

• Passively listens and collects packets.
• Snort (available www.snort.org ) A good
  passive sniffer that can be used as an IDS. Can
  sift through the network and look for attack
  signatures.
• Sniffit (avalaible reptile.rug.ac.be/coder
• /sniffit/sniffit.html) has an interactive
  mode that shows all active sessions and allows
  the attacker to see all keystrokes of the victim.

125

• Dsniff one of the more versatile sniffing
  tools. It is several programs in one, but is most
  known as a sniffer. It can interpret a number of
  different protocols, like FTP, HTTP, AIM, ICQ,
  Napster, Microsoft SQL, etc. Available
  www.monkey.org/dugsong/dsniff

126
Active Sniffing

• Need to fool the switch into sending the packets
  to the system with the sniffer
• Different methods MAC Flooding and Spoofing ARP
  Messages
• MAC Flooding Send a flood of traffic with random
  MAC addresses until the switchs memory is full.
  Some switches will then forward packets to all
  links on the switch (done with the Dsniff program
  Macof).

127

• Spoofing ARP Messages
• Arpspoof, a Dsniff feature, allows attackers to
  change the ARP traffic on local networks.
• Attacker configures his or her system to forward
  any traffic it receives to the router.
• Arpspoof program is activated, which sends fake
  ARP replies
• Fake ARP replies change the targets ARP table.
• Any traffic from the target machine is sent to
  the attackers machine before being transferred
  to the local network.

128
Spoofing ARP Messages
129
Other Methods of Redirecting Traffic

• Spoofing DNS
• DNSspoof, a Dsniff feature, allows attackers to
  send the target machine false DNS information,
  making the victim access the attackers machine
  when they intend to access a different system.
• The attacker starts the dnsspoof program and
  waits for the target to send a DNS query for a
  specific host.
• Once the query is received, the attacker then
  sends a false DNS response.
• When the target tries to access the intended
  host, the system is now accessing the attackers
  machine.

130
Spoofing DNS
131

• Sniffing HTTPS
• Attacker runs webmitm feature on Dsniff and doing
  DNS spoof
• All HTTP and HTTPS traffic is proxied by webmitm
• Target connects to attackers machine and SSL
  connection is established.
• Attackers system establishes a SSL connection
  with the server the target is attempting to
  access.
• Webmitm acts as proxy with two connections
• From the targets system to the attackers
  machine
• From the attackers machine to the actual server
  the target was trying to reach
• Note the target receives attackers certificate,
  not the certificate of the server the target is
  trying to reach.

132
Sniffing HTTPS
133

• The user will receive a warning that the
  certificate is not signed by a trusted
  Certificate Authority. Webmitm will then display
  the contents of the SSL session on the attackers
  screen.
• Sniffing SSH This is done in a similar manner as
  sniffing HTTPS, except the sshmitm (another
  Dsniff feature) is used instead of the webmitm
  feature. Note Sshmitm only allows for sniffing
  of SSH protocol version 1.

134
Is your machine running a sniffer?

• Detecting the process that does the sniffing is
  difficult, because the name of that process can
  be disguised as something innocent.
• The only way to detect the sniffer is to check if
  the network interface is in promiscuous mode. If
  the network interface is in promiscuous mode,
  this means that it listens for all packets on the
  network and not only for packets destined to that
  machine.
• Another method is to run ifconfig -a. This will
  list the available network interfaces, and show
  all the information about them. The word PROMISC
  means that the interface is in promiscuous mode.

135
How to avoid packet sniffers altogether

• Active hubs only send packets to the intended
  machines. This can disable the sniffer since it
  will not receive packets not intended for that
  specific machine. Cisco, HP and 3Com have such
  active hubs.

136
Detecting other sniffers on the network

• Detecting other sniffers on other machines is
  very difficult, but detecting whether a Linux
  machine is doing the sniffing is possible.
• This can be done by exploiting a weakness in the
  TCP/IP stack implementation of Linux.
• When Linux is in promiscuous mode, it will answer
  to TCP/IP packets sent to its IP address even if
  the MAC address on that packet is wrong.
• Therefore, sending TCP/IP packets to all the IP
  addresses on the subnet, where the MAC address
  contains wrong information, will tell you which
  machines are Linux machines in promiscuous mode .

137
IP Address Spoofing

• Used to disguise the IP address of a system.
• Three ways an IP address can be spoofed changing
  the IP address, undermining UNIX r-commands, and
  spoofing with source routing
• Changing the IP address The attacker can either
  reconfigure the whole system to have a different
  IP address or use a tool (Nmap or Dsniff) to
  change the source address of outgoing packets.
  Limitation the attacker cannot receive any
  responses.

138

• Undermining UNIX r-Commands
• Attacker finds two computers with a trust
  relationship
• Send a bunch of TCP SYN packets to target and see
  how the initial sequence numbers change
• A DoS attack is sent to other system
• Attacker initializes a connection with target
  system, using the IP address of the other system
• Target system sends TCP SYN and ACK packets to
  other system, which is dead
• Attacker estimates initial sequence number of
  other system and sends TCP ACK packet back
• If initial sequence numbers match, attacker has
  successfully gained one-way access to the target.

139
Undermining UNIX r-Commands
140

• Spoofing with Source Routing The attacker
  creates packets that have system As source
  address, with the attackers address in the
  source route. The attacker sends the packet to
  system B. Any replies are sent to the attackers
  machine. Note that the attacker does not forward
  them to system A because the connection would be
  reset.

141
Session Hijacking

• A combination of sniffing and spoofing that
  allows an attacker to steal the session from the
  user, given that after the initial authentication
  the session is not encrypted. The attackers
  system lies somewhere on the route between the
  two communicating machines (A and B). The
  attacker observes the traffic, monitoring the TCP
  sequence numbers. The attacker can then send
  spoofed packets with system As IP address as the
  source so that system B will obey the commands.

142

• Problem When the attacker sends system B packets
  with system As IP address, system A will notice
  that the TCP sequence numbers are out of order
  and send ACK packets to resynchronize the
  numbers. This continual retransmission of ACK
  packets is known as an ACK storm.
• Most hijacking tools cannot cope with the ACK
  storm and the connection will be dropped.

143

• Tool Hunt (available www.packetstormsecurity.org
  /sniffers/hunt )
• Hunt uses ARP spoofing to prevent the connection
  from being dropped.
• Unlike other tools, Hunt can also resynchronize
  the connection. It does this by sending a message
  to system A saying msg from root power failure
  try to type 88 characters, (where 88 is the
  number of chars. that the attacker typed during
  the hijacking) which will increment the sequence
  number of system As TCP stack to where it should
  be.
• Two new ARP spoof messages are then sent,
  restoring the correct MAC addresses.

144
(No Transcript)
145
Netcat The Networking Swiss Army Knife

• Used for multiple purposes, Netcat basically
  moves data over any TCP or UDP port. It can
  either act as a client or a listener. Available
  www.atstake.com/research/tools/
• network_utilities
• For File Transfers Set up a Netcat client on the
  source system and a Netcat listener on the
  destination system. The source system initiates a
  connection and pushes the file to the destination
  system.

146

• For Port Scanning Netcat will connect with every
  port and display a list of open ports.
• For Making Connections to Open Ports Use Netcat
  in client mode to connect to open ports and see
  what the listening service sends back. Better to
  use than Telnet because it is easier to force
  Netcat to drop a connection, Netcat can make UDP
  connections, and Netcat only returns the pure
  data from the open ports, not any other data like
  environment variables.

147
Denial-of-Service (DoS) Attacks

• Used to prevent access by legitimate users.
• Two options Stop services and exhaust resources.
  This can be done either remotely or locally.

148
Stopping Local Services

• Must have an account on the local system.
• Three methods Process Killing, System
  Reconfiguration, and Process Crashing
• Process Killing When an attacker has root
  privileges, he or she can simply kill the local
  processes.

149

• System Reconfiguration An attacker with root
  privileges can reconfigure the system so that it
  does not offer certain services or filters on the
  machine.
• Process Crashing Crashing processes by
  exploiting vulnerabilities in the system (i.e.
  use stack based buffer overflow with a local
  process, causing the process to crash).

150
Locally Exhausting Resources

• Running a program from an account on the target
  system that grabs the system resources.
• Three methods Filling up the process table,
  filling up the file system, and sending outbound
  traffic that fills up the communication link.

151

• Filling up the process table Running a recursive
  program that forks processes in an attempt to
  fill up the process table so no other users can
  run processes.
• Filling up the file system Continuously writing
  data to the file system, preventing other users
  from writing files.
• Sending outbound traffic that fills up the
  communication link Running program that sends
  large amounts of bogus network traffic, consuming
  the processor and bandwith.

152
Remotely Stopping Services

• Send a malformed packet. Different platforms may
  be susceptible to different types of malformed
  packets.
• These packets have structures that the TCP/IP
  stacks cannot anticipate, causing the system to
  crash.
• Malformed packet suites available at
  www.packetstormsecurity.org/DoS

153
Remotely Exhausting Resources

• Accomplished by a packet flood
• Three common ways SYN flood, Smurf attacks, and
  Distributed Denial of Service Attacks (DDoS)
• SYN Flood Overwhelm the target machine with SYN
  packets. This fills the connection queue so that
  no new connections can be made on the target
  machine.

154

• Smurf Attacks Repeatedly sends a ping to a
  broadcast IP address of a network that can
  receive and respond to directed broadcast
  messages (called a smurf amplifier), with the
  target machine as the source of the ping. The
  targets bandwidth is filled with these packets.
  Tools Smurf (ICMP), Fraggle (UDP), and Papasmurf
  (ICMP and UDP) (available www.packetstormsecurity
  .org/new-exploits/ ). List of Smurf Amplifiers
  www.netscan.org

155

• DDoS Attacks Attacker takes over victim machines
  (called Zombies) and installs software that waits
  for commands from the attacker. The attacker can
  then tell the zombies to start a DoS attack on
  the target. Tool TFN2K (available
  www.packetstormsecurity.nl/groups/mixter/
• index2.html ) This tool allows the attacker to
  choose which type of packet to use in the DDoS
  attack. It also allows IP spoofing, communication
  via Echo Reply packets, and running a single
  command simultaneously on all zombies.

156
Phase 4 Maintaining Access
157
Backdoor Kits

• Active Used by an intruder at any time that they
  wish.
• Passive Set to trigger themselves according to a
  predetermined time or system event.

158
Backdoor Kit Selection

• This is dependant upon the type of network
  security in place.
• Two basic architectural categories
• Packet filter
• Proxy firewall

159
Trojan Horses

• A destructive program that masquerades as a
  benign application. Unlike viruses, Trojan horses
  do not replicate themselves.
• Used to integrate a hole or backdoor into a
  systems security countenance.
• Trojans spread due to the technological necessity
  to use ports lower ports are used by Trojans
  that steal passwords while higher ports are used
  by remote-access Trojans that can be reached over
  the Internet, network, VPN or dial-up access.

160
Trojan Horse Backdoor Tools

• Back Orifice

161
Back Orifice
Remote Administration System which allows an
intruder to control a computer across a TCP/IP
connection using a simple console or GUI
application. Gives its user more control of the
target computer than the person at the actual
keyboard has.
162
Back Orifice ServerFunctionality

• Get detailed system information, including
• current user
• cpu type
• windows version
• memory usage
• mounted disks and information for those drives
• screensaver password
• passwords cached by the user

163
Controls and Abilities

• File system controlCopy, rename, delete, view,
  and search files and directories. File
  compression and decompression.
• Process controlList, kill, and spawn processes.
  
• Registry controlList, create, delete and set
  keys and values in the registry.

164

• Multimedia controlPlay wav files, capture screen
  shots, and capture video or still frames from any
  video input device (like a Quickcam).
• Network controlView all accessible network
  resources, all incoming and outgoing connections,
  list, create and delete network connections, list
  all exported resources and their passwords,
  create and delete exports.

165

• Packet redirectionRedirect any incoming TCP or
  UDP port to any other address port.
  Application redirectionSpawn most console
  applications (such as command.com) on any TCP
  port, allowing control of applications via a
  telnet session.
• HTTP server Upload and download files on any
  port using a www client such as Netscape.
• Integrated packet snifferMonitor network
  packets, logging any plaintext passwords that
  pass.
• Plugin interfaceWrite your own plugins and
  execute the native code of your choice in BO's
  hidden system process.

166
NetCat

• A simple Unix utility which reads and writes data
  across network connections, using TCP or UDP
  protocol.
• Designed to be a reliable back-end tool that can
  be used directly or easily driven by other
  programs and scripts.
• Part of the Red Hat Power Tools collection and
  comes standard on SuSE Linux, Debian Linux,
  NetBSD and OpenBSD distributions.

167
It provides access to the following main
features

• Outbound or inbound connections, TCP or UDP, to
  or from any ports
• Full DNS forward/reverse checking, with
  appropriate warnings
• Ability to use any local source port
• Ability to use any locally-configured network
  source address
• Built-in port-scanning capabilities, with
  randomizer
• Built-in loose source-routing capability
• Can read command line arguments from standard
  input
• Slow-send mode, one line every N seconds
• Hex dump of transmitted and received data
• Optional ability to let another program service
  established connections
• Optional telnet-options responder

168
Port-Scanning

• Netcat accepts its commands with options first,
  then the target host, and everything thereafter
  is interpreted as port names or numbers, or
  ranges of ports in M-N syntax.
• For each range of ports specified, scanning is
  normally done downward within that range.
• If the -r switch is used, scanning hops randomly
  around within that range and reports open ports
  as it finds them.

169
Traditional Root Kits
170
Root Kits

• Used by an intruder to prevent his/her detection
  on the system he/she has compromised.
• Generally contains network sniffers, log-cleaning
  scripts, and trojaned replacements of core system
  utilities such as ps, netstat, ifconfig, and
  killall.
• Installs a backdoor remote-access daemon, such as
  a modified version of telnetd or sshd. These will
  often run on a different port than the one that
  these daemons listen on by default.
• Most rootkits also come with modified system
  binaries that replace the existing ones on the
  target system.

171
/bin/login Replacement

• When logging onto a UNIX machine, the /bin/login
  program runs.
• Used to gather and check user ID and password
• The Rootkit replaces the /bin/login with a
  modified version that includes a backdoor
  password.

172
Detecting Backdoors Example

• System Administrator runs the /bin/login routine
  through strings.
• Strings a UNIX program that shows all sequences
  of consecutive characters in a file.
• If an unfamiliar sequence is found, it may be a
  backdoor.

173
Sniffers

• Are used to gather passwords for other systems
  and listen to traffic for sensitive information.
• Rootkits set the promiscuous mode on the target
  machine's network interface card, enabling the
  sniffer to listen to a variable-sized network.

174
Hidden Sniffers

• Ifconfig shows information such as IP addresses,
  network mask and MAC addresses.
• By running ifconfig, one can detect a sniffer by
  looking for the PROMISC flag.
• This prevents the System Administer from
  detecting the RootKit.

175
Kernel-Level Rootkit

• the most severe threat to system security that
  can be caused by a rootkit comes from those that
  deploy LKM (Loadable Kernel Module) trojans.
• LKMs are a mechanism for adding functionality to
  an operating-system kernel without requiring a
  kernel recompilation.
• Kernel rootkits do not replace system binaries,
  they subvert them through the kernel.

176
Subverting the kernel

• There are two ways that a rootkit can subvert the
  kernel to perform actions on behalf of an
  intruder
• Loading a kernel module
• The Linux kernel (and many other operating
  systems) can load kernel modules at runtime. This
  allows an intruder to insert a module that
  overrides kernel syscalls in order to return
  incorrect values
• Writing to /dev/kmem
• By writing to /dev/kmem it is possible to
  overwrite the kernel at runtime, and thus perform
  any arbitrary modification.

177
Atypical Methods to Subvert the Kernel

• Adore-ng by Stealth employs the Virtual
  FileSystem layer of the kernel. This works by
  replacing the existing handler routines for
  providing directory listings of the /proc and the
  / filesystems, and registering its own routines
  instead. Userspace programs use the /proc
  filesystem to obtain information on running
  processes. In this way both processes and files
  can be hidden.

178
Detecting Kernel Rootkits

• To get a list of kernel modules, two standard
  methods can be used
• bash lsmod
• bash cat /proc/modules
• Unfortunately, being a kernel module, an LKM
  rootkit can easily defeat such efforts by a
  variety of methods.

179
Programs

• This is a non-exhaustive list of programs that
  are useful for the detection of kernel
  modifications in a running system.
• kern_check.c (PGP signature kern_check.c.asc) is
  a small command-line utility (for Linux 2.2.x,
  2.4.x) that will compare your System.map against
  your kernels syscall table and warn about any
  inconsistencies.
• In case of compilation failure, you may want to
  make