Dial-up, VPN and Network Devices hacking - PowerPoint PPT Presentation

About This Presentation
Title:

Dial-up, VPN and Network Devices hacking

Description:

Port Scanning: Use Nmap or SuperScan and WUPS to scan TCP and UDP ports. In linux use dig to obtain information: e.g. dig -t mx ubalt.edu Routers ports ... – PowerPoint PPT presentation

Number of Views:29
Avg rating:3.0/5.0
Slides: 7
Provided by: Dr1803
Learn more at: http://home.ubalt.edu
Category:
Tags: vpn | devices | dial | hacking | network | nmap

less

Transcript and Presenter's Notes

Title: Dial-up, VPN and Network Devices hacking


1
Dial-up, VPN and Network Devices hacking
2
Dial-up hacking
  • Phone number footprinting phone directories
    (on-line and CD-ROM)
  • Wardialing (scanning) automatically dialing a
    range of numbers, like in telemarketing, using a
    hardware/software combination.
  • PC with serial ports and modems it is all that is
    needed
  • Software ToneLoc, THC-Scan (free) and Phone
    Sweep (commercial). See book.
  • Typically one modem can wardial 10,000 numbers
    in 7 days of 24 hours.
  • Telcos take this seriously and in many areas this
    is illegal (ping sweep is not).
  • Penetration Domains once logs are obtained the
    connections can be classified as (see book for
    examples in QBASIC)
  • LHF - easily guessed or commonly used passwords
    for known systems
  • Single authentication, unlimited attempts
  • Single authentication, limited attempts
  • Dual authentication, unlimited attempts
  • Dual authentication, limited attempts
  • Basic countermeasures Inventory and consolidate
    modem lines, use at least dual authentication
    with limited attempts, put in DMZ.

3
PBX, Voicemail, VPN
  • PBX most PBX are no longer electro-mechanic
    machines, but rather computers with IP numbers,
    graphical interfaces, etc.
  • Types Octel, Williams, Meridian, ROLM, ATT --
    all with specific ways to login (some very easy
    to hack, see book).
  • Basic countermeasure only turn modem on when
    maintenance is needed, turn off most of the time.
  • Voicemail low impact, brute force attempts, but
    no logs (voice answers).
  • VPN tunneling private data through the Internet
    with encryption, reducing WAN costs, and
    supporting modern electronic commerce.
  • Tunneling involves encapsulation of a datagram
    within another, be it IP within IP (IPSec) or PPP
    within GRE (PPTP)
  • IPSec (replaces PPTP) and Layer 2 Tunneling
    Protocol - L2TP (replaces L2F) are the most used
    VPN standards.

4
VPN Hacking
  • Microsoft PPTP originally had a weak encryption
    function, algorithm (RSA), the TCP port (1723)
    used for connection control was vulnerable to DoS
    attacks, only the data was encrypted. NT Service
    Pack 4 closed these vulnerabilities, Win 9x
    clients should be upgraded to DUN 1.3 to use
    these improvements.
  • Win 2k, XP, 7 came with IPSec support as we saw
    previously. See VPN with Single Sign On in
    Windows 7.
  • IPSec very difficult to understand, even by
    experts.
  • Hackers do not seem to have figured it out yet,
    what is good.
  • Schneier and Ferguson (renowned experts)
    conclusion IPSec is too complex to be secure,
    but it is better than any other security protocol
    in existence.
  • Different implementations VPN requires the use
    of VPN gateways in the server side. Read this
    article to see a comparison of these types.
  • VOIP hacking sniffing and enumeration. New
    tools potential.

5
Network Devices
  • Detection use traceroute to find the border
    router.
  • Port Scanning Use Nmap or SuperScan and WUPS to
    scan TCP and UDP ports. In linux use dig to
    obtain information e.g. dig -t mx ubalt.edu
  • Routers ports (book page 398). If no ports found
    means security is in place.
  • If you find ports open you may be able to
    identify the type of device (routers, switches,
    hubs) and their manufacturers.
  • OS Identification using Nmap and other tools
    seen previously.
  • Penetration Once telnet or shell ports are found
    we can connect and use the data base of passwords
    to login if the administrator failed to change
    the default password, but brute force also can be
    used.
  • SNMP allow to check status, configuration and
    change the configuration. You should restrict its
    use, if allowing it at all through your border
    router.
  • BackDoors accounts meant for vendors to enable
    them to bypass a locked-out administrator, but
    which offer hackers a back door. Vendors like
    3Com,Bay, Cisco, Shiva have created these
    accounts. Change the defaults!! See also more
    details in the book, if you manage one of these
    devices.

6
Other vulnerabilities
  • Specific vulnerabilities Cisco and Ascend write
    MIB. Cisco weak password encryption. TFTP (most
    routers). Bay config file is clear text.
  • Shared vs Switched shared media broadcasts to
    all nodes. Switched media builds a table of MAC
    addresses and send the messages to a specific
    MAC.
  • Use Snmpsniff in Linux to sniff in shared media
    networks.
  • Packet sniffing was developed for the shared
    media environment, but
  • There are now packet-sniffing tools for switches.
    Dsniff is easily installed in Ubuntu use sudo
    apt-get install dsniff. Use sudo to run it. There
    is a FAQ to help you with its use. See example.
  • Basic countermeasure use encryption in all your
    traffic, such as PKI (1,2). You can also use VPN
    to create more secure connections.
  • Arp redirect arp redirect is part of the dsniff
    package (traffic goes through an attacker
    machine).
  • RIP spoofing Again use WUPS or NMAP to scan port
    520 (RIP). A C program rprobe was written to
    demonstrate how to spoof/redirect.
Write a Comment
User Comments (0)
About PowerShow.com