Networks and Security

About This Presentation

Title:

Networks and Security

Description:

Networks and Security – PowerPoint PPT presentation

Number of Views:328

Avg rating:3.0/5.0

Slides: 160

Provided by: webe150

Category:

more less

Transcript and Presenter's Notes

Title: Networks and Security

1
Networks and Security
2
How Real is the Threat?

88 of IT staff polled in the US recently said
their organizations had been affected by Internet
viruses or worms in the past year even though 90
of firms have an IT security system in place.
Information Security Magazine, 2001

3
Worm Threats

NIMDA and Code Red generated the majority of
attack activity accounting for 63 of recorded
attacks
Each worm attacked known problems with available
patches
New zero-day worms that hit vulnerabilities not
posted
Future worms will morph

4
Trends

39 seemed to be targeted to breech a specific
system or company
61 seemed opportunistic with the attacker
scanning and looking to exploit what was found
42 of the attacks were aimed at large
corporations of 1,000 or more employees
This suggests, higher profile corporations are
bigger targets than lower profile

5
Majority of Attacks Are Launched From a Small
Number of Countries

Ten countries account for 70 of attacks
30 United States
9 South Korea
8 China
The largest number of attacks per IP address was
Israel

6
Attacks and Ports
7
Current Attacks
8
Most Probed Ports
Windows service for conversion Of IP addresses to
names in file sharing apps First step in a scan
to hit file shares
Open when a web server installed
Used by MS-SQL server for remote Clients to query
for network connections
9
Trends

The industries with the highest attacks rates
are
Education
High Tech
Financial Services
Media/Entertainment
Power and energy companies
Each averaged more than 700 attacks per company
in the last six months
Power and energy companies suffered attacks from
the Mid East at twice the mean of other companies
High Tech and Financial companies suffered
attacks from Asia at a rate that was 50 higher
than the mean for other companies

10
Top Ten Attacks

47.8 M.S. IIS Server ISAPI overflow
25.1 (Code Red) Generic Root Request Attack of
root.exe in /scripts directory.
23.5 M.S. IIS Server Traversal Attack
17 M.S. IIS Server Arbitrary Code Attack (code
URL twice)
16.5 (Code Red) "cmd.exe" Attack
5 Scan for 27374 port for SubSeven (2600
Magazine)
3.8 Scan for vulnerable or mis-configured FTP
servers.
2.8 Scans for RPC enabled
1.3 Scans for ssh (Exploit)
1.2 Scans for LPD (Exploit) (Source RipTech)

11
General Types of Hackers

Kiddie Scripters
Black hats
Network-savvy employees
Government Entities

12
Kiddie Scripters

Run scripts from hacker sites
Rarely recompile to change ports or affect attack
signatures
Poor resources - usually tied to an ISP
Usually want a quick hit or break-in and are
largely indiscriminate about targets
Leave behind lots of evidence

13
Take Your Pick of Hacker Groups
14
Places for Evil
15
Know Your Enemy--Places to Visit

http//www.hacktech.org/
http//surf.to/damage_inc
http//www.oninet.es/usuarios/darknode/
http//b0iler.eyeonsecurity.org/tutorials/index.ht
ml
http//ist-it-true.org/pt
http//hackersplayground
http//packetstorm.widexs.nl/exploits20.shtm
http//astalavista.box.sk.

16
Black Hats

Re-compile code of others to change attack
signatures
Write programs that may or may not be shared
Moderate resources - usually tied to an ISP but
can have own domains and domain servers
Much more cautious and attacks may be spread over
weeks
Mafia organizational models key talented hackers
with high skills are generally isolated by layers
of kiddie scripters for protection

17
Reconnaissance
Look for a file that Doesnt exist on a
web Server 404 error will Reveal server and
version
18
Network-Savvy Employees

Never share or use code of others unless it is an
intentional deception
Inside knowledge of infrastructure enables more
sophisticated approach

19
Governments

Attacks and coordinated probes may stretch over a
period of months or years and are calculated to
bypass the best IDS
Launched as part of policy
Has direct access to tier 1 Internet service
providers (ISP) or uses government resources
Able to manipulate domain, WHOIS databases, and
root server and Internet routing paths
May be recruited from Black hats or federal
agencies

20
Nuisance Threats

These individuals may evolve from online trespass
and vandalism to more criminal activity such as
theft of information, extortion, and credit card
fraud
In addition, this group is a pool of potential
resources for more traditional criminal elements
to exploit either directly or indirectly

21
Low Level Threats

On-line Trespass
Vandalism
Script Kiddies compile existing hacker code
Existing vulnerabilities

22
Malicious Threats

Launch virus or self-propagating bots that
harvest e-mail addresses, credit card numbers, or
other valuable data
Identity theft is big business

23
Doomsday Threats

After key financial information that can be
leveraged for money
Scan likely unfriendly nations for critical
infrastructure weak points
Characterized by long term stealth (not noisy)
scans and probes
Access to resources
Undetectable

24
Criminal Activity Categories

Extortion
Organized Crime
Political Groups (Terrorists)
Industrial Espionage and Sabotage
International Intrusions

25
Criminal Activity

49 of information security professionals'
companies have had personnel who have physically
destroyed or stole computing equipment -- up from
42 in 2000. Industry Survey from Information
Security Magazine, 2001. See http//www.vectec.org
/researchcenter/stats.html?category9

26
Hacker Pattern Reuse

Each hacker has a signature for attack
methodologies
It is often possible to describe each separate
attacker by their trademark styles and choice of
tools and exploits
Once they find a sequence or type of attack that
works they use the same choice of tools each time

27
Seven Step Attack Profile Overview

Reconnaissance gathering information on your
organization
Foot printing get the network details.
Port Scanning find the actual services
available.
Enumeration - Promising targets are identified in
more detail.
Gaining Access - choose an informed hack/crack.
Escalating Privileges - elevate to system access.
Pilfering - Grab any interesting/profitable data.
Covering Tracks - Hide interlopers machine romp

28
Profiling

Objective
Gathering information about the organization
Technique
Web searches, public documents, and legal
databases
Web browsers most public or legally available
information is now available on line

29
Sniffers Are Your Friend and Foe

Everything that touches your machine from a data
network can be seen on a sniffer Passwords,
account names, social security numbers, birth
dates, and other personal information
Hackers frequently use sniffers to ply their
trade
Sniffers also help the good guys by catching
issues that IDS and firewall logs will miss

30
Network Associates (NAI) Sniffer
31
Network Associates (NAI) Sniffer

Premier network diagnostic program available to
network professionals
A great number of hacker sniffers tend to
concentrate on capturing and logging targeted
information such as user names, passwords and
commands
dsniff is a package of password grabs including
mailsnarf an e-mail grabber

32
dsniff
33
Sniffer Exploits

Sniffers are programs that use promiscuous
drivers
These specialized drivers allow network
information to be sniffed off of the local
network segment
In segments that utilize Ethernet hubs, as
opposed to switches, the attacker can log every
users information off the network

34
Dsniff De-encrypting Password Sniffer

dsniff listens patiently for passwords to come
along
It will decode NETBios-based Windows, IMAP, POP3,
SNMP, and many other types of passwords
If you are using the network diagram programs
like Visio, TGV (Computer Associates) and HP
OpenView with the read/read-write SMP password
you are giving it away to attackers

35
Sniffer Defenses

Ethernet switches are not a security panacea
Flooding the switch with bogus MAC addresses can
flood the bridge table and cause one of two of
the following switch behaviors to users
30 of the time switch starts forwarding ALL
packet to ALL ports (hub behavior)
70 of the time the switch crashes

36
Sniffer Defense

Monitor your switch reboots with simple
networking management protocol (SNMP)
Send SNMP traps to your central security
monitoring console when switches reboot or have
switch table full error events
It is also very valuable to centrally log switch
and router SNMP AUTH events which send login
authorization failures!

37
Sniffer Defense

_at_stake, makes a sniffer detector AntiSniff
available for trial and sale
Promiscuous drivers take notably longer to
process network requests
This detector makes detection available based on
the noted delays in the surrounding IP client
software on hosts

38
L0PHT (_at_stake) antisniff
39
Foot Printing

Objective
Get address range, namespace details, contacts,
and reverse domain info
Technique
Open source info, DNS, iterative reverse DNS or
zone transfer
Tools
nslookup, dig, whois, ARIN whois, etc.,
Plain old HTTP lookups on their favorite search
engine, Google, Altavista

40
Foot printing

whois
nslookup
http//www.arin.net/whois/index.html
Department of Defense
RIPE
APNIC
Web Search Engines
Google

41
Domain Name Service (DNS)

Domain name services (DNS) map text strings by a
hierarchical directory to a specific IP address
that the computer application can use
Domain name servers are also called name servers

42
Domain Name Services (DNS)

DNS servers use forward and reverse zone text
files that contain domain entries
Forward files include INFO records
INFO type A records for IP addresses
INFO HINFO records for software and platform
information
INFO CNAME or canonical names for aliases
INFO MX or mail exchange records for email

43
Whois

Domain Lookup
http//www.arin.net/whois/index.html
http//www.geektools.com/cgi-bin/proxy.cgi

44
Geektools.com
45
DNS Exploit Information Grabbing

Programs like Sam Spade and whois reveal an
enormous amount of information about your company
Internet connections, managers, and
administrative contacts.

46
Sam Spade
47
Sam Spade
48
Sam Spade
49
DNS Exploit Information Grabbing

Defense
Use two DNS servers, one inside your network, and
another outside. This is called the split
domain name server architecture.
By blocking the inside name server that has all
the network information from outside access it
is possible to hide inner host information from
interlopers
Allow only the most essential information to be
available to the general Internet.
Secure the servers the Internet knows about.

50
Split Domain Servers
51
Denial of Service Exploit

Lots of connections entering the open TCP state
with the host machines sending SYN packets to
synchronize sequence numbers
During the open state the host machine consumes
CPU time allocating memory buffers consuming
limited resources on the host machine
Host machine may many times be sending replies
back to a spoofed attacker address
If enough TCP open states are started on the
target machine . . .
It runs out of memory or CPU resources and stops
accepting new connections or crashes

52
Denial of Service Defense

Specialized intrusion detection systems recognize
DoS attacks and issue RST packets to either the
sender or destination or both and kill the
network connection
The host machine immediately releases resources
upon receipt of a packet with the RST flag set

53
Denial of Service Defense

Reduce the TCP wait timer on your servers from
the default 600 seconds to about 3
This times out the connection state and allows
your server to recoup its resources faster and
resist this attack
Increase the server resources-- Memory is cheap
Allocate additional memory buffers to handle the
attack-- Bumping from 10 to 200 should do it

54
Logical Data Network Structure

Networks are made up of network devices that pass
packets based on addresses and network paths
Routers and switches keep track of these
addresses and routes in internal tables
What are some examples of these internal tables?

55
Logical Data Network Structure

Switch tables
Switch mappings associated with a physical
interface
ARP table layer 3 network addresses associated
with a L2 address and usually a physical interface

56
Logical Data Network Structure

Layer 3 network route mappings associated with a
L1 (physical) interface

57
Internet Command and Management Protocol (ICMP)

Routers that become congested return an ICMP
source quench message as a simple form of flow
control
Some routers send an ICMP source quench if
their communication buffers get full
ICMP is the traffic cop for IP networks

58
RARP, BOOTP, and DHCP

RARP (earlier slide) - given the MAC (L2) address
give me the network (L3) address
BOOTP - an improvement on RARP that gave us
automated IP addresses, automated boot images,
gateway addresses, etc.,
DHCP - Dual host configuration protocol - a later
protocol (Microsoft) that added user specified
fields, and advanced abilities such as redundancy

59
Crafted Packets Exploit

Build what you want and create a hack - a
thousand different ways.
if ( (packet malloc(1500)) NULL )
perror("malloc ") exit(-1)
if ( (sock libnet_open_raw_sock(IPPROTO_RAW))
-1 ) perror("socket ") exit(-1)
libnet_build_ip(len, / Size
of the payload /
/ ICMP Header for Parameter Problem
---------------------------------------------
--------------
Type (12) Code (0) Checksum
---------------------------------------------
--------------
Pointer unused
---------------------------------------------
--------------
Internet Header 64 bits of original datagram
data....
/
/ Need to embed an IP packet within the ICMP /
ip (struct ip ) (packet IP_H 8) / 8
icmp header /
ip-gtip_v 0x4 / IPV4
/
ip-gtip_hl 0xf / Some
IP Options /
ip-gtip_tos 0xa3 /
Whatever /
ip-gtip_len htons(data_len) / Length
of packet /
ip-gtip_id 30241 /
Whatever /

60
DNS Exploit Cache Poisoning

DNS queries are heavily cached on servers. What
if an attacker could craft a packet that
poisons the DNS cache with the wrong
information?
Could a hacker/cracker redirect domain name
server queries to the wrong machine?

61
What Else Could Crafted Packets Do?

Distribute bad route to your core date network
routers dumping much of your network traffic
Foul up switched networks with bogus bridge data
unit (BDU) packets that would switch off network
interfaces
Block router IP interfaces with bad ARP replies

62
Crafted Packets Defense

Turn everything off!
Do not require or allow ICMP features like
gateway redirection, source quench, or router
advertisement
Turn off spanning tree algorithm (STA) where it
makes sense
Use the authenticated and encrypted versions of
any available protocols i.e., OSPF not RIP ver. I
Tie your routers together with access control
lists (ACLs) to control inbound broadcasts
Dont do it by the book. Cisco design
principles are wrong as they value speed of the
network over security. Application server speed
is king and people on LANSs dont perceive LAN
speed optimization as delays

63
netcat

netcat, the swiss army knife of hacking.
Can attach to an arbitrary client port to
listen for data
Can be set up to send out crafted packet data to
an arbitrary port
Usually after capturing traffic into a hex file,
the data is edited, and sent out to the same
network it came from

64
Netcat options scary!!!
65
Netcat listener
66
Netcat Listener Receiving Test Text
67
Port Scanning

Target ID and assessment for attack
What looks most promising?
Technique
ICMP sweep, TCP/UDP scans, OS detection. What
is the version of Windows they are running?
What are the publicly available hacks/cracks for
this version?
Tools
fping, hping, nmap, ncat -p, fscan, queso

68
Ports or Service Addresses

Service or port, is a 16 bit base 10 number
Example 31337
Port addresses allow the program to know what
application the data packet is intended
Popular service addresses or ports are 80 for
http, 23 for telnet, 20 and 21 for file transfer
protocol, 22 for remote shell

69
How Do I Know What Services Are Running?
netstat!
70
UDP Packet Ports
71
TCP Addresses
72
How Do Hackers Generate Port Scans?
nmap
lt O.S. Guess!
73
How do hackers generate port scans?
nmapfe
74
Features of TCP Packets

Sequence Numbers what packet is this in a
sequence or flow of packets?
Windows Size - how many IP packets do I send at a
time before requiring an acknowledgement packet?
Flags -
RST - set, for errors, may be used as a session
stopper in active intrusion detection.
SYN - set to synchronize sequence numbers
ACK - acknowledges data and session information

75
TCP A Connection Oriented Protocol

The TCP protocol for IP packets (TCP/IP) has
features which enable TCP packets to keep track
of
How many packets need to be sent?
How many packets have been sent?
How many packets are left to be sent?
If there is an error, which packets are needed to
be sent again?

76
Man in the Middle Attacks

There exist TCP session grabbing programs, such
as Juggernaut and Hunt, that if attackers are
at a place on the network where they can
eavesdrop both sides of the data connection, they
can intercept one end of the conversation and
take it over.

77
TCP Sequence Prediction

Yes, it is possible to do whats called TCP
sequence prediction and pick up another session
even if you cant eavesdrop.
Hunt and Juggernaut are two programs that connect
to a computer, usually a server, and by
interacting with it characterize the type of TCP
sequence that the machine expects in connections.
It then tries to break into another connection
that machine may be having with another user.
Normally, you will detect Juggernaut, and its big
brother Hunt, trying to break into established
web site connections to other customers to steal
personal information or identities.

78
Enumeration

Objective
Promising targets are identified in more detail.
Technique
List user accounts, trusts, find IP addresses to
attack, file shares, ID apps, etc. Are campus
wide directories available? LDAP?
Tools
LDAP directories, Legion, NIS, DumpACL, sid2user,
Onsite, etc.,

79
Address Resolution Protocol Table Entries

Address resolution protocol (ARP) is an internal
table within routers that associates IP addresses
to the PCs ethernet address and also to a
physical interface.
ARP Table Entries
00-0c-34-23-af-bc 128.12.43.44 intf0
00-0c-34-23-af-bc 128.12.43.44 intf0
00-0c-34-23-af-bc 128.12.43.44 intf0
00-0c-34-23-af-bc 128.12.43.44 intf1

If an attacker could get your networks ARP
information they would have the keys to your
network.
80
Arpwatch Very Common In Unix

Monitors the address resolution protocol as the
network works to capture and send to the user (or
attacker) the IP and ethernet address information
of your network
This can give an attacker all the specific
information they need to cull a sheep out the
herd

81
Firewalls Definition

What are they?
Firewalls are network devices that pass or drop
packets based on a programmed rule set
Firewall rule sets are based on physical port, IP
address, transport address (port) or other
parameters

82
Firewalls Definition

Firewalls are generally categorized into three
groups
State less, does not maintain state or track
packet history
State full, maintains state, is able to
defragment packets
Proxy, may redirect traffic to other machines
based on FW policy. Typically used to redirect
e-mail through virus scanning software.

83
Basic Firewall Platforms

Types
Packet dropping filters (stateless) commonly
seen as access control lists (ACLS) in routers.
Cisco dominates this market.
Complex or state-full firewalls generally seen
in firewall appliances, Lucent Brick, Cisco PIX,
Check Point and Nokia all have entries in this
market.

84
Firewalls Network Based
85
Firewalls -- Bridge Based
86
Bridging Firewalls are Better

Why?
Because routing firewalls depend on IP address
gateways to route packets.
Any external IP addresses are subject to attack
and may limit your data when they are attacked.
Bridge based firewalls have no external IP
addresses that are required to route packets and
as such do not have routing interfaces that can
be attacked!

87
FW May Block Based On IP Address
88
FW May Block Based On Port Address
89
What Does A Basic Firewall Setup Look Like?
90
Firewalls come in other flavors

The market is full of smart firewalls.
A layer 7 or application layer firewall acts to
block packet streams from certain applications
such as peer-to-peer media sharing programs like
Gnutella.
These are also known as traffic shaping devices
Traffic shaping firewalls can block MP3 (audio)
even if the data is using a common well known
service (WKS) port such as FTP or HTTP. They
detect the type of data not just the IP address
and port that is being used.

91
Host Based Firewalls

Excellent protection one host at a time.
Software running under the operating system
Many host software firewalls also use intrusion
detection algorithms in tune with the firewall to
protect the host
Commercial software such as Norton, McAfee, Black
Ice Defender, and Zone Alarm dominate this market

92
Host Based Firewalls Black Ice Defender
93
Host Based Firewalls Black Ice Defender
94
Host Based Firewalls Norton
95
Host Based Firewalls Tiny Firewall
96
Network Address Translation (NAT)

Firewalls that hide multiple IP addresses
behind a single IP address!
This has the effect of confusing attackers. In
particular, an nmap O scan which will
determine the operating system will be all over
the map and genrally fail through NAT with
multiple machines.
The NAT algorithm is easily modified to control
or block inbound versus outbound connections

97
Network Address Translation (NAT)
98
FW Rule Sets - Examples

Loose (Higher Education)
Accept all, specifically deny dangerous ports
(services)
Moderate (Corporate)
Deny all except for well know services on known
machines
Tight (Defense)
Deny all except the generals to nba.com.

Sub 7 Trojan BOTH GI064A pass
Quake and Derivatives BOTH GI064B pass
Hack-a-Tack BOTH GI068A pass
Sub 7 Artifact BOTH GI035A pass
Sub 7 Trojan BOTH GI034B pass
NetSphere Trojan BOTH GI064B pass
SANs Russian Trojan SD423439 Host Blocks This
one was mine!
BOTH GI021A pass
mstream DoS attack BOTH GI087g pass
Interesting port to monitor.
GNUTELLA BOTH GI086 pass Peer to peer
stuff. Season to your taste.
Deep Throat Trojan Back Door SANs
BOTH GI085 pass

100
GRC.COMs IPAgent Scan (free)
IPAgent is a small program that works with a
server at the grc.com web site and does a quick
service scan on your Internet web address and
then gives the results to you in a web page.
Very cool and a good way to get a good nights
Sleep.
101
Cryptographic Signatures for Log Files

cd /var/log
md5 ltfilegt gt files.signed
(Results on next slide.)
What should happen to the cryptographic log
signature?

102
Cryptographic Signatures for Log Files

MD5 (DumpACL.bmp) 605a3a25509ae2544be6226d80f03f
88
MD5 (Google on 1.2.doc) 754ca03e3d9ebda8417a6077
ca6a0d01
MD5 (L0PHTAntiSniff.bmp) bf103290401593b6facd734
8af8e8176
MD5 (L0PHTCrack3init.jpg) 7ed453ee8e3dfb49109deb
48bc3e49ad
MD5 (LANguard01.bmp) 4a5b1d9ebb705a40d692e771bd3
008be
MD5 (LANguard02.bmp) 0d9e0bcac7996e5aebe194e99be
6be06
MD5 (LANguard03.bmp) 112069b54acf47e638987f02b77
bd3f3
MD5 (LANguard04.bmp) 2596984869bb792735c34ae8aa2
94ff2
MD5 (LANguard05.bmp) 2b662e5ef494a4bc7aff0b983a5
48d46
MD5 (LANguard06.bmp) c97ccaef49926c77fb2bc62c44f
06e9b
MD5 (NAISniffer.bmp) cf0e4cbd7569718e284a71f4a7b
30ef6
MD5 (SamSpade.bmp) fb918f4fceb8b6c97c97255583241
27a
MD5 (SamSpade2.bmp) 52c0d752b7dd4661466a9a011232
59cf
MD5 (SamSpade3.bmp) c49ecd049e47135b481166abbf67
ffb9
MD5 (inzider2.jpg) eb0fb6b0f8df47f7c63ba7b8d15eb
dfc
MD5 (md5.txt) d41d8cd98f00b204e9800998ecf8427e
MD5 (netstata.txt) 35642c009d287a329fb783b6ab1a9
fbd
MD5 (nmap.txt) d663bb68fbf4a215fb9daa30f33b0aba

103
Firewall Logs
104
Firewall Logs

Incredible amounts of information is available
from FW logs!
Napster_Sharing, 8888,"c\xxx old
drive\corel\suite8\movies\Currency.avi"
Napster_Sharing,8888,"c\xxx old drive\program
files\napster\incomplete\09_The Making of Brain
Salad Surgery.mp3"
Napster_Sharing,8888,"c\xxx old drive\program
files\napster\incomplete\Copy of Bob Dylan -Like
A Rolling Stone.mp3"
Napster_Sharing,8888,"c\xxx old drive\program
files\napster\incomplete\Tenacious D - With
Karate Ill Kick Your Ass.mp3"
Napster_Sharing,8888,"c\xxx old drive\program
files\napster\incomplete\TechnoSm_Trax_-_Got_the
_Groove.mp3"
Napster_Sharing,8888,"c\xxx old
drive\corel\suite8\movies\Currency.avi"
Napster_Sharing,8888,"c\xxx old drive\program
files\napster\incomplete\Copy of Bob Dylan -Like
A Rolling Stone.mp3"
Napster_Sharing,8888,"c\xxx old drive\program
files\napster\incomplete\Tenacious D - With
Karate Ill Kick Your Ass.mp3"

105
Honey Pots

PCs that wait for the hacker to connect.
Port connection detection
Shell Scripts that span small programs that
answer in a predefined manner on popular ports
typical of standard operating systems.
Operating system sensors
Psionic Port Sentry for Linux (Unix)
Windows operating system based connection

106
Honey pots?
107
Intrusion Detection Systems

PCs that monitor network traffic looking for
specific data packet patterns indicative of
harmful network traffic such as
Trojans hidden remote access programs.
Software viruses
E-mail subject and attachments types and content.
Suspicious FTP/TFTP transfers.
ssh and scp versions and session information.
Peer-to-Peer program login information.
Service scans or attacks of hackers.

108
Intrusion Detection Logging
109
Event Severity Levels

95 Informational/False Positives
Network-wide Port Scans
4 Warning
Per host scans - but no compromise
lt.1 Critical
Continuous attack from one IP address
lt.01 Emergency
Successful exploit of system

110
Intrusion Detection Systems

Long Term Database Queries
Packet databases against which SQL queries can
answer the question who issued a single ping in
the last six months not associated with any web,
e-mail, FTP or ssh connections?
This technique is predicated on a large database
comprised of suspicious packets
Can discover complex relationships over a number
of months
This is a method to discover the talented or
professional attackers!

111
Intrusion Detection Market
Network Associates 13
Axent 3
Others 10
L3 4
Internet Security Systems 71
Source IDC and ISS
112
Port Scans

nmap is the preferred tool along with fping
and hping.
Src Host Src Port Dst Host Dst Port Pcol Service
212.177.241.99 3486 137.190.3.212 143 TCP imap
212.177.241.99 3487 137.190.3.212 110 TCP pop3
212.177.241.99 3488 137.190.3.212 111 TCP 6/111/34
88
212.177.241.99 3489 137.190.3.212 6000 TCP x11
212.177.241.99 3490 137.190.3.212 79 TCP finger
212.177.241.99 3491 137.190.3.212 53 TCP dns
212.177.241.99 3492 137.190.3.212 31337 TCP 6/3133
7/3492
212.177.241.99 3493 137.190.3.212 2766 TCP 6/2766/
3493
212.177.241.99 3494 137.190.3.212 139 TCP netbios-
ssn
212.177.241.99 3495 137.190.3.212 25 TCP smtp
212.177.241.99 3496 137.190.3.212 21 TCP ftp
212.177.241.99 3497 137.190.3.212 22 TCP ssh
212.177.241.99 3498 137.190.3.212 1114 TCP 6/1114/
3498
212.177.241.99 3499 137.190.3.212 1 TCP 6/1/3499
212.177.241.99 3500 137.190.160.2 80 TCP http
212.177.241.99 3501 137.190.160.2 23 TCP telnet
212.177.241.99 3502 137.190.160.2 143 TCP imap

113
Intrusion Detection System Logs

Severity (icon), Time, Attack, Intruder, Count,
1, 02/12/01 145601, UDP port probe,
204.113.234.2, 6
1, 02/16/01 111100, DNS port probe,
213.69.97.66, 1
2, 02/23/01 110941, SNMP discovery broadcast,
WS10060926, 1
1, 02/25/01 201812, DNS port probe,
cr644852-a.rchrd1.on.wave.home.com, 2
2, 02/26/01 004330, SNMP discovery broadcast,
wsuidrive.weber.edu, 9
1, 02/26/01 112242, HTTP port probe,
204.113.234.2, 5
1, 02/28/01 110158, TCP port probe,
204.113.234.2, 127
2, 02/28/01 110223, TCP SYN flood,
204.113.234.2, 13
2, 02/28/01 110409, TCP port scan,
204.113.234.2, 59
1, 02/28/01 110409, TCP port scan,
204.113.234.2, 5531
1, 02/28/01 110412, UDP port probe,
204.113.234.2, 2
2, 02/28/01 110412, TCP OS fingerprint,
204.113.234.2, 6
1, 02/28/01 110412, TCP ACK ping,
204.113.234.2, 4
2, 02/28/01 110412, NMAP OS fingerprint,
204.113.234.2, 4
2, 03/06/01 164110, UDP port scan,
kappa.weber.edu, 1
1, 03/07/01 100000, DNS port probe,
integrex.colo.magmom.net, 1
1, 03/07/01 122300, FTP port probe,
cr330368-a.etob1.on.wave.home.com, 3
3, 03/14/01 134009, PPTP malformed,
pipeline1.weber.edu, 1

114
Gaining Access

Objective
To compile enough knowledge to choose an informed
hack/crack
Technique
Back doors, social engineering, buffer overflows,
promiscuous password grabs, hacks, etc.,
Tools
Telephone, war dialing, crack, Legion, pwdump2,
bind and LPR hacks, etc.,

115
Gaining Access

The NULL session. Microsofts master key to any
Windows box under WIN2K
Buffer overflows to known port services might do
it

116
Buffer Overflows

Diagram - typical buffer overflow

117
Mechanics of Buffer Overflows

Goal Exploit buffer overflow vulnerability to
perform malicious function on a target system.
Identify open port or local access is available
Test the input string types and boundaries
accepted by the program
Construct an input value that will perform the
malicious function when executing with the
programs privileges in the hosts programs space
Execute the program so that it jumps to
additional the malicious code

118
Buffer Overflows Fuel Network Based Worms

Recent worm attacks
L1on Linux worm
SQL Slammer
Ramen Linux Worm
Code Red worm for Windows
Nimda Windows worm

119
Windows Processes
120
Unix processes (ps ex or ps auwx)
121
Inzider2 What Your Mother Didnt Tell You

Attackers routinely bypass operating system
memory and process management to hide trojan
programs.
inzider2 does a brute force memory check for
processes. Its important for virus checkers to
look in memory for viruses and not just on disk.

122
Forensic Analysis of Packets

Hackers hidden? No, the evidence is on the
wire!
TCP, UDP, and ICMP packets hold numerous clues!
Sequence numbers
window size
target and source ports
IP addresses
flags and more offer an insight into your
attacker

123
Forensic Analysis of Packets

Lets try it! Whats going on in the following
capture? Polymorphic destination and timing.
2000/03/23 08 20 00 18 OUT 192.72.120.74
204.113.223.234 ping_resp none 10 1120
2000/03/23 07 36 32 18 OUT 192.72.120.74
204.113.34.112 ping_resp none 7 784
2000/03/23 08 31 51 18 OUT 192.72.120.74
204.113.79.122 ping_resp none 9 1008
2000/03/23 07 46 15 18 OUT 195.238.2.19
204.113.86.205 1/3/3 none 6 576
2000/03/23 07 40 48 18 OUT 195.238.2.19
204.113.81.71 1/3/3 none 2 224
2000/03/23 07 32 35 18 OUT 195.238.2.19
204.113.81.71 1/3/3 none 6 672
2000/03/23 07 50 43 18 OUT 195.238.2.19
204.113.58.18 1/3/3 none 2 224
2000/03/23 07 59 27 18 OUT 195.238.2.19
204.113.58.24 1/3/3 none 6 672
2000/03/23 08 07 28 18 OUT 195.238.2.19
204.113.58.24 1/3/3 none 6 672
2000/03/23 07 32 48 18 OUT 195.238.2.19
204.113.81.71 1/3/3 none 2 224
2000/03/23 07 50 23 18 OUT 195.238.2.19
204.113.58.18 1/3/3 none 4 448
2000/03/23 07 59 40 18 OUT 195.238.2.19
204.113.58.24 1/3/3 none 2 224

124
Polymorphism and Distracters

Polymorphic destinations, sources, and ports.
Whats an IDS to do?
2000/03/30 14 21 53 2 IN 192.41.60.38
204.113.124.89 6/13643/1971 1 40
2000/03/30 14 21 54 2 IN 209.252.122.37
204.113.169.21 6/65457/47868 1 40
2000/03/30 14 21 57 2 IN 130.49.68.73
204.113.230.81 6/20443/11946 1 40
2000/03/30 14 22 04 2 IN 145.101.193.19
204.113.147.45 6/64071/7698 1 40
2000/03/30 14 22 08 2 IN 209.252.122.37
204.113.144.80 6/56431/28396 1 40
2000/03/30 14 22 11 2 IN 209.252.122.37
204.113.119.121 6/11602/9082 1 40
2000/03/30 14 22 11 2 IN 208.28.236.81
204.113.110.4 6/23201/49700 1 40
2000/03/30 14 22 17 2 IN 192.41.60.38
204.113.112.82 6/59299/63684 1 40
2000/03/30 14 22 18 2 IN 199.183.9.105
204.113.234.88 6/43377/65316 1 40
2000/03/30 14 22 19 2 IN 199.183.9.105
204.113.230.106 6/59932/28865 1 40
2000/03/30 14 22 22 2 IN 209.252.122.37
204.113.202.17 6/19822/61999 1 40
2000/03/30 14 22 22 2 IN 209.247.108.212
204.113.205.71 6/46531/28491 1 40
2000/03/30 14 22 23 2 IN 208.28.236.81
204.113.253.118 6/65448/43557 1 40
2000/03/30 14 22 24 2 IN 194.47.143.229
204.113.43.81 6/64904/14091 1 40
2000/03/30 14 22 31 2 IN 204.113.53.34
204.113.63.255 netbios gm 5 1145
2000/03/30 14 22 34 2 IN 209.247.108.212
204.113.250.115 6/8463/38040 1 40

125
Escalating Privileges

Objective
If user access - elevate to system access.
Technique
Password cracking, known exploits. Buffer
overflows in known user level programs
Tools
L0PHTcrack, john, getadmin, sechole, lc_messages,
etc. Sendmail had numerous hacks to raise
privilege to root. Getadmin is a user level
program designed to raise an unprivileged user to
admin on Windows 95 and 98

126
Pilfering

Objective
Grab any interesting/profitable data on machine
Technique
Evaluate trusts, look for clear text passwords
Tools
cat, type, rhosts, search e-mail, LSA secrets,
user data, config files, and registry data.

127
Covering Tracks

Objective
Hide interlopers machine romp
Technique
Clear or modify logs, hide tools, install "root"
kits and trojans
Tools
zap, rm .log, B.O., SubSeven, NetBus, etc.,

128
Trojans

I want to come back and show the others in my
clan!
Trojans BackOrifice, NetBus, and SubSeven.
If you find a trojan make sure you understand
how it got there!

129
Covering Tracks

Generally, but not always, a malicious exit.
Crash the server.

130
Password Cracking

L0PHT Crack III (LC4)

131
Case Study Nimda Worm

Worm self-replicating malicious code
Discovered September 18, 2001
Derivative of Code Red worm (June 2001)
Affects all Windows platforms
Estimated 500 million downtime and clean up cost
in first 24 hours
Unique in its variety of propagation techniques

132
Intrusion Detection Hits on NIMDA
First sign - explosive TFTP activity.
133
Intrusion Detection Hits on NIMDA
Second sign, all the same File transferred!
Admin.dll
134
(No Transcript)
135
Nimda Lessons Learned

Mimics and automates attacker behavior
Threats are not confined to high profile targets
There is no silver bullet
Depth and diversity of defense is required
Strong methodology is only proven way to address
complex security challenges

136
Nimda Lessons Learned
Use patches to address vulnerabilities
Update policy to require hardening of servers and
desktops
137
References

Security Web Sites and Alerts Lists
http//nsi.org
http//www.cs.purdue.edu/coast/
http//www.telstra.com.au/info/security.html
http//www.nsi.org/Compsec.html
http//www.securityportal.com/
http//www.ntbugtraq.com/
http//www.icsa.net/
http//www.phrack.com/

138
References

Security Web Sites
http//www.2600.com/
http//www.securityfocus.com/
ftp//ftp.porcupine.org/pub/security/index.html
http//www.l0pht.com/
http//www.ibiblio.org/matusiak/bkmrk.html/

139
References

Security Vulnerabilitieshttp//xforce.iss.net/ht
tp//seclab.cs.ucdavis.edu/projects/vulnerabilitie
s/database/http//www.cerias.purdue.edu/coast/pr
ojects/vdb.htmlhttp//www.rootshell.com/

140
References

Security Toolshttp//packetstorm.securify.com/ft
p//ciac.llnl.gov/pub/ciac/sectools/unix/ftp//co
ast.cs.purdue.edu/pub/tools/ftp//ftp.cert.org/pu
b/tools/ftp//ftp.win.tue.nl/pub/security/ftp//
ftp.funet.fp/pub/unix/security/

141
References

Securing Wireless Ethernet
http//c\CISO_CDROM\Protecting 802.11b
Networks.txt

142
References

Encryptionhttp//www.gnupg.org/ - GNU Privacy
Guard (pgp replacement)http//www.openssl.org/ -
OpenSSL (Free SSL toolkit)http//www.pgpi.com/ -
PGP (International)http//www.pgp.com/ - PGP
(US)http//www.ssh.fi/ - SSH Communicaitons
http//net.lut.ac.uk/psst/ - psst - gnu's ssh
replacementhttp//www.ssleay.org/ - ssleay (use
OpenSSL now)

143
Resources

Conferences
http//www.sans.org/newlook/home.php
http//www.gocsi.com/wkshop.shtml/
http//www.nsa.gov/isso/programs/coeiae/index.htm
http//www.misti.com/
http//csrc.nist.gov/ATE/

144
References

Security Trends
http//c\CISO_CDROM\Hack Attacks Global
Concern.html
http//www.vnunet.com/News/1126993.html
http//C\CISO_CDROM\Managing the CyberThreat.htm
, Control Risks Group.
http//www.esat.kuleuven.ac.be/cosic/news-981028.h
tml
http//www.sans.org/, See http//C\CSO_CDROM\Thre
ats.htm

145
References

Security Trends
http//www.vectec.org/researchcenter/stats.html?ca
tegory9
http//www.securitysoftwaretech.com/antisniff/purp
ose.html
Software Description
http//c\CISO_CDROM\Software Description.html

146
References

Covert TCP Connections
http//c\CISO_CDROM\Covert.txt covert.tcp.tar
Firewall Information
http//www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.
html
Intrusion Detection Information
http//www.snort.org

147
References

Denial of Service
http//c\CISO_CDROM\DoS_trends.pdf
http//c\CISO_CDROM\grc.txt
http//media.grc.com8080/files/grcdos.pdf
http\\c\CISO_CDROM\DDoS //c\CISO_CDROM\E-mail
Log (raw).txt
http//www.silicondefense.com/software/snortsnarf/
SMTP Body Parts http//www.cis.ohio-state.edu/cgi
-bin/rfc/rfc821.html

148
References

Setting Security Standards
http//www.gcn.com/vol19_no6/news/1564-1.html
http//csrc.nist.gov/csrc/maillist.html
http//csrc.nist.gov/csrc/standards.html
http//csrc.nist.gov/publications/nistpubs/800-7/n
ode280.html (IEEE)
http//csrc.nist.gov/publications/nistpubs/800-7/n
ode278.html (CCIT)
http//csrc.nist.gov/publications/nistpubs/800-7/n
ode279.html (ECMA)

149
References

Threats
Known Exploits and Prevention
http//ist-it-true.org/pt,
http//hackersplayground,
http//packetstorm.widexs.nl/exploits20.shtml
http//astalavista.box.sk.

150
References

Daemon9, aka Route. "Project Neptune." (Phrack
48, Article 13, 1996)
Irwin, Vicki and Pomeranz, Hal. "Advanced
Intrusion Detection and Packet Filtering." (SANS
Network Security 99, 1999)
Newsham, Tim, and Ptacek, Tom. "Insertion,
Evasion, and Denial of Service Eluding Network
Intrusion Detection." (Secure Networks, Inc.,
1998)
Northcutt, Stephen. Network Intrusion Detection
An Analyst's Handbook. (Indianapolis, Indiana
New Riders, 1999)
Postel, Jon (ed.). "RFC 793 Transmission
Control Protocol. (Defense Advanced Research
Projects Agency, 1981)
Stevens, W. Richard. TCP/IP Illustrated, Volume
1 The Protocols. (Reading, Massachusetts
Addison-Wesley, 1994)

151
Windows O.S. Security How Tos

http//www.microsoft.com/technet/itsolutions/howto
/sechow.asp
Get help securing your corporate network with
these step-by-step How-To guides. Windows 2000
Professional

152
System Security in Windows 2000

Apply Predefined Security Templates in Windows
2000
Change the Policy Settings for a Certification
Authority (CA) in Windows 2000
Configure a Certificate Authority to Issue Smart
Card Certificates in Windows 2000
Configure a Domain EFS Recovery Policy in Windows
2000
Configure Certificate Trust Lists in Internet
Information Services 5.0
Configure Security for a Simple Network
Management Protocol Service in Windows 2000
Configure Windows 2000 Server to Notify You When
a Security Breach Is Being Attempted
Control Access to a Database on a Web Server in
Windows 2000
Create Automatic Certificate Requests with Group
Policy in Windows
Define Security Templates in the Security
Templates Snap-in in Windows 2000
Disable the Automatic L2TP/IPSec Policy
Enforce a Remote Access Security Policy in
Windows 2000

153
Windows 2000

Export Certificates in Windows 2000
Find and Clean Up Duplicate Security Identifiers
with Ntdsutil in Windows 2000
Get a Certificate Signed by an Off-Network Root
Authority in Windows 2000
Harden the TCP/IP Stack Against Denial of Service
Attacks in Windows 2000
Install a Smart Card Reader in Windows 2000
Keep Domain Group Policies from Applying to
Administrator Accounts and Selected Users in
Windows 2000
Prevent the Last Logged-On User Name from Being
Displayed in Windows 2000
Publish a Certificate Revocation List in Windows
2000
Use Group Policy to Apply Security Patches in
Windows 2000
Use IPSec Policy to Secure Terminal Services
Communications in Windows 2000
Use the Directory Services Store Tool to Add a
Non-Windows 2000 Certification Authority (CA) to
the PKI in Windows 2000
Back Up Your Encrypting File System Private Key
in Windows 2000

154
Windows 2000 Server

Configure a Primary Internet Authentication
Service Server on a Domain Controller
Configure Remote Access Client Account Lockout in
Windows 2000
Configure Security for Files and Folders on a
Network (Domain) in Windows 2000
Monitor for Unauthorized User Access in Windows
2000
Prevent Users From Changing a Password Except
When Required in Windows 2000
Prevent Users From Submitting Alternate Logon
Credentials in Windows 2000
Restore an Encrypting File System Private Key for
Encrypted Data Recovery in Windows 2000

155
Windows 2000 Server

Perform Security Planning for Internet
Information Services 5.0
Configure the Security for a Server That Uses
Microsoft NNTP Service in Windows 2000
Configure User and Group Access on an Intranet in
Windows NT 4.0 or Windows 2000
Provide Secure Point-to-Point Communications
Across the Internet in Windows 2000
Safely Connect Your Company to the Internet in
Windows 2000
Set SMTP Security Options in Windows 2000
Use IPSec Monitor in Windows 2000
Deploy
Enable SSL for All Customers Who Interact with
Your Web Site in Internet Information Services
View or Change Authentication Methods in IIS
Operate
View or Change Authentication Methods in IIS
Prevent Users from Accessing Unauthorized Web
Sites in ISA Server
Provide Internet Access Through a Firewall in
Internet Security and Acceleration Server
Add an Authorized Page Warning in Windows 2000

156
Windows 2000 Server

Configure IIS 5.0 Web Site Authentication in
Windows 2000
Install Imported Certificates on a Web Server in
Windows 2000
Prevent Mail Relay in the IIS 5.0 SMTP Server in
Windows 2000
Prevent Web Caching in Windows 2000
Secure XML Web Services with Secure Socket Layer
in Windows 2000
Set Secure NTFS Permissions on IIS 5.0 Log Files
and Virtual Directories in Windows 2000
Use Internet Protocol Security to Secure Network
Traffic Between Two Hosts in Windows 2000
Use NTFS Security to Protect a Web Page Running
on IIS 4.0 or 5.0

157
Windows XP

Access an EFI Partition in Windows XP 64-Bit
Edition
Audit User Access of Files, Folders, and Printers
in Windows XP
Change the Logon Window and the Shutdown
Preferences in Windows XP
Configure a Preshared Key for Use with Layer 2
Tunneling Protocol Connections in Windows XP
Create and Disable Administrative Shares on
Windows XP
Delegate Security for a Printer in Windows XP
Disable the Local Administrator Account in
Windows
Encrypt a File in Windows XP
Encrypt a Folder in Windows XP
Encrypt Offline Files to Secure Data in Windows
XP
Manage Stored User Names and Passwords on a
Computer in a Domain in Windows XP
Manage Stored User Names and Passwords on a
Computer That Is Not in a Domain in Windows XP
Prevent a User From Running or Stopping a
Scheduled Process in Windows XP
Remove File Encryption in Windows XP

158
Windows XP

Set Up a .NET Passport Account in Windows XP
Set WMI Namespace Security in Windows XP
Set, View, Change, or Remove File and Folder
Permissions in Windows XP
Set, View, Change, or Remove Special Permissions
for Files and Folders in Windows XP
Share Access to an Encrypted File in Windows XP
Turn On Remote Desktop Automatic Logon in Windows
XP
Use Cipher.exe to Overwrite Deleted Data in
Windows
Use the Autologon Feature in the Remote Desktop
Connection in Windows XP
Use the Group Policy Editor to Manage Local
Computer Policy in Windows XP
Use the Microsoft Personal Security Advisor Web
Site in Windows
Internet Security and Acceleration Server
Configure Logging in Internet Security and
Acceleration Server
Set Up and Allocate Bandwidth in ISA Server
Configure the ISA Server 2000 HTTP Redirector
Filter in Windows 2000
Enable Reporting in Internet Security and
Acceleration Server 2000
Filter ISA Server Web Proxy Cache Entries in
Windows 2000

159
Windows XP

Monitor Server Activity in Internet Security and
Acceleration Server 2000
Securely Publish Multiple Web Sites by Using ISA
Server in Windows 2000
Set Bandwidth Configuration in Microsoft Internet
Security and Acceleration Server

Write a Comment

User Comments (0)

About PowerShow.com

Networks and Security - PowerPoint PPT Presentation

Networks and Security

Networks and Security – PowerPoint PPT presentation