How and Why the Hackers Do It - PowerPoint PPT Presentation

About This Presentation
Title:

How and Why the Hackers Do It

Description:

As technologies evolve their capabilities must be explored on both sides ... Raise the security level to stop the amateurs. Use logs and examine logs. Train Employees ... – PowerPoint PPT presentation

Number of Views:90
Avg rating:3.0/5.0
Slides: 40
Provided by: johnmc1
Category:
Tags: amateurs | hackers


Transcript and Presenter's Notes

1
How and Why the Hackers Do It
  • TSM 352

2
Good Guys vs Bad Guys
  • New technologies provide new capabilities for
    both the trustworthy and the untrustworthy
  • As technologies evolve their capabilities must be
    explored on both sides
  • The good guys develop techniques for defending
    and the bad guys develop techniques for attacking
  • Then they both adjust to compensate for the other
  • We see this in all forms of crime: when
    fingerprinting was discovered, criminals started
    wearing gloves.

3
Know Thine Enemy
  • In order to develop techniques to fight crime,
    the good guys must understand the crimes and how
    they are perpetrated.
  • Learn hacking tools in order to learn how to
    defend against them
  • Some hacker tools are more complex than the
    defense.
  • Hackers continue to evolve their tools. There is
    no defense that is guaranteed against all future
    attacks. The only thing you can do is to adopt a
    solid defense strategy and NOT ASSUME you are
    safe.
  • Never become complacent; always watch for
    tell-tale signs.

4
A Hacker's Mecca
  • The Internet was developed in a trusting
    environment; it was never intended for the
    masses.
  • Obviously, that has changed because...
  • It became a way to generate a lot of revenue;
    whenever money is involved the masses will come
  • It has received a lot of publicity
  • Security is behind, because of:
  • Rapid deployment of the Internet
  • Lack of a governing body
  • The Legal profession is even further behind

5
Internet Security gets Attention
  • It's every man for himself, so the Internet
    criminal is living large.
  • This is all starting to change. The main reason
    is that Internet crime is hitting where it
    hurts: the pocketbook of global commerce.
  • Network administrators are learning about the
    threats and starting to make adjustments.
  • A whole new market niche is appearing for network
    and computer-security products as well as
    professionals.

6
Current Situation
  • Security has become a major issue; protocols are
    starting to evolve and new, more robust protocols
    are being developed.
  • Most systems are easy to break into
  • There are a tremendous number of vulnerabilities,
    as well as exploits for those vulnerabilities
    that are easy to get and easy to use
  • Companies don't realize they are being attacked
  • Companies don't report crimes for fear of
    embarrassment and lost reputation/business
  • Companies have no policies which can be
    incorporated into network security
  • Security through obscurity is still widely
    employed

7
Changes in the Wind
  • Security awareness is climbing
  • New defense techniques are emerging
  • The security professional of the next 5 years
    will look very good
  • There will be big money increases in security
    products and professionals over the next 5 years.
  • The network security specialist will become a
    profession
  • The hardest job of the security specialist will
    not be learning the technology; it will be
    convincing the CEOs to spend money on security.

8
What is the Minimum?
  • Invest in Prevention and Detection (in that
    order)
  • Close the biggest holes first
  • Raise the security level to stop the amateurs
  • Use logs and examine logs
  • Train Employees

9
Word of Caution
  • You will be learning to use a number of exploit
    tools in this course.
  • These tools should only be used in the lab
    environment, not on systems/networks for which
    you do not have approval.
  • As a side note, it is much easier to learn about
    an exploit in a controlled environment

10
What is an Exploit?
  • Gaining Access to a machine for which you do not
    have authorization
  • Setting up a system to provide/simplify such
    access
  • Taking a system offline
  • Desensitizing Sensitive information (dumpster
    diving)

11
The Attack Process
12
Overview of the Attack Process
  • Passive reconnaissance: listening/looking
  • Active reconnaissance: asking/probing
  • Exploiting
  • Gaining access through:
  • OS attacks
  • Application-level attacks
  • Scripts
  • Mis-configuration attacks
  • Elevating of privileges
  • Denial of Service
  • Uploading programs / downloading data
  • Keeping access
  • Backdoors
  • New accounts
  • Covering tracks

13
Passive Reconnaissance
  • Information Gathering
  • Company Web Sites
  • Whois
  • DNS Queries
  • Chat rooms and BBSs
  • Physical presence
  • Dumpster Diving
  • Sniffing

14
Passive Recon Defense
  • Do not underestimate the amount of information
    that can be acquired this way
  • The attacker does not really give clues to his
    investigation during passive recon
  • The only defense possible at this point is to
    hope that too much information is not available.
  • It is important that a company review what
    information is allowed to leak. This is one of
    the places where policy comes in.

15
Active Reconnaissance
  • Active Probing
  • ICMP Sweeps
  • Scanning
  • Port Scanning
  • OS Fingerprinting
  • Service software/version/patch level
    determination
  • Network mapping
  • This is the stage where the target can begin to
    react: since the attacker is actively probing,
    there will be signs. Therefore the target has his
    first evidence

16
Exploiting
  • Gaining access
  • Elevation of Privileges
  • Denial of Service (DoS)

17
Exploiting - Gaining Access
  • Operating System Attacks
  • Application-level attacks
  • Scripts and sample program attacks
  • Mis-configuration attacks
  • The Key to defense here is to minimize each of
    these weaknesses

18
Operating System Attacks
  • Default installs have too much enabled.
  • This is a convenience to the software provider:
    fewer calls to the help desk.
  • The user does a default install and everything is
    already up and running.
  • Even worse is when the user does an "install
    everything", which is probably the most common install.
  • With improved security awareness, admins at least
    are not taking the full install approach

19
Application-level Attacks
  • Take advantage of the absent or poor security found in most
    of today's application software.
  • Programmers are pressed to release working code.
    Until just recently, consumers were not concerned
    with the security of code, just whether it works.
  • The most common insecurity in a program is
    caused by failure to do two things:
  • Input filtering, to determine if information
    provided by the user is valid
  • Error checking, to avoid crashing
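
The two failures named above, side by side in a small constructed example (added here; not code from the slides). A hypothetical order form arrives as untrusted key/value pairs; the unsafe handler trusts the fields and lets exceptions escape, while the hardened handler allowlists each field's format, bounds-checks the value, and turns any failure into a controlled error response. The item-code format and quantity limit are assumptions for the example.

```python
import re

# Assumed formats for this example (not from the slides).
ITEM_CODE = re.compile(r"[A-Z]{3}-\d{4}")   # e.g. "ABC-1234"
DIGITS = re.compile(r"[0-9]+")              # ASCII digits only; rejects "-3", " 3", "abc"
MAX_QUANTITY = 1000                         # assumed business limit


class ValidationError(ValueError):
    """Raised for malformed or out-of-range input; the caller turns it into a 400."""


def parse_order_unsafe(form):
    """No input filtering and no error checking: the two failures the slide names.

    A negative quantity or a bogus item code is accepted as-is; a missing field
    raises KeyError and a non-numeric quantity raises ValueError, either of which
    crashes the request handler.
    """
    return {"item": form["item"], "quantity": int(form["quantity"])}


def parse_order(form):
    """Filter every untrusted field before it is used."""
    try:
        item = str(form["item"])
        quantity_raw = str(form["quantity"])
    except KeyError as exc:
        raise ValidationError(f"missing field: {exc.args[0]}") from None

    # Input filtering: allowlist the exact shape of each field.
    if not ITEM_CODE.fullmatch(item):
        raise ValidationError("item code has an invalid format")
    if not DIGITS.fullmatch(quantity_raw):
        raise ValidationError("quantity must be a positive integer")

    # Bounds check: the right type is not enough, the range matters too.
    quantity = int(quantity_raw)
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValidationError(f"quantity must be between 1 and {MAX_QUANTITY}")
    return {"item": item, "quantity": quantity}


def handle_request(form):
    """Error checking at the boundary: a bad request gets a 400, never a crash."""
    try:
        order = parse_order(form)
    except ValidationError as err:
        return 400, {"error": str(err)}
    return 200, order


if __name__ == "__main__":
    for sample in (
        {"item": "ABC-1234", "quantity": "3"},      # valid
        {"item": "ABC-1234", "quantity": "-3"},     # wrong range
        {"item": "../etc", "quantity": "3"},        # wrong format
        {"quantity": "3"},                          # missing field
    ):
        print(sample, "->", handle_request(sample))
```

The unsafe handler is kept only to make the contrast visible; in a real service every field that crosses the trust boundary goes through the filtering path, and the generic exception handler around the request is the last line of defence, not the first.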

20
Scripts and Sample Program Attacks
  • Scripts are used to perform minor tasks, some
    sort of setup or initialization for a program.
  • Sample files are often included on an install
    to provide an example for the user to work from.
    Web servers are notorious for this.
  • The scripts and sample files are more of an
    afterthought than a detailed programming
    endeavor. Therefore they almost never consider
    security.
  • A hacker can often use these scripts and sample
    files to help gain access to a system.
  • Obviously, a secure installation would remove all
    such scripts and files.

21
Misconfiguration Attacks
  • Service setup is often difficult
  • Admin may make several stabs at it before being
    successful.
  • Once working (for whatever reason), the admin is
    often off to another task rather than analyzing
    exactly what he has done, and even starting over
    to get it right.
  • Always remove any unneeded services or software;
    that way configuration of those items is not an
    issue
  • Adequately estimate your time to accomplish an
    install/configure. Ensure that you have been
    given adequate time.
  • Misconfiguration is often a result of users being
    in a hurry to have something up and working and
    pressuring the network admin to get it up.

22
Elevating Privileges
  • This is the technique of increasing your
    capabilities once access has been acquired.
  • Often, it is a user's account that is
    compromised. The idea is to elevate that user to
    a more capable account.

23
Denial of Service (DoS)
  • Often the last resort for a frustrated hacker
  • May be used directly to accomplish a couple of
    things
  • Take the system offline in order to pose as
    that system or perform an operation that the
    system wouldn't otherwise allow (if it were
    working properly)
  • Prevent the system from offering/accessing
    network services. This is often just a spite or
    vandal action, but could also be used by a
    competitor.
  • DoS attacks are difficult to prevent, but their impact
    can be reduced with proper techniques.

24
Uploading Programs
  • Means hacker-to-target transfer
  • Provides future access (keeping access)
  • Provides technique for gathering more information
    (like an installed sniffer that reports back to
    you)
  • Provides a platform to launch more attacks
    (locally or remotely)

25
Downloading Data
  • Means target-to-hacker transfer
  • This is the theft category.
  • Most often downloaded are password files
  • This allows the hacker to work offline

26
Covering Tracks
  • At this point the admin is starting to lose any
    chance of discovering the hacker's identity, or
    even the damage in many cases
  • Logging is the key to discovering hacker
    activity. It is one of the first things that a
    good hacker will disable.
  • Checksums are a good defense.
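
A constructed example of the checksum defence mentioned above (added here; not code from the slides): record a SHA-256 baseline of every file under a directory, then compare the live tree against it to list modified, removed and added files. The directory layout and file names are made up for the demonstration; the baseline must be kept somewhere the attacker cannot rewrite (off-box or read-only media), otherwise the same "covering tracks" step just rewrites the baseline too.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_baseline(root, baseline):
    """Report what changed between the stored baseline and the live tree."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Build a tiny constructed tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "var").mkdir()
        (root / "var" / "auth.log").write_text("accepted login for alice\n")

        baseline = build_baseline(root)
        # Round-trip through JSON: this is the form you would store off-box.
        baseline = json.loads(json.dumps(baseline))

        # Simulated tampering: replaced binary, emptied log, new config file.
        (root / "bin" / "login").write_bytes(b"replaced login binary\n")
        (root / "var" / "auth.log").write_text("")
        (root / "etc" / "extra.conf").write_text("x")

        return compare_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note what this catches and what it does not: a replaced binary or an emptied log file shows up as modified because the content hash changed, but a log that an attacker merely appended to would also show as modified, so for log files the useful comparison is usually "did it shrink or change in a region that was already written", which a content hash alone does not tell you.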

27
Types of Attacks
28
Session Hijacking
  • It is easier to sneak in as a legitimate user
    than to break in
  • Find an established session and take over it
    after user has gained access
  • Simple in idea, but complex in practice:
    extremely difficult over the Internet, a little
    easier on a LAN

29
Spoofing
  • The act of impersonating or assuming an identity
  • Could be at a number of levels: login, MAC
    address, IP address, even service or application
  • Used for exploiting trust relationships, which
    are often based on something the user has or
    knows. "Has" would be their IP address, for
    example. "Knows" would be their password or other
    key information. Spoofing is usually reserved for
    the "knows".

30
Relaying
  • Where an attacker relays or bounces his traffic
    through a third party's machine to disguise the
    attack.
  • This could be to indirectly attack the relay
    agent or simply to shield the attack on the end
    point.
  • Typical example is email relaying to avoid the
    true return address going in the email.

31
Viruses and Trojan Horses
  • Any program that has effects other than those
    expected by the end user is really a virus. A
    Trojan Horse is just a special case of a virus.
  • Trojan horses are probably the easiest and one of
    the most powerful exploits to use.
  • Requires the target to run a program on their machine;
    should be detected by AV software. Unfortunately,
    MOST users are quite stupid when it comes to
    this.
  • Client web software is a threat: Outlook
    Express, for example
  • Emphasizes the importance of running AV and
    keeping it current.

32
Sniffing
  • One of the most powerful hacking techniques
    available.
  • Limited to local traffic.
  • Encryption is the only defense for sniffing.
  • Sniffing Programs
  • Vary from extremely simple, to very advanced.
  • Most are also protocol analyzers and/or have
    specific purposes to sniff out a particular
    protocol, character string, or application. For
    example, there are password sniffers that
    simply look for passwords in the traffic.
  • The simplest sniffer merely captures the traffic
    bit for bit and puts it into a file. This file
    can then be later analyzed.
  • Sniffers work on the premise of putting the NIC into
    promiscuous mode. There are anti-sniff
    utilities available, but they do not absolutely
    identify a sniffer. Anti-sniffers generate
    traffic that a promiscuous-mode NIC will
    respond to when it shouldn't

33
Broadcasts
  • Limited to local networks.
  • However, it is possible with some misconfigured
    routers to use one of these types of attacks over
    the Internet.
  • The idea is to utilize the function of the
    broadcast address, an address to which all
    machines are supposed to respond.
  • ping
  • The attacker would couple this with a spoof of
    the return address, so that all the replies would
    go to the target machine: a type of DoS.
  • Most TCP/IP stacks today are set to not respond
    to a ping broadcast address. However, any
    broadcast must be at least processed by all
    machines. Therefore, any broadcast (layer 2 or
    layer 3) will cause some sort of resource usage.

34
Resource Sharing Attacks
  • For Windows, this is handled with the SMB (server
    message block) protocol. With Linux/Unix it is
    handled with NIS/NFS. The two OSs can share
    together if *nix runs Samba.
  • Includes printer sharing as well.
  • These file sharing vulnerabilities can be
    exploited over the Internet, but the firewall
    should definitely block those ports which lead to
    file sharing services (135-139 and 445 on
    Windows; 111, 513, 600x, etc. on Linux).
  • Normally vulnerable due to poor passwords or IP
    trust relationships

35
Remote Control
  • Remote control is just another term used to
    talk about Trojan Horses.
  • Remote control programs typically use
    non-standard ports, which means the firewalls
    will block most traffic. On the other hand, most
    remote control exploits allow the attacker to
    specify a port, and he can merely choose a port
    that the firewall has open.

36
Local Attacks
  • Shoulder Surfing
  • Unlocked terminals
  • Written passwords
  • Unplugging machines - DoS (either power or
    network)
  • Local logon

37
Offline Hacking
  • Hackers often do most of their work offline. As
    long as they are offline, there is no chance that
    their activities will be noticed. They can work
    on information and files they have gathered
    during their online time.
  • Cracking password files (very time consuming)
  • Cracking other encrypted files
  • Studying the results from information gathering

38
Social Engineering
  • Inference channel is a fancy term meaning that
    conclusions have been inferred from observations.
    The author gives a couple of examples, but basically
    it works like this: you combine what you observe
    with what you already know to come to
    conclusions.
  • Covert channel involves a trusted insider (a
    spy), who is providing the hacker with
    information, and/or access.

39
Three Basic Security Goals
  • Confidentiality: preventing disclosure of
    information
  • Integrity: preventing modifications of
    information
  • Availability: staying online