The current state of the Internet - PowerPoint PPT Presentation
Provided by: johnl58

Transcript and Presenter's Notes


1
The current state of the Internet
  • An unprotected computer on the Internet WILL BE
    EXPLOITED within 24 hours!
  • Richard Treece, ISS, 15 April 2002

2
Hacker Techniques
  • Find and attack the weakest link
  • Reconnaissance
  • Gain access to first machine
  • Use acquired access to gain further access

3
Disclaimer
  • Hacking is illegal!
  • Some actual organizations and computers are used
    in the examples, but only to provide realism
  • Do not hack the examples!

4
The Stages of a Network Intrusion
  • 1. Scan
  • IP addresses in use,
  • operating system in use,
  • open TCP or UDP ports
  • 2. Exploit
  • Denial of Service (DoS)
  • scripts against open ports
  • 3. Gain Root Privilege
  • Buffer Overflows
  • Get Root/Administrator Password
  • 4. Install Back Door
  • 5. Use IRC (Internet Relay Chat)

5
Reconnaissance
  • Public information
  • www
  • news postings
  • Network Scanning
  • Operating System Detection
  • War-dialing

6
Public Info: www.internic.net
  • Domain Name: GATECH.EDU
  • Registrant:
  • Georgia Institute of Technology, 258 4TH St,
    Atlanta, GA 30332
  • Contacts:
  • Administrative Contact: Herbert Baines III
  • GA Institute of Tech (GATECH-DOM), 258 4TH St.,
    Atlanta, GA 30332
  • (404) 894-0226, herbert.baines@oit.gatech.edu
  • Technical Contact: OIT, Georgia Tech, 258 Fourth
    Street, Atlanta, GA 30332
  • (404) 894-0226, hostmaster@gatech.edu
  • Name Servers:
  • TROLL-GW.GATECH.EDU 130.207.244.251
  • GATECH.EDU 130.207.244.244
  • NS1.USG.EDU 198.72.72.10

7
Public Information: news postings
  • Author: rajeshb
  • Date: 1998/12/07
  • Forum: comp.unix.solaris
  • author posting history
  • Hi,
  • Could someone tell me how to configure anonymous
    ftp for multiple IP addresses. Basically we are
    running virtual web servers on one server. We need
    to configure anonymous ftp for each virtual web
    account. I appreciate it if someone can help me as
    soon as possible. I know how to configure an
    anonymous ftp for single IP.
  • Thanks,
  • Rajesh.

8
Network Scanning
  • Identifies
  • accessible machines
  • servers (ports) on those machines

9
Network Scanning (contd)
  • nmap -t -v hack.me.com
  • 21 tcp ftp
  • 23 tcp telnet
  • 37 tcp time
  • 53 tcp domain
  • 70 tcp gopher
  • 79 tcp finger
  • 80 tcp http
  • 109 tcp pop-2
  • 110 tcp pop-3
  • 111 tcp sunrpc
  • 113 tcp auth
  • 143 tcp imap
  • 513 tcp login
  • 514 tcp shell
  • 635 tcp unknown

10
Operating System Detection
  • Stack fingerprinting
  • OS vendors often interpret specific RFC guidance
    differently when implementing their versions of the
    TCP/IP stack.
  • Probing for these differences gives an educated
    guess about the OS
  • e.g., FIN probe, Don't Fragment bit
  • nmap -O

11
War-dialing
  • Find the organization's modems
  • by calling all of its phone numbers
  • www.fbi.gov (202) 324-3000
  • Reverse Business Phone 202-324-3
  • All Listings
  • Government Offices-US
  • US Field Ofc 202-324-3000
  • 1900 Half St Sw
  • Washington, DC

12
The Stages of a Network Intrusion
  • 1. Scan
  • IP addresses in use,
  • operating system in use,
  • open TCP or UDP ports
  • 2. Exploit
  • Denial of Service (DoS)
  • scripts against open ports
  • 3. Gain Root Privilege
  • Buffer Overflows
  • Get Root/Administrator Password
  • 4. Install Back Door
  • 5. Use IRC (Internet Relay Chat)

13
Denial of Service (DOS) (Source: Chapter 14,
Network Intrusion Detection: An Analyst's
Handbook, Second Edition, Northcutt and Novak)
  • 1) SMURF: ICMP echoes
  • 2) ECHO-CHARGEN: UDP port 7 is echo, UDP port 19 is
    character generator.
  • Spoof a source address and the two victims pound
    each other
  • 3) TEARDROP: Send fragments with offset too small
  • source.40909 > target.3826: udp 28 (frag 242:36@0+)
  • source.40909 > target.3826: 28 (frag 242:4@24)
  • fragment ID 242 with 36 bytes of data
    starting at offset 0
  • fragment ID 242 with 4 bytes of data starting
    at offset 24
  • but this means we must back up from the 36 bytes
    already received to offset 24, where this goes.
  • The resulting negative length may look like a large
    positive number and the copy lands in other
    programs' sections of memory
  • If the intrusion detection system (IDS) does not
    support packet reassembly check,

14
Denial of Service (DOS)
  • 4) PING OF DEATH: On a Windows NT box type
    ping -l 65510. This creates a packet that, when
    reassembled, is larger than the max size of 65,535
    that is allowed. Causes system crash.
  • Max IP packet size allowed: 65535
  • ICMP echo has a pseudo header consisting of 8 bytes
    of ICMP header info
  • Next in the ICMP packet is the ping data that is sent
  • Maximum amount of data you can send is
    65535 - 20 (IP) - 8 (ICMP) = 65507
  • We sent 65510, which is too large
  • 5) LAND ATTACK: Source IP address/port equals
    destination IP address/port
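The teardrop, ping-of-death and LAND conditions on these two slides can all be caught by a small reassembly sanity check before an IDS or a host trusts a datagram. The C below is an added example, not code from the slides or from the Northcutt and Novak text; the names frag_add, ping_data_too_large, is_land_packet and the constants MAX_FRAGS and OUTBOUND-style limits are this example's own. It works in byte offsets as tcpdump prints them and flags (1) a fragment whose byte range overlaps data already received, the condition that produces the negative length described above, (2) a fragment that would push the IP total length past 65535, and (3) a packet whose source and destination address/port are identical.

```c
/* Added example (not from the slides): IP fragment and packet sanity checks.
 * Offsets and lengths are in bytes, as in tcpdump's "36@0"; the on-the-wire
 * fragment offset field counts 8-byte units, so multiply by 8 before calling. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_IP_DATAGRAM 65535u   /* largest IP total length (RFC 791) */
#define IP_HDR_MIN      20u      /* IP header without options */
#define ICMP_HDR_LEN    8u       /* ICMP echo header */
#define MAX_FRAGS       64       /* enough for a demo; a real IDS uses a tree */

enum frag_verdict { FRAG_OK = 0, FRAG_OVERLAP = 1, FRAG_OVERSIZE = 2, FRAG_TOO_MANY = 3 };

struct frag_state {
    uint16_t id;                 /* IP identification shared by all fragments */
    size_t   n;
    uint32_t start[MAX_FRAGS];   /* byte range [start, end) of each fragment seen */
    uint32_t end[MAX_FRAGS];
};

void frag_state_init(struct frag_state *s, uint16_t id) {
    s->id = id;
    s->n = 0;
}

/* Record one fragment of datagram s and say whether it is sane.  Overlap with
 * data already received is the teardrop signature; a payload that would push
 * the IP total length past 65535 is the ping-of-death signature. */
enum frag_verdict frag_add(struct frag_state *s, uint32_t offset, uint32_t len) {
    uint32_t end = offset + len;
    if ((uint64_t)offset + len + IP_HDR_MIN > MAX_IP_DATAGRAM)
        return FRAG_OVERSIZE;
    for (size_t i = 0; i < s->n; i++) {
        if (offset < s->end[i] && end > s->start[i])
            return FRAG_OVERLAP;   /* e.g. 4@24 arriving after 36@0 */
    }
    if (s->n == MAX_FRAGS)
        return FRAG_TOO_MANY;
    s->start[s->n] = offset;
    s->end[s->n] = end;
    s->n++;
    return FRAG_OK;
}

/* Ping of death: ICMP data + 8-byte ICMP header + 20-byte IP header must fit in 65535. */
bool ping_data_too_large(uint32_t icmp_data_len) {
    return (uint64_t)icmp_data_len + ICMP_HDR_LEN + IP_HDR_MIN > MAX_IP_DATAGRAM;
}

/* LAND: source and destination address/port identical. */
bool is_land_packet(uint32_t src_ip, uint16_t src_port, uint32_t dst_ip, uint16_t dst_port) {
    return src_ip == dst_ip && src_port == dst_port;
}

int main(void) {
    struct frag_state s;
    frag_state_init(&s, 242);
    /* the slide's teardrop trace: frag 242, 36@0 followed by 4@24 */
    printf("frag 36@0 -> %d (0 = ok)\n", frag_add(&s, 0, 36));
    printf("frag 4@24 -> %d (1 = overlap)\n", frag_add(&s, 24, 4));
    printf("ping -l 65510 too large: %d\n", ping_data_too_large(65510));
    printf("ping -l 65507 too large: %d\n", ping_data_too_large(65507));
    return 0;
}
```

Each fragment on its own looks harmless, which is why an IDS that skips the reassembly step misses the attack; the check has to be made on the accumulated state of the datagram, not on the individual packet.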
15
Denial of Service (DOS)
  • 6) NMAP: Scans looking for open ports. You may
    download it from www.insecure.org
  • Can crash unpatched systems
  • Can use many modes
  • Vanilla TCP connect scanning
  • TCP SYN (half-open) scanning
  • TCP FIN, xmas, or null (stealth) scanning
  • TCP ftp proxy (bounce attack) scanning (uses ftp
    port 20 to connect even though not established by
    connection to port 21 as is normal procedure)
  • SYN/FIN scanning using IP fragments
  • UDP raw ICMP port unreachable scanning
  • ICMP scanning (ping-sweep)
  • TCP ping scanning
  • Remote OS identification by TCP/IP fingerprinting

16
Distributed Denial of Service (DDOS)
  • Client: machine used to coordinate the attack
  • Master or Handler: controls subservient
    computers
  • Agents or Daemons: actually do the attack
  • 1) TRINOO: Sends UDP floods to random destination
    port numbers on the victim
  • 2) TFN: Sends UDP flood, TCP SYN flood, ICMP echo
    flood, or a SMURF attack
  • Master communicates to daemon using ICMP echo
    reply; changes the IP identification number and
    payload of the ICMP echo reply to identify the
    type of attack to launch.
  • 3) TFN2k: First DDOS for Windows.
    Communication between master and agents
    can be encrypted over TCP, UDP, or ICMP with no
    identifying ports
  • 4) STACHELDRAHT: Combination of Trinoo and
    TFN
  • If you are a DDOS victim, at present there is very
    little you can do about it!!!

17
The Stages of a Network Intrusion
  • 1. Scan
  • IP addresses in use,
  • operating system in use,
  • open TCP or UDP ports
  • 2. Exploit
  • Denial of Service (DoS)
  • scripts against open ports
  • 3. Gain Root Privilege
  • Buffer Overflows
  • Get Root/Administrator Password
  • 4. Install Back Door
  • 5. Use IRC (Internet Relay Chat)

18
The Holy Grail
  • Hackers seek superuser/root privilege (SUID) on
    the machine they are exploiting
  • With SUID privilege, they own the machine
  • They can use the resources available for their
    own purposes (e.g., crack passwords) or destroy
    data on the machine

19
Gaining SUID privilege
  • 1. Easiest way: trying default manufacturer
    password settings
  • 2. Next easiest: social engineering
  • Impersonate tech support
  • Hide trojan software inside free games,
    screensavers, etc. (e.g., Anna Kournikova)
  • 3. More difficult: buffer overflow attack
  • Must be a skilled programmer

20
Gain access to first machine
  • Configuration errors
  • System-software errors

21
Configuration errors: NFS
  • showmount -e hack.me.com
  • export list for hack.me.com:
  • /home (everyone)

22
Config errors: anonymous ftp (1)
  • ftp hack.me.com
  • Connected to hack.me.com.
  • 220 xyz FTP server (SunOS) ready.
  • Name (hack.me.com:jjyuill): anonymous
  • 331 Guest login ok, send ident as password.
  • Password:
  • 230 Guest login ok, access restrictions apply.
  • ftp> get /etc/passwd
  • /etc/passwd: Permission denied
  • ftp> cd ../etc
  • 250 CWD command successful.
  • ftp> ls
  • 200 PORT command successful.
  • 150 ASCII data connection for /bin/ls
    (152.1.75.170,32871) (0 bytes).
  • 226 ASCII Transfer complete.

23
Config errors: anonymous ftp (2)
  • ftp> get passwd
  • 200 PORT command successful.
  • 150 ASCII data connection for passwd
    (152.1.75.170,32872) (23608 bytes).
  • 226 ASCII Transfer complete.
  • local: passwd remote: passwd
  • 23962 bytes received in 0.14 seconds (1.7e02
    Kbytes/s)
  • ftp> quit
  • 221 Goodbye.

24
Config errors: anonymous ftp (3)
  • less passwd
  • sam:0Ke0ioGWcUIFg:100:10:NetAdm:/home/sam:/bin/csh
  • bob:m4ydEoLScDlqg:101:10:bob:/home/bob:/bin/csh
  • chris:iOD0dwTBKkeJw:102:10:chris:/home/chris:/bin/csh
  • sue:A981GnNzq.AfE:103:10:sue:/home/sue:/bin/csh
  • Crack passwd
  • Guessed sam: sam
  • Guessed sue: hawaii

25
System-software errors: imapd (1)
  • imapd buffer-overflow
  • telnet hack.me.com 143
  • Trying hack.me.com...
  • Connected to hack.me.com.
  • Escape character is '^]'.
  • * OK hack.me.com IMAP4rev1 v10.205 server ready
  • AUTHKERBEROS

26
System-software errors: imapd (2)
  • sizeof(mechanism) = 2048
  • sizeof(tmp) = 256
  • char *mail_auth (char *mechanism,
    authresponse_t resp, int argc, char *argv[])
  • char tmp[MAILTMPLEN];
  • AUTHENTICATOR *auth;
  • /* make upper case copy of mechanism name */
  • ucase (strcpy (tmp, mechanism));
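The defect on this slide is the unbounded strcpy() of a 2048-byte, client-controlled mechanism name into a 256-byte stack buffer. As an added example, not the imapd source, here is that pattern beside a bounded replacement that refuses a name that does not fit instead of truncating it silently. The buffer sizes are the slide's (256 and 2048); the function names copy_mechanism_upper and auth_lookup, the helper ucase, and the two-entry mechanism table are assumptions made for this illustration.

```c
/* Added example (not imapd code): bounded handling of an untrusted
 * mechanism name.  TMP_LEN and MECH_LEN are the sizes given on the slide. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TMP_LEN  256    /* sizeof(tmp) on the slide */
#define MECH_LEN 2048   /* sizeof(mechanism) on the slide */

/* Vulnerable pattern from the slide, for contrast only:
 *
 *     char tmp[TMP_LEN];
 *     ucase (strcpy (tmp, mechanism));   // copies strlen(mechanism) bytes,
 *                                        // up to 2047, into a 256-byte buffer
 *
 * Anything past TMP_LEN-1 bytes overwrites whatever follows tmp on the stack. */

/* Bounded replacement: copy at most dst_len-1 bytes, upper-casing on the way,
 * and reject a name that does not fit. */
bool copy_mechanism_upper(char *dst, size_t dst_len, const char *mechanism) {
    size_t n = strlen(mechanism);
    if (dst_len == 0 || n >= dst_len)
        return false;                      /* too long: refuse, do not truncate */
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)toupper((unsigned char)mechanism[i]);
    dst[n] = '\0';
    return true;
}

/* Simplified stand-in for the slide's mail_auth(): look the upper-cased name
 * up in a fixed table.  Returns the table index, -1 if unknown, -2 if the
 * name was too long to handle safely. */
int auth_lookup(const char *mechanism) {
    static const char *const known[] = { "KERBEROS", "LOGIN" };   /* constructed table */
    char tmp[TMP_LEN];
    if (!copy_mechanism_upper(tmp, sizeof tmp, mechanism))
        return -2;
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(tmp, known[i]) == 0)
            return (int)i;
    return -1;
}

int main(void) {
    char big[MECH_LEN];
    memset(big, 'A', MECH_LEN - 1);
    big[MECH_LEN - 1] = '\0';             /* constructed 2047-byte mechanism name */
    printf("kerberos -> %d\n", auth_lookup("kerberos"));
    printf("plain    -> %d\n", auth_lookup("plain"));
    printf("2047 x A -> %d (rejected; would have overflowed tmp)\n", auth_lookup(big));
    return 0;
}
```

The length check happens before any byte is written, so the over-long name never reaches the stack buffer at all; an oversized mechanism name is also a useful thing to log, since no legitimate client sends one.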

27
Get further access (1)
  • If user access, try to gain root
  • usually via a bug in a command which runs as root
  • e.g. lprm for RedHat 4.2 (4/20/98)
  • Run crack on /etc/passwd
  • users often have the same password on multiple
    machines

28
Get further access (2)
  • Exploit misconfigured file permissions in a user's
    home directory
  • e.g. echo .rhosts
  • Format of entries: host user
  • If root, install rootkits
  • Trojans, backdoors, sniffers, log cleaners
  • Packet sniffing
  • ftp and telnet passwords
  • e-mail
  • Lotus Notes
  • Log cleaners
  • Start with syslog.conf, edit log files, wzap the
    wtmp file
  • Edit shell history file (or disable shell history)

29
The Stages of a Network Intrusion
  • 1. Scan
  • IP addresses in use,
  • operating system in use,
  • open TCP or UDP ports
  • 2. Exploit
  • Denial of Service (DoS)
  • scripts against open ports
  • 3. Gain Root Privilege
  • Buffer Overflows
  • Get Root/Administrator Password
  • 4. Install Back Door
  • 5. Use IRC (Internet Relay Chat)

30
Back Doors
  • 1. Allows hackers to come back at their leisure.
  • 2. Can exist at application level
  • Back Orifice
  • 3. Can exist at system level
  • Replace DLLs on an NT system
  • Replace functions in Linux/Unix, e.g. login, ps,
    etc.
  • 4. Can exist at root level
  • Most difficult to detect
  • 5. Some root kits increase the security of a
    system and are used by network administrators on
    their own systems!

31
Packet Sniffing
32
Sniffing Captured Passwords
  Source IP.port      -> Destination IP.port   Field     Value
  333.22.112.11.3903  -> 333.22.111.15.23      login     root
  333.22.112.11.3903  -> 333.22.111.15.23      password  sysadm1
  333.22.112.11.3710  -> 333.22.111.16.23      login     root
  333.22.112.11.3710  -> 333.22.111.16.23      password  sysadm1
  333.22.112.91.1075  -> 333.22.112.94.23      login     lester
  333.22.112.91.1075  -> 333.22.112.94.23      password  l2rz721
  333.22.112.64.1700  -> 444.333.228.48.23     login     rcsproul
  333.22.112.64.1700  -> 444.333.228.48.23     password  truck
33
The Stages of a Network Intrusion
  • 1. Scan
  • IP addresses in use,
  • operating system in use,
  • open TCP or UDP ports
  • 2. Exploit
  • Denial of Service (DoS)
  • scripts against open ports
  • 3. Gain Root Privilege
  • Buffer Overflows
  • Get Root/Administrator Password
  • 4. Install Back Door
  • 5. Use IRC (Internet Relay Chat)

34
Internet Relay Chat
  • Some hackers, when they exploit a system,
    announce it to the hacker community.
  • This is normally done by script kiddies as
    bragging rights.
  • A sophisticated hacker on the other hand, will
    most likely cover his/her tracks so that you will
    never know that they got into your systems.

35
Hacker Resources
  • Web sites with hacker tools
  • Kevin Kotas favorite sites
  • http://technotronic.com/
  • http://security.pine.nl/
  • http://astalavista.box.sk/
  • http://Freshmeat.net/
  • http://www.rootshell.com
  • http://oliver.efri.hr/crv/security/bugs/list.html
  • http://www.phrack.com/
  • http://www.securityfocus.com/
  • click on forums, then bugtraq
  • http://main.succeed.net/kill9/hack/tools/trojans/
  • IRC
  • hacker

36-40
(No Transcript)
41
Hacker Techniques
  • Find and attack the weakest link
  • Reconnaissance
  • Gain access to first machine,
  • Use acquired access to gain further access

42
How to protect your computer
  • Make sure your software is current and up to date
    (i.e. all current patches are installed)
  • Run firewall software
  • http://www.zonealarm.com
  • Run a hardware firewall
  • Run intrusion detection software
  • SNORT: http://www.snort.org
  • Run Tripwire (change tracking software)
  • http://www.tripwire.com

43
Honeynets
44
Honeypots
  • A security resource whose value lies in being
    probed, attacked or compromised.
  • Has no production value; anything going to or
    from a honeypot is likely a probe, attack or
    compromise.

45
Advantages / Disadvantages
  • Advantages
  • Reduce false negatives and false positives
  • Collect little data, but data of high value
  • Minimal resources
  • Conceptually simple
  • Disadvantages
  • Single point of failure
  • Risk

46
What is a Honeynet
  • High-interaction honeypot
  • Used primarily to learn about the bad guys.
  • Network of production systems.
  • Once compromised, the data collected is used to
    learn the tools, tactics, and motives of the
    blackhat community.

47
How it works
  • A highly controlled network where every packet
    entering or leaving is monitored, captured, and
    analyzed.
  • Any traffic entering or leaving the Honeynet is
    suspect by nature.

http://project.honeynet.org/papers/honeynet/
48
(No Transcript)
49
Risk
  • Honeynets are highly complex, requiring extensive
    resources and manpower to properly maintain.
  • Honeynets are a high-risk technology. As a
    high-interaction honeypot, they can be used to attack
    or harm other non-Honeynet systems.

50
Legal Issues
  • Privacy
  • Entrapment
  • Liability

51
Privacy
  • No single statute concerning privacy
  • Electronic Communication Privacy Act (18 USC
    2701-11)
  • Federal Wiretap Statute (Title III, 18 USC
    2510-22)
  • The Pen/Trap Statute (18 USC 3121-27)

52
Entrapment
  • Used only by defendant to avoid conviction.
  • Cannot be held criminally liable for
    entrapment.
  • Applies only to law enforcement
  • Even then, most legal authorities consider
    Honeynets non-entrapment.

53
Upstream liability
  • Any organization may be liable if a Honeynet
    system is used to attack or damage other
    non-Honeynet systems.
  • Decided at state level, not federal
  • Civil issue, not criminal
  • This is why the Honeynet Project focuses so much
    attention on Data Control.
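The two honeynet principles the slides describe, data capture (any packet entering or leaving the honeynet is suspect by nature) and data control (a compromised honeypot must not become a platform for attacking third parties, which is the upstream-liability point above), can be expressed as a flow classifier. The C below is an added example and not Honeynet Project code; the honeynet prefix 192.0.2.0/24 (an RFC 5737 documentation range), the per-host OUTBOUND_BUDGET, the function names and the sample connection records are all constructed for this illustration.

```c
/* Added example (not Honeynet Project code): classify a connection record
 * against a honeynet address range.  Data capture: nothing legitimate ever
 * talks to a honeypot, so any inbound flow is an alert.  Data control: a
 * compromised honeypot may reach out a few times (so the intruder's tools
 * and tactics can be observed) but is cut off before it can do damage. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HONEYNET_NET    0xC0000200u   /* 192.0.2.0 (constructed) */
#define HONEYNET_MASK   0xFFFFFF00u   /* /24 */
#define OUTBOUND_BUDGET 5             /* outbound connections allowed per honeypot (assumed) */

enum flow_class {
    FLOW_IGNORE,            /* neither endpoint in the honeynet */
    FLOW_INBOUND_SUSPECT,   /* someone found the honeypot: probe or attack */
    FLOW_OUTBOUND_ALLOWED,  /* honeypot reaching out, within budget: log it */
    FLOW_OUTBOUND_BLOCKED   /* budget exhausted: drop, protect third parties */
};

struct flow { uint32_t src, dst; uint16_t sport, dport; };

/* Per-honeypot outbound counters, indexed by the host octet of the /24. */
struct data_control { int outbound[256]; };

uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

bool in_honeynet(uint32_t ip) {
    return (ip & HONEYNET_MASK) == HONEYNET_NET;
}

enum flow_class classify_flow(struct data_control *dc, const struct flow *f) {
    bool src_in = in_honeynet(f->src), dst_in = in_honeynet(f->dst);
    if (!src_in && !dst_in)
        return FLOW_IGNORE;
    if (!src_in)                       /* outside -> honeypot */
        return FLOW_INBOUND_SUSPECT;
    if (dst_in)                        /* honeypot -> honeypot: lateral movement */
        return FLOW_INBOUND_SUSPECT;
    /* honeypot -> outside: apply data control */
    int *count = &dc->outbound[f->src & 0xFF];
    if (*count >= OUTBOUND_BUDGET)
        return FLOW_OUTBOUND_BLOCKED;
    (*count)++;
    return FLOW_OUTBOUND_ALLOWED;
}

int main(void) {
    struct data_control dc = {{0}};
    /* constructed records: a telnet probe in, then the honeypot trying to reach an IRC port */
    struct flow probe = { .src = ip4(198, 51, 100, 7), .dst = ip4(192, 0, 2, 10), .sport = 40000, .dport = 23 };
    struct flow irc   = { .src = ip4(192, 0, 2, 10),   .dst = ip4(198, 51, 100, 7), .sport = 1025,  .dport = 6667 };
    printf("probe -> %d (1 = inbound suspect)\n", classify_flow(&dc, &probe));
    for (int i = 0; i < OUTBOUND_BUDGET + 1; i++)
        printf("outbound %d -> %d (2 = allowed, 3 = blocked)\n", i + 1, classify_flow(&dc, &irc));
    return 0;
}
```

Allowing a small number of outbound connections before blocking is the trade-off the Risk slide describes: enough activity to learn the intruder's tactics, not enough for the honeypot to be usable against someone else.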