Adversarial Threats to Your Information System

About This Presentation

Title:

Adversarial Threats to Your Information System

Description:

... USE YOUR WORK OR BUSINESS ACCOUNT TO DOWNLOAD THE TOOLS OR SURF THE HACKER SITES! ... Tools like Nmap allow us to inventory open ports in a variety of ways. ... – PowerPoint PPT presentation

Number of Views:486

Avg rating:3.0/5.0

Slides: 173

Provided by: ecs4

Category:

more less

Transcript and Presenter's Notes

Title: Adversarial Threats to Your Information System

1
Adversarial Threats to Your Information System

Dr. Leonard Popyack
Syracuse University
2002

Popyack_at_rl.af.mil
2
A malicious hacker or adversary has many items
working in his favor. What are some of the
threats he poses to you and your information
systems? You may be surprised at how many of
these threats are controllable by your INFOSEC
team. This seminar takes the perspective of an
adversary and shows some immediate and long term
remedies for each threat. In some cases there is
no easy solution, but it is important for you to
recognize these threats. We will explore all
phases of an attack and show how wireless LANs
play a part in these attacks.
3
Stages of An Attack

Target Selection
Reconnaissance
Penetration
Internal operations, Keeping the connection

4
Overview

Reconnaissance
Scanning
War dialers War Driving
Port scanning and mapping
Firewall filters and Firewalk
Vulnerability Scanners

5
Overview

Exploit the System
Gaining Access
Denial Of Service (DOS) tools
Application level Attacks
Keeping Access
BO2K
Rootkits
Knark
Covert Channels Backdoors

6
Purpose

The purpose of this lecture is to understand
certain attack methods ... ...so we can implement
effective defense strategies
We must protect our systems
How can we create effective defenses?
That's the real reason we're here
Why these look at these tools techniques?
Because they are in widespread use right now
They provide us fundamental information about the
principles the attackers are employing.
They illustrate what we need to do to defend
ourselves
Some of them are pretty Kewl! Some are VERY
NASTY!

7
Note!

Individual tools may run on UNIX or Windows...
We will cover attack concepts that can be applied
against Windows NT, UNIX, or other platforms
(Novell, VAX, MVS, etc.)
I've included links to tools -- Use at your own
risk!
They could harm your network in unexpected ways
Review the source code... Is this legit?
Experiment on a test network, separated from
production and office or campus systems. This is
not hard to do!
Also, DONT USE YOUR WORK OR BUSINESS ACCOUNT TO
DOWNLOAD THE TOOLS OR SURF THE HACKER SITES! Why?

8
General Trends of Exploits

What are we seeing in the wild?
Hacker tools are getting easier to use and more
easily distributed
The rise of Hacker groups as distribution houses
for software
The LOpht and Cult of the Dead Cow
High-quality, extremely functional hacker tools
Better quality than from some major software
houses

9
General Trends

Excellent communication through the computer
underground to Chat, web, informal grouping, and
hacker Computer and Network Conferences
With the rise of these hacker groups, a lot more
information about security is available to the
general public. The less-informed attackers
(often called "script kiddies" or "ankle biters")
will use this information in attacks. We must use
this information to defend ourselves. I've
included several references at the to help you
stay informed.

10
General Trends

Used to be many different types of systems out
there (the computer room)
Now, we have a smaller number of systems types
(Windows, Linux, MacOS, SunOS, FreeBSD, Palm,
etc)
They are distributed everywhere!
Less experience users and administrators
One virus or attack can jeopardize vast number of
systems (Morris worm, Melissa Virus, I LOVE YOU,
Nimda)
Home Laboratories are easy and inexpensive to set
up for the hacker!

11
NEVER

UNDERESTIMATE
YOUR
ADVERSARY!!!

12
Your Adversaries Advantages

He can use multiple sources for his attack
His attack can be timed to be inconvenient for
you (Friday before a 3-day holiday, Christmas
Eve, During your company picnic,)
He has the ability to corral greater media
attention
Increased sense of hero complex when a hacker
brings down a large company.

13
Two Attack Forms

Zero-Knowledge Attack
No knowledge from the inside of your organization
is know before the attempt is made to target your
company (your assets, intellectual property,
finances, or other)

Knowledgeable, perhaps by use of an inside, or
from an insider
An inside, either implanted or home grown has
decided to gather information to be used for
targeting your organization.

14
Reconnaissance
15
Reconnaissance

An attacker will gather as much information as he
can about you, your company, your people, your
computers, your network, and your physical
security.
Your network
You may not know it, but there is already much
information about you out there.
An adversary will use all data mining possible.

Reconnaissance
16
Open information

American Registry for Internet Numbers
Who owns particular IP address (Whois)
(http//www.arin.net/whois/arinwhois.html)
DNS Interrogation (use nslookup)
Targets own web site (crawl it a lot of info
can be gathered by crawling names, e-mail
address, phone numbers, branches of the
organization, trusted relationships)
programs Websnake, Webzip, curl
Search Engines, web searches
can show trusted relations (for example, you may
show up on a customer list, your web designer may
use you as a reference)

Reconnaissance
17
(No Transcript)
18
(No Transcript)
19
(No Transcript)
20
(No Transcript)
21
(No Transcript)
22
(No Transcript)
23
Open Information

Usenet news postings (Deja.com) GOOGLE
FlippingRelated pages which link use
altavista, and search for linkwww.target.com
(Hotbot linkdomainwww.target.com)
Example on altavista, linkcisco.com AND
titleresume if you are looking for resumes of
cisco engineers.

Reconnaissance
24
Open Information

X-Raying finding areas in a company web page not
normally accessible. How? In Altavista, host or
url followed by keywords or names.
Example hostlucent.com and business
development

Reconnaissance
25
Open Information

Peeling many times there is more information
embedded within really long URLs. Peel off some
of the junk and look for web addresses or
secondary addresses, and unique areas.
Example http//www.lucent.com/web1.lucent.com/re
sumes/kramerz.html
http//anon.free.anonymizer.com/http//www.snowmap
s.com

Reconnaissance
26
Open Information

Anchor Searches Anchor labels may be informative
in searching for targets.
Example You can search the anchors by using a
search engine and using anchor view resumes
Harvesting pick out and use keywords in related
documents then use meta search engines (like
alltheweb.com, mamma.com, dogpile.com)

Reconnaissance
27
Open Information

Peer searches once you find specific information
or specific people, conduct peer searches using
the Meta search engines.
Example Jon Doe bank manager doej_at_bank.com
use dogpile and look for all other references to
doej_at_bank.com
Might turn up doej is into drag racing and a
common dialog could be established.

Reconnaissance
28
Open Information

Open a phony e-mail account. Send e-mail to
insiders. (The return e-mail headers can tell
you loads of info about the inside systems!)
DATA-MINING!!!! Company, people, trusted
relationships, mailing lists
Capability to connect to company DNS server (pull
down all registered domains at a site!)

Reconnaissance
29
Scanning

finding weak points

30
WAR Dialing

Named for the dialer in the movie Wargames
An attacker is trying to find a backdoor into
your network. A modem which is used for remote
access.
This might be the easiest point of penetration!
The telephone numbers gathered in the recon phase
are a good starting point!
Phreaking is looking for voice back doors,
whereas hacking is looking for network access
backdoors.

Scanning
31
WAR Dialing

War dialers dial a sequence of telephone numbers
attempting to locate modem carriers or a
secondary dial tone
demon Dialers is another name
Phone Numbers come from
Phone book, InterNIC data, WebCrawl, mailing
lists, newsgroups, social engineering I am from
the phone company and I need to verify what
numbers you folks are using for data lines

Scanning WAR Dialers
32
WAR Dialer Software

The Hackers Choice 2.0
A-DIAL (Auto Dial) by VeXaTiOn, 1995
Deluxe Fone-Code Hacker by The Sorceress KHAIAH
1985
Dialing Demon version 1.05 by Tracy McKibben 1988
Doo Tools version 1.10, by Phantom Photon 1991
PBX Scanner Version 5.0, by Great White 1989
SuperDialer 1.03 by Evan Anderson 1990
ToneLoc 1.10 by Minor Threat Mucho Maas 1994
X-DialerR by ICiKl 1996
Z-Hacker 3.21, by BIackBeard 1991

Scanning WAR Dialers
33
The Hackers Choice 2.0

THC-Scan 2.0 The Hacker's Choice (THC)
Written by Van Hauser released 12/98
Essentially an updated to the very venerable
ToneLoc (by Mucho Maas and Minor Threat, 1994)
Available at http//thc.infemo.tusculum.edu
THC-Scan is one of the most full featured,
non-commercial, war dialing tools available
today.

Scanning WAR Dialers
34
The Hackers Choice 2.0

A convenient statistic is the number of lines
dialed per hour. With a single machine and a
single modem, we typically do 100 to 125 lines
per hour. This is a useful metric in determining
how long it will take to dial large numbers of
lines.

Scanning WAR Dialers
35
Ok, I found the numbers

You found a number of modems. What do you do
now??
Review the war dialer logs and look for familiar
login prompts or even warning banners
Connect to each discovered modem
Often times, you will find a system without a
password
PCAnywhere for a clueless user -- you're in,
baby!
Old, neglected machine still on the network
A Router!!!!!
If there is a userID/password prompt, guess
Make it an educated guess, based on the system
What are default accounts/passwords?
What are common things associated with the target?

Scanning WAR Dialers
36
Try these Username/passwords!

Root
sync
bin
nobody
operator
manager
Admin
Administrator

System
days of the week
COMPANY NAME
COMPANY PRODUCT
Custom dictionaries built from company keywords
and acronyms

Scanning WAR Dialers
37
WAR Dialer Defense

An effective dial-up line and modem policy is
crucial
Inventory all dial-up lines with a business need
Activate scanning detection functionality in your
PBX, if available
Telewalls A firewall for phones
Conduct war dialing exercises against your own
network
reconcile your findings to the inventory
Utilize a commercial war dialer
Sandstorm's Phonesweep or ISS's Telephony Scanner
Toneloc or THCScan (Free)
Conduct periodic desk-to-desk checks in the
evenings
Use two people for this (buddy system)

Scanning WAR Dialers
38
WAR Driving

IEEE 802.11b Wireless Networks

39
(No Transcript)
40
(No Transcript)
41
(No Transcript)
42
(No Transcript)
43
(No Transcript)
44
(No Transcript)
45
(No Transcript)
46
(No Transcript)
47
(No Transcript)
48
(No Transcript)
49
(No Transcript)
50
(No Transcript)
51
Port Scanning

52
TCP/IP Handshake

TCP/IP 3-way Handshake establishes a connection
to a port

Scanning Port Scanning

All legitimate Transmission Control Protocol
(TCP) connections (e.g., HTTP, telnet, ftp, etc.)
are established through a three-way handshake.
65,535 TCP ports, 65,535 UDP ports (no 3-way with
UDP)
53
Three Way Handshake
1 Send SYN seqx
2 Send SYN seqy, ACK x1
3 Send ACK y1
The handshake allows for the establishment of
sequence numbers (x or y are ISN Initial
Sequence Number) between the two systems. These
sequence numbers are used so that TCP can provide
for reliable packet delivery in sequential order.
Sequence numbers are used for sequencing and
retransmissions.
54
Port Scanners

Scan all 65,535 (times 2) ports
Find tcp 80, web server
Find tcp 23, telnet server
Find udp 53, DNS server
Find tcp 6000, X Window server
etc.
Nmap is a very useful tool with advanced scanning
capabilities
Available at hftp//www.insecure.org/nmap

Scanning Port Scanning
55
Port Scanners

By scanning each port, we can determine what is
listening on the box, and find ways to get in.
Tools like Nmap allow us to inventory open ports
in a variety of ways. Numerous other port
scanners are available, including
strobe
Probe
etcp
Nmap is the most fully featured of all of these
tools.
The ISS and CyberCop commercial scanners also
include port scanning capabilities.

Scanning Port Scanning
56
Open Port Information

With a list of open ports, the attacker can get
an idea of which services are in use by
consulting RFC 1700. Also, particular exploits
for these services can be found at
http//www.technotronic.com.
the attacker can devise his/her own
exploits!
http//www.iana.org

Scanning Port Scanning
57
An NMAP scan
NMAP

Allows for conducting numerous types of scans
"Vanilla" TCP scans
Connect to every port, with 3-way handshake
SYN scans (aka "half-open" scans)
Only do initial SYN
Harder to detect and much quicker
FIN scans
Stealthy and bypass some filters

SYN scan using IP fragments
Bypass some packet filters... Yes!
UDP Scanning
FTP Proxy "Bounce Attack" Scanning
RPC Scanning
TCP Sequence prediction test
ACK scanning
Xmas Tree
NULL scan

Scanning Port Scanning
58
NMAP scan FTP Proxy Bounce
NMAP

FTP Proxy "Bounce Attacks" utilize an ancient
feature of FTP servers. These servers allow a
user to tell the server to send the file to
another system. Using this capability, an
attacker can bounce an NMAP port scan off of
someone's FTP server, to help obscure the source
of the attack.
You should make sure that you disable the FTP
Bounce capability from your public FTP servers.

Scanning Port Scanning
59
NMAP TCP Stack Fingerprinting
NMAP

Attempts to determine the operating system of
target by sending various packet types and
measuring the response
This concept originated with a tool called QueSO,
available at hftp//www.apostols.org/projectz/que
so

Scanning Port Scanning
60
NMAP TCP Stack Fingerprinting
NMAP

Nmap does various types of tests to determine the
platform
TCP Sequence Prediction
SYN packet to open port
NULL packet to open port
SYNFINURGPSH packet to open port
ACK packet to open port
SYN packet to closed port
ACK packet to closed port
FINPSHURG packet to closed port
UDP packet to closed port

Scanning Port Scanning
61
TCP Stack Fingerprinting
NMAP

Note that each TCP stack implementation may have
a very unique signature to how it behaves,
particularly when confronted with various illegal
combinations of TCP flags and packets!
This information is used to identify the target
system.
NMAP has a data base of how various systems
respond to these illegal flags. NMAP can
determine what system you are running!!!

Scanning Port Scanning
62
TCP Stack Fingerprinting
NMAP

Based on the TCP stack response, Nmap can
identify over 400 types and versions of systems,
including
Windows 3.1, 3.11, 95, 98, NT (SP 1-4 or 5-6)
Win2000
Solaris 2.x AIX
Cisco IOS
Linux
3Com products

Scanning Port Scanning

NetBSD, FreeBSD
MacOS
VAX/VMS / Open VMS
HP/JetDirect
HP-UX
SCO UNIX
IRIX

63
TCP Stack Fingerprinting
NMAP

Customizable database so the hacker can add his
own information signatures
Using this information, an attacker can focus an
attack!!!
An NT Portscanner -- SuperScan

Scanning Port Scanning
64
NMAP Demo
Scanning Port Scanning

Superscanner demo

65
NMAP Scans
bash-2.04 sudo nmap Nmap V. 2.54BETA29 Usage
nmap Scan Type(s) Options lthost or net
listgt Some Common Scan Types ('' options require
root privileges) -sT TCP connect() port scan
(default) -sS TCP SYN stealth port scan (best
all-around TCP scan) -sU UDP port scan -sP
ping scan (Find any reachable machines)
-sF,-sX,-sN Stealth FIN, Xmas, or Null scan
(experts only) -sR/-I RPC/Identd scan (use with
other scan types) Some Common Options (none are
required, most can be combined) -O Use TCP/IP
fingerprinting to guess remote operating system
-p ltrangegt ports to scan. Example range
'1-1024,1080,6666,31337' -F Only scans ports
listed in nmap-services -v Verbose. Its use is
recommended. Use twice for greater effect. -P0
Don't ping hosts (needed to scan
www.microsoft.com and others)
-Ddecoy_host1,decoy2,... Hide scan using many
decoys -T ltParanoidSneakyPoliteNormalAggress
iveInsanegt General timing policy -n/-R Never
do DNS resolution/Always resolve default
sometimes resolve -oN/-oX/-oG ltlogfilegt Output
normal/XML/grepable scan logs to ltlogfilegt -iL
ltinputfilegt Get targets from file Use '-' for
stdin -S ltyour_IPgt/-e ltdevicenamegt Specify
source address or network interface
--interactive Go into interactive mode (then
press h for help) Example nmap -v -sS -O
www.my.com 192.168.0.0/16 '192.88-90..' SEE THE
MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND
EXAMPLES
66
bash-2.04 sudo nmap -sS -O -v www.snowmaps.com S
tarting nmap V. 2.54BETA29 ( www.insecure.org/nmap
/ ) Host (207.198.14.42) appears to be up ...
good. Initiating SYN Stealth Scan against
(207.198.14.42) Adding open port 25/tcp Adding
open port 53/tcp Adding open port 80/tcp Adding
open port 22/tcp Adding open port 3306/tcp Adding
open port 110/tcp The SYN Stealth Scan took 8
seconds to scan 1548 ports. For OSScan assuming
that port 22 is open and port 1 is closed and
neither are firewalled
www.snowmaps.com
67
Interesting ports on (207.198.14.42) (The 1542
ports scanned but not shown below are in state
closed) Port State Service 22/tcp
open ssh 25/tcp open
smtp 53/tcp open domain 80/tcp
open http 110/tcp open
pop-3 3306/tcp open mysql Remote
operating system guess FreeBSD 2.2.1 - 4.1 TCP
Sequence Prediction Classrandom positive
increments
Difficulty34067 (Worthy challenge) IPID Sequence
Generation Incremental Nmap run completed -- 1
IP address (1 host up) scanned in 10
seconds bash-2.04
www.snowmaps.com
68
bash-2.04 sudo nmap -sS -O -v 24.49.192.77 Start
ing nmap V. 2.54BETA29 ( www.insecure.org/nmap/
) Host ny-utica3b-77.aburny.adelphia.net
(24.49.192.77) appears to be up ...
good. Initiating SYN Stealth Scan against
ny-utica3b-77.aburny.adelphia.net
(24.49.192.77) The SYN Stealth Scan took 594
seconds to scan 1548 ports. Warning OS
detection will be MUCH less reliable because we
did not find at least 1 open and 1 closed TCP
port All 1548 scanned ports on ny-utica3b-77.aburn
y.adelphia.net (24.49.192.77) are filtered Too
many fingerprints match this host for me to give
an accurate OS guess TCP/IP fingerprint SInfo(V2
.54BETA29Pi686-pc-linux-gnuD11/5Time3BE6CB47
O-1C-1) T5(RespN) T6(RespYDFNW0ACKOFl
agsROps) T7(RespN) PU(RespN) Nmap run
completed -- 1 IP address (1 host up) scanned in
633 seconds bash-2.04
24.49.192.77
69
bash-2.04 sudo nmap -sS -O -P0 -v
24.24.27.115 Starting nmap V. 2.54BETA29 (
www.insecure.org/nmap/ ) Host syr-24-24-27-115.twc
ny.rr.com (24.24.27.115) appears to be up ...
good. Initiating SYN Stealth Scan against
syr-24-24-27-115.twcny.rr.com (24.24.27.115) The
SYN Stealth Scan took 2008 seconds to scan 1548
ports. Warning OS detection will be MUCH less
reliable because we did not find at lea st 1 open
and 1 closed TCP port All 1548 scanned ports on
syr-24-24-27-115.twcny.rr.com (24.24.27.115) are
filt ered Too many fingerprints match this host
for me to give an accurate OS guess TCP/IP
fingerprint SInfo(V2.54BETA29Pi686-pc-linux-gn
uD11/5Time3BE6DB03O-1C-1) T5(RespN) T6(Re
spN) T7(RespN) PU(RespN) Nmap run completed
-- 1 IP address (1 host up) scanned in 2192
seconds bash-2.04
24.24.27.115
70
bash-2.04 sudo nmap -sS -O -v www.webtag.net Sta
rting nmap V. 2.54BETA29 ( www.insecure.org/nmap/
)Host (206.74.229.14) appears to be up ...
good.Initiating SYN Stealth Scan against
(206.74.229.14)Adding open port 80/tcpAdding
open port 110/tcpAdding open port 21/tcpAdding
open port 106/tcpAdding open port 53/tcpAdding
open port 23/tcpAdding open port 25/tcpAdding
open port 1112/tcpAdding open port
513/tcpAdding open port 79/tcpAdding open port
514/tcpThe SYN Stealth Scan took 26 seconds to
scan 1548 ports.For OSScan assuming that port 21
is open and port 1 is closed and neither are
firewalled Interesting ports on
(206.74.229.14)(The 1536 ports scanned but not
shown below are in state closed) Port
State Service21/tcp open
ftp23/tcp open telnet25/tcp open
smtp53/tcp open domain79/tcp
open finger80/tcp open
http106/tcp open pop3pw110/tcp
open pop-3139/tcp filtered
netbios-ssn513/tcp open login514/tcp
open shell1112/tcp open msql
Remote operating system guess Solaris 2.6 -
2.7Uptime 1.453 days (since Sun Nov 4 035609
2001)TCP Sequence Prediction Classrandom
positive increments
Difficulty22872 (Worthy challenge) IPID Sequence
Generation Incremental Nmap run completed -- 1
IP address (1 host up) scanned in 37
seconds bash-2.04
www.webtag.net
71
(No Transcript)
72
Port Scanner Defense

Close All unused ports!
Unix /etc/inetd.conf also /etc/rc3.d (xinetd
daemon)
Windows NT disable all unnecessary services by
uninstalling them or shutting them off in the
services control panel
Windows 2000 restrict ports, shut off services

Scanning Port Scanning
73
Port Scanner Defense

Utilize an Intrusion Detection System (IDS)
Commercial
ISS RealSecure
Cisco NetRanger
Network Flight Recorder
More
Freeware
Snort

Scanning Port Scanning
74
Firewall Attacks
FireWalk

Firewalk allows an attacker to determine which
ports on a (packet filter) firewall are open
Written by David Goldsmith and Michael Schiffman,
October 1998, and available at http//packetstorm.
securify.com/UNIX/audit/firewalk
Based on ideas originally used in traceroute, a
tool that determines the path of packets using
the IP Time-To-Live (TTL) field

Scanning -- FireWalk
75

Scanning -- FireWalk
76
(No Transcript)
77
(No Transcript)
78
(No Transcript)
79

Firewalk determines the filtering rules
associated with packet filters (either for a
host-based packet filter firewall or router
access control lists). Firewalk does not work
against pure proxy-based firewalls, because
proxies do not forward packets. Instead, a proxy
application absorbs packets on one side of the
gateway and regenerates packets on the other
side. Packet filters actually forward the same
packets, after applying filtering rules.

Scanning -- FireWalk
80
Firewalk phases

Given this info, firewalk operates in two phases
Network Discovery Phase
Scanning Phase
The Network Discovery Phase essentially does a
traceroute to determine the hop count to the last
gateway (router) before the filtering takes place

Scanning -- FireWalk
81
TTL4
Time to Live Exceeded
TTL3
Time to Live Exceeded
Attacker
IP10.2.1.10
TTL1
Firewall
Time to Live Exceeded
TTL2
IP10.1.1.1
Time to Live Exceeded
82
During the network discovery phase, Firewalk
sends packets with incrementing TTLs to determine
how many network hops exist between the tool and
the firewall. When a packet reaches its maximum
TTL (which is decremented by each hop), the final
gateway sends back a Time-to-live exceeded
message.
Attacker
IP10.2.1.10
This is essentially the same function as
traceroute, used to determine the hop count. Once
this number is determined, the tool can conduct
the scanning phase.
Firewall
IP10.1.1.1
83
TTL4, TCP Port 1
TTL4, TCP Port 2
TTL4, TCP Port 3
TTL4, TCP Port 4
TTL4, TCP Port 80
Time to Live Exceeded!!!
Attacker
IP10.2.1.10
Port 80 is unfiltered!!!!!
Firewall
IP10.1.1.1
84
Firewalk Defenses

1) Just live with it accept the fact that
someone could map your network and determine your
firewall filtering rules
2) Disallow ICMP TTL Exceeded messages from
leaving your internal network May cause
problems! Network diagnostics may not work, and
your users may want to traceroute(quite a
reasonable idea for sensitive networks), NAT
3) Use a proxy server instead of a packet filter
Packet filters have IP forwarding on, so the
packets traverse them and "live on
Proxies are an end point of the connection the
packets are not forwarded, so their life ends
upon reaching the proxy
Possible performance implications

Scanning -- FireWalk
85
Vulnerability Scanners

86
(No Transcript)
87
Vulnerability Scanners

SATAN is the granddaddy of these tools (saint,
sara SANTASATAN)
Many commercial derivatives
ISS's scanner
Network Associates' CyberCop
Cisco's NetSonar
These are all tools to help to map a network,
scan for open ports, and find various
vulnerabilities
They generate nice looking reports for
management
The tools test against a list of known exploits
What about the unknown?
That's why we want to have security in-depth!
Use a multi-layered, sound architecture

Vulnerability Scanning
88
More Tips

Be careful with password guessing modules. They
may lock out legitimate users! You may want to
disable these modules from running across the
network and use password cracking software on the
local system files to find weak passwords.Use
L0pht cracker or others Look on your CD under
password crackers.

Vulnerability Scanning
89
Scanner Limitations

Vulnerability scanning tools are extremely useful
because they automate security checks across a
large number of systems over the network.
However, please understand their limitations!
The tools only check for vulnerabilities that
they know. They cannot find vulnerabilities that
they don't understand.
The tools tend to be very dumb and flat -- they
look for vulnerabilities.
A real attacker will apply a great deal of
intelligence to try to reverse engineer your
network.
Instead of just looking at the outside
interfaces, the intelligent attacker will try to
understand what's going on behind them.

Vulnerability Scanning
90
Nessus

Nessus is a free, open-source general
vulnerability scanner
It is used by the white hat community (security
folks) and the black hats (malicious hacker)
Facts
Project started by Renaud Deraison
Available at hftp//www.nessus.org
Consists of a client and server, with modular
plugins for individual tests

Vulnerability Scanning
91
Nessus

Nessus is a very useful tool, and has some
advantages over the commercial tools
You can review the source-code of the main tool
and any of the security checks to make sure that
nothing "fishy" is going on.
You can write your own tests and incorporate them
into the tool
A large group of developers is involved around
the world creating new tests
The price! US 0.00

Vulnerability Scanning
92
Configure and monitor
Vulnerability Scanning
scan
Server has numerous plug-ins with various tests
93
(No Transcript)
94
Nessus

The client and server can be on the same machine.
(you can put it all on a laptop)
Information between the client and the server can
be encrypted
Large number of plug-ins available for the
server, each testing for specific vulnerabilities
in the target.

Vulnerability Scanning
95
Nessus - Platform

Server
FreeBSD, Linux, and Solaris
Client
FreeBSD, Linux, Solaris
Windows 95/98/NT 2000
Java (can run on Macs, anything)
Remember, both Client and Server can be on the
same machine.
For serious work with Nessus, use Nessus on Unix

Vulnerability Scanning
96
Nessus - Plugins

Separate plug-in for each type of attack
There is a defined API for writing Nessus
plug-ins
Currently, plug-ins written in C
Or, plugins can be written in the Nessus Attack
Scripting Language (NASL)
One plugin is in charge of doing one attack and
to report the result to the nessus server
(nessusd).
Each plugin can use some functions of the Nessus
library, called libnessus.
CVS version and daily snapshots are available.
As of November, 2000
Over 300 UNIX plug-ins
90 Windows NT plug-ins
Make sure you check those MD5 hashes!!! (so you
dont load a Trojan plugin!!!!!)
A very nice capability of Nessus is the ability
to write your own plug-ins, a capability not
supported in the major commercial scanners.

Vulnerability Scanning
97
Nessus GUI
You can configure -port for the client to server
comm -Encryption algorithms -Target
systems -which plugins to use -port ranges and
types of scans -email address for report
Vulnerability Scanning
98
Nessuss report of Test server before Attack
99
Vulnerability Scanners - Defense

Close all unused ports Shut off all unneeded
services
In Windows NT, stop or delete services in
services control panel
In UNIX, edit /etc/inetd.conf and rc.d files
Apply all system patches
Keep up to date!
Utilize an Intrusion Detection System
Network-based IDS
Commercial ISS ReaISecure, Cisco NetRanger,
Network Flight Recorder, Dragon, etc.
Freeware Snort

Vulnerability Scanning
100
Exploiting Systems

Gaining Access
Denial of Service
Application Level Attacks
Stealthy Attacks

101
Gaining Access

IP Address Spoofing
IP Fragmentation Attacks, FragRouter
Sniffing (Sniffit)
Session Hijacking (Hunt)
DNS Cache Poisining (Jizz)
Web Hijacking
Netcat and other Hack tools

Exploiting Systems
102
IP Address Spoofing

Spoofing Pretending to be someone else
IP address spoofing is quite common in a number
of attacks
Foiling systems that utilize IP addresses for
control
Router access control lists
Firewalls
Trust relationships (particularly, UNIX
r-commands)
Denial of Service
Logs

Exploiting Systems
103
IP Spoofing

IP Spoofing can be trivial or very complex
Option 1 Change the IP address
Option 2 IP Address Spoofing and Trust
Relationship Attacks
Option 3 IP Address Spoofing and Source Routing

Exploiting Systems
104
Option 1

I can change my IP address to anything I want...
UNIX ifconfig eth0 w.x.y.z
Windows use network control panel
Yes, but... You won't get responses to your
messages, because the network won't route the
responses back to you you
Also, the TCP 3-way handshake will cause you
problems
You'll get a RESET message from the real system,
unless ....

Exploiting Systems IP Spoofing
105
Recall the Three Way Handshake
1 Send SYN seqx
2 Send SYN seqy, ACK x1
3 Send ACK y1
The handshake allows for the establishment of
sequence numbers (x or y are ISN Initial
Sequence Number) between the two systems. These
sequence numbers are used so that TCP can provide
for reliable packet delivery in sequential order.
Sequence numbers are used for sequencing and
retransmissions.
106
Option 1 Simple SpoofingChange Address
When the spoofee sends the 2nd leg of the 3-way
handshake, the system who's address is being
spoofed will send a RESET message. The RESET
message says, essentially, "Hey! I'm not having a
conversation with you .... Leave me alone!"
SYN ( A, ISNa)
Eve
ACK(A, ISNa) SYN(B, ISNb)
RESET!!
107
Option 2 Exploit Trust

We can take over a system with IP Address
spoofing by Eve exploiting the UNIX trust
relationships
A variant of this attack was used by Kevin
Mitnick against Tsutomu Shimomura in December,
1994
Sadly, it's still a useful technique today
Mostly on intranets, because properly implemented
firewalls have helped to stop this attack across
the Internet

Exploiting Systems IP Spoofing
108
Exploit Trust

The "random" sequence number sent by Bob (ISNb)
is often predictable
Eve can interact with Bob and, based on careful
timing, predict future sequence numbers with some
level of accuracy
This gives Eve a one-way channel to Bob
And Bob will think Eve is Alice!!! That's a
spoof!
Great!!! But... What about Alice's RESET?
You take Alice out of the picture for a while...
Denial of Service

Exploiting Systems IP Spoofing
Eve can have an open channel to Bob. She can
quickly reconfigure Bob so that Eve has full
access, without spoofing.
109
IP Sequence Prediction
110
Option 2 Exploit Trust

Now Eve has an open channel to Bob
Eve (posing as Alice) can feed commands to Bob
Eve can use rsh command to add the real Eve to
the trust relationship of Bob. How? Concatenate
to /etc/hosts.equiv or simply add her name.
UNIX only.
Eve will see no replies from Bob, however, Alice
cannot respond (due to DoS)
For a short time, Eve looks like Alice to Bob
Eve must fly blind, but can re-configure Bob.

Exploiting Systems IP Spoofing
111
Option 3 Source Routing

this attack is simpler than option 2... and
platform independent (Option 2 required UNIX
trust relationships)
Just use source routing ....
With a source that appears to come from the
spoofed address
...and a path that includes the "spoofer" --
(i.e., the attacker)
All packets will follow the path
And responses will, too
This method for IP address spoofing is based on
source routing. Source routing is an option in IP
that allows the source of a packet to specify the
path it will take on the network. Each router hop
is included in the packet's header.

Exploiting Systems IP Spoofing
112
Source Routing
For this attack, Eve generates a source-routed
packet that appears to come from Alice (that's
the spoof). The packet contains a fake route list
that includes Eve's address. Note that the route
list is correct for all routers between Even and
Bob. Routers before Eve are irrelevant. Eve sends
this packet on the network. If the network allows
source routed traffic, the packet will follow
Eve's specified path to deliver the packet to
poor Bob. Bob will take action on the packet
(complete the TCP 3-way handshake, or whatever)
and send the response, source routed back to
Eve. Eve will intercept the packet, rather than
transmitting it back to Alice .... There you go!
Eve can get the responses from Bob while spoofing
Alice's address.
Route 1.Alice2.Router X3.Eve4.Router
Y5.Bob PACKET CONTENTS
Eve
Route 1.Bob2.Router Y3.Eve4.Router
X5.Alice PACKET CONTENTS
113
IP Address Spoofing Defenses

Make the Initial Sequence Numbers truly random
Need to install patches for TCP/IP stacks
Be careful with trust relationships Do not extend
trust outside of firewall
Either UNIX or Windows NT trust relationships
Don't base authentication on IP addresses
Utilize passwords, crypto, or other techniques
Replace very weak r-commands with stronger
commands
ssh, or its freeware cousins (lsh)
Utilize anti-spoof filters at routers and
firewalls
Do not allow source routed packets through
network gateways
Internet gateways (firewalls) and business
partner connections

Exploiting Systems IP Spoofing
114
NEVER
Never use source routing in Firewalls, routers,
or any gateway system!
115
IP Fragmentation Attacks

116
IP Fragmentation

Useful in getting around packet filters in
routers and firewalls
Also useful in avoiding detection by
network-based Intrusion Detection Systems (IDSs)
Recall how packet filtering (firewall) works...
It allows tcp source_address to
destination_address using a specific port number
implicitly denies all other

Penetration IP Fragments
117
Port 23
Attacker
Port 80
Penetration IP Fragments
IP10.2.1.10
IDS
Firewall
IP10.1.1.1
118
IP Fragmentation Attacks

IP allows packets to be broken down into
fragments for more efficient transport across
various media
The TCP packet (and its header) are carried in
the IP packet
Two attacks possible
Tiny fragment attack
Fragment Overlap attack

Penetration IP Fragments
tcp
ip
ip
119
Normal IP Fragmentation
tcp
ip
ip
Penetration IP Fragments
To support different transmission media, IP
allows for the breaking up of single large
packets into smaller packets, called fragments.
The higher-level protocol carried in IP (usually
TCP or UDP) is split up among the various
fragments.
120
Tiny Fragment Attack
tcp
ip
ip
Penetration IP Fragments
Make a fragment small enough so that the TCP
header is split between two fragments. The port
number will be in the second fragment.
121
All IP fragments are re-assembled
Attacker
Tcp port unknown
Penetration IP Fragments
Fragment 1 (part of tcp header)
Fragment 2(rest of tcp header)
IDS
Firewall
122
IP Fragment Overlap Attack

A more insidious fragment attack is the Fragment
Overlap attack. For this scenario, the attacker
creates two fragments for each IP packet. One
fragment has the TCP header, including the port
number for a service allowed by the filter (e.g.,
http, TCP port 80). The second fragment has an
offset value that is a lie. The offset is too
small, so that when the fragments are
reassembled, the second fragment overwrites part
of the first, particularly the part of the first
fragment including the port number.

Penetration IP Fragments
tcp
ip
ip
123
Fragment Overlap attack - In the second fragment,
lie about the offset from the first fragment.
When the packet is reconstructed at the protected
server, the port number will be overwritten.
All IP fragments are re-assembled
Attacker
Tcp port 80. OK!
Penetration IP Fragments
Second IP fragment was just a fragment of the
first. That is OK too!
Fragment 1 (Packet is for port 80)
IDS
Firewall
Fragment 2 (Packet says is for port 80),
however, I have an offset, say 12, and After
overlaying, the TCP header will read port 23!
124
IP Fragment Attack Tools

Fragrouter -- can be used to create nasty
fragmentation attacks
Written by Dug Song
http//www.anzen.com/research/nidsbench
With fragrouter, all packets entering one
interface go out the other interface fragmented
The attacker can specify how fragmentation will
occur
Helps bypass some packet filters and avoid
intrusion detection systems (IDSs)
You can also send the packets through a
multi-network named host, so the packets appear
to be coming from multiple hosts!

Penetration IP Fragments
125
Sniffers

126
Sniffers

Sniffers gather all information transmitted
across a line For broadcast media (ethernet),
allows an attacker to gather passwords, etc. For
ethernet, all data is broadcast on the LAN
segment
Switched ethernet limits data to a specific
source and destination port on a switch
Sniffers are among the most common of hacker
tools. They gather traffic off of the network,
which an attacker can read in real time, or
squirrel away in a file.

127
Sniffers

Many attacks are discovered only when a sniffer
log consumes all available file space.
When an ethernet interface is gathering all
traffic, it is said to be in "promiscuous mode".
Traditional ethernet, usually implemented in a
hub, is a broadcast medium, which broadcasts all
data to all systems connected to the LAN segment.
Therefore, traditional ethernet is inherently
sniffable.

128
Blah, blah, blah
Blah, blah, blah
Blah, blah, blah
HUB
Blah, blah, blah
BROADCAST ETHERNET
129
Blah, blah, blah
Blah, blah, blah
Blah, blah, blah
HUB
Blah, blah, blah
BROADCAST ETHERNET
130
Blah
SWITCH
blah
Blah, blah, blah
blah
SWITCHED ETHERNET
131
Sniffers

Switched ethernet does not broadcast all
information to all links of the LAN segment.
Instead, the switch is more intelligent than the
hub, and, by looking at the destination MAC
address, will only send the data to the required
port on the switch. Switched ethernet is only
sniffable in limited ways.

132
Snifferz

There are countless examples of sniffers out
there
es - freeware (ships with SunOS, Solaris
RootKits)
Linsniff - freeware (ships with Linux Rootkits)
Websniff - freeware
tcpdump - freeware
snoop - distributed with Solaris
Network Associates - commercial
Shomiti Surveyor - commercial
Another very good sniffer is snort, by Martin
Roesch
hftp//www.clark.net/-roesch/security.html
Very powerful scripting capabilities
Doubles as a lightweight Intrusion Detection
System

133
Used by hackers

Sniffers are particularly useful in what is known
as an "Island Hopping Attack", named after the
U.S. strategy in the Pacific theater during WWII.
Island Hopping attacks involve an attacker taking
over a single machine through some exploit (e.g.,
a hole found in sendmail, a weak CGI script,
etc.). Then, the attacker installs a sniffer on
this victim machine.

134
Sniffer uses in attack

With the sniffer on the first victim, the
attacker observes users and administrators
logging on to other systems on the same LAN
segment or other segments of the network. The
sniffer gathers these userlDs and passwords,
allowing the attacker to take over more machines.
By installing sniffers on these additional
machines, more and more passwords can be
captured. By installing a sniffer on a single
system, the attacker can then take over many
systems.

135
Sniffit

Written by Brecht Claerhout, available at
http//reptile.rug.ac.be/-coder/sniffit/sniffit.ht
ml
Runs on Linux, Solaris, IRIX, FreeBSD, and SunOS
Interactive interface, or it can run in the
background
You must be root to run it
Gathers an inventory of connections and lets you
"zoom in" on particular sessions
Filtering capabilities
Based on IP, port numbers, etc.
You can configure it to gather just telnet or ftp
userlDs

136
Sniffer Defense

Keep attackers off the box in the first place
Use Switched Ethernet on critical segments
DMZ!!!
PKI system
Sensitive internal networks
Antisniff (www.l0pht.com)
Can detect sniffers across the network by
analyzing changes in latency, etc.

137
Session Hijacking

HUNT

138
Session Hijacking

Tools which allow an attacker to
Steal, share, terminate, monitor, or log any
terminal session that is in progress
Allow attacker to move around the network with
ease
Sessions are stolen across network
Session stolen at originating machine
Bypass all forms of strong authentication and
Virtual Private Network

139
Session Hijacking

Session hijacking tools are particularly nasty.
They allow an attacker to grab an interactive
login session (e.g., telnet, rlogin, ftp, etc.).
The victim usually notices that his/her session
disappears ("Darn network trouble!"). The users
will likely just try to login again, not knowing
that their session wasn't dropped it was just
stolen.

140
Alice telnets to do some work..
Alice
Eve is on a segment of the lan where she can
sniff, or on a point in the path.
Eve
141
Eve uses a session hijacking tool to observe the
session. at Eve's command, the session hijacking
tool jumps in and continues the session with
Bob. Attacker can kick Alice off and make any
changes on B. The logs will show that Alice made
the changes
Alice telnets to do some work..
Alice
Hi, I am Alice
Attacker can monitor and generate packets with
the same sequence number.
Eve
142
Session Hijacking Ack Storms
If the attacker just jumps in on a session,
starting to spoof packets, the sequence numbers
between the two sides will get out of synch As
the two sides try to resynchronize, they will
resend SYNs and ACKs back and forth trying to
figure out what's wrong, resulting in an ACK storm
SYN (A, SNa) ACK (SNb) SYN (B, SNb) ACK (SLNa)
Alice
SYN(A,Sna) ACK(SNb)
Eve
143
ACK Storm

Alice and Bob will get very confused, however,
when they notice that their sequence numbers get
out of synch. Alice will continue to resend
messages again and again, consuming a good deal
of bandwidth in what is known as an "ACK storm".
Eve can still interact with Bob using the spoofed
address during the ACK storm, but performance
will suffer as Alice and Bob thrash over the
sequence number issue. Eve can prevent this by
launching a denial of service against Alice so
that there is no thrashing over sequence numbers,
and hence no ACK storm.

144
Session Hijacking Tools

Hunt
Very well written
Authored by Kra (Pavel Krauz)
Automatically sniffs connections
Allows insertion of commands...
...or just plain takeover of session
it handles ACK storms
http//lin.fsid.cvut.cz/kra/index.html

145
HUNTs ARP Spoofing

To avoid the ACK storm Eve either does a denial
of service attack against Alice Or, more
interestingly,
Hunt allows for Address Resolution Protocol (ARP)
spoofing, to mask the fact that the systems have
gotten out of synch!! Very clever!
Hunt lets the attacker set his/her machine up as
a relay for all traffic going between Alice and
Bob, using ARP Spoofing.

146
Eve send a Gratuitous ARP broadcast message
Ipw.x.y.zMACBB.BB
Ipa.b.c.dMACAA.AA
Alice
ARP w.x.y.z is at DD.DD
ARP a.b.c.d is at EE.EE
Eve MACCC.CC
147
Other Session Hijacking Tools

Juggernaut
Allows for monitoring of connections, insertion
of single command, or takeover
Very similar to Hunt, but much more buggy
http//www.rootshell.com
TTYWatcher
Many advanced features (log, steal, watch, etc.)
Runs at the end host
User friendly
ftp//coast.cs.purdue.edu/pub/tools/unix/ftywatche
r

148
Other Session Hijacking Tools

IPWatcher
Commercial software (http//www.engarde.com)
But the crackers steal it
Nice graphical interface

149
(No Transcript)
150
Session Hijacking Defenses

Encrypt session and use strong authentication.
Unfortunately, if originating host is
compromised, strong authentication and encrypted
paths do not help, because session is stolen at
originating machine!
Defense Be very careful with incoming
connections Be even more careful with management
sessions to your critical infrastructure
components
Firewalls!!! Don't telnet to the firewall
PKI!!! Don't telnet to the CA
Utilize strong authentication and an encrypted
path for such management
Secure Shell (ssh) or Virtual Private Network

151
Where to get secure shell?

ftp//ftp.replay.comTo prevent ARP poisoning,
use static ARP tables on sensitive systems
Solaris can have 20 minute no overwrite set on
ARP caches.
Always use a secure session to talk to your
security components, your infrastructure
(routers,etc)

152
Domain Name System (DNS) Cache Poisoning

153
DSN Cache Poisoning

The Domain Name System (DNS)
Critical component of the Internet
Maps names to addresses, among other things
www.saic.com 199.106.240.15
Mail server for SAIC?
mx.east.saic.com Internet address 198.151.13.22
Is this important?
YOU BET IT IS!
"Almost all business that gets done over the
Internet wouldn't get done without DNS
Paul Albitz Cricket Liu, authors of DNS
BIND

154
Clients use a "resolver" to access DNS
servers Most common DNS server is BIND, Berkeley
Internet Name Domain DNS servers query each other
RootNameServer
www.ebay.com
Local Nameserver
Referral to .com
.comNameServer
www.ebay.com
www.ebay.com
Referral to ebay.com
www.ebay.com
Client
ebay.comNameServer
The Answer! 216.32.120.133
155
DNS Cache Poisoning

Additional notes on DNS
Each DNS query has a Query ID
This Query ID is often predictable based on
earlier Query Ids
Also, to lower traffic requirements, DNS servers
will cache answers
Poor man's DNS attack
www.nasa.com
www.algore.org
Gee, that's not very fun!
Let's look at something more interesting

156
DNS Cache Poisoning

The tool "jizz" allows for a more elaborate DNS
attack
DNS Caches poisoning
http//www.rootshell.com

157
Alice, a happy bank customer
Dsn.good.comAlices unsuspecting DNS Server
Evil Attacker
Dns.evil.com, Evils DNS server owned by evil
www.bank.com, Alices online bank.
Dns.bank.comname server Alice wants to access.

158
DNS Cache Poisoning
STEP 1 Any.evil.com
Evil
STEP 2 Any.evil.com
STEP 3 store the query ID
Dsn.good.com
Dns.evil.com
Dns.bank.com
Alice
www.bank.com
159
DNS Cache Poisoning
STEP 4 www.bank.com
STEP 7 www.bank.comw.x.y.z
Evil
STEP 6 Spoofed answww.bank.comw.x.y.z
Dsn.good.com
STEP 5 www.bank.com
Dns.evil.com
Dns.bank.com
Alice
www.bank.com
160
DNS Cache Poisoning
STEP 10 Lets Bank!!!!
In Cache www.bank.comw.x.y.z
Evil
Dsn.good.com
Dns.evil.com
STEP 8 www.bank.com?
STEP 9 w.x.y.z
Dns.bank.com
Alice
www.bank.com
161
DNS Cache Poisoning Defense

Use a hard-to-predict Query ID
Upgrade BIND
Available, but not widely deployed yet
Use split split (yes, that's split split) DNS
Have a different DNS server resolve names for
insiders, and not respond to outside queries at
all
Use a separate DNS server for responding to
queries for externally accessible stuff
The best current solution
Digitally sign DNS records
The (likely) eventual solution - DNSSec - will be
deployed some day

162
DNS Cache Poisoning Defense

Use SSL with server-side authentication for
important transactions HTTPS Involves user
education
Although not part of this exploit, protect your
DNS server, for goodness sakes! Harden the OS
Cryptographically sign DNS database files Use
suspicious activity detection software
Use Tripwire or MD5 hashing on your DNS Server
database.

163
Back Orifice 2000