Transcript and Presenter's Notes

Title: Computer


1
Computer Network Hacker Exploits
  • Step-by-step
  • Dr. Leonard Popyack
  • Syracuse University 2001

2
Stages of An Attack
  • Target Selection
  • Reconnaissance
  • Penetration
  • Internal operations, Keeping the connection

3
Overview
  • Reconnaissance
  • Scanning
  • War dialers, War Driving
  • Port scanning and mapping
  • Firewall filters and Firewalk
  • Vulnerability Scanners

4
Overview
  • Exploit the System
  • Gaining Access
  • DOS tools
  • Application level Attacks
  • Keeping Access
  • BO2K
  • Rootkits
  • Knark
  • Covert Channels, Backdoors

5
Overview
  • Covering Your Tracks
  • Covering your tracks in UNIX and Windows
  • Reverse Shell
  • Loki

6
Purpose
  • The purpose of this part of the course is to
    understand attack methods... so we can
    implement effective defense strategies
  • We must protect our systems
  • How can we create effective defenses?
  • That's the real reason we're here
  • Why these tools and techniques?
  • Because they are in widespread use right now
  • They provide us fundamental information about the
    principles the attackers are employing.
  • They illustrate what we need to do to defend
    ourselves
  • Some of them are pretty Kewl! Some are VERY
    NASTY!

7
Note!
  • To the extent possible, platform independence is
    assumed
  • Individual tools may run on UNIX or Windows...
  • We will cover attack concepts that can be applied
    against Windows NT, UNIX, or other platforms
    (Novell, VAX, MVS, etc.)
  • I've included links to tools -- Use at your own
    risk!
  • They could harm your network in unexpected ways
  • Review the source code... Is this legit?
  • Experiment on a test network, separated from
    production and office or campus systems
  • Also, DON'T USE YOUR WORK OR BUSINESS ACCOUNT TO
    DOWNLOAD THE TOOLS OR SURF THE HACKER SITES! Why?

8
General Trends of Exploits
  • What are we seeing in the wild?
  • Hacker tools are getting easier to use and more
    easily distributed
  • The rise of Hacker groups as distribution houses
    for software
  • The L0pht and Cult of the Dead Cow
  • High-quality, extremely functional hacker tools
  • Better quality than from some major software
    houses

9
General Trends
  • Excellent communication through the computer
    underground to Chat, web, informal grouping, and
    hacker Computer and Network Conferences
  • With the rise of these hacker groups, a lot more
    information about security is available to the
    general public. The less-informed attackers
    (often called "script kiddies" or "ankle biters")
    will use this information in attacks. We must use
    this information to defend ourselves. I've
    included several references at the end of the
    handouts to help you stay informed.

10
General Trends
  • Used to be many different types of systems out
    there (the computer room)
  • Now, we have a smaller number of systems types
    (Windows, Linux, MacOS, SunOS, FreeBSD, Palm,
    etc)
  • They are distributed everywhere!
  • Less experienced users and administrators
  • One virus or attack can jeopardize vast numbers of
    systems (Morris worm, Melissa virus, I LOVE YOU,
    Nimda)
  • Home Laboratories are easy and inexpensive to set
    up for the hacker!

11
NEVER
  • UNDERESTIMATE
  • YOUR
  • ADVERSARY!!!

12
Your Adversary's Advantages
  • He can use multiple sources for his attack
  • His attack can be timed to be inconvenient for
    you (Friday before a 3-day holiday, Christmas
    Eve, during your company picnic)
  • He has the ability to corral greater media
    attention
  • Increased sense of hero complex when a hacker
    brings down a large company.

13
Two Attack Forms
  • Zero-Knowledge Attack
  • No knowledge from the inside of your organization
    is known before the attempt is made to target your
    company (your assets, intellectual property,
    finances, or other)
  • Knowledgeable Attack, perhaps by use of an insider, or
    from an insider
  • An insider, either implanted or home grown, has
    decided to gather information to be used for
    targeting your organization.

14
Reconnaissance
15
Reconnaissance
  • An attacker will gather as much information as he
    can about you, your company, your people, your
    computers, your network, and your physical
    security.
  • Your network
  • You may not know it, but there is already much
    information about you out there.
  • An adversary will use all data mining possible.

16
Open information
  • American Registry for Internet Numbers
  • Who owns a particular IP address (Whois)
  • (http://www.arin.net/whois/arinwhois.html)
  • DNS Interrogation (use nslookup)
  • Target's own web site (crawl it: a lot of info
    can be gathered by crawling: names, e-mail
    addresses, phone numbers, branches of the
    organization, trusted relationships)
  • Programs: Websnake, Webzip, curl
  • Search engines, web searches
  • can show trusted relations (for example, you may
    show up on a customer list, your web designer may
    use you as a reference)

17
Open Information
  • Usenet news postings (Deja.com, Google)
  • Flipping: related pages which link to the target.
    Use AltaVista and search for link:www.target.com
  • (Hotbot: linkdomain:www.target.com)
  • Example: on AltaVista, link:cisco.com AND
    title:resume if you are looking for resumes of
    Cisco engineers.

18
Open Information
  • X-Raying: finding areas in a company web page not
    normally accessible. How? In AltaVista, host: or
    url: followed by keywords or names.
  • Example: host:lucent.com and business
    development

19
Open Information
  • Peeling: many times there is more information
    embedded within really long URLs. Peel off some
    of the junk and look for web addresses or
    secondary addresses, and unique areas.
  • Example: http://www.lucent.com/web1.lucent.com/resumes/kramerz.html
  • http://anon.free.anonymizer.com/http://www.snowmaps.com

20
Open Information
  • Anchor searches: anchor labels may be informative
    in searching for targets.
  • Example: you can search the anchors by using a
    search engine and using anchor:"view resumes"
  • Harvesting: pick out and use keywords in related
    documents, then use meta search engines (like
    alltheweb.com, mamma.com, dogpile.com)

21
Open Information
  • Peer searches: once you find specific information
    or specific people, conduct peer searches using
    the meta search engines.
  • Example: Jon Doe, bank manager, doej@bank.com
  • Use dogpile and look for all other references to
    doej@bank.com
  • Might turn up that doej is into drag racing and a
    common dialog could be established.

22
Open Information
  • Open a phony e-mail account. Send e-mail to
    insiders. (The return e-mail headers can tell
    you loads of info about the inside systems!)
  • DATA-MINING!!!! Company, people, trusted
    relationships, mailing lists
  • Capability to connect to company DNS server (pull
    down all registered domains at a site!)

23
Scanning
  • finding weak points

24
WAR Dialing
  • Named for the dialer in the movie Wargames
  • An attacker is trying to find a backdoor into
    your network. A modem which is used for remote
    access.
  • This might be the easiest point of penetration!
  • The telephone numbers gathered in the recon phase
    are a good starting point!
  • Phreaking is looking for voice back doors,
    whereas hacking is looking for network access
    backdoors.

Scanning
25
WAR Dialing
  • War dialers dial a sequence of telephone numbers
    attempting to locate modem carriers or a
    secondary dial tone
  • Demon dialers is another name
  • Phone numbers come from:
  • Phone book, InterNIC data, web crawl, mailing
    lists, newsgroups, social engineering ("I am from
    the phone company and I need to verify what
    numbers you folks are using for data lines")

Scanning WAR Dialers
26
WAR Dialer Software
  • The Hackers Choice 2.0
  • A-DIAL (Auto Dial) by VeXaTiOn, 1995
  • Deluxe Fone-Code Hacker by The Sorceress KHAIAH
    1985
  • Dialing Demon version 1.05 by Tracy McKibben 1988
  • Doo Tools version 1.10, by Phantom Photon 1991
  • PBX Scanner Version 5.0, by Great White 1989
  • SuperDialer 1.03 by Evan Anderson 1990
  • ToneLoc 1.10 by Minor Threat Mucho Maas 1994
  • X-DialerR by ICiKl 1996
  • Z-Hacker 3.21, by BIackBeard 1991

27
The Hackers Choice 2.0
  • THC-Scan 2.0 by The Hacker's Choice (THC)
  • Written by Van Hauser, released 12/98
  • Essentially an update to the very venerable
    ToneLoc (by Mucho Maas and Minor Threat, 1994)
  • Available at http://thc.inferno.tusculum.edu
  • THC-Scan is one of the most full-featured,
    non-commercial war dialing tools available
    today.

28
The Hackers Choice 2.0
  • Need a screenshot here

29
The Hackers Choice 2.0
  • Note that the screen shows a nice real-time
    inventory of detected lines.
  • A convenient statistic is the number of lines
    dialed per hour. With a single machine and a
    single modem, we typically do 100 to 125 lines
    per hour. This is a useful metric in determining
    how long it will take to dial large numbers of
    lines (also, it helps you to see what your
    consultants really are charging you if you
    outsource this!)

30
THC 2.0 Features
  • Carrier Mode and Tone Mode (open PBX allows you
    to dial another number)
  • Dial random, sequential, or a list of numbers
  • Scanning through a modem out-dial
  • Break up work across multiple machines
  • Or multiple instances of THC-Scan on one system,
    each with its own modem
  • Supports a separate dialing program (THC-Scan
    supplies the telephone number to the dialer
    program)

31
THC 2.0 Features
  • Nudging
  • Nudging refers to sending a pre-defined string of
    characters to a discovered modem. The war dialer
    "nudges" the target, to get it to respond with
    possibly useful information banners, login
    prompts, etc
  • Random waits between calls (to lower chance of
    detection)
  • Rudimentary jamming detection (counts number of
    busy signals)

32
Ok, I found the numbers
  • You found a number of modems. What do you do
    now??
  • Review the war dialer logs and look for familiar
    login prompts or even warning banners
  • Connect to each discovered modem
  • Often times, you will find a system without a
    password
  • PCAnywhere for a clueless user -- you're in,
    baby!
  • Old, neglected machine still on the network
  • A Router!!!!!
  • If there is a userID/password prompt, guess
  • Make it an educated guess, based on the system
  • What are default accounts/passwords?
  • What are common things associated with the target?

33
Notes
  • THC has released a powerful scripting language
    for hacking login prompts: Login Hacker
    (http://thc.inferno.tusculum.edu/)
  • It is a tool for password guessing
  • Many systems tell you what platform they are
    (e.g., "Hi, I'm AIX!"). For others, you can
    determine this information from the nature of the
    prompt. UNIX boxes and Cisco router prompts are
    particularly easy to identify.
  • While guessing passwords is a time-consuming
    process, keep in mind that time is the single
    greatest resource your adversaries have.

34
Try these Username/passwords!
  • Root
  • sync
  • bin
  • nobody
  • operator
  • manager
  • Admin
  • Administrator
  • System
  • days of the week
  • COMPANY NAME
  • COMPANY PRODUCT
  • Custom dictionaries built from company keywords
    and acronyms

35
WAR Dialer Defense
  • An effective dial-up line and modem policy is
    crucial
  • Inventory all dial-up lines with a business need
  • Activate scanning detection functionality in your
    PBX, if available
  • Telewalls: a firewall for phones
  • Conduct war dialing exercises against your own
    network
  • Reconcile your findings to the inventory
  • Utilize a commercial war dialer
  • Sandstorm's PhoneSweep or ISS's Telephony Scanner
  • ToneLoc or THC-Scan (free)
  • Conduct periodic desk-to-desk checks in the
    evenings
  • Use two people for this (buddy system)

36
Some concerns
  • When war dialing against your own network, how do
    you determine which numbers to dial?
  • You should get a list of all analog lines at
    your PBX. You may also want to consider dialing
    digital lines, because inexpensive digital line
    modem adapters are readily available.

37
Some concerns
  • A major concern involves numbers not accessible
    through your PBX (i.e., direct lines from the
    telco). The best, although not ideal, approach
    for finding these is to follow the money - get
    the telephone bills from the telco. Ask your
    telco to give you a copy of all bills being
    mailed to a given address, or, if possible, all
    bills for lines at a certain address.

38
Some concerns
  • When you do desk-to-desk checks, you should
    always employ the buddy system. With an
    explicit two-person team checking for
    unwanted/unregistered modems, you will not be
    subject to claims of unfairness or, worse yet,
    theft from people's desks. If a single person
    checks for modems late at night, and something
    turns up missing from someone's desk, you may
    have significant problems.

39
WAR Driving
  • IEEE 802.11b Wireless Networks

51
Port Scanning

52
TCP/IP Handshake
  • TCP/IP 3-way Handshake establishes a connection
    to a port

Scanning Port Scanning

All legitimate Transmission Control Protocol
(TCP) connections (e.g., HTTP, telnet, ftp, etc.)
are established through a three-way handshake.
65,535 TCP ports, 65,535 UDP ports (no 3-way with
UDP)
53
Three Way Handshake
1. Send SYN, seq=x
2. Send SYN, seq=y, ACK=x+1
3. Send ACK=y+1
The handshake allows for the establishment of
sequence numbers (x or y are ISN Initial
Sequence Number) between the two systems. These
sequence numbers are used so that TCP can provide
for reliable packet delivery in sequential order.
Sequence numbers are used for sequencing and
retransmissions.
54
Port Scanners
  • Scan all 65,535 (times 2) ports
  • Find tcp 80, web server
  • Find tcp 23, telnet server
  • Find udp 53, DNS server
  • Find tcp 6000, X Window server
  • etc.
  • Nmap is a very useful tool with advanced scanning
    capabilities
  • Available at http://www.insecure.org/nmap

55
Port Scanners
  • By scanning each port, we can determine what is
    listening on the box, and find ways to get in.
    Tools like Nmap allow us to inventory open ports
    in a variety of ways. Numerous other port
    scanners are available, including
  • strobe
  • Probe
  • etcp
  • Nmap is the most fully featured of all of these
    tools.
  • The ISS and CyberCop commercial scanners also
    include port scanning capabilities.

56
Open Port Information
  • With a list of open ports, the attacker can get
    an idea of which services are in use by
    consulting RFC 1700. Also, particular exploits
    for these services can be found at
  • http://www.technotronic.com
  • The attacker can devise his/her own exploits!
  • http://www.iana.org

57
An NMAP scan
NMAP
  • Allows for conducting numerous types of scans
  • "Vanilla" TCP scans
  • Connect to every port, with 3-way handshake
  • SYN scans (aka "half-open" scans)
  • Only do initial SYN
  • Harder to detect and much quicker
  • FIN scans
  • Stealthy and bypass some filters
  • SYN scan using IP fragments
  • Bypass some packet filters... Yes!
  • UDP Scanning
  • FTP Proxy "Bounce Attack" Scanning
  • RPC Scanning
  • TCP Sequence prediction test
  • ACK scanning
  • Xmas Tree
  • NULL scan

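Added example (not from the slides): a small detector that replays a constructed packet trace through the three-way handshake of slide 53 and tells apart the scan styles listed above, namely the "vanilla" connect() scan (full handshake), the SYN half-open scan (SYN, SYN/ACK, then RST with step 3 never sent) and the FIN/Xmas/Null probes (a flow that never starts with a SYN). The server address 10.2.1.10 is taken from the Firewalk slides; all other addresses, ports and the five-port threshold are assumptions.

```python
from collections import defaultdict

# Constructed scenario: a sensor in front of the server 10.2.1.10 records
# TCP packets as (src, dst, server_port, flags). Addresses are made up.
SERVER = "10.2.1.10"
CLIENT = "10.1.5.5"        # legitimate user
SYN_SCANNER = "10.9.9.9"   # nmap -sS style "half-open" scan
XMAS_SCANNER = "10.8.8.8"  # nmap -sX style probe
NULL_SCANNER = "10.7.7.7"  # nmap -sN style probe, too few ports to flag

def build_sample():
    """Constructed packet trace: a normal handshake plus three scan types."""
    pkts = [
        # Legitimate client: SYN, SYN/ACK, ACK (the three-way handshake).
        (CLIENT, SERVER, 80, {"SYN"}),
        (SERVER, CLIENT, 80, {"SYN", "ACK"}),
        (CLIENT, SERVER, 80, {"ACK"}),
    ]
    # SYN scan: open ports answer SYN/ACK and the scanner tears down with RST
    # instead of finishing step 3; closed ports answer RST/ACK.
    for port in (21, 22, 23, 25, 80, 110):
        pkts.append((SYN_SCANNER, SERVER, port, {"SYN"}))
        if port in (22, 25, 80):
            pkts += [(SERVER, SYN_SCANNER, port, {"SYN", "ACK"}),
                     (SYN_SCANNER, SERVER, port, {"RST"})]
        else:
            pkts.append((SERVER, SYN_SCANNER, port, {"RST", "ACK"}))
    # Xmas scan: FIN|PSH|URG as the very first packet of a flow.
    for port in (1, 2, 3, 4, 5):
        pkts.append((XMAS_SCANNER, SERVER, port, {"FIN", "PSH", "URG"}))
    # Null scan: no flags at all, but only three ports (below threshold).
    for port in (6000, 6001, 6002):
        pkts.append((NULL_SCANNER, SERVER, port, set()))
    return pkts

def classify_probe(flags):
    """Name the first packet of a flow the way nmap's scan types do."""
    flags = frozenset(flags)
    if not flags:
        return "null"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"SYN"}:
        return "syn"
    return "other"   # e.g. a stray ACK, which is what an ACK scan looks like

def track_flows(packets, server):
    """Replay packets through a per-flow handshake state machine.

    Returns {(client, port): state}. Final states: 'established',
    'half_open' (SYN scan), 'refused' (closed port), 'syn_sent' (no reply),
    or the probe type for flows that never started with a SYN.
    """
    state = {}
    for src, dst, port, flags in packets:
        flags = set(flags)
        if src == server:                        # reply from the server
            key = (dst, port)
            if state.get(key) == "syn_sent":
                if flags == {"SYN", "ACK"}:
                    state[key] = "syn_received"  # handshake step 2
                elif "RST" in flags:
                    state[key] = "refused"       # nothing listening there
            continue
        key = (src, port)
        current = state.get(key)
        if current is None:                      # first packet of this flow
            kind = classify_probe(flags)
            state[key] = "syn_sent" if kind == "syn" else kind
        elif current == "syn_received":
            if "RST" in flags:
                state[key] = "half_open"         # step 3 was never sent
            elif "ACK" in flags:
                state[key] = "established"       # handshake step 3
    return state

def scan_report(packets, server, threshold=5):
    """Per-source summary; a source is flagged when it touches at least
    `threshold` distinct ports, whichever scan style it used."""
    per_src = defaultdict(lambda: defaultdict(set))
    for (src, port), outcome in track_flows(packets, server).items():
        per_src[src][outcome].add(port)
    report = {}
    for src, outcomes in per_src.items():
        ports = set().union(*outcomes.values())
        report[src] = {
            "ports": len(ports),
            "outcomes": {k: len(v) for k, v in outcomes.items()},
            "flagged": len(ports) >= threshold,
        }
    return report

if __name__ == "__main__":
    for src, info in scan_report(build_sample(), SERVER).items():
        print(src, info)
```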
58
NMAP scan FTP Proxy Bounce
NMAP
  • FTP Proxy "Bounce Attacks" utilize an ancient
    feature of FTP servers. These servers allow a
    user to tell the server to send the file to
    another system. Using this capability, an
    attacker can bounce an NMAP port scan off of
    someone's FTP server, to help obscure the source
    of the attack.
  • You should make sure that you disable the FTP
    Bounce capability from your public FTP servers.

59
NMAP TCP Stack Fingerprinting
NMAP
  • Attempts to determine the operating system of
    target by sending various packet types and
    measuring the response
  • This concept originated with a tool called QueSO,
    available at http://www.apostols.org/projectz/queso

60
NMAP TCP Stack Fingerprinting
NMAP
  • Nmap does various types of tests to determine the
    platform
  • TCP Sequence Prediction
  • SYN packet to open port
  • NULL packet to open port
  • SYN|FIN|URG|PSH packet to open port
  • ACK packet to open port
  • SYN packet to closed port
  • ACK packet to closed port
  • FIN|PSH|URG packet to closed port
  • UDP packet to closed port

61
NMAP TCP Stack Fingerprinting
NMAP
  • In addition to finding out what ports are open on
    a system, an attacker also wants to determine
    which platform (Operating system and hardware)
    the system is based on.
  • By determining the platform, the attacker can
    further research the system to determine the
    particular vulnerabilities it is subject to.
  • For example, if the system is a Windows NT Server
    4.0 box, the attacker can utilize
    http://www.technotronic.com or http://xforce.iss.net/
  • to focus the attack.

62
TCP Stack Fingerprinting
NMAP
  • Note that each TCP stack implementation may have
    a very unique signature to how it behaves,
    particularly when confronted with various illegal
    combinations of TCP flags and packets!
  • This information is used to identify the target
    system.
  • NMAP has a data base of how various systems
    respond to these illegal flags. NMAP can
    determine what system you are running!!!

63
TCP Stack Fingerprinting
NMAP
  • Based on the TCP stack response, Nmap can
    identify over 386 types and versions of systems,
    including
  • Windows 3.1, 3.11, 95, 98, NT (SP 1-4 or 5-6)
  • Win2000
  • Solaris 2.x AIX
  • Cisco IOS
  • Linux
  • 3Com products
  • NetBSD, FreeBSD
  • MacOS
  • VAX/VMS / Open VMS
  • HP/JetDirect
  • HP-UX
  • SCO UNIX
  • IRIX

64
TCP Stack Fingerprinting
NMAP
  • Customizable database so the hacker can add his
    own information signatures
  • Using this information, an attacker can focus an
    attack!!!
  • An NT Portscanner -- SuperScan

65
NMAP Demo
  • Superscanner demo

66
NMAP Scans
bash-2.04$ sudo nmap
Nmap V. 2.54BETA29 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
  -sT TCP connect() port scan (default)
* -sS TCP SYN stealth port scan (best all-around TCP scan)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p <range> ports to scan.  Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended.  Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
  -iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
67
bash-2.04$ sudo nmap -sS -O -v www.snowmaps.com
Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Host (207.198.14.42) appears to be up ... good.
Initiating SYN Stealth Scan against (207.198.14.42)
Adding open port 25/tcp
Adding open port 53/tcp
Adding open port 80/tcp
Adding open port 22/tcp
Adding open port 3306/tcp
Adding open port 110/tcp
The SYN Stealth Scan took 8 seconds to scan 1548 ports.
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
www.snowmaps.com
68
Interesting ports on (207.198.14.42):
(The 1542 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
3306/tcp   open        mysql

Remote operating system guess: FreeBSD 2.2.1 - 4.1
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=34067 (Worthy challenge)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds
bash-2.04$
www.snowmaps.com
69
bash-2.04$ sudo nmap -sS -O -v 24.49.192.77
Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Host ny-utica3b-77.aburny.adelphia.net (24.49.192.77) appears to be up ... good.
Initiating SYN Stealth Scan against ny-utica3b-77.aburny.adelphia.net (24.49.192.77)
The SYN Stealth Scan took 594 seconds to scan 1548 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1548 scanned ports on ny-utica3b-77.aburny.adelphia.net (24.49.192.77) are: filtered
Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
SInfo(V=2.54BETA29%P=i686-pc-linux-gnu%D=11/5%Time=3BE6CB47%O=-1%C=-1)
T5(Resp=N)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(Resp=N)

Nmap run completed -- 1 IP address (1 host up) scanned in 633 seconds
bash-2.04$
24.49.192.77
70
bash-2.04$ sudo nmap -sS -O -P0 -v 24.24.27.115
Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Host syr-24-24-27-115.twcny.rr.com (24.24.27.115) appears to be up ... good.
Initiating SYN Stealth Scan against syr-24-24-27-115.twcny.rr.com (24.24.27.115)
The SYN Stealth Scan took 2008 seconds to scan 1548 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1548 scanned ports on syr-24-24-27-115.twcny.rr.com (24.24.27.115) are: filtered
Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
SInfo(V=2.54BETA29%P=i686-pc-linux-gnu%D=11/5%Time=3BE6DB03%O=-1%C=-1)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Nmap run completed -- 1 IP address (1 host up) scanned in 2192 seconds
bash-2.04$
24.24.27.115
71
bash-2.04$ sudo nmap -sS -O -v www.webtag.net
Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Host (206.74.229.14) appears to be up ... good.
Initiating SYN Stealth Scan against (206.74.229.14)
Adding open port 80/tcp
Adding open port 110/tcp
Adding open port 21/tcp
Adding open port 106/tcp
Adding open port 53/tcp
Adding open port 23/tcp
Adding open port 25/tcp
Adding open port 1112/tcp
Adding open port 513/tcp
Adding open port 79/tcp
Adding open port 514/tcp
The SYN Stealth Scan took 26 seconds to scan 1548 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on (206.74.229.14):
(The 1536 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
53/tcp     open        domain
79/tcp     open        finger
80/tcp     open        http
106/tcp    open        pop3pw
110/tcp    open        pop-3
139/tcp    filtered    netbios-ssn
513/tcp    open        login
514/tcp    open        shell
1112/tcp   open        msql

Remote operating system guess: Solaris 2.6 - 2.7
Uptime 1.453 days (since Sun Nov  4 03:56:09 2001)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=22872 (Worthy challenge)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 37 seconds
bash-2.04$
www.webtag.net
73
Port Scanner Defense
  • Close all unused ports!
  • Unix: /etc/inetd.conf, also /etc/rc3.d (xinetd
    daemon)
  • Windows NT: disable all unnecessary services by
    uninstalling them or shutting them off in the
    Services control panel
  • Windows 2000: restrict ports, shut off services

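Added example, not from the slides: a parser for the per-port lines of nmap's normal output (the format printed on slides 68 and 71) that reconciles one host's scan against an inventory of the services it is supposed to run, so that "close all unused ports" becomes a concrete list. The sample output is the www.webtag.net table from slide 71; the inventory and the list of cleartext login services are assumptions.

```python
import re

# Matches the per-port lines of nmap's normal output, e.g. "22/tcp open ssh"
# or "139/tcp filtered netbios-ssn".
PORT_LINE = re.compile(
    r"^\s*(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)", re.M)

# Sample input: the port table nmap printed for www.webtag.net on slide 71.
SAMPLE_OUTPUT = """\
Interesting ports on (206.74.229.14):
(The 1536 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
53/tcp     open        domain
79/tcp     open        finger
80/tcp     open        http
106/tcp    open        pop3pw
110/tcp    open        pop-3
139/tcp    filtered    netbios-ssn
513/tcp    open        login
514/tcp    open        shell
1112/tcp   open        msql
Remote operating system guess: Solaris 2.6 - 2.7
"""

# Constructed inventory (an assumption): what the business says this host
# must serve. Keys are (port, protocol); values are expected service names.
INVENTORY = {
    (21, "tcp"): "ftp",
    (25, "tcp"): "smtp",
    (53, "tcp"): "domain",
    (80, "tcp"): "http",
    (110, "tcp"): "pop-3",
    (443, "tcp"): "https",
}

# Services that carry logins or commands in the clear (my categorisation);
# an open one of these deserves a look even when the inventory allows it.
CLEARTEXT_LOGIN = {"telnet", "login", "shell", "ftp", "pop-3"}

def parse_ports(text):
    """Return [(port, proto, state, service), ...] in nmap's printed order."""
    return [(int(p), proto, state, svc)
            for p, proto, state, svc in PORT_LINE.findall(text)]

def reconcile(text, inventory):
    """Compare one host's scan output with its inventory.

    close:    open ports the inventory does not account for (shut them off)
    missing:  inventoried services not seen open (broken, or filtered)
    filtered: ports a packet filter answered for, not the host itself
    review:   allowed-but-cleartext services worth a second look
    """
    seen = parse_ports(text)
    open_ports = {(p, proto): svc for p, proto, st, svc in seen if st == "open"}
    return {
        "close": sorted(k for k in open_ports if k not in inventory),
        "missing": sorted(k for k in inventory if k not in open_ports),
        "filtered": sorted((p, proto) for p, proto, st, _ in seen
                           if st == "filtered"),
        "review": sorted(k for k, svc in open_ports.items()
                         if k in inventory and svc in CLEARTEXT_LOGIN),
    }

if __name__ == "__main__":
    for category, ports in reconcile(SAMPLE_OUTPUT, INVENTORY).items():
        print(category, ports)
```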
74
Port Scanner Defense
  • Utilize an Intrusion Detection System (IDS)
  • Commercial
  • ISS RealSecure
  • Cisco NetRanger
  • Network Flight Recorder
  • More
  • Freeware
  • Snort

75
Firewall Attacks
FireWalk
  • Firewalk allows an attacker to determine which
    ports on a (packet filter) firewall are open
  • Written by David Goldsmith and Michael Schiffman,
    October 1998, and available at
    http://packetstorm.securify.com/UNIX/audit/firewalk
  • Based on ideas originally used in traceroute, a
    tool that determines the path of packets using
    the IP Time-To-Live (TTL) field

Scanning -- FireWalk
76
  • Firewalk is a network auditing tool that attempts
    to determine what transport protocols a given
    gateway will pass.
  • Firewalk works by sending out TCP or UDP packets
    with a TTL one greater than the targeted gateway.
    If the gateway allows the traffic, it will
    forward the packets to the next hop where they
    will expire and elicit an ICMP_TIME_EXCEEDED
    message.
  • If the gateway host does not allow the traffic,
    it will likely drop the packets on the floor and
    the tool will see no response.

77

Knowing which ports are open through your
firewall is incredibly useful information for an
attacker. Each of these open ports offers a
possible entryway into your network. Nmap is used
to send packets to an end system to determine
which ports are listening on a given machine.
Firewalk is used to send packets through a packet
filter device (firewall or router) to determine
which ports are open through it. Nmap cannot
differentiate between what is open on an end
machine and what is being firewalled. Firewalk
can determine if a given port is allowed through
a firewall.
78
[Diagram: probes sent with TTL=1 and TTL=2; each expires at the corresponding hop, which answers with Time to Live Exceeded]
79
What Does Firewalk give the attacker?
  • An attacker will use this information to probe
    your DMZ and internal systems through the proper
    ports. If you allow port 23 through your
    firewall, but nothing is listening on your DMZ on
    port 23, you might feel safe. An attacker can
    verify that port 23 is open through your firewall
    with Firewalk, even though nothing on your DMZ
    has that port open.
  • Once the open port through the firewall is
    discovered, an attacker can easily set up a script
    to check if any DMZ systems suddenly have telnetd
    enabled. You might periodically enable it for
    some administrative functions. If so, the
    attacker can jump in and gain access.

81
  • Works for TCP or UDP, since time-to-live is at
    the IP-layer
  • Firewalk requires two inputs
  • The IP address of the gateway before firewall
    filtering takes place (e.g., 10.1.1.1)
  • An ultimate destination on the other side of the
    firewall (e.g., 10.2.1.10)

85
  • Firewalk utilizes the Time-To-Live (TTL) field of
    the IP header. Therefore, it can function to
    determine which ports are filtered for either UDP
    or TCP, which ride on top of IP.

[Diagram: firewall external IP 10.1.1.1; protected server IP 10.2.1.10]
86
  • Firewalk determines the filtering rules
    associated with packet filters (either for a
    host-based packet filter firewall or router
    access control lists). Firewalk does not work
    against pure proxy-based firewalls, because
    proxies do not forward packets. Instead, a proxy
    application absorbs packets on one side of the
    gateway and regenerates packets on the other
    side. Packet filters actually forward the same
    packets, after applying filtering rules.

87
  • The two inputs for firewalk serve to bound the
    scan.
  • The first IP address is of the firewall itself,
    so the tool can try to "walk" through it by
    incrementing the TTL during a port scan.
  • The second IP address is of the ultimate
    destination machine, so that all packets will
    have this single destination (although the TTL
    will be too small for any packets to actually get
    there). The next slide describes the process of
    firewalking in more detail.

88
Firewalk phases
  • Given this info, firewalk operates in two phases:
  • Network Discovery Phase
  • Scanning Phase
  • The Network Discovery Phase essentially does a
    traceroute to determine the hop count to the last
    gateway (router) before the filtering takes place

89
[Diagram: network discovery phase. The attacker sends probes toward IP 10.2.1.10 with TTL=1, 2, 3 and 4; each hop up to and including the firewall (IP 10.1.1.1) answers with Time to Live Exceeded]
90
During the network discovery phase, Firewalk
sends packets with incrementing TTLs to determine
how many network hops exist between the tool and
the firewall. When a packet reaches its maximum
TTL (which is decremented by each hop), the final
gateway sends back a Time-to-live exceeded
message.
This is essentially the same function as
traceroute, used to determine the hop count. Once
this number is determined, the tool can conduct
the scanning phase.
[Diagram: attacker; firewall IP 10.1.1.1; protected host IP 10.2.1.10]
91
[Diagram: scanning phase. With TTL=4 (one beyond the firewall), the attacker sends probes to TCP ports 1, 2, 3, 4 and 80 of IP 10.2.1.10; the port 80 probe draws a Time to Live Exceeded reply, so port 80 is unfiltered. Firewall IP 10.1.1.1]
92
Firewalk
  • The Scanning Phase is very simple. A port scan is
    done with packets whose time to live is set
    beyond the last gateway before filtering
  • Based on response, we can determine filtering
    rules
  • If a Time-To-Live exceeded message comes back,
    the port is open, because the packet got through
  • If nothing comes back, the port is filtered

93
Firewalk
  • For the scanning phase, the TTL is set to one
    greater than the hop count to the filtering
    device. If a packet gets through the filter, a
    Time-To-Live exceeded message will be sent by the
    system immediately on the other side of the
    filter. If a Time-To-Live exceeded message comes
    back, that port is open through the firewall. If
    nothing comes back (or a port unreachable
    message), the port is filtered by the firewall.
  • By conducting a scan of all TCP and UDP ports,
    the attacker can get a very accurate idea of the
    filtering rules.

94
Firewalk Defenses
  • 1) Just live with it: accept the fact that
    someone could map your network and determine your
    firewall filtering rules
  • 2) Disallow ICMP TTL Exceeded messages from
    leaving your internal network. May cause
    problems! Network diagnostics may not work, and
    your users may want to traceroute (quite a
    reasonable idea for sensitive networks); NAT
  • 3) Use a proxy server instead of a packet filter
  • Packet filters have IP forwarding on, so the
    packets traverse them and "live on"
  • Proxies are an end point of the connection; the
    packets are not forwarded, so their life ends
    upon reaching the proxy
  • Possible performance implications

Scanning -- FireWalk
95
Vulnerability Scanners

96
(No Transcript)
97
Vulnerability Scanners
  • SATAN is the granddaddy of these tools (SAINT
    and SARA derive from it; SANTA is SATAN renamed)
  • Many commercial derivatives
  • ISS's Internet Scanner
  • Network Associates' CyberCop
  • Cisco's NetSonar
  • These are all tools to help to map a network,
    scan for open ports, and find various
    vulnerabilities
  • They generate nice looking reports for
    management
  • The tools test against a list of known exploits
  • What about the unknown?
  • That's why we want to have security in-depth!
  • Use a multi-layered, sound architecture

Vulnerability Scanning
98
SATAN
  • SATAN is rather old, and does not include a
    mountain of vulnerabilities that have been
    discovered since its release. The commercial
    tools are fairly easy to use, with
    point-and-click GUIs. If you are going to use
    them, please make sure that you know what you are
    doing!
  • Tip: disable Denial of Service (DoS) attacks,
    unless you specifically want them. You don't
    want to disrupt your own network productivity

Vulnerability Scanning
99
More Tips
  • Be careful with password guessing modules. They
    may lock out legitimate users! You may want to
    disable these modules from running across the
    network and use password cracking software on the
    local system files to find weak passwords. Use
    L0phtCrack or others; look on your CD under
    password crackers.

Vulnerability Scanning
100
Scanner Limitations
  • Vulnerability scanning tools are extremely useful
    because they automate security checks across a
    large number of systems over the network.
    However, please understand their limitations!
  • The tools only check for vulnerabilities that
    they know. They cannot find vulnerabilities that
    they don't understand.
  • The tools tend to be very dumb and flat -- they
    look for known vulnerabilities one host at a time,
    without reasoning about how the systems fit
    together.
  • A real attacker will apply a great deal of
    intelligence to try to reverse engineer your
    network.
  • Instead of just looking at the outside
    interfaces, the intelligent attacker will try to
    understand what's going on behind them.

Vulnerability Scanning
101
Nessus
  • Nessus is a free, open-source general
    vulnerability scanner
  • It is used by the white hat community (security
    folks) and the black hats (malicious hackers)
  • Facts
  • Project started by Renaud Deraison
  • Available at http://www.nessus.org
  • Consists of a client and server, with modular
    plugins for individual tests

Vulnerability Scanning
102
Nessus
  • Nessus is a very useful tool, and has some
    advantages over the commercial tools
  • You can review the source-code of the main tool
    and any of the security checks to make sure that
    nothing "fishy" is going on.
  • You can write your own tests and incorporate them
    into the tool
  • A large group of developers is involved around
    the world creating new tests
  • The price! US $0.00
  • DEMO!

Vulnerability Scanning
103
[Diagram: the Nessus client configures and monitors the scan; the server runs numerous plug-ins with various tests against the targets]
Vulnerability Scanning
104
(No Transcript)
105
Nessus
  • The client and server can be on the same machine.
    (you can put it all on a laptop)
  • Information between the client and the server can
    be encrypted
  • Large number of plug-ins available for the
    server, each testing for specific vulnerabilities
    in the target.

Vulnerability Scanning
106
Nessus - Platform
  • Server
  • FreeBSD, Linux, and Solaris
  • Client
  • FreeBSD, Linux, Solaris
  • Windows 95/98/NT/2000
  • Java (can run on Macs, anything)
  • Remember, both Client and Server can be on the
    same machine.
  • For serious work with Nessus, use Nessus on Unix

Vulnerability Scanning
107
Nessus - Plugins
  • Separate plug-in for each type of attack
  • There is a defined API for writing Nessus
    plug-ins
  • Currently, plug-ins written in C
  • Or, plugins can be written in the Nessus Attack
    Scripting Language (NASL)
  • One plugin is in charge of doing one attack and
    to report the result to the nessus server
    (nessusd).
  • Each plugin can use some functions of the Nessus
    library, called libnessus.
  • CVS version and daily snapshots are available.
  • As of November, 2000
  • Over 300 UNIX plug-ins
  • 90 Windows NT plug-ins
  • Make sure you check those MD5 hashes!!! (so you
    don't load a Trojan plugin!!!!!)
  • A very nice capability of Nessus is the ability
    to write your own plug-ins, a capability not
    supported in the major commercial scanners.

Vulnerability Scanning
108
Nessus GUI
You can configure:
  • the port for the client-to-server communication
  • encryption algorithms
  • target systems
  • which plugins to use
  • port ranges and types of scans
  • the e-mail address for the report
Vulnerability Scanning
109
Vulnerability Scanners - Defense
  • Close all unused ports: shut off all unneeded
    services
  • In Windows NT, stop or delete services in the
    Services control panel
  • In UNIX, edit /etc/inetd.conf and the rc.d files
  • Apply all system patches
  • Keep up to date!
  • Utilize an Intrusion Detection System
  • Network-based IDS
  • Commercial: ISS RealSecure, Cisco NetRanger,
    Network Flight Recorder, Dragon, etc.
  • Freeware: Snort

Vulnerability Scanning
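An added check for the first defense on this slide (this is example code, not from the course): a parser for the /etc/inetd.conf layout that lists the services actually enabled and flags the ones the course singles out later, the r-commands that trust client IP addresses and the other cleartext services. The sample file and the risk table are constructed; the field order (service, socket type, protocol, wait/nowait, user, server program, arguments) is the real inetd.conf format.

```python
"""Audit of an inetd.conf (added example, not from the course).  The sample
file is constructed; the parser follows the real inetd.conf layout:
service  socket-type  protocol  wait/nowait  user  server-program  [args]
"""

SAMPLE_INETD_CONF = """\
# /etc/inetd.conf  (constructed sample)
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
exec     stream  tcp  nowait  root    /usr/sbin/tcpd  in.rexecd
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
tftp     dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd /tftpboot
"""

# Why each service matters to the defender (constructed table).
RISKY = {
    "shell":  "r-command: trusts hosts.equiv/.rhosts, i.e. the client IP address",
    "login":  "r-command: trusts hosts.equiv/.rhosts, i.e. the client IP address",
    "exec":   "r-command: cleartext password over the network",
    "telnet": "cleartext password over the network",
    "ftp":    "cleartext password over the network",
    "tftp":   "no authentication at all",
    "finger": "leaks user names to reconnaissance",
}


def parse_inetd_conf(text):
    """Return the enabled entries as dicts; a leading '#' disables a line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue                      # malformed line, inetd would reject it
        entries.append({"service": fields[0], "socket": fields[1],
                        "proto": fields[2], "user": fields[4],
                        "program": fields[5], "args": fields[6:]})
    return entries


def audit(text):
    """Map each enabled risky service to the reason it should be shut off."""
    findings = {}
    for entry in parse_inetd_conf(text):
        reason = RISKY.get(entry["service"])
        if reason:
            if entry["user"] == "root":
                reason += "; runs as root"
            findings[entry["service"]] = reason
    return findings


if __name__ == "__main__":
    for service, reason in audit(SAMPLE_INETD_CONF).items():
        print(f"{service:8} {reason}")
```

Disabling a service is a matter of commenting the line out and sending inetd a HUP; the audit is what you rerun afterwards, and on the scanner side it tells you which findings to expect before the report arrives.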
110
Exploiting Systems
  • Gaining Access
  • Denial of Service
  • Application Level Attacks
  • Stealthy Attacks

111
Gaining Access
  • IP Address Spoofing
  • IP Fragmentation Attacks, FragRouter
  • Sniffing (Sniffit)
  • Session Hijacking (Hunt)
  • DNS Cache Poisoning (Jizz)
  • Web Hijacking
  • Netcat and other Hack tools

Exploiting Systems
112
IP Address Spoofing
  • Spoofing: pretending to be someone else
  • IP address spoofing is quite common in a number
    of attacks
  • Foiling systems that utilize IP addresses for
    control
  • Router access control lists
  • Firewalls
  • Trust relationships (particularly, UNIX
    r-commands)
  • Denial of Service
  • Logs

Exploiting Systems
113
IP Spoofing
  • IP Spoofing can be trivial or very complex
  • Option 1: Change the IP address
  • Option 2: IP Address Spoofing and Trust
    Relationship Attacks
  • Option 3: IP Address Spoofing and Source Routing

Exploiting Systems
114
IP Spoofing
  • One of the most common types of attack building
    blocks involves changing or disguising your IP
    address, commonly called "IP Address Spoofing".
    After all, an attacker doesn't want to have
    his/her actions traced. Furthermore, IP address
    spoofing can be used to undermine various
    applications, particularly those that
    (dangerously) rely only on IP addresses for
    authentication or filtering. The UNIX
    "r-commands" (e.g., rlogin, rsh, rcp, etc.) are
    examples of tools that support authentication
    based on IP address.

Exploiting Systems
115
Option 1
  • I can change my IP address to anything I want...
  • UNIX: ifconfig eth0 w.x.y.z
  • Windows: use the network control panel
  • Yes, but... You won't get responses to your
    messages, because the network won't route the
    responses back to you
  • Also, the TCP 3-way handshake will cause you
    problems
  • The real owner of the address will answer the
    target's SYN-ACK with a RESET and tear your
    connection down, unless ....

Exploiting Systems IP Spoofing
116
Recall the Three Way Handshake
1. A sends SYN, seq = x
2. B sends SYN, seq = y, ACK x+1
3. A sends ACK y+1
The handshake allows for the establishment of
sequence numbers (x and y are the ISNs, Initial
Sequence Numbers) between the two systems. These
sequence numbers are used so that TCP can provide
for reliable packet delivery in sequential order.
Sequence numbers are used for sequencing and
retransmissions.
117
Option 1: Simple Spoofing, Change Address
When the target (Bob) sends the 2nd leg of the 3-way
handshake to the address Eve is using, the system
whose address is being spoofed (Alice) will send a
RESET message. The RESET message says, essentially,
"Hey! I'm not having a conversation with you ....
Leave me alone!"
[Diagram: Eve sends SYN(A, ISNa) claiming to be A; B answers SYN(B, ISNb) ACK(ISNa+1), which is routed to the real A; A replies RESET!!]
118
Option 1: Simple Spoofing, Change Address
  • An attacker can use simple IP address spoofing to
    cover his/her tracks in a simple Denial of
    Service attack (which we'll discuss later).
    However, it's not too useful beyond that.
  • So, simple address spoofing is of limited use.
    You cannot have true interactive sessions with a
    host using this technique (unless you are on the
    same LAN segment .... If Eve were on the same LAN
    as Bob, the response from Bob could be
    intercepted by Eve, allowing for interactive
    sessions).

Exploiting Systems IP Spoofing
119
Option 2 Exploit Trust
  • We can take over a system with IP Address
    spoofing by Eve exploiting the UNIX trust
    relationships
  • A variant of this attack was used by Kevin
    Mitnick against Tsutomu Shimomura in December,
    1994
  • Sadly, it's still a useful technique today
  • Mostly on intranets, because properly implemented
    firewalls have helped to stop this attack across
    the Internet

Exploiting Systems IP Spoofing
120
Option 2 Exploit Trust
  • Assume machine Bob trusts machine Alice (e.g.,
    Alice's name is in Bob's /etc/hosts.equiv file or
    in a user's ~/.rhosts file)
  • These trust relationships essentially mean that
    once a user logs in to Alice, the user can access
    Bob without supplying a password. This access is
    allowed, because Bob trusts Alice to do the
    authentication properly. These trust
    relationships are essentially using IP addresses
    to support (or substitute for) authentication.

Exploiting Systems IP Spoofing
121
Option 2 Exploit Trust
  • Trust relationships are widely used in the UNIX
    world, particularly for system administration. We
    frequently see environments where a single
    administrator is responsible for dozens or even
    hundreds of systems. To move from system to
    system, they often use trust relationships and
    UNIX r-commands for access so that they do not
    have to retype the password again and again and
    can easily send commands via rsh. This is a major
    security concern, because these trust
    relationships can be undermined as described on
    the next slide

Exploiting Systems IP Spoofing
122
Exploit Trust
  • The "random" sequence number sent by Bob (ISNb)
    is often predictable
  • Eve can interact with Bob and, based on careful
    timing, predict future sequence numbers with some
    level of accuracy
  • This gives Eve a one-way channel to Bob
  • And Bob will think Eve is Alice!!! That's a
    spoof!
  • Great!!! But... What about Alice's RESET?
  • You take Alice out of the picture for a while...
    Denial of Service

Exploiting Systems IP Spoofing
Eve can have an open channel to Bob. She can
quickly reconfigure Bob so that Eve has full
access, without spoofing.
123
IP Sequence Prediction
124
Step-by-step
  • Step 0 Eve interacts with Bob by connecting to
    one or more of his open ports. These connections
    allow Eve to determine the approximate rate at
    which Bob's ISNs are changing. This information
    will be used to predict the ISN to use in Step 4.
  • Step 1 Eve launches a Denial of Service attack
    against Alice. Alice is dead for a period of
    time.
  • Step 2 Eve initiates a connection to Bob, using
    Alice's address (Eve will likely try to utilize a
    command like rsh). The first part of the 3-way
    handshake is done.
  • Step 3 Bob dutifully responds with the 2nd part
    of the 3-way handshake. This packet is routed to
    Alice, who is dead and cannot respond with a
    RESET.
  • Step 4 Using the information gathered in Step 0,
    Eve sends the ACK to Bob, again spoofing Alice's
    address

Exploiting Systems IP Spoofing
125
Option 2 Exploit Trust
  • Now Eve has an open channel to Bob
  • Eve (posing as Alice) can feed commands to Bob
  • Eve can use an rsh command to add the real Eve to
    Bob's trust relationship. How? Append her host
    name or address to /etc/hosts.equiv (or to the
    target user's ~/.rhosts). UNIX only.
  • Eve sees no replies from Bob (they are routed to
    Alice); Alice cannot respond with a RESET (due to
    the DoS)
  • For a short time, Eve looks like Alice to Bob
  • Eve must fly blind, but can re-configure Bob.

Exploiting Systems IP Spoofing
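Steps 0 to 4 of the previous slide and the trust extension on this one, as an added toy model (this is not code from the course and sends no real packets). Alice, Bob, Eve, Bob's hosts.equiv and both ISN generators are constructed here. The same attack is run against a BSD-style incrementing ISN, against a random ISN, and with Alice left alive, to show which of the three ingredients (predictable ISN, DoS on Alice, IP-based trust) the blind spoof actually depends on.

```python
"""Option 2 end to end: ISN sampling, DoS on Alice, blind spoofed handshake and
an rsh command that extends Bob's trust to Eve.  Added toy model, not code
from the course; Alice, Bob, Eve and the ISN generators are constructed and
no packet leaves the process.  Bob's rsh is simplified to "trusted source
address + established connection => run the command".
"""
import secrets

ALICE, BOB, EVE = "10.0.0.2", "10.0.0.3", "10.0.0.9"   # constructed addresses
MASK = 0xFFFFFFFF


class PredictableISN:
    """Old BSD style: a fixed increment per connection.  Three samples are
    enough for Eve to know the next value exactly."""
    def __init__(self, start=0x1000, step=64000):
        self.value, self.step = start, step

    def next(self):
        self.value = (self.value + self.step) & MASK
        return self.value


class RandomISN:
    """The first defense on slide 128: an unpredictable ISN."""
    def next(self):
        return secrets.randbelow(1 << 32)


class Bob:
    """rsh server that trusts the hosts in hosts.equiv by IP address only."""
    def __init__(self, isn_gen):
        self.isn_gen = isn_gen
        self.hosts_equiv = {ALICE}
        self.half_open = {}            # client ip -> ISNb sent in our SYN-ACK
        self.established = set()
        self.executed = []

    def recv_syn(self, src, seq):
        isn_b = self.isn_gen.next()
        self.half_open[src] = isn_b
        return {"src": BOB, "dst": src, "seq": isn_b, "ack": (seq + 1) & MASK}

    def recv_rst(self, src):
        self.half_open.pop(src, None)
        self.established.discard(src)

    def recv_ack(self, src, ack):
        isn_b = self.half_open.get(src)
        if isn_b is not None and ack == (isn_b + 1) & MASK:
            del self.half_open[src]
            self.established.add(src)   # a wrong ACK is simply ignored here

    def recv_rsh(self, src, command):
        """Only the one command Eve needs is modelled: appending to hosts.equiv."""
        if src in self.established and src in self.hosts_equiv:
            self.executed.append(command)
            if command.startswith("echo ") and command.endswith(">> /etc/hosts.equiv"):
                self.hosts_equiv.add(command.split()[1])


class Alice:
    def __init__(self):
        self.alive = True

    def recv_syn_ack(self, bob, pkt):
        # "Hey! I'm not having a conversation with you": RST, if she is up.
        if self.alive and pkt["dst"] == ALICE:
            bob.recv_rst(ALICE)


def eve_attack(bob, alice, dos_alice=True):
    # Step 0: legitimate connections from Eve's own address to sample ISNs.
    samples = []
    for _ in range(3):
        samples.append(bob.recv_syn(EVE, 1)["seq"])
        bob.recv_rst(EVE)
    step = (samples[2] - samples[1]) & MASK
    predicted = (samples[2] + step) & MASK
    # Step 1: take Alice off the network so she cannot RST.
    if dos_alice:
        alice.alive = False
    # Steps 2-3: SYN with Alice's address; Bob's SYN-ACK goes to Alice, not Eve.
    syn_ack = bob.recv_syn(ALICE, 5000)
    alice.recv_syn_ack(bob, syn_ack)
    # Step 4: the blind ACK, built from the predicted ISN.
    bob.recv_ack(ALICE, (predicted + 1) & MASK)
    # Eve never sees Bob's replies; she pushes the command anyway.
    bob.recv_rsh(ALICE, f"echo {EVE} >> /etc/hosts.equiv")
    return EVE in bob.hosts_equiv


if __name__ == "__main__":
    print("predictable ISN, Alice under DoS:", eve_attack(Bob(PredictableISN()), Alice()))
    print("random ISN, Alice under DoS     :", eve_attack(Bob(RandomISN()), Alice()))
    print("predictable ISN, Alice alive    :", eve_attack(Bob(PredictableISN()), Alice(), dos_alice=False))
```

Against the real 1994-era stacks Eve also had to account for the per-second increment and for network jitter, which is why the slides say "with some level of accuracy" rather than "exactly"; the model drops that to keep the three ingredients visible. Note that removing any one of them (random ISN, Alice alive, Alice absent from hosts.equiv) defeats the attack.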
126
Option 3 Source Routing
  • This attack is simpler than option 2... and
    platform independent (Option 2 required UNIX
    trust relationships)
  • Just use source routing ....
  • With a source that appears to come from the
    spoofed address
  • ...and a path that includes the "spoofer" --
    (i.e., the attacker)
  • All packets will follow the path
  • And responses will, too
  • This method for IP address spoofing is based on
    source routing. Source routing is an option in IP
    that allows the source of a packet to specify the
    path it will take on the network. Each router hop
    is included in the packet's header.

Exploiting Systems IP Spoofing
127
Source Routing
For this attack, Eve generates a source-routed
packet that appears to come from Alice (that's
the spoof). The packet contains a fake route list
that includes Eve's address. Note that the route
list is correct for all routers between Eve and
Bob; routers before Eve are irrelevant. Eve sends
this packet on the network. If the network allows
source-routed traffic, the packet will follow
Eve's specified path to deliver the packet to
poor Bob. Bob will take action on the packet
(complete the TCP 3-way handshake, or whatever)
and send the response, source routed back along
the reversed route to Eve. Eve will intercept the
packet rather than forwarding it on to Alice ....
There you go! Eve can get the responses from Bob
while spoofing Alice's address.
[Diagram: packet from Eve with route 1. Alice, 2. Router X, 3. Eve, 4. Router Y, 5. Bob, followed by the packet contents; Bob's reply carries the reversed route 1. Bob, 2. Router Y, 3. Eve, 4. Router X, 5. Alice]
128
IP Address Spoofing Defenses
  • Make the Initial Sequence Numbers truly random:
    install the patches for your TCP/IP stacks
  • Be careful with trust relationships: do not extend
    trust outside of the firewall
  • Either UNIX or Windows NT trust relationships
  • Don't base authentication on IP addresses
  • Utilize passwords, crypto, or other techniques
  • Replace the very weak r-commands with stronger
    commands
  • ssh, or its freeware cousins (OpenSSH, lsh)
  • Utilize anti-spoof filters at routers and
    firewalls
  • Do not allow source-routed packets through
    network gateways
  • Internet gateways (firewalls) and business
    partner connections

Exploiting Systems IP Spoofing
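The source-routing attack of slide 127 and the last two defenses on this slide (anti-spoof filters, no source-routed packets through gateways), as one added example that is not code from the course. It builds minimal IPv4 headers carrying the real loose (type 131) or strict (type 137) source route option, parses the option list back, and applies the two gateway checks. All addresses and the internal network 10.1.0.0/16 are constructed; in the scenario Alice is a trusted partner host outside the firewall, so only the source-route check gives Eve's packet away.

```python
"""Gateway checks against IP address spoofing (added example, not code from
the course).  build_ipv4() makes a bare IPv4 header, optionally carrying the
loose (131) or strict (137) source route option that Option 3 relies on;
gateway_verdict() applies the two filters from the defenses slide.  All
addresses and the internal network are constructed.
"""
import ipaddress
import struct

INTERNAL = ipaddress.ip_network("10.1.0.0/16")   # constructed inside network
EOL, NOP, LSRR, SSRR = 0, 1, 131, 137             # IPv4 option type values


def build_ipv4(src, dst, route=(), strict=False):
    """Return a 20-byte IPv4 header (no payload) plus, if route is given, a
    source route option: type, length, pointer (4 = first address), the
    addresses, padded to a 32-bit boundary.  Checksum is left zero."""
    options = b""
    if route:
        addrs = b"".join(ipaddress.IPv4Address(a).packed for a in route)
        options = bytes([SSRR if strict else LSRR, 3 + len(addrs), 4]) + addrs
        options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options


def parse_ipv4(packet):
    """Source, destination and the raw options bytes of a header."""
    ihl = packet[0] & 0x0F
    return (ipaddress.IPv4Address(packet[12:16]),
            ipaddress.IPv4Address(packet[16:20]),
            packet[20:ihl * 4])


def source_route(opts):
    """Walk the option list; return the LSRR/SSRR hop list, or None if absent."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                                   # truncated or malformed
        length = opts[i + 1]
        if kind in (LSRR, SSRR):
            body = opts[i + 3:i + length]
            return [str(ipaddress.IPv4Address(body[j:j + 4]))
                    for j in range(0, len(body) - len(body) % 4, 4)]
        i += length
    return None


def gateway_verdict(packet, iface):
    """iface is 'outside' (Internet side) or 'inside'.  Source-routed packets
    are refused outright; the anti-spoof rule then checks that the source
    address belongs to the side the packet arrived on."""
    src, _dst, opts = parse_ipv4(packet)
    if source_route(opts) is not None:
        return "drop: source-routed"
    if iface == "outside" and src in INTERNAL:
        return "drop: internal source address arriving from outside"
    if iface == "inside" and src not in INTERNAL:
        return "drop: foreign source address leaving the inside"
    return "pass"


if __name__ == "__main__":
    # Slide 127 scenario (constructed addresses): Alice is a trusted partner
    # host outside the firewall, Eve is elsewhere on the Internet, Bob is inside.
    ALICE, EVE, BOB = "203.0.113.5", "192.0.2.7", "10.1.1.50"
    ROUTER_X, ROUTER_Y = "203.0.113.1", "10.1.0.1"
    plain = build_ipv4(ALICE, BOB)
    eves = build_ipv4(ALICE, BOB, route=[ROUTER_X, EVE, ROUTER_Y, BOB])
    print("plain packet from Alice's address:", gateway_verdict(plain, "outside"))
    print("Eve's source-routed version     :", gateway_verdict(eves, "outside"))
    print("route list Eve embedded          :", source_route(parse_ipv4(eves)[2]))
```

The anti-spoof rule alone cannot tell Eve's packet from Alice's, because trust was extended outside the firewall; that is the point of the second and fourth defenses on the slide. The option walk also has to cope with malformed options, which is where real stacks have been tripped up, so it stops rather than indexing past the header.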
129
NEVER
Never accept or forward source-routed packets on
firewalls, routers, or any gateway system!