CSS481 Spring 2003 - PowerPoint PPT Presentation

1 / 41

About This Presentation

Title:

CSS481 Spring 2003

Description:

... not discussed in the 'hacking' literature, but important ... Jerusalem virus on Friday the 13th. caused concern for some years afterwards. CSS481 Spring 2003 ... – PowerPoint PPT presentation

Number of Views:93

Avg rating:3.0/5.0

Slides: 42

Provided by: Steve57

Category:

more less

Transcript and Presenter's Notes

Title: CSS481 Spring 2003

1
Hacking Exploits and Malicious Code

How people break into systems, and what they do
once they get there.
Questions we might ask
why does somebody want to break in?
what are the possible points of entry?
what happens once they get in?

2
Motivations for Breaking In

Often not discussed in the hacking literature,
but important to know your enemy
So why break in?
for the fun of it
to cause damage
hurt the competition
steal trade secrets (customers, designs, ...)
collect email addresses
use the resources
hide identity
... more ... ?

3
Planning and Executing a Breakin

Reconnaissance
find your targets
learn as much about them as possible
Scanning
look for vulnerabilities
Application and Operating System Attacks
Viruses and Other Replicating Programs

4
Reconnaissance

Potential targets
IP addresses
Blocks of IP addresses
Hosts with certain characteristics (banks,
e-commerce sites, data warehouses)
Information about a particular target
people
hosts
information about infrastructure

5
Low-Tech Solutions

Remember, people are a hackers best friend
Make a phone call and ask for
a password
or a reference to another employee
or some information about their workstation
a voicemail box
Common social engineering pretexts
new employee calls help desk wanting information
on how to do a task
manager calls an employee demanding password, or
a reset
SA asks employee for a password
employee calls another employee to get phone or
personal information about an employee

6
Low-Tech Solutions (cont.)

Why call, when a visit is so much more personal?
grab some passwords
bring a floppy and insert some code on the system
grab a hard drive and take it out
Its (not) surprisingly easy to do even in a
fairly secure environment
everybody opens doors for you
not uncommon to be badgeless
And dont forget to take out the trash
notes with passwords
design documents
phone lists
(and dont think that people actually use
shredders)

7
The Internet is Your Friend

A surprising amount of information is available
Employee information
many organizations refuse to give any information
out about the employees
but an employees signature file contains work
phone number and email address
and the email headers may reveal names of servers
and other resources
Corporate culture
give yourself credibility when you visit
Information about the infrastructure
what database, web server, etc. is the company
running
Usenet groups are incredibly rich sources of
information
tech people are not typically very security
conscious
especially when dealing with other tech people

8
Internet Domain Names and Addresses

Given a domain name, find out its primary IP
address
and vice versa
Get contact information for the company
Get IP address blocks
Look at the Sam Spade tool

9
Summary of the Reconnaissance Phase

What are you looking for?
information about a specific organization
information about a potential target
In three basic categories
information about people
information about systems
information about the organization itself
Techniques
low-tech approaches (personal, phone, dumpsters)
information on the web
information from the web itself

10
The Scanning Phase

Suppose the attacker has a target and some
preliminary information
a few phone numbers
domain names / IP addresses
In scanning the attacker is looking for
vulnerabilities that will allow access to
information
systems

11
The First Line of Attack Modems

The victim desktop computer connected to modem
for home use
theyre there
theyre insecure (often not even any password
control!)
they allow wide access
Another nice find repeat dial tones
allow free long distance
affords anonymity
War dialers give them a block of numbers, they
give you
which lines had carriers (and which are likely to
be voice)
what the server said (more information about the
system on the other end) (nudges)
(at a rate of about 100 numbers per hour,
automatically)

12
Defense Against War Dialing

Use a centralized modem pool, which can be
monitored and audited more easily
also hides information about the individual
systems on the network
Allow dial-out access only for phones physically
connected to computers
Attack your own site periodically

13
Mapping the Network

Finding live hosts
given a block of IP addresses
send a PING to a host (whats a PING?)
send messages to common services (HTTP, SMTP)
Finding routers and network topology using
traceroute
And of course this can all be automated to build
a network topology graph
Defense against network scans use firewalls to
allow only the traffic you really need
no pings from the outside world (except external
servers)
filter ICMP time exceeded messages

14
Identifying Services on a Machine Port Scanning

There are 65535 possible ports for TCP services,
and the same number available for UDP service

The latest IANA port assignments can be gotten
from http//www.iana.org/assignments/port-
numbers The Well Known Ports are those from 0
through 1023. The Registered Ports are those
from 1024 through 49151 The Dynamic and/or
Private Ports are those from 49152 through
65535 Each line describes one service, and is
of the form service-name port/protocol
aliases ... comment tcpmux
1/tcp TCP port
service multiplexer tcpmux 1/udp
TCP port service
multiplexer rje 5/tcp
Remote Job Entry rje
5/udp Remote Job
Entry echo 7/tcp echo 7/udp
15
Port Scanning

Can look through common ports or through all
ports
Makes a service request and sees if anything
responds
If it does respond (and especially if its a
well-known service), the scan can yield
information about the responding service
Next slide is output from SuperScan, probing
cssgate

16
(No Transcript)
17
Ethical / Legal Implications of Using These Tools

Please read and refer to the UW Computing
Guidelines at
http//www.washington.edu/computing/rules/guidelin
es.html
The following practices are prohibited
Attempting to test security flaws yourself.
Attempting to disrupt operation of any system or
network.
Altering any data, software, or directories other
than your own without proper authorization.
Probing or connecting to any computers without a
legitimate reason to do so.
Attempting to gain root access on any of the UW
systems unless you have been given authorization
by the system administrator.
Using UW systems or networks as a staging ground
to crack other systems or networks.

18
Different Types of Scans

Polite the TCP connect
recall the three-step handshake, the connect scan
completes the handshake
this will result in either a SYN-ACK response, no
response, a RESET response, or an MCMP Port
Unreachable response
this might provide some additional information
if you get a SYN-ACK, send the final ACK, then
FIN
its time consuming, and logged
SYN scans
just send the first SYN, and see if theres a
response, but dont send the final ACK or FIN
fast, not logged, and (arguably) a DoS attack
Even more broken versions
send a FIN initially to obey the protocol, a
closed port should send a RESET, an open port
should send nothing

19
Other Things to Look At

UDP ports
UDP is a lighter-weight protocol, not having the
handshake, sequenced packets, etc.
PING is the most common UDP service
OS Fingerprint what operating system is
running?
this isnt generally available, but can be
inferred
sometimes the services will give it away
otherwise, try to predict it from the way the OS
responds to TCP requests
the protocol specifies the response in the case
of valid uses of the protocol, but not in the
case of invalid uses (e.g. a NULL packet to begin
a handshake)
and as such, operating systems tend to respond in
idiosyncratic ways

20
Intrusion Detection Systems

IDSs sit on the LAN and collect packets, looking
for attacks, and notifying an administrator if
they think an attack is in progress
The problem is how to infer an attack from a
bunch of network traffic
just traffic (DoS attack)
certain patterns of activity (e.g. a port scan)
Evading the IDS
dont make the scan traffic like a pattern in the
database
dont flood the network
or really flood the network (DoS on the IDS
itself)

21
Protecting against Network Scans and Attacks

Close down all ports not in use
RPC ports and X windows for example
Use firewalls to restrict packets in and out of
the LAN to whatever extent possible
Use most up-to-date version of IDS software
Use both host-based and network-based IDS systems

22
Summary of the Scanning Phase

What you know going in
some cursory information about the site domain
names and/or IP addresses
What you want to know coming out
all the machines and routers on the network
what software each is running (operating system
and services, including version)
what services are provided by which machines, and
which versions
Tools
network scanners (PINGing and tracing)
port scanners
IDEs
What comes next
knowing the system knowing the vulnerabilities
identify vulnerable software and try to gain
entry (penetration)

23
Application and OS Attacks

This is the access phase. How do you get in,
and what do you do when you get there?
OS Attacks contrasted with
network attacks (1 minute explanation)
viruses (wait for it ...)
The main attacks covered in the book are
buffer overflow attacks
SQL attacks
password harvesting
web application attacks (session hijacking)
How are these similar and/or different from each
other?

24
Basic Structure of Application Attacks

If you can get your instructions into the
application
And you can get the application to execute it
Then you can do some damage, depending on
the language (machine code, SQL, VB, Javascript)
the privilege level of the application
The "OS" aspect is secondary you get some
application to execute code for you, and it might
or might not be the OS
but some applications allow "escapes" to the OS
and interacting with the OS gives you broader
power

25
Stack Overflow Attacks

Your instructions are written in the actual
machine code of the host OS
which means a certain lack of portability
Getting it into the application is accomplished
by
providing longer input than the application
expects (no bounds checking)
the compiler / application allowing you to
overflow a buffer
Executing the machine code is accomplished by
the fact that data and code can be mixed on the
stack
careful manipulation of the input so the
operating system executes the first instruction
in your code
What you then can do
you have the operating systems attention, so you
have access to the file system, other processes
and services, etc
youre limited only by your privilege level (but
many services run as root)

26
Stack/Buffer Overflow Attacks (cont.)

This is more a means of access than a particular
exploit
The components
a running service or daemon
input from a client (read over a port)
input exceeds declared array bounds, and program
doesn't detect an error (bad programming!)
accepting variable is stored on the stack
therefore machine code gets inserted on the stack
careful / lucky manipulation of the code causes a
GOTO into the new code on the stack
operating system allows executing code from the
stack (can be turned off)
Lots of examples various Linux services (FTP),
various Windows services (IIS, SQL Server)

27
What To Do When You've Installed Your Code

Just do some damage
Exec an interactive shell or Xterm (so now the
daemon is still serving your port, but now it's
acting as a root-owned remote shell for you)
Configuration changes that make subsequent
entries possible (i.e. unlock the door from the
inside)
entries in rhosts, rusers
Clean up log files to hide the attack
Install client code that "reverses the direction"
of the packets, with the hope that this will
evade IDS systems

28
SQL Application Attacks

(What was the example we heard about in class?)
An application (e.g. web browser)
accepts user input
builds a SQL query from that input
submits it to a SQL query engine
The essence of the exploit is in
unexpected user input
careless checking of the input

29
SQL Attacks (cont.)

Example, website search by product ID
program is expecting at most 10 alphanumeric
characters
it constructs SELECT TITLE FROM PRODUCTS WHERE
ID "id"
this input would have some interesting side
effects AAA" "" DELETE FROM PRODUCTS WHERE
11
What caused the problem here?
bad input checking (that is not a valid product
ID!)
implicitly providing information about how the
input is processed before being sent to the query
engine
maybe it's done on the client side (e.g. using
Javascript), in which case you really have a
goldmine on your hands!
maybe it's implicitly available via error pages
(web server allows web browser to surface SQL
error messages)
The lessons (here and elsewhere)
input is your enemy
be aware of and careful with error handling
(control the information going from server to
client)
(these are simply good programming practices)

30
Password Attacks

How/why are these fundamentally different from
stack or SQL attacks?
Rely on the fact that
reconnaissance has provided you with some user
IDs
people choose predictable passwords
Online versus offline attacks
online just challenging the login process
repeatedly
time consuming, easy to detect
offline get a copy of the password file, and
challenge it repeatedly
(And of course another line of attack is simply
to try to get people to give you their passwords
directly via web forms.)

31
Web Attacks Session Spoofing

The basic problem HTTP is a "stateless"
protocol
every HTTP request must communicate all relevant
information to the server
at the same time, most web sites want to provide
continuity from page serve to page serve
therefore each HTTP request must contain
information identifying the user / session
The exploit if you can discover somebody else's
session ID, you can pretend to be them
at least for a while
at least for some class of operations

32
Session Spoofing (cont.)

What you can and cannot do about it (in designing
a website protocol)
First, you don't have the luxury of keeping
session IDs secret
since they are transmitted over the network,
somebody will see them
Three things you can do
make them unpredictable, so seeing your own ID
doesn't provide too much information about
others' IDs
choose random numbers, encrypt or hash the values
send only part of the session ID at every page
serve (Amazon's UBID and session ID)
require authentication every time session wants
to do something dangerous (buy something, access
account information)

33
Other Exploits Viruses, Worms, Trojan Horses

What's a virus / worm / Trojan Horse, and how do
they differ from the code we've already seen
Virus
infects another program
replicates
Worm
replicates and spreads over a network
not parasitic on another program
Trojan Horse
doesn't infect another program
no provision for self-replication or spreading
has some unexpected side-effect (doesn't do what
it purports to do)
One real difference is that this kind of Malware
spreads automatically, as opposed to the exploits
we've seen before which are directed by humans.
this introduces several other technical issues
like mutation / polymorphism and other methods
for evading detection, which aids in the
spreading process

34
The Main Structural Components of a Virus

Infection how does the virus spread?
Payload what does the virus do apart from
replicate infect?
Trigger what decides when the payload is
delivered?
Replication how does the virus get to other
machines?

35
Means of Infection

Buffer overflows and its friends
we've already seen how a program can "get in" to
a system through buffer overflow vulnerabilities
and the like
no reason that Malware can't use the same vector
Inviting it in
the classic a hyperlink in an email message
that executes a program
similarly macro-viruses in documents that are
automatically executed when the document is
opened
Boot-sector viruses
virus infects the boot sector of a floppy disc,
which in turn infects the hard drive etc.

36
Payloads

There isn't always a payload
SQL Slammer infected the SQL server memory
image, then aggressively sought to infect other
servers. (DoS attack)
From the annoying to the fatal
display annoying popups
freeze the system
change the registry
destroy permanent storage

37
Trigger

Often triggers immediately, but at one point it
was fashionable to trigger on a particular date
Jerusalem virus on Friday the 13th
caused concern for some years afterwards

38
Important Malware Through History

Lehigh (1987)
infected floppy disks through overwriting slack
space at the end of COMMAND.COM
triggered by DOS commands, and wrote the virus to
other COMMAND.COM files
after four infections, would overwrite some files
no attempt to obscure itself
CHRISTMA EXEC (1987)
first virus transmitted through email? (social
engineering)
drew a Christmas tree on screen and mailed itself
to everybody in the account holder's address book
Morris Worm (1988)
spread via vulnerabilities in Sendmail and Finger
also tried some password cracking
damage was (only) through degradation of service

39
Wave II Malware

WM/Concept (1995)
first widely disseminated macro virus (actually
shipped in production documents)
very little payload (displays a dialog box when
an infected document is opened)
but a very scary proof of concept
ShareFun (1997)
combination of macro virus and email transmission
sent copies to three randomly selected entries in
the user's address book

40
Wave III Malware

Melissa
PrettyPark (1999)
spread via an executable in an email attachment
mails copies to address-book entries
publishes itself to some IRC servers
installs itself first in the application
execution order, making it harder to implement a
"point and click disinfect" solution
Love Bug (2000)
attachment with name LOVE-LETTER-FOR-YOU .TXT.vbs
installed copies in some system directories,
which were executed on startup
overwrote many image and audio files with copies
of the virus
use the address book to send copies
tried to send password information to a web site
in the Philippenes
script file was widely modified and re-deployed
SQL Slammer Worm (2003)
most notable for its speed in replicating
(doubling every 8.5 seconds)
infected 90 of vulnerable hosts (100K) within
10 minutes