
The current state of the Internet


Presentation Transcript


  1. The current state of the Internet
     An unprotected computer on the Internet WILL BE EXPLOITED within 24 hours!
     Richard Treece, ISS, 15 April 2002

  2. Hacker Techniques
     • Find and attack the “weakest link”
     • Reconnaissance
     • Gain access to first machine
     • Use acquired access to gain further access

  3. Disclaimer
     • Hacking is illegal!
     • Some actual organizations and computers are used in the examples, but only to provide realism
     • Do not hack the examples!

  4. The Stages of a Network Intrusion
     1. Scan:
        • IP addresses in use
        • operating system in use
        • “open” TCP or UDP ports
     2. Exploit:
        • Denial of Service (DoS)
        • scripts against open ports
     3. Gain Root Privilege:
        • Buffer Overflows
        • Get Root/Administrator Password
     4. Install Back Door
     5. Use IRC (Internet Relay Chat)

  5. Reconnaissance
     • Public information
       • www
       • news postings
     • Network Scanning
     • Operating System Detection
     • War-dialing

  6. Public Info: www.internic.net
       Domain Name: GATECH.EDU
       Registrant: Georgia Institute of Technology, 258 4TH St, Atlanta, GA 30332
       Contacts:
         Administrative Contact: Herbert Baines III, GA Institute of Tech (GATECH-DOM), 258 4TH St., Atlanta, GA 30332, (404) 894-0226, herbert.baines@oit.gatech.edu
         Technical Contact: OIT, Georgia Tech, 258 Fourth Street, Atlanta, GA 30332, (404) 894-0226, hostmaster@gatech.edu
       Name Servers:
         TROLL-GW.GATECH.EDU   130.207.244.251
         GATECH.EDU            130.207.244.244
         NS1.USG.EDU           198.72.72.10

  7. Public Information: news postings
       Author: rajeshb <rajeshb@ncs.com.sg>
       Date: 1998/12/07
       Forum: comp.unix.solaris

       Hi, Could someone tell me how to configure anonymous ftp for multiple IP addresses. Basically we are running virtual web servers on one server. We need to configure anonymous ftp for each virtual web account. I appreciate it if someone can help me as soon as possible. I know how to configure an anonymous ftp for single IP. Thanks, Rajesh.

  8. Network Scanning
     • Identifies:
       • accessible machines
       • servers (ports) on those machines

  9. Network Scanning (cont’d)
     • nmap -t -v hack.me.com
         21   tcp   ftp
         23   tcp   telnet
         37   tcp   time
         53   tcp   domain
         70   tcp   gopher
         79   tcp   finger
         80   tcp   http
         109  tcp   pop-2
         110  tcp   pop-3
         111  tcp   sunrpc
         113  tcp   auth
         143  tcp   imap
         513  tcp   login
         514  tcp   shell
         635  tcp   unknown

  10. Operating System Detection
     • Stack fingerprinting:
       • OS vendors often interpret specific RFC guidance differently when implementing their versions of the TCP/IP stack.
       • Probing for these differences gives an educated guess about the OS
       • e.g., FIN probe, the “don’t fragment” (DF) bit
     • nmap -O

  11. War-dialing
     • Find the organization’s modems, by calling all of its phone numbers
     • www.fbi.gov: (202) 324-3000
     • Reverse Business Phone lookup: 202-324-3
         All Listings: Government Offices-US
         US Field Ofc, 202-324-3000, 1900 Half St Sw, Washington, DC


  13. Denial of Service (DOS)
     (Source: Chapter 14, “Network Intrusion Detection: An Analyst’s Handbook”, Second Edition, Northcutt and Novak)
     1) SMURF – ICMP echos
     2) ECHO-CHARGEN – UDP port 7 is echo; UDP port 19 is character generator.
        • Spoof a source address and the two victims pound each other
     3) TEARDROP – Send fragments with an offset that is too small
          source.40909 > target.3826: udp 28 (frag 242:36@0+)
          source.40909 > target.3826: 28 (frag 242:4@24)
        • fragment ID = 242 with 36 bytes of data starting at offset 0
        • fragment ID = 242 with 4 bytes of data starting at offset 24
        • but this means the receiver must back up from the 36 bytes already received to offset 24, where this fragment goes
        • The resulting negative length may be treated as a large positive number, and the copy lands in another program’s section of memory
        • If the intrusion detection system (IDS) does not perform a packet reassembly check, the attack will get past the IDS

  14. Denial of Service (DOS)
     4) PING OF DEATH – On a Windows NT box type
          ping -L 65510 <victim IP address>
        This creates a packet that, when reassembled, is larger than the maximum allowed size of 65,535 bytes. Causes a system crash.
        - Max IP packet size allowed = 65535
        - ICMP echo has a “pseudo header” consisting of 8 bytes of ICMP header info
        - Next in the ICMP packet is the ping data that is sent
        - Maximum amount of data that can be sent is 65535 – 20 (IP) – 8 (ICMP) = 65507
        - We sent 65510, which is too large
     5) LAND ATTACK – Source IP address/port equals destination IP address/port
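The three checks a reassembler or IDS needs in order to catch the teardrop, ping-of-death and LAND packets described on slides 13 and 14 are short enough to show in full. The block below is an added example written for this transcript, not code from the slides or from the Northcutt and Novak book: it models a fragment as a small constructed struct (no real packet parsing), reuses the slides' numbers (fragment id 242, 36@0 and 4@24, the 65535/20/8/65507 arithmetic, a 65510-byte ping), and the 10.0.0.1/port 23 LAND sample is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Limits quoted on the slides. */
#define IP_MAX_LEN    65535u
#define IP_HDR_LEN    20u
#define ICMP_HDR_LEN  8u
#define MAX_PING_DATA (IP_MAX_LEN - IP_HDR_LEN - ICMP_HDR_LEN)   /* 65507 */

/* Minimal decoded view of one IP fragment (a constructed struct, not a wire header). */
struct frag {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint16_t id;       /* IP identification, shared by all fragments of one datagram */
    uint16_t offset;   /* payload byte offset, i.e. the fragment-offset field * 8 */
    uint16_t len;      /* payload bytes carried by this fragment */
};

/* LAND: source address/port identical to destination address/port. */
bool is_land(const struct frag *f) {
    return f->src_ip == f->dst_ip && f->src_port == f->dst_port;
}

/* Teardrop: two fragments with the same id claim overlapping byte ranges.
   A reassembler must reject this instead of "backing up" into bytes it has
   already accepted. Pairwise check, so arrival order does not matter. */
bool frags_overlap(const struct frag *frags, size_t n) {
    for (size_t i = 0; i < n; i++) {
        for (size_t j = i + 1; j < n; j++) {
            if (frags[i].id != frags[j].id) continue;
            uint32_t a0 = frags[i].offset, a1 = a0 + frags[i].len;
            uint32_t b0 = frags[j].offset, b1 = b0 + frags[j].len;
            if (a0 < b1 && b0 < a1) return true;   /* half-open intervals intersect */
        }
    }
    return false;
}

/* Ping of death: the highest payload end plus the IP header would exceed the
   65535-byte IPv4 maximum. Pass the fragments of a single datagram. */
bool reassembled_too_large(const struct frag *frags, size_t n) {
    uint32_t end = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t e = (uint32_t)frags[i].offset + frags[i].len;
        if (e > end) end = e;
    }
    return end + IP_HDR_LEN > IP_MAX_LEN;
}

/* ---- constructed samples that reuse the slides' numbers ---- */

/* The teardrop pair from the slide: id 242, 36 bytes @ 0, then 4 bytes @ 24. */
bool sample_teardrop_detected(void) {
    struct frag f[2] = { { .id = 242, .offset = 0,  .len = 36 },
                         { .id = 242, .offset = 24, .len = 4  } };
    return frags_overlap(f, 2);
}

/* The same datagram fragmented normally: the second piece starts where the first ends. */
bool sample_contiguous_ok(void) {
    struct frag f[2] = { { .id = 243, .offset = 0,  .len = 36 },
                         { .id = 243, .offset = 36, .len = 4  } };
    return !frags_overlap(f, 2) && !reassembled_too_large(f, 2);
}

/* ping -L 65510: 8-byte ICMP header + 65510 data = 65518 payload bytes,
   plus the 20-byte IP header = 65538 > 65535. */
bool sample_ping_of_death_detected(void) {
    struct frag f[2] = { { .id = 7, .offset = 0,     .len = 65000 },
                         { .id = 7, .offset = 65000, .len = 518   } };
    return reassembled_too_large(f, 2);
}

/* The largest legal echo request: 65507 data + 8 ICMP = 65515 payload bytes,
   plus 20 IP = exactly 65535, which must still be accepted. */
bool sample_max_ping_ok(void) {
    struct frag f[2] = { { .id = 8, .offset = 0,     .len = 65000 },
                         { .id = 8, .offset = 65000, .len = MAX_PING_DATA + ICMP_HDR_LEN - 65000 } };
    return !reassembled_too_large(f, 2);
}

/* LAND: constructed address 10.0.0.1, port 23, talking to itself. */
bool sample_land_detected(void) {
    struct frag f = { .src_ip = 0x0A000001u, .dst_ip = 0x0A000001u,
                      .src_port = 23, .dst_port = 23, .id = 9, .offset = 0, .len = 20 };
    return is_land(&f);
}

int main(void) {
    printf("teardrop overlap detected: %d\n", sample_teardrop_detected());
    printf("contiguous datagram ok:    %d\n", sample_contiguous_ok());
    printf("ping of death detected:    %d\n", sample_ping_of_death_detected());
    printf("max legal ping ok:         %d\n", sample_max_ping_ok());
    printf("LAND detected:             %d\n", sample_land_detected());
    return 0;
}
```

The overlap test is deliberately pairwise rather than "offset below the bytes received so far", so a legitimately reordered fragment is not flagged; only two pieces that claim the same bytes are. The size check counts the reassembled payload plus the IP header, which is why 65507 bytes of ping data is the boundary that still passes.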

  15. Denial of Service (DOS)
     6) NMAP – Scans looking for open ports. You may download it from www.insecure.org
        • Can crash unpatched systems
        • Can use many modes:
          • Vanilla TCP connect scanning
          • TCP SYN (half open) scanning
          • TCP FIN, Xmas, or null (stealth) scanning
          • TCP ftp proxy (bounce attack) scanning (uses ftp port 20 to connect, even though the connection was not set up via port 21 as is the normal procedure)
          • SYN/FIN scanning using IP fragments
          • UDP raw ICMP port unreachable scanning
          • ICMP scanning (ping-sweep)
          • TCP ping scanning
          • Remote OS identification by TCP/IP fingerprinting

  16. Distributed Denial of Service (DDOS)
     • Client machine – used to coordinate the attack
     • Master or Handler – controls subservient computers
     • Agents or Daemons – actually do the attack
     1) TRINOO – Sends UDP floods to random destination port numbers on the victim
     2) TFN – Sends a UDP flood, TCP SYN flood, ICMP echo flood, or a SMURF attack. The master communicates with the daemon using ICMP echo reply, changing the IP identification number and payload of the ICMP echo reply to identify the type of attack to launch.
     3) TFN2k – First DDOS for Windows. Communication between master and agents can be encrypted over TCP, UDP, or ICMP with no identifying ports
     4) STACHELDRAHT – Combination of Trinoo and TFN
     • If you are a DDOS victim, at present there is very little you can do about it!!!


  18. “The Holy Grail”
     • Hackers seek Superuser/Root privilege (SUID) on the machine they are exploiting
     • With SUID privilege, they ‘own’ the machine
     • They can use the resources available for their own purposes (e.g., crack passwords) or destroy data on the machine

  19. Gaining SUID privilege
     1. Easiest way – trying default manufacturer password settings
     2. Next easiest – Social Engineering
        • Impersonate Tech Support
        • Hide trojan software inside free games, screensavers, etc. (e.g., “Anna Kournikova”)
     3. More difficult – Buffer Overflow Attack
        • Must be a skilled programmer

  20. Gain access to first machine
     • Configuration errors
     • System-software errors

  21. Configuration errors: NFS
       $ showmount -e hack.me.com
       export list for hack.me.com:
       /home (everyone)

  22. Config errors: anonymous ftp (#1)
       $ ftp hack.me.com
       Connected to hack.me.com.
       220 xyz FTP server (SunOS) ready.
       Name (hack.me.com:jjyuill): anonymous
       331 Guest login ok, send ident as password.
       Password:
       230 Guest login ok, access restrictions apply.
       ftp> get /etc/passwd
       /etc/passwd: Permission denied
       ftp> cd ../etc
       250 CWD command successful.
       ftp> ls
       200 PORT command successful.
       150 ASCII data connection for /bin/ls (152.1.75.170,32871) (0 bytes).
       226 ASCII Transfer complete.

  23. Config errors: anonymous ftp (#2)
       ftp> get passwd
       200 PORT command successful.
       150 ASCII data connection for passwd (152.1.75.170,32872) (23608 bytes).
       226 ASCII Transfer complete.
       local: passwd remote: passwd
       23962 bytes received in 0.14 seconds (1.7e+02 Kbytes/s)
       ftp> quit
       221 Goodbye.

  24. Config errors: anonymous ftp (#3)
       $ less passwd
       sam:0Ke0ioGWcUIFg:100:10:NetAdm:/home/sam:/bin/csh
       bob:m4ydEoLScDlqg:101:10:bob:/home/bob:/bin/csh
       chris:iOD0dwTBKkeJw:102:10:chris:/home/chris:/bin/csh
       sue:A981GnNzq.AfE:103:10:sue:/home/sue:/bin/csh
       $ Crack passwd
       Guessed sam [sam]
       Guessed sue [hawaii]

  25. System-software errors: imapd (#1)
     • imapd buffer-overflow
       $ telnet hack.me.com 143
       Trying hack.me.com...
       Connected to hack.me.com
       Escape character is '^]'.
       * OK hack.me.com IMAP4rev1 v10.205 server ready AUTH=KERBEROS

  26. System-software errors: imapd (#2)
     • sizeof(mechanism)==2048
     • sizeof(tmp)==256
       char *mail_auth (char *mechanism, authresponse_t resp, int argc, char *argv[])
       {
         char tmp[MAILTMPLEN];            /* MAILTMPLEN is 256 */
         AUTHENTICATOR *auth;
         /* make upper case copy of mechanism name */
         ucase (strcpy (tmp,mechanism));  /* unbounded copy of a 2048-byte mechanism into a 256-byte stack buffer: overflow */
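The defect on slide 26 is one unbounded strcpy; the fix is a copy that refuses anything that does not fit. The block below is an added example written for this transcript, not the imapd source and not the slides' code: the "before" function is a reconstruction of the single line shown, the hardened routine additionally enforces the SASL rule (RFC 4422) that a mechanism name is 1 to 20 characters of letters, digits, '-' and '_', and the 2047-character test input is constructed to match the 2048-byte mechanism buffer sized on the slide.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAILTMPLEN    256    /* sizeof(tmp) on the slide */
#define MECHANISM_LEN 2048   /* sizeof(mechanism) on the slide */

/* The slide's pattern, kept only as the "before" (a reconstruction of the one
   line shown, not the imapd source). strcpy copies up to the NUL in mechanism,
   so a name longer than MAILTMPLEN-1 bytes runs off the end of tmp on the stack. */
static void ucase_inplace(char *s) {
    for (; *s; s++) *s = (char)toupper((unsigned char)*s);
}
void mail_auth_unbounded(const char *mechanism, char tmp[MAILTMPLEN]) {
    ucase_inplace(strcpy(tmp, mechanism));   /* no length check: overflow */
}

/* Hardened replacement. A SASL mechanism name (RFC 4422) is 1 to 20 characters
   drawn from uppercase letters, digits, '-' and '_', so the check is strict:
   nothing is written to out[] unless the whole name fits and is well formed.
   Returns true on success with the upper-cased name in out[]. */
bool mechanism_upper(const char *mechanism, char *out, size_t out_len) {
    if (mechanism == NULL || out == NULL || out_len == 0) return false;

    /* Find the terminator without scanning past the room we have. */
    size_t n = 0;
    while (n < out_len && mechanism[n] != '\0') n++;
    if (n == out_len) return false;          /* longer than out_len-1: would overflow */
    if (n == 0 || n > 20) return false;      /* outside the SASL name length range */

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)mechanism[i];
        if (!(isalnum(c) || c == '-' || c == '_')) return false;
        out[i] = (char)toupper(c);
    }
    out[n] = '\0';
    return true;
}

/* The slide's mail_auth() prologue with the bounded routine in place of strcpy.
   The 256-byte stack buffer stays; it is just never overrun. Returns 1 if the
   name was accepted, 0 if rejected (the rest of the lookup is not reproduced). */
int mail_auth_checked(const char *mechanism) {
    char tmp[MAILTMPLEN];
    if (!mechanism_upper(mechanism, tmp, sizeof tmp)) return 0;
    return 1;
}

/* "kerberos" (the mechanism advertised in the banner on the previous slide)
   should come back as "KERBEROS". */
int sample_kerberos_upper_ok(void) {
    char tmp[MAILTMPLEN];
    return mechanism_upper("kerberos", tmp, sizeof tmp) && strcmp(tmp, "KERBEROS") == 0;
}

/* Constructed oversized input: a 2047-character name plus NUL, i.e. a full
   2048-byte mechanism buffer as sized on the slide. mail_auth_unbounded()
   would overflow tmp here; mail_auth_checked() refuses it. */
int sample_oversized_rejected(void) {
    char mechanism[MECHANISM_LEN];
    memset(mechanism, 'A', sizeof mechanism - 1);
    mechanism[sizeof mechanism - 1] = '\0';
    return mail_auth_checked(mechanism) == 0;
}

int main(void) {
    printf("KERBEROS accepted:       %d\n", sample_kerberos_upper_ok());
    printf("2047-byte name rejected: %d\n", sample_oversized_rejected());
    printf("\"bad name\" rejected:     %d\n", mail_auth_checked("bad name") == 0);
    return 0;
}
```

The length scan stops at out_len on purpose: the caller's buffer is the only size the routine can trust, so it never reads (let alone writes) beyond it, and the 20-character SASL limit rejects the slide's 2048-byte input long before the 256-byte buffer is in play.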

  27. Get further access (#1)
     • If you have user access, try to gain root, usually via a bug in a command which runs as root, e.g. lprm for RedHat 4.2 (4/20/98)
     • Run Crack on /etc/passwd; users often have the same password on multiple machines

  28. Get further access (#2)
     • Exploit misconfigured file permissions in a user’s home directory, e.g. echo ‘+ +’ >> .rhosts
       Format of entries: [+|-] [host] [+|-] [user]
     • If root, install rootkits: Trojans, backdoors, sniffers, log cleaners
     • Packet sniffing: ftp and telnet passwords, e-mail, Lotus Notes
     • Log cleaners: start with syslog.conf, edit log files, wzap the wtmp file, edit the shell history file (or disable shell history)
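The `+ +` line on slide 28 is the one an administrator most wants to find in an audit, and the entry format the slide gives is enough to write the check. The block below is an added example, not from the slides: it classifies each .rhosts line using that format (a lone `+` in the host or user field matches anything, a leading `-` denies), counts the lines that grant access from any host, and runs over a constructed sample file; the hostnames in it are made up, and netgroup entries (`+@group`) are assumed out of scope.

```c
#include <stdio.h>
#include <string.h>

/* Classification of one .rhosts line. Entry format as given on the slide:
   [+|-][host] [+|-][user]; a lone "+" in either field matches anything.
   Netgroup entries (+@group / -@group) are not handled here. */
enum rhosts_risk {
    RHOSTS_IGNORE = 0,   /* blank line or comment */
    RHOSTS_DENY,         /* leading '-' on host or user: a denial, not a grant */
    RHOSTS_OK,           /* specific host, optionally a specific user */
    RHOSTS_ANY_USER,     /* specific host, any user:   "host +" */
    RHOSTS_ANY_HOST,     /* any host, specific user:   "+ user" */
    RHOSTS_ANY_BOTH      /* "+ +": anyone from anywhere, the slide's example */
};

static const char *SEP = " \t\r\n";

enum rhosts_risk rhosts_entry_risk(const char *line) {
    char buf[512];
    if (line == NULL) return RHOSTS_IGNORE;
    strncpy(buf, line, sizeof buf - 1);      /* bounded copy; strtok modifies its input */
    buf[sizeof buf - 1] = '\0';

    char *host = strtok(buf, SEP);
    if (host == NULL || host[0] == '#') return RHOSTS_IGNORE;
    char *user = strtok(NULL, SEP);

    if (host[0] == '-') return RHOSTS_DENY;
    if (user != NULL && user[0] == '-') return RHOSTS_DENY;

    int any_host = strcmp(host, "+") == 0;
    int any_user = user != NULL && strcmp(user, "+") == 0;
    if (any_host && any_user) return RHOSTS_ANY_BOTH;
    if (any_host) return RHOSTS_ANY_HOST;
    if (any_user) return RHOSTS_ANY_USER;
    return RHOSTS_OK;
}

/* Count the lines in a whole file that grant access from any host: the
   entries an auditor wants flagged, and exactly what echo '+ +' >> .rhosts
   produces. */
int rhosts_count_open_grants(const char *contents) {
    int open = 0;
    const char *p = contents;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;   /* over-long line: truncate */
        memcpy(line, p, len);
        line[len] = '\0';
        enum rhosts_risk r = rhosts_entry_risk(line);
        if (r == RHOSTS_ANY_HOST || r == RHOSTS_ANY_BOTH) open++;
        if (nl == NULL) break;
        p = nl + 1;
    }
    return open;
}

/* Constructed sample file (not from the slides): a comment, two ordinary
   entries, one denial, and the "+ +" line the slide shows being appended. */
static const char SAMPLE_RHOSTS[] =
    "# constructed sample .rhosts\n"
    "trusted.example.com\n"
    "trusted.example.com bob\n"
    "-badhost.example.com\n"
    "+ +\n";

int sample_open_grants(void) {
    return rhosts_count_open_grants(SAMPLE_RHOSTS);
}

int main(void) {
    static const char *names[] = { "ignore", "deny", "ok", "any-user", "any-host", "ANY HOST, ANY USER" };
    const char *lines[] = { "trusted.example.com bob", "+ bob", "trusted.example.com +",
                            "+ +", "-badhost.example.com" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-26s -> %s\n", lines[i], names[rhosts_entry_risk(lines[i])]);
    printf("open grants in sample file: %d\n", sample_open_grants());
    return 0;
}
```

Only the any-host classes are counted as open grants: `host +` is still restricted to one host, whereas `+ user` and `+ +` are reachable from anywhere once an attacker has a matching username, which is what makes the appended `+ +` line worth alerting on.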


  30. Back Doors
     • Allow hackers to come back at their leisure.
     • Can exist at application level
       • Back Orifice
     • Can exist at system level
       • Replace DLLs in an NT system
       • Replace functions in Linux/Unix, e.g. login, ps, etc.
     • Can exist at root level
       • Most difficult to detect
     • Some root kits increase the security of a system and are used by network administrators on their own systems!

  31. Packet Sniffing

  32. Sniffing: Captured Passwords
       Source IP.port       Destination IP.port
       333.22.112.11.3903 - 333.22.111.15.23: login [root]
       333.22.112.11.3903 - 333.22.111.15.23: password [sysadm#1]
       333.22.112.11.3710 - 333.22.111.16.23: login [root]
       333.22.112.11.3710 - 333.22.111.16.23: password [sysadm#1]
       333.22.112.91.1075 - 333.22.112.94.23: login [lester]
       333.22.112.91.1075 - 333.22.112.94.23: password [l2rz721]
       333.22.112.64.1700 - 444.333.228.48.23: login [rcsproul]
       333.22.112.64.1700 - 444.333.228.48.23: password [truck]


  34. Internet Relay Chat
     • Some hackers, when they exploit a system, announce it to the hacker community.
     • This is normally done by ‘script kiddies’ for bragging rights.
     • A sophisticated hacker, on the other hand, will most likely cover his/her tracks so that you will never know that they got into your systems.

  35. Hacker Resources
     Web sites with hacker tools (Kevin Kotas’ favorite sites):
       http://technotronic.com/
       http://security.pine.nl/
       http://astalavista.box.sk/
       http://Freshmeat.net/
       http://www.rootshell.com
       http://oliver.efri.hr/~crv/security/bugs/list.html
       http://www.phrack.com/
       http://www.securityfocus.com/ (click on “forums”, then “bugtraq”)
       http://main.succeed.net/~kill9/hack/tools/trojans/
     IRC: #hacker*

  36. Hacker Techniques
     • Find and attack the “weakest link”
     • Reconnaissance
     • Gain access to first machine
     • Use acquired access to gain further access

  37. How to protect your computer
     • Make sure your software is current and up to date (i.e. all current patches are installed)
     • Run firewall software
       • http://www.zonealarm.com
     • Run a hardware firewall
     • Run intrusion detection software
       • SNORT, http://www.snort.org
     • Run Tripwire (change tracking software)
       • http://www.tripwire.com

  38. Honeynets

  39. Honeypots
     • A security resource whose value lies in being probed, attacked or compromised.
     • Has no production value; anything going to or from a honeypot is likely a probe, attack or compromise.

  40. Advantages / Disadvantages
     • Advantages
       • Reduce false negatives and false positives
       • Collect little data, but data of high value
       • Minimal resources
       • Conceptually simple
     • Disadvantages
       • Single point of failure
       • Risk

  41. What is a Honeynet
     • High-interaction honeypot
     • Used primarily to learn about the bad guys.
     • Network of production systems.
     • Once compromised, the data collected is used to learn the tools, tactics, and motives of the blackhat community.

  42. How it works
     • A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
     • Any traffic entering or leaving the Honeynet is suspect by nature.
     http://project.honeynet.org/papers/honeynet/

  43. Risk
     • Honeynets are highly complex, requiring extensive resources and manpower to properly maintain.
     • Honeynets are a high-risk technology. As a high-interaction honeypot, they can be used to attack or harm other non-Honeynet systems.

  44. Legal Issues
     • Privacy
     • Entrapment
     • Liability
