The current state of the Internet
An unprotected computer on the Internet WILL BE EXPLOITED within 24 hours!
Richard Treece, ISS, 15 April 2002
Hacker Techniques
• Find and attack the “weakest link”
• Reconnaissance
• Gain access to first machine
• Use acquired access to gain further access
Disclaimer
• Hacking is illegal!
• Some actual organizations and computers are used in the examples, but only to provide realism
• Do not hack the examples!
The Stages of a Network Intrusion
1. Scan:
  • IP addresses in use
  • operating system in use
  • “open” TCP or UDP ports
2. Exploit:
  • Denial of Service (DoS)
  • scripts against open ports
3. Gain Root Privilege:
  • Buffer Overflows
  • Get Root/Administrator Password
4. Install Back Door
5. Use IRC (Internet Relay Chat)
Reconnaissance
• Public information
  • www
  • news postings
• Network Scanning
• Operating System Detection
• War-dialing
Public Info: www.internic.net
Domain Name: GATECH.EDU
Registrant: Georgia Institute of Technology, 258 4TH St, Atlanta, GA 30332
Contacts:
  Administrative Contact: Herbert Baines III, GA Institute of Tech (GATECH-DOM), 258 4TH St., Atlanta, GA 30332, (404) 894-0226, herbert.baines@oit.gatech.edu
  Technical Contact: OIT, Georgia Tech, 258 Fourth Street, Atlanta, GA 30332, (404) 894-0226, hostmaster@gatech.edu
Name Servers:
  TROLL-GW.GATECH.EDU 130.207.244.251
  GATECH.EDU 130.207.244.244
  NS1.USG.EDU 198.72.72.10
Public Information: news postings
Author: rajeshb <rajeshb@ncs.com.sg>
Date: 1998/12/07
Forum: comp.unix.solaris
Hi, Could someone tell me how to configure anonymous ftp for multiple IP addresses? Basically we are running virtual web servers on one server. We need to configure anonymous ftp for each virtual web account. I would appreciate it if someone could help me as soon as possible. I know how to configure anonymous ftp for a single IP. Thanks, Rajesh.
Network Scanning • Identifies: • accessible machines • servers (ports) on those machines
Network Scanning (cont’d)
• nmap -t -v hack.me.com
   21 tcp ftp
   23 tcp telnet
   37 tcp time
   53 tcp domain
   70 tcp gopher
   79 tcp finger
   80 tcp http
  109 tcp pop-2
  110 tcp pop-3
  111 tcp sunrpc
  113 tcp auth
  143 tcp imap
  513 tcp login
  514 tcp shell
  635 tcp unknown
Operating System Detection
• Stack fingerprinting:
  • OS vendors often interpret specific RFC guidance differently when implementing their versions of the TCP/IP stack.
  • Probing for these differences gives an educated guess about the OS
  • e.g., FIN probe, Don’t Fragment (DF) bit
• nmap -O
War-dialing
• Find the organization’s modems by calling all of its phone numbers
• www.fbi.gov: (202) 324-3000
• Reverse Business Phone: 202-324-3
  All Listings
  Government Offices-US US Field Ofc 202-324-3000 1900 Half St Sw Washington, DC
Denial of Service (DOS)
(Source: Chapter 14, “Network Intrusion Detection: An Analyst’s Handbook”, Second Edition, Northcutt and Novak)
• 1) SMURF – ICMP echoes
• 2) ECHO-CHARGEN – UDP port 7 is echo; UDP port 19 is character generator. Spoof a source address and the two victims pound each other
• 3) TEARDROP – Send fragments with offset too small
  source.40909 > target.3826: udp 28 (frag 242:36@0+)
  source.40909 > target.3826: (frag 242:4@24)
  • fragment ID = 242 with 36 bytes of data starting at offset 0
  • fragment ID = 242 with 4 bytes of data starting at offset 24
  • but this means the receiver must back up from the 36 bytes already received to offset 24, where this fragment goes
  • The resulting negative length may be treated as a large positive number, so the data is copied into another program’s section of memory
  • If the intrusion detection system (IDS) does not reassemble fragments and check them, the attack will get past the IDS
Denial of Service (DOS)
• 4) PING OF DEATH – On a Windows NT box type: ping -l 65510 <victim IP address>
  This creates a packet which, when reassembled, is larger than the maximum allowed size of 65,535 bytes. Causes a system crash.
  - Max IP packet size allowed = 65535
  - ICMP echo has a “pseudo header” consisting of 8 bytes of ICMP header info
  - Next in the ICMP packet is the ping data that is sent
  - Maximum amount of data that can be sent is 65535 – 20 IP – 8 ICMP = 65507
  - We sent 65510, which is too large
• 5) LAND ATTACK – Source IP address/port equals destination IP address/port
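An added example (not from the slides or the Northcutt/Novak book) of the fragment-reassembly check that the teardrop and ping-of-death bullets above call for, in C. It assumes fragment offsets expressed in bytes, a 20-byte IP header as in the slide’s arithmetic, and the function names shown; a real stack may legitimately retransmit overlapping fragments, so an overlap verdict is a reason to inspect, not proof of attack.

```c
#include <stddef.h>

#define IP_HDR_LEN      20u     /* IP header, as in the slide's arithmetic */
#define IP_MAX_DATAGRAM 65535u  /* largest legal IP packet, headers included */

struct frag {
    unsigned id;      /* IP identification shared by all pieces of a datagram */
    unsigned offset;  /* byte offset of this piece's data within the IP payload */
    unsigned len;     /* bytes of data carried by this piece */
};

enum frag_verdict { FRAG_OK = 0, FRAG_OVERLAP = 1, FRAG_OVERSIZE = 2 };

/* Check a newly arrived fragment against the pieces already accepted for the
 * same datagram id. FRAG_OVERLAP: its data lands on bytes already received
 * (the teardrop pattern). FRAG_OVERSIZE: the reassembled datagram would
 * exceed IP_MAX_DATAGRAM (the ping-of-death pattern). */
enum frag_verdict check_fragment(const struct frag *seen, size_t nseen,
                                 const struct frag *f)
{
    unsigned end = f->offset + f->len;
    if (IP_HDR_LEN + end > IP_MAX_DATAGRAM)
        return FRAG_OVERSIZE;
    for (size_t i = 0; i < nseen; i++) {
        if (seen[i].id != f->id)
            continue;
        unsigned seen_end = seen[i].offset + seen[i].len;
        /* the half-open ranges [offset, end) intersect */
        if (f->offset < seen_end && seen[i].offset < end)
            return FRAG_OVERLAP;
    }
    return FRAG_OK;
}

/* The slide's teardrop pair: id 242, 36 bytes @ 0, then 4 bytes @ 24. */
enum frag_verdict teardrop_example(void)
{
    struct frag first = { 242, 0, 36 };
    struct frag second = { 242, 24, 4 };
    return check_fragment(&first, 1, &second);
}

/* A 65510-byte ping: 8 bytes of ICMP header plus 65510 bytes of data make a
 * 65518-byte IP payload, so the final piece (6 bytes at offset 65512) ends
 * past the 65515 bytes that fit under the 20-byte IP header. */
enum frag_verdict ping_of_death_example(void)
{
    struct frag last = { 7, 65512, 6 };
    return check_fragment(NULL, 0, &last);
}
```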
Denial of Service (DOS)
• 6) NMAP – Scans looking for open ports. You may download it from www.insecure.org
  • Can crash unpatched systems
  • Can use many modes:
    • Vanilla TCP connect scanning
    • TCP SYN (half-open) scanning
    • TCP FIN, Xmas, or null (stealth) scanning
    • TCP ftp proxy (bounce attack) scanning (the ftp server is made to open data connections from its port 20 to the target, so the connection is not established by the scanner itself as in the normal port 21 procedure)
    • SYN/FIN scanning using IP fragments
    • UDP raw ICMP port unreachable scanning
    • ICMP scanning (ping-sweep)
    • TCP ping scanning
    • Remote OS identification by TCP/IP fingerprinting
Distributed Denial of Service (DDOS)
• Client machine – used to coordinate the attack
• Master or Handler – controls subservient computers
• Agents or Daemons – actually do the attack
• 1) TRINOO – Sends UDP floods to random destination port numbers on the victim
• 2) TFN – Sends UDP flood, TCP SYN flood, ICMP echo flood, or a SMURF attack
  • Master communicates to daemon using ICMP echo reply; changes the IP identification number and payload of the ICMP echo reply to identify the type of attack to launch.
• 3) TFN2k – First DDOS for Windows. Communication between master and agents can be encrypted over TCP, UDP, or ICMP with no identifying ports
• 4) STACHELDRAHT – Combination of Trinoo and TFN
• If you are a DDOS victim, at present there is very little you can do about it!!!
“The Holy Grail”
• Hackers seek Superuser/Root privilege (SUID) on the machine they are exploiting
• With SUID privilege, they ‘own’ the machine
• They can use the resources available for their own purposes (e.g., crack passwords) or destroy data on the machine
Gaining SUID privilege
1. Easiest way – trying default manufacturer password settings
2. Next easiest – Social Engineering
  • Impersonate Tech Support
  • Hide trojan software inside free games, screensavers, etc. (e.g., Anna Kournikova)
3. More difficult – Buffer Overflow Attack
  • Must be a skilled programmer
Gain access to first machine • Configuration errors • System-software errors
Configuration errors: NFS
$ showmount -e hack.me.com
export list for hack.me.com:
/home (everyone)
Config errors: anonymous ftp (#1)
$ ftp hack.me.com
Connected to hack.me.com.
220 xyz FTP server (SunOS) ready.
Name (hack.me.com:jjyuill): anonymous
331 Guest login ok, send ident as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> get /etc/passwd
/etc/passwd: Permission denied
ftp> cd ../etc
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (152.1.75.170,32871) (0 bytes).
226 ASCII Transfer complete.
Config errors: anonymous ftp (#2)
ftp> get passwd
200 PORT command successful.
150 ASCII data connection for passwd (152.1.75.170,32872) (23608 bytes).
226 ASCII Transfer complete.
local: passwd remote: passwd
23962 bytes received in 0.14 seconds (1.7e+02 Kbytes/s)
ftp> quit
221 Goodbye.
Config errors: anonymous ftp (#3)
$ less passwd
sam:0Ke0ioGWcUIFg:100:10:NetAdm:/home/sam:/bin/csh
bob:m4ydEoLScDlqg:101:10:bob:/home/bob:/bin/csh
chris:iOD0dwTBKkeJw:102:10:chris:/home/chris:/bin/csh
sue:A981GnNzq.AfE:103:10:sue:/home/sue:/bin/csh
$ Crack passwd
Guessed sam [sam]
Guessed sue [hawaii]
System-software errors: imapd (#1)
• imapd buffer-overflow
$ telnet hack.me.com 143
Trying hack.me.com...
Connected to hack.me.com.
Escape character is '^]'.
* OK hack.me.com IMAP4rev1 v10.205 server ready AUTH=KERBEROS
System-software errors: imapd (#2)
• sizeof(mechanism)==2048
• sizeof(tmp)==256

    char *mail_auth (char *mechanism, authresponse_t resp, int argc, char *argv[])
    {
      char tmp[MAILTMPLEN];            /* MAILTMPLEN is 256 */
      AUTHENTICATOR *auth;
      /* make upper case copy of mechanism name */
      ucase (strcpy (tmp, mechanism)); /* unbounded copy: a client-supplied mechanism name
                                          longer than 255 bytes overruns tmp on the stack */
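An added example, not imapd’s own code, showing the bounded form of the copy above: MAILTMPLEN and the 256-byte tmp buffer are the slide’s, while the function names and the reject-on-overlong behaviour are this example’s assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAILTMPLEN 256   /* sizeof(tmp) on the slide */

/* Upper-case `src` into `dst`, which holds `dstlen` bytes. Returns 0 on
 * success and -1 when `src` plus its terminator would not fit, in which case
 * `dst` is left as an empty string. This replaces the slide's
 * ucase (strcpy (tmp, mechanism)), which writes strlen(mechanism)+1 bytes into
 * a 256-byte stack buffer no matter how long the client's name is. */
int copy_mechanism_upper(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0)
        return -1;
    if (n >= dstlen) {          /* no room for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)toupper((unsigned char)src[i]);
    dst[n] = '\0';
    return 0;
}

/* The prologue of mail_auth with the bounded copy in place: the client-supplied
 * mechanism name still goes into a MAILTMPLEN buffer, but an over-long name is
 * rejected (returns 0) instead of overrunning the stack. Returns 1 when the
 * name was accepted; the authenticator lookup that follows in the real
 * function is not reproduced here. */
int mechanism_accepted(const char *mechanism)
{
    char tmp[MAILTMPLEN];
    return copy_mechanism_upper(tmp, sizeof tmp, mechanism) == 0;
}
```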
Get further access (#1)
• If user access, try to gain root
  • usually via a bug in a command which runs as root
  • e.g. lprm for RedHat 4.2 (4/20/98)
• Run crack on /etc/passwd
  • users often have the same password on multiple machines
Get further access (#2)
• Exploit misconfigured file permissions in user’s home directory
  • e.g. echo ‘+ +’ >> .rhosts
  • Format of entries: [+|-] [host] [+|-] [user]
• If root, install rootkits
  • Trojans, backdoors, sniffers, log cleaners
• Packet Sniffing
  • ftp and telnet passwords
  • e-mail
  • Lotus Notes
• Log cleaners
  • Start with syslog.conf, edit log files, wzap the wtmp file
  • Edit shell history file (or disable shell history)
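An added example, not from the slides, that audits a .rhosts file for the wildcard entries described above using the [+|-] [host] [+|-] [user] format; the sample file, the risk flags and the function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

enum { RH_CLEAN = 0, RH_ANY_HOST = 1, RH_ANY_USER = 2 };  /* risk bits */

/* Classify one line of the [+|-] [host] [+|-] [user] format. A "+" host
 * field trusts every host, a "+" user field trusts every user on the listed
 * host, and "+ +" sets both bits: the entry the slide shows being appended.
 * Lines beginning with "-" are deny entries; they, comments and blank lines
 * return RH_CLEAN. */
int rhosts_line_flags(const char *line)
{
    char host[256] = "", user[256] = "";
    int fields = sscanf(line, "%255s %255s", host, user);
    int flags = RH_CLEAN;
    if (fields < 1 || host[0] == '#' || host[0] == '-')
        return RH_CLEAN;
    if (strcmp(host, "+") == 0)
        flags |= RH_ANY_HOST;
    if (fields == 2 && strcmp(user, "+") == 0)
        flags |= RH_ANY_USER;
    return flags;
}

/* OR together the flags of every line, so one wildcard entry anywhere raises its bit. */
int rhosts_audit(const char *text)
{
    int flags = RH_CLEAN;
    char buf[512];
    while (*text) {
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof buf ? len : sizeof buf - 1;  /* truncate long lines */
        memcpy(buf, text, n);
        buf[n] = '\0';
        flags |= rhosts_line_flags(buf);
        text += len;
        if (*text == '\n') text++;
    }
    return flags;
}

/* Constructed sample: a normal entry, a deny entry, then the planted wildcard. */
static const char SAMPLE_RHOSTS[] =
    "# trusted workstation\n"
    "ws1.hack.me.com bob\n"
    "-badhost.example.net\n"
    "+ +\n";

int sample_rhosts_flags(void) { return rhosts_audit(SAMPLE_RHOSTS); }
```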
Back Doors
• Allow hackers to come back at their leisure.
• Can exist at application level
  • Back Orifice
• Can exist at system level
  • Replace dll’s in NT system
  • Replace functions in Linux/Unix, e.g. login, ps, etc.
• Can exist at root level
  • Most difficult to detect
• Some root kits increase the security of a system and are used by network administrators on their own systems!
Sniffing: Captured Passwords
Source IP.port - Destination IP.port
333.22.112.11.3903-333.22.111.15.23: login [root]
333.22.112.11.3903-333.22.111.15.23: password [sysadm#1]
333.22.112.11.3710-333.22.111.16.23: login [root]
333.22.112.11.3710-333.22.111.16.23: password [sysadm#1]
333.22.112.91.1075-333.22.112.94.23: login [lester]
333.22.112.91.1075-333.22.112.94.23: password [l2rz721]
333.22.112.64.1700-444.333.228.48.23: login [rcsproul]
333.22.112.64.1700-444.333.228.48.23: password [truck]
Internet Relay Chat • Some hackers, when they exploit a system, announce it to the hacker community. • This is normally done by ‘script kiddies’ as bragging rights. • A sophisticated hacker on the other hand, will most likely cover his/her tracks so that you will never know that they got into your systems.
Hacker Resources
Web sites with hacker tools (Kevin Kotas’ favorite sites):
http://technotronic.com/
http://security.pine.nl/
http://astalavista.box.sk/
http://Freshmeat.net/
http://www.rootshell.com
http://oliver.efri.hr/~crv/security/bugs/list.html
http://www.phrack.com/
http://www.securityfocus.com/ (click on “forums”, then “bugtraq”)
http://main.succeed.net/~kill9/hack/tools/trojans/
IRC #hacker*
Hacker Techniques
• Find and attack the “weakest link”
• Reconnaissance
• Gain access to first machine
• Use acquired access to gain further access
How to protect your computer
• Make sure your software is current and up to date (i.e. all current patches are installed)
• Run firewall software
  • http://www.zonealarm.com
• Run a hardware firewall
• Run intrusion detection software
  • SNORT http://www.snort.org
• Run Tripwire (change tracking software)
  • http://www.tripwire.com
Honeypots
• A security resource whose value lies in being probed, attacked or compromised.
• Has no production value, so anything going to or from a honeypot is likely a probe, attack or compromise.
Advantages / Disadvantages
• Advantages
  • Reduce false negatives and false positives
  • Collect little data, but data of high value
  • Minimal resources
  • Conceptually simple
• Disadvantages
  • Single point of failure
  • Risk
What is a Honeynet • High-interaction honeypot • Used primarily to learn about the bad guys. • Network of production systems. • Once compromised, the data collected is used to learn the tools, tactics, and motives of the blackhat community.
How it works
• A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
• Any traffic entering or leaving the Honeynet is suspect by nature.
http://project.honeynet.org/papers/honeynet/
Risk
• Honeynets are highly complex, requiring extensive resources and manpower to maintain properly.
• Honeynets are a high-risk technology. As a high-interaction honeypot, they can be used to attack or harm other, non-Honeynet systems.
Legal Issues • Privacy • Entrapment • Liability