
COMP3371 Cyber Security Week 8

COMP3371 Cyber Security Week 8. Richard Henson, University of Worcester, November 2018. Learning Objectives… See the network through the eyes of an attacker… Use of vulnerability/penetration testing to check access to the organisation’s network (and information about it!) from outside.


Presentation Transcript


  1. COMP3371 Cyber Security Week 8
     Richard Henson, University of Worcester, November 2018

  2. Learning Objectives…
     • See the network through the eyes of an attacker…
     • Use of vulnerability/penetration testing to check access to the organisation’s network (and information about it!) from outside
     • Stop exploitation of known software vulnerabilities through specific TCP ports

  3. Defensive and Offensive Approaches to Security
     • Generally, the best way to protect data is to put it in a safe place and build walls around it (defensive approach)
     • Also wise to get someone to attack the organisation and try to breach its defences (offensive approach)
       ◦ then report back on findings…

  4. Summary of Basic Defensive Security…
     • Firewalls… appropriately configured
       ◦ on Internet gateways…
       ◦ and end-point devices
     • Use of effective antivirus software
     • Patching and updating software
     • Enforced Information Security Policy
     • Correct use of PKI for www data
     • Covered in Cyber Essentials!

  5. Offensive Security: 1. Vulnerability Scanning
     • “Passive” scanning
       ◦ finding out about the network, website, etc. to see how it could be exploited
     • Similar to the more commonly known “penetration testing”…
       ◦ does not attempt to penetrate the network defences
       ◦ considered “ethical” and not illegal!

  6. 2. Penetration Testing
     • “Active” scanning: requires the investigator/hacker to penetrate the organisation’s defences, rather than “peer in” from the outside
     • Would be illegal if permission not granted!
     • Requirement for Cyber Essentials Plus

  7. What & Why of “Footprinting”
     • Definition: “Gathering information about a ‘target’ system”
     • Could be passive (non-penetrative) or active (probing…)
     • Purpose: find out as much information about the digital and physical evidence of the target’s existence as possible
       ◦ need to use multiple sources…
       ◦ may (“black hat” hacking) need to be done secretly

  8. Rationale for “passive” Footprinting
     • The hacker may be able to gather what they need from public sources (e.g. the organisation’s website)
       ◦ the organisation needs to know what it is telling the world about itself…
     • Methodology:
       ◦ Use a search engine: start by finding the domain name & URLs of popular pages, e.g. www.worc.ac.uk
       ◦ Use tools to map/mirror the main website…

  9. Information Gathered without Penetration Testing
     • Domain names
     • User/group names
     • System names
     • IP addresses
     • Employee details/company directory
     • Network protocols used & VPN start/finish
     • Company documents
     • Intrusion detection system used

  10. Website Connections & History
     • History: use www.archive.org (the Wayback Machine)
     • Connections: use robtex.com
     • Business intelligence: sites that reveal company details, e.g. www.companieshouse.co.uk

  11. More Company Information…
     • “Whois” & CheckDNS.com:
       ◦ lookups of IP/DNS combinations
       ◦ details of who owns a domain name
       ◦ details of DNS zones & subdomains
     • Job hunters’ websites, e.g. www.reed.co.uk, www.jobsite.co.uk, www.totaljobs.com

  12. People Information
     • Company information will reveal names
     • Use names in search engines, Facebook, LinkedIn
     • Google Earth reveals company location(s)

  13. Physical Network Information (“active” footprinting or phishing)
     • External “probing”
       ◦ should be detectable by a good defence system… (could be embarrassing!)
     • e.g. Traceroute:
       ◦ uses the ICMP protocol “echo”
       ◦ reveals names/IP addresses of intelligent hardware, e.g. routers, gateways, DMZs

  14. Email Footprinting
     • Using the email system to find the organisation’s email name structure
     • “passive”: monitor emails sent
       ◦ IP source address
       ◦ structure of name
     • “active”: email sending programs
       ◦ test whether email addresses actually exist
       ◦ test restrictions on attachments

  15. Phishing to extract user data (not intelligence gathering)
     • Send the email user a message with a link or attachment
       ◦ link is a form which tries to get their personal data
       ◦ attachment contains malware which will infect their system
     • Rather obvious to IT professionals…
       ◦ accounts wouldn’t be used by network infiltrators trying to hide their tracks

  16. Utilizing Google etc. (“passive”)
     • Google advanced search options use [site:] [intitle:] [allintitle:] [inurl:]
       ◦ in each case a search string should follow, e.g. “password”
     • Maltego: graphical representations of data

  17. Proxy Hacking (or Hijacking)
     • Attacker creates a copy of the targeted web page on a proxy server
     • Artificially raises its search engine ranking with methods like:
       ◦ keyword stuffing
       ◦ linking to the copied page from external sites…
     • The authentic page will rank lower…
       ◦ may even be seen as duplicated content (!)
       ◦ and the search engine may then remove it from its index

  18. Reconnaissance/Scanning
     • Three types of scan:
       ◦ Network (already mentioned): identifies active hosts
       ◦ Port: send client requests until a suitable active port has been found…
       ◦ Vulnerability: assessment of devices for weaknesses that can be exploited

  19. Legality and Vulnerability Scanning
     • Depends on whether you have asked!
       ◦ running tests requires equipment and an expert’s time…
       ◦ would normally charge for such a service, so… normal to contact the org.!
     • Hacker wouldn’t want the organisation to know
       ◦ so… certainly wouldn’t ask permission!
       ◦ illegal, but gambles on not being caught!

  20. Ethical Hacking Principles
     • Hacking is a criminal offence in the UK
       ◦ covered through the Computer Misuse Act (1990)
       ◦ tightened in 2006
     • Can only be done “legally” by a trained (or trainee) professional
       ◦ a computing student would be considered in this context under the law

  21. Ethical Hacking Principles
     • Even if a practice is currently legal, that doesn’t mean it is ethical!
     • Professionals only hack without permission if there is reason to believe a law is being broken
       ◦ if not… they must ask permission
       ◦ otherwise definitely unethical (and illegal… “gaining access without permission”)

  22. “Scanning” Methodology
     • Check for live systems
     • Check for open ports
     • “Banner grabbing”, e.g. a bad HTML request
     • Scan for vulnerabilities
     • Draw network diagram(s)
     • Prepare proxies…

  23. Why use “offensive” security?
     • Recognised that manager(s) of an internal network:
       ◦ can’t objectively mark their own homework!
       ◦ can see out, but can’t see in!
     • Makes good sense for a third party to attempt to hack in with permission (therefore not illegal)…
       ◦ test firewalls, patching, PKI implementation
       ◦ report back to management…

  24. The “Cyber Kill Chain” (1) (Lockheed Martin…)
     • Reconnaissance: find the weakness(es)
     • Weaponisation: figure out how it can be exploited
     • Delivery: send the malicious software into the victim’s network

  25. The “Cyber Kill Chain” (2) (Lockheed Martin…)
     • Exploitation: run the software on the victim’s network
     • Installation: install the hack into the victim’s network
     • Command and Control: control the victim’s network in such a way as to achieve mission objectives
     • Actions on Objectives: “wash down” on how well it went…

  26. Reminder of Port Vulnerability
     • Simplified OSI model for TCP/IP…
       ◦ levels 5/6/7 combined as application
       ◦ level 4: transport (TCP/UDP)
     • TCP or UDP packets can attack the network…
     [Diagram: application layer: FTP, HTTPS, NFS, DNS, SNMP, HTTP / transport: UDP, TCP / network: IP]

  27. Blocking TCP ports with a Firewall
     • Very many TCP and UDP ports:
       ◦ 0–1023 are tightly bound to application services
       ◦ 1024–49151 are more loosely bound to services
       ◦ 49152–65535 are private, or “dynamic”
     • In practice, any port over 1023 could be assigned dynamically to a service…
     • One of the more useful features of a firewall is that ports can be configured, and therefore data flow can be monitored and controlled

  28. Protecting Against TCP/IP Attacks, Probes and Scans
     • The TCP/IP protocol stack has been largely unchanged since the early 1980s:
       ◦ more than enough time for hackers to discover its weaknesses
       ◦ often attack through a particular TCP port

  29. TCP Port 21: FTP (File Transfer Protocol)
     • FTP servers, by their very nature, open up very big security holes
       ◦ especially if anonymous login is allowed:
         - connect to the C: drive using NFS
         - download viruses
         - overwrite/delete files
         - store pirated files and programs
     • Defence:
       ◦ DO NOT accept anonymous logins
       ◦ only allow access via port 21 to that particular server

  30. TCP Port 25: SMTP
     • Easy target! Email programs/data are large, complex, accessible…
     • Buffer overrun:
       ◦ attacker enters more characters (perhaps including executable code) into an email field (e.g. To:)
       ◦ error generated
       ◦ hackers get enough information to gain access
     • SPAM attack:
       ◦ SMTP protocol design allows a message to go directly from the originator’s email server to the recipient’s email server
       ◦ ALSO can be relayed by one or more mail servers in the middle
       ◦ spammers forward a message to thousands of unwilling recipients!

  31. Port 25 SMTP: Defending…
     • Threat: buffer overrun
       ◦ Solution: put the server on a perimeter network
     • Threat: spam attack
       ◦ Solution: DISABLE the relaying facility…

  32. UDP Port 53: DNS (Domain Name Service)
     • Without DNS, domain name to IP address translation would not exist!!!
     • Threat: if a site hosts DNS, attackers will try to:
       ◦ modify DNS entries
       ◦ download a copy of your DNS records (a process called zone transfer)

  33. Port 53 DNS: Solution…
     • Defence:
       ◦ configure the firewall to accept connections from the outside to TCP port 53 only from your secondary DNS server
         - the one downstream from you, e.g. your ISP
       ◦ two DNS servers: one on the perimeter network, the other on the internal network:
         - perimeter DNS will answer queries from the outside
         - internal DNS will respond to all internal lookups

  34. TCP Port 79: Finger
     • A service that enumerates all the services you have available on your network servers:
       ◦ invaluable tool in probing or scanning a network prior to an attack!
     • Defence:
       ◦ block port 79… would-be attackers are denied all this information about network services!

  35. TCP Ports 109–110: POP (Post Office Protocol)
     • POP is used to download email data to a client…
       ◦ POP3 (port 110) is the least secure version!
     • Defence:
       ◦ block all access to port 110 except for that server
       ◦ if POP3 is not being used, block port 110!!!

  36. TCP Ports 135 and 137: NetBIOS
     • The Microsoft Windows protocol used for file and print sharing
       ◦ the last thing you probably want is for users on the Internet to connect to your servers’ files and printers!
     • Block NetBIOS. Period!

  37. UDP Port 161: SNMP
     • SNMP is important for remote management of network devices:
       ◦ but it also poses inherent security risks
       ◦ stores configuration and performance parameters in a database that is then accessible via the network…
     • If the network is open to the Internet, hackers can gain a large amount of very valuable information about the network…
     • So… if SNMP is used:
       ◦ allow access to port 161 from the internal network only
       ◦ otherwise, block it entirely

  38. Denial of Service Attacks
     • An attempt to harm a network by flooding it with traffic so that network devices are overwhelmed and unable to provide services
     • Happen through the ICMP port, which the ping service uses
     • Close off the ICMP port:
       ◦ thwarts denial of service (DoS) attacks…
       ◦ and distributed denial of service (DDoS) attacks

  39. Mechanism of (D)DoS Attacks
     • Ping “normally” sends a brief request to a remote computer asking it to echo back its IP address
     • “Ping of Death”
       ◦ EITHER the attacker deliberately creates a very large ping packet and then transmits it to the victim IP
         - ICMP can’t deal with large packets
         - the receiving computer is unable to accept delivery and crashes or hangs
       ◦ OR sends thousands of ping requests to a victim
         - CPU time is taken up answering ping requests, preventing it from responding to other, legitimate requests

  40. DDoS attacks
     • Much more dangerous…
     • Attackers gain access to a wide number of PCs or other devices
       ◦ often rely on home computers, since they are less frequently protected
       ◦ can also use previously “installed” worms and viruses
     • Use these devices to launch a coordinated attack against a victim IP address

  41. Protecting against “Ping of Death”
     • Simple! Block ICMP echo requests and replies
     • If ICMP is needed…
       ◦ ensure there is a rule blocking “outgoing time exceeded” & “unreachable” messages
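Slides 38 to 41 describe two ping-based patterns, the oversized datagram and the request flood. The following detection logic is an added example, not part of the lecture: it reads constructed firewall log lines (the format and all addresses are invented for illustration) and flags each pattern, using the 65535-byte IP total-length limit for the first and a sliding one-second window for the second.

```python
from collections import defaultdict, deque

# Constructed firewall log lines (not real data): "<epoch> <src> <dst> <type> len=<bytes>",
# where len is the reassembled IP datagram length as this hypothetical firewall logs it.
SAMPLE_LOG = [
    "1000.000 203.0.113.9 192.0.2.10 icmp-echo-request len=84",      # a normal ping
    "1000.200 198.51.100.4 192.0.2.10 icmp-echo-request len=66000",  # exceeds the 65535-byte IP maximum
    "1000.500 203.0.113.9 192.0.2.10 icmp-echo-reply len=84",        # a reply: not counted
] + [
    # 150 echo requests from one source inside 0.15 s: the "thousands of pings" pattern, scaled down
    f"{1001 + i / 1000:.3f} 203.0.113.9 192.0.2.10 icmp-echo-request len=84" for i in range(150)
]

MAX_IP_DATAGRAM = 65535   # 16-bit total-length field; a reassembled datagram beyond it is a Ping of Death


def detect_ping_abuse(lines, flood_threshold=100, window=1.0):
    """Return (oversized, flooders): sources whose echo requests exceed the IP maximum,
    and sources sending more than flood_threshold echo requests within any `window` seconds."""
    oversized, flooders = set(), set()
    recent = defaultdict(deque)           # src -> timestamps still inside the sliding window
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[3] != "icmp-echo-request":
            continue                      # replies and malformed lines are not counted
        ts, src = float(parts[0]), parts[1]
        length = int(parts[4].split("=", 1)[1])
        if length > MAX_IP_DATAGRAM:
            oversized.add(src)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > flood_threshold:
            flooders.add(src)
    return oversized, flooders


if __name__ == "__main__":
    big, flood = detect_ping_abuse(SAMPLE_LOG)
    print("oversized ICMP from:", sorted(big))   # oversized ICMP from: ['198.51.100.4']
    print("ping flood from:", sorted(flood))     # ping flood from: ['203.0.113.9']
```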

  42. IP Spoofing
     • Use software to change the source IP address of a packet!
     • Attackers can gain access to a PC within a protected network…
       ◦ obtain its IP address
       ◦ use it in packet headers so the Internet firewall lets the malicious packets through

  43. Protection against IP Spoofing
     • Block traffic coming into the network that contains IP addresses from the internal network…
     • Use a proxy server so internal IP addresses are never exposed
     • Block traffic associated with “private” (NAT) and illegal/unrouteable IP addresses:
       ◦ Illegal/unrouteable: 255.255.255.255, 27.0.0.0, 240.0.0.0, & 0.0.0.0
       ◦ “Private” (NAT addresses as defined in RFC 1918):
         - 10.0.0.0–10.255.255.255
         - 172.16.0.0–172.31.255.255
         - 192.168.0.0–192.168.255.255 (often used by wireless routers)
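The per-port rules of slides 29 to 37 and the anti-spoofing rules of slide 43 together make one ingress policy for the Internet-facing interface. The code below is an added example, not the lecture's own: it models that policy as a default-deny decision function over a packet record. The internal subnet, the FTP, POP3 and perimeter DNS hosts and the ISP's secondary DNS address are constructed placeholders from the documentation ranges; the unrouteable set covers RFC 1918 and the 0.0.0.0, 240.0.0.0 and 255.255.255.255 ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (documentation ranges, not a real network): the internal subnet
# behind the firewall and the hosts the slides single out as the only permitted targets.
INTERNAL_NET  = ipaddress.ip_network("192.0.2.0/24")
FTP_SERVER    = ipaddress.ip_address("192.0.2.21")     # the one host allowed to receive tcp/21
PERIMETER_DNS = ipaddress.ip_address("192.0.2.53")     # answers DNS queries from the outside
POP3_SERVER   = ipaddress.ip_address("192.0.2.110")    # the one host allowed to receive tcp/110
SECONDARY_DNS = ipaddress.ip_address("198.51.100.53")  # ISP's secondary DNS, allowed tcp/53 (zone transfer)

# Sources that must never arrive from the Internet: RFC 1918 private space, the
# unrouteable 0.0.0.0 / 240.0.0.0 / 255.255.255.255 ranges, and our own internal range
# (an "internal" source seen on the outside interface is by definition spoofed).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "240.0.0.0/4", "255.255.255.255/32")] + [INTERNAL_NET]


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int   # 0 for icmp


def ingress_decision(pkt):
    """Decide ACCEPT/DROP for a packet arriving on the Internet-facing interface and return
    (verdict, reason). Default deny: anything not explicitly allowed is dropped."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if any(src in net for net in BOGON_SOURCES):
        return "DROP", "spoofed, private or unrouteable source address"
    if dst not in INTERNAL_NET:
        return "DROP", "destination is not ours"
    if pkt.proto == "icmp":
        return "DROP", "ICMP echo blocked at the perimeter"
    key = (pkt.proto, pkt.dport)
    if key == ("tcp", 21):
        return ("ACCEPT", "FTP to the FTP server") if dst == FTP_SERVER else ("DROP", "FTP to a non-FTP host")
    if key == ("tcp", 53):
        return ("ACCEPT", "zone transfer from secondary DNS") if src == SECONDARY_DNS else ("DROP", "tcp/53 from unknown source")
    if key == ("udp", 53):
        return ("ACCEPT", "query to perimeter DNS") if dst == PERIMETER_DNS else ("DROP", "udp/53 to non-perimeter host")
    if key in (("tcp", 109), ("tcp", 110)):
        return ("ACCEPT", "POP to the mail server") if dst == POP3_SERVER else ("DROP", "POP to a non-mail host")
    if key in (("tcp", 79), ("tcp", 135), ("tcp", 137), ("udp", 161)):
        return "DROP", "finger, NetBIOS and SNMP are never accepted from outside"
    return "DROP", "default deny"
```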

  44. Other Typical Types of External Attacks (human/tech)
     • Exhaustive: “brute force” attacks using all possible combinations of passwords to gain access
     • Inference: taking educated guesses at passwords, based on information gleaned
     • TOC/TOU (Time of check/time of use):
       1. use of a “sniffer” to capture log-on data
       2. (later) using the captured data & IP address in an attempt to impersonate the original user/client
