Attacks and Ilya Chalyt Nicholas Egebo Vulnerabilities March 7 2005.

Attacks andAttacks and

Ilya Chalyt Ilya Chalyt

Nicholas EgeboNicholas Egebo

VulnerabilitiesVulnerabilities

March 7 2005

Topics of DiscussionTopics of Discussion

ReconnaissanceReconnaissanceGain information about a systemGain information about a system

VulnerabilitiesVulnerabilitiesAttributes of a system that can be maliciously Attributes of a system that can be maliciously

exploitedexploited

AttacksAttacksProcedures to exploit vulnerabilitiesProcedures to exploit vulnerabilities

Reference 1


Reconnaissance Reconnaissance War DialingWar Dialing War DrivingWar Driving Port ScanningPort Scanning ProbingProbing Packet SniffingPacket Sniffing

War Dialing (Reconnaissance)War Dialing (Reconnaissance)

MethodMethodDial a range of phone Dial a range of phone

numbers searching for numbers searching for modemmodem

MotivationMotivationLocate potential targetsLocate potential targets

DetectionDetectionDetection impossible Detection impossible

outside of the outside of the telephony telephony infrastructureinfrastructure

DefenseDefenseDisconnect unessential Disconnect unessential

modems from modems from outgoing phone linesoutgoing phone lines

Reference 2

War Driving (Reconnaissance)War Driving (Reconnaissance)

MethodMethodSurveillance of wireless Surveillance of wireless

signals in a regionsignals in a region

MotivationMotivationFind wireless trafficFind wireless traffic

DetectionDetectionCan only be detected by Can only be detected by

physical surveillancephysical surveillance

DefenseDefenseLimit geographic access Limit geographic access

to wireless signalto wireless signal

Reference 3

Port Scanning (Reconnaissance)Port Scanning (Reconnaissance)

MethodMethodSend out a SYN packet, Send out a SYN packet,

check for responsecheck for response

MotivationMotivationFind potential targetsFind potential targets

DetectionDetectionTraffic analysisTraffic analysis

DefenseDefenseClose/silence portsClose/silence ports

Reference 4

Probing (Reconnaissance)Probing (Reconnaissance)

MethodMethodSend packets to portsSend packets to ports

MotivationMotivationFind specific port Find specific port

informationinformation

DetectionDetectionTraffic analysisTraffic analysis

DefenseDefenseClose/silence portsClose/silence ports

Packet Sniffing (Reconnaissance)Packet Sniffing (Reconnaissance)

MethodMethodCapture and analyze Capture and analyze

packets traveling packets traveling across a network across a network interfaceinterface

MotivationMotivationGain access to Gain access to

information traveling information traveling on the networkon the network

DetectionDetectionNoneNone

DefenseDefenseUse encryption to Use encryption to

minimize cleartext on minimize cleartext on the networkthe network

Reference 5


VulnerabilitiesVulnerabilities BackdoorsBackdoors Code ExploitsCode Exploits EavesdroppingEavesdropping Indirect AttacksIndirect Attacks Social EngineeringSocial Engineering

Backdoors (Vulnerabilities)Backdoors (Vulnerabilities)

Bypass normal means of authenticationBypass normal means of authentication

Hidden from casual inspectionHidden from casual inspection

Installed separately or integrated into Installed separately or integrated into softwaresoftware

Reference 6

Code Exploits (Vulnerabilities)Code Exploits (Vulnerabilities)

Use of poor coding practices left uncaught Use of poor coding practices left uncaught by testingby testing

Defense: In depth unit and integration Defense: In depth unit and integration testingtesting

Eavesdropping (Vulnerability)Eavesdropping (Vulnerability)

Data transmitted without encryption can be Data transmitted without encryption can be captured and read by parties other than captured and read by parties other than the sender and receiverthe sender and receiver

Defense: Use of strong cryptography to Defense: Use of strong cryptography to minimize cleartext on the networkminimize cleartext on the network

Indirect Attacks (Vulnerabilities)Indirect Attacks (Vulnerabilities)

Internet users’ machines can be infected Internet users’ machines can be infected with zombies and made to perform attackswith zombies and made to perform attacks

The puppet master is left undetectedThe puppet master is left undetected

Defense: Train internet users to prevent Defense: Train internet users to prevent zombies and penalize zombie ownerszombies and penalize zombie owners

Social Engineering (Vulnerability)Social Engineering (Vulnerability)

Manipulate the weakest link of Manipulate the weakest link of cybersecurity – the user – to gain access cybersecurity – the user – to gain access to otherwise prohibited resourcesto otherwise prohibited resources

Defense: Train personnel to resist the Defense: Train personnel to resist the tactics of software engineeringtactics of software engineering

Reference 7


AttacksAttacks Password CracksPassword Cracks Web AttacksWeb Attacks Physical AttacksPhysical Attacks Worms & VirusesWorms & Viruses Logic BombLogic Bomb Buffer OverflowBuffer Overflow PhishingPhishing Bots, and ZombiesBots, and Zombies Spyware, Adware, and MalwareSpyware, Adware, and Malware Hardware KeyloggersHardware Keyloggers Eavesdropping & Playback attacksEavesdropping & Playback attacks DDoSDDoS

Password Cracks: Brute ForcePassword Cracks: Brute Force

MethodMethodTrying all combinations Trying all combinations

of legal symbols as of legal symbols as username/password username/password pairspairs

MotivationMotivationGain access to systemGain access to system

DetectionDetectionFrequent attempts to Frequent attempts to

authenticateauthenticate

DefenseDefenseLockouts – temporary Lockouts – temporary

and permanent and permanent

Reference 8

Password Cracks: Dictionary AttackPassword Cracks: Dictionary Attack

MethodMethodTrying all entries in a Trying all entries in a

collection of stringscollection of strings

MotivationMotivationGain access to system, Gain access to system,

faster than brute forcefaster than brute force



DefenseDefense Lockouts – temporary Lockouts – temporary

and permanent and permanent Complex passwordsComplex passwords

Reference 8

Password Cracks: Hybrid AttackPassword Cracks: Hybrid Attack

MethodMethodTrying all entries in a Trying all entries in a

collection of strings adding collection of strings adding numbers and symbols numbers and symbols concatenating them with concatenating them with each other and or numberseach other and or numbers

MotivationMotivationGain access to system, faster Gain access to system, faster

than brute force, more than brute force, more likely than just dictionary likely than just dictionary attackattack



DefenseDefenseLockouts – temporary and Lockouts – temporary and

permanent permanent

Reference 8

Password Cracks: l0phtcrackPassword Cracks: l0phtcrack

MethodMethodGain access to operating Gain access to operating

system’s hash table system’s hash table and perform cracking and perform cracking remotelyremotely

MotivationMotivationGain access to system, Gain access to system,

cracking elsewhere – cracking elsewhere – no lockoutsno lockouts

DetectionDetectionDetecting reading of Detecting reading of

hash tablehash table

DefenseDefenseLimit access to systemLimit access to system

Reference 8

Web Attacks: Source ViewingWeb Attacks: Source Viewing

MethodMethodRead source code for Read source code for

valuable informationvaluable information

MotivationMotivationFind passwords or Find passwords or

commented out URLcommented out URL


DefenseDefenseNoneNone

Web Attacks: URL Modification Web Attacks: URL Modification

MethodMethodManipulating URL to find Manipulating URL to find

pages not normally pages not normally accessible accessible

MotivationMotivationGain access to normally Gain access to normally

private directories or private directories or pagespages

DetectionDetectionCheck website URL logsCheck website URL logs

DefenseDefenseAdd access Add access

requirementsrequirements

Web Attacks: Post DataWeb Attacks: Post Data

MethodMethodChange post data to get Change post data to get

desired resultsdesired results

MotivationMotivationChange information Change information

being sent in your being sent in your favorfavor


DefenseDefenseVerify post data on Verify post data on

receiving endreceiving end

Web Attacks: Database AttackWeb Attacks: Database Attack

MethodMethodSending dangerous Sending dangerous

queries to databasequeries to database

MotivationMotivationDenial of serviceDenial of service

DetectionDetectionCheck database for Check database for

strange recordsstrange records

DefenseDefenseFilter database queriesFilter database queries

Reference 9

Web Attacks: Database InsertionWeb Attacks: Database Insertion

MethodMethodForm multiple queries to Form multiple queries to

a database through a database through formsforms

MotivationMotivationInsert information into a Insert information into a

table that might be table that might be unsafeunsafe

DetectionDetectionCheck database logsCheck database logs

DefenseDefenseFilter database queries, Filter database queries,

make them quotesafemake them quotesafe

Reference 9

Web Attacks: Meta DataWeb Attacks: Meta Data

MethodMethodUse meta characters to Use meta characters to

make malicious inputmake malicious input

MotivationMotivationPossibly reveal script or Possibly reveal script or

other useful other useful informationinformation

DetectionDetectionWebsite logsWebsite logs

DefenseDefenseFilter input of meta Filter input of meta

characterscharacters

Reference 10

Physical Attack: DamagePhysical Attack: Damage

MethodMethodAttack the computer with Attack the computer with

an axe an axe

MotivationMotivationDisable the computerDisable the computer

DetectionDetectionVideo CameraVideo Camera

DefenseDefenseLocked doors and Locked doors and

placed security guardsplaced security guards

Physical Attack: DisconnectPhysical Attack: Disconnect

MethodMethodInterrupt connection Interrupt connection

between two elements between two elements of the networkof the network

MotivationMotivationDisable the networkDisable the network

DetectionDetectionPingsPings



Physical Attack: ReroutePhysical Attack: Reroute

MethodMethodPass network signal Pass network signal

through additional through additional devicesdevices

MotivationMotivationMonitor traffic or spoof a Monitor traffic or spoof a

portion of the networkportion of the network

DetectionDetectionCameraCamera



Physical Attack: Spoof MAC & IPPhysical Attack: Spoof MAC & IP

MethodMethodIdentify MAC address of Identify MAC address of

target and replicatetarget and replicate

MotivationMotivationDeny target from Deny target from

receiving trafficreceiving traffic

DetectionDetectionMonitoring ARP requests Monitoring ARP requests

and checking logsand checking logs

DefenseDefenseNone as of nowNone as of now

Worms & Virus: File InfectorsWorms & Virus: File Infectors

MethodMethodInfects executables by Infects executables by

inserting itself into inserting itself into themthem

MotivationMotivationDamage files and spreadDamage files and spread

DetectionDetectionVirus scan or strange Virus scan or strange

computer behaviorcomputer behavior

DefenseDefenseAntivirus, being cautious Antivirus, being cautious

on the interneton the internet

Reference 10

Worms & Virus: Partition-sector InfectorsWorms & Virus: Partition-sector Infectors

MethodMethod Moves partition sectorMoves partition sector Replaces with selfReplaces with self On boot executes and On boot executes and

calls original calls original informationinformation






Reference 10

Worms & Virus: Boot-sector virusWorms & Virus: Boot-sector virus

MethodMethodReplaces boot loader, Replaces boot loader,

and spreads to hard and spreads to hard drive and floppiesdrive and floppies






Reference 10

Worms & Virus: Companion VirusWorms & Virus: Companion Virus

MethodMethodLocates executables and Locates executables and

mimics names, mimics names, changing the changing the extensionsextensions






Reference 10

Worms & Virus: Macro VirusWorms & Virus: Macro Virus

MethodMethodInfects documents, when Infects documents, when

document is accessed, document is accessed, macro executes in macro executes in applicationapplication






Reference 10

Worms & Virus: WormsWorms & Virus: Worms

MethodMethodReplicatesReplicates

MotivationMotivationVariable motivationsVariable motivations





Reference 11

Logic BombLogic Bomb

MethodMethodDiscreetly install “time bomb” Discreetly install “time bomb”

and prevent detonation if and prevent detonation if necessarynecessary

MotivationMotivationRevenge, synchronized Revenge, synchronized

attack, securing get awayattack, securing get away

DetectionDetectionStrange computer behaviorStrange computer behavior

DefenseDefense Keep and monitor logsKeep and monitor logs Monitor computer systems Monitor computer systems

closelyclosely

Buffer OverflowBuffer Overflow

MethodMethodPass too much information to Pass too much information to

the buffer with poor the buffer with poor checkingchecking

MotivationMotivationModify to information and/or Modify to information and/or

execute arbitrary codeexecute arbitrary code

DetectionDetectionLogsLogs

DefenseDefense Check input size before Check input size before

copying to buffercopying to buffer Guard return address Guard return address

against overwriteagainst overwrite Invalidate stack to execute Invalidate stack to execute

instructionsinstructions

Reference 12 & 13

PhishingPhishing

MethodMethodRequest information from a Request information from a

mass audience, collect mass audience, collect response from the gullibleresponse from the gullible

MotivationMotivationGain important informationGain important information

DetectionDetectionCareful examination of Careful examination of

requests for informationrequests for information

DefenseDefenseDistribute on a need to know Distribute on a need to know

basisbasis

Bots & ZombiesBots & Zombies

MethodMethodInstalled by virus or worm, Installed by virus or worm,

allow remote unreserved allow remote unreserved access to the systemaccess to the system

MotivationMotivationGain access to additional Gain access to additional

resources, hiding your resources, hiding your identityidentity

DetectionDetection Network analysisNetwork analysis Virus scansVirus scans Notice unusual behaviorNotice unusual behavior

DefenseDefenseInstall security patches and Install security patches and

be careful what you be careful what you downloaddownload

Spyware, Adware, and MalwareSpyware, Adware, and Malware

MethodMethodInstalled either willingly by the Installed either willingly by the

user via ActiveX or as part user via ActiveX or as part of a virus packageof a virus package

MotivationMotivation Gain information about the Gain information about the

useruser Serve users Serve users

advertisementsadvertisements

DetectionDetection Network analysisNetwork analysis Abnormal computer Abnormal computer

behaviorbehavior

DefenseDefenseVirus / adware / spyware / Virus / adware / spyware /

malware scans malware scans

Hardware KeyloggersHardware Keyloggers

MethodMethodAttach it to a computerAttach it to a computer

MotivationMotivationRecord user names, Record user names,

passwords, and other passwords, and other private informationprivate information

DetectionDetectionCheck physical Check physical

connectionsconnections

DefenseDefenseCameras and guardsCameras and guards

EavesdroppingEavesdropping

MethodMethod Record packets to the Record packets to the

networknetwork Attempt to decrypt Attempt to decrypt

encrypted packetsencrypted packets

MotivationMotivationGain access to user dataGain access to user data


DefenseDefenseStrong cryptographyStrong cryptography

Playback AttackPlayback Attack

MethodMethod Record packets to the Record packets to the

networknetwork Resend packets without Resend packets without

decryptiondecryption

MotivationMotivationMimic legitimate commandsMimic legitimate commands

DetectionDetectionNetwork analysisNetwork analysis

DefenseDefenseTime stampsTime stamps

DDoS: CPU attackDDoS: CPU attack

MethodMethodSend data that requires Send data that requires

cryptography to processcryptography to process

MotivationMotivationOccupy the CPU preventing Occupy the CPU preventing

normal operationsnormal operations



Reference 14

DDoS: Memory attackDDoS: Memory attack

MethodMethodSend data that requires the Send data that requires the

allocation of memoryallocation of memory

MotivationMotivationTake up resources, crashing Take up resources, crashing

the server when they are the server when they are exhaustedexhausted



Reference 14

ReferencesReferences1.1. Amoroso, Edward. Amoroso, Edward. Intrusion DetectionIntrusion Detection. Sparta, New Jersey: AT&T Laboratories, 1999.. Sparta, New Jersey: AT&T Laboratories, 1999.2.2. Gunn, Michael. Gunn, Michael. War DialingWar Dialing. SANS Institute, 2002. . SANS Institute, 2002. 3.3. Schwarau, Winn. “War-driving lessons,” Schwarau, Winn. “War-driving lessons,” Network WorldNetwork World, 02 September 2002., 02 September 2002.4.4. Bradley, Tony. Bradley, Tony. Introduction to Port ScanningIntroduction to Port Scanning. 2005. . 2005.

<http://netsecurity.about.com/cs/hackertools/a/aa121303.htm> (04 March 2005).<http://netsecurity.about.com/cs/hackertools/a/aa121303.htm> (04 March 2005).5.5. Bradley, Tony. Bradley, Tony. Introduction to Packet SniffingIntroduction to Packet Sniffing. 2005. . 2005.

<http://netsecurity.about.com/cs/hackertools/a/aa121403.htm> (05 March 2005).<http://netsecurity.about.com/cs/hackertools/a/aa121403.htm> (05 March 2005).6.6. Thompson, Ken. “Reflections on Trusting Trust.” Thompson, Ken. “Reflections on Trusting Trust.” Communications of the ACMCommunications of the ACM, Vol. 27, No. 8, , Vol. 27, No. 8,

August 1985.August 1985.7.7. Mitnick, Kevin. Mitnick, Kevin. The Art of Deception. Indianapolis, Indiana, 2002.The Art of Deception. Indianapolis, Indiana, 2002.8.8. Coyne, Sean. Coyne, Sean. Password Crackers: Types, Process and ToolsPassword Crackers: Types, Process and Tools . ITS Research Labs, 2004. ITS Research Labs, 20049.9. Friel, Steve. Friel, Steve. SQL Injection Attacks by ExampleSQL Injection Attacks by Example. 2005 <http://www.unixwiz.net/techtips/sql-. 2005 <http://www.unixwiz.net/techtips/sql-

injection.html> (05 March 2005)injection.html> (05 March 2005)10.10. Lucas, Julie. Lucas, Julie. The Effective Incident Response Team. The Effective Incident Response Team. Chapter 4. 2003Chapter 4. 200311.11. Worms versus Viruses. Worms versus Viruses. 2004. <http://viruses.surferbeware.com/worms-vs-viruses.htm> (06 2004. <http://viruses.surferbeware.com/worms-vs-viruses.htm> (06

March 2005)March 2005)12.12. Grove, Sandeep. “Buffer Overflow Attacks and Their Countermeasures.” Grove, Sandeep. “Buffer Overflow Attacks and Their Countermeasures.” Linux Journal. Linux Journal. 10 10

March 2003March 200313.13. Levy, Elias. “Smashing the Stack for Fun and Profit”.Levy, Elias. “Smashing the Stack for Fun and Profit”. Phrack Magazine Phrack Magazine IssueIssue 49, Fall 1997.49, Fall 1997.14.14. Distributed Denial of ServiceDistributed Denial of Service. 2002 <http://www.tla.org/talks/ddos-ntua.pdf> (05 March 2005). 2002 <http://www.tla.org/talks/ddos-ntua.pdf> (05 March 2005)

Date post:	16-Dec-2015
Category:	Documents
Upload:	gracie-hunnings
View:	218 times
Download:	3 times

Attacks and Ilya Chalyt Nicholas Egebo Vulnerabilities March 7 2005.

Documents