Attacks and Vulnerabilities
Ilya Chalyt
Nicholas Egebo
March 7, 2005
Topics of Discussion
Reconnaissance: gain information about a system
Vulnerabilities: attributes of a system that can be maliciously exploited
Attacks: procedures to exploit vulnerabilities
Reference 1
Topics of Discussion
Reconnaissance: War Dialing, War Driving, Port Scanning, Probing, Packet Sniffing
War Dialing (Reconnaissance)
Method: dial a range of phone numbers, looking for lines that answer with a modem
Motivation: locate potential targets
Detection: not possible outside the telephony infrastructure; the victim sees only a ring on each line
Defense: disconnect non-essential modems from the phone lines that accept inbound calls
Reference 2
War Driving (Reconnaissance)
Method: survey the wireless signals present in a region
Motivation: find wireless traffic and access points
Detection: can only be detected by physical surveillance; a passive receiver transmits nothing
Defense: limit the geographic reach of the wireless signal
Reference 3
Port Scanning (Reconnaissance)
Method: send a SYN packet to each port and check the response: SYN/ACK means open, RST means closed, no reply usually means filtered
Motivation: find potential targets and the services they expose
Detection: traffic analysis (many SYNs from one source across many ports)
Defense: close unneeded ports; silence the rest at a firewall (drop rather than reject)
Reference 4
Probing (Reconnaissance)
Method: send packets to specific ports and read what comes back (banners, protocol responses)
Motivation: find specific port information: which service and version is listening
Detection: traffic analysis
Defense: close/silence ports; strip identifying banners
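The Port Scanning and Probing slides above describe the two steps in words. The following is an added example, not code from the original slides or from the cited reference: a TCP connect() scan followed by a banner read. Where the slides describe a SYN scan, this uses the full handshake ("connect scan"), which needs no raw-socket privilege but leaves a complete connection in the target's logs. The target is a constructed listener on 127.0.0.1 so the example runs offline; it assumes loopback networking is available.

```python
"""TCP connect() port scan with a banner probe (added example, constructed target)."""
import socket
import threading


def _serve_once(listener: socket.socket, banner: bytes) -> None:
    """Constructed target: accept one connection, send a banner, close it."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(banner)


def start_fake_service(banner: bytes = b"SSH-2.0-ConstructedBanner\r\n") -> socket.socket:
    """Bind a listener on an OS-chosen loopback port; a daemon thread serves banners."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def loop() -> None:
        while True:
            try:
                _serve_once(listener, banner)
            except OSError:  # listener closed by the caller
                return

    threading.Thread(target=loop, daemon=True).start()
    return listener


def allocate_closed_port() -> int:
    """Reserve and release a loopback port so the scan has a known-closed target."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host: str, port: int, timeout: float = 0.5) -> dict:
    """Scan one port. connect() succeeding = open (like SYN/ACK), refused = closed
    (like RST), timeout = filtered (no reply). On an open port, read a banner."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return {"port": port, "state": "filtered", "banner": ""}
        except ConnectionRefusedError:
            return {"port": port, "state": "closed", "banner": ""}
        except OSError:
            return {"port": port, "state": "error", "banner": ""}
        try:
            banner = s.recv(256)  # the "probing" step: whatever the service volunteers
        except (socket.timeout, OSError):
            banner = b""
        return {"port": port, "state": "open",
                "banner": banner.decode("ascii", "replace").strip()}


def scan(host: str, ports, timeout: float = 0.5) -> list:
    """Scan a list of ports sequentially; one dict per port."""
    return [probe_port(host, p, timeout) for p in ports]


if __name__ == "__main__":
    svc = start_fake_service()
    target = svc.getsockname()[1]
    for result in scan("127.0.0.1", [target, allocate_closed_port()]):
        print(result)
    svc.close()
```

The three outcomes map onto the slide's SYN-scan states; on a firewalled host most ports will come back "filtered", which is what the "silence ports" defense aims for.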
Packet Sniffing (Reconnaissance)
Method: capture and analyze packets traveling across a network interface
Motivation: gain access to information traveling on the network
Detection: essentially none; a sniffer is passive and transmits nothing
Defense: use encryption to minimize cleartext on the network
Reference 5
Topics of Discussion
Vulnerabilities: Backdoors, Code Exploits, Eavesdropping, Indirect Attacks, Social Engineering
Backdoors (Vulnerabilities)
Bypass the normal means of authentication
Hidden from casual inspection
Installed separately or integrated into the software itself (even into the compiler that builds it; see Reference 6)
Reference 6
Code Exploits (Vulnerabilities)
Flaws introduced by poor coding practices and left uncaught by testing
Defense: in-depth unit and integration testing
Eavesdropping (Vulnerability)
Data transmitted without encryption can be captured and read by parties other than the sender and receiver
Defense: use strong cryptography to minimize cleartext on the network
Indirect Attacks (Vulnerabilities)
Internet users' machines can be turned into zombies and made to perform attacks on the attacker's behalf
The puppet master is left undetected
Defense: train internet users to keep their machines from becoming zombies; penalize zombie owners
Social Engineering (Vulnerability)
Manipulate the weakest link of cybersecurity, the user, to gain access to otherwise prohibited resources
Defense: train personnel to resist social-engineering tactics
Reference 7
Topics of Discussion
Attacks: Password Cracks, Web Attacks, Physical Attacks, Worms & Viruses, Logic Bomb, Buffer Overflow, Phishing, Bots and Zombies, Spyware, Adware, and Malware, Hardware Keyloggers, Eavesdropping & Playback attacks, DDoS
Password Cracks: Brute Force
Method: try all combinations of legal symbols as username/password pairs
Motivation: gain access to the system
Detection: frequent attempts to authenticate
Defense: lockouts, temporary and permanent
Reference 8
Password Cracks: Dictionary Attack
Method: try all entries in a collection of strings (a word list)
Motivation: gain access to the system, faster than brute force
Detection: frequent attempts to authenticate
Defense: lockouts, temporary and permanent; complex passwords
Reference 8
Password Cracks: Hybrid Attack
Method: try all entries in a word list with numbers and symbols appended, and concatenated with each other and/or with numbers
Motivation: gain access to the system; faster than brute force and more likely to succeed than a plain dictionary attack
Detection: frequent attempts to authenticate
Defense: lockouts, temporary and permanent
Reference 8
Password Cracks: l0phtcrack
Method: obtain the operating system's stored password hashes and crack them offline, on the attacker's own machine
Motivation: gain access to the system; cracking elsewhere means no lockouts, only the cost of hashing limits the rate
Detection: detect reads of the hash table
Defense: limit access to the system and its hash store
Reference 8
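The four password-cracking slides above (Brute Force, Dictionary, Hybrid, l0phtcrack) describe the same search with different candidate sets. The following is an added example, not from the slides or Reference 8, that runs all three candidate generators against stored hashes in the l0phtcrack setting (hashes already in hand, so no lockout ever fires), and then shows the defender's side when the hashes are not exposed: an online login with a lockout counter. The hash scheme (unsalted SHA-256), the word list and the account are all constructed so the example finishes in seconds; a real target would use a salted, slow hash.

```python
"""Offline cracking (brute force, dictionary, hybrid) and the online lockout defense.
Added example with constructed data; unsalted SHA-256 is deliberately weak."""
import hashlib
import itertools
import string


def weak_hash(password: str) -> str:
    """Constructed target scheme: unsalted SHA-256. Never use this for real passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


CONSTRUCTED_WORDLIST = ["password", "letmein", "dragon", "summer", "admin"]


def brute_force(target: str, alphabet: str = string.ascii_lowercase + string.digits,
                max_len: int = 4):
    """Try every string over `alphabet` up to `max_len`; work grows as |alphabet|**len."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if weak_hash(cand) == target:
                return cand
    return None


def dictionary_attack(target: str, wordlist=CONSTRUCTED_WORDLIST):
    """Try each word as-is."""
    for w in wordlist:
        if weak_hash(w) == target:
            return w
    return None


def hybrid_candidates(wordlist):
    """Word-list entries with the mutations users actually apply: capitalization,
    digits/symbols appended, and two words concatenated."""
    suffixes = [str(i) for i in range(100)] + ["!", "1!", "2005"]
    for w in wordlist:
        for base in (w, w.capitalize()):
            yield base
            for suffix in suffixes:
                yield base + suffix
    for a, b in itertools.permutations(wordlist, 2):
        yield a + b


def hybrid_attack(target: str, wordlist=CONSTRUCTED_WORDLIST):
    for cand in hybrid_candidates(wordlist):
        if weak_hash(cand) == target:
            return cand
    return None


class OnlineLogin:
    """Defender's side when the hash table is NOT exposed: after `max_attempts`
    failures the account locks, so online guessing stalls at a handful of tries."""

    def __init__(self, stored: dict, max_attempts: int = 5):
        self.stored = stored            # user -> weak_hash(password)
        self.max_attempts = max_attempts
        self.failures = {}

    def attempt(self, user: str, password: str) -> str:
        if self.failures.get(user, 0) >= self.max_attempts:
            return "locked"
        if weak_hash(password) == self.stored.get(user):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "fail"


if __name__ == "__main__":
    stolen = {"alice": weak_hash("Summer2005"), "bob": weak_hash("ab1")}
    print("alice:", hybrid_attack(stolen["alice"]))   # offline: no lockout involved
    print("bob:", brute_force(stolen["bob"], max_len=3))
    guard = OnlineLogin({"alice": stolen["alice"]}, max_attempts=3)
    for guess in ("summer", "summer1", "summer2", "Summer2005"):
        print(guess, "->", guard.attempt("alice", guess))
```

The online path rejects the correct password once the counter is exhausted, which is exactly why the hash-theft route on the l0phtcrack slide is attractive to an attacker.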
Web Attacks: Source Viewing
Method: read the page source for valuable information
Motivation: find passwords or commented-out URLs
Detection: none
Defense: none against the viewing itself; keep secrets and hidden paths out of anything served to the client
Web Attacks: URL Modification
Method: manipulate the URL to find pages not normally accessible
Motivation: gain access to normally private directories or pages
Detection: check website URL logs
Defense: enforce access requirements on every page and directory rather than relying on the URL being unknown
Web Attacks: Post Data
Method: change the POST data to get the desired results
Motivation: change the information being sent in your favor
Detection: none
Defense: verify POST data on the receiving end
Web Attacks: Database Attack
Method: send dangerous queries to the database through input that is pasted into SQL text
Motivation: denial of service (dropping or corrupting tables)
Detection: check the database for strange records
Defense: filter database queries; better, pass input as bound parameters so it can never become SQL
Reference 9
Web Attacks: Database Insertion
Method: form multiple queries to the database through a single form field (SQL injection)
Motivation: insert information into a table that might be unsafe
Detection: check database logs
Defense: filter database queries and make them quote-safe; parameterized queries do this for you
Reference 9
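The Database Attack and Database Insertion slides above both come down to input becoming SQL. The following is an added example, not from the slides or Reference 9, that runs the two injections against an in-memory SQLite database: a quote that rewrites a login check, and a semicolon that appends a second statement through a form field. Each vulnerable function sits beside its parameterized form. The schema, the users and the payloads are constructed.

```python
"""SQL injection (login bypass, stacked insert) beside parameterized queries.
Added example with a constructed SQLite schema."""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(name TEXT, pw TEXT, is_admin INTEGER);
        INSERT INTO users VALUES ('alice', 'correct horse', 0);
    """)
    return con


def login_vulnerable(con, name: str, pw: str) -> bool:
    # The "dangerous query": quotes inside the input become part of the SQL.
    q = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(q).fetchone()[0] > 0


def login_safe(con, name: str, pw: str) -> bool:
    # Placeholders: the driver passes the input as data, never as query text.
    q = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?"
    return con.execute(q, (name, pw)).fetchone()[0] > 0


def register_vulnerable(con, name: str) -> None:
    # executescript runs *multiple* statements, so a ';' in the form field
    # lets the attacker append a query of their own (the "insertion" slide).
    con.executescript(f"INSERT INTO users VALUES ('{name}', 'x', 0);")


def register_safe(con, name: str) -> None:
    con.execute("INSERT INTO users VALUES (?, 'x', 0)", (name,))
    con.commit()


def admins(con) -> list:
    return [r[0] for r in con.execute("SELECT name FROM users WHERE is_admin = 1")]


if __name__ == "__main__":
    con = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable login:", login_vulnerable(con, "alice", bypass))   # True
    print("safe login:      ", login_safe(con, "alice", bypass))         # False
    stacked = "mallory', 'x', 0); UPDATE users SET is_admin = 1 WHERE name = 'mallory'; --"
    register_safe(con, stacked)          # stores the whole string as a user name
    print("admins after safe insert:", admins(con))
    register_vulnerable(con, stacked)    # runs the appended UPDATE
    print("admins after vulnerable insert:", admins(con))
```

Note that sqlite3's plain execute() refuses a second statement; the vulnerable path only works because it used executescript(), which is the kind of "run whatever I was given" call that turns a quote-safety problem into a multi-query one.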
Web Attacks: Meta Characters
Method: use meta characters (quotes, semicolons, pipes, backticks, dollar signs) to make malicious input
Motivation: possibly reveal script source or other useful information
Detection: website logs
Defense: filter or escape meta characters in input; never hand raw input to a shell or interpreter
Reference 10
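The Meta Characters slide above says to filter them; the following added example (not from the slides or Reference 10) shows why on a constructed "ping this host" web feature. One builder pastes the field into a command string meant for a shell, so a semicolon in the input starts a second command; the other validates the field against a hostname allowlist and passes it as a separate argv element, so the shell never parses it. A helper reports which metacharacters an input carries, which is the check a log reviewer would apply.

```python
"""Shell metacharacter injection and the allowlist/argv defense (added example)."""
import re
import shlex

# RFC-1123 style hostname: labels of letters, digits and hyphens joined by dots.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Characters a POSIX shell interprets rather than passes through.
SHELL_META_RE = re.compile(r"[;&|`$()<>\n\\\"']")


def find_metacharacters(s: str) -> set:
    """Which shell metacharacters an input contains (empty set means none)."""
    return set(SHELL_META_RE.findall(s))


def build_ping_vulnerable(host: str) -> str:
    """Constructed vulnerable builder: a string handed to `sh -c`. Every
    metacharacter in `host` is interpreted by the shell."""
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """Allowlist check: reject anything that is not a plain hostname."""
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError("rejected: not a hostname: %r" % host)
    return host


def build_ping_safe(host: str) -> list:
    """argv form: each element is exactly one argument; no shell is involved."""
    return ["ping", "-c", "1", validate_host(host)]


def build_ping_quoted(host: str) -> str:
    """If a shell string is unavoidable, quote the validated value so the
    shell treats it as one word."""
    return "ping -c 1 " + shlex.quote(validate_host(host))


if __name__ == "__main__":
    attack = "example.com; cat /etc/passwd"
    print("metacharacters:", find_metacharacters(attack))
    print("vulnerable:", build_ping_vulnerable(attack))   # two commands for the shell
    print("safe:", build_ping_safe("sub-1.example.com"))
    try:
        build_ping_safe(attack)
    except ValueError as e:
        print(e)
```

The allowlist is the primary control and the quoting is a fallback: filtering a denylist of characters tends to miss one (newline and backslash are common omissions), whereas describing what a valid value looks like does not.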
Physical Attack: Damage
Method: attack the computer with an axe
Motivation: disable the computer
Detection: video camera
Defense: locked doors and posted security guards
Physical Attack: Disconnect
Method: interrupt the connection between two elements of the network
Motivation: disable the network
Detection: pings
Defense: locked doors and posted security guards
Physical Attack: Reroute
Method: pass the network signal through additional devices
Motivation: monitor traffic or spoof a portion of the network
Detection: camera
Defense: locked doors and posted security guards
Physical Attack: Spoof MAC & IP
Method: identify the MAC address of the target and replicate it
Motivation: deny the target from receiving traffic, or receive it in its place
Detection: monitoring ARP requests and replies (one IP answering from two MACs, one MAC claiming several IPs) and checking logs
Defense: static ARP entries and switch port security; otherwise none
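The Spoof MAC & IP slide above lists "monitoring ARP requests" as the detection. The following is an added example, not from the slides, of that monitor: it reads tcpdump-style ARP reply lines and raises an alert when an IP's MAC changes, when one MAC claims more than one IP, or when a reply contradicts a static IP-to-MAC table. The capture, the addresses and the line format ("<time> ARP, Reply <ip> is-at <mac>") are constructed for the example.

```python
"""ARP spoof detection over constructed tcpdump-style lines (added example)."""
import re
from collections import defaultdict

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Constructed capture: 10.0.0.1 is legitimately at ...:01, then an attacker
# at de:ad:be:ef:00:99 claims 10.0.0.1 and, a second later, 10.0.0.7 as well.
CONSTRUCTED_CAPTURE = """\
10:00:01.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01
10:00:02.000 ARP, Reply 10.0.0.5 is-at 00:11:22:33:44:05
10:00:03.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01
10:00:04.000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99
10:00:05.000 ARP, Reply 10.0.0.7 is-at de:ad:be:ef:00:99
"""


def detect_arp_spoof(capture: str, static_table: dict = None) -> list:
    """Return alert tuples (ts, kind, ...) for the three suspicious patterns.
    `static_table` maps IPs whose MAC is known and must never change."""
    static = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    learned = {}                      # ip -> first MAC seen (for dynamic hosts)
    mac_to_ips = defaultdict(set)     # mac -> every IP it has claimed
    alerts = []
    for line in capture.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        if ip in static:
            if static[ip] != mac:
                alerts.append((ts, "static-mismatch", ip, static[ip], mac))
        else:
            prev = learned.get(ip)
            if prev and prev != mac:
                alerts.append((ts, "ip-mac-change", ip, prev, mac))
            learned[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(CONSTRUCTED_CAPTURE):
        print(alert)
    print("with static entry for the gateway:")
    for alert in detect_arp_spoof(CONSTRUCTED_CAPTURE, {"10.0.0.1": "00:11:22:33:44:01"}):
        print(alert)
```

Without the static table the first alert only says "changed", which could also be a replaced NIC; pinning the gateway's MAC turns it into a definite mismatch, which is the static-ARP defense on the slide in detection form.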
Worms & Virus: File Infectors
Method: infects executables by inserting itself into them
Motivation: damage files and spread
Detection: virus scan or strange computer behavior
Defense: antivirus, being cautious on the internet
Reference 10
Worms & Virus: Partition-sector Infectors
Method: moves the original partition sector elsewhere on the disk and writes itself in its place; on boot it executes first, then passes control to the original code
Motivation: damage files and spread
Detection: virus scan or strange computer behavior
Defense: antivirus, being cautious on the internet
Reference 10
Worms & Virus: Boot-sector virus
Method: replaces the boot loader and spreads to the hard drive and floppies
Motivation: damage files and spread
Detection: virus scan or strange computer behavior
Defense: antivirus, being cautious on the internet
Reference 10
Worms & Virus: Companion Virus
Method: locates executables and creates a copy of itself with the same name but a different extension (a .COM next to a .EXE), which DOS runs first
Motivation: damage files and spread
Detection: virus scan or strange computer behavior
Defense: antivirus, being cautious on the internet
Reference 10
Worms & Virus: Macro Virus
Method: infects documents; when the document is opened, the macro executes inside the application
Motivation: damage files and spread
Detection: virus scan or strange computer behavior
Defense: antivirus, being cautious on the internet
Reference 10
Worms & Virus: Worms
Method: self-replicates across the network without needing a host file
Motivation: variable motivations
Detection: virus scan or strange computer behavior
Defense: antivirus, being cautious on the internet
Reference 11
Logic Bomb
Method: discreetly install a "time bomb" that fires on a trigger (a date, an event, or a missed check-in); the planter can defuse it if necessary
Motivation: revenge, a synchronized attack, or securing a getaway
Detection: strange computer behavior
Defense: keep and monitor logs; monitor computer systems closely
Buffer Overflow
Method: pass more data than the buffer holds to code that does not check its size, so the excess overwrites adjacent memory
Motivation: modify data and/or execute arbitrary code
Detection: logs (crashes, oversized inputs)
Defense: check input size before copying to the buffer; guard the return address against overwrite (stack canaries); make the stack non-executable
Reference 12 & 13
Phishing
Method: request information from a mass audience and collect the responses from the gullible
Motivation: gain important information
Detection: careful examination of requests for information
Defense: distribute information on a need-to-know basis
Bots & Zombies
Method: installed by a virus or worm; allow remote, unrestricted access to the system
Motivation: gain access to additional resources while hiding your identity
Detection: network analysis; virus scans; noticing unusual behavior
Defense: install security patches and be careful what you download
Spyware, Adware, and Malware
Method: installed either willingly by the user (via ActiveX) or as part of a virus package
Motivation: gain information about the user; serve users advertisements
Detection: network analysis; abnormal computer behavior
Defense: virus / adware / spyware / malware scans
Hardware Keyloggers
Method: attach a small inline device between the keyboard and the computer
Motivation: record user names, passwords, and other private information
Detection: check physical connections
Defense: cameras and guards
Eavesdropping
Method: record packets from the network; attempt to decrypt encrypted packets
Motivation: gain access to user data
Detection: none
Defense: strong cryptography
Playback Attack
Method: record packets from the network; resend them without decrypting them
Motivation: mimic legitimate commands
Detection: network analysis
Defense: time stamps, together with nonces or sequence numbers so the same message cannot be accepted twice
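The Eavesdropping and Playback Attack slides above make the point that an attacker who cannot read a message can still replay it. The following is an added example, not from the slides, of a constructed command protocol: the sender authenticates each command with an HMAC over a timestamp and a random nonce, and the receiver rejects anything stale, anything seen before, and anything whose tag does not verify. A receiver built with `check_freshness=False` shows how a MAC alone lets a sniffed command be replayed. The shared key and the commands are constructed; the freshness window is a parameter.

```python
"""Replay (playback) detection with timestamp + nonce under an HMAC (added example)."""
import hashlib
import hmac
import json
import os
import time

KEY = b"constructed-shared-key"   # assumed to be shared out of band


def make_command(key: bytes, cmd: str, now=None, nonce: bytes = None) -> bytes:
    """Sender: body is JSON {cmd, ts, nonce}; packet is body + '.' + hex HMAC."""
    msg = {"cmd": cmd,
           "ts": int(now if now is not None else time.time()),
           "nonce": (nonce or os.urandom(8)).hex()}
    body = json.dumps(msg, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


class Receiver:
    def __init__(self, key: bytes, window: int = 30, check_freshness: bool = True):
        self.key = key
        self.window = window                  # seconds of clock skew tolerated
        self.check_freshness = check_freshness
        self.seen = {}                        # nonce -> ts, pruned past the window

    def accept(self, packet: bytes, now=None) -> str:
        now = now if now is not None else time.time()
        body, sep, tag = packet.rpartition(b".")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not sep or not hmac.compare_digest(expected, tag):
            return "reject: bad MAC"          # tampered, or wrong key
        msg = json.loads(body)
        if not self.check_freshness:
            return "ok: " + msg["cmd"]        # MAC-only receiver: replayable
        if abs(now - msg["ts"]) > self.window:
            return "reject: stale timestamp"  # old capture played back later
        # Nonces older than the window can be forgotten: a replay of them would
        # already fail the timestamp check, so the set stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return "reject: replay"           # same packet inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok: " + msg["cmd"]


if __name__ == "__main__":
    packet = make_command(KEY, "open-door", now=1000)   # sniffed off the wire
    good = Receiver(KEY)
    naive = Receiver(KEY, check_freshness=False)
    for t in (1005, 1010, 2000):
        print(t, "checked:", good.accept(packet, now=t), "| MAC only:", naive.accept(packet, now=t))
    print("tampered:", good.accept(packet.replace(b"open-door", b"open-vault"), now=1005))
```

The timestamp alone would let the attacker replay within the window, and the nonce alone would force the receiver to remember every nonce forever; together they bound both the replay opportunity and the receiver's memory.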
DDoS: CPU attack
Method: send data that requires cryptography to process (many connection setups, each costing the server a public-key operation)
Motivation: occupy the CPU, preventing normal operations
Detection: network analysis
Defense: no complete defense; bound the work done per unauthenticated request and rate-limit by source
Reference 14
DDoS: Memory attack
Method: send data that requires the allocation of memory
Motivation: take up resources, crashing the server when they are exhausted
Detection: network analysis
Defense: no complete defense; cap allocation per request and per source before reading the data
Reference 14
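The two DDoS slides above describe attacks on CPU and on memory. The following is an added example, not from the slides or Reference 14, of the two bounding controls a server can apply: a request reader that refuses oversized header lines and declared bodies before allocating for them (the memory side), and a per-source token bucket that limits how many expensive operations, such as handshakes, one source may trigger per second (the CPU side). The request format (a Content-Length header block followed by a body) and the sample inputs are constructed.

```python
"""Bounding memory and CPU spent on untrusted requests (added example)."""
import io

MAX_LINE = 8192        # longest header line accepted
MAX_BODY = 1 << 20     # 1 MiB declared body limit


def read_request(stream, max_line: int = MAX_LINE, max_body: int = MAX_BODY):
    """Parse 'Name: value' header lines, a blank line, then a Content-Length body.
    Every limit is enforced *before* the corresponding allocation."""
    headers = {}
    while True:
        line = stream.readline(max_line + 1)      # never read more than we allow
        if len(line) > max_line:
            raise ValueError("header line too long")
        if not line:
            raise ValueError("truncated request")
        if line in (b"\r\n", b"\n"):
            break
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    if declared < 0 or declared > max_body:
        raise ValueError("declared body exceeds limit")   # reject before allocating
    body = stream.read(declared)
    if len(body) != declared:
        raise ValueError("truncated body")
    return headers, body


def parse_request(data: bytes):
    """Convenience wrapper over an in-memory stream."""
    return read_request(io.BytesIO(data))


class TokenBucket:
    """Per-source budget for expensive work: `rate` tokens/second, up to `burst`
    banked. A source with no tokens is refused before the costly step runs."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.state = {}          # source -> (tokens, last_time)

    def allow(self, source: str, now: float) -> bool:
        tokens, last = self.state.get(source, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[source] = (tokens, now)
            return False
        self.state[source] = (tokens - 1, now)
        return True


if __name__ == "__main__":
    print(parse_request(b"Content-Length: 5\r\n\r\nhello"))
    for bad in (b"Content-Length: 99999999\r\n\r\n", b"X: " + b"a" * 9000 + b"\r\n\r\n"):
        try:
            parse_request(bad)
        except ValueError as e:
            print("rejected:", e)
    bucket = TokenBucket(rate=1.0, burst=3)
    print([bucket.allow("10.0.0.9", 0.0) for _ in range(4)])   # [True, True, True, False]
    print(bucket.allow("10.0.0.9", 2.0))                        # refilled: True
```

Neither control stops a distributed flood, which is why the slides list no full defense; what they do is keep one source, or one oversized request, from exhausting the server on its own.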
References
1. Amoroso, Edward. Intrusion Detection. Sparta, New Jersey: AT&T Laboratories, 1999.
2. Gunn, Michael. War Dialing. SANS Institute, 2002.
3. Schwartau, Winn. "War-driving lessons," Network World, 02 September 2002.
4. Bradley, Tony. Introduction to Port Scanning. 2005. <http://netsecurity.about.com/cs/hackertools/a/aa121303.htm> (04 March 2005).
5. Bradley, Tony. Introduction to Packet Sniffing. 2005. <http://netsecurity.about.com/cs/hackertools/a/aa121403.htm> (05 March 2005).
6. Thompson, Ken. "Reflections on Trusting Trust." Communications of the ACM, Vol. 27, No. 8, August 1984.
7. Mitnick, Kevin. The Art of Deception. Indianapolis, Indiana, 2002.
8. Coyne, Sean. Password Crackers: Types, Process and Tools. ITS Research Labs, 2004.
9. Friedl, Steve. SQL Injection Attacks by Example. 2005. <http://www.unixwiz.net/techtips/sql-injection.html> (05 March 2005).
10. Lucas, Julie. The Effective Incident Response Team. Chapter 4. 2003.
11. Worms versus Viruses. 2004. <http://viruses.surferbeware.com/worms-vs-viruses.htm> (06 March 2005).
12. Grover, Sandeep. "Buffer Overflow Attacks and Their Countermeasures." Linux Journal, 10 March 2003.
13. Aleph One (Elias Levy). "Smashing the Stack for Fun and Profit." Phrack Magazine, Issue 49, November 1996.
14. Distributed Denial of Service. 2002. <http://www.tla.org/talks/ddos-ntua.pdf> (05 March 2005).