Chapter 3 Network and Computer Attacks
Posted 29-Dec-2015 by karin-harrell

Objectives
After reading this chapter and completing the exercises, you will be able to:
- Describe the different types of malicious software and what damage they can do
- Describe methods of protecting against malware attacks
- Describe the types of network attacks
- Identify physical security attacks and vulnerabilities

Introduction
- As an IT security professional, you need to be aware of attacks an intruder can make on your network.
- Attacks include unauthorized attempts to access network resources or systems, attempts to destroy or corrupt information, and attempts to prevent authorized users from accessing resources.
- You must have a good understanding of both network security and computer security.

Source: Hands-On Ethical Hacking and Network Defense, Second Edition

Malicious Software (Malware)
- Network attacks prevent a business from operating
- Malicious software (malware): virus, worm, Trojan program
- Goals: destroy data, corrupt data, shut down a network or system, make money

Viruses
- A virus attaches itself to a file or program: it needs a host to replicate and does not stand on its own
- No foolproof prevention method
- Antivirus programs: detection based on virus signatures; signatures are kept in a virus signature file that must be updated periodically; some offer an automatic update feature

Table 3-1 Common computer viruses

Macro Viruses
- Virus encoded as a macro (a single instruction that expands automatically into a set of instructions to perform a particular task)
- Programs that support a macro programming language (e.g., Visual Basic for Applications): lists of commands that can be used in destructive ways
- Example: Melissa, which appeared in 1999
- Even nonprogrammers can create macro viruses; instructions are posted on Web sites
- Security professionals learn from thinking like attackers

Worms
- Replicates and propagates without a host
- Infamous examples: Code Red, Nimda
- Theoretically can infect every computer in the world over a short period
- Cyber attacks against ATMs are a serious concern for the banking industry and law enforcement agencies worldwide. Examples: the Slammer and Nachi ATM worm attacks

Table 3-2 Common computer worms

Table 3-2 Common computer worms (cont’d.)

Trojan Programs
- Insidious attack against networks and computers
- Disguise themselves as useful programs
- Allow attackers remote access
- Can install backdoors and rootkits
- Backdoors or rootkits are programs that give attackers a means of regaining access to the attacked computer later.
- A rootkit is a type of malicious software that is activated each time your system boots up. Rootkits are difficult to detect because they are activated before your system's operating system has completely booted up.
- A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the system's OS.

Trojan Programs (cont'd.)
- Back Orifice is one of the most common Trojan programs used today. It allows attackers to take full control of the attacked computer, like Windows XP Remote Desktop functions, except that Back Orifice works without the user's knowledge.
- A good software or hardware firewall would most likely identify traffic that's using unfamiliar ports.
- But Trojan programs that use common ports, such as TCP port 80 (HTTP) or UDP port 53 (DNS), are more difficult to detect.
- Also, many home users and small businesses don't use software or hardware firewalls.

Table 3-3 Trojan programs and ports

Spyware
- Sends information from the infected computer to the attacker: confidential financial data, passwords, PINs, any other stored data
- Can register each keystroke entered
- Prevalent technology
- Educate users about spyware

Figure 3-2 A spyware initiation program

Adware
- Similar to spyware
- Installed without users being aware
- Sometimes displays a banner
- Main purpose: determine the user's purchasing habits so that Web browsers can display advertisements tailored to this user
- Main problem: slows down computers

Protecting Against Malware Attacks
- Difficult task: new viruses, worms, and Trojan programs appear daily
- Antivirus programs detect many malware programs
- Educate users about these attacks: users who aren't trained thoroughly can open holes into a network that no technology can protect against

Figure 3-3 Detecting a virus

Educating Your Users
- Structured training that includes all employees and management
- E-mail monthly security updates
- Recommend virus signature database updating; activate automatic updates
- SpyBot and Ad-Aware: the two most popular spyware and adware removal programs; help protect against spyware and adware
- Firewalls: software (personal) and hardware (enterprise)

Avoiding Fear Tactics
- Avoid scaring users into complying with security measures
- Sometimes used by unethical security testers; against the OSSTMM's Rules of Engagement
- Promote awareness rather than instilling fear
- Users should be aware of potential threats
- Build on users' knowledge; makes training easier

Intruder Attacks on Networks and Computers
- Attack: any attempt by an unauthorized person to access, damage, or use network resources
- Network security: concerned with the security of the network infrastructure
- Computer security: concerned with the security of a stand-alone computer that is not part of a network infrastructure
- Computer crime: fastest growing type of crime worldwide

Denial-of-Service Attacks
- Denial-of-service (DoS) attack: prevents legitimate users from accessing network resources
- Some forms do not involve computers. For example, intentionally looping a document on a fax machine by taping two pages together can use up reams of paper on the destination fax machine, thus preventing others from using it

Denial-of-Service Attacks (cont'd.)
- DoS attacks do not attempt to access information, but they cripple (disturb) the network and make it vulnerable to other attacks
- Installing an attack yourself is not wise; only explain how the attack could happen

Distributed Denial-of-Service Attacks
- Distributed denial-of-service (DDoS) attack: attack on a host from multiple servers or workstations
- Network could be flooded with billions of packets: loss of bandwidth; degradation or loss of speed
- Often participants are not aware they are part of the attack; they, too, have been attacked

Distributed Denial-of-Service Attacks (cont'd.)
- DDoS attacks are difficult to stop because owners of the compromised computers, referred to as zombies, are unaware that their systems are sending malicious packets to a victim thousands of miles away.
- These compromised computers are usually part of a botnet (a network of "robot" computers) following instructions from a central location or system.
- For more information, do a search on "Estonia DDoS."

Buffer Overflow Attacks
- Vulnerability in poorly written code that does not check the amount of memory space used
- For example, if a program defines a buffer size of 100 MB (the total amount of memory the program is supposed to use), and the program writes data over the 100 MB mark without triggering an error or preventing this occurrence, you have a buffer overflow.

Buffer Overflow Attacks (cont'd.)
- Attacker writes code that overflows the buffer
- The trick is to not fill the overflow buffer with meaningless data, but fill it with executable program code. That way, the OS runs the code, and the attacker's program does something harmful.
- Usually, the code elevates the attacker's permissions to an administrator's level or gives the attacker the same privileges as the program's owner or creator
- Train programmers in developing applications with security in mind

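As an added example (not from the textbook), the unchecked copy the slides describe is shown beside a version that measures the input before writing; the 16-byte buffer and the function names are constructed for illustration and stand in for the slide's 100 MB case:

```c
#include <stdio.h>
#include <string.h>

/* Constructed 16-byte buffer; the slide's 100 MB example fails the same way at a larger scale. */
#define BUF_SIZE 16

/* Vulnerable pattern from the slide: the copy never compares the input length with
 * the buffer size, so input longer than BUF_SIZE - 1 bytes writes past the end of buf. */
void copy_unchecked(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);              /* no bounds check: this is the buffer overflow */
    printf("copied: %s\n", buf);
}

/* Hardened version: measure first, refuse anything that will not fit, then copy.
 * Returns 0 on success and -1 when the input (plus its NUL) exceeds dst_size. */
int copy_checked(char *dst, size_t dst_size, const char *input) {
    size_t len = strlen(input);
    if (dst_size == 0 || len >= dst_size) {
        return -1;                   /* would overflow: report an error instead of writing */
    }
    memcpy(dst, input, len + 1);     /* len + 1 includes the terminating NUL */
    return 0;
}

int main(void) {
    char out[BUF_SIZE];
    /* 15 characters plus the NUL fit exactly; 16 characters do not. */
    printf("short input:    %d\n", copy_checked(out, sizeof out, "0123456789abcde"));
    printf("oversize input: %d\n", copy_checked(out, sizeof out, "0123456789abcdef"));
    return 0;
}
```
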
Table 3-4 Buffer overflow vulnerabilities

Ping of Death Attacks
- Type of DoS attack; not as common as during the late 1990s
- How it works: the attacker creates a large ICMP packet, more than the allowed 65,535 bytes; the large packet is fragmented into small packets and reassembled at the destination; the destination cannot handle the reassembled oversize packet, causing it to crash or freeze

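An added example (not from the textbook) of the check a receiving IP stack needs before reassembling: each fragment's offset plus length must stay within the 65,535-byte maximum that Ping of Death packets exceed. The fragment_t structure, the 20-byte header, and the sample fragments are assumptions made for the illustration:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MAX_TOTAL_LEN 65535u   /* largest value the 16-bit IPv4 total-length field can hold */
#define IP_HEADER_LEN    20u      /* minimum IPv4 header; assumed here for simplicity */
#define IP_MAX_PAYLOAD   (IP_MAX_TOTAL_LEN - IP_HEADER_LEN)   /* 65,515 bytes of data */

/* One received fragment (assumed layout). In IPv4 the 13-bit fragment offset counts 8-byte units. */
typedef struct {
    uint16_t offset_units;   /* fragment offset field from the IP header */
    uint16_t payload_len;    /* bytes of ICMP payload carried by this fragment */
} fragment_t;

/* Returns 1 if this fragment lands inside a legal datagram, 0 if accepting it would push
 * the reassembled size past 65,535 bytes, which is the Ping of Death condition. */
int fragment_fits(const fragment_t *f) {
    uint32_t start = (uint32_t)f->offset_units * 8u;  /* widen first: 8191 * 8 does not fit in 16 bits */
    uint32_t end   = start + f->payload_len;
    return end <= IP_MAX_PAYLOAD;
}

/* Reassembly buffer sized to the largest legal payload, so a checked write can never run past it. */
static uint8_t reassembly_buf[IP_MAX_PAYLOAD];

/* Copies each fragment's payload into place, validating before every write.
 * Returns the number of fragments accepted, or -1 at the first one that would overflow
 * (the whole datagram is then dropped instead of crashing the receiver). */
int reassemble(const fragment_t *frags, const uint8_t *const *payloads, size_t n) {
    memset(reassembly_buf, 0, sizeof reassembly_buf);
    for (size_t i = 0; i < n; i++) {
        if (!fragment_fits(&frags[i])) {
            return -1;
        }
        memcpy(reassembly_buf + (uint32_t)frags[i].offset_units * 8u,
               payloads[i], frags[i].payload_len);
    }
    return (int)n;
}

int main(void) {
    fragment_t normal = { 0, 1480 };     /* a full Ethernet-sized first fragment */
    fragment_t pod    = { 8189, 1480 };  /* 65,512 + 1,480 = 66,992 bytes: oversize */
    printf("normal fragment fits:   %d\n", fragment_fits(&normal));
    printf("oversize fragment fits: %d\n", fragment_fits(&pod));
    return 0;
}
```
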
Session Hijacking
- Enables an attacker to join a TCP session
- Attacker makes both parties think he or she is the other party
- Complex attack; beyond the scope of this book

Addressing Physical Security
- Protecting a network from attacks is not always a software issue. You should have some basic skills in protecting a network from physical attacks as well.
- Inside attacks: more likely than outside attacks

Keyloggers
- Used to capture keystrokes on a computer
- Software: loaded onto the computer; behaves like Trojan programs
- Hardware: small and easy-to-install device that goes between the keyboard and the computer; examples: KeyKatcher and KeyGhost
- Available as software (spyware); transfers information

Figure 3-4 An e-mail message captured by KeyKatcher

Figure 3-5 The KeyGhost menu

Behind Locked Doors
- As a security professional, you should be aware of the types of locks used to secure a company's assets.
- If an intruder gets physical access to a server, whether it's running Linux or Windows, it doesn't matter how good your firewall or IDS is.
- Encryption or public key infrastructure (PKI) enforcements don't help in this situation, either.
- If intruders can sit in front of your server, they can hack it. Simply put, lock up your server.

Behind Locked Doors (Solution)
- Lock up servers
- Average person: can pick a deadbolt lock in less than five minutes after only a week or two of practice
- Experienced hackers: can pick a deadbolt lock in under 30 seconds
- Rotary locks are harder to pick; they require pushing in a sequence of numbered bars
- Keep a record of who enters and leaves the room
- Security cards can be used for better security

Summary
- Be aware of attacks on network infrastructures and standalone computers; they can be perpetrated by insiders or outside attackers
- Malicious software: viruses, worms, Trojan programs, spyware, adware

Summary (cont'd.)
- Attacks: Denial-of-Service (DoS), Distributed Denial-of-Service (DDoS), buffer overflow, Ping of Death, session hijacking
- Keyloggers: monitor a computer system
- Physical security: everyone's responsibility