COEN 252 Security Threats. Network Based Exploits Phases of an Attack Reconnaissance Scanning ...

Date post: 12-Jan-2016
Page 1: COEN 252 Security Threats. Network Based Exploits Phases of an Attack  Reconnaissance  Scanning  Gaining Access  Expanding Access  Covering Tracks.

COEN 252

Security Threats

Page 2:

Network Based Exploits

Phases of an Attack: Reconnaissance, Scanning, Gaining Access, Expanding Access, Covering Tracks

Page 3:

Reconnaissance: Social Engineering

“I cannot access my email. What do I do?”
Dumpster Diving (especially useful when people move)
Search the Web: Sam Spade (www.samspade.org/ssw/), CyberKit, NetScanTools, ...
Search Engines, Usenet postings, Whois

Page 4:

Reconnaissance: Databases

To research .com, .net, and .org domain names: InterNIC whois feature (www.internic.net/whois.html); allwhois, Network Solutions, ...
ARIN: American Registry for Internet Numbers (www.arin.net/whoiis/arin-whois.html)
RIPE (Europe): www.ripe.net
APNIC (Asia Pacific): www.apnic.net

Page 5:

Reconnaissance: Scanning

Once we have a target, we need to get to know it better.
Methods: War Dialing (to find modem access), Network Mapping, Vulnerability Scanning, War Driving

Page 6:

Scanning: War Dialing

Purpose: Find a modem connection. Many users in a company install remote PC software such as PCAnywhere without setting the software up correctly.
A War Dialer finds these numbers by going through a range of phone numbers, listening for a modem.
A Demon Dialer tries a brute-force password attack on a found connection.
Typically, war dialing will find an unsecured connection.

Page 7:

Scanning: Network Mapping

Ping: ping is implemented using the Internet Control Message Protocol (ICMP) Echo Request. A receiving station answers back to the sender.
Used by system administrators to check the status of machines and connections.

Page 8:

Scanning: Network Mapping

Traceroute: Pings a system with ICMP echo requests with varying life spans (= number of hops allowed).
A system that receives a packet whose allowed number of hops has expired sends an error message back to the sender.
Traceroute uses this to find the route to a given system.
Useful for system administration.

Page 9:

Scanning: Network Mapping

Cheops: Network Scanner (UNIX based). Uses traceroute and other tools to map a network.
Tools like Cheops are the reason that firewalls intercept pings.

Page 10:

Reconnaissance: Port Scans

Applications on a system use ports to listen for network traffic or send it out. There are 2^16 ports available, some reserved for well-known services such as http (80), ftp, ...
Port scans send various types of IP packets to the target on different ports. The reaction tells the scanner whether the port is open (an application listens).

Page 11:

Reconnaissance: Nmap

Uses different types of packets to check for open ports.
Can tell from the reaction what OS is running, including patch levels.
Can run in stealth mode, in which it is not detected by many firewalls.
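The scanning behaviour described on the last two slides is what a defender looks for in firewall logs: one source touching many ports on one host in a short time. The detector below is an added example, not part of the COEN 252 slides; the log line layout, the addresses and the thresholds are assumptions made for the demonstration.

```python
"""Flag port-scan-like behaviour in firewall logs.

Added example (not from the COEN 252 slides): a source that touches many
distinct ports on one host inside a short window is treated as a scanner.
The log line layout, addresses and thresholds are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <action> <src> -> <dst>:<port>"
SAMPLE_LOG = """\
2016-01-12T10:00:01 DENY 198.51.100.7 -> 192.0.2.10:21
2016-01-12T10:00:01 DENY 198.51.100.7 -> 192.0.2.10:22
2016-01-12T10:00:02 DENY 198.51.100.7 -> 192.0.2.10:23
2016-01-12T10:00:02 DENY 198.51.100.7 -> 192.0.2.10:25
2016-01-12T10:00:03 ALLOW 198.51.100.7 -> 192.0.2.10:80
2016-01-12T10:00:03 DENY 198.51.100.7 -> 192.0.2.10:110
2016-01-12T10:00:04 DENY 198.51.100.7 -> 192.0.2.10:139
2016-01-12T10:00:04 DENY 198.51.100.7 -> 192.0.2.10:443
2016-01-12T10:00:05 DENY 198.51.100.7 -> 192.0.2.10:445
2016-01-12T10:00:05 DENY 198.51.100.7 -> 192.0.2.10:3389
2016-01-12T10:00:09 ALLOW 203.0.113.5 -> 192.0.2.10:443
2016-01-12T10:00:20 ALLOW 203.0.113.5 -> 192.0.2.10:443
"""

def parse_line(line):
    """Return (timestamp, src, dst, port) for one constructed log line."""
    ts, _action, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_scanners(log_text, min_ports=8, window=timedelta(seconds=10)):
    """Return {src: {dst: n}} where n is the largest number of distinct
    ports src probed on dst inside any window-long interval, for pairs
    that reached min_ports. Both ALLOW and DENY count: an open port
    answers just as usefully as a closed one to the scanner."""
    probes = defaultdict(list)            # (src, dst) -> [(ts, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            probes[(src, dst)].append((ts, port))
    hits = defaultdict(dict)
    for (src, dst), seq in probes.items():
        seq.sort()                        # order by time
        for i, (start, _port) in enumerate(seq):
            # distinct ports seen from this probe until the window closes
            ports = {p for t, p in seq[i:] if t - start <= window}
            if len(ports) >= min_ports:
                hits[src][dst] = max(hits[src].get(dst, 0), len(ports))
    return dict(hits)
```

Calling `find_scanners(SAMPLE_LOG)` reports the first source with 10 distinct ports and ignores the second, which only revisits port 443.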

Page 12:

Gaining Access

Gain access using application and OS attacks.
Gain access using network attacks.

Page 13:

Gaining Access through Apps and OS

Stack-Based Overflow Attacks: The stack is the area where function arguments and return addresses are saved.
Password Attacks
Web Application Attacks

Page 14:

Gaining Access: Web Application Attacks

The URL not only contains the web address of a site, but also input: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=web+application+attack
A poorly written webpage allows the viewer to input data in an uncontrolled fashion. If the webpage contains SQL, the user might execute SQL commands.
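The slide's last sentence in code, as an added example that is not part of the COEN 252 slides: a lookup that glues the URL parameter into its SQL next to the parameterised version that fixes it. The SQLite table and its rows are constructed for the demo; `q` stands in for a query-string parameter.

```python
"""Uncontrolled URL input reaching SQL: the vulnerable lookup next to the fix.

Added example, not from the COEN 252 slides. An in-memory SQLite table with
constructed rows stands in for the site's database; `q` plays the role of a
query-string parameter taken straight from the URL.
"""
import sqlite3

def make_db():
    """Constructed sample data: one non-public row that must never be shown."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("router", 1), ("switch", 1), ("internal-plan", 0)])
    return conn

def search_vulnerable(conn, q):
    """Glues the input into the statement, so a quote in `q` ends the string
    literal and whatever follows is parsed as SQL, not as data."""
    sql = "SELECT name FROM products WHERE public = 1 AND name = '" + q + "'"
    return {row[0] for row in conn.execute(sql)}

def search_fixed(conn, q):
    """Parameterised statement: the driver binds `q` as a value, so the
    statement's structure cannot be changed by the input."""
    sql = "SELECT name FROM products WHERE public = 1 AND name = ?"
    return {row[0] for row in conn.execute(sql, (q,))}

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"     # turns the WHERE clause into a tautology
    print(search_vulnerable(db, "router"))   # {'router'}
    print(search_vulnerable(db, crafted))    # every row, the non-public one too
    print(search_fixed(db, crafted))         # set()
```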

Page 15:

Gaining Access through Network Attacks: Sniffing

Sniffer: Gathers traffic from a LAN. Examples: Snort (www.snort.org), Sniffit (reptile.rug.ac.be/~coder/sniffit/sniffit.html)
To gain access to packets, use spoofed ARP (Address Resolution Protocol) to reroute traffic.

Page 16:

Gaining Access through Network Attacks: Sniffing

Sniffing through a hub: The hub broadcasts all traffic.
[Diagram: Hub connected to a Sender and four Listeners]

Page 17:

Gaining Access through Network Attacks: Sniffing

Sniffing through a switch: The switch only forwards to the link with the correct MAC address.
[Diagram: Switch connected to a Sender and four Listeners]

Page 18:

Gaining Access through Network Attacks: Sniffing

Sniffing through a switch:
MAC flooding: Switches store MAC addresses in a cache. Switches accept MAC advertising. The attacker sends a flood of MAC advertisements. The switch’s cache fills up. The switch moves into promiscuous mode.
Spoofed ARP messages

Page 19:

Gaining Access through Network Attacks: Sniffing

Sniffing through a switch, spoofed ARP messages: ARP resolves between IP addresses and MAC addresses.
Step 1: Attacker sets up IP forwarding to the default router on the LAN.
Step 2: Send a faked ARP reply to the victim’s machine to reroute the default router IP to the attacker’s MAC address.
Step 3: Victim sends out a message to the outside world. This is routed to the default router IP, i.e. to the attacker’s machine.
Step 4: Attacker reads the traffic.
Step 5: Because of forwarding, the packet is forwarded to the actual default router.
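Step 2 leaves a visible trace: the router's IP suddenly answers with a different MAC. The checker below, an added example that is not part of the COEN 252 slides, replays a constructed capture (its lines only resemble tcpdump's ARP output) and flags that rebinding; the gateway address and all MACs are assumptions for the demo.

```python
"""Spot the forged ARP reply from step 2 above in a constructed capture.

Added example, not from the COEN 252 slides. The capture lines are made up
(their shape resembles tcpdump's ARP output) and the gateway address and
MACs are assumptions for the demo.
"""
import re

GATEWAY_IP = "192.0.2.1"      # assumed default router of the LAN

# Constructed capture: line 4 is the attacker's reply binding the router's
# IP to a different MAC; line 5 is the real router answering again.
SAMPLE_CAPTURE = """\
10:00:01.000 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:01, length 28
10:00:02.000 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 28
10:00:02.001 ARP, Reply 192.0.2.50 is-at 00:11:22:33:44:50, length 28
10:00:07.000 ARP, Reply 192.0.2.1 is-at DE:AD:BE:EF:00:99, length 28
10:00:08.000 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:01, length 28
"""

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})")

def parse_replies(text):
    """Return (ip, mac) for every ARP reply line; requests are ignored."""
    return [(m.group(1), m.group(2).lower())
            for m in map(REPLY_RE.search, text.splitlines()) if m]

def audit_arp(replies, gateway_ip=GATEWAY_IP):
    """Pin the first MAC learned for each IP and report later replies that
    rebind that IP to another MAC. Returns (index, ip, pinned, seen, level);
    a rebinding of the gateway is the step-2 pattern, so it is rated high.
    Pinning on first sight is trust-on-first-use; a static ARP entry for the
    gateway removes even that window."""
    pinned, alerts = {}, []
    for i, (ip, mac) in enumerate(replies):
        if ip not in pinned:
            pinned[ip] = mac
        elif mac != pinned[ip]:
            level = "high" if ip == gateway_ip else "medium"
            alerts.append((i, ip, pinned[ip], mac, level))
    return alerts

if __name__ == "__main__":
    for alert in audit_arp(parse_replies(SAMPLE_CAPTURE)):
        print(alert)
```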

Page 20:

Gaining Access through Network Attacks: Sniffing

Man in the Middle Attack with DSniff:
Step 1: Send the victim a fake DNS response carrying the attacker’s IP address for the web site to be attacked.
Step 2: Victim connects to the website.
Step 3: DNS resolves to the attacker’s machine; the request is sent there.
Step 4: Attacker’s site receives the request, acts as a proxy, and forwards it to the real website.
Step 5: Real website answers; the attacker’s site forwards the answer to the victim. …

Page 21:

Gaining Access: Session Hijacking

IP Address Spoofing: Send out IP packets with false IP addresses.
If an attacker sits on a link through which traffic between two sites flows, the attacker can inject spoofed packets to “hijack the session”. The attacker inserts commands into the connection.
Details omitted.

Page 22:

Exploiting and Maintaining Access

After a successful intrusion, an attacker should:
Use other tools to gain root or administrator privileges.
Erase traces (e.g. change log entries).
Take measures to maintain access.
Erase security holes so that no-one else can gain illicit access and do something stupid to wake up the sys. ad.

Page 23:

Maintaining Access: Trojans

A program with an additional, evil payload. Running MS Word also reinstalls a backdoor. ps does not display the installed sniffer.

Page 24:

Maintaining Access: Backdoors

Bypass normal security measures. Example: netcat. Install netcat on the victim with the GAPING_SECURITY_HOLE option:

C:\> nc -l -p 12345 -e cmd.exe

In the future: connect to port 12345 and start typing commands.

Page 25:

Maintaining Access: Backdoors

BO2K (Back Orifice 2000) runs in stealth mode (you cannot discover it by looking at the Processes tab in the Task Manager). Otherwise, it is a remote control program like pcAnywhere that allows accessing a computer over the net.

Page 26:

Maintaining Access: Backdoors

RootKit: A backdoor built as a Trojan of system executables such as ipconfig.
Kernel-Level RootKit: Changes the OS, not only system executables.

Page 27:

Covering Tracks

Altering logs. Creating difficult-to-find files and directories.
Covert Channels through Networks: Loki uses ICMP messages as the carrier. Use WWW traffic. Use unused fields in TCP/IP headers.

Page 28:

Hacker Profile: Internal Hacker

Disgruntled employee
Contracted employee: Targets for corporate espionage. Not bound by employee policies and procedures.
Indirectly contracted employee: Performs shared or subcontracted services

Page 29:

Hacker Profile: External Hacker

Recreational Hacker: 85-90% male. Between 12 and 25. Highly intelligent low-achiever. Typically from dysfunctional families.
Professional Hacker: Hackers for hire. Electronic warfare, corporate espionage. “Security Consultants”

Page 30:

Hacker Profile: Virus Writers [1]

Teenagers, college students, professionals. Drop out of the scene as adults or have social problems. Intelligent, educated, male.
[1] Study by Sarah Gordon, IBM, in Beiser, Vince, “Inside the Virus Writer’s Mind”

Page 31:

Hacker Profile: Script Kiddy

Uses scripts or programs written by others to exploit known vulnerabilities. Goal is bragging rights, defacing web sites. Sweeps IP addresses for vulnerabilities. Typically not explicitly malicious, but can cause damage inadvertently.

Page 32:

Hacker Profile: Dedicated Hacker

Does research. Knows the ins and outs of the OS, system, auditing and security tools. Writes or modifies programs and shell scripts. Reads security bulletins (CERT, NIST). Searches the underground.

Page 33:

Hacker Profile: Skilled Hacker

Thorough understanding of the system at the level of a Sys Ad or above. Can read OS source code. Understands network protocols.
Superhacker: Does not brag or post. Can enter or bring down any system.
http://www.securityfocus.com/news/203

Page 34:

Hacker Motives: Intellectually Motivated

Educational experimentation: A 28-year-old computer expert diverted 2585 US West computers to search for a new prime number. Used 10.63 years of computer time. Lengthened telephone number lookup to 5 minutes. Almost shut down the Phoenix Service Delivery Center.
“Harmless Fun”: Web defacing
Wake-up Call: Free-lance security consultant (still illegal)

Page 35:

Hacker Motives: Personally Motivated

Disgruntled employee.
Cyber-stalking: E.g. to show off superiority to someone they feel (or actually are) inferior to. Danger of escalation to physical attack. A 50-year-old security guard used the internet to solicit the rape of a 28-year-old woman who rejected him. Impersonated her in chat rooms and online bulletins, posting rape fantasies in her name. At least six men knocked at her door at night offering to rape her. Six years in prison.

Page 36:

Hacker Motives: Socially Motivated

Cyber-activism
Politically motivated: Hacking KKK or NAACP websites
Cyber-Terrorism: Threatens serious disruption of the infrastructure (Power, Water, Transportation, Communication). 1988: Israeli virus and logic bomb in Israeli government computers.
Cyber-warfare

Page 37:

Hacker Motives: Financially Motivated

Personal profit: Two Cisco Systems consultants issued almost $8 M in Cisco stock to themselves. Accessed a system used to manage stock option disbursals to find control numbers for forged authorization forms.
Damage to the organization: British internet provider Cloud Nine went out of business after a crippling series of DoS attacks.
Ego Motivated

Page 38:

Hacker Damage

Releasing Information
Releasing Software: By circumventing copy protection. Through IP theft.
Consuming Unused(?) Resources
Discover and Document Vulnerabilities
Compromise Systems and Increase their Vulnerabilities
Website Vandalism
