The current state of the Internet - PowerPoint PPT Presentation

Presentation Transcript

The current state of the Internet

An unprotected computer on the Internet WILL BE EXPLOITED within 24 hours!

Richard Treece, ISS, 15 April 2002


Hacker Techniques

  • Find and attack the “weakest link”

  • Reconnaissance

  • Gain access to first machine

  • Use acquired access to gain further access


Disclaimer

  • Hacking is illegal!

  • Some actual organizations and computers are used in the examples,

    • but only to provide realism

  • Do not hack the examples!


The Stages of a Network Intrusion

  • 1. Scan:

    • IP addresses in use,

    • operating system in use,

    • “open” TCP or UDP ports

  • 2. Exploit:

    • Denial of Service (DoS)

    • scripts against open ports

  • 3. Gain Root Privilege:

    • Buffer Overflows

    • Get Root/Administrator Password

  • 4. Install Back Door

  • 5. Use IRC (Internet Relay Chat)


    Reconnaissance

    • Public information

      • www

      • news postings

    • Network Scanning

      • Operating System Detection

    • War-dialing


    Public Info: www.internic.net

    Domain Name: GATECH.EDU

    Registrant:

    Georgia Institute of Technology, 258 4TH St, Atlanta, GA 30332

    Contacts:

    Administrative Contact: Herbert Baines III

    GA Institute of Tech (GATECH-DOM), 258 4TH St., Atlanta, GA 30332

    (404) 894-0226, [email protected]

    Technical Contact: OIT, Georgia Tech 258 Fourth Street Atlanta, GA 30332

    (404) 894-0226, [email protected]

    Name Servers:

    TROLL-GW.GATECH.EDU 130.207.244.251

    GATECH.EDU 130.207.244.244

    NS1.USG.EDU 198.72.72.10


    Public Information: news postings

    Author: rajeshb <[email protected]>

    Date: 1998/12/07

    Forum: comp.unix.solaris

    author posting history

    Hi,

    Could someone tell me how to configure anonymous ftp for

    multiple IP addresses. Basically we are running virtual web

    servers on one server. We need to configure anonymous ftp

    for each virtual web account. I appreciate it if someone can

    help me as soon as possible. I know how to configure an

    anonymous ftp for single IP.

    Thanks,

    Rajesh.


    Network Scanning

    • Identifies:

      • accessible machines

      • servers (ports) on those machines


    Network Scanning (cont’d)

    • nmap -t -v hack.me.com

      21 tcp ftp

      23 tcp telnet

      37 tcp time

      53 tcp domain

      70 tcp gopher

      79 tcp finger

      80 tcp http

      109 tcp pop-2

      110 tcp pop-3

      111 tcp sunrpc

      113 tcp auth

      143 tcp imap

      513 tcp login

      514 tcp shell

      635 tcp unknown


    Operating System Detection

    • Stack fingerprinting:

      • OS vendors often interpret specific RFC guidance differently when implementing their versions of the TCP/IP stack.

      • Probing for these differences gives an educated guess about the OS

        • e.g., FIN probe, “don’t fragment it”

      • nmap -O


    War-dialing

    • Find the organization’s modems,

      • by calling all of its phone numbers

    • www.fbi.gov: (202) 324-3000

    • Reverse Business Phone: 202-324-3

      All Listings

      Government Offices-US

      US Field Ofc 202-324-3000

      1900 Half St Sw

      Washington, DC



    Denial of Service (DOS)

    (Source: Chapter 14, “Network Intrusion Detection: An Analyst’s Handbook”, Second Edition, Northcutt and Novak)

    • 1) SMURF – ICMP echos

    • 2) ECHO-CHARGEN – UDP port 7 is echo; UDP port 19 is character generator.

      • Spoof a source address and the two victims pound each other

    • 3) TEARDROP – Send fragments with offset too small

      source.40909 > target.3826: udp 28 (frag 242:36@0+)

      source.40909 > target.3826: (frag 242:4@24)

      • fragment ID = 242 with 36 bytes of data starting at offset 0

      • fragment ID = 242 with 4 bytes of data starting at offset 24

      • but this means reassembly must back up from the 36 bytes already received to offset 24, where this fragment goes

      • Negative numbers may look like large positive numbers and get written into another program’s section of memory

      • If the intrusion detection system (IDS) does not support a packet-reassembly check, the attack will get past the IDS


    Denial of Service (DOS)

    4) PING OF DEATH – On a Windows NT box, type

    ping -l 65510 <victim IP address>

    This creates a packet that, when reassembled, is larger than the maximum size of 65,535 bytes that is allowed, and causes a system crash.

    - Max IP packet size allowed = 65535

    - ICMP echo has a “pseudo header” consisting of 8 bytes of ICMP header info

    - Next in the ICMP packet is the ping data that is sent

    - Maximum amount of data that can be sent is 65535 – 20 IP – 8 ICMP = 65507

    - We sent 65510, which is too large

    5) LAND ATTACK – Source IP address/port equals destination IP address/port
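Added example, not from the slides: a C fragment-reassembly sanity check of the kind an IDS needs to catch the teardrop fragments on the previous slide and the oversized ping on this one. The struct layout, the 20-byte IP header (no options) and the 1480-byte split of the constructed ping are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
/* One IP fragment as tcpdump prints it, "(frag ID : LEN @ OFF+)"; offsets are
 * bytes, tcpdump having already multiplied the 8-byte units out. */
struct frag {
    uint16_t id;      /* IP identification field */
    uint32_t len;     /* payload bytes carried by this fragment */
    uint32_t offset;  /* byte offset within the original IP payload */
};

enum frag_verdict { FRAG_OK = 0, FRAG_OVERLAP = 1, FRAG_OVERSIZE = 2 };
/* 65535-byte IP maximum minus a 20-byte header (assumption: no IP options). */
#define IP_MAX_PAYLOAD (65535u - 20u)
/* Inspect one datagram's fragments (same ID) in any arrival order and report
 * the first anomaly: bytes overlapping data another fragment already covers
 * (teardrop: reassembly must "back up") or a reassembled size over 65,535
 * (ping of death). Exact duplicates also count as overlap here. */
enum frag_verdict check_fragments(const struct frag *f, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t end_i = f[i].offset + f[i].len;
        if (end_i > IP_MAX_PAYLOAD)
            return FRAG_OVERSIZE;
        for (size_t j = 0; j < i; j++) {
            uint32_t end_j = f[j].offset + f[j].len;
            if (f[j].id != f[i].id)
                continue;                     /* belongs to another datagram */
            if (f[i].offset < end_j && f[j].offset < end_i)
                return FRAG_OVERLAP;          /* [offset, end) ranges intersect */
        }
    }
    return FRAG_OK;
}

/* The two fragments on the slide: 36 bytes @ 0, then 4 bytes @ 24. */
enum frag_verdict teardrop_from_slide(void)
{
    struct frag f[] = { {242, 36, 0}, {242, 4, 24} };
    return check_fragments(f, 2);
}

/* Constructed: "ping -l 65510" is 65510 data + 8 ICMP header = 65518 bytes of
 * IP payload, split here into 1480-byte pieces as an Ethernet MTU would. */
enum frag_verdict ping_of_death_constructed(void)
{
    struct frag f[64];
    uint32_t total = 65510u + 8u, off = 0;
    size_t n = 0;
    while (off < total && n < 64) {
        uint32_t len = (total - off < 1480u) ? total - off : 1480u;
        f[n].id = 4711; f[n].len = len; f[n].offset = off;
        n++; off += len;
    }
    return check_fragments(f, n);
}
```

A real reassembler would also track the more-fragments flag and a timeout per datagram; this check only answers the two questions the slides raise.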



    Denial of Service (DOS)

    • 6) NMAP – Scans looking for open ports. You may download from www.insecure.org

    • Can crash unpatched systems

    • Can use many modes:

      • Vanilla TCP connect scanning

      • TCP SYN (half open scanning)

      • TCP FIN, xmas, or null (stealth) scanning

      • TCP ftp proxy (bounce attack) scanning (uses ftp port 20 to connect even though it was not established by a connection to port 21, as is the normal procedure)

      • SYN FIN Scanning using IP fragments

      • UDP raw ICMP port unreachable scanning

      • ICMP scanning (ping-sweep)

      • TCP Ping Scanning

      • Remote OS identification by TCP/IP Finger Printing


    Distributed Denial of Service (DDOS)

    • Client machine – used to coordinate attack

    • Master or Handler – controls subservient computers

    • Agents or Daemons – actually do the attack

    • 1) TRINOO – Sends UDP floods to random destination port numbers on victim

    • 2) TFN – Sends UDP flood, TCP SYN flood, ICMP echo flood, or a SMURF attack

      • Master communicates to daemon using ICMP echo reply; changes the IP identification number and payload of the ICMP echo reply to identify the type of attack to launch.

    • 3) TFN2k – First DDOS for Windows. Communication between master and agents can be encrypted over TCP, UDP, or ICMP with no identifying ports

    • 4) STACHELDRAHT – Combination of Trinoo and TFN

    • If you are a DDOS victim, at present there is very little you can do about it!!!



    “The Holy Grail”

    • Hackers seek Superuser/Root Privilege (SUID) on the machine they are exploiting

    • With SUID privilege, they ‘own’ the machine

    • They can use the resources available for their own purposes (e.g., crack passwords) or destroy data on the machine


    Gaining SUID privilege

    1. Easiest way

      • trying default manufacturer password settings

    2. Next easiest – Social Engineering

      • Impersonate Tech Support

      • Hide trojan software inside free games, screensavers, etc. (e.g., Anna Kournikova)

    3. More difficult – Buffer Overflow Attack

      • Must be a skilled programmer


    Gain access to first machine

    • Configuration errors

    • System-software errors


    Configuration errors: NFS

    $ showmount -e hack.me.com

    export list for hack.me.com:

    /home (everyone)


    Config errors: anonymous ftp (#1)

    $ ftp hack.me.com

    Connected to hack.me.com.

    220 xyz FTP server (SunOS) ready.

    Name (hack.me.com:jjyuill): anonymous

    331 Guest login ok, send ident as password.

    Password:

    230 Guest login ok, access restrictions apply.

    ftp> get /etc/passwd

    /etc/passwd: Permission denied

    ftp> cd ../etc

    250 CWD command successful.

    ftp> ls

    200 PORT command successful.

    150 ASCII data connection for /bin/ls (152.1.75.170,32871) (0 bytes).

    226 ASCII Transfer complete.


    Config errors: anonymous ftp (#2)

    ftp> get passwd

    200 PORT command successful.

    150 ASCII data connection for passwd (152.1.75.170,32872) (23608 bytes).

    226 ASCII Transfer complete.

    local: passwd remote: passwd

    23962 bytes received in 0.14 seconds (1.7e+02 Kbytes/s)

    ftp> quit

    221 Goodbye.


    Config errors: anonymous ftp (#3)

    $ less passwd

    sam:0Ke0ioGWcUIFg:100:10:NetAdm:/home/sam:/bin/csh

    bob:m4ydEoLScDlqg:101:10:bob:/home/bob:/bin/csh

    chris:iOD0dwTBKkeJw:102:10:chris:/home/chris:/bin/csh

    sue:A981GnNzq.AfE:103:10:sue:/home/sue:/bin/csh

    $ Crack passwd

    Guessed sam [sam]

    Guessed sue [hawaii]


    System-software errors: imapd (#1)

    • imapd buffer-overflow

      $ telnet hack.me.com 143

      Trying hack.me.com...

      Connected to hack.me.com

      Escape character is '^]'.

      * OK hack.me.com IMAP4rev1 v10.205 server ready

      AUTH=KERBEROS


    System-software errors: imapd (#2)

    • sizeof(mechanism)==2048

    • sizeof(tmp)==256

      char *mail_auth (char *mechanism, authresponse_t resp, int argc, char *argv[])
      {
        char tmp[MAILTMPLEN];
        AUTHENTICATOR *auth;
        /* make upper case copy of mechanism name */
        ucase (strcpy (tmp,mechanism));
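Added example, not the IMAP server's own code: a bounded replacement in C for the strcpy() above, using the 2048-byte mechanism and 256-byte tmp sizes from the slide. MAILTMPLEN's value and the ucase() stand-in are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAILTMPLEN 256   /* the sizeof(tmp)==256 given on the slide */

/* In-place upper-casing, standing in for the server's ucase() (assumed). */
static char *ucase(char *s)
{
    for (char *p = s; *p; p++)
        *p = (char) toupper((unsigned char) *p);
    return s;
}

/* Hardened replacement for "ucase (strcpy (tmp, mechanism))": the name is
 * copied only if it fits in tmplen bytes including the terminator, so a
 * 2048-byte mechanism string can no longer run past the 256-byte tmp.
 * Returns 1 and fills tmp on success, 0 (tmp untouched) when it is too long;
 * the caller should then answer the client with an authentication failure. */
int copy_mechanism_upper(char *tmp, size_t tmplen, const char *mechanism)
{
    size_t n = 0;
    while (n < tmplen && mechanism[n] != '\0')   /* bounded scan: never reads */
        n++;                                     /* beyond tmplen bytes */
    if (n == tmplen)
        return 0;                                /* no room left for the '\0' */
    memcpy(tmp, mechanism, n);
    tmp[n] = '\0';
    ucase(tmp);
    return 1;
}

/* Constructed: a 2048-byte mechanism argument (the size on the slide) filled
 * with 'A' is refused, and the 256-byte tmp keeps its previous contents. */
int oversized_mechanism_refused(void)
{
    char big[2048];
    char tmp[MAILTMPLEN] = "untouched";
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return copy_mechanism_upper(tmp, sizeof tmp, big) == 0
        && strcmp(tmp, "untouched") == 0;
}

/* A legitimate name, as after "AUTHENTICATE kerberos", is accepted and upper-cased. */
int kerberos_mechanism_accepted(void)
{
    char tmp[MAILTMPLEN];
    return copy_mechanism_upper(tmp, sizeof tmp, "kerberos") == 1
        && strcmp(tmp, "KERBEROS") == 0;
}
```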


    Get further access (#1)

    • If user access, try to gain root

      • usually via a bug in a command which runs as root

      • e.g. lprm for RedHat 4.2 (4/20/98)

    • Run crack on /etc/passwd

      • users often have the same password on multiple machines


    Get further access (#2)

    • Exploit misconfigured file permissions in user’s home directory

      • e.g. echo ‘+ +’ >> .rhosts

      • Format of entries: [+|-] [host] [+|-] [user]

    • If root, install rootkits

      • Trojans, backdoors, sniffers, log cleaners

    • Packet Sniffing

      • ftp and telnet passwords

      • e-mail

      • Lotus Notes

    • Log cleaners

      • Start with syslog.conf, edit log files, Wzap wtmp file

      • Edit shell history file (or disable shell history)
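Added example, not from the slides: a C evaluator for the .rhosts entry format quoted above, showing why the appended ‘+ +’ line matters and usable as an audit check over users' home directories. The sample file contents and hostnames are constructed; netgroups and hosts.equiv are not handled.

```c
#include <stdio.h>
#include <string.h>

/* Match one .rhosts field against a value, following the slide's
 * [+|-] [host] [+|-] [user] layout: a bare "+" matches anything and a "-"
 * prefix is an explicit deny. Returns 1 = allow, -1 = deny, 0 = no match. */
static int field_match(const char *field, const char *value)
{
    if (strcmp(field, "+") == 0) return 1;
    if (field[0] == '-') return strcmp(field + 1, value) == 0 ? -1 : 0;
    return strcmp(field, value) == 0 ? 1 : 0;
}

/* Would `user` on `host` get passwordless rlogin/rsh into the account
 * (`local_user`) that owns this .rhosts? Lines are "host [user]"; a missing
 * user field means "same username as the local account". The first matching
 * line wins and an explicit deny ends the search. Netgroups (@name) and the
 * system-wide hosts.equiv are outside this example. */
int rhosts_trusts(const char *contents, const char *host,
                  const char *user, const char *local_user)
{
    const char *p = contents;
    while (*p) {
        char line[512], hf[128], uf[128];
        size_t len = strcspn(p, "\n");
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (p[len] == '\n');          /* step over the newline, if any */
        int n = sscanf(line, "%127s %127s", hf, uf);
        if (n < 1 || hf[0] == '#') continue;  /* blank or comment line */
        int h = field_match(hf, host);
        int u = (n == 2) ? field_match(uf, user) : (strcmp(user, local_user) == 0);
        if (h == -1 || u == -1) return 0;     /* explicit deny */
        if (h == 1 && u == 1) return 1;
    }
    return 0;
}

/* Constructed sample: sam's .rhosts before and after the slide's
 * "echo '+ +' >> .rhosts". The appended line trusts every user on every
 * host, which is what an audit of home directories should flag. */
int appended_plus_plus_opens_account(void)
{
    const char *before = "trusted.example.com sam\n";
    const char *after  = "trusted.example.com sam\n+ +\n";
    return rhosts_trusts(before, "other.example.net", "mallory", "sam") == 0
        && rhosts_trusts(after,  "other.example.net", "mallory", "sam") == 1;
}
```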



    Back Doors

    • Allows hackers to come back at their leisure.

    • Can exist at application level

      • Back Orifice

    • Can exist at system level

      • Replace dll’s in NT system

      • Replace functions in Linux/Unix, e.g. login, ps, etc.

    • Can exist at root level

      • Most difficult to detect

      • Some root kits increase the security of a system and are used by network administrators on their own systems!


    Packet Sniffing


    Sniffing: Captured Passwords

    Source IP.port - Destination IP.port: captured field

    333.22.112.11.3903-333.22.111.15.23: login [root]

    333.22.112.11.3903-333.22.111.15.23: password [sysadm#1]

    333.22.112.11.3710-333.22.111.16.23: login [root]

    333.22.112.11.3710-333.22.111.16.23: password [sysadm#1]

    333.22.112.91.1075-333.22.112.94.23: login [lester]

    333.22.112.91.1075-333.22.112.94.23: password [l2rz721]

    333.22.112.64.1700-444.333.228.48.23: login [rcsproul]

    333.22.112.64.1700-444.333.228.48.23: password [truck]



    Internet Relay Chat

    • Some hackers, when they exploit a system, announce it to the hacker community.

    • This is normally done by ‘script kiddies’ as bragging rights.

    • A sophisticated hacker on the other hand, will most likely cover his/her tracks so that you will never know that they got into your systems.


    Hacker Resources

    Web sites with hacker tools:

    Kevin Kotas’ favorite sites:

    http://technotronic.com/

    http://security.pine.nl/

    http://astalavista.box.sk/

    http://Freshmeat.net/

    http://www.rootshell.com

    http://oliver.efri.hr/~crv/security/bugs/list.html

    http://www.phrack.com/

    http://www.securityfocus.com/ (click on “forums”, then “bugtraq”)

    http://main.succeed.net/~kill9/hack/tools/trojans/

    IRC: #hacker*


    Hacker Techniques

    • Find and attack the “weakest link”

    • Reconnaissance

    • Gain access to first machine

    • Use acquired access to gain further access


    How to protect your computer

    • Make sure your software is current and up to date (i.e. all current patches are installed)

    • Run Firewall software

      • http://www.zonealarm.com

  • Run a Hardware firewall

  • Run Intrusion Detection Software

    • SNORT http://www.snort.org

  • Run Tripwire (change tracking software)

    • http://www.tripwire.com


    Honeynets


    Honeypots

    • A security resource whose value lies in being probed, attacked or compromised.

    • Has no production value, anything going to or from a honeypot is likely a probe, attack or compromise.


    Advantages / Disadvantages

    • Advantages

      • Reduce false negatives and false positives

      • Collect little data, but data of high value

      • Minimal resources

      • Conceptually simple

    • Disadvantages

      • Single point of failure

      • Risk


    What is a Honeynet

    • High-interaction honeypot

    • Used primarily to learn about the bad guys.

    • Network of production systems.

    • Once compromised, the data collected is used to learn the tools, tactics, and motives of the blackhat community.


    How it works

    • A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.

    • Any traffic entering or leaving the Honeynet is suspect by nature.

    http://project.honeynet.org/papers/honeynet/


    Risk

    • Honeynets are highly complex, requiring extensive resources and manpower to properly maintain.

    • Honeynets are a high-risk technology. As a high-interaction honeypot, they can be used to attack or harm other, non-Honeynet systems.


    Legal Issues

    • Privacy

    • Entrapment

    • Liability


    Privacy

    No single statute concerning privacy

    • Electronic Communications Privacy Act (18 USC 2701-11)

    • Federal Wiretap Statute (Title III, 18 USC 2510-22)

    • The Pen/Trap Statute (18 USC § 3121-27)


    Entrapment

    • Used only by defendant to avoid conviction.

    • Cannot be held criminally liable for ‘entrapment’.

    • Applies only to law enforcement

    • Even then, most legal authorities consider Honeynets non-entrapment.


    Upstream liability

    • Any organization may be liable if a Honeynet system is used to attack or damage other non-Honeynet systems.

      • Decided at state level, not federal

      • Civil issue, not criminal

    • This is why the Honeynet Project focuses so much attention on Data Control.

