The current state of the Internet

An unprotected computer on the Internet WILL BE EXPLOITED within 24 hours!

Richard Treece, ISS, 15 April 2002

Hacker Techniques
  • Find and attack the “weakest link”
  • Reconnaissance
  • Gain access to first machine
  • Use acquired access to gain further access
Disclaimer
  • Hacking is illegal!
  • Some actual organizations and computers are used in the examples, but only to provide realism
  • Do not hack the examples!
The Stages of a Network Intrusion
  1. Scan:
    • IP addresses in use
    • operating system in use
    • “open” TCP or UDP ports
  2. Exploit:
    • Denial of Service (DoS)
    • scripts against open ports
  3. Gain Root Privilege:
    • Buffer Overflows
    • Get Root/Administrator Password
  4. Install Back Door
  5. Use IRC (Internet Relay Chat)

Reconnaissance
  • Public information
    • www
    • news postings
  • Network Scanning
    • Operating System Detection
  • War-dialing
Public Info: www.internic.net

  Domain Name: GATECH.EDU
  Registrant:
    Georgia Institute of Technology, 258 4TH St, Atlanta, GA 30332
  Contacts:
    Administrative Contact: Herbert Baines III
      GA Institute of Tech (GATECH-DOM), 258 4TH St., Atlanta, GA 30332
      (404) 894-0226, [email protected]
    Technical Contact: OIT, Georgia Tech, 258 Fourth Street, Atlanta, GA 30332
      (404) 894-0226, [email protected]
  Name Servers:
    TROLL-GW.GATECH.EDU 130.207.244.251
    GATECH.EDU 130.207.244.244
    NS1.USG.EDU 198.72.72.10

Public Information: news postings

  Author: rajeshb
  Date: 1998/12/07
  Forum: comp.unix.solaris

  Hi,
  Could someone tell me how to configure anonymous ftp for multiple IP addresses. Basically we are running virtual web servers on one server. We need to configure anonymous ftp for each virtual web account. I appreciate it if someone can help me as soon as possible. I know how to configure an anonymous ftp for single IP.
  Thanks,
  Rajesh.

Network Scanning
  • Identifies:
    • accessible machines
    • servers (ports) on those machines
Network Scanning (cont’d)
  • nmap -t -v hack.me.com

    21   tcp  ftp
    23   tcp  telnet
    37   tcp  time
    53   tcp  domain
    70   tcp  gopher
    79   tcp  finger
    80   tcp  http
    109  tcp  pop-2
    110  tcp  pop-3
    111  tcp  sunrpc
    113  tcp  auth
    143  tcp  imap
    513  tcp  login
    514  tcp  shell
    635  tcp  unknown

Operating System Detection
  • Stack fingerprinting:
    • OS vendors often interpret specific RFC guidance differently when implementing their versions of the TCP/IP stack.
    • Probing for these differences gives an educated guess about the OS
      • e.g., FIN probe, “Don’t Fragment” bit
    • nmap -O
War-dialing
  • Find the organization’s modems,
    • by calling all of its phone numbers
  • www.fbi.gov: (202) 324-3000
  • Reverse Business Phone: 202-324-3

    All Listings
    Government Offices-US
    US Field Ofc 202-324-3000
    1900 Half St Sw
    Washington, DC


Denial of Service (DOS)

(Source: Chapter 14, “Network Intrusion Detection: An Analyst’s Handbook”, Second Edition, Northcutt and Novak)

  • 1) SMURF – ICMP echos
  • 2) ECHO-CHARGEN – UDP port 7 is echo; UDP port 19 is character generator.
    • Spoof a source address and the two victims pound each other
  • 3) TEARDROP – Send fragments with offset too small
    • source.40909 > target.3826: udp 28 (frag 242:36@0+)
    • source.40909 > target.3826: (frag 242:4@24)
    • fragment ID = 242 with 36 bytes of data starting at offset 0
    • fragment ID = 242 with 4 bytes of data starting at offset 24
    • but this means the stack must back up from the 36 bytes already received to offset 24, where this fragment goes, so the computed fragment length is negative
    • Negative numbers may look like large positive numbers, so the copy is put into other programs’ sections of memory
    • If the intrusion detection system (IDS) does not support a packet reassembly check, this will get past the IDS
Denial of Service (DOS)
  • 4) PING OF DEATH – On a Windows NT box type
      ping -l 65510
    • This creates a packet that, when reassembled, is larger than the maximum size of 65,535 that is allowed. Causes a system crash.
    • Max IP packet size allowed = 65535
    • ICMP echo has a “pseudo header” consisting of 8 bytes of ICMP header info
    • Next in the ICMP packet is the ping data that is sent
    • Maximum amount of data that can be sent is 65535 – 20 IP – 8 ICMP = 65507
    • We sent 65510, which is too large
  • 5) LAND ATTACK – Source IP address/port equals destination IP address/port
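As an added example (not from the slides), this is the fragment-reassembly sanity check that an IDS or host stack needs in order to catch the Teardrop overlap and the Ping of Death oversize described above. The fragment values are constructed to mirror the slide’s tcpdump lines; the type and function names are my own.

```c
#include <stdio.h>
#include <stdint.h>

#define IP_MAX_LEN   65535u   /* largest datagram the 16-bit IP length field allows */
#define IP_HDR_LEN   20u      /* IP header without options */
#define ICMP_HDR_LEN 8u       /* ICMP echo header (the slide's "pseudo header") */

typedef struct {
    uint16_t id;      /* IP identification field shared by all fragments */
    uint32_t offset;  /* byte offset of this fragment's data in the datagram */
    uint32_t len;     /* bytes of data carried by this fragment */
    int      more;    /* MF flag: more fragments follow */
} fragment_t;

enum { FRAG_OK = 0, FRAG_OVERLAP = 1, FRAG_OVERSIZE = 2 };

/* Check the fragments of one datagram in arrival order and report the first
 * problem. expected_next is where the next fragment's data should start.
 * A fragment that starts before it overlaps data already copied: the Teardrop
 * case, where a naive copy length of end - expected_next (28 - 36 here) goes
 * negative and, treated as an unsigned size, becomes enormous. */
int check_fragments(const fragment_t *frags, int n)
{
    uint32_t expected_next = 0;
    for (int i = 0; i < n; i++) {
        uint32_t end = frags[i].offset + frags[i].len;
        if (frags[i].offset < expected_next)
            return FRAG_OVERLAP;
        if (end > IP_MAX_LEN)
            return FRAG_OVERSIZE;   /* Ping of Death: reassembled size > 65535 */
        expected_next = end;
    }
    return FRAG_OK;
}

/* Largest ping payload that still fits: 65535 - 20 IP - 8 ICMP = 65507. */
uint32_t max_ping_payload(void)
{
    return IP_MAX_LEN - IP_HDR_LEN - ICMP_HDR_LEN;
}

int main(void)
{
    /* Constructed Teardrop pair as on the slide: 36 bytes at 0, then 4 bytes at 24. */
    fragment_t teardrop[] = { {242, 0, 36, 1}, {242, 24, 4, 0} };
    printf("teardrop check -> %d (1 = overlap)\n", check_fragments(teardrop, 2));
    printf("max ping payload -> %u\n", max_ping_payload());
    return 0;
}
```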

Denial of Service (DOS)
  • 6) NMAP – Scans looking for open ports. You may download it from www.insecure.org
    • Can crash unpatched systems
    • Can use many modes:
      • Vanilla TCP connect scanning
      • TCP SYN (half-open) scanning
      • TCP FIN, Xmas, or null (stealth) scanning
      • TCP ftp proxy (bounce attack) scanning (uses ftp port 20 to connect, even though the connection was not established through port 21 as is the normal procedure)
      • SYN/FIN scanning using IP fragments
      • UDP raw ICMP port unreachable scanning
      • ICMP scanning (ping sweep)
      • TCP ping scanning
      • Remote OS identification by TCP/IP fingerprinting
Distributed Denial of Service (DDOS)
  • Client machine – used to coordinate the attack
  • Master or Handler – controls subservient computers
  • Agents or Daemons – actually do the attack
  • 1) TRINOO – Sends UDP floods to random destination port numbers on the victim
  • 2) TFN – Sends a UDP flood, TCP SYN flood, ICMP echo flood, or a SMURF attack
    • Master communicates with the daemon using ICMP echo reply; it changes the IP identification number and payload of the ICMP echo reply to identify the type of attack to launch.
  • 3) TFN2k – First DDOS for Windows. Communication between master and agents can be encrypted over TCP, UDP, or ICMP with no identifying ports
  • 4) STACHELDRAHT – Combination of Trinoo and TFN
  • If you are a DDOS victim, at present there is very little you can do about it!!!

“The Holy Grail”
  • Hackers seek Superuser/Root privilege (SUID) on the machine they are exploiting
  • With SUID privilege, they ‘own’ the machine
  • They can use the resources available for their own purposes (e.g., crack passwords) or destroy data on the machine
Gaining SUID privilege
  1. Easiest way
    • trying default manufacturer password settings
  2. Next easiest – Social Engineering
    • Impersonate Tech Support
    • Hide trojan software inside free games, screensavers, etc. (e.g., Anna Kournikova)
  3. More difficult – Buffer Overflow Attack
    • Must be a skilled programmer
Gain access to first machine
  • Configuration errors
  • System-software errors
Configuration errors: NFS

  $ showmount -e hack.me.com
  export list for hack.me.com:
  /home (everyone)

Config errors: anonymous ftp (#1)

  $ ftp hack.me.com
  Connected to hack.me.com.
  220 xyz FTP server (SunOS) ready.
  Name (hack.me.com:jjyuill): anonymous
  331 Guest login ok, send ident as password.
  Password:
  230 Guest login ok, access restrictions apply.
  ftp> get /etc/passwd
  /etc/passwd: Permission denied
  ftp> cd ../etc
  250 CWD command successful.
  ftp> ls
  200 PORT command successful.
  150 ASCII data connection for /bin/ls (152.1.75.170,32871) (0 bytes).
  226 ASCII Transfer complete.

Config errors: anonymous ftp (#2)

  ftp> get passwd
  200 PORT command successful.
  150 ASCII data connection for passwd (152.1.75.170,32872) (23608 bytes).
  226 ASCII Transfer complete.
  local: passwd remote: passwd
  23962 bytes received in 0.14 seconds (1.7e+02 Kbytes/s)
  ftp> quit
  221 Goodbye.

Config errors: anonymous ftp (#3)

  $ less passwd
  sam:0Ke0ioGWcUIFg:100:10:NetAdm:/home/sam:/bin/csh
  bob:m4ydEoLScDlqg:101:10:bob:/home/bob:/bin/csh
  chris:iOD0dwTBKkeJw:102:10:chris:/home/chris:/bin/csh
  sue:A981GnNzq.AfE:103:10:sue:/home/sue:/bin/csh

  $ Crack passwd
  Guessed sam [sam]
  Guessed sue [hawaii]

System-software errors: imapd (#1)
  • imapd buffer-overflow

  $ telnet hack.me.com 143
  Trying hack.me.com...
  Connected to hack.me.com
  Escape character is '^]'.
  * OK hack.me.com IMAP4rev1 v10.205 server ready
  AUTH=KERBEROS

System-software errors: imapd (#2)
  • sizeof(mechanism)==2048
  • sizeof(tmp)==256

  char *mail_auth (char *mechanism,
                   authresponse_t resp, int argc, char *argv[])
  {
    char tmp[MAILTMPLEN];
    AUTHENTICATOR *auth;
    /* make upper case copy of mechanism name */
    ucase (strcpy (tmp,mechanism));   /* unbounded copy: a 2048-byte mechanism overruns the 256-byte tmp */
    /* (remainder of the function is not shown on the slide) */
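An added example, not UW imapd’s own code: the shape of the unbounded copy from the slide beside a bounded version that rejects over-long mechanism names instead of overrunning tmp. MAILTMPLEN is assumed to be 256 and the mechanism buffer 2048 bytes, as the slide states; ucase() is a stand-in for the real helper and try_mechanism_of_length() is my own test hook.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

#define MAILTMPLEN 256            /* sizeof(tmp) on the slide */
#define MECHANISM_MAX 2048        /* sizeof(mechanism) on the slide */

/* Upper-case a string in place; stand-in for imapd's ucase() helper. */
char *ucase(char *s)
{
    for (char *p = s; *p; p++)
        *p = (char)toupper((unsigned char)*p);
    return s;
}

/* The shape of the code on the slide: strcpy() trusts the client-supplied
 * name, so a name of 256 bytes or more writes past tmp. Comparison only. */
size_t copy_mechanism_unsafe(const char *mechanism)
{
    char tmp[MAILTMPLEN];
    ucase(strcpy(tmp, mechanism));
    return strlen(tmp);
}

/* Count up to max bytes without scanning further (a portable strnlen). */
size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: measure with a bound and reject anything that does not fit
 * with its terminator, rather than silently truncating a security-relevant
 * name. Returns 1 and fills out[], or 0 on rejection. */
int copy_mechanism_safe(const char *mechanism, char out[MAILTMPLEN])
{
    size_t n = bounded_len(mechanism, MAILTMPLEN);
    if (n >= MAILTMPLEN)
        return 0;
    memcpy(out, mechanism, n + 1);
    ucase(out);
    return 1;
}

/* Build a mechanism name of len bytes, as a client could, and report whether
 * the bounded copy accepts it (-1 if len exceeds the client buffer itself). */
int try_mechanism_of_length(size_t len)
{
    char name[MECHANISM_MAX];
    char tmp[MAILTMPLEN];
    if (len >= sizeof name)
        return -1;
    memset(name, 'k', len);
    name[len] = '\0';
    return copy_mechanism_safe(name, tmp);
}
```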

Get further access (#1)
  • If user access, try to gain root
    • usually via a bug in a command which runs as root
    • e.g. lprm for RedHat 4.2 (4/20/98)
  • Run crack on /etc/passwd
    • users often have the same password on multiple machines
Get further access (#2)
  • Exploit misconfigured file permissions in user’s home directory
    • e.g. echo ‘+ +’ >> .rhosts
    • Format of entries: [+|-] [host] [+|-] [user]
  • If root, install rootkits
    • Trojans, backdoors, sniffers, log cleaners
  • Packet Sniffing
    • ftp and telnet passwords
    • e-mail
    • Lotus Notes
  • Log cleaners
    • Start with syslog.conf, edit log files, Wzap wtmp file
    • Edit shell history file (or disable shell history)
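An added example (not from the slides) for auditing the .rhosts entries described above: it classifies each line by the entry format the slide gives, [+|-] [host] [+|-] [user], so a host check can flag the “+ +” wildcard that grants passwordless rlogin to anyone from anywhere. The enum and function names are my own and the sample file contents are constructed.

```c
#include <stdio.h>
#include <string.h>

enum rhosts_risk {
    RHOSTS_EMPTY = 0,   /* blank or comment line */
    RHOSTS_SPECIFIC,    /* named host, optional named user */
    RHOSTS_DENY,        /* leading '-' on host or user: a negative entry */
    RHOSTS_ANY_USER,    /* host +  : every account on that host */
    RHOSTS_ANY_HOST,    /* + user  : that user from any host */
    RHOSTS_ANY_ALL      /* + +     : anyone from anywhere, no password */
};

/* Classify one line. Fields are split on whitespace; a missing user field
 * means "same user name", which is not a wildcard. */
enum rhosts_risk classify_rhosts_line(const char *line)
{
    char buf[256];
    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    char *host = strtok(buf, " \t\r\n");
    if (!host || host[0] == '#')
        return RHOSTS_EMPTY;
    char *user = strtok(NULL, " \t\r\n");
    if (host[0] == '-' || (user && user[0] == '-'))
        return RHOSTS_DENY;
    int any_host = strcmp(host, "+") == 0;
    int any_user = user && strcmp(user, "+") == 0;
    if (any_host && any_user) return RHOSTS_ANY_ALL;
    if (any_host) return RHOSTS_ANY_HOST;
    if (any_user) return RHOSTS_ANY_USER;
    return RHOSTS_SPECIFIC;
}

/* Scan a whole .rhosts file held in memory and return the worst risk found,
 * so an audit can alert on ANY_ALL even when it is buried among sane entries. */
enum rhosts_risk worst_rhosts_risk(const char *text)
{
    enum rhosts_risk worst = RHOSTS_EMPTY;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        enum rhosts_risk r = classify_rhosts_line(line);
        if (r > worst) worst = r;
        p = nl ? nl + 1 : p + strlen(p);
    }
    return worst;
}
```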

Back Doors
  • Allow hackers to come back at their leisure.
  • Can exist at application level
    • Back Orifice
  • Can exist at system level
    • Replace dll’s in NT system
    • Replace functions in Linux/Unix, e.g. login, ps, etc.
  • Can exist at root level
    • Most difficult to detect
  • Some root kits increase the security of a system and are used by network administrators on their own systems!

Sniffing: Captured Passwords

  Source IP.port - Destination IP.port
  333.22.112.11.3903-333.22.111.15.23: login [root]
  333.22.112.11.3903-333.22.111.15.23: password [sysadm#1]
  333.22.112.11.3710-333.22.111.16.23: login [root]
  333.22.112.11.3710-333.22.111.16.23: password [sysadm#1]
  333.22.112.91.1075-333.22.112.94.23: login [lester]
  333.22.112.91.1075-333.22.112.94.23: password [l2rz721]
  333.22.112.64.1700-444.333.228.48.23: login [rcsproul]
  333.22.112.64.1700-444.333.228.48.23: password [truck]


Internet Relay Chat
  • Some hackers, when they exploit a system, announce it to the hacker community.
  • This is normally done by ‘script kiddies’ for bragging rights.
  • A sophisticated hacker, on the other hand, will most likely cover his/her tracks so that you will never know that they got into your systems.
Hacker Resources
  • Web sites with hacker tools (Kevin Kotas’ favorite sites):
    • http://technotronic.com/
    • http://security.pine.nl/
    • http://astalavista.box.sk/
    • http://Freshmeat.net/
    • http://www.rootshell.com
    • http://oliver.efri.hr/~crv/security/bugs/list.html
    • http://www.phrack.com/
    • http://www.securityfocus.com/ (click on “forums”, then “bugtraq”)
    • http://main.succeed.net/~kill9/hack/tools/trojans/
  • IRC
    • #hacker*
Hacker Techniques
  • Find and attack the “weakest link”
  • Reconnaissance
  • Gain access to first machine
  • Use acquired access to gain further access
How to protect your computer
  • Make sure your software is current and up to date (i.e. all current patches are installed)
  • Run firewall software
    • http://www.zonealarm.com
  • Run a hardware firewall
  • Run intrusion detection software
    • SNORT http://www.snort.org
  • Run Tripwire (change tracking software)
    • http://www.tripwire.com
Honeypots
  • A security resource whose value lies in being probed, attacked or compromised.
  • Has no production value, so anything going to or from a honeypot is likely a probe, attack or compromise.
Advantages / Disadvantages
  • Advantages
    • Reduce false negatives and false positives
    • Collect little data, but data of high value
    • Minimal resources
    • Conceptually simple
  • Disadvantages
    • Single point of failure
    • Risk
What is a Honeynet
  • High-interaction honeypot
  • Used primarily to learn about the bad guys.
  • Network of production systems.
  • Once compromised, the data collected is used to learn the tools, tactics, and motives of the blackhat community.
How it works
  • A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
  • Any traffic entering or leaving the Honeynet is suspect by nature.
  • http://project.honeynet.org/papers/honeynet/

Risk
  • Honeynets are highly complex, requiring extensive resources and manpower to properly maintain.
  • Honeynets are a high-risk technology. As a high-interaction honeypot, they can be used to attack or harm other non-Honeynet systems.
Legal Issues
  • Privacy
  • Entrapment
  • Liability
Privacy
  • No single statute concerning privacy
    • Electronic Communication Privacy Act (18 USC 2701-11)
    • Federal Wiretap Statute (Title III, 18 USC 2510-22)
    • The Pen/Trap Statute (18 USC § 3121-27)
Entrapment
  • Used only by a defendant to avoid conviction.
  • Cannot be held criminally liable for ‘entrapment’.
  • Applies only to law enforcement
  • Even then, most legal authorities consider Honeynets non-entrapment.
Upstream liability
  • Any organization may be liable if a Honeynet system is used to attack or damage other non-Honeynet systems.
    • Decided at state level, not federal
    • Civil issue, not criminal
  • This is why the Honeynet Project focuses so much attention on Data Control.