coen 252 n.
Skip this Video
Loading SlideShow in 5 Seconds..
COEN 252 PowerPoint Presentation
Download Presentation
COEN 252

Loading in 2 Seconds...

play fullscreen
1 / 36

COEN 252 - PowerPoint PPT Presentation

  • Uploaded on

COEN 252. Security Threats. Network Based Exploits. Phases of an Attack Reconnaissance Scanning Gaining Access Expanding Access Covering Tracks. Reconnaissance. Social Engineering “I cannot access my email. What do I do?” Dumpster Diving (especially useful when people move)

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'COEN 252' - johnda

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
coen 252

COEN 252

Security Threats

network based exploits
Network Based Exploits

Phases of an Attack

  • Reconnaissance
  • Scanning
  • Gaining Access
  • Expanding Access
  • Covering Tracks
  • Social Engineering
    • “I cannot access my email. What do I do?”
    • Dumpster Diving (especially useful when people move)
  • Search the Web
    • Sam Spade (, CyberKit, NetScanTools, ...
    • Search Engine
    • Usenet postings
    • Whois


  • To research .com , .net, and .org domain names:InterNIC whois feature: allwhois, network soultions, ...
  • ARIN: American Registry for Interent Numbers (
  • RIPE (Europe)
  • APNIC (Asia Pacific)
reconnaissance scanning
Reconnaissance: Scanning

Once we have a target, we need to get to know it better.


  • War Dialing (to find out modem access)
  • Network Mapping
  • Vulnerability Scanning
  • War Driving
scanning war dialing
Scanning: War Dialing

Purpose: Find a modem connection.

  • Many users in a company install remote PC software such as PCAnywhere without setting the software up correctly.
  • War Dialer finds these numbers by going through a range of phone numbers listening for a modem.
  • Demon Dialer tries a brute force password attack on a found connection.
  • Typically: war dialing will find an unsecured connection.
scanning network mapping
Scanning: Network Mapping


  • ping is implemented using the Internet Control Message Protocol (ICMP) Echo Request.
  • A receiving station answers back to the sender.
  • Used by system administrators to check status of machines and connections.
scanning network mapping1
Scanning: Network Mapping


  • Pings a system with ICMP echo requests with varying life spans (= # of hops allowed).
  • A system that receives a package with expired numbers of hops sends an error message back to sender.
  • Traceroute uses this to find the route to a given system.
  • Useful for System Administration
scanning network mapping2
Scanning: Network Mapping


Network Scanner

(UNIX based)

(Uses traceroute and other tools to map a network.)

Cheops et Co. are the reason that firewalls intercept pings.

reconnaissance port scans
Reconnaissance: Port Scans
  • Applications on a system use ports to listen for network traffic or send it out.
  • 216 ports available, some for known services such as http (80), ftp, ...
  • Port scans send various type of IP packages to target on different ports.
  • Reaction tells them whether the port is open (an application listens).
reconnaissance nmap
Reconnaissance: Nmap
  • Uses different types of packets to check for open ports.
  • Can tell from the reaction what OS is running, including patch levels.
  • Can run in stealth mode, in which it is not detected by many firewalls.
reconnaissance webserver information leakage
Reconnaissance: Webserver Information Leakage
  • Most webservers leak information:
    • HTTP answers
      • Identify webserver
    • URLs
      • Have forms peculiar to certain webservers:
        • Extensions:
          • ASP pages: Probably IIS
          • “”
          • “htm”: Probably windows
        • Format of query string
    • Cookies
reconnaissance webserver information leakage1
Reconnaissance: Webserver Information Leakage
  • Most webservers leak information:
    • Error Messages
      • Identify webserver technology by name and version number.
      • Sometimes send debug information to browser.
      • Can be provoked by changing query strings or asking for non-existing resources.
        • Sometimes, possible to get a message from the database engine.
reconnaissance prevention
Reconnaissance Prevention
  • Firewalls can make it very difficult to scan from the outside.
    • Drop scan packets.
  • Patched OS do not have idiosyncratic behavior that allows OS determination.
  • IDS can detect internal scans and warn against them.
gaining access
Gaining Access
  • Gain access using application and OS attacks.
  • Gain access using network attack.
gaining access through apps and os
Gaining Access through Apps and OS
  • Buffer Overflow Attacks
    • Stack
    • Heap
  • Dynamic Memory Attacks
  • Format Vulnerabilities
  • Integer Overflow

  • Password Attacks
  • Web Application Attacks
gaining access web application attacks
Gaining Access:Web Application Attacks
  • The URL not only contains the web address of a site, but also input:

  • A poorly written webpage allows the viewer to input data in an uncontrolled fashion. If the webpage contains SQL, the user might execute SQL commands.
gaining access through network attacks sniffing
Gaining Access through Network Attacks: Sniffing
  • Sniffer: Gathers traffic from a LAN.
  • Examples: Snort, Sniffit
  • To gain access to packages, use spoofed ARP (Address Resolution Protocol) to reroute traffic.
gaining access session hijacking
Gaining Access: Session Hijacking
  • IP Address Spoofing: Send out IP packages with false IP addresses.
  • If an attacker sits on a link through which traffic between two sites flows, the attacker can inject spoofed packages to “hijack the session”.
  • Attacker inserts commands into the connection.
  • Details omitted.
exploiting and maintaining address
Exploiting and Maintaining Address

After successful intrusion, an attacker should:

  • Use other tools to gain root or administrator privileges.
  • Erase traces (e.g. change log entries).
  • Take measures to maintain access.
  • Erase security holes so that no-one else can gain illicit access and do something stupid to wake up the sys. ad.
maintaining access trojans
Maintaining Access: Trojans
  • A program with an additional, evil payload.
    • Running MS Word also reinstalls a backdoor.
    • ps does not display the installed sniffer.
maintaining access backdoors
Maintaining Access: Backdoors
  • Bypass normal security measures.

Example: netcat

  • Install netcat on victim with the GAPING_SECURITY_HOLE option.

C:\ nc -1 –p 12345 –e

  • In the future: connect to port 12345 and start typing commands.
maintaining access backdoors1
Maintaining Access: Backdoors
  • BO2K (Back Orifice 2000) runs in stealth mode (you cannot discover it by looking at the processes tab in the TASK MANAGER.
  • Otherwise, it is a remote control program like pcAnyWhere, that allows accessing a computer over the net.
maintaining access backdoors2
Maintaining Access: Backdoors
  • RootKit:

A backdoor built as a Trojan of system executables such as ipconfig.

  • Kernel-Level RootKit:

Changes the OS, not only system executables.

covering tracks
Covering Tracks:
  • Altering logs.
  • Create difficult to find files and directories.
  • Covert Channels through Networks:
    • Loki uses ICMP messages as the carrier.
    • Use WWW traffic.
    • Use unused fields in TCP/IP headers.
hacker profile
Hacker Profile
  • Internal Hacker
    • Disgruntled employee
    • Contracted employee
      • Targets for corporate espionage.
      • Are not bound by employee policies and procedures.
    • Indirectly contracted employee
      • Perform shared or subcontracted services
hacker profile1
Hacker Profile
  • External Hacker
    • Recreational Hacker
      • 85% 90% male.
      • Between 12 and 25.
      • Highly intelligent low-achiever.
      • Typically from dysfunctional families.
    • Professional Hacker
      • Hackers for hire.
      • Electronic warfare, corporate espionage.
      • “Security Consultants”
      • Security Consultants
hacker profile2
Hacker Profile
  • Virus writers1
    • Teenagers, College Students, Professionals
    • Drop out of the scene as adults or have social problems.
    • Intelligent, educated, male.

Study by Sarah Gordon, IBM, in Beiser, Vince, “Inside the Virus Writer’s Mind”

hacker profile3
Hacker Profile
  • Script Kiddy
    • Uses scripts of programs written by others to exploit known vulnerabilities
    • Goal is bragging rights, defacing web sites
    • Sweep IP addresses for vulnerability
    • Typically not explicitly malicious, but can cause damage inadvertently
hacker profile4
Hacker Profile
  • Dedicated Hacker
    • Does research.
    • Knows in and outs of OS, system, auditing and security tools.
    • Writes or modifies programs and shell scripts
    • Reads security bulletins (CERT, NIST)
    • Searches the underground.
hacker profile5
Hacker Profile
  • Skilled Hacker
    • Thorough understanding of system at the level of Sys Ad or above.
    • Can read OS source code.
    • Understands network protocols.
  • Superhacker
    • Does not brag or post.
    • Can enter or bring down any system.

hacker motives
Hacker Motives
  • Intellectually Motivated
    • Educational experimentation
      • 28 year old computer expert diverted 2585 US West computers to search for a new prime number.
      • Used 10.63 years of computer time.
      • Lengthened telephone number lookup to 5 minutes
      • Almost shut down the Phoenix Service Delivery Center
    • “Harmless Fun”
      • Web defacing
    • Wake-up Call
      • Free-lance security consultant (still illegal)
hacker motives1
Hacker Motives
  • Personally motivated
    • Disgruntled employee.
    • Cyber-stalking
      • E.g. to show of superiority to someone they feel / are inferior to.
      • Danger of escalation to physical attack.
        • A 50-year old security guard used the internet to solicit the rape of a 28-year old woman who rejected him.
        • Impersonated her in chat rooms and online bulletins.
        • Impersonated rape fantasies.
        • At least six man knocked at her door at night offering to rape her.
        • Six years in prison.
hacker motives2
Hacker Motives
  • Socially motivated
    • Cyber-activism
    • Politically motivated
      • Hacking KKK or NAACP websites
    • Cyber-Terrorism
      • Threatens serious disruption of the infrastructure
        • Power
        • Water
        • Transportation
        • Communication
      • 1988: Israeli Virus and logic bomb in Israeli government computers
    • Cyber-warfare
hacker motives3
Hacker Motives
  • Financially Motivated
    • Personal profit.
      • Two Cisco Systems consultants issued almost $8 M Cisco stock to themselves.
      • Accessed a system used to manage stock option disbursals to find control numbers for forged authorization forms.
    • Damage to the organization.
      • British internet provider, Cloud Nine, went out of business after crippling series of DOS attacks.
  • Ego Motivated
hacker damage
Hacker Damage
  • Releasing Information
  • Releasing Software
    • By circumventing copying protection.
    • Through IP theft
  • Consuming Unused(?) Resources
  • Discover and Document Vulnerabilities
  • Compromise Systems and Increase their Vulnerabilities
  • Website Vandalism