SYP: Network Security
PowerPoint Slideshow about 'SYP: Network Security' - suelita

Presentation Transcript

Security
  • Why is it important to understand how attacks work ?

  • Golden Age of Hacking

  • How bad is the problem?

  • How did this happen?

Security Breach Example

  • In 2003 a group of hackers were “testing” the security of various banks and noticed that one was extremely vulnerable

  • Within a couple of hours, they transferred over $10 million from the bank to a private account

  • Because of the bank’s poor network security, the attackers’ tracks were difficult to find

  • To avoid prosecution, the hackers contacted the bank president and offered two options:

    • The bank could prosecute, but the attackers would deny everything and notify the media of the bank’s poor security

    • Or sign a proposal stating that the hackers had performed a security assessment at the bank’s request for $5 million; the hackers would then return the other $5 million

  • What choice do you think the bank president chose?

Organizational Problems

  • Why companies don’t report attacks

    • Ignorance

    • Bad publicity

  • Cost and ineffectiveness of Fixing Existing Systems

  • Intangible Nature of Security Benefits

The Attacker’s Process

  • There are many ways an attacker can gain access to or exploit a system

  • Some basic steps that hackers follow:

    • Passive reconnaissance

    • Active reconnaissance (scanning)

    • Exploiting the system

    • Uploading programs

    • Downloading data

    • Keeping access by using backdoors and trojan horses

    • Covering tracks

Passive Reconnaissance

  • To exploit a system, an attacker must first have some general information about the user or company

  • Information gathering

  • Sniffing

Active Reconnaissance

  • At this point, an attacker has enough information to try active probing or scanning against a site.

  • Key information that an attacker will try to discover:

    • Hosts that are accessible

    • Locations of routers and firewalls

    • Operating systems running on key components

    • Ports that are open

    • Services that are running

    • Versions of applications that are running

Exploiting the System

  • 3 areas to exploit on a system:

    • Gaining access

      • Operating system attacks

      • Application-level attacks

      • Scripts and sample program attacks

      • Misconfiguration attacks

    • Elevation of privileges

    • Denial of service

Uploading and Downloading Programs

  • After an attacker has gained access, they usually perform some set of actions on the server.

  • Most often, the attacker will load some programs onto the system.

  • With some attacks, such as corporate espionage, an attacker is after information

Keeping Access

  • In most cases, after an attacker gains access to a system, he will install a back door so that he can return whenever he wants

  • Basic back doors: highly detectable

  • Sophisticated back doors: more difficult to detect

  • Some attacks gain access to the system and create a back door simultaneously

Covering Tracks

  • After an attacker compromises a machine and creates a back door, the last thing he does is make certain that he does not get caught

  • Clean up log files

  • Turn off logging

  • To protect against this – use a program that verifies that key files on the system have not been changed (file integrity checking against a trusted baseline)
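The file-integrity check the last bullet calls for, as an added example (not code from the slides): hash every key file on a known-clean system, keep the baseline somewhere the intruder cannot rewrite it, and re-hash later to see what changed or vanished. The three "key files" in `demo()` are constructed in a temporary directory; on a real host the list would be the system binaries, startup scripts and configuration files.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, Iterable, List

CHUNK = 64 * 1024


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so a large binary is not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Record the trusted hash of every key file (system binaries, configs, startup scripts).
    Take it on a known-clean system and keep it read-only and off-host: an intruder who
    replaces /bin/ls will happily rewrite a baseline left next to it."""
    return {path: hash_file(path) for path in paths}


def verify_baseline(baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash every file in the baseline and report what changed or disappeared.
    A changed system binary with no matching change ticket is the 'uploaded program'
    or back door from the earlier slides; a missing file is often a deleted log."""
    report: Dict[str, List[str]] = {"changed": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif hash_file(path) != expected:
            report["changed"].append(path)
    return report


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as fh:
        return json.load(fh)


def demo() -> Dict[str, List[str]]:
    """Constructed walk-through in a temp directory: three 'key files', one tampered, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {name: os.path.join(tmp, name) for name in ("ls", "sshd_config", "rc.local")}
        for path in files.values():
            with open(path, "w") as fh:
                fh.write(f"original contents of {os.path.basename(path)}\n")
        baseline = build_baseline(files.values())
        with open(files["ls"], "a") as fh:          # attacker trojans a binary
            fh.write("malicious payload\n")
        os.remove(files["rc.local"])                 # attacker deletes a file
        report = verify_baseline(baseline)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

The check only tells you that a file differs from the baseline; it cannot tell you that the kernel or the hashing tool itself has been replaced, which is why the baseline and the checker should run from read-only or off-host media.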

Information Gathering

  • Many companies, when they start building a security infrastructure, concentrate only on protecting their systems from specific exploits

  • It is key for a user or organization to know what information an attacker can acquire about them, and to minimize the potential damage

    • If the attacker can only gain limited information about the network, they will most likely move on to the next victim

Step 1: Gathering Initial Information

  • Find out initial information:

    • Open Source

    • Whois

    • Nslookup

Step 2: Discover Address Range of the Network

  • Find out address range of the network:

    • ARIN (American Registry for Internet Numbers)

    • Traceroute

Step 3: Discovering Active Machines

  • Find active machines:

    • Ping

Step 4: Find Open Ports or Access Points

  • Applications used to find open ports or access points:

    • Portscanners

    • Nmap

    • ScanPort

    • War Dialers

    • THC-Scan

Step 5: Figure Out the Operating System

  • Tools used to determine Operating Systems

    • Queso

    • Nmap

Step 6: Figure Out Which Services are Running on Each Port

  • Tools used to determine which services are running on each port

    • Default port and OS

    • Telnet

    • Vulnerability scanners

Step 7: Map Out the Network

  • Tools used to map out the network

    • Traceroute

    • Visual Ping

    • Cheops
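Steps 4 and 6 of the procedure above in code, as an added example that is not part of the slides: a TCP connect scan (the same handshake-per-port technique as `nmap -sT`, so no raw sockets are needed) followed by the banner grab an attacker otherwise does by hand with `telnet host port`. The two "services" are constructed stand-ins listening on 127.0.0.1 so the script runs offline; the banners they return are made up for the demo.

```python
import socket
import threading
from typing import Dict, Iterable, List, Optional

_RESERVED: List[socket.socket] = []


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a network daemon (not a real server): listens on 127.0.0.1
    on an ephemeral port and greets every client with `banner`, the way SSH, SMTP and FTP
    servers announce themselves. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def reserve_closed_port() -> int:
    """Bind (but do not listen on) a port so it stays closed for the demo; a SYN to it is
    answered with a RST, which the scanner reports as closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    _RESERVED.append(s)
    return s.getsockname()[1]


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, Optional[bytes]]:
    """Step 4: a full three-way handshake per port. Needs no privileges, but every connect
    lands in the target's logs, unlike a SYN scan. Step 6 follows on each open port by reading
    whatever the service says first. Returns {port: banner} for open ports (b'' when the
    service waits for the client to speak) and {port: None} for closed or filtered ones."""
    results: Dict[int, Optional[bytes]] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:                 # refused, timed out (filtered), no route
            results[port] = None
            s.close()
            continue
        try:
            results[port] = s.recv(512)
        except OSError:                 # open but silent: HTTP, for instance
            results[port] = b""
        finally:
            s.close()
    return results


def guess_service(banner: bytes) -> str:
    """Identify the service from its greeting. The default-port-to-service table on the
    slide is weak evidence; an administrator can move any service, the banner cannot lie as easily."""
    text = banner.decode("latin-1", "replace").strip()
    if text.startswith("SSH-"):
        return "ssh"
    if text.startswith("220 ") and "SMTP" in text.upper():
        return "smtp"
    if text.startswith("220 "):
        return "ftp"
    if text.startswith("HTTP/"):
        return "http"
    return "unknown" if text else "silent"


if __name__ == "__main__":
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    smtp_port = start_fake_service(b"220 mail.example.test ESMTP Postfix\r\n")
    closed = reserve_closed_port()
    for port, banner in tcp_connect_scan("127.0.0.1", [ssh_port, smtp_port, closed]).items():
        state = "closed" if banner is None else f"open ({guess_service(banner)})"
        print(f"{port}/tcp {state}")
```

From the defender's side, the same connects are visible: a single source touching many ports of one host within seconds is the signature an IDS or a firewall log review should alert on.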

Types of Spoofing

  • Types of Spoofing Techniques

    • IP Spoofing

    • Email Spoofing

    • Web Spoofing

    • Non-Technical Spoofing

IP Spoofing

  • Basic Address Change

    • Protection Against Address Changes

IP Spoofing Continued

  • Source Routing

    • Allows the sender to specify the path a packet will take through the Internet, so replies to a spoofed source address can be routed back to the attacker

    • Types:

      • Loose Source Routing (LSR)

      • Strict Source Routing (SSR)

  • Protection Against Source Routing

IP Spoofing Continued

  • Trust Relationships

    • Protection Against Trust Relationships
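The two router-side protections the IP spoofing slides name, as an added example that is not from the slides: an ingress filter that drops packets arriving on the Internet-facing interface with a source address from inside the network (a basic address change cannot pass it), and a check of the IPv4 option list for the Loose and Strict Source Route options so source-routed packets are dropped. The headers are constructed with the small builder below (no checksum or payload); the interface name and the internal prefixes are assumptions for the demo.

```python
import ipaddress
import struct
from typing import List

LSRR, SSRR = 0x83, 0x89            # IPv4 option types: Loose / Strict Source and Record Route
OPTION_NAMES = {LSRR: "LSRR", SSRR: "SSRR"}


def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed test header (checksum left zero, no payload); only used to make sample packets."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)      # pad to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0x1234, 0,
                         64, 6, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + options


def source_route_options(pkt: bytes) -> List[str]:
    """Walk the IPv4 option list and return the names of any source-route options present.
    Each option is type, length (including both bytes), data; EOL (0) and NOP (1) are one byte."""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    opts = pkt[20:ihl]
    found: List[str] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed option")
        if kind in OPTION_NAMES:
            found.append(OPTION_NAMES[kind])
        i += opts[i + 1]
    return found


def ingress_spoofed(pkt: bytes, internal_nets: List[str], from_external: bool) -> bool:
    """Ingress filtering: a packet that arrives on the Internet-facing interface must not claim
    an internal or loopback source. The mirror rule (egress filtering) keeps your own hosts
    from sending packets with addresses that are not yours."""
    if not from_external:
        return False
    src = ipaddress.IPv4Address(pkt[12:16])
    return src.is_loopback or any(src in ipaddress.ip_network(net) for net in internal_nets)


def filter_decision(pkt: bytes, internal_nets: List[str], from_external: bool = True) -> str:
    routes = source_route_options(pkt)
    if routes:
        return "drop: source-routed (" + ", ".join(routes) + ")"
    if ingress_spoofed(pkt, internal_nets, from_external):
        return f"drop: spoofed internal source {ipaddress.IPv4Address(pkt[12:16])}"
    return "accept"


if __name__ == "__main__":
    nets = ["10.0.0.0/8"]                                    # assumption: our internal prefix
    spoofed = build_ipv4_header("10.0.0.5", "10.0.0.1")       # outside packet claiming an inside source
    routed = build_ipv4_header("198.51.100.7", "10.0.0.1",
                               bytes([LSRR, 7, 4]) + ipaddress.IPv4Address("203.0.113.9").packed)
    clean = build_ipv4_header("198.51.100.7", "10.0.0.1")
    for name, pkt in (("spoofed", spoofed), ("source-routed", routed), ("clean", clean)):
        print(f"{name:14} -> {filter_decision(pkt, nets)}")
```

Neither check helps against the third slide's problem, trust relationships: a service that trusts a host purely by its IP address (rlogin-style `.rhosts`, address-based ACLs) is betting on exactly the header field an attacker controls, so the fix there is cryptographic authentication, not a better filter.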

Email Spoofing

  • Similar Email Address

    • Protection Against Similar Email Address

Email Spoofing

  • Modifying a Mail Client

    • Protection Against Modifying a Mail Client

Email Spoofing

  • Telnet to Port 25

    • Protection Against Telnetting to Port 25
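A receiving-side check covering the three email spoofing slides, added here as an example rather than taken from the slides. Whether the attacker used a look-alike address, a modified mail client or typed the SMTP dialogue into port 25 by hand, the two fields he controls are the envelope sender (`MAIL FROM`) and the visible `From:` header, and they are independent of each other. The check flags a header domain that differs from the envelope domain and a header domain that merely resembles one of ours. The message, the envelope address and the trusted domain list are constructed for the demo.

```python
from email import message_from_bytes
from email.utils import parseaddr
from typing import List

TRUSTED_DOMAINS = ["example.com"]          # assumption: the organisation's own mail domain

# Characters that pass for each other in common fonts: "examp1e.com" reads as "example.com".
HOMOGLYPHS = {"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"}

# Constructed message and envelope sender; not from any real mail flow.
SAMPLE_MESSAGE = (b"From: \"CEO\" <ceo@examp1e.com>\r\n"
                  b"To: cfo@example.com\r\n"
                  b"Subject: urgent wire transfer\r\n"
                  b"\r\n"
                  b"Please wire the funds today.\r\n")
SAMPLE_ENVELOPE_FROM = "bounce@mailer.evil.test"


def normalize(domain: str) -> str:
    """Collapse look-alike characters so visually identical domains compare equal."""
    d = domain.lower()
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for typo-squats like exampel.com or examplle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyze(envelope_from: str, raw_message: bytes) -> List[str]:
    """Compare what SMTP said (MAIL FROM) with what the user will see (From:), and compare the
    visible domain with the ones we trust. Mailing lists and forwarders legitimately produce the
    first mismatch, so treat it as a signal to weigh, not an automatic reject."""
    msg = message_from_bytes(raw_message)
    header_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(envelope_from)
    findings: List[str] = []
    if header_dom and env_dom and header_dom != env_dom:
        findings.append(f"envelope sender domain {env_dom} does not match From: domain {header_dom}")
    for trusted in TRUSTED_DOMAINS:
        if header_dom == trusted:
            continue
        if normalize(header_dom) == normalize(trusted) or edit_distance(header_dom, trusted) <= 2:
            findings.append(f"From: domain {header_dom} looks like trusted domain {trusted}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_ENVELOPE_FROM, SAMPLE_MESSAGE):
        print("-", finding)
```

The heuristic is a stop-gap at the client or gateway; the durable answer to hand-typed port-25 mail is for the domain owner to publish sender policy (SPF), sign outgoing mail (DKIM) and tell receivers to enforce both (DMARC), so a forged `From: ceo@example.com` fails at the receiving MTA.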

Web Spoofing

  • Basic Web Spoofing

    • Protection Against Basic Web Spoofing

Web Spoofing

  • Man-in-the-Middle Attacks

    • Protection Against Man-in-the-Middle Attacks

Web Spoofing

  • URL Rewriting

    • Protection Against URL Rewriting


Web Spoofing

Tracking State:

  • Cookies

    • Protection Against Cookies

Web Spoofing

Tracking State:

  • URL Session Tracking

    • Protection Against URL Session Tracking

Web Spoofing

Tracking State:

  • Hidden Form Elements

    • Protection Against Hidden Form Elements

General Web Spoofing Protection

  • Disable JavaScript, ActiveX, etc.

  • Validate that application is properly tracking users

  • Make certain users can’t customize their browsers to display important information

  • Educate the users

  • Make certain that any form of ID used to track user is long and random
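The last two protection bullets in code, as an added example and not something from the slides: a session ID that is long and random (256 bits from the OS random source), and a tamper-evident encoding for the state the three "Tracking State" slides list (cookies, URL parameters, hidden form fields), so the server notices when a user edits a hidden `price` field or swaps one field's value into another. The server key is generated at start-up here as a stand-in for a real deployment's secret.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Tuple

SERVER_KEY = secrets.token_bytes(32)      # assumption: per-deployment secret, never sent to the browser


def new_session_id() -> str:
    """256 bits from the CSPRNG, URL-safe. Contrast a counter, a timestamp or a hash of the
    username: anyone who sees one such ID can predict or enumerate the others."""
    return secrets.token_urlsafe(32)


def sign_value(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Encode a cookie, URL parameter or hidden field as value|HMAC(name, value).
    Binding the field name stops a signed 'quantity' from being replayed as 'price'."""
    tag = hmac.new(key, f"{name}\x00{value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_value(name: str, signed: str, key: bytes = SERVER_KEY) -> Tuple[bool, str]:
    """Return (ok, value). compare_digest keeps the comparison constant-time so the tag
    cannot be guessed byte by byte from response timing."""
    value, sep, tag = signed.rpartition("|")
    if not sep:
        return False, ""
    expected = hmac.new(key, f"{name}\x00{value}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected), value


def tamper(signed: str, new_value: str) -> str:
    """What the attacker does in the browser or a proxy: change the value, keep the old tag."""
    return new_value + "|" + signed.rpartition("|")[2]


if __name__ == "__main__":
    print("session id:", new_session_id())
    field = sign_value("price", "10.00")
    print("hidden field:", field)
    print("untouched   :", verify_value("price", field))
    print("edited      :", verify_value("price", tamper(field, "1.00")))
    print("renamed     :", verify_value("quantity", field))
```

Signing makes client-held state tamper-evident, not secret; anything the user must not read belongs in the server-side session keyed by the random ID, and the cookie that carries that ID should be marked `Secure` and `HttpOnly` so neither a man-in-the-middle on a plain HTTP page nor injected script can lift it.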

Non-Technical Spoofing

  • Social Engineering

  • Reverse Social Engineering

  • Non-Technical Spoofing Protection

What is a DoS Attack?

  • An attack through which a person can render a system unusable, or significantly degrade it, by overloading the system’s resources

  • DOS attacks can be intentional or accidental

  • Often used by an attacker if they are unable to gain access to a network or machine

Some Types of DoS Attacks

  • Ping of Death

  • SSPing

  • Smurf

  • CPU Hog
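Detection logic for two of the listed attacks, added as an example (not part of the slides) and run over constructed ICMP flow records. Ping of Death: a fragment whose offset plus length would reassemble into a datagram larger than the 65,535-byte IPv4 maximum. Smurf: echo requests aimed at a directed broadcast address (the amplifier side) and one host receiving echo replies from many sources it never pinged (the victim side). The addresses, the local subnet and the thresholds are assumptions for the demo.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

ECHO_REPLY, ECHO_REQUEST = 0, 8
IP_MAX_LEN = 65535


class IcmpRecord(NamedTuple):
    src: str
    dst: str
    icmp_type: int
    frag_offset: int      # 8-byte units, as carried in the IP header
    payload_len: int      # bytes of IP payload in this fragment


def oversized_reassembly(rec: IcmpRecord, ip_header_len: int = 20) -> bool:
    """Ping of Death: the final fragment's offset*8 + its length + header exceeds the maximum
    datagram size, so a naive reassembly buffer sized for 65,535 bytes overflows."""
    return rec.frag_offset * 8 + rec.payload_len + ip_header_len > IP_MAX_LEN


def broadcast_echo_requests(records: Iterable[IcmpRecord], local_nets: List[str]) -> List[IcmpRecord]:
    """Smurf, amplifier side: an echo request to our directed broadcast address makes every
    host on the subnet answer the (spoofed) source. Routers should drop these at the border."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    return [r for r in records
            if r.icmp_type == ECHO_REQUEST
            and any(ipaddress.ip_address(r.dst) == n.broadcast_address for n in nets)]


def reply_floods(records: Iterable[IcmpRecord], min_sources: int = 5) -> Dict[str, int]:
    """Smurf, victim side: one destination collecting echo replies from many distinct sources
    without a matching outbound request. Returns {victim: distinct repliers} above threshold."""
    records = list(records)
    requested = {(r.src, r.dst) for r in records if r.icmp_type == ECHO_REQUEST}
    repliers: Dict[str, set] = defaultdict(set)
    for r in records:
        if r.icmp_type == ECHO_REPLY and (r.dst, r.src) not in requested:
            repliers[r.dst].add(r.src)
    return {victim: len(s) for victim, s in repliers.items() if len(s) >= min_sources}


# Constructed flow records: a smurf against 203.0.113.9 via our 192.168.1.0/24 broadcast,
# one ping-of-death final fragment, and one ordinary ping exchange that must not be flagged.
SAMPLE_RECORDS = (
    [IcmpRecord("203.0.113.9", "192.168.1.255", ECHO_REQUEST, 0, 64)]
    + [IcmpRecord(f"192.168.1.{i}", "203.0.113.9", ECHO_REPLY, 0, 64) for i in range(1, 21)]
    + [IcmpRecord("198.51.100.4", "192.168.1.10", ECHO_REQUEST, 8184, 80),   # 65472 + 80 + 20 > 65535
       IcmpRecord("192.168.1.10", "192.168.1.20", ECHO_REQUEST, 0, 64),
       IcmpRecord("192.168.1.20", "192.168.1.10", ECHO_REPLY, 0, 64)]
)

if __name__ == "__main__":
    print("broadcast pings :", broadcast_echo_requests(SAMPLE_RECORDS, ["192.168.1.0/24"]))
    print("reply floods    :", reply_floods(SAMPLE_RECORDS))
    print("oversized frags :", [r for r in SAMPLE_RECORDS if oversized_reassembly(r)])
```

The amplifier check is the one you can act on: dropping directed-broadcast traffic at the router (and not answering broadcast pings on hosts) keeps your network from being the megaphone, whatever the victim's defences.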

Typical Attack

  • Two of the most common weaknesses on computer systems:

    • Weak Passwords

    • Modems

Current State of Passwords

  • The current state of passwords in most companies and home systems is poor

    • Software often ships with default passwords that are rarely changed

    • Passwords chosen are often trivial to guess, or there is no password at all

    • Password change intervals are too long

History of Passwords

  • Users often choose simple passwords

    • Wife’s name

    • Favorite sport

    • Date of user’s birthday

  • Complex passwords are often written down since they are difficult to remember

    • Ex: W#hg@5d4%d10

Future of Passwords

  • Single Sign On (SSO)

    • One password for a user’s various applications

  • Biometrics

    • Fingerprint scan

    • Hand scan

    • Retinal scan

    • Facial scan

    • Voice scan

Strong Passwords

  • What counts as strong depends on current technology (cracking speed), so the criteria tighten over time

  • Strong Password criteria:

    • Changes every 45 days

    • Minimum length of 10 characters

    • Must contain at least one alpha, one number, and one special character

    • Alpha, number, and special characters must be mixed up and not appended to the end

      • Ex: abdheus#7 = Bad

      • Ex: fg#g3^hs5gw = Good

    • Cannot contain dictionary words

    • Cannot reuse previous five passwords

    • Minimum password age of 10 days

    • After 3 failed logon attempts, the account is locked for several hours
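The composition rules from the list above as a checker, added here as an example (the slides give the criteria, not code). It reproduces the slide's own verdicts on `abdheus#7` and `fg#g3^hs5gw`, and keeps the "previous five" history as salted hashes so no old plaintext is ever stored. The dictionary is a tiny constructed stand-in for the wordlist a real checker (or cracker) loads; the change-interval and lockout rules live in the authentication system rather than in a checker and are not modelled.

```python
import hashlib
import hmac
import os
import re
from typing import List, Tuple

DICTIONARY = {"password", "secret", "welcome", "letmein", "summer", "admin", "dragon"}  # constructed stand-in
MIN_LENGTH = 10
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/\\|~`"


def password_problems(pw: str) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it passes the policy."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    # 'mixed up, not appended': strip the trailing run of digits/specials; if pure letters
    # remain, the non-alpha characters were only tacked on the end (abdheus#7, Summer2024!).
    core = pw.rstrip(SPECIALS + "0123456789")
    if core and core.isalpha() and core != pw:
        problems.append("digits/specials only appended to the end")
    lowered = pw.lower()
    hits = sorted(w for w in DICTIONARY if len(w) >= 4 and w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


class PasswordHistory:
    """Remember the last `keep` passwords as salted PBKDF2 hashes so reuse can be refused
    without keeping the old passwords themselves."""

    def __init__(self, keep: int = 5) -> None:
        self.keep = keep
        self._entries: List[Tuple[bytes, bytes]] = []

    @staticmethod
    def _digest(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

    def reused(self, pw: str) -> bool:
        return any(hmac.compare_digest(self._digest(pw, salt), digest) for salt, digest in self._entries)

    def record(self, pw: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(pw, salt)))
        self._entries = self._entries[-self.keep:]


if __name__ == "__main__":
    for candidate in ("abdheus#7", "fg#g3^hs5gw", "Summer2024!"):
        verdict = password_problems(candidate)
        print(f"{candidate:14} {'Good' if not verdict else 'Bad: ' + '; '.join(verdict)}")
```

Composition rules catch the obvious failures, but the L0phtcrack statistics further down the page are the real test of a policy: a candidate that survives this checker can still fall to a hybrid attack if it is a word with decorations, which is why the dictionary test matters more than the character-class tests.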

Why is Password Cracking Important?

  • To audit the strength of passwords

  • To recover forgotten/unknown passwords

  • To migrate users

  • To provide a checks-and-balances system

Types of Password Attacks

  • Dictionary Attacks

  • Brute Force Attacks

  • Hybrid Attacks

  • Social Engineering Attacks

Securing Microsoft Passwords

Where Are Passwords Stored on Windows?

  • Password hashes for each account are stored in the Security Account Manager (SAM)

  • \Windows-directory\system32\config\SAM

  • \Windows-directory\repair

How Does Windows Hash Passwords?

  • 2 hash algorithms

    • NT hash

      • MD4 of the password encoded as Unicode (UTF-16LE); case-sensitive, no salt

    • LAN Manager (LM) hash

      • Password is uppercased and padded with 0’s (or truncated) to 14 characters

      • Split into two 7-character halves; each half is used as a DES key to encrypt a fixed constant

      • The two 8-byte results are combined into a 16-byte hash value

Why is it Easier to Crack Windows Passwords?

  • LAN Manager hashing scheme

    • Effectively a maximum of 7 characters: each half is cracked independently, and uppercasing removes case from the keyspace

  • No salts

    • Identical passwords produce identical hashes, so one precomputed table works against every account

Microsoft Password-Cracking Programs

  • L0phtcrack

  • NTSweep

  • NTCrack

  • PWDump2

L0phtcrack
  • Computes passwords from variety of sources using a variety of methods

  • 3 modes used to crack passwords:

    • Dictionary

    • Hybrid

    • Brute-Force

L0phtcrack Performance Statistics

  • Cracks 90% of passwords under 5 hours

  • 18% of passwords cracked in under 5 minutes

  • Most domain admin accounts cracked

  • Most companies only require a minimum of 8 characters but have no other restrictions

NTSweep
  • Takes advantage of Microsoft’s method of password changes

  • User is unaware of the password change

  • Can be run through a firewall without having special privileges

  • Can be run by anyone on the Internet

NTSweep’s Limitations

  • Slow to perform

    • Ex: Dictionary Attack

  • Guessing attempts can be logged and displayed through Event Viewer

  • Guessing programs are not always accurate

    • May return failure even though the password was correct

Network Monitoring

  • Some examples of network monitoring tools are:

  • HP OpenView

  • SolarWinds

  • Big Brother

  • Netsaint

  • Nagios

Network Monitoring (continued)
  • A good monitoring infrastructure will help detect attacks as they occur and stop them before there is a problem

  • Monitoring and logging are often used interchangeably, but they differ: logging records events for later review, while monitoring watches current state and alerts in real time

  • Monitoring should have 2 characteristics:

    • Secure

    • Intelligent

  • Problems with running multiple monitoring programs

What to Monitor

  • Focus on network devices that will impact more than one user if they fail

    • Servers

    • Routers and Switches

    • Security Monitoring

  • What services need to be monitored on each device

SNMP

  • SNMP (Simple Network Management Protocol) is the most popular method of monitoring network devices

  • SNMP’s popularity due to:

    • Modularity

    • Scalability

    • Adaptability

  • UDP-based protocol; agents listen on port 161 for requests (managers receive traps on port 162)

  • Uses Protocol Data Units (PDUs) to communicate between manager and agent

SNMP Security

  • SNMP has not proven to be very secure

  • SNMP is a common attack target

  • Community Strings – passwords that determine whether a requester has read-only or read/write access to the network device

  • SNMP Version 1 (and 2c)

    • Only community strings to secure communications

    • Community strings are not encrypted; they are sent in clear text and can be sniffed

  • SNMP Version 3

    • Supports encryption between managers and agents (DES originally; AES was added later)

    • PDUs can be authenticated to ensure the validity of information

    • Agents can be configured to allow only certain users or groups access
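What "sent in clear text" means on the wire, as an added example that is not from the slides: an SNMPv1 GetRequest is BER-encoded, and the version and community string are the first two fields of every message, so a sniffer (or this parser) reads them without any key. The builder constructs the datagram a manager would send to UDP/161 for `sysDescr.0`; the parser and the audit function are what a monitoring sensor could run over captured SNMP traffic. The community string and the default-string list are assumptions for the demo.

```python
from typing import List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}       # assumption: the strings devices ship with
SYSDESCR_OID = bytes.fromhex("2b06010201010100")   # 1.3.6.1.2.1.1.1.0 in BER form
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest", 0xA4: "Trap"}


def _ber(tag: int, body: bytes) -> bytes:
    """Minimal BER TLV encoder (short-form lengths only); enough for a test packet."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _int(value: int) -> bytes:
    return _ber(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def build_snmpv1_get(community: str, oid: bytes, request_id: int = 1) -> bytes:
    """Constructed SNMPv1 GetRequest: SEQUENCE { version 0, community, GetRequest-PDU {
    request-id, error-status, error-index, varbind list } }. Example builder, not a real client."""
    varbind = _ber(0x30, _ber(0x06, oid) + _ber(0x05, b""))
    pdu = _ber(0xA0, _int(request_id) + _int(0) + _int(0) + _ber(0x30, varbind))
    return _ber(0x30, _int(0) + _ber(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV at pos; handles short- and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(datagram: bytes) -> Tuple[int, str, int]:
    """Pull version, community and PDU type out of an SNMPv1/v2c datagram, as a sniffer would."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("expected version INTEGER")
    tag, community, pos = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("expected community OCTET STRING (SNMPv3 carries a different header)")
    pdu_tag, _, _ = _read_tlv(msg, pos)
    return int.from_bytes(version, "big", signed=True), community.decode("latin-1"), pdu_tag


def audit(datagram: bytes) -> List[str]:
    """Findings a sensor would raise on one captured SNMP datagram."""
    version, community, pdu_tag = parse_snmp_header(datagram)
    findings: List[str] = []
    if version in (0, 1):                       # 0 = SNMPv1, 1 = SNMPv2c
        findings.append(f"SNMPv{'1' if version == 0 else '2c'}: community '{community}' visible in clear text")
    if community in DEFAULT_COMMUNITIES:
        findings.append("default community string in use")
    if pdu_tag == 0xA3:
        findings.append("SetRequest: write access over a clear-text credential")
    return findings


if __name__ == "__main__":
    pkt = build_snmpv1_get("public", SYSDESCR_OID)
    print("datagram:", pkt.hex())
    print("parsed  :", parse_snmp_header(pkt), PDU_NAMES.get(parse_snmp_header(pkt)[2]))
    for finding in audit(pkt):
        print("-", finding)
```

Anyone on the path who reads `public` from a GetRequest can replay it with a `SetRequest` against a device whose read/write community is the same string, which is why the v3 bullets above (authenticated, encrypted PDUs and per-user access) matter more than choosing a less guessable community.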

SNMP Types

  • Nagios

  • WhatsUp Gold

  • Netcool

  • Big Brother

  • HP Openview

  • Solarwinds

NAGIOS Defined

  • Nagios® is a host and service monitor designed to inform administrators of network problems before clients, end-users or management realize that they have occurred.

  • It was designed to run under Linux, but works fine under most Unix variants as well.

  • The monitoring daemon runs intermittent checks on the hosts and services you specify using external “plugins”, which return status information to Nagios.

  • When problems are encountered, the daemon can send notifications to administrative contacts in a variety of ways (email, instant message, pager, etc.).

  • Current status information, historical logs and reports are all accessed through a web browser; the web interface is built from CGI (Common Gateway Interface) scripts that process form input and generate the HTML pages on the fly.

Features of Nagios

  • Monitoring of network services (SMTP, POP3, HTTP, NNTP, PING, etc.)

  • Monitoring of host resources (processor load, disk and memory usage, running processes, log files, etc.)

  • Monitoring of environmental factors such as temperature.

  • Simple plug-in design that allows users to easily develop their own host and service checks

  • Ability to define network host hierarchy, allowing detection of and distinction between hosts that are down and those that are unreachable

  • Contact notifications when service or host problems occur and get resolved (via email, pager, or other user-defined method)

  • Support for implementing redundant and distributed monitoring servers

  • Scheduled downtime for suppressing host and service notifications during periods of planned outages

  • Ability to acknowledge problems via the web interface
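The plugin design the Nagios slides describe, as an added example (this is not a plugin shipped with Nagios): a check prints one status line, optionally followed by `| perfdata`, and exits 0, 1, 2 or 3 for OK, WARNING, CRITICAL or UNKNOWN. This one gives the monitoring system the security signal the NTSweep slide mentions, failed logons in the authentication log, by counting failures per source address. The log lines, thresholds and the `sshd` message format it matches are constructed for the demo.

```python
import re
import sys
from collections import Counter
from typing import Iterable, Tuple

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3     # Nagios plugin exit codes

# Constructed sample of an sshd auth log; not a real system's log.
SAMPLE_LOG = """\
Mar  3 10:01:12 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 10:01:14 host1 sshd[2203]: Failed password for root from 203.0.113.5 port 40124 ssh2
Mar  3 10:01:15 host1 sshd[2205]: Accepted publickey for deploy from 10.0.0.7 port 51000 ssh2
Mar  3 10:01:16 host1 sshd[2207]: Failed password for root from 203.0.113.5 port 40126 ssh2
Mar  3 10:01:19 host1 sshd[2209]: Failed password for root from 198.51.100.9 port 3322 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def count_failures(lines: Iterable[str]) -> Counter:
    """Failed logons per source address."""
    per_source: Counter = Counter()
    for line in lines:
        match = FAILED_RE.search(line)
        if match:
            per_source[match.group(2)] += 1
    return per_source


def check_failed_logons(lines: Iterable[str], warn: int = 3, crit: int = 10) -> Tuple[int, str]:
    """Nagios-style check. Thresholds apply to the worst single source, which is what a
    password-guessing run looks like; the total goes out as performance data for graphing.
    Returns (exit_code, status_line)."""
    per_source = count_failures(lines)
    total = sum(per_source.values())
    worst_src, worst = per_source.most_common(1)[0] if per_source else ("none", 0)
    if worst >= crit:
        code, status = CRITICAL, "CRITICAL"
    elif worst >= warn:
        code, status = WARNING, "WARNING"
    else:
        code, status = OK, "OK"
    text = (f"SSH_FAILED_LOGONS {status} - {total} failures, worst source {worst_src} ({worst})"
            f" | failed={total};{warn};{crit} worst={worst}")
    return code, text


def main(argv) -> int:
    """Usage: check_failed_logons.py [/var/log/auth.log]; with no argument the sample log is used."""
    try:
        if len(argv) > 1:
            with open(argv[1]) as fh:
                lines = fh.read().splitlines()
        else:
            lines = SAMPLE_LOG.splitlines()
    except OSError as exc:
        print(f"SSH_FAILED_LOGONS UNKNOWN - cannot read log: {exc}")
        return UNKNOWN
    code, text = check_failed_logons(lines)
    print(text)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into Nagios as a service check with a short interval, a CRITICAL here is the kind of event the "Secure" and "Intelligent" monitoring bullets earlier on the page ask for: the monitor should itself authenticate to the hosts it polls, and it should alert on a pattern (one source, many failures) rather than on every single failed logon.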