1 NETWORKS Lecture 13

2 Review – Last Lecture Computer Crimes Typical Vulnerabilities Typical Attack Protocols

3 Review -Vulnerability Exploit Cycle Advanced Intruders Discover Vulnerability Crude Exploit Tools Distributed Novice Intruders Use Crude Exploit Tools Automated Scanning/Exploit Tools Developed Widespread Use of Automated Scanning/Exploit Tools Intruders Begin Using New Types of Exploits

4 Outline Social Engineering Network Scanning

5 Social Engineering

6 Social Engineering The most common type of attack Basically: lying to someone to gain information on how to penetrate the network or systems Preys upon basic tendency in a company to trust other company personnel and believe what they are told over a phone or No detailed technical skills required - but must be creditable, knowledgeable of the organization and of methods and procedures to gain access | Easiest place to attack: users and support desk

7 Basics Social engineering preys on qualities of human nature: –the desire to be helpful –the tendency to trust people –the fear of getting into trouble The sign of a truly successful social engineer is they receive information without raising any suspicion as to what they are doing.

8 Types of Attacks 1 Impersonation - Case studies indicate that help desks are the most frequent targets of social engineering attacks. –A Social Engineer calls the help desk –Help desk is helpful –Social engineer will often know names of employees Important User - A common ploy is to pretend be not only an employee, but a vice president. –Help desk is less likely to turn down a request coming from a high-level official –Social engineer may threaten to report the employee to their supervisor.

9 Types of Attacks 2 Third-party Authorization - The social engineer may have obtained the name of someone in the organization who has the authority to grant access to information. –Ms. Shooter says its OK. –“Before he she went on vacation, Ms. Shooter said I should call you to get this information. Tech Support - Social engineer pretends to be someone from the infrastructure-support groups. –System is having a problem –Needs them to log on to test the connection

10 Types of Attacks 3 In Person - The social engineer may enter the building and pretend to be an employee, guest or service personnel. –May be dressed in a uniform –Allowed to roam –Become part of the cleaning crew Dumpster diving - Going through the trash Shoulder Surfing - Looking over a shoulder to see what they are typing. –Passwords –Phone-card numbers

11 Computer Based Attacks Popup Windows - A window will appear on the screen telling the user he has lost his network connection and needs to reenter their user name and password. –A program will the the intruder with the information. Mail attachments - Programs can be hidden in attachments. –Viruses Websites - A common ploy is to offer something free or a chance to win a sweepstakes on a Website. –To win requires an address and password. –Used with 401K come-on.

12 Example If I were to call up your office and claim I'm with your network consulting firm and I needed the person who picked up to help me run a test, would they help? –This sort of thing happens all the time: Could you log in and log out of the network please? OK, that looks fine. Could you do it again? Still not there... Maybe if I tried your account from here. Could I have your username and password?"

13 Real World Example (1) A women approached the CSO of her company with a disturbing story –A week earlier she received about the summer Olympics in Greece with a pointer to a web site –She visited the web site and it had some interesting information about the upcoming Olympics –Two days later she received an from an unknown address asking for $50 or they would tell her management that she had been surfing porn sites They even identified a directory on her system that contained child porn She check that directory and found a set of disgusting pictures

14 Real World Example (2) The company security team traced it down and found that the files had been transferred from an IP in Bulgaria It turn out that 15 others in the company had been hit by the same scam and some had paid the money The security team informed the CSO that this kind of thing happened about 10 times a year

15 Defense Recognize the signs Train your point of contact personnel to recognize key signs that they may be the target of a social engineering attack: –Refusal to give contact information –Rushing –Name-dropping –Intimidation –Small mistakes –Requesting forbidden information

16 Other Defenses Common defenses: –Require anyone there for service to show identification –Make a policy that passwords are never spoken over the phone. –Make a policy that passwords are not to be left lying around. –Implement caller ID technology. –Invest in shredders.

17 Network Scanning

18 Footprinting Before a hacker attempts to gain access to a system, time must be spent gathering information about the target. This process is known as footprinting –it is a critical step in subverting the security of a target system –Footprinting is the hacking equivalent to casing a potential robbery location. –Systematic footprinting allows the hacker to create a complete profile of the target system including information about the domain, network blocks, IP addresses exposed on the Internet, and system architecture. –Once the profile is known, a hacker will be able to focus on specific machines and ports to gain access to the system.

19 whois Network enumeration is the next step in gathering information about a target system. –A hacker will identify domain names and the network blocks associated with the target. whois is a simple directory service that can be accessed directly from machines with Internet access. –From the command line enter: whois –h whois.crsnic.net maury. whois server target w/wildcard

20 whois on the web From the web, whois can be activated at: – –

21 Whois query The result of the query on plu:

22 Additional Information The American Registry for Internet Numbers (ARIN) is the source database for network blocks associated with domains. –A query can be performed from or from a command line May not know the registration name

23 Result 1 The search provides 3 results – two of which are useful: Click here for more info

24 Result 2 This query provided some additional information:

25 Next Step Once the network block is known, the next step is to determine which IP addresses are accessible and what services are running on those machines. This is done via a process known as scanning. Scanning is usually performed with tools that attempt to disguise network reconnaissance.

26 Network Scanning What is network scanning? –Network Scanning is Proactively probe the network –Network Sniffing is Passively eavesdrop the network. –Both can help to gain a good picture of the network Why Scan? –Administrators: Scanning can discover vulnerabilities –Hackers: Helps gather network and OS information Why Sniff? –Administrators: Intrusion detection, Traffic logging, Fault Analysis –Hackers: Access sensitive information transmitted over the network Most attacks begin with a scan

27 Attackers Goal Vulnerabilities exist to allow an attacker to do the following remotely on many servers: execute arbitrary commands on the server gain unauthorized access to server files or directories gain shell access at the privilege level of the server process (often root) crash server daemon causing encrypted passwords to be dumped to the core file, from which the passwords may be retrieved and cracked deny service to regular server clients by consuming server resources corrupt information that the server needs (e.g. a nameserver cache) The GOAL is to locate a system with a vulnerability

28 Scanning Types There are four major types of scanning each with a different goal – looking for a different type of information –Ping sweeping (which host is alive?) –Port scanning (what services are available?) –OS detection (What platform sitting there?) –Firewalking (What’s behind the firewall)