COMP3371 Cyber Security Week 8


COMP3371 Cyber Security Week 8 Richard Henson University of Worcester November 2018

Learning Objectives… See the network through the eyes of an attacker… Use of vulnerability/penetration testing to check access to the organisation’s network (and information about it!) from outside Stop exploitation of known software vulnerabilities through specific TCP ports

Defensive and Offensive Approaches to Security Generally, the best way to protect data is to put it in a safe place and build walls around it (defensive approach) Also wise to get someone to attack the organisation and try to breach its defences (offensive approach) then report back on findings…

Summary of Basic Defensive Security… Firewalls… appropriately configured on Internet gateways… and end-point devices Use of effective antivirus software Patching and updating software Enforced Information Security Policy Correct use of PKI for www data Covered in Cyber Essentials!

Offensive Security: 1. Vulnerability Scanning “Passive” Scanning finding out about the network, website, etc. to see how it could be exploited Similar to the more commonly known “penetration testing”… does not attempt to penetrate the network defences considered “ethical” and not illegal!

2. Penetration Testing “Active” scanning: requires the investigator/hacker to penetrate the organisation’s defences, rather than “peer in” from the outside. Would be illegal if permission not granted! Requirement for Cyber Essentials Plus

What & Why of “Footprinting” Definition: “Gathering information about a “target” system” Could be Passive (non-penetrative) or Active (probing…) Purpose: find out as much information about the digital and physical evidence of the target’s existence as possible need to use multiple sources… may (“black hat” hacking) need to be done secretly

Rationale for “passive” Footprinting The hacker may be able to gather what they need from public sources (e.g. the organisation’s website) organisation needs to know what it is telling the world about itself… Methodology: Use search engine start by finding the domain name & URLs of popular pages e.g. www.worc.ac.uk Use tools to map/mirror the main website…

Information Gathered without Penetration Testing Domain Names User/Group names System Names IP addresses Employee Details/Company Directory Network protocols used & VPN start/finish Company documents Intrusion detection system used

Website Connections & History History: use www.archive.org: The Wayback Machine Connections: use robtex.com Business Intelligence: sites that reveal company details e.g. www.companieshouse.co.uk

More Company Information… “Whois” & CheckDNS.com: lookups of IP/DNS combinations details of who owns a domain name details of DNS Zones & subdomains Job hunters websites: e.g. www.reed.co.uk www.jobsite.co.uk www.totaljobs.com

People Information Company information will reveal names Use names in search engines Facebook LinkedIn Google Earth reveals: company location(s)

Physical Network Information (“active” footprinting or phishing) External “probing” should be detectable by a good defence system… (could be embarrassing!) e.g. Traceroute: Uses ICMP protocol “echo” reveals names/IP addresses of intelligent hardware: e.g. Routers, Gateways, DMZs

Email Footprinting Using the email system to find the organisation’s email names structure “passive” monitor emails sent IP source address structure of name “active” email sending programs : test whether email addresses actually exist test restrictions on attachments

Phishing to extract user data (not intelligence gathering) Send email user a message with a link or attachment link is a form which tries to get their personal data attachment contains malware which will infect their system Rather obvious to IT professionals… accounts wouldn’t be used by network infiltrators trying to hide their tracks

Utilizing Google etc. (“passive”) Google: Advanced Search options: Uses [site:] [intitle:] [allintitle:] [inurl:] In each case a search string should follow e.g. “password” Maltego graphical representations of data

Proxy Hacking (or Hijacking) Attacker creates a copy of the targeted web page on a proxy server artificially raises search engine ranking with methods like: keyword stuffing linking to the copied page from external sites… authentic page will rank lower… may even be seen as duplicated content (!) and search engine may then remove it from its index

Reconnaissance/Scanning Three types of scan: Network (already mentioned) identifies active hosts Port send client requests until a suitable active port has been found… Vulnerability assessment of devices for weaknesses that can be exploited

Legality and Vulnerability Scanning Depends on whether you have asked! running tests requires equipment and an expert’s time… would normally charge for such a service, so… normal to contact org.! Hacker wouldn’t want organisation to know so… certainly wouldn’t ask permission! illegal but gambles on not being caught!

Ethical Hacking Principles Hacking is a criminal offence in the UK covered through The Computer Misuse Act (1990) tightened in 2006 Can only be done ”legally” by a trained (or trainee) professional a computing student would be considered in this context under the law

Ethical Hacking principles Even if a practice is currently legal, doesn’t mean it is ethical! Professionals only hack without permission if there is reason to believe a law is being broken if not… they must ask permission otherwise definitely unethical (and illegal… “gaining access without permission”)

“Scanning” Methodology Check for Live Systems Check for open ports “Banner Grabbing” e.g. bad html request Scan for vulnerabilities Draw Network diagram(s) Prepare proxies…

Why use “offensive” security? Recognised that manager(s) of an internal network: can’t objectively mark their own homework! can see out, but can’t see in! Makes good sense for a third party to attempt to hack in with permission (therefore not illegal)… test firewalls, patching, PKI implementation report back to management…

The “Cyber Kill Chain” (1) (Lockheed Martin…) Reconnaissance find the weakness(es) Weaponisation figure out how it can be exploited Delivery send the malicious software into the victim’s network

The “Cyber Kill Chain” (2) (Lockheed Martin…) Exploitation run the software on the victim’s network Installation install the hack into the victim’s network Command and Control control the victim’s network in such a way as to achieve mission objectives Actions on Objectives “wash down” on how well it went…

Reminder of Port Vulnerability Simplified OSI model for TCP/IP… levels 5/6/7 combined as application level 4: transport (TCP/UDP) TCP or UDP packets can attack the network… (Diagram: application-layer protocols HTTP, FTP, HTTPS, NFS, DNS, SNMP sit over the transport layer TCP / UDP, which sits over IP at the network layer)

Blocking TCP ports with a Firewall Very many TCP and UDP ports: 0 - 1023 are tightly bound to application services 1024 – 49151 more loosely bound to services 49152 – 65535 are private, or “dynamic” In practice, any port over 1023 could be assigned dynamically to a service… One of the more useful features of a firewall is that ports can be configured, and therefore data flow can be monitored and controlled

Protecting Against TCP/IP Attacks, Probes and Scans TCP/IP protocol stack has been largely unchanged since the early 1980s: more than enough time for hackers to discover its weaknesses often attack through a particular TCP port

TCP Port 21: FTP (File Transfer Protocol) FTP servers by their very nature open up very big security holes especially if anonymous login allowed: connect to the C: drive using NFS download viruses overwrite/delete files store pirated files and programs Defence: DO NOT accept anonymous logins only allow access via port 21 to that particular server

TCP Port 25: SMTP Easy target! Email programs/data large, complex, accessible… Buffer overrun: attacker enters more characters (perhaps including executable code) into an email field (e.g. To:) error generated hackers get enough information to gain access SPAM attack: SMTP protocol design allows a message to go directly from the originator's email server to the recipient's email server ALSO can be relayed by one or more mail servers in the middle Spammers forward message to thousands of unwilling recipients!

Port 25 SMTP: Defending… Threat: Buffer Overrun Solution: put server on a perimeter network Threat: Spam Attack Solution: DISABLE the relaying facility…

UDP Port 53: DNS (Domain Name Service) Without DNS, domain name to IP address translation would not exist!!! Threat: if a site hosts DNS, attackers will try to: modify DNS entries download a copy of your DNS records (a process called zone transfer)

Port 53 DNS: Solution… Defence: configure firewall to accept connections from the outside to TCP port 53 only from your secondary DNS server the one downstream from you e.g. your ISP two DNS servers: one on perimeter network, the other on the internal network: perimeter DNS will answer queries from the outside internal DNS will respond to all internal lookups

TCP Port 79: Finger A service that enumerates all the services you have available on your network servers: invaluable tool in probing or scanning a network prior to an attack! Defence: block port 79… would-be attackers denied all this information about network services!

TCP Ports 109-110: POP (Post Office Protocol) POP used to download email data to a client… POP3 (port 110) least secure version! Defence: block all access to port 110 except for that server if POP3 not being used, block port 110!!!

TCP Ports 135 and 137 NetBIOS The Microsoft Windows protocol used for file and print sharing last thing you probably want is for users on the Internet to connect to your servers' files and printers! Block NetBIOS. Period!

UDP Port 161 SNMP SNMP is important for remote management of network devices: but also it poses inherent security risks stores configuration and performance parameters in a database that is then accessible via the network… If network is open to the Internet, hackers can gain a large amount of very valuable information about the network… So… if SNMP is used: allow access to port 161 from internal network only otherwise, block it entirely

Denial of Service Attacks An attempt to harm a network by flooding it with traffic so that network devices are overwhelmed and unable to provide services Happen through the ICMP port, which the ping service uses close off ICMP port: thwarts denial of service (DoS) attacks… and distributed denial of service (DDoS) attacks

Mechanism of (D)DoS Attacks Ping “normally” sends a brief request to a remote computer asking it to echo back its IP address “Ping of Death” EITHER the attacker deliberately creates a very large ping packet and then transmits it to the victim IP ICMP can't deal with large packets the receiving computer is unable to accept delivery and crashes or hangs OR sends thousands of ping requests to a victim CPU time is taken up answering ping requests, preventing it responding to other, legitimate requests

DDoS attacks Much more dangerous… attackers gain access to a wide number of PCs or other devices often rely on home computers, since they are less frequently protected can also use previously “installed” worms and viruses use these devices to launch a coordinated attack against a victim IP address

Protecting against “Ping of Death” Simple! block ICMP echo requests and replies If ICMP is needed… ensure there is a rule blocking "outgoing time exceeded" & "unreachable" messages
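The port-by-port defences above (FTP only to the FTP server, TCP/53 only from the secondary DNS, finger and NetBIOS blocked, POP3 only to the mail server, SNMP internal-only, ICMP echo dropped) can be read as one filtering policy. The following is an added worked example, not the lecture's code nor any real firewall's configuration: a small packet classifier that applies those slide rules plus the IANA port ranges from the “Blocking TCP ports” slide. The topology (which host is the FTP/POP3/DNS server, the ISP's secondary DNS address, the internal range) is constructed from RFC 5737 documentation addresses, and the default-deny fall-through is an assumption rather than a rule the slides state.

```python
"""Port-based filtering policy from the week 8 slides, as a packet classifier.

Added worked example; not the lecture's own code or a real firewall config.
Topology below is constructed; default deny at the end is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Constructed topology (RFC 5737 documentation ranges stand in for real ones)
INTERNAL_NET = ip_network("10.10.0.0/16")        # inside the firewall
PERIMETER_NET = ip_network("192.0.2.0/24")       # perimeter ("DMZ") network
FTP_SERVER = ip_address("192.0.2.21")            # the only host that may receive TCP/21
POP3_SERVER = ip_address("192.0.2.110")          # the only host that may receive TCP/110
PERIMETER_DNS = ip_address("192.0.2.53")         # answers DNS queries from the outside
SECONDARY_DNS = ip_address("198.51.100.53")      # ISP secondary; the only TCP/53 peer


def port_class(port: int) -> str:
    """IANA port ranges as given on the slides."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic"
    raise ValueError(f"not a port number: {port}")


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port; unused for ICMP
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply
    length: int = 64      # reassembled IP datagram length in bytes


def verdict(pkt: Packet) -> Tuple[str, str]:
    """Return (ACCEPT|DROP, reason) for a packet that has reached the firewall."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    if pkt.proto == "icmp":
        if pkt.icmp_type in (8, 0):
            return "DROP", "ICMP echo request/reply blocked (ping flood, ping of death)"
        if pkt.length > 65535:
            return "DROP", "oversized ICMP datagram (ping of death)"
        return "ACCEPT", "other ICMP"

    if pkt.proto == "tcp":
        if pkt.dport == 21:
            if dst == FTP_SERVER:
                return "ACCEPT", "FTP to the FTP server only"
            return "DROP", "TCP/21 to a host that is not the FTP server"
        if pkt.dport == 53:
            if src == SECONDARY_DNS and dst == PERIMETER_DNS:
                return "ACCEPT", "zone transfer from our secondary DNS"
            return "DROP", "TCP/53 allowed only from the secondary DNS server"
        if pkt.dport == 79:
            return "DROP", "finger blocked; no service enumeration"
        if pkt.dport in (109, 110):
            if pkt.dport == 110 and dst == POP3_SERVER:
                return "ACCEPT", "POP3 to the mail server only"
            return "DROP", "POP blocked except POP3 to the mail server"
        if pkt.dport in (135, 137):
            return "DROP", "NetBIOS blocked. Period!"

    if pkt.proto == "udp":
        if pkt.dport == 53:
            if dst == PERIMETER_DNS:
                return "ACCEPT", "DNS query to the perimeter DNS"
            return "DROP", "DNS queries go to the perimeter DNS only"
        if pkt.dport == 161:
            if src in INTERNAL_NET:
                return "ACCEPT", "SNMP from the internal network"
            return "DROP", "SNMP reachable from the internal network only"

    return "DROP", "default deny (assumption: anything not explicitly allowed)"


if __name__ == "__main__":
    # Constructed sample traffic, one packet per slide rule
    samples = [
        Packet("tcp", "203.0.113.5", "192.0.2.21", 21),
        Packet("tcp", "203.0.113.5", "192.0.2.30", 21),
        Packet("tcp", "198.51.100.53", "192.0.2.53", 53),
        Packet("udp", "203.0.113.5", "192.0.2.53", 53),
        Packet("tcp", "203.0.113.5", "192.0.2.9", 79),
        Packet("udp", "10.10.4.2", "192.0.2.9", 161),
        Packet("icmp", "203.0.113.5", "192.0.2.9", icmp_type=8),
    ]
    for p in samples:
        v, why = verdict(p)
        print(f"{p.proto:<4} {p.src:>15} -> {p.dst:<12} port {p.dport:<3} {v:<6} {why}")
```

The rules are checked in the order the slides present them, and each reason string names the slide rule that decided the packet, which is what an auditor would want to see in a firewall log. In a real deployment the ICMP length check runs after fragment reassembly, since a “Ping of Death” arrives as fragments that only exceed 65535 bytes once reassembled.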

IP Spoofing Use software to change source IP address of a packet! Attackers can gain access to a PC within a protected network… obtain its IP address use it in packet headers so the Internet firewall lets the malicious packets through

Protection against IP Spoofing Block traffic coming into the network that contains IP addresses from the internal network… Use a Proxy Server so internal IP addresses never exposed Block traffic associated with “private” (NAT) and illegal/unrouteable IP addresses: Illegal/unrouteable: 255.255.255.255, 27.0.0.0, 240.0.0.0, & 0.0.0.0 “Private” (NAT addresses as defined in RFC 1918): 10.0.0.0-10.255.255.255 172.16.0.0-172.31.255.255 192.168.0.0-192.168.255.255 (often used by Wireless Routers)
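The anti-spoofing rule on this slide is a source-address check on the external interface: drop anything that claims to come from inside, from an RFC 1918 private range, or from an unrouteable address. Below is an added worked example of that check, not lecture code. The internal range is constructed; the slide's “27.0.0.0” is taken here to mean the loopback block 127.0.0.0/8 (an assumption), and the outbound (egress) check is the mirror image of the slide's inbound rule, added for completeness rather than stated on the slide.

```python
"""Anti-spoofing source-address check, modelled on the IP Spoofing slide.

Added example, not lecture code. INTERNAL_NET is constructed; the loopback
entry is an assumption (the slide lists "27.0.0.0"); egress check is added.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

INTERNAL_NET = ip_network("10.10.0.0/16")   # constructed: our own internal address range

RFC1918 = [                                  # "private" ranges listed on the slide
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
UNROUTEABLE = [                              # "illegal/unrouteable" addresses from the slide
    ip_network("0.0.0.0/8"),
    ip_network("127.0.0.0/8"),               # assumption: the slide's 27.0.0.0 is loopback
    ip_network("240.0.0.0/4"),               # reserved (former class E)
    ip_network("255.255.255.255/32"),        # limited broadcast
]


def classify_source(src: str) -> str:
    """Label a source address as seen on the external (Internet-facing) interface."""
    addr = ip_address(src)
    # Our own range is inside 10.0.0.0/8, so test it before the generic private ranges
    if addr in INTERNAL_NET:
        return "spoofed-internal"
    if any(addr in net for net in RFC1918):
        return "private"
    if any(addr in net for net in UNROUTEABLE):
        return "unrouteable"
    return "routeable"


def ingress_verdict(src: str) -> Tuple[str, str]:
    """Inbound rule from the slide: only public, routeable sources are accepted."""
    label = classify_source(src)
    if label == "routeable":
        return "ACCEPT", "public source address"
    return "DROP", f"{label} source address on external interface"


def egress_verdict(src: str) -> Tuple[str, str]:
    """Outbound mirror (added): only our own addresses may leave the network."""
    if ip_address(src) in INTERNAL_NET:
        return "ACCEPT", "internal source leaving the network"
    return "DROP", "outbound packet with a foreign source (spoofing from inside)"


def filter_ingress(sources: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a list of inbound source addresses into accepted and (dropped, reason)."""
    accepted, dropped = [], []
    for s in sources:
        v, why = ingress_verdict(s)
        if v == "ACCEPT":
            accepted.append(s)
        else:
            dropped.append((s, why))
    return accepted, dropped


if __name__ == "__main__":
    # Constructed inbound sources: one public, the rest spoofed or unrouteable
    ok, bad = filter_ingress(["203.0.113.9", "10.10.3.4", "192.168.1.20",
                              "127.0.0.1", "255.255.255.255"])
    print("accepted:", ok)
    for s, why in bad:
        print(f"dropped {s:>17}: {why}")
```

The egress check is what stops the organisation's own machines being used as a source of spoofed packets in a DDoS, which is the reverse of the problem the slide describes but uses the same address test.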

Other Typical Types of External Attacks – human/tech Exhaustive “brute force” attacks using all possible combinations of passwords to gain access Inference taking educated guesses on passwords, based on information gleaned TOC/TOU (Time of check/use) 1. use of a “sniffer” to capture log on data 2. (later) using captured data & IP address in an attempt to impersonate the original user/client
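An exhaustive “brute force” attack on passwords leaves a distinctive trace in the authentication log: many failed logins from one source in a short time, often across several usernames. The following is an added example of detecting that pattern, not part of the lecture. The sshd-style log lines are constructed for the demonstration, and the threshold (5 failures) and window (2 minutes) are assumptions a defender would tune to their own environment.

```python
"""Brute-force login detection over sshd-style auth log lines.

Added example, not lecture code. SAMPLE_LOG is constructed; the threshold
and window are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in syslog format (no year); real input would be /var/log/auth.log
SAMPLE_LOG = """\
Nov 12 09:00:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 12 09:00:04 gw sshd[2201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Nov 12 09:00:07 gw sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Nov 12 09:00:09 gw sshd[2205]: Accepted password for alice from 10.10.1.5 port 40022 ssh2
Nov 12 09:00:11 gw sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Nov 12 09:00:15 gw sshd[2209]: Failed password for root from 203.0.113.7 port 51250 ssh2
Nov 12 09:10:30 gw sshd[2300]: Failed password for bob from 198.51.100.4 port 33001 ssh2
Nov 12 09:30:02 gw sshd[2350]: Failed password for bob from 198.51.100.4 port 33002 ssh2
"""

# Matches only failed password attempts; successful logins do not match
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failure(line: str, year: int = 2018):
    """Return (timestamp, source IP, username) for a failed login line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("src"), m.group("user")


def detect_brute_force(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=2)) -> dict:
    """Flag each source with >= threshold failures inside a sliding time window.

    Returns {source_ip: {"failures", "users", "first", "last"}}; the first
    alert per source is kept so repeated hits do not flood the output.
    """
    recent = defaultdict(deque)   # per-source timestamps inside the window
    users = defaultdict(set)      # distinct usernames tried per source
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, src, user = parsed
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"failures": len(q), "users": sorted(users[src]),
                           "first": q[0], "last": ts}
    return alerts


if __name__ == "__main__":
    for src, info in detect_brute_force(SAMPLE_LOG).items():
        print(f"brute force suspected from {src}: {info['failures']} failures "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}, "
              f"usernames tried: {', '.join(info['users'])}")
```

Two slow failures from 198.51.100.4, twenty minutes apart, stay below the threshold, while the burst from 203.0.113.7 is flagged on its fifth attempt. Counting distinct usernames per source is what separates an exhaustive guess (many users, one source) from a user who has simply forgotten a password.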