Internet Hacking Presentation prepared by: Alex Epstein Asif Hussain Genci Seseri Group 2.

Internet Hacking
The presentation talks about:
- Hacking history and general information.
- Various techniques that hackers use to crack networks and websites, and measures vital for survival against such attacks.
- Port scanning using PortQry.exe

Hacking History
1878 – “practical jokers” at Bell Telephone Co.
Early 1960s – MIT geeks created “hacks”, programming shortcuts to speed up tasks
1969 – best hack: 2 Bell Labs employees created UNIX, an open, machine-run set of rules
– using a free whistle as a phone tone
1978 – 1st bulletin board

Hacking History (Cont.)
1984 – the great hacking war begins: Legion Of Doom vs. Masters Of Deception. The war especially escalated in
– Federal Computer Fraud And Abuse Act is passed. Numerous arrests follow
– “denial of service” attacks.

Selected Lingo
Cracker: a malicious system security breaker.
Hacker: a person who enjoys exploring systems and stretching their capabilities; programming enthusiast; good, fast programmer; expert in a specific field.
KISS Principle: “Keep It Simple, Stupid”.
Trojan Horse: a malicious security-breaking program disguised as something benign.
Wetware: humans and our nervous system, compared to software and/or hardware.

Hacker Psych 101
Robin Hood Syndrome – misconstruing the consequences of one’s own behavior as beneficial for society.
Hacker Categories:
1. Old School: hacking = honor. Interested in code, but not with criminal intent; little concern for privacy and property of information. The Internet is an open system.
2. Script Kiddies / Cyber Punks: the common “hackers”. Arrested often, because they brag online. Download code and hack it out of boredom. Avg.: white male years old with high school education.

Hacker Psych 101 (Cont.)
Hacker Categories (cont.):
3. Professional criminals / Crackers: make a living by breaking into systems. May be hired for espionage or linked to criminal groups. Crack because of inferiority; cracking a site gives them power. Take refuge in computers to avoid real-world relations.
4. Coders and Virus Writers: the least studied; see themselves as “elite”. Own test networks (“Zoos”). Vast programming skills, but do not use the code themselves; let others introduce it into the Internet (“The Wild”).

Hacker Attitude
- The world is full of fascinating unsolved problems
- No problem should have to be solved twice
- Boredom and drudgery are evil
- Freedom is good
- Attitude is no substitute for competence

Hacking Skills
- Programming skills
- Running open source UNIX code
- Using the WWW and writing HTML
- Functional English skills

Hackers’ Respect
To be respected by hackers you can:
– Write open source software
– Help test and/or debug open source software
– Publish useful information
– Maintain the working infrastructure
– Serve the hacker culture
– Do off-computer work: learn to write in your native language; read science fiction; study Zen and/or take up martial arts; analyze music; appreciate puns and wordplay

Hackers’ Disrespect
As a hacker, you should not:
– Use a silly, grandiose user ID or screen name
– Get in flame wars on Usenet or anywhere else
– Call yourself a cyberpunk or waste your time on such people
– Write e-mails or other postings full of misspellings or bad grammar

Hackers Hall Of Fame
Richard Stallman: a hacker of the old school, he got a job at MIT's Artificial Intelligence Lab off the street in 1971.
Dennis Ritchie and Ken Thompson: the founders of Bell Labs‘ legendary CS operating group, which created UNIX.
John Draper: figured out the whistle tone “trick”.
Kevin Mitnick: the first hacker to have his face immortalized on an FBI "Most Wanted" poster.
Vladimir Levin: allegedly masterminded the Russian hacker gang that tricked Citibank's computers into spitting out $10 million.
Linus Torvalds: was a CS student at the University of Helsinki when he wrote Linux in 1991.

CRACKER EXPLOITS AND BATTLE PLANS
This part of the presentation talks about:
- Various techniques that hackers use to crack networks and websites.
- Measures vital for survival against such attacks.

IP Spoofing
IP spoofing is when an attacker captures the routing packets to redirect a file or transmission to a different destination. The technique is also effective in disguising an attacker's identity. Protocols that deal with inter-computer communication are most susceptible to spoofing, e.g., ICMP, IGMP and UDP.
Solutions: securing transmission packets, establishing screening policies, point-to-point encryption, and configuring the network to reject packets that claim to originate from a local address.
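The last mitigation above, rejecting packets that claim a local source address, is what an ingress filter does at the network edge. The following is an added example (not code from the presentation): a small filter that classifies packets by the interface they arrived on and their source address. The interface names, the site's address blocks and the sample packets are constructed for the illustration.

```python
"""Ingress/egress anti-spoofing filter (constructed example).

Rule on the Internet-facing interface: a packet whose source address lies
inside our own prefixes, or inside a private/loopback range, cannot have
come from outside and is dropped. Rule on the internal interface: only
our own prefixes may leave, so our hosts cannot spoof someone else."""
import ipaddress
from typing import NamedTuple

# Constructed: address blocks this site owns (documentation ranges).
LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]

# Private, loopback and link-local ranges: never valid as a source from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

EXTERNAL_IFACE = "wan0"   # constructed interface name facing the Internet


class Packet(NamedTuple):
    ingress_iface: str
    src: str
    dst: str
    proto: str


def _in_any(addr, prefixes) -> bool:
    # `addr in network` is False when the IP versions differ, so mixing v4/v6 is safe.
    return any(addr in p for p in prefixes)


def classify(pkt: Packet) -> str:
    """Return 'ACCEPT' or 'DROP: <reason>' for one packet."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return "DROP: unparseable source"
    if pkt.ingress_iface == EXTERNAL_IFACE:
        if _in_any(src, LOCAL_PREFIXES):
            return "DROP: local source address arriving from outside"
        if _in_any(src, BOGON_PREFIXES):
            return "DROP: bogon source address"
    elif not _in_any(src, LOCAL_PREFIXES):
        return "DROP: internal host using non-local source address"
    return "ACCEPT"


def audit(packets) -> dict:
    """Count verdicts over a batch, the way a log review would summarise them."""
    counts: dict = {}
    for pkt in packets:
        verdict = classify(pkt)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample traffic.
SAMPLE = [
    Packet("wan0", "198.51.100.9", "203.0.113.1", "tcp"),    # ordinary inbound
    Packet("wan0", "203.0.113.7", "203.0.113.1", "udp"),     # spoofed as one of ours
    Packet("wan0", "10.1.2.3", "203.0.113.1", "icmp"),       # private source from outside
    Packet("lan0", "203.0.113.20", "198.51.100.9", "tcp"),   # ordinary outbound
    Packet("lan0", "192.168.1.5", "198.51.100.9", "tcp"),    # would spoof someone else
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{pkt.ingress_iface:5s} {pkt.src:>16s} -> {classify(pkt)}")
```

The filter is deliberately direction-aware: dropping only on the outside interface protects this site, while the egress rule on the inside interface stops this site's hosts from being used as the source of spoofed packets against others.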

FTP Attacks
- One of the most common FTP attacks is a buffer overflow caused by a malformed command.
- A successful attack could either drop the attacker into a command shell or cause a denial of service.
- Failure to apply the frequently released system upgrades and patches is the most common cause of FTP vulnerabilities.
- FTP exploits are also useful in password guessing, FTP bounce attacks, and mining information (such as the machine's registry).

Unix Finger Exploits
- The Unix OS finger utility was used as an efficient way to share user information in the early days of the Internet.
- To an attacker, the finger utility can yield valuable information, including user names, logons and contact information.
- It also provides a pretty good indication of users' activities, such as how many times they are logged on.
- The personal information it reveals can provide an attacker with enough of a framework to trick legitimate users into revealing passwords and access codes.

Flooding and Broadcasting
- An attacker can significantly reduce the processing capacity of a network by sending more information requests than it can handle: a classic denial of service.
- Sending a large number of requests to a single port is flooding. When the requests are sent to all network stations, it's called broadcasting.
- Attackers will often use flood attacks to gain access to a system for use against other networks in distributed denial-of-service (DDoS) campaigns.
- DDoS attacks are harder to stop because they come from multiple IP addresses simultaneously. The only solution is to trace the packets back to their source and shut down the transmitting networks.

Fragmented Packet Attacks
- Internet messages transmitted via TCP/IP can be divided into packets in such a way that only the first packet contains the TCP segment header information.
- Some firewalls will allow the processing of subsequent packets that do not contain the same source address information as the first packet, which can cause any type of system to crash.
- Fragmented packets can also create a flood-like situation because they are stored in the kernel. The server will crash if the kernel memory absorbs too many fragmented packets.
- Solution: firewall filters.

E-mail Exploits
- E-mail exploits come in five forms: mail floods, command manipulations, transport-level attacks, malicious code insertion and social engineering.
- Mail-flood attacks occur when so much mail is sent to a target that communication programs destabilize and crash the system.
- Command-manipulation attacks can cause a system to crash by subverting the mail transfer agent with a buffer overflow caused by entering a malformed command.

E-mail Exploits (Contd…)
- Transport-level attacks exploit SMTP. An attacker can cause a temporary error condition in the target system by overloading an SMTP buffer with more data than it can handle.
- Malicious content is often propagated through e-mail systems. Some viruses and worms will be carried into a system appearing as a legitimate attachment.
- Social engineering e-mails are an attacker's attempt to trick a legitimate user into revealing sensitive information or executing a task, e.g., posing as a network administrator to get your password for system upgrades.

Password Attacks
- The most common password attacks are guessing, brute force, cracking and sniffing.
- Password guessing involves entering common passwords either manually or through programmed scripts.
- Brute-force logon attacks follow the same basic logic as password guessing, but are faster and more powerful.
- Password cracking is a method for defeating the protection of encrypted passwords stored in a system's admin files.
- Because an attacker needs a significant level of access to launch this kind of attack, the best defense is restricting and monitoring access privileges.

Selective Program Insertions
- A selective program insertion is when an attacker places a destructive program (a virus, worm or Trojan horse) on a target system.
- Some network administrators are augmenting their malware defenses with alternative technologies such as behavior blockers, which stop suspicious code based on behavior patterns, not signatures.
- A time bomb, sometimes called a logic bomb, is an inserted program that executes its malicious payload at a predetermined time or date.

Port Scanning and Polling
- Through port scanning and polling, an attacker can observe the functions and defenses of various system ports.
- For example, scanning could be used to determine whether default SNMP community strings are open to the public, meaning information can be extracted for use in a remote command attack.

TCP/IP Sequence Stealing & Packet Interception
- TCP/IP sequence stealing is the capturing of sequence numbers, which can be used to make an attacker's packets appear legitimate.
- A successful TCP/IP attack could allow an attacker to intercept transactions between two organizations, providing an opportunity for a man-in-the-middle attack.
- In some versions of the Secure Shell service daemon (SSHD), only the public key is used for authentication. If an attacker learns the public key, he could create and insert forged packets.

Observations and Suggestions
Various firms:
- Install firewalls, but never upgrade them.
- Do massive website improvements without making parallel security improvements.
- The best way to safeguard a website from attack is to approach security as an ongoing challenge rather than a one-time effort.

Port Scanning Using PortQry
- What is port scanning?
- Using PortQry (the Portqry.exe command-line utility)

What Is Port Scanning?
- Network applications use TCP/UDP ports
- Clients connect to applications using ports
- Port scanning is the process of checking whether a port is open

TCP and UDP in TCP/IP protocol architecture

Port Numbers
- The Well Known Ports are those from 0 through
- The Registered Ports are those from 1024 through
- The Dynamic and/or Private Ports are those from through
Source: ftp://ftp.isi.edu/in-notes/rfc1700.txt

Well-known TCP / UDP ports
TCP port number – description
20 – FTP (data channel)
21 – FTP (control channel)
23 – Telnet
80 – HyperText Transfer Protocol (HTTP), used for the World Wide Web
139 – NetBIOS session service
UDP port number – description
53 – Domain Name System (DNS) name queries
69 – Trivial File Transfer Protocol (TFTP)
137 – NetBIOS name service
138 – NetBIOS datagram service
161 – Simple Network Management Protocol (SNMP)

Port Scanning for TCP
- TCP ports use the "three-way handshake"
- A successful handshake means the port is listening
- A TCP Reset packet means the port is not listening
- No response means the port is filtered

Port Scanning for UDP
- UDP ports do not use the "three-way handshake"
- Send a UDP packet to the port and wait for a response
- Most applications will not respond to zero-length packets
- A formatted packet is necessary to get a response
- Most port scanners do not scan UDP ports

What Is Port Scanning Used For?
Use port scanning to:
- Test connectivity
- Test security

Using PortQry
- PortQry is designed as an application-layer port scanner
- It checks whether TCP and UDP ports are open, closed, or filtered
- It determines whether UDP ports are open using packets formatted for well-known services
- PortQry is available for download on the Microsoft Web site at: /NT5/EN-US/portqry.exe

PortQry Supports:
- LDAP
- RPC
- DNS
- SMTP
- POP3
- IMAP4
- FTP
- NetBIOS Name Service

Status of a TCP/IP port
Listening – A process is listening on the port on the computer you chose. Portqry.exe received a response from the port.
Not Listening – No process is listening on the target port on the target system. Portqry.exe received an Internet Control Message Protocol (ICMP) "Destination Unreachable - Port Unreachable" message back from the target UDP port. Or, if the target port is a TCP port, Portqry received a TCP acknowledgement packet with the Reset flag set.
Filtered – The port on the computer you chose is being filtered. Portqry.exe did not receive a response from the port. A process may or may not be listening on the port. By default, TCP ports are queried three times and UDP ports are queried once before a report indicates that the port is filtered.
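The TCP and UDP scanning slides and the status definitions above describe one classification procedure: for TCP, a completed handshake, a Reset, or silence after three tries; for UDP, a reply to a protocol-formatted probe, an ICMP port-unreachable, or silence, which stays ambiguous. The following added example (not PortQry's code, and not from the presentation) implements that procedure in Python, using a minimal DNS query as the formatted UDP probe. It assumes a POSIX host where an ICMP port-unreachable surfaces as ECONNREFUSED on a connected UDP socket; the local TCP listener and the stand-in DNS responder are constructed so it runs offline.

```python
"""Port-status probing with the verdicts the PortQry slides define (added example).
TCP: handshake completes -> LISTENING, RST -> NOT LISTENING, silence x3 -> FILTERED
UDP: reply -> LISTENING, ICMP port unreachable -> NOT LISTENING,
     silence -> LISTENING or FILTERED (zero-length datagrams get no reply, so
     the probe must be a well-formed message for the expected service)."""
import socket
import struct
import threading


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query for an A record: 12-byte header (RD set, one
    question), label-encoded QNAME, QTYPE=A (1), QCLASS=IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def tcp_port_status(host: str, port: int, timeout: float = 2.0, retries: int = 3) -> str:
    """Three attempts before reporting FILTERED, matching PortQry's default."""
    for _ in range(retries):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))          # SYN / SYN-ACK / ACK completed
                return "LISTENING"
            except ConnectionRefusedError:       # SYN answered with RST
                return "NOT LISTENING"
            except socket.timeout:               # neither SYN-ACK nor RST
                continue
    return "FILTERED"


def udp_port_status(host: str, port: int, probe: bytes, timeout: float = 2.0) -> str:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # connected socket: ICMP errors are reported to us
        try:
            s.send(probe)
            return "LISTENING" if s.recv(512) else "LISTENING or FILTERED"
        except ConnectionRefusedError:           # ICMP port unreachable came back
            return "NOT LISTENING"
        except socket.timeout:                   # silence is ambiguous for UDP
            return "LISTENING or FILTERED"


# --- constructed local targets so the run needs no network -------------------
def start_tcp_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def start_fake_dns():
    """Stands in for a DNS server: echoes a well-formed query with the QR bit set."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(512)
            except OSError:
                return                           # socket closed by demo()
            if len(data) >= 12:                  # ignore anything shorter than a header
                hdr = bytearray(data[:12])
                hdr[2] |= 0x80                   # QR = response
                srv.sendto(bytes(hdr) + data[12:], peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port(kind: int) -> int:
    """Bind and release a socket to learn a port nothing is listening on."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    tcp_srv, tcp_port = start_tcp_listener()
    dns_srv, dns_port = start_fake_dns()
    probe = build_dns_query("example.com")       # constructed probe name
    try:
        return {
            "tcp_open": tcp_port_status("127.0.0.1", tcp_port),
            "tcp_closed": tcp_port_status("127.0.0.1", unused_port(socket.SOCK_STREAM)),
            "udp_dns": udp_port_status("127.0.0.1", dns_port, probe),
            "udp_closed": udp_port_status("127.0.0.1", unused_port(socket.SOCK_DGRAM), probe, 1.0),
        }
    finally:
        tcp_srv.close()
        dns_srv.close()


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:11s} {verdict}")
```

The UDP branch is the instructive one: a closed port is only distinguishable from a filtered one because the ICMP error is delivered to the connected socket, and a listening port is only visible because the probe is something the service will answer. On a host that rate-limits or blocks ICMP, "NOT LISTENING" collapses into "LISTENING or FILTERED", which is why the slides call UDP results less definite.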

PortQry Usage
portqry -n server [-p protocol] [-e || -r || -o endpoint(s)] [-l logfile] [-s] [-q]
Where:
-n [server] IP address or name of server to query
-p [protocol] TCP or UDP or BOTH (default is TCP)
-e [endpoint] single port to query (valid range: )
-r [end point range] range of ports to query (start:end)
-o [end point order] range of ports to query in an order (x,y,z)
-l [logfile] name of log file to create
-s 'slow link delay' waits longer for UDP replies from remote systems
-q 'quiet' operation runs with no output; returns 0 if port is listening, returns 1 if port is not listening, returns 2 if port is listening or filtered

portqry -n myserver -p UDP -e 389
Returns LDAP base query information:
UDP port 389 (unknown service): LISTENING or FILTERED Sending LDAP query to UDP port LDAP query response: currentdate: 09/03/ :42:40 (unadjusted GMT) subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=eu,DC=reskit,DC=com dsServiceName: CN=NTDS Settings,CN=RED-DC-11,CN=Servers,CN=NA-WA- RED,CN=Sites,CN=Configuration,DC=eu,DC=reskit,DC=com namingContexts: DC=redmond,DC=eu,DC=reskit,DC=com defaultNamingContext: DC=redmond,DC=eu,DC=reskit,DC=com schemaNamingContext: CN=Schema,CN=Configuration,DC=eu,DC=reskit,DC=com configurationNamingContext: CN=Configuration,DC=eu,DC=reskit,DC=com rootDomainNamingContext: DC=eu,DC=reskit,DC=com supportedControl: supportedLDAPVersion: 3 supportedLDAPPolicies: MaxPoolThreads highestCommittedUSN: supportedSASLMechanisms: GSSAPI dnsHostName: myserver.eu.reskit.com ldapServiceName: serverName: CN=MYSERVER,CN=Servers,CN=Sites,CN=Configuration,DC=eu,DC=reskit,DC=com supportedCapabilities: isSynchronized: TRUE isGlobalCatalogReady: TRUE ======== End of LDAP query response ======== UDP port 389 is LISTENING

portqry -n myserver -p UDP -e 135
Dumps the RPC Endpoint Mapper database:
UDP port 135 (epmap service): LISTENING or FILTERED Querying Endpoint Mapper Database... Server's response: UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076 ncacn_ip_tcp: [4144] UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface ncacn_np:\\\\MYSERVER[\\PIPE\\lsass] UUID: e b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface ncacn_ip_tcp: [1030] UUID: e b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface ncadg_ip_udp: [1032] UUID: abcd-ef cffb ncacn_np:\\\\MYSERVER[\\PIPE\\lsass] UUID: abcd-ef cffb ncacn_np:\\\\MYSERVER[\\PIPE\\POLICYAGENT] Total endpoints found: 6 ==== End of RPC Endpoint Mapper query response ==== UDP port 135 is LISTENING

portqry -n myserver -p UDP -e 53
Verifies DNS query and response operation:
UDP port 53 (domain service): LISTENING or FILTERED Sending DNS query to UDP port UDP port 53 (domain service): LISTENING

portqry -n MyMailServer -p TCP -e 25
Returns SMTP, POP3, IMAP4 status messages:
TCP port 25 (SMTP service): LISTENING Data returned from the port: 220 MyMailServer.eu.reskit.com Microsoft ESMTP MAIL Service, Version: ready at Sun, 2 Sep :24:

portqry -n MyFtpServer -p TCP -e 21
Returns the FTP status message and tests for anonymous account access:
220 MyFtpServer Microsoft FTP Service (Version 5.0). 331 Anonymous access allowed, send identity (e-mail name) as password.

portqry -n myserver -p UDP -e 137
Verifies NetBIOS Name Service functionality and returns the MAC address:
UDP port 137 (netbios-ns service): LISTENING or FILTERED Attempting NETBIOS adapter status query to UDP port Server's response: MAC address 00c04f7946f0 UDP port: LISTENING

Query behavior is configurable using the local services file
- Located in %systemroot%/system32/drivers/etc/services
- PortQry resolves the service name for a port using this file
- It decides what type of query to send to the port using this file
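The slide above explains that PortQry looks the port up in the local services file to name the service and to choose which application-layer query to send. The following added example (not PortQry's code) shows that lookup: a parser for the `name port/protocol [aliases] # comment` layout that file uses, and a planner that maps the resolved name to the kind of probe the earlier slides list for LDAP, RPC, DNS, SMTP, POP3, IMAP4, FTP and NetBIOS Name Service. The sample file content and the probe-description table are constructed for the illustration; they are not copied from the real file or from PortQry.

```python
"""Resolve port/protocol -> service name from a services file, then pick the
probe type for it (added example). The sample text below follows the layout
of %systemroot%/system32/drivers/etc/services (and /etc/services) but is
constructed for this illustration."""

SAMPLE_SERVICES = """\
# Constructed sample in the services-file layout: <name> <port>/<proto> [aliases] [# comment]
ftp-data     20/tcp                 # FTP, data
ftp          21/tcp
telnet       23/tcp
smtp         25/tcp    mail
domain       53/tcp                 # Domain Name Server
domain       53/udp
tftp         69/udp
http         80/tcp    www www-http # World Wide Web
pop3        110/tcp    postoffice
epmap       135/tcp    loc-srv      # DCE endpoint resolution
epmap       135/udp    loc-srv
netbios-ns  137/udp    nbname
netbios-ssn 139/tcp    nbsession
imap        143/tcp    imap4
snmp        161/udp
ldap        389/tcp
ldap        389/udp
"""

# Constructed description of the application-layer probe used per service,
# following the slides' list of services PortQry understands.
PROBE_FOR_SERVICE = {
    "ldap": "LDAP base query (rootDSE)",
    "epmap": "RPC endpoint mapper dump",
    "domain": "DNS query",
    "smtp": "read SMTP banner",
    "pop3": "read POP3 banner",
    "imap": "read IMAP4 banner",
    "ftp": "read FTP banner, test anonymous logon",
    "netbios-ns": "NetBIOS adapter status query",
}
GENERIC_PROBE = "generic probe (TCP connect / empty UDP datagram, UDP result may be ambiguous)"


def parse_services(text: str) -> dict:
    """Return {(port, proto): name}. Comments, blank lines and malformed
    lines are skipped; the first entry for a port/proto wins, as the
    resolver libraries do."""
    table: dict = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip trailing comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port_text, proto = parts[1].split("/", 1)
        try:
            port = int(port_text)
        except ValueError:
            continue
        table.setdefault((port, proto.lower()), parts[0])
    return table


def plan_query(table: dict, port: int, proto: str) -> tuple:
    """(service name, probe description) for one port, the decision the
    slide says PortQry makes from the services file."""
    name = table.get((port, proto.lower()))
    if name is None:
        return ("unknown service", GENERIC_PROBE)
    return (name, PROBE_FOR_SERVICE.get(name, GENERIC_PROBE))


if __name__ == "__main__":
    svc = parse_services(SAMPLE_SERVICES)
    for port, proto in ((389, "udp"), (135, "udp"), (53, "udp"), (25, "tcp"), (137, "udp"), (8080, "tcp")):
        name, probe = plan_query(svc, port, proto)
        print(f"{proto.upper()} port {port} ({name}): {probe}")
```

The practical consequence for a defender reading PortQry output: a port reported as "(unknown service)" was probed generically, so a UDP "LISTENING or FILTERED" there says less than the same verdict on a port the services file could name.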
