Reconnaissance Tools Tools that integrate Whois, ARIN, DNS interrogation and many more services: – Applications – Web-based portals

Slides:



Advertisements
Similar presentations
Ethical Hacking Module VII Sniffers.
Advertisements

Intrusions. Disclaimer Some techniques and tools mentioned in this class could be: – Illegal to use – Dangerous for others – they can crash machines and.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.
Intrusions (vulnerability, exploit) Intrusion phases Reconnaissance (non-technical, technical) – Interrogating DNS, split-horizon DNS Scanning – Learn.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
SYSTEM ADMINISTRATION Chapter 19
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
System Security Scanning and Discovery Chapter 14.
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Network Attacks Mark Shtern.
System and Network Security Practices COEN 351 E-Commerce Security.
 In MHP 105, same time as our class  Reading list is online  Sample midterm is online o Try to solve it before the next class.
Firewalls and Intrusion Detection Systems
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
ITIS 6167/8167: Network and Information Security Weichao Wang.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Ana Chanaba Robert Huylo
Module 7: Configuring TCP/IP Addressing and Name Resolution.
JMU GenCyber Boot Camp Summer, Network Sniffing Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain.
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
Switch Concepts and Configuration and Configuration Part II Advanced Computer Networks.
Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.
This courseware is copyrighted © 2015 gtslearning. No part of this courseware or any training material supplied by gtslearning International Limited to.
CIS 450 – Network Security Chapter 3 – Information Gathering.
COEN 350 Security Threats. Network Based Exploits Phases of an Attack  Reconnaissance  Scanning  Gaining Access  Expanding Access  Covering Tracks.
Introduction to InfoSec – Recitation 11 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
Linux Networking and Security
Lecture 20 Hacking. Over the Internet Over LAN Locally Offline Theft Deception Modes of Hacker Attack.
Chapter 2 Scanning Last modified Determining If The System Is Alive.
Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.
1 Lab 1: Reconnaissance, Network Mapping, and Vulnerability Assessment Reconnaissance Scanning Network Mapping Port Scanning OS detection Vulnerability.
Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is.
1 Figure 4-1: Targeted System Penetration (Break-In Attacks) Host Scanning  Ping often is blocked by firewalls  Send TCP SYN/ACK to generate RST segments.
CHAPTER 9 Sniffing.
CIS 450 – Network Security Chapter 4 - Spoofing. Definition - To fool. In networking, the term is used to describe a variety of ways in which hardware.
Chapter 8 Phase3: Gaining Access Using Network Attacks
Topics Network topology Virtual LAN Port scanners and utilities Packet sniffers Weak protocols Practical exercise.
Network Attacks Bharatha Yajaman ISQS Outline Sniffing  Passive Sniffing  Active Sniffing IP Address Spoofing  Changing the IP address  Undermining.
Networking in Linux. ♦ Introduction A computer network is defined as a number of systems that are connected to each other and exchange information across.
1 CSCD434 Lecture 7 Spring 2012 Scanning Activities Network Mapping and Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Backdoors and Rootkits.
Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF
Network Devices and Firewalls Lesson 14. It applies to our class…
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.
SESSION HIJACKING It is a method of taking over a secure/unsecure Web user session by secretly obtaining the session ID and masquerading as an authorized.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.
Introduction to Information Security
Intrusions.
Networks Fall 2009.
CITA 352 Chapter 5 Port Scanning.
or call for office visit,
LAN Vulnerabilities.
Port Scanning (based on nmap tool)
Session 20 INST 346 Technologies, Infrastructure and Architecture
Presentation transcript:

Reconnaissance Tools Tools that integrate Whois, ARIN, DNS interrogation and many more services: – Applications – Web-based portals Dangerous

At The End Of Reconnaissance Attacker has a list of IP addresses assigned to the target network He has some administrative information about the target network He may also have a few “live” addresses and some idea about functionalities of the attached computers

Phase 2: Scanning Detecting information useful for break-in – Live machines – Network topology – Firewall configuration – Applications and OS types – Vulnerabilities

Network Mapping Finding live hosts – Ping sweep – TCP SYN sweep Map network topology – Traceroute Sends out ICMP or UDP packets with increasing TTL Gets back ICMP_TIME_EXCEEDED message from intermediate routers

Traceroute A A R1 R2 R3 db www mail 1. ICMP_ECHO to TTL=1 1a. ICMP_TIME_EXCEEDED from R1 victim.com A: R1 is my first hop to

A A R1 R2 R3 db www mail 2. ICMP_ECHO to TTL=2 2a. ICMP_TIME_EXCEEDED from R2 victim.com A: R1-R2 is my path to Traceroute

A A R1 R2 R3 db www mail 3. ICMP_ECHO to TTL=3 3a. ICMP_TIME_EXCEEDED from R3 victim.com A: R1-R2-R3 is my path to Traceroute

A A R1 R2 R3 db www mail 4. ICMP_ECHO to TTL=4 4a. ICMP_REPLY from victim.com A: R1-R2-R3-www is my path to Traceroute

A A R1 R2 R3 db www mail Repeat for db and mail servers victim.com A: R1-R2-R3-www is my path to R1-R2-R3-db is my path to db.victim.com R1-R2-R3-mail is my path to mail.victim.com  Victim network is a star with R3 at the center Traceroute

Network Mapping Tools Cheops – Linux application – – Automatically performs ping sweep and network mapping and displays results in a GUI Dangerous

Defenses Against Network Mapping And Scanning Filter out outgoing ICMP traffic – Maybe allow for your ISP only Use Network Address Translation (NAT) NAT box A B C D Internal hosts with / Request Request Reply Reply

How NATs Work For internal hosts to go out – B sends traffic to – NAT modifies the IP header of this traffic Source IP: B  NAT Source port: B’s chosen port Y  random port X – NAT remembers that whatever comes for it on port X should go to B on port Y – Google replies, NAT modifies the IP header Destination IP: NAT  B Destination port: X  Y

How NATs Work For public services offered by internal hosts – You advertise your web server A at NAT’s address ( and port 80) – NAT remembers that whatever comes for it on port 80 should go to A on port 80 – External clients send traffic to :80 – NAT modifies the IP header of this traffic Destination IP: NAT  A Destination port: NAT’s port 80  A’s service port 80 – A replies, NAT modifies the IP header Source IP: A  NAT Source port: 80  80

How NATs Work What if you have another Web server C – You advertise your web server A at NAT’s address ( and port 55) – not a standard Web server port so clients must know to talk to a diff. port – NAT remembers that whatever comes for it on port 55 should go to C on port 80 – External clients send traffic to :55 – NAT modifies the IP header of this traffic Destination IP: NAT  C Destination port: NAT’s port 55  C’s service port 80 – C replies, NAT modifies the IP header Source IP: C  NAT, source port: 80  55

Port Scanning Finding applications that listen on ports Send various packets: – Establish and tear down TCP connection – Half-open and tear down TCP connection – Send invalid TCP packets: FIN, Null, Xmas scan – Send TCP ACK packets – find firewall holes – Obscure the source – FTP bounce scans – UDP scans – Find RPC applications Dangerous

Port Scanning Set source port and address – To allow packets to pass through the firewall – To hide your source address Use TCP fingerprinting to find out OS type – TCP standard does not specify how to handle invalid packets – Implementations differ a lot

Port Scanning Tools Nmap – Unix and Windows NT application and GUI – – Various scan types – Adjustable timing Dangerous

Defenses Against Port Scanning Close all unused ports Remove all unnecessary services Filter out all unnecessary traffic Find openings before the attackers do Use smart filtering, based on client’s IP

Firewalk: Determining Firewall Rules Find out firewall rules for new connections We don’t care about target machine, just about packet types that can get through the firewall – Find out distance to firewall using traceroute – Ping arbitrary destination setting TTL=distance+1 – If you receive ICMP_TIME_EXCEEDED message, the ping went through

Defenses Against Firewalking Filter out outgoing ICMP traffic Use firewall proxies – This defense works because a proxy recreates each packet including the TTL field – The destination host would have to be set up to ignore messages that are not allowed

Firewall Flavors Packet filters – Stateless Allow all traffic to port 80 – Statefull Allow all traffic to port 80 on established connections Proxies – Capture all traffic and reissue it with source IP of the firewall – normalizes traffic

Vulnerability Scanning The attacker knows OS and applications installed on live hosts – He can now find for each combination Vulnerability exploits Common configuration errors Default configuration Vulnerability scanning tool uses a database of known vulnerabilities to generate packets Vulnerability scanning is also used for sysadmin

Vulnerability Scanning Tools SARA – SAINT – Nessus – Dangerous

Defenses Against Vulnerability Scanning Close your ports and keep systems patched Find your vulnerabilities before the attackers do

At The End Of Scanning Phase Attacker has a list of “live” IP addresses O pen ports and applications at live machines Some information about OS type and version of live machines Some information about application versions at open ports Information about network topology Information about firewall configuration

Phase 3: Gaining Access Exploit vulnerabilities – Exploits for a specific vulnerability can be downloaded from hacker sites – Skilled hackers write new exploits What is a vulnerability? What is an exploit?

Buffer Overflow Attacks Aka stack-based overflow attacks Stack stores important data on procedure call Function call arguments Return address Saved frame ptr Local variables for called procedure TOS Memory address increases

Buffer Overflow Attacks Consider a function void sample_function(char* s) { char buffer[10]; strcpy(buffer, s); return; } And a main program void main() { int i; char temp[200]; for(i=0; i<200;i++) temp[i]=‘A’; sample_function(temp); return; } Argument is larger than we expected …

Buffer Overflow Attacks Large input will be stored on the stack, overwriting system information Function call arguments Return address Saved frame ptr s,buffer[10] TOS Memory address increases Overwritten by A’s

Buffer Overflow Attacks Attacker overwrites return address to point somewhere else – “Local variables” portion of the stack – Places attack code in machine language at that portion – Since it is difficult to know exact address of the portion, pads attack code with NOPs before and after

Buffer Overflow Attacks Intrusion Detection Systems (IDSs) could look for sequence of NOPs to spot buffer overflows – Attacker uses polymorphism: he transforms the code so that NOP is changed into some other command that does the same thing, e.g. MOV R1, R1 – Attacker XORs important commands with a key – Attacker places XOR command and the key just before the encrypted attack code. XOR command is also obscured

Buffer Overflow Attacks What type of commands does the attacker execute? – Commands that help him gain access to the machine – Writes a string into inetd.conf file to start shell application listening on a port, then “logs on” through that port – Starts Xterm

Buffer Overflow Attacks How does an attacker discover Buffer overflow? – Looks at the source code – Runs application on his machine, tries to supply long inputs and looks at system registers Read more at –

Defenses Against Buffer Overflows For system administrators: – Apply patches, keep systems up-to-date – Disable execution from the stack – Monitor writes on the stack – Store return address somewhere else – Monitor outgoing traffic For software designers – Apply checks for buffer overflows – Use safe functions – Static and dynamic code analysis

Network Attacks Sniffing for passwords and usernames Spoofing addresses Hijacking a session

Sniffing Looking at raw packet information on the wire – Some media is more prone to sniffing – Ethernet – Some network topologies are more prone to sniffing – hub vs. switch

Sniffing On a Hub Ethernet is a broadcast media – every machine connected to it can hear all the information – Passive sniffing For X X A RY

Sniffing On a Hub Attacker can get anything that is not encrypted and is sent to LAN – Defense: encrypt all sensitive traffic – Tcpdump – Snort – Ethereal

Sniffing On a Switch Switch is connected by a separate physical line to every machine and it chooses only one line to send the message For X X A RY

Sniffing On a Switch – Take 1 Attacker sends a lot of ARP messages for fake addresses to R – Some switches send on all interfaces when their table overloads For X X A RY

Sniffing On a Switch – Take 2 Address Resolution Protocol (ARP) maps IP addresses with MAC addresses 1. For X 4. For X 2. Who has X? 3. I do X A RY

Sniffing On a Switch – Take 2 Attacker uses ARP poisoning to map his MAC address to IP address X 2. For X 1.I have X, MAC(A) I have Y, MAC(A) (unsolicited) X A RY 3. For X, MAC (A) 4. For X, MAC (X) 5. For X, MAC (X)

Sniffing On a Switch – Take 2 Attacker uses ARP poisoning to map his MAC address to IP address X 9. For Y, MAC(Y) X A RY 7. For Y, MAC (A) 8. For Y, MAC (Y) 6. For Y

Active Sniffing Tools Dsniff – – Also parses application packets for a lot of applications – Sniffs and spoofs DNS Dangerous

Spoofing DNS Attacker sniffs DNS requests, replies with his own address faster than real server (DNS cache poisoning) When real reply arrives client ignores it This can be coupled with man-in-the-middle attack on HTTPS and SSH

Sniffing Defenses Use end-to-end encryption Use switches – Statically configure MAC and IP bindings with ports Don’t accept suspicious certificates

What Is IP Spoofing Faking somebody else’s IP address in IP source address field How to spoof? – Linux and BSD OS have functions that enable superuser to create custom packets and fill in any information – Windows XP also has this capability but earlier Windows versions don’t

IP Address Spoofing in TCP packets Attacker cannot see reply packets Alice MBob M Attacker M 1. SYN, IP Alice, SEQ A 2. SYN SEQ B, ACK SEQ A 3. RESET

Guessing a Sequence Number Attacker wants to assume Alice’s identity – He establishes many connections to Bob with his own identity gets a few sequence numbers – He disables Alice (DDoS) – He sends SYN to Bob, Bob replies to Alice, attacker uses guessed value of SEQ B to complete connection – TCP session hijacking – If Bob and Alice have trust relationship (/etc/hosts.equiv file in Linux) he has just gained access to Bob – He can add his machine to /etc/hosts.equiv echo “ ” >> /etc/hosts.equiv How easy is it to guess SEQ B ?

Guessing a Sequence Number It used to be ISN=f(Time), still is in some Windows versions

Guessing a Sequence Number On Linux ISN=f(time)+rand

Guessing a Sequence Number On BSD ISN=rand

Spoofing Defenses Ingress and egress filtering Don’t use trust models with IP addresses Randomize sequence numbers

At The End of Gaining Access Attacker has successfully logged onto a machine

Phase 4: Maintaining Access Attacker establishes a listening application on a port (backdoor) so he can log on any time with or without a password Attackers frequently close security holes they find

Netcat Tool Similar to Linux cat command – – Client: Initiates connection to any port on remote machine – Server: Listens on any port – To open a shell on a victim machine On victim machine: nc –l –p 1234 /* This opens a backdoor */ On attacker machine: nc –c /bin/sh /* This enters through a backdoor, opens a shell */ Dangerous

Netcat Tool Used for – Port scanning – Backdoor – Relaying the attack

Trojans Application that claims to do one thing (and looks like it) but it also does something malicious Users download Trojans from Internet (thinking they are downloading a free game) or get them as greeting cards in , or as ActiveX controls when they visit a Web site Trojans can scramble your machine – They can also open a backdoor on your system They will also report successful infection to the attacker

Back Orifice Trojan application that can – Log keystrokes – Steal passwords – Create dialog boxes – Mess with files, processes or system (registry) – Redirect packets – Set up backdoors – Take over screen and keyboard –

Trojan Defenses Antivirus software Don’t download suspicious software Check MD5 sum on trusted software you download Disable automatic execution of attachments

At the End of Maintaining Access The attacker has opened a backdoor and can now access victim machine at any time

Phase 5: Covering Tracks Rootkits Alter logs Create hard-to-spot files Use covert channels

Application Rootkits Alter or replace system components (for instance DLLs) E.g., on Linux attacker replaces ls program Rootkits frequently come together with sniffers: – Capture a few characters of all sessions on the Ethernet and write into a file to steal passwords – Administrator would notice an interface in promiscuous mode Not if attacker modifies an application that shows interfaces - netstat

Application Rootkits Attacker will modify all key system applications that could reveal his presence – List processes e.g. ps – List files e.g. ls – Show open ports e.g. netstat – Show system utilization e.g. top He will also substitute modification date with the one in the past

Defenses Against App. Rootkits Don’t let attackers gain root access Use integrity checking of files: – Carry a floppy with md5sum, check hashes of system files against hashes advertised on vendor site or hashes you stored before Use Tripwire – Free integrity checker that saves md5 sums of all important files in a secure database (read only CD), then verifies them periodically –

Kernel Rootkits Replace system calls – Intercept calls to open one application with calls to open another, of attacker’s choosing – Now even checksums don’t help as attacker did not modify any system applications – You won’t even see attacker’s files in file listing – You won’t see some processes or open ports Usually installed as kernel modules Defenses: disable kernel modules

Altering Logs For binary logs: – Stop logging services – Load files into memory, change them – Restart logging service – Or use special tool For text logs simply change file through scripts Change login and event logs, command history file, last login data

Defenses Against Altering Logs Use separate log servers – Machines will send their log messages to these servers Encrypt log files Make log files append only Save logs on write-once media

Creating Hard-to-Spot Files Names could look like system file names, but slightly changed – Start with. – Start with. and add spaces – Make files hidden Defenses: intrusion detection systems and caution