Dictionary Attack Chien-Chung Shen

Slides:

Advertisements

Similar presentations

A “Dynamic” Firewall Jon Hillier Oxford University/ eScience Centre.

Advertisements

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

SIM303. “ The Conficker worm is a computer worm that can infect your computer and spread itself to other computers across a network automatically,

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

Linux Security An overview notes from Linux Network Security HowTO.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond Security Ltd. Port Knocking Beyond Security Noam Rathaus CTO Sunday, July 11, 2004 Presentation on.

COEN 252: Computer Forensics Router Investigation.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Ssh: secure shell. overview Purpose Protocol specifics Configuration Security considerations Other uses.

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.

CERN’s Computer Security Challenge

Port Scanning 0x470~0x480 Presenter SangDuk Seo 1.

Honeypot and Intrusion Detection System

CIS 450 – Network Security Chapter 3 – Information Gathering.

A Basic Introduction to Computer Security John H. Porter University of Virginia Department of Environmental Sciences.

Security at NCAR David Mitchell February 20th, 2007.

NETWORK SECURITY USING IPTABLES. TOPICS OF DISCUSSION NETWORK TRAFFIC IN PRESENT SCENARIO !! WHY WE NEED SECURITY ? T TYPE OF ATTACKS & WAYS TO TACKLE.

Linux Networking Security Sunil Manhapra & Ling Wang Project Report for CS691X July 15, 1998.

Firewalling With Netfilter/Iptables. What Is Netfilter/Iptables? Improved successor to ipchains available in linux kernel 2.4/2.6. Netfilter is a set.

 FreeBSD firewalls › ipfw -- IP firewall and traffic shaper control program  ipfw(8) › ipf (IP Filter) - alters packet filtering lists for IP packet.

CHAPTER 3 Classes of Attack. INTRODUCTION Network attacks come from both inside and outside firewall. Kinds of attacks: 1. Denial-of-service 2. Information.

1 Quick Overview Overview Network –IPTables –Snort Intrusion Detection –Tripwire –AIDE –Samhain Monitoring & Configuration –Beltaine –Lemon –Prelude Conclusions.

1 Figure 4-1: Targeted System Penetration (Break-In Attacks) Host Scanning  Ping often is blocked by firewalls  Send TCP SYN/ACK to generate RST segments.

Cracking Techniques Onno W. Purbo

Linux Security. Module 13 – Linux Security ♦ Overview Linux is more prone today to security loopholes and attacks, both inside and outside the network.

1 Linux Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise.

Sid Stamm, Zulfikar Ramzan and Markus Jokobsson Erkang Xu.

Linux services troubleshooting. If you cannot connect to your service.. When you start service, check that it says ok (most services say that when starting.

TCOM Information Assurance Management System Hacking.

1 Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise your system.

Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003.

CERN - European Organization for Nuclear Research Beyond ACB – VPN’s FOCUS June 13 th, 2002 Frédéric Hemmer & Denise Heagerty- IT Division.

Server Hardening Moses Ike and Paul Murley TexSAW 2015 Credit to Daniel Waymel and Corrin Thompson.

Firewalls Group 11Group 12 Bryan Chapman Richard Dillard Rohan Bansal Huang Chen Peijie Shen.

Retina Network Security Scanner

Database Security David Nguyen. Dangers of Internet  Web based applications open up new threats to a corporation security  Protection of information.

ITGS Network Architecture. ITGS Network architecture –The way computers are logically organized on a network, and the role each takes. Client/server network.

Enumeration. Definition Scanning identifies live hosts and running services Enumeration probes the identified services more fully for known weaknesses.

Network and Port Scanning Chien-Chung Shen

SMOOTHWALL FIREWALL By Nitheish Kumarr. INTRODUCTION  Smooth wall Express is a Linux based firewall produced by the Smooth wall Open Source Project Team.

Chapter 14.  Upon completion of this chapter, you should be able to:  Identify different types of Intrusion Detection Systems and Prevention Systems.

Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.

Securing your network But still be able to access it Hugh Mahon.

Common System Exploits Tom Chothia Computer Security, Lecture 17.

Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.

Ssh: secure shell.

Working at a Small-to-Medium Business or ISP – Chapter 8

IT443 – Network Security Administration Instructor: Bo Sheng

FIREWALL configuration in linux

Instructor Materials Chapter 7 Network Security

Onno W. Purbo Cracking Techniques Onno W. Purbo

Firewall – Survey Purpose of a Firewall Characteristic of a firewall

Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009

Introduction to Networking

IS3440 Linux Security Unit 6 Using Layered Security for Access Control

Information Security Session October 24, 2005

Chapter 27: System Security

Firewalls Purpose of a Firewall Characteristic of a firewall

Lab 7 - Topics Establishing SSH Connection Install SSH Configure SSH

COP 4343 Unix System Administration

Firewalls By conventional definition, a firewall is a partition made

Crisis and Aftermath Morris worm.

6. Application Software Security

Presentation transcript:

Dictionary Attack Chien-Chung Shen

Introduction Scanning blocks of IP addresses for vulnerabilities at open ports is in many cases the starting point for breaking into a network When not behind firewall, it is easy to see such ongoing scans. All you have to do is to look at the access or the authorization logs of the services offered by host in network Focus on how to break into port 22 used for SSH service Dictionary attack: bad guys try a large number of common names as possible account names on the target machine and, should they succeed in stumbling into a name for which there is actually an account on the target machine, they then proceed to try a large number of commonly used passwords for that account On Ubuntu, try tail -f /var/log/auth.log Look up IP address at or geoiptool.com

Dictionary Attack In mounting dictionary attack, bad guys focus particularly on account names that a target machine could be expect to have with high probability –root, webmaster, webadmin, admin, guest, test, staff, etc. When local sshd daemon cannot reconcile the domain name from where SSH connection request is coming from with the IP address contained in the connection request –Message: failed - POSSIBLE BREAK-IN ATTEMPT!

Password File inside Conficker When an attacker who has mounted a dictionary attack does find an installed account on the victim machine, the next challenge for the attacker is to gain entry into the account by making guesses at the password for the account “Guesses” that are embedded in binary of Conficker worm –en.wikipedia.org/wiki/Confickeren.wikipedia.org/wiki/Conficker –nakedsecurity.sophos.com/2009/01/16/passwords-conficker-worm/

Thwart Dictionary Attack with Log Scanning Want to be able to SSH into your machine at home from work without allowing others to be able to do the same –/etc/hosts.allow : sshd: xxx.xxx.xxx.xxx –/etc/hosts.deny : ALL: ALL –/etc/hosts.allow takes precedence over /etc/hosts.deny Detecting repeated break-in attempts and temporarily (or, sometimes, permanently) blacklisting IP addresses from where the attacks are emanating DenyHosts by Phil Schwartz is one of the best tools that keeps an eye on sshd server logs (in /var/log/auth.log on Ubuntu) and takes immediate protective action if it sees signs of repeated unsuccessful attempts to break into the machine through SSH service –The basic operation of DenyHosts is that if it sees a repeated unsuccessful attempt from an IP address, it places that IP address in /etc/hosts.deny

DenyHost

Rate Limiting Repeated ssh Access with iptable Rules #!/bin/sh # iptables rules limit SSH access from any single IP address to five in # any 25 second period. INTERFACE="eth0" EXTERNAL_NET=" /24" PERIOD_EXTERNAL="25" TRIES_EXTERNAL="5" # Limit sshd user account scan from EXTERNAL net iptables -A INPUT -p tcp --dport 22 -i $INTERFACE \ --source $EXTERNAL_NET \ -m state --state NEW -m recent --name EXTERNAL --set # Log scan attack iptables -A INPUT -p tcp --dport 22 -i $INTERFACE \ --source $EXTERNAL_NET \ -m state --state NEW -m recent --name EXTERNAL --update \ --seconds $PERIOD_EXTERNAL --hitcount $TRIES_EXTERNAL -j LOG \ --log-level warning --log-tcp-options --log-ip-options \ --log-prefix "SFW2-DELAY-ssh-scan " # Limit ssh connection tries from one IP iptables -A INPUT -p tcp --dport 22 -i $INTERFACE \ --source $EXTERNAL_NET \ -m state --state NEW -m recent --name EXTERNAL --update \ --seconds $PERIOD_EXTERNAL --hitcount $TRIES_EXTERNAL -j DROP