Presentation is loading. Please wait.

Presentation is loading. Please wait.

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

Published byGuadalupe Hollins Modified over 9 years ago

Similar presentations

Presentation on theme: " Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,"— Presentation transcript:

1  Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions, request-result conditions  Speak about security posture, system states, authentication mechanisms, etc.  Intrusion scenario o Reconnaissance, scanning, break-in and misuse, maintaining access, covering tracks o Reconnaisance: low-tech, Web-based

2  What does DNS do?  How does DNS work?  Types of information an attacker can gather: o Range of addresses used o Address of a mail server o Address of a web server o OS information o Comments

3 $ nslookup Default server:evil.attacker.com Address: 10.11.12.13 server 1.2.3.4 Default server:dns.victimsite.com Address: 1.2.3.4 set type=any ls –d victimsite.com system1 1DINA 1.2.2.1 1DINHINFO “Solaris 2.6 Mailserver” 1DINMX 10 mail1 web1DINA 1.2.11.27 1DINHINFO “NT4www” Dangerous

4  Provide only necessary information o No OS info and no comments  Restrict zone transfers o Allow only a few necessary hosts  Use split-horizon DNS

5  Show a different DNS view to external and internal users Internal DNS Employees External DNS External users Web server Mail server Internal DB

6  Tools that integrate Whois, ARIN, DNS interrogation and many more services: o Applications o Web-based portals  http://www.network-tools.com Dangerous

7  Attacker has a list of IP addresses assigned to the target network  He has some administrative information about the target network  He may also have a few “live” addresses and some idea about functionalities of the attached computers

8  Detecting information useful for break-in o Live machines o Network topology o Firewall configuration o Applications and OS types o Vulnerabilities

9  Finding live hosts o Ping sweep o TCP SYN sweep  Map network topology o Traceroute  Sends out ICMP or UDP packets with increasing TTL  Gets back ICMP_TIME_EXCEEDED message from intermediate routers

10 A A R1R1 R1R1 R2R2 R2R2 R3R3 R3R3 dbdb dbdb www mail 1. ICMP_ECHO to www.victim.com TTL=1 1a. ICMP_TIME_EXCEEDED from R1 victim.com A: R1 is my first hop to www.victim.com!

11 A A R1R1 R1R1 R2R2 R2R2 R3R3 R3R3 dbdb dbdb www mail 2. ICMP_ECHO to www.victim.com TTL=2 2a. ICMP_TIME_EXCEEDED from R2 victim.com A: R1-R2 is my path to www.victim.com!

12 A A R1R1 R1R1 R2R2 R2R2 R3R3 R3R3 dbdb dbdb www mail 3. ICMP_ECHO to www.victim.com TTL=3 3a. ICMP_TIME_EXCEEDED from R3 victim.com A: R1-R2-R3 is my path to www.victim.com!

13 A A R1R1 R1R1 R2R2 R2R2 R3R3 R3R3 dbdb dbdb www mail 4. ICMP_ECHO to www.victim.com TTL=4 4a. ICMP_REPLY from www.victim.com victim.com A: R1-R2-R3-www is my path to www.victim.com

14 A A R1R1 R1R1 R2R2 R2R2 R3R3 R3R3 dbdb dbdb www mail Repeat for db and mail servers victim.com A: R1-R2-R3-www is my path to www.victim.com R1-R2-R3-db is my path to db.victim.com R1-R2-R3-mail is my path to mail.victim.com  Victim network is a star with R3 at the center

15  Cheops o Linux application o http://cheops- ng.sourceforge.net/Automatically performs ping sweep and network mapping and displays results in GUI Dangerous

16  Filter out outgoing ICMP traffic o Maybe allow for your ISP only  Use Network Address Translation (NAT) NAT box A B C D Internal hosts with 192.168.0.0/16 1.2.3.4 8.9.10.11 Request 1.2.3.4 Request 192.168.13.73 Reply 192.168.13.73 Reply 1.2.3.4

17  For internal hosts to go out o B sends traffic to www.google.com o NAT modifies the IP header of this traffic  Source IP: B  NAT  Source port: B’s chosen port Y  random port X o NAT remembers that whatever comes for it on port X should go to B on port Y o Google replies, NAT modifies the IP header  Destination IP: NAT  B  Destination port: X  Y

18  For public services offered by internal hosts o You advertise your web server A at NAT’s address (1.2.3.4 and port 80) o NAT remembers that whatever comes for it on port 80 should go to A on port 80 o External clients send traffic to 1.2.3.4:80 o NAT modifies the IP header of this traffic  Destination IP: NAT  A  Destination port: NAT’s port 80  A’s service port 80 o A replies, NAT modifies the IP header  Source IP: A  NAT  Source port: 80  80

19  What if you have another Web server C o You advertise your web server A at NAT’s address (1.2.3.4 and port 55) – not a standard Web server port so clients must know to talk to a diff. port o NAT remembers that whatever comes for it on port 55 should go to C on port 80 o External clients send traffic to 1.2.3.4:55 o NAT modifies the IP header of this traffic  Destination IP: NAT  C  Destination port: NAT’s port 55  C’s service port 80 o C replies, NAT modifies the IP header  Source IP: C  NAT, source port: 80  55

20  Finding applications that listen on ports  Send various packets: o Establish and tear down TCP connection o Half-open and tear down TCP connection o Send invalid TCP packets: FIN, Null, Xmas scan o Send TCP ACK packets – find firewall holes o Obscure the source – FTP bounce scans o UDP scans o Find RPC applications Dangerous

21  Set source port and address o To allow packets to pass through the firewall o To hide your source address  Use TCP fingerprinting to find out OS type o TCP standard does not specify how to handle invalid packets o Implementations differ a lot

22  Nmap o Unix and Windows NT application and GUI o http://nmap.org/ o Various scan types o Adjustable timing Dangerous

23  Close all unused ports  Remove all unnecessary services  Filter out all unnecessary traffic  Find openings before the attackers do  Use smart filtering, based on client’s IP

24  Find out firewall rules for new connections  We don’t care about target machine, just about packet types that can get through the firewall o Find out distance to firewall using traceroute o Ping arbitrary destination setting TTL=distance+1 o If you receive ICMP_TIME_EXCEEDED message, the ping went through

25  Filter out outgoing ICMP traffic  Use firewall proxies o This defense works because a proxy recreates each packet including the TTL field

26  The attacker knows OS and applications installed on live hosts o He can now find for each combination  Vulnerability exploits  Common configuration errors  Default configuration  Vulnerability scanning tool uses a database of known vulnerabilities to generate packets  Vulnerability scanning is also used for sysadmin

27  SARA o http://www-arc.com/sara  SAINT o http://www.saintcorporation.com  Nessus o http://www.nessus.org Dangerous

28  Close your ports and keep systems patched  Find your vulnerabilities before the attackers do

29  Attacker has a list of “live” IP addresses  Open ports and applications at live machines  Some information about OS type and version of live machines  Some information about application versions at open ports  Information about network topology  Information about firewall configuration

Download ppt " Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,"

Similar presentations

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Intrusions. Disclaimer Some techniques and tools mentioned in this class could be: – Illegal to use – Dangerous for others – they can crash machines and.

Intrusions. Disclaimer Some techniques and tools mentioned in this class could be: – Illegal to use – Dangerous for others – they can crash machines and.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
1 Firewalls. 2 References 1.Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006. 2.Robert Zalenski, Firewall Technologies,

1 Firewalls. 2 References 1.Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, Robert Zalenski, Firewall Technologies,
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
Information Networking Security and Assurance Lab National Chung Cheng University COUNTER HACK Chapter 6 Scanning Information Networking Security and Assurance.

Information Networking Security and Assurance Lab National Chung Cheng University COUNTER HACK Chapter 6 Scanning Information Networking Security and Assurance.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.

Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Reconnaissance Tools Tools that integrate Whois, ARIN, DNS interrogation and many more services: – Applications – Web-based portals

Reconnaissance Tools Tools that integrate Whois, ARIN, DNS interrogation and many more services: – Applications – Web-based portals
ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.

ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Authorization and Policy. Is principal P permitted to perform action A on object O? – Authorization system will provide yes/no answer Authorization.

Authorization and Policy. Is principal P permitted to perform action A on object O? – Authorization system will provide yes/no answer Authorization.
Port Scanning.

Port Scanning.

Similar presentations

Ads by Google