Security+ All-In-One Edition Chapter 13 – Specific Attacks Brian E. Brzezicki.


1 Security+ All-In-One Edition Chapter 13 – Specific Attacks Brian E. Brzezicki

2 Attacks

3 Attacks Overview (391)
There are generally two reasons someone is attacked.
You are specifically targeted
–Company with money
–Company with secrets
–Revenge
–“Hacktivist”
–Hard to stop
You are a target of opportunity
–Low-hanging fruit
–Script kiddies
–Most common; make yourself a less easy target (more)

4 Steps in an Attack (392)
Any good hacker will take a few common steps to attack a site; these can generally be ordered 1-4.
1.Reconnaissance – learn about the company in general
2.Scanning – scan the network and learn about the network
–Ping sweeps
–Port scans
–Banner grabs
–OS fingerprinting (see later slide) (more)

5 Steps in an attack (392)
3.Research vulnerabilities – now that we know what software is running, and hopefully the version, figure out what attacks it might be vulnerable to
–Nessus is a good tool
–Security mailing lists (Bugtraq) and sites
4.Performing the attack

6 Minimizing Attacks (394)
Often you are going to be attacked by “script kiddies”; the easiest way to protect against them is simply to make their job hard and they’ll move on somewhere else.
Make sure OS and apps are up to date with patches
Turn off and remove unnecessary services and software
Run a host-based firewall
Don’t display information in service banners
Don’t provide any information about your network/systems publicly

7 Terms (398)
Trapdoor – a method usually put into an OS or application that allows the software developers to bypass security controls for the purpose of debugging or troubleshooting.
Backdoor – a program installed on a compromised computer to allow hackers to access the machine. Example: Back Orifice, NetBus (more)

8 Terms (413)
Rootkit – a program installed on a compromised system to hide a hacker’s tracks and help them maintain continued access to a machine

9 DoS

10 DoS (394)
What is a DoS? Which part of the CIA triad does it attempt to affect?
How does it work?
Buffer overflows
Protocol violations
Brute force (more)

11 DoS Attacks
Some famous DoS attacks
Ping of Death
–Oversized ping packet
–Countermeasures – patch OS
Teardrop
–Specially crafted overlapping IP fragments (next)
SYN Flood (later)
Smurf (2 slides away)

12 Teardrop (n/b)

13 Smurf Attack (n/b)

14 Smurf Attack
How would a smurf attack someone?
1.Find a site to attack, say www.ebay.com
2.Forge a ping packet from www.ebay.com to a BROADCAST network address
3.Watch as the computers on the network all start pinging back www.ebay.com
Countermeasures
Drop forged packets at routers
Drop directed broadcasts

15 Smurf Attack

16 SYN Flood (395)
Attack
–Forge an IP SYN packet from a downed system
–Server responds to the fake downed address, which never responds
–Use up all the “listen queue” slots
–Stops real new connections from establishing
Countermeasures
Stop forged packets at ingress/egress routers
Patch OS
Decrease 3-way handshake timeout values
Increase 3-way handshake max connections
Use a firewall as a middleman
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\SynAttackProtect = 1 AND HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\TcpMaxConnectResponseRetransmissions >= 2

17 SYN Flood (395)
Use regedt32
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\SynAttackProtect = 1 AND HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\TcpMaxConnectResponseRetransmissions >= 2
By the way, the info is at http://technet.microsoft.com/en-us/library/cc938202.aspx
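As an added illustration (not from the slides), a small Python model of the server’s listen queue shows why the two tuning countermeasures on the previous slide help: a shorter handshake timeout frees half-open slots sooner, and a bigger queue absorbs more forged SYNs before real clients are refused. The traffic, addresses, queue sizes and timeouts are all constructed.

```python
"""Toy model of a TCP listen queue under a SYN flood (constructed traffic).

Each record is (time_s, client_ip, flag): 'S' = SYN received from a client,
'A' = that client's final ACK completing the three-way handshake.
Forged SYNs come from addresses that never answer, so their half-open
entries stay in the queue until the server's handshake timeout expires them.
"""

# Constructed traffic: 20 forged SYNs in two seconds, then two real clients.
PACKETS = [(round(i * 0.1, 1), f"203.0.113.{i}", "S") for i in range(20)]
PACKETS += [(2.5, "10.0.0.50", "S"), (2.6, "10.0.0.50", "A"),
            (6.0, "10.0.0.51", "S"), (6.1, "10.0.0.51", "A")]
PACKETS.sort()


def simulate_backlog(packets, max_backlog, timeout_s):
    """Replay packets through a listen queue of max_backlog half-open slots.

    Returns (peak_half_open, rejected_syns, completed_handshakes).
    """
    half_open = {}                     # client_ip -> time its SYN arrived
    peak = rejected = completed = 0
    for t, ip, flag in packets:
        # Expire half-open entries older than the handshake timeout
        # (this is what "decrease the 3-way handshake timeout" shortens).
        for stale_ip, t0 in list(half_open.items()):
            if t - t0 > timeout_s:
                del half_open[stale_ip]
        if flag == "S":
            if len(half_open) >= max_backlog:
                rejected += 1          # queue full: the SYN is dropped, real or not
                continue
            half_open[ip] = t
            peak = max(peak, len(half_open))
        elif flag == "A" and ip in half_open:
            del half_open[ip]          # handshake finished, slot freed
            completed += 1
    return peak, rejected, completed


if __name__ == "__main__":
    # Default queue, shorter timeout, and larger queue, in that order.
    for backlog, timeout in ((16, 5.0), (16, 2.0), (32, 5.0)):
        print(backlog, timeout, simulate_backlog(PACKETS, backlog, timeout))
```

With the default settings the real client at t=2.5 is refused; shortening the timeout or enlarging the queue lets both real handshakes complete.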

18 SYN Flood Example

19 DDoS (397)
Distributed Denial of Service – a brute force method that generally uses “zombies” and “botnets” to simply overwhelm a server. May consist of a hierarchy of Attacker, Masters and Slaves (see image 2 slides ahead).
It’s like Bruce Lee... he might be able to defeat 10 people at a time, but it’s only a matter of numbers before even he is overwhelmed. Could he defeat 10,000 attackers at once? (more)

20 DDoS How are zombies and botnets usually created?

21 DDoS

22 Null Session (398)
In early versions of Windows, unauthenticated users could “browse” the network to see what resources existed on it. This browsing made use of “null sessions”, which were open “guest accounts”. Hackers can use null sessions and browsing to learn about the network, so null sessions should be disabled.
To fight null sessions on Windows: HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous = 1
See http://support.microsoft.com/?kbid=246261

23 Sniffing

24 Sniffing (399)
Many network communications are sent in “clear text”. Someone gaining access to the physical network that they travel on can conduct a sniffing attack. (do example)
Problems
Sniff passwords
See confidential information
Countermeasures
Use encrypted applications (SSL)
Use encrypted network communications (VPNs)
Use switches to battle sniffing
Restrict physical access to networks
Use 802.1X to require authorization before allowing network use

25 Spoofing

26 Spoofing (401) Making data look like it came from somewhere that it didn’t (forging)

27 Spoofing Countermeasure
Have Internet/perimeter routers drop incoming packets claiming to be from your internal network.
Have Internet/perimeter routers drop outgoing packets claiming to be from the Internet (spoofed from an inside node).

28 ARP spoofing or poisoning (n/b)
ARP poisoning is an attack against a network where one computer sends fake ARP replies in an attempt to trick another computer on the same network into communicating with it instead of the real machine. This can be used as a man-in-the-middle attack or a straight “hijacking” attack.
Arpwatch and XArp are tools to monitor ARP traffic and help detect ARP poisoning.
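As an added example (not from the slides or from the Arpwatch project), here is the kind of check an Arpwatch-style monitor performs, written in Python over a constructed log of ARP replies. It flags an IP whose advertised MAC changes and a MAC that claims more than one IP, which is what a man-in-the-middle poisoner answering for both the gateway and the victim looks like. All addresses are constructed.

```python
"""Arpwatch-style ARP poisoning detector run over constructed ARP replies.

Two signals, both of which arpwatch-type tools report:
  * an IP whose advertised MAC changes ("flip-flop" when it keeps changing);
  * one MAC claiming several IPs, typical of a man-in-the-middle poisoner
    that answers for both the gateway and the victim.
Legitimate causes (DHCP lease changes, NIC replacement) also trigger the
first signal, so an analyst confirms against the DHCP/asset records.
"""

# Constructed sample: (seq, sender_ip, sender_mac) from ARP replies seen on the LAN
ARP_REPLIES = [
    (1, "192.168.1.1",  "00:11:22:33:44:01"),   # real gateway
    (2, "192.168.1.10", "00:11:22:33:44:10"),   # workstation
    (3, "192.168.1.1",  "00:11:22:33:44:01"),   # repeat, benign
    (4, "192.168.1.1",  "DE:AD:BE:EF:00:01"),   # gateway IP now claimed by another MAC
    (5, "192.168.1.10", "00:11:22:33:44:10"),
    (6, "192.168.1.1",  "00:11:22:33:44:01"),   # real gateway answers again: flip-flop
    (7, "192.168.1.10", "de:ad:be:ef:00:01"),   # same rogue MAC now claims the victim too
]


def detect_arp_poisoning(replies):
    """Return alert tuples: ('changed', seq, ip, old_mac, new_mac) or
    ('multi-ip', seq, mac, (ip, ...))."""
    ip_to_mac = {}
    mac_to_ips = {}
    alerts = []
    for seq, ip, mac in replies:
        mac = mac.lower()                       # normalise case before comparing
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("changed", seq, ip, previous, mac))
        ip_to_mac[ip] = mac
        claimed = mac_to_ips.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1:
            alerts.append(("multi-ip", seq, mac, tuple(sorted(claimed))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES):
        print(*alert)
```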

29 Spoofing Email SMTP (email) has no authentication built into the protocol… therefore spoofing is trivial Do a quick example

30 IP Address Spoofing (401)
IP also has no built-in authentication (IPsec does, but not normal IP), so forging IP packets is trivial. Some systems use IP addresses as “access controls”, so you can bypass firewalls and access controls by spoofing packets (especially UDP).
Countermeasures
Set routers to drop forged packets? (how?)
Use IPsec
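To answer the “how?” above, the ingress/egress rule from slide 27 is spelled out below as a Python filter (an added example, not from the slides or any router vendor). The inside address ranges and the sample packets are constructed; a real router takes the inside ranges from its address plan.

```python
"""Ingress/egress anti-spoofing filter for a perimeter router (constructed data).

Rule from the slides: drop inbound packets that claim an inside source, and
drop outbound packets whose source is not one of our inside addresses.
Sources that can never be valid on the wire are dropped in either direction.
"""
import ipaddress

# Constructed: the address space behind this router.
INSIDE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Sources that are never valid on the wire in either direction.
BOGON_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def perimeter_filter(direction, src_ip):
    """Return 'drop' or 'permit' for one packet; direction is 'in' or 'out'."""
    src = ipaddress.ip_address(src_ip)
    if _in_any(src, BOGON_NETS):
        return "drop"                       # impossible source address
    if direction == "in" and _in_any(src, INSIDE_NETS):
        return "drop"                       # outsider pretending to be one of our hosts
    if direction == "out" and not _in_any(src, INSIDE_NETS):
        return "drop"                       # inside host forging an outside source
    return "permit"


# Constructed packets: (direction, src_ip, dst_ip)
SAMPLE = [
    ("in",  "198.51.100.7", "192.168.1.10"),   # normal inbound
    ("in",  "192.168.1.5",  "192.168.1.10"),   # inbound, forged inside source
    ("out", "192.168.1.10", "198.51.100.7"),   # normal outbound
    ("out", "203.0.113.9",  "198.51.100.7"),   # outbound, forged outside source
    ("in",  "127.0.0.1",    "10.0.0.1"),       # loopback can never be a real source
]


def filter_batch(packets):
    """Apply the filter to each packet; returns (src_ip, verdict) pairs."""
    return [(src, perimeter_filter(direction, src)) for direction, src, _dst in packets]


if __name__ == "__main__":
    for src, verdict in filter_batch(SAMPLE):
        print(f"{src:>14}  {verdict}")
```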

31 Man in the Middle Attack (403)

32 DNS poisoning (n/b)
Faking DNS responses in order to trick a computer into going to your site rather than the real site.
Example: if I can “poison” your DNS cache and redirect www.bankofamerica.com to my IP address, I could put up a fake site and steal your banking information! (or set up a MitM attack)

33 Replay Attack (404)
Replay Attack – attacker captures a portion of communications between two parties and retransmits it at a later time.
Example: an attacker might replay a series of commands in a financial transaction to cause the transaction to be repeated multiple times.
Countermeasures
Encryption
Authentication
Session lifetimes
Unique transaction keys
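As an added example (not from the slides), the last three countermeasures combined in Python: each transaction is authenticated with an HMAC, carries a unique nonce (the “unique transaction key”) and a timestamp, and the receiver enforces a session lifetime and refuses nonces it has already processed. The shared key, message bodies and timestamps are constructed.

```python
"""Replay protection for signed transaction messages (constructed example).

Each message carries a nonce (the slides' "unique transaction key") and a
timestamp; the receiver enforces a session lifetime and remembers nonces it
has already accepted, so a captured message cannot be re-submitted.
"""
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"constructed-demo-key"   # assumption: both parties already share this
SESSION_LIFETIME_S = 30


def _canonical(body, nonce, ts):
    """Serialise the authenticated fields in a fixed order."""
    return json.dumps({"body": body, "nonce": nonce, "ts": ts}, sort_keys=True).encode()


def sign_transaction(key, body, ts, nonce=None):
    """Build a message whose MAC covers body, nonce and timestamp."""
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(key, _canonical(body, nonce, ts), hashlib.sha256).hexdigest()
    return {"body": body, "nonce": nonce, "ts": ts, "mac": mac}


class Receiver:
    def __init__(self, key, lifetime_s):
        self.key = key
        self.lifetime_s = lifetime_s
        self.seen = {}                  # nonce -> ts, pruned as messages expire

    def accept(self, msg, now):
        """Return 'accepted' or a 'rejected: <reason>' string for one message."""
        expected = hmac.new(self.key, _canonical(msg["body"], msg["nonce"], msg["ts"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: bad mac"        # tampered, or wrong key
        if now - msg["ts"] > self.lifetime_s:
            return "rejected: expired"        # outside the session lifetime
        # Nonces older than the lifetime can be forgotten: their messages are
        # rejected as expired anyway, which keeps the seen-set bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.lifetime_s}
        if msg["nonce"] in self.seen:
            return "rejected: replay"         # already processed this transaction
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"
```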

34 TCP/IP Hijacking
TCP/IP or Session Hijacking – taking over an existing session between a client and a server. You then actually “steal” the connection and have bypassed any authentication mechanisms. “hunt” on Linux can be used for TCP hijacking*
Countermeasures
Secure networks physically
Use IPsec

35 Covert Channels (n/b)
Covert channels are a way for people to communicate in ways the system never expected (as such, nothing is monitoring or protecting/restricting these communications).
Covert channels are usually used to secretly pass secret information from people with a high clearance to people with a low clearance. However, they can also be used by hackers to secretly communicate through network protection. One example is LOKI.

36 LOKI (n/b) Pings easily go through the firewalls undetected!

37 MAC flooding (n/b)
MAC flooding – putting out tons of packets with different MAC addresses in an attempt to overfill the switch’s MAC table. If this happens a switch might simply drop into “hub mode” and start sending traffic down every port.

38 Password Attacks

39 Password Guessing (407)
This is pretty obvious; unfortunately people still use easy-to-guess passwords (e.g. their username, their kids’ names, or birthdates).
Countermeasures:
Have a strong password policy
Use multi-factor authentication
Implement account lockout times
Implement login delays
Protect the password file

40 Dictionary Attacks (408)
An attacker tries to go through common dictionary words and variations on words.
Countermeasures:
Have a strong password policy
Use multi-factor authentication
Implement account lockout times
Implement login delays
Protect the password file

41 Brute Force Attacks (408)
Attacker tries every possible password.
Example – if a password can be 4 characters of 0-9: start with 0000, then 0001, then 0002, etc., all the way to 9999.
Countermeasures:
Have a strong password policy
Use multi-factor authentication
Implement account lockout times
Implement login delays
Protect the password file

42 Hybrid Attack Use any combination of the previous password attacks

43 Birthday Attacks (409)
An attack against hashes, based on the “birthday paradox”, which states that in a group of 23 or more people the chance of two individuals sharing a birthday is greater than 50%. Birthday attacks work because passwords are often stored as hash digests of the password.
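The arithmetic behind the 23-people figure, carried through in Python as an added example (not from the slides), and extended to the digest sizes that matter for hashes: the same formula says roughly how many random inputs are needed before two of them collide in an n-bit hash.

```python
"""Birthday-paradox arithmetic behind birthday attacks on hashes.

collision_probability(n, d) is the exact chance that n values drawn uniformly
from d possibilities contain at least one duplicate:
    P = 1 - prod_{i=0}^{n-1} (d - i) / d
draws_for_half(bits) uses the usual approximation P ~ 1 - exp(-n^2 / 2d) to
estimate how many digests of a given bit length give a 50% collision chance.
"""
import math


def collision_probability(n, d):
    """Exact probability of at least one shared value among n draws from d."""
    if n > d:
        return 1.0                      # pigeonhole: a duplicate is certain
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (d - i) / d
    return 1 - p_all_distinct


def approx_collision_probability(n, d):
    """Standard approximation, usable when d is too large to loop over."""
    return 1 - math.exp(-n * (n - 1) / (2 * d))


def draws_for_half(bits):
    """Number of random digests of `bits` bits needed for a ~50% collision."""
    d = 2 ** bits
    return math.ceil(math.sqrt(2 * d * math.log(2)))


if __name__ == "__main__":
    # The slide's figure: 23 people, 365 birthdays.
    print(f"23 people: {collision_probability(23, 365):.3f}")
    for bits in (16, 32, 64, 128):
        print(f"{bits}-bit digest: ~{draws_for_half(bits):.3g} values for a 50% collision")
```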

44 Rainbow tables

45 In many operating systems the passwords stored are actually simply a hash digest of the password rather than the actual password. Rainbow tables are precomputed hash values for passwords that can be used to help crack passwords.
Countermeasures
Use password “salts”
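Why a salt defeats a precomputed table, shown in Python as an added example (not from the slides): the “rainbow table” here is a tiny constructed dictionary of unsalted SHA-256 digests, and the salted records use PBKDF2 from the standard library, which is the usual way to store a salted digest.

```python
"""Why a per-user salt defeats rainbow tables (constructed example).

An unsalted digest is a pure function of the password, so one precomputed
table answers "which password has this digest?" for every account at once.
With a random salt per account the stored digest depends on the salt too, so
the table would have to be rebuilt for each salt, which is what makes
precomputation uneconomic.
"""
import hashlib
import hmac
import os

# Constructed: a tiny "rainbow table" of digests precomputed from common passwords.
COMMON_PASSWORDS = ["123456", "password", "password123", "letmein", "qwerty"]


def unsalted_digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


PRECOMPUTED = {unsalted_digest(p): p for p in COMMON_PASSWORDS}


def crack_with_table(stored_digest):
    """Simulate a rainbow-table lookup: returns the password or None."""
    return PRECOMPUTED.get(stored_digest)


def salted_record(password, salt=None):
    """Store the salt beside a salted, iterated digest (PBKDF2 from the stdlib)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify_salted(record, password):
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_record(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate["digest"], record["digest"])


if __name__ == "__main__":
    # Two users with the same password: identical unsalted digests, one lookup
    # cracks both; salted digests differ and are not in the table.
    for user in ("alice", "bob"):
        plain = unsalted_digest("password123")
        salted = salted_record("password123")
        print(user, crack_with_table(plain), crack_with_table(salted["digest"]))
```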

46 Software Exploits

47 Buffer Overflow (409)
One of the most common types of attacks, a buffer overflow takes advantage of poor input validation in software. Most servers take input from a client. A buffer overflow tries to send MORE data than is expected in order to overwrite memory and either:
Crash the system
Actually inject commands for the remote server to run (more)

48 Buffer Overflow (409)
Countermeasures – patch your software! Secure programming techniques and input validation (for places that write software; you generally cannot fix the problem as an administrator)

49 Buffer Overflow


59 Chapter 13 - Review
Q. A SYN Flood is what type of attack?
Q. Name one way to protect against sniffing attacks
Q. What is the best protection against buffer overflows?
Q. What are the steps in a 3-way handshake?

60 Chapter 13 - Review
Q. What is a smurf attack?
Q. What is MAC flooding?
Q. What is LOKI, and what is LOKI creating? (hint… a C_ _ _ _ _ C _ _ _ _ _ _)

