Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSIRT Training Material Technical Issues Klaus Möller DFN-CERT May 2001.

Published byCameron Kelly Modified over 9 years ago

Similar presentations

Presentation on theme: "CSIRT Training Material Technical Issues Klaus Möller DFN-CERT May 2001."— Presentation transcript:

1 CSIRT Training Material Technical Issues Klaus Möller DFN-CERT May 2001

2 Agenda  Goals of this module  Decisions and reasons  Programme  Whats been left out  Next steps

3 Goals of the module  Make new members of incident handling teams familiar with:  Technical concepts behind incidents  Incident technical terminology  Goals of intruder activity  Weaknesses exploited

4 Decisions and reasons  1 ½ hour is much too short  Concentrate on most common forms of incidents  This way, new members can become productive  Leave more advanced attacks for later  Programme follows intrusion cycle  Scan  Breakin  Hiding  Abuse  Show full chain  „Canonical“ structure ?

5 Decisions and reasons (cont.)  Prerequisite skills:  Basic UNIX administration  OS Structure: Kernel, (shared) libraries, programmes  Shell and environment variables  Basic TCP/IP administration  Familarity with IP/OSI stack model  Network interface  IP address

6 Programme  Total length ~60 - 70 minutes  How intruders work (~ 5 min)  Information gathering (~ 20 min)  Breaking into a system ( ~ 15 min)  Hiding traces and digging in (~ 10 min)  Abuses of systems (~ 10 min)

7 Programme (cont)  Information gathering  Scans  ICMP Sweeps (Echo, Timestamp, Netmask)  TCP Scans (SYN, ACK, RST, XMAS, NULL)  UDP Scans  Probes  DNS  Version information (banner grabbing, queries)  Distinguishing scans and probes from normal activity  WINS  Load balancers  traceroute

8 Programme (cont)  Breaking in  Buffer overflows  Program stack  When is a buffer vulnerable  Smashing the stack (overwriting return addreses)  Format string bugs  The unknown format chars of printf()  What functions are vulnerable  How it is done  How format bugs help buffer overruns

9 Programme (cont)  Hiding  Cleaning logfiles  Utmp, wtmp, lastlog  Other traces often overlooked by attackers  Shell history  Unsuccessful attacks  Digging in (rootkits)  Trojaned system commands  backdoors

10 Programme (cont)  Abuses (Denial-of-Service)  TCP SYN Flood  UDP Flood  Ping Flood  Smurf  Distinguishing between DoS and Scans  Backscatter

11 Whats been left out  Distributed attacks  Scans, Sniffing  Distributed Denial of Service  Other attack forms  Heap corruption  Return to libc  Kernel Mode rootkits  Warez, SPAM  Lots more

12 Next Steps  Flesh out course material  Slides  Handouts  Test materials  Incorporate critics  Document experiences

Download ppt "CSIRT Training Material Technical Issues Klaus Möller DFN-CERT May 2001."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Lesson 3-Hacker Techniques

Lesson 3-Hacker Techniques
TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.

TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.
Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Review For Exam 2 March 9, 2010 MIS 4600 – MBA © Abdou Illia.
Network Mapping  Identify Live Hosts  Determine running Services TCP Port Scanning UDP Port Scanning Banner Grabbing ARP Discovery  Identify Perimeter.

Network Mapping  Identify Live Hosts  Determine running Services TCP Port Scanning UDP Port Scanning Banner Grabbing ARP Discovery  Identify Perimeter.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
CIS 193A – Lesson13 Attack and Defense. CIS 193A – Lesson13 Focus Question Describe how Nmap, psad, and iptables work together for playing out attack.

CIS 193A – Lesson13 Attack and Defense. CIS 193A – Lesson13 Focus Question Describe how Nmap, psad, and iptables work together for playing out attack.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Network Security of Labnet ******. Introduction Test the network security of the servers on our Labnet domain Find Potential Weaknesses Find Security.

Network Security of Labnet ******. Introduction Test the network security of the servers on our Labnet domain Find Potential Weaknesses Find Security.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN 0-07-212773-2.

Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

Similar presentations

Ads by Google