CIS 450 – Network Security Chapter 17 – Other Types of Attacks

Upload: alyson-fowler

Post on 25-Dec-2015


Page 1: CIS 450 – Network Security Chapter 17 – Other Types of Attacks

CIS 450 – Network Security

Chapter 17 – Other Types of Attacks

Page 2

Bind 8.2 NXT Exploit

Operating System: Any OS running BIND (DNS server software) versions 8.2, 8.2.1, or 8.2.2. OSes that shipped with a vulnerable named include FreeBSD 3.2, NetBSD 1.4.1, OpenBSD 2.6, and RedHat Linux 6.0 and 6.1.

The shell-creating exploit is OS-specific, because properly constructed assembly language for that platform must be written into the overrun, but any version of BIND can be corrupted and crashed by feeding it bogus data.

Protocols/Services Used: The Domain Name Service protocol and daemon

BIND version 8.2 introduced new features for establishing cryptographic security between master and slave nameservers and their resolvers.

Page 3

Bind 8.2 NXT Exploit

One such feature, the NXT ("nonexistence") record, was not subjected to proper bounds checking, and a malformed NXT record response to a query by an affected nameserver could overrun the end of the memory buffer allocated to store the response, either corrupting the running executable or inserting malicious code that executes with the privileges of the owner of the nameserver process.

PROTECTION AGAINST THIS ATTACK: upgrade BIND to version 8.2.2-P5 or higher. In this version the NXT record returned by remote servers is checked against the size of the buffer into which it is to be stored, correcting the bug that allowed the buffer overrun. Because this exploit is made possible by poorly designed code within the nameserver itself, upgrading the software to fix the bug is the only practical protection.
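As an added example (not BIND's code), the following C function shows the shape of the bounds check described above: an NXT RDATA taken from a response is validated label by label and its length is compared against the destination buffer before anything is copied. NXT_BUF_SIZE and the sample records are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Capacity of the fixed buffer an NXT RDATA is stored in (hypothetical demo value). */
#define NXT_BUF_SIZE 64
static uint8_t g_nxt_buf[NXT_BUF_SIZE];

/* Constructed NXT RDATA: next-domain-name "foo." followed by a 4-byte type bitmap. */
static const uint8_t SAMPLE_GOOD[] = { 3, 'f', 'o', 'o', 0, 0x40, 0x00, 0x00, 0x02 };
/* Constructed malformed RDATA: the label claims 5 bytes but only 2 follow. */
static const uint8_t SAMPLE_TRUNCATED[] = { 5, 'a', 'b' };

/* Validate an NXT RDATA (next-domain-name in wire format, then a type bitmap) and copy
 * it into buf. Returns the offset at which the bitmap starts, or -1 if the record is
 * malformed or would not fit. The rdlength-versus-buffer test is the kind of check the
 * slides say 8.2.2-P5 added; without it, the length from the wire drives the copy. */
int store_nxt_rdata(const uint8_t *rdata, size_t rdlength, uint8_t *buf, size_t bufsize)
{
    size_t pos = 0;
    if (rdata == NULL || buf == NULL || rdlength > bufsize)
        return -1;                      /* refuse before a single byte is written */
    /* Walk the name: each label is <len><len bytes>; a zero length ends the name. */
    for (;;) {
        uint8_t len;
        if (pos >= rdlength)
            return -1;                  /* name runs off the end of the RDATA */
        len = rdata[pos];
        if (len == 0) {
            pos++;
            break;
        }
        if (len > 63)
            return -1;                  /* ordinary labels are at most 63 bytes; nothing else accepted */
        if (pos + 1 + len > rdlength)
            return -1;                  /* label claims more bytes than the RDATA holds */
        pos += 1 + len;
    }
    if (pos >= rdlength)
        return -1;                      /* this checker requires at least one bitmap byte */
    memcpy(buf, rdata, rdlength);       /* safe: rdlength <= bufsize was verified above */
    return (int)pos;
}

/* Constructed oversized record: "x." plus a zero bitmap padded to one byte beyond the buffer. */
int demo_oversized(void)
{
    uint8_t big[NXT_BUF_SIZE + 1] = { 1, 'x', 0 };
    return store_nxt_rdata(big, sizeof big, g_nxt_buf, sizeof g_nxt_buf);
}

int main(void)
{
    printf("good=%d truncated=%d oversized=%d\n",
           store_nxt_rdata(SAMPLE_GOOD, sizeof SAMPLE_GOOD, g_nxt_buf, sizeof g_nxt_buf),
           store_nxt_rdata(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, g_nxt_buf, sizeof g_nxt_buf),
           demo_oversized());
    return 0;
}
```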

Page 4

Cookies Exploit

The exploit is a buffer overflow exploit using cookies as the delivery mechanism.

Operating Systems: All operating systems

Protocols / Services: CGI; HTTP State Management Mechanism (RFC 2109)

Brief Description: This is a proof of concept exploit that uses Web cookies as a delivery mechanism for a denial of service attack. With sufficient skill, it may also be possible to use it for a root exploit.

Page 5

Cookies Exploit

CGI Protocol Description

The Common Gateway Interface protocol is a standard that allows a website user to communicate with programs running on the website's servers.

A CGI program is essentially a program that the web server allows anyone in the world to run.

Unlike a static web page, CGI programs allow for the creation of dynamic web pages that respond to a client’s actions.

Page 6

Cookies Exploit

CGI Protocol Weaknesses

CGI programs have several areas of vulnerability. Generally speaking, CGI programs are publicly available data entry points to the server. As such, the client application should never be trusted to behave benignly.

Poorly written programs with buffer overflow vulnerabilities can give hackers a chance to disrupt the website’s operations and possibly a foothold into the website’s network.

Page 7

Cookies Exploit

Cookie Protocol Description

Cookies are a simple text-based mechanism to maintain state between websites and the clients that visit them.

The HTTP protocol that websites rely on is essentially a one-shot message transfer protocol.

When a website wants to provide services or information that requires knowledge of previous communications with a client, it has two choices: maintain the information in a database at its site or store the data from the previous sessions on the client's system. With the number of visitors a site may receive, the processing and storage requirements to keep the data at the website would be prohibitive.

Page 8

Cookies Exploit

How The Exploit Works

It is an attack against poorly written CGI routines of any type that use cookies from the target system as the transport mechanism. The targeted flaw in the CGI routine is any function that does not do sufficient data verification before processing the data.

How to Block

The data used in a buffer overflow attack comes in through ports that have been left open for public access. Regardless of the transport mechanism, cookies or URLs, the data comes through a port that cannot be blocked without losing the functionality provided to legitimate visitors.

Page 9

Cookies Exploit

How To Protect Against The Exploit

Patches Available: As applications are being increasingly reviewed, a vast number of patches are being published to correct the vulnerable routines. The best measure in this respect is to inventory your applications and apply any patches the developer has published.

Procedural Solutions: The best protection against buffer exploit attacks is good programming technique. Whereas you cannot eliminate the pipeline that they flow in, you can eliminate their targets.
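As an added example (not from the slides or any particular CGI package), this C routine shows the kind of data verification the slides call for: it pulls one named cookie out of the HTTP_COOKIE header a CGI program receives, rejecting values that are absent, over-long for the destination buffer, or outside the character set the program issues. SESSION_ID_MAX and the sample headers are constructed for the demo.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest session id this CGI program ever issues (hypothetical limit for the demo). */
#define SESSION_ID_MAX 32

static char g_session[SESSION_ID_MAX];

/* Constructed Cookie header, as the web server passes it to a CGI program in HTTP_COOKIE. */
static const char SAMPLE_COOKIE[] = "lang=en; session=abc123def456; theme=dark";
/* Constructed header whose session value is far longer than any id the program issues. */
static const char SAMPLE_OVERLONG[] =
    "session=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Copy the value of cookie `name` from a Cookie header into out (capacity outsize).
 * Returns the value length, or -1 if the cookie is absent, too long for out, or holds
 * characters the program never issues (anything but [A-Za-z0-9]). The flaw the slides
 * describe is the variant that does strcpy(out, value) with no such checks. */
int get_cookie_value(const char *header, const char *name, char *out, size_t outsize)
{
    size_t nlen = strlen(name);
    const char *p = header;
    if (header == NULL || outsize == 0)
        return -1;
    while (*p != '\0') {
        const char *end;
        while (*p == ' ' || *p == ';')          /* skip separators between pairs */
            p++;
        end = p;
        while (*end != '\0' && *end != ';')     /* this pair ends at ';' or end of header */
            end++;
        if ((size_t)(end - p) > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = (size_t)(end - v);
            if (vlen >= outsize)                /* verify the length before any copy */
                return -1;
            for (size_t i = 0; i < vlen; i++)   /* verify the content as well */
                if (!isalnum((unsigned char)v[i]))
                    return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = end;
    }
    return -1;                                  /* cookie not present */
}

int main(void)
{
    /* Real CGI input comes from the environment; fall back to the constructed sample. */
    const char *hdr = getenv("HTTP_COOKIE") ? getenv("HTTP_COOKIE") : SAMPLE_COOKIE;
    int n = get_cookie_value(hdr, "session", g_session, sizeof g_session);
    printf("session: %s (%d)\n", n < 0 ? "rejected" : g_session, n);
    return 0;
}
```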

Page 10

SNMP Community Strings Used for Reconnaissance

Name: Simple Network Management Protocol, SNMP, community strings set to "public" and "private"

Operating System: All system and network devices running SNMP agents

Protocols/Services: Simple Network Management Protocol that communicates using UDP port 161

Page 11

SNMP Community Strings

Brief Description

SNMP is a commonly used service that provides network management and monitoring capabilities. SNMP offers the capability to poll networked devices and monitor data such as utilization and errors for various systems on the host. SNMP is also capable of changing the configuration of the host, allowing remote management of the network device. The protocol uses a community string for authentication from the SNMP client to the SNMP agent on the managed device. The default community string that provides the monitoring or read capability is often "public". The default management or write community string is often "private". The SNMP exploit takes advantage of these default community strings: an attacker can gain information about a device using the read community string "public" and change a system's configuration using the write community string "private". The opportunity for this exploit is increased because the SNMP agent is often installed on a system by default without the administrator's knowledge.

Page 12

SNMP Community Strings

How the exploit works

This default installation of SNMP provides an attacker with the means to perform reconnaissance on a system and an exploit that can be used to create a denial of service. SNMP MIBs (Management Information Base) provide information such as the system name, location, contacts, and sometimes even phone numbers. This soft intelligence can be very useful in social engineering. An attacker could call an organization and use the system contact and system name to gain a password from an unsuspecting user. The telephone number for the system contact could be used to provide a dialing prefix that the attacker could use for war dialing.

SNMP information also provides a great deal of hard intelligence about the system. One MIB provides the system description, which reveals the operating system that the host is using. This can be matched against known exploits that would allow the attacker to gain further access into the SNMP host. SNMP data also provides interface descriptions, types, and other interface configuration information. This interface information can be gathered from more than one system to allow an attacker to piece together a network map of an organization showing how systems are interconnected. Some MIBs are writeable, allowing the attacker to change the system configuration and create a denial of service opportunity. One such MIB is "ifAdminStatus". "ifAdminStatus" is set to "1" when the interface is operational and to "2" when it is down. An attacker could set "ifAdminStatus" to "2" using the SNMP set PDU, which could disconnect the host from the network, creating a denial of service.

Page 13

SNMP Community Strings

How to protect against it?

The principle of least privilege is the best method to avoid the SNMP exploit. SNMP should not be enabled on devices that do not require it. It is more secure to push the information from the managed devices using SNMP traps than to poll the devices' SNMP agents. SNMP community write strings can be disabled if the network management platform only polls devices and does not change the remote devices' configuration.

If SNMP is needed, the community strings should be set at their maximum length and include a combination of letters, numbers, and special characters to avoid a brute-force attack. All network devices should be scanned using an SNMP vulnerability scanner to ensure that they do not use the default community strings.

SNMP access should also be limited to only the devices that require SNMP for monitoring. This can be accomplished by allowing only authorized clients to access UDP port 161. All access to UDP port 161 should be denied from external networks.
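A defender-side illustration of the two points above (default community strings, and configuration writes via the set PDU), added here and not part of the slides: a small inspector for SNMPv1/v2c datagrams captured on UDP port 161 that extracts the community string and flags default strings and SetRequest PDUs. The sample datagrams are constructed for the demo, and SNMP_DEFAULT_COMMUNITY / SNMP_SET_REQUEST are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SNMP_DEFAULT_COMMUNITY 0x1  /* community string is "public" or "private" */
#define SNMP_SET_REQUEST       0x2  /* PDU is a SetRequest, i.e. a configuration write */
static char g_community[64];

/* Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) with community "public":
 * SEQUENCE { INTEGER 0, OCTET STRING "public", GetRequest-PDU { id, status, index, varbinds } } */
static const uint8_t SAMPLE_GET_PUBLIC[] = {
    0x30, 0x29, 0x02, 0x01, 0x00, 0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c',
    0xA0, 0x1C, 0x02, 0x04, 0x00, 0x00, 0x00, 0x01, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00,
    0x30, 0x0E, 0x30, 0x0C, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x05, 0x00
};
/* Constructed SetRequest header with community "private"; the PDU body is left empty
 * because this inspector only looks at the PDU tag (0xA3). */
static const uint8_t SAMPLE_SET_PRIVATE[] = {
    0x30, 0x0E, 0x02, 0x01, 0x00, 0x04, 0x07, 'p', 'r', 'i', 'v', 'a', 't', 'e', 0xA3, 0x00
};

/* Read a short-form BER tag/length at *pos and advance past it; long-form lengths and elements that overrun the datagram are rejected. */
static int ber_header(const uint8_t *pkt, size_t len, size_t *pos, uint8_t tag, size_t *elen)
{
    if (*pos + 2 > len || pkt[*pos] != tag || pkt[*pos + 1] >= 0x80)
        return -1;
    *elen = pkt[*pos + 1];
    *pos += 2;
    return (*pos + *elen > len) ? -1 : 0;
}

/* Inspect one SNMPv1/v2c datagram: copy out the community string and return flag bits a monitor should alert on, or -1 if malformed. */
int inspect_snmp(const uint8_t *pkt, size_t len, char *community, size_t csize)
{
    size_t pos = 0, elen;
    int flags = 0;
    if (ber_header(pkt, len, &pos, 0x30, &elen) < 0)                  /* Message SEQUENCE */
        return -1;
    if (ber_header(pkt, len, &pos, 0x02, &elen) < 0 || elen != 1 || pkt[pos] > 1)
        return -1;                                                    /* version: 0=v1, 1=v2c */
    pos += elen;
    if (ber_header(pkt, len, &pos, 0x04, &elen) < 0 || elen >= csize) /* community string */
        return -1;
    memcpy(community, pkt + pos, elen);
    community[elen] = '\0';
    pos += elen;
    if (pos >= len)                                                   /* a PDU tag must follow */
        return -1;
    if (strcmp(community, "public") == 0 || strcmp(community, "private") == 0)
        flags |= SNMP_DEFAULT_COMMUNITY;
    if (pkt[pos] == 0xA3)
        flags |= SNMP_SET_REQUEST;
    return flags;
}

int main(void)
{
    int f = inspect_snmp(SAMPLE_SET_PRIVATE, sizeof SAMPLE_SET_PRIVATE, g_community, sizeof g_community);
    printf("community=%s flags=0x%x\n", g_community, f);
    return 0;
}
```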

Page 14

Sniffing and Dsniff

Sniffer programs

Sniffers are a class of program that listen to and present network traffic in a recognizable form. Commercial ones like Microsoft's Network Monitor as well as public domain tools like Etherman and Curry Sniffer serve the same purpose. They can be used by network administrators for maintenance, network troubleshooting, traffic analysis, and other functions. A sniffer's main operational characteristic is its passivity or non-intrusiveness. Users don't know it's there capturing data, unlike an active network discovery tool that uses ICMP.

Page 15

Sniffing and Dsniff

Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

Page 16

Sniffing and Dsniff

Each of the tools included in the dsniff distribution has some unique function but falls into a functionality group. In general, the tools dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy are used to passively monitor a vulnerable shared network (such as a LAN where the sniffer sits behind any exterior firewall), looking for content of interest to the attacker. These modules could, for example, be used to try to obtain a password that has been sent in the clear or is weakly encrypted. The tools can auto-detect various messaging protocols (about 30 are included) when dsniff is launched with the "-m" option.

Page 17

Sniffing and Dsniff

Signature of the Attack

- Since it is a passive attack, it leaves few signs of its existence
- Common targets are hosts and gateways that sit between two different network segments
- Places the host machine's NIC in promiscuous mode, which will show up on sniffer detectors
- Consumes a large amount of disk space

Protection

- No sure way to protect against sniffing and ARP spoofing
- Use tools that search for sniffers and NICs in promiscuous mode
- Use static ARP mappings
- Use encryption
- Change from telnet to alternate programs such as SSH

Page 18

PGP ADK Exploit

PGP Home Page

Versions: PGP 5.5.x through PGP 6.5.3

Brief Description: Unauthorized administrative keys can be inserted into an unsuspecting certificate.

When the compromised certificate is imported by a user, subsequent encrypted files will be exposed to decryption by the holder of the unauthorized ADK (Additional Decryption Key) private key.

Signature of the attack: There are two methods that can be used to detect this attack:

Using GnuPG, the signature of the attack can be discerned from the results of the scan.

Using a utility released by PGP, a more obvious indication of the attack is presented. Both of these detection schemes are listed below.

How to protect against – Upgrade to later version

Page 19

Cisco IOS Type 7 Password Vulnerability

What is Cisco IOS (Internetworking Operating System)?

IOS can be thought of as Cisco's router operating system. Every Cisco router has a configuration file that instructs the router how it should interact with networks that are directly connected.

This interaction will typically include the routing of packets and the exchange of routing information with other layer 3 devices.

Page 20

Cisco IOS Type 7 Password Vulnerability

Cisco IOS type 7 passwords

The command that is issued to encrypt user passwords is "service password-encryption", and this command should be entered from the Cisco router configuration mode prompt. If the "service password-encryption" command is issued, then all type 0 (zero) passwords become encrypted.

How the exploit works

This exploit works in a manner similar to the way L0phtCrack decrypts Windows NT passwords. Rather than trying to obtain a copy of a Windows NT SAM file, an attacker tries to obtain a copy of the encrypted type 7 password from a Cisco router, usually by obtaining the Cisco IOS configuration file.

Page 21

Cisco IOS Type 7 Password Vulnerability

Signature of the attack

If an attacker is using a program such as os7decrypt.pl or GetPass! v1.1 to decrypt your passwords, then it is already too late. The key is to ensure that the Cisco IOS configuration files are secured in such a manner that an attacker cannot obtain any encrypted Cisco IOS type 7 passwords.

How to protect against it?

There is no way to protect Cisco IOS type 7 passwords from being easily decrypted, due to the nature of the weak reversible algorithm that is implemented.

"Cisco has no immediate plans to support a stronger encryption algorithm for Cisco IOS user passwords. If Cisco should decide to introduce such a feature in the future, that feature will definitely impose an additional ongoing administrative burden on users who choose to take advantage of it".1

Page 22

Man-in-the-Middle Attack Against the Initiator of Otway-Rees Key Exchange Protocol

Operating System: All operating systems with which the Otway-Rees Key Exchange Protocol specification may be implemented, because it concerns a specification flaw in the key exchange protocol.

Brief Description: This vulnerability allows a hacker to find the session key distributed by a key exchange protocol. This is a man-in-the-middle type of attack. He can exploit this vulnerability without launching a brute-force attack on encrypted messages or breaking into any computer. The hacker simply manipulates protocol messages and uses an impersonation tool such as Hunt.

Page 23

Man-in-the-Middle Attack Against the Initiator of Otway-Rees Key Exchange Protocol

The Otway-Rees Protocol makes it possible to distribute a session key created by the trusted server S to two principals A and B. This key will encrypt the information transmitted between these two principals. Sharing this key and the cryptographic algorithms creates a VPN-type communication tunnel between the two principals.

Also, this protocol authenticates the principals to ensure the integrity of messages and that the key has been correctly distributed to the correct principals. This prevents the key from falling into the wrong hands, such as those of a hacker who is hijacking a session or conducting a man-in-the-middle attack.

Page 24

Man-in-the-Middle Attack Against the Initiator of Otway-Rees Key Exchange Protocol

How to use it

No software exists to carry out this type of attack and exploit this type of vulnerability in this protocol or other security protocols. With respect to attacks, it is easy for a knowledgeable hacker who controls the router through which information between A and B is transmitted to control the information using a filter and thereby retrieve the session key.

There might be no software to carry out this type of attack, but there is a tool, designed at Laval University in Québec City, that was developed to perform automatic verification of security protocols. We only have to provide this tool with a protocol specification similar to the format of the Otway-Rees Protocol specification.

Page 25

Man-in-the-Middle Attack Against the Initiator of Otway-Rees Key Exchange Protocol

Prevention

The signature of this attack is relatively easy for a configurable intrusion detection system to identify.

Page 26

HTTPTunnel Exploit

httptunnel creates a bidirectional virtual data connection tunnelled in HTTP requests. The HTTP requests can be sent via an HTTP proxy if so desired.

This can be useful for users behind restrictive firewalls. If WWW access is allowed through a HTTP proxy, it's possible to use httptunnel and telnet or PPP to connect to a computer outside the firewall.

Page 27

HTTPTunnel Exploit

What is HTTP Tunneling?

Due to the ubiquitous nature of web servers, they represent an excellent high data value (HDV) target for attackers. In addition, given that they are probably behind a firewall, they represent a single but important step into the target network. This is where HTTP tunneling comes in. As security awareness has increased, companies have added additional security systems between the web server and the Internet as well as on the web server itself. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are used to identify and alert administrators when an attack is detected against a system or a network. However, even these have their limitations, and HTTP tunneling can be used to circumvent them.

Page 28

HTTPTunnel Exploit

What is HTTP Tunneling?

HTTP Tunneling works by utilizing a client to encapsulate traffic within HTTP headers. The traffic is then directed to a server at the other end of the communication channel that takes the packets, strips the HTTP encapsulation headers, and redirects the packet to its final destination. Both UDP and TCP traffic can be accommodated and encapsulated. This is due to the nature of the tunnel, which, like an IPSec tunnel, sees the packets as the data payload only.