Security+ All-In-One Edition
Chapter 13 – Specific Attacks
Brian E. Brzezicki
TRANSCRIPT
Attacks
Attacks Overview (391)
There are generally two reasons someone is attacked:
• You are specifically targeted
– Company with money
– Company with secrets
– Revenge
– "Hacktivist"
– Hard to stop
• You are a target of opportunity
– Low-hanging fruit
– Script kiddies
– Most common; make yourself a less easy target
Steps in an Attack (392)
Any good hacker will take a few common steps to attack a site; these can generally be ordered 1-4:
1. Reconnaissance – learn about the company in general
2. Scanning – scan the network and learn about the network
– Ping sweeps
– Port scans
– Banner grabs
– OS fingerprinting
Steps in an Attack (392)
3. Research vulnerabilities – now that we know what software is running, and hopefully which version, figure out which attacks it might be vulnerable to
– Nessus is a good tool
– Security mailing lists (Bugtraq) and web sites
4. Perform the attack
Minimizing Attacks (394)
Often you are going to be attacked by "script kiddies"; the easiest way to protect against them is simply to make their job hard and they will move on somewhere else.
• Make sure the OS and applications are up to date with patches
• Turn off and remove unnecessary services and software
• Run a host-based firewall
• Don't display version information in service banners
• Don't provide any information about your network/systems publicly
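The scanning step (port scan plus banner grab) and the "don't display information in service banners" countermeasure above, as an added example that is not from the slides or the book: a TCP connect scan with banner grabbing is run against two fake services that the script itself starts on 127.0.0.1. The banners, host names and the version-leak regex are constructed for the example; no real host is contacted.

```python
import re
import socket
import socketserver
import threading

# Constructed banners for two fake services (no real host is contacted).
VERBOSE_BANNER = b"220 mail.example.test ESMTP Sendmail 8.14.4/8.14.4; ready\r\n"
MINIMAL_BANNER = b"220 ready\r\n"


class BannerHandler(socketserver.BaseRequestHandler):
    """Send the service banner on connect and hang up, like a chatty daemon."""

    def handle(self):
        self.request.sendall(self.server.banner)


def start_fake_service(banner):
    """Start a banner-only TCP service on 127.0.0.1; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), BannerHandler)
    server.banner = banner
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def find_closed_port():
    """Bind an ephemeral port, release it, and return it as a port nothing listens on."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def grab_banner(host, port, timeout=1.0):
    """TCP connect probe plus banner grab.

    Returns the banner text for an open port ("" if the service stays silent)
    and None for a closed or filtered port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""                 # open, but nothing volunteered
            return data.decode("ascii", "replace").strip()
    except OSError:                        # refused, unreachable or timed out
        return None


def scan(host, ports):
    """Return {port: banner} for every port that accepted a connection."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            results[port] = banner
    return results


# Product name followed by a dotted version number, e.g. "Sendmail 8.14.4"
# or "OpenSSH_7.4": exactly what step 3 (vulnerability research) needs.
VERSION_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*[ /_]\d+(\.\d+)+")


def leaks_version(banner):
    """True when a banner hands the attacker a product and version string."""
    return VERSION_RE.search(banner) is not None


if __name__ == "__main__":
    verbose, p1 = start_fake_service(VERBOSE_BANNER)
    minimal, p2 = start_fake_service(MINIMAL_BANNER)
    for port, banner in scan("127.0.0.1", [p1, p2, find_closed_port()]).items():
        flag = "LEAKS VERSION" if leaks_version(banner) else "ok"
        print(f"{port}/tcp open  {banner!r}  [{flag}]")
    verbose.shutdown(); verbose.server_close()
    minimal.shutdown(); minimal.server_close()
```

The verbose banner tells the attacker exactly which product and version to research in step 3; the minimal banner still confirms the port is open (that cannot be hidden from a connect scan) but gives nothing to look up.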
Terms (398)
Trapdoor – a method, usually put into an OS or application by its developers, that allows them to bypass security controls for the purpose of debugging or troubleshooting.
Backdoor – a program installed on a compromised computer to allow hackers to access the machine
• Example: Back Orifice, NetBus
Terms (413)
Rootkit – a program installed on a compromised system to hide a hacker's tracks and help them maintain continued access to the machine
DoS
DoS (394)
What is a DoS? (Denial of Service)
Which part of the CIA triad does it attempt to affect? (Availability)
How does it work?
• Buffer overflows
• Protocol violations
• Brute force (flooding)
DoS Attacks
Some famous DoS attacks
• Ping of Death
– Oversized ping packet
– Countermeasure – patch the OS
• Teardrop
– Specially crafted overlapping IP fragments
• SYN Flood (later)
• Smurf (later)
Smurf Attack
How would a smurf attack someone?
1. Find a site to attack, say www.ebay.com
2. Forge a ping (ICMP echo request) packet from www.ebay.com to a BROADCAST network address
3. Watch as the computers on the network all start pinging back www.ebay.com
Countermeasures
• Drop forged packets at routers
• Drop directed broadcasts
SYN Flood (395)
Attack
– Forge TCP SYN packets with the source address of a downed (unreachable) system
– Server responds with a SYN-ACK to the fake address, which never responds
– Use up all the "listen queue" (half-open connection) slots
– Stops real new connections from establishing
Countermeasures
• Stop forged packets at ingress/egress routers
• Patch the OS
• Decrease 3-way handshake timeout values
• Increase the 3-way handshake maximum connections
• Use a firewall as a middleman
• On Windows, use regedt32 to set (the key lives under Tcpip\Parameters; registry names are not case sensitive)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect = 1 AND
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions >= 2
By the way, the info is at http://technet.microsoft.com/en-us/library/cc938202.aspx
DDoS (397)
Distributed Denial of Service – a brute-force method that generally uses "zombies" and "botnets" to simply overwhelm a server.
May consist of a hierarchy of attacker, masters and slaves.
It's like Bruce Lee: he might be able to defeat 10 people at a time, but it's only a matter of numbers before even he is overwhelmed. Could he defeat 10,000 attackers at once?
How are zombies and botnets usually created?
Null Session (398)
In early versions of Windows, unauthenticated users could "browse" the network to see what resources existed on it. This browsing made use of "null sessions": anonymous SMB connections (to the IPC$ share) made with an empty username and password, effectively an open guest account.
Hackers can use null sessions and browsing to enumerate users, shares and policies, so null sessions should be disabled.
To fight null sessions on Windows:
HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous = 1
See http://support.microsoft.com/?kbid=246261
Sniffing
Sniffing (399)
Many network communications are sent in "clear text". Someone gaining access to the physical network that they travel on can conduct a sniffing attack.
Problems
• Sniff passwords
• See confidential information
Countermeasures
• Use encrypted applications (SSL/TLS)
• Use encrypted network communications (VPNs)
• Use switches to limit sniffing (a switch only sends each frame out the destination's port; ARP poisoning and MAC flooding, covered later, are how attackers get around this)
• Restrict physical access to networks
• Use 802.1X to require authorization before allowing network use
Spoofing
Spoofing (401)
Making data look like it came from somewhere that it didn't (forging)
Spoofing Countermeasures
• Have Internet/perimeter routers drop incoming packets claiming to be from your internal network (ingress filtering)
• Have Internet/perimeter routers drop outgoing packets claiming to be from the Internet, i.e. spoofed by an inside node (egress filtering)
ARP Spoofing or Poisoning (n/b)
• ARP poisoning is an attack against a local network where one computer sends fake ARP replies in an attempt to trick another computer on the same network into sending its traffic to the attacker's MAC address instead of the real machine's. This can be used as a man-in-the-middle attack or a straight "hijacking" attack.
• Arpwatch and XArp are tools that monitor ARP traffic and help detect ARP poisoning by alerting when an IP address suddenly maps to a different MAC address.
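A minimal version of what Arpwatch does, as an added example that is not part of the slides and not Arpwatch's own code: it parses raw Ethernet/ARP frames and alerts when an IP address changes MAC ("flip flop") or when a reply's Ethernet source does not match the ARP sender hardware address. The frames, MAC addresses and IP addresses below are constructed for the example (192.0.2.0/24 is a documentation range).

```python
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying an ARP reply (what a poisoner sends)."""
    eth = ETH_HDR.pack(mac(target_mac), mac(eth_src), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac(sender_mac), socket.inet_aton(sender_ip),
                       mac(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_frame(frame):
    """Return the ARP reply fields of a frame, or None if it is not an ARP reply."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if op != ARP_REPLY:
        return None
    return {"eth_src": fmt_mac(eth_src), "sender_mac": fmt_mac(sha),
            "sender_ip": socket.inet_ntoa(spa)}


def watch(frames):
    """Arpwatch-style monitor: learn IP->MAC and flag suspicious changes."""
    table, alerts = {}, []
    for n, frame in enumerate(frames):
        reply = parse_frame(frame)
        if reply is None:
            continue
        ip, new_mac = reply["sender_ip"], reply["sender_mac"]
        if reply["eth_src"] != new_mac:
            alerts.append(f"frame {n}: ARP sender {new_mac} but Ethernet source {reply['eth_src']}")
        old_mac = table.get(ip)
        if old_mac is not None and old_mac != new_mac:
            alerts.append(f"frame {n}: {ip} changed from {old_mac} to {new_mac} (flip flop)")
        table[ip] = new_mac
    return table, alerts


# Constructed trace: the real gateway answers twice, then an attacker
# claims the gateway's IP with its own MAC to poison the victim's cache.
GATEWAY_MAC = "02:00:00:00:00:01"
ATTACKER_MAC = "02:00:00:00:00:99"
VICTIM_MAC = "02:00:00:00:00:10"
TRACE = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_MAC, "192.0.2.1", VICTIM_MAC, "192.0.2.10"),
    build_arp_reply(GATEWAY_MAC, GATEWAY_MAC, "192.0.2.1", VICTIM_MAC, "192.0.2.10"),
    build_arp_reply(ATTACKER_MAC, ATTACKER_MAC, "192.0.2.1", VICTIM_MAC, "192.0.2.10"),
]

if __name__ == "__main__":
    table, alerts = watch(TRACE)
    print(table)
    for alert in alerts:
        print("ALERT", alert)
```

The victim's cache ends up pointing the gateway's IP at the attacker's MAC, which is exactly what the monitor reports; in practice the monitor would read frames from a promiscuous interface rather than from a list.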
Spoofing Email
SMTP (email) has no authentication built into the protocol; the server takes whatever MAIL FROM and From: header it is given, so spoofing is trivial.
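The quick example from the slide, as an added demonstration that is not part of the original: a minimal fake SMTP server is started on 127.0.0.1 and a client runs the SMTP dialog with both the envelope sender (MAIL FROM) and the From: header forged. The server, host names and addresses are constructed; nothing is sent to a real mail system.

```python
import socket
import socketserver
import threading


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Speaks just enough SMTP to show that nothing in the dialog proves who sent it."""

    def handle(self):
        envelope = {"mail_from": None, "rcpt_to": [], "data": b""}
        self.wfile.write(b"220 mail.example.test ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                break
            verb = line.split(b" ", 1)[0].split(b":", 1)[0].strip().upper()
            if verb in (b"HELO", b"EHLO"):
                self.wfile.write(b"250 mail.example.test\r\n")
            elif verb == b"MAIL":                      # MAIL FROM:<...> is taken on faith
                envelope["mail_from"] = line.split(b":", 1)[1].strip()
                self.wfile.write(b"250 OK\r\n")
            elif verb == b"RCPT":
                envelope["rcpt_to"].append(line.split(b":", 1)[1].strip())
                self.wfile.write(b"250 OK\r\n")
            elif verb == b"DATA":
                self.wfile.write(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                body = b""
                while True:
                    chunk = self.rfile.readline()
                    if chunk in (b".\r\n", b".\n", b""):
                        break
                    body += chunk
                envelope["data"] = body
                self.wfile.write(b"250 OK queued\r\n")
            elif verb == b"QUIT":
                self.server.received.append(envelope)  # record before replying
                self.wfile.write(b"221 Bye\r\n")
                break
            else:
                self.wfile.write(b"500 Unrecognised command\r\n")


def start_fake_smtp():
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSMTPHandler)
    server.received = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def send_spoofed_mail(port, envelope_from, header_from, rcpt):
    """Run the SMTP dialog with forged sender identities; return the transcript."""
    transcript = []
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        reader = sock.makefile("rb")

        def expect():
            reply = reader.readline().decode().rstrip()
            transcript.append("S: " + reply)
            return reply

        def say(text):
            transcript.append("C: " + text)
            sock.sendall(text.encode() + b"\r\n")
            return expect()

        expect()                                   # 220 greeting
        say("HELO attacker.test")                  # any name is accepted
        say(f"MAIL FROM:<{envelope_from}>")        # forged envelope sender
        say(f"RCPT TO:<{rcpt}>")
        say("DATA")
        say(f"From: {header_from}\r\nTo: {rcpt}\r\nSubject: Urgent wire transfer\r\n\r\n"
            f"Please wire the funds today.\r\n.")   # forged From: header, then end of data
        say("QUIT")
    return transcript


if __name__ == "__main__":
    server, port = start_fake_smtp()
    for line in send_spoofed_mail(port, "ceo@victim.test", "CEO <ceo@victim.test>", "cfo@victim.test"):
        print(line)
    print("server accepted envelope sender:", server.received[0]["mail_from"])
    server.shutdown(); server.server_close()
```

Every step of the dialog is answered with 250 and the message is "queued" with the forged identity; the only defences are outside the base protocol (SMTP AUTH for submission, and SPF/DKIM/DMARC checks on the receiving side).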
IP Address Spoofing (401)
IP also has no built-in authentication (IPsec does, but not normal IP), so forging the source address of IP packets is trivial. Some systems use IP addresses as "access controls", so you can bypass firewalls and access controls by spoofing packets (especially UDP, which needs no handshake).
Countermeasures
• Set routers to drop forged packets (ingress/egress filtering: drop packets whose source address could not legitimately arrive on that interface)
• Use IPsec
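The "how?" from the slide above, and the router countermeasures on the Spoofing and Smurf slides, as one added example that is not part of the original: a perimeter filter that drops inbound packets claiming an internal source, outbound packets with a source that is not ours, inbound packets from addresses that should never arrive from the Internet, and inbound packets aimed at one of our subnets' broadcast addresses (the smurf amplifier case). The internal networks, bogon list and sample packets are constructed for the example using documentation address ranges.

```python
import ipaddress

# Assumed (constructed) internal address space behind the perimeter router.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]

# Sources that can never legitimately arrive from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def is_bogon(addr):
    return any(addr in net for net in BOGONS)


def is_directed_broadcast(addr):
    """True for the broadcast address of one of our subnets (a smurf amplifier target)."""
    return any(addr == net.broadcast_address for net in INTERNAL_NETS)


def filter_packet(direction, src, dst):
    """Perimeter anti-spoofing rule.

    direction is "in" (Internet -> us) or "out" (us -> Internet).
    Returns ("drop", reason) or ("permit", "").
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if is_internal(src):
            return "drop", "ingress: source claims to be internal"
        if is_bogon(src):
            return "drop", "ingress: source is a private/loopback address (bogon)"
        if is_directed_broadcast(dst):
            return "drop", "ingress: directed broadcast (smurf amplification)"
    elif direction == "out":
        if not is_internal(src):
            return "drop", "egress: source is not ours (spoofed by an inside node)"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return "permit", ""


# Constructed traffic sample: (direction, source, destination)
SAMPLE = [
    ("in",  "203.0.113.5",  "192.0.2.20"),     # ordinary inbound packet
    ("in",  "192.0.2.10",   "192.0.2.20"),     # outsider pretending to be inside
    ("in",  "203.0.113.5",  "192.0.2.255"),    # smurf: forged victim -> our broadcast
    ("in",  "10.1.1.1",     "192.0.2.20"),     # private source from the Internet
    ("out", "192.0.2.20",   "203.0.113.9"),    # ordinary outbound packet
    ("out", "203.0.113.5",  "203.0.113.9"),    # inside host spoofing an Internet address
]


def apply_policy(packets):
    """Run the rule over a packet list; returns [(direction, src, dst, verdict, reason)]."""
    return [(d, s, t, *filter_packet(d, s, t)) for d, s, t in packets]


if __name__ == "__main__":
    for direction, src, dst, verdict, reason in apply_policy(SAMPLE):
        print(f"{direction:3} {src:>14} -> {dst:<14} {verdict:6} {reason}")
```

On a real router the same policy is expressed as interface ACLs or unicast reverse-path forwarding; the point the code makes is that each rule is decided purely from which interface the packet arrived on and whether its addresses make sense for that interface.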
Man in the Middle Attack (403)
DNS Poisoning (n/b)
Faking DNS responses in order to trick a computer into going to your site rather than the real site.
Example: if I can "poison" your DNS cache and redirect www.bankofamerica.com to my IP address, I could put up a fake site and steal your banking information (or set up a man-in-the-middle attack).
Replay Attack (404)
Replay attack – the attacker captures a portion of the communications between two parties and retransmits it at a later time.
Example: an attacker might replay a series of commands in a financial transaction to cause the transaction to be carried out multiple times.
Countermeasures
• Encryption
• Authentication
• Session lifetimes (timestamps)
• Unique transaction keys (nonces)
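The financial-transaction example and the last two countermeasures, as an added example that is not part of the slides: a signed transfer request is accepted by a server that only checks authentication, and rejected by one that also enforces a session lifetime (timestamp window) and a unique transaction key (nonce). The shared key, account and amounts are constructed; the message format and the Verifier classes are this example's own.

```python
import hashlib
import hmac
import secrets

# Assumed shared secret between client and bank; constructed for the example.
KEY = b"constructed-shared-secret"


def make_transfer(key, account, amount, now, nonce=None):
    """Client side: sign the transaction together with a timestamp and a unique nonce."""
    nonce = nonce or secrets.token_hex(8)
    body = f"{account}|{amount}|{now}|{nonce}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def _mac_ok(key, msg):
    body, _, tag = msg.rpartition("|")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected), body


class NaiveServer:
    """Authenticates the message but remembers nothing: every replay is accepted."""

    def __init__(self, key):
        self.key = key

    def check(self, msg, now):
        ok, _ = _mac_ok(self.key, msg)
        return "accept" if ok else "reject: bad MAC"


class ReplaySafeServer:
    """Adds a freshness window (session lifetime) and a seen-nonce set (unique key)."""

    def __init__(self, key, window=30):
        self.key, self.window, self.seen = key, window, {}

    def check(self, msg, now):
        ok, body = _mac_ok(self.key, msg)
        if not ok:
            return "reject: bad MAC"          # tampered or forged
        _account, _amount, ts, nonce = body.split("|")
        if abs(now - int(ts)) > self.window:
            return "reject: stale"            # outside the session lifetime
        # Forget nonces that are now too old to pass the freshness check anyway,
        # so the seen set stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return "reject: replay"           # same transaction key seen before
        self.seen[nonce] = int(ts)
        return "accept"


if __name__ == "__main__":
    msg = make_transfer(KEY, "acct-42", "100.00", now=1000)
    naive, safe = NaiveServer(KEY), ReplaySafeServer(KEY)
    for t in (1001, 1002, 2000):              # original, immediate replay, late replay
        print(t, "naive:", naive.check(msg, t), " safe:", safe.check(msg, t))
```

Encryption alone would not help here either: a ciphertext can be replayed just as easily as plaintext, which is why the timestamp and nonce have to be inside the authenticated data.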
TCP/IP Hijacking
TCP/IP or session hijacking – taking over an existing session between a client and a server. The attacker actually "steals" the connection after the client has already logged in, and so has bypassed any authentication mechanisms.
"hunt" on Linux can be used for TCP hijacking.
Countermeasures
• Secure networks physically
• Use IPsec
Covert Channels (n/b)
Covert channels are a way for people to communicate in ways the system never expected (as such, nothing is monitoring, protecting or restricting these communications).
Covert channels are usually discussed as a way to secretly pass information from people with a high clearance to people with a low clearance. However, they can also be used by hackers to secretly communicate through network protection.
One example is LOKI.
LOKI (n/b)
LOKI tunnels data inside the payload of ICMP echo (ping) packets. Pings are allowed through many firewalls and their payloads are rarely inspected, so the traffic easily goes through undetected.
MAC Flooding (n/b)
MAC flooding – sending a large number of frames with different (random) source MAC addresses in an attempt to overfill the switch's MAC (CAM) table. If this happens, a switch may simply drop into "hub mode" and start sending traffic out every port, so the attacker can sniff it.
Password Attacks
Password Guessing (407)
This is pretty obvious; unfortunately people still use easy-to-guess passwords (e.g. their username, their kids' names or birthdates).
Countermeasures:
• Have a strong password policy
• Use multi-factor authentication
• Implement account lockout
• Implement login delays
• Protect the password file
Dictionary Attacks (408)
An attacker tries to go through common dictionary words and variations on those words.
Countermeasures: the same as for password guessing (strong password policy, multi-factor authentication, account lockout, login delays, protect the password file)
Brute Force Attacks (408)
The attacker tries every possible password.
Example – if a password can be 4 characters of 0-9, start with 0000, then 0001, then 0002, etc., all the way to 9999.
Countermeasures: the same as for password guessing (strong password policy, multi-factor authentication, account lockout, login delays, protect the password file)
Hybrid Attack
Use any combination of the previous password attacks (e.g. dictionary words with digits appended, then brute force the rest).
Birthday Attacks (409)
An attack against hashes, based on the "birthday paradox", which says that in a group of 23 or more people the chance that two of them share a birthday is greater than 50%.
The same math means that finding any two inputs with the same hash (a collision) takes far fewer tries than finding an input that matches one particular hash. Birthday attacks matter for passwords because passwords are often stored as hash digests of the password rather than the password itself.
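The birthday bound behind the slide, as an added derivation that is not part of the original. With $n$ values drawn uniformly from $N$ possibilities,

$$P(\text{no collision}) = \prod_{k=0}^{n-1}\left(1 - \frac{k}{N}\right) \approx e^{-n(n-1)/(2N)},$$

so for birthdays ($N = 365$, $n = 23$) the exact product is about $0.493$ and $P(\text{collision}) \approx 0.507$, the "greater than 50%" on the slide. Setting the approximation equal to $1/2$ gives

$$n \approx \sqrt{2N\ln 2} \approx 1.18\sqrt{N}.$$

For a $b$-bit hash $N = 2^{b}$, so a collision is expected after roughly $2^{b/2}$ hash computations (about $2^{64}$ for a 128-bit digest such as MD5), while matching one given digest (a preimage, which is what cracking a single stored password hash requires) still costs on the order of $2^{b}$ in the worst case.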
Rainbow tables
Rainbow Tables
In many operating systems the stored passwords are actually just hash digests of the password rather than the password itself.
Rainbow tables are pre-computed hash values for large numbers of candidate passwords (stored compactly as hash chains) that can be used to crack those digests by lookup instead of by hashing each guess.
Countermeasures
• Use password "salts" – a random value stored with, and hashed together with, each password, so that a table pre-computed without the salt is useless
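Dictionary, brute force, pre-computed table and salted-hash cracking from the password slides above, in one added example that is not part of the original. It uses plain MD5 so that the demonstration is fast; a real rainbow table compresses the plain lookup table shown here into hash chains. The word list, mangling rules and sample passwords are constructed.

```python
import hashlib
import itertools
import os

WORDLIST = ["password", "letmein", "summer", "dragon"]   # constructed, tiny


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def store_unsalted(password):
    """Old-style storage: digest of the password alone (same password -> same digest)."""
    return md5_hex(password.encode())


def store_salted(password, salt=None):
    """Salted storage: 'salthex$digest'; the salt is random per account."""
    salt = salt or os.urandom(8)
    return salt.hex() + "$" + md5_hex(salt + password.encode())


def mangle(word):
    """Dictionary 'variations on words' (the hybrid rules)."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "123"
    yield word[::-1]


def dictionary_attack(digest, wordlist):
    """Hash each candidate on the fly and compare."""
    for word in wordlist:
        for candidate in mangle(word):
            if store_unsalted(candidate) == digest:
                return candidate
    return None


def brute_force(digest, alphabet, length):
    """Try every string of the given length: 0000, 0001, ... 9999 for digits/4."""
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        if store_unsalted(candidate) == digest:
            return candidate
    return None


def build_table(wordlist):
    """Precompute digest -> password once; every later crack is a dictionary lookup."""
    return {store_unsalted(c): c for word in wordlist for c in mangle(word)}


def crack_with_table(table, digest):
    return table.get(digest)


def crack_salted(stored, wordlist):
    """Salt defeats the precomputed table, but not a per-account dictionary attack."""
    salt_hex, digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    for word in wordlist:
        for candidate in mangle(word):
            if md5_hex(salt + candidate.encode()) == digest:
                return candidate
    return None


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("dictionary:", dictionary_attack(store_unsalted("summer123"), WORDLIST))
    print("brute force:", brute_force(store_unsalted("0427"), "0123456789", 4))
    print("table, unsalted:", crack_with_table(table, store_unsalted("letmein1")))
    salted = store_salted("letmein1")
    print("table, salted:", crack_with_table(table, salted.split("$")[1]))
    print("dictionary, salted:", crack_salted(salted, WORDLIST))
```

The last two lines are the practical caveat: a salt makes the precomputed table worthless (the table would have to be rebuilt per salt), but a weak password still falls to a dictionary attack run against that one account, which is why the password policy and a slow hash are still needed alongside the salt.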
Software Exploits
Buffer Overflow (409)
One of the most common types of attack, a buffer overflow takes advantage of poor input validation in software. Most servers take input from a client. A buffer overflow sends MORE data than the program expects, so that the excess overwrites adjacent memory, and either
• Crashes the system (a DoS), or
• Actually injects commands (code) for the remote server to run
Buffer Overflow (409)
Countermeasures
• Patch your software!
• Secure programming techniques and input validation (for places that write software; as an administrator you generally cannot fix the problem yourself)
Chapter 13 - Review
Q. A SYN flood is what type of attack?
Q. Name one way to protect against sniffing attacks.
Q. What is the best protection against buffer overflows?
Q. What are the steps in a 3-way handshake?
Chapter 13 - Review
Q. What is a smurf attack?
Q. What is MAC flooding?
Q. What is LOKI? What is LOKI creating? (hint: a C_ _ _ _ _ C _ _ _ _ _ _)