Hacking - Computer Engineering

COEN 350
Security Threats
Network Based Exploits
Phases of an Attack
- Reconnaissance
- Scanning
- Gaining Access
- Expanding Access
- Covering Tracks

Reconnaissance
- Social Engineering: “I cannot access my email. What do I do?”
- Dumpster Diving (especially useful when people move)
- Search the Web: Sam Spade (www.samspade.org/ssw/), CyberKit, NetScanTools, ...
- Search Engine
- Usenet postings
- Whois
Reconnaissance Databases
- To research .com, .net, and .org domain names: InterNIC whois feature (www.internic.net/whois.html), allwhois, Network Solutions, ...
- ARIN: American Registry for Internet Numbers (www.arin.net/whois/arinwhois.html)
- RIPE (Europe): www.ripe.net
- APNIC (Asia Pacific): www.apnic.net
Scanning
Once we have a target, we need to get to know it better.
Methods:
- War Dialing (to find modem access)
- Network Mapping
- Vulnerability Scanning
- War Driving
Scanning: War Dialing
Purpose: Find a modem connection.
- Many users in a company install remote PC software such as pcAnywhere without setting it up correctly.
- A war dialer finds these numbers by going through a range of phone numbers, listening for a modem.
- A demon dialer tries a brute-force password attack on a found connection.
- Typically, war dialing will find an unsecured connection.
Scanning: Network Mapping
Ping:
- ping is implemented using the Internet Control Message Protocol (ICMP) Echo Request.
- A receiving station answers the sender with an ICMP Echo Reply.
- Used by system administrators to check the status of machines and connections.
Scanning: Network Mapping
Traceroute:
- Pings a system with ICMP echo requests whose life spans vary (the TTL field, the number of hops the packet is allowed to travel).
- A system that receives a packet whose allowed number of hops has expired sends an ICMP "time exceeded" error message back to the sender.
- Traceroute uses this to find the route to a given system, one hop at a time.
- Useful for system administration.
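The hop-by-hop mechanism described above, as an added simulation that is not part of the lecture: probes are sent with TTL 1, 2, 3, ...; each simulated router decrements the TTL and reports "time exceeded" when it hits zero, while a router that silently drops ICMP (the firewall behaviour mentioned under Cheops) shows up as `*`. The path, addresses and function names are constructed for the example.

```python
# Added example (not from the lecture): a simulation of how traceroute
# discovers a path one hop at a time by sending probes with increasing TTL.
# The network below is constructed; the addresses are documentation ranges.

# Routers between us and the destination, in order; the last entry is the
# destination host itself.
SIMULATED_PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.1", "203.0.113.50"]


def forward_probe(path, ttl, silent=frozenset()):
    """Model the network's handling of one ICMP echo request sent with `ttl`.

    Each router decrements the TTL before forwarding.  A router that
    decrements it to zero discards the packet and sends an ICMP "time
    exceeded" back, unless it is in `silent` (a firewall that drops ICMP),
    in which case nothing comes back and the sender times out.  The
    destination host does not forward the packet, so it simply answers the
    echo request.
    """
    *routers, destination = path
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return None if router in silent else ("time_exceeded", router)
    return ("echo_reply", destination)


def traceroute(path, max_hops=30, silent=frozenset()):
    """Return [(ttl, responder, kind), ...], one entry per TTL, exactly as
    traceroute prints it: '*' where a hop never answered."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward_probe(path, ttl, silent)
        if reply is None:
            hops.append((ttl, "*", "timeout"))
            continue
        kind, responder = reply
        hops.append((ttl, responder, kind))
        if kind == "echo_reply":          # destination reached, stop probing
            break
    return hops


if __name__ == "__main__":
    # Second router configured to drop ICMP: it appears as '*' in the output.
    for ttl, responder, kind in traceroute(SIMULATED_PATH, silent={"198.51.100.1"}):
        print(f"{ttl:2d}  {responder:16s} {kind}")
```

The `silent` set is why a traceroute through a filtering firewall shows gaps rather than failing outright: the probe is dropped, the sender times out, and the next TTL is still tried.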
Scanning: Network Mapping
Cheops: a UNIX-based network scanner. It uses traceroute and other tools to map a network.
Cheops and similar tools are the reason that firewalls intercept pings.
Scanning: Port Scans
Applications on a system use ports to listen for network traffic or send it out.
- 2^16 = 65,536 ports are available, some reserved for well-known services such as http (80), ftp, ...
- Port scans send various types of IP packets to the target on different ports.
- The reaction tells the scanner whether the port is open (an application is listening).

Scanning: Nmap
- Uses different types of packets to check for open ports.
- Can tell from the reaction which OS is running, including patch levels.
- Can run in stealth mode, in which it is not detected by many firewalls.
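From the defender's side, a port scan leaves a characteristic trace: one source touching many distinct ports on one host within a short window. The following is an added detection example, not part of the lecture; the firewall log format, addresses and thresholds are constructed, and the sliding-window logic is the general technique rather than any particular product's.

```python
# Added example (not from the lecture): detect a port scan in firewall logs.
# A scanner touches many distinct ports on one host in a short time; a
# normal client touches one or two.  Log format and addresses are constructed.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) (\S+) -> (\S+):(\d+)$")

# Constructed sample: one source sweeps 12 ports in 6 seconds, a normal
# client hits 80 and 443, and the scanner comes back once half an hour later.
SAMPLE_LOG = """\
2024-01-01T10:00:00 DROP 198.51.100.7 -> 192.0.2.10:21
2024-01-01T10:00:00 DROP 198.51.100.7 -> 192.0.2.10:22
2024-01-01T10:00:01 DROP 198.51.100.7 -> 192.0.2.10:23
2024-01-01T10:00:01 DROP 198.51.100.7 -> 192.0.2.10:25
2024-01-01T10:00:02 DROP 198.51.100.7 -> 192.0.2.10:80
2024-01-01T10:00:02 DROP 198.51.100.7 -> 192.0.2.10:110
2024-01-01T10:00:03 DROP 198.51.100.7 -> 192.0.2.10:143
2024-01-01T10:00:03 DROP 198.51.100.7 -> 192.0.2.10:443
2024-01-01T10:00:04 DROP 198.51.100.7 -> 192.0.2.10:445
2024-01-01T10:00:04 DROP 198.51.100.7 -> 192.0.2.10:3389
2024-01-01T10:00:05 DROP 198.51.100.7 -> 192.0.2.10:8080
2024-01-01T10:00:05 DROP 198.51.100.7 -> 192.0.2.10:12345
2024-01-01T10:00:06 ACCEPT 203.0.113.5 -> 192.0.2.10:80
2024-01-01T10:00:07 ACCEPT 203.0.113.5 -> 192.0.2.10:443
2024-01-01T10:30:00 DROP 198.51.100.7 -> 192.0.2.10:21
"""


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, port = m.groups()
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": src, "dst": dst, "port": int(port)}


def detect_scans(log_text, window_seconds=60, port_threshold=10):
    """Return one alert per (src, dst) pair that touched at least
    `port_threshold` distinct ports within any `window_seconds` window.
    The alert records the largest number of distinct ports seen in a window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["port"]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        in_window = Counter()      # port -> number of hits inside the window
        left = 0
        best = None
        for ts, port in evs:
            in_window[port] += 1
            # Slide the left edge forward until every counted event is within `window`.
            while evs[left][0] < ts - window:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            distinct = len(in_window)
            if distinct >= port_threshold and (best is None or distinct > best["ports"]):
                best = {"src": src, "dst": dst, "ports": distinct,
                        "first": evs[left][0], "last": ts}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(f"{alert['src']} scanned {alert['ports']} ports on {alert['dst']} "
              f"between {alert['first']} and {alert['last']}")
```

A slow scan that spaces probes minutes apart slips under a 60-second window, which is exactly the evasion the "stealth mode" bullet refers to; the counter-measure is a longer window (hours) with a correspondingly higher threshold, at the cost of memory per source.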

Gaining Access
- Gain access using application and OS attacks.
- Gain access using network attacks.

Gaining Access through Apps and OS
- Stack-Based Overflow Attacks: the stack is the area where function arguments and return addresses are saved.
- Password Attacks
- Web Application Attacks

Stack Based Attacks
When a function is called, the registers are saved on the stack, followed by the arguments, followed by the return address. At the end of the function's execution, the registers are restored from the stack.
Stack Based Attack
If a function takes string arguments as inputs and is poorly written, then a long input string causes the stack to be unwound incorrectly.
As a consequence, some of the input ends up as register values.
You can use this to execute short code snippets.
Stack Based Attacks (How to do it?)
- Take a popular application, install it on your machine, and see whether you can crash it by giving it long inputs.
- If it crashes, use a debugger to find out what register values get loaded. Any debugger installed on your system will tell you.
- Fine-tune the input to let you do something interesting.
- Ready to go and wreak havoc.

Buffer Attack Example
On a Unix system, use a buffer overflow in a network-accessible program (running at root level) to execute:
/bin/sh -c "echo 12345 stream tcp nowait root /bin/sh sh -i" >> /etc/inetd.conf; killall -HUP inetd
- This shell command adds a network service at port 12345 that spawns a command shell with full privileges.

Web Application Attacks
The URL not only contains the web address of a site, but also input:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF8&q=web+application+attack
A poorly written web page allows the viewer to input data in an uncontrolled fashion. If the web page contains SQL, the user might execute SQL commands.
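The two sentences above, worked through as an added example that is not from the lecture: a login check that pastes URL parameters into the SQL text, beside the same check written with placeholders. The database contents, the login URL and the field names `user`/`pw` are constructed for the example.

```python
# Added example (not from the lecture): the same login check written the
# way the slide warns about (user input pasted into the SQL text) and the
# safe way (parameterized query).  Database contents and URL are constructed.
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    """In-memory table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def credentials_from_url(url):
    """Pull the user/pw fields out of the query string, as a web app would."""
    params = parse_qs(urlsplit(url).query)
    return params.get("user", [""])[0], params.get("pw", [""])[0]


def login_vulnerable(conn, name, password):
    # The input becomes part of the SQL statement, so a quote character in
    # it changes the statement's structure instead of being compared as data.
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, name, password):
    # Placeholders: the database receives the statement and the values
    # separately, so the values can never be parsed as SQL.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (name, password)))


if __name__ == "__main__":
    db = make_db()
    user, pw = credentials_from_url("http://app.example/login?user=alice&pw=s3cret")
    print("normal:  ", login_vulnerable(db, user, pw), login_safe(db, user, pw))
    # Input that is not a name at all: a quote plus an always-true condition,
    # URL-encoded as it would arrive in the query string.
    user, pw = credentials_from_url(
        "http://app.example/login?user=%27+OR+%271%27%3D%271&pw=%27+OR+%271%27%3D%271")
    print("injected:", login_vulnerable(db, user, pw), login_safe(db, user, pw))
```

The vulnerable version returns every user for the second input because the quotes close the string literal and the rest is evaluated as SQL; the parameterized version returns nothing, since the same characters are compared as an ordinary (and non-matching) name. The fix is structural, not a matter of filtering quote characters.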
Gaining Access through Network Attacks: Sniffing
Sniffer: gathers traffic from a LAN.
- Examples: Snort (www.snort.org), Sniffit (reptile.rug.ac.be/~coder/sniffit/sniffit.html)
- To gain access to packets, use spoofed ARP (Address Resolution Protocol) messages to reroute traffic.

Session Hijacking
- IP Address Spoofing: send out IP packets with false source IP addresses.
- If an attacker sits on a link through which traffic between two sites flows, the attacker can inject spoofed packets to “hijack the session”.
- Details omitted.

Exploiting and Maintaining Access
After a successful intrusion, an attacker should:
- Use other tools to gain root or administrator privileges.
- Erase traces (e.g. change log entries).
- Take measures to maintain access.
- Close the security holes so that no one else can gain illicit access and do something stupid that wakes up the sysadmin.
Trojans
A program with an additional, evil payload.
- E.g. running MS Word also reinstalls a backdoor.

Backdoors
Bypass normal security measures.
Example: netcat
- Install netcat on the victim, compiled with the GAPING_SECURITY_HOLE option (which enables -e):
C:\> nc -l -p 12345 -e cmd.exe
- In the future: connect to port 12345 and start typing commands.
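Both backdoors shown so far (the inetd entry appended in the buffer attack example and the netcat listener above) leave the same two traces on the victim: a listening port that was not there before, and a service definition that hands out a shell as root. The following is an added example, not from the lecture, of checking for both; the `netstat -an` output, the inetd.conf contents and the baseline of expected ports are constructed, and the parser accepts both the Linux and the Windows layout of the netstat output.

```python
# Added example (not from the lecture): two checks a defender can run against
# the backdoors described above.  The netstat output and inetd.conf content
# are constructed; the baseline of expected ports is an assumption.

EXPECTED_LISTENERS = {22, 80, 443}      # assumed baseline for this host
SHELLS = {"sh", "bash", "csh", "ksh", "zsh", "cmd", "cmd.exe"}

# Constructed `netstat -an` output (Linux layout); the parser also accepts the
# Windows layout, where the state column reads LISTENING.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
"""

# Constructed /etc/inetd.conf with the line the buffer-overflow example appends.
SAMPLE_INETD = """\
# service  type    proto  wait    user  program           args
ftp        stream  tcp    nowait  root  /usr/sbin/tcpd    in.ftpd
telnet     stream  tcp    nowait  root  /usr/sbin/tcpd    in.telnetd
12345      stream  tcp    nowait  root  /bin/sh           sh -i
"""


def listening_ports(netstat_text):
    """Set of local TCP ports in LISTEN (Linux) or LISTENING (Windows) state."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].lower().startswith("tcp"):
            continue
        if parts[-1] not in ("LISTEN", "LISTENING"):
            continue
        local = next(p for p in parts[1:] if ":" in p)   # first address column
        ports.add(int(local.rsplit(":", 1)[1]))           # works for :::443 too
    return ports


def unexpected_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Listening ports that are not in the baseline, e.g. a netcat on 12345."""
    return sorted(listening_ports(netstat_text) - set(expected))


def risky_inetd_entries(inetd_text):
    """inetd services that run a shell as root: [(line number, service, program)]."""
    findings = []
    for lineno, raw in enumerate(inetd_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        service, _socktype, _proto, _wait, user, program, *args = fields
        programs = [program] + args
        if user == "root" and any(p.rsplit("/", 1)[-1] in SHELLS for p in programs):
            findings.append((lineno, service, program))
    return findings


if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(SAMPLE_NETSTAT))
    print("root shells in inetd.conf:", risky_inetd_entries(SAMPLE_INETD))
```

Take the baseline from the host while it is known to be clean, and keep a copy off the host. Since a rootkit replaces exactly the system executables this check relies on (netstat among them), confirm the listening-port list with a scan from a separate, trusted machine rather than trusting the victim's own tools.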

Backdoors
- BO2K (Back Orifice 2000) runs in stealth mode (you cannot discover it by looking at the Processes tab in the Task Manager).
- Otherwise, it is a remote control program like pcAnywhere that allows accessing a computer over the net.

Backdoors
- RootKit: a backdoor built as a Trojan of system executables such as ipconfig.
- Kernel-Level RootKit: changes the OS, not only system executables.

Responses
- Filter Internet connections.
- Run security audits (e.g. try to use hacking tools to break into your own system).
- Back up all data and prepare for a complete reinstall after an incident.
- Log on write-once media.
- For commercial sites: develop a comprehensive security policy.
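Write-once media make log entries unalterable; where that is not available, the same goal (an intruder who changes log entries, as listed under "Exploiting and Maintaining Access", cannot do so unnoticed) can be approximated in software by chaining the records. The following is an added example, not from the lecture: each record carries an HMAC over its content and the previous record's tag, so an edited, deleted or reordered entry breaks the chain, and a copy of the last tag kept off the host catches truncation. The key, the log lines and the function names are constructed for the example.

```python
# Added example (not from the lecture): tamper-evident logging.  Each record
# carries an HMAC over its content and the previous record's tag, so editing,
# deleting or reordering an entry breaks the chain.  Key and entries are constructed.
import hashlib
import hmac

GENESIS = "0" * 64           # "previous tag" used for the very first record


def _tag(key, seq, prev_tag, message):
    """HMAC-SHA256 over (sequence number, previous tag, message)."""
    data = f"{seq}\n{prev_tag}\n{message}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_record(chain, key, message):
    """Append a message to the chain (a list of dicts) and return the record."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev_tag, "msg": message}
    record["tag"] = _tag(key, record["seq"], prev_tag, message)
    chain.append(record)
    return record


def verify_chain(chain, key, expected_head=None):
    """Return None if the chain is intact, otherwise the index of the first bad
    record.  `expected_head` is the last tag as stored off-host; without it a
    chain that was simply cut short at the end would still verify."""
    prev_tag = GENESIS
    for i, record in enumerate(chain):
        expected = _tag(key, i, prev_tag, record["msg"])
        if (record["seq"] != i or record["prev"] != prev_tag
                or not hmac.compare_digest(record["tag"], expected)):
            return i
        prev_tag = record["tag"]
    if expected_head is not None and prev_tag != expected_head:
        return len(chain)          # records are missing from the end
    return None


def build_sample_chain(key):
    """Three constructed log lines, chained in order."""
    chain = []
    for msg in ["sshd: accepted password for alice from 203.0.113.5",
                "sshd: failed password for root from 198.51.100.7",
                "sudo: alice : COMMAND=/bin/sh"]:
        append_record(chain, key, msg)
    return chain


if __name__ == "__main__":
    key = b"constructed-demo-key"     # in practice: held by the log collector, not the host
    chain = build_sample_chain(key)
    head = chain[-1]["tag"]
    print("intact:", verify_chain(chain, key, head))
    chain[1]["msg"] = "sshd: accepted password for root from 198.51.100.7"
    print("after editing record 1:", verify_chain(chain, key, head))
```

The key must not live on the logged host: an intruder with root could otherwise recompute every tag. Keeping it on the log collector, or shipping each record there as it is written, gives the software analogue of the write-once medium.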
