Networking in Linux
Download
Report
Transcript Networking in Linux
Dial-up, VPN and
Network Devices
hacking
Dial-up hacking
Phone number footprinting: phone directories (on-line and
CD-ROM)
Wardialing (scanning): automatically dialing a range of
numbers, like in telemarketing, using a hardware/software
combination.
PC with serial ports and modems it is all that is needed
Software: ToneLoc, THC-Scan (free) and Phone Sweep
(commercial). See book.
Typically: one modem can wardial 10,000 numbers in 7 days of 24
hours.
Telcos take this seriously and in many areas this is illegal (ping
sweep is not).
Penetration Domains: once logs are obtained the
connections can be classified as (see book for examples in
QBASIC):
LHF - easily guessed or commonly used passwords for known
systems
Single authentication, unlimited attempts
PBX, Voicemail, VPN
PBX: most PBX are no longer electro-mechanic machines, but
rather computers with IP numbers, graphical interfaces, etc.
Types: Octel, Williams, Meridian, ROLM, ATT -- all with specific
ways to login (some very easy to hack, see book).
Basic countermeasure: only turn modem on when
maintenance is needed, turn off most of the time.
Voicemail: low impact, brute force attempts, but no logs
(voice answers).
VPN: tunneling private data through the Internet with
encryption, reducing WAN costs, and supporting modern
electronic commerce.
Tunneling involves encapsulation of a datagram within another, be
it IP within IP (IPSec) or PPP within GRE (PPTP)
IPSec (replaces PPTP) and Layer 2 Tunneling Protocol - L2TP
(replaces L2F) are the most used VPN standards.
VPN Hacking
Microsoft PPTP: originally had a weak encryption function,
algorithm (RSA), the TCP port (1723) used for connection
control was vulnerable to DoS attacks, only the data was
encrypted. NT: Service Pack 4 closed these vulnerabilities, Win
9x clients should be upgraded to DUN 1.3 to use these
improvements.
IPSec: very difficult to understand, even by experts.
Win 2k, XP, 7: came with IPSec support as we saw previously. See
VPN with Single Sign On in Windows 7.
Hackers do not seem to have figured it out yet, what is good.
Schneier and Ferguson (renowned experts) conclusion:
IPSec is too complex to be secure, but it is better than any
other security protocol in existence.
Different implementations: VPN requires the use of VPN
gateways in the server side. Read this article to see a
comparison of these types.
VOIP hacking: sniffing and enumeration. New tools potential.
Network Devices
Detection: use traceroute to find the border router.
Port Scanning: Use Nmap or SuperScan and WUPS to scan
TCP and UDP ports. In linux use dig to obtain information: e.g.
dig -t mx ubalt.edu
Routers ports (book page 398). If no ports found means security is
in place.
If you find ports open you may be able to identify the type of device
(routers, switches, hubs) and their manufacturers.
OS Identification: using Nmap and other tools seen
previously.
Penetration: Once telnet or shell ports are found we can
connect and use the data base of passwords to login if the
administrator failed to change the default password, but brute
force also can be used.
SNMP: allow to check status, configuration and change the
configuration. You should restrict its use, if allowing it at all
through your border router.
Other vulnerabilities
Specific vulnerabilities: Cisco and Ascend write MIB. Cisco
weak password encryption. TFTP (most routers). Bay config file
is clear text.
Shared vs Switched: shared media broadcasts to all nodes.
Switched media builds a table of MAC addresses and send the
messages to a specific MAC.
Use Snmpsniff in Linux to sniff in shared media networks.
Packet sniffing was developed for the shared media
environment, but
There are now packet-sniffing tools for switches. Dsniff is
easily installed in Ubuntu: use sudo apt-get install dsniff.
Use sudo to run it. There is a FAQ to help you with its use.
See example.
Basic countermeasure: use encryption in all your traffic,
such as PKI (1,2). You can also use VPN to create more
secure connections.
Arp redirect: arp redirect is part of the dsniff package (traffic