Transcript Salt
Network Intruders Masquerader: A person who is not authorized to use a computer, but gains access appearing to be someone with authorization (steals services, violates the right to privacy, destroys data, ...) Misfeasor: A person who has limited authorization to use a computer, but misuses that authorization (steals services, violates the right to privacy, destroys data, ...) Clandestine User: A person who seizes supervisory control of a computer and proceeds to evade auditing and access controls. 1 Access Control Today almost all systems are protected only by a simple password that is typed in, or sent over a network in the clear.Techniques for guessing passwords: 1. Try default passwords. 2. Try all short words, 1 to 3 characters long. 3. Try all the words in an electronic dictionary(60,000). 4. Collect information about the user’s hobbies, family names, birthday, etc. 5. Try user’s phone number, social security number, street address, etc. 6. Try all license plate numbers (123XYZ). Prevention: Enforce good password selection (c0p31an6) 2 Password Gathering Look under keyboard, telephone etc. Look in the Rolodex under “X” and “Z” Call up pretending to from “micro-support,” and ask for it. “Snoop” a network and watch the plaintext passwords go by. Tap a phone line - but this requires a very special modem. Use a “Trojan Horse” program to record key stokes. 3 UNIX Passwords User’s password ( should be required to have 8 characters, some non-letters) Random 12-bit number (Salt) DES Encrypted to 11 viewable characters User ID Salt Value Hash User ID Salt Value Hash User ID Salt Value Hash 4 Storing UNIX Passwords Until a few years ago, UNIX passwords were kept in in a publicly readable file, /etc/passwords. Now they are kept in a “shadow” directory only visible by “root”. “Salt”: • prevents duplicate passwords from being easily seen as such. • prevents use of standard reverse-lookup dictionaries ( a different diction would have to be generated for each value of Salt). • does not “effectively increase the length of the password.” 5 The Stages of a Network Intrusion 1. Scan the network to: • locate which IP addresses are in use, • what operating system is in use, • what TCP or UDP ports are “open” (being listened to by Servers). 2. Run “Exploit” scripts against open ports 3. Get access to Shell program which is “suid” (has “root” privileges). 4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. 5. Use IRC (Internet Relay Chat) to invite friends to the feast. 6 Protection from a Network Intrusion 1. Use a “Firewall” between the local area network and the worldwide Internet to limit access (Chapter 10). 2. Use an IDS (Intrusion Detection System) to detect Cracker during the scanning stage (lock out the IP address, or monitor and prosecute). 3. Use a program like TripWire on each host to detect when systems files are altered, and email an alert to Sys Admin. 4. On Microsoft PC’s, a program like BlackIce is easier to install than learning how to reset default parameters to make the system safe (and fun besides). 7 8 9 10 Type "A" Probes The first three UDP probes, which started my investigation, had a single character in the data field, an 'A'. The UDP port numbers were identical, 31790->31789. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port Packets. The Echo-Request is never answered. Date Time EST Source IP (Place) Destination (Place) 1999-12-28 18:40 151.21.82.251 (Italy) to 24.88.48.47 (Atlanta, GA) 1999-12-10 18:28 152.169.145.206 ( AOL ) to 24.88.48.47 (Atlanta, GA) 1999-12-16 03:34 212.24.231.131 (Saudi Arabia) to 24.88.48.47 (Atlanta, GA) UDP packets with an empty data field, like those generated by the "nmap" scan program, do not stimulate the 1500-byte ICMP packets from an OS-9 Macintosh. 11 Type "Double-zero" Probes (James Bond, 007, "00" -> "license to kill") I have now seen 3 UDP type "00" probes, and had another "00" probe reported from Kansas. These probes use a single UDP packet, two bytes of data (ascii zeroes) and identical UDP port numbers, 60000->2140. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port Packets. The Echo-Request is never answered. 1999-12-20 07:04 195.229.024.212 (Arab Emirates*) to 24.88.48.47 (Atlanta, GA) 1999-12-21 08:04 195.229.024.213 (Arab Emirates*) to 24.88.48.47 (Atlanta, GA) *DNS name: cwa129.emirates.net.ae 1999-12-25 09:39 212.174.198.29 (Turkey) to 24.94.xxx.xxx (Wichita, Kansas) *DNS: none 1999-12-31 05:35 195.99.56.179 (Manchester, UK*) to 14.88.xx.xx (Atlanta, GA) *DNS name: manchester_nas11.ida.bt.net 2000-01-04 05:08 24.94.80.152 (Road Runner, Hawaii) to 24.94.xxx.xxx (Wichita, Kansas) *DNS name: a24b94n80client152.hawaii.rr.com 2000-01-06 04:48 195.44.201.41 (cwnet, NJ) to 24.88.xx.xxx (Atlanta, GA) *DNS name: ad11-s16-201-41.cwci.net 12 Traceroute to find location of IP Address Start: 11/21/99 11:07:40 PM Find route from: 24.88.48.47 to: www.orbicom.com. (196.28.160.129), Host Names truncated to 32 bytes 1 24.88.48.1 (24.88.48.1 2 24.88.3.21 (24.88.3.21 3 24.93.64.69 (24.93.64.69 4 24.93.64.61 (24.93.64.61 5 24.93.64.57 (24.93.64.57 6 sgarden-sa-gsr.carolina.rr.com. (24.93.64.30 7 roc-gsr-greensboro-gsr.carolina. (24.93.64.17 8 roc-asbr-roc-gsr.carolina.rr.com (24.93.64.6 9 12.127.173.205 (12.127.173.205 10 gbr2-a30s1.wswdc.ip.att.net. (12.127.1.30 11 gr2-p3110.wswdc.ip.att.net. (12.123.8.246 12 att-gw.washdc.teleglobe.net. (192.205.32.94 13 if-7-2.core1.newyork.teleglobe.n (207.45.222.145 14 if-0-0-0.bb3.newyork.teleglobe.n (207.45.221.69 15 ix-1-1-1.bb3.newyork.teleglobe.n (207.45.199.202 16 196.30.121.243 (196.30.121.243 17 fe0-0.cr3.ndf.iafrica.net. (196.31.17.26 18 atm6-0sub300.cr1.vic.iafrica.net (196.30.121.81 19 196.30.200.6 (196.30.200.6 20 196.4.162.86 (196.4.162.86 21 www.orbicom.com. (196.28.160.129 • Trace completed 11/21/99 11:08:25 PM • Max 30 hops, 40 byte packets ): ): ): ): ): ): ): ): ): ): ): ): ): ): ): ): ): ): ): ): ): 17ms 18ms 17ms 19ms 25ms 26ms 28ms 30ms 40ms 38ms 278ms 41ms 45ms 45ms 50ms 44ms 635ms 641ms 643ms 662ms 663ms 17ms 19ms 18ms 17ms 25ms 27ms 28ms 32ms 39ms 40ms 40ms 43ms 46ms 47ms 46ms 48ms 632ms 640ms 640ms 659ms 658ms 16ms 18ms 17ms 18ms 23ms 27ms 30ms 30ms 39ms 39ms 39ms 42ms 45ms 49ms 50ms 45ms 633ms 644ms 643ms 664ms 664ms 13