Transcript Hands-On Ethical Hacking and Network Security

Review For Exam 1
February 4, 2010
MIS 4600 - MBA 5880 © Abdou Illia
Introduction to Ethical
Hacking
Hackers
 Hackers
 Access computer system or network without
authorization
 Have different motivations (from prove their status to doing some
damage)
 Crackers
 Break into systems to steal or destroy data
 For the U.S. Department of Justice they all break
the law; can go to prison.
3
Hackers vs. Ethical Hackers
 Ethical hacker
 Performs most of the same activities as hackers and
crackers, but with owner’s permission
 Employed by companies to perform penetration or
security tests
 Red team
Team of ethical hackers with varied skills (social
engineering, ethics/legal issues, break-ins, etc.)
4
Penetration test vs. Security test
 Penetration test
Legally breaking into a company’s network to find
its weaknesses
Tester only reports findings
 Security test
More than a penetration test
Also includes:
 Analyzing company’s security policy and procedures
 Offering solutions to secure or protect the network
Security Policy
- Sets rules for expected behaviors by users (e.g. regular patches download, strong passwords, etc.), and IT
personnel (e.g. no unauthorized access to users’ files, …), etc.
Passwords
must not be
written down
- Defines access control rules.
- Defines consequences of violations.
5
-Helps track compliance with regulations.
- Etc.
Access to files must
be granted to the
level required by
users’ job
Hacking Tools
Referred to as Tiger box in course textbook
Collection of OSs and tools that assist with
hacking
Network scanners
Traffic monitors
Keyloggers
Password crackers
Etc.
Practical Extraction and Report Language (Perl)
C programming language
Scripts, i.e. set of instructions that runs in
sequence
6
Questions
 Which of the following may be part of a penetration test (P) or a
security test (S)? Use “X” to indicate your answer.
P
7
1.
Breaking into a computer system without authorization.
2.
Laying out specific actions to be taken in order to prevent dangerous packets to pass
through firewalls.
3.
Scanning a network in order to gather IP addresses of potential targets
4.
Finding that patches are not timely applied as recommended by corporate rules.
5.
Writing a report about a company’s security defense system.
6.
Scanning a network in order to find out what defense tools are being used.
7.
Finding that users cannot change their passwords themselves
8.
Finding that a company does not have an effective password reset rule.
9.
Finding out that a firewall does not block potentially dangerous packets
10
Proposing a new procedure which implementation may help improve systems security
11
Finding out that the administrator's account is called Admin and has a weak password
12
Finding out that 1/3 of the security procedures are not actually implemented.
13
Performing a denial-of service-attacks
14
Disabling network defense systems
S
Penetration Testing Models
White box
Black box
Gray box
 White box model
 Tester is told everything about the network topology and
technology
 Tester is authorized to interview IT personnel and company
employees
 Makes tester’s job a little easier
8
Note: some diagrams may show routers, firewalls, etc.
Penetration Testing Models (cont.)
White box
Black box
Gray box
 Black box model
Company staff does not know about the test
Tester is not given details about the network.
 Burden is on the tester to find these details
Tests if security personnel are able to detect an
attack
 Question: What is the disadvantage of letting the
company’s employees know about the penetration
test?
________________________________________________
 Question: What is the disadvantage of letting the
9
IT staff know about the penetration test?
________________________________________________
Penetration Testing Models (cont.)
 Gray box model
Hybrid of the white and black box models
Company gives tester partial information
10
White box
Black box
Gray box
TCP/IP Concepts
Overview of TCP/IP
Computer 1
Computer 2
Layer 1
Layer 2
Layer 3
Layer 4
Layer 1
Layer 2
Layer 3
Layer 4
 Transmission Control Protocol/Internet Protocol
(TCP/IP)
Most widely used protocol set
 TCP/IP is a protocol set with 4 layers*
 Protocol
Common language used by computers for
“speaking”
 IPX/SPX is another protocol set used in Novell
networks.
 Some company protect their network by using
IPX/SPX internally.
IPX/SPX LAN
12
“poor man’s firewall”
* A layer can be seen as a group of tasks/activities/jobs
TCP/IP
network
TCP/IP protocol set
Computer 1
Network interface layer
13
Application layer
Transport layer
Internet layer
Interface layer
Computer 2
Application layer
Transport layer
Internet layer
Interface layer
 TCP/IP is implemented as
software and hardware that
work together to create
messages that could be
“understood” by each computer
The Application Layer
 Front end to the lower-layer protocols
Computer 1
Application layer
Transport layer
Internet layer
Interface layer
 Many Application layer protocols: HTTP, FTP, ARP, etc.
 Includes network services and client software
 Examples: Web (HTTP service), Web browser
 Commands/utilities for connecting & using
Application layer network services:
14
 ftp: used to transfer files between clients and servers
 telnet servername [port number]: to log on to a server
Using the ftp utility
 Unlike SFTP, FTP is not secure because it allows anonymous logins.
 Most companies do not allow FTP connection to their servers.
 If user has an account, they can use it to connect using SFTP-based
client program.
command: give info about the command
 Open ftp.eiu.edu should open an ftp session with the ftp.eiu.edu
 Help
server.
 Some public anonymous ftp servers: ftp.arsc.edu, ftp.ussg.iu.edu,
15
ftp.loc.gov/pub. Detailed list at http://www.ftp-sites.org/
[Instructor will show how to use ftp]
Questions
1) Based on your knowledge of the ftp utility and ftp-based client
programs, what do you think a hacker needs in order to connect to a
specific secure ftp server? Name three things that are absolutely
required.
________________________, ______________________, ___________________
2) Which of the three things you have mentioned is the hardest to get?
_________________________
3) Once connected to an ftp server, a hacker can upload/download files
only based on the permissions associated with the user account
he/she has used to connect. Imagine that the only permissions
associated with the user account are see and download files that are
in the default ftp directory. Name two things that must occur to make
it possible for the hacker to go beyond just seeing and downloading
files that are in the default directory and be able to browse through
the entire directory structure and upload files to the server for
instance?
16
______________________________, _______________________________
Computer 1
Application layer
Transport layer
Internet layer
Interface layer
The Transport Layer
 Prepares Application layer messages for proper
“transportation” to a receiving device
 Main protocol used:
 The TCP protocol for connection-oriented “dialog”
 The User Datagram Protocol or UDP for connectionless transmissions
Makes sure messages arrive at destination
exactly as they left source (in case of
connection-oriented communication)
 TCP opens connections using 3-way handshake
 Computer 1 sends a Synchronization SYN request
 Computer 2 replies with a Sync-Acknowledgement SYN-ACK packet
 Computer 1 replies with an ACK packet
Computer 1
Transport layer
17
Computer 2
Application layer
Internet layer
Interface layer
Application layer
SYN
SYN/ACK
SYN
Transport layer
Internet layer
Interface layer
The Internet Layer
Computer 1
Application layer
Transport layer
Internet layer
Interface layer
 Responsible for routing packets to their destination
address
 Uses a logical address, called an IP address
 Main protocols used: IP and ICMP
 Internet Control Message Protocol (ICMP)
Used to send messages related to network operations
Helps in troubleshooting a network
Some Internet layer commands/utilities for
troubleshooting network connections. More complex
versions included in hacking tools:
 Ping: determines whether a computer is connected
18
 Traceroute and tracert: determine route to get to a computer
ICMP codes are used internally by
network administrators to
troubleshoot network connectivity
(code 0 and 8) using PING
command, track IP packets’ route
(code 30) using TRACERT or
TRACEROUTE command, etc.
Appropriate ICMP codes could be
used to configure firewalls to
prevent network attacks by
outsiders.
19
Using the ping utility
 Most companies do not allow “pinging” their computers from outside.
 Later, we will see how
some of these pinging
options may be used in
security attacks.
20
Pinging under Linux
Pinging under Widows OS
Using tracert and traceroute
 As a Network [Internet] layer tool, Tracert and Traceroute generate a
network map, showing how to get to a target computer.
 Some of these
options may be
abused by
hackers as we
will see later.

21
This is likely a firewall
or a router in EIU’s
network which real IP
address is hidden using
Network Address
Translation.
Questions
Pinging under Widows OS
 Based on your knowledge of the PING command, what possible damage may be
done when it is used with the –l option?
22
Computer 1
The Network Interface Layer
Application layer
Transport layer
Internet layer
Interface layer
 Represents the network pathway (i.e. transmission
media)
 Implemented through Network Interface Cards (NIC)
 Includes Medium Access Control (MAC) address
MAC is a physical address recorded on NICs)
 Breaks messages into short frames and adds MAC to
each
 Converts messages into signal for transmission
23
Sending message using TCP/IP
 Generating message at the Application layer
 Encapsulation: Adding protocols headers (H)
and trailers (T) to pack the message.
HTTP request
Application
HTTP req.
Transport
HTTP req. TCP-H
TCP segment
Internet
HTTP req. TCP-H IP-H
IP Packet
Network Interface NI-T
HTTP req. TCP-H IP-H NI-H
Frames
24
User PC
Transmission medium
Example: http://www.eiu.edu
Receiving a TCP/IP message
 Frames arrive through the network interface
 De-encapsulation: Removing protocols
headers (H) and trailers (T) to access request
HTTP request
HTTP req.
Example: http://www.eiu.edu
Application
TCP segment
HTTP req. TCP-H
Transport
IP Packet
HTTP req. TCP-H IP-H
Internet
HTTP req. TCP-H IP-H NI-H
Network Interface
Frames
25
NI-T
User PC
Transmission medium
TCP Segment
0-3
Data
offset
4-7
8-15
Source port
16-31
Destination port
Sequence number
Acknowledgment number
C E U A P R S F
Reserved W C R C S S Y I
R E G K H T N N
Checksum
Window Size
Urgent pointer
Options (if Data Offset > 5)
Data Field (should contain HTTP Request based on our previous example)
Source port (16 bits) – a number that identifies the Application layer program used to send the message.
Destination port (16 bits) – a number that identifies the Application layer program the message is destined to.
Sequence number (32 bits) – Tracks packets received. Helps reassemble packets. Hackers may guest SN to hijack
conversations. Has a dual role
If the SYN flag is set, then this is the initial sequence number. The sequence number of the actual first data
byte (and the acknowledged number in the corresponding ACK) will then be this sequence number plus 1.
If the SYN flag is clear, then this is the sequence number of the first data byte
Acknowledgment number (32 bits) – if the ACK flag is set then the value of this field is the next sequence number
that the receiver is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end
acknowledges the other end's initial sequence number itself, but no data.
Data offset (4 bits) – specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and
the maximum is 15 words thus giving the minimum size of 20 bytes and maximum of 60 bytes, allowing for up to
40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the
TCP segment to the actual data.
26
TCP Segment (cont.)
0-3
Data
offset
4-7
8-15
Source port
16-31
Destination port
Sequence number
Acknowledgment number
C E U A P R S F
Reserved W C R C S S Y I
R E G K H T N N
Checksum
Window Size
Urgent pointer
Options (if Data Offset > 5)
Data Field (should contain HTTP Request based on our previous example)
Flags (8 bits) (aka Control bits) – contains 8 1-bit flags
CWR (1 bit) – Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received
a TCP segment with the ECE flag set and had responded in congestion control mechanism (added to header
by RFC 3168).
ECE (1 bit) – Explicit Congestion Notification-Echo indicates
If the SYN flag is set, that the TCP peer is ECN capable.
If the SYN flag is clear, that a packet with Congestion Experienced flag in IP header set is received
during normal transmission (added to header by RFC 3168).
URG (1 bit) – indicates that the Urgent pointer field is significant
ACK (1 bit) – indicates that the Acknowledgment field is significant. All packets after the initial SYN packet
sent by the client should have this flag set.
PSH (1 bit) – Push function
RST (1 bit) – Reset the connection
SYN (1 bit) – Synchronize sequence numbers. Only the first packet sent from each end should have this flag
set. Some other flags change meaning based on this flag, and some are only valid for when it is set, and others
when it is clear.
27
FIN (1 bit) – No more data from sender
TCP Segment (cont.)
0-3
Data
offset
4-7
8-15
Source port
16-31
Destination port
Sequence number
Acknowledgment number
C E U A P R S F
Reserved W C R C S S Y I
Window Size
R E G K H T N N
Checksum
Urgent pointer
Options (if Data Offset > 5)
Data Field (should contain HTTP Request based on our previous example)
Window size (16 bits) – the size of the receive window, which specifies the number of
bytes (beyond the sequence number in the acknowledgment field) that the receiver is
currently willing to receive.
 Checksum (16 bits) – Used for error-checking of the header and data
 Urgent pointer (16 bits) – if the URG flag is set, then this field is an offset from the
sequence number indicating the last urgent data byte.
28
TCP Ports
 Identifies the service that is running
 Helps you stop or disable services that are not
needed
 Open ports are an invitation for an attack
 Only the first 1023 ports are considered well-
known
 List of well-known ports
 Available at the Internet Assigned Numbers Authority
(IANA) Web site (www.iana.org)
29
Port
Service
Explanation
20 and 21
File Transfer Protocol (FTP)
Used for sharing files over the
Internet. Requires a logon name and
password. More secure than Trivial
File Transfer Protocol (TFTP)
25
Simple Mail Transfer
Protocol (SMTP) email
E-mail servers listen on this port
53
Domain Name Service – DNS
Helps users connect to Web sites
using URLs instead of IP addresses
TCP Ports (continued)
Port
Service
Explanation
69
Trivial File Transfer Protocol
- Could be implemented using a very small
amount of memory.
- Implemented on top of the User Datagram
Protocol (UDP) using port number 69.
- Used for transferring router configurations
- TFTP only reads and writes files from/to a
remote server. It cannot list directories,
- Currently has no provisions for user
authentication
80
Hypertext Transfer Protocol
(HTTP)
- Used when connecting to a Web server
30
TCP Ports (continued)
Port
Service
Explanation
110
Post Office Protocol 3 (POP3)
Used for retrieving e-mails from server
119
Network News Transfer Protocol
For use with newsgroups
135
Remote Procedure Call (RPC)
Critical for the operation of Microsoft
Exchange Server and Active Directory.
139
NetBIOS
Used by Microsoft’s NetBIOS Session Service
143
Internet Message Access
Protocol 4 (IMAP4)
Used for retrieving e-mail. Better than POP3.
Could maintain mails on servers. Allows
searches, etc.
 Netstat command line
 displays open ports on a computer indicating
what services/applications are running.
31
IP Header
0–3
4–7
8–15
16–18
Version
Header
length
Type Of Service
Identification
Time to Live
19–31
Total Length
Flags
Protocol
Fragment Offset
Header Checksum
Source Address
Destination Address
Options
Data
 Version - indicates the version of IP in four-bit . Should be 0100 for IPv4
 Internet Header Length (IHL) - tells the number of 32-bit words in the IP
header.
 TOS – Indicates the quality of service for delivering the packet: Normal
delay, high reliability, normal cost, high cost, etc.
 Total Length – defines entire packet size (header +data) in bytes. The
minimum-length is 20 bytes (20-byte header + 0 bytes data) and the
maximum is 65,535. Subnetworks may impose restrictions on the size, in
32 which case packets must be fragmented. Fragmentation is handled in either
the host or the router.
IP Header
0–3
4–7
8–15
16–18
Version
Header
length
Type Of Service
Identification
Time to Live
19–31
Total Length
Flags
Protocol
Fragment Offset
Header Checksum
Source Address
Destination Address
Options
Data
 Identification - Primarily used for uniquely identifying fragments of an
original IP packet.
 Flags - A three-bit field used to control or identify fragments. They are (in
order, from high order to low order):
 Reserved, must be zero.
 Don't Fragment (DF): If the DF flag is set and fragmentation is required to route
33
the packet then the packet will be dropped
 More Fragments (MF): When a packet is fragmented all fragments have the MF
flag set except the last fragment,
IP Header
0–3
4–7
8–15
16–18
Version
Header
length
Type Of Service
Identification
Time to Live (TTL)
19–31
Total Length
Flags
Protocol
Fragment Offset
Header Checksum
Source Address
Destination Address
Options
Data
 Fragment Offset - Specifies the offset of a particular fragment relative to the
beginning of the original unfragmented IP packet. The first fragment has an offset of
zero.
 TTL - Helps prevent packets from persisting (e.g. going in circles) on an Internet.
Time specified in seconds, but time intervals less than 1 second are rounded up to 1.
Also in number of hop counts.
 Protocol - Defines the protocol used in the data portion of the IP packet. Common
protocols and their codes are: 1: Internet Control Message Protocol (ICMP), 2:
Internet Group Management Protocol (IGMP), 6: Transmission Control Protocol
(TCP), 17: User Datagram Protocol (UDP), 89: Open Shortest Path First (OSPF), 132:
34 Stream Control Transmission Protocol (SCTP).
IP Header
0–3
4–7
8–15
16–18
Version
Header
length
Type Of Service
Identification
Time to Live (TTL)
19–31
Total Length
Flags
Protocol
Fragment Offset
Header Checksum
Source Address
Destination Address
Options
Data
 Header Checksum - used for error-checking of the header. At each hop, the checksum
of the header must be compared to the value of this field. If a header checksum is
found to be mismatched, then the packet is discarded. Note that errors in the data field
are up to the encapsulated protocol to handle .
35
Short Case
 After performing a test on ABC Inc.’s network, a
penetration tester discovered that outsiders are
able to test internal hosts connectivity. He also
discovered that outsiders are able to “map” ABC
Inc.’s network which allows them to determine
the names and IP addresses of internal routers
and firewalls.
What commands the outsiders could possibly use in their
attempts?
2) What would you recommend doing in order make it
impossible for outsiders to (a) successfully test internal
hosts’ connectivity, and (b) map ABC Inc.’s network? Be
very specific in naming the actions that needed to be
taken to address the problem.
1)
36
Network & Computer Attacks
ISC* Objectives
 Confidentiality
 C – Confidentiality
 I – Integrity
 A – Availability
 A – Accountability/Authenticity
 Making sure that corporate data and transactions with
partners remain confidential
 Integrity
 Making sure that software programs, local data, and data
in-transit are not altered or destroyed
 Availability
 Making sure that computer and network resources or
services remain available for users and not disrupted
 Accountability
 Making sure that users are properly authenticated and
their actions accounted for.
 Authenticity
 Also called non-repudiation. Making sure that business
partner cannot deny their actions
38
* Information Security Countermeasures
Malicious Software attacks
 Common types of malware
 Viruses
 Worms
 Trojan horses
 Adware | Spyware
 Logic bombs
 [Web bots]
39
What is virus?
 A virus is a malware that …
attaches itself to files on a single computer
can replicate from file to file
does not stand on its own
 needs a host file – a vector - [unlike some other malware]
Does not spread across computers without human
intervention (flash drive, email attachment, etc.)
Types of virus host / vector
Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft
Windows, and ELF files in Linux)
Volume Boot Records of floppy disks and hard disk partitions | The master boot record (MBR) of a hard disk
General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and
shell script files on Unix-like platforms).
Application-specific script files (such as Telix-scripts)
System specific autorun script files (such as Autorun.inf file needed by Windows to automatically run
software stored on USB Memory Storage Devices).
40
Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets,
Microsoft Access database files, and AmiPro documents)
ELF = Executable and Linkable Format | PDFs & images, like HTML, may link to malicious code | PDFs can also be infected with malicious code
Types of viruses
Based on host files
Boot sector viruses: attach themselves to files in
boot sector of HD
File infector viruses: attach themselves to program
files and user files
Macro viruses: attach to files with macro programs
embedded.
Based on mutation techniques
Polymorphic viruses: mutate with every infection
(using encryption techniques), making them hard
to locate
Metamorphic viruses: rewrite themselves
completely each time they are to infect new
executables*
41
* metamorphic engine is needed
Types of viruses (cont.)
 Based on deception methods
 Core MS-DOS viruses: make sure that the "last modified" date of
a host file stays the same when the file is infected by the virus.
 Cavity viruses
 infect files without increasing their sizes or damaging the files
 overwrite unused areas of executable files
File.exe of 300 KB
on a 512 KB block
 Examples: CIH virus, Chernobyl Virus that are 1 KB in size infect
Portable Executable files which have many empty gaps
 Antivirus PID killers: kill tasks associated with antivirus
 Stealth: hides itself by intercepting disk access requests
by antivirus programs.
42
The stealth returns an uninfected version of files to the antivirus software, so that infected files seem "clean”.
* metamorphic engine is needed
Request
Stealth
OS
Protecting against viruses
 Signature-based antivirus programs
Compare the contents of a file to a database of
virus signatures
 A signature is an algorithm or a hash (a number or string
of characters derived from the virus code) that uniquely
identifies a specific virus.
Must update signature database periodically or
use automatic update feature if available
Viruses signatures
1)
2)
3)
4)
5)
6)
43
67344883409999999999
DF56eeb&^fgkFT&&&88jjj
01000010100000000000
78020000100000102398
89950-1=ddjjdfjj3k3l355
…………………………………
Files
1)
2)
3)
4)
5)
6)
7)
Sales.xls
Forecast.doc
Staff.mdb
Ingredients.doc
Committees.xls
Minutes.accdb
………………….
Question: Name two kinds of situation where signature-based antivirus won’t be effective?
Protecting against viruses (cont.)
 Heuristic-based antivirus that use generic signature
Through mutation or refinements by attackers, viruses
can grow into dozens of slightly different strains
called variants
Example: The Vundo trojan has evolve into two
distinct family members, Trojan.Vundo and
Trojan.Vundo.B
A generic signature can be generated for a virus
family.
Heuristic analysis uses generic signatures to identify
new malware or variants of known malware
44
Question: Is generic signature more or less accurate than a specific virus’ signature?
Protecting against viruses (cont.)
 Heuristic-based antivirus that use virtual machines
Allow the antivirus program to simulate what would
happen if the suspicious file were to be executed
Execute the questionable program or script within a
specialized virtual machine
It then analyzes the execution, monitoring for
common viral activities: replication, file overwrites,
attempts to hide the existence of the suspicious file.
If one or more virus-like actions are detected, the
suspicious file is flagged as a potential virus.
45
Question: Which of the following is likely to lead to false positive virus identifications?
signature-based or heuristic-based antivirus.
Based on the descriptions, is the classification of the malware as virus
correct?
46
46
Worms
 Do not attach to files | A worm stands on its own
 Self-replicating malware that can propagate
across a network by themselves
 Use host computer’s resources, and their own
network application to send copies of itself to
other computers
 Types of harms:
 Consuming network bandwidth. Moorris and Mydoom are
notorious
 Consuming host computer resourses (processing, RAM)
 Delete files (e.g. ExploreZip worm)
 Encrypt files (which leads to cryptoviral extortion attack)
 Installing backdoor-zombie programs under control of
the worm author (e.g. Sobig)
47
Protecting against worms
 Worms spread by exploiting OS vulnerabilities
 Make sure that unnecessary ports are not open
 Regular OS security updates is the best protection
 Other effective defense systems:
 Antivirus programs
 Local firewall software can block incoming worms
Application layer
Transport layer
Internet layer
Interface layer
48
Application layer
Transport layer
Internet layer
Interface layer
Trojan Programs
 Non-self-replicating malware
 That appear to be useful programs like game, screen saver, free
antivirus, etc.
 But are actually backdoor or rootkits that facilitate remote access or a
“take over” by a remote hacker
 Once a Trojan horse is installed on a target computer, a Trojan
can be used to do the following:
Keystroke logging
Data theft (e.g. passwords, credit cards information, etc)
Installing other malware
Using the host computer as part of botnet for spamming or Distributed
DoS
 Deleting or modifying files




49
Trojan Programs (cont.)
You want to prevent Backdoor.Rtkit.B from communicating with the
hacker’s computer. What action would you take at the firewall level?
50
Protecting Against Malware Attacks
at the organizational level
 What is/are the most effective technical
solution(s) that could be implemented at the
network level to deal with malware attacks?
 What is/are the most effective non-technical
solution(s) that could be implemented in an
organization to deal with malware attacks?
51
Lab 3-related Questions
You should know
 Recognize a SAM hash extracted in a text file
 Name of the programs used in Lab 3 to extract
and crack passwords
 Know Windows’ command for creating (i.e.
adding) and deleting user accounts
 Have a general understanding of password
cracking
53