network_security

SYP: Network Security
Security
• Why is it important to understand how attacks work?
• Golden Age of Hacking
• How bad is the problem?
• How did this happen?
Security Breach Example
In 2003 a group of hackers were “testing” the security of various banks and noticed that one was extremely vulnerable
Within a couple of hours, they transferred over $10 million from the bank to a private account
Due to the bank’s poor network security, the attackers’ tracks were difficult to find
To ensure no prosecution, the hackers contacted the bank president and gave two options:
1. Bank could prosecute, but the attackers would deny everything and notify the media of the bank’s poor security
2. Sign a proposal indicating that the hackers were performing a security assessment at the bank’s request for $5 million, and the hackers would then return the other $5 million
What choice do you think the bank president chose?
Organizational Problems
Why companies don’t report attacks
Ignorance
Bad publicity
Cost and ineffectiveness of Fixing
Existing Systems
Intangible Nature of Security Benefits
The Attacker’s Process
Many ways an attacker can gain access or
exploit a system
Some basic steps that hackers follow:
Passive reconnaissance
Active reconnaissance (scanning)
Exploiting the system
Uploading programs
Downloading data
Keeping access by using backdoors and trojan
horses
Covering tracks
Passive Reconnaissance
To exploit a system an attacker must have
some general information about the user or
company
Information gathering
Sniffing
Active Reconnaissance
At this point, an attacker has enough
information to try active probing or scanning
against a site.
Key information that an attacker will try to
discover:
Hosts that are accessible
Locations of routers and firewalls
Operating systems running on key components
Ports that are open
Services that are running
Versions of applications that are running
Exploiting the System
3 areas to exploit on a system:
1. Gaining access
   Operating system attacks
   Application-level attacks
   Scripts and sample program attacks
   Misconfiguration attacks
2. Elevation of privileges
3. Denial of service
Uploading and Downloading
Programs
After an attacker has gained access, they
usually perform some set of actions on the
server.
Most often, hacker will load some programs to
the system.
With some attacks, such as corporate
espionage, an attacker is after information
Keeping Access
In most cases, after an attacker gains access to a system, he will install a back door so that he can return whenever he wants
Basic back doors: highly detectable
Sophisticated back doors: more difficult to detect
Gaining access to the system and creating a back door simultaneously
Covering Tracks
After an attacker compromises a machine and
creates a back door, the last thing he does is
make certain that he does not get caught
Clean up log files
Turn off logging
To protect against hackers – use a program that
makes sure key files on the system have not
been changed
Information Gathering
Information Gathering
Many companies only concentrate on protecting
their systems from a specific exploit when they
start building a security infrastructure
Key for a user or organization to know what
information an attacker can acquire about them
and minimize the potential damage
If the attacker can only gain limited information about
the network, they will most likely move on to the next
victim
Step 1: Gathering Initial Information
Find out initial information:
Open Source
Whois
Nslookup
Step 2: Discover address range of the network
Find out address range of the network:
ARIN (American Registry for Internet
Numbers)
Traceroute
Step 3: Discovering Active Machines
Find active machines:
Ping
Step 4: Find Open Ports or Access Points
Applications used to find open ports or access points:
Portscanners
Nmap
ScanPort
War Dialers
THC-Scan
Step 5: Figure Out the Operating System
Tools used to determine operating systems:
Queso
Nmap
Step 6: Figure Out Which Services are Running on Each Port
Tools used to determine which services are running on each port:
Default port and OS
Telnet
Vulnerability scanners
Step 7: Map Out the Network
Tools used to map out the network:
Traceroute
Visual Ping
Cheops
Spoofing
Types of Spoofing
Types of Spoofing Techniques
IP Spoofing
Email Spoofing
Web Spoofing
Non-Technical Spoofing
IP Spoofing
Basic Address Change
Protection Against Address Changes
IP Spoofing Continued
Source Routing
Allows you to specify the path a packet will take through the Internet
Types:
Loose Source Routing (LSR)
Strict Source Routing (SSR)
Protection Against Source Routing
IP Spoofing Continued
Trust Relationships
Protection Against Trust Relationships
EMAIL Spoofing
Similar Email Address
Protection Against Similar Email Address
EMAIL Spoofing
Modifying a Mail Client
Protection Against Modifying a Mail Client
EMAIL Spoofing
Telnet to Port 25
Protection Against Telnetting to Port 25
Web Spoofing
Basic Web Spoofing
Protection Against Basic Web Spoofing
Web Spoofing
Man-in-the-Middle Attacks
Protection Against Man-in-the-Middle Attacks
Web Spoofing
URL Rewriting
Protection Against URL Rewriting
From Anonymizer.com
Web Spoofing
Tracking State:
Cookies
Protection Against Cookies
Web Spoofing
Tracking State:
URL Session Tracking
Protection Against URL Session Tracking
Web Spoofing
Tracking State:
Hidden Form Elements
Protection Against Hidden Form Elements
General Web Spoofing
Protection
Disable JavaScript, ActiveX, etc.
Validate that application is properly tracking
users
Make certain users can’t customize their
browsers to display important information
Educate the users
Make certain that any form of ID used to track
user is long and random
Non-Technical Spoofing
Social Engineering
Reverse Social Engineering
Non-Technical Spoofing Protection
Denial of Service (DOS)
What is a DOS Attack?
An attack through which a person can render a system unusable, or significantly reduce its capacity, by overloading the system’s resources
DOS attacks can be intentional or accidental
Often used by an attacker who is unable to gain access to a network or machine
Some Types of DOS Attacks
Ping of Death
SSPing
Smurf
CPU Hog
Password Security
Typical Attack
Two of the most common weaknesses on computer systems:
Weak Passwords
Modems
Current State of Passwords
The current state of passwords in most companies and home systems is poor
Software often has default passwords that are rarely changed
Chosen passwords are often trivial to guess, or there is no password at all
Password change intervals are too long
History of Passwords
Users often choose simple passwords
Wife’s name
Favorite sport
Date of user’s birthday
Complex passwords are often written down since they are difficult to remember
Ex: W#hg@5d4%d10
Future of Passwords
Single Sign On (SSO)
One password for a user’s various applications
Biometrics
Fingerprint scan
Hand scan
Retinal scan
Facial scan
Voice scan
Strong Passwords
Subject to technology
Strong Password criteria:
Changes every 45 days
Minimum length of 10 characters
Must contain at least one alpha, one number, and one special character
Alpha, number, and special characters must be mixed up, not appended to the end
Ex: abdheus#7 = Bad
Ex: fg#g3^hs5gw = Good
Cannot contain dictionary words
Cannot reuse previous five passwords
Minimum password age of 10 days
After 3 failed logon attempts, password is locked for several hours
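The criteria above as an executable policy check; this is an added example, not code from the slides. The word list is a constructed stand-in for a real dictionary, and previous passwords are compared by hash (sha256 here only for brevity).

```python
import hashlib
import string

MIN_LENGTH = 10          # "Minimum length of 10 characters"
HISTORY_DEPTH = 5        # "Cannot reuse previous five passwords"
# Constructed stand-in for a real word list; a deployment would load a full dictionary.
DICTIONARY_WORDS = {"password", "welcome", "summer", "admin", "football", "letmein"}


def password_hash(password):
    """Hash kept in the password history (sha256 for brevity; a real store uses a slow, salted hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(password, history=()):
    """Return the policy rules a candidate password violates; an empty list means it is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit and has_special):
        violations.append("needs at least one letter, one digit and one special character")
    # Digits and specials must be mixed in, not appended: "abdheus#7" fails, "fg#g3^hs5gw" passes.
    letters_only_prefix = password.rstrip(string.digits + string.punctuation)
    if letters_only_prefix != password and letters_only_prefix.isalpha():
        violations.append("digits and special characters only appended to the end")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        violations.append("contains a dictionary word")
    # Compare against the hashes of the last five passwords, never against plaintexts.
    if password_hash(password) in list(history)[-HISTORY_DEPTH:]:
        violations.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return violations


if __name__ == "__main__":
    for candidate in ("abdheus#7", "fg#g3^hs5gw"):
        print(candidate, "->", check_password(candidate) or "OK")
```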
Why is Password Cracking Important?
To audit the strength of passwords
To recover forgotten/unknown passwords
To migrate users
To use a checks-and-balances system
Types of Password Attacks
Dictionary Attacks
Brute Force Attacks
Hybrid Attacks
Social Engineering Attacks
Securing Microsoft Passwords
Where Are Passwords Stored in Microsoft?
Password hashes for each account are stored in the Security Account Manager (SAM)
\Windows-directory\system32\config\SAM
\Windows-directory\repair
How Does MS Encrypt Passwords?
2 hash algorithms
One for regular NT hash: MD4 hash algorithm
One for LANMAN hash: pad password with 0’s to equal 14 characters
Combined to attain 16-byte hash value
Why is it Easier to Crack MS Passwords?
LAN Manager hashing scheme
Maximum 7 character passwords
No Salts
Microsoft Password Cracking Programs
L0phtcrack
NTSweep
NTCrack
PWDump2
L0phtcrack
Computes passwords from a variety of sources using a variety of methods
3 modes used to crack passwords:
1. Dictionary
2. Hybrid
3. Brute-Force
L0phtcrack Interface
L0phtcrack Performance Statistics
Cracks 90% of passwords under 5 hours
18% of passwords cracked in under 5 minutes
Most domain admin accounts cracked
Most companies only require a minimum of 8 character passwords but have no other restrictions
Hiding L0phtcrack on Desktop
NTSweep
Takes advantage of Microsoft’s method of password changes
User is unaware of the password change
Can be run through a firewall without having special privileges
Can be run by anyone on the Internet
NTSweep’s Limitations
Slow to perform
Ex: Dictionary Attack
Information can be logged and can be displayed through Event Viewer
Guessing programs are not always accurate
May return failure even though the password was correct
Network Monitoring
Some Examples of Network Monitoring Tools Are:
HP OpenView
SolarWinds
Big Brother
Netsaint
Nagios
Monitoring
A good monitoring infrastructure will help detect attacks as they occur and stop them before there is a problem
Monitoring and logging are often used interchangeably
Monitoring has 2 characteristics:
Secure
Intelligent
Problems with running multiple monitoring programs
What to Monitor
Focus on network devices that will impact more than one user if they fail
Servers
Routers and Switches
Security Monitoring
What services need to be monitored on each device
SNMP
SNMP (Simple Network Management Protocol) is the most popular method of monitoring network devices
SNMP’s popularity due to:
Modularity
Scalability
Adaptability
UDP-based protocol that uses Port 161 to exchange information
Uses Protocol Data Units (PDUs) to communicate between manager and agent
SNMP Security
SNMP has not proven to be very secure
SNMP is a common attack target
Community Strings – passwords used to determine whether a device has read or read/write access to the network device
SNMP Version 1.0
Only included community strings to secure communications
Passwords not encrypted and sent clear-text
SNMP Version 3.0
Supports DES encryption between managers and agents
PDUs can use authentication to ensure validity of information
Agents configured to only allow certain groups access
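To make the SNMPv1 weakness concrete, here is an added example (not from the slides) that decodes a community-based SNMP message and reports the community string exactly as it travels over UDP/161 in the clear. The packet bytes are constructed for the example, and the BER reader covers only what such messages use.

```python
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}


def read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_snmp(packet):
    """Return version, community and PDU type of an SNMP message (community-based v1/v2c layout)."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    _, raw_version, pos = read_tlv(body, 0)
    version = int.from_bytes(raw_version, "big")
    if version not in (0, 1):                # v3 has no community string; USM does auth/privacy
        return {"version": SNMP_VERSIONS.get(version, version), "community": None, "pdu": None}
    _, community, pos = read_tlv(body, pos)  # OCTET STRING, sent with no encryption at all
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": SNMP_VERSIONS[version],
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}


def cleartext_credential_alert(packet):
    """Defender's check: v1/v2c expose the community string on the wire, so flag every such packet."""
    info = parse_snmp(packet)
    if info["community"] is None:
        return None
    return f"SNMP{info['version']} {info['pdu']} carries cleartext community '{info['community']}'"


# Constructed SNMPv1 GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) with community "public".
SAMPLE_V1_GET = bytes.fromhex(
    "3026"                        # SEQUENCE, 38 bytes
    "020100"                      # INTEGER version = 0 (SNMPv1)
    "04067075626c6963"            # OCTET STRING "public"
    "a019"                        # GetRequest PDU, 25 bytes
    "020101020100020100"          # request-id = 1, error-status = 0, error-index = 0
    "300e300c"                    # VarBindList holding one VarBind
    "06082b060102010101000500"    # OID 1.3.6.1.2.1.1.1.0 with NULL value
)

if __name__ == "__main__":
    print(cleartext_credential_alert(SAMPLE_V1_GET))
```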
SNMP Types
Nagios
WhatsUp Gold
Netcool
Big Brother
HP Openview
Solarwinds
NAGIOS Defined
Nagios® is a host and service monitor designed to inform you of network problems before clients, end-users or administrators realize that they have occurred. It was designed to run under the Linux operating system, but works fine under most Unix variants as well. It runs CGI (Common Gateway Interface) scripts to process web forms, taking data entered by the end-user, processing it, and dynamically writing HTML on the fly to be returned to the end-user's browser. The monitoring daemon runs intermittent checks on hosts and services you specify using external "plugins" which return status information to Nagios. When problems are encountered, the daemon can send notifications out to administrative contacts in a variety of different ways (email, instant message, pager, etc.). Current status information, historical logs, and reports can all be accessed via a web browser.
Features of Nagios
Monitoring of network services (SMTP, POP3, HTTP, NNTP, PING, etc.)
Monitoring of host resources (processor load, disk and memory usage, running processes, log files, etc.)
Monitoring of environmental factors such as temperature
Simple plug-in design that allows users to easily develop their own host and service checks
Ability to define network host hierarchy, allowing detection of and distinction between hosts that are down and those that are unreachable
Contact notifications when service or host problems occur and get resolved (via email, pager, or other user-defined method)
Support for implementing redundant and distributed monitoring servers
Scheduled downtime for suppressing host and service notifications during periods of planned outages
Ability to acknowledge problems via the web interface
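Combining the "Covering Tracks" advice (a program that makes sure key files have not been changed) with the plug-in design just listed: an added example, not part of the slides or of the Nagios project, of a check written in the Nagios plugin convention (one status line on stdout, exit code 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN). The baseline file path and the set of watched files are assumptions.

```python
import hashlib
import json
import os
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large log files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record the hash of each watched file; keep the result where an intruder cannot rewrite it."""
    return {path: sha256_of(path) for path in paths}


def check_integrity(baseline):
    """Compare the files to the baseline; return (exit_code, status_line) in Nagios plugin form."""
    changed = [p for p, h in baseline.items() if os.path.exists(p) and sha256_of(p) != h]
    missing = [p for p in baseline if not os.path.exists(p)]
    if changed or missing:
        details = []
        if changed:
            details.append("changed: " + ", ".join(changed))
        if missing:
            details.append("missing: " + ", ".join(missing))
        return CRITICAL, "FILE INTEGRITY CRITICAL - " + "; ".join(details)
    return OK, f"FILE INTEGRITY OK - {len(baseline)} files match baseline"


if __name__ == "__main__":
    # Usage: check_files.py baseline.json   (assumed path; written earlier from build_baseline()).
    try:
        with open(sys.argv[1]) as fh:
            code, line = check_integrity(json.load(fh))
    except (IndexError, OSError, ValueError) as exc:
        code, line = UNKNOWN, f"FILE INTEGRITY UNKNOWN - {exc}"
    print(line)       # Nagios reads this first line as the service status text
    sys.exit(code)    # and the exit code as the service state
```

A truncated or rewritten log file changes its hash, so the "clean up log files" step in Covering Tracks shows up as CRITICAL on the next scheduled check.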
Nagios Monitoring
Nagios 3-D Status Screen
Nagios Status Map
Nagios Service Information
Nagios Service Alert
Nagios WAP Interface