Transcript Ciphers - Netline

Sécurité et Réseau
Eric Lapaille - Emmanuel Tychon Frederic Rouyre
© Netline 96-99
Sites Web
• http://www.cert.org/
• http://www.microsoft.com/security/default.asp
Attaques les plus courantes
 Exploitation of weaknesses in the "cgi-bin/phf" program used on Web servers to
steal system password files;
 Attacks on systems running the free Linux version of UNIX, including
installation of "sniffers" that can steal unencrypted passwords when people log
on to the systems
 Denial-of-service attacks were particularly troubling for Internet Service
Providers;
 Widely-available hacker kits have permitted even novices to attack systems with
known vulnerabilities;
 Poorly-configured anonymous FTP sites were used to exchange illegal copies of
proprietary software;
 Abuse of e-mail included mail-bombing, forgeries ("spoofing") and a large
increase in the amount of junk e-mail ("spamming");
 Viruses and hoaxes about viruses (especially wild claims about dangerous email) increased in 1996.
Evaluer la sécurité de NT
•
•
•
•
•
•
C2
Account policies
Users accounts
Compte administrateur
Compte Invité/Guest
Users Rights
C2
 The system should not dual boot. Windows NT should be the only operating system
installed.
 The OS/2 and POSIX subsystems should not be installed.
 All drives on the system must be formatted for the NT File System, not the FAT file system.
To check drive status in Windows NT 4.0, right-click on the drive and choose Properties.
 The Security Log should not overwrite old events. To check this, open the Event Viewer
and choose Log Settings from the Log menu. The option called "Do Not Overwrite Events
(Clear Log Manually)" should be enabled.
 Do not allow blank passwords. To check this, open the User Manager for Domains and
choose Account from the Policies menu and disable Permit Blank Passwords in the
Minimum Password Length field. This will require that you choose the "At Least x
Characters" field and specify a value for x.
 Disable the Guest account. In the User Manager, double-click on the Guest account and put
a check mark on the item called "Account Disabled."
Account policies & restrictions
 Maximum Password Age Password should expire in x number of days.
 Minimum Password Length Password should be greater than eight characters.
 Minimum Password Age Set to allow changes in x number of days.
 Password Uniqueness Set to Remember x Passwords.
 Lockout after x bad logon attempts Set x to 4.
 Reset Count After x minutes Set to approximately 20 minutes to avoid unnecessary
lockouts.
 Lockout Duration field Set according to your logon policies. If forever is set, an
administrator must restore the account.
 Forcibly disconnect remote users from server when logon hours expire Set this option
to prevent after-hours activities or disconnect systems that were left on
 User must log on in order to change password Set this option to prevent users whose
passwords have expired from logging on. The administrator must change the password.
Users accounts

Look for old user accounts of employees who have left the company and remove the accounts if appropriate.

Check the password options. Should the user be able to change the password? Does the password never expire? Is this
account disabled? If it is disabled, has the user left the company? If so, consider removing the account.

Click the Groups button to determine which groups the user belongs to. Is membership in these groups appropriate for the
user? What rights and permissions does the user obtain from the groups? What access does the group have to other
domains?

Click the Profile button in the New User properties dialog box to check the location of the user's home directory. If you
remove the account, also remove the specified directory. Does the user have a profile, and if so, is it mandatory? Are
System Policies required?

Click the Hours button to evaluate the times that the user can access the network. Make sure no one can log on after hours
if that is your policy.

Click the Logon To button to evaluate which computers the user can log on to. Make sure that no one can log on from a
computer in an unsupervised area.

Click the Account button to set an account expiration date if necessary. All temporary accounts or administrator "test"
accounts should expire automatically.

Click the Dialin button to evaluate dial-in capabilities. If users can dial in, enable Call Back options to a specified
telephone number in the dialog box for added security.
Administrator
•
If you are taking over the management of an existing system, you should change the Administrator account
name and password immediately. You do not know who might have a password that would give them access
to the account.
•
The Administrator account is often the target of attacks because of its well-known name. You should rename
the Administrator account to an obscure name and create a "decoy" account called "Administrator" with no
permissions. Intruders will attempt to break in to this decoy account instead of the real account.
•
Enable failed logons in the auditing system to detect attempts to log on to any account, including
Administrator. Look for unnecessary accounts that have Administrator status. Perhaps an intruder has created
such an account as a backdoor into the system.
•
Review the membership of the Administrators group and the Domain Admins group. Remove all unnecessary
users from this group. If you have a large network that consists of multiple administrators, interview these
administrators on a regular basis to evaluate their activities and need for Administrator status.
•
To protect against the loss of the Administrator, create a "backdoor" Administrator account with an obscure
name and a three-part password. Give three people one part of this password. In the event that Administrator
access is required, all three must be present to access the Administrator account
Guest account
 Users who log on as guests can access any shared folder that the
Everyone group has access to (i.e., if the Everyone group has
Read permissions to the Private folder, guests can access it with
Read permissions).
 You don't know who Guest users are and there is no
accountability because all guests log in to the same account.
 Always disable the Guest account on networks that are
connected to untrusted networks such as the Internet. It provides
too many opportunities for break-ins.
Users Rights

Access this computer from the network By default, only the Administrators and the Everyone
group have this right. Remove the Everyone group (why would you want everyone to access this
server from the network if you are interested in security?), then add specific groups as
appropriate. For example, create a new group called "Network Users" with this right, then add
users who should have network access.

Backup files and directories User's with this right can potentially carry any files off-site.
Carefully evaluate which users and groups have this right. Also evaluate the Restore files and
directories right.

Log on locally For servers, only administrators should have this right. No regular user ever
needs to logon directly to the server itself. By default, the administrative groups
(Administrators, Server Manager, etc.) have this right. Make sure that any user who is a member
of these groups has a separate management account.

Manage auditing and security logs Only the Administrators group should have this right.

Take ownership of files or other objects Only the Administrators group should have this right.
Firewall/Proxy Server
Perimeter Defenses
Proxy
Screening Router
Screening Router
• Screening routers can look at information related to the hard-wired address of
a computer, its IP address (Network layer), and even the types of connections
(Transport layer) and then provide filtering based on that information. A
screening router may be a stand-alone routing device or a computer that
contains two network interface cards (dual-homed system). The router
connects two networks and performs packet filtering to control traffic
between the networks.
• Administrators program the device with a set of rules that define how packet
filtering is done. Ports can also be blocked; for example, you can block all
applications except HTTP (Web) services. However, the rules that you can
define for routers may not be sufficient to protect your network resources,
especially if the Internet is connected to one side of the router. Those rules
may also be difficult to implement and error-prone, which could potentially
open up holes in your defenses.
NT Security
•
Local Security Authority (LSA)
•
This is also known as the Security Subsystem. It is the central component of NT security. It handles local
security policy and user authentication. LSA also handles generating and logging audit messages.
•
Security Account Manager (SAM)
•
SAM handles user and group accounts, and provides user authentication for LSA.
•
Security Reference Monitor (SRM)
•
SRM enforces access validation and auditing for LSA. It checks user accounts as the user tries to access
various files, directories, etc, and either allows or denies access. Auditing messages are generated as a result.
The SRM contains a copy of the access validation code to ensure that resources are protected uniformly
throughout the system, regardless of resource type.
•
User Interface (UI)
•
An important part of the security model, the UI is mainly all that the end user sees, and is how most of the
administration can be performed.
NT Security
• Stand Alone
• Workgroup
• Domain
NT Password
•
\\WINNT\SYSTEM32\CONFIG\SAM is the location of the security database. This is
usually world readable by default, but locked since it is in use by system compotents.
It is possible that there are SAM.SAV files which could be readable. If so, these could
be obtained for the purpose of getting password info.
•
During the installation of NT a copy of the password database is put in
\\WINNT\REPAIR. Since it was just installed, only the Administrator and Guest
accounts will be there, but maybe Administrator is enough
•
If the Sys Admin updates their repair disks, or you get a hold of a copy of the repair
disks, you can get password database. The file is SAM._ in the ERD directory.
•
If you are insane, you can go poking around in the SAM secret keys. First, schedule
service to logon as LocalSystem and allow it to interact with the desktop, and then
schedule an interactive regedt32 session. The regedt32 session will be running as
LocalSystem and you can play around in the secret keys.
Failles
•
•
•
•
NTFSDOS
NeTMonitor
GetAdmin
BackOrifice
NetBios
 NBTSTAT -A x.x.x.x (plug in the IP address of the box you're
after)
 Add the machine name this returns to your LMHOSTS file.
 If you are not on an NT 4.x machine, type NBTSTAT -R to
refresh the NetBios names.
 Try NET VIEW \\machinename to see the shares
 Try DIR \\machinename\share to list shares if open
 Try NET VIEW \\ipaddress or NET VIEW
\\fully.qualified.name.com, which should get you the user names
under NT 4.0.
FTP
• Anonymous
Port Scanner
• Port scanning is a technique to check TCP/IP ports to see what
services are available. For example port 80 is typically a web
server, port 25 is SMTP used by Internet mail and so on. By
scanning and seeing what TCP/IP ports are listening at the end
of a TCP/IP address, you can get an idea as to what type of box
the target might be, what services are available, and possibly
plan an attack if you are aware of an exploit involving a
particular service.
• If port 135, 137, 138, and 139 are open on the target of a scan, it
is quite possible that the target is NT
Denial Of Services
•
Denial of Service (DOS) is simply rendering a service offered by a workstation or server
unavailable to others. This is a controversial subject, since some people think that DOS is not a
hack, or rather juvenile and petty. While I can't think of very many reasons why you might want
to engage in DOS, I still will continue to include this type of material in Hack FAQs. What is
more sad -- the fact that I include them, or the fact that there are so many of them?
•
Reasons that a hacker might want to resort to DOS might include the following:
 A trojan has been installed, but a reboot is required to activate it.
 A hacker wishes to cover their tracks VERY DRAMATICALLY, or cover CPU activity with
a random crash to make the site think it was "just a fluke".
 The hacker isn't a hacker at all, but a pissed off lamer who has a poor outlook and too much
free time.
 The hacker is acting out of the need (or delusion) that the DOS serves a greater good, such
as a DOS attack on Pro Life sites by Pro Choice believers
Ping of Death
• The Ping of Death is a large ICMP packet sent by a workstation
to a target. The target receives the ping in fragments and starts
reassembling the packet. However, due to the size of the packet
once it is reassembled it is too big for the buffer and overflows
it. This causes unpredictable results, such as reboots or hangs.
• Windows 95 and Windows NT are capable of sending such a
packet. By simply typing in "ping -165527 -s 1 <target>" you
can send such a ping. There are also source code examples
available for Unix platforms that allow large ping packets to be
constructed. These sources are freely available on the Internet.
SYN flood Attack
• In the TCP/IP protocol, a three way handshake takes place as a
service is connected to. First in a SYN packet from the client,
with which the service responses with a SYN-ACK. Finally the
client responds to the SYN-ACK and the conversation is
considered started.
• A SYN Flood attack is when the client does not response to the
SYN-ACK, tying up the service until the service times out, and
continues to send SYN packets. The source address of the client
is forged to a non-existant host, and as long as the SYN packets
are sent faster than the timeout rate of the TCP stack waiting for
the time out, the resources of the service will be tied up.
Telnet
• First, by telnetting to port 53, 135, or 1031, and then typing in
about 10 or so characters and hitting enter will cause problems.
If DNS (port 53) is running, DNS will stop. If 135 answers, the
CPU utilization will increase to 100%, slowing performance.
And if port 1031 is hit, IIS will get knocked down. Typically the
fix is to reboot the server, as it will be hung or so slow as to
render it useless.
• Telnetting to port 80 and typing "GET ../.." will also crash IIS.
Registry
Hive
--------------------------HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_LOCAL_MACHINE\SECURITY
HKEY_LOCAL_MACHINE\SYSTEM
HKEY_LOCAL_MACHINE\SAM
HKEY_CURRENT_USER
HKEY_USERS\.DEFAULT
File
-----SOFTWARE
SECURITY
SYSTEM
SAM
USERxxx
ADMINxxx
DEFAULT
Backup File
-----------SOFTWARE.LOG
SECURITY.LOG
SYSTEM.LOG
SAM.LOG
USERxxx.LOG
ADMINxxx.LOG
DEFAULT.LOG
Ciphers
• Used to assure data privacy
• Scrambling of cleartext
data into ciphertext
– Letter of alphabet plus three
• Ciphers use a key to “seed”
the process
– Original input may be recovered
if the key is known
• How do ciphers function?
Ciphers
Input
Cipher
Output
Key
•
•
•
•
Cleartext = ABCDEFGHIJKLM…
Key = 011011010010…
Ciphertext = @#$%!a<ms{`?%…
What are some common types of ciphers?
Ciphers
• Data Encryption Standard - DES
– Developed by National Security
Agency, 1977
– Widely used in banking
• RC4
– Originally designed by RSA
– Mostly used on the Internet
• Others available: IDEA, Safer, etc.
• What makes these ciphers secure?
Ciphers
• Mathematically secure functions
– Input data cannot be recovered
without the key
• Key must be large number of bits
– Makes it impractical to try every possible key
• DES key is 56 bits - 32,000 trillion keys
– $64,000 computer - one year to try every key
• How do we securely distribute the
secret key?
Diffie-Hellman Public Key
• Invented at Stanford - first public-key system
– Used to derive secret keys
– Avoids other nonsecure distribution schemes
• Based on two mathematically related keys
– Regenerated each time a session is initialized
– One kept private the other public (transmitted)
– The private key cannot be derived
from the public key
• Are there other public-key systems?
Public Key - RSA
• Discovered at MIT- while trying to break DH
– Used to transmit secret keys
• Based on two mathematically related keys
– One kept private the other public (posted)
– Data is encrypted with the destination party’s public key he decrypts with his private key
• RSA Security Hole
– Sender can send same session key to an eavesdropper
• How does RSA work?
Public Key - RSA
Session key
A
B
B public key
B private key
1.A generates a session key that it would like
to use to communicate securely with B
Public Key - RSA
Session key
A
2.A obtains B’s public key
B
B public key
B private key
Public Key - RSA
B public key
Session key
A
2.A obtains B’s public key
B
B public key
B private key
Public Key - RSA
B public key
Session key
A
3.A encrypts the session key
with B’s public key
B
B public key
B private key
Public Key - RSA
Session key
A
3.A encrypts the session key
with B’s public key
B
B public key
B private key
Public Key - RSA
Session key
A
4.A transmits the encrypted
session key to B
B
B public key
B private key
Public Key - RSA
Session key
Session key
A
B
B public key
B private key
4. A transmits the encrypted
session key to B
Public Key - RSA
Session key
Session key
A
B
B public key
B private key
4. A transmits the encrypted
session key to B
Public Key - RSA
Session key
A
B
Session
B
publickey
key
B private key
4. A transmits the encrypted
session key to B
Public Key - RSA
Session key
A
B
5.B decrypts the received session
key using his private key
Session
B
publickey
key
B private key
Public Key - RSA
Session key
A
B
Session key
5. B decrypts the received session
key using his private key
Public Key - RSA
Session key
A
B
Session key
6.A and B can now communicate securely
using the same session key
Public Key - RSA
Session key
A
B
Session key
6. A and B can now communicate securely
using the same session key
A can send the same session key to someone else who
can then decipher data between A and B
Public Key - RSA
Session key
A
Session key
B
Session key
C
• A sends the same session key to C by using
C’s public key
Public Key - RSA
Session key
A
Session key
B
Session key
C
• C can now read the data transmitted
between A and B that B thought
was secure
Public Key - RSA
Session key
A
Session key

B
Session key
C
C can now read the data transmitted
between A and B that B thought
was secure
How does Diffie-Hellman work?
Ciphers And Public Keys
• Ciphers provide data privacy
– Nobody else can read the data
you transmit
• High-speed ciphers, DES, use
the same key for encryption
and decryption
• Diffie-Hellman public key gets the secret
session key to both parties
• What provides authenticity
and data integrity?
Digital Signatures
• More features than paper signatures
1. Identifies sender
2. Provides data integrity
• Data has not been modified
in transit
• Requires use of a hash
• What is a hash?
Digital Signatures - Hash
Data
Hash
function
Message digest
• One-way function, cannot recover input
• Provides a fixed-length output for any length input
and a different output for a different input
• Secure hash algorithm - 160-bit length
• How is a hash used in a digital signature?
Digital Signatures
Data
Hash
function
• Sender creates hash
Sender’s private key
Digital Signatures
Data
Hash
function
• Sender creates hash,
“signs” the hash
Encrypt
Sender’s private key
Digital Signatures
Data
Hash
function
Encrypt
“Signed” hash
Data
• Sender creates hash,
“signs” the hash,
and transmits data
and “signed” hash
Digital Signatures
“Signed” hash
Decrypt
Sender’s public key
• Receiver decrypts “signed” hash
Digital Signatures
“Signed” hash
Data
Sender’s public key
Decrypt
Hash
function
• Receiver decrypts “signed” hash, generates
new hash
Sender’s public key
“Signed” hash
Digital Signatures
Decrypt
=
Data
Validated
Hash
function
Abort
• Receiver decrypts “signed” hash, generates
new hash,
and compares both hashes
Digital Signatures
• Certifies data has not been
modified since “signed”
• A digital signature alone does
not allow the receiver to prove authenticity
of the sender
• Anyone could masquerade as
A by proposing a public key for
A and signing with the associated private
key
• How can B trust that A is A?
Digital Certificate
• Certification of authenticity
• Analogies:
– Driver’s license, passport, company ID
• Digital certificate provides authentication
through a digital signature of a third party
• How does a digital certificate work?
Digital Certificate
John Smith
XYZ Company
3#7uKy&&2@~?:[}FGRbv+0Jr%6^2#<,”
un*HtR-+’L<khYHr4$3&^^(0{/?m`~IJ
Hash signed by a respected authority - CA
• Includes personal info,
public key, and hash
• Hash is signed by certification authority’s
private key
• How do I get a certificate
and what is the benefit?
Digital Certificate
John Smith
XYZ Company
3#7uKy&&2@~?:[}FGRbv+0Jr%6^2#<,”
un*HtR-+’L<khYHr4$3&^^(0{/?m`~IJ
Hash signed by a respected authority - CA
• John brings his personal info and public key
to a respected authority
• Certification authority creates hash of
John’s info and public key and then signs
with CA’s private key
• So what is the benefit?
Digital Certificate
John Smith
XYZ Company
3#7uKy&&2@~?:[}FGRbv+0Jr%6^2#<,”
un*HtR-+’L<khYHr4$3&^^(0{/?m`~IJ
Hash signed by a respected authority - CA
• John can present his certificate as proof that
he appeared in front of a CA and said “this
is my public key”
• John’s certificate can be validated subject to
the credibility of the CA
• John is now authenticated
Use Of Digital Certificates
• Secure e-mail
– Privacy and integrity of message
– Authentication of sender
• Corporate security officer issues address books
with attached certificates
– Recipient receives only private messages after
integrity is verified and sender is authenticated
• Users can generate certificates and
attach them to messages for
noncompany e-mail