CIS 450 – Network Security

Chapter 2 – How and Why Hackers Do It
 What is an Exploit – anything that can be used to compromise a machine/network
 Compromises include
    Gaining access
    Simplifying gaining access
    Taking a system offline
    Desensitizing sensitive information
 Critical to minimize the risk while reducing the impact it has on overall functionality
The Attacker’s Process
 Passive Reconnaissance
    Attacker must have some general information
    Used to properly position themselves
    Sniffing: sitting on a network segment watching and recording all traffic (especially passwords)
    Information gathering to help launch an active attack
The Attacker’s Process
 Active Reconnaissance
    Gather the additional information the hacker is after
    Active probing of the system to find out additional information
       Find out IP address of firewall and routers
       Version of operating system
    It is critical that there be some form of logging & review to catch active reconnaissance.
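The logging-and-review point above, as an added example that is not from the course slides: a small review check over constructed firewall deny-log lines (format "<epoch> DENY <src> -> <dst>:<port>", assumed here) that flags a source probing many distinct ports on one host within a short window.

```python
# Added example, not from the course slides: a small log-review check for the
# active reconnaissance the slide says must be logged and reviewed. It flags a
# source that probes many distinct ports on one host in a short window.
# The log lines are constructed: "<epoch> DENY <src> -> <dst>:<port>".
from collections import defaultdict

SAMPLE_LOG = """\
1700000001 DENY 203.0.113.5 -> 192.0.2.10:21
1700000001 DENY 203.0.113.5 -> 192.0.2.10:22
1700000002 DENY 203.0.113.5 -> 192.0.2.10:23
1700000002 DENY 203.0.113.5 -> 192.0.2.10:25
1700000003 DENY 203.0.113.5 -> 192.0.2.10:80
1700000003 DENY 203.0.113.5 -> 192.0.2.10:110
1700000004 DENY 203.0.113.5 -> 192.0.2.10:143
1700000004 DENY 203.0.113.5 -> 192.0.2.10:443
1700000005 DENY 198.51.100.7 -> 192.0.2.10:80
1700000099 DENY 198.51.100.7 -> 192.0.2.10:80
"""

def parse_line(line):
    """Return (timestamp, src, dst, port) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "DENY" or parts[3] != "->":
        return None
    dst, port = parts[4].rsplit(":", 1)
    return int(parts[0]), parts[2], dst, int(port)

def find_port_sweeps(log_text, window=60, min_ports=5):
    """Return {src: sorted ports} for each source that hit at least min_ports
    distinct ports on a single destination within `window` seconds."""
    events = defaultdict(list)            # (src, dst) -> [(ts, port), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst, port = rec
            events[(src, dst)].append((ts, port))
    hits = {}
    for (src, dst), evs in events.items():
        evs.sort()
        # Slide a window starting at each event; count distinct ports inside it.
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits
```

The second source appears twice on the same port, so it stays below the threshold; only the eight-port sweep is reported.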
The Attacker’s Process
 Exploiting the System
 Gaining Access
    Operating System Attacks – the default install of most operating systems has a large number of services running and ports open
    Application-level Attacks – take advantage of the less-than-perfect security found in most of today’s software
    Scripts & Sample Program Attacks – sample files and scripts that come with operating systems/applications
The Attacker’s Process
 Exploiting the System
 Gaining Access – continued
    Misconfiguration Attacks: don’t bother to remove unneeded services or software
    Elevating Privileges: goal is to gain either root or administrator access to a system
    Denial of Service: deny legitimate users access to a resource
The Attacker’s Process
 Uploading Programs – can be used to:
    Increase access
    Compromise other systems on the network
    Upload tools to compromise other systems
    Download data
 Keeping Access
    Put a back door in for when the attacker wants to return (use a Trojan horse program)
The Attacker’s Process
 Covering Tracks
    Clean up the log files
    Turn off logging as soon as access is gained
    Change file properties back to their original settings. To combat this, use programs that calculate checksums.
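The checksum defence above, as an added example that is not from the course slides: a minimal baseline of SHA-256 digests for log files, with a constructed scenario in which a line is removed from a log and its modification time is put back. The file names and log contents are constructed for the demonstration.

```python
# Added example, not from the course slides: a minimal checksum baseline for
# log files. Putting a file's timestamp back after editing it fools an
# mtime check, but not a cryptographic hash of the contents.
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(paths):
    """Record (sha256, mtime_ns) per file; store this copy off the monitored host."""
    return {p: (file_digest(p), os.stat(p).st_mtime_ns) for p in paths}

def verify(base):
    """Compare current files against the baseline; returns {path: status}."""
    report = {}
    for path, (digest, mtime_ns) in base.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif file_digest(path) != digest:
            # The hash is authoritative even when the timestamp looks untouched.
            same_time = os.stat(path).st_mtime_ns == mtime_ns
            report[path] = "modified (mtime restored)" if same_time else "modified"
        else:
            report[path] = "ok"
    return report

def demo():
    """Constructed scenario: two logs; one gets a line removed and its mtime put back."""
    with tempfile.TemporaryDirectory() as d:
        auth, syslog = os.path.join(d, "auth.log"), os.path.join(d, "syslog")
        with open(auth, "w") as f:
            f.write("sshd: Accepted password for admin from 203.0.113.5\n"
                    "sshd: Failed password for root from 203.0.113.5\n")
        with open(syslog, "w") as f:
            f.write("kernel: eth0 entered promiscuous mode\n")
        base = baseline([auth, syslog])
        # Covering tracks: rewrite auth.log without the failed-login line,
        # then restore the original modification time.
        with open(auth, "w") as f:
            f.write("sshd: Accepted password for admin from 203.0.113.5\n")
        os.utime(auth, ns=(base[auth][1], base[auth][1]))
        return {os.path.basename(p): s for p, s in verify(base).items()}
```

The baseline only helps if it is stored where an attacker with access to the host cannot rewrite it alongside the logs.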
The Types of Attacks
 Active Attacks – a deliberate action on the part of the attacker to gain access to the information he is after
    Denial of Service
    Intelligence gathering
    Resource usage
    Deception
 Passive Attacks – geared to gathering information rather than gaining access
Categories of Exploits
 Over the Internet
    Coordinated attacks – coordinate with other users and machines on a network (other users do not have to be aware that they are being used in the attack)
    Session hijacking – taking over a session after a legitimate user has gained access & authentication
    Spoofing – impersonating or assuming an identity that is not your own. Very effective with trust relationships.
Categories of Exploits
 Over the Internet – continued
    Relaying – an attacker relays or bounces an attack through a third party’s machine so it looks like the attack came from the third party and not from him
    Trojan Horses or Viruses
Categories of Exploits
 Over the LAN
    A large number of attacks come from trusted insiders
    An attacker who breaks in as a legitimate user gets the full access that user would have
    Sniffing Traffic – easier on a hub than on a switched network. Network cards should not be set to promiscuous mode.
Categories of Exploits
 Over the LAN – continued
 Sniffing – Hub vs. Switch

The difference is in what a switch does versus what a hub does. A hub is
really a layer 1 device, simply a repeater. Putting a sniffer on a hub
truly allows you to monitor ALL traffic on that network segment.

A switch operates at layer 2, and sorts traffic based on destination MAC
address. Thus, if a packet is sent to one specific host, and the switch
knows which port that host lives on, only that host will get the traffic.
If a packet is broadcast to the whole network, then the switch forwards that
to all ports, since there cannot be a MAC address correlated to a broadcast
address. Putting a sniffer on a standard switch port then will only be able
to see traffic in and outbound from itself, plus the local network segment
broadcast traffic.

Most switches, at least at the enterprise level, allow configuring at least
1 port as a "monitoring" port. When this mode is enabled, the switch will
pass all traffic to the destination port and to the monitoring port. So if
you hang a sniffer off that port, you can then see all traffic on the
segment, at least from those devices attached to that switch.
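The hub, switch and monitor-port behaviour described above, as an added example that is not from the course slides: a toy model of frame delivery that records what a sniffer on a normal port and on a mirror port actually captures. Port numbers, MAC addresses and the frame sequence are constructed.

```python
# Added example, not from the course slides: a toy model of frame delivery on a
# hub versus a learning switch, showing what a sniffer on a normal port and on a
# monitor (mirror) port captures. MAC addresses and frames are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"
A, B = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"

class Hub:
    """Layer-1 repeater: every frame is copied to every port except the ingress."""
    def __init__(self, ports):
        self.ports = list(ports)
    def forward(self, in_port, src, dst):
        return sorted(p for p in self.ports if p != in_port)

class Switch:
    """Layer-2 switch: learns source MACs, sends known unicast to one port,
    floods unknown unicast and broadcast, and mirrors everything to `monitor`."""
    def __init__(self, ports, monitor=None):
        self.ports, self.monitor, self.cam = list(ports), monitor, {}
    def forward(self, in_port, src, dst):
        self.cam[src] = in_port                              # MAC learning
        if dst != BROADCAST and dst in self.cam:
            out = {self.cam[dst]}                            # known unicast
        else:
            out = {p for p in self.ports if p != in_port}    # flood
        if self.monitor is not None:
            out.add(self.monitor)                            # SPAN copy
        out.discard(in_port)
        return sorted(out)

def sniffer_sees(device, sniffer_port, frames):
    """Push frames through the device; return (src, dst) of those reaching the sniffer."""
    return [(src, dst) for in_port, src, dst in frames
            if sniffer_port in device.forward(in_port, src, dst)]

# Constructed traffic: A on port 1, B on port 2, sniffer on port 3.
FRAMES = [
    (2, B, A),          # B -> A before A is learned: unknown unicast, flooded
    (1, A, BROADCAST),  # A broadcasts (e.g. ARP): always flooded
    (1, A, B),          # A -> B: B known, delivered to port 2 only
    (2, B, A),          # B -> A: A known now, delivered to port 1 only
]

def compare():
    """Frames captured on port 3 for a hub, a plain switch port, and a monitor port."""
    return {
        "hub": sniffer_sees(Hub([1, 2, 3]), 3, FRAMES),
        "switch": sniffer_sees(Switch([1, 2, 3]), 3, FRAMES),
        "switch_monitor": sniffer_sees(Switch([1, 2, 3], monitor=3), 3, FRAMES),
    }
```

On the plain switch port the sniffer captures only the flooded frames (the unknown-unicast one and the broadcast); the hub and the monitor port deliver all four.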
Categories of Exploits
 Over the LAN – continued
    Broadcasts – using the TCP/IP broadcast address, which sends a packet to every machine on the network segment
    File Access
    Remote Control – controlling the machine as if you were sitting at it
    Application Hijacking – similar in concept to session hijacking. Involves taking over an application & gaining unauthorized access.
Categories of Exploits
 Locally
    Shoulder Surfing – watching someone as they type in their password
    Unlocked Terminals
    Written Passwords
    Unplugging Machines
    Local Logon
 Offline
    Download Password File
Categories of Exploits
 Offline – continued
    Download Encrypted Text – the longer the key, the longer it will take to break
    Copying large amounts of data to a removable drive to look at offsite later
Routes Attackers Use to Get In
 Ports – the windows and doors of a computer system; the more ports that are open, the more points of vulnerability
    http://www.stengel.net/tcpports.htm
    http://www.iss.net/security_center/advice/Exploits/Ports/default.htm
 Services – programs running on a machine to perform a specific function. If a service is running as root, any command it executes runs as root. Have to limit the number of services running and at what priority they are running.
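The ports-and-services point above, as an added example that is not from the course slides: decoding the Linux /proc/net/tcp table to list listening ports and flag those owned by root and bound to every interface. The table text is a constructed sample in the real file's layout (hex little-endian address, state code 0A for LISTEN, uid in the eighth column).

```python
# Added example, not from the course slides: decode the Linux /proc/net/tcp
# table to list listening ports and flag those owned by root (uid 0), which
# is the "more open ports, more points of vulnerability" check done offline.
# The table below is a constructed sample in the real file's format.
import socket
import struct

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A00020F:0016 0A000205:C350 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
"""
LISTEN = "0A"   # TCP state code for LISTEN in /proc/net/tcp

def decode_addr(hex_addr):
    """'0100007F:0019' -> ('127.0.0.1', 25). IPv4 is stored little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def listening_sockets(table_text):
    """Return [(ip, port, uid)] for every LISTEN entry, sorted by port."""
    rows = []
    for line in table_text.splitlines()[1:]:      # skip header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        rows.append((ip, port, int(fields[7])))
    return sorted(rows, key=lambda r: r[1])

def root_exposed(table_text):
    """Listening sockets owned by root and bound to all interfaces: the
    combination the slide warns about (root service + externally open port)."""
    return [(ip, port) for ip, port, uid in listening_sockets(table_text)
            if uid == 0 and ip == "0.0.0.0"]
```

On a live Linux host the same functions can be fed the contents of /proc/net/tcp directly; the loopback-only listener is reported but not flagged.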
Routes Attackers Use to Get In
 Third-Party Software
 Operating System – default install is to leave most ports open and services running
 Passwords
 Social Engineering
 Trojan Horses – overt (open)/covert (hidden feature)
 Inference Channels – gathers information from open sources and surrounding events
Routes Attackers Use to Get In
 Covert Channels – involves a trusted insider who is sending information to an unauthorized outsider
Goals Attackers Try to Achieve
 Goals of Information Security
 Confidentiality – preventing, detecting, or deterring the improper disclosure of information
    Hacker’s Goal – credit card information, competitor information, identity theft
 Integrity – preventing, detecting, or deterring the improper modification of data
    Hacker’s Goal – change data for own purposes
 Availability – preventing, detecting, or deterring the unauthorized denial of service to data
    Hacker’s Goal – denying access to all key components of the system