Transcript Document

© Centre for Development of Advanced Computing, Hyderabad
Presentation Outline
• Theory about Hackers
• Some Common Attacks (Theory)
• Buffer Overflow Case Study:
– Buffer Overflow in Microsoft RPC DCOM implementation
Hacking Techniques Demonstration
We believe…
• Think like a hacker, to stop intrusions into your own network
• Protect your network before they (evil hackers) attack the vulnerabilities in it
What is hacking
• Hacking is exploring the details of programmable systems
• Stretching the capabilities of computer systems
• Sharing one’s computer expertise
• Can also mean breaking into computer systems (cracking)
Hackers saw programming as a form of artistic expression, and the computer was the instrument of their art
Difference between Hackers and Crackers
• HACKER
– A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
– One who programs enthusiastically (even obsessively), or who enjoys programming rather than simply theorizing about programming.
– Positive
• CRACKER (goals when targeting your host)
– gaining access to important information that you have (surely you are a V.I.P. in the computer world and you are being seriously hunted);
– gaining access to your system resources;
– interrupting your host’s efficiency (with no threat of exposure); this may be dangerous if your clients require uninterrupted service from your host;
– forming a base to implement the above goals while attacking another computer; in this case, the logs of the attacked computer will show that the attack was performed from your address;
– checking out the mechanism of attacks against other systems.
– Negative
Hacking History
• 1969 - Unix ‘hacked’ together
• 1971 - Cap ‘n Crunch phone exploit discovered
• 1988 - Morris Internet worm crashes 6,000 servers
• 1994 - $10 million transferred from CitiBank accounts
• 1995 - Kevin Mitnick sentenced to 5 years in jail
• 2000 - Major websites succumb to DDoS
• 2000 - 15,700 credit and debit card numbers stolen from Western Union (hacked while web database was undergoing maintenance)
• 2001 - Code Red
– exploited bug in MS IIS to penetrate & spread
– probes random IPs for systems running IIS
– had trigger time for denial-of-service attack
– 2nd wave infected 360,000 servers in 14 hours
• Code Red 2 - had backdoor installed to allow remote control
• Nimda - used multiple infection mechanisms: email, shares, web client, IIS
• 2002 - Slammer Worm brings web to its knees by attacking MS SQL Server
• 2003 - MS Blast worm exploited the vulnerability in the MS RPC DCOM implementation
• 2004 - MyDoom worm performs DDoS against MS and SCO web sites
• …
Hackers’ Motivations
• Fun
• Profit
• Extortion
• Technical reputation
• Scorekeeping
• Revenge/maliciousness
• Intellectual challenges
• Desire to embarrass
• Experimentation
• Self gratification
• Problem solving
• Exposing system weakness
• Want to be hero of the wild Internet
Types of hackers
• Professional hackers
– Black Hats – the bad guys
– White Hats – professional security experts
• Script kiddies
– Mostly kids/students
– Use tools created by black hats
• To get free stuff
• Impress their peers
• Not get caught
• Underemployed adult hackers
– Former script kiddies
• Can’t get employment in the field
• Want recognition in hacker community
• Ideological hackers
– Hack as a mechanism to promote some political or ideological purpose
– Usually coincide with political events
• Criminal hackers
– Real criminals, in it for whatever they can get no matter who it hurts
• Corporate spies
– Are relatively rare
• Disgruntled employees
– Most dangerous to an enterprise as they are “insiders”
– Since many companies subcontract their network services, a disgruntled vendor could be very dangerous to the host enterprise
Types of Attacks
• Internal – like Technical attacks
• External – like Social Engineering
Without Hackers,
• Programming languages such as C and C++ would not exist
• Operating systems such as Unix and Linux would not exist
• Microsoft might not have been developed
• Basically, no one would be designing new types of software
• Antivirus companies would not have become billionaires
With Hackers that crack,
• Security is thought of, and efforts are put forward to making information more private
• Free software is made available because of these people
• These crackers create jobs for others to stop them
• Since home users are more vulnerable, with less security, they are an easy target for people to hack into for fun
• Software developers improve their software
Hacking is healthy to the computer industry?
Threats to the Information System
Autonomous Agents, Back Doors, Backup Theft, Call Forwarding Fakery, Condition Bombs,
Covert Channels, Cracking, Data Aggregation, Data Diddling, Data Theft, Degradation
of Service, Denial of Service, Dumpster Diving, E-mail Overflow, E-Mail Spoofing,
Excess Privileges, False Updates, Get a Job, Hangup Hooking, Illegal Value Insertion,
Invalid Values on Calls, Induced Stress Failures, Infrastructure Interference,
Infrastructure Observation, Input Overflow, IP Spoofing, Logic Bombs, Login Spoofing,
Masquerading, MIP Sucking, Network Services Attacks, Backup Information, Open
Microphone Listening, Packet Insertion, Packet Sniffing, Password Cracking, Password
Guessing, Password Sniffing, PABX Bugging, Phracking, Phreaking, Ping of Death,
Piracy, Process Bypassing, Protection Limit Poking, Salami Technique, Scanning,
Session Hijacking, Shoulder Surfing, Social Engineering, Spamming, Sympathetic
Vibration, Time Bombs, Timing Attacks, Toll Fraud Networks, Traffic Analysis, Trap
Doors, Trojan Horses, Tunneling, Use Bombs, Van Eck Bugging, Viruses, Wiretapping,
Worms
How Hackers can Access Your Network
(Figure: entry points into the network – Internet, Wireless, Modem, and the physical Door)
Once inside, the hacker can...
• Modify logs
– To cover their tracks
– To mess with you
• Steal files
– Sometimes destroy after stealing
– A pro would steal and cover their tracks so to be undetected
• Modify files
– To let you know they were there
– To cause mischief
• Install back doors
– So they can get in again
• Attack other systems
Some Common Attacks
TCP SYN flood
(Figure: in the normal handshake the client sends a SYN RQST and the server replies SYN ACK; in the attack, zombies send spoofed SYN RQSTs to the victim, the victim’s SYN ACKs go unanswered, and its waiting buffer overflows)
Distributed Denial of Service
(Figure: zombies on innocent computers launch infrastructure-level, bandwidth-level and server-level DDoS attacks)
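The slide shows the victim’s waiting buffer filling with half-open connections. The following C program is an added example, not part of the C-DAC deck: it reads a constructed, netstat-style connection table (the rows, the server address 192.168.51.36 and the source addresses are all made up for the demo), counts SYN_RECV entries per foreign address, and reports sources above a threshold. Since the slide notes the SYNs are spoofed, the reported “source” is only what the packets claimed, which is why the check is useful for triage (rate-limit or enable SYN cookies) rather than for attribution.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a server's connection table in `netstat -ant` style
 * (not a real capture). 192.168.51.36 is the server; SYN_RECV rows are
 * half-open connections whose SYN ACK was never answered. 203.0.113.7 is
 * whatever the spoofed SYNs claimed, not necessarily the attacker. */
static const char *const SAMPLE_TABLE[] = {
    "tcp  0 0 192.168.51.36:80 192.168.51.35:41532 ESTABLISHED",
    "tcp  0 0 192.168.51.36:80 203.0.113.7:1025   SYN_RECV",
    "tcp  0 0 192.168.51.36:80 203.0.113.7:1026   SYN_RECV",
    "tcp  0 0 192.168.51.36:80 198.51.100.9:5000  SYN_RECV",
    "tcp  0 0 192.168.51.36:80 203.0.113.7:1027   SYN_RECV",
    "tcp  0 0 192.168.51.36:80 203.0.113.7:1028   SYN_RECV",
};
#define SAMPLE_ROWS (sizeof SAMPLE_TABLE / sizeof SAMPLE_TABLE[0])

#define MAX_SOURCES 128
typedef struct { char ip[64]; int half_open; } SourceCount;

/* Parse one row. Copies the foreign IP (port stripped) into ip and returns
 * 1 if the row is SYN_RECV, 0 for any other state, -1 if it cannot be parsed. */
int parse_row(const char *row, char *ip, size_t cap)
{
    char foreign[64], state[32];
    if (sscanf(row, "%*s %*d %*d %*s %63s %31s", foreign, state) != 2)
        return -1;
    char *colon = strrchr(foreign, ':');
    if (colon) *colon = '\0';                 /* drop the ":port" suffix */
    snprintf(ip, cap, "%s", foreign);
    return strcmp(state, "SYN_RECV") == 0;
}

/* Count half-open connections per foreign IP. Returns the number of
 * distinct sources written to out (at most max). */
int tally_half_open(const char *const *rows, size_t n, SourceCount *out, int max)
{
    int used = 0;
    for (size_t r = 0; r < n; r++) {
        char ip[64];
        if (parse_row(rows[r], ip, sizeof ip) != 1)
            continue;                         /* skip non-SYN_RECV and bad rows */
        int i;
        for (i = 0; i < used; i++)
            if (strcmp(out[i].ip, ip) == 0) break;
        if (i == used) {
            if (used == max) continue;        /* table full: drop, never overrun */
            snprintf(out[used].ip, sizeof out[used].ip, "%s", ip);
            out[used].half_open = 0;
            used++;
        }
        out[i].half_open++;
    }
    return used;
}

/* Returns the number of sources holding more than threshold half-open
 * connections; the first offender's IP is copied into worst (if any). */
int syn_flood_suspects(const char *const *rows, size_t n, int threshold,
                       char *worst, size_t cap)
{
    SourceCount counts[MAX_SOURCES];
    int sources = tally_half_open(rows, n, counts, MAX_SOURCES);
    int suspects = 0;
    if (cap) worst[0] = '\0';
    for (int i = 0; i < sources; i++) {
        if (counts[i].half_open > threshold) {
            if (suspects == 0) snprintf(worst, cap, "%s", counts[i].ip);
            suspects++;
        }
    }
    return suspects;
}

/* Convenience wrappers for the sample. Threshold 3 is deliberately low for
 * a six-row table; a real host would use a much higher per-source limit. */
static char demo_worst_ip[64];
int demo_suspects(void)
{
    return syn_flood_suspects(SAMPLE_TABLE, SAMPLE_ROWS, 3,
                              demo_worst_ip, sizeof demo_worst_ip);
}
const char *demo_worst(void) { return demo_worst_ip; }

int main(void)
{
    int n = demo_suspects();
    printf("%d source(s) over threshold; first: %s\n", n, n ? demo_worst() : "-");
    return 0;
}
```

The parser keys on the sixth column so it also skips ESTABLISHED rows, and the tally deliberately refuses to grow past MAX_SOURCES instead of overrunning its own table, which matters when the input is produced by an attacker choosing thousands of spoofed addresses.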
Smurf Amplification
(Figure: the zombie sends a ping.rqst with src = victim and dst = the direct broadcast address amp.255 of the network amp/255.255.255.0; every host on that network answers the victim, so one request (labelled 1) becomes many replies (labelled 500) arriving at the victim)
Spoofing
(Figure: X asks “Mr. Z is that you?”; Y answers “Yes I’m here!”, impersonating Z)
Social Engineering
“social engineering is a term that is used by hackers and crackers to denote unauthorized access by methods other than cracking software”
Attacker: Good afternoon. Is this Mr. Devesh?
Devesh: Yes
Attacker: Sorry to disturb you. I understand that you are very busy, but I cannot log into the network.
Devesh: And what does the computer tell you?
Attacker: “Wrong password.”
Devesh: Are you sure you are using the correct password?
Attacker: I don’t know. I don’t remember the password very well.
Devesh: What is your login name?
Attacker: Devesh
Devesh: OK, I’ll assign you a new password… Hmm… let it be art25. Got it?
Attacker: I’ll try. Thank you.
Passive Sniffing
(Figure: in hub networks every station receives every frame, so a SNIFFER on the hub captures the login exchange “login: devesh / passwd: india123” in clear text)
Active Sniffing
(Figure: a switch with three ports – Port 1 – 00:00:00:AA:AA:AA, Port 2 – 00:00:00:BB:BB:BB, Port 3 – 00:00:00:CC:CC:CC; the switch delivers a frame only to the port of its destination MAC, so a sniffer on port 3 does not see the traffic between ports 1 and 2)
How ARP Works
(Figure: A is IP 192.168.51.35 / MAC 00:00:00:AA:AA:AA; B is IP 192.168.51.36 / MAC 00:00:00:BB:BB:BB)
ARP Request (A, broadcast): Who has 192.168.51.36?
ARP Reply (B): 192.168.51.36 is at 00:00:00:BB:BB:BB
A’s internal ARP cache afterwards: 192.168.51.36 – 00:00:00:BB:BB:BB
B’s internal ARP cache afterwards: 192.168.51.35 – 00:00:00:AA:AA:AA
ARP Cache Poisoning
(Figure: System A is IP 192.168.51.35 / MAC 00:00:00:AA:AA:AA; System B is IP 192.168.51.36 / MAC 00:00:00:BB:BB:BB; the Attacker is IP 192.168.51.37 / MAC 00:00:00:CC:CC:CC)
Attacker to A: 192.168.51.36 is at 00:00:00:CC:CC:CC
Attacker to B: 192.168.51.35 is at 00:00:00:CC:CC:CC
A’s internal ARP cache after poisoning: 192.168.51.36 – 00:00:00:CC:CC:CC
B’s internal ARP cache after poisoning: 192.168.51.35 – 00:00:00:CC:CC:CC
Attacker’s internal ARP cache: 192.168.51.36 – 00:00:00:BB:BB:BB, 192.168.51.35 – 00:00:00:AA:AA:AA
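The two poisoned replies above are detectable because they contradict bindings the network has already seen. The C program below is an added example (not from the C-DAC deck): a small ARP monitor that records every “ip is at mac” reply, mirrors a host cache by letting the latest reply win, and flags two things the slide’s attack produces, an IP whose MAC suddenly changes and one MAC answering for several IPs. The replay uses the slide’s addresses; the flag names, the table size and the monitor API are my own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 64

typedef struct { char ip[16]; char mac[18]; } ArpEntry;
typedef struct { ArpEntry e[MAX_ENTRIES]; int n; } ArpMonitor;

/* Findings returned by observe_arp_reply as a bitmask. */
enum {
    ARP_CONSISTENT  = 0,  /* reply matches what we already knew */
    ARP_NEW_BINDING = 1,  /* first time this IP was seen */
    ARP_MAC_CHANGED = 2,  /* IP now claims a different MAC: poisoning suspect */
    ARP_MAC_REUSED  = 4,  /* this MAC already answers for another IP */
    ARP_TABLE_FULL  = 8   /* could not record the binding */
};

void arp_monitor_init(ArpMonitor *m) { m->n = 0; }

/* Process one ARP reply "ip is at mac" as seen on the wire. The monitor
 * keeps the latest binding (as a host cache would) but reports every change. */
int observe_arp_reply(ArpMonitor *m, const char *ip, const char *mac)
{
    int flags = ARP_CONSISTENT, found = -1;
    for (int i = 0; i < m->n; i++) {
        if (strcmp(m->e[i].ip, ip) == 0)
            found = i;
        else if (strcmp(m->e[i].mac, mac) == 0)
            flags |= ARP_MAC_REUSED;          /* one MAC, several IPs */
    }
    if (found < 0) {
        if (m->n == MAX_ENTRIES) return flags | ARP_TABLE_FULL;
        found = m->n++;
        snprintf(m->e[found].ip, sizeof m->e[found].ip, "%s", ip);
        flags |= ARP_NEW_BINDING;
    } else if (strcmp(m->e[found].mac, mac) != 0) {
        flags |= ARP_MAC_CHANGED;
    }
    snprintf(m->e[found].mac, sizeof m->e[found].mac, "%s", mac);
    return flags;
}

static int g_last_flags;   /* flags of the most recent reply in the replay */

/* Replays the slide's sequence: A and B learn each other legitimately, then
 * 00:00:00:CC:CC:CC answers for both. Returns how many replies raised an
 * alert (any flag other than NEW_BINDING / CONSISTENT). */
int replay_slide_scenario(void)
{
    static const struct { const char *ip, *mac; } replies[] = {
        { "192.168.51.35", "00:00:00:AA:AA:AA" },   /* A's legitimate reply */
        { "192.168.51.36", "00:00:00:BB:BB:BB" },   /* B's legitimate reply */
        { "192.168.51.36", "00:00:00:BB:BB:BB" },   /* repeat: consistent */
        { "192.168.51.36", "00:00:00:CC:CC:CC" },   /* poison aimed at A */
        { "192.168.51.35", "00:00:00:CC:CC:CC" },   /* poison aimed at B */
    };
    ArpMonitor m;
    arp_monitor_init(&m);
    int alerts = 0;
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++) {
        g_last_flags = observe_arp_reply(&m, replies[i].ip, replies[i].mac);
        if (g_last_flags & (ARP_MAC_CHANGED | ARP_MAC_REUSED | ARP_TABLE_FULL)) {
            alerts++;
            printf("ALERT: %s now claimed by %s (flags %d)\n",
                   replies[i].ip, replies[i].mac, g_last_flags);
        }
    }
    return alerts;
}

int replay_last_flags(void) { return g_last_flags; }

int main(void) { printf("%d alert(s)\n", replay_slide_scenario()); return 0; }
```

In the replay the fourth reply trips ARP_MAC_CHANGED alone, and the fifth trips both ARP_MAC_CHANGED and ARP_MAC_REUSED because 00:00:00:CC:CC:CC is by then already recorded for 192.168.51.36. A legitimate NIC replacement also produces ARP_MAC_CHANGED, so a deployed monitor should log and rate-limit the alert rather than block on it; static ARP entries or switch-side dynamic ARP inspection are the preventive controls.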
Attack Methodology
The Beginning – Goal: decide why this system should be attacked.
Steps
1. Gather information about the victim hosts
2. Locate the victim hosts with some scanning program
3. Identify the victim host’s vulnerability
4. Attack the victim host via this vulnerability
5. Establish backdoors for later access
6. After break-in, use this victim host to
– install a rootkit to cover tracks
– run a sniffer to collect user password information
– hack or attack other networks
– use this victim host’s resources to carry out their activities
– deface web pages for certain assertions
Buffer Overflow
In general, a buffer overflow attack involves the following steps:
i. stuffing more data into a buffer than it can handle
ii. overwriting the return address of a function
iii. switching the execution flow to the hacker’s code
Case Study : Buffer Overflow
• Buffer Overflow Vulnerability in Windows RPC DCOM Implementation
About Vulnerability
• The vulnerability within Microsoft’s RPC DCOM implementation was made public on July 16th 2003
– Attackers can execute the code of their choice with system privilege by exploiting this buffer overflow problem
• First version of the exploit was released on July 23, 2003 by XFOCUS (only DoS, by crashing svchost.exe)
• Second version of the exploit was released on July 25th 2003 by Metasploit (allows spawning and binding a command shell with system privilege on the remote machine)
• A backdoor trojan was found on affected machines on 2nd August 2003
• On August 11th the worm known as MS Blast was discovered, which infected hundreds of thousands of machines within a few hours
Reason for Buffer Overflow
• Problem due to an unchecked parameter within a DCOM function
– HRESULT CoGetInstanceFromFile(
      IN COSERVERINFO * pServerInfo,
      IN CLSID * pClsid,
      IN IUnknown * punkOuter,   // only relevant locally
      IN DWORD dwClsCtx,
      IN DWORD grfMode,
      IN OLECHAR * szName,
      IN DWORD dwCount,
      IN OUT MULTI_QI * pResults );
• This function is used to create a new object and initialize it from a file
• The sixth parameter, i.e. szName, is allocated a space of 0x20 (32 bytes) for the file name
– Input is not checked here.
• When a larger value is input, anything beyond the 0x20 space overflows, which then allows arbitrary code to get executed with system privilege
   // szName is an OLECHAR (wide) string, hence the L prefix on the literal
   hr = CoGetInstanceFromFile(pServerInfo, NULL, 0, CLSCTX_REMOTE_SERVER,
                              STGM_READWRITE,
                              L"C:\\1234561111111111111111111111111.doc", 1, &qi);
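The defect the slide describes is a fixed 0x20-element name buffer filled from caller-supplied data with no length comparison. The C program below is an added example, not the DCOM code and not from the C-DAC deck: it shows the unchecked copy pattern next to a checked version that refuses any name which would not fit, terminator included. NAME_CAP, the function names and the two sample file names are my own; the 38-character name is constructed to exceed the buffer and is not the slide’s exploit string. The buffer is char rather than OLECHAR, so the limit counts bytes here where the original counts wide characters, but the rule is identical.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 32-element name buffer, the same 0x20 size the slide
 * describes for szName. */
#define NAME_CAP 0x20

/* The pattern the slide describes: the callee copies the caller-supplied
 * name into its fixed buffer without comparing lengths. Any name of
 * NAME_CAP characters or more writes past the buffer. Shown for contrast;
 * the demo only ever calls it with input that fits. */
static void copy_name_unchecked(char dst[NAME_CAP], const char *src)
{
    strcpy(dst, src);     /* no bound: overflow if strlen(src) >= NAME_CAP */
}

/* Hardened form: refuse anything that does not fit, terminator included.
 * Returns 0 on success, -1 if the name was rejected (dst is left empty). */
int copy_name_checked(char *dst, size_t cap, const char *src)
{
    if (cap == 0) return -1;
    size_t len = 0;
    while (len < cap && src[len] != '\0')   /* never scans past cap bytes */
        len++;
    if (len >= cap) {                       /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Longest name copy_name_checked accepts for a buffer of cap elements. */
size_t max_name_len(size_t cap) { return cap ? cap - 1 : 0; }

/* 1 if name fits a NAME_CAP buffer under the checked rule, else 0. */
int fits_in_name_buffer(const char *name)
{
    char buf[NAME_CAP];
    return copy_name_checked(buf, sizeof buf, name) == 0;
}

/* Constructed inputs (not the slide's exploit string): a normal document
 * path and a 38-character name that exceeds the 32-element buffer. */
static const char SHORT_NAME[] = "C:\\report.doc";
static const char LONG_NAME[]  = "C:\\1234567890123456789012345678901.doc";

int demo_short_accepted(void)
{
    char buf[NAME_CAP];
    return copy_name_checked(buf, sizeof buf, SHORT_NAME) == 0
        && strcmp(buf, SHORT_NAME) == 0;
}

int demo_long_rejected(void)
{
    char buf[NAME_CAP];
    return copy_name_checked(buf, sizeof buf, LONG_NAME) == -1 && buf[0] == '\0';
}

int main(void)
{
    char buf[NAME_CAP];
    copy_name_unchecked(buf, SHORT_NAME);   /* safe only because the input fits */
    printf("unchecked copy of a fitting name: %s\n", buf);
    printf("checked: short %s, long %s\n",
           demo_short_accepted() ? "accepted" : "rejected",
           demo_long_rejected()  ? "rejected" : "accepted");
    return 0;
}
```

The checked copy rejects a 32-character name even though 32 bytes of storage exist, because the terminator needs the last slot; off-by-one errors of exactly that kind are the usual reason a “bounded” copy still overflows.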
Steps Performed by Exploit Code
(Figure: Attacker is 192.168.51.35 using an ephemeral port >1024; Victim is 192.168.51.36)
1. The exploit establishes a connection from 192.168.51.35 (>1024) to TCP port 135 on the victim machine (192.168.51.36:135)
2. The exploit sends the DCE/RPC Bind Request for the file “\\victim\c$\1234561111111111111111111111.doc” to the victim machine (192.168.51.36:135) and uses the buffer overflow to spawn a shell on TCP port 4444
3. The exploit connects from 192.168.51.35 (>1024) to the shell on the newly opened TCP port 4444 (192.168.51.36:4444) and has System privilege
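The three steps above leave a distinctive trace in connection logs: a session to port 135 followed shortly by a session from the same peer to port 4444 on the same host. The C program below is an added example, not the exploit and not from the C-DAC deck: it scans constructed connection records (the timestamps and the 10.0.0.x peers are invented; 192.168.51.35/36, port 135 and port 4444 come from the slide) and counts peer/host pairs that show this sequence within a configurable window. The record layout, the window length and the function names are my own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* One inbound TCP connection record, as a host or perimeter log might hold it. */
typedef struct {
    int         t;        /* constructed timestamp, seconds */
    const char *src;      /* peer that opened the connection */
    const char *dst;      /* host that accepted it */
    int         dport;    /* port the connection was made to */
} Conn;

#define RPC_PORT   135
#define SHELL_PORT 4444   /* port the slide's exploit binds its shell to */
#define WINDOW_S   300    /* how long after the port-135 session a 4444 connect still counts */

/* Constructed sample (not real log data). The first two rows reproduce the
 * sequence from the slide; the rest is unrelated traffic. */
static const Conn SAMPLE_CONNS[] = {
    { 100, "192.168.51.35", "192.168.51.36", RPC_PORT   },
    { 103, "192.168.51.35", "192.168.51.36", SHELL_PORT },
    { 110, "10.0.0.2",      "192.168.51.36", RPC_PORT   },   /* ordinary RPC client */
    { 120, "10.0.0.3",      "192.168.51.36", 80         },
    { 900, "10.0.0.2",      "192.168.51.36", SHELL_PORT },   /* too late to pair with t=110 */
};
#define SAMPLE_N (sizeof SAMPLE_CONNS / sizeof SAMPLE_CONNS[0])

/* Counts peer/host pairs where a connection to RPC_PORT is followed within
 * WINDOW_S seconds by a connection from the same peer to SHELL_PORT on the
 * same host. The first such host is copied into victim (if cap > 0). */
int count_rpc_then_shell(const Conn *c, size_t n, char *victim, size_t cap)
{
    int hits = 0;
    if (cap) victim[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (c[i].dport != RPC_PORT) continue;
        for (size_t j = 0; j < n; j++) {
            if (c[j].dport != SHELL_PORT) continue;
            if (strcmp(c[i].src, c[j].src) != 0 || strcmp(c[i].dst, c[j].dst) != 0)
                continue;                              /* different peer or host */
            if (c[j].t < c[i].t || c[j].t - c[i].t > WINDOW_S)
                continue;                              /* wrong order or outside window */
            if (hits == 0) snprintf(victim, cap, "%s", c[i].dst);
            hits++;
            break;                                     /* one match per 135-session */
        }
    }
    return hits;
}

static char g_victim[64];
int demo_hits(void)
{
    return count_rpc_then_shell(SAMPLE_CONNS, SAMPLE_N, g_victim, sizeof g_victim);
}
const char *demo_victim(void) { return g_victim; }

int main(void)
{
    int hits = demo_hits();
    printf("%d suspicious 135->4444 sequence(s)%s%s\n",
           hits, hits ? ", first host " : "", hits ? demo_victim() : "");
    return 0;
}
```

The check is only as good as the fixed port it keys on: a shell bound elsewhere would slip past it, which is why the durable controls for this case study are the vendor patch and blocking inbound TCP 135 at the perimeter, with this kind of correlation serving as an after-the-fact indicator.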
Recently Announced Buffer Overflow Problem in MS
• MSASN.1 vulnerability could allow remote code execution
• Abstract Syntax Notation (ASN.1) is a data standard that is used by many applications and devices in the technology industry for allowing the normalization and understanding of data across various platforms
• MSASN1.dll is widely used by the Windows security subsystem.
• Announced on Feb 10, 2004 by Microsoft
• All Microsoft OS platforms are affected
• Exploit released on Feb 14th, but it only crashes the LSASS.exe service and forces the system to reboot
• The next possible worm is likely under development.
Thank You