Circumventing Security - University of Maine System


Circumventing Security
Lecture 14
November 15, 2000
Some Terms

- Spoofing: an active security attack where one machine masquerades as another.
- Sniffing: use of the network interface to receive data not intended for the host machine in which the interface resides.
- Exploit: a documented bug/hole in the software that usually allows a user to remotely or locally gain access to the machine.
Types of Attacks

The different types of attacks can be divided into two categories.
- Local (physical) attacks
  - Less common
  - More difficult to determine if compromised
- Remote attacks
  - More common
  - Generally easier to determine if compromised
Many attacks are a combination of both a local and a remote attack!
Simple Local Attacks

- Removing a computer from service:
  - Turning off the power
  - Unplugging a computer
  - Cutting or unplugging a network connection
- Attacking a computer from the terminal:
  - Using known exploits at the keyboard to access the machine.
  - Removing a screensaver password: reboot and change it before the screensaver turns on.
Common Remote Attacks

Most remote exploits have a common “path”:
1. Use a known exploit to gain remote access to the machine (BIND, FTPD).
2. Download a copy of the /etc/passwd file.
3. Run a password cracking program on the local machine until the root password is compromised.
4. Gain access to the machine (telnet, ssh, exploit, etc.).
5. Change to the root user with the cracked password.
Spoofing Attacks

Spoofing attacks are a combination of both local and remote attacks.
- Hardware address spoofing
- ARP spoofing
- IP route spoofing
  - ICMP spoofing
  - RIP spoofing
- Other protocol spoofing
  - DNS spoofing
  - TCP/IP datagram spoofing
Hardware Address Spoofing

- Most software does not modify the source field in an Ethernet frame leaving the interface.
- When a packet is received on Ethernet, the source address is assumed to be valid.
- However, most NICs have the ability to use software-controlled hardware addresses, so an address can be faked:
  - 01-01-01-01-01-01 or 12-34-56-78-90-AB
- Consider the possibility of one machine trusting a secure connection based on the hardware address!
Hardware Spoofing (cont.)

Consider the functionality of a bridge:
1. A packet from machine A on segment 1 arrives at the bridge, destined for machine B on segment 2.
2. The bridge will modify the source address of the packet to C and then send it to machine B on segment 2.
The A/B combination is transformed to C/B.
Hardware Spoofing (cont.)

- Since a bridge is basically a PC, all PCs have the ability to modify Ethernet frames.
- Trusting a machine based only on the hardware address is NOT recommended!
ARP Spoofing

- Most ARP spoofing attacks are accidental rather than intentional!
- If two machines have the same IP address, they will both respond to the same ARP request!
- Depending on the operating system, one of two things could happen:
  - The slowest (last) ARP reply to arrive will be cached until the ARP entry expires.
  - The first ARP reply to arrive will be cached, and any further ARP replies will be ignored (until the ARP entry expires).
ARP Spoofing (cont.)

Depending on the situation, the attacker will have to make their ARP request arrive first or last, depending on which target system they are trying to compromise.
ARP Spoofing (cont.)

An attacker has a few options to ARP spoof:
- Turn off the legitimate machine & use its IP address:
  - Power it down locally
  - Shut it down remotely (in Unix, halt)
  - Throw the circuit breaker for that machine, etc.
- Reconfigure the target machine with a new IP address, and hijack the old one for the attacker's machine.
Preventing ARP Spoofing

The true target of an ARP spoof is the machine one attempts to deceive, not the machine whose address is hijacked!
1. Stop using ARP! All shares based on IP addresses should use permanent entries in the ARP cache.
2. Use an ARP server (but the server can still be deceived!).
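The two cache behaviours and the duplicate-IP situation from the ARP slides, together with the static-entry check the prevention slide recommends, as an added example (not code from the lecture). The ARP replies and the hardware addresses are constructed sample data, and the "first"/"last" policies are a simplification of how real stacks fill their cache.

```python
from collections import defaultdict

# Constructed sample ARP replies as (time, sender IP, sender MAC). The second
# host answering for 10.0.0.5 is the duplicate-IP case described on the slides.
SAMPLE_ARP_REPLIES = [
    (1.00, "10.0.0.5", "00:11:22:33:44:55"),
    (1.02, "10.0.0.7", "00:11:22:33:44:66"),
    (1.05, "10.0.0.5", "00:11:22:33:44:55"),
    (2.00, "10.0.0.5", "DE:AD:BE:EF:00:01"),
    (2.01, "10.0.0.7", "00:11:22:33:44:66"),
]

def cached_mac(replies, ip, policy):
    """Which MAC a host ends up caching for ip under the two behaviours on the
    slides: 'first' keeps the first reply, 'last' keeps the latest one."""
    macs = [mac.lower() for _t, rip, mac in sorted(replies) if rip == ip]
    if not macs:
        return None
    return macs[0] if policy == "first" else macs[-1]

def find_conflicting_ips(replies):
    """Detection: every IP that more than one hardware address has answered for."""
    seen = defaultdict(set)
    for _t, ip, mac in replies:
        seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

def static_entry_violations(replies, static_arp):
    """Prevention check: replies that contradict a permanent ARP entry
    (static_arp maps ip -> mac), the slide's alternative to trusting ARP."""
    return [(t, ip, mac) for t, ip, mac in replies
            if ip in static_arp and static_arp[ip].lower() != mac.lower()]

if __name__ == "__main__":
    print(find_conflicting_ips(SAMPLE_ARP_REPLIES))
    print(cached_mac(SAMPLE_ARP_REPLIES, "10.0.0.5", "first"),
          cached_mac(SAMPLE_ARP_REPLIES, "10.0.0.5", "last"))
    print(static_entry_violations(SAMPLE_ARP_REPLIES,
                                  {"10.0.0.5": "00:11:22:33:44:55"}))
```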
Route Spoofing

- Route spoofing is where one attempts to redirect IP datagrams to a location that is not the true destination.
- Route spoofing, like ARP spoofing, can lead to a Denial of Service (DoS) attack.
- Denial of Service: some action taken to prevent a target machine from properly communicating (sending, receiving, or both) with the network.
Route Spoofing (cont.)

- With sophisticated software, one can use both route spoofing and ARP spoofing to give the illusion that the network is functioning properly, while removing the target machine from the communication!
- If two routers exist on a network, only one can be the default router.
Route Spoofing (cont.)

Here's how a route spoof can occur:
1. A machine always sends a transmission to the default router first.
2. If the default router is not the best choice for the transmission, it sends an ICMP redirect message back to the host on the same network segment, and forwards the datagram to the appropriate router.
3. The redirect message basically says “it would be best to send datagrams to a router with IP address A.B.C.D for network W.X.Y.Z”.
4. The host machine updates its routing table so it doesn't make the mistake again.
ICMP-Based Route Spoofing

- A machine can create ICMP redirect messages and send them to any other machine in the network!
  - The routing table could be made unusable: a DoS attack.
  - A machine could send an ICMP redirect with its own IP address and pose as a router, therefore filtering ALL traffic!
- The simplest way to avoid ICMP spoofing is to disable ICMP redirect messages, in both the hosts and the routers!
- But if you keep ICMP redirects, one could validate the redirect source address as another level of security.
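The "validate the redirect source address" option, as an added example (not code from the lecture): a host accepts a redirect only if it was sent by the gateway currently in use for that destination and the proposed gateway is on a directly attached network, which are the checks RFC 1122 asks hosts to make. The routing table and addresses below are constructed sample data.

```python
import ipaddress

def current_gateway(destination, routing_table):
    """Longest-prefix match over routing_table, which maps a network string
    to its gateway and uses the key "default" for the default router."""
    dest = ipaddress.ip_address(destination)
    best = None
    for net, gw in routing_table.items():
        if net == "default":
            continue
        network = ipaddress.ip_network(net)
        if dest in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    return best[1] if best else routing_table["default"]

def redirect_is_acceptable(redirect_src, new_gateway, destination,
                           routing_table, local_networks):
    """Return (ok, reason). The redirect must come from the gateway this host
    is already using for the destination, and the gateway it proposes must be
    on a directly attached network; anything else is treated as spoofed."""
    expected_src = current_gateway(destination, routing_table)
    if ipaddress.ip_address(redirect_src) != ipaddress.ip_address(expected_src):
        return False, "not sent by the gateway in use for this destination"
    new_gw = ipaddress.ip_address(new_gateway)
    if not any(new_gw in ipaddress.ip_network(n) for n in local_networks):
        return False, "proposed gateway is not on a directly attached network"
    return True, "redirect accepted"

# Constructed host configuration: a default router plus a second router that
# already handles 10.0.0.0/8; both sit on the host's only attached network.
ROUTES = {"default": "192.168.1.1", "10.0.0.0/8": "192.168.1.2"}
LOCAL_NETS = ["192.168.1.0/24"]

if __name__ == "__main__":
    # legitimate: the default router points traffic at the other local router
    print(redirect_is_acceptable("192.168.1.1", "192.168.1.2", "203.0.113.9",
                                 ROUTES, LOCAL_NETS))
    # a LAN host announcing itself as the router for the same destination
    print(redirect_is_acceptable("192.168.1.77", "192.168.1.77", "203.0.113.9",
                                 ROUTES, LOCAL_NETS))
```

Disabling redirects altogether, as the slide says, remains the simpler defence; this check is the fallback when they must stay enabled.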
Domain Name System Spoofing

- Overview: a machine (nameserver) holds a mapping between IP addresses and names (www.cnn.com, for example).
- A client sends a request to the nameserver for the IP address of www.cnn.com, and the nameserver replies with the address.
Domain Name Spoofing (cont.)

- Hosts commonly trust other machines based on their names.
- If the nameserver is compromised, then the domain names are subsequently compromised.
- Security-oriented TCP programs do a two-way lookup to authorize machines:
  - Forward lookup (name to IP address)
  - Reverse lookup (IP address to name)
  - If both match, then the machine is authorized.
Domain Name Spoofing (cont.)

- In order to make attackers' lives more difficult, administrators commonly put the “forward zone” and the “reverse zone” on two separate machines, so BOTH must be compromised.
- Also, DNS records commonly exist on two separate authoritative nameservers, so making multiple queries to differing nameservers is another level of authentication.
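The two-way lookup from the previous slide and the cross-check against several authoritative servers from this one, as an added example (not code from the lecture). The nameservers are stood in for by dictionaries so it runs offline; the zone contents and hostnames are constructed placeholders.

```python
# Constructed zone contents. REVERSE_A carries a PTR record for 192.0.2.99 that
# claims to be trusted.example.com, the sort of entry a compromised reverse
# zone would contain; the forward zone does not agree with it.
FORWARD_A = {"trusted.example.com": "192.0.2.10", "other.example.com": "192.0.2.20"}
REVERSE_A = {"192.0.2.10": "trusted.example.com", "192.0.2.20": "other.example.com",
             "192.0.2.99": "trusted.example.com"}
REVERSE_B = dict(REVERSE_A)                                  # second authoritative copy
POISONED_B = {**REVERSE_B, "192.0.2.10": "evil.example.com"}  # one server tampered with

def consistent_answer(key, servers):
    """Ask every server for key; return the answer only if they all agree."""
    answers = {server.get(key) for server in servers}
    return answers.pop() if len(answers) == 1 else None

def two_way_lookup(client_ip, forward_servers, reverse_servers):
    """Reverse lookup (IP -> name), then forward lookup (name -> IP). The name
    is returned only if the forward answer leads back to the same client IP."""
    name = consistent_answer(client_ip, reverse_servers)
    if name is None:
        return None
    if consistent_answer(name.lower(), forward_servers) != client_ip:
        return None
    return name.lower()

def authorize(client_ip, allowed_names, forward_servers, reverse_servers):
    """Name-based access check that only trusts a name the two-way lookup confirms."""
    name = two_way_lookup(client_ip, forward_servers, reverse_servers)
    return name is not None and name in allowed_names

if __name__ == "__main__":
    allowed = {"trusted.example.com"}
    print(authorize("192.0.2.10", allowed, [FORWARD_A], [REVERSE_A, REVERSE_B]))
    print(authorize("192.0.2.99", allowed, [FORWARD_A], [REVERSE_A, REVERSE_B]))
    print(authorize("192.0.2.10", allowed, [FORWARD_A], [REVERSE_A, POISONED_B]))
```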
TCP Spoofing

- An attacker only needs to estimate the sequence number to be assigned to the next data byte to be sent by the legitimate user.
- If the correct next sequence number is guessed, the attacker can send a forged datagram containing the tainted data, which will be processed as valid data by the receiver.
- If the attacker sends tainted data after the legitimate data, the target machine may completely discard the forged datagram if it contains less data than the legitimate datagram.
TCP Spoofing (cont.)

- If the tainted datagram contains more data than the legitimate datagram, only the length of the legitimate datagram is rejected. The rest of the tainted transmission would be accepted as valid.
- On the other hand, if the forged datagram arrives before the legitimate datagram, the forgery will be discarded.
TCP Spoofing (cont.)

- If the attacker guesses a number that's a bit too high, the receiver will take the datagram and put it in the buffer.
- Some of the bytes at the end of the datagram may be discarded because they may not fit in the space allocated by the window advertisement.
- Later, the legitimate datagram will arrive and fill the holes in the entire transmission.
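The receiver-side behaviour the last three slides describe (a segment that is "a bit too high" is buffered, bytes beyond the advertised window are dropped, a byte already held is not overwritten, and the in-order segment later fills the hole), as an added teaching model that is not code from the lecture. It assumes a simplified receiver with first-arrival-wins for overlapping bytes; real stacks differ in details, and the segment contents are constructed.

```python
class ReceiverWindow:
    """Teaching model of TCP receive-side reassembly, not a real stack."""

    def __init__(self, rcv_nxt, window):
        self.rcv_nxt = rcv_nxt        # next in-order byte expected
        self.window = window          # advertised window in bytes
        self.buffer = {}              # seq -> byte held out of order
        self.delivered = bytearray()  # bytes passed up to the application

    def receive(self, seq, data):
        """Keep the bytes that fall inside the window and are not already
        held; return (accepted, discarded) byte counts for this segment."""
        win_end = self.rcv_nxt + self.window
        accepted = discarded = 0
        for offset, byte in enumerate(data):
            s = seq + offset
            if s < self.rcv_nxt or s >= win_end or s in self.buffer:
                discarded += 1        # old, beyond the window, or already held
            else:
                self.buffer[s] = byte
                accepted += 1
        while self.rcv_nxt in self.buffer:   # deliver any contiguous run
            self.delivered.append(self.buffer.pop(self.rcv_nxt))
            self.rcv_nxt += 1
        return accepted, discarded

def demo():
    """Walk through the slides' cases with a 16-byte window starting at 1000."""
    r = ReceiverWindow(rcv_nxt=1000, window=16)
    results = {}
    # guessed 8 bytes too high: held in the buffer, nothing delivered (hole at 1000..1007)
    results["too_high"] = r.receive(1008, b"ls -l\n")
    # overlaps bytes already held and runs past the window: only 1014..1015 survive
    results["past_window"] = r.receive(1012, b"whoami\n")
    # the legitimate in-order data arrives, fills the hole and releases everything
    results["fills_hole"] = r.receive(1000, b"cd /tmp\n")
    results["delivered"] = bytes(r.delivered)
    results["rcv_nxt"] = r.rcv_nxt
    return results

if __name__ == "__main__":
    print(demo())
```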
A TCP Spoofing Example

- Consider a user logging into a timesharing machine and leaving the session idle.
- An attacker merely has to guess the total data bytes that the user sent to the server. Usually, the username, password, and a few commands are sent before the connection lies idle.
- If the attacker estimates within 100 bytes, they are usually close enough to hit the advertised window.
- All the attacker has to do is send a forged datagram with a sequence of bytes that corresponds to a command, and it will be executed as if the logged-in user typed it!
TCP Spoofing Example (cont.)

- Since the TCP forgery occurs as the regular user, only user commands can be executed.
- rm -rf * for example
Reducing TCP Spoofing Risks

1. Log out of unused terminals and open new ones only when necessary.
2. Use an interactive protocol (telnet, rlogin) that adds overhead to make guessing the sequence number more difficult.
3. Use encrypted terminal sessions (ssh).
Common Vulnerabilities

- IP spoofing
- Weak passwords
- Default/guest accounts
- Network snooping/sniffing
- Viruses/Trojan horses
Common Exploits

- Most common exploits involve buffer overruns.
- If the target software runs as a privileged user, then the attacker can run commands as a privileged user!
- Exploits vary from operating system to operating system:
  - Windows NT 4.0: 71 vul.
  - Windows NT 2000: 58 vul.
  - RedHat Linux 6.2 i386: 34 vul.
  - Windows 98: 31 vul.
  - Windows 95: 28 vul.
Common Exploits (cont.)

Buffer Overflow Exploits
- CERT CA-99-03: FTP buffer overflow
- CERT CA-99-08: qpopper (mail)
- CERT CA-99-09: IMAPD (mail)
- CERT CA-99-12: mountd (partition mounting)
- POP3 USER buffer overflow
- POP3 PASS buffer overflow
- Finger services
- BIND NXT vulnerability (DNS)
- And many, many more!
Discovering Vulnerabilities

Disclaimer: This sort of unauthorized activity may go against your AUP. Do this at your own risk!

riggs:wages> telnet mail.eece.maine.edu 21
Trying 130.111.113.34...
Connected to rainier.eece.maine.edu.
Escape character is '^]'.
220 rainier FTP server (Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999) ready.
Discovering (cont.)

- Then you take the information that the server is running wu-2.6.0(1) and look on the common bug tracking sites to see if there are any vulnerabilities.
- No common bugs exist for this FTP server.
- Let's look at another possibility, the SMTP server software on port 25.
Discovering (cont.)

riggs:wages> telnet mail.eece.maine.edu 25
Trying 130.111.113.34...
Connected to rainier.eece.maine.edu.
Escape character is '^]'.
220 rainier.eece.maine.edu ESMTP Sendmail 8.9.3/8.9.3/Marc v3.1 (09/04/98); Tue, 14 Nov 2000 23:48:19 -0500

- No known exploits for Sendmail 8.9.3
- Let's look at the POP server next
Discovering (cont.)

riggs:wages> telnet mail.eece.maine.edu 110
Trying 130.111.113.34...
Connected to rainier.eece.maine.edu.
Escape character is '^]'.
+OK POP3 rainier v7.52 server ready

- No known exploits for this server.

- Port scanners
- IP scanners