1998-10-16-MAEDS-NetSecurity
Network Security
by: Mark Lachniet ([email protected])
Introductions
Mark Lachniet
Director of Information Data Systems
at Holt Public Schools
Novell MasterCNE
Freeware
Disc Golf <yay!>
And the Victim
A.K.A. “Fred”
“White Hats” and “Black Hats”
• The good guys versus the bad guys
• Some developers of “hacking”
programs do so to educate others
and point out flaws for the
betterment of computer security
• A wide variety of “white hat” help,
advisories, and lists are available
• Also an ever-growing group of “black
hats” armed with easy-to-use scripts,
known as “script kiddies”
Networks & Servers
• Requirement to do business
• Time and knowledge intensive to
manage
• Many connected to the Internet
• Easy availability of hacking tools
=
DANGER
Security Risks
• Physical, logical, and policy security
• User habits - passwords, logging in & out
• Software bugs, viruses & Trojans
• Network attacks
• Disgruntled employees
• Competitors
• Bored K12 students :)
Focusing on the Net
• Focus on networks and the Internet
• Most school districts are connected to the
Internet
• The threat of a remote compromise
• If a hacker can “own” your net, he can get
access to virtually all of your important
data
• Developments in security happen in
“Internet Time” (quick!)
• Takes a lot of time to research and
implement good security
Running on Internet time
• This presentation represents *my*
knowledge at this time (10/98)
• I don’t really consider myself a security
expert, just a network Administrator
• There is undoubtably a great deal I do
*not* know and should be telling you
• The technology changes quickly - assume
that it already has
• Nonetheless, hopefully this will help you
in your own IT work
Types of Risks
• DoS - Denial of Service
• Exploits - getting administrator access
• Password cracking - brute force
• Network mapping - host/port scans
• Sniffers - intercept passwords on the net
• Trojans and backdoors - getting back
into the system
• Misc - networked printers, routers, etc.
• And more...
Denial of Service
• Through some mechanism, services on
the network or server are disabled
• Often due to poor programming (for
example buffer overflows)
• What is a buffer overflow? A program
copies more data into a fixed-size area of
memory (the buffer) than it can hold, so the
excess overwrites neighbouring memory. At
best the program crashes (a DoS); at worst
the attacker controls what gets overwritten
and takes over the program
• DoS attacks exist for virtually every
computer type from UNIX to PC
• Windows NT is vulnerable to some DoS
attacks, even with current service packs
• TCP/IP stacks often vulnerable as well
• Used for destructive purposes (why else?)
Exploits
• Generally used to obtain administrator
privileges on a server
• Most often for UNIX operating systems,
but sometimes for NT/Novell as well
• Usually distributed as source code or
shell scripts (hence “script kiddies”)
• Usually involves a server program with
administrator privileges that is
misconfigured or has a bug in it
• Exploits are easy to obtain and run!
Network scanners
• Useful for getting the “lay of the land”
• Determining what computers are
connected to the net and the services they
offer
• Often used in coordination with exploits to
scan a LARGE number of IP addresses for
hosts which are vulnerable
• This is happening right NOW! Take a look
at your web server logs and you can bet
you will see their handiwork
• Some scanners can even tell what kind of
computer is in use.
About those “script kiddies”
• Whereas once hacking was something
done by a technical elite, now programs
of mass destruction are widely
available
• People with little or no actual
knowledge can use powerful tools to
compromise security
• If you haven’t been scanned yet, it is
just a matter of time
• You NEED to know if your security is
good before they find out for you
Network Sniffers
• Used to snoop on network traffic
• Can obtain usernames and passwords
from plaintext transmissions such as
Telnet, FTP, and mail
• Can also be used for other malicious
purposes
• Assume that all traffic on the Internet is
being watched by *someone*
• Encryption is protection against this kind
of attack
• Telnet vs. Secure Shell [demo]
Network Sniffers, cont.
• Some sniffers can “hijack” a connection
between two other hosts and take over
one of the ends of the conversation.
• Some sniffers can destroy a connection
as well, rendering the connection
useless
• Sniffers are often used in combination
with other programs such as Trojans
• Sniffers are frequently used to obtain
additional passwords from an already-compromised host
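A worked illustration of the sniffing risk the two slides above describe, added here as an example and not part of the original talk: the Telnet login reconstruction a sniffer performs. The capture is constructed (host "fred", user "mark" and password "s3cret" are made up), and the code strips only Telnet option negotiation before reading the keystrokes; the same capture of an SSH session would yield ciphertext only.

```python
"""Reconstruct a Telnet login from captured traffic, as a sniffer would.
Telnet sends every keystroke in the clear; only option negotiation (IAC
sequences) has to be stripped before the login name and password fall out."""

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_options(data: bytes) -> bytes:
    """Remove IAC option negotiation and return only the NVT text bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):          # dangling IAC at end of segment
            break
        elif data[i + 1] == IAC:          # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif data[i + 1] == SB:           # sub-negotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                        # IAC <cmd> <option>
        else:
            i += 2                        # other two-byte commands (NOP, GA, ...)
    return bytes(out)


def extract_credentials(segments):
    """segments: ordered (direction, payload) pairs reassembled from the TCP stream.
    Returns the (username, password) pairs typed after login/password prompts."""
    creds = []
    expecting = None          # "user" or "password" once the server printed a prompt
    username = None
    typed = bytearray()
    for direction, payload in segments:
        text = strip_telnet_options(payload)
        if direction == "server":
            tail = text.decode("ascii", "replace").rstrip().lower()
            if tail.endswith("password:"):
                expecting, typed = "password", bytearray()
            elif tail.endswith(("login:", "username:")):
                expecting, typed = "user", bytearray()
            continue
        if expecting is None:
            continue
        for b in text:
            if b in (0x08, 0x7F):                 # backspace / delete
                if typed:
                    typed.pop()
            elif b in (0x0D, 0x0A):               # Enter ends the field
                value = typed.decode("ascii", "replace")
                if expecting == "user":
                    username = value
                else:
                    creds.append((username, value))
                    username = None
                expecting = None
                break
            else:
                typed.append(b)
    return creds


# Constructed capture of a Telnet login to the demo host "fred" (not real traffic).
SAMPLE_SESSION = [
    ("server", b"\xff\xfd\x18\xff\xfd\x20\xff\xfb\x01\xff\xfb\x03"),  # DO TTYPE, DO TSPEED, WILL ECHO, WILL SGA
    ("client", b"\xff\xfb\x18\xff\xfc\x20\xff\xfd\x01\xff\xfd\x03"),
    ("server", b"\xff\xfa\x18\x01\xff\xf0"),                          # SB TERMINAL-TYPE SEND SE
    ("client", b"\xff\xfa\x18\x00VT100\xff\xf0"),                     # SB TERMINAL-TYPE IS "VT100" SE
    ("server", b"\r\nfred login: "),
    ("client", b"m"), ("server", b"m"),                               # server echoes the name
    ("client", b"a"), ("server", b"a"),
    ("client", b"r"), ("server", b"r"),
    ("client", b"k"), ("server", b"k"),
    ("client", b"\r\n"), ("server", b"\r\nPassword: "),               # password is not echoed
    ("client", b"s3crey"), ("client", b"\x7f"), ("client", b"t\r\n"),  # typo, backspace, fix, Enter
    ("server", b"\r\nLast login: Fri Oct 16 09:12:44 on ttyp0\r\n$ "),
]

if __name__ == "__main__":
    print(extract_credentials(SAMPLE_SESSION))
```

The direction tags stand in for the TCP port test a real sniffer would do (traffic to port 23 is client, from it is server); the rest is exactly why the slide says "assume all traffic is being watched".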
Brute force attacks
• Most passwords are 1-way encrypted. When
you type in your password, it is encrypted
and compared to the password the system
has on file for you. If the encrypted result
matches, you typed the word
• Brute force engines attempt to encrypt an
entire dictionary, one word at a time, in hopes
of getting the password
• Can be used to obtain administrator
privileges on NT, Novell, and UNIX!
• Servers respond by disabling login or
slowing down drastically after a certain
number of failed logins, thereby making it
very time consuming to attack them
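The two halves of the brute-force problem, as an added example (not from the talk): offline cracking of a stolen hash, which no lockout policy slows, and online guessing against a server that locks an account after a few failures, except when the account is exempt, as NT's built-in Administrator was. The hash is a salted SHA-256 stand-in from Python's hashlib rather than crypt(3) or the LM hash, and the wordlist and the password "Secret" are constructed.

```python
"""Dictionary attack against one-way hashed passwords, offline and online.
A salted SHA-256 (hashlib) stands in for crypt(3)/LM so the example runs
anywhere; the attack logic is the same for either hash."""
import hashlib
import hmac

# Constructed wordlist, in the alphabetical order NAT walks it (see the screenshot below).
WORDLIST = ["10th", "1st", "2nd", "3rd", "password", "putzy", "secret"]


def hash_password(password: str, salt: bytes) -> str:
    """One-way: the system keeps only this digest, never the password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def verify(password: str, salt: bytes, digest: str) -> bool:
    return hmac.compare_digest(hash_password(password, salt), digest)


def mutations(word: str):
    """Cheap rules crackers apply to every dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word + "1"
    yield word[::-1]


def dictionary_attack(salt: bytes, digest: str, wordlist):
    """Offline: with a stolen password file the attacker hashes at full speed
    and no lockout applies.  Returns (password or None, candidates tried)."""
    tried = 0
    for word in wordlist:
        for candidate in mutations(word):
            tried += 1
            if hash_password(candidate, salt) == digest:
                return candidate, tried
    return None, tried


class LoginServer:
    """Online target.  Lockout after N failures is what slows network guessing;
    an exempt account (NT's built-in Administrator) can be hammered forever."""

    def __init__(self, salt: bytes, digest: str, lockout_threshold: int = 5, exempt: bool = False):
        self.salt, self.digest = salt, digest
        self.threshold, self.exempt = lockout_threshold, exempt
        self.failures, self.locked = 0, False

    def login(self, password: str) -> str:
        if self.locked:
            return "locked"
        if verify(password, self.salt, self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if not self.exempt and self.failures >= self.threshold:
            self.locked = True
            return "locked"
        return "denied"


def online_guess(server: LoginServer, wordlist):
    """NAT-style guessing over the network.  Returns (password or None, attempts)."""
    attempts = 0
    for word in wordlist:
        for candidate in mutations(word):
            attempts += 1
            status = server.login(candidate)
            if status == "ok":
                return candidate, attempts
            if status == "locked":
                return None, attempts
    return None, attempts


if __name__ == "__main__":
    salt, digest = b"Xy", hash_password("Secret", b"Xy")   # "Secret": a dictionary word, capitalised
    print("offline      :", dictionary_attack(salt, digest, WORDLIST))
    print("online, user :", online_guess(LoginServer(salt, digest), WORDLIST))
    print("online, admin:", online_guess(LoginServer(salt, digest, exempt=True), WORDLIST))
```

The ordinary account locks on the fifth guess; the exempt account gives up "Secret" on the 32nd, and the offline run gets there just as fast with nobody watching. A password that is not a dictionary word under any cheap rule survives all three.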
Brute force on Windows NT
• Windows NT is especially vulnerable to
brute force tools such as NAT (the
NetBIOS Auditing Tool)
• Under NT, the built-in Administrator
account is not locked out by the account
lockout policy (unless passprop /adminlockout
from the Resource Kit is applied), so it is
open to unlimited (and fast) brute force
attacks
• Never let your NT admin password be
in the dictionary!
• Can be hacked from anywhere on the
Internet if your server is connected to
the net and ports 137-139 are reachable
Screen-shot of a NT hack on my home server
[*]--- Attempting to connect with name: PUTZY
[*]--- CONNECTED with name: PUTZY
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Oct 5 12:08:15 1998
[*]--- Timezone is UTC-4.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to connect with name: PUTZY
[*]--- CONNECTED with name: PUTZY
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `10th'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `1st'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `2nd'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `3rd'
And so on...
Microsoft sharing shares too much
information - another screen from home
[*]--- Checking host: 10.0.0.4
[*]--- Obtaining list of remote NetBIOS names
[*]--- Remote systems name tables:
PUTZY
LACHNIET
LACHNIET
PUTZY
LACHNIET
PUTZY
ADMINISTRATOR
LACHNIET
INet~Services
LACHNIET
IS~PUTZY
^A^B__MSBROWSE__^B
Callouts on the slide: NT server name (PUTZY), workgroup name (LACHNIET), admin's name (ADMINISTRATOR), programs running on the server (INet~Services and IS~PUTZY are registered by IIS)
All of this information helps the hackers...
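To show concretely what the name table above leaks, here is a decoder for the NetBIOS node status reply (the NBSTAT record of RFC 1002) that NAT and nbtstat -A request from UDP port 137. It is an added example, not the tool's code; the packet it parses is constructed to mirror the slide's table, and the 16th-byte suffixes and flags assigned to each name are assumptions, since the screenshot did not preserve them.

```python
"""Parse a NetBIOS Node Status (NBSTAT, RFC 1002 section 4.2.18) response and
summarise what an anonymous remote user learns from it."""
import struct

NBSTAT = 0x0021

# Well-known 16th-byte suffixes; the bool is whether the name was registered as a group.
SUFFIX = {
    (0x00, False): "Workstation Service",
    (0x00, True): "Domain / workgroup name",
    (0x01, True): "Master Browser (__MSBROWSE__)",
    (0x03, False): "Messenger Service (machine or logged-on user)",
    (0x06, False): "RAS Server Service",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers group",
    (0x1D, False): "Master Browser",
    (0x1E, True): "Browser Service Elections",
    (0x20, False): "File Server Service",
}


def _printable(raw: bytes) -> str:
    """Render a 15-byte name the way nbtstat/NAT do: control bytes as ^A, ^B, ..."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "^" + chr(b + 0x40) for b in raw).rstrip()


def parse_node_status(pkt: bytes):
    """Return ([name records], MAC address) from a node status response datagram."""
    trn_id, flags, qd, an, ns, ar = struct.unpack_from(">6H", pkt, 0)
    if not (flags & 0x8000) or an != 1:
        raise ValueError("not a node status response")
    off = 12
    while pkt[off]:                       # skip the label-encoded RR_NAME
        off += 1 + pkt[off]
    off += 1
    rr_type, rr_class, ttl, rdlength = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rr_type != NBSTAT:
        raise ValueError(f"unexpected RR type 0x{rr_type:04x}")
    num_names = pkt[off]
    off += 1
    names = []
    for _ in range(num_names):
        raw, suffix, nflags = struct.unpack_from(">15sBH", pkt, off)
        off += 18
        group = bool(nflags & 0x8000)     # G bit; bits 14-13 are the node type
        names.append({"name": _printable(raw), "suffix": suffix, "group": group,
                      "active": bool(nflags & 0x0400),
                      "role": SUFFIX.get((suffix, group), "unknown")})
    mac = pkt[off:off + 6]               # UNIT_ID, first field of the statistics block
    return names, ":".join(f"{b:02X}" for b in mac)


def summarise(names):
    """The slide's callouts, derived mechanically from suffix and group bit."""
    summary = {"server": None, "domain": None, "users": [], "services": []}
    for n in names:
        if n["suffix"] == 0x20 and not n["group"]:
            summary["server"] = n["name"]
        elif n["suffix"] == 0x00 and n["group"]:
            summary["domain"] = n["name"]
        elif n["suffix"] == 0x00 and n["name"].startswith("IS~"):
            summary["services"].append("IIS (%s)" % n["name"])
        elif n["suffix"] == 0x1C and n["name"] == "INet~Services":
            summary["services"].append("IIS (INet~Services)")
        elif n["suffix"] == 0x1C and n["group"]:
            summary["services"].append("Domain controller for %s" % n["name"])
    # A unique <03> name that is not the machine itself is a logged-on user.
    summary["users"] = [n["name"] for n in names
                        if n["suffix"] == 0x03 and not n["group"] and n["name"] != summary["server"]]
    return summary


def build_sample_response() -> bytes:
    """Constructed NBSTAT reply mirroring the slide's table; suffixes and flags are assumed."""
    UNIQUE, GROUP = 0x6400, 0xE400        # H-node, ACT set; 0x8000 marks a group name
    table = [
        (b"PUTZY", 0x00, UNIQUE), (b"LACHNIET", 0x00, GROUP), (b"LACHNIET", 0x1C, GROUP),
        (b"PUTZY", 0x20, UNIQUE), (b"LACHNIET", 0x1B, UNIQUE), (b"PUTZY", 0x03, UNIQUE),
        (b"ADMINISTRATOR", 0x03, UNIQUE), (b"LACHNIET", 0x1E, GROUP),
        (b"INet~Services", 0x1C, GROUP), (b"LACHNIET", 0x1D, UNIQUE),
        (b"IS~PUTZY", 0x00, UNIQUE), (b"\x01\x02__MSBROWSE__\x02", 0x01, GROUP),
    ]
    rdata = bytes([len(table)])
    for name, suffix, nflags in table:
        rdata += struct.pack(">15sBH", name.ljust(15, b" "), suffix, nflags)
    rdata += bytes.fromhex("00a0c9123456") + bytes(40)   # UNIT_ID (MAC) + zeroed statistics
    wildcard = b"*".ljust(16, b"\x00")                    # the "*" name the client asked about
    rr_name = bytes([32]) + b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in wildcard) + b"\x00"
    header = struct.pack(">6H", 0x1234, 0x8400, 0, 1, 0, 0)
    return header + rr_name + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata


if __name__ == "__main__":
    names, mac = parse_node_status(build_sample_response())
    for n in names:
        print(f"{n['name']:<20} <{n['suffix']:02X}> {'GROUP ' if n['group'] else 'UNIQUE'} {n['role']}")
    print("MAC:", mac, summarise(names))
```

Everything here is handed out without authentication, which is why blocking UDP/TCP 137-139 at the border (or unbinding NetBIOS from the Internet-facing adapter) is the first fix.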
NetWare is not immune
• NetWare can also be brute force
attacked
• NetWare 3.x is more vulnerable than
4.x+
• Pandora - designed to crack passwords
from a copy of the NDS (directory services)
database
• For NetWare 4.x+, generally requires
access to the console or
administrator access to acquire a
copy of directory services
Brute force and UNIX
• Brute force attacks originated on UNIX
to crack the /etc/passwd file
• Requires a user account or stolen
password file
• Shadow passwords or other more
advanced authentication systems can
reduce the risk of this type of attack in
UNIX environments
• Once again, just don’t ever use a
password that is in the dictionary, or a
place, or your mom, or your dog, etc.
Miscellaneous Attacks
• Lots of other strange bugs exist in
everything from server software to
routers and printers
• For example, HP Jet Direct printers
can be controlled and crashed
remotely
• With physical access, certain routers
(e.g. Cisco) can be taken over
• “Fake Mail” is a good example of the
lack of security on the Internet [demo]
Trojans and back doors
• Are used to obtain or keep access to a
system
• Are remotely accessible, often with a simple
password
• Allow full control of the host computer
• For UNIX, usually provides a root shell
through a booby-trapped server program
• Under Windows 95, “Back Orifice” is all
the rage in Trojan technology
• Once you have one, as you will see, nothing
is safe
State of the art software
“Back Orifice”
• Written by the “Cult of the Dead Cow”
• Is small and powerful (only 128k bytes!)
• Is similar to a virus - some program
containing the program must be run on the
computer in question
• Generally distributed hidden inside of other
legitimate programs (such as FTP downloads
or E-Mail attachments)
• Quietly installs itself and hides the evidence,
running in the background at all times
• Makes use of additional features through
“Butt plug-ins”
Back Orifice Butt Plug-ins
• A Butt plug-in is installed along with
the trojan and provides additional
capabilities
• Butt-Trumpet sends an E-mail stating
the IP address of the compromised
computer (making you vulnerable even
if you have a dialup connection)
• Butt-Sniffer allows a remote user to
monitor network traffic on *your* local
area network
• The potential is limitless [demo]
Are you ever going to trust
an attachment again?
• Since Email can be forged to appear
to be coming from just about anyone,
ALL email attachments are suspect!
• Make people in your organization
aware of this risk - many people will
click on anything that comes their
way
L0phtCrack
• Multi-purpose NT password hacking utility
• Performs dictionary and brute force attacks
on NT password hashes (from the registry, from
Emergency Repair disks, and from
sniffed network traffic)
• Integral sniffer to snatch NT
password hashes off the network for
cracking
• http://www.l0pht.com (web site)
Nessus
• Is a client/server vulnerability scanner similar
in purpose to “SATAN”
• Server runs on a UNIX host (usually someone
else’s which has already been hacked)
• The hacker runs a client remotely and
submits requests to the Nessus server
• The Nessus server scans a range of hosts for
known vulnerabilities and provides a detailed
report back to the client
• All the activity appears to come from the
hacked server host, so the hacker goes free!
• The next big thing: coordinated server
attacks!
Getting help!
• Okay, so now you are worried!
• Research your operating systems on the net
• Subscribe to BugTraq and other listservs
• The best way to know that you are secure is
to hack your own network! It would be in your
best interests to get someone to audit your
security. If you don’t, someone will!
• Always keep up to date with service packs
and patches
• Register your product so you will be made
aware of security issues by the manufacturer
• Allow time for technical personnel to
research security and improve their skills
END
[email protected]