Hackers and Their Art


Forces that have brought the world to its knees over the centuries
Hackers and their art
An introduction into why they do it and how they research it.
If you know the enemy and know yourself,
you need not fear the result of a hundred battles.
If you know yourself but not the enemy,
for every victory you will also suffer a defeat.
If you know neither the enemy nor yourself,
you will succumb in every battle.
Sun Tzu, The Art of War
What Is Hacking?
The act of gaining access to a computer file or network without authorization.
The Hacker's Motivation
Is the Hacker a Criminal?
“We seek after knowledge and you call us criminals.
Yes, I am a criminal.
My crime is that of curiosity.
My crime is that of outsmarting you,
Something that you will never forgive me for.
You may stop this individual, but you can’t stop us all…
After all, we’re all alike.”
The Hacker's Manifesto
The Mentor
The Five Phases
• Reconnaissance
• Scanning
• Gaining access
• Maintaining access
• Covering the tracks
Phase I
Reconnaissance
Low Technology Reconnaissance
• Social engineering
• Physical break-in / piggybacking
• Dumpster Diving
Computer Based Reconnaissance
Information gathered online through the use of tools such as “Sam Spade”.
Tools available to the hacker in this program include but are not limited to:
• Ping
• Traceroute
• Finger client
• Multiple Whois databases
• DNS lookup
• DNS zone transfer
• IP block registration
• View web site source code
• Crawl a web site
• Notepad for taking system notes
What the Hacker Hopes to Gain at This Stage of Attack:
• Domain name
• Contacts at the target organization
• DNS server IP addresses
• Other target system addresses
• A glimpse of technologies in use
• User names and passwords (or their format)
Basic Defenses at This Stage
• Disabling ping on border routers
• Split DNS
• Keep Whois database records up to date
• Do not use OS type or system function in domain names
• Create, implement, and enforce a user password policy
Phase II
Scanning
Typical Scanning Techniques
• War dialing using THC-Scan
• Network mapping using Cheops-ng
• Port scanning using Nmap
• Vulnerability scanning using Nessus
What the Hacker Hopes to Gain at This Stage of Attack:
• List of telephone numbers with active modems
• List of open ports
• Map of the network
• List of vulnerabilities
Basic Defenses Against War Dialing
• Create, implement, and enforce a dial-up policy
• Use a call-back service on the server
• Remove the banner from the dial-up connection
Basic Defenses Against Network Mapping
• Remove telnet and web server from the firewall
• Implement ACLs on all border routers
• Use ACLs to block ICMP to the internal net
• Disable unused ports / services on routers
Basic Defenses Against Port Scanning
• Run a port scan against your own system to find open ports and close them
• Disable unneeded services through the services control panel
• Use software firewalls and proxy servers
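The first bullet above, scanning your own system, as an added example that is not part of the slides or of any tool they name: a plain TCP connect scan of the local host followed by a comparison against an allow-list of ports that are documented as open. The listener it starts on an ephemeral port is a stand-in for a forgotten service, and the empty allow-list is constructed for the demonstration.

```python
"""Scan your own host for listening TCP ports and compare with an allow-list.

Added example, not from the slides. A TCP connect scan of 127.0.0.1 around a
throwaway listener (stand-in for a forgotten service), then a check of what
was found against the set of ports documented as allowed.
"""
import socket

def scan_tcp(host, ports, timeout=0.2):
    """Return the sorted list of ports on `host` that accepted a TCP connection."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising an exception
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)

def unexpected_ports(found, allowed):
    """Ports that are listening but are not in the documented allow-list."""
    return sorted(set(found) - set(allowed))

def start_listener(host="127.0.0.1"):
    """Bind a throwaway listener on an ephemeral port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

def demo():
    """Start a listener, scan the ports around it, report the undocumented one."""
    srv, port = start_listener()
    try:
        found = scan_tcp("127.0.0.1", range(port - 3, port + 4))
    finally:
        srv.close()
    # Constructed allow-list: nothing is supposed to be listening here.
    return port, found, unexpected_ports(found, allowed=set())

if __name__ == "__main__":
    port, found, bad = demo()
    print(f"listener on {port}; open: {found}; not on allow-list: {bad}")
```

Run it against the real host by passing its address and the full port range to `scan_tcp` and the documented services to `unexpected_ports`; anything in the result is a port to explain or close.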
Basic Defenses for Vulnerability Scanning
• Routinely update servers with the latest patches and service packs
• Run multiple vulnerability scanners against your network to find the “holes” before they do
• Ensure that all software installed on firewalls and servers is from a reputable source
Phase III
Gaining Access
Typical Methods of Gaining System Access
• On-site hacking
• Stolen user IDs and passwords
• Running “brute force attacks”
• Trojan horses
• Cracking password files
Access Methods Continued
• Utilization of data gathered while “sniffing”
• IP spoofing and ARP cache poisoning
• Exploiting buffer overflows in software
What the Hacker Hopes to Gain at This
Stage of the Attack:
Access!!!
Just making sure you were still awake ;)
LAN Sniffing (HUB)
LAN Sniffing (Switch)
Basic Defenses Against Sniffing
• Use Secure Shell instead of Telnet
• Use VPN tools to encrypt data between systems
• Install switches instead of hubs
• Create VLANs on switches
• Hard-code the ARP tables on your systems
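The last bullet, hard-coded ARP tables, only helps if someone notices when the live cache disagrees with them. As an added example that is not part of the slides, the checker below compares a neighbour-table snapshot against a static baseline and flags changed, unknown and duplicated MAC addresses. The baseline values and the snapshot are constructed; the snapshot lines follow the shape printed by `ip neigh show` on Linux.

```python
"""Detect ARP cache changes against a hard-coded baseline.

Added example, not from the slides. Constructed baseline and snapshot;
snapshot lines are in the format printed by `ip neigh show` on Linux.
"""
import re
from collections import defaultdict

# Hard-coded baseline: IP -> expected MAC (constructed sample values).
BASELINE = {
    "192.168.1.1": "00:11:22:33:44:55",   # default gateway
    "192.168.1.10": "00:11:22:33:44:66",  # file server
    "192.168.1.20": "00:11:22:33:44:77",  # workstation
}

# Constructed snapshot: the gateway entry now carries the workstation's MAC,
# the classic symptom of ARP cache poisoning; .30 is a host not in the baseline.
SNAPSHOT = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:88 REACHABLE
192.168.1.40 dev eth0  FAILED
"""

_LINE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-fA-F:]{17})")

def parse_neigh(text):
    """Return {ip: mac} for every line that carries a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def check_arp(snapshot, baseline):
    """Compare a parsed snapshot with the baseline; return (kind, ip, expected, seen) tuples."""
    findings = []
    for ip, expected in baseline.items():
        seen = snapshot.get(ip)
        if seen is None:
            findings.append(("missing", ip, expected, None))
        elif seen != expected.lower():
            findings.append(("changed", ip, expected, seen))
    for ip in sorted(set(snapshot) - set(baseline)):
        findings.append(("unknown", ip, None, snapshot[ip]))
    # One MAC answering for several IPs is suspicious where every host has
    # its own adapter: the poisoner's card claims the victim's and the gateway's IP.
    by_mac = defaultdict(list)
    for ip, mac in snapshot.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", ",".join(sorted(ips)), None, mac))
    return findings

if __name__ == "__main__":
    for finding in check_arp(parse_neigh(SNAPSHOT), BASELINE):
        print(finding)
```

Feeding it the real output of `ip neigh show` (or a parser for `arp -a` on Windows) and running it from cron gives the alert the static table itself cannot.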
Buffer Overflow
Basic Defenses Against Buffer Overflows
• Implement a non-executable stack
(Ex: set noexec_user_stack=1)
• On Windows 2000 use SecureStack
• Use automated code-examining tools like ITS4
Basic Defenses Against Password Cracking
• Create and implement a strong PW policy
(At least 8 characters, alpha and numeric)
• Force users to change passwords regularly by using Windows user policy
• Install PW filtering software to ensure integrity of user-chosen passwords
• Conduct PW audits with the same programs the hackers use
(L0phtCrack or John the Ripper)
Phase IV
Maintaining Access
Methods of maintaining access
• Trojan Horses
• Backdoors
Basic Defenses against Trojans and Backdoors
• Routinely scan for Trojans on your network
• Ensure definition files for anti-virus software are up to date
• Look for changes in the system
• Install anti-virus software on both server and client machines
• Create “fingerprints” of key files and run an integrity checker against them on a regular basis
Phase V
Covering the tracks
Methods of avoiding detection
• NTFS alternate data streams and hidden files
• Reverse WWW shell
• Altering, Replacing, or Moving log files
NTFS alternate data streams and hidden files
• NTFS supports file streaming
(each filename is like a chest of drawers)
1.) Name of file viewed in Explorer
2.) “Normal” stream
(Contains the expected contents of the file)
3.) Alternate data streams hidden under the normal file
Why are Streams Stealthy?
• Streams don’t show up in Windows Explorer
(only “normal” streams are displayed)
• Length of file displayed in Explorer only includes the “normal” stream
• When files are copied, all streams follow the name if copied into an NTFS partition
Basic Defenses Against File Hiding in Windows
• Most commercial anti-virus packages detect malicious code
• LADS
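Explorer hides the streams described in the two slides above, but the command prompt does not: `dir /R` lists each file's alternate streams on their own lines as `name:stream:$DATA`, so a saved listing can be reviewed for streams a file should not have. As an added example, not from the slides and not how LADS works internally, the script below pulls the stream lines out of such a listing and separates well-known benign streams (`Zone.Identifier`, the mark-of-the-web stamp) from large or unexpected ones. The listing is constructed sample text in the shape `dir /R` prints.

```python
"""Find alternate data streams in saved `dir /R` output.

Added example, not from the slides and not LADS. The listing below is
constructed sample text in the layout `dir /R` prints on Windows.
"""
import re

SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\data

03/10/2024  09:00 AM    <DIR>          .
03/10/2024  09:00 AM    <DIR>          ..
03/10/2024  09:01 AM                12 notes.txt
                                 40960 notes.txt:payload.exe:$DATA
03/10/2024  09:02 AM              2048 report.docx
03/10/2024  09:03 AM                26 README.txt
                                   512 README.txt:Zone.Identifier:$DATA
               3 File(s)           2086 bytes
"""

# A stream line has no date/time column, only a size and `file:stream:$DATA`.
_STREAM = re.compile(
    r"^\s+(?P<size>[\d,]+)\s+(?P<file>.+?):(?P<stream>[^:]+):\$DATA\s*$")

def find_streams(listing):
    """Return [(file, stream, size_bytes)] for every alternate stream in `listing`."""
    found = []
    for line in listing.splitlines():
        m = _STREAM.match(line)
        if m:
            size = int(m["size"].replace(",", ""))
            found.append((m["file"], m["stream"], size))
    return found

def suspicious_streams(streams, benign=("Zone.Identifier",), min_size=4096):
    """Drop well-known small streams; keep anything unexpected or large."""
    return [s for s in streams if s[1] not in benign or s[2] >= min_size]

if __name__ == "__main__":
    streams = find_streams(SAMPLE_DIR_R)
    for name, stream, size in suspicious_streams(streams):
        print(f"{name}: stream {stream!r} ({size} bytes) should be explained")
```

The size threshold is a constructed tuning knob, not a rule: a stream of any size that nobody can account for deserves the same look.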
Reverse WWW Shell
• Client / server implemented in a single program
• Carries a command shell over HTTP
• Attacker uses the client to access the server from off site
• Software appears to be surfing the web but is really polling the client for commands to be executed on the server
Reverse WWW Shell
Basic defenses against Reverse WWW Shell
• Physical security of Servers
• Utilization of intrusion detection systems
• Investigate “Strange” or unknown processes
(especially those running with root privileges)
Basic Defenses against log file tampering
• Set up logs to track failed logon attempts
(Don’t just set them up ….. USE THEM!!!)
• Periodically review logs for any anomalies
• Use logs as a baseline to periodically review whether new security measures need to be implemented
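"Use them" in practice means reading the failed-logon record for patterns. As an added example that is not part of the slides, the script below parses constructed syslog-style sshd lines, counts failures per source address, flags sources that pile up failures inside a short window, and lists gaps in an otherwise steady record that are long enough to be worth a question (a hole can be a quiet night, or a block of deleted lines). The sample log and the thresholds are constructed.

```python
"""Review an authentication log for failed logons and anomalies.

Added example, not from the slides. Constructed syslog-style sshd lines;
thresholds are illustrative.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one address bursts five failures in four seconds, and
# there is a three-hour hole in an otherwise minute-by-minute record.
SAMPLE_LOG = """\
Mar 10 09:00:01 srv1 sshd[4011]: Accepted password for alice from 192.0.2.10 port 50122 ssh2
Mar 10 09:01:02 srv1 sshd[4012]: Failed password for bob from 192.0.2.11 port 50130 ssh2
Mar 10 09:02:15 srv1 sshd[4020]: Failed password for root from 203.0.113.5 port 4021 ssh2
Mar 10 09:02:16 srv1 sshd[4021]: Failed password for root from 203.0.113.5 port 4022 ssh2
Mar 10 09:02:17 srv1 sshd[4022]: Failed password for invalid user admin from 203.0.113.5 port 4023 ssh2
Mar 10 09:02:18 srv1 sshd[4023]: Failed password for invalid user test from 203.0.113.5 port 4024 ssh2
Mar 10 09:02:19 srv1 sshd[4024]: Failed password for root from 203.0.113.5 port 4025 ssh2
Mar 10 09:03:00 srv1 sshd[4030]: Accepted publickey for carol from 192.0.2.12 port 50140 ssh2
Mar 10 12:03:00 srv1 sshd[4100]: Accepted password for alice from 192.0.2.10 port 50200 ssh2
"""

_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def parse_events(text, year=2024):
    """Return [(timestamp, result, user, ip)] for each sshd auth line (syslog has no year)."""
    events = []
    for line in text.splitlines():
        m = _AUTH.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def failed_by_source(events):
    """Count failed logons per source address."""
    return Counter(ip for _ts, result, _u, ip in events if result == "Failed")

def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failures inside any span of length `window`."""
    times = defaultdict(list)
    for ts, result, _u, ip in events:
        if result == "Failed":
            times[ip].append(ts)
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged

def gaps(events, longest_expected=timedelta(hours=1)):
    """Consecutive timestamps further apart than the baseline says is normal."""
    stamps = sorted(ts for ts, *_ in events)
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > longest_expected]

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("failures by source:", dict(failed_by_source(ev)))
    print("brute-force sources:", brute_force_sources(ev))
    print("gaps:", gaps(ev))
```

The `longest_expected` value is where the slide's "logs as a baseline" idea comes in: set it from what a normal week of your own logs shows, not from a guess.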
Conclusion
“Imagine a school where children can read and write, but with
teachers who can not, and you have a metaphor of the information
age in which we live.”
Peter Cochrane
Web Resources for Keeping Up to Date
• SANS: http://www.sans.org
• Security Focus: http://www.securityfocus.com
• Search Security: http://www.searchsecurity.com
Acquisition of Software Resources
• Sam Spade:
http://www.samspade.org
• THC-Scan:
http://www.pimmel.com/thcfiles.php3
• Cheops-ng
http://cheops-ng.sourceforge.net
• Nmap
http://www.insecure.org/nmap
• NESSUS:
http://www.nessus.org
• SecureStack:
http://www.securewave.com/products/securestack/secure_stack.html
• ITS4:
http://www.cigital.com/its4
• John the Ripper:
http://www.Openwall.com/john
• L0phtCrack:
http://www.atstake.com/research/lc3
• Sniffit:
http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
• Secure Shell (Open Source):
http://www.openssh.com
• Netcat:
http://www.atstake.com/research/tools/index.html
• AIDE (Advanced Intrusion Detection Environment):
http://www.cs.tut.fi/~rammer/aide.html
• LADS (Locate Alternate Data Streams):
http://www.heysoft.de/index.htm
• Reverse WWW Shell:
http://www.megasecurity.org/Sources/rwwwshell-1_6_perl.txt