EE579T-Class 8 - Electrical & Computer Engineering


EE579T
Network Security
8: More About Network-Based Attacks
Prof. Richard A. Stanley
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/8 #1
Thought for the Day
“Denial of service attacks are the
last resort of a desperate mind;
unfortunately, they are a reality.”
Stuart McClure, Joel Scambray, George Kurtz
Overview of Tonight’s Class
• Review last week’s lesson
• Look at network security in the news
• Course project scheduling
• Network attacks--continued
Last Week...
• TCP/IP was not intended as a secure
protocol; as a result, it has vulnerabilities
that can be exploited
• There are many types of attacks that can be
mounted over network connections in order
to gain unauthorized access to resources
• Never forget, the best access is hands-on
Network Security Last Week- 1
• SubSeven updated to Version 2.2, adds
– support for proxy programs
– ability to listen to a random port
– GUI-based packet sniffer
– ability to relay information about compromised
machines to Web sites via CGI
– list of infected machines can then be passed
around to hackers
Network Security Last Week- 2
• GAO faults IRS online tax filing security
– Hackers can access taxpayer data, including tax
return
– Authentication/signature requirements not
upheld, but $2.1B refunds paid anyway!
• Successful hacks to government sites have
increased markedly; only half are reported
– Problem attributed to OS’s that are vulnerable
when delivered
Network Security Last Week- 3
• W32.Kris, the “Christmas virus,” has
resurfaced bigger and badder
– Modified, renamed to W32.Magistr.24876
– Payload capable of overwriting a hard drive and
destroying a computer's BIOS chip.
– Virus (actually a worm) infects random Word
file on the user's hard drive, then attaches that
file and 5 other files, to an e-mail which it
sends to all in the address book
Network Security Last Week- 4
• IT leaders form Online Privacy Alliance to
combat privacy legislation. Approach:
– identify expensive regulatory burdens
– question how any U.S. Internet law would
apply to non-Internet industries
– assure lawmakers that privacy is best guarded
by new technology, not new laws
– assert that online privacy would cost
consumers billions annually
Network Security Last Week- 5
• Largest Internet criminal attack to date:
– Eastern European hackers spent a year
systematically exploiting known Windows NT
vulnerabilities to steal customer data
– More than 1 million credit card numbers taken
– More than 40 sites victimized
• FBI and USSS taking unprecedented step of
releasing detailed forensic information from
ongoing investigations because of the
importance of the attacks
Network Security Last Week- 6
• Updated worm-generating software issued
– Brazilian hacker Kalamar has refined his
software used to write the Kournikova virus
– Software encrypts the worms so they are
impossible to delete
– They can also carry an executable payload
• Hacker distances himself from
responsibility for wrongdoing, claiming that
"worms are for learning, not for spreading”
Network Security Last Week- 7
• Bibliofind closes its books after hack
– No more online payments for Amazon spin-off,
Bibliofind
– Hacker had been sitting on the site's servers
since October, downloading customer
information, including credit card numbers
– Servers were taken down 2 Mar; all customer
information was purged
– Customers now have to arrange payment
directly with the sellers
Network Security Last Week- 8
• Naked Wife virus: destructive but contained
• Israeli hacktivists suspected in rerouting Hamas
home page to a pornographic site
• Vierika VB worm
– Outlook e-mail attachment
– Lowers Internet Explorer security settings
– Changes a user's start page to an Italian site that
contains the main part of the worm
• Palm passwords accessible through back door via
serial syncing cable
Revised Class Schedule Due to
Snow Day
• We can go in many directions from here
– What do you want to hear about most in the 3
remaining lectures?
• Schedule
– 3/22, 3/29, 4/5: Lecture classes
– 4/12: Exam + 2 project presentations
– 4/19: 6 project presentations
– 4/26: 6 project presentations + prof. evaluation
Course Projects - 1
1. Port scanning technology
– Sullivan, Toomey
2. Extensible authentication protocol
– Mizar, Hirsh, Tummala
3. Honey Pot
– Kaps, Gaubatz
4. Wired/Wireless security comparison
– Azevedo, Nguyen, H. Tummala
Course Projects - 2
5. SOHO network security
– Davis, Syversen, Kintigh
6. Sniffing switched networks
– Michaud, Lindsay, VanRandwyk
7. Broadband access security
– Sumeet, Nirmit, Harsh
8. Trojan Horse security
– Aparna, Subramanian
Course Projects - 3
9. Java security
– Malloy
10. Router security
– Mansour,
11. DDoS Security
– Gorse, Pushee
12. Network Security Processors
– McLaren, Brown
Course Projects - 4
13. Network cryptography
– Lee
14. ATM Security (can’t do 26 Apr)
– Fernandes, Kuppur, Venkatesh
Network Based Attacks
Do You Do Windows?
ARP Revisited
• Bad guy on same network segment
– Sends gratuitous ARP response
– Most implementations will cache the response,
even though it was not requested
– This takes over the IP address associated with
the MAC address
• Bad guy on another network segment
– Only has to deal with routing between segments
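To see why caching an unrequested reply is the weak point, here is an added example (not from the lecture) of a small ARP monitor in the style of arpwatch: it only trusts replies that answer an outstanding request, and it flags a reply that rebinds an already-known IP address to a different MAC. The ARP events, IPs and MACs are constructed.

```python
"""Detect the ARP-cache poisoning pattern from the slide: an unsolicited
(gratuitous) ARP reply that rebinds an IP address to a new MAC.
Constructed example with synthetic ARP events; not the lecture's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ArpEvent:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    """Mirror the host's ARP cache, but only trust replies we asked for."""
    bindings: Dict[str, str] = field(default_factory=dict)  # ip -> mac
    pending: Set[str] = field(default_factory=set)          # ips we asked about
    alerts: List[str] = field(default_factory=list)

    def observe(self, ev: ArpEvent) -> None:
        if ev.op == "request":
            self.pending.add(ev.target_ip)
            return
        # A reply nobody asked for is exactly what the slide's attacker sends.
        unsolicited = ev.sender_ip not in self.pending
        self.pending.discard(ev.sender_ip)
        old = self.bindings.get(ev.sender_ip)
        if unsolicited and old is not None and old != ev.sender_mac:
            # Keep the trusted binding instead of overwriting it.
            self.alerts.append(
                f"POISON? {ev.sender_ip} moved {old} -> {ev.sender_mac} (unsolicited)")
            return
        if unsolicited:
            self.alerts.append(f"unsolicited reply for {ev.sender_ip} from {ev.sender_mac}")
        elif old is not None and old != ev.sender_mac:
            self.alerts.append(f"binding change {ev.sender_ip}: {old} -> {ev.sender_mac}")
        self.bindings[ev.sender_ip] = ev.sender_mac


def run_sample() -> Tuple[Dict[str, str], List[str]]:
    """Constructed traffic seen by host 10.0.0.5: a legitimate request/reply
    for the gateway, then a gratuitous reply claiming the gateway's IP from
    a different MAC (the take-over described on the slide)."""
    events = [
        ArpEvent("request", "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
        ArpEvent("reply",   "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
        ArpEvent("reply",   "10.0.0.1", "bb:bb:bb:bb:bb:99", "10.0.0.5"),
    ]
    mon = ArpMonitor()
    for ev in events:
        mon.observe(ev)
    return mon.bindings, mon.alerts
```

A real cache that accepts the third event would now send gateway traffic to bb:bb:bb:bb:bb:99; the monitor keeps the first binding and raises one alert.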
Hacking Windows 98
• Good news
– Very limited remote administration capability
– Impossible to execute commands remotely,
except with third-party software or proxy
• BUT THESE EXIST!
• Bad news
– No real security design; “feel-good” features
Windows 9x Remote Attacks
Windows 98 Shares
• Printer shares fairly benign, save for free-riding (which costs money for time and
supplies, so it isn’t a victimless attack)
• File shares another story
– Many scanners exist to uncover Win9x shares
– If root partition shared, Trojan Horses easy to
plant that execute on next boot + other mischief
– PWL files can be downloaded for cracking
Replay Authentication Hash
• Win9x with file sharing issues the same
challenge to a remote computer in a given 15-minute period
• Username and challenge are hashed for
authentication
– Username sent in clear
– Identically hashed authentication request could
be sent in the 15 minute period to mount share
• So far, not widely exploited. But…?
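An added toy illustration (not the lecture's code, and not the real Win9x share hash: HMAC-SHA256 with a made-up secret stands in for it) of why a challenge reused for a whole window is replayable: a server that hands out one challenge per window accepts a recorded response a second time, while a server that issues a fresh random challenge per session rejects it.

```python
"""Challenge reuse vs. a fresh challenge per session. Constructed toy:
HMAC-SHA256 stands in for the Win9x share-password hash; the secret,
usernames and timings are made up."""
import hashlib
import hmac
import os
from typing import Optional


def respond(secret: bytes, username: str, challenge: bytes) -> bytes:
    """Client side: keyed hash over the username and the server's challenge."""
    return hmac.new(secret, username.encode() + challenge, hashlib.sha256).digest()


class ShareServer:
    """With reuse_seconds > 0 the server behaves like the Win9x file server on
    the slide and issues one challenge per window; with reuse_seconds == 0
    every authentication attempt gets a fresh random challenge."""

    def __init__(self, secret: bytes, reuse_seconds: int):
        self.secret = secret
        self.reuse_seconds = reuse_seconds
        self._challenge: Optional[bytes] = None
        self._issued_at = 0

    def challenge(self, now: int) -> bytes:
        stale = (self._challenge is None
                 or self.reuse_seconds == 0
                 or now - self._issued_at >= self.reuse_seconds)
        if stale:
            self._challenge = os.urandom(8)
            self._issued_at = now
        return self._challenge

    def verify(self, username: str, response: bytes) -> bool:
        expected = respond(self.secret, username, self._challenge)
        return hmac.compare_digest(expected, response)


def replay_succeeds(reuse_seconds: int) -> bool:
    """An eavesdropper records (username, response) from a legitimate logon at
    t=0 (the username travels in the clear) and plays it back at t=60.
    Returns True if the server accepts the replayed pair."""
    secret = b"share-password"
    server = ShareServer(secret, reuse_seconds)
    c0 = server.challenge(now=0)
    captured = ("alice", respond(secret, "alice", c0))
    assert server.verify(*captured)          # legitimate logon works
    server.challenge(now=60)                 # attacker opens a new session
    return server.verify(*captured)
```

Only the challenge policy differs between the two runs; the hash itself is the same in both, which is the point: hashing the password does nothing against replay if the challenge does not change.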
Dial-Up Servers
• Can easily provide back door into LAN if
dial-up used on a modem connection
• Modem allows password enumeration and
guessing, just as on the broadband side
• Intruders can attack what they find
– Can’t go further because Win9x can’t route
network traffic
• VPN now bundled with DUN, so...
Remotely Hacking the Registry
• Win9x does not have built-in remote
registry access
• Remote Registry Service is provided on the
Win9x distribution CD, and provides this
service
– found in \admin\nettools\remotreg
– Forces user-level security to be enabled
• Not the easiest hole to create or to exploit
Back Doors - 1
• BackOrifice
– Creators bill it as a remote admin tool!
– Allows nearly complete remote control of Win9x
systems, including Registry mods
– UDP-based (default port 31337)
– You want it?
• www.bo2k.com
– You want to find and kill it?
• www.ultraglobe.com/basement/backorifice/index.shtml
Back Doors - 2
• Net Bus
– Remote control of Win9x and Win NT
– TCP based (port 12345 or 20034)
– Because of TCP basing, more likely to be caught by
a firewall (most firewalls don’t worry about UDP)
– You want it?
• http://home.t-online.de/TschiTschi/netbus_pro.htm
Back Door Catch-22
• Server software must execute on the target
machine -- cannot launch from remote
• How to make this possible?
– Buffer overflow to push code into target
• “long attachment filename” bug in Outlook
– Hostile mobile code
– Trickery (e.g. Saran Wrap makes BO look like
InstallShield)
Built-in / Add-in Problems
• MS Personal Web Server
– If unpatched, reveals file contents to attackers
who know file location and request via nonstandard URL
• Commercial software
– PCAnywhere
– LapLink
– CarbonCopy
These are an attacker’s dreams come true!
Win9x Console-Based Attacks
Reboot
• Win9x has no logon security
• Windows password merely identifies the
active user (try clicking “Cancel”)
• Any logon screen is cosmetic -- security
doesn’t really mean much here
• If you prefer, reboot from your own floppy
disk
Defeat the Screen Saver
Password
• CD-ROM Autorun runs under screen saver
– Polls for CD-ROM insertion
– If “yes”, runs the program named by ‘open=’ in the
Autorun.inf file, which can be anything
• Screen saver password
– Stored in registry
– Poor encryption, has been broken
– Easy break-in, somewhat stealthy
Passwords in the Registry
• Many programs store their passwords in the
Registry
– Lots are not even encrypted
– This is handy if you forget, but also a
vulnerability
• Tools available to make password recovery
from the Registry simple
Crack Password Files at Leisure
• PWL file found in root partition
• Attacker can download files to a floppy and
crack at his convenience
– copy C:\Windows\*.pwl a:
• Many tools exist to help this effort, e.g.
– PWL Tool, $75, one-time demo free
• www.webdon.com
Windows NT Attacks
NT Versus Unix
• NT perceived as insecure
– But not really more insecure than Unix
• Why?
– Running code in server processor space can be
restricted
– Interactive console login restricted to a few admin
accounts
– Source code access poor, so few buffer issues
• Issues
– Backwards compatibility
– Ease of use
Goal: Become Administrator
• Guessing passwords
• Remote exploits
• Privilege escalation
Guessing Passwords Over the
Network
• Manual guessing
– Requires knowledge of user names
• Automated guessing
– Requires knowledge of user names
• Eavesdropping
– Requires network segment access
Manual Password Guessing - 1
• Users tend towards the easiest password:
none
• Failing that, passwords are chosen to be
easy to remember
• Much software runs under NT user
accounts, the names of which become
public knowledge after a time, and are
usually easily remembered
Manual Password Guessing - 2
• Start with user list
– DumpACL
– sid2user
• Open Network Neighborhood or use Find
Computer and IP address
• Start making educated guesses to log into a
valid user account
• Works, but time-consuming
Automated Password Guessing
• Tools automate the process
– Legion
– NetBIOS Auditing Tool
• Command line use, enables scripting
• Null passwords? Use NTInfo Scan
• CyberCop Scanner is a commercial tool to
do this
Eavesdropping
• Requires access to the network segment
• L0phtcrack
– NT password-guessing tool
– Usually works offline against the PW file
– Getting the PW file not a trivial exercise
– L0phtcrack now includes SMB Packet Capture
• Listens to network segment
• Captures login sessions, strips encrypted data
• Reverse engineers NT password encryption
• Anyone who can eavesdrop can become
Administrator within a very short time!
Switched Architecture?
• Social engineering from L0phtcrack:
– Include following URL in email to target:
////yourcomputer/sharename/message.html
– Effect is to send PW hashes to you for
verification
• L0pht also has sniffer to dump PW hashes
from PPTP, a variant of which provides
VPN service under NT
Countermeasures
• Block NetBIOS-specific ports
– Disable TCP & UDP ports 135-139 at the
perimeter firewall
– Disable TCP/IP binding for any adapter
connected to public networks
• Enforce password policies
– Use the User Manager
– Build good passwords (Passfilt DLL)
– Use the Passprop tool
More Countermeasures
• Disable LANMAN authentication
– NT 4.0 SR 4 and later permits Registry setting
to prohibit NT host from accepting LANMAN
– This denies ability to “pass the hash”
– BUT: earlier client authentications will fail,
exposing the LM hash anyway
• Enable SMB signing
– Requires crypto verification of every SMB
packet
– NT-only solution
Prevention
• Switched networks are to be preferred
– Remember the L0pht social engineering idea
• Keep Windows 9x and Windows for
Workgroups clients off the network
• Enable auditing and logging
– Analyze the logs routinely!
– A log full of Logon/Logoff failures probably
indicates an automated attack
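As an added example of the log analysis the slide calls for (not part of the lecture), a sliding-window detector over constructed failed-logon audit lines in a simplified CSV form; it flags a source workstation that produces many failures, or failures across many different accounts, within a short window.

```python
"""Flag the 'log full of Logon/Logoff failures' pattern from the slide:
bursts of failed logons from one workstation, especially across several
usernames. The audit lines below are constructed, in a simplified CSV
form (time, event id, user, source workstation), not real NT log output.
Event ids follow the NT 4 Security log: 528 = logon success, 529 = failure."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

SAMPLE_LOG = """\
2001-03-22 21:00:01,528,jsmith,WS-FINANCE
2001-03-22 21:00:05,529,jsmith,WS-FINANCE
2001-03-22 21:00:06,529,jsmith,WS-FINANCE
2001-03-22 21:00:07,529,jsmith,WS-FINANCE
2001-03-22 21:00:09,529,payroll,WS-FINANCE
2001-03-22 21:00:10,529,administrator,WS-FINANCE
2001-03-22 21:00:11,529,backup,WS-FINANCE
2001-03-22 21:00:12,529,guest,WS-FINANCE
2001-03-22 21:04:30,529,mlee,WS-LAB3
2001-03-22 21:30:00,528,mlee,WS-LAB3
"""


def detect_bursts(log_text: str, window_s: int = 60,
                  max_failures: int = 5, max_users: int = 3) -> List[str]:
    """Per source workstation, keep the failed logons inside a sliding
    window. Alert when the failure count, or the number of distinct
    accounts tried, reaches its threshold. One alert string per source,
    describing the state at the last offending line."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, str] = {}
    window = timedelta(seconds=window_s)
    for line in log_text.splitlines():
        ts, event, user, source = line.split(",")
        if event != "529":
            continue                      # only failures feed the detector
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[source]
        q.append((t, user))
        while q and t - q[0][0] > window:  # drop entries outside the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= max_failures or len(users) >= max_users:
            alerts[source] = (f"{source}: {len(q)} failed logons against "
                              f"{len(users)} account(s) within {window_s}s "
                              f"(last at {ts})")
    return list(alerts.values())
```

The single failure from WS-LAB3 followed by a success is what a mistyped password looks like and stays quiet; the run from WS-FINANCE trips both thresholds.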
What About Intrusion Detection?
• Many tools available
• A good tool can serve as a canary in a coal
mine, but
– Intrusion detection is not a mature technology
– Detection tends to be based on comparison to
known attacks
– Avoiding the novel is a problem
– False alarms can raise havoc with routine ops
More Remote Attacks
• Remote buffer overflows
– Several published overflows in NT
– Likelihood of severe attacks using this approach
growing
• Denial of service
– Known holes in NT patched--install patches!
– Probably other holes to be found, especially in
Windows 2000, which is a tabula rasa
– DoS can be used to force reboot, which then
triggers execution of malicious code
Privilege Escalation -1
• Vacuuming up information
– From non-Admin account, need to identify info
that will gain higher privilege
– Enumerate shares, search for password files,
probe the Registry
Privilege Escalation - 2
• getadmin
– Adds a user to local Administrators group
– Uses low-level kernel routine to set a flag
allowing access to any running process
– Uses DLL injection to insert malicious code to
a process that can add users
– Must be run locally on target system
Privilege Escalation - 3
• sechole
– Similar functionality to getadmin
– secholed puts user in Domain Admins group
– Modifies OpenProcess API call to attach to a
privileged process
– Must be run locally on target…
– UNLESS target running IIS, in which case it is
possible to launch remotely
Countermeasures
• Apply the patches
• Don’t allow write access to executable
directories
• Block ports 135-139 (shuts down Windows
file sharing)
• Audit execute privileges on web server
filesystem
Buffer Overflows
• Sending oversize ICMP packets
• Sending IIS 3.0 a 4048 byte URL request
• Sending email with 256-character file name
attachments to Netscape/MS email clients
• SMB logon to NT with incorrect data size
• Sending Pine user an email with “from”
address > 256 characters
• Connect to WinGate POP3 port with user
name of 256 characters
Summary
• Windows 9x has no built-in security. This
is both a blessing and a curse
• Windows NT can be a reasonably secure
operating system if used properly
• There are ways to exploit NT
• Allowing Win9x clients to log onto an NT
domain increases security exposure
Homework - 1
1. You are a user on a Windows NT network
segment. You want access to the payroll
files, which you can obtain either as a
member of the Payroll group or the
Administrator group. How would you approach
breaking into the network to gain access to
these files?
Homework - 2
2. Your Windows 2000 network requires that
several tens of Windows 98 clients be
allowed to connect to it. What security
problems do you foresee? How can you
mitigate these problems?
Assignment for Next Week
• Next week’s topic: Yet More Network-Based
Attacks