Transcript Salt
Network Intruders
Masquerader: A person who is not authorized to use a
computer, but gains access appearing to be someone with
authorization (steals services, violates the right to privacy,
destroys data, ...)
Misfeasor: A person who has limited authorization to use a
computer, but misuses that authorization (steals services,
violates the right to privacy, destroys data, ...)
Clandestine User: A person who seizes supervisory control of a
computer and proceeds to evade auditing and access controls.
1
Access Control
Today almost all systems are protected only by a simple password
that is typed in, or sent over a network in the clear. Techniques for
guessing passwords:
1. Try default passwords.
2. Try all short words, 1 to 3 characters long.
3. Try all the words in an electronic dictionary (60,000).
4. Collect information about the user’s hobbies, family names,
birthday, etc.
5. Try user’s phone number, social security number, street
address, etc.
6. Try all license plate numbers (123XYZ).
Prevention: Enforce good password selection (c0p31an6)
2
Password Gathering
Look under keyboard, telephone etc.
Look in the Rolodex under “X” and “Z”
Call up pretending to be from “micro-support,” and ask for it.
“Snoop” a network and watch the plaintext passwords go by.
Tap a phone line - but this requires a very special modem.
Use a “Trojan Horse” program to record keystrokes.
3
UNIX Passwords
[Diagram] User’s password (should be required to have 8 characters,
some non-letters) + Random 12-bit number (Salt)
  --> DES encrypted to 11 viewable characters
Stored entry, one row per user:
User ID | Salt Value | Hash
User ID | Salt Value | Hash
User ID | Salt Value | Hash
4
Storing UNIX Passwords
Until a few years ago, UNIX passwords were kept in a publicly
readable file, /etc/passwd. Now they are kept in a “shadow”
directory only visible by “root”.
“Salt”:
• prevents duplicate passwords from being easily seen as such.
• prevents use of standard reverse-lookup dictionaries (a different
dictionary would have to be generated for each value of Salt).
• does not “effectively increase the length of the password.”
5
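The two salt points from slides 4 and 5 (same password, different stored entries; one reverse-lookup table per salt value) as a worked example. This is added code, not from the slides: it keeps the slide's layout of a 12-bit salt plus 11 viewable characters, but uses SHA-256 as a stand-in for the DES transform, and the words and salt values are constructed.

```python
import hashlib

# The 64-character alphabet of traditional crypt(3): 6 bits per character, so
# two characters carry the 12-bit salt and eleven characters carry the hash.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def salt_to_chars(salt: int) -> str:
    """Encode a 12-bit salt (0..4095) as the two leading characters of an entry."""
    if not 0 <= salt < 4096:
        raise ValueError("salt must be a 12-bit value")
    return ALPHABET[salt >> 6] + ALPHABET[salt & 0x3F]


def hash_password(password: str, salt: int) -> str:
    """Return the 13-character stored entry: 2 salt characters + 11 hash characters.

    Assumption: SHA-256 over salt||password stands in for the DES-based
    transform on the slide; only the shape of the result (salt plus 11
    viewable characters) follows the slide.
    """
    digest = hashlib.sha256(salt_to_chars(salt).encode() + password.encode()).digest()
    bits = int.from_bytes(digest[:9], "big")  # 72 bits, of which 66 are used
    hash_chars = "".join(ALPHABET[(bits >> (6 * i)) & 0x3F] for i in range(11))
    return salt_to_chars(salt) + hash_chars


def build_reverse_table(words, salt: int) -> dict:
    """Precompute entry -> word for ONE salt value.

    Looking up every stored entry this way needs 4096 such tables,
    one per possible salt, which is the slide's second point.
    """
    return {hash_password(w, salt): w for w in words}


def lookup(entry: str, table: dict):
    """Reverse-lookup a stored entry; None when the table's salt does not match."""
    return table.get(entry)


if __name__ == "__main__":
    # Constructed demo: two users chose the same password but got different salts.
    alice, bob = hash_password("c0p31an6", 1234), hash_password("c0p31an6", 77)
    print("same password, different entries:", alice != bob)
    table = build_reverse_table(["password", "secret", "c0p31an6"], 1234)
    print("found with matching salt:", lookup(alice, table))
    print("found with other salt:", lookup(bob, table))
```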
The Stages of a Network Intrusion
1. Scan the network to:
• locate which IP addresses are in use,
• what operating system is in use,
• what TCP or UDP ports are “open” (being listened to
by Servers).
2. Run “Exploit” scripts against open ports
3. Get access to Shell program which is “suid” (has “root”
privileges).
4. Download from a Hacker Web site special versions of system
files that will let the Cracker have free access in the future without his
CPU time or disk storage space being noticed by auditing
programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.
6
Protection from a Network Intrusion
1. Use a “Firewall” between the local area network and the worldwide Internet to limit access (Chapter 10).
2. Use an IDS (Intrusion Detection System) to detect Cracker
during the scanning stage (lock out the IP address, or monitor and
prosecute).
3. Use a program like TripWire on each host to detect when
system files are altered, and email an alert to the Sys Admin.
4. On Microsoft PCs, a program like BlackIce is easier to install
than learning how to reset default parameters to make the system
safe (and fun besides).
7
Type "A" Probes
The first three UDP probes, which started my investigation, had a single character in
the data field, an 'A'. The UDP port numbers were identical, 31790->31789.
They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP
Destination_Unreachable-Port Packets. The Echo-Request is never answered.
Date        Time (EST)  Source IP (Place)                  Destination (Place)
1999-12-28  18:40       151.21.82.251 (Italy)          to  24.88.48.47 (Atlanta, GA)
1999-12-10  18:28       152.169.145.206 (AOL)          to  24.88.48.47 (Atlanta, GA)
1999-12-16  03:34       212.24.231.131 (Saudi Arabia)  to  24.88.48.47 (Atlanta, GA)
UDP packets with an empty data field, like those generated by the "nmap" scan program,
do not stimulate the 1500-byte ICMP packets from an OS-9 Macintosh.
11
Type "Double-zero" Probes (James Bond, 007, "00" -> "license to kill")
I have now seen 3 UDP type "00" probes, and had another "00" probe reported from Kansas.
These probes use a single UDP packet, two bytes of data (ascii zeroes) and identical
UDP port numbers, 60000->2140. They stimulate the 1500-byte ICMP Echo-Request packet
and the normal 58-byte ICMP Destination_Unreachable-Port Packets. The Echo-Request is
never answered.
1999-12-20 07:04 195.229.024.212 (Arab Emirates*) to 24.88.48.47 (Atlanta, GA)
1999-12-21 08:04 195.229.024.213 (Arab Emirates*) to 24.88.48.47 (Atlanta, GA)
*DNS name: cwa129.emirates.net.ae
1999-12-25 09:39 212.174.198.29 (Turkey) to 24.94.xxx.xxx (Wichita, Kansas)
*DNS: none
1999-12-31 05:35 195.99.56.179 (Manchester, UK*) to 14.88.xx.xx (Atlanta, GA)
*DNS name: manchester_nas11.ida.bt.net
2000-01-04 05:08 24.94.80.152 (Road Runner, Hawaii) to 24.94.xxx.xxx (Wichita, Kansas)
*DNS name: a24b94n80client152.hawaii.rr.com
2000-01-06 04:48 195.44.201.41 (cwnet, NJ) to 24.88.xx.xxx (Atlanta, GA)
*DNS name: ad11-s16-201-41.cwci.net
12
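Detection logic for the two probe signatures described on slides 11 and 12 (a single 'A' on 31790->31789, two ASCII zeros on 60000->2140), as an added example that is not part of the original slides. The packet records are constructed for the demo (source addresses taken from the slide's tables); the empty-payload packet stands in for the nmap-style packet that the slide says does not trigger the 1500-byte ICMP reply.

```python
from dataclasses import dataclass


@dataclass
class UdpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


# Signatures as the slides describe them: a fixed source/destination port
# pair and a fixed one- or two-byte data field.
PROBE_SIGNATURES = {
    "type-A": (31790, 31789, b"A"),
    "type-00": (60000, 2140, b"00"),
}


def classify_probe(pkt: UdpPacket):
    """Return the probe type name, or None when the packet matches no signature."""
    for name, (sport, dport, data) in PROBE_SIGNATURES.items():
        if pkt.sport == sport and pkt.dport == dport and pkt.payload == data:
            return name
    return None


def flag_probes(packets):
    """List (source IP, probe type) for every packet that matches a signature."""
    hits = []
    for pkt in packets:
        kind = classify_probe(pkt)
        if kind is not None:
            hits.append((pkt.src, kind))
    return hits


# Constructed sample traffic (not captured data): the two slide signatures,
# an empty-payload packet of the kind nmap sends, and an ordinary DNS query.
SAMPLE = [
    UdpPacket("151.21.82.251", "24.88.48.47", 31790, 31789, b"A"),
    UdpPacket("195.229.24.212", "24.88.48.47", 60000, 2140, b"00"),
    UdpPacket("10.0.0.5", "24.88.48.47", 31790, 31789, b""),
    UdpPacket("10.0.0.6", "24.88.48.47", 53000, 53, b"\x12\x34"),
]

if __name__ == "__main__":
    for src, kind in flag_probes(SAMPLE):
        print(f"probe from {src}: {kind}")
```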
Traceroute to find location of IP Address
Start: 11/21/99 11:07:40 PM
Find route from: 24.88.48.47 to: www.orbicom.com. (196.28.160.129), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
 1 24.88.48.1 (24.88.48.1): 17ms 17ms 16ms
 2 24.88.3.21 (24.88.3.21): 18ms 19ms 18ms
 3 24.93.64.69 (24.93.64.69): 17ms 18ms 17ms
 4 24.93.64.61 (24.93.64.61): 19ms 17ms 18ms
 5 24.93.64.57 (24.93.64.57): 25ms 25ms 23ms
 6 sgarden-sa-gsr.carolina.rr.com. (24.93.64.30): 26ms 27ms 27ms
 7 roc-gsr-greensboro-gsr.carolina. (24.93.64.17): 28ms 28ms 30ms
 8 roc-asbr-roc-gsr.carolina.rr.com (24.93.64.6): 30ms 32ms 30ms
 9 12.127.173.205 (12.127.173.205): 40ms 39ms 39ms
10 gbr2-a30s1.wswdc.ip.att.net. (12.127.1.30): 38ms 40ms 39ms
11 gr2-p3110.wswdc.ip.att.net. (12.123.8.246): 278ms 40ms 39ms
12 att-gw.washdc.teleglobe.net. (192.205.32.94): 41ms 43ms 42ms
13 if-7-2.core1.newyork.teleglobe.n (207.45.222.145): 45ms 46ms 45ms
14 if-0-0-0.bb3.newyork.teleglobe.n (207.45.221.69): 45ms 47ms 49ms
15 ix-1-1-1.bb3.newyork.teleglobe.n (207.45.199.202): 50ms 46ms 50ms
16 196.30.121.243 (196.30.121.243): 44ms 48ms 45ms
17 fe0-0.cr3.ndf.iafrica.net. (196.31.17.26): 635ms 632ms 633ms
18 atm6-0sub300.cr1.vic.iafrica.net (196.30.121.81): 641ms 640ms 644ms
19 196.30.200.6 (196.30.200.6): 643ms 640ms 643ms
20 196.4.162.86 (196.4.162.86): 662ms 659ms 664ms
21 www.orbicom.com. (196.28.160.129): 663ms 658ms 664ms
• Trace completed 11/21/99 11:08:25 PM •
13
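The slide uses the trace's round-trip times as the clue to where a path (and so the destination) goes; the added example below, not part of the slides, parses lines in the trace's "hop host (ip): rtt rtt rtt" layout and finds the hop where the minimum RTT jumps most. The embedded lines are a reconstructed excerpt of the slide's trace, and the line format is the one assumed here.

```python
import re

# Excerpt reconstructed from the slide's trace (hop, host, IP, three RTT probes).
TRACE = """\
10 gbr2-a30s1.wswdc.ip.att.net. (12.127.1.30): 38ms 40ms 39ms
11 gr2-p3110.wswdc.ip.att.net. (12.123.8.246): 278ms 40ms 39ms
12 att-gw.washdc.teleglobe.net. (192.205.32.94): 41ms 43ms 42ms
16 196.30.121.243 (196.30.121.243): 44ms 48ms 45ms
17 fe0-0.cr3.ndf.iafrica.net. (196.31.17.26): 635ms 632ms 633ms
18 atm6-0sub300.cr1.vic.iafrica.net (196.30.121.81): 641ms 640ms 644ms
"""

LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\):\s+(.*)$")


def parse_trace(text: str) -> list:
    """Parse trace lines into dicts with hop number, host, IP and RTT list (ms)."""
    hops = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rtts = [int(v.rstrip("ms")) for v in m.group(4).split()]
        hops.append({"hop": int(m.group(1)), "host": m.group(2),
                     "ip": m.group(3), "rtts": rtts})
    return hops


def min_rtt(hop: dict) -> int:
    # The minimum of the probes is the best estimate of propagation delay;
    # it discards transient queueing such as the 278ms outlier at hop 11.
    return min(hop["rtts"])


def largest_jump(hops: list):
    """Return (hop number, increase in ms) where the minimum RTT rises most."""
    best = None
    for prev, cur in zip(hops, hops[1:]):
        delta = min_rtt(cur) - min_rtt(prev)
        if best is None or delta > best[1]:
            best = (cur["hop"], delta)
    return best


if __name__ == "__main__":
    hops = parse_trace(TRACE)
    hop, delta = largest_jump(hops)
    print(f"largest latency jump: +{delta}ms entering hop {hop}")
```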