Hacking Overview


COEN 250
Security Threats
Network Based Exploits
Phases of an Attack
- Reconnaissance
- Scanning
- Gaining Access
- Expanding Access
- Covering Tracks

Reconnaissance

Social Engineering
- “I cannot access my email. What do I do?”
- Dumpster Diving (especially useful when people move)

Search the Web
- Sam Spade (www.samspade.org/ssw/), CyberKit, NetScanTools, ...
- Search Engine
- Usenet postings
- Whois
Reconnaissance: Databases
- To research .com, .net, and .org domain names: InterNIC whois feature (www.internic.net/whois.html), allwhois, Network Solutions, ...
- ARIN: American Registry for Internet Numbers (www.arin.net/whoiis/arin-whois.html)
- RIPE (Europe): www.ripe.net
- APNIC (Asia Pacific): www.apnic.net
Reconnaissance: Scanning

Once we have a target, we need to get to know it better.
Methods:
- War Dialing (to find out modem access)
- Network Mapping
- Vulnerability Scanning
- War Driving
Scanning: War Dialing

Purpose: Find a modem connection.
- Many users in a company install remote PC software such as PCAnywhere without setting the software up correctly.
- A War Dialer finds these numbers by going through a range of phone numbers listening for a modem.
- A Demon Dialer tries a brute force password attack on a found connection.
- Typically: war dialing will find an unsecured connection.
Scanning: Network Mapping

Ping:
- ping is implemented using the Internet Control Message Protocol (ICMP) Echo Request.
- A receiving station answers back to the sender.
- Used by system administrators to check the status of machines and connections.
Scanning: Network Mapping

Traceroute:
- Pings a system with ICMP echo requests with varying life spans (= number of hops allowed, the IP time-to-live).
- A system that receives a packet whose allowed number of hops has expired sends an error message back to the sender.
- Traceroute uses this to find the route to a given system.
- Useful for System Administration.
Scanning: Network Mapping

Cheops:
- Network Scanner (UNIX based)
- Uses traceroute and other tools to map a network.
- Cheops et Co. are the reason that firewalls intercept pings.
Reconnaissance: Port Scans

Applications on a system use ports to listen for network traffic or send it out.
- 2^16 (65,536) ports available, some for known services such as http (80), ftp, ...
- Port scans send various types of IP packets to the target on different ports.
- The reaction tells the scanner whether the port is open (an application listens).

Reconnaissance: Nmap

Uses different types of packets to check for open ports.
- Can tell from the reaction what OS is running, including patch levels.
- Can run in stealth mode, in which it is not detected by many firewalls.

Reconnaissance: Webserver Information Leakage

Most webservers leak information:
- HTTP answers identify the webserver.
- URLs have forms peculiar to certain webservers:
  - Extensions:
    - ASP pages: probably IIS, e.g.
      “http://search.barnesandnoble.com/booksearch/results.asp?WRD=Oxford+history&z=y&cds2Pid=9481”
    - “htm”: probably Windows
  - Format of the query string
- Cookies
Reconnaissance: Webserver Information Leakage

Most webservers leak information:
- Error messages identify the webserver technology by name and version number.
  - Sometimes send debug information to the browser.
  - Can be provoked by changing query strings or asking for non-existing resources.
  - Sometimes it is possible to get a message from the database engine.
Reconnaissance Prevention

- Firewalls can make it very difficult to scan from the outside.
  - Drop scan packets.
- Patched OSs do not have the idiosyncratic behavior that allows OS determination.
- An IDS can detect internal scans and warn against them.

Gaining Access
- Gain access using application and OS attacks.
- Gain access using network attacks.

Gaining Access through Apps and OS

- Buffer Overflow Attacks
  - Stack
  - Heap
- Dynamic Memory Attacks
- Format Vulnerabilities
- Integer Overflow
- …
- Password Attacks
- Web Application Attacks

Trends:
- Modularized super-tools
- The Metasploit Project
  - multiple attacks
  - multiple payloads
  - easily updated
Gaining Access: Web Application Attacks

The URL not only contains the web address of a site, but also input:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF8&q=web+application+attack

A poorly written webpage allows the viewer to input data in an uncontrolled fashion. If the webpage builds SQL from that input, the viewer might execute SQL commands of their own.
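The flaw just described next to its fix, as an added example that is not part of the COEN 250 slides: a `search` query-string parameter (an assumed name) is pasted into SQL text in one version and bound as a parameter in the other, over a constructed in-memory table. It also shows the database engine's own error message that the vulnerable version hands back, the leakage the reconnaissance slides mention.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

def make_db():
    """Constructed in-memory catalogue standing in for the site's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE books (title TEXT, public INTEGER)")
    con.executemany("INSERT INTO books VALUES (?, ?)", [
        ("Oxford History", 1), ("Oxford Atlas", 1), ("Unreleased Draft", 0)])
    return con

def search_word(url):
    """Extract the assumed 'search' parameter from the URL's query string."""
    return parse_qs(urlsplit(url).query).get("search", [""])[0]

def search_vulnerable(con, url):
    """Pastes the user-controlled value into the SQL text, so the value can
    change the query's structure: the flaw the slide describes."""
    sql = ("SELECT title FROM books WHERE public = 1 "
           "AND title LIKE '%" + search_word(url) + "%'")
    return [row[0] for row in con.execute(sql)]

def search_safe(con, url):
    """Binds the value as a parameter: it is only ever data, never SQL."""
    sql = "SELECT title FROM books WHERE public = 1 AND title LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + search_word(url) + "%",))]

def db_error(con, url):
    """Message the vulnerable page would hand to the browser on a malformed
    query: the database engine's own error, the leakage the slides mention."""
    try:
        search_vulnerable(con, url)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

if __name__ == "__main__":
    db = make_db()
    normal = "http://shop.example/results.asp?search=Oxford"
    # Constructed input: a quote closes the string and '--' comments out the
    # rest, so the public = 1 filter no longer applies.
    crafted = "http://shop.example/results.asp?search=%25%27%20OR%201%3D1--"
    print(search_vulnerable(db, normal))    # public Oxford titles only
    print(search_vulnerable(db, crafted))   # every row, draft included
    print(search_safe(db, crafted))         # nothing matches the literal text
    print(db_error(db, "http://shop.example/results.asp?search=O%27Brien"))
```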
Gaining Access through Network Attacks: Sniffing

Sniffer: Gathers traffic from a LAN.
- Examples: Snort www.snort.org, Sniffit reptile.rug.ac.be/~coder/sniffit/sniffit.html
- To gain access to packets on a switched LAN, use spoofed ARP (Address Resolution Protocol) to reroute traffic.

Gaining Access: Session Hijacking

IP Address Spoofing: Send out IP packets with false source IP addresses.
- If an attacker sits on a link through which traffic between two sites flows, the attacker can inject spoofed packets to “hijack the session”.
- The attacker inserts commands into the connection.
- Details omitted.

Exploiting and Maintaining Access

After a successful intrusion, an attacker should:
- Use other tools to gain root or administrator privileges.
- Erase traces (e.g. change log entries).
- Take measures to maintain access.
- Erase security holes so that no-one else can gain illicit access and do something stupid to wake up the sys. ad.
Maintaining Access: Trojans

A program with an additional, evil payload.
- Running MS Word also reinstalls a backdoor.
- ps does not display the installed sniffer.
Maintaining Access: Backdoors

Bypass normal security measures.
Example: netcat
- Install netcat on the victim with the GAPING_SECURITY_HOLE option.
  C:\> nc -l -p 12345 -e cmd.exe
- In the future: connect to port 12345 and start typing commands.

Maintaining Access: Backdoors

BO2K (Back Orifice 2000) runs in stealth mode (you cannot discover it by looking at the processes tab in the TASK MANAGER).
- Otherwise, it is a remote control program like pcAnywhere that allows accessing a computer over the net.

Maintaining Access: Backdoors

RootKit:
A backdoor built as a Trojan of system executables such as ipconfig.

Kernel-Level RootKit:
Changes the OS, not only system executables.
Covering Tracks:
- Altering logs.
- Create difficult-to-find files and directories.
- Covert Channels through Networks:
  - Loki uses ICMP messages as the carrier.
  - Use WWW traffic.
  - Use unused fields in TCP/IP headers.
Hacker Damage

- Releasing Information
- Releasing Software
  - By circumventing copying protection.
  - Through IP theft
- Consuming Unused(?) Resources
- Discover and Document Vulnerabilities
- Compromise Systems and Increase their Vulnerabilities
- Website Vandalism
Hacking Profile
- Shift to for-profit motive
- Shift to underground economy
