Internet Hacking
Download
Report
Transcript Internet Hacking
Internet Hacking
Presentation prepared by:
Alex Epstein
Asif Hussain
Genci Seseri
Group 2
Internet Hacking
The Presentation talks about:
Hacking History and General
Information.
Various techniques that hackers use to
crack
the networks and websites and
measures vital
for survival against such
attacks.
Port Scanning using PortQry.exe
Hacking History
• 1878 – “practical jokers” at Bell
Telephone Co.
• Early 1960s – MIT geeks created
“hacks”, programming shortcuts to
speed up tasks
• 1969 – best hack. 2 Bell Labs employees
created UNIX, a open machine run
rules set.
• 1971 – using free whistle as a phone
tone
Hacking History (Cont.)
• 1984 – the great hacking war begins.
Legion Of Doom vs. Masters Of
Deception. The war especially
escalated in 1990-91.
• 1986 – Federal Computer Fraud And
Abuse Act is passed. Numerous arrests
follow.
• 2000 – “denial of service” attacks.
Selected Lingo
• Cracker: a malicious system security breaker.
• Hacker: a person enjoying exploring the
systems and stretching their capabilities;
programmer enthusiast; good fast
programmer; expert in a specific field
• KISS Principle: “Keep It Simple, Stupid”
• Trojan Horse: a malicious security breaking
program disguised as something benign
• Wetware: humans and our nervous system
compared to software and/or hardware
Hacker Psych 101
•
•
Robin Hood Syndrome – misconstruing
consequences of one’s own behavior as
beneficial for society
Hacker Categories:
1. Old School : hacking = honor. Interested in code,
but not with criminal intent; little concern for
privacy and property of information. Internet is
an open system.
2. Script Kiddies/ Cyber Punks: common
“hackers”. Arrested often, because brag online.
D/load code and hack it out of boredom. Avg.:
white male 12-30 years old with high school
education.
Hacker Psych 101(Cont.)
• Hacker Categories (cont.):
3. Professional criminals/Crackers: make living by
breaking into system. May be hired for espionage
or linked to criminal groups. Crack because of
inferiority. Cracking a site gives them power.
Refuge in computers to avoid real world relations.
4. Coders and Virus Writers: the least studied; see
themselves as “elite”. Own test networks
(“Zoos”). Vast, programming skills, but, not use
code. Let others introduce it into the Internet
(“The Wild”).
Hacker Attitude
• The world is full of fascinating
unsolved problems
• No problem should have to be solved
twice
• Boredom and drudgery are evil
• Freedom is good
• Attitude is no substitute for competence
Hacking Skills
• Programming skills
• Running open source UNIX code
• Using WWW and writing HTML
• Functional English skills
Hackers’ Respect
• To be respected by hackers you can…:
–
–
–
–
–
–
Write open source software
Help test and/or debug open source software
Publish useful information
Maintain the working infrastructure
Serve the hacker culture
Do off-computer work:
• Learn to write in native language
• Read science fiction
• Study Zen and/or take on martial arts
• Analyze music
• Appreciate puns and wordplay
Hackers’ Disrespect
• As a hacker, you should not:
– Use silly grandiose user ID or screen name
– Get in flame wars on Usenet or anywhere
else
– Call yourself cyberpunk or waste your
time on such people
– Write e-mails or other posting full of
misspellings or bad grammar
Hackers Hall Of Fame
• Richard Stallman: A hacker of the old school, he got a
job at MIT's Artificial Intelligence Lab off the street in
1971
• Dennis Ritchie and Ken Thompson:
The founders of Bell Labs‘ legendary CS operating
group, which created UNIX.
• John Draper: Figured out the whistle tone “trick”
• Kevin Mitnick: The first hacker to have his face
immortalized on an FBI "Most Wanted" poster
• Vladimir Levin: Allegedly masterminded the Russian
hacker gang that tricked Citibank's computers into
spitting out $10 million.
• Linus Torvalds: Was a CS student at University of
Helsinki when he wrote Linux in 1991
CRACKER EXPLOITS AND
BATTLE PLANS
This part of the Presentation talks about:
Various techniques that hackers use to
crack
the networks and websites.
Measures vital for survival against such
attacks.
IP Spoofing
• IP spoofing is when an attacker captures the
routing packets to redirect a file or transmission to
a different destination.
• The technique is also effective in disguising an
attacker's identity.
• Protocols that deal with inter-computer
communication are most susceptible to
spoofing,e.g., ICMP, IGMP and UDP.
• Solution is securing transmission packets and
establishing screening policies, point to point
encryption, configuring network to reject packets
that claim to originate from a local address.
FTP Attacks
One of the most common FTP attacks is a buffer
overflow caused by a malformed command.
A successful attack could either drop the attacker in
a command shell or cause a denial of service.
Failure to apply the frequently released system
upgrades and patches is the most common cause of
FTP vulnerabilities.
FTP exploits are also useful in password guessing ,
FTP bounce attacks, and mining information (such
as the machine's registry).
Unix Finger Exploits
The Unix OS finger utility was used as an efficient
way to share user information in the early days of
the Internet.
To an attacker, the Finger utility can yield valuable
information, including user names, logons and
contact information.
It also provides a pretty good indication of users'
activities like how many times they are logged on.
The personal information it reveals can provide an
attacker with enough of a framework to trick
legitimate users into revealing passwords and
access codes.
Flooding and Broadcasting
An attacker can significantly reduce the processing
capacity of a network by sending more information
requests than it can handle-a classic denial of
service.
Sending a large amount of requests to a single port
is Flooding. When the requests are sent to all
network stations, it's called broadcasting.
Attackers will often use flood attacks to gain access
to a system for use against other networks in
distributed denial-of-service (DDoS) campaigns.
DDoS attacks are harder to stop because they come
from multiple IP addresses simultaneously. The
only solution is to trace the packets back to their
source and shutdown the transmitting networks.
Fragmented Packet Attacks
Internet messages transmitted via TCP/IP can be
divided into packets in such a way that only the
first packet contains the TCP segment header
information.
Some firewalls will allow the processing of
subsequent packets that do not contain the same
source address information as the first packet,
which can cause any type of system to crash.
Fragmented packets can also create a flood-like
situation because they are stored in the Kernel. The
server will crash if the kernel memory absorbs too
many fragmented packets.
Solution : Firewall Filters
Email Exploits
E-mail exploits come in five forms: mail floods,
command manipulations, transport-level attacks,
malicious code insertion and social engineering.
Mail-flood attacks occur when so much mail is sent
to a target that communication programs destabilize
and crash the system.
Command-manipulation attacks can cause a system
to crash by subverting the mail transfer agent with a
buffer overflow caused by entering a malformed
command.
Email Exploits (Contd…)
Transport-level attacks exploit the SMTP. An
attacker can cause a temporary error condition in
the target system by overloading an SMTP buffer
with more data than it can handle.
Malicious content is often propagated through email systems. Some viruses and worms will be
carried into a system appearing as a legitimate
attachment
Social engineering e-mails are an attacker's attempt
to trick a legitimate user into revealing sensitive
information or executing a task. E.g., posing as a
network administrator to get your password for
Password Attacks
The most common password attacks are guessing,
brute force, cracking and sniffing.
Password guessing involves entering common
passwords either manually or through programmed
scripts.
Brute-force logon attacks follow the same basic logic
as password guessing, but are faster and more
powerful.
Password cracking is a method for defeating the
protection of encrypted passwords stored in a
system's admin files.
Because an attacker needs a significant level of
access to launch this kind of attack, the best defense
Selective Program Insertions
A selective program insertion is when an attacker
places a destructive program—a virus, worm or
Trojan horse--on a target system.
Some network administrators are augmenting their
malware defenses with alternative technologies
such as behavior blockers, which stop suspicious
code based on behavior patterns, not signatures.
A time bomb, sometimes called a logic bomb, is an
inserted program that executes its malicious
payload on a predetermined time or date.
Port Scanning and Polling
Through port scanning and polling, an attacker can
observe the functions and defenses of various
system ports.
For example, scanning could be used to determine
whether default SNMP community strings are open
to the public, meaning information can be extracted
for use in a remote command attack.
TCP/IP Sequence Stealing & Packet
Interception
TCP/IP sequence stealing is the capturing of
sequence numbers, which can be used to
make an attacker's packets appear legitimate.
A successful TCP/IP attack could allow an
attacker to intercept transactions between
two organizations, providing an opportunity
for a man-in-the-middle attack.
In some versions of Secured Shell Service
Daemon (SSHD), only the public key is used
for authentication. If an attacker learns the
public key, he could create and insert forged
packets.
Observations and Suggestions
Various firms
Install firewall, but never upgrade them.
Do massive Website improvements without
making parallel security improvements.
The best way to safeguard a website from
attack is to approach security as the ongoing
challenge rather than a one time effort.
Port Scanning Using PortQry
• What is port scanning?
• Using PortQry
(the Portqry.exe command-line utility)
What Is Port Scanning?
• Network
applications use
TCP/UDP ports
• Clients connect to
applications using
ports
• Port scanning is the
process of checking
whether a port is
open
TCP
389
UDP
135
Transport
ICMP
IP
Internet
Ethernet
Network
TCP and UDP in
TCP/IP protocol architecture
Port Numbers
• The Well Known Ports are those from 0
through 1023.
• The Registered Ports are those from 1024
through 49151.
• The Dynamic and/or Private Ports are those
from 49152 through 65535.
http://www.iana.org/assignments/port-numbers
ftp://ftp.isi.edu/in-notes/rfc1700.txt
Well-know TCP / UDP ports
TCP Port Number
Description
20
FTP (Data Channel)
21
FTP (Control Channel)
23
Telnet
80
HyperText Transfer Protocol (HTTP)
used for the World Wide Web
139
NetBIOS session service
UDP Port Number
Description
53
Domain Name System (DNS) Name
Queries
69
Trivial File Transfer Protocol (TFTP)
137
NetBIOS name service
138
NetBIOS datagram service
161
Simple Network Management Protocol
(SNMP)
Port Scanning for TCP
• TCP ports use
"three-way
handshake"
• Successful
handshake means
port is listening
• TCP Reset packet
means port is not
listening
• No response means
port is filtered
TCP
389
Transport
ICMP
IP
Internet
Ethernet
Network
Port Scanning for UDP
• UDP ports do not use
"three-way handshake"
• Send UDP packet to
port and wait for
response
• Most applications will
not respond to zerolength packets
• Formatted packet is
necessary to get a
response
• Most port scanners do
not scan UDP ports
UDP
135
Transport
ICMP
IP
Internet
Ethernet
Network
What Is Port Scanning used for?
Use port scanning
to:
• Test connectivity
• Test security
query ports
Port Scanner App
Firewall
TCP 25: SMTP
TCP 80: WWW
UDP 135: RPC EPM
UDP 389: LDAP
Server
Using PortQry
• PortQry is designed as an
application layer port scanner
• It checks whether TCP and UDP
ports are open, closed, or filtered
• It determines if UDP ports are open
using packets formatted for well
known services
Portqry is available for download on the Microsoft Web site at:
http://download.microsoft.com/download/win2000adserv/Utility/1.0
/NT5/EN-US/portqry.exe
PortQry Supports:
•
•
•
•
•
•
•
•
LDAP
RPC
DNS
SMTP
POP3
IMAP4
FTP
NetBIOS Name Service
LDAP
RPC
EPM
TCP
389
UDP
135
Application
Session
Transport
ICMP
IP
Internet
Ethernet
Network
Status of a TCP/IP port
• Listening
– A process is listening on the port on the computer you choose.
Portqry.exe received a response from the port.
• Not Listening
– No process is listening on the target port on the target system.
Portqry.exe received an Internet Control Message Protocol (ICMP)
"Destination Unreachable - Port Unreachable" message back from
the target UDP port. Or if the target port is a TCP port, Portqry
received a TCP acknowledgement packet with the Reset flag set.
• Filtered
– The port on the computer you chose is being filtered.
Portqry.exe did not receive a response from the port. A
process may or may not be listening on the port. By default,
TCP ports are queried three times and UDP ports are
queried once before a report indicates that the port is
filtered.
PortQry Usage
portqry -n server [-p protocol] [-e || -r || -o endpoint(s)] [-l logfile] [s] [-q]
Where:
-n [server] IP address or name of server to query
-p [protocol] TCP or UDP or BOTH (default is TCP)
-e [endpoint] single port to query (valid range: 1-65535)
-r [end point range] range of ports to query (start:end)
-o [end point order] range of ports to query in an order (x,y,z)
-l [logfile] name of log file to create
-s 'slow link delay' waits longer for UDP replies from remote systems
-q 'quiet' operation runs with no output
returns 0 if port is listening
returns 1 if port is not listening
returns 2 if port is listening or filtered
portqry -n myserver -p UDP -e 389
Returns LDAP base query information
UDP port 389 (unknown service): LISTENING or FILTERED
Sending LDAP query to UDP port 389...
LDAP query response:
currentdate: 09/03/2001 05:42:40 (unadjusted GMT)
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=eu,DC=reskit,DC=com
dsServiceName: CN=NTDS Settings,CN=RED-DC-11,CN=Servers,CN=NA-WARED,CN=Sites,CN=Configuration,DC=eu,DC=reskit,DC=com
namingContexts: DC=redmond,DC=eu,DC=reskit,DC=com
defaultNamingContext: DC=redmond,DC=eu,DC=reskit,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=eu,DC=reskit,DC=com
configurationNamingContext: CN=Configuration,DC=eu,DC=reskit,DC=com
rootDomainNamingContext: DC=eu,DC=reskit,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 4259431
supportedSASLMechanisms: GSSAPI
dnsHostName: myserver.eu.reskit.com
ldapServiceName: eu.reskit.com:[email protected]
serverName:
CN=MYSERVER,CN=Servers,CN=Sites,CN=Configuration,DC=eu,DC=reskit,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
======== End of LDAP query response ========
UDP port 389 is LISTENING
portqry -n myserver -p UDP -e 135
Dumps RPC EndPoint Mapper database
UDP port 135 (epmap service): LISTENING or FILTERED
Querying Endpoint Mapper Database...
Server's response:
UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076
ncacn_ip_tcp:169.254.12.191[4144]
UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_np:\\\\MYSERVER[\\PIPE\\lsass]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:169.254.12.191[1030]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncadg_ip_udp:169.254.12.191[1032]
UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_np:\\\\MYSERVER[\\PIPE\\lsass]
UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_np:\\\\MYSERVER[\\PIPE\\POLICYAGENT]
Total endpoints found: 6
==== End of RPC Endpoint Mapper query response ====
UDP port 135 is LISTENING
portqry -n myserver -p UDP -e 53
• Verifies DNS query and response
operation
UDP port 53 (domain service): LISTENING or
FILTERED
Sending DNS query to UDP port 53...
UDP port 53 (domain service): LISTENING
portqry -n MyMailServer -p TCP -e 25
• Returns SMTP, POP3, IMAP4 status
messages
TCP port 25 (SMTP service): LISTENING
Data returned from the port:
220 MyMailServer.eu.reskit.com Microsoft ESMTP MAIL
Service, Version: 5.0.2195.2966 ready at Sun, 2 Sep 2001
23:24:30 -0700
portqry -n MyFtpServer -p TCP -e 21
• Returns FTP status message and tests
for anonymous account access
220 MyFtpServer Microsoft FTP Service (Version 5.0).
331 Anonymous access allowed, send identity (email name) as password.
portqry -n myserver -p UDP -e 137
• Verifies NetBIOS Name Service
functionality and returns MAC address
UDP port 137 (netbios-ns service): LISTENING or FILTERED
Attempting NETBIOS adapter status query to UDP port 137...
Server's response: MAC address 00c04f7946f0
UDP port: LISTENING
Query behavior configurable
using local service file
• Located in
%systemroot%/system32/drivers/etc/servic
e
• Resolves service name using this file
• Decides what type of query to send to
port using this file
References
• http://www.tlc.discovery.com/convergence/hacker
s/hackers.html
• http://www.tuxedo.org/~esr/faqs/hackerhowto.html
• http://www.iss.net/security_center/advice/Underg
round/Hacking/Methods/Technical/
• http://www.infosecuritymag.com/articles/march01
/features4_battle_plans.shtml
• http://www.nmrc.org/faqs/www/wsec09.html
• http://www.microsoft.com/. Tim Rains • Technical Lead •
Networking Team
• Q310099, "Description of the Portqry.exe CommandLine Utility"