Security+ All-In-One Edition Chapter 1


Security+
All-In-One Edition
Chapter 13 – Specific Attacks
Brian E. Brzezicki
Attacks
Attacks Overview (391)
There are generally two reasons someone is attacked
• You are specifically targeted
– Company with money
– Company with secrets
– Revenge
– “hacktivist”
– Hard to stop..
• You are a target of opportunity
– Low hanging fruit
– Script Kiddies
– Most common, make yourself less easy
(more)
Steps in an Attack (392)
Any good hacker will take a few common steps to
attack a site; these can generally be ordered
1-4
1. Reconnaissance – learn about the company in
general
2. Scanning – scan the network and learn about the
network
– Ping sweeps
– Port scans
– Banner grabs
– OS fingerprinting (see later slide)
(more)
Steps in an attack (392)
3. Research Vulnerabilities – now that we
know what software is running, and hopefully
the version, figure out what attacks it
might be vulnerable to
– Nessus is a good tool
– Security mailing lists (Bugtraq) and sites
4. Performing the attack
Minimizing Attacks (394)
Often you are going to be attacked by “script-kiddies”;
the easiest way to protect against them is simply to
make their job hard and they’ll move on somewhere
else.
• Make sure OS and Apps are up to date with patches
• Turn off and remove unnecessary services and
software
• Run a host based firewall
• Don’t display information in service banners
• Don’t provide any information about your
network/systems publicly
Terms (398)
Trapdoor – a method usually put into an OS or
application that allows the software
developers to bypass security controls for the
purpose of debugging or troubleshooting.
Backdoor – A program installed into a
compromised computer to allow hackers to
access the machine
• Example: Back Orifice, NetBus
(more)
Terms (413)
Root kit – a program installed on a
compromised system to hide a hacker's tracks
and help them maintain continued access
to a machine
DoS
DoS (394)
What is a DoS?
Which of the CIA triad does it attempt to affect?
How does it work?
• Buffer overflows
• Protocol violations
• Brute Force
(more)
DoS Attacks
Some famous DoS attacks
• Ping of Death
– Oversized Ping Packet
– Counter Measures – Patch OS
• Tear Drop
– Specially crafted overlapping IP Fragments (next)
• SYN Flood (later)
• Smurf (2 slides away)
Tear Drop (n/b)
Smurf Attack (n/b)
Smurf Attack
How would a smurf attack be used against someone?
1. Find site to attack, say www.ebay.com
2. Forge Ping packet from www.ebay.com to a
BROADCAST network address
3. Watch as the computers on the network all
start pinging back www.ebay.com
Countermeasures
• Drop forged packets at routers
• Drop directed broadcasts
Smurf Attack
SYN Flood (395)
Attack
– Forge IP SYN packet from downed system
– Server responds to fake downed address, which never responds
– Use up all the “listen queue” slots
– Stops real new connections from establishing
Countermeasures
• Stop forged packets at ingress/egress routers
• Patch OS
• Decrease 3-way handshake timeout values
• Increase 3-way handshake max connections
• Use a firewall as a middleman
• \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\SynAttackProtect = 1
AND
• \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\TcpMaxConnectResponseRetransmissions >= 2
SYN Flood (395)
• use regedt32
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\SynAttackProtect = 1
AND
• \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\TcpMaxConnectResponseRetransmissions >= 2
By the way the info is at
http://technet.microsoft.com/en-us/library/cc938202.aspx
SYN Flood Example
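A small listen-queue model of the attack above, added here as an example (not from the slides): spoofed SYNs from a source that never completes the handshake hold backlog slots until they time out, and the two tuning knobs from the countermeasure list (handshake timeout, max half-open connections) are the model's two parameters. Addresses are constructed.

```python
"""Listen-queue model of a SYN flood (added example, not from the slides).

A half-open connection (SYN in, SYN-ACK out, final ACK missing) holds one
backlog slot until the handshake completes or the SYN-ACK retransmissions
time out; spoofed SYNs from an address that never answers hold theirs for
the full timeout, which is the whole attack.
"""


class ListenQueue:
    def __init__(self, max_slots: int, timeout: float):
        self.max_slots = max_slots   # backlog size (the "max connections" knob)
        self.timeout = timeout       # seconds a half-open entry survives (the "timeout" knob)
        self.pending = {}            # (src_ip, src_port) -> expiry time

    def expire(self, now: float) -> None:
        """Drop half-open entries whose SYN-ACK retransmissions have timed out."""
        self.pending = {k: t for k, t in self.pending.items() if t > now}

    def on_syn(self, src, now: float) -> bool:
        """True if the SYN got a slot; False if the queue was full (no SYN-ACK is sent)."""
        self.expire(now)
        if len(self.pending) >= self.max_slots:
            return False
        self.pending[src] = now + self.timeout
        return True

    def on_ack(self, src, now: float) -> bool:
        """Third step of the handshake: the entry leaves the queue and becomes established."""
        self.expire(now)
        return self.pending.pop(src, None) is not None


def simulate(max_slots: int, timeout: float, forged_rate: int, duration: int) -> int:
    """Count legitimate clients (one per second, each ACKing at once) that fail to
    connect while `forged_rate` spoofed SYNs arrive every second. Addresses are
    constructed documentation ranges."""
    q = ListenQueue(max_slots, timeout)
    failed = 0
    for second in range(duration):
        for i in range(forged_rate):   # spoofed source ("downed system") never sends the ACK
            q.on_syn(("203.0.113.9", 40000 + second * forged_rate + i), second)
        legit = ("198.51.100.7", 50000 + second)
        if q.on_syn(legit, second):
            q.on_ack(legit, second)
        else:
            failed += 1
    return failed
```

With a backlog of 128 and a 60 s timeout, simulate(128, 60, 10, 60) refuses 48 of 60 legitimate clients; simulate(128, 3, 10, 60) and simulate(1024, 60, 10, 60) refuse none, which is the shorter-timeout and bigger-backlog countermeasures from the slide in numbers.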
DDoS (397)
Distributed Denial of Service – a brute force method
that generally uses “zombies” and “botnets” to
simply overwhelm a server.
May consist of a hierarchy of Attacker, Masters and
Slaves (see image 2 slides)
It’s like Bruce Lee.. He might be able to defeat 10
people at a time… but it’s only a matter of numbers
before even he is overwhelmed… could he defeat
10,000 attackers at once?
(more)
DDoS
How are zombies and botnets usually
created?
DDoS
Null Session (398)
In early versions of Windows, unauthenticated users
could “browse” the network to see what resources
existed on the network. This browsing made use of
“Null Sessions”, which were open “guest accounts”.
Hackers can use Null Sessions and browsing to learn
about the network, so Null sessions should be
disabled.
To fight NULL sessions on Windows
HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous = 1
see http://support.microsoft.com/?kbid=246261
Sniffing
Sniffing (399)
Many Network Communications are sent in “clear text”.
Someone gaining access to the physical network that they
travel on can conduct a sniffing attack. (do example)
Problems
• Sniff passwords
• See confidential information
Counter measures
• Use encrypted applications (SSL)
• Use encrypted network communications (VPNs)
• Use Switches to battle sniffing
• Restrict physical access to networks
• Use 802.1x to require authorization before allowing
network use
Spoofing
Spoofing (401)
Making data look like it came from somewhere
that it didn’t (forging)
Spoofing Countermeasure
• Have Internet/perimeter routers drop
incoming packets claiming to be from your
internal network.
• Have Internet/perimeter routers drop outgoing
packets claiming to be from the Internet
(spoofed from an inside node)
ARP spoofing or poisoning (n/b)
• ARP poisoning is an attack against a
network where one computer sends fake ARP
replies in an attempt to trick another
computer on the same network into
communicating with it instead of the real
machine. This can be used as a man in the
middle attack, or a straight “hijacking” attack
• Arpwatch and Xarp are tools to monitor ARP
traffic and help detect ARP poisoning.
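What an arpwatch-style monitor actually does, as an added example (this is not the arpwatch or Xarp code): it keeps an IP-to-MAC table, reports when a binding changes, and treats a binding that alternates between two MACs (a "flip flop") as the signature of the poisoning just described, since the real host and the impostor keep overwriting each other's claim. The ARP replies below are constructed.

```python
"""Arpwatch-style ARP monitor (added example; not the arpwatch or Xarp code).

Feeds constructed ARP replies through a table of IP -> MAC bindings and
reports changes. A binding that alternates between two MACs (a "flip flop"
in arpwatch's wording) is the classic sign of a poisoning attempt.
"""
from collections import defaultdict

# Constructed ARP reply records: (time, sender_ip, sender_mac)
ARP_REPLIES = [
    (0, "192.168.1.1", "00:11:22:33:44:55"),   # real gateway
    (1, "192.168.1.1", "00:11:22:33:44:55"),
    (2, "192.168.1.1", "de:ad:be:ef:00:01"),   # another station answers for the gateway
    (3, "192.168.1.1", "00:11:22:33:44:55"),   # real gateway reasserts itself
    (4, "192.168.1.1", "de:ad:be:ef:00:01"),
    (5, "192.168.1.20", "aa:bb:cc:dd:ee:20"),  # ordinary host, never changes
]


def monitor(replies):
    """Return (alerts, history): alerts as (time, ip, kind, mac); history maps ip -> MACs seen."""
    table = {}                    # ip -> MAC currently believed
    history = defaultdict(set)    # ip -> every MAC ever claimed for it
    alerts = []
    for t, ip, mac in replies:
        old = table.get(ip)
        seen_before = mac in history[ip]
        history[ip].add(mac)
        if old is None:
            alerts.append((t, ip, "new station", mac))
        elif old != mac:
            kind = "flip flop" if seen_before else "changed ethernet address"
            alerts.append((t, ip, kind, mac))
        table[ip] = mac
    return alerts, history


def suspicious(alerts, min_flips: int = 2) -> set:
    """IPs whose binding flip-flopped at least `min_flips` times: investigate these first."""
    flips = defaultdict(int)
    for _, ip, kind, _ in alerts:
        if kind == "flip flop":
            flips[ip] += 1
    return {ip for ip, n in flips.items() if n >= min_flips}
```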
Spoofing Email
SMTP (email) has no authentication built into
the protocol… therefore spoofing is trivial
Do a quick example
IP Address Spoofing (401)
IP also has no built-in authentication (IPsec
does, but normal IP does not), so forging IP
packets is trivial. Some systems use IP
addresses as “access controls”, so you can
bypass firewalls and access controls by
spoofing packets (especially UDP).
Countermeasures
• Set routers to drop forged packets? (how?)
• Use IP Sec
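One answer to the “(how?)” above, and to the perimeter-router countermeasures on the earlier Spoofing slide, as an added example (not from the slides): the ingress/egress filtering decision a border router makes. It assumes a constructed internal prefix of 10.0.0.0/8 and two interfaces, 'outside' for packets arriving from the Internet and 'inside' for packets leaving.

```python
"""Ingress/egress anti-spoofing filter (added example; one way a border router
can "drop forged packets", which the slides ask about but do not spell out).

Assumed: the internal network is 10.0.0.0/8 (constructed); a packet is seen
either arriving on the 'outside' interface or leaving via the 'inside' one.
"""
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed example prefix
# Sources that must never appear on either side of the border.
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


def filter_packet(interface: str, src: str) -> str:
    """Return 'permit' or 'drop: <reason>' for a packet with source `src` seen on
    `interface` ('outside' = coming from the Internet, 'inside' = leaving our network)."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in BOGONS):
        return "drop: bogon source"
    if interface == "outside" and ip in INTERNAL:
        # Ingress rule: nothing from the Internet may claim one of our addresses,
        # so address-based access controls cannot be bypassed from outside.
        return "drop: inbound packet claims internal source"
    if interface == "inside" and ip not in INTERNAL:
        # Egress rule: our hosts may only send with our addresses, so a compromised
        # inside node cannot forge (e.g. smurf or SYN-flood) sources toward others.
        return "drop: outbound packet claims external source"
    return "permit"


def audit(packets) -> Counter:
    """Tally filter decisions over (interface, src) pairs, e.g. from a constructed capture."""
    return Counter(filter_packet(iface, src) for iface, src in packets)


# Constructed sample: what a border router might see in a few seconds.
SAMPLE = [("outside", "203.0.113.5"), ("outside", "10.1.2.3"), ("inside", "10.1.2.3"),
          ("inside", "198.51.100.9"), ("outside", "127.0.0.1")]
```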
Man in the Middle Attack (403)
DNS poisoning (n/b)
Faking DNS responses in order to trick a
computer into going to your site rather than the
real site.
Example. If I can “poison” your DNS cache and
redirect www.bankofamerica.com to my IP
address, I could put up a fake site and steal
your banking information! (or setup a MiM
attack)
Replay Attack (404)
Replay Attack – Attacker captures a portion of
communications between two parties and
retransmits at a later time.
Example: an attacker might replay a series of
commands in a financial transaction to cause the
transaction to be replayed multiple times.
Countermeasures
• Encryption
• Authentication
• Session lifetimes
• Unique transaction keys
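The four countermeasures above combined into one receiver check, as an added example (not from the slides): an HMAC gives authentication, a random nonce is the unique transaction key, and a timestamp window is the session lifetime. The shared key and the transaction text are constructed.

```python
"""Replay protection for a transaction message (added example, not from the
slides). It combines three of the listed countermeasures: authentication
(an HMAC over the message), a unique transaction key (a random nonce the
receiver remembers) and a session lifetime (a timestamp window, which also
keeps the nonce store bounded).
"""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key"   # in practice derived during session setup
WINDOW = 30                             # seconds a message stays acceptable


def sign(payload: str, nonce: str, ts: int) -> str:
    """HMAC over timestamp, nonce and payload together, so none can be swapped."""
    return hmac.new(SHARED_KEY, f"{ts}|{nonce}|{payload}".encode(), hashlib.sha256).hexdigest()


def make_message(payload: str, now: int) -> dict:
    """Sender side: fresh nonce per transaction, signed with the current time."""
    nonce = secrets.token_hex(8)
    return {"ts": now, "nonce": nonce, "payload": payload, "mac": sign(payload, nonce, now)}


class Receiver:
    def __init__(self):
        self.seen = {}   # nonce -> ts of accepted messages, pruned outside the window

    def accept(self, m: dict, now: int) -> str:
        # 1. Authentication: any edit to ts, nonce or payload fails here.
        if not hmac.compare_digest(m["mac"], sign(m["payload"], m["nonce"], m["ts"])):
            return "reject: bad MAC"
        # 2. Session lifetime: an old capture is useless even if the nonce store was lost.
        if abs(now - m["ts"]) > WINDOW:
            return "reject: expired"
        # 3. Unique transaction key: a verbatim retransmission inside the window is caught here.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW}
        if m["nonce"] in self.seen:
            return "reject: replay"
        self.seen[m["nonce"]] = m["ts"]
        return "accept"
```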
TCP/IP Hijacking
TCP/IP or Session Hijacking – taking over an
existing session between a client and a server.
You then actually “steal” the connection and you
have bypassed any authentication mechanisms.
“hunt” on linux can be used for TCP Hijacking*
Counter Measures
• Secure networks physically
• Use IP Sec
Covert Channels (n/b)
Covert Channels are a way for people to
communicate in ways the system never
expected (as such nothing is monitoring or
protecting/restricting these communications)
Covert Channels are usually used to secretly
pass secret information from people of a
high clearance to a low clearance. However
they can also be used by hackers to secretly
communicate through network protection.
One Example is LOKI
LOKI (n/b)
Pings easily go through the firewalls
undetected!
MAC flooding (n/b)
MAC Flooding – Putting out tons of packets with
different MAC addresses in an attempt to
overfill the switch's MAC tables. If this
happens a switch might simply drop into “hub
mode” and start simply sending traffic down
each port.
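The “hub mode” failure described above, modelled in a few lines as an added example (not from the slides): a switch that learns source MACs into a fixed-size table and floods frames for any MAC it does not know. Port numbers, MAC addresses and the table size are constructed.

```python
"""Switch CAM-table model showing the MAC-flooding failure mode (added example,
not from the slides).

A switch learns source MAC -> port and sends frames for a known MAC out one
port only; frames for an unknown MAC are flooded to every other port. Once the
table is full of bogus entries, real stations cannot be learned any more, so
their traffic is flooded too ("hub mode") and an attacker's port receives it.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports: int, table_size: int):
        self.ports = ports
        self.table_size = table_size
        self.cam = {}    # mac -> port

    def age_out(self) -> None:
        """Aging timer fired: forget learned entries (real switches do this per entry)."""
        self.cam.clear()

    def forward(self, in_port: int, src: str, dst: str) -> list:
        """Return the list of ports the frame is sent out of."""
        if src not in self.cam and len(self.cam) < self.table_size:
            self.cam[src] = in_port        # learn; silently skipped when the table is full
        if dst in self.cam:
            return [self.cam[dst]]         # known destination: one port
        return [p for p in range(self.ports) if p != in_port]   # unknown/broadcast: flood


def demo(table_size: int = 8) -> tuple:
    """Host A (port 0) talks to host B (port 1) before and after an attacker on
    port 2 fills the table with constructed bogus source MACs."""
    a, b = "aa:00:00:00:00:01", "aa:00:00:00:00:02"
    sw = Switch(ports=4, table_size=table_size)
    sw.forward(0, a, BROADCAST)            # A and B announce themselves
    sw.forward(1, b, BROADCAST)
    before = sw.forward(0, a, b)           # -> [1]: only B's port
    sw.age_out()                           # entries expire; attacker wins the race to refill
    for i in range(table_size * 2):
        sw.forward(2, f"de:ad:00:00:{i // 256:02x}:{i % 256:02x}", BROADCAST)
    sw.forward(1, b, BROADCAST)            # B speaks again but can no longer be learned
    after = sw.forward(0, a, b)            # -> [1, 2, 3]: flooded, port 2 sees A's traffic
    return before, after, len(sw.cam)
```

Port security (limiting learned MACs per port) is the usual fix on real switches: in this model it would be a per-port cap in forward() that refuses the attacker's bogus sources before the table fills.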
Password Attacks
Password Guessing (407)
This is pretty obvious; unfortunately people still use
pretty easy to guess passwords (e.g. their
username or their kids' names or birthdates)
Countermeasures:
• Have a strong password policy
• Use Multi-factor authentication
• Implement account lock out times
• Implement login delays
• Protect password file
Dictionary Attacks (408)
An attacker tries to go through common
dictionary words and variations on words.
Countermeasures:
• Have a strong password policy
• Use Multi-factor authentication
• Implement account lock out times
• Implement login delays
• Protect password file
Brute Force Attacks (408)
Attacker tries every possible password
Example – if a password can be 4 characters of 0-9
Start with 0000, then 0001, then 0002 etc.. All the way
to 9999
Countermeasures:
• Have a strong password policy
• Use Multi-factor authentication
• Implement account lock out times
• Implement login delays
• Protect password file
Hybrid Attack
Use any combination of the previous
password attacks
Birthday Attacks (409)
An attack against hashes, based on the
“Birthday paradox” which states that in a
group of 23 people or more the chance of two
individuals having the same birthday is
greater than 50%.
Birthday attacks work as passwords are
actually often stored as hash digests of the
password
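The arithmetic behind the “23 people” figure, as an added example (not from the slides), carried one step further than the slide: the same formula with d = 2**bits instead of 365 days shows why a hash with b output bits needs only about 2**(b/2) inputs before a collision is expected, which is what makes a birthday attack cheaper than brute force.

```python
"""Birthday-paradox arithmetic behind the birthday attack (added example, not
from the slides). The exact chance that at least two of n draws from d equally
likely values collide, and the smallest n that pushes it past a target; with
d = 365 this reproduces the 23-people figure, with d = 2**bits it shows why a
hash with b output bits needs only about 2**(b/2) inputs to expect a collision,
not 2**b.
"""
from math import ceil, exp, log, sqrt


def collision_probability(n: int, d: int) -> float:
    """P(at least one collision among n draws from d values), computed in log space
    as 1 - prod_{i=0}^{n-1} (d - i) / d to avoid underflow for large d."""
    if n > d:
        return 1.0        # pigeonhole: more draws than values
    log_no_collision = sum(log(d - i) - log(d) for i in range(n))
    return 1.0 - exp(log_no_collision)


def draws_needed(d: int, target: float = 0.5) -> int:
    """Smallest n with collision_probability(n, d) >= target (linear scan; fine for small d)."""
    n = 1
    while collision_probability(n, d) < target:
        n += 1
    return n


def draws_needed_approx(bits: int, target: float = 0.5) -> int:
    """Closed-form estimate n ~ sqrt(2 d ln(1 / (1 - target))) with d = 2**bits,
    usable where the exact scan is hopeless (e.g. 128-bit digests)."""
    d = 2 ** bits
    return ceil(sqrt(2 * d * log(1 / (1 - target))))
```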
Rainbow tables
Rainbow tables
In many operating systems the passwords
stored are actually simply hash digests of the
password rather than the actual password.
Rainbow Tables are pre-computed hash values
for passwords that can be used to help crack
passwords.
Countermeasures
• Use password “salts”
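Why the salt countermeasure works, as an added example (not from the slides): a precomputed hash-to-password dictionary stands in for a rainbow table (a real one stores the same precomputation more compactly with hash chains, but the lookup it enables is the same). The password list and salt handling are constructed for the demo.

```python
"""Why salts defeat precomputed hash tables (added example, not from the slides).
A plain dict of hash -> password stands in for a rainbow table, which stores the
same kind of precomputation more compactly via hash chains; the point is the same.
"""
import hashlib
import os
from typing import Optional

COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Summer2024"]   # constructed

# "Rainbow table": computed once, reusable against every unsalted password store.
TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def store_unsalted(password: str) -> str:
    """What the slide describes: the OS stores only the digest of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Digest over a random per-user salt plus the password; the salt is kept in the
    clear beside the digest (it is not a secret, it only makes the digest unique)."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Login check: recompute with the stored salt and compare."""
    salt_hex, digest = stored.split("$")
    return hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest() == digest


def lookup(stored: str) -> Optional[str]:
    """The cracker's table lookup. Instant for an unsalted digest; for a salted one the
    attacker would need a fresh table per salt value (2**128 of them for a 16-byte salt)."""
    return TABLE.get(stored.split("$")[-1])
```

A plain SHA-256 is used here only to keep the salt effect visible; a real password store should use a deliberately slow, salted KDF such as bcrypt, scrypt or Argon2.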
Software Exploits
Buffer Overflow (409)
One of the most common types of attacks, a
buffer overflow takes advantage of poor input
validation in software. Most servers take input
from a client. A buffer overflow tries to send
MORE data than is expected in order to
overwrite memory and either
• Crash the system
• Actually inject commands for the remote
server to run
(more)
Buffer Overflow (409)
Counter measures –
• Patch your software!
• Secure programming techniques and input
validation (for places that write software,
you generally cannot fix the problem as an
administrator)
Buffer Overflow
Chapter 13 - Review
Q. A SYN Flood is what type of attack?
Q. Name one way to protect against sniffing
attacks
Q. What is the best protection against Buffer
Overflows?
Q. What are the steps in a 3-way handshake?
Chapter 13 - Review
Q. What is a smurf attack?
Q. What is MAC flooding?
Q. What is LOKI, What is Loki creating? (hint…
a C_ _ _ _ _ C _ _ _ _ _ _)