EE579S Computer Security - Electrical & Computer Engineering


EE579T
Network Security
9: Yet More Network-Based Attacks
Prof. Richard A. Stanley
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/9 #1
Thought for the Day
“But in the evening he took his daughter
Leah and brought her to Jacob…”
Genesis 29: 23
Overview of Tonight’s Class
• Review last week’s lesson
• Look at network security in the news
• Course project schedule in actual time
• Network attacks--continued
Last Week
• Windows 9x has no built-in security. This
is both a blessing and a curse
• Windows NT can be a reasonably secure
operating system if used properly
• There are ways to exploit NT -- these were
begun last week and will be expanded this
week
Hacker of the Week
• Abraham Abdallah
– Brooklyn, NY bus boy
– Stole identity of 217 of Forbes 400 richest folk
– Used public library internet access
– Wide use of other technical means
– Impersonated, possibly stole funds -- $10M?
– 18 USC § 1028
Network Security Last Week
• Insider monitoring seen as next wave in IT
security
– Fallout from the Hanssen case
– Final recognition of where the threat is?
– Your thoughts?
• Pentagon interest may give biometrics
needed boost
– Testing 600 products on market for DoD use
Network Security Last Week- 2
• Totality offers e-business insurance
– Covers against hacker attacks, damage to
intellectual property and extortion
– What does this imply?
• Brinks breaks into Net security market
– partnered with Hyperon Inc.
– intrusion-detection and response services for
companies that can't afford a full-time IT
security staff
Network Security Last Week- 3
• FBI's NIPC warns of IDS vulnerability (3/16)
Internet Security Systems (ISS) has issued an alert
regarding a software tool called Stick that can be used
maliciously to exploit a vulnerability in Windows NT and
2000 versions of RealSecure Network Sensor 5.0, an
intrusion-detection system (IDS). According to the FBI's
National Infrastructure Protection Center, Stick can disable
a network's IDS by flooding it with Internet traffic from
several random IP addresses simultaneously. No such
attacks have been reported, however, ISS said.
Network Security Last Week- 4
• 'Stick' causes an antihacking 'panic’ (3/19)
– Stick allegedly an IDS buster
– Experts say the technology is not new; Stick
may be flawed
– Stick’s author says it was designed to test IDS’s
and was given to the NSA for evaluation
– NSA & NIPC determined Stick was a threat
and issued a government-wide warning
What a difference a weekend makes!
Network Security Last Week- 5
• Privacy concerns rise
– Software tools help protect online privacy as threats
mount
– New Web page shows who's tracking you
– HIPAA delayed in implementation
• Virus attacks look set to pick up pace
– Security experts warn that complexity (sic) of recent
virus attacks indicate that another big wave of attacks
may not be too far off.
– One expert points to peer-to-peer technology because of
the massive amounts of file sharing
Network Security Last Week- 6
• Everything old is new again: "TCP weakness may
be worse than suspected”
– Guardent researcher released findings on TCP
vulnerability; and came under fire from critics claiming
his findings were old news
– Initial TCP session sequence numbers are predictable
– Response: adding a random sequence to the beginning
of the Initial Sequence Numbers
– Scientist says sequence can still be guessed by a skilled
attacker
Network Security Last Week- 7
• Why do you suppose we do this review
every week?
– Keep abreast of current events?
– Develop a seasoned eye for security problems
in the real world?
– Merge the theoretical and the practical?
– Become a cynic?
YES! Learn to view with a critical eye.
Updated Class Schedule
– 3/22: More network-based attacks
– 3/29: Law, ethics, and privacy concerns
– 4/5: Intrusion detection technology
– 4/12: Exam + 2 project presentations
– 4/19: 6 project presentations
– 4/26: Final 6 project presentations + professor
evaluation
Course Project Schedules - 1
Date      Time       Team
April 12  7:50-8:15  14
April 12  8:15-8:50  11
April 19  6:00-6:25  13
April 19  6:25-6:50  7
April 19  6:50-7:15  3
April 19  7:25-7:50  12
April 19  7:50-8:15  6
Course Project Schedules - 2
Date      Time       Team
April 19  8:15-8:50  2
April 26  6:00-6:25  5
April 26  6:25-6:50  9
April 26  6:50-7:15  10
April 26  7:25-7:50  1
April 26  7:50-8:15  8
April 26  8:15-8:50  4
Course Projects - 1
1. Port scanning technology
– Sullivan, Toomey
2. Extensible authentication protocol
– Mizar, Hirsh, Tummala
3. Honey Pot
– Kaps, Gaubatz
4. Wired/Wireless security comparison
– Azevedo, Nguyen, H. Tummala
Course Projects - 2
5. SOHO network security
– Davis, Syversen, Kintigh
6. Sniffing switched networks
– Michaud, Lindsay, VanRandwyk
7. Broadband access security
– Sumeet, Nirmit, Harsh
8. Trojan Horse security
– Aparna, Subramanian
Course Projects - 3
9. Java security
– Malloy
10. Router security
– Mansour,
11. DDoS Security
– Gorse, Pushee
12. Network Security Processors
– McLaren, Brown
Projects -4
13. Network cryptography
– Lee
14. ATM Security (can’t do 26 Apr)
– Fernandes, Kuppur, Venkatesh
UDP Revisited
• UDP is used to provide low-overhead, nonguaranteed, connectionless datagram delivery
• UDP packets contain source and destination info,
may contain a checksum
• Some services (e.g. NTP, DNS) depend on UDP,
and cannot be shut off
• Filtering UDP packets not straightforward, and
often ignored
More Network Based Attacks
Do You Do Windows NT?
Remember The Goal:
Become Administrator
• Becoming Admin:
– Guessing passwords
– Remote exploits
– Privilege escalation
• Build on your new power
– Crack the SAM
– Exploit trust
– Remote control
• Cover your tracks
Guessing Passwords Over the
Network
• Manual guessing
– Requires knowledge of user names
• Automated guessing
– Requires knowledge of user names
• Eavesdropping
– Requires network segment access
Automated Password Guessing
• Tools automate the manual process
– Legion
– NetBIOS Auditing Tool
• Command line use, enables scripting
• Null passwords? Use NTInfo Scan
• CyberCop Scanner is a commercial tool to
do this
Eavesdropping
• Requires access to the network segment
• L0phtcrack
– NT password-guessing tool
– Usually works offline against the PW file
– Getting the PW file not a trivial exercise
– L0phtcrack now includes SMB Packet Capture
• Listens to network segment
• Captures login sessions, strips encrypted data
• Reverse engineers NT password encryption
• Anyone who can eavesdrop can become
Administrator within a very short time!
Switched Architecture = Fix?
• Social engineering from L0phtcrack:
– Include following URL (as a file) in email to target:
////yourcomputer/sharename/message.html
– Effect is to send PW hashes to you for verification
• L0pht also has sniffer to dump PW hashes from
PPTP, a variant of which provides VPN service
under NT
• BUT…switched network still less vulnerable than
non-switched, all else equal
Countermeasures
• Block NetBIOS-specific ports
– Disable TCP & UDP ports 135-139 at the
perimeter firewall (but what does this also do?)
– Disable TCP/IP binding for any adapter
connected to public networks (but…?)
• Enforce password policies
– Use the User Manager
– Build good passwords (Passfilt DLL)
– Use the Passprop tool
More Countermeasures
• Disable LANMAN authentication
– NT 4.0 SR 4 and later permits Registry setting
to prohibit NT host from accepting LANMAN
– This denies ability to “pass the hash”
– BUT: earlier client authentications will fail,
exposing the LM hash anyway
• Enable SMB signing
– Requires crypto verification of every SMB
packet
– NT-only solution

Prevention
• Switched networks are to be preferred
– Remember the L0pht social engineering idea
• Keep Windows 9x and Windows for
Workgroups clients off the network
• Enable auditing and logging
– Analyze the logs routinely!
– Log full of Logon/Logoff failures probably
indicates an automated attack
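
One way to carry out the routine log analysis suggested above, added here as an illustration and not part of the original lecture: it flags any source workstation that produces a burst of failed logons inside a short window. The CSV record layout, the threshold and window defaults, and the sample records are assumptions constructed for the example; 529 is the NT 4.0 Security-log event ID for a failed logon.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: Security-log records exported as
# "time,event ID,account,source workstation" (this layout is an assumption).
SAMPLE_LOG = """\
2001-03-22 02:14:01,529,administrator,WKS-17
2001-03-22 02:14:02,529,administrator,WKS-17
2001-03-22 02:14:03,529,admin,WKS-17
2001-03-22 02:14:05,529,backup,WKS-17
2001-03-22 02:14:06,529,guest,WKS-17
2001-03-22 02:14:08,529,administrator,WKS-17
2001-03-22 08:59:40,529,jsmith,WKS-03
2001-03-22 09:00:05,528,jsmith,WKS-03
2001-03-22 13:31:12,529,jsmith,WKS-03
"""

FAILED_LOGON = "529"  # NT 4.0 event ID: unknown user name or bad password

def find_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map each source with >= threshold failures inside one window to
    (peak failures in a window, set of accounts tried)."""
    recent = defaultdict(deque)   # source -> failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, account, source = (f.strip() for f in line.split(","))
        if event_id != FAILED_LOGON:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        queue = recent[source]
        queue.append((when, account.lower()))
        while when - queue[0][0] > window:   # drop failures older than the window
            queue.popleft()
        if len(queue) >= threshold:
            peak, accounts = flagged.get(source, (0, set()))
            flagged[source] = (max(peak, len(queue)),
                               accounts | {name for _, name in queue})
    return flagged

if __name__ == "__main__":
    for source, (peak, accounts) in find_bursts(SAMPLE_LOG).items():
        print(source, peak, sorted(accounts))
```

The occasional mistyped password from WKS-03 stays below the threshold, while the six failures in seven seconds from WKS-17 across several account names are reported.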
More Remote Attacks
• Remote buffer overflows
– Several published overflows in NT
– Likelihood of severe attacks using this approach
growing
• Denial of service
– Known holes in NT patched--install patches!
– Probably other holes to be found, especially in
Windows 2000, which is a tabula rasa
– DoS can be used to force reboot, which then
triggers execution of malicious code
Privilege Escalation -1
• Vacuuming up information
– From non-Admin account, need to identify info
that will gain higher privilege
– Enumerate shares, search for password files,
probe the Registry
Privilege Escalation - 2
• getadmin
– Adds a user to local Administrators group
– Uses low-level kernel routine to set a flag
allowing access to any running process
– Uses DLL injection to insert malicious code to
a process that can add users
– Must be run locally on target system
Privilege Escalation - 3
• sechole
– Similar functionality to getadmin
– secholed puts user in Domain Admins group
– Modifies OpenProcess API call to attach to a
privileged process
– Must be run locally on target…
– UNLESS target running IIS, in which case it is
possible to launch remotely
Privilege Escalation - 4
• Trojan applications
– Exploit the path
– Executable registry values, e.g. those in:
• Run, RunOnce, RunOnceEx: Any value can launch code
• AeDebug: Debugger can launch code
• Winlogon: Userinit can launch code

Countermeasures
• Apply the patches
• Don’t allow write access to executable
directories
• Block ports 135-139 (but this shuts down
Windows file sharing)
• Audit execute privileges on web server
filesystem
Privilege Escalation
On balance, this is not trivially easy
SAM’s the Man -- And the
Target!
• SAM=Security Accounts Manager
• NT equivalent to Unix /etc/passwd
• Once you have Admin privileges, this is where the
user names and PWs are found
– Backwards compatibility hinders crypto
– LanManager crypto has been broken
– Relatively easy to crack PWs with tools (L0phtcrack
can crack all alphanumeric PWs in <24 hrs with a
Pentium II @ 450 MHz)
Getting the SAM
• Boot to another OS and copy the file
• Get the backup SAM from the repair
directory
• Extract PW hashes from the SAM (e.g. with
pwdump or pwdump2)
– Newer version bypasses SYSKEY
• Network eavesdropping
NT Passwords: A Word
• Two versions of PW stored in SAM
– NT version (NT hash)
– LanMan version (LM hash): FLAWED!
• LanMan Problem
– PW split into two 7-byte halves, blank-padded
to make 14 characters long
– Each half encrypted separately, then
concatenated to make the LM hash
NT Password Problems
• LM hash exposes serious crypto problem:
– No password is stronger than 7 characters
– Tools exist to crack these passwords
• L0phtcrack
• Excellent guesses of entire PW can be made by
cracking the weaker half first
• So?
– Choose NT passwords of length = 7 or 14
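
An added audit sketch (not from the original lecture) showing what the split into two separately encrypted halves, described on this slide and the previous one, gives away in an administrator's own hash export: an empty second half always produces the same 16 hex digits, and equal halves on different accounts mean equal 7-character chunks because LM uses no per-user salt. The pwdump-style record layout is assumed, and every hash value in the sample is constructed except the well-known empty-half constant.

```python
from collections import defaultdict

# LM value that every empty 7-byte half produces (hex, lowercase).
EMPTY_HALF = "aad3b435b51404ee"

# Constructed sample in pwdump layout: user:RID:LM hash:NT hash:::
# All hash digits are made up for illustration, apart from EMPTY_HALF.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdeffedcba9876543210:11111111111111111111111111111111:::
jsmith:1001:1a2b3c4d5e6f7081aad3b435b51404ee:22222222222222222222222222222222:::
backup:1002:0123456789abcdefaad3b435b51404ee:33333333333333333333333333333333:::
svc_web:1003:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
"""

def audit_lm(dump_text):
    """Return (finding per user, groups of users sharing a 7-character chunk)."""
    findings, chunk_users = {}, defaultdict(set)
    for line in dump_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or len(fields[2]) != 32:
            continue                        # not a record carrying an LM hash
        user, lm = fields[0], fields[2].lower()
        halves = (lm[:16], lm[16:])
        if halves == (EMPTY_HALF, EMPTY_HALF):
            findings[user] = "no-lm-hash"   # blank password or LM hash not stored
        elif halves[1] == EMPTY_HALF:
            findings[user] = "short"        # whole password fits in the first half
        else:
            findings[user] = "two-halves"   # 8-14 chars, each half attackable alone
        for half in halves:
            if half != EMPTY_HALF:
                chunk_users[half].add(user)
    # Identical halves on different accounts mean identical password chunks.
    shared = sorted(sorted(users) for users in chunk_users.values()
                    if len(users) > 1)
    return findings, shared

if __name__ == "__main__":
    findings, shared = audit_lm(SAMPLE_DUMP)
    for user, finding in findings.items():
        print(f"{user:15} {finding}")
    print("accounts sharing a chunk:", shared)
```

Accounts reported as "short" or listed in a shared group are the first candidates for a forced password change.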
NT Password Crackers
• L0phtcrack
– GUI, fast
• John the Ripper
– Command-line tool, dictionary-based
– Unix, but cracks LanMan hashes
• Crack 5 with NT extensions
– Many permutations used to crack
– Not easy to use, but powerful
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/9 #41
Anti-Cracking Countermeasures
• Choose good NT passwords
– Above discussion on length pertains
– Include non-printable ASCII characters for key
accounts (like Admin)
• ALT-255 = NUM LOCK
– Protect the SAM
• Physical security for the server
• Keep track of the Admin group
– Implement SYSKEY (NT SP2)
Exploiting Trust
• Good account administration
– User accounts don’t have Admin privileges
– Local Admin, Domain Admin not mirrored
• Exploit data in Local Security Authority
– passwords, hashes, dialup info, etc.
• Autologon
• Keystroke logging
– IKS costs $149, runs in kernel, logs all strokes
Remote Control
• NT Resource Kit is first point of departure
– Remote Command Line (remote.exe)
– Remote Command Service (rcmd.exe)
– Included with server version of NT
– remote.exe easier to install and use
• Must run on target system
• With Admin access, can launch on schedule
• Remote shell via Netcat
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/9 #44
Back Doors - 1
• BackOrifice
– BO2k runs on NT and Win9x
– Provides remote control of machine
– Source code available, making custom
modifications easy, detection harder
• Net Bus
– Remote control of Win9x and Win NT
– Keystroke logging an option
Back Door - 2
• How about a remote GUI with all the bells
and whistles?
• Try Virtual Network Computing
– By AT&T Labs, Cambridge, UK
– Free!
– Can be installed remotely over the network
– Stealthy
– Virtually equivalent to “hands-on” access
Countermeasures
• Look for the filenames of bad programs
• Hunt through the Registry
• Regularly check the process list
• Check the ports periodically
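
An added example (not from the original lecture) of hunting through the Registry: it parses a text export and reports any code-launching value under the keys listed on the Trojan applications slide (Run, RunOnce, RunOnceEx, AeDebug, Winlogon) that is missing from a known-good baseline. The baseline contents, the sample export, and the function names are assumptions constructed for the illustration.

```python
import re

CV = r"software\microsoft\windows\currentversion"
NT = r"software\microsoft\windows nt\currentversion"
# Keys named on the slide. None = any value launches code; otherwise only
# the named value does (Debugger under AeDebug, Userinit under Winlogon).
WATCH = {CV + r"\run": None, CV + r"\runonce": None, CV + r"\runonceex": None,
         NT + r"\aedebug": "debugger", NT + r"\winlogon": "userinit"}

# Assumed known-good entries for this host, recorded when it was built.
BASELINE = {
    (CV + r"\run", "systemtray", "SysTray.Exe"),
    (NT + r"\aedebug", "debugger", "drwtsn32 -p %ld -e %ld -g"),
    (NT + r"\winlogon", "userinit", "userinit,nddeagnt.exe"),
}

# Constructed sample of a REGEDIT4 text export (HKLM only).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Updater"="C:\\TEMP\\upd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="drwtsn32 -p %ld -e %ld -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="userinit,nddeagnt.exe,C:\\TEMP\\svc.exe"
"""

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg(text):
    """Yield (key without hive, value name, data) for string values."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].split("\\", 1)[-1].lower()   # drop the hive name
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1).lower(), m.group(2).replace("\\\\", "\\")

def unexpected_autostarts(text, baseline=BASELINE):
    """List (key leaf, value name, data) launch points absent from baseline."""
    hits = []
    for key, name, data in parse_reg(text):
        for watched, only in WATCH.items():
            in_key = key == watched or key.startswith(watched + "\\")
            if in_key and only in (None, name) and (key, name, data) not in baseline:
                hits.append((key.rsplit("\\", 1)[-1], name, data))
    return hits
```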
Covering Up
• Disable auditing
• Clear the event log
• Hide a toolkit on the target system
Think Creatively
• For example, suppose you could change the
system clock. What might happen?
– Old Kerberos tickets could be good again
– Scheduled jobs may not run
– And…?
Cracking Unix
• Remote access
– Exploit a listening service
– Route through a Unix system that links two or
more networks securely
– Remote execution attack (e.g. Trojan email,
etc.)
• Get root privileges
• Cover your tracks
Unix vs. NT
• Unix around longer, source code available
• Very many buffer overflow attacks
• Specifics can be found in many texts
• Note, however, that the methodology of the
attack follows the model used for NT. Why
is this?
• Would you expect this model to have
generality?
Summary
• There is a set methodology to follow to gain
network access (but this isn’t a cookie-cutter sort
of approach)
• The methodology follows from the architecture
and the software of the network
• The types of attacks vary widely, and new ones are
constantly being developed
• Basic countermeasures and sound auditing will go
a long ways towards securing the network
Homework - 1
1. You are the architect of a Unix-based
corporate network. You have been asked to
audit the network for security. How will
you proceed? What automated tools might
you use, and where would you get them? If
you could only search for three top
vulnerabilities, what would they be?
Homework - 2
2. Napster allows the sharing of material that
is, or may be, copyrighted. U. S. copyright
law holds that the author owns the copyright
to whatever he/she produces, from the
moment it is expressed in a tangible form
(e.g. in bits on a disk). Is Napster legal? Is
it ethical? Should it be either or neither?
Assignment for Next Week
• Next week’s topic: Legal and ethical issues in
network-based security