2000-05-10-MAEDS-3hr-Security
Download
Report
Transcript 2000-05-10-MAEDS-3hr-Security
Network Security
For:
The Michigan Association for
Educational Data Systems
May 10th, 2000
By:
Mark Lachniet, MCNE / MCSE
mailto:[email protected]
Introductions
Mark Lachniet
Director of Information Systems at Holt
Public Schools
Novell Master CNE, NetWare 4&5
Microsoft MCSE, NT 4.0
Linux user since 1994
Security guy by necessity
Paul Melson, CNE
Networking Technologies Specialist for Holt
Public Schools
4 year educational technology veteran
NetWare 4 CNE, Linux user/admin since 1994
UNIX professional by day, evil skr1pt k1ddi3 by
night
Matt Mercure, CNA
Computer Technician for Holt Public Schools
Novell CNA, working on CNE
Black Belt (good for server room security)
Linux newbie (1999)
Electrical Engineering Technology degree
Precautions!
You should have a good understanding of the
operating systems before trying anything!
Working with computer security can be very
complex and prone to error - Sometimes its hard to
make the exploits work and not break anything
I cannot possibly discuss all the important issues
pertaining to network security - this is just a start
My own knowledge is limited compared with more
advanced or specialized hackers
I am a network admin, not a hacker - I do not spend
my life trying to hack systems
Warning on Full
Disclosure
The best way to secure your system is to use the tools that
the hackers use and hack yourself!!
The techniques I discuss are dangerous, and if used
immorally, illegal.
All of the information I’m presenting is available to anyone on
the Internet, including your students!
The difference between “Black Hat” and “White Hat” hackers
The concept of the “security through obscurity” model versus
the “many eyes” model
Open Source vs. Closed source response models
“Linux vs. Microsoft: Who solves security problems
faster?”
Warning About Demos
Getting ready for this presentation was difficult
because the number of machines we are using
You never know what’ll get messed up, so bear
with me if there is a problem
I believe in showing the actual hacking software
that hackers use
Hearing about it is one thing, seeing it is another
Seeing it should also scare the bejeezus out of
you, and therefore have a greater impact on
your practices
Supplemental Materials
Supplemental materials to refer to:
Lists of URLs for later use
Primary text from various sources
Program files via. FTP from lachniet.com
ftp://lachniet.com/pub/security
Program files via. CD-ROM (Secure-Happy)
Any programs I provide for you could have been
modified in some way - if you are truly paranoid, you
should download them yourself from the Internet
I have “web captured” several useful pages into Adobe
Acrobat PDF format for the purposes of this class
Warning on
Supplemental Materials
The CD you have contains the actual programs I
will demo, and the actual programs hackers use
When you see a icon in the presentation, this
means that the software is available on your CD
When you see a icon, it means there is
supplemental documentation on the CD to read
All of these programs are free for download on the
Internet - I don’t have any special connections
The programs I am giving you are dangerous! Use
them professionally and morally!
Hacking Platforms
Hacking tools are built mainly for Win9x/NT and
GNU-Linux/UNIX platforms
GNU-Linux is #1 for several reasons: It’s fast,
flexible, well supported, has many network-aware
libraries (libpcap, libnet, perl, etc.) and of course
FREE
If you want to be productive in advanced computer
networking you must Learn GNU-Linux!
Windows 9x / NT also have some tools but is more
limited
Macintosh is not really even a contender
Linux: The Geek Factor
Online Hacker
Resources
First and foremost, join relevant join Listservs
immediately! (NTBugtraq, Bugtraq, etc.)
Secondly, refer frequently to major security websites
such as:
www.securityfocus.com
www.nmrc.org
www.l0pht.com
www.rootshell.com
www.securityportal.com
www.auscert.org
www.trinux.org
A Basic Network
The Internet
UNIX Workstation
Ethernet Hub
Mac II
Win 98 PC
x86 Server
Problems With the Basic
Network
Uses a hub - all traffic can be seen by all
workstations on the network, facilitating traffic
Is directly connected to the Internet - people can
reach the workstations from the outside
Heterogeneous network - requires a solid
knowledge of each type of computer and all of
their vulnerabilities
If even one machine can be compromised, it
can lead to the hacking of others
The UNIX workstation is a prime target to hack
A Better Network
REAL IP ADDRESSES
The Internet
Router
Workstation
IBM Compatible
Ethernet Switch
FAKE IPADDRESSES
Mac II
IBM Compatible
Advantages to the
“better network”
Uses a switch, all but broadcast and unusual traffic
such as multicast are filtered
Machines can only see their own traffic
Uses a router to separate the private network (fake
IP addresses) from the Internet (real IP addresses)
Gives a central point of control to monitor and
restrict access to external resources
Provides for a large number of client workstations
with only a single IP address
Could also do this with a server running MS-Proxy,
BorderManager, or Linux
Firewalls
Designed to control the flow of network traffic
Usually based on IP / Port combinations called Access
Control Lists (ACLs)
Can be configured to respond to traffic patterns (e.g.
locking out a recognizable attack signature)
Generally configured in one of three types:
Ingress - controls what can enter the firewall - useful to
stop IP spoofing
Forward - controls what packets are forwarded through
the firewall and how (e.g., regular TCP/IP routing, or
NAT/Masquerading)
Egress - what is allowed out of the router - may wish to
stop broadcast messages, napster, etc.
Application Proxies
Operate at a higher level on the OSI model than a
firewall
Deals with application data like FTP, HTTP, SMTP
instead of just with packet headers
Web proxies are the most common example (Microsoft
Proxy Server, Border Manager, Squid)
Proxies exist for many services, FTP, video, etc.
Allow ACL’s based not only on IP information but on
username/password combinations and other criteria
Generally used to either improve performance (cache)
or to “punch a hole” through a firewall
The Holt Public Schools model - student machines have
no firewall access, but do have access to the proxy
Network Protocols
TCP/IP - IP for routing, TCP/UDP for transport
Currently in use: IPv4, IPv6 to come
IPv6 will have some security enhancements and will
provide for a much larger domain of numbers so
you can eventually network your toaster and
microwave
NetBEUI - for LAN only, mainly for NetBIOS
(Windows Networking)
IPX / SPX - Novell implementation, fast and easy to
run in a WAN (largely transparent routing)
Programs and Ports
TCP/IP applications use IP addresses and Ports
to communicate
Some example ports:
Port
23 - Telnet
Port 20/21 - FTP
Port 25 - SMTP (Internet E-Mail)
Port 80 - HTTP
Port 139 - Windows Networking
Firewalls control access based on both address
and port
Mapping the Network
The first step to any hacking is to discover which hosts
are active and which services (ports) are running
To do this, use a portscanner such as NMAP
Portscanners use various methods, some subtle, to do
their mapping. Some methods are hard to detect
Portscanners allow you to scan a large range of Internet
addresses (theoretically all of them)
Some do “OS fingerprinting” so you can determine the
operating system that is running from various quirks in
the TCP/IP stack
This allows you to focus your attack on vulnerable
operating systems (e.g. old UNIX operating systems)
Know when you are
being portscanned
Use an IP logger program
Versions exist for UNIX and Windows
Some are sensitive to some of the “covert” methods of
portscanning
Under UNIX, can be configured to take action when it
has identified an incoming portscan
Responses can be to firewall off the host, add the host
to /etc/hosts.deny, or launch a shell program
Counter-measures are tempting to launch, but
remember: the host you are retaliating against is
probably another innocent victim!
I have gotten as many as 3 attacks in a week
On Trinux
Our hacker is using a vicious hacker toolkit known as Trinux
Trinux is a micro-distribution of GNU-Linux that fits on two
floppy disks
You (yes you) are vulnerable to Trinux! If someone can boot
to a floppy disk, they can use Trinux on your network
What? You are protected by your BIOS? Are you so sure?
BIOS password cracker programs are easy to find and
download!
Trinux contains many of the TCP/IP programs we will now
demo: NMAP, Iptraf, and HUNT
I have modified Trinux to make it even more dangerous - my
version includes READSMB which can steal passwords in an
NT environment
Demo NMAP
NMAP Output
Examine the output of NMAP on a Windows 2000
advanced server with mainly default settings
Discuss the ports that are open
OS Fingerprinting methods - uses strangeness in
the TCP/IP stack to determine operating system sometimes takes a few tries to get it right
New fingerprints are constantly submitted to a
signature database for future releases
Discuss the operating system - what would be the
next step? A keyword search for “Hack <keyword>”
Network Sniffers
Sniffers are used to monitor network traffic
Sniffers need “promiscuous mode” access to the
network card. This requires a supported network card most will work, but not all
Most sniffers require admin access, or to be logged
directly into a machine
Some sniffers only summarize data by packet headers
and type
Others can peer into the payload of the packet and see
transmitted information such as plaintext passwords in
Telnet, FTP, and POP3
Network Sniffers cont.
Some sniffers can track a TCP conversation (such as
Telnet session) providing a type of “VCR playback”
HUNT can actually monitor a telnet session and hijack it,
leaving the attacker logged in as the victim
To beat sniffers, use encryption!
Secure Shell (SSH) is a must
Unfortunately, not all popular services yet use
encryption (but they soon will)
Some types of sniffing can be detected by “anti-sniffers”
Sniffers exist for many platforms - Windows, UNIX, even
Windows CE
Demo Iptraf
Demo Hunt
Denial of Service - What
Designed to deny access to services to
legitimate users
There are many types of DoS attacks
Many take advantages in misconfigurations and
bugs in software (applications, operating
systems, and protocol stack)
DoS attacks are usually coded in C for the
GNU-Linux platform, compiled, and used
Often take advantage of spoofed source IP
addresses, making them hard to track
Denial of Service - Why
To reboot a server for some reason (to complete a hack
or hide tracks)
Divert attention from other attacks
Test your systems against available DoS attacks
A remote system is having problems and cannot be
reached to be properly rebooted
To be a jerk
To promote an agenda (e.g. pro-life, pro-choice)
This happens for geopolitical reasons as well (during the
Kosovo conflict, for example)
Can cause a lot of grief for system admins
Can also cost a LOT of money for companies
Distributed DoS (DDoS)
Distributed DoS attacks are the latest twist
DDoS attacks use a hierarchical system of
clients, masters, and slaves to attack more than
one system at a time from multiple hosts
The latest attacks on major media sites such as
CNN were done by this method
DDoS attacks are hard to deal with because you
can’t simply firewall off a single host
DDoS attacks are usually perpetuated from
hosts that have already been compromised
DDoS Continued
Some DDoS attacks are nothing more than thousands
of constantly repeated HTTP GET commands to crash a
web server
The U.S. Government is starting to get worried about
such attacks
Some important transactions that take place over the
Internet (email, secure telephony) may be vulnerable
Also, the threat of damage to the U.S. economy is very
real - the Internet is a vulnerable entity, and having it
disrupted can cost millions of dollars a day
Take a look at the estimates of damage just from the
ILOVEYOU virus!
mstream.c Analysis
ATTACKER
HANDLER
AGENT
HANDLER
AGENT
HANDLER
AGENT
VICTIM.COM
AGENT
Other Distributed
Attacks
Portscanning ( as per phrack#56 in the
supplemental documentation on CD)
Can also be adapted to Brute Force / Dictionary
password cracking attempts
It will be interesting to see what comes next probably windows-based DDoS tools (because
windows users are primarily dialup and
uneducated about security issues)
Will force people to develop better intrusion
detection and defense systems
Remote Attacks
Getting an account - username and password
Learn Password (sniffing, social engineering,
shoulder-surfing, read sticky-notes on monitor)
Guess Password (brute force attacks, social
engineering)
Exploit a misconfiguration (default password,
such as that found in Piranah on RedHat 6.2)
Exploit a bug in a piece of software
Exploit a buffer overflow
Buffer Overflows
Occur when a program or user sends an unexpectedly
large amount of information to an input variable on a
server that is too small (programmers will know this)
memory is overwritten on the host, and code is inserted
into memory that does something nasty
Require setuid programs, programs that run with high
levels of permission (web server processes, fileserver
software, DNS server, etc.)
In UNIX, usually made to create a set UID shell or install
a back-door program
On other platforms, may allow spawning of nasty
programs or DoS attacks
Buffer Overflows cont.
There is a huge effort on the part of programmers to
find buffer overflows
Some programs, such as SLINT, exist to test a
program for buffer overflows
An essential part of advanced security auditing - most
regular users will never do this
Humorously, buffer overflows often exist in security
auditing software! Sniffit, a well used network sniffer is
an example
Some programs (AIM) actually use buffer overflows
on purpose as security measures (to differentiate from
the competition)
On Passwords
There are many different levels of password
security
Passwords are not decrypted, they are compared!
A program will take a user’s password and encrypt
it, sending that encrypted password to the
authentication mechanism
The two encrypted passwords are compared, and if
they match, access is granted
The level of encryption and security of the method
vary greatly
Passwords Cont.
Most operating systems introduce a “salt” to the
encryption algorithm. This allows for a great deal of
variance in possible encrypted passwords
Varying salts force a cracking program to encrypt a
single password MANY different ways in order to get a
match - therefore it takes longer to do - therefore it is
more secure
Guess which OS doesn’t use a salt! Microsoft! That
makes Microsoft hashes the fastest to crack
Other systems that are more secure already exist
(SecurID, biometrics,etc.) but are not in common use
Passwords cont.
When people finally realize how insecure our technology is,
they will begin to use more secure systems
We need to eliminate “backward compatibility” in software the technology exists to make things much more secure but it
is not used because it breaks compatibility with older systems
The media attention on hackers is probably a good thing
overall, as it will root out the insecure systems in an open
marketplace
Hackers often say that they hack “not to be evil, but to point
out the inherent insecurity” of software
What would you rather have, an elite few who know about
bugs in your software, or have EVERYONE know about the
problems and have the problem fixed?
Password Auditing
Make sure people have good passwords
This is one of the few things you can do to help yourself
Never use words in a dictionary or in common usage
Content specific dictionaries exist for everything from
biblical history to botany terms
Make your passwords LONG - the longer they are, the
harder they are to crack
Use strange combinations of words, numbers, and
punctuation
If you make your passwords hard enough to crack, a
hacker might just get bored with you and move on to
easier targets (rather than tie up his CPU’s cracking a
Crack Yourself Before
You Whack Yourself!
The best thing you can do is to attempt to crack
your own passwords!
You now have all of the software you need to do
this:
L0phtCrack 2.52 - For NT
Pandora 4.0b2 - For Novell
John the Ripper - For UNIX
Web Pass Checker - For brute-forcing HTTP
servers (runs under Linux only)
Dictionary & Brute Force
Password Attacks
Dictionary attacks use words from a dictionary file
until it finally gets the right one.
Never use dictionary words!
Brute force tries every single possible character
permutation until it gets it right
Given enough time, any password can be cracked with
brute force
Requires a cracker server with a lot of muscle - I let a
cracker run on a 14 character password and it only got
up to 6 digits in 14 hours
Time required to crack grows geometrically the longer it
gets
Online and Offline
Password Cracking
Attacks can take place online - such as a bruteforce attack that attempts to log in with every
word in the dictionary
Attacks can also take place offline - this requires
a person to somehow obtain password
information from the target system
In UNIX, this has typically meant stealing
/etc/passwd. Similar methods exist for
NT/Novell
More recently, /etc/passwd is shadowed, but if
you have enough access, you can still get it
Stopping offline attacks
Offline attacks are difficult to stop - if they can get your
data, they can take it home and work on it at their
leisure
You *MUST* physically secure your server to have any
real security - if you can boot the machine, you can
probably find a way to get the data
For example, on the average UNIX box, a person at the
console can reboot it with ctrl-alt-delete, then boot to
“single user mode” and have free access to all files on
the system
Eliminate the ability to shut down the system on the
console - though they can still just unplug it
Install a BIOS password, and LOCK the bios from
Offline Attacks on NT
NT stores its security information in a SAM file
It is possible to make a boot disk with a DOS NTFS driver ,
boot the floppy, and access the NTFS volume
Once there, can copy the SAM file to a floppy disk and take it
home to crack
Requires you to run PWDUMP to dump the password hashes
to crack from the SAM file
Then, load the hashes into L0phtCrack and crack!
Emergency Repair Disks (ERD) contain the SAM file! Never
leave these laying around!
There is also sometimes a backup made of the SAM file
during server installation
This may be fixed in Windows 2000 (I couldn’t get the SAM
file in my testing)
Offline Attacks on Novell
The Novell console is *NOT* secure - using Debug
Mode, you can beat the screensaver (if you don’t
believe me, read the Hack FAQ at nmrc.org - it works)
If you can beat the screensaver, you may be able to run
DSMAINT
DSMAINT creates a copy of the directory services
database in a flat-file database
This database can be downloaded to disk and taken
home for cracking
If you can pull the hard drive from a Novell box, you can
do anything you want
Stopping Online Attacks
Novell: Intruder Detection & Lockout
NT: Logging in Event Viewer & Lockout(?!)
UNIX: slower response to each wrong password makes
it take incrementally longer on sequential attempts
UNIX: closes connection after N tries
Could use an IP logger program in combination with a
firewall rule to stop repeated connections from a certain
host (indicative of brute-force attack)
Firewall yourself from the real world! Do you really need
everyone in the world able to access your NT files?!
Does your HTTP server use the same usernames and
passwords as your fileserver? That can be attacked!
Windows NT Security
Yes, NT has some problems
Much of it because must be backwards compatible
A default NT 4.0 box is like swiss cheese!
Must install ALL service packs and hot fixes
Should follow documents such as the AusCert Windows
NT Configuration Guide
Should register with Microsoft and check the web page
frequently
Should subscribe to the NTBugTraq listserv
Microsoft is not lax in responding to security problems
once they are public, but has a history of not addressing
them until publicly posted
Auditing your NT
Network
Use a hybrid portscanner / network probe
program
SMB Scanner is a good example - it will first
do a portscan, then show all of the share
information for all of your hosts
This is a good way to find “rogue shares” on the
part of your pseudo-educated users
SMB Scanner will also allow you to do a bruteforce attack on a Windows server once detected
Checking NetBIOS
Information Remotely
Nbtstat -a
talk about the various types of info that will
appear - the name of the machine, the domain,
user logged in, services (IS~LOAF for example)
IMHO, this is a huge security problem - you can
identify who sits at a machine and use it for
unsavory purposes (like targeting an attack, or
email virus/trojan)
L0phtCrack
L0phtCrack - The tool of choice for cracking a
Windows network
Does both online and offline functions
Will sniff the network for encrypted password
hashes and save them to a file
Once you have the hashes, you can then take
the hashes and brute-force them against a
dictionary file
Its amazingly fast and amazingly dangerous
Demo L0phtCrack
Standard NetBIOS
attacks
On the average machine, there are some common
exploitable configurations
Should rename Administrator account to something
else
Should disable Guest account
Should not have ANY un-passworded accounts
Should not allow connections over TCP/IP to IP
addresses outside your own (especially if
connected to the Internet!)
Should not run any programs you don’t really need
Demo L0phtCrack
My Trinux Disk
The Trinux Disks that are on your CD have a
special program called READSMB
READSMB does the same thing as the
L0phtCrack hash capture module
This means that anyone who can boot a floppy
in your network can now scarf all login
authentications that go across the wire
No software need be installed
No one will ever know
Scary, eh? Hope you have good passwords!
Pandora by nmrc.org
NMRC (Nomad Mobile Research Center) has
created a NetWare hacking program called Pandora
Pandora does offline cracking of passwords
Pandora also does a variety of nasty online tricks,
including DoS attacks, session hijacking, and more
On older NetWare boxes (4.x and below) there are
a lot of nasty tricks
NetWare 5.1 seems more resilient to such problems
but still is vulnerable to Yang
Demo Pandora / Yang
Trojans, Virii, Backdoors
There are a lot of other ways to mess you up as
well - Trojans and Backdoors are one
Backdoors such as NetBus allow remote control
of a machine across the internet
Once a machine is compromised by such a
program, it can be used to compromise other
systems (by installing a sniffer on the trojaned
machine for example)
Keyloggers are another nasty way of getting
passwords and sensitive information. I have
provided two demo copies for you to play with
Detecting Trojans
Trojans, keyloggers, and backdoors can be tricky
buggers
Typically install themselves so that you don’t even
know they are running
Some keyloggers are actually smart enough to
encrypt the log files and EMAIL THEM over the
Internet to a waiting hacker
To determine (for any reason) what services are
loaded on your windows machine, use regedit to
look at your Run, RunOnce, and RunServices keys!
Also a good way to get rid of pesky programs
Using Regedit
Security CD Tour
Documentation Tour
1.0 Analysis of mstream.c & how the system
was compromised
2.0 NetBios Auditing Tool Information (note:
seems to crash on some systems - try old
win95!)
3.0 Securing Novell - Information to live by
4.0 Joining BugTraq - do it NOW!
5.0 Analysis of the ILOVEYOU virus (timely!)
Web Browser Security
Web browsers have some vulnerabilities
Make sure your browser is up to date - both Netscape
and Internet Explorer have had bugs
Most attacks against browsers are what is known as
“cross-site scripting”
May make you think that you are connecting to a real
site and intercepts your username/password
May present a relatively innocuous-looking dialog box or
web form that does something naughty when you click
OK or some such
Browser Security cont.
JavaScript is powerful - sometimes powerful enough to do
harm
Microsoft browser components - ActiveX are even worse!
The more integrated your Internet software is with your OS,
the more vulnerable you are. Look at the ILOVEYOU virus
for example
Cookies - store variable=value combinations on your
computer for use by web servers. Access controlled by
domain name of web server (but could be faked!)
History File - contains information on where you have gone
and what you have looked at. Control-H in Netscape!
Cache - contains pictures of graphic files that have been
cached for later use. Watch out for fleshtones!
Web Server Security
A common point of attack
Usually run at an elevated privilege level
Very complex, so many bugs and configuration
issues
Even apache.org, maker of the best Open
Source web server was hacked!
Questions?
Mark Lachniet
E-Mail: [email protected]