Review For Final

April 29, 2010
MIS 4600 – MBA 5880 - © Abdou Illia
Introduction to Ethical Hacking

Hackers
- Hackers
  - Access a computer system or network without authorization
  - Have different motivations (from proving their status to doing some damage)
- Crackers
  - Break into systems to steal or destroy data
- Script kiddies or packet monkeys
  - Young, inexperienced hackers
  - Use publicly available hacking tools or copy code and techniques from the Internet
Hackers vs. Ethical Hackers
- Ethical hacker
  - Performs most of the same activities as hackers and crackers, but with the owner's permission
  - Employed by companies to perform penetration or security tests
- Red team
  - Team of ethical hackers with varied skills (social engineering, ethics/legal issues, break-ins, etc.)
Penetration test vs. Security test
- Penetration test
  - Legally breaking into a company's network to find its weaknesses
  - Tester only reports findings
- Security test
  - More than a penetration test
  - Also includes:
    - Analyzing the company's security policy and procedures
    - Offering solutions to secure or protect the network

Security Policy
- Sets rules for expected behaviors by users (e.g. regular patch downloads, strong passwords, etc.) and IT personnel (e.g. no unauthorized access to users' files, ...), etc.
- Defines access control rules.
- Defines consequences of violations.
- Helps track compliance with regulations.
- Etc.
  (diagram examples: "Passwords must not be written down"; "Access to files must be granted to the level required by users' job")
Hacking Tools
- Referred to as a Tiger box in the course textbook
- Collection of OSs and tools that assist with hacking and security tests:
  - Network scanners
  - Traffic monitors / packet sniffers
  - Keyloggers
  - Password crackers like L0phtCrack
  - Password extractors like pwdump, etc.
  - Practical Extraction and Report Language (Perl)
  - C programming language
  - Scripts, i.e. a set of instructions that runs in sequence
Questions
- Which of the following may be part of a Penetration test (P) or a Security test (S)? Use "X" to indicate your answer.
  1. Breaking into a computer system without authorization.
  2. Laying out specific actions to be taken in order to prevent dangerous packets from passing through firewalls.
  3. Scanning a network in order to gather IP addresses of potential targets.
  4. Finding that patches are not applied in a timely manner as recommended by corporate rules.
  5. Writing a report about a company's security defense system.
  6. Scanning a network in order to find out what defense tools are being used.
  7. Finding that users cannot change their passwords themselves.
  8. Finding that a company does not have an effective password reset rule.
  9. Finding out that a firewall does not block potentially dangerous packets.
  10. Proposing a new procedure whose implementation may help improve systems security.
  11. Finding out that the administrator's account is called Admin and has a weak password.
  12. Finding out that 1/3 of the security procedures are not actually implemented.
  13. Performing denial-of-service attacks.
  14. Disabling network defense systems.
  (answer table with columns P and S; the X marks did not survive extraction)
Penetration Testing Models
- Three models: White box, Black box, Gray box
- White box model
  - Tester is told everything about the network topology and technology
  - Tester is authorized to interview IT personnel and company employees
  - Makes the tester's job a little easier
  Note: some diagrams may show routers, firewalls, etc.

Penetration Testing Models (cont.)
- Black box model
  - Company staff does not know about the test
  - Tester is not given details about the network.
    - Burden is on the tester to find these details
  - Helps in knowing whether security personnel are able to detect an attack
- Question: What is the disadvantage of letting the company's employees know about the penetration test?
  ________________________________________________
- Question: What is the disadvantage of letting the IT staff know about the penetration test?
  ________________________________________________

Penetration Testing Models (cont.)
- Gray box model
  - Hybrid of the white and black box models
  - Company gives the tester partial information
What You Should Know
- What is the difference b/w a penetration test and a security test?
- What is a hacker, a cracker, a packet monkey?
- What three models are used for penetration tests?
- What is the difference b/w the three?
- What is a red team?
- What portion of your ISP contract might affect your ability to conduct penetration tests over the Internet?
TCP/IP Concepts

Overview of TCP/IP
- Transmission Control Protocol/Internet Protocol (TCP/IP)
  - Most widely used protocol set
  - TCP/IP is a protocol set with 4 layers* (diagram: Computer 1 and Computer 2, each with Layers 1 to 4)
- Protocol
  - Common language used by computers for "speaking"
- IPX/SPX is another protocol set used in Novell networks.
- Some companies protect their network by using IPX/SPX internally (diagram: an IPX/SPX LAN behind a TCP/IP network, the "poor man's firewall").
* A layer can be seen as a group of tasks/activities/jobs
The Application Layer
- Front end to the lower-layer protocols (diagram: Computer 1 with Application, Transport, Internet and Interface layers)
- Many Application layer protocols: HTTP, FTP, ARP, etc.
- Includes network services and client software
  - Examples: Web (HTTP service), Web browser
- Commands/utilities for connecting to and using Application layer network services:
  - ftp: used to transfer files between clients and servers
  - telnet servername [port number]: to log on to a server
The Transport Layer
- Prepares Application layer messages for proper "transportation" to a receiving device
- Main protocols used:
  - The TCP protocol for connection-oriented "dialog"
  - The User Datagram Protocol or UDP for connectionless transmissions
- Makes sure messages arrive at the destination exactly as they left the source (in the case of connection-oriented communication)
- TCP opens connections using a 3-way handshake
  - Computer 1 sends a Synchronization (SYN) request
  - Computer 2 replies with a Sync-Acknowledgement (SYN/ACK) packet
  - Computer 1 replies with an ACK packet
  (diagram: Computer 1 and Computer 2 exchange SYN, SYN/ACK and ACK at the Transport layer)
The Internet Layer
- Responsible for routing packets to their destination address
- Uses a logical address, called an IP address
- Main protocols used: IP and ICMP
- Internet Control Message Protocol (ICMP)
  - Used to send messages related to network operations
  - Helps in troubleshooting a network
- Some Internet layer commands/utilities for troubleshooting network connections (more complex versions are included in hacking tools):
  - Ping: determines whether a computer is connected and reachable
  - Traceroute and tracert: determine the route to get to a computer
Sending a message using TCP/IP
- Generating the message at the Application layer
- Encapsulation: adding protocol headers (H) and trailers (T) to pack the message.
  Example (user PC, http://www.eiu.edu):
    Application:       HTTP request -> HTTP req.
    Transport:         HTTP req. | TCP-H                        (TCP segment)
    Internet:          HTTP req. | TCP-H | IP-H                 (IP packet)
    Network Interface: HTTP req. | TCP-H | IP-H | NI-H | NI-T   (frames, onto the transmission medium)

Receiving a TCP/IP message
- Frames arrive through the network interface
- De-encapsulation: removing protocol headers (H) and trailers (T) to access the request
  Example (user PC, http://www.eiu.edu):
    Network Interface: HTTP req. | TCP-H | IP-H | NI-H | NI-T   (frames, from the transmission medium)
    Internet:          HTTP req. | TCP-H | IP-H                 (IP packet)
    Transport:         HTTP req. | TCP-H                        (TCP segment)
    Application:       HTTP req. -> HTTP request
TCP Segment

TCP Headers (bit positions 0-3 | 4-7 | 8-15 | 16-31):
  Source port (0-15)                                                         | Destination port (16-31)
  Sequence number (0-31)
  Acknowledgment number (0-31)
  Data offset (0-3) | Reserved (4-7) | Flags (8-15): CWR ECE URG ACK PSH RST SYN FIN | Window Size (16-31)
  Checksum (0-15)                                                            | Urgent pointer (16-31)
  Options (if Data Offset > 5)
  Data Field (should contain the HTTP request based on our previous example)

- Source port (16 bits) – a number that identifies the Application layer program used to send the message.
- Destination port (16 bits) – a number that identifies the Application layer program the message is destined to.
- Sequence number (32 bits) – Tracks packets received. Helps reassemble packets. Hackers may guess the SN to hijack conversations. Has a dual role:
  - If the SYN flag is set, then this is the initial sequence number. The sequence number of the actual first data byte (and the acknowledged number in the corresponding ACK) will then be this sequence number plus 1.
  - If the SYN flag is clear, then this is the sequence number of the first data byte.
- Acknowledgment number (32 bits) – if the ACK flag is set then the value of this field is the next sequence number that the receiver is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end's initial sequence number itself, but no data.
- Data offset (4 bits) – specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words, thus giving a minimum size of 20 bytes and a maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.

TCP Segment (cont.)
- Flags (8 bits) (aka Control bits) – contains 8 1-bit flags:
  - CWR (1 bit) – Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set and has responded with the congestion control mechanism (added to the header by RFC 3168).
  - ECE (1 bit) – Explicit Congestion Notification-Echo indicates:
    - If the SYN flag is set, that the TCP peer is ECN capable.
    - If the SYN flag is clear, that a packet with the Congestion Experienced flag set in the IP header was received during normal transmission (added to the header by RFC 3168).
  - URG (1 bit) – indicates that the Urgent pointer field is significant
  - ACK (1 bit) – indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
  - PSH (1 bit) – Push function
  - RST (1 bit) – Reset the connection
  - SYN (1 bit) – Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag, and some are only valid when it is set, and others when it is clear.
  - FIN (1 bit) – No more data from sender
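Added example (not from the slides): a Python decoder for the TCP header layout above, applied to a constructed SYN segment. It pulls out the ports, sequence and acknowledgment numbers, the Data Offset (to find where Options end and Data begins) and the eight control bits, and computes the acknowledgment number a SYN/ACK should carry (initial sequence number plus 1). The segment bytes, port numbers and MSS option are constructed sample values.

```python
"""Decode a TCP header laid out as in the TCP Segment slides.

Added example, not part of the original slides. The layout follows the slide
(and RFC 793): ports, sequence and acknowledgment numbers, Data Offset, the 8
control bits, Window Size, Checksum, Urgent pointer, optional Options, then Data.
"""
import struct

# Control bits in header order; CWR is the high-order bit of the flags byte.
FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
FIXED_HEADER = "!HHIIBBHHH"  # 20 bytes: the fields before Options


def parse_tcp_header(segment: bytes) -> dict:
    """Return the header fields of a TCP segment as a dict.

    Raises ValueError when the segment is shorter than the fixed 20-byte header
    or than the length announced by Data Offset (a common malformed-packet case).
    """
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack, offset_reserved,
     flags, window, checksum, urgent) = struct.unpack(FIXED_HEADER, segment[:20])
    data_offset = offset_reserved >> 4          # high 4 bits, in 32-bit words
    header_len = data_offset * 4
    if data_offset < 5 or header_len > len(segment):
        raise ValueError(f"bad data offset {data_offset}")
    set_flags = [name for i, name in enumerate(FLAG_NAMES) if flags & (0x80 >> i)]
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack,
        "data_offset": data_offset, "header_len": header_len,
        "flags": set_flags, "window": window,
        "checksum": checksum, "urgent_pointer": urgent,
        "options": segment[20:header_len],      # non-empty only if Data Offset > 5
        "data": segment[header_len:],
    }


def expected_synack_ack(syn_header: dict) -> int:
    """Acknowledgment number the server's SYN/ACK should carry.

    With SYN set the sequence number is the initial sequence number (ISN); the
    first ACK acknowledges ISN + 1 and no data, as the slide states.
    """
    if "SYN" not in syn_header["flags"]:
        raise ValueError("not a SYN segment")
    return (syn_header["seq"] + 1) & 0xFFFFFFFF


def build_tcp_header(src_port, dst_port, seq, ack, flags, window,
                     options=b"", data=b""):
    """Construct a segment (checksum left at 0) so the parser can run offline."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(options) // 4
    flag_byte = 0
    for name in flags:
        flag_byte |= 0x80 >> FLAG_NAMES.index(name)
    fixed = struct.pack(FIXED_HEADER, src_port, dst_port, seq, ack,
                        data_offset << 4, flag_byte, window, 0, 0)
    return fixed + options + data


# Constructed sample: a client SYN to port 80 carrying a 4-byte MSS option
# (kind 2, length 4, MSS 1460), so Data Offset is 6 and Options is non-empty.
SAMPLE_SYN = build_tcp_header(49152, 80, 0x12345678, 0, ["SYN"], 65535,
                              options=b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    hdr = parse_tcp_header(SAMPLE_SYN)
    print(hdr["src_port"], hdr["dst_port"], hdr["flags"], hdr["data_offset"])
    print("SYN/ACK should acknowledge", hex(expected_synack_ack(hdr)))
```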
IP Header

IP Headers (bit positions 0-3 | 4-7 | 8-15 | 16-18 | 19-31):
  Version (0-3) | Header length (4-7) | Type Of Service (8-15) | Total Length (16-31)
  Identification (0-15)                                        | Flags (16-18) | Fragment Offset (19-31)
  Time to Live (TTL) (0-7) | Protocol (8-15)                   | Header Checksum (16-31)
  Source Address (0-31)
  Destination Address (0-31)
  Options
  Data

- Version - indicates the version of IP used. Should be 0100 for IPv4.
- Internet Header Length (IHL) - tells the number of 32-bit words in the IP header.
- TOS – Indicates the quality of service for delivering the packet: normal delay, high reliability, normal cost, high cost, etc.
- Total Length – defines the entire packet size (header + data) in bytes. The minimum length is 20 bytes (20-byte header + 0 bytes data) and the maximum is 65,535. Subnetworks may impose restrictions on the size, in which case packets must be fragmented. Fragmentation is handled in either the host or the router.
- Identification - Primarily used for uniquely identifying fragments of an original IP packet.
- Flags - A three-bit field used to control or identify fragments. They are (in order, from high order to low order):
  - Reserved, must be zero.
  - Don't Fragment (DF): If the DF flag is set and fragmentation is required to route the packet, then the packet will be dropped.
  - More Fragments (MF): When a packet is fragmented, all fragments have the MF flag set except the last fragment.
- Fragment Offset - Specifies the offset of a particular fragment relative to the beginning of the original unfragmented IP packet. The first fragment has an offset of zero.
- TTL - Helps prevent packets from persisting (e.g. going in circles) on an Internet. Time specified in seconds, but time intervals less than 1 second are rounded up to 1. Also in number of hop counts.
- Protocol - Defines the protocol used in the data portion of the IP packet. Common protocols and their codes are: 1: Internet Control Message Protocol (ICMP), 2: Internet Group Management Protocol (IGMP), 6: Transmission Control Protocol (TCP), 17: User Datagram Protocol (UDP), 89: Open Shortest Path First (OSPF), 132: Stream Control Transmission Protocol (SCTP).
Network & Computer Attacks
Part 1

ISC* Objectives
- C – Confidentiality
- I – Integrity
- A – Availability
- A – Accountability/Authenticity
- Confidentiality
  - Making sure that corporate data and transactions with partners remain confidential
- Integrity
  - Making sure that software programs, local data, and data in transit are not altered or destroyed
- Availability
  - Making sure that computer and network resources or services remain available for users and are not disrupted
- Accountability
  - Making sure that users are properly authenticated and their actions accounted for.
- Authenticity
  - Also called non-repudiation. Making sure that business partners cannot deny their actions.
* Information Security Countermeasures
Malicious Software attacks
- Common types of malware
  - Viruses
  - Worms
  - Trojan horses

What is a virus?
- A virus is malware that ...
  - attaches itself to files on a single computer
  - can replicate from file to file
  - does not stand on its own
    - needs a host file – a vector – [unlike some other malware]
  - does not spread across computers without human intervention (flash drive, email attachment, etc.)
- Types of virus host / vector
  - Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux)
  - Volume Boot Records of floppy disks and hard disk partitions | The master boot record (MBR) of a hard disk
  - General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms).
  - Application-specific script files (such as Telix scripts)
  - System-specific autorun script files (such as the Autorun.inf file needed by Windows to automatically run software stored on USB Memory Storage Devices).
  - Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, Microsoft Access database files, and AmiPro documents)
  ELF = Executable and Linkable Format | PDFs & images, like HTML, may link to malicious code | PDFs can also be infected with malicious code
Types of viruses
- Based on host files
  - Boot sector viruses: attach themselves to files in the boot sector of the HD
  - File infector viruses: attach themselves to program files and user files
  - Macro viruses: attach to files with macro programs embedded.
- Based on mutation techniques
  - Polymorphic viruses: mutate with every infection (using encryption techniques), making them hard to locate
  - Metamorphic viruses: rewrite themselves completely each time they are to infect new executables*
* a metamorphic engine is needed

Types of viruses (cont.)
- Based on deception methods
  - Core MS-DOS viruses: make sure that the "last modified" date of a host file stays the same when the file is infected by the virus.
  - Cavity viruses
    - infect files without increasing their sizes or damaging the files
    - overwrite unused areas of executable files (diagram: File.exe of 300 KB on a 512 KB block)
    - Examples: CIH virus, Chernobyl virus, which are 1 KB in size and infect Portable Executable files, which have many empty gaps
  - Antivirus PID killers: kill tasks associated with antivirus
  - Stealth: hides itself by intercepting disk access requests by antivirus programs.
    The stealth returns an uninfected version of files to the antivirus software, so that infected files seem "clean". (diagram: Request -> Stealth -> OS)
Protecting against viruses
- Signature-based antivirus programs
  - Compare the contents of a file to a database of virus signatures
    - A signature is an algorithm or a hash (a number or string of characters derived from the virus code) that uniquely identifies a specific virus.
  - Must update the signature database periodically or use the automatic update feature if available
  (diagram: a list of virus signatures, 1) 67344883409999999999, 2) DF56eeb&^fgkFT&&&88jjj, 3) 01000010100000000000, 4) 78020000100000102398, 5) 89950-1=ddjjdfjj3k3l355, 6) ..., compared against files, 1) Sales.xls, 2) Forecast.doc, 3) Staff.mdb, 4) Ingredients.doc, 5) Committees.xls, 6) Minutes.accdb, 7) ...)
Question: Name two kinds of situations where signature-based antivirus won't be effective?
Protecting against viruses (cont.)
- Heuristic-based antivirus that uses generic signatures
  - Through mutation or refinements by attackers, viruses can grow into dozens of slightly different strains called variants
    - Example: The Vundo trojan has evolved into two distinct family members, Trojan.Vundo and Trojan.Vundo.B
  - A generic signature can be generated for a virus family.
  - Heuristic analysis uses generic signatures to identify new malware or variants of known malware
Question: Is a generic signature more or less accurate than a specific virus' signature?
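Added example (not from the slides) for the specific versus generic signature discussion above: a Python scanner that searches constructed "files" for the exact byte signature of one known sample and for a generic signature in which the byte that varies between strains is a wildcard. The virus body, its variant and the file contents are constructed byte strings, not real malware; the file names are the ones from the slide's diagram.

```python
"""Specific (exact-bytes) signatures versus a generic signature for a family.

Added example, not from the original slides. VIRUS_A is a constructed byte string
standing in for a virus body appended to a host file; it is not real malware.
"""
import re

# Constructed virus body and a variant that differs in a single byte (the kind of
# small change that produces a new strain, like Trojan.Vundo -> Trojan.Vundo.B).
VIRUS_A = b"\x55\x8b\xec\x83\xec\x10\xe8\x00\x00\x00\x00\x5b\x81\xeb"
VIRUS_A_VARIANT_B = VIRUS_A[:5] + b"\x20" + VIRUS_A[6:]

# Specific signatures: the exact byte sequence of each known sample.
SPECIFIC_SIGNATURES = {"Virus.A": VIRUS_A}

# Generic signature for the family: the byte that varies is a wildcard.
GENERIC_SIGNATURES = {
    "Virus.A.gen": re.compile(re.escape(VIRUS_A[:5]) + b"." + re.escape(VIRUS_A[6:]),
                              re.DOTALL),
}


def scan_specific(content: bytes, signatures=SPECIFIC_SIGNATURES) -> list:
    """Names of known samples whose exact bytes occur in `content`."""
    return sorted(name for name, sig in signatures.items() if sig in content)


def scan_generic(content: bytes, signatures=GENERIC_SIGNATURES) -> list:
    """Names of families whose generic pattern matches somewhere in `content`."""
    return sorted(name for name, pat in signatures.items() if pat.search(content))


def scan_files(files: dict) -> dict:
    """{filename: (specific hits, generic hits)} for a dict of file contents."""
    return {name: (scan_specific(data), scan_generic(data)) for name, data in files.items()}


# Constructed 'files': two clean documents and two infected ones (virus body appended).
SAMPLE_FILES = {
    "Sales.xls": b"\xd0\xcf\x11\xe0" + b"sales figures Q1" * 4,
    "Forecast.doc": b"\xd0\xcf\x11\xe0" + b"forecast text" * 4 + VIRUS_A,
    "Staff.mdb": b"\x00\x01\x00\x00Standard Jet DB" + VIRUS_A_VARIANT_B,
    "Minutes.accdb": b"\x00\x01\x00\x00Standard ACE DB" + b"\x90" * 16,
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name:14s} specific={hits[0]} generic={hits[1]}")
```

Staff.mdb carries the variant: the specific signature misses it while the generic one catches it, which is the trade-off the question after the slide is asking about.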
Protecting against viruses (cont.)
- Heuristic-based antivirus that uses virtual machines
  - Allows the antivirus program to simulate what would happen if the suspicious file were to be executed
  - Executes the questionable program or script within a specialized virtual machine
  - It then analyzes the execution, monitoring for common viral activities: replication, file overwrites, attempts to hide the existence of the suspicious file.
  - If one or more virus-like actions are detected, the suspicious file is flagged as a potential virus.
Question: Which of the following is likely to lead to false positive virus identifications: signature-based or heuristic-based antivirus?
Question: Based on the descriptions, is the classification of the malware as a virus correct?
Worms
- Do not attach to files | A worm stands on its own
- Self-replicating malware that can propagate across a network by itself
- Uses the host computer's resources, and its own network application, to send copies of itself to other computers
- Types of harm:
  - Consuming network bandwidth.
  - Consuming host computer resources (processing, RAM)
  - Deleting files (e.g. ExploreZip worm)
  - Encrypting files (which leads to a cryptoviral extortion attack)
  - Installing backdoor/zombie programs under the control of the worm author (e.g. Sobig)
Protecting against worms
- Worms spread by exploiting OS vulnerabilities
  - Make sure that unnecessary ports are not open
  - Regular OS security updates are the best protection
- Other effective defense systems:
  - Antivirus programs
  - Local firewall software can block incoming worms
  (diagram: two hosts, each with Application, Transport, Internet and Interface layers)
Trojan Programs
- Non-self-replicating malware
  - That appears to be a useful program like a game, screen saver, free antivirus, etc.
  - But is actually a backdoor or rootkit that facilitates remote access or a "take over" by a remote hacker
- Once a Trojan horse is installed on a target computer, it can be used to do the following:
  - Keystroke logging
  - Data theft (e.g. passwords, credit card information, etc.)
  - Installing other malware
  - Using the host computer as part of a botnet for spamming or Distributed DoS
  - Deleting or modifying files

Trojan Programs (cont.)
Question: You want to prevent Backdoor.Rtkit.B from communicating with the hacker's computer. What action would you take at the firewall level?
Network & Computer Attacks
Part 2

Denial of Service (DoS)
- Attempt to make computer resources unavailable to legitimate users
  (diagram: workstations on the attacker's home network and several legitimate users' workstations send HTTP requests over the Internet, through a router and hub, to a web server; all workstations use IP spoofing to send HTTP requests to the web server)
- The attacker tries to overload the server by sending a stream of HTTP requests.
- The server needs to use its limited resources (processor, RAM) to respond to each request.
- When overloaded, the server slows down or even crashes.
TCP opening and DoS
  (diagram: Computers 1, 2, 3, ... each complete SYN, SYN/ACK, ACK with the server, which is then "waiting for request from Computer 1", "waiting for request from Computer 2", "waiting for request from Computer 3", ...)
- Typically, the client initiates the connection
- Server can maintain multiple connections
- For each TCP connection request (SYN), the server...
  - Responds to the request (SYN/ACK)
  - Sets resources aside (processor capacity, RAM, bandwidth) in order to respond to each upcoming data request

TCP Connection opening
- TCP connection opening is accomplished as follows (3-way handshake):
  - Client sends a TCP SYN to request a connection
  - Server responds by sending back a TCP SYN/ACK
  - Client responds by sending a TCP ACK
- Some forms of computer attack exploit the 3-way handshake process
  - Example: A client may send a TCP ACK without the first two steps of the 3-way handshake being accomplished (diagram: Attacker sends an ACK to the Victim)
SYN Flood DoS
- Attacker sends a series of TCP SYN opening requests
- For each SYN, the target has to
  - Send back a SYN/ACK segment, and
  - Set aside memory and other resources to respond
- When overwhelmed, the target slows down or even crashes
- SYN flooding takes advantage of client/server workload asymmetry
  (diagram: Attacker sends SYN, SYN, SYN, SYN, SYN, ... to the Victim)
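Added example (not from the slides) for the half-open connection problem described in the TCP opening and SYN flood slides: a Python model of the server-side table that holds an entry for every SYN until the client's ACK arrives, with a fixed backlog standing in for the resources set aside, replayed over a constructed trace. It counts half-open entries per source to flag a flooding source, counts the SYNs refused once the backlog is full (the legitimate users who get turned away) and counts bare ACKs that arrive without a preceding SYN. The trace, addresses, backlog size and threshold are constructed.

```python
"""Server-side half-open connection table under normal handshakes and a SYN flood.

Added example, not part of the original slides. Each trace record is
(src_ip, src_port, flags) for a segment arriving at the server; the server's own
SYN/ACK is implied, as on the slides: every SYN costs a SYN/ACK plus a table
entry that is held until the client's ACK completes the 3-way handshake.
"""
from collections import Counter


class HalfOpenTable:
    def __init__(self, backlog):
        self.backlog = backlog        # resources the server can set aside at once
        self.half_open = {}           # (src_ip, src_port) -> True while awaiting ACK
        self.established = set()
        self.dropped_syns = 0         # SYNs refused because the backlog was full
        self.stray_acks = 0           # ACKs with no preceding SYN (handshake bypass)

    def receive(self, src_ip, src_port, flags):
        key = (src_ip, src_port)
        if flags == {"SYN"}:
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1  # legitimate users are refused here too
                return "dropped"
            self.half_open[key] = True
            return "syn_ack_sent"
        if flags == {"ACK"}:
            if key in self.half_open:
                del self.half_open[key]
                self.established.add(key)
                return "established"
            self.stray_acks += 1
            return "out_of_state"
        return "ignored"


def half_open_by_source(table):
    """Count half-open entries per source address."""
    return Counter(ip for ip, _ in table.half_open)


def syn_flood_sources(table, threshold):
    """Sources holding more than `threshold` half-open entries: the workload
    asymmetry the slide describes, one cheap SYN per entry the server must keep."""
    return sorted(ip for ip, n in half_open_by_source(table).items() if n > threshold)


def replay(trace, backlog=16):
    table = HalfOpenTable(backlog)
    for src_ip, src_port, flags in trace:
        table.receive(src_ip, src_port, set(flags))
    return table


# Constructed trace: one client completing the handshake, one client sending a
# bare ACK, one source sending SYNs from 20 ports and never ACKing, then a
# legitimate SYN that arrives after the backlog is full.
SAMPLE_TRACE = (
    [("198.51.100.7", 50000, ("SYN",)), ("198.51.100.7", 50000, ("ACK",))]
    + [("198.51.100.9", 50001, ("ACK",))]
    + [("203.0.113.5", 40000 + i, ("SYN",)) for i in range(20)]
    + [("198.51.100.8", 50002, ("SYN",))]
)

if __name__ == "__main__":
    t = replay(SAMPLE_TRACE)
    print("half-open:", len(t.half_open), "dropped SYNs:", t.dropped_syns,
          "stray ACKs:", t.stray_acks, "flood sources:", syn_flood_sources(t, 10))
```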
Web Server configuration
Bandwidth Throttling
- Method of ensuring that a bandwidth-intensive device, such as a server...
  - will limit ("throttle") the quantity of data it transmits and/or accepts within a specified period of time
- For web servers, bandwidth throttling...
  - helps limit network congestion and server crashes
- For ISPs, bandwidth throttling...
  - can be used to limit users' speeds across certain applications (such as BitTorrent), or limit upload speeds.
- When the allowed bandwidth is reached, the server will block further connection attempts...
  - By moving them into a queue, or
  - By dropping them
Ping of Death attacks
  (diagram: IP header fields Total Length (16 bits), Flags, Fragment Offset (13 bits))
- Take advantage of
  - The fact that TCP/IP allows large packets to be fragmented
  - Some network applications' and operating systems' inability to handle packets larger than 65536 bytes
- Attacker sends IP packets that are larger than 65,536 bytes through IP fragmentation.
- Ping of death attacks are rare today as most operating systems have been fixed to prevent this type of attack from occurring.
- List of OSs that were vulnerable:
  - http://insecure.org/sploits/ping-o-death.html
- Fix
  - Add checks in the reassembly process of servers
  - Add checks in the firewall to protect hosts whose bug is not fixed
  - Check that the sum of the Total Length fields for a fragmented IP packet is < 65536 bytes or less than the maximum allowed
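Added example (not from the slides), covering both the IP header fields described earlier and the Ping of Death reassembly check: a Python IPv4 header decoder plus a per-fragment bounds check that rejects any fragment whose data would end beyond 65,535 bytes in the reassembled datagram (Fragment Offset × 8 plus the fragment's data length, which is what the slide's "sum of Total Length fields" check is getting at). The fragment bytes, identification numbers and 192.0.2.x addresses are constructed sample values.

```python
"""Decode an IPv4 header and screen fragments for Ping-of-Death sized reassembly.

Added example, not from the original slides. The layout follows the IP Header
slides: Version/IHL, TOS, Total Length, Identification, Flags/Fragment Offset,
TTL, Protocol, Header Checksum, Source and Destination Address, Options.
"""
import struct
from ipaddress import IPv4Address

FIXED_HEADER = "!BBHHHBBH4s4s"  # the 20-byte header without options
# Protocol numbers listed on the slide.
PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 89: "OSPF", 132: "SCTP"}
MAX_DATAGRAM = 65535  # largest size the 16-bit Total Length field can express


def parse_ipv4_header(packet: bytes) -> dict:
    """Return the IPv4 header fields of `packet` as a dict."""
    if len(packet) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack(FIXED_HEADER, packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    header_len = ihl * 4
    if ihl < 5 or header_len > len(packet) or total_length < header_len:
        raise ValueError("inconsistent IHL / Total Length")
    flags = flags_frag >> 13                       # 3 bits: reserved, DF, MF
    return {
        "version": version, "ihl": ihl, "header_len": header_len, "tos": tos,
        "total_length": total_length, "identification": ident,
        "reserved": bool(flags & 0b100), "df": bool(flags & 0b010),
        "mf": bool(flags & 0b001),
        "fragment_offset": flags_frag & 0x1FFF,    # 13 bits, in 8-byte units
        "ttl": ttl, "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "checksum": checksum,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "options": packet[20:header_len],
    }


def reassembled_end(hdr: dict) -> int:
    """Byte position just past this fragment's data in the reassembled datagram."""
    data_len = hdr["total_length"] - hdr["header_len"]
    return hdr["fragment_offset"] * 8 + data_len


def oversized_fragments(packets) -> list:
    """(identification, end) for fragments that would reassemble past 65,535 bytes.

    The reassembly / firewall check the slide proposes, applied per fragment so
    that one bad fragment is enough to drop; no buffer is allocated for it.
    """
    bad = []
    for pkt in packets:
        hdr = parse_ipv4_header(pkt)
        end = reassembled_end(hdr)
        if end > MAX_DATAGRAM:
            bad.append((hdr["identification"], end))
    return bad


def build_fragment(ident, offset_units, mf, payload_len, proto=1):
    """Construct a minimal ICMP-carrying fragment with `payload_len` zero bytes."""
    flags_frag = (0b001 << 13 if mf else 0) | offset_units
    hdr = struct.pack(FIXED_HEADER, 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return hdr + bytes(payload_len)


# Constructed trace: a normal two-fragment ping (id 1) and a lone last fragment
# (id 2) whose offset places its data past the 65,535-byte limit.
SAMPLE_FRAGMENTS = [
    build_fragment(ident=1, offset_units=0, mf=True, payload_len=1480),
    build_fragment(ident=1, offset_units=185, mf=False, payload_len=100),   # ends at 1580
    build_fragment(ident=2, offset_units=8189, mf=False, payload_len=100),  # 65512 + 100
]

if __name__ == "__main__":
    print(oversized_fragments(SAMPLE_FRAGMENTS))   # [(2, 65612)]
```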
Distributed DoS (DDoS) Attack
- Attacker hacks into multiple clients and plants handler programs and zombie programs on them
- Attacker sends attack commands to handlers and zombie programs, which execute the attacks
- First appeared in 2000 with the Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc.
  (diagram: Attacker -> attack command -> Handler -> attack command -> computers with zombies -> DoS messages -> Server)
Buffer Overflow Attack
- Occurs when ill-written programs allow data destined for a memory buffer to overwrite adjacent memory that contains instructions.
- If the data contains malware, the malware could run and create a DoS
- Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD
  (diagram: a program whose instructions are "Accept input", "Run Program" and "Print" has a 3-slot buffer (1, 2, 3) followed by instruction slots (4, 5, 6); after the input is accepted, A, B, C fill the buffer while D, E, F and "LET JOHN IN WITHOUT PASSWORD" spill into the instruction area)
Keyloggers
- Used to capture keystrokes on a computer (hardware or software)
- Software
  - Behaves like Trojan programs
- Hardware
  - Easy to install
  - Goes between the keyboard and the CPU
  - KeyKatcher and KeyGhost

What You Should Know
- What happens in a TCP opening phase?
- Explain how a Ping of Death attack occurs.
- Explain the difference between DoS and DDoS.
- Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?
- What is a Buffer Overflow attack?
- What is a hardware keylogger?
- You also need to understand the 3-way handshake: SYN, SYN/ACK, ACK
Programming For Security Professionals

What You Should Know
- Answer the questions included in the Ch7ReviewQuestions.doc file posted to the Notes section of the course Web site.

Linux Operating System Vulnerabilities

What You Should Know
- Answer the questions included in the Ch9ReviewQuestions.doc file posted to the Notes section of the course Web site.