Transcript Hacking Overview Pres.

COEN 252
Security Threats
Network Based Exploits
Phases of an Attack





Reconnaissance
Scanning
Gaining Access
Expanding Access
Covering Tracks
Reconnaissance

Social Engineering



“I cannot access my email. What do I do?”
Dumpster Diving (especially useful when people
move)
Search the Web




Sam Spade (www.samspade.org/ssw/), CyberKit,
NetScanTools, ...
Search Engine
Usenet postings
Whois
Reconnaissance
Databases
 To research .com , .net, and .org domain
names:InterNIC whois feature:
www.internic.net/whois.html allwhois,
network soultions, ...
 ARIN: American Registry for Interent
Numbers (www.arin.net/whoiis/arinwhois.html)
 RIPE (Europe) www.ripe.net
 APNIC (Asia Pacific) www.apnic.net
Reconnaissance: Scanning
Once we have a target, we need to get to
know it better.
Methods:
 War Dialing (to find out modem access)
 Network Mapping
 Vulnerability Scanning
 War Driving
Scanning: War Dialing
Purpose: Find a modem connection.
 Many users in a company install remote PC software
such as PCAnywhere without setting the software up
correctly.
 War Dialer finds these numbers by going through a
range of phone numbers listening for a modem.
 Demon Dialer tries a brute force password attack on
a found connection.
 Typically: war dialing will find an unsecured
connection.
Scanning: Network Mapping
Ping:
 ping is implemented using the Internet
Control Message Protocol (ICMP) Echo
Request.
 A receiving station answers back to the
sender.
 Used by system administrators to check
status of machines and connections.
Scanning: Network Mapping
Traceroute:
 Pings a system with ICMP echo requests with
varying life spans (= # of hops allowed).
 A system that receives a package with
expired numbers of hops sends an error
message back to sender.
 Traceroute uses this to find the route to a
given system.
 Useful for System Administration
Scanning: Network Mapping
Cheops:
Network Scanner
(UNIX based)
(Uses traceroute and
other tools to map a
network.)
Cheops et Co. are the
reason that firewalls
intercept pings.
Reconnaissance: Port Scans




Applications on a system use ports to
listen for network traffic or send it out.
216 ports available, some for known
services such as http (80), ftp, ...
Port scans send various type of IP
packages to target on different ports.
Reaction tells them whether the port is
open (an application listens).
Reconnaissance: Nmap



Uses different types of packets to check
for open ports.
Can tell from the reaction what OS is
running, including patch levels.
Can run in stealth mode, in which it is
not detected by many firewalls.
Reconnaissance: Webserver
Information Leakage

Most webservers leak information:

HTTP answers


Identify webserver
URLs

Have forms peculiar to certain webservers:

Extensions:
 ASP pages: Probably IIS

“htm”: Probably windows
Format of query string



“http://search.barnesandnoble.com/booksearch/results.asp?WRD=Oxford+history&z=y&cds2Pid=9481”
Cookies
Reconnaissance: Webserver
Information Leakage

Most webservers leak information:

Error Messages



Identify webserver technology by name and version
number.
Sometimes send debug information to browser.
Can be provoked by changing query strings or
asking for non-existing resources.

Sometimes, possible to get a message from the database
engine.
Reconnaissance Prevention

Firewalls can make it very difficult to
scan from the outside.



Drop scan packets.
Patched OS do not have idiosyncratic
behavior that allows OS determination.
IDS can detect internal scans and warn
against them.
Gaining Access


Gain access using application and OS
attacks.
Gain access using network attack.
Gaining Access through Apps and
OS
Stack-Based Overflow Attacks
Stack is the area where function
arguments and return addresses are
saved.
 Password Attacks
 Web Application Attacks

Gaining Access:
Web Application Attacks

The URL not only contains the web
address of a site, but also input:
http://www.google.com/search?hl=en&ie=UTF8&oe=UTF-8&q=web+application+attack

A poorly written webpage allows the
viewer to input data in an uncontrolled
fashion. If the webpage contains SQL,
the user might execute SQL commands.
Gaining Access through Network
Attacks:Sniffing



Sniffer: Gathers traffic from a LAN.
Examples: Snort www.snort.org, Sniffit
reptile.rug.ac.be/~coder/sniffit/sniffit.ht
ml
To gain access to packages, use
spoofed ARP (Address Resolution
Protocol) to reroute traffic.
Gaining Access: Session
Hijacking




IP Address Spoofing: Send out IP
packages with false IP addresses.
If an attacker sits on a link through
which traffic between two sites flows,
the attacker can inject spoofed
packages to “hijack the session”.
Attacker inserts commands into the
connection.
Details omitted.
Exploiting and Maintaining
Address
After successful intrusion, an attacker
should:
 Use other tools to gain root or
administrator privileges.
 Erase traces (e.g. change log entries).
 Take measures to maintain access.
 Erase security holes so that no-one else
can gain illicit access and do something
stupid to wake up the sys. ad.
Maintaining Access: Trojans

A program with an additional, evil
payload.


Running MS Word also reinstalls a
backdoor.
ps does not display the installed sniffer.
Maintaining Access: Backdoors
Bypass normal security measures.
Example: netcat
 Install
netcat on victim with the
GAPING_SECURITY_HOLE option.
C:\ nc -1 –p 12345 –e cmd.sh
 In the future: connect to port 12345
and start typing commands.

Maintaining Access: Backdoors


BO2K (Back Orifice 2000) runs in
stealth mode (you cannot discover it by
looking at the processes tab in the
TASK MANAGER.
Otherwise, it is a remote control
program like pcAnyWhere, that allows
accessing a computer over the net.
Maintaining Access: Backdoors

RootKit:
A backdoor built as a Trojan of system
executables such as ipconfig.

Kernel-Level RootKit:
Changes the OS, not only system
executables.
Covering Tracks:



Altering logs.
Create difficult to find files and
directories.
Covert Channels through Networks:



Loki uses ICMP messages as the carrier.
Use WWW traffic.
Use unused fields in TCP/IP headers.
Hacker Profile

Internal Hacker


Disgruntled employee
Contracted employee



Targets for corporate espionage.
Are not bound by employee policies and
procedures.
Indirectly contracted employee

Perform shared or subcontracted services
Hacker Profile

External Hacker

Recreational Hacker





85% 90% male.
Between 12 and 25.
Highly intelligent low-achiever.
Typically from dysfunctional families.
Professional Hacker



Hackers for hire.
Electronic warfare, corporate espionage.
“Security Consultants”
Hacker Profile

Virus writers1



Teenagers, College Students, Professionals
Drop out of the scene as adults or have social
problems.
Intelligent, educated, male.
Study by Sarah Gordon, IBM, in Beiser, Vince, “Inside the Virus
Hacker Profile

Script Kiddy




Uses scripts of programs written by others
to exploit known vulnerabilities
Goal is bragging rights, defacing web sites
Sweep IP addresses for vulnerability
Typically not explicitly malicious, but can
cause damage inadvertently
Hacker Profile

Dedicated Hacker





Does research.
Knows in and outs of OS, system, auditing
and security tools.
Writes or modifies programs and shell
scripts
Reads security bulletins (CERT, NIST)
Searches the underground.
Hacker Profile

Skilled Hacker




Thorough understanding of system at the
level of Sys Ad or above.
Can read OS source code.
Understands network protocols.
Superhacker


Does not brag or post.
Can enter or bring down any system.
Hacker Motives

Intellectually Motivated

Educational experimentation





“Harmless Fun”


28 year old computer expert diverted 2585 US West
computers to search for a new prime number.
Used 10.63 years of computer time.
Lengthened telephone number lookup to 5 minutes
Almost shut down the Phoenix Service Delivery
Center
Web defacing
Wake-up Call
Hacker Motives

Personally motivated


Disgruntled employee.
Cyber-stalking


E.g. to show of superiority to someone they feel / are
inferior to.
Danger of escalation to physical attack.





A 50-year old security guard used the internet to solicit the
rape of a 28-year old woman who rejected him.
Impersonated her in chat rooms and online bulletins.
Impersonated rape fantasies.
At least six man knocked at her door at night offering to
rape her.
Six years in prison.
Hacker Motives

Socially motivated


Cyber-activism
Politically motivated


Hacking KKK or NAACP websites
Cyber-Terrorism

Threatens serious disruption of the infrastructure






Power
Water
Transportation
Communication
1988: Israeli Virus and logic bomb in Israeli government
computers
Cyber-warfare
Hacker Motives

Financially Motivated

Personal profit.



Damage to the organization.


Two Cisco Systems consultants issued almost $8 M
Cisco stock to themselves.
Accessed a system used to manage stock option
disbursals to find control numbers for forged
authorization forms.
British internet provider, Cloud Nine, went out of
business after crippling series of DOS attacks.
Ego Motivated
Hacker Damage


Releasing Information
Releasing Software






By circumventing copying protection.
Through IP theft
Consuming Unused(?) Resources
Discover and Document Vulnerabilities
Compromise Systems and Increase their
Vulnerabilities
Website Vandalism