Hacking 1

The document discusses the traditional steps a hacker takes to compromise a network which includes reconnaissance to gather information, scanning and enumeration to identify vulnerabilities, gaining access by exploiting a vulnerability, and exploiting the access to steal information or establish continued access; it also provides examples of specific techniques used at each step like social engineering, port scanning, and privilege escalation. The document also outlines defenses network administrators can implement at each step to harden their systems and make hacking more difficult.

Uploaded by

MATHESWARAN P

Hacking & Defense 1

CS 478 /CIS 678 Network Security


Dr. Susan Lincke
Network Security
Hacking & Defense Part 1
Text:
• Computer Security: Principles and Practice, W Stallings, L Brown
• Chapter 12 Operating System Security

Objectives:
The student should be able to:
• Define traceroute, ping sweep, port scanning, fingerprinting, man-in-the-middle, spoofing, directory traversal, SQL injection, Nessus, nmap, native virtualization, hosted virtualization
• List 3 attacks and countermeasures for each of the hacking steps: 1) Footprint, 2) Scan/Enumerate, 3) Gain Access, and 4) Exploit (3 attacks only)
• Describe the 3 major steps of hardening a computer. Explain the reason and methods of each of the steps.

Class Time:
Lecture:
• Hacking 1 hour
• General Controls 1/2 hour
• Lab 1: Footprinting 1 hour
Total: 2.5 hours
The Problem of Network Security
The Internet allows an attacker to attack from anywhere in the world from their home desk.

They just need to find one vulnerability: a security analyst needs to close every vulnerability.
Traditional Hacking
The traditional way to break into a bank/museum/store include:
1. Reconnaissance or Footprint:
– When are the worst guards off duty?
– When are there fewest people?
– What is the lingo?
2. Scan & Enumerate:
– Where are the goods? Is there a back door?
– Who is the person to contact for social engineering?
3. Gain Access:
– Break in
4. Exploit:
– Dig tunnel to have continual access
– Find out needed information: payment card or company secrets
– Establish good social engineering relationship to access further info.
Traditional Network Hacking
The traditional steps to hack into a system include:
1. Reconnaissance: Get a big picture of what the network is
1b. Initial break-in: Social Engineering: Phishing: establish a base residence to…
2. Scan & Enumerate: Identify reachable hosts, services, OS/service versions
3. Gain Access: Break in
3b. Establish persistence, hide tracks, escalate privileges
4. Exploit: Obtain information: payment card or corporate info; continual access
Stages of a Cyber-Operation
Target Identification
• Opportunistic Attack: focuses on any easy-to-break-into site
• Targeted Attack: specific victim in mind
• Searches for a vulnerability that will work.
Hacking Networks
Phase 1: Reconnaissance / Footprint
• Physical Break-In
• Dumpster Diving
• Google, Newsgroups, Web sites
• WhoIs Database & Sam Spade
• Social Engineering
• Domain Name Server Interrogations
• Shoulder surfing

Sample whois record shown on the slide:
Registrant:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
US
Domain name: MICROSOFT.COM
Administrative Contact:
Administrator, Domain [email protected]
One Microsoft Way
Redmond, WA 98052
US
+1.4258828080
Technical Contact:
Hostmaster, MSN [email protected]
One Microsoft Way
Redmond, WA 98052 US
+1.4258828080
Registration Service Provider:
DBMS VeriSign, [email protected]
800-579-2848 x4
Please contact DBMS VeriSign for domain updates, DNS/Nameserver changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 27-Aug-2006.
Record expires on 03-May-2014.
Record created on 02-May-1991.
Domain servers in listed order:
NS3.MSFT.NET 213.199.144.151
NS1.MSFT.NET 207.68.160.190
NS4.MSFT.NET 207.46.66.126
NS2.MSFT.NET 65.54.240.126
NS5.MSFT.NET 65.55.238.126

Social engineering example from the slide: “Hi Ann, This is Tom, the Admin. We are having a bad problem. What is your password?”
Reconnaissance / Footprinting
Footprinting: Gather information about target. Stages include:
• Determine scope of activity: What is out there & what does the hacker hope to accomplish?
• Search company web pages: locations, subsidiaries, contact names, phone numbers, email, privacy or security policies, links to organization’s other web servers.
• Monitor HTML comment tags not publicly shown
• Perform open-source searches for info on target: news, press releases
• www.sec.gov EDGAR database lists publicly traded companies: recently-listed or recently-acquired companies are often vulnerable
• Network Enumeration: Discover networks attached to the domains
• Obtain information from whois databases
• Identify domain names: ms.com and Microsoft.com
• Network Reconnaissance: Learn network topology via DNS interrogation and network commands (e.g., traceroute)
Network Reconnaissance
Network Reconnaissance: Learn network topology
• DNS: Domain Name Server maps IP addresses to hostnames and vice versa
– DNS Interrogation: Learn location of web, email, firewall servers
– Zone transfers dump the contents of the DNS database to a secondary site (intention: backup site)
DNS Lookup Command: nslookup
$ nslookup
set type=any
ls -d Tellurian.net. >> /tmp/store
ce 1D IN CNAME Aesop
au 1D IN A 192.168.230.4
   1D IN TXT “Location: Library”
   1D IN RP jcoy.erebus jcoy.who
   1D IN MX 0 tellurianadmin-smtp

Above we are asking the Tellurian.net DNS server to list all records for the domain (the ls command requests a zone transfer). Record types seen:
• HINFO: Identifies platform/OS
• MX: Mail Exchange (Email server)
• A: Internet Address
DNS Controls
To Guard Security:
• Don’t give away information!
• Exclude internal network information in external name servers
• Eliminate HINFO records from name servers
• Prevent or restrict zone transfers to authorized machines/users
• Restrict access to internal DNS from outside
• Disable inbound connections to TCP port 53: TCP zone transfer,
UDP name lookups
• UDP name lookups sent as TCP requests when > 512 bytes
• Log inbound connections to port 53 to track potential attacks
Reconnaissance:
Traceroute
Traceroute: Provides list of routers between source and destination
To run:
• [bash]$ traceroute cs.uwp.edu
• [DOS]: tracert
• Traceroute can be run from multiple locations to learn multiple entry points into network
• How traceroute operates:
– Traceroute uses ICMP_TIME_EXCEEDED messages
– Windows: Uses ICMP echo request packet
– UNIX: uses UDP or ICMP with -I option

To Guard Security:
• Do not permit pings from outside the network
• Block ICMP and UDP at network edge (firewall or router)
• Note: Blocking only ICMP or UDP may allow access, since both may be used
• Detect attacks
• Use IDS systems to detect traceroute requests
• www.snort.org: Free IDS program detects these
• RotoRouter: www.ussrback.com/UNIX/loggers/rr.c.gz: generates fake responses to traceroutes.
Reconnaissance:
Whois & Initial Break-in
Whois provides information on:
• Registrar: Sponsoring company
• Organizational/Point of contact: Contact information
Whois databases include:
• www.whois.com

Guard Security by:
• Posting fictitious name in whois database
• Keep contact information, contact registration in registry up-to-date
• Ensure secure access to registry (AOL was defrauded in 1998)
• Guard personnel books
Initial Break-in:
1b: Social Engineering Attacks
Social Engineering: break into company via human interface – via phone or email
• Poses as a trusted user, manager, admin
Phishing: sending an email pretending to be someone else
Water Hole: Infected website infects visitors.
Shoulder surfing: Reads terminal info by looking over someone’s shoulder
• Reading login/passwords or other confidential info
Tailgating: Passing an ID check point by walking out of view of the guard with others
Goal: Establish a hold internal to the network
• Launch attacks from internal network
1b: Initial Break-in:
Virus/Worm
• Virus: Code that causes a copy of itself to be inserted into one or more programs.
• Worm: Independent program which replicates itself and sends copies from computer to computer across network connections. Upon arrival the worm may be activated to replicate.
• Total Losses, 2005 Est: $42,787,767
(Slide diagram: a worm reads the victim’s email list and mails copies of itself “To Joe”, “To Ann”, “To Jill”.)
Hacking Networks
Phase 2: Scanning & Enumeration
After successful phishing attack, can install network scanner
• Where is data? Company trade secrets? Point of sale machines?

Scanning
• Host Scanning: Which IP addresses are valid?
• Network Scanning: How is the network routing system organized?
• Port Scanning: Which services are running on which ports?
Enumeration
• Fingerprinting: Which software versions are running on different sockets?
– Active fingerprinting: Send specific messages & observe replies
– Passive fingerprinting: Observe patterns in IP packets
– Stealth scanning: Slow scanning stays under the intrusion detection radar screen
2: Hacking Networks: Scanning &
Enumeration: Scanning Tools
• War Driving: NetStumbler
• War Dialing: Dialing numbers looking for
modems
• Network Mapping: Nmap
• Vulnerability-Scanning Tools: Nessus
2: IP/ICMP Scanning
Ping Sweep (Nmap)
Which hosts exist?
SRC: 192.168.0.35 sends pings to a range of destinations (DEST):
Ping-> 124.223.0.22
Ping-> 124.223.0.25
<-Ping Reply 124.223.0.25
Ping-> 124.223.0.34
Ping-> 124.223.0.38
Ping-> 124.223.0.28

Windump Output:
• 15:19:42.744527 IP 192.168.0.4 > 192.168.0.5: icmp 1480: echo request seq 7168
• 15:19:42.748241 IP 192.168.0.5 > 192.168.0.4: icmp 1480: echo reply seq 7168
2: Which ports exist?
Initiate a TCP connection (three-way handshake):
SYN ->
<- SYN,ACK
ACK ->

Windump of an established connection:
• 14:54:50.191132 IP 192.168.0.4.1226 > 192.168.0.5.23: S 262694098:262694098(0) win 16384 (DF)
• 14:54:50.192200 IP 192.168.0.5.23 > 192.168.0.4.1226: S 116356462:116356462(0) ack 262694099 win 17520 (DF)
• 14:54:50.192249 IP 192.168.0.4.1226 > 192.168.0.5.23: . ack 1 win 17520 (DF)
TCP/UDP Port Scanning (NMAP)
16:05:30.167 IP 10.1.1.179 > 10.1.1.1: icmp 8: echo request seq 21868
16:05:30.722 IP 10.1.1.179.51637 > 10.1.1.1.80: . ack 4061861214 win 1024
16:05:30.380 IP 10.1.1.1 > 10.1.1.179: icmp 8: echo reply seq 21868
16:05:30.126 IP 10.1.1.1.80 > 10.1.1.179.51637: R 4061861214:4061861214(0) win 0
16:05:30.181 arp who-has 10.1.1.2 tell 10.1.1.179
16:05:30.160 arp reply 10.1.1.2 is-at 00:14:1c:cb:7e:40
16:05:30.194 IP 10.1.1.179.51637 > 10.1.1.2.80: . ack 2891650718 win 4096
16:05:30.651 IP 10.1.1.2.80 > 10.1.1.179.51637: R 2891650718:2891650718(0) win 0
16:05:30.387 IP 10.1.1.179.51614 > 10.1.1.1.80: S 1057455211:1057455211(0) win 3072
16:05:30.590 IP 10.1.1.179.51614 > 10.1.1.2.80: S 1057455211:1057455211(0) win 2048
16:05:30.723 IP 10.1.1.179.51614 > 10.1.1.3.80: S 1057455211:1057455211(0) win 2048
16:05:30.837 IP 10.1.1.179.51614 > 10.1.1.1.1723: S 1057455211:1057455211(0) win 4096
16:05:30.210 IP 10.1.1.3.80 > 10.1.1.179.51614: S 1929989182:1929989182(0) ack 1057455212 win 5840 <mss 1460>
16:05:30.145 IP 10.1.1.179.51614 > 10.1.1.3.80: R 1057455212:1057455212(0) win 0
16:05:30.371 IP 10.1.1.2.80 > 10.1.1.179.51614: S 210104500:210104500(0) ack 1057455212 win 4128 <mss 536>
16:05:30.723 IP 10.1.1.1.80 > 10.1.1.179.51614: S 2750234221:2750234221(0) ack 1057455212 win 4128 <mss 536>
16:05:30.744 IP 10.1.1.179.51614 > 10.1.1.1.80: R 1057455212:1057455212(0) win 0
16:05:30.810 IP 10.1.1.1.1723 > 10.1.1.179.51614: R 0:0(0) ack 1057455212 win 0
NMAP Results:
Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2006-07-27 16:05 Central Daylight Time

Interesting ports on MainRouter.cybersec.cs.uwp.edu (10.1.1.1):
(The 1659 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
443/tcp open https
MAC Address: 00:14:69:3A:FE:F6 (Unknown)

Interesting ports on MainSwitch.cybersec.cs.uwp.edu (10.1.1.2):
(The 1661 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
MAC Address: 00:14:1C:CB:7E:40 (Unknown)

Interesting ports on sholmes.cybersec.cs.uwp.edu (10.1.1.3):
(The 1647 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
113/tcp open auth
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
548/tcp open afpovertcp
631/tcp open ipp
644/tcp open unknown
668/tcp open unknown
993/tcp open imaps
2049/tcp open nfs
3128/tcp open squid-http
MAC Address: 00:0E:A6:5C:E1:67 (Asustek Computer)

Nmap finished: 3 IP addresses (3 hosts up) scanned in 2.360 seconds
Scan Types
• TCP connect scan: Performs 3-way handshake
• TCP SYN: SYN -> SYN/ACK
• TCP FIN: FIN -> RST (UNIX)
• TCP XmasTree scan: FIN/URG/PUSH -> RST
• TCP Null: no flags -> RST
• TCP ACK: ACK -> Is firewall stateful?
• TCP Windows: Identify system via window size reporting
• TCP RPC: Identify RPC ports, program names and version numbers
• UDP Scan: If inactive -> ICMP port unreachable
Scanner - Controls
To Guard Security:
• Detect attack
• Detect ping sweeps and incoming ICMP traffic for port scans via
IDS/IPS
• Identify attacker and possible time of attack
• Prevent attacks
• Filter all incoming sessions from ports except those that are
expressly permitted
• Filter traffic from attack source IP addresses
• Filter all ICMP traffic or
– Filter ICMP TIMESTAMP and ADDRESS MASK packet requests
• Minimal: Allow ECHO_REPLY, HOST_UNREACHABLE,
TIME_EXCEEDED into demilitarized zone (DMZ)
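The detection the controls above call for, as an added example (not part of the course material): a small Python detector that reads windump/tcpdump lines in the format of the port-scanning capture on the earlier slide, aggregates them per source host, and reports ping sweeps and half-open SYN scans. The sample capture reuses lines from that slide plus two constructed echo requests; the thresholds and function names are assumptions.

```python
"""Detect ping sweeps and half-open (SYN) port scans in windump/tcpdump text."""
import re
from collections import defaultdict

# windump/tcpdump lines: "<ts> IP <src[.port]> > <dst[.port]>: <rest>"
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

# Lines copied from the scanning slide; the last two echo requests are constructed.
SAMPLE_CAPTURE = """\
16:05:30.167 IP 10.1.1.179 > 10.1.1.1: icmp 8: echo request seq 21868
16:05:30.380 IP 10.1.1.1 > 10.1.1.179: icmp 8: echo reply seq 21868
16:05:30.181 arp who-has 10.1.1.2 tell 10.1.1.179
16:05:30.387 IP 10.1.1.179.51614 > 10.1.1.1.80: S 1057455211:1057455211(0) win 3072
16:05:30.590 IP 10.1.1.179.51614 > 10.1.1.2.80: S 1057455211:1057455211(0) win 2048
16:05:30.723 IP 10.1.1.179.51614 > 10.1.1.3.80: S 1057455211:1057455211(0) win 2048
16:05:30.837 IP 10.1.1.179.51614 > 10.1.1.1.1723: S 1057455211:1057455211(0) win 4096
16:05:30.210 IP 10.1.1.3.80 > 10.1.1.179.51614: S 1929989182:1929989182(0) ack 1057455212 win 5840 <mss 1460>
16:05:30.145 IP 10.1.1.179.51614 > 10.1.1.3.80: R 1057455212:1057455212(0) win 0
16:05:30.723 IP 10.1.1.1.80 > 10.1.1.179.51614: S 2750234221:2750234221(0) ack 1057455212 win 4128 <mss 536>
16:05:30.744 IP 10.1.1.179.51614 > 10.1.1.1.80: R 1057455212:1057455212(0) win 0
16:05:30.810 IP 10.1.1.1.1723 > 10.1.1.179.51614: R 0:0(0) ack 1057455212 win 0
16:05:31.001 IP 10.1.1.179 > 10.1.1.2: icmp 8: echo request seq 21869
16:05:31.002 IP 10.1.1.179 > 10.1.1.3: icmp 8: echo request seq 21870
"""


def split_endpoint(ep):
    """'10.1.1.179.51614' -> ('10.1.1.179', 51614); a bare IP -> (ip, None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def parse_line(line):
    """Return (src, dst, dst_port, proto, flags, has_ack) or None for non-IP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                       # e.g. arp lines
    src, _ = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    rest = m.group("rest")
    tokens = rest.split()
    if tokens[0].startswith("icmp"):
        kind = "echo request" if "echo request" in rest else "other"
        return src, dst, None, "icmp", kind, False
    # classic tcpdump flag field: S, ., R, F, P, or combinations such as FP
    return src, dst, dport, "tcp", tokens[0], "ack" in tokens


def analyze(lines, ping_threshold=3, syn_threshold=3):
    """Per-source aggregation; returns {src_ip: [finding, ...]} for suspicious hosts."""
    echo_targets = defaultdict(set)   # src -> hosts it sent echo requests to
    syn_targets = defaultdict(set)    # src -> (host, port) it sent bare SYNs to
    half_open = defaultdict(int)      # src -> RSTs it sent to its own SYN targets
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, proto, flags, has_ack = rec
        if proto == "icmp" and flags == "echo request":
            echo_targets[src].add(dst)
        elif proto == "tcp" and flags == "S" and not has_ack:
            syn_targets[src].add((dst, dport))          # SYN without ACK: a probe
        elif proto == "tcp" and flags == "R" and (dst, dport) in syn_targets.get(src, ()):
            half_open[src] += 1                         # scanner tore the handshake down
    findings = {}
    for src in list(echo_targets) + [s for s in syn_targets if s not in echo_targets]:
        notes = []
        if len(echo_targets.get(src, ())) >= ping_threshold:
            notes.append("ping sweep: %d hosts" % len(echo_targets[src]))
        if len(syn_targets.get(src, ())) >= syn_threshold:
            notes.append("SYN scan: %d host/port targets, %d half-open resets"
                         % (len(syn_targets[src]), half_open[src]))
        if notes:
            findings[src] = notes
    return findings


def scan_report():
    """Run the detector over the sample capture."""
    return analyze(SAMPLE_CAPTURE.splitlines())


if __name__ == "__main__":
    for host, notes in scan_report().items():
        print(host, "->", "; ".join(notes))
```

A SYN/ACK from a target is also printed with flag S, so the detector keys on "S without ack" to count only the scanner's probes; the RST the scanner sends after a SYN/ACK is the half-open signature that a connect() scan would not leave.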
2: Enumeration => Fingerprinting:
Identifying the system software
Active Stack Fingerprinting: Send messages to determine versions of system software
• Stack Fingerprinting: Identify host OS.
• Banner Grabbing: Identify applications (including version if possible)
• Identify host OS version: FIN probe, Bogus Flag probe, Initial Sequence Number sampling, Don’t fragment bit monitoring, TCP initial window size, ACK value, ICMP message reactions, etc.
Passive Stack Fingerprinting: Monitors network traffic to determine OS type/version
• Tool: Siphon
• TTL: What is initial Time To Live value?
• Window Size: What is the default window size?
• DF: Is the Don’t Fragment flag set?
Scanning & Enumeration:
Which services exist? Nessus

epmap (135/tcp)
The remote host is running a version of Windows which has a flaw in its RPC interface, which may allow an attacker to execute arbitrary code and gain SYSTEM privileges.

An attacker or a worm could use it to gain the control of this host.

Note that this is NOT the same bug as the one described in MS03-026 which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx

Risk factor : High
CVE : CAN-2003-0715, CAN-2003-0528, CAN-2003-0605
BID : 8458
Other references : IAVA:2003-A-0012
Plugin ID : 11835
Nessus
unknown (5900/tcp)

The remote server is running VNC.
VNC permits a console to be displayed remotely.
Solution: Disable VNC access from the network by using a firewall, or stop VNC service if not needed.

Risk factor : Medium
Plugin ID : 10342

Version of VNC Protocol is: RFB 003.008
Plugin ID : 10342

Port is open
Plugin ID : 11219
Enumeration Tools
Port scanners and Enumeration Tools include:
• Nmap or Network Mapper: TCP/UDP, decoy or bogus scans
supported to complicate IDS detection
• Scanners & Probes: Nessus, OpenVAS, Greenbone Security
Assistant, Inprotect, Nmap, THC-Amap, THC-Vmap, NBTScan,
nmbscan, AuditMyPc.com, Gibson Research Corporation (Shields
Up), Security Auditor's Research Assistant (SARA)
• Unix scanners: Samba: Smbclient, Nmblookup, Rpcclient, Rpcinfo,
showmount, R-tools…
• Wireless tools: NetStumbler, AiroPeek, Wellenreiter, Kismet
• War Dialers: ToneLoc, THC-Scan, Shokdial
• Netcat or nc: TCP & UDP port scanning, verbose options
• NetScan: axfr, whois, ping sweeps, NetBIOS name table scans,
SNMP walks, etc.
Enumeration Controls
To Guard Security:
• Evaluate computer from the inside
• Enumeration tools help the administrator to determine
available services and evaluate vulnerabilities
– MS Baseline Security Analyzer (MBSA)
– NESSUS
• Evaluate computer from the outside
• Scan to find unnecessary services from outside FW
– Can use nmap or www.grc.com (LeakTest) to scan your own machine
or network
• Disable all unnecessary services
– UNIX: comment out unnecessary services in /etc/inetd.conf
– WINDOWS: Disable services via Control Panel/Services
Hacking Networks:
Phase 3: Gaining Access
Network Attacks:
• Sniffing
• Spoofing
• Session Hijacking
• Man in the middle
• Replay
• DDOS
System Attacks:
• Buffer Overflow
• Password Cracking
• SQL Injection
• Web Protocol Abuse
• Denial of Service
• Spyware (obtain passwords)

(Slide diagram: sniffed cleartext credentials “Login: Ginger Password: Snap”)
3. Gaining Access:
System Attacks…
Buffer Overflows
• Overflowing input buffers to corrupt system stack and cause code execution with intention of gaining access.
• Requires zero privilege
• Can exploit any node.
Directory Traversal
• Using www.cs.uwp.edu/../../cmd.exe
Password Attacks:
• Automatically guessing passwords
SQL Injection
3. Gaining Access:
Network Attacks
• Distributed Denial of Service: Zombies attack one victim.
• Spoofing: Pretending to be another network node (e.g., IP,
MAC, email spoofing)
• Man in the Middle: Insert oneself between two
communicating nodes: a form of spoofing
• Sniffing or Eavesdropping: e.g., Wireshark
• Replay: Capture a packet and resend it
• DNS Poisoning: Giving DNS false addresses; providing false
information: e.g., ARP poisoning
• Session Hijacking: Generating fake packets to alter
communication between two points
Analyzing Protocols: ARP
ARP Sequence between 192.168.0.4 and 192.168.0.5:
192.168.0.4 -> broadcast: ARP Request
192.168.0.5 -> 192.168.0.4: ARP Reply

Windump Output:
• 14:54:50.190823 arp who-has 192.168.0.5 tell 192.168.0.4
• 14:54:50.191108 arp reply 192.168.0.5 is-at 0:90:27:1c:50:d0
ARP: Man-in-the-Middle Attack
(Slide diagram with hosts 1.1.1.1, 1.1.1.2 and 1.1.1.3:)
(1) 1.1.1.3 broadcasts “ARP 1.1.1.1?”; both 1.1.1.1 and 1.1.1.2 receive it
(2) 1.1.1.2 answers first: “ARP 1.1.1.1!”
(3) 1.1.1.1 answers: “ARP 1.1.1.1!”
ARP: Man-in-the-Middle Attack
(Slide diagram, same hosts; 1.1.1.2 now sits between 1.1.1.3 and 1.1.1.1 and relays the login:)
(1) Login: 1.1.1.3 -> 1.1.1.2
(2) Login: 1.1.1.2 -> 1.1.1.1
(3) Password: 1.1.1.3 -> 1.1.1.2
(4) Password: 1.1.1.2 -> 1.1.1.1
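Detecting the ARP man-in-the-middle shown above from the wire, as an added example (not part of the course material): a Python detector over windump-style “arp reply” lines that keeps an IP-to-MAC table and raises an alert when one IP is claimed by two MACs, or one MAC claims two IPs. The capture is constructed to reproduce the slide’s 1.1.1.x scenario; the MAC addresses and function names are made up for the example.

```python
"""Flag ARP cache-poisoning (man-in-the-middle) from tcpdump/windump 'arp reply' lines."""
import re

ARP_REPLY_RE = re.compile(r"^(?P<ts>\S+) arp reply (?P<ip>\S+) is-at (?P<mac>[0-9a-fA-F:]+)$")

# Constructed capture: the slide's 192.168.0.x exchange, then the 1.1.1.x scenario
# where 1.1.1.2 answers for 1.1.1.1 before the real host does. MACs are invented.
SAMPLE_ARP = """\
14:54:50.190823 arp who-has 192.168.0.5 tell 192.168.0.4
14:54:50.191108 arp reply 192.168.0.5 is-at 0:90:27:1c:50:d0
14:55:01.000100 arp who-has 1.1.1.1 tell 1.1.1.3
14:55:01.000200 arp reply 1.1.1.1 is-at 00:00:00:aa:aa:02
14:55:01.000350 arp reply 1.1.1.1 is-at 00:00:00:aa:aa:01
14:55:02.000000 arp reply 1.1.1.2 is-at 00:00:00:aa:aa:02
"""


def normalize_mac(mac):
    """tcpdump prints '0:90:27:1c:50:d0'; pad each octet so comparisons are stable."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def analyze_arp(lines):
    """Return (ip_to_macs, alerts).

    ip_to_macs maps each IP to the ordered list of distinct MACs that claimed it.
    alerts holds one message per IP claimed by several MACs (a second host
    answering as 1.1.1.1) and per MAC claiming several IPs (the relay answering
    both as itself and as the impersonated host).
    """
    ip_to_macs = {}
    mac_to_ips = {}
    for line in lines:
        m = ARP_REPLY_RE.match(line.strip())
        if not m:
            continue                      # requests and non-ARP lines carry no binding
        ip, mac = m.group("ip"), normalize_mac(m.group("mac"))
        if mac not in ip_to_macs.setdefault(ip, []):
            ip_to_macs[ip].append(mac)
        if ip not in mac_to_ips.setdefault(mac, []):
            mac_to_ips[mac].append(ip)
    alerts = []
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            alerts.append("%s claimed by multiple MACs: %s" % (ip, ", ".join(macs)))
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append("%s claims multiple IPs: %s" % (mac, ", ".join(ips)))
    return ip_to_macs, alerts


def arp_report():
    """Run the detector over the constructed capture."""
    return analyze_arp(SAMPLE_ARP.splitlines())


if __name__ == "__main__":
    table, alerts = arp_report()
    for ip, macs in table.items():
        print(ip, "->", macs)
    for alert in alerts:
        print("ALERT:", alert)
```

A legitimate change (a replaced NIC, a DHCP lease moving to another machine) trips the same rule, so treat the alert as something to verify against the inventory rather than as proof of attack.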
Spoofing
• DNS Spoofing: Attacker provides DNS reply before the real DNS server
• MAC Address Spoofing: Impersonate another terminal to gain access
• IP Address Spoofing: Send Receive-Window = 0 or Session Hijacking
• Phishing: Sending an email or providing a web page, pretending you are someone else but using your IP address
• May not receive any replies…
(Slide diagram: Joe tells the Router/AP “I am John…”; any replies go to John.)
Man-In-The-Middle Attack
(Slide diagram: the Victim sends its Login to a Trojan AP or Rogue Access Point, which forwards the Login to the Real AP. The rogue AP also implements SPOOFING.)
SQL Injection
• Java Original: "SELECT * FROM users_table WHERE username=" + "'" + username + "'" + " AND password = " + "'" + password + "'";
• Inserted Password: Aa' OR ''='
• Java Result: "SELECT * FROM users_table WHERE username='anyname' AND password = 'Aa' OR ' ' = ' ';
(Slide diagram: the login form shows “Welcome to My System”)
• Inserted Password: foo';DELETE FROM users_table WHERE username LIKE '%
• Java Result: "SELECT * FROM users_table WHERE username='anyname' AND password = 'foo'; DELETE FROM users_table WHERE username LIKE '%'
• Inserted entry: '|shell("cmd /c echo " & char(124) & "format c:")|'
(Slide diagram: Login: / Password: form)
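The slide’s first injection reproduced in Python with sqlite3, beside the fix, as an added example (not the course’s own code): the vulnerable function builds the query by string concatenation exactly like the slide’s Java original, while the safe function uses a parameterized query so the quote in the password is treated as data. The users and passwords are constructed (reusing the “Ginger”/“Snap” pair from the sniffing slide); a real system would store password hashes, not cleartext.

```python
"""SQL injection: the slide's concatenated query versus a parameterized query."""
import sqlite3


def build_vulnerable_query(username, password):
    """Mirror of the slide's Java concatenation; returns the SQL text that would run."""
    return ("SELECT * FROM users_table WHERE username=" + "'" + username + "'"
            + " AND password = " + "'" + password + "'")


def make_db():
    """In-memory users_table with constructed rows (cleartext only to match the slide)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users_table VALUES (?, ?)",
                     [("ginger", "snap"), ("admin", "correct-horse")])
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Accepts the login if the concatenated query returns any row at all."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def safe_login(conn, username, password):
    """Parameterized query: the driver sends the values separately from the SQL text."""
    row = conn.execute(
        "SELECT * FROM users_table WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row is not None


def demo():
    """Run both versions against the slide's payloads; returns a results dict."""
    conn = make_db()
    bypass = "Aa' OR ''='"            # the slide's first inserted password
    stacked = "foo';DELETE FROM users_table WHERE username LIKE '%"
    results = {
        # "anyname" is not a user, yet the OR ''='' clause makes the WHERE true for every row
        "vulnerable_bypass": vulnerable_login(conn, "anyname", bypass),
        "safe_bypass": safe_login(conn, "anyname", bypass),
        "safe_real": safe_login(conn, "ginger", "snap"),
        "bypass_sql": build_vulnerable_query("anyname", bypass),
        # Only the text is built here: Python's sqlite3 execute() refuses a second
        # statement, but drivers that allow stacked statements would run the DELETE.
        "stacked_sql": build_vulnerable_query("anyname", stacked),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```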
Hacking Networks:
3b: Gain Access: Persistence
Hide Presence/Establish Persistence/Exploit
• Backdoor: Hidden entrance
• Trojan Horse: Undesirable feature: e.g., log keystrokes, access data
• User-Level Rootkit: Replaces system executables: e.g. login, ls, du
• Kernel-Level Rootkit: Replaces OS kernel: e.g. process or file control to hide
• Bots: Slave forwards/performs commands; spreads, DOS attacks
• Spyware/Adware: Collect info, list email addrs, insert ads, filter search results
3b: Gaining Access: Persistence
Establish Persistence/Hide Presence
Escalation of Privileges:
• Password Guessing
• Keystroke Logger: Learn passwords
• Exploit known vulnerabilities of software
• Session Hijacking: Take over existing session
After Break-In:
• Create backdoors for reentry
• Weaken security
• Hide tracks: Delete logs
Gaining Access:
Auditing Checks
Auditing Checks:
• Be careful of false positives and false negatives!
• Slow responses can result in negative (wrong) conclusion
• Vulnerabilities may be eligible only if combined with a particular
version of OS
• Vulnerability tests can have bugs
• A vulnerability may exist – but the context may not exist for the
application
• Specific network h/w may impact test (e.g., load balancing, firewall
proxies)
Therefore:
• Use two tools to test!
• Determine if vulnerability exist in context of OS, applications, etc.
• Treat information as confidential
Exploit:
•Exfiltrate data: corporate secrets, payment card info
•Launch DOS/DDOS attacks
•Web defacement
•Establish continual access

STAGE 4: EXPLOIT
Distributed Denial of Service
(Slide diagram: Attacker -> Handler -> Zombies (in N. Korea, Russia, United States) -> Victim)
• SYN Flood
• Smurf Attack (Pings)
DNS Amplification Attacks
• Use packets directed at a legitimate DNS server as the intermediary system
• Attacker creates a series of DNS requests containing the spoofed source address of the target system
• Exploit DNS behavior to convert a small request to a much larger response (amplification)
• Target is flooded with responses
• Basic defense against this attack is to prevent the use of spoofed source addresses
A Few…. GENERAL CONTROLS
Key security mechanisms
• Maximize software security
– Patch OS, applications, 3rd Party applications with auto-update
– Configure security settings carefully
• Restrict access
– Restrict admin privileges
– Disable unnecessary accounts
– Password controls
• Restrict number of services
– White-list approved applications
– Uninstall or disable unnecessary services
Plan to Maximize Security
Design security into the system
• Security in Requirements
• Authentication & Access Control
• Configure properly first time
Careful administration
• Logs, synchronized clocks
• Local/remote management
Hardening a Computer
Carefully install OS/App
•Install, patch in a protected network
•Anti-virus, firewall, IDS/IPS
•Auto-update patches
Minimize access to services
•Remove unnecessary services
•Configure access permissions: users
& groups
•Secure boot process
Test the system
•Outside & Inside
Install Additional Security Controls
• Anti-virus software
– Also for smart-phones
• IDS/IPS: traffic monitoring, file integrity checking
(tripwire)
• Firewall: Can restrict input to certain ports, or
protocols
• Check for rogue machines, systems
• Whitelist applications (if possible)
– Only certain set of executables may run
Remove Unnecessary Services
• If every app has 1 vulnerability, then fewer apps are better
• Remove unnecessary services
– Customize installation
– Remove OS services and capabilities
– Balance between usability & security
– Remove, don’t disable
• Restrict account access
– Restrict default accounts
– Change default passwords
• Minimize access to existing services
– Restrict elevated privileges
– Use elevated privileges minimally
– Log privileged actions
Securing Applications
• Install in protected network
• Limit permissions
– Web application should have minimal permissions
– Permissions can be increased for certain actions
– Set file permissions for administrator versus web user
• UNIX Chroot jail limits file system access
• Set security settings: logs, account lockout,
password, banners
• Add controls as necessary: Encryption, digital
certificate
Security Maintenance
• Monitor log information
– Detective technique catches after-the-fact
– System, network, application
– Allocate sufficient space, best off-line
• Perform regular backups
– Archive: retain copies of data over time
– Off-site storage works for fires, disasters, on-site thief
• Regularly test system security
– Automate: daily tests, hourly, every 10 minutes
• Patch & update critical software
• Recover from Security compromises
Virtual Machine
(Slide diagram, two stacks:)
Native Virtualization: Apps run on Guest OSes, which run on the Hypervisor/VMM, which runs directly on the Physical Hardware. Preferred for servers.
Hosted Virtualization: Apps run on Guest OSes, which run on the Hypervisor/VMM (with a Virtual Disk), which runs on a Host OS on the Physical Hardware. Common in clients.
Virtual Machine Security
• Plan for security: Each VM is one isolated
function
• Secure host system, hypervisor, guest OSes,
guest applications
• Restrict administrator access to the virtualized
solution
From: Hacking Exposed: Network Security Secrets & Solutions

A Few…. SPECIFIC APPLICATIONS
ONLY LET IN SPECIFICALLY PERMITTED APPLICATIONS
WHY ARE SOME PORTS IMPORTANT TO CLOSE?
Firewall Recommendations:
Default Deny (for both In Rules and Out Rules)
Default Deny: Deny all IP/Port addresses, except those specifically allowed
Default Accept: Accept all IP/Port addresses, except those specifically denied
Network Protocols
TFTP TCP/UDP Port 69
• Simple file transfer protocol that sends in cleartext
• Lacks any authentication mechanism
[root$] tftp 192.168.202.34
Tftp> connect 192.168.202.34
Tftp> get /etc/passwd /tmp/crackpasswd
Tftp> quit
Countermeasures:
• Avoid tftp altogether
• Block TCP/UDP port 69 at firewall
• Limit access to the /tftpboot directory

Simple Network Management Protocol (SNMP) UDP 161
• Collects information from the network – and may give it away too.
• Can provide usernames, OS version, share names/paths, running services, etc.
Countermeasures:
• Block TCP/UDP 161 at network perimeter
• Use an excellent password
• Disable if not required
• Use authentication & encryption
More Network Services
ICMP
• Function: IP error reporting protocol
• Consider closing in ICMP:
– Echo (Ping)
– Destination Unreachable,
– (Subnet) Address Mask Request,
– Host Unreachable,
– Port Unreachable,
– Redirect,
– Time Exceeded,
– Admin Prohibited (ACL denied)
DHCP:
• Function: Dynamically allocates IP addresses
• DHCP Manager: TCP 135
• DHCP Lease: UDP 67-68
UNIX-Specific Applications
UNIX Remote Procedure Call, TCP/UDP 111, 32771
• The portmapper provides info on RPC programs, versions, protocol, port
[root$] rpcinfo -p <ip_addr>
C:\> rpcdump <ip_addr>
[root$] nmap -sS -sR <ip_addr>
Countermeasures:
• Use authentication (and possibly encryption) with RPC
• Block ports 111, 32771 and other RPC ports to outside
• UNIX: port 111
• Sun: port 32771

Network File System, TCP/UDP 2049
• List directories being shared
[root$] showmount -e <ip_addr>
export list for <ip_addr>
/pub (everyone)
/usr user
Countermeasures:
• Ensure exported file systems have proper permissions (set read/write permissions per host)
• Block NFS at network perimeter: TCP/UDP 2049
Windows-Specific Applications
After Windows 2000:
• Domain Name Server (DNS): UDP 53
• Lightweight Directory Access Protocol (LDAP): Selecting My
Network Places to search to in Active Directory Server
– TCP/UDP 389; TCP port 3268
– TCP 3269: Global Catalog
– TCP 636: LDAP SSL
• Server Message Block (SMB) Direct Hosting: Working with a
service within My Network Places (e.g., print): TCP port 445
(older: 137-139)
• Kerberos: Encrypted Authentication: TCP/UDP 88.
– TCP/UDP 464
– TCP 544: KShell
Surely Port 80 & 443 should be kept open?
We have webpages encrypted (port 443) and unencrypted (port 80). We leave these open.
• Crackers know port 80 & 443 are usually open
• Malware can use these ports to get in (command & control, botnets)
• So… which servers serve web pages? Permit for them only (encrypted/unencrypted)
• Clients should not have ports 80 & 443 open
Additional Resources
• SANS has webcasts, documents, news
– https://www.sans.org/security-resources/
• US National Institute of Standards and Technology (NIST)
– https://www.nist.gov/topics/information-technology
• Web pages for MS Windows for security tools, checklists, and
guides:
– www.microsoft.com/en-us/security/default.aspx
• Recognize Trojans
– Close off all ports used by Trojan horses:
– Port 80 (web) can also be used by trojans and other applications when
their normal port is closed
Summary of Controls
Vendor-Independent Controls to Minimize Security Risks
• Filter incoming connections for all ports, except those that are needed
• Build machines – OS, Applications – in a controlled environment
• Ensure machines run minimal services
• Run software with patches installed – auto-update patches
• Restrict access to services (data, configuration files) based on need
• Display warnings against trespassing
• Collect and monitor logs via remote server (login attempts, changes in
permissions, accounts, or log/audit settings, file/printer accesses, etc.)
• Ensure remote administration uses strong authentication and encryption
controls
• Partition services and hardware in network to maximize security
• Use IDS/IPS to detect attack patterns
