Hacking 1
Objectives:
The student should be able to:
• Define traceroute, ping sweep, port scanning, finger printing, man-in-the-middle, spoofing, directory traversal, SQL injection, Nessus, nmap, native virtualization, hosted virtualization
• List 3 attacks and countermeasures for each of the hacking steps: 1) Footprint, 2) Scan/Enumerate, 3) Gain Access, and 4) Exploit (3 attacks only)
• Describe the 3 major steps of hardening a computer. Explain the reason and methods of each of the steps.
Class Time:
Lecture:
• Hacking 1 hour
• General Controls 1/2 hour
• Lab 1: Footprinting 1 hour
Total: 2.5 hours
The Problem of Network Security
The Internet allows an attacker to attack from anywhere in the world from their home desk.
Interrogations
changes, and general domain support questions.
• Shoulder surfing
Record expires on 03-May-2014.
Record created on 02-May-1991.
Above we are asking to use the Tellurian.net DNS server to list all records for the domain.
• HINFO: Identifies platform/OS
• MX: Mail Exchange (Email server)
• A: Internet Address
DNS Controls
To Guard Security:
• Don’t give away information!
• Exclude internal network information in external name servers
• Eliminate HINFO records from name servers
• Prevent or restrict zone transfers to authorized machines/users
• Restrict access to internal DNS from outside
• Disable inbound connections to TCP port 53: TCP zone transfer, UDP name lookups
• UDP name lookups sent as TCP requests when > 512 bytes
• Log inbound connections to port 53 to track potential attacks
Reconnaissance:
Traceroute
Traceroute: Provides list of routers between source and destination
To run:
• [bash]$ traceroute cs.uwp.edu
• [DOS]: tracert
• Traceroute can be run from multiple locations to learn multiple entry points into network
• How traceroute operates:
– Traceroute uses ICMP_TIME_EXCEEDED messages
– Windows: Uses ICMP echo request packet
– UNIX: uses UDP or ICMP with –I option
To Guard Security:
• Do not permit pings from outside the network
• Block ICMP and UDP at network edge (firewall or router)
• Note: Blocking only ICMP or UDP may allow access, since both may be used
• Detect attacks
• Use IDS systems to detect traceroute requests
• www.snort.org: Free IDS program detects these
• RotoRouter: www.ussrback.com/UNIX/loggers/rr.c.gz: generates fake responses to traceroutes.
Reconnaissance:
Whois & Initial Break-in
Whois provides information on:
• Registrar: Sponsoring company
• Organizational/Point of contact: Contact information
Whois databases include:
• www.whois.com
Scanning
• Host Scanning: Which IP addresses are valid?
• Network Scanning: How is the network routing system organized?
• Port Scanning: Which services are running on which ports?
Enumeration
• Fingerprinting: Which software versions are running on different sockets?
– Active fingerprinting: Send specific messages & observe replies
– Passive fingerprinting: Observe patterns in IP packets
– Stealth scanning: Slow scanning stays under intrusion detection radar screen
2: Hacking Networks: Scanning & Enumeration: Scanning Tools
• War Driving: NetStumbler
• War Dialing: Dialing numbers looking for modems
• Network Mapping: Nmap
• Vulnerability-Scanning Tools: Nessus
2: IP/ICMP Scanning
Ping Sweep (Nmap)
Which hosts exist?
(Diagram: SRC 192.168.0.35 sends Ping-> to DEST 124.223.0.22, 124.223.0.25, 124.223.0.34, 124.223.0.38 and 124.223.0.28; only 124.223.0.25 returns a Ping Reply.)
Windump Output:
• 15:19:42.744527 IP 192.168.0.4 > 192.168.0.5: icmp 1480: echo request seq 7168
• 15:19:42.748241 IP 192.168.0.5 > 192.168.0.4: icmp 1480: echo reply seq 7168
2: Which ports exist?
Initiate a TCP connection:
SYN
SYN,ACK
ACK
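An added detection example, not part of the original slides: it parses windump/tcpdump-style lines like the echo-request output above and the SYN of the handshake just shown, and flags one source probing many hosts (ping sweep) or many ports on one host (SYN scan). The sample lines, the TCP line format ("Flags [S]" is the modern tcpdump style) and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in windump/tcpdump style (not captured from a real network).
# The first group is an ICMP ping sweep from one source across a /24; the second is a
# TCP SYN scan of several ports on one host. "[S.]" is a SYN/ACK reply, not a probe.
SAMPLE_LOG = """\
15:19:42.744527 IP 192.168.0.4 > 192.168.0.5: icmp 1480: echo request seq 7168
15:19:42.748241 IP 192.168.0.5 > 192.168.0.4: icmp 1480: echo reply seq 7168
15:19:42.751000 IP 192.168.0.4 > 192.168.0.6: icmp 1480: echo request seq 7169
15:19:42.753000 IP 192.168.0.4 > 192.168.0.7: icmp 1480: echo request seq 7170
15:19:42.755000 IP 192.168.0.4 > 192.168.0.8: icmp 1480: echo request seq 7171
15:19:42.757000 IP 192.168.0.4 > 192.168.0.9: icmp 1480: echo request seq 7172
15:20:01.100000 IP 192.168.0.4.40001 > 192.168.0.5.22: Flags [S], seq 1, win 1024
15:20:01.100500 IP 192.168.0.4.40002 > 192.168.0.5.80: Flags [S], seq 1, win 1024
15:20:01.101000 IP 192.168.0.4.40003 > 192.168.0.5.135: Flags [S], seq 1, win 1024
15:20:01.101500 IP 192.168.0.4.40004 > 192.168.0.5.445: Flags [S], seq 1, win 1024
15:20:01.102000 IP 192.168.0.4.40005 > 192.168.0.5.3389: Flags [S], seq 1, win 1024
15:20:01.102500 IP 192.168.0.5.22 > 192.168.0.4.40001: Flags [S.], seq 9, ack 2, win 64240
"""

ECHO_REQ = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): icmp \d+: echo request")
SYN_ONLY = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\],")

def detect_scans(log_text, sweep_threshold=5, portscan_threshold=5):
    """Return (ping_sweepers, port_scanners): source IP -> set of distinct hosts it
    echo-requested, and (src, dst) -> set of distinct ports it sent a bare SYN to."""
    icmp_targets = defaultdict(set)            # src -> {dst hosts}
    syn_ports = defaultdict(set)               # (src, dst) -> {dst ports}
    for line in log_text.splitlines():
        m = ECHO_REQ.search(line)
        if m:
            icmp_targets[m.group(1)].add(m.group(2))
            continue
        m = SYN_ONLY.search(line)              # plain SYN only; "[S.]" (SYN/ACK) is skipped
        if m:
            syn_ports[(m.group(1), m.group(2))].add(int(m.group(3)))
    sweepers = {src: hosts for src, hosts in icmp_targets.items() if len(hosts) >= sweep_threshold}
    scanners = {pair: ports for pair, ports in syn_ports.items() if len(ports) >= portscan_threshold}
    return sweepers, scanners

if __name__ == "__main__":
    sweeps, scans = detect_scans(SAMPLE_LOG)
    for src, hosts in sweeps.items():
        print(f"ping sweep from {src}: {len(hosts)} hosts probed")
    for (src, dst), ports in scans.items():
        print(f"SYN scan from {src} against {dst}: ports {sorted(ports)}")
```

A real IDS such as Snort applies the same idea with time windows, so a slow "stealth" scan needs a longer window or a lower threshold than the defaults used here.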
Nessus output (excerpt):
epmap (135/tcp)
Plugin ID : 10342
Note that this is NOT the same bug as the one described in MS03-026, which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.
Port is open
Plugin ID : 11219
Enumeration Tools
Port scanners and Enumeration Tools include:
• Nmap or Network Mapper: TCP/UDP, decoy or bogus scans supported to complicate IDS detection
• Scanners & Probes: Nessus, OpenVAS, Greenbone Security Assistant, Inprotect, Nmap, THC-Amap, THC-Vmap, NBTScan, nmbscan, AuditMyPc.com, Gibson Research Corporation (Shields Up), Security Auditor's Research Assistant (SARA)
• Unix scanners: Samba: Smbclient, Nmblookup, Rpcclient, Rpcinfo, showmount, R-tools…
• Wireless tools: NetStumbler, AiroPeek, Wellenreiter, Kismet
• War Dialers: ToneLoc, THC-Scan, Shokdial
• Netcat or nc: TCP & UDP port scanning, verbose options
• NetScan: axfr, whois, ping sweeps, NetBIOS name table scans, SNMP walks, etc.
Enumeration Controls
To Guard Security:
• Evaluate computer from the inside
• Enumeration tools help the administrator to determine available services and evaluate vulnerabilities
– MS Baseline Security Analyzer (MBSA)
– NESSUS
• Evaluate computer from the outside
• Scan to find unnecessary services from outside FW
– Can use nmap or www.grc.com (LeakTest) to scan your own machine or network
• Disable all unnecessary services
– UNIX: comment out unnecessary services in /etc/inetd.conf
– WINDOWS: Disable services via Control Panel/Services
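An added example (not from the slides) of the UNIX step above, "comment out unnecessary services in /etc/inetd.conf": it parses a constructed inetd.conf, comments out every active service that is not on an allow-list, and reports what it disabled. The file content, the allow-list and the helper names are assumptions for the example.

```python
# inetd.conf fields: service socket_type protocol wait/nowait user server_program args
# Constructed sample file content (not taken from a real host).
SAMPLE_INETD = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
#shell  stream  tcp  nowait  root   /usr/sbin/tcpd  in.rshd
ssh     stream  tcp  nowait  root   /usr/sbin/sshd  sshd -i
"""

def harden_inetd(conf_text, allowed):
    """Comment out every active inetd service whose name is not in `allowed`.
    Returns (new_text, disabled): the rewritten file and the service names turned off."""
    out, disabled = [], []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)            # blank lines and already-disabled entries stay as they are
            continue
        service = stripped.split()[0]   # first field is the service name (/etc/services)
        if service in allowed:
            out.append(line)
        else:
            out.append("#" + line)      # a leading '#' makes inetd ignore the entry
            disabled.append(service)
    return "\n".join(out) + "\n", disabled

def active_services(conf_text):
    """Names of the services inetd would still start from this configuration."""
    return [l.split()[0] for l in conf_text.splitlines()
            if l.strip() and not l.strip().startswith("#")]

if __name__ == "__main__":
    hardened, turned_off = harden_inetd(SAMPLE_INETD, allowed={"ssh"})
    print("disabled:", turned_off)
    print("still active:", active_services(hardened))
```

inetd re-reads its configuration only when told to (a SIGHUP), so the change is not effective until the daemon is reloaded; the later hardening slides prefer removing the package outright over merely disabling it.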
Hacking Networks:
Phase 3: Gaining Access
Network Attacks:
• Sniffing
• Spoofing
• Session Hijacking
• Man in the middle
• Replay
• DDOS
System Attacks:
• Buffer Overflow
• Password Cracking
• SQL Injection
• Web Protocol Abuse
• Denial of Service
• Spyware (obtain passwords)
Windump Output:
• 14:54:50.190823 arp who-has 192.168.0.5 tell 192.168.0.4
• 14:54:50.191108 arp reply 192.168.0.5 is-at 0:90:27:1c:50:d0
ARP: Man-in-the-Middle Attack
(Diagram: hosts 1.1.1.1, 1.1.1.2 and 1.1.1.3 on one LAN; step (1): the broadcast request "ARP 1.1.1.1?" is seen by both 1.1.1.2 and 1.1.1.3. Second panel: 1.1.1.1 and 1.1.1.2.)
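An added detection example, not part of the original slides, for the ARP traffic shown in the Windump output and the ARP man-in-the-middle diagram above: it tracks IP-to-MAC bindings from "arp reply" lines and raises an alert when an IP's MAC changes or when one MAC answers for several IPs. The sample lines and the attacker MAC are constructed.

```python
import re
from collections import defaultdict

ARP_REPLY = re.compile(r"arp reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]+)")

# Constructed windump-style ARP lines (not a real capture). 1.1.1.1 is first answered by
# its legitimate MAC; then an invented attacker MAC (0:0c:29:aa:bb:cc) claims both
# 1.1.1.1 and 1.1.1.2, the two-sided poisoning that places it in the middle.
SAMPLE_ARP = """\
14:54:50.190823 arp who-has 1.1.1.1 tell 1.1.1.2
14:54:50.191108 arp reply 1.1.1.1 is-at 0:90:27:1c:50:d0
14:54:51.000000 arp reply 1.1.1.1 is-at 0:0c:29:aa:bb:cc
14:54:51.000500 arp reply 1.1.1.2 is-at 0:0c:29:aa:bb:cc
"""

def check_arp_log(log_text):
    """Return a list of (kind, detail) alerts.
    'mac_changed'  : an IP previously seen at a different MAC (possible cache poisoning)
    'mac_multi_ip' : one MAC answering for several IPs (attacker posing as both ends;
                     a host with legitimate IP aliases also triggers this, so verify)"""
    ip_to_mac = {}                     # first MAC seen for each IP
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = ARP_REPLY.search(line)
        if not m:
            continue                   # who-has requests and non-ARP lines carry no binding
        ip, mac = m.group(1), m.group(2).lower()
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append(("mac_changed", f"{ip}: {ip_to_mac[ip]} -> {mac}"))
        ip_to_mac.setdefault(ip, mac)  # keep the first binding as the reference
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("mac_multi_ip", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts

if __name__ == "__main__":
    for kind, detail in check_arp_log(SAMPLE_ARP):
        print(kind, detail)
```

Static ARP entries for the gateway, or a switch feature such as dynamic ARP inspection, prevent the poisoning; this script only detects it after the fact.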
Spoofing
• DNS Spoofing: Attacker provides DNS reply before the real DNS server
• MAC Address Spoofing: Impersonate another terminal to gain access
• IP Address Spoofing: Send Receive-Window = 0 or Session Hijacking
• Phishing: Sending an email or providing a web page, pretending you are someone else but using your IP address
• May not receive any replies…
(Diagram: Joe tells the Router/AP "I am John…"; John is the impersonated host.)
Man-In-The-Middle Attack
(Diagram: the user's Login goes to a Trojan AP or Rogue Access Point, which relays the Login to the Real AP.)
Malicious software:
• Trojan Horse: Undesirable feature: e.g., log keystrokes, access data
• User-Level Rootkit: Replaces system executables: e.g. Login, ls, du
• Kernel-Level Rootkit: Replaces OS kernel: e.g. process or file control to hide
• Bots: Slave forwards/performs commands; spreads, DOS attacks
• Spyware/Adware: Collect info, list email addrs, insert ads, filter search results
3b: Gaining Access: Persistence
Establish Persistence/Hide Presence
Escalation of Privileges:
• Password Guessing
• Keystroke Logger: Learn passwords
• Exploit known vulnerabilities of software
• Session Hijacking: Take over existing session
After Break-In:
• Create backdoors for reentry
• Weaken security
• Hide tracks: Delete logs
Gaining Access:
Auditing Checks
Auditing Checks:
• Be careful of false positives and false negatives!
• Slow responses can result in negative (wrong) conclusion
• Vulnerabilities may be eligible only if combined with a particular version of OS
• Vulnerability tests can have bugs
• A vulnerability may exist – but the context may not exist for the application
• Specific network h/w may impact test (e.g., load balancing, firewall proxies)
Therefore:
• Use two tools to test!
• Determine if vulnerability exist in context of OS, applications, etc.
• Treat information as confidential
Exploit:
• Exfiltrate data: corporate secrets, payment card info
• Launch DOS/DDOS attacks
• Web defacement
• Establish continual access
STAGE 4: EXPLOIT
Distributed Denial of Service
(Diagram: the Attacker commands a Handler, which directs Zombies to flood the Victim.)
SYN Flood
Smurf Attack (Pings)
DNS Amplification Attacks
• Use packets directed at a legitimate DNS server as the intermediary system
GENERAL CONTROLS
Key security mechanisms
• Maximize software security
– Patch OS, applications, 3rd Party applications with auto-update
– Configure security settings carefully
• Restrict access
– Restrict admin privileges
– Disable unnecessary accounts
– Password controls
• Restrict number of services
– White-list approved applications
– Uninstall or disable unnecessary services
Plan to Maximize Security
Design security into the system
• Security in Requirements
• Authentication & Access Control
• Configure properly first time
Careful administration
• Logs, synchronized clocks
• Local/remote management
Hardening a Computer
Carefully install OS/App
• Install, patch in a protected network
• Anti-virus, firewall, IDS/IPS
• Auto-update patches
Minimize access to services
• Remove unnecessary services
• Configure access permissions: users & groups
• Secure boot process
Test the system
• Outside & Inside
Install Additional Security Controls
• Anti-virus software
– Also for smart-phones
• IDS/IPS: traffic monitoring, file integrity checking (tripwire)
• Firewall: Can restrict input to certain ports, or protocols
• Check for rogue machines, systems
• Whitelist applications (if possible)
– Only certain set of executables may run
Remove Unnecessary Services
• If every app has 1 vulnerability, then fewer apps are better
• Remove unnecessary services
– Customize installation
– Remove OS services and capabilities
– Balance between usability & security
– Remove, don’t disable
• Restrict account access
– Restrict default accounts
– Change default passwords
• Minimize access to existing services
– Restrict elevated privileges
– Use elevated privileges minimally
– Log privileged actions
Securing Applications
• Install in protected network
• Limit permissions
– Web application should have minimal permissions
– Permissions can be increased for certain actions
– Set file permissions for administrator versus web user
• UNIX Chroot jail limits file system access
• Set security settings: logs, account lockout, password, banners
• Add controls as necessary: Encryption, digital certificate
Security Maintenance
• Monitor log information
– Detective technique catches after-the-fact
– System, network, application
– Allocate sufficient space, best off-line
• Perform regular backups
– Archive: retain copies of data over time
– Off-site storage works for fires, disasters, on-site thief
• Regularly test system security
– Automate: daily tests, hourly, every 10 minutes
• Patch & update critical software
• Recover from Security compromises
Virtual Machine
(Diagram, two layouts. Native virtualization: Guest App / Guest OS stacked on a Hypervisor/VMM that runs directly on the Physical Hardware. Hosted virtualization: Guest App / Guest OS on a Hypervisor/VMM with a Virtual Disk, running on a Host OS on the Physical Hardware.)
Firewall Recommendations: Default Deny
• Only let in specifically permitted applications (a few specific applications)
• Why are some ports important to close?