Lec05 Vulnerability and Attacks

The document discusses various vulnerabilities and attacks in information security, highlighting types of vulnerabilities, exposure, and common vulnerabilities and exposures (CVE). It covers different attack methods, including TCP/IP attacks, application attacks, and denial of service (DoS) attacks, while emphasizing the importance of understanding threats, vulnerabilities, and risks. Additionally, it outlines the significance of the CVE initiative in standardizing the identification of security vulnerabilities.


VULNERABILITIES AND ATTACKS

Faculty of Information Technology
Hanoi University
Content

• Vulnerability
• Types of Vulnerabilities
• Exposure
• Common Vulnerabilities & Exposures
• Attacks
  – TCP/IP attacks
  – Application attacks
  – DoS and DDoS
1. Vulnerability

• CVE Initiative's definition of the term "vulnerability":
  – An information security "vulnerability" is a mistake in software/system or network that can be directly used by a hacker to gain access to a system or network.
Vulnerabilities

• At every layer in the protocol stack!
  – Network-layer attacks
    – IP-level vulnerabilities
    – Routing attacks
  – Transport-layer attacks
    – TCP vulnerabilities
  – Application-layer attacks
2. Exposure

• An information security "exposure" is a system configuration issue or a mistake in software/system/network that reveals information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
Exposure examples

• An "exposure" describes a state in a computing system/network (or set of systems) that is not a vulnerability, but either:
  – allows an attacker to conduct information gathering activities
  – allows an attacker to hide activities
  – includes a capability that behaves as expected, but can be easily compromised
  – is a primary point of entry that an attacker may attempt to use to gain access to the system or data
  – is considered a problem according to some reasonable security policy
Exposure examples

• running services such as finger (useful for information gathering)
• running services that are common attack points
  – Ex: HTTP (web), FTP (file transfer) or SMTP (e-mail)
• use of applications or services that can be successfully attacked by brute force methods
  – Ex: use of a 54-bit key for encryption
Threats, Vulnerability and Risk

• In order to have a strong handle on data security issues that may potentially impact your business, it is imperative to understand the relationships of three components:
  – Threat
  – Vulnerability
  – Risk
What is a threat?

A threat refers to a new or newly discovered incident that has the potential to harm a system or your company overall. There are three main types of threats:
• Natural threats, such as floods, hurricanes, or tornadoes
• Unintentional threats, like an employee mistakenly accessing the wrong information
• Intentional threats, such as spyware, malware, adware companies, or the actions of a disgruntled employee
What is a vulnerability?

• A vulnerability refers to a known weakness of an asset (resource) that can be exploited by one or more attackers. In other words, it is a known issue that allows an attack to succeed.
• For example, when a team member resigns and you forget to disable their access to external accounts, change logins, or remove their names from company credit cards, this leaves your business open to both intentional and unintentional threats.
Risk

• Risk is defined as the potential for loss or damage when a threat exploits a vulnerability. Examples of risk include:
  – Financial losses
  – Loss of privacy
  – Damage to your reputation
  – Legal implications
  – Even loss of life
4. CVE

• Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities, while its Common Configuration Enumeration (CCE™) provides identifiers for security configuration issues and exposures.
Before CVE: Same Problem, Different Names

Organization   Name
CERT           CA-96.06.cgi_example_code
CyberSafe      Network: HTTP 'phf' Attack
ISS            http-cgi-phf
AXENT          phf CGI allows remote command execution
Bugtraq        PHF Attacks – Fun and games for the whole family
BindView       #107 – cgi-phf
Cisco          #3200 – WWW phf attack
IBM ERS        Vulnerability in NCSA/Apache Example Code
CERIAS         http_escshellcmd
L-3            #180 HTTP Server CGI example code compromises http server
After CVE: One Common Language

Description                                          Name
ToolTalk (rpc.ttdbserverd) buffer overflow           CVE-1999-0003
Buffer overflow in qpopper                           CVE-1999-0006
CGI phf program allows remote command execution      CVE-1999-0067
Windows NT debug-level access bug (a.k.a. Sechole)   CVE-1999-0344
CVE

• One name for one vulnerability or exposure
• One standardized description for each vulnerability or exposure
• A dictionary rather than a database
• How disparate databases and tools can "speak" the same language
• The way to interoperability and better security coverage
• A basis for evaluation among tools and databases
• Free for public download and use
4. SANS Top 20 Vulnerabilities

• Seven years ago, SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities
• Thousands of organizations relied on that list, and on the expanded Top-20 lists that followed in succeeding years, to prioritize their efforts so they could close the most dangerous holes first.
4. SANS Top 20 Vulnerabilities 2007
http://sans.org/top20/?portal=0c0130b2ad2aeba59cdfcdd8ab3443ab
Content

• Vulnerability
• Types of Vulnerabilities
• Exposure
• Threats, Vulnerability and Risk
• Common Vulnerabilities & Exposures
• Attacks  << You are here
  – TCP/IP attacks
  – Application attacks
  – DoS and DDoS
Security Flaws in IP

• The IP addresses are changed by the originating host
  – Address spoofing
• Using source address for authentication
  – r-utilities (rlogin, rsh, rhosts etc.)

Diagram: hosts A (1.1.1.1) and B (1.1.1.2) share a network with server S (1.1.1.3); host C (2.1.1.1) reaches S across the Internet.
• Can A claim it is B to the server S? (ARP spoofing)
• Can C claim it is B to the server S? (Source routing)
Ping Flood

Diagram: the attacking system sends pings across the Internet to a broadcast-enabled network using the fake IP of the victim; the victim system is on the receiving end.
Routing Attacks

• Distance Vector Routing
  – Announce 0 distance to all other nodes
  – Blackhole traffic
  – Eavesdrop
• Link State Routing
  – Can drop links randomly
  – Can claim direct link to any other routers
  – A bit harder to attack than DV
• Border Gateway Protocol
  – Announce different prefix
  – Alter routing path
3-way handshake of TCP/IP

Client: "Hello. How do you do?"        (SYN)
Server: "I'm fine. How do you do?"     (SYN-ACK)
Client: "I'm fine."                    (ACK)
Establish and start communication
TCP SYN Flooding

• Exploit state allocated at server after initial SYN packet
• Send a SYN and don't reply with ACK
• Server will wait for 511 seconds for ACK
• Finite queue size for incomplete connections (1024)
• Once the queue is full it doesn't accept requests
SYN FLOODING

Diagram: SYN flooding (attacker, legitimate users)
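The slide's numbers make the mechanism easy to model. The following is an added example (not from the lecture): a small simulation of the server's half-open connection queue with the slide's 1024-entry backlog and 511-second timeout, showing why a long timeout combined with a small backlog lets a modest stream of unanswered SYNs crowd out legitimate clients.

```python
from collections import deque

BACKLOG = 1024         # finite queue of incomplete connections (value from the slide)
SYN_TIMEOUT = 511.0    # seconds the server waits for the handshake ACK (value from the slide)

class HalfOpenQueue:
    """Server-side state for connections that sent a SYN but have not ACKed yet."""

    def __init__(self, backlog=BACKLOG, timeout=SYN_TIMEOUT):
        self.backlog, self.timeout = backlog, timeout
        self.pending = deque()       # (expiry_time, client), oldest entry first

    def _expire(self, now):
        # Entries whose timer ran out are dropped and free their slot again.
        while self.pending and self.pending[0][0] <= now:
            self.pending.popleft()

    def syn(self, now, client):
        """Handle an incoming SYN; return False when no slot is left."""
        self._expire(now)
        if len(self.pending) >= self.backlog:
            return False
        self.pending.append((now + self.timeout, client))
        return True

    def ack(self, client):
        """Third handshake step: the completed connection leaves the queue."""
        for entry in self.pending:
            if entry[1] == client:
                self.pending.remove(entry)
                return True
        return False

def simulate(flood_rate, duration=600):
    """An attacker sends flood_rate SYNs per second and never ACKs, while one
    legitimate client connects (and completes the handshake) once per second.
    Returns how many legitimate connections the server had to refuse."""
    queue, refused = HalfOpenQueue(), 0
    for now in range(duration):
        for _ in range(flood_rate):
            queue.syn(now, "attacker")   # allocated state that never completes
        if queue.syn(now, "legit"):
            queue.ack("legit")           # legitimate handshake finishes at once
        else:
            refused += 1
    return refused
```

With the slide's values the queue reaches steady state at flood_rate × 511 entries, so one unanswered SYN per second never fills it while three per second lock legitimate users out after a few minutes.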
Application Layer Attacks

Code Exploits
• Use of poor coding practices left uncaught by testing
• Defense: In-depth unit and integration testing
Password Cracks: Brute Force

• Method
  – Trying all combinations of legal symbols as username/password pairs
• Motivation
  – Gain access to system
• Detection
  – Frequent attempts to authenticate
• Defense
  – Lockouts – temporary and permanent
Password Cracks: Dictionary Attack

• Method
  – Trying all common passwords in dictionary
• Motivation
  – Gain access to system, faster than brute force
• Detection
  – Frequent attempts to authenticate
• Defense
  – Lockouts – temporary and permanent
  – Complex passwords
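Both password-cracking slides give the same detection (frequent authentication attempts) and the same defense (temporary, then permanent lockout). The following is an added example, not from the lecture, of such a lockout policy replayed over constructed authentication events; the window, thresholds and lockout length are assumed values.

```python
from collections import defaultdict, deque

WINDOW = 300.0          # seconds over which failed attempts are counted (assumed)
TEMP_THRESHOLD = 5      # failures inside WINDOW trigger a temporary lockout (assumed)
TEMP_LOCKOUT = 900.0    # seconds a temporary lockout lasts (assumed)
PERM_THRESHOLD = 3      # temporary lockouts before the account is locked for good (assumed)

class LockoutPolicy:
    def __init__(self):
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> end of current temporary lockout
        self.temp_count = defaultdict(int)   # user -> temporary lockouts so far
        self.permanent = set()

    def state(self, user, now):
        if user in self.permanent:
            return "permanent"
        return "temporary" if self.locked_until.get(user, 0.0) > now else "open"

    def attempt(self, user, success, now):
        # Record one authentication attempt and return the account state after it.
        current = self.state(user, now)
        if current != "open":
            return current                   # locked accounts are not evaluated at all
        recent = self.failures[user]
        if success:
            recent.clear()                   # a good login resets the failure window
            return "open"
        recent.append(now)
        while recent[0] < now - WINDOW:      # forget failures older than the window
            recent.popleft()
        if len(recent) < TEMP_THRESHOLD:
            return "open"
        recent.clear()
        self.temp_count[user] += 1
        if self.temp_count[user] >= PERM_THRESHOLD:
            self.permanent.add(user)
            return "permanent"
        self.locked_until[user] = now + TEMP_LOCKOUT
        return "temporary"

def replay(events):
    # events: constructed (time, user, success) tuples in time order -> final state per user
    policy, final = LockoutPolicy(), {}
    for now, user, success in events:
        final[user] = policy.attempt(user, success, now)
    return final

# Constructed sample: a dictionary-style run against "alice" (a wrong password every
# two seconds) alongside "bob", who mistypes once and then logs in.
SAMPLE = sorted([(t, "alice", False) for t in range(0, 10, 2)] + [(1, "bob", False), (3, "bob", True)])
```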
Web Attacks: Source Viewing

• Method
  – Read source code for valuable information
• Motivation
  – Find passwords or commented out URLs
• Detection
  – None
• Defense
  – None
Web Attacks: URL Modification

• Method
  – Manipulating URL to find pages not normally accessible
• Motivation
  – Gain access to normally private directories or pages
• Detection
  – Check website URL logs
• Defense
  – Add access requirements
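An added example (not from the slides) of the "check website URL logs" detection: it parses constructed Common Log Format lines and reports clients that repeatedly request paths the site never links to and get a denied or not-found response. The public path list, the threshold and the log lines are assumptions made for the example.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

# What the site actually links to (constructed): pages served exactly, and
# directories whose contents are all public.
PUBLIC_PAGES = {"/", "/index.html"}
PUBLIC_DIRS = ("/products/", "/static/")

def is_public(path):
    return path in PUBLIC_PAGES or path.startswith(PUBLIC_DIRS)

def parse(line):
    """Return (host, method, path, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, method, path, status = m.groups()
    return host, method, path, int(status)

def suspicious_clients(lines, threshold=3):
    """Clients with at least `threshold` denied or not-found requests for paths the
    site never links to: the footprint of someone editing URLs to find hidden pages."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        host, _, path, status = rec
        if status in (401, 403, 404) and not is_public(path):
            hits[host] += 1
    return {host: n for host, n in hits.items() if n >= threshold}

# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /products/1 HTTP/1.1" 200 2326',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /admin/ HTTP/1.1" 403 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /backup/ HTTP/1.1" 404 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "GET /config/ HTTP/1.1" 404 512',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 4021',
    '198.51.100.2 - - [10/Oct/2023:13:56:05 +0000] "GET /oldpage HTTP/1.1" 404 512',
    'garbage line that does not parse',
]
```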
Web Attacks: Post Data

• Method
  – Change post data to get desired results
• Motivation
  – Change information being sent in your favor
• Detection
  – None
• Defense
  – Verify post data on receiving end
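An added example of "verify post data on the receiving end", not from the lecture: an order handler that treats the posted item and quantity as input to be validated and recomputes the amount from a server-side catalog instead of trusting a posted total. The catalog, limits and field names are constructed for the example.

```python
# Constructed server-side catalog: prices in cents. The client never sets prices.
CATALOG = {"sku-100": 1999, "sku-200": 4999}
MAX_QUANTITY = 100

class InvalidPostData(ValueError):
    """Raised when a posted form fails server-side verification."""

def process_order(form):
    """form: POST fields as received (all strings). Only `item` and `quantity`
    are inputs, and both are validated; money is recomputed from CATALOG."""
    item = form.get("item", "")
    if item not in CATALOG:
        raise InvalidPostData("unknown item")
    try:
        qty = int(form.get("quantity", ""))
    except ValueError:
        raise InvalidPostData("quantity is not an integer") from None
    if not 1 <= qty <= MAX_QUANTITY:
        raise InvalidPostData("quantity out of range")
    total = CATALOG[item] * qty
    # A client-sent total is compared for tamper detection but never used for billing.
    claimed = form.get("total")
    return {
        "item": item,
        "quantity": qty,
        "total_cents": total,
        "client_total_mismatch": claimed is not None and claimed != str(total),
    }

def rejects(form):
    """True when the form is refused; useful for request logging and tests."""
    try:
        process_order(form)
    except InvalidPostData:
        return True
    return False
```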
Web Attacks: Database Attack

• Method
  – Sending dangerous queries to database
• Motivation
  – Denial of service
• Detection
  – Check database for strange records
• Defense
  – Filter database queries
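An added example, not from the lecture, that puts the slide's "filter database queries" defense next to the stronger fix: the same lookup written by splicing the value into the SQL text and written with a bound parameter, run against a constructed in-memory SQLite table, plus a metacharacter filter of the kind the slide describes.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the application's user store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con

def lookup_unsafe(con, name):
    """Vulnerable form: the request value is spliced into the SQL text, so a quote
    in the input changes the structure of the query itself."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con, name):
    """Hardened form: the value is bound as a parameter and can only ever match
    a name; it is data to the database, never SQL."""
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def looks_like_injection(value):
    """The slide's 'filter database queries' idea as a detection aid: flag input
    carrying SQL metacharacters so it can be logged or rejected. Useful for
    alerting, but not a substitute for the bound parameter above."""
    v = value.lower()
    return any(tok in v for tok in ("'", "--", ";", " or ", " union "))

# Constructed value of the kind the slide's "dangerous query" has in mind.
TAMPERED_NAME = "x' OR '1'='1"
```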
Backdoors

• Bypass normal means of authentication
• Hidden from casual inspection
• Installed separately or integrated into software
Worms & Virus: File Infectors

• Method
  – Infects executables by inserting itself into them
• Motivation
  – Damage files and spread
• Detection
  – Virus scan or strange computer behavior
• Defense
  – Antivirus, being cautious on the internet
Worms & Virus: Boot-sector Virus

• Method
  – Replaces boot loader, and spreads to hard drive and floppies
• Motivation
  – Damage files and spread
• Detection
  – Virus scan or strange computer behavior
• Defense
  – Antivirus, being cautious on the internet
Worms & Virus: Companion Virus

• Method
  – Locates executables and mimics names, changing the extensions
• Motivation
  – Damage files and spread
• Detection
  – Virus scan or strange computer behavior
• Defense
  – Antivirus, being cautious on the internet
Worms & Virus: Macro Virus

• Method
  – Infects documents; when the document is accessed, the macro executes in the application
• Motivation
  – Damage files and spread
• Detection
  – Virus scan or strange computer behavior
• Defense
  – Antivirus, being cautious on the internet
Worms & Virus: Worms

• Method
  – Replicates
• Motivation
  – Variable motivations
• Detection
  – Virus scan or strange computer behavior
• Defense
  – Antivirus, being cautious on the internet
Logic Bomb

• Method
  – A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met (e.g. a time bomb)
• Motivation
  – Revenge, synchronized attack, securing a getaway
• Detection
  – Strange computer behavior
• Defense
  – Keep and monitor logs
  – Monitor computer systems closely
Buffer Overflow

• Method
  – Pass too much information to the buffer with poor checking
• Motivation
  – Modify information and/or execute arbitrary code
• Detection
  – Logs
• Defense
  – Check input size before copying to buffer
  – Guard return address against overwrite
  – Make the stack non-executable so it cannot be used to run instructions
Phishing

• Method
  – Request information from a mass audience, collect responses from a fake site
• Motivation
  – Gain important information
• Detection
  – Careful examination of requests for information
• Defense
  – Distribute information on a need-to-know basis

Phishing: Example
Bots & Zombies

• Method
  – Installed by virus or worm, allow remote unrestricted access to the system
  – A node in a DDoS attack
• Motivation
  – Gain access to additional resources, hiding your identity
• Detection
  – Network analysis
  – Virus scans
  – Notice unusual behavior
• Defense
  – Install security patches and be careful what you download
Spyware, Adware, and Malware

• Method
  – Installed either willingly by the user via ActiveX or as part of a virus package
• Motivation
  – Gain information about the user
  – Serve users advertisements
• Detection
  – Network analysis
  – Abnormal computer behavior
• Defense
  – Virus / adware / spyware / malware scans
Hardware Keyloggers

• Method
  – Attach it to a computer
  – Record your typing
• Motivation
  – Record user names, passwords, and other private information
• Detection
  – Check physical connections
• Defense
  – Cameras and guards
Social Engineering

• Manipulate the weakest link of cybersecurity – the user – to gain access to otherwise prohibited resources
• Defense: Train personnel to resist the tactics of social engineering
Outline

• TCP/IP attacks
• Application attacks
• DoS and DDoS  << You are here
Denial of Service

• Objective: make a service unusable, usually by overloading the server or network
• Consume host resources
  – TCP SYN floods
  – ICMP ECHO (ping) floods
• Consume bandwidth
  – UDP floods
  – ICMP floods
Denial of Service

• Crashing the victim
  – Ping-of-Death
  – TCP options (unused, or used incorrectly)
• Forcing more computation
  – Taking long path in processing of packets
Simple DoS

Diagram: a single attacker sending traffic directly at the victim(s).
• The attacker usually spoofs the source address to hide the origin
• Easy to block
Distributed DoS

Diagram: Attacker → Handlers → Agents → Victim (two handlers and five agents are drawn; all agents send to the one victim).

• The handlers are usually very high volume servers
  – Easy to hide the attack packets
• The agents are usually home users with DSL/Cable
  – Already infected and the agent installed
• Very difficult to track down the attacker
Tutorial

• Vulnerability scanning using Nmap
• Web vulnerability scanning using Acunetix
• Google hacking