Network Security Slides by Nikhil Zope

Upload: nikhil-zope

Post on 08-May-2015


TRANSCRIPT

1. Slides by Nikhil Zope

2. Outline
- In the NEWS (LOIC)
- DDoS attacks
- Passive Network Attacks
- Active Network Attacks
- Designing a Secure Network
- Web 2.0
- Summary
TecHnoHacKs Cyber Security And Research Center. 7/20/2012

3. (image slide, no text)

4. Low Orbit Ion Cannon (LOIC)
- Primary tool being used by the script kiddies
- Low Orbit Ion Cannon (LOIC) is a web app performance tool
- Denial of Service/testing tool
- DoS operation using HTTP/TCP/UDP requests
- DDoS: voluntarily joining a botnet (Hive Mind)

5. How does LOIC work?
    While IsFlooding is True {
        1. Create/Connect a TCP Socket to webserver
        2. Send standard GET request to the server
        3. Read the first 64 bytes returned
        4. Sleep for configured Delay
    }

6. Low Orbit Ion Cannon Hive (screenshot slide)

7. Low Orbit Ion Cannon New (screenshot slide)

8. Hive Mind
- The automatic mode, or Hive Mind: an option to voluntarily join a botnet
- Using this mode, all parameters of the attack are set up remotely via IRC, including the target
- IRC is a network protocol designed to provide real-time group chat, often (mis)used to control botnets

9. LOIC trail
- If an anonymization network (TOR) is not used, traceable IP address records can be logged by the recipient
- Logs kept by the ISP are used to identify users
- Many users arrested using LOIC
- LOIC is not anonymous

10. LOIC/Wireshark Demo
1. Turn on VMware WinXP machine
2. Turn on Wireshark
3. Turn on LOIC
4. Start packet capture in Wireshark
5. Start LOIC
11. LOIC Mitigation
- Attack vector as old as the HTTP protocol
- Best approach is to use a good rule-based firewall; allow for rules on connection limits per IP per second
- Legitimate uses for this tool: performance baselines, measuring server performance

12. (image slide, no text)

13. FTP Password Attack Setup
1. Install virtual machine or connect to network
2. Install Internet Information Services (IIS) on Windows and File Transfer Protocol (FTP)
3. Set up FTP with a password
4. Run Wireshark while attempting FTP

14. FTP Password Attack
1. Run Wireshark on LAN in promiscuous mode
2. Wait till someone connects to host with FTP

15. Passive online attack
0. http://www.httprecipes.com/1/2/forms.php
1. Run Wireshark
2. Filter http
3. Find post method
4. Follow TCP stream
5. You have username and password in the clear if the server isn't using HTTPS (SSL) or other encryption

16. (image slide, no text)

17. Replay and Man-in-the-middle
When passwords can't be caught in plaintext:
- Man-in-the-middle
- ARP poisoning
- Replay attack
- Session hijacking

18. Cain and Abel (ARP poisoning)
1. Install Cain and Abel
2. Connect to a network
3. Select sniffer tab
4. Start sniffer and select network interface
5. Select hosts on bottom and press then ok
6. Select bottom APR tab and click top window
7. Press and select target IP then hit Ok
8. Hit then select passwords tab, (http)

19. (image slide, no text)
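The LOIC Mitigation slide (slide 11) recommends a rule-based firewall with connection limits per IP per second. The following is an added example, not code from the slides: a sliding-window counter run over a constructed connection log that reports which sources exceed such a limit; the log format, addresses, threshold and window are assumptions.

```python
# Added example, not from the slides: find sources exceeding a
# "connections per IP per second" limit, the rule-based firewall
# mitigation the LOIC Mitigation slide recommends.
from collections import defaultdict, deque

# Constructed sample connection log, one line per new TCP connection:
# "epoch_seconds src_ip dst_port".  203.0.113.7 opens six connections
# inside one second (a LOIC-like burst); 198.51.100.4 looks like a browser.
SAMPLE_LOG = """\
1000.00 203.0.113.7 80
1000.10 203.0.113.7 80
1000.20 203.0.113.7 80
1000.25 198.51.100.4 80
1000.30 203.0.113.7 80
1000.40 203.0.113.7 80
1000.50 203.0.113.7 80
1001.20 198.51.100.4 443
1002.00 203.0.113.7 80
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, src_ip, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, port = line.split()
            events.append((float(ts), ip, int(port)))
    return events

def find_flooders(events, limit=5, window=1.0):
    """Return {src_ip: peak count} for sources with more than `limit` new
    connections inside any sliding window of `window` seconds; a firewall
    rule with the same parameters would drop connection limit+1 onward."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)
    for ts, ip, _port in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:  # expire timestamps that left the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > limit}

if __name__ == "__main__":
    for ip, n in find_flooders(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {n} new connections within 1 s, over the limit")
```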
20. Policy
- Network security
- Company goals lead to security policy
- Network infrastructure design policy
- Network design meets requirements

21. So how do we go from? (image slide)

22. Data Classification
- Policy develops from information flow
- Who can access what?
- Common classifications: Public, Secret, Confidential, Group based

23. User Classifications
- Serves the same purpose as data classification
- Who can access what?
- Common classifications: Outsiders, Employees, Executives, Owners

24. Access Control Matrix (ACM) (image slide)

25. Network Organization
- Network infrastructure design using ACM
- Layered security measures
- Separation of information
- Fairly standard corporate network

26. Network Organization
- Public or External Network
- Internal Network
- Public network firewall
- Internal network firewall
- Demilitarized Zone (DMZ)

27. Firewalls
- Firewalls filter based on: IP addresses, destination ports
- Filtering firewall based on: packet headers, source addresses
- Proxy or application level firewalls based on message content: virus scanner
- Key terms?

28. Firewall Operation (image slide)

29. Outer Firewall
Can be used to:
1. Restrict outside access to internal network
2. Restrict internal access to internet while allowing access to DMZ based on Access Control Lists (ACLs)
3. ACLs bind source address/port and destination address/ports to access rights
30. Outer Firewall
- Public needs Web server and mail server access, no other services
- Firewall interface allows connections to WWW services (HTTP and HTTPS) and electronic mail (SMTP)
- Internet sees addresses of Web and mail servers equal to that of the firewall (NAT)

31. Internal Firewall
- Sensitive data resides in internal network
- Block all traffic except authorized traffic (fail-safe defaults principle)
- Information comes only from DMZ, never directly from Internet

32. Ports/Services
- 20-21 FTP
- 22 SSH/SCP
- 23 Telnet
- 25 SMTP
- 53 DNS
- 67-68 DHCP/BOOTP
- 80 HTTP
- 443 HTTP over SSL
- 465 SMTP over SSL

33. Proxies
- Proxies: hosts that relay data
- Hide identity and protect privacy
- Can be used as firewalls
- The Onion Routing network (TOR): proxy network made of volunteer hosts

34. DMZ and Servers
- Demilitarized Zone or DMZ: area outside internal firewall, some ports unblocked for inbound internet access to servers
- Servers: hosts which serve webpages or store and process electronic mail for users
- Web server and mail server contained in DMZ

35. Domain Name System (DNS) Server
Knows directory name service information for:
- DMZ mail, Web, and log hosts
- Internal trusted administrative host
- Outer firewall
- Inner firewall

36. DMZ Log Server
- All other servers log messages by writing them to a local file and then to the log server
- The log server also writes them to a file and then to write-once media
- Confined to the DMZ
- Does not initiate transfer to inner network
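Slides 29 through 31 describe ACLs that bind source/destination addresses and ports to access rights, an outer firewall that admits only WWW and SMTP into the DMZ, and an inner firewall that accepts traffic from the DMZ only, with deny as the fail-safe default. The following is an added example, not code from the slides, showing that policy as a first-match ACL evaluator; the address plan, host addresses and rule sets are constructed assumptions.

```python
# Added example, not from the slides: first-match ACL evaluation for the outer
# and inner firewalls above; addresses and rules are constructed, default is deny.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:                    # one ACL entry: src/dst (and port) -> access right
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]    # None matches every port
    action: str                # "allow" or "deny"

def evaluate(rules, src_ip, dst_ip, dst_port):
    """Return the action of the first rule matching the packet, else 'deny'."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and r.dst_port in (None, dst_port):
            return r.action
    return "deny"              # fail-safe default: nothing matched, block

# Constructed address plan (assumed, not from the slides).
DMZ = ipaddress.ip_network("192.0.2.0/24")
WEB = ipaddress.ip_network("192.0.2.10/32")
MAIL = ipaddress.ip_network("192.0.2.20/32")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Outer firewall: the public reaches only WWW (80/443) and SMTP (25) in the DMZ.
OUTER_RULES = [
    Rule(ANY, WEB, 80, "allow"),
    Rule(ANY, WEB, 443, "allow"),
    Rule(ANY, MAIL, 25, "allow"),
]

# Inner firewall: internal hosts accept traffic from the DMZ only, never
# directly from the Internet.
INNER_RULES = [Rule(DMZ, INTERNAL, None, "allow")]

def admitted(src_ip, dst_ip, dst_port):
    """Apply the firewall guarding dst: inner for internal hosts, outer otherwise."""
    dst = ipaddress.ip_address(dst_ip)
    rules = INNER_RULES if dst in INTERNAL else OUTER_RULES
    return evaluate(rules, src_ip, dst_ip, dst_port) == "allow"
```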
37. Internal Network
- Subnets may have firewall and servers, may filter traffic as inner firewall does
- Subnets may share servers
- Information flow constraints arrangement
- Firewalls impose confinement at interfaces

38. Firewall Attacks
Attackers have 3 methods of firewall entry:
- Web server ports (HTTP): port proxy checks for invalid or illegal HTTP requests and rejects them
- SMTP port: mail proxy will detect and reject such attempts
- Bypass the low-level firewall checks by exploiting firewall vulnerabilities

39. Defense Practices
- Economy of mechanism (simple mechanisms): making hosts or devices do only their job
- Separation of privilege (divided jobs): more than one host does a certain job
- Defense in depth (layered security defense): multiple defenses to bypass

40. Internet Attacks
- Distributed Denial of Service (DDoS)
- SYN flood: consumes bandwidth, consumes memory resources
- Remedies: TCP intercept mode, Synkill software

41. Attacks
Focus on what we are most concerned about:
- Successful attacks
- Failed attacks in areas where attacks ought not to be launched, e.g. DMZ
- Efforts into where we can obtain useful results

42. Summary
- Security requirements network infrastructure
- Security goals security policy network form
- Internal firewall limits traffic to public servers
- Outer firewall blocks external traffic from internal
- Public servers only provide one service
- Application level firewalls check contents

43. (image slide, no text)
44. Quantification of Attackers' Activities on Servers running Web 2.0 Applications
- Attackers use search-based strategies (Google)
- Easiest ways to attack servers dominate
- Password cracking attacks on SSH

45. Quantification of Attackers' Activities on Servers running Web 2.0 Applications
- Blog user accounts and vulnerability scans
- Spam attacks dominate Web 2.0 applications such as Blogs and Wikis
- Less activity uses known vulnerabilities

46. Groups Of Companies Presents . . . TecHnoHacKs . CYBER SECURITY AND RESEARCH CENTER For Education and Training.