sam_bowne
TRANSCRIPT
Chapter 1: Ethical Hacking Overview
CNIT 123 – Bowne Page 1 of 5
Objectives
• Describe the role of an ethical hacker
• Describe what you can do legally as an ethical hacker
• Describe what you cannot do as an ethical hacker

Introduction to Ethical Hacking
Ethical hackers
• Employed by companies to perform penetration tests
Penetration test
• Legal attempt to break into a company’s network to find its weakest link
• Tester only reports findings, does not solve problems
Security test
• More than an attempt to break in; also includes analyzing company’s security policy and procedures
• Tester offers solutions to secure or protect the network
The Role of Security and Penetration Testers
Hackers
• Access computer system or network without authorization
• Breaks the law; can go to prison
Crackers
• Break into systems to steal or destroy data
• U.S. Department of Justice calls both hackers
Ethical hacker
• Performs most of the same activities but with owner’s permission
The Role of Security and Penetration Testers
Script kiddies or packet monkeys
• Young inexperienced hackers
• Copy codes and techniques from knowledgeable hackers
Experienced penetration testers write programs or scripts using these languages
• Practical Extraction and Report Language (Perl), C, C++, Python, JavaScript, Visual Basic, SQL, and many others
Script
• Set of instructions that runs in sequence
It Takes Time to Become a Hacker
• This class alone won’t make you a hacker, or an expert
  ▪ It might make you a script kiddie
• It usually takes years of study and experience to earn respect in the hacker community
• It’s a hobby, a lifestyle, and an attitude
  ▪ A drive to figure out how things work
Tiger box
• Collection of OSs and hacking tools
• Usually on a laptop
• Helps penetration testers and security testers conduct vulnerability assessments and attacks
Penetration-Testing Methodologies
White box model
• Tester is told everything about the network topology and technology
  ▪ Network diagram
• Tester is authorized to interview IT personnel and company employees
• Makes tester’s job a little easier
Network Diagram
• From ratemynetworkdiagram.com (Link Ch 1g)
• This is a Floor Plan
Black box model
• Company staff does not know about the test
• Tester is not given details about the network
  ▪ Burden is on the tester to find these details
• Tests if security personnel are able to detect an attack
Gray box model
• Hybrid of the white and black box models
• Company gives tester partial information
Certification Programs for Network Security Personnel
• Certification programs available in almost every area of network security
• Basics:
  ▪ CompTIA Security+ (CNIT 120)
  ▪ Network+ (CNIT 106 or 201)
Take Certification Tests Here
• CNIT is a Prometric Vue testing center
• Certification tests are given in S214
• CompTIA and Microsoft
• The next tests will be in the second week of April, right after Spring Break
  – Email [email protected] if you want to take a test
Certified Ethical Hacker (CEH)
• But see Run Away From The CEH Certification
• Link Ch 1e on my Web page
OSSTMM Professional Security Tester (OPST)
• Designated by the Institute for Security and Open Methodologies (ISECOM)
• Uses the Open Source Security Testing Methodology Manual (OSSTMM)
• Test is only offered in Connecticut and outside the USA, as far as I can tell
• See links Ch 1f and Ch 1h on my Web page
Certified Information Systems Security Professional (CISSP)
• Issued by the International Information Systems Security Certifications Consortium (ISC2)
• Usually more concerned with policies and procedures than technical details
• Web site: www.isc2.org
SANS Institute
• SysAdmin, Audit, Network, Security (SANS)
• Offers certifications through Global Information Assurance Certification (GIAC)
• Top 20 list
  ▪ One of the most popular SANS Institute documents
  ▪ Details the most common network exploits
  ▪ Suggests ways of correcting vulnerabilities
• Web site www.sans.org (links Ch 1i & Ch 1j)
What You Can Do Legally
• Laws involving technology change as rapidly as technology itself
• Find what is legal for you locally
  ▪ Laws change from place to place
• Be aware of what is allowed and what is not allowed
Laws of the Land
• Tools on your computer might be illegal to possess
• Contact local law enforcement agencies before installing hacking tools
• Written words are open to interpretation
• Governments are getting more serious about punishment for cybercrimes
Recent Hacking Cases
Is Port Scanning Legal?
• Some states deem it legal
  ▪ Not always the case
• Federal Government does not see it as a violation
  ▪ Allows each state to address it separately
• Read your ISP’s “Acceptable Use Policy”
  ▪ IRC “bots” may be forbidden
  ▪ Program that sends automatic responses to users
  ▪ Gives the appearance of a person being present
CCSF Computer Use Policy
Federal Laws
• Federal computer crime laws are getting more specific
  ▪ Cover cybercrimes and intellectual property issues
• Computer Hacking and Intellectual Property (CHIP)
  ▪ New government branch to address cybercrimes and intellectual property issues
What You Cannot Do Legally
• Accessing a computer without permission is illegal
• Other illegal actions
  ▪ Installing worms or viruses
  ▪ Denial of Service attacks
  ▪ Denying users access to network resources
• Be careful your actions do not prevent customers from doing their jobs
Anti-Spam Vigilantes: Lycos
• Ch 1l1: Lycos starts anti-spam screensaver plan: Dec 2, 2004
• Ch 1l2: Lycos Pulls Anti-Spam 'Vigilante' Campaign -- Dec 3, 2004
• Ch 1l3: Lycos's Spam Attack Network Dismantled -- Spammers sent the DOS packets back to Lycos -- Dec 6, 2004
Anti-Spam Vigilantes: Blue Frog
• Ch 1m: Blue Frog begins its "vigilante approach" to fight spam -- July, 2005
• Ch 1n: Russian spammer fights back, claims to have stolen Blue Frog's database, sends threatening email -- DOS attack in progress -- May 2, 2006
• Ch 1o: Blue Frog compromised and destroyed by attacks, urgent instructions to uninstall it, the owners have lost control -- May 17, 2006
Anti-Spam Vigilantes: The Future
• Ch 1p: Call for help creating distributed, open-source Blue Frog replacement -- May 17, 2006
• Not in textbook, see links on my page (samsclass.info)
Get It in Writing
• Using a contract is just good business
• Contracts may be useful in court
• Books on working as an independent contractor
  ▪ The Computer Consultant’s Guide by Janet Ruhl
  ▪ Getting Started in Computer Consulting by Peter Meyer
• Internet can also be a useful resource
• Have an attorney read over your contract before sending or signing it
Ethical Hacking in a Nutshell
• What it takes to be a security tester
  ▪ Knowledge of network and computer technology
  ▪ Ability to communicate with management and IT personnel
  ▪ Understanding of the laws
  ▪ Ability to use necessary tools
Last modified 1-20-07 0:12
Chapter 2: TCP/IP Concepts Review
Objectives
• Describe the TCP/IP protocol stack
• Explain the basic concepts of IP addressing
• Explain the binary, octal, and hexadecimal numbering systems
Overview of TCP/IP Protocol
• Common language used by computers for speaking
• Transmission Control Protocol/Internet Protocol (TCP/IP)
  ▪ Most widely used protocol
• TCP/IP stack
  ▪ Contains four different layers: Network, Internet, Transport, Application
The Application Layer
• Front end to the lower-layer protocols
• What you can see and touch – closest to the user at the keyboard
• HTTP, FTP, SMTP, SNMP, SSH, IRC and TELNET all operate in the Application Layer
The Transport Layer
• Encapsulates data into segments
• Segments can use TCP or UDP to reach a destination host
• TCP is a connection-oriented protocol
• TCP three-way handshake
  ▪ Computer A sends a SYN packet
  ▪ Computer B replies with a SYN-ACK packet
  ▪ Computer A replies with an ACK packet
TCP Header Format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
(TCP header layout as given in RFC 793)
TCP Segment Headers
• Critical components:
  ▪ TCP flags
  ▪ Initial Sequence Number (ISN)
  ▪ Source and destination port
• Abused by hackers finding vulnerabilities
TCP Flags
• Each flag occupies one bit
• Can be set to 0 (off) or 1 (on)
• Six flags
  ▪ SYN: synchronize (not synthesis) flag
  ▪ ACK: acknowledge flag
  ▪ PSH: push flag
  ▪ URG: urgent flag
  ▪ RST: reset flag
  ▪ FIN: finish flag
• Error in textbook on page 22: SYNchronize, not SYNthesis (link Ch 2a, RFC 793)
Initial Sequence Number (ISN)
• 32-bit number
• Tracks packets received
• Enables reassembly of large packets
• Sent on steps 1 and 2 of the TCP three-way handshake
• By guessing ISN values, a hacker can hijack a TCP session, gaining access to a server without logging in
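To make the header layout and the three-way handshake concrete, here is an added example (not part of the course slides or the textbook) that builds three constructed 20-byte TCP headers, parses the ports, sequence/acknowledgment numbers and flag bits out of them with the RFC 793 layout, and labels each one's place in the handshake. The port numbers and ISN values are made up for the demonstration.

```python
import struct

# Flag bits in the low 6 bits of the 16-bit offset/reserved/flags word (RFC 793)
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=8192):
    """Construct a minimal 20-byte TCP header (no options) as test input.
    Checksum and urgent pointer are left at zero: this is a constructed sample,
    not a segment captured from a real network."""
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAG_BITS[name]
    data_offset = 5                                   # 5 x 32-bit words = 20 bytes
    offset_and_flags = (data_offset << 12) | flag_bits  # 6 reserved bits stay zero
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def parse_tcp_header(data):
    """Decode the fields the slides call critical: ports, sequence (ISN), ack, flags."""
    if len(data) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack, offset_and_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", data[:20])
    data_offset = (offset_and_flags >> 12) & 0xF      # header length in 32-bit words
    flag_bits = offset_and_flags & 0x3F
    flags = [name for name, bit in FLAG_BITS.items() if flag_bits & bit]
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "header_len": data_offset * 4, "flags": flags, "window": window,
        "checksum": checksum, "urgent": urgent,
    }


def handshake_step(flags):
    """Label a segment by its place in the three-way handshake."""
    f = set(flags)
    if f == {"SYN"}:
        return "step 1: SYN (client sends its ISN)"
    if f == {"SYN", "ACK"}:
        return "step 2: SYN-ACK (server sends its ISN, acknowledges client ISN + 1)"
    if f == {"ACK"}:
        return "step 3: ACK"
    return "not a handshake segment"


def walk_handshake(client_isn, server_isn):
    """Build the three constructed segments of a handshake and return
    (label, parsed header) pairs. The ack field is always the peer's ISN + 1,
    which is exactly the value a session hijacker would have to guess."""
    segments = [
        build_tcp_header(40000, 80, client_isn, 0, ["SYN"]),
        build_tcp_header(80, 40000, server_isn, client_isn + 1, ["SYN", "ACK"]),
        build_tcp_header(40000, 80, client_isn + 1, server_isn + 1, ["ACK"]),
    ]
    return [(handshake_step(p["flags"]), p) for p in map(parse_tcp_header, segments)]


if __name__ == "__main__":
    for label, hdr in walk_handshake(client_isn=1000, server_isn=5000):
        print(label, "|", hdr["src_port"], "->", hdr["dst_port"],
              "seq", hdr["seq"], "ack", hdr["ack"], hdr["flags"])
```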
TCP Ports
Port
• Logical, not physical, component of a TCP connection
• Identifies the service that is running
  ▪ Example: HTTP uses port 80
• A 16-bit number – 65,536 ports
• Each TCP packet has a source and destination port
Blocking Ports
• Helps you stop or disable services that are not needed
  ▪ Open ports are an invitation for an attack
• You can’t block all the ports
  ▪ That would stop all networking
  ▪ At a minimum, ports 25 and 80 are usually open on a server, so it can send out Email and Web pages
• Only the first 1023 ports are considered well-known
• List of well-known ports
  ▪ Available at the Internet Assigned Numbers Authority (IANA) Web site (www.iana.org)
Ports 20 and 21
• File Transfer Protocol (FTP)
• Used for sharing files over the Internet
• Requires a logon name and password
• More secure than Trivial File Transfer Protocol (TFTP)
Port 25
• Simple Mail Transfer Protocol (SMTP)
• E-mail servers listen on this port
Port 53
• Domain Name Service (DNS)
• Helps users connect to Web sites using URLs instead of IP addresses
Port 69
• Trivial File Transfer Protocol
• Used for transferring router configurations
Port 80
• Hypertext Transfer Protocol (HTTP)
• Used when connecting to a Web server
Port 110
• Post Office Protocol 3 (POP3)
• Used for retrieving e-mail
Port 119
• Network News Transfer Protocol
• For use with newsgroups
Port 135
• Remote Procedure Call (RPC)
• Critical for the operation of Microsoft Exchange Server and Active Directory
Port 139
• NetBIOS
• Used by Microsoft’s NetBIOS Session Service
• File and printer sharing
Port 143
• Internet Message Access Protocol 4 (IMAP4)
• Used for retrieving e-mail
• More features than POP3
Demonstration
• Telnet to hills.ccsf.edu and netstat to see the connections
  ▪ Port 23 (usual Telnet)
  ▪ Port 25 blocked off campus, but 110 connects
  ▪ Port 21 works, but needs a username and password
Demonstration
• Wireshark Packet Sniffer
  ▪ TCP Handshake: SYN, SYN/ACK, ACK
  ▪ TCP Ports
  ▪ TCP Status Flags
User Datagram Protocol (UDP)
• Fast but unreliable protocol
• Operates on transport layer
• Does not need to verify whether the receiver is listening
• Higher layers of the TCP/IP stack handle reliability problems
• Connectionless protocol
The Internet Layer
• Responsible for routing packets to their destination address
• Uses a logical address, called an IP address
• IP addressing packet delivery is connectionless
Internet Control Message Protocol (ICMP)
• Operates in the Internet layer of the TCP/IP stack
• Used to send messages related to network operations
• Helps in troubleshooting a network
• Some commands include
  ▪ Ping
  ▪ Traceroute
Wireshark Capture of a PING
Warriors of the Net
• Network+ Movie
• Warriorsofthe.net (link Ch 2d)
IP Addressing
• Consists of four bytes, like 147.144.20.1
• Two components
  ▪ Network address
  ▪ Host address
• Neither portion may be all 1s or all 0s
• Classes
  ▪ Class A
  ▪ Class B
  ▪ Class C
Class A
• First byte is reserved for network address
• Last three bytes are for host address
• Supports more than 16 million host computers
• Limited number of Class A networks
• Reserved for large corporations and governments (see link Ch 2b)
• Format: network.node.node.node
Class B
• First two bytes are reserved for network address
• Last two bytes are for host address
• Supports more than 65,000 host computers
• Assigned to large corporations and Internet Service Providers (ISPs)
• Format: network.network.node.node
• CCSF has 147.144.0.0 – 147.144.255.255
Class C
• First three bytes are reserved for network address
• Last byte is for host address
• Supports up to 254 host computers
• Usually available for small business and home networks
• Format: network.network.network.node
Subnetting
• Each network can be assigned a subnet mask
• Helps identify the network address bits from the host address bits
• Class A uses a subnet mask of 255.0.0.0, also called /8
• Class B uses a subnet mask of 255.255.0.0, also called /16
• Class C uses a subnet mask of 255.255.255.0, also called /24
Planning IP Address Assignments
• Each network segment must have a unique network address
• Address cannot contain all 0s or all 1s
• To access computers on other networks
  ▪ Each computer needs IP address of gateway
  ▪ TCP/IP uses subnet mask to determine if the destination computer is on the same network or a different network
  ▪ If destination is on a different network, it relays packet to gateway
  ▪ Gateway forwards packet to its next destination (routing)
  ▪ Packet eventually reaches destination
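The classful rules and the "same network or gateway?" decision above can be written down in a few lines. This is an added example, not from the slides or textbook: it classifies an address by its first byte, derives the classful mask, checks the all-0s/all-1s host rule, and makes the routing decision the way the slides describe it (mask both addresses, compare the network parts). The gateway address 147.144.0.1 is an assumed value for the demonstration; 147.144.0.0/16 is the CCSF range the slides mention.

```python
import ipaddress

# Classful prefix lengths from the slides: A = /8, B = /16, C = /24
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}


def classful_class(addr):
    """Classify by the first byte. D (multicast) and E (reserved) are reported
    rather than silently treated as unicast networks."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def classful_network(addr):
    """Classful network for a host address, e.g. 147.144.20.1 -> 147.144.0.0/16."""
    cls = classful_class(addr)
    if cls not in CLASS_PREFIX:
        raise ValueError(f"{addr} is class {cls}, not a unicast host address")
    return ipaddress.ip_network(f"{addr}/{CLASS_PREFIX[cls]}", strict=False)


def usable_hosts(addr):
    """Host addresses available on the classful network, excluding the
    all-0s (network) and all-1s (broadcast) host values."""
    return classful_network(addr).num_addresses - 2


def is_valid_host(addr, mask):
    """The host portion may not be all 0s or all 1s under the given mask."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    ip = ipaddress.IPv4Address(addr)
    return ip != net.network_address and ip != net.broadcast_address


def next_hop(src, mask, dst, gateway):
    """AND both addresses with the subnet mask; equal network parts mean direct
    delivery, otherwise the packet is handed to the gateway for routing."""
    m = int(ipaddress.IPv4Address(mask))
    src_net = int(ipaddress.IPv4Address(src)) & m
    dst_net = int(ipaddress.IPv4Address(dst)) & m
    return ("direct", dst) if src_net == dst_net else ("gateway", gateway)


if __name__ == "__main__":
    host, mask, gw = "147.144.20.1", "255.255.0.0", "147.144.0.1"   # gateway is assumed
    print(host, "is class", classful_class(host), "on", classful_network(host),
          "with", usable_hosts(host), "usable hosts")
    for dst in ("147.144.30.9", "18.7.22.69"):
        print("to", dst, "->", next_hop(host, mask, dst, gw))
```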
Overview of Numbering Systems
• Binary
• Octal
• Hexadecimal
Reviewing the Binary Numbering System
• Uses the number 2 as its base
• Binary digits (bits): 0 and 1
• Byte
  ▪ Group of 8 bits
  ▪ Can represent 2^8 = 256 different values
UNIX and Linux Permissions
• UNIX and Linux file permissions are represented with bits
  ▪ 0 means removing the permission
  ▪ 1 means granting the permission
  ▪ 111 (rwx) means all permissions apply
Examples of Determining Binary Values
• Each position represents a power of 2 value
• Usually the bit on the right is the least significant bit
• Converting 1011 to decimal
  ▪ 1 x 2^0 = 1
  ▪ 1 x 2^1 = 2
  ▪ 0 x 2^2 = 0
  ▪ 1 x 2^3 = 8
  ▪ 1 + 2 + 8 = 11 (decimal value)
Understanding Nibbles
• Half a byte or four bits
• Helps with reading the number by separating the byte
  ▪ 1111 1010
• Components
  ▪ High-order nibble (left side)
  ▪ Low-order nibble (right side)
Understanding Nibbles (continued)
• Converting 1010 1010 to decimal
  ▪ Low-order nibble 1010 = 10 (base 10)
  ▪ Multiply high-order nibble by 16: 1010 = 10 x 16 = 160 (base 10)
  ▪ 160 + 10 = 170 (base 10)
Reviewing the Octal Numbering System
• Uses 8 as its base
• Supports digits from 0 to 7
• Octal digits can be represented with three bits
• Permissions on UNIX
  ▪ Owner permissions (rwx)
  ▪ Group permissions (rwx)
  ▪ Other permissions (rwx)
  ▪ Example: 111 101 001
  ▪ Octal representation 751
Reviewing the Hexadecimal Numbering System
• Uses 16 as its base
• Supports numbers from 0 to 15
• Hex number consists of two characters
  ▪ Each character represents a nibble
• Value contains alphabetic letters (A … F)
  ▪ A representing 10 and F representing 15
• Sometimes expressed with “0x” in front
• If you want more about binary, see Link Ch 2c
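The worked conversions above (1011 to 11, 1010 1010 via nibbles to 170, the rwx triplets 111 101 001 to octal 751, and a byte to two hex characters) as an added example, written for this page rather than taken from the slides or textbook. It implements the positional arithmetic directly instead of calling int(x, 2), so each step the slides show is visible in the code, and adds the inverse for permissions (751 back to rwxr-x--x).

```python
def bits_to_int(bits):
    """Weighted sum: each position is a power of 2, rightmost bit is least significant."""
    total = 0
    for position, bit in enumerate(reversed(bits.replace(" ", ""))):
        if bit not in "01":
            raise ValueError(f"not a binary digit: {bit!r}")
        total += int(bit) * 2 ** position
    return total


def byte_via_nibbles(bits):
    """Decode an 8-bit string the way the slides do: high nibble x 16 + low nibble."""
    bits = bits.replace(" ", "")
    if len(bits) != 8:
        raise ValueError("expected exactly 8 bits")
    high, low = bits_to_int(bits[:4]), bits_to_int(bits[4:])
    return high * 16 + low


def rwx_bits_to_octal(owner, group, other):
    """Three rwx bit triplets -> octal mode string, e.g. '111', '101', '001' -> '751'.
    Each octal digit is exactly one 3-bit triplet, so no carries are involved."""
    triplets = (owner, group, other)
    if any(len(t) != 3 for t in triplets):
        raise ValueError("each permission group is exactly three bits")
    return "".join(str(bits_to_int(t)) for t in triplets)


def octal_to_rwx(mode):
    """Inverse: '751' -> 'rwxr-x--x', reading each octal digit as r=4, w=2, x=1."""
    out = []
    for digit in mode:
        value = int(digit, 8)          # raises ValueError for 8 or 9
        out.append(("r" if value & 4 else "-")
                   + ("w" if value & 2 else "-")
                   + ("x" if value & 1 else "-"))
    return "".join(out)


def byte_to_hex(value):
    """Two hex characters, one per nibble, with the 0x prefix the slides mention."""
    if not 0 <= value <= 255:
        raise ValueError("byte out of range")
    digits = "0123456789ABCDEF"
    return "0x" + digits[value >> 4] + digits[value & 0xF]


if __name__ == "__main__":
    print("1011 =", bits_to_int("1011"))
    print("1010 1010 =", byte_via_nibbles("1010 1010"))
    print("111 101 001 = octal", rwx_bits_to_octal("111", "101", "001"),
          "=", octal_to_rwx("751"))
    print("1111 1010 =", bits_to_int("1111 1010"), "=", byte_to_hex(bits_to_int("1111 1010")))
```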
Last modified 1-26-07 10 pm
Chapter 3: Network and Computer Attacks
Objectives
• Describe the different types of malicious software
• Describe methods of protecting against malware attacks
• Describe the types of network attacks
• Identify physical security attacks and vulnerabilities
Malicious Software (Malware)
• Network attacks prevent a business from operating
• Malicious software (Malware) includes
  ▪ Virus
  ▪ Worms
  ▪ Trojan horses
• Goals
  ▪ Destroy data
  ▪ Corrupt data
  ▪ Shutdown a network or system
Viruses
• Virus attaches itself to an executable file
• Can replicate itself through an executable program
• Needs a host program to replicate
• No foolproof method of preventing them
Antivirus Software
• Detects and removes viruses
• Detection based on virus signatures
• Must update signature database periodically
  ▪ Use automatic update feature
Base 64 Encoding
• Used to evade anti-spam tools, and to obscure passwords
• Encodes six bits at a time (0 – 64) with a single ASCII character
  ▪ A - Z: 0 – 25
  ▪ a – z: 26 – 51
  ▪ 1 – 9: 52 – 61
  ▪ + and - 62 and 63
• See links Ch 3a, 3b
Viruses (continued)
• Commercial base 64 decoders
• Shell
  ▪ Executable piece of programming code
  ▪ Should not appear in an e-mail attachment
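To show what "six bits at a time" means in practice, here is an added Base64 encoder/decoder (not from the slides or textbook) that works on the bit string directly, so the 6-bit grouping and the '=' padding are explicit. It uses the standard alphabet from RFC 4648, in which the digits 0–9 occupy values 52–61 and '+' and '/' are 62 and 63. The last function is the kind of cheap filter a mail scanner can apply before decoding an attachment or a header value.

```python
# Standard Base64 alphabet (RFC 4648): A-Z, a-z, 0-9, '+', '/'
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode(data: bytes) -> str:
    """Lay the input out as a bit string, emit one character per 6 bits,
    zero-fill the final partial group, and pad the text to a multiple of 4."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * ((-len(bits)) % 6)              # zero bits to complete the last 6-bit group
    out = "".join(ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))
    return out + "=" * ((3 - len(data) % 3) % 3)  # one '=' per missing input byte


def b64decode(text: str) -> bytes:
    """Inverse mapping; rejects characters outside the alphabet instead of guessing."""
    bits = ""
    for ch in text.rstrip("="):
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base64 character: {ch!r}")
        bits += f"{idx:06b}"
    usable = len(bits) - len(bits) % 8            # drop the zero-fill bits
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def looks_like_base64(token: str) -> bool:
    """Cheap pre-filter: right alphabet, length a multiple of 4, at most two '='
    and only at the end. A True result is a reason to decode and inspect,
    not proof that the token is Base64."""
    body = token.rstrip("=")
    if not body or len(token) % 4 or len(token) - len(body) > 2:
        return False
    return all(c in ALPHABET for c in body)


def decode_if_base64(token: str):
    """What a scanner would do with a suspicious token: decode it when it passes
    the filter, return None otherwise."""
    return b64decode(token) if looks_like_base64(token) else None


if __name__ == "__main__":
    for sample in (b"Man", b"password", b"\x00\xff\x10"):
        encoded = b64encode(sample)
        print(sample, "->", encoded, "->", b64decode(encoded))
    print(decode_if_base64("cGFzc3dvcmQ="), decode_if_base64("not-base64!"))
```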
Macro Viruses
• Virus encoded as a macro
• Macro
  ▪ Lists of commands
  ▪ Can be used in destructive ways
• Example: Melissa
  ▪ Appeared in 1999
  ▪ It is very simple – see link Ch 3c for source code
Writing Viruses
• Even nonprogrammers can create macro viruses
• Instructions posted on Web sites
• Virus creation kits available for download (see link Ch 3d)
• Security professionals can learn from thinking like attackers
• But don’t create and release a virus! People get long prison terms for that.
Worms
• Worm
  ▪ Replicates and propagates without a host
• Infamous examples
  ▪ Code Red
  ▪ Nimda
• Can infect every computer in the world in a short time
  ▪ At least in theory
ATM Machine Worms
• Cyberattacks against ATM machines
  ▪ Slammer and Nachi worms
• Trend produces antivirus for ATM machines
• See links Ch 3g, 3h, 3i
• Nachi was written to clean up damage caused by the Blaster worm, but it got out of control
  ▪ See link Ch 3j
• Diebold was criticized for using Windows for ATM machines, which they also use on voting machines
Trojan Programs
• Insidious attack against networks
• Disguise themselves as useful programs
  ▪ Hide malicious content in program
• Backdoors
• Rootkits
  ▪ Allow attackers remote access
Firewalls
• Identify traffic on uncommon ports
• Can block this type of attack, if your firewall filters outgoing traffic
  ▪ Windows XP SP2’s firewall does not filter outgoing traffic
  ▪ Vista’s firewall doesn’t either (by default), according to links Ch 3l and 3m
• Trojan programs can use known ports to get through firewalls
  ▪ HTTP (TCP 80) or DNS (UDP 53)
Trojan Demonstration
• Make a file with command-line Windows commands
• Save it as C:\Documents and Settings\username\cmd.bat
• Start, Run, CMD will execute this file instead of C:\Windows\System32\Cmd.exe
Improved Trojan
• Resets the administrator password
• Almost invisible to user
• Works in Win XP, but not so easy in Vista
Spyware
• Sends information from the infected computer to the attacker
  ▪ Confidential financial data
  ▪ Passwords
  ▪ PINs
  ▪ Any other stored data
• Can register each keystroke entered (keylogger)
• Prevalent technology
• Educate users about spyware
Deceptive Dialog Box
Adware
• Similar to spyware
  ▪ Can be installed without the user being aware
• Sometimes displays a banner
• Main goal
  ▪ Determine user’s online purchasing habits
  ▪ Tailored advertisement
• Main problem
  ▪ Slows down computers
Protecting Against Malware Attacks
• Difficult task
  ▪ New viruses, worms, Trojan programs appear daily
• Antivirus programs offer a lot of protection
• Educate your users about these types of attacks
Educating Your Users
• Structured training
  ▪ Most effective measure
  ▪ Includes all employees and management
• E-mail monthly security updates
  ▪ Simple but effective training method
• Update virus signature database automatically
• SpyBot and Ad-Aware
  ▪ Help protect against spyware and adware
  ▪ Windows Defender is excellent too
Firewalls
• Hardware (enterprise solution)
• Software (personal solution)
• Can be combined
Intrusion Detection System (IDS)
• Monitors your network 24/7
FUD
• Fear, Uncertainty and Doubt
• Avoid scaring users into complying with security measures
  ▪ Sometimes used by unethical security testers
  ▪ Against the OSSTMM’s Rules of Engagement
• Promote awareness rather than instilling fear
  ▪ Users should be aware of potential threats
  ▪ Build on users’ knowledge
Intruder Attacks on Networks and Computers
• Attack
  ▪ Any attempt by an unauthorized person to access or use network resources
• Network security
  ▪ Security of computers and other devices in a network
• Computer security
  ▪ Securing a standalone computer--not part of a network infrastructure
• Computer crime
  ▪ Fastest growing type of crime worldwide
Denial-of-Service Attacks
• Denial-of-Service (DoS) attack
  ▪ Prevents legitimate users from accessing network resources
  ▪ Some forms do not involve computers, like feeding a paper loop through a fax machine
• DoS attacks do not attempt to access information
  ▪ Cripple the network
  ▪ Make it vulnerable to other types of attacks
Testing for DoS Vulnerabilities
• Performing an attack yourself is not wise
• You only need to prove that an attack could be carried out
Distributed Denial-of-Service Attacks
• Attack on a host from multiple servers or workstations
• Network could be flooded with billions of requests
  ▪ Loss of bandwidth
  ▪ Degradation or loss of speed
• Often participants are not aware they are part of the attack
  ▪ Attacking computers could be controlled using Trojan programs
Buffer Overflow Attacks
• Vulnerability in poorly written code
  ▪ Code does not check predefined size of input field
• Goal
  ▪ Fill overflow buffer with executable code
  ▪ OS executes this code
  ▪ Can elevate attacker’s permission to Administrator or even Kernel
• Programmers need special training to write secure code
Ping of Death Attacks
• Type of DoS attack
• Not as common as during the late 1990s
• How it works
  ▪ Attacker creates a large ICMP packet (more than 65,535 bytes)
  ▪ Large packet is fragmented at source network
  ▪ Destination network reassembles large packet
  ▪ Destination point cannot handle oversize packet and crashes
• Modern systems are protected from this (Link Ch 3n)
Session Hijacking
• Enables attacker to join a TCP session
• Attacker makes both parties think he or she is the other party
Addressing Physical Security
• Protecting a network also requires physical security
• Inside attacks are more likely than attacks from outside the company
Keyloggers
• Used to capture keystrokes on a computer
  ▪ Hardware
  ▪ Software
• Software
  ▪ Behaves like Trojan programs
• Hardware
  ▪ Easy to install
  ▪ Goes between the keyboard and the CPU
  ▪ KeyKatcher and KeyGhost
• Protection
  ▪ Software-based: Antivirus
  ▪ Hardware-based: Random visual tests, Look for added hardware, Superglue keyboard connectors in
Behind Locked Doors
• Lock up your servers
  ▪ Physical access means they can hack in
• Consider Ophcrack – booting to a CD-based OS will bypass almost any security
Lockpicking
• Average person can pick deadbolt locks in less than five minutes
  ▪ After only a week or two of practice
• Experienced hackers can pick deadbolt locks in under 30 seconds
• Bump keys are even easier (Link Ch 3o)
Card Reader Locks
• Keep a log of who enters and leaves the room
• Security cards can be used instead of keys for better security
• Image from link Ch 3p
Last modified 2-2-07 3 pm
Chapter 4: Footprinting and Social Engineering
Objectives
• Footprinting
• Describe DNS zone transfers
• Identify the types of social engineering
Footprinting
Using Web Tools for Footprinting
• “Case the joint”
  ▪ Look over the location
  ▪ Find weakness in security systems
  ▪ Types of locks, alarms
• In computer jargon, this is called footprinting
  ▪ Discover information about the organization and its network
Conducting Competitive Intelligence
• Numerous resources to find information legally
• Competitive Intelligence
  ▪ Gathering information using technology
• Identify methods others can use to find information about your organization
• Limit amount of information company makes public
Analyzing a Company’s Web Site
• Web pages are an easy source of information
Setting Proxy Server
• Many tools available
• Paros
  ▪ Powerful tool for UNIX and Windows
  ▪ www.parosproxy.org
  ▪ Requires having Java J2SE installed (www.sun.com)
Paros
• Start Paros
• Set proxy server in a browser
• Then go to a site in the browser
  ▪ mtsconsulting.net is a good test
• Analyze -> Spider to find all the pages
Setting a Proxy Server in Firefox
• Tools, Options, Advanced, Settings
• Then go to mtjconsulting.com
Spider Results
• In Paros: Analyze, Spider
• Finds all the pages in a site
• Don’t scan any sites without permission! Only mtjconsulting.com
Scan Results
• In Paros: Analyze, Scan
• Finds security risks in a site
• Again, don’t scan sites without permission!
Using Other Footprinting Tools
• Whois
  ▪ Commonly used tool
  ▪ Gathers IP address and domain information
  ▪ Attackers can also use it
• Host command
  ▪ Can look up one IP address, or the whole DNS Zone file (all the servers in the domain)
ARIN Whois from Linux host mit.edu
• nc whois.arin.net 18.7.22.69
• This shows registration information for the domain
SamSpade
• GUI tool
• Available for UNIX and Windows
• Easy to use
Using E-mail Addresses
• E-mail addresses help you retrieve even more information than the previous commands
• Find e-mail address format
  ▪ Guess other employees’ e-mail accounts
• Tool to find corporate employee information
  ▪ Groups.google.com
Using HTTP Basics
• HTTP operates on port 80
• Use HTTP language to pull information from a Web server
• Basic understanding of HTTP is beneficial for security testers
• Return codes
  ▪ Reveal information about server OS
HTTP methods
• GET / HTTP/1.1 is the most basic method
• Can determine information about server OS from the server’s generated output
• Activity 4-3 in your book does not work
Using Netcat as a Browser
• Use Ubuntu Linux
• nc www.ccsf.edu 80
• HEAD / HTTP/1.0
  ▪ Gets header
• GET / HTTP/1.0
  ▪ Gets whole Web page
• Open www.ccsf.edu in a browser and compare to source code
Cookies and Web Bugs
Detecting Cookies and Web Bugs
• Cookie
  ▪ Text file generated by a Web server
  ▪ Stored on a user’s browser
  ▪ Information sent back to Web server when user returns
  ▪ Used to customize Web pages
  ▪ Some cookies store personal information
    Security issue
Viewing Cookies
• In Firefox: Tools, Options, Privacy tab, Show Cookies
Web bug
• 1-pixel x 1-pixel image file (usually transparent)
• Referenced in an <IMG> tag
• Usually works with a cookie
• Purpose similar to that of spyware and adware in data collection
• Comes from third-party companies specializing
Web Bug Detector 1.0
• Firefox experimental add-in program that warns you about Web bugs
• Bugnosis is gone
Using Domain Name Service (DNS) Zone Transfers
• DNS
  ▪ Resolves host names to IP addresses
  ▪ People prefer using URLs to IP addresses
  ▪ Extremely vulnerable
• Zone Transfer tools
  ▪ Dig
  ▪ Host
Primary DNS Server
• Determining company’s primary DNS server
  ▪ Look for the Start of Authority (SOA) record
  ▪ Shows zones or IP addresses
• Using dig to find the SOA
  ▪ dig soa mit.edu
  ▪ Shows three servers, with IP addresses
  ▪ This is a start at mapping the MIT network
Using (DNS) Zone Transfers
• Zone Transfer
  ▪ Enables you to see all hosts on a network
  ▪ Gives you organization’s network diagram
• MIT has protected their network – zone transfers no longer work
  ▪ dig @BITSY.mit.edu mit.edu axfr
  ▪ Command fails now
Introduction to Social Engineering
• Older than computers
• Targets the human component of a network
• Goals
  ▪ Obtain confidential information (passwords)
  ▪ Obtain personal information
• Tactics
  ▪ Persuasion
  ▪ Intimidation
  ▪ Coercion
  ▪ Extortion/blackmailing
• The biggest security threat to networks
• Most difficult to protect against
• Main idea:
  ▪ “Why crack a password when you can simply ask for it?”
  ▪ Users divulge their passwords to IT personnel
• Studies human behavior
  ▪ Recognize personality traits
  ▪ Understand how to read body language
• Techniques
  ▪ Urgency
  ▪ Quid pro quo
  ▪ Status quo
  ▪ Kindness
  ▪ Position
Preventing Social Engineering
• Train users not to reveal any information to outsiders
• Verify caller identity
  ▪ Ask questions
  ▪ Call back to confirm
• Security drills
The Art of Shoulder Surfing
• Shoulder surfer
  ▪ Reads what users enter on keyboards: logon names, passwords, PINs
Tools for Shoulder Surfing
• Binoculars or telescopes or cameras in cell phones
• Knowledge of key positions and typing techniques
• Knowledge of popular letter substitutions
  ▪ s equals $, a equals @
Prevention
• Avoid typing when someone is nearby
• Avoid typing when someone nearby is talking on a cell phone
• Computer monitors should face away from door or cubicle entryway
• Immediately change password if you suspect someone is observing you
Dumpster Diving
• Attacker finds information in victim’s trash
  ▪ Discarded computer manuals (notes or passwords written in them)
  ▪ Telephone directories
  ▪ Calendars with schedules
  ▪ Financial reports
  ▪ Interoffice memos
  ▪ Company policy
  ▪ Utility bills
  ▪ Resumes of employees
• Prevention
  ▪ Educate your users about dumpster diving
  ▪ Proper trash disposal
  ▪ Use “disk shredder” software to erase disks before discarding them
    Software writes random bits, done at least seven times
  ▪ Discard computer manuals offsite
  ▪ Shred documents before disposal
The Art of Piggybacking
• Trailing closely behind an employee cleared to enter restricted areas
• How it works:
  ▪ Watch authorized personnel enter an area
  ▪ Quickly join them at security entrance
  ▪ Exploit the desire of others to be polite and helpful
  ▪ Attacker wears a fake badge or security card
• Prevention
  ▪ Use turnstiles
  ▪ Train personnel to report the presence of strangers
  ▪ Do not hold secured doors for anyone, even for people you know
  ▪ All employees must use secure cards
Last modified 2-23-09
Chapter 5: Port Scanning
Objectives
• Describe port scanning
• Describe different types of port scans
• Describe various port-scanning tools
• Explain what ping sweeps are used for
• Explain how shell scripting is used to automate security tasks
Introduction to Port Scanning
• Port Scanning
  ▪ Finds out which services are offered by a host
  ▪ Identifies vulnerabilities
• Open services can be used on attacks
  ▪ Identify a vulnerable port
  ▪ Launch an exploit
• Scan all ports when testing
  ▪ Not just well-known ports
AW Security Port Scanner
• A commercial tool to identify vulnerabilities
• Port scanning programs report
  ▪ Open ports
  ▪ Closed ports
  ▪ Filtered ports
  ▪ Best-guess assessment of which OS is running
Is Port Scanning Legal?
• The legal status of port scanning is unclear
  ▪ If you have permission, it's legal
  ▪ If you cause damage of $5,000 or more, it may be illegal
  ▪ For more, see links Ch 5a and Ch 5b
Types of Port Scans
Normal TCP Handshake
• Client → Server: SYN
• Server → Client: SYN/ACK
• Client → Server: ACK
• After this, you are ready to send data
SYN Port Scan
• Client → Server: SYN
• Server → Client: SYN/ACK
• Client → Server: RST
• The server is ready, but the client decided not to complete the handshake
SYN scan
• Stealthy scan, because session handshakes are never completed
  ▪ That keeps it out of some log files
• Three states
  ▪ Closed: RST response from server
  ▪ Open: SYN,ACK response from server; client then sends RST
  ▪ Filtered: no response from server
Connect scan
• Completes the three-way handshake
• Not stealthy--appears in log files
• Three states
  ▪ Closed: RST response from server
  ▪ Open: SYN,ACK response from server; client sends ACK, then client sends RST
  ▪ Filtered: no response from server
NULL scan
• All the packet flags are turned off
• Two results:
  ▪ Closed ports reply with RST
  ▪ Open or filtered ports give no response
XMAS scan
• FIN, PSH and URG flags are set
• Works like a NULL scan – a closed port responds with an RST packet
FIN scan
• Only FIN flag is set
• Closed port responds with an RST packet
Windows Machines NULL, XMAS and FIN scans don't work on Windows machines
• Win 2000 Pro and Win Server 2003 show all ports closed • Win XP Pro shows all ports open/filtered
• See the NMAP tutorial (link Ch 5c)
Ping scan
• Simplest method sends ICMP ECHO REQUEST to the destination(s) • TCP Ping sends SYN or ACK to any port (default is port 80 for Nmap) • Any response shows the target is up
ACK scan • Used to get information about a firewall • Stateful firewalls track connections and block unsolicited ACK packets, so you get no response • Stateless firewalls just block incoming SYN packets, so the ACK gets through and you get a RST response
UDP scan • Closed port responds with ICMP “Port Unreachable” message • An open or filtered port usually gives no response at all, so the scan is slow and the result is ambiguous • Rarely used
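Added example (not from the course notes or the textbook): the port-state rules above for SYN, connect, NULL/FIN/XMAS, ACK and UDP scans as one C decision function. The reply model is my simplification: a probe gets back a TCP segment with some flags, an ICMP port-unreachable, a UDP payload, or nothing. The Windows caveat above still applies: a host that answers every NULL/FIN/XMAS probe with RST makes this function report every port closed.

```c
#include <stdio.h>
#include <stdbool.h>

/* Added example: port-state decision table for the scan types in the notes.
 * The reply model (one TCP reply, an ICMP port unreachable, a UDP payload,
 * or silence) is a simplification of what a scanner actually sees. */

enum scan_type  { SCAN_SYN, SCAN_CONNECT, SCAN_NULL, SCAN_FIN, SCAN_XMAS,
                  SCAN_ACK, SCAN_UDP };
enum reply_kind { REPLY_NONE, REPLY_TCP, REPLY_ICMP_UNREACH, REPLY_UDP_DATA };
enum port_state { ST_OPEN, ST_CLOSED, ST_FILTERED, ST_OPEN_FILTERED,
                  ST_UNFILTERED };

/* TCP flag bits as laid out in the flags byte of the TCP header */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

struct reply { enum reply_kind kind; unsigned char flags; };

/* Helpers that describe what came back from one probe */
struct reply tcp_reply(unsigned char flags)
{ struct reply r = { REPLY_TCP, flags }; return r; }
struct reply no_reply(void)
{ struct reply r = { REPLY_NONE, 0 }; return r; }
struct reply icmp_unreachable(void)
{ struct reply r = { REPLY_ICMP_UNREACH, 0 }; return r; }
struct reply udp_payload(void)
{ struct reply r = { REPLY_UDP_DATA, 0 }; return r; }

/* The flags a scanner sets in each TCP probe (documentation of the scan types) */
unsigned char probe_flags(enum scan_type scan)
{
    switch (scan) {
    case SCAN_SYN: case SCAN_CONNECT: return TH_SYN;
    case SCAN_NULL: return 0;
    case SCAN_FIN:  return TH_FIN;
    case SCAN_XMAS: return TH_FIN | TH_PSH | TH_URG;
    case SCAN_ACK:  return TH_ACK;
    default:        return 0;            /* a UDP probe has no TCP flags */
    }
}

enum port_state classify(enum scan_type scan, struct reply r)
{
    bool rst    = r.kind == REPLY_TCP && (r.flags & TH_RST);
    bool synack = r.kind == REPLY_TCP && !rst &&
                  (r.flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK);

    switch (scan) {
    case SCAN_SYN:
    case SCAN_CONNECT:
        /* SYN/ACK: a service accepted. RST: nothing listens. Silence or an
         * ICMP unreachable: a filter ate the probe. */
        if (synack) return ST_OPEN;
        if (rst)    return ST_CLOSED;
        return ST_FILTERED;
    case SCAN_NULL:
    case SCAN_FIN:
    case SCAN_XMAS:
        /* RFC 793 hosts answer a closed port with RST and say nothing for an
         * open one, so silence cannot be told apart from a filter. Windows
         * sends RST for every port, which makes these scans useless there. */
        if (rst) return ST_CLOSED;
        if (r.kind == REPLY_ICMP_UNREACH) return ST_FILTERED;
        return ST_OPEN_FILTERED;
    case SCAN_ACK:
        /* Tells nothing about open/closed, only whether a stateful firewall
         * dropped the unsolicited ACK (silence) or it reached the host (RST). */
        if (rst) return ST_UNFILTERED;
        return ST_FILTERED;
    case SCAN_UDP:
        if (r.kind == REPLY_UDP_DATA)     return ST_OPEN;
        if (r.kind == REPLY_ICMP_UNREACH) return ST_CLOSED;
        return ST_OPEN_FILTERED;         /* no answer: open or filtered */
    }
    return ST_FILTERED;
}

const char *state_name(enum port_state s)
{
    static const char *names[] = { "open", "closed", "filtered",
                                   "open|filtered", "unfiltered" };
    return names[s];
}

int main(void)
{
    printf("SYN scan, got SYN/ACK : %s\n", state_name(classify(SCAN_SYN,  tcp_reply(TH_SYN | TH_ACK))));
    printf("SYN scan, got RST/ACK : %s\n", state_name(classify(SCAN_SYN,  tcp_reply(TH_RST | TH_ACK))));
    printf("XMAS scan, no reply   : %s\n", state_name(classify(SCAN_XMAS, no_reply())));
    printf("ACK scan, got RST     : %s\n", state_name(classify(SCAN_ACK,  tcp_reply(TH_RST))));
    printf("UDP scan, ICMP unreach: %s\n", state_name(classify(SCAN_UDP,  icmp_unreachable())));
    return 0;
}
```

The "unfiltered" result is how Nmap labels an ACK probe answered with RST: the port is reachable through the firewall, but the probe says nothing about whether a service is listening.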
Using Port-Scanning Tools
Nmap Unicornscan NetScanTools Pro 2004 Nessus
Nmap Originally written for Phrack magazine One of the most popular tools GUI versions
• Xnmap and Ubuntu's NmapFE
Open source tool Standard tool for security professionals The Matrix Reloaded Trinity uses Nmap (Video at link Ch 4e)
Unicornscan Developed in 2004 for Linux & UNIX only Ideal for large networks Scans 65,535 ports in three to seven seconds Optimizes UDP scanning Also can use TCP, ICMP, or IP
• Free from http://unicornscan.org/ (link Ch 5f)
NetScanTools Pro Robust easy-to-use commercial tool Runs on Windows Types of tests
• Database vulnerabilities • DHCP server discovery • IP packets viewer • Name server lookup • OS fingerprinting • Many more (see link Ch 5g)
Nessus First released in 1998 Free, open source tool Uses a client/server technology Can conduct tests from different locations Can use different OSs for client and server
Server • Any *NIX platform
Client • Can be *NIX or Windows
Functions much like a database server Ability to update security checks plug-ins Some plug-ins are considered dangerous Finds services running on ports Finds vulnerabilities associated with identified services
Nessus Plug-ins
Conducting Ping Sweeps
Ping sweeps • Identify which IP addresses belong to active hosts • Ping a range of IP addresses
Problems • Computers that are shut down cannot respond • Networks may be configured to block ICMP Echo Requests • Firewalls may filter out ICMP traffic
FPing Ping multiple IP addresses simultaneously www.fping.com/download Command-line tool Input: multiple IP addresses
• To enter a range of addresses: -g option
• Input file with addresses: -f option
See links Ch 5k, 5l
Hping Used to bypass filtering devices
• Allows users to fragment and manipulate IP packets
www.hping.org/download Powerful tool
• All security testers must be familiar with this tool
Supports many parameters (command options) • See links Ch 5m, Ch 5n
Broadcast Addresses If you PING a broadcast address, that can create a lot of traffic Normally the broadcast address ends in 255 But if your LAN is subnetted with a subnet mask like 255.255.255.192
• There are other broadcast addresses ending in 63, 127, and 191
Smurf Attack Pinging a broadcast address on an old network resulted in a lot of ping responses So just put the victim's IP address in the "From" field
• The victim is attacked by a flood of pings, none of them directly from you Modern routers don't forward broadcast packets, which prevents them from amplifying smurf attacks Windows XP and Ubuntu don't respond to broadcast PINGs
See links Ch 5o, 5p
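Added example (not from the course notes): the arithmetic behind the broadcast addresses above, in C. A directed broadcast address is the subnet's network address with every host bit set, so the mask 255.255.255.192 leaves six host bits, splits a /24 into four subnets, and gives four broadcast addresses ending in 63, 127, 191 and 255. The 192.168.1.0 network used in main() is an assumed example value.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Added example: why a 255.255.255.192 mask yields broadcast addresses
 * ending in 63, 127, 191 and 255. Addresses are host-order 32-bit integers. */

uint32_t ip_from_octets(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Broadcast address of the subnet that `ip` belongs to under `mask`:
 * keep the network bits, set every host bit. */
uint32_t broadcast_of(uint32_t ip, uint32_t mask)
{
    return (ip & mask) | ~mask;
}

/* How many subnets the mask carves out of one /24 (1 if the mask is /24 or shorter) */
size_t subnets_per_24(uint32_t mask)
{
    uint32_t host_bits = ~mask;            /* 0x3F for 255.255.255.192 */
    if (host_bits >= 0xFF) return 1;       /* /24 or larger: one subnet per /24 */
    return 256 / (host_bits + 1);          /* 256 / 64 = 4 for a /26 */
}

/* Broadcast address of the i-th subnet (0-based) inside the /24 that
 * contains `ip`; returns 0 when i is out of range for this mask. */
uint32_t nth_broadcast_in_24(uint32_t ip, uint32_t mask, size_t i)
{
    uint32_t base = ip & 0xFFFFFF00u;      /* the enclosing /24 */
    size_t n = subnets_per_24(mask);
    if (i >= n) return 0;
    return broadcast_of(base + (uint32_t)(i * (256 / n)), mask);
}

void print_ip(uint32_t ip)
{
    printf("%u.%u.%u.%u", (unsigned)(ip >> 24), (unsigned)((ip >> 16) & 0xFF),
           (unsigned)((ip >> 8) & 0xFF), (unsigned)(ip & 0xFF));
}

int main(void)
{
    uint32_t net  = ip_from_octets(192, 168, 1, 0);      /* assumed example LAN */
    uint32_t mask = ip_from_octets(255, 255, 255, 192);
    size_t n = subnets_per_24(mask);

    printf("mask "); print_ip(mask); printf(" splits the /24 into %zu subnets\n", n);
    for (size_t i = 0; i < n; i++) {
        printf("  subnet %zu broadcast: ", i);
        print_ip(nth_broadcast_in_24(net, mask, i));
        printf("\n");
    }
    return 0;
}
```

A ping sweep that only covers x.x.x.255 therefore misses three of the four broadcast addresses on such a LAN; the same function tells you which addresses a smurf-style amplifier would have answered from.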
Crafting IP Packets Packet components
• Source IP address • Destination IP address • Flags
Crafting packets helps you obtain more information about a service Tools
• Fping • Hping
Understanding Shell Scripting
Modify tools to better suit your needs Script
• Computer program that automates tasks • Time-saving solution
Scripting Basics Similar to DOS batch programming Script or batch file
• Text file • Contains multiple commands
Repetitive commands are good candidates for scripting Practice is the key
Last modified 2-23-07 8 pm
Chapter 6: Enumeration
Objectives
Describe the enumeration step of security testing Enumerate Microsoft OS targets Enumerate NetWare OS targets Enumerate *NIX OS targets Introduction to Enumeration Enumeration extracts information about:
• Resources or shares on the network • User names or groups assigned on the network • Last time user logged on • User’s password
Before enumeration, you use port scanning and footprinting • To determine the OS being used
Intrusive process
NBTscan NBT (NetBIOS over TCP/IP)
• is the Windows networking protocol
• used for shared folders and printers
NBTscan • Tool for enumerating Microsoft OSs
Enumerating Microsoft Operating Systems Study OS history
• Knowing your target makes your job easier Many attacks that work for older Windows OSs still work with newer versions
Windows 95 The first Windows version that did not start with DOS Still used the DOS kernel to some extent Introduced the Registry database to replace Win.ini, Autoexec.bat, and other text files Introduced Plug and Play and ActiveX Used FAT16 file system
Windows 98 and ME More stable than Win 95 Used FAT32 file system Win ME introduced System Restore Win 95, 98, and ME are collectively called "Win 9x"
Windows NT 3.51 Server/Workstation No dependence on DOS kernel Domains and Domain Controllers NTFS File System to replace FAT16 and FAT32 Much more secure and stable than Win9x Many companies still use Win NT Server Domain Controllers Win NT 4.0 was an upgrade
Windows 2000 Server/Professional Upgrade of Win NT Active Directory
• Powerful database storing information about all objects in a network Users, printers, servers, etc.
• Modeled on Novell's NDS (Novell Directory Services) Enumerating this system would include enumerating Active Directory
Windows XP Professional Much more secure, especially after Service Pack 2
• Windows File Protection • Data Execution Prevention • Windows Firewall
Windows Server 2003 Much more secure, especially after Service Pack 1
• Network services are closed by default • Internet Explorer security set higher
NetBIOS Basics Network Basic Input Output System (NetBIOS) • Programming interface • Allows computer communication over a LAN • Used to share files and printers
NetBIOS names Computer names on Windows systems 16 bytes long: up to 15 characters of name, and the 16th byte identifies the type of service running Must be unique on a network
NetBIOS Null Sessions Null session
• Unauthenticated connection to a Windows computer • Does not use logon and password values
Around for over a decade • Still present on Windows XP
A large vulnerability • See links Ch 6a-f
Null Session Information Using these NULL connections allows you to gather the following information from the host:
• List of users and groups • List of machines • List of shares • Users and host SIDs (Security Identifiers)
From brown.edu (link Ch 6b)
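Added example (not from the notes or the brown.edu page): what "16 bytes, last byte identifies the type of service" means concretely. The C code builds a NetBIOS name the way it travels in an NBNS query on UDP port 137 (15 name characters padded with spaces, a one-byte suffix, then each nibble turned into a letter from A to P) and decodes it back, including the suffix table that nbtstat prints as <00>, <03>, <1C>, <20> and so on. SERVER1 and SALESDOMAIN are made-up names.

```c
#include <stdio.h>
#include <string.h>

/* Added example: build and take apart NetBIOS names as nbtstat and NBTscan
 * display them. A NetBIOS name is exactly 16 bytes: up to 15 characters
 * padded with spaces, then a 16th byte (the suffix) that says which service
 * registered the name. On the wire (NBNS, UDP 137) the 16 bytes are
 * "first-level encoded": each nibble becomes one letter 'A'..'P', giving a
 * 32-character string. */

#define NB_RAW_LEN  16
#define NB_WIRE_LEN 32

/* Encode name + suffix into the 32-char wire form (static buffer). `pad` is
 * ' ' for a normal name; the "*" wildcard query is padded with '\0' bytes. */
const char *nb_wire_name(const char *name, unsigned char suffix, char pad)
{
    static char wire[NB_WIRE_LEN + 1];
    unsigned char raw[NB_RAW_LEN];
    size_t len = strlen(name);
    if (len > 15) len = 15;                     /* names are at most 15 chars */
    memset(raw, (unsigned char)pad, 15);
    memcpy(raw, name, len);
    raw[15] = suffix;
    for (int i = 0; i < NB_RAW_LEN; i++) {
        wire[2 * i]     = (char)('A' + (raw[i] >> 4));
        wire[2 * i + 1] = (char)('A' + (raw[i] & 0x0F));
    }
    wire[NB_WIRE_LEN] = '\0';
    return wire;
}

/* Decode the i-th byte of a wire-form name; -1 if the letters are not A..P */
static int nb_wire_byte(const char *enc, int i)
{
    char hi = enc[2 * i], lo = enc[2 * i + 1];
    if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P') return -1;
    return ((hi - 'A') << 4) | (lo - 'A');
}

/* The suffix (16th byte) of a wire-form name, or -1 if malformed */
int nb_wire_suffix(const char *enc)
{
    if (strlen(enc) != NB_WIRE_LEN) return -1;
    return nb_wire_byte(enc, 15);
}

/* The human-readable name with padding stripped (static buffer), or NULL */
const char *nb_wire_display_name(const char *enc)
{
    static char name[16];
    int n = 15;
    if (strlen(enc) != NB_WIRE_LEN) return NULL;
    for (int i = 0; i < 15; i++) {
        int b = nb_wire_byte(enc, i);
        if (b < 0) return NULL;
        name[i] = (char)b;
    }
    while (n > 0 && (name[n - 1] == ' ' || name[n - 1] == '\0')) n--;
    name[n] = '\0';
    return name;
}

/* Meaning of the common suffixes; is_group tells a group name from a unique one */
const char *nb_suffix_meaning(int suffix, int is_group)
{
    switch (suffix) {
    case 0x00: return is_group ? "Domain/workgroup name" : "Workstation service";
    case 0x03: return "Messenger service";
    case 0x1B: return "Domain master browser";
    case 0x1C: return "Domain controllers (group)";
    case 0x1D: return "Master browser";
    case 0x1E: return "Browser service elections (group)";
    case 0x20: return "File server service";
    default:   return "Unknown";
    }
}

int main(void)
{
    const char *wire = nb_wire_name("SERVER1", 0x20, ' ');   /* made-up host */
    int suffix = nb_wire_suffix(wire);
    printf("SERVER1<20> on the wire: %s\n", wire);
    printf("decoded: %s <%02X> = %s\n", nb_wire_display_name(wire), suffix,
           nb_suffix_meaning(suffix, 0));
    printf("wildcard name query:     %s\n", nb_wire_name("*", 0x00, '\0'));
    return 0;
}
```

The wildcard form is what NBTscan and nbtstat -A send to make a host list every name it has registered; a <20> entry in the answer is the file server service, which is the one a null session talks to.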
Demonstration of Null Sessions Start Win 2000 Pro:
Share a folder From a Win XP command prompt
• NET VIEW \\ip-address Fails
• NET USE \\ip-address\IPC$ "" /u:"" Creates the null session Username="" Password=""
• NET VIEW \\ip-address Works now
Demonstration of Enumeration Download Winfo from link Ch 6g Run it – see all the information!
NULL Session Information NULL sessions exist in Windows networking to allow
• Trusted domains to enumerate resources
• Computers outside the domain to authenticate and enumerate users
• The SYSTEM account to authenticate and enumerate resources
NetBIOS NULL sessions are enabled by default in Windows NT and 2000 From brown.edu (link Ch 6b)
NULL Sessions in Win XP and 2003 Server Windows XP and 2003 don't allow Null Sessions, according to link Ch 6c.
• I tried the NET USE command on Win XP SP2 and it did not work
• Link Ch 6f says you can still do it in Win XP SP2, but you need to use a different procedure
NetBIOS Enumeration Tools Nbtstat command
• Powerful enumeration tool included with the Microsoft OS
• Displays NetBIOS table
Net view command
• Shows whether there are any shared resources on a network host
Net use command • Used to connect to a computer with shared folders or files
Additional Enumeration Tools NetScanTools Pro DumpSec Hyena NessusWX
NetScanTools Pro Produces a graphical view of NetBIOS running on a network Enumerates any shares running on the computer Verifies whether access is available for shared resource using its Universal Naming Convention (UNC) name
• Costs about $250 per machine (see link Ch 6i)
DumpSec Enumeration tool for Microsoft systems Produced by Foundstone, Inc. Allows user to connect to a server and “dump” the following information
• Permissions for shares • Permissions for printers • Permissions for the Registry • Users in column or table format • Policies and rights • Services
Hyena Excellent GUI product for managing and securing Microsoft OSs Shows shares and user logon names for Windows servers and domain controllers Displays graphical representation of:
• Microsoft Terminal Services • Microsoft Windows Network • Web Client Network
• Find User/Group
Prices DumpSec seems to be free Hyena costs about $200 per station (Link Ch 6j)
NessusWX This is the client part of Nessus Allows enumeration of different OSs on a large network
Running NessusWX
• Be sure Nessus server is up and running
• Open the NessusWX client application
• To connect your client with the Nessus server
Click Communications, Connect from the menu on the session window
Enter server’s name Log on the Nessus server
Nessus identifies • NetBIOS names in use • Shared resources • Vulnerabilities with shared resources • Also offers solutions to those vulnerabilities • OS version • OS vulnerabilities • Firewall vulnerabilities
Etherleak Vulnerability Padding in Ethernet frames comes from RAM, it's not just zeroes Real data can leak out that way See link Ch 6l
Enumerating the NetWare Operating System Security professionals see Novell NetWare as a “dead horse”
• Ignoring an OS can limit your career as a security professional
Novell NetWare version 4.11
• Novell does not offer any technical support for earlier versions • Novell has switched to SUSE Linux now
NetWare Enumeration Tools NetWare 5.1 is still used on many networks New vulnerabilities are discovered daily
• You need to be vigilant in checking vendor sites and security sites
Tool • Nessus
Nessus • Enumerates a NetWare server • Determines eDirectory information • Discovers the user name and password for the FTP account • Discovers names of several user accounts
Novell Client32
• Available at www.novell.com • Client available for several OSs
Specify information for • Tree • Context • Server
Enumerating the *NIX Operating System Several variations
• Solaris • SunOS • HP-UX • Linux • Ultrix • AIX • BSD UNIX • FreeBSD • OpenBSD
UNIX Enumeration Finger utility
• Most popular tool for security testers • Finds out who is logged in to a *NIX system • Determine owner of any process
Nessus • Another important *NIX enumeration tool
Last modified 2-23-07 8 pm
Chapter 7: Programming for Security Professionals
Objectives
Explain basic programming concepts Write a simple C program Explain how Web pages are created with HTML Describe and create basic Perl programs Explain basic object-oriented programming concepts
Introduction to Computer Programming
Computer programmers must understand the rules of programming languages • Programmers deal with syntax errors
One minor mistake and the program will not run • Or worse, it will produce unpredictable results
Being a good programmer takes time and patience Computer Programming Fundamentals Fundamental concepts
• Branching, Looping, and Testing (BLT) • Documentation
Function • Mini program within a main program that carries out a task
Branching, Looping, and Testing (BLT) Branching
• Takes you from one area of the program to another area
Looping
• Act of performing a task over and over
Testing
• Verifies some condition and returns true or false
A C Program
Filename ends in .c
It's hard to read at first
A single missing semicolon can ruin a program
Comments Comments make code easier to read
Branching and Testing Diagram of branches See links Ch 7b, 7c
Looping
Algorithm • Defines steps for performing a task
• Keep it as simple as possible
Bug • An error that causes unpredictable results
Pseudocode
• English-like language used to create the structure of a program
Pseudocode For Shopping PurchaseIngredients Function
• Call GetCar Function • Call DriveToStore Function • Purchase Bacon, Bread, Tomatoes, Lettuce, and Mayonnaise
End PurchaseIngredients Function
Documentation Documenting your work is essential
• Add comments to your programs • Comments should explain what you are doing
Many programmers find it time consuming and tedious Helps others understand your work
Bugs Industry standard
• 20 to 30 bugs for every 1000 lines of code (link Ch 7f)
Textbook claims a much smaller number without a source Windows 2000 contains almost 50 million lines
• And fewer than 60,000 bugs (about 1 per 1000 lines) • See link Ch 7e for comments in the leaked Win 2000 source code
Linux has 0.17 bugs per 1000 lines of code • (Link Ch 7f)
Learning the C Language
Developed by Dennis Ritchie at Bell Laboratories in 1972 Powerful and concise language UNIX was first written in assembly language and later rewritten in C C++ is an enhancement of the C language C is powerful but dangerous
• Bugs can crash computers, and it's easy to leave security holes in the code
Assembly Language The binary language hard-wired into the processor is machine language
Assembly Language uses a combination of hexadecimal numbers and expressions
• Very powerful but hard to use (Link Ch 7g)
Compiling C in Ubuntu Linux Compiler
• Converts a text-based program (source code) into executable or binary code
To prepare Ubuntu Linux for C programming, use this command:
sudo apt-get install build-essential
Then you compile a file named "program.c" with this command:
gcc program.c -o program.exe
Anatomy of a C Program The first computer program a C student learns "Hello, World!"
Comments Use /* and */ to comment large portions of text
Use // for one-line comments
Include #include statement
• Loads libraries that hold the commands and functions used in your program
Functions A Function Name is always followed by parentheses ( ) Curly Braces { } show where a function begins and ends
main() function
• Every C program requires a main() function • main() is where processing starts
Functions can call other functions • Parameters or arguments are optional
\n represents a line feed
Declaring Variables A variable represents a numeric or string value You must declare a variable before using it
Mathematical Operators The i++ in the slide's example adds one to the variable i
Logical Operators The i<11 in the slide's example compares the variable i to 11
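Added example (not the textbook's program or the slide's): a complete hello.c that uses every part named above, #include, comments, main(), a function with a parameter, variables declared before use, a for loop whose test is i < n+1 and whose step is i++, and \n, and then shows the "C is dangerous" point from these notes by copying a name into a fixed 8-byte buffer with no bounds check beside a version that checks. Build it with the gcc command shown above.

```c
/* hello.c: added example, not from the textbook or the slides. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8   /* room for 7 characters plus the terminating '\0' */

/* Adds 1 + 2 + ... + n. With n = 10 the loop test is i < 11, as on the slide. */
int sum_to(int n)
{
    int total = 0;                        /* declare before use */
    for (int i = 1; i < n + 1; i++)       /* i++ adds one to i each pass */
        total = total + i;
    return total;
}

/* UNSAFE: strcpy() keeps copying until it finds '\0', so a name longer than
 * NAME_LEN-1 characters writes past the end of buf. This is the classic
 * buffer overflow; it is here to show the bug and is only ever called below
 * with a name that fits. */
void copy_name_unsafe(char buf[NAME_LEN], const char *name)
{
    strcpy(buf, name);
}

/* SAFE: copy at most NAME_LEN-1 characters, always terminate the string,
 * and tell the caller whether the input was cut short (returns 1 if so). */
int copy_name_safe(char buf[NAME_LEN], const char *name)
{
    size_t len = strlen(name);
    size_t n = len < NAME_LEN - 1 ? len : NAME_LEN - 1;
    memcpy(buf, name, n);
    buf[n] = '\0';
    return len > (size_t)(NAME_LEN - 1);
}

/* Length of what survives a safe copy into a NAME_LEN buffer (never more than 7) */
size_t stored_name_length(const char *name)
{
    char buf[NAME_LEN];
    copy_name_safe(buf, name);
    return strlen(buf);
}

int main(void)
{
    char buf[NAME_LEN];

    printf("Hello, World!\n");                 /* \n is the line feed */
    printf("1 + 2 + ... + 10 = %d\n", sum_to(10));

    if (copy_name_safe(buf, "Alexander"))     /* 9 characters: too long */
        printf("name truncated to \"%s\"\n", buf);
    else
        printf("name stored as \"%s\"\n", buf);

    copy_name_unsafe(buf, "Bob");             /* fits, so this is harmless... */
    printf("name stored as \"%s\"\n", buf);   /* ...but "Alexander" would not be */
    return 0;
}
```

The safe version is the habit to build: every copy into a fixed buffer carries its size, and the caller learns when input was rejected instead of silently overwriting whatever sat after the buffer on the stack.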
Understanding HTML Basics
HTML is a language used to create Web pages HTML files are text files Security professionals often need to examine Web pages
• Be able to recognize when something looks suspicious
Creating a Web Page Using HTML Create HTML Web page in Notepad, View HTML Web page in a Web browser HTML does not use branching, looping, or testing HTML is a static formatting language, rather than a programming language < and > symbols denote HTML tags
• Each tag has a matching closing tag, like <HTML> and </HTML>
Understanding Practical Extraction and Report Language (Perl)
PERL • Powerful scripting language • Used to write scripts and programs for security professionals
Background on Perl Developed by Larry Wall in 1987
Can run on almost any platform
• *NIX-based OSs already have Perl installed
Perl syntax is similar to C Hackers use Perl to write malware Security professionals use Perl to perform repetitive tasks and conduct security monitoring
Understanding the Basics of Perl perl –h command
• Gives you a list of parameters used with perl
Understanding the BLT of Perl Some syntax rules
• Keyword “sub” is used in front of function names • Variables begin with the $ character • Comment lines begin with the # character • The & character is used when calling a function
Branching in Perl &speak;
• Calls the subroutine
sub speak
• Defines the subroutine
For Loop in Perl For loop
Testing Conditions in Perl
Understanding Object-Oriented Programming Concepts
New programming paradigm There are several languages that support object-oriented programming
• C++ • C# • Java • Perl 6.0 • Object Cobol
Components of Object-Oriented Programming Classes
• Structures that hold pieces of data and functions
The :: symbol
• Used to separate the name of a class from a member function
• Example: Employee::GetEmp()
Example of a Class in C++ (the textbook's C example on page 138 is in error; it should be this instead)
    class Employee {
    public:
        char firstname[25];
        char lastname[25];
        char PlaceOfBirth[30];
        [code continues]
    };
    void GetEmp() {
        // Perform tasks to get employee info
        [program code goes here]
    }
Last modified 3-9-07
Chapter 8: Microsoft Operating System Vulnerabilities
Objectives
Tools to assess Microsoft system vulnerabilities Describe the vulnerabilities of Microsoft operating systems and services Techniques to harden Microsoft systems against common vulnerabilities Best practices for securing Microsoft systems
Tools to Identify Vulnerabilities on Microsoft Systems
Many tools are available for this task • Using more than one tool is advisable
Using several tools helps you pinpoint problems more accurately
Built-in Microsoft Tools Microsoft Baseline Security Analyzer (MBSA) Winfingerprint HFNetChk
Microsoft Baseline Security Analyzer (MBSA) Effective tool that checks for
• Patches • Security updates • Configuration errors • Blank or weak passwords • Others
MBSA supports remote scanning • Associated product must be installed on scanned computer
MBSA Results
MBSA Versions 2.x for Win 2000 or later & Office XP or later 1.2.1 if you have older products
After installing, MBSA can
• Scan the local machine
• Scan other computers remotely
• Be scanned remotely over the Internet
HFNetChk HFNetChk is part of MBSA
• Available separately from Shavlik Technologies
• Can be used to control the scanning more precisely, from the command line
Winfingerprint Administrative tool It can be used to scan network resources Exploits Windows null sessions Detects
• NetBIOS shares • Disk information and services • Null sessions
Can find • OS detection • Service packs and hotfixes • Running Services • See Proj X6 for Details
Microsoft OS Vulnerabilities
Microsoft integrates many of its products into a single package • Such as Internet Explorer and Windows OS • This creates many useful features • It also creates vulnerabilities
Security testers should search for vulnerabilities on • The OS they are testing • Any application running on the server
CVE (Common Vulnerabilities and Exposures) A list of standardized names for vulnerabilities Makes it easier to share information about them
• cve.mitre.org (link Ch 8c) • Demonstration: Search
Remote Procedure Call (RPC) RPC is an interprocess communication mechanism
• Allows a program running on one host to run code on a remote host
Examples of worms that exploited RPC • MSBlast (LovSAN, Blaster) • Nachi
Use MBSA to detect if a computer is vulnerable to an RPC-related issue
NetBIOS Software loaded into memory
• Enables a computer program to interact with a network resource or other device
NetBIOS is not a protocol • NetBIOS is an interface to a network protocol • It’s sometimes called a session-layer protocol, or a protocol suite (Links Ch 8d, 8e, 8f)
NetBEUI NetBIOS Extended User Interface
• Fast, efficient, non-routable network protocol that carries NetBIOS traffic on a single LAN • NBT (NetBIOS over TCP/IP) is what allows NetBIOS packets to be transmitted over TCP/IP, so they can cross routers
Newer Microsoft OSs do not need NetBIOS to share resources
• NetBIOS is used for backward compatibility • You can turn off NetBIOS for Windows 2000 and later (links Ch 8g & 8h)
Server Message Block (SMB) Used by Windows 95, 98 and NT to share files Usually runs on top of NetBIOS, NetBEUI or TCP/IP
Hacking tools
• L0phtcrack’s SMB Packet Capture utility • SMBRelay • Ettercap (see Project 23, links Ch 8r, Ch 8s)
Demonstration: ettercap
Common Internet File System (CIFS) CIFS replaced SMB for Windows 2000, XP, and Windows 2003 Server
• SMB is still used for backward compatibility
CIFS is a remote file system protocol
• Enables computers to share network resources over the Internet
Enhancements over SMB
• Resource locking (if 2 people use the same thing at once) • Support for fault tolerance • Capability to run more efficiently over dial-up • Support for anonymous and authenticated access
Server security methods • Share-level security
A password assigned to a shared resource
• User-level security
An access control list assigned to a shared resource Users must be on the list to gain access
• Passwords are stored in an encrypted form on the server But CIFS is still vulnerable (see link Ch 8n)
• Don’t let NetBIOS traffic past the firewall
Understanding Samba Open-source implementation of CIFS
• Created in 1992 Samba allows sharing resources over multiple OSs Samba accessing Microsoft shares can make a network susceptible to attack Samba is used to “trick” Microsoft services into believing the *NIX resources are Microsoft resources
Samba is Built into Ubuntu Click Places, Connect to Server
• Windows shares are marked with SMB
Closing SMB Ports Best way to protect a network from SMB attacks
• Routers should filter out ports 137 to 139 and 445
Default Installations Windows 9x, NT, and 2000 all start out with many services running and ports open
• They are very insecure until you lock them down
Win XP, 2003, and Vista are much more secure by default
• Services are blocked until you open them
Passwords and Authentication A comprehensive password policy is critical
• Change passwords regularly • Require a password length of at least six characters • Require complex passwords • Never write a password down or store it online or on the local system • Do not reveal a password over the phone
Configure domain controllers • Enforce password age, length and complexity • Account lockout threshold • Account lockout duration
Start, Run, GPEDIT.MSC
IIS (Internet Information Services)
IIS 5 and earlier installs with critical security vulnerabilities
• Run IIS Lockdown Wizard (link Ch 8p)
IIS 6.0 installs with a “secure by default” posture
• Configure only services that are needed • Windows 2000 ships with IIS installed by default • Running MBSA can detect IIS running on your network
SQL Server
SQL Server vulnerabilities exploit these areas • The SA account with a blank password • SQL Server Agent • Buffer overflow • Extended stored procedures • Default SQL port 1433
Vulnerabilities related to SQL Server 7.0 and SQL Server 2000
The SA Account The SA account is the master account, with full rights SQL Server 6.5 and 7 installations do not require setting a password for this account SQL Server 2000 supports mixed-mode authentication
• SA account is created with a blank password • SA account cannot be disabled
SQL Server Agent Service mainly responsible for
• Replication • Running scheduled jobs • Restarting the SQL service
Authorized but unprivileged user can create scheduled jobs to be run by the agent
Buffer Overflow Database Consistency Checker in SQL Server 2000
• Contains commands with buffer overflows
SQL Server 7 and 2000 have functions that generate text messages
• They do not check that messages fit in the buffers supplied to hold them Format string vulnerability in the C runtime functions
Extended Stored Procedures Several of the extended stored procedures fail to perform input validation
• They are susceptible to buffer overruns
Default SQL Port 1433 SQL Server is a Winsock application
• Communicates over TCP/IP using port 1433
Spida worm
• Scans for systems listening on TCP port 1433 • Once connected, attempts to use the xp_cmdshell
Enables and sets a password for the Guest account Changing default port is not an easy task
Best Practices for Hardening Microsoft Systems
Penetration tester • Finds vulnerabilities
Security tester • Finds vulnerabilities • Gives recommendations for correcting found vulnerabilities
Patching Systems The number-one way to keep your system secure
• Attacks take advantage of known vulnerabilities
• Options for small networks Accessing Windows Update manually Automatic Updates
• This technique does not really ensure that all machines are patched at the same time • Does not let you skip patches you don’t want
Some patches cause problems, so they should be tested first
Options for patch management for large networks
• Systems Management Server (SMS) • Software Update Service (SUS)
Patches are pushed out from the network server after they have been tested
Antivirus Solutions An antivirus solution is essential For small networks
• Desktop antivirus tool with automatic updates
For large networks
• Corporate-level solution
An antivirus tool is almost useless if it is not updated regularly
Enable Logging and Review Logs Regularly Important step for monitoring critical areas
• Performance • Traffic patterns • Possible security breaches
Logging can have negative impact on performance Review logs regularly for signs of intrusion or other problems
• Use a log-monitoring tool
Disable Unused or Unneeded Services Disable unneeded services Delete unnecessary applications or scripts Unused applications or services are an invitation for attacks Requires careful planning
• Close unused ports but maintain functionality
Other Security Best Practices
• Use a firewall on each machine, and also a firewall protecting the whole LAN from the Internet • Delete unused scripts and sample applications • Delete default hidden shares • Use different names and passwords for public interfaces
• Be careful of default permissions For example, new shares are readable by all users in Win XP
• Use available tools to assess system security Like MBSA, IIS Lockdown Wizard, etc.
• Disable the Guest account • Rename the default Administrator account • Enforce a good password policy • Educate users about security • Keep informed about current threats
Last modified 3-18-07 5:30 pm
Chapter 9: Linux Operating System Vulnerabilities
Objectives
Describe the fundamentals of the Linux operating system Describe the vulnerabilities of the Linux operating system Describe Linux remote attacks Explain countermeasures for protecting the Linux operating system
Review of Linux Fundamentals
Linux is a version of UNIX • Usually available free • Red Hat includes documentation and support for a fee
Linux creates default directories
Linux Exploration Demo
cd / ls -F Note: ls -F adds: / to directories * to executables @ to linked files
cd /bin ls -F Note: familiar commands ls, nc, mkdir
cd /dev ls Note: hda - hard disk. eth0 is not here--Ethernet devices are treated differently (link Ch 9a)
cd /etc ls -F Note: hosts file with name-to-IP mapping ("cat hosts" to see it) passwd with user names and groups ("cat passwd" to see it) shadow file with hashed passwords ("sudo cat shadow" to see it)
cd /home ls -l Note: Home directory for each user, owned by the user
cd /lib ls -F Note: Libraries here, nothing particularly interesting
cd /mnt ls -al Note: Nothing here unless a removable device is connected
cd /proc ls -F Note: These files show information about running processes. "cat interrupts" "cat iomem" "cat ioports" show the device resources, like Device Manager "cat meminfo" shows memory statistics "cat partitions" shows the hard disk partitions "cat version" shows the Linux version
cd /var/log ls cat boot Note: This file is the boot log
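Added example (not from the course notes): a C program that does what a tester does right after "cat passwd" and "sudo cat shadow" above, parsing the colon-separated fields to list every UID-0 account and to count accounts whose shadow hash field is empty. The passwd and shadow text it reads is constructed for the example and is not from any real host; the file formats are the real ones.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: two first-pass checks on /etc/passwd and /etc/shadow.
 * The sample files below are constructed for this example. */

static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "bob:x:1000:1000:Bob,,,:/home/bob:/bin/bash\n"
    "toor:x:0:0:backdoor:/root:/bin/bash\n";      /* a second UID-0 account */

static const char SAMPLE_SHADOW[] =
    "root:$6$SALT$HASH:17000:0:99999:7:::\n"
    "daemon:*:17000:0:99999:7:::\n"               /* '*' or '!' means locked */
    "bob::17000:0:99999:7:::\n"                    /* empty field: no password */
    "toor:$6$SALT$HASH:17000:0:99999:7:::\n";

/* Copy the next '\n'-terminated line of *cursor into out; returns 0 at end */
static int next_line(const char **cursor, char *out, size_t outsz)
{
    const char *s = *cursor, *e = strchr(s, '\n');
    size_t len = e ? (size_t)(e - s) : strlen(s);
    if (*s == '\0') return 0;
    if (len >= outsz) len = outsz - 1;
    memcpy(out, s, len);
    out[len] = '\0';
    *cursor = e ? e + 1 : s + strlen(s);
    return 1;
}

/* Split a colon-separated line in place into at most nf fields; returns the
 * number found. Empty fields count, so "bob::17000" gives "bob", "", "17000". */
static int split_colon(char *line, char *fields[], int nf)
{
    int n = 0;
    char *p = line;
    while (n < nf) {
        char *c;
        fields[n++] = p;
        c = strchr(p, ':');
        if (!c) break;
        *c = '\0';
        p = c + 1;
    }
    return n;
}

/* Parse a UID field strictly; -1 if it is empty or not a number */
static long parse_uid(const char *s)
{
    char *end;
    long v = strtol(s, &end, 10);
    return (*s != '\0' && *end == '\0') ? v : -1;
}

/* Comma-separated names of every UID-0 account (static buffer). Anything
 * besides root here is a backdoor or a misconfiguration. */
const char *uid0_accounts(const char *passwd_text)
{
    static char result[256];
    char line[512], *f[7];
    const char *cur = passwd_text;
    result[0] = '\0';
    while (next_line(&cur, line, sizeof line)) {
        if (split_colon(line, f, 7) < 7) continue;       /* malformed line */
        if (parse_uid(f[2]) == 0) {
            if (result[0]) strncat(result, ",", sizeof result - strlen(result) - 1);
            strncat(result, f[0], sizeof result - strlen(result) - 1);
        }
    }
    return result;
}

/* Number of shadow entries whose hash field is empty: those accounts log in
 * with no password at all. */
int empty_password_count(const char *shadow_text)
{
    char line[512], *f[9];
    const char *cur = shadow_text;
    int count = 0;
    while (next_line(&cur, line, sizeof line)) {
        if (split_colon(line, f, 9) < 2) continue;
        if (f[1][0] == '\0') count++;
    }
    return count;
}

int main(void)
{
    printf("UID-0 accounts: %s\n", uid0_accounts(SAMPLE_PASSWD));
    printf("accounts with no password: %d\n", empty_password_count(SAMPLE_SHADOW));
    return 0;
}
```

On a real host feed it the file contents (shadow needs root, as the "sudo cat shadow" note says); the same two checks are what rootkit detectors and audit scripts run first, because a second UID-0 user or a blank hash is a login that bypasses everything else on this page.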
Linux File System
Provides directory structure Establishes a file-naming convention Includes utilities to compress or encrypt files Provides for both file and data integrity Enables error recovery Stores information about files and folders *NIX systems store information about files in information nodes (inodes)
inodes Information stored in an inode
• An inode number • Owner of the file • Group the file belongs to • Size of the file • Time the inode was last changed (ctime) • Times the file was last modified (mtime) and last read (atime)
There is a fixed number of inodes • By default, one inode per 4 KB of disk space
Mounting In Windows, each device has a letter
• A: for floppy, C: for hard disk, and so on
*NIX mounts a file system (usually a drive) as a subfile system of the root file system /
mount command is used to mount file systems
• or to display currently mounted file systems
df command displays disk usage of mounted file systems
*NIX File System History Minix file system
• Max. size 64 MB, Max. file name 14 chars
Extended File System (Ext)
• Max. size 2 GB, Max. file name 256 chars
mount and df in Ubuntu
Second Extended File System (Ext2fs) • Max. size 4 TB, better performance and stability
Third Extended File System (Ext3fs) • Journaling—recovers from crashes better
Linux Commands Getting Help Many of these commands have multiple parameters and additional functionality Use these commands to get help. (Replace command with the command you want help with, such as ifconfig)
command --help man command
Linux OS Vulnerabilities
UNIX has been around for quite some time Attackers have had plenty of time to discover vulnerabilities in *NIX systems
Enumeration tools can also be used against Linux systems
Nessus can be used to enumerate Linux systems
Nessus can be used to • Discover vulnerabilities related to SMB and NetBIOS • Discover other vulnerabilities • Enumerate shared resources
Test Linux computer against common known vulnerabilities
• Review the CVE and CAN information
• See links Ch 9m, n, o
Remote Access Attacks on Linux Systems
Differentiate between local attacks and remote attacks
• Remote attacks are harder to perform
(Figure: Nessus Scanning a Linux Server (with Samba))
Attacking a network remotely requires
• Knowing what system a remote user is operating
• The attacked system’s password and login accounts
Footprinting an Attacked System
Footprinting techniques
• Used to find out information about a target system
Determining the OS version the attacked computer is running
• Check newsgroups for details on posted messages
• Knowing a company’s e-mail address makes the search easier
Other Footprinting Tools
Whois databases
DNS zone transfers
Nessus
Port scanning tools
Using Social Engineering to Attack Remote Linux Systems
Goal
• To get OS information from company employees
Common techniques
• Urgency • Quid pro quo • Status quo • Kindness • Position
Train your employees about social engineering techniques
Trojans
Trojan programs spread as
• E-mail attachments
• Fake patches or security fixes that can be downloaded from the Internet
Trojan program functions
• Allow for remote administration
• Create a FTP server on attacked machine
• Steal passwords
• Log all keys a user enters, and e-mail results to the attacker
Trojan programs can use legitimate outbound ports
• A port-based firewall cannot tell this traffic from ordinary Web browsing, and an IDS without a signature for it will not flag it as malicious
• Example: Sheepshank uses HTTP GETs
It is easier to protect systems from already identified Trojan programs
• See links Ch 9e, f, g
Rootkits
• Contain Trojan binary programs ready to be installed by an intruder with root access to the system
• Replace legitimate commands (ls, ps, netstat, login, and so on) with Trojan versions
• Hide the tools used for later attacks, along with the intruder’s files and processes
• Example: LRK5
LRK5
• A famous Linux rootkit
• See links Ch 9h, i, j
Rootkit Detectors
Security testers should check their Linux systems for rootkits
• Rootkit Hunter (Link Ch 9l)
• Chkrootkit (Link Ch 9l)
• Rootkit Profiler (Link Ch 9k)
Demonstration of rkhunter
sudo apt-get install rkhunter
sudo rkhunter -c
Caveat: a detector run on the compromised system relies on that system’s (possibly trojaned) binaries and kernel, so when a compromise is suspected, check from known-good boot media
Creating Buffer Overflow Programs
A buffer overflow writes more data into a fixed-size buffer than it can hold
• The excess overwrites adjacent memory, such as the return address on the stack, so the program runs attacker-supplied code instead of returning normally
• Can elevate the attacker’s permissions to the level of the process owner (root, for a setuid program or a daemon running as root)
Security testers should know what a buffer overflow program looks like
(Figure: a C program that causes a buffer overflow; it compiles, but at run time returns the error shown in the slide)
(Figure: a C code snippet that fills the stack with shellcode)
Avoiding Buffer Overflows
Write code that avoids functions known to have buffer overflow vulnerabilities
strcpy() strcat() sprintf() gets()
• Use bounded replacements (strncpy(), strncat(), snprintf(), fgets()) and check the length of the input against the buffer size before copying
Configure OS to not allow code in the stack to run any other executable code in the stack (a non-executable stack, NX/DEP)
Some compilers like gcc warn programmers when dangerous functions are used
• gcc also offers stack protection (-fstack-protector), and linking a program that calls gets() produces a warning that the function is dangerous and should not be used
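The overwrite-of-adjacent-memory mechanism, as an added example that is not the lecture's own C program or anything from its textbook. ctypes lays out the Account record exactly as the C struct `struct account { char name[8]; int is_admin; };` would, so an unchecked copy into name[] reproduces what an unbounded strcpy() does inside a C program, here spilling into the privilege flag rather than a return address. The record, field names and inputs are constructed for the demo.

```python
import ctypes

NAME_LEN = 8


class Account(ctypes.Structure):
    """Constructed record, laid out like the C struct
    `struct account { char name[8]; int is_admin; };`: the 8-byte name
    buffer is immediately followed by a privilege flag."""
    _fields_ = [("name", ctypes.c_char * NAME_LEN),
                ("is_admin", ctypes.c_int32)]


def vulnerable_login(user_input: bytes) -> int:
    """Models strcpy(acct.name, input): every byte of the input plus its
    terminating NUL is copied starting at name[0] with no bound check,
    so bytes 8..11 of a long input land on is_admin.  Returns the flag
    the program then trusts."""
    acct = Account()                         # zero-filled: is_admin == 0
    data = user_input + b"\x00"
    # A real strcpy() keeps writing past the record into whatever lies
    # next on the stack (saved registers, the return address).  The demo
    # stops at the record's end only so the interpreter survives.
    n = min(len(data), ctypes.sizeof(acct))
    ctypes.memmove(ctypes.addressof(acct), data, n)
    return acct.is_admin


def safe_login(user_input: bytes) -> int:
    """Bounded copy: input that does not fit in name[] together with its
    NUL is rejected outright, the way a length check before strncpy() or
    snprintf() would do it, rather than being truncated silently."""
    acct = Account()
    if len(user_input) >= NAME_LEN:
        return -1
    acct.name = user_input                   # ctypes refuses oversized values
    return acct.is_admin


def demo():
    """Constructed inputs: a normal user name, and a 9-byte payload whose
    last byte lands on the low byte of is_admin."""
    payload = b"A" * NAME_LEN + b"\x01"
    return {
        "normal_vulnerable": vulnerable_login(b"bob"),
        "overflow_vulnerable": vulnerable_login(payload),
        "normal_safe": safe_login(b"bob"),
        "overflow_safe": safe_login(payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real program the bytes past the buffer hit whatever the compiler placed next; with a saved return address there, the same unchecked copy becomes the "run some type of program" step of the attack.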
Using Sniffers to Gain Access to Remote Linux Systems
Sniffers work by setting a network card adapter in promiscuous mode
• NIC accepts all packets that traverse the network cable, not only those addressed to it
• On a switched network the attacker sees only its own traffic unless it also uses a mirror port or an ARP spoofing attack
Attacker can analyze packets and learn user names and passwords
• Avoid using protocols such as Telnet, HTTP, and FTP that send data in clear text; use SSH, HTTPS, and SFTP/SCP instead
Sniffers
• Tcpdump, Ethereal (now Wireshark)
Countermeasures Against Linux Remote Attacks
Measures include
• User awareness training
• Keeping current on new kernel releases and security updates
User Awareness Training
Social Engineering
• Users must be told not to reveal information to outsiders
• Make customers aware that many exploits can be downloaded from Web sites
• Teach users to be suspicious of people asking questions about the system they are using
Verify caller’s identity
Call back technique
Keeping Current
Never-ending battle
• New vulnerabilities are discovered daily
• New patches are issued to fix new vulnerabilities
Installing these fixes is essential to protecting your system
Many OSs are shipped with automated tools for updating your systems
Last modified 3-22-07 9 am
Chapter 10: Hacking Web Servers
Objectives
Describe Web applications
Explain Web application vulnerabilities
Describe the tools used to attack Web servers
Web Servers
The two main Web servers are Apache (open source) and IIS (Microsoft)
Understanding Web Applications
It is nearly impossible to write a program without bugs • Some bugs create security vulnerabilities
Web applications also have bugs • Web applications have a larger user base than standalone applications • Bugs are a bigger problem for Web applications
Web Application Components
Static Web pages
• Created using HTML
Dynamic Web pages
• Need special components
<form> tags
Common Gateway Interface (CGI) scripts
Active Server Pages (ASP)
PHP
ColdFusion
Scripting languages like JavaScript
ODBC (Open Database Connectivity)
Web Forms
Use the <form> element or tag in an HTML document
• Allows customer to submit information to the Web server
Web servers process information from a Web form by using a Web application
Easy way for attackers to intercept data that users submit to a Web server (when the form is sent over plain HTTP, everything in it crosses the network in clear text)
Web form example
<html><body>
<form>
Enter your username: <input type="text" name="username"> <br>
Enter your password: <input type="text" name="password">
</form>
</body></html>
Common Gateway Interface (CGI)
Describes how a Web server passes request data (the URL, query string, and form fields) to an external program and returns that program’s output to the Web browser
The majority of dynamic Web pages are created with CGI and scripting languages
• Relies on Perl or another scripting language to create dynamic Web pages
CGI Languages
CGI programs can be written in different programming and scripting languages
• C or C++ • Perl • Unix shell scripting • Visual Basic • FORTRAN
CGI example
• Written in Perl
• Hello.pl
• Should be placed in the cgi-bin directory on the Web server
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello Security Testers!";
Another CGI Example
Link Ch 10a: Sam’s Feedback Form
Link Ch 10b: CGI Script in Perl that processes the data from the form
Active Server Pages (ASP)
Microsoft’s server-side script engine
• HTML pages are static—always the same
• ASP creates HTML pages as needed. They are not static
ASP uses scripting languages such as JScript or VBScript
Not all Web servers support ASP
• IIS supports ASP
• Apache doesn’t support ASP as well
Active Server Pages (ASP)
You can’t see the source of an ASP page from a browser
This makes it harder to hack into, although not impossible
ASP examples at links Ch 10d, e, f
Apache Web Server
Apache is the most popular Web Server program
Advantages
• Stable and reliable
• Works on just about any *NIX and Windows platform
• It is free and open source
See links Ch 10g, 10h
Using Scripting Languages
Dynamic Web pages can be developed using scripting languages
• VBScript • JavaScript • PHP
PHP: Hypertext Preprocessor (PHP)
Enables Web developers to create dynamic Web pages
• Similar to ASP
Open-source server-side scripting language
• Can be embedded in an HTML Web page using PHP tags <?php and ?>
Users cannot see PHP code in their Web browser
Used primarily on UNIX systems
• Also supported on Macintosh and Microsoft platforms
PHP Example
<html><head><title>Example</title></head>
<body>
<?php echo 'Hello, World!'; ?>
</body></html>
• See links Ch 10k, 10l
PHP has known vulnerabilities
• See links Ch 10m, 10n
PHP is often used with MySQL Databases
ColdFusion
Server-side scripting language used to develop dynamic Web pages
Created by the Allaire Corporation
• Purchased by Macromedia, now owned by Adobe -- Expensive
Uses its own proprietary tags written in ColdFusion Markup Language (CFML)
CFML Web applications can contain other technologies, such as HTML or JavaScript
ColdFusion Example
<html><head><title>Ex</title></head>
<body>
<CFLOCATION URL="www.isecom.org/cf/index.htm" ADDTOKEN="NO">
</body></html>
• See links Ch 10o
ColdFusion Vulnerabilities
See links Ch 10p, 10q
VBScript
Visual Basic Script is a scripting language developed by Microsoft
You can insert VBScript commands into a static HTML page to make it dynamic
• Provides the power of a full programming language
• Executed by the client’s browser
VBScript Example
<html><body>
<script type="text/vbscript">
document.write("<h1>Hello!</h1>")
document.write("Date Activated: " & date())
</script>
</body></html>
See link Ch 10r – works in IE, but not in Firefox
Firefox does not support VBScript (link Ch 10s)
VBScript vulnerabilities
• See links Ch 10t, 10u
JavaScript
Popular scripting language
JavaScript also has the power of a programming language
• Branching • Looping • Testing
JavaScript Example
<html><head>
<script type="text/javascript">
function chastise_user() {
  alert("So, you like breaking rules?");
  document.getElementById("cmdButton").focus();
}
</script></head>
<body><h3>Don't click the button!</h3>
<form>
<input type="button" value="Don't Click!" name="cmdButton" id="cmdButton" onClick="chastise_user()" />
</form></body></html>
• See link Ch 10v – works in IE and Firefox
JavaScript Vulnerabilities
See link Ch 10w
Connecting to Databases
Web pages can display information stored on databases
There are several technologies used to connect databases with Web applications
• Technology depends on the OS used
ODBC
OLE DB
ADO
• Theory is the same
Open Database Connectivity (ODBC)
Standard database access method developed by the SQL Access Group
ODBC interface allows an application to access
• Data stored in a database management system (DBMS)
• Can use Oracle, SQL Server, or any DBMS that understands and can issue ODBC commands
Interoperability among back-end DBMS is a key feature of the ODBC interface
ODBC defines
• Standardized representation of data types
• A library of ODBC functions
• Standard methods of connecting to and logging on to a DBMS
OLE DB and ADO
Object Linking and Embedding Database (OLE DB) and ActiveX Data Objects (ADO)
• These two more modern, complex technologies replace ODBC and make up "Microsoft’s Universal Data Access"
• See link Ch 10x
Understanding Web Application Vulnerabilities
Many platforms and programming languages can be used to design a Web site Application security is as important as network security Attackers controlling a Web server can
• Deface the Web site • Destroy or steal company’s data • Gain control of user accounts • Perform secondary attacks from the Web site • Gain root access to other applications or servers
Open Web Application Security Project (OWASP)
• Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applications
• Publishes the Ten Most Critical Web Application Security Vulnerabilities
Top-10 Web application vulnerabilities
Unvalidated parameters
• HTTP requests from browsers that are not validated by the Web server
• Inserted form fields, cookies, headers, etc. (See link Ch 10y)
Broken access control
• Developers implement access controls but fail to test them properly
For example, letting an authenticated user read another user’s files
Broken account and session management
• Enables attackers to compromise passwords or session cookies to gain access to accounts
Cross-site scripting (XSS) flaws
• Attackers inject script into a Web page, such as a forum or guestbook, that the server then serves to other users
• When other users view the page, the script runs in their browsers and can steal confidential information such as session cookies
• See link Ch 10za
Buffer overflows
• Web servers and server modules written in C or C++ can contain buffer overflows that an attacker triggers with an overlong request
Command injection flaws
• Attacker-supplied data is passed to an interpreter (SQL, a shell, LDAP) as part of a command, so the attacker ends up running commands on the database server or the host
• Example: SQL Injection
Error-handling problems
• Error messages may reveal information that an attacker can use
Insecure use of cryptography
• Storing keys, certificates, and passwords on a Web server can be dangerous
Remote administration flaws
• Attacker can gain access to the Web server through the remote administration interface
Web and application server misconfiguration
• Any Web server software out of the box is usually vulnerable to attack
Default accounts and passwords
Overly informative error messages
WebGoat project
• Helps security testers learn how to perform vulnerabilities testing on Web applications
• Developed by OWASP
It’s like HackThisSite without the helpful forum
• Tutorials for WebGoat are being made, but they aren’t yet ready
Assessing Web Applications
Issues to consider
• Dynamic Web pages
• Connection to a backend database server
• User authentication
• What platform was used?
Does the Web Application Use Dynamic Web Pages?
Serving only static Web pages does not by itself make a Web server secure
IIS attack example: Directory Traversal
• Adding ..\ to a URL refers to a directory above the Web page directory
• Early versions of IIS filtered out \ and ../, but not %c1%9c, an overlong UTF-8 ("Unicode") encoding of the same \ character
• IIS checked the path before it decoded the overlong sequence, so the check passed and the decoded path then walked out of the Web root
• See link Ch 10 zh
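The check-before-decode order behind that IIS bug, modelled in Python as an added example (not code from the lecture or any IIS source). The lenient decoder, the Web root path and the request paths are all constructed for the demo; the hardened version shows the order that closes the hole, decode strictly first and then confine the normalized path to the Web root.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEBROOT = "/inetpub/wwwroot"     # constructed stand-in for the document root


def lenient_utf8(raw: bytes) -> str:
    """Emulates a decoder that accepts overlong two-byte sequences.

    A correct UTF-8 decoder rejects 0xC0/0xC1 lead bytes because the
    code points they could carry (< 0x80) must be written as one byte;
    this one does not check, so %c1%9c decodes to U+005C, a backslash."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))  # no overlong check
            i += 2
        else:
            out.append(chr(b))           # ASCII, or a stray byte passed through
            i += 1
    return "".join(out)


def vulnerable_resolve(url_path: str):
    """Check first, decode second: the order behind the IIS Unicode bug.

    Returns ("blocked", None) or ("served", resolved_path)."""
    raw = unquote_to_bytes(url_path)
    # The traversal filter inspects the still-encoded path components.
    if any(part == b".." for part in raw.split(b"/")):
        return "blocked", None
    decoded = lenient_utf8(raw)
    # Windows treats "\" as a separator, so the decoded "..\.." now walks up.
    candidate = WEBROOT + decoded.replace("\\", "/")
    return "served", posixpath.normpath(candidate)


def hardened_resolve(url_path: str):
    """Decode strictly, normalize, then confine the result to the Web root."""
    raw = unquote_to_bytes(url_path)
    try:
        decoded = raw.decode("utf-8")   # overlong forms raise here
    except UnicodeDecodeError:
        return "blocked", None
    resolved = posixpath.normpath(WEBROOT + decoded.replace("\\", "/"))
    if resolved != WEBROOT and not resolved.startswith(WEBROOT + "/"):
        return "blocked", None
    return "served", resolved


if __name__ == "__main__":
    for path in ("/index.htm",
                 "/scripts/../../winnt/system32/cmd.exe",
                 "/scripts/..%c1%9c../winnt/system32/cmd.exe"):
        print(path, "->", vulnerable_resolve(path), hardened_resolve(path))
```

The general lesson outlasts IIS: every filter that runs before the final decoding step can be bypassed by an encoding it does not understand, so canonicalize first and check the canonical form.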
Connection to a Backend Database Server
Security testers should check for the possibility of SQL injection being used to attack the system
SQL injection involves the attacker supplying SQL commands on a Web application field
SQL Injection Example
HTML form collects name and pw
SQL then uses those fields:
• SELECT * FROM customer WHERE username = 'name' AND password = 'pw'
If a hacker enters a name of
' OR 1=1 --
The SQL becomes:
• SELECT * FROM customer WHERE username = '' OR 1=1 --' AND password = 'pw'
Which is always true, and returns all the records (everything after -- is a comment, so the password check never runs)
HackThisSite
Basic testing should look for
• Whether you can enter text with punctuation marks
• Whether you can enter a single quotation mark followed by any SQL keywords
• Whether you can get any sort of database error when attempting to inject SQL
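The lecture's query, run for real against an in-memory SQLite table, as an added example (not code from the lecture or its textbook). It builds the statement two ways, by string concatenation as in the slide and with bound parameters, then applies the three basic tests listed above; the customer rows are constructed.

```python
import sqlite3


def make_db():
    """Constructed customer table matching the lecture's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)",
                     [("alice", "wonderland"), ("bob", "builder"), ("admin", "Tr0ub4dor")])
    return conn


def login_vulnerable(conn, name, pw):
    """The lecture's query built by string concatenation: whatever the user
    types becomes part of the SQL text."""
    sql = f"SELECT * FROM customer WHERE username = '{name}' AND password = '{pw}'"
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name, pw):
    """Same query with bound parameters: the values travel to the database
    separately from the SQL text, so a quote in the input is just a quote,
    never syntax."""
    sql = "SELECT * FROM customer WHERE username = ? AND password = ?"
    return conn.execute(sql, (name, pw)).fetchall()


def probe_for_sql_error(conn, name):
    """The lecture's basic test: does a lone single quote produce a
    database error?  True means the input reaches the SQL parser unescaped."""
    try:
        login_vulnerable(conn, name, "x")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    conn = make_db()
    bypass = "' OR 1=1 --"
    return {
        "legit_vulnerable": len(login_vulnerable(conn, "alice", "wonderland")),
        "bypass_vulnerable": len(login_vulnerable(conn, bypass, "anything")),
        "legit_parameterized": len(login_parameterized(conn, "alice", "wonderland")),
        "bypass_parameterized": len(login_parameterized(conn, bypass, "anything")),
        "quote_causes_error": probe_for_sql_error(conn, "'"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bypass returns every row from the concatenated query and none from the parameterized one; the lone quote raises the database error the lecture tells testers to look for.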
User Authentication
Many Web applications require another server to authenticate users
Examine how information is passed between the two servers
• Encrypted channels
Verify that logon and password information is stored in secure places
Authentication servers introduce a second target
What Platform Was Used?
Popular platforms include:
• IIS with ASP and SQL Server (Microsoft)
• Linux, Apache, MySQL, and PHP (LAMP)
Footprinting is used to find out the platform
• The more you know about a system the easier it is to gather information about its vulnerabilities
Tools of Web Attackers and Security Testers
Choose the right tools for the job
Attackers look for tools that enable them to attack the system
• They choose their tools based on the vulnerabilities found on a target system or application
Web Tools
Cgiscan.c: CGI scanning tool
• Written in C in 1999 by Bronc Buster
• Tool for searching Web sites for CGI scripts that can be exploited
• One of the best tools for scanning the Web for systems with CGI vulnerabilities
See link Ch 10zi
(Figure: cgiscan and WebGoat)
Phfscan.c
• Written to scan Web sites looking for hosts that could be exploited by the PHF bug
• The PHF bug enables an attacker to download the victim’s /etc/passwd file
• It also allows attackers to run programs on the victim’s Web server by using a particular URL
See links Ch 10zj, 10zk
Wfetch: GUI tool from Microsoft
• Displays information that is not normally shown in a browser, such as HTTP headers
• It also attempts authentication using
Multiple HTTP methods
Configuration of host name and TCP port
HTTP 1.0 and HTTP 1.1 support
Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiate authentication types
Multiple connection types
Proxy support
Client-certificate support
See link Ch 10zl
Last modified 4-8-07 6 pm
Chapter 10: Hacking Wireless Networks
Objectives
Explain wireless technology
Describe wireless networking standards
Describe the process of authentication
Describe wardriving
Describe wireless hacking and tools used by hackers and security professionals
Understanding Wireless Technology
For a wireless network to function, you must have the right hardware and software Wireless technology is part of our lives
• Baby monitors • Cell and cordless phones • Pagers • GPS • Remote controls • Garage door openers • Two-way radios • Wireless PDAs
Components of a Wireless Network A wireless network has only three basic components
• Access Point (AP) • Wireless network interface card (WNIC) • Ethernet cable
Access Points An access point (AP) is a transceiver that connects to an Ethernet cable
• It bridges the wireless network with the wired network Not all wireless networks connect to a wired network
• Most companies have Wireless LANs (WLANs) that connect to their wired network topology The AP is where channels are configured An AP enables users to connect to a LAN using wireless technology
• An AP is available only within a defined area
Service Set Identifiers (SSIDs)
Name used to identify the wireless local area network (WLAN)
The SSID is configured on the AP
• Unique 1- to 32-character alphanumeric name
• Name is case sensitive
Wireless computers need to configure the SSID before connecting to a wireless network
SSID is carried, unencrypted, in management frames (beacons, probe responses, and association requests)
• Identifies which network a station is joining
The AP usually broadcasts the SSID
Many vendors have SSIDs set to a default value that companies never change
An AP can be configured to not broadcast its SSID until after authentication
• Wireless hackers can attempt to guess the SSID, or simply read it from the association frames of a legitimate client, since those are sent in the clear
Verify that your clients or customers are not using a default SSID
See links Ch 11a, b
Configuring an Access Point
Configuring an AP varies depending on the hardware
• Most devices allow access through any Web browser
• Enter IP address on your Web browser and provide your user logon name and password
Wireless Router
A wireless router includes an access point, a router, and a switch
Configuring an Access Point
Wireless Configuration Options
• SSID
• Wired Equivalent Privacy (WEP) encryption
• WPA (Wi-Fi Protected Access) is better
Steps for configuring a D-Link wireless router (continued)
• Turn off SSID broadcast
• You should also change your SSID
Wireless NICs
For wireless technology to work, each node or computer must have a wireless NIC
NIC’s main function
• Converting the radio waves it receives into digital signals the computer understands
Wireless NICs
There are many wireless NICs on the market
• Choose yours depending on how you plan to use it
• Some tools require certain specific brands of NICs
Understanding Wireless Network Standards
A standard is a set of rules formulated by an organization
Institute of Electrical and Electronics Engineers (IEEE)
• Defines several standards for wireless networks
IEEE: CCSF Student Chapter
Next meeting:
• May 3, 2007 in Cloud 218 4:30 pm
Email [email protected] for more info
IEEE Standards
Standards pass through these groups:
• Working group (WG)
• Sponsor Executive Committee (SEC)
• Standards Review Committee (RevCom)
• IEEE Standards Board
IEEE Project 802
• LAN and WAN standards
The 802.11 Standard
The first wireless technology standard
Defined wireless connectivity at 1 Mbps and 2 Mbps within a LAN
Applied to layers 1 and 2 of the OSI model
Wireless networks cannot detect collisions
• Carrier sense multiple access/collision avoidance (CSMA/CA) is used instead of CSMA/CD
Addressing
Wireless LANs do not have an address associated with a physical location
• An addressable unit is called a station (STA)
The Basic Architecture of 802.11
802.11 uses a basic service set (BSS) as its building block
• Computers within a BSS can communicate with each other
• To connect two BSSs, 802.11 requires a distribution system (DS)
Frequency Range
In the United States, Wi-Fi uses frequencies near 2.4 GHz (except 802.11a at 5 GHz)
• There are 11 channels, but they overlap, so only three are commonly used
See link Ch 11c (cisco.com)
Other terms to define the channel:
• Wavelength • Frequency • Cycle • Hertz or cycles per second • Bands
Infrared (IR)
Infrared light can’t be seen by the human eye
IR technology is restricted to a single room or line of sight
IR light cannot penetrate walls, ceilings, or floors
• Image: IR transmitter for wireless headphones
Narrowband
Uses microwave radio band frequencies to transmit data
Popular uses
• Cordless phones • Garage door openers
Spread Spectrum
Data is spread across a large-frequency bandwidth instead of traveling across just one frequency band
Methods
• Frequency-hopping spread spectrum (FHSS)
• Direct sequence spread spectrum (DSSS)
• Orthogonal frequency division multiplexing (OFDM)
See links Ch 11d, Ch 11d1
IEEE Additional 802.11 Projects
802.11a
• Created in 1999 • Operating frequency 5 GHz • Throughput 54 Mbps
802.11b
• Operates in the 2.4 GHz range
• Throughput 11 Mbps
• Also referred to as Wi-Fi (wireless fidelity)
• Allows for 11 channels to prevent overlapping signals
Effectively only three channels (1, 6, and 11) can be used in combination without overlapping
• Introduced Wired Equivalent Privacy (WEP)
802.11e
• Quality of Service (QoS) enhancements to the MAC layer, giving voice and video traffic priority over bulk data
802.11g
• Operates in the 2.4 GHz range
• Uses OFDM for modulation
• Throughput increased from 11 Mbps to 54 Mbps
802.11i
• Ratified in 2004; defines the security framework the Wi-Fi Alliance markets as WPA2
• Wi-Fi Protected Access (WPA) was the Wi-Fi Alliance’s interim release of a subset of the draft standard, built around TKIP so it could run on WEP-era hardware
• Corrected many of the security vulnerabilities of 802.11b’s WEP
802.15
• Addresses networking devices within one person’s workspace
Called wireless personal area network (WPAN)
• Bluetooth is a common example
802.16
• Addresses the issue of wireless metropolitan area networks (MANs)
• Defines the WirelessMAN Air Interface
• It will have a range of up to 30 miles
• Throughput of up to 120 Mbps
802.20
• Addresses wireless MANs for mobile users who are sitting in trains, subways, or cars traveling at speeds up to 150 miles per hour
Bluetooth
• Defines a method for interconnecting portable devices without wires
• Maximum distance allowed is 10 meters (for the common Class 2 devices)
• It uses the 2.45 GHz frequency band
• Throughput of up to 3 Mbps with Bluetooth 2.0+EDR (1 Mbps for earlier versions)
HiperLAN2
• European WLAN standard
• It is not compatible with 802.11 standards
Understanding Authentication
Wireless technology brings new security risks to a network
Authentication
• Establishing that a user is authentic—authorized to use the network
• If authentication is weak or absent, anyone in radio range can use your network
The 802.1X Standard
Defines the process of authenticating and authorizing users on a WLAN
Basic concepts
• Point-to-Point Protocol (PPP)
• Extensible Authentication Protocol (EAP)
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
Point-to-Point Protocol (PPP)
Many ISPs use PPP to connect dial-up or DSL users
PPP handles authentication with a user name and password, sent with PAP or CHAP
• PAP (Password Authentication Protocol) sends passwords unencrypted
Vulnerable to trivial sniffing attacks
See link Ch 11f
CHAP Vulnerability
CHAP (Challenge-Handshake Authentication Protocol)
• Server sends a Challenge with a random value
• Client sends a Response, hashing the random value with the secret password
This is still vulnerable to a sort of session hijacking attack (see links Ch 11e)
Extensible Authentication Protocol (EAP)
EAP is an enhancement to PPP
Allows a company to select its authentication method
• Certificates
• Kerberos
Kerberos is used on LANs for authentication Uses Tickets and Keys Used by Windows 2000, XP, and 2003 Server by default Not common on WLANS (I think)
X.509 Certificate Record that authenticates network entities Identifies
• The owner • The certificate authority (CA) • The owner’s public key
See link Ch 11j
Sample X.509 Certificate
Go to gmail.com
Double-click the padlock
Public Key
Your browser uses the Public Key to encrypt data so only Gmail can read it
LEAP
Lightweight Extensible Authentication Protocol (LEAP)
• A Cisco product
• Vulnerable, but Cisco didn’t care
• Joshua Wright wrote the ASLEAP hacking tool to crack LEAP, and forced Cisco to develop a better protocol
See link Ch 11g
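The challenge/response exchange from the CHAP slide and the offline attack that ASLEAP automated, as an added example (not code from the lecture, from ASLEAP, or from Cisco). It models RFC 1994 CHAP with MD5; LEAP itself uses an MS-CHAP-style exchange built on DES and the NT hash, but the attack shape is identical: capture one round from the air, then grind a dictionary against it offline. The wordlist and secrets are constructed.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary files such tools use.
WORDLIST = [b"password", b"letmein", b"wireless1", b"s3cr3t", b"summer2007"]


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(secret: bytes, identifier: int = 1, challenge: bytes = None) -> dict:
    """One challenge/response round.  Returns exactly what a sniffer on the
    link sees: the identifier, the server's challenge and the client's
    response.  The secret itself never crosses the wire (unlike PAP)."""
    if challenge is None:
        challenge = os.urandom(16)               # the server's random value
    return {
        "identifier": identifier,
        "challenge": challenge,
        "response": chap_response(identifier, secret, challenge),
    }


def chap_verify(secret: bytes, captured: dict) -> bool:
    """What the authenticator does: recompute and compare in constant time."""
    expected = chap_response(captured["identifier"], secret, captured["challenge"])
    return hmac.compare_digest(expected, captured["response"])


def offline_dictionary_attack(captured: dict, wordlist):
    """The ASLEAP-style attack: with one sniffed challenge/response pair the
    attacker recomputes the response for every candidate password offline
    until one matches.  No packets go to the server, so lockouts, rate
    limits and logs never trigger; only the password's guessability matters."""
    for candidate in wordlist:
        if chap_response(captured["identifier"], candidate, captured["challenge"]) == captured["response"]:
            return candidate
    return None


def demo():
    """Constructed run: a weak secret falls to the wordlist, a random one does not."""
    challenge = bytes(range(16))                  # fixed so the run is repeatable
    weak = chap_exchange(b"wireless1", challenge=challenge)
    strong = chap_exchange(os.urandom(12).hex().encode(), challenge=challenge)
    return {
        "weak_verifies": chap_verify(b"wireless1", weak),
        "weak_recovered": offline_dictionary_attack(weak, WORDLIST),
        "strong_recovered": offline_dictionary_attack(strong, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

This is why the "more secure EAP methods" that follow wrap the inner exchange in TLS: once the challenge and response are hidden inside an encrypted tunnel to a verified server, there is nothing for the sniffer to run a dictionary against.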
More Secure EAP Methods
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
• Secure but rarely used, because both client and server need certificates signed by a CA
Protected EAP (PEAP) and Microsoft PEAP
• Very secure, only requires server to have a certificate signed by a CA
• Only as long as clients are configured to validate that certificate; a client that accepts any server certificate can be lured to a rogue AP that harvests its inner credentials
See link Ch 11h
802.1X components
Supplicant
• The user (client device) accessing a WLAN
Authenticator
• The AP
Authentication server
• Checks an account database to see if user’s credentials are acceptable
• May use RADIUS (Remote Authentication Dial-In User Service)
See link Ch 11k
Wired Equivalent Privacy (WEP)
Part of the 802.11b standard
Encrypts data on a wireless network
WEP has many vulnerabilities
To crack WEP, see links Ch 11l, 11m
Wi-Fi Protected Access (WPA)
Based on the draft 802.11i standard
Replaces WEP
WPA improves encryption by using Temporal Key Integrity Protocol (TKIP)
TKIP Enhancements
Message Integrity Check (MIC)
• Prevent attacker from injecting forged packets
Extended Initialization Vector (IV) with sequencing rules
• Prevent replays (attacker re-sending copied packets)
Per-packet key mixing
• The temporal key is mixed with the transmitter’s MAC address and the packet sequence counter to derive a different RC4 key for every packet, so the weak-IV attacks on WEP no longer apply
• Each link uses a different key
Rekeying mechanism
• Provides fresh keys
• Prevents attackers from reusing old keys
WPA Adds 802.1X
WPA also adds an authentication mechanism implementing 802.1X and EAP
• This was not available in WEP
Understanding Wardriving
Hackers use wardriving
• Finding insecure access points
• Using a laptop or palmtop computer
Wardriving is not illegal
• But using the resources of these networks is illegal
Warflying
• Variant where an airplane is used instead of a car
How It Works
An attacker or security tester simply drives around with the following equipment
• Laptop computer • Wireless NIC • An antenna • Software that scans the area for SSIDs
Not all wireless NICs are compatible with scanning programs
Antenna prices vary depending on the quality and the range they can cover
Scanning software can identify
• The company’s SSID
• The type of security enabled
• The signal strength
Indicating how close the AP is to the attacker
NetStumbler
Shareware tool written for Windows that enables you to detect WLANs
• Supports 802.11a, 802.11b, and 802.11g standards
NetStumbler was primarily designed to
• Verify your WLAN configuration
• Detect other wireless networks
• Detect unauthorized APs
NetStumbler is capable of interfacing with a GPS
• Enabling a security tester or hacker to map out locations of all the WLANs the software detects
NetStumbler logs the following information
• SSID • MAC address and manufacturer of the AP • Channel • Signal strength • Encryption
Can detect APs within a 350-foot radius
• With a good antenna, they can locate APs a couple of miles away
Kismet
Another product for conducting wardriving attacks
Runs on Linux, BSD, Mac OS X, and Linux PDAs
Kismet is advertised also as a sniffer and IDS
• Kismet can sniff 802.11b, 802.11a, and 802.11g traffic
Kismet features
• Ethereal- and Tcpdump-compatible data logging
• AirSnort compatible
• Network IP range detection
• Hidden network SSID detection
• Graphical mapping of networks
• Client-server architecture
• Manufacturer and model identification of APs and clients
• Detection of known default access point configurations
• XML output
• Supports 20 card types
Understanding Wireless Hacking
Hacking a wireless network is not much different from hacking a wired LAN
Techniques for hacking wireless networks
• Port scanning • Enumeration
Tools of the Trade
Equipment
• Laptop computer • A wireless NIC • An antenna • Sniffer software
AirSnort
Created by Jeremy Bruestle and Blake Hegerle
It is the tool most hackers wanting to access WEP-enabled WLANs use
AirSnort limitations
• Runs on either Linux or Windows (textbook is wrong)
• Requires specific drivers
• Not all wireless NICs function with AirSnort
See links Ch 11p, 11q
WEPCrack
Another open-source tool used to crack WEP encryption
• WEPCrack was released about a week before AirSnort
It also works on *NIX systems
WEPCrack uses Perl scripts to carry out attacks on wireless systems
• AirSnort is considered better (link Ch 11r)
Countermeasures for Wireless Attacks
Anti-wardriving software makes it more difficult for attackers to discover your wireless LAN
• Honeypots
Servers with fake data to snare intruders
• Fakeap and Black Alchemy Fake AP
Software that makes fake Access Points
Link Ch 11s
Use special paint to stop radio from escaping your building
Allow only predetermined MAC addresses and IP addresses to have access to the wireless LAN
• MAC and IP addresses travel in the clear and are easy to spoof, so this only raises the bar slightly
Use an authentication server instead of relying on a wireless device to authenticate users
Use an EAP authentication protocol
If you use WEP, use 104-bit encryption rather than 40-bit encryption
• But just use WPA instead (the key-recovery attacks on WEP work against both key sizes)
Assign static IP addresses to wireless clients instead of using DHCP
Don’t broadcast the SSID
• Neither of these stops an attacker who sniffs the traffic; they only defeat casual scanning
Place the AP in the demilitarized zone (DMZ) (image from wikipedia)
Last modified 4-15-07 5 pm
Chapter 12: Cryptography
Objectives
Describe the history of cryptography
Describe symmetric and asymmetric cryptography algorithms
Explain public key infrastructure (PKI)
Describe possible attacks on cryptosystems
Understanding Cryptography Basics
Cryptography is the process of converting plaintext into ciphertext
• Plaintext: readable text (also called cleartext)
• Ciphertext: unreadable or encrypted text
Cryptography is used to hide information from unauthorized users
Decryption is the process of converting ciphertext back to plaintext
History of Cryptography
Substitution cipher
• Replaces one letter with another letter based on a key
• Example: Julius Caesar’s Cipher
Used a key value of 3
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC
Cryptanalysis studies the process of breaking encryption algorithms
When a new encryption algorithm is developed, cryptanalysts study it and try to break it
• Or prove that it is impractical to break it (taking much time and many resources)
Enigma
Used by the Germans during World War II
• Replaced letters as they were typed
• Substitutions were computed using a key and a set of switches or rotors
• Image from Wikipedia (link Ch 12a)
Steganography
The process of hiding data in plain view in pictures, graphics, or text
• Example: changing colors slightly to encode individual bits in an image
The image on the left contains the image on the right hidden in it (link Ch 12c)
Algorithms
An algorithm is a mathematical function or program that works with a key
Security comes from
• A strong algorithm—one that cannot be reversed without the key
• A key that cannot be found or guessed
Keys (not in textbook)
A sequence of random bits
• The range of allowable values is called a keyspace
The larger the keyspace, the more secure the key
• 8-bit key has 2^8 = 256 values in keyspace
• 24-bit key has 2^24 = 16 million values
• 56-bit key has 2^56 = 7 x 10^16 values
• 128-bit key has 2^128 = 3 x 10^38 values
Brute Force (not in textbook) In 1997 a 56-bit key was broken by brute force
• Testing all possible 56-bit keys • Used 14,000 machines organized via the Internet • It took 3 months • See link Ch 12d
How Many Bits Do You Need? (not in textbook) How many keys could all the computers on Earth test in a year?
• Pentium 4 processor: 10^9 cycles per second • One year = 3 x 10^7 seconds • There are fewer than 10^10 computers on Earth
One per person • 10^9 x 3 x 10^7 x 10^10 = 3 x 10^26 calculations • 128 bits should be enough (3 x 10^38 values)
Unless computers get much faster, or someone breaks the algorithm
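Added example (not from the textbook or the course slides): the Caesar shift from the table above, an exhaustive search over its 26 keys, and the keyspace arithmetic from the brute-force section, written in Python. The 26-letter alphabet, the crib word used to recognize the right key, and the assumption of one key test per processor cycle are the example's own choices.

```python
import string
from typing import Optional

ALPHABET = string.ascii_uppercase


def caesar_shift(text: str, key: int) -> str:
    """Substitution cipher: replace each letter with the letter `key` places
    later in the alphabet (key 3 maps A->D, as in the lecture's table).
    Letters keep their case; anything that is not a letter passes through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    return caesar_shift(ciphertext, -key)


def caesar_exhaustive_search(ciphertext: str, crib: str) -> Optional[int]:
    """Cryptanalysis by trying every key. There are only 26 possible keys,
    so a word expected in the plaintext (the crib) is enough to pick the
    right one after at most 26 trial decryptions."""
    for key in range(26):
        if crib in caesar_decrypt(ciphertext, key):
            return key
    return None


def keyspace_size(bits: int) -> int:
    """Number of distinct keys of the given length: 2^bits."""
    return 2 ** bits


# Figures taken from the lecture: 10^9 cycles per second per processor,
# 3 x 10^7 seconds per year, fewer than 10^10 computers on Earth.
# Assumption (the lecture's as well): one key test per cycle.
KEYS_PER_YEAR_ALL_COMPUTERS = 10**9 * 3 * 10**7 * 10**10  # 3 x 10^26


def years_to_exhaust(bits: int, keys_per_year: int = KEYS_PER_YEAR_ALL_COMPUTERS) -> float:
    """Worst-case years to try every key of this length at the given rate."""
    return keyspace_size(bits) / keys_per_year


if __name__ == "__main__":
    ct = caesar_shift("MEET AT THE BRIDGE", 17)
    print(ct, "->", caesar_exhaustive_search(ct, "BRIDGE"))
    for bits in (8, 24, 56, 128):
        print(f"{bits:3d}-bit key: {keyspace_size(bits):.1e} keys, "
              f"{years_to_exhaust(bits):.1e} years for every computer on Earth")
```

The two halves make the same point from opposite ends: a 26-key cipher falls to a loop of 26 iterations, while a 128-bit key at the lecture's planet-wide rate still needs on the order of 10^12 years, which is why key length, not secrecy of the algorithm, carries the security.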
Symmetric Cryptography
Symmetric Cryptography Algorithms Symmetric algorithms have one key that
encrypts and decrypts data Advantages
• Symmetric algorithms are fast • They are difficult to break if a
large key size is used • Only one key needed
Disadvantages • Symmetric keys must remain
secret • Difficult to deliver keys (key
distribution) • Symmetric algorithms don’t
support authenticity or nonrepudiation
You can’t know for sure who sent the message, since two people have the same key
Types of symmetric algorithms • Stream ciphers
Operate on plaintext one bit at a time • Block ciphers
Operate on blocks of plaintext DeCSS Commercial DVDs are encoded with a 40-bit key
• It’s simple to crack it by brute force • Three hackers did that in 1999
See links Ch 12e, 12f • Legislation such as the DMCA made it illegal to publish the algorithm
See Illegal Prime Number (Link Ch 12g)
Data Encryption Standard (DES) National Institute of Standards and Technology (NIST)
• Wanted a means of protecting sensitive but unclassified data • Invited vendors in early 1970 to submit data encryption algorithms
IBM proposed Lucifer • A 128-bit encryption algorithm
The National Security Agency (NSA) reduced the key size from 128 bits to 64 bits and created DES
• Only 56 bits of the key are actually used In 1988, NSA thought the standard was at risk of being broken In 1997, a DES key was broken in 3 months In 1998, the EFF built a computer system that cracked a DES key in 3 days
• Link Ch 12h Triple DES (3DES) Triple Data Encryption System (3DES) served as a quick fix to the vulnerabilities of DES 3DES performs three DES encryptions, 2^56 times stronger than DES
• More secure but slower to compute See link Ch 12i
Advanced Encryption Standard (AES) Became effective in 2002 as a standard
• The process took 5 years Block cipher that operates on 128-bit blocks of plaintext Keys can be 128, 192, or 256 bits Uses the Rijndael algorithm
• Link Ch 12j International Data Encryption Algorithm (IDEA) Block cipher that operates on 64-bit blocks of plaintext It uses a 128-bit key Developed by Xuejia Lai and James Massey
• Designed to work more efficiently in computers used at home and in businesses IDEA is free for noncommercial use
• It is included in PGP encryption software Blowfish Block cipher that operates on 64-bit blocks of plaintext The key length can be as large as 448 bits Developed by Bruce Schneier RC5 Block cipher that can operate on different block sizes: 32, 64, and 128 The key size can reach 2048 bits Created by Ronald L. Rivest in 1994 for RSA Data Security Cracking RC5 56-bit and 64-bit key RC5s have already been cracked The RC5-72 project is underway, trying to crack a 72-bit key
• At the current rate, it will take 1000 years Links Ch 12l, 12m
Asymmetric Cryptography Algorithms
Use two keys that are mathematically related
• Data encrypted with one key can be decrypted only with the other key
Another name for asymmetric key cryptography is public key cryptography
• Public key: known by the public
• Private key: known only by owner
Asymmetric Cryptography Provides message authenticity and
nonrepudiation • Authenticity validates the sender of a message • Nonrepudiation means a user cannot deny sending a message
Asymmetric algorithms are more scalable but slower than symmetric algorithms • Scalable: can adapt to larger networks • Each person needs only one key pair
Everyone can use the same public key to send you data Each person signs messages with their own private key
RSA Developed in 1977 by Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman The algorithm is based on the difficulty of factoring large numbers The Secure Socket Layer (SSL) protocol uses the RSA algorithm Diffie-Hellman Developed by Whitfield Diffie and Martin Hellman Does not provide encryption but is used for key exchange
• Two parties agree on a key without ever sending it directly over the network • The numbers transmitted can be used to compute the key, but only by the parties holding secret
private numbers Prevents sniffing attacks (link Ch 12 Elliptic Curve Cryptosystems (ECC) It is an efficient algorithm requiring few resources
• Memory • Disk space • Bandwidth
ECC is used for encryption as well as digital signatures and key distribution Elgamal Public key algorithm used to
• Encrypt data • Create digital signature • Exchange secret keys
Written by Taher Elgamal in 1985 The algorithm uses discrete logarithm problems
• Solving a discrete logarithm problem can take many years and require CPU-intensive operations
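Added example (not from the textbook or the course slides): the Diffie-Hellman exchange described above, showing both parties' messages, what a sniffer sees on the wire, and the discrete-logarithm work the sniffer would have to do. The prime 23 and generator 5 are toy textbook values chosen so every step is visible; real deployments use primes of 2048 bits or more.

```python
import secrets
from typing import Dict, Optional, Tuple

# Toy parameters (textbook values): a tiny prime p and generator g so that
# every step, including the eavesdropper's discrete-log search, is visible.
P = 23
G = 5


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """Public value g^private mod p; this is what goes over the network."""
    return pow(g, private, p)


def dh_shared(their_public: int, my_private: int, p: int = P) -> int:
    """Shared key: (g^b)^a = (g^a)^b mod p, computed by each side on its own."""
    return pow(their_public, my_private, p)


def dh_exchange(p: int = P, g: int = G) -> Tuple[Dict[str, int], int, int]:
    """Run one exchange. Returns what a sniffer sees on the wire plus the
    key each party derived; the private exponents never leave the parties."""
    a = secrets.randbelow(p - 2) + 1  # Alice's private number, 1..p-2
    b = secrets.randbelow(p - 2) + 1  # Bob's private number
    A = dh_public(a, p, g)            # Alice -> Bob
    B = dh_public(b, p, g)            # Bob -> Alice
    on_the_wire = {"p": p, "g": g, "A": A, "B": B}
    return on_the_wire, dh_shared(B, a, p), dh_shared(A, b, p)


def discrete_log_by_trial(wire: Dict[str, int]) -> Optional[int]:
    """The work a sniffer faces: recover a from A = g^a mod p by trying every
    exponent. Cost grows with p, which is why real groups use 2048-bit primes."""
    p, g, A = wire["p"], wire["g"], wire["A"]
    for a in range(1, p):
        if pow(g, a, p) == A:
            return a
    return None


if __name__ == "__main__":
    wire, alice_key, bob_key = dh_exchange()
    print("seen on the wire:", wire)
    print("Alice's key:", alice_key, " Bob's key:", bob_key)
```

Nothing secret is transmitted: the wire carries p, g, A and B only, and both sides arrive at the same key without sending it. The trial search shows the sniffer's only route, and with p = 23 it takes at most 22 multiplications; the same loop over a 2048-bit prime is the "many years and CPU-intensive operations" the notes refer to.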
Digital Signatures A hash value ensures that the message was not altered in transit (integrity) Provides message integrity, authenticity and nonrepudiation
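Added example (not from the textbook or the course slides): a textbook RSA signature in Python, hashing the message with SHA-256 and signing the digest, so that a changed message or a changed signature fails verification. The two 16-bit primes are a toy choice made so that the final step, factoring the modulus to rebuild the private key, is visible; reducing the digest modulo n stands in for the padding a real scheme would apply.

```python
import hashlib
import math
from typing import Optional, Tuple

# Toy key: two 16-bit primes so factoring the modulus is feasible below and
# the "security rests on factoring" point can be demonstrated, not just stated.
P, Q, E = 65521, 65537, 17

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def rsa_keygen(p: int = P, q: int = Q, e: int = E) -> Tuple[PublicKey, PrivateKey]:
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest_as_int(message: bytes, n: int) -> int:
    # Sign the hash, not the message: SHA-256 digest reduced into the modulus
    # (the reduction is a toy simplification; real schemes use a padding standard).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(message: bytes, private_key: PrivateKey) -> int:
    n, d = private_key
    return pow(_digest_as_int(message, n), d, n)


def rsa_verify(message: bytes, signature: int, public_key: PublicKey) -> bool:
    """Anyone with the public key can check: sig^e mod n must equal the hash.
    A changed message or a changed signature fails (integrity, authenticity)."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message, n)


def rsa_encrypt(m: int, public_key: PublicKey) -> int:
    n, e = public_key
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key: PrivateKey) -> int:
    n, d = private_key
    return pow(c, d, n)


def factor_modulus(n: int) -> Optional[Tuple[int, int]]:
    """Trial division: instant for a toy modulus, infeasible for a 2048-bit one.
    Whoever factors n can rebuild d and forge signatures."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    sig = rsa_sign(b"pay Bob $100", priv)
    print("valid:", rsa_verify(b"pay Bob $100", sig, pub))
    print("tampered:", rsa_verify(b"pay Bob $900", sig, pub))
    print("factors:", factor_modulus(pub[0]))
```

Only the private key can produce a signature that the public key accepts, which is the nonrepudiation property; the hash step is what gives the integrity property, since any change to the message changes the digest the verifier computes.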
Digital Signature Standard (DSS) Established by the NIST in 1991
• Ensures that digital signatures rather than written signatures can be verified Federal government requirements
• RSA and Digital Signature Algorithm (DSA) must be used for all digital signatures • Hashing algorithm must be used to ensure the integrity of the message
NIST required that the Secure Hash Algorithm (SHA) be used Pretty Good Privacy (PGP) Developed by Phil Zimmerman as a free e-mail encryption program
• Zimmerman was almost arrested for his innovation • Back in the mid-1990s, any kind of “unbreakable” encryption was seen as a weapon and compared
to selling arms to the enemy PGP is a free public key encryption program
PGP uses certificates similar to those in public key infrastructure (PKI)
• PGP does not use a centralized CA • Verification of a CA is not as efficient as PKI
Algorithms supported by PGP • IDEA • RSA • DSA • Message Digest 5 (MD5) • SHA-1
Secure Multipurpose Internet Mail Extension (S/MIME) Is another public key encryption standard used to encrypt and digitally sign e-mail Can encrypt e-mail messages containing attachments Can use PKI certificates for authentication S/MIME version 2 defined in RFC 2311 S/MIME version 3 defined in RFC 2633 Privacy-Enhanced Mail (PEM) Internet standard that is compatible with both symmetric and asymmetric methods of encryption Can use the X.509 certificate standards and encrypt messages with DES Not used as much today
• MIME Object Security Services (MOSS) is a newer implementation of PEM
Hashing Algorithms
Take a variable-length message and produce a fixed-length value called a message digest A hash value is equivalent to a fingerprint of the message
• If the message is changed later, the hash value changes Collisions If two different messages produce the same hash value, it results in a collision
• A good hashing algorithm must be collision-free Hashing Algorithms SHA-1 is one of the most popular hashing algorithms
• SHA-1 has been broken • Collisions were found in 2004 and 2005 (link Ch 12p) • As of March 15, 2005, the NIST recommends not using SHA applications • But there are collisions in MD5 too • SHA-256 hasn’t been broken yet
See link Ch 12q
Summary of Cryptographic Algorithms
Symmetric Algorithms (Private-key)
• DES: 56-bit key. Insecure because key is too short
• 3DES: 168-bit key. As secure as 112-bit key, not yet broken. Being replaced by AES
• AES: 128, 192, or 256-bit key. Uses 128-bit blocks and the Rijndael algorithm. Approved for US Govt classified information
• IDEA: 128-bit key. Uses 64-bit blocks, used in PGP, very secure
• Blowfish: 32 bits to 448 bits. Uses 64-bit blocks, developed by Bruce Schneier. Public domain
• RC5: 0 bits to 2040 bits. Block size can be 32, 64, or 128 bits. 56-bit and 64-bit key versions have been cracked; 72-bit version has not been cracked
Asymmetric Algorithms (Public-key)
• Diffie-Hellman: Key exchange only, not encryption
• RSA: Secure, used by SSL
• ECC: Efficient newer technique
• Elgamal: Used in GPG and PGP
Hashing Algorithms
• MD2: Written for 8-bit machines, no longer secure
• MD4: No longer secure
• MD5: Security is questionable now
• SHA-1: The successor to MD5, used in TLS, SSL, PGP, SSH, S/MIME, and IPsec. It has been broken so it's no longer completely secure
• SHA-2: Not yet broken, but no longer recommended. The NIST is now developing a new algorithm to replace SHA.
Public Key Infrastructure (PKI)
Not an algorithm A structure that consists of programs, protocols, and security protocols Uses public key cryptography Enables secure data transmission over the Internet
PKI Components
Certificate: a digital document that verifies the identity of an entity
• Contains a unique serial number and must follow the X.509 standard
Public keys are issued by a certification authority (CA)
A certificate that the CA issues to a company binds a public key to the recipient’s private key
Certificate Expiration and Renewal A period of validity is assigned to
each certificate • After that date, the
certificate expires A certificate can be renewed with a new expiration date assigned
• If the keys are still valid and remain uncompromised Certificate Revocation and Suspension Reasons to suspend or revoke a certificate
• A user leaves the company • A hardware crash causes a key to be lost • A private key is compromised
Revocation is permanent Suspension can be lifted Certificate Revocation List (CRL)
• Contains all revoked and suspended certificates • Issued by CAs
Backing Up Keys Backing up keys is critical
• If keys are destroyed and not backed up properly, encrypted business-critical information might be irretrievable
Trusted Root CAs The CA is usually responsible for backing up keys
• A key recovery policy is also part of the CA’s responsibility
Microsoft Root CA You can set up your own
Certificate Authority Server Windows Server 2003
or Windows 2000 Server
Install the Certificate Services
Note that after installing this service the name of the domain or computer cannot change
Specify options to generate
certificates, including • Cryptographic Service
Provider • Hash algorithm • Key length
Understanding Cryptographic Attacks
Sniffing and port scanning are passive attacks – just watching Active attacks attempt to determine the secret key being used to encrypt plaintext Cryptographic algorithms are usually public
• Follows the open-source culture • Except for the NSA, the CIA, etc.
Birthday Attack If 23 people are in the room, what is the chance that they all have different birthdays? Only about 49%, so there’s a 51% chance that two of them have the same birthday See link Ch 12r If there are N possible hash values,
• You’ll find collisions when you have calculated 1.2 x sqrt(N) values
SHA-1 uses a 160-bit key • Theoretically, it would require 2^80 computations to break • SHA-1 has already been broken, because of other weaknesses
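Added example (not from the textbook or the course slides), covering both the Hashing Algorithms section and the Birthday Attack section above: the fingerprint property of a hash, the 23-people birthday calculation, and the 1.2 x sqrt(N) collision rule checked empirically. The collision search runs against SHA-256 truncated to 24 bits, a constructed choice that makes N small enough (about 16.7 million values) to find a collision in a few thousand hashes; the inputs are constructed counter strings.

```python
import hashlib
import itertools
import math
from typing import Dict, Tuple


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Fixed-length fingerprint of a variable-length message."""
    return hashlib.new(algorithm, data).hexdigest()


def birthday_probability(people: int, days: int = 365) -> float:
    """P(at least two of `people` share a birthday) = 1 - P(all distinct)."""
    all_distinct = 1.0
    for i in range(people):
        all_distinct *= (days - i) / days
    return 1.0 - all_distinct


def expected_trials_for_collision(n_values: int) -> float:
    """The lecture's rule of thumb: about 1.2 * sqrt(N) hashes."""
    return 1.2 * math.sqrt(n_values)


def truncated_sha256(data: bytes, bits: int) -> int:
    """Keep only the top `bits` bits of SHA-256, giving N = 2^bits values.
    Shortening the digest is what makes a collision cheap to find here."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_collision(bits: int) -> Tuple[int, bytes, bytes]:
    """Hash distinct inputs until two share a truncated digest.
    Returns (number of hashes computed, first input, second input)."""
    seen: Dict[int, bytes] = {}
    for i in itertools.count():
        msg = f"message-{i}".encode()  # constructed inputs
        h = truncated_sha256(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    raise AssertionError("unreachable")


if __name__ == "__main__":
    print(digest_hex(b"hello"))
    print(digest_hex(b"hellp"))  # one character changed: every hex digit moves
    print(f"23 people: {birthday_probability(23):.1%}")
    bits = 24
    trials, m1, m2 = find_collision(bits)
    print(f"{bits}-bit digest: expected ~{expected_trials_for_collision(2**bits):.0f}, "
          f"found {m1!r} == {m2!r} after {trials} hashes")
```

The number of hashes needed lands near 1.2 x sqrt(2^24), roughly 4,900, not near 2^24: collisions cost about the square root of the keyspace, which is why the notes quote 2^80 for a 160-bit digest rather than 2^160.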
Mathematical Attacks Properties of the algorithm are attacked by using mathematical computations Categories
• Ciphertext-only attack The attacker has the ciphertext of several messages but not the plaintext Attacker tries to find out the key and algorithm used to encrypt the messages Attacker can capture ciphertext using a sniffer program such as Ethereal or Tcpdump
Categories • Known plaintext attack
The attacker has messages in both encrypted form and decrypted forms This attack is easier to perform than the ciphertext-only attack Looks for patterns in both plaintext and ciphertext
• Chosen-plaintext attack The attacker has access to plaintext and ciphertext Attacker has the ability to choose which message to encrypt
Categories (continued) • Chosen-ciphertext attack
The attacker has access to the ciphertext to be decrypted and to the resulting plaintext Attacker needs access to the cryptosystem to perform this type of attack
Brute Force Attack An attacker tries to guess passwords by attempting every possible combination of letters
• Requires lots of time and patience • Password-cracking programs that can use brute force
John the Ripper Cain and Abel Ophcrack
Also uses memory to save time – “Rainbow tables” Man-in-the-Middle Attack Victim sends public key to Server
• Attacker generates two “false” key pairs • Attacker intercepts the genuine keys and
send false keys out • Both parties send encrypted traffic, but not
with the same keys These false keys won’t be verified by a CA Dictionary Attack Attacker uses a dictionary of known words to try to guess passwords
• There are programs that can help attackers run a dictionary attack Programs that can do dictionary attacks
• John the Ripper • Cain and Abel
Replay Attack The attacker captures data and attempts to resubmit the captured data
• The device thinks a legitimate connection is in effect If the captured data was logon information, the attacker could gain access to a system and be authenticated Most authentication systems are resistant to replay attacks
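Added example (not from the textbook or the course slides): a logon exchange in Python that shows why most authentication systems resist replay. The server issues a fresh random nonce per logon and accepts each nonce once, so a captured (nonce, answer) pair is refused the second time; a static-password logon is shown beside it for contrast, where the captured bytes work again. The user name, shared key and password are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple

# Constructed data: one user sharing a secret key with the server.
SHARED_KEYS: Dict[str, bytes] = {"alice": b"constructed-demo-key"}


class ChallengeResponseServer:
    """Logon scheme that resists replay: every logon answers a fresh random
    nonce, and a nonce is accepted once only, so a captured answer is useless."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys
        self.outstanding: Dict[str, bytes] = {}   # user -> nonce we are waiting on
        self.consumed: Set[bytes] = set()         # nonces already answered

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        if user not in self.keys or nonce in self.consumed:
            return False                     # unknown user, or replay of an old answer
        if self.outstanding.get(user) != nonce:
            return False                     # not the challenge we issued
        expected = hmac.new(self.keys[user], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self.consumed.add(nonce)
        del self.outstanding[user]
        return True


def client_answer(key: bytes, nonce: bytes) -> bytes:
    """The client proves it holds the key without ever sending the key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_against_challenge_response() -> Tuple[bool, bool]:
    """Legitimate logon, then the same captured (nonce, answer) resubmitted."""
    server = ChallengeResponseServer(SHARED_KEYS)
    nonce = server.challenge("alice")
    captured = client_answer(SHARED_KEYS["alice"], nonce)   # what a sniffer records
    first = server.verify("alice", nonce, captured)
    replayed = server.verify("alice", nonce, captured)
    return first, replayed


def replay_against_static_password() -> Tuple[bool, bool]:
    """Contrast: a logon that sends the same credential every time. The
    captured bytes work again because nothing ties them to one session."""
    stored_hash = hashlib.sha256(b"constructed-password").hexdigest()

    def check(credential: bytes) -> bool:
        return hashlib.sha256(credential).hexdigest() == stored_hash

    captured = b"constructed-password"        # what the sniffer recorded
    return check(captured), check(captured)   # accepted both times
```

The difference is not the hashing but the nonce: the first scheme's answer is only valid for one challenge the server itself generated, so "the device thinks a legitimate connection is in effect" cannot happen from recorded traffic alone.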
Password Cracking Password cracking is illegal in the United States
• It is legal to crack your own password if you forgot it You need the hashed password file
• /etc/passwd or /etc/shadow for *NIX • The SAM database in Windows
Then perform dictionary or brute-force attacks on the file Password cracking programs John the Ripper Hydra (THC) EXPECT L0phtcrack Pwdump3v2 Ophcrack does it all for you – gathering the SAM database and cracking it
Last modified 11-6-08
Chapter 13: Protecting Networks with Security Devices
CNIT 123 – Bowne Page 1 of 1
Objectives
Describe network security devices Describe firewall technology Describe intrusion detection systems Describe honeypots
Routers
Router
Routers are like intersections; switches are like streets
• Image from Wikipedia (link Ch 13a)
Understanding Routers Routers are hardware devices used on a
network to send packets to different network segments
• Operate at the network layer of the OSI model
Routing Protocols Routers tell one another what paths are available with Routing Protocols
• Link-state routing protocol Each router has complete information about every
network link Example: Open Shortest Path First (OSPF)
• Distance-vector routing protocol Routers only know which direction to send
packets, and how far Example: Routing Information Protocol (RIP)
Cisco Routers Image from cisco.com (link Ch 13b) Understanding Basic Hardware Routers Cisco routers are widely used in the networking
community • More than one million Cisco 2500 series
routers are currently being used by companies around the world Vulnerabilities exist in Cisco as they do in any operating system
• See link Ch 13c Cisco Router Components Internetwork Operating System (IOS) Random access memory (RAM)
• Holds the router’s running configuration, routing tables, and buffers • If you turn off the router, the contents stored in RAM are wiped out
Nonvolatile RAM (NVRAM) • Holds the router’s configuration file, but the information is not lost if the router is turned off
Flash memory • Holds the IOS the router is using • Is rewritable memory, so you can upgrade the IOS
Read-only memory (ROM) • Contains a minimal version of the IOS used to boot the router if flash memory gets corrupted
Interfaces • Hardware connectivity points • Example: an Ethernet port is an interface that connects to a LAN
Michael Lynn He presented a major Cisco security vulnerability at the Black Hat security conference in 2005
He lost his job, was sued, conference materials were confiscated, etc.
• See links Ch 13 d, e, f, g
Cisco IOS is controlled from the command line The details are not included in this class Skip pages 324-329
Understanding Firewalls
Firewalls are hardware devices or software installed on a system and have two purposes • Controlling access to all traffic that enters an internal network • Controlling all traffic that leaves an internal network
Hardware Firewalls Advantage of hardware firewalls
• Faster than software firewalls (more throughput)
Disadvantages of hardware firewalls • You are limited by the
firewall’s hardware Number of interfaces, etc.
• Usually filter incoming traffic only (link Ch 13i)
Software Firewalls Advantages of software firewalls
• Customizable: can interact with the user to provide more protection
• You can easily add NICs to the server running the firewall software
Software Firewalls Disadvantages of software firewalls
• You might have to worry about configuration problems
• They rely on the OS on which they are running
Firewall Technologies Network address translation (NAT) Access control lists (Packet filtering) Stateful packet inspection (SPI) Network Address Translation (NAT) Internal private IP addresses are mapped
to public external IP addresses • Hides the internal infrastructure
Port Address Translation (PAT) • This allows thousands of
internal IP addresses to be mapped to one external IP address
• Each connection from the private network is mapped to a different public port
Access Control Lists A series of rules to control traffic Criteria
• Source IP address • Destination IP address • Ports or services • More possibilities
Same as “Packet Filtering”
Stateful Packet Inspection (SPI) Stateful packet filters examine the current state of the network
• If you have sent a request to a server, packets from that server may be allowed in • Packets from the same server might be blocked if no request was sent first
State Table Stateful firewalls
maintain a state table showing the current connections
ACK Port scan Used to get
information about a firewall
Stateful firewalls track connection and block unsolicited ACK packets Stateless firewalls only block incoming SYN packets, so you get a RST response We covered this in chapter 5 Stateful Packet Inspection (SPI) Stateful packet filters recognize types of anomalies that most routers ignore Stateless packet filters handle each packet on an individual basis
• This makes them less effective against some attacks Implementing a Firewall Using only one firewall between a company’s internal network and the Internet is dangerous
• It leaves the company open to attack if a hacker compromises the firewall
Use a demilitarized zone instead Demilitarized Zone (DMZ) DMZ is a small network
containing resources available to Internet users
• Helps maintain security on the company’s internal network
Sits between the Internet and the internal network
It is sometimes referred to as a “perimeter network”
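Added example (not from the textbook or the course slides), for the Access Control Lists and Stateful Packet Inspection sections above: a stateless packet filter and a stateful firewall with a state table, run over the same constructed traffic. The internal network prefix, the addresses and the four packets are constructed; the last packet is the unsolicited ACK of the ACK scan the notes refer back to.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

INTERNAL_PREFIX = "192.168.1."   # constructed internal network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str            # TCP flags, e.g. "SYN", "SYN/ACK", "ACK"

    def is_outbound(self) -> bool:
        return self.src_ip.startswith(INTERNAL_PREFIX)

    def has_flag(self, flag: str) -> bool:
        return flag in self.flags.split("/")


def stateless_acl(pkt: Packet) -> bool:
    """Packet filter with no memory: allow all outbound traffic; inbound is
    allowed only with ACK set (so replies get back) and inbound SYNs are
    blocked. Each packet is judged alone, so an unsolicited ACK passes."""
    if pkt.is_outbound():
        return True
    return pkt.has_flag("ACK")


class StatefulFirewall:
    """Keeps a state table of connections the inside opened; inbound packets
    are admitted only when they belong to an entry in that table."""

    def __init__(self) -> None:
        self.state: Set[Tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> bool:
        if pkt.is_outbound():
            if pkt.has_flag("SYN"):   # inside host opening a connection: record it
                self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state


# Constructed traffic: a normal web request, its reply, then an ACK probe
# from a host nobody inside has talked to (the ACK scan from chapter 5).
SAMPLE_TRAFFIC: List[Tuple[str, Packet]] = [
    ("client SYN to web server", Packet("192.168.1.10", 51000, "203.0.113.10", 80, "SYN")),
    ("web server SYN/ACK reply", Packet("203.0.113.10", 80, "192.168.1.10", 51000, "SYN/ACK")),
    ("client ACK completes handshake", Packet("192.168.1.10", 51000, "203.0.113.10", 80, "ACK")),
    ("unsolicited ACK probe", Packet("198.51.100.7", 4444, "192.168.1.10", 80, "ACK")),
]


def run_both_filters() -> Dict[str, Tuple[bool, bool]]:
    """Returns {description: (stateless decision, stateful decision)}."""
    fw = StatefulFirewall()
    return {desc: (stateless_acl(p), fw.filter(p)) for desc, p in SAMPLE_TRAFFIC}


if __name__ == "__main__":
    for desc, (stateless, stateful) in run_both_filters().items():
        print(f"{desc:32s} stateless={'allow' if stateless else 'block'} "
              f"stateful={'allow' if stateful else 'block'}")
```

Both filters admit the legitimate request and reply. The probe is where they differ: the stateless rule sees an ACK and lets it through, so the inside host answers with a RST and leaks the fact that the port is reachable, while the stateful firewall finds no matching state-table entry and drops it.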
Understanding the Private Internet Exchange (PIX) Firewall Cisco PIX firewall
• One of the most popular firewalls on the market Configuration of the PIX Firewall Working with a PIX firewall is similar to
working with any other Cisco router Login prompt
• If you are not authorized to be in this XYZ Hawaii network device,
• log out immediately! • User Access Verification • Password: • This banner serves a legal purpose • A banner that says “welcome” may prevent prosecution of hackers who enter
PIX Firewall Features One PIX can be used to create a DMZ
• See link Ch 13k PIX Firewall Features Unicast Reverse Path Forwarding
• Also known as "reverse route lookup"
• Checks to see that packets have correct source IP addresses
Flood Defender • Prevents SYN Floods • Only a limited number of "embryonic connections" are allowed
PIX Firewall Features FragGuard and Virtual Re-Assembly
• Re-assembles IP fragments to prevent some DoS attacks, like the Ping of Death and Teardrop Limits
• DNS Responses • ActiveX controls • Java applets
I skipped pages 333-336
Microsoft ISA Internet Security and
Acceleration (ISA) Microsoft’s software approach
to firewalls Microsoft Internet Security and
Acceleration (ISA) Server • Software that runs
on a Windows Server
• Functions as a software router, firewall, and IDS (Intrusion Detection System)
ISA protects your network from Internet threats
ISA lets remote users connect securely, handling authentication and encryption
Image from microsoft.com link Ch 13m
ISA has the same functionality as any hardware router
• Packet filtering to control incoming traffic
• Application filtering through the examination of protocols
• Intrusion detection filters • Access policies to control outgoing traffic
IP Packet Filters ISA enables administrators to filter IP traffic based on the following:
• Source and destination IP address • Network protocol, such as HTTP • Source port or destination port
ISA provides a GUI for these configurations • A network segment can be denied or allowed HTTP access in the Remote Computer tab
Denying access to port 80 for the specified subnet
Application Filters Can accept or deny data from specific
applications or data containing specific content
SMTP filter can restrict • E-mail with specific attachments • E-mail from a specific user or
domain • E-mail containing specific
keywords • SMTP commands
Email can also be filtered based on • Sender's name • Sender's domain • Keywords like VIAGRA or
Mortgage These techniques are not very
effective—spammers know how to defeat them
SMTP Commands tab • Administrator can prevent a user
from running SMTP commands FTP Access filter H.323 filter
• real-time multimedia conferences See link Ch 13n Intrusion Detection Filters Analyze all traffic for possible known
intrusions • DNS intrusion detection filter • POP filter • RPC filter • SMTP filter • SOCKS filter • Streaming Media filter • Web Proxy filter
Intrusion Detection Systems (IDSs)
Monitor network devices so that security administrators can identify attacks in progress and stop them An IDS looks at the traffic and compares it with known exploits
• Similar to virus software using a signature file to identify viruses Types
• Network-based IDSs • Host-based IDSs
Network-based IDSs • Monitor activity on network
segments • They sniff traffic and alert a
security administrator when something suspicious occurs
See link Ch 13o Host-based IDSs
• The software is installed on the server you’re attempting to protect, like antivirus software
• Used to protect a critical network server or database server
Passive and Active IDSs IDSs are categorized by how they react
when they detect suspicious behavior
• Passive systems Send out an alert and
log the activity Don't try to stop it
• Active systems Log events and send out
alerts Can also interoperate
with routers and firewalls to block the activity automatically
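Added example (not from the textbook or the course slides): a signature-matching network IDS in Python, run in passive mode (alert and log) and in active mode (also block the source, as an IDS wired to a firewall would). The three signatures and the four request payloads are constructed; the signatures stand in for the "signature file" the notes compare to antivirus software.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern


# Constructed signature file: byte patterns of well-known request abuses,
# in the spirit of an antivirus signature file.
SIGNATURES: List[Signature] = [
    Signature("directory traversal", re.compile(rb"\.\./")),
    Signature("sql injection", re.compile(rb"(?i)union\s+select|'\s*or\s+1=1")),
    Signature("command injection", re.compile(rb"[;|`]\s*(cat|id|ls)\b")),
]

# Constructed traffic: (source IP, application payload).
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1"),
    ("198.51.100.7", b"GET /../../etc/passwd HTTP/1.1"),
    ("10.0.0.9", b"GET /login?user=admin' OR 1=1-- HTTP/1.1"),
    ("198.51.100.7", b"GET /about.html HTTP/1.1"),
]


class NetworkIDS:
    """Signature-matching IDS. Passive: log and alert only. Active: also push
    a block for the offending source, as an IDS that drives a firewall would."""

    def __init__(self, active: bool) -> None:
        self.active = active
        self.alerts: List[Tuple[str, str]] = []    # (source IP, signature name)
        self.blocked: Set[str] = set()

    def inspect(self, src_ip: str, payload: bytes) -> str:
        """Returns 'allow', 'alert' (passive) or 'block' (active)."""
        if src_ip in self.blocked:
            return "block"                       # earlier active response still in force
        for sig in SIGNATURES:
            if sig.pattern.search(payload):
                self.alerts.append((src_ip, sig.name))
                if self.active:
                    self.blocked.add(src_ip)
                    return "block"
                return "alert"
        return "allow"


def run_ids(active: bool) -> List[str]:
    """Decision per packet for the sample traffic in the given mode."""
    ids = NetworkIDS(active)
    return [ids.inspect(ip, payload) for ip, payload in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    print("passive:", run_ids(active=False))
    print("active: ", run_ids(active=True))
```

The fourth request is harmless on its own; in passive mode it is allowed and only the two alerts reach the administrator, while in active mode it is dropped because its source was already blocked. Both modes miss anything not in the signature list, which is the limit of comparing traffic with known exploits.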
Understanding Honeypots
Honeypot • Computer placed on the perimeter of a network • Contains information intended to lure and then trap hackers
Computer is configured to have vulnerabilities Goal
• Keep hackers connected long enough so they can be traced back How They Work A honeypot appears to have
important data or sensitive information stored on it
• Could store fake financial data that tempts hackers to attempt browsing through the data
Hackers will spend time attacking the honeypot
• And stop looking for real vulnerabilities in the company’s network
Honeypots also enable security professionals to collect data on attackers
Virtual honeypots • Honeypots created
using software solutions instead of hardware devices
• Example: Honeyd Project Honey Pot Web masters install software on
their websites When spammers harvest email
addresses from sites, HoneyNet's servers record the IP of the harvester
• Can help prosecute the spammers and block the spam
Link Ch 13p Uses a Capture Server and one or more Capture Clients
• The clients run in virtual machines • Clients connect to suspect Web servers • If the client detects an infection, it alerts the Capture Server and restores itself to a clean state • The server gathers data about malicious websites
See link Ch 13q
Last modified 6-4-09
Lecture 14: More Wireless Hacking – Cracking Wired Equivalent Privacy (WEP)
CNIT 123 – Bowne Page 1 of 4
Legal Concerns Defeating security to enter a network without permission is clearly illegal
• Even if the security is weak Sniffing unencrypted wireless traffic may also be illegal
• It could be regarded as an illegal wiretap • The situation is unclear, and varies from state to state • In California, privacy concerns tend to outweigh other considerations • See links l14v, l14w
Equipment
Wireless Network Interface Cards (NICs) and Drivers The Goal All wireless NICs can connect to an Access Point But hacking requires more than that, because we need to do
• Sniffing – collecting traffic addressed to other devices • Injection – transmitting forged packets which will appear to be from other devices
Windows v. Linux The best wireless hacking software is written in Linux
• The Windows tools are inferior, and don't support packet injection But all the wireless NICs are designed for Windows
• And the drivers are written for Windows • Linux drivers are hard to find and confusing to install
Wireless NIC Modes There are four modes a NIC can use
• Master mode • Managed mode • Ad-hoc mode • Monitor mode
See link l_14j Master Mode
• Also called AP or Infrastructure mode
• Looks like an access point • Creates a network with
A name (SSID) A channel
Managed Mode • Also called Client mode • The usual mode for a Wi-Fi laptop • Joins a network created by a master • Automatically changes channel to match the master • Presents credentials, and if accepted,
becomes associated with the master Ad-hoc Mode
• Peer-to-peer network • No master or Access Point • Nodes must agree on a channel and SSID
Monitor Mode • Does not associate with Access Point • Listens to traffic • Like a wired NIC in Promiscuous
Mode Wi-Fi NICs To connect to a Wi-Fi network, you need a
Network Interface Card (NIC) PCMCIA The most common type is the PCMCIA card
• Designed for laptop computers USB
• Can be used on a laptop or desktop PC PCI
• Installs inside a desktop PC Choosing a NIC For penetration testing (hacking), consider these factors:
• Chipset • Output power • Receiving sensitivity • External antenna connectors • Support for 802.11i and improved WEP
versions Wi-Fi NIC Manufacturers Each wireless card has two manufacturers
• The card itself is made by a company like Netgear Ubiquiti Linksys D-Link many, many others
• But the chipset (control circuitry) is made by a different company Chipsets To find out what chipset your card uses, you must search on the Web
USB
PCI
PCMCIA
• Card manufacturers don't want you to know
Major chipsets: • Prism • Cisco Aironet • Hermes/Orinoco • Atheros
There are others
Prism Chipset Prism chipset is a favorite among hackers
• Completely open -- specifications available • Has more Linux drivers than any other
chipset See link l_14d
Prism chipset is the best choice for penetration testing
HostAP Linux Drivers are highly recommended, supporting:
• NIC acting as an Access Point • Use of the iwconfig command to
configure the NIC See link l_14h
Cisco Aironet Chipset Cisco proprietary – not open Based on Prism, with more features
• Regulated power output • Hardware-based channel-
hopping Very sensitive – good for wardriving
• Cannot use HostAP drivers • Not useful for man-in-the-
middle or other complex attacks
Hermes Chipset Lucent proprietary – not open Lucent published some source code for WaveLAN/ORiNOCO cards Useful for all penetration testing, but require
• Shmoo driver patches (link l_14l) to use monitor mode Atheros Chipset The most common chipset in 802.11a devices
• Best Atheros drivers are MadWIFI (link l_14m) • Some cards work better than others • Monitor mode is available, at least for some cards
Other Cards If all else fails, you could use Windows drivers with a wrapper to make them work in Linux
• DriverLoader (link l_14n) • NdisWrapper (link l_14o)
But all you'll get is basic functions, not monitor mode or packet injection • Not much use for hacking
Cracking WEP: Tools and Principles
A Simple WEP Crack The Access Point and Client are using WEP
encryption The hacker device just listens
Listening is Slow You need to capture 50,000 to 200,000 "interesting" packets to crack a 64-bit WEP key
• The "interesting" packets are the ones containing Initialization Vectors (IVs) • Only about ¼ of the packets contain IVs • So you need 200,000 to 800,000 packets
It can take hours or days to capture that many packets
Packet Injection A second hacker machine injects packets to create
more "interesting" packets Injection is MUCH Faster With packet injection, the listener can collect 200
IVs per second 5 – 10 minutes is usually enough to crack a 64-bit
key Cracking a 128-bit key takes an hour or so
• Link l_14r AP & Client Requirements Access Point
• Any AP that supports WEP should be fine (they all do) Client
• Any computer with any wireless card will do • Could use Windows or Linux
Listener Requirements NIC must support Monitor Mode Could use Windows or Linux
• But you can't use NDISwrapper Software
• Airodump (part of the Aircrack Suite) for Windows or Linux (see Link l_14q) • BackTrack is a live Linux CD with Aircrack on it (and many other hacking tools)
Link l_14n Injector Requirements NIC must support injection Must use Linux Software
• void11 and aireplay Link l_14q
Sources http://www.aircrack-ng.org/doku.php?id=compatible_cards (link l_14a) http://www.wi-foo.com/ (link l_14c) http://www.vias.org/wirelessnetw/wndw_05_04.html (link l_14j) http://smallnetbuilder.com/content/view/24244/98/ (link l_14p)
Last modified 5-11-09
Lecture 15: Man in the Middle Attack to get Passwords from HTTPS Sessions
How HTTPS Works
HTTP v. HTTPS HTTP doesn't encrypt data at all
• You can sniff traffic with Wireshark, ettercap, etc. • Completely insecure
HTTPS uses public-key encryption to secure data • Much safer, but it can still be cracked to some extent by a man-in-the-middle attack
Components of HTTPS When you use a secure
session (HTTPS), these protocols work together:
• Address Resolution Protocol (ARP)
• Domain Name System (DNS)
• Secure Sockets Layer (SSL) ARP Request and Reply Client wants to find Gateway ARP Request: Who has
192.168.2.1? ARP Reply:
• MAC: 00-30-bd-02-ed-7b has 192.168.2.1
Demonstration: Sniffing ARP with Wireshark Start Wireshark capturing packets Clear the ARP cache
• arp –d * Ping the default gateway
DNS Query and Response Client wants to find
Gmail.com DNS Query: Where is
Gmail.com? DNS Response:
• Gmail.com is at 64.233.171.83
Demonstration: Sniffing DNS with Wireshark Start Wireshark capturing packets Clear the DNS cache
• ipconfig /flushdns Ping Gmail.com
CNIT 123 – Bowne Page 1 of 1
SSL Handshake
SSL handshake has three stages:
• Hellos
• Certificate, Key Exchange, and Authentication
• "Change cipher spec" – handshake finished
The Gateway just forwards all this traffic to the Web server
Demonstration: Sniffing SSL Handshake with Wireshark
Start Wireshark capturing packets
Open a browser and go to yahoo.com
Click the My Mail button
(Wireshark capture screenshot, with packets labeled Hand, Hello, and Key)
Hand – these three packets are the TCP Handshake, which happens before the SSL handshake
Hello – these two packets are the Hellos, which start the SSL handshake
Key – these packets perform the last two stages of the SSL handshake:
• Certificate, Key Exchange, and Authentication
• "Change cipher spec" – handshake finished
Open a Socket to Port 443
This is the usual SYN, SYN/ACK, ACK TCP handshake
Port 443 is used for HTTPS
Hellos
Client sends Hello
Server sends Hello
• This exchange is used to agree on a protocol version and encryption method
Certificate, Key Exchange, and Authentication
Server sends Certificate
Client sends Public Key
Client Authenticates Certificate with Certificate Authority (not visible)
Change Cipher Spec
Server sends "Change Cipher Spec"
Client sends "Change Cipher Spec"
SSL Handshake is done, now client can send encrypted Application Data
Summary of HTTPS Process
SSL handshake has three stages:
• Hellos
• Certificate, Key Exchange, and Authentication
• "Change cipher spec" – handshake finished
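The three handshake stages summarized above, as an added example that is not part of the lecture: a small Python parser that splits one direction of a TCP stream into TLS records and labels each record with the stage it belongs to, run over a constructed server-side byte sequence. The record and handshake type values are the RFC 5246 ones; the sample bytes are an assumption for the demo, not a real capture.

```python
import struct
# TLS record content types and handshake message types (RFC 5246 values)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
KEY_STAGE = {"Certificate", "ServerKeyExchange", "ServerHelloDone", "ClientKeyExchange"}

def parse_tls_records(stream):
    """Split one direction of a TCP stream into (content_type, handshake_type, version) tuples."""
    records, offset, encrypted = [], 0, False
    while offset + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record at offset %d" % offset)
        name = CONTENT_TYPES.get(ctype, "Unknown(%d)" % ctype)
        sub = None
        if name == "Handshake" and body:
            sub = "Encrypted" if encrypted else HANDSHAKE_TYPES.get(body[0], "Unknown(%d)" % body[0])
        elif name == "ChangeCipherSpec":
            encrypted = True   # from here on the handshake type byte is ciphertext, not a type
        records.append((name, sub, "%d.%d" % (major, minor)))
        offset += 5 + length
    return records

def handshake_stage(record):
    """Map a parsed record onto the three stages named in the lecture."""
    name, sub, _ = record
    if sub in ("ClientHello", "ServerHello"):
        return "Hellos"
    if sub in KEY_STAGE:
        return "Certificate, Key Exchange, and Authentication"
    if name == "ChangeCipherSpec" or sub == "Encrypted":
        return "Change cipher spec"
    return "Application Data" if name == "ApplicationData" else "Other"

# Constructed sample: the server's half of a handshake, then one data record (not a real capture).
def _hs(htype, payload=b""):
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload
def _rec(ctype, body):
    return struct.pack("!BBBH", ctype, 3, 1, len(body)) + body
SAMPLE_SERVER_STREAM = (
    _rec(22, _hs(2, b"\x03\x01" + b"\x00" * 32))   # ServerHello (version + dummy random)
    + _rec(22, _hs(11, b"\x00\x00\x00"))           # Certificate (empty list, for brevity)
    + _rec(22, _hs(14))                            # ServerHelloDone
    + _rec(20, b"\x01")                            # ChangeCipherSpec
    + _rec(22, b"\xaa" * 40)                       # Finished, already encrypted
    + _rec(23, b"\xbb" * 16)                       # Application Data
)
```

Running the parser over both halves of a real capture reproduces the Hello / Key / Change-cipher-spec grouping the Wireshark screenshot shows, with the client's ClientHello and ClientKeyExchange appearing in the other direction.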
Man-in-the-Middle Attack
ARP Cache Poisoning
The Linux utility 'arpspoof' sends a constant series of ARP REPLIES
This diverts Ethernet traffic to the hacker
• Part of the 'dsniff' package
DNS Spoofing
The Linux utility 'dnsspoof' listens for DNS queries
Sends DNS responses that direct the client's Web traffic to the hacker
• Part of the 'dsniff' package
IP Routing
'fragrouter' can forward packets to their correct destination
That allows normal Web surfing (HTTP)
• Part of the 'dsniff' package
• This could also be done with 'iptables'
SSL Spoofing
'webmitm' creates a Certificate and intercepts SSL handshakes
• Part of the 'dsniff' package
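The ARP request/reply exchange shown earlier and the arpspoof step above, from the defender's side, as an added example that is not part of the lecture: a Python detector that decodes ARP frames and flags the two things a constant stream of forged replies produces, replies nobody asked for and a gateway IP suddenly claimed by a second MAC. The gateway address and MAC are the lecture's; the client and attacker values and the frames themselves are constructed in memory for the test.

```python
import struct
ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame into (opcode, sender MAC, sender IP, target MAC, target IP)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None   # not ARP, or too short to hold a complete ARP packet
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None   # only Ethernet/IPv4 ARP is handled here
    mac = lambda b: "-".join("%02x" % x for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return oper, mac(frame[22:28]), ip(frame[28:32]), mac(frame[32:38]), ip(frame[38:42])

def detect_arp_spoofing(frames):
    """Alert on two signs of poisoning: a reply nobody asked for, and an IP claimed by two MACs."""
    bindings, pending, alerts = {}, set(), []   # ip -> first MAC; (asker ip, asked ip); findings
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        oper, sha, spa, tha, tpa = arp
        if oper == ARP_REQUEST:
            pending.add((spa, tpa))
        elif oper == ARP_REPLY:
            if (tpa, spa) in pending:
                pending.discard((tpa, spa))   # answers an outstanding request
            else:
                alerts.append("unsolicited reply: %s claims %s, sent to %s" % (sha, spa, tpa))
            first = bindings.setdefault(spa, sha)
            if first != sha:
                alerts.append("conflict: %s was %s, now claimed by %s" % (spa, first, sha))
    return alerts
# Constructed test frames (built in memory only; nothing is sent on the wire).
def _mac(s): return bytes.fromhex(s.replace("-", ""))
def _ip(s): return bytes(int(x) for x in s.split("."))
def _arp(oper, sha, spa, tha, tpa):
    eth_dst = tha if oper == ARP_REPLY else "ff-ff-ff-ff-ff-ff"   # requests are broadcast
    return (_mac(eth_dst) + _mac(sha) + struct.pack("!H", ETH_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))
GATEWAY_IP, GATEWAY_MAC = "192.168.2.1", "00-30-bd-02-ed-7b"   # the lecture's gateway
CLIENT_IP, CLIENT_MAC = "192.168.2.10", "00-11-22-33-44-55"     # constructed
ATTACKER_MAC = "00-de-ad-be-ef-01"                               # constructed
SAMPLE_FRAMES = [
    _arp(ARP_REQUEST, CLIENT_MAC, CLIENT_IP, "00-00-00-00-00-00", GATEWAY_IP),  # Who has 192.168.2.1?
    _arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),          # genuine reply
    _arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),         # poisoning reply
    _arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),         # repeated, as arpspoof does
]
```

On a real segment the same logic can be fed raw frames from a monitoring port; a genuine gateway change shows up as a single conflict, while a poisoning tool shows up as an unbroken stream of unsolicited replies.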
Limitations of the Attack
The SSL spoofing is not perfect
You can't actually log in and read email
• Internet Explorer sends your password to the hacker before giving up on the connection
• Firefox doesn't send your password to the hacker
Sources
Hacking videos from link l_15b
• How to decrypt SSL encrypted traffic using a man in the middle attack (Auditor).swf
• MITM Hijacking.wmv
SSL Handshake information from l_15a (cs.bham.ac.uk)
Last modified 5-11-09