
Page 1: Sam_Bowne

Chapter 1: Ethical Hacking Overview

CNIT 123 – Bowne Page 1 of 5

Objectives
• Describe the role of an ethical hacker
• Describe what you can do legally as an ethical hacker
• Describe what you cannot do as an ethical hacker

Introduction to Ethical Hacking

Ethical hackers
• Employed by companies to perform penetration tests

Penetration test
• Legal attempt to break into a company’s network to find its weakest link
• Tester only reports findings, does not solve problems

Security test
• More than an attempt to break in; also includes analyzing company’s security policy and procedures
• Tester offers solutions to secure or protect the network

The Role of Security and Penetration Testers
Hackers
• Access computer system or network without authorization
• Breaks the law; can go to prison

Crackers
• Break into systems to steal or destroy data
• U.S. Department of Justice calls both hackers

Ethical hacker
• Performs most of the same activities but with owner’s permission

The Role of Security and Penetration Testers
Script kiddies or packet monkeys
• Young inexperienced hackers
• Copy codes and techniques from knowledgeable hackers

Experienced penetration testers write programs or scripts using these languages
• Practical Extraction and Report Language (Perl), C, C++, Python, JavaScript, Visual Basic, SQL, and many others

Script
• Set of instructions that runs in sequence

It Takes Time to Become a Hacker
• This class alone won’t make you a hacker, or an expert; it might make you a script kiddie
• It usually takes years of study and experience to earn respect in the hacker community
• It’s a hobby, a lifestyle, and an attitude
• A drive to figure out how things work

The Role of Security and Penetration Testers
Tiger box
• Collection of OSs and hacking tools
• Usually on a laptop
• Helps penetration testers and security testers conduct vulnerability assessments and attacks

Penetration-Testing Methodologies
White box model
• Tester is told everything about the network topology and technology


• Network diagram
• Tester is authorized to interview IT personnel and company employees
• Makes tester’s job a little easier

Network Diagram
• From ratemynetworkdiagram.com (Link Ch 1g)
• This is a Floor Plan

Penetration-Testing Methodologies
Black box model
• Company staff does not know about the test
• Tester is not given details about the network
  ▪ Burden is on the tester to find these details
• Tests if security personnel are able to detect an attack

Penetration-Testing Methodologies
Gray box model
• Hybrid of the white and black box models
• Company gives tester partial information

Certification Programs for Network Security Personnel
Certification programs available in almost every area of network security
Basics:
• CompTIA Security+ (CNIT 120)
• Network+ (CNIT 106 or 201)


Take Certification Tests Here
CNIT is a Prometric Vue testing center
• Certification tests are given in S214
• CompTIA and Microsoft
• The next tests will be in the second week of April, right after Spring Break
  – Email [email protected] if you want to take a test

Certified Ethical Hacker (CEH)
• But see Run Away From The CEH Certification
• Link Ch 1e on my Web page

OSSTMM Professional Security Tester (OPST)
Designated by the Institute for Security and Open Methodologies (ISECOM)
• Uses the Open Source Security Testing Methodology Manual (OSSTMM)
• Test is only offered in Connecticut and outside the USA, as far as I can tell
• See links Ch 1f and Ch 1h on my Web page

Certified Information Systems Security Professional (CISSP)
Issued by the International Information Systems Security Certifications Consortium (ISC2)
Usually more concerned with policies and procedures than technical details
Web site
• www.isc2.org

SANS Institute
SysAdmin, Audit, Network, Security (SANS)
Offers certifications through Global Information Assurance Certification (GIAC)
Top 20 list
• One of the most popular SANS Institute documents
• Details the most common network exploits
• Suggests ways of correcting vulnerabilities
Web site www.sans.org (links Ch 1i & Ch 1j)

What You Can Do Legally
Laws involving technology change as rapidly as technology itself
Find what is legal for you locally
• Laws change from place to place
Be aware of what is allowed and what is not allowed

Laws of the Land
Tools on your computer might be illegal to possess
Contact local law enforcement agencies before installing hacking tools
Written words are open to interpretation
Governments are getting more serious about punishment for cybercrimes


Recent Hacking Cases

Is Port Scanning Legal?
Some states deem it legal
Not always the case
Federal Government does not see it as a violation
• Allows each state to address it separately
Read your ISP’s “Acceptable Use Policy”
• IRC “bots” may be forbidden
Program that sends automatic responses to users
Gives the appearance of a person being present

CCSF Computer Use Policy

Federal Laws
Federal computer crime laws are getting more specific
• Cover cybercrimes and intellectual property issues
Computer Hacking and Intellectual Property (CHIP)
• New government branch to address cybercrimes and intellectual property issues

What You Cannot Do Legally
Accessing a computer without permission is illegal
Other illegal actions
• Installing worms or viruses
• Denial of Service attacks
• Denying users access to network resources
Be careful your actions do not prevent customers from doing their jobs

Anti-Spam Vigilantes: Lycos
• Ch 1l1: Lycos starts anti-spam screensaver plan: Dec 2, 2004


• Ch 1l2: Lycos Pulls Anti-Spam 'Vigilante' Campaign -- Dec 3, 2004
• Ch 1l3: Lycos's Spam Attack Network Dismantled -- Spammers sent the DOS packets back to Lycos -- Dec 6, 2004

Anti-Spam Vigilantes: Blue Frog
• Ch 1m: Blue Frog begins its "vigilante approach" to fight spam -- July, 2005
• Ch 1n: Russian spammer fights back, claims to have stolen Blue Frog's database, sends threatening email -- DOS attack in progress -- May 2, 2006
• Ch 1o: Blue Frog compromised and destroyed by attacks, urgent instructions to uninstall it, the owners have lost control -- May 17, 2006

Anti-Spam Vigilantes: The Future
• Ch 1p: Call for help creating distributed, open-source Blue Frog replacement -- May 17, 2006
Not in textbook, see links on my page (samsclass.info)

Get It in Writing
Using a contract is just good business
Contracts may be useful in court
Books on working as an independent contractor
• The Computer Consultant’s Guide by Janet Ruhl
• Getting Started in Computer Consulting by Peter Meyer
Internet can also be a useful resource
Have an attorney read over your contract before sending or signing it

Ethical Hacking in a Nutshell
What it takes to be a security tester
• Knowledge of network and computer technology
• Ability to communicate with management and IT personnel
• Understanding of the laws
• Ability to use necessary tools

Last modified 1-20-07 0:12


Chapter 2: TCP/IP Concepts Review

Objectives
• Describe the TCP/IP protocol stack
• Explain the basic concepts of IP addressing
• Explain the binary, octal, and hexadecimal numbering system

Overview of TCP/IP Protocol
Common language used by computers for speaking
Transmission Control Protocol/Internet Protocol (TCP/IP)
• Most widely used protocol
TCP/IP stack
• Contains four different layers
  Network
  Internet
  Transport
  Application

The Application Layer
Front end to the lower-layer protocols
What you can see and touch – closest to the user at the keyboard
HTTP, FTP, SMTP, SNMP, SSH, IRC and TELNET all operate in the Application Layer

The Transport Layer
Encapsulates data into segments
Segments can use TCP or UDP to reach a destination host
TCP is a connection-oriented protocol
TCP three-way handshake
• Computer A sends a SYN packet
• Computer B replies with a SYN-ACK packet
• Computer A replies with an ACK packet


TCP Header Format

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

TCP Segment Headers
Critical components:
• TCP flags
• Initial Sequence Number (ISN)
• Source and destination port
Abused by hackers finding vulnerabilities

TCP Flags
Each flag occupies one bit
Can be set to 0 (off) or 1 (on)
Six flags
• SYN: synchronize (not synthesis) flag
• ACK: acknowledge flag
• PSH: push flag
• URG: urgent flag
• RST: reset flag
• FIN: finish flag
Error in textbook on page 22: SYNchronize, not SYNthesis (link Ch 2a, RFC 793)

Initial Sequence Number (ISN)
32-bit number
Tracks packets received
Enables reassembly of large packets
Sent on steps 1 and 2 of the TCP three-way handshake
By guessing ISN values, a hacker can hijack a TCP session, gaining access to a server without logging in
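As an added example (not from the slides), a small Python parser for the fixed TCP header shown above, run on a constructed 20-byte SYN segment: it pulls out the ports, sequence number (the client's ISN) and flag bits, names the segment's step in the three-way handshake, and builds the matching SYN-ACK so the relationship between the ISN and the acknowledgment number is visible. The port and sequence values are made up.

```python
import struct

# Fixed TCP header layout from RFC 793: ports (2+2), seq (4), ack (4),
# data offset/reserved (1), flags (1), window (2), checksum (2), urgent pointer (2).
HEADER_FMT = "!HHIIBBHHH"

# Flag bit positions within the flags byte (URG is the high bit of the six).
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08,
             "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

# Constructed SYN segment: client port 49152 -> server port 80, client ISN 0x12345678,
# no options (data offset 5 words = 20 bytes), checksum left at 0 for the example.
SAMPLE_SYN = struct.pack(HEADER_FMT, 49152, 80, 0x12345678, 0,
                         5 << 4, FLAG_BITS["SYN"], 65535, 0, 0)


def parse_tcp_header(raw):
    """Parse a TCP header into a dict; raises ValueError on truncated or inconsistent input."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes, got %d" % len(raw))
    (sport, dport, seq, ack, off_res, flags,
     window, checksum, urg) = struct.unpack(HEADER_FMT, raw[:20])
    header_len = (off_res >> 4) * 4          # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(raw):
        raise ValueError("data offset %d bytes is inconsistent with segment" % header_len)
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "window": window, "checksum": checksum, "urgent_ptr": urg,
        "options": raw[20:header_len],
    }


def handshake_step(flags):
    """Name the segment's place in the three-way handshake from its flag set."""
    flagset = set(flags)
    if flagset == {"SYN"}:
        return "1: SYN"
    if flagset == {"SYN", "ACK"}:
        return "2: SYN-ACK"
    if flagset == {"ACK"}:
        return "3: ACK"
    return "not a handshake segment"


def build_syn_ack(syn, server_isn):
    """Server's reply to a parsed SYN: ports swapped, own ISN, ack = client ISN + 1 (mod 2^32)."""
    return struct.pack(HEADER_FMT, syn["dst_port"], syn["src_port"],
                       server_isn, (syn["seq"] + 1) & 0xFFFFFFFF,
                       5 << 4, FLAG_BITS["SYN"] | FLAG_BITS["ACK"], 65535, 0, 0)


if __name__ == "__main__":
    client_syn = parse_tcp_header(SAMPLE_SYN)
    print(handshake_step(client_syn["flags"]), client_syn)
    reply = parse_tcp_header(build_syn_ack(client_syn, 0xCAFEBABE))
    print(handshake_step(reply["flags"]), reply)
```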


TCP Ports
Port
• Logical, not physical, component of a TCP connection
• Identifies the service that is running
• Example: HTTP uses port 80
A 16-bit number – 65,536 ports
Each TCP packet has a source and destination port

Blocking Ports
Helps you stop or disable services that are not needed
Open ports are an invitation for an attack
You can’t block all the ports
• That would stop all networking
At a minimum, ports 25 and 80 are usually open on a server, so it can send out Email and Web pages

Only the first 1023 ports are considered well-known
List of well-known ports
• Available at the Internet Assigned Numbers Authority (IANA) Web site (www.iana.org)

Ports 20 and 21
• File Transfer Protocol (FTP)
• Use for sharing files over the Internet
• Requires a logon name and password
• More secure than Trivial File Transfer Protocol (TFTP)

Port 25
• Simple Mail Transfer Protocol (SMTP)
• E-mail servers listen on this port

Port 53
• Domain Name Service (DNS)
• Helps users connect to Web sites using URLs instead of IP addresses

Port 69
• Trivial File Transfer Protocol
• Used for transferring router configurations

Port 80
• Hypertext Transfer Protocol (HTTP)
• Used when connecting to a Web server

Port 110
• Post Office Protocol 3 (POP3)
• Used for retrieving e-mail

Port 119
• Network News Transfer Protocol
• For use with newsgroups

Port 135
• Remote Procedure Call (RPC)
• Critical for the operation of Microsoft Exchange Server and Active Directory

Port 139
• NetBIOS
• Used by Microsoft’s NetBIOS Session Service
• File and printer sharing

Port 143
• Internet Message Access Protocol 4 (IMAP4)
• Used for retrieving e-mail
• More features than POP3


Demonstration
Telnet to hills.ccsf.edu and netstat to see the connections
• Port 23 (usual Telnet)
• Port 25 blocked off campus, but 110 connects
• Port 21 works, but needs a username and password

Demonstration
Wireshark Packet Sniffer
• TCP Handshake: SYN, SYN/ACK, ACK
• TCP Ports
• TCP Status Flags


User Datagram Protocol (UDP)
Fast but unreliable protocol
Operates on transport layer
Does not need to verify whether the receiver is listening
Higher layers of the TCP/IP stack handle reliability problems
Connectionless protocol

The Internet Layer
Responsible for routing packets to their destination address
Uses a logical address, called an IP address
IP addressing packet delivery is connectionless

Internet Control Message Protocol (ICMP)
Operates in the Internet layer of the TCP/IP stack
Used to send messages related to network operations
Helps in troubleshooting a network
Some commands include
• Ping
• Traceroute

Wireshark Capture of a PING

Warriors of the Net
Network+ Movie
Warriorsofthe.net (link Ch 2d)

IP Addressing
Consists of four bytes, like 147.144.20.1
Two components
• Network address
• Host address
Neither portion may be all 1s or all 0s
Classes
• Class A
• Class B
• Class C


Class A
• First byte is reserved for network address
• Last three bytes are for host address
• Supports more than 16 million host computers
• Limited number of Class A networks
• Reserved for large corporations and governments (see link Ch 2b)
• Format: network.node.node.node

Class B
• First two bytes are reserved for network address
• Last two bytes are for host address
• Supports more than 65,000 host computers
• Assigned to large corporations and Internet Service Providers (ISPs)
• Format: network.network.node.node
• CCSF has 147.144.0.0 – 147.144.255.255

Class C
• First three bytes are reserved for network address
• Last byte is for host address
• Supports up to 254 host computers
• Usually available for small business and home networks
• Format: network.network.network.node

Subnetting
Each network can be assigned a subnet mask
Helps identify the network address bits from the host address bits
• Class A uses a subnet mask of 255.0.0.0, also called /8
• Class B uses a subnet mask of 255.255.0.0, also called /16
• Class C uses a subnet mask of 255.255.255.0, also called /24

Planning IP Address Assignments
Each network segment must have a unique network address
Address cannot contain all 0s or all 1s
To access computers on other networks
• Each computer needs IP address of gateway
TCP/IP uses subnet mask to determine if the destination computer is on the same network or a different network
• If destination is on a different network, it relays packet to gateway
• Gateway forwards packet to its next destination (routing)
• Packet eventually reaches destination
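As an added example (not part of the slides), the following Python works the subnet-mask decision above by hand: it builds the /8, /16 and /24 masks, ANDs an address with its mask to get the network address, rejects host portions of all 0s or all 1s, and decides whether a packet from the CCSF address 147.144.20.1 is delivered directly or handed to the gateway. The gateway 147.144.0.1 and the destination addresses are constructed for the example.

```python
# Classful default mask lengths by first byte, as on the Class A/B/C slides.
CLASS_RANGES = ((0, 127, 8), (128, 191, 16), (192, 223, 24))


def parse_ipv4(dotted):
    """'147.144.20.1' -> 32-bit integer; rejects anything that is not four bytes 0..255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("expected four dotted bytes: %r" % dotted)
    value = 0
    for part in parts:
        byte = int(part)
        if not 0 <= byte <= 255:
            raise ValueError("byte out of range in %r" % dotted)
        value = (value << 8) | byte
    return value


def to_dotted(value):
    """32-bit integer -> dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix_len):
    """/8 -> 255.0.0.0, /16 -> 255.255.0.0, /24 -> 255.255.255.0: prefix_len leading 1 bits."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def classful_prefix(addr):
    """Default prefix length for a Class A, B or C address."""
    first = addr >> 24
    for low, high, prefix in CLASS_RANGES:
        if low <= first <= high:
            return prefix
    raise ValueError("%s is not a Class A, B or C address" % to_dotted(addr))


def split_address(addr, mask):
    """Return (network address, host portion): the mask's 1 bits select the network."""
    return addr & mask, addr & ~mask & 0xFFFFFFFF


def valid_host(addr, mask):
    """Host portion may be neither all 0s (the network address) nor all 1s (broadcast)."""
    _, host = split_address(addr, mask)
    return host != 0 and host != (~mask & 0xFFFFFFFF)


def next_hop(src, dst, prefix_len, gateway):
    """Same network under the mask -> deliver directly; otherwise hand the packet to the gateway."""
    mask = mask_from_prefix(prefix_len)
    if split_address(src, mask)[0] == split_address(dst, mask)[0]:
        return "direct"
    return to_dotted(gateway)


if __name__ == "__main__":
    # Constructed example: a CCSF host in 147.144.0.0/16 with an assumed gateway of 147.144.0.1.
    host = parse_ipv4("147.144.20.1")
    gw = parse_ipv4("147.144.0.1")
    prefix = classful_prefix(host)
    print("class B -> /%d, mask %s" % (prefix, to_dotted(mask_from_prefix(prefix))))
    print("network:", to_dotted(split_address(host, mask_from_prefix(prefix))[0]))
    print("to 147.144.200.7:", next_hop(host, parse_ipv4("147.144.200.7"), prefix, gw))
    print("to 18.7.22.69:", next_hop(host, parse_ipv4("18.7.22.69"), prefix, gw))
```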

Overview of Numbering Systems
• Binary
• Octal
• Hexadecimal

Reviewing the Binary Numbering System
Uses the number 2 as its base
Binary digits (bits): 0 and 1
Byte
• Group of 8 bits
• Can represent 2^8 = 256 different values

UNIX and Linux Permissions
UNIX and Linux file permissions are represented with bits


• 0 means removing the permission
• 1 means granting the permission
• 111 (rwx) means all permissions apply

Examples of Determining Binary Values
Each position represents a power of 2 value
Usually the bit on the right is the least significant bit
Converting 1011 to decimal
• 1 x 2^0 = 1
• 1 x 2^1 = 2
• 0 x 2^2 = 0
• 1 x 2^3 = 8
• 1 + 2 + 8 = 11 (decimal value)

Understanding Nibbles
Half a byte or four bits
Helps with reading the number by separating the byte
• 1111 1010
Components
• High-order nibble (left side)
• Low-order nibble (right side)

Understanding Nibbles (continued)
Converting 1010 1010 to decimal
• Low-order nibble: 1010 = 10 (base 10)
• Multiply high-order nibble by 16: 1010 = 10 x 16 = 160 (base 10)
• 160 + 10 = 170 (base 10)

Reviewing the Octal Numbering System
Uses 8 as its base
Supports digits from 0 to 7
Octal digits can be represented with three bits
Permissions on UNIX
• Owner permissions (rwx)
• Group permissions (rwx)
• Other permissions (rwx)
• Example: 111 101 001
• Octal representation 751

Reviewing the Hexadecimal Numbering System
Uses 16 as its base
Supports numbers from 0 to 15
Hex number consists of two characters
• Each character represents a nibble
Value contains alphabetic letters (A … F)
• A representing 10 and F representing 15
Sometimes expressed with “0x” in front
If you want more about binary, see Link Ch 2c
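As an added example (not from the slides), this Python carries the conversions above through in code: binary to decimal by powers of two, a byte split into its high and low nibbles (170 and 0xFA from the slides' bytes), and the UNIX permission triplets turned into octal digits and rwx letters (111 101 001 is 751 is rwxr-x--x), with the reverse direction from octal back to bits.

```python
HEX_DIGITS = "0123456789ABCDEF"


def binary_to_decimal(bits):
    """Each position is a power of 2, rightmost being 2^0: '1011' -> 1 + 2 + 0 + 8 = 11."""
    if not bits or any(b not in "01" for b in bits):
        raise ValueError("binary string must be non-empty and contain only 0 and 1: %r" % bits)
    total = 0
    for position, bit in enumerate(reversed(bits)):
        total += int(bit) * 2 ** position
    return total


def split_nibbles(byte_bits):
    """Split an 8-bit string (spaces allowed) into (high-order nibble, low-order nibble)."""
    byte_bits = byte_bits.replace(" ", "")
    if len(byte_bits) != 8:
        raise ValueError("a byte is exactly 8 bits: %r" % byte_bits)
    return byte_bits[:4], byte_bits[4:]


def byte_via_nibbles(byte_bits):
    """Value of a byte as high nibble * 16 + low nibble: '1010 1010' -> 160 + 10 = 170."""
    high, low = split_nibbles(byte_bits)
    return binary_to_decimal(high) * 16 + binary_to_decimal(low)


def byte_to_hex(byte_bits):
    """One hex character per nibble, with the 0x prefix: '1111 1010' -> '0xFA'."""
    high, low = split_nibbles(byte_bits)
    return "0x" + HEX_DIGITS[binary_to_decimal(high)] + HEX_DIGITS[binary_to_decimal(low)]


def _nine_bits(bits):
    bits = bits.replace(" ", "")
    if len(bits) != 9 or any(b not in "01" for b in bits):
        raise ValueError("expected 9 permission bits (rwx rwx rwx): %r" % bits)
    return bits


def permission_bits_to_octal(bits):
    """Owner, group and other triplets each become one octal digit: '111 101 001' -> '751'."""
    bits = _nine_bits(bits)
    return "".join(str(binary_to_decimal(bits[i:i + 3])) for i in (0, 3, 6))


def permission_bits_to_rwx(bits):
    """A 1 grants the permission, a 0 removes it: '111 101 001' -> 'rwxr-x--x'."""
    bits = _nine_bits(bits)
    return "".join(letter if bit == "1" else "-" for bit, letter in zip(bits, "rwx" * 3))


def octal_to_permission_bits(octal):
    """Reverse of the above; each octal digit is exactly three bits: '751' -> '111 101 001'."""
    if len(octal) != 3 or any(d not in "01234567" for d in octal):
        raise ValueError("expected three octal digits: %r" % octal)
    return " ".join(format(int(d), "03b") for d in octal)


if __name__ == "__main__":
    print(binary_to_decimal("1011"), byte_via_nibbles("1010 1010"), byte_to_hex("1111 1010"))
    print(permission_bits_to_octal("111 101 001"), permission_bits_to_rwx("111 101 001"))
    print(octal_to_permission_bits("751"))
```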

Last modified 1-26-07 10 pm


Chapter 3: Network and Computer Attacks

Objectives
• Describe the different types of malicious software
• Describe methods of protecting against malware attacks
• Describe the types of network attacks
• Identify physical security attacks and vulnerabilities

Malicious Software (Malware)
Network attacks prevent a business from operating
Malicious software (Malware) includes
• Virus
• Worms
• Trojan horses
Goals
• Destroy data
• Corrupt data
• Shutdown a network or system

Viruses
Virus attaches itself to an executable file
Can replicate itself through an executable program
Needs a host program to replicate
No foolproof method of preventing them

Antivirus Software
Detects and removes viruses
Detection based on virus signatures
Must update signature database periodically
Use automatic update feature

Base 64 Encoding
Used to evade anti-spam tools, and to obscure passwords
Encodes six bits at a time (0 – 64) with a single ASCII character
• A - Z: 0 – 25
• a – z: 26 – 51
• 1 – 9: 52 – 61
• + and - 62 and 63
See links Ch 3a, 3b

Viruses (continued)
Commercial base 64 decoders

Shell
• Executable piece of programming code
• Should not appear in an e-mail attachment
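As an added example (not from the slides), this Python encodes and decodes Base 64 six bits at a time the way the Base 64 Encoding slide describes, using the standard alphabet from RFC 4648 (A to Z, a to z, then the digits 0 to 9 for 52 to 61, and + and / for 62 and 63); the decoder rejects malformed input instead of guessing, and a small triage helper flags strings that have the shape of Base 64 in text an analyst is inspecting. The sample inputs are constructed.

```python
import base64  # standard library, used only to cross-check the hand-rolled encoder

# The 64-character alphabet from RFC 4648: values 0-25 A-Z, 26-51 a-z, 52-61 0-9, 62 '+', 63 '/'.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode_manual(data):
    """Encode bytes six bits at a time; '=' pads the last group when len(data) % 3 != 0."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # 3 bytes = 24 bits = four 6-bit groups; a short final chunk is zero-filled on the right
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        groups = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        n_chars = len(chunk) + 1            # 1 byte -> 2 chars, 2 -> 3, 3 -> 4
        out.append("".join(ALPHABET[g] for g in groups[:n_chars]) + "=" * (4 - n_chars))
    return "".join(out)


def b64decode_manual(text):
    """Decode, rejecting bad length, bad padding or characters outside the alphabet."""
    if not text or len(text) % 4:
        raise ValueError("base64 text length must be a positive multiple of 4")
    body = text.rstrip("=")
    if len(text) - len(body) > 2 or "=" in body:
        raise ValueError("bad padding in %r" % text)
    out = bytearray()
    for i in range(0, len(body), 4):
        quad = body[i:i + 4]
        try:
            values = [ALPHABET.index(c) for c in quad]
        except ValueError:
            raise ValueError("character outside the base64 alphabet in %r" % quad)
        bits = 0
        for v in values + [0] * (4 - len(quad)):
            bits = (bits << 6) | v
        out += bits.to_bytes(3, "big")[:len(quad) - 1]   # 4 chars -> 3 bytes, 3 -> 2, 2 -> 1
    return bytes(out)


def looks_like_base64(text):
    """Triage helper: True when text has the shape of a base64 string (alphabet, length, padding)."""
    if len(text) < 8 or len(text) % 4:
        return False
    body = text.rstrip("=")
    return len(text) - len(body) <= 2 and all(c in ALPHABET for c in body)


if __name__ == "__main__":
    # Constructed samples; "hunter2" is a made-up value, not a real credential.
    for sample in (b"Man", b"Ma", b"M", b"hunter2"):
        encoded = b64encode_manual(sample)
        assert encoded == base64.b64encode(sample).decode("ascii")
        print(sample, "->", encoded, "->", b64decode_manual(encoded))
```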


Macro Viruses
Virus encoded as a macro
Macro
• Lists of commands
• Can be used in destructive ways
Example: Melissa
• Appeared in 1999
• It is very simple – see link Ch 3c for source code

Writing Viruses
Even nonprogrammers can create macro viruses
• Instructions posted on Web sites
• Virus creation kits available for download (see link Ch 3d)
Security professionals can learn from thinking like attackers
But don’t create and release a virus! People get long prison terms for that.

Worms
Worm
• Replicates and propagates without a host
Infamous examples
• Code Red
• Nimda
Can infect every computer in the world in a short time
• At least in theory

ATM Machine Worms
Cyberattacks against ATM machines
• Slammer and Nachi worms
• Trend produces antivirus for ATM machines
• See links Ch 3g, 3h, 3i
Nachi was written to clean up damage caused by the Blaster worm, but it got out of control
• See link Ch 3j
Diebold was criticized for using Windows for ATM machines, which they also use on voting machines


Trojan Programs
Insidious attack against networks
Disguise themselves as useful programs
Hide malicious content in program
• Backdoors
• Rootkits
Allow attackers remote access

Firewalls
Identify traffic on uncommon ports
Can block this type of attack, if your firewall filters outgoing traffic
• Windows XP SP2’s firewall does not filter outgoing traffic
• Vista’s firewall doesn’t either (by default), according to links Ch 3l and 3m
Trojan programs can use known ports to get through firewalls
• HTTP (TCP 80) or DNS (UDP 53)

Trojan Demonstration
Make a file with command-line Windows commands
Save it as C:\Documents and Settings\username\cmd.bat
Start, Run, CMD will execute this file instead of C:\Windows\System32\Cmd.exe

Improved Trojan
Resets the administrator password
Almost invisible to user
Works in Win XP, but not so easy in Vista


Spyware
Sends information from the infected computer to the attacker
• Confidential financial data
• Passwords
• PINs
• Any other stored data
Can register each keystroke entered (keylogger)
Prevalent technology
Educate users about spyware

Deceptive Dialog Box

Adware
Similar to spyware
Can be installed without the user being aware
Sometimes displays a banner
Main goal
• Determine user’s online purchasing habits
• Tailored advertisement
Main problem
• Slows down computers

Protecting Against Malware Attacks
Difficult task
New viruses, worms, Trojan programs appear daily
Antivirus programs offer a lot of protection
Educate your users about these types of attacks

Educating Your Users
Structural training
• Most effective measure
• Includes all employees and management
E-mail monthly security updates
• Simple but effective training method
Update virus signature database automatically
SpyBot and Ad-Aware
• Help protect against spyware and adware
• Windows Defender is excellent too
Firewalls
• Hardware (enterprise solution)
• Software (personal solution)
• Can be combined
Intrusion Detection System (IDS)
• Monitors your network 24/7

FUD
Fear, Uncertainty and Doubt
Avoid scaring users into complying with security measures
• Sometimes used by unethical security testers
• Against the OSSTMM’s Rules of Engagement
Promote awareness rather than instilling fear
• Users should be aware of potential threats
• Build on users’ knowledge


Intruder Attacks on Networks and Computers
Attack
• Any attempt by an unauthorized person to access or use network resources
Network security
• Security of computers and other devices in a network
Computer security
• Securing a standalone computer -- not part of a network infrastructure
Computer crime
• Fastest growing type of crime worldwide

Denial-of-Service Attacks
Denial-of-Service (DoS) attack
• Prevents legitimate users from accessing network resources
• Some forms do not involve computers, like feeding a paper loop through a fax machine
DoS attacks do not attempt to access information
• Cripple the network
• Make it vulnerable to other types of attacks

Testing for DoS Vulnerabilities
Performing an attack yourself is not wise
You only need to prove that an attack could be carried out

Distributed Denial-of-Service Attacks
Attack on a host from multiple servers or workstations
Network could be flooded with billions of requests
• Loss of bandwidth
• Degradation or loss of speed
Often participants are not aware they are part of the attack
Attacking computers could be controlled using Trojan programs

Buffer Overflow Attacks
Vulnerability in poorly written code
Code does not check predefined size of input field
Goal
• Fill overflow buffer with executable code
• OS executes this code
• Can elevate attacker’s permission to Administrator or even Kernel
Programmers need special training to write secure code


Ping of Death Attacks
Type of DoS attack
Not as common as during the late 1990s
How it works
• Attacker creates a large ICMP packet
  More than 65,535 bytes
• Large packet is fragmented at source network
• Destination network reassembles large packet
• Destination point cannot handle oversize packet and crashes
Modern systems are protected from this (Link Ch 3n)

Session Hijacking
Enables attacker to join a TCP session
Attacker makes both parties think he or she is the other party

Addressing Physical Security
Protecting a network also requires physical security
Inside attacks are more likely than attacks from outside the company

Keyloggers
Used to capture keystrokes on a computer
• Hardware
• Software
Software
• Behaves like Trojan programs
Hardware
• Easy to install
• Goes between the keyboard and the CPU
• KeyKatcher and KeyGhost
Protection
• Software-based: Antivirus
• Hardware-based: Random visual tests, look for added hardware, superglue keyboard connectors in

Behind Locked Doors
Lock up your servers
• Physical access means they can hack in
• Consider Ophcrack – booting to a CD-based OS will bypass almost any security

Lockpicking
Average person can pick deadbolt locks in less than five minutes
• After only a week or two of practice
Experienced hackers can pick deadbolt locks in under 30 seconds
Bump keys are even easier (Link Ch 3o)

Card Reader Locks
Keep a log of who enters and leaves the room
Security cards can be used instead of keys for better security
Image from link Ch 3p

Last modified 2-2-07 3 pm


Chapter 4: Footprinting and Social Engineering

Objectives
• Footprinting
• Describe DNS zone transfers
• Identify the types of social engineering

Footprinting

Using Web Tools for Footprinting
“Case the joint”
• Look over the location
• Find weakness in security systems
• Types of locks, alarms
In computer jargon, this is called footprinting
• Discover information about
  The organization
  Its network

Conducting Competitive Intelligence
Numerous resources to find information legally
Competitive Intelligence
• Gathering information using technology
Identify methods others can use to find information about your organization
Limit amount of information company makes public


Analyzing a Company’s Web Site
Web pages are an easy source of information

Setting Proxy Server
Many tools available
Paros
• Powerful tool for UNIX and Windows
• www.parosproxy.org
• Requires having Java J2SE installed (www.sun.com)
Paros
• Start Paros
• Set proxy server in a browser
• Then go to a site in the browser
  mtsconsulting.net is a good test
• Analyze -> Spider to find all the pages

Setting a Proxy Server in Firefox
• Tools
• Options
• Advanced
• Settings
Then go to mtjconsulting.com

Spider Results
In Paros:
• Analyze
• Spider
Finds all the pages in a site
Don’t scan any sites without permission! Only mtjconsulting.com

Scan Results
In Paros:
• Analyze
• Scan
Finds security risks in a site
Again, don’t scan sites without permission!


Using Other Footprinting Tools
Whois
• Commonly used tool
• Gathers IP address and domain information
• Attackers can also use it
Host command
• Can look up one IP address, or the whole DNS Zone file
  All the servers in the domain

ARIN Whois from Linux host
mit.edu
nc whois.arin.net 43
18.7.22.69
This shows registration information for the domain

SamSpade
• GUI tool
• Available for UNIX and Windows
• Easy to use


Using E-mail Addresses
E-mail addresses help you retrieve even more information than the previous commands
Find e-mail address format
• Guess other employees’ e-mail accounts
Tool to find corporate employee information
• Groups.google.com

Using HTTP Basics
HTTP operates on port 80
Use HTTP language to pull information from a Web server
Basic understanding of HTTP is beneficial for security testers
Return codes
• Reveal information about server OS


HTTP methods
• GET / HTTP/1.1 is the most basic method
• Can determine information about server OS from the server’s generated output
Activity 4-3 in your book does not work

Using Netcat as a Browser
Use Ubuntu Linux
nc www.ccsf.edu 80
HEAD / HTTP/1.0
• Gets header
GET / HTTP/1.0
• Gets whole Web page
• Open www.ccsf.edu in a browser and compare to source code

Cookies and Web Bugs
Cookie
• Text file generated by a Web server
• Stored on a user’s browser
• Information sent back to Web server when user returns
• Used to customize Web pages
• Some cookies store personal information
• Security issue

Viewing Cookies
• In Firefox: Tools, Options, Privacy tab, Show Cookies

Web bug
• 1-pixel x 1-pixel image file (usually transparent)
• Referenced in an <IMG> tag
• Usually works with a cookie
• Purpose similar to that of spyware and adware in data collection
• Comes from third-party companies specializing

Detecting Cookies and Web Bugs


Web Bug Detector 1.0
• Firefox experimental add-in program that warns you about Web bugs
• Bugnosis is gone
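As an added example (not the slide's Web Bug Detector add-in or any of its code), a small Python detector in the spirit of that tool: it parses a constructed HTML fragment with the standard library, collects every <IMG> tag, and reports the ones that are 1x1 pixels and fetched from a host other than the page's own, which is the web-bug pattern described above. All host names in the sample are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page fragment, imagined as served from www.example.com (placeholder hosts throughout).
# Only the two tiny images fetched from other hosts fit the web-bug pattern; the logo is an
# ordinary image and the same-site spacer is not a third-party beacon.
SAMPLE_HTML = """<html><body>
<img src="/images/logo.png" width="120" height="40" alt="logo">
<img src="/images/spacer.gif" width="1" height="1">
<img src="http://tracker.example.net/pixel.gif?user=4821" width="1" height="1" style="display:none">
<img src="https://cdn.adnet.example/beacon.gif" width=1 height=1>
</body></html>"""


class ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag (html.parser lower-cases names for us)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: (value or "") for name, value in attrs})


def is_tiny(attrs):
    """True only when width and height are both declared and no larger than 1 pixel."""
    try:
        width, height = int(attrs["width"]), int(attrs["height"])
    except (KeyError, ValueError):
        return False
    return width <= 1 and height <= 1


def find_web_bugs(html, page_host):
    """Return (src, host) for every 1x1 image loaded from a host other than the page's own."""
    collector = ImgCollector()
    collector.feed(html)
    collector.close()
    bugs = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host   # relative URL -> same host as the page
        if is_tiny(attrs) and host.lower() != page_host.lower():
            bugs.append((src, host))
    return bugs


if __name__ == "__main__":
    for src, host in find_web_bugs(SAMPLE_HTML, "www.example.com"):
        print("web bug from %s: %s" % (host, src))
```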

Using Domain Name Service (DNS) Zone Transfers
DNS
• Resolves host names to IP addresses
• People prefer using URLs to IP addresses
• Extremely vulnerable
Zone Transfer tools
• Dig
• Host

Primary DNS Server
Determining company’s primary DNS server
• Look for the Start of Authority (SOA) record
• Shows zones or IP addresses
Using dig to find the SOA
dig soa mit.edu
Shows three servers, with IP addresses
This is a start at mapping the MIT network

Using (DNS) Zone Transfers
Zone Transfer
• Enables you to see all hosts on a network
• Gives you organization’s network diagram
MIT has protected their network – zone transfers no longer work
dig @BITSY.mit.edu mit.edu axfr
Command fails now


Introduction to Social Engineering
Older than computers
Targets the human component of a network
Goals
• Obtain confidential information (passwords)
• Obtain personal information
Tactics
• Persuasion
• Intimidation
• Coercion
• Extortion/blackmailing
The biggest security threat to networks
Most difficult to protect against
Main idea:
• “Why crack a password when you can simply ask for it?”
• Users divulge their passwords to IT personnel
Studies human behavior
• Recognize personality traits
• Understand how to read body language
Techniques
• Urgency
• Quid pro quo
• Status quo
• Kindness
• Position

Preventing Social Engineering
Train users not to reveal any information to outsiders
Verify caller identity
• Ask questions
• Call back to confirm
Security drills

The Art of Shoulder Surfing
Shoulder surfer
• Reads what users enter on keyboards
  Logon names
  Passwords
  PINs
Tools for Shoulder Surfing
• Binoculars or telescopes or cameras in cell phones
• Knowledge of key positions and typing techniques
• Knowledge of popular letter substitutions
  s equals $, a equals @
Prevention
• Avoid typing when someone is nearby
• Avoid typing when someone nearby is talking on cell phone
• Computer monitors should face away from door or cubicle entryway
• Immediately change password if you suspect someone is observing you


Dumpster Diving
Attacker finds information in the victim's trash
• Discarded computer manuals, with notes or passwords written in them • Telephone directories • Calendars with schedules • Financial reports • Interoffice memos • Company policy • Utility bills • Resumes of employees
Prevention • Educate your users about dumpster diving • Proper trash disposal • Use “disk shredder” software to erase disks before discarding them (the software overwrites the disk with random bits, at least seven times) • Discard computer manuals offsite • Shred documents before disposal

The Art of Piggybacking
Trailing closely behind an employee cleared to enter restricted areas. How it works:
• Watch authorized personnel enter an area • Quickly join them at the security entrance • Exploit the desire of others to be polite and helpful • Attacker wears a fake badge or security card
Prevention • Use turnstiles • Train personnel to report the presence of strangers • Do not hold secured doors for anyone, even for people you know • All employees must use secure cards

Last modified 2-23-09


Chapter 5: Port Scanning

Objectives

Describe port scanning • Describe different types of port scans • Describe various port-scanning tools • Explain what ping sweeps are used for • Explain how shell scripting is used to automate security tasks

Introduction to Port Scanning

Port Scanning • Finds out which services are offered by a host • Identifies vulnerabilities
Open services can be used in attacks • Identify a vulnerable port • Launch an exploit
Scan all ports when testing • Not just well-known ports


AW Security Port Scanner • A commercial tool to identify vulnerabilities
Port scanning programs report • Open ports • Closed ports • Filtered ports • Best-guess assessment of which OS is running

Is Port Scanning Legal? The legal status of port scanning is unclear • If you have permission, it's legal • If you cause damage of $5,000 or more, it may be illegal • For more, see links Ch 5a and Ch 5b

Types of Port Scans

Normal TCP Handshake
• Client → Server: SYN
• Server → Client: SYN/ACK
• Client → Server: ACK
• After this, you are ready to send data


SYN Port Scan
• Client → Server: SYN
• Server → Client: SYN/ACK
• Client → Server: RST
• The server is ready, but the client decided not to complete the handshake

SYN scan • Stealthy scan, because session handshakes are never completed • That keeps it out of some log files • Three states:
Closed: RST response from server
Open: SYN/ACK response from server; client then sends RST
Filtered: no response from server

Connect scan • Completes the three-way handshake • Not stealthy: appears in log files • Three states:
Closed: RST response from server
Open: SYN/ACK response from server; client sends ACK, then client sends RST
Filtered: no response from server

NULL scan • All the packet flags are turned off • Two results:
Closed ports reply with RST
Open or filtered ports give no response

XMAS scan • FIN, PSH and URG flags are set • Works like a NULL scan: a closed port responds with an RST packet

FIN scan • Only the FIN flag is set • Closed port responds with an RST packet


Windows Machines
NULL, XMAS and FIN scans don't work on Windows machines • Win 2000 Pro and Win Server 2003 show all ports closed • Win XP Pro shows all ports open/filtered • See the NMAP tutorial (link Ch 5c)

Ping scan • Simplest method sends an ICMP ECHO REQUEST to the destination(s) • TCP Ping sends a SYN or ACK to any port (default is port 80 for Nmap) • Any response, SYN/ACK or RST, shows the target is up

ACK scan • Used to get information about a firewall • Stateful firewalls track connections and block unsolicited ACK packets • Stateless firewalls just block incoming SYN packets, so you get a RST response

UDP scan • Closed port responds with an ICMP “Port Unreachable” message • Open ports usually send nothing back, so a silent port is only "open or filtered" • Slow and ambiguous, so rarely used
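The added example below is not from the notes; it implements the scan states just described with ordinary sockets, so it needs no raw packets or root. A connect scan is literally a `connect()` call: success means the server answered SYN/ACK (open), ECONNREFUSED means it answered RST (closed), and silence until the timeout means filtered. The same call gives the "TCP ping" mentioned above, since both open and closed prove the host is up. The UDP probe shows the ICMP Port Unreachable behaviour: on a connected UDP socket the kernel reports it as ECONNREFUSED. SYN, NULL, XMAS and FIN scans need raw packets and are left to Nmap. A local listener is started so the scan has an open port to hit offline; all host/port values are for the demo.

```python
"""Connect scan, TCP ping and UDP probe with plain sockets.

Added example, not from the CNIT 123 notes. The listener and the
'closed' port are created locally so it runs offline.
"""
import socket


def start_listener(host="127.0.0.1"):
    """Listen on an ephemeral port (the demo's 'open' port). Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)            # the kernel completes handshakes; accept() is not needed
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Pick a port nothing listens on (the demo's 'closed' port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def tcp_state(host, port, timeout=1.0):
    """Classify one TCP port the way a connect scan does.
    open:     handshake completed (server sent SYN/ACK, we sent ACK)
    closed:   server answered RST, surfaced as ECONNREFUSED
    filtered: nothing came back (SYN dropped) or ICMP unreachable arrived"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError, OSError):
        return "filtered"
    finally:
        s.close()            # sends FIN/RST; a real SYN scan would never get this far


def connect_scan(host, ports, timeout=1.0):
    """Scan a list of ports; returns {port: state}."""
    return {p: tcp_state(host, p, timeout) for p in ports}


def tcp_ping(host, port=80, timeout=1.0):
    """TCP ping: SYN/ACK (open) and RST (closed) both prove the host is up."""
    return tcp_state(host, port, timeout) in ("open", "closed")


def udp_state(host, port, timeout=1.0):
    """UDP probe. A closed port answers ICMP Port Unreachable, which a connected
    UDP socket reports as ECONNREFUSED; silence is the ambiguous open|filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"\x00")
        s.recv(1)            # only an actual reply from the service lands here
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "open|filtered"
    finally:
        s.close()


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    print("host up (TCP ping on a closed port):", tcp_ping("127.0.0.1", closed_port))
    print("udp", closed_port, "->", udp_state("127.0.0.1", closed_port))
    srv.close()
```

Because `connect()` completes the handshake, every open port you touch this way shows up in the target's logs as an accepted connection, which is exactly why the notes call the connect scan "not stealthy".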

Using Port-Scanning Tools

Nmap • Unicornscan • NetScanTools Pro 2004 • Nessus

Nmap • Originally written for Phrack magazine • One of the most popular tools • GUI versions: Xnmap and Ubuntu's NmapFE • Open source tool • Standard tool for security professionals • In The Matrix Reloaded, Trinity uses Nmap (video at link Ch 4e)

Unicornscan • Developed in 2004 for Linux & UNIX only • Ideal for large networks • Scans 65,535 ports in three to seven seconds • Optimizes UDP scanning • Also can use TCP, ICMP, or IP • Free from http://unicornscan.org/ (link Ch 5f)


NetScanTools Pro • Robust, easy-to-use commercial tool • Runs on Windows • Types of tests: database vulnerabilities, DHCP server discovery, IP packets viewer, name server lookup, OS fingerprinting, many more (see link Ch 5g)

Nessus • First released in 1998 • Free, open source tool • Uses a client/server technology • Can conduct tests from different locations • Can use different OSs for client and server
Server • Any *NIX platform
Client • Can be *NIX or Windows
Functions much like a database server • Ability to update security checks (plug-ins) • Some plug-ins are considered dangerous • Finds services running on ports • Finds vulnerabilities associated with identified services

Nessus Plug-ins


Conducting Ping Sweeps

Ping sweeps • Identify which IP addresses belong to active hosts • Ping a range of IP addresses
Problems • Computers that are shut down cannot respond • Networks may be configured to block ICMP Echo Requests • Firewalls may filter out ICMP traffic

FPing • Pings multiple IP addresses simultaneously • www.fping.com/download • Command-line tool • Input: multiple IP addresses • To enter a range of addresses: -g option • Input file with addresses: -f option • See links Ch 5k, 5l

Hping • Used to bypass filtering devices • Allows users to fragment and manipulate IP packets • www.hping.org/download • Powerful tool: all security testers must be familiar with this tool • Supports many parameters (command options) • See links Ch 5m, Ch 5n

Broadcast Addresses
If you PING a broadcast address, that can create a lot of traffic
• Normally the broadcast address ends in 255 • But if your LAN is subnetted with a subnet mask like 255.255.255.192, there are other broadcast addresses ending in 63, 127, and 191

Smurf Attack
Pinging a broadcast address on an old network resulted in a lot of ping responses
• So just put the victim's IP address in the "From" field • The victim is attacked by a flood of pings, none of them directly from you
Modern routers don't forward broadcast packets, which prevents them from amplifying smurf attacks
Windows XP and Ubuntu don't respond to broadcast PINGs
See links Ch 5o, 5p
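An added example, not from the notes, that works the subnetting above through for any mask rather than only 255.255.255.192, and adds the check a router applies when it refuses to forward a directed broadcast (the smurf defence the notes mention). It also computes the worst-case amplification a single spoofed echo request could get. Only the standard library's ipaddress module is used; the addresses are invented.

```python
"""Broadcast addresses, directed-broadcast filtering and smurf amplification.

Added example, not from the CNIT 123 notes; all networks below are made up.
"""
import ipaddress


def mask_to_prefix(mask):
    """Dotted mask -> prefix length, e.g. 255.255.255.192 -> 26."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def broadcast_addresses(network, mask):
    """Every broadcast address that appears when `network` is carved into
    subnets of `mask`. For a /24 split by 255.255.255.192 that is .63, .127, .191, .255."""
    net = ipaddress.ip_network(network)
    return [str(sub.broadcast_address)
            for sub in net.subnets(new_prefix=mask_to_prefix(mask))]


def is_directed_broadcast(dst, attached_networks):
    """True if dst is the broadcast address of a subnet this router is attached to.
    A router that drops such packets arriving from outside cannot be used as a
    smurf amplifier (this is the default on modern routers)."""
    addr = ipaddress.ip_address(dst)
    return any(addr == ipaddress.ip_network(n).broadcast_address
               for n in attached_networks)


def amplification_factor(network):
    """Worst case: one spoofed echo request to the broadcast address triggers a
    reply from every usable host address in the subnet (ignores /31 and /32)."""
    return ipaddress.ip_network(network).num_addresses - 2


if __name__ == "__main__":
    print(broadcast_addresses("192.168.1.0/24", "255.255.255.192"))
    print(is_directed_broadcast("192.168.1.127", ["192.168.1.64/26", "10.0.0.0/8"]))
    print("replies per spoofed ping, /26:", amplification_factor("192.168.1.64/26"))
```

The directed-broadcast check is the one to confirm on any edge router you assess: if a ping from outside to one of the addresses `broadcast_addresses()` lists draws replies, the network is still usable as an amplifier.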


Crafting IP Packets
Packet components • Source IP address • Destination IP address • Flags
Crafting packets helps you obtain more information about a service
Tools • Fping • Hping

Understanding Shell Scripting
Modify tools to better suit your needs
Script • Computer program that automates tasks • Time-saving solution
Scripting Basics • Similar to DOS batch programming • Script or batch file: a text file that contains multiple commands
Repetitive commands are good candidates for scripting. Practice is the key.

Last modified 2-23-07 8 pm


Chapter 6: Enumeration

Objectives

Describe the enumeration step of security testing • Enumerate Microsoft OS targets • Enumerate NetWare OS targets • Enumerate *NIX OS targets

Introduction to Enumeration
Enumeration extracts information about: • Resources or shares on the network • User names or groups assigned on the network • Last time a user logged on • A user's password
Before enumeration, you use port scanning and footprinting • To determine the OS being used
Enumeration is an intrusive process

NBTscan
NBT (NetBIOS over TCP/IP) • is the Windows networking protocol • used for shared folders and printers
NBTscan • Tool for enumerating Microsoft OSs

Enumerating Microsoft Operating Systems
Study OS history • Knowing your target makes your job easier • Many attacks that work for older Windows OSs still work with newer versions
Windows 95 • The first Windows version that did not start with DOS • Still used the DOS kernel to some extent • Introduced the Registry database to replace Win.ini, Autoexec.bat, and other text files • Introduced Plug and Play and ActiveX • Used the FAT16 file system
Windows 98 and ME • More stable than Win 95 • Used the FAT32 file system • Win ME introduced System Restore • Win 95, 98, and ME are collectively called "Win 9x"
Windows NT 3.51 Server/Workstation • No dependence on the DOS kernel • Domains and Domain Controllers • NTFS file system to replace FAT16 and FAT32 • Much more secure and stable than Win9x • Many companies still use Win NT Server Domain Controllers • Win NT 4.0 was an upgrade


Windows 2000 Server/Professional • Upgrade of Win NT • Active Directory: a powerful database storing information about all objects in a network (users, printers, servers, etc.), based on Novell's Novell Directory Services • Enumerating this system would include enumerating Active Directory
Windows XP Professional • Much more secure, especially after Service Pack 2 • Windows File Protection • Data Execution Prevention • Windows Firewall
Windows Server 2003 • Much more secure, especially after Service Pack 1 • Network services are closed by default • Internet Explorer security set higher

NetBIOS Basics
Network Basic Input Output System (NetBIOS) • Programming interface • Allows computer communication over a LAN • Used to share files and printers
NetBIOS names • Computer names on Windows systems • Limit of 16 characters • The last character identifies the type of service running • Must be unique on a network

NetBIOS Null Sessions
Null session • Unauthenticated connection to a Windows computer • Does not use logon and password values • Around for over a decade • Still present on Windows XP • A large vulnerability • See links Ch 6a-f

Null Session Information
Using these NULL connections allows you to gather the following information from the host: • List of users and groups • List of machines • List of shares • User and host SIDs (Security Identifiers)
From brown.edu (link Ch 6b)


Demonstration of Null Sessions
Start Win 2000 Pro and share a folder. From a Win XP command prompt:
• NET VIEW \\ip-address  (fails)
• NET USE \\ip-address\IPC$ "" /u:""  (creates the null session: Username="", Password="")
• NET VIEW \\ip-address  (works now)

Demonstration of Enumeration • Download Winfo from link Ch 6g • Run it – see all the information!

NULL Session Information
NULL sessions exist in Windows networking to allow • Trusted domains to enumerate resources • Computers outside the domain to authenticate and enumerate users • The SYSTEM account to authenticate and enumerate resources
NetBIOS NULL sessions are enabled by default in Windows NT and 2000. From brown.edu (link Ch 6b)

NULL Sessions in Win XP and 2003 Server
Windows XP and 2003 don't allow Null Sessions, according to link Ch 6c.
• I tried the NET USE command on Win XP SP2 and it did not work
• Link Ch 6f says you can still do it in Win XP SP2, but you need to use a different procedure

NetBIOS Enumeration Tools
Nbtstat command • Powerful enumeration tool included with the Microsoft OS • Displays the NetBIOS table
Net view command • Shows whether there are any shared resources on a network host
Net use command • Used to connect to a computer with shared folders or files

Additional Enumeration Tools • NetScanTools Pro • DumpSec • Hyena • NessusWX


NetScanTools Pro • Produces a graphical view of NetBIOS running on a network • Enumerates any shares running on the computer • Verifies whether access is available for a shared resource using its Universal Naming Convention (UNC) name • Costs about $250 per machine (see link Ch 6i)

DumpSec • Enumeration tool for Microsoft systems • Produced by Foundstone, Inc. • Allows the user to connect to a server and “dump” the following information: • Permissions for shares • Permissions for printers • Permissions for the Registry • Users in column or table format • Policies and rights • Services


Hyena • Excellent GUI product for managing and securing Microsoft OSs • Shows shares and user logon names for Windows servers and domain controllers • Displays a graphical representation of: Microsoft Terminal Services, Microsoft Windows Network, Web Client Network, Find User/Group
Prices • DumpSec seems to be free • Hyena costs about $200 per station (link Ch 6j)

NessusWX • This is the client part of Nessus • Allows enumeration of different OSs on a large network
Running NessusWX • Be sure the Nessus server is up and running • Open the NessusWX client application • To connect your client with the Nessus server, click Communications, Connect from the menu on the session window • Enter the server's name • Log on to the Nessus server
Nessus identifies • NetBIOS names in use • Shared resources • Vulnerabilities with shared resources • Also offers solutions to those vulnerabilities • OS version • OS vulnerabilities • Firewall vulnerabilities

Etherleak Vulnerability • Padding in short Ethernet frames comes from RAM, it's not just zeroes • Real data can leak out that way • See link Ch 6l


Enumerating the NetWare Operating System
Security professionals see Novell NetWare as a “dead horse” • Ignoring an OS can limit your career as a security professional
Novell NetWare version 4.11 • Novell does not offer any technical support for earlier versions • Novell has switched to SUSE Linux now

NetWare Enumeration Tools
NetWare 5.1 is still used on many networks. New vulnerabilities are discovered daily • You need to be vigilant in checking vendor sites and security sites
Tool • Nessus
Nessus • Enumerates a NetWare server • Determines eDirectory information • Discovers the user name and password for the FTP account • Discovers the names of several user accounts
Novell Client32 • Available at www.novell.com • Client available for several OSs • Specify information for: Tree, Context, Server

Enumerating the *NIX Operating System
Several variations • Solaris • SunOS • HP-UX • Linux • Ultrix • AIX • BSD UNIX • FreeBSD • OpenBSD
UNIX Enumeration
Finger utility • Most popular tool for security testers • Finds out who is logged in to a *NIX system • Determines the owner of any process
Nessus • Another important *NIX enumeration tool

Last modified 2-23-07 8 pm


Chapter 7: Programming for Security Professionals

Objectives

Explain basic programming concepts • Write a simple C program • Explain how Web pages are created with HTML • Describe and create basic Perl programs • Explain basic object-oriented programming concepts

Introduction to Computer Programming
Computer programmers must understand the rules of programming languages • Programmers deal with syntax errors • One minor mistake and the program will not run, or worse, it will produce unpredictable results
Being a good programmer takes time and patience

Computer Programming Fundamentals
Fundamental concepts • Branching, Looping, and Testing (BLT) • Documentation
Function • Mini program within a main program that carries out a task

Branching, Looping, and Testing (BLT)
Branching • Takes you from one area of the program to another area
Looping • Act of performing a task over and over
Testing • Verifies some condition and returns true or false

A C Program • Filename ends in .c • It's hard to read at first • A single missing semicolon can ruin a program
Comments • Comments make code easier to read
Branching and Testing • Diagram of branches • See links Ch 7b, 7c


Looping


Algorithm • Defines steps for performing a task • Keep it as simple as possible
Bug • An error that causes unpredictable results
Pseudocode • English-like language used to create the structure of a program
Pseudocode for shopping:
  PurchaseIngredients Function
    Call GetCar Function
    Call DriveToStore Function
    Purchase Bacon, Bread, Tomatoes, Lettuce, and Mayonnaise
  End PurchaseIngredients Function

Documentation
Documenting your work is essential • Add comments to your programs • Comments should explain what you are doing • Many programmers find it time consuming and tedious • Helps others understand your work

Bugs
Industry standard • 20 to 30 bugs for every 1000 lines of code (link Ch 7f)
Textbook claims a much smaller number without a source
Windows 2000 contains almost 50 million lines • And fewer than 60,000 bugs (about 1 per 1000 lines) • See link Ch 7e for comments in the leaked Win 2000 source code
Linux has 0.17 bugs per 1000 lines of code (link Ch 7f)

Learning the C Language
Developed by Dennis Ritchie at Bell Laboratories in 1972 • Powerful and concise language • UNIX was first written in assembly language and later rewritten in C • C++ is an enhancement of the C language • C is powerful but dangerous: bugs can crash computers, and it's easy to leave security holes in the code


Assembly Language
The binary language hard-wired into the processor is machine language
Assembly Language uses a combination of mnemonics, hexadecimal numbers and expressions • Very powerful but hard to use (link Ch 7g)

Compiling C in Ubuntu Linux
Compiler • Converts a text-based program (source code) into executable or binary code
To prepare Ubuntu Linux for C programming, use this command:
  sudo apt-get install build-essential
Then you compile a file named "program.c" with this command:
  gcc program.c -o program.exe

Anatomy of a C Program
The first computer program a C student learns: "Hello, World!"
Comments • Use /* and */ to comment large portions of text • Use // for one-line comments
Include • The #include statement loads libraries that hold the commands and functions used in your program
Functions • A function name is always followed by parentheses ( ) • Curly braces { } show where a function begins and ends
main() function • Every C program requires a main() function • main() is where processing starts
Functions can call other functions • Parameters or arguments are optional
\n represents a line feed


Declaring Variables • A variable represents a numeric or string value • You must declare a variable before using it
Mathematical Operators • The i++ in the example below adds one to the variable i
Logical Operators • The i<11 in the example below compares the variable i to 11


Understanding HTML Basics

HTML is a language used to create Web pages • HTML files are text files • Security professionals often need to examine Web pages • Be able to recognize when something looks suspicious
Creating a Web Page Using HTML • Create the HTML Web page in Notepad, view it in a Web browser • HTML does not use branching, looping, or testing • HTML is a static formatting language, rather than a programming language • < and > symbols denote HTML tags • Most tags have a matching closing tag, like <HTML> and </HTML>


Understanding Practical Extraction and Report Language (Perl)

PERL • Powerful scripting language • Used to write scripts and programs for security professionals
Background on Perl • Developed by Larry Wall in 1987 • Can run on almost any platform • *NIX-based OSs already have Perl installed • Perl syntax is similar to C • Hackers use Perl to write malware • Security professionals use Perl to perform repetitive tasks and conduct security monitoring
Understanding the Basics of Perl • The perl -h command gives you a list of parameters used with perl
Understanding the BLT of Perl • Some syntax rules: • The keyword “sub” is used in front of function names • Scalar variables begin with the $ character • Comment lines begin with the # character • The & character is used when calling a function


Branching in Perl • &speak; calls the subroutine • sub speak defines the subroutine
For Loop in Perl • For loop
Testing Conditions in Perl

Understanding Object-Oriented Programming Concepts
New programming paradigm. There are several languages that support object-oriented programming • C++ • C# • Java • Perl 6.0 • Object Cobol


Components of Object-Oriented Programming
Classes • Structures that hold pieces of data and functions
The :: symbol • Used to separate the name of a class from a member function • Example: Employee::GetEmp()
Example of a Class in C++:

  class Employee {
  public:
      char firstname[25];
      char lastname[25];
      char PlaceOfBirth[30];
      // [code continues]
  };

  void GetEmp() {
      // Perform tasks to get employee info
      // [program code goes here]
  }

Error in the textbook C++ example on page 138: it should be this instead

Last modified 3-9-07


Chapter 8: Microsoft Operating System Vulnerabilities

Objectives

Tools to assess Microsoft system vulnerabilities • Describe the vulnerabilities of Microsoft operating systems and services • Techniques to harden Microsoft systems against common vulnerabilities • Best practices for securing Microsoft systems

Tools to Identify Vulnerabilities on Microsoft Systems
Many tools are available for this task • Using more than one tool is advisable • Using several tools helps you pinpoint problems more accurately
Built-in Microsoft Tools • Microsoft Baseline Security Analyzer (MBSA) • Winfingerprint • HFNetChk
Microsoft Baseline Security Analyzer (MBSA) • Effective tool that checks for: patches, security updates, configuration errors, blank or weak passwords, others • MBSA supports remote scanning • The associated product must be installed on the scanned computer
MBSA Results


MBSA Versions • 2.x for Win 2000 or later & Office XP or later • 1.2.1 if you have older products
After installing, MBSA can • Scan the local machine • Scan other computers remotely • Be scanned remotely over the Internet

HFNetChk • HFNetChk is part of MBSA • Available separately from Shavlik Technologies • Can be used to control the scanning more precisely, from the command line

Winfingerprint • Administrative tool • It can be used to scan network resources • Exploits Windows null sessions • Detects: NetBIOS shares, disk information and services, null sessions • Can find: OS detection, service packs and hotfixes, running services • See Proj X6 for details

Microsoft OS Vulnerabilities

Microsoft integrates many of its products into a single package • Such as Internet Explorer and Windows OS • This creates many useful features • It also creates vulnerabilities

Security testers should search for vulnerabilities on • The OS they are testing • Any application running on the server


CVE (Common Vulnerabilities and Exposures) • A list of standardized names for vulnerabilities • Makes it easier to share information about them • cve.mitre.org (link Ch 8c) • Demonstration: Search

Remote Procedure Call (RPC) • RPC is an interprocess communication mechanism • Allows a program running on one host to run code on a remote host
Examples of worms that exploited RPC • MSBlast (LovSAN, Blaster) • Nachi
Use MBSA to detect if a computer is vulnerable to an RPC-related issue

NetBIOS • Software loaded into memory • Enables a computer program to interact with a network resource or other device
NetBIOS is not a protocol • NetBIOS is an interface to a network protocol • It's sometimes called a session-layer protocol, or a protocol suite (links Ch 8d, 8e, 8f)
NetBEUI (NetBIOS Extended User Interface) • Fast, efficient, non-routable LAN transport that carries NetBIOS frames without TCP/IP • NBT (NetBIOS over TCP/IP) carries NetBIOS over TCP/IP instead, so it can cross routers
Newer Microsoft OSs do not need NetBIOS to share resources • NetBIOS is used for backward compatibility • You can turn off NetBIOS for Windows 2000 and later (links Ch 8g & 8h)

Server Message Block (SMB) • Used by Windows 95, 98 and NT to share files • Usually runs on top of NetBIOS, NetBEUI or TCP/IP
Hacking tools • L0phtcrack's SMB Packet Capture utility • SMBRelay • Ettercap (see Project 23, links Ch 8r, Ch 8s)


Demonstration: ettercap

Common Internet File System (CIFS) • CIFS, a newer dialect of SMB, replaced the older SMB for Windows 2000, XP, and Windows 2003 Server • The older SMB is still used for backward compatibility • CIFS is a remote file system protocol • Enables computers to share network resources over the Internet
Enhancements over SMB • Resource locking (if 2 people use the same thing at once) • Support for fault tolerance • Capability to run more efficiently over dial-up • Support for anonymous and authenticated access
Server security methods • Share-level security: a password assigned to a shared resource • User-level security: an access control list assigned to a shared resource; users must be on the list to gain access • Passwords are stored in an encrypted form on the server
But CIFS is still vulnerable (see link Ch 8n) • Don't let NetBIOS traffic past the firewall

Understanding Samba • Open-source implementation of CIFS • Created in 1992 • Samba allows sharing resources over multiple OSs • Samba accessing Microsoft shares can make a network susceptible to attack • Samba is used to “trick” Microsoft services into believing the *NIX resources are Microsoft resources
Samba is built into Ubuntu • Click Places, Connect to Server • Windows shares are marked with SMB
Closing SMB Ports • Best way to protect a network from SMB attacks • Routers should filter out ports 137 to 139 (TCP and UDP) and 445 (TCP)


Default Installations
Windows 9x, NT, and 2000 all start out with many services running and ports open • They are very insecure until you lock them down
Win XP, 2003, and Vista are much more secure by default • Services are blocked until you open them

Passwords and Authentication
A comprehensive password policy is critical • Change passwords regularly • Require a password length of at least six characters • Require complex passwords • Never write a password down or store it online or on the local system • Do not reveal a password over the phone
Configure domain controllers • Enforce password age, length and complexity • Account lockout threshold • Account lockout duration • Start, Run, GPEDIT.MSC

IIS (Internet Information Services)
IIS 5 and earlier installs with critical security vulnerabilities • Run the IIS Lockdown Wizard (link Ch 8p)
IIS 6.0 installs with a “secure by default” posture • Configure only the services that are needed
Windows 2000 ships with IIS installed by default • Running MBSA can detect IIS running on your network


SQL Server

SQL vulnerabilities exploit these areas • The SA account with a blank password • SQL Server Agent • Buffer overflow • Extended stored procedures • Default SQL port 1433
Vulnerabilities related to SQL Server 7.0 and SQL Server 2000
The SA Account • The SA account is the master account, with full rights • SQL Server 6.5 and 7 installations do not require setting a password for this account • SQL Server 2000 supports mixed-mode authentication • The SA account is created with a blank password • The SA account cannot be disabled
SQL Server Agent • Service mainly responsible for replication, running scheduled jobs, and restarting the SQL service • An authorized but unprivileged user can create scheduled jobs to be run by the agent
Buffer Overflow • The Database Consistency Checker in SQL Server 2000 contains commands with buffer overflows • SQL Server 7 and 2000 have functions that generate text messages; they do not check that messages fit in the buffers supplied to hold them • Format string vulnerability in the C runtime functions
Extended Stored Procedures • Several of the extended stored procedures fail to perform input validation • They are susceptible to buffer overruns
Default SQL Port 1433 • SQL Server is a Winsock application • Communicates over TCP/IP using port 1433
Spida worm • Scans for systems listening on TCP port 1433 • Once connected, attempts to use xp_cmdshell • Enables and sets a password for the Guest account
Changing the default port is not an easy task

Best Practices for Hardening Microsoft Systems
Penetration tester • Finds vulnerabilities
Security tester • Finds vulnerabilities • Gives recommendations for correcting found vulnerabilities
Patching Systems • The number-one way to keep your system secure • Attacks take advantage of known vulnerabilities


Options for small networks • Accessing Windows Update manually • Automatic Updates • This technique does not really ensure that all machines are patched at the same time • Does not let you skip patches you don't want • Some patches cause problems, so they should be tested first
Options for patch management for large networks • Systems Management Server (SMS) • Software Update Service (SUS) • Patches are pushed out from the network server after they have been tested

Antivirus Solutions • An antivirus solution is essential • For small networks: a desktop antivirus tool with automatic updates • For large networks: a corporate-level solution • An antivirus tool is almost useless if it is not updated regularly

Enable Logging and Review Logs Regularly • Important step for monitoring critical areas: performance, traffic patterns, possible security breaches • Logging can have a negative impact on performance • Review logs regularly for signs of intrusion or other problems • Use a log-monitoring tool

Disable Unused or Unneeded Services • Disable unneeded services • Delete unnecessary applications or scripts • Unused applications or services are an invitation for attacks • Requires careful planning: close unused ports but maintain functionality

Other Security Best Practices • Use a firewall on each machine, and also a firewall protecting the whole LAN from the Internet • Delete unused scripts and sample applications • Delete default hidden shares • Use different names and passwords for public interfaces • Be careful of default permissions (for example, new shares are readable by all users in Win XP) • Use available tools to assess system security, like MBSA, the IIS Lockdown Wizard, etc. • Disable the Guest account • Rename the default Administrator account • Enforce a good password policy • Educate users about security • Keep informed about current threats

Last modified 3-18-07 5:30 pm


Chapter 9: Linux Operating System Vulnerabilities

Objectives
• Describe the fundamentals of the Linux operating system
• Describe the vulnerabilities of the Linux operating system
• Describe Linux remote attacks
• Explain countermeasures for protecting the Linux operating system

Review of Linux Fundamentals
Linux is a version of UNIX
• Usually available free
• Red Hat includes documentation and support for a fee
Linux creates default directories

Linux Exploration Demo
    cd /
    ls -F
Note: ls -F adds / to directories, * to executables, @ to linked files
    cd /bin
    ls -F
Note: familiar commands ls, nc, mkdir
    cd /dev
    ls
Note: hda is the hard disk. eth0 is not here; Ethernet devices are treated differently (link Ch 9a)
    cd /etc
    ls -F
Note: hosts file with name-to-IP mapping ("cat hosts" to see it); passwd with user accounts and their primary group IDs ("cat passwd" to see it; group names are in the group file); shadow file with hashed passwords ("sudo cat shadow" to see it, because it is readable only by root)


    cd /home
    ls -l
Note: home directory for each user, owned by the user
    cd /lib
    ls -F
Note: libraries here, nothing particularly interesting
    cd /mnt
    ls -al
Note: nothing here unless a removable device is connected
    cd /proc
    ls -F
Note: these files show information about running processes and the kernel. "cat interrupts", "cat iomem", "cat ioports" show the device resources, like Device Manager; "cat meminfo" shows memory statistics; "cat partitions" shows the hard disk partitions; "cat version" shows the Linux version
    cd /var/log
    ls
    cat boot
Note: this file is the boot log

Linux File System
• Provides directory structure
• Establishes a file-naming convention
• Includes utilities to compress or encrypt files
• Provides for both file and data integrity
• Enables error recovery
• Stores information about files and folders
*NIX systems store information about files in information nodes (inodes)


inodes
Information stored in an inode
• An inode number
• Owner of the file
• Group the file belongs to
• Size of the file
• Permissions, and the link count (how many directory entries point at this inode)
• Time of last access (read), time of last modification, and time of last status change (ctime)
   Classic *NIX file systems store no creation time; ctime records the last change to the inode itself (owner, mode, link count), which textbooks often mislabel as "date created"
• The file name is not in the inode: it lives in the directory entry, which is why one inode can have several names (hard links)

There is a fixed number of inodes
• Set when the file system is created (mke2fs -i chooses the bytes-per-inode ratio; the textbook's figure is one inode per 4 KB); it cannot be raised later without reformatting
• Running out of inodes makes file creation fail even when free blocks remain
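An added example (Python, not part of the course notes) that reads these inode fields with os.stat on a file it creates in a temporary directory. It also shows two things the slide's wording hides: a hard link is simply a second name for the same inode, and chmod changes the inode's ctime but not the file's mtime. The file name and contents are made up for the demo.

```python
"""Inode fields via os.stat: added example, not from the course notes.
The temporary file, its name and its contents are constructed for the demo."""
import os
import stat
import tempfile


def inode_info(path):
    """Return the inode fields the slide lists, plus mode and link count."""
    st = os.lstat(path)          # lstat: describe the name itself, don't follow symlinks
    return {
        "inode": st.st_ino,
        "owner_uid": st.st_uid,
        "group_gid": st.st_gid,
        "size": st.st_size,
        "links": st.st_nlink,    # how many directory entries point at this inode
        "mode": stat.filemode(st.st_mode),
        "atime": st.st_atime,    # last read
        "mtime": st.st_mtime,    # last change to the contents
        "ctime": st.st_ctime,    # last change to the inode itself; not "created"
    }


def hard_link_demo():
    """Create a file and a hard link to it, tighten its permissions, and
    return (before, after, via_link) so the effects can be compared."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "data.txt")   # constructed demo file
        link = os.path.join(tmp, "data.lnk")
        with open(target, "w") as fh:
            fh.write("hello\n")                  # 6 bytes
        before = inode_info(target)
        os.link(target, link)        # same inode, second directory entry
        os.chmod(target, 0o600)      # metadata change: touches ctime, leaves mtime alone
        after = inode_info(target)
        via_link = inode_info(link)  # the link shows the new mode too: it IS the file
        return before, after, via_link


if __name__ == "__main__":
    before, after, via_link = hard_link_demo()
    for label, info in ("before", before), ("after chmod", after), ("via link", via_link):
        print(label, info)
```

Running it prints the same inode number three times, a link count that goes from 1 to 2, and an unchanged mtime after chmod; compare that with ctime, which the kernel bumps for the permission change.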

Mounting
In Windows, each device has a letter
• A: for floppy, C: for hard disk, and so on
*NIX mounts a file system (usually a drive) as a subfile system of the root file system /
The mount command is used to mount file systems
• or, with no arguments, to display currently mounted file systems
The df command displays disk usage of mounted file systems

*NIX File System History
Minix file system
• Max. size 64 MB, max. file name 14 chars
Extended File System (Ext)
• Max. size 2 GB, max. file name 255 chars
Second Extended File System (Ext2fs)
• Max. size 4 TB, better performance and stability
Third Extended File System (Ext3fs)
• Journaling: recovers from crashes better, because metadata changes are logged before they are applied, so a crash leaves the log rather than a half-written file system

[Figure: mount and df in Ubuntu]


Linux Commands
Getting Help
Many of these commands have multiple parameters and additional functionality
Use these commands to get help (replace command with the command you want help with, such as ifconfig)
    command --help
    man command


Linux OS Vulnerabilities
UNIX has been around for quite some time
• Attackers have had plenty of time to discover vulnerabilities in *NIX systems
Enumeration tools can also be used against Linux systems
• Nessus can be used to enumerate Linux systems
Nessus can be used to
• Discover vulnerabilities related to SMB and NetBIOS (served on Linux by Samba)
• Discover other vulnerabilities
• Enumerate shared resources
Test the Linux computer against common known vulnerabilities
• Review the CVE and CAN information (CAN was the prefix for candidate entries not yet accepted into CVE)
• See links Ch 9m, n, o

Remote Access Attacks on Linux Systems
Differentiate between local attacks and remote attacks
• Remote attacks are harder to perform: the attacker starts with no account and must first learn what is running

[Figure: Nessus scanning a Linux server (with Samba)]

Attacking a network remotely requires
• Knowing what system a remote user is operating (OS and version)
• The attacked system's login accounts and passwords

Footprinting an Attacked System
Footprinting techniques
• Used to find out information about a target system
Determining the OS version the attacked computer is running
• Check newsgroups for details in posted messages (administrators asking for help often name their OS, version, and patch level)
• Knowing a company's e-mail address makes the search easier
Other Footprinting Tools
• Whois databases
• DNS zone transfers
• Nessus
• Port scanning tools

Using Social Engineering to Attack Remote Linux Systems
Goal
• To get OS information from company employees
Common techniques
• Urgency
• Quid pro quo
• Status quo
• Kindness
• Position
Train your employees about social engineering techniques

Trojans
Trojan programs spread as
• E-mail attachments
• Fake patches or security fixes that can be downloaded from the Internet
Trojan program functions
• Allow for remote administration
• Create an FTP server on the attacked machine
• Steal passwords
• Log all keys a user enters, and e-mail the results to the attacker
Trojan programs can use legitimate outbound ports
• Firewalls and IDSs that only look at ports and protocols cannot distinguish this traffic from ordinary browsing
• Example: Sheepshank uses HTTP GETs
It is easier to protect systems from already identified Trojan programs
• See links Ch 9e, f, g
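The fact that a Trojan's HTTP GETs look like browsing to a port-based firewall is exactly why the earlier advice to review logs with a monitoring tool matters: a timer-driven beacon leaves a regularity in the proxy log that a human browsing never does. The following Python script is an added example, not part of the course notes or of any product named here; the log lines are constructed for the demo, and the thresholds (four hits, 20% jitter) are assumptions a real deployment would tune.

```python
"""Spot periodic outbound HTTP GETs (Trojan beaconing) in a proxy log.
Added example, not from the course notes.  The log lines are constructed and
the thresholds are assumptions to tune against real traffic."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in a "date time client method url" format.
# 10.1.1.5 hits one URL every 60 seconds; 10.1.1.7 browses normally.
SAMPLE_LOG = """\
2007-03-22 09:00:00 10.1.1.5 GET http://update.example.net/cmd.php
2007-03-22 09:00:12 10.1.1.7 GET http://news.example.com/index.html
2007-03-22 09:00:45 10.1.1.7 GET http://news.example.com/story1.html
2007-03-22 09:01:00 10.1.1.5 GET http://update.example.net/cmd.php
2007-03-22 09:02:00 10.1.1.5 GET http://update.example.net/cmd.php
2007-03-22 09:02:30 10.1.1.7 GET http://shop.example.com/
2007-03-22 09:03:00 10.1.1.5 GET http://update.example.net/cmd.php
2007-03-22 09:04:00 10.1.1.5 GET http://update.example.net/cmd.php
2007-03-22 09:07:10 10.1.1.7 GET http://news.example.com/index.html
"""


def parse(log_text):
    """Yield (timestamp, client, host) for each GET line; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "GET":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        host = parts[4].split("/")[2]        # http://host/path -> host
        yield ts, parts[2], host


def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Return {(client, host): mean_gap_seconds} for series that fire on a timer.

    A timer produces gaps with a low coefficient of variation (std dev / mean);
    human browsing produces gaps that are all over the place.
    """
    series = defaultdict(list)
    for ts, client, host in parse(log_text):
        series[(client, host)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:           # too few requests to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host} every {interval:.0f}s: possible beacon")
```

Real beacons add random jitter to blunt exactly this check, so a production detector would also score the count of distinct paths, the response sizes, and the reputation of the destination; the regularity test is the cheap first pass.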

Rootkits
• Contain Trojan binary programs ready to be installed by an intruder with root access to the system
• Replace legitimate commands (such as ls, ps, netstat, and login) with Trojan versions that hide the intruder's files, processes, and connections
• Hide the tools used for later attacks
• Example: LRK5
LRK5
• A famous Linux rootkit
• See links Ch 9h, i, j
Rootkit Detectors
Security testers should check their Linux systems for rootkits
• Rootkit Hunter (link Ch 9l)
• Chkrootkit (link Ch 9l)
• Rootkit Profiler (link Ch 9k)
• Caveat: a detector run on the compromised host uses that host's binaries and kernel, which a rootkit may already control; boot from trusted media or compare against known-good checksums when the result matters
Demonstration of rkhunter
    sudo apt-get install rkhunter
    sudo rkhunter -c


Creating Buffer Overflow Programs
A buffer overflow writes more data into a buffer than it can hold, overwriting whatever sits next to it in memory
• On the stack, the overwritten bytes can include a function's return address
• The attacker then redirects execution into code of their own choosing (shellcode)
• The injected code runs with the privileges of the vulnerable program; on a setuid-root binary or a daemon running as root, that means root
Security testers should know what a buffer overflow program looks like

[Figure: a C program that causes a buffer overflow. The program compiles, but returns the error shown to the right]

[Figure: a C code snippet that fills the stack with shell code]


Avoiding Buffer Overflows
Write code that avoids functions known to have buffer overflow vulnerabilities
• strcpy() strcat() sprintf() gets()
   These copy until they see a terminator and have no idea how large the destination is; use the length-checked forms (strncpy, strncat, snprintf, fgets) and check their return values
Configure the OS to not allow code in the stack to run (a non-executable stack, NX/DEP)
• Stops the classic "jump to shellcode on the stack", but not attacks that reuse code already in the program
Some compilers like gcc warn programmers when dangerous functions are used
• The glibc linker warns that gets() is dangerous, and gcc's stack-protector option inserts canaries that abort the program when a return address has been overwritten

Using Sniffers to Gain Access to Remote Linux Systems
Sniffers work by setting the network adapter in promiscuous mode
• The NIC accepts all packets that reach it, not just those addressed to it
• On a hub every frame reaches every port; on a switch the attacker sees only his own port's traffic unless he also uses ARP spoofing or a mirror port
Attacker can analyze packets and learn user names and passwords
• Avoid using protocols such as Telnet, HTTP, and FTP that send data in clear text; use SSH, HTTPS, and SFTP or SCP instead
Sniffers
• Tcpdump, Ethereal (now Wireshark)

Countermeasures Against Linux Remote Attacks
Measures include
• User awareness training
• Keeping current on new kernel releases and security updates
User Awareness Training
Social Engineering
• Users must be told not to reveal information to outsiders
• Make customers aware that many exploits can be downloaded from Web sites
• Teach users to be suspicious of people asking questions about the system they are using
   Verify the caller's identity: call-back technique (hang up and call the person back at a number you look up yourself)
Keeping Current
Never-ending battle
• New vulnerabilities are discovered daily
• New patches are issued to fix new vulnerabilities
Installing these fixes is essential to protecting your system
Many OSs are shipped with automated tools for updating your systems

Last modified 3-22-07 9 am


Chapter 10: Hacking Web Servers

Objectives
• Describe Web applications
• Explain Web application vulnerabilities
• Describe the tools used to attack Web servers
Web Servers
The two main Web servers are Apache (open source) and IIS (Microsoft)

Understanding Web Applications
It is nearly impossible to write a program without bugs
• Some bugs create security vulnerabilities
Web applications also have bugs
• Web applications have a larger user base than standalone applications
• They are exposed to everyone on the Internet, so bugs are a bigger problem for Web applications
Web Application Components
Static Web pages
• Created using HTML
Dynamic Web pages
• Need special components: <form> tags, Common Gateway Interface (CGI) scripts, Active Server Pages (ASP), PHP, ColdFusion, scripting languages like JavaScript, ODBC (Open Database Connectivity)
Web Forms
Use the <form> element or tag in an HTML document
• Allows the customer to submit information to the Web server
• Web servers process information from a Web form by using a Web application
• Every field the user submits is attacker-controlled input, and over plain HTTP it also crosses the network in clear text, so forms are an easy place for attackers to intercept or tamper with the data users submit
Web form example
    <html><body>
    <form>
    Enter your username: <input type="text" name="username">
    <br>
    Enter your password: <input type="password" name="password">
    </form>
    </body></html>
Common Gateway Interface (CGI)
• Defines how a Web server passes a request (query string, form fields, and headers, via environment variables and standard input) to an external program, and returns that program's output to the browser
• The majority of dynamic Web pages are created with CGI and scripting languages
• Relies on Perl or another scripting language to create dynamic Web pages


CGI Languages
CGI programs can be written in different programming and scripting languages
• C or C++
• Perl
• Unix shell scripting
• Visual Basic
• FORTRAN
CGI example
• Written in Perl
• Hello.pl
• Should be placed in the cgi-bin directory on the Web server, and must be executable
    #!/usr/bin/perl
    print "Content-type: text/html\n\n";
    print "Hello Security Testers!";

Another CGI Example
• Link Ch 10a: Sam's Feedback Form
• Link Ch 10b: CGI script in Perl that processes the data from the form
Active Server Pages (ASP)
Microsoft's server-side script engine
• HTML pages are static: always the same
• ASP creates HTML pages as needed. They are not static
ASP uses scripting languages such as JScript or VBScript
Not all Web servers support ASP
• IIS supports ASP
• Apache doesn't support ASP as well
You can't see the source of an ASP page from a browser, only the HTML it produces
• This makes it harder to hack into, although not impossible: source-disclosure bugs in the server can still leak the code, and the application's input handling can be attacked without ever seeing it
ASP examples at links Ch 10d, e, f
Apache Web Server
Apache is the most popular Web server program
Advantages
• Stable and reliable
• Works on just about any *NIX and Windows platform
• It is free and open source
See links Ch 10g, 10h
Using Scripting Languages
Dynamic Web pages can be developed using scripting languages
• VBScript
• JavaScript
• PHP


PHP: Hypertext Preprocessor (PHP)
Enables Web developers to create dynamic Web pages
• Similar to ASP
Open-source server-side scripting language
• Can be embedded in an HTML Web page using PHP tags <?php and ?>
• Users cannot see PHP code in their Web browser
• Used primarily on UNIX systems
• Also supported on Macintosh and Microsoft platforms
PHP Example
    <html><head><title>Example</title></head>
    <body>
    <?php echo 'Hello, World!'; ?>
    </body></html>
• See links Ch 10k, 10l
PHP has known vulnerabilities
• See links Ch 10m, 10n
PHP is often used with MySQL databases
ColdFusion
Server-side scripting language used to develop dynamic Web pages
Created by the Allaire Corporation
• Purchased by Macromedia, now owned by Adobe; expensive
Uses its own proprietary tags written in ColdFusion Markup Language (CFML)
CFML Web applications can contain other technologies, such as HTML or JavaScript
ColdFusion Example
    <html><head><title>Ex</title></head>
    <body>
    <CFLOCATION URL="www.isecom.org/cf/index.htm" ADDTOKEN="NO">
    </body>
    </html>
• See links Ch 10o
ColdFusion Vulnerabilities
• See links Ch 10p, 10q


VBScript
Visual Basic Script is a scripting language developed by Microsoft
You can insert VBScript commands into a static HTML page to make it dynamic
• Provides the power of a full programming language
• Executed by the client's browser
VBScript Example
    <html><body>
    <script type="text/vbscript">
    document.write("<h1>Hello!</h1>")
    document.write("Date Activated: " & date())
    </script>
    </body></html>
See link Ch 10r: works in IE, but not in Firefox
Firefox does not support VBScript (link Ch 10s)
VBScript vulnerabilities
• See links Ch 10t, 10u
JavaScript
Popular scripting language
JavaScript also has the power of a programming language
• Branching
• Looping
• Testing
JavaScript Example (the button needs an id attribute for getElementById to find it in browsers other than IE)
    <html><head>
    <script type="text/javascript">
    function chastise_user() {
      alert("So, you like breaking rules?")
      document.getElementById("cmdButton").focus()
    }
    </script></head>
    <body><h3>Don't click the button!</h3>
    <form>
    <input type="button" value="Don't Click!" id="cmdButton" name="cmdButton" onClick="chastise_user()" />
    </form></body></html>
• See link Ch 10v: works in IE and Firefox
JavaScript Vulnerabilities
See link Ch 10w


Connecting to Databases
Web pages can display information stored in databases
There are several technologies used to connect databases with Web applications
• Technology depends on the OS used: ODBC, OLE DB, ADO
• Theory is the same
Open Database Connectivity (ODBC)
Standard database access method developed by the SQL Access Group
ODBC interface allows an application to access
• Data stored in a database management system (DBMS)
• Can use Oracle, SQL Server, or any DBMS that understands and can issue ODBC commands
Interoperability among back-end DBMSs is a key feature of the ODBC interface
ODBC defines
• Standardized representation of data types
• A library of ODBC functions
• Standard methods of connecting to and logging on to a DBMS
OLE DB and ADO
Object Linking and Embedding Database (OLE DB) and ActiveX Data Objects (ADO)
• These two more modern, complex technologies replace ODBC and make up "Microsoft's Universal Data Access"
• See link Ch 10x

Understanding Web Application Vulnerabilities
Many platforms and programming languages can be used to design a Web site
Application security is as important as network security
Attackers controlling a Web server can
• Deface the Web site
• Destroy or steal the company's data
• Gain control of user accounts
• Perform secondary attacks from the Web site
• Gain root access to other applications or servers


Open Web Application Security Project (OWASP)
• Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applications
• Publishes the Ten Most Critical Web Application Security Vulnerabilities
Top-10 Web application vulnerabilities (the original 2003 list)
Unvalidated parameters
• HTTP requests from browsers that are not validated by the Web server
• Inserted form fields, cookies, headers, etc. (see link Ch 10y)
Broken access control
• Developers implement access controls but fail to test them properly
   For example, letting an authenticated user read another user's files
Broken account and session management
• Enables attackers to compromise passwords or session cookies to gain access to accounts
Cross-site scripting (XSS) flaws
• Attackers inject script into a Web page, such as a forum or guestbook
• When other users view the page, the script runs in their browsers with their session, and can steal confidential information such as session cookies
• See link Ch 10za
Buffer overflows
• Web servers, CGI programs, and server extensions written in C or C++ can contain buffer overflows that an attacker triggers with oversized input
Command injection flaws
• Attacker-supplied input is passed to an interpreter (SQL, the shell, LDAP) and runs as a command, for example on the database server
• Example: SQL injection
Error-handling problems
• Error messages may reveal information that an attacker can use
Insecure use of cryptography
• Storing keys, certificates, and passwords on a Web server can be dangerous
Remote administration flaws
• Attacker can gain access to the Web server through the remote administration interface
Web and application server misconfiguration
• Any Web server software out of the box is usually vulnerable to attack
   Default accounts and passwords
   Overly informative error messages
WebGoat project
• Helps security testers learn how to perform vulnerability testing on Web applications
• Developed by OWASP
• It's like HackThisSite without the helpful forum
• Tutorials for WebGoat are being made, but they aren't yet ready
Assessing Web Applications
Issues to consider
• Dynamic Web pages
• Connection to a backend database server
• User authentication
• What platform was used?


Does the Web Application Use Dynamic Web Pages?
Static Web pages give an attacker much less to manipulate than dynamic ones, but the Web server itself can still be attacked
IIS attack example: Directory Traversal
• Adding ..\ to a URL refers to a directory above the Web page directory
• IIS 4 and 5 checked the URL for ../ and ..\ before they translated UTF-8, so an overlong UTF-8 encoding of the backslash, %c1%9c, passed the check and only became \ afterwards (the "Web Server Folder Traversal" bug, Microsoft bulletin MS00-078)
• Lesson: decode and canonicalize first, then check the final path against the document root
• See link Ch 10 zh
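The following Python script is an added example, not from the course notes, that reproduces the check-then-decode mistake and the fix. It uses an assumed document root of /inetpub/wwwroot, the classic cmd.exe URL shape, and a small hand-written UTF-8 decoder that accepts overlong sequences the way the vulnerable server did (Python's strict decoder would reject %c1%9c outright, which is itself a defense; using the lenient decoder in both resolvers isolates the ordering of the check as the thing that matters).

```python
"""IIS Unicode directory traversal, and the check order that fixes it.
Added example, not from the course notes.  The document root and URLs are
assumed for the demo."""
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/inetpub/wwwroot"   # assumed document root


def lenient_utf8(data):
    """Decode UTF-8 the way the vulnerable server did: an overlong two-byte
    sequence such as C1 9C is accepted and yields '\\' (0x5C).  A strict
    decoder (bytes.decode('utf-8')) rejects overlong forms."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError("byte sequence not handled by this demo decoder")
    return "".join(out)


def vulnerable_resolve(url_path):
    """IIS 4/5 order: percent-decode, canonicalize and check against the root,
    and only afterwards translate UTF-8, where C1 9C turns into a backslash."""
    raw = unquote_to_bytes(url_path)
    # At check time the two bytes are just an odd-looking directory name, so
    # "..\xc1\x9c.." followed by ".." nets out to one level up: still inside.
    checked = posixpath.normpath(WEB_ROOT + raw.decode("latin-1").replace("\\", "/"))
    if not checked.startswith(WEB_ROOT + "/"):
        raise PermissionError("traversal rejected")
    translated = lenient_utf8(raw).replace("\\", "/")   # now it reads ../..
    return posixpath.normpath(WEB_ROOT + translated)


def safe_resolve(url_path):
    """Decode everything first, canonicalize, then check the final path."""
    translated = lenient_utf8(unquote_to_bytes(url_path)).replace("\\", "/")
    full = posixpath.normpath(posixpath.join(WEB_ROOT, translated.lstrip("/")))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        raise PermissionError("traversal rejected")
    return full


def rejects(resolver, url_path):
    """True if the resolver refuses to serve the path."""
    try:
        resolver(url_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    attack = "/scripts/..%c1%9c../winnt/system32/cmd.exe"
    print("vulnerable serves:", vulnerable_resolve(attack))
    print("safe rejects:", rejects(safe_resolve, attack))
```

The plain ../ form is caught by both resolvers; only the overlong encoding slips past the vulnerable one, which ends up serving a path outside the root. The safe version is also the shape a tester should look for in code review: any filter that runs before the last decoding step is a filter that can be bypassed.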

Connection to a Backend Database Server
Security testers should check for the possibility of SQL injection being used to attack the system
SQL injection involves the attacker supplying SQL commands in a Web application field
SQL Injection Example
HTML form collects name and pw
SQL then uses those fields:
    SELECT * FROM customer WHERE username = 'name' AND password = 'pw'
If a hacker enters a name of
    ' OR 1=1 --
The SQL becomes:
    SELECT * FROM customer WHERE username = '' OR 1=1 --' AND password = 'pw'
The WHERE clause is now always true, and -- comments out the password check, so the query returns all the records
HackThisSite
Basic testing should look for
• Whether you can enter text with punctuation marks
• Whether you can enter a single quotation mark followed by any SQL keywords
• Whether you can get any sort of database error when attempting to inject SQL
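The following Python script is an added example, not from the course notes, that runs the slide's query against an in-memory SQLite table (with constructed accounts alice and bob) both ways: concatenated as above, and parameterized, which is the fix. It also codes the tester's single-quote probe from the list above.

```python
"""The slide's login query built two ways against an in-memory SQLite table.
Added example, not from the course notes; the table and its rows are constructed."""
import sqlite3

PAYLOAD = "' OR 1=1 --"   # the name the slide's attacker types


def make_db():
    """Constructed customer table with two accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO customer (username, password) VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name, pw):
    """String concatenation: whatever the user typed becomes part of the SQL text."""
    sql = f"SELECT * FROM customer WHERE username = '{name}' AND password = '{pw}'"
    return db.execute(sql).fetchall()


def login_safe(db, name, pw):
    """Parameterized query: the values travel separately from the SQL, so a
    quote or a -- in the input is data the engine compares, never syntax."""
    sql = "SELECT * FROM customer WHERE username = ? AND password = ?"
    return db.execute(sql, (name, pw)).fetchall()


def quote_causes_error(db, login):
    """The tester's first probe from the slide: does a lone quote break the query?
    A database error here is the sign that input reaches the SQL unescaped."""
    try:
        login(db, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", login_vulnerable(db, PAYLOAD, "anything"))   # every row
    print("safe, payload:", login_safe(db, PAYLOAD, "anything"))               # no rows
    print("quote probe:", quote_causes_error(db, login_vulnerable), quote_causes_error(db, login_safe))
```

Note that the safe version never tries to "escape" the input; it keeps the SQL and the data on separate channels, which is why no payload text can change the query's structure.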

User Authentication
Many Web applications require another server to authenticate users
Examine how information is passed between the two servers
• Encrypted channels
Verify that logon and password information is stored securely (hashed passwords, restricted file permissions)
Authentication servers introduce a second target
What Platform Was Used?
Popular platforms include:
• IIS with ASP and SQL Server (Microsoft)
• Linux, Apache, MySQL, and PHP (LAMP)
Footprinting is used to find out the platform
• The more you know about a system, the easier it is to gather information about its vulnerabilities


Tools of Web Attackers and Security Testers
Choose the right tools for the job
Attackers look for tools that enable them to attack the system
• They choose their tools based on the vulnerabilities found on a target system or application
Web Tools
Cgiscan.c: CGI scanning tool
• Written in C in 1999 by Bronc Buster
• Tool for searching Web sites for CGI scripts that can be exploited
• One of the best tools for scanning the Web for systems with CGI vulnerabilities
• See link Ch 10zi

[Figure: cgiscan and WebGoat]

Phfscan.c
• Written to scan Web sites looking for hosts that could be exploited by the PHF bug
• The PHF bug enables an attacker to download the victim's /etc/passwd file
• It also allows attackers to run programs on the victim's Web server by using a particular URL: phf passed its input to a shell, so a %0a (newline) in the query string followed by a command ran that command
• See links Ch 10zj, 10zk


Wfetch: GUI tool from Microsoft
• Displays information that is not normally shown in a browser, such as HTTP headers
• Lets you craft requests by hand, with:
   Multiple HTTP methods
   Configuration of host name and TCP port
   HTTP 1.0 and HTTP 1.1 support
   Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiate authentication types
   Multiple connection types
   Proxy support
   Client-certificate support
• See link Ch 10zl

Last modified 4-8-07 6 pm


Chapter 11: Hacking Wireless Networks

Objectives
• Explain wireless technology
• Describe wireless networking standards
• Describe the process of authentication
• Describe wardriving
• Describe wireless hacking and tools used by hackers and security professionals

Understanding Wireless Technology
For a wireless network to function, you must have the right hardware and software
Wireless technology is part of our lives
• Baby monitors
• Cell and cordless phones
• Pagers
• GPS
• Remote controls
• Garage door openers
• Two-way radios
• Wireless PDAs
Components of a Wireless Network
A wireless network has only three basic components
• Access Point (AP)
• Wireless network interface card (WNIC)
• Ethernet cable (connecting the AP to the wired network)
Access Points
An access point (AP) is a transceiver that connects to an Ethernet cable
• It bridges the wireless network with the wired network
Not all wireless networks connect to a wired network
• Most companies have Wireless LANs (WLANs) that connect to their wired network topology
The AP is where channels are configured
An AP enables users to connect to a LAN using wireless technology
• An AP is available only within a defined area


Service Set Identifiers (SSIDs)
Name used to identify the wireless local area network (WLAN)
The SSID is configured on the AP
• 0 to 32 bytes; usually a readable name, but any bytes are allowed
• Name is case sensitive
Wireless computers need to configure the SSID before connecting to a wireless network
The SSID is carried in beacon, probe, and association frames, not in every data frame
• It identifies which network a station is joining
• The AP usually broadcasts the SSID in its beacons
Many vendors have SSIDs set to a default value that companies never change
An AP can be configured to not broadcast its SSID until after authentication
• This hides it only from casual scanners: a sniffer still sees the SSID in the probe and association frames every time a legitimate client connects, and wireless hackers can also simply attempt to guess it
• Hiding the SSID is housekeeping, not a security control; rely on WPA for that
Verify that your clients or customers are not using a default SSID
See links Ch 11a, b
Configuring an Access Point
Configuring an AP varies depending on the hardware
• Most devices allow access through any Web browser
• Enter the IP address in your Web browser and provide your user logon name and password
Wireless Router
A wireless router includes an access point, a router, and a switch
Wireless Configuration Options
• SSID
• Wired Equivalent Privacy (WEP) encryption
• WPA (Wi-Fi Protected Access) is better

[Figure: steps for configuring a D-Link wireless router]
• Turn off SSID broadcast
• You should also change your SSID, and change the router's default administrative password

Wireless NICs
For wireless technology to work, each node or computer must have a wireless NIC
NIC's main function
• Converting the radio waves it receives into digital signals the computer understands, and the reverse when transmitting
There are many wireless NICs on the market
• Choose yours depending on how you plan to use it
• Some tools require certain specific brands of NICs (chipsets whose drivers support monitor mode and packet injection)


Understanding Wireless Network Standards
A standard is a set of rules formulated by an organization
Institute of Electrical and Electronics Engineers (IEEE)
• Defines several standards for wireless networks
IEEE: CCSF Student Chapter
Next meeting:
• May 3, 2007 in Cloud 218, 4:30 pm
• Email [email protected] for more info
IEEE Standards
Standards pass through these groups:
• Working group (WG)
• Sponsor Executive Committee (SEC)
• Standards Review Committee (RevCom)
• IEEE Standards Board
IEEE Project 802
• LAN and MAN standards
The 802.11 Standard
The first IEEE wireless LAN standard (1997)
• Defined wireless connectivity at 1 Mbps and 2 Mbps within a LAN
• Applies to layers 1 and 2 of the OSI model
Wireless networks cannot detect collisions
• Carrier sense multiple access/collision avoidance (CSMA/CA) is used instead of CSMA/CD
Addressing
Wireless LANs do not have an address associated with a physical location
• An addressable unit is called a station (STA)
The Basic Architecture of 802.11
802.11 uses a basic service set (BSS) as its building block
• Computers within a BSS can communicate with each other
• To connect two BSSs, 802.11 requires a distribution system (DS)
Frequency Range
In the United States, Wi-Fi uses frequencies near 2.4 GHz (except 802.11a at 5 GHz)
• There are 11 channels, but they overlap, so only three (1, 6, and 11) are commonly used
See link Ch 11c (cisco.com)


Other terms to define the channel:
• Wavelength
• Frequency
• Cycle
• Hertz, or cycles per second
• Bands
Infrared (IR)
Infrared light can't be seen by the human eye
IR technology is restricted to a single room or line of sight
• IR light cannot penetrate walls, ceilings, or floors

[Image: IR transmitter for wireless headphones]

Narrowband
Uses microwave radio band frequencies to transmit data
Popular uses
• Cordless phones
• Garage door openers
Spread Spectrum
Data is spread across a large frequency bandwidth instead of traveling across just one frequency band
Methods
• Frequency-hopping spread spectrum (FHSS)
• Direct sequence spread spectrum (DSSS)
• Orthogonal frequency division multiplexing (OFDM)
See links Ch 11d, Ch 11d1
IEEE Additional 802.11 Projects
802.11a
• Created in 1999
• Operating frequency 5 GHz
• Throughput 54 Mbps
802.11b
• Operates in the 2.4 GHz range
• Throughput 11 Mbps
• Also referred to as Wi-Fi (wireless fidelity)
• Allows for 11 channels to prevent overlapping signals
   Effectively only three channels (1, 6, and 11) can be used in combination without overlapping
• Uses Wired Equivalent Privacy (WEP), which was already part of the original 802.11 standard
802.11e
• Quality of service (QoS) enhancements to the 802.11 MAC, giving priority to traffic such as voice and video; it is not an interference fix, although it is sometimes described as one
802.11g
• Operates in the 2.4 GHz range
• Uses OFDM for modulation
• Throughput increased from 11 Mbps to 54 Mbps


802.11i
• Ratified in 2004; specifies the security replacements for WEP
• Wi-Fi Protected Access (WPA) was based on a draft of 802.11i (TKIP); the full standard with AES-CCMP is marketed as WPA2
• Corrected many of the security vulnerabilities of WEP
802.15
• Addresses networking devices within one person's workspace
   Called wireless personal area network (WPAN)
• Bluetooth is a common example
802.16
• Addresses the issue of wireless metropolitan area networks (MANs)
• Defines the WirelessMAN Air Interface
• It will have a range of up to 30 miles
• Throughput of up to 120 Mbps
802.20
• Addresses wireless MANs for mobile users who are sitting in trains, subways, or cars traveling at speeds up to 150 miles per hour
Bluetooth
• Defines a method for interconnecting portable devices without wires
• Maximum distance allowed is 10 meters for class 2 devices (class 1 reaches about 100 meters)
• It uses the 2.45 GHz frequency band
• Throughput of 1 Mbps for Bluetooth 1.x, up to 3 Mbps with 2.0+EDR
HiperLAN2
• European WLAN standard
• It is not compatible with 802.11 standards


Understanding Authentication
Wireless technology brings new security risks to a network
Authentication
• Establishing that a user is authentic: authorized to use the network
• If authentication is missing or weak, anyone in radio range can use your network
The 802.1X Standard
Defines the process of authenticating and authorizing users on a WLAN
Basic concepts
• Point-to-Point Protocol (PPP)
• Extensible Authentication Protocol (EAP)
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
Point-to-Point Protocol (PPP)
Many ISPs use PPP to connect dial-up or DSL users (PPPoE)
PPP handles authentication with a user name and password, sent with PAP or CHAP
• PAP (Password Authentication Protocol) sends passwords unencrypted
   Vulnerable to trivial sniffing attacks
See link Ch 11f
CHAP Vulnerability
CHAP (Challenge-Handshake Authentication Protocol)
• Server sends a Challenge with a random value
• Client sends a Response: an MD5 hash of the identifier, the secret password, and the random value
• The password never crosses the wire, and a captured Response is useless against a fresh Challenge
This is still vulnerable to a sort of session hijacking attack (see links Ch 11e): CHAP authenticates only at link start and does nothing to protect the traffic that follows, and a sniffed Challenge/Response pair can be attacked offline by guessing the password
Extensible Authentication Protocol (EAP)
EAP is an enhancement to PPP
Allows a company to select its authentication method
• Certificates
• Kerberos
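PAP versus CHAP as code: an added Python example, not from the course notes, that implements the CHAP exchange described above per RFC 1994 (Response = MD5 of identifier, secret and challenge) together with a passive sniffer's view of it. The account, secret and wordlist are made up. It shows what CHAP fixes over PAP (the secret never crosses the wire, and a captured response does not replay) and what it does not (a captured pair can be attacked offline by guessing).

```python
"""CHAP exchange with a sniffer's view of it.  Added example, not from the
course notes.  Follows RFC 1994: Response = MD5(Identifier || secret || Challenge).
The account, secret and wordlist are made up."""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value for one challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets):
        self.secrets = secrets          # {username: secret bytes}
        self.identifier = 0
        self.outstanding = None         # the one challenge we will accept an answer to

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256
        self.outstanding = (self.identifier, os.urandom(16))
        return self.outstanding

    def verify(self, user, identifier, challenge, response):
        if self.outstanding != (identifier, challenge):
            return False                # stale or replayed challenge
        self.outstanding = None         # one answer per challenge
        secret = self.secrets.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_login(server, user, secret, wire):
    """One CHAP exchange; everything appended to `wire` is what a sniffer sees."""
    identifier, challenge = server.challenge()
    wire.append({"proto": "CHAP", "id": identifier, "challenge": challenge})
    response = chap_response(identifier, secret, challenge)
    wire.append({"proto": "CHAP", "id": identifier, "user": user, "response": response})
    return server.verify(user, identifier, challenge, response)


def secret_on_wire(wire, secret):
    """Did the secret itself appear in any captured field?  (With PAP it would.)"""
    return any(value == secret for msg in wire for value in msg.values())


def offline_guess(identifier, challenge, response, wordlist):
    """What the sniffer can still do with one captured pair: try candidate
    passwords until one reproduces the response.  No further network traffic."""
    for word in wordlist:
        if chap_response(identifier, word.encode(), challenge) == response:
            return word
    return None


if __name__ == "__main__":
    server = ChapServer({"alice": b"pa55word"})   # constructed account
    wire = []
    print("login ok:", chap_login(server, "alice", b"pa55word", wire))
    print("secret visible on wire:", secret_on_wire(wire, b"pa55word"))
    chal, resp = wire
    print("offline guess:", offline_guess(chal["id"], chal["challenge"], resp["response"],
                                          ["123456", "pa55word", "letmein"]))
```

The offline guess succeeds in three tries here only because the constructed secret is in the wordlist; the lesson for a defender is that CHAP's security rests entirely on the secret's guessability, which is why the EAP methods below move to certificates or a TLS tunnel.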

Kerberos is used on LANs for authentication
• Uses tickets and keys
• Used by Windows 2000, XP, and 2003 Server by default
• Not common on WLANs (I think)
X.509 Certificate
Record that authenticates network entities
Identifies
• The owner
• The certificate authority (CA)
• The owner's public key
See link Ch 11j


Sample X.509 Certificate
• Go to gmail.com
• Double-click the padlock
• Public Key: your browser uses the public key to encrypt data so only Gmail can read it
LEAP
Lightweight Extensible Authentication Protocol (LEAP)
• A Cisco product
• Vulnerable, but Cisco didn't care
• Joshua Wright wrote the ASLEAP hacking tool to crack LEAP, and forced Cisco to develop a better protocol (EAP-FAST)
See link Ch 11g
More Secure EAP Methods
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
• Secure but rarely used, because both client and server need certificates signed by a CA
Protected EAP (PEAP) and Microsoft PEAP
• Very secure, only requires the server to have a certificate signed by a CA
• The client must be configured to validate that server certificate; a client that accepts any certificate will hand its credentials to a rogue AP presenting its own
See link Ch 11h
802.1X components
Supplicant
• The user (client device) accessing a WLAN
Authenticator
• The AP
Authentication server
• Checks an account database to see if the user's credentials are acceptable
• May use RADIUS (Remote Authentication Dial-In User Service)
See link Ch 11k


Wired Equivalent Privacy (WEP)
• Part of the original 802.11 standard
• Encrypts data on a wireless network with RC4, keyed by a 24-bit per-frame IV (sent in clear) prepended to the shared key
• WEP has many vulnerabilities: the IV space is small enough to repeat on a busy network, and RC4's key schedule leaks key bytes for certain IVs
• To crack WEP, see links Ch 11l, 11m
Wi-Fi Protected Access (WPA)
• Specified in the 802.11i standard
• Replaces WEP
• WPA improves encryption by using Temporal Key Integrity Protocol (TKIP)
TKIP Enhancements
Message Integrity Check (MIC)
• Prevents an attacker from injecting forged packets
Extended Initialization Vector (IV) with sequencing rules
• Prevents replays (attacker re-sending copied packets)
Per-packet key mixing
• The temporal key, the transmitter's MAC address, and the packet sequence counter are mixed into a fresh RC4 key for every packet
• Each link uses a different key
Rekeying mechanism
• Provides fresh keys
• Prevents attackers from reusing old keys
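Why the extended IV and sequencing rules matter, as an added Python example (not from the course notes): WEP keys RC4 with the 24-bit IV prepended to the shared key and sends the IV in clear, so once an IV repeats two frames share a keystream, and anyone who knows one frame's plaintext can read the other without the key. The key, IV and frame contents below are made up; RC4 is implemented inline so the block runs stand-alone.

```python
"""WEP keystream reuse: added example, not from the course notes.
WEP frame = IV (3 bytes, clear) || RC4(IV || key, payload || CRC-32 ICV).
The key, IV and frame contents are made up."""
import zlib


def rc4(key, data):
    """Plain RC4: key scheduling, then XOR the data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_body(plaintext):
    """Payload plus the 4-byte CRC-32 integrity check value (ICV) WEP appends."""
    return plaintext + zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key, iv, plaintext):
    """One WEP frame.  The IV is only 24 bits, so a busy AP reuses one within hours."""
    assert len(iv) == 3
    return iv + rc4(iv + key, wep_body(plaintext))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def recover_reused_keystream(known_frame, known_plaintext, target_frame):
    """If two frames share an IV they share a keystream.  Knowing one plaintext
    gives the keystream (C1 xor P1), which decrypts the other frame without the
    key.  Returns None when the IVs differ; recovers at most as many bytes as
    the known frame supplies."""
    if known_frame[:3] != target_frame[:3]:
        return None
    keystream = xor(known_frame[3:], wep_body(known_plaintext))
    recovered = xor(target_frame[3:], keystream)
    return recovered[:-4]          # strip the ICV


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # made-up 40-bit WEP key
    iv = b"\x00\x00\x2a"                   # an IV that happens to be reused
    known = b"GET /index.html HTTP/1.0"    # predictable traffic the attacker can guess
    secret = b"user=admin&pw=letmein!!!"   # the frame the attacker wants
    f1 = wep_encrypt(key, iv, known)
    f2 = wep_encrypt(key, iv, secret)
    print(recover_reused_keystream(f1, known, f2))
```

TKIP's extended 48-bit IV with a monotonic sequence counter makes this reuse impossible within a key's lifetime, and per-packet key mixing means that even a repeated counter would not reproduce the same RC4 key; WPA2's CCMP abandons RC4 entirely.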

WPA Adds 802.1X
WPA also adds an authentication mechanism implementing 802.1X and EAP
• This was not available in WEP
• Home networks use WPA-PSK (a pre-shared passphrase) instead; a short passphrase can be guessed offline from a captured handshake, so make it long

Understanding Wardriving
Hackers use wardriving
• Finding insecure access points
• Using a laptop or palmtop computer
Wardriving is not illegal
• But using the resources of these networks is illegal
Warflying
• Variant where an airplane is used instead of a car
How It Works
An attacker or security tester simply drives around with the following equipment
• Laptop computer
• Wireless NIC
• An antenna
• Software that scans the area for SSIDs
Not all wireless NICs are compatible with scanning programs
Antenna prices vary depending on the quality and the range they can cover
Scanning software can identify
• The company's SSID
• The type of security enabled
• The signal strength
   Indicating how close the AP is to the attacker


NetStumbler
Free tool written for Windows that enables you to detect WLANs
• Supports 802.11a, 802.11b, and 802.11g standards
NetStumbler was primarily designed to
• Verify your WLAN configuration
• Detect other wireless networks
• Detect unauthorized APs
NetStumbler is capable of interfacing with a GPS
• Enabling a security tester or hacker to map out the locations of all the WLANs the software detects
NetStumbler logs the following information
• SSID
• MAC address and manufacturer of the AP
• Channel
• Signal strength
• Encryption
Can detect APs within a 350-foot radius
• With a good antenna, it can locate APs a couple of miles away
• NetStumbler is an active scanner: it sends probe requests, so it is itself detectable and misses APs that ignore broadcast probes
Kismet
Another product for conducting wardriving attacks
Runs on Linux, BSD, Mac OS X, and Linux PDAs
Kismet is advertised also as a sniffer and IDS
• Kismet can sniff 802.11b, 802.11a, and 802.11g traffic
• Unlike NetStumbler, it listens passively in monitor mode, so it transmits nothing and still finds networks whose SSID is hidden
Kismet features
• Ethereal- and Tcpdump-compatible data logging
• AirSnort compatible
• Network IP range detection
• Hidden network SSID detection
• Graphical mapping of networks
• Client-server architecture
• Manufacturer and model identification of APs and clients
• Detection of known default access point configurations
• XML output
• Supports 20 card types

CNIT 123 – Bowne Page 9 of 10


Understanding Wireless Hacking

Hacking a wireless network is not much different from hacking a wired LAN
Techniques for hacking wireless networks
• Port scanning
• Enumeration

Tools of the Trade
Equipment
• Laptop computer
• A wireless NIC
• An antenna
• Sniffer software

AirSnort
Created by Jeremy Bruestle and Blake Hegerle
It is the tool most hackers wanting to access WEP-enabled WLANs use
AirSnort limitations
• Runs on either Linux or Windows (the textbook is wrong on this point)
• Requires specific drivers
• Not all wireless NICs function with AirSnort
See links Ch 11p, 11q

WEPCrack
Another open-source tool used to crack WEP encryption
• WEPCrack was released about a week before AirSnort
• It also works on *NIX systems
• WEPCrack uses Perl scripts to carry out attacks on wireless systems
• AirSnort is considered better (link Ch 11r)

Countermeasures for Wireless Attacks

Anti-wardriving software makes it more difficult for attackers to discover your wireless LAN
• Honeypots: servers with fake data to snare intruders
• Fakeap and Black Alchemy Fake AP: software that makes fake access points (link Ch 11s)
Use special paint to stop radio from escaping your building
Allow only predetermined MAC addresses and IP addresses to have access to the wireless LAN
• Caveat: a MAC address is sent in the clear in every frame and is trivial to spoof, so MAC filtering only stops casual users
Use an authentication server instead of relying on a wireless device to authenticate users
Use an EAP authentication protocol
If you use WEP, use 104-bit encryption rather than 40-bit encryption
• But just use WPA instead; the known WEP attacks recover 104-bit keys too, they just need more captured packets
Assign static IP addresses to wireless clients instead of using DHCP
Don't broadcast the SSID
• Caveat: a hidden SSID still appears in probe and association frames, so a sniffer sees it as soon as a legitimate client connects
Place the AP in the demilitarized zone (DMZ) (image from Wikipedia)
Last modified 4-15-07 5 pm


Chapter 12: Cryptography

Objectives

Describe the history of cryptography Describe symmetric and asymmetric cryptography algorithms Explain public key infrastructure (PKI) Describe possible attacks on cryptosystems

Understanding Cryptography Basics

Cryptography is the science of protecting information by converting plaintext into ciphertext (encryption) and back again (decryption)
• Plaintext: readable text (also called cleartext)
• Ciphertext: unreadable or encrypted text
Cryptography is used to hide information from unauthorized users
Decryption is the process of converting ciphertext back to plaintext

History of Cryptography
Substitution cipher
• Replaces one letter with another letter based on a key
• Example: Julius Caesar's cipher, which used a key value of 3 (each letter is replaced by the letter three places later)
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  DEFGHIJKLMNOPQRSTUVWXYZABC
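The Caesar cipher also makes a good first cryptanalysis exercise, because its keyspace is only 26 keys and one of them (0) is the identity. The example below is added here and is not from the page or the textbook: it implements the shift cipher, then breaks it by trying every key and scoring each candidate against English letter frequencies (the frequency table is an approximation I supply, not something on the page). This is the brute-force attack that makes a small keyspace worthless, carried out in full.

```python
import math
import string

ALPHABET = string.ascii_uppercase

# Approximate English letter frequencies (percent), used to score candidate plaintexts.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0, "H": 6.1,
    "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7, "O": 7.5, "P": 1.9,
    "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8, "V": 0.98, "W": 2.4, "X": 0.15,
    "Y": 2.0, "Z": 0.074,
}


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter by the letter `key` places later (Caesar used key 3).
    Characters outside A-Z are left unchanged."""
    shift = key % 26
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch
        for ch in plaintext.upper()
    )


def caesar_decrypt(ciphertext: str, key: int) -> str:
    return caesar_encrypt(ciphertext, -key)


def english_score(text: str) -> float:
    """Log-likelihood of the text under English letter frequencies; higher is more English-like."""
    return sum(math.log(ENGLISH_FREQ[ch]) for ch in text if ch in ENGLISH_FREQ)


def brute_force(ciphertext: str) -> list:
    """Try every key in the keyspace (all 26 of them) and rank the candidates by how
    much they look like English. Returns [(key, plaintext, score), ...], best first."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]
    scored = [(k, pt, english_score(pt)) for k, pt in candidates]
    return sorted(scored, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    ct = caesar_encrypt("attack the east wall of the castle at dawn with all available forces", 3)
    print("ciphertext:", ct)
    key, pt, _ = brute_force(ct)[0]
    print(f"best guess: key={key} plaintext={pt}")
```

The scoring step is what turns "try every key" into an attack that needs no human in the loop; the same idea (brute force plus an automatic plausibility test) is how modern password crackers decide they have found the right hash preimage.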

Cryptanalysis studies the process of breaking encryption algorithms
When a new encryption algorithm is developed, cryptanalysts study it and try to break it
• Or prove that it is impractical to break it (taking much time and many resources)

Enigma
Used by the Germans during World War II
• Replaced letters as they were typed
• Substitutions were computed using a key and a set of switches or rotors
• Image from Wikipedia (link Ch 12a)

Steganography
The process of hiding data in plain view in pictures, graphics, or text
• Example: changing colors slightly to encode individual bits in an image
• The image on the left contains the image on the right hidden in it (link Ch 12c)

Algorithms
An algorithm is a mathematical function or program that works with a key
Security comes from
• A strong algorithm, one that cannot be reversed without the key
• A key that cannot be found or guessed

Keys (not in textbook)
A sequence of random bits
• The range of allowable values is called the keyspace
The larger the keyspace, the more secure the key
• 8-bit key has 2^8 = 256 values in the keyspace
• 24-bit key has 2^24, about 16 million values
• 56-bit key has 2^56, about 7 x 10^16 values
• 128-bit key has 2^128, about 3 x 10^38 values


Brute Force (not in textbook)
In 1997 a 56-bit key was broken by brute force
• Testing all possible 56-bit keys
• Used 14,000 machines organized via the Internet
• It took 3 months
• See link Ch 12d

How Many Bits Do You Need? (not in textbook)
How many keys could all the computers on Earth test in a year?
• Pentium 4 processor: 10^9 cycles per second
• One year = 3 x 10^7 seconds
• There are fewer than 10^10 computers on Earth (one per person)
• 10^9 x 3 x 10^7 x 10^10 = 3 x 10^26 key tests
• 128 bits should be enough (3 x 10^38 values, so a year of that effort covers less than one part in 10^12 of the keyspace)
Unless computers get much faster, or someone breaks the algorithm

Symmetric Cryptography


Symmetric Cryptography Algorithms
Symmetric algorithms have one key that encrypts and decrypts data
Advantages
• Symmetric algorithms are fast
• They are difficult to break if a large key size is used
• Only one key needed
Disadvantages
• Symmetric keys must remain secret
• Difficult to deliver keys (key distribution)
• Symmetric algorithms don't support authenticity or nonrepudiation
  You can't know for sure who sent the message, since two people have the same key
Types of symmetric algorithms
• Stream ciphers: operate on plaintext one bit (or byte) at a time
• Block ciphers: operate on fixed-size blocks of plaintext

DeCSS
Commercial DVDs are encoded with a 40-bit key
• It's simple to crack it by brute force
• Three hackers did that in 1999 (see links Ch 12e, 12f)
• Legislation such as the DMCA made it illegal to publish the algorithm
• See Illegal Prime Number (link Ch 12g)


Data Encryption Standard (DES)
National Institute of Standards and Technology (NIST)
• Wanted a means of protecting sensitive but unclassified data
• Invited vendors in the early 1970s to submit data encryption algorithms
IBM proposed Lucifer
• A 128-bit encryption algorithm
The National Security Agency (NSA) reduced the key size from 128 bits to 64 bits and created DES
• Only 56 bits of the key are actually used; the other 8 are parity bits
In 1988, NSA thought the standard was at risk of being broken
In 1997, a DES key was broken in 3 months
In 1998, the EFF built a computer system that cracked a DES key in 3 days
• Link Ch 12h

Triple DES (3DES)
3DES served as a quick fix to the vulnerabilities of DES
3DES performs three DES operations with a 168-bit key
• Roughly 2^56 times stronger than DES; the meet-in-the-middle attack limits its effective strength to about 112 bits
• More secure but slower to compute
See link Ch 12i

Advanced Encryption Standard (AES)
Became effective in 2002 as a standard
• The selection process took 5 years
Block cipher that operates on 128-bit blocks of plaintext
Keys can be 128, 192, or 256 bits
Uses the Rijndael algorithm
• Link Ch 12j

International Data Encryption Algorithm (IDEA)
Block cipher that operates on 64-bit blocks of plaintext
It uses a 128-bit key
Developed by Xuejia Lai and James Massey
• Designed to work more efficiently in computers used at home and in businesses
IDEA is free for noncommercial use
• It is included in PGP encryption software

Blowfish
Block cipher that operates on 64-bit blocks of plaintext
The key length can be as large as 448 bits
Developed by Bruce Schneier

RC5
Block cipher that can operate on different block sizes: 32, 64, and 128 bits
The key size can reach 2040 bits
Created by Ronald L. Rivest in 1994 for RSA Data Security
Cracking RC5
56-bit and 64-bit key RC5s have already been cracked
The RC5-72 project is underway, trying to crack a 72-bit key
• At the current rate, it will take 1000 years
Links Ch 12l, 12m


Asymmetric Cryptography Algorithms

Use two keys that are mathematically related
• Data encrypted with one key can be decrypted only with the other key
Another name for asymmetric key cryptography is public key cryptography
• Public key: known by the public
• Private key: known only by the owner

Asymmetric Cryptography
Provides message authenticity and nonrepudiation
• Authenticity validates the sender of a message
• Nonrepudiation means a user cannot deny sending a message
Asymmetric algorithms are more scalable but slower than symmetric algorithms
• Scalable: can adapt to larger networks
• Each person needs only one key pair
  Everyone can use the same public key to send you data
  Each person signs messages with their own private key

RSA
Developed in 1977 by Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman
The algorithm is based on the difficulty of factoring large numbers
The Secure Sockets Layer (SSL) protocol uses the RSA algorithm

Diffie-Hellman
Developed by Whitfield Diffie and Martin Hellman
Does not provide encryption but is used for key exchange
• Two parties agree on a key without ever sending it directly over the network
• The numbers transmitted can be used to compute the key, but only by the parties holding the secret private numbers
• Prevents sniffing attacks (link Ch 12
• Caveat: plain Diffie-Hellman does not authenticate the parties, so it must be combined with signatures or certificates to stop a man-in-the-middle

Elliptic Curve Cryptosystems (ECC)
It is an efficient algorithm requiring few resources
• Memory
• Disk space
• Bandwidth
ECC is used for encryption as well as digital signatures and key distribution

Elgamal
Public key algorithm used to
• Encrypt data
• Create digital signatures
• Exchange secret keys
Written by Taher Elgamal in 1985
The algorithm is based on the discrete logarithm problem, as is Diffie-Hellman
• Solving a discrete logarithm problem can take many years and require CPU-intensive operations


Digital Signatures
A digital signature is a hash of the message encrypted with the sender's private key; anyone with the sender's public key can verify it
A hash value ensures that the message was not altered in transit (integrity)
Provides message integrity, authenticity and nonrepudiation

Digital Signature Standard (DSS)
Established by NIST in 1991
• Ensures that digital signatures rather than written signatures can be verified
Federal government requirements
• RSA or the Digital Signature Algorithm (DSA) must be used for all digital signatures
• A hashing algorithm must be used to ensure the integrity of the message
NIST required that the Secure Hash Algorithm (SHA) be used

Pretty Good Privacy (PGP)
Developed by Phil Zimmermann as a free e-mail encryption program
• Zimmermann was investigated for years and nearly prosecuted for his innovation
• Back in the mid-1990s, any kind of "unbreakable" encryption was seen as a weapon and compared to selling arms to the enemy
PGP is a free public key encryption program


PGP uses certificates similar to those in public key infrastructure (PKI)
• PGP does not use a centralized CA; users vouch for each other's keys (a "web of trust")
• Verifying a key this way is not as efficient as checking a CA signature in PKI
Algorithms supported by PGP
• IDEA
• RSA
• DSA
• Message Digest 5 (MD5)
• SHA-1

Secure Multipurpose Internet Mail Extension (S/MIME)
Is another public key encryption standard used to encrypt and digitally sign e-mail
Can encrypt e-mail messages containing attachments
Can use PKI certificates for authentication
S/MIME version 2 is defined in RFC 2311
S/MIME version 3 is defined in RFC 2633

Privacy-Enhanced Mail (PEM)
Internet standard that is compatible with both symmetric and asymmetric methods of encryption
Can use the X.509 certificate standards and encrypt messages with DES
Not used as much today
• MIME Object Security Services (MOSS) is a newer implementation of PEM

Hashing Algorithms

Take a variable-length message and produce a fixed-length value called a message digest
A hash value is equivalent to a fingerprint of the message
• If the message is changed later, the hash value changes

Collisions
If two different messages produce the same hash value, it results in a collision
• A good hashing algorithm must be collision-resistant: collisions exist because the digest is shorter than the message, but finding one must be infeasible

Hashing Algorithms
SHA-1 is one of the most popular hashing algorithms
• SHA-1 has been broken
• Collision attacks were published in 2004 and 2005 (link Ch 12p); the first actual SHA-1 collision was demonstrated publicly in 2017
• In 2005 NIST recommended moving away from SHA-1 to the SHA-2 family
• But there are collisions in MD5 too
• SHA-256 hasn't been broken yet
See link Ch 12q


Summary of Cryptographic Algorithms

Symmetric Algorithms (Private-key)
Name      Key size               Notes
DES       56 bits                Insecure because the key is too short
3DES      168 bits               As secure as a 112-bit key, not yet broken; being replaced by AES
AES       128, 192, or 256 bits  Uses 128-bit blocks and the Rijndael algorithm; approved for US Govt classified information
IDEA      128 bits               Uses 64-bit blocks, used in PGP, very secure
Blowfish  32 bits to 448 bits    Uses 64-bit blocks, developed by Bruce Schneier; public domain
RC5       0 bits to 2040 bits    Block size can be 32, 64, or 128 bits; 56-bit and 64-bit key versions have been cracked, the 72-bit version has not

Asymmetric Algorithms (Public-key)
Name            Notes
Diffie-Hellman  Key exchange only, not encryption
RSA             Secure, used by SSL
ECC             Efficient newer technique
Elgamal         Used in GPG and PGP

Hashing Algorithms
Name   Notes
MD2    Written for 8-bit machines, no longer secure
MD4    No longer secure
MD5    Security is questionable now
SHA-1  The successor to MD5, used in TLS, SSL, PGP, SSH, S/MIME, and IPsec; it has been broken, so it's no longer completely secure
SHA-2  Not yet broken and still recommended; NIST is nevertheless developing a new algorithm (SHA-3) as a successor

Public Key Infrastructure (PKI)

Not an algorithm
A structure that consists of programs, policies, procedures, and protocols
Uses public key cryptography
Enables secure data transmission over the Internet


PKI Components


Certificate: a digital document that verifies the identity of an entity
• Contains a unique serial number and must follow the X.509 standard
Certificates are issued by a certification authority (CA)
A certificate that the CA issues to a company binds the company's public key to its identity; the CA's signature is what makes that binding trustworthy
• The matching private key stays with the company and never appears in the certificate

Certificate Expiration and Renewal
A period of validity is assigned to each certificate
• After that date, the certificate expires
A certificate can be renewed with a new expiration date assigned
• If the keys are still valid and remain uncompromised

Certificate Revocation and Suspension
Reasons to suspend or revoke a certificate
• A user leaves the company
• A hardware crash causes a key to be lost
• A private key is compromised
Revocation is permanent
Suspension (the X.509 reason code certificateHold) can be lifted
Certificate Revocation List (CRL)
• Contains all revoked and suspended certificates
• Issued by CAs
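The lifecycle rules above (validity window, permanent revocation versus liftable suspension, renewal only while the key is uncompromised) are what a relying party actually has to check. The example below is added here and is not from the page or the textbook; it models certificates and CRL entries as plain records with constructed data rather than parsing real X.509, but the reason codes (certificateHold, affiliationChanged, keyCompromise) are the real ones from RFC 5280 and the order of checks is the one a verifier performs.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

HOLD = "certificateHold"   # the one X.509 revocation reason that can be undone


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRLEntry:
    serial: int
    reason: str
    revoked_at: datetime


def certificate_status(cert: Certificate, crl: list, trusted_cas: set, now: datetime) -> str:
    """Order of checks a relying party performs: trusted issuer, validity window, then the CRL."""
    if cert.issuer not in trusted_cas:
        return "untrusted-issuer"
    if now < cert.not_before:
        return "not-yet-valid"
    if now > cert.not_after:
        return "expired"
    for entry in crl:
        if entry.serial == cert.serial and entry.revoked_at <= now:
            return "suspended" if entry.reason == HOLD else "revoked"
    return "valid"


def lift_suspension(crl: list, serial: int) -> list:
    """Remove a certificateHold entry; a permanent revocation cannot be undone."""
    for entry in crl:
        if entry.serial == serial and entry.reason != HOLD:
            raise ValueError(f"serial {serial} is revoked ({entry.reason}); revocation is permanent")
    return [e for e in crl if e.serial != serial]


def renew(cert: Certificate, new_serial: int, now: datetime, key_compromised: bool, years: int = 1) -> Certificate:
    """Renewal keeps the key pair only if it is still uncompromised; the CA issues a new serial."""
    if key_compromised:
        raise ValueError("compromised key: revoke and issue a new key pair instead of renewing")
    return replace(cert, serial=new_serial, not_before=now, not_after=now + timedelta(days=365 * years))


# Constructed example data (names, serials and dates are made up)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
TRUSTED = {"Example Root CA"}
CERTS = {
    "web": Certificate(1001, "www.example.test", "Example Root CA", NOW - timedelta(days=30), NOW + timedelta(days=335)),
    "old": Certificate(1002, "old.example.test", "Example Root CA", NOW - timedelta(days=800), NOW - timedelta(days=70)),
    "held": Certificate(1003, "laptop.example.test", "Example Root CA", NOW - timedelta(days=10), NOW + timedelta(days=355)),
    "leaver": Certificate(1004, "alice@example.test", "Example Root CA", NOW - timedelta(days=10), NOW + timedelta(days=355)),
    "rogue": Certificate(1005, "www.example.test", "Unknown CA", NOW - timedelta(days=1), NOW + timedelta(days=364)),
}
CRL = [
    CRLEntry(1003, HOLD, NOW - timedelta(days=2)),                 # laptop reported missing: suspended
    CRLEntry(1004, "affiliationChanged", NOW - timedelta(days=1)),  # user left the company: revoked
]


def report(now: datetime = NOW) -> dict:
    return {name: certificate_status(c, CRL, TRUSTED, now) for name, c in CERTS.items()}


def status_at(name: str, days_from_now: int) -> str:
    return certificate_status(CERTS[name], CRL, TRUSTED, NOW + timedelta(days=days_from_now))


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:7} {status}")
```

The "rogue" entry is the important negative case: a certificate for the right name signed by an unknown CA must fail before anything else is considered, otherwise an attacker can mint their own.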

Backing Up Keys
Backing up keys is critical
• If keys are destroyed and not backed up properly, encrypted business-critical information might be irretrievable
Trusted Root CAs
The CA is usually responsible for backing up keys
• A key recovery policy is also part of the CA's responsibility


Microsoft Root CA
You can set up your own Certificate Authority server on Windows Server 2003 or Windows 2000 Server
Install the Certificate Services
Note that after installing this service the name of the domain or computer cannot change
Specify options to generate certificates, including
• Cryptographic Service Provider
• Hash algorithm
• Key length

Understanding Cryptographic Attacks

Sniffing and port scanning are passive attacks, just watching
Active attacks attempt to determine the secret key being used to encrypt plaintext
Cryptographic algorithms are usually public
• Follows the open-source culture
• Except for secret government algorithms (NSA, CIA, etc.)

Birthday Attack
If 23 people are in a room, what is the chance that they all have different birthdays?
• About 49%, so there's a 51% chance that two of them share a birthday
See link Ch 12r
If there are N possible hash values,
• You'll find collisions when you have calculated about 1.2 x sqrt(N) values


SHA-1 produces a 160-bit digest
• Theoretically, it would require about 2^80 computations to find a collision by brute force
• SHA-1 has already been broken, because of other weaknesses
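The birthday numbers above can be checked rather than taken on faith, and the collision search can be run for real on a hash that is small enough. The example below is added here and is not from the page or the textbook: it computes the 23-person birthday probability exactly, applies the 1.2 x sqrt(N) rule to SHA-1's 160-bit digest, and then finds an actual collision on SHA-256 truncated to a few dozen bits (the truncation and the message prefix are my choices) so you can see the count of hashes land near the estimate.

```python
import hashlib
import math


def p_all_distinct(n: int, buckets: int = 365) -> float:
    """Probability that n random choices from `buckets` values are all different."""
    p = 1.0
    for i in range(n):
        p *= (buckets - i) / buckets
    return p


def p_collision(n: int, buckets: int = 365) -> float:
    return 1.0 - p_all_distinct(n, buckets)


def expected_trials(num_hash_values: int) -> float:
    """Rule of thumb from the text: about 1.2 * sqrt(N) hashes before the first collision."""
    return 1.2 * math.sqrt(num_hash_values)


def truncated_sha256(msg: bytes, bits: int) -> int:
    """Keep only the top `bits` of SHA-256 to get a hash small enough to collide in seconds."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Hash distinct messages until two share a truncated digest.
    Returns (message1, message2, hashes_computed). Memory grows with the number
    of hashes kept, which is why real attacks use cycle-finding instead of a table."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        d = truncated_sha256(m, bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m
        i += 1


if __name__ == "__main__":
    print(f"23 people: P(shared birthday) = {p_collision(23):.3f}")
    print(f"SHA-1 (160-bit digest): ~{expected_trials(2**160):.2e} hashes, i.e. 1.2 * 2^80")
    m1, m2, tries = find_collision(28)
    print(f"28-bit truncated hash: {m1!r} and {m2!r} collide after {tries} hashes "
          f"(expected ~{expected_trials(2**28):.0f})")
```

Doubling the digest length squares the work, not doubles it: every extra bit in the truncation adds about 0.5 bits to the attack, which is the reason 128-bit digests give only 64-bit collision resistance.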

Mathematical Attacks
Properties of the algorithm are attacked by using mathematical computations
Categories
• Ciphertext-only attack
  The attacker has the ciphertext of several messages but not the plaintext
  Attacker tries to find out the key and algorithm used to encrypt the messages
  Attacker can capture ciphertext using a sniffer program such as Ethereal or Tcpdump
• Known plaintext attack
  The attacker has messages in both encrypted and decrypted forms
  This attack is easier to perform than the ciphertext-only attack
  Looks for patterns in both plaintext and ciphertext
• Chosen-plaintext attack
  The attacker has access to plaintext and ciphertext
  Attacker has the ability to choose which message to encrypt
• Chosen-ciphertext attack
  The attacker chooses ciphertexts to be decrypted and sees the resulting plaintext
  Attacker needs access to the cryptosystem (a decryption oracle) to perform this type of attack

Brute Force Attack
An attacker tries to guess passwords by attempting every possible combination of characters
• Requires lots of time and patience
• Password-cracking programs that can use brute force
  John the Ripper
  Cain and Abel
  Ophcrack, which also uses memory to save time ("rainbow tables")

Man-in-the-Middle Attack
Victim sends public key to server
• Attacker generates two "false" key pairs
• Attacker intercepts the genuine keys and sends the false keys out
• Both parties send encrypted traffic, but not with the same keys; the attacker decrypts and re-encrypts in the middle
• These false keys won't be verified by a CA, which is why checking the certificate matters

Dictionary Attack
Attacker uses a dictionary of known words to try to guess passwords
• There are programs that can help attackers run a dictionary attack
Programs that can do dictionary attacks
• John the Ripper
• Cain and Abel
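The man-in-the-middle attack above and the Diffie-Hellman exchange described in the asymmetric cryptography section are two sides of the same protocol, so one example serves both. The code below is added here and is not from the page or the textbook. It runs an honest Diffie-Hellman exchange, shows what a sniffer must do to recover the secret (solve a discrete logarithm, which is only feasible here because the constructed prime is tiny), then runs the exchange with an attacker substituting two false key pairs, and finally shows the defense: checking the received public value against a fingerprint obtained through a trusted channel, the job a CA signature does in PKI.

```python
import hashlib
import secrets

# Constructed toy parameters: a 16-bit prime keeps the eavesdropper's brute force instant.
# Real deployments use primes of 2048 bits or more.
P = 65537
G = 3


def keypair(private: int = None, p: int = P, g: int = G):
    """Private exponent (kept secret) and public value g^private mod p (sent over the network)."""
    if private is None:
        private = secrets.randbelow(p - 2) + 1
    return private, pow(g, private, p)


def shared_secret(their_public: int, my_private: int, p: int = P) -> int:
    return pow(their_public, my_private, p)


def fingerprint(public: int) -> str:
    """Hash of a public value; what a CA signature or an out-of-band check vouches for."""
    return hashlib.sha256(str(public).encode()).hexdigest()


def honest_exchange(a: int = None, b: int = None):
    """Alice and Bob each compute the same secret; only A and B cross the wire."""
    a, A = keypair(a)
    b, B = keypair(b)
    return shared_secret(B, a), shared_secret(A, b), (A, B)


def discrete_log(public: int, p: int = P, g: int = G) -> int:
    """The sniffer's only route to the secret: find x with g^x = public by trial.
    Work grows with p, which is why real parameters are hundreds of digits long."""
    cur = 1
    for x in range(1, p):
        cur = cur * g % p
        if cur == public:
            return x
    raise ValueError("no discrete log found")


def mitm_exchange(a: int, b: int, m1: int, m2: int):
    """Unauthenticated exchange: the attacker swaps in two false key pairs so each
    victim unknowingly agrees a key with the attacker instead of with each other."""
    a, A = keypair(a)
    b, B = keypair(b)
    m1, M1 = keypair(m1)   # attacker's false public value, forwarded to Bob in place of A
    m2, M2 = keypair(m2)   # attacker's false public value, forwarded to Alice in place of B
    alice_key = shared_secret(M2, a)          # Alice believes this is shared with Bob
    bob_key = shared_secret(M1, b)            # Bob believes this is shared with Alice
    attacker_with_alice = shared_secret(A, m2)
    attacker_with_bob = shared_secret(B, m1)
    return alice_key, bob_key, attacker_with_alice, attacker_with_bob


def verify_peer(received_public: int, trusted_fingerprint: str) -> bool:
    """The defense: compare the received value with a fingerprint learned through a
    trusted channel (a CA-signed certificate, a pinned key, a phone call)."""
    return fingerprint(received_public) == trusted_fingerprint


if __name__ == "__main__":
    ka, kb, (A, B) = honest_exchange()
    print("honest exchange, keys match:", ka == kb)
    x = discrete_log(A)
    print("sniffer recovers Alice's exponent:", x, "-> same secret:", shared_secret(B, x) == ka)
    al, bo, xa, xb = mitm_exchange(5, 7, 11, 13)
    print("MITM: Alice and Bob agree?", al == bo, "| attacker holds both keys:", xa == al and xb == bo)
```

Nothing in the exchange itself tells Alice that M2 came from the attacker rather than from Bob; only the fingerprint check does, which is why unauthenticated key exchange is only a building block, never a protocol on its own.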

Replay Attack
The attacker captures data and attempts to resubmit the captured data
• The device thinks a legitimate connection is in effect
If the captured data was logon information, the attacker could gain access to a system and be authenticated
Most modern authentication systems resist replay attacks by using nonces, timestamps, or sequence numbers so that a captured exchange is not accepted a second time


Password Cracking
Cracking other people's passwords without authorization is illegal in the United States
• It is legal to crack your own password if you forgot it
You need the hashed password file
• /etc/passwd or /etc/shadow for *NIX (modern systems keep the hashes in /etc/shadow, readable only by root)
• The SAM database in Windows
Then perform dictionary or brute-force attacks on the file
Password cracking programs
• John the Ripper
• Hydra (THC)
• EXPECT
• L0phtcrack
• Pwdump3v2
• Ophcrack does it all for you, gathering the SAM database and cracking it
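The three password attacks the chapter names (dictionary, brute force, and precomputed "rainbow" lookup) all come down to the same loop: hash a guess the way the system did and compare. The example below is added here and is not from the page or any of the tools listed. It works on a constructed shadow-style file with a simplified salted SHA-256 record format (real crypt(3) and NTLM hashes differ in detail but not in the attack logic), runs a dictionary attack, falls back to brute force over short lowercase passwords, and shows why a precomputed table only helps against unsalted hashes.

```python
import hashlib
import itertools
import string


def hash_password(salt: str, password: str) -> str:
    """Salted SHA-256. The record format below is constructed for this example and is
    simpler than real crypt(3) or NTLM formats, but the attack logic is the same."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed shadow-style file: user:$sha256$<salt>$<hex digest>
SHADOW_FILE = "\n".join([
    f"root:$sha256$x7Qz${hash_password('x7Qz', 'letmein')}",
    f"alice:$sha256$pL2m${hash_password('pL2m', 'abc')}",
    f"bob:$sha256$n0Ws${hash_password('n0Ws', 'Tr0ub4dor&3')}",
])

WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome", "admin"]


def parse_shadow(text: str) -> list:
    entries = []
    for line in text.splitlines():
        user, field = line.split(":", 1)
        _, algo, salt, digest = field.split("$")
        entries.append((user, salt, digest))
    return entries


def dictionary_attack(entries: list, wordlist: list) -> dict:
    """Hash each candidate word with each user's salt; the salt forces per-user work."""
    cracked = {}
    for user, salt, digest in entries:
        for word in wordlist:
            if hash_password(salt, word) == digest:
                cracked[user] = word
                break
    return cracked


def brute_force(salt: str, digest: str, alphabet: str = string.ascii_lowercase, max_len: int = 4):
    """Try every string up to max_len over the alphabet: sum(|alphabet|^k) guesses,
    feasible only for short passwords. Returns the password or None."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            if hash_password(salt, guess) == digest:
                return guess
    return None


def build_lookup_table(wordlist: list) -> dict:
    """Precomputed digest -> word table (the idea behind rainbow tables). It only works
    against unsalted hashes: with a salt, every user would need their own table."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}


def crack_all(text: str = SHADOW_FILE, wordlist: list = WORDLIST) -> dict:
    entries = parse_shadow(text)
    result = dictionary_attack(entries, wordlist)
    for user, salt, digest in entries:
        if user not in result:
            result[user] = brute_force(salt, digest, max_len=3)   # None if still uncracked
    return result


if __name__ == "__main__":
    for user, pw in crack_all().items():
        print(f"{user}: {pw if pw else '<not cracked>'}")
```

bob's password survives both attacks not because the hash is stronger but because the guess space the attacker can afford does not contain it; length and character variety, not the algorithm, decide that.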

Last modified 11-6-08


Chapter 13: Protecting Networks with Security Devices


Objectives

Describe network security devices Describe firewall technology Describe intrusion detection systems Describe honeypots

Routers
Routers are like intersections; switches are like streets
• Image from Wikipedia (link Ch 13a)

Understanding Routers
Routers are hardware devices used on a network to send packets to different network segments
• Operate at the network layer of the OSI model

Routing Protocols
Routers tell one another what paths are available with routing protocols
• Link-state routing protocol
  Each router has complete information about every network link
  Example: Open Shortest Path First (OSPF)
• Distance-vector routing protocol
  Routers only know which direction to send packets, and how far
  Example: Routing Information Protocol (RIP)

Cisco Routers
Image from cisco.com (link Ch 13b)
Understanding Basic Hardware Routers
Cisco routers are widely used in the networking community
• More than one million Cisco 2500 series routers are currently being used by companies around the world
Vulnerabilities exist in Cisco IOS as they do in any operating system
• See link Ch 13c
Cisco Router Components
Internetwork Operating System (IOS)
Random access memory (RAM)
• Holds the router's running configuration, routing tables, and buffers
• If you turn off the router, the contents stored in RAM are wiped out
Nonvolatile RAM (NVRAM)
• Holds the router's startup configuration file; the information is not lost if the router is turned off
Flash memory
• Holds the IOS image the router is using
• Is rewritable memory, so you can upgrade the IOS


Read-only memory (ROM)
• Contains a minimal version of the IOS used to boot the router if flash memory gets corrupted
Interfaces
• Hardware connectivity points
• Example: an Ethernet port is an interface that connects to a LAN

Michael Lynn
He presented a major Cisco security vulnerability at the Black Hat security conference in 2005
He lost his job, was sued, conference materials were confiscated, etc.
• See links Ch 13 d, e, f, g
Cisco IOS is controlled from the command line
The details are not included in this class
Skip pages 324-329

Understanding Firewalls

Firewalls are hardware devices or software installed on a system and have two purposes
• Controlling access to all traffic that enters an internal network
• Controlling all traffic that leaves an internal network

Hardware Firewalls
Advantage of hardware firewalls
• Faster than software firewalls (more throughput)
Disadvantages of hardware firewalls
• You are limited by the firewall's hardware (number of interfaces, etc.)
• Usually filter incoming traffic only (link Ch 13i)


Software Firewalls
Advantages of software firewalls
• Customizable: can interact with the user to provide more protection
• You can easily add NICs to the server running the firewall software
Disadvantages of software firewalls
• You might have to worry about configuration problems
• They rely on the OS on which they are running, so a compromise of the OS is a compromise of the firewall

Firewall Technologies
Network address translation (NAT)
Access control lists (packet filtering)
Stateful packet inspection (SPI)

Network Address Translation (NAT)
Internal private IP addresses are mapped to public external IP addresses
• Hides the internal infrastructure
Port Address Translation (PAT)
• This allows thousands of internal IP addresses to be mapped to one external IP address
• Each connection from the private network is mapped to a different public port
• An unsolicited inbound packet matches no entry in the translation table, so it has no inside host to go to and is dropped
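The translation table is the whole mechanism, so it is worth seeing one work. The example below is added here and is not from the page or the textbook; it is a small PAT gateway with a constructed public address and a deliberately tiny port pool, showing two inside hosts that picked the same source port being kept apart, a reply being mapped back, and an unsolicited inbound packet matching nothing.

```python
class PatGateway:
    """Port Address Translation: many inside (ip, port) pairs share one public address,
    each getting its own public port. Constructed example; real NAT devices also age
    mappings out and track protocol state."""

    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 40003):
        self.public_ip = public_ip
        self.free_ports = list(range(first_port, last_port + 1))
        self.outbound_map = {}   # (inside_ip, inside_port) -> public_port
        self.inbound_map = {}    # public_port -> (inside_ip, inside_port)

    def translate_outbound(self, src_ip: str, src_port: int):
        """Rewrite an outgoing packet's source to (public_ip, allocated port)."""
        key = (src_ip, src_port)
        if key not in self.outbound_map:
            if not self.free_ports:
                raise RuntimeError("translation port pool exhausted")
            port = self.free_ports.pop(0)
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return self.public_ip, self.outbound_map[key]

    def translate_inbound(self, dst_port: int):
        """Reverse lookup for a reply. An unsolicited packet matches nothing and is
        dropped (None), the side effect that makes NAT behave a little like a firewall."""
        return self.inbound_map.get(dst_port)


def demo() -> dict:
    gw = PatGateway("203.0.113.1")   # constructed public address
    # Two inside hosts happen to pick the same source port 1234; PAT keeps them apart.
    a = gw.translate_outbound("10.0.0.5", 1234)
    b = gw.translate_outbound("10.0.0.6", 1234)
    again = gw.translate_outbound("10.0.0.5", 1234)   # same flow, same mapping
    return {
        "host_a": a, "host_b": b, "host_a_again": again,
        "reply_to_a": gw.translate_inbound(a[1]),
        "unsolicited": gw.translate_inbound(49999),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} {v}")
```

The port pool is the capacity limit: one public address gives at most about 64,000 simultaneous translations, which is why the text's "thousands of internal addresses" works but an unbounded number does not.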

Access Control Lists
A series of rules to control traffic
Criteria
• Source IP address
• Destination IP address
• Ports or services
• More possibilities
Same as "packet filtering"


Stateful Packet Inspection (SPI)
Stateful packet filters examine the current state of the network
• If you have sent a request to a server, packets from that server may be allowed in
• Packets from the same server might be blocked if no request was sent first

State Table
Stateful firewalls maintain a state table showing the current connections

ACK Port Scan
Used to get information about a firewall
Stateful firewalls track connections and block unsolicited ACK packets
Stateless firewalls only block incoming SYN packets, so an ACK probe reaches the host and you get a RST response, which tells the scanner the port is unfiltered
We covered this in chapter 5

Stateful Packet Inspection (SPI)
Stateful packet filters recognize types of anomalies that most routers ignore
Stateless packet filters handle each packet on an individual basis
• This makes them less effective against some attacks

Implementing a Firewall
Using only one firewall between a company's internal network and the Internet is dangerous
• It leaves the company open to attack if a hacker compromises the firewall
Use a demilitarized zone instead

Demilitarized Zone (DMZ)
DMZ is a small network containing resources available to Internet users
• Helps maintain security on the company's internal network
Sits between the Internet and the internal network
It is sometimes referred to as a "perimeter network"
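The difference between a packet-filtering ACL and stateful inspection, and why an ACK scan tells them apart, is easiest to see by running both filters over the same packets. The example below is added here and is not from the page or the textbook; the internal network, addresses and port numbers are constructed. The stateless filter can only refuse inbound SYNs (otherwise replies would never get in), so a bare ACK passes and the host answers RST; the stateful filter consults a state table of connections opened from inside and drops anything it has no entry for.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset     # subset of {"SYN", "ACK", "RST"}


def is_inbound(pkt: Packet) -> bool:
    return ipaddress.ip_address(pkt.dst) in INSIDE and ipaddress.ip_address(pkt.src) not in INSIDE


def stateless_acl(pkt: Packet) -> str:
    """Packet filter (ACL): judges each packet alone. To let replies in, it can only block
    inbound packets that start a connection (SYN without ACK); everything else is permitted."""
    if is_inbound(pkt) and "SYN" in pkt.flags and "ACK" not in pkt.flags:
        return "deny"
    return "permit"


class StatefulFirewall:
    """Keeps a state table of connections opened from the inside and only admits
    inbound packets that belong to one of them."""

    def __init__(self):
        self.state_table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def process(self, pkt: Packet) -> str:
        if is_inbound(pkt):
            entry = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "permit" if entry in self.state_table else "deny"
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.state_table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))   # new outbound connection
        return "permit"


def ack_scan(filter_fn, target: str, ports, scanner: str = "198.51.100.7") -> dict:
    """nmap-style ACK scan: if the bare ACK reaches the host, the host answers RST and the
    scanner reports the port 'unfiltered'; silence means 'filtered'."""
    results = {}
    for port in ports:
        probe = Packet(scanner, 40000 + port, target, port, frozenset({"ACK"}))
        results[port] = "unfiltered" if filter_fn(probe) == "permit" else "filtered"
    return results


def demo() -> dict:
    fw = StatefulFirewall()
    stateless = ack_scan(stateless_acl, "10.0.0.5", [22, 80, 443])
    stateful_before = ack_scan(fw.process, "10.0.0.5", [22, 80, 443])
    # The inside host opens a connection; the stateful firewall records it and then admits the reply.
    fw.process(Packet("10.0.0.5", 51000, "203.0.113.9", 80, frozenset({"SYN"})))
    reply = Packet("203.0.113.9", 80, "10.0.0.5", 51000, frozenset({"SYN", "ACK"}))
    unsolicited = Packet("203.0.113.9", 80, "10.0.0.5", 51001, frozenset({"SYN", "ACK"}))
    return {
        "stateless_ack_scan": stateless,
        "stateful_ack_scan": stateful_before,
        "reply_to_open_conn": fw.process(reply),
        "unsolicited_syn_ack_stateful": fw.process(unsolicited),
        "unsolicited_syn_ack_stateless": stateless_acl(unsolicited),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:30} {v}")
```

The last two results are the practical point: a forged SYN/ACK (or any packet with ACK set) walks straight through the stateless ACL, which is how attackers reach inside hosts behind "deny inbound SYN" rules.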


Understanding the Private Internet Exchange (PIX) Firewall
Cisco PIX firewall
• One of the most popular firewalls on the market
Configuration of the PIX Firewall
Working with a PIX firewall is similar to working with any other Cisco router
Login prompt
  If you are not authorized to be in this XYZ Hawaii network device,
  log out immediately!
  User Access Verification
  Password:
• This banner serves a legal purpose
• A banner that says "welcome" may prevent prosecution of hackers who enter

PIX Firewall Features
One PIX can be used to create a DMZ
• See link Ch 13k
Unicast Reverse Path Forwarding
• Also known as "reverse route lookup"
• Checks that a packet arrived on the interface the routing table would use to reach its source address, which drops packets with spoofed source IPs
Flood Defender
• Prevents SYN floods
• Only a limited number of "embryonic connections" (half-open TCP connections) are allowed
FragGuard and Virtual Re-Assembly
• Re-assembles IP fragments to prevent some DoS attacks, like the Ping of Death and Teardrop
Limits
• DNS responses
• ActiveX controls
• Java applets
I skipped pages 333-336


Microsoft ISA
Internet Security and Acceleration (ISA): Microsoft's software approach to firewalls
Microsoft Internet Security and Acceleration (ISA) Server
• Software that runs on a Windows Server
• Functions as a software router, firewall, and IDS (Intrusion Detection System)
ISA protects your network from Internet threats
ISA lets remote users connect securely, handling authentication and encryption
Image from microsoft.com (link Ch 13m)
ISA has the same functionality as a hardware firewall
• Packet filtering to control incoming traffic
• Application filtering through the examination of protocols
• Intrusion detection filters
• Access policies to control outgoing traffic

IP Packet Filters
ISA enables administrators to filter IP traffic based on the following:
• Source and destination IP address
• Network protocol, such as HTTP
• Source port or destination port
ISA provides a GUI for these configurations
• A network segment can be denied or allowed HTTP access in the Remote Computer tab


(Screenshot: ISA rule denying access to port 80 for the specified subnet)


Application Filters
Can accept or deny data from specific applications or data containing specific content
SMTP filter can restrict
• E-mail with specific attachments
• E-mail from a specific user or domain
• E-mail containing specific keywords
• SMTP commands
E-mail can also be filtered based on
• Sender's name
• Sender's domain
• Keywords like VIAGRA or Mortgage
These techniques are not very effective; spammers know how to defeat them
SMTP Commands tab
• Administrator can prevent a user from running SMTP commands
FTP Access filter
H.323 filter
• Real-time multimedia conferences
See link Ch 13n

Intrusion Detection Filters
Analyze all traffic for possible known intrusions
• DNS intrusion detection filter
• POP filter
• RPC filter
• SMTP filter
• SOCKS filter
• Streaming Media filter
• Web Proxy filter


Intrusion Detection Systems (IDSs)

Monitor network devices so that security administrators can identify attacks in progress and stop them
An IDS looks at the traffic and compares it with known exploits
• Similar to antivirus software using a signature file to identify viruses
• Caveat: signature matching only catches attacks someone has already written a signature for; novel or obfuscated attacks pass
Types
• Network-based IDSs
• Host-based IDSs
Network-based IDSs
• Monitor activity on network segments
• They sniff traffic and alert a security administrator when something suspicious occurs
• See link Ch 13o
Host-based IDSs
• The software is installed on the server you're attempting to protect, like antivirus software
• Used to protect a critical network server or database server

Passive and Active IDSs
IDSs are categorized by how they react when they detect suspicious behavior
• Passive systems
  Send out an alert and log the activity
  Don't try to stop it
• Active systems
  Log events and send out alerts
  Can also interoperate with routers and firewalls to block the activity automatically
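A signature-based network IDS is a pattern matcher with a response policy bolted on, and the passive/active distinction is just what it does after a match. The example below is added here and is not from the page or any product the chapter names; the signatures and the captured traffic are constructed (three classic web attack patterns and one benign request that must not match). In active mode the block action is a callback that stands in for pushing a rule to a router or firewall.

```python
import re
from dataclasses import dataclass, field

# Constructed signatures in the spirit of a signature file: name and a pattern over the payload.
SIGNATURES = [
    ("web-directory-traversal", re.compile(rb"\.\./\.\./")),
    ("web-sql-injection", re.compile(rb"(?i)'\s*or\s*'1'\s*=\s*'1")),
    ("web-command-injection", re.compile(rb"[;|]\s*(?:cat|id|uname)\b")),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class Alert:
    signature: str
    src: str
    dst: str
    evidence: bytes


@dataclass
class SignatureIDS:
    """Network IDS that compares each packet against known-exploit signatures.
    Passive: log and alert. Active: also block the source (here via a method that stands
    in for updating a router ACL or firewall rule)."""
    mode: str = "passive"
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)

    def inspect(self, pkt: Packet) -> list:
        found = []
        for name, pattern in SIGNATURES:
            m = pattern.search(pkt.payload)
            if m:
                alert = Alert(name, pkt.src, pkt.dst, m.group(0))
                found.append(alert)
                self.alerts.append(alert)
                if self.mode == "active":
                    self.block(pkt.src)
        return found

    def block(self, src: str) -> None:
        self.blocked.add(src)


# Constructed traffic: two legitimate requests and three attack attempts from one source.
TRAFFIC = [
    Packet("192.0.2.10", "10.0.0.80", b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("198.51.100.7", "10.0.0.80", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.80", b"POST /login user=admin&pass=' OR '1'='1"),
    Packet("198.51.100.7", "10.0.0.80", b"GET /cgi-bin/ping?host=127.0.0.1;cat /etc/passwd"),
    Packet("192.0.2.10", "10.0.0.80", b"GET /search?q=or+not+to+be HTTP/1.1\r\n"),   # benign: must not match
]


def run(mode: str, traffic: list = TRAFFIC) -> SignatureIDS:
    ids = SignatureIDS(mode=mode)
    for pkt in traffic:
        ids.inspect(pkt)
    return ids


if __name__ == "__main__":
    for mode in ("passive", "active"):
        ids = run(mode)
        print(f"[{mode}] alerts: {[a.signature for a in ids.alerts]} blocked: {sorted(ids.blocked)}")
```

The benign search request is there on purpose: an active IDS that blocks on a sloppy signature is a denial-of-service tool an attacker can aim at your own users by spoofing their addresses, which is the standard argument for keeping automatic blocking narrow.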


Understanding Honeypots

Honeypot
• Computer placed on the perimeter of a network
• Contains information intended to lure and then trap hackers
Computer is configured to have vulnerabilities
Goal
• Keep hackers connected long enough so they can be traced back

How They Work
A honeypot appears to have important data or sensitive information stored on it
• Could store fake financial data that tempts hackers to attempt browsing through the data
Hackers will spend time attacking the honeypot
• And stop looking for real vulnerabilities in the company's network
Honeypots also enable security professionals to collect data on attackers
• Any connection to a honeypot is suspicious by definition, since no legitimate service runs there, so its logs are high-signal
Virtual honeypots
• Honeypots created using software solutions instead of hardware devices
• Example: Honeyd

Project Honey Pot
Web masters install software on their websites
When spammers harvest e-mail addresses from the sites, Project Honey Pot's servers record the IP address of the harvester
• Can help prosecute the spammers and block the spam
Link Ch 13p

Client Honeypots
Uses a Capture Server and one or more Capture Clients
• The clients run in virtual machines
• Clients connect to suspect Web servers
• If the client detects an infection, it alerts the Capture Server and restores itself to a clean state
• The server gathers data about malicious websites
See link Ch 13q

Last modified 6-4-09


Lecture 14: More Wireless Hacking – Cracking Wired Equivalent Privacy (WEP)


Legal Concerns
Defeating security to enter a network without permission is clearly illegal
• Even if the security is weak
Sniffing unencrypted wireless traffic may also be illegal
• It could be regarded as an illegal wiretap
• The situation is unclear, and varies from state to state
• In California, privacy concerns tend to outweigh other considerations
• See links l14v, l14w

Equipment
Wireless Network Interface Cards (NICs) and Drivers
The Goal
All wireless NICs can connect to an access point
But hacking requires more than that, because we need to do
• Sniffing: collecting traffic addressed to other devices
• Injection: transmitting forged packets which will appear to be from other devices

Windows v. Linux
The best wireless hacking software is written for Linux
• The Windows tools are inferior, and don't support packet injection
But all the wireless NICs are designed for Windows
• And the drivers are written for Windows
• Linux drivers are hard to find and confusing to install

Wireless NIC Modes
There are four modes a NIC can use
• Master mode
• Managed mode
• Ad-hoc mode
• Monitor mode
See link l_14j
Master Mode
• Also called AP or Infrastructure mode
• Looks like an access point
• Creates a network with a name (SSID) and a channel
Managed Mode
• Also called Client mode
• The usual mode for a Wi-Fi laptop
• Joins a network created by a master
• Automatically changes channel to match the master
• Presents credentials, and if accepted, becomes associated with the master
Ad-hoc Mode
• Peer-to-peer network
• No master or access point
• Nodes must agree on a channel and SSID


Monitor Mode
• Does not associate with Access Point
• Listens to traffic
• Like a wired NIC in Promiscuous Mode

Wi-Fi NICs
To connect to a Wi-Fi network, you need a Network Interface Card (NIC)

PCMCIA
The most common type is the PCMCIA card
• Designed for laptop computers

USB
• Can be used on a laptop or desktop PC

PCI
• Installs inside a desktop PC

Choosing a NIC
For penetration testing (hacking), consider these factors:
• Chipset
• Output power
• Receiving sensitivity
• External antenna connectors
• Support for 802.11i and improved WEP versions

Wi-Fi NIC Manufacturers
Each wireless card has two manufacturers
• The card itself is made by a company like Netgear, Ubiquiti, Linksys, D-Link, and many, many others
• But the chipset (control circuitry) is made by a different company

Chipsets
To find out what chipset your card uses, you must search on the Web
• Card manufacturers don't want you to know
Major chipsets:
• Prism
• Cisco Aironet
• Hermes/Orinoco
• Atheros
There are others


Prism Chipset
Prism chipset is a favorite among hackers
• Completely open -- specifications available
• Has more Linux drivers than any other chipset
See link l_14d
Prism chipset is the best choice for penetration testing
HostAP Linux Drivers are highly recommended, supporting:
• NIC acting as an Access Point
• Use of the iwconfig command to configure the NIC
See link l_14h

Cisco Aironet Chipset
Cisco proprietary – not open
Based on Prism, with more features
• Regulated power output
• Hardware-based channel-hopping
Very sensitive – good for wardriving
• Cannot use HostAP drivers
• Not useful for man-in-the-middle or other complex attacks

Hermes Chipset
Lucent proprietary – not open
Lucent published some source code for WaveLAN/ORiNOCO cards
Useful for all penetration testing, but requires
• Shmoo driver patches (link l_14l) to use monitor mode

Atheros Chipset
The most common chipset in 802.11a devices
• Best Atheros drivers are MadWIFI (link l_14m)
• Some cards work better than others
• Monitor mode is available, at least for some cards

Other Cards
If all else fails, you could use Windows drivers with a wrapper to make them work in Linux
• DriverLoader (link l_14n)
• NdisWrapper (link l_14o)
But all you'll get is basic functions, not monitor mode or packet injection
• Not much use for hacking

Cracking WEP: Tools and Principles

A Simple WEP Crack
The Access Point and Client are using WEP encryption
The hacker device just listens


Listening is Slow
You need to capture 50,000 to 200,000 "interesting" packets to crack a 64-bit WEP key
• The "interesting" packets are the ones containing Initialization Vectors (IVs)
• Only about ¼ of the packets contain IVs
• So you need 200,000 to 800,000 packets
It can take hours or days to capture that many packets

Packet Injection
A second hacker machine injects packets to create more "interesting" packets

Injection is MUCH Faster
With packet injection, the listener can collect 200 IVs per second
5 – 10 minutes is usually enough to crack a 64-bit key
Cracking a 128-bit key takes an hour or so
• Link l_14r

AP & Client Requirements
Access Point
• Any AP that supports WEP should be fine (they all do)
Client
• Any computer with any wireless card will do
• Could use Windows or Linux

Listener Requirements
NIC must support Monitor Mode
Could use Windows or Linux
• But you can't use NDISwrapper
Software
• Airodump (part of the Aircrack Suite) for Windows or Linux (see Link l_14q)
• BackTrack is a live Linux CD with Aircrack on it (and many other hacking tools)
• Link l_14n

Injector Requirements
NIC must support injection
Must use Linux
Software
• void11 and aireplay
• Link l_14q
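The packet counts and rates above translate into capture times a defender can use to judge how little time a WEP network buys. The Python below is an added example, not from the lecture or from the Aircrack project: it takes the figures the notes state (¼ of packets carry an IV, 200 IVs per second with injection) and shows the passive-versus-injection timing side by side. The passive rate of 10 packets per second and the function names are assumptions made here; the 24-bit IV size is a standard property of WEP that the notes do not state, and the birthday-bound function uses it to show why IV reuse, the root cause of WEP's weakness, is unavoidable on any busy network.

```python
import math

# Figures taken from the lecture notes above
IV_FRACTION = 0.25          # only about 1/4 of captured packets carry a usable IV
INJECTION_IV_RATE = 200.0   # IVs per second the listener collects with injection running
# WEP's IV is 24 bits; this is a standard property of WEP, not stated in the notes
WEP_IV_BITS = 24


def packets_for_ivs(ivs_needed, iv_fraction=IV_FRACTION):
    """Total packets that must be captured to obtain ivs_needed IV-bearing packets."""
    return math.ceil(ivs_needed / iv_fraction)


def capture_seconds(ivs_needed, ivs_per_second):
    """Seconds needed to collect ivs_needed IVs at a given IV arrival rate."""
    return ivs_needed / ivs_per_second


def packets_until_iv_repeat(iv_bits=WEP_IV_BITS, probability=0.5):
    """Birthday-bound estimate of how many packets a station sends before an IV
    repeats with the given probability, assuming IVs are chosen at random.
    A repeated IV means a repeated RC4 keystream, which is what makes WEP breakable."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability))))


def compare(ivs_needed, passive_packets_per_second):
    """Compare passive listening with injection for one IV target.
    passive_packets_per_second is an assumed traffic rate, not a figure from the notes."""
    passive_ivs_per_second = passive_packets_per_second * IV_FRACTION
    return {
        "packets_to_capture": packets_for_ivs(ivs_needed),
        "passive_hours": capture_seconds(ivs_needed, passive_ivs_per_second) / 3600.0,
        "injection_minutes": capture_seconds(ivs_needed, INJECTION_IV_RATE) / 60.0,
    }


if __name__ == "__main__":
    for ivs in (50_000, 200_000):
        print(ivs, "IVs:", compare(ivs, passive_packets_per_second=10))
    print("packets until a 50% chance of IV reuse:", packets_until_iv_repeat())
```

At 10 packets per second a passive listener needs more than five hours for even the low end of the range, while injection brings the same count down to a few minutes, which is the practical reason WEP should be treated as no better than an open network.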

Sources
http://www.aircrack-ng.org/doku.php?id=compatible_cards (link l_14a)
http://www.wi-foo.com/ (link l_14c)
http://www.vias.org/wirelessnetw/wndw_05_04.html (link l_14j)
http://smallnetbuilder.com/content/view/24244/98/ (link l_14p)

Last modified 5-11-09

Page 106: Sam_Bowne

Lecture 15: Man in the Middle Attack to get Passwords from HTTPS Sessions

How HTTPS Works

HTTP v. HTTPS
HTTP doesn't encrypt data at all
• You can sniff traffic with Wireshark, ettercap, etc.
• Completely insecure
HTTPS uses public-key encryption to secure data
• Much safer, but it can still be cracked to some extent by a man-in-the-middle attack

Components of HTTPS
When you use a secure session (HTTPS), these protocols work together:
• Address Resolution Protocol (ARP)
• Domain Name System (DNS)
• Secure Sockets Layer (SSL)

ARP Request and Reply
Client wants to find Gateway
ARP Request: Who has 192.168.2.1?
ARP Reply:
• MAC: 00-30-bd-02-ed-7b has 192.168.2.1

Demonstration: Sniffing ARP with Wireshark
Start Wireshark capturing packets
Clear the ARP cache
• arp -d *
Ping the default gateway

DNS Query and Response
Client wants to find Gmail.com
DNS Query: Where is Gmail.com?
DNS Response:
• Gmail.com is at 64.233.171.83

Demonstration: Sniffing DNS with Wireshark
Start Wireshark capturing packets
Clear the DNS cache
• ipconfig /flushdns
Ping Gmail.com

CNIT 123 – Bowne Page 1 of 1


SSL Handshake
SSL handshake has three stages:
• Hellos
• Certificate, Key Exchange, and Authentication
• "Change cipher spec" – handshake finished
The Gateway just forwards all this traffic to the Web server

Demonstration: Sniffing SSL Handshake with Wireshark
Start Wireshark capturing packets
Open a browser and go to yahoo.com
Click the My Mail button

[Figure: Wireshark capture with packet groups labeled Hand, Hello, and Key]
Hand – these three packets are the TCP Handshake, which happens before the SSL handshake
Hello – these two packets are the Hellos, which start the SSL handshake
Key – these packets perform the last two stages of the SSL handshake:
• Certificate, Key Exchange, and Authentication
• "Change cipher spec" – handshake finished

Open a Socket to Port 443
This is the usual SYN, SYN/ACK, ACK TCP handshake
Port 443 is used for HTTPS

Hellos
Client sends Hello
Server sends Hello
• This exchange is used to agree on a protocol version and encryption method

Certificate, Key Exchange, and Authentication
Server sends Certificate
Client sends Public Key
Client Authenticates Certificate with Certificate Authority (not visible)

Change Cipher Spec
Server sends "Change Cipher Spec"
Client sends "Change Cipher Spec"
SSL Handshake is done, now client can send encrypted Application Data


Summary of HTTPS Process
SSL handshake has three stages:
• Hellos
• Certificate, Key Exchange, and Authentication
• "Change cipher spec" – handshake finished
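The three stages can be recognised directly in the bytes on the wire, which is what Wireshark does when it labels the packets in the demonstration above. The Python below is an added example, not from the lecture; it builds a constructed SSL/TLS 1.0 exchange out of hand-made records (zero-filled bodies stand in for the random values, the certificate and the encrypted key, so no real cryptography takes place) and maps each record onto the stage the notes name it after. `record`, `handshake`, `parse_records`, `classify`, and `stage_sequence` are names chosen here. One detail it makes visible: once a side has sent Change Cipher Spec, its Finished message is already encrypted, so a sniffer sees only a handshake record whose contents it cannot read.

```python
import struct

# TLS record content types
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23

# Plaintext handshake message types that appear in an RSA key exchange
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}

# The three stages as the notes name them
HELLOS = "Hellos"
CERT_KEY_AUTH = "Certificate, Key Exchange, and Authentication"
CCS = "Change cipher spec"
STAGE_OF = {"ClientHello": HELLOS, "ServerHello": HELLOS,
            "Certificate": CERT_KEY_AUTH, "ServerKeyExchange": CERT_KEY_AUTH,
            "ServerHelloDone": CERT_KEY_AUTH, "ClientKeyExchange": CERT_KEY_AUTH,
            "Finished": CCS}


def record(content_type, body, version=(3, 1)):
    """One TLS record: content type, version, 2-byte length, body."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def handshake(msg_type, body=b""):
    """A handshake record holding one message: type, 3-byte length, body."""
    return record(HANDSHAKE, bytes([msg_type]) + len(body).to_bytes(3, "big") + body)


def parse_records(data):
    """Split raw bytes into (content_type, version, payload); raise on truncation."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[i:i + 5])
        payload = data[i + 5:i + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        out.append((ctype, (major, minor), payload))
        i += 5 + length
    return out


def is_truncated(data):
    try:
        parse_records(data)
        return False
    except ValueError:
        return True


def classify(exchange):
    """exchange: list of (sender, raw_bytes). Returns (sender, message, stage) per record.
    After a sender's ChangeCipherSpec its Finished is encrypted, so its type can't be read."""
    encrypted = set()
    result = []
    for sender, raw in exchange:
        for ctype, _version, payload in parse_records(raw):
            if ctype == CHANGE_CIPHER_SPEC:
                encrypted.add(sender)
                result.append((sender, "ChangeCipherSpec", CCS))
            elif ctype == APPLICATION_DATA:
                result.append((sender, "ApplicationData", "Application Data (encrypted)"))
            elif ctype == HANDSHAKE and sender in encrypted:
                result.append((sender, "Finished (encrypted)", CCS))
            elif ctype == HANDSHAKE:
                j = 0
                while j < len(payload):          # several messages may share one record
                    mtype = payload[j]
                    mlen = int.from_bytes(payload[j + 1:j + 4], "big")
                    name = HANDSHAKE_NAMES.get(mtype, f"Handshake type {mtype}")
                    result.append((sender, name, STAGE_OF.get(name, "unknown")))
                    j += 4 + mlen
            else:
                result.append((sender, f"record type {ctype}", "unknown"))
    return result


def stage_sequence(classified):
    """Distinct stages in order of first appearance."""
    seen = []
    for _sender, _msg, stage in classified:
        if stage not in seen:
            seen.append(stage)
    return seen


# Constructed exchange: zero-filled bodies stand in for real randoms, certificates and keys.
SAMPLE_EXCHANGE = [
    ("client", handshake(1, b"\x03\x01" + b"\x00" * 32)),
    ("server", handshake(2, b"\x03\x01" + b"\x00" * 32) + handshake(11, b"\x00\x00\x00")
               + handshake(14)),
    ("client", handshake(16, b"\x00" * 48) + record(CHANGE_CIPHER_SPEC, b"\x01")
               + record(HANDSHAKE, b"\x00" * 12)),
    ("server", record(CHANGE_CIPHER_SPEC, b"\x01") + record(HANDSHAKE, b"\x00" * 12)),
    ("client", record(APPLICATION_DATA, b"\x00" * 16)),
]

if __name__ == "__main__":
    for sender, msg, stage in classify(SAMPLE_EXCHANGE):
        print(f"{sender:6} {msg:22} {stage}")
```

The Certificate record is the one a man-in-the-middle has to replace, and it is sent in the clear before any encryption starts; that is exactly why the browser's certificate check is the only defence the client has at that point.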

Man-in-the-Middle Attack

ARP Cache Poisoning
The Linux utility 'arpspoof' sends a constant series of ARP REPLIES
This diverts Ethernet traffic to the hacker
• Part of the 'dsniff' package
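Both the ARP request and reply shown earlier and the arpspoof technique just described reduce to one thing a network monitor can watch for: a reply that nobody asked for, or a reply that changes the MAC already bound to an IP address. The Python below is an added example, not from the lecture or the dsniff project. It constructs three sample frames (the gateway address 192.168.2.1 and MAC 00-30-bd-02-ed-7b are the ones in the notes' ARP reply; the client and the second MAC are made up) and runs a small watcher over them in the spirit of tools like arpwatch. `build_arp`, `parse_arp`, and `ArpWatcher` are names chosen here.

```python
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = b"\x08\x06"


def mac_bytes(mac):
    """'00-30-bd-02-ed-7b' (or colon form) -> 6 raw bytes."""
    return bytes(int(part, 16) for part in mac.replace(":", "-").split("-"))


def mac_str(raw):
    return "-".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet II frame carrying an IPv4 ARP packet (sample traffic only)."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = eth_dst + mac_bytes(sender_mac) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet, IPv4, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


class ArpWatcher:
    """Keeps the IP->MAC binding first seen for each address and raises an alert when a
    reply arrives that nobody requested, or that contradicts the known binding."""

    def __init__(self):
        self.bindings = {}    # ip -> mac
        self.pending = set()  # target IPs with an outstanding request
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["op"] == ARP_REQUEST:
            self.pending.add(arp["target_ip"])
            self.bindings.setdefault(ip, mac)   # the requester announces its own binding
        elif arp["op"] == ARP_REPLY:
            if ip not in self.pending:
                self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
            self.pending.discard(ip)
            known = self.bindings.get(ip)
            if known is None:
                self.bindings[ip] = mac
            elif known != mac:
                # keep the original binding; a poisoning attempt must not overwrite it
                self.alerts.append(f"binding change: {ip} was {known}, now claimed by {mac}")
        return arp


# Constructed sample traffic. The gateway address and MAC are the ones shown in the
# notes' ARP reply; the client and the second MAC are made up for this example.
GATEWAY_IP, GATEWAY_MAC = "192.168.2.1", "00-30-bd-02-ed-7b"
CLIENT_IP, CLIENT_MAC = "192.168.2.10", "00-11-22-33-44-55"
OTHER_MAC = "00-aa-bb-cc-dd-ee"

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, CLIENT_MAC, CLIENT_IP, "00-00-00-00-00-00", GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
    build_arp(ARP_REPLY, OTHER_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),  # nobody asked
]


def run_sample():
    watcher = ArpWatcher()
    for frame in SAMPLE_FRAMES:
        watcher.observe(frame)
    return watcher


if __name__ == "__main__":
    w = run_sample()
    print("bindings:", w.bindings)
    for alert in w.alerts:
        print("ALERT", alert)
```

The third frame triggers both alerts: it answers a question nobody asked, and it claims the gateway's address for a different MAC. A real deployment would also want static ARP entries or switch-port inspection for the gateway, since a host's own cache will happily accept what the watcher only reports.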

DNS Spoofing
The Linux utility 'dnsspoof' listens for DNS queries
Sends DNS responses sending Web server data to the hacker
• Part of the 'dsniff' package
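The DNS query and response shown earlier and the dnsspoof technique above have the same observable signature: the spoofer answers a query it overheard, racing the real server, so the client ends up seeing two responses to one transaction ID that disagree. The Python below is an added example, not from the lecture or the dsniff project. It hand-builds a constructed DNS query and three responses (the answer 64.233.171.83 is the one in the notes; the transaction IDs and the other address are made up), parses them, and flags a response with no matching query and a second response whose answers contradict the first. `build_query`, `build_response`, `parse_dns`, and `DnsWatcher` are names chosen here.

```python
import struct
from ipaddress import IPv4Address


def encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[offset]
        if n & 0xC0 == 0xC0:                        # compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if n == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + n].decode("ascii"))
        offset += n


def build_query(txid, name):
    """Standard recursive A query (used only to construct sample traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip, ttl=300):
    """Response with one A record; the name is compressed back to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(ip).packed
    return header + question + answer


def parse_dns(msg):
    """Parse the header, first question, and A-record answers of a DNS message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                        # qtype, qclass
    answers = []
    for _ in range(an):
        _name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(str(IPv4Address(msg[off:off + 4])))
        off += rdlen
    return {"txid": txid, "response": bool(flags & 0x8000),
            "qname": qname.lower(), "answers": answers}


class DnsWatcher:
    """Pairs responses with the queries that preceded them. A response with no matching
    query, or a second response whose answers differ from the first, is flagged."""

    def __init__(self):
        self.pending = set()   # (txid, qname) awaiting an answer
        self.answered = {}     # (txid, qname) -> answers from the first response
        self.alerts = []

    def observe(self, msg):
        d = parse_dns(msg)
        key = (d["txid"], d["qname"])
        if not d["response"]:
            self.pending.add(key)
        elif key in self.answered:
            if self.answered[key] != d["answers"]:
                self.alerts.append(f"conflicting answers for {d['qname']} (txid {d['txid']:#06x}): "
                                   f"{self.answered[key]} then {d['answers']}")
        elif key in self.pending:
            self.pending.discard(key)
            self.answered[key] = d["answers"]
        else:
            self.alerts.append(f"response for {d['qname']} (txid {d['txid']:#06x}) "
                               f"with no matching query")
        return d


# Constructed sample: the legitimate answer 64.233.171.83 is the one in the notes; the
# transaction IDs, the second (spoofed) answer and the stray response are made up.
SAMPLE_MESSAGES = [
    build_query(0x1A2B, "gmail.com"),
    build_response(0x1A2B, "gmail.com", "192.168.2.66"),   # arrives first, wins the race
    build_response(0x1A2B, "gmail.com", "64.233.171.83"),  # real answer, now contradicts
    build_response(0x7777, "gmail.com", "64.233.171.83"),  # never asked for
]


def run_sample():
    watcher = DnsWatcher()
    for msg in SAMPLE_MESSAGES:
        watcher.observe(msg)
    return watcher


if __name__ == "__main__":
    for alert in run_sample().alerts:
        print("ALERT", alert)
```

Because the client keeps whichever response arrives first, the watcher cannot undo the poisoning; it can only report it, which is why DNSSEC validation or a resolver on a trusted path is the actual fix.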

IP Routing
'fragrouter' can forward packets to their correct destination
That allows normal Web surfing (HTTP)
• Part of the 'dsniff' package
• This could also be done with 'iptables'

SSL Spoofing
'webmitm' creates a Certificate and intercepts SSL handshakes
• Part of the 'dsniff' package

Limitations of the Attack
The SSL spoofing is not perfect
You can't actually log in and read email
• Internet Explorer sends your password to the hacker before giving up on the connection
• Firefox doesn't send your password to the hacker

Sources
Hacking videos from link l_15b
• How to decrypt SSL encrypted traffic using a man in the middle attack (Auditor).swf
• MITM Hijacking.wmv
SSL Handshake information from l_15a (cs.bham.ac.uk)

Last modified 5-11-09