studies in networking

Upload: jerome-tacata

Post on 14-Apr-2018


  • 7/29/2019 Studies in Networking

    1/51

A.M.A COMPUTER COLLEGE

LAS PIÑAS

A Partial Fulfillment of Requirements to ITNA02 and ITNA03

Submitted To: Roy, Paul Ryan

Submitted By: Mallari, Franklin C.

Abstract

A network is a set of devices or nodes connected by communication links. A network must be able to meet a certain number of criteria, and one of them is security. Network security issues include protecting data from unauthorized access; there are enemies to the data, and also to the data which is transmitted through the network, and the most common enemies are hackers, unaware staff, snoops, viruses, Trojan horse programs, and vandals.

Network (Internet) communication has become an integral part of the infrastructure of today's world. The information communicated comes in numerous forms and is used in many applications. In a large number of these applications, it is desired that the communication be done in secret. Such secret communication ranges from the obvious cases of bank transfers, corporate communications, and credit card purchases, on down to a large percentage of everyday email. With email, many people wrongly assume that their communication is safe because it is just a small piece of an enormous amount of data being sent worldwide. After all, who is going to see it? But in reality, the Network (Internet) is not a secure medium, and there are programs out there which just sit and watch messages go by for interesting information.

Hackers are computer enthusiasts who take pleasure in gaining access to other people's computers or networks. Unaware staff are employees who, focusing on their specific job duties, often overlook standard network security rules. Employees known as "snoops" gain

unauthorized access to confidential data to provide competitors with otherwise inaccessible information. What can these enemies do? Viruses are computer programs that are written by unauthorized programmers and are designed to replicate themselves and infect computers when triggered by a specific event. Some viruses are more destructive and cause such problems as deleting files from a hard drive or slowing down a system. Trojan horse programs are actually enemies undisguised. Trojans can delete data and open up computers to additional attacks. Innumerable types of network attacks have been documented; among them are DoS attacks and access attacks.

Access attacks are conducted to exploit vulnerabilities; DoS attacks prevent access to part or all of a computer system. Social engineering is the increasingly prevalent act of obtaining network security information through non-technical means. Spam is the most commonly used term for unsolicited electronic mail or the action of broadcasting unsolicited advertising messages via e-mail.

Spam is usually harmless but it can be a nuisance, taking up the recipient's time and storage space. Organizations have an extensive choice of technologies, ranging from anti-virus software packages to dedicated network security hardware, such as firewalls and intrusion detection systems, to provide protection for all areas of the network. Antivirus software: virus protection software is packaged with most computers and can counter most virus threats if the software is regularly updated and correctly maintained. Security policies: rules that are electronically programmed and stored within security equipment to control such areas as access.

Introduction

The frequency of computer network attacks and the subsequent sensational news reporting have alerted the public to the vulnerability of computer networks and the dangers of not only using them but also of depending on them. In addition, such activities and reports have put society in a state of constant fear, always expecting the next big one and what it would involve, and forced people to focus on security issues. The greatest fear among professionals, however, is that of a public with a hundred percent total dependency on computers and computer networks becoming desensitized, having reached a level where they are almost immune, where they no longer care about such fears. If this ever happens, we the professionals, and society in general, as creators of these networks, will have failed to ensure their security.

Unfortunately, there are already signs that this is beginning to happen. We are steamrolling at full speed into total dependency on computers and computer networks, yet despite the multiplicity of sometimes confusing security solutions and best practices on the market, numerous security experts and proclaimed good intentions of implementation of these solutions, there is no one agreed-on approach to the network security problem. In fact, if the current computer ownership, use, and dependency on computers and computer networks keep on track, the number of such attacks is likewise going to keep rising at probably the same rate if not higher. Likewise the national critical infrastructures will become more

intertwined than they are now, making the security of these systems a great priority for national and individual security.

The picture we have painted here of total dependency worries many, especially those in the security community. Without a doubt security professionals are more worried about computer system security and information security than the average computer user because they are the people in the trenches on the forefront of the system security battle, just as soldiers in a war might worry more about the prospects of a successful outcome than would the general civilian population. They are worried more because they know that whatever quantity of resources we have as a society, we are not likely to achieve perfect security because security is a continuous process based on a changing technology. As the technology changes, security parameters, needs, requirements, and standards change. We are playing a catch-up game whose outcome is uncertain and probably unwinnable. There are several reasons for this.

First, the overwhelming number of computer network vulnerabilities are software based, resulting from either application or system software. As anyone with a first course in software engineering will tell you, it is impossible to test out all bugs in a software product with billions of possible outcomes based on just a few inputs. So unlike other branches of product engineering such as car and airplane manufacturing, where one can test all possible outcomes from any given inputs, it is impossible to do this in software. This results in an unknown number of bugs in every software product. Yet the role of software as the engine that drives

these networks is undisputable and growth of the software industry is only in its infancy.

Computer and network security is a new and fast moving technology and as such, is still being defined and most probably will always be still being defined. Security incidents are rising at an alarming rate every year. As the complexity of the threats increases, so do the security measures required to protect networks. Data center operators, network administrators, and other data center professionals need to comprehend the basics of security in order to safely deploy and manage networks today.

Securing the modern business network and IT infrastructure demands an end-to-end approach and a firm grasp of vulnerabilities and associated protective measures. While such knowledge cannot prevent all attempts at network incursion or system attack, it can empower network engineers to eliminate certain general problems, greatly reduce potential damages, and quickly detect breaches. With the ever-increasing number and complexity of attacks, vigilant approaches to security in both large and small enterprises are a must. Network security originally focused on algorithmic aspects such as encryption and hashing techniques. While these concepts rarely change, these skills alone are insufficient to protect computer networks. As crackers hacked away at networks and systems, security courses arose that emphasized the latest attacks. There is always faulty management, faulty software, and abuse of resources connecting to computer networks. These are the main reasons which cause security problems for a network. Today, the security problem has become one of the main problems for computer network and Internet

development. However, there is no simple way to establish a secure computer network. In fact, we cannot find a network in the world which does not have any security holes nowadays. The infrastructures of cyberspace are vulnerable due to three kinds of failure: complexity, accident, and hostile intent. Hundreds of millions of people now appreciate a cyber-context for terms like viruses, denial of service, privacy, worms, fraud, and crime more generally. Attacks so far have been limited. While in some network attacks the value of losses is in the hundreds of millions, damage so far is seen as tolerable.

While preventing attack is largely based on government authority and responsibility, the detailed knowledge needed to prevent an attack on a cyber-system or to prevent damage rests primarily with its owner.

Protecting infrastructure systems arguably involves five coupled stages. First, it is necessary to attempt to determine potential attackers. Second, if attacked, the need is to prevent the attack and to prevent damage. Third, since success cannot be guaranteed in either preventing or thwarting an attack, the next stage is to limit the damage as much as possible. Fourth, having sustained some level of damage from an attack, the defender must reconstitute the pre-attack state of affairs. Finally, since changing technology and incentives to attack influence both offence and defense, the final step is for the defender to learn from failure in order to improve performance, just as attackers will learn from their failures.

The more specific defenses to be discussed may be usefully partitioned into two forms: passive and active.

Passive defense essentially consists in target hardening.

Active defense, in contrast, imposes some risk or penalty on the attacker. Risk or penalty may include identification and exposure, investigation and prosecution, or pre-emptive or counter attacks of various sorts.

FOCUS ON SECURITY

The Network Security program emphasizes how to secure a network. The following background information in security helps in making correct decisions. Some areas are concept-oriented:

Attack Recognition: Recognize common attacks, such as spoofing, man-in-the-middle, (distributed) denial of service, buffer overflow, etc.

Encryption techniques: Understand techniques to ensure confidentiality, authenticity, integrity, and non-repudiation of data transfer. These must be understood at a protocol and at least partially at a mathematical or algorithmic level, in order to select and implement the algorithm matching the organization's needs.

Network Security Architecture: Configure a network with security appliances and software, such as placement of firewalls, Intrusion Detection Systems, and log management.

To secure a network, certain skills must also be practiced:

Protocol analysis: Recognize normal from abnormal protocol sequences, using sniffers. Protocols minimally include: IP, ARP, ICMP, TCP, UDP, HTTP, and encryption protocols: SSH, SSL, IPSec.

Access Control Lists (ACLs): Configure and audit routers and firewalls to filter packets accurately and efficiently, by dropping, passing, or protecting (via VPN) packets based upon their IP and/or port addresses, and state.

Intrusion Detection/Prevention Systems (IDS/IPS): Set and test rules to recognize and report attacks in a timely manner.

Vulnerability Testing: Test all nodes (routers, servers, clients) to determine active applications, via scanning or other vulnerability test tools, and interpret results.

Application Software Protection: Program and test secure software to avoid backdoor entry via SQL injection, buffer overflow, etc.

Incident Response: Respond to an attack by escalating attention, collecting evidence, and performing computer forensics. The last three skills incorporate computer systems security, since they are required to counteract Internet hacking.

The TCP/IP Protocol:

The attacks which are discussed in this paper all utilize weaknesses in the implementation of the TCP/IP protocols to make the attacked computer or network stop working as intended. To understand the attacks one has to have a basic knowledge of how these protocols are intended to function. TCP/IP is the acronym of Transmission Control Protocol / Internet Protocol and is one of several network protocols developed by the United States Department of Defense (DoD) at the end of the 1970s. The reason why such a protocol was designed was the need to build a network of computers able to connect to other networks of the same kind (routing). This network was named ARPANET (Advanced Research Project Agency Internetwork), and is the predecessor of what we call the Internet these days.

TCP/IP is a protocol suite which is used to transfer data through networks. Actually TCP/IP consists of several protocols. The most important are:

IP (Internet Protocol): This protocol mainly takes care of specifying where to send the data. To do that, each IP packet has sender and receiver information. The most common DoS attacks at the IP level exploit the IP packet format.

TCP (Transmission Control Protocol): This protocol handles the reliable delivery of data to the address specified in the IP protocol. Most of the TCP level attacks exploit weaknesses present in the implementations of the TCP finite state machine. By attacking specific weaknesses in applications and implementations of TCP, it is possible for an attacker to make

services or systems crash, refuse service, or otherwise become unstable.

A communication through a network using TCP/IP or UDP/IP will typically use several packets. Each of the packets will have a sending and a receiving address, some data and some additional control information. In particular, the address information is part of the IP protocol, the other data being in the TCP or the UDP part of the packet. ICMP has no separate TCP part; all the necessary information is in the ICMP packet. In addition to the recipient's address, all TCP/IP and UDP/IP communication uses a special port number which it connects to. These port numbers determine the kind of service the sender wants to communicate to the receiver of information.
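To make the packet layout just described concrete, the following is an added example (not code from the paper or from any tool it names) that parses the IPv4 header and then the TCP, UDP or ICMP part that follows it, pulling out exactly the fields the text mentions: sender and receiver address, the protocol, the port numbers (absent for ICMP), and the payload. The two sample packets are constructed inline with documentation addresses and zero checksums; the builder functions and the `ParsedPacket` type are assumptions for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


@dataclass
class ParsedPacket:
    src_ip: str
    dst_ip: str
    protocol: str
    ttl: int
    src_port: Optional[int]   # None for ICMP, which carries no port numbers
    dst_port: Optional[int]
    tcp_flags: str            # e.g. "SYN" or "PSH|ACK"; empty for UDP/ICMP
    payload: bytes


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ipv4(packet: bytes) -> ParsedPacket:
    """Decode the IPv4 header and the transport header behind it, with length checks
    so a truncated or malformed capture raises instead of reading garbage."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid IHL")
    # Never trust the declared total length blindly: clamp to what was captured.
    body = packet[ihl:min(total_len, len(packet))]
    src_port = dst_port = None
    flags = ""
    payload = body
    if proto == 6:  # TCP: ports, flags and a data offset that may include options
        if len(body) < 20:
            raise ValueError("truncated TCP header")
        (sp, dp, _seq, _ack, off_res, flag_byte,
         _win, _csum, _urg) = struct.unpack("!HHIIBBHHH", body[:20])
        data_off = (off_res >> 4) * 4
        if data_off < 20 or data_off > len(body):
            raise ValueError("invalid TCP data offset")
        src_port, dst_port = sp, dp
        flags = "|".join(name for bit, name in TCP_FLAG_BITS if flag_byte & bit)
        payload = body[data_off:]
    elif proto == 17:  # UDP: fixed 8-byte header
        if len(body) < 8:
            raise ValueError("truncated UDP header")
        sp, dp, _ulen, _csum = struct.unpack("!HHHH", body[:8])
        src_port, dst_port = sp, dp
        payload = body[8:]
    # ICMP (proto 1) and anything else: the whole body is the message itself
    return ParsedPacket(ip_to_str(src), ip_to_str(dst), PROTO_NAMES.get(proto, str(proto)),
                        ttl, src_port, dst_port, flags, payload)


def describe(p: ParsedPacket) -> str:
    """One-line summary in the style a sniffer prints."""
    if p.src_port is not None:
        ends = f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}"
    else:
        ends = f"{p.src_ip} -> {p.dst_ip}"
    flag_part = f" [{p.tcp_flags}]" if p.tcp_flags else ""
    return f"{ends} {p.protocol}{flag_part} {len(p.payload)} bytes"


# --- constructed sample packets (documentation addresses, checksums left zero) ---
def _ipv4_header(src, dst, proto, body_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0x1234, 0x4000,
                       64, proto, 0, bytes(src), bytes(dst))


def build_sample_tcp() -> bytes:
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 5000, 5 << 4, 0x18, 65535, 0, 0) + payload
    return _ipv4_header([192, 0, 2, 10], [198, 51, 100, 80], 6, len(tcp)) + tcp


def build_sample_icmp_echo() -> bytes:
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0001, 1) + b"ping-data"   # type 8 = echo request
    return _ipv4_header([192, 0, 2, 10], [198, 51, 100, 80], 1, len(icmp)) + icmp


if __name__ == "__main__":
    print(describe(parse_ipv4(build_sample_tcp())))
    print(describe(parse_ipv4(build_sample_icmp_echo())))
```

The length checks are the security-relevant part: the attacks the paper goes on to describe at the IP and TCP level are built on implementations that trusted header fields such as the total length or data offset without checking them against the bytes actually received.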

Denial of Service Attacks

DoS attacks today are part of every Internet user's life. They are happening all the time, and all the Internet users, as a community, have some part in creating them, suffering from them or even losing time and money because of them. DoS attacks do not have anything to do with breaking into computers, taking control over remote hosts on the Internet or stealing privileged information like credit card numbers. In Internet parlance, DoS is neither a Hack nor a Crack. The sole purpose of DoS attacks is to disrupt the services offered by the victim. While the attack is in place, and no action has been taken to fix the problem, the victim would not be able to provide its services on the Internet. DoS attacks are really a form of vandalism against Internet services. DoS attacks take

advantage of weaknesses in the IP protocol stack in order to disrupt Internet services. DoS attacks can take several forms and can be categorized according to several parameters.

In particular, in this study we differentiate denial of service attacks based on where the attack is generated. Normal DoS attacks are generated by a single host (or a small number of hosts at the same location). The only real way for such DoS attacks to pose a real threat is to exploit some software or design flaw. Such flaws can include, for example, wrong implementations of the IP stack, which crash the whole host when receiving a non-standard IP packet. Such an attack would generally have lower volumes of data. Unless some exploits exist at the victim hosts which have not been fixed, a DoS attack should not pose a real threat to high-end services on today's Internet.

Some solutions to Denial of Service Attacks

The way DoS and DDoS attacks are perpetrated, by exploiting limitations of protocols and applications, is one of the main factors why they are continuously evolving, and because of that presenting new challenges on how to combat or limit their effects. Even if all of these attacks cannot be completely avoided, some basic rules can be followed to protect the network against some, and to limit the extent of the attack:

Make sure the network has a firewall up that aggressively keeps everything out except legal traffic.

Implement router filters. This will lessen the exposure to certain denial-of-service attacks. Additionally, it will aid in preventing users on the network from effectively launching certain denial-of-service attacks.

Install patches to guard against TCP/IP attacks. This will substantially reduce the exposure to these attacks but may not eliminate the risk entirely.

Observe the system performance and establish baselines for ordinary activity. Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic.
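The last rule, establishing a baseline and gauging readings against it, is the one that needs code to be useful. The following is an added example (not the paper's own) of the simplest workable form: summarise each metric's readings from a known-normal period as a mean and standard deviation, then flag any new reading more than three standard deviations away. The metric names, the sample values and the three-sigma threshold are assumptions made for this example.

```python
import statistics
from typing import Dict, List, Tuple

# Constructed baseline: ten readings per metric taken during a period known to be
# normal (CPU %, outbound Mbit/s, disk IOPS). The numbers are invented for the example.
BASELINE_SAMPLES: Dict[str, List[float]] = {
    "cpu_pct":   [20, 22, 19, 21, 23, 20, 22, 21, 19, 20],
    "net_mbps":  [12.1, 11.8, 12.5, 13.0, 11.9, 12.4, 12.2, 12.8, 11.7, 12.3],
    "disk_iops": [140, 155, 150, 160, 145, 150, 148, 152, 158, 142],
}

Baseline = Tuple[float, float]  # (mean, sample standard deviation)


def build_baselines(samples: Dict[str, List[float]]) -> Dict[str, Baseline]:
    """Summarise each metric's normal range as mean and standard deviation.
    Two samples is the bare minimum; fewer cannot define 'ordinary activity'."""
    baselines = {}
    for metric, values in samples.items():
        if len(values) < 2:
            raise ValueError(f"{metric}: need at least two samples to build a baseline")
        baselines[metric] = (statistics.fmean(values), statistics.stdev(values))
    return baselines


def z_score(value: float, baseline: Baseline) -> float:
    mean, stdev = baseline
    if stdev == 0:
        # A perfectly flat baseline: any change at all is a deviation.
        return float("inf") if value != mean else 0.0
    return (value - mean) / stdev


def is_anomalous(value: float, baseline: Baseline, threshold: float = 3.0) -> bool:
    """Flag readings more than `threshold` standard deviations from the baseline mean.
    Both directions count: a sudden drop in traffic can signal an outage as well."""
    return abs(z_score(value, baseline)) > threshold


def evaluate(readings: Dict[str, float], baselines: Dict[str, Baseline],
             threshold: float = 3.0) -> List[str]:
    """Return the metrics whose current reading falls outside the baseline.
    Metrics with no baseline are reported too, so a new counter is never silently ignored."""
    flagged = []
    for metric, value in readings.items():
        if metric not in baselines or is_anomalous(value, baselines[metric], threshold):
            flagged.append(metric)
    return flagged


if __name__ == "__main__":
    base = build_baselines(BASELINE_SAMPLES)
    now = {"cpu_pct": 22.0, "net_mbps": 85.0, "disk_iops": 150.0}   # constructed readings
    for metric in evaluate(now, base):
        mean, stdev = base[metric]
        print(f"ALERT {metric}: {now[metric]} vs baseline {mean:.1f} +/- {stdev:.1f} "
              f"(z={z_score(now[metric], base[metric]):.1f})")
```

The baseline must come from a period you have already verified as clean; a baseline captured during an ongoing attack simply teaches the monitor that the attack is normal.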

Firewalls

By far the most common security measure these days is a firewall. A lot of confusion surrounds the concept of a firewall, but it can basically be defined as any perimeter device that permits or denies traffic based on a set of rules configured by the administrator. Thus a firewall may be as simple as a router with access-lists, or as complex as a set of modules distributed through the network controlled from one central location.

The firewall protects everything 'behind' it from everything in front of it. Usually the 'front' of the firewall is its Internet facing side, and the 'behind' is the internal network. The way firewalls are designed to suit different types of networks is called the firewall topology.

There are also packages that are meant for individual desktops and are fairly easy to use. The first thing they do is make the machine invisible to pings and other network probes. Most of them also let you

choose what programs are allowed to access the Internet, therefore you can allow your browser and mail client, but if you see some suspicious program trying to access the network, you can disallow it. This is a form of 'egress filtering' or outbound traffic filtering and provides very good protection against Trojan horse programs and worms.

However firewalls are no cure-all solution to network security woes. A firewall is only as good as its rule set and there are many ways an attacker can find common misconfigurations and errors in the rules. For example, say the firewall blocks all traffic except traffic originating from port 53 (DNS) so that everyone can resolve names; the attacker could then use this rule to his advantage. By changing the source port of his attack or scan to port 53, the firewall will allow all of his traffic through because it assumes it is DNS traffic. Bypassing firewalls is a whole study in itself and one which is very interesting especially to those with a passion for networking as it normally involves misusing the way TCP and IP are supposed to work. That said, firewalls today are becoming very sophisticated and a well installed firewall can severely thwart a would-be attacker's plans.

It is important to remember the firewall does not look into the data section of the packet, thus if you have a webserver that is vulnerable to a CGI exploit and the firewall is set to allow traffic to it, there is no way the firewall can stop an attacker from attacking the webserver because it does not look at the data inside the packet. This would be the job of an intrusion detection system (covered further on).

Partitioning and Protecting Network Boundaries with Firewalls

A firewall is a mechanism by which a controlled barrier is used to control network traffic into and out of an organizational intranet. Firewalls are basically application specific routers. They run on dedicated embedded systems such as an internet appliance or they can be software programs running on a general server platform. In most cases these systems will have two network interfaces, one for the external network such as the Internet and one for the internal intranet side. The firewall process can tightly control what is allowed to traverse from one side to the other. Firewalls can range from being fairly simple to very complex.

As with most aspects of security, deciding what type of firewall to use will depend upon factors such as traffic levels, services needing protection and the complexity of rules required. The greater the number of services that must be able to traverse the firewall, the more complex the requirement becomes. The difficulty for the firewalls is distinguishing between legitimate and illegitimate traffic.

What do firewalls protect against and what protection do they not provide? Firewalls are like a lot of things; if configured correctly they can be a reasonable form of protection from external threats including some denial of service (DoS) attacks. If not configured correctly they can be major security holes in an organization. The most basic protection a firewall provides is the ability to block network traffic to certain destinations. This includes both IP addresses and particular network service ports. A site that wishes to provide external access to a web server can restrict all traffic to port 80 (the standard HTTP port).

Usually this restriction will only be applied for traffic originating from the untrusted side. Traffic from the trusted side is not restricted. All other traffic such as mail traffic, FTP, SNMP, etc. would not be allowed across the firewall and into the intranet. An example of a simple firewall is shown in [Figure 1].

Figure 1

An even simpler case is a firewall often used by people with home or small business cable or DSL routers. Typically these firewalls are set up to restrict ALL external access and only allow services originating from the inside. A careful reader might realize that in neither of these cases is the firewall actually blocking all traffic from the outside. If that were the case how could one surf the web and retrieve web pages? What the firewall is doing is restricting connection requests from the outside. In the first case all connection requests from the inside are passed to the outside as well as all subsequent data transfer on that connection. From the exterior, only a connection request to the web server is allowed to complete and

pass data; all others are blocked. The second case is more stringent as connections can only be made from the interior to the exterior.

More complex firewall rules can utilize what is called stateful inspection techniques. This approach adds to the basic port blocking approach by looking at traffic behaviors and sequences to detect spoof attacks and denial of service attacks.
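The difference between the port-blocking rule set and stateful inspection is easiest to see by running the same packets through both. The following is an added example (not the paper's code and not any real firewall's configuration) that simulates the two policies described in this section: the "source port 53 is always allowed" misconfiguration from the earlier Firewalls section, and a stateful filter with the same intent that admits an inbound packet only when it answers a connection the state table already knows. The topology (10.0.0.0/24 inside, 10.0.0.80 as the public web server), the `Packet` type and the scenario packets are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed topology: 10.0.0.0/24 is the protected intranet and 10.0.0.80 its public
# web server; outside hosts use documentation address ranges. All values are invented.
INTERNAL_PREFIX = "10.0.0."
WEB_SERVER = "10.0.0.80"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False
    ack: bool = False


def from_inside(pkt: Packet) -> bool:
    return pkt.src.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> str:
    """The misconfigured rule set from the text: to let DNS answers back in, the
    administrator allows anything whose *source* port is 53."""
    if from_inside(pkt):
        return "ALLOW"                                   # trusted side is unrestricted
    if pkt.dst == WEB_SERVER and pkt.dport == 80 and pkt.proto == "tcp":
        return "ALLOW"                                   # the public web service
    if pkt.sport == 53:
        return "ALLOW"                                   # the hole: the source port is attacker-chosen
    return "DROP"


class StatefulFirewall:
    """Same intent, but inbound packets are admitted only if they belong to a
    connection the state table already knows about."""

    def __init__(self) -> None:
        # entries are (inside_ip, inside_port, outside_ip, outside_port, proto)
        self.table: Set[Tuple[str, int, str, int, str]] = set()

    def filter(self, pkt: Packet) -> str:
        if from_inside(pkt):
            # Outbound traffic is allowed and recorded so its replies can come back.
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ALLOW"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.table:
            return "ALLOW"                               # reply to something we initiated
        if (pkt.dst == WEB_SERVER and pkt.dport == 80 and pkt.proto == "tcp"
                and pkt.syn and not pkt.ack):
            self.table.add(key)                          # a new inbound web connection
            return "ALLOW"
        return "DROP"                                    # a source port of 53 earns nothing here


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Run four constructed packets through both filters; returns {name: (stateless, stateful)}."""
    fw = StatefulFirewall()
    packets = [
        ("dns_query", Packet("10.0.0.5", "203.0.113.53", 40000, 53, "udp")),
        ("dns_reply", Packet("203.0.113.53", "10.0.0.5", 53, 40000, "udp")),
        # An unsolicited probe of an internal host's SSH port, dressed up with source port 53
        ("probe_sport53", Packet("203.0.113.7", "10.0.0.5", 53, 22, "tcp", syn=True)),
        ("web_syn", Packet("198.51.100.23", WEB_SERVER, 50512, 80, "tcp", syn=True)),
    ]
    return {name: (stateless_filter(p), fw.filter(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:14s} stateless={stateless:5s} stateful={stateful}")
```

Both filters pass the legitimate DNS reply and the inbound web connection; only the stateful one drops the probe, because nothing inside ever opened a connection that the probe could be an answer to. A real state table also needs timeouts and TCP state tracking (for example, expiring entries after a FIN or RST), which this simulation leaves out.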

Anti-Virus System

Everyone is familiar with the desktop version of anti-virus packages like Norton Antivirus and McAfee. The way these operate is fairly simple -- when researchers find a new virus, they figure out some unique characteristic it has (maybe a registry key it creates or a file it replaces) and out of this they write the virus 'signature'.

The whole load of signatures that your antivirus scans for is what is known as the virus 'definitions'. This is the reason why keeping your virus definitions up-to-date is very important. Many anti-virus packages have an auto-update feature for you to download the latest definitions. The scanning ability of your software is only as good as the date of your definitions. In the enterprise, it is very common for admins to install anti-virus software on all machines, but there is no policy for regular update of the definitions. This is meaningless protection and serves only to provide a false sense of security.

With the recent spread of email viruses, anti-virus software at the MTA (Mail Transfer Agent, also known as the 'mail server') is becoming increasingly popular. The mail server will automatically scan any email it receives for viruses and quarantine the infections. The idea is that since all mail passes through the MTA, this is the

logical point to scan for viruses. Given that most mail servers have a permanent connection to the Internet, they can regularly download the latest definitions. On the downside, these can be evaded quite simply. If you zip up the infected file or trojan, or encrypt it, the anti-virus system may not be able to scan it.
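The two points made about anti-virus above, that detection is only as good as the definitions in use and that an archive can hide a known sample from a naive scanner, can both be shown in a few dozen lines. The following is an added example (not the paper's code and not how any named vendor's product works) of a signature scanner whose definitions are a pattern or a SHA-256 hash per sample, and which recurses into zip archives with depth and size limits rather than stopping at the container. The "malware" samples, definition names and limits are all constructed for this example.

```python
import hashlib
import io
import zipfile
from typing import Dict, List, Tuple

MAX_MEMBER_BYTES = 5 * 1024 * 1024   # refuse to inflate archive members past this (zip-bomb guard)
MAX_DEPTH = 3                        # nested archives deeper than this are reported, not scanned

# Constructed sample bodies and definitions. The markers, names and hashes are invented;
# real definitions are distributed by the vendor and are far more numerous.
SAMPLE_OLD = b"MZ" + b"\x00" * 64 + b"constructed dropper body DROPPER-MARK-0001" + b"\x00" * 64
SAMPLE_NEW = b"MZ" + b"\x00" * 64 + b"constructed dropper body DROPPER-MARK-0002" + b"\x00" * 64

DEFINITIONS_V1: Dict[str, Dict[str, object]] = {
    "Constructed.Dropper.A": {"pattern": b"DROPPER-MARK-0001"},
}
# The "updated" definitions add a hash for the newer sample; a scanner still on V1 misses it.
DEFINITIONS_V2: Dict[str, Dict[str, object]] = {
    **DEFINITIONS_V1,
    "Constructed.Dropper.B": {"sha256": hashlib.sha256(SAMPLE_NEW).hexdigest()},
}

Finding = Tuple[str, str]   # (object label, detection name or UNSCANNED reason)


def scan_bytes(data: bytes, definitions: Dict[str, Dict[str, object]]) -> List[str]:
    """Match one blob against every definition: byte pattern or whole-file hash."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for name, sig in definitions.items():
        if "pattern" in sig and sig["pattern"] in data:
            hits.append(name)
        elif "sha256" in sig and sig["sha256"] == digest:
            hits.append(name)
    return hits


def scan_object(label: str, data: bytes, definitions: Dict[str, Dict[str, object]],
                depth: int = 0) -> List[Finding]:
    """Scan a blob and, if it is a zip archive, every member inside it (recursively).
    Anything that cannot be scanned is reported as UNSCANNED so the MTA can quarantine it
    instead of silently passing it on."""
    findings: List[Finding] = [(label, hit) for hit in scan_bytes(data, definitions)]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [(label, "UNSCANNED: archive nesting too deep")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            inner = f"{label}/{member.filename}"
            # file_size is the declared size; a stricter scanner also caps bytes actually read.
            if member.file_size > MAX_MEMBER_BYTES:
                findings.append((inner, "UNSCANNED: member too large"))
                continue
            try:
                content = zf.read(member)
            except RuntimeError:
                # zipfile raises RuntimeError for an encrypted member when no password is given
                findings.append((inner, "UNSCANNED: encrypted member"))
                continue
            findings.extend(scan_object(inner, content, definitions, depth + 1))
    return findings


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from {name: content} (used to construct test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    attachment = make_zip({"inner.zip": make_zip({"invoice.exe": SAMPLE_OLD}),
                           "notes.txt": b"quarterly notes"})
    for label, result in scan_object("mail.zip", attachment, DEFINITIONS_V1):
        print(f"{label}: {result}")
```

An encrypted archive still defeats this scanner, exactly as the text says; the defensible response is the UNSCANNED finding, which lets the mail server quarantine or reject what it could not inspect rather than treating "no hits" as "clean".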

End users must be taught how to respond to anti-virus alerts. This is especially true in the enterprise -- an attacker doesn't need to try and bypass your fortress-like firewall if all he has to do is email trojans to a lot of people in the company. It just takes one uninformed user to open the infected package and he will have a backdoor to the internal network.

It is advisable that the IT department gives a brief seminar on how to handle email from untrusted sources and how to deal with attachments. These are very common attack vectors simply because you may harden a computer system as much as you like, but the weak point still remains the user who operates it. As crackers say, 'The human is the path of least resistance into the network'.

Tools an Attacker Uses

General Network Tools

As surprising as it might sound, some of the most powerful tools especially in the beginning stages of an attack are the regular network tools available with most operating systems. For example, an attacker will usually query the 'whois' databases for information on the target. After that he might use 'nslookup' to see if he can transfer the whole contents of their DNS zone (called a zone transfer -- big surprise!!). This will let him identify high profile targets such as

webservers, mailservers, DNS servers etc. He might also be able to figure out what different systems do based on their DNS name -- for example sqlserver.victim.com would most likely be a database server. Other important tools include traceroute to map the network and ping to check which hosts are alive. You should make sure your firewall blocks ping requests and traceroute packets.

Exploits

An exploit is a generic term for the code that actually 'exploits' a vulnerability in a system. The exploit can be a script that causes the target machine to crash in a controlled manner (eg: a buffer overflow) or it could be a program that takes advantage of a misconfiguration. A 0-day exploit is an exploit that is unknown to the security community as a whole. Since most vulnerabilities are patched within 24 hours, 0-day exploits are the ones that the vendor has not yet released a patch for. Attackers keep large collections of exploits for different systems and different services, so when they attack a network, they find a host running a vulnerable version of some service and then use the relevant exploit.

Port Scanners

Most of you will know what portscanners are. Any system that offers TCP or UDP services will have an open port for that service. For example if you're serving up webpages, you'll likely have TCP port 80 open, FTP is TCP port 20/21, Telnet is TCP 23, SNMP is UDP port 161 and so on. A portscanner scans a host or a range of hosts to determine what ports are open and what service is running on them. This tells the attacker which systems can be attacked.

For example, if I scan a webserver and find that port 80 is running an old webserver -- IIS/4.0, I can target this system with my collection of exploits for IIS 4. Usually the port scanning will be conducted at the start of the attack, to determine which hosts are interesting. This is when the attacker is still footprinting the network -- feeling his way around to get an idea of what type of services are offered and what operating systems are in use etc. One of the best portscanners around is Nmap (http://www.insecure.org/nmap). Nmap runs on just about every operating system, is very versatile in how it lets you scan a system and has many features including OS fingerprinting, service version scanning and stealth scanning. Another popular scanner is Superscan (http://www.foundstone.com) which is only for the Windows platform.
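Since the text says port scanning is normally the first visible step of an attack, the defender's side of this section is recognising it in the firewall log. The following is an added example (not the paper's code and not tied to any real firewall's log format) of the two classic patterns: one source trying many ports on one host within a short window (a port scan) and one source trying the same port on many hosts (a sweep). The log line format, the thresholds, the window and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Log format assumed for this example (constructed, loosely modelled on packet-filter logs):
#   <iso-timestamp> <ACTION> src=<ip> dst=<ip> proto=<TCP|UDP> sport=<n> dport=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Turn one log line into a dict; unparseable lines return None and are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def detect_scans(lines: List[str], window: timedelta = timedelta(seconds=60),
                 port_threshold: int = 10, host_threshold: int = 10) -> List[Dict]:
    """Slide a time window over each source's events and raise at most one alert per source:
    'port-scan' when one destination sees >= port_threshold distinct ports,
    'host-sweep' when one destination port is tried on >= host_threshold distinct hosts."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                       # drop events older than the window
            win = evs[start:end + 1]
            ports_per_host: Dict[str, set] = defaultdict(set)
            hosts_per_port: Dict[int, set] = defaultdict(set)
            for e in win:
                ports_per_host[e["dst"]].add(e["dport"])
                hosts_per_port[e["dport"]].add(e["dst"])
            host, ports = max(ports_per_host.items(), key=lambda kv: len(kv[1]))
            if len(ports) >= port_threshold:
                alerts.append({"kind": "port-scan", "src": src, "target": host, "count": len(ports)})
                break
            port, hosts = max(hosts_per_port.items(), key=lambda kv: len(kv[1]))
            if len(hosts) >= host_threshold:
                alerts.append({"kind": "host-sweep", "src": src, "target": f"port {port}", "count": len(hosts)})
                break
    return alerts


def build_sample_log() -> List[str]:
    """Constructed log: a port scan, a sweep, a normal client and one malformed line."""
    base = datetime(2019, 7, 29, 10, 0, 0)
    fmt = "{ts} DROP src={src} dst={dst} proto=TCP sport={sport} dport={dport}"
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        lines.append(fmt.format(ts=(base + timedelta(seconds=2 * i)).isoformat(),
                                src="203.0.113.7", dst="10.0.0.5", sport=51000 + i, dport=port))
    for i in range(11):
        lines.append(fmt.format(ts=(base + timedelta(seconds=30 + i)).isoformat(),
                                src="203.0.113.9", dst=f"10.0.0.{20 + i}", sport=40000 + i, dport=445))
    for i in range(4):   # a legitimate client retrying HTTPS is not a scan
        lines.append(fmt.format(ts=(base + timedelta(seconds=5 * i)).isoformat(),
                                src="198.51.100.23", dst="10.0.0.80", sport=60000 + i, dport=443))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for a in detect_scans(build_sample_log()):
        print(f"{a['kind']:10s} from {a['src']} against {a['target']} ({a['count']} distinct)")
```

The thresholds trade sensitivity for noise: too low and a busy proxy or a vulnerability scanner run by your own admins (see the section on those tools) will trip it; too high and a slow scan that spreads its probes across hours slips under the window. Slow scans are the reason real detectors also keep longer-term per-source counters.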

Network Sniffers

A network sniffer puts the computer's NIC (network interface card or LAN card) into 'promiscuous mode'. In this mode, the NIC picks up all the traffic on its subnet regardless of whether it was meant for it or not. Attackers set up sniffers so that they can capture all the network traffic and pull out logins and passwords. The most popular network sniffer is TCPdump as it can be run from the command line -- which is usually the level of access a remote attacker will get. Other popular sniffers are Iris and Ethereal. When the target network is a switched environment (a network which uses layer 2 switches), a conventional network sniffer will not be of any use. For such cases, the switched network sniffer Ettercap (http://ettercap.sourceforge.net) and WireShark

    (http://www.wireshark.org) are very popular. Such programs are

    usually run with other hacking capable applications that allow the

    attacker to collect passwords, hijack sessions, modify ongoing

    connections and kill connections. Such programs can even sniff

    secured communications like SSL (used for secure webpages) and

    SSH1 (Secure Shell - a remote access service like telnet, but

    encrypted).

Vulnerability Scanners

A vulnerability scanner is like a port scanner on steroids: once it has identified which services are running, it checks the system against a large database of known vulnerabilities and then prepares a report on what security holes are found. The software can be updated to scan for the latest security holes. Unfortunately these tools are very simple to use, so many script kiddies simply point them at a target machine to find out what they can attack. The most popular ones are Retina (http://www.eeye.com), Nessus (http://www.nessus.org) and GFI LanScan (http://www.gfi.com). These are very useful tools for admins as well, as they can scan their whole network and get a detailed summary of what holes exist.

Password Crackers

Once an attacker has gained some level of access, he/she usually goes after the password file on the relevant machine. In UNIX-like systems this is the /etc/passwd or /etc/shadow file, and in Windows it is the SAM database. Once he gets hold of this file it's usually game over: he runs it through a password cracker that will usually guarantee him further access. Running a password cracker against your own password files can be a scary and enlightening experience. L0phtcrack cracked my old password fR7x!5kK after being left on for just one night!

There are essentially two methods of password cracking:

Dictionary Mode - In this mode, the attacker feeds the cracker a word list of common passwords such as 'abc123' or 'password'. The cracker will try each of these passwords and note where it gets a match. This mode is useful when the attacker knows something about the target. Say I know that the passwords for the servers in your business are the names of Greek gods (yes Chris, that's a shout-out to you ;)). I can find a dictionary list of Greek god names and run it through the password cracker.

Most attackers have a large collection of wordlists. For example, when I do penetration testing work I usually use common password lists, Indian name lists and a couple of customized lists based on what I know about the company (usually data I pick up from their company website). Many people think that adding a couple of numbers at the start or end of a password (for example 'superman99') makes the password very difficult to crack. This is a myth, as most password crackers have the option of adding numbers to the end of words from the wordlist. While it may take the attacker 30 minutes more to crack your password, it does not make it much more secure.

Brute Force Mode - In this mode, the password cracker will try every possible combination for the password. In other words it will try aaaaa, aaaab, aaaac, aaaad, etc. This method will crack every possible password -- it's just a matter of how long it takes. It can turn up surprising results because of the power of modern computers. A 5-6 character alphanumeric password is crackable within a matter of a few hours or maybe a few days, depending on the speed of the software and machine. Powerful crackers include L0phtcrack for Windows passwords and John the Ripper for UNIX-style passwords.

For each category I have listed one or two tools as an example. At the end of this article I will present a more detailed list of tools with descriptions and possible uses.

Password Attacks

Password-guessing attacks are one of the most popular aspects of penetration testing. Passwords come from a lot of places: you can guess them, you can find them lying around in files, and in some cases you can obtain them from the operating system. Passwords obtained from the operating system are sometimes in the clear or are reversibly encrypted, and sometimes they are stored as a hash, often known as a password verifier. A hashing function is designed to take an input and convert it to an output in a non-reversible manner, so you will sometimes see password verifiers referred to as an OWF (one-way function).

Password hashes are typically attacked (or cracked) using a combination of dictionary attacks and brute-force methods. With a dictionary attack, the attacker obtains a large list of words and feeds the list and the password hashes to the cracking tool. A brute force attack in its simplest form iterates through all possible passwords using a specified character set. For example, aaa would be followed by aab, aac, and so on. Although password attacks seem simple, there can be more to them than is obvious at first.
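As an added illustration (this is not code from the paper), here is how a password verifier of the kind just described is produced and checked: a salted PBKDF2-HMAC-SHA256 derivation stands in for the one-way function, and an audit routine runs a small wordlist against your own verifier store, which is the check the Password Crackers section recommends admins perform. The iteration count, salt size, store layout and sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Example parameters (constructed for this illustration, not taken from the
# text): PBKDF2-HMAC-SHA256 with a per-account random salt.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted one-way verifier for storage.

    The stored string carries everything needed to re-run the derivation
    (algorithm, iteration count, salt, digest) but nothing from which the
    password itself can be recovered.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Re-derive the verifier from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_verifiers(store: Dict[str, str], wordlist: List[str]) -> List[str]:
    """Dictionary-check your own verifier store, as the text recommends.

    Returns the accounts whose password appears in `wordlist`. Because the
    verifier is one-way, the only way to test a candidate is to re-derive it,
    and the per-account salt means every candidate must be derived once per
    account rather than once for the whole file.
    """
    weak = []
    for account, stored in store.items():
        if any(check_password(candidate, stored) for candidate in wordlist):
            weak.append(account)
    return weak


if __name__ == "__main__":
    # Constructed sample store: two accounts, one using a wordlist password.
    store = {"alice": make_verifier("password"), "bob": make_verifier("fR7x!5kK")}
    print("weak accounts:", audit_verifiers(store, ["abc123", "password"]))
```

The salt is what separates this from a bare hash: two accounts with the same password get different verifiers, so a precomputed table of hashes for a wordlist cannot be reused across accounts, and the iteration count is what makes each candidate guess cost the attacker as much as it costs the legitimate login.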

Where to Find Passwords

Passwords are found in many places. Most likely, they will be associated with user accounts, either locally or collected into a domain. Passwords can also frequently be found in places like the following:

- In batch files and scripts
- On web pages
- In helpful applications and operating systems that offer to save passwords for you
- In service accounts, and in DCOM objects configured to run as a particular user
- Under users' keyboards and on sticky notes on the monitor
- In Microsoft Excel spreadsheets hidden on a share
- In text files, such as AdminPasswords.txt, that are hidden deep inside a server the user hopes you'll never get into
- On the network, especially where services accepting clear-text passwords run
- In files left during software installation
- In Simple Network Management Protocol (SNMP) community strings
- Associated with password-protected files

All the locations in the preceding list were used during actual penetration tests. One penetration tester who worked for a major auditing firm had a batch file that he ran on systems to collect all the file types he knew about that might contain passwords. It is a useful approach. Remember that automated tools don't do a very good job of finding passwords hidden in odd places, so this batch file technique will often get you into systems even where routine network scans occur.

Brute Force Attacks

A brute force attack typically consists of two different approaches: the first approach is a dictionary attack, and the second approach is to simply try all possible passwords within a key space. These two approaches can be combined, either by appending all possible characters to a dictionary word or by making common substitutions, such as 1 for I, or 4 for a. Brute force attacks can be launched against both online systems and password hashes that you have obtained.

Performing these attacks seems simple, but there are some twists you need to take into account. Let's also get an idea of the scale of the problem. In general, the number of possible passwords is given by:

    Number of Passwords = (key space) ^ length

Number of Possible Passwords for Common Scenarios

    Key space                                  Possible characters   Length   Number of passwords
    Case-insensitive alpha characters (a-z)    26                    7        8.03E+09
    Case-sensitive alpha characters            52                    7        1.03E+12
    Alphanumeric characters                    62                    7        3.52E+12
    US English keyboard characters             94                    7        6.48E+13
    Case-insensitive alpha characters (a-z)    26                    7        1.68E+21
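The formula above, worked through as an added example (Python written for this edit, not taken from the paper). Beyond reproducing the table it turns the count into the two figures a defender actually sizes a policy on: how long exhausting the key space takes at a given guess rate, and the shortest length that survives a given attacker budget. The 50-per-minute online rate is the one quoted later in the text; the offline rate and ten-year horizon are constructed figures.

```python
import math
from typing import Dict

# Character-set sizes from the table above.
KEY_SPACES: Dict[str, int] = {
    "case-insensitive alpha (a-z)": 26,
    "case-sensitive alpha": 52,
    "alphanumeric": 62,
    "US English keyboard": 94,
}


def number_of_passwords(key_space: int, length: int) -> int:
    """Number of Passwords = (key space) ^ length, exactly as the text states."""
    return key_space ** length


def entropy_bits(key_space: int, length: int) -> float:
    """The same quantity expressed in bits: length * log2(key space)."""
    return length * math.log2(key_space)


def seconds_to_exhaust(key_space: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every password at a given rate."""
    return number_of_passwords(key_space, length) / guesses_per_second


def minimum_length(key_space: int, guesses_per_second: int, seconds: int) -> int:
    """Smallest length whose key space cannot be exhausted within `seconds`
    at `guesses_per_second`: the figure a password policy should be sized on."""
    budget = guesses_per_second * seconds
    length = 1
    while number_of_passwords(key_space, length) < budget:
        length += 1
    return length


def keyspace_table(length: int = 7) -> Dict[str, int]:
    """Reproduce the 'Number of passwords' column of the table for one length."""
    return {name: number_of_passwords(size, length) for name, size in KEY_SPACES.items()}


if __name__ == "__main__":
    for name, count in keyspace_table(7).items():
        print(f"{name:32} {count:.2E}")
    # Online rate from the text: about 50 guesses a minute.
    online_rate = 50 / 60
    years = seconds_to_exhaust(26, 7, online_rate) / (365 * 86400)
    print(f"26^7 at 50 guesses/min: about {years:.0f} years")
    # Constructed offline budget: 10^10 guesses/s sustained for ten years.
    print("alphanumeric length needed:", minimum_length(62, 10**10, 10 * 365 * 86400))
```

Two things the table does not show fall out directly: at the 50-per-minute online rate even 26^7 takes centuries to exhaust, which is why the text turns to dictionary attacks for online testing, while against an offline cracker at ten billion guesses a second a seven-character alphanumeric space lasts minutes. Note also that by this formula 26^15 is about 1.68E+21, the figure in the table's last row.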

Online Password Testing

Online password testing is the process of attempting to find passwords by attempting a logon. Any service that allows you to authenticate can be used. Online password testing (sometimes called password grinding) is much slower than offline testing; a typical password attempt rate might be on the order of 50 passwords a minute. As you might imagine, a true brute force attack takes a lot longer. Under these conditions, trying millions of passwords simply isn't an option. A better approach is a dictionary attack. The following password types will get you into many networks:

- Blank: using no password is much too common an occurrence.
- 'password' as the password: this is the most common non-blank password, even in non-English-speaking countries.
- Password same as machine name: try lowercase, uppercase and mixed-case variations.

There are a number of issues to be concerned about with online password testing: locking out accounts, placing load on the system, and being detected. Account lockouts, especially permanent lockouts, can create a serious denial of service (DoS) condition. Most operating systems and network devices can be configured to lock out accounts based on a certain number of failed passwords, the length of time between failures, and the length of lockout. You can use certain strategies to determine whether lockouts are in place, but first, experiment. Before you crank up a tool that will grind away at the passwords for an entire domain, try your strategy on one user and see what happens. In some cases, you will be able to determine that you are being locked out. Windows systems will tell you the lockout policy if you have user-level access.

If you are faced with lockouts, one strategy is to try a single password for all the users, then start the user list over again with the next password. However, a very large user database might keep you from trying passwords often enough to cause lockouts. If you are checking a small user database, all you can do is try fewer passwords than will trigger a lockout, wait, and then try some more. Typically, you won't find many passwords using brute force attacks. On most networks, you can get into plenty of systems using the very weak passwords listed earlier. One exception to this is when you find a password by other means and you want to discover where else it is used. For example, if you find one system for which the administrator password is Passw0rd!, you should check other systems for use of the password. Frequently, checking other systems on the network for a discovered password is a productive approach.
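The lockout discussion above describes two patterns a defender sees in authentication logs: one account hammered with many failures in a short time, and one source trying a single password against every user so that no single account reaches the lockout threshold. As an added example (not code from the paper), the following detector flags both over a constructed sshd-style log. The log format, the thresholds, the window length and the addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log in a simplified sshd-style format; this is not a
# capture from any real system.
SAMPLE_LOG = """\
2024-05-01T09:00:01 Failed password for alice from 203.0.113.5
2024-05-01T09:00:03 Failed password for bob from 203.0.113.5
2024-05-01T09:00:05 Failed password for carol from 203.0.113.5
2024-05-01T09:00:07 Failed password for dave from 203.0.113.5
2024-05-01T09:00:09 Failed password for erin from 203.0.113.5
2024-05-01T09:00:11 Failed password for frank from 203.0.113.5
2024-05-01T09:10:00 Failed password for root from 198.51.100.7
2024-05-01T09:10:20 Failed password for root from 198.51.100.7
2024-05-01T09:10:40 Failed password for root from 198.51.100.7
2024-05-01T09:11:00 Failed password for root from 198.51.100.7
2024-05-01T09:11:20 Failed password for root from 198.51.100.7
2024-05-01T09:11:40 Failed password for root from 198.51.100.7
2024-05-01T09:30:00 Failed password for alice from 192.0.2.10
2024-05-01T09:30:15 Accepted password for alice from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a record, or None if it is not an auth event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def max_in_window(stamps: List[datetime], window_seconds: int) -> int:
    """Largest number of events that fall inside any window of the given length."""
    stamps = sorted(stamps)
    best = start = 0
    for end, t in enumerate(stamps):
        while (t - stamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window_seconds=600, fail_threshold=5, spray_users=5) -> Dict[str, list]:
    """Flag (user, ip) pairs with repeated failures inside one window, and
    source addresses that fail against many distinct accounts: the
    one-password-per-user sweep that stays under per-account lockout limits."""
    failures = defaultdict(list)          # (user, ip) -> failure timestamps
    users_per_source = defaultdict(set)   # ip -> accounts it failed against
    for line in lines:
        rec = parse_line(line)
        if rec and rec["outcome"] == "Failed":
            failures[(rec["user"], rec["ip"])].append(rec["ts"])
            users_per_source[rec["ip"]].add(rec["user"])
    brute_force = sorted(
        target for target, stamps in failures.items()
        if max_in_window(stamps, window_seconds) >= fail_threshold
    )
    spray = sorted(ip for ip, users in users_per_source.items() if len(users) >= spray_users)
    return {"brute_force": brute_force, "spray": spray}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```

A per-account failure counter alone, which is what the lockout policy implements, sees only one failure per user from 203.0.113.5 and stays silent; it is the per-source count of distinct accounts that exposes the sweep, so the two views need to be kept side by side. A lone mistyped password followed by a success (alice from 192.0.2.10) trips neither rule.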

Offline Password Testing

Offline password testing is sometimes known as cracking passwords and is named after Crack, which is a tool created by Alec Muffett to test passwords from UNIX systems' password files. There are a number of these tools, so a feature comparison is not feasible here.

Threats to Web services differ from service to service, but here are some common threats that you should look for in your penetration tests (assuming your organization provides a Web service):

- Unauthorized Access
- Network Sniffing
- Tampering
- Information Disclosure

Unauthorized Access

Unless your organization provides free public Web services, special care should be taken to ensure that only authorized users are accessing these services. This is even more important when your Web service handles sensitive information such as credit card numbers and social security numbers. When you are testing your organization's Web service for unauthorized access threats, look for credentials being passed as clear text in SOAP messages, use of weak authentication schemes, or, worse yet, no authentication at all.

Countermeasures

Your organization should be protecting its Web services from unauthorized use with mechanisms such as password digests, Kerberos tickets, or X.509 certificates in SOAP authentication headers.

Network Sniffing

Network sniffing refers to an attacker eavesdropping on communications between hosts. Your organization's Web service could be transmitting sensitive data, so the communications of these services are prime targets for attackers. Attackers might also try at a later time to replay the communications they have captured. During your penetration tests, look for weaknesses such as transmitting credentials in clear text in SOAP messages, failing to use transport security, and not authenticating messages.

Countermeasures

In addition to the general countermeasures to network sniffing threats, there are those provided by the Web Services Enhancements (WSE) for the .NET Framework.

Tampering

Even though messages are routed between your organization's Web services and clients, attackers might try to tamper with the data in those messages, through MITM (man-in-the-middle) attacks, for example. Look for Web service communications that are not protected by transport security or by some authentication scheme.

Countermeasures

Digitally signing messages can provide recipients with confirmation that communications have not been modified. Also, communicating over secure transports will greatly help in mitigating tampering threats.
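The Network Sniffing and Tampering countermeasures above (authenticating messages, signing them, and guarding against replay of captured traffic) can be shown together in one added example. This is not code from the paper or from WSE: it uses a shared-key HMAC in place of a certificate-based digital signature, which gives the same "has this message been modified" check with simpler key handling, and it binds a timestamp and a nonce into the signed material so that a captured message cannot be replayed later. The envelope layout, field names, freshness window and demo clock are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Callable, Dict, List, Tuple

# Envelope layout is constructed for this example; it is not WS-Security or
# any other real SOAP header format. Only these fields are covered by the MAC.
SIGNED_FIELDS = ("body", "ts", "nonce")


class MessageAuthenticator:
    """Signs outgoing messages and verifies incoming ones with a shared key.

    Three checks run in order: the MAC over body+timestamp+nonce (detects
    tampering), a freshness window (bounds how old a message may be), and a
    set of nonces already accepted (rejects replay inside that window).
    """

    def __init__(self, key: bytes, max_age_seconds: float = 300.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._key = key
        self._max_age = max_age_seconds
        self._clock = clock
        self._seen_nonces = set()

    def _mac(self, envelope: Dict[str, object]) -> str:
        material = json.dumps({k: envelope[k] for k in SIGNED_FIELDS}, sort_keys=True)
        return hmac.new(self._key, material.encode("utf-8"), hashlib.sha256).hexdigest()

    def sign(self, body: str) -> Dict[str, object]:
        envelope = {"body": body, "ts": self._clock(), "nonce": os.urandom(12).hex()}
        envelope["mac"] = self._mac(envelope)
        return envelope

    def verify(self, envelope: Dict[str, object]) -> Tuple[bool, str]:
        try:
            expected = self._mac(envelope)
        except KeyError:
            return False, "malformed"
        if not hmac.compare_digest(str(envelope.get("mac", "")), expected):
            return False, "bad signature"
        if abs(self._clock() - float(envelope["ts"])) > self._max_age:
            return False, "stale"
        if envelope["nonce"] in self._seen_nonces:
            return False, "replay"
        self._seen_nonces.add(envelope["nonce"])
        return True, "ok"


def demo() -> List[Tuple[bool, str]]:
    """Walk a client and a service through the four outcomes. The clock and key
    are constructed so the run is deterministic."""
    clock = [1_700_000_000.0]
    key = b"shared-secret-for-demo"          # in practice provisioned out of band
    client = MessageAuthenticator(key, clock=lambda: clock[0])
    service = MessageAuthenticator(key, clock=lambda: clock[0])

    msg = client.sign("<transfer to='acct-1' amount='10'/>")
    results = [service.verify(msg)]                         # genuine message: ok
    results.append(service.verify(msg))                     # same capture again: replay
    tampered = dict(msg, body="<transfer to='acct-1' amount='1000'/>")
    results.append(service.verify(tampered))                # body edited in transit: bad signature
    late = client.sign("<balance/>")
    clock[0] += 600                                         # presented ten minutes later: stale
    results.append(service.verify(late))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The order of the checks matters: the MAC is verified first so that an attacker cannot probe the freshness or nonce logic with forged envelopes, and the nonce is recorded only after a message has passed every other check, so a rejected message cannot poison the seen-set. Swapping the HMAC for an asymmetric signature changes only _mac and the key handling; the timestamp-plus-nonce replay defence stays the same.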

Information Disclosure

Your organization's Web service might expose extraneous information in error messages that could aid an attacker in later attacks. Look for detailed exception traces caused by improperly handled exception data. Also, look for configuration data about your organization's Web service, such as the Web Service Description Language (WSDL) file (static or dynamically generated), that might be exposed to unauthorized users.

Countermeasures

Perform a code and design review of your organization's Web service to ensure that all exceptions are being caught, especially those that inherit from System.Web.Services.Protocols.SoapException. Protect WSDL files with access control lists (ACLs), and disable documentation protocols that dynamically generate this data if these protocols are not required.

Intrusion Detection System

An intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.

IDS come in a variety of flavors and approach the goal of detecting suspicious traffic in different ways. There are network-based (NIDS) and host-based (HIDS) intrusion detection systems. There are IDS that detect by looking for specific signatures of known threats (similar to the way antivirus software typically detects and protects against malware) and there are IDS that detect by comparing traffic patterns against a baseline and looking for anomalies. There are IDS that simply monitor and alert, and there are IDS that perform an action or actions in response to a detected threat. We'll cover each of these briefly.

IDSs have become the 'next big thing', the way firewalls were some time ago. There are basically two types of intrusion detection systems:

- Host based IDS
- Network based IDS

Host based IDS - These are installed on a particular important machine (usually a server or some important target) and are tasked with making sure that the system state matches a particular set baseline. For example, the popular file-integrity checker Tripwire: this program is run on the target machine just after it has been installed. It creates a database of file signatures for the system and regularly checks the current system files against their known 'safe' signatures. If a file has been changed, the administrator is alerted. This works very well, as most attackers will replace a common system file with a trojaned version to give them backdoor access.
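An added example of the host-based file-integrity check just described for Tripwire (this is illustration code written for this edit, not Tripwire itself): a baseline of SHA-256 digests is built for a directory tree, round-tripped through JSON to show it is plain data that can be stored off the host, and later compared against the live tree to report modified, missing and added files. The scratch file tree and the "trojaned" edit in demo() are constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Walk `root` and record a digest for every regular file: the 'database of
    file signatures' taken right after installation."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def check_baseline(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree with the baseline and report what changed."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Build a scratch tree, baseline it, then simulate what an attacker who
    swaps a system binary for a trojaned copy leaves behind."""
    root = tempfile.mkdtemp()
    try:
        files = {"bin/ls": b"original ls", "bin/ps": b"original ps", "etc/passwd": b"root:x:0:0"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)
        # The baseline must live somewhere the attacker cannot rewrite (read-only
        # media or another host); here it is only round-tripped through JSON.
        baseline = json.loads(json.dumps(baseline))

        with open(os.path.join(root, "bin/ls"), "wb") as fh:       # replaced binary
            fh.write(b"trojaned ls")
        os.remove(os.path.join(root, "bin/ps"))                      # removed file
        with open(os.path.join(root, "etc/extra.conf"), "wb") as fh:  # new file
            fh.write(b"dropped by the intruder")
        return check_baseline(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the baseline: if an intruder can rewrite the signature database as easily as the binaries it describes, re-baselining after the compromise hides the change, which is why the text stresses taking the baseline immediately after installation and why the database belongs on read-only or remote storage.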

Network based IDS - These are more popular and quite easy to install. Basically they consist of a normal network sniffer running in promiscuous mode (in this mode the network card picks up all traffic even if it's not meant for it). The sniffer is attached to a database of known attack signatures and the IDS analyses each packet that it picks up to check for known attacks. For example, a common web attack might contain the string '/system32/cmd.exe?' in the URL. The IDS will have a match for this in the database and will alert the administrator.

Newer IDSs support active prevention of attacks: instead of just alerting an administrator, the IDS can dynamically update the firewall rules to disallow traffic from the attacking IP address for some amount of time. Or the IDS can use 'session sniping' to fool both sides of the connection into closing down so that the attack cannot be completed.

Unfortunately IDS systems generate a lot of false positives (a false positive is basically a false alarm, where the IDS sees legitimate traffic and for some reason matches it against an attack pattern). This tempts a lot of administrators into turning them off or, even worse, not bothering to read the logs. This may result in an actual attack being missed.

NIDS

Network intrusion detection systems are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. Ideally you would scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair the overall speed of the network.

HIDS

Host intrusion detection systems are run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected.

Signature Based

A signature-based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS would be unable to detect the new threat.

Anomaly Based

An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline will identify what is normal for that network (what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other) and alert the administrator or user when traffic is detected which is anomalous, or significantly different, from the baseline.
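To make the two detection styles concrete, here is an added example (not the paper's code, and not any real IDS): a signature matcher using the '/system32/cmd.exe?' string quoted in the network-based IDS section above, plus an anomaly check against a baseline of destination ports and per-host volume learned from a quiet period. The packet summaries, addresses (private and RFC 5737 documentation ranges), signature name and thresholds are constructed for the example. It also shows the complementarity the text describes: the cmd.exe request is caught only by the signature, and the new connection to an unfamiliar port only by the anomaly check, which is what the signature lag leaves to baseline comparison.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Signature database. The cmd.exe string is the one quoted in the text; the
# signature name is constructed.
SIGNATURES: List[Tuple[str, str]] = [
    ("web request for system32/cmd.exe", "/system32/cmd.exe?"),
]

# Constructed packet summaries: (src, dst, dport, bytes, payload).
LEARNING_TRAFFIC = [
    ("10.0.0.5", "198.51.100.20", 80, 600, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", "198.51.100.20", 443, 800, ""),
    ("10.0.0.9", "10.0.0.1", 53, 100, "A? intranet.example"),
    ("10.0.0.9", "198.51.100.20", 80, 300, "GET /news HTTP/1.1"),
]
LIVE_TRAFFIC = [
    ("10.0.0.5", "198.51.100.20", 80, 500, "GET /index.html HTTP/1.1"),
    ("10.0.0.9", "198.51.100.20", 80, 300, "GET /system32/cmd.exe? HTTP/1.0"),
    ("10.0.0.9", "203.0.113.8", 6667, 200, "NICK bot-10-0-0-9"),
    ("10.0.0.5", "203.0.113.9", 443, 5000, ""),
]


def build_baseline(packets) -> dict:
    """Learn what is normal: destination ports seen, and bytes sent per host."""
    volume = defaultdict(int)
    ports = set()
    for src, _dst, dport, size, _payload in packets:
        ports.add(dport)
        volume[src] += size
    return {"ports": ports, "volume": dict(volume)}


def signature_alerts(packets) -> List[Tuple[str, str]]:
    """Signature-based detection: substring match against the signature database."""
    alerts = []
    for src, _dst, _dport, _size, payload in packets:
        for name, pattern in SIGNATURES:
            if pattern in payload:
                alerts.append((src, name))
    return sorted(alerts)


def anomaly_alerts(packets, baseline, factor: float = 3.0) -> List[Tuple[str, str]]:
    """Anomaly-based detection: ports never seen in the baseline, and hosts
    sending more than `factor` times their baseline volume. A host absent from
    the baseline has a usual volume of 0 and is therefore always flagged."""
    alerts = []
    volume = defaultdict(int)
    for src, _dst, dport, size, _payload in packets:
        volume[src] += size
        if dport not in baseline["ports"]:
            alerts.append((src, f"destination port {dport} not in baseline"))
    for src, sent in volume.items():
        usual = baseline["volume"].get(src, 0)
        if sent > factor * usual:
            alerts.append((src, f"sent {sent} bytes, over {factor}x baseline of {usual}"))
    return sorted(alerts)


def inspect(packets, baseline) -> Dict[str, list]:
    """Run both detectors over one window of traffic."""
    return {
        "signature": signature_alerts(packets),
        "anomaly": anomaly_alerts(packets, baseline),
    }


if __name__ == "__main__":
    baseline = build_baseline(LEARNING_TRAFFIC)
    for kind, alerts in inspect(LIVE_TRAFFIC, baseline).items():
        for src, reason in alerts:
            print(f"{kind:9} {src:10} {reason}")
```

The volume rule is also where the false positives the text warns about come from: a host that legitimately starts a large download trips it just as the exfiltrating one does, so the factor and the learning period have to be tuned per network rather than copied from an example.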

Intrusion Prevention Systems

Prevent Network Intrusion

The criminal act of breaking into computer networks, one definition of hacking, poses a major threat to everyone connected to the Internet. It threatens infiltration, loss of proprietary data, fraud, destruction and operational paralysis. The more prominent the organization is, the greater its risk of being hacked and the bigger the challenge (and thus payoff) for an illegal hacker.

As hackers use their genius to develop sophisticated tools to realize their unlawful aims, businesses must take every precaution to prevent successful attacks. Firewalls have become ineffective as attacks move to the application level. Anti-virus programs are also not enough, as they offer only reactive measures. Organizations must deploy a comprehensive network intrusion prevention system to constantly map and monitor activities to prevent hackers from slipping anything past their network's defenses.

These include:

Vulnerability-based threats such as:
- Worms and botnets
- Trojan horses and the creation of backdoors
- Vendor-specific exploitation of vulnerabilities in products, e.g., Microsoft, Oracle
- Exploitation of vulnerabilities in applications such as web, mail, VoIP, DNS, SQL
- Spyware, phishing, anonymizers

Non-vulnerability-based threats that misuse application and server resources, such as:
- Server brute force attacks; misuse of server authentication/authorization schemes
- Web application vulnerability scanning
- SIP application scanning
- SIP application flooding

Strengthen Your Defenses

Intrusion prevention systems (IPSs) are an integral part of a defense approach, since there aren't other devices which exercise access control to protect computers from exploitation. IPSs were invented to resolve ambiguities in passive network monitoring by placing detection systems in-line (regarded by some to be an extension of intrusion detection system [IDS] technology, IPS technology is actually another form of access control, like an application-layer firewall). IPSs are a considerable improvement upon firewall technologies as they make access control decisions based on application content, rather than IP addresses or ports as is done by traditional firewalls.


The advanced intrusion detection and prevention capabilities offered by the DefensePro IPS, NBA, DoS and Reputation Service provide maximum protection for network elements, hosts and applications. It is composed of different application-level protection features to prevent intrusion attempts such as worms, Trojan horses and single-bullet attacks, facilitating complete and high-speed cleansing of all malicious intrusions.

Features include:
- Vulnerability-based signature protection powered by Radware's Security Update Service
- Zero-day worm propagation prevention
- Anti-scanning protection
- Security reports

Methods of attack will continue to evolve, increasing in complexity and becoming at once more dangerous and difficult to detect. To effectively protect their network and its users, network intrusion prevention systems need to be one step ahead of any threat. Based on adaptive behavioral-based and signature-based technologies, Radware's Intrusion Prevention System and network security solutions provide organizations with integrated network intrusion prevention and Denial of Service (DoS) protection. These defend against both network- and application-level attacks, delivering a holistic approach to application- and network-level threats, while enhancing the overall performance of security across the organization.


What is Malware?

Malware (malicious software) is any program that works against the interest of the system's user or owner. Viruses, worms, Trojans, and bots are all part of a class of software called malware. Malware or malicious code (malcode) is short for malicious software. It is code or software that is specifically designed to damage, disrupt, steal, or in general inflict some other bad or illegitimate action on data, hosts, or networks.

There are many different classes of malware that have varying ways of infecting systems and propagating themselves. Malware can infect systems by being bundled with other programs or attached as macros to files. Others are installed by exploiting a known vulnerability in an operating system (OS), network device, or other software, such as a hole in a browser that only requires users to visit a website to infect their computers. The vast majority, however, are installed by some action from a user, such as clicking an e-mail attachment or downloading a file from the Internet.

Some of the more commonly known types of malware are viruses, worms, Trojans, bots, back doors, spyware, and adware. Damage from malware varies from causing minor irritation (such as browser popup ads), to stealing confidential information or money, destroying data, and compromising and/or entirely disabling systems and networks.

Malware cannot damage the physical hardware of systems and network equipment, but it can damage the data and software residing on the equipment. Malware should also not be confused with defective software, which is intended for legitimate purposes but has errors or bugs.

Classes of Malicious Software

Two of the most common types of malware are viruses and worms. These types of programs are able to self-replicate and can spread copies of themselves, which might even be modified copies. To be classified as a virus or worm, malware must have the ability to propagate. The difference is that a worm operates more or less independently of other files, whereas a virus depends on a host program to spread itself. These and other classes of malicious software are described below.

Viruses

A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected e-mail attachments.

Worms

Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.

Trojans

A Trojan is another type of malware, named after the wooden horse the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create back doors to give malicious users access to the system.

Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate. Trojans must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet.

Bots

"Bot" is derived from the word "robot" and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being. A typical use of bots is to gather information (such as web crawlers), or interact automatically with instant messaging (IM), Internet Relay Chat (IRC), or other web interfaces. They may also be used to interact dynamically with websites.

Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or "botnet." With a botnet, attackers can launch broad-based, "remote-control," flood-type attacks against their target(s). In addition to the worm-like ability to self-propagate, bots can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host. Bots have all the advantages of worms, but are generally much more versatile in their infection vector, and are often modified within hours of publication of a new exploit. They have been known to exploit back doors opened by worms and viruses, which allows them to access networks that have good perimeter control. Bots rarely announce their presence with high scan rates, which damage network infrastructure; instead they infect networks in a way that escapes immediate notice.

Best Practices for Combating Viruses, Worms, Trojans, and Bots

The first steps to protecting your computer are to ensure that your OS is up to date. This means regularly applying the most recent patches and fixes recommended by the OS vendor. Secondly, you should have antivirus software installed on your system and download updates frequently to ensure that your software has the latest fixes for new viruses, worms, Trojans, and bots. Additionally, you want to make sure that your antivirus program can scan e-mail and files as they are downloaded from the Internet. This will help prevent malicious programs from reaching your computer. You may also want to consider installing a firewall.

    Additional Definitions and References

    Exploit

    An exploit is a piece of software, a command, or a methodology that attacks a particular security vulnerability. Exploits are not always malicious in intent; they are sometimes used only as a way of demonstrating that a vulnerability exists. However, they are a common component of malware.

    Back Door

    A back door is an undocumented way of accessing a system, bypassing the normal authentication mechanisms. Some back doors are placed in the software by the original programmer and others are placed on systems through a system compromise, such as a virus or worm. Usually, attackers use back doors for easier and continued access to a system after it has been compromised.

    The Threat to Home Users

    Many people underestimate the threat they face when they use the Internet. The prevalent mindset is "who would bother to attack me or my computer?" This is true as far as it goes: it may be unlikely that an attacker would individually target you, since to him you are just one more system on the Internet.

    Many script kiddies simply unleash an automated tool that will scan large ranges of IP addresses looking for vulnerable systems; when it finds one, the tool will automatically exploit the vulnerability and take control of the machine.

    The script kiddie can later use this vast collection of 'owned' systems to launch denial of service (DoS) attacks, or just cover his tracks by hopping from one system to another in order to hide his real IP address. This technique of proxying attacks through many systems is quite common, as it makes it very difficult for law enforcement to trace back the route of the attack, especially if the attacker relays it through systems in different geographic locations.

    It is very feasible -- in fact quite likely -- that your machine will be in the target range of such a scan, and if you haven't taken adequate precautions, it will be owned.

    The other threat comes from computer worms, which have recently been the subject of a lot of media attention. Essentially a worm is just an exploit with a propagation mechanism. It works in a manner similar to how the script kiddie's automated tool works -- it scans ranges of IP addresses, infects vulnerable machines, and then uses those to scan further. Thus the rate of infection increases geometrically as each infected system starts looking for new victims. In theory a worm could be written with such a refined scanning algorithm that it could infect 100% of all vulnerable machines within ten minutes. This leaves hardly any time for response.
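    To make the geometric-growth claim concrete, the following is an added illustration (not code from the paper): a deterministic susceptible-infected model of a random-scanning worm. The vulnerable-population size, the address space and the two scan rates are assumed sample values.

```python
"""Added illustration (not from the paper): a deterministic susceptible-infected (SI) model
of a random-scanning worm, showing why infection grows geometrically at first and why the
scan rate sets how long a defender has to respond.  All parameters are assumed sample values."""

def simulate_worm(vulnerable, address_space, scan_rate, initial=1, dt=1.0, max_time=86400.0):
    """Return a list of (seconds, infected_hosts) samples.

    Every infected host probes scan_rate random addresses per second.  A probe lands on a
    still-uninfected vulnerable host with probability (vulnerable - infected) / address_space,
    so the expected number of new infections per step is infected * scan_rate * dt * that
    probability.  Early on the probability is almost constant, so the count grows by a fixed
    factor per step (geometric growth); it only slows once few vulnerable hosts are left.
    """
    infected = float(initial)
    t = 0.0
    trace = [(t, infected)]
    while infected < vulnerable - 0.5 and t < max_time:
        still_open = (vulnerable - infected) / address_space
        infected = min(float(vulnerable), infected + infected * scan_rate * dt * still_open)
        t += dt
        trace.append((t, infected))
    return trace

def time_to_fraction(trace, total, fraction):
    """First time (seconds) at which at least fraction * total hosts are infected, or None."""
    for t, infected in trace:
        if infected >= fraction * total:
            return t
    return None

# Constructed sample: 300,000 vulnerable hosts spread over the IPv4 space, one initial victim.
VULNERABLE = 300_000
IPV4_SPACE = 2 ** 32

if __name__ == "__main__":
    for rate in (100, 1000):
        trace = simulate_worm(VULNERABLE, IPV4_SPACE, rate)
        t99 = time_to_fraction(trace, VULNERABLE, 0.99)
        print(f"{rate:5d} scans/s per host: 99% of vulnerable hosts infected after {t99 / 60:.1f} minutes")
```

    Raising the per-host scan rate tenfold cuts the time to saturation by roughly the same factor, which is why a fast worm leaves no room for a manual response.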

    Another threat comes in the form of viruses. Most often these are propagated by email and use some crude form of social engineering (such as using the subject line "I love you" or "Re: The documents you asked for") to trick people into opening them. No form of network level protection can guard against these attacks.

    The effects of the virus may range from mundane (simply spreading to people in your address book) to devastating (deleting critical system files). A couple of years ago there was an email virus that emailed confidential documents from the popular Windows "My Documents" folder to everyone in the victim's address book.

    So while you per se may not be high profile enough to warrant a systematic attack, you are what I like to call a bystander victim: someone who got attacked simply because you could be attacked, and you were there to be attacked.

    As broadband and always-on Internet connections become commonplace, even hackers are targeting the IP ranges where they know they will find cable modem customers. They do this because they know they will find unprotected always-on systems there that can be used as a base for launching other attacks.

    The Threat to the Enterprise

    Most businesses have conceded that having an Internet presence is critical to keep up with the competition, and most of them have realised the need to secure that online presence.

    Gone are the days when firewalls were an option and employees were given unrestricted Internet access. These days most medium sized corporations implement firewalls, content monitoring and intrusion detection systems as part of the basic network infrastructure.

    For the enterprise, security is very important -- the threats include:

    Corporate espionage by competitors.

    Attacks from disgruntled ex-employees.

    Attacks from outsiders who are looking to obtain private data and steal the company's crown jewels (be it a database of credit cards, information on a new product, financial data, source code to programs, etc.).

    Attacks from outsiders who just want to use your company's resources to store pornography, illegal pirated software, movies and music so that others can download them, and your company ends up paying the bandwidth bill and in some countries can be held liable for the copyright violations on movies and music.

    As far as securing the enterprise goes, it is not enough to merely install a firewall or intrusion detection system and assume that you are covered against all threats. The company must have a complete security policy, and basic training must be imparted to all employees telling them things they should and should not do, as well as who to contact in the event of an incident. Larger companies may even have an incident response or security team to deal specifically with these issues.

    One has to understand that security in the enterprise is a 24/7 problem. There is a famous saying, "A chain is only as strong as its weakest link", and the same rule applies to security. After the security measures are put in place, someone has to take the trouble to read the logs, occasionally test the security, follow mailing lists of the latest vulnerabilities to make sure software and hardware is up to date, etc. In other words, if your organisation is serious about security, there should be someone who handles security issues. This person is often a network administrator, but invariably in the chaotic throes of day-to-day administration (yes, we all dread user support calls! :) the security of the organisation gets compromised -- for example, an admin who needs to deliver 10 machines to a new department may not password protect the administrator account, just because it saves him some time and lets him meet a deadline. In short, an organisation is either serious about security issues or does not bother with them at all.

    While the notion of 24/7 security may seem paranoid to some people, one has to understand that in a lot of cases a company is not specifically targeted by an attacker. The company's network just happens to be one that the attacker knows how to break into, and thus it gets targeted. This is often the case in attacks where company ftp or web servers have been used to host illegal material. The attackers don't care what the company does - they just know that this is a system accessible from the Internet where they can store large amounts of warez (pirated software), music, movies, or pornography. This is actually a much larger problem than most people are aware of, because in many cases the attackers are very good at hiding the illegal data. It's only when the bandwidth bill has to be paid that someone realises that something is amiss.

    Brief Walk-through of an Attack

    This is an account of how an attacker in the real world might go about trying to exploit your system. There is no fixed way to attack a system, but a large number of attackers will follow a similar methodology, or at least a similar chain of events.

    Remember that attackers will usually choose the simplest way to get into the network. The path of least resistance principle always applies.

    Reconnaissance & Footprinting

    Here the attacker will try to gather as much information about your company and network as they can without making a noise. They will first use legitimate channels, such as Google and your company webpage, to find out as much about you as they can. They will look for the following information:

    Technical information is a goldmine; things like a webpage to help your employees log in from home will be priceless information to them. So also will newsgroup postings by your IT department asking how to set up particular software, as they now know that you use this software and perhaps they know of a vulnerability in it.

    Personal information about the company and its corporate structure. They will want information on the heads of IT departments, the CEO and other people who have a lot of power. They can use this information to forge email, or social engineer information out of subordinates.

    Information about your partners. This might be useful information for them if they know you have some sort of network connection to a supplier or partner. They can then include the supplier's systems in their attack, and find a way in to your network from there.

    General news. This can be useful information to an attacker as well. If your website says that it is going down for maintenance for some days because you are changing your web server, it might be a clue that the new setup will be in its teething stages and the admins may not have secured it fully yet.

    They will also query the whois databases to find out what block of IP addresses you own. This will give them a general idea of where to start their network level scans. After this they will start a series of network probes, the most basic of which will be to determine if you have a firewall, and what it protects. They will try and identify any systems you have that are accessible from the Internet.

    The most important targets will be the ones that provide public services. These will be:

    Webservers - usually the front door into the network. All webserver software has some bugs in it, and if you're running home made CGI scripts such as login pages etc., they might be vulnerable to techniques such as SQL injection.

    Mail servers - Sendmail is very popular and most versions have at least one serious vulnerability in them. Many IT heads don't like to take down the mail server for maintenance, as doing without it is very frustrating for the rest of the company (especially when the CEO doesn't get his mail).

    DNS servers - Many implementations of BIND are vulnerable to serious attacks. The DNS server can be used as a base for other attacks, such as redirecting users to other websites etc.

    Network infrastructure - Routers and switches may not have been properly secured and may have default passwords or a web administration interface running. Once controlled, they can be used for anything from a simple Denial of Service attack by messing up their configurations, to channeling all your data through the attacker's machine to a sniffer.

    Database servers - Many database servers have the default sa account password blank and other common misconfigurations. These are very high profile targets as the criminal might be looking to steal anything from your customer list to credit card numbers. As a rule, a database server should never be Internet facing.

    The more naive of the lot (or the ones who know that security logs are never looked at) may run a commercial vulnerability scanner such as Nessus or Retina over the network. This will ease their work.

    Exploitation Phase

    After determining which are valid targets and figuring out what OS and version of software they are using (for example, which version of Apache or IIS the web server is running), the attacker can look for an exploit targeting that particular version. For example, if they find you are running an out of date version of Sendmail, they will look for an exploit targeting that version or below.

    They will first look in their collection of exploits because they have tested these. If they cannot find one, they will look to public repositories such as http://www.packetstormsecurity.nl. They will probably try to choose common exploits as these are more likely to work and they can probably test them in their own lab.

    From here they have already won half the game, as they are behind the firewall and can probably see a lot more of the internal network than you ever intended for them to. Many networks tend to be very hard to penetrate from the outside, but are woefully unprotected internally. This hard exterior with a mushy interior is a recipe for trouble -- an attacker who penetrates the first line of defense will have the full run of your network.

    After getting in, they will also probably install backdoors on this first compromised system to provide them with many ways in, in case their original hole gets shut down. This is why when you identify a machine that was broken into, it should be built up again from scratch, as there is no way of knowing what kind of backdoors might be installed. It could be tricky to find a program that runs itself from 2:00 AM to 4:00 AM every night and tries to connect to the attacker's machine. Once they have successfully guaranteed their access, the harder part of the intrusion is usually over.
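    Both the network probes of the reconnaissance phase and the nightly back-door call-home just described leave traces in firewall logs, if someone reads them. The following is an added example (not code from the paper) of two such checks over constructed log lines; the log format, the addresses, the thresholds and the 02:00-04:00 window are all assumptions.

```python
"""Added example (not from the paper): two log checks a defender could run over firewall
log lines, catching the recon probes and the nightly back-door call-home described in the text.
Log format, addresses, thresholds and the 02:00-04:00 window are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: an outside address probing several internal hosts and ports,
# and one internal workstation calling the same outside address every night at about 02:10.
SAMPLE_LOG = """\
2019-07-29T09:00:01 src=198.51.100.9 dst=192.0.2.10 dport=22 action=DENY
2019-07-29T09:00:01 src=198.51.100.9 dst=192.0.2.11 dport=22 action=DENY
2019-07-29T09:00:02 src=198.51.100.9 dst=192.0.2.12 dport=22 action=DENY
2019-07-29T09:00:02 src=198.51.100.9 dst=192.0.2.10 dport=80 action=ALLOW
2019-07-29T09:00:03 src=198.51.100.9 dst=192.0.2.10 dport=443 action=ALLOW
2019-07-29T09:00:03 src=198.51.100.9 dst=192.0.2.10 dport=1433 action=DENY
2019-07-29T10:15:00 src=203.0.113.5 dst=192.0.2.10 dport=443 action=ALLOW
2019-07-29T02:10:00 src=192.0.2.57 dst=198.51.100.200 dport=8080 action=ALLOW
2019-07-30T02:12:30 src=192.0.2.57 dst=198.51.100.200 dport=8080 action=ALLOW
2019-07-30T14:00:00 src=192.0.2.57 dst=203.0.113.80 dport=443 action=ALLOW
2019-07-31T02:09:10 src=192.0.2.57 dst=198.51.100.200 dport=8080 action=ALLOW
"""

def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime and an int port."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dport"] = int(rec["dport"])
    return rec

def records(log):
    return [parse(line) for line in log.splitlines() if line.strip()]

def detect_scanners(log, min_targets=5):
    """Sources that touched at least min_targets distinct (host, port) pairs: the
    'is there a firewall, what does it protect' probing of the reconnaissance phase."""
    targets = defaultdict(set)
    for rec in records(log):
        targets[rec["src"]].add((rec["dst"], rec["dport"]))
    return sorted(src for src, seen in targets.items() if len(seen) >= min_targets)

def detect_nightly_beacons(log, start_hour=2, end_hour=4, min_nights=3):
    """(src, dst) pairs seen inside the off-hours window on at least min_nights distinct
    dates: the pattern of a backdoor that wakes at a fixed time and calls home."""
    nights = defaultdict(set)
    for rec in records(log):
        if start_hour <= rec["ts"].hour < end_hour:
            nights[(rec["src"], rec["dst"])].add(rec["ts"].date())
    return sorted(pair for pair, dates in nights.items() if len(dates) >= min_nights)

if __name__ == "__main__":
    print("possible scanners:", detect_scanners(SAMPLE_LOG))
    print("possible nightly beacons:", detect_nightly_beacons(SAMPLE_LOG))
```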

    Conclusion

    The security issues in our networked systems as described in this paper identify some of the work that needs to be done, and the urgency with which concerns need to be addressed. Dependence on some of the IT-based infrastructures in several countries is such that serious national consequences could result from the exploitation of their vulnerabilities. And as the density of networks increases, the necessity for transnational participation in improving network security increases. The changing technologies and the potential for changing threats are taxing our understanding of the threats and how to deal with them. Due to the complexity and entanglement among networks and communities internationally, any increases in network security must involve the concerted efforts of as many nations as possible.

    We have to understand that a great deal can be accomplished through such mechanisms, but not without taking note of their earlier trouble spots. We must learn from prior unexpected consequences in international cooperation, just as in the battle to secure networked systems, and be ever more cautious as we move forward toward some type of international action. But move forward quickly we must if the benefits from the use of our networked systems are to be realized in the myriad ways that they have been and are hoped for in the future. Nations must cooperate fully within their capability in order to contain the actions of those who threaten our networks, and to realize the positive vision that we have for our societies.