studies in networking
TRANSCRIPT
-
7/29/2019 Studies in Networking
1/51
A.M.A COMPUTER COLLEGE
LAS PIÑAS
A Partial Fulfillment
of
Requirements to
ITNA02 and ITNA03
Submitted To:
Roy, Paul Ryan
Submitted By:
Mallari, Franklin C.
Abstract
A network is a set of devices or nodes connected by communication
links. A network must be able to meet a certain number of criteria,
and one of them is security. Network security issues include
protecting data from unauthorized access; there are enemies to the
stored data and also to the data transmitted through the network,
and the most common enemies are hackers, unaware staff, snoops,
viruses, Trojan horse programs, and vandals.
Network (Internet) communication has become an integral part
of the infrastructure of today's world. The information communicated
comes in numerous forms and is used in many applications. In a
large number of these applications, it is desired that the
communication be done in secret. Such secret communication ranges
from the obvious cases of bank transfers, corporate communications,
and credit card purchases, on down to a large percentage of
everyday email. With email, many people wrongly assume that their
communication is safe because it is just a small piece of an
enormous amount of data being sent worldwide. After all, who is
going to see it? But in reality, the Network (Internet) is not a secure
medium, and there are programs out there which just sit and watch
messages go by for interesting information.
Hackers are computer enthusiasts who take pleasure in gaining
access to other people's computers or networks. Unaware staff are
employees who focus on their specific job duties and often overlook
standard network security rules. Employees known as "snoops" gain
unauthorized access to confidential data to provide competitors with
otherwise inaccessible information. What can these enemies do?
Viruses are computer programs that are written by unauthorized
programmers and are designed to replicate themselves and infect
computers when triggered by a specific event. Some viruses are
more destructive and cause such problems as deleting files from a
hard drive or slowing down a system. Trojan horse programs are
actually enemies in disguise. Trojans can delete data and open up
computers to additional attacks. Innumerable types of network
attacks have been documented; among them are DoS attacks and
access attacks.
ACCESS ATTACKS are conducted to exploit vulnerabilities; denial of
service attacks prevent access to part or all of a computer system.
Social engineering is the increasingly prevalent act of obtaining
network security information through non-technical means. Spam is
the most commonly used term for unsolicited electronic mail, or the
action of broadcasting unsolicited advertising messages via e-mail.
Spam is usually harmless but it can be a nuisance, taking up
the recipient's time and storage space. Organizations have an
extensive choice of technologies, ranging from anti-virus software
packages to dedicated network security hardware, such as firewalls
and intrusion detection systems, to provide protection for all areas
of the network. Antivirus software is virus protection software that
is packaged with most computers and can counter most virus threats
if the software is regularly updated and correctly maintained.
Security policies are rules that are electronically programmed and
stored within security equipment to control access to such areas.
Introduction
The frequency of computer network attacks and the subsequent
sensational news reporting have alerted the public to the vulnerability
of computer networks and the dangers of not only using them but
also of depending on them. In addition, such activities and reports
have put society in a state of constant fear, always expecting the next
big one and what it would involve, and forced people to focus on
security issues. The greatest fear among professionals, however, is
that of a public with a hundred percent total dependency on
computers and computer networks becoming desensitized, having
reached a level where they are almost immune, where they no longer
care about such fears. If this ever happens, we the professionals, and
society in general, as creators of these networks, will have failed to
ensure their security.
Unfortunately, there are already signs that this is beginning to
happen. We are steamrolling at full speed into total dependency on
computers and computer networks, yet despite the multiplicity of
sometimes confusing security solutions and best practices on the
market, numerous security experts and proclaimed good intentions of
implementing these solutions, there is no single agreed-upon
approach to the network security problem. In fact, if current
computer ownership, use, and dependency on computers and
computer networks keep on their present track, the number of such
attacks is likewise going to keep rising at probably the same rate if
not higher. Likewise the national critical infrastructures will become more
intertwined than they are now, making the security of these systems a
great priority for national and individual security.
The picture we have painted here of total dependency worries
many, especially those in the security community. Without a doubt
security professionals are more worried about computer system
security and information security than the average computer user
because they are the people in the trenches on the forefront of the
system security battle, just as soldiers in a war might worry more
about the prospects of a successful outcome than would the general
civilian population. They are worried more because they know that
whatever quantity of resources we have as a society, we are not
likely to achieve perfect security because security is a continuous
process based on a changing technology. As the technology
changes, security parameters, needs, requirements, and standards
change. We are playing a catch-up game whose outcome is uncertain
and probably unwinnable. There are several reasons for this.
First, the overwhelming number of computer network
vulnerabilities are software based resulting from either application or
system software. As anyone with a first course in software
engineering will tell you, it is impossible to test out all bugs in a
software product with billions of possible outcomes based on just a
few inputs. So unlike other branches of product engineering such as
car and airplane manufacturing, where one can test all possible
outcomes from any given inputs, it is impossible to do this in
software. This results in an unknown number of bugs in every
software product. Yet the role of software as the engine that drives
these networks is indisputable, and the growth of the software industry is
only in its infancy.
Computer and network security is a new and fast-moving
technology and as such is still being defined, and most probably
always will be. Security incidents are rising at an alarming
rate every year. As the complexity of the threats increases, so do the
security measures required to protect networks. Data center
operators, network administrators, and other data center
professionals need to comprehend the basics of security in order to
safely deploy and manage networks today.
Securing the modern business network and IT infrastructure
demands an end-to-end approach and a firm grasp of vulnerabilities
and associated protective measures. While such knowledge cannot
prevent all attempts at network incursion or system attack, it can
empower network engineers to eliminate certain general problems,
greatly reduce potential damages, and quickly detect breaches. With
the ever-increasing number and complexity of attacks, vigilant
approaches to security in both large and small enterprises are a
must. Network security originally focused on algorithmic aspects such
as encryption and hashing techniques. While these concepts rarely
change, these skills alone are insufficient to protect computer
networks. As crackers hacked away at networks and systems,
security courses arose that emphasized the latest attacks. There is
always faulty management, faulty software, and abuse of resources
connected to computer networks. These are the main reasons which
cause security problems for a network. Today, the security problem
has become one of the main problems for computer network and Internet
development. However, there is no simple way to establish a secure
computer network. In fact, we cannot find a network in the world
nowadays which does not have any security holes. The
infrastructures of cyberspace are vulnerable due to three kinds of
failure: complexity, accident, and hostile intent. Hundreds of millions
of people now appreciate a cyber-context for terms like viruses,
denial of service, privacy, worms, fraud, and crime more
generally. Attacks so far have been limited. While in some network
attacks the value of losses is in the hundreds of millions, damage so
far is seen as tolerable.
While preventing attack is largely based on government
authority and responsibility, the detailed knowledge needed to
prevent an attack on a cyber-system, or to prevent damage from it,
rests primarily with its owner.
Protecting infrastructure systems arguably involves five coupled
stages. First, it is necessary to attempt to determine potential
attackers. Second, if attacked, the need is to prevent the attack and
to prevent damage. Third, since success cannot be guaranteed in
either preventing or thwarting an attack, the next stage is to limit the
damage as much as possible. Fourth, having sustained some level of
damage from an attack, the defender must reconstitute the pre-attack
state of affairs. Finally, since changing technology and incentives to
attack influence both offense and defense, the final step is for the
defender to learn from failure in order to improve performance, just as
attackers will learn from their failures.
The more specific defenses to be discussed may be usefully
partitioned into two forms: passive and active.
Passive defense essentially consists in target hardening.
Active defense, in contrast, imposes some risk or penalty on
the attacker. Risk or penalty may include identification and exposure,
investigation and prosecution, or pre-emptive or counter attacks of
various sorts.
FOCUS ON SECURITY
The Network Security program emphasizes how to secure a
network. The following background information in security helps in
making correct decisions. Some areas are concept-oriented:
Attack Recognition: Recognize common attacks, such
as spoofing, man-in-the-middle, (distributed) denial of
service, buffer overflow, etc.
Encryption techniques: Understand techniques to
ensure confidentiality, authenticity, integrity, and
non-repudiation of data transfer. These must be understood at
a protocol and at least partially at a mathematics or
algorithmic level, in order to select and implement the
algorithm matching the organization's needs.
Network Security Architecture: Configure a network
with security appliances and software, such as
placement of firewalls, Intrusion Detection Systems, and
log management.
To secure a network, certain skills must also be practiced:
Protocol analysis: Recognize normal from abnormal
protocol sequences, using sniffers. Protocols minimally
include: IP, ARP, ICMP, TCP, UDP, HTTP, and the
encryption protocols SSH, SSL, and IPSec.
Access Control Lists (ACLs): Configure and audit
routers and firewalls to filter packets accurately and
efficiently, by dropping, passing, or protecting (via VPN)
packets based upon their IP and/or port addresses, and
state.
Intrusion Detection/Prevention Systems (IDS/IPS): Set and test
rules to recognize and report attacks in a timely
manner.
Vulnerability Testing: Test all nodes (routers, servers,
clients) to determine active applications, via scanning or
other vulnerability test tools, and interpret the results.
Application Software Protection: Program and test secure
software to avoid backdoor entry via SQL
injection, buffer overflow, etc.
Incident Response: Respond to an attack by escalating
attention, collecting evidence, and performing computer
forensics. The last three skills incorporate computer
systems security, since they are required to counteract
Internet hacking.
The TCP/IP Protocol:
The attacks which are discussed in this paper all utilize
weaknesses in the implementation of the TCP/IP protocols to make
the attacked computer or network stop working as intended. To
understand the attacks one has to have a basic knowledge of how
these protocols are intended to function. TCP/IP is the acronym of
Transmission Control Protocol / Internet Protocol and is one of
several network protocols developed by the United States
Department of Defense (DoD) at the end of the 1970s. The reason
why such a protocol was designed was the need to build a network of
computers able to connect to other networks of the same kind
(routing). This network was named ARPANET (Advanced Research
Projects Agency Internetwork), and is the predecessor of what we call
the Internet these days.
TCP/IP is a protocol suite which is used to transfer data through
networks. Actually TCP/IP consists of several protocols. The most
important are:
IP Internet Protocol This protocol mainly takes care of
specifying where to send the data. To do that, each IP packet
has sender and receiver information. The most common DoS
attacks at the IP level exploit the IP packet format.
TCP Transmission Control Protocol This protocol handles
the secure delivery of data to the address specified in the IP
protocol. Most of the TCP level attacks exploit weaknesses
present in the implementations of the TCP finite state machine.
By attacking specific weaknesses in applications and
implementations of TCP, it is possible for an attacker to make
services or systems crash, refuse service, or otherwise
become unstable.
A communication through a network using TCP/IP or
UDP/IP will typically use several packets. Each of the packets will
have a sending and a receiving address, some data and some
additional control information. In particular, the address information
is part of the IP portion of the packet, while the other data is in the
TCP or UDP part. ICMP has no separate TCP part; all the
necessary information is in the ICMP packet. In addition to the
recipient's address, all TCP/IP and UDP/IP communication uses a
special port number which it connects to. These port numbers
determine the kind of service the sender wants to communicate to
the receiver of information.
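As an added example (not part of the original paper), the following Python parser pulls the pieces the text describes out of a raw packet: addresses from the IP part, port numbers from the TCP or UDP part, and only a type and code from ICMP, which has no ports. The builder functions and the sample packets (documentation address ranges, zero checksums) are constructed here solely to exercise the parser.

```python
import socket
import struct
from typing import Any, Dict

# IP protocol numbers for the three protocols the text discusses.
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4 header (no options) in front of a transport payload.
    The checksum is left at zero: this builder only exists to construct sample packets."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                # version 4, header length 5 words (20 bytes)
        0,                   # type of service
        20 + len(payload),   # total length
        0, 0,                # identification, flags/fragment offset
        64,                  # TTL
        proto,
        0,                   # header checksum (not computed for the sample)
        socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header: ports, seq/ack numbers, data offset, flags, window."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp(icmp_type: int, code: int) -> bytes:
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)


def parse_packet(raw: bytes) -> Dict[str, Any]:
    """Pull the sender/receiver addresses out of the IP part and, for TCP and UDP,
    the port numbers out of the transport part. ICMP carries no ports, so only its
    type and code are reported. Raises ValueError on truncated or non-IPv4 input."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    info: Dict[str, Any] = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                            "proto": proto, "ttl": ttl}
    transport = raw[ihl:total_len]          # everything after the IP header
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(transport) < 8:
            raise ValueError("truncated transport header")
        info["src_port"], info["dst_port"] = struct.unpack("!HH", transport[:4])
        if proto == PROTO_TCP and len(transport) >= 20:
            flags = transport[13]           # flag byte of the TCP header
            info["syn"] = bool(flags & TCP_SYN)
            info["ack"] = bool(flags & TCP_ACK)
    elif proto == PROTO_ICMP:
        if len(transport) < 4:
            raise ValueError("truncated ICMP header")
        info["icmp_type"], info["icmp_code"] = transport[0], transport[1]
    return info


def describe(info: Dict[str, Any]) -> str:
    """One-line summary of the kind a protocol analyst reads off a sniffer."""
    names = {PROTO_ICMP: "ICMP", PROTO_TCP: "TCP", PROTO_UDP: "UDP"}
    name = names.get(info["proto"], str(info["proto"]))
    if "src_port" in info:
        line = f"{name} {info['src']}:{info['src_port']} -> {info['dst']}:{info['dst_port']}"
        if info.get("syn") and not info.get("ack"):
            line += " [connection request]"
        return line
    if name == "ICMP":
        return f"ICMP type {info['icmp_type']} code {info['icmp_code']} {info['src']} -> {info['dst']}"
    return f"{name} {info['src']} -> {info['dst']}"


# Constructed sample packets: a web connection request, a DNS query, an ICMP echo request.
SAMPLES = [
    build_ipv4("198.51.100.20", "192.0.2.80", PROTO_TCP, build_tcp(51515, 80, TCP_SYN)),
    build_ipv4("192.0.2.5", "198.51.100.53", PROTO_UDP, build_udp(40000, 53, b"\x00" * 12)),
    build_ipv4("198.51.100.20", "192.0.2.80", PROTO_ICMP, build_icmp(8, 0)),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(describe(parse_packet(raw)))
```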
Denial of Service Attacks
DoS attacks today are part of every Internet user's life. They
are happening all the time, and all the Internet users, as a
community, have some part in creating them, suffering from them or
even losing time and money because of them. DoS attacks do not
have anything to do with breaking into computers, taking control over
remote hosts on the Internet or stealing privileged information like
credit card numbers. In Internet parlance, DoS is
neither a hack nor a crack. The sole purpose of DoS attacks is to
disrupt the services offered by the victim. While the attack is in place,
and no action has been taken to fix the problem, the victim would not
be able to provide its services on the Internet. DoS attacks are really
a form of vandalism against Internet services. DoS attacks take
advantage of weaknesses in the IP protocol stack in order to disrupt
Internet services. DoS attacks can take several forms and can be
categorized according to several parameters.
In particular, in this study we differentiate denial of service
attacks based on where the attack originates.
Normal DoS attacks are generated by a single host (or a small
number of hosts at the same location). The only real way for such DoS
attacks to pose a real threat is to exploit some software or design
flaw. Such flaws can include, for example, wrong implementations of
the IP stack, which crash the whole host when receiving a
non-standard IP packet. Such an attack would generally have lower
volumes of data. Unless some unfixed exploits exist at the victim
hosts, a DoS attack should not pose a real threat to high-end
services on today's Internet.
Some solutions to Denial of Service Attacks
The way DoS and DDoS attacks are perpetrated, by exploiting
limitations of protocols and applications, is one of the main reasons
why they are continuously evolving and, because of that, presenting
new challenges on how to combat or limit their effects. Even if all of
these attacks cannot be completely avoided, some basic rules can be
followed to protect the network against some of them, and to limit the
extent of an attack:
Make sure the network has a firewall up that aggressively
keeps everything out except legal traffic.
Implement router filters. This will lessen the exposure to
certain denial-of-service attacks. Additionally, it will aid in
preventing users on the network from effectively launching
certain denial-of-service attacks.
Install patches to guard against TCP/IP attacks. This will
substantially reduce the exposure to these attacks but
may not eliminate the risk entirely.
Observe the system performance and establish baselines
for ordinary activity. Use the baseline to gauge unusual
levels of disk activity, CPU usage, or network traffic.
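The last rule, baselining, is the one most often left vague, so here is an added example (not from the paper) of how a baseline is learned and then used to gauge a new sample. The ten "ordinary activity" samples and the three metric names (packets/s, CPU %, disk IOPS) are constructed for the example; the three-sigma threshold and the 5% floor on the spread are assumptions.

```python
from statistics import mean, pstdev
from typing import Dict, List

# Constructed baseline: ten one-minute samples recorded during ordinary activity.
# Metric names follow the text: network traffic (packets/s), CPU %, disk activity (IOPS).
_PPS = [1000, 1100, 950, 1050, 1000, 1020, 980, 1070, 1030, 1000]
_CPU = [30, 35, 28, 32, 30, 31, 29, 34, 33, 30]
_DISK = [200, 210, 190, 205, 200, 195, 215, 200, 205, 200]
BASELINE_SAMPLES = [{"pps": p, "cpu": c, "disk_iops": d}
                    for p, c, d in zip(_PPS, _CPU, _DISK)]


class Baseline:
    """Per-metric mean and spread learned from ordinary activity, used to score new samples."""

    def __init__(self, samples: List[Dict[str, float]], sigmas: float = 3.0):
        if not samples:
            raise ValueError("need at least one baseline sample")
        self.sigmas = sigmas
        self.stats: Dict[str, tuple] = {}
        for metric in samples[0]:
            values = [s[metric] for s in samples]
            mu, sd = mean(values), pstdev(values)
            # A perfectly flat baseline would make any change an infinite deviation and
            # flood the operator with alerts, so floor the spread at 5% of the mean (or 1.0).
            sd = max(sd, 0.05 * mu, 1.0)
            self.stats[metric] = (mu, sd)

    def deviations(self, sample: Dict[str, float]) -> Dict[str, float]:
        """z-score of each known metric: how many baseline spreads above (or below) normal."""
        return {m: (sample[m] - mu) / sd
                for m, (mu, sd) in self.stats.items() if m in sample}

    def flag(self, sample: Dict[str, float]) -> List[str]:
        """Metrics whose value exceeds mean + sigmas*spread. Only upward spikes are
        reported, because flooding drives traffic, CPU and disk activity up, not down."""
        return sorted(m for m, z in self.deviations(sample).items() if z > self.sigmas)


if __name__ == "__main__":
    baseline = Baseline(BASELINE_SAMPLES)
    quiet = {"pps": 1120, "cpu": 33, "disk_iops": 210}     # busy but ordinary minute
    flood = {"pps": 9000, "cpu": 95, "disk_iops": 210}     # traffic and CPU far above normal
    for label, sample in (("quiet", quiet), ("flood", flood)):
        print(label, baseline.flag(sample) or "within baseline")
```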
Firewalls
By far the most common security measure these days is a
firewall. A lot of confusion surrounds the concept of a firewall, but it
can basically be defined as any perimeter device that permits or
denies traffic based on a set of rules configured by the administrator.
Thus a firewall may be as simple as a router with access-lists, or as
complex as a set of modules distributed through the network and
controlled from one central location.
The firewall protects everything 'behind' it from everything in
front of it. Usually the 'front' of the firewall is its Internet-facing side,
and the 'behind' is the internal network. The way firewalls are
designed to suit different types of networks is called the firewall
topology.
Personal (desktop) firewalls are packages that are meant for
individual desktops and are fairly easy to use. The first thing they do
is make the machine invisible to pings and other network probes.
Most of them also let you
choose what programs are allowed to access the Internet, therefore
you can allow your browser and mail client, but if you see some
suspicious program trying to access the network, you can disallow it.
This is a form of 'egress filtering' or outbound traffic filtering and
provides very good protection against trojan horse programs and
worms.
However, firewalls are no cure-all solution to network security
woes. A firewall is only as good as its rule set, and there are many
ways an attacker can find common misconfigurations and errors in
the rules. For example, say the firewall blocks all traffic except traffic
originating from port 53 (DNS) so that everyone can resolve names;
the attacker could then use this rule to his advantage. By changing
the source port of his attack or scan to port 53, the firewall will allow
all of his traffic through because it assumes it is DNS traffic.
Bypassing firewalls is a whole study in itself and one which is
very interesting, especially to those with a passion for networking, as it
normally involves misusing the way TCP and IP are supposed to
work. That said, firewalls today are becoming very sophisticated and
a well-installed firewall can severely thwart a would-be attacker's
plans.
It is important to remember the firewall does not look into the
data section of the packet, thus if you have a webserver that is
vulnerable to a CGI exploit and the firewall is set to allow traffic to it,
there is no way the firewall can stop an attacker from attacking the
webserver because it does not look at the data inside the packet.
This would be the job of an intrusion detection system (covered
further on).
Partitioning and Protecting Network Boundaries with Firewalls
A firewall is a mechanism by which a controlled barrier is used
to control network traffic into and out of an organizational intranet.
Firewalls are basically application-specific routers. They run on
dedicated embedded systems such as an Internet appliance, or they
can be software programs running on a general server platform. In
most cases these systems will have two network interfaces, one for
the external network such as the Internet and one for the internal
intranet side. The firewall process can tightly control what is allowed
to traverse from one side to the other. Firewalls can range from being
fairly simple to very complex.
As with most aspects of security, deciding what type of firewall
to use will depend upon factors such as traffic levels, services
needing protection and the complexity of rules required. The greater
the number of services that must be able to traverse the firewall, the
more complex the requirement becomes. The difficulty for the
firewall is distinguishing between legitimate and illegitimate traffic.
What do firewalls protect against and what protection do they not
provide? Firewalls are like a lot of things: if configured correctly they
can be a reasonable form of protection from external threats including
some denial of service (DoS) attacks. If not configured correctly they
can be major security holes in an organization. The most basic
protection a firewall provides is the ability to block network traffic to
certain destinations. This includes both IP addresses and particular
network service ports. A site that wishes to provide external access to
a web server can restrict all traffic to port 80 (the standard HTTP port).
Usually this restriction will only be applied for traffic originating from
the untrusted side. Traffic from the trusted side is not restricted. All
other traffic such as mail traffic, FTP, SNMP, etc. would not be allowed
across the firewall and into the intranet. An example of a simple
firewall is shown in [Figure 1].
Figure 1
An even simpler case is a firewall often used by people with
home or small business cable or DSL routers. Typically these
firewalls are set up to restrict ALL external access and only allow
services originating from the inside. A careful reader might realize
that in neither of these cases is the firewall actually blocking all traffic
from the outside. If that were the case, how could one surf the web
and retrieve web pages? What the firewall is doing is restricting
connection requests from the outside. In the first case all connection
requests from the inside are passed to the outside, as well as all
subsequent data transfer on that connection. From the exterior, only
a connection request to the web server is allowed to complete and
pass data, all others are blocked. The second case is more stringent
as connections can only be made from the interior to the exterior.
More complex firewall rules can utilize what is called stateful
inspection techniques. This approach adds to the basic port blocking
approach by looking at traffic behaviors and sequences to detect
spoof attacks and denial of service attacks.
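To make both points concrete, the misconfigured "anything from source port 53" rule from the Firewalls section and the two connection-request cases just described, here is an added Python simulation (not from the paper). The addresses are constructed from documentation ranges; the packet model and the rule sets are simplifications written for the example, not any real firewall's syntax.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str    # "in": untrusted -> trusted, "out": trusted -> untrusted
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP connection request (SYN set, ACK clear)


def port_only_filter(pkt: Packet) -> bool:
    """The misconfigured rule set from the text: publishes the web server and, 'so that
    everyone can resolve names', passes anything whose *source* port is 53."""
    if pkt.direction == "out":
        return True
    if pkt.proto == "tcp" and pkt.dst_port == 80:
        return True
    return pkt.src_port == 53    # the flaw: the remote peer chooses its own source port


class StatefulFilter:
    """Connection-request filtering as described in the text: traffic from the trusted side
    is not restricted, inbound traffic is accepted only as a reply to a flow the inside
    started, or as a connection request to an explicitly published service."""

    def __init__(self, published: Set[Tuple[str, int]]):
        self.published = published           # (proto, port) reachable from outside
        self.flows: Set[tuple] = set()       # 5-tuples of flows seen so far

    def __call__(self, pkt: Packet) -> bool:
        fwd = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.direction == "out":
            if rev not in self.flows:        # new flow opened from the inside
                self.flows.add(fwd)
            return True
        if rev in self.flows and not pkt.syn:
            return True                      # reply to a flow the inside opened
        if (pkt.proto, pkt.dst_port) in self.published:
            self.flows.add(fwd)              # accepted inbound connection request
            return True
        return False                         # unsolicited inbound traffic


# Constructed hosts and traffic (documentation address ranges).
INSIDE_HOST, WEB_SERVER = "10.0.0.5", "10.0.0.80"
RESOLVER, CLIENT, SCANNER = "198.51.100.53", "203.0.113.7", "203.0.113.9"
TRAFFIC = [
    ("dns query", Packet("out", "udp", INSIDE_HOST, 40000, RESOLVER, 53)),
    ("dns reply", Packet("in", "udp", RESOLVER, 53, INSIDE_HOST, 40000)),
    ("web request", Packet("in", "tcp", CLIENT, 51515, WEB_SERVER, 80, syn=True)),
    ("ssh probe from port 53", Packet("in", "tcp", SCANNER, 53, INSIDE_HOST, 22, syn=True)),
    ("unsolicited udp from port 53", Packet("in", "udp", SCANNER, 53, INSIDE_HOST, 40001)),
]


def evaluate(filt: Callable[[Packet], bool]) -> Dict[str, bool]:
    """Run the traffic through a filter in order (order matters for the stateful one)."""
    return {label: filt(pkt) for label, pkt in TRAFFIC}


if __name__ == "__main__":
    for name, filt in (("port-only rules", port_only_filter),
                       ("stateful, web published", StatefulFilter({("tcp", 80)})),
                       ("stateful, home router", StatefulFilter(set()))):
        print(name)
        for label, allowed in evaluate(filt).items():
            print(f"  {label:30} {'pass' if allowed else 'DROP'}")
```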
Anti-Virus System
Everyone is familiar with the desktop version of anti-virus
packages like Norton Antivirus and McAfee. The way these operate is
fairly simple -- when researchers find a new virus, they figure out
some unique characteristic it has (maybe a registry key it creates or a
file it replaces) and out of this they write the virus 'signature'.
The whole load of signatures that your antivirus scans for is what
is known as the virus 'definitions'. This is the reason why keeping
your virus definitions up-to-date is very important. Many anti-virus
packages have an auto-update feature for you to download the latest
definitions. The scanning ability of your software is only as good as
the date of your definitions. In the enterprise, it is very common for
admins to install anti-virus software on all machines, but there is no
policy for regular update of the definitions. This is meaningless
protection and serves only to provide a false sense of security.
With the recent spread of email viruses, anti-virus software at
the MTA (Mail Transfer Agent, also known as the 'mail server') is
becoming increasingly popular. The mail server will automatically
scan any email it receives for viruses and quarantine the infections.
The idea is that since all mail passes through the MTA, this is the
logical point to scan for viruses. Given that most mail servers have a
permanent connection to the Internet, they can regularly download
the latest definitions. On the downside, these can be evaded quite
simply. If you zip up the infected file or trojan, or encrypt it, the anti-
virus system may not be able to scan it.
End users must be taught how to respond to anti-virus alerts.
This is especially true in the enterprise -- an attacker doesn't need to
try and bypass your fortress-like firewall if all he has to do is email
trojans to a lot of people in the company. It just takes one uninformed
user to open the infected package and he will have a backdoor to the
internal network.
It is advisable that the IT department gives a brief seminar on
how to handle email from untrusted sources and how to deal with
attachments. These are very common attack vectors simply because
you may harden a computer system as much as you like, but the
weak point still remains the user who operates it. As crackers say
'The human is the path of least resistance into the network'.
Tools an Attacker Uses
General Network Tools
As surprising as it might sound, some of the most powerful
tools, especially in the beginning stages of an attack, are the regular
network tools available with most operating systems. For example,
an attacker will usually query the 'whois' databases for information
on the target. After that he might use 'nslookup' to see if he can
transfer the whole contents of their DNS zone (called a zone transfer
-- big surprise!). This will let him identify high-profile targets such as
web servers, mail servers, DNS servers etc. He might also be able to
figure out what different systems do based on their DNS name -- for
example sqlserver.victim.com would most likely be a database
server. Other important tools include traceroute to map the network
and ping to check which hosts are alive. You should make sure your
firewall blocks ping requests and traceroute packets.
Exploits
An exploit is a generic term for the code that actually 'exploits' a
vulnerability in a system. The exploit can be a script that causes the
target machine to crash in a controlled manner (e.g. a buffer overflow)
or it could be a program that takes advantage of a misconfiguration.
A 0-day exploit is an exploit that is unknown to the security
community as a whole. Since most vulnerabilities are patched within
24 hours, 0-day exploits are the ones that the vendor has not yet
released a patch for. Attackers keep large collections of exploits for
different systems and different services, so when they attack a
network, they find a host running a vulnerable version of some
service and then use the relevant exploit.
Port Scanners
Most of you will know what portscanners are. Any system that
offers TCP or UDP services will have an open port for that service.
For example if you're serving up webpages, you'll likely have TCP
port 80 open, FTP is TCP port 20/21, Telnet is TCP 23, SNMP is
UDP port 161 and so on. A portscanner scans a host or a range of
hosts to determine what ports are open and what service is running
on them. This tells the attacker which systems can be attacked.
For example, if I scan a webserver and find that port 80 is running an
old webserver -- IIS/4.0, I can target this system with my collection of
exploits for IIS 4. Usually the port scanning will be conducted at the
start of the attack, to determine which hosts are interesting. This is
when the attacker is still footprinting the network -- feeling his way
around to get an idea of what type of services are offered and what
operating systems are in use etc. One of the best portscanners
around is Nmap (http://www.insecure.org/nmap). Nmap runs on just
about every operating system, is very versatile in how it lets you scan
a system and has many features including OS fingerprinting, service
version scanning and stealth scanning. Another popular scanner is
Superscan (http://www.foundstone.com) which is only for the
Windows platform.
Network Sniffers
A network sniffer puts the computer's NIC (network interface
card or LAN card) into 'promiscuous mode'. In this mode, the NIC
picks up all the traffic on its subnet regardless of whether it was
meant for it or not. Attackers set up sniffers so that they can capture
all the network traffic and pull out logins and passwords. The most
popular network sniffer is TCPdump as it can be run from the
command line -- which is usually the level of access a remote
attacker will get. Other popular sniffers are Iris and Ethereal. When
the target network is a switched environment (a network which uses
layer 2 switches), a conventional network sniffer will not be of any
use. For such cases, the switched network sniffer Ettercap
(http://ettercap.sourceforge.net) and WireShark
(http://www.wireshark.org) are very popular. Such programs are
usually run with other hacking capable applications that allow the
attacker to collect passwords, hijack sessions, modify ongoing
connections and kill connections. Such programs can even sniff
secured communications like SSL (used for secure webpages) and
SSH1 (Secure Shell - a remote access service like telnet, but
encrypted).
Vulnerability Scanners
A vulnerability scanner is like a portscanner on steroids: once it
has identified which services are running, it checks the system
against a large database of known vulnerabilities and then prepares a
report on what security holes are found. The software can be updated
to scan for the latest security holes. Unfortunately, these tools are
very simple to use, so many script kiddies simply point them at a
target machine to find out what they can attack. The most popular
ones are Retina (http://www.eeye.com), Nessus
(http://www.nessus.org) and GFI LanScan (http://www.gfi.com).
These are very useful tools for admins as well, as they can scan their
whole network and get a detailed summary of what holes exist.
Password Crackers
Once an attacker has gained some level of access, he/she
usually goes after the password file on the relevant machine. In UNIX-
like systems this is the /etc/passwd or /etc/shadow file and in
Windows it is the SAM database. Once he gets hold of this file, it's
usually game over; he runs it through a password cracker that will
usually guarantee him further access. Running a password cracker
against your own password files can be a scary and enlightening
experience. L0phtcrack cracked my old password fR7x!5kK after
being left on for just one night!
There are essentially two methods of password cracking:
Dictionary Mode - In this mode, the attacker feeds the cracker
a word list of common passwords such as 'abc123' or
'password'. The cracker will try each of these passwords and
note where it gets a match. This mode is useful when the
attacker knows something about the target. Say I know that the
passwords for the servers in your business are the names of
Greek Gods (yes Chris, that's a shout-out to you ;)); I can find a
dictionary list of Greek God names and run it through the
password cracker.
Most attackers have a large collection of wordlists. For example,
when I do penetration testing work, I usually use common
password lists, Indian name lists and a couple of customized lists
based on what I know about the company (usually data I pick up
from their company website). Many people think that adding on a
couple of numbers at the start or end of a password (for example
'superman99') makes the password very difficult to crack. This is a
myth, as most password crackers have the option of adding
numbers to the end of words from the wordlist. While it may take
the attacker 30 minutes more to crack your password, it does not
make it much more secure.
Brute Force Mode - In this mode, the password cracker will try
every possible combination for the password. In other words it
will try aaaaa, aaaab, aaaac, aaaad etc. This method will crack
every possible password -- it's just a matter of how long it takes.
It can turn up surprising results because of the power of
modern computers. A 5-6 character alphanumeric password is
crackable within a matter of a few hours or maybe a few days,
depending on the speed of the software and machine. Powerful
crackers include L0phtcrack for Windows passwords and John
the Ripper for UNIX style passwords.
For each category, I have listed one or two tools as an
example. At the end of this article I will present a more detailed list
of tools with descriptions and possible uses.
Password Attacks
Password-guessing attacks are one of the most popular
aspects of penetration testing. Passwords come from a lot of places:
you can guess them, you can find them lying around in files, and in
some cases, you can obtain them from the operating system.
Passwords obtained from the operating system are sometimes in the
clear or are reversibly encrypted, and sometimes they are stored as a
hash, often known as a password verifier. A hashing function is
designed to take an input and convert it to an output in a non-
reversible manner, so you will sometimes see password verifiers
referred to as an OWF (one-way function).
Password hashes are typically attacked (or cracked) using a
combination of dictionary attacks and brute-force methods. With a
dictionary attack, the attacker obtains a large list of words and feeds
the list and the password hashes to the cracking tool. A brute force
attack in its simplest form iterates through all possible passwords
using a specified character set. For example, aaa would be followed
by aab, aac, and so on. Although password attacks seem simple,
there can be more to them than is obvious at first.
Where to Find Passwords
Passwords are found in many places. Most likely, they will be
associated with user accounts, either locally or collected into a
domain. Passwords can also frequently be found in places like the
following:
In batch files and scripts
On Web pages
In helpful applications and operating systems that offer to
save passwords for you
In service accounts, and in DCOM objects configured to
run as a particular user
Under users' keyboards and on sticky notes on the
monitor
In Microsoft Excel spreadsheets hidden on a share
In text files, such as AdminPasswords.txt, that are hidden
deep inside a server the user hopes you'll never get into
On the network, especially where services accepting
clear-text passwords run
In files left during software installation
In Simple Network Management Protocol (SNMP) community
strings
Associated with password-protected files
All the locations in the preceding list were used during actual
penetration tests. One penetration tester who worked for a
major auditing firm had a batch file that he ran on systems to
collect all the file types he knew about that might contain
passwords. It is a useful approach. Remember that automated
tools don't do a very good job of finding passwords hidden in
odd places, so this batch file technique will often get you into
systems even where routine network scans occur.
Brute Force Attacks
A brute force attack typically consists of two different
approaches: the first approach is a dictionary attack, and the second
approach is to simply try all possible passwords within a key space.
These two approaches can be combined, either by appending all
possible characters to a dictionary word or by making common
substitutions, such as 1 for I, or 4 for a. Brute force attacks can be
launched against both online systems and password hashes that
you have obtained.
Performing these attacks seems simple, but there are some
twists you need to take into account. Let's also get an idea of the
scale of the problem. In general, the number of possible passwords is
given by:
Number of Passwords = (key space)^length

Number of Possible Passwords for Common Scenarios
Key space                                 Possible characters   Length   Number of passwords
Case-insensitive alpha characters (a-z)            26             7        8.03E+09
Case-sensitive alpha characters                    52             7        1.03E+12
Alphanumeric characters                            62             7        3.52E+12
US English keyboard characters                     94             7        6.48E+13
Case-insensitive alpha characters (a-z)            26             7        1.68E+21
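As an added worked example (not part of the original paper), the following Python evaluates the formula above for the table's rows, enumerates candidates in the aaa, aab, aac order the text describes, and turns an assumed attacker guess rate into a minimum password length, which is how a defender uses the same arithmetic. Two things to note: 1.68E+21 is 26 raised to the 15th power, not the 7th (26^7 is the 8.03E+09 of the first row), so the example computes that last count with length 15; and while the online rate of 50 guesses per minute is the figure this paper quotes for online testing, the offline rate of a billion hashes per second is an assumption of the example.

```python
"""Key-space arithmetic for the password table: an added example, not the
paper's own code.  The guess rates used in demo() are assumptions."""
import itertools

# Character-set sizes as the table lists them (constructed from the page).
KEY_SPACES = {
    "case-insensitive alpha (a-z)": 26,
    "case-sensitive alpha": 52,
    "alphanumeric": 62,
    "US English keyboard": 94,
}


def number_of_passwords(key_space: int, length: int) -> int:
    """Number of Passwords = (key space) ^ length, the formula from the text."""
    return key_space ** length


def format_scientific(n: int) -> str:
    """Render a count the way the table does, e.g. 8.03E+09."""
    return f"{n:.2E}"


def exhaustive_search_seconds(key_space: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried once (on average half are needed)."""
    return number_of_passwords(key_space, length) / guesses_per_second


def first_candidates(alphabet: str, length: int, count: int) -> list:
    """The 'aaa, aab, aac, ...' enumeration the text describes, via itertools.product."""
    candidates = itertools.product(alphabet, repeat=length)
    return ["".join(chars) for chars in itertools.islice(candidates, count)]


def minimum_length_for_budget(key_space: int, guesses_per_second: float, years: float) -> int:
    """Smallest length whose full search takes longer than `years` at the given
    rate; this turns an assumed attacker budget into a password-policy minimum."""
    budget = guesses_per_second * years * 365 * 24 * 3600
    length = 1
    while number_of_passwords(key_space, length) <= budget:
        length += 1
    return length


def demo() -> dict:
    """Search times for the table's 7-character rows under two assumed rates."""
    online_rate = 50 / 60       # 50 guesses/minute: the online figure the text quotes
    offline_rate = 1e9          # assumption: one billion hashes/second for an offline cracker
    seconds_per_year = 365 * 24 * 3600
    rows = {}
    for name, k in KEY_SPACES.items():
        rows[name] = {
            "count": format_scientific(number_of_passwords(k, 7)),
            "online_years": exhaustive_search_seconds(k, 7, online_rate) / seconds_per_year,
            "offline_hours": exhaustive_search_seconds(k, 7, offline_rate) / 3600,
        }
    return rows


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:30s} {row['count']}  online {row['online_years']:.2e} years, "
              f"offline {row['offline_hours']:.1f} h")
    print("first candidates:", first_candidates("abc", 3, 5))
    print("min length, 94-char set, 1e9 guesses/s, 10-year budget:",
          minimum_length_for_budget(94, 1e9, 10))
```

The point of minimum_length_for_budget is that the table's 7-character rows are only a snapshot: the length a policy should require depends on the rate an attacker can achieve against your hashes, which is why the online and offline cases differ by many orders of magnitude.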
Online Password Testing
Online password testing is the process of attempting to find
passwords by attempting a logon. Any service that allows you to
authenticate can be used. Online password testing (sometimes called
password grinding) is much slower than offline testing: a typical
password attempt rate might be on the order of 50 passwords a
minute. As you might imagine, a true brute force attack takes a lot
longer. Under these conditions, trying millions of passwords simply
isn't an option. A better approach is a dictionary attack. The following
password types will get you into many networks:
Blank - Using no password is much too common an
occurrence.
'password' as the password - This is the most common
non-blank password, even in non-English speaking
countries.
Password same as machine name - Try lowercase,
uppercase and mixed-case variations.
There are a number of issues to be concerned about with
online password testing: locking out accounts, placing load on
the system, and being detected. Account lockouts, especially
permanent lockouts, can create a serious denial of service
(DoS) condition. Most operating systems and network devices
can be configured to lock out accounts based on a certain
number of failed passwords, the length of time between
failures, and the length of lockout. You can use certain
strategies to determine whether lockouts are in place, but first,
experiment. Before you crank up a tool that will grind away at
the passwords for an entire domain, try your strategy on one
user and see what happens. In some cases, you will be able to
determine that you are being locked out. Windows systems will
tell you the lockout policy if you have user-level access.
If you are faced with lockouts, one strategy is to try a
single password for all the users, then start the user list over
again with the next password. However, a very large user
database might keep you from trying passwords often enough to
cause lockouts. If you are checking a small user database, all
you can do is try fewer passwords than will trigger a lockout,
wait, and then try some more. Typically, you won't find many
passwords using brute force attacks. On most networks, you
can get into plenty of systems using the very weak passwords
listed earlier. One exception to this is when you find a password
by other means and you want to discover where else it is used.
For example, if you find one system for which the administrator
password is Passw0rd!, you should check other systems for
use of the password. Frequently, checking other systems on
the network for a discovered password is a productive
approach.
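The lockout discussion above only touches the defender's side of online password testing. As an added example (not from the paper), here is detection logic that can be run over authentication logs to flag the two patterns just described: one source trying a single password across many accounts, which per-account lockout counters never trip on, and repeated failures against one account. The log format, the account names and the addresses are all constructed for the example; a real deployment would parse its own authentication log format.

```python
"""Detect online password guessing in authentication logs.
Added example, not the paper's code; the log format is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (syslog-like, not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01 auth FAIL user=alice src=203.0.113.7
2024-03-01T10:00:02 auth FAIL user=bob src=203.0.113.7
2024-03-01T10:00:03 auth FAIL user=carol src=203.0.113.7
2024-03-01T10:00:04 auth FAIL user=dave src=203.0.113.7
2024-03-01T10:00:05 auth FAIL user=erin src=203.0.113.7
2024-03-01T10:00:06 auth OK   user=frank src=203.0.113.7
2024-03-01T10:00:30 auth FAIL user=alice src=198.51.100.9
2024-03-01T10:00:31 auth FAIL user=alice src=198.51.100.9
2024-03-01T10:05:00 auth FAIL user=alice src=198.51.100.9
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text: str) -> list:
    """Parse log lines into event dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def _windowed_max(events, key, value, window):
    """Per key, the largest number of distinct `value`s among FAIL events that
    fall inside any trailing window of length `window` (simple sliding window)."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_key[key(e)].append(e)
    result = {}
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, cur in enumerate(evs):
            start = cur["ts"] - window
            distinct = {value(e) for e in evs[: i + 1] if e["ts"] >= start}
            best = max(best, len(distinct))
        result[k] = best
    return result


def detect_spray(events, window=timedelta(minutes=1), min_users=4) -> dict:
    """Password spraying: one source failing against many distinct accounts.
    Per-account lockout counters never trip on this, so count per source."""
    counts = _windowed_max(events, key=lambda e: e["src"],
                           value=lambda e: e["user"], window=window)
    return {src: n for src, n in counts.items() if n >= min_users}


def detect_brute(events, window=timedelta(minutes=1), min_failures=5) -> dict:
    """Classic guessing: many failures against one (source, account) pair."""
    counts = _windowed_max(events, key=lambda e: (e["src"], e["user"]),
                           value=id, window=window)  # id(): every failure counts once
    return {k: n for k, n in counts.items() if n >= min_failures}


def successes_from_flagged_sources(events, flagged) -> list:
    """A successful logon from a source already flagged is the alert that matters."""
    return [(e["src"], e["user"]) for e in events
            if e["result"] == "OK" and e["src"] in flagged]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    spray = detect_spray(evs)
    print("spray sources:", spray)
    print("brute-force pairs:", detect_brute(evs, min_failures=2))
    print("successes after spray:", successes_from_flagged_sources(evs, spray))
```

The thresholds (four distinct users in a minute, five failures per account) are starting points to tune against the network's own baseline; the important design choice is that spraying is counted per source rather than per account, because the whole point of the attacker's one-password-per-pass strategy is to stay under the per-account lockout count.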
Offline Password Testing
Offline password testing is sometimes known as cracking
passwords and is named after crack, a tool created by Alec
Muffett to test passwords from UNIX systems' password files.
There are a number of these tools, so a feature comparison is not
feasible here.
Threats to Web Services
Threats to Web services differ from service to service, but here
are some common threats that you should look for in your penetration
tests (assuming your organization provides a Web Service):
Unauthorized Access
Network Sniffing
Tampering
Information Disclosure
Unauthorized Access
Unless your organization provides free public Web Services,
special care should be taken to ensure that only authorized users are
accessing these services. This is even more important when your
Web Services handle sensitive information such as credit card
numbers and social security numbers. When you are testing your
organization's Web Service for unauthorized access threats, look for
credentials being passed as clear-text in SOAP messages, use of
weak authentication schemes, or worse yet, no authentication at all.
Countermeasures
Your organization should be protecting its web services
from unauthorized use with mechanisms such as password
digests, Kerberos tickets, or X.509 certificates in SOAP
authentication headers.
Network Sniffing
Network sniffing refers to an attacker eavesdropping on
communications between hosts. Your organization's Web service
could be transmitting sensitive data, so the communications of these
services are prime targets for attackers. Attackers might also try at a
later time to replay the communications they have captured. During
your penetration tests, look for weaknesses such as transmitting
credentials clear-text in SOAP messages, failing to use transport
security, and not authenticating messages.
Countermeasures
In addition to the general countermeasures to network sniffing
threats, there are those provided by the Web Services
Enhancements (WSE) for the .NET Framework.
Tampering
Even though messages are routed between your organization's
Web Services and clients, attackers might try to tamper with the
data in those messages, through MITM attacks for example. Look for
Web Service communications that are not protected by transport
security or by some authentication scheme.
Countermeasures
Digitally signing messages can provide recipients with
confirmation that communications have not been modified.
Also, communicating over secure transports will greatly help in
mitigating tampering threats.
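The sniffing section above warns about captured messages being replayed, and this section about messages being modified in transit. As an added example that serves both passages (it is neither the paper's nor WSE's code), the following Python authenticates each message with an HMAC over a canonical serialization and rejects replays with a timestamp window plus a nonce cache. The shared key and the messages are constructed for the demo; in practice the key would be established through the Kerberos or X.509 mechanisms the text mentions, and the MAC would complement, not replace, transport security.

```python
"""Message authentication with replay protection for service messages.
Added example: not WSE's or the paper's code.  The shared key and the
messages are constructed; a real key would come from Kerberos or X.509."""
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"constructed-demo-key-do-not-deploy"  # assumption for the demo


def _canonical(envelope: dict) -> bytes:
    """Deterministic serialization: the MAC must cover exactly the bytes the
    verifier will rebuild, so key order and spacing are fixed."""
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key: bytes, now: int, nonce: str = None) -> dict:
    """Wrap a payload with a nonce and timestamp, then MAC the whole envelope."""
    envelope = {"nonce": nonce or secrets.token_hex(16), "timestamp": int(now),
                "payload": payload}
    envelope["mac"] = hmac.new(key, _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class Verifier:
    """Checks integrity (MAC), freshness (timestamp) and uniqueness (nonce)."""

    def __init__(self, key: bytes, max_skew: int = 300):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> time after which it can be forgotten

    def verify(self, message: dict, now: int):
        msg = dict(message)
        mac = msg.pop("mac", None)
        if mac is None:
            return False, "missing mac"
        expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return False, "bad mac (tampered or wrong key)"
        if abs(now - msg["timestamp"]) > self.max_skew:
            return False, "stale timestamp"
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}  # expire old nonces
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[msg["nonce"]] = now + self.max_skew
        return True, "ok"


def demo() -> list:
    """Constructed scenario: a valid message, its replay, a tampered copy, an old one."""
    verifier = Verifier(SHARED_KEY)
    t = 1_700_000_000
    msg = sign({"op": "transfer", "amount": 100}, SHARED_KEY, now=t, nonce="n1")
    results = [verifier.verify(msg, t + 1)[1]]           # accepted
    results.append(verifier.verify(msg, t + 2)[1])       # same nonce again: replay
    tampered = dict(msg)
    tampered["payload"] = {"op": "transfer", "amount": 100000}
    results.append(verifier.verify(tampered, t + 3)[1])  # MAC no longer matches
    old = sign({"op": "ping"}, SHARED_KEY, now=t - 3600, nonce="n2")
    results.append(verifier.verify(old, t)[1])           # valid MAC but too old
    return results


if __name__ == "__main__":
    print(demo())
```

The timestamp bounds how long the nonce cache has to remember anything, which is what keeps the replay check cheap; the MAC is checked before the freshness checks so that an attacker cannot use the rejection reason to learn anything about unauthenticated input.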
Information Disclosure
Your organization's Web service might expose extraneous
information in error messages that could aid an attacker in later
attacks. Look for detailed exception traces caused by improperly
handled exception data. Also, look for configuration data about your
organization's Web service, such as the Web Service Description Language
(WSDL) file (static or dynamically generated), that might be exposed
to unauthorized users.
Countermeasures
Perform a code and design review of your organization's
Web service to ensure that all exceptions are being caught,
especially those that inherit from
System.Web.Services.Protocols.SoapException. Protect WSDL files
with access control lists (ACLs), and disable documentation protocols
that dynamically generate this data if these protocols are not
required.
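The exception-handling countermeasure above is a pattern rather than a .NET-specific feature. As an added example in Python (not the paper's code, and not the .NET classes it names), the following wrapper shows the shape of it: deliberate faults carry a generic client message, anything unexpected is logged in full on the server side, and the client receives only an incident identifier that a support engineer can correlate with the log. The service method and its data are constructed for the example.

```python
"""Keep exception detail in the server log; return a generic fault to the caller.
Added example showing the pattern in Python, not the .NET code the text refers to."""
import logging
import traceback
import uuid

log = logging.getLogger("webservice")


class ServiceFault(Exception):
    """Client-facing fault whose message is deliberately generic."""


def guarded(handler):
    """Wrap a service method so that unexpected exceptions never reach the
    client verbatim; an incident id correlates the client's report with the log."""
    def wrapper(request: dict) -> dict:
        try:
            return {"result": handler(request)}
        except ServiceFault as fault:
            return {"fault": str(fault)}
        except Exception:  # anything else is a bug: log it fully, tell the client nothing
            incident = uuid.uuid4().hex
            log.error("incident %s in %s:\n%s", incident, handler.__name__,
                      traceback.format_exc())
            return {"fault": "internal error", "incident": incident}
    wrapper.__name__ = handler.__name__
    return wrapper


@guarded
def lookup_account(request: dict) -> str:
    """Constructed service method: raises KeyError on an unknown id."""
    accounts = {"1001": "alice", "1002": "bob"}   # constructed data
    if "id" not in request:
        raise ServiceFault("missing parameter: id")
    return accounts[request["id"]]


def leaks_detail(response: dict) -> bool:
    """True if a response contains the kind of detail a stack trace would expose."""
    text = str(response)
    return "Traceback" in text or "KeyError" in text or ".py" in text


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(lookup_account({"id": "1001"}))
    print(lookup_account({"id": "9999"}))
    print(lookup_account({}))
```

The leaks_detail helper is the kind of check a penetration test of the service would automate: drive the endpoint with malformed input and assert that no response ever contains a trace, a file path or an internal exception type.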
Intrusion Detection System
An intrusion detection system (IDS) monitors network traffic
for suspicious activity and alerts the system or network
administrator. In some cases the IDS may also respond to anomalous
or malicious traffic by taking action such as blocking the user or
source IP address from accessing the network.
IDS come in a variety of flavors and approach the goal of
detecting suspicious traffic in different ways. There are network
based (NIDS) and host based (HIDS) intrusion detection systems.
There are IDS that detect based on looking for specific signatures of
known threats - similar to the way antivirus software typically detects
and protects against malware - and there are IDS that detect based
on comparing traffic patterns against a baseline and looking for
anomalies. There are IDS that simply monitor and alert and there are
IDS that perform an action or actions in response to a detected
threat. We'll cover each of these briefly.
IDS's have become the 'next big thing' the way firewalls were
some time ago. There are basically two types of Intrusion Detection
Systems:
Host based IDS
Network based IDS
Host based IDS - These are installed on a particular important
machine (usually a server or some important target) and are tasked
with making sure that the system state matches a particular set
baseline. For example, the popular file-integrity checker Tripwire --
this program is run on the target machine just after it has been
installed. It creates a database of file signatures for the system and
regularly checks the current system files against their known 'safe'
signatures. If a file has been changed, the administrator is alerted.
This works very well as most attackers will replace a common system
file with a trojaned version to give them backdoor access.
Network based IDS - These are more popular and quite easy to
install. Basically they consist of a normal network sniffer running in
promiscuous mode (in this mode the network card picks up all traffic
even if it's not meant for it). The sniffer is attached to a database of
known attack signatures and the IDS analyses each packet that it
picks up to check for known attacks. For example a common web
attack might contain the string '/system32/cmd.exe?' in the URL. The
IDS will have a match for this in the database and will alert the
administrator.
Newer IDS' support active prevention of attacks - instead of just
alerting an administrator, the IDS can dynamically update the firewall
rules to disallow traffic from the attacking IP address for some
amount of time. Or the IDS can use 'session sniping' to fool both
sides of the connection into closing down so that the attack cannot be
completed.
Unfortunately IDS systems generate a lot of false positives (a
false positive is basically a false alarm, where the IDS sees legitimate
traffic and for some reason matches it against an attack pattern). This
tempts a lot of administrators into turning them off or, even worse,
not bothering to read the logs. This may result in an actual attack
being missed.
NIDS
Network Intrusion Detection Systems are placed at a strategic
point or points within the network to monitor traffic to and from all
devices on the network. Ideally you would scan all inbound and
outbound traffic; however, doing so might create a bottleneck that
would impair the overall speed of the network.
HIDS
Host Intrusion Detection Systems are run on individual hosts or
devices on the network. A HIDS monitors the inbound and outbound
packets from the device only and will alert the user or administrator if
suspicious activity is detected.
Signature Based
A signature based IDS will monitor packets on the network and
compare them against a database of signatures or attributes from
known malicious threats. This is similar to the way most antivirus
software detects malware. The issue is that there will be a lag
between a new threat being discovered in the wild and the signature
for detecting that threat being applied to your IDS. During that lag
time your IDS would be unable to detect the new threat.
Anomaly Based
An IDS which is anomaly based will monitor network traffic and
compare it against an established baseline. The baseline will identify
what is normal for that network - what sort of bandwidth is generally
used, what protocols are used, what ports and devices generally
connect to each other - and alert the administrator or user when traffic
is detected which is anomalous, or significantly different, from the
baseline.
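As an added example covering both the signature-based and the anomaly-based sections (this is not the code of any IDS), the following Python runs a small signature database over constructed HTTP request lines, including the '/system32/cmd.exe?' pattern the text cites, and then learns a per-host baseline of destination ports and flow sizes from constructed flow records and flags departures from it. The second part illustrates the signature lag problem: the flow to a never-before-seen port matches no signature but is caught by the baseline. All addresses, requests and flow records are constructed.

```python
"""Signature matching and baseline anomaly checks over constructed records.
Added example of the two detection styles described above; not any IDS's code."""
import re
from collections import defaultdict

# Signature database (constructed).  The cmd.exe pattern is the one the text cites.
SIGNATURES = [
    ("cmd.exe via system32 in URL", re.compile(r"/system32/cmd\.exe\?", re.IGNORECASE)),
    ("path traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE)),
]

# Constructed request lines, as a sniffer might reassemble them: (source, request line).
REQUESTS = [
    ("10.0.0.5", "GET /index.html HTTP/1.1"),
    ("10.0.0.9", "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    ("10.0.0.5", "GET /images/logo.png HTTP/1.1"),
    ("10.0.0.12", "GET /../../etc/passwd HTTP/1.0"),
]

# Constructed flow records: (source, destination, destination port, bytes).
BASELINE_FLOWS = ([("10.0.0.5", "10.0.0.1", 53, 120)] * 20
                  + [("10.0.0.5", "192.0.2.10", 443, 4000)] * 30
                  + [("10.0.0.9", "192.0.2.10", 80, 2500)] * 25)
NEW_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443, 3900),      # normal
    ("10.0.0.5", "198.51.100.7", 6667, 800),    # never-seen port (IRC): no signature matches
    ("10.0.0.9", "192.0.2.10", 80, 2600),       # normal
    ("10.0.0.9", "192.0.2.10", 80, 250000),     # 100x the host's usual flow size
]


def signature_alerts(requests) -> list:
    """Signature-based: alert on every request matching a known pattern."""
    return [(src, name) for src, line in requests
            for name, pattern in SIGNATURES if pattern.search(line)]


def learn_baseline(flows) -> dict:
    """Anomaly-based, step 1: per source, which ports it talks to and its mean flow size."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for src, _dst, port, nbytes in flows:
        ports[src].add(port)
        sizes[src].append(nbytes)
    return {src: {"ports": ports[src], "mean_bytes": sum(sizes[src]) / len(sizes[src])}
            for src in ports}


def anomaly_alerts(flows, baseline: dict, factor: float = 10.0) -> list:
    """Anomaly-based, step 2: flag departures from the learned profile."""
    alerts = []
    for src, _dst, port, nbytes in flows:
        profile = baseline.get(src)
        if profile is None:
            alerts.append((src, "unknown source host"))
            continue
        if port not in profile["ports"]:
            alerts.append((src, f"new destination port {port}"))
        if nbytes > factor * profile["mean_bytes"]:
            alerts.append((src, f"flow of {nbytes} bytes exceeds {factor:g}x baseline mean"))
    return alerts


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(REQUESTS))
    print("anomaly alerts:", anomaly_alerts(NEW_FLOWS, learn_baseline(BASELINE_FLOWS)))
```

The trade-off the two sections describe is visible in the code: the signature list is precise but knows nothing it was not told, while the baseline catches the unknown but will also flag a legitimately new service until the baseline is re-learned, which is where the false positives the text complains about come from.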
Intrusion Prevention Systems
Prevent Network Intrusion
The criminal act of breaking into computer networks, one
definition of hacking, poses a major threat to everyone connected to
the Internet. It threatens infiltration, loss of proprietary data, fraud,
destruction and operational paralysis. The more prominent the
organization is, the greater its risk is of being hacked and the bigger
the challenge (and thus payoff) is for an illegal hacker.
As hackers use their genius to develop sophisticated tools to
realize their unlawful aims, businesses must take every precaution to
prevent successful attacks. Firewalls have become ineffective as
attacks move to the application level. Anti-virus programs are also not
enough as they offer only reactive measures. Organizations must
deploy a comprehensive network intrusion prevention system to
constantly map and monitor activities to prevent hackers from slipping
anything past their network's defenses.
These include:
Vulnerability-based threats such as:
Worms and BotNets
Trojan horses and the creation of backdoors
Vendor-specific exploitation vulnerabilities in products
e.g., Microsoft, Oracle
Exploitation of vulnerabilities in applications such as
web, mail, VoIP, DNS, SQL
Spyware, Phishing, anonymizers
Non-vulnerability-based threats that misuse application
and server resources such as:
Server brute force attacks; misuse of server
authentication/authorization schemes
Web application vulnerability scanning
SIP application scanning
SIP application flooding
Strengthen Your Defenses
Intrusion prevention systems (IPSs) are an integral part of a
defense approach, since there aren't other devices which exercise
access control to protect computers from exploitation. IPSs were
invented to resolve ambiguities in passive network monitoring by
placing detection systems in-line (regarded by some to be an
extension of intrusion detection system [IDS] technology, IPS
technology is actually another form of access control, like an
application-layer firewall). IPSs are a considerable improvement upon
firewall technologies as they make access control decisions based on
application content, rather than IP addresses or ports as is done by
traditional firewalls.
The advanced intrusion detection and prevention capabilities
offered by the DefensePro IPS, NBA, DoS and Reputation Service
provide maximum protection for network elements, hosts and
applications. It is composed of different application-level protection
features to prevent intrusion attempts such as worms, Trojan horses
and single-bullet attacks, facilitating complete and high-speed
cleansing of all malicious intrusions.
Features include:
Vulnerability-based signature protection powered by Radware's
Security Update Service
Zero-day worm propagation prevention
Anti-scanning protection
Security reports
Methods of attack will continue to evolve, increasing in
complexity and becoming at once more dangerous and difficult to
detect. To effectively protect their network and its users, network
intrusion prevention systems need to be one step ahead of any
threat. Based on adaptive behavioral-based and signature based
technologies, Radware's Intrusion Prevention System and network
security solutions provide organizations with integrated network
intrusion prevention and Denial of Service (DoS) protection. These
defend against both network- and application-level attacks, delivering
a holistic approach to application- and network-level threats, while
enhancing the overall performance of security across the
organization.
What is Malware?
Malware (malicious software) is any program that works
against the interest of the system's user or owner. Viruses, worms,
Trojans, and bots are all part of a class of software called malware.
Malware or malicious code (malcode) is short for malicious software.
It is code or software that is specifically designed to damage, disrupt,
steal, or in general inflict some other bad or illegitimate action on
data, hosts, or networks.
There are many different classes of malware that have varying
ways of infecting systems and propagating themselves. Malware can
infect systems by being bundled with other programs or attached as
macros to files. Others are installed by exploiting a known
vulnerability in an operating system (OS), network device, or other
software, such as a hole in a browser that only requires users to visit
a website to infect their computers. The vast majority, however, are
installed by some action from a user, such as clicking an e-mail
attachment or downloading a file from the Internet.
Some of the more commonly known types of malware are
viruses, worms, Trojans, bots, back doors, spyware, and adware.
Damage from malware varies from causing minor irritation (such as
browser popup ads), to stealing confidential information or money,
destroying data, and compromising and/or entirely disabling systems
and networks.
Malware cannot damage the physical hardware of systems and
network equipment, but it can damage the data and software residing
on the equipment. Malware should also not be confused with
defective software, which is intended for legitimate purposes but has
errors or bugs.
Classes of Malicious Software
Two of the most common types of malware are viruses and
worms. These types of programs are able to self-replicate and can
spread copies of themselves, which might even be modified copies.
To be classified as a virus or worm, malware must have the ability to
propagate. The difference is that a worm operates more or less
independently of other files, whereas a virus depends on a host
program to spread itself. These and other classes of malicious
software are described below.
Viruses
A computer virus is a type of malware that propagates by
inserting a copy of itself into and becoming part of another program. It
spreads from one computer to another, leaving infections as it travels.
Viruses can range in severity from causing mildly annoying effects to
damaging data or software and causing denial-of-service (DoS)
conditions. Almost all viruses are attached to an executable file,
which means the virus may exist on a system but will not be active or
able to spread until a user runs or opens the malicious host file or
program. When the host code is executed, the viral code is executed
as well. Normally, the host program keeps functioning after it is
infected by the virus. However, some viruses overwrite other
programs with copies of themselves, which destroys the host
program altogether. Viruses spread when the software or document
they are attached to is transferred from one computer to another
using the network, a disk, file sharing, or infected e-mail attachments.
Worms
Computer worms are similar to viruses in that they replicate
functional copies of themselves and can cause the same type of
damage. In contrast to viruses, which require the spreading of an
infected host file, worms are standalone software and do not require
a host program or human help to propagate. To spread, worms either
exploit a vulnerability on the target system or use some kind of social
engineering to trick users into executing them. A worm enters a
computer through a vulnerability in the system and takes advantage
of file-transport or information-transport features on the system,
allowing it to travel unaided.
Trojans
A Trojan is another type of malware named after the wooden
horse the Greeks used to infiltrate Troy. It is a harmful piece of
software that looks legitimate. Users are typically tricked into loading
and executing it on their systems. After it is activated, it can achieve
any number of attacks on the host, from irritating the user (popping
up windows or changing desktops) to damaging the host (deleting
files, stealing data, or activating and spreading other malware, such
as viruses). Trojans are also known to create back doors to give
malicious users access to the system.
Unlike viruses and worms, Trojans do not reproduce by
infecting other files nor do they self-replicate. Trojans must spread
through user interaction such as opening an e-mail attachment or
downloading and running a file from the Internet.
Bots
"Bot" is derived from the word "robot" and is an automated
process that interacts with other network services. Bots often
automate tasks and provide information or services that would
otherwise be conducted by a human being. A typical use of bots is to
gather information (such as web crawlers), or interact automatically
with instant messaging (IM), Internet Relay Chat (IRC), or other web
interfaces. They may also be used to interact dynamically with
websites.
Bots can be used for either good or malicious intent. A
malicious bot is self-propagating malware designed to infect a host
and connect back to a central server or servers that act as a
command and control (C&C) center for an entire network of
compromised devices, or "botnet." With a botnet, attackers can
launch broad-based, "remote-control," flood-type attacks against their
target(s). In addition to the worm-like ability to self-propagate, bots
can include the ability to log keystrokes, gather passwords, capture
and analyze packets, gather financial information, launch DoS
attacks, relay spam, and open back doors on the infected host. Bots
have all the advantages of worms, but are generally much more
versatile in their infection vector, and are often modified within hours
of publication of a new exploit. They have been known to exploit back
doors opened by worms and viruses, which allows them to access
networks that have good perimeter control. Bots rarely announce
their presence with high scan rates, which damage network
infrastructure; instead they infect networks in a way that escapes
immediate notice.
Best Practices for Combating Viruses, Worms, Trojans, and Bots
The first steps to protecting your computer are to ensure that
your OS is up to date. This means regularly applying the most recent
patches and fixes recommended by the OS vendor. Secondly, you
should have antivirus software installed on your system and
download updates frequently to ensure that your software has the
latest fixes for new viruses, worms, Trojans, and bots. Additionally,
you want to make sure that your antivirus program can scan e-mail
and files as they are downloaded from the Internet. This will help
prevent malicious programs from reaching your computer. You may
also want to consider installing a firewall.
Additional Definitions and References
Exploit
An exploit is a piece of software, a command, or a methodology
that attacks a particular security vulnerability. Exploits are not always
malicious in intent; they are sometimes used only as a way of
demonstrating that a vulnerability exists. However, they are a
common component of malware.
Back Door
A back door is an undocumented way of accessing a system,
bypassing the normal authentication mechanisms. Some back doors
are placed in the software by the original programmer and others are
placed on systems through a system compromise, such as a virus or
worm. Usually, attackers use back doors for easier and continued
access to a system after it has been compromised.
The Threat to Home Users
Many people underestimate the threat they face when they use
the Internet. The prevalent mindset is "who would bother to attack me
or my computer?" In a sense this is true -- it may be unlikely that an
attacker would individually target you, as to him you are just one
more system on the Internet.
Many script kiddies simply unleash an automated tool that will
scan large ranges of IP addresses looking for vulnerable systems;
when it finds one, this tool will automatically exploit the vulnerability
and take control of the machine.
The script kiddie can later use this vast collection of 'owned'
systems to launch denial of service (DoS) attacks, or just cover his
tracks by hopping from one system to another in order to hide his real
IP address. This technique of proxying attacks through many systems
is quite common, as it makes it very difficult for law enforcement to
back trace the route of the attack, especially if the attacker relays it
through systems in different geographic locations.
It is very feasible -- in fact quite likely -- that your machine will
be in the target range of such a scan, and if you haven't taken
adequate precautions, it will be owned.
The other threat comes from computer worms that have
recently been the subject of a lot of media attention. Essentially a
worm is just an exploit with a propagation mechanism. It works in a
manner similar to how the script kiddie's automated tool works -- it
scans ranges of IP addresses, infects vulnerable machines, and then
uses those to scan further. Thus the rate of infection increases
geometrically as each infected system starts looking for new victims.
In theory a worm could be written with such a refined scanning
algorithm, that it could infect 100% of all vulnerable machines within
ten minutes. This leaves hardly any time for response.
Another threat comes in the form of viruses. Most often these
are propagated by email and use some crude form of social
engineering (such as using the subject line "I love you" or "Re: The
documents you asked for") to trick people into opening them. No form
of network level protection can guard against these attacks.
The effects of the virus may range from mundane (simply spreading to
people in your address book) to devastating (deleting critical system
files). A couple of years ago there was an email virus that emailed
confidential documents from the popular Windows "My Documents"
folder to everyone in the victim's address book.
So while you per se may not be high profile enough to warrant
a systematic attack, you are what I like to call a bystander victim:
someone who got attacked simply because you could be attacked,
and you were there to be attacked.
As broadband and always-on Internet connections become
commonplace, even hackers are targeting the IP ranges where they
know they will find cable modem customers. They do this because
they know they will find unprotected always-on systems here that can
be used as a base for launching other attacks.
The Threat to the Enterprise
Most businesses have conceded that having an Internet
presence is critical to keep up with the competition, and most of them
have realised the need to secure that online presence.
Gone are the days when firewalls were an option and employees
were given unrestricted Internet access. These days most medium
sized corporations implement firewalls, content monitoring and
intrusion detection systems as part of the basic network
infrastructure.
For the enterprise, security is very important -- the threats include:
Corporate espionage by competitors,
Attacks from disgruntled ex-employees
Attacks from outsiders who are looking to obtain private data and
steal the company's crown jewels (be it a database of credit cards,
information on a new product, financial data, source code to
programs, etc.)
Attacks from outsiders who just want to use your company's
resources to store pornography, illegal pirated software, movies and
music, so that others can download and your company ends up
paying the bandwidth bill and in some countries can be held liable for
the copyright violations on movies and music.
As far as securing the enterprise goes, it is not enough to
merely install a firewall or intrusion detection system and assume
that you are covered against all threats. The company must have a
complete security policy, and basic training must be imparted to all
employees telling them things they should and should not do, as well
as who to contact in the event of an incident. Larger companies may
even have an incident response or security team to deal specifically
with these issues.
One has to understand that security in the enterprise is a 24/7
problem. There is a famous saying, "A chain is only as strong as its
weakest link", and the same rule applies to security. After the security
measures are put in place, someone has to take the trouble to read
the logs, occasionally test the security, follow mailing lists of the latest
vulnerabilities to make sure software and hardware are up to date, etc.
In other words, if your organisation is serious about security, there
should be someone who handles security issues. This person is often
a network administrator, but invariably in the chaotic throes of day-to-
day administration (yes, we all dread user support calls! :) the
security of the organisation gets compromised -- for example, an
admin who needs to deliver 10 machines to a new department may
not password protect the administrator account, just because it saves
him some time and lets him meet a deadline. In short, an organisation
is either serious about security issues or does not bother with them at
all.
While the notion of 24/7 security may seem paranoid to some
people, one has to understand that in a lot of cases a company is not
specifically targeted by an attacker. The company's network just
happens to be one that the attacker knows how to break into, and thus
it gets targeted. This is often the case in attacks where company
FTP or web servers have been used to host illegal material. The
attackers don't care what the company does - they just know that this
is a system accessible from the Internet where they can store large
amounts of warez (pirated software), music, movies, or pornography.
This is actually a much larger problem than most people are aware of
because in many cases the attackers are very good at hiding the
illegal data. It's only when the bandwidth bill has to be paid that
someone realises that something is amiss.
Brief Walk-through of an Attack
This is an account of how an attacker in the real world might go
about trying to exploit your system. There is no fixed way to attack a
system, but a large number of attackers will follow a similar methodology,
or at least a similar chain of events.
Remember that attackers will usually choose the simplest way
to get into the network. The path of least resistance principle always
applies.
Reconnaissance & Footprinting
Here the attacker will try to gather as much information about
your company and network as they can without making a noise. They
will first use legitimate channels, such as Google and your company
web page, to find out as much about you as they can. They will look for
the following information:
Technical information is a goldmine: things like a web page to help
your employees log in from home will be priceless information to
them. So also will newsgroup postings by your IT department asking
how to set up particular software, as they now know that you use this
software and perhaps they know of a vulnerability in it.
Personal information about the company and its corporate structure.
They will want information on the heads of IT departments, the CEO
and other people who have a lot of power. They can use this
information to forge email, or social engineer information out of
subordinates.
Information about your partners. This might be useful information for
them if they know you have some sort of network connection to a
supplier or partner. They can then include the supplier's systems in
their attack, and find a way in to your network from there.
General news. This can be useful information to an attacker as well.
If your website says that it is going down for maintenance for some
days because you are changing your web server, it might be a clue
that the new setup will be in its teething stages and the admins may
not have secured it fully yet.
They will also query the whois databases to find out what block
of IP addresses you own. This will give them a general idea of where
to start their network level scans. After this they will start a series of
network probes. The most basic of which will be to determine if you
have a firewall, and what it protects. They will try and identify any
systems you have that are accessible from the Internet.
The most important targets will be the ones that provide public
services. These will be:
Web servers - usually the front door into the network. All
web server software has some bugs in it, and if you're running
home-made CGI scripts such as login pages etc., they might be
vulnerable to techniques such as SQL injection.
Mail servers - Sendmail is very popular and most versions
have at least one serious vulnerability in them. Many IT heads
don't like to take down the mail server for maintenance as doing
without it is very frustrating for the rest of the company
(especially when the CEO doesn't get his mail).
DNS servers - Many implementations of BIND are vulnerable to
serious attacks. The DNS server can be used as a base for other
attacks, such as redirecting users to other websites etc.
Network infrastructure - Routers and switches may not have
been properly secured and may have default passwords or a web
administration interface running. Once controlled, they can be used
for anything from a simple Denial of Service attack by messing up
their configurations, to channeling all your data through the
attacker's machine to a sniffer.
Database servers - Many database servers have the default sa
account password blank and other common misconfigurations.
These are very high profile targets as the criminal might be looking
to steal anything from your customer list to credit card numbers.
As a rule, a database server should never be Internet facing.
The more naive of the lot (or the ones who know that security
logs are never looked at) may run a commercial vulnerability scanner
such as Nessus or Retina over the network. This will ease their work.
Exploitation Phase
After determining which are valid targets and figuring out what
OS and version of software they are using (for example, which version of
Apache or IIS the web server is running), the attacker can look for an
exploit targeting that particular version. For example, if they find you
are running an out-of-date version of Sendmail, they will look for an
exploit targeting that version or below.
They will first look in their collection of exploits because they
have tested these. If they cannot find one, they will look to public
repositories such as http://www.packetstormsecurity.nl. They will
probably try to choose common exploits as these are more likely to
work and they can probably test them in their own lab.
From here they have already won half the game, as they are
behind the firewall and can probably see a lot more of the internal
network than you ever intended them to see. Many networks tend to
be very hard to penetrate from the outside, but are woefully
unprotected internally. This hard exterior with a mushy interior is a
recipe for trouble -- an attacker who penetrates the first line of
defense will have the full run of your network.
After getting in, they will also probably install backdoors on this
first compromised system to provide them with many ways in, in case
their original hole gets shut down. This is why, when you identify a
machine that was broken into, it should be rebuilt from scratch,
as there is no way of knowing what kind of backdoors might be
installed. It could be tricky to find a program that runs itself from
2:00AM to 4:00AM every night and tries to connect to the attacker's
machine. Once they have successfully guaranteed their access, the
harder part of the intrusion is usually over.
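The nightly call-home just described is exactly the kind of thing the log reading mentioned earlier (in the 24/7 security discussion) is meant to catch: one late-night connection is noise, but the same host reaching the same external address in the same window night after night is a pattern. The script below is an added example, not part of this paper; the firewall log format and every sample record in it are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: outbound connection records as a border firewall
# might log them. Fields: date, time, source host, destination, port.
SAMPLE_LOG = """\
2019-07-20 02:15:03 src=10.0.5.12 dst=203.0.113.9 dport=4444
2019-07-20 09:30:11 src=10.0.5.12 dst=198.51.100.4 dport=443
2019-07-21 02:14:58 src=10.0.5.12 dst=203.0.113.9 dport=4444
2019-07-21 14:02:40 src=10.0.7.3 dst=198.51.100.4 dport=443
2019-07-22 02:15:10 src=10.0.5.12 dst=203.0.113.9 dport=4444
2019-07-22 03:40:00 src=10.0.7.3 dst=198.51.100.4 dport=443
2019-07-23 02:15:01 src=10.0.5.12 dst=203.0.113.9 dport=4444
"""


def _value(kv):
    """'key=value' -> 'value' (format is an assumption of this example)."""
    return kv.split("=", 1)[1]


def parse_line(line):
    """Return (datetime, src, dst, dport) for one constructed record."""
    date, time, src, dst, dport = line.split()
    when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return when, _value(src), _value(dst), int(_value(dport))


def find_night_beacons(log_text, start_hour=2, end_hour=4, min_nights=3):
    """Return [(src, dst, dport, nights)] for flows seen inside the
    [start_hour, end_hour) window on at least min_nights distinct dates.
    Repetition across nights, not a single connection, is the signal."""
    nights = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, dst, dport = parse_line(line)
        if start_hour <= when.hour < end_hour:
            nights[(src, dst, dport)].add(when.date())
    return sorted((src, dst, dport, len(days))
                  for (src, dst, dport), days in nights.items()
                  if len(days) >= min_nights)


if __name__ == "__main__":
    for src, dst, dport, n in find_night_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport} on {n} nights; rebuild this host")
```

On the sample, only the 10.0.5.12 to 203.0.113.9:4444 flow recurs every night in the window, while the single 03:40 connection from 10.0.7.3 stays below the threshold.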
Conclusion
The security issues in our networked systems as described in
this paper identify some of the work that needs to be done, and the
urgency with which concerns need to be addressed. Dependence on
some of the IT-based infrastructures in several countries is such that
serious national consequences could result from the exploitation of
their vulnerabilities. And as the density of networks increases, the
necessity for transnational participation in improving network security
increases. The changing technologies and the potential for changing
threats are taxing our understanding of the threats and how to deal with
them. Due to the complexity and entanglement among networks and
communities internationally, any increase in network security must
involve the concerted efforts of as many nations as possible.
We have to understand that a great deal can be accomplished
through such mechanisms, but not without taking note of their earlier
trouble spots. We must learn from prior unexpected consequences in
international cooperation, just as in the battle to secure networked
systems, and be ever more cautious as we move forward toward
some type of international action. But move forward quickly we must
if the benefits from the use of our networked systems are to be
realized in the myriad ways that they have been and are hoped for
in the future. Nations must cooperate fully within their capability in
order to contain the actions of those who threaten our networks, and
to realize the positive vision that we have for our societies.