
Chapter 4 Intruder


Document information

Basic information

Format
Pages: 44
Size: 2.2 MB

Contents

A significant security problem for networked systems is:
  o hostile,
  o or at least unwanted, trespass by users or software.
User trespass (intrusion) can take the form of:
  o unauthorized logon to a machine, or
  o an authorized user gaining privileges, or
  o performance of actions beyond those that have been authorized.
Software trespass can take the form of a:
  o virus,
  o worm, or
  o Trojan horse

Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE, 25/05/2017

Intruder
- Hacker: phases
- Attacks: DDOS, Dictionary attack, TCP Attack, Packet Sniff, Social attack
- Malicious Software: Virus, Worm, Trojan…

The two most publicized threats to security
- the intruder: often referred to as a hacker or cracker
- (the other is viruses)

Classes of intruders
- Masquerader: a person who penetrates a system's access controls to exploit a legitimate user's account -> outsider
- Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges -> insider
- Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls -> outsider or insider
- Other classification: benign vs serious

Benign vs serious intruders
- Benign intruders might be tolerable, although they consume resources and may slow performance for legitimate users
- However, there is no way to know in advance whether an intruder will be benign or harmful
- IDSs and IPSs are designed to counter this type of hacker threat
- One of the results of the growing awareness of the intruder problem has been the establishment of a number of Computer Emergency Response Teams (CERTs)
  o collect / disseminate vulnerability info / responses

Hacker types
- White Hat: finding vulnerabilities in a computer system for the purpose of "patching" the holes
- Black Hat: penetrates a system with the original intention of destroying network systems or enriching themselves
- Gray Hat: illegal entry but not harmful

Hacker: phases
- Footprinting/Reconnaissance
- Scanning and Enumeration
- Gaining access
- Maintaining access
- Covering tracks

Footprinting/Reconnaissance
- Physical Break-In
- Dumpster Diving
- Google, Newsgroups, Web sites
- Social Engineering
  o Phishing: fake email
  o Pharming: fake web pages
- WhoIs Database & arin.net
- Domain Name Server Interrogations

Scanning and Enumeration
- The second stage would be to learn the network and computer configurations
- War Driving: Can I find a wireless network?
- War Dialing: Can I find a modem to connect to?
- Network Mapping: What IP addresses exist, and what ports are open on them?
- Vulnerability-Scanning Tools: What versions of software are implemented on devices?

Attacks
- Passive attacks: Sniffing, Traffic Analysis, Footprinting
- Active attacks
  o Network Attacks: Sniffing (Eavesdropping), IP Address Spoofing, Session Hijacking
  o System Attacks: Buffer Overflow, Password Cracking, SQL Injection, Web Protocol Abuse, Denial of Service, Trap Door, Virus, Worm, Trojan horse
(figure: a sniffed login, "Login: Ginger / Password: Snap")

Malicious software
- Backdoor: control of the system: system commands, log keystrokes, passwords
- Trojan Horse: a useful utility that actually creates a backdoor
- User-Level Rootkit: replaces system executables, e.g. login, ls, du
- Kernel-Level Rootkit: replaces OS kernel control to hide, e.g. a process or file
- Bots: a slave that forwards/performs commands; spreads, lists email addresses, DOS attacks
- Spyware/Adware
  o Spyware: collects info: keystroke logger, collects credit card #s
  o Adware: inserts ads, filters search results

Attacks (outline)
- Crack password
  o Dictionary attack
  o Brute Force Attack
  o Hybrid Attack
  o Syllable Attack
  o Rule-Based Attack
- Denial of Service
  o Spoofing: SYN, source address
  o Flooding: SYN TCP, UDP, ICMP
  o Distributed DOS attacks
  o Reflection, Amplification: DNS, SMURF
  o Buffer overflow
- TCP Attack
- Packet Sniff, Session Hijacking
- Social attack
- Google Bomb

Crack password
- The process of guessing or recovering a password from stored locations or from a data transmission system
- Techniques:
  o Dictionary attack
  o Brute Force Attack
  o Hybrid Attack
  o Syllable Attack
  o Rule-Based Attack
- Tools:
  o Cain and Abel, Crunch in Kali Linux
  o OphCrack, …

Dictionary attack
- A technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying millions of possibilities, such as words in a dictionary
- We can run a dictionary attack on the passwords
  o The passwords in /etc/passwd are encrypted with the crypt() function (one-way hash)
  o Can take a dictionary of words, crypt() them all, and compare with the hashed passwords
- This is why your passwords should be meaningless random junk!
  o For example, "sdfo839f" is a good password
(source: 15-441 Networks Fall 2002)

Denial of Service (fragments)
- machines respond back to the victim, overloading it
- a ping packet > 64 KB; although not much of a significant threat today...
- Reflection; Amplification: DNS; SMURF; Teardrop; Ping of Death; Mini Case Study: Code-Red
- use fake source addresses; generate large... e-mails
- Back-end Resources: items that support a public-facing resource such as a web page, customer database or server farm; essentially render all front-end
(source: 15-441 Networks Fall 2002)

How we prevent this?
- IPSec
  o Provides source authentication, so Mr Big Ears cannot pretend to be Alice
  o Encrypts data before transport, so Mr Big Ears cannot talk to Bob without knowing what the session key is

Session Hijacking
- Session hijacking is synonymous with a stolen session, in which an attacker intercepts and takes over a legitimately established session between a user and a host
- Spoofing and hijacking are two distinctly different acts
  o Spoofing:
    • when an attacking party pretends to be something or someone else, such as a user or computer
    • the attacker does not take over any session
  o Hijacking:
    • the attacker takes over an existing active session
    • in this process, the attacker waits for an authorized party to establish a connection to a resource or service and then takes over the session
- Steps:
  o Step 1: Sniffing. You must be able to sniff the traffic on the network between the two points that have the session you wish to take over
  o Step 2: Monitoring. Your goal is to observe the flow of traffic between the two points with an eye toward predicting the sequence numbers of the packets
  o Step 3: Session Desynchronization. Breaking the session between the two parties
  o Step 4: Session ID Prediction. You predict the session ID itself (more on that later) to take over the session
  o Step 5: Command Injection. You are free to start injecting commands into the session targeting the remaining party (most likely a server or other valuable resource)
- Active attack: a session hijacking attack is considered active when the attacker assumes the session as their own, …
- Passive attack: focuses on monitoring the traffic between the victim and the server; it uses a sniffer utility to capture and monitor the traffic as it goes across the wire
- Handful of attacks:
  o session sniffing: a variation of sniffing
  o predicting session tokens: the most effective way is to gather a few session IDs
  o man-in-the-middle: discussed later
  o man-in-the-browser: cross-site scripting, Trojans, and JavaScript

Packet Sniff
- Sniffing involves capturing, decoding, inspecting and interpreting the information inside a network packet on a TCP/IP network (figure: Host A, Router A, Router B, Host B)
- The purpose is to steal information: user IDs, passwords, network details, credit card numbers, etc.
- Sniffing is generally referred to as a "passive" type of attack
- Sniffing can range from Layer through Layer
- Network sniffing uses sniffer software, either open source or commercial
- Broadly, there are three ways to sniff a network
- Sniffing tools: tcpdump, sniffit, Ethereal, Cain and Abel, hunt, dsniff, ip spoofing

Three ways to sniff
- IP-based: putting the network card into promiscuous mode and sniffing all packets matching the IP address filter
- MAC-based: putting the network card into promiscuous mode and sniffing all packets matching the MAC address filter
- ARP-based: poison the ARP caches of the two hosts that you want to sniff -> the two hosts start their connection and it gets sent to us; sniffing can be done on a switched network

Sniffing on a switch
- The key to enabling sniffing on a switch is to turn it into a device that does allow sniffing
- Switch:
  o keeps traffic separate to each switch port (collision domain)
  o keeps track of MAC addresses received by writing them to a content addressable memory (CAM) table
- If a switch is flooded with MAC addresses, it may easily overwhelm the switch's ability to write to its own CAM table

ARP poisoning
- Attempts to contaminate a network with incorrect gateway or host mappings (because ARP broadcasts are free)
- Some tools you can use to ARP-poison a host are: Ethereal, Cain and Abel
- Enabling the IP DHCP Snooping feature on Cisco switches prevents ARP poisoning

MAC spoofing
- The attacker (or tester) changes their MAC address to another (existing) MAC address
- Port security:
  o allows only a specific number of MAC addresses to attach to each switch port (usually one or two)
  o if this number is exceeded, the port will usually shut down, depending on the configuration applied
- MAC spoofing isn't necessarily a technique used to allow network-wide sniffing, but it does work to allow an unauthorized client onto the network without too much administrative hacking effort

How can we protect ourselves?
- SSH, not Telnet
  o Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!)
  o Now that I have told you this, please do not exploit this information
  o Packet sniffing is, by the way, prohibited by Computing Services
- HTTP over SSL
  o Especially when making purchases with credit cards!
- SFTP, not FTP
  o Unless you really don't care about the password or data
  o Can also use KerbFTP (download from MyAndrew)
- IPSec
  o Provides network-layer confidentiality
(source: 15-441 Networks Fall 2002)

Detecting sniffing
- Look for systems running network cards in promiscuous mode: under normal circumstances there is little reason for a network card to be in promiscuous mode, and as such all cards running in this mode should be investigated
- Run an NIDS to detect telltale signs of sniffing and track it down
- Tools such as HP's Performance Insight can provide a way to view the network and identify strange traffic

Sniffing tools
- Wireshark, TCPdump, Windump, Omnipeek
- Dsniff: a suite of tools designed to perform sniffing with different protocols with the intent of intercepting and revealing passwords. Dsniff is designed for Unix and Linux platforms and does not have a complete equivalent on the Windows platform
- EtherApe: a Linux/Unix tool designed to graphically display a system's incoming and outgoing connections
- MSN Sniffer: a sniffing utility specifically designed for sniffing traffic generated by the …
- NetWitness NextGen: includes a hardware-based sniffer, along with other features, designed to monitor and analyze all traffic on a network; a popular tool in use by the FBI and other law enforcement agencies

Social attack
- People can be just as dangerous as unprotected computer systems
  o People can be lied to, manipulated, bribed, threatened, harmed, tortured, etc. to give up valuable information
  o Most humans will break down once they are at the "harmed" stage, unless they have been specially trained
- Fun Example 1:
  o "Hi, I'm your AT&T rep, I'm stuck on a pole, I need you to punch a bunch of buttons for me"
- The best that can be done is to implement a wide variety of solutions and more closely monitor who has access to what network resources and information
  o But this solution is still not perfect
(source: 15-441 Networks Fall 2002)

Google Bomb
- Manipulation of search results on Google: a site is ranked high in the search results for a keyword even though its page content is not related to that keyword
- To do this, the hacker mobilizes large numbers of backlinks pointing to the target website through that keyword
- For example, in 2004, users of Google entering the words "miserable failure" got links to former US President George Bush

Buffer overflow
- A DoS technique: an attempt to place much more data inside a buffer than it can hold, or when software attempts to place data in a memory area past a buffer
- Could be activated by inputs that are designed to execute program code, or modify how the software works
- Results from input that is longer than the implementor intended

References
- http://www.robertgraham.com/pubs/network-intrusiondetection.html
- http://online.securityfocus.com/infocus/1527
- http://www.snort.org/
- http://www.cert.org/
- http://www.nmap.org/
- http://grc.com/dos/grcdos.htm
- http://lcamtuf.coredump.cx/newtcp/
(source: 15-441 Networks Fall 2002)
- Cryptography and Network Security, Principles and Practice, William Stallings, Prentice Hall, Sixth Edition, 2013
- CEHv8: Certified Ethical Hacker Version Study Guide, 2014, Chapters 8-12

Exercises
- See the CEH v8 exercises:
  o Hping
  o Using Netstat to Detect Open Ports (8.2)
  o Using TCPView to Track Port Usage
  o …
- Group experience:
  o Demo at least attacks…
  o Demo at least malicious software, …
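The ARP-based sniffing and the detection advice above (investigate cards in promiscuous mode, watch for signs of sniffing) can be turned into two small host-side checks. This is an added example, not the lecture's own material; the trusted bindings, the ARP reply records and the `ip -o link` output are all constructed sample data.

```python
from collections import defaultdict

# Constructed trusted IP-to-MAC bindings (e.g. a DHCP snooping table or an inventory).
TRUSTED_BINDINGS = {
    "192.168.1.1": "00:11:22:33:44:01",   # gateway (constructed)
    "192.168.1.10": "00:11:22:33:44:10",  # host A (constructed)
}

# Constructed ARP reply records: (time, sender IP, sender MAC, target IP).
# The two 10:00:05 replies show one unknown MAC claiming both the gateway and
# host A, the pattern that poisoning both caches of one connection produces.
ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "00:11:22:33:44:01", "192.168.1.10"),
    ("10:00:02", "192.168.1.10", "00:11:22:33:44:10", "192.168.1.1"),
    ("10:00:05", "192.168.1.1", "aa:bb:cc:dd:ee:ff", "192.168.1.10"),
    ("10:00:05", "192.168.1.10", "aa:bb:cc:dd:ee:ff", "192.168.1.1"),
]

def detect_arp_poisoning(replies, trusted):
    """Alerts for replies that contradict a trusted binding, and for a single
    MAC that claims more than one IP (one attacker card speaking for two hosts)."""
    alerts = []
    ips_per_mac = defaultdict(set)
    for ts, ip, mac, target in replies:
        ips_per_mac[mac].add(ip)
        expected = trusted.get(ip)
        if expected is not None and expected != mac:
            alerts.append(f"{ts} binding conflict: {ip} is {expected}, "
                          f"reply to {target} claims {mac}")
        if len(ips_per_mac[mac]) > 1:
            alerts.append(f"{ts} one MAC {mac} claims {sorted(ips_per_mac[mac])}")
    return alerts

# Constructed `ip -o link` output; PROMISC in the <...> flag list marks a
# card in promiscuous mode, which the slides say should be investigated.
IP_LINK_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""

def promiscuous_interfaces(ip_link_output):
    """Names of the interfaces whose flag list contains PROMISC."""
    found = []
    for line in ip_link_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and "PROMISC" in parts[2].strip("<>").split(","):
            found.append(parts[1].rstrip(":"))
    return found
```

On a real host, feed `promiscuous_interfaces` the output of `ip -o link` and `detect_arp_poisoning` the ARP replies from a capture; a port-security or DHCP snooping binding table is the natural source for the trusted map.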

Posted: 26/10/2018, 16:40
