Hackers and Scanners Antti Palokangas

Hackers & scanners
• Most scanners are easy to use and widely distributed
• It is no longer a question of if, but when, you will be probed
• You may believe that if no one knows about your systems, you are secure. Others believe that their systems are of no value, so why would anyone probe them? But such unprotected systems are easy to exploit, for example as launch points for DDoS attacks
What is a "script kiddie"?
• Script kiddies can be advanced users or just kids who have found a nice tool and a list of bugs on the Internet
• Script kiddies look for an easy kill
• They do this by focusing on a small number of exploits, and then searching the entire Internet at random for systems vulnerable to them
• Scanners are the key tools for finding exploitable systems
Example of script kiddie using scanners
• Step 1: Script kiddie finds a bug nobody else knows about, or uses a common exploit from e.g. www.cert.org or bugtraq (archived at www.securityfocus.com), hoping that the administrator of a system hasn't fixed the bug
• Step 2: Uses tools (e.g. z0ne) to scan random networks for IP addresses. The tool builds an IP database which can also be used later (databases may contain over 2 million addresses)
• Step 3: Scans the collected IP addresses for information: e.g. operating system type, running services, system architecture (x86, Alpha, Sparc)
• Step 4: Breaks into the exploitable systems where the bug hasn't been fixed
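Step 3 above in working code, as an added example written for this page (it is not the z0ne tool or any other scanner named here): a TCP connect scan with banner grabbing, run against constructed listeners on 127.0.0.1 so that it works offline. The port list, the banner strings and the service-guessing heuristics are assumptions for illustration.

```python
"""Added example: a minimal TCP connect scanner with banner grabbing.

Illustrative code written for this page, not any scanner named on it.
It models step 3 of the procedure: connect() to each port, record which
ports accept, and read whatever greeting the service sends, which is often
enough to tag the host with a software name and version for a later exploit.
The listeners it scans are constructed locally, so no network is needed.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def connect_scan(host, ports, timeout=0.5, workers=32):
    """Return {port: banner} for every port that accepted a full TCP connection.

    A connect() scan completes the three-way handshake, so the service on the
    other side sees the connection and may log it (contrast a half-open scan).
    """
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:
                return port, None            # refused, filtered or timed out
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except (socket.timeout, OSError):
                banner = ""                  # open but silent (e.g. HTTP waits for us)
            return port, banner

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, ports))
    return {port: banner for port, banner in results if banner is not None}


def guess_service(banner):
    """Crude fingerprint from the greeting text (assumed heuristics only)."""
    b = banner.upper()
    if b.startswith("SSH-"):
        return "ssh"
    if b.startswith("220 ") and "FTP" in b:
        return "ftp"
    if b.startswith("220 ") and ("SMTP" in b or "ESMTP" in b):
        return "smtp"
    return "unknown"


# ---- constructed local targets so the scan can be demonstrated offline ----
def start_fake_service(banner):
    """Listen on 127.0.0.1 on an OS-chosen port, send `banner` to every client
    that connects, and return the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """Pick a port that is almost certainly closed: bind, note it, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan two constructed services and one closed port; return the findings."""
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_3.4p1\r\n")        # constructed banner
    ftp_port = start_fake_service(b"220 wu-ftpd FTP server ready.\r\n")  # constructed banner
    closed = free_port()
    found = connect_scan("127.0.0.1", [ssh_port, ftp_port, closed])
    return {
        "open": {p: (banner, guess_service(banner)) for p, banner in found.items()},
        "closed_probe": closed,
    }


if __name__ == "__main__":
    report = demo()
    for port, (banner, svc) in sorted(report["open"].items()):
        print(f"{port:5d}/tcp open  {svc:8s} {banner}")
```

The banner is the cheap part of the fingerprint; a real scanner adds TCP/IP stack quirks (initial TTL, window size, option ordering) to guess the operating system even when no service talks first.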
Usefulness of a scanner for a hacker
• It is important to fix bugs immediately to prevent the above-mentioned attacks, and to run only the services that are needed
• The way bug fixes are distributed now means that a hacker who tries to take advantage of a known bug before it is fixed has only a small time margin: from the unpredictable time when the bug is found to the uncertain time when it is fixed
• This type of attack may not be suitable for a hacker who wants to break into a specific, well-administered system. But there is always some system somewhere that hasn't been updated
• We may say that finding holes with a publicly known vulnerability scanner is probably most useful if the goal of the hacker is
- just to break in somewhere
- terrorist action or vandalism
- to commit a computer crime anywhere
• If the target is a specific system which is known to have high security, the hacker should:
– find new holes, not the ones on the bulletin boards,
– or plant holes using viruses or other distribution methods
• A scanner can still be useful, but it should not be easy to detect. Therefore it may not be necessary for the attacker to gather all the information he could: he may have only a few new holes that can be used, so he needs only the information relevant to those
Reverse engineering security patches
• Currently, security patches in software releases are reverse engineered, their security implications are worked out, and similar holes are then looked for in other pieces of software
• This is relatively slow work (though not very slow: reverse engineering a security patch may be done in a day), but it will find new holes
• Being too certain of security after having scanned a system without finding any vulnerabilities is quite wrong. A security scanner can be compared to an anti-virus program: it only checks for known holes and must be updated to remain useful
Detecting scanning
• It may be possible to monitor the network for odd behavior and detect scanning
• One way is to find scanning patterns in our log files after a scan has occurred (manually, or automatically by Intrusion Detection Systems)
Detecting a scanner
• There are programs which detect a scanner: Courtney, Gabriel, scan_detector, TCP Wrapper, scanlogd, Argus
• Some of them use a sniffer, like tcpdump, and look for a rapid sequence of short connection attempts to TCP and UDP ports. Some use proxies and keep logs
• No rise in the number of observed attacks made with SATAN or other scanners has been seen
• We may assume this is because real attackers modify the scanners so that the scanning goes undetected. It is for instance possible to slow the scan down below the rate that causes a scanner detector to alarm
• There are also stealth scanners which leave fewer traces of the scan. Jakal and Nmap are stealth scanners using half-open scanning (send the SYN, receive the SYN/ACK, but never complete the three-way handshake with the final ACK)
• "Half-open scanning" won't fool e.g. PortSentry, tcplogd or Intrusion Detection Systems (IDS), but it does prevent applications from logging suspiciously closed connections, because a connection that is never completed is never handed to the application
Detecting scanning
• Courtney detects if the system has been scanned by SATAN or any other similar port scanner, and notifies the administrator. Courtney is a short Perl script which uses the tcpdump sniffer
• tcpdump is a sniffer which puts a LAN interface into promiscuous mode so that all IP packets on the segment can be read by the sniffer. tcpdump is also one of the more popular programs for traffic measurement. The Courtney program recognises port scanning from a rapid sequence of connection attempts to many UDP and TCP ports
• Gabriel is similar to Courtney, but it is a binary compiled from C and does not use tcpdump. It only runs on Sun
• Neither of these is very useful nowadays
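As an added example (not Courtney, Gabriel or any other tool named above), the following simulation shows the three points from the detection slides in one place: a sniffer-level rule that alarms on a rapid burst of SYNs to many ports, an application-level log that sees only completed handshakes (and therefore nothing from a half-open scan), and a scan slowed below the detector's rate threshold so that it goes unnoticed. The packets are constructed dicts; the source addresses, the 2-second window and the 10-port threshold are assumed values.

```python
"""Added example: what a sniffer-based scan detector sees versus what an
application log sees, and how a slow scan evades a rate threshold.

Written for this page; not the code of Courtney, Gabriel or any other tool.
Packets are constructed dicts: t (seconds), src, dport, flags (S/A/R).
Only the scanner's own packets are modelled; the target's SYN/ACKs are
implied and not needed by either detector below.
"""
from collections import defaultdict, deque


def scan_packets(src, ports, gap, half_open):
    """Client-side packets of a scan from `src`, one port every `gap` seconds.

    A full connect scan sends SYN, then ACK (handshake complete), then RST
    to tear down. A half-open (SYN) scan answers the SYN/ACK with RST at
    once, so the handshake is never completed.
    """
    pkts = []
    for i, port in enumerate(ports):
        t = i * gap
        pkts.append({"t": t, "src": src, "dport": port, "flags": "S"})
        if not half_open:
            pkts.append({"t": t + 0.001, "src": src, "dport": port, "flags": "A"})
        pkts.append({"t": t + 0.002, "src": src, "dport": port, "flags": "R"})
    return pkts


def application_log(pkts):
    """What a daemon (or inetd / a TCP wrapper) can log: connections whose
    three-way handshake completed, i.e. a SYN later followed by an ACK from
    the same source to the same port. A half-open scan leaves this empty."""
    pending, established = set(), []
    for pk in sorted(pkts, key=lambda x: x["t"]):
        key = (pk["src"], pk["dport"])
        if pk["flags"] == "S":
            pending.add(key)
        elif pk["flags"] == "A" and key in pending:
            pending.discard(key)
            established.append(key)
        elif pk["flags"] == "R":
            pending.discard(key)
    return established


def sniffer_detector(pkts, window=2.0, threshold=10):
    """Courtney-style rule over raw packets: alarm on a source that sends
    SYNs to at least `threshold` distinct ports within any `window` seconds.
    Sees half-open scans too, because the SYN itself is on the wire.
    Returns {src: time of first alarm}. Window and threshold are assumed."""
    recent = defaultdict(deque)      # src -> deque of (t, dport) for SYNs in window
    alarms = {}
    for pk in sorted(pkts, key=lambda x: x["t"]):
        if pk["flags"] != "S":
            continue
        q = recent[pk["src"]]
        q.append((pk["t"], pk["dport"]))
        while q and pk["t"] - q[0][0] > window:
            q.popleft()
        if pk["src"] not in alarms and len({d for _, d in q}) >= threshold:
            alarms[pk["src"]] = pk["t"]
    return alarms


def demo():
    """Three constructed scanners against 40 ports: fast connect scan, fast
    half-open scan, and a half-open scan slowed to 4 SYN/s (at most 9 ports
    in any 2-second window, one short of the threshold)."""
    ports = range(1, 41)
    traffic = (scan_packets("10.0.0.1", ports, gap=0.05, half_open=False)
               + scan_packets("10.0.0.2", ports, gap=0.05, half_open=True)
               + scan_packets("10.0.0.3", ports, gap=0.25, half_open=True))
    return {
        "app_log": application_log(traffic),                  # only 10.0.0.1 appears
        "alarms": sniffer_detector(traffic, window=2.0, threshold=10),  # 10.0.0.1 and 10.0.0.2
    }


if __name__ == "__main__":
    r = demo()
    print("application log sources:", sorted({s for s, _ in r["app_log"]}))
    print("sniffer alarms:", r["alarms"])
```

The slow scanner takes ten seconds instead of two to cover the same 40 ports and is never reported; a detector that keys on distinct ports per source over a longer horizon, or on the SYN/RST pattern itself, would catch it at the cost of more state per source.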
Other ways to improve security
• Scanning a system and finding no bad holes (most systems cannot protect against DoS attacks, so that vulnerability is always there) may give a false feeling of security. There are bugs even though they are not found
• What one can do is replace the services with simpler ones which hopefully have far fewer bugs, or none at all (if they are very simple, this is possible)
• Usually services are not replaceable; they can only be patched and updated
• TCP ports need not have the real daemon listening on them (having the inetd daemon start the service on demand is another common arrangement). One can also put an access-control proxy in front of a service using the TCP Wrappers developed by Wietse Venema
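An added example of the access decision that TCP Wrappers make before handing a connection to the real daemon, written for this page rather than taken from Wietse Venema's tcp_wrappers source: a small evaluator for constructed /etc/hosts.allow and /etc/hosts.deny files following the hosts_access(5) rules (first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise access is granted). The daemon names, addresses and hostnames are constructed, and the shell-command field of a rule is parsed but not executed.

```python
"""Added example: a model of the tcpd hosts.allow / hosts.deny decision.

Written for this page; not the tcp_wrappers source. Rule files are
constructed inline. Supported client patterns: ALL, LOCAL, net/mask,
net/prefixlen, '.domain' suffix, 'a.b.' address prefix, exact names, and
'list_1 EXCEPT list_2'. The optional shell-command field is kept but never
run here.
"""
import ipaddress

HOSTS_ALLOW = """
# constructed /etc/hosts.allow
sshd, in.ftpd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.250
in.telnetd    : LOCAL, .corp.example
ALL           : 127.0.0.1
"""

HOSTS_DENY = """
# constructed /etc/hosts.deny: refuse everything else and log the attempt
ALL : ALL : (/usr/bin/logger -p auth.notice "tcpd refused %d from %h") &
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines into tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((parts[0], parts[1], parts[2] if len(parts) > 2 else ""))
    return rules


def _match_one(pattern, value, is_client):
    """Match one hosts_access(5) pattern against a daemon or client name."""
    if pattern == "ALL":
        return True
    if not is_client:
        return pattern == value                    # daemon field: process name only
    if pattern == "LOCAL":                         # hostname without a dot
        return "." not in value
    if "/" in pattern:                             # net/mask or net/prefixlen
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:                         # value is a hostname, not an address
            return False
    if pattern.startswith("."):                    # '.corp.example' = hostname suffix
        return value.endswith(pattern)
    if pattern.endswith("."):                      # '192.168.' = address prefix
        return value.startswith(pattern)
    return pattern == value


def _match_list(list_text, value, is_client):
    """Comma/space separated list, with 'list_1 EXCEPT list_2' handled
    right-associatively as in hosts_access(5)."""
    tokens = list_text.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_match_list(" ".join(tokens[:i]), value, is_client)
                and not _match_list(" ".join(tokens[i + 1:]), value, is_client))
    return any(_match_one(tok, value, is_client) for tok in tokens)


def hosts_access(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (granted, reason) for a (daemon, client) pair."""
    for d_list, c_list, _cmd in parse_rules(allow_text):
        if _match_list(d_list, daemon, False) and _match_list(c_list, client, True):
            return True, f"hosts.allow: {d_list} : {c_list}"
    for d_list, c_list, _cmd in parse_rules(deny_text):
        if _match_list(d_list, daemon, False) and _match_list(c_list, client, True):
            return False, f"hosts.deny: {d_list} : {c_list}"
    return True, "no matching rule (tcpd default is to allow)"


def demo():
    """Constructed (daemon, client) pairs and the decision for each."""
    pairs = [("sshd", "192.168.1.10"), ("sshd", "192.168.1.250"),
             ("sshd", "10.0.0.5"), ("in.telnetd", "ws17"),
             ("in.telnetd", "ws17.corp.example"), ("in.fingerd", "127.0.0.1"),
             ("in.fingerd", "ws17")]
    return {pair: hosts_access(*pair) for pair in pairs}


if __name__ == "__main__":
    for (daemon, client), (ok, why) in demo().items():
        print(f"{daemon:11s} from {client:20s} -> {'allow' if ok else 'deny ':5s} ({why})")
```

Note the default at the end: with an empty hosts.deny, anything not matched in hosts.allow gets through, which is why the usual hardening is the ALL : ALL line in hosts.deny so that only explicitly listed pairs are served.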
• SOCKS is a proxy technique which is used to build circuit-level firewalls. Socksifying all ports is one way to stop an intruder from using them
• There are tools (IP Personality, Fingerprint fucker, Stealth patch, IPlog) to fake your operating system's network fingerprint so that Nmap is fooled and guesses wrong
• Exploits are often OS-specific, so faking the fingerprint makes hacking more difficult
• The defender can also set out traps to see whether the attacker tries them
• These traps are called honeypots
• Honeypots should be implemented so that the attacker can't do anything harmful, while the honeypot administrator gains valuable information on the attacker's methods
• More on honeypots: http://project.honeynet.org/
How to test your own vulnerabilities?
• If you have only one computer, you could use an Internet service to scan for your vulnerabilities. Several sites do it for free, usually after registering
• How much do you trust this kind of service?