Seed Teacher Overseas Training Course
Intrusion Detection System and Tool Kits
Bo Cheng (鄭伯炤)
Email: bcheng@ccu.edu.tw
Tel: 05-272-0411 Ext. 33512
Information Networking Security and Assurance Lab, National Chung Cheng University

Agenda (03/03)
Time            Topics
8:00 - 9:20     Welcome
9:20 - 10:30    IDS Introduction
10:30 - 10:50   Coffee Break
10:50 - 12:00   Hacking (I)
12:00 - 13:00   Lunch Break
13:00 - 13:30   Nmap
13:30 - 14:00   A Real World Attack: Wu-ftp attack
14:00 - 15:00   Nessus
15:00 - 15:20   Coffee Break
15:20 - 16:40   IDS FAQ
16:40 - 17:10   Tripwire
17:10 - 17:30   tcpdump, tcpreplay and Swatch

Agenda (03/04)
Time            Topics
9:00 - 10:30    Hacking (II)
10:30 - 10:50   Coffee Break
10:50 - 11:20   Auditing Windows
11:20 - 12:00   SARA
12:00 - 13:00   Lunch Break
13:00 - 14:00   Snort
14:00 - 14:30   PortSentry
14:30 - 15:00   DumpSec
15:00 - 15:20   Coffee Break
15:20 - 16:20   IDS Evasion
16:20 - 16:50   Fragrouter
16:50 - 17:30   Nikto

Agenda (03/05)
Time            Topics
9:00 - 10:30    Detection Engine
10:30 - 10:50   Coffee Break
10:50 - 12:00   The Future of IDS and IPS

The Introduction of Intrusion Detection Systems

Outline
• Introduction
• The types of IDS
• Tools that complement IDS
• Deploying IDS
• A brief history of IDS
• The players in the IDS market
• Summary
• Reference

Introduction
• What is intrusion? Information security rests on the CIA triad: Confidentiality, Integrity, Availability.
• What is intrusion detection?
  Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of security problems.

Types of IDS (by information source)
• Host (HID): operates on information (e.g., logs or OS system calls) collected from within an individual computer system.
• Application-Integrated (AIID): uses a module coupled with the application to extract the desired information and monitor transactions.
• Application (AID): operates on application transaction logs, e.g., Entercept Web Server Edition.
• Network (NID): captures and analyzes all network packets.
• Network-Node (NNID): monitors packets to/from a specific node.
Source: http://www.networkintrusion.co.uk/ids.htm

The Detection Results
• True Positive: a real attack that the IDS reports.
• True Negative: benign traffic that the IDS correctly ignores.
• False Positive: benign traffic reported as an attack. Consequences: annoyance, "crying wolf", the need for tuning, and it makes automatic prevention questionable.
• False Negative: a real attack the IDS misses. Causes: wire-speed performance limits, mis-configuration, a poor detection engine, IDS evasion.

IDS Responses After Detection
• Alarms / notifications.
• Passive responses: SNMP integration, i.e., generate an SNMP trap and support an SNMP manager (e.g., HP OpenView) and a MIB (e.g., the iss.mib trap).
• Active responses:
  • Take action against the intruder: retaliation ("information warfare"), injecting TCP reset packets.
  • Collect additional information.
  • Change the environment: reconfigure routers/firewalls (e.g., via FW-1 OPSEC) to block packets based on IP address, network ports, protocols, or services.
• Intrusion Detection Working Group standards:
  • IDMEF (Intrusion Detection Message Exchange Format): XML-based alert format exchanged among IDS components.
  • IDXP (Intrusion Detection Exchange Protocol): communication protocol for exchanging IDMEF messages.
Source: NIST

Check Point - Open Platform for Secure Enterprise Connectivity (OPSEC)
Name         TCP/UDP Port   Short description
FW1_cvp      18181/tcp      Check Point OPSEC Content Vectoring Protocol - protocol used for communication between FWM and AntiVirus Server
FW1_ufp      18182/tcp      Check Point OPSEC URL Filtering Protocol - protocol used for communication between FWM and Server for Content Control (e.g., web content)
FW1_sam      18183/tcp      Check Point OPSEC Suspicious Activity Monitor API - protocol, e.g., for "Block Intruder" between MM and FWM
FW1_lea      18184/tcp      Check Point OPSEC Log Export API - protocol for exporting logs from MM
FW1_omi      18185/tcp      Check Point OPSEC Objects Management Interface - protocol used by applications having access to the ruleset saved at MM
FW1_ela      18187/tcp      Check Point Event Logging API - protocol used by applications delivering logs to MM
FW1_pslogon  18207/tcp      Check Point Policy Server Logon protocol - protocol used for download of Desktop Security from PS to SC
NFR and RealSecure support FW1_sam and FW1_ela.

Tools that Complement IDS
• File Integrity Checkers: create a baseline by applying a message digest (cryptographic hash) to key files, then re-check the files periodically against it.
• Vulnerability Assessment: determine whether a network or host is vulnerable to known attacks.
• Honey Pot: a system/resource designed to be attractive to a potential attacker.
• Padded Cell: when the IDS detects attackers, it seamlessly transfers them to a special padded-cell host.
Source: http://www.icsalabs.com/html/communities/ids/buyers_guide/guide/index.shtml

NIDS Deployments (sensor positions 1-4)
• Position 1, outside the external firewall (Internet side): see all outside attacks, which helps forensic analysis.
• Position 2, in the DMZ behind the external firewall: identify DMZ-related attacks; spot outside attacks that penetrate the network's perimeter; avoid outside attacks on the IDS itself; highlight external firewall policy/performance problems; pinpoint compromised servers via their outgoing traffic.
• Position 3, on major network backbones: increase the possibility of recognizing attacks; detect attacks from insiders or authorized users within the security perimeter.
• Position 4, on critical subnets: observe attacks on critical systems and resources; provide a cost-effective solution.
• Sensor attachment modes: tap, SPAN (mirror) port, port clustering, in-line.
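The file integrity checker described above (hash key files into a baseline, then re-check them periodically) is simple enough to show end to end. The following is an added example, not code from the course or from Tripwire; it assumes SHA-256 as the digest, a JSON file as the baseline store, and a constructed temporary directory standing in for the monitored file tree.

```python
"""Baseline-and-verify file integrity checker (added example, not course code)."""
import hashlib
import json
import os
import tempfile


def digest_file(path, chunk_size=65536):
    """Hex SHA-256 of one file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk the tree under root and record the digest of every regular file.

    Paths are stored relative to root so the baseline can be checked from any
    working directory, and later compared host-to-host if needed.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = digest_file(full)
    return baseline


def check_baseline(root, baseline):
    """Re-hash the tree and report what differs from the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a small tree, change it, then verify it."""
    root = tempfile.mkdtemp(prefix="fic-demo-")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(root, "etc", "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    with open(os.path.join(root, "old.conf"), "w") as fh:
        fh.write("keep=1\n")

    # The baseline store lives outside the monitored tree (here a second temp dir).
    store = os.path.join(tempfile.mkdtemp(prefix="fic-store-"), "baseline.json")
    save_baseline(build_baseline(root), store)

    # Simulated changes: an extra uid-0 account line, a new file, and a deletion.
    with open(os.path.join(root, "etc", "passwd"), "a") as fh:
        fh.write("extra:x:0:0::/:/bin/sh\n")
    with open(os.path.join(root, "bin_extra"), "w") as fh:
        fh.write("new binary\n")
    os.remove(os.path.join(root, "old.conf"))

    return check_baseline(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline file must be kept where an intruder on the monitored host cannot rewrite it (read-only media or another host), otherwise the periodic check compares against a baseline the intruder has already updated.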
IDS Balancer
• Diagram: Internet → Gigabit SX fiber tap → IDS balancer → several IDS sensors.
• Products: TopLayer's IDS Balancer, Radware FireProof.
• Benefits: availability, scalability, ROI, cost-effectiveness (reduce the number of sensors while increasing intrusion coverage).

A Brief History of IDS
(Timeline slide; the column text was interleaved in extraction, and only these milestones are recoverable.)
• Government audit trails were recognized as containing vital information that could be valuable in tracking misuse and understanding user behavior; early systems analyzed audit trails on mainframe computers.
• The Intrusion Detection Expert System (IDES) monitored and analyzed audit data by comparing it with defined profiles of users.
• UC Davis's Todd Heberlein introduced the idea of network intrusion detection with NSM, the first network intrusion detection system; with Lawrence Livermore Lab this was augmented into the Distributed Intrusion Detection System (DIDS), a hybrid of host-based and network-based detection that addressed scalability and portability issues.
• The Haystack team produced Stalker, the first commercially viable host-based intrusion detection system, a pattern-matching system with robust search capabilities for querying audit data manually and automatically.
• SAIC's Computer Misuse Detection System (CMDS) was developed along with the Haystack team.
• The Air Force's Cryptologic Support Center developed ASIM (Automated Security Measurement System) to monitor network traffic on the US Air Force's network; its development staff went on to form the commercial company Wheel Group, whose NetRanger was the first commercially viable network intrusion detection device.
• ISS, the security market leader, developed RealSecure, which monitors network traffic as well as client machines and servers.

The Players in the IDS Market (I)
• ISS: host-based RealSecure (1999); network-based RealSecure (1997).
• Network ICE: BlackICE Sentry; BlackICE Sentry (Gigabit).

The Players in the IDS Market (II)
• Cisco: host-based (Entercept technology) Standard Edition and Enterprise Edition; network-based Catalyst 6000 IDS, IDS 4230, IDS 4210.
• Lineage: Air Force Cryptologic Support Center ASIM (1997) → ASIM development staff from AF CSC → Wheel Group NetRanger → acquired by Cisco ($124 million).

The Players in the IDS Market (III)
• Symantec (Axent): host-based Intruder Alert; network-based NetProwler.
• Enterasys/Cabletron (Network Security Wizards): host-based Squire; network-based Dragon.

The Players in the IDS Market (IV)
• Intrusion.com: host-based Kane (lineage: SAIC CMDS → ODS → Kane); network-based SecureNet Pro (from MimeStar).
• CyberSafe: host-based Centrax; network-based Centrax (NNID technology) (lineage: Entrax → Centrax).
• Also shown: NetworkICE; Network Associates / Trusted Information Systems; Haystack Labs Stalker (development staff from UC Davis, Lawrence Livermore Labs and Haystack).

Summary
• Government funding and corporate interest helped Anderson, Heberlein, and Denning spawn the evolution of IDS.
• Intrusion detection has indeed come a long way, becoming a necessary means of monitoring, detecting, and responding to security threats.
Reference
• NIST Special Publication on Intrusion Detection Systems: http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf
• The Evolution of Intrusion Detection Systems: http://www.tdisecurity.com/documents/IDSEvolution.pdf
• Web sites: http://www.cisco.com, http://www.iss.net, http://www.enterasys.com, http://www.intrusion.com, http://www.cybersafe.com/centrax/

Hacking I

Attack Motivations, Phases and Goals
• Motivations: revenge, political activism, financial gain.
• Phase 1, collect information: public data sources; scanning and probing.
• Phase 2, analyze information and prepare attacks: services in use; known OS/application vulnerabilities; known network protocol security weaknesses; network topology.
• Phase 3, actual attack:
  • Network compromise, with the goals of data manipulation, system access, and elevated privileges.
  • DoS/DDoS attack: bandwidth consumption, host resource starvation (the goal being denial of service).

Tools, Tools, Tools
• Reconnaissance: Nslookup, Whois, ARIN, Dig, the target's web site, others.
• Network scanning: Telnet, Nmap, Hping2, Netcat, ICMP (ping and traceroute).
• Vulnerability assessment: Nessus, SARA.
• Penetration tools.

Collect Information
• Public data sources
• Scanning and probing

Whois Database
• Contains data elements regarding Internet addresses, domain names, and individual contacts; a domain name uniquely identifies its registration record.

ARIN (American Registry for Internet Numbers)
• Gathers information about who
  owns particular IP address ranges, given company or domain names.

DNS: A Hierarchical Database
• Root DNS servers (start point) → com / net / org DNS servers → abc.com DNS servers (the DNS hierarchy).

DNS Resolve (a recursive search to resolve a domain name)
• Client asks the local DNS server for www.abc.com.
• Local DNS server asks a root DNS server, which refers it to the com DNS server.
• The com DNS server refers it to the abc.com DNS server.
• The abc.com DNS server answers: www.abc.com = 10.11.12.13, which the local server returns to the client.

Some DNS Record Types
Record type                      Purpose                                                       Example record format
Address (A record)               Maps a domain name to a specific IP address                   www 1D IN A 10.1.1.1
Host Information (HINFO record)  Identifies the host system type                               www 1D IN HINFO Solaris8
Mail Exchanger (MX record)       Identifies a mail system accepting mail for the given domain  @ 1D IN MX 10 mail.abc.com
Name Server (NS record)          Identifies the DNS servers associated with a given domain     @ 1D IN NS nameserver.abc.com
Text (TXT record)                Associates an arbitrary text string with the domain name      System1 IN TXT "This is a cool system"

nslookup
• Reverse lookup of an IP address to its domain name
• Answers returned from the local DNS cache versus from a remote DNS cache
• Zone transfer

A Split DNS
• External DNS in the DMZ, reachable from the Internet; internal DNS on the internal network, serving internal systems.

DMZ
• DMZ stands for De-Militarized Zone. The DMZ setting allows a server that provides public resources (e.g., web or FTP) to map to a public IP address that Internet users can reach, in a broadband-sharing router environment.
• Diagram: Internet ↔ DMZ (allowed), Internet ↔ internal network (forbidden). DMZ systems include web, mail, DNS and FTP servers.

Collect Information
• Public data sources
• Scanning and probing

Network Mapping
• Map out your own network infrastructure.
• Map and scan your Internet gateway, including DMZ systems such as web, mail, FTP, and DNS.
• Map and scan your internal network.
• Techniques: finding live hosts; tracing your network topology.

Finding Live Hosts (two methods)
• ICMP ping: ping all possible addresses to determine which ones have active hosts. Ping uses an ICMP Echo Request packet; a live host sends an ICMP Echo Reply, otherwise nothing is listening at that address.
• TCP/UDP packet: if incoming ICMP is blocked, send a TCP or UDP packet to a port such as TCP port 80.

Traceroute
• Send packets with TTL = 1, TTL = 2, ... ; each router on the path returns an ICMP Time Exceeded message, which discovers the path from source to destination.

Cheops (network mapping tool)

Defenses against Network Mapping
• Filter inbound: use firewalls and the packet-filtering capabilities of your routers.
• Filter outbound: stop ICMP Time Exceeded messages from leaving your network.
• Block incoming ICMP messages at the gateway:
  • Ping the web server? Maybe.
  • Ping the DMZ database server? Probably not.
  • Ping internal network hosts?
    Definitely not.

Using Port Scanners
• Analyze which ports are open: to learn the purpose of each system, and to learn potential entryways into a system.
• The TCP/IP stack has 65,535 TCP and 65,535 UDP ports; "well-known" port numbers (e.g., TCP port 80) are listed in RFC 1700.
• Nmap: www.insecure.org/nmap

Nmap
• What type of packets does the scanning system send? TCP Connect, TCP SYN, TCP FIN, ...

Types of Nmap Scans
• Legitimate TCP connections are established using a three-way handshake (Alice ↔ Bob):
  1. Alice → Bob: SYN with ISN_A
  2. Bob → Alice: ACK ISN_A and SYN with ISN_B
  3. Alice → Bob: ACK ISN_B; the connection is established.

TCP Header (20 octets without options)
• Bits 0-15: source port; bits 16-31: destination port
• Sequence number (32 bits)
• Acknowledgement number (32 bits)
• Bits 0-3: data offset; bits 4-9: reserved; bits 10-15: flags URG, ACK, PSH, RST, SYN, FIN; bits 16-31: window
• Checksum; urgent pointer
• Options + padding

The Polite Scan: TCP Connect
• Completes the three-way handshake, then gracefully tears down the connection using FIN packets.
• If the port is closed, no SYN-ACK is returned: the scanner receives either no response, a RESET packet, or an ICMP Port Unreachable.
• Easy to detect.

A Little Stealthier: TCP SYN Scan
• Sends a SYN to each target port; if the port is open, a SYN-ACK comes back.
• The scanner then sends a RESET packet, aborting the connection; hence the name "half-open" scan.
• Two benefits: the end system does not record the connection (routers or firewalls still do), and speed.

Violate the Protocol Spec: TCP FIN, Xmas Tree, Null Scans (1)
• TCP FIN scan: a FIN packet to tear down the connection, but no
  connection was ever set up!
• Xmas Tree scan: sends packets with the FIN, URG, and PUSH code bits set.
• Null scan: sends packets with no code bits set.

TCP ACK Scans
• A packet filter device between the external and internal network allows outgoing traffic and the established responses, but blocks incoming traffic if the SYN bit is set: outgoing sessions (and their responses) are allowed, while incoming session initiation is blocked.

TCP ACK Scans (cont.)
• The external scanner sends ACK packets to destination ports 1024, 1025, 1026, ...
• When a RESET comes back from the internal network for port 1026, the scanner learns: "Aha! Port 1026 is open through the firewall."

Vulnerability Scanning Tools
• What is a vulnerability scanner?
• Types of vulnerabilities: common configuration errors; default configuration weaknesses; well-known system vulnerabilities.

Vulnerability Scanning Tools (cont.)
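The scan types above differ in which TCP flags are set and in how the exchange ends, which is exactly what a network sensor can key on. The following detection logic is an added example, not course material or Snort code; it runs over a constructed packet list (source, destination, ports, tcpdump-style flag letters) and reports per source the spec-violating probes (Null, Xmas, FIN), SYN sweeps over many ports with their half-open endings (SYN, SYN-ACK, RST), and bare ACK probes that have no session behind them. The port-count threshold is an assumption chosen for the sample.

```python
"""Flag-based TCP scan detection over packet records (added example, not course code)."""
from collections import defaultdict

# Constructed packet records, not a real capture: (src, dst, sport, dport, flags).
# Flag letters follow tcpdump/nmap: S=SYN A=ACK F=FIN R=RST P=PSH U=URG; "" = no flags.
PACKET_LOG = [
    # 10.0.0.9: half-open SYN sweep of 10.0.0.5 (RST after each SYN-ACK), plus null and Xmas probes
    ("10.0.0.9", "10.0.0.5", 40000, 21, "S"),
    ("10.0.0.9", "10.0.0.5", 40000, 22, "S"),
    ("10.0.0.5", "10.0.0.9", 22, 40000, "SA"),
    ("10.0.0.9", "10.0.0.5", 40000, 22, "R"),
    ("10.0.0.9", "10.0.0.5", 40000, 23, "S"),
    ("10.0.0.9", "10.0.0.5", 40000, 25, "S"),
    ("10.0.0.9", "10.0.0.5", 40000, 80, "S"),
    ("10.0.0.5", "10.0.0.9", 80, 40000, "SA"),
    ("10.0.0.9", "10.0.0.5", 40000, 80, "R"),
    ("10.0.0.9", "10.0.0.5", 40000, 110, "S"),
    ("10.0.0.9", "10.0.0.5", 40000, 443, ""),
    ("10.0.0.9", "10.0.0.5", 40000, 8080, "FPU"),
    # 10.0.0.77: an ordinary three-way handshake followed by data
    ("10.0.0.77", "10.0.0.5", 51000, 80, "S"),
    ("10.0.0.5", "10.0.0.77", 80, 51000, "SA"),
    ("10.0.0.77", "10.0.0.5", 51000, 80, "A"),
    ("10.0.0.77", "10.0.0.5", 51000, 80, "PA"),
] + [
    # 10.0.0.33: bare ACKs to consecutive ports with no session behind them
    ("10.0.0.33", "10.0.0.5", 33000, p, "A") for p in range(1024, 1031)
] + [
    ("10.0.0.5", "10.0.0.33", 1026, 33000, "R"),
]


def classify_flags(flags):
    """Map a flag string to the scan type (or handshake step) it corresponds to."""
    s = set(flags)
    if not s:
        return "null-scan"            # no code bits at all
    if s == {"F", "P", "U"}:
        return "xmas-scan"            # FIN + URG + PSH
    if s == {"F"}:
        return "fin-scan"             # FIN with no connection to tear down
    if s == {"S"}:
        return "syn"
    if s == {"S", "A"}:
        return "syn-ack"
    if "R" in s:
        return "rst"
    if s == {"A"}:
        return "ack"
    return "other"


def detect_scans(packets, port_threshold=5):
    """Return {source: findings} for sources whose traffic matches a scan pattern."""
    state = defaultdict(lambda: {"syn_ports": set(), "ack_ports": set(), "violations": [],
                                 "pending_synack": set(), "half_open": set()})
    for src, dst, sport, dport, flags in packets:
        kind = classify_flags(flags)
        st = state[src]
        if kind in ("null-scan", "xmas-scan", "fin-scan"):
            st["violations"].append((dst, dport, kind))     # one packet is already evidence
        elif kind == "syn":
            st["syn_ports"].add((dst, dport))
        elif kind == "syn-ack":
            # Remember the reply on the initiator's side; its next packet to that
            # port tells us whether the handshake completed (ACK) or was aborted (RST).
            state[dst]["pending_synack"].add((src, sport))
        elif kind == "rst" and (dst, dport) in st["pending_synack"]:
            st["half_open"].add((dst, dport))               # SYN, SYN-ACK, RST
            st["pending_synack"].discard((dst, dport))
        elif kind == "ack":
            if (dst, dport) in st["pending_synack"]:
                st["pending_synack"].discard((dst, dport))  # legitimate third step
            else:
                st["ack_ports"].add((dst, dport))           # ACK with no session behind it

    findings = {}
    for src, st in state.items():
        verdicts = sorted({kind for _, _, kind in st["violations"]})
        if len(st["syn_ports"]) >= port_threshold:
            verdicts.append("syn-scan")
        if len(st["ack_ports"]) >= port_threshold:
            verdicts.append("ack-scan")
        if verdicts:
            findings[src] = {"verdicts": verdicts, "syn_ports": len(st["syn_ports"]),
                             "half_open": len(st["half_open"]),
                             "ack_ports": len(st["ack_ports"]), "violations": st["violations"]}
    return findings


if __name__ == "__main__":
    for src, info in detect_scans(PACKET_LOG).items():
        print(src, info["verdicts"], "half-open:", info["half_open"])
```

The half-open counter is what separates a SYN scan from a burst of legitimate connection attempts: real clients finish the handshake with an ACK, a half-open scanner answers every SYN-ACK with RST.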
• A generic vulnerability scanner consists of: a user configuration tool; a scanning engine; a knowledge base of the current active scan; a vulnerability database; a results repository and report generation; and the targets.

Nessus
• Nessus plug-in categories: finger abuses, Windows, backdoors, gain a shell remotely, CGI abuses, remote file access, RPC, firewalls, FTP, SMTP, ...

The Nessus Architecture
• Client-server architecture.
• Client: the user configuration tool and a results repository/report generation tool.
• Server: the vulnerability database, a knowledge base of the current active scan, and the scanning engine.
• Supports strong authentication based on public-key encryption.
• Supports strong encryption based on the Twofish and RIPEMD algorithms.
• The advantage of the client-server architecture: the scanner can run on a different machine from the user interface; the most common use, however, is running both on a single machine.

Intrusion Detection Systems
• Scanning tools can be detected by a network-based intrusion detection system (IDS).
• IDSs listen for attacks and warn administrators of the attacker's activities.
• Attackers try to evade detection by the IDS: black hat versus white hat.

How Intrusion Detection Systems Work
• Capture all data on the LAN.
• Sort through this data to determine if an actual attack is underway.
• Keep a database of attack signatures.
• When an attack is discovered, the IDS warns the administrator.

A Network-Based Intrusion Detection System
• Port 23! Alert!
• Diagram: the attacker sends traffic to the protected server on TCP port 80 and TCP port 23; the network IDS probe on the same network raises an alert on the port 23 traffic.

Gaining Access Using Application and Operating System Attacks

Outline
• Stack-based buffer overflow attacks
• Password attacks
• Web application attacks

What is a Stack-Based Buffer Overflow?

The Make-up of a Buffer Overflow

Application Layer IDS Evasion for Buffer Overflows
• K2 released ADMutate, a polymorphic engine for buffer overflow exploits.
• For the NOPs: substitutes a bunch of functionally equivalent instructions for the NOPs.
• For the machine-language code: XORs the code with a randomly generated key.

Outline
• Stack-based buffer overflow attacks
• Password attacks
• Web application attacks

Password Attacks
• Guessing default passwords
• Password guessing through login scripting
• Password cracking

Let's Crack Those Passwords!
• Stealing the encrypted passwords and trying to recover the clear-text password: dictionary, brute-force, and hybrid cracking.
• Password cracking is really just a loop:
  • Create a password guess.
  • Encrypt the guess.
  • Compare the encrypted guess with the encrypted value from the stolen password file.
  • If they match, you've got the password! Else, loop back to the top.
Tools for Cracking Passwords
• Cracking Windows NT/2000 passwords using L0phtCrack (LC4): http://www.atstake.com/products/lc/
• Cracking UNIX-like and Windows-based passwords using John the Ripper: http://www.openwall.com/john/

Outline
• Stack-based buffer overflow attacks
• Password attacks
• Web application attacks

Account Harvesting
• Account harvesting's concept: the login returns a different error message for an incorrect user ID than for an incorrect password, so valid user IDs can be enumerated.
• Lock out user accounts after failed attempts? Yes: you open yourself to a DoS attack. No: you allow password guessing across the network.

Example passwords
• Yellow-orange
• IAmRyan
• 241230

Thank You

Security Essentials Toolkit: Nmap

Outline
• Description
• Purpose
• Principle and pre-study
• Required facilities
• Challenge procedure
• Summary
• Reference

Description
• Reconnaissance is key for an attacker to be successful. To defend against attacks, you should examine your systems from the viewpoint of the attacker.
• Use tools that let you see what the attackers see, so that you can patch any vulnerabilities.
• Nmap is a classic example of a reconnaissance tool.

Purpose
• To know the features and role of Nmap in auditing systems.
• To know how to install, use, and analyze the output of Nmap.
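The account-harvesting slide above turns on one detail: whether the login path leaks which of the two checks failed. The following added example (not code from the course) shows the leaky handler next to a hardened one; it assumes a constructed in-memory user table with PBKDF2-hashed passwords, and it performs a dummy hash for unknown users so that response time does not leak what the message no longer does.

```python
"""Uniform login failures as a defence against account harvesting (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption for the demo; tune to the deployment


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_db(credentials):
    """Constructed user store: username -> (salt, pbkdf2 hash)."""
    db = {}
    for username, password in credentials:
        salt = os.urandom(16)
        db[username] = (salt, _hash_password(password, salt))
    return db


USERS = make_user_db([("alice", "correct horse"), ("bob", "hunter2")])

# Used for unknown usernames so the hardened path always does one PBKDF2 computation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-value-never-accepted", _DUMMY_SALT)


def login_leaky(db, username, password):
    """Vulnerable: the message (and the early return) reveal whether the user ID exists."""
    if username not in db:
        return (False, "Unknown user ID")
    salt, stored = db[username]
    if _hash_password(password, salt) != stored:
        return (False, "Incorrect password")
    return (True, "Welcome")


def login_uniform(db, username, password):
    """Hardened: one failure message and the same hashing work on every path,
    compared with a constant-time function."""
    salt, stored = db.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    ok = username in db and hmac.compare_digest(candidate, stored)
    return (ok, "Welcome" if ok else "Invalid user ID or password")


def distinct_failure_messages(login, db, usernames, password="not-the-password"):
    """Audit helper: the set of failure messages a login handler produces for a mix
    of valid and invalid user IDs. More than one message means existence leaks."""
    return sorted({login(db, u, password)[1] for u in usernames})


if __name__ == "__main__":
    probe = ["alice", "nobody-here"]
    print("leaky  :", distinct_failure_messages(login_leaky, USERS, probe))
    print("uniform:", distinct_failure_messages(login_uniform, USERS, probe))
```

The slide's lockout dilemma still applies to the hardened handler: it neither locks accounts (no denial-of-service lever) nor throttles guessing; per-source rate limiting and logging of repeated failures are the usual complement.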
Principle and Pre-Study
• The hacker's attack methodology.
• Why do we need scanning tools?

Required Facilities
• Permission: do not proceed without receiving the necessary permissions.
• Hardware: Intel-based PC.
• Software: Windows OS and Linux OS; Nmap from http://www.insecure.org/nmap/

Challenge Procedure
• Step 1: Install Nmap (skipped)
• Step 2: Review Nmap options
• Step 3: Test Nmap

Step 2: Nmap Options (1/2), by scan type
• Hosts (-sP)
• TCP ports, connect scan (-sT)
• RPC servers (-sR)
• SYN scan (-sS)
• FIN scan (-sF), Xmas tree (-sX), null scan (-sN)
• ACK scan (-sA)
• Scanning for UDP ports (-sU)

Step 2: Nmap Options (2/2), by other function
• Fragmentation (-f)
• Decoys (-D)
• OS fingerprinting (-O)
• Timing (-T option):
  Option      Time between probes   Probe response timeout
  Paranoid    5 min                 5 min
  Sneaky      15 sec                15 sec
  Polite      0.4 sec               6 sec (10 max)
  Normal      none                  6 sec (10 max)
  Aggressive  none                  1 sec (1.5 max)
  Insane      none                  0.3 sec max

Step 3: Test Nmap (NMapWin v1.3.1)

Step 3: Test Nmap (Linux Nmap)

Summary
• Nmap is a powerful tool that allows administrators, as well as attackers, to determine what services and ports are open on a particular device.
• Nmap scans of your network should be run frequently to verify that new services or ports have not been unknowingly added to your environment.
Reference
• http://www.insecure.org/nmap/

A Real World Attack: wu-ftp

Outline
• Description
• Purpose
• Principle and pre-study
• Required facilities
• Step by step
• Summary
• Reference

Description
• Many intrusion incidents happen every day. Do you know which techniques crackers use to intrude into your web server, mail server and FTP server?
• Today, this exercise will guide you through the process of discovering a vulnerable system, exploiting the vulnerability, and installing software to cover your tracks.

Purpose
• Locate a vulnerable system.
• Exploit that vulnerability to gain a root shell.
• Install a rootkit.
• Access the system via the rootkit.

Principle and Pre-Study (I)
• CERT Advisory CA-1999-13, Multiple Vulnerabilities in WU-FTPD:
  1. MAPPING_CHDIR buffer overflow
  2. Message file buffer overflow
  3. SITE NEWER consumes memory
• http://www.cert.org/advisories/CA-1999-13.html

Principle and Pre-Study (II)
• What is a buffer overflow? A type of programmatic flaw that is due to a programmer allowing an unbounded operation on data.
• 2003 Top Ten Vulnerability Threats (Symantec):
  1. Microsoft Windows DCOM RPC Interface Buffer Overrun
  2. Microsoft RPCSS DCOM Interface Long Filename Heap Corruption
  3. Microsoft Windows ntdll.dll Buffer Overflow
  4. Sun Solaris Sadmin Client Credentials Remote Administrative Access
  5. Sendmail Address Prescan Memory Corruption
  6. Multiple Microsoft Internet Explorer Script Execution
  7. Microsoft Windows Workstation Service Remote Buffer Overflow
  8. Samba 'call_trans2open' Remote Buffer Overflow
  9. Microsoft Windows Locator Service Buffer Overflow
  10. Cisco IOS Malicious IPv4 Packet Sequence Denial of Service

Required Facilities
• WARNING: this process of cracking a system is only to be tested on an internal network. Do not run the actual exploit against a host you are not authorized to test.
• Hardware: PC or workstation with a UNIX-like system.
• Software: Wu-ftp 6.2.0; rootkit and buffer overflow program.

Step (I): reconnaissance and scanning
• Use nmap for system scanning.
• Test the anonymous account.

Step (II): exploit the target
• Decompress the buffer overflow file and compile it.
• List the usage of this tool.

Step (III): cracking
• Execute the buffer overflow against the target host.
• Obtain root rights.

Step (IV): download the rootkit from outside and install it
• Check the logged-in users.
• Download the tool from another victim.
• Decompress the rootkit.
• Execute the rootkit.

Step (V): auto-patch the victim
• Change the default login password.
• Replace the system commands.
• Open the telnet port.
• Report the system information.
• Close the system firewall.
Step (VI): try whether the rootkit works
• The telnet daemon has been replaced.
• Input the ID and the password predefined by us.
• We have a root shell now; now you can do anything.

Summary
• Check the OS's and applications' vulnerabilities periodically.
• Grasp the idea of "Defense in Depth".
• There is no secure operating system or application against a determined attacker.

Reference
• CERT: http://www.cert.org/
• Nmap: http://www.insecure.org/
• Buffer overflow and rootkit download site: http://www.flatline.org.uk/~pete/ids/

Nessus: The Premier Open Source Vulnerability Assessment Tool

Outline
• Description
• Purpose
• Principle and pre-study
• Required facilities
• Step by step
• Summary
• Reference

Description (I)
• A security scanner is software that remotely audits a given network and determines whether crackers may break into it, or misuse it in some way.
• Nessus is a free, open source vulnerability scanner that provides a view of your networks as seen by outsiders.

Description (II)
• Nessus also provides many kinds of detailed reports that identify the vulnerabilities and the critical issues that need to be corrected.
• Nessus features:
  • Plugin-based: customized security checks can be written in C or NASL2 (Nessus's scripting language, ver.
2) Exportable report Support many kinds of export report, like ASCII text, LaTex and HTML 105 Information Networking Security and Assurance Lab National Chung Cheng University Purpose Teach you how to install, configure and use Nessus. You will also learn how to interpret its output. 106 Information Networking Security and Assurance Lab National Chung Cheng University Principle and Pre-Study nessus client nessusd server FTP server Mail server Nessus – Client and Server architecture nessusWX win32 client Target network WWW server 107 Information Networking Security and Assurance Lab National Chung Cheng University Required Facilities Permission Do not proceed without receiving the necessary permissions Hardware PC or Workstation with UNIX-based OS Software Client GTK- the gimp toolkit, version 1.2 Server OpenSSL The latest stable release is nessus 2.0.9 108 Information Networking Security and Assurance Lab National Chung Cheng University Step (I): install nessus Some way to install lynx -source http://install.nessus.org | sh dangerous sh nessus-installer.sh Easy and less dangerous Install the nessus tarball archives individually nessus-libraries libasl nessus-core nessus-plugins Safe, but noisy 109 Information Networking Security and Assurance Lab National Chung Cheng University Step (II): create nessusd account add the client user’s account The authentication method by password check Edit user’s right 110 Information Networking Security and Assurance Lab National Chung Cheng University Step (III): create nessusd account The authentication method by key change The key information of user 111 Information Networking Security and Assurance Lab National Chung Cheng University Step (IV): Configure your nessusd Edit the file /usr/local/etc/nessus/nessus.conf plugins_folder = /usr/local/lib/nessus/plugins max_hosts = 30 max_checks = 10 logfile = /usr/local/var/nessus/logs/nessusd.messages log_whole_attack = yes rules = /usr/local/etc/nessus/nessusd.rules users = 
/usr/local/etc/nessus/nessusd.users cgi_path = /cgi-bin:/scripts port_range = default use_mac_addr = no plugin_upload = no slice_network_addresses = no Maximum number of simultaneous host tested Maximum number of simultaneous checks Scan the range of port found in /etc/services Can users upload plugins? Execute nessusd –D Default listen on TCP 1241 Execute nessus Safely start nessusd as root on TCP 1241 112 Information Networking Security and Assurance Lab National Chung Cheng University Step (V): Nessus client configuration (UNIX) The nessusd server’s address The open port number of nessusd Login user name User password Click on “Log in” 113 Information Networking Security and Assurance Lab National Chung Cheng University The test would not cause the target host crash 114 Information Networking Security and Assurance Lab National Chung Cheng University The scan range You can give extra information to some security check so that the audit is more complete Send the test result to defined mail address Avoid the detection by IDS Choice the scan tools 115 Information Networking Security and Assurance Lab National Chung Cheng University Input the target’s address allow a user to restrict his test. For instance, I want to test 10.163.156.1/24, except 10.163.156.5. The ruleset I entered allows me to do that. 
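The following is an added example, not Nessus code, showing how a scanner turns the target notations the client accepts (a single address, a dashed range of the last octet, a CIDR block, a hostname) into a host list and then applies an accept/reject ruleset such as "scan 10.163.156.1/24 except 10.163.156.5". The rule syntax ("accept", "reject", "default accept|deny") is modelled on the style of nessusd.rules as an assumption about that file's format; the parsing and matching logic here is our own. Hostnames are left unresolved so the code runs offline.

```python
"""Expand Nessus-style scan targets and apply an accept/reject ruleset.

Added example, not Nessus code. Target notations follow the Nessus client
(single IP, dashed range of the last octet, CIDR block, hostname). The rule
syntax imitates nessusd.rules ("accept <addr|net>", "reject <addr|net>",
"default accept|deny") as an assumption about that file's format.
"""
import ipaddress
import re

_LAST_OCTET_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})$")


def expand_target(spec):
    """Return the list of hosts named by one target spec.

    Hostnames are returned unresolved (no DNS lookup here); Nessus itself
    would resolve them before scanning.
    """
    spec = spec.strip()
    m = _LAST_OCTET_RANGE.match(spec)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad address range: {spec}")
        return [f"{prefix}{i}" for i in range(lo, hi + 1)]
    if "/" in spec:
        # strict=False accepts 10.163.156.1/24 and normalises it to 10.163.156.0/24;
        # hosts() skips the network and broadcast addresses.
        return [str(h) for h in ipaddress.ip_network(spec, strict=False).hosts()]
    try:
        return [str(ipaddress.ip_address(spec))]
    except ValueError:
        return [spec]  # anything else is treated as a hostname


def parse_rules(text):
    """Parse rule lines into ([(verdict, network), ...], default_verdict)."""
    rules, default = [], "accept"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        verb, arg = verb.lower(), arg.strip()
        if verb == "default":
            default = "accept" if arg.lower() == "accept" else "reject"
        elif verb in ("accept", "reject"):
            rules.append((verb, ipaddress.ip_network(arg, strict=False)))
        else:
            raise ValueError(f"unknown rule: {raw!r}")
    return rules, default


def is_allowed(host, rules, default):
    """First matching rule wins, as in a firewall ruleset; otherwise the default
    applies. An unresolved hostname can only be judged by the default."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return default == "accept"
    for verdict, net in rules:
        if addr in net:
            return verdict == "accept"
    return default == "accept"


def scan_list(targets, rules_text):
    """Comma-separated target specs -> ordered, de-duplicated list of hosts to scan."""
    rules, default = parse_rules(rules_text)
    out, seen = [], set()
    for spec in targets.split(","):
        for host in expand_target(spec):
            if host not in seen and is_allowed(host, rules, default):
                seen.add(host)
                out.append(host)
    return out


# Constructed ruleset for the scenario on the slide: 10.163.156.1/24 except 10.163.156.5.
EXAMPLE_RULES = """
reject 10.163.156.5
accept 10.163.156.0/24
default deny
"""

if __name__ == "__main__":
    hosts = scan_list("10.163.156.1/24", EXAMPLE_RULES)
    print(len(hosts), "hosts to scan; .5 excluded:", "10.163.156.5" not in hosts)
```

Rule order matters: the specific reject is listed before the /24 accept because the first match wins; reversed, the whole block would be accepted and the exclusion would never apply. A "default deny" line is what keeps a user from scanning arbitrary networks outside the rules, which is the point of per-user rules on a shared nessusd.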
Target notations accepted:
- A single IP address: 10.163.156.1
- A range of IP addresses: 10.163.156.1-254
- A range of IP addresses in CIDR notation: 10.163.156.1/24
- A hostname in fully qualified domain name notation: hope.fr.nessus.org

The Nessus Knowledge Base
The Knowledge Base feature lets the user save what Nessus learned about each host so it can be reused in later scans.

Step (VI): The scan process
- The target's open ports
- Scanning progress
- The severity level of each finding
- The comment attached to the finding
- The description of the security hole, including background and the solution

Step (VII): Exporting the data
- Report in Nessus client format
- Export to XML
- LaTeX format, which can be converted to PDF
- Report in HTML with graphs

Summary
- PC Magazine nominated Nessus as one of the "Best Products of 2003" in the open-source category.
- Nessus is a powerful vulnerability assessment tool and port scanner that lets you see the same view of your network that an outsider sees.

Reference
- Nessus and NessusWX website: http://www.nessus.org
- NeWT website: http://www.tenablesecurity.com/newt.html
- PC Magazine: http://www.pcmag.com/article2/0,4149,1420870,00.asp

Appendix A: Other Nessus commands
- nessus-build: builds a .nes Nessus plugin from a .c source file.
- nessus-config: displays the compiler/linker flags for the Nessus libraries.
- nessus-mkcert-client: creates a client certificate. SSL protects the communication between the client and the server; it requires the server to present a certificate to the client, and the client can optionally present a certificate to the server.
- nessus-mkrand: creates a file of random bytes.
- nessus-adduser: a simple program that adds a user to the proper nessusd configuration files and, if nessusd is running, sends it a signal to notify it of the change.

Appendix B: NessusWX, the Nessus client for Win32
http://nessuswx.nessus.org/ (current version 1.4.4)
Screenshots: options and port scan properties; connection and comments.

Appendix C: Commercial product NeWT 1.0
A native port of Nessus to Windows, very easy to install and use. NeWT is a commercial product from Tenable Network Security.
Screenshots: start screen; scan configuration; scan in progress.
Screenshot: example report.

FAQ: Network Intrusion Detection Systems

Outline
- Introduction
- Architecture
- Policy and resources
- IDS and firewalls
- Limitations of NIDS

Introduction
- What is a "network intrusion detection system (NIDS)"?
- Who is misusing the system?
- Why can intruders get into systems?
- What is a typical intrusion scenario?
- Where can I find current statistics about intrusions?

What is a "network intrusion detection system (NIDS)"?
An intrusion is somebody attempting to break into or misuse your system. The word "misuse" is broad and covers anything from something severe, such as stealing confidential data, to something minor, such as misusing your email system for spam. A network intrusion detection system (NIDS) monitors packets on the network wire and attempts to discover whether a hacker/cracker is trying to break into a system (or to cause a denial of service).

Who is misusing the system?
- Outsiders: outside intruders may come from the Internet, dial-up lines, physical break-ins, or from a partner (vendor, customer, reseller, etc.) network that is linked to your corporate network.
- Insiders: intruders who legitimately use your internal network. These include users who misuse privileges or who impersonate higher-privileged users. A frequently quoted statistic is that 80% of security breaches are committed by insiders.

Why can intruders get into systems?
- Software bugs: buffer overflows, unexpected combinations, unhandled input, race conditions, ...
- System configuration: default configurations, lazy administrators, hole creation, trust relationships, ...
- Password cracking: really weak passwords, dictionary attacks, brute force attacks, ...
- Sniffing unsecured traffic: shared medium, server sniffing, remote sniffing, ...
- Design flaws: TCP/IP protocol flaws, UNIX design flaws, ...

What is a typical intrusion scenario?
- Step 1: Outside reconnaissance. The intruder might search news articles and press releases about your company.
- Step 2: Inside reconnaissance. At this point the intruder has done only "normal" activity on the network and nothing that can be classified as an intrusion.
- Step 3: Exploit. The intruder crosses the line and starts exploiting possible holes in the target machines.
- Step 4: Foothold. The hacker has gained a foothold in your network by hacking into a machine.
- Step 5: Profit. The intruder takes advantage of that status to steal confidential data, misuse system resources, or deface web pages.

Where can I find current statistics about intrusions?
- CyberNotes by NIPC: http://www.fbi.gov/nipc/welcome.htm
- AusCERT Consolidated Statistics Project: http://www.auscert.org.au/Information/acsp/index.html
- An Analysis Of Security Incidents On The Internet 1989-1995: http://www.cert.org/research/JHThesis/Start.html
- CERT Reports, Articles, and Presentations: http://www.cert.org/nav/reports.html
- 1999 CSI/FBI Survey: http://www.gocsi.com/summary.htm and http://www.gocsi.com/prelea990301.htm

Architecture
- How are intrusions detected?
- What happens after a NIDS detects an attack?
- Where do I put IDS systems on my network?

How are intrusions detected?
- Anomaly detection: the most common way people approach network intrusion detection is to detect statistical anomalies. The idea is to measure a "baseline" of statistics such as CPU utilisation, disk activity, user logins, file activity, and so forth; the system then triggers when there is a deviation from this baseline.
- Signature recognition: the majority of commercial products examine the traffic looking for well-known patterns of attack. This means that for every hacker technique, the engineers code something into the system for that technique.

What happens after a NIDS detects an attack?
- Reconfigure the firewall
- Chime
- SNMP trap
- NT event log
- syslog
- Send e-mail
- Page
- Log the attack
- Save evidence
- Launch a program
- Terminate the TCP session

Where do I put IDS systems on my network?
- Network hosts: a sensor installed on the host itself, like virus-scanning software, is the most effective way to detect intrusions into that host.
- Network perimeter: IDS is most effective on the network perimeter, such as on both sides of the firewall, near the dial-up server, and on links to partner networks.
- WAN backbone: another high-value point is the corporate WAN backbone. A frequent problem is hacking from "outlying" areas into the main corporate network.
- Server farms: for extremely important servers, you may be able to install dedicated IDS systems that monitor just the individual server's link.
- LAN backbones: IDS systems are impractical for LAN backbones because of the high traffic; some vendors are incorporating IDS detection into switches.
Policy and resources
- How should I implement intrusion detection in my enterprise?
- Where can I find updates about new security holes?
- What are some other security and intrusion detection resources?

How should I implement intrusion detection in my enterprise?
Think about how you can configure the following systems to detect intruders:
- Operating systems such as Windows NT and UNIX come with integrated logging/auditing features that can be used to monitor security-critical resources.
- Services such as web servers, e-mail servers, and databases include logging/auditing features as well.
- Network intrusion detection systems watch network traffic in an attempt to discover intrusion attempts.
- Firewalls usually have some network intrusion detection capabilities.
- Network management platforms have tools to help network managers set alerts on suspicious activity.

Where can I find updates about new security holes?
- CERT (Computer Emergency Response Team): http://www.cert.org
- AusCERT (Australian Computer Emergency Response Team): http://www.auscert.org.au/
- CIAC (Computer Incident Advisory Capability) of the US Department of Energy: http://www.ciac.org/

What are some other security and intrusion detection resources?
- SANS Institute: http://www.sans.org/
- Technical Incursion Countermeasures: http://www.ticm.com
- IDS mailing list: email questions to ids-owner@uow.edu.au
- ISS database: http://www.iss.net/security_center/advice/Countermeasures/Intrusion_Detection/default.htm

IDS and firewalls
- Why do I need IDS if I already have a firewall?

Why do I need IDS if I already have a firewall?
Some reasons for adding IDS to your firewall:
- It double-checks misconfigured firewalls.
- It catches attacks that firewalls legitimately allow through (such as attacks against web servers).
- It catches attempts that fail.
- It catches insider hacking.
"Defense in depth, and overkill paranoia, are your friends." (Bennett Todd) Hackers are much more capable than you think; the more defenses you have, the better.

Limitations of NIDS
- Switched networks
- Resource limitations

Switched networks
A switch forwards each frame only to the port where its destination MAC address lives, so a sensor on one port no longer sees the whole segment. There are some solutions to this problem, but not all of them are satisfactory:
- Embed IDS within the switch: some vendors (Cisco, ODS) are embedding intrusion detection directly into switches.
- Monitor/SPAN port: many switches have a "monitor port" for attaching network analysers; a NIDS can easily be added to this port as well.
- Tap into the cable (for inter-switch or switch-to-node links): a monitor can be connected directly to the cable to watch the traffic.
- Host-based sensors: the only way to defeat the resource limitations of switched networks is to distribute host-based intrusion detection.

Resource limitations
Some typical resource issues:
- Network traffic loads: current NIDS have trouble keeping up with fully loaded segments.
- TCP connections: an IDS must maintain connection state for a large number of TCP connections, which requires an extensive amount of memory.
- Other state information: TCP is the simplest example of state that the IDS must keep in memory, but other examples include IP fragments, TCP scan information, and ARP tables.
- Long-term state: a classic problem is "slow scans", where the attacker scans the system very slowly, so the evidence is spread over a longer period than the IDS keeps state for.

Security organisations

Outline
- NIPC
- CERT
- AusCERT
- CIAC
- SANS Institute
- CVE

NIPC: National Infrastructure Protection Center
http://www.nipc.gov
Publication: CyberNotes, every two weeks, by Information Analysis and Infrastructure Protection (IAIP) at the Department of Homeland Security. It covers bugs, holes and patches; trends; viruses; Trojans.

CERT Coordination Center (CERT/CC), Computer Emergency Response Team
http://www.cert.org/nav/index_main.html
CERT/CC was the first computer security incident response team.
- Vulnerabilities, incidents and fixes
- Incident notes and vulnerability notes
- Security practices and evaluations
- Survivability research and analysis
- Training and education

AusCERT
AusCERT, Australia's national Computer Emergency Response Team (CERT), is an independent, not-for-profit organisation based at The University of Queensland.
https://www.auscert.org.au/index.html
AusCERT has a representative on the Forum for Incident Response and Security Teams (FIRST) steering committee.
Publications: security bulletins, member newsletters, checklists, presentations and papers.

CIAC: Computer Incident Advisory Capability, U.S. Department of Energy
http://www.ciac.org/ciac/index.html
Publications: CIAC bulletins and advisories; CIAC technical bulletins; computer security tools (developed by CIAC).

SANS Institute (SysAdmin, Audit, Network, Security)
http://www.sans.org/index.php
- SANS computer and information security training
- SANS weekly security bulletins and alerts
- SANS forum
- SANS Top Twenty list

CVE: Common Vulnerabilities and Exposures
http://cve.mitre.org/
- CVE is sponsored by the U.S. Department of Homeland Security.
- CVE aims to standardise the names of all publicly known vulnerabilities and security exposures.
- It is a list of standardised names for vulnerabilities and other information security exposures.

CVE (cont.): how the CVE list is built
- Stage 1, Submission: conversion, matching, refinement and editing phases.
- Stage 2, Candidates: assignment, proposal, voting, modification and final decision phases.
- Stage 3, The entry: the name changes from CAN-YYYY-NNNN to CVE-YYYY-NNNN; modification phase.

CVE goal (figure)

Host-based intrusion detection software: Tripwire

Outline
- Description
- Purpose
- Principle and pre-study
- Required facilities
- Step by step
- Summary
- Reference

Description
The first objective of an attacker is to obtain access to your system. The second objective is to retain that access, even if you close the hole she entered through.
To accomplish this, an attacker will often install a rootkit. Tripwire creates a database of cryptographic checksums (MD5) that takes a snapshot of a system's file properties and contents, so that later changes can be detected.

Purpose
To introduce you to the installation, configuration, and use of Tripwire as a host-based intrusion detection system.

Principle and pre-study
What is a rootkit? A collection of modified system binaries designed to hide the attacker's activities on your system. Once one is installed, how do you know whether you can trust the information your system is giving you?

Required facilities
- Hardware: PC or workstation with a UNIX-based OS
- Software: Tripwire 2.3.1

Step (I): Install on FreeBSD
- Make Tripwire from the FreeBSD ports tree.
- Accept the licence agreement.
- Enter the site keyfile passphrase and the local keyfile passphrase.
- Sign the Tripwire configuration file and the Tripwire policy file.
- Generate the database according to the policy file (wait a while); the installation is complete when the database has been created.
The site key passphrase is needed whenever the configuration file or the policy file is created or modified. The local key passphrase is needed to initialise or update the Tripwire database, and may also be used to sign integrity check reports.

Step (II): Test Tripwire
- Add a user named jared who has root access rights.
- Compare the file system against the Tripwire database.
- The output of the check shows that Tripwire detected the files that were modified.
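The check in Step (II), reduced to its mechanics, as an added example that is not Tripwire's own code: take a baseline of every regular file (MD5 digest, the algorithm the slides cite from RFC 1321, plus size and permission bits), sign the database, then tamper with the tree the way a rootkit install would and compare again. The HMAC over the serialised database stands in for Tripwire's local-key signature; the directory tree, file contents and the "local key" are all constructed for the demo.

```python
"""Tripwire-style file integrity check: baseline, sign, verify, compare.

Added example, not Tripwire's code. Records an MD5 digest (RFC 1321) plus
size and permission bits for every regular file under a directory, protects
the database with an HMAC standing in for Tripwire's local-key signature,
and reports added, removed and changed files. Tree and key are constructed.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def file_md5(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> properties for every regular file under root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices, sockets
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            db[rel] = {"md5": file_md5(path), "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode)}
    return db


def sign_db(db, key):
    """Serialise the database and sign it; an attacker who edits the database
    to hide a trojaned binary also has to forge this tag."""
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def load_db(body, tag, key):
    """Refuse to use a database whose signature does not verify."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity database signature mismatch: do not trust it")
    return json.loads(body)


def compare(baseline, current):
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
    }


def demo():
    """Baseline a small tree, tamper with it as a rootkit install would, re-check."""
    key = b"local-key-passphrase"  # constructed; Tripwire derives its key from a passphrase
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary\n")
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:*:0:0:root:/root:/bin/sh\n")
        body, tag = sign_db(snapshot(root), key)

        # Tampering: a trojaned ls of identical size, a new uid-0 account, a dropped sniffer.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary\n")
        with open(os.path.join(root, "passwd"), "a") as f:
            f.write("jared:*:0:0::/home/jared:/bin/sh\n")
        with open(os.path.join(root, "bin", "sniffer"), "wb") as f:
            f.write(b"\x7fELF")

        report = compare(load_db(body, tag, key), snapshot(root))

        # A single altered byte in the stored database must be rejected.
        try:
            load_db(body + b" ", tag, key)
            db_tamper_detected = False
        except ValueError:
            db_tamper_detected = True
    return report, db_tamper_detected


if __name__ == "__main__":
    print(demo())
```

The trojaned ls is deliberately the same length as the original: size and timestamps are cheap for an attacker to preserve, so the digest is what carries the detection. The baseline is only worth anything if it was taken on a clean system and the signing key is kept off the host being watched.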
Step (III): Scheduling
Use crontab to run the Tripwire check every day at 1 a.m. and mail the output to root. Edit /etc/crontab as root and restart /usr/sbin/cron.

The Tripwire configuration file and the Tripwire policy file (screenshots).

Summary
- Using a database of computed checksums, Tripwire can detect when a critical system file is changed.
- The database made by Tripwire must be secured so that an attacker cannot alter it: keep it signed with the local key and, ideally, on read-only media, and create it on a clean system before the host is exposed to the network.

Reference
- http://www.tripwire.org
- RFC 1321, The MD5 Message-Digest Algorithm
- Man page of tripwire

Appendix: Install on Linux
Select the Tripwire RPM for your Linux distribution and install it:
  rpm -i tripwire-[version].i386.rpm
After the installation completes, create the site keyfile passphrase and the local keyfile passphrase; the script also signs the Tripwire configuration file and the Tripwire policy file:
  sh /etc/tripwire/twinstall.sh
Edit the default site policy file:
  vi /etc/tripwire/twpol.txt
Install the policy:
  /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
Generate the initial checksum database:
  /usr/sbin/tripwire -m i

Network-based intrusion detection: TCPDUMP

Outline
- Description
- Purpose
- Principle and pre-study
- Required facilities
- Step by step
- Summary
- Reference

Description
Packet sniffing is the heart of intrusion detection and of understanding what is actually occurring on your network. TCPDUMP provides options and filters to assist in the proper and thorough analysis of the captured traffic.

Purpose
To demonstrate how to install and use tcpdump and how to analyse the data it collects, and to understand the basic functionality of network-based intrusion detection.

Principle and pre-study
Promiscuous mode: in a network, promiscuous mode allows a network interface to intercept and read every packet that arrives, in its entirety, not only the packets addressed to it.
This mode of operation is typically given to a network snoop server that captures and saves all packets for analysis.

Output format
ARP/RARP packets:
  arp who-has [A] tell [B]
  arp reply [A] is-at [a]
TCP packets:
  src > dst: flags data-seqno ack window urgent options
- src: source IP address and port
- dst: destination IP address and port
- flags: S (SYN), F (FIN), P (PUSH), R (RST), . (no flags)
- data-seqno: the portion of sequence space covered by the data in the packet, printed as first:last(nbytes)
- ack: the sequence number of the next data expected from the other direction
- window: the number of bytes of receive buffer space available
- urg: indicates that there is "urgent" data in the packet
- options: TCP options, enclosed in angle brackets

Required facilities
- Hardware: PC or workstation with a UNIX-based OS or Microsoft Windows
- Software: TCPDUMP 3.8.1, LIBPCAP 0.8.1

Step (I): Install
For Linux:
- Download libpcap from http://www.tcpdump.org/release/libpcap-0.7.2.tar.gz
  tar zxvf libpcap-0.7.2.tar.gz; cd libpcap-0.7.2; ./configure; make; make install
- Download tcpdump from http://www.tcpdump.org/release/tcpdump-3.7.2.tar.gz
  tar zxvf tcpdump-3.7.2.tar.gz; cd tcpdump-3.7.2; ./configure; make; make install
For FreeBSD: tcpdump is built in.

Step (II): Execute
- Listen for traffic to or from 140.123.113.86 and do not convert addresses to names (tcpdump -n host 140.123.113.86).
- The packet counts printed at the end ("packets received by filter", "packets dropped by kernel") are kept by the kernel.
- Listen only for packets on TCP port 80 (tcpdump -n tcp port 80).
- A non-zero "dropped by kernel" count means more packets arrived than the system could process, so the capture is incomplete.

Summary
tcpdump is a powerful packet capture utility that allows the extraction of particular types of network traffic based on header information. It can filter on any field in the IP, ICMP, UDP, or TCP header using byte offsets.

Replay packets from capture files: TCPREPLAY

Description
TCPreplay is a tool for replaying network traffic from files saved by tcpdump. It resends all packets from the input files at the speed at which they were recorded, at a specified data rate, or as fast as the hardware is capable.

Required facilities
- Hardware: PC or workstation with a UNIX-based OS
- Software: TCPreplay 2.02

Step (screenshot)

Summary
Originally, TCPreplay was written to test network intrusion detection systems, but it has also been used to test firewalls, routers, and other network devices.
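The tcpdump TCP output format described earlier, and the "basic functionality of network-based intrusion detection" the tcpdump section sets out to show, as an added example that is not tcpdump's code: a parser for the summary line (src > dst: flags data-seqno ack window urgent options) and, on top of it, the simplest signature-style detector a NIDS applies, counting distinct destination ports that received a bare SYN from one source. The capture below is constructed, not a real trace; the field names and the threshold are our own.

```python
"""Parse tcpdump TCP summary lines and flag SYN scans.

Added example, not tcpdump code. The line layout is the one tcpdump prints
(src > dst: flags data-seqno ack window urgent options); the sample capture
is constructed. The detector counts, per (source, destination) pair, the
distinct ports that received a bare SYN (no ACK) and alerts at a threshold.
"""
import re
from collections import defaultdict

_TCP_LINE = re.compile(
    r"^(?:(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+)?"
    r"(?P<src>[\w.-]+)\.(?P<sport>\w+)\s+>\s+(?P<dst>[\w.-]+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFPRWE.]+)"
    r"(?:\s+(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<nbytes>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
    r"(?:\s+urg\s+(?P<urg>\d+))?"
    r"(?:\s+<(?P<opts>[^>]*)>)?"
)


def parse_tcp_line(line):
    """Return a dict of fields for a TCP summary line, or None for other lines (ARP, UDP...)."""
    m = _TCP_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("seq_lo", "seq_hi", "nbytes", "ack", "win", "urg"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def detect_syn_scan(lines, threshold=5):
    """Return sorted (src, dst, port_count) triples whose bare-SYN port count >= threshold.

    A SYN that carries an ACK is the second step of a handshake, not a probe,
    so only flags == "S" with no ack field is counted.
    """
    syn_ports = defaultdict(set)
    for line in lines:
        p = parse_tcp_line(line)
        if p and p["flags"] == "S" and p["ack"] is None:
            syn_ports[(p["src"], p["dst"])].add(p["dport"])
    return sorted((src, dst, len(ports))
                  for (src, dst), ports in syn_ports.items()
                  if len(ports) >= threshold)


# Constructed capture: 10.1.1.5 probes six ports on 140.123.113.86 (three closed
# ports answer RST); 10.1.1.7 completes a normal handshake on port 80.
SAMPLE_CAPTURE = [
    "10.1.1.5.40001 > 140.123.113.86.21: S 1000:1000(0) win 5840 <mss 1460>",
    "140.123.113.86.21 > 10.1.1.5.40001: R 0:0(0) ack 1001 win 0",
    "10.1.1.5.40002 > 140.123.113.86.22: S 1001:1001(0) win 5840 <mss 1460>",
    "140.123.113.86.22 > 10.1.1.5.40002: S 9000:9000(0) ack 1002 win 5792 <mss 1460>",
    "10.1.1.5.40003 > 140.123.113.86.23: S 1002:1002(0) win 5840 <mss 1460>",
    "140.123.113.86.23 > 10.1.1.5.40003: R 0:0(0) ack 1003 win 0",
    "10.1.1.5.40004 > 140.123.113.86.25: S 1003:1003(0) win 5840 <mss 1460>",
    "140.123.113.86.25 > 10.1.1.5.40004: R 0:0(0) ack 1004 win 0",
    "10.1.1.5.40005 > 140.123.113.86.80: S 1004:1004(0) win 5840 <mss 1460>",
    "10.1.1.5.40006 > 140.123.113.86.110: S 1005:1005(0) win 5840 <mss 1460>",
    "10.1.1.7.51000 > 140.123.113.86.80: S 5000:5000(0) win 5840 <mss 1460>",
    "140.123.113.86.80 > 10.1.1.7.51000: S 7000:7000(0) ack 5001 win 5792 <mss 1460>",
    "10.1.1.7.51000 > 140.123.113.86.80: . ack 7001 win 5840",
    "10.1.1.7.51000 > 140.123.113.86.80: P 5001:5051(50) ack 7001 win 5840",
    "arp who-has 140.123.113.1 tell 140.123.113.86",
]

if __name__ == "__main__":
    for src, dst, n in detect_syn_scan(SAMPLE_CAPTURE):
        print(f"possible SYN scan: {src} -> {dst}, {n} ports probed")
```

This is the per-source counter that the "TCP scan information" state in the resource-limitation list refers to; a scanner that spaces its probes out further than the sensor keeps this table (the "slow scan") stays under the threshold, which is why the window over which the sets are kept matters as much as the threshold itself.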
Host-based intrusion detection software: swatch, the Simple WATCHdog

Description
Reconnaissance is important for a successful attack, but it can also give the attacker away. swatch monitors syslog, looking for new entries that match specific criteria, and provides a variety of alert mechanisms.

Purpose
This exercise demonstrates how to install and configure swatch. After swatch is installed, an alert is triggered and a notification is sent.

Required facilities
- Hardware: PC or workstation
- Software: Perl 5 with the modules Time::HiRes, Date::Calc, Date::Format and File::Tail

Step (I): Install (screenshot)

Step (II): Configure
Copy the example configuration file and review it.

Step (III): Execute swatch as root and put it into the background.

Step (IV): Change the swatch configuration file, then trigger an event that will cause swatch to issue a notification.

Step (V): Check the mail.

Summary
- swatch provides a simple method of notification when selected events occur on the system.
- swatch offers a variety of notification methods, such as mail, pagers, pop-up windows, or a custom command.
- swatch reduces the need for continual attention to log files while providing more timely awareness of issues as they arise.

Reference
- tcpdump website: http://www.tcpdump.org
- WinDump: http://windump.polito.it
- TCPreplay website: http://tcpreplay.sourceforge.net
- swatch website: http://swatch.sourceforge.net

Hacking II

Gaining access using network attacks

Sniffers
- A sniffer grabs anything sent across the LAN.
- What type of data can a sniffer capture? Anything that is not encrypted.
- An attacker must first have an account on (or otherwise control) a machine on the LAN; each compromised machine then becomes the base for sniffing the next network, the island hopping attack.

Island hopping attack (figure: LAN)

Some of the most interesting sniffers
Passive sniffing:
- Snort, a freeware sniffer and network-based IDS, available at www.snort.org
- Sniffit, freeware running on a variety of UNIX flavours, available at reptile.rug.ac.be/~coder/sniffit/sniffit.html
Active sniffing:
- Dsniff, a free suite of tools built around a sniffer, running on variations of UNIX, available at www.monkey.org/~dugsong/dsniff

Sniffing through a hub: passive sniffing
(figure: broadcast Ethernet; every frame sent through the hub reaches every port, so the sniffer sees all of them)

Active sniffing: sniffing through a switch and other cool goodies
- Switched Ethernet does not broadcast: the switch looks at the destination MAC address and forwards the frame only to the port where that address was learned, so a passive sniffer sees only its own traffic.
- Active sniffing tool: Dsniff
(figure: switched Ethernet)
Advanced sniffing attacks
- Foiling switches with spoofed ARP messages
- Remapping DNS names to redirect network connections
- Sniffing SSL and SSH connections

Foiling switches with spoofed ARP messages (1)
(figure: client machine, switch, default router, the outside world) The victim's traffic is not sent to the attacker: a switched LAN prevents an attacker from passively sniffing traffic.

Foiling switches with spoofed ARP messages (2)
1. The attacker configures IP forwarding to pass packets on to the LAN's default router and activates the Dsniff program (arpspoof).
2. The attacker sends fake ARP responses that remap the default router's IP address to the attacker's MAC address.
3. The victim sends traffic destined for the outside world; because of the poisoned ARP table entry, the traffic is really sent to the attacker's MAC address.
4. The attacker sniffs the traffic from the link.
5. Packets are forwarded from the attacker's machine to the actual default router for delivery to the outside world, so the victim notices nothing.
Arpspoof redirects traffic, allowing the attacker to sniff a switched LAN.

Sniffing and spoofing DNS
1. The attacker activates the dnsspoof program.
2. The victim tries to resolve a name using DNS.
3. The attacker sniffs the DNS request from the line.
4. The attacker quickly sends a fake DNS response with any IP address the attacker wants the victim to use: www.skoudisstuff.com = 10.1.1.56. The fake answer arrives before the real one, so the victim's resolver accepts it.
5. The victim now surfs to the attacker's site instead of the desired destination.
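What step 2 of the arpspoof sequence looks like on the wire, and how a sensor on the segment can spot it, as an added example that is neither dsniff's nor arpwatch's code: the monitor reads ARP lines in the format tcpdump prints ("arp reply A is-at a"), learns the first IP-to-MAC binding it sees for each address, and alerts when a later reply binds the same IP, above all the default router's, to a different MAC. The addresses, the gateway and the sample feed are constructed for the demo.

```python
"""Detect ARP cache poisoning from tcpdump-style ARP output.

Added example, not dsniff or arpwatch code. Learns the first IP-to-MAC
binding seen for each address and alerts when a later "arp reply" rebinds
that IP to another MAC, which is what arpspoof's fake responses do.
Addresses and the sample feed are constructed.
"""
import re

_ARP_REPLY = re.compile(
    r"arp reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


class ArpWatch:
    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.bindings = {}     # ip -> first MAC seen for it (treated as the trusted binding)
        self.alerts = []
        self._reported = set()

    def observe(self, line):
        """Feed one capture line; returns the alert dict if this line produced one."""
        m = _ARP_REPLY.search(line)
        if not m:
            return None
        ip, mac = m.group("ip"), m.group("mac").lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
            return None
        if known == mac or (ip, mac) in self._reported:
            return None
        self._reported.add((ip, mac))   # arpspoof repeats every few seconds; report once
        alert = {
            "severity": "HIGH" if ip == self.gateway_ip else "MEDIUM",
            "ip": ip,
            "trusted_mac": known,
            "new_mac": mac,
            # Other IPs this MAC already answers for: a LAN host that suddenly also
            # claims the router's IP is the typical person-in-the-middle picture.
            "also_owns": sorted(i for i, known_mac in self.bindings.items()
                                if known_mac == mac),
        }
        self.alerts.append(alert)
        return alert


def run(lines, gateway_ip):
    """Replay a list of capture lines through the watcher and return its alerts."""
    watcher = ArpWatch(gateway_ip)
    for line in lines:
        watcher.observe(line)
    return watcher.alerts


# Constructed feed: the real router answers once, then the attacker (10.1.1.66)
# repeatedly claims the router's IP, as in step 2 of the arpspoof sequence.
SAMPLE_FEED = [
    "arp who-has 10.1.1.1 tell 10.1.1.50",
    "arp reply 10.1.1.1 is-at 00:11:22:33:44:01",
    "arp reply 10.1.1.66 is-at 00:aa:bb:cc:dd:ee",
    "arp reply 10.1.1.1 is-at 00:aa:bb:cc:dd:ee",
    "arp reply 10.1.1.1 is-at 00:AA:BB:CC:DD:EE",
    "arp reply 10.1.1.50 is-at 00:11:22:33:44:50",
]

if __name__ == "__main__":
    for a in run(SAMPLE_FEED, "10.1.1.1"):
        print(a)
```

Trusting the first binding seen is the weak point: an attacker who starts poisoning before the sensor starts learning wins. For the gateway at least, configure the known MAC statically instead of learning it, and pair the monitor with static ARP entries on critical hosts, which removes the attack rather than merely detecting it.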
www.skoudisstuff.com ,the desired destination at 10.22.12.41 DEFAULT ROUTER THE OUTSIDE WORLD Attacker’s machine at 10.1.1.56 224 Information Networking Security and Assurance Lab National Chung Cheng University Sniffing an HTTPS connection using dsniff’s person-in-the-middle attack 2 Dnsspoof sends fake DNS response with the IP address of the machine running webmitm (10.1.2.3) www.edsbank.com 3 Victim establishes SSL connection, not knowing attacker is proxying connection 1 Attacker activates dnsspoof and webmitm programs IP address = 10.1.2.3 4 Webmitm proxies the https connection, establishing an https connection to the server and sending the attacker’s own certificate to the client LAN 5 Victim now access the desired server, but all traffic is viewable by attacker using webmitm as a proxy www.skoudisstuff.comt he desired destination at 10.22.12.41 DEFAULT ROUTER THE OUTSIDE WORLD IP address 10.22.12.41 225 Information Networking Security and Assurance Lab National Chung Cheng University IP Address Spoofing Changing or disguising the source IP address Not want to have their actions traced back Helps attackers undermine various applications IP Address Spoofing Flavor 1: Simply Changing the IP Address Flavor 2: Undermining UNIX r-Commands Flavor 3: Spoofing with Source Routing 226 Information Networking Security and Assurance Lab National Chung Cheng University Simply Changing the IP Address EVE SYN (A, ISNA) ACK (A, ISNA) SYN (B, ISNB) RESET !!! 
ALICE BOB 227 Information Networking Security and Assurance Lab National Chung Cheng University Spoofing with Source Routing 1/2 Let the attacker get responses Allows the source machine sending a packet to specify the path it will take on the network Two kinds of source routing Loose source routing Strict source routing Reference: RFC 791 228 Information Networking Security and Assurance Lab National Chung Cheng University IP Options Class Number Length Description 0 0 0 0 0 0 1 2 3 7 0 0 11 Var Var End of Options No op Security Loose Source Routing Record Route 0 0 2 8 9 4 4 Var Var Stream ID (obsolete) Strict Source Routing Internet Time-Stamp 229 Information Networking Security and Assurance Lab National Chung Cheng University Spoofing with Source Routing 2/2 PACKET EVE PACKET Route: 1. Alice 2. Eve 3. Bob Packet Contents Route: 1. Alice 2. Eve 3. Bob Packet Contents ALICE Spoofing attack using source routing. BOB 230 Information Networking Security and Assurance Lab National Chung Cheng University IP Spoofing Defense Implement “anti-spoof” packet filters Both incoming (ingress) and outgoing (egress) Not allow source-routed packets through network gateways 231 Information Networking Security and Assurance Lab National Chung Cheng University IP Spoofing Defense NETWORK A FILTERING DEVICE Dropped NETWORK B Packet with IP source address on Network A Anti-spoof filters. 232 Information Networking Security and Assurance Lab National Chung Cheng University Session Hijacking 1/3 A marriage of sniffing and spoofing Seeing packets, but also monitoring the TCP sequence numbers Sniffing, then injecting spoofed traffic Alice telnet NETWORK Alice BOB “Hi, I’m Alice” EVE A network-based session hijacking scenario. 
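The ARP poisoning in the arpspoof slides leaves a detectable trace on the wire: an address that suddenly "moves" to a new MAC, and one MAC claiming several IP addresses. The following detector is an added example written for this page in the style of arpwatch; it is not part of the original slides or of Dsniff. The ARP replies, the MAC and IP addresses and the pinned router entry are constructed for the example.

```python
"""Added example: an arpwatch-style detector for the ARP poisoning used by
arpspoof (and by Hunt's gratuitous ARPs). Not part of the original slides.
The reply stream and the MAC/IP addresses below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply seen on the wire: "<sender_ip> is-at <sender_mac>"."""
    ts: float
    sender_ip: str
    sender_mac: str
    unsolicited: bool   # True if no matching ARP request was seen (gratuitous reply)


def detect_arp_poisoning(replies, static):
    """Return alerts for a stream of ArpReply objects.

    static: ip -> mac for hosts that must never be re-mapped (the default
    router, servers), as a defender would pin them.
    Alert kinds:
      STATIC-SPOOF  somebody other than the real owner claims a pinned address
      CHANGED       a learned ip -> mac mapping flipped to a different MAC
      MULTI-IP      one MAC now claims more than one IP (poisoning both ends)
    """
    alerts = []
    learned = {}                    # ip -> mac, exactly as a victim's cache would learn it
    ips_by_mac = defaultdict(set)   # mac -> every ip that MAC has claimed so far
    for r in replies:
        if r.sender_ip in static:
            if r.sender_mac != static[r.sender_ip]:
                alerts.append(("STATIC-SPOOF", r.ts, r.sender_ip,
                               static[r.sender_ip], r.sender_mac, r.unsolicited))
        else:
            old = learned.get(r.sender_ip)
            if old is not None and old != r.sender_mac:
                alerts.append(("CHANGED", r.ts, r.sender_ip, old, r.sender_mac, r.unsolicited))
            learned[r.sender_ip] = r.sender_mac   # the victims took it, so do we
        claimed = ips_by_mac[r.sender_mac]
        if claimed and r.sender_ip not in claimed:
            alerts.append(("MULTI-IP", r.ts, r.sender_mac,
                           tuple(sorted(claimed | {r.sender_ip}))))
        claimed.add(r.sender_ip)
    return alerts


# Constructed capture (not real traffic): the attacker at 00:de:ad:be:ef:01
# poisons the client 10.1.1.20 and the router 10.1.1.1 towards each other.
STATIC_HOSTS = {"10.1.1.1": "00:00:0c:11:22:33"}          # the real default router
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.1.1.20", "00:11:22:aa:bb:cc", False),  # client answers a request
    ArpReply(0.5, "10.1.1.1", "00:00:0c:11:22:33", False),   # router answers a request
    ArpReply(1.0, "10.1.1.1", "00:de:ad:be:ef:01", True),    # arpspoof: "router is at attacker"
    ArpReply(1.1, "10.1.1.20", "00:de:ad:be:ef:01", True),   # arpspoof -t: "client is at attacker"
    ArpReply(3.0, "10.1.1.1", "00:de:ad:be:ef:01", True),    # arpspoof repeats every two seconds
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, STATIC_HOSTS):
        print(*alert)
```

The pinned entries are the important design choice: arpspoof never needs to win a race against the real router, it simply repeats its claim every two seconds, so a cache that accepts the last reply stays poisoned. Hosts that legitimately carry several IP addresses (aliases, failover pairs) will trip MULTI-IP and need to be whitelisted.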
Session Hijacking 2/3
Session hijacking tools
- Hunt, network-based
- Dsniff's sshmitm tool
- Juggernaut, network-based
- TTYWatcher, host-based
- TTYSnoop, host-based

Session Hijacking 3/3
(diagram: Alice and Bob exchange a stream of ACK packets with increasing sequence numbers while Eve injects data. An ACK storm triggered by session hijacking.)
Once Eve injects data, Bob acknowledges bytes Alice never sent; Alice answers the unacceptable ACK with an ACK of her own; each side keeps replying to the other's unexpected ACK, and the storm continues until a segment is lost.

Session Hijacking with Hunt 1/3
- Hunt: network-based session-hijacking tool, runs on Linux.
- Allows the attacker to view a list of active sessions and select a particular one to hijack.
- Injecting a command or two into the session stream results in an ACK storm.
How to prevent an ACK storm? ARP spoofing:
- Hunt sends unsolicited ARP replies, known as "gratuitous" ARP packets.
- Most systems accept them, overwriting the IP-to-MAC address mapping in their ARP tables, so both endpoints' traffic passes through the attacker, who can relay, drop or modify each segment instead of fighting the ACKs.

Session Hijacking with Hunt 2/3
(diagram) Two hosts, a.b.c.d (MAC AA:AA:AA:AA:AA:AA) and w.x.y.z (MAC BB:BB:BB:BB:BB:BB), and the attacker (MAC CC:CC:CC:CC:CC:CC, any IP). The attacker announces "ARP w.x.y.z is at DD:DD:DD:DD:DD:DD" to a.b.c.d and "ARP a.b.c.d is at EE:EE:EE:EE:EE:EE" to w.x.y.z. Both hosts now send to MAC addresses that do not exist on the LAN; the attacker, sniffing in promiscuous mode, picks up those frames and relays them.

Session Hijacking with Hunt 3/3
(diagram) The same trick applied to a second pair of hosts, e.f.g.h (MAC GG:GG:GG:GG:GG:GG) and i.j.k.l (MAC HH:HH:HH:HH:HH:HH): "ARP i.j.k.l is at II:II:II:II:II:II", "ARP e.f.g.h is at JJ:JJ:JJ:JJ:JJ:JJ".

Netcat: A General Purpose Network Tool
- The Swiss Army knife of network tools.
- Two modes: client mode (nc host port) and listen mode (nc -l -p port).
- Supports source routing (-g / -G options).
(diagram) Netcat in client mode: takes input from a file or stdin and sends it across the network to any TCP or UDP port on any system. Netcat in listen mode: receives input from the network on any TCP or UDP port and writes it to stdout or a file.

Netcat for File Transfer: Pushing
- Destination machine, receiving the file: $ nc -l -p 1234 > [file]
- Source machine, sending the file: $ nc [remote_machine] 1234 < [file]
(diagram: the source runs Netcat in client mode with input from a file and sends to TCP port X; the destination runs Netcat in listen mode on port X with output to a file.)

Netcat for File Transfer: Pulling
- Source machine, offering the file for transfer: $ nc -l -p 1234 < [file]
- Destination machine, pulling the file: $ nc [remote_machine] 1234 > [file]
(diagram: the source listens on port X with input from a file and dumps it across the network; the destination connects to port X in client mode and writes what it receives to a file.)
Note: whoever connects to the listener first gets the file; there is no authentication and no encryption.

Netcat for Port Scanning
- Supports only standard, "vanilla" connect scans, which complete the TCP three-way handshake (no SYN or other stealth scans).
  $ echo QUIT | nc -v -w 3 [target_machine] [startport]-[endport]
- -v reports each open port, -w 3 gives up on a port after 3 seconds, and the piped QUIT makes chatty services close the connection.

Netcat for Vulnerability Scanning
- Can be used as a limited vulnerability scanning tool by writing scripts that implement vulnerability checks.
- The UNIX version of Netcat ships with several shell scripts, including checks for RPC, NFS, weak trust relationships and bad passwords.
- Limited compared to Nessus.

Relaying Traffic with Netcat
(diagram) Netcat listener -> send its output to the input of a Netcat client -> next listener -> next client ... Each hop accepts a connection in listen mode and pipes whatever it receives into a new Netcat client pointed at the next hop.

Relaying Traffic with Netcat (through a firewall)
(diagram) Outside attacker, DMZ system compromised by the attacker, internal system.
- Firewall policy: DNS traffic (UDP 53) is allowed from outside to the DMZ; SMTP traffic (TCP 25) is allowed from the DMZ to the inside; no traffic is allowed from outside to inside.
- The attacker's Netcat client on the outside sends to UDP port 53 on the DMZ system; a Netcat listener there on UDP 53 pipes its output into a Netcat client that originates a connection to TCP port 25 on the internal system, where a Netcat listener waits on TCP 25.
- Each hop individually complies with the firewall policy, yet the outside attacker now talks to the inside.

Introduction to DoS
Denial-of-Service attack categories (how the attack is launched vs. what it does):
- Locally, stopping services: process killing, system reconfiguring, process crashing
- Locally, exhausting resources: forking processes to fill the process table, filling up the whole file system
- Remotely, stopping services: malformed packet attacks (e.g., Land, Teardrop)
- Remotely, exhausting resources: packet floods (e.g., SYN flood, Smurf, Distributed Denial of Service)

Stopping Local Services
- Using a local account, stop valuable processes that make up services; e.g., shut down the inetd process.
- Methods for stopping local services: process killing, system reconfiguration, process crashing.
- A nasty example: the logic bomb, and logic bomb extortion threats.

Locally Exhausting Resources
- When resources are exhausted, the system grinds to a halt, preventing legitimate access.
- Methods for exhausting local resources: filling up the process table, filling up the file system, sending outbound traffic that fills up the communications link.

Remotely Stopping Services
- Remote DoS attacks are more prevalent than local ones.
- They exploit an error in the target's TCP/IP stack with a malformed packet.

Exploit name | Overview of how it works | Susceptible platforms
Land | Sends a spoofed packet where the source IP address is the same as the destination IP address, and the source port is the same as the destination port. The target receives a packet that appears to be leaving the same port that it is arriving on, at the same time, on the same machine. Older TCP/IP stacks get confused at this unexpected event and crash. | A large number of platforms, including Windows systems, various UNIX types, routers, printers, etc.
Latierra | A relative of Land, which sends multiple Land-type packets to multiple ports simultaneously. | A large number of platforms, including Windows systems, various UNIX types, routers, printers, etc.
Ping of Death | Sends an oversized ping packet. Older TCP/IP stacks cannot properly handle an ICMP echo request whose reassembled size exceeds the 65,535-byte IP maximum, and crash when one arrives. | Numerous systems, including Windows, many UNIX variants, printers, etc.
Jolt2 | Sends a stream of packet fragments, none of which has a fragment offset of zero. Therefore none of the fragments looks like the first one in the series, the datagram can never be reassembled, and as long as the stream keeps arriving, handling these bogus fragments consumes all processor capacity on the target machine. | Windows 95, 98, NT, and 2000
Teardrop, Newtear, Bonk, Syndrop | Various tools that send overlapping IP packet fragments. The fragment offset values in the packet headers are set to incorrect values, so that the fragments do not align properly when reassembled. Some TCP/IP stacks crash when they receive such overlapping fragments. | Windows 95, 98, and NT, and Linux machines
Winnuke | Sends garbage out-of-band (URG) data to an open file sharing port (TCP port 139) on a Windows machine. Because the data is not formatted as legitimate Server Message Block (SMB) protocol, the system crashes. | Windows 95 and NT
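The table above describes each tool by the shape of the packets it sends, which is exactly what a network IDS keys on. The following detector is an added example written for this page (not part of the original slides, and not Snort's implementation of these checks): it works on decoded packet summaries rather than raw frames, tracks fragments per datagram, and raises one alert per signature. The packets, addresses and the Jolt2 threshold are constructed for the example.

```python
"""Added example: signature checks for the malformed-packet DoS tools in the
table above (Land, WinNuke, Teardrop, Ping of Death, Jolt2). Not part of the
original slides; packets are a constructed, decoded summary, not raw frames."""
from collections import defaultdict
from dataclasses import dataclass

IP_MAX = 65535          # largest IPv4 datagram the 16-bit total-length field can describe
IP_HDR_LEN = 20         # minimal IPv4 header
JOLT_THRESHOLD = 50     # fragments for one datagram without a first fragment before alerting


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    ip_id: int
    frag_off: int = 0       # fragment offset in 8-byte units, as in the IP header
    more_frags: bool = False
    length: int = 0         # bytes of payload in this fragment (after the IP header)
    sport: int = 0
    dport: int = 0
    urg: bool = False       # TCP URG flag (out-of-band data)


class MalformedPacketDetector:
    def __init__(self, jolt_threshold=JOLT_THRESHOLD):
        self.jolt_threshold = jolt_threshold
        self.frags = defaultdict(list)    # (src, dst, id, proto) -> [(start, end)] byte ranges
        self.nofirst = defaultdict(int)   # same key -> fragments seen while no offset-0 piece exists
        self.alerts = []

    def feed(self, p):
        if p.proto == "tcp" and p.src == p.dst and p.sport == p.dport:
            self.alerts.append(("LAND", p.src, p.sport))
        if p.proto == "tcp" and p.dport == 139 and p.urg:
            self.alerts.append(("WINNUKE", p.src, p.dst))
        if not (p.more_frags or p.frag_off):
            return                         # not a fragment: nothing to reassemble
        key = (p.src, p.dst, p.ip_id, p.proto)
        start, end = p.frag_off * 8, p.frag_off * 8 + p.length
        if end + IP_HDR_LEN > IP_MAX:
            # The reassembled datagram would be longer than IP allows.
            self.alerts.append(("PING-OF-DEATH", p.src, p.dst, end + IP_HDR_LEN))
        ranges = self.frags[key]
        if (start, end) not in ranges:     # an exact duplicate is only a retransmission
            if any(start < e and s < end for s, e in ranges):
                self.alerts.append(("TEARDROP", p.src, p.dst, p.ip_id))
            ranges.append((start, end))
        if not any(s == 0 for s, _ in ranges):
            self.nofirst[key] += 1
            if self.nofirst[key] == self.jolt_threshold:
                self.alerts.append(("JOLT2", p.src, p.dst, p.ip_id))


def scan(packets, jolt_threshold=JOLT_THRESHOLD):
    det = MalformedPacketDetector(jolt_threshold)
    for p in packets:
        det.feed(p)
    return det.alerts


def sample_traffic():
    """Constructed packets: two benign flows followed by one packet (or stream) per tool."""
    pkts = [
        Pkt("10.1.1.20", "10.1.1.5", "tcp", 1, sport=40000, dport=80),
        Pkt("10.1.1.20", "10.1.1.5", "udp", 2, more_frags=True, length=1480, sport=2049, dport=2049),
        Pkt("10.1.1.20", "10.1.1.5", "udp", 2, frag_off=185, length=100),        # benign 2nd fragment
        Pkt("10.1.1.5", "10.1.1.5", "tcp", 3, sport=139, dport=139),             # Land
        Pkt("10.1.1.66", "10.1.1.5", "tcp", 4, sport=1025, dport=139, urg=True), # WinNuke
        Pkt("10.1.1.66", "10.1.1.5", "udp", 5, more_frags=True, length=36),
        Pkt("10.1.1.66", "10.1.1.5", "udp", 5, frag_off=3, length=4),            # Teardrop: 24..28 inside 0..36
        Pkt("10.1.1.66", "10.1.1.5", "icmp", 6, frag_off=8190, length=1480),     # Ping of Death: 65520 + 1480 + 20
    ]
    pkts += [Pkt("10.1.1.66", "10.1.1.5", "udp", 7, frag_off=2, more_frags=True, length=8)
             for _ in range(60)]                                                  # Jolt2: never an offset-0 piece
    return pkts


if __name__ == "__main__":
    for alert in scan(sample_traffic()):
        print(*alert)
```

Two details matter in practice: an exact duplicate fragment is a retransmission, not an overlap, so it must not trigger the Teardrop rule; and the Jolt2 rule has to be a rate/count on a datagram that never gets its first fragment, because any single Jolt2 fragment is, on its own, well formed.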
Remotely Exhausting Resources
Using a flood of packets:
- SYN floods
- Smurf attacks
- Distributed DoS attacks (DDoS)

SYN Flood
- During the three-way handshake, the TCP/IP stack allocates a small piece of memory on its connection queue to remember the half-open connection, including the initial sequence number it sent.
- Two ways to deny service: fill the connection queue with half-open connections, or simply fill the entire communications link.
(diagram 1: Eve sends SYN (ISNA) to Bob with Alice's address as the spoofed source; Bob sends the SYN-ACK to Alice; Alice answers RESET, and the connection queue entry is freed up upon receiving the RESET packet.)
(diagram 2: Eve sends SYN (X1, ISNx), SYN (X2, ISNx), SYN (X3, ISNx), ... from spoofed sources that do not answer; Bob's SYN-ACKs go nowhere, no RESET ever comes back, and the queue fills with half-open connections until they time out.)

SYN cookies (Linux kernel)
- ISNB is a function of the source IP address, destination IP address, port numbers and a secret seed (plus a slowly incrementing counter, so that old cookies expire).
- Bob does not remember ISNB, nor store any information about the half-open connection in the queue.
- Alice -> Bob: SYN (A, ISNA). Bob -> Alice: SYN (B, ISNB) / ACK (A, ISNA). Alice -> Bob: ACK (B, ISNB).
- When ACK (B, ISNB) arrives, Bob applies the same function to the fields of the ACK packet and checks whether the acknowledged ISNB is legitimate. If it is a valid ISNB, the connection is established.
- For Eve's spoofed SYNs from X, Bob sends SYN (B, ISNB) / ACK (X, ISNx) and stores nothing; a flood of SYNs costs Bob nothing but bandwidth.
- Caveat: because no state is stored, TCP options announced in the SYN (window scaling, SACK, the client's MSS) are lost unless they are encoded in the cookie, which is why Linux switches cookies on only once the queue overflows.

Smurf Attacks
- Also known as directed broadcast attacks.
- The attacker sends ICMP echo requests to the broadcast address of some network (the "smurf amplifier") with the victim's address as the spoofed source.
- The amplifier's router converts the IP broadcast message into a MAC broadcast frame with the destination address FF:FF:FF:FF:FF:FF.
- Every machine on that segment reads the message and sends a response to the spoofed source, the victim.
(diagram: a broadcast ping spoofed from w.x.y.z is sent to the smurf amplifier network; all the responses flood w.x.y.z. "UGH!")
- Defense: disable directed broadcasts on routers (Cisco: no ip directed-broadcast) and deploy egress anti-spoof filters so your own hosts cannot be made to spoof the victim's address.

DDoS Architecture
- First, take over a large number of victim machines, referred to as "zombies".
- Install the zombie (daemon) software on those systems; it is one component of the DDoS tool.
- The attacker uses a special client tool to interact with the zombies and point them at the victim.

A DDoS attack using Tribe Flood Network 2000
(diagram: attacker with the TFN2K client -> many zombies -> victim. "UGH!")

TFN2K, a Powerful DDoS Tool
Attack types include:
- Targa (a mix of malformed-packet attacks)
- UDP flood
- SYN flood
- ICMP flood
- Smurf attack
- "Mix" attack: UDP, SYN and ICMP floods together

TFN2K, a Powerful DDoS Tool: Features
- Authentication of client commands using an encrypted password.
- Commands from the client to the zombies are hidden in ICMP Echo Reply packets (TFN2K can also use UDP or TCP, chosen at random, with spoofed source addresses).
- ICMP Echo Replies are allowed into many networks, and there is no port number associated with ICMP, so the channel is hard to filter.
- Finding the attacker is very difficult: the zombies send no acknowledgements back, and the client's packets carry spoofed sources.
- The client machine holds an encrypted file indicating the IP addresses of all of the zombies under its control.
- Allows the attacker to run a single arbitrary command simultaneously on all zombies.

Maintaining Access: Trojans, Backdoors, and Rootkits

Backdoors
- Allow an attacker to access a machine using an alternative entry method, bypassing the front door (normal authentication).
- When attackers collide: an attacker may close the security holes used to break in and then install a backdoor, so that nobody else can follow the same way in.
- The backdoor's security controls may be even stronger than the standard system security controls, possibly using SSH.

Backdoors Melded into Trojan Horses
Type of Trojan horse backdoor | Characteristics | Analogy | Example tools
Application-level Trojan horse backdoor | A separate application runs on the system, giving the attacker backdoor access. A foreign entity is added into the existing system by the attacker. | An attacker adds poison to your soup. | Back Orifice 2000 (BO2K), Sub7, Hack-a-tack, QAZ
Traditional RootKits | Critical operating system components are replaced or modified by the attacker to create backdoors and hide on the system. The existing components of the system are modified by the attacker. | An attacker replaces the potatoes in your soup with modified potatoes that are poisonous. | Linux RootKit 5 (lrk5) for Linux; t0rnkit for Linux and Solaris; other platform-specific RootKits for SunOS, AIX, SCO, Solaris, etc.
Kernel-level RootKits | The operating system kernel itself is modified to foster backdoor access and allow the attacker to hide. The very organs you eat with are modified to poison you. | An attacker replaces your tongue with a modified, poisoned tongue so that you cannot detect their deviousness by looking at the soup. | Knark for Linux; Adore for Linux; Plasmoid's Solaris kernel-level RootKit; Windows NT RootKit

Application-Level Trojan Horse Backdoors
- Add a separate application to the system.
- Mostly developed for Windows platforms; RootKits are more popular in the UNIX world.
- Example: Back Orifice 2000 (BO2K).
(diagram: backdoor client on the attacker's machine <-> network (Internet, intranet, etc.) <-> backdoor server on the victim; remote access and control.)

Traditional RootKits
- Replace critical operating system executables (login, ps, ifconfig, netstat, ls, ...).
- Traditionally focused on UNIX systems.
- NT/2000 RootKits replace Dynamic Link Libraries instead.

Comparison
(diagram) Application-level Trojan horse backdoor: the system executables (login, ps, ifconfig) remain intact and a separate evil backdoor program runs on a good kernel. Traditional RootKit: the system executables are altered to include the backdoor and other stealth capabilities (Trojan login, Trojan ps, Trojan ifconfig), still on a good kernel. Comparing application-level Trojan horse backdoors with traditional RootKits.

What Do Traditional RootKits Do?
- RootKits depend on the attacker already having root access; they are not a way to get root.
- A RootKit is a suite of tools that allows the attacker to maintain root-level access by implementing a backdoor and hiding its presence.

/bin/login Replacement
- Authentication: a RootKit replaces /bin/login with a modified version that includes a backdoor password; whoever presents it gets a root shell, and the login is not recorded.

Traditional RootKits: examples
- Linux RootKit 5 (lrk5), targeting Linux systems
- t0rnkit, targeting Linux and Solaris systems
- Detection: a file integrity checker such as Tripwire reveals the replaced binaries, provided its baseline was taken before the compromise and its database is kept offline; checking from a clean boot medium is safest, because the RootKit's own ls, ps and netstat cannot be trusted.

Nastiest: Kernel-Level RootKits
- The kernel is the fundamental, underlying part of the OS; every program, including tripwire, relies on it for file and process information.
(diagram) With a Trojan kernel, login, ps, ifconfig and tripwire can all be the good, unmodified binaries: the kernel lies to them, so integrity checks of the binaries find nothing wrong.

What They Can Do...
- The power of execution redirection: most kernel-level RootKits can redirect execution, a bait-and-switch in which a request to run /bin/login actually runs /bin/backdoorlogin while reading /bin/login still returns the pristine file.
- File hiding: kernel-level RootKits hide files; implemented in the kernel's directory listing calls.
- Process hiding: hiding processes, such as a Netcat backdoor, from ps and /proc.
- Network hiding: masking particular network port usage from netstat (a scan with Nmap from another machine still finds the listening port).

How to Implement Kernel-Level RootKits
- Loadable Kernel Modules: many kernel-level RootKits are implemented as LKMs and loaded with
  insmod knark.o

Some Examples of Kernel-Level RootKits
Knark, a Linux kernel-level RootKit:
- Remote execution
- Promiscuous mode hiding
- Taskhacking (changing the UID and GID of a running process)
- Real-time process hiding: kill -31 process_id
- Kernel-module hiding: the Knark package includes a separate module called modhide

Some Examples of Kernel-Level RootKits (cont.)
- Adore, another Linux kernel-level RootKit
- Plasmoid's Solaris loadable kernel module RootKit
- Windows NT kernel-level RootKit by RootKit.com (www.rootkit.com), implemented as a patch to the running kernel

Thank YOU

Auditing your Microsoft Windows System: Host-Based Intrusion Detection

Outline
- Description
- Purpose
- Principle and Pre-Study
- Required Facilities
- Step by step
- Summary
- Reference

Description
- After a system has been hardened, the final step is to baseline it so that changes indicative of a successful intrusion can be detected.
- The system logs are an invaluable source of information regarding the activity on your systems.
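Before moving on to the Windows auditing lab, the SYN cookie scheme from the DoS section above deserves a concrete form. The following server is an added example written for this page and is not part of the original slides or of the Linux implementation: ISNB is derived from the connection's addresses and ports, the client's ISN, a secret seed and a slowly moving counter, and the final ACK is validated by recomputing that value instead of looking it up in a queue. The 8-bit counter, the 64-second tick and HMAC-SHA256 are this example's choices (Linux uses a different hash and also encodes the client's MSS); the addresses and the flood size are constructed.

```python
"""Added example: the SYN cookie scheme from the DoS section, in Python.
Not part of the original slides. The 8-bit counter, 64-second tick and
HMAC-SHA256 are this example's choices; the Linux kernel uses a different
hash and also encodes the client's MSS in the cookie."""
import hashlib
import hmac

TICK_SECONDS = 64     # the slowly incrementing counter advances once per tick
MAX_AGE_TICKS = 2     # accept cookies minted in the current tick or the one before


class SynCookieServer:
    """Bob: answers SYNs without keeping a half-open connection queue."""

    def __init__(self, secret, clock):
        self.secret = secret          # the secret seed; rotate it now and then
        self.clock = clock            # callable returning the time in seconds (injected for tests)
        self.established = []         # (src, sport) of handshakes that completed

    def _tick(self):
        return (int(self.clock()) // TICK_SECONDS) & 0xFF

    def _cookie(self, src, dst, sport, dport, client_isn, tick):
        # ISN_B = f(source IP, destination IP, ports, client ISN, secret, counter):
        # the top byte carries the counter, the low 24 bits a keyed hash.
        msg = f"{src}|{dst}|{sport}|{dport}|{client_isn}|{tick}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (tick << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src, dst, sport, dport, client_isn):
        """SYN(A, ISN_A) arrives: reply SYN(B, ISN_B)/ACK(A, ISN_A) and remember nothing."""
        isn_b = self._cookie(src, dst, sport, dport, client_isn, self._tick())
        return {"flags": "SA", "seq": isn_b, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, src, dst, sport, dport, seq, ack):
        """ACK(B, ISN_B) arrives: rebuild the cookie from the packet and compare."""
        isn_b = (ack - 1) & 0xFFFFFFFF        # what the client claims we sent
        client_isn = (seq - 1) & 0xFFFFFFFF   # the client's own ISN; seq is ISN_A + 1
        tick = isn_b >> 24
        if (self._tick() - tick) & 0xFF > MAX_AGE_TICKS:
            return False                      # stale or forged counter
        expected = self._cookie(src, dst, sport, dport, client_isn, tick)
        if not hmac.compare_digest(expected.to_bytes(4, "big"), isn_b.to_bytes(4, "big")):
            return False                      # Eve guessing ISN_B
        self.established.append((src, sport))  # state is allocated only now
        return True


def demo():
    now = [1_000_000.0]
    bob = SynCookieServer(b"lab-secret-seed", lambda: now[0])
    # Alice completes a normal handshake.
    syn_ack = bob.on_syn("10.1.1.20", "10.1.1.5", 40000, 80, client_isn=123456)
    alice = bob.on_ack("10.1.1.20", "10.1.1.5", 40000, 80, seq=123457, ack=syn_ack["seq"] + 1)
    # Eve floods 10,000 SYNs from spoofed sources; Bob answers each and stores nothing.
    for i in range(10_000):
        bob.on_syn(f"172.16.{i >> 8}.{i & 255}", "10.1.1.5", 1024 + i, 80, client_isn=i)
    # Eve never saw a SYN-ACK, so she has to guess ISN_B.
    eve = bob.on_ack("172.16.0.7", "10.1.1.5", 1031, 80, seq=8, ack=0x12345678)
    # Replaying Alice's valid ACK ten minutes later fails: the counter has moved on.
    now[0] += 600
    replay = bob.on_ack("10.1.1.20", "10.1.1.5", 40000, 80, seq=123457, ack=syn_ack["seq"] + 1)
    return {"alice": alice, "eve": eve, "replay": replay, "established": len(bob.established)}


if __name__ == "__main__":
    print(demo())
```

The counter in the top byte is what makes a captured cookie useless later, and the keyed hash in the low 24 bits is what Eve has to guess: roughly one forged ACK in sixteen million passes, and each one costs her a full round trip she cannot observe. The price is the lost TCP options mentioned in the caveat above.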
Purpose
To introduce simple tools that can be used to create powerful baseline and auditing methods for your systems.

Principle and Pre-Study
(no slide content)

Required Facilities
Hardware
- PC or workstation with Microsoft Windows 2000 or XP
Software
- dumpel: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp
- Microsoft Excel
- Microsoft Windows 2000 Resource Kit: netsvc.exe
- Fport: http://www.foundstone.com/resources/termsofuse.htm?file=fport.zip

Step (I): Analyze log files
- Download dumpel, the Resource Kit event log dumper, and decompress it.
- Use dumpel.exe to write the System log to a tab-separated text file:
  dumpel -f devent -l system -t
  (-f output file; -l which log: system, application or security; -t tab-separated fields)
- Process the log file with Microsoft Excel: open devent, walk through the text import wizard (delimited, tab), sort the data, then filter on the Event ID column to pull out the events of interest (service starts and stops, failed logons from the Security log).

Step (II): Baseline open ports
- Download and uncompress Fport.
- Execute fport and redirect its output to a baseline file. Fport lists every listening TCP and UDP port together with the process and executable path that owns it, so a new listener with an unexpected path stands out.

Step (III): Baseline running services
- Execute netsvc and redirect its output to a baseline file for future reference.
  Usage: NETSVC service_name \\computer_name /command
  (use the /list command to enumerate the services installed on the machine)

Step (IV): Schedule baseline audits
- Put the fport and netsvc commands in a batch file that writes fresh output and compares it (fc) with the baseline files; test the batch file by hand first.
- Set up a scheduled task with the Scheduled Task Wizard to run it regularly.

Summary
- Before a hardened system is put into production, a baseline of the system is made for future auditing and forensic purposes.
- Simple tools can be scripted to monitor a large number of systems easily for any unexpected changes.

Reference
- Windows 2000 Resource Kit: http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp
- Foundstone website: http://www.foundstone.com

Security Essentials Toolkit: SARA

Outline
- Description
- Purpose
- Principle and Pre-Study
- Required Facilities
- Challenge Procedure
- Summary
- Reference

Description
- Security Auditor's Research Assistant, a derivative of the Security Administrator Tool for Analyzing Networks (SATAN).
- Remotely probes systems via the network and stores its findings in a database.
- The results can be viewed with any HTML browser that supports the HTTP protocol.

Purpose
To get to know the SARA tool and how to scan your targets for security vulnerabilities.
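Steps (I) to (IV) above boil down to three operations: parse a snapshot, compare it with the baseline, and pull the interesting event IDs out of the log. The following script is an added example written for this page and not part of the original slides; it uses Python for consistency with the other examples here, where the slides themselves use batch files and Excel. It assumes fport's table layout as printed by fport v2.0, takes the service listing as one service name per line (an assumption about netsvc /list output), and reads dumpel -t rows as date, time, type, category, event ID, source, user, computer and description. All sample text is constructed.

```python
"""Added example: the baseline-and-compare logic behind Steps (I) to (IV),
written in Python for consistency with the other examples on this page
(the slides use batch files and Excel). Not part of the original slides.
Assumed: fport's table layout as printed by fport v2.0; netsvc /list output
taken as one service name per line; dumpel -t columns date, time, type,
category, event ID, source, user, computer, description. All sample text
below is constructed."""
import csv
import io
import re

FPORT_ROW = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(text):
    """{(proto, port): (process, path)} for every listener in an fport dump."""
    listeners = {}
    for line in text.splitlines():
        m = FPORT_ROW.match(line.strip())
        if m:
            _pid, process, port, proto, path = m.groups()
            listeners[(proto, int(port))] = (process, path.strip())
    return listeners


def parse_services(text):
    """Service names from a netsvc-style listing (assumed one per line)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def diff_ports(baseline, current):
    added = {k: current[k] for k in current.keys() - baseline.keys()}
    removed = {k: baseline[k] for k in baseline.keys() - current.keys()}
    changed = {k: (baseline[k], current[k])
               for k in baseline.keys() & current.keys() if baseline[k] != current[k]}
    return added, removed, changed


def filter_events(dumpel_text, wanted_ids):
    """Rows of a tab-separated dumpel dump whose Event ID is in wanted_ids."""
    rows = []
    for f in csv.reader(io.StringIO(dumpel_text), delimiter="\t"):
        if len(f) >= 9 and f[4].isdigit() and int(f[4]) in wanted_ids:
            rows.append({"when": f"{f[0]} {f[1]}", "id": int(f[4]), "source": f[5], "text": f[8]})
    return rows


BASELINE_FPORT = r"""FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
392   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
"""
# Later snapshot: a Netcat listener has appeared (constructed).
CURRENT_FPORT = BASELINE_FPORT + r"""1180  nc             ->  31337 TCP   C:\WINNT\Temp\nc.exe
"""
BASELINE_SERVICES = "Eventlog\nLanmanServer\nNetlogon\nSchedule\n"
CURRENT_SERVICES = BASELINE_SERVICES + "EvilSvc\n"
SYSTEM_LOG = "\n".join("\t".join(r) for r in [
    ("3/3/2004", "8:02:11 AM", "4", "0", "6005", "EventLog", "N/A", "LABPC",
     "The Event log service was started."),
    ("3/3/2004", "8:02:40 AM", "4", "0", "7036", "Service Control Manager", "N/A", "LABPC",
     "The Telnet service entered the running state."),
    ("3/3/2004", "8:05:12 AM", "4", "0", "7035", "Service Control Manager", r"LABPC\Administrator", "LABPC",
     "The Telnet service was successfully sent a start control."),
])
SERVICE_CONTROL_IDS = {7035, 7036}   # Service Control Manager: control sent / state change


def audit():
    """Compare today's snapshot with the baseline and pull the interesting events."""
    added, removed, changed = diff_ports(parse_fport(BASELINE_FPORT), parse_fport(CURRENT_FPORT))
    base_svc, cur_svc = parse_services(BASELINE_SERVICES), parse_services(CURRENT_SERVICES)
    return {
        "new_ports": added, "gone_ports": removed, "changed_ports": changed,
        "new_services": cur_svc - base_svc, "gone_services": base_svc - cur_svc,
        "service_events": filter_events(SYSTEM_LOG, SERVICE_CONTROL_IDS),
    }


if __name__ == "__main__":
    for k, v in audit().items():
        print(k, v)
```

Comparing the (process, path) pair and not just the port is deliberate: a backdoor that binds a port the baseline already lists, but from a different executable, shows up under changed_ports. The baseline files themselves must be stored where the monitored machine cannot rewrite them, for the same reason a Tripwire database is kept offline.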
Principle and Pre-Study
Why do we need to audit our environment? New vulnerabilities appear faster than systems get patched; a periodic scan shows what an attacker probing the network would see.

Required Facilities
Permission: do not proceed without receiving the necessary permissions to scan the target systems.
Hardware
- Intel-based PC
Software
- Linux OS with Apache web server
- SARA 5: http://www-arc.com/sara/

Challenge Procedure
- Step 1: Install SARA
- Step 2: Start SARA
- Step 3: Select Target and Scan
- Step 4: View Report
- Step 5: Report Writer

Step 1: Install SARA
- Install the Apache server first; SARA needs it to present its reports.
- Install SARA from source:
  ./configure
  make

Step 2: Start SARA (screenshot slides)

Step 3: Select Target and Scan (screenshot slides)

Step 4: View Report (screenshot slides)

Step 5: Report Writer (screenshot slides)

Summary
- SARA is a network scanner, not a system scanner: it sees the services a host exposes to the network, not the host's internal configuration.
- After you use SARA to audit your network services, you can see your network service vulnerabilities.
- The SANS Top 20 and CVE provide a common roadmap for vulnerability definitions.

Reference
- http://www-arc.com/sara/
- http://www.secureroot.com/security/tools/9665325315.html
- http://www.sans.org/top20/
- http://cve.mitre.org/

Snort: Network-based Intrusion Detection System

Description
Snort
- A network-based intrusion detection system
- Freeware: http://www.snort.org
Principle
- Listens to traffic on the network and compares it against the patterns or signatures of known malicious traffic.
- Alerts if the traffic matches.

Objective
- Installing and configuring Snort
- ACID, the Analysis Console for Intrusion Databases

Snort: Three Main Modes
Sniffer mode (print packets to the console; -v headers, -d payload, -e link-layer headers)
  ./snort -vde
Packet Logger Mode
  ./snort -vde -l ./log -h 192.168.1.0/24
  (-l the log directory; -h the home network, used to name the per-host log directories)
Network Intrusion Detection Mode
  ./snort -vde -l ./log -h 192.168.1.0/24 -c snort.conf
  (-c the rule and configuration file; in production drop -v, since printing every packet to the console slows Snort down and drops packets)

Installing Snort from source code
Compile Snort:
  # groupadd snort
  # useradd -g snort snort
  # tar -zxvf snort-2.1.*.tar.gz
  # cd snort-2.1.*           <attention!!! see the next slide>
  # ./configure --with-mysql=/where/you/installed
  # make
  # make install
Install the configuration and the latest rules:
  # mkdir /etc/snort
  # cd etc
  # cp snort.conf /etc/snort
  # cp *.config /etc/snort
  # cp ../rules/* /etc/snort
  # cp ../contrib/S99snort /etc/init.d/snort
Create the logging directory for Snort:
  # mkdir /var/log/snort

Attention!!! (Snort 2.1.0)
The 2.1.0 release needs a one-line edit to the pid-file path in util.c before running make:
  cd snort-2.1.0/src
  grep /var/run *
  edit util.c: /var/run/ -> var/run

snort.conf
The configuration file has four sections, worked through in turn:
- Set the network variables (HOME_NET, EXTERNAL_NET, server lists)
- Configure preprocessors (e.g., frag2, stream4, http_inspect)
- Configure output plug-ins (alert_syslog, log_tcpdump, database)
- Customize your rule set (the include lines for the rule files)

Writing Snort Rules (1/3)
The basics:
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mount access";)
- Rule header section: everything up to the first parenthesis (action, protocol, source address and port, direction, destination address and port).
- Rule option section: the parenthesised keyword:value pairs, separated by semicolons.
Variables:
  var MY_NET [192.168.1.0/24,10.1.1.0/24]
  alert tcp any any -> $MY_NET any (flags:S; msg:"SYN packet";)
Includes:
  include <include file path/name>

Writing Snort Rules (2/3)
Rule headers
- Rule actions: alert, log, pass, activate, dynamic
- Protocols: tcp, udp, icmp, ip
- IP addresses: CIDR notation (192.168.1.0/24), negation with !, lists in brackets [x.y.z.0/24,a.b.c.0/24]
- Port numbers: a single port, ranges 1:1024, :6000 (up to 6000), 500: (500 and above), negation with !
- The direction operator: -> (source to destination) or <> (bidirectional); there is no <- operator.
- Activate/dynamic rules: an activate rule (activates:1) switches on a dynamic rule (activated_by:1; count:N) that logs the next N packets once triggered.

Writing Snort Rules (3/3)
Rule options: skipped here, please refer to the Snort Users Manual, http://www.snort.org/docs/writing_rules/index.html

Alerts
(screenshot of Snort alert output)

Go deep into
- Conceptual topology
- Sensor placement model
- Snort + Apache + MySQL + ACID
(topology diagrams)

Snort + Apache + MySQL + ACID
- Snort: the sensor, logging its alerts to the database
- MySQL server: stores the Snort alerts
- Apache web server: hosts the ACID web-based console
- ACID (Analysis Console for Intrusion Databases): a web-based application for viewing firewall logs and/or IDS alerts

Reference
- Snort website: http://www.snort.org

Security Essentials Toolkit: PortSentry

Outline
- Description
- Purpose
- Principle and Pre-Study
- Required Facilities
- Challenge Procedure
- Summary
- Reference

Description
- PortSentry is an example of host-based intrusion detection software.
- PortSentry monitors the TCP and UDP ports on the system in an attempt to determine whether someone is scanning the system in anticipation of an attack.
- Another unique aspect of PortSentry is that it will also initiate protective action automatically, e.g., adding the scanner to /etc/hosts.deny.

Purpose
To know how a host-based IDS works and how to install and configure PortSentry.

Principle and Pre-Study
- Hackers' attack techniques
- Port scanning tools
- Principle of the host-based IDS

Required Facilities
Hardware
- Intel-based PC running Linux
Software
- PortSentry 1.2: http://sourceforge.net/projects/sentrytools/

Challenge Procedure
- Step 1: Install PortSentry
- Step 2: Configure PortSentry
- Step 3: Test PortSentry
- Step 4: Kill PortSentry

Step 1: Install PortSentry
Log in as root, then download the PortSentry source file, unpack it, and build it with make linux followed by make install (it installs under /usr/local/psionic/portsentry).
353 Information Networking Security and Assurance Lab National Chung Cheng University Step 2:Configure PortSentry (1/2) vi /usr/local/psionic/portsentry/portsentry.ignore 354 Information Networking Security and Assurance Lab National Chung Cheng University Step 2:Configure PortSentry (2/2) /usr/local/psionic/portsentry/portsentry –tcp /usr/local/psionic/portsentry/portsentry –udp tail /var/log/messages 355 Information Networking Security and Assurance Lab National Chung Cheng University Step 3:Test PortSentry (1/2) 356 Information Networking Security and Assurance Lab National Chung Cheng University Step 3:Test PortSentry (2/2) 357 Information Networking Security and Assurance Lab National Chung Cheng University Step 4:Kill PortSentry (1/2) vi /etc/hosts.deny 358 Information Networking Security and Assurance Lab National Chung Cheng University Step 4:Kill PortSentry (2/2) killall portsentry 359 Information Networking Security and Assurance Lab National Chung Cheng University Summary PortSentry is host-based intrusion detection software. It’s able to detect port scanning. Protective action automatically, PortSentry can adding scanning system’s IP address to the hosts.deny file. Care should be taken when using PortSentry, it can also be used to cause a type of denial of service (DoS). 
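Returning to the rule syntax from the Writing Snort Rules slides earlier in this section, the following is an added example (not code from the course or from the Snort project): a Python parser for rule headers, `var` references and the option section, plus a header matcher. The rule set and the 5-tuples tested are constructed; the `<-` operator is accepted only because the slide lists it, while Snort itself documents just `->` and `<>`.

```python
"""Added example (not from the course slides or the Snort project): a small
parser for the Snort rule syntax shown in the Writing Snort Rules slides.
It expands `var` definitions, parses the rule header (action, protocol,
addresses, ports, direction) and the option section, and checks whether a
packet 5-tuple matches a rule header. The sample rules are constructed."""
import ipaddress
import re

# Constructed rule set modelled on the slide examples.
RULES_TEXT = """
var MY_NET [192.168.1.0/24,10.1.1.0/24]
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mount access";)
alert tcp any any -> $MY_NET any (flags:S; msg:"SYN packet";)
alert tcp !$MY_NET 1:1024 <> $MY_NET :6000 (msg:"low port to X11";)
"""

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# '<-' is listed on the slide; Snort's own grammar documents only '->' and '<>'.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>|<-)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))?$")

def parse_ports(spec):
    """'any', '111', '1:1024', ':6000', '500:' -> (negated, (low, high))."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return negated, (int(lo or 0), int(hi or 65535))
    return negated, (int(spec), int(spec))

def parse_addrs(spec, variables):
    """'any', '$VAR', 'a.b.c.0/24' or '[net,net]', optionally '!'-negated -> (negated, [networks])."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        spec = variables[spec[1:]]          # expand a `var` reference
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    nets = [ipaddress.ip_network(s.strip(), strict=False) for s in spec.strip("[]").split(",")]
    return negated, nets

def parse_options(text):
    """'(content:"|00 01 86 a5|"; msg:"mount access";)' -> {'content': ..., 'msg': ...}.
    Keyword-only options (e.g. nocase;) are not needed for the slide examples."""
    pairs = re.findall(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);', text.strip("() "))
    return {key: value.strip().strip('"') for key, value in pairs}

def parse_rules(text):
    """Return a list of rule dicts; raises ValueError on a malformed header."""
    variables, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        m = HEADER_RE.match(line)
        if not m or m["action"] not in ACTIONS or m["proto"] not in PROTOCOLS:
            raise ValueError("malformed rule: " + line)
        rules.append({
            "action": m["action"], "proto": m["proto"], "dir": m["dir"],
            "src": parse_addrs(m["src"], variables), "sport": parse_ports(m["sport"]),
            "dst": parse_addrs(m["dst"], variables), "dport": parse_ports(m["dport"]),
            "opts": parse_options(m["opts"] or "()"),
        })
    return rules

def _addr_ok(spec, ip):
    negated, nets = spec
    return any(ipaddress.ip_address(ip) in n for n in nets) != negated

def _port_ok(spec, port):
    negated, (lo, hi) = spec
    return (lo <= port <= hi) != negated

def header_matches(rule, proto, sip, sport, dip, dport):
    """True when the packet 5-tuple satisfies the rule header; '<>' matches either direction."""
    if rule["proto"] != "ip" and rule["proto"] != proto:
        return False
    forward = (_addr_ok(rule["src"], sip) and _port_ok(rule["sport"], sport)
               and _addr_ok(rule["dst"], dip) and _port_ok(rule["dport"], dport))
    reverse = (_addr_ok(rule["src"], dip) and _port_ok(rule["sport"], dport)
               and _addr_ok(rule["dst"], sip) and _port_ok(rule["dport"], sport))
    return {"->": forward, "<-": reverse, "<>": forward or reverse}[rule["dir"]]
```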
Reference
SANS GIAC Certification: Security Essentials Toolkit (GSEC)
http://www2.tw.ibm.com/developerWorks/tutorial/SelectTutorial.do?tutorialId=268#sec7
http://linux.cudeso.be/linuxdoc/portsentry.php
http://linux.rice.edu/help/tips-sentry.html
http://toget.pchome.com.tw/intro/unix_system/5095.html

Security Essentials Toolkit
DumpSec

Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Challenge Procedure
Summary
Reference

Description
A gaping hole in Windows NT and Windows 2000 is null sessions. Required by these operating systems for communication between servers, they are often left open to unauthenticated users. The amount of information available to an attacker via a null session is so great that tools are helpful to distill all of it. One such tool is DumpSec. As always, what is valuable to attackers is valuable to the network administrator: DumpSec is also an excellent tool as part of an audit toolkit.

Purpose
To know:
How to audit a Windows NT environment.
How to install, use, and analyze the output of DumpSec.

Principle and Pre-Study
What is DumpSec?
It dumps the permissions and audit settings for the file system, registry, printers and shares in a concise, readable listbox (text) format, so holes in system security are readily apparent.
How does DumpSec work?
DumpSec works by connecting to the target box as the null user via the command [net use \\server "" /user:""] and then calling the NetServerGetInfo() API to collect information.

Required Facilities
Permission: Do not proceed without receiving the necessary permission.
Hardware: Intel-based PC running Windows 2000 Professional.
Software: DumpSec http://www.somarsoft.com

Challenge Procedure
Step 1: Install DumpSec (skip)
Step 2: Select a target computer.
Step 3: Search for unprotected shares.
Step 4: Extract user information.
Step 5: Search for RAS dial-in accounts.
Step 6: Analyze system policies.
Step 7: Examine running services.

Step 2: Select a target computer
Step 3: Search for unprotected shares
Step 4: Extract user information
Step 5: Search for RAS dial-in accounts
Step 6: Analyze system policies
Step 7: Examine running services

Summary
DumpSec provides a very comprehensive view of user accounts and simple management. DumpSec is free, so it offers a cost-effective method to help evaluate user account security. However, to complete a review of the domain, time must also be spent with the domain administrators discussing policies and procedures.

Reference
http://www.somarsoft.com/
http://www.mnisaca.org/dumpsec.doc
http://www.emb.gov.hk/ited/Chinese/resources/bilingual_glossary_on_IT_terms/D.asp
http://www.microsoft.com/taiwan/technet/security/prodtech/windows/windows2000/staysecure/secops06.htm

IDS Evasion Techniques

Introduction
BlackHat community vs. WhiteHat (IDS vendors)
BlackHats exploit inherent weaknesses in NIDSs

Outline
IDS Evasion vs. Detection Engine
IDS Evasion at the Network Level
IDS Evasion at the Application Level
Basic String Matching Weaknesses
Polymorphic Shell Code
Fragmentation Attacks
Denial of Service
Conclusion

IDS Evasion vs. Detection Engine
Simple Pattern Matching
Traffic Anomalies
Protocol Anomalies
String Matching Weaknesses
Stateful Signatures
Backdoor Detection

IDS Evasion at the Network Level
Fragment packets
Fragments are captured, remembered, and analyzed by the IDS
Requires a great deal of memory and processing power on the IDS
The IDS must reassemble packets. However, different target systems have various inconsistencies in the way they handle fragments.
Just use fragments
Send a flood of fragments
Fragment the packets in unexpected ways

The tiny fragment attack (figure)
ATTACKER sends Fragment 1 (part of the TCP header) and Fragment 2 (the rest of the TCP header, with the port number) across the NETWORK, past the NETWORK IDS PROBE ("Looks good to me..."), to the PROTECTED SERVER.

Fragmentation Attacks
Fragmentation overwrite
Packet #1: GET x.idd
Packet #2: somerandomcharacters
Packet #3: a.? (buffer overflow)
Reassembled one way: GET x.ida.? (buffer overflow)
Reassembled the other way: GET x.idsomerandomcharacters
Fragmentation time-out
Packet #1: GET foo.id (MF bit set)
Packet #2 (59 seconds later): a.? (buffer overflow)

A fragment overlap attack (figure)
ATTACKER sends Fragment 1 (GET x.idd) and Fragment 2 (a.? (buffer overflow)); the NETWORK IDS PROBE says "Looks good to me..."; the PROTECTED SERVER reassembles GET x.ida.? (buffer overflow).

Fragmentation Attacks
Fragmentation combined with other network techniques (take TTL for example)
Packet #1: payload GET foo.id, TTL > 2
Packet #2: payload evasion.htm, TTL 2
Packet #3: payload a?bufferoverflow, TTL > 2
Reassembled with packet #2: GET foo.idevasion.htm
Reassembled with packet #3: GET foo.ida?bufferoverflow

Using FragRouter to evade IDS detection (figure)
ATTACK SYSTEM sends attack packets to FRAGROUTER, which emits attack fragments through the NETWORK IDS PROBE ("Looks good to me...") to the VICTIM.

Some of the Many Fragmentation Options Offered by FragRouter
Name (flag): how the packets are mangled
frag-1 (-F1): Send data in ordered 8-byte IP fragments
frag-2 (-F2): Send data in ordered 24-byte IP fragments
frag-3 (-F3): Send data in ordered 8-byte IP fragments, with one fragment sent out of order
tcp-1 (-T1): Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte segments
tcp-5 (-T5): Complete TCP handshake, send data in ordered 2-byte segments, preceding each segment with a 1-byte null data segment that overlaps the latter half of it. This amounts to the forward-overlapping 2-byte segment rewriting the null data back to the real attack.
tcp-7 (-T7): Complete TCP handshake, send data in ordered 1-byte segments interleaved with 1-byte null segments for the same connection but with drastically different sequence numbers.
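To see the fragmentation attacks above from the IDS side, here is an added example (not from the slides or from any IDS product): a fragment reassembler whose overlap policy and reassembly timeout can be set per host, showing that an IDS probe using a different policy or timeout from the protected server reconstructs different bytes. The fragments, the "first"/"last" policies and the 30 s and 60 s timeouts are constructed assumptions.

```python
"""Added example (not from the slides or any IDS): a fragment reassembler with a
selectable overlap policy and a reassembly timeout. It shows the two failure
modes from the Fragmentation Attacks slides from the IDS side: an IDS probe that
resolves overlaps or times out differently from the protected server rebuilds
different bytes and matches no signature. All fragments below are constructed."""
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int          # byte offset of this payload within the original datagram
    data: bytes
    arrival: float       # seconds after the first fragment of the datagram arrived
    more: bool = True    # MF bit; False marks the last fragment

def reassemble(frags, policy="first", timeout=60.0):
    """Rebuild the datagram payload.
    policy  'first': bytes already received win (favour the original data)
            'last' : later fragments overwrite earlier ones (favour the new data)
    timeout: fragments arriving later than this are discarded, as an IDS or host
             that has given up on the datagram would do.
    Returns (payload, conflict): payload is None when no complete datagram results
    (a hole, no final fragment, or a late fragment); conflict is True when
    overlapping fragments carried different bytes, which is itself worth an alert."""
    kept = [f for f in frags if f.arrival <= timeout]
    if not kept:
        return None, False
    total = max(f.offset + len(f.data) for f in kept)
    buf, have, conflict = bytearray(total), [False] * total, False
    for f in sorted(kept, key=lambda x: x.arrival):
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if have[pos]:
                if buf[pos] != byte:
                    conflict = True
                if policy == "first":
                    continue
            buf[pos], have[pos] = byte, True
    if not (all(have) and any(not f.more for f in kept)):
        return None, conflict
    return bytes(buf), conflict

def probe_vs_target(frags, probe=("first", 30.0), target=("last", 60.0)):
    """Compare what an IDS probe and the protected server reconstruct.
    The policies and timeouts are assumed settings, not measured values."""
    seen_by_probe, _ = reassemble(frags, *probe)
    seen_by_target, _ = reassemble(frags, *target)
    return seen_by_probe, seen_by_target, seen_by_probe != seen_by_target

# Constructed scenario 1 (fragmentation overwrite): packet 3 re-covers packet 2.
OVERWRITE = [
    Fragment(0, b"GET x.id", 0.0),
    Fragment(8, b"somerandomcharacters", 0.1),
    Fragment(8, b"a.? (bufferoverflow)", 0.2, more=False),
]
# Constructed scenario 2 (fragmentation time-out): the rest arrives 59 s later.
TIMEOUT = [
    Fragment(0, b"GET foo.id", 0.0),
    Fragment(10, b"a.? (bufferoverflow)", 59.0, more=False),
]
```

A probe that keeps the first copy of overlapping bytes, or that drops the datagram after 30 s, sees either harmless text or nothing at all, while the server completes the request; this is why Snort-style reassembly has to be configured with the target's policy and timeout.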
IDS Evasion at the Application Level
Manipulating information at the application layer
Allows an attacker to modify particular application-level commands
The IDS gets confused and will not detect the attack
Nikto is a good example of application-level IDS evasion

IDS Evasion Tactics
URL Encoding: The request is encoded using unicode equivalents of the characters. Some IDSs will not recognize the encoding as a request for the vulnerable script. Example: GET /%63%67%69%2d%62%69%6e/broken.cgi HTTP/1.0
TAB Separation: Instead of using spaces in the HTTP request, use tabs. If the IDS signature is based on spaces, the IDS will miss the attack. Example: GET<tab>/cgi-bin/broken.cgi<tab>HTTP/1.0
Case Sensitivity: Windows systems are case insensitive. If the IDS is looking for "cgi-bin" and we send "CGI-BIN", the IDS may not notice. Example: GET /CGI-BIN/broken.cgi HTTP/1.0

Basic String Matching Weaknesses
Signature-based IDS
Breaking the string match of a poorly written signature is trivial
Signature (Snort) vs. evasion by changing the string (figure)

Basic String Matching Weaknesses: more advanced techniques
Through an interactive session
Hex encoding a URL

Polymorphic Shell Code
Developed by K2 and based on virus evasion techniques
SSH CRC32 buffer overflows

Polymorphic Shell Code
Currently there are 55 replacements used on x86 (fewer on other architectures)
http://cansecwest.com/noplist-v1-1.txt

Denial of Service (DoS)
A less civilized method of evasion
Tools such as Stick, Snot and several testing tools are used to create a vast amount of alarms that can:
Consume the device's processing power and allow attacks to sneak by;
Fill up disk space, causing attacks not to be logged;
Cause more alarms than can be handled by management systems;
Cause personnel to be unable to investigate all the alarms; and
Cause the device to lock up

Conclusion
Traditional string matching weaknesses are becoming more difficult to evade
Network-level evasion tactics such as fragmentation can still be successful
Turn certain processing-intensive modules on or off depending on the environment
Fortunately, processing power is increasing quickly, and if vendors are willing to sacrifice bandwidth, more prudent processing of events can be realized.

Security Essentials Toolkit
Fragrouter

Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Challenge Procedure
Summary
Reference

Description
Something that plagues many attackers is the problem of how to bypass intrusion detection systems. A network-based IDS attempts to match the traffic it sees against known patterns. With the attack packets fragmented, the attacker has a better chance of bypassing the victim's IDS. Fragrouter is a prime example of a tool that can do packet fragmentation.

Purpose
To know:
An example of IDS evasion.
How to install and configure Fragrouter.

Principle and Pre-Study (1/2) (figure: Attacker, Network, Firewall, IDS, Target)

Principle and Pre-Study (2/2) (figure: Attacker, Fragrouter, Firewall, IDS, Target)

Required Facilities
Permission: Do not proceed without receiving the necessary permission.
Hardware: Intel-based system
Software: Linux kernel 2.2 or higher; Fragrouter http://online.securityfocus.com/data/tools/fragrouter1.6.tar.gz

Challenge Procedure
Step 1: Install Fragrouter
Step 2: Review Fragrouter options
Step 3: Test Fragrouter

Step 1: Install Fragrouter
tar zxf fragrouter-1.6.tar.gz
./configure
make
make install

Step 2: Review Fragrouter Options (1/3)
-B1: No fragmentation.
-F1: Fragments the packet into ordered 8-byte fragments.
-F2: Fragments the packet into ordered 24-byte fragments.
-F3: Like -F1, but places one of the fragments out of order.
-F4: Duplicates one of the fragmented packets.
-F5: Fragments the packet and sends out of order, while also duplicating a random packet.
-F6: Sends the data in unordered 8-byte fragments.
-F7: Sends the data in ordered 16-byte fragments, placing an 8-byte null data fragment in front of each fragment.

Step 2: Review Fragrouter Options (2/3)
-T1: Completes the TCP three-way handshake, then sends fake FIN and RST data with bad checksums before sending the real data in ordered 1-byte segments.
-T2: Sends the data with the sequence number wrapping back to zero.
-T3: Duplicates the penultimate segment of each original packet.
-T4: Sends additional 1-byte null data for each segment.
-T5: 2-byte segments, in each of which 1 byte is null data.
-T6: Sequence number jumps of 1,000 throughout the data stream.
-T7: Sends data in 1-byte segments and 1-byte null data, but changes the sequence number.
-T8: 1-byte segments, placing one of those segments out of order.
-T9: Sends all of its data out of order.

Step 2: Review Fragrouter Options (3/3)
-C1: Does not complete the 3-way handshake; sends data with a random sequence number.
-C2: Completes the 3-way handshake, sends data in ordered 1-byte segments, and intermixes SYN packets for the established connection.
-C3: Does not complete the 3-way handshake; sends null data as if the handshake were complete, then completes the 3-way handshake and sends the data.
-R1: Completes the 3-way handshake and shuts down with an RST packet, then reconnects and sends data.
-I2: Completes the 3-way handshake and sends data, but in 1-byte segments with bad checksums.
-I3: Completes the 3-way handshake and sends data, with the 1-byte segments' ACK flag not set.
-M1: Uses Thomas Lopatic's Windows NT 4.0 SP2 fragmentation attack.
-M2: Uses John McDonald's Linux IP chains fragmentation attack.

Step 3: Test Fragrouter (1/4)
fragrouter -option

Step 3: Test Fragrouter (2/4)
Change gateway

Step 3: Test Fragrouter (3/4)
Example 1: fragrouter -B1

Step 3: Test Fragrouter (4/4)
Example 2: fragrouter -T1

Summary
Fragrouter is an example of a tool for IDS evasion. Both Fragrouter and the attack machine need to be on the same network segment, and the victim needs to be on a separate segment. Do not proceed without receiving the necessary permissions.

Reference
http://dag.wieers.com/packages/fragrouter/
http://online.securityfocus.com/data/tools/fragrouter-1.6.tar.gz
http://www.securityfocus.com/tools/176
http://www.securityfocus.com/infocus/1577
http://oldsite.linuxaid.com.cn/solution/showsol.jsp?i=413#route_vs_router
http://ouah.kernsh.org/IP_frag.htm

A Vulnerability Assessment
NIKTO

Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Step by step
Summary
Reference

Description
Nikto is a web server scanner which performs comprehensive tests against web servers for multiple items:
2600 potentially dangerous files/CGIs
Versions on over 625 servers
Version-specific problems on over 230 servers
Nikto supports LibWhisker's anti-IDS methods (IDS evasion)

Description
Nikto performs security and information checks:
Misconfigurations
Default files and scripts
Insecure files and scripts
Outdated software

Purpose
To understand what a vulnerability scanner is, and why we need it
To become familiar with the operation of the Nikto vulnerability scanner.
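The application-level tactics listed in the IDS Evasion Tactics table above belong to the same family of tricks that LibWhisker's anti-IDS modes in Nikto exercise. As an added example (not from the course, Nikto or LibWhisker), this Python normalizer canonicalizes a raw HTTP request line before signature matching; the sample requests are constructed, the `/cgi-bin/some.cgi` signature is a placeholder, and the case-folding assumes a Windows (case-insensitive) target.

```python
"""Added example: canonicalize an HTTP request line before signature matching,
so whisker-style tactics (URL encoding, tab separation, double slashes,
self-reference and reverse traversal, parameter hiding, a NULL in the method,
DOS/Win path syntax, case changes) collapse to one form. Not from Nikto or
LibWhisker; the samples and the signature are constructed placeholders."""
import re
from urllib.parse import unquote_to_bytes

def normalize_request(raw):
    """Return (METHOD, canonical_path) or None if the request line is unparsable."""
    # Split on any run of spaces or tabs before decoding (tab separation / HTTP mis-formatting).
    parts = re.split(rb"[ \t]+", raw.strip(b"\r\n"))
    if len(parts) < 2:
        return None
    # A %00 smuggled into the method must not hide "GET" (NULL method processing).
    method = unquote_to_bytes(parts[0]).replace(b"\x00", b"").upper()
    # Cut the query only at a literal '?': an encoded %3f is part of the path the
    # server resolves (parameter hiding), so it has to survive into decoding.
    path = unquote_to_bytes(parts[1].split(b"?", 1)[0])   # URL encoding, premature request ending
    path = path.replace(b"\\", b"/").replace(b"\x00", b"")  # DOS/Win syntax, embedded NULs
    segments = []                                           # double slashes, ./ and ../ traversal
    for seg in path.split(b"/"):
        if seg in (b"", b"."):
            continue
        if seg == b"..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    canonical = "/" + b"/".join(segments).decode("latin-1")
    # Case-folding assumes a Windows target; for a case-sensitive server it would
    # make the IDS alert on requests the server itself would reject.
    return method.decode("latin-1"), canonical.lower()

def matches_signature(raw, signature="/cgi-bin/some.cgi"):
    """Method-agnostic match (GET and HEAD both count) on the canonical path."""
    parsed = normalize_request(raw)
    return parsed is not None and parsed[1] == signature

# Constructed request lines, one per tactic. Session splicing is absent on purpose:
# it is defeated by TCP stream reassembly, not by URI normalization.
SAMPLES = [
    b"GET /cgi-bin/some.cgi HTTP/1.0",
    b"HEAD /cgi-bin/some.cgi HTTP/1.0",                                      # method matching
    b"GET /%63%67%69%2d%62%69%6e/some.cgi HTTP/1.0",                         # URL encoding
    b"GET //cgi-bin//some.cgi HTTP/1.0",                                     # double slashes
    b"GET /./cgi-bin/./some.cgi HTTP/1.0",                                   # self-reference dirs
    b"GET /%20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n",  # premature ending
    b"GET /index.htm%3fparam=/../cgi-bin/some.cgi HTTP/1.0",                 # parameter hiding
    b"GET\t/cgi-bin/some.cgi\tHTTP/1.0",                                     # HTTP mis-formatting
    b"GET /rfprfp" + b"A" * 200 + b"rfprfp/../cgi-bin/some.cgi HTTP/1.0",    # long URL
    b"GET /cgi-bin\\some.cgi HTTP/1.0",                                      # DOS/Win syntax
    b"GET%00 /cgi-bin/some.cgi HTTP/1.0",                                    # NULL method
    b"GET /CGI-BIN/SOME.CGI HTTP/1.0",                                       # case sensitivity
    b"GET /cgi-bin/blahblah/../some.cgi HTTP/1.0",                           # combination
]
```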
Principle and Pre-Study
A look at whisker's anti-IDS tactics
An HTTP request as defined by RFC 1945
Types of IDS: smart, raw

IDS evasion (whisker tactics)
Evasion type: evasion method
1 Method matching: GET /cgi-bin/some.cgi -> HEAD /cgi-bin/some.cgi
2 URL encoding: cgi-bin -> %63%67%69%2d%62%69%6e
3 Double slashes: /cgi-bin/some.cgi -> //cgi-bin//some.cgi
4 Reverse traversal: /cgi-bin/some.cgi
5 Self-reference directories: cgi-bin/phf -> /./cgi-bin/./phf
6 Premature request ending: GET /%20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n
7 Parameter hiding: GET /index.htm%3fparam=/../cgi-bin/some.cgi HTTP/1.0
8 HTTP mis-formatting: Method<space>URI<space>HTTP/Version CRLF CRLF -> Method<tab>URI<tab>HTTP/Version CRLF CRLF
9 Long URLs: GET /rfprfp<lots of characters>rfprfp/../cgi-bin/some.cgi HTTP/1.0
10 DOS/Win directory syntax: "/cgi-bin/some.cgi" -> "/cgi-bin\some.cgi"
11 NULL method processing: GET%00 /cgi-bin/some.cgi HTTP/1.0
12 Case sensitivity: /cgi-bin/some.cgi -> /CGI-BIN/SOME.CGI
13 Session splicing: "GET / HTTP/1.0" -> "GE", "T ", "/", " H", "T", "TP", "/1", ".0"
14 In summary: combine multiple tactics together, e.g. GET /cgi-bin/blahblah/../some.cgi HTTP/1.0

Required Facilities
Permission: Do not proceed without receiving the necessary permissions
Hardware: PC or workstation with a UNIX-based OS
Software: Perl 5.004, Nikto 1.32, NET::SSLeay, LibWhisker, OpenSSL

Step (I): Install Nikto
Install Nikto with the port tree
After installing Nikto, patch /usr/local/bin/nikto.pl to indicate the config.txt
Patch /usr/local/etc/nikto/config.txt to indicate the plugin directory

IDS evasion option (figure): mutate checks option; IDS evasion method

Step (II): Execute Nikto
Basic scan information
Web server banner and basic function
Report some vulnerabilities and suggest solutions
Report the result

Step (III): IDS evasion
Detection with IDS evasion methods 1 and 2 on target 140.123.113.86

Summary
CGI exploits are everywhere. It is most important that you scan your own site so that you can see what attackers might see. Nikto is a Perl, open-source web server scanner which supports SSL. It checks for remote web server vulnerabilities and misconfigurations.

Reference
Nikto http://www.cirt.net/code/nikto.html
Comprehensive Perl Archive Network http://www.cpan.org
LibWhisker http://www.wiretrip.net/rfp/lw.asp
A look at whisker's anti-IDS tactics http://www.wiretrip.net/rfp/txt/whiskerids.html

Intrusion Detection System
Detection Analysis Comparison

Outline
What is IDS?
Detection Analysis Comparison: Anomaly, Misuse, Signature-based
Commercial Intrusion Detection Systems
IDS challenges

What is IDS?
IDS stands for "Intrusion Detection System"
Detecting inappropriate, incorrect, or anomalous activity on a system
Identifying network intrusion attempts
Sending alerts to administrators, and responding
Intrusion: attempts to compromise the confidentiality, integrity, or availability, or to bypass the security mechanisms, of a computer or network. (NIST SP 800-31)

Detection Analysis Comparison: Anomaly
Anomaly detection involves defining "normal" activity and looking for deviations from this baseline

Detection Analysis Comparison: Misuse
Predictive models are built from labeled data sets (instances are labeled as "normal" or "intrusive")
These models can be more sophisticated and precise than manually created signatures
Unable to detect attacks whose instances have not yet been observed

Misuse
Signatures explicitly define what activity should be considered malicious
Simple pattern matching
Stateful pattern matching
Protocol decode-based analysis
Heuristic-based analysis

Detection Analysis Comparison: Signatures
Stateless Pattern Matching
Looking for a fixed sequence of bytes in a single packet
Pros
+ simple
+ direct correlation (highly specific)
+ reliable alerts (for the specified pattern)
+ applicable across all protocols
Cons
- false positive rates (pattern not as unique as assumed)
- any attack modification leads to a false negative
- does not apply well to stream-based traffic (single packet inspection)
- does not scale; can dramatically slow performance
- blind until a new pattern is developed
- evasion is somewhat easy

Detection Analysis Comparison: Signatures (cont.)
Stateful Pattern Matching
Matches are made in context within the state of the stream
Pros
+ only slightly more effort than simple pattern matching
+ direct correlation (highly specific)
+ reliable alerts (for the specified pattern)
+ applicable across all protocols
+ evasion becomes more difficult
Cons
- false positive rates (pattern not as unique as assumed)
- any attack modification leads to a false negative
- may require multiple signatures to deal with a single vulnerability
- blind until a new pattern is developed

Detection Analysis Comparison: Signatures (cont.)
Protocol Decode-Based Analysis
Decode protocol elements as the client or server in the conversation would, then look for RFC violations (field contents, header and payload size, special characters, ...)
Pros
+ minimizes the chance of false positives (for well-defined protocols)
+ direct correlation (highly specific)
+ reliable alerts (for the specified protocol)
Cons
- can lead to high false positives if the RFC is ambiguous (grey area)
- longer and more complex development time

Detection Analysis Comparison: Signatures (cont.)
Heuristic-Based Analysis
Based on algorithmic logic such as statistical evaluation of the type of traffic being presented
Pros
+ some types of suspicious activity cannot be detected through other means
Cons
- the algorithm may require tuning or modification

Anomaly
Look for traffic that deviates from what is seen "normally". The issue is to define what "normal" is. If normal is hard-coded then it becomes heuristic-based. Learning what normal is sounds like the panacea, but so far it has been limited to academic research, with limited success.
Pros
+ can detect unknown attacks (if implemented properly)
+ low overhead (no new signatures to develop and install)
Cons
- no intrusion data granularity (no pattern, unknown attacks)
- highly dependent on what has been learned as normal

Signature versus Anomaly
Signature
Pros: + Fast; + Detects known attacks immediately
Cons: - Only detects attacks known to the system; - Signatures can be written too generally (false positives); - Gives a false feeling of security if not up to date
Anomaly
Pros: + Can detect unknown attacks; + Can detect misuse within a valid session
Cons: - Complex, intensive; - Prone to false negatives and positives; - Longer ramp-up time (need to generate profiles of users to detect deviation from these profiles)

Commercial Intrusion Detection Systems
Misuse detection based commercial IDSs:
Snort: open source network IDS based on signatures.
Network Flight Recorder (NFR): detects known attacks and their variations
NetRanger (Cisco): sensors (analyze the traffic) and directors (manage sensors)
Shadow: collects audit data and runs tcpdump filters to catch attacks
P-BEST (SRI): rule-based expert system that describes malicious behavior
NetSTAT (UCSB): real-time IDS using state transition analysis

Commercial Intrusion Detection Systems (cont.)
Anomaly detection based commercial IDSs IDES, NIDES – statistical anomaly detection EMERAld – statistical anomaly detection SPADE (Statistical anomaly detection Engine) within Snort Computer watch (AT&T) – expert system that summarizes security sensitive events and apply rules to detect anomalous behavior Wisdom & Sense – builds a set of rules that statistically describe normal behavior 447 Information Networking Security and Assurance Lab National Chung Cheng University SPADE --- Snort plug-in SPADE: examines TCP SYN packets and maintains the count of packets observed on (dest IP, dest Port) tuples SPADE checks the probability of every new packet on the (dest IP, dest Port) tuple The lower the probability, the higher the anomaly score Drawback: raises false alarms on legitimate traffic for which (dest IP, dest Port) combinations are infrequent Dest Port Dest IP ## # # # ### # # # ** # 448 Information Networking Security and Assurance Lab National Chung Cheng University IDS challenges Minimizing false positive Minimizing false negative Keeping up with performance Handling the large amount of data generated 449 Information Networking Security and Assurance Lab National Chung Cheng University The Future of IDS and IPS 450 Information Networking Security and Assurance Lab National Chung Cheng University IDS Market Forecast (I) 451 Information Networking Security and Assurance Lab National Chung Cheng University Source: IDC, 2001 IDS Market Forecast (II) 452 Information Networking Security and Assurance Lab National Chung Cheng University Source: IDC, 2001 IDS Life Cycle Setting up the current generation of IDSs requires a substantial time investment to ensure they'll flag only suspicious traffic and leave everything else alone. 
www.nwfusion.com/techinsider/2002/0624security1.html • Signature Updating • Writing Signature Testing • Accuracy • Resource Usage • Stress Vulnerability Assessment Configuration Tuning Installation • Information Collecting • Filtering and Correlation • Traffic Analysis 453 Information Networking Security and Assurance Lab National Chung Cheng University Testing Reality Eight IDSs fail to impress during the month long test on a production network. Several IDSs crashed repeatedly under the burden of the false alarms they churned out. When real attacks came along, some products didn't catch them and others buried the reports so deep in false alarms that they were easy to miss. Overly complex interfaces made tuning out false alarms a challenge http://www.nwfusion.com/techinsider/2002/0624security1.html 454 Information Networking Security and Assurance Lab National Chung Cheng University High Speed IDS Tests (Attacks Detected at 970 Mbps Information Networking Security and Assurance Lab National Chung Cheng University http://www.nwfusion.com/reviews/2002/1104revnetr.html 455 When Firewall Meets IDS Firewall An gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). • Access Control • NAT • Prevent the attacks • Validate firewall configuration • Detect attacks but firewalls allow them to pass through (such as attacks against web servers). 
• Seize insider hacking
IDS: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.

Gateway IDS (GIDS) and Host Intrusion Prevention (HIP)
Host Intrusion Prevention (company – website):
• Entercept Security Technologies – www.entercept.com
• Harris STAT Neutralizer – www.statonline.com
• Okena StormWatch and StormFront – www.okena.com
• Sana Security – www.sanasecurity.com
• Linux IDS – www.lids.org
Gateway IDS (company – website):
• Captus Networks – www.captusnetworks.com
• Cisco Systems IDS – www.cisco.com
• ForeScout ActiveScout – www.forescout.com
• RealSecure Network Protection – www.iss.net
• Intruvert Networks – www.intruvert.com
• NetScreen Technologies IDP – www.netscreen.com
• Snort Hogwash – http://hogwash.sourceforge.net
• TippingPoint Technologies UnityOne – www.tippingpoint.com
Drawbacks:
• Inadvertently block legitimate traffic
• Ineffective against denial-of-service attacks
Vendor consolidation (acquisitions): OneSecure – NetScreen; Okena – Cisco; Entercept and Intruvert – Network Associates
Source: http://www.cio.com/archive/061503/et_article.html

NIDS Market Predictions: Head to Head
• The intrusion detection market jumped 29.2 per cent year on year (the firewall/virtual private network security appliance market increased 7.5 per cent).
• In contrast to statements that intrusion detection software is dead, the growth in intrusion detection appliances shows that many organizations still see the value in monitoring their networks.
• Could reach $2 billion in 2005, up from $486 million in 2000.
[Chart: IDS revenue and IPS revenue by year, 2002 to 2005; y axis 0 to 1000; bar labels 70, 230, 327, 491, 571, 634, 688, 800]
• IDS market will grow 43 per cent to $149m by 2004
• IDS revenue will hit $1.1bn by 2006
• IDS is dead, long live IPS
• By year end 2004, advances in non-signature-based intrusion detection technology will enable network-based intrusion prevention to replace 50% of established IDS deployments and capture 75% of new deployments.
• By end of 2003, 90% of IDS deployments will fail when false positives are not reduced by 50%.
Sources: http://www.vnunet.com/News/1143747 ; http://www.ipa.go.jp/security/fy11/report/contents/intrusion/ids-meeting/idsbg.pdf

Security Platform Evolution
[Diagram not reproduced] Source: Gartner Research

IDS Battle: Statements From Marcus Ranum
• The IDS battle of today is detection algorithms
• The IDS battle of tomorrow will be data correlation from varieties of sources
• The IDS battle of the day after tomorrow will be applying _relevance_ and _significance_ to the correlated results
Source: http://archives.neohapsis.com/archives/sf/ids/2002-q1/0271.html

Other Suggestions From Xerox
• Detect a wide variety of intrusion types
• Very high certainty
• Real-time detection
• Develop a network-wide view rather than local views
• Analysis must work reliably with incomplete data
• Detect unanticipated attack methods
• Scale to very large heterogeneous systems
• What data to collect for maximal effectiveness; network instrumentation
• Automated response
• Discover or narrow down the source of an attack
• Integrate with network management and fault diagnosis
• Infer intent; forming the big picture
• Cooperative problem solving
Source: http://www.blackhat.com/presentations/bh-usa-99/teresa-lunt/tutorial.ppt
My Opinions: MEAP
• Management
• Evasion
• Accuracy
• Performance