Salt


Network Intruders

Masquerader: A person who is not authorized to use a computer, but gains access appearing to be someone with authorization (steals services, violates the right to privacy, destroys data, ...)

Misfeasor: A person who has limited authorization to use a computer, but misuses that authorization (steals services, violates the right to privacy, destroys data, ...)

Clandestine User: A person who seizes supervisory control of a computer and proceeds to evade auditing and access controls.


Access Control

Today almost all systems are protected only by a simple password that is typed in, or sent over a network in the clear. Techniques for guessing passwords:

1. Try default passwords.

2. Try all short words, 1 to 3 characters long.

3. Try all the words in an electronic dictionary (60,000).

4. Collect information about the user’s hobbies, family names, birthday, etc.

5. Try user’s phone number, social security number, street address, etc.

6. Try all license plate numbers (123XYZ).

Prevention: Enforce good password selection (c0p31an6)


Password Gathering

Look under keyboard, telephone etc.

Look in the Rolodex under “X” and “Z”

Call up pretending to be from “micro-support,” and ask for it.

“Snoop” a network and watch the plaintext passwords go by.

Tap a phone line - but this requires a very special modem.

Use a “Trojan Horse” program to record keystrokes.


UNIX Passwords

User’s password (should be required to have 8 characters, some non-letters)
+ Random 12-bit number (Salt)
-> DES encrypted to 11 viewable characters

Stored record layout (one row per user): User ID | Salt Value | Hash


Storing UNIX Passwords

Until a few years ago, UNIX passwords were kept in a publicly readable file, /etc/passwd. Now they are kept in a “shadow” file visible only to “root”.

“Salt”:

• prevents duplicate passwords from being easily seen as such.

• prevents use of standard reverse-lookup dictionaries (a different dictionary would have to be generated for each value of Salt).

• does not “effectively increase the length of the password.”
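The salting scheme from the two slides above, as an added example that is not from the original lecture: a 12-bit salt (two characters from the crypt(3) alphabet) is stored next to the hash, two users with the same password get different records, and a precomputed dictionary would have to be rebuilt once per salt value. SHA-256 stands in for the DES-based crypt function (an assumption, not the historical algorithm); the record layout and user names are constructed.

```python
import hashlib
import secrets

# Classic crypt(3) salt alphabet: 64 symbols, so two characters encode
# 64 * 64 = 4096 values, i.e. the 12-bit salt described on the slide.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def random_salt() -> str:
    """Two random characters from the crypt alphabet (12 bits of salt)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))

def salted_hash(password: str, salt: str) -> str:
    """Stand-in for the DES-based crypt (assumption): SHA-256 over salt||password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_entry(user: str, password: str, salt: str = "") -> str:
    """Record in the slide's layout, user:salt:hash (salt drawn at random if empty)."""
    salt = salt or random_salt()
    return f"{user}:{salt}:{salted_hash(password, salt)}"

def verify(entry: str, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, salt, stored = entry.split(":")
    return secrets.compare_digest(stored, salted_hash(candidate, salt))

def hashes_match(entry_a: str, entry_b: str) -> bool:
    """True when two records expose that their owners share a password."""
    return entry_a.split(":")[2] == entry_b.split(":")[2]

def precomputed_table_size(dictionary_words: int, salt_bits: int = 12) -> int:
    """Hashes needed to cover one dictionary under every possible salt value."""
    return dictionary_words * (2 ** salt_bits)

# Constructed sample: two users who picked the same password.
alice = make_entry("alice", "c0p31an6", salt="ab")
bob = make_entry("bob", "c0p31an6", salt="Zx")
```

With the 60,000-word dictionary from slide 2, the table grows from 60,000 hashes to 60,000 × 4096; the salt adds no strength against guessing one specific account, which is the third bullet above.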


The Stages of a Network Intrusion

1. Scan the network to:

• locate which IP addresses are in use,

• what operating system is in use,

• what TCP or UDP ports are “open” (being listened to by Servers).

2. Run “Exploit” scripts against open ports

3. Get access to Shell program which is “suid” (has “root” privileges).

4. Download from a hacker Web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.

5. Use IRC (Internet Relay Chat) to invite friends to the feast.


Protection from a Network Intrusion

1. Use a “Firewall” between the local area network and the worldwide Internet to limit access (Chapter 10).

2. Use an IDS (Intrusion Detection System) to detect Cracker during the scanning stage (lock out the IP address, or monitor and prosecute).

3. Use a program like TripWire on each host to detect when systems files are altered, and email an alert to Sys Admin.

4. On Microsoft PCs, a program like BlackIce is easier to install than learning how to reset default parameters to make the system safe (and fun besides).


Type "A" Probes

The first three UDP probes, which started my investigation, had a single character in the data field, an 'A'. The UDP port numbers were identical, 31790->31789.

They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port packets. The Echo-Request is never answered.

Date Time EST Source IP (Place) Destination (Place)

1999-12-28 18:40 151.21.82.251 (Italy) to 24.88.48.47 (Atlanta, GA)

1999-12-10 18:28 152.169.145.206 ( AOL ) to 24.88.48.47 (Atlanta, GA)

1999-12-16 03:34 212.24.231.131 (Saudi Arabia) to 24.88.48.47 (Atlanta, GA)

UDP packets with an empty data field, like those generated by the "nmap" scan program, do not stimulate the 1500-byte ICMP packets from an OS-9 Macintosh.


Type "Double-zero" Probes (James Bond, 007, "00" -> "license to kill")

I have now seen 3 UDP type "00" probes, and had another "00" probe reported from Kansas.

These probes use a single UDP packet, two bytes of data (ASCII zeroes) and identical UDP port numbers, 60000->2140. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port packets. The Echo-Request is never answered.

1999-12-20 07:04 195.229.024.212 (Arab Emirates*) to 24.88.48.47 (Atlanta, GA)

1999-12-21 08:04 195.229.024.213 (Arab Emirates*) to 24.88.48.47 (Atlanta, GA)

*DNS name: cwa129.emirates.net.ae

1999-12-25 09:39 212.174.198.29 (Turkey) to 24.94.xxx.xxx (Wichita, Kansas)

*DNS: none

1999-12-31 05:35 195.99.56.179 (Manchester, UK*) to 14.88.xx.xx (Atlanta, GA)

*DNS name: manchester_nas11.ida.bt.net

2000-01-04 05:08 24.94.80.152 (Road Runner, Hawaii) to 24.94.xxx.xxx (Wichita, Kansas)

*DNS name: a24b94n80client152.hawaii.rr.com

2000-01-06 04:48 195.44.201.41 (cwnet, NJ) to 24.88.xx.xxx (Atlanta, GA)

*DNS name: ad11-s16-201-41.cwci.net
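A small detector for the two probe signatures described on the last two slides (the type "A" probe, 31790->31789 with a one-byte 'A' payload, and the "00" probe, 60000->2140 with two ASCII zeroes), as an added example that is not from the original lecture. It runs over constructed packet records rather than live capture; the 10.0.0.x sources are made up, the others are addresses from the slides.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

# Signatures from the slides: (source port, destination port, exact payload).
PROBE_SIGNATURES = {
    "type-A": (31790, 31789, b"A"),
    "type-00": (60000, 2140, b"00"),
}

def classify_probe(pkt: UdpPacket) -> Optional[str]:
    """Name of the matching probe type, or None. Port pair and payload must all
    match, so an empty-payload scanner packet on the same ports is not flagged."""
    for name, (sport, dport, payload) in PROBE_SIGNATURES.items():
        if pkt.sport == sport and pkt.dport == dport and pkt.payload == payload:
            return name
    return None

def summarize(packets):
    """Count hits per probe type and record which types each source sent."""
    per_type: Dict[str, int] = {}
    per_source: Dict[str, Set[str]] = {}
    for p in packets:
        kind = classify_probe(p)
        if kind is None:
            continue
        per_type[kind] = per_type.get(kind, 0) + 1
        per_source.setdefault(p.src, set()).add(kind)
    return per_type, per_source

# Constructed sample traffic: one packet of each probe kind, plus two near
# misses (empty payload like an nmap scan; right payload, wrong source port).
SAMPLE = [
    UdpPacket("151.21.82.251", 31790, "24.88.48.47", 31789, b"A"),
    UdpPacket("195.229.24.212", 60000, "24.88.48.47", 2140, b"00"),
    UdpPacket("10.0.0.5", 31790, "24.88.48.47", 31789, b""),
    UdpPacket("10.0.0.6", 40000, "24.88.48.47", 2140, b"00"),
]
```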


Traceroute to find location of IP Address

Start: 11/21/99 11:07:40 PM

Find route from: 24.88.48.47

to: www.orbicom.com. (196.28.160.129), Max 30 hops, 40 byte packets

Host Names truncated to 32 bytes

1 24.88.48.1 (24.88.48.1 ): 17ms 17ms 16ms

2 24.88.3.21 (24.88.3.21 ): 18ms 19ms 18ms

3 24.93.64.69 (24.93.64.69 ): 17ms 18ms 17ms

4 24.93.64.61 (24.93.64.61 ): 19ms 17ms 18ms

5 24.93.64.57 (24.93.64.57 ): 25ms 25ms 23ms

6 sgarden-sa-gsr.carolina.rr.com. (24.93.64.30 ): 26ms 27ms 27ms

7 roc-gsr-greensboro-gsr.carolina. (24.93.64.17 ): 28ms 28ms 30ms

8 roc-asbr-roc-gsr.carolina.rr.com (24.93.64.6 ): 30ms 32ms 30ms

9 12.127.173.205 (12.127.173.205 ): 40ms 39ms 39ms

10 gbr2-a30s1.wswdc.ip.att.net. (12.127.1.30 ): 38ms 40ms 39ms

11 gr2-p3110.wswdc.ip.att.net. (12.123.8.246 ): 278ms 40ms 39ms

12 att-gw.washdc.teleglobe.net. (192.205.32.94 ): 41ms 43ms 42ms

13 if-7-2.core1.newyork.teleglobe.n (207.45.222.145 ): 45ms 46ms 45ms

14 if-0-0-0.bb3.newyork.teleglobe.n (207.45.221.69 ): 45ms 47ms 49ms

15 ix-1-1-1.bb3.newyork.teleglobe.n (207.45.199.202 ): 50ms 46ms 50ms

16 196.30.121.243 (196.30.121.243 ): 44ms 48ms 45ms

17 fe0-0.cr3.ndf.iafrica.net. (196.31.17.26 ): 635ms 632ms 633ms

18 atm6-0sub300.cr1.vic.iafrica.net (196.30.121.81 ): 641ms 640ms 644ms

19 196.30.200.6 (196.30.200.6 ): 643ms 640ms 643ms

20 196.4.162.86 (196.4.162.86 ): 662ms 659ms 664ms

21 www.orbicom.com. (196.28.160.129 ): 663ms 658ms 664ms

• Trace completed 11/21/99 11:08:25 PM •
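Reading the trace above by hand, the round-trip time jumps from about 45 ms to over 600 ms between hops 16 and 17, and the host names from that point on belong to an African ISP, which is what places the destination. The following parser, an added example that is not part of the lecture, does that reading programmatically over a subset of the slide's own lines; it uses the minimum of the three RTTs so a single slow reply (hop 11) is not mistaken for a long-haul link.

```python
import re

# Hop line layout as printed on the slide:
# "<hop> <name or ip> (<ip> ): <rtt>ms <rtt>ms <rtt>ms"
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(\s*([\d.]+)\s*\):\s*(.*)$")

def parse_hop(line: str):
    """Return a dict for one hop line, or None for headers and footers."""
    m = HOP_RE.match(line)
    if not m:
        return None
    hop, name, ip, tail = m.groups()
    return {"hop": int(hop), "name": name, "ip": ip,
            "rtts": [int(x) for x in re.findall(r"(\d+)ms", tail)]}

def parse_trace(text: str):
    return [h for h in map(parse_hop, text.splitlines()) if h]

def latency_jumps(hops, threshold_ms: int = 200):
    """(previous hop, hop) pairs where the minimum RTT rises by more than the
    threshold, i.e. where the path most likely crosses a long-distance link."""
    return [(a["hop"], b["hop"]) for a, b in zip(hops, hops[1:])
            if min(b["rtts"]) - min(a["rtts"]) > threshold_ms]

def named_hops_after(hops, hop_number: int):
    """Host names (not bare IPs) from the given hop onward; their domains
    are the location hint the slide title refers to."""
    return [h["name"] for h in hops
            if h["hop"] >= hop_number and h["name"] != h["ip"]]

# Lines taken from the traceroute on the slide (not the full output).
TRACE = """\
Find route from: 24.88.48.47
10 gbr2-a30s1.wswdc.ip.att.net. (12.127.1.30 ): 38ms 40ms 39ms
11 gr2-p3110.wswdc.ip.att.net. (12.123.8.246 ): 278ms 40ms 39ms
15 ix-1-1-1.bb3.newyork.teleglobe.n (207.45.199.202 ): 50ms 46ms 50ms
16 196.30.121.243 (196.30.121.243 ): 44ms 48ms 45ms
17 fe0-0.cr3.ndf.iafrica.net. (196.31.17.26 ): 635ms 632ms 633ms
21 www.orbicom.com. (196.28.160.129 ): 663ms 658ms 664ms
"""
```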
