Slides - WSU Online

Networks and Security
How Real is the Threat?
88% of IT staff polled in the US recently
said their organizations had been affected
by Internet viruses or worms in the past
year even though 90% of firms have an IT
security system in place. Information Security
Magazine, 2001
Worm Threats
 NIMDA and Code Red generated the
majority of attack activity accounting for
63% of recorded attacks
 Each worm attacked known problems for which patches were already available
 A zero-day worm instead hits a vulnerability that has not yet been published or patched
 Future worms will morph (change their signatures as they spread)
Trends
 39% appeared to be targeted at a specific system or company
 61% appeared opportunistic: the attacker scanned and exploited whatever was found
 42% of the attacks were aimed at large corporations of 1,000 or more employees
 This suggests that higher-profile corporations are bigger targets than lower-profile ones
Majority of Attacks Are Launched From
a Small Number of Countries
 Ten countries account for 70% of attacks
– 30% United States
– 9% South Korea
– 8% China
 The largest number of attacks per IP
address was Israel
Attacks and Ports
Current Attacks
Most Probed Ports
(Figure: chart of the most probed ports; only its captions survive.)
– Windows service for conversion of IP addresses to names in file-sharing apps
– First step in a scan to hit file shares
– Open when a web server is installed
– Used by MS-SQL Server for remote clients to query for network connections
Trends
 The industries with the highest attack rates are:
– Education
– High Tech
– Financial Services
– Media/Entertainment
– Power and energy companies
 Each averaged more than 700 attacks per company
in the last six months
 Power and energy companies suffered attacks from
the Mid East at twice the mean of other companies
 High Tech and Financial companies suffered
attacks from Asia at a rate that was 50% higher
than the mean for other companies
Top Ten Attacks
 47.8% M.S. IIS Server ISAPI overflow
 25.1% (Code Red) Generic Root Request Attack of root.exe in /scripts directory
 23.5% M.S. IIS Server Traversal Attack
 17% M.S. IIS Server Arbitrary Code Attack (code URL twice)
 16.5% (Code Red) "cmd.exe" Attack
 5% Scan for port 27374 for SubSeven (2600 Magazine)
 3.8% Scan for vulnerable or mis-configured FTP servers
 2.8% Scans for RPC enabled
 1.3% Scans for ssh (Exploit)
 1.2% Scans for LPD (Exploit) (Source: RipTech)
General Types of Hackers
 Kiddie Scripters
 Black hats
 Network-savvy employees
 Government Entities
Kiddie Scripters
 Run scripts from hacker sites
 Rarely recompile to change ports or affect
attack signatures
 Poor resources - usually tied to an ISP
 Usually want a quick “hit” or break-in and
are largely indiscriminate about targets
 Leave behind lots of evidence
Take Your Pick of Hacker
Groups
Places for Evil
Know Your Enemy--Places to Visit
 http://www.hacktech.org/
 http://surf.to/damage_inc
 http://www.oninet.es/usuarios/darknode/
 http://b0iler.eyeonsecurity.org/tutorials/index.html
 http://ist-it-true.org/pt
 http://hackersplayground
 http://packetstorm.widexs.nl/exploits20.shtm
 http://astalavista.box.sk.
Black Hats
 Re-compile code of others to change attack
signatures
 Write programs that may or may not be shared
 Moderate resources - usually tied to an ISP but can
have own domains and domain servers
 Much more cautious and attacks may be spread over
weeks
 Mafia organizational models: key talented hackers
with high skills are generally isolated by layers of
“kiddie scripters” for protection
Reconnaissance
Look for a file that doesn't exist on a web server: the 404 error page will reveal the server software and version
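The 404 trick above, as an added example that is not part of the original slides: a parser that pulls the Server header out of a raw HTTP response, plus the socket helper that asks a server for a path that cannot exist. The sample response is constructed to look like a 2001-era IIS answer; it was not captured from any host.

```python
"""Added example (not from the slides): read the server banner from a 404."""
import socket
from typing import Dict, Optional

# Constructed sample response (not captured from a real host).
SAMPLE_404 = (
    b"HTTP/1.1 404 Object Not Found\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Thu, 15 Nov 2001 22:11:50 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

def parse_http_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased header map; the body is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1", errors="replace").split("\r\n")
    headers = {"status-line": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def server_banner(raw: bytes) -> Optional[str]:
    """The Server header (product and version), or None if the server hides it."""
    return parse_http_headers(raw).get("server")

def probe_nonexistent_path(host: str, port: int = 80, timeout: float = 5.0) -> Optional[str]:
    """Request a path that does not exist and read the Server header from the 404.
    Network helper: only run it against hosts you are authorised to test."""
    request = (
        f"GET /this-path-does-not-exist-{port} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
            if b"\r\n\r\n" in b"".join(chunks):   # headers complete, body not needed
                break
    return server_banner(b"".join(chunks))

if __name__ == "__main__":
    print(server_banner(SAMPLE_404))
```

The defensive counterpart is to stop volunteering the version: Apache's `ServerTokens Prod` trims the header to the product name, and IIS of that era needed a filter such as URLScan to strip it.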
Network-Savvy Employees
 Never share or use code of others unless it
is an intentional deception
 Inside knowledge of infrastructure enables
more sophisticated approach
Governments
 Attacks and coordinated probes may stretch over a period of months or years and are calculated to bypass the best IDSes
 Launched as part of policy
 Have direct access to tier 1 Internet service providers (ISPs) or use government resources
 Able to manipulate domain and WHOIS databases, root servers, and Internet routing paths
 May be recruited from black hats or federal agencies
Nuisance Threats
 These individuals may evolve from online
trespass and vandalism to more criminal
activity such as theft of information,
extortion, and credit card fraud
 In addition, this group is a pool of potential
resources for more traditional criminal
elements to exploit either directly or
indirectly
Low Level Threats
On-line Trespass
Vandalism
Script Kiddies – compile
existing hacker code
Existing vulnerabilities
Malicious Threats
 Launch viruses or self-propagating "bots" that harvest e-mail addresses, credit card numbers, or other valuable data
 Identity theft is big business
Doomsday Threats
 After key financial information that can be
leveraged for money
 Scan likely unfriendly nations for critical
infrastructure weak points
 Characterized by long term stealth (not
noisy) scans and probes
 Access to resources
 Undetectable
Criminal Activity Categories
 Extortion
 Organized Crime
 Political Groups (Terrorists)
 Industrial Espionage and Sabotage
 International Intrusions
Criminal Activity
49% of information security professionals' companies have had personnel who physically destroyed or stole computing equipment, up from 42% in 2000. Industry Survey from Information Security Magazine, 2001. See
http://www.vectec.org/researchcenter/stats.html?category=9
Hacker Pattern Reuse
 Each hacker has a “signature” for attack
methodologies
 It is often possible to describe each separate
attacker by their trademark styles and
choice of tools and exploits
 Once they find a sequence or type of attack
that works they use the same choice of
tools each time
Seven Step Attack Profile
Overview
 Reconnaissance – gathering information on your organization
 Foot printing – get the network details
 Port Scanning – find the actual services available
 Enumeration – promising targets are identified in more detail
 Gaining Access – choose an informed hack/crack
 Escalating Privileges – elevate to system access
 Pilfering – grab any interesting/profitable data
 Covering Tracks – hide the interloper's romp through the machine
Profiling
 Objective
– Gathering information about the
organization
 Technique
– Web searches, public documents, and
legal databases
 Web browsers – most public or legally
available information is now available on
line
Sniffers Are Your Friend
and Foe
 Everything that touches your machine from a data
network can be seen on a sniffer: Passwords,
account names, social security numbers, birth
dates, and other personal information
 Hackers frequently use sniffers to ply their trade
 Sniffers also help the good guys by catching issues that IDSes and firewall logs will miss
Network Associates (NAI)
Sniffer
 Premier network diagnostic program available to network professionals
 A great number of hacker sniffers instead concentrate on capturing and logging targeted information such as user names, passwords and commands
 dsniff is a package of password grabbers, including mailsnarf, an e-mail grabber
dsniff
Sniffer Exploits
 Sniffers are programs that put the network interface into "promiscuous" mode
 In that mode the driver hands every frame on the local network segment to the sniffer, not just the frames addressed to the host
 In segments that use Ethernet hubs, as opposed to switches, the attacker can log every user's traffic on the segment
Dsniff – Password-Decoding Sniffer
 dsniff listens patiently for passwords to come along
 It decodes NetBIOS-based Windows, IMAP, POP3, SNMP, and many other authentication exchanges; it does not break encryption, it relies on protocols that send credentials in the clear
 If you are using network diagram programs like Visio, TGV (Computer Associates) and HP OpenView with the read/read-write SNMP community string, you are giving that string away to attackers
Sniffer Defenses
 Ethernet switches are not a security panacea
 Flooding the switch with bogus source MAC addresses can fill the bridge (CAM) table and cause one of two switch behaviors:
– 30% of the time the switch starts forwarding ALL packets to ALL ports (hub behavior), and the attacker sniffs as on a hub
– 70% of the time the switch crashes
Sniffer Defense
 Monitor your switch reboots with the Simple Network Management Protocol (SNMP)
 Send SNMP "traps" to your central security monitoring console when switches reboot or report switch table "full" error events
 It is also very valuable to centrally log switch and router SNMP AUTH events, which report login authorization failures!
Sniffer Defense
 @stake makes a sniffer "detector", AntiSniff, available for trial and sale
 Hosts running promiscuous drivers take notably longer to process network requests
 AntiSniff detects sniffers by measuring that delay in the IP stacks of the hosts on the segment
L0PHT (@stake) antisniff
Foot Printing
 Objective
– Get address range, namespace details, contacts, and
reverse domain info
 Technique
– Open source info, DNS, iterative reverse DNS or zone
transfer
 Tools
– nslookup, dig, whois, ARIN whois, etc.,
– Plain old HTTP lookups on their favorite search
engine, Google, Altavista
Foot printing
 whois
 nslookup
 Registry whois servers
• http://www.arin.net/whois/index.html
• Department of Defense
• RIPE
• APNIC
 Web Search Engines
– Google
Domain Name Service (DNS)
 The Domain Name System (DNS) is a hierarchical, distributed directory that maps names (text strings) to the IP addresses that applications actually use
 The servers that hold this directory are domain name servers, or simply name servers
Domain Name Services (DNS)
 DNS servers load forward and reverse zone files that contain the resource records for a domain
 Forward zone files include resource records such as:
 "A" records for IP addresses
 HINFO records for hardware and operating system information (handy for an attacker, rarely needed by anyone else)
 CNAME (canonical name) records for aliases
 MX (mail exchange) records for email
Whois
Domain Lookup
http://www.arin.net/whois/index.html
http://www.geektools.com/cgi-bin/proxy.cgi
Geektools.com
DNS Exploit – Information
Grabbing
Programs like Sam Spade and whois
reveal an enormous amount of
information about your company
Internet connections, managers, and
administrative contacts.
Sam Spade
DNS Exploit – Information
Grabbing
Defense
 Use two DNS servers, one inside your network,
and another outside. This is called the “split”
domain name server architecture.
 By blocking the inside name server that has all
the network information from outside access – it
is possible to hide inner host information from
interlopers
 Allow only the most essential information to be
available to the general Internet.
 Secure the servers the Internet “knows about.”
“Split” Domain Servers
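The split architecture above, as an added configuration example that is not from the slides: BIND 9 "views" let a single named present the two faces the deck describes, an internal zone with everything and an external zone with only the essentials, with zone transfers refused to the outside. The 10.0.0.0/8 internal range, the 10.0.0.2 secondary and the zone file paths are assumptions for illustration.

```conf
// Added example (not from the slides): split DNS with BIND 9 views.
acl "internal-nets" { 10.0.0.0/8; 127.0.0.1; };   // assumption: our inside ranges

// Views are tried in order, so the restrictive client match comes first.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                                // resolve for our own hosts only
    zone "example.com" {
        type master;
        file "zones/internal/db.example.com";     // full record set, HINFO included
        allow-transfer { 10.0.0.2; };             // internal secondary only (assumption)
    };
};

view "external" {
    match-clients { any; };
    recursion no;                                 // never recurse for the Internet
    zone "example.com" {
        type master;
        file "zones/external/db.example.com";     // www, mail exchangers, nothing else
        allow-transfer { none; };                 // no AXFR to the outside
    };
};
```

Check it from outside with `dig @<your-server> example.com AXFR`: a correctly split server answers "Transfer failed", and a query for an inside-only host returns NXDOMAIN rather than the internal address.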
Denial of Service Exploit
 Lots of connections enter the half-open TCP state: the attacker sends SYN packets to synchronize sequence numbers and never completes the handshake
 While a connection is half open the host consumes CPU time and allocates memory buffers, consuming limited resources on the host machine
 The host is usually sending its SYN/ACK replies to a "spoofed" attacker address, so the final ACK never arrives
 If enough TCP half-open states are started on the target machine . . .
 It runs out of memory or CPU resources and stops accepting new connections, or crashes
Denial of Service Defense
 Specialized intrusion detection systems recognize DoS attacks and issue RST packets to the sender, the destination, or both, killing the network connection
 The host machine immediately releases resources upon receipt of a packet with the RST flag set
Denial of Service Defense
 Reduce the TCP half-open (SYN-received) timer on your servers from the default the deck cites, 600 seconds, to about 3
 This "times out" the connection state and lets your server recoup its resources faster and resist this attack
 Increase the server resources: memory is cheap
 Allocate additional half-open connection buffers (the SYN backlog) to absorb the attack; the deck's rule of thumb is bumping it from 10 to 200
 Modern stacks add SYN cookies, which encode the connection state in the server's initial sequence number so nothing is held in memory until the handshake completes
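The two defense slides above, as an added example that is not from the original deck: a half-open connection tracker of the kind an active IDS or a host's SYN-backlog logic maintains, replayed over a constructed capture. It shows the flood as the table sees it and why shortening the SYN timer works. Addresses are documentation ranges; the packet records are constructed, not captured.

```python
"""Added example (not from the slides): half-open TCP tracking over a constructed capture."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

class Pkt(NamedTuple):
    t: float      # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    flags: str    # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R"/"RA" = reset

def half_open_table(packets: List[Pkt], timeout: float) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Replay packets in time order. A SYN opens a half-open slot; the client's
    ACK (or a RST from either side) closes it; slots older than `timeout`
    seconds are reclaimed, as the server's SYN-received timer would reclaim them.
    Returns (half-open slots still held per destination host, SYNs seen per source)."""
    pending: Dict[Tuple[str, int, str, int], float] = {}   # (src, sport, dst, dport) -> SYN time
    syns_per_src: Dict[str, int] = defaultdict(int)
    for p in sorted(packets, key=lambda x: x.t):
        for key, t0 in list(pending.items()):              # expire stale slots first
            if p.t - t0 > timeout:
                del pending[key]
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            pending[key] = p.t
            syns_per_src[p.src] += 1
        elif p.flags == "A":                               # third packet: handshake completed
            pending.pop(key, None)
        elif "R" in p.flags:                               # reset from either direction frees the slot
            pending.pop(key, None)
            pending.pop((p.dst, p.dport, p.src, p.sport), None)
    per_dst: Dict[str, int] = defaultdict(int)
    for (_src, _sport, dst, _dport) in pending:
        per_dst[dst] += 1
    return dict(per_dst), dict(syns_per_src)

def syn_flood_suspects(packets: List[Pkt], timeout: float, backlog: int) -> Dict[str, int]:
    """Destinations whose held half-open slots reach the backlog size."""
    per_dst, _ = half_open_table(packets, timeout)
    return {dst: n for dst, n in per_dst.items() if n >= backlog}

def sample_capture() -> List[Pkt]:
    """Constructed capture: 200 SYNs from spoofed sources to 192.0.2.10:80 within
    two seconds, none ever completed, then one legitimate handshake at t=10 s."""
    pkts = [Pkt(i * 0.01, f"203.0.113.{i + 1}", "192.0.2.10", 40000 + i, 80, "S") for i in range(200)]
    pkts += [
        Pkt(10.00, "10.0.0.5", "192.0.2.10", 51515, 80, "S"),
        Pkt(10.01, "192.0.2.10", "10.0.0.5", 80, 51515, "SA"),
        Pkt(10.02, "10.0.0.5", "192.0.2.10", 51515, 80, "A"),
    ]
    return pkts

if __name__ == "__main__":
    cap = sample_capture()
    print("timeout 600 s:", syn_flood_suspects(cap, 600.0, 128))
    print("timeout   3 s:", syn_flood_suspects(cap, 3.0, 128))
```

With the deck's 600-second timer all 200 spoofed slots are still held when the legitimate client arrives; with a 3-second timer they have all been reclaimed. On Linux the same outcome without any table is `net.ipv4.tcp_syncookies = 1`.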
Logical Data Network Structure
 Networks are made up of network devices that
pass packets based on addresses and network
paths
 Routers and switches keep track of these
addresses and routes in internal tables
 What are some examples of these internal
tables?
Logical Data Network Structure
 "Switch" (bridge/CAM) tables
– Layer 2 (MAC) addresses associated with a physical interface
 "ARP table": layer 3 network addresses associated with an L2 address and usually a physical interface
Logical Data Network Structure
 "Routing table": layer 3 network route mappings associated with a next hop and an outgoing (physical) interface
Internet Control Message Protocol (ICMP)
 Routers that become congested may return an ICMP "source quench" message as a simple form of flow control
 Some routers send a source quench when their communication buffers fill up (the message is deprecated today and widely ignored)
 ICMP is the traffic cop for IP networks
RARP, BOOTP, and DHCP
 RARP (earlier slide) – given the MAC (L2) address, give me the network (L3) address
 BOOTP – an improvement on RARP that gave us automated IP addresses, boot images, gateway addresses, etc.
 DHCP – Dynamic Host Configuration Protocol – a later IETF protocol built on BOOTP that added leases, vendor- and user-specified options, and advanced abilities such as redundancy
Crafted Packets Exploit
Build what you want and create a hack - a thousand different ways.
(Fragment of a libnet 1.0-style program that crafts an ICMP Parameter Problem message with a second IP packet embedded in it; the declarations and the rest of the program are not on the slide.)

    if ( (packet = malloc(1500)) == NULL ) { perror("malloc: "); exit(-1); }
    if ( (sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1 ) { perror("socket: "); exit(-1); }
    libnet_build_ip(len,                  /* Size of the payload */

    /* ICMP Header for Parameter Problem
     * --------------+---------------+---------------+--------------
     * |  Type (12)   |   Code (0)    |           Checksum            |
     * --------------+---------------+---------------+--------------
     * |   Pointer    |                   unused                      |
     * --------------+---------------+---------------+--------------
     * Internet Header + 64 bits of original datagram data....
     */
    /* Need to embed an IP packet within the ICMP */
    ip = (struct ip *) (packet + IP_H + 8);   /* 8 = icmp header */
    ip->ip_v   = 0x4;                 /* IPv4 */
    ip->ip_hl  = 0xf;                 /* Some IP options */
    ip->ip_tos = 0xa3;                /* Whatever */
    ip->ip_len = htons(data_len);     /* Length of packet */
    ip->ip_id  = 30241;               /* Whatever */
    ip->ip_off = 0;                   /* No frags */
    ip->ip_ttl = 32;                  /* Whatever */
    ip->ip_p   = 98;                  /* Random protocol */
    ip->ip_sum = 0;                   /* Will calc later */
    ip->ip_src.s_addr = ins_src_ip;
    ip->ip_dst.s_addr = ins_dst_ip;
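The same datagram the libnet fragment sketches, as an added example that is not from the slides: built in pure Python with correct Internet checksums so the reader can see every byte. Addresses are documentation ranges and the pointer value is arbitrary; nothing leaves the machine unless you call send_raw() yourself, which needs root and permission to test the target.

```python
"""Added example (not from the slides): craft an ICMP Parameter Problem datagram by hand."""
import socket
import struct

IPPROTO_ICMP = 1
ICMP_PARAM_PROBLEM = 12

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int,
                      ttl: int = 32, ident: int = 30241, tos: int = 0) -> bytes:
    """20-byte IPv4 header with no options, checksum filled in."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_param_problem(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                        pointer: int, inner_proto: int = 98) -> bytes:
    """IP + ICMP type 12 code 0, carrying an embedded IP header plus 8 bytes of
    'original' datagram data, exactly the layout in the deck's comment block."""
    inner = build_ipv4_header(inner_src, inner_dst, 8, inner_proto) + b"\x00" * 8
    body = struct.pack("!BBHB3x", ICMP_PARAM_PROBLEM, 0, 0, pointer) + inner
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return build_ipv4_header(outer_src, outer_dst, len(icmp), IPPROTO_ICMP) + icmp

def checksums_ok(pkt: bytes) -> bool:
    """A correctly checksummed header or message sums to zero under one's complement."""
    return inet_checksum(pkt[:20]) == 0 and inet_checksum(pkt[20:]) == 0

def send_raw(pkt: bytes) -> int:
    """Hand the finished datagram to the kernel unchanged (IPPROTO_RAW implies IP_HDRINCL on Linux).
    Requires root; use only against hosts you are authorised to test."""
    dst = socket.inet_ntoa(pkt[16:20])
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        return s.sendto(pkt, (dst, 0))

if __name__ == "__main__":
    pkt = build_param_problem("192.0.2.1", "192.0.2.2", "198.51.100.7", "192.0.2.2", pointer=9)
    print(len(pkt), "bytes, checksums ok:", checksums_ok(pkt))
```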
DNS Exploit – Cache
Poisoning
DNS queries are heavily cached on
servers. What if an attacker could craft
a packet that “poisons” the DNS cache
with the wrong information?
Could a hacker/cracker redirect
domain name server queries to the
wrong machine?
What Else Could Crafted Packets Do?
 Distribute a bad route to your core data network routers, black-holing much of your network traffic
 Foul up switched networks with bogus bridge protocol data unit (BPDU) packets that make spanning tree shut off network interfaces
 Block router IP interfaces with bad ARP replies
Crafted Packets Defense
Turn everything off!
 Do not require or allow ICMP features like gateway redirection, source quench, or router advertisement
 Turn off the spanning tree protocol (STP) where it makes sense
 Use the authenticated and encrypted versions of any available protocols, e.g., OSPF with authentication rather than RIP version 1, which has none
 Tie your routers together with access control lists (ACLs) to control inbound broadcasts
 Don't "do it by the book": Cisco design principles value "speed" of the network over security. Application server speed is king, and people on LANs don't perceive LAN speed optimization as delays
netcat
netcat, the Swiss army knife of hacking.
 Can listen on an arbitrary port and receive whatever arrives
 Can be set up to send arbitrary (crafted) payload data to an arbitrary port
 Usually traffic is first captured into a hex file, the data is edited, and it is sent back out onto the same network it came from
Netcat options – scary!!!
Netcat listener
Netcat Listener Receiving Test Text
Port Scanning
 Target ID and assessment for attack
– What looks most promising?
 Technique
– ICMP sweep, TCP/UDP scans, OS detection.
What is the version of Windows they are
running? What are the publicly available
hacks/cracks for this version?
 Tools
– fping, hping, nmap, ncat -p, fscan, queso
Ports or Service Addresses
 A service address, or port, is a 16-bit number (0 to 65535). Example: 31337
 Port addresses let the receiving host know which application a data packet is intended for
 Popular service addresses or ports are 80 for http, 23 for telnet, 20 and 21 for file transfer protocol, 22 for ssh (secure shell)
How Do I Know What Services Are Running?
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.submission           *.*                    LISTEN
tcp4       0      0  *.sunrpc               *.*                    LISTEN
udp6       0      0  *.chargen              *.*
udp4       0      0  *.echo                 *.*
udp4       0      0  *.time                 *.*
udp4       0      0  *.daytime              *.*
udp4       0      0  *.bootps               *.*
udp4       0      0  *.tftp                 *.*
udp4       0      0  *.ntalk                *.*
udp4       0      0  *.1011                 *.*
udp4       0      0  *.nfsd                 *.*
udp4       0      0  *.1023                 *.*
udp4       0      0  *.sunrpc               *.*
udp4       0      0  *.syslog               *.*
udp6       0      0  *.syslog               *.*
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q Inode Conn     Refs Nextref  Addr
c6143ec0 dgram       0      0     0 c613efc0    0 c6143f00
c6143f00 dgram       0      0     0 c613efc0    0 c6143f40
netstat!
UDP Packet Ports
TCP Addresses
How Do Hackers Generate Port Scans?
Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Insufficient responses for TCP sequencing (3), OS detection may be less accurate
Interesting ports on william.clark (192.168.1.130):
(The 1007 ports scanned but not shown below are in state: closed)
Port       State   Service
7/tcp      open    echo
19/tcp     open    chargen
21/tcp     open    ftp
22/tcp     open    ssh
23/tcp     open    telnet
25/tcp     open    smtp
37/tcp     open    time
79/tcp     open    finger
111/tcp    open    sunrpc
139/tcp    open    netbios-ssn
512/tcp    open    exec
513/tcp    open    login
514/tcp    open    shell
540/tcp    open    uucp
587/tcp    open    submission
1022/tcp   open    unknown
1023/tcp   open    unknown

Remote operating system guess: MacOS X 10.0.4 (Darwin V.  1.3-1.3.7 or 4P13)   < O.S. Guess!
Uptime 0.007 days (since Thu Nov 15 15:11:50 2001)
Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
nmap
How do hackers generate port
scans?
nmapfe
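The simplest of the scans nmap offers, a TCP connect() scan, as an added example that is not from the slides. It runs against a throwaway listener the script starts itself, so it works offline and scans nothing you do not own; point connect_scan() elsewhere only with permission.

```python
"""Added example (not from the slides): a TCP connect() scan against a local listener."""
import socket
from typing import Dict, Iterable, List

def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Bind a TCP listener on a kernel-chosen port; the 'target' for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv

def service_name(port: int, proto: str = "tcp") -> str:
    """nmap's Service column comes from the same table as /etc/services."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"

def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.3) -> List[int]:
    """Complete a full three-way handshake on each port and report the ones
    that accepted. Loud: every probe lands in the target's logs, which is why
    attackers prefer half-open (SYN) scans, which need raw sockets."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 = connected, otherwise an errno
                found.append(port)
    return found

def demo() -> Dict[str, object]:
    """Start a listener, scan the ports around it, and report nmap-style."""
    srv = start_listener()
    port = srv.getsockname()[1]
    try:
        found = connect_scan("127.0.0.1", range(port - 3, port + 4))
    finally:
        srv.close()
    return {"listening": port, "found": found,
            "report": [f"{p}/tcp open {service_name(p)}" for p in found]}

if __name__ == "__main__":
    for line in demo()["report"]:
        print(line)
```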
Features of TCP Packets
 Sequence numbers – where does this segment sit in the sequence or flow of data?
 Window size – how many bytes may I send before requiring an acknowledgement?
 Flags – RST: set on errors; may be used as a session "stopper" in "active" intrusion detection
– SYN: set to synchronize sequence numbers
– ACK: acknowledges data and session information
TCP A Connection Oriented Protocol
 The TCP protocol for IP packets (TCP/IP) has features that let the endpoints keep track of:
– How much data needs to be sent?
– How much has been sent?
– How much is left to be sent?
– If there is an error, which segments need to be sent again?
Man in the Middle Attacks
 There exist TCP "session grabbing" programs, such as "Juggernaut" and "Hunt", that let attackers who sit where they can eavesdrop on both sides of a data connection "intercept" one end of the conversation and "take it over."
TCP Sequence Prediction
Yes, it is possible to do what's called TCP sequence prediction and pick up another session, even if you can't eavesdrop.
 The attacker first connects to the target, usually a server, and by interacting with it characterizes how that machine chooses the initial sequence numbers for its connections. If they are predictable, the attacker can forge segments the server accepts as part of another user's connection without ever seeing that connection; the blind variant also needs a way to keep the real client quiet.
 Hunt and Juggernaut exercise the same takeover on a segment the attacker can sniff, where no guessing is needed.
 Normally, you will detect Juggernaut, and its big brother Hunt, trying to break into established web site connections to other customers to steal personal information or identities.
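The analysis behind nmap's "TCP sequencing" verdict (the warning in the nmap output above), as an added example that is not from the slides: given a few initial sequence numbers collected from a target, classify the generator and, where it is predictable, guess the next ISN. The ISN samples are constructed, not collected from real hosts; the class names are a coarse version of nmap's and are an assumption.

```python
"""Added example (not from the slides): is this host's ISN generator predictable?"""
from typing import List

MASK = 0xFFFFFFFF   # ISNs are 32-bit and wrap

def isn_deltas(isns: List[int]) -> List[int]:
    """Differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) & MASK for a, b in zip(isns, isns[1:])]

def classify_isn(isns: List[int], jitter: int = 1000) -> str:
    """'constant', 'increment' (fixed step, e.g. the classic 64000-per-second
    generators), 'low-variance' (steps drift within `jitter`, typically
    time-driven) or 'random'. Anything but 'random' is hijackable blind."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    if all(d == 0 for d in deltas):
        return "constant"
    if len(set(deltas)) == 1:
        return "increment"
    if max(deltas) - min(deltas) <= jitter:
        return "low-variance"
    return "random"

def predict_next(isns: List[int]) -> int:
    """Best guess for the next ISN: the last value plus the average step."""
    deltas = isn_deltas(isns)
    step = sum(deltas) // len(deltas)
    return (isns[-1] + step) & MASK

# Constructed samples, not collected from real hosts.
PREDICTABLE = [0x10000, 0x1FA00, 0x2F400, 0x3EE00]           # +64000 every time
DRIFTING = [0x10000, 0x1FA10, 0x2F3F8, 0x3EE20]              # +64016, +63976, +64040
RANDOM_LOOKING = [0x1A2B3C4D, 0x9F8E7D6C, 0x0011AABB, 0xC0FFEE00]

if __name__ == "__main__":
    for name, sample in [("predictable", PREDICTABLE), ("drifting", DRIFTING), ("random", RANDOM_LOOKING)]:
        print(f"{name}: {classify_isn(sample)}, next guess 0x{predict_next(sample):08x}")
```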
Enumeration
 Objective
– Promising targets are identified in more detail.
 Technique
– List user accounts, trusts, find IP addresses to
attack, file shares, ID apps, etc. Are campus
wide directories available? LDAP?
 Tools
– LDAP directories, Legion, NIS, DumpACL,
sid2user, Onsite, etc.,
Address Resolution Protocol Table Entries
The address resolution protocol (ARP) table is an internal table within routers (and every IP host) that associates IP addresses with the PC's Ethernet address and also with a physical interface.
 ARP Table Entries (the slide's illustration repeats a single entry)
00-0c-34-23-af-bc 128.12.43.44 intf0
00-0c-34-23-af-bc 128.12.43.44 intf0
00-0c-34-23-af-bc 128.12.43.44 intf0
00-0c-34-23-af-bc 128.12.43.44 intf1
If an attacker could get your network's ARP information they would have the "keys" to your network.
Arpwatch – Very Common In Unix
Monitors the address resolution protocol as the network works, recording every IP-to-Ethernet pairing it sees and reporting new stations and changed addresses to the user; the same data, gathered by an attacker, is a complete map of the segment
This can give an attacker all the specific information they need to "cull" a sheep out of the herd
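The core of what arpwatch does, as an added example that is not from the slides: keep the IP-to-Ethernet table the earlier slide shows, emit report lines in arpwatch's "new station" / "changed ethernet address" style, and add two checks that expose ARP spoofing. The replies are constructed; the MAC from the slide is reused, here playing the attacker.

```python
"""Added example (not from the slides): an arpwatch-style monitor over constructed replies."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

class ArpReply(NamedTuple):
    t: int          # seconds
    ip: str
    mac: str
    iface: str

def watch(replies: List[ArpReply]) -> List[str]:
    """Replay replies in order and return arpwatch-style report lines."""
    table: Dict[str, str] = {}
    report = []
    for r in sorted(replies, key=lambda x: x.t):
        prev = table.get(r.ip)
        if prev is None:
            report.append(f"new station {r.ip} {r.mac} {r.iface}")
        elif prev != r.mac:
            report.append(f"changed ethernet address {r.ip} {prev} -> {r.mac} {r.iface}")
        table[r.ip] = r.mac
    return report

def flip_flops(replies: List[ArpReply]) -> Set[str]:
    """IPs whose MAC changed more than once: the real owner and a spoofer fighting."""
    changes: Dict[str, int] = defaultdict(int)
    last: Dict[str, str] = {}
    for r in sorted(replies, key=lambda x: x.t):
        if r.ip in last and last[r.ip] != r.mac:
            changes[r.ip] += 1
        last[r.ip] = r.mac
    return {ip for ip, n in changes.items() if n >= 2}

def macs_claiming_several_ips(replies: List[ArpReply]) -> Dict[str, Set[str]]:
    """One MAC answering for several IPs is the signature of a host
    impersonating others (or, benignly, a router); worth a look either way."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in replies:
        seen[r.mac].add(r.ip)
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}

# Constructed replies: 128.12.43.1 is the gateway, .44 a workstation.
SAMPLE = [
    ArpReply(0, "128.12.43.1",  "00-11-22-33-44-55", "intf0"),
    ArpReply(1, "128.12.43.44", "00-0c-34-23-af-bc", "intf0"),
    ArpReply(5, "128.12.43.1",  "00-0c-34-23-af-bc", "intf0"),   # .44 claims to be the gateway
    ArpReply(6, "128.12.43.1",  "00-11-22-33-44-55", "intf0"),   # real gateway answers again
    ArpReply(7, "128.12.43.1",  "00-0c-34-23-af-bc", "intf0"),   # and the spoofer re-poisons
]

if __name__ == "__main__":
    print("\n".join(watch(SAMPLE)))
    print("flip-flop:", flip_flops(SAMPLE))
    print("multi-IP MACs:", macs_claiming_several_ips(SAMPLE))
```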
Firewalls Definition
What are they?
 Firewalls are network devices that pass or
drop packets based on a programmed rule
set
 Firewall rule sets are based on physical port,
IP address, transport address (port) or other
parameters
Firewalls Definition
Firewalls are generally categorized into three groups:
 State “less”, does not maintain state or track
packet history
 State “full”, maintains state, is able to defragment
packets
 Proxy, may redirect traffic to other machines
based on FW policy. Typically used to redirect email through virus scanning software.
Basic Firewall Platforms
Types
 Packet dropping filters (stateless) –
commonly seen as access control lists
(ACL’S) in routers. Cisco dominates this
market.
 Complex or state-full firewalls – generally
seen in firewall appliances, Lucent Brick,
Cisco PIX, Check Point and Nokia all have
entries in this market.
Firewalls – Network Based
Firewalls -- Bridge Based
Bridging Firewalls are Better
Why?
 Because routing firewalls depend on IP address "gateways" to route packets
 Those external IP addresses are themselves subject to attack, and an attack on them can cut off or throttle your traffic
 Bridge-based firewalls need no external IP addresses to pass packets and as such do not have routing interfaces that can be attacked!
FW May Block Based On IP
Address
FW May Block Based On Port
Address
What Does A Basic Firewall
Setup Look Like?
Firewalls come in other flavors
The market is full of smart firewalls.
 A layer 7 or application layer firewall blocks packet streams belonging to certain applications, such as peer-to-peer media sharing programs like Gnutella
 These are also sold as traffic shaping devices
 Traffic shaping firewalls can block MP3 (audio) transfers even when the data is using a common well known service (WKS) port such as FTP or HTTP: they inspect the type of data, not just the IP address and port being used
Host Based Firewalls
Excellent protection one host at a time.
 Software running under the operating
system
 Many host software firewalls also use
intrusion detection algorithms in tune with
the firewall to protect the host
 Commercial software such as Norton,
McAfee, Black Ice Defender, and Zone
Alarm dominate this market
Host Based Firewalls: Black Ice
Defender
Host Based Firewalls: Black
Ice Defender
Host Based Firewalls: Norton
Host Based Firewalls: Tiny
Firewall
Network Address Translation
(NAT)
 Firewalls that "hide" multiple IP addresses behind a single IP address!
 This has the effect of confusing attackers. In particular, an "nmap -O" scan, which tries to determine the operating system, will be "all over the map" and generally fail through NAT with multiple machines behind it
 The NAT algorithm is easily modified to control or block inbound versus outbound connections
Network Address Translation
(NAT)
FW Rule Sets - Examples
 Loose (Higher Education)
– Accept all, specifically deny dangerous ports (services)
 Moderate (Corporate)
– Deny all except for well known services on known machines
 Tight (Defense)
– Deny all except the generals to nba.com.

Rule name                                  Dir   Src  Dst  Rule ID  Action  Note
Sub 7 Trojan                               BOTH  *    *    GI064A   pass
Quake and Derivatives                      BOTH  *    *    GI064B   pass
Hack-a-Tack                                BOTH  *    *    GI068A   pass
Sub 7 Artifact                             BOTH  *    *    GI035A   pass
Sub 7 Trojan                               BOTH  *    *    GI034B   pass
NetSphere Trojan                           BOTH  *    *    GI064B   pass
SANs Russian Trojan SD423439 Host Blocks   BOTH  *    *    GI021A   pass    ***This one was mine!
mstream DoS attack                         BOTH  *    *    GI087g   pass    ***Interesting port to monitor.
GNUTELLA                                   BOTH  *    *    GI086    pass    ***Peer to peer stuff. Season to your taste.
Deep Throat Trojan Back Door SANs          BOTH  *    *    GI085    pass
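The "loose" and "moderate" rule-set styles above, as an added example that is not from the slides: a first-match, stateless packet filter evaluated over constructed packets (the "tight" set is the deck's joke and is left out). The 192.0.2.0/24 network, its two servers and the port choices are assumptions; SubSeven's port 27374 is the one the deck's attack list names.

```python
"""Added example (not from the slides): first-match packet filtering, loose vs moderate policy."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    action: str              # "accept" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # CIDR; "0.0.0.0/0" is any
    dst: str
    dport: Optional[int]     # None = any port
    note: str = ""

class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))

def decide(rules: List[Rule], default: str, pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; otherwise the default policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.note
    return default, "default policy"

ANY = "0.0.0.0/0"
# Loose (higher education): accept everything, pick off known-dangerous ports.
LOOSE = [
    Rule("deny", "tcp", ANY, ANY, 27374, "SubSeven"),
    Rule("deny", "tcp", ANY, ANY, 139, "NetBIOS session from outside"),
]
# Moderate (corporate): deny everything except well-known services on known machines.
MODERATE = [
    Rule("accept", "tcp", ANY, "192.0.2.10/32", 80, "public web server"),   # assumption
    Rule("accept", "tcp", ANY, "192.0.2.20/32", 25, "mail exchanger"),      # assumption
]
POLICIES = {"loose": (LOOSE, "accept"), "moderate": (MODERATE, "deny")}

def evaluate(policy: str, pkt: Packet) -> str:
    rules, default = POLICIES[policy]
    return decide(rules, default, pkt)[0]

if __name__ == "__main__":
    telnet = Packet("tcp", "203.0.113.5", "192.0.2.30", 23)
    for name in POLICIES:
        print(name, "telnet to an unlisted host:", evaluate(name, telnet))
```

This filter is stateless in the deck's sense: it cannot tell a reply packet from a new connection, which is why a moderate policy on a stateless box still needs explicit rules for return traffic, and why stateful firewalls took over.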
GRC.COM’s IPAgent Scan
(free)
IPAgent is a small program that works with a server at the grc.com web site: it does a quick service scan of your Internet address and then gives you the results in a web page. Very cool and a good way to get a good night's sleep.
Cryptographic Signatures for Log Files
cd /var/log
md5 * > md5.txt
(Results on next slide.)
What should happen to the cryptographic log signature?
 A hash list stored next to the logs is not yet a signature: whoever can edit the logs can rerun md5. Move the list off the host (or compute it with a key the host does not hold) as soon as it is made.
Cryptographic Signatures for Log Files
MD5 (DumpACL.bmp) = 605a3a25509ae2544be6226d80f03f88
MD5 (Google on 1.2.doc) = 754ca03e3d9ebda8417a6077ca6a0d01
MD5 (L0PHTAntiSniff.bmp) = bf103290401593b6facd7348af8e8176
MD5 (L0PHTCrack3init.jpg) = 7ed453ee8e3dfb49109deb48bc3e49ad
MD5 (LANguard01.bmp) = 4a5b1d9ebb705a40d692e771bd3008be
MD5 (LANguard02.bmp) = 0d9e0bcac7996e5aebe194e99be6be06
MD5 (LANguard03.bmp) = 112069b54acf47e638987f02b77bd3f3
MD5 (LANguard04.bmp) = 2596984869bb792735c34ae8aa294ff2
MD5 (LANguard05.bmp) = 2b662e5ef494a4bc7aff0b983a548d46
MD5 (LANguard06.bmp) = c97ccaef49926c77fb2bc62c44f06e9b
MD5 (NAISniffer.bmp) = cf0e4cbd7569718e284a71f4a7b30ef6
MD5 (SamSpade.bmp) = fb918f4fceb8b6c97c9725558324127a
MD5 (SamSpade2.bmp) = 52c0d752b7dd4661466a9a01123259cf
MD5 (SamSpade3.bmp) = c49ecd049e47135b481166abbf67ffb9
MD5 (inzider2.jpg) = eb0fb6b0f8df47f7c63ba7b8d15ebdfc
MD5 (md5.txt) = d41d8cd98f00b204e9800998ecf8427e
MD5 (netstata.txt) = 35642c009d287a329fb783b6ab1a9fbd
MD5 (nmap.txt) = d663bb68fbf4a215fb9daa30f33b0aba
(md5.txt is the listing's own output file: the shell created it empty before md5 ran, so it was hashed as an empty file; d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes.)
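What the md5 listing above should become, as an added example that is not from the slides: a keyed HMAC-SHA256 manifest in place of the bare MD5 list (a deliberate swap from the deck's md5), returned to the caller to be stored off the host, since a hash list kept beside the logs can be regenerated by whoever edits them. The log files and the key are constructed in a temporary directory.

```python
"""Added example (not from the slides): keyed manifest for log files, with tamper detection."""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, List

def sign_logs(log_dir: Path, key: bytes) -> Dict[str, str]:
    """HMAC-SHA256 every regular file in log_dir; return {name: hex tag}."""
    return {p.name: hmac.new(key, p.read_bytes(), hashlib.sha256).hexdigest()
            for p in sorted(log_dir.iterdir()) if p.is_file()}

def verify_logs(log_dir: Path, key: bytes, manifest: Dict[str, str]) -> List[str]:
    """Names of files that no longer match, went missing, or appeared since signing."""
    current = sign_logs(log_dir, key)
    bad = [name for name, tag in manifest.items()
           if name not in current or not hmac.compare_digest(current[name], tag)]
    bad += [name for name in current if name not in manifest]
    return sorted(bad)

def demo() -> Dict[str, List[str]]:
    """Sign two constructed logs, then tamper with one and verify again."""
    key = b"keep-this-off-the-box"      # assumption: the key lives on the log collector, not here
    with tempfile.TemporaryDirectory() as d:
        log_dir = Path(d)
        (log_dir / "messages").write_text("Nov 15 15:11:50 host sshd[123]: Accepted password for root\n")
        (log_dir / "secure").write_text("Nov 15 15:12:01 host su: root to nobody\n")
        manifest = sign_logs(log_dir, key)           # ship this off-host immediately
        clean = verify_logs(log_dir, key, manifest)
        (log_dir / "messages").write_text("")        # the intruder 'cleans' the log
        (log_dir / "rootkit.log").write_text("oops\n")  # and leaves a new file behind
        tampered = verify_logs(log_dir, key, manifest)
    return {"before": clean, "after": tampered}

if __name__ == "__main__":
    print(demo())
```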
Firewall Logs
Incredible amounts of information is available from
FW logs!
Napster_Sharing, 8888,"c:\xxx old drive\corel\suite8\movies\Currency.avi"
Napster_Sharing,8888,"c:\xxx old drive\program
files\napster\incomplete\09_The Making of Brain Salad Surgery.mp3"
Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\Copy
of Bob Dylan -Like A Rolling Stone.mp3"
Napster_Sharing,8888,"c:\xxx old drive\program
files\napster\incomplete\Tenacious D - With Karate Ill Kick Your Ass.mp3"
Napster_Sharing,8888,"c:\xxx old drive\program
files\napster\incomplete\{Techno}Sm_Trax_-_Got_the_Groove.mp3"
Napster_Sharing,8888,"c:\xxx old drive\corel\suite8\movies\Currency.avi"
Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\Copy
of Bob Dylan -Like A Rolling Stone.mp3"
Napster_Sharing,8888,"c:\xxx old drive\program
files\napster\incomplete\Tenacious D - With Karate Ill Kick Your Ass.mp3"
Honey Pots
PCs that wait for the hacker to connect.
 Port connection detection
– Shell scripts that spawn small programs which answer in a predefined manner on popular ports typical of standard operating systems
 Operating system sensors
– Psionic PortSentry for Linux (Unix)
– Windows operating system based connection honey pots?
Intrusion Detection Systems
PCs that monitor network traffic looking for specific data packet patterns indicative of harmful network traffic such as:
 Trojans: hidden remote access programs
 Software viruses
 E-mail subject and attachment types and content
 Suspicious FTP/TFTP transfers
 ssh and scp versions and session information
 Peer-to-Peer program login information
 Service scans or attacks by hackers
Intrusion Detection Logging
Event Severity Levels
 95% Informational/False Positives
– Network-wide port scans
 4% Warning
– Per-host scans, but no compromise
 <0.1% Critical
– Continuous attack from one IP address
 <0.01% Emergency
– Successful exploit of system
Intrusion Detection Systems
Long Term: Database Queries
 Packet databases against which SQL queries can
answer the question: who issued a single ping in the
last six months not associated with any web, e-mail,
FTP or ssh connections?
 This technique is predicated on a large database
comprised of suspicious packets
 Can discover complex relationships over a number
of months
 This is a method to discover the talented or
professional attackers!
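The long-term query above, as an added example that is not from the slides: a sqlite3 packet-summary table filled with constructed rows, and the "who sent a single ping in the last six months and never touched web, mail, FTP or ssh" question written as SQL. The columns and the 'kind' vocabulary are assumptions; the source addresses reuse ones from the deck's IDS log.

```python
"""Added example (not from the slides): the lone-pinger query over a sqlite3 packet table."""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE packets (
    ts    TEXT NOT NULL,      -- ISO date
    src   TEXT NOT NULL,
    dst   TEXT NOT NULL,
    kind  TEXT NOT NULL       -- 'ping', 'http', 'smtp', 'ftp', 'ssh', ...
)"""

# Constructed rows, not real traffic.
ROWS = [
    ("2001-02-28", "204.113.234.2", "137.190.3.212", "ping"),
    ("2001-02-28", "204.113.234.2", "137.190.3.212", "http"),    # pinged, then talked to the web server
    ("2001-08-16", "213.69.97.66",  "137.190.3.212", "ping"),    # one ping, nothing else, ever
    ("2000-11-01", "10.1.1.1",      "137.190.3.212", "ping"),    # lone ping, but over a year old
    ("2001-09-01", "192.0.2.77",    "137.190.3.212", "ping"),
    ("2001-09-02", "192.0.2.77",    "137.190.3.212", "ping"),    # two pings: a noisy scanner, not a quiet one
]

LONE_PINGERS = """
SELECT p.src, COUNT(*) AS pings
FROM packets AS p
WHERE p.kind = 'ping'
  AND p.ts >= date(:now, '-6 months') AND p.ts <= :now
  AND NOT EXISTS (
        SELECT 1 FROM packets AS q
        WHERE q.src = p.src AND q.kind IN ('http', 'smtp', 'ftp', 'ssh'))
GROUP BY p.src
HAVING COUNT(*) = 1
ORDER BY p.src"""

def load(rows=ROWS) -> sqlite3.Connection:
    """In-memory stand-in for the large packet database the deck assumes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO packets VALUES (?, ?, ?, ?)", rows)
    return conn

def lone_pingers(conn: sqlite3.Connection, now: str) -> List[Tuple[str, int]]:
    """Sources that sent exactly one ping in the six months before `now`
    and have no web/mail/ftp/ssh traffic on record at all."""
    return conn.execute(LONE_PINGERS, {"now": now}).fetchall()

if __name__ == "__main__":
    print(lone_pingers(load(), "2001-11-15"))
```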
Intrusion Detection Market
Network Associates 13%
Axent 3%
Others 10%
L3 4%
Internet Security Systems: 71%
Source: IDC and ISS
Port Scans
"nmap" is the preferred tool along with "fping" and "hping".
Src Host          Src Port  Dst Host        Dst Port  Pcol  Service
212.177.241.99    3486      137.190.3.212   143       TCP   imap
212.177.241.99    3487      137.190.3.212   110       TCP   pop3
212.177.241.99    3488      137.190.3.212   111       TCP   6/111/3488
212.177.241.99    3489      137.190.3.212   6000      TCP   x11
212.177.241.99    3490      137.190.3.212   79        TCP   finger
212.177.241.99    3491      137.190.3.212   53        TCP   dns
212.177.241.99    3492      137.190.3.212   31337     TCP   6/31337/3492
212.177.241.99    3493      137.190.3.212   2766      TCP   6/2766/3493
212.177.241.99    3494      137.190.3.212   139       TCP   netbios-ssn
212.177.241.99    3495      137.190.3.212   25        TCP   smtp
212.177.241.99    3496      137.190.3.212   21        TCP   ftp
212.177.241.99    3497      137.190.3.212   22        TCP   ssh
212.177.241.99    3498      137.190.3.212   1114      TCP   6/1114/3498
212.177.241.99    3499      137.190.3.212   1         TCP   6/1/3499
212.177.241.99    3500      137.190.160.2   80        TCP   http
212.177.241.99    3501      137.190.160.2   23        TCP   telnet
212.177.241.99    3502      137.190.160.2   143       TCP   imap
212.177.241.99    3503      137.190.160.2   110       TCP   pop3
(A Service entry of the form 6/port/port is the sensor's raw protocol/destination port/source port notation for a port it has no name for; note the sequential source ports, one per probe.)
Intrusion Detection System Logs
Severity (icon), Time, Attack, Intruder, Count,
1, 02/12/01 14:56:01, UDP port probe, 204.113.234.2, 6
1, 02/16/01 11:11:00, DNS port probe, 213.69.97.66, 1
2, 02/23/01 11:09:41, SNMP discovery broadcast, WS10060926, 1
1, 02/25/01 20:18:12, DNS port probe, cr644852-a.rchrd1.on.wave.home.com, 2
2, 02/26/01 00:43:30, SNMP discovery broadcast, wsuidrive.weber.edu, 9
1, 02/26/01 11:22:42, HTTP port probe, 204.113.234.2, 5
1, 02/28/01 11:01:58, TCP port probe, 204.113.234.2, 127
2, 02/28/01 11:02:23, TCP SYN flood, 204.113.234.2, 13
2, 02/28/01 11:04:09, TCP port scan, 204.113.234.2, 59
1, 02/28/01 11:04:09, TCP port scan, 204.113.234.2, 5531
1, 02/28/01 11:04:12, UDP port probe, 204.113.234.2, 2
2, 02/28/01 11:04:12, TCP OS fingerprint, 204.113.234.2, 6
1, 02/28/01 11:04:12, TCP ACK ping, 204.113.234.2, 4
2, 02/28/01 11:04:12, NMAP OS fingerprint, 204.113.234.2, 4
2, 03/06/01 16:41:10, UDP port scan, kappa.weber.edu, 1
1, 03/07/01 10:00:00, DNS port probe, integrex.colo.magmom.net, 1
1, 03/07/01 12:23:00, FTP port probe, cr330368-a.etob1.on.wave.home.com, 3
3, 03/14/01 13:40:09, PPTP malformed, pipeline1.weber.edu, 1
Gaining Access
 Objective
– To compile enough knowledge to choose an
informed hack/crack
 Technique
– Back doors, social engineering, buffer
overflows, promiscuous password grabs, hacks,
etc.,
 Tools
– Telephone, war dialing, crack, Legion,
pwdump2, bind and LPR hacks, etc.,
Gaining Access
 The NULL session: an anonymous connection to the IPC$ share that lets anyone enumerate users, shares and policy on Windows NT and Windows 2000 boxes in their default configuration. Microsoft's master key to any such box.
 Buffer overflows against known port services might do it
Buffer Overflows
– Diagram - typical buffer overflow
Mechanics of Buffer
Overflows
Goal: exploit a buffer overflow vulnerability to perform a malicious function on a target system.
 Identify an open port, or confirm that local access is available
 Test the input string types and boundaries accepted by the program
 Construct an input value that will perform the malicious function when executed with the program's privileges in the host program's address space
 Execute the program so that it jumps to the additional malicious code
Buffer Overflows Fuel
Network Based Worms
Recent worm attacks
 L1on Linux worm
 SQL Slammer
 Ramen Linux Worm
 Code Red worm for Windows
 Nimda Windows worm
Windows Processes
Unix processes (ps –ex or ps
auwx)
Inzider2 – What Your Mother
Didn’t Tell You
Attackers routinely bypass operating system memory and process management to hide trojan programs.
inzider2 does a brute-force check of process memory. It's important for virus checkers to look in memory for viruses and not just on disk.
Forensic Analysis of Packets
Hackers hidden? No, the evidence is on the
wire!
 TCP, UDP, and ICMP packets hold numerous clues!
– Sequence numbers
– window size
– target and source ports
– IP addresses
– flags and more offer an insight into your attacker
Forensic Analysis of Packets
Let’s try it! What’s going on in the following capture? Polymorphic destination and timing.
2000/03/23 08 20 00 18 OUT 192.72.120.74 204.113.223.234 ping_resp none 10 1120
2000/03/23 07 36 32 18 OUT 192.72.120.74 204.113.34.112 ping_resp none 7 784
2000/03/23 08 31 51 18 OUT 192.72.120.74 204.113.79.122 ping_resp none 9 1008
2000/03/23 07 46 15 18 OUT 195.238.2.19 204.113.86.205 1/3/3 none 6 576
2000/03/23 07 40 48 18 OUT 195.238.2.19 204.113.81.71 1/3/3 none 2 224
2000/03/23 07 32 35 18 OUT 195.238.2.19 204.113.81.71 1/3/3 none 6 672
2000/03/23 07 50 43 18 OUT 195.238.2.19 204.113.58.18 1/3/3 none 2 224
2000/03/23 07 59 27 18 OUT 195.238.2.19 204.113.58.24 1/3/3 none 6 672
2000/03/23 08 07 28 18 OUT 195.238.2.19 204.113.58.24 1/3/3 none 6 672
2000/03/23 07 32 48 18 OUT 195.238.2.19 204.113.81.71 1/3/3 none 2 224
2000/03/23 07 50 23 18 OUT 195.238.2.19 204.113.58.18 1/3/3 none 4 448
2000/03/23 07 59 40 18 OUT 195.238.2.19 204.113.58.24 1/3/3 none 2 224
Polymorphism and Distracters
Polymorphic destinations, sources, and ports. What’s an IDS to do?
2000/03/30 14 21 53 2 IN 192.41.60.38 204.113.124.89 6/13643/1971 1 40
2000/03/30 14 21 54 2 IN 209.252.122.37 204.113.169.21 6/65457/47868 1 40
2000/03/30 14 21 57 2 IN 130.49.68.73 204.113.230.81 6/20443/11946 1 40
2000/03/30 14 22 04 2 IN 145.101.193.19 204.113.147.45 6/64071/7698 1 40
2000/03/30 14 22 08 2 IN 209.252.122.37 204.113.144.80 6/56431/28396 1 40
2000/03/30 14 22 11 2 IN 209.252.122.37 204.113.119.121 6/11602/9082 1 40
2000/03/30 14 22 11 2 IN 208.28.236.81 204.113.110.4 6/23201/49700 1 40
2000/03/30 14 22 17 2 IN 192.41.60.38 204.113.112.82 6/59299/63684 1 40
2000/03/30 14 22 18 2 IN 199.183.9.105 204.113.234.88 6/43377/65316 1 40
2000/03/30 14 22 19 2 IN 199.183.9.105 204.113.230.106 6/59932/28865 1 40
2000/03/30 14 22 22 2 IN 209.252.122.37 204.113.202.17 6/19822/61999 1 40
2000/03/30 14 22 22 2 IN 209.247.108.212 204.113.205.71 6/46531/28491 1 40
2000/03/30 14 22 23 2 IN 208.28.236.81 204.113.253.118 6/65448/43557 1 40
2000/03/30 14 22 24 2 IN 194.47.143.229 204.113.43.81 6/64904/14091 1 40
2000/03/30 14 22 31 2 IN 204.113.53.34 204.113.63.255 netbios gm 5 1145
2000/03/30 14 22 34 2 IN 209.247.108.212 204.113.250.115 6/8463/38040 1 40
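As an added example (not part of the slides), a short Python pass over captures in the layout of the two slides above: it assumes the fields are date, hour, minute, second, rule id, direction, source, destination, a service column (TCP as 6/source port/destination port, ICMP as 1/type/code, or a name such as netbios), an optional flag word, packet count and byte count, and its sample lines are constructed on documentation addresses. Per source it flags the two patterns these captures show an analyst: many distinct destinations hit with 40-byte (header-only) TCP packets, and a host answering ICMP port-unreachable to many peers, which is what a UDP probe of closed ports leaves behind even when the probes themselves were not logged.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the slide's capture layout (documentation addresses, not real hosts):
# date, h, m, s, rule, direction, src, dst, service, [flag], packets, bytes.
SAMPLE = """\
2000/03/30 14 21 53 2 IN 198.51.100.7 203.0.113.89 6/13643/1971 1 40
2000/03/30 14 21 54 2 IN 198.51.100.7 203.0.113.21 6/65457/47868 1 40
2000/03/30 14 21 57 2 IN 198.51.100.7 203.0.113.81 6/20443/11946 1 40
2000/03/30 14 22 31 2 IN 203.0.113.34 203.0.113.255 netbios gm 5 1145
2000/03/23 07 40 48 18 OUT 192.0.2.19 203.0.113.71 1/3/3 none 2 224
2000/03/23 07 46 15 18 OUT 192.0.2.19 203.0.113.205 1/3/3 none 6 576
2000/03/23 07 50 43 18 OUT 192.0.2.19 203.0.113.18 1/3/3 none 2 224
"""
SERVICE_RE = re.compile(r"^(\d+)/(\d+)/(\d+)$")  # assumed: 6/sport/dport or 1/type/code

def parse_line(line):
    """Fixed leading fields, then variable service text, then packets and bytes at the end."""
    t = line.split()
    rec = {"ts": datetime.strptime(" ".join(t[:4]), "%Y/%m/%d %H %M %S"),
           "dir": t[5], "src": t[6], "dst": t[7], "service": " ".join(t[8:-2]),
           "packets": int(t[-2]), "bytes": int(t[-1])}
    m = SERVICE_RE.match(t[8])
    if m:
        proto, a, b = (int(x) for x in m.groups())
        rec["proto"] = proto
        if proto == 1:
            rec["icmp"] = (a, b)          # ICMP type/code; 3/3 is port unreachable
        else:
            rec["sport"], rec["dport"] = a, b
    return rec

def profile_sources(text, min_targets=3):
    """Per source: distinct destinations, time span, and two scan signatures.
    header_only_tcp: every TCP hit is exactly 40 bytes per packet (a bare SYN).
    port_unreach: ICMP 3/3 answers sent to many peers (closed UDP ports being probed)."""
    by_src = defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        r = parse_line(line)
        by_src[r["src"]].append(r)
    report = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        targets = {r["dst"] for r in recs}
        tcp = [r for r in recs if r.get("proto") == 6]
        header_only = bool(tcp) and all(r["bytes"] == 40 * r["packets"] for r in tcp)
        unreach = sum(1 for r in recs if r.get("icmp") == (3, 3))
        report[src] = {"targets": len(targets), "header_only_tcp": header_only,
                       "span_s": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
                       "port_unreach": unreach,
                       "scan": len(targets) >= min_targets and (header_only or unreach >= min_targets)}
    return report
```

Run against a real capture the thresholds will need tuning: a mail relay legitimately touches many destinations, so pair the destination count with the byte-size and ICMP signals rather than using it alone.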
Escalating Privileges
 Objective
– If user access - elevate to system access.
 Technique
– Password cracking, known exploits. Buffer overflows in known user level programs
 Tools
– L0PHTcrack, john, getadmin, sechole, lc_messages, etc. Sendmail had numerous hacks to raise privilege to “root”. Getadmin is a user level program designed to raise an unprivileged user to “admin” on Windows ‘95 and ‘98
Pilfering
 Objective
– Grab any interesting/profitable data on machine
 Technique
– Evaluate trusts, look for clear text passwords
 Tools
– cat, type, rhosts, search e-mail, LSA secrets, user data, config files, and registry data.
Covering Tracks
 Objective
– Hide the interloper’s romp through the machine
 Technique
– Clear or modify logs, hide tools, install "root" kits and trojans
 Tools
– zap, rm *.log, B.O., SubSeven, NetBus, etc.
Trojans
I want to come back and show the others in my clan!
Trojans – BackOrifice, NetBus, and SubSeven.
If you find a trojan – make sure you understand how it got there!
Covering Tracks
Generally, but not always, a malicious exit. Crash the server.
Password Cracking
L0PHT Crack III (LC4)
Case Study Nimda Worm
 Worm = self-replicating malicious code
 Discovered September 18, 2001
 Derivative of Code Red worm (June 2001)
 Affects all Windows platforms
 Estimated $500 million downtime and clean up cost in first 24 hours
 Unique in its variety of propagation techniques
Intrusion Detection Hits on NIMDA
First sign - explosive TFTP activity.
Intrusion Detection Hits on NIMDA
Second sign, all the same: file transferred! Admin.dll
Diagram (ISS) - Nimda propagation across a network with Internet, DMZ, Engineering, Accounting and desktop segments, starting from a Nimda infected server:
1. Scans for vulnerable IIS servers
2. Infects web browsers
3. Searches for network shares
4. Emails copies to other users
Nimda Lessons Learned
 Mimics and automates attacker behavior
 Threats are not confined to high profile targets
 There is no “silver bullet”
 Depth and diversity of defense is required
 A strong methodology is the only proven way to address complex security challenges
Nimda Lessons Learned
Diagram - the same network (Internet, DMZ, Engineering, Accounting, desktops) with a scanner and IDS sensors added; the annotations read:
Use patches to address vulnerabilities
Update policy to require hardening of servers and desktops
Obtain threat and vulnerability detection tools (scanner, IDS)
References
Security Web Sites and Alerts Lists
http://nsi.org
http://www.cs.purdue.edu/coast/
http://www.telstra.com.au/info/security.html
http://www.nsi.org/Compsec.html
http://www.securityportal.com/
http://www.ntbugtraq.com/
http://www.icsa.net/
http://www.phrack.com/
References
Security Web Sites
http://www.2600.com/
http://www.securityfocus.com/
ftp://ftp.porcupine.org/pub/security/index.html
http://www.l0pht.com/
http://www.ibiblio.org/matusiak/bkmrk.html/
References
Security Vulnerabilities
http://xforce.iss.net/
http://seclab.cs.ucdavis.edu/projects/vulnerabilities/#database/
http://www.cerias.purdue.edu/coast/projects/vdb.html
http://www.rootshell.com/
References
Security Tools
http://packetstorm.securify.com/
ftp://ciac.llnl.gov/pub/ciac/sectools/unix/
ftp://coast.cs.purdue.edu/pub/tools/
ftp://ftp.cert.org/pub/tools/
ftp://ftp.win.tue.nl/pub/security/
ftp://ftp.funet.fp/pub/unix/security/
References
Securing Wireless Ethernet
http://c:\CISO_CDROM\Protecting 802.11b Networks.txt
References
Encryption
http://www.gnupg.org/ - GNU Privacy Guard (pgp replacement)
http://www.openssl.org/ - OpenSSL (Free SSL toolkit)
http://www.pgpi.com/ - PGP (International)
http://www.pgp.com/ - PGP (US)
http://www.ssh.fi/ - SSH Communications
http://net.lut.ac.uk/psst/ - psst - gnu's ssh replacement
http://www.ssleay.org/ - ssleay (use OpenSSL now)
Resources
Conferences
http://www.sans.org/newlook/home.php
http://www.gocsi.com/wkshop.shtml/
http://www.nsa.gov/isso/programs/coeiae/index.htm
http://www.misti.com/
http://csrc.nist.gov/ATE/
References
Security Trends
http://c:\CISO_CDROM\Hack Attacks Global Concern.html
http://www.vnunet.com/News/1126993.html
http://C:\CISO_CDROM\Managing the CyberThreat.htm, Control Risks Group.
http://www.esat.kuleuven.ac.be/cosic/news-981028.html
http://www.sans.org/, See
http://C:\CSO_CDROM\Threats.htm
References
Security Trends
http://www.vectec.org/researchcenter/stats.html?category=9
http://www.securitysoftwaretech.com/antisniff/purpose.html
Software Description
http://c:\CISO_CDROM\Software Description.html
References
Covert TCP Connections
http://c:\CISO_CDROM\Covert.txt ; covert.tcp.tar
Firewall Information
http://www.linuxdoc.org/HOWTO/IP-MasqueradeHOWTO.html
Intrusion Detection Information
http://www.snort.org
References
Denial of Service
http://c:\CISO_CDROM\DoS_trends.pdf
http://c:\CISO_CDROM\grc.txt
http://media.grc.com:8080/files/grcdos.pdf
http://c:\CISO_CDROM\DDoS
http://c:\CISO_CDROM\E-mail Log (raw).txt
http://www.silicondefense.com/software/snortsnarf/
SMTP Body Parts
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc821.html
References
Setting Security Standards
http://www.gcn.com/vol19_no6/news/1564-1.html
http://csrc.nist.gov/csrc/maillist.html
http://csrc.nist.gov/csrc/standards.html
http://csrc.nist.gov/publications/nistpubs/8007/node280.html (IEEE)
http://csrc.nist.gov/publications/nistpubs/8007/node278.html (CCIT)
http://csrc.nist.gov/publications/nistpubs/8007/node279.html (ECMA)
References
Threats
Known Exploits and Prevention
http://ist-it-true.org/pt
http://hackersplayground
http://packetstorm.widexs.nl/exploits20.shtml
http://astalavista.box.sk
References
Daemon9, aka Route. "Project Neptune." (Phrack 48, Article 13, 1996)
Irwin, Vicki and Pomeranz, Hal. "Advanced Intrusion Detection and Packet Filtering." (SANS Network Security 99, 1999)
Newsham, Tim, and Ptacek, Tom. "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection." (Secure Networks, Inc., 1998)
Northcutt, Stephen. Network Intrusion Detection: An Analyst's Handbook. (Indianapolis, Indiana: New Riders, 1999)
Postel, Jon (ed.). "RFC 793: Transmission Control Protocol." (Defense Advanced Research Projects Agency, 1981)
Stevens, W. Richard. TCP/IP Illustrated, Volume 1: The Protocols. (Reading, Massachusetts: Addison-Wesley, 1994)
Windows O.S. Security How To’s
http://www.microsoft.com/technet/itsolutions/howto/sechow.asp
 Get help securing your corporate network with these step-by-step HowTo guides.
Windows 2000 Professional
System Security in Windows 2000
Apply Predefined Security Templates in Windows 2000
Change the Policy Settings for a Certification Authority (CA) in Windows 2000
Configure a Certificate Authority to Issue Smart Card Certificates in Windows 2000
Configure a Domain EFS Recovery Policy in Windows 2000
Configure Certificate Trust Lists in Internet Information Services 5.0
Configure Security for a Simple Network Management Protocol Service in Windows 2000
Configure Windows 2000 Server to Notify You When a Security Breach Is Being Attempted
Control Access to a Database on a Web Server in Windows 2000
Create Automatic Certificate Requests with Group Policy in Windows
Define Security Templates in the Security Templates Snap-in in Windows 2000
Disable the Automatic L2TP/IPSec Policy
Enforce a Remote Access Security Policy in Windows 2000
Windows 2000
Export Certificates in Windows 2000
Find and Clean Up Duplicate Security Identifiers with Ntdsutil in Windows 2000
Get a Certificate Signed by an Off-Network Root Authority in Windows 2000
Harden the TCP/IP Stack Against Denial of Service Attacks in Windows 2000
Install a Smart Card Reader in Windows 2000
Keep Domain Group Policies from Applying to Administrator Accounts and Selected Users in Windows 2000
Prevent the Last Logged-On User Name from Being Displayed in Windows 2000
Publish a Certificate Revocation List in Windows 2000
Use Group Policy to Apply Security Patches in Windows 2000
Use IPSec Policy to Secure Terminal Services Communications in Windows 2000
Use the Directory Services Store Tool to Add a Non-Windows 2000 Certification Authority (CA) to the PKI in Windows 2000
Back Up Your Encrypting File System Private Key in Windows 2000
Windows 2000 Server
 Configure a Primary Internet Authentication Service Server on a Domain Controller
Configure Remote Access Client Account Lockout in Windows 2000
Configure Security for Files and Folders on a Network (Domain) in Windows 2000
Monitor for Unauthorized User Access in Windows 2000
Prevent Users From Changing a Password Except When Required in Windows 2000
Prevent Users From Submitting Alternate Logon Credentials in Windows 2000
Restore an Encrypting File System Private Key for Encrypted Data Recovery in Windows 2000
Windows 2000 Server
Perform Security Planning for Internet Information Services 5.0
Configure the Security for a Server That Uses Microsoft NNTP Service in Windows 2000
Configure User and Group Access on an Intranet in Windows NT 4.0 or Windows 2000
Provide Secure Point-to-Point Communications Across the Internet in Windows 2000
Safely Connect Your Company to the Internet in Windows 2000
Set SMTP Security Options in Windows 2000
Use IPSec Monitor in Windows 2000
Deploy
Enable SSL for All Customers Who Interact with Your Web Site in Internet Information Services
View or Change Authentication Methods in IIS
Operate
View or Change Authentication Methods in IIS
Prevent Users from Accessing Unauthorized Web Sites in ISA Server
Provide Internet Access Through a Firewall in Internet Security and Acceleration Server
Add an Authorized Page Warning in Windows 2000
Windows 2000 Server
Configure IIS 5.0 Web Site Authentication in Windows 2000
Install Imported Certificates on a Web Server in Windows 2000
Prevent Mail Relay in the IIS 5.0 SMTP Server in Windows 2000
Prevent Web Caching in Windows 2000
Secure XML Web Services with Secure Socket Layer in Windows 2000
Set Secure NTFS Permissions on IIS 5.0 Log Files and Virtual Directories in Windows 2000
 Use Internet Protocol Security to Secure Network Traffic Between Two Hosts in Windows 2000
 Use NTFS Security to Protect a Web Page Running on IIS 4.0 or 5.0
Windows XP
Access an EFI Partition in Windows XP 64-Bit Edition
Audit User Access of Files, Folders, and Printers in Windows XP
Change the Logon Window and the Shutdown Preferences in Windows XP
Configure a Preshared Key for Use with Layer 2 Tunneling Protocol Connections in Windows XP
Create and Disable Administrative Shares on Windows XP
Delegate Security for a Printer in Windows XP
Disable the Local Administrator Account in Windows
Encrypt a File in Windows XP
Encrypt a Folder in Windows XP
Encrypt Offline Files to Secure Data in Windows XP
Manage Stored User Names and Passwords on a Computer in a Domain in Windows XP
Manage Stored User Names and Passwords on a Computer That Is Not in a Domain in Windows XP
Prevent a User From Running or Stopping a Scheduled Process in Windows XP
Remove File Encryption in Windows XP
Windows XP
Set Up a .NET Passport Account in Windows XP
Set WMI Namespace Security in Windows XP
Set, View, Change, or Remove File and Folder Permissions in Windows XP
Set, View, Change, or Remove Special Permissions for Files and Folders in Windows XP
Share Access to an Encrypted File in Windows XP
Turn On Remote Desktop Automatic Logon in Windows XP
Use Cipher.exe to Overwrite Deleted Data in Windows
Use the Autologon Feature in the Remote Desktop Connection in Windows XP
Use the Group Policy Editor to Manage Local Computer Policy in Windows XP
Use the Microsoft Personal Security Advisor Web Site in Windows
Internet Security and Acceleration Server
Configure Logging in Internet Security and Acceleration Server
Set Up and Allocate Bandwidth in ISA Server
Configure the ISA Server 2000 HTTP Redirector Filter in Windows 2000
Enable Reporting in Internet Security and Acceleration Server 2000
Filter ISA Server Web Proxy Cache Entries in Windows 2000
Windows XP
 Monitor Server Activity in Internet Security and Acceleration Server 2000
 Securely Publish Multiple Web Sites by Using ISA Server in Windows 2000
 Set Bandwidth Configuration in Microsoft Internet Security and Acceleration Server