1 / 33

EECS 354 Network Security

EECS 354 Network Security. Introduction. Why Learn To Hack. Understanding how to break into computer systems allows you to better defend them Learn how to think like an attacker Defense then becomes second-nature Security is an increasingly important field

lan
Télécharger la présentation

EECS 354 Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. EECS 354Network Security Introduction

  2. Why Learn To Hack Understanding how to break into computer systems allows you to better defend them Learn how to think like an attacker Defense then becomes second-nature Security is an increasingly important field There are many jobs for security specialists Developers are expected to be aware of security concerns

  3. Why Internet Security 3 • >The past decade has seen an explosion in concern about information security • G-20 countries recently urged to treat cyber-attacks as threat to global economy. • G20 have lost 2.5 million jobs to counterfeiting and piracy, and lost $125 billion annually to cyber-attacks. • > Security specialist markets are expanding! • “Salary Premiums for Security Certifications Increasing” (Computerworld 2007) • Up to 15% more salary • Demand is being driven not only by compliance and government regulation, but also by customers who are "demanding more security" from companies • >US Struggles to recruit compute security experts (Washington Post Dec. 23 2009)

  4. Overview Exploit demo Course information VM logistics x86 stack structure What are exploits? Why we use Linux TCP/IP Network utilities Local utilities Source code availability

  5. Course Overview Atypical structure This course is based on group learning and experience Originally developed in 2007 by grad students Have experienced undergrads as co-instructors with oversight by the professor Material tweaked and improved with each iteration The class will follow a theory and practice model We will introduce the basic theory for fundamental hacking techniques, then carry out these techniques in controlled environments

  6. Course Objectives No mandatory CTF this year Motivated students are encouraged to field a team in the iCTF Practical knowledge of computer security Theory Attack Defense

  7. Prerequisites and Materials Required EECS 213 or ECE 205 and 231 Networking (EECS 340) Highly Recommended Operating Systems (EECS 343) Familiarity with the UNIX environment No textbooks All readings will come from handouts

  8. Communication Slides will be made online prior to each class Web page: http://hamsa.cs.northwestern.edu/ Newsgroup: nuctf@googlegroups.com IRC: #NorthwesternNetsec on irc.ubuntu.com

  9. Grading There will be a short written final for this class at the scheduled exam time. Participation and Labs 40% Homework 40% Final 20%

  10. Overview Exploit demo Course information VM logistics x86 stack structure What are exploits? Why we use Linux TCP/IP Network utilities Local utilities Source code availability

  11. Class Virtual Machines Everyone has an account on hamsa.cs.northwestern.edu For testing buffer overflows, etc, use netsec-playground because it does not have ASLR You do not have a login for the other VMs: netsec-projects and netsec-demos

  12. Overview Exploit demo Course information VM logistics x86 stack structure What are exploits? Why we use Linux TCP/IP Network utilities Local utilities Source code availability

  13. Linux Memory Layout Stack Runtime stack (8MB limit) Heap Dynamically allocated storage When call malloc, calloc, new DLLs Dynamically Linked Libraries Library routines (e.g., printf, malloc) Linked into object code when first executed Data Statically allocated data E.g., arrays & strings declared in code Text Executable machine instructions Read-only FF 00 Stack Heap DLLs Heap Data Text

  14. Linux Memory Allocation Some Heap More Heap Initially Linked Stack Stack Stack Stack Heap Heap DLLs DLLs DLLs Heap Data Data Data Data Text Text Text Text

  15. Overview Exploit demo Course information VM logistics x86 stack structure What are exploits? Why we use Linux TCP/IP Network utilities Local utilities Source code availability

  16. Exploits An exploit is any computer input that takes advantage of a vulnerability to cause unintended behavior, usually to gain control of a computer system (Wikipedia) We will craft custom exploits to remotely gain control of computer systems

  17. Overview Exploit demo Course information VM logistics x86 stack structure What are exploits? Why we use Linux TCP/IP Network utilities Local utilities Source code availability

  18. Linux Learning to hack on MS Windows is like trying to learn how to dance in a body cast anonymous Linux offers low-level access to OS services as well as a powerful command-line By the end of this class everyone will be very comfortable working and hacking in a Linux environment

  19. Linux Must know Basic Linux commands (see Lab 1) Command line text editor(s) Valuable Linux filesystem (/etc, /usr, etc.) Downloading source code, compiling, and installing ./configure, make, make install Ubuntu aptitude package management Come to office hours or ask on IRC for Linux help

  20. Overview Exploit demo Course information VM logistics x86 stack structure What are exploits? Why we use Linux TCP/IP Network utilities Local utilities Source code availability

  21. TCP/IP This course assumes some knowledge of how networks work It is not necessary to understand every detail TCP Discussion Socket Discussion

  22. Overview Exploit demo Course information VM logistics x86 stack structure What are exploits? Why we use Linux TCP/IP Network utilities Local utilities Source code availability

  23. netcat The TCP/IP swiss-army knife Simplest usage: $ nc host port Downloading a webpage using netcat: $ nc google.com 80 GET / HTTP/1.1

  24. nmap Major features Host Discovery – Identifies computers on a network Port Scanning – Enumerates the open ports on one or more computers Version Detection – Determines the application name and version number of services on remote machines OS Detection – Remotely determining the operating system from network devices You must be root (use sudo) to use some features Consistently voted as one of the most used security tools

  25. Nessus Nessus is an open-source vulnerability scanner Its goal is to detect weaknesses on a target host In addition, Nessus probes the remote host for any useful information (type of OS, etc.)

  26. Overview Exploit demo Course information VM logistics x86 stack structure What are exploits? Why we use Linux TCP/IP Network utilities Local utilities Source code availability

  27. netstat/ps Once you have access to a box, what do you do? Two useful tools are netstat and ps netstat – print network connections, interface statistics, etc. ps – report a snapshot of the current running processes

  28. netstat Command line options --inet specifies the inet address family (only displays network sockets) -a/--all show all connections (both listening and non-listening sockets) -p/--program show the PID and the name of the program to which each socket belongs -n/--numeric show numerical addresses instead of trying to determine symbolic host To show all network sockets $ netstat --inet -apn

  29. ps To see all processes you are running $ ps To see all processes running on the machine $ps ax $ps aux (to see user information) To see all processes root is running $ps aux | grep root

  30. Overview Exploit demo Course information VM logistics x86 stack structure What are exploits? Why we use Linux TCP/IP Network utilities Local utilities Source code availability

  31. Source Code Availability In general, we will have source code available for analysis This mirrors many real-world situations Even without source code, many applications have documented vulnerabilities that are easily exploited Things can get tricky when source code is not available Brute-forcing becomes extremely helpful Reverse engineering is another option

  32. Source Code Most buffer overflows use the same functions No bounds check: gets, strcpy, scanf Programmer-based bounds check: memcpy, strncpy Use grep to find where these functions are used Not all are vulnerable, but it's a quick starting point

  33. Course Schedule http://hamsa.cs.northwestern.edu/schedule/

More Related