How and Why the Hackers Do It TSM 352
Good Guys vs Bad Guys • New technologies provide new capabilities – for both the trustworthy and the untrustworthy • As technologies evolve, their capabilities must be explored on both sides • The good guys develop techniques for defending and the bad guys develop techniques for attacking • Then each side adjusts to compensate for the other • We see this in all forms of crime – when police adopted fingerprinting, criminals started wearing gloves.
Know Thine Enemy • In order to develop techniques to fight crime, the good guys must understand the crimes and how they are perpetrated • Learn the hacking tools in order to learn how to defend against them • Some hacker tools are more sophisticated than the defenses that exist against them • Hackers continue to evolve their tools. No defense is guaranteed against all future attacks; the only thing you can do is adopt a solid, layered defense strategy and NOT ASSUME you are safe • Never become complacent – always watch for tell-tale signs.
A Hacker’s Mecca • The Internet was developed in a ‘trusting’ environment of cooperating researchers – it was never intended for the masses • Obviously, that has changed because... • It became a way to generate a lot of revenue – whenever money is involved the masses will come • It has received a lot of publicity • Security lags behind because of... • The rapid deployment of the Internet • The lack of a governing body • The legal profession is even further behind
Internet Security gets Attention • It’s ‘every man for himself’, so the Internet criminal is living large • This is all starting to change. The main reason is that Internet crime is hitting where it hurts – in the pocketbook of global commerce • Network administrators are learning about the threats and starting to make adjustments • A whole new market niche is appearing for network and computer-security products as well as professionals
Current Situation • Security has become a major issue – protocols are starting to evolve and new, more robust protocols are being developed • Most systems are easy to break into • There are a tremendous number of vulnerabilities, and exploits for those vulnerabilities are easy to get and easy to use • Companies don’t realize they are being attacked • Companies don’t report crimes for fear of embarrassment and lost reputation/business • Companies have no security policies that can be translated into network security controls • Security through obscurity is still widely employed
Changes in the Wind • Security awareness is climbing • New defense techniques are emerging • The ‘security professional’ of the next 5 years will look very good • There will be big increases in spending on security products and professionals over the next 5 years • The network security specialist will become a recognized profession • The hardest job of the security specialist will not be learning the technology – it will be convincing the CEOs to spend money on security.
What is the Minimum? • Invest in prevention and detection (in that order) • Close the biggest holes first • Raise the security level enough to stop the amateurs • Enable logging and actually examine the logs – a log that nobody reads detects nothing • Train employees
Word of Caution • You will be learning to use a number of exploit tools in this course • These tools should only be used in the lab environment – never on systems or networks for which you do not have written approval • As a side note – it is also much easier to learn about an exploit in a controlled environment, where you can watch both the attacking and the target side
What is an ‘Exploit’? • Gaining access to a machine for which you do not have authorization • Setting up a system to provide/simplify such access • Taking a system offline • Exposing sensitive information, including by non-technical means (e.g., dumpster diving)
Overview of the Attack Process • Passive reconnaissance – “listening/looking” • Active reconnaissance – “asking/probing” • Exploiting • Gaining access through... • OS attacks • Application-level attacks • Scripts and sample programs • Misconfiguration attacks • Elevating privileges • Denial of service • Uploading programs and downloading data • Keeping access • Backdoors • New accounts • Covering tracks
Passive Reconnaissance • Information gathering without touching the target’s systems directly • Company web sites • Whois records (registrant contacts, name servers, address blocks) • DNS queries (mail exchangers, host names, zone data) • Chat rooms and BBSs • Physical presence • Dumpster diving • Sniffing
Passive Recon Defense • Do not underestimate the amount of information that can be acquired this way • The attacker gives almost no clues to his investigation during passive recon – nothing he does touches your systems, so nothing shows up in your logs • The only defense possible at this point is to limit how much information is available in the first place • It is important that a company review what information it allows to leak (web sites, DNS records, whois contacts). This is one of the places where policy comes in.
Active Reconnaissance • Active probing • ICMP sweeps • Scanning • Port scanning • OS fingerprinting • Service software/version/patch level determination • Network mapping • This is the stage where the target can begin to react – since the attacker is actively probing, there will be signs in firewall, IDS and service logs. Therefore the target has his first evidence
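Both sides of the active-recon step, as an added example written for these notes (not code from the original slides): a minimal TCP connect scan run against a listener the script opens on its own loopback address, and the defender's view of the same event, a small analyser over constructed iptables-style log lines that flags one source touching many destination ports. The log lines, addresses and the threshold are this example's own assumptions.

```python
"""Added example for these notes (not from the original slides): the active-recon
step as a minimal TCP connect scan, and the defender's side of the same event,
a log analyser that flags one source hitting many destination ports."""
import socket
from collections import defaultdict


def start_listener():
    """Open a TCP listener on 127.0.0.1 on an ephemeral port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def connect_scan(host, ports, timeout=0.2):
    """Full-connect scan: a port is 'open' if the three-way handshake completes.
    Each completed connection is exactly the kind of event the target can log."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def demo_scan():
    """Scan a five-port window around our own listener; the listener's port must show up."""
    srv, port = start_listener()
    try:
        found = connect_scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        srv.close()
    return port in found


# Constructed log lines in the style of a Linux iptables LOG target (not real captures).
# 10.0.0.5 walks through six ports; 10.0.0.7 makes one ordinary HTTPS connection.
SAMPLE_LOG = """\
kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=40001 DPT=21 SYN
kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=40002 DPT=22 SYN
kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=40003 DPT=23 SYN
kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP SPT=51000 DPT=443 SYN
kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=40004 DPT=25 SYN
kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=40005 DPT=80 SYN
kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=40006 DPT=139 SYN
"""


def port_sweep_sources(log_text, threshold=5):
    """Return the source addresses that touched at least `threshold` distinct
    destination ports. A real deployment would also bound this by a time window."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "SRC" in fields and "DPT" in fields:
            ports_by_src[fields["SRC"]].add(int(fields["DPT"]))
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= threshold)


if __name__ == "__main__":
    print("scan found own listener:", demo_scan())
    print("suspected port sweeps from:", port_sweep_sources(SAMPLE_LOG))
```

A connect scan completes the handshake, so every probe appears in the target's logs; a SYN scan is quieter but still leaves the SYN in a firewall log, which is what the detector above keys on. Note that the detector counts distinct destination ports rather than packets, so a single busy but legitimate client does not trip it.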
Exploiting • Gaining access • Elevation of Privileges • Denial of Service (DoS)
Exploiting - Gaining Access • Operating system attacks • Application-level attacks • Scripts and sample program attacks • Misconfiguration attacks • The key to defense here is to minimize each of these weaknesses
Operating System Attacks • Default installs have too much enabled • This is a convenience for the software provider – fewer calls to the help desk • The user does a default install and everything is already up and running • Even worse when the user does an ‘install everything’ – which is probably the most common install • With improved security awareness, admins at least are no longer taking the full-install approach
Application-level Attacks • Take advantage of the absent or poor security found in most of today’s application software • Programmers are pressed to release working code. Until just recently, consumers were not concerned with the security of code – just whether it works • The most common insecurity in a program is caused by failure to do two things: • Input filtering – checking that information provided by the user is well-formed and expected before acting on it • Error checking – handling failures deliberately instead of crashing, or continuing in an undefined state
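The two failures named above, side by side, as an added example for these notes (not code from the original slides): a file-download handler that trusts the user-supplied name and lets exceptions escape, and a hardened version that filters the input, confines the resolved path and turns failure into a return value. The directory layout, function names and the allow-list pattern are this example's own assumptions.

```python
"""Added example for these notes (not from the original slides): a file-download
handler written without input filtering or error checking, next to a hardened
version. Names such as serve_file_vulnerable are this example's own."""
import os
import re
import tempfile

# Allow-list: a bare name with a known extension. Nothing else gets near the filesystem.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(txt|pdf)$")


def serve_file_vulnerable(base_dir, user_name):
    """Trusts the user-supplied name outright: '../' walks out of base_dir,
    and a missing file raises straight through to the caller (a crash)."""
    with open(os.path.join(base_dir, user_name), "rb") as f:
        return f.read()


def serve_file_hardened(base_dir, user_name):
    """Filter the input, confine the resolved path, and treat failure as a result."""
    if not SAFE_NAME.match(user_name):                 # 1. input filtering
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_name))
    if os.path.commonpath([base, target]) != base:    # 2. belt and braces: stay inside base
        return None
    try:                                               # 3. error checking: no crash on bad input
        with open(target, "rb") as f:
            return f.read()
    except OSError:
        return None


def demo():
    """Build a throwaway tree: docs/report.txt is public, secret.txt sits outside docs."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "docs")
        os.mkdir(docs)
        with open(os.path.join(docs, "report.txt"), "wb") as f:
            f.write(b"public report")
        with open(os.path.join(tmp, "secret.txt"), "wb") as f:
            f.write(b"private")
        results = {
            "vulnerable_traversal": serve_file_vulnerable(docs, "../secret.txt"),
            "hardened_traversal": serve_file_hardened(docs, "../secret.txt"),
            "hardened_ok": serve_file_hardened(docs, "report.txt"),
            "hardened_missing": serve_file_hardened(docs, "missing.txt"),
        }
        try:
            serve_file_vulnerable(docs, "missing.txt")
            results["vulnerable_missing"] = "no error"
        except FileNotFoundError:
            results["vulnerable_missing"] = "crashed"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The allow-list check alone would stop the traversal; the `realpath`/`commonpath` check is there because filters get loosened over time, and the path confinement still holds when they do.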
Scripts and Sample Program Attacks • Scripts are used to perform minor tasks – some sort of setup or initialization for a program • Sample files are often included in an install – to provide an example for the user to work from. Web servers are notorious for this • The scripts and sample files are more of an ‘afterthought’ than a careful programming effort, so they almost never consider security • A hacker can often use these scripts and sample files to help gain access to a system • Obviously, a secure installation removes all such scripts and files.
Misconfiguration Attacks • Service setup is often difficult • The admin may make several stabs at it before being successful • Once it works (for whatever reason), the admin is often off to another task – rather than analyzing exactly what he has done, and possibly starting over to get it right • Always remove any unneeded services or software – then configuring those items is not an issue • Adequately estimate the time needed to install and configure a service. Ensure that you have been given that time • Misconfiguration is often a result of users being in a hurry to have something up and working – and pressuring the network admin to get it up.
Elevating Privileges • This is the technique of increasing your capabilities once access has been acquired • Often it is an ordinary user’s account that is compromised. The idea is to elevate from that user to a more capable account (administrator or root).
Denial of Service (DoS) • Often the last resort of a frustrated hacker • May also be used directly to accomplish a couple of things: • Knock the system offline in order to pose as that system, or to perform an operation that the system wouldn’t otherwise allow (if it were working properly) • Prevent the system from offering/accessing network services. This is often just a ‘spite’ or vandal action, but could also be used by a competitor • DoS attacks are difficult to prevent, but their impact can be reduced with proper techniques.
Uploading Programs • Means “hacker-to-target” • Provides future access – ‘keeping access’ • Provides a technique for gathering more information (like an installed sniffer that reports back to the attacker) • Provides a platform from which to launch more attacks (locally or remotely)
Downloading Data • Means “target-to-hacker” • This is the ‘theft’ category • Most often downloaded are password files (the stored hashes) • This allows the hacker to crack them offline, at leisure and without generating any further log entries on the target
Covering Tracks • At this point the admin is losing any chance of discovering the hacker’s identity, or even the extent of the damage in many cases • Logging is the key to discovering hacker activity. It is one of the first things that a good hacker will disable or edit • Checksums of system files are a good defense – a baseline taken while the system was known-good reveals which binaries and logs were altered, provided the baseline itself is kept where the attacker cannot reach it. Shipping logs to a separate log host serves the same purpose.
Session Hijacking • It is easier to sneak in as a ‘legitimate user’ than to break in • Find an established session and take it over after the user has authenticated • Simple in idea but complex in practice – extremely difficult over the Internet, where the attacker cannot see the traffic and must guess TCP sequence numbers – a little easier on a LAN, where the session can be sniffed
Spoofing • The act of impersonating or assuming an identity • Could be at a number of levels – login, MAC address, IP address, even service or application • Used for exploiting trust relationships – which are often based on something the user has or knows. ‘Has’ would be their IP address, for example. ‘Knows’ would be their password or other key information. Address spoofing attacks the ‘has’ side: the attacker forges the identifier that the trust relationship checks, rather than stealing a secret.
Relaying • Where an attacker relays or ‘bounces’ his traffic through a third party’s machine to disguise the attack • This could be to indirectly attack the relay host itself, or simply to shield the attacker’s origin from the end point • The typical example is email relaying through an open mail relay – so that the true originating address does not appear in the message headers.
Viruses and Trojan Horses • Malware is any program with effects other than those the end user expects. A virus is malware that copies itself into other programs or files; a Trojan horse is malware disguised as, or hidden inside, a program the user wants to run • Trojan horses are probably the easiest and one of the most powerful exploits to use • They require the target to run a program on their machine, and should be detected by AV software. Unfortunately, most users will run whatever arrives in their inbox • Client software is a threat – mail and web clients that render untrusted content (Outlook Express, for example) • Emphasizes the importance of running AV and keeping it current.
Sniffing • One of the most powerful hacking techniques available • Limited to traffic the attacker’s machine can see – the local segment • Encryption is the only real defense against sniffing; a switched network limits what a purely passive sniffer sees, but does not stop an attacker who can redirect traffic to himself • Sniffing programs • Vary from extremely simple to very advanced • Most are also protocol analyzers and/or have specific purposes – to sniff out a particular protocol, character string, or application. For example, ‘password sniffers’ simply look for credentials in clear-text protocols (telnet, FTP, POP3, HTTP Basic authentication) • The simplest sniffer merely captures the traffic bit for bit and writes it to a file, which can be analyzed later • They work by putting the NIC into ‘promiscuous mode’, so it delivers every frame on the wire rather than only frames addressed to it. ‘Anti-sniff’ utilities exist but do not identify a sniffer with certainty: they send frames the NIC should ignore (an ARP request addressed to a bogus MAC, for example) and watch for a host that answers anyway
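The parsing half of a ‘password sniffer’, as an added example for these notes (not code from the original slides). Capture is out of scope here: the frames are constructed in memory, so nothing goes into promiscuous mode, and the code walks Ethernet, IPv4 and TCP headers by hand and pulls HTTP Basic credentials out of the payload. Addresses, ports, the request text and the credentials are this example's own.

```python
"""Added example for these notes (not from the original slides): the parsing
half of a 'password sniffer'. Frames are constructed in memory (no capture, no
promiscuous mode); the parser walks Ethernet -> IPv4 -> TCP and pulls HTTP
Basic credentials out of the payload."""
import base64
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_tcp_frame(payload, src="10.0.0.5", dst="10.0.0.10", sport=40000, dport=80):
    """Constructed Ethernet/IPv4/TCP frame. Checksums are left at zero because
    the frame is only parsed, never transmitted."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return {src, dst, sport, dport, payload} for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:total_len]            # honour the IP length so trailing padding is dropped
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4      # TCP header length lives in the top nibble of byte 12
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": tcp[data_off:],
    }


def sniff_basic_auth(frames):
    """The 'specific purpose' sniffer: report (src, dst, port, user, password)
    for every HTTP request carrying an Authorization: Basic header."""
    creds = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        for line in pkt["payload"].split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                token = line.split(b" ", 2)[2]
                user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
                creds.append((pkt["src"], pkt["dst"], pkt["dport"], user, password))
    return creds


# Constructed traffic: one authenticated request, one plain request, one non-IP (ARP) frame.
SAMPLE_FRAMES = [
    build_tcp_frame(b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                    + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    build_tcp_frame(b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n", src="10.0.0.7"),
    bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28,
]


if __name__ == "__main__":
    for hit in sniff_basic_auth(SAMPLE_FRAMES):
        print("credentials on the wire:", hit)
```

Basic authentication is only base64, not encryption, which is why a sniffer recovers the password with a single decode; the same parser with TLS on port 443 would see only ciphertext after the handshake, which is the point the slide makes about encryption being the defense.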
Broadcasts • Limited to local networks • However, with some misconfigured routers (ones that forward directed broadcasts) it is possible to use one of these attacks over the Internet • The idea is to utilize the broadcast address – an address to which all machines are supposed to respond • ping <broadcast address> • The attacker couples this with a spoofed source address, so that all the replies go to the victim machine – an amplified DoS (the ‘smurf’ attack) • Most TCP/IP stacks today are set not to respond to a ping to the broadcast address (on Linux, check that sysctl net.ipv4.icmp_echo_ignore_broadcasts reports 1). However, any broadcast must at least be processed by every machine, so any broadcast (layer 2 or layer 3) will cause some resource usage.
Resource Sharing Attacks • For Windows, file sharing is handled with the SMB (Server Message Block) protocol. With Linux/Unix it is handled with NIS/NFS. The two can share with each other if the Unix side runs Samba • Includes printer sharing as well • These file-sharing vulnerabilities can be exploited over the Internet, so the firewall should definitely block the ports that lead to sharing services: 135-139 and 445 on Windows; on Unix, 111 (the portmapper) and 2049 (NFS) along with the RPC services they advertise, and while you are at it the other clear-text remote-access services such as 513 (rlogin) and 6000-6063 (X11) • Normally vulnerable due to poor passwords or IP-address trust relationships (NFS exports restricted only by client address)
Remote Control • “Remote control” is another term for the Trojan horses that give an attacker an interactive foothold on the machine (remote-access Trojans) • Remote control programs typically use non-standard ports, which means a firewall will block most of their traffic. On the other hand, most remote control tools let the attacker choose the port, and he can simply choose one that the firewall already has open.
Local Attacks • Shoulder surfing • Unlocked terminals • Written-down passwords • Unplugging machines – DoS (either power or network) • Local logon
Offline Hacking • Hackers often do most of their work offline. As long as they are offline, there is no chance that their activities will be noticed by the target. They work on the information and files gathered during their online time • Cracking password files (very time consuming – and the slower the hash function and the better the passwords, the longer it takes) • Cracking other encrypted files • Studying the results of information gathering
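Offline password cracking, as an added example for these notes (not code from the original slides), covering both the ‘downloading data’ step above (the stolen hashes) and the offline work done on them: a dictionary attack against a constructed password file of salted hashes, once with a single fast hash per guess and once with PBKDF2, to show where the ‘very time consuming’ comes from. The file format (user:salt:hash), the hashing schemes, accounts, salts and wordlist are all this example's own assumptions, not any real system's format.

```python
"""Added example for these notes (not from the original slides): a dictionary
attack against a constructed password file, run offline with nothing touching
the target. The file format (user:salt:hash) and the hashing schemes are this
example's own, chosen to show why the hash function's cost matters."""
import hashlib


def fast_hash(salt, password):
    """One SHA-256 per guess: what an attacker hopes the target used."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def slow_hash(salt, password, iterations=20_000):
    """PBKDF2-HMAC-SHA256: each guess costs `iterations` hashes instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()


def make_password_file(accounts, hash_fn):
    """accounts: list of (user, salt, password). Salts are fixed here for reproducibility;
    a real system draws a fresh one per account from os.urandom."""
    return "\n".join(f"{user}:{salt}:{hash_fn(salt, pw)}" for user, salt, pw in accounts) + "\n"


def crack(password_file_text, wordlist, hash_fn):
    """Try every wordlist entry against every account. Returns (cracked, guesses).
    Per-account salts force the attacker to rehash each candidate for each account."""
    cracked, guesses = {}, 0
    for line in password_file_text.splitlines():
        user, salt, digest = line.split(":")
        for candidate in wordlist:
            guesses += 1
            if hash_fn(salt, candidate) == digest:
                cracked[user] = candidate
                break
    return cracked, guesses


# Constructed data: alice chose a passphrase not in the list; bob and carol did not.
ACCOUNTS = [
    ("alice", "a1b2c3d4", "correct horse battery staple"),
    ("bob", "9f8e7d6c", "password1"),
    ("carol", "55aa55aa", "letmein"),
]
WORDLIST = ["123456", "password", "letmein", "password1", "qwerty"]


def demo(hash_fn=fast_hash):
    """Steal the file (here: generate it), then crack it offline."""
    return crack(make_password_file(ACCOUNTS, hash_fn), WORDLIST, hash_fn)


if __name__ == "__main__":
    for name, fn in (("sha256", fast_hash), ("pbkdf2", slow_hash)):
        cracked, guesses = demo(fn)
        print(f"{name}: {guesses} guesses, cracked {cracked}")
```

Both runs make the same 12 guesses and crack the same two accounts; the difference is that each PBKDF2 guess costs 20,000 hash computations instead of one, which is the only lever the defender has once the file is stolen. The real wordlists are millions of entries long, so that multiplier is what turns hours into years.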
Social Engineering • “Inference channel” is a fancy term meaning that conclusions have been inferred from observations. The author gives a couple of examples, but basically it works like this: you combine what you observe with what you already know to come to conclusions • The “covert channel” as used here involves a trusted insider (a spy) who provides the hacker with information and/or access. (Strictly, in the security literature a covert channel is any communication path that violates the system’s security policy; the insider case is one instance.)
Three Basic Security Goals • Confidentiality – preventing unauthorized disclosure of information • Integrity – preventing unauthorized modification of information • Availability – keeping systems and data accessible to legitimate users when they need them