Module 05 - Network Attacks


7/30/2019 Module 05 - Network Attacks

Network Security Administrator

Module V: Network Attacks


EC-Council. Copyright by EC-Council. All Rights reserved. Reproduction is strictly prohibited.

Module Objectives

~ Current Statistics
~ Classification of Hackers
~ Types of Attacks
~ Spoofing Attacks
~ Spamming Attacks
~ Introduction to:
  Eavesdropping
  Phishing
  War Dialing
~ Introduction to:
  Social Engineering
  Password Cracking
  Sniffing & Scanning
  Wire Tapping
  War Driving
  War Chalking
  DoS/DDoS Attacks
  Buffer Overflow Attacks


Module Flow

Current statistics
Hackers classification
Attacks classification
Malicious elements
Spoofing, Spamming
Eavesdropping
Phishing
War Dialing
Social Engineering
Password Cracking
Sniffing, Scanning
Wire Tapping
War Driving, War Chalking
DoS/DDoS attack
Buffer Overflow


Current Statistics

Source: Survey conducted by CSI/FBI on Types of Attacks or Misuse Detected in the last 12 months


Defining Terms: Threats, Attack and Exploit

~ Threat: A circumstance, event, or person with the potential to cause harm to a system in the form of destruction, disclosure, data modification, and/or Denial of Service (DoS)
~ Attack: An assault on system security that derives from an intelligent threat
~ Exploit: A way to breach the security of an IT system through a vulnerability


Classification of Hackers

~ Black Hat:
  Also called a cracker or dark side hacker
  Compromises the security of the system without authorized access
~ White Hat:
  Focuses on securing IT systems
  Alerts owners of the systems to security flaws and break-in attempts
~ Grey Hat:
  Combination of black hat and white hat hackers
  Intrudes into a system and does no damage
~ Ethical Hackers:
  Hold extensive knowledge and skills concerning the web
  Evaluate the sensitive information gathered and apply robust measures to ensure security


Classification of Attacks

~ Internal Attack: Attack initiated by an authorized entity misusing the resources inside the security perimeter
~ External Attack: Attack initiated by an unauthorized or illegitimate user of the system from outside the security perimeter


Trojan

~ Malicious program that is masqueraded as legitimate software
~ Has spying capabilities that allow computers to be controlled remotely
~ Dropper: Trojan that spreads other malware
~ Configures the network of zombie computers for launching DDoS attacks
~ Two parts:
  Server: present on the server system
  Client: present on the attacker's system


Virus

~ Malicious program that replicates itself with human intervention
~ Major virus types:
  Boot Sector Infectors: attack the susceptible boot program on the bootable floppy disk
  File Infectors: attack and modify .EXE and .COM program files
  Macro Viruses: use the built-in programming languages of popular applications for creating malicious macros


Worm

~ Malicious program that replicates itself without human intervention
~ Categories:
  E-mail Worms: spread through infected e-mails
  Instant Messaging Worms: spread through instant messaging applications
  Internet Worms: scan the Internet for vulnerable machines and try to gain access
  File-sharing Network Worms: copy themselves to a shared folder under a harmless name


Rootkit

~ Set of tools to control a compromised computer in a network
~ Hides running processes, files or system data, enabling the attacker to access a system without the user's knowledge
~ Types:
  Kernel level rootkit: appends additional code and/or replaces a portion of kernel code with modified code to hide a backdoor on a computer
  Application level rootkit: modifies the behavior of existing applications using hooks, patches or injected code


Spoofing Attacks

~ Through a spoofing attack, the attacker aims to create a context that misleads the victim into making improper security-related decisions
~ The attacker can impersonate local system IP addresses through spoofing techniques
~ Countermeasures:
  Filtering packets passing through the Internet via the router
  Blocking unauthorized packets


Spamming Attacks

~ Method of sending unsolicited e-mails in bulk
~ Drawbacks:
  Decrease in system performance
  Slow e-mail transfers
~ Countermeasures:
  Review e-mail headers to identify the owner of the e-mail
  Configure the router to block incoming packets from the identified address
  Augment logging capabilities to detect or alert on such activity
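The first countermeasure, reviewing the headers to find where a message really came from, as an added example (not slide material): it walks the Received: chain of a constructed message to recover the originating relay address, which is the value the router block rule and the logging alert in the other two countermeasures would key on. Host names and addresses are constructed.

```python
# Recover the originating relay from an e-mail's Received: chain.
# Added example for this module, not slide material; the message is constructed.
import email
import re
from email import policy
from ipaddress import ip_address
from typing import List, Optional

# Constructed spam sample: each relay prepends its own Received: line,
# so the top line is the last hop and the bottom line is the origin.
RAW_SPAM = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id AB12; Mon, 29 Jul 2019 10:02:11 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.net with SMTP id CD34; Mon, 29 Jul 2019 10:02:09 +0000
Received: from [203.0.113.55] (unknown [203.0.113.55])
\tby relay.example.net with SMTP id EF56; Mon, 29 Jul 2019 10:02:05 +0000
From: "Promo" <promo@example.com>
To: victim@example.org
Subject: You have won!!!

Click here.
"""

# The bracketed IPv4 literal is what the receiving MTA itself observed for the
# connecting host; the host name in front of it is claimed by the sender and untrusted.
_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw: bytes) -> List[str]:
    """Return the observed IP of every hop, ordered origin first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        match = _IP_IN_BRACKETS.search(str(header))
        if not match:
            continue
        try:
            hops.append(str(ip_address(match.group(1))))
        except ValueError:  # malformed literal: skip it rather than trust it
            continue
    return list(reversed(hops))


def originating_ip(raw: bytes) -> Optional[str]:
    """The address to feed into a router block rule or a mail-log alert.
    Only the earliest hop is the sender's own machine; the later hops are
    legitimate relays and must not be blocked."""
    chain = received_chain(raw)
    return chain[0] if chain else None
```

Received: lines below the topmost trusted relay can themselves be forged by the sender, so the recovered origin is only as reliable as the hop that recorded it.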


Eavesdropping

~ Intercepting and viewing contents and communications in an unauthorized way
~ Electronic eavesdropping: use of an electronic transmitting or recording device to monitor conversations covertly
~ Eavesdropping techniques target:
  Phone lines
  E-mail
  Instant messaging


Phishing

~ Form of social engineering where masquerading is used for stealing financial information
~ Stands for "password harvesting fishing"
~ The term originated from the use of sophisticated methods to "fish" users for sensitive information
~ Phishing Techniques:
  Phishing through compromised web servers
  Phishing through port redirection
  Phishing exploiting botnets, which are computers that are remotely controlled by the attacker


War Dialing

~ Process of dialing a large number of telephone numbers to locate:
  Insecure modems and dial-in accounts
  Inventory and lock down devices and band devices
  Break-in attempts
~ War Dialing Tools:
  ToneLoc
  SecureLogix TeleSweep Secure
  Sandstorm PhoneSweep


Social Engineering

~ Tricking a person into disclosing information
~ Obtains confidential information from legitimate users
~ Technical flaws in computer systems that intruders exploit
~ Lack of security awareness or gullibility of computer users
~ Attacks at two levels:
  Physical
  Psychological


Password Cracking

~ Process of recovering the original form of passwords stored in encrypted form on a computer
~ Weak passwords make them vulnerable
~ The attacker obtains a hashed password either by:
  Reading a password verification table
  Intercepting a hashed password transferred over the network
  Password guessing
~ Countermeasure:
  Shadowing password files in UNIX enhances password security


Sniffing

~ A sniffer program monitors network traffic
~ Carried out for legitimate purposes such as network data administration and for illegitimate ones such as stealing network information
~ Objectives of sniffing: stealing of
  Passwords
  E-mail text
  Files in transfer
~ Sniffing countermeasures:
  Encrypting traffic containing confidential information
  Using instrument software to locate the sniffer's position in the network


Types of Sniffing

~ Passive Sniffing:
  Sniffing through a hub
  Termed passive as it is difficult to detect
  Trojans are used for installing sniffers in the network
~ Active Sniffing:
  Sniffing through a switch
  Difficult to sniff
  Can be easily detected
  Common techniques:
    ARP Spoofing
    MAC Flooding


Scanning

~ Network scanning is a procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment
~ Objectives:
  Detects systems running on the network
  Discovers active/running ports
  Performs fingerprinting, i.e. discovering the operating systems running on the target system
  Identifies the services running/listening on the target system



Types of Scanning

~ Port Scanning: connecting to TCP/UDP ports on the target system to trace the services running in a listening state
~ Network Scanning: identifying active hosts on a network for the purpose of attack or as a network security assessment
~ Vulnerability Scanning:
  Identifying the vulnerabilities of computing systems in a network
  Consists of a scanning engine and a catalog (list of files)



Web Page Defacement

~ Unlawful modification of websites
~ Also called web-jacking, site vandalism or cyber-graffiti
~ Expensive and critical to victims
~ Types:
  Visible defacements: make hackers popular in their community
  Invisible defacements: hamper the website's effectiveness by modifying the visibility of the site to search engines
~ Countermeasure:
  SigNet web defacement protection method, based on detached digital signatures



SQL Injection

~ Technique of injecting SQL (Structured Query Language) commands to exploit non-validated input vulnerabilities in a web application's database back end
~ Programmers assemble commands by stringing them together with user input, which allows attackers to inject commands
  Attackers can then execute arbitrary SQL commands through the web application
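The non-validated input flaw described above beside its fix, as an added example that is not slide material: a login check built by splicing user input into the statement text, next to the same check with bound parameters. It uses Python's built-in sqlite3 and a constructed users table.

```python
# Vulnerable query construction beside the parameterized fix.
# Added example for this module, not slide material; schema and users are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Statement text is built from user input, so a quote character in the
    input ends the literal and whatever follows is parsed as SQL: the
    non-validated input flaw the slide describes."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Same query with bound parameters: the statement text is fixed and the
    values travel separately, so they are only ever compared as data."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def compare() -> dict:
    """Run both versions against a wrong password and against a classic
    quote-breaking probe string, so the difference is visible side by side."""
    conn = make_db()
    probe = "' OR '1'='1"  # turns the WHERE clause into (...) OR true
    return {
        "vulnerable_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_probe": login_vulnerable(conn, "alice", probe),
        "safe_wrong_password": login_safe(conn, "alice", "wrong"),
        "safe_probe": login_safe(conn, "alice", probe),
        "safe_correct": login_safe(conn, "alice", "correct horse"),
    }
```

In the vulnerable version the probe string yields a successful login without the password; in the parameterized version the same string is simply a non-matching password.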



Wiretapping

~ Secret screening of telephone conversations by a third party
~ Two types:
  Passive wiretapping: similar to eavesdropping
  Active wiretapping: altering the contents of the communication


War Driving, War Chalking, War Flying

~ War driving: using a laptop's wireless NIC set in promiscuous mode to detect unsecured wireless LAN signals
~ War flying: using an aeroplane and a Wi-Fi-equipped computer (laptop, PDA, etc.) to detect Wi-Fi wireless networks
~ War chalking:
  Marking a series of distinct symbols on buildings to indicate access points in the vicinity
  The symbols describe the settings needed to connect to the wireless networks through the Internet


Denial of Service Attacks (DoS)

~ Disables the network by flooding it with useless network traffic
~ Ping of death and teardrop attacks exploit limitations in the TCP/IP protocols
~ Basic types of attack:
  Resource consumption: bandwidth
  Resource starvation: CPU time or disk space
  Disruption of physical network components: failures of applications or operating system components


Distributed Denial of Service Attacks (DDoS)

~ Involves compromising computers and installing an application that initiates packet flooding to a target system
~ DDoS tools use a client/server architecture to direct attacks
~ DDoS attack tools:
  Trinoo
  Tribe Flood Network (TFN)
  TFN2K
~ Countermeasure: filtering incoming and outgoing packets
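The packet-filtering countermeasure named here and on the Spoofing Attacks slide (filtering at the router and blocking packets that impersonate local IP addresses), as an added example rather than slide material: a stateless ingress/egress anti-spoofing rule set evaluated over constructed packet headers. The internal prefix, interface names and addresses are assumptions.

```python
# Stateless anti-spoofing filter for a border router. Added example for this
# module, not slide material; prefixes, interface names and packets are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

INTERNAL = ip_network("192.0.2.0/24")  # assumed prefix behind the router
# Private and reserved source ranges that should never arrive from the Internet.
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


@dataclass(frozen=True)
class Packet:
    iface: str  # "wan" = Internet-facing link, "lan" = inside
    src: str
    dst: str


def verdict(pkt: Packet) -> Tuple[str, str]:
    """Decide one packet header: ("drop" | "accept", reason)."""
    src = ip_address(pkt.src)
    if pkt.iface == "wan":
        # Ingress filtering: nothing arriving from the Internet may carry one of
        # our own addresses; that is the local-IP impersonation of the spoofing slide.
        if src in INTERNAL:
            return "drop", "ingress: spoofed internal source"
        if any(src in net for net in BOGONS):
            return "drop", "ingress: bogon source"
        return "accept", "ingress: ok"
    # Egress filtering: traffic leaving must carry our own prefix. Anything else
    # is an inside host sourcing spoofed flood packets, i.e. our network being
    # used as a DDoS launch point against someone else.
    if src not in INTERNAL:
        return "drop", "egress: source not in our prefix"
    return "accept", "egress: ok"


def filter_packets(pkts: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Apply the rule set to a batch and keep each decision for logging/alerting."""
    return [(p, *verdict(p)) for p in pkts]
```

Both rules are stateless and cheap enough to run on every packet at the border; the egress rule is what stops compromised inside hosts from taking part in a spoofed flood.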



Buffer Overflow Attacks

~ A type of DoS attack
~ Occurs when an application writes content that exceeds the buffer size
~ Buffer: area of computer memory for temporary data storage
  Restricted in size
~ E-mails with attachments consisting of over 256 characters can result in a buffer overflow



Summary

~ A threat is an event that can harm the system; an attack is the damage to the security of the system; an exploit breaks the security of the system through a weak point
~ A Trojan is a malicious program that impersonates genuine software
~ A virus is a malicious program that replicates itself by creating copies
~ A worm is a malicious program that replicates itself without the help of other programs
~ A spamming attack is sending unwanted e-mails in bulk
~ Password cracking is the technique of recovering the original form of passwords present in encrypted form in the system
~ Sniffing is employing a sniffer program to examine network traffic
~ Denial of Service (DoS) is the unavailability of services to authentic users
~ A buffer overflow occurs when a system's applications write content that is beyond the buffer size