Review For Exam 1 February 4, 2010 MIS 4600 - MBA 5880 © Abdou Illia

Page 1

Review For Exam 1

February 4, 2010

MIS 4600 - MBA 5880 © Abdou Illia

Page 2

Introduction to Ethical Hacking

Page 3

Hackers

- Access computer systems or networks without authorization
- Have different motivations (from proving their status to doing some damage)

Crackers

- Break into systems to steal or destroy data

For the U.S. Department of Justice they all break the law; they can go to prison.

Page 4

Hackers vs. Ethical Hackers

Ethical hacker

- Performs most of the same activities as hackers and crackers, but with the owner’s permission
- Employed by companies to perform penetration or security tests

Red team

- Team of ethical hackers with varied skills (social engineering, ethics/legal issues, break-ins, etc.)

Page 5

Penetration test vs. Security test

Penetration test

- Legally breaking into a company’s network to find its weaknesses
- Tester only reports findings

Security test

- More than a penetration test. Also includes:
  - Analyzing the company’s security policy and procedures
  - Offering solutions to secure or protect the network

Security Policy

- Sets rules for expected behaviors by users (e.g. regular patches download, strong passwords, etc.), and IT personnel (e.g. no unauthorized access to users’ files, …), etc.
- Defines access control rules.
- Defines consequences of violations.
- Helps track compliance with regulations.
- Etc.

Example rules: “Passwords must not be written down.” “Access to files must be granted to the level required by users’ job.”

Page 6

Hacking Tools

- Referred to as a Tiger box in the course textbook
- Collection of OSs and tools that assist with hacking: network scanners, traffic monitors, keyloggers, password crackers, etc.
- Practical Extraction and Report Language (Perl)
- C programming language
- Scripts, i.e. a set of instructions that runs in sequence

Page 7

Questions

Which of the following may be part of a penetration test (P) or a security test (S)? Use “X” to indicate your answer.

P | S

1. Breaking into a computer system without authorization.
2. Laying out specific actions to be taken in order to prevent dangerous packets from passing through firewalls.
3. Scanning a network in order to gather IP addresses of potential targets.
4. Finding that patches are not applied in a timely manner as recommended by corporate rules.
5. Writing a report about a company’s security defense system.
6. Scanning a network in order to find out what defense tools are being used.
7. Finding that users cannot change their passwords themselves.
8. Finding that a company does not have an effective password reset rule.
9. Finding out that a firewall does not block potentially dangerous packets.
10. Proposing a new procedure whose implementation may help improve systems security.
11. Finding out that the administrator's account is called Admin and has a weak password.
12. Finding out that 1/3 of the security procedures are not actually implemented.
13. Performing denial-of-service attacks.
14. Disabling network defense systems.

Page 8

Penetration Testing Models

White box model

- Tester is told everything about the network topology and technology
- Tester is authorized to interview IT personnel and company employees
- Makes tester’s job a little easier

Note: some diagrams may show routers, firewalls, etc.

Page 9

Penetration Testing Models (cont.)

Black box model

- Company staff does not know about the test
- Tester is not given details about the network. Burden is on the tester to find these details
- Tests if security personnel are able to detect an attack

Question: What is the disadvantage of letting the company’s employees know about the penetration test?

________________________________________________

Question: What is the disadvantage of letting the IT staff know about the penetration test?

________________________________________________

Page 10

Penetration Testing Models (cont.)

Gray box model

- Hybrid of the white and black box models
- Company gives tester partial information

Page 11

TCP/IP Concepts

Page 12

Overview of TCP/IP

- Transmission Control Protocol/Internet Protocol (TCP/IP)
- Most widely used protocol set
- TCP/IP is a protocol set with 4 layers*
- Protocol: common language used by computers for “speaking”
- IPX/SPX is another protocol set used in Novell networks.
- Some companies protect their network by using IPX/SPX internally (“poor man’s firewall”).

[Diagram: Computer 1 and Computer 2, each with Layer 1 to Layer 4, communicating over a TCP/IP network; an IPX/SPX LAN is shown alongside]

* A layer can be seen as a group of tasks/activities/jobs

Page 13

TCP/IP protocol set

[Diagram: Computer 1 and Computer 2, each with an Application layer, Transport layer, Internet layer and Network interface layer]

TCP/IP is implemented as software and hardware that work together to create messages that could be “understood” by each computer

Page 14

The Application Layer

- Front end to the lower-layer protocols
- Many Application layer protocols: HTTP, FTP, ARP, etc.
- Includes network services and client software. Examples: Web (HTTP service), Web browser

Commands/utilities for connecting to and using Application layer network services:

- ftp: used to transfer files between clients and servers
- telnet servername [port number]: to log on to a server

Page 15

Using the ftp utility

- help command: gives info about the commands
- open ftp.eiu.edu should open an ftp session with the ftp.eiu.edu server.
- Some public anonymous ftp servers: ftp.arsc.edu, ftp.ussg.iu.edu, ftp.loc.gov/pub. Detailed list at http://www.ftp-sites.org/

[Instructor will show how to use ftp]

Unlike SFTP, FTP is not secure because it allows anonymous logins. Most companies do not allow FTP connections to their servers. If a user has an account, they can use it to connect using an SFTP-based client program.

Page 16

Questions

1) Based on your knowledge of the ftp utility and ftp-based client programs, what do you think a hacker needs in order to connect to a specific secure ftp server? Name three things that are absolutely required.

________________________, ______________________, ___________________

2) Which of the three things you have mentioned is the hardest to get?

_________________________

3) Once connected to an ftp server, a hacker can upload/download files only based on the permissions associated with the user account he/she has used to connect. Imagine that the only permissions associated with the user account are to see and download files that are in the default ftp directory. Name two things that must occur to make it possible for the hacker to go beyond just seeing and downloading files that are in the default directory and be able, for instance, to browse through the entire directory structure and upload files to the server.

______________________________, _______________________________

Page 17

The Transport Layer

- Prepares Application layer messages for proper “transportation” to a receiving device
- Main protocols used: the TCP protocol for connection-oriented “dialog”; the User Datagram Protocol or UDP for connectionless transmissions
- Makes sure messages arrive at the destination exactly as they left the source (in case of connection-oriented communication)
- TCP opens connections using a 3-way handshake:
  - Computer 1 sends a Synchronization (SYN) request
  - Computer 2 replies with a Sync-Acknowledgement (SYN-ACK) packet
  - Computer 1 replies with an ACK packet

[Diagram: Computer 1 and Computer 2, each with the four TCP/IP layers; arrows SYN (Computer 1 to Computer 2), SYN/ACK (Computer 2 to Computer 1), ACK (Computer 1 to Computer 2)]

Page 18

The Internet Layer

- Responsible for routing packets to their destination address
- Uses a logical address, called an IP address
- Main protocols used: IP and ICMP

Internet Control Message Protocol (ICMP)

- Used to send messages related to network operations
- Helps in troubleshooting a network
- Some Internet layer commands/utilities for troubleshooting network connections (more complex versions are included in hacking tools):
  - Ping: determines whether a computer is connected
  - Traceroute and tracert: determine the route to get to a computer

Page 19

ICMP codes are used internally by network administrators to troubleshoot network connectivity (code 0 and 8) using the PING command, track IP packets’ route (code 30) using the TRACERT or TRACEROUTE command, etc.

Appropriate ICMP codes could be used to configure firewalls to prevent network attacks by outsiders.

Page 20

Using the ping utility

Most companies do not allow “pinging” their computers from outside.

[Screenshot: pinging under Windows OS]

[Screenshot: pinging under Linux]

Later, we will see how some of these pinging options may be used in security attacks.

Page 21

Using tracert and traceroute

As Network [Internet] layer tools, tracert and traceroute generate a network map, showing how to get to a target computer.

Some of these options may be abused by hackers as we will see later.

[Screenshot: traceroute output. Callout: this is likely a firewall or a router in EIU’s network whose real IP address is hidden using Network Address Translation.]

Page 22

Questions

[Screenshot: pinging under Windows OS]

Based on your knowledge of the PING command, what possible damage may be done when it is used with the –l option?

Page 23

The Network Interface Layer

- Represents the network pathway (i.e. transmission media)
- Implemented through Network Interface Cards (NIC)
- Includes the Medium Access Control (MAC) address (the MAC is a physical address recorded on NICs)
- Breaks messages into short frames and adds the MAC to each
- Converts messages into signals for transmission

Page 24

Sending a message using TCP/IP

- Generating the message at the Application layer
- Encapsulation: adding protocol headers (H) and trailers (T) to pack the message.

[Diagram: on the user PC the HTTP request (example: http://www.eiu.edu) moves down the stack. Application: HTTP req. Transport: TCP-H + HTTP req. (TCP segment). Internet: IP-H + TCP-H + HTTP req. (IP packet). Network Interface: NI-H + IP-H + TCP-H + HTTP req. + NI-T (frames), sent onto the transmission medium.]

Page 25

Receiving a TCP/IP message

- Frames arrive through the network interface
- De-encapsulation: removing protocol headers (H) and trailers (T) to access the request

[Diagram: the reverse of the sending side. Network Interface strips NI-H and NI-T from the frames; Internet strips IP-H from the IP packet; Transport strips TCP-H from the TCP segment; Application receives the HTTP req. (example: http://www.eiu.edu).]

Page 26

TCP Segment

TCP header layout (bit positions 0-3 | 4-7 | 8-15 | 16-31):

- Source port (0-15) | Destination port (16-31)
- Sequence number (0-31)
- Acknowledgment number (0-31)
- Data offset (0-3) | Reserved (4-7) | Flags CWR, ECE, URG, ACK, PSH, RST, SYN, FIN (8-15) | Window Size (16-31)
- Checksum (0-15) | Urgent pointer (16-31)
- Options (if Data Offset > 5)
- Data Field (should contain the HTTP request based on our previous example)

Source port (16 bits) – a number that identifies the Application layer program used to send the message.

Destination port (16 bits) – a number that identifies the Application layer program the message is destined to.

Sequence number (32 bits) – Tracks packets received. Helps reassemble packets. Hackers may guess the SN to hijack conversations. Has a dual role:

- If the SYN flag is set, then this is the initial sequence number. The sequence number of the actual first data byte (and the acknowledged number in the corresponding ACK) will then be this sequence number plus 1.
- If the SYN flag is clear, then this is the sequence number of the first data byte.

Acknowledgment number (32 bits) – if the ACK flag is set then the value of this field is the next sequence number that the receiver is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end's initial sequence number itself, but no data.

Data offset (4 bits) – specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words, thus giving a minimum size of 20 bytes and a maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.

Page 27

TCP Segment (cont.)

Flags (8 bits) (aka Control bits) – contains 8 1-bit flags:

- CWR (1 bit) – Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set and had responded in the congestion control mechanism (added to header by RFC 3168).
- ECE (1 bit) – Explicit Congestion Notification-Echo indicates: if the SYN flag is set, that the TCP peer is ECN capable; if the SYN flag is clear, that a packet with the Congestion Experienced flag in the IP header set was received during normal transmission (added to header by RFC 3168).
- URG (1 bit) – indicates that the Urgent pointer field is significant
- ACK (1 bit) – indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
- PSH (1 bit) – Push function
- RST (1 bit) – Reset the connection
- SYN (1 bit) – Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag, and some are only valid for when it is set, and others when it is clear.
- FIN (1 bit) – No more data from sender

[TCP header layout diagram repeated from page 26]

Page 28

TCP Segment (cont.)

Window size (16 bits) – the size of the receive window, which specifies the number of bytes (beyond the sequence number in the acknowledgment field) that the receiver is currently willing to receive.

Checksum (16 bits) – Used for error-checking of the header and data.

Urgent pointer (16 bits) – if the URG flag is set, then this field is an offset from the sequence number indicating the last urgent data byte.

[TCP header layout diagram repeated from page 26]
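The 3-way handshake from page 17 and the header fields from pages 26 to 28, worked as an added Python example (not part of the course slides): it constructs the three handshake segments, parses the fixed header and the options region via the data offset, decodes the flag bits, and checks the "initial sequence number plus 1" rule. Port numbers, sequence numbers and the MSS option are made-up sample values.

```python
import struct
from dataclasses import dataclass

# Bit masks of the 8-bit control field, in the slide's order CWR..FIN.
FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int      # header length in 32-bit words (5..15)
    flags: frozenset      # names of the flags that are set
    window: int
    checksum: int
    urgent: int
    options: bytes        # present only when data_offset > 5
    payload: bytes

    @property
    def header_len(self) -> int:
        return self.data_offset * 4


def parse_tcp(segment: bytes) -> TcpHeader:
    """Decode a segment following the header layout on the slides."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    (src, dst, seq, ack, off_res, flag_byte, win, csum,
     urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = off_res >> 4        # high 4 bits; low 4 bits are reserved
    if not 5 <= data_offset <= 15:
        raise ValueError(f"invalid data offset {data_offset}")
    hlen = data_offset * 4
    if len(segment) < hlen:
        raise ValueError("segment truncated inside its options")
    names = frozenset(n for n, bit in FLAG_BITS.items() if flag_byte & bit)
    return TcpHeader(src, dst, seq, ack, data_offset, names, win, csum, urg,
                     segment[20:hlen], segment[hlen:])


def build_tcp(src, dst, seq, ack, flags, window=65535, options=b"",
              payload=b""):
    """Construct a segment; checksum is left 0 (it needs the IP pseudo-header)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad to 32-bit words
    data_offset = 5 + len(options) // 4
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    header = struct.pack("!HHIIBBHHH", src, dst, seq, ack, data_offset << 4,
                         flag_byte, window, 0, 0)
    return header + options + payload


def check_handshake(syn: bytes, synack: bytes, ack: bytes) -> bool:
    """True if the three segments obey the slides' handshake rules: the SYN
    carries the client ISN, the SYN/ACK acknowledges client ISN + 1 and
    carries the server ISN, and the final ACK uses ISN + 1 on both sides."""
    a, b, c = parse_tcp(syn), parse_tcp(synack), parse_tcp(ack)
    client_isn, server_isn = a.seq, b.seq
    return (a.flags == {"SYN"}
            and b.flags == {"SYN", "ACK"} and b.ack == client_isn + 1
            and c.flags == {"ACK"} and c.seq == client_isn + 1
            and c.ack == server_isn + 1)


# Constructed handshake: a browser on port 51000 talking to a web server on 80.
CLIENT_ISN, SERVER_ISN = 1000, 5000
SYN = build_tcp(51000, 80, CLIENT_ISN, 0, {"SYN"},
                options=b"\x02\x04\x05\xb4")   # 4-byte MSS option -> offset 6
SYN_ACK = build_tcp(80, 51000, SERVER_ISN, CLIENT_ISN + 1, {"SYN", "ACK"})
ACK = build_tcp(51000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, {"ACK"})

if __name__ == "__main__":
    for seg in (SYN, SYN_ACK, ACK):
        h = parse_tcp(seg)
        print(f"{h.src_port}->{h.dst_port} seq={h.seq} ack={h.ack} "
              f"flags={sorted(h.flags)} header={h.header_len}B "
              f"options={h.options.hex() or '-'}")
    print("handshake valid:", check_handshake(SYN, SYN_ACK, ACK))
```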

Page 29

TCP Ports

- Identifies the service that is running
- Helps you stop or disable services that are not needed
- Open ports are an invitation for an attack
- Only the first 1023 ports are considered well-known
- List of well-known ports available at the Internet Assigned Numbers Authority (IANA) Web site (www.iana.org)

Port – Service – Explanation

- 20 and 21 – File Transfer Protocol (FTP) – Used for sharing files over the Internet. Requires a logon name and password. More secure than Trivial File Transfer Protocol (TFTP)
- 25 – Simple Mail Transfer Protocol (SMTP) – E-mail servers listen on this port
- 53 – Domain Name Service (DNS) – Helps users connect to Web sites using URLs instead of IP addresses

Page 30

TCP Ports (continued)

Port – Service – Explanation

- 69 – Trivial File Transfer Protocol (TFTP) – Could be implemented using a very small amount of memory. Implemented on top of the User Datagram Protocol (UDP) using port number 69. Used for transferring router configurations. TFTP only reads and writes files from/to a remote server; it cannot list directories. Currently has no provisions for user authentication.
- 80 – Hypertext Transfer Protocol (HTTP) – Used when connecting to a Web server

Page 31

TCP Ports (continued)

Port – Service – Explanation

- 110 – Post Office Protocol 3 (POP3) – Used for retrieving e-mails from a server
- 119 – Network News Transfer Protocol – For use with newsgroups
- 135 – Remote Procedure Call (RPC) – Critical for the operation of Microsoft Exchange Server and Active Directory.
- 139 – NetBIOS – Used by Microsoft’s NetBIOS Session Service
- 143 – Internet Message Access Protocol 4 (IMAP4) – Used for retrieving e-mail. Better than POP3. Could maintain mails on servers. Allows searches, etc.

The netstat command line utility displays open ports on a computer, indicating what services/applications are running.

Page 32

IP Header

Version – indicates the version of IP in four bits. Should be 0100 for IPv4.

Internet Header Length (IHL) – tells the number of 32-bit words in the IP header.

TOS – Indicates the quality of service for delivering the packet: normal delay, high reliability, normal cost, high cost, etc.

Total Length – defines the entire packet size (header + data) in bytes. The minimum length is 20 bytes (20-byte header + 0 bytes data) and the maximum is 65,535. Subnetworks may impose restrictions on the size, in which case packets must be fragmented. Fragmentation is handled in either the host or the router.

IP header layout (bit positions 0–3 | 4–7 | 8–15 | 16–18 | 19–31):

- Version (0–3) | Header length (4–7) | Type Of Service (8–15) | Total Length (16–31)
- Identification (0–15) | Flags (16–18) | Fragment Offset (19–31)
- Time to Live (TTL) (0–7) | Protocol (8–15) | Header Checksum (16–31)
- Source Address (0–31)
- Destination Address (0–31)
- Options
- Data

Page 33

IP Header

Identification – Primarily used for uniquely identifying fragments of an original IP packet.

Flags – A three-bit field used to control or identify fragments. They are (in order, from high order to low order):

- Reserved, must be zero.
- Don't Fragment (DF): If the DF flag is set and fragmentation is required to route the packet, then the packet will be dropped.
- More Fragments (MF): When a packet is fragmented, all fragments have the MF flag set except the last fragment.

[IP header layout diagram repeated from page 32]

Page 34

IP Header

Fragment Offset – Specifies the offset of a particular fragment relative to the beginning of the original unfragmented IP packet. The first fragment has an offset of zero.

TTL – Helps prevent packets from persisting (e.g. going in circles) on an Internet. Time specified in seconds, but time intervals less than 1 second are rounded up to 1. Also in number of hop counts.

Protocol – Defines the protocol used in the data portion of the IP packet. Common protocols and their codes are: 1: Internet Control Message Protocol (ICMP), 2: Internet Group Management Protocol (IGMP), 6: Transmission Control Protocol (TCP), 17: User Datagram Protocol (UDP), 89: Open Shortest Path First (OSPF), 132: Stream Control Transmission Protocol (SCTP).

[IP header layout diagram repeated from page 32]

Page 35

IP Header

Header Checksum – used for error-checking of the header. At each hop, the checksum of the header must be compared to the value of this field. If a header checksum is found to be mismatched, then the packet is discarded. Note that errors in the data field are up to the encapsulated protocol to handle.

[IP header layout diagram repeated from page 32]
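The IP header fields from pages 32 to 35, worked as an added Python example (not from the course slides): it builds an IPv4 packet, parses version, IHL, total length, identification, the DF/MF flags, fragment offset, TTL and protocol, verifies the header checksum the way each hop does, and shows a hop discarding a corrupted packet or decrementing TTL and recomputing the checksum. Addresses, identification and payload are constructed sample values.

```python
import struct
from dataclasses import dataclass

# Protocol numbers listed on the slide.
PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP",
                  89: "OSPF", 132: "SCTP"}

@dataclass
class Ipv4Header:
    version: int
    ihl: int                # header length in 32-bit words (minimum 5)
    tos: int
    total_length: int       # header + data, in bytes
    identification: int
    dont_fragment: bool     # DF flag
    more_fragments: bool    # MF flag
    fragment_offset: int    # in 8-byte units; 0 for the first fragment
    ttl: int
    protocol: int
    checksum: int
    src: str
    dst: str
    checksum_ok: bool       # recomputed checksum matches the field

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_checksum(header: bytes) -> int:
    """Header checksum, computed with the checksum field itself zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF

def parse_ipv4(packet: bytes) -> Ipv4Header:
    """Decode the header fields shown on the slides and verify the checksum."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte minimum header")
    (ver_ihl, tos, tlen, ident, flags_off, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    flags = flags_off >> 13          # three bits: reserved, DF, MF
    if flags & 0b100:
        raise ValueError("reserved flag bit must be zero")
    header = packet[:ihl * 4]
    return Ipv4Header(version, ihl, tos, tlen, ident,
                      bool(flags & 0b010), bool(flags & 0b001),
                      flags_off & 0x1FFF, ttl, proto, csum,
                      ".".join(map(str, src)), ".".join(map(str, dst)),
                      ip_checksum(header) == csum)

def build_ipv4(src, dst, payload, ident=1, ttl=64, protocol=6,
               df=False, mf=False, offset=0):
    """Construct a packet with no options and a correct header checksum."""
    def to_bytes(ip):
        return bytes(int(octet) for octet in ip.split("."))
    flags_off = (((df << 1) | mf) << 13) | offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, ttl, protocol, 0, to_bytes(src), to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload

def forward_hop(packet: bytes):
    """Per-hop processing as the slides describe it: compare the header
    checksum and discard on mismatch (or expired TTL); otherwise decrement
    TTL and recompute the checksum before forwarding."""
    h = parse_ipv4(packet)
    if not h.checksum_ok or h.ttl <= 1:
        return None
    hlen = h.ihl * 4
    hdr = bytearray(packet[:hlen])
    hdr[8] -= 1                               # TTL lives in header byte 8
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[hlen:]

# Constructed sample: a workstation sends a 20-byte TCP payload to a web
# server with Don't Fragment set; addresses and contents are made up.
PACKET = build_ipv4("192.168.1.10", "203.0.113.5", b"\x00" * 20,
                    ident=0x1234, ttl=64, df=True)
# The same packet with its TTL byte flipped in transit: checksum no longer matches.
CORRUPTED = PACKET[:8] + bytes([PACKET[8] ^ 0xFF]) + PACKET[9:]

if __name__ == "__main__":
    h = parse_ipv4(PACKET)
    print(f"{h.src} -> {h.dst} {PROTOCOL_NAMES.get(h.protocol, h.protocol)} "
          f"len={h.total_length} id={h.identification:#x} DF={h.dont_fragment} "
          f"MF={h.more_fragments} offset={h.fragment_offset} ttl={h.ttl} "
          f"checksum_ok={h.checksum_ok}")
    print("corrupted packet dropped at hop:", forward_hop(CORRUPTED) is None)
    print("ttl after one hop:", parse_ipv4(forward_hop(PACKET)).ttl)
```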

Page 36

Short Case

After performing a test on ABC Inc.’s network, a penetration tester discovered that outsiders are able to test internal hosts’ connectivity. He also discovered that outsiders are able to “map” ABC Inc.’s network, which allows them to determine the names and IP addresses of internal routers and firewalls.

1) What commands could the outsiders possibly use in their attempts?

2) What would you recommend doing in order to make it impossible for outsiders to (a) successfully test internal hosts’ connectivity, and (b) map ABC Inc.’s network? Be very specific in naming the actions that need to be taken to address the problem.

Page 37

Network & Computer Attacks

Page 38

ISC* Objectives

Confidentiality: Making sure that corporate data and transactions with partners remain confidential

Integrity: Making sure that software programs, local data, and data in-transit are not altered or destroyed

Availability: Making sure that computer and network resources or services remain available for users and are not disrupted

Accountability: Making sure that users are properly authenticated and their actions accounted for.

Authenticity: Also called non-repudiation. Making sure that business partners cannot deny their actions

* Information Security Countermeasures

C – Confidentiality
I – Integrity
A – Availability
A – Accountability/Authenticity

Page 39

Malicious Software attacks

Common types of malware: viruses, worms, Trojan horses, adware | spyware, logic bombs [Web bots]

Page 40

What is a virus?

A virus is malware that …

- attaches itself to files on a single computer
- can replicate from file to file
- does not stand on its own; needs a host file, a vector [unlike some other malware]
- does not spread across computers without human intervention (flash drive, email attachment, etc.)

Types of virus host / vector:

- Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux)
- Volume Boot Records of floppy disks and hard disk partitions | The master boot record (MBR) of a hard disk
- General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms).
- Application-specific script files (such as Telix-scripts)
- System specific autorun script files (such as the Autorun.inf file needed by Windows to automatically run software stored on USB Memory Storage Devices).
- Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, Microsoft Access database files, and AmiPro documents)

ELF = Executable and Linkable Format | PDFs & images, like HTML, may link to malicious code | PDFs can also be infected with malicious code

Page 41

Types of viruses

Based on host files:

- Boot sector viruses: attach themselves to files in the boot sector of the HD
- File infector viruses: attach themselves to program files and user files
- Macro viruses: attach to files with macro programs embedded.

Based on mutation techniques:

- Polymorphic viruses: mutate with every infection (using encryption techniques), making them hard to locate
- Metamorphic viruses: rewrite themselves completely each time they are to infect new executables*

* a metamorphic engine is needed

Page 42

Types of viruses (cont.)

Based on deception methods:

- Core MS-DOS viruses: make sure that the "last modified" date of a host file stays the same when the file is infected by the virus.
- Cavity viruses: infect files without increasing their sizes or damaging the files; overwrite unused areas of executable files. Examples: the CIH virus and the Chernobyl virus, which are 1 KB in size and infect Portable Executable files, which have many empty gaps.
- Antivirus PID killers: kill tasks associated with the antivirus
- Stealth: hides itself by intercepting disk access requests by antivirus programs. The stealth virus returns an uninfected version of files to the anti-virus software, so that infected files seem "clean”.

[Diagram: the antivirus sends a disk access request to the OS and the stealth virus intercepts it. Cavity example: File.exe of 300 KB on a 512 KB block.]

Page 43

Protecting against viruses

Signature-based antivirus programs

- Compare the contents of a file to a database of virus signatures
- A signature is an algorithm or a hash (a number or string of characters derived from the virus code) that uniquely identifies a specific virus.
- Must update the signature database periodically or use the automatic update feature if available

[Diagram: a database of virus signatures (example hash strings) compared against a list of files: Sales.xls, Forecast.doc, Staff.mdb, Ingredients.doc, Committees.xls, Minutes.accdb, …]

Question: Name two kinds of situations where signature-based antivirus won’t be effective.

Page 44

Protecting against viruses (cont.)

Heuristic-based antivirus that uses generic signatures

- Through mutation or refinements by attackers, viruses can grow into dozens of slightly different strains called variants
- Example: The Vundo trojan has evolved into two distinct family members, Trojan.Vundo and Trojan.Vundo.B
- A generic signature can be generated for a virus family.
- Heuristic analysis uses generic signatures to identify new malware or variants of known malware

Question: Is a generic signature more or less accurate than a specific virus’ signature?

Page 45

Protecting against viruses (cont.)

Heuristic-based antivirus that uses virtual machines

- Allows the antivirus program to simulate what would happen if the suspicious file were to be executed
- Executes the questionable program or script within a specialized virtual machine
- It then analyzes the execution, monitoring for common viral activities: replication, file overwrites, attempts to hide the existence of the suspicious file.
- If one or more virus-like actions are detected, the suspicious file is flagged as a potential virus.

Question: Which of the following is likely to lead to false positive virus identifications: signature-based or heuristic-based antivirus?

Page 46

Based on the descriptions, is the classification of the malware as a virus correct?

Page 47

Worms

- Do not attach to files | A worm stands on its own
- Self-replicating malware that can propagate across a network by itself
- Uses the host computer’s resources, and its own network application, to send copies of itself to other computers

Types of harm:

- Consuming network bandwidth. Morris and Mydoom are notorious
- Consuming host computer resources (processing, RAM)
- Deleting files (e.g. ExploreZip worm)
- Encrypting files (which leads to a cryptoviral extortion attack)
- Installing backdoor-zombie programs under the control of the worm author (e.g. Sobig)

Page 48

Protecting against worms

- Worms spread by exploiting OS vulnerabilities
- Make sure that unnecessary ports are not open
- Regular OS security updates are the best protection
- Other effective defense systems: antivirus programs; local firewall software can block incoming worms

Page 49

Trojan Programs

- Non-self-replicating malware
- That appears to be a useful program like a game, screen saver, free antivirus, etc.
- But is actually a backdoor or rootkit that facilitates remote access or a “take over” by a remote hacker

Once a Trojan horse is installed on a target computer, it can be used to do the following:

- Keystroke logging
- Data theft (e.g. passwords, credit card information, etc.)
- Installing other malware
- Using the host computer as part of a botnet for spamming or Distributed DoS
- Deleting or modifying files

Page 50

Trojan Programs (cont.)

You want to prevent Backdoor.Rtkit.B from communicating with the hacker’s computer. What action would you take at the firewall level?

Page 51

Protecting Against Malware Attacks at the organizational level

What is/are the most effective technical solution(s) that could be implemented at the network level to deal with malware attacks?

What is/are the most effective non-technical solution(s) that could be implemented in an organization to deal with malware attacks?

Page 52

Lab 3-related Questions

Page 53

You should know

- Recognize a SAM hash extracted in a text file
- Name of the programs used in Lab 3 to extract and crack passwords
- Know Windows’ command for creating (i.e. adding) and deleting user accounts
- Have a general understanding of password cracking