Review For Exam 1
February 4, 2010
MIS 4600 - MBA 5880 © Abdou Illia
Introduction to Ethical Hacking
Hackers
- Access a computer system or network without authorization
- Have different motivations (from proving their status to doing some damage)
Crackers
- Break into systems to steal or destroy data
For the U.S. Department of Justice they all break the law and can go to prison.
Hackers vs. Ethical Hackers
Ethical hacker
- Performs most of the same activities as hackers and crackers, but with the owner's permission
- Employed by companies to perform penetration or security tests
Red team
- Team of ethical hackers with varied skills (social engineering, ethics/legal issues, break-ins, etc.)
Penetration test vs. Security test
Penetration test
- Legally breaking into a company's network to find its weaknesses
- Tester only reports findings
Security test
- More than a penetration test. Also includes:
  - Analyzing the company's security policy and procedures
  - Offering solutions to secure or protect the network
Security Policy
- Sets rules for expected behaviors by users (e.g. regular patch downloads, strong passwords, etc.), IT personnel (e.g. no unauthorized access to users' files, ...), etc.
- Defines access control rules.
- Defines consequences of violations.
- Helps track compliance with regulations.
- Etc.
Examples of policy rules: "Passwords must not be written down"; "Access to files must be granted to the level required by users' job"
Hacking Tools
- Referred to as a "Tiger box" in the course textbook: a collection of OSs and tools that assist with hacking (network scanners, traffic monitors, keyloggers, password crackers, etc.)
- Practical Extraction and Report Language (Perl)
- C programming language
- Scripts, i.e. a set of instructions that runs in sequence
Questions
Which of the following may be part of a penetration test (P) or a security test (S)? Use "X" to indicate your answer.
P S
1. Breaking into a computer system without authorization.
2. Laying out specific actions to be taken in order to prevent dangerous packets from passing through firewalls.
3. Scanning a network in order to gather IP addresses of potential targets.
4. Finding that patches are not applied in a timely manner, as recommended by corporate rules.
5. Writing a report about a company's security defense system.
6. Scanning a network in order to find out what defense tools are being used.
7. Finding that users cannot change their passwords themselves.
8. Finding that a company does not have an effective password reset rule.
9. Finding out that a firewall does not block potentially dangerous packets.
10. Proposing a new procedure whose implementation may help improve systems security.
11. Finding out that the administrator's account is called Admin and has a weak password.
12. Finding out that 1/3 of the security procedures are not actually implemented.
13. Performing denial-of-service attacks.
14. Disabling network defense systems.
Penetration Testing Models
White box model
- Tester is told everything about the network topology and technology
- Tester is authorized to interview IT personnel and company employees
- Makes the tester's job a little easier
Note: some diagrams may show routers, firewalls, etc.
Penetration Testing Models (cont.)
Black box model
- Company staff does not know about the test
- Tester is not given details about the network; the burden is on the tester to find these details
- Tests whether security personnel are able to detect an attack
Question: What is the disadvantage of letting the company's employees know about the penetration test?
________________________________________________
Question: What is the disadvantage of letting the IT staff know about the penetration test?
________________________________________________
Penetration Testing Models (cont.)
Gray box model
- Hybrid of the white and black box models
- Company gives the tester partial information
TCP/IP Concepts
Overview of TCP/IP
- Transmission Control Protocol/Internet Protocol (TCP/IP): the most widely used protocol set
- Protocol: a common language used by computers for "speaking" to each other
- TCP/IP is a protocol set with four layers* (Application, Transport, Internet, Network Interface)
- IPX/SPX is another protocol set, used in Novell networks. Some companies protect their network by using IPX/SPX internally: hosts that do not speak TCP/IP cannot be reached directly from the Internet, a "poor man's firewall"
* A layer can be seen as a group of tasks/activities/jobs
[Figure: Computer 1 and Computer 2, each running the four layers, on a TCP/IP network; an IPX/SPX LAN shown alongside]
[Figure: the TCP/IP protocol set as four layers (Application, Transport, Internet, Network Interface) on Computer 1 and Computer 2]
TCP/IP is implemented as software and hardware that work together to create messages that can be "understood" by each computer.
The Application Layer
- Front end to the lower-layer protocols
- Many Application layer protocols: HTTP, FTP, SMTP, DNS, etc. (ARP, sometimes listed here, actually belongs to the Network Interface layer: it maps IP addresses to MAC addresses)
- Includes network services and client software. Examples: Web (HTTP service), Web browser
Commands/utilities for connecting to and using Application layer network services:
- ftp: used to transfer files between clients and servers
- telnet servername [port number]: to log on to a server
[Figure: the four layers on Computer 1, Application layer highlighted]
Using the ftp utility
- help: gives information about the ftp commands
- open ftp.eiu.edu: should open an ftp session with the ftp.eiu.edu server
- Some public anonymous ftp servers: ftp.arsc.edu, ftp.ussg.iu.edu, ftp.loc.gov/pub. Detailed list at http://www.ftp-sites.org/
[Instructor will show how to use ftp]
Unlike SFTP, FTP is not secure: the login name, password and file contents all travel in cleartext, and many servers also accept anonymous logins. Most companies do not allow FTP connections to their servers. A user who has an account can connect instead using an SFTP-based client program.
Questions
1) Based on your knowledge of the ftp utility and ftp-based client programs, what do you think a hacker needs in order to connect to a specific secure ftp server? Name three things that are absolutely required.
________________________, ______________________, ___________________
2) Which of the three things you have mentioned is the hardest to get?
_________________________
3) Once connected to an ftp server, a hacker can upload/download files only based on the permissions associated with the user account he/she used to connect. Imagine that the only permissions associated with the user account are to see and download files that are in the default ftp directory. Name two things that must occur to make it possible for the hacker to go beyond just seeing and downloading files in the default directory and be able, for instance, to browse through the entire directory structure and upload files to the server.
______________________________, _______________________________
The Transport Layer
- Prepares Application layer messages for proper "transportation" to a receiving device
- Main protocols used: TCP for connection-oriented "dialog"; the User Datagram Protocol (UDP) for connectionless transmissions
- In connection-oriented communication, makes sure messages arrive at the destination exactly as they left the source (in order, with nothing lost or duplicated)
- TCP opens connections using a 3-way handshake:
  1. Computer 1 sends a synchronization (SYN) request
  2. Computer 2 replies with a SYN-ACK packet
  3. Computer 1 replies with an ACK packet
[Figure: Computer 1 and Computer 2, each with the four layers, exchanging SYN, SYN/ACK and ACK]
The Internet Layer
- Responsible for routing packets to their destination address
- Uses a logical address, called an IP address
- Main protocols used: IP and ICMP
Internet Control Message Protocol (ICMP)
- Used to send messages related to network operations
- Helps in troubleshooting a network
- Some Internet layer commands/utilities for troubleshooting network connections (more complex versions are included in hacking tools):
  - ping: determines whether a computer is reachable
  - traceroute (Linux) and tracert (Windows): determine the route taken to reach a computer
[Figure: the four layers on Computer 1, Internet layer highlighted]
ICMP message types are used by network administrators to troubleshoot network connectivity (echo request, type 8, and echo reply, type 0, are what the ping command sends and receives) and to track an IP packet's route (traceroute and tracert send probes with increasing TTL values and rely on the Time Exceeded messages, type 11, that each router along the path sends back). Each type carries a code field that refines its meaning.
Filtering on the appropriate ICMP types and codes lets firewalls be configured to prevent network reconnaissance and attacks by outsiders.
Using the ping utility
- Most companies do not allow "pinging" their computers from outside.
[Screenshots: pinging under the Windows OS; pinging under Linux]
- Later, we will see how some of these ping options may be used in security attacks.
Using tracert and traceroute
- As Internet layer tools, tracert and traceroute generate a network map, showing the path taken to reach a target computer.
- Some of these options may be abused by hackers, as we will see later.
- [Screenshot note] One of the hops shown is likely a firewall or a router in EIU's network whose real IP address is hidden using Network Address Translation.
Questions
[Screenshot: pinging under the Windows OS]
Based on your knowledge of the PING command, what possible damage may be done when it is used with the -l option?
The Network Interface Layer
- Represents the network pathway (i.e. transmission media)
- Implemented through Network Interface Cards (NICs)
- Includes the Medium Access Control (MAC) address (the MAC address is a physical address recorded on the NIC)
- Breaks messages into short frames and adds the MAC address to each
- Converts messages into signals for transmission
[Figure: the four layers on Computer 1, Interface layer highlighted]
Sending a message using TCP/IP
- Generating the message at the Application layer
- Encapsulation: adding protocol headers (H) and trailers (T) to pack the message as it passes down the layers of the user PC and onto the transmission medium:
  Application: HTTP request (example: http://www.eiu.edu)
  Transport: TCP-H | HTTP req. = TCP segment
  Internet: IP-H | TCP-H | HTTP req. = IP packet
  Network Interface: NI-H | IP-H | TCP-H | HTTP req. | NI-T = frame(s)
Receiving a TCP/IP message
- Frames arrive through the network interface
- De-encapsulation: removing protocol headers (H) and trailers (T) layer by layer (Network Interface, then Internet, then Transport) to access the HTTP request at the Application layer
TCP Segment
Header layout (bit positions 0-31 across each 32-bit word):
  Source port (16 bits) | Destination port (16 bits)
  Sequence number (32 bits)
  Acknowledgment number (32 bits)
  Data offset (4) | Reserved (4) | Flags: CWR ECE URG ACK PSH RST SYN FIN (8) | Window size (16)
  Checksum (16 bits) | Urgent pointer (16 bits)
  Options (present if Data offset > 5)
  Data field (should contain the HTTP request, based on our previous example)
Source port (16 bits) – a number that identifies the Application layer program used to send the message.
Destination port (16 bits) – a number that identifies the Application layer program the message is destined to.
Sequence number (32 bits) – numbers the bytes of the data stream so the receiver can put segments back in order, detect missing ones and reassemble the message. Attackers who can guess a connection's sequence numbers can inject segments and hijack the conversation. Has a dual role:
- If the SYN flag is set, this is the initial sequence number (ISN). The sequence number of the actual first data byte (and the acknowledgment number in the corresponding ACK) is then this value plus 1.
- If the SYN flag is clear, this is the sequence number of the first data byte in the segment.
Acknowledgment number (32 bits) – if the ACK flag is set, the value of this field is the next sequence number that the receiver is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end's initial sequence number itself, but no data.
Data offset (4 bits) – specifies the size of the TCP header in 32-bit words. The minimum header is 5 words and the maximum is 15 words, giving a minimum size of 20 bytes and a maximum of 60 bytes, allowing for up to 40 bytes of options. The field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.
TCP Segment (cont.)
Flags (8 bits) (aka control bits) – eight 1-bit flags:
- CWR – Congestion Window Reduced: set by the sending host to indicate that it received a TCP segment with the ECE flag set and has responded with its congestion control mechanism (added to the header by RFC 3168).
- ECE – Explicit Congestion Notification Echo: if the SYN flag is set, indicates that the TCP peer is ECN capable; if the SYN flag is clear, indicates that a packet with the Congestion Experienced flag set in its IP header was received during normal transmission (added to the header by RFC 3168).
- URG – indicates that the Urgent pointer field is significant.
- ACK – indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
- PSH – Push function: deliver the buffered data to the application right away.
- RST – Reset the connection.
- SYN – Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag; some are only valid when it is set, others only when it is clear.
- FIN – No more data from the sender.
TCP Segment (cont.)
Window size (16 bits) – the size of the receive window, which specifies the number of bytes (beyond the sequence number in the acknowledgment field) that the receiver is currently willing to receive.
Checksum (16 bits) – used for error-checking of the header and data (computed together with a pseudo-header containing the source and destination IP addresses).
Urgent pointer (16 bits) – if the URG flag is set, this field is an offset from the sequence number indicating the last urgent data byte.
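The 3-way handshake from the Transport layer section and the header fields described above, worked together as one added example (this is not code from the slides or the course textbook): the script packs the SYN, SYN/ACK and ACK segments, parses them back field by field, and checks the sequence/acknowledgment arithmetic that makes the handshake valid. The port numbers, initial sequence numbers and HTTP payload are made-up sample values; the checksum field is left at zero because computing it requires the IP pseudo-header, which this example does not build.

```python
"""TCP segment build/parse and 3-way handshake check.

Added example for this review sheet, not code from the original slides.
Segments are constructed by hand (no sockets); the checksum field is left
at 0 because computing it needs the IP pseudo-header.
"""
import struct

# Flag bits in header order; CWR is the high bit of the 8-bit flags byte.
FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
HEADER_FMT = "!HHIIBBHHH"   # ports, seq, ack, offset/reserved, flags, window, csum, urg


def build_segment(src_port, dst_port, seq, ack, flags, window=65535, payload=b""):
    """Pack a 20-byte TCP header (data offset 5, no options) plus payload."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    offset_reserved = 5 << 4          # high nibble: header length in 32-bit words
    header = struct.pack(HEADER_FMT, src_port, dst_port, seq & 0xFFFFFFFF,
                         ack & 0xFFFFFFFF, offset_reserved, flag_byte, window, 0, 0)
    return header + payload


def parse_segment(raw):
    """Decode the fixed header, the flag names, any options and the data field."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    (src, dst, seq, ack, offset_reserved, flag_byte,
     window, checksum, urgent) = struct.unpack(HEADER_FMT, raw[:20])
    data_offset = offset_reserved >> 4
    header_len = data_offset * 4
    if data_offset < 5 or header_len > len(raw):
        raise ValueError("bad data offset %d" % data_offset)
    flags = [name for name, bit in FLAG_BITS.items() if flag_byte & bit]
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "data_offset": data_offset, "flags": flags, "window": window,
            "checksum": checksum, "urgent_pointer": urgent,
            "options": raw[20:header_len], "data": raw[header_len:]}


def next_seq(seg):
    """Sequence number the peer must acknowledge next: data bytes count, and
    SYN and FIN each consume one sequence number although they carry no data."""
    n = seg["seq"] + len(seg["data"])
    n += ("SYN" in seg["flags"]) + ("FIN" in seg["flags"])
    return n & 0xFFFFFFFF


def check_handshake(syn, synack, ack):
    """True if three parsed segments form a valid SYN, SYN/ACK, ACK exchange.
    Each side must acknowledge the other's ISN + 1, and the final ACK must
    carry the client's ISN + 1 as its own sequence number. A reply that gets
    these numbers wrong (e.g. spoofed by an attacker who only guessed near
    the ISN) is rejected, just as a TCP stack would ignore it."""
    if syn["flags"] != ["SYN"] or ack["flags"] != ["ACK"]:
        return False
    if sorted(synack["flags"]) != ["ACK", "SYN"]:
        return False
    return (synack["ack"] == next_seq(syn)
            and ack["seq"] == next_seq(syn)
            and ack["ack"] == next_seq(synack))


def demo():
    """Constructed sample exchange: client port 49152 to a Web server on port 80."""
    client_isn, server_isn = 0x1A2B3C4D, 0x77777777
    wire = [
        build_segment(49152, 80, client_isn, 0, ["SYN"]),
        build_segment(80, 49152, server_isn, client_isn + 1, ["SYN", "ACK"]),
        build_segment(49152, 80, client_isn + 1, server_isn + 1, ["ACK"]),
        # first data segment: the HTTP request from the encapsulation example
        build_segment(49152, 80, client_isn + 1, server_isn + 1, ["PSH", "ACK"],
                      payload=b"GET / HTTP/1.1\r\nHost: www.eiu.edu\r\n\r\n"),
    ]
    segs = [parse_segment(s) for s in wire]
    return check_handshake(*segs[:3]), segs


if __name__ == "__main__":
    ok, segs = demo()
    print("handshake valid:", ok)
    for s in segs:
        print(s["flags"], "seq=%d ack=%d data=%d bytes" % (s["seq"], s["ack"], len(s["data"])))
```

Running the script prints the parsed flags and numbers of each segment; feeding check_handshake a SYN/ACK whose acknowledgment number is the client's ISN rather than ISN + 1 makes it return False, which is the same off-by-one that separates a guessed sequence number from a usable one.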
TCP Ports
- A port number identifies the service that is running
- Knowing which ports are open helps you stop or disable services that are not needed
- Open ports are an invitation for an attack
- Only ports 0 through 1023 are considered well-known
- The list of well-known ports is available at the Internet Assigned Numbers Authority (IANA) Web site (www.iana.org)
Port | Service | Explanation
20 and 21 | File Transfer Protocol (FTP) | Used for sharing files over the Internet. Requires a logon name and password (although anonymous logins are often allowed). More secure than Trivial File Transfer Protocol (TFTP)
25 | Simple Mail Transfer Protocol (SMTP) | E-mail servers listen on this port
53 | Domain Name Service (DNS) | Helps users connect to Web sites using URLs instead of IP addresses
69 | Trivial File Transfer Protocol (TFTP) | Can be implemented using a very small amount of memory. Runs on top of the User Datagram Protocol (UDP), port 69. Used for transferring router configurations. Only reads and writes files from/to a remote server; it cannot list directories. Currently has no provisions for user authentication
80 | Hypertext Transfer Protocol (HTTP) | Used when connecting to a Web server
110 | Post Office Protocol 3 (POP3) | Used for retrieving e-mail from a server
119 | Network News Transfer Protocol (NNTP) | For use with newsgroups
135 | Remote Procedure Call (RPC) | Critical for the operation of Microsoft Exchange Server and Active Directory
139 | NetBIOS | Used by Microsoft's NetBIOS Session Service
143 | Internet Message Access Protocol 4 (IMAP4) | Used for retrieving e-mail. More capable than POP3: can keep mail on the server, allows searches, etc.
Note: TFTP (69) and most DNS traffic (53) actually use UDP rather than TCP.
The netstat command line utility displays the open ports on a computer, indicating what services/applications are running.
IP Header
Header layout (bit positions 0-31 across each 32-bit word):
  Version (4) | Header length (4) | Type of Service (8) | Total Length (16)
  Identification (16) | Flags (3) | Fragment Offset (13)
  Time to Live (8) | Protocol (8) | Header Checksum (16)
  Source Address (32)
  Destination Address (32)
  Options (present if Header length > 5)
  Data
Version – indicates the version of IP in four bits. Should be 0100 for IPv4.
Internet Header Length (IHL) – tells the number of 32-bit words in the IP header (minimum 5, i.e. 20 bytes).
TOS – indicates the quality of service requested for delivering the packet: normal delay, high reliability, normal cost, high cost, etc.
Total Length – defines the entire packet size (header + data) in bytes. The minimum length is 20 bytes (20-byte header + 0 bytes of data) and the maximum is 65,535. Subnetworks may impose restrictions on the size, in which case packets must be fragmented. Fragmentation is handled in either the host or the router.
Identification – primarily used for uniquely identifying the fragments of an original IP packet.
Flags – a three-bit field used to control or identify fragments. They are (in order, from high-order to low-order bit):
- Reserved, must be zero.
- Don't Fragment (DF): if the DF flag is set and fragmentation is required to route the packet, then the packet is dropped.
- More Fragments (MF): when a packet is fragmented, all fragments have the MF flag set except the last fragment.
Fragment Offset – specifies the offset of a particular fragment relative to the beginning of the original unfragmented IP packet, in units of 8 bytes. The first fragment has an offset of zero.
TTL – helps prevent packets from persisting (e.g. going in circles) on an internet. Originally specified in seconds, with intervals of less than 1 second rounded up to 1; in practice every router decrements it by one, so it works as a hop count, and a packet whose TTL reaches zero is discarded (the router sends back an ICMP Time Exceeded message, which is what traceroute relies on).
Protocol – defines the protocol used in the data portion of the IP packet. Common protocols and their codes are: 1: Internet Control Message Protocol (ICMP), 2: Internet Group Management Protocol (IGMP), 6: Transmission Control Protocol (TCP), 17: User Datagram Protocol (UDP), 89: Open Shortest Path First (OSPF), 132: Stream Control Transmission Protocol (SCTP).
Header Checksum – used for error-checking of the header. At each hop, the checksum of the header must be recomputed and compared to the value of this field (the TTL changes at every hop, so the checksum must be updated too). If the header checksum is found to be mismatched, the packet is discarded. Note that errors in the data field are left to the encapsulated protocol to handle.
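The IP header fields above, the per-hop checksum check, and the ICMP echo messages that ping exchanges (types 8 and 0, from the Internet layer section earlier), worked together as one added example; this is not code from the slides or the course textbook. All packets and addresses are constructed inline (203.0.113.5 stands in for an outside host, 192.168.1.10 for an internal one), and border_filter is a toy illustration of the kind of ICMP rule the slides mention, not the syntax of any real firewall.

```python
"""IPv4 header parse/verify plus ICMP echo (ping) build/parse.

Added example for this review sheet, not code from the original slides.
Every packet is constructed inline (no raw sockets), the addresses are
documentation/private ranges, and border_filter is a toy rule, not any
firewall product's syntax.
"""
import struct

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 89: "OSPF", 132: "SCTP"}
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11
IP_FMT = "!BBHHHBBH4s4s"     # 20-byte header without options
ICMP_ECHO_FMT = "!BBHHH"     # type, code, checksum, identifier, sequence


def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(text):
    return bytes(int(part) for part in text.split("."))


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0x1234, flags=0, frag_offset=0):
    """Pack an IPv4 header (IHL 5) with a correct checksum. flags is the 3-bit
    field (0b010 = DF, 0b001 = MF); frag_offset is in 8-byte units."""
    version_ihl = (4 << 4) | 5
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack(IP_FMT, version_ihl, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(raw):
    """Decode the header fields and verify the checksum the way each hop does."""
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    (version_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IP_FMT, raw[:20])
    version, ihl = version_ihl >> 4, version_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet")
    hlen = ihl * 4
    if ihl < 5 or hlen > len(raw) or total_len > len(raw) or total_len < hlen:
        raise ValueError("inconsistent length fields")
    flags = flags_frag >> 13
    return {"version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
            "identification": ident, "df": bool(flags & 0b010), "mf": bool(flags & 0b001),
            "fragment_offset": (flags_frag & 0x1FFF) * 8, "ttl": ttl,
            "protocol": PROTO_NAMES.get(proto, str(proto)),
            "checksum_ok": inet_checksum(raw[:hlen]) == 0,
            "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
            "options": raw[20:hlen], "payload": raw[hlen:total_len]}


def build_icmp_echo(ident, seq, payload=b"", reply=False):
    """ICMP echo request (type 8) or echo reply (type 0), the messages ping exchanges."""
    icmp_type = ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST
    body = struct.pack(ICMP_ECHO_FMT, icmp_type, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp(raw):
    icmp_type, code, _csum = struct.unpack("!BBH", raw[:4])
    return {"type": icmp_type, "code": code,
            "checksum_ok": inet_checksum(raw) == 0, "rest": raw[4:]}


def border_filter(packet, inbound):
    """Toy border rule: drop packets with a bad header, inbound echo requests
    (so outsiders cannot ping internal hosts) and outbound Time Exceeded
    messages (so a traceroute from outside gets no replies). Returns 'drop'/'accept'."""
    ip = parse_ipv4(packet)
    if not ip["checksum_ok"]:
        return "drop"
    if ip["protocol"] == "ICMP":
        icmp = parse_icmp(ip["payload"])
        if inbound and icmp["type"] == ICMP_ECHO_REQUEST:
            return "drop"
        if not inbound and icmp["type"] == ICMP_TIME_EXCEEDED:
            return "drop"
    return "accept"


def demo():
    """Constructed outsider ping: 203.0.113.5 (outside) -> 192.168.1.10 (inside)."""
    echo = build_icmp_echo(ident=0x0ABC, seq=1, payload=b"abcdefghijklmnop")
    pkt = build_ipv4("203.0.113.5", "192.168.1.10", 1, echo, ttl=128)
    fields = parse_ipv4(pkt)
    damaged = bytearray(pkt)
    damaged[8] = 1                  # change the TTL without recomputing the checksum
    return fields, border_filter(pkt, inbound=True), parse_ipv4(bytes(damaged))["checksum_ok"]


if __name__ == "__main__":
    fields, verdict, damaged_ok = demo()
    print("%s -> %s proto=%s ttl=%d checksum_ok=%s" % (
        fields["src"], fields["dst"], fields["protocol"], fields["ttl"], fields["checksum_ok"]))
    print("border verdict for inbound echo request:", verdict)
    print("damaged header passes checksum:", damaged_ok)
```

The damaged copy in demo shows why a router that decrements the TTL must also rewrite the checksum: a header whose TTL changed but whose checksum did not is discarded at the next hop.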
Short Case
After performing a test on ABC Inc.'s network, a penetration tester discovered that outsiders are able to test internal hosts' connectivity. He also discovered that outsiders are able to "map" ABC Inc.'s network, which allows them to determine the names and IP addresses of internal routers and firewalls.
1) What commands could the outsiders possibly use in their attempts?
2) What would you recommend doing in order to make it impossible for outsiders to (a) successfully test internal hosts' connectivity, and (b) map ABC Inc.'s network? Be very specific in naming the actions that need to be taken to address the problem.
Network & Computer Attacks
ISC* Objectives
- Confidentiality: making sure that corporate data and transactions with partners remain confidential
- Integrity: making sure that software programs, local data, and data in transit are not altered or destroyed
- Availability: making sure that computer and network resources or services remain available to users and are not disrupted
- Accountability: making sure that users are properly authenticated and their actions accounted for
- Authenticity: also called non-repudiation. Making sure that a business partner cannot deny their actions
* Information Security Countermeasures
C – Confidentiality, I – Integrity, A – Availability, A – Accountability/Authenticity
Malicious Software Attacks
Common types of malware: viruses, worms, Trojan horses, adware/spyware, logic bombs, [Web bots]
What is a virus?
A virus is malware that:
- attaches itself to files on a single computer
- can replicate from file to file
- does not stand on its own; it needs a host file (a vector), unlike some other malware
- does not spread across computers without human intervention (flash drive, e-mail attachment, etc.)
Types of virus host / vector
- Binary executable files (such as COM and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux; ELF = Executable and Linkable Format)
- Volume Boot Records of floppy disks and hard disk partitions, and the master boot record (MBR) of a hard disk
- General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms)
- Application-specific script files (such as Telix scripts)
- System-specific autorun script files (such as the Autorun.inf file Windows uses to automatically run software stored on USB memory storage devices)
- Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, Microsoft Access database files, and AmiPro documents)
- PDFs and images, like HTML, may link to malicious code; PDFs can also be infected with malicious code
Types of viruses
Based on host files
- Boot sector viruses: replace or attach themselves to the boot code in the boot sector or MBR of the hard disk, so they run before the operating system loads
- File infector viruses: attach themselves to program files and user files
- Macro viruses: attach to files with embedded macro programs
Based on mutation techniques
- Polymorphic viruses: mutate with every infection (using encryption techniques, so the body looks different each time), making them hard to locate
- Metamorphic viruses: rewrite themselves completely each time they infect new executables* (* a metamorphic engine is needed)
Types of viruses (cont.)
Based on deception methods
- Some MS-DOS viruses make sure that the "last modified" date of a host file stays the same when the file is infected by the virus.
- Cavity viruses: infect files without increasing their size or damaging them, by overwriting unused areas of executable files. Example: the CIH (Chernobyl) virus, about 1 KB in size, infects Portable Executable files, which have many empty gaps.
- Antivirus PID killers: kill the tasks (processes) associated with antivirus software.
- Stealth viruses: hide by intercepting disk access requests from antivirus programs. The stealth virus returns an uninfected version of the file to the antivirus software, so that infected files seem "clean".
[Figure: antivirus request -> OS -> stealth virus intercepts and returns a clean copy; cavity illustration: File.exe of 300 KB stored in a 512 KB block]
Protecting against viruses
Signature-based antivirus programs
- Compare the contents of a file to a database of virus signatures
- A signature is an algorithm or a hash (a number or string of characters derived from the virus code) that uniquely identifies a specific virus
- Must update the signature database periodically, or use the automatic update feature if available
[Figure: a list of virus signatures (e.g. "67344883409999999999", "DF56eeb&^fgkFT&&&88jjj", "01000010100000000000", ...) compared against a list of files (Sales.xls, Forecast.doc, Staff.mdb, Ingredients.doc, Committees.xls, Minutes.accdb, ...)]
Question: Name two kinds of situation where signature-based antivirus won't be effective?
Protecting against viruses (cont.)
Heuristic-based antivirus that uses generic signatures
- Through mutation or refinements by attackers, viruses can grow into dozens of slightly different strains called variants
- Example: the Vundo trojan has evolved into two distinct family members, Trojan.Vundo and Trojan.Vundo.B
- A generic signature can be generated for a virus family
- Heuristic analysis uses generic signatures to identify new malware or variants of known malware
Question: Is a generic signature more or less accurate than a specific virus's signature?
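The exact-signature scan from the previous slide and the generic (family) signature described above, as one added example (this is not code from the slides, the course textbook or any antivirus product). The "files", the virus strain bytes and the signatures are all constructed; Example.Virus.A and Example.Virus.Gen are placeholder names.

```python
"""Exact (hash) and generic (wildcard) virus signature matching.

Added example for this review sheet, not code from the original slides or
from any antivirus product. The files, the strain bytes and the signatures
are all constructed; the names Example.Virus.A/.Gen are placeholders.
"""
import hashlib
import re

# Two constructed "infections" of one family: strain B differs from A in two
# bytes, the kind of change a polymorphic engine makes between infections.
STRAIN_A = bytes.fromhex("55 8b ec 83 ec 10 e8 12 34 56 78 90 90 c3")
STRAIN_B = bytes.fromhex("55 8b ec 83 ec 20 e8 99 34 56 78 90 90 c3")

# Constructed files: two benign, two carrying a strain inside other content.
FILES = {
    "Sales.xls":     b"\xd0\xcf\x11\xe0" + b"sales figures, first quarter",
    "Forecast.doc":  b"\xd0\xcf\x11\xe0" + b"forecast text" + STRAIN_A + b"more text",
    "Staff.mdb":     b"Standard Jet DB" + b"\x00" * 16,
    "Minutes.accdb": b"Standard ACE DB" + b"\x00" * 4 + STRAIN_B,
}

# Exact signature: the strain's length and the hash of its bytes.
EXACT_SIGNATURES = {
    "Example.Virus.A": (len(STRAIN_A), hashlib.sha256(STRAIN_A).hexdigest()),
}

# Generic (family) signature: bytes all variants share, ?? where they differ.
GENERIC_SIGNATURES = {
    "Example.Virus.Gen": "55 8b ec 83 ec ?? e8 ?? 34 56 78",
}


def pattern_to_regex(pattern):
    """'55 8b ?? c3' -> compiled bytes regex where ?? matches any one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan_exact(data, signatures=EXACT_SIGNATURES):
    """Hash every window of the signature's length and compare with the stored
    digest. One changed byte anywhere in the strain yields a different hash,
    which is why an exact signature misses mutated variants."""
    hits = []
    for name, (length, digest) in signatures.items():
        for start in range(len(data) - length + 1):
            if hashlib.sha256(data[start:start + length]).hexdigest() == digest:
                hits.append(name)
                break
    return hits


def scan_generic(data, signatures=GENERIC_SIGNATURES):
    """Match family patterns; wildcards let one signature cover many variants,
    but the wider the wildcards, the more benign files can match as well."""
    return [name for name, pat in signatures.items() if pattern_to_regex(pat).search(data)]


def scan_all(files=FILES):
    """{filename: (exact hits, generic hits)} for every constructed file."""
    return {name: (scan_exact(data), scan_generic(data)) for name, data in files.items()}


if __name__ == "__main__":
    for name, (exact, generic) in scan_all().items():
        print("%-14s exact=%-20s generic=%s" % (name, exact or "-", generic or "-"))
```

Running scan_all() shows Forecast.doc caught by both signatures, while Minutes.accdb, which carries the mutated strain, is caught only by the generic one; the benign files match neither.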
Protecting against viruses (cont.)
Heuristic-based antivirus that uses virtual machines
- Allows the antivirus program to simulate what would happen if the suspicious file were executed
- Executes the questionable program or script within a specialized virtual machine
- Then analyzes the execution, monitoring for common viral activities: replication, file overwrites, attempts to hide the existence of the suspicious file
- If one or more virus-like actions are detected, the suspicious file is flagged as a potential virus
Question: Which of the following is likely to lead to false positive virus identifications: signature-based or heuristic-based antivirus?
Based on the descriptions, is the classification of the malware as a virus correct?
Worms
- Do not attach to files; a worm stands on its own
- Self-replicating malware that can propagate across a network by itself
- Uses the host computer's resources, and its own network application, to send copies of itself to other computers
Types of harm:
- Consuming network bandwidth (Morris and Mydoom are notorious)
- Consuming host computer resources (processing, RAM)
- Deleting files (e.g. the ExploreZip worm)
- Encrypting files (which leads to a cryptoviral extortion attack)
- Installing backdoor/zombie programs under the control of the worm author (e.g. Sobig)
Protecting against worms
- Worms spread by exploiting OS vulnerabilities
- Make sure that unnecessary ports are not open
- Regular OS security updates are the best protection
- Other effective defenses: antivirus programs; local firewall software can block incoming worms
[Figure: two hosts' four-layer TCP/IP stacks]
Trojan Programs
- Non-self-replicating malware
- Appears to be a useful program (game, screen saver, free antivirus, etc.)
- But is actually a backdoor or rootkit that facilitates remote access or a "take over" by a remote hacker
- Once a Trojan horse is installed on a target computer, it can be used for:
  - Keystroke logging
  - Data theft (e.g. passwords, credit card information, etc.)
  - Installing other malware
  - Using the host computer as part of a botnet for spamming or Distributed DoS
  - Deleting or modifying files
Trojan Programs (cont.)
You want to prevent Backdoor.Rtkit.B from communicating with the hacker's computer. What action would you take at the firewall level?
Protecting Against Malware Attacks at the organizational level
What is/are the most effective technical solution(s) that could be implemented at the network level to deal with malware attacks?
What is/are the most effective non-technical solution(s) that could be implemented in an organization to deal with malware attacks?
Lab 3-related Questions
You should:
- Recognize a SAM hash extracted in a text file
- Know the names of the programs used in Lab 3 to extract and crack passwords
- Know Windows' command for creating (i.e. adding) and deleting user accounts
- Have a general understanding of password cracking