Why do I need Security by tae66661


									Hacking Exposed




      hacking     page 1
Contents (I)
• Part 1
  – Types of threats: structured and unstructured
  – Sources of threats: internal and external
• Part 2: Email attacks
  – Typical email attacks
  – Factors that make viruses spread
  – Types of virus
  – Types of worm
  – How to protect email clients
  – How to protect email servers

Contents (II)
• Part 3: TCP/IP hacking
  – Sniffing
  – Spoofing
  – Hijacking
  – ARP attacks
  – RARP attacks
• Part 4: Measures to mitigate attacks
  – Types of malicious code
  – Other attacks
  – Countermeasures: anti-virus, scanners, applying patches, user awareness education

Types of threats
• In a recent survey conducted by the Computer Security Institute (CSI), 70% of the organizations polled stated that their network security defenses had been breached. Of these incidents, 60% (2004) and 50% (2005) originated from within the organization.
• There are basically two types of threat:
  – Structured threats
  – Unstructured threats
• There are also two sources of threat:
  – Internal threats
  – External threats

Structured threats
• Structured threats come from attackers who are highly motivated and technically competent.
• These attackers have the technical proficiency to understand existing tools, adapt current hacking tools, and create new custom tools.
  – Usually this type of attacker acts alone.
  – They use sophisticated hacking techniques to penetrate unsuspecting organizations.

Unstructured threats
• Most unstructured attacks against networks come from moderately skilled attackers. Most of the time these attacks are driven by personal gratification.
  – A small percentage of the time these attacks are malicious in nature.
  – But the impact can still be significant.
• Hacking tools and scripts abound on numerous Internet sites. Intellectual curiosity drives many novice hackers to download these tools and experiment with them on local and remote networks. Others get a thrill out of breaking into computers.

Internal threats
• Internal threats are perpetrated by those inside an organization through intentional or unintentional activities such as the following:
  – Current employees with malicious intent
  – Current employees acting unintentionally
  – Employees who mismanage the environment: employees who do not use safe passwords or who misconfigure network equipment out of ignorance
  – Legitimate users accessing networked services that would normally be restricted to them (i.e. log-on abuse)

External threats
• External threats are carried out by those outside an organization through intentional or unintentional activities. Typical sources:
  – Thrill seekers
  – Competitors
  – Enemies
  – Thieves
  – Spies
  – Hostile former employees
  – Others

Part 2: Email attacks
Typical email attacks
Factors that make viruses spread
Types of virus
Types of worm
How to protect email clients
How to protect email servers

Email attacks
• The Internet is very prone to attack.
• Worms are able to spread because many systems blindly trust each other.
• The internal software components of each server also blindly trust each other.
• Applications that make things simple can cause problems, e.g. a preview pane that automatically opens attachments.
• Unchecked (unpatched) system bugs.

Typical email attacks: virus
• Virus
  – A binary file that requires human intervention in order to spread (e.g. download, double-click, or transfer on a floppy disk).
  – RFC 1135 states: "A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it."
  – Macro virus: code written in the macro language of a convenience mini-application (e.g. a word processor) residing on the victim's machine; it can damage the computer system.
    • For example, Melissa is a macro virus.

Typical email attacks: worm
• Worm
  – Spreads to other systems with little or no user intervention; once activated it spreads by itself.
  – RFC 1135 states: "A worm is a program that can run independently, will consume the resources of its host and/or network from within in order to maintain itself, and can propagate a complete working version of itself on to other machines."
  – Current anti-virus software classifies:
    • a worm as code that propagates between hosts
    • a virus as code that propagates only within a single host
    • Note: some malicious code does both!

Factors that make viruses spread
• A homogeneous network (a single platform everywhere) makes spreading easier than a heterogeneous network does.
• A network with a standard mail user agent (e.g. MS Outlook, now installed with MS Windows).
• An operating system with user-configurable automation facilities, such as the Component Object Model.
• Ubiquitous networks that use TCP/IP.

Typical email attacks: Trojan
• Code disguised as an innocent program but behaving in an unexpected, usually malicious, manner.
  – Examples: electronic greeting cards, chain letters.
• Limitation: the user needs to be convinced to accept/run it.
• Defense: don't run programs that you don't know.

Anatomy of malicious code
• Two components:
  – Propagation
    • The delivery mechanism is the method by which the code spreads itself. In the old days: floppy disks; now: the Internet, via email or web pages.
  – Payload
    • Code that is executed if triggered.
      – e.g. the Michelangelo virus, which destroys the hard disk's partition table
    • Some viruses have no payload; they only infect and spread.

Types of virus
• Boot sector virus
  – Moves data within the boot sector or overwrites the sector with new information.
• Stealth virus
  – Hides the modifications that it has made to files or boot records.
• Polymorphic virus
  – Produces varied but operational copies of itself.
• Multipartite virus
  – Infects both the boot sector of a hard drive and executable files.
• Self-garbling virus
  – Attempts to hide from antivirus software by garbling (encoding) its own code. As the virus spreads it changes the way its code is encoded.
  – Also known as polymorphism or virus mutation.

Types of worm
• True worm
  – Requires no human intervention to spread.
  – Functions only on a homogeneous network.
  – Requires the worm to be written for the same platform as the mail server it targets.
  – Rare, as it requires high skill.
• Protocol worm
  – Uses a transport protocol, such as TCP/IP, to spread without human intervention.
  – e.g. the Morris worm (1988)
    • Named after its creator, Robert Morris.
    • Exploited a buffer overflow in fingerd and the DEBUG command in sendmail to break into systems running Berkeley UNIX.

Types of worm (2)
• Hybrid worm
  – Requires a low level of user intervention to spread, but also acts like a virus.
  – Behaves like a virus in that it delivers a payload.
  – Exhibits worm behavior: able to spread automatically from system to system.
  – e.g. Melissa (1999) and the later mass-mailers LoveLetter, BubbleBoy and LifeStages
    • A Word macro, Document_Open(), runs when the user opens the infected document.
    • It checks whether the email application is Outlook; if so, it composes a list of the first 50 email addresses found in the user's address book and sends the email in the victim's name.
    • It attaches itself (the infected document) to a one-line email.

How to protect email clients
• Purchase an anti-virus package
  – Scanning attachments takes time and processor cycles.
  – It may not find new viruses if the signatures are not updated regularly.
• Obtain a personal firewall
  – Tells you the IP address and/or resolved host name of each connection.
  – Filters TCP/IP packets.
  – Can stop a system from sending and/or receiving email.
• Encrypt your transmissions: install applications such as PGP.

How to protect email servers
• Harden the email server's OS: lock down unnecessary ports, upgrade the system with the latest stable server patches and bug fixes, and change default settings.
• Place the system behind a firewall.
  – Configure the server to accept connections from certain hosts only.
  – Email scanning: scanning the body of email messages helps to protect email users, the MTA and the MDA.
  – Attachment scanning: scan all attachments and block those suspected of containing a virus. For the security-conscious admin, the option is to disallow email attachments altogether (or at least the executable types).

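The attachment-filtering step above, written out as an added example (not code from the slides): a gateway policy that parses a message with Python's standard `email` package, inspects every extension of each attachment name (so `photo.jpg.exe` is still an executable), rejects the message when an executable is present and quarantines macro-capable Office formats for scanning. The extension lists and the sample message are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Assumed gateway policy lists (not from the original slides): executables and scripts are
# refused outright; macro-capable Office formats are held for scanning instead of delivered.
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "wsf", "hta", "lnk"}
MACRO_CAPABLE = {"doc", "dot", "xls", "xlt", "docm", "xlsm", "pptm"}


def classify_filename(name: str) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment name.

    Every extension is inspected, not only the last one, so a double extension such as
    'photo.jpg.exe' is still treated as an executable.
    """
    parts = name.lower().rsplit(".", 2)
    exts = set(parts[1:])
    if exts & BLOCKED_EXTENSIONS:
        return "block"
    if exts & MACRO_CAPABLE:
        return "quarantine"
    return "allow"


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw RFC 5322 message and return (filename, verdict) for each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results.append((name, classify_filename(name)))
    return results


def gateway_verdict(raw: bytes) -> str:
    """Whole-message decision: a single blocked attachment rejects the message."""
    verdicts = [v for _, v in scan_message(raw)]
    if "block" in verdicts:
        return "reject"
    if "quarantine" in verdicts:
        return "quarantine"
    return "deliver"


def build_sample() -> bytes:
    """Constructed test message: a macro-capable .doc plus a double-extension executable."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "Quarterly numbers"
    m.set_content("The attached list is confidential.")
    m.add_attachment(b"\xd0\xcf\x11\xe0" + b"\0" * 12, maintype="application",
                     subtype="msword", filename="list.doc")
    m.add_attachment(b"MZ" + b"\0" * 14, maintype="application",
                     subtype="octet-stream", filename="photo.jpg.exe")
    return bytes(m)


if __name__ == "__main__":
    sample = build_sample()
    for filename, verdict in scan_message(sample):
        print(f"{filename:20s} {verdict}")
    print("gateway:", gateway_verdict(sample))
```

Filtering on names alone is only the first layer: a real gateway also checks the declared MIME type against the file's magic bytes, since a sender controls both the name and the Content-Type header.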
Part 3: TCP/IP hacking

Special IP addresses
• As source and destination address
  – Loopback interface: 127.x.x.x (usually 127.0.0.1)
• As source address
  – netid = 0, hostid = 0 or hostid = xxx: "this host on this net" (used in special cases such as booting procedures)
• As destination address
  – All bits set to 1: limited (local) broadcast
  – netid + hostid with all host bits set to 1: net-directed broadcast to netid
• Reserved private addresses (RFC 1597, now RFC 1918):
  – 10.0.0.0 - 10.255.255.255
  – 172.16.0.0 - 172.31.255.255
  – 192.168.0.0 - 192.168.255.255

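These special addresses are exactly what a border router's anti-spoofing filter keys on. The following is an added example (not from the slides) of an ingress/egress check in the style of RFC 2827 (BCP 38): a packet arriving from the Internet must not carry a loopback, private, "this host" or broadcast source, nor one of our own prefixes, and a packet leaving must carry one of ours; directed broadcasts are dropped as well, which is the RFC 2644 default that removes smurf amplifiers. The local prefix `203.0.113.0/24` and the test addresses are documentation ranges chosen for the example.

```python
import ipaddress
from typing import Iterable

# Blocks that must never appear as the source of a packet arriving from the Internet:
# "this host", RFC 1918 private space, loopback, link-local and limited broadcast.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "255.255.255.255/32")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def ingress_verdict(src: str, dst: str, arrived_from_internet: bool,
                    local_nets: Iterable[str]) -> str:
    """BCP 38 style decision for a border router: 'forward' or a drop reason."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(n) for n in local_nets]
    if arrived_from_internet:
        if any(s in b for b in BOGON_SOURCES):
            return "drop: bogon source"
        if any(s in n for n in nets):
            return "drop: spoofed internal source"   # our own prefix cannot come from outside
    elif not any(s in n for n in nets):
        return "drop: egress source not ours"        # stops our hosts spoofing other sites
    if d == LIMITED_BROADCAST or any(d == n.broadcast_address for n in nets):
        return "drop: directed broadcast"            # would make us a smurf amplifier
    return "forward"


if __name__ == "__main__":
    ours = ["203.0.113.0/24"]
    for pkt in (("10.1.2.3", "203.0.113.5", True), ("203.0.113.9", "203.0.113.5", True),
                ("198.51.100.7", "203.0.113.255", True), ("198.51.100.7", "203.0.113.5", True),
                ("10.0.0.1", "198.51.100.7", False)):
        print(pkt, "->", ingress_verdict(*pkt, ours))
```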
Local area network attacks
• A number of kinds of attack are possible on a LAN:
  – Sniffing
  – Spoofing
  – Hijacking
  – ARP attacks
  – RARP attacks

Why sniff?
• Many protocols (TELNET, FTP, POP, HTTP) transfer authentication information in the clear.
• By sniffing the traffic it is possible to collect usernames/passwords, files, mail, etc.

Why spoof?
• IP spoofing is used to impersonate sources of security-critical information (e.g. a DNS server or a NIS (Network Information Service) server).
• IP spoofing is used to exploit address-based authentication.

Hijacking
• Sniffing/spoofing is the basis for hijacking.
• The attacker waits for a client request.
• The attacker races against the legitimate host to produce the reply.
• ARP-, UDP- and TCP-based variations of this attack exist.

Detecting sniffers on your network
• Sniffers are typically passive programs.
• They put the network interface in promiscuous mode and listen for traffic.
• On the sniffing host itself they can be detected by programs such as ifconfig (or ip link), which display the PROMISC flag:
    eth0 Link encap:Ethernet HWaddr 00:10:4B:E2:F6:4C
    inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
    RX packets:1016 errors:0 dropped:0 overruns:0 frame:0
    TX packets:209 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
• Caveat: a rootkit can replace ifconfig to hide the flag, and a passive sniffer on another host is invisible to this check.

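An added example (not part of the slides) of the check above done from a script: it extracts the interfaces flagged PROMISC from ifconfig output in both the old `Link encap` layout shown on the slide and the newer `flags=...<...>` layout, and decodes the raw flags word that Linux exposes in `/sys/class/net/<if>/flags` (IFF_PROMISC is bit 0x100). The sample outputs are constructed, with the slide's eth0 block as the first one.

```python
import re
from typing import List

IFF_PROMISC = 0x100   # bit Linux sets in an interface's flags word when it is promiscuous

# Constructed sample: the interface from the slide plus a second, non-promiscuous one.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:10:4B:E2:F6:4C
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1016 errors:0 dropped:0 overruns:0 frame:0
          TX packets:209 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100

eth1      Link encap:Ethernet  HWaddr 00:10:4B:E2:F6:4D
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

# The same information in the newer ifconfig / "ip link" style, flags on the header line.
SAMPLE_IFCONFIG_NEW = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""

_IFACE_HEADER = re.compile(r"^([A-Za-z0-9@._-]+):?\s+(?:Link encap|flags=)")


def promisc_interfaces(ifconfig_text: str) -> List[str]:
    """Names of interfaces whose flag line (old or new ifconfig layout) carries PROMISC."""
    found, current = [], None
    for line in ifconfig_text.splitlines():
        m = _IFACE_HEADER.match(line)
        if m:
            current = m.group(1)           # header line starts a new interface block
        if current and re.search(r"\bPROMISC\b", line) and current not in found:
            found.append(current)
    return found


def is_promisc_flags(flags_word: str) -> bool:
    """Decode the hex word read from /sys/class/net/<if>/flags, e.g. '0x1103'."""
    return bool(int(flags_word, 16) & IFF_PROMISC)


if __name__ == "__main__":
    print("old layout:", promisc_interfaces(SAMPLE_IFCONFIG))
    print("new layout:", promisc_interfaces(SAMPLE_IFCONFIG_NEW))
    print("0x1103 promiscuous:", is_promisc_flags("0x1103"))
```

Reading the sysfs flags word bypasses a trojaned ifconfig binary, but not a kernel-level rootkit; for that, compare against an out-of-band baseline or look for the side effects a sniffing host produces on the wire.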
Attacks on ARP
• ARP does not provide any means of authentication.
• By racing against the queried host it is possible to provide a false IP address/link-level address mapping.
• Fake ARP queries can also be used to store wrong ARP mappings in a host's cache.
• In both cases the net effect is the redirection of traffic to the attacker (at least for the lifetime of the cache entry).
• Used in denial-of-service and spoofing attacks.

Attacks on ARP (figure)

Attacks on ARP (2)
• Since ARP is "stateless", it is possible to provide a fake reply even if no request has been sent; most hosts simply update their cache.

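The two previous slides, as an added example that is not part of the original deck: an RFC 826 ARP reply is packed and parsed with `struct`, a naive host cache accepts any reply (solicited or not) just as the slide describes, and an arpwatch-style monitor pins the first MAC seen per IP and reports the change when a forged reply arrives. The addresses are those of the `arp -n` listing later in the deck (MACs lower-cased); the forged reply claims the gateway's IP with the MAC of 192.168.1.100.

```python
import struct
from typing import Dict, List, Tuple

ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """28-byte Ethernet/IPv4 ARP reply (RFC 826): htype=1, ptype=0x0800, hlen=6, plen=4, op=2."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


def parse_arp(pkt: bytes) -> Dict[str, object]:
    if len(pkt) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op,
            "sender_mac": fmt_mac(pkt[8:14]), "sender_ip": fmt_ip(pkt[14:18]),
            "target_mac": fmt_mac(pkt[18:24]), "target_ip": fmt_ip(pkt[24:28])}


class ArpCache:
    """A host cache as the slide describes it: stateless, so any reply updates the mapping,
    whether or not the host ever sent a request for it."""
    def __init__(self):
        self.table: Dict[str, str] = {}

    def on_packet(self, pkt: bytes) -> None:
        p = parse_arp(pkt)
        if p["op"] == ARP_REPLY:
            self.table[p["sender_ip"]] = p["sender_mac"]


class ArpWatch:
    """arpwatch-style monitor: pins the first MAC seen for each IP and records every change."""
    def __init__(self):
        self.known: Dict[str, str] = {}
        self.alerts: List[Tuple[str, str, str]] = []

    def on_packet(self, pkt: bytes) -> None:
        p = parse_arp(pkt)
        ip, mac = p["sender_ip"], p["sender_mac"]
        old = self.known.get(ip)
        if old is None:
            self.known[ip] = mac
        elif old != mac:
            self.alerts.append((ip, old, mac))   # changed mapping: possible poisoning


# Addresses taken from the arp -n listing later in the deck (MACs lower-cased).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:20:78:ca:7e:ae"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:01:03:1d:98:b8"
ATTACKER_MAC = "08:00:46:07:04:a3"            # 192.168.1.100 in that listing


def demo() -> Tuple[str, List[Tuple[str, str, str]]]:
    """A legitimate reply, then an unsolicited forged one. Returns the MAC the victim now
    holds for the gateway and the alerts the monitor raised."""
    legit = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    forged = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    cache, watch = ArpCache(), ArpWatch()
    for pkt in (legit, forged):
        cache.on_packet(pkt)
        watch.on_packet(pkt)
    return cache.table[GATEWAY_IP], watch.alerts


if __name__ == "__main__":
    cached, alerts = demo()
    print("victim now sends gateway traffic to", cached)
    for ip, old, new in alerts:
        print(f"ALERT {ip}: {old} -> {new}")
```

The monitor only tells you after the fact; the preventive equivalents are static ARP entries for the gateway on critical hosts and dynamic ARP inspection on managed switches.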
Attacks on RARP
• RARP, like ARP, does not provide any authentication mechanism.
• An attacker can race against the legitimate servers, sending fake replies.
• By doing this, an attacker can assign the IP address of an existing host to a particular diskless workstation, cutting the victim host out of the traffic.

Sniffing in switched Ethernet
• Switched Ethernet does not allow direct sniffing: a port only sees traffic addressed to its MAC.
• ARP spoofing with forwarding can be used to bypass this protection.
• MAC flooding
  – Switches maintain a table of MAC address/port mappings.
  – Flooding the switch with frames from bogus MAC addresses fills the table; for addresses it can no longer learn, the switch falls back from "switch" to "hub" behavior and floods frames to all ports.

Routing: indirect delivery
• If two hosts are on different physical networks, the IP datagram is encapsulated in a lower-level protocol and delivered to the directly connected gateway.
• The gateway decides the next step in the delivery process.
• This step is repeated until a gateway on the same physical subnetwork as the destination host is reached.
• Then direct delivery is used.

Routing (figure)

Non-blind spoofing (NBS)
• Non-blind spoofing: using spoofing to interfere with a connection that sends packets along your subnet (so generally one of the two hosts involved is located on your subnet, or all the traffic has to pass through your network device; otherwise you might consider taking a job at some transatlantic route provider).
• The concept of non-blind spoofing is pretty simple. Because the packets travel within your reach, you can read the current sequence and acknowledgement (SEQ/ACK) numbers of the connection. NBS is thus a very easy and accurate method of attack, but limited to connections passing through your subnet. Spoofing documentation sometimes omits these attacks, either because they are mostly denial-of-service attacks, or because people do not realize the advantage a spoof (in particular a hijack) has over simple password sniffing.

Blind spoofing (BlS)
• Blind spoofing: using spoofing to interfere with a connection (or to create one) that does not send packets along your cable, so the sequence numbers have to be guessed.
• Spoofing in general is referred to as a very high-level attack. This refers to blind spoofing, because NBS is kid stuff for a competent coder.

Blind IP spoofing
• A host sends an IP datagram with the address of some other host as the source address.
• The destination replies to the host whose address was used, not to the attacker.
• Usually the attacker does not have access to the reply traffic.

Man-in-the-middle attacks
• An attacker that controls a gateway used in the delivery process can:
  – Sniff the traffic
  – Intercept/block traffic
  – Modify traffic

Types of routing
• Source routing
  – The originator of a datagram determines the route to follow before sending the datagram (IP source routing option).
• Hop-by-hop routing
  – The delivery route is determined by the gateways that participate in the delivery process.

Attacks using source routing
• The IP source routing option can be used to specify the route to be used in the delivery process, independent of the "normal" delivery mechanisms.
• Using source routing a host can force the traffic through specific routes that give it access to the traffic (sniffing or man-in-the-middle attacks).
• If the reverse route is used to reply to the traffic, a host can easily impersonate another host that has some kind of privileged relationship with the destination of the datagram (a trust relationship).
• Countermeasure: drop source-routed datagrams at the border and on hosts; most current systems do so by default.

Routing protocols
• Dynamic routing is performed by a number of protocols organized hierarchically, with different scopes and characteristics.
• Routing protocols distribute information about delivery routes.
• Exterior Gateway Protocols (EGPs) are used to distribute routing information between different autonomous systems
  – e.g. EGP, Border Gateway Protocol (BGP)
• Interior Gateway Protocols (IGPs) are used to distribute routing information inside an autonomous system
  – e.g. Routing Information Protocol (RIP), Open Shortest Path First (OSPF)

Routing protocols (figure)

Routing Information Protocol
• Uses UDP to transport messages (port 520).
• RIPv1 has no knowledge of subnet addressing (classful).
• RIPv1 provides NO authentication mechanism.
• RIPv2 uses a cleartext password (RFC 2082 adds keyed-MD5 authentication, which should be used instead).
• Routers broadcast RIP messages every 30 seconds.
  – Each message contains one or more (up to 25) advertisements of routes to particular destinations.
  – Each advertisement is associated with a metric: the hop count.
    • The hop count is 1 for directly attached networks.
    • The hop count is limited to 15 hops (inside an autonomous system); 16 means unreachable.
• When several paths are possible, the one with the smallest hop count is used.

RIP attacks
• A host can send spoofed RIP packets and "inject" routes into a router (IP/UDP spoofing is easy!).
• A route with a smaller hop count will be used instead of the legitimate one.
• This attack can be used for:
  – Hijacking
  – Denial of service (advertising a metric of 16 withdraws a route)
• On a LAN, RIPv2 cleartext passwords can be sniffed and reused in the attack.

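An added example (not from the slides) that works through both RIP attacks with real message bytes: a RIPv2 response (RFC 2453 layout: command, version, then 20-byte entries of AFI, route tag, address, mask, next hop, metric) is built and parsed, and a minimal router applies the RFC 2453 update rule the slide relies on, namely that an advertisement is installed when its metric plus one beats the current route, and that a changed metric from the current next hop is adopted too, which is why a spoofed metric of 16 deletes the route. The `trusted_neighbors` list is an assumed stand-in for authentication or neighbor filtering; the addresses reuse the deck's 192.168.1.x LAN, with 192.168.1.100 as the attacker.

```python
import struct
from typing import Dict, List, Optional, Tuple

RIP_RESPONSE = 2
RIP_INFINITY = 16
HDR = struct.Struct("!BBH")            # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")    # AFI, route tag, address, mask, next hop, metric


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_rip_response(routes: List[Tuple[str, str, int]], version: int = 2) -> bytes:
    """RIP response carrying (destination, mask, metric) entries; at most 25 fit in one message."""
    body = HDR.pack(RIP_RESPONSE, version, 0)
    for dest, mask, metric in routes[:25]:
        body += ENTRY.pack(2, 0, ip_bytes(dest), ip_bytes(mask), b"\0" * 4, metric)
    return body


def parse_rip(pkt: bytes) -> Tuple[int, int, List[dict]]:
    cmd, ver, _ = HDR.unpack_from(pkt, 0)
    entries = []
    for off in range(HDR.size, len(pkt) - ENTRY.size + 1, ENTRY.size):
        afi, tag, dest, mask, nh, metric = ENTRY.unpack_from(pkt, off)
        entries.append({"dest": ip_str(dest), "mask": ip_str(mask), "metric": metric})
    return cmd, ver, entries


class RipRouter:
    """Listener applying the RFC 2453 update rules: advertised metric + 1 is installed when it
    beats the current route; a new metric from the current next hop is adopted even if worse,
    and a metric of 16 (infinity) deletes the route."""
    def __init__(self, trusted_neighbors: Optional[List[str]] = None):
        self.routes: Dict[str, Tuple[str, int]] = {}   # dest -> (next hop, metric)
        self.trusted = set(trusted_neighbors or [])

    def process(self, src_ip: str, pkt: bytes) -> None:
        cmd, ver, entries = parse_rip(pkt)
        if cmd != RIP_RESPONSE:
            return
        if self.trusted and src_ip not in self.trusted:
            return                                    # assumed mitigation: unknown sender ignored
        for e in entries:
            metric = min(e["metric"] + 1, RIP_INFINITY)
            cur = self.routes.get(e["dest"])
            if cur is None or metric < cur[1] or cur[0] == src_ip:
                if metric >= RIP_INFINITY:
                    self.routes.pop(e["dest"], None)   # unreachable: delete the route
                else:
                    self.routes[e["dest"]] = (src_ip, metric)


LEGIT_ROUTER, ATTACKER = "192.168.1.1", "192.168.1.100"   # the deck's LAN example addresses


def demo(enforce_trust: bool) -> List[Optional[Tuple[str, int]]]:
    """Route to 10.0.0.0/8 after each of: legitimate advert (3 hops), spoofed advert (1 hop),
    spoofed withdrawal (metric 16). Returns the three snapshots as (next hop, metric)."""
    r = RipRouter([LEGIT_ROUTER] if enforce_trust else None)
    snapshots = []
    for src, metric in ((LEGIT_ROUTER, 3), (ATTACKER, 1), (ATTACKER, RIP_INFINITY)):
        r.process(src, build_rip_response([("10.0.0.0", "255.0.0.0", metric)]))
        snapshots.append(r.routes.get("10.0.0.0"))
    return snapshots


if __name__ == "__main__":
    print("no filtering:  ", demo(False))   # hijacked, then deleted
    print("trusted only:  ", demo(True))    # unchanged
```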
Fragmentation
• When a datagram is encapsulated in a lower-level protocol (e.g. Ethernet) it may be necessary to split the datagram into smaller portions.
• This happens when the datagram size is bigger than the data link layer MTU (Maximum Transmission Unit).
• Fragmentation can be performed at the source host or at an intermediate step in datagram delivery.
• If the datagram has the "don't fragment" flag set, an ICMP error message is sent back to the originator instead.

Fragmentation (IP datagram) (figure)

Fragmentation
• If the datagram can be fragmented:
  – The header is copied into each fragment.
    • In particular, the "datagram id" is copied into each fragment.
  – The "more fragments" flag is set in every fragment except the last.
  – The "fragment offset" field contains the position of the fragment with respect to the original datagram, expressed in 8-byte units.
  – The "total length" field is changed to match the size of the fragment.
• Each fragment is then delivered as a separate datagram.
• If one fragment is lost, the entire datagram is discarded after a timeout.

Fragmentation attacks:
Ping of Death
• The offset of the last fragment is such that the total size of the reassembled datagram is bigger than the maximum allowed size (65535 bytes): a static kernel buffer is overflowed, causing a kernel panic.

Ping of Death
23:01:06.266646 < 128.111.48.69 > 128.111.48.70: icmp: echo request (frag 4321:1480@0+)
23:01:06.421261 < 128.111.48.69 > 128.111.48.70: (frag 4321:1480@1480+)
23:01:06.575953 < 128.111.48.69 > 128.111.48.70: (frag 4321:1480@2960+)
23:01:06.730065 < 128.111.48.69 > 128.111.48.70: (frag 4321:1480@4440+)
23:01:06.884625 < 128.111.48.69 > 128.111.48.70: (frag 4321:1480@5920+)
23:01:07.038801 < 128.111.48.69 > 128.111.48.70: (frag 4321:1480@7400+)
23:01:07.193403 < 128.111.48.69 > 128.111.48.70: (frag 4321:1480@8880+)
23:01:07.348185 < 128.111.48.69 > 128.111.48.70: (frag 4321:1480@10360+)
23:01:07.502326 < 128.111.48.69 > 128.111.48.70: (frag 4321:1480@11840+)
[...]
23:01:12.451121 < 128.111.48.69 > 128.111.48.70: (frag 4321:1480@59200+)
23:01:12.605235 < 128.111.48.69 > 128.111.48.70: (frag 4321:1480@60680+)
23:01:12.759927 < 128.111.48.69 > 128.111.48.70: (frag 4321:1480@62160+)
23:01:12.917811 < 128.111.48.69 > 128.111.48.70: (frag 4321:1480@63640+)
23:01:13.090936 < 128.111.48.69 > 128.111.48.70: (frag 4321:398@65120)

Total: 65120 + 398 = 65518 bytes of data + 20 bytes of IP header = 65538 > 65535!
(maximum allowable size: 64K, i.e. 0-65535)

Fragmentation attacks:
Stealth traffic
• Sometimes also called "the tiny fragment attack".
• Firewalls and intrusion detection systems analyze incoming datagrams using the information contained in both the datagram header and the datagram payload (TCP ports, UDP ports, SYN and ACK flags in the TCP header).
• An attacker may use fragmentation to avoid detection: a first fragment so small that it does not contain the TCP flags carries nothing the filter can match on.
  – e.g. some IDSs do not reassemble datagrams

Fragmentation attacks:
The Teardrop attack
• This is also a denial-of-service attack that can cause the victim host to hang, crash or reboot, as the Ping of Death does.
• The Teardrop attack exploits a weakness in the IP reassembly code. It sends UDP fragments with overlapping offset fields; a reassembler that does not validate the offsets against the fragment lengths computes a bad (negative) length and brings down the victim host.

Fragmentation attacks:
The overlapping fragment attack
• Another variation on the Teardrop attack that also uses overlapping fragments, this time to evade a packet filter rather than to crash the host (RFC 1858).
• The datagram is deliberately fragmented by the attacker.
• Some of the fragments are re-sent with different contents so that they overwrite the original contents:
  – The first fragment carries a TCP header that the filter permits (e.g. an allowed destination port, flags that look like an established connection).
  – That fragment is allowed through the filter, and no check is performed on the following ones because they carry no transport header.
  – The attacker then sends a fragment with a non-zero offset (e.g. offset 1, i.e. byte 8) that overwrites the TCP header fields already inspected, such as the flags.
  – When the datagram is reassembled, the host sees the rewritten header, not the one the filter approved. (Since offsets are in 8-byte units, a non-zero offset cannot reach the port fields in bytes 0-3; those can only be rewritten on stacks where a later offset-0 fragment overrides an earlier one.)

Fragmentation attacks:
The unnamed attack
• This attack is yet another variation on the Teardrop attack that attempts to cause a denial of service on the victim host.
• This time the fragments do not overlap but are created in such a way that there is a gap between them.
• This is done by manipulating the offset values so that parts of the datagram are skipped and never arrive.
• Some operating systems behave unreliably when this is done to them.

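An added example, not part of the original slides, that serves the whole fragmentation sequence above: a small analyzer that takes the fragments of one datagram id (offsets in 8-byte units, as in the IP header), walks them in offset order and reports what the reassembler would face: an overlap (Teardrop), an overlap that lands inside the first 16 bytes of the transport header (the RFC 1858 overlapping-fragment case), a hole that will never be filled (the unnamed attack), a first fragment too small to carry the TCP flags (tiny fragment), or a reassembled size above 65535 (Ping of Death). The Ping of Death input is regenerated from the tcpdump capture on the Ping of Death slide (44 fragments of 1480 bytes, then 398 bytes at offset 65120); the other fragment sets are constructed. The parser reads the old tcpdump notation `frag ID:SIZE@OFFSET+`, where `+` is the more-fragments flag and OFFSET is already in bytes.

```python
import re
from typing import Dict, List, Optional, Tuple

MAX_DATAGRAM = 65535   # 16-bit total-length field
IP_HDR = 20            # IP header without options
TCP_FLAGS_END = 16     # bytes of TCP header a filter needs to reach the flags byte (RFC 1858)


class Fragment:
    """One fragment of one datagram. offset_units is the header field, in 8-byte units."""
    def __init__(self, ident: int, offset_units: int, more: bool, length: int):
        self.id, self.more, self.length = ident, more, length
        self.start = offset_units * 8
        self.end = self.start + length      # first byte not covered


def parse_tcpdump_frag(line: str) -> Optional[Fragment]:
    """Parse old-style tcpdump '(frag ID:SIZE@OFFSET+)'; '+' = more fragments, OFFSET in bytes."""
    m = re.search(r"frag (\d+):(\d+)@(\d+)(\+?)", line)
    if m is None:
        return None
    ident, size, offset, mf = m.groups()
    return Fragment(int(ident), int(offset) // 8, mf == "+", int(size))


def analyze(fragments: List[Fragment]) -> List[Tuple[str, int]]:
    """Findings a reassembler would have to cope with for one datagram id."""
    findings: List[Tuple[str, int]] = []
    frags = sorted(fragments, key=lambda f: f.start)
    covered_to = 0                        # bytes [0, covered_to) seen so far
    for f in frags:
        if f.start < covered_to:          # Teardrop / overlapping-fragment family
            findings.append(("overlap", covered_to - f.start))
            if f.start < TCP_FLAGS_END:   # rewrites header bytes a filter already inspected
                findings.append(("header_overlap", f.start))
        elif f.start > covered_to:        # hole that will never be filled (the "unnamed" attack)
            findings.append(("gap", f.start - covered_to))
        covered_to = max(covered_to, f.end)
    first = frags[0]
    if first.start == 0 and first.more and first.length < TCP_FLAGS_END:
        findings.append(("tiny_first", first.length))      # tiny fragment attack
    if any(not f.more for f in frags):    # last fragment present: total size is known
        total = covered_to + IP_HDR
        if total > MAX_DATAGRAM:
            findings.append(("oversize", total))           # Ping of Death
    return findings


def ping_of_death_capture() -> List[str]:
    """Regenerated from the slide's tcpdump: 44 full 1480-byte fragments, then 398 bytes at 65120."""
    lines = [f"(frag 4321:1480@{i * 1480}+)" for i in range(44)]
    lines.append("(frag 4321:398@65120)")
    return lines


def constructed_cases() -> Dict[str, List[Fragment]]:
    """Hand-built fragment sets for the attacks on these slides (offsets in 8-byte units)."""
    return {
        "ping_of_death": [parse_tcpdump_frag(l) for l in ping_of_death_capture()],
        "teardrop": [Fragment(1, 0, True, 36), Fragment(1, 3, False, 20)],        # 24..44 overlaps 0..36
        "overlap_header": [Fragment(2, 0, True, 16), Fragment(2, 1, True, 8),    # FO=1 rewrites bytes 8..16
                           Fragment(2, 2, False, 100)],
        "gap": [Fragment(3, 0, True, 16), Fragment(3, 4, False, 8)],             # bytes 16..32 never arrive
        "tiny_first": [Fragment(4, 0, True, 8), Fragment(4, 1, False, 32)],      # flags not in first fragment
    }


if __name__ == "__main__":
    for name, frags in constructed_cases().items():
        print(f"{name:15s} {analyze(frags)}")
```

RFC 1858's filtering rules fall out of the same two checks: drop a first fragment of a TCP datagram shorter than 16 bytes, and drop any fragment with offset 1, since a legitimate sender has no reason to produce either.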
ICMP Echo Request / Reply
• Used by the ping program

  # ping 192.168.1.1
  PING 192.168.1.1 (192.168.1.1) from 192.168.1.100 : 56(84) bytes of data.
  64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=1.049 msec
  64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=660 usec
  64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=597 usec
  64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=548 usec
  64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=601 usec
  64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=592 usec
  64 bytes from 192.168.1.1: icmp_seq=6 ttl=64 time=547 usec
  --- 192.168.1.1 ping statistics ---
  7 packets transmitted, 7 packets received, 0% packet loss
  round-trip min/avg/max/mdev = 0.547/0.656/1.049/0.165 ms

ICMP Echo attacks
• ICMP Echo Request messages can be used to map the hosts of a network (ping scan or IP sweep).
• ICMP Echo datagrams are sent to all the hosts in a subnetwork.
• The attacker collects the replies and determines which hosts are actually alive:
    Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Host cisco-sales.ns.com (195.121.31.11) appears to be up.
    Host sales1.ns.com (195.121.31.19) appears to be up.
    Host sales4.ns.com (195.121.31.22) appears to be up.
    Host sales2.ns.com (195.121.31.43) appears to be up.
    Host sales3.ns.com (195.121.31.181) appears to be up.
    Nmap run completed -- 256 IP addresses (5 hosts up) scanned in 1 second
• ICMP Echo Requests can also be used to perform a denial-of-service attack (smurf).

ICMP attack: Smurf
• The infamous Smurf attack: ICMP echo requests are sent to a network broadcast address with a spoofed source address, that of the victim. Every host on that network answers, so the victim receives several (potentially thousands of) replies, tying up the victim's network resources.
• Countermeasures: routers must not forward directed broadcasts (RFC 2644 made this the default), and hosts should not answer echo requests sent to a broadcast address.

ICMP Redirect attacks
• ICMP Redirect messages can be used to re-route traffic along specific routes or to a specific host that is not a router at all.
• The attack is performed by sending the host a spoofed ICMP Redirect message that appears to come from the host's default gateway.
• The attack can be used to:
  – Hijack traffic
  – Perform a denial-of-service attack
• Countermeasure: configure hosts to ignore redirects (Linux: net.ipv4.conf.all.accept_redirects = 0); on a network with a single gateway they serve no purpose.

ICMP Redirect attacks
# arp -n
Address            HWtype   HWaddress
192.168.1.1        ether    00:20:78:CA:7E:AE
192.168.1.10       ether    00:01:03:1D:98:B8
192.168.1.100      ether    08:00:46:07:04:A3

C:\WINDOWS>route PRINT
Active Routes:
Network Address    Netmask           Gateway Address   Interface      Metric
0.0.0.0            0.0.0.0           192.168.1.1       192.168.1.10   1
127.0.0.0          255.0.0.0         127.0.0.1         127.0.0.1      1
192.168.1.0        255.255.255.0     192.168.1.10      192.168.1.10   1
192.168.1.10       255.255.255.255   127.0.0.1         127.0.0.1      1
192.168.1.255      255.255.255.255   192.168.1.10      192.168.1.10   1

# tcpdump -n
8:0:46:7:4:a3 0:1:3:1d:98:b8 0800 70: 192.168.1.1 > 192.168.1.10:
icmp: redirect 128.111.48.69 to host 192.168.1.100

Note the frame's source MAC: 08:00:46:07:04:A3 belongs to 192.168.1.100 (the attacker), while the IP source address claims to be the gateway 192.168.1.1.

ICMP Redirect attacks
C:\WINDOWS>route PRINT
Active Routes:
Network Address    Netmask           Gateway Address   Interface      Metric
0.0.0.0            0.0.0.0           192.168.1.1       192.168.1.10   1
127.0.0.0          255.0.0.0         127.0.0.1         127.0.0.1      1
128.111.48.69      255.255.255.255   192.168.1.100     192.168.1.10   1
192.168.1.0        255.255.255.0     192.168.1.10      192.168.1.10   1
192.168.1.10       255.255.255.255   127.0.0.1         127.0.0.1      1
192.168.1.255      255.255.255.255   192.168.1.10      192.168.1.10   1

C:\WINDOWS>ping 128.111.48.69
0:1:3:1d:98:b8 8:0:46:7:4:a3 0800 74: 192.168.1.10 > 128.111.48.69:
icmp: echo request
0:1:3:1d:98:b8 8:0:46:7:4:a3 0800 74: 192.168.1.10 > 128.111.48.69:
icmp: echo request
...

The victim now has a host route for 128.111.48.69 via 192.168.1.100, so its echo requests to that host are sent to the attacker's MAC (8:0:46:7:4:a3) instead of the gateway's.

ICMP Destination Unreachable
• ICMP message used by gateways (and hosts) to state that the datagram cannot be delivered.
• Many subtypes:
  – Network unreachable
  – Host unreachable
  – Protocol unreachable
  – Port unreachable
  – Fragmentation needed but don't-fragment bit set
  – Destination host unknown
  – Destination network unknown
  – ...

Destination Unreachable attacks
• Forged Destination Unreachable messages can cut nodes out of the network (denial of service): a host that believes the error tears down or refuses the affected connections.

ICMP Time Exceeded
• Used when:
  – the TTL reaches zero (code = 0)
  – the reassembly of a fragmented datagram times out (code = 1)

Traceroute
• ICMP Time Exceeded messages are used by the traceroute program to determine the path used to deliver a datagram.
• A series of IP datagrams is sent to the destination node.
• Each datagram has an increasing TTL field (starting at 1).
• From the ICMP Time Exceeded messages returned by the intermediate gateways it is possible to reconstruct the route from the source to the destination.
• Note: traceroute allows one to specify loose source routing (-g option).
• The tool is immensely useful (topology mapping).

Traceroute
traceroute to res-server.ns.com (195.121.32.42), 30 hops max, 38 byte packets
 1  csworld48 (128.111.48.2)  1.077 ms  0.827 ms  1.051 ms
 2  engr-gw-lo.ucsb.edu (128.111.51.1)  1.479 ms  0.855 ms  1.222 ms
 3  border1.ucsb.edu (128.111.1.83)  1.224 ms  1.375 ms  1.222 ms
 4  gsr-g-1-0.commserv.ucsb.edu (128.111.252.150)  1.357 ms  1.383 ms  1.642 ms
 5  USC--ucsb.ATM.calren2.net (198.32.248.73)  3.876 ms  4.493 ms  3.913 ms
 6  ISI--USC.POS.calren2.net (198.32.248.26)  4.401 ms  4.533 ms  4.261 ms
 7  UCLA--ISI.POS.calren2.net (198.32.248.30)  4.933 ms  4.897 ms  5.002 ms
 8  UCLA-7507--UCLA.POS.calren2.net (198.32.248.118)  5.429 ms  5.530 ms  5.384 ms
 9  corerouter2-serial6-0-0.Bloomington.cw.net (166.63.131.129)  8.562 ms  8.244 ms  7.857 ms
10  corerouter1.SanFrancisco.cw.net (204.70.9.131)  17.563 ms  17.861 ms  17.941 ms
11  bordercore1.SanFrancisco.cw.net (166.48.12.1)  18.108 ms  18.269 ms  17.945 ms
12  frontier-comm.SanFrancisco.cw.net (166.48.13.242)  19.164 ms  18.749 ms  20.472 ms
13  pos4-1-155M.cr2.SNV.gblx.net (206.132.150.233)  19.664 ms  18.666 ms  18.503 ms
14  cisco-ns.ns.com (195.121.39.51)  19.481 ms  18.014 ms  20.472 ms
15  res-server.ns.com (195.121.32.42)  20.401 ms  20.962 ms  19.641 ms

UDP spoofing
• Basically IP spoofing: UDP has no handshake or sequence numbers, so a forged source address is all it takes.
• Very easy to perform.

UDP hijacking
• A variation of the UDP spoofing attack: the attacker races the legitimate server to answer a client's request with a forged reply.

UDP storms
• A spoofed UDP datagram is sent to the echo service (port 7).
• Its source port is set to the chargen service (port 19) of another host.
• The reply of the echo service is interpreted as a request by the chargen service.
• The reply of the chargen service is interpreted as a request by the echo service.
• ... and the two hosts keep the loop going on their own.
• The same attack can be carried out using two echo services.
• Countermeasure: disable the inetd "small services" (echo, chargen, daytime, discard) and filter their ports at the border.

Part 4: Measures to mitigate attacks

Types of malicious code
Other attacks
Countermeasures: anti-virus, scanners, applying patches, user awareness education

Malicious code
• Virus:
  – A program that searches out other programs and infects them by embedding a copy of itself. When the infected program executes, the embedded virus is executed, which propagates the infection.
• Worm:
  – Worms reproduce on their own with no need for a host application; they are self-contained programs.
• Logic bomb:
  – Executes a program, or a string of code, when a certain event happens.
• Trojan horse:
  – A program disguised as another program.

Other Attacks
▪ DoS / Denial of Service:
   – An attack that consumes the victim's bandwidth or resources,
     causing the system to crash or stop processing other packets.
▪ Smurf:
   – Requires three players: the attacker, the victim and the amplifying
     network.
   – The attacker spoofs (changes) the source IP address in the packet
     header to make an ICMP ECHO packet seem as though it
     originated at the victim's system. This ICMP ECHO message is
     broadcast to the amplifying network, which replies to the
     message in full force. The victim's system and the victim's network
     are overwhelmed.

Other Attacks (cont'd)
▪ Fraggle:
   – Uses UDP as its weapon of choice. The attacker broadcasts a
     spoofed UDP packet to the amplifying network, which in turn
     replies to the victim's system.
▪ SYN Flood:
   – Continually sends the victim SYN messages in spoofed
     packets. The victim commits the resources needed to set up
     each communication socket and sends its SYN/ACK message,
     waiting for the ACK message in return.
▪ Teardrop:
   – An attacker sends very small packets that cause a system
     to freeze or reboot. Caused by the fact that some systems make
     sure that packets are not too large, but do not check whether a
     packet is too small.

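The UDP storm (echo/chargen loop), Smurf and Fraggle patterns described above share one amplifier-side signature: well-known echo/chargen ports and directed-broadcast destinations. As an added example that is not part of the original slides, the Python below builds constructed IPv4/UDP/ICMP headers and labels each packet the way an amplifier network's filter would; the 192.0.2.0/24 subnet and all sample addresses are assumptions (RFC 5737 documentation ranges).

```python
import ipaddress
import struct

# Assumption: the amplifier-side subnet we defend (constructed RFC 5737 range).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ECHO, CHARGEN = 7, 19                 # UDP services abused by UDP storms and Fraggle
PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_ECHO_REQUEST = 8

def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) for constructed samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload
def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
def build_icmp_echo_request(ident=1, seq=1):
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of our own subnets."""
    return any(dst == net.broadcast_address for net in LOCAL_NETS)

def classify(pkt):
    """Label one raw IPv4 packet as 'smurf', 'fraggle', 'udp-storm' or 'ok'."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, dst, payload = pkt[9], ipaddress.ip_address(pkt[16:20]), pkt[ihl:]
    if proto == PROTO_ICMP:
        # Smurf: ICMP echo request aimed at our directed-broadcast address
        if payload[0] == ICMP_ECHO_REQUEST and is_directed_broadcast(dst):
            return "smurf"
    elif proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        # Fraggle: UDP to echo/chargen at our directed-broadcast address
        if dport in (ECHO, CHARGEN) and is_directed_broadcast(dst):
            return "fraggle"
        # UDP storm: echo<->chargen (or echo<->echo) traffic between two services
        if sport in (ECHO, CHARGEN) and dport in (ECHO, CHARGEN):
            return "udp-storm"
    return "ok"

def demo():
    """Constructed sample packets, not captured traffic."""
    samples = {
        "storm": build_ipv4(PROTO_UDP, "198.51.100.5", "198.51.100.6", build_udp(CHARGEN, ECHO)),
        "fraggle": build_ipv4(PROTO_UDP, "203.0.113.9", "192.0.2.255", build_udp(ECHO, ECHO)),
        "smurf": build_ipv4(PROTO_ICMP, "203.0.113.9", "192.0.2.255", build_icmp_echo_request()),
        "dns": build_ipv4(PROTO_UDP, "198.51.100.5", "198.51.100.7", build_udp(53000, 53)),
        "ping": build_ipv4(PROTO_ICMP, "198.51.100.5", "192.0.2.10", build_icmp_echo_request()),
    }
    return {name: classify(pkt) for name, pkt in samples.items()}
```

The corresponding fix on the amplifier side is to disable echo/chargen and drop directed broadcasts at the border; the classifier above is the check you would run on traffic to confirm the filters hold.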
Other Attacks (cont'd)
▪ DDoS / Distributed Denial of Service:
  – A logical extension of the DoS.
  – The attacker creates master controllers that in turn
    control slave / zombie machines.
▪ DNS DoS Attacks:
  – A record at a DNS server is replaced with a new record
    pointing at a fake/false IP address.
▪ Cache poisoning:
  – The attacker inserts data into the cache of the server
    instead of replacing the actual records.

Methods of detecting malicious code
▪ Anti-virus software
   – regularly scans the system looking for known signatures
   – update anti-virus software as frequently as possible
   – anti-virus vendors can update signatures within hours after
     a new virus has been detected
   – recent approach: heuristic method
        • flags code that behaves like malware (such as unreasonable access)
▪ Application programs such as personal firewall, scanner or
  sniffer give alarms (or display logs) on:
   – file size increase
   – many unexpected disk accesses
   – changes in update or modified timestamps
   – broadcast / multicast storm
   – important factor: alarm threshold
        • false triggers cause unnecessary panic
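The file-size and timestamp indicators listed above are exactly what a simple integrity baseline checks for. As an added example that is not the slides' code, the Python below fingerprints a directory, reports every deviation from the baseline and applies an alarm threshold; the temporary directory, file names and appended "virus body" are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def fingerprint(path):
    """Size, modification time (whole seconds) and SHA-256 of one file."""
    st = path.stat()
    return st.st_size, int(st.st_mtime), hashlib.sha256(path.read_bytes()).hexdigest()

def baseline(root):
    """Map every file under root (by relative path) to its fingerprint."""
    root = Path(root)
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(before, after):
    """List (path, reason) for every deviation from the baseline."""
    findings = []
    for rel, (size, mtime, digest) in after.items():
        if rel not in before:
            findings.append((rel, "new file"))
            continue
        old_size, old_mtime, old_digest = before[rel]
        if digest != old_digest:
            reason = "content changed"
            if size > old_size:                 # classic file-infector symptom
                reason += ", size grew by %d bytes" % (size - old_size)
            findings.append((rel, reason))
        elif mtime != old_mtime:
            findings.append((rel, "timestamp changed, content identical"))
    for rel in sorted(before.keys() - after.keys()):
        findings.append((rel, "deleted"))
    return findings

def alarm(findings, threshold):
    """Alarm only once findings reach the threshold, so one stray change does not cause panic."""
    return len(findings) >= threshold

def demo():
    """Constructed scenario: baseline three files, then simulate an infected executable."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("a.exe", "b.exe", "c.dll"):
            (root / name).write_bytes(b"MZ" + name.encode() * 8)
        before = baseline(root)
        with (root / "a.exe").open("ab") as f:          # infector appends its body
            f.write(b"CONSTRUCTED-VIRUS-BODY" * 4)      # 88 bytes
        os.utime(root / "c.dll", (2_000_000_000, 2_000_000_000))  # metadata-only change
        return compare(before, baseline(root))
```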
Methods to secure against malicious code
▪ Cover security holes in the web browser
   – web surfing is a high-risk activity
   – configure the web browser to block executable content
       • avoid active scripting, JavaScript, ActiveX, Java etc.
▪ Cover security holes in the operating system and other
  application programs
   – apply patches
▪ User awareness and education
   – a new virus cannot be detected by anti-virus software
   – the vigilance of users (and administrators) is the best approach
▪ Information Security Management System
   – a systematic, documented system that addresses ALL issues concerning
     the CIA (confidentiality, integrity, availability) of information
Summary
▪ Type of threats: structured and unstructured
▪ Source of threats: internal and external
▪ Type of hackers
   – hacker, cracker and script kiddie
   – white hat, black hat, grey hat
▪ Reconnaissance:
   – Passive: sniffing
   – Active: port-scanning
▪ Ways to exploit the system
   – Gaining access
   – Elevation of privileges
   – Denial of service

Summary (2)
▪ TCP/IP Hacking
  – Sniffing, Spoofing, Hijacking, ARP attacks,
    RARP attacks
▪ Malicious Code: Virus, Worm, Logic bomb
  and Trojan horse

Computer Security Institute's URL:
http://www.gocsi.com/