documentation as the Assigned Call ID), which is a unique identifier for the call being attempted. A final Outgoing-Call-Connected message completes the handshake, and data can flow, marked with the Tunnel IDs and Call ID to ensure that it can be uniquely distinguished from other traffic.
Again, as in the PPTP case, there is a message to disconnect a call and a message to disconnect a tunnel: these are the Call-Disconnect-Notify and Stop-Control-Connection-Notification messages. If it sounds like L2TP is PPTP with a few different names, that's because L2TP was designed to include the best features of PPTP and Cisco's Layer 2 Forwarding (L2F) Protocol. L2TP's main usability benefit comes from its use of a single pseudo-connection over a protocol that is forwarded by most routers: UDP. L2TP's biggest security benefit also comes from the use of a well-defined protocol, Internet Protocol Security (IPsec). L2TP is most often used as a VPN by combining it with IPsec ESP, so that VPN traffic is encapsulated in five layers (see Figure 9.8):
1. PPP
2. L2TP
3. UDP
4. IPsec ESP
5. IP
Although this might sound confusing, the L2TP/IPsec VPN is a common method of maintaining trusted and encrypted connections from machine to machine across uncontrolled external networks.
Figure 9.8 L2TP/IPsec Packet Showing Multiple Levels of Encapsulation.

Network Ports, Services, and Threats
In this section, we discuss network ports, network services, and potential threats to your network. To properly protect your network, you need to first identify the existing vulnerabilities. As we will discuss, knowing what exists in your network is the best first defense. By identifying ports that are open but may not be in use, you will be able to begin to close the peepholes into your network from the outside world. By monitoring required services and removing all others, you reduce the opportunity for attack and begin to make your environment more predictable.
Also, by becoming familiar with common network threats that exist today, you can take measures to prepare your environment to stand against these threats. The easiest way for a hacker to make his or her way into your environment is to exploit known vulnerabilities. By understanding how these threats work, you will be able to safeguard against them as best as possible and be ready for when new threats arise.
Network Ports and Protocols
Unnecessary network ports and protocols in your environment should be eliminated whenever possible. Many of our internal networks today use TCP/IP as the primary protocol, so for most that means eliminating the following protocols: Internetwork Packet Exchange (IPX), Sequenced Packet Exchange (SPX), and/or NetBIOS Extended User Interface (NetBEUI). It is also important to look at the specific operational protocols used in a network, such as Internet Control Message Protocol (ICMP), Internet Group Management Protocol (IGMP), Service Advertising Protocol (SAP), and the Network Basic Input/Output System (NetBIOS) functionality associated with Server Message Block (SMB) transmissions in Windows-based systems.
Notes from the Field...
Eliminate External NetBIOS Traffic
One of the most common methods of obtaining access to a Windows-based system and then gaining control of that system is through NetBIOS traffic. Windows-based systems use NetBIOS in conjunction with SMB to exchange service information and establish secure channel communications between machines for session maintenance. If file and print sharing is enabled on a Windows computer, NetBIOS traffic can be viewed on the external network unless it has been disabled on the external interface. With the proliferation of digital subscriber line (DSL), broadband, and other "always-on" connections to the Internet, it is vital that this functionality be disabled on all interfaces exposed to the Internet.

Although you are considering removal of nonessential protocols, it is important to look at every area of the network to determine what is actually occurring and running on the system. The appropriate tools are needed to do this, and the Internet contains a wealth of resources for tools and information to analyze and inspect systems.
A number of functional (and free) tools can be found at sites such as www.foundstone.com/knowledge/free_tools.html. Among these, tools like SuperScan 3.0 are extremely useful in the evaluation process.
Monitoring a mixed environment of Windows, UNIX, Linux, and/or NetWare machines can be accomplished using tools such as Big Brother, which may be downloaded and evaluated (or in some cases used without charge) by visiting www.bb4.com, or Nagios, which can be found at www.nagios.org.
Another useful tool is Nmap, a port scanner, which is available at http://insecure.org/nmap/. These tools can be used to scan, monitor, and report on multiple platforms, giving a better view of what is present in an environment. In UNIX and Linux-based systems, nonessential services can be controlled in a variety of ways depending on the distribution being worked with. This may include editing or making changes in configuration files such as xinetd.conf or inetd.conf, the use of graphical administration tools such as linuxconf or webmin in Linux, or the use of facilities such as svcadm in Solaris. It may also include the use of ipchains, iptables, pf, or ipfilter in various versions to restrict the options available for connection at a firewall.
Modern Windows-based platforms allow the configuration of OS and network services from provided administrative tools. These tools include a service applet in a control panel or a Microsoft Management Console (MMC) tool in a Windows XP/Vista/2003/2008 environment. It may also be possible to check or modify configurations at the network adapter properties and configuration pages. In either case, it is important to restrict access and thus limit vulnerability due to unused or unnecessary services or protocols.
Note
As you begin to evaluate the need to remove protocols and services, make sure that the items you are removing are within your area of control. Consult with your system administrator on the appropriate action to take, and make sure you have prepared a plan to back out and recover if you find that you have removed something that is later deemed necessary, or if you make a mistake.

Let's take a moment to use a tool to check what protocols and services are running on systems in a network. This will give you an idea of what you are working with. Exercise 9.3 uses Nmap to look at the configuration of a network, specifically to generate a discussion and overview of the services and protocols that might be considered when thinking about restricting access at various levels. Nmap is used to scan ports, and while it is not a full-blown security scanner, it can identify additional information about a service that can be used to determine an exploit that could be effective. Security scanners that can be used to detail existing vulnerabilities include products such as Nessus and LANGuard Network Security Scanner. On a UNIX-based platform, a number of evaluation tools have been developed, such as Amap, p0f, and Nessus, which can perform a variety of port and security scans. In Exercise 9.3, you will scan a network to identify potential vulnerabilities.
Exercise 9.3 Scanning for Vulnerabilities
In this exercise, you will examine a network to identify open ports and what could be the potential problems or holes in specific systems. In this exercise, you are going to use Nmap, which you can download and install for free prior to starting the exercise by going to http://insecure.org/nmap/download.html and selecting the download tool. This tool is available for Windows or Linux computers.
To begin the exercise, launch Nmap from the command line. You want to make sure that you install the program into a folder that is in the path or that you open it from the installed folder. When you have opened a command line prompt, complete the exercise by performing the following steps:
1. From the command line, type nmap. You will receive the following response:
C:\>nmap
Nmap V 4.20 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
-iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
interactive Go into interactive mode (then press h for help)
win_help Windows-specific features
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
2. This should give you some idea of some of the types of scans that Nmap can perform. Notice the first and second entries. The -sS is a TCP stealth scan, and the -sT is a TCP full connect. The difference in these is that the stealth scan does only two of the three steps of the TCP handshake, while the full connect scan does all three steps and is slightly more reliable.
3. Now run Nmap with the -sT option and configure it to scan the entire subnet. The following gives an example of the proper syntax:
C:\>nmap -sT 192.168.1.1-254
4. The scan may take some time. On a large network, expect the tool to take longer as there will be many hosts for it to scan.
5. When the scan is complete, the results will be returned that will look similar to those shown here:
Interesting ports on (192.168.1.17):
(The 1,600 ports scanned but not shown below are in state: filtered)
Interesting ports on (192.168.1.18):
(The 1,594 ports scanned but not shown below are in state: filtered)
139/tcp Open netbios-ssn
9100/tcp Open jetdirect
9111/tcp Open DragonIDSConsole
9152/tcp Open ms-sql2000
Interesting ports on (192.168.1.19):
(The 1,594 ports scanned but not shown below are in state: filtered)
9100/tcp open jetdirect
9112/tcp open DragonIDSSensor
9152/tcp open ms-sql2000
Interesting ports on VENUS (192.168.1.20):
(The 1,596 ports scanned but not shown below are in state: filtered)
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Interesting ports on PLUTO (192.168.1.21):
(The 1,596 ports scanned but not shown below are in state: filtered)
139/tcp open netbios-ssn
Interesting ports on (192.168.1.25):
(The 1,598 ports scanned but not shown below are in state: filtered)
Nmap run completed – 254 IP addresses (six hosts up) scanned in 2528 s
In the example shown above, notice how you can see the ports that were identified on each system. Although this is the same type of tool that would be used by an attacker, it's also a valuable tool for the security professional. You can see from the example that there are a number of ports open on each of the hosts that were probed. Remember that these machines are in an internal network, so some of these ports should be allowed.
The question as to whether or not the ports should be open should lead us back to a discussion involving environmental policy and risk assessment. If nothing else, this type of tool can allow us to see if our hardening activities have worked and verify that no one has opened services on a system that are not allowed. Even for ports that are allowed and have been identified by scanning tools, decisions must be made as to which of these ports are likely to be vulnerable, and then the risks of the vulnerability weighed against the need for the particular service connected to that port. Port vulnerabilities are constantly updated by various vendors and should be reviewed and evaluated for risk at regular intervals to reduce potential problems. It is important to remember that scans of a network should be conducted initially to develop a baseline of what services and protocols are active on the network. From there, the work begins to pare down which of the identified services must stay active and which can be eliminated. Once the network has been secured according to policy, these scans should be conducted on a periodic basis to ensure that the network is in compliance with policy.
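To make the baseline-and-recheck routine concrete, here is an added Python example (not from the book and not part of the Nmap project) that parses a constructed listing in the same format as the Exercise 9.3 output, compares it with a hypothetical per-host policy and with an earlier baseline, and reports unapproved open ports and drift. The policy, the sample hosts, and their services are assumptions made up for the illustration.

```python
import re

# Constructed sample in the "normal" Nmap output format reproduced in Exercise 9.3
# (not a real scan; hosts and services are made up to mirror the book's listing).
SCAN_OUTPUT = """\
Interesting ports on (192.168.1.18):
(The 1,594 ports scanned but not shown below are in state: filtered)
139/tcp open netbios-ssn
9100/tcp open jetdirect
9152/tcp open ms-sql2000
Interesting ports on VENUS (192.168.1.20):
(The 1,596 ports scanned but not shown below are in state: filtered)
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap run completed - 254 IP addresses (six hosts up) scanned in 2528 s
"""

HOST_RE = re.compile(r"^Interesting ports on (?:\S+ )?\((\d+\.\d+\.\d+\.\d+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)", re.IGNORECASE)

def parse_scan(text):
    """Return {ip: {(port, proto): service}} for every port a host reports as open."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, {})  # register the host even if it lists no open ports
            continue
        m = PORT_RE.match(line)
        if m and current and m.group(3).lower() == "open":
            hosts[current][(int(m.group(1)), m.group(2).lower())] = m.group(4)
    return hosts

# Hypothetical policy (an assumption, not from the book): approved open ports per host.
POLICY = {
    "192.168.1.18": {(9100, "tcp")},               # print server: JetDirect only
    "192.168.1.20": {(139, "tcp"), (445, "tcp")},  # file server: SMB is allowed internally
}

def policy_violations(scan, policy):
    """Open ports the policy does not approve, plus hosts the policy never mentions."""
    findings = []
    for ip, ports in scan.items():
        allowed = policy.get(ip)
        if allowed is None:
            findings.append((ip, None, "host not in policy"))
            continue
        for key in sorted(ports):
            if key not in allowed:
                findings.append((ip, key, f"unapproved open port ({ports[key]})"))
    return findings

def baseline_drift(baseline, current):
    """Per host, which ports opened or closed since the baseline scan."""
    drift = {}
    for ip in sorted(set(baseline) | set(current)):
        before, after = set(baseline.get(ip, {})), set(current.get(ip, {}))
        if before != after:
            drift[ip] = {"opened": sorted(after - before), "closed": sorted(before - after)}
    return drift
```

Feed the parser the saved output of each periodic scan and diff it against the baseline taken right after hardening; anything in the drift or violation lists is a service someone opened outside policy.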
Test Day Tip
Spend a few minutes reviewing port and protocol numbers for standard services provided in the network environment. This will help when you are analyzing questions that require configuration of ACL lists and determinations of appropriate blocks to install to secure a network.
Network Threats
Network threats exist in today's world in many forms. It seems as if the more creative network administrators become in protecting their environments, the more creative hackers and script kiddies become at innovating ways to get past the most admirable security efforts.
One of the more exciting and dynamic aspects of network security relates to the threat of attacks. A great deal of media attention and many vendor product offerings have been targeting attacks and attack methodologies. This is perhaps the reason that CompTIA has been focusing many questions in this particular area. Although there are many different varieties and methods of attack, they all can be generally grouped into several categories:
■ By the general target of the attack (application, network, or mixed)
■ By whether the attack is active or passive
■ By how the attack works (for example, via password cracking or by exploiting code and cryptographic algorithms)
Head of the Class...
Attack Methodologies in Plain English
In this section, we've listed network attacks, application attacks, and mixed threat attacks, and within those are included buffer overflows, DDoS attacks, fragmentation attacks, and theft of service attacks. Although the list of descriptions might look overwhelming, generally the names are self-explanatory. For example, consider a DoS attack. As its name implies, this attack is designed to do just one thing: render a computer or network nonfunctional so as to deny service to its legitimate users. That's it. So, a DoS attack could be as simple as unplugging machines at random in a data center or as complex as organizing an army of hacked computers to send packets to a single host to overwhelm it and shut down its communications. Another term that has caused some confusion is a mixed threat attack. This simply describes any type of attack that is comprised of two different, smaller attacks. For example, an attack that goes after Outlook clients, and then sets up a bootleg music server on the victim machine, is classified as a mixed threat attack.

It's important to realize that the boundaries between these three categories aren't fixed. As attacks become more complex, they tend to be both application-based and network-based, which has spawned the new term mixed threat applications. An example of such an attack can be seen in the MyDoom worm, which targeted Windows machines in 2004. Victims received an e-mail indicating a delivery error, and if they executed the attached file, MyDoom would take over. The compromised machine would reproduce the attack by sending the e-mail to contacts in the user's address book and by copying the attachment to peer-to-peer (P2P) sharing directories. It would also open a backdoor on port 3127 and try to launch a denial of service (DoS) attack against organizations such as The SCO Group or Microsoft. So, as attackers get more creative, we have seen more and more combined and sophisticated threats. In the next few sections, we will detail some of the most common network threats and attack techniques so that you can be aware of them and understand how to recognize their symptoms and thereby devise a plan to thwart attack.
TCP/IP Hijacking
TCP/IP hijacking, or session hijacking, is a problem that has appeared in most TCP/IP-based applications, ranging from simple Telnet sessions to Web-based e-commerce applications. To hijack a TCP/IP connection, a malicious user must first have the ability to intercept a legitimate user's data, and then insert himself or herself into that session much like a man-in-the-middle (MITM) attack. A tool known as Hunt (www.packetstormsecurity.org/sniffers/hunt/) is very commonly used to monitor and hijack sessions. It works especially well on basic Telnet or FTP sessions.
A more interesting and malicious form of session hijacking involves Web-based applications (especially e-commerce and other applications that rely heavily on cookies to maintain session state). The first scenario involves hijacking a user's cookie, which is normally used to store login credentials and other sensitive information, and using that cookie to then access that user's session. The legitimate user will simply receive a "session expired" or "login failed" message and probably will not even be aware that anything suspicious happened. The other issue with Web server applications that can lead to session hijacking is incorrectly configured session timeouts. A Web application is typically configured to time out a user's session after a set period of inactivity. If this timeout is too large, it leaves a window of opportunity for an attacker to potentially use a hijacked cookie or even predict a session ID number and hijack a user's session.
To prevent these types of attacks, as with other TCP/IP-based attacks, the use of encrypted sessions is key; in the case of Web applications, unique and pseudorandom session IDs and cookies should be used along with SSL encryption. This makes it harder for attackers to guess the appropriate sequence to insert into connections or to intercept communications that are encrypted during transit.
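As an added example (not from the book), this Python session store applies the two mitigations the paragraph names for Web applications: session IDs drawn from a cryptographically strong generator rather than a predictable sequence, and an idle timeout that destroys the session instead of letting a stale cookie stay valid. The 15-minute timeout value and the in-memory store are assumptions for the illustration.

```python
import hmac
import secrets
import time

# Assumptions (not from the book): an in-memory store and a 15-minute idle limit. The text
# only says the timeout must not be "too large"; the exact value is a policy choice.
IDLE_TIMEOUT_SECONDS = 15 * 60

class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so expiry can be exercised without waiting
        self._sessions = {}  # session_id -> {"user": str, "last_seen": float}

    def create(self, user):
        """Issue a session ID from the OS CSPRNG; 32 random bytes cannot be predicted
        the way a counter-based or timestamp-derived ID could."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None. Idle sessions are destroyed,
        so a cookie captured after the user walked away stops working at the timeout."""
        if not isinstance(sid, str) or not sid.isascii():
            return None
        # Compare in constant time so a guesser learns nothing from response timing.
        match = next((k for k in self._sessions if hmac.compare_digest(k, sid)), None)
        if match is None:
            return None
        entry = self._sessions[match]
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[match]  # the "session expired" path
            return None
        entry["last_seen"] = now  # activity extends the idle window
        return entry["user"]

    def logout(self, sid):
        """Explicit logout invalidates the ID at once rather than waiting for idle expiry."""
        return self._sessions.pop(sid, None) is not None
```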
Null Sessions
Null sessions are unauthenticated connections. When someone attempts to connect to a Windows machine and does not present credentials, they can potentially successfully connect as an anonymous user, thus creating a Null session. Null sessions present a vulnerability, in that once someone has successfully connected to a machine, there is a lot to be learned about the machine. The more that is exposed about the machine, the more ammunition a hacker will have to attempt to gain further access. For instance, in Windows NT/2000, content about the local machine SAM database was potentially accessible from a Null session. Once someone has obtained information about local usernames, they can then launch a brute force or dictionary attack in an attempt to gain additional access to the machine.
Null sessions can be controlled to some degree with registry hacks that can be deployed out to your machines, but the version of Windows OS will dictate what can be configured for Null session behavior on your machine.
IP Spoofing
The most classic example of spoofing is IP spoofing. TCP/IP requires that every host fills in its own source address on packets, and there are almost no measures in place to stop hosts from lying. Spoofing, by definition, is always intentional. However, the fact that some malfunctions and misconfigurations can cause the exact same effect as an intentional spoof causes difficulty in determining whether an incorrect address indicates a spoof.
Spoofing is a result of some inherent flaws in TCP/IP. TCP/IP basically assumes that all computers are telling the truth. There is little or no checking done to verify that a packet really comes from the address indicated in the IP header. When the protocols were being designed in the late 1960s, engineers didn't anticipate that anyone would or could use the protocol maliciously. In fact, one engineer at the time described the system as flawless because "computers don't lie." There are different types of IP spoofing attacks. These include blind spoofing attacks, in which the attacker can only send packets and has to make assumptions or guesses about replies, and informed attacks, in which the attacker can monitor, and therefore participate in, bidirectional communications.
There are ways to combat spoofing, however. Stateful firewalls usually have spoofing protection whereby they define which IPs are allowed to originate on each of their interfaces. If a packet claims to be from a network specified as belonging to a different interface, the packet is quickly dropped. This protects from both blind and informed attacks. An easy way to defeat blind spoofing attacks is to disable source routing in your network at your firewall, at your router, or both. Source routing is, in short, a way to tell your packet to take the same path back that it took while going forward. This information is contained in the packet's IP options, and disabling this will prevent attackers from using it to get responses back from their spoofed packets.
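As an added illustration (not from the book), the following Python model shows the two defences just described: an interface-aware origin check of the kind a stateful firewall applies, and rejection of packets carrying source-route options. The interface table and its prefixes are hypothetical; the option type values 131 and 137 are the IPv4 Loose and Strict Source Route options defined in RFC 791.

```python
import ipaddress

# Hypothetical firewall interface table (an assumption, not from the book): the prefixes
# that may legitimately originate traffic on each interface. The outside interface has no
# prefixes because any address not claimed by an internal interface may arrive there.
INTERFACE_PREFIXES = {
    "inside": [ipaddress.ip_network("192.168.1.0/24")],
    "dmz": [ipaddress.ip_network("172.16.10.0/24")],
    "outside": [],
}

# IPv4 option type values for Loose (131) and Strict (137) Source Route, per RFC 791.
SOURCE_ROUTE_OPTIONS = {131, 137}

def interface_for(src):
    """The interface whose configured prefixes contain src, or None if none claims it."""
    for iface, prefixes in INTERFACE_PREFIXES.items():
        if any(src in prefix for prefix in prefixes):
            return iface
    return None

def ingress_decision(arrival_iface, src_ip, ip_options=(), disable_source_routing=True):
    """Return ("accept" | "drop", reason) for a packet entering arrival_iface.

    Two checks from the text: a packet whose source belongs to a different interface is
    dropped (this catches blind and informed spoofs alike), and, when source routing is
    disabled, any packet carrying a source-route option is dropped so that option cannot
    be used to steer replies back toward a spoofed source.
    """
    src = ipaddress.ip_address(src_ip)
    if disable_source_routing and SOURCE_ROUTE_OPTIONS.intersection(ip_options):
        return "drop", "source-routed packet"
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return "drop", "illegal source address"
    claimed_by = interface_for(src)
    if claimed_by is not None and claimed_by != arrival_iface:
        return "drop", f"source belongs to {claimed_by} but arrived on {arrival_iface}"
    if claimed_by is None and arrival_iface != "outside":
        return "drop", f"source is not assigned to {arrival_iface}"
    return "accept", "source consistent with arrival interface"
```

The same table drives both checks a misconfiguration would also trip, so a drop log entry from this filter is a prompt to investigate, not proof of an attack.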
Spoofing is not always malicious. Some network redundancy schemes rely on automated spoofing to take over the identity of a downed server. This is due to the fact that the networking technologies never accounted for the need for one server to take over for another.