Page 1
Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE
Intruder
Hacker: 4 phases
Attacks: DDoS, dictionary attack, TCP attack, packet sniffing, social attack
Malicious software: virus, worm, Trojan, ...
Page 2
A significant security problem for networked systems is hostile, or at least unwanted, trespass by users or software.
User trespass (intrusion) can take the form of:
o unauthorized logon to a machine,
o an authorized user gaining privileges, or
o performance of actions beyond those that have been authorized.
Software trespass can take the form of a:
o virus,
o worm, or
o Trojan horse.
o One of the two main threats is the intruder, often referred to as a hacker or cracker (the other is viruses).
o Masquerader: a person who penetrates a system's access controls to exploit a legitimate user's account -> outsider
o Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges -> insider
o Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls -> outsider or insider
Page 3
Nguyen Thi Thanh Van - Khoa CNTT, 25/05/2017
Benign intruders might be tolerable, although they do consume resources and may slow performance for legitimate users; but there is no way to know in advance whether an intruder will be benign or harmful, so every intruder is a potential threat.
One response to the intruder problem has been the establishment of a number of Computer Emergency Response Teams (CERTs):
o collect / disseminate vulnerability info / responses
Page 4
White Hat: finding vulnerabilities in a computer system for the purpose of "patching" the holes.
Black Hat: the purpose is to destroy network systems or enrich themselves.
Page 5
Phases: Footprinting/Reconnaissance, Scanning and Enumeration, Gaining access, Maintaining access, Covering tracks.
o Phishing: fake email
o Pharming: fake web pages
o WhoIs database & arin.net
o Domain Name Server interrogations
Page 6
The second stage would be to learn the network and computer configurations:
War Driving: Can I find a wireless network?
War Dialing: Can I find a modem to connect to?
Network Mapping: What IP addresses exist, and what ports are open on
Page 7
Malicious software:
o Trojan Horse: a useful utility that actually creates a backdoor; controls the system: system commands, logs keystrokes, passwords
o Spyware: collects info: keystroke logger, collects credit card numbers; Adware: inserts ads, filters search results
o Bots: the slave forwards/performs commands; spreads, lists email addresses, DoS attacks
o User-Level Rootkit: replaces system executables, e.g. login, ls, du
o Kernel-Level Rootkit: replaces the OS kernel, e.g. process or file control, to hide
Page 9
DoS attacks:
o Spoofing: SYN, source address
o Flooding: SYN (TCP), UDP, ICMP
o Distributed DoS attacks
o Reflection / Amplification: DNS, Smurf
o Buffer overflow
TCP attack
Packet sniffing
Session hijacking
Page 10
Password cracking: the process of guessing or recovering a password from stored locations or from a data transmission system.
We can run a dictionary attack on the passwords:
o The passwords in /etc/passwd are encrypted with the crypt() function (a one-way hash).
o Take a dictionary of words, crypt() them all, and compare with the hashed passwords.
This is why your passwords should be meaningless random junk!
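The dictionary audit just described, as an added example that is not part of the lecture: it stands in salted SHA-256 for crypt() (an assumption, chosen so the example runs anywhere), and the password file and wordlist are constructed.

```python
import hashlib
import secrets

# Stand-in for the one-way crypt() hash: salted SHA-256. This is an assumption
# for illustration, not the real crypt() algorithm; the principle is identical,
# because the salt is stored beside the hash and is therefore known to whoever
# holds the password file.
def hash_password(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed password file: user -> (salt, hash). Two users chose dictionary
# words; the third chose meaningless random junk.
STORED = {
    "alice": ("x7", hash_password("sunshine", "x7")),
    "bob":   ("q2", hash_password("letmein", "q2")),
    "carol": ("m9", hash_password(secrets.token_urlsafe(16), "m9")),
}

# Constructed wordlist; a real audit would use a large dictionary.
WORDLIST = ["password", "sunshine", "dragon", "letmein", "qwerty"]

def audit_passwords(stored, wordlist):
    """Return {user: word} for every account whose password is in the wordlist.
    Every word must be re-hashed per distinct salt, which is why salting slows
    the attack down but does not stop it for weak passwords; a random password
    simply never appears in the list."""
    weak = {}
    for user, (salt, stored_hash) in stored.items():
        for word in wordlist:
            if hash_password(word, salt) == stored_hash:
                weak[user] = word
                break
    return weak

def hash_operations(stored, wordlist):
    """Worst-case work for the audit: one hash per (distinct salt, word) pair."""
    return len({salt for salt, _ in stored.values()}) * len(wordlist)
```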
Page 11
Denial of service (DoS): an action that prevents or impairs (damages) the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.
Page 12
Back-end resources: items that support a public-facing resource, such as
o a web page,
o a customer database, or
o a server farm; taking them down essentially renders all front-end resources unavailable.
DoS attacks can also be carried out
o within a local area network, with intent to compromise the network itself,
o or to compromise a specific node such as a server or client system.
Page 13
15-441 Networks Fall 2002
o Spoofing: SYN, source address
o Flooding: SYN (TCP), UDP, ICMP
o Distributed DoS attacks
o Mini Case Study: Code-Red
Source address spoofing:
o use fake source addresses
o generate large volumes (numbers) of packets directed at the target, with different, random source addresses
o causes the same bottleneck
o responses are scattered across the Internet, so the real source is much harder to identify
o used in many types of denial of service attacks
Page 14
IP Source Guard: Cisco IOS Software feature for Catalyst switches.
SYN spoofing: the attacker sends connection request packets with forged source addresses; for each one the server
o records the details of the TCP connection request,
o sends the SYN-ACK packet to the claimed source address, and
o resends the SYN-ACK packet a number of times before finally assuming the connection request has failed, and deleting the information saved concerning it.
Page 15
The attacker often uses either
o random source addresses,
o or that of an overloaded server,
o to block the return of (most) reset packets.
o The attacker can be on a much lower capacity link.
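The server-side behaviour on pages 14 and 15 is what a monitor can look for: SYNs whose handshake never completes, one per (spoofed) source. The detector below is an added example, not part of the lecture; the packet records are constructed and the backlog size is an assumed value.

```python
from collections import defaultdict

# Constructed packet records (time_s, src, dst, tcp_flags) as a monitor in
# front of server 192.0.2.10 would see them. "S" = SYN, "A" = the client's
# final ACK. One legitimate client completes the handshake; then 40 SYNs
# arrive from 40 different (spoofed) sources and none is ever acknowledged.
PACKETS = [
    (0.00, "10.0.0.5", "192.0.2.10", "S"),
    (0.02, "10.0.0.5", "192.0.2.10", "A"),
] + [(1.0 + i * 0.01, f"203.0.113.{i}", "192.0.2.10", "S") for i in range(1, 41)]

def half_open_sources(packets):
    """Map each server to the set of clients whose SYN was never followed by
    an ACK from the same (client, server) pair, i.e. the entries that would
    still occupy the server's half-open connection table."""
    pending = {}
    for _, src, dst, flags in sorted(packets):
        if flags == "S":
            pending[(src, dst)] = True
        elif flags == "A":
            pending.pop((src, dst), None)
    per_server = defaultdict(set)
    for client, server in pending:
        per_server[server].add(client)
    return per_server

def syn_flood_suspects(packets, backlog=16):
    """Servers whose half-open table exceeds the assumed backlog size.
    A spoofed flood is recognisable by many distinct sources contributing
    exactly one unacknowledged SYN each."""
    per_server = half_open_sources(packets)
    return sorted(s for s, clients in per_server.items() if len(clients) > backlog)
```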
Page 16
Flooding attacks are classified based on the network protocol used:
o ICMP flood: uses ICMP packets, e.g. echo request packets as in a ping flood; typically allowed through, some required
o UDP flood: an alternative uses UDP packets to some port
o TCP SYN flood: uses TCP SYN (connection request) packets, but for a volume attack
Page 17
UDP flood: the IP packets that the attacker uses against its victim contain UDP datagrams of different sizes.
SYN flood: the attacker sends SYN requests without ever acknowledging back the server's SYN response.
Page 18
DDoS:
o Same techniques as regular DoS, but on a much larger scale.
o Multiple systems allow much higher traffic volumes to form a Distributed Denial of Service (DDoS) attack.
o Often compromised PCs / workstations:
o zombies with backdoor programs installed,
o forming a botnet.
e.g.
o Tribe Flood Network (TFN), TFN2K
o Sub7Server Trojan and IRC bots
• Infect a large number of machines with a "zombie" program.
Page 19
Reflection attacks:
o use the normal behavior of the network
o target services that are running on a server
o the server's response is directed at the target (the spoofed address)
o the response can flood the target
o involves an intermediary and the target
Page 20
Amplification: a reflection-based DDoS attack generating multiple response packets, e.g. sent to the broadcast address for some network (Smurf).
DNS amplification:
o use DNS requests with the spoofed source address being the target
o exploit DNS behavior to convert a small request to a much larger response
o 60 byte request to 512 - 4000 byte response
o the attacker sends requests to multiple well connected servers, which flood the target
o need only a moderate flow of request packets
o DNS servers will also be loaded
Usable tools: dig, Tsunami
Defense mechanism:
o Disable DNS recursive query
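From the target's side, reflected DNS traffic has one tell-tale property: responses arrive for queries the target never sent. The checker below is an added example, not part of the lecture; the flow records, the victim address and the resolver addresses are constructed.

```python
from collections import defaultdict

# Constructed flow records at the victim's border router:
# (src_ip, src_port, dst_ip, dst_port, bytes). The victim 192.0.2.10 sent a
# single 60-byte query to its own resolver 198.51.100.1 and got a 512-byte
# answer. Everything else is responses from three open resolvers to queries
# the victim never sent: the attacker spoofed the victim's address.
VICTIM = "192.0.2.10"
FLOWS = [
    (VICTIM, 40000, "198.51.100.1", 53, 60),
    ("198.51.100.1", 53, VICTIM, 40000, 512),
] + [(f"203.0.113.{r}", 53, VICTIM, 50000 + r, 3800)
     for r in (1, 2, 3) for _ in range(20)]

def unsolicited_dns_responses(flows, victim):
    """Return {resolver_ip: bytes} for DNS responses delivered to the victim
    that match no query the victim itself sent (addresses/ports reversed)."""
    queries = {(s, sp, d, dp) for s, sp, d, dp, _ in flows if s == victim and dp == 53}
    reflected = defaultdict(int)
    for s, sp, d, dp, size in flows:
        if d == victim and sp == 53 and (d, dp, s, sp) not in queries:
            reflected[s] += size
    return dict(reflected)

def amplification_factor(request_bytes, response_bytes):
    """Bandwidth multiplier per reflected request: the 60 -> 512..4000 byte
    range on the slide gives roughly 8.5x to 67x."""
    return response_bytes / request_bytes
```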
Page 22
Now defeated by ping blocking, OS patching, and general awareness; back in its heyday it was the easy-to-use DoS exploit.
Page 23
Teardrop: involves sending fragmented packets to a target machine. This causes the target machine to become unstable when attempting to rebuild the fragmented packets.
Mini case study: Code-Red
o July 19, 2001: over 359,000 computers infected with Code-Red in less than 14 hours
o Used a recently known buffer exploit in Microsoft IIS
o Damages estimated in excess of $2.6 billion
o Code-Red launched a DDoS attack against www1.whitehouse.gov from the 20th to the 28th of every month!
o Spent the rest of its time infecting other hosts
Page 24
DoS tools:
o DoSHTTP: an HTTP flood DoS tool. It can target URLs, and it uses port designation.
o UDP Flood: this utility generates UDP packets at a specified rate and to a specific network.
o Jolt2: this IP packet fragmentation DoS tool can send large numbers of fragmented packets to a Windows host.
o Targa: this 8-in-1 tool can perform DoS attacks using one or many of the included options. Targa is capable of land, WinNuke, and teardrop attacks against multiple IPs.
o LOIC: popular because of its easy one-button operation. Some people suspect that groups such as Anonymous, which use DDoS attacks as their primary weapon, use LOIC as their main tool. It can perform UDP, SYN, and UDP flood attacks; attacks can be configured to run for a specified duration and to specific ports.
Page 25
IP spoofing:
o End hosts create IP packets and routers process them purely based on the destination address alone; the source address does not affect delivery.
o Source address – a host may trick the destination into believing that the packet is from a trusted source.
• Especially applications which use IP addresses as a simple authentication method.
• Solution – use better authentication methods.
Page 26
TCP session hijacking requires knowledge of:
o starting sequence numbers, port numbers
o Port numbers are sometimes well known to begin with (ex: HTTP uses port 80)
o Sequence numbers are sometimes chosen in very predictable ways
The attacker can then inject packets into the connection, and the recipient will believe it came from the original source.
o Ex: instead of downloading and running a new program, you download a virus and execute it.
Page 27
The ISN (Initial Sequence Number) has always been the subject of security issues, as it seems to be a favorite way for hackers to 'hijack' TCP connections.
o The attacker wants to attack Host A.
o It floods Host B with new requests, causing a denial of service attack to stop Host B from communicating with A.
o Now the attacker can predict the sequence number of the packet that A is expecting from B.
o The attacker prepares such a packet and sends it to Host A.
o Since it is a faked packet, Host A thinks it is coming from B.
o Now this packet can be a packet terminating the connection or asking Host A to run some malicious commands/scripts etc.
Page 28
(Figure: Mr Big Ears, an attacker on the network between Alice and Bob. He can intercept all of their packets; Alice's packets must not be delivered to Bob (why?); he uses the next ISN, sniffed from the network.)
Page 29
Reset (RST) attack: this attack is fairly simple to understand once the above attack is clear to you.
o Once the attacker is able to hijack a TCP session,
o the attacker sends packets with the RST flag ON to both A and B, or to any one of the hosts.
o Since both A and B do not know that an attacker has sent these packets, they treat these packets normally.
o Since they are reset packets, the connection between A and B is terminated.
What if the attacker is not between Alice and Bob?
o Can just DoS Alice instead of dropping her packets
o Can just send guesses of what the ISN is until it is accepted
o Mitnick: payload is "add self to rhosts"
o Or, "xterm -display MrBigEars:0"
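Pages 26 to 29 rest on one property: whether a host's ISNs are predictable from the ones it has already handed out. The check below is an added example, not part of the lecture; it scores a sequence of observed ISNs the way a stack assessment would, and both ISN sample sets are constructed (the "random" one is seeded only to make the example repeatable).

```python
import random

# Constructed ISN samples as observed over eight successive connections to one
# host. PREDICTABLE mimics the classic generator that added a fixed constant
# per connection (the weakness behind the Mitnick-style guess); SEEDED_RANDOM
# stands in for a modern unpredictable generator.
PREDICTABLE = [(1_000_000 + 64_000 * i) & 0xFFFFFFFF for i in range(8)]
_rng = random.Random(2017)
SEEDED_RANDOM = [_rng.getrandbits(32) for _ in range(8)]

def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32 (the field wraps)."""
    return [(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])]

def isn_predictability(isns):
    """Return (verdict, guess_bits). guess_bits is roughly how many bits an
    observer who has seen the previous ISNs would still have to guess to hit
    the next one: 0 when the increment is constant, near 32 when the
    increments are spread across the whole field. The 16-bit cut-off is an
    assumed threshold for this example."""
    deltas = isn_deltas(isns)
    spread = max(deltas) - min(deltas)
    bits = spread.bit_length()
    verdict = "predictable" if bits < 16 else "unpredictable"
    return verdict, bits
```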
Page 31
Session hijacking is synonymous with a stolen session, in which an attacker intercepts and takes over a legitimately established session between a user and a host.
• The attacker takes over an existing active session.
• In this process, the attacker waits for an authorized party to establish a connection to a resource or service and then takes over the session.
Page 32
Step 1: Sniffing. You must be able to sniff the traffic on the network between the two points that have the session you wish to take over.
Step 2: Monitoring. Your goal is to observe the flow of traffic between the two points with an eye toward predicting the sequence numbers of the packets.
Step 3: Session Desynchronization. Breaking the session between the two parties.
Step 4: Session ID Prediction. You predict the session ID itself (more on that later) to take over the session.
Step 5: Command Injection. You are free to start injecting commands into the session targeting the remaining party (most likely a server or other valuable resource).
Active attack: a session hijacking attack is considered active when the attacker assumes the session as their own.
Page 33
Passive attack: a passive attack focuses on monitoring the traffic between the victim and the server as it goes across the wire.
o session sniffing:
• a variation of sniffing
o predicting session tokens:
• the most effective way is to gather a few session IDs
Page 35
Sniffing targets:
o user IDs,
o passwords,
o network details,
o credit card numbers, etc.
Page 37
o Poison the ARP caches of the two hosts that you want to sniff -> the two hosts start their connection and it gets sent to us.
o Sniffing can be done on a switched network.
A hub does allow sniffing => a switch
o keeps traffic separate to each switch port (collision domain),
o keeps track of MAC addresses received by writing them to a content addressable memory (CAM) table.
CAM table flooding: overwhelm the switch's ability to write to its own CAM table.
Page 38
ARP poisoning: attempts to contaminate a network with incorrect gateway or host mappings (because ARP broadcasts are free).
Tools: Ethereal, Cain and Abel.
Enabling the IP DHCP Snooping feature on Cisco switches prevents ARP poisoning.
MAC address spoofing: changing a MAC address to another (existing) MAC address; not useful for network-wide sniffing, but it does work to allow an unauthorized client onto the network without too much administrative hacking effort.
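Both switched-network tricks on pages 37 and 38 leave a pattern a monitoring port can see: one IP announced with two MACs (ARP cache poisoning) and one port sourcing far more MACs than a host owns (CAM table flooding). The detector below is an added example, not part of the lecture; the ARP replies, frame records and threshold are constructed or assumed.

```python
from collections import defaultdict

# Constructed ARP replies seen by a monitoring port: (switch_port, sender_ip,
# sender_mac). Port 3 suddenly announces itself as both the gateway 10.0.0.1
# and the host 10.0.0.7, the cache-poisoning pattern described on page 37.
ARP_REPLIES = [
    (1, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (2, "10.0.0.7", "aa:aa:aa:aa:aa:07"),
    (3, "10.0.0.1", "bb:bb:bb:bb:bb:99"),
    (3, "10.0.0.7", "bb:bb:bb:bb:bb:99"),
]

# Constructed frame source records (switch_port, source_mac): port 3 also
# emits 500 different source MACs, the CAM-table flooding pattern.
FRAMES = [(1, "aa:aa:aa:aa:aa:01"), (2, "aa:aa:aa:aa:aa:07")] + [
    (3, "02:00:00:%02x:%02x:%02x" % (i >> 16 & 0xFF, i >> 8 & 0xFF, i & 0xFF))
    for i in range(500)
]

def arp_conflicts(replies):
    """IPs announced with more than one MAC -> sorted list of those MACs.
    A gateway IP appearing here is the strongest poisoning signal."""
    macs_for_ip = defaultdict(set)
    for _, ip, mac in replies:
        macs_for_ip[ip].add(mac)
    return {ip: sorted(m) for ip, m in macs_for_ip.items() if len(m) > 1}

def cam_flood_ports(frames, threshold=100):
    """Ports sourcing more distinct MACs than a single host plausibly owns
    (threshold is an assumed value; a real switch has a fixed CAM size)."""
    macs_for_port = defaultdict(set)
    for port, mac in frames:
        macs_for_port[port].add(mac)
    return sorted(p for p, m in macs_for_port.items() if len(m) > threshold)
```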
Page 39
o Unless you really don't care about the password or data
o Can also use KerbFTP (download from MyAndrew)
o Provides network-layer confidentiality
Promiscuous mode: under normal circumstances there is little reason for a network card to be in promiscuous mode, and as such all cards running in this mode should be investigated.
A way to view the network and identify strange traffic.
Page 41
Social attack:
o Most humans will break down once they are at the "harmed" stage, unless they have been specially trained.
o "Hi, I'm your AT&T rep, I'm stuck on a pole, I need you to punch a bunch of buttons for me."
o Use a combination of solutions and more closely monitor who has access to what network resources and information.
o But this solution is still not perfect.
Page 42
Manipulation of search results on Google: a site is ranked high in the search results even though the page content is not related to that keyword. To do this, the hacker can mobilize large numbers of backlinks pointing to the website through keywords. For example, in 2004, users entering the words "miserable failure" into Google got links to former US President George Bush.
Buffer overflow is a DoS technique that occurs when a software attempts to place data in a memory area past a buffer; the overflow could overwrite program code, or maybe modify how the software works beyond what was intended.
Page 44
Reference: Cryptography and Network Security, Principles and Practice, William Stallings, Prentice Hall, Sixth Edition, 2013.
Exercises:
o Using Netstat to Detect Open Ports (8.2)
o Using TCPView to Track Port Usage
o ...
o Demo at least 3 attacks...
o Demo at least 3 malicious software...