April 29, 2010
Review For Final
MIS 4600 – MBA 5880 - © Abdou Illia
Introduction to Ethical Hacking
Hackers
3
Hackers
- Access a computer system or network without authorization
- Have different motivations (from proving their status to doing some damage)
Crackers
- Break into systems to steal or destroy data
Script kiddies or packet monkeys
- Young, inexperienced hackers
- Use publicly available hacking tools or copy code and techniques from the Internet
Hackers vs. Ethical Hackers
4
Ethical hacker
- Performs most of the same activities as hackers and crackers, but with the owner’s permission
- Employed by companies to perform penetration or security tests
Red team
- Team of ethical hackers with varied skills (social engineering, ethics/legal issues, break-ins, etc.)
Penetration test vs. Security test
5
Penetration test
- Legally breaking into a company’s network to find its weaknesses
- Tester only reports findings
Security test
- More than a penetration test
- Also includes:
  Analyzing the company’s security policy and procedures
  Offering solutions to secure or protect the network
Security Policy
- Sets rules for expected behaviors by users (e.g. regular patches download, strong passwords, etc.), and IT personnel (e.g. no unauthorized access to users’ files, …), etc.
- Defines access control rules.
- Defines consequences of violations.
- Helps track compliance with regulations.
- Etc.
Example policy rules:
- Passwords must not be written down
- Access to files must be granted to the level required by users’ job
Hacking Tools
6
Referred to as Tiger box in course textbook
- Collection of OSs and tools that assist with hacking & security tests
- Network scanners
- Traffic monitors / packet sniffers
- Keyloggers
- Password crackers like L0phtCrack
- Password extractors like pwdump, etc.
- Practical Extraction and Report Language (Perl)
- C programming language
- Scripts, i.e. a set of instructions that runs in sequence
Questions
Which of the following may be part of a Penetration test (P) or a Security test (S)? Use “X” to indicate your answer.
P S
1. Breaking into a computer system without authorization. X X
2. Laying out specific actions to be taken in order to prevent dangerous packets from passing through firewalls. X
3. Scanning a network in order to gather IP addresses of potential targets.
4. Finding that patches are not timely applied as recommended by corporate rules.
5. Writing a report about a company’s security defense system.
6. Scanning a network in order to find out what defense tools are being used.
7. Finding that users cannot change their passwords themselves.
8. Finding that a company does not have an effective password reset rule.
9. Finding out that a firewall does not block potentially dangerous packets.
10. Proposing a new procedure whose implementation may help improve systems security.
11. Finding out that the administrator's account is called Admin and has a weak password.
12. Finding out that 1/3 of the security procedures are not actually implemented.
13. Performing denial-of-service attacks. X X
14. Disabling network defense systems.
7
Penetration Testing Models
8
White box model
- Tester is told everything about the network topology and technology
- Tester is authorized to interview IT personnel and company employees
- Makes tester’s job a little easier
Note: some diagrams may show routers, firewalls, etc.
Penetration Testing Models (cont.)
9
Black box model
- Company staff does not know about the test
- Tester is not given details about the network. Burden is on the tester to find these details
- Helps knowing whether security personnel are able to detect an attack
Question: What is the disadvantage of letting the company’s employees know about the penetration test?
________________________________________________
Question: What is the disadvantage of letting the IT staff know about the penetration test?
________________________________________________
Penetration Testing Models (cont.)
10
Gray box model
- Hybrid of the white and black box models
- Company gives tester partial information
What You Should Know
11
What is the difference between a penetration test and a security test?
What is a hacker, a cracker, a packet monkey?
What three models are used for penetration tests?
What is the difference between the three?
What is a red team?
What portion of your ISP contract might affect your ability to conduct penetration tests over the Internet?
TCP/IP Concepts
Overview of TCP/IP
- Transmission Control Protocol/Internet Protocol (TCP/IP): most widely used protocol set
- TCP/IP is a protocol set with 4 layers*
- Protocol: common language used by computers for “speaking”
- IPX/SPX is another protocol set used in Novell networks. Some companies protect their network by using IPX/SPX internally (“poor man’s firewall”).
13
[Diagram: Computer 1 and Computer 2, each with Layer 1 to Layer 4, communicating over a TCP/IP network; an IPX/SPX LAN shown alongside]
* A layer can be seen as a group of tasks/activities/jobs
The Application Layer
- Front end to the lower-layer protocols
- Many Application layer protocols: HTTP, FTP, ARP, etc.
- Includes network services and client software. Examples: Web (HTTP service), Web browser
14
Commands/utilities for connecting to & using Application layer network services:
- ftp: used to transfer files between clients and servers
- telnet servername [port number]: to log on to a server
[Diagram: Computer 1 with Application, Transport, Internet and Interface layers; the Application layer highlighted]
The Transport Layer
- Prepares Application layer messages for proper “transportation” to a receiving device
- Main protocols used:
  The TCP protocol for connection-oriented “dialog”
  The User Datagram Protocol or UDP for connectionless transmissions
- Makes sure messages arrive at the destination exactly as they left the source (in case of connection-oriented communication)
- TCP opens connections using a 3-way handshake:
  Computer 1 sends a Synchronization (SYN) request
  Computer 2 replies with a Sync-Acknowledgement (SYN/ACK) packet
  Computer 1 replies with an ACK packet
15
[Diagram: Computer 1 and Computer 2, each with Application, Transport, Internet and Interface layers; the SYN, SYN/ACK, ACK exchange drawn between them at the Transport layer]
The Internet Layer
- Responsible for routing packets to their destination address
- Uses a logical address, called an IP address
- Main protocols used: IP and ICMP
Internet Control Message Protocol (ICMP)
- Used to send messages related to network operations
- Helps in troubleshooting a network
- Some Internet layer commands/utilities for troubleshooting network connections (more complex versions are included in hacking tools):
  Ping: determines whether a computer is connected and reachable
  Traceroute and tracert: determine the route to get to a computer
16
[Diagram: Computer 1 with Application, Transport, Internet and Interface layers; the Internet layer highlighted]
Sending a message using TCP/IP
- Generating the message at the Application layer
- Encapsulation: adding protocol headers (H) and trailers (T) to pack the message.
17
[Diagram: on the user PC the HTTP request (example: http://www.eiu.edu) passes down the layers: Application (HTTP req.), Transport (TCP-H + HTTP req. = TCP segment), Internet (IP-H + TCP segment = IP packet), Network Interface (NI-H + IP packet + NI-T = frames), then onto the transmission medium]
Receiving a TCP/IP message
- Frames arrive through the network interface
- De-encapsulation: removing protocol headers (H) and trailers (T) to access the request
18
[Diagram: the reverse of the sending diagram: frames from the transmission medium are unpacked at the Network Interface (NI-H and NI-T removed), Internet (IP-H removed) and Transport (TCP-H removed) layers until the HTTP request (example: http://www.eiu.edu) reaches the Application layer on the user PC]
TCP Segment
19
TCP Headers (bit positions):
0-3         | 4-7      | 8-15                                  | 16-31
Source port                                                    | Destination port
Sequence number
Acknowledgment number
Data offset | Reserved | CWR ECE URG ACK PSH RST SYN FIN       | Window Size
Checksum                                                       | Urgent pointer
Options (if Data Offset > 5)
Data Field (should contain HTTP Request based on our previous example)
- Source port (16 bits) – a number that identifies the Application layer program used to send the message.
- Destination port (16 bits) – a number that identifies the Application layer program the message is destined to.
- Sequence number (32 bits) – Tracks packets received. Helps reassemble packets. Hackers may guess the SN to hijack conversations. Has a dual role:
  If the SYN flag is set, then this is the initial sequence number. The sequence number of the actual first data byte (and the acknowledged number in the corresponding ACK) will then be this sequence number plus 1. If the SYN flag is clear, then this is the sequence number of the first data byte.
- Acknowledgment number (32 bits) – if the ACK flag is set then the value of this field is the next sequence number that the receiver is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end's initial sequence number itself, but no data.
- Data offset (4 bits) – specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words, thus giving a minimum size of 20 bytes and a maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.
TCP Segment (cont.)
20
Flags (8 bits) (aka Control bits) – contains 8 1-bit flags:
- CWR (1 bit) – Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set and had responded in the congestion control mechanism (added to header by RFC 3168).
- ECE (1 bit) – Explicit Congestion Notification-Echo indicates: if the SYN flag is set, that the TCP peer is ECN capable; if the SYN flag is clear, that a packet with the Congestion Experienced flag in the IP header set was received during normal transmission (added to header by RFC 3168).
- URG (1 bit) – indicates that the Urgent pointer field is significant
- ACK (1 bit) – indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
- PSH (1 bit) – Push function
- RST (1 bit) – Reset the connection
- SYN (1 bit) – Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag, and some are only valid for when it is set, and others when it is clear.
- FIN (1 bit) – No more data from sender
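The field layout above is easiest to understand by packing and unpacking a real segment. The following Python block is an added example (not code from the slides or their author): it builds and parses the 20-byte fixed TCP header, decodes the eight flag bits in the order the slide lists them, and produces the three handshake segments with the ISN + 1 acknowledgment arithmetic described under "Sequence number". The port numbers, sequence numbers and HTTP payload are constructed sample values.

```python
import struct

# Flag bit positions in the low byte of the offset/flags word (bit 0 = FIN ... bit 7 = CWR),
# the same eight flags the slide lists.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
TCP_FIXED_HEADER = struct.Struct("!HHIIHHHH")   # 20-byte fixed part, network byte order


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535,
                     checksum=0, urgent=0, options=b""):
    """Pack a TCP header (no payload). Data offset is the header length in 32-bit words,
    so it is 5 for the 20-byte minimum header and grows with the options."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(options) // 4
    if data_offset > 15:
        raise ValueError("TCP header cannot exceed 60 bytes (data offset 15)")
    flag_bits = 0
    for name in flags:
        flag_bits |= 1 << TCP_FLAG_NAMES.index(name)
    # 4-bit data offset, 4 reserved bits, 8 flag bits
    offset_and_flags = (data_offset << 12) | flag_bits
    return TCP_FIXED_HEADER.pack(src_port, dst_port, seq, ack,
                                 offset_and_flags, window, checksum, urgent) + options


def parse_tcp_header(segment):
    """Decode the fixed fields and flag names of a raw TCP segment; returns a dict."""
    if len(segment) < TCP_FIXED_HEADER.size:
        raise ValueError("truncated TCP header")
    (src_port, dst_port, seq, ack, offset_and_flags,
     window, checksum, urgent) = TCP_FIXED_HEADER.unpack(segment[:TCP_FIXED_HEADER.size])
    data_offset = offset_and_flags >> 12
    header_len = data_offset * 4
    if data_offset < 5 or header_len > len(segment):
        raise ValueError("invalid data offset %d" % data_offset)
    flag_bits = offset_and_flags & 0xFF
    flags = [name for bit, name in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << bit)]
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "data_offset": data_offset, "flags": flags, "window": window,
        "checksum": checksum, "urgent": urgent,
        "options": segment[TCP_FIXED_HEADER.size:header_len],
        "payload": segment[header_len:],
    }


def handshake_segments(client_isn, server_isn, client_port=40000, server_port=80):
    """The three handshake segments with the sequence/acknowledgment arithmetic the slide
    describes: a SYN consumes one sequence number, so each side acknowledges ISN + 1."""
    syn = build_tcp_header(client_port, server_port, client_isn, 0, ["SYN"])
    syn_ack = build_tcp_header(server_port, client_port, server_isn, client_isn + 1, ["SYN", "ACK"])
    ack = build_tcp_header(client_port, server_port, client_isn + 1, server_isn + 1, ["ACK"])
    return [syn, syn_ack, ack]


if __name__ == "__main__":
    # Constructed example: the handshake followed by the slide's HTTP request as payload
    for seg in handshake_segments(1000, 5000):
        print(parse_tcp_header(seg)["flags"])
    data_seg = build_tcp_header(40000, 80, 1001, 5001, ["ACK", "PSH"]) \
        + b"GET / HTTP/1.1\r\nHost: www.eiu.edu\r\n\r\n"
    print(parse_tcp_header(data_seg)["payload"][:14])
```

The parser rejects a data offset below 5 or one that points past the end of the segment; both are malformed headers that a sniffer or firewall should not try to interpret.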
IP Header
21
- Version – indicates the version of IP used. Should be 0100 for IPv4
- Internet Header Length (IHL) – tells the number of 32-bit words in the IP header.
- TOS – Indicates the quality of service for delivering the packet: normal delay, high reliability, normal cost, high cost, etc.
- Total Length – defines the entire packet size (header + data) in bytes. The minimum length is 20 bytes (20-byte header + 0 bytes data) and the maximum is 65,535. Subnetworks may impose restrictions on the size, in which case packets must be fragmented. Fragmentation is handled in either the host or the router.
IP Headers (bit positions):
0–3      | 4–7            | 8–15             | 16–18   | 19–31
Version  | Header length  | Type Of Service  | Total Length
Identification                               | Flags   | Fragment Offset
Time to Live  | Protocol                     | Header Checksum
Source Address
Destination Address
Options
Data
IP Header
22
- Identification – Primarily used for uniquely identifying fragments of an original IP packet.
- Flags – A three-bit field used to control or identify fragments. They are (in order, from high order to low order):
  Reserved, must be zero.
  Don't Fragment (DF): If the DF flag is set and fragmentation is required to route the packet, then the packet will be dropped.
  More Fragments (MF): When a packet is fragmented, all fragments have the MF flag set except the last fragment.
IP Header
23
- Fragment Offset – Specifies the offset of a particular fragment relative to the beginning of the original unfragmented IP packet. The first fragment has an offset of zero.
- TTL – Helps prevent packets from persisting (e.g. going in circles) on an internet. Time specified in seconds, but time intervals less than 1 second are rounded up to 1. Also counted in number of hops.
- Protocol – Defines the protocol used in the data portion of the IP packet. Common protocols and their codes are: 1: Internet Control Message Protocol (ICMP), 2: Internet Group Management Protocol (IGMP), 6: Transmission Control Protocol (TCP), 17: User Datagram Protocol (UDP), 89: Open Shortest Path First (OSPF), 132: Stream Control Transmission Protocol (SCTP).
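The three IP header slides above can be exercised with a small packer and parser. This Python block is an added example, not code from the slides: it packs a 20-byte IPv4 header, computes the RFC 791 header checksum, and decodes version, IHL, TOS, Total Length, Identification, the DF/MF flags, Fragment Offset (converted from 8-byte units to bytes), TTL and the protocol number using the code table on the slide. The addresses and identification values are constructed sample data from the documentation ranges.

```python
import socket
import struct

# Protocol numbers from the slide's list
IP_PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 89: "OSPF", 132: "SCTP"}
IPV4_FIXED_HEADER = struct.Struct("!BBHHHBBH4s4s")   # 20 bytes without options


def ip_checksum(header):
    """Header checksum: one's-complement of the one's-complement sum of all 16-bit words.
    Computed with the checksum field zeroed; run over a header that already carries a
    correct checksum, it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, total_length, protocol, ttl=64, ident=0,
                      df=False, mf=False, frag_offset=0, tos=0):
    """Pack a 20-byte IPv4 header (IHL = 5) with the checksum filled in.
    frag_offset is in 8-byte units, as the 13-bit field stores it."""
    ver_ihl = (4 << 4) | 5
    flags_and_offset = (int(df) << 14) | (int(mf) << 13) | (frag_offset & 0x1FFF)
    header = IPV4_FIXED_HEADER.pack(ver_ihl, tos, total_length, ident, flags_and_offset,
                                    ttl, protocol, 0,
                                    socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]


def parse_ipv4_header(packet):
    """Decode the IPv4 header fields of the slide and verify the header checksum."""
    if len(packet) < IPV4_FIXED_HEADER.size:
        raise ValueError("truncated IP header")
    (ver_ihl, tos, total_length, ident, flags_and_offset, ttl, protocol,
     checksum, src, dst) = IPV4_FIXED_HEADER.unpack(packet[:IPV4_FIXED_HEADER.size])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    header_len = ihl * 4
    if ihl < 5 or header_len > len(packet):
        raise ValueError("invalid IHL %d" % ihl)
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_length,
        "identification": ident,
        "df": bool(flags_and_offset & 0x4000), "mf": bool(flags_and_offset & 0x2000),
        "fragment_offset": (flags_and_offset & 0x1FFF) * 8,   # converted to bytes
        "ttl": ttl, "protocol": protocol,
        "protocol_name": IP_PROTOCOL_NAMES.get(protocol, "other"),
        "checksum_ok": ip_checksum(packet[:header_len]) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": packet[IPV4_FIXED_HEADER.size:header_len],
    }


if __name__ == "__main__":
    # Constructed example: a TCP packet of 40 bytes total (IP header + 20-byte TCP header)
    pkt = build_ipv4_header("192.0.2.10", "192.0.2.20", 40, 6, ident=0x1234, df=True)
    print(parse_ipv4_header(pkt))
```

Checking `checksum_ok` before trusting any other field is the usual first step in a packet filter: a header whose checksum does not verify has been corrupted or forged and should not drive fragment reassembly.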
Network & Computer Attacks – Part 1
ISC* Objectives
- Confidentiality: Making sure that corporate data and transactions with partners remain confidential
- Integrity: Making sure that software programs, local data, and data in transit are not altered or destroyed
- Availability: Making sure that computer and network resources or services remain available for users and not disrupted
- Accountability: Making sure that users are properly authenticated and their actions accounted for.
- Authenticity: Also called non-repudiation. Making sure that business partners cannot deny their actions
25
* Information Security Countermeasures
C – Confidentiality
I – Integrity
A – Availability
A – Accountability/Authenticity
Malicious Software attacks
Common types of malware: Viruses, Worms, Trojan horses
26
What is a virus?
A virus is a malware that …
- attaches itself to files on a single computer
- can replicate from file to file
- does not stand on its own; needs a host file – a vector – [unlike some other malware]
- does not spread across computers without human intervention (flash drive, email attachment, etc.)
27
Types of virus host / vector
- Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux)
- Volume Boot Records of floppy disks and hard disk partitions | The master boot record (MBR) of a hard disk
- General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms).
- Application-specific script files (such as Telix scripts)
- System-specific autorun script files (such as the Autorun.inf file needed by Windows to automatically run software stored on USB Memory Storage Devices).
- Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, Microsoft Access database files, and AmiPro documents)
Notes: ELF = Executable and Linkable Format | PDFs & images, like HTML, may link to malicious code | PDFs can also be infected with malicious code
Types of viruses
Based on host files
- Boot sector viruses: attach themselves to files in the boot sector of the HD
- File infector viruses: attach themselves to program files and user files
- Macro viruses: attach to files with macro programs embedded.
Based on mutation techniques
- Polymorphic viruses: mutate with every infection (using encryption techniques), making them hard to locate
- Metamorphic viruses: rewrite themselves completely each time they are to infect new executables*
28
* metamorphic engine is needed
Types of viruses (cont.)
Based on deception methods
- Core MS-DOS viruses: make sure that the "last modified" date of a host file stays the same when the file is infected by the virus.
- Cavity viruses:
  infect files without increasing their sizes or damaging the files
  overwrite unused areas of executable files
  Examples: CIH virus, Chernobyl virus; at 1 KB in size they infect Portable Executable files, which have many empty gaps (e.g. a File.exe of 300 KB on a 512 KB block)
- Antivirus PID killers: kill tasks associated with antivirus
- Stealth: hides itself by intercepting disk access requests by antivirus programs. The stealth virus returns an uninfected version of files to the anti-virus software, so that infected files seem "clean”.
29
[Diagram: the antivirus program’s disk request is intercepted by the stealth virus before it reaches the OS]
Protecting against viruses
Signature-based antivirus programs
- Compare the contents of a file to a database of virus signatures
- A signature is an algorithm or a hash (a number or string of characters derived from the virus code) that uniquely identifies a specific virus.
- Must update the signature database periodically or use the automatic update feature if available
30
[Diagram: a list of virus signatures (e.g. 67344883409999999999, DF56eeb&^fgkFT&&&88jjj, 01000010100000000000, …) compared against a list of files (Sales.xls, Forecast.doc, Staff.mdb, Ingredients.doc, Committees.xls, Minutes.accdb, …)]
Question: Name two kinds of situations where signature-based antivirus won’t be effective?
Protecting against viruses (cont.)
Heuristic-based antivirus that uses generic signatures
- Through mutation or refinements by attackers, viruses can grow into dozens of slightly different strains called variants
- Example: The Vundo trojan has evolved into two distinct family members, Trojan.Vundo and Trojan.Vundo.B
- A generic signature can be generated for a virus family.
- Heuristic analysis uses generic signatures to identify new malware or variants of known malware
31
Question: Is a generic signature more or less accurate than a specific virus’ signature?
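The two slides above (specific signatures, then generic family signatures) contrast exact matching with family matching. The Python block below is an added example, not code from the slides: it scans a constructed set of harmless byte strings named after the slide's file list. A hash signature catches only the exact sample, a one-byte variant evades it, and a generic byte pattern catches the variant but also fires on a benign document that merely quotes the pattern, which is the accuracy trade-off the question asks about. The "virus body", file contents, signature names and patterns are all made up for the example.

```python
import hashlib
import re

# Constructed, harmless byte strings standing in for the slide's file list; KNOWN_BAD is a
# made-up "virus body", not real malware.
KNOWN_BAD = b"MZ\x90\x00 demo-virus-body: copy self to *.exe; keep last-modified date"
FILES = {
    "Sales.xls": b"\xd0\xcf\x11\xe0 spreadsheet cells ...",
    "Forecast.doc": KNOWN_BAD,                                        # exact known sample
    "Staff.mdb": KNOWN_BAD.replace(b"virus-body", b"virus-b0dy"),     # one-byte variant
    "Minutes.accdb": b"\x00\x01\x00\x00 Standard ACE DB ...",
    "AV_notes.doc": b"Writeup: the string 'demo-virus-b0dy: copy self to *.exe' marks the family",
}

# Specific signature: a hash of the exact virus body (the "hash" kind of signature on the slide)
SPECIFIC_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Demo.Virus"}

# Generic signature: a byte pattern shared by the whole family, tolerating the mutation above
GENERIC_SIGNATURES = [
    (re.compile(rb"demo-virus-b[o0]dy: copy self to \*\.exe"), "Demo.Virus.gen"),
]


def scan_specific(data):
    """Exact match against the signature database; any change to the sample evades it."""
    return SPECIFIC_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_generic(data):
    """Family-level match; catches variants but can also fire on benign files
    that merely contain the pattern (a false positive)."""
    for pattern, name in GENERIC_SIGNATURES:
        if pattern.search(data):
            return name
    return None


def scan_files(files):
    """Return {filename: (specific_verdict, generic_verdict)} for every file."""
    return {name: (scan_specific(data), scan_generic(data)) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdicts in scan_files(FILES).items():
        print("%-14s specific=%s generic=%s" % (name, verdicts[0], verdicts[1]))
```

Running it shows Forecast.doc flagged by both methods, Staff.mdb (the variant) only by the generic signature, and AV_notes.doc flagged by the generic signature although it is clean: the generic signature is less precise but covers the family.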
Protecting against viruses (cont.)
Heuristic-based antivirus that uses virtual machines
- Allows the antivirus program to simulate what would happen if the suspicious file were to be executed
- Executes the questionable program or script within a specialized virtual machine
- It then analyzes the execution, monitoring for common viral activities: replication, file overwrites, attempts to hide the existence of the suspicious file.
- If one or more virus-like actions are detected, the suspicious file is flagged as a potential virus.
32
Question: Which of the following is likely to lead to false positive virus identifications: signature-based or heuristic-based antivirus?
33
Based on the descriptions, is the classification of the malware as virus correct?
Worms
- Do not attach to files | A worm stands on its own
- Self-replicating malware that can propagate across a network by themselves
- Use the host computer’s resources, and their own network application, to send copies of themselves to other computers
Types of harm:
- Consuming network bandwidth
- Consuming host computer resources (processing, RAM)
- Deleting files (e.g. ExploreZip worm)
- Encrypting files (which leads to a cryptoviral extortion attack)
- Installing backdoor/zombie programs under the control of the worm author (e.g. Sobig)
34
Protecting against worms
- Worms spread by exploiting OS vulnerabilities
- Make sure that unnecessary ports are not open
- Regular OS security updates are the best protection
- Other effective defense systems: Antivirus programs; local firewall software can block incoming worms
35
Trojan Programs
- Non-self-replicating malware
- That appear to be useful programs like a game, screen saver, free antivirus, etc.
- But are actually backdoors or rootkits that facilitate remote access or a “take over” by a remote hacker
Once a Trojan horse is installed on a target computer, it can be used to do the following:
- Keystroke logging
- Data theft (e.g. passwords, credit card information, etc.)
- Installing other malware
- Using the host computer as part of a botnet for spamming or Distributed DoS
- Deleting or modifying files
36
37
Trojan Programs (cont.)
You want to prevent Backdoor.Rtkit.B from communicating with the hacker’s computer. What action would you take at the firewall level?
Network & Computer Attacks – Part 2
38
Denial of Service (DoS)
- The attacker tries to overload the server by sending a stream of HTTP requests. The server needs to use its limited resources (processor, RAM) to respond to each request. When overloaded, the server slows down or even crashes.
[Diagram: the attacker’s home network (workstations connected through a hub and a router) sends a stream of HTTP requests over the Internet to a web server (Intel Pentium 4 540 (3 GHz), 512 MB SDRAM, 2 x 100 GB SATA HDD, 16x CD drive, Gateway 3-button mouse, Gateway 108 keyboard, SVGA graphics card) that also serves legitimate users]
All workstations use IP spoofing to send HTTP requests to the web server.
39
Attempt to make a computer’s resources unavailable to legitimate users
TCP opening and DoS
- Typically, the client initiates the connection
- The server can maintain multiple connections
- For each TCP connection request (SYN), the server…
  Responds to the request (SYN/ACK)
  Sets resources aside (processor capacity, RAM, bandwidth) in order to respond to each upcoming data request
[Diagram: Computers 1, 2 and 3 each exchange SYN, SYN/ACK, ACK with the server; the server keeps a “Waiting for request from Computer 1/2/3” entry for each open connection]
40
TCP Connection opening
- TCP connection opening is accomplished as follows:
  Client sends a TCP SYN to request a connection
  Server responds by sending back a TCP SYN/ACK
  Client responds by sending a TCP ACK
- Some forms of computer attacks exploit the 3-way handshake process
- Example: A client may send a TCP ACK without the two steps of the 3-way handshake being accomplished
[Diagram: attacker sends a bare ACK to the victim, skipping the first two steps of the 3-way handshake]
41
SYN Flood DoS
- Attacker sends a series of TCP SYN opening requests
- For each SYN, the target has to
  Send back a SYN/ACK segment, and
  set aside memory and other resources to respond
- When overwhelmed, the target slows down or even crashes
- SYN flood takes advantage of client/server workload asymmetry
[Diagram: attacker sends SYN SYN SYN SYN SYN to the victim]
42
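The three slides above (TCP opening and DoS, TCP connection opening, SYN flood) describe one mechanism: the server commits a half-open slot at the SYN and only releases it at the ACK. The Python block below is an added example, not code from the slides: it models a listening socket's backlog, shows the bare-ACK case from the connection-opening slide being answered with a reset, runs a constructed flood of spoofed SYNs until a legitimate client's SYN is dropped, and then applies the detection-side view, counting half-open (SYN without matching ACK) flows per destination over a window of events. The backlog size, addresses (documentation ranges) and event list are constructed sample data.

```python
from collections import Counter


class TcpListener:
    """Constructed model of a listening socket's backlog: each SYN is answered with a
    SYN/ACK and holds a half-open slot until the client's ACK arrives."""

    def __init__(self, backlog):
        self.backlog = backlog          # how many half-open connections the server will hold
        self.half_open = {}             # (client_ip, client_port) -> server ISN
        self.established = set()
        self.dropped_syns = 0
        self.next_isn = 1000

    def on_segment(self, client, flags):
        """Process one segment from `client`, an (ip, port) pair; returns the server's reaction."""
        if flags == ("SYN",):
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1  # backlog full: no SYN/ACK, the client gets no service
                return "DROP"
            self.half_open[client] = self.next_isn
            self.next_isn += 1
            return "SYN/ACK"
        if flags == ("ACK",):
            if client in self.half_open:
                del self.half_open[client]          # slot released, connection complete
                self.established.add(client)
                return "ESTABLISHED"
            return "RST"                            # bare ACK with no prior SYN (slide's example)
        return "IGNORED"


def simulate_syn_flood(backlog=4, attack_syns=10):
    """Spoofed SYNs that are never followed by an ACK exhaust the backlog, after which a
    legitimate client's SYN is dropped. Addresses are from the documentation ranges."""
    server = TcpListener(backlog)
    for i in range(attack_syns):
        server.on_segment(("203.0.113.%d" % (i + 1), 5000 + i), ("SYN",))
    legit = ("198.51.100.7", 40000)
    legit_result = server.on_segment(legit, ("SYN",))
    return {"half_open": len(server.half_open), "dropped": server.dropped_syns,
            "legit_result": legit_result}


def half_open_flows(events, threshold):
    """Detection side: over a window of (src_ip, dst_ip, flags) events, a flow is half-open
    if its SYN was never followed by an ACK from the same source. Spoofed sources vary,
    so the count is kept per destination; returns destinations above the threshold."""
    pending = set()
    for src_ip, dst_ip, flags in events:
        if flags == ("SYN",):
            pending.add((src_ip, dst_ip))
        elif flags == ("ACK",):
            pending.discard((src_ip, dst_ip))
    per_dst = Counter(dst for _src, dst in pending)
    return sorted(dst for dst, n in per_dst.items() if n > threshold)


if __name__ == "__main__":
    print(simulate_syn_flood())
    # Constructed event window: one normal handshake to 198.51.100.1, twenty lone SYNs to 198.51.100.2
    events = [("192.0.2.1", "198.51.100.1", ("SYN",)), ("192.0.2.1", "198.51.100.1", ("ACK",))]
    events += [("203.0.113.%d" % i, "198.51.100.2", ("SYN",)) for i in range(20)]
    print(half_open_flows(events, threshold=5))
```

The model shows the asymmetry the slide names: the attacker spends one small segment per slot, the server spends a backlog entry plus the resources behind it, and the only sign on the wire is a pile of handshakes that never complete.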
Web Server configuration
43
Bandwidth Throttling
- Method of ensuring that a bandwidth-intensive device, such as a server, will limit ("throttle") the quantity of data it transmits and/or accepts within a specified period of time
- For web servers, bandwidth throttling helps limit network congestion and server crashes
- For ISPs, bandwidth throttling can be used to limit users' speeds across certain applications (such as BitTorrent), or limit upload speeds.
- When the allowed bandwidth is reached, the server will block further connection attempts…
  By moving them into a queue, or
  By dropping them
44
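The two policies on the slide (queue or drop once the allowed bandwidth for a period is used up) can be compared side by side. The Python block below is an added example, not code from the slides or any web server: it models a per-period byte allowance, serves queued requests first when a new period opens, and switches between the queue policy and the drop policy through the queue limit. The period length, byte allowance and arrival pattern are constructed sample values.

```python
from collections import deque


class BandwidthThrottle:
    """Constructed model of the slide's two policies: a server allows bytes_per_period of
    data per period; once that is used up, further requests are queued (served first in
    the next period) while queue_limit has room, and dropped after that."""

    def __init__(self, bytes_per_period, period=1.0, queue_limit=0):
        self.bytes_per_period = bytes_per_period
        self.period = period
        self.queue_limit = queue_limit      # 0 means pure drop policy
        self.queue = deque()
        self.window_start = 0.0
        self.used = 0

    def _advance(self, now):
        # Open a new period for every full period elapsed; queued requests go first.
        while now - self.window_start >= self.period:
            self.window_start += self.period
            self.used = 0
            while self.queue and self.used + self.queue[0] <= self.bytes_per_period:
                self.used += self.queue.popleft()

    def request(self, now, size):
        """Decide SEND, QUEUED or DROPPED for a request of `size` bytes arriving at `now`."""
        self._advance(now)
        # Arrivals behind a non-empty queue must not overtake it
        if not self.queue and self.used + size <= self.bytes_per_period:
            self.used += size
            return "SEND"
        if len(self.queue) < self.queue_limit:
            self.queue.append(size)
            return "QUEUED"
        return "DROPPED"


def simulate(requests, bytes_per_period, queue_limit, period=1.0):
    """requests: list of (arrival_time, size_bytes) in arrival order; returns one decision each."""
    throttle = BandwidthThrottle(bytes_per_period, period, queue_limit)
    return [throttle.request(t, size) for t, size in requests]


if __name__ == "__main__":
    burst = [(0.0, 400)] * 5 + [(1.0, 400), (2.0, 100)]     # constructed arrival pattern
    print(simulate(burst, bytes_per_period=1000, queue_limit=2))   # queue policy
    print(simulate(burst, bytes_per_period=1000, queue_limit=0))   # drop policy
```

With the queue policy the third and fourth requests of the burst wait for the next period instead of being lost; with the drop policy they are refused immediately, which protects the server at the cost of the users behind them.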
Ping of Death attacks
- Take advantage of
  the fact that TCP/IP allows large packets to be fragmented
  some network applications’ & operating systems’ inability to handle packets larger than 65536 bytes
- Attacker sends IP packets that are larger than 65,536 bytes through IP fragmentation.
- Ping of death attacks are rare today as most operating systems have been fixed to prevent this type of attack from occurring.
- List of OS that were vulnerable: http://insecure.org/sploits/ping-o-death.html
Fix
- Add checks in the reassembly process of servers
- Add checks in firewalls to protect hosts with the bug not fixed
- Check that the sum of Total Length fields for fragmented IP is < 65536 bytes or less than the maximum allowed
[IP header fields involved: Total Length (16 bits), Flags, Fragment Offset (13 bits)]
45
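The fix listed above is a reassembly check on the fields named on the slide: Fragment Offset (in 8-byte units) times 8 plus the fragment's payload length tells where the rebuilt datagram ends, and that end must not pass the 16-bit Total Length limit. The Python block below is an added example, not code from the slides or any operating system: it constructs fragment descriptors for a datagram of a given payload size, computes the reassembled size, and accepts or rejects the set before any buffer is allocated. The fragment payload size (1480 bytes) and the two datagram sizes are constructed sample values.

```python
IP_HEADER_LEN = 20            # bytes, IHL = 5
MAX_IP_DATAGRAM = 65535       # 16-bit Total Length field


def make_fragment_set(payload_len, mtu_payload=1480):
    """Constructed fragments for a datagram whose payload is payload_len bytes, split into
    mtu_payload-byte pieces. Each fragment is (fragment_offset_units, total_length, more_fragments);
    the offset is stored in 8-byte units, as in the 13-bit field, so mtu_payload must be a multiple of 8."""
    if mtu_payload % 8:
        raise ValueError("fragment payloads must be multiples of 8 bytes")
    fragments = []
    offset = 0
    while offset < payload_len:
        chunk = min(mtu_payload, payload_len - offset)
        more = offset + chunk < payload_len       # MF set on all but the last fragment
        fragments.append((offset // 8, IP_HEADER_LEN + chunk, more))
        offset += chunk
    return fragments


def reassembled_size(fragments):
    """Size of the datagram the fragments would rebuild: header plus the furthest payload end
    (offset * 8 + payload length, the check the slide's fix describes)."""
    end = 0
    for offset_units, total_length, _more in fragments:
        payload = total_length - IP_HEADER_LEN
        end = max(end, offset_units * 8 + payload)
    return IP_HEADER_LEN + end


def check_reassembly(fragments, limit=MAX_IP_DATAGRAM):
    """Reassembly guard: accept only if the rebuilt datagram fits in limit bytes.
    Returns (accepted, size)."""
    size = reassembled_size(fragments)
    return size <= limit, size


if __name__ == "__main__":
    normal = make_fragment_set(65515)        # largest legal payload: 65535 minus the 20-byte header
    oversized = make_fragment_set(66000)     # constructed datagram larger than the field allows
    print(check_reassembly(normal))          # accepted
    print(check_reassembly(oversized))       # rejected before the reassembly buffer can overflow
```

A host or firewall applying this check can make the decision on the last fragment's offset and length alone, without waiting for the whole datagram to arrive.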
Distributed DoS (DDoS) Attack
- Attacker hacks into multiple clients and plants handler programs and Zombie programs on them
- Attacker sends attack commands to Handlers and Zombie programs, which execute the attacks
- First appeared in 2000 with the Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc.
[Diagram: Attacker sends Attack Command to a Handler, which passes Attack Commands on to computers with Zombie programs, which send DoS Messages to the Server]
46
Buffer Overflow Attack
- Occurs when ill-written programs allow data destined to a memory buffer to overwrite adjacent memory that contains instructions.
- If the data contains malware, the malware could run and create a DoS
- Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD
47
[Diagram: a program with a 6-cell Buffer (cells 1 to 6) next to its Instructions; the program runs, accepts input, and the input “A B C D E F LET JOHN IN WITHOUT PASSWORD” fills the buffer and spills into the Instructions area]
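The slide's picture (a six-cell buffer followed directly by the instruction area) can be reproduced as a small memory model. The Python block below is an added example, not code from the slides, and it is a simulation: Python does not let a program overwrite real machine instructions, so memory is a byte array whose first six bytes are the buffer and whose remaining bytes stand in for the adjacent instructions. The unchecked copy routine is the ill-written program from the slide; the bounded copy is the fix, a length check before any byte is written. The instruction text is a constructed stand-in.

```python
BUFFER_SIZE = 6                                          # the six buffer cells on the slide
INSTRUCTIONS = b"CHECK PASSWORD; GRANT ACCESS IF OK"     # constructed stand-in for the adjacent code
SLIDE_INPUT = b"ABCDEF LET JOHN IN WITHOUT PASSWORD"     # the slide's example input


def make_memory():
    """Buffer cells followed immediately by the instruction area, as one byte array."""
    return bytearray(BUFFER_SIZE) + bytearray(INSTRUCTIONS)


def unchecked_copy(memory, data):
    """The ill-written program: copies input byte by byte with no check against
    BUFFER_SIZE, so anything past the sixth cell lands in the instruction area
    (and an input longer than the whole region raises IndexError, the model's crash)."""
    for i, byte in enumerate(data):
        memory[i] = byte


def bounded_copy(memory, data):
    """The fix: reject input that does not fit the buffer before copying anything."""
    if len(data) > BUFFER_SIZE:
        raise ValueError("input of %d bytes exceeds the %d-byte buffer" % (len(data), BUFFER_SIZE))
    memory[:len(data)] = data


def run_program(copy_fn, data):
    """Accept input with copy_fn; return (accepted, buffer_contents, instruction_area)."""
    memory = make_memory()
    try:
        copy_fn(memory, data)
    except ValueError:
        return False, bytes(memory[:BUFFER_SIZE]), bytes(memory[BUFFER_SIZE:])
    return True, bytes(memory[:BUFFER_SIZE]), bytes(memory[BUFFER_SIZE:])


if __name__ == "__main__":
    print(run_program(unchecked_copy, SLIDE_INPUT))   # instructions overwritten by the input
    print(run_program(bounded_copy, SLIDE_INPUT))     # input rejected, instructions intact
```

With the unchecked copy, everything after ABCDEF replaces the instruction bytes, which is exactly the picture on the slide; with the bounded copy the oversized input is refused and the instruction area is untouched.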
Keyloggers
- Used to capture keystrokes on a computer
- Two kinds: Hardware, Software
- Software: behaves like Trojan programs
- Hardware: easy to install; goes between the keyboard and the CPU; e.g. KeyKatcher and KeyGhost
48
What You Should Know
- What happens in a TCP opening phase?
- Explain how a Ping of Death attack occurs.
- Explain the difference between DoS and DDoS.
- Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?
- What is a Buffer Overflow attack?
- What is a hardware keylogger?
- You also need to understand the 3-way handshake: SYN, SYN/ACK, ACK
49
Programming For Security Professionals
50
What You Should Know
- Answer the questions included in the Ch7ReviewQuestions.doc file posted to the Notes’ section of the course Web site.
51
Linux Operating System Vulnerabilities
52
What You Should Know
- Answer the questions included in the Ch9ReviewQuestions.doc file posted to the Notes’ section of the course Web site.
53