network security by: mark lachniet ([email protected])
TRANSCRIPT
Network Securityby: Mark Lachniet ([email protected])
Introductions
Mark Lachniet Director of Information Data Systems
at Holt Public Schools Novell MasterCNE Freeware Disc Golf <yay!>
Mark Lachniet Director of Information Data Systems
at Holt Public Schools Novell MasterCNE Freeware Disc Golf <yay!>
And the VictimA.K.A. “Fred”
“White Hats” and “Black Hats”
• The good guys versus the bad guys• Some developers of “hacking” programs
do so to educate others and point out flaws for the betterment of computer security
• A wide variety of “white hat” help, advisories, and lists are available
• Also an ever-growing group of “black hats” armed with easy-to-use scripts known as “script kiddies.”
Networks & Servers
• Requirement to do business
• Time and knowledge intensive to manage
• Many connected to the Internet
• Easy availability of hacking tools
=DANGER
Security Risks• Physical, Logical, and policy security• User habits - passwords, logging in & out• Software bugs, Viruses & Trojans• Network attacks• Disgruntled employees• Competitors• Bored K12 students :)
Focusing on the Net
• Focus on networks and the Internet• Most school districts are connected to the
Internet• The threat of a remote compromise • If a hacker can “own” your net, he can get
access to virtually all of your important data• Developments in security happen in
“Internet Time” (quick!)• Takes a lot of time to research and
implement good security
Running on Internet time• This presentation represents *my*
knowledge at this time (10/98)• I don’t really consider myself a security
expert, just a network Administrator• There is undoubtably a great deal I do
*not* know and should be telling you• The technology changes quickly - assume
that it already has• Nonetheless, hopefully this will help you
in your own IT work
Types of Risks• DoS - Denial of Service• Exploits - getting administrator access• Password cracking - brute force • Network mapping - host/port scans• Sniffers - intercept passwords on the net• Trojans and backdoors - getting back
into the system• Misc - networked printers, routers, etc.• And more...
Denial of Service• Through some mechanism, services on
the network or server are disabled• Often due to poor programming (for
example buffer overflows)• What is a buffer overflow?• DoS attacks exist for virtually every
computer type from UNIX to PC• Windows NT is vulnerable to some DoS
attacks, even with current service packs• TCP/IP stacks often vulnerable as well• Used for destructive purposes (why else?)
Exploits• Generally used to obtain administrator
privileges on a server
• Most often for UNIX operating systems, but sometimes for NT/Novell as well
• Usually distributed as source code or shell scripts (hence “script kiddies”)
• Usually involves a server program with administrator privileges that is misconfigured or has a bug in it
• Exploits are easy to obtain and run!
Network scanners• Useful for getting the “lay of the land”• Determining what computers are
connected to the net and the services they offer
• Often used in coordination with exploits to scan a LARGE number of IP addresses for hosts which are vulnerable
• This is happening right NOW! Take a look at your web server logs and you can bet you will see their handiwork
• Some scanners can even tell what kind of computer is in use.
About those “script kiddies”• Whereas once hacking was something
done by a technical elite, now programs of mass destruction are widely available
• People with little or no actual knowledge can use powerful tools to compromise security
• If you haven’t been scanned yet, it is just a matter of time
• You NEED to know if your security is good before they find out for you
• Used to snoop on network traffic• Can obtain usernames and passwords
from plaintext transmissions such as Telnet, FTP, and mail
• Can also be used for other malicious purposes
• Assume that all traffic on the Internet is being watched by *someone*
• Encryption is protection against this kind of attack
• Telnet vs. Secure Shell [demo]
Network Sniffers
• Some sniffers can “hijack” a connection between two other hosts and take over one of the ends of the conversation.
• Some sniffers can destroy a connection as well, rendering the connection useless
• Sniffers are often used in combination with other programs such as Trojans
• Sniffers are frequently used to obtain additional passwords from an already- compromised host
Network Sniffers, cont.
Brute force attacks• Most passwords are 1-way encrypted. When you
type in your password, it is encrypted and compared to the password the system has on file for you. If the encrypted result matches, you typed the word
• Brute force engines attempt to encrypt an entire dictionary, one word at a time, in hopes of getting the password
• Can be used to obtain administrator privileges on NT, Novell, and UNIX!
• Servers respond by disabling login or slowing down drastically after a certain number of failed logins, thereby making it very time consuming to attack them
Brute force on Windows NT• Windows NT is especially vulnerable to
brute force attacks such as NAT (NetBios Audit Tool)
• Under NT, the Administrator account cannot be disabled, so it is open to unlimited (and fast) brute force attacks
• Never let your NT admin password be in the dictionary!
• Can be hacked from anywhere on the Internet if your server is connected to the net
Screen-shot of a NT hack on my home server
• [*]--- Attempting to connect with name: PUTZY
• [*]--- CONNECTED with name: PUTZY
• [*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
• [*]--- Server time is Mon Oct 5 12:08:15 1998
• [*]--- Timezone is UTC-4.0
• [*]--- Remote server wants us to encrypt, telling it not to
•
• [*]--- Attempting to connect with name: PUTZY
• [*]--- CONNECTED with name: PUTZY
• [*]--- Attempting to establish session
• [*]--- Was not able to establish session with no password
• [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `10th'
• [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `1st'
• [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `2nd'
• [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `3rd'
And so on...
Microsoft sharing shares too much information - another screen from home
• [*]--- Checking host: 10.0.0.4• [*]--- Obtaining list of remote NetBIOS names• [*]--- Remote systems name tables:
• PUTZY• LACHNIET• LACHNIET• PUTZY• LACHNIET• PUTZY• ADMINISTRATOR• LACHNIET• INet~Services• LACHNIET• IS~PUTZY• ^A^B__MSBROWSE__^B
All of this information helps the hackers...
Admin’s name
NT server name
Workgroup name
Programs running on the server
NetWare is not immune
• NetWare can also be brute force attacked• NetWare 3.x is more vulnerable than 4.x+• Pandora - designed to crack a copy of
directory services• For NetWare 4.x+, generally requires
access to the console or administrator access to acquire a copy of directory services
Brute force and UNIX• Brute force attacks originated on UNIX
to crack the /etc/passwd file
• Requires a user account or stolen password file
• Shadow passwords or other more advanced authentication systems can reduce the risk of this type of attack in UNIX environments
• Once again, just don’t ever use a password that is in the dictionary, or a place, or your mom, or your dog, etc.
Miscellaneous Attacks
• Lots of other strange bugs exist in everything from server software to routers and printers
• For example, HP Jet Direct printers can be controlled and crashed remotely
• With physical access, certain routers (e.g. Cisco) can be taken over
• “Fake Mail” is a good example of the lack of security on the Internet [demo]
Trojans and back doors• Are used to obtain or keep access to a system• Are remotely accessible, often with a simple
password• Allow full control of the host computer• For UNIX, usually provides a root shell
through a booby-trapped server program• Under Windows 95, “Back Orifice” is all the
rage in Trojan technology• Once you have one, as you will see, nothing is
safe
State of the art software“Back Orifice”
• Written by the “Cult of the Dead Cow”• Is small and powerful (only 128k bytes!)• Is similar to a virus - some program containing the
program must be run on the computer in question• Generally distributed hidden inside of other
legitimate programs (such as FTP downloads or E-Mail attachments)
• Quietly installs itself and hides the evidence, running in the background at all times
• Makes use of additional features through “Butt plug-ins”
Back Orifice Butt Plug-ins• A Butt plug-in is installed along with the
trojan and provides additional capabilities
• Butt-Trumpet sends and Email stating the IP address of the compromised computer (making you vulnerable even if you have a dialup connection)
• Butt-Sniffer allows a remote user to monitor network traffice on *your* local area network
• The potential is limitless [demo]
Are you ever going to trust an attachment again?
• Since Email can be forged to appear to be coming from just about anyone, ALL email attachments are suspect!
• Make people in your organization aware of this risk - many people will click on anything that comes their way
L0pht Crack• Multi-purpose NT hacking utility
• Performs brute force attacks on NT passwords (from the registry, from Emergency Repair discs, and from sniffed network traffic
• Integral sniffer to snatch NT passwords off the network for hacking
• http://www.l0pht.com (web site)
Nessus• Is a client/server hacking program similar to
“Satan”
• Server runs on a UNIX host (usually someone else’s who has already been hacked)
• The hacker runs a client remotely and submits requests to the Nessus server
• The nessus server scans a range of hosts for known vulnerabilities and provides a detail report back to the client
• All the activity appears to come from the hacked server host, so the hacker goes free!
• The next big thing: coordinated server attacks!
Getting help!• Okay, so now you are worried!• Research your operating systems on the net• Subscribe to Bug-Traq and other listserves• The best way to know that you are secure is to
hack your own network! it would be in your best interests to get someone to audit your security. If you don’t, someone will!
• Always keep up to date with service packs and patches
• Register your product so you will be made aware of security issues by the manufacturer
• Allow time for technical personnel to research security and improve their skills