CIS 659 Introduction to Network Security Fall 2003 Class 7 9/30/03

Project 1
- Adhere to the submission guidelines
- Submit all and only the required files
  - .c, .h and Makefile for each folder: supercipher, togglecipher and losscipher
  - Don't submit project files from Visual Studio or exe files
  - Submit PS or PDF of your writeup
  - Submit the Makefile
- Make sure your project compiles on the EECIS Unix machines
- For losscipher address both bit loss and block loss

Makefile
- Tutorial: http://www.gnu.org/manual/make/html_chapter/make_toc.html
- File that holds the rules for your program's compilation
- Example: you have two .c files and three .h files: cipher.c, functions.c, functions.h, cipher.h, allincludes.h

    # target: prerequisites (the recipe runs when any of them is newer than the target)
    all: cipher.c functions.c functions.h cipher.h allincludes.h
    	gcc -o supercipher -I. functions.c cipher.c -lm

  - The recipe line below the target must begin with a tab character, not spaces
  - -o supercipher: output file name
  - -I.: directory searched for the .h files (-I takes a directory, not a header file name; with the headers next to the sources, -I. is enough)
  - -lm: links the math library; needed only if you use math.h
It Is Time To Open an Emulab Account
- Go to http://www.emulab.net
- Sign up with the existing project CIS662 (unfortunately I asked for a wrong name)
- Go to the Documentation link and read about how to use Emulab

Disclaimer
- Some techniques and tools mentioned in this class could be:
  - Dangerous
  - Illegal to use
  - Dangerous for others: they can crash machines and clog the network
  - Dangerous for you: by downloading the attack code you provide the attacker with info about your machine
- Don't use any such tools in real networks, especially not on the EECIS network
- You can only use them in a controlled environment
Intrusions
- Why do people break into computers?
- What type of people usually break into computers?
- I thought that this was a security course. Why are we learning about attacks?

Intrusion Scenario
1. Reconnaissance
2. Scanning
3. Gaining access at the OS, application or network level
4. Maintaining access
5. Covering tracks
Phase 1: Reconnaissance
- Get a lot of information about the intended target:
  - Learn how its network is organized
  - Learn any specifics about the OS and applications running

Low Tech Reconnaissance
- Social engineering
  - Defense: instruct the employees not to divulge sensitive information on the phone
- Physical break-in
  - Defense: insist on using badges for access, everyone must have a badge, lock sensitive equipment
  - How about wireless access?
- Dumpster diving
  - Defense: shred important documents
Web Reconnaissance
- Search the organization's web site
  - Make sure not to post anything sensitive
- Search for information in Usenet postings
  - Instruct your employees what info should not be posted
  - Find out what is posted about you
- Use Google to find all documents mentioning this company, to find out partner companies
  - Find out what is posted about you

Whois databases
- When an organization acquires a domain name it provides information to a registrar
- Looking at public registrar files one can find out:
  - Registered domain names
  - Domain name servers
  - Contact people: names, phone numbers, e-mail addresses
Whois databases
http://www.networksolutions.com

Domain Name: UDEL.EDU
Registrant:
    University of Delaware
    192 South Chapel Street
    Newark, DE 19716
    UNITED STATES
Contacts:
    Administrative Contact:
        Daniel J. Grim
        Executive Director
        University of Delaware
        192 South Chapel Street
        Newark, DE 19716
        UNITED STATES
        (302) 831-3700 (302) 831-1990
        udel-domain@udel.edu
    Technical Contact:
        Same as above
Name Servers:
    DNS1.UDEL.EDU 128.175.13.16
    DNS2.UDEL.EDU 128.175.13.17
    NOC2.DCCS.UPENN.EDU 128.91.254.1
    NOC3.DCCS.UPENN.EDU 128.91.254.4
Domain record activated: 24-Jul-1985
Domain record last updated: 22-Dec-2001

ARIN databases
- Find out the range of IP addresses assigned to a company
- This will be useful later for scanning
- http://www.arin.net/whois/arinwhois.html
ARIN databases
OrgName: University of Delaware
OrgID: UNIVER-19
Address: 192 South Chapel Street
City: Newark
StateProv: DE
PostalCode: 19716
Country: US
NetRange: 199.75.219.0 - 199.75.219.255
CIDR: 199.75.219.0/24
NetName: UDEL-219
NetHandle: NET-199-75-219-0-1
Parent: NET-199-75-0-0-1
NetType: Reassigned
Comment:
RegDate: 1996-10-18
Updated: 1996-10-18
TechHandle: RWR3-ARIN
TechName: Reisor, Ron W.
TechPhone: +1-302-831-6030
TechEmail:

Domain Name System
- What does DNS do?
- How does DNS work?
- Types of information an attacker can gather:
  - Range of addresses used
  - Address of a mail server
  - Address of a web server
  - OS information
  - Comments
Interrogating DNS: Zone Transfer (Dangerous)
$ nslookup
Default server: evil.attacker.com
Address: 10.11.12.13
> server 1.2.3.4
Default server: dns.victimsite.com
Address: 1.2.3.4
> set type=any
> ls -d victimsite.com
system1  1D IN A      1.2.2.1
         1D IN HINFO  "Solaris 2.6 Mailserver"
         1D IN MX     10 mail1
web      1D IN A      1.2.11.27
         1D IN HINFO  "NT4 www"

Protecting DNS
- Provide only necessary information: no OS info and no comments
- Restrict zone transfers: allow only a few necessary hosts
- Use split-DNS
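Added example, not from the lecture: a small Python audit of zone data of the kind a zone transfer hands out, using the nslookup listing above as constructed input. It parses the listing, reports the HINFO/TXT records the Protecting DNS slide says to strip, and lists the hosts an outsider would learn; the function and constant names are this example's own.

```python
# Zone listing in the nslookup format shown above (constructed copy).
ZONE_DUMP = """\
system1  1D IN A      1.2.2.1
         1D IN HINFO  "Solaris 2.6 Mailserver"
         1D IN MX     10 mail1
web      1D IN A      1.2.11.27
         1D IN HINFO  "NT4 www"
"""

# Record types that give away more than a name-to-address mapping:
# HINFO carries OS/hardware details, TXT carries free-form comments.
LEAKY_TYPES = {"HINFO", "TXT"}


def parse_zone(text):
    """Return (owner, ttl, rtype, rdata) tuples.

    A line beginning with whitespace has no owner of its own and inherits
    the owner of the previous record, as in nslookup/dig listings."""
    records, owner = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            rest = line.strip()
        else:
            owner, rest = line.split(None, 1)
        ttl, _cls, rtype, rdata = rest.split(None, 3)
        records.append((owner, ttl, rtype.upper(), rdata.strip()))
    return records


def find_leaks(records):
    """Records to delete before any host is allowed a zone transfer."""
    return [r for r in records if r[2] in LEAKY_TYPES]


def exposed_hosts(records):
    """Owner names with an A record: the host inventory a transfer reveals."""
    return sorted({r[0] for r in records if r[2] == "A"})


if __name__ == "__main__":
    recs = parse_zone(ZONE_DUMP)
    for owner, _ttl, rtype, rdata in find_leaks(recs):
        print(f"remove {rtype} on {owner}: {rdata}")
    print("hosts revealed:", exposed_hosts(recs))
```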
Split-DNS
- Show a different view to external and internal users
- [Figure: split-DNS layout. Labels: External DNS, Internal DNS, Web server, Mail server, DB, Internal Applications, Employees, External users]

Reconnaissance Tools
- Tools that integrate ping, whois, ARIN, DNS interrogation and many more services:
  - http://www.samspade.org/ssw
  - Web based portals (Dangerous):
    - http://nettool.false.net
    - http://www.samspade.org
    - http://members.tripod.com/mixtersecurity/evil.html
    - http://www.network-tools.com
Phase 2: Scanning
- Detecting information useful for a break-in:
  - Live machines
  - Network topology
  - Firewall configuration
  - Applications and OS types
  - Vulnerabilities

War Dialing
- Finding modem access
- Why modems?
  - Networks are protected by a firewall; modems punch holes in firewalls
  - Modem access may not even be password-protected
War Dialing
- Find out several phone numbers to feed into a war dialer
- It will try the ranges surrounding them
  - Randomly
  - With random pause intervals
- It will record every success, and move on if it encounters a busy tone or a human picks up
- It takes about an hour to check 100 numbers

War Dialing Tools
- THC-Scan (Dangerous)
  - Windows application
  - http://thc.inferno.tusculum.edu
  - Easy to use interface
  - Automatic but accepts user input
- TBA
  - PDA application
  - http://www.l0pht.com
After War Dialing
- Gain access by guessing passwords
- Gain information about the OS
- If the modem sends a string of characters identifying the server application, use the specific application client to access it

Defenses Against War Dialing
- Do not allow users to install modems
- Dial-out modems only
- Find your modems before the attackers do
Network Mapping
- Finding live hosts
  - Ping sweep
  - TCP SYN
- Map network topology
  - Traceroute
    - Sends out ICMP or UDP packets with increasing TTL
    - Gets back ICMP_Time_Exceeded messages from intermediate routers

Traceroute Example
traceroute to copland.udel.edu (128.175.13.92), 30 hops max, 38 byte packets
 1  dward (131.179.192.1)  0.278 ms  0.288 ms  0.288 ms
 2  131.179.187.3 (131.179.187.3)  0.412 ms  0.431 ms  0.413 ms
 3  Border.CS.UCLA.EDU (131.179.12.1)  0.794 ms  0.808 ms  0.795 ms
 4  compsci--mathsci.backbone.ucla.net (169.232.49.65)  0.642 ms  0.578 ms  0.566 ms
 5  mathsci--core.backbone.ucla.net (169.232.6.109)  0.815 ms  0.659 ms  0.640 ms
 6  core--border.backbone.ucla.net (169.232.6.138)  0.719 ms  0.734 ms  0.867 ms
 7  tus-dc1--ucla-egm.cenic.net (137.164.24.133)  1.693 ms  2.036 ms  1.571 ms
 8  dc-lax-dc2--tus-dc1-pos.cenic.net (137.164.22.42)  2.010 ms  1.803 ms  2.138 ms
 9  hpr-lax-hpr--dc-lax-dc2-ge--2.cenic.net (137.164.22.21)  1.874 ms  2.727 ms  2.383 ms
10  abilene-LA--hpr-lax-gsr1-10ge.cenic.net (137.164.25.3)  16.122 ms  1.835 ms  10.820 ms
11  hstnng-losang.abilene.ucaid.edu (198.32.8.22)  33.603 ms  33.774 ms  34.025 ms
12  atlang-hstnng.abilene.ucaid.edu (198.32.8.34)  46.541 ms  46.815 ms  46.587 ms
13  washng-atla.abilene.ucaid.edu (198.32.8.66)  73.733 ms  73.866 ms  73.957 ms
14  chp-br4-p-0-0-0.nss.udel.edu (128.175.137.9)  77.276 ms  77.861 ms  77.319 ms
15  chp-rt2-v-9.nss.udel.edu (128.175.111.198)  78.076 ms  77.472 ms  77.515 ms
16  copland.udel.edu (128.175.13.92)  77.266 ms  77.502 ms  77.281 ms
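Added example, not from the lecture: a Python parser for traceroute output, fed a few hops of the listing above plus one constructed silent hop, that lists which answering routers fall inside a given prefix: the piece of internal topology a mapper learns, and what the "filter outgoing ICMP" defense on the next slide hides. It assumes 128.175.0.0/16 is the target's address block, which the page's ARIN example does not state.

```python
import ipaddress
import re

# Hops copied from the traceroute above, plus one constructed line (hop 12)
# showing what a router that drops outgoing ICMP Time Exceeded looks like.
TRACE = """\
traceroute to copland.udel.edu (128.175.13.92), 30 hops max, 38 byte packets
 1  dward (131.179.192.1)  0.278 ms  0.288 ms  0.288 ms
 3  Border.CS.UCLA.EDU (131.179.12.1)  0.794 ms  0.808 ms  0.795 ms
12  * * *
13  washng-atla.abilene.ucaid.edu (198.32.8.66)  73.733 ms  73.866 ms  73.957 ms
14  chp-br4-p-0-0-0.nss.udel.edu (128.175.137.9)  77.276 ms  77.861 ms  77.319 ms
15  chp-rt2-v-9.nss.udel.edu (128.175.111.198)  78.076 ms  77.472 ms  77.515 ms
16  copland.udel.edu (128.175.13.92)  77.266 ms  77.502 ms  77.281 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+(?:\.\d+){3})\)((?:\s+[\d.]+\s+ms)+)")
SILENT_RE = re.compile(r"^\s*(\d+)\s+(?:\*\s*)+$")


def parse_traceroute(text):
    """One dict per hop: number, name, ip (None if the router stayed silent), rtts_ms."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            rtts = [float(x) for x in re.findall(r"([\d.]+)\s+ms", m.group(4))]
            hops.append({"hop": int(m.group(1)), "name": m.group(2),
                         "ip": m.group(3), "rtts_ms": rtts})
            continue
        m = SILENT_RE.match(line)
        if m:
            hops.append({"hop": int(m.group(1)), "name": None,
                         "ip": None, "rtts_ms": []})
    return hops


def exposed_routers(hops, prefix):
    """Names of answering hops inside `prefix`: the part of your own topology
    a traceroute reveals, and what filtering outgoing ICMP would hide."""
    net = ipaddress.ip_network(prefix)
    return [h["name"] for h in hops
            if h["ip"] is not None and ipaddress.ip_address(h["ip"]) in net]


if __name__ == "__main__":
    hops = parse_traceroute(TRACE)
    print("silent hops:", [h["hop"] for h in hops if h["ip"] is None])
    # 128.175.0.0/16 is assumed here to be the target's address block.
    print("routers revealed:", exposed_routers(hops, "128.175.0.0/16"))
```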
Network Mapping Tools
- Cheops (Dangerous)
  - Linux application
  - http://www.marko.net/cheops
  - Automatically performs a ping sweep and network mapping and displays the results in a GUI

Defenses Against Network Mapping
- Filter out outgoing ICMP traffic
  - Maybe allow it for your ISP only
- Use NAT
  [Figure: NAT. Internal hosts with 192.168.0.0/16 addresses send a Request through the NAT box (Address 1.2.3.4) to the outside host (Address 8.9.10.11); the Reply is addressed to 1.2.3.4 and the NAT box passes it to the internal host, so the outside only ever sees 1.2.3.4]
Port Scanning
- Finding applications that listen on ports
- Send various packets:
  - Establish and tear down a TCP connection
  - Half-open and tear down a TCP connection
  - Send invalid TCP packets: FIN, Null, Xmas scan
  - Send TCP ACK packets: find firewall holes
  - Obscure the source: FTP bounce scans
  - UDP scans
  - Find RPC applications

Port Scanning (Dangerous)
- Set the source port and address
  - To allow packets to pass through the firewall
  - To hide your source address
- Use TCP fingerprinting to find out the OS type
  - The TCP standard does not specify how to handle invalid packets
  - Implementations differ wildly
Port Scanning Tools
- Nmap (Dangerous)
  - Unix and Windows NT application and GUI
  - http://www.insecure.org/Nmap
  - Various scan types
  - Adjustable timing

Defenses Against Port Scanning
- Close all unused ports
- Remove all unnecessary services
- Filter out all unnecessary traffic
- Find openings before the attackers do
- Use smart filtering
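Added example, not from the lecture or from any tool it names: detection logic in Python run over constructed firewall log lines, flagging the FIN, Null and Xmas probes listed on the Port Scanning slides and a SYN sweep over many ports from one source, which is what "find openings before the attackers do" looks like in your own logs. The log format, flag letters and thresholds are this example's assumptions.

```python
from collections import defaultdict
# Constructed firewall log: time src dst dport flags
# (S=SYN A=ACK F=FIN P=PSH U=URG, "-" = no flags set).
LOG = """\
10:00:01 10.9.8.7 1.2.3.4 22 S
10:00:01 10.9.8.7 1.2.3.4 23 S
10:00:02 10.9.8.7 1.2.3.4 25 S
10:00:02 10.9.8.7 1.2.3.4 80 S
10:00:03 10.9.8.7 1.2.3.4 110 S
10:00:10 10.9.8.9 1.2.3.4 80 FPU
10:00:11 10.9.8.9 1.2.3.4 443 -
10:00:11 10.9.8.9 1.2.3.4 8080 F
10:00:20 10.1.1.5 1.2.3.4 80 S
10:00:21 10.1.1.5 1.2.3.4 80 A
"""

# Flag sets that no legal exchange produces (a real segment carries SYN, ACK or RST).
INVALID = {frozenset(): "null", frozenset("F"): "fin", frozenset("FPU"): "xmas"}

def classify_flags(flags):
    """Name the invalid combinations the lecture lists (Null, FIN, Xmas);
    None for a segment that could belong to an ordinary connection."""
    return INVALID.get(frozenset(set(flags) - {"-"}))

def parse_log(text):
    rows = []
    for line in text.splitlines():
        t, src, dst, dport, flags = line.split()
        h, m, s = (int(x) for x in t.split(":"))
        rows.append({"t": h * 3600 + m * 60 + s, "src": src, "dst": dst,
                     "dport": int(dport), "flags": flags})
    return rows

def detect_scans(rows, window=5, threshold=5):
    """Map source -> sorted reasons: any invalid-flag probe, or >= threshold
    distinct destination ports within `window` seconds (rows in time order)."""
    alerts, per_src = defaultdict(set), defaultdict(list)
    for r in rows:
        kind = classify_flags(r["flags"])
        if kind:
            alerts[r["src"]].add(f"{kind} scan probe on port {r['dport']}")
        per_src[r["src"]].append(r)
    for src, hits in per_src.items():
        for i, first in enumerate(hits):
            ports = {h["dport"] for h in hits[i:] if h["t"] - first["t"] <= window}
            if len(ports) >= threshold:
                alerts[src].add(f"{len(ports)} distinct ports within {window}s")
                break
    return {src: sorted(v) for src, v in alerts.items()}
```

The normal client 10.1.1.5 (SYN then ACK on one port) produces no alert, which is the check to keep in mind when tuning the window and threshold for a real log.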
Firewalk: Determining Firewall Rules
- Find out the firewall rules for new connections
- We don't care about the target machine, just about the packet types that can get through the firewall
- Find out the distance to the firewall using traceroute
- Ping an arbitrary destination, setting TTL = distance + 1
- If you receive an ICMP_Time_Exceeded message, the packet went through the firewall

Defenses Against Firewalking
- Filter out outgoing ICMP traffic
- Use firewall proxies
Vulnerability Scanning
- The attacker knows the OS and applications installed on the live hosts
- He can now find, for each combination:
  - Vulnerability exploits
  - Common configuration errors
  - Default configurations
- A vulnerability scanning tool uses a database of known vulnerabilities to formulate packets and send them to hosts
- Vulnerability scanning is also used by sysadmins

Vulnerability Scanning Tools (Dangerous)
- SARA: http://www-arc.com/sara
- SAINT: http://www.wwdsi.com/saint
- VLAD: http://razor.bindview.com/tools
- Nessus: http://www.nessus.org
Defenses Against Vulnerability Scanning
- Close your ports and keep systems patched
- Find your vulnerabilities before the attackers do

Phase 3: Gaining Access
- Exploit vulnerabilities
- Exploits for a specific vulnerability can be downloaded from hacker sites
- Skilled hackers write new exploits
Stack-based Overflow Attacks
- The stack stores important data on a procedure call
  [Figure: stack frame, top of stack (TOS) first, memory address increasing toward the arguments: local variables for the called procedure; saved frame pointer; return address; function call arguments]

Stack-based Overflow Attacks
- Consider a function (strcpy has no length check, so an argument longer than 9 characters plus the terminator overwrites what sits above buffer on the stack)

    #include <string.h>

    void sample_function(char* s)
    {
        char buffer[10];      /* 10 bytes of stack space */
        strcpy(buffer, s);    /* copies up to the NUL in s, however long s is */
        return;
    }

- And a main program

    void main()
    {
        int i;
        char buffer[200];
        for(i=0; i

- The argument is larger than we expected