ADVERSARYIEEE_ROC2

Course: SEPT 12, Fall 2009
School: Syracuse
Adversarial Threats to Your Information System

Dr. Leonard Popyack
Syracuse University 2002
Popyack@rl.af.mil

A malicious hacker or adversary has many items working in his favor. What are some of the threats he poses to you and your information systems? You may be surprised at how many of these threats are controllable by your INFOSEC team. This seminar takes the perspective of an adversary and shows some immediate and long-term remedies for each threat. In some cases there is no easy solution, but it is important for you to recognize these threats. We will explore all phases of an attack and show how wireless LANs play a part in these attacks.

Stages of an Attack
- Target selection
- Reconnaissance
- Penetration
- Internal operations, keeping the connection

Overview
- Reconnaissance
- Scanning
  - War dialers & war driving
  - Port scanning and mapping
  - Firewall filters and Firewalk
  - Vulnerability scanners

Overview
- Exploit the system
  - Gaining access
  - Denial of Service (DoS) tools
  - Application-level attacks
- Keeping access
  - BO2K
  - Rootkits
  - Knark
  - Covert channels & backdoors

Purpose
- The purpose of this lecture is to understand certain attack methods ...
- ... so we can implement effective defense strategies
- We must protect our systems
- How can we create effective defenses?
- That's the real reason we're here

Why look at these tools & techniques?
- Because they are in widespread use right now
- They provide us fundamental information about the principles the attackers are employing
- They illustrate what we need to do to defend ourselves
- Some of them are pretty Kewl!
- Some are VERY NASTY!

Note!
- Individual tools may run on UNIX or Windows...
- We will cover attack concepts that can be applied against Windows NT, UNIX, or other platforms (Novell, VAX, MVS, etc.)
- I've included links to tools. Use at your own risk!
  - They could harm your network in unexpected ways
  - Review the source code... Is this legit?
  - Experiment on a test network, separated from production and office or campus systems. This is not hard to do!
- Also, DON'T USE YOUR WORK OR BUSINESS ACCOUNT TO DOWNLOAD THE TOOLS OR SURF THE HACKER SITES! Why?

General Trends of Exploits
What are we seeing in the wild?
- Hacker tools are getting easier to use and more easily distributed
- The rise of hacker groups as distribution houses for software
  - The L0pht and Cult of the Dead Cow
- High-quality, extremely functional hacker tools
  - Better quality than from some major software houses

General Trends
- Excellent communication through the computer underground: chat, web, informal grouping, and hacker computer and network conferences
- With the rise of these hacker groups, a lot more information about security is available to the general public.
- The less-informed attackers (often called "script kiddies" or "ankle biters") will use this information in attacks.
- We must use this information to defend ourselves.
- I've included several references at the end to help you stay informed.

General Trends
- There used to be many different types of systems out there ("the computer room")
- Now, we have a smaller number of system types (Windows, Linux, MacOS, SunOS, FreeBSD, Palm, etc.)
- They are distributed everywhere!
- Less experienced users and administrators
- One virus or attack can jeopardize a vast number of systems (Morris worm, Melissa virus, I LOVE YOU, Nimda)
- Home laboratories are easy and inexpensive to set up for the hacker!
- NEVER UNDERESTIMATE YOUR ADVERSARY!!!

Your Adversary's Advantages
- He can use multiple sources for his attack
- His attack can be timed to be inconvenient for you (Friday before a 3-day holiday, Christmas Eve, during your company picnic, ...)
- He has the ability to corral greater media attention
- Increased sense of 'hero' complex when a hacker brings down a large company.

Two Attack Forms
- Zero-knowledge attack
  - No knowledge from the inside of your organization is known before the attempt is made to target your company (your assets, intellectual property, finances, or other)
- Knowledgeable, perhaps by use of an insider, or from an insider
  - An insider, either implanted or home grown, has decided to gather information to be used for targeting your organization.

Reconnaissance
- An attacker will gather as much information as he can about you, your company, your people, your computers, your network, and your physical security.
- Your network: you may not know it, but there is already much information about you out there.
- An adversary will use all data mining possible.

Reconnaissance: Open Information
- American Registry for Internet Numbers: who owns a particular IP address (Whois) (http://www.arin.net/whois/arinwhois.html)
- DNS interrogation (use nslookup)
- Target's own web site (crawl it; a lot of info can be gathered by crawling: names, e-mail addresses, phone numbers, branches of the organization, trusted relationships)
  - Programs: Websnake, Webzip, curl
- Search engines, web searches: can show trusted relations (for example, you may show up on a customer list, your web designer may use you as a reference)
- Usenet news postings (Deja.com)
- GOOGLE
- Flipping: related pages which link. Use altavista and search for link:www.target.com (Hotbot: linkdomain:www.target.com)
  - Example: on altavista, link:cisco.com AND title:resume if you are looking for resumes of cisco engineers.
- X-Raying: finding areas in a company web page not normally accessible. How? In Altavista, host: or url: followed by keywords or names.
  - Example: host:lucent.com and "business development"
- Peeling: many times there is more information embedded within really long URLs. Peel off some of the junk and look for web addresses or secondary addresses, and unique areas.
  - Example: http://www.lucent.com/web1.lucent.com/resumes/kramerz.html
  - Example: http://anon.free.anonymizer.com/http://www.snowmaps.com
- Anchor searches: anchor labels may be informative in searching for targets.
  - Example: you can search the anchors by using a search engine and using anchor: "view resumes"
- Harvesting: pick out and use keywords in related documents, then use meta search engines (like alltheweb.com, mamma.com, dogpile.com)
- Peer searches: once you find specific information or specific people, conduct peer searches using the meta search engines.
  - Example: Jon Doe, bank manager, doej@bank.com. Use dogpile and look for all other references to doej@bank.com. Might turn up that doej is into drag racing, and a common dialog could be established.
- Open a phony e-mail account. Send e-mail to insiders. (The return e-mail headers can tell you loads of info about the inside systems!)
- DATA-MINING!!!! Company, people, trusted relationships, mailing lists
- Capability to connect to company DNS server (pull down all registered domains at a site!)

Scanning: "finding weak points"

Scanning: WAR Dialing
- Named for the dialer in the movie "Wargames"
- An attacker is trying to find a backdoor into your network: a modem which is used for remote access.
- This might be the easiest point of penetration!
- The telephone numbers gathered in the recon phase are a good starting point!
- Phreaking is looking for voice back doors, whereas hacking is looking for network access backdoors.

WAR Dialers
- War dialers dial a sequence of telephone numbers attempting to locate modem carriers or a secondary dial tone
- "Demon dialers" is another name
- Phone numbers come from: phone book, InterNIC data, web crawl, mailing lists, newsgroups, social engineering
  - "I am from the phone company and I need to verify what numbers you folks are using for data lines..."

WAR Dialer Software
- The Hackers Choice 2.0
- ADIAL (Auto Dial) by VeXaTiOn, 1995
- Deluxe FoneCode Hacker by The Sorceress KHAIAH, 1985
- Dialing Demon version 1.05 by Tracy McKibben, 1988
- Doo Tools version 1.10, by Phantom Photon, 1991
- PBX Scanner Version 5.0, by Great White, 1989
- SuperDialer 1.03 by Evan Anderson, 1990
- ToneLoc 1.10 by Minor Threat & Mucho Maas, 1994
- XDialerR by ICiKl, 1996
- ZHacker 3.21, by BlackBeard, 1991

The Hackers Choice 2.0
- THC-Scan 2.0, The Hacker's Choice (THC)
- Written by Van Hauser; released 12/98
- Essentially an update to the very venerable ToneLoc (by Mucho Maas and Minor Threat, 1994)
- Available at http://thc.infemo.tusculum.edu
- THC-Scan is one of the most full-featured, non-commercial war dialing tools available today.
- A convenient statistic is the number of lines dialed per hour. With a single machine and a single modem, we typically do 100 to 125 lines per hour. This is a useful metric in determining how long it will take to dial large numbers of lines.

Ok, I found the numbers...
- You found a number of modems. What do you do now??
- Review the war dialer logs and look for familiar login prompts or even warning banners
- Connect to each discovered modem
- Oftentimes, you will find a system without a password
  - PCAnywhere for a clueless user: you're in, baby!
  - Old, neglected machine still on the network
  - A router!!!!!
- If there is a userID/password prompt, guess
  - Make it an educated guess, based on the system
  - What are default accounts/passwords?
  - What are common things associated with the target?

Try these usernames/passwords!
- Root, sync, bin, nobody, operator, manager, Admin, Administrator, System
- Days of the week
- COMPANY NAME
- COMPANY PRODUCT
- Custom dictionaries built from company keywords and acronyms

WAR Dialer Defense
- An effective dial-up line and modem policy is crucial
- Inventory all dial-up lines with a business need
- Activate scanning detection functionality in your PBX, if available
- Telewalls: a firewall for phones
- Conduct war dialing exercises against your own network and reconcile your findings to the inventory
  - Utilize a commercial war dialer: Sandstorm's Phonesweep or ISS's Telephony Scanner
  - ToneLoc or THC-Scan (free)
- Conduct periodic desk-to-desk checks in the evenings
  - Use two people for this (buddy system)

WAR Driving
- IEEE 802.11b wireless networks

Scanning: Port Scanning

TCP/IP Handshake
- The TCP/IP 3-way handshake establishes a connection to a port
- All legitimate Transmission Control Protocol (TCP) connections (e.g., HTTP, telnet, ftp, etc.) are established through a three-way handshake.
- 65,535 TCP ports, 65,535 UDP ports (no 3-way with UDP)

Three Way Handshake
[Figure: client and server exchanging SYN, SYN | ACK, ACK]
1: Client sends SYN seq=x
2: Server sends SYN seq=y, ACK x+1
3: Client sends ACK y+1

The handshake allows for the establishment of sequence numbers (x or y are ISN = Initial Sequence Number) between the two systems. These sequence numbers are used so that TCP can provide for reliable packet delivery in sequential order. Sequence numbers are used for sequencing and retransmissions.

Port Scanners
- Scan all 65,535 (times 2) ports
  - Find tcp 80, web server
  - Find tcp 23, telnet server
  - Find udp 53, DNS server
  - Find tcp 6000, X Window server
  - etc.
- Nmap is a very useful tool with advanced scanning capabilities
  - Available at: http://www.insecure.org/nmap

By scanning each port, we can determine what is listening on the box, and find ways to get in. Tools like Nmap allow us to inventory open ports in a variety of ways. Numerous other port scanners are available, including: strobe, Probe, etcp. Nmap is the most fully featured of all of these tools. The ISS and CyberCop commercial scanners also include port scanning capabilities.

Open Port Information
- With a list of open ports, the attacker can get an idea of which services are in use by consulting RFC 1700 (http://www.iana.org).
- Also, particular exploits for these services can be found at http://www.technotronic.com.
- The attacker can devise his/her own exploits!

An NMAP Scan
Allows for conducting numerous types of scans:
- "Vanilla" TCP scans: connect to every port, with 3-way handshake
- SYN scan using IP fragments: bypass some packet filters... Yes!
- SYN scans (aka "half-open" scans): only do initial SYN; harder to detect and much quicker
- FIN scans: stealthy and bypass some filters
- UDP scanning
- FTP proxy "bounce attack" scanning
- RPC scanning
- TCP sequence prediction test
- ACK scanning
- Xmas tree
- NULL scan

NMAP Scan: FTP Proxy Bounce
FTP proxy "bounce attacks" utilize an ancient feature of FTP servers. These servers allow a user to tell the server to send the file to another system. Using this capability, an attacker can bounce an NMAP port scan off of someone's FTP server, to help obscure the source of the attack. You should make sure that you disable the FTP bounce capability on your public FTP servers.
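
An added example (not part of the lecture) of how an IDS sensor can recognize the scan types listed above from the TCP flags of inbound segments. The addresses, thresholds and function names are assumptions, and the packet records are constructed.

```python
"""Added example: label inbound TCP probes by flag combination and flag scanners.
All records are constructed; thresholds and names are assumptions."""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Flag combinations that normal connection traffic does not produce.
STEALTH = {"null", "fin", "xmas", "syn-fin"}


def classify_probe(flags):
    """Label one inbound TCP segment by its flag combination."""
    flags &= 0x3F                      # keep the six classic flag bits
    if flags == 0:
        return "null"                  # NULL scan: no flags at all
    if flags & SYN and flags & FIN:
        return "syn-fin"               # contradictory: open and close at once
    if flags == FIN:
        return "fin"                   # a legitimate FIN also carries ACK
    if flags == FIN | PSH | URG:
        return "xmas"                  # Xmas tree scan
    if flags == SYN:
        return "syn"
    if flags == RST:
        return "rst"
    if flags == ACK:
        return "ack"
    return "other"


def max_targets_in_window(events, window):
    """Largest number of distinct (dst, port) targets hit within `window` seconds."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        seen = {target for ts, target in events[i:] if ts - start <= window}
        best = max(best, len(seen))
    return best


def detect_scans(packets, port_threshold=5, window=60.0):
    """packets: (ts, src, dst, dst_port, flags) tuples seen inbound at the sensor.
    Returns {src: sorted list of findings}; sources with no finding are omitted."""
    syn_events = defaultdict(list)     # src -> [(ts, (dst, port))]
    acked = defaultdict(set)           # src -> targets where the handshake completed
    reset = defaultdict(set)           # src -> targets answered with a bare RST
    findings = defaultdict(set)
    for ts, src, dst, dport, flags in sorted(packets):
        kind, target = classify_probe(flags), (dst, dport)
        if kind in STEALTH:
            findings[src].add(kind + "-probe")
        elif kind == "syn":
            syn_events[src].append((ts, target))
        elif kind == "ack":
            acked[src].add(target)
        elif kind == "rst":
            reset[src].add(target)
    for src, events in syn_events.items():
        if max_targets_in_window(events, window) < port_threshold:
            continue
        probed = {target for _, target in events}
        if (reset[src] & probed) - acked[src]:
            # SYN, then RST instead of the final ACK: the half-open pattern
            findings[src].add("half-open-syn-scan")
        elif acked[src] & probed:
            findings[src].add("tcp-connect-scan")
        else:
            findings[src].add("syn-sweep")
    return {src: sorted(found) for src, found in findings.items()}


def build_sample():
    """Constructed records using documentation address ranges."""
    victim, pkts = "192.0.2.10", []
    # Half-open scan: six SYNs, bare RST to the two ports that answered.
    for i, port in enumerate((21, 22, 23, 25, 80, 110)):
        pkts.append((100.0 + i / 10, "203.0.113.7", victim, port, SYN))
    pkts += [(100.15, "203.0.113.7", victim, 22, RST),
             (100.45, "203.0.113.7", victim, 80, RST)]
    # connect() scan: the handshake is completed on open ports, then torn down.
    for i, port in enumerate((21, 22, 23, 25, 80)):
        pkts.append((200.0 + i / 10, "203.0.113.11", victim, port, SYN))
    pkts += [(200.15, "203.0.113.11", victim, 22, ACK),
             (200.16, "203.0.113.11", victim, 22, RST | ACK),
             (200.45, "203.0.113.11", victim, 80, ACK)]
    # Xmas, NULL and FIN probes.
    pkts += [(300.0, "203.0.113.9", victim, 139, FIN | PSH | URG),
             (300.1, "203.0.113.9", victim, 23, 0),
             (300.2, "203.0.113.9", victim, 80, FIN)]
    # An ordinary web client.
    pkts += [(400.0, "198.51.100.20", victim, 80, SYN),
             (400.1, "198.51.100.20", victim, 80, ACK),
             (400.2, "198.51.100.20", victim, 80, PSH | ACK),
             (400.3, "198.51.100.20", victim, 80, FIN | ACK)]
    return pkts


SAMPLE = build_sample()

if __name__ == "__main__":
    for src, found in sorted(detect_scans(SAMPLE).items()):
        print(src, found)
```

A scan run with a slow timing policy spreads its probes beyond a 60-second window, so a production sensor also keeps a longer-horizon count per source.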

NMAP TCP Stack Fingerprinting
- Attempts to determine the operating system of the target by sending various packet types and measuring the response
- This concept originated with a tool called QueSO, available at: http://www.apostols.org/projectz/queso

Nmap does various types of tests to determine the platform:
- TCP sequence prediction
- SYN packet to open port
- NULL packet to open port
- SYN|FIN|URG|PSH packet to open port
- ACK packet to open port
- SYN packet to closed port
- ACK packet to closed port
- FIN|PSH|URG packet to closed port
- UDP packet to closed port

Note that each TCP stack implementation may have a very unique signature in how it behaves, particularly when confronted with various illegal combinations of TCP flags and packets! This information is used to identify the target system. NMAP has a database of how various systems respond to these illegal flags. NMAP can determine what system you are running!!!

Based on the TCP stack response, Nmap can identify 400+ types and versions of systems, including:
- Windows 3.1, 3.11, 95, 98, NT (SP 1-4 or 5-6), Win2000
- NetBSD, FreeBSD
- MacOS
- Solaris 2.x
- AIX
- VAX/VMS / OpenVMS
- Cisco IOS
- HP/JetDirect
- Linux
- HP-UX
- 3Com products
- SCO UNIX
- IRIX

The database is customizable, so the hacker can add his own information signatures. Using this information, an attacker can focus an attack!!!

An NT Portscanner -- SuperScan

NMAP Demo, Superscanner demo

NMAP Scans

    bash-2.04$ sudo nmap
    Nmap V. 2.54BETA29 Usage: nmap [Scan Type(s)] [Options] <host or net list>
    Some Common Scan Types ('*' options require root privileges)
      -sT TCP connect() port scan (default)
    * -sS TCP SYN stealth port scan (best all-around TCP scan)
    * -sU UDP port scan
      -sP ping scan (Find any reachable machines)
    * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
      -sR/-I RPC/Identd scan (use with other scan types)
    Some Common Options (none are required, most can be combined):
    * -O Use TCP/IP fingerprinting to guess remote operating system
      -p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
      -F Only scans ports listed in nmap-services
      -v Verbose. Its use is recommended. Use twice for greater effect.
      -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
    * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
      -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
      -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
      -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
      -iL <inputfile> Get targets from file; Use '-' for stdin
    * -S <your_IP>/-e <devicename> Specify source address or network interface
      --interactive Go into interactive mode (then press h for help)
    Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
    SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

    bash-2.04$ sudo nmap -sS -O -v www.snowmaps.com
    Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
    Host (207.198.14.42) appears to be up ... good.
    Initiating SYN Stealth Scan against (207.198.14.42)
    Adding open port 25/tcp
    Adding open port 53/tcp
    Adding open port 80/tcp
    Adding open port 22/tcp
    Adding open port 3306/tcp
    Adding open port 110/tcp
    The SYN Stealth Scan took 8 seconds to scan 1548 ports.
    For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
    Interesting ports on (207.198.14.42):
    (The 1542 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    25/tcp     open        smtp
    53/tcp     open        domain
    80/tcp     open        http
    110/tcp    open        pop3
    3306/tcp   open        mysql
    Remote operating system guess: FreeBSD 2.2.1 - 4.1
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=34067 (Worthy challenge)
    IPID Sequence Generation: Incremental
    Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds
    bash-2.04$

    bash-2.04$ sudo nmap -sS -O -v 24.49.192.77
    Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
    Host nyutica3b77.aburny.adelphia.net (24.49.192.77) appears to be up ... good.
    Initiating SYN Stealth Scan against nyutica3b77.aburny.adelphia.net (24.49.192.77)
    The SYN Stealth Scan took 594 seconds to scan 1548 ports.
    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    All 1548 scanned ports on nyutica3b77.aburny.adelphia.net (24.49.192.77) are: filtered
    Too many fingerprints match this host for me to give an accurate OS guess
    TCP/IP fingerprint:
    SInfo(V=2.54BETA29%P=i686pclinuxgnu%D=11/5%Time=3BE6CB47%O=1%C=1)
    T5(Resp=N)
    T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
    T7(Resp=N)
    PU(Resp=N)
    Nmap run completed -- 1 IP address (1 host up) scanned in 633 seconds
    bash-2.04$

    bash-2.04$ sudo nmap -sS -O -P0 -v 24.24.27.115
    Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
    Host syr242427115.twcny.rr.com (24.24.27.115) appears to be up ... good.
    Initiating SYN Stealth Scan against syr242427115.twcny.rr.com (24.24.27.115)
    The SYN Stealth Scan took 2008 seconds to scan 1548 ports.
    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    All 1548 scanned ports on syr242427115.twcny.rr.com (24.24.27.115) are: filtered
    Too many fingerprints match this host for me to give an accurate OS guess
    TCP/IP fingerprint:
    SInfo(V=2.54BETA29%P=i686pclinuxgnu%D=11/5%Time=3BE6DB03%O=1%C=1)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)
    Nmap run completed -- 1 IP address (1 host up) scanned in 2192 seconds
    bash-2.04$

    bash-2.04$ sudo nmap -sS -O -v www.webtag.net
    Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
    Host (206.74.229.14) appears to be up ... good.
    Initiating SYN Stealth Scan against (206.74.229.14)
    Adding open port 80/tcp
    Adding open port 110/tcp
    Adding open port 21/tcp
    Adding open port 106/tcp
    Adding open port 53/tcp
    Adding open port 23/tcp
    Adding open port 25/tcp
    Adding open port 1112/tcp
    Adding open port 513/tcp
    Adding open port 79/tcp
    Adding open port 514/tcp
    The SYN Stealth Scan took 26 seconds to scan 1548 ports.
    For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
    Interesting ports on (206.74.229.14):
    (The 1536 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp
    23/tcp     open        telnet
    25/tcp     open        smtp
    53/tcp     open        domain
    79/tcp     open        finger
    80/tcp     open        http
    106/tcp    open        pop3pw
    110/tcp    open        pop3
    139/tcp    filtered    netbios-ssn
    513/tcp    open        login
    514/tcp    open        shell
    1112/tcp   open        msql
    Remote operating system guess: Solaris 2.6 - 2.7
    Uptime 1.453 days (since Sun Nov 4 03:56:09 2001)
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=22872 (Worthy challenge)
    IPID Sequence Generation: Incremental
    Nmap run completed -- 1 IP address (1 host up) scanned in 37 seconds
    bash-2.04$

Port Scanner Defense
- Close all unused ports!
  - Unix: /etc/inetd.conf, also /etc/rc3.d (xinetd daemon)
  - Windows NT: disable all unnecessary services by uninstalling them or shutting them off in the services control panel
  - Windows 2000: restrict ports, shut off services
- Utilize an Intrusion Detection System (IDS)
  - Commercial: ISS RealSecure, Cisco NetRanger, Network Flight Recorder, more...
  - Freeware: Snort

Firewall Attacks

Scanning -- FireWalk
- Firewalk allows an attacker to determine which ports on a (packet filter) firewall are open
- Written by David Goldsmith and Michael Schiffman, October 1998, and available at http://packetstorm.securify.com/UNIX/audit/firewalk
- Based on ideas originally used in traceroute, a tool that determines the path of packets using the IP Time-To-Live (TTL) field

Firewalk determines the filtering rules associated with packet filters (either for a host-based packet filter firewall or router access control lists). Firewalk does not work against pure proxy-based firewalls, because proxies do not forward packets. Instead, a proxy application absorbs packets on one side of the gateway and regenerates packets on the other side. Packet filters actually forward the same packets, after applying filtering rules.

Firewalk Phases
Given this info, Firewalk operates in two phases:
- Network discovery phase
- Scanning phase

The network discovery phase essentially does a traceroute to determine the hop count to the last gateway (router) before the filtering takes place.

[Figure: Attacker (IP=10.1.1.1), two routers, firewall (IP=10.2.1.10) and server. Packets with TTL=1, 2, 3 and 4 each draw a "Time to Live Exceeded" reply from successive hops.]

During the network discovery phase, Firewalk sends packets with incrementing TTLs to determine how many network hops exist between the tool and the firewall. When a packet reaches its maximum TTL (which is decremented by each hop), the final gateway sends back a Time-to-Live Exceeded message. This is essentially the same function as traceroute, used to determine the hop count. Once this number is determined, the tool can conduct the scanning phase.

[Figure: Attacker (IP=10.1.1.1), two routers, firewall (IP=10.2.1.10) and server. Packets with TTL=4 are sent to TCP ports 1, 2, 3, 4 and 80; the packet to port 80 draws "Time to Live Exceeded!!!", so port 80 is unfiltered!!!!!]

Firewalk Defenses
1) Just live with it; accept the fact that someone could map your network and determine your firewall filtering rules
2) Disallow ICMP TTL Exceeded messages from leaving your internal network
   - ... May cause problems! Network diagnostics may not work, and your users may want to traceroute... (quite a reasonable idea for sensitive networks), NAT
3) Use a proxy server instead of a packet filter
   - Packet filters have IP forwarding on, so the packets traverse them and "live on"
   - Proxies are an end point of the connection; the packets are not forwarded, so their life ends upon reaching the proxy
   - Possible performance implications

Vulnerability Scanning

Vulnerability Scanners
- SATAN is the granddaddy of these tools (saint, sara, SANTA=SATAN)
- Many commercial derivatives
  - ISS's scanner
  - Network Associates' CyberCop
  - Cisco's NetSonar

Vulnerability Scanners
- These are all tools to help to map a network, scan for open ports, and find various vulnerabilities
- They generate nice-looking reports for management...
- The tools test against a list of known exploits
  - What about the unknown? That's why we want to have security in depth!
  - Use a multilayered, sound architecture

More Tips
- Be careful with password guessing modules. They may lock out legitimate users!
- You may want to disable these modules from running across the network and use password cracking software on the local system files to find weak passwords.
- Use L0pht cracker or others
- Look on your CD under password crackers.

Scanner Limitations
- Vulnerability scanning tools are extremely useful because they automate security checks across a large number of systems over the network.
- However, please understand their limitations!
- The tools only check for vulnerabilities that they know. They cannot find vulnerabilities that they don't understand.
- The tools tend to be very dumb and flat; they look for vulnerabilities.
- A real attacker will apply a great deal of intelligence to try to reverse engineer your network. Instead of just looking at the outside interfaces, the intelligent attacker will try to understand what's going on behind them.

Nessus
- Nessus is a free, open-source general vulnerability scanner
- It is used by the white hat community (security folks) and the black hats (malicious hackers)
- Facts:
  - Project started by Renaud Deraison
  - Available at http://www.nessus.org
  - Consists of a client and server, with modular plugins for individual tests

Nessus
Nessus is a very useful tool, and has some advantages over the commercial tools:
- You can review the source code of the main tool and any of the security checks to make sure that nothing "fishy" is going on.
- You can write your own tests and incorporate them into the tool
- A large group of developers is involved around the world creating new tests
- The price! US $0.00

[Figure: the client configures and monitors the scan; the server has numerous plugins with various tests]

Nessus
- The client and server can be on the same machine. (You can put it all on a laptop.)
- Information between the client and the server can be encrypted
- Large number of plug-ins available for the server, each testing for specific vulnerabilities in the target.

Nessus - Platform
- Server: FreeBSD, Linux, and Solaris
- Client: FreeBSD, Linux, Solaris, Windows 95/98/NT 2000, Java (can run on Macs, anything)
- Remember, both client and server can be on the same machine.
- For serious work with Nessus, use Nessus on Unix

Nessus - Plugins
- Separate plugin for each type of attack
- There is a defined API for writing Nessus plugins
  - Currently, plugins are written in C
  - Or, plugins can be written in the Nessus Attack Scripting Language (NASL)
- One plugin is in charge of doing one attack and reporting the result to the Nessus server (nessusd).
- Each plugin can use some functions of the Nessus library, called libnessus.
- CVS version and daily snapshots are available.
- As of November 2000:
  - Over 300 UNIX plugins
  - 90 Windows NT plugins
- Make sure you check those MD5 hashes!!! (so you don't load a Trojan plugin!!!!!)
- A very nice capability of Nessus is the ability to write your own plugins, a capability not supported in the major commercial scanners.

Nessus GUI
You can configure:
- Port for the client-to-server communication
- Encryption algorithms
- Target systems
- Which plugins to use
- Port ranges and types of scans
- E-mail address for report

[Figure: Nessus's report of test server before attack]

Vulnerability Scanners - Defense
- Close all unused ports
- Shut off all unneeded services
  - In Windows NT, stop or delete services in the services control panel
  - In UNIX, edit /etc/inetd.conf and rc.d files
- Apply all system patches
  - Keep up to date!
- Utilize an Intrusion Detection System
  - Network-based IDS
  - Commercial: ISS RealSecure, Cisco NetRanger, Network Flight Recorder, Dragon, etc.
  - Freeware: Snort

Exploiting Systems
- Gaining access
- Denial of Service
- Application-level attacks
- Stealthy attacks

Gaining Access
- IP address spoofing
- IP fragmentation attacks, FragRouter
- Sniffing (Sniffit)
- Session hijacking (Hunt)
- DNS cache poisoning (Jizz)
- Web hijacking
- Netcat and other hack tools

IP Address Spoofing
- Spoofing = pretending to be someone else
- IP address spoofing is quite common in a number of attacks
  - Foiling systems that utilize IP addresses for control
    - Router access control lists
    - Firewalls
    - Trust relationships (particularly, UNIX r-commands)
  - Denial of Service
  - Logs

IP Spoofing
IP spoofing can be trivial or very complex:
- Option 1: Change the IP address
- Option 2: IP address spoofing and trust relationship attacks
- Option 3: IP address spoofing and source routing

IP Spoofing, Option 1
- I can change my IP address to anything I want...
  - UNIX: ifconfig eth0 w.x.y.z
  - Windows: use the network control panel
- Yes, but...
  - You won't get responses to your messages, because the network won't route the responses back to you
  - Also, the TCP 3-way handshake will cause you problems
  - You'll get a RESET message from the real system, unless ....

Recall the Three Way Handshake
[Figure: client and server exchanging SYN, SYN | ACK, ACK]
1: Client sends SYN seq=x
2: Server sends SYN seq=y, ACK x+1
3: Client sends ACK y+1

The handshake allows for the establishment of sequence numbers (x or y are ISN = Initial Sequence Number) between the two systems. These sequence numbers are used so that TCP can provide for reliable packet delivery in sequential order. Sequence numbers are used for sequencing and retransmissions.

Option 1: Simple Spoofing, Change Address
When the spoofee sends the 2nd leg of the 3-way handshake, the system whose address is being spoofed will send a RESET message. The RESET message says, essentially, "Hey! I'm not having a conversation with you .... Leave me alone!"

[Figure: Eve sends SYN(A, ISNa) to Bob posing as Alice; Bob replies ACK(A, ISNa) SYN(B, ISNb) to Alice; Alice answers RESET!!]

IP Spoofing, Option 2: Exploit Trust
- We can take over a system with IP address spoofing by exploiting the UNIX trust relationships
- A variant of this attack was used by Kevin Mitnick against Tsutomu Shimomura in December 1994
- Sadly, it's still a useful technique today
  - Mostly on intranets, because properly implemented firewalls have helped to stop this attack across the Internet

IP Spoofing: Exploit Trust
- The "random" sequence number sent by Bob (ISNb) is often predictable
- Eve can interact with Bob and, based on careful timing, predict future sequence numbers with some level of accuracy
- This gives Eve a one-way channel to Bob
- And Bob will think Eve is Alice!!! That's a spoof!
- Great!!! But... what about Alice's RESET?
- You take Alice out of the picture for a while... Denial of Service
- Eve can have an open channel to Bob. She can quickly reconfigure Bob so that Eve has full access, without spoofing.

[Figure: IP Sequence Prediction. Labels: Attacker, Trusted Host, Target Host, Non-existent System, SYN Flood, Spoofed SYN, Spoofed IP, SYN | ACK]

IP Spoofing, Option 2: Exploit Trust
- Now Eve has an open channel to Bob
- Eve (posing as Alice) can feed commands to Bob
- Eve can use the rsh command to add the real "Eve" to the trust relationship of Bob. How? Concatenate "++" to /etc/hosts.equiv or simply add her name. UNIX only.
- Eve will see no replies from Bob; however, Alice cannot respond (due to DoS)
- For a short time, Eve looks like Alice to Bob
- Eve must "fly blind", but can re-configure Bob.

IP Spoofing, Option 3: Source Routing
- This attack is simpler than option 2... and platform independent (option 2 required UNIX trust relationships)
- Just use source routing ....
  - With a source that appears to come from the spoofed address
  - ... and a path that includes the "spoofer" (i.e., the attacker)
- All packets will follow the path
- And responses will, too

This method for IP address spoofing is based on source routing. Source routing is an option in IP that allows the source of a packet to specify the path it will take on the network. Each router hop is included in the packet's header. For this attack, Eve generates a source-routed packet that appears to come from Alice (that's the spoof). The packet contains a fake route list that includes Eve's address. Note that the route list is correct for all routers between Eve and Bob. Routers before Eve are irrelevant. Eve sends this packet on the network. If the network allows source-routed traffic, the packet will follow Eve's specified path to deliver the packet to poor Bob. Bob will take action on the packet (complete the TCP 3-way handshake, or whatever) and send the response, source routed back to Eve. Eve will intercept the packet, rather than transmitting it back to Alice .... There you go! Eve can get the responses from Bob while spoofing Alice's address.
[Figure: Source Routing. Alice, Eve and Bob, each packet shown with its contents. Route: 1. Alice 2. Router X 3. Eve 4. Router Y 5. Bob. Route: 1. Bob 2. Router Y 3. Eve 4. Router X 5. Alice.]

Exploiting Systems: IP Spoofing
IP Address Spoofing Defenses
Make the Initial Sequence Numbers truly random
Need to install patches for TCP/IP stacks
Be careful with trust relationships
Do not extend trust outside of firewall
Either UNIX or Windows NT trust relationships
Don't base authentication on IP addresses
Utilize passwords, crypto, or other techniques
Replace very weak r-commands with stronger commands
ssh, or its freeware cousins (lsh)
Utilize anti-spoof filters at routers and firewalls
Do not allow source-routed packets through network gateways
Internet gateways (firewalls) and business partner connections
NEVER
Never use source routing in firewalls, routers, or any gateway system!

IP Fragmentation Attacks

Penetration: IP Fragments
IP Fragmentation
Useful in getting around packet filters in routers and firewalls
Also useful in avoiding detection by network-based Intrusion Detection Systems (IDSs)
Recall how packet filtering (firewall) works...
It allows tcp source_address to destination_address using a specific port number
implicitly denies all other

[Figure: Penetration, IP Fragments. Labels: Port 23, Attacker, Port 80, Server, IDS, IP=10.2.1.10, Firewall, IP=10.1.1.1.]

Penetration: IP Fragments
IP Fragmentation Attacks
IP allows packets to be broken down into fragments for more efficient transport across various media
The TCP packet (and its header) are carried in the IP packet
Two attacks possible:
Tiny fragment attack
Fragment Overlap attack

Penetration: IP Fragments
Normal IP Fragmentation
[Figure: an IP packet carrying TCP, split into IP fragments.]
To support different transmission media, IP allows for the breaking up of single large packets into smaller packets, called fragments. The higher-level protocol carried in IP (usually TCP or UDP) is split up among the various fragments.
Penetration: IP Fragments
Tiny Fragment Attack
[Figure: an IP packet carrying TCP, split into very small IP fragments.]
Make a fragment small enough so that the TCP header is split between two fragments. The port number will be in the second fragment.

Penetration: IP Fragments
[Figure: Attacker, Firewall, IDS, Server. Fragment 1 (part of tcp header). Fragment 2 (rest of tcp header). Tcp port unknown. All IP fragments are re-assembled.]

Penetration: IP Fragments
IP Fragment Overlap Attack
A more insidious fragment attack is the Fragment Overlap attack. For this scenario, the attacker creates two fragments for each IP packet. One fragment has the TCP header, including the port number for a service allowed by the filter (e.g., http, TCP port 80). The second fragment has an offset value that is a lie. The offset is too small, so that when the fragments are reassembled, the second fragment overwrites part of the first, particularly the part of the first fragment including the port number.

Penetration: IP Fragments
Fragment Overlap attack
In the second fragment, lie about the offset from the first fragment. When the packet is reconstructed at the protected server, the port number will be overwritten.
[Figure: Attacker, Firewall, IDS, Server. Fragment 1 (Packet is for port 80). Firewall: Tcp port 80. OK! Second IP fragment was just a fragment of the first. That is OK too! Fragment 2 (Packet says is for port 80), however, I have an offset, say 12, and after overlaying, the TCP header will read port 23! All IP fragments are re-assembled.]
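How a filter or IDS can refuse both fragment tricks described above, as an added example that is not part of the original slides. The checks follow the approach of RFC 1858 (reject a TCP first fragment that is too short, and reject a later fragment that starts inside the TCP header) and add a general overlap test; the 20-byte threshold, the class and function names and the sample fragments are assumptions constructed for this illustration.

```python
from dataclasses import dataclass

TCP = 6
MIN_TCP_HEADER = 20  # bytes; assumption: require the whole fixed TCP header up front


@dataclass
class Fragment:
    offset: int      # IP fragment offset field, counted in 8-byte units
    more: bool       # MF (more fragments) flag
    payload: bytes   # data carried after the IP header
    proto: int = TCP


def inspect(frags):
    """Findings for the fragments of one datagram (same src, dst, ID, protocol)."""
    findings, seen = [], []
    for f in frags:
        start = f.offset * 8
        end = start + len(f.payload)
        if f.proto == TCP:
            # Tiny fragment: the first piece does not hold the full TCP header,
            # so a filter that reads only this piece cannot see every field.
            if f.offset == 0 and f.more and len(f.payload) < MIN_TCP_HEADER:
                findings.append("tiny-first-fragment")
            # A later piece that begins inside the header can rewrite it.
            if 0 < start < MIN_TCP_HEADER:
                findings.append("starts-inside-tcp-header")
        # Any byte range claimed twice makes reassembly policy-dependent.
        if any(start < e and s < end for s, e in seen):
            findings.append("overlap")
        seen.append((start, end))
    return findings


def reassemble(frags, last_wins):
    """Rebuild the payload; on overlap keep the newest or the oldest bytes."""
    buf, filled = bytearray(), bytearray()
    for f in frags:
        start = f.offset * 8
        end = start + len(f.payload)
        if end > len(buf):
            grow = end - len(buf)
            buf.extend(bytes(grow))
            filled.extend(bytes(grow))
        for i, b in enumerate(f.payload, start):
            if last_wins or not filled[i]:
                buf[i], filled[i] = b, 1
    return bytes(buf)


def verdict(frags):
    """Drop when any check fires or when two reassembly policies disagree."""
    findings = inspect(frags)
    if reassemble(frags, True) != reassemble(frags, False):
        findings.append("ambiguous-reassembly")
    return ("drop" if findings else "pass"), findings


# Constructed samples: a 40-byte TCP segment (20-byte header + 20 data bytes).
SEGMENT = bytes(range(40))
BENIGN = [Fragment(0, True, SEGMENT[:24]), Fragment(3, False, SEGMENT[24:])]
TINY = [Fragment(0, True, SEGMENT[:8]), Fragment(1, False, SEGMENT[8:])]
OVERLAP = [Fragment(0, True, SEGMENT[:24]), Fragment(1, False, b"\xff" * 32)]

if __name__ == "__main__":
    for name, frags in [("benign", BENIGN), ("tiny", TINY), ("overlap", OVERLAP)]:
        print(name, verdict(frags))
```

The "ambiguous-reassembly" finding is the reason the filter and the server can disagree: a device that keeps the first copy of overlapped bytes and a host that keeps the last copy end up with different TCP headers for the same fragments.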
Penetration: IP Fragments
IP Fragment Attack Tools
Fragrouter -- can be used to create nasty fragmentation attacks
Written by Dug Song
http://www.anzen.com/research/nidsbench
With fragrouter, all packets entering one interface go out the other interface fragmented
The attacker can specify how fragmentation will occur
Helps bypass some packet filters and avoid intrusion detection systems (IDSs)
You can also send the packets through a multi-network named host, so the packets appear to be coming from multiple hosts!

Sniffers

Sniffers
Sniffers gather all information transmitted across a line
For broadcast media (ethernet), allows an attacker to gather passwords, etc.
For ethernet, all data is broadcast on the LAN segment
Switched ethernet limits data to a specific source and destination port on a switch
Sniffers are among the most common of hacker tools. They gather traffic off of the network, which an attacker can read in real time, or squirrel away in a file.

Sniffers
Many attacks are discovered only when a sniffer log consumes all available file space. When an ethernet interface is gathering all traffic, it is said to be in "promiscuous mode". Traditional ethernet, usually implemented in a hub, is a broadcast medium, which broadcasts all data to all systems connected to the LAN segment. Therefore, traditional ethernet is inherently sniffable.
[Figure: BROADCAST ETHERNET (HUB) compared with SWITCHED ETHERNET (SWITCH).]

Sniffers
Switched ethernet does not broadcast all information to all links of the LAN segment. Instead, the switch is more intelligent than the hub, and, by looking at the destination MAC address, will only send the data to the required port on the switch. Switched ethernet is only sniffable in limited ways.
Snifferz
There are countless examples of sniffers out there
es: freeware (ships with SunOS, Solaris RootKits)
Linsniff: freeware (ships with Linux Rootkits)
Websniff: freeware
tcpdump: freeware
snoop: distributed with Solaris
Network Associates: commercial
Shomiti Surveyor: commercial
Another very good sniffer is snort, by Martin Roesch
hftp://www.clark.net/roesch/security.html
Very powerful scripting capabilities
Doubles as a lightweight Intrusion Detection System
Used by hackers

Sniffers are particularly useful in what is known as an "Island Hopping Attack", named after the U.S. strategy in the Pacific theater during WWII. Island Hopping attacks involve an attacker taking over a single machine through some exploit (e.g., a hole found in sendmail, a we...
