CPE549_L4 - CPE 549 Computer Network Attack Profiles...

6/16/2008

CPE 549 Computer Network Attack Profiles

Attacker profiles (source: Microsoft and Accenture). Motives and the attacker type listed beside each on the chart:
• National Interest – Spy
• Personal Gain – Thief
• Personal Fame – Trespasser
• Curiosity – Vandal
Attacker categories shown along the chart's skill axis: Script-Kiddy, Author, Undergraduate, Expert, Specialist.

Hacker (Microsoft definition)
• A person who enjoys learning details of a programming language or system
• A person who enjoys actually doing the programming rather than just theorizing about it
• A person capable of appreciating someone else's hacking
• A person who picks up programming quickly
• A person who is an expert at a particular programming language or system, as in "Unix hacker"

Cracker
A cracker is someone who breaks into someone else's computer system, often on a network; bypasses passwords or licenses in computer programs; or in other ways intentionally breaches computer security. A cracker can be doing this for profit, maliciously, for some altruistic purpose or cause, or because the challenge is there. Some breaking-and-entering has been done ostensibly to point out weaknesses in a site's security system.

Hacker classes
• Black hats – highly skilled, malicious, destructive "crackers"
• White hats – skills used as defensive security analysts
• Gray hats – work both offensively and defensively; will hack for different reasons, depending on the situation

Script Kiddie
An immature, but unfortunately often just as dangerous, exploiter of security lapses on the Internet. The typical script kiddie uses existing, frequently well-known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet, often randomly and with little regard for, or perhaps even understanding of, the potentially harmful consequences.

Anatomy of a Hack
The stages of the attack methodology, in the order the following slides cover them:
1. Footprinting
2. Scanning
3. Enumeration
4. Gaining Access
5. Escalating Privilege
6. Pilfering
7. Covering Tracks
8. Creating Backdoors
9. Denial of Service (if gaining access fails)

Attack Methodology: Footprinting
Objective: target address range and naming acquisition and information gathering are essential to a surgical attack. The key here is not to miss any details.
Techniques: open source search (www.google.com, http://www.arin.net, http://news.netcraft.com/), DNS zone transfer, banner grabbing.

[Slides: Footprinting with Sam Spade, and Sam Spade (cont.) – screenshots]

Nslookup
Used in Windows and Unix to find various details relating to DNS, including the IP addresses of a particular computer, the MX records for a domain or the NS servers of a domain, all using DNS lookups. The name means "name server lookup". The most common version of the program is included as part of the BIND package. A more modern alternative to nslookup is the dig program, also shipping with BIND.

Traceroute (Windows: tracert)
• The traceroute program discovers the path that an IP datagram follows to reach a target host.
  – Start by sending a probe message with a TTL value of 1 bound for the target host.
  – If the target host cannot be reached in one hop then:
    • The datagram is dropped.
    • The machine that drops it returns an ICMP TTL-exceeded message.
    • Traceroute records the name and address of the machine and the round trip time.
  – The TTL value is incremented by one, and the probe is sent again.
  – This process continues until the target is reached, and traceroute generates a report of its findings.
• Can be used to gain some idea about the topology of a network.
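The TTL loop described on the traceroute slide, as an added simulation written for this page (it is not part of the lecture slides and does not send packets): a constructed four-hop path, with one router that silently drops expired probes and never answers, shows how the sequence of ICMP TTL-exceeded replies builds the hop list, why a non-responding hop is printed as "*", and why a target that never answers keeps the loop going until the hop limit. All host names and addresses below are invented for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    """One router (or the final host) on a constructed path."""
    name: str
    addr: str
    rtt_ms: float
    responds: bool = True  # False models a hop that drops the probe without any ICMP reply


# Constructed sample path; these names and addresses are invented for the example.
SAMPLE_PATH: List[Hop] = [
    Hop("gw.example.lab", "10.0.0.1", 1.2),
    Hop("core1.example.lab", "10.0.1.1", 3.4, responds=False),  # filters outbound ICMP
    Hop("edge.example.lab", "10.0.2.1", 7.9),
    Hop("target.example.lab", "10.0.3.10", 12.0),
]

ReportLine = Tuple[int, str, str, Optional[float]]


def send_probe(path: List[Hop], ttl: int) -> Tuple[str, Hop]:
    """Forward a single probe with the given TTL along the path.

    Every router decrements the TTL before forwarding. The router that takes it
    to 0 drops the datagram and, if it responds at all, sends ICMP TTL-exceeded.
    The final host does not forward, so a probe that passes all routers is
    delivered to it regardless of the remaining TTL.
    """
    routers, target = path[:-1], path[-1]
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return "expired", router
    return "reached", target


def traceroute(path: List[Hop], max_hops: int = 30) -> List[ReportLine]:
    """The slide's loop: TTL starts at 1 and grows by one per probe until the target answers."""
    report: List[ReportLine] = []
    for ttl in range(1, max_hops + 1):
        status, hop = send_probe(path, ttl)
        if hop.responds:
            # Record the name, address and round-trip time of the machine that replied.
            report.append((ttl, hop.name, hop.addr, hop.rtt_ms))
        else:
            # Nothing came back before the timeout: real traceroute prints "*" here.
            report.append((ttl, "*", "*", None))
        if status == "reached" and hop.responds:
            break  # the target itself answered, so the path is complete
    # A target that never answers leaves the loop to run out at max_hops.
    return report


def format_report(report: List[ReportLine]) -> str:
    """Render the hop list in the familiar one-line-per-TTL layout."""
    lines = []
    for ttl, name, addr, rtt in report:
        rtt_text = "*" if rtt is None else f"{rtt:.1f} ms"
        lines.append(f"{ttl:2d}  {name} ({addr})  {rtt_text}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(traceroute(SAMPLE_PATH)))
```

Running the block prints four lines, the second of them `*`: the filtering router still forwards traffic, so the path continues past it, but its position in the topology stays hidden. That is the defensive side of the slide's last bullet: a router configured not to emit TTL-exceeded messages leaks nothing about itself to this kind of probe, at the cost of also blinding legitimate troubleshooting.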
[Slides: Footprinting – screenshots]

Attack Methodology: Scanning
Objective: bulk target assessment and identification of listening services focuses the attacker's attention on the most promising avenues of entry.
Techniques: ping sweep, port scan, vulnerability scanning (noisy).
Tools: NMAP, Nessus, Superscan.

[Slides: Scanning – screenshots]

Attack Methodology: Enumeration
Objective: more intrusive probing now begins as attackers begin identifying valid user accounts or poorly protected resource shares.
Techniques: list user accounts, list file shares, identify applications.
Tools: DumpACL, sid2user, null sessions, showmount, NAT, Legion, netcat, rpcinfo.

[Slide: Enumeration – screenshot]

Attack Methodology: Gaining Access
Objective: enough data has been gathered at this point to make an informed attempt to access the target.
Techniques: password eavesdropping, file share brute forcing, password file grab, buffer overflows.
Tools: Tcpdump, L0phtCrack, NAT, Legion, tftp, pwdump2, ttdb, eEye IISHack.

[Slide: Gaining Access – screenshot]

Attack Methodology: Escalating Privilege
Objective: if only user-level access was obtained in the last step, the attacker will now seek to gain complete control of the system.
Techniques: password cracking, known exploits.
Tools: Crack, L0phtCrack, rdist, getadmin, sechole.

[Slide: Escalating Privilege – screenshot]

Attack Methodology: Pilfering
Objective: the information gathering process begins to identify mechanisms to gain access to trusted systems.
Techniques: evaluate trusts, search for cleartext passwords.
Where to look: Rhosts, LSA Secrets, user data, configuration files, registry.

Attack Methodology: Covering Tracks
Objective: once total ownership of the target is secured, hiding this fact from the sysadmin becomes paramount, lest they quickly end the romp.
Techniques: clear logs, hide tools.
Tools: Zap, Event Log GUI, elsave, hidden directories, file streaming.

Attack Methodology: Creating Backdoors
Objective: trap doors will be laid in various parts of the system to ensure that privileged access is easily regained at the whim of the intruder.
Techniques: create rogue user accounts, load rootkits, schedule batch jobs, infect startup scripts, plant remote control devices, install monitoring mechanisms, replace apps with trojans.
Tools and locations: members of wheel, administrators, cron, AT, rc, startup folder, registry keys, netcat, remote.exe, VNC, keystroke loggers.

Rootkit
A program (or combination of several programs) designed to take control (in Unix terms "root" access, in Windows terms "Administrator" access) of a computer system, without authorization by the system's owners. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security mechanisms. Often they are also Trojans, thus fooling users into believing they are safe to run on their systems. Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the operating system.

Attack Methodology: Denial of Service
Objective: if an attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.
Techniques: SYN flood, ICMP techniques, identical src/dst SYN requests, overlapping fragment/offset bugs, out of bounds TCP options.
Tools: Synk4, ping of death, smurf, land, latierra, teardrop, bonk, newtear, supernuke.exe, trinoo.

How To Get Your Network Hacked In 10 Easy Steps
1. Don't patch anything
2. Run unhardened applications
3. Logon everywhere as a domain admin
4. Open lots of holes in the firewall
5. Allow unrestricted internal traffic
6. Allow all outbound traffic
7. Don't harden servers
8. Use lame passwords
9. Use high-level service accounts, in multiple places
10. Assume everything is OK

The moral
• Initial entry is everything
• Most networks are designed like egg shells
  – Hard and crunchy on the outside
  – Soft and chewy on the inside
• Once an attacker is inside the network you can…
  – Update resume
  – Hope he does a good job running it
  – Drain the network

Hacker Challenge Websites
http://www.datastronghold.com/archive/t6937.html
Hackthissite.org: http://www.hackthissite.org

Questions & Answers
This note was uploaded on 12/14/2011 for the course CPE 549 taught by Professor Sparks during the Fall '11 term at University of Alabama - Huntsville.
